[PATCH 0/3] Support TLS/SSL and WPA3-Personal/SAE by default
Petr Štetiar
ynezz at true.cz
Mon Jul 27 04:50:48 EDT 2020
Hauke Mehrtens <hauke at hauke-m.de> [2020-07-26 19:15:59]:
> How stable is the ABI of wolfssl?
I assume that we're going to find the answer in the upcoming years :-)
Anyway, by looking purely at the Git log of hostapd it seems stable.
$ git log --pretty="%ci %s" src/crypto/*wolfssl*
2020-05-16 21:02:17 +0300 wolfssl: Fix crypto_bignum_rand() implementation
2020-05-16 21:01:51 +0300 wolfssl: Fix compiler warnings on size_t printf format use
2020-02-29 23:26:26 +0200 crypto: Add a function to get the ECDH prime length
2019-10-25 19:29:53 +0300 crypto: Remove unused crypto_bignum_sqrtmod()
2019-10-14 19:38:41 +0300 wolfSSL: Fix crypto_bignum_sub()
2019-10-14 19:38:41 +0300 crypto: Add more bignum/EC helper functions
2019-08-06 13:12:37 +0300 wolfssl: Avoid void pointer arithmetic
2019-05-26 16:11:56 +0300 More forceful clearing of stack memory with keys
2019-04-26 17:43:45 +0300 Remove unused crypto_bignum_bits()
2019-04-13 18:28:05 +0300 Remove the unused crypto_ec_cofactor() function
2019-04-09 16:24:38 +0300 Extend domain_match and domain_suffix_match to allow list of values
2019-04-09 16:24:38 +0300 wolfSSL: Fix dNSName matching with domain_match and domain_suffix_match
2019-03-16 18:52:09 +0200 Add support for an optional context parameter to TLS exporter
2019-03-11 14:09:45 +0200 OpenSSL: Add 'check_cert_subject' support for TLS server
2019-03-05 17:05:03 +0200 Add explicit checks for peer's DH public key
2018-12-31 12:51:51 +0200 hostapd: Add configuration option check_crl_strict
2018-12-30 17:21:55 +0200 OpenSSL: Add openssl_ecdh_curves parameter
2018-10-11 12:12:30 +0300 TLS: Add tls_connection_peer_serial_num()
2018-05-17 22:02:02 +0300 wolfSSL: Fix crypto_bignum_rshift() wrapper
2018-05-17 20:08:22 +0300 wolfSSL: DH initialization to call TEST_FAIL() for error tests
2018-05-17 20:08:15 +0300 wolfSSL: Fix ECDH set peer to use the index when importing point
2018-05-02 13:32:51 +0300 wolfSSL: Fix EAP-FAST key derivation
2018-05-02 13:32:51 +0300 wolfSSL: Do not free cert store after setting it
2018-05-02 13:32:51 +0300 wolfSSL: Fix OCSP ifdefs
2018-05-02 13:32:51 +0300 wolfSSL: Fix altSubjectName handling
2018-05-02 13:32:51 +0300 wolfSSL: Use defines from wolfssl/options.h
2018-05-02 13:32:51 +0300 wolfSSL: Use wolfSSL memory allocation in dh5_init()
2018-05-02 13:32:51 +0300 wolfSSL: Load certificates using 'chain' APIs
2018-05-02 13:32:51 +0300 wolfSSL: Changes for memory allocation failure testing
2018-05-02 13:32:51 +0300 wolfSSL: Fix crypto_hash_init() memory clearing
2018-05-02 13:32:51 +0300 wolfSSL: Fix crypto_ec_point_y_sqr()
2018-05-02 13:32:51 +0300 wolfSSL: Fix crypto_ec_point_solve_y_coord()
2018-05-02 13:32:49 +0300 wolfSSL: Add crypto_ecdh_*()
2018-05-02 12:04:46 +0300 wolfSSL: Use new digest namespace
2018-05-02 00:37:57 +0300 wolfSSL: Fix conditional EAP-FAST compilation issue
2018-03-03 11:52:40 +0200 Add support for wolfSSL cryptographic library
> We probably have to update it to new versions in the lifetime and then
> it would be nice if we only have to update the wolfssl package.
We're using a stable release, so this should be doable.
> Is this also enough to make LUCI work with https when just luci is
> activated?
I didn't try it yet, but I assume that uhttpd uses libustream-wolfssl for
the TLS, so it should work out of the box. As Daniel already pointed out, the
"only" missing bit is px5g-wolfssl for self-signed certificate generation.
-- ynezz