Commit Graph

100 Commits

Author SHA1 Message Date
Nachiket Kukade
2db6b1578e esp_wifi: Update wifi lib
1. Use flag ESP32_WIFI_ENABLE_WPA3_SAE to control WPA3 code, disabling
   it code footprint reduces by 7.7kB in libwpa_supplicant.a
2. Fix handling of multiple AP credentials in WPS, apps need update
   to handle the new event for the fix to work
2020-12-01 19:28:56 +08:00
kapil.gupta
280a342826 esp_wifi: Add support for 802.1x sha256 auth key mode
Closes https://github.com/espressif/esp-idf/issues/5805
2020-12-01 14:47:30 +08:00
Hrudaynath Dhabe
7b4a2560a6 wpa_supplicant: Minor bugfix with wpa_supplicant debug logs. 2020-11-27 15:42:41 +08:00
Hrudaynath Dhabe
395fa980d8 wpa_supplicant: Fix configurable debug log feature's warning issue 2020-11-27 15:41:55 +08:00
GOPTIONS\pfrost
e5b52ae423 Reduce log level of hexdumps to verbose
Revert "Reduce log level of hexdumps to verbose"

Add a menuconfig option to enable or disable the logging in wpa_supplicant

Clarify help message
2020-11-27 15:41:34 +08:00
kapil.gupta
dae98ddff7 wpa_supplicant: Replace internal RSA APIs by mbedtls APIs
Curretly wpa_supplicant uses internal APIs for RSA operations
which internally uses lots of big num operations.

Big num operations are CPU expensive and can take a lot of time
which can cause watchdog timer to tigger.

This can be optimize by using mbedtls APIs which uses
hardware blocks for big num operations.

To fix this, write new crypto_mbedtls-rsa.c which has APIs
similar to crypto_internal-rsa.c but uses mbedtls APIs.
2020-11-27 15:22:51 +08:00
kapil.gupta
31b6b885e6 wpa_supplicant: Fix IOT issue with latest freeradius
Fix inter operability issue with freeradius version 3.0.21
and openssl 1.1.1f when internal tls client is used which
requires extension elements in client hello.

closes https://github.com/espressif/esp-idf/issues/5273
closes https://github.com/espressif/esp-idf/issues/5627
2020-11-20 08:02:28 +00:00
kapil.gupta
c384d61e53 wpa_supplicant: Fix invalid pointer deference and memleak
Add following changes as part of this:

1. EAP client will crash during validation of key size when CA
certs and keys not present. Add changes to validate it first.
2. Free memory allocated in TLS context
2020-11-20 08:02:28 +00:00
kapil.gupta
0263a182fc wpa_supplicant: Support for mbedtls tls handshake
Add support for mbedtls based tls handshake, this removes
dependency from internal implementation of EAP client.
2020-11-20 08:02:28 +00:00
Nachiket Kukade
511d3b05cd wpa_supplicant: Increase PMK Lifetime to a very high value
For WPA3 connection nearing PMK lifetime expiry, PMK Cache
needs a re-authentication or the cache will expire. After
current expiry of 12 hours Station ends up sending a deauth
to the AP. An SAE re-authentication also cannot occur without
a disconnection with current implementation. So increase the
PMK lifetime to 100 days for now.
2020-11-20 03:46:08 +00:00
Angus Gratton
1d224db575 wpa_supplicant: Fix failure to link under some circumstances
Depending on CMake internals, the wpa_supplicant library may need to be repeated
multiple times in the linker command line.

Closes https://github.com/espressif/esp-idf/issues/5641
2020-10-26 15:13:12 +11:00
Nachiket Kukade
0016d20946 esp_wifi: Update wifi lib
1. Add STA checks during STA PMF operations
2. Fix WPA2-Ent issue with Open AP
3. Skip WPA-TKIP profile if PMF is required
4. Skip & clear Supplicant PMK Cache for mismatching AP config
2020-10-10 10:10:11 +00:00
Nachiket Kukade
4d8ba4b4de espnow/pmf: Implement ESPNOW + PMF Co-existance
H/W decryption of Mgmt frames was disabled for PMF and done through
S/W. If ESPNOW packets go through this path, it affects backward
compatibility since method of decrypting Mgmt packets is different in H/W.

To address PMF + ESPNOW Co-existance, CCMP decryption method is modified
for ESPNOW packets so that they can be decrypted correctly. Since Tx
of ESPNOW packets can still be done in H/W alongside PMF, no change
required in encryption method in S/W.

Co-Authored-By: Nachiket Kukade <nachiket.kukade@espressif.com>
Co-Authored-By: zhangyanjiao <zhangyanjiao@espressif.com>
Co-Authored-By: kapil.gupta <kapil.gupta@espressif.com>
2020-09-02 15:02:45 +05:30
kapil.gupta
98d525c1ea wpa_supplicant: Deinit wpa2 states in wifi deinit 2020-08-20 15:09:55 +05:30
ronghulin
4e7d7426aa bugfix: fix softap mode wpa memory leak 2020-07-29 14:17:12 +08:00
Nachiket Kukade
e9a07592fc wpa_supplicant: Fix WPA3 and WPA2 transition related failures
1. If Device is connected to AP in WPA3-PSK mode, AP switching
security to WPA2-PSK causes connection failures even after reset.
Fix is to not store WPA3's PMK in NVS for caching.

2. AP switching back to WPA3 causes even more connection failures.
This is due to device not clearing Supplicant level PMK Cache when
it is no longer valid. Fix is to clear the Cache when 4-way handshake
fails and to check Key Mgmt of Cache before using.

3. When AP switches from WPA3 to WPA2, device's PMF config in
Supplicant remains enabled. This may cause failures during
4-way handshake. So clear PMF config in when PMF is no longer used.
2020-07-15 13:40:03 +00:00
Jiang Jiang Jian
1ad7e276d9 Merge branch 'workaround/wps_iot_fixes_v4.0' into 'release/v4.0'
wpa_supplicant: WPS Inter operatability Fixes( backport v4.0)

See merge request espressif/esp-idf!8951
2020-06-05 13:50:27 +08:00
Angus Gratton
84d6d48fe0 wpa_supplicant: Allow building with mbedTLS integration but no hardware MPI
Closes https://github.com/espressif/esp-idf/issues/5321
2020-06-04 18:32:58 +10:00
kapil.gupta
9746fa569c wpa_supplicant: WPS Inter operatability Fixes
Add WPS IOT fixes under config option

Current fixes under this flag.
1. Allow NULL-padded WPS attributes.
2. Bypass WPS-Config method validation
2020-06-03 13:33:49 +00:00
Nachiket Kukade
40385ea454 wpa_supplicant: Allow NULL-padded WPS attributes
Some AP's keep NULL-padding at the end of some variable length WPS
Attributes. This is not as par the WPS2.0 specs, but to avoid interop
issues, ignore the padding by reducing the attribute length by 1.
2020-06-03 13:33:49 +00:00
Jiang Jiang Jian
5c2ed3af0e Merge branch 'bugfix/fix_memleak_in_wpa3_feature_v4.0' into 'release/v4.0'
fix(wpa_supplicant): fix memleak in wpa3 feature (backport v4.0)

See merge request espressif/esp-idf!8655
2020-05-29 11:14:36 +08:00
Nachiket Kukade
db5f01429f wpa_supplicant: Fix memory leaks in WPA3 connection
1. Buffers for SAE messages are not freed after the handshake.
   This causes memory leak, free buffers after SAE handshake.
2. SAE global data is not freed until the next WPA3 connection
   takes place, holding up heap space without reason. Free theis
   data after SAE handshake is complete or event fails.
3. Update wifi lib which includes memory leak fix during BIP
   encryption/decryption operations.
2020-05-13 20:45:34 +05:30
Nachiket Kukade
b938846de6 wpa_supplicant: Fix formatting of file esp_wpa3.c
Replace tabs with spaces in esp_wpa3.c.
2020-05-13 20:35:56 +05:30
Jiang Jiang Jian
6a6de506b1 Merge branch 'bugfix/supplicant_general_fixes_40' into 'release/v4.0'
wpa_supplicant: Fix some memleaks and invalid memory access (backport v4.0)

See merge request espressif/esp-idf!8553
2020-05-12 20:17:51 +08:00
kapil.gupta
398dc28a4e wpa_supplicant: Add parsing support for WEP40 key
WEP key is passed as ascii key without "", add parsing support
in supplicant for this.
2020-05-11 11:23:10 +05:30
Zhang Jun Hao
a87df25d9e fix(wpa_supplicant): fix memleak in wpa3 feature 2020-05-08 16:25:38 +08:00
kapil.gupta
4242519894 wpa_supplicant: Fix some memleaks and invalid memory access
Add changes to fix issues reported in clang analyzer
2020-05-06 11:06:51 +00:00
Nachiket Kukade
4557c686b8 wpa_supplicant: Fix EAP Re-authentication issue
EAP reauth frames are dropped at various stages due to current
implementation of WPA2 ENT states and EAP SM init/deinit logic.
Route EAPOL frames based on EAP pkt type and maintain EAP SM
to facilitate EAP re-authentication process.
2020-05-06 10:21:45 +05:30
Nachiket Kukade
bc7a34b494 wpa_supplicant: Disable TLSv1.2 by default
Some Enterprise Authentication Servers do not support TLS v1.2.
Move this option to Menuconfig and disable by default.
2020-05-06 10:21:25 +05:30
Nachiket Kukade
ab81940982 esp_wifi: Additional changes for WPA3 & PMF testcases
Added WPA3 Testcases support for -
1. Anti-Clogging Token Request support
2. Return correct status from SAE modules for invalid scenarios
3. Add PMK Caching support for WPA3

wifi lib includes fixes for below PMF Certification issues -
1. Check return status of decrypt operation. Fixes 5.3.3.1.
2. Allow PMF negotiation for WPA2-Enterprise. Fixes 5.3.3.2, 5.3.3.4.
3. Add NULL check on key before encrypting PMF, fixes crash.
2020-05-06 10:20:46 +05:30
Nachiket Kukade
d36663b798 wpa_supplicant: Support WPA3 4-way handshake, add config option
1. Add changes in 4-way handshake path to allow SAE key mgmt.
2. Support for configuring WAP3 at init time, added Kconfig option.
3. Handle and propagate error conditions properly.
2020-05-06 10:20:35 +05:30
Nachiket Kukade
6b76228fcb wpa_supplicant: Add SAE handshake support for WPA3-PSK
Under WPA3-Personal, SAE authentication is used to derive PMK
which is more secure and immune to offline dictionary attacks.
1. Add modules to generate SAE commit/confirm for the handshake
2. Add modules that build and parse SAE data in Auth frames
3. Add WPA3 association and key mgmt definitions
4. Invert y-bit while solving for ECC co-ordinate -
     Once an X co-ordinate is obtained, solving for Y co-ordinate
     using an elliptical curve equation results in 2 possible values,
     Y and (P - Y), where p is the prime number. The co-ordinates are
     used for deriving keys in SAE handshake. As par the 802.11 spec
     if LSB of X is same as LSB of Y then Y is chosen, (P - Y) otherwise.
     This is not what is implemented, so fix this behavior to obtain the
     correct Y co-ordinate.
2020-05-06 10:20:26 +05:30
Sagar Bijwe
8f5f828ad6 wpa_supplicant: Adding SAE modules with testcase
This change ports SAE(Simultaneous Authentication of Equals)
feature from wpa_supplicant and makes it work with mbedtls
crypto APIs. Currently only group 19 is supported. A sample
SAE handshake is included in the testcase. Other minor
changes for DH groups are also included.
2020-05-06 10:20:22 +05:30
Nachiket Kukade
5c5ae96be2 Add encryption/decryption support for PMF
1. Add CCMP, AES crypto modules for unicast protected Mgmt frames
2. Add support for computing SHA256 MIC on Bcast Mgmt frames
3. Add support for storing iGTK during 4-way handshake.
4. Provide APIs to MLME for utilizing the SW crypto modules
2020-05-06 10:20:16 +05:30
Nachiket Kukade
1b7f3fee5c Add support for PMF configuration and negotiation
1. Add APIs for configuring PMF through set config.
2. Map Supplicant and Wifi Cipher types.
3. Add support for PMF negotiation while generating RSN IE.
2020-05-06 10:20:11 +05:30
liu zhifu
8cd210b38b esp_wifi/supplicant: fix some WiFi stop memory leak 2020-05-06 10:15:51 +05:30
Hrudaynath Dhabe
19e840aa53 wpa_supplicant: Set assoc_ie_len based on generated RSN/WPA IE 2020-05-06 10:15:46 +05:30
Hrudaynath Dhabe
39acf9c4dd wifi: Add PMK caching feature for station WPA2-enterprise
4. Pmksa cache expiry after dot11RSNAConfigPMKLifetime timeout.
2020-05-06 10:15:43 +05:30
Sagar Bijwe
2da4ffa2aa wifi: Add PMK caching feature for station WPA2-enterprise
1) Added PMK caching module from wpa_supplicant.
2) Modified wpa_sm to
    a) Add entry to PMK cache when first time associated to an AP.
    b) Maintain entry across the associations.
    c) Clear current PMKSA when deauth happens.
    d) Search for an entry when re-associating to the same AP and
       set it as current PMKSA
    e) Wait for msg 1/4 from AP instead of starting EAP authentication.
    f) Check PMKID in msg 1 with current PMKSA/cache.
    g) Use the cached PMK to complete 4-way handshake.
3) Remove config_bss callback as it was redundant and used to cause
   problems for PMK caching flow.

Closes IDF-969
2020-05-06 10:15:36 +05:30
Sagar Bijwe
5209dff76b wpa_supplicant: Fix compilation errors when USE_MBEDTLS is disabled.
This is a regression from earlier commit related to TLSV12 which used
sha functions that are currently declared static.
Solution: Follow upstream code structure and resolve the errors.
2020-04-15 15:34:35 +05:30
Sagar Bijwe
64061541f0 wpa_supplicant: Fix wpa_supplicant TLS 1.2 issues
1) Fixed compilation issues.
2) Added tlsprf.c from upstream
3) Enabled SHA256 in supplicant compilation.
2020-04-13 16:24:26 +00:00
Sagar Bijwe
a8e0b9171b wpa_supplicant: Fix SAE test-case failure on mbedtls version udpate
Problem:
mbedtls_ctr_drbg_context was initialized in crypto_ec_point_mul. This
was okay in releases before 2.16.4 as entropy_len used to get set to
MBEDTLS_CTR_DRBG_ENTROPY_LEN in function mbedtls_ctr_drbg_seed. The
function is now changed to set the length to
MBEDTLS_CTR_DRBG_ENTROPY_LEN if previous length is 0 and hence the bug.

Solution:
Initialize mbedtls_ctr_drbg_context in crypto_ec_point_mul.
2020-03-18 11:49:23 +00:00
Hrudaynath Dhabe
8f0f3e8f88 WPS_CONFIG_INIT_DEFAULT(type) error 2020-02-06 14:06:38 +08:00
liu zhifu
19e355e080 esp_wifi: fix WiFi deinit memory leak 2019-10-29 22:32:17 +08:00
Nachiket Kukade
ca80b0445d wpa_supplicant: Make internal crypto headers private (backport v4.0)
A lot of internally used crypto headers are publicly includeable
in user projects. This leads to bug reports when these headers
are incorrectly used or the API's are not used as intended.

Move all crypto headers into private crypto src folder, also move
crypto_ops into Supplicant to remove dependecy on crypto headers.

Closes IDF-476
2019-09-17 13:28:30 +00:00
Nachiket Kukade
6b348b94e3 wps: Relax the check on older config methods in case of WPS2.0 (backport
v4.0)

Some APs incorrectly advertize newer WPS2.0 config method bits
without setting bits for the corresponding older methods. This
results in failures during 8-way handshake. Add a workaround to
relax this check so that WPS handshake can proceed.
2019-08-29 13:05:02 +05:30
liu zhifu
f3f08fa713 esp_wifi/supplicant: fix some supplicant bugs
Closes IDFGH-1455
Closes IDF-774
2019-07-18 17:36:19 +08:00
xiehang
6c865a84ff 1, Fix wps memory leak.
2, Add a queue to save wps rx eapol frame.
  3, Add data lock protect wpa2_sig_cnt.
  4, Add a queue to save wpa2 rx rapol frame.
2019-07-11 08:57:31 +00:00
Nachiket Kukade
900df44546 wpa_supplicant: Cleanup fast_xxx modules that use duplicate code
wpa_supplicant is using MbedTLS API's for crypto algorithms. For
calling them a duplicate set of modules is maintained prepended
with 'fast_'. Remove these and use flag USE_MBEDTLS_CRYPTO
instead to separate modules calling MbedTLS API's from native
implementation.
2019-07-10 14:53:20 +05:30
Sagar Bijwe
ae46f04997 wpa_supplicant: Fix sprintf security bugs.
Revert back to using os_snprintf instead of sprintf.

Closes WIFI-624
2019-07-06 04:22:53 +00:00