diff --git a/docs/en/api-guides/wifi.rst b/docs/en/api-guides/wifi.rst
index 61def912bc..b43424a2b0 100644
--- a/docs/en/api-guides/wifi.rst
+++ b/docs/en/api-guides/wifi.rst
@@ -1428,7 +1428,7 @@ For establishing a secure connection, AP and Station negotiate and agree on the
 - MSCHAP and MSCHAP-V2.
-Detailed information on creating certificates and how to run wpa2_enterprise example on {IDF_TARGET_NAME} can be found in :example:`wifi/wpa2_enterprise`.
+Detailed information on creating certificates and how to run wpa2_enterprise example on {IDF_TARGET_NAME} can be found in :example:`wifi/wifi_enterprise`.
 .. only:: esp32s2 or esp32c3
diff --git a/examples/wifi/wpa2_enterprise/CMakeLists.txt b/examples/wifi/wifi_enterprise/CMakeLists.txt
similarity index 100%
rename from examples/wifi/wpa2_enterprise/CMakeLists.txt
rename to examples/wifi/wifi_enterprise/CMakeLists.txt
diff --git a/examples/wifi/wpa2_enterprise/Makefile b/examples/wifi/wifi_enterprise/Makefile
similarity index 100%
rename from examples/wifi/wpa2_enterprise/Makefile
rename to examples/wifi/wifi_enterprise/Makefile
diff --git a/examples/wifi/wpa2_enterprise/README.md b/examples/wifi/wifi_enterprise/README.md
similarity index 68%
rename from examples/wifi/wpa2_enterprise/README.md
rename to examples/wifi/wifi_enterprise/README.md
index 1a1a837329..9e83f3e2e9 100644
--- a/examples/wifi/wpa2_enterprise/README.md
+++ b/examples/wifi/wifi_enterprise/README.md
@@ -1,6 +1,6 @@
 # WPA2 Enterprise Example
-This example shows how ESP32 connects to AP with wpa2 enterprise encryption. Example does the following steps:
+This example shows how ESP32 connects to AP with Wi-Fi enterprise encryption. The example does the following steps:
 1. Install CA certificate which is optional.
 2. Install client certificate and client key which is required in TLS method and optional in PEAP and TTLS methods.
@@ -9,12 +9,13 @@ This example shows how ESP32 connects to AP with wpa2 enterprise encryption. Exa
 5. Enable wpa2 enterprise.
 6. Connect to AP.
-*Note:* 1. The certificates currently are generated and are present in examples.wifi/wpa2_enterprise/main folder.
+*Note:* 1. The certificates currently are generated and are present in examples/wifi/wifi_enterprise/main folder.
 2. The expiration date of the certificates is 2027/06/05.
+ 3. In case using suite-b, please use appropriate certificates such as RSA-3072 or p384 EC certificates.
 The steps to create new certificates are given below.
-## The file wpa2_ca.pem, wpa2_ca.key, wpa2_server.pem, wpa2_server.crt and wpa2_server.key can be used to configure AP with wpa2 enterprise encryption.
+## The file ca.pem, ca.key, server.pem, server.crt and server.key can be used to configure AP with enterprise encryption.
 ## How to use Example
@@ -36,7 +37,7 @@ idf.py menuconfig
 idf.py -p PORT flash monitor
 ```
-## Steps to create wpa2_ent openssl certs
+## Steps to create enterprise openssl certs
 1. make directry tree
@@ -56,27 +57,27 @@ idf.py -p PORT flash monitor
 extendedKeyUsage = 1.3.6.1.5.5.7.3.1
 2. ca.pem: root certificate, foundation of certificate verigy
- openssl req -new -x509 -keyout wpa2_ca.key -out wpa2_ca.pem
+ openssl req -new -x509 -keyout ca.key -out ca.pem
 3. generate rsa keys for client and server
- openssl genrsa -out wpa2_client.key 2048
- openssl genrsa -out wpa2_server.key 2048
+ openssl genrsa -out client.key 2048
+ openssl genrsa -out server.key 2048
 4. generate certificate signing req for both client and server
- openssl req -new -key wpa2_client.key -out wpa2_client.csr
- openssl req -new -key wpa2_server.key -out wpa2_server.csr
+ openssl req -new -key client.key -out client.csr
+ openssl req -new -key server.key -out server.csr
 5. create certs (.crt) for client nd server
- openssl ca -batch -keyfile wpa2_ca.key -cert wpa2_ca.pem -in wpa2_client.csr -key (password) -out wpa2_client.crt -extensions xpserver_ext -extfile xpextensions
- openssl ca -batch -keyfile wpa2_ca.key -cert wpa2_ca.pem -in wpa2_server.csr -key (password) -out wpa2_server.crt -extensions xpserver_ext -extfile xpextensions
+ openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr -key (password) -out client.crt -extensions xpserver_ext -extfile xpextensions
+ openssl ca -batch -keyfile ca.key -cert ca.pem -in server.csr -key (password) -out server.crt -extensions xpserver_ext -extfile xpextensions
 6. export .p12 files
- openssl pkcs12 -export -out wpa2_client.p12 -inkey wpa2_client.key -in wpa2_client.crt
- openssl pkcs12 -export -out wpa2_server.p12 -inkey wpa2_server.key -in wpa2_server.crt
+ openssl pkcs12 -export -out client.p12 -inkey client.key -in client.crt
+ openssl pkcs12 -export -out server.p12 -inkey server.key -in server.crt
 7. create .pem files
- openssl pkcs12 -in wpa2_client.p12 -out wpa2_client.pem
- openssl pkcs12 -in wpa2_server.p12 -out wpa2_server.pem
+ openssl pkcs12 -in client.p12 -out client.pem
+ openssl pkcs12 -in server.p12 -out server.pem
diff --git a/examples/wifi/wifi_enterprise/main/CMakeLists.txt b/examples/wifi/wifi_enterprise/main/CMakeLists.txt
new file mode 100644
index 0000000000..75a028a0dc
--- /dev/null
+++ b/examples/wifi/wifi_enterprise/main/CMakeLists.txt
@@ -0,0 +1,4 @@
+# Embed CA, certificate & key directly into binary
+idf_component_register(SRCS "wifi_enterprise_main.c"
+ INCLUDE_DIRS "."
+ EMBED_TXTFILES ca.pem client.crt client.key)
diff --git a/examples/wifi/wpa2_enterprise/main/Kconfig.projbuild b/examples/wifi/wifi_enterprise/main/Kconfig.projbuild
similarity index 73%
rename from examples/wifi/wpa2_enterprise/main/Kconfig.projbuild
rename to examples/wifi/wifi_enterprise/main/Kconfig.projbuild
index af9a5b0384..8642dc73fd 100644
--- a/examples/wifi/wpa2_enterprise/main/Kconfig.projbuild
+++ b/examples/wifi/wifi_enterprise/main/Kconfig.projbuild
@@ -1,16 +1,35 @@
 menu "Example Configuration"
+ choice
+ prompt "Enterprise configuration to be used"
+ default EXAMPLE_WPA_WPA2_ENTERPRISE
+ config EXAMPLE_WPA_WPA2_ENTERPRISE
+ bool "WPA_WPA2_ENT"
+ config EXAMPLE_WPA3_ENTERPRISE
+ bool "WPA3_ENT"
+ config EXAMPLE_WPA3_192BIT_ENTERPRISE
+ bool "WPA3_192BIT_ENT"
+ depends on IDF_TARGET_ESP32C3 || IDF_TARGET_ESP32S3
+ endchoice
+
 config EXAMPLE_WIFI_SSID
 string "WiFi SSID"
 default "wpa2_test"
 help
 SSID (network name) for the example to connect to.
- config EXAMPLE_VALIDATE_SERVER_CERT
- bool "Validate server"
- default y
- help
- Validate the servers' certificate using CA cert.
+ if EXAMPLE_WPA_WPA2_ENTERPRISE
+ config EXAMPLE_VALIDATE_SERVER_CERT
+ bool "Validate server"
+ default y
+ help
+ Validate the servers' certificate using CA cert.
+ endif
+
+ if !EXAMPLE_WPA_WPA2_ENTERPRISE
+ config EXAMPLE_VALIDATE_SERVER_CERT
+ default y
+ endif
 choice
 prompt "EAP method for the example to use"
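Review bot: `EMBED_TXTFILES ca.pem client.crt client.key` embeds the client private key into every build of the example, while the C file only references `client_key_start`/`client_crt_start` under `CONFIG_EXAMPLE_EAP_METHOD_TLS` and `ca_pem_start` under `CONFIG_EXAMPLE_VALIDATE_SERVER_CERT`, so a PEAP or TTLS image still carries a private key it never uses. Because example projects get copied as templates, it is better to embed the client material only when the TLS method is selected, building the file list before the `idf_component_register` call. The same unconditional embedding is in the `COMPONENT_EMBED_TXTFILES` lines of the `component.mk` hunk further down.
```cmake
# Embed CA, certificate & key directly into binary
set(embed_files ca.pem)
if(CONFIG_EXAMPLE_EAP_METHOD_TLS)
    # client cert/key are only consumed by the EAP-TLS build
    list(APPEND embed_files client.crt client.key)
endif()
idf_component_register(SRCS "wifi_enterprise_main.c"
                    INCLUDE_DIRS "."
                    EMBED_TXTFILES ${embed_files})
```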
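Review bot: The second `config EXAMPLE_VALIDATE_SERVER_CERT` block under `if !EXAMPLE_WPA_WPA2_ENTERPRISE` carries only `default y` and no prompt, so in the WPA3 options the symbol is forced to y and cannot be turned off; that is the right outcome, since the C code's `esp_wifi_sta_wpa2_ent_set_ca_cert` call now depends on it for those options, but nothing in the file says so and a reader may take the duplicate definition for a mistake. A `help` entry on the new `choice` would carry the intent, e.g. `Server certificate validation is always on for the WPA3 options; WPA3_192BIT_ENT additionally requires PMF and suite-B certificates (RSA-3072 or P-384), see README.md`. A one-line comment above the second block, `# no prompt on purpose: validation is mandatory outside WPA/WPA2`, would stop the next editor from "fixing" it.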
diff --git a/examples/wifi/wpa2_enterprise/main/wpa2_ca.pem b/examples/wifi/wifi_enterprise/main/ca.pem
similarity index 100%
rename from examples/wifi/wpa2_enterprise/main/wpa2_ca.pem
rename to examples/wifi/wifi_enterprise/main/ca.pem
diff --git a/examples/wifi/wpa2_enterprise/main/wpa2_client.crt b/examples/wifi/wifi_enterprise/main/client.crt
similarity index 100%
rename from examples/wifi/wpa2_enterprise/main/wpa2_client.crt
rename to examples/wifi/wifi_enterprise/main/client.crt
diff --git a/examples/wifi/wpa2_enterprise/main/wpa2_client.key b/examples/wifi/wifi_enterprise/main/client.key
similarity index 100%
rename from examples/wifi/wpa2_enterprise/main/wpa2_client.key
rename to examples/wifi/wifi_enterprise/main/client.key
diff --git a/examples/wifi/wpa2_enterprise/main/wpa2_client.pem b/examples/wifi/wifi_enterprise/main/client.pem
similarity index 100%
rename from examples/wifi/wpa2_enterprise/main/wpa2_client.pem
rename to examples/wifi/wifi_enterprise/main/client.pem
diff --git a/examples/wifi/wpa2_enterprise/main/component.mk b/examples/wifi/wifi_enterprise/main/component.mk
similarity index 63%
rename from examples/wifi/wpa2_enterprise/main/component.mk
rename to examples/wifi/wifi_enterprise/main/component.mk
index a0a4ceddea..19aafa5d04 100644
--- a/examples/wifi/wpa2_enterprise/main/component.mk
+++ b/examples/wifi/wifi_enterprise/main/component.mk
@@ -5,6 +5,6 @@
 # embed files from the "certs" directory as binary data symbols
 # in the app
-COMPONENT_EMBED_TXTFILES := wpa2_ca.pem
-COMPONENT_EMBED_TXTFILES += wpa2_client.crt
-COMPONENT_EMBED_TXTFILES += wpa2_client.key
+COMPONENT_EMBED_TXTFILES := ca.pem
+COMPONENT_EMBED_TXTFILES += client.crt
+COMPONENT_EMBED_TXTFILES += client.key
diff --git a/examples/wifi/wpa2_enterprise/main/wpa2_server.crt b/examples/wifi/wifi_enterprise/main/server.crt
similarity index 100%
rename from examples/wifi/wpa2_enterprise/main/wpa2_server.crt
rename to examples/wifi/wifi_enterprise/main/server.crt
diff --git a/examples/wifi/wpa2_enterprise/main/wpa2_server.key b/examples/wifi/wifi_enterprise/main/server.key
similarity index 100%
rename from examples/wifi/wpa2_enterprise/main/wpa2_server.key
rename to examples/wifi/wifi_enterprise/main/server.key
diff --git a/examples/wifi/wpa2_enterprise/main/wpa2_server.pem b/examples/wifi/wifi_enterprise/main/server.pem
similarity index 100%
rename from examples/wifi/wpa2_enterprise/main/wpa2_server.pem
rename to examples/wifi/wifi_enterprise/main/server.pem
diff --git a/examples/wifi/wpa2_enterprise/main/wpa2_enterprise_main.c b/examples/wifi/wifi_enterprise/main/wifi_enterprise_main.c
similarity index 84%
rename from examples/wifi/wpa2_enterprise/main/wpa2_enterprise_main.c
rename to examples/wifi/wifi_enterprise/main/wifi_enterprise_main.c
index 87b114c444..e6175d695b 100644
--- a/examples/wifi/wpa2_enterprise/main/wpa2_enterprise_main.c
+++ b/examples/wifi/wifi_enterprise/main/wifi_enterprise_main.c
@@ -58,9 +58,9 @@ const int CONNECTED_BIT = BIT0;
 static const char *TAG = "example";
-/* CA cert, taken from wpa2_ca.pem
- Client cert, taken from wpa2_client.crt
- Client key, taken from wpa2_client.key
+/* CA cert, taken from ca.pem
+ Client cert, taken from client.crt
+ Client key, taken from client.key
 The PEM, CRT and KEY file were provided by the person or organization
 who configured the AP with wpa2 enterprise.
@@ -69,15 +69,15 @@ static const char *TAG = "example";
 in the component.mk COMPONENT_EMBED_TXTFILES variable.
 */
 #ifdef CONFIG_EXAMPLE_VALIDATE_SERVER_CERT
-extern uint8_t ca_pem_start[] asm("_binary_wpa2_ca_pem_start");
-extern uint8_t ca_pem_end[] asm("_binary_wpa2_ca_pem_end");
+extern uint8_t ca_pem_start[] asm("_binary_ca_pem_start");
+extern uint8_t ca_pem_end[] asm("_binary_ca_pem_end");
 #endif /* CONFIG_EXAMPLE_VALIDATE_SERVER_CERT */
 #ifdef CONFIG_EXAMPLE_EAP_METHOD_TLS
-extern uint8_t client_crt_start[] asm("_binary_wpa2_client_crt_start");
-extern uint8_t client_crt_end[] asm("_binary_wpa2_client_crt_end");
-extern uint8_t client_key_start[] asm("_binary_wpa2_client_key_start");
-extern uint8_t client_key_end[] asm("_binary_wpa2_client_key_end");
+extern uint8_t client_crt_start[] asm("_binary_client_crt_start");
+extern uint8_t client_crt_end[] asm("_binary_client_crt_end");
+extern uint8_t client_key_start[] asm("_binary_client_key_start");
+extern uint8_t client_key_end[] asm("_binary_client_key_end");
 #endif /* CONFIG_EXAMPLE_EAP_METHOD_TLS */
 #if defined CONFIG_EXAMPLE_EAP_METHOD_TTLS
@@ -122,6 +122,18 @@ static void initialise_wifi(void)
 wifi_config_t wifi_config = {
 .sta = {
 .ssid = EXAMPLE_WIFI_SSID,
+#if defined(CONFIG_EXAMPLE_WPA3_ENTERPRISE)
+ .pmf_cfg = {
+ .capable = true,
+ .required = false
+ },
+#endif
+#if defined (CONFIG_EXAMPLE_WPA3_192BIT_ENTERPRISE)
+ .pmf_cfg = {
+ .capable = true,
+ .required = true
+ },
+#endif
 },
 };
 ESP_LOGI(TAG, "Setting WiFi configuration SSID %s...", wifi_config.sta.ssid);
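Review bot: The two `#if defined(...)` blocks in the `wifi_config` initializer both set `.pmf_cfg` with `.capable = true` and differ only in `.required`; they never collide only because the two Kconfig symbols come from one `choice`, which nothing in this file records, and an edit that decouples them would make the second designated initializer silently override the first. Folding them into one block keyed on either symbol, with the `.required` value chosen by an inner `#if`, removes the duplication and makes the 192-bit-only difference explicit. For the default `WPA_WPA2_ENT` option `.pmf_cfg` stays zero-initialized, i.e. not even capable, so a WPA2-Enterprise AP that offers 802.11w cannot negotiate management-frame protection with this station unless the driver overrides the field — worth confirming and, if it does not, setting `.capable = true` for all three options. `initialise_wifi` starts and ends outside this hunk.
```c
            .ssid = EXAMPLE_WIFI_SSID,
#if defined(CONFIG_EXAMPLE_WPA3_ENTERPRISE) || defined(CONFIG_EXAMPLE_WPA3_192BIT_ENTERPRISE)
            /* PMF is advertised for both WPA3 options; only suite-B 192-bit insists on it. */
            .pmf_cfg = {
                .capable = true,
#if defined(CONFIG_EXAMPLE_WPA3_192BIT_ENTERPRISE)
                .required = true,
#else
                .required = false,
#endif
            },
#endif
```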
@@ -129,9 +141,11 @@ static void initialise_wifi(void)
 ESP_ERROR_CHECK( esp_wifi_set_config(WIFI_IF_STA, &wifi_config) );
 ESP_ERROR_CHECK( esp_wifi_sta_wpa2_ent_set_identity((uint8_t *)EXAMPLE_EAP_ID, strlen(EXAMPLE_EAP_ID)) );
-#ifdef CONFIG_EXAMPLE_VALIDATE_SERVER_CERT
+#if defined(CONFIG_EXAMPLE_VALIDATE_SERVER_CERT) || \
+ defined(CONFIG_EXAMPLE_WPA3_ENTERPRISE) || \
+ defined(CONFIG_EXAMPLE_WPA3_192BIT_ENTERPRISE)
 ESP_ERROR_CHECK( esp_wifi_sta_wpa2_ent_set_ca_cert(ca_pem_start, ca_pem_bytes) );
-#endif /* CONFIG_EXAMPLE_VALIDATE_SERVER_CERT */
+#endif /* CONFIG_EXAMPLE_VALIDATE_SERVER_CERT */ /* EXAMPLE_WPA3_ENTERPRISE */
 #ifdef CONFIG_EXAMPLE_EAP_METHOD_TLS
 ESP_ERROR_CHECK( esp_wifi_sta_wpa2_ent_set_cert_key(client_crt_start, client_crt_bytes,\
@@ -146,7 +160,10 @@ static void initialise_wifi(void)
 #if defined CONFIG_EXAMPLE_EAP_METHOD_TTLS
 ESP_ERROR_CHECK( esp_wifi_sta_wpa2_ent_set_ttls_phase2_method(TTLS_PHASE2_METHOD) );
 #endif /* CONFIG_EXAMPLE_EAP_METHOD_TTLS */
-
+#if defined (CONFIG_EXAMPLE_WPA3_192BIT_ENTERPRISE)
+ ESP_LOGI(TAG, "Enabling 192 bit certification");
+ ESP_ERROR_CHECK(esp_wifi_sta_wpa2_set_suiteb_192bit_certification(true));
+#endif
 ESP_ERROR_CHECK( esp_wifi_sta_wpa2_ent_enable() );
 ESP_ERROR_CHECK( esp_wifi_start() );
 }
diff --git a/examples/wifi/wpa2_enterprise/main/CMakeLists.txt b/examples/wifi/wpa2_enterprise/main/CMakeLists.txt
deleted file mode 100644
index 59f94eb604..0000000000
--- a/examples/wifi/wpa2_enterprise/main/CMakeLists.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-# Embed CA, certificate & key directly into binary
-idf_component_register(SRCS "wpa2_enterprise_main.c"
- INCLUDE_DIRS "."
- EMBED_TXTFILES wpa2_ca.pem wpa2_client.crt wpa2_client.key)
diff --git a/tools/ci/check_copyright_ignore.txt b/tools/ci/check_copyright_ignore.txt
index 417c75386f..bb101de637 100644
--- a/tools/ci/check_copyright_ignore.txt
+++ b/tools/ci/check_copyright_ignore.txt
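Review bot: The widened guard `#if defined(CONFIG_EXAMPLE_VALIDATE_SERVER_CERT) || defined(CONFIG_EXAMPLE_WPA3_ENTERPRISE) || defined(CONFIG_EXAMPLE_WPA3_192BIT_ENTERPRISE)` around `esp_wifi_sta_wpa2_ent_set_ca_cert` no longer matches the guard on the `ca_pem_start`/`ca_pem_end` declarations in the hunk at line 69, which stay under `#ifdef CONFIG_EXAMPLE_VALIDATE_SERVER_CERT` alone; the build only holds together because the Kconfig change forces that symbol to y in the WPA3 options. Either keep the single `#ifdef CONFIG_EXAMPLE_VALIDATE_SERVER_CERT` here and let Kconfig carry the rule, or widen the declaration guard identically, otherwise the two drift apart at the next edit. The trailing `#endif /* CONFIG_EXAMPLE_VALIDATE_SERVER_CERT */ /* EXAMPLE_WPA3_ENTERPRISE */` should name the real condition, e.g. `#endif /* VALIDATE_SERVER_CERT || WPA3_ENTERPRISE || WPA3_192BIT_ENTERPRISE */`. `initialise_wifi` starts and ends outside this hunk.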
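Review bot: `esp_wifi_sta_wpa2_set_suiteb_192bit_certification(true)` is turned on for `CONFIG_EXAMPLE_WPA3_192BIT_ENTERPRISE`, but the certificates this example embeds are the renamed `ca.pem`/`client.crt`/`client.key` (100% similarity renames) that presumably came from the README's `openssl genrsa ... 2048` steps, while the README's new note says suite-B needs RSA-3072 or P-384 certificates; a user who selects that option with the shipped files is likely to get an authentication failure that nothing in the code explains. A comment above the block, `/* Suite-B 192-bit needs RSA-3072 or P-384 certificates; regenerate the bundled example certs as described in README.md before using this option. */`, would save that debugging round. `#if defined (CONFIG_EXAMPLE_WPA3_192BIT_ENTERPRISE)` also has a stray space before the parenthesis, unlike the `#if defined(CONFIG_EXAMPLE_WPA3_ENTERPRISE)` form used earlier in the same function. The enclosing `initialise_wifi` starts outside this hunk.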
@@ -3952,7 +3952,7 @@ examples/wifi/roaming/main/roaming_example.c
 examples/wifi/scan/main/scan.c
 examples/wifi/smart_config/main/smartconfig_main.c
 examples/wifi/wifi_easy_connect/dpp-enrollee/main/dpp_enrollee_main.c
-examples/wifi/wpa2_enterprise/main/wpa2_enterprise_main.c
+examples/wifi/wifi_enterprise/main/wifi_enterprise_main.c
 examples/wifi/wps/main/wps.c
 tools/ble/lib_ble_client.py
 tools/ble/lib_gap.py