On Thu, Jan 18, 2018 at 12:26:39PM +1000, Sean Parkinson wrote:
> I've prepared a new patch with the changes as asked for by Jouni.
>
> This patch was written to allow hostap to be compiled with the wolfSSL
> cryptography and TLS library.

Thanks! I'm seeing a number of errors in the hwsim test cases, but it
looks like it is easiest to move ahead with this if I push in the
cleaned up version that I've been testing with some fixes to avoid
breaking non-wolfSSL builds. I'd welcome any incremental changes on top
of the current hostap.git master branch snapshot to address the things
that I list below, or maybe a recommendation on how to configure the
wolfSSL build properly to avoid the issues.

I ran my tests with wolfSSL 3.13.0 and ended up adding various configure
options until the build went through cleanly. This ended up with the
following options:

./configure --prefix=/home/jm/wolfssl/3.13.0 --enable-des3 --enable-md4 \
  --enable-harden --enable-pwdbased --enable-tlsv10 --enable-oldtls \
  --enable-cmac --enable-aeskeywrap --enable-keygen --enable-crl \
  --enable-ocsp --enable-ocspstapling --enable-ocspstapling2 \
  --enable-pkcallbacks --enable-tls13 --enable-fortress --enable-wpas \
  --enable-static=yes --enable-shared=no

These are the notes from my hwsim test runs:

SAE:
- SAE: Could not solve y
- SAE: Could not pick PWE
--> check crypto_ec_point_solve_y_coord() implementation
    (wc_ecc_import_point_der() returns -1)
sae
sae_anti_clogging
sae_anti_clogging_proto
sae_bignum_failure
sae_forced_anti_clogging
sae_group_nego
sae_groups
sae_invalid_anti_clogging_token_req
sae_key_lifetime_in_memory
sae_mixed
sae_mixed_mfp
sae_no_random
sae_oom_wpas
sae_password
sae_password_ecc
sae_password_long
sae_password_short
sae_pmksa_caching
sae_pmksa_caching_disabled
sae_proto_confirm_replay
sae_proto_ecc
sae_pwe_failure
ap_ft_sae
ap_ft_sae_over_ds
sigma_dut_ap_psk_sae
sigma_dut_ap_sae
sigma_dut_ap_sae_group
sigma_dut_ap_sae_password
sigma_dut_sae
sigma_dut_sae_password
wpas_mesh_password_mismatch
mesh_forwarding_secure
ap_mixed_security

TLS interop(?) issue with OpenSSL server:
- OpenSSL server:
  * SSL: SSL3 alert: write (local SSL3 detected an error):fatal:bad record mac
  * SSL: SSL_accept:error in SSLv3 read finished A
  * OpenSSL: openssl_handshake - SSL_connect error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
ap_hs20_remediation_sql
eap_tls_no_session_resumption_radius
authsrv_testing_options
ap_wpa2_eap_tls_versions

OpenSSL authentication server:
- OpenSSL: openssl_handshake - SSL_connect error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
ap_wpa2_eap_ttls_dh_params
ap_wpa2_eap_ttls_dh_params_blob
ap_wpa2_eap_ttls_dh_params_dsa

OpenSSL authentication server:
- TLS: Certificate verification failed, error 20 (unable to get local issuer certificate) depth 0 for '/C=FI/O=w1.fi/CN=user.w1.fi'
- SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unknown CA
- OpenSSL: openssl_handshake - SSL_connect error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
ap_wpa2_eap_tls_intermediate_ca
ap_wpa2_eap_tls_intermediate_ca_ocsp_sha1
ap_wpa2_eap_tls_intermediate_ca_ocsp
ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked
ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked_sha1

TLS: tls_verify_cb - preverify_ok=1 err=0 (unknown error number) ca_cert_verify=1 depth=0 buf='/C=FI/O=w1.fi/CN=server.w1.fi'
TLS: altSubjectName match 'EMAIL:noone@xxxxxxxxxxx;DNS:server.w1.fi;URI:http://example.com/' not found
wlan0: CTRL-EVENT-EAP-TLS-CERT-ERROR reason=6 depth=0 subject='/C=FI/O=w1.fi/CN=server.w1.fi' err='AltSubject mismatch'
ap_wpa2_eap_ttls_pap_subject_match

TLS: tls_verify_cb - preverify_ok=1 err=0 (unknown error number) ca_cert_verify=1 depth=0 buf='/C=FI/O=w1.fi/CN=server.w1.fi'
TLS: altSubjectName match 'EMAIL:noone@xxxxxxxxxxx;URI:http://example.com/;DNS:server.w1.fi' not found
wlan0: CTRL-EVENT-EAP-TLS-CERT-ERROR reason=6 depth=0 subject='/C=FI/O=w1.fi/CN=server.w1.fi' err='AltSubject mismatch'
ap_wpa2_eap_ttls_chap_altsubject_match

TLS: Certificate verification failed, error -407 (Invalid OCSP Status Error) depth 2 for '/C=FI/O=w1.fi/CN=server.w1.fi'
ap_wpa2_eap_ttls_ocsp_revoked
ap_wpa2_eap_ttls_ocsp_unknown
ap_wpa2_eap_ttls_optional_ocsp_unknown

Missing altsubject in D-Bus output?!
dbus_connect_eap

DH: crypto_dh_derive_secret failed
eap_proto_ikev2

TLS: Certificate verification failed, error -238 (ASN CA path length larger than signer error) depth 2 for '/C=FI/O=w1.fi/CN=sha384.server.w1.fi'
eap_tls_sha384
eap_tls_sha512

GET_FAIL/GET_ALLOC_FAIL failure did not trigger:
radius_mppe_failure
authsrv_oom

-- 
Jouni Malinen                                            PGP id EFC895FA

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
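The "SAE: Could not solve y" failures in the test notes above point at crypto_ec_point_solve_y_coord(), so here is an added Python example (not hostap or wolfSSL code) of what that function must compute: given a candidate x on NIST P-256 and a parity bit, recover the matching y, or report that no point exists for that x. The P-256 constants are taken from the curve specification; the square-root shortcut assumes p = 3 (mod 4), which holds for P-256 but not for every SAE group.

```python
# Added illustration of the y-coordinate solve behind SAE PWE derivation.
# Constants are NIST P-256 (assumption: this is the group under test).
P256_P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
P256_A = P256_P - 3
P256_B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
P256_GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
P256_GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5


def is_on_curve(x, y, p=P256_P, a=P256_A, b=P256_B):
    """True if (x, y) satisfies y^2 = x^3 + a*x + b (mod p)."""
    return (y * y - (x * x * x + a * x + b)) % p == 0


def solve_y_coord(x, y_bit, p=P256_P, a=P256_A, b=P256_B):
    """Return the y with parity y_bit for this x, or None if x is not on the curve.

    This mirrors the contract of crypto_ec_point_solve_y_coord() in hostap:
    a None result is what the SAE code logs as "Could not solve y".
    Only valid for curves with p = 3 (mod 4); other primes need Tonelli-Shanks.
    """
    if p % 4 != 3:
        raise ValueError("square-root shortcut requires p = 3 (mod 4)")
    rhs = (x * x * x + a * x + b) % p
    y = pow(rhs, (p + 1) // 4, p)        # candidate square root of rhs
    if (y * y) % p != rhs:               # rhs is a non-residue: no point has this x
        return None
    if (y & 1) != (y_bit & 1):           # choose the root with the requested parity
        y = p - y
    return y


if __name__ == "__main__":
    # Sanity check against the P-256 generator: its y has parity 1.
    y = solve_y_coord(P256_GX, P256_GY & 1)
    print("recovered generator y:", y == P256_GY, "on curve:", is_on_curve(P256_GX, y))
```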