This adds support for optional functionality to validate server
certificate chain in TLS-based EAP methods in an external program.
wpa_supplicant control interface is used to indicate when such
validation is needed and what the result of the external validation is.
This external validation can extend or replace the internal validation.
When ca_cert or ca_path parameter is set, the internal validation is
used. If these parameters are omitted, only the external validation is
used. It needs to be understood that leaving those parameters out will
disable most of the validation steps done with the TLS library and that
configuration is not really recommend.
By default, the external validation is not used. It can be enabled by
addingtls_ext_cert_check=1 into the network profile phase1 parameter.
When enabled, external validation is required through the CTRL-REQ/RSP
mechanism similarly to other EAP authentication parameters through the
control interface.
The request to perform external validation is indicated by the following
event:
CTRL-REQ-EXT_CERT_CHECK-<id>:External server certificate validation needed for SSID <ssid>
Before that event, the server certificate chain is provided with the
CTRL-EVENT-EAP-PEER-CERT events that include the cert=<hexdump>
parameter. depth=# indicates which certificate is in question (0 for the
server certificate, 1 for its issues, and so on).
The result of the external validation is provided with the following
command:
CTRL-RSP-EXT_CERT_CHECK-<id>:<good|bad>
It should be noted that this is currently enabled only for OpenSSL (and
BoringSSL/LibreSSL). Due to the constraints in the library API, the
validation result from external processing cannot be reported cleanly
with TLS alert. In other words, if the external validation reject the
server certificate chain, the pending TLS handshake is terminated
without sending more messages to the server.
Signed-off-by: Jouni Malinen <j@w1.fi>
SAE: Derive a variable length PMK with the new AKM suites
Select the PMK length based on the used group (prime length) when using
the new AKM suites for SAE.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
SAE: Indicate AKM suite selector in commit for new AKM suites
SAE authentication needs to known which AKM suite is being used to be
able to determine the correct PMK length for the new AKM suite selectors
that use variable length keys.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
SAE: EAPOL-Key and key/MIC length information for the new AKM suites
Update the AKM suite specific mapping of various EAPOL-Key key lengths
and algorithms to include the new SAE AKM suites with variable length
keys.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
SAE: Internal WPA_KEY_MGMT_* defines for extended key AKMs
Define new WPA_KEY_MGMT_* values for the new SAE AKM suite selectors
with variable length keys. This includes updates to various mapping and
checking of the SAE key_mgmt values.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Define new RSN AKM suite selector values
Add the new AKM suite selectors defined in IEEE P802.11-REVme/D1.3.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
-Merges the addition of extended caps IE for assoc req, probe resp
and beacons in a single place. This ensures that there are no
duplicate Extended Caps IE in the frame. Moves the capability
indication for BTM and HT20/40 from supplicant to wifi libs.
-Fix issue with frequent disconections when scanning for only a single
channel.
-Prints error message and returns ESP_ERR_NOT_SUPPORTED in case
esp32c2 tries to set bandwidth to HT40.
Fix crash in sending new RRM neighbour report requests by removing
the call to neighbour report request timeout callback in case of
already ongoing neighbour report request timer.
1) Resolve wpa_suppliant coverity issues caused by SAE softAP
2) Fix crash occured while deinitialization of softAP
when authmode is changed
3) Fix issue related to anti clogging token and send_confirm
4) Put some AP specific functions under ESP_WIFI_SOFTAP_SUPPORT
compilation flags
Some components were including esp_timer.h without declaring a
dependency on esp_timer component. This used to work due to a
transitive public dependency on esp_timer from freertos component.
Add explicit dependencies where needed.
Also some source files were using esp_timer functions without
including the header file. This used to work because esp_timer.h was
included from freertos port header file. This commit adds esp_timer.h
includes where needed.
