espressif/esp-idf
1
0
Fork 1
mirror of https://github.com/espressif/esp-idf.git synced 2025-11-24 03:09:41 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
5c0fb109028d25a2a0ea348d40fa22a423ce24f5
esp-idf/components/wpa_supplicant
History
Jouni Malinen 5c0fb10902 EAP peer: External server certificate chain validation 
This adds support for optional functionality to validate server
certificate chain in TLS-based EAP methods in an external program.
wpa_supplicant control interface is used to indicate when such
validation is needed and what the result of the external validation is.

This external validation can extend or replace the internal validation.
When ca_cert or ca_path parameter is set, the internal validation is
used. If these parameters are omitted, only the external validation is
used. It needs to be understood that leaving those parameters out will
disable most of the validation steps done with the TLS library and that
configuration is not really recommend.

By default, the external validation is not used. It can be enabled by
addingtls_ext_cert_check=1 into the network profile phase1 parameter.
When enabled, external validation is required through the CTRL-REQ/RSP
mechanism similarly to other EAP authentication parameters through the
control interface.

The request to perform external validation is indicated by the following
event:
CTRL-REQ-EXT_CERT_CHECK-<id>:External server certificate validation needed for SSID <ssid>

Before that event, the server certificate chain is provided with the
CTRL-EVENT-EAP-PEER-CERT events that include the cert=<hexdump>
parameter. depth=# indicates which certificate is in question (0 for the
server certificate, 1 for its issues, and so on).

The result of the external validation is provided with the following
command:
CTRL-RSP-EXT_CERT_CHECK-<id>:<good|bad>

It should be noted that this is currently enabled only for OpenSSL (and
BoringSSL/LibreSSL). Due to the constraints in the library API, the
validation result from external processing cannot be reported cleanly
with TLS alert. In other words, if the external validation reject the
server certificate chain, the pending TLS handshake is terminated
without sending more messages to the server.

Signed-off-by: Jouni Malinen <j@w1.fi>
2024-03-20 09:32:32 +05:30
..
esp_supplicant
Merge branch 'bugfix/dpp_auth_deinit_crash' into 'master'
2024-03-19 17:36:28 +08:00
include/utils
wpa_supplicant: Add WPS registrar support for softAP mode
2022-05-24 12:11:53 +05:30
port
fix(esp_wifi): Separate public and native wifi interface types
2024-02-01 12:17:37 +01:00
src
EAP peer: External server certificate chain validation
2024-03-20 09:32:32 +05:30
test_apps
fix: add count for wpa test
2023-12-06 15:58:05 +08:00
CMakeLists.txt
fix(esp_wifi): Support for esp_wifi_remote
2024-02-01 12:17:43 +01:00
COPYING
change(esp_wifi): Update copyright info for wpa_supplicant
2023-08-02 18:51:37 +05:30
linker.lf
fix(wifi): Add support to move supplicant BSS to external memory
2023-12-13 16:07:13 +00:00
README
wpa_supplicant: bypass sonar checks for upstream code
2021-07-22 14:12:22 +08:00
README.md
esp_wifi: Merge wpa_supplicant and esp_wifi Kconfig
2023-02-11 07:38:45 +08:00

README.md

'wpa_supplicant'

This component contains the upstream wpa_supplicant ported for ESP family of platforms. The code is tightly coupled with esp_wifi component which has ESP WiFi libraries and header files that are used in ported supplicant.

ESP uses MbedTLS as crypto library therefore MbedTLS component is also required for some features to work(see ESP_WIFI_MBEDTLS_CRYPTO).

To port it for different OS, esp_wifi and wpa_supplicant should be picked up a whole system(preferably with MbedTLS if we want all features to work.)

Reference in New Issue View Git Blame Copy Permalink