From 4d178f664c7b1d5e39f343e54022e4a667cbc5f1 Mon Sep 17 00:00:00 2001
From: Li Long
Date: Tue, 22 Oct 2024 18:19:06 +0800
Subject: [PATCH] modules: hostap: add tls_cipher param

Add tls_cipher param for client WPA3 enterprise suiteb-192.
Add parameter "-T" to specify tls_cipher:
Specify "-T 1": client use ECC P384.
Specify "-T 2": client use RSA 3K.

Signed-off-by: Li Long
---
 include/zephyr/net/wifi.h | 9 +++++++++
 include/zephyr/net/wifi_mgmt.h | 2 ++
 modules/hostap/src/supp_api.c | 14 ++++++++++++++
 subsys/net/l2/wifi/wifi_shell.c | 7 ++++++-
 4 files changed, 31 insertions(+), 1 deletion(-)

diff --git a/include/zephyr/net/wifi.h b/include/zephyr/net/wifi.h
index ba57409baa56c6..e74a44cafd437a 100644
--- a/include/zephyr/net/wifi.h
+++ b/include/zephyr/net/wifi.h
@@ -118,6 +118,15 @@ enum wifi_suiteb_type {
 WIFI_SUITEB_192,
 };
 
+enum wifi_eap_tls_cipher_type {
+ /** EAP TLS with NONE */
+ WIFI_EAP_TLS_NONE,
+ /** EAP TLS with ECDH & ECDSA with p384 */
+ WIFI_EAP_TLS_ECC_P384,
+ /** EAP TLS with ECDH & RSA with > 3K */
+ WIFI_EAP_TLS_RSA_3K,
+};
+
 /** @brief Group cipher and pairwise cipher types. */
 enum wifi_cipher_type {
 /** AES in counter mode with CBC-MAC (CCMP-128). */
diff --git a/include/zephyr/net/wifi_mgmt.h b/include/zephyr/net/wifi_mgmt.h
index 5ea11ef0ffa3c3..d9d84303f32380 100644
--- a/include/zephyr/net/wifi_mgmt.h
+++ b/include/zephyr/net/wifi_mgmt.h
@@ -540,6 +540,8 @@ struct wifi_connect_req_params {
 uint8_t key2_passwd_length;
 /** suiteb or suiteb-192 */
 uint8_t suiteb_type;
+ /** TLS cipher */
+ uint8_t TLS_cipher;
 /** eap version */
 int eap_ver;
 /** Identity for EAP */
diff --git a/modules/hostap/src/supp_api.c b/modules/hostap/src/supp_api.c
index 952fb8a652cb4c..e94c0e6e3f35c9 100644
--- a/modules/hostap/src/supp_api.c
+++ b/modules/hostap/src/supp_api.c
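Review bot: The new `enum wifi_eap_tls_cipher_type` in the wifi.h hunk carries no Doxygen `@brief`, while the neighbouring `enum wifi_cipher_type` in the same hunk is introduced with `/** @brief Group cipher and pairwise cipher types. */`; add `/** @brief EAP-TLS cipher selection for WPA3-Enterprise Suite B 192-bit. */` above it so the type appears in the generated API reference. The `/** EAP TLS with NONE */` comment on the zero value would be more useful stating the effect, e.g. `/** No EAP-TLS cipher restriction requested (presumably the default when -T is not given) */`.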
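Review bot: The new member in the wifi_mgmt.h hunk is named `TLS_cipher`, which breaks the lowercase snake_case of every surrounding field of `struct wifi_connect_req_params` (`suiteb_type`, `eap_ver`, `key2_passwd_length`); `tls_cipher` would match, and the same capitalisation is carried into the `--TLS-cipher` long option in wifi_shell.c where all other long options are lowercase. The `/** TLS cipher */` comment should also say what the `uint8_t` holds and when it is read: `/** EAP-TLS cipher selection, one of enum wifi_eap_tls_cipher_type; only consulted when suiteb_type is WIFI_SUITEB_192 */`, which is the only use the supp_api.c hunk makes of it.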
@@ -1045,6 +1045,20 @@ static int wpas_add_and_config_network(struct wpa_supplicant *wpa_s,
 goto out;
 }
 
+ if (params->suiteb_type == WIFI_SUITEB_192) {
+ if (params->TLS_cipher == WIFI_EAP_TLS_ECC_P384) {
+ if (!wpa_cli_cmd_v("set_network %d openssl_ciphers \"%s\"",
+ resp.network_id,
+ cipher_config.openssl_ciphers))
+ goto out;
+ } else if (params->TLS_cipher == WIFI_EAP_TLS_RSA_3K) {
+ snprintf(phase1, sizeof(phase1), "tls_suiteb=1");
+ if (!wpa_cli_cmd_v("set_network %d phase1 \"%s\"",
+ resp.network_id, &phase1[0]))
+ goto out;
+ }
+ }
+
 if (!wpa_cli_cmd_v("set_network %d key_mgmt %s",
 resp.network_id, cipher_config.key_mgmt)) {
 goto out;
diff --git a/subsys/net/l2/wifi/wifi_shell.c b/subsys/net/l2/wifi/wifi_shell.c
index 207542e07796dd..f7d8d555987cb4 100644
--- a/subsys/net/l2/wifi/wifi_shell.c
+++ b/subsys/net/l2/wifi/wifi_shell.c
@@ -580,6 +580,7 @@ static int __wifi_args_to_params(const struct shell *sh, size_t argc, char *argv
 {"key1-pwd", required_argument, 0, 'K'},
 {"key2-pwd", required_argument, 0, 'K'},
 {"suiteb-type", required_argument, 0, 'S'},
+ {"TLS-cipher", required_argument, 0, 'T'},
 {"eap-version", required_argument, 0, 'V'},
 {"eap-id1", required_argument, 0, 'I'},
 {"eap-id2", required_argument, 0, 'I'},
@@ -626,7 +627,7 @@ static int __wifi_args_to_params(const struct shell *sh, size_t argc, char *argv
 params->ignore_broadcast_ssid = 0;
 params->bandwidth = WIFI_FREQ_BANDWIDTH_20MHZ;
 
- while ((opt = getopt_long(argc, argv, "s:p:k:e:w:b:c:m:t:a:B:K:S:V:I:P:i:Rh",
+ while ((opt = getopt_long(argc, argv, "s:p:k:e:w:b:c:m:t:a:B:K:S:T:V:I:P:i:Rh",
 long_options, &opt_index)) != -1) {
 state = getopt_state_get();
 switch (opt) {
@@ -785,6 +786,9 @@ static int __wifi_args_to_params(const struct shell *sh, size_t argc, char *argv
 case 'S':
 params->suiteb_type = atoi(state->optarg);
 break;
+ case 'T':
+ params->TLS_cipher = atoi(state->optarg);
+ break;
 case 'V':
 params->eap_ver = atoi(state->optarg);
 if (params->eap_ver != 0U && params->eap_ver != 1U) {
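Review bot: Inside the new `WIFI_SUITEB_192` block, a `TLS_cipher` value that is neither `WIFI_EAP_TLS_ECC_P384` nor `WIFI_EAP_TLS_RSA_3K` (the zero default, or any out-of-range number the shell's `atoi()` hands over) skips both the `openssl_ciphers` and the `tls_suiteb=1` setting without any diagnostic, so a mistyped `-T` proceeds to connect without the cipher restriction this block exists to apply. A trailing `} else { goto out; }` (setting whatever error the function's `out:` path reports, which is not visible in this hunk) or at least a log line would make the unsupported combination fail loudly instead. The `snprintf(phase1, sizeof(phase1), "tls_suiteb=1")` also discards anything `phase1` already holds; if earlier code in this function populates that buffer, the two phase1 settings must be concatenated rather than overwritten. Style: the three `goto out;` bodies are unbraced while the surrounding `if (!wpa_cli_cmd_v(...)) { goto out; }` lines in the same hunk brace theirs; keep the file's braced form. `wpas_add_and_config_network` begins and ends outside the hunk.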
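Review bot: In the `@@ -785` hunk, `case 'T'` stores `atoi(state->optarg)` straight into the `uint8_t` `TLS_cipher` with no validation, unlike the `case 'V'` directly below it, which range-checks `eap_ver`; negative or large inputs are truncated by the narrowing (e.g. `-T -1` becomes 255) and anything outside the enum is forwarded to supp_api.c, where unrecognised values are silently ignored. Parse into an `int` and reject out-of-range values the way the `-V` branch does: `int cipher = atoi(state->optarg);` / `if (cipher < WIFI_EAP_TLS_NONE || cipher > WIFI_EAP_TLS_RSA_3K) { /* report and fail as the -V branch does */ }` / `params->TLS_cipher = cipher;`. The `-V` branch's error reporting and the rest of `__wifi_args_to_params` lie outside the hunk. The `--TLS-cipher` entry in the `@@ -580` hunk and the added `T:` in the getopt string in the `@@ -626` hunk need no change beyond the naming point raised on the header.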
@@ -3406,6 +3410,7 @@ SHELL_SUBCMD_ADD((wifi), connect, NULL,
 "[-K, --key1-pwd for eap phase1 or --key2-pwd for eap phase2]:\n"
 "Private key passwd for enterprise mode. Default no password for private key.\n"
 "[-S, --suiteb-type]: 1:suiteb, 2:suiteb-192. Default 0: not suiteb mode.\n"
+ "[-T, --TLS-cipher]: 0:TLS-NONE, 1:TLS-ECC-P384, 2:TLS-RSA-3K.\n"
 "[-V, --eap-version]: 0 or 1. Default 1: eap version 1.\n"
 "[-I, --eap-id1]: Client Identity. Default no eap identity.\n"
 "[-P, --eap-pwd1]: Client Password.\n"
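Review bot: The added help line `"[-T, --TLS-cipher]: 0:TLS-NONE, 1:TLS-ECC-P384, 2:TLS-RSA-3K.\n"` does not tell the user that the option only takes effect together with `--suiteb-type 2`, which is the single place the supp_api.c change reads `TLS_cipher`, nor what the default is, while the neighbouring `-S` and `-V` lines both state theirs. Suggested wording, assuming an unset field reads as 0: `"[-T, --TLS-cipher]: 0:TLS-NONE, 1:TLS-ECC-P384, 2:TLS-RSA-3K. Default 0. Only used with --suiteb-type 2.\n"`. The `SHELL_SUBCMD_ADD` help string begins and ends outside the hunk.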