wolfSupplicant: clean-room WPA/WPA2/WPA3 supplicant (PSK 4-way, EAP-TLS, PEAP/MSCHAPv2, SAE with H2E)#123
Draft
dgarske wants to merge 4 commits into
Draft
wolfSupplicant: clean-room WPA/WPA2/WPA3 supplicant (PSK 4-way, EAP-TLS, PEAP/MSCHAPv2, SAE with H2E)#123dgarske wants to merge 4 commits into
dgarske wants to merge 4 commits into
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
Adds a clean-room WPA/WPA2/WPA3 supplicant (“wolfSupplicant”) to wolfIP and introduces Linux hostapd-based interop harnesses (wired + mac80211_hwsim) to validate EAP-TLS/PEAP, WPA2-PSK 4-way, and WPA3-SAE flows against a real authenticator.
Changes:
- Introduces an optional Wi‑Fi control vtable (
wolfIP_wifi_ops) and an EAPOL (0x888E) RX demux hook for supplicant integration. - Adds the supplicant implementation (
src/supplicant/*) including EAP-TLS, PEAP/MSCHAPv2, RSN parsing, WPA(2) 4-way, and SAE (incl. H2E) plus test binaries. - Adds hostapd/mac80211_hwsim scripts + templates and an
nl80211_connecthelper, and wires new build/test targets into the Makefile.
Reviewed changes
Copilot reviewed 50 out of 50 changed files in this pull request and generated 8 comments.
Show a summary per file
| File | Description |
|---|---|
| wolfip.h | Adds Wi‑Fi ops vtable + public EAPOL handler registration API. |
| src/wolfip.c | Implements EAPOL handler registration and EAPOL ethertype demux in RX path. |
| src/test/unit/unit_tests_dns_dhcp.c | Adds unit coverage for EAPOL handler register/unregister behavior. |
| src/test/unit/unit.c | Registers the new unit test in the suite. |
| Makefile | Adds supplicant build outputs and hostapd/hwsim interop targets (+ nl80211 helper build). |
| src/supplicant/supplicant.c | Core supplicant state machine (PSK/EAP/SAE integration). |
| src/supplicant/supplicant.h | Supplicant public interface/types. |
| src/supplicant/eapol.c | 802.1X/EAPOL framing helpers. |
| src/supplicant/eapol.h | EAPOL constants and APIs. |
| src/supplicant/eap.c | EAP packet parsing/building. |
| src/supplicant/eap.h | EAP structs/APIs and documentation for EAP parsing/building. |
| src/supplicant/eap_tls.c | EAP-TLS outer method implementation. |
| src/supplicant/eap_tls.h | EAP-TLS API/types. |
| src/supplicant/eap_tls_engine.c | TLS engine glue (wolfSSL IO/exporter integration) for EAP-TLS/PEAP. |
| src/supplicant/eap_tls_engine.h | TLS engine API/types. |
| src/supplicant/eap_peap.c | PEAP outer method implementation (when enabled). |
| src/supplicant/eap_peap.h | PEAP API/types. |
| src/supplicant/mschapv2.c | MSCHAPv2 inner method implementation (when enabled). |
| src/supplicant/mschapv2.h | MSCHAPv2 API/types. |
| src/supplicant/rsn_ie.c | RSN IE parse/build utilities (AKM/ciphers). |
| src/supplicant/rsn_ie.h | RSN IE API/types. |
| src/supplicant/wpa_crypto.c | WPA(2) key derivation/PRFs and related crypto helpers. |
| src/supplicant/wpa_crypto.h | WPA crypto API/types. |
| src/supplicant/sae_crypto.c | SAE (dragonfly) + H2E crypto/state helpers. |
| src/supplicant/sae_crypto.h | SAE crypto API/types. |
| src/supplicant/test_eap_certs.h | Test certificate material helpers for EAP-TLS/PEAP tests. |
| src/supplicant/test_eap_framing.c | Unit tests for EAP framing/parsing. |
| src/supplicant/test_eap_tls_engine.c | Unit tests for EAP-TLS engine behavior. |
| src/supplicant/test_mschapv2.c | Unit tests for MSCHAPv2 vectors. |
| src/supplicant/test_wpa_crypto.c | Unit tests for WPA crypto routines. |
| src/supplicant/test_supplicant_4way.c | In-process tests for 4-way handshake state machine. |
| src/supplicant/test_supplicant_eap_tls.c | In-process tests for EAP-TLS supplicant flow. |
| src/supplicant/test_sae_crypto.c | Unit tests/vectors for SAE crypto (incl. H2E). |
| src/supplicant/test_supplicant_sae.c | In-process tests for SAE handshake state machine. |
| src/supplicant/test_supplicant_hostapd.c | Wired hostapd interop test binary for EAP-TLS. |
| src/supplicant/test_supplicant_hostapd_psk.c | hostapd interop test binary for WPA2-PSK path. |
| src/supplicant/test_supplicant_hostapd_peap.c | hostapd interop test binary for PEAP/MSCHAPv2 path. |
| src/supplicant/test_supplicant_hostapd_sae.c | nl80211 external-auth hostapd interop test binary for SAE. |
| tools/hostapd/README.md | Documents hostapd-based interop harness setup/targets/flags. |
| tools/hostapd/run_hostapd_test.sh | Runner for wired hostapd interop (veth pair). |
| tools/hostapd/run_hwsim_psk_test.sh | Runner for mac80211_hwsim WPA2-PSK interop (nl80211 + hostapd). |
| tools/hostapd/run_hwsim_sae_test.sh | Runner for mac80211_hwsim SAE interop attempt (documents SoftMAC limitation). |
| tools/hostapd/hostapd.conf.template | hostapd wired-mode EAP server template for interop harness. |
| tools/hostapd/hostapd_psk.conf.template | hostapd PSK template for wired path (documented limitation). |
| tools/hostapd/hostapd_psk_hwsim.conf.template | hostapd nl80211 WPA2-PSK AP template for hwsim path. |
| tools/hostapd/hostapd_sae_hwsim.conf.template | hostapd nl80211 WPA3-SAE AP template for hwsim path. |
| tools/hostapd/eap_users | EAP users file for EAP-TLS interop. |
| tools/hostapd/eap_users_peap | EAP users file for PEAP/MSCHAPv2 interop. |
| tools/hostapd/nl80211_connect.c | Minimal libnl nl80211 client to associate STA with CONTROL_PORT for external EAPOL handling. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
dgarske
force-pushed
the
supplicant
branch
2 times, most recently
from
efe6635 to
d71bf94
Compare
…PA3-SAE interop
Adds the SoftMAC path that lets the wolfSupplicant's WPA3-SAE (and PSK /
802.1X) handshakes run over a real mac80211 radio - mac80211_hwsim for
hardware-free CI, or a SoftMAC USB card (TP-Link ath9k_htc / rtl8xxxu /
mt76).
- tools/hostapd/nl80211_sta.{c,h}: reusable STA radio glue. SAE via
NL80211_CMD_AUTHENTICATE (Commit/Confirm in NL80211_ATTR_SAE_DATA) +
NL80211_CMD_ASSOCIATE; PSK/802.1X via NL80211_CMD_CONNECT; PTK/GTK
install via NL80211_CMD_NEW_KEY; EAPOL over the AF_PACKET control port.
- src/supplicant/test_supplicant_hwsim_sae_softmac.c + the
run_hwsim_sae_softmac_test.sh / -h2e runners and Makefile targets
(supplicant-hwsim-sae-softmac-test, -h2e-test). Validated to
AUTHENTICATED against hostapd over mac80211_hwsim for both
hunt-and-peck and RFC 9380 H2E (P-256).
- tools/wolfsta/: wolfIP + wolfSupplicant host STA application that joins
a network and obtains a DHCP lease over the encrypted link.
Unlike the FullMAC external-auth path (test_supplicant_hostapd_sae.c),
this is the surface mac80211_hwsim supports, so it validates with no
hardware.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
wolfSupplicant: clean-room WPA2 / WPA2-Enterprise / WPA3 supplicant
Adds an in-tree Wi-Fi supplicant (
src/supplicant/) built directly on wolfSSL/wolfCrypt: WPA2-Personal (PSK), WPA2-Enterprise (EAP-TLS, optional PEAP/MSCHAPv2), and WPA3-Personal (SAE). Transport-agnostic, caller-allocated context, no dynamic allocation on the bare-metal path. ~5,000 lines of C (~6,500 with headers), each method selectable at build time.Commits
sae_crypto.c), EAP-TLS engine (wolfSSL native + custom IO), AES-CMAC/Key-Wrap, RSN IE handling, and the host unit + hostapd test suite.tools/hostapd/nl80211_sta.cdrives a Linux mac80211 station (AUTHENTICATE+SAE_DATA / ASSOCIATE / NEW_KEY / control-port) and wires it to the supplicant ops;tools/wolfsta/is a wolfIP+supplicant host app (join -> DHCP -> ping/UDP echo).What's validated
Against real hostapd over mac80211_hwsim (SoftMAC; same code path a TP-Link USB card uses), all reaching
AUTHENTICATED:Plus: STM32H563 authenticates over wired 802.1X EAP-TLS on hardware; host unit tests cover the 4-way, SAE crypto (incl. RFC 9380 J.1.1 P-256 KAT), EAP-TLS, and MSCHAPv2 vectors.
Notable correctness work
--enable-cmacdependency.8 - 521%8 = 7bits before the< ptest (matching hostapd'sbuf_shift_right) - the prior high-byte mask agreed with an in-process peer but not hostapd.SET_PMKSApath); hostapd matches the cached PMKSA and runs the 4-way directly.Build flags
WOLFIP_ENABLE_EAP_TLS(1),WOLFIP_ENABLE_SAE(1, needsWOLFSSL_PUBLIC_MP),WOLFIP_ENABLE_SAE_H2E(1),WOLFIP_ENABLE_SAE_HNP(1),WOLFIP_ENABLE_PEAP_MSCHAPV2(0, pulls in MD4/DES). Compile in only what you ship.Testing
hwsim targets need root,
mac80211_hwsim,hostapd,iw, andlibnl-genl-3. Seetools/hostapd/README.mdfor the full matrix and wolfSSL build flags.Licensed GPLv3; commercial licensing available from wolfSSL.