Enterprise Security Middleware Library

Overview

This library enables Infineon's best-in-class Wi-Fi enabled PSoC™ 6 devices to connect to enterprise Wi-Fi networks. It implements a collection of the Extensible Authentication Protocol (EAP) methods most commonly used in enterprise networks.

Features

This library supports the following enterprise security Wi-Fi features:

  • Supports the following EAP security protocols:
    • EAP-TLS
    • PEAPv0 with MSCHAPv2
    • EAP-TTLS with EAP-MSCHAPv2 (Phase 2 tunnel authentication supports only EAP methods)
  • Supports TLS session (session ID based) resumption
  • Supports 'PEAP Fast reconnect' (applicable only for PEAP protocol)
  • Supports roaming across APs in the enterprise network (vanilla roaming)
  • Supports TLS versions 1.0, 1.1, and 1.2

Note: Deviations for ThreadX:

  • Does not support TLS session resumption.
  • Supports TLS 1.3 in addition to TLS 1.0, 1.1, and 1.2. Only ECDSA keys and certificates are supported with TLS 1.3.

Supported Enterprise Security Modes

  • WPA
  • WPA2
  • WPA3 Transition
  • WPA3 Enterprise only
  • WPA3 192Bit

Note: WPA3 Enterprise Modes are supported for ThreadX only.

Supported Frameworks

This library supports the following frameworks:

  • ModusToolbox™ environment: In this environment the Enterprise Security library uses the abstraction-rtos library that provides the RTOS abstraction API and the wcm library for network functions.

Supported Platforms

ModusToolbox™

Dependencies

This section provides the list of dependent libraries required for this middleware library to work:

ModusToolbox™

RADIUS Servers

This library has been verified with enterprise Wi-Fi networks configured using the following RADIUS server(s):

  • FreeRadius 3.0.15

Quick Start

This library is supported in the ModusToolbox™ environment. The Enterprise Security library supports two combinations: "FreeRTOS, lwIP, Mbed TLS" and "ThreadX, NetX Duo, NetX Secure". The sections below describe how to build the library with each combination.

FreeRTOS, lwIP, and Mbed TLS

  • To use the enterprise-security library on Wi-Fi kits with the FreeRTOS, lwIP, and Mbed TLS combination, the application should pull the wifi-core-freertos-lwip-mbedtls library, which internally pulls all dependent modules. To pull wifi-core-freertos-lwip-mbedtls, create the following .mtb file in the deps folder.

    • wifi-core-freertos-lwip-mbedtls.mtb: https://github.com/Infineon/wifi-core-freertos-lwip-mbedtls#latest-v1.X#$$ASSET_REPO$$/wifi-core-freertos-lwip-mbedtls/latest-v1.X
  • A set of pre-defined configuration files for FreeRTOS, lwIP, and Mbed TLS combination is bundled in wifi-core-freertos-lwip-mbedtls library for Wi-Fi kits. The developer is expected to review the configuration and make adjustments.

  1. Make the following changes to the default Mbed TLS configuration in mbedtls_user_config.h:

    • Enable the following flags: MBEDTLS_DES_C, MBEDTLS_MD4_C, MBEDTLS_MD5_C, MBEDTLS_SHA1_C, MBEDTLS_SSL_PROTO_TLS1, MBEDTLS_SSL_PROTO_TLS1_1, and MBEDTLS_SSL_EXPORT_KEYS
    • Disable the following flags: MBEDTLS_POLY1305_C, MBEDTLS_CHACHAPOLY_C, and MBEDTLS_CHACHA20_C
  2. Define the following COMPONENTS in the application's Makefile for the Enterprise Security library:

      COMPONENTS=FREERTOS PSOC6HAL MBEDTLS LWIP WCM
  3. By default, the macro MBEDTLS_HAVE_TIME_DATE is undefined in mbedtls_user_config.h. If the application needs to perform time and date validation on the certificate, enable the MBEDTLS_HAVE_TIME_DATE flag in mbedtls_user_config.h.
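
One way to check the flag changes above, and the MBEDTLS_HAVE_TIME_DATE default, before building. This is an added example, not part of the library: the script reports every flag whose final #define/#undef state in mbedtls_user_config.h differs from the lists above. The function names and the sample config are constructed for illustration, and the script assumes plain directives outside #if blocks.

```shell
# Added example (not the library's code): audit mbedtls_user_config.h flags.
REQUIRED_ON="MBEDTLS_DES_C MBEDTLS_MD4_C MBEDTLS_MD5_C MBEDTLS_SHA1_C \
MBEDTLS_SSL_PROTO_TLS1 MBEDTLS_SSL_PROTO_TLS1_1 MBEDTLS_SSL_EXPORT_KEYS"
REQUIRED_OFF="MBEDTLS_POLY1305_C MBEDTLS_CHACHAPOLY_C MBEDTLS_CHACHA20_C"

# flag_state FILE FLAG: prints "on" or "off" from the last active #define/#undef.
# Lines that start with // or /* never match, so commented-out flags count as off.
flag_state() {
    awk -v flag="$2" '
        { sub(/\r$/, "") }                        # tolerate CRLF line endings
        $0 ~ "^[ \t]*#[ \t]*define[ \t]+" flag "([ \t]|$)" { state = "on" }
        $0 ~ "^[ \t]*#[ \t]*undef[ \t]+" flag "([ \t]|$)"  { state = "off" }
        END { print (state == "" ? "off" : state) }
    ' "$1"
}

# audit_config FILE: prints one line per deviation, returns 1 if any is found.
audit_config() {
    rc=0
    for f in $REQUIRED_ON; do
        [ "$(flag_state "$1" "$f")" = on ] || { echo "MISSING $f"; rc=1; }
    done
    for f in $REQUIRED_OFF; do
        [ "$(flag_state "$1" "$f")" = off ] || { echo "ENABLED $f"; rc=1; }
    done
    # Informational only: this flag decides whether certificate dates are checked.
    [ "$(flag_state "$1" MBEDTLS_HAVE_TIME_DATE)" = on ] ||
        echo "NOTE MBEDTLS_HAVE_TIME_DATE off: certificate dates not validated"
    return $rc
}

# Constructed sample config (not the file shipped with the library).
write_sample() {
    cat > "$1" <<'EOF'
#define MBEDTLS_DES_C
#define MBEDTLS_MD4_C
#define MBEDTLS_MD5_C
#define MBEDTLS_SHA1_C
//#define MBEDTLS_SSL_PROTO_TLS1
#define MBEDTLS_SSL_PROTO_TLS1_1
#define MBEDTLS_SSL_EXPORT_KEYS
#undef MBEDTLS_POLY1305_C
#define MBEDTLS_CHACHAPOLY_C
#undef MBEDTLS_CHACHA20_C
EOF
}

cfg=${1:-}; [ -n "$cfg" ] || { cfg=$(mktemp); write_sample "$cfg"; }
audit_config "$cfg" || true
```

Pass the path to the application's mbedtls_user_config.h as the first argument; without one, the script audits the constructed sample.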

ThreadX, NetX Duo, and NetX Secure

  • To use the enterprise-security library with Wi-Fi kits on the ThreadX, NetX Duo, and NetX Secure combination, the application should pull the wifi-core-threadx-netxduo-netxsecure library, which internally pulls all dependent modules except nx-secure-wpa3.

    • To pull wifi-core-threadx-netxduo-netxsecure, create the following .mtb file in the deps folder. wifi-core-threadx-netxduo-netxsecure.mtb: mtb://wifi-core-threadx-netxduo-netxsecure#latest-v1.X#$$ASSET_REPO$$/wifi-core-threadx-netxduo-netxsecure/latest-v1.X

    • To pull nx-secure-wpa3, create the following .mtb file in the deps folder. nx-secure-wpa3.mtb: mtb://nx-secure-wpa3#latest-v1.X#$$ASSET_REPO$$/nx-secure-wpa3/latest-v1.X

  • A set of pre-defined configuration files is bundled in wifi-core-threadx-netxduo-netxsecure library for Wi-Fi kits. The developer is expected to review the configuration and make adjustments.

    1. Define the following COMPONENTS in the application's Makefile for the Enterprise Security library.
    COMPONENTS=THREADX NETXDUO NETXSECURE NETXSECURE_WPA3
    DISABLE_COMPONENTS+=NETXSECURE_ROM
    

Logging

The Enterprise Security library disables all debug log messages by default. To enable log messages, the application must do the following:

  • Add the ENABLE_ENTERPRISE_SECURITY_LOGS macro to DEFINES in the application's Makefile. The Makefile entry looks as follows:
      DEFINES+=ENABLE_ENTERPRISE_SECURITY_LOGS
    
  • Call the cy_log_init() function provided by the cy-log module. cy-log is part of the connectivity-utilities library. See the connectivity-utilities library API documentation for cy-log details.

Additional Information