diff --git a/include/zephyr/net/wifi_mgmt.h b/include/zephyr/net/wifi_mgmt.h index d19eff6148b..2195b685a0e 100644 --- a/include/zephyr/net/wifi_mgmt.h +++ b/include/zephyr/net/wifi_mgmt.h @@ -51,6 +51,12 @@ extern "C" { #define WIFI_MGMT_SCAN_CHAN_MAX_MANUAL 1 #endif /* CONFIG_WIFI_MGMT_SCAN_CHAN_MAX_MANUAL */ +#ifdef CONFIG_WIFI_ENT_IDENTITY_MAX_USERS +#define WIFI_ENT_IDENTITY_MAX_USERS CONFIG_WIFI_ENT_IDENTITY_MAX_USERS +#else +#define WIFI_ENT_IDENTITY_MAX_USERS 1 +#endif /* CONFIG_WIFI_ENT_IDENTITY_MAX_USERS */ + #define WIFI_MGMT_BAND_STR_SIZE_MAX 8 #define WIFI_MGMT_SCAN_MAX_BSS_CNT 65535 @@ -535,7 +541,7 @@ struct wifi_connect_req_params { /** suiteb or suiteb-192 */ uint8_t suiteb_type; /** eap version */ - uint8_t eap_ver; + int eap_ver; /** Identity for EAP */ const uint8_t *eap_identity; /** eap identity length, max 64 */ @@ -546,6 +552,14 @@ struct wifi_connect_req_params { uint8_t eap_passwd_length; /** Fast BSS Transition used */ bool ft_used; + /** Number of EAP users */ + int nusers; + /** Number of EAP passwds */ + uint8_t passwds; + /** User Identities */ + const uint8_t *identities[WIFI_ENT_IDENTITY_MAX_USERS]; + /** User Passwords */ + const uint8_t *passwords[WIFI_ENT_IDENTITY_MAX_USERS]; }; /** @brief Wi-Fi connect result codes. To be overlaid on top of \ref wifi_status @@ -797,6 +811,18 @@ struct wifi_enterprise_creds_params { uint8_t *client_key2; /** Phase2 Client key length */ uint32_t client_key2_len; + /** Server certification */ + uint8_t *server_cert; + /** Server certification length */ + uint32_t server_cert_len; + /** Server key */ + uint8_t *server_key; + /** Server key length */ + uint32_t server_key_len; + /** Diffie–Hellman parameter */ + uint8_t *dh_param; + /** Diffie–Hellman parameter length */ + uint32_t dh_param_len; }; /** @brief Wi-Fi power save configuration */ diff --git a/modules/hostap/CMakeLists.txt b/modules/hostap/CMakeLists.txt index d15546276da..744febe542a 100644 --- a/modules/hostap/CMakeLists.txt 
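Review bot: The `nusers` and `passwds` fields added to struct wifi_connect_req_params are two independent counters of different types (`int` and `uint8_t`), and their doc comments do not say that `identities[i]` pairs with `passwords[i]`, that the entries are expected to be NUL-terminated strings, or that the pointers must stay valid until the request has been processed. The consumer added in supp_api.c calls `os_strlen()` on these entries, so this contract matters to every caller of the API, not only the shell. I would document it on the fields, for example `/** User identities: NUL-terminated, identities[i] pairs with passwords[i]; nusers entries are valid */`, and give both counters the same unsigned type. The struct begins outside this hunk.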
+++ b/modules/hostap/CMakeLists.txt @@ -593,6 +593,73 @@ zephyr_library_sources_ifdef(CONFIG_WIFI_NM_WPA_SUPPLICANT_DPP ${HOSTAP_SRC_BASE}/tls/asn1.c ) +zephyr_library_sources_ifdef(CONFIG_WIFI_NM_HOSTAPD_CRYPTO_ENTERPRISE + ${HOSTAP_SRC_BASE}/eap_server/eap_server_tls_common.c +) + +zephyr_library_compile_definitions_ifdef(CONFIG_WIFI_NM_HOSTAPD_CRYPTO_ENTERPRISE + WIFI_NM_HOSTAPD_CRYPTO_ENTERPRISE + EAP_TLS_FUNCS + EAP_SERVER +) + +zephyr_library_sources_ifdef(CONFIG_EAP_SERVER_IDENTITY + ${HOSTAP_SRC_BASE}/eap_server/eap_server_identity.c +) + +zephyr_library_compile_definitions_ifdef(CONFIG_EAP_SERVER_IDENTITY + EAP_SERVER_IDENTITY +) + + +zephyr_library_sources_ifdef(CONFIG_EAP_SERVER_TLS + ${HOSTAP_SRC_BASE}/eap_server/eap_server_tls.c +) + +zephyr_library_compile_definitions_ifdef(CONFIG_EAP_SERVER_TLS + EAP_SERVER_TLS +) + +zephyr_library_sources_ifdef(CONFIG_EAP_SERVER_MD5 + ${HOSTAP_SRC_BASE}/eap_server/eap_server_md5.c +) + +zephyr_library_compile_definitions_ifdef(CONFIG_EAP_SERVER_MD5 + EAP_SERVER_MD5 +) + +zephyr_library_sources_ifdef(CONFIG_EAP_SERVER_MSCHAPV2 + ${HOSTAP_SRC_BASE}/eap_server/eap_server_mschapv2.c +) + +zephyr_library_compile_definitions_ifdef(CONFIG_EAP_SERVER_MSCHAPV2 + EAP_SERVER_MSCHAPV2 +) + +zephyr_library_sources_ifdef(CONFIG_EAP_SERVER_PEAP + ${HOSTAP_SRC_BASE}/eap_server/eap_server_peap.c +) + +zephyr_library_compile_definitions_ifdef(CONFIG_EAP_SERVER_PEAP + EAP_SERVER_PEAP +) + +zephyr_library_sources_ifdef(CONFIG_EAP_SERVER_GTC + ${HOSTAP_SRC_BASE}/eap_server/eap_server_gtc.c +) + +zephyr_library_compile_definitions_ifdef(CONFIG_EAP_SERVER_GTC + EAP_SERVER_GTC +) + +zephyr_library_sources_ifdef(CONFIG_EAP_SERVER_TTLS + ${HOSTAP_SRC_BASE}/eap_server/eap_server_ttls.c +) + +zephyr_library_compile_definitions_ifdef(CONFIGEAP_SERVER_TTLS + EAP_SERVER_TTLS +) + # crypto mbedtls related if(CONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO) zephyr_library_sources( 
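Review bot: The last added block tests `CONFIGEAP_SERVER_TTLS`, which is missing the underscore after `CONFIG`, so `EAP_SERVER_TTLS` is never defined even when `CONFIG_EAP_SERVER_TTLS=y` pulls in eap_server_ttls.c. The EAP-TTLS server source would then be compiled without its enabling definition, and the method is presumably not registered; the registration code is not visible here. The line should read `zephyr_library_compile_definitions_ifdef(CONFIG_EAP_SERVER_TTLS`.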
diff --git a/modules/hostap/Kconfig b/modules/hostap/Kconfig index 97a4c70ac71..4516fb88c9b 100644 --- a/modules/hostap/Kconfig +++ b/modules/hostap/Kconfig @@ -278,6 +278,35 @@ config WIFI_NM_HOSTAPD_AP bool "FullAP mode support based on Hostapd" depends on !WIFI_NM_WPA_SUPPLICANT_INF_MON +config WIFI_NM_HOSTAPD_CRYPTO_ENTERPRISE + bool "Hostapd crypto enterprise support" + +config EAP_SERVER_TLS + bool "EAP-TLS server support" + +config EAP_SERVER_IDENTITY + bool "EAP-IDENTITY server support" + +config EAP_SERVER_MD5 + bool "EAP-MD5 server support" + +config EAP_SERVER_MSCHAPV2 + bool "EAP-MSCHAPV2 server support" + +config EAP_SERVER_PEAP + bool "EAP-PEAP server support" + +config EAP_SERVER_GTC + bool "EAP-GTC server support" + +config EAP_SERVER_TTLS + bool "EAP-TTLS server support" + +config EAP_SERVER_ALL + bool "All EAP methods support" + select EAP_SERVER_TLS + default y if WIFI_NM_HOSTAPD_CRYPTO_ENTERPRISE + config WIFI_NM_WPA_SUPPLICANT_BSS_MAX_IDLE_TIME int "BSS max idle timeout in seconds" range 0 64000 diff --git a/modules/hostap/src/supp_api.c b/modules/hostap/src/supp_api.c index 52c51345b8f..55bcd864e2e 100644 --- a/modules/hostap/src/supp_api.c +++ b/modules/hostap/src/supp_api.c @@ -394,24 +394,6 @@ static inline enum wifi_security_type wpas_key_mgmt_to_zephyr(int key_mgmt, int } #ifdef CONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE -int supplicant_add_enterprise_creds(const struct device *dev, - struct wifi_enterprise_creds_params *creds) -{ - int ret = 0; - - if (!creds) { - ret = -1; - wpa_printf(MSG_ERROR, "enterprise creds is NULL"); - goto out; - } - - memcpy((void *)&enterprise_creds, (void *)creds, - sizeof(struct wifi_enterprise_creds_params)); - -out: - return ret; -} - static int wpas_config_process_blob(struct wpa_config *config, char *name, uint8_t *data, uint32_t data_len) { 
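Review bot: `EAP_SERVER_ALL` is titled "All EAP methods support" but selects only `EAP_SERVER_TLS`, so with `default y if WIFI_NM_HOSTAPD_CRYPTO_ENTERPRISE` an enterprise AP build enables EAP-TLS alone unless a board configuration sets the others, while the shell help added in this commit advertises PEAP and TTLS types. Either select the methods those security types need (`select EAP_SERVER_IDENTITY`, `select EAP_SERVER_PEAP`, `select EAP_SERVER_TTLS` and the inner methods) or rename the option to match what it does. I would keep `EAP_SERVER_MD5` out of any default set, since EAP-MD5 provides neither mutual authentication nor key derivation. Each new symbol would also benefit from `depends on WIFI_NM_HOSTAPD_CRYPTO_ENTERPRISE` and a short help text.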
@@ -446,6 +428,27 @@ static int wpas_config_process_blob(struct wpa_config *config, char *name, uint8 return 0; } +#endif + +#if defined CONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE || \ + defined CONFIG_WIFI_NM_HOSTAPD_CRYPTO_ENTERPRISE +int supplicant_add_enterprise_creds(const struct device *dev, + struct wifi_enterprise_creds_params *creds) +{ + int ret = 0; + + if (!creds) { + ret = -1; + wpa_printf(MSG_ERROR, "enterprise creds is NULL"); + goto out; + } + + memcpy((void *)&enterprise_creds, (void *)creds, + sizeof(struct wifi_enterprise_creds_params)); + +out: + return ret; +} static const struct wifi_cipher_desc ciphers[] = { {WPA_CAPA_ENC_GCMP_256, "GCMP-256"}, 
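Review bot: supplicant_add_enterprise_creds() copies the struct with `memcpy`, so the file-level `enterprise_creds` keeps the caller's pointers to the certificate and private-key buffers rather than its own copies, and after this move the function also serves the hostapd path. Nothing in the hunk documents that those buffers must outlive every later connect or AP-enable call, or that `dev` is unused. A comment above the function would cover it, e.g. `/* Shallow copy: creds->* buffers stay owned by the caller and must remain valid while enterprise mode is in use. */`. The `#if defined` region opened here closes outside the hunk.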
@@ -550,6 +553,276 @@ static int is_eap_valid_security(int security) } #endif +#ifdef CONFIG_WIFI_NM_HOSTAPD_CRYPTO_ENTERPRISE +static int hapd_process_cert_data(struct hostapd_bss_config *conf, + char *type, uint8_t *data, uint32_t data_len) +{ + if (os_strcmp(type, "ca_cert_blob") == 0) { + conf->ca_cert_blob = data; + conf->ca_cert_blob_len = data_len; + } else if (os_strcmp(type, "server_cert_blob") == 0) { + conf->server_cert_blob = data; + conf->server_cert_blob_len = data_len; + } else if (os_strcmp(type, "private_key_blob") == 0) { + conf->private_key_blob = data; + conf->private_key_blob_len = data_len; + } else if (os_strcmp(type, "dh_blob") == 0) { + conf->dh_blob = data; + conf->dh_blob_len = data_len; + } else { + wpa_printf(MSG_ERROR, "input type error"); + return -ENOTSUP; + } + + return 0; +} + +static int hapd_get_eap_config(struct wifi_connect_req_params *params, + struct wifi_eap_config *eap_cfg) +{ + unsigned int index = 0; + + for (index = 0; index < ARRAY_SIZE(eap_config); index++) { + if (params->security == eap_config[index].type) { + memcpy(eap_cfg, &eap_config[index], sizeof(struct wifi_eap_config)); + break; + } + } + + if (index == ARRAY_SIZE(eap_config)) { + wpa_printf(MSG_ERROR, "Get eap method type with security type: %d", + params->security); + return -ENOTSUP; + } + + return 0; +} + +static struct hostapd_eap_user *hostapd_process_eap_user_phase1( + struct wifi_connect_req_params *params, struct hostapd_eap_user **pnew_user) +{ + struct hostapd_eap_user *user = NULL, *tail = NULL, *new_user = NULL; + struct wifi_eap_config eap_cfg; + + user = os_zalloc(sizeof(*user)); + if (user == NULL) { + wpa_printf(MSG_ERROR, "EAP user allocation failed"); + goto failed; + } + + user->force_version = -1; + if (params->eap_ver >= 0) { + user->force_version = params->eap_ver; + } + + if (hapd_get_eap_config(params, &eap_cfg)) { + goto failed; + } + + user->methods[0].method = eap_cfg.eap_type_phase1; + user->methods[0].vendor = 0; + + if (tail == 
NULL) { + tail = new_user = user; + } else { + tail->next = user; + tail = user; + } + + *pnew_user = new_user; + + return tail; + +failed: + if (user) { + hostapd_config_free_eap_user(user); + } + + return NULL; +} + +static int hostapd_process_eap_user(struct wifi_connect_req_params *params, + struct hostapd_bss_config *conf) +{ + struct hostapd_eap_user *user = NULL, *tail = NULL, *user_list = NULL; + int i, nusers = params->nusers; + const char *identity, *password; + struct wifi_eap_config eap_cfg; + int ret = 0; + + if (hapd_get_eap_config(params, &eap_cfg)) { + goto failed; + } + + if (eap_cfg.phase2 != NULL) { + tail = hostapd_process_eap_user_phase1(params, &user_list); + } + + if (eap_cfg.phase2 != NULL && !nusers) { + wpa_printf(MSG_ERROR, "EAP users not found."); + goto failed; + } + + for (i = 0; i < nusers; i++) { + user = os_zalloc(sizeof(*user)); + if (user == NULL) { + wpa_printf(MSG_ERROR, "EAP user allocation failed"); + goto failed; + } + + user->force_version = -1; + if (params->eap_ver >= 0) { + user->force_version = params->eap_ver; + } + + identity = params->identities[i]; + password = params->passwords[i]; + + user->identity = os_memdup(identity, os_strlen(identity)); + if (user->identity == NULL) { + wpa_printf(MSG_ERROR, + "Failed to allocate " + "memory for EAP identity"); + goto failed; + } + user->identity_len = os_strlen(identity); + + user->methods[0].method = eap_cfg.eap_type_phase1; + user->methods[0].vendor = 0; + + if (eap_cfg.phase2 != NULL) { + user->methods[0].method = eap_cfg.eap_type_phase2; + user->password = os_memdup(password, os_strlen(password)); + if (user->password == NULL) { + wpa_printf(MSG_ERROR, + "Failed to allocate " + "memory for EAP password"); + goto failed; + } + user->password_len = os_strlen(password); + + user->phase2 = 1; + } + + if (params->security == WIFI_SECURITY_TYPE_EAP_TTLS_MSCHAPV2) { + user->ttls_auth |= 0x1E; + } + + if (tail == NULL) { + tail = user_list = user; + } else { + tail->next = user; 
+ tail = user; + } + + continue; + +failed: + if (user) { + hostapd_config_free_eap_user(user); + } + + ret = -1; + break; + } + + if (ret == 0) { + hostapd_config_free_eap_users(conf->eap_user); + conf->eap_user = user_list; + } else { + hostapd_config_free_eap_users(user_list); + } + + return ret; +} + +int hapd_process_enterprise_config(struct hostapd_iface *iface, + struct wifi_connect_req_params *params) +{ + struct wifi_eap_cipher_config cipher_config = { + NULL, "DEFAULT:!EXP:!LOW", "CCMP", "CCMP", "AES-128-CMAC", NULL}; + int ret = 0; + + if (process_cipher_config(params, &cipher_config)) { + goto out; + } + + if (!hostapd_cli_cmd_v("set wpa %d", WPA_PROTO_RSN)) { + goto out; + } + + if (!hostapd_cli_cmd_v("set wpa_key_mgmt %s", cipher_config.key_mgmt)) { + goto out; + } + + if (!hostapd_cli_cmd_v("set rsn_pairwise %s", cipher_config.pairwise_cipher)) { + goto out; + } + + if (!hostapd_cli_cmd_v("set wpa_pairwise %s", cipher_config.pairwise_cipher)) { + goto out; + } + + if (!hostapd_cli_cmd_v("set group_cipher %s", cipher_config.group_cipher)) { + goto out; + } + + if (!hostapd_cli_cmd_v("set group_mgmt_cipher %s", cipher_config.group_mgmt_cipher)) { + goto out; + } + + if (cipher_config.tls_flags != NULL) { + if (!hostapd_cli_cmd_v("set tls_flags %s", cipher_config.tls_flags)) { + goto out; + } + } + + if (!hostapd_cli_cmd_v("set ieee8021x %d", 1)) { + goto out; + } + + if (!hostapd_cli_cmd_v("set eapol_version %d", 2)) { + goto out; + } + + if (!hostapd_cli_cmd_v("set eap_server %d", 1)) { + goto out; + } + + if (hapd_process_cert_data(iface->bss[0]->conf, "ca_cert_blob", + enterprise_creds.ca_cert, enterprise_creds.ca_cert_len)) { + goto out; + } + + if (hapd_process_cert_data(iface->bss[0]->conf, "server_cert_blob", + enterprise_creds.server_cert, enterprise_creds.server_cert_len)) { + goto out; + } + + if (hapd_process_cert_data(iface->bss[0]->conf, "private_key_blob", + enterprise_creds.server_key, enterprise_creds.server_key_len)) { + goto out; + } 
+ + if (hapd_process_cert_data(iface->bss[0]->conf, "dh_blob", + enterprise_creds.dh_param, enterprise_creds.dh_param_len)) { + goto out; + } + + if (!hostapd_cli_cmd_v("set private_key_passwd %s", params->key_passwd)) { + goto out; + } + + if (hostapd_process_eap_user(params, iface->bss[0]->conf)) { + goto out; + } + + return ret; +out: + return -1; +} +#endif + static int wpas_add_and_config_network(struct wpa_supplicant *wpa_s, struct wifi_connect_req_params *params, bool mode_ap) @@ -1945,6 +2218,12 @@ int hapd_config_network(struct hostapd_iface *iface, if (!hostapd_cli_cmd_v("set dpp_configurator_connectivity 1")) { goto out; } +#ifdef CONFIG_WIFI_NM_HOSTAPD_CRYPTO_ENTERPRISE + } else if (is_eap_valid_security(params->security)) { + if (hapd_process_enterprise_config(iface, params)) { + goto out; + } +#endif } } else { if (!hostapd_cli_cmd_v("set wpa 0")) { @@ -1956,8 +2235,10 @@ int hapd_config_network(struct hostapd_iface *iface, if (!hostapd_cli_cmd_v("set ieee80211w %d", params->mfp)) { goto out; } -out: + return ret; +out: + return -1; } int supplicant_ap_config_params(const struct device *dev, struct wifi_ap_config_params *params) diff --git a/modules/hostap/src/supp_api.h b/modules/hostap/src/supp_api.h index b9ea808be0a..ab1e6c014eb 100644 --- a/modules/hostap/src/supp_api.h +++ b/modules/hostap/src/supp_api.h @@ -183,7 +183,8 @@ int supplicant_reg_domain(const struct device *dev, struct wifi_reg_domain *reg_ */ int supplicant_mode(const struct device *dev, struct wifi_mode_info *mode); -#ifdef CONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE +#if defined CONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE || \ + defined CONFIG_WIFI_NM_HOSTAPD_CRYPTO_ENTERPRISE /** Set Wi-Fi enterprise mode CA/client Cert and key * * @param dev Pointer to the device structure for the driver instance diff --git a/modules/hostap/src/supp_main.c b/modules/hostap/src/supp_main.c index 0e21f5aa81b..5ac54803469 100644 --- a/modules/hostap/src/supp_main.c 
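Review bot: hostapd_process_eap_user() reads `params->identities[i]` and `params->passwords[i]` for `i < params->nusers` without checking `nusers` against `WIFI_ENT_IDENTITY_MAX_USERS` or against `params->passwds`. A request with more identities than passwords therefore reaches `os_strlen(password)` with a NULL pointer in the phase-2 branch, and an oversized `nusers` from a caller other than the shell reads past both arrays; the `-I`/`-P` parsing hunks in wifi_shell.c bound each counter but never compare them. The return of hostapd_process_eap_user_phase1() is not checked either, so an allocation failure there is ignored and the list is built without the phase-1 entry. The excerpt below validates the counts and the phase-1 result before the loop. Separately, `set private_key_passwd %s` in hapd_process_enterprise_config() is formatted from `params->key_passwd`, which the help text describes as absent by default, so that command should be skipped when the pointer is NULL.

```c
	int i, nusers = params->nusers;
	/* … unchanged: remaining locals and the hapd_get_eap_config() lookup … */

	/* Reject counts that would index past identities[]/passwords[]. */
	if (nusers < 0 || nusers > WIFI_ENT_IDENTITY_MAX_USERS) {
		wpa_printf(MSG_ERROR, "Invalid EAP user count: %d", nusers);
		return -1;
	}

	/* Phase 2 dereferences passwords[i] for every identity. */
	if (eap_cfg.phase2 != NULL && params->passwds < nusers) {
		wpa_printf(MSG_ERROR, "EAP password missing for an identity");
		return -1;
	}

	if (eap_cfg.phase2 != NULL) {
		tail = hostapd_process_eap_user_phase1(params, &user_list);
		if (tail == NULL) {
			return -1;
		}
	}
	/* … unchanged: empty-list check, per-user loop, list swap … */
```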
+++ b/modules/hostap/src/supp_main.c @@ -111,6 +111,9 @@ static const struct wifi_mgmt_ops mgmt_ap_ops = { .dpp_dispatch = hapd_dpp_dispatch, #endif /* CONFIG_WIFI_NM_WPA_SUPPLICANT_DPP */ .ap_config_params = supplicant_ap_config_params, +#ifdef CONFIG_WIFI_NM_HOSTAPD_CRYPTO_ENTERPRISE + .enterprise_creds = supplicant_add_enterprise_creds, +#endif }; DEFINE_WIFI_NM_INSTANCE(hostapd, &mgmt_ap_ops); diff --git a/samples/net/wifi/shell/boards/frdm_rw612.conf b/samples/net/wifi/shell/boards/frdm_rw612.conf index d04dd9afb9d..8f40dd471fa 100644 --- a/samples/net/wifi/shell/boards/frdm_rw612.conf +++ b/samples/net/wifi/shell/boards/frdm_rw612.conf @@ -93,6 +93,7 @@ CONFIG_WIFI_NM_WPA_SUPPLICANT_WPS=y CONFIG_WIFI_NM_HOSTAPD_WPS=y CONFIG_WIFI_NM_WPA_SUPPLICANT_ROAMING=y CONFIG_WIFI_NM_WPA_SUPPLICANT_SKIP_DHCP_ON_ROAMING=y +CONFIG_WIFI_NM_HOSTAPD_CRYPTO_ENTERPRISE=y # Enable mbedtls CONFIG_MBEDTLS=y diff --git a/samples/net/wifi/shell/boards/rd_rw612_bga.conf b/samples/net/wifi/shell/boards/rd_rw612_bga.conf index 6adaf2e6bc3..da51250fc0c 100644 --- a/samples/net/wifi/shell/boards/rd_rw612_bga.conf +++ b/samples/net/wifi/shell/boards/rd_rw612_bga.conf @@ -92,6 +92,7 @@ CONFIG_WIFI_NM_WPA_SUPPLICANT_WPS=y CONFIG_WIFI_NM_HOSTAPD_WPS=y CONFIG_WIFI_NM_WPA_SUPPLICANT_ROAMING=y CONFIG_WIFI_NM_WPA_SUPPLICANT_SKIP_DHCP_ON_ROAMING=y +CONFIG_WIFI_NM_HOSTAPD_CRYPTO_ENTERPRISE=y # Enable mbedtls CONFIG_MBEDTLS=y diff --git a/subsys/net/l2/wifi/CMakeLists.txt b/subsys/net/l2/wifi/CMakeLists.txt index 38f75109454..04f03cb6b60 100644 --- a/subsys/net/l2/wifi/CMakeLists.txt +++ b/subsys/net/l2/wifi/CMakeLists.txt 
@@ -69,6 +69,17 @@ generate_inc_file_for_target( ${gen_dir}/ca2.pem.inc ) +generate_inc_file_for_target( + app + ${ZEPHYR_BASE}/samples/net/wifi/test_certs/server.pem + ${gen_dir}/server.pem.inc + ) + +generate_inc_file_for_target( + app + ${ZEPHYR_BASE}/samples/net/wifi/test_certs/server-key.pem + ${gen_dir}/server-key.pem.inc + ) # Add explicit dependency on app target for ZEPHYR_CURRENT_LIBRARY, so these # headers are generated at the correct point in the build add_dependencies(${ZEPHYR_CURRENT_LIBRARY} app) diff --git a/subsys/net/l2/wifi/Kconfig b/subsys/net/l2/wifi/Kconfig index 5bc04f4b258..78f98497c73 100644 --- a/subsys/net/l2/wifi/Kconfig +++ b/subsys/net/l2/wifi/Kconfig @@ -119,3 +119,9 @@ config WIFI_MGMT_AP_MAX_NUM_STA help Maximum number of stations allowed in station table. New stations will be rejected after the station table is full. + +config WIFI_ENT_IDENTITY_MAX_USERS + int "Maximum number of identity users allowed connection" + default 8 + help + This option defines the maximum number of identity users allowed connection. diff --git a/subsys/net/l2/wifi/wifi_shell.c b/subsys/net/l2/wifi/wifi_shell.c index b4169896211..fac7a354e86 100644 --- a/subsys/net/l2/wifi/wifi_shell.c +++ b/subsys/net/l2/wifi/wifi_shell.c @@ -56,6 +56,16 @@ static const char client_cert2_test[] = { static const char client_key2_test[] = { #include '\0'}; + +static const char server_cert_test[] = { + #include + '\0' +}; + +static const char server_key_test[] = { + #include + '\0' +}; #endif #define WIFI_SHELL_MODULE "wifi" @@ -104,7 +114,8 @@ struct wifi_ap_sta_node { static struct wifi_ap_sta_node sta_list[CONFIG_WIFI_SHELL_MAX_AP_STA]; -#ifdef CONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE +#if defined CONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE || \ + defined CONFIG_WIFI_NM_HOSTAPD_CRYPTO_ENTERPRISE static int cmd_wifi_set_enterprise_creds(const struct shell *sh, struct net_if *iface) { struct wifi_enterprise_creds_params params = {0}; 
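Review bot: These two targets embed `samples/net/wifi/test_certs/server.pem` and `server-key.pem` into the build, and wifi_shell.c then passes that key on as the AP's server credential. A private key that ships in a public sample tree gives stations no real server authentication, so an AP brought up this way should be treated as a test setup only. I would say so in a comment above the targets, e.g. `# Test-only server credential from the sample tree; replace before any real deployment`. Whether the surrounding block is already conditional on an enterprise option is not visible in this hunk; if it is not, generating these files only when `CONFIG_WIFI_NM_HOSTAPD_CRYPTO_ENTERPRISE` is set would keep the key out of other builds.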
@@ -121,6 +132,10 @@ static int cmd_wifi_set_enterprise_creds(const struct shell *sh, struct net_if * params.client_cert2_len = ARRAY_SIZE(client_cert2_test); params.client_key2 = (uint8_t *)client_key2_test; params.client_key2_len = ARRAY_SIZE(client_key2_test); + params.server_cert = (uint8_t *)server_cert_test; + params.server_cert_len = ARRAY_SIZE(server_cert_test); + params.server_key = (uint8_t *)server_key_test; + params.server_key_len = ARRAY_SIZE(server_key_test); if (net_mgmt(NET_REQUEST_WIFI_ENTERPRISE_CREDS, iface, ¶ms, sizeof(params))) { PR_WARNING("Set enterprise credentials failed\n"); @@ -755,8 +770,17 @@ static int __wifi_args_to_params(const struct shell *sh, size_t argc, char *argv } break; case 'I': + if (params->nusers >= WIFI_ENT_IDENTITY_MAX_USERS) { + PR_WARNING("too many eap identities (max %d identities)\n", + WIFI_ENT_IDENTITY_MAX_USERS); + return -EINVAL; + } + params->eap_identity = optarg; params->eap_id_length = strlen(params->eap_identity); + + params->identities[params->nusers] = optarg; + params->nusers++; if (params->eap_id_length > WIFI_ENT_IDENTITY_MAX_LEN) { PR_WARNING("eap identity too long (max %d characters)\n", WIFI_ENT_IDENTITY_MAX_LEN); @@ -764,8 +788,17 @@ static int __wifi_args_to_params(const struct shell *sh, size_t argc, char *argv } break; case 'P': + if (params->passwds >= WIFI_ENT_IDENTITY_MAX_USERS) { + PR_WARNING("too many eap passwds (max %d passwds)\n", + WIFI_ENT_IDENTITY_MAX_USERS); + return -EINVAL; + } + params->eap_password = optarg; params->eap_passwd_length = strlen(params->eap_password); + + params->passwords[params->passwds] = optarg; + params->passwds++; if (params->eap_passwd_length > WIFI_ENT_PSWD_MAX_LEN) { PR_WARNING("eap password length too long (max %d characters)\n", WIFI_ENT_PSWD_MAX_LEN); 
@@ -1667,6 +1700,18 @@ static int cmd_wifi_ap_enable(const struct shell *sh, size_t argc, return -ENOEXEC; } +#ifdef CONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE + /* Load the enterprise credentials if needed */ + if (cnx_params.security == WIFI_SECURITY_TYPE_EAP_TLS || + cnx_params.security == WIFI_SECURITY_TYPE_EAP_PEAP_MSCHAPV2 || + cnx_params.security == WIFI_SECURITY_TYPE_EAP_PEAP_GTC || + cnx_params.security == WIFI_SECURITY_TYPE_EAP_TTLS_MSCHAPV2 || + cnx_params.security == WIFI_SECURITY_TYPE_EAP_PEAP_TLS || + cnx_params.security == WIFI_SECURITY_TYPE_EAP_TLS_SHA256) { + cmd_wifi_set_enterprise_creds(sh, iface); + } +#endif + k_mutex_init(&wifi_ap_sta_list_lock); ret = net_mgmt(NET_REQUEST_WIFI_AP_ENABLE, iface, &cnx_params, 
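Review bot: The credential load added to cmd_wifi_ap_enable() is guarded by `CONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE`, but the AP path it serves is enabled by `CONFIG_WIFI_NM_HOSTAPD_CRYPTO_ENTERPRISE`. In a build with only the hostapd option the block compiles out, and hapd_process_enterprise_config() would then see an empty `enterprise_creds`. The guard should be `#ifdef CONFIG_WIFI_NM_HOSTAPD_CRYPTO_ENTERPRISE`. The return value of `cmd_wifi_set_enterprise_creds(sh, iface)` is also dropped, so AP enable proceeds after a failed load; returning `-ENOEXEC` on failure would match the error path just above. The function body continues outside the hunk.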
@@ -3085,14 +3130,23 @@ SHELL_STATIC_SUBCMD_SET_CREATE( "-c --channel=\n" "-p --passphrase= (valid only for secure SSIDs)\n" "-k --key-mgmt= (valid only for secure SSIDs)\n" - "0:None, 1:WPA2-PSK, 2:WPA2-PSK-256, 3:SAE, 4:WAPI, 5:EAP-TLS, 6:WEP\n" - "7: WPA-PSK, 11: DPP\n" + "0:None, 1:WPA2-PSK, 2:WPA2-PSK-256, 3:SAE-HNP, 4:SAE-H2E, 5:SAE-AUTO, 6:WAPI," + "7:EAP-TLS, 8:WEP, 9: WPA-PSK, 10: WPA-Auto-Personal, 11: DPP\n" + "12: EAP-PEAP-MSCHAPv2, 13: EAP-PEAP-GTC, 14: EAP-TTLS-MSCHAPv2,\n" + "15: EAP-PEAP-TLS, 16:EAP_TLS_SHA256\n" "-w --ieee-80211w= (optional: needs security type to be specified)\n" "0:Disable, 1:Optional, 2:Required\n" "-b --band= (2 -2.6GHz, 5 - 5Ghz, 6 - 6GHz)\n" "-m --bssid=\n" + "[-K, --key1-pwd for eap phase1 or --key2-pwd for eap phase2]:\n" + "Private key passwd for enterprise mode. Default no password for private key.\n" + "[-S, --suiteb-type]: 1:suiteb, 2:suiteb-192. Default 0: not suiteb mode.\n" + "[-V, --eap-version]: 0 or 1. Default 1: eap version 1.\n" + "[-I, --eap-id1...--eap-id8]: Client Identity. Default no eap identity.\n" + "[-P, --eap-pwd1...--eap-pwd8]: Client Password.\n" + "Default no password for eap user.\n" "-h --help (prints help)", - cmd_wifi_ap_enable, 2, 13), + cmd_wifi_ap_enable, 2, 45), SHELL_CMD_ARG(stations, NULL, "List stations connected to the AP", cmd_wifi_ap_stations, 1, 0), SHELL_CMD_ARG(disconnect, NULL, 
@@ -3281,7 +3335,8 @@ SHELL_SUBCMD_ADD((wifi), connect, &wifi_commands, "[-k, --key-mgmt]: Key Management type (valid only for secure SSIDs)\n" "0:None, 1:WPA2-PSK, 2:WPA2-PSK-256, 3:SAE-HNP, 4:SAE-H2E, 5:SAE-AUTO, 6:WAPI," "7:EAP-TLS, 8:WEP, 9: WPA-PSK, 10: WPA-Auto-Personal, 11: DPP\n" - "12: EAP-PEAP-MSCHAPv2, 13: EAP-PEAP-GTC, 14: EAP-TTLS-MSCHAPv2, 15: EAP-PEAP-TLS\n" + "12: EAP-PEAP-MSCHAPv2, 13: EAP-PEAP-GTC, 14: EAP-TTLS-MSCHAPv2,\n" + "15: EAP-PEAP-TLS, 16:EAP_TLS_SHA256\n" "[-w, --ieee-80211w]: MFP (optional: needs security type to be specified)\n" ": 0:Disable, 1:Optional, 2:Required.\n" "[-m, --bssid]: MAC address of the AP (BSSID).\n" diff --git a/west.yml b/west.yml index 94676fef423..1a1c8d28bdb 100644 --- a/west.yml +++ b/west.yml @@ -259,7 +259,7 @@ manifest: - hal - name: hostap path: modules/lib/hostap - revision: 0f7b166487b1ac08e1c6c492383f5c103320b2be + revision: 14f350c2ad022529720cbf04432a825c28b469ec - name: libmetal revision: a6851ba6dba8c9e87d00c42f171a822f7a29639b path: modules/hal/libmetal