The Enterprise Security library provides the capability for Infineon's best-in-class Wi-Fi enabled PSoC™ 6 devices to connect to enterprise Wi-Fi networks. It implements a collection of the Extensible Authentication Protocol (EAP) methods most commonly used in enterprise networks. The library is an embedded variant of a Wi-Fi supplicant (minimal feature set) that runs on an RTOS and securely joins enterprise security (802.1X) networks using various EAP authentication methods.
Features and Functionality
- Supports the following EAP security protocols:
  - EAP-TLS
  - PEAPv0 with MSCHAPv2
  - EAP-TTLS with EAP-MSCHAPv2 (Phase 2 tunnel authentication supports only EAP methods)
- Supports TLS session (session ID based) resumption
- Supports 'PEAP Fast reconnect' (applicable only for the PEAP protocol)
- Supports roaming across APs in the enterprise network (vanilla roaming)
- Supports TLS versions 1.0, 1.1, and 1.2
This library provides application developers with an easy-to-use, unified interface for quickly enabling enterprise security in their applications: a single interface to join and leave 802.1X networks using the different protocols.
Supported Frameworks
- ModusToolbox™ environment: In this environment, the Enterprise Security library uses the abstraction-rtos library, which provides the RTOS abstraction API, and the wcm library for network functions.
- Mbed framework: An Mbed OS-based solution. The Enterprise Security library uses the abstraction-rtos library for the RTOS abstraction API and the Mbed socket API for network functions.
Supported Platforms
ModusToolbox™
Mbed OS
Dependent Libraries
ModusToolbox™
Mbed OS
RADIUS Servers
This library has been verified with enterprise Wi-Fi networks configured using the following RADIUS server(s):
Quick Start
This library is supported on both the ModusToolbox™ and Mbed OS environments. The sections below describe how to build the library in each environment.
ModusToolbox™
A set of pre-defined configuration files for FreeRTOS, lwIP, and mbed TLS has been bundled with the wifi-mw-core library. Review the configuration and make the required adjustments. See the "Quick Start" section in README.md.
- Make the following changes to the default mbed TLS configuration in mbedtls_user_config.h:
  - Enable the following flags: MBEDTLS_DES_C, MBEDTLS_MD4_C, MBEDTLS_MD5_C, MBEDTLS_SHA1_C, MBEDTLS_SSL_PROTO_TLS1, MBEDTLS_SSL_PROTO_TLS1_1, and MBEDTLS_SSL_EXPORT_KEYS
  - Disable the following flags: MBEDTLS_POLY1305_C, MBEDTLS_CHACHAPOLY_C, and MBEDTLS_CHACHA20_C
- Define the following COMPONENTS in the application's Makefile for the Enterprise Security library: COMPONENTS=FREERTOS PSOC6HAL MBEDTLS LWIP WCM
- The Enterprise Security library disables all debug log messages by default. To enable log messages, the application must do the following:
  - Add the ENABLE_ENTERPRISE_SECURITY_LOGS macro to the DEFINES in the application's Makefile. The Makefile entry would look as follows: DEFINES+=ENABLE_ENTERPRISE_SECURITY_LOGS
  - Call the cy_log_init() function provided by the cy-log module. cy-log is part of the connectivity-utilities library; see that library's API documentation for cy-log details.
- By default, the MBEDTLS_HAVE_TIME_DATE macro is undefined in mbedtls_user_config.h. If the application wishes to perform time and date validation on the certificate, define the MBEDTLS_HAVE_TIME_DATE flag in mbedtls_user_config.h.
Mbed OS
- Add the .lib file(s) for the dependent libraries:
  - Create a folder named deps.
  - Create a file named mbed-os.lib and add the following line to this file:
  - Create a file named connectivity-utilities.lib and add the following line to this file:
  - Replace <commit-SHA-for-latest-release-v3.X> in the above line with the commit SHA of the 'latest-v3.X' tag available in the GitHub repository.
  - Example: For tag release-v3.0.1
- Add MBED and MBEDTLS to the components_add section in the application's JSON file. The JSON file entry would look as follows: "target.components_add": ["MBED", "MBEDTLS"]
- The Enterprise Security library disables all debug log messages by default. To enable log messages, the application must do the following:
  - Add the ENABLE_ENTERPRISE_SECURITY_LOGS macro to the macros section in the application's JSON file. The JSON file entry would look as follows: "macros": ["ENABLE_ENTERPRISE_SECURITY_LOGS"]
  - Call the cy_log_init() function provided by the cy-log module. cy-log is part of the connectivity-utilities library; see that library's API documentation for cy-log details.
- Add an mbed TLS user config file (for example, mbedtls_user_config.h) with the following changes to the default mbed TLS configuration:
  - Enable the following flags: MBEDTLS_DES_C, MBEDTLS_MD4_C, MBEDTLS_MD5_C, MBEDTLS_SHA1_C, MBEDTLS_SSL_PROTO_TLS1, MBEDTLS_SSL_PROTO_TLS1_1, and MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
  - Disable the following flags: MBEDTLS_POLY1305_C, MBEDTLS_CHACHAPOLY_C, and MBEDTLS_CHACHA20_C
- If the application wishes to perform time and date validation on the certificate, enable the MBEDTLS_HAVE_TIME_DATE flag in the mbed TLS user config file created in the step above.
- Provide the path to the mbed TLS user config file in the application's JSON file. The JSON file entry would look as follows: "macros": ["MBEDTLS_USER_CONFIG_FILE=\"mbedtls_user_config.h\""]
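The ModusToolbox™ and Mbed OS steps above describe the same mbed TLS user config. What follows is an added example of that file, not a file shipped with the library; it shows the ModusToolbox™ variant, and the comments note where the Mbed OS variant differs and what each flag is needed for.

```c
/* mbedtls_user_config.h (added example). Assumes mbed TLS includes this file
 * after its default config, so the #define / #undef lines below win. */

/* Enable. MD4 and DES implement the MSCHAPv2 challenge/response used by the
 * PEAP and EAP-TTLS phase 2; MD5 and SHA-1 are the PRF hashes of TLS 1.0/1.1,
 * which the supplicant supports alongside TLS 1.2. */
#define MBEDTLS_DES_C
#define MBEDTLS_MD4_C
#define MBEDTLS_MD5_C
#define MBEDTLS_SHA1_C
#define MBEDTLS_SSL_PROTO_TLS1
#define MBEDTLS_SSL_PROTO_TLS1_1

/* ModusToolbox build: key export lets the supplicant derive the Wi-Fi session
 * keys from the TLS master secret after the EAP handshake completes. */
#define MBEDTLS_SSL_EXPORT_KEYS
/* Mbed OS build: the Quick Start asks for this flag instead of the one above,
 * so RADIUS server certificates signed with SHA-1 are still accepted. */
/* #define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES */

/* Disable, as the Quick Start requires. */
#undef MBEDTLS_POLY1305_C
#undef MBEDTLS_CHACHAPOLY_C
#undef MBEDTLS_CHACHA20_C

/* Undefined by default. Without it mbed TLS skips the notBefore / notAfter
 * check, so an expired RADIUS server certificate still verifies. Define it
 * when the device has a reliable clock to check against. */
#define MBEDTLS_HAVE_TIME_DATE
```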
Code Snippets
This section provides code snippets for this library on the ModusToolbox™ and Mbed OS environments. The snippets under the ModusToolbox™ section use the C APIs, whereas the snippets under Mbed OS use the C++ class to demonstrate the library usage. In general, the library features are tested on Mbed OS using the C++ class interface and on ModusToolbox™ using the C APIs.
- ModusToolbox™ - Snippets for Enterprise Security join and leave with EAP-TLS, PEAP, and EAP-TTLS (C implementation).
- Mbed OS - Snippets for Enterprise Security join and leave with EAP-TLS, PEAP, and EAP-TTLS (C++ implementation).
ModusToolbox™
Code Snippet 1: Enterprise Security Join and Leave (EAP-TLS)
Creates an Enterprise Security instance and performs join and leave using cy_enterprise_security_join and cy_enterprise_security_leave APIs respectively with EAP-TLS.
#include <stdio.h>
#include <string.h>
#include "cy_enterprise_security.h"
#include "certificate.h"

#define RADIUS_SERVER_IDENTITY      "svtuser"
#define RADIUS_SERVER_PASSWORD      "hnd@123"
#define ENTERPRISE_SECURITY_NW_SSID "ENT_SEC_NW_2G"
#define APP_INFO( x )               printf x

cy_rslt_t ent_sec_join_leave_eap_tls()
{
    cy_rslt_t result = CY_RSLT_SUCCESS;
    cy_rslt_t delete_result;
    cy_enterprise_security_t handle = NULL;
    cy_enterprise_security_parameters_t ent_parameters;   /* type and enum names as declared in cy_enterprise_security.h */

    memset( &ent_parameters, 0, sizeof(ent_parameters) );

    /* EAP-TLS: the CA certificate verifies the RADIUS server; the client certificate and key authenticate this device. */
    ent_parameters.eap_type    = CY_ENTERPRISE_SECURITY_EAP_TYPE_TLS;
    ent_parameters.auth_type   = CY_ENTERPRISE_SECURITY_AUTH_TYPE_WPA2_AES;
    ent_parameters.ca_cert     = (char*) WIFI_ROOT_CERTIFICATE_STRING;
    ent_parameters.client_cert = (char*) WIFI_USER_CERTIFICATE_STRING;
    ent_parameters.client_key  = (char*) WIFI_USER_PRIVATE_KEY_STRING;
    memcpy( ent_parameters.ssid, (char *)ENTERPRISE_SECURITY_NW_SSID, strlen(ENTERPRISE_SECURITY_NW_SSID) + 1 );
    memcpy( ent_parameters.outer_eap_identity, (char *)RADIUS_SERVER_IDENTITY, strlen(RADIUS_SERVER_IDENTITY) + 1 );

    result = cy_enterprise_security_create( &handle, &ent_parameters );
    if( result != CY_RSLT_SUCCESS )
    {
        APP_INFO(("Failed to create Enterprise Security instance with error %u\n", (unsigned int)result));
        return CY_RSLT_ERROR;
    }

    result = cy_enterprise_security_join( handle );
    if( result == CY_RSLT_SUCCESS )
    {
        APP_INFO(("Joining an Enterprise Security network is successful.\n"));
    }
    else
    {
        APP_INFO(("Joining an Enterprise Security network failed with error %u\n", (unsigned int)result));
        goto cleanup;
    }

    result = cy_enterprise_security_leave( handle );
    if( result == CY_RSLT_SUCCESS )
    {
        APP_INFO(("Leaving an Enterprise Security network is successful.\n"));
    }
    else
    {
        APP_INFO(("Leaving an Enterprise Security network failed with error %u\n", (unsigned int)result));
        goto cleanup;
    }

cleanup:
    /* Always free the instance; keep the join/leave result so a failure there is not masked. */
    delete_result = cy_enterprise_security_delete( &handle );
    if( delete_result != CY_RSLT_SUCCESS )
    {
        APP_INFO(("Failed to delete Enterprise Security instance with error %u\n", (unsigned int)delete_result));
        return CY_RSLT_ERROR;
    }
    return result;
}
Code Snippet 2: Enterprise Security Join and Leave (PEAP)
Creates an Enterprise Security instance and performs join and leave using cy_enterprise_security_join and cy_enterprise_security_leave APIs respectively with PEAP.
#include <stdio.h>
#include <string.h>
#include "cy_enterprise_security.h"
#include "certificate.h"

#define RADIUS_SERVER_IDENTITY      "svtuser"
#define RADIUS_SERVER_PASSWORD      "hnd@123"
#define ENTERPRISE_SECURITY_NW_SSID "ENT_SEC_NW_2G"
#define APP_INFO( x )               printf x

cy_rslt_t ent_sec_join_leave_peap()
{
    cy_rslt_t result = CY_RSLT_SUCCESS;
    cy_rslt_t delete_result;
    cy_enterprise_security_t handle = NULL;
    cy_enterprise_security_parameters_t ent_parameters;   /* type and enum names as declared in cy_enterprise_security.h */

    memset( &ent_parameters, 0, sizeof(ent_parameters) );

    /* PEAPv0: the server is authenticated by its certificate; the client by MSCHAPv2 inside the TLS tunnel. */
    ent_parameters.eap_type    = CY_ENTERPRISE_SECURITY_EAP_TYPE_PEAP;
    ent_parameters.auth_type   = CY_ENTERPRISE_SECURITY_AUTH_TYPE_WPA2_AES;
    ent_parameters.ca_cert     = (char*) WIFI_ROOT_CERTIFICATE_STRING;
    ent_parameters.client_cert = (char*) WIFI_USER_CERTIFICATE_STRING;
    ent_parameters.client_key  = (char*) WIFI_USER_PRIVATE_KEY_STRING;
    memcpy( ent_parameters.ssid, (char *)ENTERPRISE_SECURITY_NW_SSID, strlen(ENTERPRISE_SECURITY_NW_SSID) + 1 );
    memcpy( ent_parameters.outer_eap_identity, (char *)RADIUS_SERVER_IDENTITY, strlen(RADIUS_SERVER_IDENTITY) + 1 );

    /* Phase 2 (tunnelled) credentials. */
    ent_parameters.phase2.tunnel_auth_type = CY_ENTERPRISE_SECURITY_TUNNEL_TYPE_EAP;
    ent_parameters.phase2.inner_eap_type   = CY_ENTERPRISE_SECURITY_EAP_TYPE_MSCHAPV2;
    memcpy( ent_parameters.phase2.inner_identity, (char *)RADIUS_SERVER_IDENTITY, strlen(RADIUS_SERVER_IDENTITY) + 1 );
    memcpy( ent_parameters.phase2.inner_password, (char *)RADIUS_SERVER_PASSWORD, strlen(RADIUS_SERVER_PASSWORD) + 1 );

    result = cy_enterprise_security_create( &handle, &ent_parameters );
    if( result != CY_RSLT_SUCCESS )
    {
        APP_INFO(("Failed to create Enterprise Security instance with error %u\n", (unsigned int)result));
        return CY_RSLT_ERROR;
    }

    result = cy_enterprise_security_join( handle );
    if( result == CY_RSLT_SUCCESS )
    {
        APP_INFO(("Joining an Enterprise Security network is successful.\n"));
    }
    else
    {
        APP_INFO(("Joining an Enterprise Security network failed with error %u\n", (unsigned int)result));
        goto cleanup;
    }

    result = cy_enterprise_security_leave( handle );
    if( result == CY_RSLT_SUCCESS )
    {
        APP_INFO(("Leaving an Enterprise Security network is successful.\n"));
    }
    else
    {
        APP_INFO(("Leaving an Enterprise Security network failed with error %u\n", (unsigned int)result));
        goto cleanup;
    }

cleanup:
    /* Always free the instance; keep the join/leave result so a failure there is not masked. */
    delete_result = cy_enterprise_security_delete( &handle );
    if( delete_result != CY_RSLT_SUCCESS )
    {
        APP_INFO(("Failed to delete Enterprise Security instance with error %u\n", (unsigned int)delete_result));
        return CY_RSLT_ERROR;
    }
    return result;
}
Code Snippet 3: Enterprise Security Join and Leave (EAP-TTLS)
Creates an Enterprise Security instance and performs join and leave using cy_enterprise_security_join and cy_enterprise_security_leave APIs respectively with EAP-TTLS.
#include <stdio.h>
#include <string.h>
#include "cy_enterprise_security.h"
#include "certificate.h"

#define RADIUS_SERVER_IDENTITY      "svtuser"
#define RADIUS_SERVER_PASSWORD      "hnd@123"
#define ENTERPRISE_SECURITY_NW_SSID "ENT_SEC_NW_2G"
#define APP_INFO( x )               printf x

cy_rslt_t ent_sec_join_leave_eap_ttls()
{
    cy_rslt_t result = CY_RSLT_SUCCESS;
    cy_rslt_t delete_result;
    cy_enterprise_security_t handle = NULL;
    cy_enterprise_security_parameters_t ent_parameters;   /* type and enum names as declared in cy_enterprise_security.h */

    memset( &ent_parameters, 0, sizeof(ent_parameters) );

    /* EAP-TTLS: server authenticated by certificate; EAP-MSCHAPv2 runs as the phase 2 method inside the tunnel. */
    ent_parameters.eap_type    = CY_ENTERPRISE_SECURITY_EAP_TYPE_TTLS;
    ent_parameters.auth_type   = CY_ENTERPRISE_SECURITY_AUTH_TYPE_WPA2_AES;
    ent_parameters.ca_cert     = (char*) WIFI_ROOT_CERTIFICATE_STRING;
    ent_parameters.client_cert = (char*) WIFI_USER_CERTIFICATE_STRING;
    ent_parameters.client_key  = (char*) WIFI_USER_PRIVATE_KEY_STRING;
    memcpy( ent_parameters.ssid, (char *)ENTERPRISE_SECURITY_NW_SSID, strlen(ENTERPRISE_SECURITY_NW_SSID) + 1 );
    memcpy( ent_parameters.outer_eap_identity, (char *)RADIUS_SERVER_IDENTITY, strlen(RADIUS_SERVER_IDENTITY) + 1 );

    /* Phase 2 (tunnelled) credentials; the library supports only EAP methods here. */
    ent_parameters.phase2.tunnel_auth_type = CY_ENTERPRISE_SECURITY_TUNNEL_TYPE_EAP;
    ent_parameters.phase2.inner_eap_type   = CY_ENTERPRISE_SECURITY_EAP_TYPE_MSCHAPV2;
    memcpy( ent_parameters.phase2.inner_identity, (char *)RADIUS_SERVER_IDENTITY, strlen(RADIUS_SERVER_IDENTITY) + 1 );
    memcpy( ent_parameters.phase2.inner_password, (char *)RADIUS_SERVER_PASSWORD, strlen(RADIUS_SERVER_PASSWORD) + 1 );

    result = cy_enterprise_security_create( &handle, &ent_parameters );
    if( result != CY_RSLT_SUCCESS )
    {
        APP_INFO(("Failed to create Enterprise Security instance with error %u\n", (unsigned int)result));
        return CY_RSLT_ERROR;
    }

    result = cy_enterprise_security_join( handle );
    if( result == CY_RSLT_SUCCESS )
    {
        APP_INFO(("Joining an Enterprise Security network is successful.\n"));
    }
    else
    {
        APP_INFO(("Joining an Enterprise Security network failed with error %u\n", (unsigned int)result));
        goto cleanup;
    }

    result = cy_enterprise_security_leave( handle );
    if( result == CY_RSLT_SUCCESS )
    {
        APP_INFO(("Leaving an Enterprise Security network is successful.\n"));
    }
    else
    {
        APP_INFO(("Leaving an Enterprise Security network failed with error %u\n", (unsigned int)result));
        goto cleanup;
    }

cleanup:
    /* Always free the instance; keep the join/leave result so a failure there is not masked. */
    delete_result = cy_enterprise_security_delete( &handle );
    if( delete_result != CY_RSLT_SUCCESS )
    {
        APP_INFO(("Failed to delete Enterprise Security instance with error %u\n", (unsigned int)delete_result));
        return CY_RSLT_ERROR;
    }
    return result;
}
Mbed OS
Code Snippet 1: Enterprise Security Join and Leave (EAP-TLS)
Creates an EnterpriseSecurity instance and performs join and leave using the class methods with EAP-TLS.
#include <stdio.h>
#include <string.h>
#include "mbed.h"
#include "cy_enterprise_security.hpp"
#include "certificate.h"

#define RADIUS_SERVER_IDENTITY      "svtuser"
#define RADIUS_SERVER_PASSWORD      "hnd@123"
#define ENTERPRISE_SECURITY_NW_SSID "ENT_SEC_NW_2G"
#define APP_INFO( x )               printf x

cy_rslt_t ent_sec_join_leave_eap_tls()
{
    cy_rslt_t result = CY_RSLT_SUCCESS;
    EnterpriseSecurity *ent_sec_obj = NULL;
    cy_enterprise_security_parameters_t ent_parameters;   /* type and enum names as declared in cy_enterprise_security.h */

    memset( &ent_parameters, 0, sizeof(ent_parameters) );

    /* EAP-TLS: the CA certificate verifies the RADIUS server; the client certificate and key authenticate this device. */
    ent_parameters.eap_type    = CY_ENTERPRISE_SECURITY_EAP_TYPE_TLS;
    ent_parameters.auth_type   = CY_ENTERPRISE_SECURITY_AUTH_TYPE_WPA2_AES;
    ent_parameters.ca_cert     = (char*) WIFI_ROOT_CERTIFICATE_STRING;
    ent_parameters.client_cert = (char*) WIFI_USER_CERTIFICATE_STRING;
    ent_parameters.client_key  = (char*) WIFI_USER_PRIVATE_KEY_STRING;
    memcpy( ent_parameters.ssid, (char *)ENTERPRISE_SECURITY_NW_SSID, strlen(ENTERPRISE_SECURITY_NW_SSID) + 1 );
    memcpy( ent_parameters.outer_eap_identity, (char *)RADIUS_SERVER_IDENTITY, strlen(RADIUS_SERVER_IDENTITY) + 1 );

    ent_sec_obj = new EnterpriseSecurity( &ent_parameters );
    if( ent_sec_obj == NULL )
    {
        APP_INFO( ( "Failed to allocate memory for EnterpriseSecurity object.\n" ) );
        return CY_RSLT_ERROR;
    }

    result = ent_sec_obj->join();
    if( result == CY_RSLT_SUCCESS )
    {
        APP_INFO(("Joining an Enterprise Security network is successful.\n"));
    }
    else
    {
        APP_INFO(("Joining an Enterprise Security network failed with error %u\n", (unsigned int)result));
        goto cleanup;
    }

    result = ent_sec_obj->leave();
    if( result == CY_RSLT_SUCCESS )
    {
        APP_INFO(("Leaving an Enterprise Security network is successful.\n"));
    }
    else
    {
        APP_INFO(("Leaving an Enterprise Security network failed with error %u\n", (unsigned int)result));
        goto cleanup;
    }

cleanup:
    delete ent_sec_obj;
    ent_sec_obj = NULL;
    return result;
}
Code Snippet 2: Enterprise Security Join and Leave (PEAP)
Creates an EnterpriseSecurity instance and performs join and leave using the class methods with PEAP.
#include <stdio.h>
#include <string.h>
#include "mbed.h"
#include "cy_enterprise_security.hpp"
#include "certificate.h"

#define RADIUS_SERVER_IDENTITY      "svtuser"
#define RADIUS_SERVER_PASSWORD      "hnd@123"
#define ENTERPRISE_SECURITY_NW_SSID "ENT_SEC_NW_2G"
#define APP_INFO( x )               printf x

cy_rslt_t ent_sec_join_leave_peap()
{
    cy_rslt_t result = CY_RSLT_SUCCESS;
    EnterpriseSecurity *ent_sec_obj = NULL;
    cy_enterprise_security_parameters_t ent_parameters;   /* type and enum names as declared in cy_enterprise_security.h */

    memset( &ent_parameters, 0, sizeof(ent_parameters) );

    /* PEAPv0: the server is authenticated by its certificate; the client by MSCHAPv2 inside the TLS tunnel. */
    ent_parameters.eap_type    = CY_ENTERPRISE_SECURITY_EAP_TYPE_PEAP;
    ent_parameters.auth_type   = CY_ENTERPRISE_SECURITY_AUTH_TYPE_WPA2_AES;
    ent_parameters.ca_cert     = (char*) WIFI_ROOT_CERTIFICATE_STRING;
    ent_parameters.client_cert = (char*) WIFI_USER_CERTIFICATE_STRING;
    ent_parameters.client_key  = (char*) WIFI_USER_PRIVATE_KEY_STRING;
    memcpy( ent_parameters.ssid, (char *)ENTERPRISE_SECURITY_NW_SSID, strlen(ENTERPRISE_SECURITY_NW_SSID) + 1 );
    memcpy( ent_parameters.outer_eap_identity, (char *)RADIUS_SERVER_IDENTITY, strlen(RADIUS_SERVER_IDENTITY) + 1 );

    /* Phase 2 (tunnelled) credentials. */
    ent_parameters.phase2.tunnel_auth_type = CY_ENTERPRISE_SECURITY_TUNNEL_TYPE_EAP;
    ent_parameters.phase2.inner_eap_type   = CY_ENTERPRISE_SECURITY_EAP_TYPE_MSCHAPV2;
    memcpy( ent_parameters.phase2.inner_identity, (char *)RADIUS_SERVER_IDENTITY, strlen(RADIUS_SERVER_IDENTITY) + 1 );
    memcpy( ent_parameters.phase2.inner_password, (char *)RADIUS_SERVER_PASSWORD, strlen(RADIUS_SERVER_PASSWORD) + 1 );

    ent_sec_obj = new EnterpriseSecurity( &ent_parameters );
    if( ent_sec_obj == NULL )
    {
        APP_INFO( ( "Failed to allocate memory for EnterpriseSecurity object.\n" ) );
        return CY_RSLT_ERROR;
    }

    result = ent_sec_obj->join();
    if( result == CY_RSLT_SUCCESS )
    {
        APP_INFO(("Joining an Enterprise Security network is successful.\n"));
    }
    else
    {
        APP_INFO(("Joining an Enterprise Security network failed with error %u\n", (unsigned int)result));
        goto cleanup;
    }

    result = ent_sec_obj->leave();
    if( result == CY_RSLT_SUCCESS )
    {
        APP_INFO(("Leaving an Enterprise Security network is successful.\n"));
    }
    else
    {
        APP_INFO(("Leaving an Enterprise Security network failed with error %u\n", (unsigned int)result));
        goto cleanup;
    }

cleanup:
    delete ent_sec_obj;
    ent_sec_obj = NULL;
    return result;
}
Code Snippet 3: Enterprise Security Join and Leave (EAP-TTLS)
Creates an EnterpriseSecurity instance and performs join and leave using the class methods with EAP-TTLS.
#include <stdio.h>
#include <string.h>
#include "mbed.h"
#include "cy_enterprise_security.hpp"
#include "certificate.h"

#define RADIUS_SERVER_IDENTITY      "svtuser"
#define RADIUS_SERVER_PASSWORD      "hnd@123"
#define ENTERPRISE_SECURITY_NW_SSID "ENT_SEC_NW_2G"
#define APP_INFO( x )               printf x

cy_rslt_t ent_sec_join_leave_eap_ttls()
{
    cy_rslt_t result = CY_RSLT_SUCCESS;
    EnterpriseSecurity *ent_sec_obj = NULL;
    cy_enterprise_security_parameters_t ent_parameters;   /* type and enum names as declared in cy_enterprise_security.h */

    memset( &ent_parameters, 0, sizeof(ent_parameters) );

    /* EAP-TTLS: server authenticated by certificate; EAP-MSCHAPv2 runs as the phase 2 method inside the tunnel. */
    ent_parameters.eap_type    = CY_ENTERPRISE_SECURITY_EAP_TYPE_TTLS;
    ent_parameters.auth_type   = CY_ENTERPRISE_SECURITY_AUTH_TYPE_WPA2_AES;
    ent_parameters.ca_cert     = (char*) WIFI_ROOT_CERTIFICATE_STRING;
    ent_parameters.client_cert = (char*) WIFI_USER_CERTIFICATE_STRING;
    ent_parameters.client_key  = (char*) WIFI_USER_PRIVATE_KEY_STRING;
    memcpy( ent_parameters.ssid, (char *)ENTERPRISE_SECURITY_NW_SSID, strlen(ENTERPRISE_SECURITY_NW_SSID) + 1 );
    memcpy( ent_parameters.outer_eap_identity, (char *)RADIUS_SERVER_IDENTITY, strlen(RADIUS_SERVER_IDENTITY) + 1 );

    /* Phase 2 (tunnelled) credentials; the library supports only EAP methods here. */
    ent_parameters.phase2.tunnel_auth_type = CY_ENTERPRISE_SECURITY_TUNNEL_TYPE_EAP;
    ent_parameters.phase2.inner_eap_type   = CY_ENTERPRISE_SECURITY_EAP_TYPE_MSCHAPV2;
    memcpy( ent_parameters.phase2.inner_identity, (char *)RADIUS_SERVER_IDENTITY, strlen(RADIUS_SERVER_IDENTITY) + 1 );
    memcpy( ent_parameters.phase2.inner_password, (char *)RADIUS_SERVER_PASSWORD, strlen(RADIUS_SERVER_PASSWORD) + 1 );

    ent_sec_obj = new EnterpriseSecurity( &ent_parameters );
    if( ent_sec_obj == NULL )
    {
        APP_INFO( ( "Failed to allocate memory for EnterpriseSecurity object.\n" ) );
        return CY_RSLT_ERROR;
    }

    result = ent_sec_obj->join();
    if( result == CY_RSLT_SUCCESS )
    {
        APP_INFO(("Joining an Enterprise Security network is successful.\n"));
    }
    else
    {
        APP_INFO(("Joining an Enterprise Security network failed with error %u\n", (unsigned int)result));
        goto cleanup;
    }

    result = ent_sec_obj->leave();
    if( result == CY_RSLT_SUCCESS )
    {
        APP_INFO(("Leaving an Enterprise Security network is successful.\n"));
    }
    else
    {
        APP_INFO(("Leaving an Enterprise Security network failed with error %u\n", (unsigned int)result));
        goto cleanup;
    }

cleanup:
    delete ent_sec_obj;
    ent_sec_obj = NULL;
    return result;
}
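All six snippets above (ModusToolbox™ and Mbed OS) copy the SSID and identities into fixed-size fields with memcpy(..., strlen() + 1) without checking that the source fits, and reuse the same string for the cleartext outer identity and the tunnelled inner identity. The following added example, which is not library code, shows a bounds-checked way to build the parameters that also keeps the two identities separate; its struct, field sizes and enum names are stand-ins assumed for the example, not the library's own definitions.

```c
/* Added example, not library code: fill EAP parameters with bounds checks instead
 * of unchecked memcpy(..., strlen() + 1). Struct layout, field sizes and enum names
 * are stand-ins assumed here; the real ones are declared in cy_enterprise_security.h. */
#include <string.h>
#define EX_SSID_MAX     32   /* assumed: 802.11 SSID limit, excluding the NUL */
#define EX_IDENTITY_MAX 64   /* assumed field size, excluding the NUL */

enum ex_eap_type { EX_EAP_TLS, EX_EAP_PEAP, EX_EAP_TTLS };

typedef struct {
    char ssid[EX_SSID_MAX + 1];
    char outer_eap_identity[EX_IDENTITY_MAX + 1];   /* sent in clear, before the TLS tunnel exists */
    const char *ca_cert, *client_cert, *client_key;
    enum ex_eap_type eap_type;
    struct { char inner_identity[EX_IDENTITY_MAX + 1];   /* only ever sent inside the tunnel */
             char inner_password[EX_IDENTITY_MAX + 1]; } phase2;
} ex_params_t;

/* Copy src into a fixed-size field; return -1 rather than overflow it. */
static int ex_copy_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t n = 0;
    if (src == NULL) return -1;
    while (n < dst_size && src[n] != '\0') n++;   /* bounded length scan */
    if (n == dst_size) return -1;                 /* no room left for the NUL */
    memcpy(dst, src, n + 1);
    return 0;
}

/* Returns 0 on success, -1 for a missing CA certificate, -2 for a missing or
 * oversize string, -3 when the EAP method lacks the credentials it needs. */
int ex_build_params(ex_params_t *p, enum ex_eap_type type, const char *ssid,
                    const char *outer_identity, const char *inner_identity,
                    const char *password, const char *ca_cert,
                    const char *client_cert, const char *client_key)
{
    memset(p, 0, sizeof(*p));
    p->eap_type = type;
    if (ca_cert == NULL) return -1;   /* without a CA the RADIUS server cannot be verified */
    p->ca_cert = ca_cert;
    if (ex_copy_bounded(p->ssid, sizeof p->ssid, ssid) != 0) return -2;
    if (ex_copy_bounded(p->outer_eap_identity, sizeof p->outer_eap_identity, outer_identity) != 0) return -2;
    if (type == EX_EAP_TLS) {         /* mutual certificate authentication, no phase 2 */
        if (client_cert == NULL || client_key == NULL) return -3;
        p->client_cert = client_cert;
        p->client_key  = client_key;
        return 0;
    }
    /* PEAP / EAP-TTLS: the MSCHAPv2 credentials travel inside the TLS tunnel */
    if (ex_copy_bounded(p->phase2.inner_identity, sizeof p->phase2.inner_identity, inner_identity) != 0) return -2;
    if (ex_copy_bounded(p->phase2.inner_password, sizeof p->phase2.inner_password, password) != 0) return -2;
    return 0;
}
```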