OWE with hostapd versions compiled using wolfssl are currently broken.
Clients receive Association Rejects when attempting to connect to the
AP.
This is due to WolfSSL returning MISING_RNG_E in
wc_ecc_shared_secret_gen_sync when hardened builds are enabled, as
hostapd does not provide an initialized rng with the ecc key.
Other approaches would be to patch out enabling ECC_TIMING_RESISTANT on
a hardened build or patching hostapd to store the rng with the ECC key.
However, it looks like there is no interface in WolfSSL to store the rng
regardless of whether or not hardened builds are enabled. So the latter
solution would probably also end up being a downstream patch unless
someone implements such an interface in WolfSSL.
FWIW it looks like this is broken since at least commit
6467de5a8840
("Randomize z ordinates in scalar mult when timing resistant")
Run-tested: ath9k / OCEDO Raccoon
Signed-off-by: David Bauer <[email protected]>
--enable-stunnel \
--disable-crypttests \
--disable-examples \
+ --disable-harden \
--disable-jobserver \
--$(if $(CONFIG_IPV6),enable,disable)-ipv6 \
--$(if $(CONFIG_WOLFSSL_HAS_AES_CCM),enable,disable)-aesccm \
projects / openwrt / staging / blocktrron.git / commitdiff