Hi Jouni, I’ve been able to fix the ECDH problem and the error tests. The EAP tests listed are not failing for me. I’m using Ubuntu 14.04.1 in a virtual machine, with the OpenSSL that comes with it, as recommended in example-setup.txt. What setup are you testing on? See below for the patch file. Sean — Sean Parkinson sean@xxxxxxxxxxx wolfSSL Inc >From 50827b00c8c8330ec03b09e6b51a9e06ac182162 Mon Sep 17 00:00:00 2001 From: Sean Parkinson <sparki@xxxxxxxxxxx> Date: Tue, 8 May 2018 09:20:44 +1000 Subject: [PATCH] Fixes for wolfSSL Fix for ECDH set peer to use the index when importing point. Modified DH initialization to call TEST_FAIL() for error tests. Signed-off-by: Sean Parkinson <sean@xxxxxxxxxxx> --- src/crypto/crypto_wolfssl.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/src/crypto/crypto_wolfssl.c b/src/crypto/crypto_wolfssl.c index fc9a67b..bc4fd6a 100644 --- a/src/crypto/crypto_wolfssl.c +++ b/src/crypto/crypto_wolfssl.c @@ -783,6 +783,9 @@ int crypto_dh_init(u8 generator, const u8 *prime, size_t prime_len, u8 *privkey, DhKey *dh = NULL; word32 priv_sz, pub_sz; + if (TEST_FAIL()) + return -1; + dh = os_malloc(sizeof(DhKey)); if (!dh) return -1; 
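Review bot: the TEST_FAIL() early return in crypto_dh_init() sits before the os_malloc() call, so nothing is leaked on that path and it matches the error-injection pattern the error test cases expect; the point to raise is that this commit bundles it with the unrelated crypto_ecdh_set_peerkey() index fix under one "Fixes for wolfSSL" subject, and since Jouni split the previous submission into smaller commits to make review easier, these two fixes are better sent as two patches, each with a subject line that names the function it touches.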
@@ -1762,7 +1765,7 @@ struct wpabuf * crypto_ecdh_set_peerkey(struct crypto_ecdh *ecdh, int inc_y, goto fail; ret = wc_ecc_import_point_der(wpabuf_mhead(pubkey), 1 + 2 * key_len, - ecdh->ec->key.dp->id, point); + ecdh->ec->key.idx, point); if (ret != MP_OKAY) goto fail; -- 1.9.1 > On 3 May 2018, at 1:00 am, Jouni Malinen <j@xxxxx> wrote: > > On Thu, Mar 29, 2018 at 02:55:55PM +1000, Sean Parkinson wrote: >> I’ve looked into the failures and made changes as needed. >> There were changes to wolfSSL as well. >> >> To reproduce the setup I tested: >> - download wolfSSL latest from master (https://github.com/wolfssl/wolfssl) >> - configure wolfSSL with option -enable-wpas >> - build wolfSSL >> - in wpa_supplicant change .config >> - CONFIG_TLS=wolfssl >> - disable CONFIG_DPP >> >> The proposed new patch is below. > > Thanks. I applied this as number of smaller commits to make it easier to > review and understand. I did some cleanup and couple of fixes while > going through the changes as well. > > There are some remaining issues, but it looks like this is a reasonable > step forward, so I included or the changes even though it looks like > there is something wrong with the ECDH wrappers (at least > crypto_ecdh_set_peerkey() fails to work properly). > > The crypto_ecdh_set_peerkey() version in the patch you sent was broken, > i.e., it actually ended up causing process termination due to invalid > wpabuf_put() use that hit the buffer bounds checking routine. I fixed > that to use wpabuf_mhead() instead of wpabuf_put() since the > wc_ecc_import_point_der() call was clearly trying to use the already > generated buffer instead of trying to add something more into the > buffer. While this removed the process termination part, something is > still failing.. 
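Review bot: the switch from ecdh->ec->key.dp->id to ecdh->ec->key.idx as the curve argument of wc_ecc_import_point_der() needs a sentence in the commit message saying why this call takes the curve index rather than the curve id, and whether passing the id accounts for both symptoms Jouni reported (the import failing every now and then, and the wc_ecc_shared_secret_ex() result not matching what the OpenSSL side derives), so a reviewer can tie the one-line change to the OWE and FILS PFS failures without re-deriving it. It would also help to state where ecdh->ec->key.idx is populated before this point is reached, since the import now depends on that field instead of on the curve parameters behind dp.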
> That wc_ecc_import_point_der() call fails every now and
> then and even if it succeeds, the ECDH shared secret from
> wc_ecc_shared_secret_ex() does not match the one that the AP derives
> (i.e., using crypto_openssl.c on the other end of the connection).
>
> As far as wolfSSL changes for the --enable-wpas case are concerned, please
> note that I had to revert the GetName() change in wolfcrypt/src/asn.c
> (i.e., do not add an extra '=' to make the one-line name output look
> like /CN==FI/ instead of /CN=FI/). This was added in wolfssl commit
> b325e0ff916aa5989c523e7619f4dbbbeded74a1 ("Fixes for wpa_supplicant")
> for some reason, but it results in a failure in one of the hwsim test
> cases that verifies the exact contents of the server certificate name.
>
> As far as remaining failures from wpa_supplicant build using current
> wolfSSL snapshot against hostapd build using OpenSSL are concerned, I'm
> seeing the following issues:
> - quite a few EAP-FAST test cases are failing
> - ap_wpa2_eap_tls_versions is failing since tls_wolfssl.c returns
>   "unknown" from tls_get_version() (i.e., wolfSSL_get_version())
> - all OWE test cases are failing (that ECDH issue)
> - all FILS PFS test cases are failing (ECDH)
> - some EAP protocol test case failures
>
> I haven't looked at these in much detail yet, but this is the list of
> failing test cases from my tests:
>
> ap_wpa2_eap_fast_binary_pac
> ap_wpa2_eap_fast_binary_pac_errors
> ap_wpa2_eap_fast_mschapv2_unauth_prov
> ap_wpa2_eap_fast_pac_file
> ap_wpa2_eap_fast_pac_refresh
> ap_wpa2_eap_fast_pac_truncate
> ap_wpa2_eap_fast_prov
> ap_wpa2_eap_fast_server_oom
> ap_wpa2_eap_fast_text_pac_errors
> ap_wpa2_eap_ikev2_oom
> ap_wpa2_eap_pwd_groups
> ap_wpa2_eap_tls_versions
> eap_mschapv2_errors
> eap_proto_eke_errors
> eap_proto_fast_errors
> fils_sk_pfs_20
> fils_sk_pfs_21
> fils_sk_pfs_26
> owe
> owe_and_psk
> owe_group_negotiation
> owe_group_negotiation_connect_cmd
> owe_groups
> owe_limited_group_set
> owe_pmksa_caching
> owe_pmksa_caching_connect_cmd
> owe_transition_mode
> owe_transition_mode_connect_cmd
> owe_transition_mode_multi_bss
> sigma_dut_ap_owe
> sigma_dut_ap_owe_ecgroupid
> sigma_dut_ap_owe_transition_mode
> sigma_dut_ap_owe_transition_mode_2
> sigma_dut_owe
>
> --
> Jouni Malinen            PGP id EFC895FA

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
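The reproduction steps Jouni quoted in the thread (build wolfSSL master with --enable-wpas, set CONFIG_TLS=wolfssl and disable CONFIG_DPP in the wpa_supplicant .config, then run the hwsim cases against a hostapd built with OpenSSL), collected into one script. This is an added example, not a script from the mail or from the hostap or wolfSSL projects. It assumes a hostap checkout in $HOSTAP whose hwsim host setup from tests/hwsim/example-setup.txt is already done (hostapd built per that file), uses tests/hwsim/example-wpa_supplicant.config as the starting .config, and invokes the hwsim scripts start.sh, run-tests.py and stop.sh from tests/hwsim; the test-case names passed to run-tests.py are taken from Jouni's list. The .config rewrite is done by a small function so that it can be checked on its own.

```shell
#!/bin/sh
# Added example (not from the mail, hostap or wolfSSL): the reproduction
# steps from the thread as a script. Assumptions: HOSTAP is a hostap git
# checkout with the hwsim setup from tests/hwsim/example-setup.txt already
# done, WOLFSSL is where wolfSSL master is (or will be) cloned.
set -eu

HOSTAP="${HOSTAP:-$HOME/hostap}"
WOLFSSL="${WOLFSSL:-$HOME/wolfssl}"

# Rewrite a wpa_supplicant .config for a wolfSSL build: drop any active
# CONFIG_TLS= line, comment out an active CONFIG_DPP=y, then select wolfssl.
# The input file is $1; the new config is written to stdout.
wpas_config_for_wolfssl() {
    sed -e '/^CONFIG_TLS=/d' -e 's/^CONFIG_DPP=y$/#CONFIG_DPP=y/' "$1"
    echo 'CONFIG_TLS=wolfssl'
}

# Clone and build wolfSSL master with the configure option named in the thread.
build_wolfssl() {
    [ -d "$WOLFSSL" ] || git clone https://github.com/wolfssl/wolfssl "$WOLFSSL"
    cd "$WOLFSSL"
    ./autogen.sh
    ./configure --enable-wpas
    make
    sudo make install
    sudo ldconfig
    cd - >/dev/null
}

# Build wpa_supplicant against it, starting from the hwsim example config
# (assumed path; hostapd is left as built by the hwsim setup, i.e. OpenSSL).
build_wpas() {
    cd "$HOSTAP/wpa_supplicant"
    wpas_config_for_wolfssl ../tests/hwsim/example-wpa_supplicant.config > .config
    make clean
    make
    cd - >/dev/null
}

# Run a few of the test cases from Jouni's failing list in one hwsim session.
# run-tests.py exits non-zero on failures, which is the expected outcome here,
# so stop.sh still runs afterwards.
run_hwsim_tests() {
    cd "$HOSTAP/tests/hwsim"
    ./start.sh
    ./run-tests.py owe owe_groups fils_sk_pfs_20 fils_sk_pfs_21 \
        ap_wpa2_eap_tls_versions || true
    ./stop.sh
    cd - >/dev/null
}

# Only run the full procedure when asked ("all" as the first argument), so
# sourcing this file does not start a clone and build.
if [ "${1:-}" = "all" ]; then
    build_wolfssl
    build_wpas
    run_hwsim_tests
fi
```

Run it as `HOSTAP=~/hostap ./repro.sh all`; with no argument it only defines the functions, which lets `wpas_config_for_wolfssl` be reused on an existing .config before deciding whether to rebuild.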