diff --git a/doc/connectivity/networking/api/wifi.rst b/doc/connectivity/networking/api/wifi.rst
index 7f322bf2486..a06fda8f862 100644
--- a/doc/connectivity/networking/api/wifi.rst
+++ b/doc/connectivity/networking/api/wifi.rst
@@ -30,37 +30,63 @@ Wi-Fi PSA crypto supported build To enable PSA crypto API supported Wi-Fi build, the :kconfig:option:`CONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO_ALT` and the :kconfig:option:`CONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO_MBEDTLS_PSA` need to be set. -Wi-Fi Enterprise test: X.509 Certificate header generation -********************************************************** +Wi-Fi Enterprise test: X.509 Certificate management +*************************************************** -Wi-Fi enterprise security requires use of X.509 certificates, test certificates -in PEM format are committed to the repo at :zephyr_file:`samples/net/wifi/test_certs` and the during the +Wi-Fi enterprise security requires use of X.509 certificates, two methods of installing certificates are supported: + +Compile time certificates +------------------------- + +Test certificates in PEM format are committed to the repo at :zephyr_file:`samples/net/wifi/test_certs` and the during the build process the certificates are converted to a C header file that is included by the Wi-Fi shell module. +If you want to use your own certificates, you can replace the existing certificates with your own certificates in the same directory. + +.. code-block:: bash + + $ export CERTS_DIR=samples/net/wifi/test_certs/rsa3k + $ cp client.pem $CERTS_DIR + $ cp client-key.pem $CERTS_DIR + $ cp ca.pem $CERTS_DIR + $ cp client2.pem $CERTS_DIR + $ cp client-key2.pem $CERTS_DIR + $ cp ca2.pem $CERTS_DIR + $ west build -p -b samples/net/wifi -S wifi-enterprise + +or alternatively copy ``rsa2k`` certificates by changing the ``CERTS_DIR`` environment variable. + .. 
code-block:: bash - $ cp client.pem samples/net/wifi/test_certs/ - $ cp client-key.pem samples/net/wifi/test_certs/ - $ cp ca.pem samples/net/wifi/test_certs/ - $ cp client2.pem samples/net/wifi/test_certs/ - $ cp client-key2.pem samples/net/wifi/test_certs/ - $ cp ca2.pem samples/net/wifi/test_certs/ - $ west build -p -b samples/net/wifi -- -DEXTRA_CONF_FILE=overlay-enterprise.conf + $ export CERTS_DIR=samples/net/wifi/test_certs/rsa2k + +or you can set the :envvar:`WIFI_TEST_CERTS_DIR` environment variable to point to the directory containing your certificates. + +.. code-block:: bash + + $ west build -p -b samples/net/wifi -S wifi-enterprise -- -DWIFI_TEST_CERTS_DIR= + +Run time certificates +--------------------- + +The Wi-Fi shell module uses TLS credentials subsystem to store and manage the certificates. The certificates can be added at runtime using the shell commands, see :ref:`tls_credentials_shell` for more details. +The sample or application need to enable the :kconfig:option:`CONFIG_WIFI_SHELL_RUNTIME_CERTIFICATES` option to use this feature. -For using variable size network buffer, the following overlay file can be used: +To facilitate installation of the certificates, a helper script is provided in the ``samples/net/wifi/test_certs`` directory. The script can be used to install the certificates at runtime. .. code-block:: bash - $ west build -p -b samples/net/wifi -- -DEXTRA_CONF_FILE=overlay-enterprise-variable-bufs.conf + $ samples/net/wifi/test_certs/install_certs.sh samples/net/wifi/test_certs/rsa2k +The script will install the certificates in the ``rsa2k`` directory to the TLS credentials store in the device over UART and using TLS credentials shell commands. To initiate Wi-Fi connection, the following command can be used: .. 
code-block:: console - uart:~$ wifi connect -s -c 149 -k 17 -w 2 -a client1 --key1-pwd whatever --key2-pwd whatever --eap-id1 id1 --eap-pwd1 pwd1 + uart:~$ wifi connect -s -c 149 -k 7 -w 2 -a client1 --key1-pwd whatever --key2-pwd whatever Server certificate is also provided in the same directory for testing purposes. Any AAA server can be used for testing purposes, for example, ``FreeRADIUS`` or ``hostapd``. diff --git a/drivers/wifi/nrf_wifi/src/wifi_mgmt_scan.c b/drivers/wifi/nrf_wifi/src/wifi_mgmt_scan.c index f85c71c4f5f..e30f572aeb3 100644 --- a/drivers/wifi/nrf_wifi/src/wifi_mgmt_scan.c +++ b/drivers/wifi/nrf_wifi/src/wifi_mgmt_scan.c @@ -297,8 +297,6 @@ static inline enum wifi_security_type drv_to_wifi_mgmt(int drv_security_type) return WIFI_SECURITY_TYPE_WAPI; case NRF_WIFI_EAP: return WIFI_SECURITY_TYPE_EAP; - case NRF_WIFI_EAP_TLS_SHA256: - return WIFI_SECURITY_TYPE_EAP_TLS_SHA256; default: return WIFI_SECURITY_TYPE_UNKNOWN; } diff --git a/include/zephyr/net/wifi.h b/include/zephyr/net/wifi.h index e74a44cafd4..dbe643c4d02 100644 --- a/include/zephyr/net/wifi.h +++ b/include/zephyr/net/wifi.h @@ -76,8 +76,6 @@ enum wifi_security_type { WIFI_SECURITY_TYPE_EAP_TTLS_MSCHAPV2, /** EAP PEAP security - Enterprise. */ WIFI_SECURITY_TYPE_EAP_PEAP_TLS, - /** EAP TLS SHA256 security - Enterprise. */ - WIFI_SECURITY_TYPE_EAP_TLS_SHA256, /** FT-PSK security */ WIFI_SECURITY_TYPE_FT_PSK, /** FT-SAE security */ diff --git a/modules/hostap/src/supp_api.c b/modules/hostap/src/supp_api.c index fe697204fa3..8be2b085bdd 100644 --- a/modules/hostap/src/supp_api.c +++ b/modules/hostap/src/supp_api.c @@ -481,7 +481,6 @@ static struct wifi_eap_config eap_config[] = { "auth=MSCHAPV2"}, {WIFI_SECURITY_TYPE_EAP_PEAP_TLS, WIFI_EAP_TYPE_PEAP, WIFI_EAP_TYPE_TLS, "PEAP", "auth=TLS"}, - {WIFI_SECURITY_TYPE_EAP_TLS_SHA256, WIFI_EAP_TYPE_TLS, WIFI_EAP_TYPE_NONE, "TLS", NULL}, }; int process_cipher_config(struct wifi_connect_req_params *params, 
@@ -517,10 +516,6 @@ int process_cipher_config(struct wifi_connect_req_params *params, } } - if (params->security == WIFI_SECURITY_TYPE_EAP_TLS_SHA256) { - cipher_config->key_mgmt = "WPA-EAP-SHA256"; - } - for (index = 0; index < ARRAY_SIZE(ciphers); index++) { if (cipher_capa == ciphers[index].capa) { cipher_config->group_cipher = ciphers[index].name; @@ -557,8 +552,7 @@ static int is_eap_valid_security(int security) security == WIFI_SECURITY_TYPE_EAP_PEAP_MSCHAPV2 || security == WIFI_SECURITY_TYPE_EAP_PEAP_GTC || security == WIFI_SECURITY_TYPE_EAP_TTLS_MSCHAPV2 || - security == WIFI_SECURITY_TYPE_EAP_PEAP_TLS || - security == WIFI_SECURITY_TYPE_EAP_TLS_SHA256); + security == WIFI_SECURITY_TYPE_EAP_PEAP_TLS); } #endif diff --git a/samples/net/wifi/shell/overlay-enterprise.conf b/samples/net/wifi/shell/overlay-enterprise.conf deleted file mode 100644 index ba6d958f9a5..00000000000 --- a/samples/net/wifi/shell/overlay-enterprise.conf +++ /dev/null @@ -1,10 +0,0 @@ -CONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE=y -# EAP frames are ~1100 bytes, so, need higher packet counts as default packet size is 128 -CONFIG_NET_PKT_TX_COUNT=36 -CONFIG_NET_PKT_RX_COUNT=36 -CONFIG_NET_BUF_TX_COUNT=72 -CONFIG_NET_BUF_RX_COUNT=36 -# For TLS and X.509 processing MbedTLS needs large heap size and using separate heap -# for MbedTLS gives us more control over the heap size. -CONFIG_MBEDTLS_ENABLE_HEAP=y -CONFIG_MBEDTLS_HEAP_SIZE=70000 diff --git a/samples/net/wifi/shell/prj.conf b/samples/net/wifi/shell/prj.conf index ab3d718f06b..e1a1b40a409 100644 --- a/samples/net/wifi/shell/prj.conf +++ b/samples/net/wifi/shell/prj.conf @@ -31,10 +31,6 @@ CONFIG_NET_STATISTICS_PERIODIC_OUTPUT=n CONFIG_WIFI=y CONFIG_WIFI_LOG_LEVEL_ERR=y CONFIG_NET_L2_WIFI_SHELL=y - -CONFIG_MBEDTLS_ENABLE_HEAP=y -CONFIG_MBEDTLS_HEAP_SIZE=70000 - # printing of scan results puts pressure on queues in new locking # design in net_mgmt. So, use a higher timeout for a crowded # environment. 
diff --git a/samples/net/wifi/test_certs/install_certs.sh b/samples/net/wifi/test_certs/install_certs.sh
new file mode 100755
index 00000000000..4a6940dc522
--- /dev/null
+++ b/samples/net/wifi/test_certs/install_certs.sh
@@ -0,0 +1,135 @@
+#!/usr/bin/env bash
+# Copyright (c) 2025, Nordic Semiconductor ASA
+# SPDX-License-Identifier: Apache-2.0
+#
+# This script installs Wi-Fi certificates to a device using the `device_credentials_installer` tool.
+#
+# shellcheck disable=SC2086,SC2154
+# Usage:
+# ./install_certs.sh [port] [mode]
+#
+# Arguments:
+# Path to the directory containing the certificate files.
+# [port] (Optional) Serial port to use for communication with the device. Default is
+# /dev/ttyACM1.
+# [mode] (Optional) Mode of operation: AP or STA. Default is STA.
+#
+# Dependencies:
+# - `device_credentials_installer` tool must be installed. You can install it using:
+# pip3 install nrfcloud-utils
+#
+# Certificate Files:
+# The script expects the following certificate files in the specified directory:
+# - ca.pem: CA certificate for Wi-Fi Enterprise mode (Phase 1)
+# - client-key.pem: Client private key for Wi-Fi Enterprise mode (Phase 1)
+# - server-key.pem: Server private key for Wi-Fi Enterprise mode, for used in AP mode.
+# - client.pem: Client certificate for Wi-Fi Enterprise mode (Phase 1)
+# - server.pem: Server certificate for Wi-Fi Enterprise mode, for used in AP mode.
+# - ca2.pem: CA certificate for Wi-Fi Enterprise mode (Phase 2)
+# - client-key2.pem: Client private key for Wi-Fi Enterprise mode (Phase 2)
+# - client2.pem: Client certificate for Wi-Fi Enterprise mode (Phase 2)
+#
+# Each certificate file is associated with a specific security tag (sec_tag) which is used during
+# installation.
+#
+# The script performs the following steps:
+# 1. Checks if the required arguments are provided.
+# 2. Validates the existence of the certificate directory.
+# 3. Checks if the `device_credentials_installer` tool is available.
+# 4. Iterates over the expected certificate files and installs them to the device if they exist.
+# 5. Logs the success or failure of each certificate installation.
+#
+# Note:
+# - If a certificate file is missing, the script will skip its installation and log a warning.
+# - The script will terminate on the first encountered error (set -e).
+set -e
+
+if [ -z "$1" ]; then
+ echo -e "\033[31mError: Usage: $0 [port] [mode]\033[0m"
+ exit 1
+fi
+
+CERT_PATH=$1
+PORT=${2:-/dev/ttyACM1} # Default port is /dev/ttyACM1 if not provided
+MODE=${3:-STA} # Default mode is STA if not provided
+
+if [ ! -d "$CERT_PATH" ]; then
+ echo -e "\033[31mError: Directory $CERT_PATH does not exist.\033[0m"
+ exit 1
+fi
+
+echo -e "\033[33mWarning: Please make sure that the UART is not being used by another" \
+ " application.\033[0m"
+
+read -r -p "Press Enter to continue or Ctrl+C to exit..."
+
+if ! command -v device_credentials_installer &> /dev/null; then
+ echo -e "\033[31mError: device_credentials_installer could not be found.\033[0m"
+ echo "Please install it using: pip3 install nrfcloud-utils"
+ exit 1
+fi
+
+INSTALLED_VERSION=$(pip3 show nrfcloud-utils | grep Version | awk '{print $2}')
+REQUIRED_VERSION="1.0.4"
+
+if [ "$(printf '%s\n' "$REQUIRED_VERSION" "$INSTALLED_VERSION" | sort -V | head -n1)" != \
+"$REQUIRED_VERSION" ]; then
+ echo -e "\033[31mError: device_credentials_installer >= $REQUIRED_VERSION required. Installed: \
+$INSTALLED_VERSION.\033[0m"
+ echo "Update: pip3 install --upgrade nrfcloud-utils"
+ exit 1
+fi
+
+# From zephyr/subsys/net/lib/tls_credentials/tls_credentials_shell.c
+TLS_CREDENTIAL_CA_CERTIFICATE=0 # CA
+TLS_CREDENTIAL_PUBLIC_CERTIFICATE=1 # SERV
+TLS_CREDENTIAL_PRIVATE_KEY=2 # PK
+
+
+WIFI_CERT_SEC_TAG_BASE=0x1020001
+declare -A WIFI_CERT_SEC_TAG_MAP=(
+ ["ca.pem"]="{\"$TLS_CREDENTIAL_CA_CERTIFICATE\" $((WIFI_CERT_SEC_TAG_BASE))}"
+ ["client-key.pem"]="{\"$TLS_CREDENTIAL_PRIVATE_KEY\" $((WIFI_CERT_SEC_TAG_BASE + 1))}"
+ ["server-key.pem"]="{\"$TLS_CREDENTIAL_PRIVATE_KEY\" $((WIFI_CERT_SEC_TAG_BASE + 2))}"
+ ["client.pem"]="{\"$TLS_CREDENTIAL_PUBLIC_CERTIFICATE\" $((WIFI_CERT_SEC_TAG_BASE + 3))}"
+ ["server.pem"]="{\"$TLS_CREDENTIAL_PUBLIC_CERTIFICATE\" $((WIFI_CERT_SEC_TAG_BASE + 4))}"
+ ["ca2.pem"]="{\"$TLS_CREDENTIAL_CA_CERTIFICATE\" $((WIFI_CERT_SEC_TAG_BASE + 5))}"
+ ["client-key2.pem"]="{\"$TLS_CREDENTIAL_PRIVATE_KEY\" $((WIFI_CERT_SEC_TAG_BASE + 6))}"
+ ["client2.pem"]="{\"$TLS_CREDENTIAL_PUBLIC_CERTIFICATE\" $((WIFI_CERT_SEC_TAG_BASE + 7))}"
+)
+
+# Select certificates based on mode
+if [ "$MODE" == "AP" ]; then
+ CERT_FILES=("ca.pem" "server-key.pem" "server.pem")
+else
+ CERT_FILES=("ca.pem" "client-key.pem" "client.pem" "ca2.pem" "client-key2.pem" "client2.pem")
+fi
+
+total_certs=${#CERT_FILES[@]}
+processed_certs=0
+
+for cert in "${CERT_FILES[@]}"; do
+ processed_certs=$((processed_certs + 1))
+ echo "Processing certificate $processed_certs of $total_certs: $cert"
+
+ if [ ! -f "$CERT_PATH/$cert" ]; then
+ echo -e "\033[31mWarning: Certificate file $CERT_PATH/$cert does not exist. Skipping...\033[0m"
+ continue
+ fi
+
+ cert_info=${WIFI_CERT_SEC_TAG_MAP[$cert]}
+ cert_type=$(echo "$cert_info" | awk -F'[{} ]' '{print $2}' | tr -d '"')
+ cert_type_int=$((10#$cert_type))
+ sec_tag=$(echo "$cert_info" | awk -F'[{} ]' '{print $3}' | tr -d '"')
+ sec_tag_int=$((10#$sec_tag))
+ if device_credentials_installer --local-cert-file "$CERT_PATH/$cert" \
+ --cmd-type tls_cred_shell --delete \
+ --port $PORT -S $sec_tag_int --cert-type $cert_type_int; then
+ echo "Successfully installed $cert."
+ else
+ echo -e "\033[31mFailed to install $cert.\033[0m"
+ fi
+done
+
+
+echo "Certificate installation process completed."
diff --git a/samples/net/wifi/test_certs/rsa2k/ca.pem b/samples/net/wifi/test_certs/rsa2k/ca.pem
new file mode 100644
index 00000000000..a267be8fe47
--- /dev/null
+++ b/samples/net/wifi/test_certs/rsa2k/ca.pem
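Review bot: In install_certs.sh a failed installation never changes the exit status: the `device_credentials_installer` call sits inside an `if`, so `set -e` does not fire for it, the `else` branch only prints, and the script still ends with "Certificate installation process completed." and exit 0. The header comment's statement that the script terminates on the first encountered error is therefore not true for the install step, and a device can be left with a partial credential set (for example a CA without the matching client key) without the caller or a CI job noticing. Record the failure in the `else` branch with `failed=1` and put `[ "${failed:-0}" -eq 0 ] || exit 1` before the final message, or correct the header comment to say that install failures are only logged. Separately, `--port $PORT` is unquoted under the file-wide `shellcheck disable=SC2086`; writing `--port "$PORT"` would let that suppression be dropped.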
@@ -0,0 +1,29 @@ +-----BEGIN CERTIFICATE----- +MIIE+TCCA+GgAwIBAgIUH614zvmCngpSc26BLLFu2loqvfgwDQYJKoZIhvcNAQEL +BQAwgZIxCzAJBgNVBAYTAkZSMQ8wDQYDVQQIDAZSYWRpdXMxEjAQBgNVBAcMCVNv +bWV3aGVyZTEUMBIGA1UECgwLRXhhbXBsZSBJbmMxIDAeBgkqhkiG9w0BCQEWEWFk +bWluQGV4YW1wbGUub3JnMSYwJAYDVQQDDB1FeGFtcGxlIENlcnRpZmljYXRlIEF1 +dGhvcml0eTAgFw0yNTAzMjcxMjUwNDhaGA8yMDUyMDgxMTEyNTA0OFowgZIxCzAJ +BgNVBAYTAkZSMQ8wDQYDVQQIDAZSYWRpdXMxEjAQBgNVBAcMCVNvbWV3aGVyZTEU +MBIGA1UECgwLRXhhbXBsZSBJbmMxIDAeBgkqhkiG9w0BCQEWEWFkbWluQGV4YW1w +bGUub3JnMSYwJAYDVQQDDB1FeGFtcGxlIENlcnRpZmljYXRlIEF1dGhvcml0eTCC +ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALljCArLJs7rdS4pJDrpbSd3 +pNCo1skN3h9FSdboWnz5uvy4dUfOQcPzd1i/Kav7R+eURTIlIe24slDobYW7dS+u +U+mlw8yzd6Xs9L8BvHrE/JvHMdaCubSWJwJ+BtTZMAvwfpysw0TrYgUw10v4O6PU +0ri80I/79IKXCQjLnoqrf7OylYnSeuufMrcojZlqMD444EcJS8OAhm648D7w9xWp +YwGhhV7gLgFZfIZ3vq/VQE6//pasHZ4P2bdej4Up7Nhsqa3qLtPYlUsJB8uTp04h +YLA600hKoGKJiW1fHrmVIQiYamwkpUSmhY1mw/RJ0GbWE1BT+vLC2BMckw+cwF0C +AwEAAaOCAUEwggE9MB0GA1UdDgQWBBTgzBbVi3ycphRotu7Am6ynMwVAyTCB0gYD +VR0jBIHKMIHHgBTgzBbVi3ycphRotu7Am6ynMwVAyaGBmKSBlTCBkjELMAkGA1UE +BhMCRlIxDzANBgNVBAgMBlJhZGl1czESMBAGA1UEBwwJU29tZXdoZXJlMRQwEgYD +VQQKDAtFeGFtcGxlIEluYzEgMB4GCSqGSIb3DQEJARYRYWRtaW5AZXhhbXBsZS5v +cmcxJjAkBgNVBAMMHUV4YW1wbGUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5ghQfrXjO ++YKeClJzboEssW7aWiq9+DAPBgNVHRMBAf8EBTADAQH/MDYGA1UdHwQvMC0wK6Ap +oCeGJWh0dHA6Ly93d3cuZXhhbXBsZS5jb20vZXhhbXBsZV9jYS5jcmwwDQYJKoZI +hvcNAQELBQADggEBAAV8StX4zFbOqcNVzF0JaZGu7CquFR4pOjCbM9XJVcwCxc0+ +DtIxy+w9KMLGgwB6LHh51tAExCR3UTktG8FqFxdjESCD8qlQoLU1uzt0kadKvQUr +wjn8ToEp1UP8UZa+SzaXVAYv09DC+VMYqBmkUtze/F5LC0LMWQBR3bn2EGdwBoMl +k2Gq6BdJZRCotyraSvG01mMyORY6UzLi25WFVg6B284VlD0cqFqmUMEmk2f76Ix3 +WpUkoGZ/ArAoS6+vaFmSrhZ9W+YBfBoBgjXrGMKi2dkUUngbm4yGxrhnN1MFu2lA +xnBWRxSQjzLGzqQP/bfxAVlNyXwQNPETGVZpGzc= +-----END CERTIFICATE----- diff --git a/samples/net/wifi/test_certs/rsa2k/ca2.pem b/samples/net/wifi/test_certs/rsa2k/ca2.pem new file mode 100644 index 00000000000..a267be8fe47 --- /dev/null 
+++ b/samples/net/wifi/test_certs/rsa2k/ca2.pem @@ -0,0 +1,29 @@ +-----BEGIN CERTIFICATE----- +MIIE+TCCA+GgAwIBAgIUH614zvmCngpSc26BLLFu2loqvfgwDQYJKoZIhvcNAQEL +BQAwgZIxCzAJBgNVBAYTAkZSMQ8wDQYDVQQIDAZSYWRpdXMxEjAQBgNVBAcMCVNv +bWV3aGVyZTEUMBIGA1UECgwLRXhhbXBsZSBJbmMxIDAeBgkqhkiG9w0BCQEWEWFk +bWluQGV4YW1wbGUub3JnMSYwJAYDVQQDDB1FeGFtcGxlIENlcnRpZmljYXRlIEF1 +dGhvcml0eTAgFw0yNTAzMjcxMjUwNDhaGA8yMDUyMDgxMTEyNTA0OFowgZIxCzAJ +BgNVBAYTAkZSMQ8wDQYDVQQIDAZSYWRpdXMxEjAQBgNVBAcMCVNvbWV3aGVyZTEU +MBIGA1UECgwLRXhhbXBsZSBJbmMxIDAeBgkqhkiG9w0BCQEWEWFkbWluQGV4YW1w +bGUub3JnMSYwJAYDVQQDDB1FeGFtcGxlIENlcnRpZmljYXRlIEF1dGhvcml0eTCC +ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALljCArLJs7rdS4pJDrpbSd3 +pNCo1skN3h9FSdboWnz5uvy4dUfOQcPzd1i/Kav7R+eURTIlIe24slDobYW7dS+u +U+mlw8yzd6Xs9L8BvHrE/JvHMdaCubSWJwJ+BtTZMAvwfpysw0TrYgUw10v4O6PU +0ri80I/79IKXCQjLnoqrf7OylYnSeuufMrcojZlqMD444EcJS8OAhm648D7w9xWp +YwGhhV7gLgFZfIZ3vq/VQE6//pasHZ4P2bdej4Up7Nhsqa3qLtPYlUsJB8uTp04h +YLA600hKoGKJiW1fHrmVIQiYamwkpUSmhY1mw/RJ0GbWE1BT+vLC2BMckw+cwF0C +AwEAAaOCAUEwggE9MB0GA1UdDgQWBBTgzBbVi3ycphRotu7Am6ynMwVAyTCB0gYD +VR0jBIHKMIHHgBTgzBbVi3ycphRotu7Am6ynMwVAyaGBmKSBlTCBkjELMAkGA1UE +BhMCRlIxDzANBgNVBAgMBlJhZGl1czESMBAGA1UEBwwJU29tZXdoZXJlMRQwEgYD +VQQKDAtFeGFtcGxlIEluYzEgMB4GCSqGSIb3DQEJARYRYWRtaW5AZXhhbXBsZS5v +cmcxJjAkBgNVBAMMHUV4YW1wbGUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5ghQfrXjO ++YKeClJzboEssW7aWiq9+DAPBgNVHRMBAf8EBTADAQH/MDYGA1UdHwQvMC0wK6Ap +oCeGJWh0dHA6Ly93d3cuZXhhbXBsZS5jb20vZXhhbXBsZV9jYS5jcmwwDQYJKoZI +hvcNAQELBQADggEBAAV8StX4zFbOqcNVzF0JaZGu7CquFR4pOjCbM9XJVcwCxc0+ +DtIxy+w9KMLGgwB6LHh51tAExCR3UTktG8FqFxdjESCD8qlQoLU1uzt0kadKvQUr +wjn8ToEp1UP8UZa+SzaXVAYv09DC+VMYqBmkUtze/F5LC0LMWQBR3bn2EGdwBoMl +k2Gq6BdJZRCotyraSvG01mMyORY6UzLi25WFVg6B284VlD0cqFqmUMEmk2f76Ix3 +WpUkoGZ/ArAoS6+vaFmSrhZ9W+YBfBoBgjXrGMKi2dkUUngbm4yGxrhnN1MFu2lA +xnBWRxSQjzLGzqQP/bfxAVlNyXwQNPETGVZpGzc= +-----END CERTIFICATE----- 
diff --git a/samples/net/wifi/test_certs/rsa2k/client-key.pem b/samples/net/wifi/test_certs/rsa2k/client-key.pem
new file mode 100644
index 00000000000..4fbf52d284f
--- /dev/null
+++ b/samples/net/wifi/test_certs/rsa2k/client-key.pem
@@ -0,0 +1,30 @@ +-----BEGIN ENCRYPTED PRIVATE KEY----- +MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIcm3x/CvLYRcCAggA +MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECCSqbBrS+vObBIIEyPSMbzL5DvaJ +tW/lEoNvmujkYw/qADyExm4JidoemiTxMJB6TkXJE+W8glDeY+TCZUD6UyeiSx7J +HC1R2rQmpy91LT5o6P7Eyq/VHIsXVE77rS91NCKjiljdPWbzkLFo5oNwguhsvKI9 +YjU8m0V6KVLx21DZFDi5OZQ8g0ULu9FR9WIr4eDUnAIjJnpqw00hZF6FVKe7lu9t +2uCiKABXpODMqQyrDrTTsQNB4MV8axVWMaYW4P6JVf40ByzA4ISNYhmFH3DWMlAH +c6LhZstT7n3lXbpsq3pTvn/07+5yuTIvOmFvOoUnXo+kIU7gf1ODma7kPHrcD62c +9ZgMh/Y90YcQamoLUXJqKBk96ybj9v4p6CTzJC8vOj8GOJqEoUgs6lNYrNQmdJka +InZJnMfCgX67g60NrQ7vb/LPXTs1gShk/fn2EdLCvhqJNQwNgLjwFtio2DObBD4b +kuIV/h83moZ/yGrW2PPjxDrzWCxgFhMXs8kGZX6119J8Ki8L+EgKXz0Vfed6XQP6 +RK2anaQzmtJgM4gzzXDOPBPKYDMjqZHqZpMCl1J6TOYbVELDu+OAPGrLSXt71O+T +toPVrUNdKvYB5H4hosoqMiyeNGwEVjFlSKEInSM6IlwWK2+/xeqTued74nKgj/Je +xmLbZEurHtOctY0807gj2aNO2/iR4n+1kk9nniBcZNJ7la5GEqAp4wRSH2KI+hu0 +YoJHLtRX/BccawOTvWnLXOsbBTxXtZV9m4ojLbqCzpEV5alFkO0ycP/ao6A/ZTej +52X01EoUi7Nq5uoIxx+BKj5LN4Pa0Wpe4/DryiEqjSQ2sZMnkD+DhHw/soGcJrJm +s9zV0YFfFk9Flfnq/9uteHOj+CLxE4BQCpaEBkE+2IooU2Vtw9i5YOeQB+4971XE +JFBqNknjSfFqaL9zzBliKA9bizZawBub/HUX5P+3k71761k+Li1ID+RYOhTGjqKh +ws8bke2BtAOB/vccxQGYEOdi8U6+AgK7Dz1AmMQhLlDA8S7qAwodLmnaC6WhP1rA +1koQYnAGCxOcARTZCLzlfidNf1KzYMRdSVjTh9QAGW7cxEnNEnai5nU4VXUVT3xB +LWRP98yWzOIsQLFtXzjE0P+ESYGOsQj8aVyy/QHSOg5oEHxZ/myUbr1QB58Z+VKa +T8/EE2lQazINMIxfsxjDygHX3iF3BlxpwCBk2ykdbfqQFwZ3cr1l53ixuKqd2pTV +xsEhuAvAfJ1OadUM8HefT+ijUuKPUowtcrcA8URqgy1V/vgcM0qiw7fWysKK7oWl +L7Oa3JfTE1mpZuocOvF7e5ueNzIgEgnxQEkEE3AJmS0YxMqI6ShTnUx6p79OlVZr +/Izdkwqqhene+zudNd3z0TMhkjI8LZa6x4SBfCZmCOzOgoZ9XMrf80S/9CKTLWFv +UrLOe8RJz/6SYweQTMakejC/sbHSSTrqmIf9mrVLP1sMBm8R7TPLMRt8CFNtuYB0 +3nHO9kP7qT3U3sTZ9A0NQyaOfQYcWSLSGBkLSJAM3wh590hp7i6hnM3FeOYY3+lL +2a9q59B2H3HJfSUUCXtPA8wsEkZyCfz+y5YGscrhQcCbBq1FkkarluKJFonFCEKK +D4mU9Io0mhON+5ZNhwqurQ== +-----END ENCRYPTED PRIVATE KEY----- 
diff --git a/samples/net/wifi/test_certs/rsa2k/client-key2.pem b/samples/net/wifi/test_certs/rsa2k/client-key2.pem
new file mode 100644
index 00000000000..4fbf52d284f
--- /dev/null
+++ b/samples/net/wifi/test_certs/rsa2k/client-key2.pem
@@ -0,0 +1,30 @@ +-----BEGIN ENCRYPTED PRIVATE KEY----- +MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIcm3x/CvLYRcCAggA +MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECCSqbBrS+vObBIIEyPSMbzL5DvaJ +tW/lEoNvmujkYw/qADyExm4JidoemiTxMJB6TkXJE+W8glDeY+TCZUD6UyeiSx7J +HC1R2rQmpy91LT5o6P7Eyq/VHIsXVE77rS91NCKjiljdPWbzkLFo5oNwguhsvKI9 +YjU8m0V6KVLx21DZFDi5OZQ8g0ULu9FR9WIr4eDUnAIjJnpqw00hZF6FVKe7lu9t +2uCiKABXpODMqQyrDrTTsQNB4MV8axVWMaYW4P6JVf40ByzA4ISNYhmFH3DWMlAH +c6LhZstT7n3lXbpsq3pTvn/07+5yuTIvOmFvOoUnXo+kIU7gf1ODma7kPHrcD62c +9ZgMh/Y90YcQamoLUXJqKBk96ybj9v4p6CTzJC8vOj8GOJqEoUgs6lNYrNQmdJka +InZJnMfCgX67g60NrQ7vb/LPXTs1gShk/fn2EdLCvhqJNQwNgLjwFtio2DObBD4b +kuIV/h83moZ/yGrW2PPjxDrzWCxgFhMXs8kGZX6119J8Ki8L+EgKXz0Vfed6XQP6 +RK2anaQzmtJgM4gzzXDOPBPKYDMjqZHqZpMCl1J6TOYbVELDu+OAPGrLSXt71O+T +toPVrUNdKvYB5H4hosoqMiyeNGwEVjFlSKEInSM6IlwWK2+/xeqTued74nKgj/Je +xmLbZEurHtOctY0807gj2aNO2/iR4n+1kk9nniBcZNJ7la5GEqAp4wRSH2KI+hu0 +YoJHLtRX/BccawOTvWnLXOsbBTxXtZV9m4ojLbqCzpEV5alFkO0ycP/ao6A/ZTej +52X01EoUi7Nq5uoIxx+BKj5LN4Pa0Wpe4/DryiEqjSQ2sZMnkD+DhHw/soGcJrJm +s9zV0YFfFk9Flfnq/9uteHOj+CLxE4BQCpaEBkE+2IooU2Vtw9i5YOeQB+4971XE +JFBqNknjSfFqaL9zzBliKA9bizZawBub/HUX5P+3k71761k+Li1ID+RYOhTGjqKh +ws8bke2BtAOB/vccxQGYEOdi8U6+AgK7Dz1AmMQhLlDA8S7qAwodLmnaC6WhP1rA +1koQYnAGCxOcARTZCLzlfidNf1KzYMRdSVjTh9QAGW7cxEnNEnai5nU4VXUVT3xB +LWRP98yWzOIsQLFtXzjE0P+ESYGOsQj8aVyy/QHSOg5oEHxZ/myUbr1QB58Z+VKa +T8/EE2lQazINMIxfsxjDygHX3iF3BlxpwCBk2ykdbfqQFwZ3cr1l53ixuKqd2pTV +xsEhuAvAfJ1OadUM8HefT+ijUuKPUowtcrcA8URqgy1V/vgcM0qiw7fWysKK7oWl +L7Oa3JfTE1mpZuocOvF7e5ueNzIgEgnxQEkEE3AJmS0YxMqI6ShTnUx6p79OlVZr +/Izdkwqqhene+zudNd3z0TMhkjI8LZa6x4SBfCZmCOzOgoZ9XMrf80S/9CKTLWFv +UrLOe8RJz/6SYweQTMakejC/sbHSSTrqmIf9mrVLP1sMBm8R7TPLMRt8CFNtuYB0 +3nHO9kP7qT3U3sTZ9A0NQyaOfQYcWSLSGBkLSJAM3wh590hp7i6hnM3FeOYY3+lL +2a9q59B2H3HJfSUUCXtPA8wsEkZyCfz+y5YGscrhQcCbBq1FkkarluKJFonFCEKK +D4mU9Io0mhON+5ZNhwqurQ== +-----END ENCRYPTED PRIVATE KEY----- 
diff --git a/samples/net/wifi/test_certs/rsa2k/client.pem b/samples/net/wifi/test_certs/rsa2k/client.pem new file mode 100644 index 00000000000..33eeed9918e --- /dev/null +++ b/samples/net/wifi/test_certs/rsa2k/client.pem @@ -0,0 +1,27 @@ +-----BEGIN CERTIFICATE----- +MIIEgzCCA2ugAwIBAgIBAzANBgkqhkiG9w0BAQsFADCBkjELMAkGA1UEBhMCRlIx +DzANBgNVBAgMBlJhZGl1czESMBAGA1UEBwwJU29tZXdoZXJlMRQwEgYDVQQKDAtF +eGFtcGxlIEluYzEgMB4GCSqGSIb3DQEJARYRYWRtaW5AZXhhbXBsZS5vcmcxJjAk +BgNVBAMMHUV4YW1wbGUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MCAXDTI1MDMyNzEy +NTA0OVoYDzIwNTIwODExMTI1MDQ5WjB0MQswCQYDVQQGEwJGUjEPMA0GA1UECAwG +UmFkaXVzMRQwEgYDVQQKDAtFeGFtcGxlIEluYzEVMBMGA1UEAwwMRXhhbXBsZSB1 +c2VyMScwJQYJKoZIhvcNAQkBFhh1c2VyLmV4YW1wbGVAZXhhbXBsZS5vcmcwggEi +MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCkyPDf2/pHiJ6Bb7JK2syekEMh +j67IpFshtBy/6WAxQfbu9i8LAtyTiEg/7FvZbtAhfPtOnXc45Lu64EHyF8o60Y0X +6+45Ja3TCrPI609uTf1wTk8cpuRbm5u5blVwECaRiUJQL+Jm6TVNHF4byrNgKmUn +KY7JFYHQCp6FTCfyex7pTkZSWdNo/EWTuAtOqmwjVLBEQCGtdpbQZmnE9b0WcoPL +TB5vw3T30UBf3ve5wj6y3BFgMnbaoGvZd07lQtKVjkf50fVwuenPJF6+5XQS68qO +qeNTq77//qtjFEukobQ5CxFUTrLTO3XTfN+to7xI1WRxDCAIO7wxPCPOcAx3AgMB +AAGjgf4wgfswCQYDVR0TBAIwADALBgNVHQ8EBAMCBeAwEwYDVR0lBAwwCgYIKwYB +BQUHAwIwNgYDVR0fBC8wLTAroCmgJ4YlaHR0cDovL3d3dy5leGFtcGxlLmNvbS9l +eGFtcGxlX2NhLmNybDA3BggrBgEFBQcBAQQrMCkwJwYIKwYBBQUHMAGGG2h0dHA6 +Ly93d3cuZXhhbXBsZS5vcmcvb2NzcDAbBgNVHREEFDASgRB1c2VyQGV4YW1wbGUu +b3JnMB0GA1UdDgQWBBReX3pn9AYI0W0cD5Qrd1PP4mNtOjAfBgNVHSMEGDAWgBTg +zBbVi3ycphRotu7Am6ynMwVAyTANBgkqhkiG9w0BAQsFAAOCAQEAbXo1Wc2a4053 +jBgl/lGN7p1KNyTO92V/gNT1jM6lOfy+qK6NZGZsayLLT2qubX5t9+1FI/RbRq3i +FVCocIGRbZD+vKWTfxe4XowCwF9aE2od3xbQjWfSRGZCCYJpPkr5oh3i5qfztYos +ONclAY54yx3cpsEj5VG/TXA4BmlaoJRrBbAVCGwRHL/KXGu4Y/AlAKHQWnZp6+sl +UraELVaPeSRuZLgustDtIbMdyC6yTBTfCaRHPDmgYAxVVhzR29kitMO/hoJIAt8d +MDWMXTRNsJMGMVOy6YWZAdvW0pj9tTN1shhYBRA3Wi8W/HrvlPtQWfrJqaTHNJ32 +sTKtziYlCg== +-----END CERTIFICATE----- 
diff --git a/samples/net/wifi/test_certs/rsa2k/client2.pem b/samples/net/wifi/test_certs/rsa2k/client2.pem new file mode 100644 index 00000000000..33eeed9918e --- /dev/null +++ b/samples/net/wifi/test_certs/rsa2k/client2.pem @@ -0,0 +1,27 @@ +-----BEGIN CERTIFICATE----- +MIIEgzCCA2ugAwIBAgIBAzANBgkqhkiG9w0BAQsFADCBkjELMAkGA1UEBhMCRlIx +DzANBgNVBAgMBlJhZGl1czESMBAGA1UEBwwJU29tZXdoZXJlMRQwEgYDVQQKDAtF +eGFtcGxlIEluYzEgMB4GCSqGSIb3DQEJARYRYWRtaW5AZXhhbXBsZS5vcmcxJjAk +BgNVBAMMHUV4YW1wbGUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MCAXDTI1MDMyNzEy +NTA0OVoYDzIwNTIwODExMTI1MDQ5WjB0MQswCQYDVQQGEwJGUjEPMA0GA1UECAwG +UmFkaXVzMRQwEgYDVQQKDAtFeGFtcGxlIEluYzEVMBMGA1UEAwwMRXhhbXBsZSB1 +c2VyMScwJQYJKoZIhvcNAQkBFhh1c2VyLmV4YW1wbGVAZXhhbXBsZS5vcmcwggEi +MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCkyPDf2/pHiJ6Bb7JK2syekEMh +j67IpFshtBy/6WAxQfbu9i8LAtyTiEg/7FvZbtAhfPtOnXc45Lu64EHyF8o60Y0X +6+45Ja3TCrPI609uTf1wTk8cpuRbm5u5blVwECaRiUJQL+Jm6TVNHF4byrNgKmUn +KY7JFYHQCp6FTCfyex7pTkZSWdNo/EWTuAtOqmwjVLBEQCGtdpbQZmnE9b0WcoPL +TB5vw3T30UBf3ve5wj6y3BFgMnbaoGvZd07lQtKVjkf50fVwuenPJF6+5XQS68qO +qeNTq77//qtjFEukobQ5CxFUTrLTO3XTfN+to7xI1WRxDCAIO7wxPCPOcAx3AgMB +AAGjgf4wgfswCQYDVR0TBAIwADALBgNVHQ8EBAMCBeAwEwYDVR0lBAwwCgYIKwYB +BQUHAwIwNgYDVR0fBC8wLTAroCmgJ4YlaHR0cDovL3d3dy5leGFtcGxlLmNvbS9l +eGFtcGxlX2NhLmNybDA3BggrBgEFBQcBAQQrMCkwJwYIKwYBBQUHMAGGG2h0dHA6 +Ly93d3cuZXhhbXBsZS5vcmcvb2NzcDAbBgNVHREEFDASgRB1c2VyQGV4YW1wbGUu +b3JnMB0GA1UdDgQWBBReX3pn9AYI0W0cD5Qrd1PP4mNtOjAfBgNVHSMEGDAWgBTg +zBbVi3ycphRotu7Am6ynMwVAyTANBgkqhkiG9w0BAQsFAAOCAQEAbXo1Wc2a4053 +jBgl/lGN7p1KNyTO92V/gNT1jM6lOfy+qK6NZGZsayLLT2qubX5t9+1FI/RbRq3i +FVCocIGRbZD+vKWTfxe4XowCwF9aE2od3xbQjWfSRGZCCYJpPkr5oh3i5qfztYos +ONclAY54yx3cpsEj5VG/TXA4BmlaoJRrBbAVCGwRHL/KXGu4Y/AlAKHQWnZp6+sl +UraELVaPeSRuZLgustDtIbMdyC6yTBTfCaRHPDmgYAxVVhzR29kitMO/hoJIAt8d +MDWMXTRNsJMGMVOy6YWZAdvW0pj9tTN1shhYBRA3Wi8W/HrvlPtQWfrJqaTHNJ32 +sTKtziYlCg== +-----END CERTIFICATE----- 
diff --git a/samples/net/wifi/test_certs/rsa2k/server-key.pem b/samples/net/wifi/test_certs/rsa2k/server-key.pem
new file mode 100644
index 00000000000..5a6a2e77e65
--- /dev/null
+++ b/samples/net/wifi/test_certs/rsa2k/server-key.pem
@@ -0,0 +1,30 @@ +-----BEGIN ENCRYPTED PRIVATE KEY----- +MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIZwdmrQt6RogCAggA +MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECHEftLym1jQkBIIEyH5UdHK2L2sR +frTjMbkJBty0NxC8ucPqmBleZPkpAOF8XazZkfiq40/Vj9D+wTgXWL9/UNQHrY1m +MbJvBaONODXnJe14rsL18NzN+LoUscE4poKBcrZ4Hbua5mS8mJ+WtPs9AfARyaEZ +t60lDQMyJ/Hj2Nr7jbUykP6OOkAy1xqcjytcIRA+3q2Jiivv8XMozBzi8t+njODZ +huMbuj13IFqLtZzTZikL+DpalNCezi7D8kttpkQul1uAtmtIAq3QZ99Ed8/XkRV1 +PiKkcj9J5oOcIyH9PE5D9Mid7+As2kkz614J3zeCG2s9xtUkgoasiabTKZNYgL4K +sjuTFU4vOoGNasfH+j4tEFRozySW7z53C4jB1KZ8MmOUG+G9tlJk/jAHyFGiK0LN +CTIsY/ZiA5f7Gk6BL1MbRTsLqch+5pmh43gDwfbq22gPs/TwQKxx3YZJfuUy2L7A +T5sX3VjqQZ+rTwMEql790AnKSFsCbIH4Y7XcFY2Ux6tYzddiViLMTR29kJ0GJSEv +aw5VIDAexec2M72p+l7kMecJiJgB2cDwkGFgD8qAd/hkWj6k6R9rRdI6Dg4a3Ta3 +Q50colSh0XfpPQ9jg6NjGJCUVO+uICOa5rD5tI5s/Ogd7MzgTcdDnzl7RDgOH1W+ +TivRMpFwCLdrtDmq9DSA0H7XCeSvf6orROK15dkQn1nmtK4/zhG20DVNJxV9UK0u +GNCkEqqvcGXu75PKkw0bO7BFPAksP4WX+RPIEyZLasB8PxrorkDZTqNh7AJ5CuwO +xy+ekOrNkfcqHIl2vJvrAhl6i68zM9e6sDV6+J1Eia0naFpZ3cjYC+AAgxcUZT23 +xLcNrNlZbcFJvCrb7JNgSbsQnHSjA1rtMXfNNTpnOGP29gv49rWiSL5QFMTSEBEZ +4CGs6fpBNQxjvRfxGTnKaZWhenVE98r35zALeD74P8WWieRj7qDPMS8VJmvN6JmN +VaQ2ysHeFlUEZxC2STHlUl0RAQU/Um4ee2kK6rzywjiZuOv3GeG7zB9P0kIpROa2 +KlxLN+EDffwFytiAlCMfqHrS7iqHPzMxWxzo/Fv7KFngrCxNSPTwxkRu/VVZouOl +g6ip7VIYxuWgpUD4jZNllLKbJyQ8QABkmZIZI3nZqPX2K6OhqKPdnqF1BiuwrDRD +k1f2jQBC4cue2nIuitr+mgsw5GG3mwob6Sniv4a6vy19DJImD+bGAxduiUH0laPq +D2L5BH/Q3c+GtuQGfcemtPD3lteV4Qw/keOEBoLG0tPSVjs+uADUK3cBI4f2C3pd +gb7Ze1dOPH8Fy/hy+wGp7+gLLLTv23RRYFZZsHBCat9qTyP97vzsckvL3VQN6zWE +3W8TB2HBVKKkszv5ov0r8/mf5k6aqSw+IYHnkXehkTcRfENUdl7X/x0LM5Hi+I5F +ZhbtWEETZlcu8XWaIAvW3eV2AOlf0xzC1SmCYEuQ6V9dSxGNuVn4pIMzxfLDfPOw +gqheYFzSrKZJfB/iGI7XpN2XjWo61ZKudKRxZXSVxPM1hTOqtAFiE4mKarJUTkvC +TWKmPppA4suT1wV79CMMxWBhe4Kj4STHYSHQfUS22SqsqJbdK/1DD9u+nNANnKol +riIOT3CiCzNDQyu627UONg== +-----END ENCRYPTED PRIVATE KEY----- 
diff --git a/samples/net/wifi/test_certs/rsa2k/server.pem b/samples/net/wifi/test_certs/rsa2k/server.pem
new file mode 100644
index 00000000000..d894c33ded1
--- /dev/null
+++ b/samples/net/wifi/test_certs/rsa2k/server.pem
@@ -0,0 +1,31 @@ +-----BEGIN CERTIFICATE----- +MIIFaTCCBFGgAwIBAgIBATANBgkqhkiG9w0BAQsFADCBkjELMAkGA1UEBhMCRlIx +DzANBgNVBAgMBlJhZGl1czESMBAGA1UEBwwJU29tZXdoZXJlMRQwEgYDVQQKDAtF +eGFtcGxlIEluYzEgMB4GCSqGSIb3DQEJARYRYWRtaW5AZXhhbXBsZS5vcmcxJjAk +BgNVBAMMHUV4YW1wbGUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MCAXDTI1MDMyNzEy +NTA0OVoYDzIwNTIwODExMTI1MDQ5WjB7MQswCQYDVQQGEwJGUjEPMA0GA1UECAwG +UmFkaXVzMRQwEgYDVQQKDAtFeGFtcGxlIEluYzEjMCEGA1UEAwwaRXhhbXBsZSBT +ZXJ2ZXIgQ2VydGlmaWNhdGUxIDAeBgkqhkiG9w0BCQEWEWFkbWluQGV4YW1wbGUu +b3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxtIpRygUsyReit9O +/15T0lf3p0ck1Sjw3ufaqaXXzEcM7i/w7UoSfNyqrjmCsZhfIDHqzWKdRUD+jE3Z +TfRzrF/nGtyG2jjjqZy/p+0uTL0cN/QdMjUEvla/eRIgMHPPNG0oFn7GkzbrrqFt ++f3RgsWV6Anw+8ipZvd8BjsummA4W4v6A86zXgORlefU4A7JOlxHXYvhFwS044nd +N1Fvi0bjyZ7ciKltVCxjLDJEzV7I3ttoO57TI85vtEIjMMwkGywx6ICyLbLrgycl +OeMmArC86MFINUor3oz+mfI8ETOIfLftqVN+oPRtDqjLlrIvtaDV6PsEoiFajpdx +faMLhwIDAQABo4IB3DCCAdgwHQYDVR0OBBYEFMGuQKFgIgEb+q+VVWotbLlNZUxu +MIHSBgNVHSMEgcowgceAFODMFtWLfJymFGi27sCbrKczBUDJoYGYpIGVMIGSMQsw +CQYDVQQGEwJGUjEPMA0GA1UECAwGUmFkaXVzMRIwEAYDVQQHDAlTb21ld2hlcmUx +FDASBgNVBAoMC0V4YW1wbGUgSW5jMSAwHgYJKoZIhvcNAQkBFhFhZG1pbkBleGFt +cGxlLm9yZzEmMCQGA1UEAwwdRXhhbXBsZSBDZXJ0aWZpY2F0ZSBBdXRob3JpdHmC +FB+teM75gp4KUnNugSyxbtpaKr34MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgXgMB0G +A1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDDjA2BgNVHR8ELzAtMCugKaAnhiVo +dHRwOi8vd3d3LmV4YW1wbGUuY29tL2V4YW1wbGVfY2EuY3JsMDcGCCsGAQUFBwEB +BCswKTAnBggrBgEFBQcwAYYbaHR0cDovL3d3dy5leGFtcGxlLm9yZy9vY3NwMDoG +A1UdEQQzMDGCEnJhZGl1cy5leGFtcGxlLm9yZ6AbBggrBgEFBQcICKAPDA0qLmV4 +YW1wbGUuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQAov9HxapiYtoAUebNdGU6hFz7G +3F6Jtpg5d34/AW1ntmgxHryNn5dJp/fmc3eyndMLQRJhDIksc/6Tmp0jUs6DhxE5 +5BmdAPVsAPhYfr3ylOoOP21wtmaH4MeRtBYuBsdvLgyiIXMWrliQnJa+12ovdqMX ++9KJJLWJm81IH6O2kEZ7HmoWkY6XXYpJZqw3c8FukuUoFQQk2mJ4u2yncq4oFQSn +uu5G4UL8o3blhkY1pK8WmuzUiafyJjjlwBcsBkk47BuKbyQCquOXl/O+lzteJMEZ +Z83ZANWQb7g1vhIVvse5qLZ9Osa68TJFDaHWcmIyFutbyfdAJy4XEGawf1Fq +-----END CERTIFICATE----- 
diff --git a/samples/net/wifi/test_certs/ca.pem b/samples/net/wifi/test_certs/rsa3k/ca.pem similarity index 100% rename from samples/net/wifi/test_certs/ca.pem rename to samples/net/wifi/test_certs/rsa3k/ca.pem diff --git a/samples/net/wifi/test_certs/ca2.pem b/samples/net/wifi/test_certs/rsa3k/ca2.pem similarity index 100% rename from samples/net/wifi/test_certs/ca2.pem rename to samples/net/wifi/test_certs/rsa3k/ca2.pem diff --git a/samples/net/wifi/test_certs/client-key.pem b/samples/net/wifi/test_certs/rsa3k/client-key.pem similarity index 100% rename from samples/net/wifi/test_certs/client-key.pem rename to samples/net/wifi/test_certs/rsa3k/client-key.pem diff --git a/samples/net/wifi/test_certs/client-key2.pem b/samples/net/wifi/test_certs/rsa3k/client-key2.pem similarity index 100% rename from samples/net/wifi/test_certs/client-key2.pem rename to samples/net/wifi/test_certs/rsa3k/client-key2.pem diff --git a/samples/net/wifi/test_certs/client.pem b/samples/net/wifi/test_certs/rsa3k/client.pem similarity index 100% rename from samples/net/wifi/test_certs/client.pem rename to samples/net/wifi/test_certs/rsa3k/client.pem diff --git a/samples/net/wifi/test_certs/client2.pem b/samples/net/wifi/test_certs/rsa3k/client2.pem similarity index 100% rename from samples/net/wifi/test_certs/client2.pem rename to samples/net/wifi/test_certs/rsa3k/client2.pem diff --git a/samples/net/wifi/test_certs/server-key.pem b/samples/net/wifi/test_certs/rsa3k/server-key.pem similarity index 100% rename from samples/net/wifi/test_certs/server-key.pem rename to samples/net/wifi/test_certs/rsa3k/server-key.pem diff --git a/samples/net/wifi/test_certs/server.pem b/samples/net/wifi/test_certs/rsa3k/server.pem similarity index 100% rename from samples/net/wifi/test_certs/server.pem rename to samples/net/wifi/test_certs/rsa3k/server.pem diff --git a/snippets/wifi-enterprise/README.rst b/snippets/wifi-enterprise/README.rst new file mode 100644 index 00000000000..ddf512b5835 --- /dev/null 
+++ b/snippets/wifi-enterprise/README.rst @@ -0,0 +1,31 @@ +.. _snippet-wifi-enterprise: + +Wi-Fi Enterprise Snippet (wifi-enterprise) +########################################## + +.. code-block:: console + + west build -S wifi-enterprise [...] + +Can also be used along with the :ref:`snippet-wifi-ipv4` snippet. + +.. code-block:: console + + west build -S "wifi-enterprise,wifi-ipv4" [...] + +Overview +******** + +This snippet enables enterprise Wi-Fi support in supported networking samples. + +See :ref:`wifi_mgmt` for more information on the usage. + +Requirements +************ + +Hardware support for: + +- :kconfig:option:`CONFIG_WIFI` +- :kconfig:option:`CONFIG_WIFI_USE_NATIVE_NETWORKING` +- :kconfig:option:`CONFIG_WIFI_NM_WPA_SUPPLICANT` +- :kconfig:option:`CONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE` diff --git a/snippets/wifi-enterprise/snippet.yml b/snippets/wifi-enterprise/snippet.yml new file mode 100644 index 00000000000..6a4f73d38b4 --- /dev/null +++ b/snippets/wifi-enterprise/snippet.yml @@ -0,0 +1,3 @@ +name: wifi-enterprise +append: + EXTRA_CONF_FILE: wifi-enterprise.conf diff --git a/samples/net/wifi/shell/overlay-enterprise-variable-bufs.conf b/snippets/wifi-enterprise/wifi-enterprise.conf similarity index 52% rename from samples/net/wifi/shell/overlay-enterprise-variable-bufs.conf rename to snippets/wifi-enterprise/wifi-enterprise.conf index 627d77a9247..5cc0646d518 100644 --- a/samples/net/wifi/shell/overlay-enterprise-variable-bufs.conf +++ b/snippets/wifi-enterprise/wifi-enterprise.conf 
@@ -1,9 +1,16 @@ +# Enable Wi-Fi enterprise mode CONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE=y -# EAP frames are ~1100 bytes, so, for efficiency, we set the data size to 1100 -CONFIG_NET_BUF_DATA_SIZE=1100 # Use variable data size to reduce memory usage for small data packets CONFIG_NET_BUF_VARIABLE_DATA_SIZE=y # For TLS and X.509 processing MbedTLS needs large heap size and using separate heap # for MbedTLS gives us more control over the heap size. CONFIG_MBEDTLS_ENABLE_HEAP=y -CONFIG_MBEDTLS_HEAP_SIZE=55000 +CONFIG_MBEDTLS_HEAP_SIZE=60000 + +# For use with TLS credentials +CONFIG_TLS_CREDENTIALS_SHELL=y +CONFIG_BASE64=y +CONFIG_TLS_CREDENTIALS=y +CONFIG_TLS_CREDENTIALS_SHELL_CRED_BUF_SIZE=8192 +CONFIG_TLS_MAX_CREDENTIALS_NUMBER=6 +CONFIG_HEAP_MEM_POOL_ADD_SIZE_TLS_CRED_SHELL=9000 diff --git a/subsys/net/l2/wifi/CMakeLists.txt b/subsys/net/l2/wifi/CMakeLists.txt index 560f7b301be..e1e9606bfd2 100644 --- a/subsys/net/l2/wifi/CMakeLists.txt +++ b/subsys/net/l2/wifi/CMakeLists.txt 
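Review bot: The block under `# For use with TLS credentials` turns on `CONFIG_TLS_CREDENTIALS_SHELL=y` for every build that uses the snippet, including builds that embed the certificates at compile time and never set `CONFIG_WIFI_SHELL_RUNTIME_CERTIFICATES`. That leaves credential-management commands reachable from the device console in images that do not need them. I would either move these six options into a separate fragment that is applied only for run-time certificates, or at least mark the intent in place with `# Development/test only: exposes TLS credential management on the shell`.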
@@ -27,59 +27,37 @@ if(CONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE AND CONFIG_NET_L2_WIFI_SHELL) # Wi-Fi Enterprise test certificates handling set(gen_inc_dir ${ZEPHYR_BINARY_DIR}/misc/generated) set(gen_dir ${gen_inc_dir}/wifi_enterprise_test_certs) + if(NOT DEFINED WIFI_TEST_CERTS_DIR) + set(WIFI_TEST_CERTS_DIR ${ZEPHYR_BASE}/samples/net/wifi/test_certs/rsa3k) + endif() # Create output directory for test certs file(MAKE_DIRECTORY ${gen_dir}) # convert .pem files to array data at build time zephyr_include_directories(${gen_inc_dir}) - generate_inc_file_for_target( - app - ${ZEPHYR_BASE}/samples/net/wifi/test_certs/client.pem - ${gen_dir}/client.pem.inc - ) - - generate_inc_file_for_target( - app - ${ZEPHYR_BASE}/samples/net/wifi/test_certs/client-key.pem - ${gen_dir}/client-key.pem.inc - ) - - generate_inc_file_for_target( - app - ${ZEPHYR_BASE}/samples/net/wifi/test_certs/ca.pem - ${gen_dir}/ca.pem.inc - ) - - generate_inc_file_for_target( - app - ${ZEPHYR_BASE}/samples/net/wifi/test_certs/client2.pem - ${gen_dir}/client2.pem.inc - ) - - generate_inc_file_for_target( - app - ${ZEPHYR_BASE}/samples/net/wifi/test_certs/client-key2.pem - ${gen_dir}/client-key2.pem.inc - ) - - generate_inc_file_for_target( - app - ${ZEPHYR_BASE}/samples/net/wifi/test_certs/ca2.pem - ${gen_dir}/ca2.pem.inc - ) - - generate_inc_file_for_target( - app - ${ZEPHYR_BASE}/samples/net/wifi/test_certs/server.pem - ${gen_dir}/server.pem.inc - ) - - generate_inc_file_for_target( - app - ${ZEPHYR_BASE}/samples/net/wifi/test_certs/server-key.pem - ${gen_dir}/server-key.pem.inc + foreach(cert_file IN ITEMS + ${WIFI_TEST_CERTS_DIR}/client.pem + ${WIFI_TEST_CERTS_DIR}/client-key.pem + ${WIFI_TEST_CERTS_DIR}/ca.pem + ${WIFI_TEST_CERTS_DIR}/client2.pem + ${WIFI_TEST_CERTS_DIR}/client-key2.pem + ${WIFI_TEST_CERTS_DIR}/ca2.pem + ${WIFI_TEST_CERTS_DIR}/server.pem + ${WIFI_TEST_CERTS_DIR}/server-key.pem ) + if(EXISTS ${cert_file}) + get_filename_component(cert_name ${cert_file} NAME) + 
generate_inc_file_for_target( + app + ${cert_file} + ${gen_dir}/${cert_name}.inc + ) + else() + get_filename_component(cert_name ${cert_file} NAME) + file(WRITE ${gen_dir}/${cert_name}.inc "// Empty file generated because ${cert_file} does not exist\n") + endif() + endforeach() # Add explicit dependency on app target for ZEPHYR_CURRENT_LIBRARY, so these # headers are generated at the correct point in the build diff --git a/subsys/net/l2/wifi/Kconfig b/subsys/net/l2/wifi/Kconfig index 78f98497c73..cd6540aa831 100644 --- a/subsys/net/l2/wifi/Kconfig +++ b/subsys/net/l2/wifi/Kconfig @@ -125,3 +125,26 @@ config WIFI_ENT_IDENTITY_MAX_USERS default 8 help This option defines the maximum number of identity users allowed connection. + +if WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE + +config WIFI_SHELL_RUNTIME_CERTIFICATES + bool "Provide Wi-Fi enterprise security certificates at run-time" + select TLS_CREDENTIALS + select TLS_CREDENTIALS_SHELL + select BASE64 + help + This option enables providing Wi-Fi enterprise security certificates at run-time. + Uses the TLS credentials subsystem to store and manage the certificates. + +if WIFI_SHELL_RUNTIME_CERTIFICATES +config HEAP_MEM_POOL_ADD_SIZE_WIFI_CERT + int "Wi-Fi enterprise security certificates memory pool size" + # STA - 6 certs and each assume 1500 bytes + default 12000 + help + The size of the memory pool used by the Wi-Fi enterprise security certificates. + +endif # WIFI_SHELL_RUNTIME_CERTIFICATES + +endif # WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE diff --git a/subsys/net/l2/wifi/wifi_mgmt.c b/subsys/net/l2/wifi/wifi_mgmt.c index 8713d0bd7fb..0009467abe3 100644 --- a/subsys/net/l2/wifi/wifi_mgmt.c +++ b/subsys/net/l2/wifi/wifi_mgmt.c 
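Review bot: In the `else()` branch a missing certificate is replaced by a comment-only `.inc` without any diagnostic, so a mistyped `WIFI_TEST_CERTS_DIR` still configures and builds. The `*_test[]` arrays in wifi_shell.c that include these files would then presumably hold only their trailing `'\0'`, and the failure surfaces much later as an authentication problem on the device. A warning before the `file(WRITE ...)` keeps the fallback but makes it visible: `message(WARNING "Wi-Fi enterprise: ${cert_file} not found, generating an empty ${cert_name}.inc")`.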
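Review bot: The sizing comment on `HEAP_MEM_POOL_ADD_SIZE_WIFI_CERT` does not match its default: `# STA - 6 certs and each assume 1500 bytes` gives 9000, while the default is 12000. Since `process_certificates()` allocates one heap copy per credential, an undersized pool shows up as `-ENOMEM` at connect time, so the basis for the number should be stated correctly, for example `# up to 8 credentials (CA, client, server, phase 2), 1500 bytes each`. The help text should also say that the value is in bytes and that larger keys, such as the rsa3k set, may need more.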
@@ -83,8 +83,6 @@ const char *wifi_security_txt(enum wifi_security_type security) return "EAP-TTLS-MSCHAPV2"; case WIFI_SECURITY_TYPE_EAP_PEAP_TLS: return "EAP-PEAP-TLS"; - case WIFI_SECURITY_TYPE_EAP_TLS_SHA256: - return "EAP-TLS-SHA256"; case WIFI_SECURITY_TYPE_FT_PSK: return "FT-PSK"; case WIFI_SECURITY_TYPE_FT_SAE: diff --git a/subsys/net/l2/wifi/wifi_shell.c b/subsys/net/l2/wifi/wifi_shell.c index ccdd2f5c7a9..182eb85d018 100644 --- a/subsys/net/l2/wifi/wifi_shell.c +++ b/subsys/net/l2/wifi/wifi_shell.c @@ -30,7 +30,29 @@ LOG_MODULE_REGISTER(net_wifi_shell, LOG_LEVEL_INF); #include "net_shell_private.h" #include -#ifdef CONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE +#if defined CONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE || \ + defined CONFIG_WIFI_NM_HOSTAPD_CRYPTO_ENTERPRISE +#ifdef CONFIG_WIFI_SHELL_RUNTIME_CERTIFICATES +#include +enum wifi_enterprise_cert_sec_tags { + WIFI_CERT_CA_SEC_TAG = 0x1020001, + WIFI_CERT_CLIENT_KEY_SEC_TAG, + WIFI_CERT_SERVER_KEY_SEC_TAG, + WIFI_CERT_CLIENT_SEC_TAG, + WIFI_CERT_SERVER_SEC_TAG, + /* Phase 2 */ + WIFI_CERT_CA_P2_SEC_TAG, + WIFI_CERT_CLIENT_KEY_P2_SEC_TAG, + WIFI_CERT_CLIENT_P2_SEC_TAG, +}; + +struct wifi_cert_data { + enum tls_credential_type type; + uint32_t sec_tag; + uint8_t **data; + size_t *len; +}; +#else static const char ca_cert_test[] = { #include '\0' @@ -67,7 +89,8 @@ static const char server_key_test[] = { #include '\0' }; -#endif +#endif /* CONFIG_WIFI_SHELL_RUNTIME_CERTIFICATES */ +#endif /* CONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE */ #define WIFI_SHELL_MODULE "wifi" 
@@ -102,6 +125,12 @@ static struct { }; uint8_t all; }; +#if defined CONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE || \ + defined CONFIG_WIFI_NM_HOSTAPD_CRYPTO_ENTERPRISE +#ifdef CONFIG_WIFI_SHELL_RUNTIME_CERTIFICATES + struct wifi_enterprise_creds_params enterprise_creds_params; +#endif /* CONFIG_WIFI_SHELL_RUNTIME_CERTIFICATES */ +#endif /* CONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE */ } context; static struct net_mgmt_event_callback wifi_shell_mgmt_cb; 
@@ -117,27 +146,212 @@ static struct wifi_ap_sta_node sta_list[CONFIG_WIFI_SHELL_MAX_AP_STA]; #if defined CONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE || \ defined CONFIG_WIFI_NM_HOSTAPD_CRYPTO_ENTERPRISE -static int cmd_wifi_set_enterprise_creds(const struct shell *sh, struct net_if *iface) +#ifdef CONFIG_WIFI_SHELL_RUNTIME_CERTIFICATES +static int process_certificates(struct wifi_cert_data *certs, size_t cert_count) +{ + for (size_t i = 0; i < cert_count; i++) { + int err; + size_t len = 0; + uint8_t *cert_tmp; + + err = tls_credential_get(certs[i].sec_tag, certs[i].type, NULL, &len); + if (err != -EFBIG) { + LOG_ERR("Failed to get credential tag: %d length, err: %d", + certs[i].sec_tag, err); + return err; + } + + cert_tmp = k_malloc(len); + if (!cert_tmp) { + LOG_ERR("Failed to allocate memory for credential tag: %d", + certs[i].sec_tag); + return -ENOMEM; + } + + err = tls_credential_get(certs[i].sec_tag, certs[i].type, cert_tmp, &len); + if (err) { + LOG_ERR("Failed to get credential tag: %d", certs[i].sec_tag); + k_free(cert_tmp); + return err; + } + + *certs[i].data = cert_tmp; + *certs[i].len = len; + } + + return 0; +} + +static void set_enterprise_creds_params(struct wifi_enterprise_creds_params *params, + bool is_ap) { - struct wifi_enterprise_creds_params params = {0}; + struct wifi_cert_data certs_common[] = { + { + .type = TLS_CREDENTIAL_CA_CERTIFICATE, + .sec_tag = WIFI_CERT_CA_SEC_TAG, + .data = ¶ms->ca_cert, + .len = ¶ms->ca_cert_len, + }, + }; + + struct wifi_cert_data certs_sta[] = { + { + .type = TLS_CREDENTIAL_PRIVATE_KEY, + .sec_tag = WIFI_CERT_CLIENT_KEY_SEC_TAG, + .data = ¶ms->client_key, + .len = ¶ms->client_key_len, + }, + { + .type = TLS_CREDENTIAL_PUBLIC_CERTIFICATE, + .sec_tag = WIFI_CERT_CLIENT_SEC_TAG, + .data = ¶ms->client_cert, + .len = ¶ms->client_cert_len, + }, + { + .type = TLS_CREDENTIAL_CA_CERTIFICATE, + .sec_tag = WIFI_CERT_CA_P2_SEC_TAG, + .data = ¶ms->ca_cert2, + .len = ¶ms->ca_cert2_len, + }, + { + .type = 
TLS_CREDENTIAL_PRIVATE_KEY, + .sec_tag = WIFI_CERT_CLIENT_KEY_P2_SEC_TAG, + .data = ¶ms->client_key2, + .len = ¶ms->client_key2_len, + }, + { + .type = TLS_CREDENTIAL_PUBLIC_CERTIFICATE, + .sec_tag = WIFI_CERT_CLIENT_P2_SEC_TAG, + .data = ¶ms->client_cert2, + .len = ¶ms->client_cert2_len, + }, + }; + + struct wifi_cert_data certs_ap[] = { + { + .type = TLS_CREDENTIAL_PUBLIC_CERTIFICATE, + .sec_tag = WIFI_CERT_SERVER_SEC_TAG, + .data = ¶ms->server_cert, + .len = ¶ms->server_cert_len, + }, + { + .type = TLS_CREDENTIAL_PRIVATE_KEY, + .sec_tag = WIFI_CERT_SERVER_KEY_SEC_TAG, + .data = ¶ms->server_key, + .len = ¶ms->server_key_len, + }, + }; + + memset(params, 0, sizeof(*params)); + + /* Process common certificates */ + if (process_certificates(certs_common, ARRAY_SIZE(certs_common)) != 0) { + goto cleanup; + } + + /* Process STA-specific certificates */ + if (!is_ap) { + if (process_certificates(certs_sta, ARRAY_SIZE(certs_sta)) != 0) { + goto cleanup; + } + } + + /* Process AP-specific certificates if is_ap is true */ + if (is_ap) { + if (process_certificates(certs_ap, ARRAY_SIZE(certs_ap)) != 0) { + goto cleanup; + } + } + + memcpy(&context.enterprise_creds_params, params, sizeof(*params)); + return; + +cleanup: + for (size_t i = 0; i < ARRAY_SIZE(certs_common); i++) { + if (certs_common[i].data) { + k_free(*certs_common[i].data); + } + } + + if (!is_ap) { + for (size_t i = 0; i < ARRAY_SIZE(certs_sta); i++) { + if (certs_sta[i].data) { + k_free(*certs_sta[i].data); + } + } + } - params.ca_cert = (uint8_t *)ca_cert_test; - params.ca_cert_len = ARRAY_SIZE(ca_cert_test); - params.client_cert = (uint8_t *)client_cert_test; - params.client_cert_len = ARRAY_SIZE(client_cert_test); - params.client_key = (uint8_t *)client_key_test; - params.client_key_len = ARRAY_SIZE(client_key_test); - params.ca_cert2 = (uint8_t *)ca_cert2_test; - params.ca_cert2_len = ARRAY_SIZE(ca_cert2_test); - params.client_cert2 = (uint8_t *)client_cert2_test; - params.client_cert2_len = 
ARRAY_SIZE(client_cert2_test); - params.client_key2 = (uint8_t *)client_key2_test; - params.client_key2_len = ARRAY_SIZE(client_key2_test); - params.server_cert = (uint8_t *)server_cert_test; - params.server_cert_len = ARRAY_SIZE(server_cert_test); - params.server_key = (uint8_t *)server_key_test; - params.server_key_len = ARRAY_SIZE(server_key_test); + if (is_ap) { + for (size_t i = 0; i < ARRAY_SIZE(certs_ap); i++) { + if (certs_ap[i].data) { + k_free(*certs_ap[i].data); + } + } + } +} + +static void clear_enterprise_creds_params(struct wifi_enterprise_creds_params *params) +{ + size_t i; + + if (!params) { + return; + } + const uint8_t *certs[] = { + params->ca_cert, + params->client_cert, + params->client_key, + params->server_cert, + params->server_key, + params->ca_cert2, + params->client_cert2 + params->client_key2, + }; + + for (i = 0; i < ARRAY_SIZE(certs); i++) { + k_free((void *)certs[i]); + } + memset(params, 0, sizeof(*params)); +} +#else +static void set_enterprise_creds_params(struct wifi_enterprise_creds_params *params, + bool is_ap) +{ + params->ca_cert = (uint8_t *)ca_cert_test; + params->ca_cert_len = ARRAY_SIZE(ca_cert_test); + + if (!is_ap) { + params->client_cert = (uint8_t *)client_cert_test; + params->client_cert_len = ARRAY_SIZE(client_cert_test); + params->client_key = (uint8_t *)client_key_test; + params->client_key_len = ARRAY_SIZE(client_key_test); + params->ca_cert2 = (uint8_t *)ca_cert2_test; + params->ca_cert2_len = ARRAY_SIZE(ca_cert2_test); + params->client_cert2 = (uint8_t *)client_cert2_test; + params->client_cert2_len = ARRAY_SIZE(client_cert2_test); + params->client_key2 = (uint8_t *)client_key2_test; + params->client_key2_len = ARRAY_SIZE(client_key2_test); + + return; + } + + params->server_cert = (uint8_t *)server_cert_test; + params->server_cert_len = ARRAY_SIZE(server_cert_test); + params->server_key = (uint8_t *)server_key_test; + params->server_key_len = ARRAY_SIZE(server_key_test); +} +#endif /* 
CONFIG_WIFI_SHELL_RUNTIME_CERTIFICATES */ + +static int wifi_set_enterprise_creds(const struct shell *sh, struct net_if *iface, + bool is_ap) +{ + struct wifi_enterprise_creds_params params = {0}; + +#ifdef CONFIG_WIFI_SHELL_RUNTIME_CERTIFICATES + clear_enterprise_creds_params(&context.enterprise_creds_params); +#endif /* CONFIG_WIFI_SHELL_RUNTIME_CERTIFICATES */ + set_enterprise_creds_params(¶ms, is_ap); if (net_mgmt(NET_REQUEST_WIFI_ENTERPRISE_CREDS, iface, ¶ms, sizeof(params))) { PR_WARNING("Set enterprise credentials failed\n"); return -1; @@ -915,9 +1129,8 @@ static int cmd_wifi_connect(const struct shell *sh, size_t argc, cnx_params.security == WIFI_SECURITY_TYPE_EAP_PEAP_MSCHAPV2 || cnx_params.security == WIFI_SECURITY_TYPE_EAP_PEAP_GTC || cnx_params.security == WIFI_SECURITY_TYPE_EAP_TTLS_MSCHAPV2 || - cnx_params.security == WIFI_SECURITY_TYPE_EAP_PEAP_TLS || - cnx_params.security == WIFI_SECURITY_TYPE_EAP_TLS_SHA256) { - cmd_wifi_set_enterprise_creds(sh, iface); + cnx_params.security == WIFI_SECURITY_TYPE_EAP_PEAP_TLS) { + wifi_set_enterprise_creds(sh, iface, 0); } #endif @@ -959,6 +1172,11 @@ static int cmd_wifi_disconnect(const struct shell *sh, size_t argc, PR("Disconnect requested\n"); } +#ifdef CONFIG_WIFI_SHELL_RUNTIME_CERTIFICATES + /* Clear the certificates */ + clear_enterprise_creds_params(&context.enterprise_creds_params); +#endif /* CONFIG_WIFI_SHELL_RUNTIME_CERTIFICATES */ + return 0; } @@ -1924,9 +2142,8 @@ static int cmd_wifi_ap_enable(const struct shell *sh, size_t argc, cnx_params.security == WIFI_SECURITY_TYPE_EAP_PEAP_MSCHAPV2 || cnx_params.security == WIFI_SECURITY_TYPE_EAP_PEAP_GTC || cnx_params.security == WIFI_SECURITY_TYPE_EAP_TTLS_MSCHAPV2 || - cnx_params.security == WIFI_SECURITY_TYPE_EAP_PEAP_TLS || - cnx_params.security == WIFI_SECURITY_TYPE_EAP_TLS_SHA256) { - cmd_wifi_set_enterprise_creds(sh, iface); + cnx_params.security == WIFI_SECURITY_TYPE_EAP_PEAP_TLS) { + wifi_set_enterprise_creds(sh, iface, 1); } #endif 
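Review bot: When `process_certificates()` fails, the `cleanup:` path of `set_enterprise_creds_params()` frees the buffers but leaves the freed pointers and their lengths in `*params`, and the function returns `void`, so `wifi_set_enterprise_creds()` still passes those dangling pointers to `net_mgmt(NET_REQUEST_WIFI_ENTERPRISE_CREDS, ...)`. The function should return the error and zero `*params` after freeing, the caller should stop before `net_mgmt()`, and the compile-time variant should simply return 0. The private-key buffers are also released with a bare `k_free()` both here and in `clear_enterprise_creds_params()`; clearing them over their stored length first would keep key material out of reused heap. As shown on this page, `params->client_cert2` in the `certs[]` initializer has no trailing comma, which would not compile if that is what the commit contains. The body of `wifi_set_enterprise_creds()` continues past the end of the hunk.

```c
static int set_enterprise_creds_params(struct wifi_enterprise_creds_params *params,
				       bool is_ap)
{
	int ret;

	/* … unchanged: certs_common / certs_sta / certs_ap tables, memset(params) … */

	ret = process_certificates(certs_common, ARRAY_SIZE(certs_common));
	if (ret != 0) {
		goto cleanup;
	}

	/* … certs_sta and certs_ap: same pattern, result kept in ret … */

	memcpy(&context.enterprise_creds_params, params, sizeof(*params));
	return 0;

cleanup:
	/* … unchanged: k_free() loops over the three tables … */

	/* The buffers are gone; clear the pointers and lengths with them. */
	memset(params, 0, sizeof(*params));
	return ret;
}

/* In wifi_set_enterprise_creds(): */
	if (set_enterprise_creds_params(&params, is_ap) != 0) {
		PR_WARNING("Set enterprise credentials failed\n");
		return -1;
	}
```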
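Review bot: The result of `wifi_set_enterprise_creds(sh, iface, 0)` is discarded in the `cmd_wifi_connect` hunk, so the connect request is still issued after the helper has printed "Set enterprise credentials failed". The same applies to `wifi_set_enterprise_creds(sh, iface, 1)` in the `cmd_wifi_ap_enable` hunk. I would check the result and leave the command with its usual error return, for example `if (wifi_set_enterprise_creds(sh, iface, false)) { return -ENOEXEC; }`, and pass `false`/`true` rather than `0`/`1` for the `bool is_ap` parameter. Both command functions start and end outside their hunks, so the exact error value should follow what the rest of each function returns.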
@@ -1957,6 +2174,12 @@ static int cmd_wifi_ap_disable(const struct shell *sh, size_t argc, } PR("AP mode disable requested\n"); + +#ifdef CONFIG_WIFI_SHELL_RUNTIME_CERTIFICATES + /* Clear the certificates */ + clear_enterprise_creds_params(&context.enterprise_creds_params); +#endif /* CONFIG_WIFI_SHELL_RUNTIME_CERTIFICATES */ + return 0; } @@ -3407,7 +3630,7 @@ SHELL_STATIC_SUBCMD_SET_CREATE( "0:None, 1:WPA2-PSK, 2:WPA2-PSK-256, 3:SAE-HNP, 4:SAE-H2E, 5:SAE-AUTO, 6:WAPI," "7:EAP-TLS, 8:WEP, 9: WPA-PSK, 10: WPA-Auto-Personal, 11: DPP\n" "12: EAP-PEAP-MSCHAPv2, 13: EAP-PEAP-GTC, 14: EAP-TTLS-MSCHAPv2,\n" - "15: EAP-PEAP-TLS, 16:EAP_TLS_SHA256\n" + "15: EAP-PEAP-TLS\n" "-w --ieee-80211w= (optional: needs security type to be specified)\n" "0:Disable, 1:Optional, 2:Required\n" "-b --band= (2 -2.6GHz, 5 - 5Ghz, 6 - 6GHz)\n" @@ -3650,7 +3873,7 @@ SHELL_SUBCMD_ADD((wifi), connect, NULL, "0:None, 1:WPA2-PSK, 2:WPA2-PSK-256, 3:SAE-HNP, 4:SAE-H2E, 5:SAE-AUTO, 6:WAPI," "7:EAP-TLS, 8:WEP, 9: WPA-PSK, 10: WPA-Auto-Personal, 11: DPP\n" "12: EAP-PEAP-MSCHAPv2, 13: EAP-PEAP-GTC, 14: EAP-TTLS-MSCHAPv2,\n" - "15: EAP-PEAP-TLS, 16:EAP_TLS_SHA256\n" + "15: EAP-PEAP-TLS\n" "[-w, --ieee-80211w]: MFP (optional: needs security type to be specified)\n" ": 0:Disable, 1:Optional, 2:Required.\n" "[-m, --bssid]: MAC address of the AP (BSSID).\n" diff --git a/subsys/net/lib/tls_credentials/Kconfig.shell b/subsys/net/lib/tls_credentials/Kconfig.shell index 3e20f6e7717..9a28e887bf6 100644 --- a/subsys/net/lib/tls_credentials/Kconfig.shell +++ b/subsys/net/lib/tls_credentials/Kconfig.shell 
@@ -32,4 +32,13 @@ config TLS_CREDENTIALS_SHELL_DIGEST_BUF_SIZE Also used to print error messages if digest generation fails. +if TLS_CREDENTIALS_BACKEND_VOLATILE +config HEAP_MEM_POOL_ADD_SIZE_TLS_CRED_SHELL + int "TLS credentials shell memory pool size" + # default 4 certs and each assume 1500 bytes + default 6000 + help + The size of the memory pool used by the TLS credentials shell. +endif # TLS_CREDENTIALS_BACKEND_VOLATILE + endif # TLS_CREDENTIALS_SHELL diff --git a/subsys/net/lib/tls_credentials/tls_credentials_shell.c b/subsys/net/lib/tls_credentials/tls_credentials_shell.c index 1b06520466b..3195c759962 100644 --- a/subsys/net/lib/tls_credentials/tls_credentials_shell.c +++ b/subsys/net/lib/tls_credentials/tls_credentials_shell.c @@ -564,8 +564,8 @@ static int tls_cred_cmd_del(const struct shell *sh, size_t argc, char *argv[]) ref_slot = find_ref_slot(cred->buf); if (ref_slot >= 0) { /* This was a credential we copied to heap. Clear and free it. */ - memset((void *)cred_buf, 0, cred->len); - k_free((void *)cred_buf); + memset(&cred_refs[ref_slot], 0, cred->len); + k_free((void *)&cred_refs[ref_slot]); cred->buf = NULL; /* Clear the reference slot so it can be used again. */
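Review bot: In `tls_cred_cmd_del`, `memset(&cred_refs[ref_slot], 0, cred->len)` and `k_free((void *)&cred_refs[ref_slot])` take the address of the slot rather than the pointer stored in it. If `cred_refs` is the table of saved heap pointers, as `find_ref_slot(cred->buf)` and the following "Clear the reference slot" comment suggest (its declaration is outside the hunk), the `memset` writes `cred->len` bytes over the table and whatever follows it, `k_free()` is given an address that was never allocated, and the credential itself is neither wiped nor freed. The lines should read `memset(cred_refs[ref_slot], 0, cred->len);` and `k_free(cred_refs[ref_slot]);`. Because the buffer may hold a private key, it is also worth confirming that the clearing write is not optimized away before the free. The function starts and ends outside the hunk.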