From patchwork Mon Apr 25 14:09:13 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Juliusz Sosinowicz <juliusz@wolfssl.com>
X-Patchwork-Id: 1621969
Return-Path: 
 <hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Authentication-Results: bilbo.ozlabs.org;
	dkim=pass (2048-bit key;
 secure) header.d=lists.infradead.org header.i=@lists.infradead.org
 header.a=rsa-sha256 header.s=bombadil.20210309 header.b=fKqyxUfh;
	dkim-atps=neutral
Authentication-Results: ozlabs.org;
 spf=none (no SPF record) smtp.mailfrom=lists.infradead.org
 (client-ip=2607:7c80:54:e::133; helo=bombadil.infradead.org;
 envelope-from=hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org;
 receiver=<UNKNOWN>)
Received: from bombadil.infradead.org (bombadil.infradead.org
 [IPv6:2607:7c80:54:e::133])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest
 SHA256)
	(No client certificate requested)
	by bilbo.ozlabs.org (Postfix) with ESMTPS id 4Kn6Pg4hP8z9s0B
	for <incoming@patchwork.ozlabs.org>; Tue, 26 Apr 2022 00:11:19 +1000 (AEST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
	d=lists.infradead.org; s=bombadil.20210309; h=Sender:
	Content-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post:
	List-Archive:List-Unsubscribe:List-Id:MIME-Version:Message-Id:Date:Subject:Cc
	:To:From:Reply-To:Content-ID:Content-Description:Resent-Date:Resent-From:
	Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:
	List-Owner; bh=puA89YBnlGPoqz90zDsRg6l73b1LFLZxJP/6rR+9ng0=; b=fKqyxUfhLESm7H
	6j/1Uo6h59jq74wntzF2L8Q1dRI/ab/8obEr10dsUuhPc0rZfrJW9JK5CPZNJvNh+YfLRhx5wwjM+
	LLrf8TFtB/Cca708NhCPrvEI0eMQ+ln8NyiikYHLEewv8o7TIW6lW/SA4Dq8wzQoicmxeoaZRIyYh
	ZTqqg1nMkk7JLaXZmsFLzaWrcL2LO9q9kYmQGB5Lr+5aTo55VwUHj6jQygRBV9GJ/rbKApCuLNewl
	t7NfM8zbKdst8ZkXPKvH2QkdtJMYj65FqzDJCschVRYnLBM2O2O/pRZSNpXVyJAcd0/sXe+q4Wxhp
	HmBlkfX0UPWXcMrpmTjQ==;
Received: from localhost ([::1] helo=bombadil.infradead.org)
	by bombadil.infradead.org with esmtp (Exim 4.94.2 #2 (Red Hat Linux))
	id 1nizPe-009qkf-Qy; Mon, 25 Apr 2022 14:10:02 +0000
Received: from p3plsmtpa06-05.prod.phx3.secureserver.net ([173.201.192.106])
 by bombadil.infradead.org with esmtps (Exim 4.94.2 #2 (Red Hat Linux))
 id 1nizPa-009qio-Cs
 for hostap@lists.infradead.org; Mon, 25 Apr 2022 14:10:00 +0000
Received: from localhost.localdomain ([188.212.135.202])
 by :SMTPAUTH: with ESMTPSA
 id izP1nYJpTjeoLizPTnpek2; Mon, 25 Apr 2022 07:09:52 -0700
X-CMAE-Analysis: v=2.4 cv=Ydx4Wydf c=1 sm=1 tr=0 ts=6266abb0
 a=J8IhgmmtOvetfMqpEEuyKg==:117 a=J8IhgmmtOvetfMqpEEuyKg==:17
 a=PWXvBfhZc9AHSXmkz9oA:9
X-SECURESERVER-ACCT: juliusz@wolfssl.com
From: Juliusz Sosinowicz <juliusz@wolfssl.com>
To: hostap@lists.infradead.org
Cc: Juliusz Sosinowicz <juliusz@wolfssl.com>
Subject: [PATCH] Fix TLS 1.3 and OCSP stapling with wolfSSL
Date: Mon, 25 Apr 2022 16:09:13 +0200
Message-Id: <20220425140913.78402-1-juliusz@wolfssl.com>
X-Mailer: git-send-email 2.25.1
MIME-Version: 1.0
X-CMAE-Envelope: 
 MS4xfPVqD5r5JsgVGOVsp2G+nNX4CIClv6r0N7Fnbe8J0Xi0L4FdjnZoIXM9+5wV57zACj+JMAavdxuLI3FZFpiMv6OAG/rBUPz/qZufRr18nSNM1HaQykUn
 s8sKGWabignzUBfpBeN40FF5ZcnLmtZbXgok6AOcutLy2k3z8kE2rguVlsbZEjZfEo6D1jubP8USGCHfvtQatiE2xKXy6tehn+rpY9tl39/S6Vix75IyfLy+
 O23SYX8crL5xZZk2cZm2Qw==
X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 
X-CRM114-CacheID: sfid-20220425_070958_488247_A6CB65FC 
X-CRM114-Status: GOOD (  12.16  )
X-Spam-Score: 0.0 (/)
X-Spam-Report: Spam detection software,
 running on the system "bombadil.infradead.org",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 the administrator of that system for details.
 Content preview: --- src/crypto/tls_wolfssl.c | 18 +++++++++++++-----
 tests/hwsim/test_ap_eap.py
 | 6 +++--- tests/hwsim/test_suite_b.py | 2 ++ 3 files changed,
 18 insertions(+),
 8 deletions(-) diff --git a/src/crypto/tls_wolfssl.c
 b/src/crypto/tls_wolfssl.c
 index fe6a28162c..31f0bd8f3c 100644 --- a/src/crypto/tls_wolfssl.c +++
 b/src/crypto/tls_wolfssl.c
 @@ -554,11 +554,13 @@ int tls_connect [...]
 Content analysis details:   (0.0 points, 5.0 required)
 pts rule name              description
 ---- ----------------------
 --------------------------------------------------
 -0.0 RCVD_IN_DNSWL_NONE     RBL: Sender listed at https://www.dnswl.org/,
 no trust [173.201.192.106 listed in list.dnswl.org]
 -0.0 SPF_PASS               SPF: sender matches SPF record
 0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record
 0.0 RCVD_IN_MSPIKE_H3      RBL: Good reputation (+3)
 [173.201.192.106 listed in wl.mailspike.net]
 0.0 RCVD_IN_MSPIKE_WL      Mailspike good senders
X-BeenThere: hostap@lists.infradead.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: <hostap.lists.infradead.org>
List-Unsubscribe: <http://lists.infradead.org/mailman/options/hostap>,
 <mailto:hostap-request@lists.infradead.org?subject=unsubscribe>
List-Archive: <http://lists.infradead.org/pipermail/hostap/>
List-Post: <mailto:hostap@lists.infradead.org>
List-Help: <mailto:hostap-request@lists.infradead.org?subject=help>
List-Subscribe: <http://lists.infradead.org/mailman/listinfo/hostap>,
 <mailto:hostap-request@lists.infradead.org?subject=subscribe>
Sender: "Hostap" <hostap-bounces@lists.infradead.org>
Errors-To: hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org

---
 src/crypto/tls_wolfssl.c    | 18 +++++++++++++-----
 tests/hwsim/test_ap_eap.py  |  6 +++---
 tests/hwsim/test_suite_b.py |  2 ++
 3 files changed, 18 insertions(+), 8 deletions(-)

diff --git a/src/crypto/tls_wolfssl.c b/src/crypto/tls_wolfssl.c
index fe6a28162c..31f0bd8f3c 100644
--- a/src/crypto/tls_wolfssl.c
+++ b/src/crypto/tls_wolfssl.c
@@ -554,11 +554,13 @@ int tls_connection_shutdown(void *tls_ctx, struct tls_connection *conn)
 	wolfSSL_set_quiet_shutdown(conn->ssl, 1);
 	wolfSSL_shutdown(conn->ssl);
 
-	session = wolfSSL_get_session(conn->ssl);
-	if (wolfSSL_clear(conn->ssl) != 1)
+	session = wolfSSL_get1_session(conn->ssl);
+	if (wolfSSL_clear(conn->ssl) != 1) {
+		wolfSSL_SESSION_free(session);
 		return -1;
+	}
 	wolfSSL_set_session(conn->ssl, session);
-
+	wolfSSL_SESSION_free(session);
 	return 0;
 }
 
@@ -1495,6 +1497,8 @@ static void tls_set_conn_flags(WOLFSSL *ssl, unsigned int flags)
 		wolfSSL_set_options(ssl, SSL_OP_NO_TLSv1_1);
 	if (flags & TLS_CONN_DISABLE_TLSv1_2)
 		wolfSSL_set_options(ssl, SSL_OP_NO_TLSv1_2);
+	if (flags & TLS_CONN_DISABLE_TLSv1_3)
+		wolfSSL_set_options(ssl, SSL_OP_NO_TLSv1_3);
 }
 
 #ifdef ANDROID
@@ -1921,7 +1925,9 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
 					    WOLFSSL_CSR_OCSP_USE_NONCE) !=
 		    SSL_SUCCESS)
 			return -1;
-		wolfSSL_CTX_EnableOCSP(tls_ctx, 0);
+		if (wolfSSL_EnableOCSPStapling(conn->ssl) !=
+		    SSL_SUCCESS)
+			return -1;
 	}
 #endif /* HAVE_CERTIFICATE_STATUS_REQUEST */
 #ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2
@@ -1930,7 +1936,9 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
 					      WOLFSSL_CSR2_OCSP_MULTI, 0) !=
 		    SSL_SUCCESS)
 			return -1;
-		wolfSSL_CTX_EnableOCSP(tls_ctx, 0);
+		if (wolfSSL_EnableOCSPStapling(conn->ssl) !=
+		    SSL_SUCCESS)
+			return -1;
 	}
 #endif /* HAVE_CERTIFICATE_STATUS_REQUEST_V2 */
 #if !defined(HAVE_CERTIFICATE_STATUS_REQUEST) && \
diff --git a/tests/hwsim/test_ap_eap.py b/tests/hwsim/test_ap_eap.py
index 757cb5399b..55519c28e8 100644
--- a/tests/hwsim/test_ap_eap.py
+++ b/tests/hwsim/test_ap_eap.py
@@ -89,8 +89,8 @@ def check_ocsp_support(dev):
     #    raise HwsimSkip("OCSP not supported with this TLS library: " + tls)
     #if "BoringSSL" in tls:
     #    raise HwsimSkip("OCSP not supported with this TLS library: " + tls)
-    if tls.startswith("wolfSSL"):
-        raise HwsimSkip("OCSP not supported with this TLS library: " + tls)
+    #if tls.startswith("wolfSSL"):
+    #    raise HwsimSkip("OCSP not supported with this TLS library: " + tls)
 
 def check_pkcs5_v15_support(dev):
     tls = dev.request("GET tls_library")
@@ -99,7 +99,7 @@ def check_pkcs5_v15_support(dev):
 
 def check_tls13_support(dev):
     tls = dev.request("GET tls_library")
-    if "run=OpenSSL 1.1.1" not in tls and "run=OpenSSL 3.0" not in tls:
+    if "run=OpenSSL 1.1.1" not in tls and "run=OpenSSL 3.0" not in tls and "wolfSSL" not in tls:
         raise HwsimSkip("TLS v1.3 not supported")
 
 def check_ocsp_multi_support(dev):
diff --git a/tests/hwsim/test_suite_b.py b/tests/hwsim/test_suite_b.py
index 2b3c30fc19..f3b6be50cd 100644
--- a/tests/hwsim/test_suite_b.py
+++ b/tests/hwsim/test_suite_b.py
@@ -24,6 +24,8 @@ def check_suite_b_tls_lib(dev, dhe=False, level128=False):
     tls = dev[0].request("GET tls_library")
     if tls.startswith("GnuTLS"):
         return
+    if tls.startswith("wolfSSL"):
+        return
     if not tls.startswith("OpenSSL"):
         raise HwsimSkip("TLS library not supported for Suite B: " + tls)
     supported = False