From e47e4691b3cde06fca5f43e7d8139d7038717c5d Mon Sep 17 00:00:00 2001 From: Kapil Gupta Date: Fri, 27 Jun 2025 18:16:46 +0530 Subject: [PATCH] feat(esp_wifi): Add support to limit EAP methods Added support to limit EAP method supported by device based on user configuration. --- .../esp_supplicant/include/esp_eap_client.h | 32 ++++++++++ .../esp_supplicant/src/esp_eap_client.c | 61 +++++++++++++++++++ components/wpa_supplicant/src/eap_peer/eap.c | 26 +++++--- components/wpa_supplicant/src/eap_peer/eap.h | 1 + .../main/wifi_enterprise_main.c | 7 +++ 5 files changed, 119 insertions(+), 8 deletions(-) diff --git a/components/wpa_supplicant/esp_supplicant/include/esp_eap_client.h b/components/wpa_supplicant/esp_supplicant/include/esp_eap_client.h index 3827663e08..8ffae93095 100644 --- a/components/wpa_supplicant/esp_supplicant/include/esp_eap_client.h +++ b/components/wpa_supplicant/esp_supplicant/include/esp_eap_client.h @@ -29,6 +29,17 @@ typedef enum { ESP_EAP_TTLS_PHASE2_CHAP /**< CHAP (Challenge Handshake Authentication Protocol) */ } esp_eap_ttls_phase2_types; +/** + * @brief Bitmask of supported EAP authentication methods. + */ +typedef enum { + ESP_EAP_TYPE_NONE = 0, /*!< No EAP method defined */ + ESP_EAP_TYPE_TLS = (1 << 0), /*!< EAP-TLS method */ + ESP_EAP_TYPE_TTLS = (1 << 1), /*!< EAP-TTLS method */ + ESP_EAP_TYPE_PEAP = (1 << 2), /*!< EAP-PEAP method */ + ESP_EAP_TYPE_FAST = (1 << 3) /*!< EAP-FAST method */ +} esp_eap_method_t; + /** * @brief Configuration settings for EAP-FAST * (Extensible Authentication Protocol - Flexible Authentication via Secure Tunneling). 
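Review bot: `ESP_EAP_TYPE_FAST` is accepted by the new API regardless of build configuration, but the eap.c hunk in this patch only honours it inside `#ifdef EAP_FAST`, so a caller that restricts the mask to FAST on a build without it ends up with no eligible method and no error. The enum comment should say so, e.g. `ESP_EAP_TYPE_FAST = (1 << 3) /*!< EAP-FAST method (only effective when EAP_FAST is enabled in the build) */`. It would also help to state on the enum that values are meant to be OR-ed together, since the `@brief` says "bitmask" but the individual entries do not.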
@@ -70,6 +81,8 @@ esp_err_t esp_wifi_sta_enterprise_enable(void); * * @note Disabling EAP authentication may cause the device to connect to the Wi-Fi * network using other available authentication methods, if configured using esp_wifi_set_config(). + * @note Calling this will reset all eap configuration set using esp_eap_client_xxx APIs. + * Please call esp_eap_client_XXX APIs again to set new config after calling this function. * * @return * - ESP_OK: EAP authentication disabled successfully. @@ -335,6 +348,25 @@ esp_err_t esp_eap_client_use_default_cert_bundle(bool use_default_bundle); */ esp_err_t esp_eap_client_set_domain_name(const char *domain_name); +/** + * @brief Set one or more EAP (Extensible Authentication Protocol) methods to be used by the EAP client. + * + * This API sets the allowed EAP authentication methods using a bitmask. + * Multiple methods can be specified by OR-ing together values from `esp_eap_method_t`. + * + * @param[in] methods Bitmask of EAP methods to enable. + * + * @return + * - ESP_OK on success + * - ESP_ERR_INVALID_ARG if none of the methods are valid + * + * @note + * If this API is not called or `EAP_TYPE_NONE` is passed, EAP methods will be dynamically + * selected at runtime based on configuration from other `esp_eap_client_*` APIs. + * If one or more methods are set using this API, only the specified methods will be considered. + */ +esp_err_t esp_eap_client_set_eap_methods(esp_eap_method_t methods); + #ifdef __cplusplus } #endif diff --git a/components/wpa_supplicant/esp_supplicant/src/esp_eap_client.c b/components/wpa_supplicant/esp_supplicant/src/esp_eap_client.c index 94d0b0bd5f..92c58bea7e 100644 --- a/components/wpa_supplicant/esp_supplicant/src/esp_eap_client.c +++ b/components/wpa_supplicant/esp_supplicant/src/esp_eap_client.c 
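Review bot: The `@note` on esp_eap_client_set_eap_methods refers to `EAP_TYPE_NONE`, but the constant this header defines is `ESP_EAP_TYPE_NONE`; `EAP_TYPE_NONE` is the internal supplicant name and is not part of this public header. The `@return` text "ESP_ERR_INVALID_ARG if none of the methods are valid" also does not match the implementation in this patch, which rejects a mask containing any bit outside the supported set; suggest `- ESP_ERR_INVALID_ARG if methods contains a bit that is not an esp_eap_method_t value`. Because the parameter is typed `esp_eap_method_t` and the header is wrapped in `extern "C"`, a C++ caller cannot pass `ESP_EAP_TYPE_TLS | ESP_EAP_TYPE_TTLS` without a cast (the OR is an `int`); taking `uint32_t`, which is what `g_eap_method_mask` is declared as, would avoid that.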
@@ -820,6 +820,8 @@ static esp_err_t esp_client_enable_fn(void *arg) } #endif g_wpa_config_changed = true; + /* Enable opportunistic key caching support */ + esp_wifi_set_okc_support(true); return ESP_OK; } @@ -854,6 +856,51 @@ esp_err_t esp_wifi_sta_enterprise_enable(void) return ret; } +static void eap_globals_reset(void) +{ + g_wpa_anonymous_identity = NULL; + g_wpa_anonymous_identity_len = 0; + + g_wpa_username = NULL; + g_wpa_username_len = 0; + + g_wpa_client_cert = NULL; + g_wpa_client_cert_len = 0; + + g_wpa_private_key = NULL; + g_wpa_private_key_len = 0; + + g_wpa_private_key_passwd = NULL; + g_wpa_private_key_passwd_len = 0; + + g_wpa_ca_cert = NULL; + g_wpa_ca_cert_len = 0; + + g_wpa_password = NULL; + g_wpa_password_len = 0; + + g_wpa_new_password = NULL; + g_wpa_new_password_len = 0; + + g_wpa_ttls_phase2_type = NULL; + g_wpa_phase1_options = NULL; + + g_wpa_pac_file = NULL; + g_wpa_pac_file_len = 0; + + g_wpa_suiteb_certification = false; + +#ifdef CONFIG_MBEDTLS_CERTIFICATE_BUNDLE + g_wpa_default_cert_bundle = false; + esp_crt_bundle_attach_fn = NULL; +#endif + +#ifndef CONFIG_TLS_INTERNAL_CLIENT + g_wpa_domain_match = NULL; +#endif + g_eap_method_mask = 0; +} + static esp_err_t eap_client_disable_fn(void *param) { struct wpa_sm *sm = &gWpaSm; @@ -864,6 +911,7 @@ static esp_err_t eap_client_disable_fn(void *param) eap_peer_sm_deinit(); } + eap_globals_reset(); #ifdef EAP_PEER_METHOD eap_peer_unregister_methods(); #endif @@ -882,6 +930,7 @@ esp_err_t esp_wifi_sta_enterprise_disable(void) if (wpa2_is_disabled()) { wpa_printf(MSG_INFO, "EAP: already disabled"); + eap_globals_reset(); wpa2_api_unlock(); return ESP_OK; } 
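Review bot: `esp_wifi_set_okc_support(true)` in esp_client_enable_fn has nothing to do with limiting EAP methods and is not mentioned in the commit message, yet it changes PMK caching behaviour for every enterprise connection and its return value is discarded. This belongs in its own commit with a rationale, and if the function returns `esp_err_t` the result should be checked or propagated rather than dropped, e.g. `ESP_ERROR_CHECK_WITHOUT_ABORT(esp_wifi_set_okc_support(true));`. At minimum the new comment should explain why OKC is enabled unconditionally here.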
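Review bot: eap_globals_reset() overwrites every `g_wpa_*` pointer with NULL without releasing what it points to, and on the "already disabled" path of esp_wifi_sta_enterprise_disable (the `@@ -882` hunk) it runs with no eap_peer_sm_deinit() ahead of it. If the esp_eap_client_set_* setters heap-allocate those buffers, as the `_len` companions suggest, configuration set before the first enable, or re-set after a previous disable, is leaked rather than cleared, and credentials such as `g_wpa_password` and `g_wpa_private_key` remain in memory after the caller was told the configuration was reset. Either release each buffer (and clear it) before nulling the pointer, or route this path through whatever deinit already frees them, and document the contract on the function: `/* Drops all user-supplied EAP configuration; every buffer must already have been released. */`. The same applies to the `@@ -864` hunk, where the ordering after eap_peer_sm_deinit() should be stated in a comment.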
@@ -1261,3 +1310,15 @@ esp_err_t esp_eap_client_set_domain_name(const char *domain_name) return ESP_OK; #endif } + +esp_err_t esp_eap_client_set_eap_methods(esp_eap_method_t methods) +{ + const esp_eap_method_t supported_methods = EAP_TYPE_TLS | EAP_TYPE_TTLS | EAP_TYPE_PEAP | EAP_TYPE_FAST; + + if ((methods & ~supported_methods) != 0) { + return ESP_ERR_INVALID_ARG; + } + + g_eap_method_mask = methods; + return ESP_OK; +} diff --git a/components/wpa_supplicant/src/eap_peer/eap.c b/components/wpa_supplicant/src/eap_peer/eap.c index c06268c608..817ddea0e9 100644 --- a/components/wpa_supplicant/src/eap_peer/eap.c +++ b/components/wpa_supplicant/src/eap_peer/eap.c @@ -41,6 +41,7 @@ #endif #include "supplicant_opt.h" +#include "esp_eap_client.h" u8 *g_wpa_anonymous_identity; int g_wpa_anonymous_identity_len; @@ -70,6 +71,7 @@ int (*esp_crt_bundle_attach_fn)(void *conf); #ifndef CONFIG_TLS_INTERNAL_CLIENT char *g_wpa_domain_match; #endif +uint32_t g_eap_method_mask; void eap_peer_config_deinit(struct eap_sm *sm); void eap_peer_blob_deinit(struct eap_sm *sm); 
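Review bot: The validation mask in esp_eap_client_set_eap_methods is built from `EAP_TYPE_TLS | EAP_TYPE_TTLS | EAP_TYPE_PEAP | EAP_TYPE_FAST`, which are the IANA EAP method-type codes that the eap.c hunk stores in `.method`, not the `ESP_EAP_TYPE_*` bit flags that `g_eap_method_mask` is later tested against with `&`. With the usual IANA values (13, 21, 25, 43) the OR is 63, so the `~supported_methods` check accepts bits 4 and 5 that no `esp_eap_method_t` value defines, and it only passes the real flags by accident. Use the public flags: `const uint32_t supported_methods = ESP_EAP_TYPE_TLS | ESP_EAP_TYPE_TTLS | ESP_EAP_TYPE_PEAP | ESP_EAP_TYPE_FAST;`. Declaring it `uint32_t` also matches the storage type of `g_eap_method_mask` and avoids storing an OR-ed `int` in an enum-typed local.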
@@ -623,22 +625,30 @@ int eap_peer_config_init( if (g_wpa_username) { //set EAP-PEAP - config_methods[allowed_method_count].vendor = EAP_VENDOR_IETF; - config_methods[allowed_method_count++].method = EAP_TYPE_PEAP; + if ((g_eap_method_mask == 0) || (g_eap_method_mask & ESP_EAP_TYPE_PEAP)) { + config_methods[allowed_method_count].vendor = EAP_VENDOR_IETF; + config_methods[allowed_method_count++].method = EAP_TYPE_PEAP; + } //set EAP-TTLS - config_methods[allowed_method_count].vendor = EAP_VENDOR_IETF; - config_methods[allowed_method_count++].method = EAP_TYPE_TTLS; + if ((g_eap_method_mask == 0) || (g_eap_method_mask & ESP_EAP_TYPE_TTLS)) { + config_methods[allowed_method_count].vendor = EAP_VENDOR_IETF; + config_methods[allowed_method_count++].method = EAP_TYPE_TTLS; + } } if (g_wpa_private_key) { //set EAP-TLS - config_methods[allowed_method_count].vendor = EAP_VENDOR_IETF; - config_methods[allowed_method_count++].method = EAP_TYPE_TLS; + if ((g_eap_method_mask == 0) || (g_eap_method_mask & ESP_EAP_TYPE_TLS)) { + config_methods[allowed_method_count].vendor = EAP_VENDOR_IETF; + config_methods[allowed_method_count++].method = EAP_TYPE_TLS; + } } #ifdef EAP_FAST if (g_wpa_pac_file) { //set EAP-FAST - config_methods[allowed_method_count].vendor = EAP_VENDOR_IETF; - config_methods[allowed_method_count++].method = EAP_TYPE_FAST; + if ((g_eap_method_mask == 0) || (g_eap_method_mask & ESP_EAP_TYPE_FAST)) { + config_methods[allowed_method_count].vendor = EAP_VENDOR_IETF; + config_methods[allowed_method_count++].method = EAP_TYPE_FAST; + } } #endif // Terminate the allowed method list diff --git a/components/wpa_supplicant/src/eap_peer/eap.h b/components/wpa_supplicant/src/eap_peer/eap.h index 93d623d1cc..1775413f14 100644 --- a/components/wpa_supplicant/src/eap_peer/eap.h +++ b/components/wpa_supplicant/src/eap_peer/eap.h 
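Review bot: The condition `(g_eap_method_mask == 0) || (g_eap_method_mask & ESP_EAP_TYPE_X)` is repeated four times in eap_peer_config_init; a small static helper would name the rule once and keep the PEAP/TTLS/TLS/FAST branches parallel. With a non-zero mask it is now possible for none of the branches to fire (for example mask = PEAP with only a private key configured), leaving `allowed_method_count` at 0; the rest of the function is outside the hunk, so please confirm that an empty method list is reported as a configuration error rather than silently tried. eap_peer_config_init starts and ends outside this hunk.
```c
/* A method is eligible when no mask was set (legacy auto-select) or its flag is set. */
static bool eap_method_allowed(uint32_t method_flag)
{
    return g_eap_method_mask == 0 || (g_eap_method_mask & method_flag) != 0;
}
// … unchanged: eap_peer_config_init up to the credential checks …
    if (g_wpa_username) {
        //set EAP-PEAP
        if (eap_method_allowed(ESP_EAP_TYPE_PEAP)) {
            config_methods[allowed_method_count].vendor = EAP_VENDOR_IETF;
            config_methods[allowed_method_count++].method = EAP_TYPE_PEAP;
        }
// … unchanged: TTLS, TLS and EAP-FAST branches, each using eap_method_allowed() …
```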
@@ -52,6 +52,7 @@ extern int (*esp_crt_bundle_attach_fn)(void *conf); #ifndef CONFIG_TLS_INTERNAL_CLIENT extern char *g_wpa_domain_match; #endif +extern uint32_t g_eap_method_mask; const u8 * eap_get_eapKeyData(struct eap_sm *sm, size_t *len); void eap_deinit_prev_method(struct eap_sm *sm, const char *txt); diff --git a/examples/wifi/wifi_enterprise/main/wifi_enterprise_main.c b/examples/wifi/wifi_enterprise/main/wifi_enterprise_main.c index a1ebb65e1d..8146bcff66 100644 --- a/examples/wifi/wifi_enterprise/main/wifi_enterprise_main.c +++ b/examples/wifi/wifi_enterprise/main/wifi_enterprise_main.c @@ -96,6 +96,7 @@ static void event_handler(void* arg, esp_event_base_t event_base, static void initialise_wifi(void) { + esp_eap_method_t eap_methods = ESP_EAP_TYPE_NONE; #ifdef SERVER_CERT_VALIDATION_ENABLED unsigned int ca_pem_bytes = ca_pem_end - ca_pem_start; #endif /* SERVER_CERT_VALIDATION_ENABLED */ @@ -103,6 +104,7 @@ static void initialise_wifi(void) #ifdef CONFIG_EXAMPLE_EAP_METHOD_TLS unsigned int client_crt_bytes = client_crt_end - client_crt_start; unsigned int client_key_bytes = client_key_end - client_key_start; + eap_methods = ESP_EAP_TYPE_TLS; #endif /* CONFIG_EXAMPLE_EAP_METHOD_TLS */ ESP_ERROR_CHECK(esp_netif_init()); @@ -148,7 +150,11 @@ static void initialise_wifi(void) #if defined CONFIG_EXAMPLE_EAP_METHOD_TTLS ESP_ERROR_CHECK(esp_eap_client_set_ttls_phase2_method(TTLS_PHASE2_METHOD) ); + eap_methods = ESP_EAP_TYPE_TTLS; #endif /* CONFIG_EXAMPLE_EAP_METHOD_TTLS */ +#if defined (CONFIG_EXAMPLE_EAP_METHOD_PEAP) + eap_methods = ESP_EAP_TYPE_PEAP; +#endif /* CONFIG_EXAMPLE_EAP_METHOD_PEAP */ #if defined (CONFIG_EXAMPLE_WPA3_192BIT_ENTERPRISE) ESP_LOGI(TAG, "Enabling 192 bit certification"); 
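Review bot: The new `#if defined (CONFIG_EXAMPLE_EAP_METHOD_PEAP)` block in initialise_wifi sits next to `#if defined CONFIG_EXAMPLE_EAP_METHOD_TTLS` and `#ifdef CONFIG_EXAMPLE_EAP_METHOD_TLS`, three spellings of the same test in one function; pick one form, e.g. `#ifdef CONFIG_EXAMPLE_EAP_METHOD_PEAP`. Each branch assigns rather than ORs into `eap_methods`, which is fine only while these Kconfig options are mutually exclusive; a one-line comment on the declaration, `esp_eap_method_t eap_methods = ESP_EAP_TYPE_NONE; /* NONE = let the client pick from the configured credentials */`, would make the fallback behaviour visible to readers of the example.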
@@ -160,6 +166,7 @@ static void initialise_wifi(void)
 #ifdef CONFIG_EXAMPLE_VALIDATE_SERVER_CERT_DOMAIN
 ESP_ERROR_CHECK(esp_eap_client_set_domain_name(EXAMPLE_SERVER_CERT_DOMAIN));
 #endif
+ ESP_ERROR_CHECK(esp_eap_client_set_eap_methods(eap_methods));
 ESP_ERROR_CHECK(esp_wifi_sta_enterprise_enable());
 ESP_ERROR_CHECK(esp_wifi_start());
 }