Merge branch 'bugfix/wpa2_enterprise_issues' into 'master'

esp_wifi: WPA2 enterprise related changes

Closes WIFI-4579

See merge request espressif/esp-idf!19162

components/wpa_supplicant/CMakeLists.txt

@@ -251,7 +251,7 @@ if(CONFIG_WPA_11R_SUPPORT)
 endif()
 if(NOT CONFIG_WPA_MBEDTLS_TLS_CLIENT)
     target_compile_definitions(${COMPONENT_LIB} PRIVATE CONFIG_TLS_INTERNAL_CLIENT
-                CONFIG_TLSV11 CONFIG_TLSV12 CONFIG_INTERNAL_SHA384 CONFIG_INTERNAL_SHA512 EAP_FAST)
+                CONFIG_TLSV11 CONFIG_TLSV12 EAP_FAST)
 endif()
 if(CONFIG_WPA_MBEDTLS_CRYPTO)
     target_compile_definitions(${COMPONENT_LIB} PRIVATE CONFIG_CRYPTO_MBEDTLS)

components/wpa_supplicant/esp_supplicant/src/crypto/crypto_mbedtls.c

@@ -119,14 +119,10 @@ int md4_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac)
 }
 #endif
 
-struct crypto_hash {
-	mbedtls_md_context_t ctx;
-};
-
 struct crypto_hash * crypto_hash_init(enum crypto_hash_alg alg, const u8 *key,
 				      size_t key_len)
 {
-	struct crypto_hash *ctx;
+	mbedtls_md_context_t *ctx = NULL;
 	mbedtls_md_type_t md_type;
 	const mbedtls_md_info_t *md_info;
 	int ret;
@@ -169,53 +165,53 @@ struct crypto_hash * crypto_hash_init(enum crypto_hash_alg alg, const u8 *key,
 		return NULL;
 	}
 
-	mbedtls_md_init(&ctx->ctx);
+	mbedtls_md_init(ctx);
 	md_info = mbedtls_md_info_from_type(md_type);
 	if (!md_info) {
 		goto cleanup;
 	}
-	if (mbedtls_md_setup(&ctx->ctx, md_info, 1) != 0) {
-		goto cleanup;
-	}
-	if (mbedtls_md_hmac_starts(&ctx->ctx, key, key_len) != 0) {
+	if (mbedtls_md_setup(ctx, md_info, is_hmac) != 0) {
 		goto cleanup;
 	}
 	if (is_hmac) {
-		ret = mbedtls_md_hmac_starts(&ctx->ctx, key, key_len);
+		ret = mbedtls_md_hmac_starts(ctx, key, key_len);
 	} else {
-		ret = mbedtls_md_starts(&ctx->ctx);
+		ret = mbedtls_md_starts(ctx);
 	}
 	if (ret < 0) {
 		goto cleanup;
 	}
 
-	return ctx;
+	return (struct crypto_hash *)ctx;
 cleanup:
+	mbedtls_md_free(ctx);
 	os_free(ctx);
 	return NULL;
 }
 
-void crypto_hash_update(struct crypto_hash *ctx, const u8 *data, size_t len)
+void crypto_hash_update(struct crypto_hash *crypto_ctx, const u8 *data, size_t len)
 {
 	int ret;
+	mbedtls_md_context_t *ctx = (mbedtls_md_context_t *)crypto_ctx;
 
 	if (ctx == NULL) {
 		return;
 	}
-	if (ctx->ctx.MBEDTLS_PRIVATE(hmac_ctx)) {
-		ret = mbedtls_md_hmac_update(&ctx->ctx, data, len);
+	if (ctx->MBEDTLS_PRIVATE(hmac_ctx)) {
+		ret = mbedtls_md_hmac_update(ctx, data, len);
 	} else {
-		ret = mbedtls_md_update(&ctx->ctx, data, len);
+		ret = mbedtls_md_update(ctx, data, len);
 	}
 	if (ret != 0) {
 		wpa_printf(MSG_ERROR, "%s: mbedtls_md_hmac_update failed", __func__);
 	}
 }
 
-int crypto_hash_finish(struct crypto_hash *ctx, u8 *mac, size_t *len)
+int crypto_hash_finish(struct crypto_hash *crypto_ctx, u8 *mac, size_t *len)
 {
 	int ret = 0;
 	mbedtls_md_type_t md_type;
+	mbedtls_md_context_t *ctx = (mbedtls_md_context_t *)crypto_ctx;
 
 	if (ctx == NULL) {
 		return -2;
@@ -224,7 +220,7 @@ int crypto_hash_finish(struct crypto_hash *ctx, u8 *mac, size_t *len)
 	if (mac == NULL || len == NULL) {
 		goto err;
 	}
-	md_type = mbedtls_md_get_type(ctx->ctx.MBEDTLS_PRIVATE(md_info));
+	md_type = mbedtls_md_get_type(ctx->MBEDTLS_PRIVATE(md_info));
 	switch(md_type) {
 	case MBEDTLS_MD_MD5:
 		if (*len < MD5_MAC_LEN) {
@@ -271,14 +267,14 @@ int crypto_hash_finish(struct crypto_hash *ctx, u8 *mac, size_t *len)
 		ret = -1;
 		goto err;
 	}
-	if (ctx->ctx.MBEDTLS_PRIVATE(hmac_ctx)) {
-		ret = mbedtls_md_hmac_finish(&ctx->ctx, mac);
+	if (ctx->MBEDTLS_PRIVATE(hmac_ctx)) {
+		ret = mbedtls_md_hmac_finish(ctx, mac);
 	} else {
-		ret = mbedtls_md_finish(&ctx->ctx, mac);
+		ret = mbedtls_md_finish(ctx, mac);
 	}
 
 err:
-	mbedtls_md_free(&ctx->ctx);
+	mbedtls_md_free(ctx);
 	bin_clear_free(ctx, sizeof(*ctx));
 
 	return ret;

components/wpa_supplicant/src/tls/tlsv1_client.c

@@ -483,15 +483,25 @@ struct tlsv1_client * tlsv1_client_init(void)
 
 	count = 0;
 	suites = conn->cipher_suites;
+#ifdef CONFIG_CRYPTO_MBEDTLS
 	suites[count++] = TLS_DHE_RSA_WITH_AES_256_CBC_SHA256;
+#endif
 	suites[count++] = TLS_RSA_WITH_AES_256_CBC_SHA256;
+#ifdef CONFIG_CRYPTO_MBEDTLS
 	suites[count++] = TLS_DHE_RSA_WITH_AES_256_CBC_SHA;
+#endif
 	suites[count++] = TLS_RSA_WITH_AES_256_CBC_SHA;
+#ifdef CONFIG_CRYPTO_MBEDTLS
 	suites[count++] = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256;
+#endif
 	suites[count++] = TLS_RSA_WITH_AES_128_CBC_SHA256;
+#ifdef CONFIG_CRYPTO_MBEDTLS
 	suites[count++] = TLS_DHE_RSA_WITH_AES_128_CBC_SHA;
+#endif
 	suites[count++] = TLS_RSA_WITH_AES_128_CBC_SHA;
+#ifdef CONFIG_CRYPTO_MBEDTLS
 	suites[count++] = TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA;
+#endif
 	suites[count++] = TLS_RSA_WITH_3DES_EDE_CBC_SHA;
 	suites[count++] = TLS_RSA_WITH_RC4_128_SHA;
 	suites[count++] = TLS_RSA_WITH_RC4_128_MD5;

components/wpa_supplicant/src/tls/tlsv1_client_write.c

@@ -126,16 +126,26 @@ u8 * tls_send_client_hello(struct tlsv1_client *conn, size_t *out_len)
 		WPA_PUT_BE16(pos, TLS_EXT_SIGNATURE_ALGORITHMS);
 		pos += 2;
 		/* opaque extension_data<0..2^16-1> length */
+#ifdef CONFIG_CRYPTO_MBEDTLS
 		WPA_PUT_BE16(pos, 8);
+#else
+		WPA_PUT_BE16(pos, 4);
+#endif
 		pos += 2;
 		/* supported_signature_algorithms<2..2^16-2> length */
+#ifdef CONFIG_CRYPTO_MBEDTLS
 		WPA_PUT_BE16(pos, 6);
+#else
+		WPA_PUT_BE16(pos, 2);
+#endif
 		pos += 2;
 		/* supported_signature_algorithms */
+#ifdef CONFIG_CRYPTO_MBEDTLS
 		*pos++ = TLS_HASH_ALG_SHA512;
 		*pos++ = TLS_SIGN_ALG_RSA;
 		*pos++ = TLS_HASH_ALG_SHA384;
 		*pos++ = TLS_SIGN_ALG_RSA;
+#endif
 		*pos++ = TLS_HASH_ALG_SHA256;
 		*pos++ = TLS_SIGN_ALG_RSA;
 	}

components/wpa_supplicant/src/tls/tlsv1_common.c

@@ -350,6 +350,7 @@ int tlsv12_key_x_server_params_hash(u16 tls_version, u8 hash_alg,
 		alg = CRYPTO_HASH_ALG_SHA256;
 		hlen = SHA256_MAC_LEN;
 		break;
+#ifdef CONFIG_CRYPTO_MBEDTLS
 	case TLS_HASH_ALG_SHA384:
 		alg = CRYPTO_HASH_ALG_SHA384;
 		hlen = 48;
@@ -358,6 +359,7 @@ int tlsv12_key_x_server_params_hash(u16 tls_version, u8 hash_alg,
 		alg = CRYPTO_HASH_ALG_SHA512;
 		hlen = 64;
 		break;
+#endif
 	default:
 		return -1;
 	}