diff --git a/components/wpa_supplicant/esp_supplicant/include/esp_wpa2.h b/components/wpa_supplicant/esp_supplicant/include/esp_wpa2.h
index 172ef8ea2f..8de7e07c63 100644
--- a/components/wpa_supplicant/esp_supplicant/include/esp_wpa2.h
+++ b/components/wpa_supplicant/esp_supplicant/include/esp_wpa2.h
@@ -246,6 +246,17 @@ esp_err_t esp_wifi_sta_wpa2_ent_set_pac_file(const unsigned char *pac_file, int
  */
 esp_err_t esp_wifi_sta_wpa2_ent_set_fast_phase1_params(esp_eap_fast_config config);
 
+/**
+ * @brief Use default CA cert bundle for server validation
+ *
+ * @use_default_bundle : whether to use bundle or not
+ *
+ * @return
+ *    - ESP_OK: succeed
+ *    - ESP_FAIL: fail
+ */
+esp_err_t esp_wifi_sta_wpa2_use_default_cert_bundle(bool use_default_bundle);
+
 #ifdef __cplusplus
 }
 #endif
diff --git a/components/wpa_supplicant/esp_supplicant/src/esp_wpa2.c b/components/wpa_supplicant/esp_supplicant/src/esp_wpa2.c
index f966207c5c..f3fd00e490 100644
--- a/components/wpa_supplicant/esp_supplicant/src/esp_wpa2.c
+++ b/components/wpa_supplicant/esp_supplicant/src/esp_wpa2.c
@@ -37,6 +37,9 @@
 #include "esp_wifi_driver.h"
 #include "esp_private/wifi.h"
 #include "esp_wpa_err.h"
+#ifdef CONFIG_MBEDTLS_CERTIFICATE_BUNDLE
+#include "esp_crt_bundle.h"
+#endif
 
 #define WPA2_VERSION "v2.0"
 
@@ -1250,3 +1253,18 @@ esp_err_t esp_wifi_sta_wpa2_ent_set_fast_phase1_params(esp_eap_fast_config confi
     return ESP_OK;
 }
 
+
+esp_err_t esp_wifi_sta_wpa2_use_default_cert_bundle(bool use_default_bundle)
+{
+#ifdef CONFIG_MBEDTLS_CERTIFICATE_BUNDLE
+    g_wpa_default_cert_bundle = use_default_bundle;
+    if (use_default_bundle) {
+        esp_crt_bundle_attach_fn = esp_crt_bundle_attach;
+    } else {
+        esp_crt_bundle_attach_fn = NULL;
+    }
+    return ESP_OK;
+#else
+    return ESP_FAIL;
+#endif
+}
diff --git a/components/wpa_supplicant/src/crypto/tls_mbedtls.c b/components/wpa_supplicant/src/crypto/tls_mbedtls.c
index e2a1ee481a..2bacc18524 100644
--- a/components/wpa_supplicant/src/crypto/tls_mbedtls.c
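Review bot: The Doxygen block for esp_wifi_sta_wpa2_use_default_cert_bundle() documents its argument as `@use_default_bundle :`, which is not a Doxygen tag, and the ESP_FAIL entry does not say when that value is returned; the definition in esp_wpa2.c returns it whenever CONFIG_MBEDTLS_CERTIFICATE_BUNDLE is not enabled. Suggest `@param use_default_bundle true to validate the server against the default CA bundle, false to stop using it` and `- ESP_FAIL: CONFIG_MBEDTLS_CERTIFICATE_BUNDLE is not enabled`. The prototype also introduces `bool` into this header; if it does not already pull in <stdbool.h> (not visible here), that include belongs with this change.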
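Review bot: esp_wifi_sta_wpa2_use_default_cert_bundle() carries no comment saying when the setting takes effect; the only reader of `g_wpa_default_cert_bundle` visible in this commit is eap_peer_config_init() in eap.c, so it appears to apply to the next EAP session rather than to one already in progress, and a comment such as `/* Takes effect when the EAP peer config is next built; does not alter an active session */` would record that (confirm against the callers). The function also keeps two globals in step, the bool and `esp_crt_bundle_attach_fn`, although tls_mbedtls.c already tests the pointer for NULL before using it; deriving one from the other would remove a way for the two to disagree.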
+++ b/components/wpa_supplicant/src/crypto/tls_mbedtls.c
@@ -30,6 +30,8 @@ which are undefined if the following flag is not defined */
 #else
 #include "mbedtls/config.h"
 #endif
 
+#include "eap_peer/eap.h"
+
 #define TLS_RANDOM_LEN 32
 #define TLS_MASTER_SECRET_LEN 48
@@ -506,7 +508,6 @@ static int set_client_config(const struct tls_connection_params *cfg, tls_contex
         if (ret != 0) {
             return ret;
         }
-        mbedtls_ssl_conf_ca_chain(&tls->conf, tls->cacert_ptr, NULL);
     } else {
         mbedtls_ssl_conf_authmode(&tls->conf, MBEDTLS_SSL_VERIFY_NONE);
     }
@@ -524,6 +525,19 @@ static int set_client_config(const struct tls_connection_params *cfg, tls_contex
      * but doesn't take that much processing power */
     tls_set_ciphersuite(cfg, tls);
 
+#ifdef CONFIG_MBEDTLS_CERTIFICATE_BUNDLE
+    if (cfg->flags & TLS_CONN_USE_DEFAULT_CERT_BUNDLE) {
+        wpa_printf(MSG_INFO, "Using default cert bundle");
+        if (esp_crt_bundle_attach_fn) {
+            ret = (*esp_crt_bundle_attach_fn)(&tls->conf);
+        }
+        if (ret != 0) {
+            wpa_printf(MSG_ERROR, "Failed to set default cert bundle");
+            return ret;
+        }
+    }
+#endif
+
     return 0;
 }
 
diff --git a/components/wpa_supplicant/src/eap_peer/eap.c b/components/wpa_supplicant/src/eap_peer/eap.c
index f904148032..24c282b749 100644
--- a/components/wpa_supplicant/src/eap_peer/eap.c
+++ b/components/wpa_supplicant/src/eap_peer/eap.c
@@ -63,6 +63,10 @@ char *g_wpa_phase1_options;
 u8 *g_wpa_pac_file;
 int g_wpa_pac_file_len;
 bool g_wpa_suiteb_certification;
+#ifdef CONFIG_MBEDTLS_CERTIFICATE_BUNDLE
+bool g_wpa_default_cert_bundle;
+int (*esp_crt_bundle_attach_fn)(void *conf);
+#endif
 
 void eap_peer_config_deinit(struct eap_sm *sm);
 void eap_peer_blob_deinit(struct eap_sm *sm);
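Review bot: Removing `mbedtls_ssl_conf_ca_chain(&tls->conf, tls->cacert_ptr, NULL);` from the CA-certificate branch is only safe if the helper whose result is checked in the `if (ret != 0)` just above (outside the hunk) already attaches `tls->cacert_ptr` to the config; if it does not, a caller-supplied CA certificate is parsed but never used as a trust anchor. A one-line comment at the removal site, `/* the CA chain is attached by the helper that parsed the certificate above */`, would record that dependency for the next reader. set_client_config() begins before this hunk.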
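Review bot: When TLS_CONN_USE_DEFAULT_CERT_BUNDLE is set but `esp_crt_bundle_attach_fn` is NULL, the new block logs "Using default cert bundle" and reaches `return 0` with nothing attached, because `ret` still holds the earlier success value; the request should fail rather than be silently dropped, e.g. `} else { ret = -1; }` paired with the existing pointer check so the error path below is taken. Separately, nothing in this block touches the verification mode, and the preceding hunk shows `MBEDTLS_SSL_VERIFY_NONE` being selected when no CA certificate was supplied, so a caller that opts into the bundle without also providing a CA cert may end up with the bundle attached but verification disabled unless the attach callback itself sets the mode. That is worth confirming against esp_crt_bundle_attach(); if it does not set the mode, add `mbedtls_ssl_conf_authmode(&tls->conf, MBEDTLS_SSL_VERIFY_REQUIRED);` after a successful attach. The enclosing set_client_config() starts outside the hunk.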
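Review bot: The new global `esp_crt_bundle_attach_fn` has no comment stating who sets it or what it is called with; in this commit its only writer is esp_wifi_sta_wpa2_use_default_cert_bundle() in esp_wpa2.c and its only reader is tls_mbedtls.c, which passes `&tls->conf`. Suggest `/* Set by esp_wifi_sta_wpa2_use_default_cert_bundle(); NULL unless the default bundle is requested. Called with a pointer to the mbedtls_ssl_config. */` on the declaration. If the indirection exists to keep tls_mbedtls.c from depending on esp_crt_bundle directly, that reason deserves a sentence too, since a plain call would otherwise be the simpler choice.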
@@ -571,9 +575,14 @@ int eap_peer_config_init(
 	}
 
 	if (g_wpa_suiteb_certification) {
-		sm->config.flags = TLS_CONN_SUITEB;
+		sm->config.flags |= TLS_CONN_SUITEB;
 	}
 
+#ifdef CONFIG_MBEDTLS_CERTIFICATE_BUNDLE
+	if (g_wpa_default_cert_bundle) {
+		sm->config.flags |= TLS_CONN_USE_DEFAULT_CERT_BUNDLE;
+	}
+#endif
 	/* To be used only for EAP-FAST */
 	if (g_wpa_phase1_options) {
 		sm->config.phase1 = g_wpa_phase1_options;
diff --git a/components/wpa_supplicant/src/eap_peer/eap.h b/components/wpa_supplicant/src/eap_peer/eap.h
index 9ef8224fab..0651bd5ec5 100644
--- a/components/wpa_supplicant/src/eap_peer/eap.h
+++ b/components/wpa_supplicant/src/eap_peer/eap.h
@@ -46,6 +46,8 @@ extern u8 *g_wpa_pac_file;
 extern int g_wpa_pac_file_len;
 extern bool g_wpa_suiteb_certification;
+extern bool g_wpa_default_cert_bundle;
+extern int (*esp_crt_bundle_attach_fn)(void *conf);
 
 const u8 * eap_get_eapKeyData(struct eap_sm *sm, size_t *len);
 void eap_deinit_prev_method(struct eap_sm *sm, const char *txt);
 
diff --git a/components/wpa_supplicant/src/eap_peer/eap_tls.c b/components/wpa_supplicant/src/eap_peer/eap_tls.c
index bad1e6d640..0a30fc906c 100644
--- a/components/wpa_supplicant/src/eap_peer/eap_tls.c
+++ b/components/wpa_supplicant/src/eap_peer/eap_tls.c
@@ -34,6 +34,7 @@ static void * eap_tls_init(struct eap_sm *sm)
 {
 	struct eap_tls_data *data;
 	struct eap_peer_config *config = eap_get_config(sm);
+
 	if (config == NULL || config->private_key == 0) {
 		wpa_printf(MSG_INFO, "EAP-TLS: Private key not configured");
diff --git a/components/wpa_supplicant/src/eap_peer/eap_tls_common.c b/components/wpa_supplicant/src/eap_peer/eap_tls_common.c
index d6a535d913..6201eb7c50 100644
--- a/components/wpa_supplicant/src/eap_peer/eap_tls_common.c
+++ b/components/wpa_supplicant/src/eap_peer/eap_tls_common.c
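Review bot: The bundle flag is OR'd into `sm->config.flags` but nothing in this hunk ever clears it, so once set it survives until `sm->config` is reset; if eap_peer_config_init() can run again on the same `sm` after esp_wifi_sta_wpa2_use_default_cert_bundle(false), which only clears the global, the stale TLS_CONN_USE_DEFAULT_CERT_BUNDLE bit would persist unless `sm->config.flags` is zeroed earlier in the function, which starts outside the hunk. An explicit else branch, `} else { sm->config.flags &= ~TLS_CONN_USE_DEFAULT_CERT_BUNDLE; }`, makes the global authoritative either way; the same consideration applies to the `|=` now used for TLS_CONN_SUITEB.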
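Review bot: The two new extern declarations are unconditional while their definitions in eap.c sit inside `#ifdef CONFIG_MBEDTLS_CERTIFICATE_BUNDLE`, so a use from a file that omits the guard compiles and only fails at link time. Wrapping the declarations in the same `#ifdef CONFIG_MBEDTLS_CERTIFICATE_BUNDLE` / `#endif` turns that into a compile error at the point of misuse. The `void *conf` parameter is an mbedtls_ssl_config pointer at the call site in tls_mbedtls.c; a comment on the declaration, `/* conf: pointer to the mbedtls_ssl_config to attach the bundle to */`, keeps the opaque type honest.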
@@ -84,6 +84,11 @@ static void eap_tls_params_from_conf1(struct tls_connection_params *params,
 		params->flags |= TLS_CONN_SUITEB;
 	else
 		params->flags &= (~TLS_CONN_SUITEB);
+
+	if (config->flags & TLS_CONN_USE_DEFAULT_CERT_BUNDLE)
+		params->flags |= TLS_CONN_USE_DEFAULT_CERT_BUNDLE;
+	else
+		params->flags &= (~TLS_CONN_USE_DEFAULT_CERT_BUNDLE);
 }
 
 static int eap_tls_params_from_conf(struct eap_sm *sm,
diff --git a/components/wpa_supplicant/src/tls/tls.h b/components/wpa_supplicant/src/tls/tls.h
index 9a09fb2bb7..3fe3fe5406 100644
--- a/components/wpa_supplicant/src/tls/tls.h
+++ b/components/wpa_supplicant/src/tls/tls.h
@@ -84,6 +84,7 @@ struct tls_config {
 #define TLS_CONN_REQUIRE_OCSP BIT(4)
 #define TLS_CONN_SUITEB BIT(11)
 #define TLS_CONN_EAP_FAST BIT(7)
+#define TLS_CONN_USE_DEFAULT_CERT_BUNDLE BIT(18)
 
 /**
  * struct tls_connection_params - Parameters for TLS connection
diff --git a/examples/wifi/wifi_enterprise/main/Kconfig.projbuild b/examples/wifi/wifi_enterprise/main/Kconfig.projbuild
index 6c4615f97a..ebbf3715dc 100644
--- a/examples/wifi/wifi_enterprise/main/Kconfig.projbuild
+++ b/examples/wifi/wifi_enterprise/main/Kconfig.projbuild
@@ -1,5 +1,11 @@
 menu "Example Configuration"
 
+    config EXAMPLE_WIFI_SSID
+        string "WiFi SSID"
+        default "wpa2_test"
+        help
+            SSID (network name) for the example to connect to.
+
     choice
         prompt "Enterprise configuration to be used"
         default EXAMPLE_WPA_WPA2_ENTERPRISE
@@ -15,12 +21,6 @@ menu "Example Configuration"
             select WPA_SUITE_B_192
     endchoice
 
-    config EXAMPLE_WIFI_SSID
-        string "WiFi SSID"
-        default "wpa2_test"
-        help
-            SSID (network name) for the example to connect to.
-
     if EXAMPLE_WPA_WPA2_ENTERPRISE
     config EXAMPLE_VALIDATE_SERVER_CERT
         bool "Validate server"
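Review bot: `TLS_CONN_USE_DEFAULT_CERT_BUNDLE BIT(18)` is added next to flags numbered 4, 11 and 7 with nothing explaining the jump in value, so the next person adding a flag has no guidance on which bits are free. If 18 was chosen to stay clear of bit positions already used by other TLS_CONN_* flags defined elsewhere in this header, a comment such as `/* ESP-specific; keep clear of the TLS_CONN_* bits used above and in upstream */` would make that intent explicit.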
@@ -34,6 +34,13 @@ menu "Example Configuration"
         default y
     endif
 
+    config EXAMPLE_USE_DEFAULT_CERT_BUNDLE
+        bool "Use default cert bundle"
+        depends on EXAMPLE_VALIDATE_SERVER_CERT
+        default n
+        help
+            Use default CA certificate bundle for WPA enterprise connection
+
     choice
         prompt "EAP method for the example to use"
         default EXAMPLE_EAP_METHOD_PEAP
diff --git a/examples/wifi/wifi_enterprise/main/wifi_enterprise_main.c b/examples/wifi/wifi_enterprise/main/wifi_enterprise_main.c
index 892c542590..4c9aab4829 100644
--- a/examples/wifi/wifi_enterprise/main/wifi_enterprise_main.c
+++ b/examples/wifi/wifi_enterprise/main/wifi_enterprise_main.c
@@ -156,6 +156,9 @@ static void initialise_wifi(void)
 #if defined (CONFIG_EXAMPLE_WPA3_192BIT_ENTERPRISE)
     ESP_LOGI(TAG, "Enabling 192 bit certification");
     ESP_ERROR_CHECK(esp_wifi_sta_wpa2_set_suiteb_192bit_certification(true));
+#endif
+#ifdef CONFIG_EXAMPLE_USE_DEFAULT_CERT_BUNDLE
+    ESP_ERROR_CHECK(esp_wifi_sta_wpa2_use_default_cert_bundle(true));
 #endif
     ESP_ERROR_CHECK( esp_wifi_sta_wpa2_ent_enable() );
     ESP_ERROR_CHECK( esp_wifi_start() );
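Review bot: EXAMPLE_USE_DEFAULT_CERT_BUNDLE depends only on EXAMPLE_VALIDATE_SERVER_CERT, yet esp_wifi_sta_wpa2_use_default_cert_bundle() returns ESP_FAIL when CONFIG_MBEDTLS_CERTIFICATE_BUNDLE is off and the wifi_enterprise_main.c hunk in this commit wraps that call in ESP_ERROR_CHECK, so enabling this option without the bundle aborts the example at start-up. Changing the line to `depends on EXAMPLE_VALIDATE_SERVER_CERT && MBEDTLS_CERTIFICATE_BUNDLE` makes the option unselectable in that configuration instead. The help text should also say that the bundle is used to validate the server certificate, since "for WPA enterprise connection" does not tell the user what the bundle is checked against.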