[21/24] wolfssl: Implement EAP-FAST

Message ID	20240404181630.2431991-21-juliusz@wolfssl.com
State	New
Headers	show Return-Path: <hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org> From: Juliusz Sosinowicz <juliusz@wolfssl.com> To: hostap@lists.infradead.org Cc: Juliusz Sosinowicz <juliusz@wolfssl.com> Subject: [PATCH 21/24] wolfssl: Implement EAP-FAST Date: Thu, 4 Apr 2024 20:16:27 +0200 Message-Id: <20240404181630.2431991-21-juliusz@wolfssl.com> In-Reply-To: <20240404181630.2431991-1-juliusz@wolfssl.com> References: <20240404181630.2431991-1-juliusz@wolfssl.com> MIME-Version: 1.0 preview: Add tls_session_ticket_ext_cb and use the new wolfSSL_set_session_ticket_ext_cb API. Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com> --- src/crypto/tls_wolfssl.c \| 59 +++++++++++++++++++++++++++++++--------- 1 file changed, 46 insertions(+), 13 deletions(-) Content analysis details: (0.0 points, 5.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at https://www.dnswl.org/, no trust [2a00:1450:4864:20:0:0:0:630 listed in] [list.dnswl.org] -0.0 SPF_PASS SPF: sender matches SPF record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid Precedence: list Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: "Hostap" <hostap-bounces@lists.infradead.org> Errors-To: hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org
Series	[01/24] wolfssl: simplify tls_get_cipher \| expand [01/24] wolfssl: simplify tls_get_cipher [02/24] wolfssl: implement suiteb ciphersuite [03/24] wolfssl: use defines for ex_data access [04/24] wolfssl: fix get_x509_cert [05/24] wolfssl: support tod policy [06/24] wolfssl: implement EAP-AKA [07/24] openssl: Use uncompressed format for ECC keys [08/24] wolfssl: Set additional sigalgs when using anon cipher [09/24] wolfssl: tune test_ap_wpa2_eap_fast_prf_oom for wolfssl [10/24] ap_wpa2_eap_tls_rsa_and_ec: use ciphersuites that wolfSSL understands [11/24] ap_wpa2_eap_fast_cipher_suites: allow wolfSSL to skip RC4 test [12/24] ap_wpa2_eap_tls_versions: run tests with wolfSSL [13/24] wolfssl: generate events when OCSP status is revoked [14/24] wolfssl: remove unnecessary WOLFSSL_X509_STORE manipulation [15/24] wolfssl: log error number on failure [16/24] wolfssl: remove unused and non-compiling code [17/24] wolfssl: add missing return in tls_init [18/24] wolfssl: implement check_cert_subject [19/24] wolfssl: Actually use ocsp_stapling_response [20/24] run_ap_wpa2_eap_tls_intermediate_ca_ocsp: fix cert configuration [21/24] wolfssl: Implement EAP-FAST [22/24] wolfSSL: simplify option setting in tls_set_conn_flags [23/24] wolfSSL: Implement openssl_ecdh_curves [24/24] wolfSSL: test_ap_wpa2_eap_fast_server_oom

Message ID

20240404181630.2431991-21-juliusz@wolfssl.com

State

New

Headers

From: Juliusz Sosinowicz <juliusz@wolfssl.com>
To: hostap@lists.infradead.org
Cc: Juliusz Sosinowicz <juliusz@wolfssl.com>
Subject: [PATCH 21/24] wolfssl: Implement EAP-FAST
Date: Thu,  4 Apr 2024 20:16:27 +0200
Message-Id: <20240404181630.2431991-21-juliusz@wolfssl.com>
In-Reply-To: <20240404181630.2431991-1-juliusz@wolfssl.com>
References: <20240404181630.2431991-1-juliusz@wolfssl.com>
MIME-Version: 1.0
Precedence: list
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: "Hostap" <hostap-bounces@lists.infradead.org>
Errors-To: hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org

Series

[01/24] wolfssl: simplify tls_get_cipher | expand

Commit Message

Juliusz Sosinowicz April 4, 2024, 6:16 p.m. UTC

Add tls_session_ticket_ext_cb and use the new wolfSSL_set_session_ticket_ext_cb API.

Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
---
 src/crypto/tls_wolfssl.c | 59 +++++++++++++++++++++++++++++++---------
 1 file changed, 46 insertions(+), 13 deletions(-)

diff --git a/src/crypto/tls_wolfssl.c b/src/crypto/tls_wolfssl.c
index b6869b7488..22f8d6eb78 100644
--- a/src/crypto/tls_wolfssl.c
+++ b/src/crypto/tls_wolfssl.c
@@ -94,7 +94,8 @@  struct tls_connection {
 #if defined(EAP_FAST) || defined(EAP_FAST_DYNAMIC) || defined(EAP_SERVER_FAST)
 	tls_session_ticket_cb session_ticket_cb;
 	void *session_ticket_cb_ctx;
-	byte session_ticket[SESSION_TICKET_LEN];
+	u8 *session_ticket;
+	size_t session_ticket_len;
 #endif
 	unsigned int ca_cert_verify:1;
 	unsigned int cert_probe:1;
@@ -513,6 +514,7 @@  void tls_connection_deinit(void *tls_ctx, struct tls_connection *conn)
 	os_free(conn->domain_match);
 	os_free(conn->peer_subject);
 	os_free(conn->check_cert_subject);
+	os_free(conn->session_ticket);
 
 	/* self */
 	os_free(conn);
@@ -2481,32 +2483,58 @@  static int tls_sess_sec_cb(WOLFSSL *s, void *secret, int *secret_len, void *arg)
 	int ret;
 	unsigned char client_random[RAN_LEN];
 	unsigned char server_random[RAN_LEN];
-	word32 ticket_len = sizeof(conn->session_ticket);
 
 	if (!conn || !conn->session_ticket_cb)
-		return 1;
+		return -1;
+
+	wpa_printf(MSG_DEBUG, "wolfSSL: %s", __func__);
 
 	if (wolfSSL_get_client_random(s, client_random,
 				      sizeof(client_random)) == 0 ||
 	    wolfSSL_get_server_random(s, server_random,
-				      sizeof(server_random)) == 0 ||
-	    wolfSSL_get_SessionTicket(s, conn->session_ticket,
-				      &ticket_len) != 1)
-		return 1;
-
-	if (ticket_len == 0)
-		return 0;
+				      sizeof(server_random)) == 0)
+		return -1;
 
 	ret = conn->session_ticket_cb(conn->session_ticket_cb_ctx,
-				      conn->session_ticket, ticket_len,
+				      conn->session_ticket, conn->session_ticket_len,
 				      client_random, server_random, secret);
+
+	wpa_printf(MSG_DEBUG, "wolfSSL: %s conn->session_ticket_cb: %d", __func__, ret);
+
+	os_free(conn->session_ticket);
+	conn->session_ticket = NULL;
+
 	if (ret <= 0)
-		return 1;
+		return -1;
 
 	*secret_len = SECRET_LEN;
 	return 0;
 }
 
+static int tls_session_ticket_ext_cb(SSL *s, const unsigned char *data,
+				     int len, void *arg)
+{
+	struct tls_connection *conn = arg;
+
+	if (conn == NULL || conn->session_ticket_cb == NULL)
+		return 0;
+
+	wpa_printf(MSG_DEBUG, "wolfSSL: %s: length=%d", __func__, len);
+
+	os_free(conn->session_ticket);
+	conn->session_ticket = NULL;
+
+	wpa_hexdump(MSG_DEBUG, "wolfSSL: ClientHello SessionTicket "
+		    "extension", data, len);
+
+	conn->session_ticket = os_memdup(data, len);
+	if (conn->session_ticket == NULL)
+		return 0;
+
+	conn->session_ticket_len = len;
+
+	return 1;
+}
 #endif /* EAP_FAST || EAP_FAST_DYNAMIC || EAP_SERVER_FAST */
 
 
@@ -2521,11 +2549,16 @@  int tls_connection_set_session_ticket_cb(void *tls_ctx,
 
 	if (cb) {
 		if (wolfSSL_set_session_secret_cb(conn->ssl, tls_sess_sec_cb,
-						  conn) != 1)
+				conn) != 1)
+			return -1;
+		if (wolfSSL_set_session_ticket_ext_cb(conn->ssl,
+				tls_session_ticket_ext_cb, conn) != 1)
 			return -1;
 	} else {
 		if (wolfSSL_set_session_secret_cb(conn->ssl, NULL, NULL) != 1)
 			return -1;
+		if (wolfSSL_set_session_ticket_ext_cb(conn->ssl, NULL, NULL) != 1)
+			return -1;
 	}
 
 	return 0;

[21/24] wolfssl: Implement EAP-FAST

Commit Message

Patch