[21/24] wolfssl: Implement EAP-FAST

Message ID	20240404181630.2431991-21-juliusz@wolfssl.com
State	Changes Requested
Headers	show Return-Path: <hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org> From: Juliusz Sosinowicz <juliusz@wolfssl.com> To: hostap@lists.infradead.org Cc: Juliusz Sosinowicz <juliusz@wolfssl.com> Subject: [PATCH 21/24] wolfssl: Implement EAP-FAST Date: Thu, 4 Apr 2024 20:16:27 +0200 Message-Id: <20240404181630.2431991-21-juliusz@wolfssl.com> In-Reply-To: <20240404181630.2431991-1-juliusz@wolfssl.com> References: <20240404181630.2431991-1-juliusz@wolfssl.com> MIME-Version: 1.0 preview: Add tls_session_ticket_ext_cb and use the new wolfSSL_set_session_ticket_ext_cb API. Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com> --- src/crypto/tls_wolfssl.c \| 59 +++++++++++++++++++++++++++++++--------- 1 file changed, 46 insertions(+), 13 deletions(-) Content analysis details: (0.0 points, 5.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at https://www.dnswl.org/, no trust [2a00:1450:4864:20:0:0:0:630 listed in] [list.dnswl.org] -0.0 SPF_PASS SPF: sender matches SPF record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid Precedence: list Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: "Hostap" <hostap-bounces@lists.infradead.org> Errors-To: hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org
Series	[01/24] wolfssl: simplify tls_get_cipher \| expand [01/24] wolfssl: simplify tls_get_cipher [02/24] wolfssl: implement suiteb ciphersuite [03/24] wolfssl: use defines for ex_data access [04/24] wolfssl: fix get_x509_cert [05/24] wolfssl: support tod policy [06/24] wolfssl: implement EAP-AKA [07/24] openssl: Use uncompressed format for ECC keys [08/24] wolfssl: Set additional sigalgs when using anon cipher [09/24] wolfssl: tune test_ap_wpa2_eap_fast_prf_oom for wolfssl [10/24] ap_wpa2_eap_tls_rsa_and_ec: use ciphersuites that wolfSSL understands [11/24] ap_wpa2_eap_fast_cipher_suites: allow wolfSSL to skip RC4 test [12/24] ap_wpa2_eap_tls_versions: run tests with wolfSSL [13/24] wolfssl: generate events when OCSP status is revoked [14/24] wolfssl: remove unnecessary WOLFSSL_X509_STORE manipulation [15/24] wolfssl: log error number on failure [16/24] wolfssl: remove unused and non-compiling code [17/24] wolfssl: add missing return in tls_init [18/24] wolfssl: implement check_cert_subject [19/24] wolfssl: Actually use ocsp_stapling_response [20/24] run_ap_wpa2_eap_tls_intermediate_ca_ocsp: fix cert configuration [21/24] wolfssl: Implement EAP-FAST [22/24] wolfSSL: simplify option setting in tls_set_conn_flags [23/24] wolfSSL: Implement openssl_ecdh_curves [24/24] wolfSSL: test_ap_wpa2_eap_fast_server_oom

Message ID

20240404181630.2431991-21-juliusz@wolfssl.com

State

Changes Requested

Headers

From: Juliusz Sosinowicz <juliusz@wolfssl.com>
To: hostap@lists.infradead.org
Cc: Juliusz Sosinowicz <juliusz@wolfssl.com>
Subject: [PATCH 21/24] wolfssl: Implement EAP-FAST
Date: Thu,  4 Apr 2024 20:16:27 +0200
Message-Id: <20240404181630.2431991-21-juliusz@wolfssl.com>
In-Reply-To: <20240404181630.2431991-1-juliusz@wolfssl.com>
References: <20240404181630.2431991-1-juliusz@wolfssl.com>
MIME-Version: 1.0
Precedence: list
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: "Hostap" <hostap-bounces@lists.infradead.org>
Errors-To: hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org

Series

[01/24] wolfssl: simplify tls_get_cipher | expand

Commit Message

Juliusz Sosinowicz April 4, 2024, 6:16 p.m. UTC

Add tls_session_ticket_ext_cb and use the new wolfSSL_set_session_ticket_ext_cb API.

Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
---
 src/crypto/tls_wolfssl.c | 59 +++++++++++++++++++++++++++++++---------
 1 file changed, 46 insertions(+), 13 deletions(-)

Comments

Jouni Malinen Feb. 2, 2025, 6:47 p.m. UTC | #1

On Thu, Apr 04, 2024 at 08:16:27PM +0200, Juliusz Sosinowicz wrote:
> Add tls_session_ticket_ext_cb and use the new wolfSSL_set_session_ticket_ext_cb API.

That function is so new that it did not exist in any release and does
not exist in anything I'm currently testing with.. In other words, this
would break existing builds. Would it be possible to use #ifdef/#endif
to avoid such compilation failures in case older wolfSSL version is
used?

diff --git a/src/crypto/tls_wolfssl.c b/src/crypto/tls_wolfssl.c
index b6869b7488..22f8d6eb78 100644
--- a/src/crypto/tls_wolfssl.c
+++ b/src/crypto/tls_wolfssl.c
@@ -94,7 +94,8 @@  struct tls_connection {
 #if defined(EAP_FAST) || defined(EAP_FAST_DYNAMIC) || defined(EAP_SERVER_FAST)
 	tls_session_ticket_cb session_ticket_cb;
 	void *session_ticket_cb_ctx;
-	byte session_ticket[SESSION_TICKET_LEN];
+	u8 *session_ticket;
+	size_t session_ticket_len;
 #endif
 	unsigned int ca_cert_verify:1;
 	unsigned int cert_probe:1;
@@ -513,6 +514,7 @@  void tls_connection_deinit(void *tls_ctx, struct tls_connection *conn)
 	os_free(conn->domain_match);
 	os_free(conn->peer_subject);
 	os_free(conn->check_cert_subject);
+	os_free(conn->session_ticket);
 
 	/* self */
 	os_free(conn);
@@ -2481,32 +2483,58 @@  static int tls_sess_sec_cb(WOLFSSL *s, void *secret, int *secret_len, void *arg)
 	int ret;
 	unsigned char client_random[RAN_LEN];
 	unsigned char server_random[RAN_LEN];
-	word32 ticket_len = sizeof(conn->session_ticket);
 
 	if (!conn || !conn->session_ticket_cb)
-		return 1;
+		return -1;
+
+	wpa_printf(MSG_DEBUG, "wolfSSL: %s", __func__);
 
 	if (wolfSSL_get_client_random(s, client_random,
 				      sizeof(client_random)) == 0 ||
 	    wolfSSL_get_server_random(s, server_random,
-				      sizeof(server_random)) == 0 ||
-	    wolfSSL_get_SessionTicket(s, conn->session_ticket,
-				      &ticket_len) != 1)
-		return 1;
-
-	if (ticket_len == 0)
-		return 0;
+				      sizeof(server_random)) == 0)
+		return -1;
 
 	ret = conn->session_ticket_cb(conn->session_ticket_cb_ctx,
-				      conn->session_ticket, ticket_len,
+				      conn->session_ticket, conn->session_ticket_len,
 				      client_random, server_random, secret);
+
+	wpa_printf(MSG_DEBUG, "wolfSSL: %s conn->session_ticket_cb: %d", __func__, ret);
+
+	os_free(conn->session_ticket);
+	conn->session_ticket = NULL;
+
 	if (ret <= 0)
-		return 1;
+		return -1;
 
 	*secret_len = SECRET_LEN;
 	return 0;
 }
 
+static int tls_session_ticket_ext_cb(SSL *s, const unsigned char *data,
+				     int len, void *arg)
+{
+	struct tls_connection *conn = arg;
+
+	if (conn == NULL || conn->session_ticket_cb == NULL)
+		return 0;
+
+	wpa_printf(MSG_DEBUG, "wolfSSL: %s: length=%d", __func__, len);
+
+	os_free(conn->session_ticket);
+	conn->session_ticket = NULL;
+
+	wpa_hexdump(MSG_DEBUG, "wolfSSL: ClientHello SessionTicket "
+		    "extension", data, len);
+
+	conn->session_ticket = os_memdup(data, len);
+	if (conn->session_ticket == NULL)
+		return 0;
+
+	conn->session_ticket_len = len;
+
+	return 1;
+}
 #endif /* EAP_FAST || EAP_FAST_DYNAMIC || EAP_SERVER_FAST */
 
 
@@ -2521,11 +2549,16 @@  int tls_connection_set_session_ticket_cb(void *tls_ctx,
 
 	if (cb) {
 		if (wolfSSL_set_session_secret_cb(conn->ssl, tls_sess_sec_cb,
-						  conn) != 1)
+				conn) != 1)
+			return -1;
+		if (wolfSSL_set_session_ticket_ext_cb(conn->ssl,
+				tls_session_ticket_ext_cb, conn) != 1)
 			return -1;
 	} else {
 		if (wolfSSL_set_session_secret_cb(conn->ssl, NULL, NULL) != 1)
 			return -1;
+		if (wolfSSL_set_session_ticket_ext_cb(conn->ssl, NULL, NULL) != 1)
+			return -1;
 	}
 
 	return 0;

[21/24] wolfssl: Implement EAP-FAST

Commit Message

Comments

Patch