Merge branch 'feature/eap_tls_v1.3_support' into 'master'

wpa_supplicant: Add TLS v1.3 support in WiFi Enterprise Authentication Closes WIFI-6135 See merge request espressif/esp-idf!24975
espressif · Mar 21, 2024 · 9971413 · 9971413
2 parents cfcdaca + 1d71178
commit 9971413
Show file tree

Hide file tree

Showing 21 changed files with 778 additions and 258 deletions.
diff --git a/Kconfig b/Kconfig
@@ -627,3 +627,4 @@ mainmenu "Espressif IoT Development Framework Configuration"
             - CONFIG_SPIRAM_SPEED_120M && CONFIG_SPIRAM_MODE_OCT
             - CONFIG_BOOTLOADER_CACHE_32BIT_ADDR_QUAD_FLASH
             - CONFIG_MBEDTLS_USE_CRYPTO_ROM_IMPL
+            - CONFIG_ESP_WIFI_EAP_TLS1_3
diff --git a/components/esp_wifi/Kconfig b/components/esp_wifi/Kconfig
@@ -493,6 +493,20 @@ menu "Wi-Fi"
                     TLS-v1.0, TLS-v1.1 versions. Incase your server is using one of these version,
                     it is advisable to update your server.
                     Please disable this option for compatibilty with older TLS versions.
+
+            config ESP_WIFI_EAP_TLS1_3
+                bool "Enable EAP-TLS v1.3 Support for WiFi Enterprise connection"
+                default n
+                select MBEDTLS_SSL_PROTO_TLS1_3
+                depends on ESP_WIFI_MBEDTLS_TLS_CLIENT && IDF_EXPERIMENTAL_FEATURES
+                help
+                    Select this option to support EAP with TLS v1.3.
+                    This configuration still supports compatibility with EAP-TLS v1.2.
+                    Please note that enabling this configuration will cause every application which
+                    uses TLS go for TLS1.3 if server supports that. TLS1.3 is still in development in mbedtls
+                    and there may be interoperability issues with this. Please modify your application to set
+                    max version as TLS1.2 if you want to enable TLS1.3 only for WiFi connection.
+
         endif
 
         config ESP_WIFI_WAPI_PSK
@@ -629,6 +643,11 @@ menu "Wi-Fi"
                 disabling this will reduce binary size.
                 disabling this will disable the use of any esp_wifi_sta_wpa2_ent_* (as APIs will be meaningless)
 
+                Note that when using bigger certificates on low-power chips without crypto
+                hardware acceleration, it is recommended to adjust the task watchdog timer (TWDT)
+                if it is enabled. For precise information on timing requirements, you can check
+                performance numbers at https://github.com/espressif/mbedtls/wiki/Performance-Numbers.
+
         config ESP_WIFI_ENT_FREE_DYNAMIC_BUFFER
             bool "Free dynamic buffers during WiFi enterprise connection"
             depends on ESP_WIFI_ENTERPRISE_SUPPORT

diff --git a/components/wpa_supplicant/CMakeLists.txt b/components/wpa_supplicant/CMakeLists.txt
@@ -304,6 +304,9 @@ endif()
 if(CONFIG_ESP_WIFI_ENABLE_WPA3_OWE_STA)
         target_compile_definitions(${COMPONENT_LIB} PRIVATE CONFIG_OWE_STA)
 endif()
+if(CONFIG_ESP_WIFI_EAP_TLS1_3)
+    target_compile_definitions(${COMPONENT_LIB} PRIVATE CONFIG_TLSV13)
+endif()
 set_property(TARGET ${COMPONENT_LIB} APPEND PROPERTY LINK_INTERFACE_MULTIPLICITY 3)
 
 target_compile_options(${COMPONENT_LIB} PRIVATE "-Wno-format")