From f5c14ba5a026b26e2c8e2f6b2e584ee499f25898 Mon Sep 17 00:00:00 2001 From: "tarun.kumar" Date: Sun, 1 Dec 2024 15:54:11 +0530 Subject: [PATCH 1/4] fix(softAP): Adjusted authentication mode for wpa-eap version 1 --- components/esp_rom/esp32c2/ld/esp32c2.rom.ld | 2 +- components/esp_wifi/include/esp_wifi_types.h | 10 +++++++--- components/wpa_supplicant/src/rsn_supp/wpa.c | 2 +- 3 files changed, 9 insertions(+), 5 deletions(-) diff --git a/components/esp_rom/esp32c2/ld/esp32c2.rom.ld b/components/esp_rom/esp32c2/ld/esp32c2.rom.ld index ef8b1f7223..327875a459 100644 --- a/components/esp_rom/esp32c2/ld/esp32c2.rom.ld +++ b/components/esp_rom/esp32c2/ld/esp32c2.rom.ld @@ -1024,7 +1024,7 @@ ieee80211_getcapinfo = 0x40002130; /* sta_recv_sa_query_resp = 0x40002144; */ ieee80211_set_max_rate = 0x4000214c; ic_set_sta = 0x40002150; -ieee80211_parse_wpa = 0x40002158; +/* ieee80211_parse_wpa = 0x40002158; */ ieee80211_add_assoc_req_ies = 0x40002160; ieee80211_add_probe_req_ies = 0x40002164; /* Data (.data, .bss, .rodata) */ diff --git a/components/esp_wifi/include/esp_wifi_types.h b/components/esp_wifi/include/esp_wifi_types.h index 9696a32e56..ce2534bf2a 100644 --- a/components/esp_wifi/include/esp_wifi_types.h +++ b/components/esp_wifi/include/esp_wifi_types.h @@ -59,7 +59,7 @@ typedef struct { * @brief Wi-Fi authmode type * Strength of authmodes * Personal Networks : OPEN < WEP < WPA_PSK < OWE < WPA2_PSK = WPA_WPA2_PSK < WAPI_PSK < WPA3_PSK = WPA2_WPA3_PSK - * Enterprise Networks : WIFI_AUTH_WPA2_ENTERPRISE < WIFI_AUTH_WPA3_ENT_192 + * Enterprise Networks : WIFI_AUTH_WPA_ENTERPRISE < WIFI_AUTH_WPA2_ENTERPRISE < WIFI_AUTH_WPA3_ENT_192 */ typedef enum { WIFI_AUTH_OPEN = 0, /**< authenticate mode : open */ 
@@ -67,8 +67,8 @@ typedef enum { WIFI_AUTH_WPA_PSK, /**< authenticate mode : WPA_PSK */ WIFI_AUTH_WPA2_PSK, /**< authenticate mode : WPA2_PSK */ WIFI_AUTH_WPA_WPA2_PSK, /**< authenticate mode : WPA_WPA2_PSK */ - WIFI_AUTH_ENTERPRISE, /**< authenticate mode : WiFi EAP security */ - WIFI_AUTH_WPA2_ENTERPRISE = WIFI_AUTH_ENTERPRISE, /**< authenticate mode : WiFi EAP security */ + WIFI_AUTH_ENTERPRISE, /**< authenticate mode : WiFi EAP security, treated the same as WIFI_AUTH_WPA2_ENTERPRISE */ + WIFI_AUTH_WPA2_ENTERPRISE = WIFI_AUTH_ENTERPRISE, /**< authenticate mode : WPA2-Enterprise security */ WIFI_AUTH_WPA3_PSK, /**< authenticate mode : WPA3_PSK */ WIFI_AUTH_WPA2_WPA3_PSK, /**< authenticate mode : WPA2_WPA3_PSK */ WIFI_AUTH_WAPI_PSK, /**< authenticate mode : WAPI_PSK */ @@ -76,6 +76,10 @@ typedef enum { WIFI_AUTH_WPA3_ENT_192, /**< authenticate mode : WPA3_ENT_SUITE_B_192_BIT */ WIFI_AUTH_WPA3_EXT_PSK, /**< this authentication mode will yield same result as WIFI_AUTH_WPA3_PSK and not recommended to be used. It will be deprecated in future, please use WIFI_AUTH_WPA3_PSK instead. */ WIFI_AUTH_WPA3_EXT_PSK_MIXED_MODE, /**< this authentication mode will yield same result as WIFI_AUTH_WPA3_PSK and not recommended to be used. It will be deprecated in future, please use WIFI_AUTH_WPA3_PSK instead.*/ + WIFI_AUTH_DUMMY1, + WIFI_AUTH_DUMMY2, + WIFI_AUTH_DUMMY3, + WIFI_AUTH_WPA_ENTERPRISE, /**< Authenticate mode : WPA-Enterprise security */ WIFI_AUTH_MAX } wifi_auth_mode_t; diff --git a/components/wpa_supplicant/src/rsn_supp/wpa.c b/components/wpa_supplicant/src/rsn_supp/wpa.c index c047183597..86d75b5085 100644 --- a/components/wpa_supplicant/src/rsn_supp/wpa.c +++ b/components/wpa_supplicant/src/rsn_supp/wpa.c 
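Review bot: `WIFI_AUTH_WPA_ENTERPRISE` is appended after three undocumented `WIFI_AUTH_DUMMY1..3` placeholders, so its numeric value is the largest real entry in `wifi_auth_mode_t` even though the updated strength comment ranks it below `WIFI_AUTH_WPA2_ENTERPRISE`. Any code that compares auth modes by value (a minimum-authmode threshold, for example) would treat WPA-Enterprise as stronger than WPA3 and accept it; no such comparison is visible in this patch, so existing callers should be checked. The placeholders are public API names with no doc comment. Presumably they keep the enum values aligned with the binary Wi-Fi library; if so that should be stated, e.g. `WIFI_AUTH_DUMMY1, /**< reserved, do not use */`.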
@@ -2274,7 +2274,7 @@ void wpa_set_profile(u32 wpa_proto, u8 auth_mode) struct wpa_sm *sm = &gWpaSm; sm->proto = wpa_proto; - if (auth_mode == WPA2_AUTH_ENT) { + if (auth_mode == WPA2_AUTH_ENT || (auth_mode == WPA_AUTH_UNSPEC)) { sm->key_mgmt = WPA_KEY_MGMT_IEEE8021X; /* for wpa2 enterprise */ } else if (auth_mode == WPA2_AUTH_ENT_SHA256) { sm->key_mgmt = WPA_KEY_MGMT_IEEE8021X_SHA256; /* for wpa2 enterprise sha256 */ From fb9c3aeac49eebaf383e6f8ae6d24dce586ec889 Mon Sep 17 00:00:00 2001 From: "tarun.kumar" Date: Tue, 4 Mar 2025 20:38:05 +0530 Subject: [PATCH 2/4] fix(wifi): Sending disconnect event in connect fail and add enterprise check in Suite-B 192-bit certification --- components/esp_wifi/include/esp_wifi.h | 2 +- components/wpa_supplicant/src/rsn_supp/wpa.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/components/esp_wifi/include/esp_wifi.h b/components/esp_wifi/include/esp_wifi.h index 35164c5565..019d1974cc 100644 --- a/components/esp_wifi/include/esp_wifi.h +++ b/components/esp_wifi/include/esp_wifi.h @@ -1407,7 +1407,7 @@ esp_err_t esp_wifi_force_wakeup_release(void); /** * @brief configure country * - * @attention 1. When ieee80211d_enabled, the country info of the AP to which + * @attention 1. When ieee80211d_enabled is enabled, the country info of the AP to which * the station is connected is used. E.g. if the configured country is US * and the country info of the AP to which the station is connected is JP * then the country info that will be used is JP. If the station disconnected diff --git a/components/wpa_supplicant/src/rsn_supp/wpa.c b/components/wpa_supplicant/src/rsn_supp/wpa.c index 86d75b5085..33063a5dce 100644 --- a/components/wpa_supplicant/src/rsn_supp/wpa.c +++ b/components/wpa_supplicant/src/rsn_supp/wpa.c 
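Review bot: The widened condition in `wpa_set_profile` maps `WPA_AUTH_UNSPEC` to `WPA_KEY_MGMT_IEEE8021X`, but the comment on that branch still reads `/* for wpa2 enterprise */`, and nothing in the hunk ties the new case to the value of `wpa_proto`. If `WPA_AUTH_UNSPEC` can also reach this function for an AP whose AKM was not determined (the name and the subject of patch 4/4 suggest this, but the caller is not in the diff), the station would select 802.1X key management for it unconditionally. I would update the comment to `/* for WPA and WPA2 enterprise */` and document which `wpa_proto` values are expected together with `WPA_AUTH_UNSPEC`. The parentheses around only the second comparison are inconsistent; `if (auth_mode == WPA2_AUTH_ENT || auth_mode == WPA_AUTH_UNSPEC) {` reads cleaner. The function body continues past the hunk.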
@@ -2376,7 +2376,7 @@ int wpa_set_bss(char *macddr, char * bssid, u8 pairwise_cipher, u8 group_cipher, } #ifdef CONFIG_SUITEB192 extern bool g_wpa_suiteb_certification; - if (g_wpa_suiteb_certification) { + if (is_wpa2_enterprise_connection() && g_wpa_suiteb_certification) { if (sm->mgmt_group_cipher != WPA_CIPHER_BIP_GMAC_256) { wpa_printf(MSG_ERROR, "suite-b 192bit certification, only GMAC256 is supported"); return -1; From dc5ae9c88fc3e53d22ac09b7fe8d7917db957db1 Mon Sep 17 00:00:00 2001 From: Kapil Gupta Date: Mon, 9 Jun 2025 13:08:38 +0530 Subject: [PATCH 3/4] fix(wpa_supplicant): Delay sending of EAP_START for EAP auth --- .../esp_supplicant/src/esp_eap_client.c | 27 ++++++++++++++++--- .../wpa_supplicant/src/eap_peer/eap_i.h | 1 + 2 files changed, 24 insertions(+), 4 deletions(-) diff --git a/components/wpa_supplicant/esp_supplicant/src/esp_eap_client.c b/components/wpa_supplicant/esp_supplicant/src/esp_eap_client.c index 1d3e7ff700..f0f807c805 100644 --- a/components/wpa_supplicant/esp_supplicant/src/esp_eap_client.c +++ b/components/wpa_supplicant/esp_supplicant/src/esp_eap_client.c @@ -60,6 +60,7 @@ static struct eap_sm *gEapSm = NULL; static int eap_peer_sm_init(void); static void eap_peer_sm_deinit(void); +static void eap_start_eapol(void *ctx, void *data); static int eap_sm_rx_eapol_internal(u8 *src_addr, u8 *buf, u32 len, uint8_t *bssid); static int wpa2_start_eapol_internal(void); @@ -529,6 +530,10 @@ static int eap_sm_rx_eapol_internal(u8 *src_addr, u8 *buf, u32 len, uint8_t *bss return ESP_FAIL; } + if (!sm->eap_process_started) { + sm->eap_process_started = true; + eloop_cancel_timeout(eap_start_eapol, NULL, NULL); + } if (len < sizeof(*hdr) + sizeof(*ehdr)) { wpa_printf(MSG_DEBUG, "WPA: EAPOL frame too short to be a WPA " "EAPOL-Key (len %lu, expecting at least %lu)", 
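Review bot: With `is_wpa2_enterprise_connection() &&` in front, the Suite-B 192-bit restrictions in `wpa_set_bss` are skipped silently for every connection the helper does not classify as enterprise, even while `g_wpa_suiteb_certification` is set. The helper is not defined in this series, so it cannot be confirmed here that it returns true for the WPA-Enterprise mode introduced in patch 1/4 or for `WIFI_AUTH_WPA3_ENT_192`; if it does not, certification mode would accept a management group cipher other than GMAC-256. A short comment stating why non-enterprise connections are exempt, plus a `wpa_printf(MSG_DEBUG, ...)` when the check is bypassed, would make the exemption auditable. The `#ifdef CONFIG_SUITEB192` block continues past the hunk.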
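Review bot: The block added to `eap_sm_rx_eapol_internal` sets `eap_process_started` and cancels the pending EAPOL-Start timer before the `len < sizeof(*hdr) + sizeof(*ehdr)` check, so a frame that is then rejected as too short still suppresses the delayed EAPOL-Start. If the authenticator never starts the exchange on its own, the station would then wait without ever sending EAPOL-Start. Moving the added block below the length and header validation, so that only a well-formed EAPOL frame cancels the timer, avoids that. The function starts and ends outside the hunk, so the later validation steps are not visible here.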
@@ -612,15 +617,28 @@ _out: return ret; } -static int wpa2_start_eapol(void) +static void eap_start_eapol(void *ctx, void *data) { #ifdef USE_WPA2_TASK - return wpa2_post(SIG_WPA2_START, 0); + wpa2_post(SIG_WPA2_START, 0); #else - return wpa2_start_eapol_internal(); + wpa2_start_eapol_internal(); #endif } +static int eap_start_eapol_timer(void) +{ + /* + * Do not send EAPOL-Start immediately since in most cases, + * Authenticator is going to start authentication immediately + * after association and an extra EAPOL-Start is just going to + * delay authentication. Use a short timeout to send the first + * EAPOL-Start if Authenticator does not start authentication. + */ + eloop_register_timeout(2, 0, eap_start_eapol, NULL, NULL); + return 0; +} + static int wpa2_start_eapol_internal(void) { struct eap_sm *sm = gEapSm; @@ -739,6 +757,7 @@ static int eap_peer_sm_init(void) wpa_printf(MSG_INFO, "wifi_task prio:%d, stack:%d", WPA2_TASK_PRIORITY, WPA2_TASK_STACK_SIZE); #endif sm->workaround = 1; + sm->eap_process_started = false; return ESP_OK; _err: @@ -806,7 +825,7 @@ static esp_err_t esp_client_enable_fn(void *arg) } wpa2_cb->wpa2_sm_rx_eapol = wpa2_ent_rx_eapol; - wpa2_cb->wpa2_start = wpa2_start_eapol; + wpa2_cb->wpa2_start = eap_start_eapol_timer; wpa2_cb->wpa2_init = eap_peer_sm_init; wpa2_cb->wpa2_deinit = eap_peer_sm_deinit; diff --git a/components/wpa_supplicant/src/eap_peer/eap_i.h b/components/wpa_supplicant/src/eap_peer/eap_i.h index fec7856714..ca4f3a277a 100644 --- a/components/wpa_supplicant/src/eap_peer/eap_i.h +++ b/components/wpa_supplicant/src/eap_peer/eap_i.h @@ -311,6 +311,7 @@ struct eap_sm { size_t eapKeyDataLen; struct wpabuf *lastRespData; const struct eap_method *m; + bool eap_process_started; }; typedef enum { From bbdf1b4e994c96ab2309ccb4aaad034406c7e3e4 Mon Sep 17 00:00:00 2001 
From: Kapil Gupta Date: Thu, 3 Jul 2025 14:33:09 +0530 Subject: [PATCH 4/4] fix (esp_wifi): Set default akm as eap for non AKM APs --- components/esp_wifi/lib | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/components/esp_wifi/lib b/components/esp_wifi/lib index 2182ce8650..f5476bb8a5 160000 --- a/components/esp_wifi/lib +++ b/components/esp_wifi/lib @@ -1 +1 @@ -Subproject commit 2182ce8650020297d2adc4b1b05ccf09b787c09b +Subproject commit f5476bb8a58e99c121e1e9c4515ed447279aa0fe