Matching CA certificate during WPA2/Enterprise eap - peap

Post Reply
svitrol
Posts: 1
Joined: Tue Dec 12, 2023 9:33 pm

Matching CA certificate during WPA2/Enterprise eap - peap

Postby svitrol » Tue Dec 12, 2023 10:40 pm

I tried this code:
https://github.com/espressif/arduino-es ... rprise.ino
https://github.com/martinius96/ESP32-ed ... duroam.ino

I can connect to Eduroam fine without the CA cert but when trying to insert the cert file it does not connect.

So I looked here:
https://github.com/espressif/esp-idf/tr ... enterprise
but this inserts the CA cert directly into the binary.

I tried to look into wpa_supplicant
https://github.com/espressif/esp-idf/tr ... supplicant
Code: [Select all] [Expand/Collapse]
  1. esp_err_t esp_eap_client_set_ca_cert(const unsigned char *ca_cert, int ca_cert_len)
  2. {
  3.     if (ca_cert && ca_cert_len > 0) {
  4.         g_wpa_ca_cert = ca_cert;
  5.         g_wpa_ca_cert_len = ca_cert_len;
  6.     }
  7.  
  8.     return ESP_OK;
  9. }
GeSHi © Codebox Plus Extension
Here we just put the ca_cert into global variable
and then here inserting into eap_sm struct.
Code: [Select all] [Expand/Collapse]
  1. int eap_peer_blob_init(struct eap_sm *sm)
  2. {
  3. ...
  4.     if (g_wpa_ca_cert && g_wpa_ca_cert_len) {
  5.         sm->blob[2].name = (char *)os_zalloc(BLOB_NAME_LEN+1);
  6.         if (sm->blob[2].name == NULL) {
  7.             ret = -2;
  8.             goto _out;
  9.         }
  10.         os_strlcpy(sm->blob[2].name, CA_CERT_NAME, BLOB_NAME_LEN+1);
  11.         sm->blob[2].len = g_wpa_ca_cert_len;
  12.         sm->blob[2].data = g_wpa_ca_cert;
  13.     }
  14. ...
  15. }
GeSHi © Codebox Plus Extension
But I can't seem to find where does the matching of the certificates takes place. There is this function 'crypto_verify_cert', but it has no usage.

In the code bellow there is another place where there is access to ca_cert, but still no matching.
Code: [Select all] [Expand/Collapse]
  1. static int eap_tls_params_from_conf(struct eap_sm *sm,
  2.                     struct eap_ssl_data *data,
  3.                     struct tls_connection_params *params,
  4.                     struct eap_peer_config *config)
  5. {
  6.     ...
  7.  
  8.     /*
  9.      * Use blob data, if available. Otherwise, leave reference to external
  10.      * file as-is.
  11.      */
  12.     if (eap_tls_check_blob(sm, &params->ca_cert, &params->ca_cert_blob,
  13.                    &params->ca_cert_blob_len) ||
  14.         eap_tls_check_blob(sm, &params->client_cert,
  15.                    &params->client_cert_blob,
  16.                    &params->client_cert_blob_len) ||
  17.         eap_tls_check_blob(sm, &params->private_key,
  18.                    &params->private_key_blob,
  19.                    &params->private_key_blob_len)) {
  20.         wpa_printf(MSG_INFO, "SSL: Failed to get configuration blobs");
  21.         return -1;
  22.     }
  23. ...
  24. }
GeSHi © Codebox Plus Extension
And this code is called only from: 'eap_peer_tls_ssl_init'.

But can't find the place where I could see what is going on.

I would like to look into what is coming from the AP and finding out how to edit the pem file written into code so that it matches.

Any idea how to debug this?
Top
Post Reply

Return to “ESP-IDF”

Who is online

Users browsing this forum: No registered users and 86 guests