From patchwork Mon Apr 25 14:18:49 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Juliusz Sosinowicz X-Patchwork-Id: 1621996 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: bilbo.ozlabs.org; dkim=pass (2048-bit key; secure) header.d=lists.infradead.org header.i=@lists.infradead.org header.a=rsa-sha256 header.s=bombadil.20210309 header.b=KDYMLqQ/; dkim-atps=neutral Authentication-Results: ozlabs.org; spf=none (no SPF record) smtp.mailfrom=lists.infradead.org (client-ip=2607:7c80:54:e::133; helo=bombadil.infradead.org; envelope-from=hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org; receiver=) Received: from bombadil.infradead.org (bombadil.infradead.org [IPv6:2607:7c80:54:e::133]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by bilbo.ozlabs.org (Postfix) with ESMTPS id 4Kn6gj2c13z9s0B for ; Tue, 26 Apr 2022 00:23:29 +1000 (AEST) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender: Content-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:MIME-Version:Message-Id:Date:Subject:Cc :To:From:Reply-To:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References: List-Owner; bh=ERyYOCg9GaPlGV5LnBPwi+wwSmhvru0lgt+sME4hYgQ=; b=KDYMLqQ/hEsnO2 Z3f6wVNKHQcsq1PKvry4pXPjbrgiBZGMRx3bhSS3VdPLKRaAKWgPjI4zUFsW8Li2HHDU9Ow0imUGf KvscEC0ht6gnzamjJgq9tgA7xyQzAeenQnCMovtkFNm4KSO3+POMWIsK8Bypf87eLUlCkhVHlcwkN iS+UZOzc+F22KGVxv1n7WgOJWMy2v35ayFQnW3Z51BXxQHMPMK3ecHK+0a/HbDszL8DQhfoStRBx8 dPwwCWBiDgL3Ili1JTW68oQTCJJklaf08MUHnIAT5m6MsXNESXc4iZCcMjWZVSKB5lpKLoo/07Q4A nKY5uxmYiVoUhUmmbMcQ==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.94.2 #2 (Red Hat Linux)) id 1nizbj-009uaM-Q4; Mon, 25 Apr 2022 14:22:32 +0000 Received: from p3plsmtpa12-01.prod.phx3.secureserver.net ([68.178.252.230]) by bombadil.infradead.org with esmtps (Exim 4.94.2 #2 (Red Hat Linux)) id 1nizbg-009uXx-20 for hostap@lists.infradead.org; Mon, 25 Apr 2022 14:22:30 +0000 Received: from localhost.localdomain ([188.212.135.202]) by :SMTPAUTH: with ESMTPSA id izbbnqZLVF34QizbcnTJzo; Mon, 25 Apr 2022 07:22:25 -0700 X-CMAE-Analysis: v=2.4 cv=aKU1FZxm c=1 sm=1 tr=0 ts=6266aea1 a=J8IhgmmtOvetfMqpEEuyKg==:117 a=J8IhgmmtOvetfMqpEEuyKg==:17 a=NEAV23lmAAAA:8 a=VTTltBjBAAAA:8 a=PWXvBfhZc9AHSXmkz9oA:9 a=on_vo79ac8RWgsiwd8Ea:22 X-SECURESERVER-ACCT: juliusz@wolfssl.com From: Juliusz Sosinowicz To: hostap@lists.infradead.org Cc: Juliusz Sosinowicz Subject: [PATCH] Fix TLS 1.3 and OCSP stapling with wolfSSL Date: Mon, 25 Apr 2022 16:18:49 +0200 Message-Id: <20220425141848.80044-1-juliusz@wolfssl.com> X-Mailer: git-send-email 2.25.1 MIME-Version: 1.0 X-CMAE-Envelope: MS4xfKIBmihwu5mDOn+XU0xtWJjV7LF1fFWF6n2m62x76cJZlUB9e9gIo8kHgepqYZCa2+ufQ5u7aYsX41t+jtDFE6Z0khcZkxYrTa4x01kkkIkfi9RFXKg1 5Vy6fQ7WUDjPJwwJfYI4jM6hxmX1j2FItVNHV8mnkb2kQiOVx6tboZEX/md5uspQI+Ar4+soyCC0P5EOZdNtPY1sXQtsP4K/FMOrLaF1Jg7+gTXwEhbrN7Il MJvEcOSjmWSZhD1ioittwg== X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20220425_072228_154380_97AA04E3 X-CRM114-Status: GOOD ( 12.95 ) X-Spam-Score: 0.0 (/) X-Spam-Report: Spam detection software, running on the system "bombadil.infradead.org", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: Uses the changes to wolfSSL found in https://github.com/wolfSSL/wolfssl/pull/5078 Signed-off-by: Juliusz Sosinowicz --- src/crypto/tls_wolfssl.c | 18 +++++++++++++----- tests/hwsim/test_ap_eap.py | 6 +++--- tests/hwsim/test_suite_b.py | 2 ++ 3 files changed, 1 [...] Content analysis details: (0.0 points, 5.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at https://www.dnswl.org/, no trust [68.178.252.230 listed in list.dnswl.org] -0.0 SPF_PASS SPF: sender matches SPF record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record X-BeenThere: hostap@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: "Hostap" Errors-To: hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org Uses the changes to wolfSSL found in https://github.com/wolfSSL/wolfssl/pull/5078 Signed-off-by: Juliusz Sosinowicz --- src/crypto/tls_wolfssl.c | 18 +++++++++++++----- tests/hwsim/test_ap_eap.py | 6 +++--- tests/hwsim/test_suite_b.py | 2 ++ 3 files changed, 18 insertions(+), 8 deletions(-) diff --git a/src/crypto/tls_wolfssl.c b/src/crypto/tls_wolfssl.c index fe6a28162c..31f0bd8f3c 100644 --- a/src/crypto/tls_wolfssl.c +++ b/src/crypto/tls_wolfssl.c @@ -554,11 +554,13 @@ int tls_connection_shutdown(void *tls_ctx, struct tls_connection *conn) wolfSSL_set_quiet_shutdown(conn->ssl, 1); wolfSSL_shutdown(conn->ssl); - session = wolfSSL_get_session(conn->ssl); - if (wolfSSL_clear(conn->ssl) != 1) + session = wolfSSL_get1_session(conn->ssl); + if (wolfSSL_clear(conn->ssl) != 1) { + wolfSSL_SESSION_free(session); return -1; + } wolfSSL_set_session(conn->ssl, session); - + wolfSSL_SESSION_free(session); return 0; } @@ -1495,6 +1497,8 @@ static void tls_set_conn_flags(WOLFSSL *ssl, unsigned int flags) wolfSSL_set_options(ssl, SSL_OP_NO_TLSv1_1); if (flags & TLS_CONN_DISABLE_TLSv1_2) wolfSSL_set_options(ssl, SSL_OP_NO_TLSv1_2); + if (flags & TLS_CONN_DISABLE_TLSv1_3) + wolfSSL_set_options(ssl, SSL_OP_NO_TLSv1_3); } #ifdef ANDROID @@ -1921,7 +1925,9 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn, WOLFSSL_CSR_OCSP_USE_NONCE) != SSL_SUCCESS) return -1; - wolfSSL_CTX_EnableOCSP(tls_ctx, 0); + if (wolfSSL_EnableOCSPStapling(conn->ssl) != + SSL_SUCCESS) + return -1; } #endif /* HAVE_CERTIFICATE_STATUS_REQUEST */ #ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2 @@ -1930,7 +1936,9 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn, WOLFSSL_CSR2_OCSP_MULTI, 0) != SSL_SUCCESS) return -1; - wolfSSL_CTX_EnableOCSP(tls_ctx, 0); + if (wolfSSL_EnableOCSPStapling(conn->ssl) != + SSL_SUCCESS) + return -1; } #endif /* HAVE_CERTIFICATE_STATUS_REQUEST_V2 */ #if !defined(HAVE_CERTIFICATE_STATUS_REQUEST) && \ diff --git a/tests/hwsim/test_ap_eap.py b/tests/hwsim/test_ap_eap.py index 757cb5399b..55519c28e8 100644 --- a/tests/hwsim/test_ap_eap.py +++ b/tests/hwsim/test_ap_eap.py @@ -89,8 +89,8 @@ def check_ocsp_support(dev): # raise HwsimSkip("OCSP not supported with this TLS library: " + tls) #if "BoringSSL" in tls: # raise HwsimSkip("OCSP not supported with this TLS library: " + tls) - if tls.startswith("wolfSSL"): - raise HwsimSkip("OCSP not supported with this TLS library: " + tls) + #if tls.startswith("wolfSSL"): + # raise HwsimSkip("OCSP not supported with this TLS library: " + tls) def check_pkcs5_v15_support(dev): tls = dev.request("GET tls_library") @@ -99,7 +99,7 @@ def check_pkcs5_v15_support(dev): def check_tls13_support(dev): tls = dev.request("GET tls_library") - if "run=OpenSSL 1.1.1" not in tls and "run=OpenSSL 3.0" not in tls: + if "run=OpenSSL 1.1.1" not in tls and "run=OpenSSL 3.0" not in tls and "wolfSSL" not in tls: raise HwsimSkip("TLS v1.3 not supported") def check_ocsp_multi_support(dev): diff --git a/tests/hwsim/test_suite_b.py b/tests/hwsim/test_suite_b.py index 2b3c30fc19..f3b6be50cd 100644 --- a/tests/hwsim/test_suite_b.py +++ b/tests/hwsim/test_suite_b.py @@ -24,6 +24,8 @@ def check_suite_b_tls_lib(dev, dhe=False, level128=False): tls = dev[0].request("GET tls_library") if tls.startswith("GnuTLS"): return + if tls.startswith("wolfSSL"): + return if not tls.startswith("OpenSSL"): raise HwsimSkip("TLS library not supported for Suite B: " + tls) supported = False