On Thu, Mar 29, 2018 at 02:55:55PM +1000, Sean Parkinson wrote:
> I've looked into the failures and made changes as needed.
> There were changes to wolfSSL as well.
>
> To reproduce the setup I tested:
> - download wolfSSL latest from master (https://github.com/wolfssl/wolfssl)
> - configure wolfSSL with option -enable-wpas
> - build wolfSSL
> - in wpa_supplicant change .config
>   - CONFIG_TLS=wolfssl
>   - disable CONFIG_DPP
>
> The proposed new patch is below.

Thanks. I applied this as a number of smaller commits to make it easier to review and understand. I did some cleanup and a couple of fixes while going through the changes as well. There are some remaining issues, but it looks like this is a reasonable step forward, so I included all the changes even though it looks like there is something wrong with the ECDH wrappers (at least crypto_ecdh_set_peerkey() fails to work properly).

The crypto_ecdh_set_peerkey() version in the patch you sent was broken, i.e., it actually ended up causing process termination due to invalid wpabuf_put() use that hit the buffer bounds checking routine. I fixed that to use wpabuf_mhead() instead of wpabuf_put() since the wc_ecc_import_point_der() call was clearly trying to use the already generated buffer instead of trying to add something more into the buffer. While this removed the process termination part, something is still failing. That wc_ecc_import_point_der() call fails every now and then and even if it succeeds, the ECDH shared secret from wc_ecc_shared_secret_ex() does not match the one that the AP derives (i.e., using crypto_openssl.c on the other end of the connection).

As far as wolfSSL changes for the --enable-wpas case are concerned, please note that I had to revert the GetName() change in wolfcrypt/src/asn.c (i.e., do not add an extra '=' to make the one-line name output look like /CN==FI/ instead of /CN=FI/). This was added in wolfssl commit b325e0ff916aa5989c523e7619f4dbbbeded74a1 ("Fixes for wpa_supplicant") for some reason, but it results in a failure in one of the hwsim test cases that verifies the exact contents of the server certificate name.

As far as remaining failures from a wpa_supplicant build using the current wolfSSL snapshot against a hostapd build using OpenSSL are concerned, I'm seeing the following issues:
- quite a few EAP-FAST test cases are failing
- ap_wpa2_eap_tls_versions is failing since tls_wolfssl.c returns "unknown" from tls_get_version() (i.e., wolfSSL_get_version())
- all OWE test cases are failing (that ECDH issue)
- all FILS PFS test cases are failing (ECDH)
- some EAP protocol test case failures

I haven't looked at these in much detail yet, but this is the list of failing test cases from my tests:

ap_wpa2_eap_fast_binary_pac
ap_wpa2_eap_fast_binary_pac_errors
ap_wpa2_eap_fast_mschapv2_unauth_prov
ap_wpa2_eap_fast_pac_file
ap_wpa2_eap_fast_pac_refresh
ap_wpa2_eap_fast_pac_truncate
ap_wpa2_eap_fast_prov
ap_wpa2_eap_fast_server_oom
ap_wpa2_eap_fast_text_pac_errors
ap_wpa2_eap_ikev2_oom
ap_wpa2_eap_pwd_groups
ap_wpa2_eap_tls_versions
eap_mschapv2_errors
eap_proto_eke_errors
eap_proto_fast_errors
fils_sk_pfs_20
fils_sk_pfs_21
fils_sk_pfs_26
owe
owe_and_psk
owe_group_negotiation
owe_group_negotiation_connect_cmd
owe_groups
owe_limited_group_set
owe_pmksa_caching
owe_pmksa_caching_connect_cmd
owe_transition_mode
owe_transition_mode_connect_cmd
owe_transition_mode_multi_bss
sigma_dut_ap_owe
sigma_dut_ap_owe_ecgroupid
sigma_dut_ap_owe_transition_mode
sigma_dut_ap_owe_transition_mode_2
sigma_dut_owe

-- 
Jouni Malinen                                            PGP id EFC895FA

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
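The wpabuf_put() versus wpabuf_mhead() distinction behind the process termination discussed in the message above, as an added example that is not code from hostap, wolfSSL or the patch under discussion: a small constructed stand-in for the wpabuf API (returning NULL where the real wpabuf_overflow() aborts) and a stub for wc_ecc_import_point_der(), with the broken and fixed shapes of the peer key import side by side.

```c
#include <stdint.h>
#include <string.h>
/* Constructed stand-in for hostap's struct wpabuf, not the real wpabuf.c. */
struct wpabuf {
    size_t size;   /* allocated capacity */
    size_t used;   /* bytes already written */
    uint8_t *buf;
};
static size_t wpabuf_len(const struct wpabuf *b) { return b->used; }
/* Pointer to the data already in the buffer: what an import should read. */
static uint8_t *wpabuf_mhead(struct wpabuf *b) { return b->buf; }

/* Reserve len more bytes at the tail. The real wpabuf_overflow() aborts the
 * process; this stand-in returns NULL so the failure can be observed. */
static uint8_t *wpabuf_put(struct wpabuf *b, size_t len)
{
    if (b->used + len > b->size) return NULL;
    uint8_t *tail = b->buf + b->used;
    b->used += len;
    return tail;
}

/* Stub for wc_ecc_import_point_der(): an uncompressed SEC1 point starts
 * with 0x04; anything else (or no data) is treated as a parse error. */
static int import_point_der(const uint8_t *der, size_t len)
{ return (der != NULL && len > 0 && der[0] == 0x04) ? 0 : -1; }

/* Broken shape from the patch: wpabuf_put() used to "fetch" existing bytes.
 * It trips the bounds check, or at best returns the uninitialised tail. */
int set_peerkey_broken(struct wpabuf *pub)
{
    uint8_t *p = wpabuf_put(pub, wpabuf_len(pub));
    if (p == NULL) return -1;   /* the real code would have aborted here */
    return import_point_der(p, wpabuf_len(pub));
}

/* Fixed shape: read the already generated data through wpabuf_mhead(). */
int set_peerkey_fixed(struct wpabuf *pub)
{ return import_point_der(wpabuf_mhead(pub), wpabuf_len(pub)); }

/* Run one variant on a constructed 65-byte uncompressed P-256 point in a
 * buffer whose capacity equals its used length; returns the variant's result. */
int run_with_point(int (*variant)(struct wpabuf *))
{
    uint8_t point[65] = { 0x04 };
    memset(point + 1, 0xab, sizeof(point) - 1);   /* dummy coordinates */
    struct wpabuf b = { sizeof(point), sizeof(point), point };
    return variant(&b);
}
```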