wpa_supplicant: Add CA certification bundle support

Add support for CA certificate bundle support for server certificate validation
2024-10-05 20:47:46 -04:00 · 2022-02-08 15:20:13 +05:30 · 2022-02-08 15:20:13 +05:30 · 62eb06e386
commit 62eb06e386
parent 82e9afeade
10 changed files with 79 additions and 8 deletions
--- a/components/wpa_supplicant/esp_supplicant/include/esp_wpa2.h
+++ b/components/wpa_supplicant/esp_supplicant/include/esp_wpa2.h
@ -246,6 +246,17 @@ esp_err_t esp_wifi_sta_wpa2_ent_set_pac_file(const unsigned char *pac_file, int
  */
 esp_err_t esp_wifi_sta_wpa2_ent_set_fast_phase1_params(esp_eap_fast_config config);

+/**
+  * @brief  Use default CA cert bundle for server validation
+  *
+  * @use_default_bundle : whether to use bundle or not
+  *
+  * @return
+  *    - ESP_OK: succeed
+  *    - ESP_FAIL: fail
+  */
+esp_err_t esp_wifi_sta_wpa2_use_default_cert_bundle(bool use_default_bundle);
+
 #ifdef __cplusplus
 }
 #endif
--- a/components/wpa_supplicant/esp_supplicant/src/esp_wpa2.c
+++ b/components/wpa_supplicant/esp_supplicant/src/esp_wpa2.c
@ -37,6 +37,9 @@
 #include "esp_wifi_driver.h"
 #include "esp_private/wifi.h"
 #include "esp_wpa_err.h"
+#ifdef CONFIG_MBEDTLS_CERTIFICATE_BUNDLE
+#include "esp_crt_bundle.h"
+#endif

 #define WPA2_VERSION    "v2.0"

@ -1250,3 +1253,18 @@ esp_err_t esp_wifi_sta_wpa2_ent_set_fast_phase1_params(esp_eap_fast_config confi
    return ESP_OK;

 }
+
+esp_err_t esp_wifi_sta_wpa2_use_default_cert_bundle(bool use_default_bundle)
+{
+#ifdef CONFIG_MBEDTLS_CERTIFICATE_BUNDLE
+    g_wpa_default_cert_bundle = use_default_bundle;
+    if (use_default_bundle) {
+        esp_crt_bundle_attach_fn = esp_crt_bundle_attach;
+    } else {
+        esp_crt_bundle_attach_fn = NULL;
+    }
+    return ESP_OK;
+#else
+    return ESP_FAIL;
+#endif
+}
--- a/components/wpa_supplicant/src/crypto/tls_mbedtls.c
+++ b/components/wpa_supplicant/src/crypto/tls_mbedtls.c
@ -30,6 +30,8 @@ which are undefined if the following flag is not defined */
 #else
 #include "mbedtls/config.h"
 #endif
+#include "eap_peer/eap.h"
+

 #define TLS_RANDOM_LEN 32
 #define TLS_MASTER_SECRET_LEN 48
@ -506,7 +508,6 @@ static int set_client_config(const struct tls_connection_params *cfg, tls_contex
 		if (ret != 0) {
 			return ret;
 		}
-		mbedtls_ssl_conf_ca_chain(&tls->conf, tls->cacert_ptr, NULL);
 	} else {
 		mbedtls_ssl_conf_authmode(&tls->conf, MBEDTLS_SSL_VERIFY_NONE);
 	}
@ -524,6 +525,19 @@ static int set_client_config(const struct tls_connection_params *cfg, tls_contex
 	 * but doesn't take that much processing power */
 	tls_set_ciphersuite(cfg, tls);

+#ifdef CONFIG_MBEDTLS_CERTIFICATE_BUNDLE
+	if (cfg->flags & TLS_CONN_USE_DEFAULT_CERT_BUNDLE) {
+		wpa_printf(MSG_INFO, "Using default cert bundle");
+		if (esp_crt_bundle_attach_fn) {
+			ret = (*esp_crt_bundle_attach_fn)(&tls->conf);
+		}
+		if (ret != 0) {
+			wpa_printf(MSG_ERROR, "Failed to set default cert bundle");
+			return ret;
+		}
+	}
+#endif
+
 	return 0;
 }

--- a/components/wpa_supplicant/src/eap_peer/eap.c
+++ b/components/wpa_supplicant/src/eap_peer/eap.c
@ -63,6 +63,10 @@ char *g_wpa_phase1_options;
 u8 *g_wpa_pac_file;
 int g_wpa_pac_file_len;
 bool g_wpa_suiteb_certification;
+#ifdef CONFIG_MBEDTLS_CERTIFICATE_BUNDLE
+bool g_wpa_default_cert_bundle;
+int (*esp_crt_bundle_attach_fn)(void *conf);
+#endif

 void eap_peer_config_deinit(struct eap_sm *sm);
 void eap_peer_blob_deinit(struct eap_sm *sm);
@ -571,9 +575,14 @@ int eap_peer_config_init(
 	}

 	if (g_wpa_suiteb_certification) {
-		sm->config.flags = TLS_CONN_SUITEB;
+		sm->config.flags |= TLS_CONN_SUITEB;
 	}

+#ifdef CONFIG_MBEDTLS_CERTIFICATE_BUNDLE
+	if (g_wpa_default_cert_bundle) {
+		sm->config.flags |= TLS_CONN_USE_DEFAULT_CERT_BUNDLE;
+	}
+#endif
 	/* To be used only for EAP-FAST */
 	if (g_wpa_phase1_options) {
 		sm->config.phase1 = g_wpa_phase1_options;
--- a/components/wpa_supplicant/src/eap_peer/eap.h
+++ b/components/wpa_supplicant/src/eap_peer/eap.h
@ -46,6 +46,8 @@ extern u8 *g_wpa_pac_file;
 extern int g_wpa_pac_file_len;

 extern bool g_wpa_suiteb_certification;
+extern bool g_wpa_default_cert_bundle;
+extern int (*esp_crt_bundle_attach_fn)(void *conf);

 const u8 * eap_get_eapKeyData(struct eap_sm *sm, size_t *len);
 void eap_deinit_prev_method(struct eap_sm *sm, const char *txt);
--- a/components/wpa_supplicant/src/eap_peer/eap_tls.c
+++ b/components/wpa_supplicant/src/eap_peer/eap_tls.c
@ -34,6 +34,7 @@ static void * eap_tls_init(struct eap_sm *sm)
 {
 	struct eap_tls_data *data;
 	struct eap_peer_config *config = eap_get_config(sm);
+
 	if (config == NULL ||
 	    config->private_key == 0) {
 		wpa_printf(MSG_INFO, "EAP-TLS: Private key not configured");
--- a/components/wpa_supplicant/src/eap_peer/eap_tls_common.c
+++ b/components/wpa_supplicant/src/eap_peer/eap_tls_common.c
@ -84,6 +84,11 @@ static void eap_tls_params_from_conf1(struct tls_connection_params *params,
 		params->flags |= TLS_CONN_SUITEB;
 	else
 		params->flags &= (~TLS_CONN_SUITEB);
+
+	if (config->flags & TLS_CONN_USE_DEFAULT_CERT_BUNDLE)
+		params->flags |= TLS_CONN_USE_DEFAULT_CERT_BUNDLE;
+	else
+		params->flags &= (~TLS_CONN_USE_DEFAULT_CERT_BUNDLE);
 }

 static int eap_tls_params_from_conf(struct eap_sm *sm,
--- a/components/wpa_supplicant/src/tls/tls.h
+++ b/components/wpa_supplicant/src/tls/tls.h
@ -84,6 +84,7 @@ struct tls_config {
 #define TLS_CONN_REQUIRE_OCSP BIT(4)
 #define TLS_CONN_SUITEB BIT(11)
 #define TLS_CONN_EAP_FAST BIT(7)
+#define TLS_CONN_USE_DEFAULT_CERT_BUNDLE BIT(18)

 /**
 * struct tls_connection_params - Parameters for TLS connection
--- a/examples/wifi/wifi_enterprise/main/Kconfig.projbuild
+++ b/examples/wifi/wifi_enterprise/main/Kconfig.projbuild
@ -1,5 +1,11 @@
 menu "Example Configuration"

+    config EXAMPLE_WIFI_SSID
+        string "WiFi SSID"
+        default "wpa2_test"
+        help
+            SSID (network name) for the example to connect to.
+
    choice
        prompt "Enterprise configuration to be used"
        default EXAMPLE_WPA_WPA2_ENTERPRISE
@ -15,12 +21,6 @@ menu "Example Configuration"
            select WPA_SUITE_B_192
    endchoice

-    config EXAMPLE_WIFI_SSID
-        string "WiFi SSID"
-        default "wpa2_test"
-        help
-            SSID (network name) for the example to connect to.
-
    if EXAMPLE_WPA_WPA2_ENTERPRISE
        config EXAMPLE_VALIDATE_SERVER_CERT
            bool "Validate server"
@ -34,6 +34,13 @@ menu "Example Configuration"
            default y
    endif

+    config EXAMPLE_USE_DEFAULT_CERT_BUNDLE
+        bool "Use default cert bundle"
+        depends on EXAMPLE_VALIDATE_SERVER_CERT
+        default n
+        help
+            Use default CA certificate bundle for WPA enterprise connection
+
    choice
        prompt "EAP method for the example to use"
        default EXAMPLE_EAP_METHOD_PEAP
--- a/examples/wifi/wifi_enterprise/main/wifi_enterprise_main.c
+++ b/examples/wifi/wifi_enterprise/main/wifi_enterprise_main.c
@ -156,6 +156,9 @@ static void initialise_wifi(void)
 #if defined (CONFIG_EXAMPLE_WPA3_192BIT_ENTERPRISE)
    ESP_LOGI(TAG, "Enabling 192 bit certification");
    ESP_ERROR_CHECK(esp_wifi_sta_wpa2_set_suiteb_192bit_certification(true));
+#endif
+#ifdef CONFIG_EXAMPLE_USE_DEFAULT_CERT_BUNDLE
+    ESP_ERROR_CHECK(esp_wifi_sta_wpa2_use_default_cert_bundle(true));
 #endif
    ESP_ERROR_CHECK( esp_wifi_sta_wpa2_ent_enable() );
    ESP_ERROR_CHECK( esp_wifi_start() );