fix(wpa_supplicant): Add bugfixes related to ciphersuites in wifi ent…

…erprise

- Avoid downgrading TLS ciphersuites when client RSA keys are larger than RSA-2048 bit.
- Note that when using bigger certificates on low-power chips without crypto
  hardware acceleration, it is recommended to adjust the task watchdog timer (TWDT)
  if it is enabled. For precise information on timing requirements, you can check
  performance numbers at https://github.com/espressif/mbedtls/wiki/Performance-Numbers.

components/esp_wifi/Kconfig

@@ -643,6 +643,11 @@ menu "Wi-Fi"
                 disabling this will reduce binary size.
                 disabling this will disable the use of any esp_wifi_sta_wpa2_ent_* (as APIs will be meaningless)
 
+                Note that when using bigger certificates on low-power chips without crypto
+                hardware acceleration, it is recommended to adjust the task watchdog timer (TWDT)
+                if it is enabled. For precise information on timing requirements, you can check
+                performance numbers at https://github.com/espressif/mbedtls/wiki/Performance-Numbers.
+
         config ESP_WIFI_ENT_FREE_DYNAMIC_BUFFER
             bool "Free dynamic buffers during WiFi enterprise connection"
             depends on ESP_WIFI_ENTERPRISE_SUPPORT

components/wpa_supplicant/esp_supplicant/src/crypto/tls_mbedtls.c

@@ -404,132 +404,6 @@ static int tls_disable_key_usages(void *data, mbedtls_x509_crt *cert, int depth,
 }
 #endif /*CONFIG_ESP_WIFI_DISABLE_KEY_USAGE_CHECK*/
 
-#if defined(CONFIG_ESP_WIFI_EAP_TLS1_3)
-#define TLS1_3_CIPHER_SUITES 				\
-	MBEDTLS_TLS1_3_CHACHA20_POLY1305_SHA256,	\
-	MBEDTLS_TLS1_3_AES_256_GCM_SHA384,		\
-	MBEDTLS_TLS1_3_AES_128_GCM_SHA256,		\
-	MBEDTLS_TLS1_3_AES_128_CCM_8_SHA256,		\
-	MBEDTLS_TLS1_3_AES_128_CCM_SHA256
-#endif /* CONFIG_ESP_WIFI_EAP_TLS1_3 */
-
-static const int eap_ciphersuite_preference[] =
-{
-#if defined(CONFIG_ESP_WIFI_EAP_TLS1_3)
-	TLS1_3_CIPHER_SUITES,
-#endif /* CONFIG_ESP_WIFI_EAP_TLS1_3 */
-#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
-#if defined(MBEDTLS_CCM_C)
-	MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CCM,
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_CBC)
-	MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
-	MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_CBC)
-	MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
-	MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
-#endif
-
-#if defined(MBEDTLS_GCM_C)
-	MBEDTLS_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
-#endif
-#if defined(MBEDTLS_CCM_C)
-	MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CCM,
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_CBC)
-	MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
-	MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
-#endif
-#if defined(MBEDTLS_CCM_C)
-	MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CCM_8,
-#endif
-#endif
-#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
-	MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CCM,
-	MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA,
-	MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CCM_8,
-
-	MBEDTLS_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256,
-	MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CCM,
-	MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256,
-	MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CCM_8,
-#endif
-#if defined(MBEDTLS_CCM_C)
-	MBEDTLS_TLS_RSA_WITH_AES_256_CCM,
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_CBC)
-	MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256,
-	MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA,
-#endif
-#if defined(MBEDTLS_CCM_C)
-	MBEDTLS_TLS_RSA_WITH_AES_256_CCM_8,
-#endif
-
-#if defined(MBEDTLS_GCM_C)
-	MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256,
-#endif
-#if defined(MBEDTLS_CCM_C)
-	MBEDTLS_TLS_RSA_WITH_AES_128_CCM,
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_CBC)
-	MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA256,
-	MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA,
-#endif
-#if defined(MBEDTLS_GCM_C)
-	MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_CBC)
-	MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,
-	MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
-#endif
-#if defined(MBEDTLS_GCM_C)
-	MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_CBC)
-	MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
-	MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
-#endif
-#if defined(MBEDTLS_CCM_C)
-	MBEDTLS_TLS_RSA_WITH_AES_128_CCM_8,
-#endif
-
-#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
-#if defined(MBEDTLS_GCM_C)
-	MBEDTLS_TLS_RSA_PSK_WITH_AES_128_GCM_SHA256,
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_CBC)
-	MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA256,
-	MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA,
-#endif
-	/* The PSK suites */
-#if defined(MBEDTLS_CCM_C)
-	MBEDTLS_TLS_PSK_WITH_AES_256_CCM,
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_CBC)
-	MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA,
-#endif
-#if defined(MBEDTLS_CCM_C)
-	MBEDTLS_TLS_PSK_WITH_AES_256_CCM_8,
-#endif
-
-#if defined(MBEDTLS_GCM_C)
-	MBEDTLS_TLS_PSK_WITH_AES_128_GCM_SHA256,
-#endif
-#if defined(MBEDTLS_CCM_C)
-	MBEDTLS_TLS_PSK_WITH_AES_128_CCM,
-#endif
-#if defined(MBEDTLS_CIPHER_MODE_CBC)
-	MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA256,
-	MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA,
-#endif
-#if defined(MBEDTLS_CCM_C)
-	MBEDTLS_TLS_PSK_WITH_AES_128_CCM_8,
-#endif
-#endif
-	0
-};
-
 #ifdef CONFIG_SUITEB192
 static const int suiteb_rsa_ciphersuite_preference[] =
 {
@@ -594,23 +468,12 @@ static void tls_set_ciphersuite(const struct tls_connection_params *cfg, tls_con
 		}
 	} else
 #endif
-#ifdef CONFIG_TLSV13
-	/* Enable TLS1.3 ciphers if TLS1.3 is enabled */
-	mbedtls_ssl_conf_ciphersuites(&tls->conf, eap_ciphersuite_preference);
-#else
 	/* Set cipher suites if User has explicitly set those
 	 * TODO: public API to set EAP ciphers */
 	if (tls->ciphersuite[0]) {
 		mbedtls_ssl_conf_ciphersuites(&tls->conf, tls->ciphersuite);
-	} else if (mbedtls_pk_get_bitlen(&tls->clientkey) > 2048 ||
-		(tls->cacert_ptr && mbedtls_pk_get_bitlen(&tls->cacert_ptr->pk) > 2048)) {
-		/* Incase of big RSA keylen, ESP chips do not have sufficient processing
-		 * power to use high computation ciphers. This code will limit the ciphers
-		 * to less computational ones */
-		mbedtls_ssl_conf_ciphersuites(&tls->conf, eap_ciphersuite_preference);
 	}
 
-#endif /* CONFIG_TLSV13 */
 }
 
 static int set_client_config(const struct tls_connection_params *cfg, tls_context_t *tls)

examples/wifi/wifi_enterprise/README.md

@@ -10,6 +10,9 @@
 
 **WPA3 Enterprise(192 bit)**: WPA3 Enterprise + AES256 Keys(GCMP256/CCMP256) + BIP256 + RSA3096/EC certs + NSA SuiteB ciphers in EAP authentication.
 
+*Note:* 
+Note that when using bigger certificates on low-power chips without crypto hardware acceleration, it is recommended to adjust the task watchdog timer (TWDT) if it is enabled. For precise information on timing requirements, you can check performance numbers at https://github.com/espressif/mbedtls/wiki/Performance-Numbers.
+
 # WiFi Enterprise Example
 
 This example shows how ESP32 connects to AP with Wi-Fi enterprise encryption. The example does the following steps: