[TW#26175] wifi: wpa2_enterprise: DES-CBC3-SHA is incorrectly presented as supported cipher suite

[ghost]

Environment

• Development Kit: [none]
• Kit version (for WroverKit/PicoKit/DevKitC): [-]
• Core (if using chip or module): [ESP32]
• IDF version (git rev-parse --short HEAD to get the commit id.): 599da58
• Development Env: [Make]
• Operating System: [Ubuntu]
• Power Supply: [external 5V]

Problem Description

When connecting to an wpa2 enterprise network ESP32 claim support for cipher suites that are not really supoorted. During EAP handshake ESP32 presents its list of supported cipher suites in the client hello eap message. Currently the list of (claimed) supported ciphers looks like this:

Cipher Suites (7 suites)
    Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
    Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
    Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
    Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
    Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
    Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
    Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)

Connecting to networks using TLS_RSA_WITH_3DES_EDE_CBC_SHA ciphers however does not work. Looking at ESP-IDF sources it appears this non-support is intentional.

3DES initialization is removed at compile time for both HW and SW crypto implementations (function crypto_cipher_init in fast_crypto_internal-cipher.c and crypto_internal-cipher.c). The relevant code is protected by #ifdef CONFIG_DES3 which is not set. As code won't build if CONFIG_DES3 is set I suppose the non-support is intentional.

Either way to avoid interop problems ESP32 shall not present cipher suites that it cannot handle.

Expected Behavior

1. Connect to an enterprise network that only supports TLS_RSA_WITH_3DES_EDE_CBC_SHA and some weaker ciphers.
2. During EAP handshake ESP32 shall not present TLS_RSA_WITH_3DES_EDE_CBC_SHA as a supported cipher.
3. Network selects a cipher supported by both STA and AP
4. Successful EAP and 4-way handshake
5. Wifi successfully connects.

Actual Behavior

1. Connect to an enterprise network that only supports TLS_RSA_WITH_3DES_EDE_CBC_SHA and some weaker ciphers.
2. During ESP handshake ESP presents TLS_RSA_WITH_3DES_EDE_CBC_SHA as a supported cipher.
3. Network selects TLS_RSA_WITH_3DES_EDE_CBC_SHA cipher as others are weaker.
4. ESP32 does not really support selected cipher so ESP handshake fails
5. Wifi connection cannot be established.

Steps to reproduce

1. Setup an enterprise test network with hostapd
2. Configure network to only allow cipher suite TLS_RSA_WITH_3DES_EDE_CBC_SHA and the weaker cipher TLS_RSA_WITH_RC4_128_MD5. i.e. hostapd.conf option 'openssl_ciphers=DES-CBC3-SHA:RC4-MD5'
3. Connect to network
4. Notice connect failure

Code to reproduce this issue

Use the esp-idf wpa2_enterprise example code to connect to test network

Debug Logs

Relevant ESP32 logs:

I (635) wifi: mode : sta (30:ae:a4:22:6a:1c)
D (635) event: SYSTEM_EVENT_STA_START
V (635) event: enter default callback
V (645) tcpip_adapter: check: local, if=0 fn=0x400e5090
0x400e5090: tcpip_adapter_start_api at esp-idf/components/tcpip_adapter/tcpip_adapter_lwip.c:1082


V (645) tcpip_adapter: call api in lwip: ret=0x0, give sem
V (655) tcpip_adapter: check: remote, if=0 fn=0x400e5090
0x400e5090: tcpip_adapter_start_api at esp-idf/components/tcpip_adapter/tcpip_adapter_lwip.c:1082


V (655) event: exit default callback
I (3075) wifi: n:3 0, o:1 0, ap:255 255, sta:3 0, prof:1
I (4055) wifi: state: init -> auth (b0)
I (4055) wifi: state: auth -> assoc (0)
I (4065) wifi: state: assoc -> run (10)
I (4065) wpa: wpa2_task prio:2, stack:6656

I (4075) wpa: EAP-TLS: Private key not configured
E (4075) wpa: Method private structure allocated failure

D (4075) wpa: TLS: using phase1 config options
D (4075) wpa: SSL: Received packet(len=6) - Flags 0x21
D (4085) wpa: EAP-PEAP: Start (server ver=1, own ver=1)
D (4085) wpa: EAP-PEAP: Using PEAP version 1
D (4095) wpa: TLSv1: Send ClientHello
D (4095) wpa: SSL: 62 bytes left to be sent out (of total 62 bytes)
D (4115) wpa: SSL: Received packet(len=1215) - Flags 0x01
D (4115) wpa: TLSv1: Received content type 22 version 3.1 length 42
D (4115) wpa: TLSv1: Received ServerHello
D (4125) wpa: TLSv1: Using TLS v1.0
D (4125) wpa: TLSv1: Selected cipher suite: 0x000a
D (4135) wpa: TLSv1: Received content type 22 version 3.1 length 1148
D (4135) wpa: TLSv1: Received Certificate (certificate_list len 1144)
D (4145) wpa: TLSv1: Certificate 0 (len 1138)
D (4145) wpa: X509: Version X.509v3
D (4155) wpa: X509: serialNumber 4
D (4155) wpa: X509: issuer CN=WiFi-Intermediate-CA-srv
D (4155) wpa: X509: Validity: notBefore: 0 notAfter: 0
D (4165) wpa: X509: subject CN=wifi-server
D (4165) wpa: X509: Extension: extnID=2.5.29.35 critical=0
D (4175) wpa: X509: Extension: extnID=2.16.840.1.113730.1.4 critical=0
D (4185) wpa: X509: Extension: extnID=2.5.29.31 critical=0
D (4185) wpa: X509: Extension: extnID=1.3.6.1.5.5.7.1.1 critical=0
D (4195) wpa: X509: Extension: extnID=2.5.29.18 critical=0
D (4195) wpa: X509: IssuerAltName
D (4205) wpa: X509: Extension: extnID=2.5.29.17 critical=0
D (4205) wpa: X509: SubjectAltName
D (4215) wpa: X509: Extension: extnID=2.5.29.15 critical=0
D (4215) wpa: X509: KeyUsage 0x5
D (4215) wpa: X509: Extension: extnID=2.5.29.37 critical=0
D (4225) wpa: X509: Extension: extnID=2.5.29.14 critical=0
D (4235) wpa: X509: Version X.509v3
D (4235) wpa: X509: serialNumber 4
D (4235) wpa: X509: issuer CN=WiFi-Intermediate-CA-srv
D (4245) wpa: X509: Validity: notBefore: 0 notAfter: 0
D (4245) wpa: X509: subject CN=wifi-server
D (4255) wpa: X509: Extension: extnID=2.5.29.35 critical=0
D (4255) wpa: X509: Extension: extnID=2.16.840.1.113730.1.4 critical=0
D (4265) wpa: X509: Extension: extnID=2.5.29.31 critical=0
D (4265) wpa: X509: Extension: extnID=1.3.6.1.5.5.7.1.1 critical=0
D (4275) wpa: X509: Extension: extnID=2.5.29.18 critical=0
D (4285) wpa: X509: IssuerAltName
D (4285) wpa: X509: Extension: extnID=2.5.29.17 critical=0
D (4295) wpa: X509: SubjectAltName
D (4295) wpa: X509: Extension: extnID=2.5.29.15 critical=0
D (4295) wpa: X509: KeyUsage 0x5
D (4305) wpa: X509: Extension: extnID=2.5.29.37 critical=0
D (4305) wpa: X509: Extension: extnID=2.5.29.14 critical=0
D (4315) wpa: X509: Validate certificate chain
D (4315) wpa: X509: 0: CN=wifi-server
D (4325) wpa: X509: Did not find any of the issuers from the list of trusted certificates
D (4335) wpa: X509: Certificate chain validation disabled - ignore unknown CA issue
D (4335) wpa: X509: Certificate chain valid
D (4345) wpa: TLSv1: Received content type 22 version 3.1 length 4
D (4345) wpa: TLSv1: Received ServerHelloDone
D (4355) wpa: TLSv1: Send ClientKeyExchange
D (4565) wpa: TLSv1: Send ChangeCipherSpec
D (4565) wpa: TLSv1: Record Layer - New write cipher suite 0x000a
D (4565) wpa: TLSv1: Failed to initialize cipher
D (4565) wpa: TLSv1: Failed to set write cipher for record layer
D (4575) wpa: TLSv1: Send Alert(2:80)
D (4575) wpa: SSL: 7 bytes left to be sent out (of total 7 bytes)
I (4585) wpa: >>>>>wpa2 FAILED

D (4585) wpa: TLSv1: Selected cipher suite: 0x0000
D (4595) wpa: TLSv1: Record Layer - New write cipher suite 0x0000
D (4595) wpa: TLSv1: Record Layer - New read cipher suite 0x0000 

I (4605) wifi: state: run -> init (17c0)
I (4605) wifi: n:3 0, o:3 0, ap:255 255, sta:3 0, prof:1
D (4615) event: SYSTEM_EVENT_STA_DISCONNECTED, ssid:Kanstrup, ssid_len:8, bssid:xx:xx:xx:xx:xx:xx, reason:23
V (4625) event: enter default callback
V (4625) tcpip_adapter: check: local, if=0 fn=0x400e569c
0x400e569c: tcpip_adapter_down_api at esp-idf/components/tcpip_adapter/tcpip_adapter_lwip.c:1082


D (4635) tcpip_adapter: if0 start ip lost tmr: enter
D (4635) tcpip_adapter: if0 start ip lost tmr: no need start because netif=0x3ffc670c interval=120 ip=0
I (4645) example: ~~~~~~~~~~~
V (4645) tcpip_adapter: call api in lwip: ret=0x0, give sem
I (4655) example: IP:0.0.0.0
V (4655) tcpip_adapter: check: remote, if=0 fn=0x400e569c
0x400e569c: tcpip_adapter_down_api at esp-idf/components/tcpip_adapter/tcpip_adapter_lwip.c:1082

Relevant hostapd logs:

Configuration file: peap-mschapv2.conf
Using interface wlan0 with hwaddr xx:xx:xx:xx:xx:xx and ssid "Kanstrup"
wlan0: interface state UNINITIALIZED->ENABLED
wlan0: AP-ENABLED 
wlan0: STA 30:ae:a4:22:6a:1c IEEE 802.11: authenticated
wlan0: STA 30:ae:a4:22:6a:1c IEEE 802.11: associated (aid 1)
wlan0: CTRL-EVENT-EAP-STARTED 30:ae:a4:22:6a:1c
wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=1
wlan0: CTRL-EVENT-EAP-STARTED 30:ae:a4:22:6a:1c
wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=1
wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13
wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
SSL: SSL3 alert: read (remote end reported an error):fatal:internal error
OpenSSL: openssl_handshake - SSL_connect error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error
wlan0: CTRL-EVENT-EAP-FAILURE 30:ae:a4:22:6a:1c
wlan0: STA 30:ae:a4:22:6a:1c IEEE 802.1X: authentication failed - EAP type: 0 (unknown)
wlan0: STA 30:ae:a4:22:6a:1c IEEE 802.1X: Supplicant used different EAP type: 25 (PEAP)

[ghost]

Removing TLS_RSA_WITH_3DES_EDE_CBC_SHA from function tlsv1_client_init in tlsv1_client.c solves this problem.

@@ -463,7 +463,6 @@ struct tlsv1_client * tlsv1_client_init(void)
        suites[count++] = TLS_RSA_WITH_AES_256_CBC_SHA;
        suites[count++] = TLS_RSA_WITH_AES_128_CBC_SHA256;
        suites[count++] = TLS_RSA_WITH_AES_128_CBC_SHA;
-       suites[count++] = TLS_RSA_WITH_3DES_EDE_CBC_SHA;
        suites[count++] = TLS_RSA_WITH_RC4_128_SHA;
        suites[count++] = TLS_RSA_WITH_RC4_128_MD5;
        conn->num_cipher_suites = count;

[negativekelvin]

Good find and this array should probably be dynamically generated based on the configured cypher suites in mbedtls, not hardcoded