feat(wpa_supplicant): Add TLS v1.3 support for WiFi enterprise

* Add TLS v1.3 support for following EAP methods:
  - EAP-TLS  (RFC 9190)
  - EAP-PEAP (RFC 9427)
  - EAP-TTLS (RFC 9427)
* Add mbedtls porting for TLS v1.3 exporter (RFC 8446 Section 7.5)
* Add new Kconfig flag to enable TLS v1.3 for EAP methods
* Advertise TLS v1.3 signature algorithms if TLS 1.3 is enabled for EAP
  methods
* Advertise TLS v1.3 cipher suites if CONFIG_ESP_WIFI_EAP_TLS1_3 enabled
* Add support for the Ack of the protected success indication
  (workaround for EAP-TLS 1.3 and 1.2 compatibility)
Sarvesh Bodakhe 2023-11-11 13:39:31 +05:30
parent b3e4aae7bb
commit ec09cdf885
6 changed files with 309 additions and 23 deletions


@ -493,6 +493,20 @@ menu "Wi-Fi"
TLS-v1.0, TLS-v1.1 versions. Incase your server is using one of these version,
it is advisable to update your server.
Please disable this option for compatibilty with older TLS versions.
config ESP_WIFI_EAP_TLS1_3
bool "Enable EAP-TLS v1.3 Support for WiFi Enterprise connection"
default n
select MBEDTLS_SSL_PROTO_TLS1_3
depends on ESP_WIFI_MBEDTLS_TLS_CLIENT
help
Select this option to support EAP with TLS v1.3.
This configuration still supports compatibility with EAP-TLS v1.2.
Please note that enabling this configuration will cause every application which
uses TLS go for TLS1.3 if server supports that. TLS1.3 is still in development in mbedtls
and there may be interoperability issues with this. Please modify your application to set
max version as TLS1.2 if you want to enable TLS1.3 only for WiFi connection.
endif
config ESP_WIFI_WAPI_PSK


@ -304,6 +304,9 @@ endif()
if(CONFIG_ESP_WIFI_ENABLE_WPA3_OWE_STA)
target_compile_definitions(${COMPONENT_LIB} PRIVATE CONFIG_OWE_STA)
endif()
if(CONFIG_ESP_WIFI_EAP_TLS1_3)
target_compile_definitions(${COMPONENT_LIB} PRIVATE CONFIG_TLSV13)
endif()
set_property(TARGET ${COMPONENT_LIB} APPEND PROPERTY LINK_INTERFACE_MULTIPLICITY 3)
target_compile_options(${COMPONENT_LIB} PRIVATE "-Wno-format")


@ -37,10 +37,21 @@
#include "mbedtls/platform.h"
#include "eap_peer/eap.h"
#ifdef CONFIG_TLSV13
#include "psa/crypto.h"
#include "md_psa.h"
#include "ssl_tls13_keys.h"
#define PSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \
psa_to_ssl_errors, \
psa_generic_status_to_mbedtls)
#endif /* CONFIG_TLSV13 */
#define TLS_RANDOM_LEN 32
#define TLS_HASH_MAX_SIZE 64
#define TLS_MASTER_SECRET_LEN 48
#define MAX_CIPHERSUITE 32
#define MAX_EXPORTER_CONTEXT_LEN 65535
@ -82,8 +93,10 @@ struct tls_connection {
struct tls_data tls_io_data;
unsigned char master_secret[TLS_MASTER_SECRET_LEN];
unsigned char randbytes[2 * TLS_RANDOM_LEN];
mbedtls_tls_prf_types tls_prf_type;
mbedtls_md_type_t mac;
mbedtls_tls_prf_types tls_prf_type;
#ifdef CONFIG_TLSV13
unsigned char exporter_master_secret[TLS_HASH_MAX_SIZE];
#endif /* CONFIG_TLSV13 */
};
static void tls_mbedtls_cleanup(tls_context_t *tls)
@ -201,6 +214,43 @@ static int set_ca_cert(tls_context_t *tls, const unsigned char *cacert, size_t c
#ifdef CONFIG_SUITEB192
static uint16_t tls_sig_algs_for_suiteb[] = {
#ifdef CONFIG_TLSV13
#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) && \
defined(MBEDTLS_MD_CAN_SHA384) && \
defined(PSA_WANT_ECC_SECP_R1_384)
MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384,
// == MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA384)
#endif
#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) && \
defined(MBEDTLS_MD_CAN_SHA512) && \
defined(PSA_WANT_ECC_SECP_R1_521)
MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512,
// == MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA512)
#endif
#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && \
defined(MBEDTLS_MD_CAN_SHA512)
MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512,
#endif \
/* MBEDTLS_X509_RSASSA_PSS_SUPPORT && MBEDTLS_MD_CAN_SHA512 */
#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && \
defined(MBEDTLS_MD_CAN_SHA384)
MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384,
#endif \
/* MBEDTLS_X509_RSASSA_PSS_SUPPORT && MBEDTLS_MD_CAN_SHA384 */
#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_MD_CAN_SHA512)
MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512,
#endif /* MBEDTLS_RSA_C && MBEDTLS_MD_CAN_SHA512 */
#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_MD_CAN_SHA384)
MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384,
#endif /* MBEDTLS_RSA_C && MBEDTLS_MD_CAN_SHA384 */
#endif /* CONFIG_TLSV13 */
#if defined(MBEDTLS_SHA512_C)
#if defined(MBEDTLS_ECDSA_C)
MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG( MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA512 ),
@ -235,6 +285,60 @@ static void tls_set_suiteb_config(tls_context_t *tls)
#endif
static uint16_t tls_sig_algs_for_eap[] = {
#ifdef CONFIG_TLSV13
#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) && \
defined(MBEDTLS_MD_CAN_SHA256) && \
defined(PSA_WANT_ECC_SECP_R1_256)
MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256,
// == MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA256)
#endif
#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) && \
defined(MBEDTLS_MD_CAN_SHA384) && \
defined(PSA_WANT_ECC_SECP_R1_384)
MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384,
// == MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA384)
#endif
#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) && \
defined(MBEDTLS_MD_CAN_SHA512) && \
defined(PSA_WANT_ECC_SECP_R1_521)
MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512,
// == MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA512)
#endif
#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && \
defined(MBEDTLS_MD_CAN_SHA512)
MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512,
#endif \
/* MBEDTLS_X509_RSASSA_PSS_SUPPORT && MBEDTLS_MD_CAN_SHA512 */
#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && \
defined(MBEDTLS_MD_CAN_SHA384)
MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384,
#endif \
/* MBEDTLS_X509_RSASSA_PSS_SUPPORT && MBEDTLS_MD_CAN_SHA384 */
#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && \
defined(MBEDTLS_MD_CAN_SHA256)
MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256,
#endif \
/* MBEDTLS_X509_RSASSA_PSS_SUPPORT && MBEDTLS_MD_CAN_SHA256 */
#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_MD_CAN_SHA512)
MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512,
#endif /* MBEDTLS_RSA_C && MBEDTLS_MD_CAN_SHA512 */
#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_MD_CAN_SHA384)
MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384,
#endif /* MBEDTLS_RSA_C && MBEDTLS_MD_CAN_SHA384 */
#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_MD_CAN_SHA256)
MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256,
#endif /* MBEDTLS_RSA_C && MBEDTLS_MD_CAN_SHA256 */
#endif /* CONFIG_TLSV13 */
#if defined(MBEDTLS_SHA512_C)
#if defined(MBEDTLS_ECDSA_C)
MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG( MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA512 ),
@ -300,8 +404,20 @@ static int tls_disable_key_usages(void *data, mbedtls_x509_crt *cert, int depth,
}
#endif /*CONFIG_ESP_WIFI_DISABLE_KEY_USAGE_CHECK*/
#if defined(CONFIG_ESP_WIFI_EAP_TLS1_3)
#define TLS1_3_CIPHER_SUITES \
MBEDTLS_TLS1_3_CHACHA20_POLY1305_SHA256, \
MBEDTLS_TLS1_3_AES_256_GCM_SHA384, \
MBEDTLS_TLS1_3_AES_128_GCM_SHA256, \
MBEDTLS_TLS1_3_AES_128_CCM_8_SHA256, \
MBEDTLS_TLS1_3_AES_128_CCM_SHA256
#endif /* CONFIG_ESP_WIFI_EAP_TLS1_3 */
static const int eap_ciphersuite_preference[] =
{
#if defined(CONFIG_ESP_WIFI_EAP_TLS1_3)
TLS1_3_CIPHER_SUITES,
#endif /* CONFIG_ESP_WIFI_EAP_TLS1_3 */
#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
#if defined(MBEDTLS_CCM_C)
MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CCM,
@ -417,6 +533,9 @@ static const int eap_ciphersuite_preference[] =
#ifdef CONFIG_SUITEB192
static const int suiteb_rsa_ciphersuite_preference[] =
{
#if defined(CONFIG_ESP_WIFI_EAP_TLS1_3)
TLS1_3_CIPHER_SUITES,
#endif /* CONFIG_ESP_WIFI_EAP_TLS1_3 */
#if defined(MBEDTLS_GCM_C)
#if defined(MBEDTLS_SHA512_C)
MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
@ -428,6 +547,9 @@ static const int suiteb_rsa_ciphersuite_preference[] =
static const int suiteb_ecc_ciphersuite_preference[] =
{
#if defined(CONFIG_ESP_WIFI_EAP_TLS1_3)
TLS1_3_CIPHER_SUITES,
#endif /* CONFIG_ESP_WIFI_EAP_TLS1_3 */
#if defined(MBEDTLS_GCM_C)
#if defined(MBEDTLS_SHA512_C)
MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
@ -437,6 +559,9 @@ static const int suiteb_ecc_ciphersuite_preference[] =
};
static const int suiteb_ciphersuite_preference[] =
{
#if defined(CONFIG_ESP_WIFI_EAP_TLS1_3)
TLS1_3_CIPHER_SUITES,
#endif /* CONFIG_ESP_WIFI_EAP_TLS1_3 */
#if defined(MBEDTLS_GCM_C)
#if defined(MBEDTLS_SHA512_C)
MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
@ -469,12 +594,23 @@ static void tls_set_ciphersuite(const struct tls_connection_params *cfg, tls_con
}
} else
#endif
#ifdef CONFIG_TLSV13
/* Enable TLS1.3 ciphers if TLS1.3 is enabled */
mbedtls_ssl_conf_ciphersuites(&tls->conf, eap_ciphersuite_preference);
#else
/* Set cipher suites if User has explicitly set those
* TODO: public API to set EAP ciphers */
if (tls->ciphersuite[0]) {
mbedtls_ssl_conf_ciphersuites(&tls->conf, tls->ciphersuite);
} else if (mbedtls_pk_get_bitlen(&tls->clientkey) > 2048 ||
(tls->cacert_ptr && mbedtls_pk_get_bitlen(&tls->cacert_ptr->pk) > 2048)) {
/* Incase of big RSA keylen, ESP chips do not have sufficient processing
* power to use high computation ciphers. This code will limit the ciphers
* to less computational ones */
mbedtls_ssl_conf_ciphersuites(&tls->conf, eap_ciphersuite_preference);
}
#endif /* CONFIG_TLSV13 */
}
static int set_client_config(const struct tls_connection_params *cfg, tls_context_t *tls)
@ -548,6 +684,22 @@ static int set_client_config(const struct tls_connection_params *cfg, tls_contex
return 0;
}
#ifdef CONFIG_TLSV13
static void tls13_extract_exporter_master_secret(struct tls_connection *conn)
{
mbedtls_ssl_context *ssl = &conn->tls->ssl;
const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->handshake->ciphersuite_info;
psa_algorithm_t hash_alg = mbedtls_md_psa_alg_from_type(ciphersuite_info->mac);
size_t hash_len = PSA_HASH_LENGTH(hash_alg);
assert(hash_len != 0);
mbedtls_ssl_tls13_application_secrets *app_secrets =
&ssl->session_negotiate->app_secrets;
os_memcpy(conn->exporter_master_secret, app_secrets->exporter_master_secret, hash_len);
}
#endif /* CONFIG_TLSV13 */
static void tls_key_derivation(void *ctx,
mbedtls_ssl_key_export_type secret_type,
const unsigned char *secret,
@ -562,6 +714,12 @@ static void tls_key_derivation(void *ctx,
os_memcpy(conn->randbytes, client_random, TLS_RANDOM_LEN);
os_memcpy(conn->randbytes + 32, server_random, TLS_RANDOM_LEN);
conn->tls_prf_type = tls_prf_type;
#ifdef CONFIG_TLSV13
if (secret_type == MBEDTLS_SSL_KEY_EXPORT_TLS1_3_SERVER_APPLICATION_TRAFFIC_SECRET) {
tls13_extract_exporter_master_secret(conn);
}
#endif /* CONFIG_TLSV13 */
}
static int tls_create_mbedtls_handle(struct tls_connection *conn,
@ -593,6 +751,12 @@ static int tls_create_mbedtls_handle(struct tls_connection *conn,
mbedtls_ssl_conf_rng(&tls->conf, mbedtls_ctr_drbg_random, &tls->ctr_drbg);
#if defined(CONFIG_MBEDTLS_SSL_PROTO_TLS1_3) && !defined(CONFIG_TLSV13)
/* Disable TLSv1.3 even when enabled in MbedTLS and not enabled in WiFi config.
* TODO: Remove Kconfig option for TLSv1.3 when it is matured enough */
mbedtls_ssl_conf_max_tls_version(&tls->conf, MBEDTLS_SSL_VERSION_TLS1_2);
#endif /* CONFIG_MBEDTLS_SSL_PROTO_TLS1_3 && !CONFIG_TLSV13 */
ret = mbedtls_ssl_setup(&tls->ssl, &tls->conf);
if (ret != 0) {
wpa_printf(MSG_ERROR, "mbedtls_ssl_setup returned -0x%x", -ret);
@ -749,17 +913,8 @@ struct wpabuf * tls_connection_handshake(void *tls_ctx,
/* Multiple reads */
while (!mbedtls_ssl_is_handshake_over(&tls->ssl)) {
cli_state = tls->ssl.MBEDTLS_PRIVATE(state);
if (cli_state == MBEDTLS_SSL_CLIENT_CERTIFICATE) {
/* Read random data before session completes, not present after handshake */
if (tls->ssl.MBEDTLS_PRIVATE(handshake)) {
os_memcpy(conn->randbytes, tls->ssl.MBEDTLS_PRIVATE(handshake)->randbytes,
TLS_RANDOM_LEN * 2);
conn->mac = tls->ssl.MBEDTLS_PRIVATE(handshake)->ciphersuite_info->mac;
}
}
ret = mbedtls_ssl_handshake_step(&tls->ssl);
if (ret < 0) {
if (ret < 0)
break;
}
#ifdef CONFIG_ESP_WIFI_ENT_FREE_DYNAMIC_BUFFER
@ -782,7 +937,28 @@ struct wpabuf * tls_connection_handshake(void *tls_ctx,
if (!conn->tls_io_data.out_data) {
wpa_printf(MSG_INFO, "application data is null, adding one byte for ack");
u8 *dummy = os_zalloc(1);
if (dummy == NULL) {
wpa_printf(MSG_INFO, "%s: memory allocation failure. line:%d", __func__, __LINE__);
goto end;
}
#ifdef CONFIG_TLSV13
if (mbedtls_ssl_get_version_number(&conn->tls->ssl) == MBEDTLS_SSL_VERSION_TLS1_3) {
*appl_data = wpabuf_alloc_ext_data(dummy, 1);
if (appl_data == NULL) {
wpa_printf(MSG_INFO, "%s: memory allocation failure. line:%d", __func__, __LINE__);
os_free(dummy);
goto end;
}
return NULL;
}
#endif /* CONFIG_TLSV13 */
conn->tls_io_data.out_data = wpabuf_alloc_ext_data(dummy, 0);
if (conn->tls_io_data.out_data == NULL) {
wpa_printf(MSG_INFO, "%s: memory allocation failure. line:%d", __func__, __LINE__);
os_free(dummy);
goto end;
}
}
end:
@ -1006,25 +1182,26 @@ static int tls_connection_prf(void *tls_ctx, struct tls_connection *conn,
size_t seed_len = 2 * TLS_RANDOM_LEN;
mbedtls_ssl_context *ssl = &conn->tls->ssl;
if (context_len > 65535)
if (context_len > MAX_EXPORTER_CONTEXT_LEN) {
return -1;
}
if (context)
if (context) {
// The magic value 2 represents the memory required to store the context length.
seed_len += 2 + context_len;
seed = os_malloc(seed_len);
if (!seed) {
return -1;
}
if (!ssl) {
wpa_printf(MSG_ERROR, "TLS: %s, session ingo is null", __func__);
os_free(seed);
return -1;
}
if (!mbedtls_ssl_is_handshake_over(ssl)) {
wpa_printf(MSG_ERROR, "TLS: %s, incorrect tls state=%d", __func__, ssl->MBEDTLS_PRIVATE(state));
os_free(seed);
return -1;
}
seed = os_malloc(seed_len);
if (!seed) {
return -1;
}
@ -1046,7 +1223,7 @@ static int tls_connection_prf(void *tls_ctx, struct tls_connection *conn,
wpa_hexdump_key(MSG_MSGDUMP, "master", ssl->MBEDTLS_PRIVATE(session)->MBEDTLS_PRIVATE(master), TLS_MASTER_SECRET_LEN);
ret = mbedtls_ssl_tls_prf(conn->tls_prf_type, conn->master_secret, TLS_MASTER_SECRET_LEN,
label, seed, 2 * TLS_RANDOM_LEN, out, out_len);
label, seed, seed_len, out, out_len);
os_free(seed);
if (ret < 0) {
@ -1058,11 +1235,72 @@ static int tls_connection_prf(void *tls_ctx, struct tls_connection *conn,
return ret;
}
#ifdef CONFIG_TLSV13
/* RFC 8446 Section 7.5 */
static int tls13_connection_export_key(void *tls_ctx, struct tls_connection *conn,
const char *label, const u8 *context,
size_t context_len, u8 *out, size_t out_len)
{
int ret;
mbedtls_ssl_context *ssl = &conn->tls->ssl;
psa_algorithm_t hash_alg;
size_t hash_len;
unsigned char tmp_secret[PSA_MAC_MAX_SIZE] = { 0 };
unsigned char hashed_context[PSA_HASH_MAX_SIZE] = { 0 };
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->handshake->ciphersuite_info;
hash_alg = mbedtls_md_psa_alg_from_type(ciphersuite_info->mac);
hash_len = PSA_HASH_LENGTH(hash_alg);
ret = mbedtls_ssl_tls13_derive_secret(hash_alg,
conn->exporter_master_secret, hash_len,
(unsigned char const *) label, (size_t) strlen(label),
NULL, 0,
MBEDTLS_SSL_TLS1_3_CONTEXT_UNHASHED,
tmp_secret, hash_len);
if (ret != 0) {
wpa_printf(MSG_ERROR, "%s(): mbedtls_ssl_tls13_derive_secret() failed",
__func__);
return ret;
}
status = psa_hash_compute(hash_alg, context, context_len, hashed_context,
PSA_HASH_LENGTH(hash_alg), &context_len);
if (status != PSA_SUCCESS) {
wpa_printf(MSG_ERROR, "%s(): psa_hash_compute() failed",
__func__);
ret = PSA_TO_MBEDTLS_ERR(status);
return ret;
}
ret = mbedtls_ssl_tls13_hkdf_expand_label(hash_alg,
tmp_secret, hash_len,
MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(exporter),
hashed_context, context_len,
out, out_len);
if (ret != 0) {
wpa_printf(MSG_ERROR, "%s(): psa_hash_compute() failed",
__func__);
return ret;
}
return 0;
}
#endif /* CONFIG_TLSV13 */
int tls_connection_export_key(void *tls_ctx, struct tls_connection *conn,
const char *label, const u8 *context,
size_t context_len, u8 *out, size_t out_len)
{
return tls_connection_prf(tls_ctx, conn, label,context, context_len,
#ifdef CONFIG_TLSV13
if (mbedtls_ssl_get_version_number(&conn->tls->ssl) == MBEDTLS_SSL_VERSION_TLS1_3)
return tls13_connection_export_key(tls_ctx, conn, label, context, context_len,
out, out_len);
#endif /* CONFIG_TLSV13 */
return tls_connection_prf(tls_ctx, conn, label, context, context_len,
0, out, out_len);
}
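Review bot: `tls13_connection_export_key` reads `ssl->handshake->ciphersuite_info`, but it is reached from `tls_connection_export_key` after the handshake has finished, and the comment this commit removes from `tls_connection_handshake` ("not present after handshake") indicates mbedTLS has freed `ssl->handshake` by then, so this looks like a NULL dereference unless the ESP mbedTLS build keeps the handshake params alive — please confirm. The hash type is already available during the handshake in `tls13_extract_exporter_master_secret`, which could store it in the existing `conn->mac` field for the exporter to use; the derived `tmp_secret` should also be wiped before returning, and the error message after `mbedtls_ssl_tls13_hkdf_expand_label()` names `psa_hash_compute()`. In `tls_connection_handshake`, the added check `if (appl_data == NULL)` tests the out-parameter rather than the buffer just allocated and should be `if (*appl_data == NULL)`. The new code also reads private members directly (`ssl->handshake`, `ssl->session_negotiate`) while the surrounding file uses `MBEDTLS_PRIVATE(...)`; one convention should be kept.
```c
static void tls13_extract_exporter_master_secret(struct tls_connection *conn)
{
    /* … unchanged: ciphersuite_info / hash_len lookup … */
    /* Keep the hash type: ssl->handshake is gone once the handshake is over */
    conn->mac = ciphersuite_info->mac;
    os_memcpy(conn->exporter_master_secret, app_secrets->exporter_master_secret, hash_len);
}

static int tls13_connection_export_key(void *tls_ctx, struct tls_connection *conn,
                                       const char *label, const u8 *context,
                                       size_t context_len, u8 *out, size_t out_len)
{
    int ret;
    psa_algorithm_t hash_alg = mbedtls_md_psa_alg_from_type(conn->mac);
    size_t hash_len = PSA_HASH_LENGTH(hash_alg);
    unsigned char tmp_secret[PSA_MAC_MAX_SIZE] = { 0 };
    unsigned char hashed_context[PSA_HASH_MAX_SIZE] = { 0 };
    psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;

    if (hash_len == 0) {
        return -1;
    }
    /* … unchanged: mbedtls_ssl_tls13_derive_secret() into tmp_secret … */
    if (ret != 0) {
        wpa_printf(MSG_ERROR, "%s(): mbedtls_ssl_tls13_derive_secret() failed", __func__);
        goto out;
    }
    /* … unchanged: psa_hash_compute() of context into hashed_context … */
    if (status != PSA_SUCCESS) {
        wpa_printf(MSG_ERROR, "%s(): psa_hash_compute() failed", __func__);
        ret = PSA_TO_MBEDTLS_ERR(status);
        goto out;
    }
    /* … unchanged: mbedtls_ssl_tls13_hkdf_expand_label() into out … */
    if (ret != 0) {
        wpa_printf(MSG_ERROR, "%s(): mbedtls_ssl_tls13_hkdf_expand_label() failed", __func__);
    }
out:
    /* Intermediate exporter secret must not outlive the call */
    mbedtls_platform_zeroize(tmp_secret, sizeof(tmp_secret));
    return ret;
}
```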


@ -18,6 +18,10 @@
#include "eap_peer/eap_config.h"
#include "eap_peer/eap_methods.h"
#ifdef CONFIG_TLSV13
#include "psa/crypto.h"
#endif /* CONFIG_TLSV13 */
/* Maximum supported PEAP version
* 0 = Microsoft's PEAP version 0; draft-kamath-pppext-peapv0-00.txt
* 1 = draft-josefsson-ppext-eap-tls-eap-05.txt
@ -160,6 +164,13 @@ eap_peap_init(struct eap_sm *sm)
{
struct eap_peap_data *data;
struct eap_peer_config *config = eap_get_config(sm);
#ifdef CONFIG_TLSV13
psa_status_t status = psa_crypto_init();
if (status != PSA_SUCCESS) {
wpa_printf(MSG_ERROR, "EAP-PEAP: Failed to initialize PSA crypto, returned %d", (int) status);
return NULL;
}
#endif /* CONFIG_TLSV13 */
data = (struct eap_peap_data *)os_zalloc(sizeof(*data));
if (data == NULL)
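Review bot: The `psa_crypto_init()` block added to `eap_peap_init` is repeated verbatim in `eap_tls_init` and `eap_ttls_init` in the next two files, differing only in the method name in the log message. The need for PSA comes from the mbedTLS-specific exporter in tls_mbedtls.c, not from the EAP methods, so a single call in the TLS wrapper (for example before `mbedtls_ssl_setup` in `tls_create_mbedtls_handle`) would cover every method that uses TLS and keep the EAP code free of mbedTLS/PSA includes. If it stays here, a comment such as `/* PSA must be initialised before the TLS 1.3 exporter can hash and derive keys */` would explain why an EAP method initialises a crypto backend. `eap_peap_init` continues past the hunk.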


@ -16,6 +16,10 @@
#include "eap_peer/eap_config.h"
#include "eap_peer/eap_methods.h"
#ifdef CONFIG_TLSV13
#include "psa/crypto.h"
#endif /* CONFIG_TLSV13 */
static void eap_tls_deinit(struct eap_sm *sm, void *priv);
@ -36,7 +40,13 @@ static void * eap_tls_init(struct eap_sm *sm)
{
struct eap_tls_data *data;
struct eap_peer_config *config = eap_get_config(sm);
#ifdef CONFIG_TLSV13
psa_status_t status = psa_crypto_init();
if (status != PSA_SUCCESS) {
wpa_printf(MSG_ERROR, "EAP-TLS: Failed to initialize PSA crypto, returned %d", (int) status);
return NULL;
}
#endif /* CONFIG_TLSV13 */
if (config == NULL ||
config->private_key == 0) {
wpa_printf(MSG_INFO, "EAP-TLS: Private key not configured");


@ -22,6 +22,9 @@
#include "eap_peer/eap_config.h"
#include "eap_peer/eap_methods.h"
#ifdef CONFIG_TLSV13
#include "psa/crypto.h"
#endif /* CONFIG_TLSV13 */
#define EAP_TTLS_VERSION 0
@ -72,6 +75,13 @@ static void * eap_ttls_init(struct eap_sm *sm)
{
struct eap_ttls_data *data;
struct eap_peer_config *config = eap_get_config(sm);
#ifdef CONFIG_TLSV13
psa_status_t status = psa_crypto_init();
if (status != PSA_SUCCESS) {
wpa_printf(MSG_ERROR, "EAP-TTLS: Failed to initialize PSA crypto, returned %d", (int) status);
return NULL;
}
#endif /* CONFIG_TLSV13 */
data = (struct eap_ttls_data *)os_zalloc(sizeof(*data));
if (data == NULL)