mirror of
https://github.com/espressif/esp-idf.git
synced 2024-10-05 20:47:46 -04:00
esp_wifi: WPA2 enterprise related changes
1. Removed DHE ciphers when mbedTLS is disabled since they take too much processing power. 2. Removed support of SHA384 and SHA512 when mbedTLS is disabled due to too much processing needed. 3. Fixed bugs in crypto_hash_init API which was causing EAP connections to fail when mbedTLS was enabled. 4. Cleaned some code of crypto_hash_***
This commit is contained in:
Kapil Gupta
parent
db7df70331
commit
951928960b
@ -251,7 +251,7 @@ if(CONFIG_WPA_11R_SUPPORT)
|
||||
endif()
|
||||
if(NOT CONFIG_WPA_MBEDTLS_TLS_CLIENT)
|
||||
target_compile_definitions(${COMPONENT_LIB} PRIVATE CONFIG_TLS_INTERNAL_CLIENT
|
||||
CONFIG_TLSV11 CONFIG_TLSV12 CONFIG_INTERNAL_SHA384 CONFIG_INTERNAL_SHA512 EAP_FAST)
|
||||
CONFIG_TLSV11 CONFIG_TLSV12 EAP_FAST)
|
||||
endif()
|
||||
if(CONFIG_WPA_MBEDTLS_CRYPTO)
|
||||
target_compile_definitions(${COMPONENT_LIB} PRIVATE CONFIG_CRYPTO_MBEDTLS)
|
||||
|
||||
@ -119,14 +119,10 @@ int md4_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac)
|
||||
}
|
||||
#endif
|
||||
|
||||
struct crypto_hash {
|
||||
mbedtls_md_context_t ctx;
|
||||
};
|
||||
|
||||
struct crypto_hash * crypto_hash_init(enum crypto_hash_alg alg, const u8 *key,
|
||||
size_t key_len)
|
||||
{
|
||||
struct crypto_hash *ctx;
|
||||
mbedtls_md_context_t *ctx = NULL;
|
||||
mbedtls_md_type_t md_type;
|
||||
const mbedtls_md_info_t *md_info;
|
||||
int ret;
|
||||
@ -169,53 +165,53 @@ struct crypto_hash * crypto_hash_init(enum crypto_hash_alg alg, const u8 *key,
|
||||
return NULL;
|
||||
}
|
||||
|
||||
mbedtls_md_init(&ctx->ctx);
|
||||
mbedtls_md_init(ctx);
|
||||
md_info = mbedtls_md_info_from_type(md_type);
|
||||
if (!md_info) {
|
||||
goto cleanup;
|
||||
}
|
||||
if (mbedtls_md_setup(&ctx->ctx, md_info, 1) != 0) {
|
||||
goto cleanup;
|
||||
}
|
||||
if (mbedtls_md_hmac_starts(&ctx->ctx, key, key_len) != 0) {
|
||||
if (mbedtls_md_setup(ctx, md_info, is_hmac) != 0) {
|
||||
goto cleanup;
|
||||
}
|
||||
if (is_hmac) {
|
||||
ret = mbedtls_md_hmac_starts(&ctx->ctx, key, key_len);
|
||||
ret = mbedtls_md_hmac_starts(ctx, key, key_len);
|
||||
} else {
|
||||
ret = mbedtls_md_starts(&ctx->ctx);
|
||||
ret = mbedtls_md_starts(ctx);
|
||||
}
|
||||
if (ret < 0) {
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
return ctx;
|
||||
return (struct crypto_hash *)ctx;
|
||||
cleanup:
|
||||
mbedtls_md_free(ctx);
|
||||
os_free(ctx);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
void crypto_hash_update(struct crypto_hash *ctx, const u8 *data, size_t len)
|
||||
void crypto_hash_update(struct crypto_hash *crypto_ctx, const u8 *data, size_t len)
|
||||
{
|
||||
int ret;
|
||||
mbedtls_md_context_t *ctx = (mbedtls_md_context_t *)crypto_ctx;
|
||||
|
||||
if (ctx == NULL) {
|
||||
return;
|
||||
}
|
||||
if (ctx->ctx.MBEDTLS_PRIVATE(hmac_ctx)) {
|
||||
ret = mbedtls_md_hmac_update(&ctx->ctx, data, len);
|
||||
if (ctx->MBEDTLS_PRIVATE(hmac_ctx)) {
|
||||
ret = mbedtls_md_hmac_update(ctx, data, len);
|
||||
} else {
|
||||
ret = mbedtls_md_update(&ctx->ctx, data, len);
|
||||
ret = mbedtls_md_update(ctx, data, len);
|
||||
}
|
||||
if (ret != 0) {
|
||||
wpa_printf(MSG_ERROR, "%s: mbedtls_md_hmac_update failed", __func__);
|
||||
}
|
||||
}
|
||||
|
||||
int crypto_hash_finish(struct crypto_hash *ctx, u8 *mac, size_t *len)
|
||||
int crypto_hash_finish(struct crypto_hash *crypto_ctx, u8 *mac, size_t *len)
|
||||
{
|
||||
int ret = 0;
|
||||
mbedtls_md_type_t md_type;
|
||||
mbedtls_md_context_t *ctx = (mbedtls_md_context_t *)crypto_ctx;
|
||||
|
||||
if (ctx == NULL) {
|
||||
return -2;
|
||||
@ -224,7 +220,7 @@ int crypto_hash_finish(struct crypto_hash *ctx, u8 *mac, size_t *len)
|
||||
if (mac == NULL || len == NULL) {
|
||||
goto err;
|
||||
}
|
||||
md_type = mbedtls_md_get_type(ctx->ctx.MBEDTLS_PRIVATE(md_info));
|
||||
md_type = mbedtls_md_get_type(ctx->MBEDTLS_PRIVATE(md_info));
|
||||
switch(md_type) {
|
||||
case MBEDTLS_MD_MD5:
|
||||
if (*len < MD5_MAC_LEN) {
|
||||
@ -271,14 +267,14 @@ int crypto_hash_finish(struct crypto_hash *ctx, u8 *mac, size_t *len)
|
||||
ret = -1;
|
||||
goto err;
|
||||
}
|
||||
if (ctx->ctx.MBEDTLS_PRIVATE(hmac_ctx)) {
|
||||
ret = mbedtls_md_hmac_finish(&ctx->ctx, mac);
|
||||
if (ctx->MBEDTLS_PRIVATE(hmac_ctx)) {
|
||||
ret = mbedtls_md_hmac_finish(ctx, mac);
|
||||
} else {
|
||||
ret = mbedtls_md_finish(&ctx->ctx, mac);
|
||||
ret = mbedtls_md_finish(ctx, mac);
|
||||
}
|
||||
|
||||
err:
|
||||
mbedtls_md_free(&ctx->ctx);
|
||||
mbedtls_md_free(ctx);
|
||||
bin_clear_free(ctx, sizeof(*ctx));
|
||||
|
||||
return ret;
|
||||
|
||||
@ -483,15 +483,25 @@ struct tlsv1_client * tlsv1_client_init(void)
|
||||
|
||||
count = 0;
|
||||
suites = conn->cipher_suites;
|
||||
#ifdef CONFIG_CRYPTO_MBEDTLS
|
||||
suites[count++] = TLS_DHE_RSA_WITH_AES_256_CBC_SHA256;
|
||||
#endif
|
||||
suites[count++] = TLS_RSA_WITH_AES_256_CBC_SHA256;
|
||||
#ifdef CONFIG_CRYPTO_MBEDTLS
|
||||
suites[count++] = TLS_DHE_RSA_WITH_AES_256_CBC_SHA;
|
||||
#endif
|
||||
suites[count++] = TLS_RSA_WITH_AES_256_CBC_SHA;
|
||||
#ifdef CONFIG_CRYPTO_MBEDTLS
|
||||
suites[count++] = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256;
|
||||
#endif
|
||||
suites[count++] = TLS_RSA_WITH_AES_128_CBC_SHA256;
|
||||
#ifdef CONFIG_CRYPTO_MBEDTLS
|
||||
suites[count++] = TLS_DHE_RSA_WITH_AES_128_CBC_SHA;
|
||||
#endif
|
||||
suites[count++] = TLS_RSA_WITH_AES_128_CBC_SHA;
|
||||
#ifdef CONFIG_CRYPTO_MBEDTLS
|
||||
suites[count++] = TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA;
|
||||
#endif
|
||||
suites[count++] = TLS_RSA_WITH_3DES_EDE_CBC_SHA;
|
||||
suites[count++] = TLS_RSA_WITH_RC4_128_SHA;
|
||||
suites[count++] = TLS_RSA_WITH_RC4_128_MD5;
|
||||
|
||||
@ -126,16 +126,26 @@ u8 * tls_send_client_hello(struct tlsv1_client *conn, size_t *out_len)
|
||||
WPA_PUT_BE16(pos, TLS_EXT_SIGNATURE_ALGORITHMS);
|
||||
pos += 2;
|
||||
/* opaque extension_data<0..2^16-1> length */
|
||||
#ifdef CONFIG_CRYPTO_MBEDTLS
|
||||
WPA_PUT_BE16(pos, 8);
|
||||
#else
|
||||
WPA_PUT_BE16(pos, 4);
|
||||
#endif
|
||||
pos += 2;
|
||||
/* supported_signature_algorithms<2..2^16-2> length */
|
||||
#ifdef CONFIG_CRYPTO_MBEDTLS
|
||||
WPA_PUT_BE16(pos, 6);
|
||||
#else
|
||||
WPA_PUT_BE16(pos, 2);
|
||||
#endif
|
||||
pos += 2;
|
||||
/* supported_signature_algorithms */
|
||||
#ifdef CONFIG_CRYPTO_MBEDTLS
|
||||
*pos++ = TLS_HASH_ALG_SHA512;
|
||||
*pos++ = TLS_SIGN_ALG_RSA;
|
||||
*pos++ = TLS_HASH_ALG_SHA384;
|
||||
*pos++ = TLS_SIGN_ALG_RSA;
|
||||
#endif
|
||||
*pos++ = TLS_HASH_ALG_SHA256;
|
||||
*pos++ = TLS_SIGN_ALG_RSA;
|
||||
}
|
||||
|
||||
@ -350,6 +350,7 @@ int tlsv12_key_x_server_params_hash(u16 tls_version, u8 hash_alg,
|
||||
alg = CRYPTO_HASH_ALG_SHA256;
|
||||
hlen = SHA256_MAC_LEN;
|
||||
break;
|
||||
#ifdef CONFIG_CRYPTO_MBEDTLS
|
||||
case TLS_HASH_ALG_SHA384:
|
||||
alg = CRYPTO_HASH_ALG_SHA384;
|
||||
hlen = 48;
|
||||
@ -358,6 +359,7 @@ int tlsv12_key_x_server_params_hash(u16 tls_version, u8 hash_alg,
|
||||
alg = CRYPTO_HASH_ALG_SHA512;
|
||||
hlen = 64;
|
||||
break;
|
||||
#endif
|
||||
default:
|
||||
return -1;
|
||||
}
|
||||
|
||||
Loading…
Reference in New Issue
Block a user