cyw43: add support for WPA3 and more extensive security options.

2024-11-21 14:22:33 +00:00 · 2024-09-09 01:09:15 +02:00 · 2024-09-09 01:09:15 +02:00 · b9a1aaea5b
commit b9a1aaea5b
parent 6b21f6d3d1
7 changed files with 181 additions and 63 deletions
--- a/cyw43/src/consts.rs
+++ b/cyw43/src/consts.rs
@ -653,3 +653,18 @@ pub(crate) enum Ioctl {
    GetWsecPmk = 318,
    GetRandomBytes = 319,
 }
+
+pub(crate) const WSEC_TKIP: u32 = 0x02;
+pub(crate) const WSEC_AES: u32 = 0x04;
+
+pub(crate) const AUTH_OPEN: u32 = 0x00;
+pub(crate) const AUTH_SAE: u32 = 0x03;
+
+pub(crate) const MFP_NONE: u32 = 0;
+pub(crate) const MFP_CAPABLE: u32 = 1;
+pub(crate) const MFP_REQUIRED: u32 = 2;
+
+pub(crate) const WPA_AUTH_DISABLED: u32 = 0x0000;
+pub(crate) const WPA_AUTH_WPA_PSK: u32 = 0x0004;
+pub(crate) const WPA_AUTH_WPA2_PSK: u32 = 0x0080;
+pub(crate) const WPA_AUTH_WPA3_SAE_PSK: u32 = 0x40000;
--- a/cyw43/src/control.rs
+++ b/cyw43/src/control.rs
@ -35,7 +35,7 @@ pub struct Control<'a> {
    ioctl_state: &'a IoctlState,
 }

-#[derive(Copy, Clone)]
+#[derive(Copy, Clone, Debug)]
 #[cfg_attr(feature = "defmt", derive(defmt::Format))]
 pub enum ScanType {
    Active,
@ -43,8 +43,9 @@ pub enum ScanType {
 }

 /// Scan options.
-#[derive(Clone)]
+#[derive(Clone, Debug)]
 #[cfg_attr(feature = "defmt", derive(defmt::Format))]
+#[non_exhaustive]
 pub struct ScanOptions {
    /// SSID to scan for.
    pub ssid: Option<heapless::String<32>>,
@ -74,6 +75,79 @@ impl Default for ScanOptions {
    }
 }

+/// Authentication type, used in [`JoinOptions::auth`].
+#[derive(Copy, Clone, Debug, PartialEq, Eq)]
+#[cfg_attr(feature = "defmt", derive(defmt::Format))]
+pub enum JoinAuth {
+    /// Open network
+    Open,
+    /// WPA only
+    Wpa,
+    /// WPA2 only
+    Wpa2,
+    /// WPA3 only
+    Wpa3,
+    /// WPA2 + WPA3
+    Wpa2Wpa3,
+}
+
+/// Options for [`Control::join`].
+#[derive(Clone, Debug)]
+#[cfg_attr(feature = "defmt", derive(defmt::Format))]
+#[non_exhaustive]
+pub struct JoinOptions<'a> {
+    /// Authentication type. Default `Wpa2Wpa3`.
+    pub auth: JoinAuth,
+    /// Enable TKIP encryption. Default false.
+    pub cipher_tkip: bool,
+    /// Enable AES encryption. Default true.
+    pub cipher_aes: bool,
+    /// Passphrase. Default empty.
+    pub passphrase: &'a [u8],
+    /// If false, `passphrase` is the human-readable passphrase string.
+    /// If true, `passphrase` is the result of applying the PBKDF2 hash to the
+    /// passphrase string. This makes it possible to avoid storing unhashed passwords.
+    ///
+    /// This is not compatible with WPA3.
+    /// Default false.
+    pub passphrase_is_prehashed: bool,
+}
+
+impl<'a> JoinOptions<'a> {
+    /// Create a new `JoinOptions` for joining open networks.
+    pub fn new_open() -> Self {
+        Self {
+            auth: JoinAuth::Open,
+            cipher_tkip: false,
+            cipher_aes: false,
+            passphrase: &[],
+            passphrase_is_prehashed: false,
+        }
+    }
+
+    /// Create a new `JoinOptions` for joining encrypted networks.
+    ///
+    /// Defaults to supporting WPA2+WPA3 with AES only, you may edit
+    /// the returned options to change this.
+    pub fn new(passphrase: &'a [u8]) -> Self {
+        let mut this = Self::default();
+        this.passphrase = passphrase;
+        this
+    }
+}
+
+impl<'a> Default for JoinOptions<'a> {
+    fn default() -> Self {
+        Self {
+            auth: JoinAuth::Wpa2Wpa3,
+            cipher_tkip: false,
+            cipher_aes: true,
+            passphrase: &[],
+            passphrase_is_prehashed: false,
+        }
+    }
+}
+
 impl<'a> Control<'a> {
    pub(crate) fn new(state_ch: ch::StateRunner<'a>, event_sub: &'a Events, ioctl_state: &'a IoctlState) -> Self {
        Self {
@ -217,13 +291,70 @@ impl<'a> Control<'a> {
    }

    /// Join an unprotected network with the provided ssid.
-    pub async fn join_open(&mut self, ssid: &str) -> Result<(), Error> {
+    pub async fn join(&mut self, ssid: &str, options: JoinOptions<'_>) -> Result<(), Error> {
        self.set_iovar_u32("ampdu_ba_wsize", 8).await;

-        self.ioctl_set_u32(Ioctl::SetWsec, 0, 0).await; // wsec = open
-        self.set_iovar_u32x2("bsscfg:sup_wpa", 0, 0).await;
-        self.ioctl_set_u32(Ioctl::SetInfra, 0, 1).await; // set_infra = 1
-        self.ioctl_set_u32(Ioctl::SetAuth, 0, 0).await; // set_auth = open (0)
+        if options.auth == JoinAuth::Open {
+            self.ioctl_set_u32(Ioctl::SetWsec, 0, 0).await;
+            self.set_iovar_u32x2("bsscfg:sup_wpa", 0, 0).await;
+            self.ioctl_set_u32(Ioctl::SetInfra, 0, 1).await;
+            self.ioctl_set_u32(Ioctl::SetAuth, 0, 0).await;
+            self.ioctl_set_u32(Ioctl::SetWpaAuth, 0, WPA_AUTH_DISABLED).await;
+        } else {
+            let mut wsec = 0;
+            if options.cipher_aes {
+                wsec |= WSEC_AES;
+            }
+            if options.cipher_tkip {
+                wsec |= WSEC_TKIP;
+            }
+            self.ioctl_set_u32(Ioctl::SetWsec, 0, wsec).await;
+
+            self.set_iovar_u32x2("bsscfg:sup_wpa", 0, 1).await;
+            self.set_iovar_u32x2("bsscfg:sup_wpa2_eapver", 0, 0xFFFF_FFFF).await;
+            self.set_iovar_u32x2("bsscfg:sup_wpa_tmo", 0, 2500).await;
+
+            Timer::after_millis(100).await;
+
+            let (wpa12, wpa3, auth, mfp, wpa_auth) = match options.auth {
+                JoinAuth::Open => unreachable!(),
+                JoinAuth::Wpa => (true, false, AUTH_OPEN, MFP_NONE, WPA_AUTH_WPA_PSK),
+                JoinAuth::Wpa2 => (true, false, AUTH_OPEN, MFP_CAPABLE, WPA_AUTH_WPA2_PSK),
+                JoinAuth::Wpa3 => (false, true, AUTH_SAE, MFP_REQUIRED, WPA_AUTH_WPA3_SAE_PSK),
+                JoinAuth::Wpa2Wpa3 => (true, true, AUTH_SAE, MFP_CAPABLE, WPA_AUTH_WPA3_SAE_PSK),
+            };
+
+            if wpa12 {
+                let mut flags = 0;
+                if !options.passphrase_is_prehashed {
+                    flags |= 1;
+                }
+                let mut pfi = PassphraseInfo {
+                    len: options.passphrase.len() as _,
+                    flags,
+                    passphrase: [0; 64],
+                };
+                pfi.passphrase[..options.passphrase.len()].copy_from_slice(options.passphrase);
+                Timer::after_millis(3).await;
+                self.ioctl(IoctlType::Set, Ioctl::SetWsecPmk, 0, &mut pfi.to_bytes())
+                    .await;
+            }
+
+            if wpa3 {
+                let mut pfi = SaePassphraseInfo {
+                    len: options.passphrase.len() as _,
+                    passphrase: [0; 128],
+                };
+                pfi.passphrase[..options.passphrase.len()].copy_from_slice(options.passphrase);
+                Timer::after_millis(3).await;
+                self.set_iovar("sae_password", &pfi.to_bytes()).await;
+            }
+
+            self.ioctl_set_u32(Ioctl::SetInfra, 0, 1).await;
+            self.ioctl_set_u32(Ioctl::SetAuth, 0, auth).await;
+            self.set_iovar_u32("mfp", mfp).await;
+            self.ioctl_set_u32(Ioctl::SetWpaAuth, 0, wpa_auth).await;
+        }

        let mut i = SsidInfo {
            len: ssid.len() as _,
@ -234,55 +365,6 @@ impl<'a> Control<'a> {
        self.wait_for_join(i).await
    }

-    /// Join a protected network with the provided ssid and [`PassphraseInfo`].
-    async fn join_wpa2_passphrase_info(&mut self, ssid: &str, passphrase_info: &PassphraseInfo) -> Result<(), Error> {
-        self.set_iovar_u32("ampdu_ba_wsize", 8).await;
-
-        self.ioctl_set_u32(Ioctl::SetWsec, 0, 4).await; // wsec = open
-        self.set_iovar_u32x2("bsscfg:sup_wpa", 0, 1).await;
-        self.set_iovar_u32x2("bsscfg:sup_wpa2_eapver", 0, 0xFFFF_FFFF).await;
-        self.set_iovar_u32x2("bsscfg:sup_wpa_tmo", 0, 2500).await;
-
-        Timer::after_millis(100).await;
-
-        self.ioctl(IoctlType::Set, Ioctl::SetWsecPmk, 0, &mut passphrase_info.to_bytes())
-            .await; // WLC_SET_WSEC_PMK
-
-        self.ioctl_set_u32(Ioctl::SetInfra, 0, 1).await; // set_infra = 1
-        self.ioctl_set_u32(Ioctl::SetAuth, 0, 0).await; // set_auth = 0 (open)
-        self.ioctl_set_u32(Ioctl::SetWpaAuth, 0, 0x80).await;
-
-        let mut i = SsidInfo {
-            len: ssid.len() as _,
-            ssid: [0; 32],
-        };
-        i.ssid[..ssid.len()].copy_from_slice(ssid.as_bytes());
-
-        self.wait_for_join(i).await
-    }
-
-    /// Join a protected network with the provided ssid and passphrase.
-    pub async fn join_wpa2(&mut self, ssid: &str, passphrase: &str) -> Result<(), Error> {
-        let mut pfi = PassphraseInfo {
-            len: passphrase.len() as _,
-            flags: 1,
-            passphrase: [0; 64],
-        };
-        pfi.passphrase[..passphrase.len()].copy_from_slice(passphrase.as_bytes());
-        self.join_wpa2_passphrase_info(ssid, &pfi).await
-    }
-
-    /// Join a protected network with the provided ssid and precomputed PSK.
-    pub async fn join_wpa2_psk(&mut self, ssid: &str, psk: &[u8; 32]) -> Result<(), Error> {
-        let mut pfi = PassphraseInfo {
-            len: psk.len() as _,
-            flags: 0,
-            passphrase: [0; 64],
-        };
-        pfi.passphrase[..psk.len()].copy_from_slice(psk);
-        self.join_wpa2_passphrase_info(ssid, &pfi).await
-    }
-
    async fn wait_for_join(&mut self, i: SsidInfo) -> Result<(), Error> {
        self.events.mask.enable(&[Event::SET_SSID, Event::AUTH]);
        let mut subscriber = self.events.queue.subscriber().unwrap();
@ -477,7 +559,7 @@ impl<'a> Control<'a> {
    }

    async fn set_iovar(&mut self, name: &str, val: &[u8]) {
-        self.set_iovar_v::<64>(name, val).await
+        self.set_iovar_v::<196>(name, val).await
    }

    async fn set_iovar_v<const BUFSIZE: usize>(&mut self, name: &str, val: &[u8]) {
--- a/cyw43/src/lib.rs
+++ b/cyw43/src/lib.rs
@ -28,7 +28,9 @@ use ioctl::IoctlState;

 use crate::bus::Bus;
 pub use crate::bus::SpiBusCyw43;
-pub use crate::control::{AddMulticastAddressError, Control, Error as ControlError, ScanOptions, Scanner};
+pub use crate::control::{
+    AddMulticastAddressError, Control, Error as ControlError, JoinAuth, JoinOptions, ScanOptions, Scanner,
+};
 pub use crate::runner::Runner;
 pub use crate::structs::BssInfo;

--- a/cyw43/src/structs.rs
+++ b/cyw43/src/structs.rs
@ -394,6 +394,15 @@ pub struct PassphraseInfo {
 }
 impl_bytes!(PassphraseInfo);

+#[derive(Clone, Copy)]
+#[cfg_attr(feature = "defmt", derive(defmt::Format))]
+#[repr(C)]
+pub struct SaePassphraseInfo {
+    pub len: u16,
+    pub passphrase: [u8; 128],
+}
+impl_bytes!(SaePassphraseInfo);
+
 #[derive(Clone, Copy)]
 #[cfg_attr(feature = "defmt", derive(defmt::Format))]
 #[repr(C)]
--- a/examples/rp/src/bin/wifi_tcp_server.rs
+++ b/examples/rp/src/bin/wifi_tcp_server.rs
@ -7,6 +7,7 @@

 use core::str::from_utf8;

+use cyw43::JoinOptions;
 use cyw43_pio::PioSpi;
 use defmt::*;
 use embassy_executor::Spawner;
@ -95,8 +96,10 @@ async fn main(spawner: Spawner) {
    unwrap!(spawner.spawn(net_task(stack)));

    loop {
-        //control.join_open(WIFI_NETWORK).await;
-        match control.join_wpa2(WIFI_NETWORK, WIFI_PASSWORD).await {
+        match control
+            .join(WIFI_NETWORK, JoinOptions::new(WIFI_PASSWORD.as_bytes()))
+            .await
+        {
            Ok(_) => break,
            Err(err) => {
                info!("join failed with status={}", err.status);
--- a/examples/rp/src/bin/wifi_webrequest.rs
+++ b/examples/rp/src/bin/wifi_webrequest.rs
@ -7,6 +7,7 @@

 use core::str::from_utf8;

+use cyw43::JoinOptions;
 use cyw43_pio::PioSpi;
 use defmt::*;
 use embassy_executor::Spawner;
@ -98,8 +99,10 @@ async fn main(spawner: Spawner) {
    unwrap!(spawner.spawn(net_task(stack)));

    loop {
-        //match control.join_open(WIFI_NETWORK).await { // for open networks
-        match control.join_wpa2(WIFI_NETWORK, WIFI_PASSWORD).await {
+        match control
+            .join(WIFI_NETWORK, JoinOptions::new(WIFI_PASSWORD.as_bytes()))
+            .await
+        {
            Ok(_) => break,
            Err(err) => {
                info!("join failed with status={}", err.status);
--- a/tests/rp/src/bin/cyw43-perf.rs
+++ b/tests/rp/src/bin/cyw43-perf.rs
@ -2,6 +2,7 @@
 #![no_main]
 teleprobe_meta::target!(b"rpi-pico");

+use cyw43::JoinOptions;
 use cyw43_pio::PioSpi;
 use defmt::{panic, *};
 use embassy_executor::Spawner;
@ -81,7 +82,10 @@ async fn main(spawner: Spawner) {
    unwrap!(spawner.spawn(net_task(stack)));

    loop {
-        match control.join_wpa2(WIFI_NETWORK, WIFI_PASSWORD).await {
+        match control
+            .join(WIFI_NETWORK, JoinOptions::new(WIFI_PASSWORD.as_bytes()))
+            .await
+        {
            Ok(_) => break,
            Err(err) => {
                panic!("join failed with status={}", err.status);