From 6e13fc803ab188983a1640d40fcd1b377ba8cdb2 Mon Sep 17 00:00:00 2001
From: Christoph Rackwitz
Date: Mon, 25 Oct 2021 12:15:30 +0200
Subject: [PATCH 1/4] esp_wifi: Reset event bits in ftm example to avoid repeated failures

---
 examples/wifi/ftm/main/ftm_main.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/examples/wifi/ftm/main/ftm_main.c b/examples/wifi/ftm/main/ftm_main.c
index 446329e19a..1090f6476c 100644
--- a/examples/wifi/ftm/main/ftm_main.c
+++ b/examples/wifi/ftm/main/ftm_main.c
@@ -476,7 +476,7 @@ static int wifi_cmd_ftm(int argc, char **argv)
 }
 
 bits = xEventGroupWaitBits(ftm_event_group, FTM_REPORT_BIT | FTM_FAILURE_BIT,
- pdFALSE, pdFALSE, portMAX_DELAY);
+ pdTRUE, pdFALSE, portMAX_DELAY);
 /* Processing data from FTM session */
 if (bits & FTM_REPORT_BIT) {
 ftm_process_report();
@@ -485,7 +485,6 @@ static int wifi_cmd_ftm(int argc, char **argv)
 g_ftm_report_num_entries = 0;
 ESP_LOGI(TAG_STA, "Estimated RTT - %d nSec, Estimated Distance - %d.%02d meters",
 g_rtt_est, g_dist_est / 100, g_dist_est % 100);
- xEventGroupClearBits(ftm_event_group, FTM_REPORT_BIT);
 } else {
 /* Failure case */
 }

From 3d0076a31f7c8d9ee563a4826dd731857be4e614 Mon Sep 17 00:00:00 2001
From: Nachiket Kukade
Date: Thu, 18 Nov 2021 18:43:06 +0530
Subject: [PATCH 2/4] esp_wifi: Update wifi lib

Update wifi lib with below fixes -
1. In FTM Responder, add session timer for cleanup, also remove unnecessary mutex locks
2. In FTM Responder, fix incorrect print in case of failure while setting up the SofTAP
2. In FTM Initiator, increase FTM Request response timeout to avoid failures in noisy environments
3. In FTM Initiator, abort for high start delta time, also fix timeout issue in ASAP mode
---
 components/esp_wifi/lib | 2 +-
 examples/wifi/ftm/main/ftm_main.c | 9 ++++++---
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/components/esp_wifi/lib b/components/esp_wifi/lib
index bba5f9116d..4c9f657748 160000
--- a/components/esp_wifi/lib
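Review bot: The wait on the changed line still uses portMAX_DELAY, so if the event handler sets neither FTM_REPORT_BIT nor FTM_FAILURE_BIT the console command blocks forever and `bits` can never come back as 0. A bounded wait such as `pdMS_TO_TICKS(<session_timeout_ms>)` followed by `if (bits == 0) { /* timed out: treat as failure */ }` before the report check would let the command fail cleanly, and clearing on exit (pdTRUE) is the right companion to that, since a stale bit from an earlier session would otherwise satisfy the next wait immediately. The `/* Failure case */` branch visible in the second hunk still does nothing, so a failed session is silent on the console; an `ESP_LOGE(TAG_STA, "FTM session failed");` there would make the outcome observable. wifi_cmd_ftm begins and ends outside these hunks.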
+++ b/components/esp_wifi/lib
@@ -1 +1 @@
-Subproject commit bba5f9116dec8eccce0ad43281a69f3f7f8c633b
+Subproject commit 4c9f657748769d61b453b7b5b631c823ef9b4112
diff --git a/examples/wifi/ftm/main/ftm_main.c b/examples/wifi/ftm/main/ftm_main.c
index 1090f6476c..fe3e2bec3d 100644
--- a/examples/wifi/ftm/main/ftm_main.c
+++ b/examples/wifi/ftm/main/ftm_main.c
@@ -317,7 +317,7 @@ static bool wifi_cmd_ap_set(const char* ssid, const char* pass)
 if (pass) {
 if (strlen(pass) != 0 && strlen(pass) < 8) {
 s_reconnect = true;
- ESP_LOGE(TAG_AP, "password less than 8");
+ ESP_LOGE(TAG_AP, "password cannot be less than 8 characters long");
 return false;
 }
 strlcpy((char*) g_ap_config.ap.password, pass, MAX_PASSPHRASE_LEN);
@@ -341,8 +341,11 @@ static int wifi_cmd_ap(int argc, char** argv)
 return 1;
 }
 
- wifi_cmd_ap_set(ap_args.ssid->sval[0], ap_args.password->sval[0]);
- ESP_LOGI(TAG_AP, "Starting SoftAP with FTM Responder support, SSID - %s, Password - %s", ap_args.ssid->sval[0], ap_args.password->sval[0]);
+ if (true == wifi_cmd_ap_set(ap_args.ssid->sval[0], ap_args.password->sval[0]))
+ ESP_LOGI(TAG_AP, "Starting SoftAP with FTM Responder support, SSID - %s, Password - %s", ap_args.ssid->sval[0], ap_args.password->sval[0]);
+ else
+ ESP_LOGE(TAG_AP, "Failed to start SoftAP!");
+
 
 return 0;
 }

From 47ccdef8c11168ee29c9fb970dac93c4fad077c0 Mon Sep 17 00:00:00 2001
From: Nachiket Kukade
Date: Tue, 8 Feb 2022 12:21:26 +0530
Subject: [PATCH 3/4] esp_wifi: Miscellaneous FTM bugfixes

1. Update wifi libs with bugfixes for corner cases
2. Avoid ASSERT for scan failure in FTM example
---
 examples/wifi/ftm/main/ftm_main.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/examples/wifi/ftm/main/ftm_main.c b/examples/wifi/ftm/main/ftm_main.c
index fe3e2bec3d..2d3eaf23ba 100644
--- a/examples/wifi/ftm/main/ftm_main.c
+++ b/examples/wifi/ftm/main/ftm_main.c
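Review bot: In the new else branch of wifi_cmd_ap the command logs "Failed to start SoftAP!" but still falls through to `return 0;`, so the console reports success for a failed command even though the argument-error path just above returns 1; the else branch should `return 1;`. The if/else bodies are unbraced and use the `true == fn()` form, neither of which the surrounding code does, and the added empty `+` line sits next to the existing blank context line, leaving a double blank before `return 0;`. Separately, the INFO message copies the passphrase the user just typed into the log stream; logging only the SSID keeps the credential out of any captured console output. The enclosing function begins outside the hunk.
```c
    // … unchanged: argument parsing and the `return 1;` error path above …
    if (wifi_cmd_ap_set(ap_args.ssid->sval[0], ap_args.password->sval[0])) {
        ESP_LOGI(TAG_AP, "Starting SoftAP with FTM Responder support, SSID - %s", ap_args.ssid->sval[0]);
    } else {
        ESP_LOGE(TAG_AP, "Failed to start SoftAP!");
        return 1;
    }

    return 0;
```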
@@ -261,7 +261,10 @@ static bool wifi_perform_scan(const char *ssid, bool internal)
 uint8_t i;
 
 ESP_ERROR_CHECK( esp_wifi_set_mode(WIFI_MODE_STA) );
- ESP_ERROR_CHECK( esp_wifi_scan_start(&scan_config, true) );
+ if (ESP_OK != esp_wifi_scan_start(&scan_config, true)) {
+ ESP_LOGI(TAG_STA, "Failed to perform scan");
+ return false;
+ }
 
 esp_wifi_scan_get_ap_num(&g_scan_ap_num);
 if (g_scan_ap_num == 0) {

From 6fd6a8b40ba97780c75b990a4677cddad4ade0fa Mon Sep 17 00:00:00 2001
From: Nachiket Kukade
Date: Mon, 7 Feb 2022 18:40:19 +0530
Subject: [PATCH 4/4] esp_wifi: Always connect Station in PMF mode if possible

While using esp_wifi_set_config, flag pmf_capable defaults to 0. Users may not bother to enable it, which prevents connection to a WPA3 AP. Or the AP may reset into WPA3 mode failing the re-connection. To ensure better security, deprecate the pmf_capable flag and set it to true internally.
---
 components/esp_wifi/include/esp_wifi_types.h | 2 +-
 .../src/esp_supplicant/esp_dpp.c | 1 -
 docs/en/api-guides/wifi-security.rst | 51 ++++++++++---------
 .../nimble/bleprph_wifi_coex/main/main.c | 5 --
 .../station/main/station_example_main.c | 5 --
 examples/wifi/iperf/main/cmd_wifi.c | 1 -
 .../wifi_eap_fast/main/wifi_eap_fast_main.c | 8 +--
 7 files changed, 28 insertions(+), 45 deletions(-)

diff --git a/components/esp_wifi/include/esp_wifi_types.h b/components/esp_wifi/include/esp_wifi_types.h
index 503e8d7bb0..199de43766 100644
--- a/components/esp_wifi/include/esp_wifi_types.h
+++ b/components/esp_wifi/include/esp_wifi_types.h
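Review bot: The new failure path logs at INFO level and discards the esp_err_t from esp_wifi_scan_start, so a scan failure is indistinguishable from normal chatter and its cause is lost; capture and report it with `esp_err_t err = esp_wifi_scan_start(&scan_config, true);` / `if (err != ESP_OK) {` / `ESP_LOGE(TAG_STA, "Failed to perform scan: %s", esp_err_to_name(err));`. The following `esp_wifi_scan_get_ap_num(&g_scan_ap_num);` also returns esp_err_t and is still unchecked, although g_scan_ap_num is at least tested for zero right after, which presumably catches the common failure. wifi_perform_scan begins and ends outside the hunk.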
@@ -218,7 +218,7 @@ typedef enum {
 
 /** Configuration structure for Protected Management Frame */
 typedef struct {
- bool capable; /**< Advertizes support for Protected Management Frame. Device will prefer to connect in PMF mode if other device also advertizes PMF capability. */
+ bool capable; /**< Deprecated variable. Device will always connect in PMF mode if other device also advertizes PMF capability. */
 bool required; /**< Advertizes that Protected Management Frame is required. Device will not associate to non-PMF capable devices. */
 } wifi_pmf_config_t;
 
diff --git a/components/wpa_supplicant/src/esp_supplicant/esp_dpp.c b/components/wpa_supplicant/src/esp_supplicant/esp_dpp.c
index c223b170f3..22f986b521 100644
--- a/components/wpa_supplicant/src/esp_supplicant/esp_dpp.c
+++ b/components/wpa_supplicant/src/esp_supplicant/esp_dpp.c
@@ -178,7 +178,6 @@ static int esp_dpp_handle_config_obj(struct dpp_authentication *auth,
 os_memcpy(wifi_cfg->sta.password, conf->passphrase, sizeof(wifi_cfg->sta.password));
 if (conf->akm == DPP_AKM_PSK_SAE) {
- wifi_cfg->sta.pmf_cfg.capable = true;
 wifi_cfg->sta.pmf_cfg.required = true;
 }
 }
diff --git a/docs/en/api-guides/wifi-security.rst b/docs/en/api-guides/wifi-security.rst
index 3691516682..77f1bdc624 100644
--- a/docs/en/api-guides/wifi-security.rst
+++ b/docs/en/api-guides/wifi-security.rst
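Review bot: The new comment on `capable` says the field is deprecated but not that it is ignored, so a reader cannot tell whether `.capable = false` still has any effect, and there is no compile-time deprecation marker to catch the remaining `.capable = true` initialisers that the other hunks in this patch remove by hand. Suggest `/**< Deprecated and ignored. The device always advertises PMF capability and connects in PMF mode when the peer also supports it; use 'required' to mandate PMF. */` (this also fixes the "advertizes" spelling the new text carries over), and, if the project's toolchain policy allows it, a deprecated attribute on the member so stragglers warn instead of silently keeping a dead flag. The struct is fully inside the hunk; the enclosing header continues outside it.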
@@ -25,31 +25,12 @@ An attacker can use eavesdropping and packet injection to send spoofed (de)authe PMF provides protection against these attacks by encrypting unicast management frames and providing integrity checks for broadcast management frames. These include deauthentication, disassociation and robust management frames. It also provides Secure Association (SA) teardown mechanism to prevent spoofed association/authentication frames from disconnecting already connected clients. -API & Usage -+++++++++++ +There are 3 types of PMF configuration modes on both Station and AP side - + - PMF Optional + - PMF Required + - PMF Disabled -:cpp:func:`esp_wifi_set_config` can be used to configure PMF mode by setting appropriate flags in `pmf_cfg` parameter. Currently, PMF is supported only in Station mode. -While setting up a Station, configure PMF using two flags ``capable`` and ``required`` like below. - - .. code-block:: c - - wifi_config_t wifi_config = { - .sta = { - .ssid = EXAMPLE_WIFI_SSID, - .password = EXAMPLE_WIFI_PASSWORD, - .pmf_cfg = { - .capable = true, - .required = false - } - } - }; - -{IDF_TARGET_NAME} supports three modes of PMF by combination of these two flags - - - PMF Optional : ``.capable = true, .required = false`` - - PMF Required : ``.capable = true, .required = true`` - - PMF Disabled : ``.capable = false, .required = false`` - - Depending on what AP side PMF Mode is, the resulting connnection will behave differently. The table below summarises all possible outcomes - +Depending on the PMF configuration on Station and AP side, the resulting connection will behave differently. Below table summarises all possible outcomes. +--------------+------------------------+---------------------------+ | STA Setting | AP Setting | Outcome | 
@@ -67,7 +48,27 @@ While setting up a Station, configure PMF using two flags ``capable`` and ``requ | PMF Disabled | PMF Required | AP refuses Connection | +--------------+------------------------+---------------------------+ -PMF Optional Mode, which is shown in the example of ``wifi_confit_t``, is suggested to be used in all Station configurations. This is to take the additional security benefit of PMF whenever possible without breaking connections with legacy AP's. +API & Usage ++++++++++++ + +{IDF_TARGET_NAME} supports PMF only in Station mode. Station defaults to PMF Optional mode and disabling PMF is not possible. For even higher security, PMF required mode can be enabled by setting the ``required`` flag in `pmf_cfg` while using the :cpp:func:`esp_wifi_set_config` API. This will result in Station only connecting to a PMF enabled AP and rejecting all other AP's. An example of this configuration is given below. + + .. code-block:: c + + wifi_config_t wifi_config = { + .sta = { + .ssid = EXAMPLE_WIFI_SSID, + .password = EXAMPLE_WIFI_PASSWORD, + .pmf_cfg = { + .required = true + } + } + }; + +.. attention:: + + ``capable`` flag in `pmf_cfg` is deprecated and set to true internally. This is to take the additional security benefit of PMF whenever possible. + WPA3-Personal ------------- diff --git a/examples/bluetooth/nimble/bleprph_wifi_coex/main/main.c b/examples/bluetooth/nimble/bleprph_wifi_coex/main/main.c index fb93e64fee..5a4e3b4811 100644 --- a/examples/bluetooth/nimble/bleprph_wifi_coex/main/main.c +++ b/examples/bluetooth/nimble/bleprph_wifi_coex/main/main.c @@ -123,11 +123,6 @@ void wifi_init_sta(void) * However these modes are deprecated and not advisable to be used. Incase your Access point * doesn't support WPA2, these mode can be enabled by commenting below line */ .threshold.authmode = WIFI_AUTH_WPA2_PSK, - - .pmf_cfg = { - .capable = true, - .required = false - }, }, }; ESP_ERROR_CHECK(esp_wifi_set_mode(WIFI_MODE_STA) ); 
diff --git a/examples/wifi/getting_started/station/main/station_example_main.c b/examples/wifi/getting_started/station/main/station_example_main.c
index f8d91e26e1..e478a4fc2b 100644
--- a/examples/wifi/getting_started/station/main/station_example_main.c
+++ b/examples/wifi/getting_started/station/main/station_example_main.c
@@ -96,11 +96,6 @@ void wifi_init_sta(void)
 * However these modes are deprecated and not advisable to be used. Incase your Access point
 * doesn't support WPA2, these mode can be enabled by commenting below line */
 .threshold.authmode = WIFI_AUTH_WPA2_PSK,
-
- .pmf_cfg = {
- .capable = true,
- .required = false
- },
 },
 };
 ESP_ERROR_CHECK(esp_wifi_set_mode(WIFI_MODE_STA) );
diff --git a/examples/wifi/iperf/main/cmd_wifi.c b/examples/wifi/iperf/main/cmd_wifi.c
index 08ef097e36..e5f5369f1d 100644
--- a/examples/wifi/iperf/main/cmd_wifi.c
+++ b/examples/wifi/iperf/main/cmd_wifi.c
@@ -148,7 +148,6 @@ static bool wifi_cmd_sta_join(const char* ssid, const char* pass)
 int bits = xEventGroupWaitBits(wifi_event_group, CONNECTED_BIT, 0, 1, 0);
 
 wifi_config_t wifi_config = { 0 };
- wifi_config.sta.pmf_cfg.capable = true;
 
 strlcpy((char*) wifi_config.sta.ssid, ssid, sizeof(wifi_config.sta.ssid));
 if (pass) {
diff --git a/examples/wifi/wifi_eap_fast/main/wifi_eap_fast_main.c b/examples/wifi/wifi_eap_fast/main/wifi_eap_fast_main.c
index 477c08cd29..8588feef36 100644
--- a/examples/wifi/wifi_eap_fast/main/wifi_eap_fast_main.c
+++ b/examples/wifi/wifi_eap_fast/main/wifi_eap_fast_main.c
@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2021 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2021-2022 Espressif Systems (Shanghai) CO LTD
 *
 * SPDX-License-Identifier: CC0-1.0
 */
@@ -89,12 +89,6 @@ static void initialise_wifi(void)
 wifi_config_t wifi_config = {
 .sta = {
 .ssid = EXAMPLE_WIFI_SSID,
-#if defined(CONFIG_EXAMPLE_WPA3_ENTERPRISE)
- .pmf_cfg = {
- .capable = true,
- .required = false
- },
-#endif
 },
 };
 ESP_LOGI(TAG, "Setting WiFi configuration SSID %s...", wifi_config.sta.ssid);