From 05b882baeac3821db7b1bf089050c445567394ce Mon Sep 17 00:00:00 2001 From: Sarvesh Bodakhe Date: Tue, 6 Feb 2024 13:12:12 +0530 Subject: [PATCH] fix(wpa_supplicant): Update cipher suite list for TLSv1.3 suiteb and some refactoring - Use MBEDTLS_TLS1_3_AES_256_GCM_SHA384 cipher for TLSv1.3-suiteb - Call psa_crypto_init() in tls_connection_init() to reduce redundancy --- components/esp_wifi/Kconfig | 24 ++++++++--------- .../esp_supplicant/src/crypto/tls_mbedtls.c | 26 ++++++++++++------- .../wpa_supplicant/src/eap_peer/eap_peap.c | 11 -------- .../wpa_supplicant/src/eap_peer/eap_tls.c | 12 +-------- .../wpa_supplicant/src/eap_peer/eap_ttls.c | 10 ------- 5 files changed, 30 insertions(+), 53 deletions(-) diff --git a/components/esp_wifi/Kconfig b/components/esp_wifi/Kconfig index 580a90f8d0..42b7fcbb38 100644 --- a/components/esp_wifi/Kconfig +++ b/components/esp_wifi/Kconfig @@ -494,18 +494,18 @@ menu "Wi-Fi" it is advisable to update your server. Please disable this option for compatibilty with older TLS versions. - config ESP_WIFI_EAP_TLS1_3 - bool "Enable EAP-TLS v1.3 Support for WiFi Enterprise connection" - default n - select MBEDTLS_SSL_PROTO_TLS1_3 - depends on ESP_WIFI_MBEDTLS_TLS_CLIENT && IDF_EXPERIMENTAL_FEATURES - help - Select this option to support EAP with TLS v1.3. - This configuration still supports compatibility with EAP-TLS v1.2. - Please note that enabling this configuration will cause every application which - uses TLS go for TLS1.3 if server supports that. TLS1.3 is still in development in mbedtls - and there may be interoperability issues with this. Please modify your application to set - max version as TLS1.2 if you want to enable TLS1.3 only for WiFi connection. + config ESP_WIFI_EAP_TLS1_3 + bool "Enable EAP-TLS v1.3 Support for WiFi Enterprise connection" + default n + select MBEDTLS_SSL_PROTO_TLS1_3 + depends on ESP_WIFI_MBEDTLS_TLS_CLIENT && IDF_EXPERIMENTAL_FEATURES + help + Select this option to support EAP with TLS v1.3. + This configuration still supports compatibility with EAP-TLS v1.2. + Please note that enabling this configuration will cause every application which + uses TLS go for TLS1.3 if server supports that. TLS1.3 is still in development in mbedtls + and there may be interoperability issues with this. Please modify your application to set + max version as TLS1.2 if you want to enable TLS1.3 only for WiFi connection. endif diff --git a/components/wpa_supplicant/esp_supplicant/src/crypto/tls_mbedtls.c b/components/wpa_supplicant/esp_supplicant/src/crypto/tls_mbedtls.c index b2d94dd65f..0af9052ca2 100644 --- a/components/wpa_supplicant/esp_supplicant/src/crypto/tls_mbedtls.c +++ b/components/wpa_supplicant/esp_supplicant/src/crypto/tls_mbedtls.c @@ -405,10 +405,10 @@ static int tls_disable_key_usages(void *data, mbedtls_x509_crt *cert, int depth, #endif /*CONFIG_ESP_WIFI_DISABLE_KEY_USAGE_CHECK*/ #if defined(CONFIG_ESP_WIFI_EAP_TLS1_3) -#define TLS1_3_CIPHER_SUITES \ +#define TLS1_3_CIPHER_SUITES \ MBEDTLS_TLS1_3_CHACHA20_POLY1305_SHA256, \ - MBEDTLS_TLS1_3_AES_256_GCM_SHA384, \ - MBEDTLS_TLS1_3_AES_128_GCM_SHA256, \ + MBEDTLS_TLS1_3_AES_256_GCM_SHA384, \ + MBEDTLS_TLS1_3_AES_128_GCM_SHA256, \ MBEDTLS_TLS1_3_AES_128_CCM_8_SHA256, \ MBEDTLS_TLS1_3_AES_128_CCM_SHA256 #endif /* CONFIG_ESP_WIFI_EAP_TLS1_3 */ @@ -534,7 +534,7 @@ static const int eap_ciphersuite_preference[] = static const int suiteb_rsa_ciphersuite_preference[] = { #if defined(CONFIG_ESP_WIFI_EAP_TLS1_3) - TLS1_3_CIPHER_SUITES, + MBEDTLS_TLS1_3_AES_256_GCM_SHA384, #endif /* CONFIG_ESP_WIFI_EAP_TLS1_3 */ #if defined(MBEDTLS_GCM_C) #if defined(MBEDTLS_SHA512_C) @@ -548,7 +548,7 @@ static const int suiteb_rsa_ciphersuite_preference[] = static const int suiteb_ecc_ciphersuite_preference[] = { #if defined(CONFIG_ESP_WIFI_EAP_TLS1_3) - TLS1_3_CIPHER_SUITES, + MBEDTLS_TLS1_3_AES_256_GCM_SHA384, #endif /* CONFIG_ESP_WIFI_EAP_TLS1_3 */ #if defined(MBEDTLS_GCM_C) #if defined(MBEDTLS_SHA512_C) @@ -560,7 +560,7 @@ static const int suiteb_ecc_ciphersuite_preference[] = static const int suiteb_ciphersuite_preference[] = { #if defined(CONFIG_ESP_WIFI_EAP_TLS1_3) - TLS1_3_CIPHER_SUITES, + MBEDTLS_TLS1_3_AES_256_GCM_SHA384, #endif /* CONFIG_ESP_WIFI_EAP_TLS1_3 */ #if defined(MBEDTLS_GCM_C) #if defined(MBEDTLS_SHA512_C) @@ -797,6 +797,13 @@ struct tls_connection * tls_connection_init(void *tls_ctx) wpa_printf(MSG_ERROR, "TLS: Failed to allocate connection memory"); return NULL; } +#ifdef CONFIG_TLSV13 + psa_status_t status = psa_crypto_init(); + if (status != PSA_SUCCESS) { + wpa_printf(MSG_ERROR, "Failed to initialize PSA crypto, returned %d", (int) status); + return NULL; + } +#endif /* CONFIG_TLSV13 */ return conn; } @@ -902,7 +909,6 @@ struct wpabuf * tls_connection_handshake(void *tls_ctx, tls_context_t *tls = conn->tls; int ret = 0; struct wpabuf *resp; - int cli_state; /* data freed by sender */ conn->tls_io_data.out_data = NULL; @@ -912,9 +918,11 @@ struct wpabuf * tls_connection_handshake(void *tls_ctx, /* Multiple reads */ while (!mbedtls_ssl_is_handshake_over(&tls->ssl)) { - cli_state = tls->ssl.MBEDTLS_PRIVATE(state); +#ifdef CONFIG_ESP_WIFI_ENT_FREE_DYNAMIC_BUFFER + int cli_state = tls->ssl.MBEDTLS_PRIVATE(state); +#endif /* CONFIG_ESP_WIFI_ENT_FREE_DYNAMIC_BUFFER */ ret = mbedtls_ssl_handshake_step(&tls->ssl); - if (ret < 0) + if (ret < 0) { break; } #ifdef CONFIG_ESP_WIFI_ENT_FREE_DYNAMIC_BUFFER diff --git a/components/wpa_supplicant/src/eap_peer/eap_peap.c b/components/wpa_supplicant/src/eap_peer/eap_peap.c index 6c8a232024..312536a880 100644 --- a/components/wpa_supplicant/src/eap_peer/eap_peap.c +++ b/components/wpa_supplicant/src/eap_peer/eap_peap.c @@ -18,10 +18,6 @@ #include "eap_peer/eap_config.h" #include "eap_peer/eap_methods.h" -#ifdef CONFIG_TLSV13 -#include "psa/crypto.h" -#endif /* CONFIG_TLSV13 */ - /* Maximum supported PEAP version * 0 = Microsoft's PEAP version 0; draft-kamath-pppext-peapv0-00.txt * 1 = draft-josefsson-ppext-eap-tls-eap-05.txt @@ -164,13 +160,6 @@ eap_peap_init(struct eap_sm *sm) { struct eap_peap_data *data; struct eap_peer_config *config = eap_get_config(sm); -#ifdef CONFIG_TLSV13 - psa_status_t status = psa_crypto_init(); - if (status != PSA_SUCCESS) { - wpa_printf(MSG_ERROR, "EAP-PEAP: Failed to initialize PSA crypto, returned %d", (int) status); - return NULL; - } -#endif /* CONFIG_TLSV13 */ data = (struct eap_peap_data *)os_zalloc(sizeof(*data)); if (data == NULL) diff --git a/components/wpa_supplicant/src/eap_peer/eap_tls.c b/components/wpa_supplicant/src/eap_peer/eap_tls.c index babf6fac34..8db2e1f417 100644 --- a/components/wpa_supplicant/src/eap_peer/eap_tls.c +++ b/components/wpa_supplicant/src/eap_peer/eap_tls.c @@ -16,10 +16,6 @@ #include "eap_peer/eap_config.h" #include "eap_peer/eap_methods.h" -#ifdef CONFIG_TLSV13 -#include "psa/crypto.h" -#endif /* CONFIG_TLSV13 */ - static void eap_tls_deinit(struct eap_sm *sm, void *priv); @@ -40,13 +36,7 @@ static void * eap_tls_init(struct eap_sm *sm) { struct eap_tls_data *data; struct eap_peer_config *config = eap_get_config(sm); -#ifdef CONFIG_TLSV13 - psa_status_t status = psa_crypto_init(); - if (status != PSA_SUCCESS) { - wpa_printf(MSG_ERROR, "EAP-TLS: Failed to initialize PSA crypto, returned %d", (int) status); - return NULL; - } -#endif /* CONFIG_TLSV13 */ + if (config == NULL || config->private_key == 0) { wpa_printf(MSG_INFO, "EAP-TLS: Private key not configured"); diff --git a/components/wpa_supplicant/src/eap_peer/eap_ttls.c b/components/wpa_supplicant/src/eap_peer/eap_ttls.c index 08f1cb504a..e664d57eff 100644 --- a/components/wpa_supplicant/src/eap_peer/eap_ttls.c +++ b/components/wpa_supplicant/src/eap_peer/eap_ttls.c @@ -22,9 +22,6 @@ #include "eap_peer/eap_config.h" #include "eap_peer/eap_methods.h" -#ifdef CONFIG_TLSV13 -#include "psa/crypto.h" -#endif /* CONFIG_TLSV13 */ #define EAP_TTLS_VERSION 0 @@ -75,13 +72,6 @@ static void * eap_ttls_init(struct eap_sm *sm) { struct eap_ttls_data *data; struct eap_peer_config *config = eap_get_config(sm); -#ifdef CONFIG_TLSV13 - psa_status_t status = psa_crypto_init(); - if (status != PSA_SUCCESS) { - wpa_printf(MSG_ERROR, "EAP-TTLS: Failed to initialize PSA crypto, returned %d", (int) status); - return NULL; - } -#endif /* CONFIG_TLSV13 */ data = (struct eap_ttls_data *)os_zalloc(sizeof(*data)); if (data == NULL)