net: wifi: shell: add enterprise support for sap

Add EAP-TLS, EAP-PEAP-MSCHAPv2, EAP-PEAP-GTC, EAP-TTLS-MSCHAPv2,
EAP-PEAP-TLS, EAP-TLS-SHA256 enterprise wpa2 and wpa3 suiteb
support for sap.

Signed-off-by: Rex Chen <rex.chen_1@nxp.com>

include/zephyr/net/wifi_mgmt.h

@@ -51,6 +51,12 @@ extern "C" {
 #define WIFI_MGMT_SCAN_CHAN_MAX_MANUAL 1
 #endif /* CONFIG_WIFI_MGMT_SCAN_CHAN_MAX_MANUAL */
 
+#ifdef CONFIG_WIFI_ENT_IDENTITY_MAX_USERS
+#define WIFI_ENT_IDENTITY_MAX_USERS CONFIG_WIFI_ENT_IDENTITY_MAX_USERS
+#else
+#define WIFI_ENT_IDENTITY_MAX_USERS 1
+#endif /* CONFIG_WIFI_ENT_IDENTITY_MAX_USERS */
+
 #define WIFI_MGMT_BAND_STR_SIZE_MAX 8
 #define WIFI_MGMT_SCAN_MAX_BSS_CNT 65535
 
@@ -535,7 +541,7 @@ struct wifi_connect_req_params {
 	/** suiteb or suiteb-192 */
 	uint8_t suiteb_type;
 	/** eap version */
-	uint8_t eap_ver;
+	int eap_ver;
 	/** Identity for EAP */
 	const uint8_t *eap_identity;
 	/** eap identity length, max 64 */
@@ -546,6 +552,14 @@ struct wifi_connect_req_params {
 	uint8_t eap_passwd_length;
 	/** Fast BSS Transition used */
 	bool ft_used;
+	/** Number of EAP users */
+	int nusers;
+	/** Number of EAP passwds */
+	uint8_t passwds;
+	/** User Identities */
+	const uint8_t *identities[WIFI_ENT_IDENTITY_MAX_USERS];
+	/** User Passwords */
+	const uint8_t *passwords[WIFI_ENT_IDENTITY_MAX_USERS];
 };
 
 /** @brief Wi-Fi connect result codes. To be overlaid on top of \ref wifi_status
@@ -797,6 +811,18 @@ struct wifi_enterprise_creds_params {
 	uint8_t *client_key2;
 	/** Phase2 Client key length */
 	uint32_t client_key2_len;
+	/** Server certification */
+	uint8_t *server_cert;
+	/** Server certification length */
+	uint32_t server_cert_len;
+	/** Server key */
+	uint8_t *server_key;
+	/** Server key length */
+	uint32_t server_key_len;
+	/** Diffie–Hellman parameter */
+	uint8_t *dh_param;
+	/** Diffie–Hellman parameter length */
+	uint32_t dh_param_len;
 };
 
 /** @brief Wi-Fi power save configuration */

modules/hostap/CMakeLists.txt

@@ -593,6 +593,73 @@ zephyr_library_sources_ifdef(CONFIG_WIFI_NM_WPA_SUPPLICANT_DPP
 	${HOSTAP_SRC_BASE}/tls/asn1.c
 )
 
+zephyr_library_sources_ifdef(CONFIG_WIFI_NM_HOSTAPD_CRYPTO_ENTERPRISE
+	${HOSTAP_SRC_BASE}/eap_server/eap_server_tls_common.c
+)
+
+zephyr_library_compile_definitions_ifdef(CONFIG_WIFI_NM_HOSTAPD_CRYPTO_ENTERPRISE
+	WIFI_NM_HOSTAPD_CRYPTO_ENTERPRISE
+	EAP_TLS_FUNCS
+	EAP_SERVER
+)
+
+zephyr_library_sources_ifdef(CONFIG_EAP_SERVER_IDENTITY
+	${HOSTAP_SRC_BASE}/eap_server/eap_server_identity.c
+)
+
+zephyr_library_compile_definitions_ifdef(CONFIG_EAP_SERVER_IDENTITY
+	EAP_SERVER_IDENTITY
+)
+
+
+zephyr_library_sources_ifdef(CONFIG_EAP_SERVER_TLS
+	${HOSTAP_SRC_BASE}/eap_server/eap_server_tls.c
+)
+
+zephyr_library_compile_definitions_ifdef(CONFIG_EAP_SERVER_TLS
+	EAP_SERVER_TLS
+)
+
+zephyr_library_sources_ifdef(CONFIG_EAP_SERVER_MD5
+	${HOSTAP_SRC_BASE}/eap_server/eap_server_md5.c
+)
+
+zephyr_library_compile_definitions_ifdef(CONFIG_EAP_SERVER_MD5
+	EAP_SERVER_MD5
+)
+
+zephyr_library_sources_ifdef(CONFIG_EAP_SERVER_MSCHAPV2
+	${HOSTAP_SRC_BASE}/eap_server/eap_server_mschapv2.c
+)
+
+zephyr_library_compile_definitions_ifdef(CONFIG_EAP_SERVER_MSCHAPV2
+	EAP_SERVER_MSCHAPV2
+)
+
+zephyr_library_sources_ifdef(CONFIG_EAP_SERVER_PEAP
+	${HOSTAP_SRC_BASE}/eap_server/eap_server_peap.c
+)
+
+zephyr_library_compile_definitions_ifdef(CONFIG_EAP_SERVER_PEAP
+	EAP_SERVER_PEAP
+)
+
+zephyr_library_sources_ifdef(CONFIG_EAP_SERVER_GTC
+	${HOSTAP_SRC_BASE}/eap_server/eap_server_gtc.c
+)
+
+zephyr_library_compile_definitions_ifdef(CONFIG_EAP_SERVER_GTC
+	EAP_SERVER_GTC
+)
+
+zephyr_library_sources_ifdef(CONFIG_EAP_SERVER_TTLS
+	${HOSTAP_SRC_BASE}/eap_server/eap_server_ttls.c
+)
+
+zephyr_library_compile_definitions_ifdef(CONFIGEAP_SERVER_TTLS
+	EAP_SERVER_TTLS
+)
+
 # crypto mbedtls related
 if(CONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO)
 zephyr_library_sources(

modules/hostap/Kconfig

@@ -278,6 +278,35 @@ config WIFI_NM_HOSTAPD_AP
 	bool "FullAP mode support based on Hostapd"
 	depends on !WIFI_NM_WPA_SUPPLICANT_INF_MON
 
+config WIFI_NM_HOSTAPD_CRYPTO_ENTERPRISE
+	bool "Hostapd crypto enterprise support"
+
+config EAP_SERVER_TLS
+	bool "EAP-TLS server support"
+
+config EAP_SERVER_IDENTITY
+	bool "EAP-IDENTITY server support"
+
+config EAP_SERVER_MD5
+	bool "EAP-MD5 server support"
+
+config EAP_SERVER_MSCHAPV2
+	bool "EAP-MSCHAPV2 server support"
+
+config EAP_SERVER_PEAP
+	bool "EAP-PEAP server support"
+
+config EAP_SERVER_GTC
+	bool "EAP-GTC server support"
+
+config EAP_SERVER_TTLS
+	bool "EAP-TTLS server support"
+
+config EAP_SERVER_ALL
+	bool "All EAP methods support"
+	select EAP_SERVER_TLS
+	default y if WIFI_NM_HOSTAPD_CRYPTO_ENTERPRISE
+
 config WIFI_NM_WPA_SUPPLICANT_BSS_MAX_IDLE_TIME
 	int "BSS max idle timeout in seconds"
 	range 0 64000

modules/hostap/src/supp_api.c

@@ -394,24 +394,6 @@ static inline enum wifi_security_type wpas_key_mgmt_to_zephyr(int key_mgmt, int
 }
 
 #ifdef CONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE
-int supplicant_add_enterprise_creds(const struct device *dev,
-			struct wifi_enterprise_creds_params *creds)
-{
-	int ret = 0;
-
-	if (!creds) {
-		ret = -1;
-		wpa_printf(MSG_ERROR, "enterprise creds is NULL");
-		goto out;
-	}
-
-	memcpy((void *)&enterprise_creds, (void *)creds,
-			sizeof(struct wifi_enterprise_creds_params));
-
-out:
-	return ret;
-}
-
 static int wpas_config_process_blob(struct wpa_config *config, char *name, uint8_t *data,
 				uint32_t data_len)
 {
@@ -446,6 +428,27 @@ static int wpas_config_process_blob(struct wpa_config *config, char *name, uint8
 
 	return 0;
 }
+#endif
+
+#if defined CONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE || \
+	defined CONFIG_WIFI_NM_HOSTAPD_CRYPTO_ENTERPRISE
+int supplicant_add_enterprise_creds(const struct device *dev,
+			struct wifi_enterprise_creds_params *creds)
+{
+	int ret = 0;
+
+	if (!creds) {
+		ret = -1;
+		wpa_printf(MSG_ERROR, "enterprise creds is NULL");
+		goto out;
+	}
+
+	memcpy((void *)&enterprise_creds, (void *)creds,
+			sizeof(struct wifi_enterprise_creds_params));
+
+out:
+	return ret;
+}
 
 static const struct wifi_cipher_desc ciphers[] = {
 	{WPA_CAPA_ENC_GCMP_256, "GCMP-256"},
@@ -550,6 +553,276 @@ static int is_eap_valid_security(int security)
 }
 #endif
 
+#ifdef CONFIG_WIFI_NM_HOSTAPD_CRYPTO_ENTERPRISE
+static int hapd_process_cert_data(struct hostapd_bss_config *conf,
+	char *type, uint8_t *data, uint32_t data_len)
+{
+	if (os_strcmp(type, "ca_cert_blob") == 0) {
+		conf->ca_cert_blob = data;
+		conf->ca_cert_blob_len = data_len;
+	} else if (os_strcmp(type, "server_cert_blob") == 0) {
+		conf->server_cert_blob = data;
+		conf->server_cert_blob_len = data_len;
+	} else if (os_strcmp(type, "private_key_blob") == 0) {
+		conf->private_key_blob = data;
+		conf->private_key_blob_len = data_len;
+	} else if (os_strcmp(type, "dh_blob") == 0) {
+		conf->dh_blob = data;
+		conf->dh_blob_len = data_len;
+	} else {
+		wpa_printf(MSG_ERROR, "input type error");
+		return -ENOTSUP;
+	}
+
+	return 0;
+}
+
+static int hapd_get_eap_config(struct wifi_connect_req_params *params,
+	struct wifi_eap_config *eap_cfg)
+{
+	unsigned int index = 0;
+
+	for (index = 0; index < ARRAY_SIZE(eap_config); index++) {
+		if (params->security == eap_config[index].type) {
+			memcpy(eap_cfg, &eap_config[index], sizeof(struct wifi_eap_config));
+			break;
+		}
+	}
+
+	if (index == ARRAY_SIZE(eap_config)) {
+		wpa_printf(MSG_ERROR, "Get eap method type with security type: %d",
+		params->security);
+		return -ENOTSUP;
+	}
+
+	return 0;
+}
+
+static struct hostapd_eap_user *hostapd_process_eap_user_phase1(
+	struct wifi_connect_req_params *params, struct hostapd_eap_user **pnew_user)
+{
+	struct hostapd_eap_user *user = NULL, *tail = NULL, *new_user = NULL;
+	struct wifi_eap_config eap_cfg;
+
+	user = os_zalloc(sizeof(*user));
+	if (user == NULL) {
+		wpa_printf(MSG_ERROR, "EAP user allocation failed");
+		goto failed;
+	}
+
+	user->force_version = -1;
+	if (params->eap_ver >= 0) {
+		user->force_version = params->eap_ver;
+	}
+
+	if (hapd_get_eap_config(params, &eap_cfg)) {
+		goto failed;
+	}
+
+	user->methods[0].method = eap_cfg.eap_type_phase1;
+	user->methods[0].vendor = 0;
+
+	if (tail == NULL) {
+		tail = new_user = user;
+	} else {
+		tail->next = user;
+		tail       = user;
+	}
+
+	*pnew_user = new_user;
+
+	return tail;
+
+failed:
+	if (user) {
+		hostapd_config_free_eap_user(user);
+	}
+
+	return NULL;
+}
+
+static int hostapd_process_eap_user(struct wifi_connect_req_params *params,
+	struct hostapd_bss_config *conf)
+{
+	struct hostapd_eap_user *user = NULL, *tail = NULL, *user_list = NULL;
+	int i, nusers = params->nusers;
+	const char *identity, *password;
+	struct wifi_eap_config eap_cfg;
+	int ret = 0;
+
+	if (hapd_get_eap_config(params, &eap_cfg)) {
+		goto failed;
+	}
+
+	if (eap_cfg.phase2 != NULL) {
+		tail = hostapd_process_eap_user_phase1(params, &user_list);
+	}
+
+	if (eap_cfg.phase2 != NULL && !nusers) {
+		wpa_printf(MSG_ERROR, "EAP users not found.");
+		goto failed;
+	}
+
+	for (i = 0; i < nusers; i++) {
+		user = os_zalloc(sizeof(*user));
+		if (user == NULL) {
+			wpa_printf(MSG_ERROR, "EAP user allocation failed");
+			goto failed;
+		}
+
+		user->force_version = -1;
+		if (params->eap_ver >= 0) {
+			user->force_version = params->eap_ver;
+		}
+
+		identity = params->identities[i];
+		password = params->passwords[i];
+
+		user->identity = os_memdup(identity, os_strlen(identity));
+		if (user->identity == NULL) {
+			wpa_printf(MSG_ERROR,
+				"Failed to allocate "
+				"memory for EAP identity");
+			goto failed;
+		}
+		user->identity_len = os_strlen(identity);
+
+		user->methods[0].method = eap_cfg.eap_type_phase1;
+		user->methods[0].vendor = 0;
+
+		if (eap_cfg.phase2 != NULL) {
+			user->methods[0].method = eap_cfg.eap_type_phase2;
+			user->password = os_memdup(password, os_strlen(password));
+			if (user->password == NULL) {
+				wpa_printf(MSG_ERROR,
+					"Failed to allocate "
+					"memory for EAP password");
+				goto failed;
+			}
+			user->password_len = os_strlen(password);
+
+			user->phase2 = 1;
+		}
+
+		if (params->security == WIFI_SECURITY_TYPE_EAP_TTLS_MSCHAPV2) {
+			user->ttls_auth |= 0x1E;
+		}
+
+		if (tail == NULL) {
+			tail = user_list = user;
+		} else {
+			tail->next = user;
+			tail       = user;
+		}
+
+		continue;
+
+failed:
+		if (user) {
+			hostapd_config_free_eap_user(user);
+		}
+
+		ret = -1;
+		break;
+	}
+
+	if (ret == 0) {
+		hostapd_config_free_eap_users(conf->eap_user);
+		conf->eap_user = user_list;
+	} else {
+		hostapd_config_free_eap_users(user_list);
+	}
+
+	return ret;
+}
+
+int hapd_process_enterprise_config(struct hostapd_iface *iface,
+	struct wifi_connect_req_params *params)
+{
+	struct wifi_eap_cipher_config cipher_config = {
+		NULL, "DEFAULT:!EXP:!LOW", "CCMP", "CCMP", "AES-128-CMAC", NULL};
+	int ret = 0;
+
+	if (process_cipher_config(params, &cipher_config)) {
+		goto out;
+	}
+
+	if (!hostapd_cli_cmd_v("set wpa %d", WPA_PROTO_RSN)) {
+		goto out;
+	}
+
+	if (!hostapd_cli_cmd_v("set wpa_key_mgmt %s", cipher_config.key_mgmt)) {
+		goto out;
+	}
+
+	if (!hostapd_cli_cmd_v("set rsn_pairwise %s", cipher_config.pairwise_cipher)) {
+		goto out;
+	}
+
+	if (!hostapd_cli_cmd_v("set wpa_pairwise %s", cipher_config.pairwise_cipher)) {
+		goto out;
+	}
+
+	if (!hostapd_cli_cmd_v("set group_cipher %s", cipher_config.group_cipher)) {
+		goto out;
+	}
+
+	if (!hostapd_cli_cmd_v("set group_mgmt_cipher %s", cipher_config.group_mgmt_cipher)) {
+		goto out;
+	}
+
+	if (cipher_config.tls_flags != NULL) {
+		if (!hostapd_cli_cmd_v("set tls_flags %s", cipher_config.tls_flags)) {
+			goto out;
+		}
+	}
+
+	if (!hostapd_cli_cmd_v("set ieee8021x %d", 1)) {
+		goto out;
+	}
+
+	if (!hostapd_cli_cmd_v("set eapol_version %d", 2)) {
+		goto out;
+	}
+
+	if (!hostapd_cli_cmd_v("set eap_server %d", 1)) {
+		goto out;
+	}
+
+	if (hapd_process_cert_data(iface->bss[0]->conf, "ca_cert_blob",
+		enterprise_creds.ca_cert, enterprise_creds.ca_cert_len)) {
+		goto out;
+	}
+
+	if (hapd_process_cert_data(iface->bss[0]->conf, "server_cert_blob",
+		enterprise_creds.server_cert, enterprise_creds.server_cert_len)) {
+		goto out;
+	}
+
+	if (hapd_process_cert_data(iface->bss[0]->conf, "private_key_blob",
+		enterprise_creds.server_key, enterprise_creds.server_key_len)) {
+		goto out;
+	}
+
+	if (hapd_process_cert_data(iface->bss[0]->conf, "dh_blob",
+		enterprise_creds.dh_param, enterprise_creds.dh_param_len)) {
+		goto out;
+	}
+
+	if (!hostapd_cli_cmd_v("set private_key_passwd %s", params->key_passwd)) {
+		goto out;
+	}
+
+	if (hostapd_process_eap_user(params, iface->bss[0]->conf)) {
+		goto out;
+	}
+
+	return ret;
+out:
+	return -1;
+}
+#endif
+
 static int wpas_add_and_config_network(struct wpa_supplicant *wpa_s,
 				       struct wifi_connect_req_params *params,
 				       bool mode_ap)
@@ -1945,6 +2218,12 @@ int hapd_config_network(struct hostapd_iface *iface,
 			if (!hostapd_cli_cmd_v("set dpp_configurator_connectivity 1")) {
 				goto out;
 			}
+#ifdef CONFIG_WIFI_NM_HOSTAPD_CRYPTO_ENTERPRISE
+		} else if (is_eap_valid_security(params->security)) {
+			if (hapd_process_enterprise_config(iface, params)) {
+				goto out;
+			}
+#endif
 		}
 	} else {
 		if (!hostapd_cli_cmd_v("set wpa 0")) {
@@ -1956,8 +2235,10 @@ int hapd_config_network(struct hostapd_iface *iface,
 	if (!hostapd_cli_cmd_v("set ieee80211w %d", params->mfp)) {
 		goto out;
 	}
-out:
+
 	return ret;
+out:
+	return -1;
 }
 
 int supplicant_ap_config_params(const struct device *dev, struct wifi_ap_config_params *params)

modules/hostap/src/supp_api.h

@@ -183,7 +183,8 @@ int supplicant_reg_domain(const struct device *dev, struct wifi_reg_domain *reg_
  */
 int supplicant_mode(const struct device *dev, struct wifi_mode_info *mode);
 
-#ifdef CONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE
+#if defined CONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE || \
+	defined CONFIG_WIFI_NM_HOSTAPD_CRYPTO_ENTERPRISE
 /** Set Wi-Fi enterprise mode CA/client Cert and key
  *
  * @param dev Pointer to the device structure for the driver instance

modules/hostap/src/supp_main.c

@@ -111,6 +111,9 @@ static const struct wifi_mgmt_ops mgmt_ap_ops = {
 	.dpp_dispatch = hapd_dpp_dispatch,
 #endif /* CONFIG_WIFI_NM_WPA_SUPPLICANT_DPP */
 	.ap_config_params = supplicant_ap_config_params,
+#ifdef CONFIG_WIFI_NM_HOSTAPD_CRYPTO_ENTERPRISE
+	.enterprise_creds = supplicant_add_enterprise_creds,
+#endif
 };
 
 DEFINE_WIFI_NM_INSTANCE(hostapd, &mgmt_ap_ops);

samples/net/wifi/shell/boards/frdm_rw612.conf

@@ -93,6 +93,7 @@ CONFIG_WIFI_NM_WPA_SUPPLICANT_WPS=y
 CONFIG_WIFI_NM_HOSTAPD_WPS=y
 CONFIG_WIFI_NM_WPA_SUPPLICANT_ROAMING=y
 CONFIG_WIFI_NM_WPA_SUPPLICANT_SKIP_DHCP_ON_ROAMING=y
+CONFIG_WIFI_NM_HOSTAPD_CRYPTO_ENTERPRISE=y
 
 # Enable mbedtls
 CONFIG_MBEDTLS=y

samples/net/wifi/shell/boards/rd_rw612_bga.conf

@@ -92,6 +92,7 @@ CONFIG_WIFI_NM_WPA_SUPPLICANT_WPS=y
 CONFIG_WIFI_NM_HOSTAPD_WPS=y
 CONFIG_WIFI_NM_WPA_SUPPLICANT_ROAMING=y
 CONFIG_WIFI_NM_WPA_SUPPLICANT_SKIP_DHCP_ON_ROAMING=y
+CONFIG_WIFI_NM_HOSTAPD_CRYPTO_ENTERPRISE=y
 
 # Enable mbedtls
 CONFIG_MBEDTLS=y

subsys/net/l2/wifi/CMakeLists.txt

@@ -69,6 +69,17 @@ generate_inc_file_for_target(
     ${gen_dir}/ca2.pem.inc
     )
 
+generate_inc_file_for_target(
+    app
+    ${ZEPHYR_BASE}/samples/net/wifi/test_certs/server.pem
+    ${gen_dir}/server.pem.inc
+    )
+
+generate_inc_file_for_target(
+    app
+    ${ZEPHYR_BASE}/samples/net/wifi/test_certs/server-key.pem
+    ${gen_dir}/server-key.pem.inc
+    )
 # Add explicit dependency on app target for ZEPHYR_CURRENT_LIBRARY, so these
 # headers are generated at the correct point in the build
 add_dependencies(${ZEPHYR_CURRENT_LIBRARY} app)

subsys/net/l2/wifi/Kconfig

@@ -119,3 +119,9 @@ config WIFI_MGMT_AP_MAX_NUM_STA
 	help
 	  Maximum number of stations allowed in station table. New stations will be
 	  rejected after the station table is full.
+
+config WIFI_ENT_IDENTITY_MAX_USERS
+	int "Maximum number of identity users allowed connection"
+	default 8
+	help
+	  This option defines the maximum number of identity users allowed connection.

subsys/net/l2/wifi/wifi_shell.c

@@ -56,6 +56,16 @@ static const char client_cert2_test[] = {
 static const char client_key2_test[] = {
 	#include <wifi_enterprise_test_certs/client-key2.pem.inc>
 	'\0'};
+
+static const char server_cert_test[] = {
+	#include <wifi_enterprise_test_certs/server.pem.inc>
+	'\0'
+};
+
+static const char server_key_test[] = {
+	#include <wifi_enterprise_test_certs/server-key.pem.inc>
+	'\0'
+};
 #endif
 
 #define WIFI_SHELL_MODULE "wifi"
@@ -104,7 +114,8 @@ struct wifi_ap_sta_node {
 static struct wifi_ap_sta_node sta_list[CONFIG_WIFI_SHELL_MAX_AP_STA];
 
 
-#ifdef CONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE
+#if defined CONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE || \
+	defined CONFIG_WIFI_NM_HOSTAPD_CRYPTO_ENTERPRISE
 static int cmd_wifi_set_enterprise_creds(const struct shell *sh, struct net_if *iface)
 {
 	struct wifi_enterprise_creds_params params = {0};
@@ -121,6 +132,10 @@ static int cmd_wifi_set_enterprise_creds(const struct shell *sh, struct net_if *
 	params.client_cert2_len = ARRAY_SIZE(client_cert2_test);
 	params.client_key2 = (uint8_t *)client_key2_test;
 	params.client_key2_len = ARRAY_SIZE(client_key2_test);
+	params.server_cert = (uint8_t *)server_cert_test;
+	params.server_cert_len = ARRAY_SIZE(server_cert_test);
+	params.server_key = (uint8_t *)server_key_test;
+	params.server_key_len = ARRAY_SIZE(server_key_test);
 
 	if (net_mgmt(NET_REQUEST_WIFI_ENTERPRISE_CREDS, iface, &params, sizeof(params))) {
 		PR_WARNING("Set enterprise credentials failed\n");
@@ -755,8 +770,17 @@ static int __wifi_args_to_params(const struct shell *sh, size_t argc, char *argv
 			}
 			break;
 		case 'I':
+			if (params->nusers >= WIFI_ENT_IDENTITY_MAX_USERS) {
+				PR_WARNING("too many eap identities (max %d identities)\n",
+					    WIFI_ENT_IDENTITY_MAX_USERS);
+				return -EINVAL;
+			}
+
 			params->eap_identity = optarg;
 			params->eap_id_length = strlen(params->eap_identity);
+
+			params->identities[params->nusers] = optarg;
+			params->nusers++;
 			if (params->eap_id_length > WIFI_ENT_IDENTITY_MAX_LEN) {
 				PR_WARNING("eap identity too long (max %d characters)\n",
 					    WIFI_ENT_IDENTITY_MAX_LEN);
@@ -764,8 +788,17 @@ static int __wifi_args_to_params(const struct shell *sh, size_t argc, char *argv
 			}
 			break;
 		case 'P':
+			if (params->passwds >= WIFI_ENT_IDENTITY_MAX_USERS) {
+				PR_WARNING("too many eap passwds (max %d passwds)\n",
+					    WIFI_ENT_IDENTITY_MAX_USERS);
+				return -EINVAL;
+			}
+
 			params->eap_password = optarg;
 			params->eap_passwd_length = strlen(params->eap_password);
+
+			params->passwords[params->passwds] = optarg;
+			params->passwds++;
 			if (params->eap_passwd_length > WIFI_ENT_PSWD_MAX_LEN) {
 				PR_WARNING("eap password length too long (max %d characters)\n",
 					    WIFI_ENT_PSWD_MAX_LEN);
@@ -1667,6 +1700,18 @@ static int cmd_wifi_ap_enable(const struct shell *sh, size_t argc,
 		return -ENOEXEC;
 	}
 
+#ifdef CONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE
+	/* Load the enterprise credentials if needed */
+	if (cnx_params.security == WIFI_SECURITY_TYPE_EAP_TLS ||
+	    cnx_params.security == WIFI_SECURITY_TYPE_EAP_PEAP_MSCHAPV2 ||
+	    cnx_params.security == WIFI_SECURITY_TYPE_EAP_PEAP_GTC ||
+	    cnx_params.security == WIFI_SECURITY_TYPE_EAP_TTLS_MSCHAPV2 ||
+	    cnx_params.security == WIFI_SECURITY_TYPE_EAP_PEAP_TLS ||
+	    cnx_params.security == WIFI_SECURITY_TYPE_EAP_TLS_SHA256) {
+		cmd_wifi_set_enterprise_creds(sh, iface);
+	}
+#endif
+
 	k_mutex_init(&wifi_ap_sta_list_lock);
 
 	ret = net_mgmt(NET_REQUEST_WIFI_AP_ENABLE, iface, &cnx_params,
@@ -3085,14 +3130,23 @@ SHELL_STATIC_SUBCMD_SET_CREATE(
 		      "-c --channel=<channel number>\n"
 		      "-p --passphrase=<PSK> (valid only for secure SSIDs)\n"
 		      "-k --key-mgmt=<Security type> (valid only for secure SSIDs)\n"
-		      "0:None, 1:WPA2-PSK, 2:WPA2-PSK-256, 3:SAE, 4:WAPI, 5:EAP-TLS, 6:WEP\n"
-		      "7: WPA-PSK, 11: DPP\n"
+		      "0:None, 1:WPA2-PSK, 2:WPA2-PSK-256, 3:SAE-HNP, 4:SAE-H2E, 5:SAE-AUTO, 6:WAPI,"
+		      "7:EAP-TLS, 8:WEP, 9: WPA-PSK, 10: WPA-Auto-Personal, 11: DPP\n"
+		      "12: EAP-PEAP-MSCHAPv2, 13: EAP-PEAP-GTC, 14: EAP-TTLS-MSCHAPv2,\n"
+		      "15: EAP-PEAP-TLS, 16:EAP_TLS_SHA256\n"
 		      "-w --ieee-80211w=<MFP> (optional: needs security type to be specified)\n"
 		      "0:Disable, 1:Optional, 2:Required\n"
 		      "-b --band=<band> (2 -2.6GHz, 5 - 5Ghz, 6 - 6GHz)\n"
 		      "-m --bssid=<BSSID>\n"
+		      "[-K, --key1-pwd for eap phase1 or --key2-pwd for eap phase2]:\n"
+		      "Private key passwd for enterprise mode. Default no password for private key.\n"
+		      "[-S, --suiteb-type]: 1:suiteb, 2:suiteb-192. Default 0: not suiteb mode.\n"
+		      "[-V, --eap-version]: 0 or 1. Default 1: eap version 1.\n"
+		      "[-I, --eap-id1...--eap-id8]: Client Identity. Default no eap identity.\n"
+		      "[-P, --eap-pwd1...--eap-pwd8]: Client Password.\n"
+		      "Default no password for eap user.\n"
 		      "-h --help (prints help)",
-		      cmd_wifi_ap_enable, 2, 13),
+		      cmd_wifi_ap_enable, 2, 45),
 	SHELL_CMD_ARG(stations, NULL, "List stations connected to the AP", cmd_wifi_ap_stations, 1,
 		      0),
 	SHELL_CMD_ARG(disconnect, NULL,
@@ -3281,7 +3335,8 @@ SHELL_SUBCMD_ADD((wifi), connect, &wifi_commands,
 		  "[-k, --key-mgmt]: Key Management type (valid only for secure SSIDs)\n"
 		  "0:None, 1:WPA2-PSK, 2:WPA2-PSK-256, 3:SAE-HNP, 4:SAE-H2E, 5:SAE-AUTO, 6:WAPI,"
 		  "7:EAP-TLS, 8:WEP, 9: WPA-PSK, 10: WPA-Auto-Personal, 11: DPP\n"
-		  "12: EAP-PEAP-MSCHAPv2, 13: EAP-PEAP-GTC, 14: EAP-TTLS-MSCHAPv2, 15: EAP-PEAP-TLS\n"
+		  "12: EAP-PEAP-MSCHAPv2, 13: EAP-PEAP-GTC, 14: EAP-TTLS-MSCHAPv2,\n"
+		  "15: EAP-PEAP-TLS, 16:EAP_TLS_SHA256\n"
 		  "[-w, --ieee-80211w]: MFP (optional: needs security type to be specified)\n"
 		  ": 0:Disable, 1:Optional, 2:Required.\n"
 		  "[-m, --bssid]: MAC address of the AP (BSSID).\n"

west.yml

@@ -259,7 +259,7 @@ manifest:
         - hal
     - name: hostap
       path: modules/lib/hostap
-      revision: 0f7b166487b1ac08e1c6c492383f5c103320b2be
+      revision: 14f350c2ad022529720cbf04432a825c28b469ec
     - name: libmetal
       revision: a6851ba6dba8c9e87d00c42f171a822f7a29639b
       path: modules/hal/libmetal