mirror of
https://github.com/espressif/esp-idf.git
synced 2024-10-05 20:47:46 -04:00
wpa_supplicant: Add CA certification bundle support
Add support for CA certificate bundle support for server certificate validation
This commit is contained in:
Kapil Gupta
parent
82e9afeade
commit
62eb06e386
@ -246,6 +246,17 @@ esp_err_t esp_wifi_sta_wpa2_ent_set_pac_file(const unsigned char *pac_file, int
|
|||||||
*/
|
*/
|
||||||
esp_err_t esp_wifi_sta_wpa2_ent_set_fast_phase1_params(esp_eap_fast_config config);
|
esp_err_t esp_wifi_sta_wpa2_ent_set_fast_phase1_params(esp_eap_fast_config config);
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @brief Use default CA cert bundle for server validation
|
||||||
|
*
|
||||||
|
* @use_default_bundle : whether to use bundle or not
|
||||||
|
*
|
||||||
|
* @return
|
||||||
|
* - ESP_OK: succeed
|
||||||
|
* - ESP_FAIL: fail
|
||||||
|
*/
|
||||||
|
esp_err_t esp_wifi_sta_wpa2_use_default_cert_bundle(bool use_default_bundle);
|
||||||
|
|
||||||
#ifdef __cplusplus
|
#ifdef __cplusplus
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|||||||
@ -37,6 +37,9 @@
|
|||||||
#include "esp_wifi_driver.h"
|
#include "esp_wifi_driver.h"
|
||||||
#include "esp_private/wifi.h"
|
#include "esp_private/wifi.h"
|
||||||
#include "esp_wpa_err.h"
|
#include "esp_wpa_err.h"
|
||||||
|
#ifdef CONFIG_MBEDTLS_CERTIFICATE_BUNDLE
|
||||||
|
#include "esp_crt_bundle.h"
|
||||||
|
#endif
|
||||||
|
|
||||||
#define WPA2_VERSION "v2.0"
|
#define WPA2_VERSION "v2.0"
|
||||||
|
|
||||||
@ -1250,3 +1253,18 @@ esp_err_t esp_wifi_sta_wpa2_ent_set_fast_phase1_params(esp_eap_fast_config confi
|
|||||||
return ESP_OK;
|
return ESP_OK;
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
esp_err_t esp_wifi_sta_wpa2_use_default_cert_bundle(bool use_default_bundle)
|
||||||
|
{
|
||||||
|
#ifdef CONFIG_MBEDTLS_CERTIFICATE_BUNDLE
|
||||||
|
g_wpa_default_cert_bundle = use_default_bundle;
|
||||||
|
if (use_default_bundle) {
|
||||||
|
esp_crt_bundle_attach_fn = esp_crt_bundle_attach;
|
||||||
|
} else {
|
||||||
|
esp_crt_bundle_attach_fn = NULL;
|
||||||
|
}
|
||||||
|
return ESP_OK;
|
||||||
|
#else
|
||||||
|
return ESP_FAIL;
|
||||||
|
#endif
|
||||||
|
}
|
||||||
|
|||||||
@ -30,6 +30,8 @@ which are undefined if the following flag is not defined */
|
|||||||
#else
|
#else
|
||||||
#include "mbedtls/config.h"
|
#include "mbedtls/config.h"
|
||||||
#endif
|
#endif
|
||||||
|
#include "eap_peer/eap.h"
|
||||||
|
|
||||||
|
|
||||||
#define TLS_RANDOM_LEN 32
|
#define TLS_RANDOM_LEN 32
|
||||||
#define TLS_MASTER_SECRET_LEN 48
|
#define TLS_MASTER_SECRET_LEN 48
|
||||||
@ -506,7 +508,6 @@ static int set_client_config(const struct tls_connection_params *cfg, tls_contex
|
|||||||
if (ret != 0) {
|
if (ret != 0) {
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
mbedtls_ssl_conf_ca_chain(&tls->conf, tls->cacert_ptr, NULL);
|
|
||||||
} else {
|
} else {
|
||||||
mbedtls_ssl_conf_authmode(&tls->conf, MBEDTLS_SSL_VERIFY_NONE);
|
mbedtls_ssl_conf_authmode(&tls->conf, MBEDTLS_SSL_VERIFY_NONE);
|
||||||
}
|
}
|
||||||
@ -524,6 +525,19 @@ static int set_client_config(const struct tls_connection_params *cfg, tls_contex
|
|||||||
* but doesn't take that much processing power */
|
* but doesn't take that much processing power */
|
||||||
tls_set_ciphersuite(cfg, tls);
|
tls_set_ciphersuite(cfg, tls);
|
||||||
|
|
||||||
|
#ifdef CONFIG_MBEDTLS_CERTIFICATE_BUNDLE
|
||||||
|
if (cfg->flags & TLS_CONN_USE_DEFAULT_CERT_BUNDLE) {
|
||||||
|
wpa_printf(MSG_INFO, "Using default cert bundle");
|
||||||
|
if (esp_crt_bundle_attach_fn) {
|
||||||
|
ret = (*esp_crt_bundle_attach_fn)(&tls->conf);
|
||||||
|
}
|
||||||
|
if (ret != 0) {
|
||||||
|
wpa_printf(MSG_ERROR, "Failed to set default cert bundle");
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@ -63,6 +63,10 @@ char *g_wpa_phase1_options;
|
|||||||
u8 *g_wpa_pac_file;
|
u8 *g_wpa_pac_file;
|
||||||
int g_wpa_pac_file_len;
|
int g_wpa_pac_file_len;
|
||||||
bool g_wpa_suiteb_certification;
|
bool g_wpa_suiteb_certification;
|
||||||
|
#ifdef CONFIG_MBEDTLS_CERTIFICATE_BUNDLE
|
||||||
|
bool g_wpa_default_cert_bundle;
|
||||||
|
int (*esp_crt_bundle_attach_fn)(void *conf);
|
||||||
|
#endif
|
||||||
|
|
||||||
void eap_peer_config_deinit(struct eap_sm *sm);
|
void eap_peer_config_deinit(struct eap_sm *sm);
|
||||||
void eap_peer_blob_deinit(struct eap_sm *sm);
|
void eap_peer_blob_deinit(struct eap_sm *sm);
|
||||||
@ -571,9 +575,14 @@ int eap_peer_config_init(
|
|||||||
}
|
}
|
||||||
|
|
||||||
if (g_wpa_suiteb_certification) {
|
if (g_wpa_suiteb_certification) {
|
||||||
sm->config.flags = TLS_CONN_SUITEB;
|
sm->config.flags |= TLS_CONN_SUITEB;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#ifdef CONFIG_MBEDTLS_CERTIFICATE_BUNDLE
|
||||||
|
if (g_wpa_default_cert_bundle) {
|
||||||
|
sm->config.flags |= TLS_CONN_USE_DEFAULT_CERT_BUNDLE;
|
||||||
|
}
|
||||||
|
#endif
|
||||||
/* To be used only for EAP-FAST */
|
/* To be used only for EAP-FAST */
|
||||||
if (g_wpa_phase1_options) {
|
if (g_wpa_phase1_options) {
|
||||||
sm->config.phase1 = g_wpa_phase1_options;
|
sm->config.phase1 = g_wpa_phase1_options;
|
||||||
|
|||||||
@ -46,6 +46,8 @@ extern u8 *g_wpa_pac_file;
|
|||||||
extern int g_wpa_pac_file_len;
|
extern int g_wpa_pac_file_len;
|
||||||
|
|
||||||
extern bool g_wpa_suiteb_certification;
|
extern bool g_wpa_suiteb_certification;
|
||||||
|
extern bool g_wpa_default_cert_bundle;
|
||||||
|
extern int (*esp_crt_bundle_attach_fn)(void *conf);
|
||||||
|
|
||||||
const u8 * eap_get_eapKeyData(struct eap_sm *sm, size_t *len);
|
const u8 * eap_get_eapKeyData(struct eap_sm *sm, size_t *len);
|
||||||
void eap_deinit_prev_method(struct eap_sm *sm, const char *txt);
|
void eap_deinit_prev_method(struct eap_sm *sm, const char *txt);
|
||||||
|
|||||||
@ -34,6 +34,7 @@ static void * eap_tls_init(struct eap_sm *sm)
|
|||||||
{
|
{
|
||||||
struct eap_tls_data *data;
|
struct eap_tls_data *data;
|
||||||
struct eap_peer_config *config = eap_get_config(sm);
|
struct eap_peer_config *config = eap_get_config(sm);
|
||||||
|
|
||||||
if (config == NULL ||
|
if (config == NULL ||
|
||||||
config->private_key == 0) {
|
config->private_key == 0) {
|
||||||
wpa_printf(MSG_INFO, "EAP-TLS: Private key not configured");
|
wpa_printf(MSG_INFO, "EAP-TLS: Private key not configured");
|
||||||
|
|||||||
@ -84,6 +84,11 @@ static void eap_tls_params_from_conf1(struct tls_connection_params *params,
|
|||||||
params->flags |= TLS_CONN_SUITEB;
|
params->flags |= TLS_CONN_SUITEB;
|
||||||
else
|
else
|
||||||
params->flags &= (~TLS_CONN_SUITEB);
|
params->flags &= (~TLS_CONN_SUITEB);
|
||||||
|
|
||||||
|
if (config->flags & TLS_CONN_USE_DEFAULT_CERT_BUNDLE)
|
||||||
|
params->flags |= TLS_CONN_USE_DEFAULT_CERT_BUNDLE;
|
||||||
|
else
|
||||||
|
params->flags &= (~TLS_CONN_USE_DEFAULT_CERT_BUNDLE);
|
||||||
}
|
}
|
||||||
|
|
||||||
static int eap_tls_params_from_conf(struct eap_sm *sm,
|
static int eap_tls_params_from_conf(struct eap_sm *sm,
|
||||||
|
|||||||
@ -84,6 +84,7 @@ struct tls_config {
|
|||||||
#define TLS_CONN_REQUIRE_OCSP BIT(4)
|
#define TLS_CONN_REQUIRE_OCSP BIT(4)
|
||||||
#define TLS_CONN_SUITEB BIT(11)
|
#define TLS_CONN_SUITEB BIT(11)
|
||||||
#define TLS_CONN_EAP_FAST BIT(7)
|
#define TLS_CONN_EAP_FAST BIT(7)
|
||||||
|
#define TLS_CONN_USE_DEFAULT_CERT_BUNDLE BIT(18)
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* struct tls_connection_params - Parameters for TLS connection
|
* struct tls_connection_params - Parameters for TLS connection
|
||||||
|
|||||||
@ -1,5 +1,11 @@
|
|||||||
menu "Example Configuration"
|
menu "Example Configuration"
|
||||||
|
|
||||||
|
config EXAMPLE_WIFI_SSID
|
||||||
|
string "WiFi SSID"
|
||||||
|
default "wpa2_test"
|
||||||
|
help
|
||||||
|
SSID (network name) for the example to connect to.
|
||||||
|
|
||||||
choice
|
choice
|
||||||
prompt "Enterprise configuration to be used"
|
prompt "Enterprise configuration to be used"
|
||||||
default EXAMPLE_WPA_WPA2_ENTERPRISE
|
default EXAMPLE_WPA_WPA2_ENTERPRISE
|
||||||
@ -15,12 +21,6 @@ menu "Example Configuration"
|
|||||||
select WPA_SUITE_B_192
|
select WPA_SUITE_B_192
|
||||||
endchoice
|
endchoice
|
||||||
|
|
||||||
config EXAMPLE_WIFI_SSID
|
|
||||||
string "WiFi SSID"
|
|
||||||
default "wpa2_test"
|
|
||||||
help
|
|
||||||
SSID (network name) for the example to connect to.
|
|
||||||
|
|
||||||
if EXAMPLE_WPA_WPA2_ENTERPRISE
|
if EXAMPLE_WPA_WPA2_ENTERPRISE
|
||||||
config EXAMPLE_VALIDATE_SERVER_CERT
|
config EXAMPLE_VALIDATE_SERVER_CERT
|
||||||
bool "Validate server"
|
bool "Validate server"
|
||||||
@ -34,6 +34,13 @@ menu "Example Configuration"
|
|||||||
default y
|
default y
|
||||||
endif
|
endif
|
||||||
|
|
||||||
|
config EXAMPLE_USE_DEFAULT_CERT_BUNDLE
|
||||||
|
bool "Use default cert bundle"
|
||||||
|
depends on EXAMPLE_VALIDATE_SERVER_CERT
|
||||||
|
default n
|
||||||
|
help
|
||||||
|
Use default CA certificate bundle for WPA enterprise connection
|
||||||
|
|
||||||
choice
|
choice
|
||||||
prompt "EAP method for the example to use"
|
prompt "EAP method for the example to use"
|
||||||
default EXAMPLE_EAP_METHOD_PEAP
|
default EXAMPLE_EAP_METHOD_PEAP
|
||||||
|
|||||||
@ -156,6 +156,9 @@ static void initialise_wifi(void)
|
|||||||
#if defined (CONFIG_EXAMPLE_WPA3_192BIT_ENTERPRISE)
|
#if defined (CONFIG_EXAMPLE_WPA3_192BIT_ENTERPRISE)
|
||||||
ESP_LOGI(TAG, "Enabling 192 bit certification");
|
ESP_LOGI(TAG, "Enabling 192 bit certification");
|
||||||
ESP_ERROR_CHECK(esp_wifi_sta_wpa2_set_suiteb_192bit_certification(true));
|
ESP_ERROR_CHECK(esp_wifi_sta_wpa2_set_suiteb_192bit_certification(true));
|
||||||
|
#endif
|
||||||
|
#ifdef CONFIG_EXAMPLE_USE_DEFAULT_CERT_BUNDLE
|
||||||
|
ESP_ERROR_CHECK(esp_wifi_sta_wpa2_use_default_cert_bundle(true));
|
||||||
#endif
|
#endif
|
||||||
ESP_ERROR_CHECK( esp_wifi_sta_wpa2_ent_enable() );
|
ESP_ERROR_CHECK( esp_wifi_sta_wpa2_ent_enable() );
|
||||||
ESP_ERROR_CHECK( esp_wifi_start() );
|
ESP_ERROR_CHECK( esp_wifi_start() );
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user