Merge branch 'feature/192bit_security_' into 'master'

ESP_WIFI: Added GCMP, GMAC, WPA3 192 bit Support

Closes WIFI-3907 and WIFI-3778

See merge request espressif/esp-idf!14530

Author: jack0c

components/esp_rom/esp32c3/ld/esp32c3.rom.ld

@@ -1567,7 +1567,6 @@ ppEnqueueRxq = 0x400016c8;
 ppEnqueueTxDone = 0x400016cc;
 ppGetTxQFirstAvail_Locked = 0x400016d0;
 ppGetTxframe = 0x400016d4;
-ppProcTxSecFrame = 0x400016dc;
 ppProcessRxPktHdr = 0x400016e0;
 ppProcessTxQ = 0x400016e4;
 ppRecordBarRRC = 0x400016e8;

components/esp_rom/esp32s3/ld/esp32s3.rom.ld

@@ -1873,7 +1873,6 @@ ppEnqueueTxDone = 0x400055a4;
 ppGetTxQFirstAvail_Locked = 0x400055b0;
 ppGetTxframe = 0x400055bc;
 ppMapTxQueue = 0x400055c8;
-ppProcTxSecFrame = 0x400055d4;
 ppProcessRxPktHdr = 0x400055e0;
 ppProcessTxQ = 0x400055ec;
 ppRecordBarRRC = 0x400055f8;

components/esp_wifi/Kconfig

@@ -312,4 +312,17 @@ menu "Wi-Fi"
             This function depends on BT-off
             because currently we don't support external coex and internal coex simultaneously.
 
+    config ESP_WIFI_GCMP_SUPPORT
+        bool "WiFi GCMP Support(GCMP128 and GCMP256)"
+        default n
+        depends on (IDF_TARGET_ESP32C3 || IDF_TARGET_ESP32S3)
+        help
+            Select this option to enable GCMP support. GCMP support is compulsory for WiFi Suite-B support.
+
+    config ESP_WIFI_GMAC_SUPPORT
+        bool "WiFi GMAC Support(GMAC128 and GMAC256)"
+        default n
+        help
+            Select this option to enable GMAC support. GMAC support is compulsory for WiFi 192 bit certification.
+
 endmenu  # Wi-Fi

components/esp_wifi/include/esp_wifi_crypto_types.h

@@ -1,16 +1,8 @@
-// Hardware crypto support Copyright 2017 Espressif Systems (Shanghai) PTE LTD
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
+/*
+ * SPDX-FileCopyrightText: 2017-2021 Espressif Systems (Shanghai) CO LTD
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ */
 
 
 #ifndef __ESP_WIFI_CRYPTO_TYPES_H__
@@ -358,6 +350,21 @@ typedef uint8_t * (*esp_ccmp_decrypt_t)(const uint8_t *tk, const uint8_t *ieee80
 typedef uint8_t * (*esp_ccmp_encrypt_t)(const uint8_t *tk, uint8_t *frame, size_t len, size_t hdrlen,
                                         uint8_t *pn, int keyid, size_t *encrypted_len);
 
+/**
+ * @brief One-Key GMAC hash with AES for MIC computation
+ *
+ * @key: key for the hash operation
+ * @keylen: key length
+ * @iv: initialization vector
+ * @iv_len: initialization vector length
+ * @aad: aad
+ * @aad_len: aad length
+ * @mic: Buffer for MIC (128 bits, i.e., 16 bytes)
+ * Returns: 0 on success, -1 on failure
+ */
+typedef int (*esp_aes_gmac_t)(const uint8_t *key, size_t keylen, const uint8_t *iv, size_t iv_len,
+                              const uint8_t *aad, size_t aad_len, uint8_t *mic);
+
 /**
   * @brief The crypto callback function structure used when do station security connect.
   *        The structure can be set as software crypto or the crypto optimized by ESP32
@@ -390,6 +397,7 @@ typedef struct {
     esp_omac1_aes_128_t omac1_aes_128;
     esp_ccmp_decrypt_t ccmp_decrypt;
     esp_ccmp_encrypt_t ccmp_encrypt;
+    esp_aes_gmac_t aes_gmac;
 }wpa_crypto_funcs_t;
 
 /**

components/esp_wifi/include/esp_wifi_types.h

@@ -142,6 +142,10 @@ typedef enum {
     WIFI_CIPHER_TYPE_TKIP_CCMP,  /**< the cipher type is TKIP and CCMP */
     WIFI_CIPHER_TYPE_AES_CMAC128,/**< the cipher type is AES-CMAC-128 */
     WIFI_CIPHER_TYPE_SMS4,       /**< the cipher type is SMS4 */
+    WIFI_CIPHER_TYPE_GCMP,       /**< the cipher type is GCMP */
+    WIFI_CIPHER_TYPE_GCMP256,    /**< the cipher type is GCMP-256 */
+    WIFI_CIPHER_TYPE_AES_GMAC128,/**< the cipher type is AES-GMAC-128 */
+    WIFI_CIPHER_TYPE_AES_GMAC256,/**< the cipher type is AES-GMAC-256 */
     WIFI_CIPHER_TYPE_UNKNOWN,    /**< the cipher type is unknown */
 } wifi_cipher_type_t;
 

components/esp_wifi/lib

@@ -10,6 +10,7 @@ set(srcs "port/os_xtensa.c"
     "src/crypto/aes-siv.c"
     "src/crypto/sha256-kdf.c"
     "src/crypto/ccmp.c"
+    "src/crypto/aes-gcm.c"
     "src/crypto/crypto_ops.c"
     "src/crypto/dh_group5.c"
     "src/crypto/dh_groups.c"
@@ -19,6 +20,7 @@ set(srcs "port/os_xtensa.c"
     "src/crypto/sha384-tlsprf.c"
     "src/crypto/sha256-prf.c"
     "src/crypto/sha1-prf.c"
+    "src/crypto/sha384-prf.c"
     "src/crypto/md4-internal.c"
     "src/eap_peer/chap.c"
     "src/eap_peer/eap.c"
@@ -194,6 +196,18 @@ endif()
 if(CONFIG_WPA_WPS_STRICT)
     target_compile_definitions(${COMPONENT_LIB} PRIVATE CONFIG_WPS_STRICT)
 endif()
+if(CONFIG_WPA_SUITE_B_192)
+    target_compile_definitions(${COMPONENT_LIB} PRIVATE CONFIG_SUITEB192)
+endif()
+if(CONFIG_WPA_SUITE_B)
+    target_compile_definitions(${COMPONENT_LIB} PRIVATE CONFIG_SUITEB)
+endif()
+if(CONFIG_ESP_WIFI_GCMP_SUPPORT)
+    target_compile_definitions(${COMPONENT_LIB} PRIVATE CONFIG_GCMP)
+endif()
+if(CONFIG_ESP_WIFI_GMAC_SUPPORT)
+    target_compile_definitions(${COMPONENT_LIB} PRIVATE CONFIG_GMAC)
+endif()
 
 if(CONFIG_WPA_MBO_SUPPORT)
     target_compile_definitions(${COMPONENT_LIB} PRIVATE CONFIG_MBO)

components/wpa_supplicant/CMakeLists.txt

@@ -18,6 +18,15 @@ menu "Supplicant"
             Select this option to enable WAPI-PSK
             which is a Chinese National Standard Encryption for Wireless LANs (GB 15629.11-2003).
 
+    config WPA_SUITE_B_192
+        bool "Enable NSA suite B support with 192 bit key"
+        default n
+        select ESP_WIFI_GCMP_SUPPORT
+        select ESP_WIFI_GMAC_SUPPORT
+        help
+            Select this option to enable 192 bit NSA suite-B.
+            This is necessary to support WPA3 192 bit security.
+
     config WPA_DEBUG_PRINT
         bool "Print debug messages from WPA Supplicant"
         default n

components/wpa_supplicant/Kconfig

@@ -85,3 +85,15 @@ endif
 ifdef CONFIG_WPA_MBO_SUPPORT
 	CFLAGS += -DCONFIG_MBO
 endif
+ifdef CONFIG_WPA_SUITE_B_192
+	CFLAGS += -DCONFIG_SUITEB192
+endif
+ifdef CONFIG_WPA_SUITE_B
+	CFLAGS += -DCONFIG_SUITEB
+endif
+ifdef CONFIG_ESP_WIFI_GCMP_SUPPORT
+	CFLAGS += -DCONFIG_GCMP
+endif
+ifdef CONFIG_ESP_WIFI_GMAC_SUPPORT
+	CFLAGS += -DCONFIG_GMAC
+endif

components/wpa_supplicant/component.mk

@@ -1,16 +1,8 @@
-// Hardware crypto support Copyright 2019 Espressif Systems (Shanghai) PTE LTD
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
+/*
+ * SPDX-FileCopyrightText: 2019-2021 Espressif Systems (Shanghai) CO LTD
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ */
 
 #ifndef _ESP_WPA2_H
 #define _ESP_WPA2_H
@@ -209,6 +201,16 @@ esp_err_t esp_wifi_sta_wpa2_ent_get_disable_time_check(bool *disable);
   */
 esp_err_t esp_wifi_sta_wpa2_ent_set_ttls_phase2_method(esp_eap_ttls_phase2_types type);
 
+/**
+  * @brief  enable/disable 192 bit suite b certification checks
+  *
+  * @param  enable: bool to enable/disable it.
+  *
+  * @return
+  *    - ESP_OK: succeed
+  */
+esp_err_t esp_wifi_sta_wpa2_set_suiteb_192bit_certification(bool enable);
+
 #ifdef __cplusplus
 }
 #endif