fix(wpa_supplicant): Update cipher suite list for TLSv1.3 suiteb and some refactoring

- Use MBEDTLS_TLS1_3_AES_256_GCM_SHA384 cipher for TLSv1.3-suiteb - Call psa_crypto_init() in tls_connection_init() to reduce redundancy
2024-02-06 13:12:12 +05:30 · 2024-02-06 13:12:12 +05:30 · 05b882baea
commit 05b882baea
--- a/components/esp_wifi/Kconfig
+++ b/components/esp_wifi/Kconfig
@ -494,18 +494,18 @@ menu "Wi-Fi"
                    it is advisable to update your server.
                    Please disable this option for compatibilty with older TLS versions.

-        config ESP_WIFI_EAP_TLS1_3
-            bool "Enable EAP-TLS v1.3 Support for WiFi Enterprise connection"
-            default n
-            select MBEDTLS_SSL_PROTO_TLS1_3
-            depends on ESP_WIFI_MBEDTLS_TLS_CLIENT && IDF_EXPERIMENTAL_FEATURES
-            help
-                Select this option to support EAP with TLS v1.3.
-                This configuration still supports compatibility with EAP-TLS v1.2.
-                Please note that enabling this configuration will cause every application which
-                uses TLS go for TLS1.3 if server supports that. TLS1.3 is still in development in mbedtls
-                and there may be interoperability issues with this. Please modify your application to set
-                max version as TLS1.2 if you want to enable TLS1.3 only for WiFi connection.
+            config ESP_WIFI_EAP_TLS1_3
+                bool "Enable EAP-TLS v1.3 Support for WiFi Enterprise connection"
+                default n
+                select MBEDTLS_SSL_PROTO_TLS1_3
+                depends on ESP_WIFI_MBEDTLS_TLS_CLIENT && IDF_EXPERIMENTAL_FEATURES
+                help
+                    Select this option to support EAP with TLS v1.3.
+                    This configuration still supports compatibility with EAP-TLS v1.2.
+                    Please note that enabling this configuration will cause every application which
+                    uses TLS go for TLS1.3 if server supports that. TLS1.3 is still in development in mbedtls
+                    and there may be interoperability issues with this. Please modify your application to set
+                    max version as TLS1.2 if you want to enable TLS1.3 only for WiFi connection.

        endif

--- a/components/wpa_supplicant/esp_supplicant/src/crypto/tls_mbedtls.c
+++ b/components/wpa_supplicant/esp_supplicant/src/crypto/tls_mbedtls.c
@ -405,10 +405,10 @@ static int tls_disable_key_usages(void *data, mbedtls_x509_crt *cert, int depth,
 #endif /*CONFIG_ESP_WIFI_DISABLE_KEY_USAGE_CHECK*/

 #if defined(CONFIG_ESP_WIFI_EAP_TLS1_3)
-#define TLS1_3_CIPHER_SUITES \
+#define TLS1_3_CIPHER_SUITES 				\
 	MBEDTLS_TLS1_3_CHACHA20_POLY1305_SHA256,	\
-	MBEDTLS_TLS1_3_AES_256_GCM_SHA384,			\
-	MBEDTLS_TLS1_3_AES_128_GCM_SHA256,			\
+	MBEDTLS_TLS1_3_AES_256_GCM_SHA384,		\
+	MBEDTLS_TLS1_3_AES_128_GCM_SHA256,		\
 	MBEDTLS_TLS1_3_AES_128_CCM_8_SHA256,		\
 	MBEDTLS_TLS1_3_AES_128_CCM_SHA256
 #endif /* CONFIG_ESP_WIFI_EAP_TLS1_3 */
@ -534,7 +534,7 @@ static const int eap_ciphersuite_preference[] =
 static const int suiteb_rsa_ciphersuite_preference[] =
 {
 #if defined(CONFIG_ESP_WIFI_EAP_TLS1_3)
-	TLS1_3_CIPHER_SUITES,
+	MBEDTLS_TLS1_3_AES_256_GCM_SHA384,
 #endif /* CONFIG_ESP_WIFI_EAP_TLS1_3 */
 #if defined(MBEDTLS_GCM_C)
 #if defined(MBEDTLS_SHA512_C)
@ -548,7 +548,7 @@ static const int suiteb_rsa_ciphersuite_preference[] =
 static const int suiteb_ecc_ciphersuite_preference[] =
 {
 #if defined(CONFIG_ESP_WIFI_EAP_TLS1_3)
-	TLS1_3_CIPHER_SUITES,
+	MBEDTLS_TLS1_3_AES_256_GCM_SHA384,
 #endif /* CONFIG_ESP_WIFI_EAP_TLS1_3 */
 #if defined(MBEDTLS_GCM_C)
 #if defined(MBEDTLS_SHA512_C)
@ -560,7 +560,7 @@ static const int suiteb_ecc_ciphersuite_preference[] =
 static const int suiteb_ciphersuite_preference[] =
 {
 #if defined(CONFIG_ESP_WIFI_EAP_TLS1_3)
-	TLS1_3_CIPHER_SUITES,
+	MBEDTLS_TLS1_3_AES_256_GCM_SHA384,
 #endif /* CONFIG_ESP_WIFI_EAP_TLS1_3 */
 #if defined(MBEDTLS_GCM_C)
 #if defined(MBEDTLS_SHA512_C)
@ -797,6 +797,13 @@ struct tls_connection * tls_connection_init(void *tls_ctx)
 		wpa_printf(MSG_ERROR, "TLS: Failed to allocate connection memory");
 		return NULL;
 	}
+#ifdef CONFIG_TLSV13
+	psa_status_t status = psa_crypto_init();
+	if (status != PSA_SUCCESS) {
+		wpa_printf(MSG_ERROR, "Failed to initialize PSA crypto, returned %d", (int) status);
+		return NULL;
+	}
+#endif /* CONFIG_TLSV13 */
 	return conn;
 }

@ -902,7 +909,6 @@ struct wpabuf * tls_connection_handshake(void *tls_ctx,
 	tls_context_t *tls = conn->tls;
 	int ret = 0;
 	struct wpabuf *resp;
-	int cli_state;

 	/* data freed by sender */
 	conn->tls_io_data.out_data = NULL;
@ -912,9 +918,11 @@ struct wpabuf * tls_connection_handshake(void *tls_ctx,

 	/* Multiple reads */
 	while (!mbedtls_ssl_is_handshake_over(&tls->ssl)) {
-		cli_state = tls->ssl.MBEDTLS_PRIVATE(state);
+#ifdef CONFIG_ESP_WIFI_ENT_FREE_DYNAMIC_BUFFER
+		int cli_state = tls->ssl.MBEDTLS_PRIVATE(state);
+#endif /* CONFIG_ESP_WIFI_ENT_FREE_DYNAMIC_BUFFER */
 		ret = mbedtls_ssl_handshake_step(&tls->ssl);
-		if (ret < 0)
+		if (ret < 0) {
 			break;
 		}
 #ifdef CONFIG_ESP_WIFI_ENT_FREE_DYNAMIC_BUFFER
--- a/components/wpa_supplicant/src/eap_peer/eap_peap.c
+++ b/components/wpa_supplicant/src/eap_peer/eap_peap.c
@ -18,10 +18,6 @@
 #include "eap_peer/eap_config.h"
 #include "eap_peer/eap_methods.h"

-#ifdef CONFIG_TLSV13
-#include "psa/crypto.h"
-#endif /* CONFIG_TLSV13 */
-
 /* Maximum supported PEAP version
 * 0 = Microsoft's PEAP version 0; draft-kamath-pppext-peapv0-00.txt
 * 1 = draft-josefsson-ppext-eap-tls-eap-05.txt
@ -164,13 +160,6 @@ eap_peap_init(struct eap_sm *sm)
 {
 	struct eap_peap_data *data;
 	struct eap_peer_config *config = eap_get_config(sm);
-#ifdef CONFIG_TLSV13
-	psa_status_t status = psa_crypto_init();
-	if (status != PSA_SUCCESS) {
-		wpa_printf(MSG_ERROR, "EAP-PEAP: Failed to initialize PSA crypto, returned %d", (int) status);
-		return NULL;
-	}
-#endif /* CONFIG_TLSV13 */

 	data = (struct eap_peap_data *)os_zalloc(sizeof(*data));
 	if (data == NULL)
--- a/components/wpa_supplicant/src/eap_peer/eap_tls.c
+++ b/components/wpa_supplicant/src/eap_peer/eap_tls.c
@ -16,10 +16,6 @@
 #include "eap_peer/eap_config.h"
 #include "eap_peer/eap_methods.h"

-#ifdef CONFIG_TLSV13
-#include "psa/crypto.h"
-#endif /* CONFIG_TLSV13 */
-

 static void eap_tls_deinit(struct eap_sm *sm, void *priv);

@ -40,13 +36,7 @@ static void * eap_tls_init(struct eap_sm *sm)
 {
 	struct eap_tls_data *data;
 	struct eap_peer_config *config = eap_get_config(sm);
-#ifdef CONFIG_TLSV13
-	psa_status_t status = psa_crypto_init();
-	if (status != PSA_SUCCESS) {
-		wpa_printf(MSG_ERROR, "EAP-TLS: Failed to initialize PSA crypto, returned %d", (int) status);
-		return NULL;
-	}
-#endif /* CONFIG_TLSV13 */
+
 	if (config == NULL ||
 	    config->private_key == 0) {
 		wpa_printf(MSG_INFO, "EAP-TLS: Private key not configured");
--- a/components/wpa_supplicant/src/eap_peer/eap_ttls.c
+++ b/components/wpa_supplicant/src/eap_peer/eap_ttls.c
@ -22,9 +22,6 @@
 #include "eap_peer/eap_config.h"
 #include "eap_peer/eap_methods.h"

-#ifdef CONFIG_TLSV13
-#include "psa/crypto.h"
-#endif /* CONFIG_TLSV13 */

 #define EAP_TTLS_VERSION 0

@ -75,13 +72,6 @@ static void * eap_ttls_init(struct eap_sm *sm)
 {
 	struct eap_ttls_data *data;
 	struct eap_peer_config *config = eap_get_config(sm);
-#ifdef CONFIG_TLSV13
-	psa_status_t status = psa_crypto_init();
-	if (status != PSA_SUCCESS) {
-		wpa_printf(MSG_ERROR, "EAP-TTLS: Failed to initialize PSA crypto, returned %d", (int) status);
-		return NULL;
-	}
-#endif /* CONFIG_TLSV13 */

 	data = (struct eap_ttls_data *)os_zalloc(sizeof(*data));
 	if (data == NULL)