Matching CA certificate during WPA2/Enterprise eap - peap

svitrol
Posts: 1
Joined: Tue Dec 12, 2023 9:33 pm

Matching CA certificate during WPA2/Enterprise eap - peap

Postby svitrol » Tue Dec 12, 2023 10:40 pm

I tried this code:
https://github.com/espressif/arduino-es ... rprise.ino
https://github.com/martinius96/ESP32-ed ... duroam.ino

I can connect to Eduroam fine without the CA cert but when trying to insert the cert file it does not connect.

So I looked here:
https://github.com/espressif/esp-idf/tr ... enterprise
but this inserts the CA cert directly into the binary.

I tried to look into wpa_supplicant
https://github.com/espressif/esp-idf/tr ... supplicant
  1. esp_err_t esp_eap_client_set_ca_cert(const unsigned char *ca_cert, int ca_cert_len)
  2. {
  3.     if (ca_cert && ca_cert_len > 0) {
  4.         g_wpa_ca_cert = ca_cert;
  5.         g_wpa_ca_cert_len = ca_cert_len;
  6.     }
  7.  
  8.     return ESP_OK;
  9. }
Here we just put the ca_cert into global variable
and then here inserting into eap_sm struct.
  1. int eap_peer_blob_init(struct eap_sm *sm)
  2. {
  3. ...
  4.     if (g_wpa_ca_cert && g_wpa_ca_cert_len) {
  5.         sm->blob[2].name = (char *)os_zalloc(BLOB_NAME_LEN+1);
  6.         if (sm->blob[2].name == NULL) {
  7.             ret = -2;
  8.             goto _out;
  9.         }
  10.         os_strlcpy(sm->blob[2].name, CA_CERT_NAME, BLOB_NAME_LEN+1);
  11.         sm->blob[2].len = g_wpa_ca_cert_len;
  12.         sm->blob[2].data = g_wpa_ca_cert;
  13.     }
  14. ...
  15. }
But I can't seem to find where does the matching of the certificates takes place. There is this function 'crypto_verify_cert', but it has no usage.

In the code bellow there is another place where there is access to ca_cert, but still no matching.
  1. static int eap_tls_params_from_conf(struct eap_sm *sm,
  2.                     struct eap_ssl_data *data,
  3.                     struct tls_connection_params *params,
  4.                     struct eap_peer_config *config)
  5. {
  6.     ...
  7.  
  8.     /*
  9.      * Use blob data, if available. Otherwise, leave reference to external
  10.      * file as-is.
  11.      */
  12.     if (eap_tls_check_blob(sm, &params->ca_cert, &params->ca_cert_blob,
  13.                    &params->ca_cert_blob_len) ||
  14.         eap_tls_check_blob(sm, &params->client_cert,
  15.                    &params->client_cert_blob,
  16.                    &params->client_cert_blob_len) ||
  17.         eap_tls_check_blob(sm, &params->private_key,
  18.                    &params->private_key_blob,
  19.                    &params->private_key_blob_len)) {
  20.         wpa_printf(MSG_INFO, "SSL: Failed to get configuration blobs");
  21.         return -1;
  22.     }
  23. ...
  24. }
And this code is called only from: 'eap_peer_tls_ssl_init'.

But can't find the place where I could see what is going on.

I would like to look into what is coming from the AP and finding out how to edit the pem file written into code so that it matches.

Any idea how to debug this?

Who is online

Users browsing this forum: Baidu [Spider] and 115 guests