From 06798ab8bfd8bfbca6987b9179d107bd6f7f4eec Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Tue, 2 Apr 2024 15:18:50 +0200 Subject: [PATCH 01/10] EAP-FAST Implement PACs for EAP-FAST - wolfSSL_set_session_ticket_ext_cb - server side wolfSSL_set_session_secret_cb (tls <=1.2 only) --- src/internal.c | 62 +++++++++++++++++++++++++++++++++++++++++++++ src/ssl.c | 15 ++++++++++- wolfcrypt/src/kdf.c | 16 ++++++++++++ wolfssl/internal.h | 2 ++ wolfssl/ssl.h | 8 ++++-- 5 files changed, 100 insertions(+), 3 deletions(-) diff --git a/src/internal.c b/src/internal.c index 02e34dbc23..b71ea8563c 100644 --- a/src/internal.c +++ b/src/internal.c @@ -35942,6 +35942,47 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, { int ret = 0; WOLFSSL_SESSION* session; + +#ifdef HAVE_SECRET_CALLBACK + if (ssl->sessionSecretCb != NULL +#ifdef HAVE_SESSION_TICKET + && ssl->session->ticketLen > 0 +#endif + ) { + int secretSz = SECRET_LEN; + WOLFSSL_MSG("Calling session secret callback"); + ret = wc_RNG_GenerateBlock(ssl->rng, ssl->arrays->serverRandom, + RAN_LEN); + if (ret == 0) { + ret = ssl->sessionSecretCb(ssl, ssl->arrays->masterSecret, + &secretSz, ssl->sessionSecretCtx); + if (secretSz != SECRET_LEN) + ret = SESSION_SECRET_CB_E; + } + if (ret == 0) + ret = MatchSuite(ssl, clSuites); + if (ret == 0) { + #ifdef NO_OLD_TLS + ret = DeriveTlsKeys(ssl); + #else + #ifndef NO_TLS + if (ssl->options.tls) + ret = DeriveTlsKeys(ssl); + #endif + if (!ssl->options.tls) + ret = DeriveKeys(ssl); + #endif + /* SERVER: peer auth based on session secret. */ + ssl->options.peerAuthGood = (ret == 0); + ssl->options.clientState = CLIENT_KEYEXCHANGE_COMPLETE; + } + if (ret != 0) + WOLFSSL_ERROR_VERBOSE(ret); + WOLFSSL_LEAVE("HandleTlsResumption", ret); + return ret; + } +#endif /* HAVE_SECRET_CALLBACK */ + #ifdef HAVE_SESSION_TICKET if (ssl->options.useTicket == 1) { session = ssl->session; @@ -36601,6 +36642,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, ssl->options.haveSessionId = 1; /* ProcessOld uses same resume code */ + WOLFSSL_MSG_EX("ssl->options.resuming %d", ssl->options.resuming); if (ssl->options.resuming) { ret = HandleTlsResumption(ssl, clSuites); if (ret != 0) @@ -37982,6 +38024,22 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, WOLFSSL_START(WC_FUNC_TICKET_DO); WOLFSSL_ENTER("DoClientTicket"); +#ifdef HAVE_SECRET_CALLBACK + if (ssl->ticketParseCb != NULL) { + decryptRet = WOLFSSL_TICKET_RET_OK; + if (!ssl->ticketParseCb(ssl, input, len, ssl->ticketParseCtx)) { + /* Failure kills the connection */ + decryptRet = WOLFSSL_TICKET_RET_FATAL; + } + else { + if (wolfSSL_set_SessionTicket(ssl, input, len) != + WOLFSSL_SUCCESS) + decryptRet = WOLFSSL_TICKET_RET_REJECT; + } + goto cleanup; + } + else +#endif #ifdef WOLFSSL_TLS13 if (len == ID_LEN && IsAtLeastTLSv1_3(ssl->version)) { /* This is a stateful ticket. We can be sure about this because @@ -37996,7 +38054,11 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, } else #endif + if (len >= sizeof(*it)) decryptRet = DoDecryptTicket(ssl, input, len, &it); + else + WOLFSSL_MSG("Ticket is smaller than InternalTicket. Rejecting."); + if (decryptRet != WOLFSSL_TICKET_RET_OK && decryptRet != WOLFSSL_TICKET_RET_CREATE) { diff --git a/src/ssl.c b/src/ssl.c index c2b4f82058..c36422d524 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -8191,7 +8191,7 @@ int wolfSSL_set_session_secret_cb(WOLFSSL* ssl, SessionSecretCb cb, void* ctx) { WOLFSSL_ENTER("wolfSSL_set_session_secret_cb"); if (ssl == NULL) - return WOLFSSL_FATAL_ERROR; + return WOLFSSL_FAILURE; ssl->sessionSecretCb = cb; ssl->sessionSecretCtx = ctx; @@ -8204,6 +8204,19 @@ int wolfSSL_set_session_secret_cb(WOLFSSL* ssl, SessionSecretCb cb, void* ctx) return WOLFSSL_SUCCESS; } +int wolfSSL_set_session_ticket_ext_cb(WOLFSSL* ssl, TicketParseCb cb, + void *ctx) +{ + WOLFSSL_ENTER("wolfSSL_set_session_ticket_ext_cb"); + if (ssl == NULL) + return WOLFSSL_FAILURE; + + ssl->ticketParseCb = cb; + ssl->ticketParseCtx = ctx; + + return WOLFSSL_SUCCESS; +} + int wolfSSL_set_secret_cb(WOLFSSL* ssl, TlsSecretCb cb, void* ctx) { WOLFSSL_ENTER("wolfSSL_set_secret_cb"); diff --git a/wolfcrypt/src/kdf.c b/wolfcrypt/src/kdf.c index 15672e8f42..7fef6a56d4 100644 --- a/wolfcrypt/src/kdf.c +++ b/wolfcrypt/src/kdf.c @@ -306,6 +306,16 @@ int wc_PRF_TLS(byte* digest, word32 digLen, const byte* secret, word32 secLen, { int ret = 0; +#ifdef WOLFSSL_DEBUG_TLS + WOLFSSL_MSG(" secret"); + WOLFSSL_BUFFER(secret, secLen); + WOLFSSL_MSG(" label"); + WOLFSSL_BUFFER(label, labLen); + WOLFSSL_MSG(" seed"); + WOLFSSL_BUFFER(seed, seedLen); +#endif + + if (useAtLeastSha256) { #ifdef WOLFSSL_SMALL_STACK byte* labelSeed; @@ -350,6 +360,12 @@ int wc_PRF_TLS(byte* digest, word32 digLen, const byte* secret, word32 secLen, #endif } +#ifdef WOLFSSL_DEBUG_TLS + WOLFSSL_MSG(" digest"); + WOLFSSL_BUFFER(digest, digLen); + WOLFSSL_MSG_EX("hash_type %d", hash_type); +#endif + return ret; } #endif /* WOLFSSL_HAVE_PRF && !NO_HMAC */ diff --git a/wolfssl/internal.h b/wolfssl/internal.h index ea828a84c3..a339de4bd6 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -5869,6 +5869,8 @@ struct WOLFSSL { #ifdef HAVE_SECRET_CALLBACK SessionSecretCb sessionSecretCb; void* sessionSecretCtx; + TicketParseCb ticketParseCb; + void* ticketParseCtx; TlsSecretCb tlsSecretCb; void* tlsSecretCtx; #ifdef WOLFSSL_TLS13 diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index 2d10864623..e7c8832f06 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -1366,8 +1366,12 @@ WOLFSSL_ABI WOLFSSL_API long wolfSSL_CTX_set_session_cache_mode(WOLFSSL_CTX* ctx typedef int (*SessionSecretCb)(WOLFSSL* ssl, void* secret, int* secretSz, void* ctx); /* This callback is used to set the master secret during resumption */ -WOLFSSL_API int wolfSSL_set_session_secret_cb(WOLFSSL* ssl, SessionSecretCb, - void*); +WOLFSSL_API int wolfSSL_set_session_secret_cb(WOLFSSL* ssl, SessionSecretCb cb, + void* ctx); +typedef int (*TicketParseCb)(WOLFSSL *ssl, const unsigned char *data, + int len, void *ctx); +WOLFSSL_API int wolfSSL_set_session_ticket_ext_cb(WOLFSSL* ssl, + TicketParseCb cb, void *ctx); typedef int (*TlsSecretCb)(WOLFSSL* ssl, void* secret, int secretSz, void* ctx); /* This callback is used to log the secret for TLS <= 1.2 */ From 77a7297c42074fb78cf24377a231447356c43a89 Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Tue, 2 Apr 2024 18:19:28 +0200 Subject: [PATCH 02/10] Filter cipher list on TLS version change --- src/internal.c | 42 +++++++++++--------------- src/ssl.c | 74 ++++++++++++++++++++++++++++++++++++++++++---- wolfssl/internal.h | 1 + 3 files changed, 88 insertions(+), 29 deletions(-) diff --git a/src/internal.c b/src/internal.c index b71ea8563c..48d687d970 100644 --- a/src/internal.c +++ b/src/internal.c @@ -33507,6 +33507,24 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, } } + /* search suites for specific one, idx on success, negative on error */ + int FindSuite(const Suites* suites, byte first, byte second) + { + int i; + + if (suites == NULL || suites->suiteSz == 0) { + WOLFSSL_MSG("Suites pointer error or suiteSz 0"); + return SUITES_ERROR; + } + + for (i = 0; i < suites->suiteSz-1; i += SUITE_LEN) { + if (suites->suites[i] == first && + suites->suites[i+1] == second ) + return i; + } + + return MATCH_SUITE_ERROR; + } #ifndef NO_WOLFSSL_SERVER @@ -35426,30 +35444,6 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, return ret; } -#if defined(HAVE_SERVER_RENEGOTIATION_INFO) || defined(HAVE_FALLBACK_SCSV) || \ - defined(OPENSSL_ALL) - - /* search suites for specific one, idx on success, negative on error */ - static int FindSuite(Suites* suites, byte first, byte second) - { - int i; - - if (suites == NULL || suites->suiteSz == 0) { - WOLFSSL_MSG("Suites pointer error or suiteSz 0"); - return SUITES_ERROR; - } - - for (i = 0; i < suites->suiteSz-1; i += SUITE_LEN) { - if (suites->suites[i] == first && - suites->suites[i+1] == second ) - return i; - } - - return MATCH_SUITE_ERROR; - } - -#endif - #endif /* !WOLFSSL_NO_TLS12 */ /* Make sure server cert/key are valid for this suite, true on success diff --git a/src/ssl.c b/src/ssl.c index c36422d524..0e7290e7d9 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -15688,6 +15688,24 @@ static long wolf_set_options(long old_op, long op) return old_op | op; } +static int FindHashSig(const Suites* suites, byte first, byte second) +{ + word16 i; + + if (suites == NULL || suites->hashSigAlgoSz == 0) { + WOLFSSL_MSG("Suites pointer error or suiteSz 0"); + return SUITES_ERROR; + } + + for (i = 0; i < suites->hashSigAlgoSz-1; i += 2) { + if (suites->hashSigAlgo[i] == first && + suites->hashSigAlgo[i+1] == second ) + return i; + } + + return MATCH_SUITE_ERROR; +} + long wolfSSL_set_options(WOLFSSL* ssl, long op) { word16 haveRSA = 1; @@ -15703,21 +15721,25 @@ long wolfSSL_set_options(WOLFSSL* ssl, long op) ssl->options.mask = wolf_set_options(ssl->options.mask, op); if ((ssl->options.mask & WOLFSSL_OP_NO_TLSv1_3) == WOLFSSL_OP_NO_TLSv1_3) { + WOLFSSL_MSG("Disabling TLS 1.3"); if (ssl->version.minor == TLSv1_3_MINOR) ssl->version.minor = TLSv1_2_MINOR; } if ((ssl->options.mask & WOLFSSL_OP_NO_TLSv1_2) == WOLFSSL_OP_NO_TLSv1_2) { + WOLFSSL_MSG("Disabling TLS 1.2"); if (ssl->version.minor == TLSv1_2_MINOR) ssl->version.minor = TLSv1_1_MINOR; } if ((ssl->options.mask & WOLFSSL_OP_NO_TLSv1_1) == WOLFSSL_OP_NO_TLSv1_1) { + WOLFSSL_MSG("Disabling TLS 1.1"); if (ssl->version.minor == TLSv1_1_MINOR) ssl->version.minor = TLSv1_MINOR; } if ((ssl->options.mask & WOLFSSL_OP_NO_TLSv1) == WOLFSSL_OP_NO_TLSv1) { + WOLFSSL_MSG("Disabling TLS 1.0"); if (ssl->version.minor == TLSv1_MINOR) ssl->version.minor = SSLv3_MINOR; } @@ -15751,11 +15773,53 @@ long wolfSSL_set_options(WOLFSSL* ssl, long op) if (ssl->options.side != WOLFSSL_NEITHER_END) { if (AllocateSuites(ssl) != 0) return 0; - InitSuites(ssl->suites, ssl->version, keySz, haveRSA, havePSK, - ssl->options.haveDH, ssl->options.haveECDSAsig, - ssl->options.haveECC, TRUE, ssl->options.haveStaticECC, - ssl->options.haveFalconSig, ssl->options.haveDilithiumSig, - ssl->options.useAnon, TRUE, ssl->options.side); + if (!ssl->suites->setSuites) { + InitSuites(ssl->suites, ssl->version, keySz, haveRSA, + havePSK, ssl->options.haveDH, ssl->options.haveECDSAsig, + ssl->options.haveECC, TRUE, ssl->options.haveStaticECC, + ssl->options.haveFalconSig, + ssl->options.haveDilithiumSig, ssl->options.useAnon, + TRUE, ssl->options.side); + } + else { + /* Only preserve overlapping suites */ + Suites tmpSuites; + word16 in, out, haveECDSAsig = 0; + word16 haveStaticECC = ssl->options.haveStaticECC; +#ifdef NO_RSA + haveECDSAsig = 1; + haveStaticECC = 1; +#endif + XMEMSET(&tmpSuites, 0, sizeof(Suites)); + /* Get all possible ciphers and sigalgs for the version. Following + * options limit the allowed ciphers so let's try to get as many as + * possible. + * - haveStaticECC turns off haveRSA + * - haveECDSAsig turns off haveRSAsig */ + InitSuites(&tmpSuites, ssl->version, 0, 1, 1, 1, haveECDSAsig, 1, 1, + haveStaticECC, 1, 1, 1, 1, ssl->options.side); + for (in = 0, out = 0; in < ssl->suites->suiteSz; in += SUITE_LEN) { + if (FindSuite(&tmpSuites, ssl->suites->suites[in], + ssl->suites->suites[in+1]) >= 0) { + ssl->suites->suites[out] = ssl->suites->suites[in]; + ssl->suites->suites[out+1] = ssl->suites->suites[in+1]; + out += SUITE_LEN; + } + } + ssl->suites->suiteSz = out; + for (in = 0, out = 0; in < ssl->suites->hashSigAlgoSz; in += 2) { + if (FindHashSig(&tmpSuites, ssl->suites->hashSigAlgo[in], + ssl->suites->hashSigAlgo[in+1]) >= 0) { + ssl->suites->hashSigAlgo[out] = + ssl->suites->hashSigAlgo[in]; + ssl->suites->hashSigAlgo[out+1] = + ssl->suites->hashSigAlgo[in+1]; + out += 2; + } + } + ssl->suites->hashSigAlgoSz = out; + } + } return ssl->options.mask; diff --git a/wolfssl/internal.h b/wolfssl/internal.h index a339de4bd6..4c3f3980e3 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -6419,6 +6419,7 @@ WOLFSSL_LOCAL int cipherExtraData(WOLFSSL* ssl); WOLFSSL_LOCAL word32 LowResTimer(void); WOLFSSL_LOCAL int FindSuiteSSL(const WOLFSSL* ssl, byte* suite); +WOLFSSL_LOCAL int FindSuite(const Suites* suites, byte first, byte second); WOLFSSL_LOCAL void DecodeSigAlg(const byte* input, byte* hashAlgo, byte* hsType); From 66f72a258fc90b1d48d63cc779f40a91436234f9 Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Thu, 4 Apr 2024 11:14:10 +0200 Subject: [PATCH 03/10] Remove unused internal API --- src/internal.c | 32 ++++---------------------------- src/tls13.c | 4 ++-- tests/api.c | 4 ++-- wolfssl/internal.h | 12 ++---------- 4 files changed, 10 insertions(+), 42 deletions(-) diff --git a/src/internal.c b/src/internal.c index 48d687d970..e21668e2fb 100644 --- a/src/internal.c +++ b/src/internal.c @@ -3048,7 +3048,7 @@ static WC_INLINE void AddSuiteHashSigAlgo(byte* hashSigAlgo, byte macAlgo, } } -void InitSuitesHashSigAlgo_ex2(byte* hashSigAlgo, int haveSig, int tls1_2, +void InitSuitesHashSigAlgo(byte* hashSigAlgo, int haveSig, int tls1_2, int keySz, word16* len) { word16 idx = 0; @@ -3155,30 +3155,6 @@ void InitSuitesHashSigAlgo_ex2(byte* hashSigAlgo, int haveSig, int tls1_2, *len = idx; } -void InitSuitesHashSigAlgo(Suites* suites, int haveECDSAsig, int haveRSAsig, - int haveFalconSig, int haveDilithiumSig, int haveAnon, int tls1_2, - int keySz) -{ - InitSuitesHashSigAlgo_ex(suites->hashSigAlgo, haveECDSAsig, haveRSAsig, - haveFalconSig, haveDilithiumSig, haveAnon, tls1_2, keySz, - &suites->hashSigAlgoSz); -} - -void InitSuitesHashSigAlgo_ex(byte* hashSigAlgo, int haveECDSAsig, - int haveRSAsig, int haveFalconSig, int haveDilithiumSig, int haveAnon, - int tls1_2, int keySz, word16* len) -{ - int have = 0; - - if (haveECDSAsig) have |= SIG_ECDSA; - if (haveRSAsig) have |= SIG_RSA; - if (haveFalconSig) have |= SIG_FALCON; - if (haveDilithiumSig) have |= SIG_DILITHIUM; - if (haveAnon) have |= SIG_ANON; - - InitSuitesHashSigAlgo_ex2(hashSigAlgo, have, tls1_2, keySz, len); -} - int AllocateCtxSuites(WOLFSSL_CTX* ctx) { if (ctx->suites == NULL) { @@ -4274,7 +4250,7 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA, haveSig |= haveFalconSig ? SIG_FALCON : 0; haveSig |= haveDilithiumSig ? SIG_DILITHIUM : 0; haveSig &= ~SIG_ANON; - InitSuitesHashSigAlgo_ex2(suites->hashSigAlgo, haveSig, tls1_2, keySz, + InitSuitesHashSigAlgo(suites->hashSigAlgo, haveSig, tls1_2, keySz, &suites->hashSigAlgoSz); } } @@ -26729,7 +26705,7 @@ static int ParseCipherList(Suites* suites, #endif { suites->suiteSz = (word16)idx; - InitSuitesHashSigAlgo_ex2(suites->hashSigAlgo, haveSig, 1, keySz, + InitSuitesHashSigAlgo(suites->hashSigAlgo, haveSig, 1, keySz, &suites->hashSigAlgoSz); } @@ -26913,7 +26889,7 @@ int SetCipherListFromBytes(WOLFSSL_CTX* ctx, Suites* suites, const byte* list, haveSig |= haveFalconSig ? SIG_FALCON : 0; haveSig |= haveDilithiumSig ? SIG_DILITHIUM : 0; haveSig |= haveAnon ? SIG_ANON : 0; - InitSuitesHashSigAlgo_ex2(suites->hashSigAlgo, haveSig, 1, keySz, + InitSuitesHashSigAlgo(suites->hashSigAlgo, haveSig, 1, keySz, &suites->hashSigAlgoSz); #ifdef HAVE_RENEGOTIATION_INDICATION if (ctx->method->side == WOLFSSL_CLIENT_END) { diff --git a/src/tls13.c b/src/tls13.c index fb07314dad..eee95733f9 100644 --- a/src/tls13.c +++ b/src/tls13.c @@ -7647,12 +7647,12 @@ static int SendTls13CertificateRequest(WOLFSSL* ssl, byte* reqCtx, return SIDE_ERROR; /* Get the length of the hashSigAlgo buffer */ - InitSuitesHashSigAlgo_ex2(NULL, haveSig, 1, ssl->buffers.keySz, + InitSuitesHashSigAlgo(NULL, haveSig, 1, ssl->buffers.keySz, &hashSigAlgoSz); sa = TLSX_SignatureAlgorithms_New(ssl, hashSigAlgoSz, ssl->heap); if (sa == NULL) return MEMORY_ERROR; - InitSuitesHashSigAlgo_ex2(sa->hashSigAlgo, haveSig, 1, ssl->buffers.keySz, + InitSuitesHashSigAlgo(sa->hashSigAlgo, haveSig, 1, ssl->buffers.keySz, &hashSigAlgoSz); ret = TLSX_Push(&ssl->extensions, TLSX_SIGNATURE_ALGORITHMS, sa, ssl->heap); if (ret != 0) { diff --git a/tests/api.c b/tests/api.c index 01cafdd2eb..0829866cab 100644 --- a/tests/api.c +++ b/tests/api.c @@ -47112,7 +47112,7 @@ static int test_wolfSSL_sigalg_info(void) word16 idx = 0; int allSigAlgs = SIG_ECDSA | SIG_RSA | SIG_SM2 | SIG_FALCON | SIG_DILITHIUM; - InitSuitesHashSigAlgo_ex2(hashSigAlgo, allSigAlgs, 1, 0xFFFFFFFF, &len); + InitSuitesHashSigAlgo(hashSigAlgo, allSigAlgs, 1, 0xFFFFFFFF, &len); for (idx = 0; idx < len; idx += 2) { int hashAlgo = 0; int sigAlgo = 0; @@ -47124,7 +47124,7 @@ static int test_wolfSSL_sigalg_info(void) ExpectIntNE(sigAlgo, 0); } - InitSuitesHashSigAlgo_ex2(hashSigAlgo, allSigAlgs | SIG_ANON, 1, + InitSuitesHashSigAlgo(hashSigAlgo, allSigAlgs | SIG_ANON, 1, 0xFFFFFFFF, &len); for (idx = 0; idx < len; idx += 2) { int hashAlgo = 0; diff --git a/wolfssl/internal.h b/wolfssl/internal.h index 4c3f3980e3..bb9c06ccff 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -2355,16 +2355,8 @@ typedef struct CipherSuite { #endif } CipherSuite; -WOLFSSL_LOCAL void InitSuitesHashSigAlgo(Suites* suites, int haveECDSAsig, - int haveRSAsig, int haveFalconSig, - int haveDilithiumSig, int haveAnon, - int tls1_2, int keySz); -WOLFSSL_LOCAL void InitSuitesHashSigAlgo_ex(byte* hashSigAlgo, int haveECDSAsig, - int haveRSAsig, int haveFalconSig, - int haveDilithiumSig, int haveAnon, - int tls1_2, int keySz, word16* len); /* use wolfSSL_API visibility to be able to test in tests/api.c */ -WOLFSSL_API void InitSuitesHashSigAlgo_ex2(byte* hashSigAlgo, int have, +WOLFSSL_API void InitSuitesHashSigAlgo(byte* hashSigAlgo, int have, int tls1_2, int keySz, word16* len); WOLFSSL_LOCAL int AllocateCtxSuites(WOLFSSL_CTX* ctx); @@ -4040,7 +4032,7 @@ enum KeyExchangeAlgorithm { ecc_static_diffie_hellman_kea /* for verify suite only */ }; -/* Used with InitSuitesHashSigAlgo_ex2 */ +/* Used with InitSuitesHashSigAlgo */ #define SIG_ECDSA 0x01 #define SIG_RSA 0x02 #define SIG_SM2 0x04 From 020bcd0043226226a27cf9f90a6240b3afd24553 Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Thu, 4 Apr 2024 11:36:31 +0200 Subject: [PATCH 04/10] Advertise all supported sigalgs by default --- src/internal.c | 45 +++++++++++++++++++-------------------------- src/tls13.c | 8 ++------ wolfssl/internal.h | 3 +++ 3 files changed, 24 insertions(+), 32 deletions(-) diff --git a/src/internal.c b/src/internal.c index e21668e2fb..1b93022d60 100644 --- a/src/internal.c +++ b/src/internal.c @@ -3209,22 +3209,6 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA, } #endif - (void)tls; /* shut up compiler */ - (void)tls1_2; - (void)dtls; - (void)haveDH; - (void)havePSK; - (void)haveStaticRSA; - (void)haveStaticECC; - (void)haveECC; - (void)side; - (void)haveRSA; /* some builds won't read */ - (void)haveRSAsig; /* non ecc builds won't read */ - (void)haveAnon; /* anon ciphers optional */ - (void)haveNull; - (void)haveFalconSig; - (void)haveDilithiumSig; - if (suites == NULL) { WOLFSSL_MSG("InitSuites pointer error"); return; @@ -4241,18 +4225,27 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA, suites->suiteSz = idx; if (suites->hashSigAlgoSz == 0) { - int haveSig = 0; - haveSig |= (haveRSAsig | haveRSA) ? SIG_RSA : 0; - haveSig |= (haveECDSAsig | haveECC) ? SIG_ECDSA : 0; - #if defined(WOLFSSL_SM2) && defined(WOLFSSL_SM3) - haveSig |= (haveECDSAsig | haveECC) ? SIG_SM2 : 0; - #endif - haveSig |= haveFalconSig ? SIG_FALCON : 0; - haveSig |= haveDilithiumSig ? SIG_DILITHIUM : 0; - haveSig &= ~SIG_ANON; - InitSuitesHashSigAlgo(suites->hashSigAlgo, haveSig, tls1_2, keySz, + InitSuitesHashSigAlgo(suites->hashSigAlgo, SIG_ALL, tls1_2, keySz, &suites->hashSigAlgoSz); } + + /* Moved to the end as we set some of the vars but never use them */ + (void)tls; /* shut up compiler */ + (void)tls1_2; + (void)dtls; + (void)haveDH; + (void)havePSK; + (void)haveStaticRSA; + (void)haveStaticECC; + (void)haveECC; + (void)haveECDSAsig; + (void)side; + (void)haveRSA; /* some builds won't read */ + (void)haveRSAsig; /* non ecc builds won't read */ + (void)haveAnon; /* anon ciphers optional */ + (void)haveNull; + (void)haveFalconSig; + (void)haveDilithiumSig; } #if !defined(NO_WOLFSSL_SERVER) || !defined(NO_CERTS) || \ diff --git a/src/tls13.c b/src/tls13.c index eee95733f9..1522b3fb5e 100644 --- a/src/tls13.c +++ b/src/tls13.c @@ -7633,10 +7633,6 @@ static int SendTls13CertificateRequest(WOLFSSL* ssl, byte* reqCtx, word32 reqSz; word16 hashSigAlgoSz = 0; SignatureAlgorithms* sa; - int haveSig = SIG_RSA | SIG_ECDSA | SIG_FALCON | SIG_DILITHIUM; -#if defined(WOLFSSL_SM2) && defined(WOLFSSL_SM3) - haveSig |= SIG_SM2; -#endif WOLFSSL_START(WC_FUNC_CERTIFICATE_REQUEST_SEND); WOLFSSL_ENTER("SendTls13CertificateRequest"); @@ -7647,12 +7643,12 @@ static int SendTls13CertificateRequest(WOLFSSL* ssl, byte* reqCtx, return SIDE_ERROR; /* Get the length of the hashSigAlgo buffer */ - InitSuitesHashSigAlgo(NULL, haveSig, 1, ssl->buffers.keySz, + InitSuitesHashSigAlgo(NULL, SIG_ALL, 1, ssl->buffers.keySz, &hashSigAlgoSz); sa = TLSX_SignatureAlgorithms_New(ssl, hashSigAlgoSz, ssl->heap); if (sa == NULL) return MEMORY_ERROR; - InitSuitesHashSigAlgo(sa->hashSigAlgo, haveSig, 1, ssl->buffers.keySz, + InitSuitesHashSigAlgo(sa->hashSigAlgo, SIG_ALL, 1, ssl->buffers.keySz, &hashSigAlgoSz); ret = TLSX_Push(&ssl->extensions, TLSX_SIGNATURE_ALGORITHMS, sa, ssl->heap); if (ret != 0) { diff --git a/wolfssl/internal.h b/wolfssl/internal.h index bb9c06ccff..c2b289fade 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -4039,6 +4039,9 @@ enum KeyExchangeAlgorithm { #define SIG_FALCON 0x08 #define SIG_DILITHIUM 0x10 #define SIG_ANON 0x20 +/* SIG_ANON is omitted by default */ +#define SIG_ALL (SIG_ECDSA | SIG_RSA | SIG_SM2 | SIG_FALCON | \ + SIG_DILITHIUM) /* Supported Authentication Schemes */ enum SignatureAlgorithm { From 6b47ebd66ae42626b187fbde841eb572193c9f87 Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Thu, 4 Apr 2024 18:43:28 +0200 Subject: [PATCH 05/10] Expose *_set_groups for TLS < 1.3 - Add test to make sure we fail on curve mismatch --- src/internal.c | 16 +++++++++ src/ssl.c | 50 +++++++++++++++++--------- src/tls.c | 87 ++++++++++++++++++++++++++++++++++++++++++++++ src/tls13.c | 80 ------------------------------------------ tests/api.c | 81 ++++++++++++++++++++++++++++++++++++++++++ wolfssl/internal.h | 1 + wolfssl/ssl.h | 29 ++++++++-------- 7 files changed, 233 insertions(+), 111 deletions(-) diff --git a/src/internal.c b/src/internal.c index 1b93022d60..ffeff44156 100644 --- a/src/internal.c +++ b/src/internal.c @@ -517,6 +517,22 @@ int IsTLS(const WOLFSSL* ssl) { if (ssl->version.major == SSLv3_MAJOR && ssl->version.minor >=TLSv1_MINOR) return 1; +#ifdef WOLFSSL_DTLS + if (ssl->version.major == DTLS_MAJOR) + return 1; +#endif + + return 0; +} + +int IsTLS_ex(const ProtocolVersion pv) +{ + if (pv.major == SSLv3_MAJOR && pv.minor >=TLSv1_MINOR) + return 1; +#ifdef WOLFSSL_DTLS + if (pv.major == DTLS_MAJOR) + return 1; +#endif return 0; } diff --git a/src/ssl.c b/src/ssl.c index 0e7290e7d9..d2e45894fd 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -2692,6 +2692,7 @@ int wolfSSL_GetOutputSize(WOLFSSL* ssl, int inSz) #ifdef HAVE_ECC int wolfSSL_CTX_SetMinEccKey_Sz(WOLFSSL_CTX* ctx, short keySz) { + WOLFSSL_ENTER("wolfSSL_CTX_SetMinEccKey_Sz"); if (ctx == NULL || keySz < 0 || keySz % 8 != 0) { WOLFSSL_MSG("Key size must be divisible by 8 or ctx was null"); return BAD_FUNC_ARG; @@ -2707,6 +2708,7 @@ int wolfSSL_CTX_SetMinEccKey_Sz(WOLFSSL_CTX* ctx, short keySz) int wolfSSL_SetMinEccKey_Sz(WOLFSSL* ssl, short keySz) { + WOLFSSL_ENTER("wolfSSL_SetMinEccKey_Sz"); if (ssl == NULL || keySz < 0 || keySz % 8 != 0) { WOLFSSL_MSG("Key size must be divisible by 8 or ssl was null"); return BAD_FUNC_ARG; @@ -3349,7 +3351,7 @@ int wolfSSL_CTX_UseSupportedCurve(WOLFSSL_CTX* ctx, word16 name) #endif /* NO_TLS */ } -#if defined(OPENSSL_EXTRA) && defined(WOLFSSL_TLS13) +#if defined(OPENSSL_EXTRA) int wolfSSL_CTX_set1_groups(WOLFSSL_CTX* ctx, int* groups, int count) { @@ -3420,7 +3422,7 @@ int wolfSSL_set1_groups(WOLFSSL* ssl, int* groups, int count) return wolfSSL_set_groups(ssl, _groups, count) == WOLFSSL_SUCCESS ? WOLFSSL_SUCCESS : WOLFSSL_FAILURE; } -#endif /* OPENSSL_EXTRA && WOLFSSL_TLS13 */ +#endif /* OPENSSL_EXTRA */ #endif /* HAVE_SUPPORTED_CURVES */ /* Application-Layer Protocol Negotiation */ @@ -7877,6 +7879,8 @@ WOLFSSL_API int wolfSSL_get_negotiated_server_cert_type(WOLFSSL* ssl, int* tp) /* Set Temp CTX EC-DHE size in octets, can be 14 - 66 (112 - 521 bit) */ int wolfSSL_CTX_SetTmpEC_DHE_Sz(WOLFSSL_CTX* ctx, word16 sz) { + WOLFSSL_ENTER("wolfSSL_CTX_SetTmpEC_DHE_Sz"); + if (ctx == NULL) return BAD_FUNC_ARG; @@ -7911,6 +7915,8 @@ int wolfSSL_CTX_SetTmpEC_DHE_Sz(WOLFSSL_CTX* ctx, word16 sz) /* Set Temp SSL EC-DHE size in octets, can be 14 - 66 (112 - 521 bit) */ int wolfSSL_SetTmpEC_DHE_Sz(WOLFSSL* ssl, word16 sz) { + WOLFSSL_ENTER("wolfSSL_SetTmpEC_DHE_Sz"); + if (ssl == NULL) return BAD_FUNC_ARG; @@ -15819,7 +15825,6 @@ long wolfSSL_set_options(WOLFSSL* ssl, long op) } ssl->suites->hashSigAlgoSz = out; } - } return ssl->options.mask; @@ -21356,20 +21361,29 @@ void wolfSSL_get0_next_proto_negotiated(const WOLFSSL *s, #if defined(OPENSSL_EXTRA) || defined(HAVE_CURL) int wolfSSL_curve_is_disabled(const WOLFSSL* ssl, word16 curve_id) { - if (curve_id >= WOLFSSL_FFDHE_START) { - /* DH parameters are never disabled. */ - return 0; - } - if (curve_id > WOLFSSL_ECC_MAX_AVAIL) { - WOLFSSL_MSG("Curve id out of supported range"); - /* Disabled if not in valid range. */ - return 1; - } - if (curve_id >= 32) { - /* 0 is for invalid and 1-14 aren't used otherwise. */ - return (ssl->disabledCurves & (1U << (curve_id - 32))) != 0; + int ret = 0; + + WOLFSSL_ENTER("wolfSSL_curve_is_disabled"); + WOLFSSL_MSG_EX("wolfSSL_curve_is_disabled checking for %d", curve_id); + + /* (curve_id >= WOLFSSL_FFDHE_START) - DH parameters are never disabled. */ + if (curve_id < WOLFSSL_FFDHE_START) { + if (curve_id > WOLFSSL_ECC_MAX_AVAIL) { + WOLFSSL_MSG("Curve id out of supported range"); + /* Disabled if not in valid range. */ + ret = 1; + } + else if (curve_id >= 32) { + /* 0 is for invalid and 1-14 aren't used otherwise. */ + ret = (ssl->disabledCurves & (1U << (curve_id - 32))) != 0; + } + else { + ret = (ssl->disabledCurves & (1U << curve_id)) != 0; + } } - return (ssl->disabledCurves & (1U << curve_id)) != 0; + + WOLFSSL_LEAVE("wolfSSL_curve_is_disabled", ret); + return ret; } #if (defined(HAVE_ECC) || \ @@ -21504,7 +21518,7 @@ static int set_curves_list(WOLFSSL* ssl, WOLFSSL_CTX *ctx, const char* names) disabled &= ~(1U << curve); } #ifdef HAVE_SUPPORTED_CURVES - #if defined(WOLFSSL_TLS13) && !defined(WOLFSSL_OLD_SET_CURVES_LIST) + #if !defined(WOLFSSL_OLD_SET_CURVES_LIST) /* using the wolfSSL API to set the groups, this will populate * (ssl|ctx)->groups and reset any TLSX_SUPPORTED_GROUPS. * The order in (ssl|ctx)->groups will then be respected @@ -21545,6 +21559,7 @@ static int set_curves_list(WOLFSSL* ssl, WOLFSSL_CTX *ctx, const char* names) int wolfSSL_CTX_set1_curves_list(WOLFSSL_CTX* ctx, const char* names) { + WOLFSSL_ENTER("wolfSSL_CTX_set1_curves_list"); if (ctx == NULL || names == NULL) { WOLFSSL_MSG("ctx or names was NULL"); return WOLFSSL_FAILURE; @@ -21554,6 +21569,7 @@ int wolfSSL_CTX_set1_curves_list(WOLFSSL_CTX* ctx, const char* names) int wolfSSL_set1_curves_list(WOLFSSL* ssl, const char* names) { + WOLFSSL_ENTER("wolfSSL_set1_curves_list"); if (ssl == NULL || names == NULL) { WOLFSSL_MSG("ssl or names was NULL"); return WOLFSSL_FAILURE; diff --git a/src/tls.c b/src/tls.c index 2db3c6ff74..82587f0328 100644 --- a/src/tls.c +++ b/src/tls.c @@ -300,6 +300,86 @@ ProtocolVersion MakeTLSv1_3(void) } #endif +#if defined(HAVE_SUPPORTED_CURVES) +/* Sets the key exchange groups in rank order on a context. + * + * ctx SSL/TLS context object. + * groups Array of groups. + * count Number of groups in array. + * returns BAD_FUNC_ARG when ctx or groups is NULL, not using TLS v1.3 or + * count is greater than WOLFSSL_MAX_GROUP_COUNT and WOLFSSL_SUCCESS on success. + */ +int wolfSSL_CTX_set_groups(WOLFSSL_CTX* ctx, int* groups, int count) +{ + int ret, i; + + WOLFSSL_ENTER("wolfSSL_CTX_set_groups"); + if (ctx == NULL || groups == NULL || count > WOLFSSL_MAX_GROUP_COUNT) + return BAD_FUNC_ARG; + if (!IsTLS_ex(ctx->method->version)) + return BAD_FUNC_ARG; + + ctx->numGroups = 0; + #if !defined(NO_TLS) + TLSX_Remove(&ctx->extensions, TLSX_SUPPORTED_GROUPS, ctx->heap); + #endif /* !NO_TLS */ + for (i = 0; i < count; i++) { + /* Call to wolfSSL_CTX_UseSupportedCurve also checks if input groups + * are valid */ + if ((ret = wolfSSL_CTX_UseSupportedCurve(ctx, (word16)groups[i])) + != WOLFSSL_SUCCESS) { + #if !defined(NO_TLS) + TLSX_Remove(&ctx->extensions, TLSX_SUPPORTED_GROUPS, ctx->heap); + #endif /* !NO_TLS */ + return ret; + } + ctx->group[i] = (word16)groups[i]; + } + ctx->numGroups = (byte)count; + + return WOLFSSL_SUCCESS; +} + +/* Sets the key exchange groups in rank order. + * + * ssl SSL/TLS object. + * groups Array of groups. + * count Number of groups in array. + * returns BAD_FUNC_ARG when ssl or groups is NULL, not using TLS v1.3 or + * count is greater than WOLFSSL_MAX_GROUP_COUNT and WOLFSSL_SUCCESS on success. + */ +int wolfSSL_set_groups(WOLFSSL* ssl, int* groups, int count) +{ + int ret, i; + + WOLFSSL_ENTER("wolfSSL_set_groups"); + if (ssl == NULL || groups == NULL || count > WOLFSSL_MAX_GROUP_COUNT) + return BAD_FUNC_ARG; + if (!IsTLS_ex(ssl->version)) + return BAD_FUNC_ARG; + + ssl->numGroups = 0; + #if !defined(NO_TLS) + TLSX_Remove(&ssl->extensions, TLSX_SUPPORTED_GROUPS, ssl->heap); + #endif /* !NO_TLS */ + for (i = 0; i < count; i++) { + /* Call to wolfSSL_UseSupportedCurve also checks if input groups + * are valid */ + if ((ret = wolfSSL_UseSupportedCurve(ssl, (word16)groups[i])) + != WOLFSSL_SUCCESS) { + #if !defined(NO_TLS) + TLSX_Remove(&ssl->extensions, TLSX_SUPPORTED_GROUPS, ssl->heap); + #endif /* !NO_TLS */ + return ret; + } + ssl->group[i] = (word16)groups[i]; + } + ssl->numGroups = (byte)count; + + return WOLFSSL_SUCCESS; +} +#endif /* HAVE_SUPPORTED_CURVES */ + #ifndef WOLFSSL_NO_TLS12 #ifdef HAVE_EXTENDED_MASTER @@ -4675,6 +4755,7 @@ int TLSX_ValidateSupportedCurves(const WOLFSSL* ssl, byte first, byte second, int ephmSuite = 0; word16 octets = 0; /* according to 'ecc_set_type ecc_sets[];' */ int key = 0; /* validate key */ + int foundCurve = 0; /* Found at least one supported curve */ (void)oid; @@ -4836,6 +4917,8 @@ int TLSX_ValidateSupportedCurves(const WOLFSSL* ssl, byte first, byte second, default: continue; /* unsupported curve */ } + foundCurve = 1; + #ifdef HAVE_ECC /* Set default Oid */ if (defOid == 0 && ssl->eccTempKeySz <= octets && defSz > octets) { @@ -4980,6 +5063,10 @@ int TLSX_ValidateSupportedCurves(const WOLFSSL* ssl, byte first, byte second, } } + /* Check we found at least one supported curve */ + if (!foundCurve) + return 0; + *ecdhCurveOID = ssl->ecdhCurveOID; /* Choose the default if it is at the required strength. */ #ifdef HAVE_ECC diff --git a/src/tls13.c b/src/tls13.c index 1522b3fb5e..94abe21869 100644 --- a/src/tls13.c +++ b/src/tls13.c @@ -13687,86 +13687,6 @@ int wolfSSL_preferred_group(WOLFSSL* ssl) } #endif -#if defined(HAVE_SUPPORTED_CURVES) -/* Sets the key exchange groups in rank order on a context. - * - * ctx SSL/TLS context object. - * groups Array of groups. - * count Number of groups in array. - * returns BAD_FUNC_ARG when ctx or groups is NULL, not using TLS v1.3 or - * count is greater than WOLFSSL_MAX_GROUP_COUNT and WOLFSSL_SUCCESS on success. - */ -int wolfSSL_CTX_set_groups(WOLFSSL_CTX* ctx, int* groups, int count) -{ - int ret, i; - - WOLFSSL_ENTER("wolfSSL_CTX_set_groups"); - if (ctx == NULL || groups == NULL || count > WOLFSSL_MAX_GROUP_COUNT) - return BAD_FUNC_ARG; - if (!IsAtLeastTLSv1_3(ctx->method->version)) - return BAD_FUNC_ARG; - - ctx->numGroups = 0; - #if !defined(NO_TLS) - TLSX_Remove(&ctx->extensions, TLSX_SUPPORTED_GROUPS, ctx->heap); - #endif /* !NO_TLS */ - for (i = 0; i < count; i++) { - /* Call to wolfSSL_CTX_UseSupportedCurve also checks if input groups - * are valid */ - if ((ret = wolfSSL_CTX_UseSupportedCurve(ctx, (word16)groups[i])) - != WOLFSSL_SUCCESS) { - #if !defined(NO_TLS) - TLSX_Remove(&ctx->extensions, TLSX_SUPPORTED_GROUPS, ctx->heap); - #endif /* !NO_TLS */ - return ret; - } - ctx->group[i] = (word16)groups[i]; - } - ctx->numGroups = (byte)count; - - return WOLFSSL_SUCCESS; -} - -/* Sets the key exchange groups in rank order. - * - * ssl SSL/TLS object. - * groups Array of groups. - * count Number of groups in array. - * returns BAD_FUNC_ARG when ssl or groups is NULL, not using TLS v1.3 or - * count is greater than WOLFSSL_MAX_GROUP_COUNT and WOLFSSL_SUCCESS on success. - */ -int wolfSSL_set_groups(WOLFSSL* ssl, int* groups, int count) -{ - int ret, i; - - WOLFSSL_ENTER("wolfSSL_set_groups"); - if (ssl == NULL || groups == NULL || count > WOLFSSL_MAX_GROUP_COUNT) - return BAD_FUNC_ARG; - if (!IsAtLeastTLSv1_3(ssl->version)) - return BAD_FUNC_ARG; - - ssl->numGroups = 0; - #if !defined(NO_TLS) - TLSX_Remove(&ssl->extensions, TLSX_SUPPORTED_GROUPS, ssl->heap); - #endif /* !NO_TLS */ - for (i = 0; i < count; i++) { - /* Call to wolfSSL_UseSupportedCurve also checks if input groups - * are valid */ - if ((ret = wolfSSL_UseSupportedCurve(ssl, (word16)groups[i])) - != WOLFSSL_SUCCESS) { - #if !defined(NO_TLS) - TLSX_Remove(&ssl->extensions, TLSX_SUPPORTED_GROUPS, ssl->heap); - #endif /* !NO_TLS */ - return ret; - } - ssl->group[i] = (word16)groups[i]; - } - ssl->numGroups = (byte)count; - - return WOLFSSL_SUCCESS; -} -#endif /* HAVE_SUPPORTED_CURVES */ - #ifndef NO_PSK /* Set the PSK callback, that is passed the cipher suite, for a client to use * against context object. diff --git a/tests/api.c b/tests/api.c index 0829866cab..0e5ecc2ebd 100644 --- a/tests/api.c +++ b/tests/api.c @@ -40475,6 +40475,86 @@ static int test_wolfSSL_set1_curves_list(void) return EXPECT_RESULT(); } +#if defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) +static int test_wolfSSL_curves_mismatch_ctx_ready(WOLFSSL_CTX* ctx) +{ + static int counter = 0; + EXPECT_DECLS; + + if (counter % 2) { + ExpectIntEQ(wolfSSL_CTX_set1_curves_list(ctx, "P-256"), + WOLFSSL_SUCCESS); + } + else { + ExpectIntEQ(wolfSSL_CTX_set1_curves_list(ctx, "P-384"), + WOLFSSL_SUCCESS); + } + + /* Ciphersuites that require curves */ + wolfSSL_CTX_set_cipher_list(ctx, "TLS13-AES256-GCM-SHA384:" + "TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES128-GCM-SHA256:" + "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:" + "ECDHE-ECDSA-AES128-GCM-SHA256:" + "ECDHE-RSA-AES128-GCM-SHA256"); + + counter++; + return EXPECT_RESULT(); +} +#endif + +static int test_wolfSSL_curves_mismatch(void) +{ + EXPECT_DECLS; +#if defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) + test_ssl_cbf func_cb_client; + test_ssl_cbf func_cb_server; + size_t i; + struct { + method_provider client_meth; + method_provider server_meth; + const char* desc; + int client_last_err; + int server_last_err; + } test_params[] = { +#ifdef WOLFSSL_TLS13 + {wolfTLSv1_3_client_method, wolfTLSv1_3_server_method, "TLS 1.3", + FATAL_ERROR, BAD_KEY_SHARE_DATA}, +#endif +#ifndef WOLFSSL_NO_TLS12 + {wolfTLSv1_2_client_method, wolfTLSv1_2_server_method, "TLS 1.2", + FATAL_ERROR, MATCH_SUITE_ERROR}, +#endif +#ifndef NO_OLD_TLS + {wolfTLSv1_1_client_method, wolfTLSv1_1_server_method, "TLS 1.1", + FATAL_ERROR, MATCH_SUITE_ERROR}, +#endif + }; + + for (i = 0; i < XELEM_CNT(test_params) && !EXPECT_FAIL(); i++) { + XMEMSET(&func_cb_client, 0, sizeof(func_cb_client)); + XMEMSET(&func_cb_server, 0, sizeof(func_cb_server)); + + printf("\tTesting with %s...\n", test_params[i].desc); + + func_cb_client.ctx_ready = &test_wolfSSL_curves_mismatch_ctx_ready; + func_cb_server.ctx_ready = &test_wolfSSL_curves_mismatch_ctx_ready; + + func_cb_client.method = test_params[i].client_meth; + func_cb_server.method = test_params[i].server_meth; + + ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&func_cb_client, + &func_cb_server, NULL), TEST_FAIL); + ExpectIntEQ(func_cb_client.last_err, test_params[i].client_last_err); + ExpectIntEQ(func_cb_server.last_err, test_params[i].server_last_err); + + if (!EXPECT_SUCCESS()) + break; + printf("\t%s passed\n", test_params[i].desc); + } +#endif + return EXPECT_RESULT(); +} + static int test_wolfSSL_set1_sigalgs_list(void) { EXPECT_DECLS; @@ -72292,6 +72372,7 @@ TEST_CASE testCases[] = { TEST_DECL(test_wolfSSL_configure_args), TEST_DECL(test_wolfSSL_sk_SSL_CIPHER), TEST_DECL(test_wolfSSL_set1_curves_list), + TEST_DECL(test_wolfSSL_curves_mismatch), TEST_DECL(test_wolfSSL_set1_sigalgs_list), TEST_DECL(test_wolfSSL_OtherName), diff --git a/wolfssl/internal.h b/wolfssl/internal.h index c2b289fade..a7780768ba 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -6186,6 +6186,7 @@ WOLFSSL_LOCAL int DeriveKeys(WOLFSSL* ssl); WOLFSSL_LOCAL int StoreKeys(WOLFSSL* ssl, const byte* keyData, int side); WOLFSSL_LOCAL int IsTLS(const WOLFSSL* ssl); +WOLFSSL_LOCAL int IsTLS_ex(const ProtocolVersion pv); WOLFSSL_LOCAL int IsAtLeastTLSv1_2(const WOLFSSL* ssl); WOLFSSL_LOCAL int IsAtLeastTLSv1_3(ProtocolVersion pv); WOLFSSL_LOCAL int IsEncryptionOn(const WOLFSSL* ssl, int isSend); diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index e7c8832f06..b571ec810b 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -1181,6 +1181,21 @@ WOLFSSL_API int wolfSSL_peek(WOLFSSL* ssl, void* data, int sz); WOLFSSL_ABI WOLFSSL_API int wolfSSL_accept(WOLFSSL* ssl); WOLFSSL_API int wolfSSL_CTX_mutual_auth(WOLFSSL_CTX* ctx, int req); WOLFSSL_API int wolfSSL_mutual_auth(WOLFSSL* ssl, int req); + +WOLFSSL_API int wolfSSL_CTX_set_groups(WOLFSSL_CTX* ctx, int* groups, + int count); +WOLFSSL_API int wolfSSL_set_groups(WOLFSSL* ssl, int* groups, int count); +#if defined(OPENSSL_EXTRA) && defined(HAVE_SUPPORTED_CURVES) +WOLFSSL_API int wolfSSL_CTX_set1_groups(WOLFSSL_CTX* ctx, int* groups, + int count); +WOLFSSL_API int wolfSSL_set1_groups(WOLFSSL* ssl, int* groups, int count); + +#ifdef HAVE_ECC +WOLFSSL_API int wolfSSL_CTX_set1_groups_list(WOLFSSL_CTX *ctx, const char *list); +WOLFSSL_API int wolfSSL_set1_groups_list(WOLFSSL *ssl, const char *list); +#endif +#endif + #ifdef WOLFSSL_TLS13 WOLFSSL_API int wolfSSL_send_hrr_cookie(WOLFSSL* ssl, const unsigned char* secret, unsigned int secretSz); @@ -1198,20 +1213,6 @@ WOLFSSL_API int wolfSSL_allow_post_handshake_auth(WOLFSSL* ssl); WOLFSSL_API int wolfSSL_request_certificate(WOLFSSL* ssl); WOLFSSL_API int wolfSSL_preferred_group(WOLFSSL* ssl); -WOLFSSL_API int wolfSSL_CTX_set_groups(WOLFSSL_CTX* ctx, int* groups, - int count); -WOLFSSL_API int wolfSSL_set_groups(WOLFSSL* ssl, int* groups, int count); - -#if defined(OPENSSL_EXTRA) && defined(HAVE_SUPPORTED_CURVES) -WOLFSSL_API int wolfSSL_CTX_set1_groups(WOLFSSL_CTX* ctx, int* groups, - int count); -WOLFSSL_API int wolfSSL_set1_groups(WOLFSSL* ssl, int* groups, int count); - -#ifdef HAVE_ECC -WOLFSSL_API int wolfSSL_CTX_set1_groups_list(WOLFSSL_CTX *ctx, const char *list); -WOLFSSL_API int wolfSSL_set1_groups_list(WOLFSSL *ssl, const char *list); -#endif -#endif WOLFSSL_API int wolfSSL_connect_TLSv13(WOLFSSL* ssl); WOLFSSL_API int wolfSSL_accept_TLSv13(WOLFSSL* ssl); From a987e766777f008afb98919e564d9aa2f2e19ed4 Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Mon, 22 Apr 2024 16:33:36 +0200 Subject: [PATCH 06/10] Use uml for hostap tests Remove tests that fail with openssl --- .../tests | 51 --- .../configs/hostap_2_10/extra.patch | 47 +++ .../hostap-files/configs/hostap_2_10/tests | 14 - .github/workflows/hostap-vm.yml | 303 ++++++++++++++++++ src/tls.c | 12 + tests/api.c | 14 +- 6 files changed, 370 insertions(+), 71 deletions(-) create mode 100644 .github/workflows/hostap-files/configs/hostap_2_10/extra.patch create mode 100644 .github/workflows/hostap-vm.yml diff --git a/.github/workflows/hostap-files/configs/b607d2723e927a3446d89aed813f1aa6068186bb/tests b/.github/workflows/hostap-files/configs/b607d2723e927a3446d89aed813f1aa6068186bb/tests index 87fc3320fc..ff99618815 100644 --- a/.github/workflows/hostap-files/configs/b607d2723e927a3446d89aed813f1aa6068186bb/tests +++ b/.github/workflows/hostap-files/configs/b607d2723e927a3446d89aed813f1aa6068186bb/tests @@ -191,13 +191,7 @@ ap_wpa2_psk_supp_proto_no_gtk_in_group_msg ap_wpa2_psk_supp_proto_too_long_gtk_in_group_msg ap_wpa2_psk_supp_proto_too_long_gtk_kde ap_wpa2_psk_supp_proto_gtk_not_encrypted -ap_wpa2_psk_supp_proto_no_igtk -ap_wpa2_psk_supp_proto_igtk_ok -ap_wpa2_psk_supp_proto_igtk_keyid_swap -ap_wpa2_psk_supp_proto_igtk_keyid_too_large -ap_wpa2_psk_supp_proto_igtk_keyid_unexpected ap_wpa2_psk_wep -ap_wpa2_psk_ifdown ap_wpa2_psk_drop_first_msg_4 ap_wpa2_psk_disable_enable ap_wpa2_psk_incorrect_passphrase @@ -210,10 +204,7 @@ ap_wpa2_disable_eapol_retry ap_wpa2_disable_eapol_retry_group ap_wpa2_psk_mic_0 ap_wpa2_psk_local_error -ap_wpa2_psk_inject_assoc -ap_wpa2_psk_no_control_port ap_wpa2_psk_ap_control_port -ap_wpa2_psk_ap_control_port_disabled ap_wpa2_psk_rsne_mismatch_ap ap_wpa2_psk_rsne_mismatch_ap2 ap_wpa2_psk_rsne_mismatch_ap3 @@ -253,10 +244,8 @@ ap_wpa2_eap_aka_sql ap_wpa2_eap_aka_config ap_wpa2_eap_aka_ext ap_wpa2_eap_aka_ext_auth_fail -ap_wpa2_eap_aka_prime ap_wpa2_eap_aka_prime_imsi_identity ap_wpa2_eap_aka_prime_imsi_privacy_key -ap_wpa2_eap_aka_prime_sql ap_wpa2_eap_aka_prime_ext_auth_fail ap_wpa2_eap_aka_prime_ext ap_wpa2_eap_ttls_pap @@ -416,19 +405,6 @@ ap_wpa2_radius_server_get_id ap_wpa2_eap_tls_tod ap_wpa2_eap_tls_tod_tofu ap_wpa2_eap_sake_no_control_port -ap_wpa2_tdls -ap_wpa2_tdls_concurrent_init -ap_wpa2_tdls_concurrent_init2 -ap_wpa2_tdls_decline_resp -ap_wpa2_tdls_long_lifetime -ap_wpa2_tdls_long_frame -ap_wpa2_tdls_reneg -ap_wpa2_tdls_wrong_lifetime_resp -ap_wpa2_tdls_diff_rsnie -ap_wpa2_tdls_wrong_tpk_m2_mic -ap_wpa2_tdls_wrong_tpk_m3_mic -ap_wpa2_tdls_double_tpk_m2 -ap_wpa2_tdls_responder_teardown dpp_network_intro_version dpp_network_intro_version_change dpp_network_intro_version_missing_req @@ -459,12 +435,9 @@ dpp_qr_code_curves dpp_qr_code_curves_brainpool dpp_qr_code_unsupported_curve dpp_qr_code_keygen_fail -dpp_qr_code_curve_select dpp_qr_code_auth_broadcast -dpp_configurator_enrollee dpp_configurator_enrollee_prime256v1 dpp_configurator_enrollee_secp384r1 -dpp_configurator_enrollee_secp521r1 dpp_configurator_enrollee_brainpoolP256r1 dpp_configurator_enrollee_brainpoolP384r1 dpp_configurator_enrollee_brainpoolP512r1 @@ -477,7 +450,6 @@ dpp_qr_code_curve_brainpoolP384r1 dpp_qr_code_curve_brainpoolP512r1 dpp_qr_code_set_key dpp_qr_code_auth_mutual -dpp_qr_code_auth_mutual2 dpp_qr_code_auth_mutual_p_256 dpp_qr_code_auth_mutual_p_384 dpp_qr_code_auth_mutual_p_521 @@ -514,13 +486,11 @@ dpp_config_no_signed_connector dpp_config_unexpected_signed_connector_char dpp_config_root_not_an_object dpp_config_no_wi_fi_tech -dpp_config_unsupported_wi_fi_tech dpp_config_no_discovery dpp_config_no_discovery_ssid dpp_config_too_long_discovery_ssid dpp_config_no_cred dpp_config_no_cred_akm -dpp_config_unsupported_cred_akm dpp_config_error_legacy_no_pass dpp_config_error_legacy_too_long_pass dpp_config_error_legacy_psk_with_sae @@ -531,13 +501,10 @@ dpp_config_connector_error_ext_sign dpp_config_connector_error_too_short_timestamp dpp_config_connector_error_invalid_timestamp dpp_config_connector_error_invalid_timestamp_date -dpp_config_connector_error_invalid_time_zone -dpp_config_connector_error_invalid_time_zone_2 dpp_config_connector_error_expired_1 dpp_config_connector_error_expired_2 dpp_config_connector_error_expired_3 dpp_config_connector_error_expired_4 -dpp_config_connector_error_expired_5 dpp_config_connector_error_expired_6 dpp_config_connector_error_no_groups dpp_config_connector_error_empty_groups @@ -565,13 +532,6 @@ dpp_ap_config_p256_bp256 dpp_ap_config_bp256_p256 dpp_ap_config_p521_bp512 dpp_ap_config_reconfig_configurator -dpp_auto_connect_1 -dpp_auto_connect_2 -dpp_auto_connect_2_connect_cmd -dpp_auto_connect_2_sta_ver1 -dpp_auto_connect_2_ap_ver1 -dpp_auto_connect_2_ver1 -dpp_auto_connect_2_conf_ver1 dpp_auto_connect_legacy dpp_auto_connect_legacy_ssid_charset dpp_auto_connect_legacy_sae_1 @@ -580,13 +540,6 @@ dpp_auto_connect_legacy_psk_sae_1 dpp_auto_connect_legacy_psk_sae_2 dpp_auto_connect_legacy_psk_sae_3 dpp_auto_connect_legacy_pmf_required -dpp_qr_code_auth_responder_configurator -dpp_qr_code_auth_responder_configurator_group_id -dpp_qr_code_auth_enrollee_init_netrole -dpp_qr_code_hostapd_init -dpp_qr_code_hostapd_init_offchannel -dpp_qr_code_hostapd_init_offchannel_neg_freq -dpp_qr_code_hostapd_ignore_mismatch dpp_test_vector_p_256 dpp_test_vector_p_256_b dpp_test_vector_p_521 @@ -603,7 +556,6 @@ dpp_pkex_no_identifier dpp_pkex_identifier_mismatch dpp_pkex_identifier_mismatch2 dpp_pkex_identifier_mismatch3 -dpp_pkex_5ghz dpp_pkex_test_vector dpp_pkex_code_mismatch dpp_pkex_code_mismatch_limit @@ -625,7 +577,6 @@ dpp_pkex_hostapd_errors dpp_pkex_nak_curve_change dpp_pkex_nak_curve_change2 dpp_hostapd_configurator -dpp_hostapd_configurator_enrollee_v1 dpp_hostapd_configurator_responder dpp_hostapd_configurator_fragmentation dpp_hostapd_enrollee_fragmentation @@ -650,7 +601,6 @@ dpp_proto_stop_at_pkex_cr_req dpp_proto_stop_at_pkex_cr_resp dpp_proto_network_introduction dpp_hostapd_auth_conf_timeout -dpp_hostapd_auth_resp_retries dpp_tcp dpp_tcp_port dpp_tcp_mutual @@ -702,6 +652,5 @@ dpp_qr_code_config_event_initiator_failure dpp_qr_code_config_event_initiator_no_response dpp_qr_code_config_event_initiator_both dpp_tcp_qr_code_config_event_initiator -dpp_qr_code_config_event_responder dpp_discard_public_action diff --git a/.github/workflows/hostap-files/configs/hostap_2_10/extra.patch b/.github/workflows/hostap-files/configs/hostap_2_10/extra.patch new file mode 100644 index 0000000000..80ae312f03 --- /dev/null +++ b/.github/workflows/hostap-files/configs/hostap_2_10/extra.patch @@ -0,0 +1,47 @@ +From a53a6a67dc121b45d611318e2a37815cc209839c Mon Sep 17 00:00:00 2001 +From: Juliusz Sosinowicz +Date: Fri, 19 Apr 2024 16:41:38 +0200 +Subject: [PATCH] Fixes for running tests under UML + +- Apply commit ID fix from more recent commit +- priv_sz and pub_sz are checked and fail on UML. Probably because stack is zeroed out. +--- + src/crypto/crypto_wolfssl.c | 2 +- + tests/hwsim/run-all.sh | 8 +++++++- + 2 files changed, 8 insertions(+), 2 deletions(-) + +diff --git a/src/crypto/crypto_wolfssl.c b/src/crypto/crypto_wolfssl.c +index 00ecf61352..a57fa50697 100644 +--- a/src/crypto/crypto_wolfssl.c ++++ b/src/crypto/crypto_wolfssl.c +@@ -785,7 +785,7 @@ int crypto_dh_init(u8 generator, const u8 *prime, size_t prime_len, u8 *privkey, + int ret = -1; + WC_RNG rng; + DhKey *dh = NULL; +- word32 priv_sz, pub_sz; ++ word32 priv_sz = prime_len, pub_sz = prime_len; + + if (TEST_FAIL()) + return -1; +diff --git a/tests/hwsim/run-all.sh b/tests/hwsim/run-all.sh +index ee48cd0581..75c3a58b52 100755 +--- a/tests/hwsim/run-all.sh ++++ b/tests/hwsim/run-all.sh +@@ -15,7 +15,13 @@ export LOGDIR + if [ -z "$DBFILE" ]; then + DB="" + else +- DB="-S $DBFILE --commit $(git rev-parse HEAD)" ++ DB="-S $DBFILE" ++ if [ -z "$COMMITID" ]; then ++ COMMITID="$(git rev-parse HEAD)" ++ fi ++ if [ -n "$COMMITID" ]; then ++ DB="$DB --commit $COMMITID" ++ fi + if [ -n "$BUILD" ]; then + DB="$DB -b $BUILD" + fi +-- +2.34.1 + diff --git a/.github/workflows/hostap-files/configs/hostap_2_10/tests b/.github/workflows/hostap-files/configs/hostap_2_10/tests index 732a054414..5679cbda93 100644 --- a/.github/workflows/hostap-files/configs/hostap_2_10/tests +++ b/.github/workflows/hostap-files/configs/hostap_2_10/tests @@ -163,7 +163,6 @@ ap_wpa2_disable_eapol_retry_group ap_wpa2_psk_mic_0 ap_wpa2_psk_local_error ap_wpa2_psk_inject_assoc -ap_wpa2_psk_no_control_port ap_wpa2_psk_ap_control_port ap_wpa2_psk_ap_control_port_disabled ap_wpa2_psk_rsne_mismatch_ap @@ -269,16 +268,3 @@ ap_wpa2_eap_psk_mac_addr_change ap_wpa2_eap_server_get_id ap_wpa2_radius_server_get_id ap_wpa2_eap_sake_no_control_port -ap_wpa2_tdls -ap_wpa2_tdls_concurrent_init -ap_wpa2_tdls_concurrent_init2 -ap_wpa2_tdls_decline_resp -ap_wpa2_tdls_long_lifetime -ap_wpa2_tdls_long_frame -ap_wpa2_tdls_reneg -ap_wpa2_tdls_wrong_lifetime_resp -ap_wpa2_tdls_diff_rsnie -ap_wpa2_tdls_wrong_tpk_m2_mic -ap_wpa2_tdls_wrong_tpk_m3_mic -ap_wpa2_tdls_double_tpk_m2 -ap_wpa2_tdls_responder_teardown diff --git a/.github/workflows/hostap-vm.yml b/.github/workflows/hostap-vm.yml new file mode 100644 index 0000000000..fa8e6886ee --- /dev/null +++ b/.github/workflows/hostap-vm.yml @@ -0,0 +1,303 @@ +name: hostap and wpa-supplicant Tests + +on: + workflow_call: + +env: + LINUX_REF: v6.6 + +jobs: + build_wolfssl: + strategy: + matrix: + include: + - build_id: hostap-vm-build1 + wolf_extra_config: --disable-tls13 + - build_id: hostap-vm-build2 + wolf_extra_config: >- + --enable-wpas-dpp --enable-brainpool --with-eccminsz=192 + --enable-tlsv10 --enable-oldtls + # - build_id: hostap-vm-build3 + # wolf_extra_config: >- + # --enable-wpas-dpp --enable-brainpool --with-eccminsz=192 + # --enable-tlsv10 --enable-oldtls + name: Build wolfSSL + runs-on: ubuntu-latest + # This should be a safe limit for the tests to run. + timeout-minutes: 10 + steps: + # No way to view the full strategy in the browser (really weird) + - name: Print strategy + run: | + cat <> $GITHUB_ENV + + - name: Build wolfSSL + uses: wolfSSL/actions-build-autotools-project@v1 + with: + path: wolfssl + configure: >- + --enable-wpas CPPFLAGS=-DWOLFSSL_STATIC_RSA + ${{ env.wolf_debug_flags }} ${{ matrix.wolf_extra_config }} + install: true + + - name: Upload built lib + uses: actions/upload-artifact@v4 + with: + name: ${{ matrix.build_id }} + path: build-dir + retention-days: 5 + + build_uml_linux: + name: Build UML (UserMode Linux) + runs-on: ubuntu-latest + # This should be a safe limit for the tests to run. + timeout-minutes: 10 + steps: + - name: Checking if we have kernel in cache + uses: actions/cache@v4 + id: cache + with: + path: linux/linux + key: ${{ env.LINUX_REF }} + lookup-only: true + + - name: Checkout hostap + if: steps.cache.outputs.cache-hit != 'true' + uses: actions/checkout@v4 + with: + repository: julek-wolfssl/hostap-mirror + path: hostap + + - name: Checkout linux + if: steps.cache.outputs.cache-hit != 'true' + uses: actions/checkout@v4 + with: + repository: torvalds/linux + path: linux + + - name: Compile linux + if: steps.cache.outputs.cache-hit != 'true' + run: | + cp hostap/tests/hwsim/vm/kernel-config.uml linux/.config + cd linux + yes "" | ARCH=um make -j $(nproc) + + hostap_test: + strategy: + fail-fast: false + matrix: + # should hostapd be compiled with wolfssl + hostapd: [true, false] + # should wpa_supplicant be compiled with wolfssl + wpa_supplicant: [true, false] + # Fix the versions of hostap and osp to not break testing when a new + # patch is added in to osp. Tests are read from the corresponding + # configs/hostap_ref/tests file. + config: [ + { + hostap_ref: hostap_2_10, + remove_teap: true, + # TLS 1.3 does not work for this version + build_id: hostap-vm-build1, + }, + # Test the dpp patch + { + hostap_ref: b607d2723e927a3446d89aed813f1aa6068186bb, + osp_ref: ad5b52a49b3cc2a5bfb47ccc1d6a5137132e9446, + build_id: hostap-vm-build2 + }, + ] + exclude: + # don't test openssl on both sides + - hostapd: false + wpa_supplicant: false + # no hostapd support for dpp yet + - hostapd: true + config: { + hostap_ref: b607d2723e927a3446d89aed813f1aa6068186bb, + osp_ref: ad5b52a49b3cc2a5bfb47ccc1d6a5137132e9446, + build_id: hostap-vm-build2 + } + name: hwsim test + # For openssl 1.1 + runs-on: ubuntu-latest + # This should be a safe limit for the tests to run. + timeout-minutes: 12 + needs: [build_wolfssl, build_uml_linux] + steps: + - name: Checking if we have kernel in cache + uses: actions/cache/restore@v4 + id: cache + with: + path: linux/linux + key: ${{ env.LINUX_REF }} + fail-on-cache-miss: true + + - name: show file structure + run: tree + + # No way to view the full strategy in the browser (really weird) + - name: Print strategy + run: | + cat <> $GITHUB_ENV + echo Our job run ID is $SHA_SUM + + - name: Checkout wolfSSL + uses: actions/checkout@v4 + with: + path: wolfssl + + - name: Download lib + uses: actions/download-artifact@v4 + with: + name: ${{ matrix.config.build_id }} + path: build-dir + + - name: Install dependencies + run: | + # Don't prompt for anything + export DEBIAN_FRONTEND=noninteractive + sudo apt-get update + # hostap dependencies + sudo apt-get install -y libpcap0.8 libpcap-dev curl libcurl4-openssl-dev \ + libnl-3-dev binutils-dev libssl-dev libiberty-dev libnl-genl-3-dev \ + libnl-route-3-dev libdbus-1-dev bridge-utils tshark + sudo pip3 install pycryptodome + + - name: Checkout hostap + uses: actions/checkout@v4 + with: + repository: julek-wolfssl/hostap-mirror + path: hostap + ref: ${{ matrix.config.hostap_ref }} + + - name: Update certs + working-directory: hostap/tests/hwsim/auth_serv + run: ./update.sh + + - if: ${{ matrix.config.osp_ref }} + name: Checkout OSP + uses: actions/checkout@v4 + with: + repository: wolfssl/osp + path: osp + ref: ${{ matrix.config.osp_ref }} + + - if: ${{ matrix.config.osp_ref }} + name: Apply patch files + working-directory: hostap + run: | + for f in $GITHUB_WORKSPACE/osp/hostap-patches/pending/* + do + patch -p1 < $f + done + + - name: Apply extra patches + working-directory: hostap + run: | + FILE=$GITHUB_WORKSPACE/wolfssl/.github/workflows/hostap-files/configs/${{ matrix.config.hostap_ref }}/extra.patch + if [ -f "$FILE" ]; then + patch -p1 < $FILE + fi + + - if: ${{ matrix.hostapd }} + name: Setup hostapd config file + run: | + cp wolfssl/.github/workflows/hostap-files/configs/${{ matrix.config.hostap_ref }}/hostapd.config \ + hostap/hostapd/.config + cat <> hostap/hostapd/.config + CFLAGS += -I$GITHUB_WORKSPACE/build-dir/include -Wl,-rpath=$GITHUB_WORKSPACE/build-dir/lib + LIBS += -L$GITHUB_WORKSPACE/build-dir/lib -Wl,-rpath=$GITHUB_WORKSPACE/build-dir/lib + EOF + + - if: ${{ matrix.wpa_supplicant }} + name: Setup wpa_supplicant config file + run: | + cp wolfssl/.github/workflows/hostap-files/configs/${{ matrix.config.hostap_ref }}/wpa_supplicant.config \ + hostap/wpa_supplicant/.config + cat <> hostap/wpa_supplicant/.config + CFLAGS += -I$GITHUB_WORKSPACE/build-dir/include -Wl,-rpath=$GITHUB_WORKSPACE/build-dir/lib + LIBS += -L$GITHUB_WORKSPACE/build-dir/lib -Wl,-rpath=$GITHUB_WORKSPACE/build-dir/lib + EOF + + - name: Build hostap and wpa_supplicant + working-directory: hostap/tests/hwsim/ + run: ./build.sh + + - if: ${{ matrix.hostapd }} + name: Confirm hostapd linking with wolfSSL + run: ldd hostap/hostapd/hostapd | grep wolfssl + + - if: ${{ matrix.wpa_supplicant }} + name: Confirm wpa_supplicant linking with wolfSSL + run: ldd hostap/wpa_supplicant/wpa_supplicant | grep wolfssl + + - if: ${{ matrix.config.remove_teap }} + name: Remove EAP-TEAP from test configuration + working-directory: hostap/tests/hwsim/auth_serv + run: | + sed -e 's/"erp-teap@example.com"\tTEAP//' -i eap_user.conf + sed -e 's/"erp-teap@example.com"\tMSCHAPV2\t"password"\t\[2\]//' -i eap_user.conf + sed -e 's/"TEAP"\t\tTEAP//' -i eap_user.conf + sed -e 's/TEAP,//' -i eap_user.conf + + - if: ${{ runner.debug }} + name: Enable hostap debug logging + run: | + echo "hostap_debug_flags=--debug" >> $GITHUB_ENV + + - name: Run tests + id: testing + working-directory: hostap/tests/hwsim/ + run: | + cat <> vm/vm-config + KERNELDIR=$GITHUB_WORKSPACE/linux + KVMARGS="-cpu host" + EOF + # Run tests in increments of 200 to not stall out the parallel-vm script + while mapfile -t -n 200 ary && ((${#ary[@]})); do + TESTS=$(printf '%s\n' "${ary[@]}" | tr '\n' ' ') + HWSIM_RES=0 # Not set when command succeeds + ./vm/parallel-vm.py ${{ env.hostap_debug_flags }} --nocurses $(nproc) $TESTS || HWSIM_RES=$? + if [ "$HWSIM_RES" -ne "0" ]; then + # Let's re-run the failing tests. We gather the failed tests from the log file. + FAILED_TESTS=$(grep 'failed tests' /tmp/hwsim-test-logs/*-parallel.log | sed 's/failed tests: //' | tr ' ' '\n' | sort | uniq | tr '\n' ' ') + printf 'failed tests: %s\n' "$FAILED_TESTS" + ./vm/parallel-vm.py ${{ env.hostap_debug_flags }} --nocurses $(nproc) $FAILED_TESTS + fi + rm -r /tmp/hwsim-test-logs + done < $GITHUB_WORKSPACE/wolfssl/.github/workflows/hostap-files/configs/${{ matrix.config.hostap_ref }}/tests + + # The logs are quite big. It hasn't been useful so far so let's not waste + # precious gh space. + #- name: zip logs + # if: ${{ failure() && steps.testing.outcome == 'failure' }} + # working-directory: hostap/tests/hwsim/ + # run: | + # rm /tmp/hwsim-test-logs/latest + # zip -9 -r logs.zip /tmp/hwsim-test-logs + # + #- name: Upload failure logs + # if: ${{ failure() && steps.testing.outcome == 'failure' }} + # uses: actions/upload-artifact@v4 + # with: + # name: hostap-logs-${{ env.our_job_run_id }} + # path: hostap/tests/hwsim/logs.zip + # retention-days: 5 diff --git a/src/tls.c b/src/tls.c index 82587f0328..d4861c025a 100644 --- a/src/tls.c +++ b/src/tls.c @@ -319,7 +319,9 @@ int wolfSSL_CTX_set_groups(WOLFSSL_CTX* ctx, int* groups, int count) if (!IsTLS_ex(ctx->method->version)) return BAD_FUNC_ARG; + #ifdef WOLFSSL_TLS13 ctx->numGroups = 0; + #endif #if !defined(NO_TLS) TLSX_Remove(&ctx->extensions, TLSX_SUPPORTED_GROUPS, ctx->heap); #endif /* !NO_TLS */ @@ -333,9 +335,13 @@ int wolfSSL_CTX_set_groups(WOLFSSL_CTX* ctx, int* groups, int count) #endif /* !NO_TLS */ return ret; } + #ifdef WOLFSSL_TLS13 ctx->group[i] = (word16)groups[i]; + #endif } + #ifdef WOLFSSL_TLS13 ctx->numGroups = (byte)count; + #endif return WOLFSSL_SUCCESS; } @@ -358,7 +364,9 @@ int wolfSSL_set_groups(WOLFSSL* ssl, int* groups, int count) if (!IsTLS_ex(ssl->version)) return BAD_FUNC_ARG; + #ifdef WOLFSSL_TLS13 ssl->numGroups = 0; + #endif #if !defined(NO_TLS) TLSX_Remove(&ssl->extensions, TLSX_SUPPORTED_GROUPS, ssl->heap); #endif /* !NO_TLS */ @@ -372,9 +380,13 @@ int wolfSSL_set_groups(WOLFSSL* ssl, int* groups, int count) #endif /* !NO_TLS */ return ret; } + #ifdef WOLFSSL_TLS13 ssl->group[i] = (word16)groups[i]; + #endif } + #ifdef WOLFSSL_TLS13 ssl->numGroups = (byte)count; + #endif return WOLFSSL_SUCCESS; } diff --git a/tests/api.c b/tests/api.c index 0e5ecc2ebd..70c732d2ca 100644 --- a/tests/api.c +++ b/tests/api.c @@ -40475,7 +40475,8 @@ static int test_wolfSSL_set1_curves_list(void) return EXPECT_RESULT(); } -#if defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) +#if defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) && \ + (defined(OPENSSL_EXTRA) || defined(HAVE_CURL)) && defined(HAVE_ECC) static int test_wolfSSL_curves_mismatch_ctx_ready(WOLFSSL_CTX* ctx) { static int counter = 0; @@ -40505,7 +40506,8 @@ static int test_wolfSSL_curves_mismatch_ctx_ready(WOLFSSL_CTX* ctx) static int test_wolfSSL_curves_mismatch(void) { EXPECT_DECLS; -#if defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) +#if defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) && \ + (defined(OPENSSL_EXTRA) || defined(HAVE_CURL)) && defined(HAVE_ECC) test_ssl_cbf func_cb_client; test_ssl_cbf func_cb_server; size_t i; @@ -55515,7 +55517,7 @@ static int test_tls13_apis(void) #ifndef NO_WOLFSSL_CLIENT #ifndef WOLFSSL_NO_TLS12 ExpectIntEQ(wolfSSL_CTX_set_groups(clientTls12Ctx, groups, numGroups), - BAD_FUNC_ARG); + WOLFSSL_SUCCESS); #endif ExpectIntEQ(wolfSSL_CTX_set_groups(clientCtx, groups, WOLFSSL_MAX_GROUP_COUNT + 1), BAD_FUNC_ARG); @@ -55539,7 +55541,7 @@ static int test_tls13_apis(void) #ifndef NO_WOLFSSL_CLIENT #ifndef WOLFSSL_NO_TLS12 ExpectIntEQ(wolfSSL_set_groups(clientTls12Ssl, groups, numGroups), - BAD_FUNC_ARG); + WOLFSSL_SUCCESS); #endif ExpectIntEQ(wolfSSL_set_groups(clientSsl, groups, WOLFSSL_MAX_GROUP_COUNT + 1), BAD_FUNC_ARG); @@ -55566,7 +55568,7 @@ static int test_tls13_apis(void) #ifndef NO_WOLFSSL_CLIENT #ifndef WOLFSSL_NO_TLS12 ExpectIntEQ(wolfSSL_CTX_set1_groups_list(clientTls12Ctx, groupList), - WOLFSSL_FAILURE); + WOLFSSL_SUCCESS); #endif ExpectIntEQ(wolfSSL_CTX_set1_groups_list(clientCtx, groupList), WOLFSSL_SUCCESS); @@ -55584,7 +55586,7 @@ static int test_tls13_apis(void) #ifndef NO_WOLFSSL_CLIENT #ifndef WOLFSSL_NO_TLS12 ExpectIntEQ(wolfSSL_set1_groups_list(clientTls12Ssl, groupList), - WOLFSSL_FAILURE); + WOLFSSL_SUCCESS); #endif ExpectIntEQ(wolfSSL_set1_groups_list(clientSsl, groupList), WOLFSSL_SUCCESS); From 433f3ae0b93fc3049f45bc10539c6a1f4c931ef3 Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Tue, 23 Apr 2024 18:55:27 +0200 Subject: [PATCH 07/10] Add latest patch set to CI --- .github/workflows/{ => disabled}/hostap.yml | 0 .../hostapd.config | 122 ++ .../tests | 1677 +++++++++++++++++ .../wpa_supplicant.config | 164 ++ .github/workflows/hostap-vm.yml | 20 +- 5 files changed, 1978 insertions(+), 5 deletions(-) rename .github/workflows/{ => disabled}/hostap.yml (100%) create mode 100644 .github/workflows/hostap-files/configs/07c9f183ea744ac04585fb6dd10220c75a5e2e74/hostapd.config create mode 100644 .github/workflows/hostap-files/configs/07c9f183ea744ac04585fb6dd10220c75a5e2e74/tests create mode 100644 .github/workflows/hostap-files/configs/07c9f183ea744ac04585fb6dd10220c75a5e2e74/wpa_supplicant.config diff --git a/.github/workflows/hostap.yml b/.github/workflows/disabled/hostap.yml similarity index 100% rename from .github/workflows/hostap.yml rename to .github/workflows/disabled/hostap.yml diff --git a/.github/workflows/hostap-files/configs/07c9f183ea744ac04585fb6dd10220c75a5e2e74/hostapd.config b/.github/workflows/hostap-files/configs/07c9f183ea744ac04585fb6dd10220c75a5e2e74/hostapd.config new file mode 100644 index 0000000000..b76663c8b3 --- /dev/null +++ b/.github/workflows/hostap-files/configs/07c9f183ea744ac04585fb6dd10220c75a5e2e74/hostapd.config @@ -0,0 +1,122 @@ +#CC=ccache gcc + +CONFIG_DRIVER_NONE=y +CONFIG_DRIVER_NL80211=y +CONFIG_RSN_PREAUTH=y + +#CONFIG_TLS=internal +#CONFIG_INTERNAL_LIBTOMMATH=y +#CONFIG_INTERNAL_LIBTOMMATH_FAST=y +#CONFIG_TLS=openssl +CONFIG_TLS=wolfssl + +CONFIG_EAP=y +CONFIG_ERP=y +CONFIG_EAP_MD5=y +CONFIG_EAP_TLS=y +CONFIG_EAP_MSCHAPV2=y +CONFIG_EAP_PEAP=y +CONFIG_EAP_GTC=y +CONFIG_EAP_TTLS=y +CONFIG_EAP_SIM=y +CONFIG_EAP_AKA=y +CONFIG_EAP_AKA_PRIME=y +CONFIG_EAP_GPSK=y +CONFIG_EAP_GPSK_SHA256=y +CONFIG_EAP_SAKE=y +CONFIG_EAP_PAX=y +CONFIG_EAP_PSK=y +CONFIG_EAP_VENDOR_TEST=y +CONFIG_EAP_FAST=y +CONFIG_EAP_TEAP=y +CONFIG_EAP_IKEV2=y +CONFIG_EAP_TNC=y +CFLAGS += -DTNC_CONFIG_FILE=\"tnc/tnc_config\" +LIBS += -rdynamic +CONFIG_EAP_UNAUTH_TLS=y +ifeq ($(CONFIG_TLS), openssl) +CONFIG_EAP_PWD=y +endif +ifeq ($(CONFIG_TLS), wolfssl) +CONFIG_EAP_PWD=y +endif +CONFIG_EAP_EKE=y +CONFIG_PKCS12=y +CONFIG_RADIUS_SERVER=y +CONFIG_IPV6=y +CONFIG_TLSV11=y +CONFIG_TLSV12=y + +CONFIG_FULL_DYNAMIC_VLAN=y +CONFIG_VLAN_NETLINK=y +CONFIG_LIBNL32=y +CONFIG_LIBNL3_ROUTE=y +CONFIG_IEEE80211R=y +CONFIG_IEEE80211AC=y +CONFIG_IEEE80211AX=y + +CONFIG_OCV=y + +CONFIG_WPS=y +CONFIG_WPS_UPNP=y +CONFIG_WPS_NFC=y +#CONFIG_WPS_STRICT=y +CONFIG_WPA_TRACE=y +CONFIG_WPA_TRACE_BFD=y + +CONFIG_P2P_MANAGER=y +CONFIG_DEBUG_FILE=y +CONFIG_DEBUG_LINUX_TRACING=y +CONFIG_WPA_CLI_EDIT=y +CONFIG_ACS=y +CONFIG_NO_RANDOM_POOL=y +CONFIG_WNM=y +CONFIG_INTERWORKING=y +CONFIG_HS20=y +CONFIG_SQLITE=y +CONFIG_SAE=y +CONFIG_SAE_PK=y +CFLAGS += -DALL_DH_GROUPS + +CONFIG_FST=y +CONFIG_FST_TEST=y + +CONFIG_TESTING_OPTIONS=y +CFLAGS += -DCONFIG_RADIUS_TEST +CONFIG_MODULE_TESTS=y + +CONFIG_SUITEB=y +CONFIG_SUITEB192=y + +# AddressSanitizer (ASan) can be enabled by uncommenting the following lines. +# This can be used as a more efficient memory error detector than valgrind +# (though, with still some CPU and memory cost, so VM cases will need more +# memory allocated for the guest). +#CFLAGS += -fsanitize=address -O1 -fno-omit-frame-pointer -g +#LIBS += -fsanitize=address -fno-omit-frame-pointer -g +#LIBS_h += -fsanitize=address -fno-omit-frame-pointer -g +#LIBS_n += -fsanitize=address -fno-omit-frame-pointer -g +#LIBS_c += -fsanitize=address -fno-omit-frame-pointer -g + +# Undefined Behavior Sanitizer (UBSan) can be enabled by uncommenting the +# following lines. +#CFLAGS += -Wno-format-nonliteral +#CFLAGS += -fsanitize=undefined +##CFLAGS += -fno-sanitize-recover +#LIBS += -fsanitize=undefined +##LIBS += -fno-sanitize-recover +#LIBS_h += -fsanitize=undefined +#LIBS_n += -fsanitize=undefined +#LIBS_c += -fsanitize=undefined +CONFIG_MBO=y + +CONFIG_TAXONOMY=y +CONFIG_FILS=y +CONFIG_FILS_SK_PFS=y +CONFIG_OWE=y +CONFIG_DPP=y +CONFIG_DPP2=y +CONFIG_WEP=y +CONFIG_PASN=y +CONFIG_AIRTIME_POLICY=y +CONFIG_IEEE80211BE=y diff --git a/.github/workflows/hostap-files/configs/07c9f183ea744ac04585fb6dd10220c75a5e2e74/tests b/.github/workflows/hostap-files/configs/07c9f183ea744ac04585fb6dd10220c75a5e2e74/tests new file mode 100644 index 0000000000..5ebaee3ba5 --- /dev/null +++ b/.github/workflows/hostap-files/configs/07c9f183ea744ac04585fb6dd10220c75a5e2e74/tests @@ -0,0 +1,1677 @@ +ap_cipher_bip +ap_cipher_bip_cmac_256 +ap_cipher_bip_cmac_256_req +ap_cipher_bip_gmac_128 +ap_cipher_bip_gmac_128_req +ap_cipher_bip_gmac_256 +ap_cipher_bip_gmac_256_req +ap_cipher_bip_req +ap_cipher_bip_req_mismatch +ap_cipher_gcmp +ap_cipher_gcmp_256_group_ccmp +ap_cipher_gcmp_256_group_ccmp_256 +ap_cipher_gcmp_256_group_gcmp_256 +ap_cipher_gcmp_ccmp +ap_cipher_mixed_wpa_wpa2 +ap_cipher_replay_protection_ap_ccmp +ap_cipher_replay_protection_ap_gcmp +ap_cipher_replay_protection_ap_tkip +ap_cipher_replay_protection_sta_bigtk +ap_cipher_replay_protection_sta_ccmp +ap_cipher_replay_protection_sta_gtk_ccmp +ap_cipher_replay_protection_sta_gtk_gcmp +ap_cipher_replay_protection_sta_gtk_tkip +ap_cipher_replay_protection_sta_tkip +ap_cipher_tkip +ap_cipher_tkip_countermeasures_ap +ap_cipher_tkip_countermeasures_ap_mixed_mode +ap_cipher_tkip_countermeasures_sta +ap_cipher_wpa_sae +ap_ft_eap +ap_ft_eap_ap_config_change +ap_ft_eap_cui +ap_ft_eap_dis +ap_ft_eap_dynamic_rxkhs +ap_ft_eap_over_ds +ap_ft_eap_ptk_rekey_ap +ap_ft_eap_sha384 +ap_ft_eap_sha384_over_ds +ap_ft_eap_sha384_reassoc +ap_ft_eap_vlan_multi +ap_ft_extra_ie +ap_ft_gcmp_256 +ap_ft_gtk_rekey +ap_ft_internal_rrb_check +ap_ft_invalid_resp +ap_ft_local_key_gen +ap_ft_many +ap_ft_many_vlan +ap_ft_mismatching_r0kh_id_pull +ap_ft_mismatching_r0kh_id_pull_eap +ap_ft_mismatching_rrb_key_pull +ap_ft_mismatching_rrb_key_pull_eap +ap_ft_mismatching_rrb_key_push +ap_ft_mismatching_rrb_r0kh_pull_eap +ap_ft_mismatching_rrb_r0kh_push_eap +ap_ft_mixed +ap_ft_no_full_ap_client_state +ap_ft_ocv +ap_ft_ocv_change +ap_ft_old_key +ap_ft_oom +ap_ft_oom2 +ap_ft_oom3 +ap_ft_oom4 +ap_ft_over_ds +ap_ft_over_ds_disabled +ap_ft_over_ds_many +ap_ft_over_ds_ocv +ap_ft_over_ds_proto +ap_ft_over_ds_proto_ap +ap_ft_over_ds_pull_old_key +ap_ft_over_ds_separate_hostapd +ap_ft_over_ds_unexpected +ap_ft_over_ds_unknown_target +ap_ft_pmf +ap_ft_pmf_bip_cmac_128 +ap_ft_pmf_bip_cmac_128_over_ds +ap_ft_pmf_bip_cmac_256 +ap_ft_pmf_bip_cmac_256_over_ds +ap_ft_pmf_bip_gmac_128_over_ds +ap_ft_pmf_bip_gmac_256 +ap_ft_pmf_bip_gmac_256_over_ds +ap_ft_pmf_bip_over_ds +ap_ft_pmf_required +ap_ft_pmf_required_mismatch +ap_ft_pmf_required_mismatch_over_ds +ap_ft_pmf_required_over_ds +ap_ft_pmksa_caching +ap_ft_pmksa_caching_sha384 +ap_ft_psk_file +ap_ft_ptk_rekey2 +ap_ft_ptk_rekey_ap +ap_ft_ptk_rekey_ap2 +ap_ft_r0_key_expiration +ap_ft_reassoc_local_fail +ap_ft_reassoc_proto +ap_ft_sae +ap_ft_sae_ext_key_19 +ap_ft_sae_ext_key_19_over_ds +ap_ft_sae_ext_key_20_over_ds +ap_ft_sae_ext_key_21 +ap_ft_sae_ext_key_21_over_ds +ap_ft_sae_h2e +ap_ft_sae_h2e_and_loop +ap_ft_sae_h2e_rsne_mismatch +ap_ft_sae_h2e_rsne_mismatch_pmkr1name +ap_ft_sae_h2e_rsne_override +ap_ft_sae_h2e_rsnxe_mismatch +ap_ft_sae_over_ds +ap_ft_sae_over_ds_ptk_rekey1 +ap_ft_sae_pmksa_caching +ap_ft_sae_pmksa_caching_h2e_prepend_pmkid +ap_ft_sae_pmksa_caching_pwe +ap_ft_sae_ptk_rekey_ap_ext_key_id +ap_ft_sae_rsnxe_used_mismatch +ap_ft_sae_rsnxe_used_mismatch2 +ap_ft_sae_skip_prune_assoc +ap_ft_sae_transition +ap_missing_psk +ap_mixed_security +ap_no_auth_ack +ap_no_probe_resp +ap_roam_wpa2_psk_pmf_mismatch +ap_roam_wpa2_psk_race +ap_sae_tdls +ap_vlan_file_open2 +ap_vlan_file_parsing +ap_vlan_iface_cleanup_multibss_per_sta_vif +ap_vlan_open +ap_vlan_sae +ap_vlan_tagged +ap_vlan_tagged_wpa2_radius_id_change +ap_vlan_wpa2_psk_radius_required +ap_vlan_wpa2_radius +ap_vlan_wpa2_radius_id_change +ap_vlan_wpa2_radius_mixed +ap_vlan_wpa2_radius_required +ap_wpa2_delayed_group_m1_retransmission +ap_wpa2_disable_eapol_retry +ap_wpa2_disable_eapol_retry_group +ap_wpa2_eap_aka_config +ap_wpa2_eap_aka_ext +ap_wpa2_eap_aka_ext_auth_fail +ap_wpa2_eap_aka_id_0 +ap_wpa2_eap_aka_id_1 +ap_wpa2_eap_aka_id_2 +ap_wpa2_eap_aka_id_3 +ap_wpa2_eap_aka_id_4 +ap_wpa2_eap_aka_id_5 +ap_wpa2_eap_aka_id_6 +ap_wpa2_eap_aka_id_7 +ap_wpa2_eap_aka_imsi_identity +ap_wpa2_eap_aka_imsi_identity_fallback +ap_wpa2_eap_aka_imsi_privacy_attr +ap_wpa2_eap_aka_imsi_privacy_key +ap_wpa2_eap_aka_imsi_privacy_key_expired +ap_wpa2_eap_aka_prime +ap_wpa2_eap_aka_prime_ext +ap_wpa2_eap_aka_prime_ext_auth_fail +ap_wpa2_eap_aka_prime_imsi_identity +ap_wpa2_eap_aka_prime_imsi_privacy_key +ap_wpa2_eap_aka_prime_sql +ap_wpa2_eap_aka_sql +ap_wpa2_eap_aka_sql_fallback_to_pseudonym +ap_wpa2_eap_aka_sql_fallback_to_pseudonym_id +ap_wpa2_eap_assoc_rsn +ap_wpa2_eap_eke +ap_wpa2_eap_eke_serverid_nai +ap_wpa2_eap_eke_server_oom +ap_wpa2_eap_expanded_nak +ap_wpa2_eap_fast_binary_pac +ap_wpa2_eap_fast_binary_pac_errors +ap_wpa2_eap_fast_cipher_suites +ap_wpa2_eap_fast_eap_aka +ap_wpa2_eap_fast_eap_sim +ap_wpa2_eap_fast_gtc_auth_prov +ap_wpa2_eap_fast_missing_pac_config +ap_wpa2_eap_fast_mschapv2_unauth_prov +ap_wpa2_eap_fast_pac_file +ap_wpa2_eap_fast_pac_lifetime +ap_wpa2_eap_fast_pac_refresh +ap_wpa2_eap_fast_pac_truncate +ap_wpa2_eap_fast_prf_oom +ap_wpa2_eap_fast_prov +ap_wpa2_eap_fast_text_pac_errors +ap_wpa2_eap_gpsk +ap_wpa2_eap_gpsk_ptk_rekey_ap +ap_wpa2_eap_ikev2 +ap_wpa2_eap_ikev2_as_frag +ap_wpa2_eap_ikev2_oom +ap_wpa2_eap_non_ascii_identity +ap_wpa2_eap_non_ascii_identity2 +ap_wpa2_eapol_retry_limit +ap_wpa2_eap_pax +ap_wpa2_eap_peap_eap_mschapv2_incorrect_password +ap_wpa2_eap_psk +ap_wpa2_eap_psk_mac_addr_change +ap_wpa2_eap_psk_oom +ap_wpa2_eap_pwd +ap_wpa2_eap_pwd_as_frag +ap_wpa2_eap_pwd_disabled_group +ap_wpa2_eap_pwd_groups +ap_wpa2_eap_pwd_invalid_group +ap_wpa2_eap_pwd_nthash +ap_wpa2_eap_pwd_salt_sha1 +ap_wpa2_eap_pwd_salt_sha256 +ap_wpa2_eap_pwd_salt_sha512 +ap_wpa2_eap_reauth +ap_wpa2_eap_reauth_ptk_rekey_blocked_ap +ap_wpa2_eap_reauth_ptk_rekey_blocked_sta +ap_wpa2_eap_request_identity_message +ap_wpa2_eap_sake +ap_wpa2_eap_sake_no_control_port +ap_wpa2_eap_sha384_psk +ap_wpa2_eap_sim +ap_wpa2_eap_sim_aka_result_ind +ap_wpa2_eap_sim_change_bssid +ap_wpa2_eap_sim_config +ap_wpa2_eap_sim_db +ap_wpa2_eap_sim_db_sqlite +ap_wpa2_eap_sim_ext +ap_wpa2_eap_sim_ext_anonymous +ap_wpa2_eap_sim_ext_anonymous_no_pseudonym +ap_wpa2_eap_sim_ext_auth_fail +ap_wpa2_eap_sim_ext_replace_sim +ap_wpa2_eap_sim_ext_replace_sim2 +ap_wpa2_eap_sim_ext_replace_sim3 +ap_wpa2_eap_sim_id_0 +ap_wpa2_eap_sim_id_1 +ap_wpa2_eap_sim_id_2 +ap_wpa2_eap_sim_id_3 +ap_wpa2_eap_sim_id_4 +ap_wpa2_eap_sim_id_5 +ap_wpa2_eap_sim_id_6 +ap_wpa2_eap_sim_id_7 +ap_wpa2_eap_sim_imsi_identity +ap_wpa2_eap_sim_imsi_privacy_attr +ap_wpa2_eap_sim_imsi_privacy_key +ap_wpa2_eap_sim_no_change_set +ap_wpa2_eap_sim_oom +ap_wpa2_eap_sim_sql +ap_wpa2_eap_sim_sql_fallback_to_pseudonym +ap_wpa2_eap_sim_zero_db_timeout +ap_wpa2_eap_tls_13_ec +ap_wpa2_eap_tls_13_missing_prot_success +ap_wpa2_eap_tls_blob_missing +ap_wpa2_eap_tls_check_cert_subject_neg +ap_wpa2_eap_tls_diff_ca_trust2 +ap_wpa2_eap_tls_domain_mismatch_cn +ap_wpa2_eap_tls_domain_suffix_mismatch_cn +ap_wpa2_eap_tls_intermediate_ca_ocsp_multi_missing_resp +ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked_sha1 +ap_wpa2_eap_tls_intermediate_ca_ocsp_sha1 +ap_wpa2_eap_tls_neg_incorrect_trust_root +ap_wpa2_eap_tls_ocsp_multi +ap_wpa2_eap_tls_ocsp_multi_revoked +ap_wpa2_eap_tls_oom +ap_wpa2_eap_tls_versions +ap_wpa2_eap_tls_versions_server +ap_wpa2_eap_too_many_roundtrips_server +ap_wpa2_eap_too_many_roundtrips_server2 +ap_wpa2_eap_ttls_chap_incorrect_password +ap_wpa2_eap_ttls_dh_params_invalid +ap_wpa2_eap_ttls_dh_params_not_found +ap_wpa2_eap_ttls_eap_gtc_incorrect_password +ap_wpa2_eap_ttls_eap_gtc_no_password +ap_wpa2_eap_ttls_eap_md5_incorrect_password +ap_wpa2_eap_ttls_eap_md5_no_password +ap_wpa2_eap_ttls_eap_mschapv2_no_password +ap_wpa2_eap_ttls_expired_cert +ap_wpa2_eap_ttls_ignore_expired_cert +ap_wpa2_eap_ttls_invalid_phase2 +ap_wpa2_eap_ttls_long_duration +ap_wpa2_eap_ttls_mschap_incorrect_password +ap_wpa2_eap_ttls_mschapv2_incorrect_password +ap_wpa2_eap_ttls_ocsp_revoked +ap_wpa2_eap_ttls_ocsp_unknown +ap_wpa2_eap_ttls_pap_check_cert_subject_neg +ap_wpa2_eap_ttls_pap_incorrect_password +ap_wpa2_eap_ttls_server_cert_eku_client +ap_wpa2_eap_ttls_server_cert_hash +ap_wpa2_eap_ttls_server_cert_hash_invalid +ap_wpa2_eap_vendor_test +ap_wpa2_eap_vendor_test_oom +ap_wpa2_eap_wildcard_ssid +ap_wpa2_ext_add_to_bridge +ap_wpa2_gmk_rekey +ap_wpa2_gtk_initial_rsc_ccmp_256 +ap_wpa2_gtk_initial_rsc_tkip +ap_wpa2_gtk_rekey +ap_wpa2_gtk_rekey_fail_1_sta +ap_wpa2_gtk_rekey_failure +ap_wpa2_gtk_rekey_request +ap_wpa2_igtk_initial_rsc_aes_128_cmac +ap_wpa2_igtk_initial_rsc_bip_cmac_256 +ap_wpa2_igtk_initial_rsc_bip_gmac_128 +ap_wpa2_igtk_initial_rsc_bip_gmac_256 +ap_wpa2_plaintext_group_m1 +ap_wpa2_plaintext_group_m1_pmf +ap_wpa2_plaintext_m1_m3 +ap_wpa2_plaintext_m1_m3_pmf +ap_wpa2_plaintext_m3 +ap_wpa2_psk +ap_wpa2_psk_4addr +ap_wpa2_psk_ap_control_port +ap_wpa2_psk_assoc_rsn +ap_wpa2_psk_assoc_rsn_pmkid +ap_wpa2_psk_disable_enable +ap_wpa2_psk_drop_first_msg_4 +ap_wpa2_psk_ext +ap_wpa2_psk_ext_delayed_ptk_rekey +ap_wpa2_psk_ext_eapol +ap_wpa2_psk_ext_eapol_key_info +ap_wpa2_psk_ext_eapol_retry1 +ap_wpa2_psk_ext_eapol_retry1b +ap_wpa2_psk_ext_eapol_retry1c +ap_wpa2_psk_ext_eapol_retry1d +ap_wpa2_psk_ext_eapol_type_diff +ap_wpa2_psk_ext_key_id_ptk_rekey_ap0 +ap_wpa2_psk_ext_key_id_ptk_rekey_ap1 +ap_wpa2_psk_ext_key_id_ptk_rekey_ap2 +ap_wpa2_psk_ext_key_id_ptk_rekey_sta0 +ap_wpa2_psk_ext_key_id_ptk_rekey_sta1 +ap_wpa2_psk_ext_key_id_ptk_rekey_sta2 +ap_wpa2_psk_ext_retry_msg_3 +ap_wpa2_psk_ext_retry_msg_3b +ap_wpa2_psk_ext_retry_msg_3c +ap_wpa2_psk_ext_retry_msg_3d +ap_wpa2_psk_ext_retry_msg_3e +ap_wpa2_psk_file +ap_wpa2_psk_file_errors +ap_wpa2_psk_file_keyid +ap_wpa2_psk_ft_workaround +ap_wpa2_psk_incorrect_passphrase +ap_wpa2_psk_local_error +ap_wpa2_psk_mem +ap_wpa2_psk_mic_0 +ap_wpa2_psk_no_random +ap_wpa2_psk_rsne_mismatch_ap +ap_wpa2_psk_rsne_mismatch_ap2 +ap_wpa2_psk_rsne_mismatch_ap3 +ap_wpa2_psk_rsnxe_mismatch_ap +ap_wpa2_psk_supp_proto +ap_wpa2_psk_supp_proto_anonce_change +ap_wpa2_psk_supp_proto_gtk_keyidx_0_and_3 +ap_wpa2_psk_supp_proto_gtk_not_encrypted +ap_wpa2_psk_supp_proto_gtk_tx_bit_workaround +ap_wpa2_psk_supp_proto_ie_mismatch +ap_wpa2_psk_supp_proto_msg_1_invalid_kde +ap_wpa2_psk_supp_proto_no_gtk +ap_wpa2_psk_supp_proto_no_gtk_in_group_msg +ap_wpa2_psk_supp_proto_no_ie +ap_wpa2_psk_supp_proto_ok +ap_wpa2_psk_supp_proto_too_long_gtk_in_group_msg +ap_wpa2_psk_supp_proto_too_long_gtk_kde +ap_wpa2_psk_supp_proto_unexpected_group_msg +ap_wpa2_psk_supp_proto_wrong_group_key_len +ap_wpa2_psk_supp_proto_wrong_pairwise_key_len +ap_wpa2_psk_unexpected +ap_wpa2_psk_wep +ap_wpa2_psk_wildcard_ssid +ap_wpa2_ptk_rekey +ap_wpa2_ptk_rekey_anonce +ap_wpa2_ptk_rekey_ap +ap_wpa2_ptk_rekey_blocked_ap +ap_wpa2_ptk_rekey_blocked_sta +ap_wpa2_sha256_ptk_rekey +ap_wpa2_sha256_ptk_rekey_ap +ap_wpa2_strict_rekey +ap_wpa2_tdls +ap_wpa2_tdls_bssid_mismatch +ap_wpa2_tdls_concurrent_init +ap_wpa2_tdls_concurrent_init2 +ap_wpa2_tdls_decline_resp +ap_wpa2_tdls_diff_rsnie +ap_wpa2_tdls_double_tpk_m2 +ap_wpa2_tdls_long_frame +ap_wpa2_tdls_long_lifetime +ap_wpa2_tdls_reneg +ap_wpa2_tdls_responder_teardown +ap_wpa2_tdls_wrong_lifetime_resp +ap_wpa2_tdls_wrong_tpk_m2_mic +ap_wpa2_tdls_wrong_tpk_m3_mic +ap_wpa2_test_command_failures +ap_wpa3_eap_transition_disable +ap_wpa_gtk_rekey +ap_wpa_ie_parsing +ap_wpa_mixed_tdls +ap_wpa_psk_ext_eapol +ap_wpa_psk_rsn_pairwise +ap_wpa_ptk_rekey +ap_wpa_ptk_rekey_ap +ap_wpa_tdls +ap_wps_adv_oom +ap_wps_and_bss_limit +ap_wps_and_non_wps +ap_wps_and_sae +ap_wps_ap_pin_failure +ap_wps_appl_ext +ap_wps_ap_scan_2 +ap_wps_assoc_req_ie_oom +ap_wps_assoc_resp_ie_oom +ap_wps_authenticator_mismatch_m2 +ap_wps_authenticator_mismatch_m3 +ap_wps_authenticator_mismatch_m4 +ap_wps_authenticator_mismatch_m5 +ap_wps_authenticator_mismatch_m6 +ap_wps_authenticator_mismatch_m7 +ap_wps_authenticator_mismatch_m8 +ap_wps_authenticator_missing_m2 +ap_wps_check_pin +ap_wps_conf_and_sae +ap_wps_conf_and_sae_h2e +ap_wps_config_methods +ap_wps_config_without_wps +ap_wps_conf_pin +ap_wps_conf_pin_2sta +ap_wps_conf_pin_ccmp_256 +ap_wps_conf_pin_gcmp_128 +ap_wps_conf_pin_gcmp_256 +ap_wps_conf_pin_mixed_mode +ap_wps_conf_pin_timeout +ap_wps_conf_pin_v1 +ap_wps_conf_stub_cred +ap_wps_disabled +ap_wps_disable_enable +ap_wps_eapol_workaround +ap_wps_eap_wsc +ap_wps_eap_wsc_errors +ap_wps_e_hash_no_random_sta +ap_wps_encr_no_random_ap +ap_wps_encr_oom_ap +ap_wps_er_add_enrollee_uuid +ap_wps_er_cache_ap_settings +ap_wps_er_cache_ap_settings_oom +ap_wps_er_cache_ap_settings_oom2 +ap_wps_er_config_ap +ap_wps_er_enrollee_to_conf_ap +ap_wps_er_enrollee_to_conf_ap2 +ap_wps_er_http_client +ap_wps_er_http_client_timeout +ap_wps_er_http_proto +ap_wps_er_http_proto_control_url_dns +ap_wps_er_http_proto_event_sub_url_dns +ap_wps_er_http_proto_invalid_sid_no_uuid +ap_wps_er_http_proto_invalid_sid_uuid +ap_wps_er_http_proto_no_control_url +ap_wps_er_http_proto_no_event_sub_url +ap_wps_er_http_proto_no_sid +ap_wps_er_http_proto_subscribe_failing +ap_wps_er_http_proto_subscribe_invalid_response +ap_wps_er_http_proto_subscribe_oom +ap_wps_er_http_proto_upnp_info_invalid_udn_uuid +ap_wps_er_http_proto_upnp_info_no_device +ap_wps_er_http_proto_upnp_info_no_device_type +ap_wps_er_init_fail +ap_wps_er_init_oom +ap_wps_er_learn_oom +ap_wps_er_link_update +ap_wps_er_multi_add_enrollee +ap_wps_er_oom +ap_wps_er_pbc_overlap +ap_wps_er_set_sel_reg_oom +ap_wps_er_ssdp_proto +ap_wps_er_subscribe_oom +ap_wps_er_unsubscribe_errors +ap_wps_er_url_parse +ap_wps_er_v10_add_enrollee_pin +ap_wps_frag_ack_oom +ap_wps_fragmentation +ap_wps_from_event +ap_wps_ie_fragmentation +ap_wps_ie_invalid +ap_wps_ignore_broadcast_ssid +ap_wps_incorrect_pin +ap_wps_init +ap_wps_init_2ap_pbc +ap_wps_init_2ap_pin +ap_wps_init_oom +ap_wps_init_through_wps_config +ap_wps_init_through_wps_config_2 +ap_wps_invalid_assoc_req_elem +ap_wps_invalid_wps_config_passphrase +ap_wps_m1_no_random +ap_wps_m1_oom +ap_wps_m2_dev_passwd_id_change_pbc_to_pin +ap_wps_m2_dev_passwd_id_change_pin_to_pbc +ap_wps_m2_dev_passwd_id_p2p +ap_wps_m2_invalid +ap_wps_m2_missing_dev_passwd_id +ap_wps_m2_missing_enrollee_nonce +ap_wps_m2_missing_msg_type +ap_wps_m2_missing_registrar_nonce +ap_wps_m2_missing_uuid_r +ap_wps_m2_msg_type_m4 +ap_wps_m2_msg_type_m6 +ap_wps_m2_msg_type_m8 +ap_wps_m2_unknown_msg_type +ap_wps_m2_unknown_opcode +ap_wps_m2_unknown_opcode2 +ap_wps_m2_unknown_opcode3 +ap_wps_m3_oom +ap_wps_m4_msg_type_m2 +ap_wps_m4_msg_type_m2d +ap_wps_m5_no_random +ap_wps_m5_oom +ap_wps_m7_no_random +ap_wps_m7_oom +ap_wps_mixed_cred +ap_wps_new_version_ap +ap_wps_new_version_sta +ap_wps_passive_scan +ap_wps_pbc_2ap +ap_wps_pbc_in_m1 +ap_wps_pbc_mac_addr_change +ap_wps_pbc_overlap_2ap +ap_wps_pbc_overlap_2ap_specific_bssid +ap_wps_pbc_overlap_2sta +ap_wps_pbc_pin_mismatch +ap_wps_pbc_session_workaround +ap_wps_per_station_psk +ap_wps_per_station_psk_failure +ap_wps_per_station_psk_preset +ap_wps_pin_get_failure +ap_wps_pin_request_file +ap_wps_pin_start_failure +ap_wps_pk_oom +ap_wps_pk_oom_ap +ap_wps_priority +ap_wps_probe_req_ie_oom +ap_wps_random_ap_pin +ap_wps_random_psk_fail +ap_wps_random_uuid +ap_wps_reg_config +ap_wps_reg_config_and_sae +ap_wps_reg_config_ext_processing +ap_wps_reg_config_tkip +ap_wps_reg_connect +ap_wps_reg_connect_mixed_mode +ap_wps_reg_connect_zero_len_ap_pin +ap_wps_registrar_init_errors +ap_wps_reg_override_ap_settings +ap_wps_rf_bands +ap_wps_scan_prio_order +ap_wps_set_selected_registrar_proto +ap_wps_setup_locked +ap_wps_setup_locked_2 +ap_wps_ssdp_burst +ap_wps_ssdp_invalid_msearch +ap_wps_ssdp_msearch +ap_wps_tkip +ap_wps_twice +ap_wps_upnp +ap_wps_upnp_http_proto +ap_wps_upnp_http_proto_chunked +ap_wps_upnp_subscribe +ap_wps_upnp_subscribe_events +ap_wps_upnp_web_oom +ap_wps_wep +ap_wps_wep_config +ap_wps_wep_enroll +ap_wps_while_connected +ap_wps_while_connected_no_autoconnect +ap_wps_wpa_cli_action +ap_wps_wsc_done_oom +cert_check_basic +cert_check_dnsname +cert_check_dnsname_alt +cert_check_dnsname_cn +cert_check_dnsname_wildcard +cert_check_v3 +dpp_akm_sha256 +dpp_akm_sha384 +dpp_akm_sha512 +dpp_and_sae_akm +dpp_ap_config +dpp_ap_config_bp256_bp256 +dpp_ap_config_bp256_p256 +dpp_ap_config_bp384_bp384 +dpp_ap_config_bp512_bp512 +dpp_ap_config_bp512_p521 +dpp_ap_config_p256_bp256 +dpp_ap_config_p256_p256 +dpp_ap_config_p256_p384 +dpp_ap_config_p256_p521 +dpp_ap_config_p384_p256 +dpp_ap_config_p384_p384 +dpp_ap_config_p384_p521 +dpp_ap_config_p521_bp512 +dpp_ap_config_p521_p256 +dpp_ap_config_p521_p384 +dpp_ap_config_p521_p521 +dpp_ap_config_reconfig_configurator +dpp_ap_config_sae +dpp_auth_req_retries +dpp_auth_req_retries_multi_chan +dpp_auth_req_stop_after_ack +dpp_auth_resp_aes_siv_issue +dpp_auth_resp_retries +dpp_auth_resp_status_failure +dpp_auto_connect_2_connect_cmd +dpp_auto_connect_legacy +dpp_auto_connect_legacy_pmf_required +dpp_auto_connect_legacy_psk_sae_1 +dpp_auto_connect_legacy_psk_sae_2 +dpp_auto_connect_legacy_psk_sae_3 +dpp_auto_connect_legacy_sae_1 +dpp_auto_connect_legacy_sae_2 +dpp_auto_connect_legacy_ssid_charset +dpp_bootstrap_gen_failures +dpp_bootstrap_key_autogen_issues +dpp_chirp_ap +dpp_chirp_ap_as_configurator +dpp_chirp_ap_errors +dpp_chirp_configurator +dpp_chirp_configurator_inits +dpp_conf_file_update +dpp_config_connector_error_empty_groups +dpp_config_connector_error_expired_1 +dpp_config_connector_error_expired_2 +dpp_config_connector_error_expired_3 +dpp_config_connector_error_expired_4 +dpp_config_connector_error_expired_5 +dpp_config_connector_error_expired_6 +dpp_config_connector_error_ext_sign +dpp_config_connector_error_invalid_timestamp +dpp_config_connector_error_invalid_timestamp_date +dpp_config_connector_error_invalid_time_zone +dpp_config_connector_error_invalid_time_zone_2 +dpp_config_connector_error_missing_group_id +dpp_config_connector_error_missing_net_access_key +dpp_config_connector_error_missing_net_role +dpp_config_connector_error_net_access_key_mismatch +dpp_config_connector_error_no_groups +dpp_config_connector_error_too_short_timestamp +dpp_config_dpp_gen_3rd_party +dpp_config_dpp_gen_expired_key +dpp_config_dpp_gen_expiry +dpp_config_dpp_gen_prime256v1 +dpp_config_dpp_gen_prime256v1_prime256v1 +dpp_config_dpp_gen_prime256v1_secp384r1 +dpp_config_dpp_gen_prime256v1_secp384r1_secp384r1 +dpp_config_dpp_gen_prime256v1_secp521r1 +dpp_config_dpp_gen_secp384r1 +dpp_config_dpp_gen_secp384r1_prime256v1 +dpp_config_dpp_gen_secp384r1_secp384r1 +dpp_config_dpp_gen_secp384r1_secp521r1 +dpp_config_dpp_gen_secp521r1 +dpp_config_dpp_gen_secp521r1_prime256v1 +dpp_config_dpp_gen_secp521r1_secp384r1 +dpp_config_dpp_gen_secp521r1_secp521r1 +dpp_config_dpp_override_prime256v1 +dpp_config_dpp_override_secp384r1 +dpp_config_dpp_override_secp521r1 +dpp_config_error_legacy_invalid_psk +dpp_config_error_legacy_no_pass +dpp_config_error_legacy_no_pass_for_sae +dpp_config_error_legacy_psk_with_sae +dpp_config_error_legacy_too_long_pass +dpp_config_error_legacy_too_short_pass +dpp_config_error_legacy_too_short_psk +dpp_config_fragmentation +dpp_config_jwk_error_invalid_x +dpp_config_jwk_error_invalid_xy +dpp_config_jwk_error_invalid_y +dpp_config_jwk_error_no_crv +dpp_config_jwk_error_no_kid +dpp_config_jwk_error_no_kty +dpp_config_jwk_error_no_x +dpp_config_jwk_error_no_y +dpp_config_jwk_error_unexpected_kty +dpp_config_jwk_error_unsupported_crv +dpp_config_jws_error_prot_hdr_no_alg +dpp_config_jws_error_prot_hdr_no_kid +dpp_config_jws_error_prot_hdr_not_an_object +dpp_config_jws_error_prot_hdr_no_typ +dpp_config_jws_error_prot_hdr_unexpected_alg +dpp_config_jws_error_prot_hdr_unexpected_kid +dpp_config_jws_error_prot_hdr_unsupported_typ +dpp_config_legacy +dpp_config_legacy_gen +dpp_config_legacy_gen_psk +dpp_config_legacy_gen_sta_ap_conf +dpp_config_legacy_gen_two_conf +dpp_config_legacy_gen_two_conf_psk +dpp_config_legacy_psk_hex +dpp_config_no_cred +dpp_config_no_cred_akm +dpp_config_no_csign +dpp_config_no_discovery +dpp_config_no_discovery_ssid +dpp_config_no_signed_connector +dpp_config_no_wi_fi_tech +dpp_config_override_objects +dpp_config_root_not_an_object +dpp_config_save +dpp_config_save2 +dpp_config_save3 +dpp_config_signed_connector_error_invalid_signature_der +dpp_config_signed_connector_error_no_dot_1 +dpp_config_signed_connector_error_no_dot_2 +dpp_config_signed_connector_error_unexpected_signature_len +dpp_config_too_long_discovery_ssid +dpp_config_unexpected_signed_connector_char +dpp_config_unsupported_cred_akm +dpp_config_unsupported_wi_fi_tech +dpp_configurator_enroll_conf +dpp_configurator_enrollee +dpp_configurator_enrollee_brainpoolP256r1 +dpp_configurator_enrollee_brainpoolP384r1 +dpp_configurator_enrollee_brainpoolP512r1 +dpp_configurator_enrollee_prime256v1 +dpp_configurator_enrollee_secp384r1 +dpp_configurator_enrollee_secp521r1 +dpp_configurator_id_unknown +dpp_conn_status_assoc_reject +dpp_conn_status_connector_mismatch +dpp_conn_status_no_ap +dpp_conn_status_success +dpp_conn_status_wrong_passphrase +dpp_controller_init_through_relay +dpp_controller_init_through_relay_add +dpp_controller_init_through_relay_dynamic +dpp_controller_relay +dpp_controller_relay_chirp +dpp_controller_relay_chirp_duplicate +dpp_controller_relay_discover +dpp_controller_relay_pkex +dpp_controller_rx_errors +dpp_controller_rx_failure +dpp_discard_public_action +dpp_duplicated_auth_conf +dpp_duplicated_auth_resp +dpp_enrollee_ap_reject_config +dpp_enrollee_reject_config +dpp_enterprise +dpp_enterprise_reject +dpp_enterprise_tcp +dpp_enterprise_tcp2 +dpp_gas +dpp_gas_comeback_after_failure +dpp_gas_timeout +dpp_gas_timeout_handling +dpp_hostapd_auth_conf_timeout +dpp_hostapd_auth_resp_retries +dpp_hostapd_configurator +dpp_hostapd_configurator_enrollee_v1 +dpp_hostapd_configurator_fragmentation +dpp_hostapd_configurator_override_objects +dpp_hostapd_configurator_responder +dpp_hostapd_enrollee_fragmentation +dpp_hostapd_enrollee_gas_errors +dpp_hostapd_enrollee_gas_proto +dpp_hostapd_enrollee_gas_timeout +dpp_hostapd_enrollee_gas_timeout_comeback +dpp_hostapd_enrollee_gas_tx_status_errors +dpp_intro_mismatch +dpp_invalid_configurator_key +dpp_invalid_legacy_params +dpp_invalid_legacy_params2 +dpp_keygen_configurator_error +dpp_nfc_negotiated_handover_diff_curve +dpp_nfc_negotiated_handover_hostapd_req +dpp_nfc_negotiated_handover_hostapd_sel +dpp_own_config +dpp_own_config_ap +dpp_own_config_ap_group_id +dpp_own_config_ap_reconf +dpp_own_config_curve_mismatch +dpp_own_config_group_id +dpp_own_config_sign_fail +dpp_peer_intro_failures +dpp_peer_intro_local_failures +dpp_pfs_ap_0 +dpp_pfs_ap_0_sta_ver1 +dpp_pfs_ap_2 +dpp_pfs_connect_cmd_ap_2 +dpp_pfs_connect_cmd_ap_2_sae +dpp_pkex +dpp_pkex_after_retry +dpp_pkex_alloc_fail +dpp_pkex_bp256 +dpp_pkex_bp384 +dpp_pkex_bp512 +dpp_pkex_code_mismatch +dpp_pkex_code_mismatch_limit +dpp_pkex_commit_reveal_req_processing_failure +dpp_pkex_config +dpp_pkex_config2 +dpp_pkex_curve_mismatch +dpp_pkex_curve_mismatch_failure +dpp_pkex_curve_mismatch_failure2 +dpp_pkex_exchange_resp_processing_failure +dpp_pkex_hostapd_errors +dpp_pkex_identifier_mismatch +dpp_pkex_identifier_mismatch2 +dpp_pkex_identifier_mismatch3 +dpp_pkex_nak_curve_change +dpp_pkex_nak_curve_change2 +dpp_pkex_no_identifier +dpp_pkex_no_responder +dpp_pkex_p256 +dpp_pkex_p384 +dpp_pkex_p521 +dpp_pkex_test_fail +dpp_pkex_test_vector +dpp_pkex_v2 +dpp_pkex_v2_hostapd_initiator +dpp_pkex_v2_hostapd_responder +dpp_proto_after_wrapped_data_auth_conf +dpp_proto_after_wrapped_data_auth_req +dpp_proto_after_wrapped_data_auth_resp +dpp_proto_after_wrapped_data_conf_req +dpp_proto_after_wrapped_data_conf_resp +dpp_proto_after_wrapped_data_pkex_cr_req +dpp_proto_after_wrapped_data_pkex_cr_resp +dpp_proto_auth_conf_i_auth_mismatch +dpp_proto_auth_conf_invalid_i_bootstrap_key +dpp_proto_auth_conf_invalid_r_bootstrap_key +dpp_proto_auth_conf_invalid_status +dpp_proto_auth_conf_no_i_auth +dpp_proto_auth_conf_no_i_bootstrap_key +dpp_proto_auth_conf_no_r_bootstrap_key +dpp_proto_auth_conf_no_status +dpp_proto_auth_conf_no_wrapped_data +dpp_proto_auth_conf_replaced_by_resp +dpp_proto_auth_req_invalid_i_bootstrap_key +dpp_proto_auth_req_invalid_i_nonce +dpp_proto_auth_req_invalid_i_proto_key +dpp_proto_auth_req_invalid_r_bootstrap_key +dpp_proto_auth_req_no_i_bootstrap_key +dpp_proto_auth_req_no_i_capab +dpp_proto_auth_req_no_i_nonce +dpp_proto_auth_req_no_i_proto_key +dpp_proto_auth_req_no_r_bootstrap_key +dpp_proto_auth_req_no_wrapped_data +dpp_proto_auth_resp_incompatible_r_capab +dpp_proto_auth_resp_i_nonce_mismatch +dpp_proto_auth_resp_invalid_i_bootstrap_key +dpp_proto_auth_resp_invalid_r_bootstrap_key +dpp_proto_auth_resp_invalid_r_proto_key +dpp_proto_auth_resp_invalid_status +dpp_proto_auth_resp_no_i_bootstrap_key +dpp_proto_auth_resp_no_i_nonce +dpp_proto_auth_resp_no_r_auth +dpp_proto_auth_resp_no_r_bootstrap_key +dpp_proto_auth_resp_no_r_capab +dpp_proto_auth_resp_no_r_nonce +dpp_proto_auth_resp_no_r_proto_key +dpp_proto_auth_resp_no_status +dpp_proto_auth_resp_no_wrapped_data +dpp_proto_auth_resp_r_auth_mismatch +dpp_proto_auth_resp_r_auth_mismatch_failure +dpp_proto_auth_resp_r_auth_mismatch_failure2 +dpp_proto_auth_resp_status_invalid_i_bootstrap_key +dpp_proto_auth_resp_status_invalid_r_bootstrap_key +dpp_proto_auth_resp_status_no_i_bootstrap_key +dpp_proto_auth_resp_status_no_i_nonce +dpp_proto_auth_resp_status_no_r_bootstrap_key +dpp_proto_auth_resp_status_no_status +dpp_proto_conf_req_invalid_config_attr_obj +dpp_proto_conf_req_invalid_e_nonce +dpp_proto_conf_req_no_config_attr_obj +dpp_proto_conf_req_no_e_nonce +dpp_proto_conf_req_no_wrapped_data +dpp_proto_conf_resp_e_nonce_mismatch +dpp_proto_conf_resp_invalid_status +dpp_proto_conf_resp_no_config_obj +dpp_proto_conf_resp_no_e_nonce +dpp_proto_conf_resp_no_status +dpp_proto_conf_resp_no_wrapped_data +dpp_proto_network_introduction +dpp_proto_pkex_cr_req_i_auth_tag_mismatch +dpp_proto_pkex_cr_req_invalid_bootstrap_key +dpp_proto_pkex_cr_req_no_bootstrap_key +dpp_proto_pkex_cr_req_no_i_auth_tag +dpp_proto_pkex_cr_req_no_wrapped_data +dpp_proto_pkex_cr_resp_invalid_bootstrap_key +dpp_proto_pkex_cr_resp_no_bootstrap_key +dpp_proto_pkex_cr_resp_no_r_auth_tag +dpp_proto_pkex_cr_resp_no_wrapped_data +dpp_proto_pkex_cr_resp_r_auth_tag_mismatch +dpp_proto_pkex_exchange_req_invalid_encrypted_key +dpp_proto_pkex_exchange_req_no_encrypted_key +dpp_proto_pkex_exchange_req_no_finite_cyclic_group +dpp_proto_pkex_exchange_resp_invalid_encrypted_key +dpp_proto_pkex_exchange_resp_invalid_status +dpp_proto_pkex_exchange_resp_no_encrypted_key +dpp_proto_pkex_exchange_resp_no_status +dpp_proto_stop_at_auth_conf +dpp_proto_stop_at_auth_conf_tx +dpp_proto_stop_at_auth_conf_tx2 +dpp_proto_stop_at_auth_req +dpp_proto_stop_at_auth_resp +dpp_proto_stop_at_conf_req +dpp_proto_stop_at_pkex_cr_req +dpp_proto_stop_at_pkex_cr_resp +dpp_proto_stop_at_pkex_exchange_resp +dpp_proto_zero_i_capab +dpp_proto_zero_r_capab +dpp_qr_code_auth_broadcast +dpp_qr_code_auth_enrollee_init_netrole +dpp_qr_code_auth_hostapd_mutual2 +dpp_qr_code_auth_incompatible_roles +dpp_qr_code_auth_incompatible_roles2 +dpp_qr_code_auth_incompatible_roles_failure +dpp_qr_code_auth_incompatible_roles_failure2 +dpp_qr_code_auth_incompatible_roles_failure3 +dpp_qr_code_auth_initiator_either_1 +dpp_qr_code_auth_initiator_either_2 +dpp_qr_code_auth_initiator_either_3 +dpp_qr_code_auth_initiator_enrollee +dpp_qr_code_auth_mutual +dpp_qr_code_auth_mutual2 +dpp_qr_code_auth_mutual_bp_256 +dpp_qr_code_auth_mutual_bp_384 +dpp_qr_code_auth_mutual_bp_512 +dpp_qr_code_auth_mutual_curve_mismatch +dpp_qr_code_auth_mutual_not_used +dpp_qr_code_auth_mutual_p_256 +dpp_qr_code_auth_mutual_p_384 +dpp_qr_code_auth_mutual_p_521 +dpp_qr_code_auth_neg_chan +dpp_qr_code_auth_rand_mac_addr +dpp_qr_code_auth_responder_configurator +dpp_qr_code_auth_responder_configurator_group_id +dpp_qr_code_auth_unicast +dpp_qr_code_auth_unicast_ap_enrollee +dpp_qr_code_chan_list_no_match +dpp_qr_code_chan_list_no_peer_unicast +dpp_qr_code_chan_list_unicast +dpp_qr_code_chan_list_unicast2 +dpp_qr_code_config_event_initiator_both +dpp_qr_code_config_event_initiator_failure +dpp_qr_code_config_event_initiator_no_response +dpp_qr_code_config_event_initiator_slow +dpp_qr_code_curve_brainpoolP256r1 +dpp_qr_code_curve_brainpoolP384r1 +dpp_qr_code_curve_brainpoolP512r1 +dpp_qr_code_curve_prime256v1 +dpp_qr_code_curves +dpp_qr_code_curves_brainpool +dpp_qr_code_curve_secp384r1 +dpp_qr_code_curve_secp521r1 +dpp_qr_code_curve_select +dpp_qr_code_hostapd_ignore_mismatch +dpp_qr_code_hostapd_init +dpp_qr_code_hostapd_init_offchannel +dpp_qr_code_hostapd_init_offchannel_configurator +dpp_qr_code_hostapd_init_offchannel_neg_freq +dpp_qr_code_keygen_fail +dpp_qr_code_listen_continue +dpp_qr_code_no_chan_list_broadcast +dpp_qr_code_no_chan_list_unicast +dpp_qr_code_parsing +dpp_qr_code_parsing_fail +dpp_qr_code_set_key +dpp_qr_code_unsupported_curve +dpp_reconfig_connector +dpp_reconfig_connector_different_groups +dpp_reconfig_hostapd_configurator +dpp_relay_incomplete_connections +dpp_tcp +dpp_tcp_conf_init +dpp_tcp_conf_init_hostapd_enrollee +dpp_tcp_controller_management_hostapd +dpp_tcp_controller_management_hostapd2 +dpp_tcp_controller_start_failure +dpp_tcp_init_failure +dpp_tcp_mutual +dpp_tcp_mutual_hostapd_conf +dpp_tcp_pkex +dpp_tcp_pkex_auto_connect_2 +dpp_tcp_pkex_auto_connect_2_status +dpp_tcp_pkex_auto_connect_2_status_fail +dpp_tcp_pkex_while_associated +dpp_tcp_pkex_while_associated_conn_status +dpp_tcp_port +dpp_tcp_qr_code_config_event_initiator +dpp_test_vector_p_256 +dpp_test_vector_p_256_b +dpp_test_vector_p_521 +dpp_truncated_attr +dpp_two_initiators +dpp_uri_host +dpp_uri_supported_curves +dpp_uri_version +dpp_with_p2p_device +eap_canned_failure_before_method +eap_canned_success_after_identity +eap_canned_success_before_method +eap_fast_proto +eap_fast_proto_phase2 +eap_fast_tlv_nak_oom +eap_gpsk_errors +eap_mschapv2_errors +eap_nak_expanded +eap_nak_oom +eap_proto +eap_proto_aka +eap_proto_aka_errors +eap_proto_aka_prime +eap_proto_aka_prime_errors +eap_proto_eke +eap_proto_eke_errors +eap_proto_erp +eap_proto_expanded +eap_proto_fast_errors +eap_proto_gpsk +eap_proto_gpsk_errors_server +eap_proto_gpsk_server +eap_proto_ikev2 +eap_proto_ikev2_errors +eap_proto_ikev2_errors_server +eap_proto_ikev2_server +eap_proto_leap +eap_proto_leap_errors +eap_proto_md5 +eap_proto_md5_errors +eap_proto_md5_errors_server +eap_proto_md5_server +eap_proto_mschapv2 +eap_proto_mschapv2_errors +eap_proto_notification_errors +eap_proto_otp +eap_proto_otp_errors +eap_proto_pax +eap_proto_pax_errors +eap_proto_pax_errors_server +eap_proto_pax_server +eap_proto_psk +eap_proto_psk_errors +eap_proto_psk_errors_server +eap_proto_psk_server +eap_proto_pwd +eap_proto_pwd_errors +eap_proto_pwd_errors_server +eap_proto_pwd_invalid_element +eap_proto_pwd_invalid_element_peer +eap_proto_pwd_invalid_scalar +eap_proto_pwd_invalid_scalar_peer +eap_proto_pwd_reflection_attack +eap_proto_pwd_server +eap_proto_pwd_unexpected_fragment +eap_proto_sake +eap_proto_sake_errors +eap_proto_sake_errors2 +eap_proto_sake_errors_server +eap_proto_sake_server +eap_proto_sim +eap_proto_sim_errors +eap_proto_tls +eap_proto_tnc +eap_proto_wsc +eap_teap_basic_password_auth_failure +eap_teap_basic_password_auth_id2 +eap_teap_basic_password_auth_no_password +eap_teap_basic_password_auth_user_and_machine_fail_machine +eap_teap_basic_password_auth_user_and_machine_fail_user +eap_teap_basic_password_auth_user_and_machine_no_machine +eap_teap_eap_eke_unauth_server_prov +eap_teap_eap_mschapv2_id2 +eap_teap_eap_mschapv2_pac_no_ca_cert +eap_teap_eap_mschapv2_user_and_machine_fail_machine +eap_teap_eap_mschapv2_user_and_machine_fail_user +eap_teap_eap_mschapv2_user_and_machine_no_machine +eap_teap_tls_cs_sha1 +eap_teap_tls_cs_sha256 +eap_teap_tls_cs_sha384 +eap_tls_sha384 +eap_tls_sha512 +ext_password_file_psk +ext_password_interworking +ext_password_psk +ext_password_psk_not_found +ext_password_sae +ext_radio_work +ext_radio_work_disconnect_connect +fils_sk_pfs_25 +gas_anqp_address3_ap_non_compliant +gas_anqp_capab_list +gas_anqp_extra_elements +gas_anqp_get +gas_anqp_get_no_scan +gas_anqp_get_oom +gas_anqp_hs20_proto +gas_anqp_icon_binary_proto +gas_anqp_oom_hapd +gas_anqp_oom_wpas +gas_anqp_overrides +gas_anqp_venue_url +gas_anqp_venue_url2 +gas_anqp_venue_url_pmf +gas_comeback_delay +gas_comeback_delay_long +gas_comeback_delay_long2 +gas_comeback_resp_additional_delay +gas_concurrent_scan +gas_delete_at_deinit +gas_failures +gas_failure_status_code +gas_fragment +gas_fragment_mcc +gas_fragment_with_comeback_delay +gas_fragment_with_comeback_delay_mcc +gas_generic +gas_invalid_response_type +gas_malformed +gas_malformed_comeback_resp +gas_max_pending +gas_missing_payload +gas_no_dialog_token_match +gas_no_pending +gas_query_deinit +gas_rand_ta +gas_request_oom +gas_server_oom +hostapd_oom_open +hostapd_oom_wpa2_eap_radius +hostapd_oom_wpa2_psk +ieee8021x_auth_awhile +ieee8021x_eapol_key +ieee8021x_eapol_start +ieee8021x_force_unauth +ieee8021x_held +ieee8021x_open +ieee8021x_open_leap +ieee8021x_proto +ieee8021x_reauth +ieee8021x_set_conf +ieee8021x_wep104 +ieee8021x_wep_index_workaround +macsec_gcm_aes_256 +macsec_hostapd_eap +macsec_hostapd_eap_psk +macsec_hostapd_psk +macsec_psk +macsec_psk_256 +macsec_psk_br2 +macsec_psk_br2_same_prio +macsec_psk_br3 +macsec_psk_br3_same_prio +macsec_psk_cak_mismatch +macsec_psk_ckn_mismatch +macsec_psk_different_ports +macsec_psk_fail_cp +macsec_psk_fail_cp2 +macsec_psk_integ_only +macsec_psk_mka_life_time +macsec_psk_ns +macsec_psk_port +macsec_psk_shorter_ckn +macsec_psk_shorter_ckn2 +module_hostapd +module_wpa_supplicant +monitor_iface_wpa2_psk +multi_ap_backhaul_shared_bss +multi_ap_disabled_on_ap +multi_ap_fronthaul_on_ap +multi_ap_wps_fail_non_multi_ap +multi_ap_wps_shared_psk +multi_ap_wps_split_psk +nfc_p2p_both_go +nfc_p2p_go_neg_reverse +nfc_p2p_static_handover_invalid +nfc_p2p_tag_enable_disable +nfc_wps_handover_errors +nfc_wps_handover_failure +nfc_wps_handover_pk_hash_mismatch_ap +nfc_wps_handover_pk_hash_mismatch_sta +openssl_ecdh_curves +owe_assoc_reject +owe_double_assoc +owe_group_negotiation +owe_group_negotiation_connect_cmd +owe_invalid_assoc_resp +owe_local_errors +owe_only_sta +owe_only_sta_tm_ap +owe_ptk_hash +owe_ptk_workaround_ap +owe_sa_query +owe_transition_mode_disable +owe_transition_mode_ifname +owe_transition_mode_ifname_acs +owe_transition_mode_ifname_acs2 +owe_transition_mode_multi_assoc +owe_transition_mode_open_multiple_scans +owe_transition_mode_rsne_mismatch +owe_unsupported_group +owe_unsupported_group_connect_cmd +pasn_ap_mic_error +pasn_ccmp +pasn_ccmp_256 +pasn_channel_mismatch +pasn_comeback +pasn_comeback_after_0 +pasn_comeback_after_0_sae +pasn_comeback_multi +pasn_fils_sha256 +pasn_fils_sha384 +pasn_ft_psk +pasn_gcmp +pasn_gcmp_256 +pasn_group_mismatch +pasn_kdk_derivation +pasn_noauth_0 +pasn_owe_kdk_secure_ltf +pasn_owe_tm_kdk_secure_ltf +pasn_sae +pasn_sae_driver +pasn_sae_kdk +pasn_sae_kdk_ft +pasn_sae_kdk_secure_ltf +pasn_sae_while_connected_diff_channel +pasn_sae_while_connected_same_channel +pasn_sta_mic_error +pasn_while_connected_diff_channel +pasn_while_connected_same_ap +pasn_while_connected_same_channel +radius_acct +radius_acct_failure +radius_acct_failure_oom +radius_acct_failure_oom_rsn +radius_acct_failure_sta_data +radius_acct_ft_psk +radius_acct_ieee8021x +radius_acct_interim +radius_acct_interim_unreachable +radius_acct_interim_unreachable2 +radius_acct_ipaddr +radius_acct_non_ascii_ssid +radius_acct_pmksa_caching +radius_acct_psk +radius_acct_psk_sha256 +radius_acct_unreachable +radius_acct_unreachable2 +radius_acct_unreachable3 +radius_acct_unreachable4 +radius_auth_force_client_addr +radius_auth_force_client_dev +radius_auth_force_invalid_client_addr +radius_auth_unreachable +radius_auth_unreachable2 +radius_auth_unreachable3 +radius_das_coa +radius_das_disconnect +radius_das_disconnect_time_window +radius_ipv6 +radius_macacl +radius_macacl_acct +radius_macacl_oom +radius_macacl_unreachable +radius_protocol +radius_psk +radius_psk_default +radius_psk_during_4way_hs +radius_psk_hex_psk +radius_psk_invalid +radius_psk_invalid2 +radius_psk_oom +radius_psk_reject +radius_psk_reject_during_4way_hs +radius_psk_unknown_code +radius_req_attr +radius_sae_password +radius_server_failures +radius_tls_freeradius +sae +sae_akms +sae_and_psk +sae_and_psk2 +sae_and_psk_multiple_passwords +sae_and_psk_transition_disable +sae_auth_restart +sae_bignum_failure +sae_bignum_failure_unsafe_group +sae_commit_invalid_element_ap +sae_commit_invalid_element_sta +sae_commit_invalid_scalar_element_ap +sae_commit_invalid_scalar_element_sta +sae_commit_override +sae_commit_override2 +sae_confirm_immediate +sae_confirm_immediate2 +sae_connect_cmd +sae_ext_key_19 +sae_ext_key_19_gcmp256 +sae_ext_key_20 +sae_ext_key_20_gcmp256 +sae_ext_key_21 +sae_ext_key_21_gcmp256 +sae_ext_key_21_gcmp256_gcmp256 +sae_ext_key_h2e_rejected_group +sae_ext_key_h2e_rejected_group2 +sae_forced_anti_clogging +sae_forced_anti_clogging_h2e +sae_forced_anti_clogging_h2e_loop +sae_forced_anti_clogging_pw_id +sae_group_nego +sae_group_nego_no_match +sae_groups +sae_h2e_password_id +sae_h2e_rejected_groups +sae_h2e_rejected_groups_unexpected +sae_h2e_rsnxe_mismatch +sae_h2e_rsnxe_mismatch_ap +sae_h2e_rsnxe_mismatch_ap2 +sae_h2e_rsnxe_mismatch_ap3 +sae_h2e_rsnxe_mismatch_assoc +sae_h2e_rsnxe_mismatch_retries +sae_invalid_anti_clogging_token_req +sae_key_lifetime_in_memory +sae_mfp +sae_missing_password +sae_mixed +sae_mixed_check_mfp +sae_mixed_mfp +sae_no_ffc_by_default +sae_no_random +sae_ocv_pmk +sae_ocv_pmk_failure +sae_okc +sae_okc_pmk_lifetime +sae_okc_sta_only +sae_oom_wpas +sae_password +sae_password_ecc +sae_password_ffc +sae_password_file +sae_password_id +sae_password_id_ecc +sae_password_id_ffc +sae_password_id_only +sae_password_id_pwe_check_ap +sae_password_id_pwe_check_sta +sae_password_id_pwe_looping +sae_password_long +sae_password_short +sae_pk +sae_pk_and_psk +sae_pk_and_psk_invalid_password +sae_pk_confirm_immediate +sae_pk_group_19_sae_group_20 +sae_pk_group_20 +sae_pk_group_20_sae_group_19 +sae_pk_group_20_sae_group_21 +sae_pk_group_21 +sae_pk_group_negotiation +sae_pk_invalid_fingerprint +sae_pk_invalid_pw +sae_pk_invalid_signature +sae_pk_missing_ie +sae_pk_mixed +sae_pk_mixed_immediate_confirm +sae_pk_modes +sae_pk_not_on_ap +sae_pk_only +sae_pk_password_without_pk +sae_pk_sec_3 +sae_pk_sec_5 +sae_pk_transition_disable +sae_pk_unexpected_status +sae_pmf_roam +sae_pmk_lifetime +sae_pmksa_caching +sae_pmksa_caching_disabled +sae_pmksa_caching_pmkid +sae_pref_ap_wrong_password +sae_pref_ap_wrong_password2 +sae_proto_commit_delayed +sae_proto_commit_replay +sae_proto_confirm_replay +sae_proto_ecc +sae_proto_ffc +sae_proto_hostapd +sae_proto_hostapd_ecc +sae_proto_hostapd_ffc +sae_proto_hostapd_status_126 +sae_proto_hostapd_status_127 +sae_pwe_failure +sae_pwe_group_1 +sae_pwe_group_14 +sae_pwe_group_15 +sae_pwe_group_16 +sae_pwe_group_19 +sae_pwe_group_2 +sae_pwe_group_20 +sae_pwe_group_21 +sae_pwe_group_22 +sae_pwe_group_23 +sae_pwe_group_24 +sae_pwe_group_25 +sae_pwe_group_28 +sae_pwe_group_29 +sae_pwe_group_30 +sae_pwe_group_5 +sae_pwe_h2e_only_ap +sae_pwe_h2e_only_ap_sta_forcing_loop +sae_pwe_in_psk_ap +sae_pwe_loop_only_ap +sae_reauth +sae_reflection_attack_ecc +sae_reflection_attack_ecc_internal +sae_reflection_attack_ffc +sae_reflection_attack_ffc_internal +sae_reject +sae_rsne_mismatch +sae_sync +sae_wpa3_roam +sigma_dut_ap_beacon_prot +sigma_dut_ap_cipher_ccmp_128 +sigma_dut_ap_cipher_ccmp_256 +sigma_dut_ap_cipher_ccmp_gcmp_1 +sigma_dut_ap_cipher_ccmp_gcmp_2 +sigma_dut_ap_cipher_gcmp_128 +sigma_dut_ap_cipher_gcmp_256 +sigma_dut_ap_cipher_gcmp_256_group_ccmp +sigma_dut_ap_dpp_init_mud_url +sigma_dut_ap_dpp_offchannel +sigma_dut_ap_dpp_pkex_responder +sigma_dut_ap_dpp_pkex_responder_tcp +sigma_dut_ap_dpp_pkex_v1_responder +sigma_dut_ap_dpp_qr +sigma_dut_ap_dpp_qr_dpp_sae +sigma_dut_ap_dpp_qr_dpp_sae2 +sigma_dut_ap_dpp_qr_enrollee_chirp +sigma_dut_ap_dpp_qr_legacy +sigma_dut_ap_dpp_qr_legacy_psk +sigma_dut_ap_dpp_qr_mud_url +sigma_dut_ap_dpp_qr_sae +sigma_dut_ap_dpp_relay +sigma_dut_ap_dpp_self_config +sigma_dut_ap_dpp_self_config_connector_privacy +sigma_dut_ap_dpp_tcp_enrollee_init +sigma_dut_ap_eap +sigma_dut_ap_eap_sha256 +sigma_dut_ap_ent_ft_eap +sigma_dut_ap_ft_eap +sigma_dut_ap_ft_over_ds_psk +sigma_dut_ap_ft_psk +sigma_dut_ap_ft_rsnxe_used_mismatch +sigma_dut_ap_gtk_rekey +sigma_dut_ap_hs20 +sigma_dut_ap_ht40minus +sigma_dut_ap_ht40plus +sigma_dut_ap_ocv +sigma_dut_ap_override_rsne +sigma_dut_ap_owe +sigma_dut_ap_owe_ecgroupid +sigma_dut_ap_owe_ptk_workaround +sigma_dut_ap_owe_transition_mode +sigma_dut_ap_owe_transition_mode_2 +sigma_dut_ap_psk +sigma_dut_ap_psk_deauth +sigma_dut_ap_pskhex +sigma_dut_ap_psk_sae +sigma_dut_ap_psk_sae_ft +sigma_dut_ap_psk_sha256 +sigma_dut_ap_sae +sigma_dut_ap_sae_confirm_immediate +sigma_dut_ap_sae_group +sigma_dut_ap_sae_h2e +sigma_dut_ap_sae_h2e_anti_clogging +sigma_dut_ap_sae_h2e_group_rejection +sigma_dut_ap_sae_h2e_only +sigma_dut_ap_sae_h2e_rsnxe_mismatch +sigma_dut_ap_sae_loop_only +sigma_dut_ap_sae_password +sigma_dut_ap_sae_pk +sigma_dut_ap_sae_pk_misbehavior +sigma_dut_ap_sae_pk_mixed +sigma_dut_ap_sae_pw_id +sigma_dut_ap_sae_pw_id_ft +sigma_dut_ap_sae_pw_id_pwe_loop +sigma_dut_ap_suite_b +sigma_dut_ap_transition_disable +sigma_dut_ap_transition_disable_change +sigma_dut_ap_vht40 +sigma_dut_ap_vht80 +sigma_dut_basic +sigma_dut_beacon_prot +sigma_dut_dpp_curves_list +sigma_dut_dpp_enrollee_does_not_support_nak_curve +sigma_dut_dpp_enrollee_does_not_support_signing_curve +sigma_dut_dpp_incompatible_roles_init +sigma_dut_dpp_incompatible_roles_resp +sigma_dut_dpp_nfc_handover_requestor_enrollee +sigma_dut_dpp_nfc_handover_selector_enrollee +sigma_dut_dpp_nfc_static_read_enrollee +sigma_dut_dpp_nfc_static_write_enrollee +sigma_dut_dpp_pb_ap +sigma_dut_dpp_pb_ap2 +sigma_dut_dpp_pb_ap_misbehavior +sigma_dut_dpp_pb_configurator +sigma_dut_dpp_pb_configurator_session_overlap +sigma_dut_dpp_pb_sta +sigma_dut_dpp_pb_sta_first +sigma_dut_dpp_pb_sta_misbehavior +sigma_dut_dpp_pb_sta_session_overlap +sigma_dut_dpp_pkex_init_configurator +sigma_dut_dpp_pkex_init_configurator_tcp +sigma_dut_dpp_pkex_init_configurator_tcp_and_wifi +sigma_dut_dpp_pkex_init_configurator_tcp_through_relay +sigma_dut_dpp_pkex_responder_proto +sigma_dut_dpp_pkex_v1_only +sigma_dut_dpp_pkexv2_init_fallback_to_v1 +sigma_dut_dpp_proto_initiator +sigma_dut_dpp_proto_initiator_pkex +sigma_dut_dpp_proto_peer_disc_req +sigma_dut_dpp_proto_peer_disc_req2 +sigma_dut_dpp_proto_peer_disc_req3 +sigma_dut_dpp_proto_responder +sigma_dut_dpp_proto_responder_pkex +sigma_dut_dpp_proto_stop_at_initiator +sigma_dut_dpp_proto_stop_at_initiator_enrollee +sigma_dut_dpp_proto_stop_at_responder +sigma_dut_dpp_qr_configurator_chirp +sigma_dut_dpp_qr_enrollee_chirp +sigma_dut_dpp_qr_enrollee_chirp_3rd_party_info +sigma_dut_dpp_qr_init_configurator_1 +sigma_dut_dpp_qr_init_configurator_2 +sigma_dut_dpp_qr_init_configurator_3 +sigma_dut_dpp_qr_init_configurator_3rd_party +sigma_dut_dpp_qr_init_configurator_3rd_party_psk +sigma_dut_dpp_qr_init_configurator_4 +sigma_dut_dpp_qr_init_configurator_5 +sigma_dut_dpp_qr_init_configurator_6 +sigma_dut_dpp_qr_init_configurator_7 +sigma_dut_dpp_qr_init_configurator_both +sigma_dut_dpp_qr_init_configurator_mud_url +sigma_dut_dpp_qr_init_configurator_mud_url_nak_change +sigma_dut_dpp_qr_init_configurator_nak_from_uri +sigma_dut_dpp_qr_init_configurator_neg_freq +sigma_dut_dpp_qr_init_configurator_sign_curve_from_uri +sigma_dut_dpp_qr_init_enrollee +sigma_dut_dpp_qr_init_enrollee_configurator +sigma_dut_dpp_qr_init_enrollee_psk +sigma_dut_dpp_qr_init_enrollee_sae +sigma_dut_dpp_qr_mutual_init_enrollee +sigma_dut_dpp_qr_mutual_init_enrollee_check +sigma_dut_dpp_qr_mutual_init_enrollee_mud_url +sigma_dut_dpp_qr_mutual_init_enrollee_pending +sigma_dut_dpp_qr_mutual_resp_configurator +sigma_dut_dpp_qr_mutual_resp_enrollee +sigma_dut_dpp_qr_mutual_resp_enrollee_connector_privacy +sigma_dut_dpp_qr_mutual_resp_enrollee_pending +sigma_dut_dpp_qr_resp_1 +sigma_dut_dpp_qr_resp_10 +sigma_dut_dpp_qr_resp_11 +sigma_dut_dpp_qr_resp_2 +sigma_dut_dpp_qr_resp_3 +sigma_dut_dpp_qr_resp_4 +sigma_dut_dpp_qr_resp_5 +sigma_dut_dpp_qr_resp_6 +sigma_dut_dpp_qr_resp_7 +sigma_dut_dpp_qr_resp_8 +sigma_dut_dpp_qr_resp_9 +sigma_dut_dpp_qr_resp_chan_list +sigma_dut_dpp_qr_resp_configurator +sigma_dut_dpp_qr_resp_curve_change +sigma_dut_dpp_qr_resp_status_query +sigma_dut_dpp_reconfig_configurator +sigma_dut_dpp_reconfig_enrollee +sigma_dut_dpp_reconfig_enrollee_sae +sigma_dut_dpp_reconfig_invalid_proto_ver +sigma_dut_dpp_reconfig_no_proto_ver +sigma_dut_dpp_self_config +sigma_dut_dpp_tcp_configurator_init_from_uri +sigma_dut_dpp_tcp_configurator_init_mutual +sigma_dut_dpp_tcp_configurator_init_mutual_unsupported_curve +sigma_dut_dpp_tcp_conf_resp +sigma_dut_dpp_tcp_enrollee_init +sigma_dut_dpp_tcp_enrollee_init_mutual +sigma_dut_dpp_tcp_enrollee_resp +sigma_dut_eap_aka +sigma_dut_eap_ttls +sigma_dut_eap_ttls_uosc +sigma_dut_eap_ttls_uosc_ca_mistrust +sigma_dut_eap_ttls_uosc_initial_tod_strict +sigma_dut_eap_ttls_uosc_initial_tod_tofu +sigma_dut_eap_ttls_uosc_tod +sigma_dut_eap_ttls_uosc_tod_tofu +sigma_dut_ft_rsnxe_used_mismatch +sigma_dut_gtk_rekey +sigma_dut_ocv +sigma_dut_open +sigma_dut_owe +sigma_dut_owe_ptk_workaround +sigma_dut_preconfigured_profile +sigma_dut_psk_pmf +sigma_dut_psk_pmf_bip_cmac_128 +sigma_dut_psk_pmf_bip_cmac_256 +sigma_dut_psk_pmf_bip_gmac_128 +sigma_dut_psk_pmf_bip_gmac_256 +sigma_dut_psk_pmf_bip_gmac_256_mismatch +sigma_dut_sae +sigma_dut_sae_groups +sigma_dut_sae_h2e +sigma_dut_sae_h2e_ap_h2e +sigma_dut_sae_h2e_ap_loop +sigma_dut_sae_h2e_enabled_group_rejected +sigma_dut_sae_h2e_loop_forcing +sigma_dut_sae_h2e_rsnxe_mismatch +sigma_dut_sae_password +sigma_dut_sae_pk +sigma_dut_sae_pmkid_include +sigma_dut_sae_pw_id +sigma_dut_sae_pw_id_ft +sigma_dut_sae_pw_id_ft_over_ds +sigma_dut_sae_pw_id_pwe_loop +sigma_dut_sta_override_rsne +sigma_dut_sta_scan_bss +sigma_dut_sta_scan_short_ssid +sigma_dut_sta_scan_ssid_bssid +sigma_dut_sta_scan_wait_completion +sigma_dut_suite_b +sigma_dut_venue_url +sigma_dut_wpa3_inject_frame +sigma_dut_wps_pbc +suite_b +suite_b_192 +suite_b_192_mic_failure +suite_b_192_okc +suite_b_192_pmkid_failure +suite_b_192_pmksa_caching_roam +suite_b_192_radius +suite_b_192_rsa +suite_b_192_rsa_dhe +suite_b_192_rsa_dhe_radius_rsa2048_client +suite_b_192_rsa_ecdhe +suite_b_192_rsa_ecdhe_radius_rsa2048_client +suite_b_192_rsa_insufficient_dh +suite_b_192_rsa_insufficient_key +suite_b_192_rsa_no_cs_match +suite_b_192_rsa_radius +suite_b_192_rsa_tls_13 +suite_b_mic_failure +suite_b_pmkid_failure +suite_b_radius +wep_shared_key_auth_not_allowed +wext_wep_open_auth +wext_wep_shared_key_auth +wext_wpa2_psk +wext_wpa_psk +wpa2_psk_key_lifetime_in_memory +wpas_add_set_remove_support +wpas_ap_acs +wpas_ap_and_assoc_req_p2p_ie +wpas_ap_default_frequency +wpas_ap_disable +wpas_ap_failures +wpas_ap_global_sta +wpas_ap_invalid_frequency +wpas_ap_lifetime_in_memory +wpas_ap_lifetime_in_memory2 +wpas_ap_no_ht +wpas_ap_no_ssid +wpas_ap_params +wpas_ap_sae +wpas_ap_sae_and_psk_transition_disable +wpas_ap_sae_password +wpas_ap_sae_pmf1 +wpas_ap_sae_pmf2 +wpas_ap_sae_pwe_1 +wpas_ap_scan +wpas_ap_vendor_elems +wpas_ap_wps_disabled +wpas_ap_wps_frag +wpas_ap_wps_pbc_overlap +wpas_mesh_secure +wpas_mesh_secure_dropped_frame +wpas_mesh_secure_no_auto +wpas_mesh_secure_sae_group_mismatch +wpas_mesh_secure_sae_group_negotiation +wpas_mesh_secure_sae_missing_password +wpas_mesh_secure_sae_password diff --git a/.github/workflows/hostap-files/configs/07c9f183ea744ac04585fb6dd10220c75a5e2e74/wpa_supplicant.config b/.github/workflows/hostap-files/configs/07c9f183ea744ac04585fb6dd10220c75a5e2e74/wpa_supplicant.config new file mode 100644 index 0000000000..104807315a --- /dev/null +++ b/.github/workflows/hostap-files/configs/07c9f183ea744ac04585fb6dd10220c75a5e2e74/wpa_supplicant.config @@ -0,0 +1,164 @@ +#CC=ccache gcc + +#CONFIG_TLS=openssl +CONFIG_TLS=wolfssl +#CONFIG_TLS=internal +#CONFIG_INTERNAL_LIBTOMMATH=y +#CONFIG_INTERNAL_LIBTOMMATH_FAST=y + +CONFIG_IEEE8021X_EAPOL=y + +CONFIG_ERP=y +CONFIG_EAP_MD5=y +CONFIG_MSCHAPV2=y +CONFIG_EAP_TLS=y +CONFIG_EAP_PEAP=y +CONFIG_EAP_TTLS=y +CONFIG_EAP_GTC=y +CONFIG_EAP_OTP=y +CONFIG_EAP_PSK=y +CONFIG_EAP_PAX=y +CONFIG_EAP_LEAP=y +CONFIG_EAP_SIM=y +CONFIG_EAP_AKA=y +CONFIG_EAP_AKA_PRIME=y +CONFIG_EAP_VENDOR_TEST=y +CONFIG_EAP_TLV=y +CONFIG_EAP_SAKE=y +CONFIG_EAP_GPSK=y +CONFIG_EAP_GPSK_SHA256=y +CONFIG_EAP_EKE=y +CONFIG_EAP_TNC=y +CFLAGS += -DTNC_CONFIG_FILE=\"tnc/tnc_config\" +LIBS += -rdynamic +CONFIG_EAP_FAST=y +CONFIG_EAP_TEAP=y +CONFIG_EAP_IKEV2=y + +ifeq ($(CONFIG_TLS), openssl) +CONFIG_EAP_PWD=y +endif +ifeq ($(CONFIG_TLS), wolfssl) +CONFIG_EAP_PWD=y +endif + +CONFIG_USIM_SIMULATOR=y +CONFIG_SIM_SIMULATOR=y + +#CONFIG_PCSC=y +CONFIG_IPV6=y +CONFIG_DRIVER_NONE=y +CONFIG_PKCS12=y +CONFIG_CTRL_IFACE=unix + +CONFIG_WPA_CLI_EDIT=y + +CONFIG_OCSP=y + +#CONFIG_ELOOP_POLL=y + +CONFIG_CTRL_IFACE_DBUS_NEW=y +CONFIG_CTRL_IFACE_DBUS_INTRO=y + +CONFIG_IEEE80211R=y +CONFIG_IEEE80211AC=y +CONFIG_IEEE80211AX=y + +CONFIG_OCV=y + +CONFIG_DEBUG_FILE=y + +CONFIG_WPS=y +#CONFIG_WPS_STRICT=y +CONFIG_WPS_UPNP=y +CONFIG_WPS_NFC=y +CONFIG_WPS_ER=y +#CONFIG_WPS_REG_DISABLE_OPEN=y + +CONFIG_DRIVER_WEXT=y + +CONFIG_DRIVER_NL80211=y +CFLAGS += -I/usr/include/libnl3 +CONFIG_LIBNL32=y + +CONFIG_IBSS_RSN=y + +CONFIG_AP=y +CONFIG_MESH=y +CONFIG_P2P=y +CONFIG_WIFI_DISPLAY=y + +CONFIG_ACS=y + +CONFIG_BGSCAN_SIMPLE=y +CONFIG_BGSCAN_LEARN=y + +CONFIG_WPA_TRACE=y +CONFIG_WPA_TRACE_BFD=y + +CONFIG_TDLS=y +CONFIG_TDLS_TESTING=y +CONFIG_NO_RANDOM_POOL=y + +CONFIG_TLSV11=y +CONFIG_TLSV12=y + +CONFIG_HT_OVERRIDES=y +CONFIG_VHT_OVERRIDES=y +CONFIG_HE_OVERRIDES=y + +CONFIG_DEBUG_LINUX_TRACING=y + +CONFIG_INTERWORKING=y +CONFIG_HS20=y + +CONFIG_AUTOSCAN_EXPONENTIAL=y +CONFIG_AUTOSCAN_PERIODIC=y + +CONFIG_EXT_PASSWORD_TEST=y +CONFIG_EXT_PASSWORD_FILE=y + +CONFIG_EAP_UNAUTH_TLS=y + +CONFIG_SAE=y +CONFIG_SAE_PK=y +CFLAGS += -DALL_DH_GROUPS + +CONFIG_WNM=y + +CONFIG_FST=y +CONFIG_FST_TEST=y + +CONFIG_TESTING_OPTIONS=y +CONFIG_MODULE_TESTS=y + +CONFIG_SUITEB=y +CONFIG_SUITEB192=y + +# AddressSanitizer (ASan) can be enabled by uncommenting the following lines. +# This can be used as a more efficient memory error detector than valgrind +# (though, with still some CPU and memory cost, so VM cases will need more +# memory allocated for the guest). +#CFLAGS += -fsanitize=address -O1 -fno-omit-frame-pointer -g +#LIBS += -fsanitize=address -fno-omit-frame-pointer -g +#LIBS_c += -fsanitize=address -fno-omit-frame-pointer -g +#LIBS_p += -fsanitize=address -fno-omit-frame-pointer -g + +# Undefined Behavior Sanitizer (UBSan) can be enabled by uncommenting the +# following lines. +#CFLAGS += -Wno-format-nonliteral +#CFLAGS += -fsanitize=undefined +##CFLAGS += -fno-sanitize-recover +#LIBS += -fsanitize=undefined +##LIBS += -fno-sanitize-recover +#LIBS_c += -fsanitize=undefined +#LIBS_p += -fsanitize=undefined +CONFIG_MBO=y +CONFIG_FILS=y +CONFIG_FILS_SK_PFS=y +CONFIG_PMKSA_CACHE_EXTERNAL=y +CONFIG_OWE=y +CONFIG_DPP=y +CONFIG_DPP2=y +CONFIG_WEP=y +CONFIG_PASN=y diff --git a/.github/workflows/hostap-vm.yml b/.github/workflows/hostap-vm.yml index fa8e6886ee..9154aa3e91 100644 --- a/.github/workflows/hostap-vm.yml +++ b/.github/workflows/hostap-vm.yml @@ -1,7 +1,16 @@ name: hostap and wpa-supplicant Tests +# START OF COMMON SECTION on: - workflow_call: + push: + branches: [ 'master', 'main', 'release/**' ] + pull_request: + branches: [ '*' ] + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true +# END OF COMMON SECTION env: LINUX_REF: v6.6 @@ -17,10 +26,6 @@ jobs: wolf_extra_config: >- --enable-wpas-dpp --enable-brainpool --with-eccminsz=192 --enable-tlsv10 --enable-oldtls - # - build_id: hostap-vm-build3 - # wolf_extra_config: >- - # --enable-wpas-dpp --enable-brainpool --with-eccminsz=192 - # --enable-tlsv10 --enable-oldtls name: Build wolfSSL runs-on: ubuntu-latest # This should be a safe limit for the tests to run. @@ -113,6 +118,11 @@ jobs: osp_ref: ad5b52a49b3cc2a5bfb47ccc1d6a5137132e9446, build_id: hostap-vm-build2 }, + { + hostap_ref: 07c9f183ea744ac04585fb6dd10220c75a5e2e74, + osp_ref: e1876fbbf298ee442bc7ab8561331ebc7de17528, + build_id: hostap-vm-build2 + }, ] exclude: # don't test openssl on both sides From 16ec3e52b7f152836ad8f0c762de25f87943903a Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Tue, 23 Apr 2024 19:19:39 +0200 Subject: [PATCH 08/10] Jenkins fixes --- src/internal.c | 17 +++++++++++++++++ tests/api.c | 3 ++- 2 files changed, 19 insertions(+), 1 deletion(-) diff --git a/src/internal.c b/src/internal.c index ffeff44156..29fe6aeaa6 100644 --- a/src/internal.c +++ b/src/internal.c @@ -3225,6 +3225,23 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA, } #endif + (void)tls; /* shut up compiler */ + (void)tls1_2; + (void)dtls; + (void)haveDH; + (void)havePSK; + (void)haveStaticRSA; + (void)haveStaticECC; + (void)haveECC; + (void)haveECDSAsig; + (void)side; + (void)haveRSA; /* some builds won't read */ + (void)haveRSAsig; /* non ecc builds won't read */ + (void)haveAnon; /* anon ciphers optional */ + (void)haveNull; + (void)haveFalconSig; + (void)haveDilithiumSig; + if (suites == NULL) { WOLFSSL_MSG("InitSuites pointer error"); return; diff --git a/tests/api.c b/tests/api.c index 70c732d2ca..ae82325c21 100644 --- a/tests/api.c +++ b/tests/api.c @@ -40496,7 +40496,8 @@ static int test_wolfSSL_curves_mismatch_ctx_ready(WOLFSSL_CTX* ctx) "TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES128-GCM-SHA256:" "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:" "ECDHE-ECDSA-AES128-GCM-SHA256:" - "ECDHE-RSA-AES128-GCM-SHA256"); + "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:" + "ECDHE-ECDSA-CHACHA20-POLY1305"); counter++; return EXPECT_RESULT(); From 86c120a3f059796798ab584a8e8c547a4a801b3b Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Tue, 23 Apr 2024 20:02:46 +0200 Subject: [PATCH 09/10] Increase hostap test timeout --- .github/workflows/hostap-vm.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/hostap-vm.yml b/.github/workflows/hostap-vm.yml index 9154aa3e91..aa983ac03e 100644 --- a/.github/workflows/hostap-vm.yml +++ b/.github/workflows/hostap-vm.yml @@ -139,7 +139,7 @@ jobs: # For openssl 1.1 runs-on: ubuntu-latest # This should be a safe limit for the tests to run. - timeout-minutes: 12 + timeout-minutes: 45 needs: [build_wolfssl, build_uml_linux] steps: - name: Checking if we have kernel in cache From df425b306fbd95ecb7c76c3313e6e798dc4ee550 Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Thu, 25 Apr 2024 14:28:29 +0200 Subject: [PATCH 10/10] Fix https://github.com/wolfSSL/wolfssl/issues/7391 --- src/ssl.c | 211 ++++++++++++++----------------------------- tests/api.c | 12 ++- wolfssl/internal.h | 13 +-- wolfssl/openssl/ec.h | 6 ++ 4 files changed, 85 insertions(+), 157 deletions(-) diff --git a/src/ssl.c b/src/ssl.c index d2e45894fd..eabd5ec6fa 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -412,50 +412,6 @@ WC_RNG* wolfssl_make_rng(WC_RNG* rng, int* local) #include -#if defined(OPENSSL_EXTRA) && defined(HAVE_ECC) -const WOLF_EC_NIST_NAME kNistCurves[] = { - {XSTR_SIZEOF("P-192"), "P-192", NID_X9_62_prime192v1}, - {XSTR_SIZEOF("P-256"), "P-256", NID_X9_62_prime256v1}, - {XSTR_SIZEOF("P-112"), "P-112", NID_secp112r1}, - {XSTR_SIZEOF("P-112-2"), "P-112-2", NID_secp112r2}, - {XSTR_SIZEOF("P-128"), "P-128", NID_secp128r1}, - {XSTR_SIZEOF("P-128-2"), "P-128-2", NID_secp128r2}, - {XSTR_SIZEOF("P-160"), "P-160", NID_secp160r1}, - {XSTR_SIZEOF("P-160-2"), "P-160-2", NID_secp160r2}, - {XSTR_SIZEOF("P-224"), "P-224", NID_secp224r1}, - {XSTR_SIZEOF("P-384"), "P-384", NID_secp384r1}, - {XSTR_SIZEOF("P-521"), "P-521", NID_secp521r1}, - {XSTR_SIZEOF("K-160"), "K-160", NID_secp160k1}, - {XSTR_SIZEOF("K-192"), "K-192", NID_secp192k1}, - {XSTR_SIZEOF("K-224"), "K-224", NID_secp224k1}, - {XSTR_SIZEOF("K-256"), "K-256", NID_secp256k1}, - {XSTR_SIZEOF("B-160"), "B-160", NID_brainpoolP160r1}, - {XSTR_SIZEOF("B-192"), "B-192", NID_brainpoolP192r1}, - {XSTR_SIZEOF("B-224"), "B-224", NID_brainpoolP224r1}, - {XSTR_SIZEOF("B-256"), "B-256", NID_brainpoolP256r1}, - {XSTR_SIZEOF("B-320"), "B-320", NID_brainpoolP320r1}, - {XSTR_SIZEOF("B-384"), "B-384", NID_brainpoolP384r1}, - {XSTR_SIZEOF("B-512"), "B-512", NID_brainpoolP512r1}, -#ifdef HAVE_PQC - {XSTR_SIZEOF("KYBER_LEVEL1"), "KYBER_LEVEL1", WOLFSSL_KYBER_LEVEL1}, - {XSTR_SIZEOF("KYBER_LEVEL3"), "KYBER_LEVEL3", WOLFSSL_KYBER_LEVEL3}, - {XSTR_SIZEOF("KYBER_LEVEL5"), "KYBER_LEVEL5", WOLFSSL_KYBER_LEVEL5}, -#ifdef HAVE_LIBOQS - {XSTR_SIZEOF("P256_KYBER_LEVEL1"), "P256_KYBER_LEVEL1", - WOLFSSL_P256_KYBER_LEVEL1}, - {XSTR_SIZEOF("P384_KYBER_LEVEL3"), "P384_KYBER_LEVEL3", - WOLFSSL_P384_KYBER_LEVEL3}, - {XSTR_SIZEOF("P521_KYBER_LEVEL5"), "P521_KYBER_LEVEL5", - WOLFSSL_P521_KYBER_LEVEL5}, -#endif -#endif -#ifdef WOLFSSL_SM2 - {XSTR_SIZEOF("SM2"), "SM2", NID_sm2}, -#endif - {0, NULL, 0}, -}; -#endif - #if defined(WOLFSSL_TLS13) && defined(HAVE_ECH) /* create the hpke key and ech config to send to clients */ int wolfSSL_CTX_GenerateEchConfig(WOLFSSL_CTX* ctx, const char* publicName, @@ -17599,80 +17555,22 @@ int wolfSSL_get_peer_signature_type_nid(const WOLFSSL* ssl, int* nid) #ifdef HAVE_ECC #if defined(WOLFSSL_TLS13) && defined(HAVE_SUPPORTED_CURVES) -static int populate_groups(int* groups, int max_count, const char *list) -{ - const char *end; - int count = 0; - const WOLF_EC_NIST_NAME* nist_name; - - if (!groups || !list) { - return -1; - } - - for (end = list; ; list = ++end) { - int len; - - if (count > max_count) { - WOLFSSL_MSG("Too many curves in list"); - return -1; - } - while (*end != ':' && *end != '\0') end++; - len = (int)(end - list); /* end points to char after end - * of curve name so no need for -1 */ - if ((len < kNistCurves_MIN_NAME_LEN) || - (len > kNistCurves_MAX_NAME_LEN)) { - WOLFSSL_MSG("Unrecognized curve name in list"); - return -1; - } - for (nist_name = kNistCurves; nist_name->name != NULL; nist_name++) { - if (len == nist_name->name_len && - XSTRNCMP(list, nist_name->name, nist_name->name_len) == 0) { - break; - } - } - if (!nist_name->name) { - WOLFSSL_MSG("Unrecognized curve name in list"); - return -1; - } - groups[count++] = nist_name->nid; - if (*end == '\0') break; - } - - return count; -} - int wolfSSL_CTX_set1_groups_list(WOLFSSL_CTX *ctx, const char *list) { - int groups[WOLFSSL_MAX_GROUP_COUNT]; - int count = 0; - if (!ctx || !list) { return WOLFSSL_FAILURE; } - if ((count = populate_groups(groups, - WOLFSSL_MAX_GROUP_COUNT, list)) == -1) { - return WOLFSSL_FAILURE; - } - - return wolfSSL_CTX_set1_groups(ctx, groups, count); + return set_curves_list(NULL, ctx, list, 0); } int wolfSSL_set1_groups_list(WOLFSSL *ssl, const char *list) { - int groups[WOLFSSL_MAX_GROUP_COUNT]; - int count = 0; - if (!ssl || !list) { return WOLFSSL_FAILURE; } - if ((count = populate_groups(groups, - WOLFSSL_MAX_GROUP_COUNT, list)) == -1) { - return WOLFSSL_FAILURE; - } - - return wolfSSL_set1_groups(ssl, groups, count); + return set_curves_list(ssl, NULL, list, 0); } #endif /* WOLFSSL_TLS13 */ @@ -21388,7 +21286,55 @@ int wolfSSL_curve_is_disabled(const WOLFSSL* ssl, word16 curve_id) #if (defined(HAVE_ECC) || \ defined(HAVE_CURVE25519) || defined(HAVE_CURVE448)) -static int set_curves_list(WOLFSSL* ssl, WOLFSSL_CTX *ctx, const char* names) +#define CURVE_NAME(c) XSTR_SIZEOF((c)), (c) + +const WOLF_EC_NIST_NAME kNistCurves[] = { + {CURVE_NAME("P-160"), NID_secp160r1, WOLFSSL_ECC_SECP160R1}, + {CURVE_NAME("P-160-2"), NID_secp160r2, WOLFSSL_ECC_SECP160R2}, + {CURVE_NAME("P-192"), NID_X9_62_prime192v1, WOLFSSL_ECC_SECP192R1}, + {CURVE_NAME("P-224"), NID_secp224r1, WOLFSSL_ECC_SECP224R1}, + {CURVE_NAME("P-256"), NID_X9_62_prime256v1, WOLFSSL_ECC_SECP256R1}, + {CURVE_NAME("P-384"), NID_secp384r1, WOLFSSL_ECC_SECP384R1}, + {CURVE_NAME("P-521"), NID_secp521r1, WOLFSSL_ECC_SECP521R1}, + {CURVE_NAME("K-160"), NID_secp160k1, WOLFSSL_ECC_SECP160K1}, + {CURVE_NAME("K-192"), NID_secp192k1, WOLFSSL_ECC_SECP192K1}, + {CURVE_NAME("K-224"), NID_secp224k1, WOLFSSL_ECC_SECP224R1}, + {CURVE_NAME("K-256"), NID_secp256k1, WOLFSSL_ECC_SECP256K1}, + {CURVE_NAME("B-256"), NID_brainpoolP256r1, WOLFSSL_ECC_BRAINPOOLP256R1}, + {CURVE_NAME("B-384"), NID_brainpoolP384r1, WOLFSSL_ECC_BRAINPOOLP384R1}, + {CURVE_NAME("B-512"), NID_brainpoolP512r1, WOLFSSL_ECC_BRAINPOOLP512R1}, +#ifdef HAVE_CURVE25519 + {CURVE_NAME("X25519"), NID_X25519, WOLFSSL_ECC_X25519}, +#endif +#ifdef HAVE_CURVE448 + {CURVE_NAME("X448"), NID_X448, WOLFSSL_ECC_X448}, +#endif +#ifdef HAVE_PQC + {CURVE_NAME("KYBER_LEVEL1"), WOLFSSL_KYBER_LEVEL1, WOLFSSL_KYBER_LEVEL1}, + {CURVE_NAME("KYBER_LEVEL3"), WOLFSSL_KYBER_LEVEL3, WOLFSSL_KYBER_LEVEL1}, + {CURVE_NAME("KYBER_LEVEL5"), WOLFSSL_KYBER_LEVEL5, WOLFSSL_KYBER_LEVEL1}, +#ifdef HAVE_LIBOQS + {CURVE_NAME("P256_KYBER_LEVEL1"), WOLFSSL_P256_KYBER_LEVEL1, WOLFSSL_P256_KYBER_LEVEL1}, + {CURVE_NAME("P384_KYBER_LEVEL3"), WOLFSSL_P384_KYBER_LEVEL3, WOLFSSL_P256_KYBER_LEVEL1}, + {CURVE_NAME("P521_KYBER_LEVEL5"), WOLFSSL_P521_KYBER_LEVEL5, WOLFSSL_P256_KYBER_LEVEL1}, +#endif +#endif +#ifdef WOLFSSL_SM2 + {CURVE_NAME("SM2"), NID_sm2, WOLFSSL_ECC_SM2P256V1}, +#endif + /* Alternative curve names */ + {CURVE_NAME("prime256v1"), NID_X9_62_prime256v1, WOLFSSL_ECC_SECP256R1}, + {CURVE_NAME("secp256r1"), NID_X9_62_prime256v1, WOLFSSL_ECC_SECP256R1}, + {CURVE_NAME("secp384r1"), NID_secp384r1, WOLFSSL_ECC_SECP384R1}, + {CURVE_NAME("secp521r1"), NID_secp521r1, WOLFSSL_ECC_SECP521R1}, +#ifdef WOLFSSL_SM2 + {CURVE_NAME("sm2p256v1"), NID_sm2, WOLFSSL_ECC_SM2P256V1}, +#endif + {0, NULL, 0, 0}, +}; + +int set_curves_list(WOLFSSL* ssl, WOLFSSL_CTX *ctx, const char* names, + byte curves_only) { int idx, start = 0, len, i, ret = WOLFSSL_FAILURE; word16 curve; @@ -21401,6 +21347,7 @@ static int set_curves_list(WOLFSSL* ssl, WOLFSSL_CTX *ctx, const char* names) #else int groups[WOLFSSL_MAX_GROUP_COUNT]; #endif + const WOLF_EC_NIST_NAME* nist_name; #ifdef WOLFSSL_SMALL_STACK groups = (int*)XMALLOC(sizeof(int)*WOLFSSL_MAX_GROUP_COUNT, @@ -21420,45 +21367,18 @@ static int set_curves_list(WOLFSSL* ssl, WOLFSSL_CTX *ctx, const char* names) goto leave; XMEMCPY(name, names + start, len); - name[len++] = 0; + name[len] = 0; + curve = WOLFSSL_NAMED_GROUP_INVALID; - /* Use XSTRNCMP to avoid valgrind error. */ - if ((XSTRNCMP(name, "prime256v1", len) == 0) || - (XSTRNCMP(name, "secp256r1", len) == 0) || - (XSTRNCMP(name, "P-256", len) == 0)) - { - curve = WOLFSSL_ECC_SECP256R1; - } - else if ((XSTRNCMP(name, "secp384r1", len) == 0) || - (XSTRNCMP(name, "P-384", len) == 0)) - { - curve = WOLFSSL_ECC_SECP384R1; - } - else if ((XSTRNCMP(name, "secp521r1", len) == 0) || - (XSTRNCMP(name, "P-521", len) == 0)) - { - curve = WOLFSSL_ECC_SECP521R1; - } - #ifdef WOLFSSL_SM2 - else if ((XSTRNCMP(name, "sm2p256v1", len) == 0) || - (XSTRNCMP(name, "SM2", len) == 0)) - { - curve = WOLFSSL_ECC_SM2P256V1; - } - #endif - #ifdef HAVE_CURVE25519 - else if (XSTRNCMP(name, "X25519", len) == 0) - { - curve = WOLFSSL_ECC_X25519; - } - #endif - #ifdef HAVE_CURVE448 - else if (XSTRNCMP(name, "X448", len) == 0) - { - curve = WOLFSSL_ECC_X448; + for (nist_name = kNistCurves; nist_name->name != NULL; nist_name++) { + if (len == nist_name->name_len && + XSTRNCMP(name, nist_name->name, len) == 0) { + curve = nist_name->curve; + break; + } } - #endif - else { + + if (curve == WOLFSSL_NAMED_GROUP_INVALID) { #if !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) && defined(HAVE_ECC) int nret; const ecc_set_type *eccSet; @@ -21482,7 +21402,8 @@ static int set_curves_list(WOLFSSL* ssl, WOLFSSL_CTX *ctx, const char* names) #endif } - if (curve >= WOLFSSL_ECC_MAX_AVAIL) { + if ((curves_only && curve >= WOLFSSL_ECC_MAX_AVAIL) || + curve == WOLFSSL_NAMED_GROUP_INVALID) { WOLFSSL_MSG("curve value is not supported"); goto leave; } @@ -21564,7 +21485,7 @@ int wolfSSL_CTX_set1_curves_list(WOLFSSL_CTX* ctx, const char* names) WOLFSSL_MSG("ctx or names was NULL"); return WOLFSSL_FAILURE; } - return set_curves_list(NULL, ctx, names); + return set_curves_list(NULL, ctx, names, 1); } int wolfSSL_set1_curves_list(WOLFSSL* ssl, const char* names) @@ -21574,7 +21495,7 @@ int wolfSSL_set1_curves_list(WOLFSSL* ssl, const char* names) WOLFSSL_MSG("ssl or names was NULL"); return WOLFSSL_FAILURE; } - return set_curves_list(ssl, NULL, names); + return set_curves_list(ssl, NULL, names, 1); } #endif /* (HAVE_ECC || HAVE_CURVE25519 || HAVE_CURVE448) */ #endif /* OPENSSL_EXTRA || HAVE_CURL */ diff --git a/tests/api.c b/tests/api.c index ae82325c21..aa0e3ea529 100644 --- a/tests/api.c +++ b/tests/api.c @@ -55214,15 +55214,21 @@ static int test_tls13_apis(void) #endif #if defined(OPENSSL_EXTRA) && defined(HAVE_ECC) char groupList[] = +#ifdef HAVE_CURVE25519 + "X25519:" +#endif +#ifdef HAVE_CURVE448 + "X448:" +#endif #ifndef NO_ECC_SECP #if (defined(HAVE_ECC521) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 521 - "P-521:" + "P-521:secp521r1:" #endif #if (defined(HAVE_ECC384) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 384 - "P-384:" + "P-384:secp384r1:" #endif #if (!defined(NO_ECC256) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 256 - "P-256" + "P-256:secp256r1" #if defined(HAVE_PQC) && defined(HAVE_LIBOQS) ":P256_KYBER_LEVEL1" #endif diff --git a/wolfssl/internal.h b/wolfssl/internal.h index a7780768ba..f269959b1b 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -1768,7 +1768,7 @@ enum Misc { ECDHE_SIZE = 32, /* ECDHE server size defaults to 256 bit */ #endif MAX_EXPORT_ECC_SZ = 256, /* Export ANSI X9.62 max future size */ - MAX_CURVE_NAME_SZ = 16, /* Maximum size of curve name string */ + MAX_CURVE_NAME_SZ = 18, /* Maximum size of curve name string */ NEW_SA_MAJOR = 8, /* Most significant byte used with new sig algos */ ED25519_SA_MAJOR = 8, /* Most significant byte for ED25519 */ @@ -6117,16 +6117,11 @@ typedef struct { int name_len; const char *name; int nid; + word16 curve; } WOLF_EC_NIST_NAME; extern const WOLF_EC_NIST_NAME kNistCurves[]; -/* This is the longest and shortest curve name in the kNistCurves list. Note we - * also have quantum-safe group names as well. */ -#define kNistCurves_MIN_NAME_LEN 5 -#ifdef HAVE_PQC -#define kNistCurves_MAX_NAME_LEN 32 -#else -#define kNistCurves_MAX_NAME_LEN 7 -#endif +WOLFSSL_LOCAL int set_curves_list(WOLFSSL* ssl, WOLFSSL_CTX *ctx, + const char* names, byte curves_only); #endif /* OPENSSL_EXTRA || WOLFSSL_WPAS_SMALL */ /* internal functions */ diff --git a/wolfssl/openssl/ec.h b/wolfssl/openssl/ec.h index 23ef5e9a29..dfd754f0d7 100644 --- a/wolfssl/openssl/ec.h +++ b/wolfssl/openssl/ec.h @@ -74,9 +74,15 @@ enum { #ifdef HAVE_ED448 NID_ED448 = ED448k, #endif +#ifdef HAVE_CURVE448 + NID_X448 = X448k, +#endif #ifdef HAVE_ED25519 NID_ED25519 = ED25519k, #endif +#ifdef HAVE_CURVE25519 + NID_X25519 = X25519k, +#endif OPENSSL_EC_EXPLICIT_CURVE = 0x000, OPENSSL_EC_NAMED_CURVE = 0x001,