Merge branch 'bugfix/add_unregister_wpa3_cb' into 'master'

wpa_supplicant : Fix issues encountered in WFA testing Closes WIFI-5386 See merge request espressif/esp-idf!22396
espressif · Mar 7, 2023 · 58b3692 · 58b3692
2 parents cf68a4c + 20c316d
commit 58b3692
Show file tree

Hide file tree

Showing 5 changed files with 36 additions and 2 deletions.
diff --git a/components/wpa_supplicant/esp_supplicant/src/crypto/tls_mbedtls.c b/components/wpa_supplicant/esp_supplicant/src/crypto/tls_mbedtls.c
@@ -27,6 +27,7 @@
 #include "mbedtls/ctr_drbg.h"
 #include "mbedtls/entropy.h"
 #include "mbedtls/debug.h"
+#include "mbedtls/oid.h"
 #ifdef ESPRESSIF_USE
 #include "mbedtls/esp_debug.h"
 #include "mbedtls/esp_config.h"
@@ -194,7 +195,6 @@ static int set_ca_cert(tls_context_t *tls, const unsigned char *cacert, size_t c
 	}
 	mbedtls_ssl_conf_authmode(&tls->conf, MBEDTLS_SSL_VERIFY_REQUIRED);
 	mbedtls_ssl_conf_ca_chain(&tls->conf, tls->cacert_ptr, NULL);
-
 	return 0;
 }
 
@@ -290,6 +290,14 @@ static void tls_enable_sha1_config(tls_context_t *tls)
 	mbedtls_ssl_conf_cert_profile(&tls->conf, crt_profile);
 	mbedtls_ssl_conf_sig_algs(&tls->conf, tls_sig_algs_for_eap);
 }
+#ifdef CONFIG_ESP_WIFI_DISABLE_KEY_USAGE_CHECK
+static int tls_disable_key_usages(void *data, mbedtls_x509_crt *cert, int depth, uint32_t *flags)
+{
+	cert->MBEDTLS_PRIVATE(ext_types) &= ~MBEDTLS_X509_EXT_KEY_USAGE;
+	cert->MBEDTLS_PRIVATE(ext_types) &= ~MBEDTLS_X509_EXT_EXTENDED_KEY_USAGE;
+	return 0;
+}
+#endif /*CONFIG_ESP_WIFI_DISABLE_KEY_USAGE_CHECK*/
 
 static const int eap_ciphersuite_preference[] =
 {
@@ -519,6 +527,10 @@ static int set_client_config(const struct tls_connection_params *cfg, tls_contex
 	 * but doesn't take that much processing power */
 	tls_set_ciphersuite(cfg, tls);
 
+#ifdef CONFIG_ESP_WIFI_DISABLE_KEY_USAGE_CHECK
+	mbedtls_ssl_set_verify( &tls->ssl, tls_disable_key_usages, NULL );
+#endif /*CONFIG_ESP_WIFI_DISABLE_KEY_USAGE_CHECK*/
+
 #ifdef CONFIG_MBEDTLS_CERTIFICATE_BUNDLE
 	if (cfg->flags & TLS_CONN_USE_DEFAULT_CERT_BUNDLE) {
 		wpa_printf(MSG_INFO, "Using default cert bundle");

diff --git a/components/wpa_supplicant/esp_supplicant/src/esp_wpa3.c b/components/wpa_supplicant/esp_supplicant/src/esp_wpa3.c
@@ -322,6 +322,14 @@ void esp_wifi_register_wpa3_cb(struct wpa_funcs *wpa_cb)
     wpa_cb->wpa3_parse_sae_msg = wpa3_parse_sae_msg;
 }
 
+void esp_wifi_unregister_wpa3_cb(void)
+{
+    extern struct wpa_funcs *wpa_cb;
+
+    wpa_cb->wpa3_build_sae_msg = NULL;
+    wpa_cb->wpa3_parse_sae_msg = NULL;
+
+}
 #endif /* CONFIG_WPA3_SAE */
 
 #ifdef CONFIG_SAE

diff --git a/components/wpa_supplicant/esp_supplicant/src/esp_wpa_main.c b/components/wpa_supplicant/esp_supplicant/src/esp_wpa_main.c
@@ -40,6 +40,7 @@
 #include "wps/wps_defs.h"
 
 const wifi_osi_funcs_t *wifi_funcs;
+struct wpa_funcs *wpa_cb;
 
 void  wpa_install_key(enum wpa_alg alg, u8 *addr, int key_idx, int set_tx,
                       u8 *seq, size_t seq_len, u8 *key, size_t key_len, enum key_flag key_flag)
@@ -311,7 +312,6 @@ static bool hostap_sta_join(void **sta, u8 *bssid, u8 *wpa_ie, u8 wpa_ie_len,u8
 int esp_supplicant_init(void)
 {
     int ret = ESP_OK;
-    struct wpa_funcs *wpa_cb;
 
     wifi_funcs = WIFI_OSI_FUNCS_INITIALIZER();
     if (!wifi_funcs) {
@@ -371,5 +371,6 @@ int esp_supplicant_deinit(void)
 {
     esp_supplicant_common_deinit();
     eloop_destroy();
+    wpa_cb = NULL;
     return esp_wifi_unregister_wpa_cb_internal();
 }
diff --git a/components/wpa_supplicant/src/eap_peer/eap.c b/components/wpa_supplicant/src/eap_peer/eap.c
@@ -646,6 +646,7 @@ void eap_peer_config_deinit(struct eap_sm *sm)
 	os_free(sm->config.new_password);
 	os_free(sm->config.eap_methods);
 	os_bzero(&sm->config, sizeof(struct eap_peer_config));
+	config_methods = NULL;
 }
 
 int eap_peer_blob_init(struct eap_sm *sm)

diff --git a/components/wpa_supplicant/src/rsn_supp/wpa.c b/components/wpa_supplicant/src/rsn_supp/wpa.c
@@ -2372,6 +2372,18 @@ int wpa_set_bss(char *macddr, char * bssid, u8 pairwise_cipher, u8 group_cipher,
                 wpa_printf(MSG_ERROR, "suite-b 192bit certification, only GMAC256 is supported");
                 return -1;
             }
+            if (sm->group_cipher != WPA_CIPHER_GCMP_256) {
+                wpa_printf(MSG_ERROR, "suite-b 192bit certification, only group GCMP256 is supported for group data cipher.");
+                return -1;
+            }
+            if (sm->pairwise_cipher != WPA_CIPHER_GCMP_256) {
+               wpa_printf(MSG_ERROR,"suite-b 192bit certification, only group GCMP256 is supported for pairwise cipher");
+               return -1;
+            }
+            if (sm->key_mgmt != WPA_KEY_MGMT_IEEE8021X_SUITE_B_192) {
+                wpa_printf(MSG_ERROR, "suite-b 192bit certification, 192bit akm supported");
+                return -1;
+            }
         }
 #endif
     } else {