Merge branch 'bugfix/add_unregister_wpa3_cb_v5.0' into 'release/v5.0'

wpa_supplicant : Fix issues encountered in WFA testing (v5.0)

See merge request espressif/esp-idf!22891

components/wpa_supplicant/esp_supplicant/src/crypto/tls_mbedtls.c

@@ -24,6 +24,7 @@ which are undefined if the following flag is not defined */
 #include "mbedtls/ctr_drbg.h"
 #include "mbedtls/entropy.h"
 #include "mbedtls/debug.h"
+#include "mbedtls/oid.h"
 #ifdef ESPRESSIF_USE
 #include "mbedtls/esp_debug.h"
 #include "mbedtls/esp_config.h"
@@ -191,7 +192,6 @@ static int set_ca_cert(tls_context_t *tls, const unsigned char *cacert, size_t c
 	}
 	mbedtls_ssl_conf_authmode(&tls->conf, MBEDTLS_SSL_VERIFY_REQUIRED);
 	mbedtls_ssl_conf_ca_chain(&tls->conf, tls->cacert_ptr, NULL);
-
 	return 0;
 }
 
@@ -287,6 +287,14 @@ static void tls_enable_sha1_config(tls_context_t *tls)
 	mbedtls_ssl_conf_cert_profile(&tls->conf, crt_profile);
 	mbedtls_ssl_conf_sig_algs(&tls->conf, tls_sig_algs_for_eap);
 }
+#ifdef CONFIG_ESP_WIFI_DISABLE_KEY_USAGE_CHECK
+static int tls_disable_key_usages(void *data, mbedtls_x509_crt *cert, int depth, uint32_t *flags)
+{
+	cert->MBEDTLS_PRIVATE(ext_types) &= ~MBEDTLS_X509_EXT_KEY_USAGE;
+	cert->MBEDTLS_PRIVATE(ext_types) &= ~MBEDTLS_X509_EXT_EXTENDED_KEY_USAGE;
+	return 0;
+}
+#endif /*CONFIG_ESP_WIFI_DISABLE_KEY_USAGE_CHECK*/
 
 static const int eap_ciphersuite_preference[] =
 {
@@ -516,6 +524,10 @@ static int set_client_config(const struct tls_connection_params *cfg, tls_contex
 	 * but doesn't take that much processing power */
 	tls_set_ciphersuite(cfg, tls);
 
+#ifdef CONFIG_ESP_WIFI_DISABLE_KEY_USAGE_CHECK
+	mbedtls_ssl_set_verify( &tls->ssl, tls_disable_key_usages, NULL );
+#endif /*CONFIG_ESP_WIFI_DISABLE_KEY_USAGE_CHECK*/
+
 #ifdef CONFIG_MBEDTLS_CERTIFICATE_BUNDLE
 	if (cfg->flags & TLS_CONN_USE_DEFAULT_CERT_BUNDLE) {
 		wpa_printf(MSG_INFO, "Using default cert bundle");

components/wpa_supplicant/esp_supplicant/src/esp_wpa3.c

@@ -261,4 +261,12 @@ void esp_wifi_register_wpa3_cb(struct wpa_funcs *wpa_cb)
     wpa_cb->wpa3_parse_sae_msg = wpa3_parse_sae_msg;
 }
 
+void esp_wifi_unregister_wpa3_cb(void)
+{
+    extern struct wpa_funcs *wpa_cb;
+
+    wpa_cb->wpa3_build_sae_msg = NULL;
+    wpa_cb->wpa3_parse_sae_msg = NULL;
+
+}
 #endif /* CONFIG_WPA3_SAE */

components/wpa_supplicant/esp_supplicant/src/esp_wpa_main.c

@@ -40,6 +40,7 @@
 #include "wps/wps_defs.h"
 
 const wifi_osi_funcs_t *wifi_funcs;
+struct wpa_funcs *wpa_cb;
 
 void  wpa_install_key(enum wpa_alg alg, u8 *addr, int key_idx, int set_tx,
                       u8 *seq, size_t seq_len, u8 *key, size_t key_len, enum key_flag key_flag)
@@ -311,7 +312,6 @@ static bool hostap_sta_join(void **sta, u8 *bssid, u8 *wpa_ie, u8 wpa_ie_len, bo
 int esp_supplicant_init(void)
 {
     int ret = ESP_OK;
-    struct wpa_funcs *wpa_cb;
 
     wifi_funcs = WIFI_OSI_FUNCS_INITIALIZER();
     if (!wifi_funcs) {
@@ -370,5 +370,6 @@ int esp_supplicant_deinit(void)
 {
     esp_supplicant_common_deinit();
     eloop_destroy();
+    wpa_cb = NULL;
     return esp_wifi_unregister_wpa_cb_internal();
 }

components/wpa_supplicant/src/eap_peer/eap.c

@@ -646,6 +646,7 @@ void eap_peer_config_deinit(struct eap_sm *sm)
 	os_free(sm->config.new_password);
 	os_free(sm->config.eap_methods);
 	os_bzero(&sm->config, sizeof(struct eap_peer_config));
+	config_methods = NULL;
 }
 
 int eap_peer_blob_init(struct eap_sm *sm)

components/wpa_supplicant/src/rsn_supp/wpa.c

@@ -2497,6 +2497,18 @@ int wpa_set_bss(char *macddr, char * bssid, u8 pairwise_cipher, u8 group_cipher,
                 wpa_printf(MSG_ERROR, "suite-b 192bit certification, only GMAC256 is supported");
                 return -1;
             }
+            if (sm->group_cipher != WPA_CIPHER_GCMP_256) {
+                wpa_printf(MSG_ERROR, "suite-b 192bit certification, only group GCMP256 is supported for group data cipher.");
+                return -1;
+            }
+            if (sm->pairwise_cipher != WPA_CIPHER_GCMP_256) {
+               wpa_printf(MSG_ERROR,"suite-b 192bit certification, only group GCMP256 is supported for pairwise cipher");
+               return -1;
+            }
+            if (sm->key_mgmt != WPA_KEY_MGMT_IEEE8021X_SUITE_B_192) {
+                wpa_printf(MSG_ERROR, "suite-b 192bit certification, 192bit akm supported");
+                return -1;
+            }
         }
 #endif
     } else {