On Tue, May 08, 2018 at 09:26:45AM +1000, Sean Parkinson wrote:
> I’ve been able to fix the ECDH problem and the error tests.

Thanks, I can see the patch here fixing those in my setup as well.

> The EAP tests listed are not failing for me.
> I’m using Ubuntu 14.04.1 in a virtual machine, with the OpenSSL that comes with it, as recommended in example-setup.txt.
> What setup are you testing on?

I'm using Ubuntu 16.04 with various OpenSSL versions (including the one
from the distro).

I went through the details of the remaining hwsim test case failures and
there is only one real remaining issue (one real issue fixed and another
one depends on build capabilities):

EAP-FAST issues:
- tests needing unauthenticated provisioning (TLS ADH-AES128-SHA cipher suite) fail
- tests using authentication provisioning pass (e.g., ap_hs20_eap_fast_gtc)
- OpenSSL-based server:
  OpenSSL: RX ver=0x303 content_type=22 (handshake/client hello)
  SSL: SSL3 alert: write (local SSL3 detected an error):fatal:illegal parameter
  OpenSSL: openssl_handshake - SSL_connect error:1414F178:SSL routines:tls1_set_server_sigalgs:no shared sigature algorithms
  OpenSSL: pending error: error:1408A0E2:SSL routines:ssl3_get_client_hello:clienthello tlsext
- ClientHello from wolfSSL uses the correct cipher suite 0x0034
  * signature_algorithms extension includes one algorithm: 0x0200 (hash: SHA1, signature: Anonymous)
- ClientHello from OpenSSL does not include signature_algorithms extension in this case
- disabling TLS 1.2 with wolfSSL seems to work around this since that removes the signature_algorithms extension
- what would be the best way of fixing this interop issue?
- impacted hwsim test cases:
  ap_wpa2_eap_fast_binary_pac
  ap_wpa2_eap_fast_binary_pac_errors
  ap_wpa2_eap_fast_mschapv2_unauth_prov
  ap_wpa2_eap_fast_pac_file
  ap_wpa2_eap_fast_pac_refresh
  ap_wpa2_eap_fast_pac_truncate
  ap_wpa2_eap_fast_prov
  ap_wpa2_eap_fast_server_oom
  ap_wpa2_eap_fast_text_pac_errors
  eap_proto_fast_errors
  eap_mschapv2_errors

EAP-pwd with Group 21 failing: (groups 19, 20, 25, 26 worked)
- looks like OpenSSL and wolfSSL derive different k values
  --> this is a bug in crypto_bignum_rshift() wrapper: need to use mp_rshb() instead of mp_rshd()
  --> fixing this allows ap_wpa2_eap_pwd_groups to pass against OpenSSL

tls_wolfssl.c returns "unknown" from tls_get_version() (i.e., wolfSSL_get_version()):
- fails with ./configure --enable-wpas
- passed with ./configure --enable-wpas --enable-tlsv10
  --> does not really need any implementation fixing; could consider skipping TLS 1.0 check automatically with builds that do not include support for it; kind of interesting to see "unknown" being reported, though, instead of just failing the TLS handshake if both TLS 1.1 and 1.2 are disabled in runtime configuration and the wolfSSL build did not include TLS 1.0 or 1.3
- related to hwsim test case ap_wpa2_eap_tls_versions

-- 
Jouni Malinen                                            PGP id EFC895FA
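
An added illustration of the crypto_bignum_rshift() point in the message above (not code from the message, hostap or wolfSSL): a toy bignum showing how shifting right by whole digits differs from shifting right by bits for the same count. The `toy_bn` type, its 32-bit limbs, the helper names, the sample value and the shift count of 7 (what trimming a 66-byte value down to 521 bits would need) are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NLIMBS 8                                  /* toy width: 8 x 32-bit limbs */
typedef struct { uint32_t d[NLIMBS]; } toy_bn;    /* hypothetical, little-endian limbs */

/* Digit shift: discards n whole limbs, i.e. divides by 2^(32*n). */
static void toy_rsh_digits(toy_bn *a, int n)
{
    if (n <= 0) return;
    if (n >= NLIMBS) { memset(a->d, 0, sizeof(a->d)); return; }
    memmove(a->d, a->d + n, (size_t)(NLIMBS - n) * sizeof(uint32_t));
    memset(a->d + (NLIMBS - n), 0, (size_t)n * sizeof(uint32_t));
}

/* Bit shift: divides by 2^n, carrying bits across limb boundaries. */
static void toy_rsh_bits(toy_bn *a, int n)
{
    if (n <= 0) return;
    toy_rsh_digits(a, n / 32);                    /* whole limbs first */
    n %= 32;
    if (n == 0) return;
    for (int i = 0; i < NLIMBS; i++) {
        uint32_t hi = (i + 1 < NLIMBS) ? a->d[i + 1] : 0;
        a->d[i] = (a->d[i] >> n) | (hi << (32 - n));
    }
}

/* Constructed sample: limb 7 = 0xdeadbeef, limb 0 = 0x80, rest zero. */
static toy_bn sample(void)
{
    toy_bn a = { { 0x80, 0, 0, 0, 0, 0, 0, 0xdeadbeef } };
    return a;
}

/* Wrapper contract is "shift right by n bits"; by_bits=0 models the bug. */
static toy_bn wrapper_rshift(toy_bn a, int n, int by_bits)
{
    if (by_bits) toy_rsh_bits(&a, n); else toy_rsh_digits(&a, n);
    return a;
}

int main(void)
{
    toy_bn ok = wrapper_rshift(sample(), 7, 1), bad = wrapper_rshift(sample(), 7, 0);
    printf("bits:   top=%08x low=%08x\n", (unsigned)ok.d[7], (unsigned)ok.d[0]);
    printf("digits: top=%08x low=%08x\n", (unsigned)bad.d[7], (unsigned)bad.d[0]);
    return 0;
}
```

With a shift count of 0 both variants return the input unchanged, so a caller that only shifts when the prime length is not a multiple of 8 bits would never exercise the difference for 256-, 384-, 192- or 224-bit groups.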