fix(wpa_supplicant): Update cipher suite list for TLSv1.3 suiteb and some refactoring
- Use MBEDTLS_TLS1_3_AES_256_GCM_SHA384 cipher for TLSv1.3-suiteb - Call psa_crypto_init() in tls_connection_init() to reduce redundancypull/13473/head
rodzic
5903e9ea2b
commit
05b882baea
|
@ -494,18 +494,18 @@ menu "Wi-Fi"
|
|||
it is advisable to update your server.
|
||||
Please disable this option for compatibilty with older TLS versions.
|
||||
|
||||
config ESP_WIFI_EAP_TLS1_3
|
||||
bool "Enable EAP-TLS v1.3 Support for WiFi Enterprise connection"
|
||||
default n
|
||||
select MBEDTLS_SSL_PROTO_TLS1_3
|
||||
depends on ESP_WIFI_MBEDTLS_TLS_CLIENT && IDF_EXPERIMENTAL_FEATURES
|
||||
help
|
||||
Select this option to support EAP with TLS v1.3.
|
||||
This configuration still supports compatibility with EAP-TLS v1.2.
|
||||
Please note that enabling this configuration will cause every application which
|
||||
uses TLS go for TLS1.3 if server supports that. TLS1.3 is still in development in mbedtls
|
||||
and there may be interoperability issues with this. Please modify your application to set
|
||||
max version as TLS1.2 if you want to enable TLS1.3 only for WiFi connection.
|
||||
config ESP_WIFI_EAP_TLS1_3
|
||||
bool "Enable EAP-TLS v1.3 Support for WiFi Enterprise connection"
|
||||
default n
|
||||
select MBEDTLS_SSL_PROTO_TLS1_3
|
||||
depends on ESP_WIFI_MBEDTLS_TLS_CLIENT && IDF_EXPERIMENTAL_FEATURES
|
||||
help
|
||||
Select this option to support EAP with TLS v1.3.
|
||||
This configuration still supports compatibility with EAP-TLS v1.2.
|
||||
Please note that enabling this configuration will cause every application which
|
||||
uses TLS go for TLS1.3 if server supports that. TLS1.3 is still in development in mbedtls
|
||||
and there may be interoperability issues with this. Please modify your application to set
|
||||
max version as TLS1.2 if you want to enable TLS1.3 only for WiFi connection.
|
||||
|
||||
endif
|
||||
|
||||
|
|
|
@ -405,10 +405,10 @@ static int tls_disable_key_usages(void *data, mbedtls_x509_crt *cert, int depth,
|
|||
#endif /*CONFIG_ESP_WIFI_DISABLE_KEY_USAGE_CHECK*/
|
||||
|
||||
#if defined(CONFIG_ESP_WIFI_EAP_TLS1_3)
|
||||
#define TLS1_3_CIPHER_SUITES \
|
||||
#define TLS1_3_CIPHER_SUITES \
|
||||
MBEDTLS_TLS1_3_CHACHA20_POLY1305_SHA256, \
|
||||
MBEDTLS_TLS1_3_AES_256_GCM_SHA384, \
|
||||
MBEDTLS_TLS1_3_AES_128_GCM_SHA256, \
|
||||
MBEDTLS_TLS1_3_AES_256_GCM_SHA384, \
|
||||
MBEDTLS_TLS1_3_AES_128_GCM_SHA256, \
|
||||
MBEDTLS_TLS1_3_AES_128_CCM_8_SHA256, \
|
||||
MBEDTLS_TLS1_3_AES_128_CCM_SHA256
|
||||
#endif /* CONFIG_ESP_WIFI_EAP_TLS1_3 */
|
||||
|
@ -534,7 +534,7 @@ static const int eap_ciphersuite_preference[] =
|
|||
static const int suiteb_rsa_ciphersuite_preference[] =
|
||||
{
|
||||
#if defined(CONFIG_ESP_WIFI_EAP_TLS1_3)
|
||||
TLS1_3_CIPHER_SUITES,
|
||||
MBEDTLS_TLS1_3_AES_256_GCM_SHA384,
|
||||
#endif /* CONFIG_ESP_WIFI_EAP_TLS1_3 */
|
||||
#if defined(MBEDTLS_GCM_C)
|
||||
#if defined(MBEDTLS_SHA512_C)
|
||||
|
@ -548,7 +548,7 @@ static const int suiteb_rsa_ciphersuite_preference[] =
|
|||
static const int suiteb_ecc_ciphersuite_preference[] =
|
||||
{
|
||||
#if defined(CONFIG_ESP_WIFI_EAP_TLS1_3)
|
||||
TLS1_3_CIPHER_SUITES,
|
||||
MBEDTLS_TLS1_3_AES_256_GCM_SHA384,
|
||||
#endif /* CONFIG_ESP_WIFI_EAP_TLS1_3 */
|
||||
#if defined(MBEDTLS_GCM_C)
|
||||
#if defined(MBEDTLS_SHA512_C)
|
||||
|
@ -560,7 +560,7 @@ static const int suiteb_ecc_ciphersuite_preference[] =
|
|||
static const int suiteb_ciphersuite_preference[] =
|
||||
{
|
||||
#if defined(CONFIG_ESP_WIFI_EAP_TLS1_3)
|
||||
TLS1_3_CIPHER_SUITES,
|
||||
MBEDTLS_TLS1_3_AES_256_GCM_SHA384,
|
||||
#endif /* CONFIG_ESP_WIFI_EAP_TLS1_3 */
|
||||
#if defined(MBEDTLS_GCM_C)
|
||||
#if defined(MBEDTLS_SHA512_C)
|
||||
|
@ -797,6 +797,13 @@ struct tls_connection * tls_connection_init(void *tls_ctx)
|
|||
wpa_printf(MSG_ERROR, "TLS: Failed to allocate connection memory");
|
||||
return NULL;
|
||||
}
|
||||
#ifdef CONFIG_TLSV13
|
||||
psa_status_t status = psa_crypto_init();
|
||||
if (status != PSA_SUCCESS) {
|
||||
wpa_printf(MSG_ERROR, "Failed to initialize PSA crypto, returned %d", (int) status);
|
||||
return NULL;
|
||||
}
|
||||
#endif /* CONFIG_TLSV13 */
|
||||
return conn;
|
||||
}
|
||||
|
||||
|
@ -902,7 +909,6 @@ struct wpabuf * tls_connection_handshake(void *tls_ctx,
|
|||
tls_context_t *tls = conn->tls;
|
||||
int ret = 0;
|
||||
struct wpabuf *resp;
|
||||
int cli_state;
|
||||
|
||||
/* data freed by sender */
|
||||
conn->tls_io_data.out_data = NULL;
|
||||
|
@ -912,9 +918,11 @@ struct wpabuf * tls_connection_handshake(void *tls_ctx,
|
|||
|
||||
/* Multiple reads */
|
||||
while (!mbedtls_ssl_is_handshake_over(&tls->ssl)) {
|
||||
cli_state = tls->ssl.MBEDTLS_PRIVATE(state);
|
||||
#ifdef CONFIG_ESP_WIFI_ENT_FREE_DYNAMIC_BUFFER
|
||||
int cli_state = tls->ssl.MBEDTLS_PRIVATE(state);
|
||||
#endif /* CONFIG_ESP_WIFI_ENT_FREE_DYNAMIC_BUFFER */
|
||||
ret = mbedtls_ssl_handshake_step(&tls->ssl);
|
||||
if (ret < 0)
|
||||
if (ret < 0) {
|
||||
break;
|
||||
}
|
||||
#ifdef CONFIG_ESP_WIFI_ENT_FREE_DYNAMIC_BUFFER
|
||||
|
|
|
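Review bot: In the tls_connection_init hunk (@ -797) the new PSA failure path returns NULL after conn has already been allocated (the allocation sits just above the hunk, outside it), so a psa_crypto_init() failure leaks the connection object; release it with the matching deallocator before returning, e.g. `os_free(conn);` ahead of `return NULL;` (presumably os_free, given the os_zalloc used by the EAP inits elsewhere in this commit). The message would also read better with the file's existing prefix, `wpa_printf(MSG_ERROR, "TLS: Failed to initialize PSA crypto, returned %d", (int) status);`, matching the allocation error two lines above. In the three suiteb preference tables (@ -534, @ -548, @ -560) the single MBEDTLS_TLS1_3_AES_256_GCM_SHA384 entry matches Suite B's AES-256-GCM/SHA-384 requirement, but a TLS 1.3 cipher suite does not constrain the key-exchange group or signature algorithm; whether the P-384 / ECDSA-SHA384 restrictions are also applied on the TLS 1.3 path (for instance via mbedtls_ssl_conf_groups and mbedtls_ssl_conf_sig_algs) is not visible in these hunks and should be confirmed.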
@ -18,10 +18,6 @@
|
|||
#include "eap_peer/eap_config.h"
|
||||
#include "eap_peer/eap_methods.h"
|
||||
|
||||
#ifdef CONFIG_TLSV13
|
||||
#include "psa/crypto.h"
|
||||
#endif /* CONFIG_TLSV13 */
|
||||
|
||||
/* Maximum supported PEAP version
|
||||
* 0 = Microsoft's PEAP version 0; draft-kamath-pppext-peapv0-00.txt
|
||||
* 1 = draft-josefsson-ppext-eap-tls-eap-05.txt
|
||||
|
@ -164,13 +160,6 @@ eap_peap_init(struct eap_sm *sm)
|
|||
{
|
||||
struct eap_peap_data *data;
|
||||
struct eap_peer_config *config = eap_get_config(sm);
|
||||
#ifdef CONFIG_TLSV13
|
||||
psa_status_t status = psa_crypto_init();
|
||||
if (status != PSA_SUCCESS) {
|
||||
wpa_printf(MSG_ERROR, "EAP-PEAP: Failed to initialize PSA crypto, returned %d", (int) status);
|
||||
return NULL;
|
||||
}
|
||||
#endif /* CONFIG_TLSV13 */
|
||||
|
||||
data = (struct eap_peap_data *)os_zalloc(sizeof(*data));
|
||||
if (data == NULL)
|
||||
|
|
|
@ -16,10 +16,6 @@
|
|||
#include "eap_peer/eap_config.h"
|
||||
#include "eap_peer/eap_methods.h"
|
||||
|
||||
#ifdef CONFIG_TLSV13
|
||||
#include "psa/crypto.h"
|
||||
#endif /* CONFIG_TLSV13 */
|
||||
|
||||
|
||||
static void eap_tls_deinit(struct eap_sm *sm, void *priv);
|
||||
|
||||
|
@ -40,13 +36,7 @@ static void * eap_tls_init(struct eap_sm *sm)
|
|||
{
|
||||
struct eap_tls_data *data;
|
||||
struct eap_peer_config *config = eap_get_config(sm);
|
||||
#ifdef CONFIG_TLSV13
|
||||
psa_status_t status = psa_crypto_init();
|
||||
if (status != PSA_SUCCESS) {
|
||||
wpa_printf(MSG_ERROR, "EAP-TLS: Failed to initialize PSA crypto, returned %d", (int) status);
|
||||
return NULL;
|
||||
}
|
||||
#endif /* CONFIG_TLSV13 */
|
||||
|
||||
if (config == NULL ||
|
||||
config->private_key == 0) {
|
||||
wpa_printf(MSG_INFO, "EAP-TLS: Private key not configured");
|
||||
|
|
|
@ -22,9 +22,6 @@
|
|||
#include "eap_peer/eap_config.h"
|
||||
#include "eap_peer/eap_methods.h"
|
||||
|
||||
#ifdef CONFIG_TLSV13
|
||||
#include "psa/crypto.h"
|
||||
#endif /* CONFIG_TLSV13 */
|
||||
|
||||
#define EAP_TTLS_VERSION 0
|
||||
|
||||
|
@ -75,13 +72,6 @@ static void * eap_ttls_init(struct eap_sm *sm)
|
|||
{
|
||||
struct eap_ttls_data *data;
|
||||
struct eap_peer_config *config = eap_get_config(sm);
|
||||
#ifdef CONFIG_TLSV13
|
||||
psa_status_t status = psa_crypto_init();
|
||||
if (status != PSA_SUCCESS) {
|
||||
wpa_printf(MSG_ERROR, "EAP-TTLS: Failed to initialize PSA crypto, returned %d", (int) status);
|
||||
return NULL;
|
||||
}
|
||||
#endif /* CONFIG_TLSV13 */
|
||||
|
||||
data = (struct eap_ttls_data *)os_zalloc(sizeof(*data));
|
||||
if (data == NULL)
|
||||
|
|