esp_examples: Update WiFi enterprise example

docs/en/api-guides/wifi.rst

@@ -1428,7 +1428,7 @@ For establishing a secure connection, AP and Station negotiate and agree on the
      - MSCHAP and MSCHAP-V2.
 
 
-Detailed information on creating certificates and how to run wpa2_enterprise example on {IDF_TARGET_NAME} can be found in :example:`wifi/wpa2_enterprise`.
+Detailed information on creating certificates and how to run wpa2_enterprise example on {IDF_TARGET_NAME} can be found in :example:`wifi/wifi_enterprise`.
 
 .. only:: esp32s2 or esp32c3
 

examples/wifi/wifi_enterprise/README.md

@@ -1,6 +1,6 @@
 # WPA2 Enterprise Example
 
-This example shows how ESP32 connects to AP with wpa2 enterprise encryption. Example does the following steps:
+This example shows how ESP32 connects to AP with Wi-Fi enterprise encryption. The example does the following steps:
 
 1. Install CA certificate which is optional.
 2. Install client certificate and client key which is required in TLS method and optional in PEAP and TTLS methods.
@@ -9,12 +9,13 @@ This example shows how ESP32 connects to AP with wpa2 enterprise encryption. Exa
 5. Enable wpa2 enterprise.
 6. Connect to AP.
 
-*Note:* 1. The certificates currently are generated and are present in examples.wifi/wpa2_enterprise/main folder.
+*Note:* 1. The certificates currently are generated and are present in examples/wifi/wifi_enterprise/main folder.
         2. The expiration date of the certificates is 2027/06/05.
+        3. In case using suite-b, please use appropriate certificates such as RSA-3072 or p384 EC certificates.
 
 The steps to create new certificates are given below.
 
-## The file wpa2_ca.pem, wpa2_ca.key, wpa2_server.pem, wpa2_server.crt and wpa2_server.key can be used to configure AP with wpa2 enterprise encryption. 
+## The file ca.pem, ca.key, server.pem, server.crt and server.key can be used to configure AP with enterprise encryption.
 
 ## How to use Example
 
@@ -36,7 +37,7 @@ idf.py menuconfig
 idf.py -p PORT flash monitor
 ```
 
-## Steps to create wpa2_ent openssl certs
+## Steps to create enterprise openssl certs
 
 1. make directry tree
 
@@ -56,27 +57,27 @@ idf.py -p PORT flash monitor
       extendedKeyUsage = 1.3.6.1.5.5.7.3.1
 
 2. ca.pem: root certificate, foundation of certificate verigy
-  openssl req -new -x509 -keyout wpa2_ca.key -out wpa2_ca.pem
+  openssl req -new -x509 -keyout ca.key -out ca.pem
 
 3. generate rsa keys for client and server
-  openssl genrsa -out wpa2_client.key 2048
-  openssl genrsa -out wpa2_server.key 2048
+  openssl genrsa -out client.key 2048
+  openssl genrsa -out server.key 2048
 
 4. generate certificate signing req for both client and server
-  openssl req -new -key wpa2_client.key -out wpa2_client.csr
-  openssl req -new -key wpa2_server.key -out wpa2_server.csr
+  openssl req -new -key client.key -out client.csr
+  openssl req -new -key server.key -out server.csr
 
 5. create certs (.crt) for client nd server
-  openssl ca -batch -keyfile wpa2_ca.key -cert wpa2_ca.pem -in wpa2_client.csr -key (password) -out wpa2_client.crt -extensions xpserver_ext -extfile xpextensions
-  openssl ca -batch -keyfile wpa2_ca.key -cert wpa2_ca.pem -in wpa2_server.csr -key (password) -out wpa2_server.crt -extensions xpserver_ext -extfile xpextensions
+  openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr -key (password) -out client.crt -extensions xpserver_ext -extfile xpextensions
+  openssl ca -batch -keyfile ca.key -cert ca.pem -in server.csr -key (password) -out server.crt -extensions xpserver_ext -extfile xpextensions
 
 6. export .p12 files
-  openssl pkcs12 -export -out wpa2_client.p12 -inkey wpa2_client.key -in wpa2_client.crt
-  openssl pkcs12 -export -out wpa2_server.p12 -inkey wpa2_server.key -in wpa2_server.crt
+  openssl pkcs12 -export -out client.p12 -inkey client.key -in client.crt
+  openssl pkcs12 -export -out server.p12 -inkey server.key -in server.crt
 
 7. create .pem files
-  openssl pkcs12 -in wpa2_client.p12 -out wpa2_client.pem
-  openssl pkcs12 -in wpa2_server.p12 -out wpa2_server.pem
+  openssl pkcs12 -in client.p12 -out client.pem
+  openssl pkcs12 -in server.p12 -out server.pem
 
    
 

examples/wifi/wifi_enterprise/main/CMakeLists.txt

@@ -0,0 +1,4 @@
+# Embed CA, certificate & key directly into binary
+idf_component_register(SRCS "wifi_enterprise_main.c"
+                    INCLUDE_DIRS "."
+                    EMBED_TXTFILES ca.pem client.crt client.key)

examples/wifi/wifi_enterprise/main/Kconfig.projbuild

@@ -1,16 +1,35 @@
 menu "Example Configuration"
 
+    choice
+        prompt "Enterprise configuration to be used"
+        default EXAMPLE_WPA_WPA2_ENTERPRISE
+        config EXAMPLE_WPA_WPA2_ENTERPRISE
+            bool "WPA_WPA2_ENT"
+        config EXAMPLE_WPA3_ENTERPRISE
+            bool "WPA3_ENT"
+        config EXAMPLE_WPA3_192BIT_ENTERPRISE
+            bool "WPA3_192BIT_ENT"
+            depends on IDF_TARGET_ESP32C3 || IDF_TARGET_ESP32S3
+    endchoice
+
     config EXAMPLE_WIFI_SSID
         string "WiFi SSID"
         default "wpa2_test"
         help
             SSID (network name) for the example to connect to.
 
-    config EXAMPLE_VALIDATE_SERVER_CERT
-        bool "Validate server"
-        default y
-        help
-            Validate the servers' certificate using CA cert.
+    if EXAMPLE_WPA_WPA2_ENTERPRISE
+        config EXAMPLE_VALIDATE_SERVER_CERT
+            bool "Validate server"
+            default y
+            help
+                Validate the servers' certificate using CA cert.
+    endif
+
+    if !EXAMPLE_WPA_WPA2_ENTERPRISE
+        config EXAMPLE_VALIDATE_SERVER_CERT
+            default y
+    endif
 
     choice
         prompt "EAP method for the example to use"

examples/wifi/wifi_enterprise/main/component.mk

@@ -5,6 +5,6 @@
 
 # embed files from the "certs" directory as binary data symbols
 # in the app
-COMPONENT_EMBED_TXTFILES := wpa2_ca.pem
-COMPONENT_EMBED_TXTFILES += wpa2_client.crt
-COMPONENT_EMBED_TXTFILES += wpa2_client.key
+COMPONENT_EMBED_TXTFILES := ca.pem
+COMPONENT_EMBED_TXTFILES += client.crt
+COMPONENT_EMBED_TXTFILES += client.key

examples/wifi/wifi_enterprise/main/wifi_enterprise_main.c

@@ -58,9 +58,9 @@ const int CONNECTED_BIT = BIT0;
 
 static const char *TAG = "example";
 
-/* CA cert, taken from wpa2_ca.pem
-   Client cert, taken from wpa2_client.crt
-   Client key, taken from wpa2_client.key
+/* CA cert, taken from ca.pem
+   Client cert, taken from client.crt
+   Client key, taken from client.key
 
    The PEM, CRT and KEY file were provided by the person or organization
    who configured the AP with wpa2 enterprise.
@@ -69,15 +69,15 @@ static const char *TAG = "example";
    in the component.mk COMPONENT_EMBED_TXTFILES variable.
 */
 #ifdef CONFIG_EXAMPLE_VALIDATE_SERVER_CERT
-extern uint8_t ca_pem_start[] asm("_binary_wpa2_ca_pem_start");
-extern uint8_t ca_pem_end[]   asm("_binary_wpa2_ca_pem_end");
+extern uint8_t ca_pem_start[] asm("_binary_ca_pem_start");
+extern uint8_t ca_pem_end[]   asm("_binary_ca_pem_end");
 #endif /* CONFIG_EXAMPLE_VALIDATE_SERVER_CERT */
 
 #ifdef CONFIG_EXAMPLE_EAP_METHOD_TLS
-extern uint8_t client_crt_start[] asm("_binary_wpa2_client_crt_start");
-extern uint8_t client_crt_end[]   asm("_binary_wpa2_client_crt_end");
-extern uint8_t client_key_start[] asm("_binary_wpa2_client_key_start");
-extern uint8_t client_key_end[]   asm("_binary_wpa2_client_key_end");
+extern uint8_t client_crt_start[] asm("_binary_client_crt_start");
+extern uint8_t client_crt_end[]   asm("_binary_client_crt_end");
+extern uint8_t client_key_start[] asm("_binary_client_key_start");
+extern uint8_t client_key_end[]   asm("_binary_client_key_end");
 #endif /* CONFIG_EXAMPLE_EAP_METHOD_TLS */
 
 #if defined CONFIG_EXAMPLE_EAP_METHOD_TTLS
@@ -122,6 +122,18 @@ static void initialise_wifi(void)
     wifi_config_t wifi_config = {
         .sta = {
             .ssid = EXAMPLE_WIFI_SSID,
+#if defined(CONFIG_EXAMPLE_WPA3_ENTERPRISE)
+            .pmf_cfg = {
+                .capable = true,
+                .required = false
+            },
+#endif
+#if defined (CONFIG_EXAMPLE_WPA3_192BIT_ENTERPRISE)
+            .pmf_cfg = {
+                .capable = true,
+                .required = true
+            },
+#endif
         },
     };
     ESP_LOGI(TAG, "Setting WiFi configuration SSID %s...", wifi_config.sta.ssid);
@@ -129,9 +141,11 @@ static void initialise_wifi(void)
     ESP_ERROR_CHECK( esp_wifi_set_config(WIFI_IF_STA, &wifi_config) );
     ESP_ERROR_CHECK( esp_wifi_sta_wpa2_ent_set_identity((uint8_t *)EXAMPLE_EAP_ID, strlen(EXAMPLE_EAP_ID)) );
 
-#ifdef CONFIG_EXAMPLE_VALIDATE_SERVER_CERT
+#if defined(CONFIG_EXAMPLE_VALIDATE_SERVER_CERT) || \
+    defined(CONFIG_EXAMPLE_WPA3_ENTERPRISE) || \
+    defined(CONFIG_EXAMPLE_WPA3_192BIT_ENTERPRISE)
     ESP_ERROR_CHECK( esp_wifi_sta_wpa2_ent_set_ca_cert(ca_pem_start, ca_pem_bytes) );
-#endif /* CONFIG_EXAMPLE_VALIDATE_SERVER_CERT */
+#endif /* CONFIG_EXAMPLE_VALIDATE_SERVER_CERT */ /* EXAMPLE_WPA3_ENTERPRISE */
 
 #ifdef CONFIG_EXAMPLE_EAP_METHOD_TLS
     ESP_ERROR_CHECK( esp_wifi_sta_wpa2_ent_set_cert_key(client_crt_start, client_crt_bytes,\
@@ -146,7 +160,10 @@ static void initialise_wifi(void)
 #if defined CONFIG_EXAMPLE_EAP_METHOD_TTLS
     ESP_ERROR_CHECK( esp_wifi_sta_wpa2_ent_set_ttls_phase2_method(TTLS_PHASE2_METHOD) );
 #endif /* CONFIG_EXAMPLE_EAP_METHOD_TTLS */
-
+#if defined (CONFIG_EXAMPLE_WPA3_192BIT_ENTERPRISE)
+    ESP_LOGI(TAG, "Enabling 192 bit certification");
+    ESP_ERROR_CHECK(esp_wifi_sta_wpa2_set_suiteb_192bit_certification(true));
+#endif
     ESP_ERROR_CHECK( esp_wifi_sta_wpa2_ent_enable() );
     ESP_ERROR_CHECK( esp_wifi_start() );
 }

examples/wifi/wpa2_enterprise/main/CMakeLists.txt

@@ -1,4 +0,0 @@
-# Embed CA, certificate & key directly into binary
-idf_component_register(SRCS "wpa2_enterprise_main.c"
-                    INCLUDE_DIRS "."
-                    EMBED_TXTFILES wpa2_ca.pem wpa2_client.crt wpa2_client.key)

tools/ci/check_copyright_ignore.txt

@@ -3952,7 +3952,7 @@ examples/wifi/roaming/main/roaming_example.c
 examples/wifi/scan/main/scan.c
 examples/wifi/smart_config/main/smartconfig_main.c
 examples/wifi/wifi_easy_connect/dpp-enrollee/main/dpp_enrollee_main.c
-examples/wifi/wpa2_enterprise/main/wpa2_enterprise_main.c
+examples/wifi/wifi_enterprise/main/wifi_enterprise_main.c
 examples/wifi/wps/main/wps.c
 tools/ble/lib_ble_client.py
 tools/ble/lib_gap.py