fix(wpa_supplicant): Update cipher suite list for TLSv1.3 suiteb and some refactoring

- Use MBEDTLS_TLS1_3_AES_256_GCM_SHA384 cipher for TLSv1.3-suiteb - Call psa_crypto_init() in tls_connection_init() to reduce redundancy
2024-02-06 13:12:12 +05:30 · 2024-02-06 13:12:12 +05:30 · 05b882baea
commit 05b882baea
--- a/components/wpa_supplicant/esp_supplicant/src/crypto/tls_mbedtls.c
+++ b/components/wpa_supplicant/esp_supplicant/src/crypto/tls_mbedtls.c
@ -534,7 +534,7 @@ static const int eap_ciphersuite_preference[] =
 static const int suiteb_rsa_ciphersuite_preference[] =
 {
 #if defined(CONFIG_ESP_WIFI_EAP_TLS1_3)
-	TLS1_3_CIPHER_SUITES,
+	MBEDTLS_TLS1_3_AES_256_GCM_SHA384,
 #endif /* CONFIG_ESP_WIFI_EAP_TLS1_3 */
 #if defined(MBEDTLS_GCM_C)
 #if defined(MBEDTLS_SHA512_C)
@ -548,7 +548,7 @@ static const int suiteb_rsa_ciphersuite_preference[] =
 static const int suiteb_ecc_ciphersuite_preference[] =
 {
 #if defined(CONFIG_ESP_WIFI_EAP_TLS1_3)
-	TLS1_3_CIPHER_SUITES,
+	MBEDTLS_TLS1_3_AES_256_GCM_SHA384,
 #endif /* CONFIG_ESP_WIFI_EAP_TLS1_3 */
 #if defined(MBEDTLS_GCM_C)
 #if defined(MBEDTLS_SHA512_C)
@ -560,7 +560,7 @@ static const int suiteb_ecc_ciphersuite_preference[] =
 static const int suiteb_ciphersuite_preference[] =
 {
 #if defined(CONFIG_ESP_WIFI_EAP_TLS1_3)
-	TLS1_3_CIPHER_SUITES,
+	MBEDTLS_TLS1_3_AES_256_GCM_SHA384,
 #endif /* CONFIG_ESP_WIFI_EAP_TLS1_3 */
 #if defined(MBEDTLS_GCM_C)
 #if defined(MBEDTLS_SHA512_C)
@ -797,6 +797,13 @@ struct tls_connection * tls_connection_init(void *tls_ctx)
 		wpa_printf(MSG_ERROR, "TLS: Failed to allocate connection memory");
 		return NULL;
 	}
+#ifdef CONFIG_TLSV13
+	psa_status_t status = psa_crypto_init();
+	if (status != PSA_SUCCESS) {
+		wpa_printf(MSG_ERROR, "Failed to initialize PSA crypto, returned %d", (int) status);
+		return NULL;
+	}
+#endif /* CONFIG_TLSV13 */
 	return conn;
 }

@ -902,7 +909,6 @@ struct wpabuf * tls_connection_handshake(void *tls_ctx,
 	tls_context_t *tls = conn->tls;
 	int ret = 0;
 	struct wpabuf *resp;
-	int cli_state;

 	/* data freed by sender */
 	conn->tls_io_data.out_data = NULL;
@ -912,9 +918,11 @@ struct wpabuf * tls_connection_handshake(void *tls_ctx,

 	/* Multiple reads */
 	while (!mbedtls_ssl_is_handshake_over(&tls->ssl)) {
-		cli_state = tls->ssl.MBEDTLS_PRIVATE(state);
+#ifdef CONFIG_ESP_WIFI_ENT_FREE_DYNAMIC_BUFFER
+		int cli_state = tls->ssl.MBEDTLS_PRIVATE(state);
+#endif /* CONFIG_ESP_WIFI_ENT_FREE_DYNAMIC_BUFFER */
 		ret = mbedtls_ssl_handshake_step(&tls->ssl);
-		if (ret < 0)
+		if (ret < 0) {
 			break;
 		}
 #ifdef CONFIG_ESP_WIFI_ENT_FREE_DYNAMIC_BUFFER
--- a/components/wpa_supplicant/src/eap_peer/eap_peap.c
+++ b/components/wpa_supplicant/src/eap_peer/eap_peap.c
@ -18,10 +18,6 @@
 #include "eap_peer/eap_config.h"
 #include "eap_peer/eap_methods.h"

-#ifdef CONFIG_TLSV13
-#include "psa/crypto.h"
-#endif /* CONFIG_TLSV13 */
-
 /* Maximum supported PEAP version
 * 0 = Microsoft's PEAP version 0; draft-kamath-pppext-peapv0-00.txt
 * 1 = draft-josefsson-ppext-eap-tls-eap-05.txt
@ -164,13 +160,6 @@ eap_peap_init(struct eap_sm *sm)
 {
 	struct eap_peap_data *data;
 	struct eap_peer_config *config = eap_get_config(sm);
-#ifdef CONFIG_TLSV13
-	psa_status_t status = psa_crypto_init();
-	if (status != PSA_SUCCESS) {
-		wpa_printf(MSG_ERROR, "EAP-PEAP: Failed to initialize PSA crypto, returned %d", (int) status);
-		return NULL;
-	}
-#endif /* CONFIG_TLSV13 */

 	data = (struct eap_peap_data *)os_zalloc(sizeof(*data));
 	if (data == NULL)
--- a/components/wpa_supplicant/src/eap_peer/eap_tls.c
+++ b/components/wpa_supplicant/src/eap_peer/eap_tls.c
@ -16,10 +16,6 @@
 #include "eap_peer/eap_config.h"
 #include "eap_peer/eap_methods.h"

-#ifdef CONFIG_TLSV13
-#include "psa/crypto.h"
-#endif /* CONFIG_TLSV13 */
-

 static void eap_tls_deinit(struct eap_sm *sm, void *priv);

@ -40,13 +36,7 @@ static void * eap_tls_init(struct eap_sm *sm)
 {
 	struct eap_tls_data *data;
 	struct eap_peer_config *config = eap_get_config(sm);
-#ifdef CONFIG_TLSV13
-	psa_status_t status = psa_crypto_init();
-	if (status != PSA_SUCCESS) {
-		wpa_printf(MSG_ERROR, "EAP-TLS: Failed to initialize PSA crypto, returned %d", (int) status);
-		return NULL;
-	}
-#endif /* CONFIG_TLSV13 */
+
 	if (config == NULL ||
 	    config->private_key == 0) {
 		wpa_printf(MSG_INFO, "EAP-TLS: Private key not configured");
--- a/components/wpa_supplicant/src/eap_peer/eap_ttls.c
+++ b/components/wpa_supplicant/src/eap_peer/eap_ttls.c
@ -22,9 +22,6 @@
 #include "eap_peer/eap_config.h"
 #include "eap_peer/eap_methods.h"

-#ifdef CONFIG_TLSV13
-#include "psa/crypto.h"
-#endif /* CONFIG_TLSV13 */

 #define EAP_TTLS_VERSION 0

@ -75,13 +72,6 @@ static void * eap_ttls_init(struct eap_sm *sm)
 {
 	struct eap_ttls_data *data;
 	struct eap_peer_config *config = eap_get_config(sm);
-#ifdef CONFIG_TLSV13
-	psa_status_t status = psa_crypto_init();
-	if (status != PSA_SUCCESS) {
-		wpa_printf(MSG_ERROR, "EAP-TTLS: Failed to initialize PSA crypto, returned %d", (int) status);
-		return NULL;
-	}
-#endif /* CONFIG_TLSV13 */

 	data = (struct eap_ttls_data *)os_zalloc(sizeof(*data));
 	if (data == NULL)