fix(esp_wifi): Enable Server certificate validation when using mbedtls TLS v1.3

In TLS v1.2, it was possible to disable server certificate validation simply by using the
API 'mbedtls_ssl_conf_authmode'. This behaviour has changed in TLS v1.3: server certificate
validation can no longer be disabled in TLS v1.3 using this API.

For more details, refer https://github.com/Mbed-TLS/mbedtls/issues/7075
This commit is contained in:
Sarvesh Bodakhe
2023-11-11 13:37:30 +05:30
parent ec09cdf885
commit 5ce95cae91


@@ -57,10 +57,17 @@ static const char *TAG = "example";
To embed it in the app binary, the PEM, CRT and KEY file is named To embed it in the app binary, the PEM, CRT and KEY file is named
in the component.mk COMPONENT_EMBED_TXTFILES variable. in the component.mk COMPONENT_EMBED_TXTFILES variable.
*/ */
#ifdef CONFIG_EXAMPLE_VALIDATE_SERVER_CERT #if defined(CONFIG_EXAMPLE_VALIDATE_SERVER_CERT) || \
defined(CONFIG_EXAMPLE_WPA3_ENTERPRISE) || \
defined(CONFIG_EXAMPLE_WPA3_192BIT_ENTERPRISE) || \
defined(CONFIG_ESP_WIFI_EAP_TLS1_3)
#define SERVER_CERT_VALIDATION_ENABLED
#endif
#ifdef SERVER_CERT_VALIDATION_ENABLED
extern uint8_t ca_pem_start[] asm("_binary_ca_pem_start"); extern uint8_t ca_pem_start[] asm("_binary_ca_pem_start");
extern uint8_t ca_pem_end[] asm("_binary_ca_pem_end"); extern uint8_t ca_pem_end[] asm("_binary_ca_pem_end");
#endif /* CONFIG_EXAMPLE_VALIDATE_SERVER_CERT */ #endif /* SERVER_CERT_VALIDATION_ENABLED */
#ifdef CONFIG_EXAMPLE_EAP_METHOD_TLS #ifdef CONFIG_EXAMPLE_EAP_METHOD_TLS
extern uint8_t client_crt_start[] asm("_binary_client_crt_start"); extern uint8_t client_crt_start[] asm("_binary_client_crt_start");
@@ -88,9 +95,9 @@ static void event_handler(void* arg, esp_event_base_t event_base,
static void initialise_wifi(void) static void initialise_wifi(void)
{ {
#ifdef CONFIG_EXAMPLE_VALIDATE_SERVER_CERT #ifdef SERVER_CERT_VALIDATION_ENABLED
unsigned int ca_pem_bytes = ca_pem_end - ca_pem_start; unsigned int ca_pem_bytes = ca_pem_end - ca_pem_start;
#endif /* CONFIG_EXAMPLE_VALIDATE_SERVER_CERT */ #endif /* SERVER_CERT_VALIDATION_ENABLED */
#ifdef CONFIG_EXAMPLE_EAP_METHOD_TLS #ifdef CONFIG_EXAMPLE_EAP_METHOD_TLS
unsigned int client_crt_bytes = client_crt_end - client_crt_start; unsigned int client_crt_bytes = client_crt_end - client_crt_start;
@@ -123,11 +130,9 @@ static void initialise_wifi(void)
ESP_ERROR_CHECK(esp_wifi_set_config(WIFI_IF_STA, &wifi_config) ); ESP_ERROR_CHECK(esp_wifi_set_config(WIFI_IF_STA, &wifi_config) );
ESP_ERROR_CHECK(esp_eap_client_set_identity((uint8_t *)EXAMPLE_EAP_ID, strlen(EXAMPLE_EAP_ID)) ); ESP_ERROR_CHECK(esp_eap_client_set_identity((uint8_t *)EXAMPLE_EAP_ID, strlen(EXAMPLE_EAP_ID)) );
#if defined(CONFIG_EXAMPLE_VALIDATE_SERVER_CERT) || \ #ifdef SERVER_CERT_VALIDATION_ENABLED
defined(CONFIG_EXAMPLE_WPA3_ENTERPRISE) || \
defined(CONFIG_EXAMPLE_WPA3_192BIT_ENTERPRISE)
ESP_ERROR_CHECK(esp_eap_client_set_ca_cert(ca_pem_start, ca_pem_bytes) ); ESP_ERROR_CHECK(esp_eap_client_set_ca_cert(ca_pem_start, ca_pem_bytes) );
#endif /* CONFIG_EXAMPLE_VALIDATE_SERVER_CERT */ /* EXAMPLE_WPA3_ENTERPRISE */ #endif /* SERVER_CERT_VALIDATION_ENABLED */
#ifdef CONFIG_EXAMPLE_EAP_METHOD_TLS #ifdef CONFIG_EXAMPLE_EAP_METHOD_TLS
ESP_ERROR_CHECK(esp_eap_client_set_certificate_and_key(client_crt_start, client_crt_bytes, ESP_ERROR_CHECK(esp_eap_client_set_certificate_and_key(client_crt_start, client_crt_bytes,