From patchwork Thu Apr 4 18:16:27 2024
X-Patchwork-Submitter: Juliusz Sosinowicz
X-Patchwork-Id: 1919934
From: Juliusz Sosinowicz
To: hostap@lists.infradead.org
Cc: Juliusz Sosinowicz
Subject: [PATCH 21/24] wolfssl: Implement EAP-FAST
Date: Thu, 4 Apr 2024 20:16:27 +0200
Message-Id: <20240404181630.2431991-21-juliusz@wolfssl.com>
In-Reply-To: <20240404181630.2431991-1-juliusz@wolfssl.com>
References: <20240404181630.2431991-1-juliusz@wolfssl.com>
Add tls_session_ticket_ext_cb and use the new wolfSSL_set_session_ticket_ext_cb API.

Signed-off-by: Juliusz Sosinowicz
---
 src/crypto/tls_wolfssl.c | 59 +++++++++++++++++++++++++++++++---------
 1 file changed, 46 insertions(+), 13 deletions(-)

diff --git a/src/crypto/tls_wolfssl.c b/src/crypto/tls_wolfssl.c index b6869b7488..22f8d6eb78 100644 --- a/src/crypto/tls_wolfssl.c +++ b/src/crypto/tls_wolfssl.c @@ -94,7 +94,8 @@ struct tls_connection { #if defined(EAP_FAST) || defined(EAP_FAST_DYNAMIC) || defined(EAP_SERVER_FAST) tls_session_ticket_cb session_ticket_cb; void *session_ticket_cb_ctx; - byte session_ticket[SESSION_TICKET_LEN]; + u8 *session_ticket; + size_t session_ticket_len; #endif unsigned int ca_cert_verify:1; unsigned int cert_probe:1; @@ -513,6 +514,7 @@ void tls_connection_deinit(void *tls_ctx, struct tls_connection *conn) os_free(conn->domain_match); os_free(conn->peer_subject); os_free(conn->check_cert_subject); + os_free(conn->session_ticket); /* self */ os_free(conn); 
@@ -2481,32 +2483,58 @@ static int tls_sess_sec_cb(WOLFSSL *s, void *secret, int *secret_len, void *arg) int ret; unsigned char client_random[RAN_LEN]; unsigned char server_random[RAN_LEN]; - word32 ticket_len = sizeof(conn->session_ticket); if (!conn || !conn->session_ticket_cb) - return 1; + return -1; + + wpa_printf(MSG_DEBUG, "wolfSSL: %s", __func__); if (wolfSSL_get_client_random(s, client_random, sizeof(client_random)) == 0 || wolfSSL_get_server_random(s, server_random, - sizeof(server_random)) == 0 || - wolfSSL_get_SessionTicket(s, conn->session_ticket, - &ticket_len) != 1) - return 1; - - if (ticket_len == 0) - return 0; + sizeof(server_random)) == 0) + return -1; ret = conn->session_ticket_cb(conn->session_ticket_cb_ctx, - conn->session_ticket, ticket_len, + conn->session_ticket, conn->session_ticket_len, client_random, server_random, secret); + + wpa_printf(MSG_DEBUG, "wolfSSL: %s conn->session_ticket_cb: %d", __func__, ret); + + os_free(conn->session_ticket); + conn->session_ticket = NULL; + if (ret <= 0) - return 1; + return -1; *secret_len = SECRET_LEN; return 0; } +static int tls_session_ticket_ext_cb(SSL *s, const unsigned char *data, + int len, void *arg) +{ + struct tls_connection *conn = arg; + + if (conn == NULL || conn->session_ticket_cb == NULL) + return 0; + + wpa_printf(MSG_DEBUG, "wolfSSL: %s: length=%d", __func__, len); + + os_free(conn->session_ticket); + conn->session_ticket = NULL; + + wpa_hexdump(MSG_DEBUG, "wolfSSL: ClientHello SessionTicket " + "extension", data, len); + + conn->session_ticket = os_memdup(data, len); + if (conn->session_ticket == NULL) + return 0; + + conn->session_ticket_len = len; + + return 1; +} #endif /* EAP_FAST || EAP_FAST_DYNAMIC || EAP_SERVER_FAST */ 
@@ -2521,11 +2549,16 @@ int tls_connection_set_session_ticket_cb(void *tls_ctx, if (cb) { if (wolfSSL_set_session_secret_cb(conn->ssl, tls_sess_sec_cb, - conn) != 1) + conn) != 1) + return -1; + if (wolfSSL_set_session_ticket_ext_cb(conn->ssl, + tls_session_ticket_ext_cb, conn) != 1) return -1; } else { if (wolfSSL_set_session_secret_cb(conn->ssl, NULL, NULL) != 1) return -1; + if (wolfSSL_set_session_ticket_ext_cb(conn->ssl, NULL, NULL) != 1) + return -1; } return 0;
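Review bot: the struct hunk at @@ -94,7 +94,8 @@ replaces the fixed `byte session_ticket[SESSION_TICKET_LEN]` buffer with a heap pointer plus a length, which is only safe if both new members start out zeroed; the allocation path is not part of this patch, so please confirm that tls_connection_init() allocates the struct with os_zalloc() (or clear the two members explicitly), otherwise the new os_free(conn->session_ticket) in tls_connection_deinit() and in tls_session_ticket_ext_cb() would free an uninitialized pointer.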
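Review bot: in tls_sess_sec_cb() and tls_session_ticket_ext_cb() (hunk @@ -2481,32 +2483,58 @@), `conn->session_ticket` is freed and set to NULL but `conn->session_ticket_len` keeps its old value, so after the os_memdup() failure path in tls_session_ticket_ext_cb() the connection carries a NULL ticket with a non-zero length, and any later tls_sess_sec_cb() call passes that pair to session_ticket_cb. Reset the length together with the pointer in both places: `os_free(conn->session_ticket); conn->session_ticket = NULL; conn->session_ticket_len = 0;`. Since `len` arrives as an int and is both handed to os_memdup() and stored into a size_t, a `if (len < 0) return 0;` guard at the top of tls_session_ticket_ext_cb() is cheap. Two smaller points: the old code returned 0 before calling the callback when no ticket was present, while the new code always invokes session_ticket_cb (possibly with a NULL ticket) and returns -1 when it yields <= 0, so a one-line comment on whether -1 from the secret callback aborts the handshake or only disables resumption under wolfSSL would help the next reader; and the new callback is declared with `SSL *s` where the rest of the file, including tls_sess_sec_cb() just above it, uses `WOLFSSL *`.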
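Review bot: in tls_connection_set_session_ticket_cb() (hunk @@ -2521,11 +2549,16 @@), a failure of the second registration leaves the connection half-configured: in the `cb` branch the secret callback stays installed when wolfSSL_set_session_ticket_ext_cb() fails, and in the else branch the ticket extension callback stays installed when clearing the secret callback fails. Either undo the first call before `return -1`, or install the extension callback first, so that tls_sess_sec_cb() can never be active without the extension callback that fills conn->session_ticket.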