wifi: enterprise: Pull support for runtime certificates #2681
Merged
+762
−120
Compliance failure should be ignored as there isn't a way to work around it: Please see zephyrproject-rtos/zephyr#87656 (comment) (And Discord discussion)
sachinthegreen
approved these changes
Apr 1, 2025
ee972e5
to
6f127db
…an results" This reverts commit 4c3af28. Signed-off-by: Chaitanya Tata <Chaitanya.Tata@nordicsemi.no>
This reverts commit 38d709d. Signed-off-by: Chaitanya Tata <Chaitanya.Tata@nordicsemi.no>
Remove EAP TLS SHA256 security, as it was added to support the AKM of 00-0F-AC:5 in RSN IE, but actually this AKM is used by WPA3 enterprise only mode. Signed-off-by: Maochen Wang <maochen.wang@nxp.com> (cherry picked from commit 4777dfa)
…ation Memory allocation failures during certificate validation cause connection termination. Increase MBEDTLS_HEAP_SIZE to fix this. Signed-off-by: Ravi Dondaputi <ravi.dondaputi@nordicsemi.no> (cherry picked from commit 58591c6f2c33434e048fd23d7bc15806c90467ca)
Using TLS credentials library add support for run-time certificates where the installed certs are retrieved from the credential store (as of now only volatile backend is tested). This helps in production environments. Implements #79564. Upstream PR #: 87656 Signed-off-by: Chaitanya Tata <Chaitanya.Tata@nordicsemi.no>
The volatile backend stores the credentials on the heap, so, explicitly add a config option that can be overridden in case there are more certs than the default. Upstream PR #: 87656 Signed-off-by: Chaitanya Tata <Chaitanya.Tata@nordicsemi.no>
Instead of having an overlay move the Enterprise configurations to a dedicated snippet so that it can be enabled with any sample. Can be used along with Wi-Fi snippet e.g., `-S "wifi-ipv4;wifi-enterprise"`. Upstream PR #: 87656 Signed-off-by: Chaitanya Tata <Chaitanya.Tata@nordicsemi.no>
…ials Enable TLS credentials shell to manage Wi-Fi enterprise certs. Upstream PR #: 87656 Signed-off-by: Chaitanya Tata <Chaitanya.Tata@nordicsemi.no>
Deletion of credential should use the pointer from the reference slot not the temporary buffer, this causes a crash (unknown error). Upstream PR #: 87656 Signed-off-by: Chaitanya Tata <Chaitanya.Tata@nordicsemi.no>
Certificate usage depends on STA/AP mode, but we don't have that information at build time, so make all certs optional, and if a file isn't found then generate an empty header so that the corresponding C code will be built. Any missing mandatory certificates will be validated before connection and connection is failed. Upstream PR #: 87656 Signed-off-by: Chaitanya Tata <Chaitanya.Tata@nordicsemi.no>
RSA3K based certs are not supported on all platforms, so keep both variants, rsa2k (the older certs but with longer expiry 9999 days) and rsa3k (latest ones), and we can have more variants in this folder. Also, add a cmake variable to override the path with default as rsa3k. Upstream PR #: 87656 Signed-off-by: Chaitanya Tata <Chaitanya.Tata@nordicsemi.no>
The command should work with existing certs rather than a generic example, also fix the key-management. Upstream PR #: 87656 Signed-off-by: Chaitanya Tata <Chaitanya.Tata@nordicsemi.no>
For enterprise mode we need to install multiple certs to the TLS credentials store, so, add a helper script. Upstream PR #: 87656 Signed-off-by: Chaitanya Tata <Chaitanya.Tata@nordicsemi.no>
6f127db
to
951a982
rado17
approved these changes
Apr 1, 2025
VivekUppunda
approved these changes
Apr 1, 2025
manifest-pr-skip