Skip to content

Commit

Permalink
[toup] zephyr: crypto: Fix for embedtls
Browse files Browse the repository at this point in the history
Fix mbedtls for WPA3 enterprise suiteb192 rsa3k connect fail.
Use MBEDTLS_SSL_PRESET_DEFAULT as input.

Signed-off-by: Li Long <li.long@nxp.com>
  • Loading branch information
LiLongNXP committed Aug 21, 2024
1 parent 074df22 commit 9e1412c
Show file tree
Hide file tree
Showing 3 changed files with 14 additions and 3 deletions.
2 changes: 2 additions & 0 deletions src/crypto/tls.h
Original file line number Diff line number Diff line change
Expand Up @@ -112,6 +112,8 @@ struct tls_config {
#define TLS_CONN_ENABLE_TLSv1_1 BIT(15)
#define TLS_CONN_ENABLE_TLSv1_2 BIT(16)
#define TLS_CONN_TEAP_ANON_DH BIT(17)
#define TLS_CONN_CNSA BIT(18)
#define TLS_CONN_CNSA_NO_ECDH BIT(19)

/**
* struct tls_connection_params - Parameters for TLS connection
Expand Down
7 changes: 4 additions & 3 deletions src/crypto/tls_mbedtls_alt.c
Original file line number Diff line number Diff line change
Expand Up @@ -1730,6 +1730,7 @@ static int tls_mbedtls_set_params(struct tls_conf *tls_conf, const struct tls_co
int ret = mbedtls_ssl_config_defaults(
&tls_conf->conf, tls_ctx_global.tls_conf ? MBEDTLS_SSL_IS_SERVER : MBEDTLS_SSL_IS_CLIENT,
MBEDTLS_SSL_TRANSPORT_STREAM,
(tls_conf->flags & TLS_CONN_CNSA) ? MBEDTLS_SSL_PRESET_CNSA :
(tls_conf->flags & TLS_CONN_SUITEB) ? MBEDTLS_SSL_PRESET_SUITEB : MBEDTLS_SSL_PRESET_DEFAULT);
if (ret != 0)
{
Expand All @@ -1747,7 +1748,7 @@ static int tls_mbedtls_set_params(struct tls_conf *tls_conf, const struct tls_co
mbedtls_ssl_conf_cert_profile(&tls_conf->conf, &tls_mbedtls_crt_profile_suiteb192);
mbedtls_ssl_conf_dhm_min_bitlen(&tls_conf->conf, 3072);
}
else if (tls_conf->flags & TLS_CONN_SUITEB)
else if ((tls_conf->flags & TLS_CONN_SUITEB) | (tls_conf->flags & TLS_CONN_CNSA))
{
/* treat as suiteb192 while allowing any PK algorithm */
mbedtls_ssl_conf_cert_profile(&tls_conf->conf, &tls_mbedtls_crt_profile_suiteb192_anypk);
Expand Down Expand Up @@ -1776,10 +1777,10 @@ static int tls_mbedtls_set_params(struct tls_conf *tls_conf, const struct tls_co
if (!tls_mbedtls_set_ciphers(tls_conf, params->openssl_ciphers))
return -1;
}
else if (tls_conf->flags & TLS_CONN_SUITEB)
else if (tls_conf->flags & TLS_CONN_CNSA)
{
/* special-case a select set of ciphers for hwsim tests */
if (!tls_mbedtls_set_ciphers(tls_conf, (tls_conf->flags & TLS_CONN_SUITEB_NO_ECDH) ?
if (!tls_mbedtls_set_ciphers(tls_conf, (tls_conf->flags & TLS_CONN_CNSA_NO_ECDH) ?
"DHE-RSA-AES256-GCM-SHA384" :
"ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384"))
return -1;
Expand Down
8 changes: 8 additions & 0 deletions src/eap_peer/eap_tls_common.c
Original file line number Diff line number Diff line change
Expand Up @@ -102,6 +102,14 @@ static void eap_tls_params_flags(struct tls_connection_params *params,
params->flags |= TLS_CONN_SUITEB_NO_ECDH;
if (os_strstr(txt, "tls_suiteb_no_ecdh=0"))
params->flags &= ~TLS_CONN_SUITEB_NO_ECDH;
if (os_strstr(txt, "tls_cnsa=1"))
params->flags |= TLS_CONN_CNSA;
if (os_strstr(txt, "tls_cnsa=0"))
params->flags &= ~TLS_CONN_CNSA;
if (os_strstr(txt, "tls_cnsa_no_ecdh=1"))
params->flags |= TLS_CONN_CNSA_NO_ECDH;
if (os_strstr(txt, "tls_cnsa_no_ecdh=0"))
params->flags &= ~TLS_CONN_CNSA_NO_ECDH;
}


Expand Down

0 comments on commit 9e1412c

Please sign in to comment.