Add guard of supplicant state condition.
Do not send neighbor request in auth procedures.
Add process for null pointer params.
Signed-off-by: Fengming Ye <frank.ye@nxp.com>
Add CONFIG_WIFI_NM_WPA_SUPPLICANT_DEBUG_SHOW_KEYS option to control
whether key material (passwords, encryption keys, etc.) is included
in debug output. This is equivalent to the -K command line flag in
wpa_supplicant.
The option:
- Defaults to disabled (n) for security reasons
- Includes clear warning about security risks
- Should only be enabled during development/debugging
- Provides compile-time control over key material logging
This allows developers to enable key material debugging when needed
while maintaining security by default.
Signed-off-by: Chaitanya Tata <Chaitanya.Tata@nordicsemi.no>
Refactor certificate processing code to eliminate duplication and
enable reuse across modules that require enterprise support.
Signed-off-by: Triveni Danda <triveni.danda@nordicsemi.no>
Ignore duplicate 11v and legacy roaming requests if roaming is in
progress. This fix can avoid multiple auth or reassociate, which are
triggered by duplicate roaming requests.
Signed-off-by: Hui Bai <hui.bai@nxp.com>
The Kconfig CONFIG_HS20 was undefined in zephyr hostap.
Need to add config for Hotspot 2.0 feature.
Signed-off-by: Kapil Bhatt <kapil.bhatt@nordicsemi.no>
When the external AP is in WPA3 SAE mode, the group cipher uses
TKIP and the pairwise cipher uses TKIP and CCMP. Should not
connect to the AP.
For WPA2 & WPA3 SAE & WPA2/WPA3 mixed mode, set group cipher to
CCMP, pairwise cipher to CCMP.
Signed-off-by: Gang Li <gang.li_1@nxp.com>
Ensure 'params' is not NULL before accessing its fields.
Prevents possible null pointer dereference when calling
strlen(params->ssid).
Delay access to ssid->ssid and ssid->ssid_len until after null check.
Prevents potential crash if wpa_s->current_ssid is NULL.
Signed-off-by: Gaetan Perrot <gaetan.perrot@spacecubics.com>
If the disconnect event is raised before the network has been connected,
report the connection result as `WIFI_STATUS_CONN_FAIL`, instead of as
`WIFI_REASON_DISCONN_SUCCESS`, which is interpreted as
`WIFI_STATUS_CONN_SUCCESS`.
Signed-off-by: Jordan Yates <jordan@embeint.com>
In case anyone enabled EAP_*_ALL explicitly without enabling the
Enterprise then it leads to a build error.
Fix by adding the dependency.
Signed-off-by: Chaitanya Tata <Chaitanya.Tata@nordicsemi.no>
[Description]
After starting a DPP soft ap, enter 'wifi ap status'.
Security is shown as 'UNKNOW'.
[Root Cause]
1. Start a DPP soft ap:
wifi ap enable -s xxx -c x -p xxx -k 11
The parameter '-k 11' corresponds to
zephyr security type 'WIFI_SECURITY_TYPE_DPP'.
2. hapd_config_network() will be called to config a
new hostap bss.
3. Field 'bss->wpa_key_mgmt' is set to
WPA_KEY_MGMT_PSK | WPA_KEY_MGMT_DPP.
4. When try to get security type of DPP soft ap,
there is no corresponding zephyr security type.
[Fix]
Add enhance code to convert the security type
to zephyr DPP security type.
Signed-off-by: Qiankun Li <qiankun.li@nxp.com>
Earlier we had socketpair to pass wifi event information from
wpa_supplicant side to zephyr adaption layer. This is now replaced
by k_fifo to save some RAM.
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
1. When external station connects to soft ap, zephyr
hostap will fill sta_info before sending mgmt event
to l2 wifi layer.
sta_info.twt_capable should be filled with external
station capability rather than soft ap self.
2. Rename hapd_is_twt_capable to
hapd_get_sta_he_twt_capable.
Try to get twt_capa from capability of external station
rather than soft ap.
Signed-off-by: Qiankun Li <qiankun.li@nxp.com>
Add a snippet for Wi-Fi credentials support. Update the heap sizes as
required for enterprise mode.
Signed-off-by: Ravi Dondaputi <ravi.dondaputi@nordicsemi.no>
Added kconfig for regulatory domain in hostapd. Default is set to
00 as World Wide mode.
Also added 3rd octet kconfig to set regulatory environment and set
it to 32 for all supported environments.
Signed-off-by: Abhinav Kulkarni <abhinav.kulkarni@nxp.com>
Instead of using 32 bit enum values for event numbers, convert
the code to use 64 bit long bit fields. This means that the
user API is changed to use 64 bit event values instead of 32
bit event values.
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
[Description]
After DUT connects to AP through DPP,
enter 'wifi status' to check connection status.
Security shows UNKNOWN.
[Analysis]
1. DUT supplicant will add a dpp network after
receiving GAS response.
Assign ssid->key_mgmt as WPA_KEY_MGMT_DPP.
2. Call wpas_key_mgmt_to_zephyr() to convert
hostapd/supplicant security type to zephyr
security type.
In this function, convert WPA_KEY_MGMT_DPP
to WIFI_SECURITY_TYPE_UNKNOWN.
[Fix]
1. Add code to convert WPA_KEY_MGMT_DPP
to WIFI_SECURITY_TYPE_DPP.
Signed-off-by: Qiankun Li <qiankun.li@nxp.com>
Add missing curly braces in if/while/for statements.
This is a style guideline we have that was not enforced in CI. All
issues fixed here were detected by sonarqube SCA.
Signed-off-by: Anas Nashif <anas.nashif@intel.com>
Turn the MBEDTLS_RSA_FULL selects into depends on.
This is how the other MBEDTLS_KEY_EXCHANGE_* Kconfig options are defined.
This is done to avoid circular dependencies.
At the same time update uses of the affected MBEDTLS_KEY_EXCHANGE_*
Kconfig options to enable/disable the dependencies which used to be
automatically handled.
Signed-off-by: Tomi Fontanilles <tomi.fontanilles@nordicsemi.no>
SoftAP operation needs around 5700 bytes of stack. With a
buffer of 100 bytes, set the supplicant stack size to 5800.
Signed-off-by: Ravi Dondaputi <ravi.dondaputi@nordicsemi.no>
Instead of hard coding some random value to layer code, use the
code that is registered in net_mgmt.h
This way it is easier to keep track of used layer codes in the
future, and we also allow out-of-tree components a way to avoid
allocating same layer code to in-tree-source code.
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
The _ is a reserved character in front of the symbols so remove
it from network management event macros. The remaining string
without the _ will identify the network API anyway so having
underscore there is not needed.
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
Background:
In DPP hostapd will put more than 1K bytes text in multiple
wpa_msg calls in one loop. This will drain hostapd monitor
socket pair and fail. Thus DPP connection will fail.
The monitor socket pair of wpa_supplicant and hostapd are not like
ctrl_iface socket pair, which are used for sending command to
hostap from other tasks. The monitor socket pair is used by wpa_msg
to send messages to attached ctrl_iface monitors. But in zephyr case,
the monitor is hostap task itself.
This means hostap task is both the sender and receiver task.
So it writes all the wpa_msg text into FIFO and read it in next loop.
So there is risk of draining socket pair FIFO and missing msg.
And the reading socket loop can be omitted by directly handling msg
in wpa_msg_cb.
Linux uses monitor socket pair because hostap is a process and wpa_msg
does cross-process communication.
But zephyr hostap is used as module in the same binary with
zephyr kernel.
So the usage is different and we don't need to use socket pair to
notify ctrl_iface monitors.
As long as we don't do time-consuming process in zephyr_wpa_msg_cb,
it won't affect hostap task.
So the zephyr_wpa_msg_cb will only filter and restore interesting logs,
or raise mgmt events to wifi l2 mgmt task.
Fix:
Remove socket send flow in wpa_msg.
Directly filter and handle text in zephyr_wpa_msg_cb,
coding in zephyr repo.
This will save 2K RAM in supplicant case and 4K RAM in
supplicant & hostapd coex case, in current default hostap
socket pair config.
And this will save max 50% loops of hostap task.
Signed-off-by: Fengming Ye <frank.ye@nxp.com>
Created new files and relocate hostapd support code in glue layer to new
files. The new files will be compiled only if hostapd support is enabled.
Signed-off-by: Hui Bai <hui.bai@nxp.com>
Increase stack size of supplicant thread to fix crash seen during
enterprise mode connection. Increase heap requirement of hostap
to handle TLS processing failures.
Signed-off-by: Ravi Dondaputi <ravi.dondaputi@nordicsemi.no>
The interface workq thread and supplicant handler thread
did not have names set to them. Set the names so that it is
easier to find them from "kernel thread stacks" list.
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
-Mbed TLS has come up with its own naming-convention with regards
to certain Mbed TLS configurations for TLS/DTLS and X.509. This
commit fixes a couple of them by depending on MBEDTLS_BUILTIN
which is set when Kconfig.tls-generic is used
1. Make MBEDTLS_PEM_CERTIFICATE_FORMAT depend on MBEDTLS_BUILTIN
The proper name for this functionality is MBEDTLS_PEM_PARSE_C and
MBEDTLS_PEM_WRITE_C
2. Make MBEDTLS_SERVER_NAME_INDICATION depend on MBEDTLS_BUILTIN
The proper name for this is MBEDTLS_SSL_SERVER_NAME_INDICATION
Signed-off-by: Frank Audun Kvamtrø <frank.kvamtro@nordicsemi.no>
-PSA_WANT_ALG_CMAC must be set for PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128
to be valid. This commit fixes this mismatch for hostap
Signed-off-by: Frank Audun Kvamtrø <frank.kvamtro@nordicsemi.no>
Remove `select FILE_SYSTEM` from `WIFI_NM_WPA_SUPPLICANT`, originally
added in 3fc932c5. The selection is not required by any tests, and does
not appear to be used by any code in the module.
Signed-off-by: Jordan Yates <jordan@embeint.com>
Enable MBEDTLS_SHA384 support for use of RSA3K + Suite-B, that
is required by WPA3-Enterprise.
Signed-off-by: Ravi Dondaputi <ravi.dondaputi@nordicsemi.no>
In case interface is UP, the interface is added to WPA supplicant in the
iface_wq itself and the max stack size is 4264, so, increase the stack
size of the iface_wq.
If the interface is added via net_mgmt thread then it works fine.
Signed-off-by: Chaitanya Tata <Chaitanya.Tata@nordicsemi.no>
Added new parameter "A" in wifi connect command to support
CA certificate used or CA certificate skipped for
EAP-TTLS-MSCHAPV2 and EAP-PEAP-MSCHAPV2.
Signed-off-by: Qingling Wu <qingling.wu@nxp.com>
During experiments it was observed that workqueue uses a maximum of
3872 bytes, so, with cushion added set it to 4096.
Signed-off-by: Chaitanya Tata <Chaitanya.Tata@nordicsemi.no>
When connecting to a WPA3 connection, the max stack size observed was
5456, fix the SoF by increasing by 200 bytes (cushion added).
Signed-off-by: Chaitanya Tata <Chaitanya.Tata@nordicsemi.no>
nRF boards have a ROM crunch esp. when combined with Matter/networking
features, as the advanced features are not essential for typical Wi-Fi
operation, disable them by default. Individual samples can choose to
enable it.
Signed-off-by: Chaitanya Tata <Chaitanya.Tata@nordicsemi.no>
Based on a few tests, it was observed that WPA supplicant's maximum usage
for connection and disconnection is 4360.
This would save ~4K which is huge as we have a crunch for RAM.
This was missed when hostap was upstreamed from NCS.
Signed-off-by: Chaitanya Tata <Chaitanya.Tata@nordicsemi.no>