From patchwork Thu Apr 4 18:16:07 2024
X-Patchwork-Submitter: Juliusz Sosinowicz
X-Patchwork-Id: 1919903
From: Juliusz Sosinowicz
To: hostap@lists.infradead.org
Cc: Juliusz Sosinowicz
Subject: [PATCH 01/24] wolfssl: simplify tls_get_cipher
Date: Thu, 4 Apr 2024 20:16:07 +0200
Message-Id: <20240404181630.2431991-1-juliusz@wolfssl.com>
It appears that wolfSSL_get_cipher_name returns the ciphersuite in the format expected by hostapd.

Signed-off-by: Juliusz Sosinowicz
---
 src/crypto/tls_wolfssl.c | 22 ++--------------------
 1 file changed, 2 insertions(+), 20 deletions(-)

diff --git a/src/crypto/tls_wolfssl.c b/src/crypto/tls_wolfssl.c
index 0b2947daf9..4db23e14ff 100644
--- a/src/crypto/tls_wolfssl.c
+++ b/src/crypto/tls_wolfssl.c
@@ -1924,34 +1924,16 @@ int tls_connection_set_cipher_list(void *tls_ctx, struct tls_connection *conn, int tls_get_cipher(void *tls_ctx, struct tls_connection *conn, char *buf, size_t buflen) { - WOLFSSL_CIPHER *cipher; const char *name; if (!conn || !conn->ssl) return -1; - cipher = wolfSSL_get_current_cipher(conn->ssl); - if (!cipher) - return -1; - - name = wolfSSL_CIPHER_get_name(cipher); + name = wolfSSL_get_cipher_name(conn->ssl); if (!name) return -1; - if (os_strcmp(name, "SSL_RSA_WITH_RC4_128_SHA") == 0) - os_strlcpy(buf, "RC4-SHA", buflen); - else if (os_strcmp(name, "TLS_RSA_WITH_AES_128_CBC_SHA") == 0) - os_strlcpy(buf, "AES128-SHA", buflen); - else if (os_strcmp(name, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA") == 0) - os_strlcpy(buf, "DHE-RSA-AES128-SHA", buflen); - else if (os_strcmp(name, "TLS_DH_anon_WITH_AES_128_CBC_SHA") == 0) - os_strlcpy(buf, "ADH-AES128-SHA", buflen); - else if (os_strcmp(name, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA") == 0) - os_strlcpy(buf, "DHE-RSA-AES256-SHA", buflen); - else if (os_strcmp(name, "TLS_RSA_WITH_AES_256_CBC_SHA") == 0) - os_strlcpy(buf, "AES256-SHA", buflen); - else - os_strlcpy(buf, name, buflen); + os_strlcpy(buf, name, buflen); return 0; }
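Review bot: the commit message's "It appears" is doing a lot of work here. The table this hunk removes is the only place that turned IANA-style names such as TLS_RSA_WITH_AES_128_CBC_SHA and TLS_DH_anon_WITH_AES_128_CBC_SHA into the OpenSSL-style names (AES128-SHA, ADH-AES128-SHA) that callers and the hwsim "EAP TLS cipher" checks compare against, and after the change whatever wolfSSL_get_cipher_name() returns is copied through unchanged. State which wolfSSL version guarantees the OpenSSL-style form, and note that 02/24 in this same series immediately adds a TLS 1.3 exception in this function using wolfSSL_get_cipher(), which suggests the claim does not hold for 1.3 and belongs in this patch's description (or the two should be squashed). Folding the wolfSSL_get_current_cipher() NULL check into the remaining `if (!name)` test is fine.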
From patchwork Thu Apr 4 18:16:08 2024
X-Patchwork-Submitter: Juliusz Sosinowicz
X-Patchwork-Id: 1919900
From: Juliusz Sosinowicz
To: hostap@lists.infradead.org
Cc: Juliusz Sosinowicz
Subject: [PATCH 02/24] wolfssl: implement suiteb ciphersuite
Date: Thu, 4 Apr 2024 20:16:08 +0200
Message-Id: <20240404181630.2431991-2-juliusz@wolfssl.com>
In-Reply-To: <20240404181630.2431991-1-juliusz@wolfssl.com>
References: <20240404181630.2431991-1-juliusz@wolfssl.com>
Signed-off-by: Juliusz Sosinowicz
---
 src/crypto/tls_wolfssl.c    | 166 +++++++++++++++++++++++++++++-------
 tests/hwsim/test_suite_b.py |  31 +++++--
 2 files changed, 162 insertions(+), 35 deletions(-)

diff --git a/src/crypto/tls_wolfssl.c b/src/crypto/tls_wolfssl.c
index 4db23e14ff..25616f2c7a 100644
--- a/src/crypto/tls_wolfssl.c
+++ b/src/crypto/tls_wolfssl.c
@@ -223,11 +223,127 @@ static void wolfSSL_logging_cb(const int log_level, #endif /* DEBUG_WOLFSSL */ +#define SUITEB_OLDTLS_192_CIPHERS "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384" +#define SUITEB_TLS13_192_CIPHERS "TLS13-AES256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256" +#define SUITEB_TLS_192_CIPHERS SUITEB_TLS13_192_CIPHERS ":" SUITEB_OLDTLS_192_CIPHERS + +#define SUITEB_OLDTLS_128_CIPHERS SUITEB_OLDTLS_192_CIPHERS ":ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256" +#define SUITEB_TLS13_128_CIPHERS SUITEB_TLS13_192_CIPHERS ":TLS13-AES128-GCM-SHA256" +#define SUITEB_TLS_128_CIPHERS SUITEB_TLS13_128_CIPHERS ":" SUITEB_OLDTLS_128_CIPHERS + +#define SUITEB_TLS_192_SIGALGS "ECDSA+SHA384:RSA-PSS+SHA384:RSA+SHA384" +#define SUITEB_TLS_128_SIGALGS SUITEB_TLS_192_SIGALGS ":ECDSA+SHA256:RSA-PSS+SHA256:RSA+SHA256" + +#define SUITEB_TLS_192_CURVES "P-384:P-521" +#define SUITEB_TLS_128_CURVES "P-256:" SUITEB_TLS_192_CURVES + +static int handle_ciphersuites(WOLFSSL_CTX* ssl_ctx, WOLFSSL* ssl, + const char* openssl_ciphers, unsigned int flags) +{ + const char* ciphers = "DEFAULT:!aNULL"; + const char* sigalgs = NULL; + const char* curves = NULL; + unsigned int tls13 = !(flags & TLS_CONN_DISABLE_TLSv1_3); + unsigned int tls13OnlyMask = TLS_CONN_DISABLE_TLSv1_2 | + TLS_CONN_DISABLE_TLSv1_1 | TLS_CONN_DISABLE_TLSv1_0; + unsigned int oldTlsOnly = ((flags & tls13OnlyMask) != tls13OnlyMask) && !tls13; + unsigned int tls13only = ((flags & tls13OnlyMask) == tls13OnlyMask) && + !(flags & TLS_CONN_DISABLE_TLSv1_3); + short keySz = 0; + short eccKeySz = 0; + if (openssl_ciphers) { + if (os_strcmp(openssl_ciphers, "SUITEB128") == 0) { + if (tls13only) + ciphers = SUITEB_TLS13_128_CIPHERS; + else if (oldTlsOnly) + ciphers = SUITEB_OLDTLS_128_CIPHERS; + else + ciphers = SUITEB_TLS_128_CIPHERS; + sigalgs = SUITEB_TLS_128_SIGALGS; + keySz = 2048; + eccKeySz = 224; + curves = SUITEB_TLS_128_CURVES; + } + else if 
(os_strcmp(openssl_ciphers, "SUITEB192") == 0) { + if (tls13only) + ciphers = SUITEB_TLS13_192_CIPHERS; + else if (oldTlsOnly) + ciphers = SUITEB_OLDTLS_192_CIPHERS; + else + ciphers = SUITEB_TLS_192_CIPHERS; + sigalgs = SUITEB_TLS_192_SIGALGS; + keySz = 3072; + eccKeySz = 256; + curves = SUITEB_TLS_192_CURVES; + } + else + ciphers = openssl_ciphers; + } + else if (flags & TLS_CONN_SUITEB) { + if (tls13only) + ciphers = SUITEB_TLS13_192_CIPHERS; + else if (oldTlsOnly) + ciphers = SUITEB_OLDTLS_192_CIPHERS; + else + ciphers = SUITEB_TLS_192_CIPHERS; + sigalgs = SUITEB_TLS_192_SIGALGS; + keySz = 3072; + eccKeySz = 256; + curves = SUITEB_TLS_192_CURVES; + } + wpa_printf(MSG_DEBUG, "wolfSSL: cipher suites for %s", ssl_ctx ? "ctx" : "ssl"); + wpa_printf(MSG_DEBUG, "wolfSSL: openssl_ciphers: %s", openssl_ciphers ? openssl_ciphers : "N/A"); + wpa_printf(MSG_DEBUG, "wolfSSL: cipher suites: %s", ciphers ? ciphers : "N/A"); + wpa_printf(MSG_DEBUG, "wolfSSL: sigalgs: %s", sigalgs ? sigalgs : "N/A"); + wpa_printf(MSG_DEBUG, "wolfSSL: key size: %d", keySz); + if (ciphers) { + if ((ssl_ctx && wolfSSL_CTX_set_cipher_list(ssl_ctx, ciphers) != 1) || + (ssl && wolfSSL_set_cipher_list(ssl, ciphers) != 1)) { + wpa_printf(MSG_ERROR, + "wolfSSL: Failed to set cipher string '%s'", ciphers); + return -1; + } + } + if (sigalgs) { + if ((ssl_ctx && wolfSSL_CTX_set1_sigalgs_list(ssl_ctx, sigalgs) != 1) || + (ssl && wolfSSL_set1_sigalgs_list(ssl, sigalgs) != 1)) { + wpa_printf(MSG_ERROR, + "wolfSSL: Failed to set sigalgs '%s'", sigalgs); + return -1; + } + } + if (keySz) { + if ((ssl_ctx && wolfSSL_CTX_SetMinRsaKey_Sz(ssl_ctx, keySz) != 1) || + (ssl && wolfSSL_SetMinRsaKey_Sz(ssl, keySz) != 1) || + (ssl_ctx && wolfSSL_CTX_SetMinDhKey_Sz(ssl_ctx, keySz) != 1) || + (ssl && wolfSSL_SetMinDhKey_Sz(ssl, keySz) != 1)) { + wpa_printf(MSG_ERROR, "wolfSSL: Failed to set min key size"); + return -1; + } + } + if (eccKeySz) { + if ((ssl_ctx && wolfSSL_CTX_SetMinEccKey_Sz(ssl_ctx, eccKeySz) != 1) || + 
(ssl && wolfSSL_SetMinEccKey_Sz(ssl, eccKeySz) != 1) || + (ssl_ctx && wolfSSL_CTX_SetTmpEC_DHE_Sz(ssl_ctx, eccKeySz/8) != 1) || + (ssl && wolfSSL_SetTmpEC_DHE_Sz(ssl, eccKeySz/8) != 1)) { + wpa_printf(MSG_ERROR, "wolfSSL: Failed to set min ecc key size"); + return -1; + } + } + if (curves) { + if ((ssl_ctx && wolfSSL_CTX_set1_curves_list(ssl_ctx, curves) != 1) || + (ssl && wolfSSL_set1_curves_list(ssl, curves) != 1)) { + wpa_printf(MSG_ERROR, "wolfSSL: Failed to set curves"); + return -1; + } + } + return 0; +} + void * tls_init(const struct tls_config *conf) { WOLFSSL_CTX *ssl_ctx; struct tls_context *context; - const char *ciphers; #ifdef DEBUG_WOLFSSL wolfSSL_SetLoggingCb(wolfSSL_logging_cb); @@ -280,19 +396,14 @@ void * tls_init(const struct tls_config *conf) WOLFSSL_SESS_CACHE_OFF); } - if (conf && conf->openssl_ciphers) - ciphers = conf->openssl_ciphers; - else - ciphers = "ALL"; - wpa_printf(MSG_DEBUG, "wolfSSL: cipher suites: %s", ciphers); - if (wolfSSL_CTX_set_cipher_list(ssl_ctx, ciphers) != 1) { - wpa_printf(MSG_ERROR, - "wolfSSL: Failed to set cipher string '%s'", - ciphers); + if (handle_ciphersuites(ssl_ctx, NULL, conf->openssl_ciphers, + conf ? conf->tls_flags : 0) != 0) { + wpa_printf(MSG_INFO, "Error setting ciphersuites"); tls_deinit(ssl_ctx); return NULL; } + return ssl_ctx; } @@ -819,6 +930,8 @@ static enum tls_fail_reason wolfssl_tls_fail_reason(int err) case X509_V_ERR_CERT_UNTRUSTED: case X509_V_ERR_CERT_REJECTED: return TLS_FAIL_BAD_CERTIFICATE; + case RSA_KEY_SIZE_E: + return TLS_FAIL_INSUFFICIENT_KEY_LEN; default: return TLS_FAIL_UNSPECIFIED; } 
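Review bot: in the handle_ciphersuites() hunk the minimum ECC key sizes do not match the curve lists: SUITEB128 sets eccKeySz = 224 next to curves "P-256:P-384:P-521" and SUITEB192 sets eccKeySz = 256 next to "P-384:P-521", so a P-224 certificate key (128-bit profile) or a P-256 one (192-bit profile) passes wolfSSL_SetMinEccKey_Sz() even though the profile's smallest curve is P-256 or P-384, and the same numbers feed wolfSSL_CTX_SetTmpEC_DHE_Sz(ssl_ctx, eccKeySz/8), i.e. a 28- or 32-byte ephemeral key below the listed curves. Either raise eccKeySz to 256 and 384 or add a comment explaining why the looser minimum is intended. Separately, the function only consults flags & TLS_CONN_SUITEB, while the hwsim hunk in this same patch configures tls_flags = "[SUITEB-NO-ECDH]"; with the ECDHE suites still first in SUITEB_OLDTLS_192_CIPHERS that restriction is never applied, which is presumably why the DH test below has to tolerate a generic failure. Minor: `if (ciphers)` can never be false because ciphers starts as "DEFAULT:!aNULL", and that default silently replaces the previous "ALL" fallback in tls_init(), which deserves a sentence in the commit message.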
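Review bot: the tls_init() hunk dereferences conf->openssl_ciphers unconditionally in the same call that guards conf with `conf ? conf->tls_flags : 0`; the code it replaces tested `conf && conf->openssl_ciphers`. Pick one: either conf may be NULL, in which case the first argument needs the same guard, or it may not, in which case the ternary is dead and should go. The new "Error setting ciphersuites" message also drops the "wolfSSL: " prefix most messages in this file use and no longer names the rejected cipher string; since handle_ciphersuites() already logs the failure at MSG_ERROR with the string, this extra MSG_INFO line is mostly noise.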
@@ -1324,13 +1437,9 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn, return -1; } - wpa_printf(MSG_DEBUG, "wolfSSL: cipher suites: %s", - params->openssl_ciphers ? params->openssl_ciphers : "N/A"); - if (params->openssl_ciphers && - wolfSSL_set_cipher_list(conn->ssl, params->openssl_ciphers) != 1) { - wpa_printf(MSG_INFO, - "wolfSSL: Failed to set cipher string '%s'", - params->openssl_ciphers); + if (handle_ciphersuites(NULL, conn->ssl, params->openssl_ciphers, + params->flags) != 0) { + wpa_printf(MSG_INFO, "Error setting ciphersuites"); return -1; } @@ -1556,14 +1665,9 @@ int tls_global_set_params(void *tls_ctx, return -1; } - wpa_printf(MSG_DEBUG, "wolfSSL: cipher suites: %s", - params->openssl_ciphers ? params->openssl_ciphers : "N/A"); - if (params->openssl_ciphers && - wolfSSL_CTX_set_cipher_list(tls_ctx, - params->openssl_ciphers) != 1) { - wpa_printf(MSG_INFO, - "wolfSSL: Failed to set cipher string '%s'", - params->openssl_ciphers); + if (handle_ciphersuites(tls_ctx, NULL, params->openssl_ciphers, + params->flags) != 0) { + wpa_printf(MSG_INFO, "Error setting ciphersuites"); return -1; } @@ -1870,7 +1974,7 @@ int tls_connection_set_cipher_list(void *tls_ctx, struct tls_connection *conn, if (!conn || !conn->ssl || !ciphers) return -1; - buf[0] = '\0'; + buf[0] = buf[1] = '\0'; pos = buf; end = pos + sizeof(buf); @@ -1910,9 +2014,8 @@ int tls_connection_set_cipher_list(void *tls_ctx, struct tls_connection *conn, c++; } - wpa_printf(MSG_DEBUG, "wolfSSL: cipher suites: %s", buf + 1); - - if (wolfSSL_set_cipher_list(conn->ssl, buf + 1) != 1) { + /* +1 to skip the ":" */ + if (handle_ciphersuites(NULL, conn->ssl, buf + 1, conn->flags) != 0) { wpa_printf(MSG_DEBUG, "Cipher suite configuration failed"); return -1; } 
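Review bot: the tls_connection_set_params() hunk changes behaviour when params->openssl_ciphers is NULL and TLS_CONN_SUITEB is not set. The old code skipped wolfSSL_set_cipher_list() and let the connection inherit the list configured on the context (including a global openssl_ciphers from tls_init()), whereas handle_ciphersuites() starts from ciphers = "DEFAULT:!aNULL" and always calls wolfSSL_set_cipher_list(), so every connection now overrides the context list with the default. The tls_global_set_params() hunk has the same effect on the context when no cipher string is given. Either return early from handle_ciphersuites() when neither a cipher string nor a Suite B flag was requested on a per-connection call, or make the default list conditional on ssl_ctx != NULL.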
@@ -1929,7 +2032,10 @@ int tls_get_cipher(void *tls_ctx, struct tls_connection *conn, if (!conn || !conn->ssl) return -1; - name = wolfSSL_get_cipher_name(conn->ssl); + if (wolfSSL_version(conn->ssl) == TLS1_3_VERSION) + name = wolfSSL_get_cipher(conn->ssl); + else + name = wolfSSL_get_cipher_name(conn->ssl); if (!name) return -1; diff --git a/tests/hwsim/test_suite_b.py b/tests/hwsim/test_suite_b.py index d03a39deef..59e255a3c6 100644 --- a/tests/hwsim/test_suite_b.py +++ b/tests/hwsim/test_suite_b.py @@ -74,7 +74,8 @@ def test_suite_b(dev, apdev): hapd.wait_sta() tls_cipher = dev[0].get_status_field("EAP TLS cipher") if tls_cipher != "ECDHE-ECDSA-AES128-GCM-SHA256" and \ - tls_cipher != "ECDHE-ECDSA-AES-128-GCM-AEAD": + tls_cipher != "ECDHE-ECDSA-AES-128-GCM-AEAD" and \ + tls_cipher != "ECDHE-ECDSA-AES256-GCM-SHA384": raise Exception("Unexpected TLS cipher: " + tls_cipher) bss = dev[0].get_bss(apdev[0]['bssid']) @@ -488,7 +489,16 @@ def test_suite_b_192_rsa_insufficient_key(dev, apdev): params["ca_cert"] = "auth_serv/ca.pem" params["server_cert"] = "auth_serv/server.pem" params["private_key"] = "auth_serv/server.key" - hapd = hostapd.add_ap(apdev[0], params) + + try: + hapd = hostapd.add_ap(apdev[0], params) + except: + hapd = hostapd.add_ap(apdev[0], suite_b_192_rsa_ap_params()) + tls = hapd.request("GET tls_library") + if tls.startswith("wolfSSL"): + # wolfSSL fails during key loading with too short key + return + raise dev[0].connect("test-suite-b", key_mgmt="WPA-EAP-SUITE-B-192", ieee80211w="2", @@ -505,6 +515,8 @@ def test_suite_b_192_rsa_insufficient_key(dev, apdev): raise Exception("Certificate error not reported") if "reason=11" in ev and "err='Insufficient RSA modulus size'" in ev: return + if "reason=11" in ev and "err='RSA key too small'" in ev: + return if "reason=7" in ev and "err='certificate uses insecure algorithm'" in ev: return raise Exception("Unexpected error reason: " + ev) 
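Review bot: the tls_get_cipher() hunk special-cases TLS 1.3 to use wolfSSL_get_cipher() while keeping wolfSSL_get_cipher_name() for older versions, which contradicts 01/24's claim that wolfSSL_get_cipher_name() already returns the format hostapd expects. Either squash this into 01/24 or say in this commit message what the two calls return for a TLS 1.3 suite, because the hwsim expectations in test_suite_b() now depend on it.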
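Review bot: in the test_suite_b_192_rsa_insufficient_key() hunk the bare `except:` swallows every BaseException, including KeyboardInterrupt; use `except Exception:` or catch the specific exception hostapd.add_ap() raises. Inside the handler a second AP is brought up with suite_b_192_rsa_ap_params() solely to answer "GET tls_library", and when the library is not wolfSSL that AP is left running when `raise` re-raises; stop it first. The comment "wolfSSL fails during key loading with too short key" should name the check expected to trip (the 3072-bit RSA minimum from wolfSSL_CTX_SetMinRsaKey_Sz()) so the early return is not mistaken for a skipped test.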
@@ -516,7 +528,16 @@ def test_suite_b_192_rsa_insufficient_dh(dev, apdev): params = suite_b_192_rsa_ap_params() params["tls_flags"] = "[SUITEB-NO-ECDH]" params["dh_file"] = "auth_serv/dh.conf" - hapd = hostapd.add_ap(apdev[0], params) + try: + hapd = hostapd.add_ap(apdev[0], params) + except: + hapd = hostapd.add_ap(apdev[0], suite_b_192_rsa_ap_params()) + tls = hapd.request("GET tls_library") + if tls.startswith("wolfSSL"): + # wolfSSL fails during key loading with too short key + return + raise + dev[0].connect("test-suite-b", key_mgmt="WPA-EAP-SUITE-B-192", ieee80211w="2", 
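Review bot: the test_suite_b_192_rsa_insufficient_dh() hunk repeats the bare `except:` and second-AP pattern from test_suite_b_192_rsa_insufficient_key() and copies its comment verbatim, but this test sets dh_file = "auth_serv/dh.conf", so the failure the handler expects presumably comes from loading the DH parameters against the minimum set via wolfSSL_CTX_SetMinDhKey_Sz(), not from an RSA key; say which in the comment, and pull the shared try/except into a small helper used by both tests.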
@@ -528,14 +549,14 @@ def test_suite_b_192_rsa_insufficient_dh(dev, apdev): pairwise="GCMP-256", group="GCMP-256", scan_freq="2412", wait_connect=False) ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS status='local TLS alert'", - "CTRL-EVENT-CONNECTED"], + "CTRL-EVENT-CONNECTED", "CTRL-EVENT-EAP-FAILURE"], timeout=10) dev[0].request("DISCONNECT") if ev is None: raise Exception("DH error not reported") if "CTRL-EVENT-CONNECTED" in ev: raise Exception("Unexpected connection") - if "insufficient security" not in ev and "internal error" not in ev: + if "insufficient security" not in ev and "internal error" not in ev and "authentication failed" not in ev: raise Exception("Unexpected error reason: " + ev) def test_suite_b_192_rsa_radius(dev, apdev):
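Review bot: the last hunk widens test_suite_b_192_rsa_insufficient_dh() to accept CTRL-EVENT-EAP-FAILURE and an "authentication failed" reason alongside the local TLS alert, so the test now passes on any EAP failure rather than on a DH-strength rejection specifically. Unless the wolfSSL path genuinely cannot surface "insufficient security", gate the looser acceptance on the TLS library the test already queries with "GET tls_library" so the OpenSSL expectation stays strict. The lengthened `if` line also runs well past 80 columns; wrap it.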
From patchwork Thu Apr 4 18:16:09 2024
X-Patchwork-Submitter: Juliusz Sosinowicz
X-Patchwork-Id: 1919902
From: Juliusz Sosinowicz
To: hostap@lists.infradead.org
Cc: Juliusz Sosinowicz
Subject: [PATCH 03/24] wolfssl: use defines for ex_data access
Date: Thu, 4 Apr 2024 20:16:09 +0200
Message-Id: <20240404181630.2431991-3-juliusz@wolfssl.com>
In-Reply-To: <20240404181630.2431991-1-juliusz@wolfssl.com>
References: <20240404181630.2431991-1-juliusz@wolfssl.com>
Signed-off-by: Juliusz Sosinowicz
---
 src/crypto/tls_wolfssl.c | 28 ++++++++++++++++------------
 1 file changed, 16 insertions(+), 12 deletions(-)

diff --git a/src/crypto/tls_wolfssl.c b/src/crypto/tls_wolfssl.c
index 25616f2c7a..26832ed430 100644
--- a/src/crypto/tls_wolfssl.c
+++ b/src/crypto/tls_wolfssl.c
@@ -42,7 +42,9 @@ static int tls_ref_count = 0; -static int tls_ex_idx_session = 0; +#define TLS_SESSION_EX_IDX (0) +#define TLS_SSL_CTX_CTX_EX_IDX (0) +#define TLS_SSL_CON_EX_IDX (0) /* tls input data for wolfSSL Read Callback */ @@ -184,7 +186,7 @@ static void remove_session_cb(WOLFSSL_CTX *ctx, WOLFSSL_SESSION *sess) { struct wpabuf *buf; - buf = wolfSSL_SESSION_get_ex_data(sess, tls_ex_idx_session); + buf = wolfSSL_SESSION_get_ex_data(sess, TLS_SESSION_EX_IDX); if (!buf) return; wpa_printf(MSG_DEBUG, @@ -192,7 +194,7 @@ static void remove_session_cb(WOLFSSL_CTX *ctx, WOLFSSL_SESSION *sess) buf, sess); wpabuf_free(buf); - wolfSSL_SESSION_set_ex_data(sess, tls_ex_idx_session, NULL); + wolfSSL_SESSION_set_ex_data(sess, TLS_SESSION_EX_IDX, NULL); }
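Review bot: in the @@ -42 hunk all three new macros expand to the same value, (0), and nothing says why that is safe. TLS_SESSION_EX_IDX, TLS_SSL_CTX_CTX_EX_IDX and TLS_SSL_CON_EX_IDX index three different ex_data tables (WOLFSSL_SESSION, WOLFSSL_CTX and WOLFSSL), so equal values do not collide with each other, but a one-line comment above the defines would stop a later reader from "fixing" them to 0, 1, 2. The larger point the hunk leaves as it was: slot 0 is hardcoded, so any other code in the same process that stores its own pointer in ex_data slot 0 of the same WOLFSSL_CTX or WOLFSSL object silently replaces hostap's struct tls_context or struct tls_connection pointer, and tls_verify_cb() then either bails out with "wolfSSL: No ex_data" or treats a foreign pointer as a struct tls_connection. If the supported wolfSSL versions provide wolfSSL_CTX_get_ex_new_index(), wolfSSL_get_ex_new_index() and wolfSSL_SESSION_get_ex_new_index(), allocating the three indices once in tls_init() would be the robust version of this change; otherwise please document that hostap claims slot 0 of each object.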
@@ -380,7 +382,7 @@ void * tls_init(const struct tls_config *conf) wolfSSL_SetIORecv(ssl_ctx, wolfssl_receive_cb); wolfSSL_SetIOSend(ssl_ctx, wolfssl_send_cb); context->tls_session_lifetime = conf->tls_session_lifetime; - wolfSSL_CTX_set_ex_data(ssl_ctx, 0, context); + wolfSSL_CTX_set_ex_data(ssl_ctx, TLS_SSL_CTX_CTX_EX_IDX, context); if (conf->tls_session_lifetime > 0) { wolfSSL_CTX_set_session_id_context(ssl_ctx, @@ -410,7 +412,8 @@ void * tls_init(const struct tls_config *conf) void tls_deinit(void *ssl_ctx) { - struct tls_context *context = wolfSSL_CTX_get_ex_data(ssl_ctx, 0); + struct tls_context *context = wolfSSL_CTX_get_ex_data(ssl_ctx, + TLS_SSL_CTX_CTX_EX_IDX); if (context != tls_global) os_free(context); @@ -462,8 +465,8 @@ struct tls_connection * tls_connection_init(void *tls_ctx) wolfSSL_SetIOReadCtx(conn->ssl, &conn->input); wolfSSL_SetIOWriteCtx(conn->ssl, &conn->output); - wolfSSL_set_ex_data(conn->ssl, 0, conn); - conn->context = wolfSSL_CTX_get_ex_data(ssl_ctx, 0); + wolfSSL_set_ex_data(conn->ssl, TLS_SSL_CON_EX_IDX, conn); + conn->context = wolfSSL_CTX_get_ex_data(ssl_ctx, TLS_SSL_CTX_CTX_EX_IDX); /* Need randoms post-hanshake for EAP-FAST, export key and deriving * session ID in EAP methods. */ @@ -1109,7 +1112,7 @@ static int tls_verify_cb(int preverify_ok, WOLFSSL_X509_STORE_CTX *x509_ctx) wolfSSL_X509_NAME_oneline(wolfSSL_X509_get_subject_name(err_cert), buf, sizeof(buf)); - conn = wolfSSL_get_ex_data(ssl, 0); + conn = wolfSSL_get_ex_data(ssl, TLS_SSL_CON_EX_IDX); if (!conn) { wpa_printf(MSG_DEBUG, "wolfSSL: No ex_data"); return 0; @@ -1733,7 +1736,8 @@ int tls_connection_set_verify(void *ssl_ctx, struct tls_connection *conn, wolfSSL_set_accept_state(conn->ssl); - context = wolfSSL_CTX_get_ex_data((WOLFSSL_CTX *) ssl_ctx, 0); + context = wolfSSL_CTX_get_ex_data((WOLFSSL_CTX *) ssl_ctx, + TLS_SSL_CTX_CTX_EX_IDX); if (context && context->tls_session_lifetime == 0) { /* * Set session id context to a unique value to make sure 
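Review bot: in the @@ -462 hunk the new line conn->context = wolfSSL_CTX_get_ex_data(ssl_ctx, TLS_SSL_CTX_CTX_EX_IDX); runs to 81 columns with its tab indent, while the equivalent calls in tls_deinit() (@@ -410) and tls_connection_set_verify() (@@ -1733) in this same patch were wrapped after the first argument. Wrap this one the same way, with TLS_SSL_CTX_CTX_EX_IDX on a continuation line aligned under ssl_ctx, so the file stays within the 79-column style the rest of it follows.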
@@ -2361,13 +2365,13 @@ void tls_connection_set_success_data(struct tls_connection *conn, goto fail; } - old = wolfSSL_SESSION_get_ex_data(sess, tls_ex_idx_session); + old = wolfSSL_SESSION_get_ex_data(sess, TLS_SESSION_EX_IDX); if (old) { wpa_printf(MSG_DEBUG, "wolfSSL: Replacing old success data %p", old); wpabuf_free(old); } - if (wolfSSL_SESSION_set_ex_data(sess, tls_ex_idx_session, data) != 1) + if (wolfSSL_SESSION_set_ex_data(sess, TLS_SESSION_EX_IDX, data) != 1) goto fail; wpa_printf(MSG_DEBUG, "wolfSSL: Stored success data %p", data); 
@@ -2390,7 +2394,7 @@ tls_connection_get_success_data(struct tls_connection *conn) sess = wolfSSL_get_session(conn->ssl); if (!sess) return NULL; - return wolfSSL_SESSION_get_ex_data(sess, tls_ex_idx_session); + return wolfSSL_SESSION_get_ex_data(sess, TLS_SESSION_EX_IDX); }

From patchwork Thu Apr 4 18:16:10 2024
X-Patchwork-Submitter: Juliusz Sosinowicz
X-Patchwork-Id: 1919901
From: Juliusz Sosinowicz
To: hostap@lists.infradead.org
Cc: Juliusz Sosinowicz
Subject: [PATCH 04/24] wolfssl: fix get_x509_cert
Date: Thu, 4 Apr 2024 20:16:10 +0200
Message-Id: <20240404181630.2431991-4-juliusz@wolfssl.com>
In-Reply-To: <20240404181630.2431991-1-juliusz@wolfssl.com>
References: <20240404181630.2431991-1-juliusz@wolfssl.com>
The conditional was checking if data was not present. We should be
allocating the buffer when data *is* present.

Signed-off-by: Juliusz Sosinowicz
---
 src/crypto/tls_wolfssl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/crypto/tls_wolfssl.c b/src/crypto/tls_wolfssl.c
index 26832ed430..e851dd09d1 100644
--- a/src/crypto/tls_wolfssl.c
+++ b/src/crypto/tls_wolfssl.c
@@ -961,7 +961,7 @@ static struct wpabuf * get_x509_cert(WOLFSSL_X509 *cert) int cert_len; data = wolfSSL_X509_get_der(cert, &cert_len); - if (!data) + if (data) buf = wpabuf_alloc_copy(data, cert_len); return buf;
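Review bot: the one-character fix in the @@ -961 hunk deserves a fuller commit message than "the conditional was checking if data was not present". With the old if (!data), the only time wpabuf_alloc_copy() ran was when wolfSSL_X509_get_der() had returned NULL, so it was called with a NULL source and the never-written int cert_len, and on the success path buf was never assigned, so get_x509_cert() could not return the DER at all. Saying that the change fixes both the NULL/uninitialised-length copy and the always-empty result makes it easier to find when someone backports it or hunts for the crash.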
From patchwork Thu Apr 4 18:16:11 2024
X-Patchwork-Submitter: Juliusz Sosinowicz
X-Patchwork-Id: 1919904
From: Juliusz Sosinowicz
To: hostap@lists.infradead.org
Cc: Juliusz Sosinowicz
Subject: [PATCH 05/24] wolfssl: support tod policy
Date: Thu, 4 Apr 2024 20:16:11 +0200
Message-Id: <20240404181630.2431991-5-juliusz@wolfssl.com>
In-Reply-To: <20240404181630.2431991-1-juliusz@wolfssl.com>
References: <20240404181630.2431991-1-juliusz@wolfssl.com>
- Implement wolfssl_cert_tod() to support setting the correct tod value in the certificate event message.
- Always send the certificate event message in addition to error messages. This is the same order of messages that the OpenSSL backend sends.

Signed-off-by: Juliusz Sosinowicz
---
 src/crypto/tls_wolfssl.c | 34 ++++++++++++++++++++++++++++++++--
 tests/hwsim/utils.py | 2 +-
 2 files changed, 33 insertions(+), 3 deletions(-)

diff --git a/src/crypto/tls_wolfssl.c b/src/crypto/tls_wolfssl.c
index e851dd09d1..38575375de 100644
--- a/src/crypto/tls_wolfssl.c
+++ b/src/crypto/tls_wolfssl.c
@@ -992,6 +992,35 @@ static void wolfssl_tls_fail_event(struct tls_connection *conn, wpabuf_free(cert); } +static int wolfssl_cert_tod(X509 *cert) +{ + WOLFSSL_STACK *ext; + int i; + char *buf; + int tod = 0; + + ext = wolfSSL_X509_get_ext_d2i(cert, CERT_POLICY_OID, NULL, NULL); + if (!ext) + return 0; + + for (i = 0; i < wolfSSL_sk_num(ext); i++) { + WOLFSSL_ASN1_OBJECT *policy; + + policy = wolfSSL_sk_value(ext, i); + if (!policy) + continue; + + buf = (char*)policy->obj; + wpa_printf(MSG_DEBUG, "wolfSSL: Certificate Policy %s", buf); + if (os_strcmp(buf, "1.3.6.1.4.1.40808.1.3.1") == 0) + tod = 1; /* TOD-STRICT */ + else if (os_strcmp(buf, "1.3.6.1.4.1.40808.1.3.2") == 0 && !tod) + tod = 2; /* TOD-TOFU */ + } + wolfSSL_sk_pop_free(ext, NULL); + + return tod; +} static void wolfssl_tls_cert_event(struct tls_connection *conn, WOLFSSL_X509 *err_cert, int depth, @@ -1080,6 +1109,7 @@ static void wolfssl_tls_cert_event(struct tls_connection *conn, for (alt = 0; alt < num_alt_subject; alt++) ev.peer_cert.altsubject[alt] = alt_subject[alt]; ev.peer_cert.num_altsubject = num_alt_subject; + ev.peer_cert.tod = wolfssl_cert_tod(err_cert); context->event_cb(context->cb_ctx, TLS_PEER_CERTIFICATE, &ev); wpabuf_free(cert); @@ -1185,6 +1215,8 @@ static int tls_verify_cb(int preverify_ok, WOLFSSL_X509_STORE_CTX *x509_ctx) } #endif /* CONFIG_SHA256 */ + wolfssl_tls_cert_event(conn, err_cert, depth, buf); + if (!preverify_ok) { wpa_printf(MSG_WARNING, "TLS: Certificate verification failed, error %d (%s) depth %d for '%s'", @@ -1232,8 +1264,6 @@ static int tls_verify_cb(int preverify_ok, WOLFSSL_X509_STORE_CTX *x509_ctx) wolfssl_tls_fail_event(conn, err_cert, err, depth, buf, "Domain mismatch", TLS_FAIL_DOMAIN_MISMATCH); - } else { - wolfssl_tls_cert_event(conn, err_cert, depth, buf); } if (conn->cert_probe && preverify_ok && depth == 0) { diff --git a/tests/hwsim/utils.py b/tests/hwsim/utils.py index 7e36082843..cd97c0175e 100644 --- a/tests/hwsim/utils.py 
+++ b/tests/hwsim/utils.py 
@@ -145,7 +145,7 @@ def check_imsi_privacy_support(dev): def check_tls_tod(dev): tls = dev.request("GET tls_library") - if not tls.startswith("OpenSSL") and not tls.startswith("internal"): + if not tls.startswith("OpenSSL") and not tls.startswith("wolfSSL") and not tls.startswith("internal"): raise HwsimSkip("TLS TOD-TOFU/STRICT not supported with this TLS library: " + tls) def vht_supported():
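Review bot: in the @@ -992 hunk of tls_wolfssl.c, wolfssl_cert_tod() compares (char*)policy->obj with os_strcmp(), which assumes that the obj member of a WOLFSSL_ASN1_OBJECT is a NUL-terminated dotted-decimal string. Nothing in the API guarantees that; obj is the object's encoded bytes with the length in objSz, so an unterminated obj would send os_strcmp() past the end of it. Going through the public conversion, wolfSSL_OBJ_obj2txt() into a local fixed-size char buffer and comparing that, keeps the comparison bounded and independent of the struct layout. Smaller points in the same hunk: the function takes X509 *cert while the rest of the file uses WOLFSSL_X509 (tls_verify_cb() passes a WOLFSSL_X509 *err_cert into it), wolfSSL_sk_pop_free(ext, NULL) should be confirmed to free the WOLFSSL_ASN1_OBJECT elements when the callback is NULL (otherwise pass the object free function, or the stack leaks once per handshake), and a blank line is missing between the closing brace of wolfssl_cert_tod() and static void wolfssl_tls_cert_event(). The precedence logic (STRICT sets 1, TOFU sets 2 only when nothing was set yet, so STRICT wins when a certificate carries both policies) reads as intended.

Review bot: the new condition in check_tls_tod() in the @@ -145 hunk of tests/hwsim/utils.py runs well past 79 columns and repeats the same pattern a third time. str.startswith() accepts a tuple, so if not tls.startswith(("OpenSSL", "wolfSSL", "internal")): says the same thing on one short line, and the next backend that gains TOD support gets added by appending one string.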
From patchwork Thu Apr 4 18:16:12 2024
X-Patchwork-Submitter: Juliusz Sosinowicz
X-Patchwork-Id: 1919905
From: Juliusz Sosinowicz
To: hostap@lists.infradead.org
Cc: Juliusz Sosinowicz
Subject: [PATCH 06/24] wolfssl: implement EAP-AKA
Date: Thu, 4 Apr 2024 20:16:12 +0200
Message-Id: <20240404181630.2431991-6-juliusz@wolfssl.com>
In-Reply-To: <20240404181630.2431991-1-juliusz@wolfssl.com>
References: <20240404181630.2431991-1-juliusz@wolfssl.com>
Implement the crypto_rsa_key set of functions in the wolfSSL backend to enable EAP-AKA and EAP-SIM

Signed-off-by: Juliusz Sosinowicz
---
 hostapd/Makefile | 1 +
 src/crypto/crypto_wolfssl.c | 256 ++++++++++++++++++++++++++++++++++++
 wpa_supplicant/Makefile | 1 +
 3 files changed, 258 insertions(+)

diff --git a/hostapd/Makefile b/hostapd/Makefile
index b3cb686734..2e69453443 100644
--- a/hostapd/Makefile
+++ b/hostapd/Makefile
@@ -708,6 +708,7 @@ CFLAGS += -DCONFIG_TLSV12 endif ifeq ($(CONFIG_TLS), wolfssl) +CFLAGS += -DCRYPTO_RSA_OAEP_SHA256 CONFIG_CRYPTO=wolfssl ifdef TLS_FUNCS OBJS += ../src/crypto/tls_wolfssl.o
diff --git a/src/crypto/crypto_wolfssl.c b/src/crypto/crypto_wolfssl.c
index 269174321b..74e25fab91 100644
--- a/src/crypto/crypto_wolfssl.c
+++ b/src/crypto/crypto_wolfssl.c
@@ -29,6 +29,7 @@ #include #include #include +#include #include #include #include
@@ -3554,6 +3555,261 @@ fail: #endif /* CONFIG_DPP */ +struct crypto_rsa_key { + RsaKey key; + WC_RNG *rng; +}; + +static struct crypto_rsa_key * crypto_rsa_key_init(void) +{ + struct crypto_rsa_key* ret; + int err; + ret = os_zalloc(sizeof(*ret)); + if (ret) { + err = wc_InitRsaKey(&ret->key, NULL); + if (err != MP_OKAY) { + LOG_WOLF_ERROR_FUNC(wc_InitRsaKey, err); + goto fail; + } + ret->rng = wc_rng_init(); + if (!ret->rng) { + LOG_WOLF_ERROR_FUNC_NULL(wc_rng_init); + goto fail; + } + err = wc_RsaSetRNG(&ret->key, ret->rng); + if (err != 0) { + LOG_WOLF_ERROR_FUNC(wc_RsaSetRNG, err); + goto fail; + } + } + return ret; +fail: + crypto_rsa_key_free(ret); + return NULL; +} + +void crypto_rsa_key_free(struct crypto_rsa_key *key) +{ + int err; + if (key) { + err = wc_FreeRsaKey(&key->key); + if (err != 0) + LOG_WOLF_ERROR_FUNC(wc_FreeRsaKey, err); + wc_rng_free(key->rng); + os_free(key); + } +} + +static void read_rsa_key_from_x509(unsigned char *keyPem, size_t keyPemLen, + DerBuffer** keyDer) +{ + struct DecodedCert cert; + DerBuffer* certDer = NULL; + word32 derKeySz = 0; + int err; + + err = wc_PemToDer(keyPem, (long)keyPemLen, CERT_TYPE, &certDer, + NULL, NULL, NULL); + if (err != 0) { + LOG_WOLF_ERROR_FUNC(wc_PemToDer, err); + goto fail; + } + + wc_InitDecodedCert(&cert, certDer->buffer, certDer->length, NULL); + err = wc_ParseCert(&cert, CERT_TYPE, NO_VERIFY, NULL); + if (err != 0) { + LOG_WOLF_ERROR_FUNC(wc_PemToDer, err); + goto fail; + } + + err = wc_GetPubKeyDerFromCert(&cert, NULL, &derKeySz); + if (err != LENGTH_ONLY_E) { + LOG_WOLF_ERROR_FUNC(wc_GetPubKeyDerFromCert, err); + goto fail; + } + + if (*keyDer) + wc_FreeDer(keyDer); + *keyDer = NULL; + + err = wc_AllocDer(keyDer, derKeySz, PUBLICKEY_TYPE, NULL); + if (err != 0) { + LOG_WOLF_ERROR_FUNC(wc_AllocDer, err); + goto fail; + } + + err = wc_GetPubKeyDerFromCert(&cert, (*keyDer)->buffer, &(*keyDer)->length); + if (err != 0) { + LOG_WOLF_ERROR_FUNC(wc_GetPubKeyDerFromCert, err); + goto fail; + } + 
+fail: + if (certDer) { + wc_FreeDecodedCert(&cert); + wc_FreeDer(&certDer); + } + /* caller is responsible for free'ing keyDer */ +} + +struct crypto_rsa_key * crypto_rsa_key_read(const char *file, bool private_key) +{ + struct crypto_rsa_key* ret = NULL; + unsigned char *keyPem = NULL; + size_t keyPemLen = 0; + DerBuffer* keyDer = NULL; + int keyFormat = 0; + int err; + int success = 0; + word32 idx = 0; + + keyPem = (unsigned char*)os_readfile(file, &keyPemLen); + if (!keyPem) { + LOG_WOLF_ERROR_FUNC_NULL(os_readfile); + goto fail; + } + + err = wc_PemToDer(keyPem, (long)keyPemLen, private_key ? PRIVATEKEY_TYPE : + PUBLICKEY_TYPE, &keyDer, + NULL, NULL, &keyFormat); + if (err != 0) { + if (private_key) { + LOG_WOLF_ERROR_FUNC(wc_PemToDer, err); + goto fail; + } + else { + /* input file might be public key or x509 cert we want to extract + * the key from */ + wpa_printf(MSG_DEBUG, + "wolfSSL: trying to extract key from x509 cert"); + read_rsa_key_from_x509(keyPem, keyPemLen, &keyDer); + if (!keyDer) { + LOG_WOLF_ERROR_FUNC(wc_PemToDer, err); + LOG_WOLF_ERROR_FUNC_NULL(read_rsa_key_from_x509); + goto fail; + } + } + } + if (private_key && keyFormat != RSAk) { + LOG_WOLF_ERROR("Private key is not RSA key"); + goto fail; + } + + /* No longer needed so let's free the memory early */ + os_free(keyPem); + keyPem = NULL; + + ret = crypto_rsa_key_init(); + if (!ret) { + LOG_WOLF_ERROR_FUNC_NULL(crypto_rsa_key_init); + goto fail; + } + + if (private_key) + err = wc_RsaPrivateKeyDecode(keyDer->buffer, &idx, &ret->key, keyDer->length); + else + err = wc_RsaPublicKeyDecode(keyDer->buffer, &idx, &ret->key, keyDer->length); + + if (err != 0) { + if (private_key) + LOG_WOLF_ERROR_FUNC(wc_RsaPrivateKeyDecode, err); + else + LOG_WOLF_ERROR_FUNC(wc_RsaPublicKeyDecode, err); + goto fail; + } + + success = 1; +fail: + if (keyPem) + os_free(keyPem); + if (keyDer) + wc_FreeDer(&keyDer); + if (!success && ret) { + crypto_rsa_key_free(ret); + ret = NULL; + } + return ret; +} + +struct 
wpabuf * crypto_rsa_oaep_sha256_encrypt(struct crypto_rsa_key *key, + const struct wpabuf *in) +{ + int err; + int success = 0; + struct wpabuf *ret = NULL; + + if (!key || !in) { + LOG_INVALID_PARAMETERS(); + return NULL; + } + + ret = wpabuf_alloc(wc_RsaEncryptSize(&key->key)); + if (!ret) { + LOG_WOLF_ERROR_FUNC_NULL(wpabuf_alloc); + goto fail; + } + + wpa_printf(MSG_DEBUG, + "wolfSSL: crypto_rsa_oaep_sha256_encrypt: wpabuf_len(in) %ld " + "wc_RsaEncryptSize(key->key) %d", wpabuf_len(in), wc_RsaEncryptSize(&key->key)); + + err = wc_RsaPublicEncrypt_ex(wpabuf_head_u8(in), wpabuf_len(in), + wpabuf_mhead_u8(ret), wpabuf_size(ret), &key->key, key->rng, + WC_RSA_OAEP_PAD, WC_HASH_TYPE_SHA256, WC_MGF1SHA256, NULL, 0); + if (err <= 0) { + LOG_WOLF_ERROR_FUNC(wc_RsaPublicEncrypt_ex, err); + goto fail; + } + wpabuf_put(ret, err); + + success = 1; +fail: + if (!success && ret) { + wpabuf_free(ret); + ret = NULL; + } + return ret; +} + +struct wpabuf * crypto_rsa_oaep_sha256_decrypt(struct crypto_rsa_key *key, + const struct wpabuf *in) +{ + int err; + int success = 0; + struct wpabuf *ret = NULL; + + if (!key || !in) { + LOG_INVALID_PARAMETERS(); + return NULL; + } + + ret = wpabuf_alloc(wc_RsaEncryptSize(&key->key)); + if (!ret) { + LOG_WOLF_ERROR_FUNC_NULL(wpabuf_alloc); + goto fail; + } + + wpa_printf(MSG_DEBUG, + "wolfSSL: crypto_rsa_oaep_sha256_decrypt: wpabuf_len(in) %ld " + "wc_RsaEncryptSize(key->key) %d", wpabuf_len(in), wc_RsaEncryptSize(&key->key)); + + err = wc_RsaPrivateDecrypt_ex(wpabuf_head_u8(in), wpabuf_len(in), + wpabuf_mhead_u8(ret), wpabuf_size(ret), &key->key, WC_RSA_OAEP_PAD, + WC_HASH_TYPE_SHA256, WC_MGF1SHA256, NULL, 0); + if (err <= 0) { + LOG_WOLF_ERROR_FUNC(wc_RsaPublicEncrypt_ex, err); + goto fail; + } + wpabuf_put(ret, err); + + success = 1; +fail: + if (!success && ret) { + wpabuf_free(ret); + ret = NULL; + } + return ret; +} void crypto_unload(void) { 
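Review bot: read_rsa_key_from_x509() has no way to report failure, so the caller's `if (!keyDer)` test in crypto_rsa_key_read() is not a reliable success check: if wc_AllocDer() succeeds and the second wc_GetPubKeyDerFromCert() then fails, *keyDer is left allocated with an unfilled buffer and crypto_rsa_key_read() goes on to wc_RsaPublicKeyDecode() on it. Return an int from read_rsa_key_from_x509() (or free and NULL *keyDer on every error path) and check that instead. Smaller points in the same hunk: the error log after wc_ParseCert() names the wrong function (`LOG_WOLF_ERROR_FUNC(wc_PemToDer, err)` should name wc_ParseCert), and the failure log in crypto_rsa_oaep_sha256_decrypt() names `wc_RsaPublicEncrypt_ex` where it should name wc_RsaPrivateDecrypt_ex; both MSG_DEBUG prints pass the size_t from wpabuf_len() to `%ld`, which should be `%zu` or an `(unsigned long)` cast with `%lu` as elsewhere in hostap; wc_InitRsaKey() is compared against MP_OKAY while every other wolfCrypt call in the hunk is compared against 0; the `fail:` label in read_rsa_key_from_x509() is also the normal exit path, so a name like `done:` would be clearer; and crypto_rsa_key_init() calls crypto_rsa_key_free() after a failed wc_InitRsaKey(), which then runs wc_FreeRsaKey() on a key that was only zeroed by os_zalloc() and wc_rng_free() on a NULL rng, so the cleanup relies on both of those tolerating that state and a comment saying so would help.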
diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile index dd13308f7b..3f75399eb9 100644 --- a/wpa_supplicant/Makefile +++ b/wpa_supplicant/Makefile 
@@ -1188,6 +1188,7 @@ TLS_FUNCS=y endif ifeq ($(CONFIG_TLS), wolfssl) +CFLAGS += -DCRYPTO_RSA_OAEP_SHA256 ifdef TLS_FUNCS CFLAGS += -DWOLFSSL_DER_LOAD OBJS += ../src/crypto/tls_wolfssl.o
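Review bot: CRYPTO_RSA_OAEP_SHA256 is added only to wpa_supplicant/Makefile here, and it sits outside the `ifdef TLS_FUNCS` block that the next line opens, so it is defined for every CONFIG_TLS=wolfssl build even when the TLS functions are not compiled in; if that is intended, say so in the commit message, and if hostapd is also expected to provide the new crypto_rsa_* functions with the wolfSSL backend, its Makefile needs the same CFLAGS line.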
From: Juliusz Sosinowicz
To: hostap@lists.infradead.org
Cc: Juliusz Sosinowicz
Subject: [PATCH 07/24] openssl: Use uncompressed format for ECC keys
Date: Thu, 4 Apr 2024 20:16:13 +0200
Message-Id: <20240404181630.2431991-7-juliusz@wolfssl.com>
In-Reply-To: <20240404181630.2431991-1-juliusz@wolfssl.com>
References: <20240404181630.2431991-1-juliusz@wolfssl.com>
OpenSSL <3.0 uses ECC keys in the uncompressed format. We should keep it that way for compatibility. The wolfSSL backend also uses the uncompressed format.

Signed-off-by: Juliusz Sosinowicz
---
 src/crypto/crypto_openssl.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/crypto/crypto_openssl.c b/src/crypto/crypto_openssl.c index 2d8ff60aa9..e83a40b57c 100644 --- a/src/crypto/crypto_openssl.c +++ b/src/crypto/crypto_openssl.c
@@ -3676,6 +3676,8 @@ struct wpabuf * crypto_ec_key_get_ecprivate_key(struct crypto_ec_key *key, 0); pkey = copy; } + EVP_PKEY_set_utf8_string_param(pkey, + OSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT, "uncompressed"); ctx = OSSL_ENCODER_CTX_new_for_pkey(pkey, selection, "DER", "type-specific", NULL);
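Review bot: the return value of EVP_PKEY_set_utf8_string_param() is discarded; it returns 0 on failure (for example when the key object does not accept OSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT), so check it and fail the export the same way the surrounding OSSL_ENCODER calls are checked. Note also that when the `pkey = copy` branch was not taken, the parameter is set on the caller's key object rather than on a local copy, so the uncompressed conversion format persists on that key after crypto_ec_key_get_ecprivate_key() returns; if only this DER encoding is meant to be affected, apply the setting to a copy in both paths, otherwise document the side effect in the commit message.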
From: Juliusz Sosinowicz
To: hostap@lists.infradead.org
Cc: Juliusz Sosinowicz
Subject: [PATCH 08/24] wolfssl: Set additional sigalgs when using anon cipher
Date: Thu, 4 Apr 2024 20:16:14 +0200
Message-Id: <20240404181630.2431991-8-juliusz@wolfssl.com>
In-Reply-To: <20240404181630.2431991-1-juliusz@wolfssl.com>
References: <20240404181630.2431991-1-juliusz@wolfssl.com>
When setting an anonymous cipher, wolfSSL would only set the anonymous signature algorithm. This sets some better defaults.

Signed-off-by: Juliusz Sosinowicz
---
 src/crypto/tls_wolfssl.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/crypto/tls_wolfssl.c b/src/crypto/tls_wolfssl.c index 38575375de..a58e1f7607 100644 --- a/src/crypto/tls_wolfssl.c +++ b/src/crypto/tls_wolfssl.c @@ -2004,6 +2004,7 @@ int tls_connection_set_cipher_list(void *tls_ctx, struct tls_connection *conn, char buf[128], *pos, *end; u8 *c; int ret; + int setSigAlgs = 0; if (!conn || !conn->ssl || !ciphers) return -1; @@ -2028,6 +2029,7 @@ int tls_connection_set_cipher_list(void *tls_ctx, struct tls_connection *conn, break; case TLS_CIPHER_ANON_DH_AES128_SHA: suite = "ADH-AES128-SHA"; + setSigAlgs = 1; break; case TLS_CIPHER_RSA_DHE_AES256_SHA: suite = "DHE-RSA-AES256-SHA";
@@ -2054,6 +2056,12 @@ int tls_connection_set_cipher_list(void *tls_ctx, struct tls_connection *conn, return -1; } + if (setSigAlgs && + wolfSSL_set1_sigalgs_list(conn->ssl, SUITEB_TLS_128_SIGALGS) != 1) { + wpa_printf(MSG_DEBUG, "Sigalg configuration failed"); + return -1; + } + return 0; }
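Review bot: in the two hunks at -2004 and -2028, `setSigAlgs` is camelCase while locals in tls_wolfssl.c and the rest of hostap are snake_case (set_sigalgs); the flag is also raised only for TLS_CIPHER_ANON_DH_AES128_SHA, so a short comment at the `+ setSigAlgs = 1;` line saying that the anonymous DH suite is the one that needs extra signature algorithms would make the intent visible where the flag is set rather than only where it is consumed.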
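Review bot: the hunk at -2054 does not say why SUITEB_TLS_128_SIGALGS is the right signature algorithm list for an anonymous-DH suite; the macro name points to a Suite B list and the commit message only says it "sets some better defaults". A comment above the wolfSSL_set1_sigalgs_list() call naming the algorithms being enabled and why an ADH suite needs them would help, and the "Sigalg configuration failed" debug message could carry the function's return value so this failure is distinguishable in logs from the other `return -1` paths in tls_connection_set_cipher_list().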
From: Juliusz Sosinowicz
To: hostap@lists.infradead.org
Cc: Juliusz Sosinowicz
Subject: [PATCH 09/24] wolfssl: tune test_ap_wpa2_eap_fast_prf_oom for wolfssl
Date: Thu, 4 Apr 2024 20:16:15 +0200
Message-Id: <20240404181630.2431991-9-juliusz@wolfssl.com>
In-Reply-To: <20240404181630.2431991-1-juliusz@wolfssl.com>
References: <20240404181630.2431991-1-juliusz@wolfssl.com>
The wolfSSL backend only does one malloc in tls_connection_get_eap_fast_key. Failing on the second one skips the only malloc and fails the test.

Signed-off-by: Juliusz Sosinowicz
---
 tests/hwsim/test_ap_eap.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/tests/hwsim/test_ap_eap.py b/tests/hwsim/test_ap_eap.py index a201403163..5fe2cbc711 100644 --- a/tests/hwsim/test_ap_eap.py +++ b/tests/hwsim/test_ap_eap.py
@@ -4248,9 +4248,12 @@ def test_ap_wpa2_eap_fast_prf_oom(dev, apdev): """WPA2-Enterprise connection using EAP-FAST and OOM in PRF""" check_eap_capa(dev[0], "FAST") tls = dev[0].request("GET tls_library") - if tls.startswith("OpenSSL") or tls.startswith("wolfSSL"): + if tls.startswith("OpenSSL"): func = "tls_connection_get_eap_fast_key" count = 2 + elif tls.startswith("wolfSSL"): + func = "tls_connection_get_eap_fast_key" + count = 1 elif tls.startswith("internal"): func = "tls_connection_prf" count = 1
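Review bot: both branches now assign the same `func = "tls_connection_get_eap_fast_key"`, so the split only changes count; keeping the original combined condition and writing `count = 2 if tls.startswith("OpenSSL") else 1` would avoid the duplicated assignment. The counts are magic numbers tied to how many allocations each backend makes inside tls_connection_get_eap_fast_key(), so the explanation in the commit message (the wolfSSL backend performs a single malloc there) belongs in a comment next to `count = 1`, otherwise the next reader has no way to tell why the two backends differ.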
From: Juliusz Sosinowicz
To: hostap@lists.infradead.org
Cc: Juliusz Sosinowicz
Subject: [PATCH 10/24] ap_wpa2_eap_tls_rsa_and_ec: use ciphersuites that wolfSSL understands
Date: Thu, 4 Apr 2024 20:16:16 +0200
Message-Id: <20240404181630.2431991-10-juliusz@wolfssl.com>
In-Reply-To: <20240404181630.2431991-1-juliusz@wolfssl.com>
References: <20240404181630.2431991-1-juliusz@wolfssl.com>
Signed-off-by: Juliusz Sosinowicz
---
 tests/hwsim/test_ap_eap.py | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

diff --git a/tests/hwsim/test_ap_eap.py b/tests/hwsim/test_ap_eap.py index 5fe2cbc711..8f4b846f57 100644 --- a/tests/hwsim/test_ap_eap.py +++ b/tests/hwsim/test_ap_eap.py @@ -6406,7 +6406,12 @@ def test_ap_wpa2_eap_tls_rsa_and_ec(dev, apdev, params): private_key="auth_serv/ec-user.key") dev[0].request("REMOVE_NETWORK all") dev[0].wait_disconnected() - + + tls = dev[1].request("GET tls_library") + if tls.startswith("wolfSSL"): + ciphers = "RSA" + else: + ciphers = "DEFAULT:-aECDH:-aECDSA" # TODO: Make wpa_supplicant automatically filter out cipher suites that # would require ECDH/ECDSA keys when those are not configured in the # selected client certificate. And for no-client-cert case, deprioritize
@@ -6414,7 +6419,7 @@ def test_ap_wpa2_eap_tls_rsa_and_ec(dev, apdev, params): # likely to work cipher suites are selected by the server. Only do these # when an explicit openssl_ciphers parameter is not set. eap_connect(dev[1], hapd, "TLS", "tls user", - openssl_ciphers="DEFAULT:-aECDH:-aECDSA", + openssl_ciphers=ciphers, ca_cert="auth_serv/ca.pem", client_cert="auth_serv/user.pem", private_key="auth_serv/user.key") @@ -6450,7 +6455,12 @@ def test_ap_wpa2_eap_tls_ec_and_rsa(dev, apdev, params): private_key="auth_serv/ec-user.key") dev[0].request("REMOVE_NETWORK all") dev[0].wait_disconnected() - + + tls = dev[1].request("GET tls_library") + if tls.startswith("wolfSSL"): + ciphers = "RSA" + else: + ciphers = "DEFAULT:-aECDH:-aECDSA" # TODO: Make wpa_supplicant automatically filter out cipher suites that # would require ECDH/ECDSA keys when those are not configured in the # selected client certificate. And for no-client-cert case, deprioritize 
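Review bot: the five-line tls/ciphers block added to test_ap_wpa2_eap_tls_ec_and_rsa here is a verbatim copy of the one added to test_ap_wpa2_eap_tls_rsa_and_ec in the first hunk; factor it into a small helper (for example one that takes the dev and returns the cipher string) so the wolfSSL special case lives in one place and is easy to remove once the TODO above it is resolved.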
@@ -6458,7 +6468,7 @@ def test_ap_wpa2_eap_tls_ec_and_rsa(dev, apdev, params): # likely to work cipher suites are selected by the server. Only do these # when an explicit openssl_ciphers parameter is not set. eap_connect(dev[1], hapd, "TLS", "tls user", - openssl_ciphers="DEFAULT:-aECDH:-aECDSA", + openssl_ciphers=ciphers, ca_cert="auth_serv/ca.pem", client_cert="auth_serv/user.pem", private_key="auth_serv/user.key")
From: Juliusz Sosinowicz
To: hostap@lists.infradead.org
Cc: Juliusz Sosinowicz
Subject: [PATCH 11/24] ap_wpa2_eap_fast_cipher_suites: allow wolfSSL to skip RC4 test
Date: Thu, 4 Apr 2024 20:16:17 +0200
Message-Id: <20240404181630.2431991-11-juliusz@wolfssl.com>
In-Reply-To: <20240404181630.2431991-1-juliusz@wolfssl.com>
References: <20240404181630.2431991-1-juliusz@wolfssl.com>
Signed-off-by: Juliusz Sosinowicz --- tests/hwsim/test_ap_eap.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/hwsim/test_ap_eap.py b/tests/hwsim/test_ap_eap.py index 8f4b846f57..14f8980132 100644 --- a/tests/hwsim/test_ap_eap.py +++ b/tests/hwsim/test_ap_eap.py
@@ -4341,7 +4341,7 @@ def test_ap_wpa2_eap_fast_cipher_suites(dev, apdev): if cipher == "RC4-SHA" and \ ("Could not select EAP method" in str(e) or \ "EAP failed" in str(e)): - if "run=OpenSSL" in tls: + if "run=OpenSSL" in tls or "wolfSSL" in tls: logger.info("Allow failure due to missing TLS library support") dev[0].request("REMOVE_NETWORK all") dev[0].wait_disconnected()
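Review bot: the new condition uses `"wolfSSL" in tls`, a substring match anywhere in the "GET tls_library" string, while the other patches in this series gate on `tls.startswith("wolfSSL")`; use the same form here so the check cannot match unrelated text in the version string. The commit message is empty apart from the Signed-off-by; add a sentence saying why RC4-SHA is expected to be unavailable with wolfSSL (the logged reason is "missing TLS library support"), since the change makes a previously failing case silently acceptable.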
From: Juliusz Sosinowicz
To: hostap@lists.infradead.org
Cc: Juliusz Sosinowicz
Subject: [PATCH 12/24] ap_wpa2_eap_tls_versions: run tests with wolfSSL
Date: Thu, 4 Apr 2024 20:16:18 +0200
Message-Id: <20240404181630.2431991-12-juliusz@wolfssl.com>
In-Reply-To: <20240404181630.2431991-1-juliusz@wolfssl.com>
References: <20240404181630.2431991-1-juliusz@wolfssl.com>
Signed-off-by: Juliusz Sosinowicz --- tests/hwsim/test_ap_eap.py | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/tests/hwsim/test_ap_eap.py b/tests/hwsim/test_ap_eap.py index 14f8980132..3350da7e4e 100644 --- a/tests/hwsim/test_ap_eap.py +++ b/tests/hwsim/test_ap_eap.py @@ -6205,11 +6205,8 @@ def test_ap_wpa2_eap_tls_versions(dev, apdev): "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1", "TLSv1.2") if tls.startswith("wolfSSL"): - if ("build=3.10.0" in tls and "run=3.10.0" in tls) or \ - ("build=3.13.0" in tls and "run=3.13.0" in tls): - check_tls_ver(dev[0], hapd, - "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1", - "TLSv1.2") + check_tls_ver(dev[0], hapd, + "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1", "TLSv1.2") elif tls.startswith("internal"): check_tls_ver(dev[0], hapd, "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1", "TLSv1.2")
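Review bot: once the 3.10.0/3.13.0 version gate is dropped, the `if tls.startswith("wolfSSL"):` branch makes exactly the same check_tls_ver(dev[0], hapd, "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1", "TLSv1.2") call as the `elif tls.startswith("internal"):` branch right below it; merge the two conditions with `or` instead of keeping duplicate bodies. The commit message should also state the minimum wolfSSL version now assumed, since every wolfSSL build takes this path rather than only the two releases that were previously whitelisted.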
@@ -6217,7 +6214,8 @@ def test_ap_wpa2_eap_tls_versions(dev, apdev): "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=0 tls_disable_tlsv1_2=1", "TLSv1.1") check_tls_ver(dev[2], hapd, "tls_disable_tlsv1_0=0 tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1", "TLSv1") - if "run=OpenSSL 1.1.1" in tls or "run=OpenSSL 3." in tls: + if "run=OpenSSL 1.1.1" in tls or "run=OpenSSL 3." in tls or \ + tls.startswith("wolfSSL"): check_tls_ver(dev[0], hapd, "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1 tls_disable_tlsv1_3=0", "TLSv1.3")
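Review bot: the TLSv1.3 check is now run for every wolfSSL build (`tls.startswith("wolfSSL")`), whereas the OpenSSL side of the same condition is still gated on specific release strings known to support TLS 1.3; a wolfSSL build configured without TLS 1.3 would fail here. Either gate on a version or feature string as is done for OpenSSL, or note in the commit message that TLS 1.3 support is a build requirement for running hwsim against wolfSSL.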
From: Juliusz Sosinowicz
To: hostap@lists.infradead.org
Cc: Juliusz Sosinowicz
Subject: [PATCH 13/24] wolfssl: generate events when OCSP status is revoked
Date: Thu, 4 Apr 2024 20:16:19 +0200
Message-Id: <20240404181630.2431991-13-juliusz@wolfssl.com>
In-Reply-To: <20240404181630.2431991-1-juliusz@wolfssl.com>
References: <20240404181630.2431991-1-juliusz@wolfssl.com>
Signed-off-by: Juliusz Sosinowicz --- src/crypto/tls_wolfssl.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/src/crypto/tls_wolfssl.c b/src/crypto/tls_wolfssl.c index a58e1f7607..4016b6a46b 100644 --- a/src/crypto/tls_wolfssl.c +++ b/src/crypto/tls_wolfssl.c
@@ -1836,6 +1836,18 @@ static struct wpabuf * wolfssl_handshake(struct tls_connection *conn, wolfSSL_ERR_error_string(err, msg)); conn->failed++; } + + /* Generate extra events */ + if (err == OCSP_CERT_REVOKED || err == BAD_CERTIFICATE_STATUS_ERROR || + err == OCSP_CERT_REVOKED) { + char buf[256]; + WOLFSSL_X509* err_cert = wolfSSL_get_peer_certificate(conn->ssl); + wolfSSL_X509_NAME_oneline(wolfSSL_X509_get_subject_name(err_cert), + buf, sizeof(buf)); + wolfssl_tls_fail_event(conn, err_cert, err, 0, buf, + "bad certificate status response", + TLS_FAIL_UNSPECIFIED); + } } return conn->output.out_data;
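Review bot: the new condition tests `err == OCSP_CERT_REVOKED` twice, so one of the two is either a copy-paste leftover or a different error code was intended; please fix the duplicate. Inside the block, `wolfSSL_get_peer_certificate(conn->ssl)` can return NULL when no peer certificate is available at the point the failure is reported, and the result is passed straight into `wolfSSL_X509_get_subject_name()` and `wolfSSL_X509_NAME_oneline()`, so add a NULL check before building the subject string. Two smaller points: the certificate is not released after `wolfssl_tls_fail_event()` returns, so confirm whether this build's `wolfSSL_get_peer_certificate()` hands back an owned reference that needs `wolfSSL_X509_free()`; and for a revoked-status failure the more specific `TLS_FAIL_REVOKED` reason code exists in hostap's tls.h and would let callers distinguish revocation from a generic failure. Style: hostap places the pointer star next to the name (`WOLFSSL_X509 *err_cert`).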
From: Juliusz Sosinowicz
To: hostap@lists.infradead.org
Cc: Juliusz Sosinowicz
Subject: [PATCH 14/24] wolfssl: remove unnecessary WOLFSSL_X509_STORE manipulation
Date: Thu, 4 Apr 2024 20:16:20 +0200
Message-Id: <20240404181630.2431991-14-juliusz@wolfssl.com>
In-Reply-To: <20240404181630.2431991-1-juliusz@wolfssl.com>
References: <20240404181630.2431991-1-juliusz@wolfssl.com>
Setting a new WOLFSSL_X509_STORE is not necessary when calling wolfSSL_CTX_load_verify_locations().

Signed-off-by: Juliusz Sosinowicz --- src/crypto/tls_wolfssl.c | 12 +++--------- 1 file changed, 3 insertions(+), 9 deletions(-) diff --git a/src/crypto/tls_wolfssl.c b/src/crypto/tls_wolfssl.c index 4016b6a46b..f126c37479 100644 --- a/src/crypto/tls_wolfssl.c +++ b/src/crypto/tls_wolfssl.c @@ -1383,15 +1383,8 @@ static int tls_connection_ca_cert(void *tls_ctx, struct tls_connection *conn, } if (ca_cert || ca_path) { - WOLFSSL_X509_STORE *cm = wolfSSL_X509_STORE_new(); - - if (!cm) { - wpa_printf(MSG_INFO, - "SSL: failed to create certificate store"); - return -1; - } - wolfSSL_CTX_set_cert_store(ctx, cm); - + wpa_printf(MSG_DEBUG, "SSL: loading CA's from '%s' and '%s'", + ca_cert ? ca_cert : "N/A", ca_path ? ca_path : "N/A"); if (wolfSSL_CTX_load_verify_locations(ctx, ca_cert, ca_path) != SSL_SUCCESS) { wpa_printf(MSG_INFO,
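Review bot: dropping the fresh WOLFSSL_X509_STORE changes behaviour, not just code size: before, each call replaced the context's store and then loaded ca_cert/ca_path into the empty store, so only the CAs configured for this connection were trusted; after, wolfSSL_CTX_load_verify_locations() adds to whatever the context already holds. If tls_connection_ca_cert() can run more than once on the same ctx (a network being reconfigured, or a ctx shared between connections), the commit message should explain why accumulating trust anchors is acceptable, or the store should still be cleared first. Minor: "CA's" in the new debug message should read "CAs".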
@@ -1408,6 +1401,7 @@ static int tls_connection_ca_cert(void *tls_ctx, struct tls_connection *conn, return -1; } } + wpa_printf(MSG_DEBUG, "SSL: Loaded ca_cert or ca_path"); return 0; }
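Review bot: with the wolfSSL_X509_STORE_new()/wolfSSL_CTX_set_cert_store() calls removed from the `if (ca_cert || ca_path)` block in the first hunk, wolfSSL_CTX_load_verify_locations() now adds to whatever the ctx already trusts rather than starting from a fresh, empty store. Please state in the commit message that tls_connection_ca_cert() is only ever called once per ctx (or that the ctx is always freshly created), because if it can be called again with a different ca_cert/ca_path the previously loaded CAs would remain trusted alongside the new ones. Also, the new debug string should read "loading CAs from", not "loading CA's from".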
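Review bot: in the second hunk the added `wpa_printf(MSG_DEBUG, "SSL: Loaded ca_cert or ca_path");` comes after two closing braces and immediately before the function's final `return 0;`. Please check that this line is still inside the `if (ca_cert || ca_path)` path; if those braces close that block, the message is also printed when neither ca_cert nor ca_path was given and nothing was loaded, which would mislead anyone reading the log while debugging a trust-anchor problem. Either move it inside the block or word it so that it is accurate on every path that reaches `return 0`.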
From: Juliusz Sosinowicz
To: hostap@lists.infradead.org
Cc: Juliusz Sosinowicz
Subject: [PATCH 15/24] wolfssl: log error number on failure
Date: Thu, 4 Apr 2024 20:16:21 +0200
Message-Id: <20240404181630.2431991-15-juliusz@wolfssl.com>
In-Reply-To: <20240404181630.2431991-1-juliusz@wolfssl.com>

Log raw error number after wolfSSL_accept or wolfSSL_connect error.
Signed-off-by: Juliusz Sosinowicz --- src/crypto/tls_wolfssl.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/crypto/tls_wolfssl.c b/src/crypto/tls_wolfssl.c index f126c37479..360a4a3b48 100644 --- a/src/crypto/tls_wolfssl.c +++ b/src/crypto/tls_wolfssl.c 
@@ -1824,9 +1824,9 @@ static struct wpabuf * wolfssl_handshake(struct tls_connection *conn, char msg[80]; wpa_printf(MSG_DEBUG, - "SSL: %s - failed %s", + "SSL: %s - failed (%d) %s", server ? "wolfSSL_accept" : - "wolfSSL_connect", + "wolfSSL_connect", err, wolfSSL_ERR_error_string(err, msg)); conn->failed++; }
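Review bot: adding the numeric `err` next to wolfSSL_ERR_error_string() is helpful, but this handshake failure is logged at MSG_DEBUG while the other failure paths touched in this series (for example "SSL: failed to create certificate store" in patch 14) use MSG_INFO. A failed wolfSSL_accept/wolfSSL_connect is the one event an operator most needs to see at the default log level when EAP-TLS stops working, so consider raising this message to MSG_INFO while you are changing it.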
From: Juliusz Sosinowicz
To: hostap@lists.infradead.org
Cc: Juliusz Sosinowicz
Subject: [PATCH 16/24] wolfssl: remove unused and non-compiling code
Date: Thu, 4 Apr 2024 20:16:22 +0200
Message-Id: <20240404181630.2431991-16-juliusz@wolfssl.com>
In-Reply-To: <20240404181630.2431991-1-juliusz@wolfssl.com>
OCSP is handled internally by wolfSSL.

Signed-off-by: Juliusz Sosinowicz
---
src/crypto/tls_wolfssl.c | 25 ------------------------- 1 file changed, 25 deletions(-)

diff --git a/src/crypto/tls_wolfssl.c b/src/crypto/tls_wolfssl.c index 360a4a3b48..32331d25b8 100644 --- a/src/crypto/tls_wolfssl.c +++ b/src/crypto/tls_wolfssl.c
@@ -1275,31 +1275,6 @@ static int tls_verify_cb(int preverify_ok, WOLFSSL_X509_STORE_CTX *x509_ctx) TLS_FAIL_SERVER_CHAIN_PROBE); } -#ifdef HAVE_OCSP_WOLFSSL - if (depth == 0 && (conn->flags & TLS_CONN_REQUEST_OCSP) && - preverify_ok) { - enum ocsp_result res; - - res = check_ocsp_resp(conn->ssl_ctx, conn->ssl, err_cert, - conn->peer_issuer, - conn->peer_issuer_issuer); - if (res == OCSP_REVOKED) { - preverify_ok = 0; - wolfssl_tls_fail_event(conn, err_cert, err, depth, buf, - "certificate revoked", - TLS_FAIL_REVOKED); - if (err == X509_V_OK) - X509_STORE_CTX_set_error( - x509_ctx, X509_V_ERR_CERT_REVOKED); - } else if (res != OCSP_GOOD && - (conn->flags & TLS_CONN_REQUIRE_OCSP)) { - preverify_ok = 0; - wolfssl_tls_fail_event(conn, err_cert, err, depth, buf, - "bad certificate status response", - TLS_FAIL_UNSPECIFIED); - } - } -#endif /* HAVE_OCSP_WOLFSSL */ if (depth == 0 && preverify_ok && context->event_cb != NULL) context->event_cb(context->cb_ctx, TLS_CERT_CHAIN_SUCCESS, NULL);
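Review bot: the removed `#ifdef HAVE_OCSP_WOLFSSL` block is where TLS_CONN_REQUEST_OCSP and TLS_CONN_REQUIRE_OCSP were enforced in the verify callback: OCSP_REVOKED became a TLS_FAIL_REVOKED event with X509_V_ERR_CERT_REVOKED set on the store context, and a missing good response under TLS_CONN_REQUIRE_OCSP failed the handshake. "OCSP is handled internally by wolfSSL" is not enough for a reviewer to confirm that neither behaviour regresses; the commit message should say where those two flags are now mapped onto wolfSSL's OCSP configuration and how a revoked peer certificate still reaches the event callback as TLS_FAIL_REVOKED, so that require-OCSP cannot silently degrade into soft-fail. If the block was dead because HAVE_OCSP_WOLFSSL is never defined for this file, saying so explicitly would justify the removal on its own.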
From: Juliusz Sosinowicz
To: hostap@lists.infradead.org
Cc: Juliusz Sosinowicz
Subject: [PATCH 17/24] wolfssl: add missing return in tls_init
Date: Thu, 4 Apr 2024 20:16:23 +0200
Message-Id: <20240404181630.2431991-17-juliusz@wolfssl.com>
In-Reply-To: <20240404181630.2431991-1-juliusz@wolfssl.com>
Signed-off-by: Juliusz Sosinowicz
---
src/crypto/tls_wolfssl.c | 1 + 1 file changed, 1 insertion(+)

diff --git a/src/crypto/tls_wolfssl.c b/src/crypto/tls_wolfssl.c index 32331d25b8..0cdc4c809a 100644 --- a/src/crypto/tls_wolfssl.c +++ b/src/crypto/tls_wolfssl.c
@@ -378,6 +378,7 @@ void * tls_init(const struct tls_config *conf) os_free(tls_global); tls_global = NULL; } + return NULL; } wolfSSL_SetIORecv(ssl_ctx, wolfssl_receive_cb); wolfSSL_SetIOSend(ssl_ctx, wolfssl_send_cb);
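Review bot: the commit message consists only of the Signed-off-by line; it should describe the bug the hunk fixes. As the context shows, when ssl_ctx could not be created the cleanup path freed tls_global and then fell through to `wolfSSL_SetIORecv(ssl_ctx, wolfssl_receive_cb);` with a NULL ssl_ctx instead of returning to the caller, so this is a NULL pointer dereference on the error path, not a cosmetic change. One sentence saying that, plus a Fixes: reference to the commit that introduced the cleanup block if it is known, would let this be backported on its own.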
From: Juliusz Sosinowicz
To: hostap@lists.infradead.org
Cc: Juliusz Sosinowicz
Subject: [PATCH 18/24] wolfssl: implement check_cert_subject
Date: Thu, 4 Apr 2024 20:16:24 +0200
Message-Id: <20240404181630.2431991-18-juliusz@wolfssl.com>
In-Reply-To: <20240404181630.2431991-1-juliusz@wolfssl.com>
Overall design was copied from tls_openssl.c. Multiple same distinguished names in one subject name are not supported.

Signed-off-by: Juliusz Sosinowicz
---
src/crypto/tls_wolfssl.c | 253 ++++++++++++++++++++++++++++++++++----- 1 file changed, 220 insertions(+), 33 deletions(-)

diff --git a/src/crypto/tls_wolfssl.c b/src/crypto/tls_wolfssl.c index 0cdc4c809a..b88e259e40 100644 --- a/src/crypto/tls_wolfssl.c +++ b/src/crypto/tls_wolfssl.c @@ -65,13 +65,15 @@ struct tls_context { int cert_in_cb; char *ocsp_stapling_response; unsigned int tls_session_lifetime; + /* This is alloc'ed and needs to be free'd */ + char *check_cert_subject; }; static struct tls_context *tls_global = NULL; /* wolfssl tls_connection */ struct tls_connection { - struct tls_context *context; + const struct tls_context *context; WOLFSSL *ssl; int read_alerts; int write_alerts; @@ -82,6 +84,7 @@ struct tls_connection { char *alt_subject_match; char *suffix_match; char *domain_match; + char *check_cert_subject; u8 srv_cert_hash[32];
@@ -121,6 +124,21 @@ static struct tls_context * tls_context_new(const struct tls_config *conf) return context; } +static void tls_context_free(struct tls_context* context) +{ + if (context) { + if (context->check_cert_subject) + os_free(context->check_cert_subject); + } + os_free(context); +} + +/* Helper to make sure the context stays const */ +static const struct tls_context* ssl_ctx_get_tls_context(void *ssl_ctx) +{ + return wolfSSL_CTX_get_ex_data(ssl_ctx, TLS_SSL_CTX_CTX_EX_IDX); +} + static void wolfssl_reset_in_data(struct tls_in_data *in, const struct wpabuf *buf) @@ -373,9 +391,9 @@ void * tls_init(const struct tls_config *conf) if (!ssl_ctx) { tls_ref_count--; if (context != tls_global) - os_free(context); + tls_context_free(context); if (tls_ref_count == 0) { - os_free(tls_global); + tls_context_free(tls_global); tls_global = NULL; } return NULL; @@ -413,18 +431,19 @@ void * tls_init(const struct tls_config *conf) void tls_deinit(void *ssl_ctx) { - struct tls_context *context = wolfSSL_CTX_get_ex_data(ssl_ctx, - TLS_SSL_CTX_CTX_EX_IDX); + struct tls_context *context = + /* Need to cast the const away */ + (struct tls_context *)ssl_ctx_get_tls_context(ssl_ctx); if (context != tls_global) - os_free(context); + tls_context_free(context); wolfSSL_CTX_free((WOLFSSL_CTX *) ssl_ctx); tls_ref_count--; if (tls_ref_count == 0) { wolfSSL_Cleanup(); - os_free(tls_global); + tls_context_free(tls_global); tls_global = NULL; } } @@ -467,7 +486,7 @@ struct tls_connection * tls_connection_init(void *tls_ctx) wolfSSL_SetIOReadCtx(conn->ssl, &conn->input); wolfSSL_SetIOWriteCtx(conn->ssl, &conn->output); wolfSSL_set_ex_data(conn->ssl, TLS_SSL_CON_EX_IDX, conn); - conn->context = wolfSSL_CTX_get_ex_data(ssl_ctx, TLS_SSL_CTX_CTX_EX_IDX); + conn->context = ssl_ctx_get_tls_context(ssl_ctx); /* Need randoms post-hanshake for EAP-FAST, export key and deriving * session ID in EAP methods. */ 
@@ -493,6 +512,7 @@ void tls_connection_deinit(void *tls_ctx, struct tls_connection *conn) os_free(conn->suffix_match); os_free(conn->domain_match); os_free(conn->peer_subject); + os_free(conn->check_cert_subject); /* self */ os_free(conn); @@ -542,7 +562,8 @@ static int tls_connection_set_subject_match(struct tls_connection *conn, const char *subject_match, const char *alt_subject_match, const char *suffix_match, - const char *domain_match) + const char *domain_match, + const char *check_cert_subject) { os_free(conn->subject_match); conn->subject_match = NULL; @@ -576,6 +597,14 @@ static int tls_connection_set_subject_match(struct tls_connection *conn, return -1; } + os_free(conn->check_cert_subject); + conn->check_cert_subject = NULL; + if (check_cert_subject) { + conn->check_cert_subject = os_strdup(check_cert_subject); + if (!conn->check_cert_subject) + return -1; + } + return 0; } 
@@ -954,6 +983,138 @@ static const char * wolfssl_tls_err_string(int err, const char *err_str) } } +/** + * match_dn_field - Match configuration DN field against Certificate DN field + * @cert: Certificate + * @nid: NID of DN field + * @field: Field name + * @value DN field value which is passed from configuration + * e.g., if configuration have C=US and this argument will point to US. + * Returns: 1 on success and 0 on failure + */ +static int match_dn_field(WOLFSSL_X509 *cert, int nid, const char *field, + const char *value) +{ + int ret = 0; + int len = os_strlen(value); + char buf[256]; + /* Fetch value based on NID */ + int buf_len = wolfSSL_X509_NAME_get_text_by_NID( + wolfSSL_X509_get_subject_name((WOLFSSL_X509*)cert), nid, + buf, sizeof(buf)); + + if (buf_len >= 0) { + wpa_printf(MSG_DEBUG, "wolfSSL: Matching fields: '%s' '%s' '%s'", field, + value, buf); + + /* Check wildcard at the right end side */ + /* E.g., if OU=develop* mentioned in configuration, allow 'OU' + * of the subject in the client certificate to start with + * 'develop' */ + if (len > 0 && value[len - 1] == '*') { + ret = buf_len >= len && os_memcmp(buf, value, len - 1) == 0; + } else { + ret = os_strcmp(buf, value) == 0; + } + } else { + wpa_printf(MSG_ERROR, "wolfSSL: cert does not contain entry for '%s'", + field); + } + + return ret; +} + +#define DN_FIELD_LEN 20 + +/** + * get_value_from_field - Get value from DN field + * @cert: Certificate + * @field_str: DN field string which is passed from configuration file (e.g., + * C=US) + * @processedNIDs: List of NIDs already processed + * Returns: 1 on success and 0 on failure + */ +static int get_value_from_field(WOLFSSL_X509 *cert, char *field_str, + int* processedNIDs) +{ + int nid, i; + char *context = NULL, *name, *value; + + if (os_strcmp(field_str, "*") == 0) + return 1; /* wildcard matches everything */ + + name = str_token(field_str, "=", &context); + if (!name) + return 0; + + nid = wolfSSL_OBJ_txt2nid(name); + if (nid == 
NID_undef) { + wpa_printf(MSG_ERROR, + "wolfSSL: Unknown field '%s' in check_cert_subject", name); + return 0; + } + + /* Check for duplicates */ + for (i = 0; processedNIDs[i] != NID_undef && i < DN_FIELD_LEN; i++) { + if (processedNIDs[i] == nid) { + wpa_printf(MSG_ERROR, "wolfSSL: no support for multiple DN's in " + "check_cert_subject"); + return 0; + } + } + if (i == DN_FIELD_LEN) { + wpa_printf(MSG_ERROR, "wolfSSL: only %d DN's are supported in check_cert_subject", + DN_FIELD_LEN); + return 0; + } + processedNIDs[i] = nid; + + value = str_token(field_str, "=", &context); + if (!value) { + wpa_printf(MSG_ERROR, "wolfSSL: Distinguished Name field '%s' value is " + "not defined in check_cert_subject", name); + return 0; + } + + return match_dn_field(cert, nid, name, value); +} + +/** + * tls_match_dn_field - Match subject DN field with check_cert_subject + * @cert: Certificate + * @match: check_cert_subject string + * Returns: Return 1 on success and 0 on failure +*/ +static int tls_match_dn_field(WOLFSSL_X509 *cert, const char *match) +{ + const char *token, *last = NULL; + /* Maximum length of each DN field is 255 characters */ + char field[256]; + int processedNIDs[DN_FIELD_LEN], i; + + for (i = 0; i < DN_FIELD_LEN; i++) + processedNIDs[i] = NID_undef; + + /* Process each '/' delimited field */ + while ((token = cstr_token(match, "/", &last))) { + if (last - token >= (int) sizeof(field)) { + wpa_printf(MSG_ERROR, + "wolfSSL: Too long DN matching field value in '%s'", + match); + return 0; + } + os_memcpy(field, token, last - token); + field[last - token] = '\0'; + + if (!get_value_from_field(cert, field, processedNIDs)) { + wpa_printf(MSG_INFO, "wolfSSL: No match for DN '%s'", + field); + return 0; + } + } + + return 1; +} static struct wpabuf * get_x509_cert(WOLFSSL_X509 *cert) { 
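Review bot: the duplicate check in get_value_from_field() can read one element past the end of processedNIDs[]: the loop condition `processedNIDs[i] != NID_undef && i < DN_FIELD_LEN` evaluates the array element before the bound, so once all DN_FIELD_LEN slots are filled (a check_cert_subject with more than 20 distinct fields, which tls_match_dn_field() does not otherwise limit) the iteration with i == DN_FIELD_LEN reads processedNIDs[DN_FIELD_LEN] before the `i == DN_FIELD_LEN` test can fire. Swap the operands to `i < DN_FIELD_LEN && processedNIDs[i] != NID_undef`. Two smaller points in the same hunk: the trailing-wildcard branch of match_dn_field() requires `buf_len >= len` where len still counts the '*', so `OU=develop*` rejects a subject whose OU is exactly "develop"; if that is intended (the commit message says the design follows tls_openssl.c) a comment would help, otherwise compare against len - 1. And since wolfSSL_X509_NAME_get_text_by_NID() returns only the first attribute of a given type, a certificate carrying two OU entries is matched against the first one only; that is fail-closed, but a one-line comment next to the call would make the "multiple same distinguished names are not supported" limitation visible in the code rather than only in the commit message.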
@@ -976,7 +1137,7 @@ static void wolfssl_tls_fail_event(struct tls_connection *conn, { union tls_event_data ev; struct wpabuf *cert = NULL; - struct tls_context *context = conn->context; + const struct tls_context *context = conn->context; if (!context->event_cb) return; @@ -1029,7 +1190,7 @@ static void wolfssl_tls_cert_event(struct tls_connection *conn, { struct wpabuf *cert = NULL; union tls_event_data ev; - struct tls_context *context = conn->context; + const struct tls_context *context = conn->context; char *alt_subject[TLS_MAX_ALT_SUBJECT]; int alt, num_alt_subject = 0; WOLFSSL_GENERAL_NAME *gen; @@ -1126,8 +1287,9 @@ static int tls_verify_cb(int preverify_ok, WOLFSSL_X509_STORE_CTX *x509_ctx) int err, depth; WOLFSSL *ssl; struct tls_connection *conn; - struct tls_context *context; + const struct tls_context *context; char *match, *altmatch, *suffix_match, *domain_match; + const char *check_cert_subject; const char *err_str; err_cert = wolfSSL_X509_STORE_CTX_get_current_cert(x509_ctx); @@ -1231,7 +1393,20 @@ static int tls_verify_cb(int preverify_ok, WOLFSSL_X509_STORE_CTX *x509_ctx) "TLS: %s - preverify_ok=%d err=%d (%s) ca_cert_verify=%d depth=%d buf='%s'", __func__, preverify_ok, err, err_str, conn->ca_cert_verify, depth, buf); - if (depth == 0 && match && os_strstr(buf, match) == NULL) { + check_cert_subject = conn->check_cert_subject; + if (!check_cert_subject) + check_cert_subject = conn->context->check_cert_subject; + if (check_cert_subject && depth == 0 && + !tls_match_dn_field(err_cert, check_cert_subject)) { + wpa_printf(MSG_WARNING, + "TLS: Subject '%s' did not match with '%s'", + buf, check_cert_subject); + preverify_ok = 0; + wolfssl_tls_fail_event(conn, err_cert, err, depth, buf, + "Distinguished Name", + TLS_FAIL_DN_MISMATCH); + } + else if (depth == 0 && match && os_strstr(buf, match) == NULL) { wpa_printf(MSG_WARNING, "TLS: Subject '%s' did not match with '%s'", buf, match); 
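Review bot: the new branch in tls_verify_cb() puts `}` and `else if (depth == 0 && match && ...)` on separate lines, whereas the surrounding code uses `} else if (...)` on one line; please join them. The precedence itself reads correctly: the per-connection check_cert_subject takes priority over the context-wide one, and when the DN check passes the `else if` still applies the legacy subject_match substring test, so enabling check_cert_subject does not loosen an existing subject_match configuration.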
@@ -1412,8 +1587,9 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn, if (tls_connection_set_subject_match(conn, params->subject_match, params->altsubject_match, params->suffix_match, - params->domain_match) < 0) { - wpa_printf(MSG_INFO, "Error setting subject match"); + params->domain_match, + params->check_cert_subject) < 0) { + wpa_printf(MSG_ERROR, "Error setting subject match"); return -1; } @@ -1421,14 +1597,14 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn, params->ca_cert_blob, params->ca_cert_blob_len, params->ca_path) < 0) { - wpa_printf(MSG_INFO, "Error setting CA cert"); + wpa_printf(MSG_ERROR, "Error setting CA cert"); return -1; } if (tls_connection_client_cert(conn, params->client_cert, params->client_cert_blob, params->client_cert_blob_len) < 0) { - wpa_printf(MSG_INFO, "Error setting client cert"); + wpa_printf(MSG_ERROR, "Error setting client cert"); return -1; } @@ -1436,13 +1612,13 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn, params->private_key_passwd, params->private_key_blob, params->private_key_blob_len) < 0) { - wpa_printf(MSG_INFO, "Error setting private key"); + wpa_printf(MSG_ERROR, "Error setting private key"); return -1; } if (handle_ciphersuites(NULL, conn->ssl, params->openssl_ciphers, params->flags) != 0) { - wpa_printf(MSG_INFO, "Error setting ciphersuites"); + wpa_printf(MSG_ERROR, "Error setting ciphersuites"); return -1; } @@ -1475,7 +1651,7 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn, wolfSSL_CTX_EnableOCSP(ctx, 0); #else /* HAVE_OCSP */ if (params->flags & TLS_CONN_REQUIRE_OCSP) { - wpa_printf(MSG_INFO, + wpa_printf(MSG_ERROR, "wolfSSL: No OCSP support included - reject configuration"); return -1; } 
@@ -1636,19 +1812,33 @@ void ocsp_resp_free_cb(void *ocsp_stapling_response, unsigned char *response) int tls_global_set_params(void *tls_ctx, const struct tls_connection_params *params) { + struct tls_context *context = + /* Need to cast away const as this is one of the only places + * where we should modify it */ + (struct tls_context*)ssl_ctx_get_tls_context(tls_ctx); + wpa_printf(MSG_DEBUG, "SSL: global set params"); - if (params->check_cert_subject) - return -1; /* not yet supported */ + os_free(context->check_cert_subject); + context->check_cert_subject = NULL; + if (params->check_cert_subject) { + context->check_cert_subject = + os_strdup(params->check_cert_subject); + if (!context->check_cert_subject) { + wpa_printf(MSG_ERROR, "SSL: Failed to copy check_cert_subject '%s'", + params->check_cert_subject); + return -1; + } + } if (tls_global_ca_cert(tls_ctx, params->ca_cert) < 0) { - wpa_printf(MSG_INFO, "SSL: Failed to load ca cert file '%s'", + wpa_printf(MSG_ERROR, "SSL: Failed to load ca cert file '%s'", params->ca_cert); return -1; } if (tls_global_client_cert(tls_ctx, params->client_cert) < 0) { - wpa_printf(MSG_INFO, + wpa_printf(MSG_ERROR, "SSL: Failed to load client cert file '%s'", params->client_cert); return -1; 
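Review bot: tls_global_set_params() dereferences the result of ssl_ctx_get_tls_context() without a NULL check, while tls_connection_set_verify() in the same file guards with `if (context && ...)`; either add `if (!context) return -1;` before `os_free(context->check_cert_subject);` or state why the ex-data is guaranteed to be set at this point. The cast is also written `(struct tls_context*)` here but `(struct tls_context *)` in tls_deinit(); keep one spelling.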
@@ -1656,26 +1846,26 @@ int tls_global_set_params(void *tls_ctx, if (tls_global_private_key(tls_ctx, params->private_key, params->private_key_passwd) < 0) { - wpa_printf(MSG_INFO, + wpa_printf(MSG_ERROR, "SSL: Failed to load private key file '%s'", params->private_key); return -1; } if (tls_global_dh(tls_ctx, params->dh_file) < 0) { - wpa_printf(MSG_INFO, "SSL: Failed to load DH file '%s'", + wpa_printf(MSG_ERROR, "SSL: Failed to load DH file '%s'", params->dh_file); return -1; } if (handle_ciphersuites(tls_ctx, NULL, params->openssl_ciphers, params->flags) != 0) { - wpa_printf(MSG_INFO, "Error setting ciphersuites"); + wpa_printf(MSG_ERROR, "Error setting ciphersuites"); return -1; } if (params->openssl_ecdh_curves) { - wpa_printf(MSG_INFO, + wpa_printf(MSG_ERROR, "wolfSSL: openssl_ecdh_curves not supported"); return -1; } @@ -1717,7 +1907,7 @@ int tls_connection_set_verify(void *ssl_ctx, struct tls_connection *conn, const u8 *session_ctx, size_t session_ctx_len) { static int counter = 0; - struct tls_context *context; + const struct tls_context *context; if (!conn) return -1; @@ -1736,8 +1926,7 @@ int tls_connection_set_verify(void *ssl_ctx, struct tls_connection *conn, wolfSSL_set_accept_state(conn->ssl); - context = wolfSSL_CTX_get_ex_data((WOLFSSL_CTX *) ssl_ctx, - TLS_SSL_CTX_CTX_EX_IDX); + context = ssl_ctx_get_tls_context(ssl_ctx); if (context && context->tls_session_lifetime == 0) { /* * Set session id context to a unique value to make sure 
@@ -1753,8 +1942,6 @@ int tls_connection_set_verify(void *ssl_ctx, struct tls_connection *conn, session_ctx_len); } - /* TODO: do we need to fake a session like OpenSSL does here? */ - return 0; }
From patchwork Thu Apr 4 18:16:25 2024
X-Patchwork-Submitter: Juliusz Sosinowicz
X-Patchwork-Id: 1919933
From: Juliusz Sosinowicz
To: hostap@lists.infradead.org
Cc: Juliusz Sosinowicz
Subject: [PATCH 19/24] wolfssl: Actually use ocsp_stapling_response
Date: Thu, 4 Apr 2024 20:16:25 +0200
Message-Id: <20240404181630.2431991-19-juliusz@wolfssl.com>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20240404181630.2431991-1-juliusz@wolfssl.com>
References: <20240404181630.2431991-1-juliusz@wolfssl.com>
Without a call to wolfSSL_CTX_EnableOCSP(tls_ctx, WOLFSSL_OCSP_URL_OVERRIDE), the override URL would not be used. But since we don't actually want to enable OCSP in this step, disable it immediately after. The option will stay turned on.

Fully turn on OCSP stapling and do error checking on all calls.

Signed-off-by: Juliusz Sosinowicz
---
 src/crypto/tls_wolfssl.c | 44 ++++++++++++++++++++++++++++++++++------
 1 file changed, 38 insertions(+), 6 deletions(-)

diff --git a/src/crypto/tls_wolfssl.c b/src/crypto/tls_wolfssl.c
index b88e259e40..b6869b7488 100644
--- a/src/crypto/tls_wolfssl.c
+++ b/src/crypto/tls_wolfssl.c
@@ -1872,16 +1872,48 @@ int tls_global_set_params(void *tls_ctx, #ifdef HAVE_SESSION_TICKET /* Session ticket is off by default - can't disable once on. */ - if (!(params->flags & TLS_CONN_DISABLE_SESSION_TICKET)) - wolfSSL_CTX_UseSessionTicket(tls_ctx); + if (!(params->flags & TLS_CONN_DISABLE_SESSION_TICKET)) { + if (wolfSSL_CTX_UseSessionTicket(tls_ctx) != WOLFSSL_SUCCESS) { + wpa_printf(MSG_ERROR, + "wolfSSL: wolfSSL_CTX_UseSessionTicket failed"); + return -1; + } + } #endif /* HAVE_SESSION_TICKET */ #ifdef HAVE_OCSP if (params->ocsp_stapling_response) { - wolfSSL_CTX_SetOCSP_OverrideURL(tls_ctx, - params->ocsp_stapling_response); - wolfSSL_CTX_SetOCSP_Cb(tls_ctx, ocsp_status_cb, - ocsp_resp_free_cb, NULL); + if (wolfSSL_CTX_EnableOCSP(tls_ctx, + WOLFSSL_OCSP_URL_OVERRIDE) != WOLFSSL_SUCCESS || + /* Workaround to force using the override URL without enabling OCSP */ + wolfSSL_CTX_DisableOCSP(tls_ctx) != WOLFSSL_SUCCESS) { + wpa_printf(MSG_ERROR, + "wolfSSL: wolfSSL_CTX_UseOCSPStapling failed"); + return -1; + } + if (wolfSSL_CTX_UseOCSPStapling(tls_ctx, WOLFSSL_CSR_OCSP, + WOLFSSL_CSR_OCSP_USE_NONCE) != WOLFSSL_SUCCESS) { + wpa_printf(MSG_ERROR, + "wolfSSL: wolfSSL_CTX_UseOCSPStapling failed"); + return -1; + } + if (wolfSSL_CTX_EnableOCSPStapling(tls_ctx) != WOLFSSL_SUCCESS) { + wpa_printf(MSG_ERROR, + "wolfSSL: wolfSSL_EnableOCSPStapling failed"); + return -1; + } + if (wolfSSL_CTX_SetOCSP_OverrideURL(tls_ctx, + params->ocsp_stapling_response) != WOLFSSL_SUCCESS) { + wpa_printf(MSG_ERROR, + "wolfSSL: wolfSSL_CTX_SetOCSP_OverrideURL failed"); + return -1; + } + if (wolfSSL_CTX_SetOCSP_Cb(tls_ctx, ocsp_status_cb, + ocsp_resp_free_cb, NULL) != WOLFSSL_SUCCESS) { + wpa_printf(MSG_ERROR, + "wolfSSL: wolfSSL_CTX_SetOCSP_Cb failed"); + return -1; + } } #endif /* HAVE_OCSP */
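Review bot: two of the new error messages name the wrong call: the first block tests wolfSSL_CTX_EnableOCSP() and wolfSSL_CTX_DisableOCSP() but logs "wolfSSL_CTX_UseOCSPStapling failed", and the wolfSSL_CTX_EnableOCSPStapling() failure logs "wolfSSL_EnableOCSPStapling failed". Since the purpose of this patch is to check every call, each message should name the call that actually failed. The `||` chain with a comment between its operands is also hard to read; checking wolfSSL_CTX_EnableOCSP() and wolfSSL_CTX_DisableOCSP() in two separate `if` statements would make the enable-then-disable workaround easier to follow, and the comment could say which setting is expected to persist (the commit message says the URL override does).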
From patchwork Thu Apr 4 18:16:26 2024
X-Patchwork-Submitter: Juliusz Sosinowicz
X-Patchwork-Id: 1919935
From: Juliusz Sosinowicz
To: hostap@lists.infradead.org
Cc: Juliusz Sosinowicz
Subject: [PATCH 20/24] run_ap_wpa2_eap_tls_intermediate_ca_ocsp: fix cert configuration
Date: Thu, 4 Apr 2024 20:16:26 +0200
Message-Id: <20240404181630.2431991-20-juliusz@wolfssl.com>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20240404181630.2431991-1-juliusz@wolfssl.com>
References: <20240404181630.2431991-1-juliusz@wolfssl.com>
When wolfSSL is on the server side, it won't send the entire chain. The client needs to have the server CA loaded to be able to verify the server and needs to load user_and_ica.pem so it sends a cert chain.

Use the entire cert chain PEM since the test relies on the chain being sent. wolfSSL only sends the certificate that was loaded and not the full chain.

Signed-off-by: Juliusz Sosinowicz
---
 .../iCA-server/server-revoked_and_ica.pem | 162 +++++++++---------
 tests/hwsim/auth_serv/ica-generate.sh | 2 +-
 tests/hwsim/test_ap_eap.py | 12 +-
 3 files changed, 90 insertions(+), 86 deletions(-)

diff --git a/tests/hwsim/auth_serv/iCA-server/server-revoked_and_ica.pem b/tests/hwsim/auth_serv/iCA-server/server-revoked_and_ica.pem
index 09619be1aa..22997b8655 100644
--- a/tests/hwsim/auth_serv/iCA-server/server-revoked_and_ica.pem
+++ b/tests/hwsim/auth_serv/iCA-server/server-revoked_and_ica.pem
@@ -1,84 +1,3 @@ -Certificate: - Data: - Version: 3 (0x2) - Serial Number: - d8:d3:e3:a6:cb:e3:cc:f7 - Signature Algorithm: sha256WithRSAEncryption - Issuer: C=FI, L=Tuusula, O=w1.fi, CN=Root CA - Validity - Not Before: May 3 15:20:10 2020 GMT - Not After : May 3 15:20:10 2030 GMT - Subject: C=FI, O=w1.fi, CN=Server Intermediate CA - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - RSA Public-Key: (2048 bit) - Modulus: - 00:a2:b0:de:7f:e6:17:69:4b:bb:8d:dc:4f:8b:95: - 33:5e:13:ee:a1:01:f5:82:de:6e:fc:83:db:e7:22: - 5f:b9:8d:2b:de:10:72:4e:da:81:c1:f7:f3:eb:0e: - db:5b:5f:90:92:bb:41:68:55:4f:84:d9:73:5b:0c: - 6d:40:e6:c5:0f:5d:5c:5e:80:1e:64:87:5a:99:44: - 8b:3d:61:20:f0:15:cc:87:95:5b:a0:46:0f:bc:5c: - 14:ee:ac:4f:c8:7c:d2:c0:ef:60:94:22:b6:74:05: - 4f:ca:97:01:0a:30:b4:50:44:89:d0:c2:6b:e5:7f: - ce:66:22:1a:d6:38:7c:ff:42:42:ca:58:a0:38:85: - ca:f1:b1:1f:33:27:db:bf:5c:49:96:36:7a:11:2f: - 62:d7:eb:7e:9f:9b:9c:0e:2b:df:cd:59:bc:ee:e8: - 6a:e3:7d:fa:06:ba:34:42:b5:7d:e7:be:e1:7b:85: - af:1b:25:a9:45:33:06:cb:cc:0d:ca:78:5c:56:52: - ac:43:7e:f6:0c:e7:fb:86:b4:ac:d7:f4:b2:54:ee: - 65:7a:5c:32:6b:33:a0:68:1b:d8:ea:c8:74:94:08: - 00:7f:9b:f0:da:80:0f:f2:45:13:11:63:4c:e6:d2: - 97:d3:ae:12:b0:7c:e8:f0:56:c0:7b:7c:82:99:6d: - 3b:5d - Exponent: 65537 (0x10001) - X509v3 extensions: - X509v3 Subject Key Identifier: - EB:DC:8D:38:75:10:2F:E6:82:8E:FE:43:EC:9F:7E:63:22:BD:51:55 - X509v3 Authority Key Identifier: - keyid:A4:FD:B9:39:1B:81:B3:AA:EB:88:1D:D4:81:A9:B5:11:70:CC:A7:E1 - - X509v3 Basic Constraints: critical - CA:TRUE, pathlen:0 - X509v3 Key Usage: critical - Certificate Sign, CRL Sign - Signature Algorithm: sha256WithRSAEncryption - 86:74:75:b2:bb:b0:85:25:48:38:e1:34:54:d5:d4:3a:9f:0e: - b1:96:fd:cc:ea:15:21:72:da:9e:ef:e2:fa:ae:29:74:dc:83: - 36:87:88:7d:75:51:9a:c5:6e:a8:80:77:3f:5c:ed:9e:ac:57: - 17:ed:ab:64:4f:15:8b:47:90:0a:17:2a:7e:49:a9:01:a1:41: - 66:d4:fe:be:18:70:d6:23:f7:0b:0a:53:d7:75:a8:7f:0a:52: - 
1c:1d:8c:63:6f:82:ed:ed:fd:e2:fe:86:ef:0a:4c:f8:d7:93: - 56:9a:a3:dd:74:02:8c:b3:31:83:c1:8a:66:c6:c0:1d:dc:00: - 5c:57:f4:31:31:8b:d4:84:d8:da:6d:d6:f6:e4:10:7e:bb:f2: - 41:95:dd:a6:0c:37:c7:22:80:e6:36:3e:34:c6:1c:73:ab:42: - 90:6e:f8:db:e8:b6:c0:b2:f5:17:d2:6f:d3:8c:fb:14:25:8e: - 72:81:45:76:86:f7:d1:d9:3d:ff:b1:a2:10:6f:c0:24:e7:70: - 3f:2d:cf:32:ee:06:70:d5:1b:04:84:6d:48:69:26:1e:98:5a: - ed:e3:61:f5:29:45:88:25:cf:7f:c4:fb:f3:87:a7:11:95:9e: - cf:a8:aa:88:db:12:32:66:66:c4:1d:12:b1:62:1d:fa:28:f4: - 97:ac:df:2e ------BEGIN CERTIFICATE----- -MIIDaDCCAlCgAwIBAgIJANjT46bL48z3MA0GCSqGSIb3DQEBCwUAMEExCzAJBgNV -BAYTAkZJMRAwDgYDVQQHDAdUdXVzdWxhMQ4wDAYDVQQKDAV3MS5maTEQMA4GA1UE -AwwHUm9vdCBDQTAeFw0yMDA1MDMxNTIwMTBaFw0zMDA1MDMxNTIwMTBaMD4xCzAJ -BgNVBAYTAkZJMQ4wDAYDVQQKDAV3MS5maTEfMB0GA1UEAwwWU2VydmVyIEludGVy -bWVkaWF0ZSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKKw3n/m -F2lLu43cT4uVM14T7qEB9YLebvyD2+ciX7mNK94Qck7agcH38+sO21tfkJK7QWhV -T4TZc1sMbUDmxQ9dXF6AHmSHWplEiz1hIPAVzIeVW6BGD7xcFO6sT8h80sDvYJQi -tnQFT8qXAQowtFBEidDCa+V/zmYiGtY4fP9CQspYoDiFyvGxHzMn279cSZY2ehEv -Ytfrfp+bnA4r381ZvO7oauN9+ga6NEK1fee+4XuFrxslqUUzBsvMDcp4XFZSrEN+ -9gzn+4a0rNf0slTuZXpcMmszoGgb2OrIdJQIAH+b8NqAD/JFExFjTObSl9OuErB8 -6PBWwHt8gpltO10CAwEAAaNmMGQwHQYDVR0OBBYEFOvcjTh1EC/mgo7+Q+yffmMi -vVFVMB8GA1UdIwQYMBaAFKT9uTkbgbOq64gd1IGptRFwzKfhMBIGA1UdEwEB/wQI -MAYBAf8CAQAwDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IBAQCGdHWy -u7CFJUg44TRU1dQ6nw6xlv3M6hUhctqe7+L6ril03IM2h4h9dVGaxW6ogHc/XO2e -rFcX7atkTxWLR5AKFyp+SakBoUFm1P6+GHDWI/cLClPXdah/ClIcHYxjb4Lt7f3i -/obvCkz415NWmqPddAKMszGDwYpmxsAd3ABcV/QxMYvUhNjabdb25BB+u/JBld2m -DDfHIoDmNj40xhxzq0KQbvjb6LbAsvUX0m/TjPsUJY5ygUV2hvfR2T3/saIQb8Ak -53A/Lc8y7gZw1RsEhG1IaSYemFrt42H1KUWIJc9/xPvzh6cRlZ7PqKqI2xIyZmbE -HRKxYh36KPSXrN8u ------END CERTIFICATE----- Certificate: Data: Version: 3 (0x2) 
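Review bot: this hunk removes the Server Intermediate CA block (serial d8:d3:e3:a6:cb:e3:cc:f7, Subject C=FI, O=w1.fi, CN=Server Intermediate CA) from the head of the chain file so that the end-entity certificate comes first, which is the order a TLS Certificate message requires (sender's certificate first, each following certificate certifying the one before it). That rationale is only in the commit message; a short comment in ica-generate.sh, whose hunk is not shown on this page but is listed in the diffstat, would keep the next regeneration of these PEM files from putting the intermediate back on top.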
@@ -165,3 +84,84 @@ zoQkEtp/qKsV/SSbzxyuL48TKCcJHlcryh/IvKSVCCdOxCFopUWfWkIcfzdZ1+0w vu0mEl2A9X19lP9SVvxnDz8AIee0L0h7d4b7FiiraOFNgOteS5mIL+yjHQbFBC67 VvtrdZ1beINjK3B8IZShWKSOizDTKIg= -----END CERTIFICATE----- +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + d8:d3:e3:a6:cb:e3:cc:f7 + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=FI, L=Tuusula, O=w1.fi, CN=Root CA + Validity + Not Before: May 3 15:20:10 2020 GMT + Not After : May 3 15:20:10 2030 GMT + Subject: C=FI, O=w1.fi, CN=Server Intermediate CA + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:a2:b0:de:7f:e6:17:69:4b:bb:8d:dc:4f:8b:95: + 33:5e:13:ee:a1:01:f5:82:de:6e:fc:83:db:e7:22: + 5f:b9:8d:2b:de:10:72:4e:da:81:c1:f7:f3:eb:0e: + db:5b:5f:90:92:bb:41:68:55:4f:84:d9:73:5b:0c: + 6d:40:e6:c5:0f:5d:5c:5e:80:1e:64:87:5a:99:44: + 8b:3d:61:20:f0:15:cc:87:95:5b:a0:46:0f:bc:5c: + 14:ee:ac:4f:c8:7c:d2:c0:ef:60:94:22:b6:74:05: + 4f:ca:97:01:0a:30:b4:50:44:89:d0:c2:6b:e5:7f: + ce:66:22:1a:d6:38:7c:ff:42:42:ca:58:a0:38:85: + ca:f1:b1:1f:33:27:db:bf:5c:49:96:36:7a:11:2f: + 62:d7:eb:7e:9f:9b:9c:0e:2b:df:cd:59:bc:ee:e8: + 6a:e3:7d:fa:06:ba:34:42:b5:7d:e7:be:e1:7b:85: + af:1b:25:a9:45:33:06:cb:cc:0d:ca:78:5c:56:52: + ac:43:7e:f6:0c:e7:fb:86:b4:ac:d7:f4:b2:54:ee: + 65:7a:5c:32:6b:33:a0:68:1b:d8:ea:c8:74:94:08: + 00:7f:9b:f0:da:80:0f:f2:45:13:11:63:4c:e6:d2: + 97:d3:ae:12:b0:7c:e8:f0:56:c0:7b:7c:82:99:6d: + 3b:5d + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Subject Key Identifier: + EB:DC:8D:38:75:10:2F:E6:82:8E:FE:43:EC:9F:7E:63:22:BD:51:55 + X509v3 Authority Key Identifier: + keyid:A4:FD:B9:39:1B:81:B3:AA:EB:88:1D:D4:81:A9:B5:11:70:CC:A7:E1 + + X509v3 Basic Constraints: critical + CA:TRUE, pathlen:0 + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + Signature Algorithm: sha256WithRSAEncryption + 86:74:75:b2:bb:b0:85:25:48:38:e1:34:54:d5:d4:3a:9f:0e: + b1:96:fd:cc:ea:15:21:72:da:9e:ef:e2:fa:ae:29:74:dc:83: + 
36:87:88:7d:75:51:9a:c5:6e:a8:80:77:3f:5c:ed:9e:ac:57: + 17:ed:ab:64:4f:15:8b:47:90:0a:17:2a:7e:49:a9:01:a1:41: + 66:d4:fe:be:18:70:d6:23:f7:0b:0a:53:d7:75:a8:7f:0a:52: + 1c:1d:8c:63:6f:82:ed:ed:fd:e2:fe:86:ef:0a:4c:f8:d7:93: + 56:9a:a3:dd:74:02:8c:b3:31:83:c1:8a:66:c6:c0:1d:dc:00: + 5c:57:f4:31:31:8b:d4:84:d8:da:6d:d6:f6:e4:10:7e:bb:f2: + 41:95:dd:a6:0c:37:c7:22:80:e6:36:3e:34:c6:1c:73:ab:42: + 90:6e:f8:db:e8:b6:c0:b2:f5:17:d2:6f:d3:8c:fb:14:25:8e: + 72:81:45:76:86:f7:d1:d9:3d:ff:b1:a2:10:6f:c0:24:e7:70: + 3f:2d:cf:32:ee:06:70:d5:1b:04:84:6d:48:69:26:1e:98:5a: + ed:e3:61:f5:29:45:88:25:cf:7f:c4:fb:f3:87:a7:11:95:9e: + cf:a8:aa:88:db:12:32:66:66:c4:1d:12:b1:62:1d:fa:28:f4: + 97:ac:df:2e +-----BEGIN CERTIFICATE----- +MIIDaDCCAlCgAwIBAgIJANjT46bL48z3MA0GCSqGSIb3DQEBCwUAMEExCzAJBgNV +BAYTAkZJMRAwDgYDVQQHDAdUdXVzdWxhMQ4wDAYDVQQKDAV3MS5maTEQMA4GA1UE +AwwHUm9vdCBDQTAeFw0yMDA1MDMxNTIwMTBaFw0zMDA1MDMxNTIwMTBaMD4xCzAJ +BgNVBAYTAkZJMQ4wDAYDVQQKDAV3MS5maTEfMB0GA1UEAwwWU2VydmVyIEludGVy +bWVkaWF0ZSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKKw3n/m +F2lLu43cT4uVM14T7qEB9YLebvyD2+ciX7mNK94Qck7agcH38+sO21tfkJK7QWhV +T4TZc1sMbUDmxQ9dXF6AHmSHWplEiz1hIPAVzIeVW6BGD7xcFO6sT8h80sDvYJQi +tnQFT8qXAQowtFBEidDCa+V/zmYiGtY4fP9CQspYoDiFyvGxHzMn279cSZY2ehEv +Ytfrfp+bnA4r381ZvO7oauN9+ga6NEK1fee+4XuFrxslqUUzBsvMDcp4XFZSrEN+ +9gzn+4a0rNf0slTuZXpcMmszoGgb2OrIdJQIAH+b8NqAD/JFExFjTObSl9OuErB8 +6PBWwHt8gpltO10CAwEAAaNmMGQwHQYDVR0OBBYEFOvcjTh1EC/mgo7+Q+yffmMi +vVFVMB8GA1UdIwQYMBaAFKT9uTkbgbOq64gd1IGptRFwzKfhMBIGA1UdEwEB/wQI +MAYBAf8CAQAwDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IBAQCGdHWy +u7CFJUg44TRU1dQ6nw6xlv3M6hUhctqe7+L6ril03IM2h4h9dVGaxW6ogHc/XO2e +rFcX7atkTxWLR5AKFyp+SakBoUFm1P6+GHDWI/cLClPXdah/ClIcHYxjb4Lt7f3i +/obvCkz415NWmqPddAKMszGDwYpmxsAd3ABcV/QxMYvUhNjabdb25BB+u/JBld2m +DDfHIoDmNj40xhxzq0KQbvjb6LbAsvUX0m/TjPsUJY5ygUV2hvfR2T3/saIQb8Ak +53A/Lc8y7gZw1RsEhG1IaSYemFrt42H1KUWIJc9/xPvzh6cRlZ7PqKqI2xIyZmbE +HRKxYh36KPSXrN8u +-----END CERTIFICATE----- 
diff --git a/tests/hwsim/auth_serv/ica-generate.sh b/tests/hwsim/auth_serv/ica-generate.sh index d3fe7b9645..555cdb06d3 100755 --- a/tests/hwsim/auth_serv/ica-generate.sh +++ b/tests/hwsim/auth_serv/ica-generate.sh @@ -58,7 +58,7 @@ cat ec-ca-openssl.cnf | $OPENSSL req -config openssl.cnf.tmp -batch -new -newkey rsa:2048 -nodes -keyout iCA-server/server-revoked.key -out iCA-server/server-revoked.req -outform PEM -sha256 $OPENSSL ca -config openssl.cnf.tmp -batch -keyfile iCA-server/private/cakey.pem -cert iCA-server/cacert.pem -create_serial -in iCA-server/server-revoked.req -out iCA-server/server-revoked.pem -extensions ext_server -md sha256 $OPENSSL ca -config openssl.cnf.tmp -revoke iCA-server/server-revoked.pem -keyfile iCA-server/private/cakey.pem -cert iCA-server/cacert.pem -cat iCA-server/cacert.pem iCA-server/server-revoked.pem > iCA-server/server-revoked_and_ica.pem +cat iCA-server/server-revoked.pem iCA-server/cacert.pem > iCA-server/server-revoked_and_ica.pem rm openssl.cnf.tmp echo diff --git a/tests/hwsim/test_ap_eap.py b/tests/hwsim/test_ap_eap.py index 3350da7e4e..580660e592 100644 --- a/tests/hwsim/test_ap_eap.py +++ b/tests/hwsim/test_ap_eap.py 
@@ -4972,14 +4972,18 @@ def run_ap_wpa2_eap_tls_intermediate_ca_ocsp(dev, apdev, params, md): fn = ica_ocsp("server.pem", md) params["ocsp_stapling_response"] = fn try: - hostapd.add_ap(apdev[0], params) + hapd = hostapd.add_ap(apdev[0], params) tls = dev[0].request("GET tls_library") if "GnuTLS" in tls or "wolfSSL" in tls: - ca_cert = "auth_serv/iCA-user/ca-and-root.pem" client_cert = "auth_serv/iCA-user/user_and_ica.pem" else: - ca_cert = "auth_serv/iCA-user/ca-and-root.pem" client_cert = "auth_serv/iCA-user/user.pem" + hapd_tls = hapd.request("GET tls_library") + if "GnuTLS" in hapd_tls or "wolfSSL" in hapd_tls: + ca_cert = "auth_serv/iCA-server/ca-and-root.pem" + client_cert = "auth_serv/iCA-user/user_and_ica.pem" + else: + ca_cert = "auth_serv/iCA-user/ca-and-root.pem" dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS", identity="tls user", ca_cert=ca_cert, 
@@ -5003,7 +5007,7 @@ def run_ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked(dev, apdev, params, md): check_ocsp_support(dev[0]) params = int_eap_server_params() params["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem" - params["server_cert"] = "auth_serv/iCA-server/server-revoked.pem" + params["server_cert"] = "auth_serv/iCA-server/server-revoked_and_ica.pem" params["private_key"] = "auth_serv/iCA-server/server-revoked.key" fn = ica_ocsp("server-revoked.pem", md) params["ocsp_stapling_response"] = fn
From patchwork Thu Apr 4 18:16:27 2024
X-Patchwork-Submitter: Juliusz Sosinowicz
X-Patchwork-Id: 1919934
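Review bot: The two ca-and-root.pem hunks (@@ -1,84 +1,3 @@ and @@ -165,3 +84,84 @@) only move the "Server Intermediate CA" block from the head of the bundle to after the root, and nothing in the patch records why the order matters or which TLS backend reads this file root-first; put that in the commit message, and make sure whatever generates ca-and-root.pem emits the same order, otherwise the next regeneration silently reverts this.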
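Review bot: In the ica-generate.sh hunk, the reordered cat now writes server-revoked_and_ica.pem leaf-first (server-revoked.pem, then iCA-server/cacert.pem), which is the chain order a TLS server is expected to present (end-entity first, each following certificate certifying the one before it); add a one-line comment in the script saying so, since the old CA-first order looks equally plausible to a reader and is the kind of thing that gets "tidied" back.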
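Review bot: In the @@ -4972 hunk of run_ap_wpa2_eap_tls_intermediate_ca_ocsp, the new hapd_tls block overwrites client_cert with auth_serv/iCA-user/user_and_ica.pem whenever hostapd runs on GnuTLS or wolfSSL, regardless of what the preceding dev[0] tls_library check chose, so for that combination the first if/else only ever sets a value that is immediately replaced; if the intent is "send the intermediate whenever either side is GnuTLS/wolfSSL", derive one condition from both library strings and assign client_cert once. A comment is also needed on why ca_cert switches to the iCA-server bundle in that case (presumably because that server side does not send the intermediate, so the client has to get it from ca_cert) rather than leaving the reader to infer it.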
From: Juliusz Sosinowicz
To: hostap@lists.infradead.org
Cc: Juliusz Sosinowicz
Subject: [PATCH 21/24] wolfssl: Implement EAP-FAST
Date: Thu, 4 Apr 2024 20:16:27 +0200
Message-Id: <20240404181630.2431991-21-juliusz@wolfssl.com>
In-Reply-To: <20240404181630.2431991-1-juliusz@wolfssl.com>
References: <20240404181630.2431991-1-juliusz@wolfssl.com>

Add tls_session_ticket_ext_cb and use the new wolfSSL_set_session_ticket_ext_cb API.

Signed-off-by: Juliusz Sosinowicz
---
src/crypto/tls_wolfssl.c | 59 +++++++++++++++++++++++++++++++--------- 1 file changed, 46 insertions(+), 13 deletions(-)

diff --git a/src/crypto/tls_wolfssl.c b/src/crypto/tls_wolfssl.c index b6869b7488..22f8d6eb78 100644 --- a/src/crypto/tls_wolfssl.c +++ b/src/crypto/tls_wolfssl.c @@ -94,7 +94,8 @@ struct tls_connection { #if defined(EAP_FAST) || defined(EAP_FAST_DYNAMIC) || defined(EAP_SERVER_FAST) tls_session_ticket_cb session_ticket_cb; void *session_ticket_cb_ctx; - byte session_ticket[SESSION_TICKET_LEN]; + u8 *session_ticket; + size_t session_ticket_len; #endif unsigned int ca_cert_verify:1; unsigned int cert_probe:1; @@ -513,6 +514,7 @@ void tls_connection_deinit(void *tls_ctx, struct tls_connection *conn) os_free(conn->domain_match); os_free(conn->peer_subject); os_free(conn->check_cert_subject); + os_free(conn->session_ticket); /* self */ os_free(conn);
@@ -2481,32 +2483,58 @@ static int tls_sess_sec_cb(WOLFSSL *s, void *secret, int *secret_len, void *arg) int ret; unsigned char client_random[RAN_LEN]; unsigned char server_random[RAN_LEN]; - word32 ticket_len = sizeof(conn->session_ticket); if (!conn || !conn->session_ticket_cb) - return 1; + return -1; + + wpa_printf(MSG_DEBUG, "wolfSSL: %s", __func__); if (wolfSSL_get_client_random(s, client_random, sizeof(client_random)) == 0 || wolfSSL_get_server_random(s, server_random, - sizeof(server_random)) == 0 || - wolfSSL_get_SessionTicket(s, conn->session_ticket, - &ticket_len) != 1) - return 1; - - if (ticket_len == 0) - return 0; + sizeof(server_random)) == 0) + return -1; ret = conn->session_ticket_cb(conn->session_ticket_cb_ctx, - conn->session_ticket, ticket_len, + conn->session_ticket, conn->session_ticket_len, client_random, server_random, secret); + + wpa_printf(MSG_DEBUG, "wolfSSL: %s conn->session_ticket_cb: %d", __func__, ret); + + os_free(conn->session_ticket); + conn->session_ticket = NULL; + if (ret <= 0) - return 1; + return -1; *secret_len = SECRET_LEN; return 0; } +static int tls_session_ticket_ext_cb(SSL *s, const unsigned char *data, + int len, void *arg) +{ + struct tls_connection *conn = arg; + + if (conn == NULL || conn->session_ticket_cb == NULL) + return 0; + + wpa_printf(MSG_DEBUG, "wolfSSL: %s: length=%d", __func__, len); + + os_free(conn->session_ticket); + conn->session_ticket = NULL; + + wpa_hexdump(MSG_DEBUG, "wolfSSL: ClientHello SessionTicket " + "extension", data, len); + + conn->session_ticket = os_memdup(data, len); + if (conn->session_ticket == NULL) + return 0; + + conn->session_ticket_len = len; + + return 1; +} #endif /* EAP_FAST || EAP_FAST_DYNAMIC || EAP_SERVER_FAST */ 
@@ -2521,11 +2549,16 @@ int tls_connection_set_session_ticket_cb(void *tls_ctx, if (cb) { if (wolfSSL_set_session_secret_cb(conn->ssl, tls_sess_sec_cb, - conn) != 1) + conn) != 1) + return -1; + if (wolfSSL_set_session_ticket_ext_cb(conn->ssl, + tls_session_ticket_ext_cb, conn) != 1) return -1; } else { if (wolfSSL_set_session_secret_cb(conn->ssl, NULL, NULL) != 1) return -1; + if (wolfSSL_set_session_ticket_ext_cb(conn->ssl, NULL, NULL) != 1) + return -1; } return 0;
From patchwork Thu Apr 4 18:16:28 2024
X-Patchwork-Submitter: Juliusz Sosinowicz
X-Patchwork-Id: 1919911
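Review bot: In the @@ -2481 hunk, tls_sess_sec_cb frees and NULLs conn->session_ticket but never resets conn->session_ticket_len, and the old `if (ticket_len == 0) return 0;` path is gone, so if wolfSSL invokes the secret callback on a connection where tls_session_ticket_ext_cb did not run (or ran and failed in os_memdup, which also leaves the stale length behind) the callback is handed a NULL ticket with whatever length the previous connection left; set session_ticket_len = 0 wherever the pointer is dropped and handle the NULL case explicitly before calling session_ticket_cb. In tls_session_ticket_ext_cb the `int len` goes straight into os_memdup(data, len); reject len <= 0 first, and take `WOLFSSL *s` rather than the compat `SSL *` alias to match the rest of the file.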
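Review bot: In the @@ -2521 hunk, if wolfSSL_set_session_ticket_ext_cb() fails after wolfSSL_set_session_secret_cb() already succeeded, the connection is left with the secret callback installed and no ticket callback, which is exactly the NULL-ticket state the previous hunk does not guard against; either register the ticket callback first or clear the secret callback on that error path. The `- conn) != 1)` / `+ conn) != 1)` pair is a whitespace-only change that could be dropped to keep the diff to the functional part.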
From: Juliusz Sosinowicz
To: hostap@lists.infradead.org
Cc: Juliusz Sosinowicz
Subject: [PATCH 22/24] wolfSSL: simplify option setting in tls_set_conn_flags
Date: Thu, 4 Apr 2024 20:16:28 +0200
Message-Id: <20240404181630.2431991-22-juliusz@wolfssl.com>
In-Reply-To: <20240404181630.2431991-1-juliusz@wolfssl.com>
References: <20240404181630.2431991-1-juliusz@wolfssl.com>

Use one call to wolfSSL_set_options with all the relevant options already set.

Signed-off-by: Juliusz Sosinowicz
---
src/crypto/tls_wolfssl.c | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/src/crypto/tls_wolfssl.c b/src/crypto/tls_wolfssl.c index 22f8d6eb78..8940de98d4 100644 --- a/src/crypto/tls_wolfssl.c +++ b/src/crypto/tls_wolfssl.c
@@ -1565,19 +1565,23 @@ static int tls_connection_ca_cert(void *tls_ctx, struct tls_connection *conn, static void tls_set_conn_flags(WOLFSSL *ssl, unsigned int flags) { + long op = 0; #ifdef HAVE_SESSION_TICKET if (!(flags & TLS_CONN_DISABLE_SESSION_TICKET)) wolfSSL_UseSessionTicket(ssl); #endif /* HAVE_SESSION_TICKET */ + wpa_printf(MSG_DEBUG, "SSL: conn_flags: %d", flags); + if (flags & TLS_CONN_DISABLE_TLSv1_0) - wolfSSL_set_options(ssl, SSL_OP_NO_TLSv1); + op |= WOLFSSL_OP_NO_TLSv1; if (flags & TLS_CONN_DISABLE_TLSv1_1) - wolfSSL_set_options(ssl, SSL_OP_NO_TLSv1_1); + op |= WOLFSSL_OP_NO_TLSv1_1; if (flags & TLS_CONN_DISABLE_TLSv1_2) - wolfSSL_set_options(ssl, SSL_OP_NO_TLSv1_2); + op |= WOLFSSL_OP_NO_TLSv1_2; if (flags & TLS_CONN_DISABLE_TLSv1_3) - wolfSSL_set_options(ssl, SSL_OP_NO_TLSv1_3); + op |= WOLFSSL_OP_NO_TLSv1_3; + wolfSSL_set_options(ssl, op); } @@ -1947,6 +1951,7 @@ int tls_connection_set_verify(void *ssl_ctx, struct tls_connection *conn, return -1; wpa_printf(MSG_DEBUG, "SSL: set verify: %d", verify_peer); + wpa_printf(MSG_DEBUG, "SSL: flags: %d", flags); if (verify_peer) { conn->ca_cert_verify = 1; 
@@ -1976,6 +1981,8 @@ int tls_connection_set_verify(void *ssl_ctx, struct tls_connection *conn, session_ctx_len); } + tls_set_conn_flags(conn->ssl, flags); + return 0; }
From patchwork Thu Apr 4 18:16:29 2024
X-Patchwork-Submitter: Juliusz Sosinowicz
X-Patchwork-Id: 1919914
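Review bot: In the @@ -1565 hunk (and the @@ -1947 one), both new wpa_printf lines print `flags`, an unsigned int bitmask, with %d; use %u, or better 0x%x so the individual TLS_CONN_* bits are readable in the log. The collapse to a single wolfSSL_set_options(ssl, op) is fine, but the SSL_OP_NO_TLSv1* to WOLFSSL_OP_NO_TLSv1* rename riding along in the same lines is a second change the commit message does not mention; either mention it or split it out.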
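Review bot: The tls_set_conn_flags(conn->ssl, flags) call added at the end of tls_connection_set_verify in the @@ -1976 hunk changes behaviour rather than simplifying anything: the connection flags, including the wolfSSL_UseSessionTicket() call inside tls_set_conn_flags, are now applied a second time from the verify path on top of the call tls_connection_set_params already makes. If that is needed because set_verify receives flags that set_params never saw, say so in the commit message and confirm that repeating wolfSSL_UseSessionTicket() and the NO_TLSv1* options on an already-configured WOLFSSL is harmless; otherwise this belongs in its own commit with its own subject.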
From: Juliusz Sosinowicz
To: hostap@lists.infradead.org
Cc: Juliusz Sosinowicz
Subject: [PATCH 23/24] wolfSSL: Implement openssl_ecdh_curves
Date: Thu, 4 Apr 2024 20:16:29 +0200
Message-Id: <20240404181630.2431991-23-juliusz@wolfssl.com>
In-Reply-To: <20240404181630.2431991-1-juliusz@wolfssl.com>
References: <20240404181630.2431991-1-juliusz@wolfssl.com>

Signed-off-by: Juliusz Sosinowicz
---
src/crypto/tls_wolfssl.c | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-)

diff --git a/src/crypto/tls_wolfssl.c b/src/crypto/tls_wolfssl.c index 8940de98d4..224940a402 100644 --- a/src/crypto/tls_wolfssl.c +++ b/src/crypto/tls_wolfssl.c @@ -1628,6 +1628,15 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn, return -1; } + if (params->openssl_ecdh_curves) { + if (wolfSSL_set1_curves_list(conn->ssl, params->openssl_ecdh_curves) + != 1) { + wpa_printf(MSG_ERROR, "wolfSSL: Failed to set ECDH curves '%s'", + params->openssl_ecdh_curves); + return -1; + } + } + tls_set_conn_flags(conn->ssl, params->flags); #ifdef HAVE_CERTIFICATE_STATUS_REQUEST
@@ -1871,9 +1880,12 @@ int tls_global_set_params(void *tls_ctx, } if (params->openssl_ecdh_curves) { - wpa_printf(MSG_ERROR, - "wolfSSL: openssl_ecdh_curves not supported"); - return -1; + if (wolfSSL_CTX_set1_curves_list((WOLFSSL_CTX*)tls_ctx, + params->openssl_ecdh_curves) != 1) { + wpa_printf(MSG_ERROR, "wolfSSL: Failed to set ECDH curves '%s'", + params->openssl_ecdh_curves); + return -1; + } } #ifdef HAVE_SESSION_TICKET
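Review bot: the cast `(WOLFSSL_CTX*)tls_ctx` in the new wolfSSL_CTX_set1_curves_list() call is not needed, because tls_ctx is declared `void *` in the function signature and converts implicitly, and its spelling does not match the `type *` spacing used in hostap; drop the cast, or assign it once to a local `WOLFSSL_CTX *ctx = tls_ctx;`. Replacing the unconditional "not supported" error with the real call keeps the same fail-closed outcome (log and return -1) when the list is rejected, which is the right choice for a configured security parameter.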

From: Juliusz Sosinowicz
To: hostap@lists.infradead.org
Cc: Juliusz Sosinowicz
Subject: [PATCH 24/24] wolfSSL: test_ap_wpa2_eap_fast_server_oom
Date: Thu, 4 Apr 2024 20:16:30 +0200
Message-Id: <20240404181630.2431991-24-juliusz@wolfssl.com>
In-Reply-To: <20240404181630.2431991-1-juliusz@wolfssl.com>
References: <20240404181630.2431991-1-juliusz@wolfssl.com>

wolfSSL sends the session ticket extension on the first TLS handshake.
This causes the malloc error to be triggered on the first connection instead of the second and the failure event is not registered in the python test. Signed-off-by: Juliusz Sosinowicz --- tests/hwsim/test_ap_eap.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/tests/hwsim/test_ap_eap.py b/tests/hwsim/test_ap_eap.py index 580660e592..9b1ca119b7 100644 --- a/tests/hwsim/test_ap_eap.py +++ b/tests/hwsim/test_ap_eap.py @@ -4277,6 +4277,9 @@ def test_ap_wpa2_eap_fast_prf_oom(dev, apdev): def test_ap_wpa2_eap_fast_server_oom(dev, apdev): """EAP-FAST/MSCHAPv2 and server OOM""" check_eap_capa(dev[0], "FAST") + tls = dev[0].request("GET tls_library") + if not tls.startswith("OpenSSL"): + raise HwsimSkip("TLS library is not OpenSSL: " + tls) params = int_eap_server_params() params['dh_file'] = 'auth_serv/dh.conf'
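Review bot: the new skip is broader than the commit message justifies. The message describes a wolfSSL-specific difference (the session ticket extension goes out on the first handshake, so the injected malloc failure fires on the first connection and the test never observes the failure event), but the condition `if not tls.startswith("OpenSSL"):` skips the test for every TLS backend other than OpenSSL. Either skip on `tls.startswith("wolfSSL")` to match the stated reason, or say in the commit message that the test's allocation-failure sequencing is tuned to OpenSSL's handshake ordering. A follow-up that moves the failure trigger to the right connection for wolfSSL, instead of skipping, would keep server OOM coverage for that backend.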