From patchwork Thu Apr 4 18:16:11 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Juliusz Sosinowicz X-Patchwork-Id: 1919904 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=pass (2048-bit key; secure) header.d=lists.infradead.org header.i=@lists.infradead.org header.a=rsa-sha256 header.s=bombadil.20210309 header.b=dAy2EEUM; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=wolfssl-com.20230601.gappssmtp.com header.i=@wolfssl-com.20230601.gappssmtp.com header.a=rsa-sha256 header.s=20230601 header.b=Uf0UVsI5; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=none (no SPF record) smtp.mailfrom=lists.infradead.org (client-ip=2607:7c80:54:3::133; helo=bombadil.infradead.org; envelope-from=hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org; receiver=patchwork.ozlabs.org) Received: from bombadil.infradead.org (bombadil.infradead.org [IPv6:2607:7c80:54:3::133]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4V9VG62RVnz1yYf for ; Fri, 5 Apr 2024 05:17:34 +1100 (AEDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender: Content-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:MIME-Version:References:In-Reply-To: Message-Id:Date:Subject:Cc:To:From:Reply-To:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: List-Owner; bh=4Aql2M7vmNG0DoZsAMQZNtE9Hti6oRkUBAlOehtwy4I=; b=dAy2EEUMg47mIn kbRQkEXCmqCM/2/P7YEW0W7GUzVVVOHnBpKTGJdLHJwutq0Gnp+N9MRM4XPV9mQvsiW1L02WlFrE0 KnG2oKf0NdGKQBJQ4ZJdm+TNxCkVeWEqt453O0qcBD4wI6lB4FRiwts/p+2R8x9ftq83k83kr+c0w NfqBjR3bOECIKnlZdL0T1UYZAMP8BvCAAmzScRFF988aV69Nug52HEbw6LEzdGZ+7bU2VnkP+EY75 RXzB7cLu6ywtIWO8QwXEKwSqxl2UNV6dn+buWMITfRvQvey0H5xZqh3Lqhnr69vDRbkI4gT6nSxzb tuWg7rhykAvpwx083HyQ==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.97.1 #2 (Red Hat Linux)) id 1rsRe8-00000003miz-1n2m; Thu, 04 Apr 2024 18:17:08 +0000 Received: from mail-ed1-x535.google.com ([2a00:1450:4864:20::535]) by bombadil.infradead.org with esmtps (Exim 4.97.1 #2 (Red Hat Linux)) id 1rsRe2-00000003meU-3v37 for hostap@lists.infradead.org; Thu, 04 Apr 2024 18:17:04 +0000 Received: by mail-ed1-x535.google.com with SMTP id 4fb4d7f45d1cf-56e22574eb3so1300680a12.3 for ; Thu, 04 Apr 2024 11:17:01 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=wolfssl-com.20230601.gappssmtp.com; s=20230601; t=1712254620; x=1712859420; darn=lists.infradead.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=BCo1F8W0UNyyvrUaZvqOQoGOqKXnW5NACGgep6dwZiw=; b=Uf0UVsI5NRj5c7QwtEeHltS0A9z3u/Gz7sy+GN0aru1Cpx5d5veXyrQV8zcREj78uk CwHm1nq8dp682vCuRsGBjUPzR63TpNhdl3HuENA7NAbKOUIY5nmzs48Ndk/QlQsReg8t PINB4YmpXR23aFzhg2Rp6PMkT2lV+RiIS+A/xCRDSw+ZBRrGmeBZWYkClfq8WxjHwEH5 OTXVNsgJ3YhLw6FkHf2tHO3oWRIYPhWX3hpkHFvX9XIcMsDBzAFoY/WlLomWEZv6xt0C vOXRY8PwEuCE4NNXxDSPTIi1EmMgj9Xc0ZPedA1Xchh2Kdk0yNIAaw6uTmVJKTSx69jA F6qg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1712254620; x=1712859420; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=BCo1F8W0UNyyvrUaZvqOQoGOqKXnW5NACGgep6dwZiw=; b=TOHWtAUwI5VIxd7hWBNi6KG0zcUuKtZS/C85HTjdrr2JjGEq5GrzgS7P1jwCG2A2dO FKamoy6lKrYuldlIL/gcdatx4IEMVKQDBiwYqJIKT5Crj6kguVq2hjtmRIzOHodserDu U1Ct7znHBHjLb6S8bZlJ6OMzGU6Z5CVeq4ZvYnqI54JJ/rSIn9fvFBKJqZCFlw9KAPVN KjR1izFXHbOM9MUht+OONVixcgnSjMm6ORd4H18ny+LXASZaaaSqzxAZAMsNN3591zKV LZHTrN8Bzv2Yuxzg13n6OlmzbNiKURJ9OFSjtMlT66d2+pHl2Zt58R/5P5RmpvOnLKFO lQrw== X-Gm-Message-State: AOJu0YyLMreGPWm0Bdq8h8FUGdPkuZVGL5wFl0sS0uV+B5p19noKHToP a941ei6Ad+MwnmxPtaS47aTounsAsdfbIw8wBASS9z0C+QXU6f7Qt9bdbQFeQsKyN25C3k0WsYq n0Tg= X-Google-Smtp-Source: AGHT+IGhvBJJMsU3BK010ra6bYFwW5He1mDZSYsp9PIAsp0+pX0Z1a91CW+tBE8/zmTMvo1EJakn5w== X-Received: by 2002:a50:9996:0:b0:56e:211b:86df with SMTP id m22-20020a509996000000b0056e211b86dfmr1658724edb.30.1712254619972; Thu, 04 Apr 2024 11:16:59 -0700 (PDT) Received: from localhost.localdomain ([82.118.30.15]) by smtp.gmail.com with ESMTPSA id dh26-20020a0564021d3a00b0056e0b358e86sm1976349edb.97.2024.04.04.11.16.59 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 04 Apr 2024 11:16:59 -0700 (PDT) From: Juliusz Sosinowicz To: hostap@lists.infradead.org Cc: Juliusz Sosinowicz Subject: [PATCH 05/24] wolfssl: support tod policy Date: Thu, 4 Apr 2024 20:16:11 +0200 Message-Id: <20240404181630.2431991-5-juliusz@wolfssl.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20240404181630.2431991-1-juliusz@wolfssl.com> References: <20240404181630.2431991-1-juliusz@wolfssl.com> MIME-Version: 1.0 X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20240404_111703_110805_DD5148CB X-CRM114-Status: GOOD ( 19.59 ) X-Spam-Score: 0.0 (/) X-Spam-Report: Spam detection software, running on the system "bombadil.infradead.org", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: - Implement wolfssl_cert_tod() to support setting the correct tod value in the certificate event message. - Always send the certificate event message in addition to error messages. This is the same or [...] Content analysis details: (0.0 points, 5.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -0.0 SPF_PASS SPF: sender matches SPF record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at https://www.dnswl.org/, no trust [2a00:1450:4864:20:0:0:0:535 listed in] [list.dnswl.org] X-BeenThere: hostap@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: "Hostap" Errors-To: hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org - Implement wolfssl_cert_tod() to support setting the correct tod value in the certificate event message. - Always send the certificate event message in addition to error messages. This is the same order of messages that the OpenSSL backend sends. Signed-off-by: Juliusz Sosinowicz --- src/crypto/tls_wolfssl.c | 34 ++++++++++++++++++++++++++++++++-- tests/hwsim/utils.py | 2 +- 2 files changed, 33 insertions(+), 3 deletions(-) diff --git a/src/crypto/tls_wolfssl.c b/src/crypto/tls_wolfssl.c index e851dd09d1..38575375de 100644 --- a/src/crypto/tls_wolfssl.c +++ b/src/crypto/tls_wolfssl.c @@ -992,6 +992,35 @@ static void wolfssl_tls_fail_event(struct tls_connection *conn, wpabuf_free(cert); } +static int wolfssl_cert_tod(X509 *cert) +{ + WOLFSSL_STACK *ext; + int i; + char *buf; + int tod = 0; + + ext = wolfSSL_X509_get_ext_d2i(cert, CERT_POLICY_OID, NULL, NULL); + if (!ext) + return 0; + + for (i = 0; i < wolfSSL_sk_num(ext); i++) { + WOLFSSL_ASN1_OBJECT *policy; + + policy = wolfSSL_sk_value(ext, i); + if (!policy) + continue; + + buf = (char*)policy->obj; + wpa_printf(MSG_DEBUG, "wolfSSL: Certificate Policy %s", buf); + if (os_strcmp(buf, "1.3.6.1.4.1.40808.1.3.1") == 0) + tod = 1; /* TOD-STRICT */ + else if (os_strcmp(buf, "1.3.6.1.4.1.40808.1.3.2") == 0 && !tod) + tod = 2; /* TOD-TOFU */ + } + wolfSSL_sk_pop_free(ext, NULL); + + return tod; +} static void wolfssl_tls_cert_event(struct tls_connection *conn, WOLFSSL_X509 *err_cert, int depth, @@ -1080,6 +1109,7 @@ static void wolfssl_tls_cert_event(struct tls_connection *conn, for (alt = 0; alt < num_alt_subject; alt++) ev.peer_cert.altsubject[alt] = alt_subject[alt]; ev.peer_cert.num_altsubject = num_alt_subject; + ev.peer_cert.tod = wolfssl_cert_tod(err_cert); context->event_cb(context->cb_ctx, TLS_PEER_CERTIFICATE, &ev); wpabuf_free(cert); @@ -1185,6 +1215,8 @@ static int tls_verify_cb(int preverify_ok, WOLFSSL_X509_STORE_CTX *x509_ctx) } #endif /* CONFIG_SHA256 */ + wolfssl_tls_cert_event(conn, err_cert, depth, buf); + if (!preverify_ok) { wpa_printf(MSG_WARNING, "TLS: Certificate verification failed, error %d (%s) depth %d for '%s'", @@ -1232,8 +1264,6 @@ static int tls_verify_cb(int preverify_ok, WOLFSSL_X509_STORE_CTX *x509_ctx) wolfssl_tls_fail_event(conn, err_cert, err, depth, buf, "Domain mismatch", TLS_FAIL_DOMAIN_MISMATCH); - } else { - wolfssl_tls_cert_event(conn, err_cert, depth, buf); } if (conn->cert_probe && preverify_ok && depth == 0) { diff --git a/tests/hwsim/utils.py b/tests/hwsim/utils.py index 7e36082843..cd97c0175e 100644 --- a/tests/hwsim/utils.py +++ b/tests/hwsim/utils.py @@ -145,7 +145,7 @@ def check_imsi_privacy_support(dev): def check_tls_tod(dev): tls = dev.request("GET tls_library") - if not tls.startswith("OpenSSL") and not tls.startswith("internal"): + if not tls.startswith("OpenSSL") and not tls.startswith("wolfSSL") and not tls.startswith("internal"): raise HwsimSkip("TLS TOD-TOFU/STRICT not supported with this TLS library: " + tls) def vht_supported():