From f283b589ed18331c5c81ae25e3579d71b6045db1 Mon Sep 17 00:00:00 2001 From: jgujarathi Date: Wed, 15 Feb 2023 17:59:18 +0530 Subject: [PATCH 1/4] wpa_supplicant : Add support for unregistering wifi wpa3 callbacks. Unregister wifi callbacks allows for disabling support for wpa3 functions when not required. --- components/wpa_supplicant/esp_supplicant/src/esp_wpa3.c | 8 ++++++++ .../wpa_supplicant/esp_supplicant/src/esp_wpa_main.c | 3 ++- 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/components/wpa_supplicant/esp_supplicant/src/esp_wpa3.c b/components/wpa_supplicant/esp_supplicant/src/esp_wpa3.c index 62fc38e561..ed82f48e4f 100644 --- a/components/wpa_supplicant/esp_supplicant/src/esp_wpa3.c +++ b/components/wpa_supplicant/esp_supplicant/src/esp_wpa3.c @@ -260,4 +260,12 @@ void esp_wifi_register_wpa3_cb(struct wpa_funcs *wpa_cb) wpa_cb->wpa3_parse_sae_msg = wpa3_parse_sae_msg; } +void esp_wifi_unregister_wpa3_cb(void) +{ + extern struct wpa_funcs *wpa_cb; + + wpa_cb->wpa3_build_sae_msg = NULL; + wpa_cb->wpa3_parse_sae_msg = NULL; + +} #endif /* CONFIG_WPA3_SAE */ diff --git a/components/wpa_supplicant/esp_supplicant/src/esp_wpa_main.c b/components/wpa_supplicant/esp_supplicant/src/esp_wpa_main.c index 434d66bbc2..1a919df6ff 100644 --- a/components/wpa_supplicant/esp_supplicant/src/esp_wpa_main.c +++ b/components/wpa_supplicant/esp_supplicant/src/esp_wpa_main.c @@ -40,6 +40,7 @@ #include "wps/wps_defs.h" const wifi_osi_funcs_t *wifi_funcs; +struct wpa_funcs *wpa_cb; void wpa_install_key(enum wpa_alg alg, u8 *addr, int key_idx, int set_tx, u8 *seq, size_t seq_len, u8 *key, size_t key_len, enum key_flag key_flag) @@ -311,7 +312,6 @@ static bool hostap_sta_join(void **sta, u8 *bssid, u8 *wpa_ie, u8 wpa_ie_len, bo int esp_supplicant_init(void) { int ret = ESP_OK; - struct wpa_funcs *wpa_cb; wifi_funcs = WIFI_OSI_FUNCS_INITIALIZER(); if (!wifi_funcs) { 
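Review bot: `esp_wifi_unregister_wpa3_cb()` dereferences the global `wpa_cb` with no NULL check, and the same series sets `wpa_cb = NULL` in `esp_supplicant_deinit()` (the @@ -370 hunk of esp_wpa_main.c), so calling it after deinit or before `esp_supplicant_init()` is a NULL dereference. A guard such as `if (wpa_cb == NULL) { return; }` ahead of the two assignments makes the function safe to call in any order. The block-scope `extern struct wpa_funcs *wpa_cb;` also hides the cross-file dependency from readers and from prototype checking; declaring it once in the header that already declares `esp_wifi_register_wpa3_cb`, or at file scope, is the conventional form. The stray blank line before the closing brace can go as well.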
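Review bot: The new file-scope `struct wpa_funcs *wpa_cb;` in esp_wpa_main.c is non-static mutable global state with no comment on who allocates it, who frees it, and which files may read it; the block-local `extern` added to esp_wpa3.c in this same series is now a second, hidden consumer. An ownership line above the definition, e.g. `/* wpa_funcs table built by esp_supplicant_init() and reset to NULL in esp_supplicant_deinit() -- TODO(review): confirm which side frees it */`, records the contract until that is verified from the init path. Removing the local `wpa_cb` in the @@ -311 hunk below makes `esp_supplicant_init()` write the global instead; that function continues outside the hunk, so whether any early-return path can leave the global pointing at released memory should be checked there.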
@@ -370,5 +370,6 @@ int esp_supplicant_deinit(void) { esp_supplicant_common_deinit(); eloop_destroy(); + wpa_cb = NULL; return esp_wifi_unregister_wpa_cb_internal(); } From 6279e58c429a7bf587832735c024711d4f3aed38 Mon Sep 17 00:00:00 2001 From: jgujarathi Date: Fri, 17 Feb 2023 17:21:41 +0530 Subject: [PATCH 2/4] wpa_supplicant : Add deinitialization of Enterprise config_methods. Add deinitialization of config_methods as it prevents correct reinitialization of sta in eap_peer_config_init() during reassoc. --- components/wpa_supplicant/src/eap_peer/eap.c | 1 + 1 file changed, 1 insertion(+) diff --git a/components/wpa_supplicant/src/eap_peer/eap.c b/components/wpa_supplicant/src/eap_peer/eap.c index 1b80c191b0..51d772217a 100644 --- a/components/wpa_supplicant/src/eap_peer/eap.c +++ b/components/wpa_supplicant/src/eap_peer/eap.c @@ -646,6 +646,7 @@ void eap_peer_config_deinit(struct eap_sm *sm) os_free(sm->config.new_password); os_free(sm->config.eap_methods); os_bzero(&sm->config, sizeof(struct eap_peer_config)); + config_methods = NULL; } int eap_peer_blob_init(struct eap_sm *sm) From 4e1d466fc59487576815ee66b3bf52ae1027f982 Mon Sep 17 00:00:00 2001 From: jgujarathi Date: Thu, 23 Feb 2023 19:12:48 +0530 Subject: [PATCH 3/4] wpa_supplicant : Add validations for 192-bit Suite B test cases. Add validation for group data cipher, pairwise cipher and AKM Suites to ensure correct ciphers are supported by AP during 192-bit Enterprise connections. --- components/wpa_supplicant/src/rsn_supp/wpa.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/components/wpa_supplicant/src/rsn_supp/wpa.c b/components/wpa_supplicant/src/rsn_supp/wpa.c index f200e9ab9c..3b512701b7 100644 --- a/components/wpa_supplicant/src/rsn_supp/wpa.c +++ b/components/wpa_supplicant/src/rsn_supp/wpa.c 
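Review bot: `wpa_cb = NULL;` in `esp_supplicant_deinit()` drops the only visible reference to the `wpa_funcs` table without freeing it, and it runs before `esp_wifi_unregister_wpa_cb_internal()`, which is presumably the call that hands the table back from the driver. If the driver side owns and frees the table, a comment such as `/* table is owned and freed on the driver side; only drop our reference here */` keeps this from reading as a leak; if it does not, the `os_free` belongs here, after the unregister call. How `esp_supplicant_init()` allocated the table is outside this hunk and should be checked against that path.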
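Review bot: `config_methods = NULL;` in `eap_peer_config_deinit()` is only correct if `config_methods` aliases the `sm->config.eap_methods` buffer freed two lines above; if it is a separate allocation, this line leaks it rather than releasing it. `config_methods` is declared outside the hunk, so its ownership cannot be confirmed here and deserves a look. Assuming the alias holds, the line still needs a why-comment, e.g. `/* config_methods points into sm->config.eap_methods (freed above); clear it so eap_peer_config_init() rebuilds it on reassociation */`, because the reassociation bug from the commit message is otherwise invisible at this site.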
@@ -2497,6 +2497,18 @@ int wpa_set_bss(char *macddr, char * bssid, u8 pairwise_cipher, u8 group_cipher, wpa_printf(MSG_ERROR, "suite-b 192bit certification, only GMAC256 is supported"); return -1; } + if (sm->group_cipher != WPA_CIPHER_GCMP_256) { + wpa_printf(MSG_ERROR, "suite-b 192bit certification, only group GCMP256 is supported for group data cipher."); + return -1; + } + if (sm->pairwise_cipher != WPA_CIPHER_GCMP_256) { + wpa_printf(MSG_ERROR,"suite-b 192bit certification, only group GCMP256 is supported for pairwise cipher"); + return -1; + } + if (sm->key_mgmt != WPA_KEY_MGMT_IEEE8021X_SUITE_B_192) { + wpa_printf(MSG_ERROR, "suite-b 192bit certification, 192bit akm supported"); + return -1; + } } #endif } else { From 4a0fbdccc70e0bdee6961c6075c705212fe41ff3 Mon Sep 17 00:00:00 2001 From: jgujarathi Date: Wed, 1 Mar 2023 11:53:42 +0530 Subject: [PATCH 4/4] wpa_supplicant : Add disable for tls key usage check. Disable the key usage check this leads to false negative results while using wfa certificates during testing. --- .../esp_supplicant/src/crypto/tls_mbedtls.c | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/components/wpa_supplicant/esp_supplicant/src/crypto/tls_mbedtls.c b/components/wpa_supplicant/esp_supplicant/src/crypto/tls_mbedtls.c index 0e07715595..3b3478a157 100644 --- a/components/wpa_supplicant/esp_supplicant/src/crypto/tls_mbedtls.c +++ b/components/wpa_supplicant/esp_supplicant/src/crypto/tls_mbedtls.c @@ -24,6 +24,7 @@ which are undefined if the following flag is not defined */ #include "mbedtls/ctr_drbg.h" #include "mbedtls/entropy.h" #include "mbedtls/debug.h" +#include "mbedtls/oid.h" #ifdef ESPRESSIF_USE #include "mbedtls/esp_debug.h" #include "mbedtls/esp_config.h" 
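Review bot: The three new Suite B 192 error messages in `wpa_set_bss()` are inconsistent and two of them misstate the check: the pairwise-cipher message says `only group GCMP256 is supported for pairwise cipher` although it is the pairwise cipher being rejected, and the AKM message `192bit akm supported` lacks "only" and does not say what was rejected. Suggest `wpa_printf(MSG_ERROR, "suite-b 192bit certification, only GCMP256 is supported for pairwise cipher");` and `wpa_printf(MSG_ERROR, "suite-b 192bit certification, only the 192bit Suite B AKM is supported");`, plus a space after `MSG_ERROR,` in the second call to match the surrounding style. Logging the rejected cipher or AKM value next to the fixed text would make triage of a misconfigured AP much easier, and since all three branches only differ in the message they could collapse into one condition. The enclosing `#ifdef` block and the `else` branch both continue outside the hunk.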
@@ -191,7 +192,6 @@ static int set_ca_cert(tls_context_t *tls, const unsigned char *cacert, size_t c } mbedtls_ssl_conf_authmode(&tls->conf, MBEDTLS_SSL_VERIFY_REQUIRED); mbedtls_ssl_conf_ca_chain(&tls->conf, tls->cacert_ptr, NULL); - return 0; } @@ -287,6 +287,14 @@ static void tls_enable_sha1_config(tls_context_t *tls) mbedtls_ssl_conf_cert_profile(&tls->conf, crt_profile); mbedtls_ssl_conf_sig_algs(&tls->conf, tls_sig_algs_for_eap); } +#ifdef CONFIG_ESP_WIFI_DISABLE_KEY_USAGE_CHECK +static int tls_disable_key_usages(void *data, mbedtls_x509_crt *cert, int depth, uint32_t *flags) +{ + cert->MBEDTLS_PRIVATE(ext_types) &= ~MBEDTLS_X509_EXT_KEY_USAGE; + cert->MBEDTLS_PRIVATE(ext_types) &= ~MBEDTLS_X509_EXT_EXTENDED_KEY_USAGE; + return 0; +} +#endif /*CONFIG_ESP_WIFI_DISABLE_KEY_USAGE_CHECK*/ static const int eap_ciphersuite_preference[] = { @@ -516,6 +524,10 @@ static int set_client_config(const struct tls_connection_params *cfg, tls_contex * but doesn't take that much processing power */ tls_set_ciphersuite(cfg, tls); +#ifdef CONFIG_ESP_WIFI_DISABLE_KEY_USAGE_CHECK + mbedtls_ssl_set_verify( &tls->ssl, tls_disable_key_usages, NULL ); +#endif /*CONFIG_ESP_WIFI_DISABLE_KEY_USAGE_CHECK*/ + #ifdef CONFIG_MBEDTLS_CERTIFICATE_BUNDLE if (cfg->flags & TLS_CONN_USE_DEFAULT_CERT_BUNDLE) { wpa_printf(MSG_INFO, "Using default cert bundle");
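Review bot: `tls_disable_key_usages()` carries no comment explaining that it is a verify callback that rewrites the parsed certificate's `ext_types` so mbedtls treats each certificate it is invoked for as having no KeyUsage/ExtendedKeyUsage extension, and it silently ignores its `data`, `depth` and `flags` parameters. Because it edits the `mbedtls_x509_crt` objects in place (presumably including the CA chain that `set_ca_cert()` hands to `mbedtls_ssl_conf_ca_chain`), the effect outlives this handshake for any certificate object that is reused, which is worth stating next to the function. Suggest a header comment along the lines of `/* Verify callback used only under CONFIG_ESP_WIFI_DISABLE_KEY_USAGE_CHECK: strips the (E)KU extension flags from each chain certificate in place so mbedtls skips key-usage enforcement; intended for certification test certs, not production. */`, and `(void) data; (void) depth; (void) flags;` as the first statements to keep `-Wunused-parameter` quiet. Reaching into `MBEDTLS_PRIVATE(ext_types)` also ties the code to mbedtls internals, so naming the mbedtls version it was checked against helps the next upgrade.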
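Review bot: `mbedtls_ssl_set_verify( &tls->ssl, tls_disable_key_usages, NULL );` in `set_client_config()` installs a context-level verify callback, and in mbedtls a callback set on the `ssl` context takes precedence over one set on `conf`; if the certificate-bundle path right below (`TLS_CONN_USE_DEFAULT_CERT_BUNDLE`) registers its own conf-level verify callback, that callback would be bypassed whenever this option is enabled. That is worth confirming against the bundle attach code, which is outside this hunk, and chaining the two callbacks if so. The spacing inside the parentheses also differs from the surrounding calls; `mbedtls_ssl_set_verify(&tls->ssl, tls_disable_key_usages, NULL);` matches the file. `set_client_config()` continues outside the hunk.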