Merge branch 'feature/rename_wpa2_ent_to_eap_client' into 'master'

WiFi: Rename WPA2 enterprise APIs to EAP Client.

See merge request espressif/esp-idf!25233
This commit is contained in:
Kapil Gupta 2023-09-18 16:16:54 +08:00
commit 3b748a6cb7
26 changed files with 915 additions and 272 deletions

View File

@ -281,7 +281,7 @@ menu "Wi-Fi"
config ESP_WIFI_ENABLE_WPA3_SAE
bool "Enable WPA3-Personal"
default y
depends on ESP_WIFI_MBEDTLS_CRYPTO
select ESP_WIFI_MBEDTLS_CRYPTO
help
Select this option to allow the device to establish a WPA3-Personal connection with eligible AP's.
PMF (Protected Management Frames) is a prerequisite feature for a WPA3 connection, it needs to be
@ -465,9 +465,16 @@ menu "Wi-Fi"
select MBEDTLS_ECP_C
select MBEDTLS_ECDH_C
select MBEDTLS_ECDSA_C
select MBEDTLS_TLS_ENABLED
select MBEDTLS_CMAC_C
select MBEDTLS_ECP_DP_SECP256R1_ENABLED
help
Select this option to use MbedTLS crypto APIs which utilize hardware acceleration.
Select this option to enable the use of MbedTLS crypto APIs.
The internal crypto support within the supplicant is limited
and may not suffice for all new security features, including WPA3.
It is recommended to always keep this option enabled. Additionally,
note that MbedTLS can leverage hardware acceleration if available,
resulting in significantly faster cryptographic operations.
if ESP_WIFI_MBEDTLS_CRYPTO
config ESP_WIFI_MBEDTLS_TLS_CLIENT
@ -493,6 +500,7 @@ menu "Wi-Fi"
config ESP_WIFI_SUITE_B_192
bool "Enable NSA suite B support with 192 bit key"
default n
depends on SOC_WIFI_GCMP_SUPPORT
select ESP_WIFI_GCMP_SUPPORT
select ESP_WIFI_GMAC_SUPPORT
help

View File

@ -61,7 +61,8 @@ set(srcs "port/os_xtensa.c"
"src/wps/wps_dev_attr.c"
"src/wps/wps_enrollee.c")
set(esp_srcs "esp_supplicant/src/esp_wpa2.c"
set(esp_srcs "esp_supplicant/src/esp_eap_client.c"
"esp_supplicant/src/esp_wpa2_api_port.c"
"esp_supplicant/src/esp_wpa_main.c"
"esp_supplicant/src/esp_wpas_glue.c"
"esp_supplicant/src/esp_common.c"

View File

@ -0,0 +1,326 @@
/*
* SPDX-FileCopyrightText: 2023 Espressif Systems (Shanghai) CO LTD
*
* SPDX-License-Identifier: Apache-2.0
*/
#pragma once
#include <stdbool.h>
#include "esp_err.h"
#ifdef __cplusplus
extern "C" {
#endif
/**
* @brief Enumeration of phase 2 authentication types for EAP-TTLS.
*
* This enumeration defines the supported phase 2 authentication methods
* that can be used in the EAP-TTLS (Extensible Authentication Protocol -
* Tunneled Transport Layer Security) protocol for the second authentication
* phase.
*/
typedef enum {
ESP_EAP_TTLS_PHASE2_EAP, /**< EAP (Extensible Authentication Protocol) */
ESP_EAP_TTLS_PHASE2_MSCHAPV2, /**< MS-CHAPv2 (Microsoft Challenge Handshake Authentication Protocol - Version 2) */
ESP_EAP_TTLS_PHASE2_MSCHAP, /**< MS-CHAP (Microsoft Challenge Handshake Authentication Protocol) */
ESP_EAP_TTLS_PHASE2_PAP, /**< PAP (Password Authentication Protocol) */
ESP_EAP_TTLS_PHASE2_CHAP /**< CHAP (Challenge Handshake Authentication Protocol) */
} esp_eap_ttls_phase2_types;
/**
* @brief Configuration settings for EAP-FAST
* (Extensible Authentication Protocol - Flexible Authentication via Secure Tunneling).
*
* This structure defines the configuration options that can be used to customize the behavior of the
* EAP-FAST authentication protocol, specifically for Fast Provisioning and PAC (Protected Access Credential) handling.
*/
typedef struct {
int fast_provisioning; /**< Enable or disable Fast Provisioning in EAP-FAST (0 = disabled, 1 = enabled) */
int fast_max_pac_list_len; /**< Maximum length of the PAC (Protected Access Credential) list */
bool fast_pac_format_binary; /**< Set to true for binary format PAC, false for ASCII format PAC */
} esp_eap_fast_config;
/**
* @brief Enable EAP authentication(WiFi Enterprise) for the station mode.
*
* This function enables Extensible Authentication Protocol (EAP) authentication
* for the Wi-Fi station mode. When EAP authentication is enabled, the ESP device
* will attempt to authenticate with the configured EAP credentials when connecting
* to a secure Wi-Fi network.
*
* @note Before calling this function, ensure that the Wi-Fi configuration and EAP
* credentials (such as username and password) have been properly set using the
* appropriate configuration APIs.
*
* @return
* - ESP_OK: EAP authentication enabled successfully.
* - ESP_ERR_NO_MEM: Failed to enable EAP authentication due to memory allocation failure.
*/
esp_err_t esp_wifi_sta_enterprise_enable(void);
/**
* @brief Disable EAP authentication(WiFi Enterprise) for the station mode.
*
* This function disables Extensible Authentication Protocol (EAP) authentication
* for the Wi-Fi station mode. When EAP authentication is disabled, the ESP device
* will not attempt to authenticate using EAP credentials when connecting to a
* secure Wi-Fi network.
*
* @note Disabling EAP authentication may cause the device to connect to the Wi-Fi
* network using other available authentication methods, if configured using esp_wifi_set_config().
*
* @return
* - ESP_OK: EAP authentication disabled successfully.
* - ESP_ERR_INVALID_STATE: EAP client is in an invalid state for disabling.
*/
esp_err_t esp_wifi_sta_enterprise_disable(void);
/**
* @brief Set identity for PEAP/TTLS authentication method.
*
* This function sets the identity to be used during PEAP/TTLS authentication.
*
* @param[in] identity Pointer to the identity data.
* @param[in] len Length of the identity data (limited to 1~127 bytes).
*
* @return
* - ESP_OK: The identity was set successfully.
* - ESP_ERR_INVALID_ARG: Invalid argument (len <= 0 or len >= 128).
* - ESP_ERR_NO_MEM: Memory allocation failure.
*/
esp_err_t esp_eap_client_set_identity(const unsigned char *identity, int len);
/**
* @brief Clear the previously set identity for PEAP/TTLS authentication.
*
* This function clears the identity that was previously set for the EAP client.
* After calling this function, the EAP client will no longer use the previously
* configured identity during the authentication process.
*/
void esp_eap_client_clear_identity(void);
/**
* @brief Set username for PEAP/TTLS authentication method.
*
* This function sets the username to be used during PEAP/TTLS authentication.
*
* @param[in] username Pointer to the username data.
* @param[in] len Length of the username data (limited to 1~127 bytes).
*
* @return
* - ESP_OK: The username was set successfully.
* - ESP_ERR_INVALID_ARG: Failed due to an invalid argument (len <= 0 or len >= 128).
* - ESP_ERR_NO_MEM: Failed due to memory allocation failure.
*/
esp_err_t esp_eap_client_set_username(const unsigned char *username, int len);
/**
* @brief Clear username for PEAP/TTLS method.
*
* This function clears the previously set username for the EAP client.
*/
void esp_eap_client_clear_username(void);
/**
* @brief Set password for PEAP/TTLS authentication method.
*
* This function sets the password to be used during PEAP/TTLS authentication.
*
* @param[in] password Pointer to the password data.
* @param[in] len Length of the password data (len > 0).
*
* @return
* - ESP_OK: The password was set successfully.
* - ESP_ERR_INVALID_ARG: Failed due to an invalid argument (len <= 0).
* - ESP_ERR_NO_MEM: Failed due to memory allocation failure.
*/
esp_err_t esp_eap_client_set_password(const unsigned char *password, int len);
/**
* @brief Clear password for PEAP/TTLS method.
*
* This function clears the previously set password for the EAP client.
*/
void esp_eap_client_clear_password(void);
/**
* @brief Set a new password for MSCHAPv2 authentication method.
*
* This function sets the new password to be used during MSCHAPv2 authentication.
* The new password is used to substitute the old password when an eap-mschapv2 failure request
* message with error code ERROR_PASSWD_EXPIRED is received.
*
* @param[in] new_password Pointer to the new password data.
* @param[in] len Length of the new password data.
*
* @return
* - ESP_OK: The new password was set successfully.
* - ESP_ERR_INVALID_ARG: Failed due to an invalid argument (len <= 0).
* - ESP_ERR_NO_MEM: Failed due to memory allocation failure.
*/
esp_err_t esp_eap_client_set_new_password(const unsigned char *new_password, int len);
/**
* @brief Clear new password for MSCHAPv2 method.
*
* This function clears the previously set new password for the EAP client.
*/
void esp_eap_client_clear_new_password(void);
/**
* @brief Set CA certificate for EAP authentication.
*
* This function sets the Certificate Authority (CA) certificate to be used during EAP authentication.
* The CA certificate is passed to the EAP client module through a global pointer.
*
* @param[in] ca_cert Pointer to the CA certificate data.
* @param[in] ca_cert_len Length of the CA certificate data.
*
* @return
* - ESP_OK: The CA certificate was set successfully.
*/
esp_err_t esp_eap_client_set_ca_cert(const unsigned char *ca_cert, int ca_cert_len);
/**
* @brief Clear the previously set Certificate Authority (CA) certificate for EAP authentication.
*
* This function clears the CA certificate that was previously set for the EAP client.
* After calling this function, the EAP client will no longer use the previously
* configured CA certificate during the authentication process.
*/
void esp_eap_client_clear_ca_cert(void);
/**
* @brief Set client certificate and private key for EAP authentication.
*
* This function sets the client certificate and private key to be used during authentication.
* Optionally, a private key password can be provided for encrypted private keys.
*
* @attention 1. The client certificate, private key, and private key password are provided as pointers
* to the respective data arrays.
* @attention 2. The client_cert, private_key, and private_key_password should be zero-terminated.
*
* @param[in] client_cert Pointer to the client certificate data.
* @param[in] client_cert_len Length of the client certificate data.
* @param[in] private_key Pointer to the private key data.
* @param[in] private_key_len Length of the private key data (limited to 1~4096 bytes).
* @param[in] private_key_password Pointer to the private key password data (optional).
* @param[in] private_key_passwd_len Length of the private key password data (can be 0 for no password).
*
* @return
* - ESP_OK: The certificate, private key, and password (if provided) were set successfully.
*/
esp_err_t esp_eap_client_set_certificate_and_key(const unsigned char *client_cert, int client_cert_len,
const unsigned char *private_key, int private_key_len,
const unsigned char *private_key_password, int private_key_passwd_len);
/**
* @brief Clear the previously set client certificate and private key for EAP authentication.
*
* This function clears the client certificate and private key that were previously set
* for the EAP client. After calling this function, the EAP client will no longer use the
* previously configured certificate and private key during the authentication process.
*/
void esp_eap_client_clear_certificate_and_key(void);
/**
* @brief Set EAP client certificates time check (disable or not).
*
* This function enables or disables the time check for EAP client certificates.
* When disabled, the certificates' expiration time will not be checked during the authentication process.
*
* @param[in] disable True to disable EAP client certificates time check, false to enable it.
*
* @return
* - ESP_OK: The EAP client certificates time check setting was updated successfully.
*/
esp_err_t esp_eap_client_set_disable_time_check(bool disable);
/**
* @brief Get EAP client certificates time check status.
*
* This function retrieves the current status of the EAP client certificates time check.
*
* @param[out] disable Pointer to a boolean variable to store the disable status.
*
* @return
* - ESP_OK: The status of EAP client certificates time check was retrieved successfully.
*/
esp_err_t esp_eap_client_get_disable_time_check(bool *disable);
/**
* @brief Set EAP-TTLS phase 2 method.
*
* This function sets the phase 2 method to be used during EAP-TTLS authentication.
*
* @param[in] type The type of phase 2 method to be used (e.g., EAP, MSCHAPv2, MSCHAP, PAP, CHAP).
*
* @return
* - ESP_OK: The EAP-TTLS phase 2 method was set successfully.
*/
esp_err_t esp_eap_client_set_ttls_phase2_method(esp_eap_ttls_phase2_types type);
/**
* @brief Enable or disable Suite-B 192-bit certification checks.
*
* This function enables or disables the 192-bit Suite-B certification checks during EAP-TLS authentication.
* Suite-B is a set of cryptographic algorithms which generally are considered more secure.
*
* @param[in] enable True to enable 192-bit Suite-B certification checks, false to disable it.
*
* @return
* - ESP_OK: The 192-bit Suite-B certification checks were set successfully.
*/
esp_err_t esp_eap_client_set_suiteb_192bit_certification(bool enable);
/**
* @brief Set the PAC (Protected Access Credential) file for EAP-FAST authentication.
*
* EAP-FAST requires a PAC file that contains the client's credentials.
*
* @attention 1. For files read from the file system, length has to be decremented by 1 byte.
* @attention 2. Disabling the ESP_WIFI_MBEDTLS_TLS_CLIENT config is required to use EAP-FAST.
*
* @param[in] pac_file Pointer to the PAC file buffer.
* @param[in] pac_file_len Length of the PAC file buffer.
*
* @return
* - ESP_OK: The PAC file for EAP-FAST authentication was set successfully.
*/
esp_err_t esp_eap_client_set_pac_file(const unsigned char *pac_file, int pac_file_len);
/**
* @brief Set the parameters for EAP-FAST Phase 1 authentication.
*
* EAP-FAST supports Fast Provisioning, where clients can be authenticated faster using precomputed keys (PAC).
* This function allows configuring parameters for Fast Provisioning.
*
* @attention 1. Disabling the ESP_WIFI_MBEDTLS_TLS_CLIENT config is required to use EAP-FAST.
*
* @param[in] config Configuration structure with Fast Provisioning parameters.
*
* @return
* - ESP_OK: The parameters for EAP-FAST Phase 1 authentication were set successfully.
*/
esp_err_t esp_eap_client_set_fast_params(esp_eap_fast_config config);
/**
* @brief Use the default certificate bundle for EAP authentication.
*
* By default, the EAP client uses a built-in certificate bundle for server verification.
* Enabling this option allows the use of the default certificate bundle.
*
* @param[in] use_default_bundle True to use the default certificate bundle, false to use a custom bundle.
*
* @return
* - ESP_OK: The option to use the default certificate bundle was set successfully.
*/
esp_err_t esp_eap_client_use_default_cert_bundle(bool use_default_bundle);
#ifdef __cplusplus
}
#endif

View File

@ -1,5 +1,5 @@
/*
* SPDX-FileCopyrightText: 2021 Espressif Systems (Shanghai) CO LTD
* SPDX-FileCopyrightText: 2021-2023 Espressif Systems (Shanghai) CO LTD
*
* SPDX-License-Identifier: Apache-2.0
*/
@ -13,39 +13,41 @@ extern "C" {
#endif
/**
* enum non_pref_chan_reason: Reason for non preference of channel
*/
* @brief Enumeration of reasons for a channel being non-preferred in a wireless network.
*
* This enumeration defines various reasons why a specific channel might be considered non-preferred
* in a wireless network configuration.
*/
enum non_pref_chan_reason {
NON_PREF_CHAN_REASON_UNSPECIFIED = 0,
NON_PREF_CHAN_REASON_RSSI = 1,
NON_PREF_CHAN_REASON_EXT_INTERFERENCE = 2,
NON_PREF_CHAN_REASON_INT_INTERFERENCE = 3,
NON_PREF_CHAN_REASON_UNSPECIFIED = 0, /**< Unspecified reason for non-preference */
NON_PREF_CHAN_REASON_RSSI = 1, /**< Non-preferred due to low RSSI (Received Signal Strength Indication) */
NON_PREF_CHAN_REASON_EXT_INTERFERENCE = 2, /**< Non-preferred due to external interference */
NON_PREF_CHAN_REASON_INT_INTERFERENCE = 3, /**< Non-preferred due to internal interference */
};
/**
* @brief Channel structure for non preferred channel
*
* @param reason: enum non_pref_chan_reason
* @param oper_class: operating class for the channel
* @param chan: channel number
* @param preference: channel preference
*/
* @brief Structure representing a non-preferred channel in a wireless network.
*
* This structure encapsulates information about a non-preferred channel
* including the reason for its non-preference, the operating class, channel number, and preference level.
*/
struct non_pref_chan {
enum non_pref_chan_reason reason;
uint8_t oper_class;
uint8_t chan;
uint8_t preference;
enum non_pref_chan_reason reason; /**< Reason for the channel being non-preferred */
uint8_t oper_class; /**< Operating class of the channel */
uint8_t chan; /**< Channel number */
uint8_t preference; /**< Preference level of the channel */
};
/**
* @brief Array structure for non preferred channel struct
*
* @param non_pref_chan_num: channel count
* @param chan: array of non_pref_chan type
*/
* @brief Structure representing a list of non-preferred channels in a wireless network.
*
* This structure encapsulates information about a list of non-preferred channels
* including the number of non-preferred channels and an array of structures
* representing individual non-preferred channels.
*/
struct non_pref_chan_s {
size_t non_pref_chan_num;
struct non_pref_chan chan[];
size_t non_pref_chan_num; /**< Number of non-preferred channels in the list */
struct non_pref_chan chan[]; /**< Array of structures representing individual non-preferred channels */
};
/**

View File

@ -7,31 +7,16 @@
#ifndef _ESP_WPA2_H
#define _ESP_WPA2_H
#include <stdbool.h>
#pragma message("esp_wpa2.h is deprecated. Use esp_eap_client.h instead.")
#include "esp_err.h"
typedef enum {
ESP_EAP_TTLS_PHASE2_EAP,
ESP_EAP_TTLS_PHASE2_MSCHAPV2,
ESP_EAP_TTLS_PHASE2_MSCHAP,
ESP_EAP_TTLS_PHASE2_PAP,
ESP_EAP_TTLS_PHASE2_CHAP
} esp_eap_ttls_phase2_types;
typedef struct {
int fast_provisioning;
int fast_max_pac_list_len;
bool fast_pac_format_binary;
} esp_eap_fast_config;
#ifdef __cplusplus
extern "C" {
#endif
#include "esp_eap_client.h"
/**
* @brief Enable wpa2 enterprise authentication.
*
* @deprecated This function is deprecated and will be removed in the future.
* Please use `esp_wifi_sta_enterprise_enable()` instead.
*
* @attention 1. wpa2 enterprise authentication can only be used when station mode is enabled.
* @attention 2. wpa2 enterprise authentication supports EAP-FAST, TLS, PEAP, TTLS(EAP, MSCHAPv2, MSCHAP, PAP, CHAP) methods.
*
@ -39,22 +24,30 @@ extern "C" {
* - ESP_OK: succeed.
* - ESP_ERR_NO_MEM: fail(internal memory malloc fail)
*/
__attribute__((deprecated("Use 'esp_wifi_sta_enterprise_enable' instead")))
esp_err_t esp_wifi_sta_wpa2_ent_enable(void);
/**
* @brief Disable wpa2 enterprise authentication.
*
* @deprecated This function is deprecated and will be removed in the future.
* Please use `esp_wifi_sta_enterprise_disable()` instead.
*
* @attention 1. wpa2 enterprise authentication can only be used when station mode is enabled.
* @attention 2. wpa2 enterprise authentication supports EAP-FAST, TLS, PEAP, TTLS(EAP, MSCHAPv2, MSCHAP, PAP, CHAP) methods.
*
* @return
* - ESP_OK: succeed.
*/
__attribute__((deprecated("Use 'esp_wifi_sta_enterprise_disable' instead")))
esp_err_t esp_wifi_sta_wpa2_ent_disable(void);
/**
* @brief Set identity for PEAP/TTLS method.
*
* @deprecated This function is deprecated and will be removed in the future.
* Please use `esp_eap_client_set_identity` instead.
*
* @attention The API only passes the parameter identity to the global pointer variable in wpa2 enterprise module.
*
* @param identity: point to address where stores the identity;
@ -65,17 +58,24 @@ esp_err_t esp_wifi_sta_wpa2_ent_disable(void);
* - ESP_ERR_INVALID_ARG: fail(len <= 0 or len >= 128)
* - ESP_ERR_NO_MEM: fail(internal memory malloc fail)
*/
__attribute__((deprecated("Use 'esp_eap_client_set_identity' instead")))
esp_err_t esp_wifi_sta_wpa2_ent_set_identity(const unsigned char *identity, int len);
/**
* @brief Clear identity for PEAP/TTLS method.
*
* @deprecated This function is deprecated and will be removed in the future.
* Please use `esp_eap_client_clear_identity` instead.
*
*/
__attribute__((deprecated("Use 'esp_eap_client_clear_identity' instead")))
void esp_wifi_sta_wpa2_ent_clear_identity(void);
/**
* @brief Set username for PEAP/TTLS method.
*
* @attention The API only passes the parameter username to the global pointer variable in wpa2 enterprise module.
* @deprecated This function is deprecated and will be removed in the future.
* Please use `esp_eap_client_set_username` instead.
*
* @param username: point to address where stores the username;
* @param len: length of username, limited to 1~127
@ -85,17 +85,23 @@ void esp_wifi_sta_wpa2_ent_clear_identity(void);
* - ESP_ERR_INVALID_ARG: fail(len <= 0 or len >= 128)
* - ESP_ERR_NO_MEM: fail(internal memory malloc fail)
*/
__attribute__((deprecated("Use 'esp_eap_client_set_username' instead")))
esp_err_t esp_wifi_sta_wpa2_ent_set_username(const unsigned char *username, int len);
/**
* @brief Clear username for PEAP/TTLS method.
* @deprecated This function is deprecated and will be removed in the future.
* Please use `esp_eap_client_clear_username` instead.
*
*/
__attribute__((deprecated("Use 'esp_eap_client_clear_username' instead")))
void esp_wifi_sta_wpa2_ent_clear_username(void);
/**
* @brief Set password for PEAP/TTLS method..
*
* @attention The API only passes the parameter password to the global pointer variable in wpa2 enterprise module.
* @deprecated This function is deprecated and will be removed in the future.
* Please use `esp_eap_client_set_password` instead.
*
* @param password: point to address where stores the password;
* @param len: length of password(len > 0)
@ -105,18 +111,25 @@ void esp_wifi_sta_wpa2_ent_clear_username(void);
* - ESP_ERR_INVALID_ARG: fail(len <= 0)
* - ESP_ERR_NO_MEM: fail(internal memory malloc fail)
*/
__attribute__((deprecated("Use 'esp_eap_client_set_password' instead")))
esp_err_t esp_wifi_sta_wpa2_ent_set_password(const unsigned char *password, int len);
/**
* @brief Clear password for PEAP/TTLS method..
*
* @deprecated This function is deprecated and will be removed in the future.
* Please use `esp_eap_client_clear_password` instead.
*/
__attribute__((deprecated("Use 'esp_eap_client_clear_password' instead")))
void esp_wifi_sta_wpa2_ent_clear_password(void);
/**
* @brief Set new password for MSCHAPv2 method..
*
* @attention 1. The API only passes the parameter password to the global pointer variable in wpa2 enterprise module.
* @attention 2. The new password is used to substitute the old password when eap-mschapv2 failure request message with error code ERROR_PASSWD_EXPIRED is received.
* @deprecated This function is deprecated and will be removed in the future.
* Please use `esp_eap_client_set_new_password` instead.
*
* @attention 1. The new password is used to substitute the old password when eap-mschapv2 failure request message with error code ERROR_PASSWD_EXPIRED is received.
*
* @param new_password: point to address where stores the password;
* @param len: length of password
@ -126,17 +139,25 @@ void esp_wifi_sta_wpa2_ent_clear_password(void);
* - ESP_ERR_INVALID_ARG: fail(len <= 0)
* - ESP_ERR_NO_MEM: fail(internal memory malloc fail)
*/
__attribute__((deprecated("Use 'esp_eap_client_set_new_password' instead")))
esp_err_t esp_wifi_sta_wpa2_ent_set_new_password(const unsigned char *new_password, int len);
/**
* @brief Clear new password for MSCHAPv2 method..
*
* @deprecated This function is deprecated and will be removed in the future.
* Please use `esp_eap_client_clear_new_password` instead.
*
*/
__attribute__((deprecated("Use 'esp_eap_client_clear_new_password' instead")))
void esp_wifi_sta_wpa2_ent_clear_new_password(void);
/**
* @brief Set CA certificate for PEAP/TTLS method.
*
* @deprecated This function is deprecated and will be removed in the future.
* Please use `esp_eap_client_set_ca_cert` instead.
*
* @attention 1. The API only passes the parameter ca_cert to the global pointer variable in wpa2 enterprise module.
* @attention 2. The ca_cert should be zero terminated.
*
@ -146,16 +167,25 @@ void esp_wifi_sta_wpa2_ent_clear_new_password(void);
* @return
* - ESP_OK: succeed
*/
__attribute__((deprecated("Use 'esp_eap_client_set_ca_cert' instead")))
esp_err_t esp_wifi_sta_wpa2_ent_set_ca_cert(const unsigned char *ca_cert, int ca_cert_len);
/**
* @brief Clear CA certificate for PEAP/TTLS method.
*
* @deprecated This function is deprecated and will be removed in the future.
* Please use `esp_eap_client_clear_ca_cert` instead.
*
*/
__attribute__((deprecated("Use 'esp_eap_client_clear_ca_cert' instead")))
void esp_wifi_sta_wpa2_ent_clear_ca_cert(void);
/**
* @brief Set client certificate and key.
*
* @deprecated This function is deprecated and will be removed in the future.
* Please use `esp_eap_client_set_certificate_and_key` instead.
*
* @attention 1. The API only passes the parameter client_cert, private_key and private_key_passwd to the global pointer variable in wpa2 enterprise module.
* @attention 2. The client_cert, private_key and private_key_passwd should be zero terminated.
*
@ -169,57 +199,84 @@ void esp_wifi_sta_wpa2_ent_clear_ca_cert(void);
* @return
* - ESP_OK: succeed
*/
esp_err_t esp_wifi_sta_wpa2_ent_set_cert_key(const unsigned char *client_cert, int client_cert_len, const unsigned char *private_key, int private_key_len, const unsigned char *private_key_passwd, int private_key_passwd_len);
__attribute__((deprecated("Use 'esp_eap_client_set_certificate_and_key' instead")))
esp_err_t esp_wifi_sta_wpa2_ent_set_cert_key(const unsigned char *client_cert, int client_cert_len,
const unsigned char *private_key, int private_key_len,
const unsigned char *private_key_passwd, int private_key_passwd_len);
/**
* @brief Clear client certificate and key.
*
* @deprecated This function is deprecated and will be removed in the future.
* Please use `esp_eap_client_clear_certificate_and_key` instead.
*
*/
__attribute__((deprecated("Use 'esp_eap_client_clear_certificate_and_key' instead")))
void esp_wifi_sta_wpa2_ent_clear_cert_key(void);
/**
* @brief Set wpa2 enterprise certs time check(disable or not).
*
* @deprecated This function is deprecated and will be removed in the future.
* Please use `esp_eap_client_set_disable_time_check` instead.
*
* @param true: disable wpa2 enterprise certs time check
* @param false: enable wpa2 enterprise certs time check
*
* @return
* - ESP_OK: succeed
*/
__attribute__((deprecated("Use 'esp_eap_client_set_disable_time_check' instead")))
esp_err_t esp_wifi_sta_wpa2_ent_set_disable_time_check(bool disable);
/**
* @brief Get wpa2 enterprise certs time check(disable or not).
*
* @deprecated This function is deprecated and will be removed in the future.
* Please use `esp_eap_client_get_disable_time_check` instead.
*
* @param disable: store disable value
*
* @return
* - ESP_OK: succeed
*/
__attribute__((deprecated("Use 'esp_eap_client_get_disable_time_check' instead")))
esp_err_t esp_wifi_sta_wpa2_ent_get_disable_time_check(bool *disable);
/**
* @brief Set wpa2 enterprise ttls phase2 method
*
* @deprecated This function is deprecated and will be removed in the future.
* Please use `esp_eap_client_set_ttls_phase2_method` instead.
*
* @param type: the type of phase 2 method to be used
*
* @return
* - ESP_OK: succeed
*/
__attribute__((deprecated("Use 'esp_eap_client_set_ttls_phase2_method' instead")))
esp_err_t esp_wifi_sta_wpa2_ent_set_ttls_phase2_method(esp_eap_ttls_phase2_types type);
/**
* @brief enable/disable 192 bit suite b certification checks
*
* @deprecated This function is deprecated and will be removed in the future.
* Please use `esp_eap_client_set_suiteb_192bit_certification` instead.
*
* @param enable: bool to enable/disable it.
*
* @return
* - ESP_OK: succeed
*/
__attribute__((deprecated("Use 'esp_eap_client_set_suiteb_192bit_certification' instead")))
esp_err_t esp_wifi_sta_wpa2_set_suiteb_192bit_certification(bool enable);
/**
* @brief Set client pac file
*
* @deprecated This function is deprecated and will be removed in the future.
* Please use `esp_eap_client_set_pac_file` instead.
*
* @attention 1. For files read from the file system, length has to be decremented by 1 byte.
* @attention 2. Disabling the ESP_WIFI_MBEDTLS_TLS_CLIENT config is required to use EAP-FAST.
*
@ -230,11 +287,15 @@ esp_err_t esp_wifi_sta_wpa2_set_suiteb_192bit_certification(bool enable);
* - ESP_OK: succeed
* - ESP_ERR_NO_MEM: fail(internal memory malloc fail)
*/
__attribute__((deprecated("Use 'esp_eap_client_set_pac_file' instead")))
esp_err_t esp_wifi_sta_wpa2_ent_set_pac_file(const unsigned char *pac_file, int pac_file_len);
/**
* @brief Set Phase 1 parameters for EAP-FAST
*
* @deprecated This function is deprecated and will be removed in the future.
* Please use `esp_eap_client_set_fast_params` instead.
*
* @attention 1. Disabling the ESP_WIFI_MBEDTLS_TLS_CLIENT config is required to use EAP-FAST.
*
* @param config: eap fast phase 1 configuration
@ -244,17 +305,22 @@ esp_err_t esp_wifi_sta_wpa2_ent_set_pac_file(const unsigned char *pac_file, int
* - ESP_ERR_INVALID_ARG: fail(out of bound arguments)
* - ESP_ERR_NO_MEM: fail(internal memory malloc fail)
*/
__attribute__((deprecated("Use 'esp_eap_client_set_fast_params' instead")))
esp_err_t esp_wifi_sta_wpa2_ent_set_fast_phase1_params(esp_eap_fast_config config);
/**
* @brief Use default CA cert bundle for server validation
*
* @deprecated This function is deprecated and will be removed in the future.
* Please use `esp_eap_client_use_default_cert_bundle` instead.
*
* @use_default_bundle : whether to use bundle or not
*
* @return
* - ESP_OK: succeed
* - ESP_FAIL: fail
*/
__attribute__((deprecated("Use 'esp_eap_client_use_default_cert_bundle' instead")))
esp_err_t esp_wifi_sta_wpa2_use_default_cert_bundle(bool use_default_bundle);
#ifdef __cplusplus

View File

@ -1,5 +1,5 @@
/*
* SPDX-FileCopyrightText: 2019-2021 Espressif Systems (Shanghai) CO LTD
* SPDX-FileCopyrightText: 2019-2023 Espressif Systems (Shanghai) CO LTD
*
* SPDX-License-Identifier: Apache-2.0
*/
@ -33,32 +33,60 @@ extern "C" {
#define ESP_ERR_WIFI_WPS_TYPE (ESP_ERR_WIFI_BASE + 52) /*!< WPS type error */
#define ESP_ERR_WIFI_WPS_SM (ESP_ERR_WIFI_BASE + 53) /*!< WPS state machine is not initialized */
/**
* @brief Enumeration of WPS (Wi-Fi Protected Setup) types.
*/
typedef enum wps_type {
WPS_TYPE_DISABLE = 0,
WPS_TYPE_PBC,
WPS_TYPE_PIN,
WPS_TYPE_MAX,
WPS_TYPE_DISABLE = 0, /**< WPS is disabled */
WPS_TYPE_PBC, /**< WPS Push Button Configuration method */
WPS_TYPE_PIN, /**< WPS PIN (Personal Identification Number) method */
WPS_TYPE_MAX /**< Maximum value for WPS type enumeration */
} wps_type_t;
#define WPS_MAX_MANUFACTURER_LEN 65
#define WPS_MAX_MODEL_NUMBER_LEN 33
#define WPS_MAX_MODEL_NAME_LEN 33
#define WPS_MAX_DEVICE_NAME_LEN 33
#define WPS_MAX_MANUFACTURER_LEN 65 /**< Maximum length of the manufacturer name in WPS information */
#define WPS_MAX_MODEL_NUMBER_LEN 33 /**< Maximum length of the model number in WPS information */
#define WPS_MAX_MODEL_NAME_LEN 33 /**< Maximum length of the model name in WPS information */
#define WPS_MAX_DEVICE_NAME_LEN 33 /**< Maximum length of the device name in WPS information */
/**
* @brief Structure representing WPS factory information for ESP device.
*
* This structure holds various strings representing factory information for a device, such as the manufacturer,
* model number, model name, and device name. Each string is a null-terminated character array. If any of the
* strings are empty, the default values are used.
*/
typedef struct {
char manufacturer[WPS_MAX_MANUFACTURER_LEN]; /*!< Manufacturer, null-terminated string. The default manufcturer is used if the string is empty */
char model_number[WPS_MAX_MODEL_NUMBER_LEN]; /*!< Model number, null-terminated string. The default model number is used if the string is empty */
char model_name[WPS_MAX_MODEL_NAME_LEN]; /*!< Model name, null-terminated string. The default model name is used if the string is empty */
char device_name[WPS_MAX_DEVICE_NAME_LEN]; /*!< Device name, null-terminated string. The default device name is used if the string is empty */
char manufacturer[WPS_MAX_MANUFACTURER_LEN]; /*!< Manufacturer of the device. If empty, the default manufacturer is used. */
char model_number[WPS_MAX_MODEL_NUMBER_LEN]; /*!< Model number of the device. If empty, the default model number is used. */
char model_name[WPS_MAX_MODEL_NAME_LEN]; /*!< Model name of the device. If empty, the default model name is used. */
char device_name[WPS_MAX_DEVICE_NAME_LEN]; /*!< Device name. If empty, the default device name is used. */
} wps_factory_information_t;
#define PIN_LEN 9
#define PIN_LEN 9 /*!< The length of the WPS PIN (Personal Identification Number). */
/**
* @brief Structure representing configuration settings for WPS (Wi-Fi Protected Setup).
*
* This structure encapsulates various configuration settings for WPS, including the WPS type (PBC or PIN),
* factory information that will be shown in the WPS Information Element (IE), and a PIN if the WPS type is
* set to PIN.
*/
typedef struct {
wps_type_t wps_type;
wps_factory_information_t factory_info;
char pin[PIN_LEN];
wps_type_t wps_type; /*!< The type of WPS to be used (PBC or PIN). */
wps_factory_information_t factory_info; /*!< Factory information to be shown in the WPS Information Element (IE). Vendor can choose to display their own information. */
char pin[PIN_LEN]; /*!< WPS PIN (Personal Identification Number) used when wps_type is set to WPS_TYPE_PIN. */
} esp_wps_config_t;
/**
* @def WPS_CONFIG_INIT_DEFAULT(type)
* @brief Initialize a default WPS configuration structure with specified WPS type.
*
* This macro initializes a `esp_wps_config_t` structure with default values for the specified WPS type.
* It sets the WPS type, factory information (including default manufacturer, model number, model name, and device name),
* and a default PIN value if applicable.
*
* @param type The WPS type to be used (PBC or PIN).
* @return An initialized `esp_wps_config_t` structure with the specified WPS type and default values.
*/
#define WPS_CONFIG_INIT_DEFAULT(type) { \
.wps_type = type, \
.factory_info = { \
@ -73,9 +101,7 @@ typedef struct {
/**
* @brief Enable Wi-Fi WPS function.
*
* @attention WPS can only be used when station is enabled.
*
* @param wps_type_t wps_type : WPS type, so far only WPS_TYPE_PBC and WPS_TYPE_PIN is supported
* @param config : WPS config to be used in connection
*
* @return
* - ESP_OK : succeed
@ -88,8 +114,6 @@ esp_err_t esp_wifi_wps_enable(const esp_wps_config_t *config);
/**
* @brief Disable Wi-Fi WPS function and release resource it taken.
*
* @param null
*
* @return
* - ESP_OK : succeed
* - ESP_ERR_WIFI_WPS_MODE : wifi is not in station mode or sniffer mode is on
@ -97,9 +121,9 @@ esp_err_t esp_wifi_wps_enable(const esp_wps_config_t *config);
esp_err_t esp_wifi_wps_disable(void);
/**
* @brief WPS starts to work.
* @brief Start WPS session.
*
* @attention WPS can only be used when station is enabled.
* @attention WPS can only be used when station is enabled. WPS needs to be enabled first for using this API.
*
* @param timeout_ms : deprecated: This argument's value will have not effect in functionality of API.
* The argument will be removed in future.
@ -120,7 +144,7 @@ esp_err_t esp_wifi_wps_start(int timeout_ms);
*
* @attention WPS can only be used when softAP is enabled.
*
* @param esp_wps_config_t config: wps configuration to be used.
* @param config: wps configuration to be used.
*
* @return
* - ESP_OK : succeed
@ -133,8 +157,6 @@ esp_err_t esp_wifi_ap_wps_enable(const esp_wps_config_t *config);
/**
* @brief Disable Wi-Fi SoftAP WPS function and release resource it taken.
*
* @param null
*
* @return
* - ESP_OK : succeed
* - ESP_ERR_WIFI_WPS_MODE : wifi is not in station mode or sniffer mode is on

View File

@ -36,7 +36,8 @@
#include "esp_crt_bundle.h"
#endif
#include "esp_wpas_glue.h"
#include "esp_wpa2_i.h"
#include "esp_eap_client_i.h"
#include "esp_eap_client.h"
#define WPA2_VERSION "v2.0"
@ -77,7 +78,7 @@ static void wpa2_api_lock(void)
if (s_wpa2_api_lock == NULL) {
s_wpa2_api_lock = os_recursive_mutex_create();
if (!s_wpa2_api_lock) {
wpa_printf(MSG_ERROR, "WPA2: failed to create wpa2 api lock");
wpa_printf(MSG_ERROR, "EAP: failed to create EAP api lock");
return;
}
}
@ -117,7 +118,7 @@ static void wpa2_set_eap_state(wpa2_ent_eap_state_t state)
esp_wifi_set_wpa2_ent_state_internal(state);
}
wpa2_ent_eap_state_t wpa2_get_eap_state(void)
wpa2_ent_eap_state_t eap_client_get_eap_state(void)
{
if (!gEapSm) {
return WPA2_ENT_EAP_STATE_NOT_START;
@ -132,14 +133,14 @@ static inline void wpa2_task_delete(void *arg)
int ret = ESP_OK;
if (my_task_hdl == s_wpa2_task_hdl) {
wpa_printf(MSG_ERROR, "WPA2: should never call task delete api in wpa2 task context");
wpa_printf(MSG_ERROR, "EAP: should never call task delete api in eap task context");
return;
}
ret = wpa2_post(SIG_WPA2_TASK_DEL, 0);
if (ESP_OK != ret) {
wpa_printf(MSG_ERROR, "WPA2: failed to post task delete event, ret=%d", ret);
wpa_printf(MSG_ERROR, "EAP: failed to post task delete event, ret=%d", ret);
return;
}
}
@ -241,23 +242,23 @@ void wpa2_task(void *pvParameters )
break;
} else {
if (s_wifi_wpa2_sync_sem) {
wpa_printf(MSG_DEBUG, "WPA2: wifi->wpa2 api completed sig(%" PRId32 ")", e->sig);
wpa_printf(MSG_DEBUG, "EAP: wifi->EAP api completed sig(%" PRId32 ")", e->sig);
os_semphr_give(s_wifi_wpa2_sync_sem);
} else {
wpa_printf(MSG_ERROR, "WPA2: null wifi->wpa2 sync sem");
wpa_printf(MSG_ERROR, "EAP: null wifi->EAP sync sem");
}
}
}
wpa_printf(MSG_DEBUG, "WPA2: queue deleted");
wpa_printf(MSG_DEBUG, "EAP: queue deleted");
os_queue_delete(s_wpa2_queue);
wpa_printf(MSG_DEBUG, "WPA2: task deleted");
wpa_printf(MSG_DEBUG, "EAP: task deleted");
s_wpa2_queue = NULL;
if (s_wifi_wpa2_sync_sem) {
wpa_printf(MSG_DEBUG, "WPA2: wifi->wpa2 api completed sig(%" PRId32 ")", e->sig);
wpa_printf(MSG_DEBUG, "EAP: wifi->EAP api completed sig(%" PRId32 ")", e->sig);
os_semphr_give(s_wifi_wpa2_sync_sem);
} else {
wpa_printf(MSG_ERROR, "WPA2: null wifi->wpa2 sync sem");
wpa_printf(MSG_ERROR, "EAP: null wifi->EAP sync sem");
}
/* At this point, we completed */
@ -279,7 +280,7 @@ int wpa2_post(uint32_t sig, uint32_t par)
} else {
ETSEvent *evt = (ETSEvent *)os_malloc(sizeof(ETSEvent));
if (evt == NULL) {
wpa_printf(MSG_ERROR, "WPA2: E N M");
wpa_printf(MSG_ERROR, "EAP: E N M");
DATA_MUTEX_GIVE();
return ESP_FAIL;
}
@ -288,14 +289,14 @@ int wpa2_post(uint32_t sig, uint32_t par)
evt->sig = sig;
evt->par = par;
if (os_queue_send(s_wpa2_queue, &evt, os_task_ms_to_tick(10)) != TRUE) {
wpa_printf(MSG_ERROR, "WPA2: Q S E");
wpa_printf(MSG_ERROR, "EAP: Q S E");
return ESP_FAIL;
} else {
if (s_wifi_wpa2_sync_sem) {
os_semphr_take(s_wifi_wpa2_sync_sem, OS_BLOCK);
wpa_printf(MSG_DEBUG, "WPA2: wpa2 api return, sm->state(%d)", sm->finish_state);
wpa_printf(MSG_DEBUG, "EAP: EAP api return, sm->state(%d)", sm->finish_state);
} else {
wpa_printf(MSG_ERROR, "WPA2: null wifi->wpa2 sync sem");
wpa_printf(MSG_ERROR, "EAP: null wifi->EAP sync sem");
}
}
}
@ -552,20 +553,20 @@ static int eap_sm_rx_eapol_internal(u8 *src_addr, u8 *buf, u32 len, uint8_t *bss
/* TODO: backwards compatibility */
}
if (hdr->type != IEEE802_1X_TYPE_EAP_PACKET) {
wpa_printf(MSG_DEBUG, "WPA2: EAP frame (type %u) discarded, "
wpa_printf(MSG_DEBUG, "EAP: EAP frame (type %u) discarded, "
"not a EAP PACKET frame", hdr->type);
ret = -2;
goto _out;
}
if (plen > len - sizeof(*hdr) || plen < sizeof(*ehdr)) {
wpa_printf(MSG_DEBUG, "WPA2: EAPOL frame payload size %lu "
wpa_printf(MSG_DEBUG, "EAP: EAPOL frame payload size %lu "
"invalid (frame size %lu)",
(unsigned long) plen, (unsigned long) len);
ret = -2;
goto _out;
}
wpa_hexdump(MSG_MSGDUMP, "WPA2: RX EAPOL-EAP PACKET", tmp, len);
wpa_hexdump(MSG_MSGDUMP, "EAP: RX EAPOL-EAP PACKET", tmp, len);
if (data_len < len) {
wpa_printf(MSG_DEBUG, "WPA: ignoring %lu bytes after the IEEE "
@ -577,7 +578,7 @@ static int eap_sm_rx_eapol_internal(u8 *src_addr, u8 *buf, u32 len, uint8_t *bss
case EAP_CODE_REQUEST:
/* Handle EAP-reauthentication case */
if (sm->finish_state == WPA2_ENT_EAP_STATE_SUCCESS) {
wpa_printf(MSG_INFO, ">>>>>wpa2 EAP Re-authentication in progress");
wpa_printf(MSG_INFO, "EAP Re-authentication in progress");
wpa2_set_eap_state(WPA2_ENT_EAP_STATE_IN_PROGRESS);
}
@ -592,18 +593,18 @@ static int eap_sm_rx_eapol_internal(u8 *src_addr, u8 *buf, u32 len, uint8_t *bss
wpa_set_pmk(sm->eapKeyData, NULL, false);
os_free(sm->eapKeyData);
sm->eapKeyData = NULL;
wpa_printf(MSG_INFO, ">>>>>wpa2 FINISH");
wpa_printf(MSG_INFO, ">>>>>EAP FINISH");
ret = WPA2_ENT_EAP_STATE_SUCCESS;
wpa2_set_eap_state(WPA2_ENT_EAP_STATE_SUCCESS);
eap_deinit_prev_method(sm, "EAP Success");
} else {
wpa_printf(MSG_INFO, ">>>>>wpa2 FAILED, receive EAP_SUCCESS but pmk is empty, potential attack!");
wpa_printf(MSG_INFO, ">>>>>EAP FAILED, receive EAP_SUCCESS but pmk is empty, potential attack!");
ret = WPA2_ENT_EAP_STATE_FAIL;
wpa2_set_eap_state(WPA2_ENT_EAP_STATE_FAIL);
}
break;
case EAP_CODE_FAILURE:
wpa_printf(MSG_INFO, ">>>>>wpa2 FAILED");
wpa_printf(MSG_INFO, ">>>>>EAP FAILED");
ret = WPA2_ENT_EAP_STATE_FAIL;
wpa2_set_eap_state(WPA2_ENT_EAP_STATE_FAIL);
break;
@ -678,7 +679,7 @@ static int eap_peer_sm_init(void)
struct eap_sm *sm;
if (gEapSm) {
wpa_printf(MSG_ERROR, "WPA2: wpa2 sm not null, deinit it");
wpa_printf(MSG_ERROR, "EAP: EAP sm not null, deinit it");
eap_peer_sm_deinit();
}
@ -691,7 +692,7 @@ static int eap_peer_sm_init(void)
gEapSm = sm;
s_wpa2_data_lock = os_recursive_mutex_create();
if (!s_wpa2_data_lock) {
wpa_printf(MSG_ERROR, "wpa2 eap_peer_sm_init: failed to alloc data lock");
wpa_printf(MSG_ERROR, "EAP eap_peer_sm_init: failed to alloc data lock");
ret = ESP_ERR_NO_MEM;
goto _err;
}
@ -733,12 +734,12 @@ static int eap_peer_sm_init(void)
}
s_wifi_wpa2_sync_sem = os_semphr_create(1, 0);
if (!s_wifi_wpa2_sync_sem) {
wpa_printf(MSG_ERROR, "WPA2: failed create wifi wpa2 task sync sem");
wpa_printf(MSG_ERROR, "EAP: failed create wifi EAP task sync sem");
ret = ESP_FAIL;
goto _err;
}
wpa_printf(MSG_INFO, "wpa2_task prio:%d, stack:%d", WPA2_TASK_PRIORITY, WPA2_TASK_STACK_SIZE);
wpa_printf(MSG_INFO, "wifi_task prio:%d, stack:%d", WPA2_TASK_PRIORITY, WPA2_TASK_STACK_SIZE);
#endif
return ESP_OK;
@ -783,7 +784,7 @@ static void eap_peer_sm_deinit(void)
if (s_wpa2_data_lock) {
os_semphr_delete(s_wpa2_data_lock);
s_wpa2_data_lock = NULL;
wpa_printf(MSG_DEBUG, "wpa2 eap_peer_sm_deinit: free data lock");
wpa_printf(MSG_DEBUG, "EAP: eap_peer_sm_deinit: free data lock");
}
if (s_wpa2_queue) {
@ -794,16 +795,15 @@ static void eap_peer_sm_deinit(void)
gEapSm = NULL;
}
esp_err_t esp_wifi_sta_wpa2_ent_enable_fn(void *arg)
static esp_err_t esp_client_enable_fn(void *arg)
{
struct wpa2_funcs *wpa2_cb;
wpa_printf(MSG_INFO, "WPA2 ENTERPRISE VERSION: [%s] enable",
WPA2_VERSION);
wpa_printf(MSG_INFO, "WiFi Enterprise enable");
wpa2_cb = (struct wpa2_funcs *)os_zalloc(sizeof(struct wpa2_funcs));
if (wpa2_cb == NULL) {
wpa_printf(MSG_ERROR, "WPA2: no mem for wpa2 cb");
wpa_printf(MSG_ERROR, "EAP: no mem for eap cb");
return ESP_ERR_NO_MEM;
}
@ -814,7 +814,7 @@ esp_err_t esp_wifi_sta_wpa2_ent_enable_fn(void *arg)
esp_wifi_register_wpa2_cb_internal(wpa2_cb);
wpa_printf(MSG_DEBUG, "WPA2 ENTERPRISE CRYPTO INIT.\r");
wpa_printf(MSG_DEBUG, "WiFi Enterprise crypto init.\r");
#ifdef EAP_PEER_METHOD
if (eap_peer_register_methods()) {
@ -824,7 +824,7 @@ esp_err_t esp_wifi_sta_wpa2_ent_enable_fn(void *arg)
return ESP_OK;
}
esp_err_t esp_wifi_sta_wpa2_ent_enable(void)
esp_err_t esp_wifi_sta_enterprise_enable(void)
{
wifi_wpa2_param_t param;
esp_err_t ret;
@ -833,21 +833,21 @@ esp_err_t esp_wifi_sta_wpa2_ent_enable(void)
wpa2_api_lock();
if (wpa2_is_enabled()) {
wpa_printf(MSG_INFO, "WPA2: already enabled");
wpa_printf(MSG_INFO, "EAP: already enabled");
wpa2_api_unlock();
return ESP_OK;
}
param.fn = (wifi_wpa2_fn_t)esp_wifi_sta_wpa2_ent_enable_fn;
param.fn = (wifi_wpa2_fn_t)esp_client_enable_fn;
param.param = NULL;
ret = esp_wifi_sta_wpa2_ent_enable_internal(&param);
if (ESP_OK == ret) {
wpa2_set_state(WPA2_STATE_ENABLED);
sm->wpa_sm_wpa2_ent_disable = esp_wifi_sta_wpa2_ent_disable;
sm->wpa_sm_eap_disable = esp_wifi_sta_enterprise_disable;
} else {
wpa_printf(MSG_ERROR, "failed to enable wpa2 ret=%d", ret);
wpa_printf(MSG_ERROR, "failed to enable eap ret=%d", ret);
}
wpa2_api_unlock();
@ -855,10 +855,10 @@ esp_err_t esp_wifi_sta_wpa2_ent_enable(void)
return ret;
}
esp_err_t esp_wifi_sta_wpa2_ent_disable_fn(void *param)
static esp_err_t eap_client_disable_fn(void *param)
{
struct wpa_sm *sm = &gWpaSm;
wpa_printf(MSG_INFO, "WPA2 ENTERPRISE VERSION: [%s] disable", WPA2_VERSION);
wpa_printf(MSG_INFO, "WiFi enterprise disable");
esp_wifi_unregister_wpa2_cb_internal();
if (gEapSm) {
@ -869,11 +869,11 @@ esp_err_t esp_wifi_sta_wpa2_ent_disable_fn(void *param)
eap_peer_unregister_methods();
#endif
sm->wpa_sm_wpa2_ent_disable = NULL;
sm->wpa_sm_eap_disable = NULL;
return ESP_OK;
}
esp_err_t esp_wifi_sta_wpa2_ent_disable(void)
esp_err_t esp_wifi_sta_enterprise_disable(void)
{
wifi_wpa2_param_t param;
esp_err_t ret;
@ -881,19 +881,19 @@ esp_err_t esp_wifi_sta_wpa2_ent_disable(void)
wpa2_api_lock();
if (wpa2_is_disabled()) {
wpa_printf(MSG_INFO, "WPA2: already disabled");
wpa_printf(MSG_INFO, "EAP: already disabled");
wpa2_api_unlock();
return ESP_OK;
}
param.fn = (wifi_wpa2_fn_t)esp_wifi_sta_wpa2_ent_disable_fn;
param.fn = (wifi_wpa2_fn_t)eap_client_disable_fn;
param.param = 0;
ret = esp_wifi_sta_wpa2_ent_disable_internal(&param);
if (ESP_OK == ret) {
wpa2_set_state(WPA2_STATE_DISABLED);
} else {
wpa_printf(MSG_ERROR, "failed to disable wpa2 ret=%d", ret);
wpa_printf(MSG_ERROR, "failed to disable eap ret=%d", ret);
}
wpa2_api_unlock();
@ -901,7 +901,9 @@ esp_err_t esp_wifi_sta_wpa2_ent_disable(void)
return ret;
}
esp_err_t esp_wifi_sta_wpa2_ent_set_cert_key(const unsigned char *client_cert, int client_cert_len, const unsigned char *private_key, int private_key_len, const unsigned char *private_key_passwd, int private_key_passwd_len)
esp_err_t esp_eap_client_set_certificate_and_key(const unsigned char *client_cert, int client_cert_len,
const unsigned char *private_key, int private_key_len,
const unsigned char *private_key_passwd, int private_key_passwd_len)
{
if (client_cert && client_cert_len > 0) {
g_wpa_client_cert = client_cert;
@ -919,10 +921,8 @@ esp_err_t esp_wifi_sta_wpa2_ent_set_cert_key(const unsigned char *client_cert, i
return ESP_OK;
}
void esp_wifi_sta_wpa2_ent_clear_cert_key(void)
void esp_eap_client_clear_certificate_and_key(void)
{
esp_wifi_unregister_wpa2_cb_internal();
g_wpa_client_cert = NULL;
g_wpa_client_cert_len = 0;
g_wpa_private_key = NULL;
@ -934,7 +934,7 @@ void esp_wifi_sta_wpa2_ent_clear_cert_key(void)
g_wpa_pac_file_len = 0;
}
esp_err_t esp_wifi_sta_wpa2_ent_set_ca_cert(const unsigned char *ca_cert, int ca_cert_len)
esp_err_t esp_eap_client_set_ca_cert(const unsigned char *ca_cert, int ca_cert_len)
{
if (ca_cert && ca_cert_len > 0) {
g_wpa_ca_cert = ca_cert;
@ -944,14 +944,14 @@ esp_err_t esp_wifi_sta_wpa2_ent_set_ca_cert(const unsigned char *ca_cert, int ca
return ESP_OK;
}
void esp_wifi_sta_wpa2_ent_clear_ca_cert(void)
void esp_eap_client_clear_ca_cert(void)
{
g_wpa_ca_cert = NULL;
g_wpa_ca_cert_len = 0;
}
#define ANONYMOUS_ID_LEN_MAX 128
esp_err_t esp_wifi_sta_wpa2_ent_set_identity(const unsigned char *identity, int len)
esp_err_t esp_eap_client_set_identity(const unsigned char *identity, int len)
{
if (len <= 0 || len > ANONYMOUS_ID_LEN_MAX) {
return ESP_ERR_INVALID_ARG;
@ -973,7 +973,7 @@ esp_err_t esp_wifi_sta_wpa2_ent_set_identity(const unsigned char *identity, int
return ESP_OK;
}
void esp_wifi_sta_wpa2_ent_clear_identity(void)
void esp_eap_client_clear_identity(void)
{
if (g_wpa_anonymous_identity) {
os_free(g_wpa_anonymous_identity);
@ -984,7 +984,7 @@ void esp_wifi_sta_wpa2_ent_clear_identity(void)
}
#define USERNAME_LEN_MAX 128
esp_err_t esp_wifi_sta_wpa2_ent_set_username(const unsigned char *username, int len)
esp_err_t esp_eap_client_set_username(const unsigned char *username, int len)
{
if (len <= 0 || len > USERNAME_LEN_MAX) {
return ESP_ERR_INVALID_ARG;
@ -1006,7 +1006,7 @@ esp_err_t esp_wifi_sta_wpa2_ent_set_username(const unsigned char *username, int
return ESP_OK;
}
void esp_wifi_sta_wpa2_ent_clear_username(void)
void esp_eap_client_clear_username(void)
{
if (g_wpa_username) {
os_free(g_wpa_username);
@ -1016,7 +1016,7 @@ void esp_wifi_sta_wpa2_ent_clear_username(void)
g_wpa_username_len = 0;
}
esp_err_t esp_wifi_sta_wpa2_ent_set_password(const unsigned char *password, int len)
esp_err_t esp_eap_client_set_password(const unsigned char *password, int len)
{
if (len <= 0) {
return ESP_ERR_INVALID_ARG;
@ -1038,7 +1038,7 @@ esp_err_t esp_wifi_sta_wpa2_ent_set_password(const unsigned char *password, int
return ESP_OK;
}
void esp_wifi_sta_wpa2_ent_clear_password(void)
void esp_eap_client_clear_password(void)
{
if (g_wpa_password) {
os_free(g_wpa_password);
@ -1047,7 +1047,7 @@ void esp_wifi_sta_wpa2_ent_clear_password(void)
g_wpa_password_len = 0;
}
esp_err_t esp_wifi_sta_wpa2_ent_set_new_password(const unsigned char *new_password, int len)
esp_err_t esp_eap_client_set_new_password(const unsigned char *new_password, int len)
{
if (len <= 0) {
return ESP_ERR_INVALID_ARG;
@ -1069,7 +1069,7 @@ esp_err_t esp_wifi_sta_wpa2_ent_set_new_password(const unsigned char *new_passwo
return ESP_OK;
}
void esp_wifi_sta_wpa2_ent_clear_new_password(void)
void esp_eap_client_clear_new_password(void)
{
if (g_wpa_new_password) {
os_free(g_wpa_new_password);
@ -1078,7 +1078,7 @@ void esp_wifi_sta_wpa2_ent_clear_new_password(void)
g_wpa_new_password_len = 0;
}
esp_err_t esp_wifi_sta_wpa2_ent_set_disable_time_check(bool disable)
esp_err_t esp_eap_client_set_disable_time_check(bool disable)
{
s_disable_time_check = disable;
return ESP_OK;
@ -1089,13 +1089,13 @@ bool wifi_sta_get_enterprise_disable_time_check(void)
return s_disable_time_check;
}
esp_err_t esp_wifi_sta_wpa2_ent_get_disable_time_check(bool *disable)
esp_err_t esp_eap_client_get_disable_time_check(bool *disable)
{
*disable = wifi_sta_get_enterprise_disable_time_check();
return ESP_OK;
}
esp_err_t esp_wifi_sta_wpa2_ent_set_ttls_phase2_method(esp_eap_ttls_phase2_types type)
esp_err_t esp_eap_client_set_ttls_phase2_method(esp_eap_ttls_phase2_types type)
{
switch (type) {
case ESP_EAP_TTLS_PHASE2_EAP:
@ -1120,7 +1120,7 @@ esp_err_t esp_wifi_sta_wpa2_ent_set_ttls_phase2_method(esp_eap_ttls_phase2_types
return ESP_OK;
}
esp_err_t esp_wifi_sta_wpa2_set_suiteb_192bit_certification(bool enable)
esp_err_t esp_eap_client_set_suiteb_192bit_certification(bool enable)
{
#ifdef CONFIG_SUITEB192
g_wpa_suiteb_certification = enable;
@ -1130,7 +1130,7 @@ esp_err_t esp_wifi_sta_wpa2_set_suiteb_192bit_certification(bool enable)
#endif
}
esp_err_t esp_wifi_sta_wpa2_ent_set_pac_file(const unsigned char *pac_file, int pac_file_len)
esp_err_t esp_eap_client_set_pac_file(const unsigned char *pac_file, int pac_file_len)
{
if (pac_file && pac_file_len > -1) {
if (pac_file_len < 512) { // The file contains less than 1 pac and is to be rewritten later
@ -1154,7 +1154,7 @@ esp_err_t esp_wifi_sta_wpa2_ent_set_pac_file(const unsigned char *pac_file, int
return ESP_OK;
}
esp_err_t esp_wifi_sta_wpa2_ent_set_fast_phase1_params(esp_eap_fast_config config)
esp_err_t esp_eap_client_set_fast_params(esp_eap_fast_config config)
{
char config_for_supplicant[PHASE1_PARAM_STRING_LEN] = "";
if ((config.fast_provisioning > -1) && (config.fast_provisioning <= 2)) {
@ -1186,7 +1186,7 @@ esp_err_t esp_wifi_sta_wpa2_ent_set_fast_phase1_params(esp_eap_fast_config confi
}
esp_err_t esp_wifi_sta_wpa2_use_default_cert_bundle(bool use_default_bundle)
esp_err_t esp_eap_client_use_default_cert_bundle(bool use_default_bundle)
{
#ifdef CONFIG_MBEDTLS_CERTIFICATE_BUNDLE
g_wpa_default_cert_bundle = use_default_bundle;

View File

@ -4,11 +4,8 @@
* SPDX-License-Identifier: Apache-2.0
*/
#ifndef ESP_WPA2_I_H
#define ESP_WPA2_I_H
#pragma once
#include "esp_wifi_driver.h"
wpa2_ent_eap_state_t wpa2_get_eap_state(void);
#endif
wpa2_ent_eap_state_t eap_client_get_eap_state(void);

View File

@ -0,0 +1,115 @@
/*
* SPDX-FileCopyrightText: 2023 Espressif Systems (Shanghai) CO LTD
*
* SPDX-License-Identifier: Apache-2.0
*/
#include "esp_eap_client.h"
esp_err_t esp_wifi_sta_wpa2_ent_enable(void)
{
return esp_wifi_sta_enterprise_enable();
}
esp_err_t esp_wifi_sta_wpa2_ent_disable(void)
{
return esp_wifi_sta_enterprise_disable();
}
esp_err_t esp_wifi_sta_wpa2_ent_set_identity(const unsigned char *identity, int len)
{
return esp_eap_client_set_identity(identity, len);
}
void esp_wifi_sta_wpa2_ent_clear_identity(void)
{
esp_eap_client_clear_identity();
}
esp_err_t esp_wifi_sta_wpa2_ent_set_username(const unsigned char *username, int len)
{
return esp_eap_client_set_username(username, len);
}
void esp_wifi_sta_wpa2_ent_clear_username(void)
{
esp_eap_client_clear_username();
}
esp_err_t esp_wifi_sta_wpa2_ent_set_password(const unsigned char *password, int len)
{
return esp_eap_client_set_password(password, len);
}
void esp_wifi_sta_wpa2_ent_clear_password(void)
{
esp_eap_client_clear_password();
}
esp_err_t esp_wifi_sta_wpa2_ent_set_new_password(const unsigned char *new_password, int len)
{
return esp_eap_client_set_new_password(new_password, len);
}
void esp_wifi_sta_wpa2_ent_clear_new_password(void)
{
esp_eap_client_clear_new_password();
}
esp_err_t esp_wifi_sta_wpa2_ent_set_ca_cert(const unsigned char *ca_cert, int ca_cert_len)
{
return esp_eap_client_set_ca_cert(ca_cert, ca_cert_len);
}
void esp_wifi_sta_wpa2_ent_clear_ca_cert(void)
{
esp_eap_client_clear_ca_cert();
}
esp_err_t esp_wifi_sta_wpa2_ent_set_cert_key(const unsigned char *client_cert, int client_cert_len,
const unsigned char *private_key, int private_key_len,
const unsigned char *private_key_passwd, int private_key_passwd_len)
{
return esp_eap_client_set_certificate_and_key(client_cert, client_cert_len,
private_key, private_key_len, private_key_passwd, private_key_passwd_len);
}
void esp_wifi_sta_wpa2_ent_clear_cert_key(void)
{
esp_eap_client_clear_certificate_and_key();
}
esp_err_t esp_wifi_sta_wpa2_ent_set_disable_time_check(bool disable)
{
return esp_eap_client_set_disable_time_check(disable);
}
esp_err_t esp_wifi_sta_wpa2_ent_get_disable_time_check(bool *disable)
{
return esp_eap_client_get_disable_time_check(disable);
}
esp_err_t esp_wifi_sta_wpa2_ent_set_ttls_phase2_method(esp_eap_ttls_phase2_types type)
{
return esp_eap_client_set_ttls_phase2_method(type);
}
esp_err_t esp_wifi_sta_wpa2_set_suiteb_192bit_certification(bool enable)
{
return esp_eap_client_set_suiteb_192bit_certification(enable);
}
esp_err_t esp_wifi_sta_wpa2_ent_set_pac_file(const unsigned char *pac_file, int pac_file_len)
{
return esp_eap_client_set_pac_file(pac_file, pac_file_len);
}
esp_err_t esp_wifi_sta_wpa2_ent_set_fast_phase1_params(esp_eap_fast_config config)
{
return esp_eap_client_set_fast_params(config);
}
esp_err_t esp_wifi_sta_wpa2_use_default_cert_bundle(bool use_default_bundle)
{
return esp_eap_client_use_default_cert_bundle(use_default_bundle);
}

View File

@ -28,7 +28,7 @@
#include "esp_wifi_driver.h"
#include "esp_private/wifi.h"
#include "esp_wpa3_i.h"
#include "esp_wpa2.h"
#include "esp_eap_client.h"
#include "esp_common_i.h"
#include "esp_owe_i.h"
@ -180,13 +180,13 @@ void wpa_ap_get_peer_spp_msg(void *sm_data, bool *spp_cap, bool *spp_req)
*spp_req = sm->spp_sup.require;
}
bool wpa_deattach(void)
bool wpa_deattach(void)
{
struct wpa_sm *sm = &gWpaSm;
esp_wpa3_free_sae_data();
#ifdef CONFIG_ESP_WIFI_ENTERPRISE_SUPPORT
if (sm->wpa_sm_wpa2_ent_disable) {
sm->wpa_sm_wpa2_ent_disable();
if (sm->wpa_sm_eap_disable) {
sm->wpa_sm_eap_disable();
}
#endif
if (sm->wpa_sm_wps_disable) {

View File

@ -13,7 +13,6 @@
#include "eap.h"
#include "eap_common.h"
#include "eap_config.h"
#include "esp_wpa2.h"
/* RFC 4137 - EAP Peer state machine */

View File

@ -35,7 +35,7 @@
#include "esp_common_i.h"
#include "esp_owe_i.h"
#include "common/sae.h"
#include "esp_wpa2_i.h"
#include "esp_eap_client_i.h"
/**
* eapol_sm_notify_eap_success - Notification of external EAP success trigger
@ -656,7 +656,7 @@ void wpa_supplicant_process_1_of_4(struct wpa_sm *sm,
size_t kde_len;
if (is_wpa2_enterprise_connection()) {
wpa2_ent_eap_state_t state = wpa2_get_eap_state();
wpa2_ent_eap_state_t state = eap_client_get_eap_state();
if (state == WPA2_ENT_EAP_STATE_IN_PROGRESS) {
wpa_printf(MSG_INFO, "EAP Success has not been processed yet."
" Drop EAPOL message.");

View File

@ -117,7 +117,7 @@ struct wpa_sm {
struct wpabuf *owe_ie;
#endif /* CONFIG_OWE_STA */
int (*wpa_sm_wps_disable)(void);
esp_err_t (*wpa_sm_wpa2_ent_disable)(void);
esp_err_t (*wpa_sm_eap_disable)(void);
};
/**

View File

@ -198,6 +198,11 @@ INPUT = \
$(PROJECT_PATH)/components/esp_wifi/include/esp_wifi_default.h \
$(PROJECT_PATH)/components/esp_wifi/include/esp_wifi_types.h \
$(PROJECT_PATH)/components/esp_wifi/include/esp_wifi.h \
$(PROJECT_PATH)/components/wpa_supplicant/esp_supplicant/include/esp_mbo.h \
$(PROJECT_PATH)/components/wpa_supplicant/esp_supplicant/include/esp_eap_client.h \
$(PROJECT_PATH)/components/wpa_supplicant/esp_supplicant/include/esp_rrm.h \
$(PROJECT_PATH)/components/wpa_supplicant/esp_supplicant/include/esp_wnm.h \
$(PROJECT_PATH)/components/wpa_supplicant/esp_supplicant/include/esp_wps.h \
$(PROJECT_PATH)/components/esp_wifi/wifi_apps/include/esp_nan.h \
$(PROJECT_PATH)/components/esp-tls/esp_tls_errors.h \
$(PROJECT_PATH)/components/esp-tls/esp_tls.h \

View File

@ -28,3 +28,8 @@ API Reference
.. include-build-file:: inc/esp_wifi.inc
.. include-build-file:: inc/esp_wifi_types.inc
.. include-build-file:: inc/esp_eap_client.inc
.. include-build-file:: inc/esp_wps.inc
.. include-build-file:: inc/esp_rrm.inc
.. include-build-file:: inc/esp_wnm.inc
.. include-build-file:: inc/esp_mbo.inc

View File

@ -8,3 +8,4 @@ Migration from 5.1 to 5.2
peripherals
protocols
wifi

View File

@ -0,0 +1,10 @@
WiFi
====
:link_to_translation:`zh_CN:[中文]`
WiFi Enterprise security
------------------------
APIs defined in `esp_wpa2.h` have been deprecated. Please use newer APIs from `esp_eap_client.h`.

View File

@ -8,3 +8,4 @@
peripherals
protocols
wifi

View File

@ -0,0 +1,10 @@
WiFi
====
:link_to_translation:`en:[English]`
WiFi企业级安全
------------------------
`esp_wpa2.h` 中定义的API已被弃用请使用来自 `esp_eap_client.h` 的新API。

View File

@ -8,13 +8,14 @@ This example shows how ESP32 connects to AP with Wi-Fi enterprise encryption usi
1. Install CA certificate which is optional.
2. Set user name and password and identity.
3. Set the PAC file which may be empty.
4. Enable wpa2 enterprise.
4. Enable WiFi enterprise mode.
5. Connect to AP.
*Note:* 1. EAP-FAST is not supported with `CONFIG_ESP_WIFI_MBEDTLS_TLS_CLIENT` and so is disabled by default.
2. Setting the config `fast_provisioning` to methods 0 and 1 do not support saving the PAC credentials in case of a restart or loss of power.
3. The certificates present in the `examples/wifi/wifi_eap_fast/main` folder contain server certificates which have the corresponding CA as well. These can be used for server validation which is opptional.
4. The expiration date of these certificates is 2027/06/05.
*Note:*
1. EAP-FAST is not supported with `CONFIG_ESP_WIFI_MBEDTLS_TLS_CLIENT` and so is disabled by default.
2. Setting the config `fast_provisioning` to methods 0 and 1 do not support saving the PAC credentials in case of a restart or loss of power.
3. The certificates present in the `examples/wifi/wifi_eap_fast/main` folder contain server certificates which have the corresponding CA as well. These can be used for server validation which is opptional.
4. The expiration date of these certificates is 2027/06/05.
### Configuration

View File

@ -1,25 +1,21 @@
menu "Example Configuration"
choice
prompt "Enterprise configuration to be used"
default EXAMPLE_WPA_WPA2_ENTERPRISE
config EXAMPLE_WPA_WPA2_ENTERPRISE
bool "WPA_WPA2_ENT"
config EXAMPLE_WPA3_ENTERPRISE
bool "WPA3_ENT"
depends on IDF_TARGET_ESP32C3 || IDF_TARGET_ESP32S3
select ESP_WIFI_GCMP_SUPPORT
select ESP_WIFI_GMAC_SUPPORT
select ESP_WIFI_SUITE_B_192
endchoice
config EXAMPLE_WIFI_SSID
string "WiFi SSID"
default "wpa2_test"
default "ESP_EAP_FAST_AP"
help
SSID (network name) for the example to connect to.
if EXAMPLE_WPA_WPA2_ENTERPRISE
choice
prompt "Enterprise configuration to be used"
default EXAMPLE_WPA3_ENTERPRISE
config EXAMPLE_WPA2_ENTERPRISE
bool "WPA2_ENT"
config EXAMPLE_WPA3_ENTERPRISE
bool "WPA3_ENT"
endchoice
if EXAMPLE_WPA2_ENTERPRISE
config EXAMPLE_VALIDATE_SERVER_CERT
bool "Validate server"
default y
@ -27,7 +23,7 @@ menu "Example Configuration"
Validate the servers' certificate using CA cert.
endif
if !EXAMPLE_WPA_WPA2_ENTERPRISE
if !EXAMPLE_WPA2_ENTERPRISE
config EXAMPLE_VALIDATE_SERVER_CERT
default y
endif

View File

@ -1,5 +1,5 @@
/*
* SPDX-FileCopyrightText: 2021-2022 Espressif Systems (Shanghai) CO LTD
* SPDX-FileCopyrightText: 2021-2023 Espressif Systems (Shanghai) CO LTD
*
* SPDX-License-Identifier: CC0-1.0
*/
@ -10,7 +10,7 @@
#include "freertos/task.h"
#include "freertos/event_groups.h"
#include "esp_wifi.h"
#include "esp_wpa2.h"
#include "esp_eap_client.h"
#include "esp_event.h"
#include "esp_log.h"
#include "esp_system.h"
@ -89,33 +89,38 @@ static void initialise_wifi(void)
wifi_config_t wifi_config = {
.sta = {
.ssid = EXAMPLE_WIFI_SSID,
#if defined (CONFIG_EXAMPLE_WPA3_ENTERPRISE)
.pmf_cfg = {
.required = true
},
#endif
},
};
ESP_LOGI(TAG, "Setting WiFi configuration SSID %s...", wifi_config.sta.ssid);
ESP_ERROR_CHECK( esp_wifi_set_mode(WIFI_MODE_STA) );
ESP_ERROR_CHECK( esp_wifi_set_config(WIFI_IF_STA, &wifi_config) );
ESP_ERROR_CHECK( esp_wifi_sta_wpa2_ent_set_identity((uint8_t *)EXAMPLE_EAP_ID, strlen(EXAMPLE_EAP_ID)) );
ESP_ERROR_CHECK(esp_wifi_set_mode(WIFI_MODE_STA));
ESP_ERROR_CHECK(esp_wifi_set_config(WIFI_IF_STA, &wifi_config));
ESP_ERROR_CHECK(esp_eap_client_set_identity((uint8_t *)EXAMPLE_EAP_ID, strlen(EXAMPLE_EAP_ID)));
#if defined(CONFIG_EXAMPLE_VALIDATE_SERVER_CERT) || \
defined(CONFIG_EXAMPLE_WPA3_ENTERPRISE)
ESP_ERROR_CHECK( esp_wifi_sta_wpa2_ent_set_ca_cert(ca_pem_start, ca_pem_bytes) );
ESP_ERROR_CHECK(esp_eap_client_set_ca_cert(ca_pem_start, ca_pem_bytes) );
#endif /* CONFIG_EXAMPLE_VALIDATE_SERVER_CERT */ /* EXAMPLE_WPA3_ENTERPRISE */
ESP_ERROR_CHECK( esp_wifi_sta_wpa2_ent_set_username((uint8_t *)EXAMPLE_EAP_USERNAME, strlen(EXAMPLE_EAP_USERNAME)) );
ESP_ERROR_CHECK( esp_wifi_sta_wpa2_ent_set_password((uint8_t *)EXAMPLE_EAP_PASSWORD, strlen(EXAMPLE_EAP_PASSWORD)) );
ESP_ERROR_CHECK( esp_wifi_sta_wpa2_ent_set_pac_file(pac_file_pac_start, pac_file_bytes - 1) );
ESP_ERROR_CHECK(esp_eap_client_set_username((uint8_t *)EXAMPLE_EAP_USERNAME, strlen(EXAMPLE_EAP_USERNAME)));
ESP_ERROR_CHECK(esp_eap_client_set_password((uint8_t *)EXAMPLE_EAP_PASSWORD, strlen(EXAMPLE_EAP_PASSWORD)));
ESP_ERROR_CHECK(esp_eap_client_set_pac_file(pac_file_pac_start, pac_file_bytes - 1) );
esp_eap_fast_config eap_fast_config = {
.fast_provisioning = 2,
.fast_max_pac_list_len = 0,
.fast_pac_format_binary = false
};
ESP_ERROR_CHECK( esp_wifi_sta_wpa2_ent_set_fast_phase1_params(eap_fast_config) );
ESP_ERROR_CHECK(esp_eap_client_set_fast_params(eap_fast_config));
ESP_ERROR_CHECK( esp_wifi_sta_wpa2_ent_enable() );
ESP_ERROR_CHECK( esp_wifi_start() );
ESP_ERROR_CHECK(esp_wifi_sta_enterprise_enable());
ESP_ERROR_CHECK(esp_wifi_start());
}
static void wpa2_enterprise_example_task(void *pvParameters)
static void wifi_enterprise_example_task(void *pvParameters)
{
esp_netif_ip_info_t ip;
memset(&ip, 0, sizeof(esp_netif_ip_info_t));
@ -138,5 +143,5 @@ void app_main(void)
{
ESP_ERROR_CHECK( nvs_flash_init() );
initialise_wifi();
xTaskCreate(&wpa2_enterprise_example_task, "wpa2_enterprise_example_task", 4096, NULL, 5, NULL);
xTaskCreate(&wifi_enterprise_example_task, "wifi_enterprise_example_task", 4096, NULL, 5, NULL);
}

View File

@ -1,7 +1,16 @@
| Supported Targets | ESP32 | ESP32-C2 | ESP32-C3 | ESP32-C6 | ESP32-S2 | ESP32-S3 |
| ----------------- | ----- | -------- | -------- | -------- | -------- | -------- |
# WPA2 Enterprise Example
# Understanding different WiFi enterprise modes:
**WPA2 Enterprise**: WPA2-Enterprise is an advanced Wi-Fi security mode primarily used in business environments. It employs a RADIUS server for user-based authentication, supporting various EAP methods like EAP-TLS and EAP-PEAP. This mode enhances security by requiring individual user credentials, establishes secure encryption keys, and allows for efficient user management. It's a scalable and robust solution ideal for large-scale networks seeking strong protection against unauthorized access.
**WPA3 Enterprise**: WPA2-Enterprise + PMF mandatory + CA certificate validaion(required)
**WPA3 Enterprise(192 bit)**: WPA3 Enterprise + AES256 Keys(GCMP256/CCMP256) + BIP256 + RSA3096/EC certs + NSA SuiteB ciphers in EAP authentication.
# WiFi Enterprise Example
This example shows how ESP32 connects to AP with Wi-Fi enterprise encryption. The example does the following steps:
@ -9,8 +18,8 @@ This example shows how ESP32 connects to AP with Wi-Fi enterprise encryption. Th
2. Install client certificate and client key which is required in TLS method and optional in PEAP and TTLS methods.
3. Set identity of phase 1 which is optional.
4. Set user name and password of phase 2 which is required in PEAP and TTLS methods.
5. Enable wpa2 enterprise.
6. Connect to AP.
5. Enable WiFi enterprise mode.
6. Connect to AP using esp_wifi_connect().
*Note:*
1. The certificates currently are generated and are present in examples/wifi/wifi_enterprise/main folder.
@ -93,25 +102,100 @@ idf.py -p PORT flash monitor
### Example output
Here is an example of wpa2 enterprise(PEAP method) console output.
```
I (1352) example: Setting WiFi configuration SSID wpa2_test...
I (1362) wpa: WPA2 ENTERPRISE VERSION: [v2.0] enable
I (31) boot: ESP-IDF v5.2-dev-2787-g40cf6433be-dirty 2nd stage bootloader
I (31) boot: compile time Sep 12 2023 13:39:03
I (33) boot: Multicore bootloader
I (38) boot: chip revision: v3.0
I (41) boot.esp32: SPI Speed : 40MHz
I (46) boot.esp32: SPI Mode : DIO
I (51) boot.esp32: SPI Flash Size : 2MB
I (55) boot: Enabling RNG early entropy source...
I (61) boot: Partition Table:
I (64) boot: ## Label Usage Type ST Offset Length
I (71) boot: 0 nvs WiFi data 01 02 00009000 00006000
I (79) boot: 1 phy_init RF data 01 01 0000f000 00001000
I (86) boot: 2 factory factory app 00 00 00010000 00100000
I (94) boot: End of partition table
I (98) esp_image: segment 0: paddr=00010020 vaddr=3f400020 size=2aa0ch (174604) map
I (170) esp_image: segment 1: paddr=0003aa34 vaddr=3ffb0000 size=037a0h ( 14240) load
I (175) esp_image: segment 2: paddr=0003e1dc vaddr=40080000 size=01e3ch ( 7740) load
I (179) esp_image: segment 3: paddr=00040020 vaddr=400d0020 size=954c8h (611528) map
I (405) esp_image: segment 4: paddr=000d54f0 vaddr=40081e3c size=13de0h ( 81376) load
I (449) boot: Loaded app from partition at offset 0x10000
I (450) boot: Disabling RNG early entropy source...
I (461) cpu_start: Multicore app
I (461) cpu_start: Pro cpu up.
I (462) cpu_start: Starting app cpu, entry point is 0x400811e0
I (0) cpu_start: App cpu up.
I (479) cpu_start: Pro cpu start user code
I (479) cpu_start: cpu freq: 160000000 Hz
I (479) cpu_start: Application information:
I (484) cpu_start: Project name: wifi_enterprise
I (490) cpu_start: App version: c6_h2_rng_final_tests-2032-g40c
I (497) cpu_start: Compile time: Sep 12 2023 13:38:55
I (503) cpu_start: ELF file SHA256: 8d1ba00d3...
I (508) cpu_start: ESP-IDF: v5.2-dev-2787-g40cf6433be-dirty
I (515) cpu_start: Min chip rev: v0.0
I (520) cpu_start: Max chip rev: v3.99
I (525) cpu_start: Chip rev: v3.0
I (530) heap_init: Initializing. RAM available for dynamic allocation:
I (537) heap_init: At 3FFAE6E0 len 00001920 (6 KiB): DRAM
I (543) heap_init: At 3FFB7A20 len 000285E0 (161 KiB): DRAM
I (549) heap_init: At 3FFE0440 len 00003AE0 (14 KiB): D/IRAM
I (555) heap_init: At 3FFE4350 len 0001BCB0 (111 KiB): D/IRAM
I (562) heap_init: At 40095C1C len 0000A3E4 (40 KiB): IRAM
I (570) spi_flash: detected chip: generic
I (573) spi_flash: flash io: dio
W (577) spi_flash: Detected size(8192k) larger than the size in the binary image header(2048k). Using the size in the binary image header.
I (591) app_start: Starting scheduler on CPU0
I (595) app_start: Starting scheduler on CPU1
I (595) main_task: Started on CPU0
I (605) main_task: Calling app_main()
I (635) wifi:wifi driver task: 3ffbf930, prio:23, stack:6656, core=0
I (635) wifi:wifi firmware version: e03c1ca
I (635) wifi:wifi certification version: v7.0
I (635) wifi:config NVS flash: enabled
I (635) wifi:config nano formating: disabled
I (645) wifi:Init data frame dynamic rx buffer num: 32
I (645) wifi:Init management frame dynamic rx buffer num: 32
I (655) wifi:Init management short buffer num: 32
I (655) wifi:Init dynamic tx buffer num: 32
I (665) wifi:Init static rx buffer size: 1600
I (665) wifi:Init static rx buffer num: 10
I (665) wifi:Init dynamic rx buffer num: 32
I (675) wifi_init: rx ba win: 6
I (675) wifi_init: tcpip mbox: 32
I (675) wifi_init: udp mbox: 6
I (685) wifi_init: tcp mbox: 6
I (685) wifi_init: tcp tx win: 5744
I (695) wifi_init: tcp rx win: 5744
I (695) wifi_init: tcp mss: 1440
I (695) wifi_init: WiFi IRAM OP enabled
I (705) wifi_init: WiFi RX IRAM OP enabled
I (705) example: Setting WiFi configuration SSID ESP_ENTERPRISE_AP...
I (715) wpa: WiFi Enterprise enable
I (725) phy_init: phy_version 4771,450c73b,Aug 16 2023,11:03:10
I (835) wifi:mode : sta (e0:e2:e6:6a:7c:20)
I (845) wifi:enable tsf
I (845) main_task: Returned from app_main()
I (1465) wpa: BSS: Add new id 0 BSSID 38:94:ed:34:07:66 SSID 'ESP_ENTERPRISE_AP' chan 6
I (1465) wifi:new:<6,0>, old:<1,0>, ap:<255,255>, sta:<6,0>, prof:1
I (7385) wifi:state: init -> auth (b0)
I (7395) wifi:state: auth -> assoc (0)
I (7405) wifi:state: assoc -> run (10)
I (7405) wpa: wifi_task prio:7, stack:6656
I (7495) wpa: len=5 not available in input
I (7555) wpa: SSL: Need 1595 bytes more input data
I (7605) wpa: SSL: Need 601 bytes more input data
I (8575) wpa: len=5 not available in input
I (8695) wpa: application data is null, adding one byte for ack
I (8725) wpa: >>>>>EAP FINISH
I (8785) wifi:connected with ESP_ENTERPRISE_AP, aid = 1, channel 6, BW20, bssid = 38:94:ed:34:07:66
I (8785) wifi:security: WPA2-ENT, phy: bgn, rssi: -22
I (8785) wifi:pm start, type: 1
I (1362) wifi: rx_ba=1 tx_ba=1
I (8795) wifi:AP's beacon interval = 102400 us, DTIM period = 3
I (1372) wifi: mode : sta (24:0a:c4:03:b8:dc)
I (3002) wifi: n:11 0, o:1 0, ap:255 255, sta:11 0, prof:11
I (3642) wifi: state: init -> auth (b0)
I (3642) wifi: state: auth -> assoc (0)
I (3652) wifi: state: assoc -> run (10)
I (3652) wpa: wpa2_task prio:24, stack:6144
I (3972) wpa: >>>>>wpa2 FINISH
I (3982) wpa: wpa2 task delete
I (3992) wifi: connected with wpa2_test, channel 11
I (5372) example: ~~~~~~~~~~~
I (5372) example: IP:0.0.0.0
I (5372) example: MASK:0.0.0.0

View File

@ -2,15 +2,15 @@ menu "Example Configuration"
config EXAMPLE_WIFI_SSID
string "WiFi SSID"
default "wpa2_test"
default "ESP_ENTERPRISE_AP"
help
SSID (network name) for the example to connect to.
choice
prompt "Enterprise configuration to be used"
default EXAMPLE_WPA_WPA2_ENTERPRISE
config EXAMPLE_WPA_WPA2_ENTERPRISE
bool "WPA_WPA2_ENT"
default EXAMPLE_WPA3_ENTERPRISE
config EXAMPLE_WPA2_ENTERPRISE
bool "WPA2_ENT"
config EXAMPLE_WPA3_ENTERPRISE
bool "WPA3_ENT"
config EXAMPLE_WPA3_192BIT_ENTERPRISE
@ -21,7 +21,7 @@ menu "Example Configuration"
select ESP_WIFI_SUITE_B_192
endchoice
if EXAMPLE_WPA_WPA2_ENTERPRISE
if EXAMPLE_WPA2_ENTERPRISE
config EXAMPLE_VALIDATE_SERVER_CERT
bool "Validate server"
default y
@ -29,21 +29,14 @@ menu "Example Configuration"
Validate the servers' certificate using CA cert.
endif
if !EXAMPLE_WPA_WPA2_ENTERPRISE
if !EXAMPLE_WPA2_ENTERPRISE
config EXAMPLE_VALIDATE_SERVER_CERT
default y
endif
config EXAMPLE_USE_DEFAULT_CERT_BUNDLE
bool "Use default cert bundle"
depends on EXAMPLE_VALIDATE_SERVER_CERT
default n
help
Use default CA certificate bundle for WPA enterprise connection
choice
prompt "EAP method for the example to use"
default EXAMPLE_EAP_METHOD_PEAP
default EXAMPLE_EAP_METHOD_TLS
config EXAMPLE_EAP_METHOD_TLS
bool "TLS"
config EXAMPLE_EAP_METHOD_PEAP
@ -90,13 +83,19 @@ menu "Example Configuration"
depends on EXAMPLE_EAP_METHOD_PEAP || EXAMPLE_EAP_METHOD_TTLS
default "espressif"
help
Username for EAP method (PEAP and TTLS).
Username for EAP method (valid for PEAP and TTLS).
config EXAMPLE_EAP_PASSWORD
string "EAP PASSWORD"
depends on EXAMPLE_EAP_METHOD_PEAP || EXAMPLE_EAP_METHOD_TTLS
default "test11"
help
Password for EAP method (PEAP and TTLS).
Password for EAP method (valid for PEAP and TTLS).
config EXAMPLE_USE_DEFAULT_CERT_BUNDLE
bool "Use default cert bundle"
depends on EXAMPLE_VALIDATE_SERVER_CERT
default n
help
Use default CA certificate bundle for WiFi enterprise connection
endmenu

View File

@ -1,28 +1,17 @@
/* WiFi Connection Example using WPA2 Enterprise
/*
* SPDX-FileCopyrightText: 2006-2016 ARM Limited
* SPDX-FileCopyrightText: 2015-2023 Espressif Systems (Shanghai) CO LTD
*
* Original Copyright (C) 2006-2016, ARM Limited, All Rights Reserved, Apache 2.0 License.
* Additions Copyright (C) Copyright 2015-2016 Espressif Systems (Shanghai) PTE LTD, Apache 2.0 License.
*
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
* SPDX-License-Identifier: Apache-2.0
*/
#include <string.h>
#include <stdlib.h>
#include "freertos/FreeRTOS.h"
#include "freertos/task.h"
#include "freertos/event_groups.h"
#include "esp_wifi.h"
#include "esp_wpa2.h"
#include "esp_eap_client.h"
#include "esp_event.h"
#include "esp_log.h"
#include "esp_system.h"
@ -63,7 +52,7 @@ static const char *TAG = "example";
Client key, taken from client.key
The PEM, CRT and KEY file were provided by the person or organization
who configured the AP with wpa2 enterprise.
who configured the AP with wifi enterprise.
To embed it in the app binary, the PEM, CRT and KEY file is named
in the component.mk COMPONENT_EMBED_TXTFILES variable.
@ -115,14 +104,14 @@ static void initialise_wifi(void)
assert(sta_netif);
wifi_init_config_t cfg = WIFI_INIT_CONFIG_DEFAULT();
ESP_ERROR_CHECK( esp_wifi_init(&cfg) );
ESP_ERROR_CHECK( esp_event_handler_register(WIFI_EVENT, ESP_EVENT_ANY_ID, &event_handler, NULL) );
ESP_ERROR_CHECK( esp_event_handler_register(IP_EVENT, IP_EVENT_STA_GOT_IP, &event_handler, NULL) );
ESP_ERROR_CHECK( esp_wifi_set_storage(WIFI_STORAGE_RAM) );
ESP_ERROR_CHECK(esp_wifi_init(&cfg));
ESP_ERROR_CHECK(esp_event_handler_register(WIFI_EVENT, ESP_EVENT_ANY_ID, &event_handler, NULL));
ESP_ERROR_CHECK(esp_event_handler_register(IP_EVENT, IP_EVENT_STA_GOT_IP, &event_handler, NULL));
ESP_ERROR_CHECK(esp_wifi_set_storage(WIFI_STORAGE_RAM));
wifi_config_t wifi_config = {
.sta = {
.ssid = EXAMPLE_WIFI_SSID,
#if defined (CONFIG_EXAMPLE_WPA3_192BIT_ENTERPRISE)
#if defined (CONFIG_EXAMPLE_WPA3_192BIT_ENTERPRISE) || defined (CONFIG_EXAMPLE_WPA3_ENTERPRISE)
.pmf_cfg = {
.required = true
},
@ -130,41 +119,43 @@ static void initialise_wifi(void)
},
};
ESP_LOGI(TAG, "Setting WiFi configuration SSID %s...", wifi_config.sta.ssid);
ESP_ERROR_CHECK( esp_wifi_set_mode(WIFI_MODE_STA) );
ESP_ERROR_CHECK( esp_wifi_set_config(WIFI_IF_STA, &wifi_config) );
ESP_ERROR_CHECK( esp_wifi_sta_wpa2_ent_set_identity((uint8_t *)EXAMPLE_EAP_ID, strlen(EXAMPLE_EAP_ID)) );
ESP_ERROR_CHECK(esp_wifi_set_mode(WIFI_MODE_STA) );
ESP_ERROR_CHECK(esp_wifi_set_config(WIFI_IF_STA, &wifi_config) );
ESP_ERROR_CHECK(esp_eap_client_set_identity((uint8_t *)EXAMPLE_EAP_ID, strlen(EXAMPLE_EAP_ID)) );
#if defined(CONFIG_EXAMPLE_VALIDATE_SERVER_CERT) || \
defined(CONFIG_EXAMPLE_WPA3_ENTERPRISE) || \
defined(CONFIG_EXAMPLE_WPA3_192BIT_ENTERPRISE)
ESP_ERROR_CHECK( esp_wifi_sta_wpa2_ent_set_ca_cert(ca_pem_start, ca_pem_bytes) );
ESP_ERROR_CHECK(esp_eap_client_set_ca_cert(ca_pem_start, ca_pem_bytes) );
#endif /* CONFIG_EXAMPLE_VALIDATE_SERVER_CERT */ /* EXAMPLE_WPA3_ENTERPRISE */
#ifdef CONFIG_EXAMPLE_EAP_METHOD_TLS
ESP_ERROR_CHECK( esp_wifi_sta_wpa2_ent_set_cert_key(client_crt_start, client_crt_bytes,\
client_key_start, client_key_bytes, NULL, 0) );
ESP_ERROR_CHECK(esp_eap_client_set_certificate_and_key(client_crt_start, client_crt_bytes,
client_key_start, client_key_bytes, NULL, 0) );
#endif /* CONFIG_EXAMPLE_EAP_METHOD_TLS */
#if defined CONFIG_EXAMPLE_EAP_METHOD_PEAP || CONFIG_EXAMPLE_EAP_METHOD_TTLS
ESP_ERROR_CHECK( esp_wifi_sta_wpa2_ent_set_username((uint8_t *)EXAMPLE_EAP_USERNAME, strlen(EXAMPLE_EAP_USERNAME)) );
ESP_ERROR_CHECK( esp_wifi_sta_wpa2_ent_set_password((uint8_t *)EXAMPLE_EAP_PASSWORD, strlen(EXAMPLE_EAP_PASSWORD)) );
#if defined (CONFIG_EXAMPLE_EAP_METHOD_PEAP) || \
defined (CONFIG_EXAMPLE_EAP_METHOD_TTLS)
ESP_ERROR_CHECK(esp_eap_client_set_username((uint8_t *)EXAMPLE_EAP_USERNAME, strlen(EXAMPLE_EAP_USERNAME)) );
ESP_ERROR_CHECK(esp_eap_client_set_password((uint8_t *)EXAMPLE_EAP_PASSWORD, strlen(EXAMPLE_EAP_PASSWORD)) );
#endif /* CONFIG_EXAMPLE_EAP_METHOD_PEAP || CONFIG_EXAMPLE_EAP_METHOD_TTLS */
#if defined CONFIG_EXAMPLE_EAP_METHOD_TTLS
ESP_ERROR_CHECK( esp_wifi_sta_wpa2_ent_set_ttls_phase2_method(TTLS_PHASE2_METHOD) );
ESP_ERROR_CHECK(esp_eap_client_set_ttls_phase2_method(TTLS_PHASE2_METHOD) );
#endif /* CONFIG_EXAMPLE_EAP_METHOD_TTLS */
#if defined (CONFIG_EXAMPLE_WPA3_192BIT_ENTERPRISE)
ESP_LOGI(TAG, "Enabling 192 bit certification");
ESP_ERROR_CHECK(esp_wifi_sta_wpa2_set_suiteb_192bit_certification(true));
ESP_ERROR_CHECK(esp_eap_client_set_suiteb_192bit_certification(true));
#endif
#ifdef CONFIG_EXAMPLE_USE_DEFAULT_CERT_BUNDLE
ESP_ERROR_CHECK(esp_wifi_sta_wpa2_use_default_cert_bundle(true));
ESP_ERROR_CHECK(esp_eap_client_use_default_cert_bundle(true));
#endif
ESP_ERROR_CHECK( esp_wifi_sta_wpa2_ent_enable() );
ESP_ERROR_CHECK( esp_wifi_start() );
ESP_ERROR_CHECK(esp_wifi_sta_enterprise_enable());
ESP_ERROR_CHECK(esp_wifi_start());
}
static void wpa2_enterprise_example_task(void *pvParameters)
static void wifi_enterprise_example_task(void *pvParameters)
{
esp_netif_ip_info_t ip;
memset(&ip, 0, sizeof(esp_netif_ip_info_t));
@ -185,7 +176,7 @@ static void wpa2_enterprise_example_task(void *pvParameters)
void app_main(void)
{
ESP_ERROR_CHECK( nvs_flash_init() );
ESP_ERROR_CHECK(nvs_flash_init());
initialise_wifi();
xTaskCreate(&wpa2_enterprise_example_task, "wpa2_enterprise_example_task", 4096, NULL, 5, NULL);
xTaskCreate(&wifi_enterprise_example_task, "wifi_enterprise_example_task", 4096, NULL, 5, NULL);
}

View File

@ -1304,7 +1304,6 @@ examples/wifi/roaming/main/roaming_example.c
examples/wifi/scan/main/scan.c
examples/wifi/smart_config/main/smartconfig_main.c
examples/wifi/wifi_easy_connect/dpp-enrollee/main/dpp_enrollee_main.c
examples/wifi/wifi_enterprise/main/wifi_enterprise_main.c
examples/wifi/wps/main/wps.c
tools/ble/lib_ble_client.py
tools/ble/lib_gap.py