614 Commits

Author SHA1 Message Date
Kapil Gupta
131dc6d1c0 fix(esp_wifi): cleanup for crypto_ec struct 2024-07-10 19:29:34 +08:00
aditi_lonkar
4125c56007 fix(wifi):Fix for setting wps status fail when connection fails 2024-07-04 16:01:41 +05:30
Sarvesh Bodakhe
ac508b5778 fix(wifi): Fix issue of supplicant using wrong parameters to configure bss
- Ensure that wpa_supplicant's state machine registers the requirement for rsnxe
  before deciding to add rsnxe to a assoc request.

Co-authored-by: jgujarathi <jash.gujarathi@espressif.com>
2024-07-01 15:32:45 +05:30
Shyamal Khachane
0fac1ebe40 fix(esp_wifi): Fix a memory leak that occurs when the SAE connection is interrupted
1. Free temporary data used by SAE before memsetting the same
2. Drop any received auth responses that use a different algorithm than the one currently in use
2024-06-20 11:45:16 +05:30
Alexey Lapshin
ed6e497c6f feat(build): add COMPILER_STATIC_ANALYZER option 2024-06-18 14:25:37 +08:00
Alexey Lapshin
f328e06ed4 fix(wpa_supplicant): fix warnings found by GNU static analyzer 2024-06-18 14:25:37 +08:00
David Čermák
64fb5a2849 Merge branch 'feat/netif_errcode_wifitxfail_2' into 'master'
change(esp_netif): Add Non-Fatal errtype to indicate lower layer medium failure

See merge request espressif/esp-idf!29835
2024-06-11 22:02:49 +08:00
Kapil Gupta
63386f34bf Merge branch 'bugfix/wpa3_init_crash' into 'master'
fix(wpa_supplicant): Fix wpa3 AP crash because of dangling pointer

Closes WIFIBUG-540

See merge request espressif/esp-idf!31358
2024-06-11 18:06:30 +08:00
Yogesh Mantri
586207207f change(esp_netif): Add Non-Fatal errtype to indicate lower layer medium failure
UDP application sends packet using esp_netif, underlying transport such
as Wi-Fi may drop the packet due to higher load. New error code
represent transient, non-fatal packet drop error. udp application may
use such errtype, for example to rate limit.
2024-06-11 09:20:49 +02:00
muhaidong
812faf4f7d fix(wifi): fix configure gcmp failure issue 2024-06-07 14:04:23 +08:00
Shreyas Sheth
e331dff337 fix(wpa_supplicant): Fix wpa3 AP crash because of dangling pointer 2024-06-06 11:29:05 +05:30
Harshit Malpani
8adcd2b460
fix: Fix spelling mistakes in esp_err_to_name.c 2024-05-29 18:30:01 +05:30
morris
dc6989796a feat(gdma): set burst size and return alignment constraint
burst size can affect the buffer alignment
2024-05-24 22:43:55 +08:00
Kapil Gupta
79cea90dc1 fix(esp_wifi): Correct action frame type in send_mgmt_frame API 2024-04-22 16:08:18 +05:30
Sarvesh Bodakhe
d97c8ed1b1 fix(wifi): Add bugfix to avoid RSNXE and KDE mismatch during 4-way-handshake 2024-04-16 19:49:28 +05:30
Kapil Gupta
95b522a1be fix(wifi): Fix encryption/decryption issue for mgmt packets
* Fix issues related to mgmt packets encryption in GCMP
* Fix issue of wrong decryption of mgmt packets when PMF is enabled
* Fix softAP bug in handling of SAE Reauthentication
2024-04-16 19:49:09 +05:30
Kapil Gupta
58ee771f3c fix(wifi): Run tools/format.sh on WiFi component 2024-04-16 10:58:37 +05:30
Shreyas Sheth
e3338a3103 fix(wpa_supplicant): Compile error when CONFIG_SAE is disabled
Closes https://github.com/espressif/esp-idf/issues/13553
2024-04-08 17:29:48 +05:30
Jiang Jiang Jian
ce6363095e Merge branch 'bugfix/wpa3_ap_ci_crash' into 'master'
fix(esp_wifi): Fix crash when assoc req comes before confirm is processed

Closes IDFCI-2090

See merge request espressif/esp-idf!29805
2024-04-02 20:05:06 +08:00
Shreyas Sheth
73ec4a74fd fix(esp_wifi): Fix crash when assoc req comes before confirm is processed 2024-04-02 14:28:59 +05:30
Kapil Gupta
00ab1ef500 feat(esp_wifi): Provide API to disable PMK caching 2024-04-02 10:21:26 +05:30
jgujarathi
9a88dab748 feat(esp_wifi): Add support for advanced roaming as a wifi app
- Adds support for advanced roaming as a wifi app.
2024-04-01 23:00:01 +08:00
jgujarathi
71e6c10f7c fix(wpa_supplicant): Update supplicant last scan time when application scanning
- Any scanning currently updates the bss table held by supplicant anyway,
  but the time record used to maintain the recency of the last scan is
  only updated by supplicant issued scans. Updating the last scan time
  for application trigerred scanning will prevent the needless scanning
  by supplicant if there has been an application trigerred scan in
  the time diff threshold(currently 10s).
2024-04-01 23:00:01 +08:00
jgujarathi
b23e29d5ae fix(wpa_supplicant): Add current bss channel as hint to scanning
- Add current bss channel as hint to scanning during supplicant connect
  making the process faster.
2024-04-01 23:00:01 +08:00
jgujarathi
560c951e33 fix(wpa_supplicant): Add default durations to supplicant issued scans
- Add default durations to supplicant issued scans based on results from
  initial experiments where probe response times were recorded in a
  significantly noisy environment. It was noticed  that  within 70ms
  we receive over 80% of the responses 90% of the time
2024-04-01 23:00:01 +08:00
jgujarathi
84d7ab5c0c fix(wpa_supplicant): Clear bssid flag and channel in supplicant disconnect handler
- Clear the bssid set flag and channel in supplicant disconnect handler as this
  can cause the station to recursively connect to the wrong AP in case
  roaming through BTM mechanisms fails.
- Fix issue with incorrect blocking time calculation when blocking scan
  issued for a single channel.
2024-04-01 23:00:01 +08:00
jgujarathi
c6134a23dd fix(wpa_supplicant): Replace Neighbor Report callback with an event
- Deprecate the existing esp_rrm_send_neighbor_rep_request() API
- Adds a new API to send neighbor report requests esp_rrm_send_neighbor_report_request().
  This replaces the older API's callback procedure with a new Wi-Fi
  event that is posted when the neighbor report is received.
  This moves the execution of the callback from supplicant
  context to freertos context.
2024-04-01 23:00:01 +08:00
jgujarathi
743772fb76 fix(btm): Improve BTM scanning effiency by using channel bitmap
- Improve the BTM scanning efficiency by using channel bitmap feature in
  scanning. This sets only the channels we need to scan instead of all.
2024-04-01 23:00:01 +08:00
xiehang
f3c5047638 feat(extconn): Supports external WiFi connections for ESP32p4 and other espressf chips 2024-04-01 11:44:52 +08:00
Jiang Jiang Jian
52380e3052 Merge branch 'bugfix/wps_reg_regression' into 'master'
fix(esp_wifi): Fixed regression caused by fe35466c when wpa_supplicant debug logs enabled (!28521)

See merge request espressif/esp-idf!29753
2024-03-22 13:53:18 +08:00
Sarvesh Bodakhe
72f0c47526 fix(esp_wifi): Fix regression caused by fe35466c when supplicant logs enabled 2024-03-20 10:53:30 +05:30
Sarvesh Bodakhe
1d71178193 fix(wpa_supplicant): Add bugfixes related to ciphersuites in wifi enterprise
- Avoid downgrading TLS ciphersuites when client RSA keys are larger than RSA-2048 bit.
- Note that when using bigger certificates on low-power chips without crypto
  hardware acceleration, it is recommended to adjust the task watchdog timer (TWDT)
  if it is enabled. For precise information on timing requirements, you can check
  performance numbers at https://github.com/espressif/mbedtls/wiki/Performance-Numbers.
2024-03-20 09:33:52 +05:30
Sarvesh Bodakhe
05b882baea fix(wpa_supplicant): Update cipher suite list for TLSv1.3 suiteb and some refactoring
- Use MBEDTLS_TLS1_3_AES_256_GCM_SHA384 cipher for TLSv1.3-suiteb
- Call psa_crypto_init() in tls_connection_init() to reduce redundancy
2024-03-20 09:33:52 +05:30
Sarvesh Bodakhe
ec09cdf885 feat(wpa_supplicant): Add TLS v1.3 support for WiFi enterprise
* Add TLS v1.3 support for following EAP methods:
  - EAP-TLS  (RFC 9190)
  - EAP-PEAP (RFC 9427)
  - EAP-TTLS (RFC 9427)
* Add mbedtls porting for TLS v1.3 exporter (RFC 8446 Section 7.5)
* Add new Kconfig flag to enable TLS v1.3 for EAP methods
* Advertise TLS v1.3 signature algorithms if TLS 1.3 is enabled for EAP
  methods
* Advertise TLS v1.3 cipher suites if CONFIG_ESP_WIFI_EAP_TLS1_3 enabled
* Add support to Ack protected success indication
  (workaround for EAP-TLS 1.3 and 1.2 compatibilty)
2024-03-20 09:33:52 +05:30
Glenn Strauss
b3e4aae7bb TLS: Fix unsigned int underflow in internal TLS 1.0/1.1 implementation
Taking sizeof(ptr) is incorrect to determine size of passed in hash and
results in hlen getting set to a very large value since MD5_MAC_LEN >
sizeof(ptr). Provide the actual size of the hash buffer from the caller
to fix this.

tls_key_x_server_params_hash() callers src/tls/tlsv1_client_read.c and
src/tls/tlsv1_server_write.c both pass in a large enough hash (hash[64]
or hash[100]) that this does not appear to have an impact, though it is
still wrong.

Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
2024-03-20 09:33:52 +05:30
Glenn Strauss
b58dbf2808 Update tls_connection_set_verify() documentation to verify_peer=2
This new value was added to verify peer certificate if it is provided,
but not reject the TLS handshake if no peer certificate is provided.

Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
2024-03-20 09:33:52 +05:30
Jouni Malinen
8ff4837830 Fix tls_connection_set_success_data() in TLS library wrappers
Some of the TLS library wrappers defined only an empty function for
tls_connection_set_success_data(). That could result in memory leaks in
TLS server cases, so update these to do the minimal thing and free the
provided buffer as unused.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-03-20 09:33:52 +05:30
Jouni Malinen
6658c3ed63 Remove useless DH file configuration from TLS library wrappers
These operations do not really have any effect since
tls_connection_set_params() is used only in the TLS client case and the
client receives the DH parameters from the server instead of local
configuration.

Signed-off-by: Jouni Malinen <j@w1.fi>
2024-03-20 09:33:52 +05:30
Jouni Malinen
89fc940ec0 EAP-TLS: Do not allow TLSv1.3 success without protected result indication
RFC 9190 requires protected result indication to be used with TLSv1.3,
so do not allow EAP-TLS to complete successfully if the server does not
send that indication.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-03-20 09:33:52 +05:30
Jouni Malinen
98183fe062 EAP-TLS: Replace the Commitment Message term with RFC 9190 language
While the drafts for RFC 9190 used a separate Commitment Message term,
that term was removed from the published RFC. Update the debug prints to
match that final language.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-03-20 09:33:52 +05:30
Jouni Malinen
9cb8c0545f EAP-TLS: Update specification references to RFC 5216 and 9190
The previously used references were pointing to an obsoleted RFC and
draft versions. Replace these with current versions.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-03-20 09:33:52 +05:30
Alexander Clouter
b17d6a1b3a EAP-TTLS peer: Handle Commitment Message for TLS 1.3
Recognize the explicitly defined Commitment Message per
draft-ietf-emu-eap-tls13-13 at the conclusion of the EAP-TTLS with TLS
1.3.

Signed-off-by: Alexander Clouter <alex@digriz.org.uk>
2024-03-20 09:33:52 +05:30
Alexander Clouter
65248148f0 EAP-TLS peer: Handle Commitment Message for TLS 1.3
Recognize the explicitly defined Commitment Message per
draft-ietf-emu-eap-tls13-13 at the conclusion of the EAP-TLS with TLS
1.3.

Signed-off-by: Alexander Clouter <alex@digriz.org.uk>
2024-03-20 09:33:52 +05:30
Alexander Clouter
a5ee253d62 EAP: Extend Session-Id derivation with TLS 1.3 to PEAP and EAP-TTLS
This newer Session-Id/Method-Id derivation is used with PEAP and
EAP-TTLS when using TLS 1.3 per draft-ietf-emu-tls-eap-types-00, so do
not limit this to only EAP-TLS.

Signed-off-by: Alexander Clouter <alex@digriz.org.uk>
2024-03-20 09:33:52 +05:30
Alexander Clouter
42e37285e5 EAP-TTLS: Key derivation per draft-ietf-emu-tls-eap-types-00
Use the TLS-Exporter with the label and context as defined in
draft-ietf-emu-tls-eap-types-00 when deriving keys for EAP-TTLS with TLS
1.3.

Signed-off-by: Alexander Clouter <alex@digriz.org.uk>
2024-03-20 09:33:52 +05:30
Alexander Clouter
0d90484018 EAP-PEAP: Key derivation per draft-ietf-emu-tls-eap-types-00
Use the TLS-Exporter with the label and context as defined in
draft-ietf-emu-tls-eap-types-00 when deriving keys for PEAP with TLS
1.3.

Signed-off-by: Alexander Clouter <alex@digriz.org.uk>
2024-03-20 09:33:52 +05:30
Alexander Clouter
252dd1b976 EAP-TTLS/PEAP peer: Fix failure when using session tickets under TLS 1.3
EAP peer does not expect data present when beginning the Phase 2 in
EAP-{TTLS,PEAP} but in TLS 1.3 session tickets are sent after the
handshake completes.

There are several strategies that can be used to handle this, but this
patch picks up from the discussion[1] and implements the proposed use of
SSL_MODE_AUTO_RETRY. SSL_MODE_AUTO_RETRY has already been enabled by
default in OpenSSL 1.1.1, but it needs to be enabled for older versions.

The main OpenSSL wrapper change in tls_connection_decrypt() takes care
of the new possible case with SSL_MODE_AUTO_RETRY for
SSL_ERROR_WANT_READ to indicate that a non-application_data was
processed. That is not really an error case with TLS 1.3, so allow it to
complete and return an empty decrypted application data buffer.
EAP-PEAP/TTLS processing can then use this to move ahead with starting
Phase 2.

[1] https://www.spinics.net/lists/hostap/msg05376.html

Signed-off-by: Alexander Clouter <alex@digriz.org.uk>
2024-03-20 09:33:52 +05:30
Jouni Malinen
a5b01a93ff EAP-TTLS peer: Support vendor EAP method in Phase 2
The implementation was previously hardcoded to use only the non-expanded
IETF EAP methods in Phase 2. Extend that to allow vendor EAP methods
with expanded header to be used.

Signed-off-by: Jouni Malinen <j@w1.fi>
2024-03-20 09:33:52 +05:30
Jouni Malinen
a9170c6a20 EAP-TLS peer: Handle possible application data at the end
EAP-TLS with TLS 1.3 uses an empty application data record from the
server to indicate end of the exchange, so EAP-TLS peer will need to
check for this special case and finish the exchange with an empty
EAP-TLS (ACK) so that the server can send out EAP-Success.

Signed-off-by: Jouni Malinen <j@w1.fi>
2024-03-20 09:33:52 +05:30
Ervin Oro
caf49e8c10 Add Type-Code context to EAP-TLS 1.3 exported Key_Material and Method-Id
Change to require the Type-Code in context for Key_Material and
Method-Id has now been published as draft-ietf-emu-eap-tls13-04.
https://tools.ietf.org/html/draft-ietf-emu-eap-tls13-04#section-2.3

Signed-off-by: Ervin Oro <ervin.oro@aalto.fi>
2024-03-20 09:33:52 +05:30