From 4777dfaa28084f65fbd0e1fcfd2745bce7b10f5e Mon Sep 17 00:00:00 2001
From: Maochen Wang <maochen.wang@nxp.com>
Date: Fri, 27 Dec 2024 15:38:46 +0800
Subject: [PATCH] net: l2: wifi: remove EAP TLS SHA256 security

Remove EAP TLS SHA256 security, as it was added to support the AKM
of 00-0F-AC:5 in RSN IE, but actually this AKM is used by WPA3
enterprise only mode.

Signed-off-by: Maochen Wang <maochen.wang@nxp.com>
---
 include/zephyr/net/wifi.h       |  2 --
 modules/hostap/src/supp_api.c   |  8 +-------
 subsys/net/l2/wifi/wifi_mgmt.c  |  2 --
 subsys/net/l2/wifi/wifi_shell.c | 10 ++++------
 4 files changed, 5 insertions(+), 17 deletions(-)

diff --git a/include/zephyr/net/wifi.h b/include/zephyr/net/wifi.h
index e74a44cafd4..dbe643c4d02 100644
--- a/include/zephyr/net/wifi.h
+++ b/include/zephyr/net/wifi.h
@@ -76,8 +76,6 @@ enum wifi_security_type {
 	WIFI_SECURITY_TYPE_EAP_TTLS_MSCHAPV2,
 	/** EAP PEAP security - Enterprise. */
 	WIFI_SECURITY_TYPE_EAP_PEAP_TLS,
-	/** EAP TLS SHA256 security - Enterprise. */
-	WIFI_SECURITY_TYPE_EAP_TLS_SHA256,
 	/** FT-PSK security */
 	WIFI_SECURITY_TYPE_FT_PSK,
 	/** FT-SAE security */
diff --git a/modules/hostap/src/supp_api.c b/modules/hostap/src/supp_api.c
index fe697204fa3..8be2b085bdd 100644
--- a/modules/hostap/src/supp_api.c
+++ b/modules/hostap/src/supp_api.c
@@ -481,7 +481,6 @@ static struct wifi_eap_config eap_config[] = {
 	 "auth=MSCHAPV2"},
 	{WIFI_SECURITY_TYPE_EAP_PEAP_TLS, WIFI_EAP_TYPE_PEAP, WIFI_EAP_TYPE_TLS, "PEAP",
 	 "auth=TLS"},
-	{WIFI_SECURITY_TYPE_EAP_TLS_SHA256, WIFI_EAP_TYPE_TLS, WIFI_EAP_TYPE_NONE, "TLS", NULL},
 };
 
 int process_cipher_config(struct wifi_connect_req_params *params,
@@ -517,10 +516,6 @@ int process_cipher_config(struct wifi_connect_req_params *params,
 		}
 	}
 
-	if (params->security == WIFI_SECURITY_TYPE_EAP_TLS_SHA256) {
-		cipher_config->key_mgmt = "WPA-EAP-SHA256";
-	}
-
 	for (index = 0; index < ARRAY_SIZE(ciphers); index++) {
 		if (cipher_capa == ciphers[index].capa) {
 			cipher_config->group_cipher = ciphers[index].name;
@@ -557,8 +552,7 @@ static int is_eap_valid_security(int security)
 		    security == WIFI_SECURITY_TYPE_EAP_PEAP_MSCHAPV2 ||
 		    security == WIFI_SECURITY_TYPE_EAP_PEAP_GTC ||
 		    security == WIFI_SECURITY_TYPE_EAP_TTLS_MSCHAPV2 ||
-		    security == WIFI_SECURITY_TYPE_EAP_PEAP_TLS ||
-		    security == WIFI_SECURITY_TYPE_EAP_TLS_SHA256);
+		    security == WIFI_SECURITY_TYPE_EAP_PEAP_TLS);
 }
 #endif
 
diff --git a/subsys/net/l2/wifi/wifi_mgmt.c b/subsys/net/l2/wifi/wifi_mgmt.c
index 8713d0bd7fb..0009467abe3 100644
--- a/subsys/net/l2/wifi/wifi_mgmt.c
+++ b/subsys/net/l2/wifi/wifi_mgmt.c
@@ -83,8 +83,6 @@ const char *wifi_security_txt(enum wifi_security_type security)
 		return "EAP-TTLS-MSCHAPV2";
 	case WIFI_SECURITY_TYPE_EAP_PEAP_TLS:
 		return "EAP-PEAP-TLS";
-	case WIFI_SECURITY_TYPE_EAP_TLS_SHA256:
-		return "EAP-TLS-SHA256";
 	case WIFI_SECURITY_TYPE_FT_PSK:
 		return "FT-PSK";
 	case WIFI_SECURITY_TYPE_FT_SAE:
diff --git a/subsys/net/l2/wifi/wifi_shell.c b/subsys/net/l2/wifi/wifi_shell.c
index ccdd2f5c7a9..79a8f88b353 100644
--- a/subsys/net/l2/wifi/wifi_shell.c
+++ b/subsys/net/l2/wifi/wifi_shell.c
@@ -915,8 +915,7 @@ static int cmd_wifi_connect(const struct shell *sh, size_t argc,
 	    cnx_params.security == WIFI_SECURITY_TYPE_EAP_PEAP_MSCHAPV2 ||
 	    cnx_params.security == WIFI_SECURITY_TYPE_EAP_PEAP_GTC ||
 	    cnx_params.security == WIFI_SECURITY_TYPE_EAP_TTLS_MSCHAPV2 ||
-	    cnx_params.security == WIFI_SECURITY_TYPE_EAP_PEAP_TLS ||
-	    cnx_params.security == WIFI_SECURITY_TYPE_EAP_TLS_SHA256) {
+	    cnx_params.security == WIFI_SECURITY_TYPE_EAP_PEAP_TLS) {
 		cmd_wifi_set_enterprise_creds(sh, iface);
 	}
 #endif
@@ -1924,8 +1923,7 @@ static int cmd_wifi_ap_enable(const struct shell *sh, size_t argc,
 	    cnx_params.security == WIFI_SECURITY_TYPE_EAP_PEAP_MSCHAPV2 ||
 	    cnx_params.security == WIFI_SECURITY_TYPE_EAP_PEAP_GTC ||
 	    cnx_params.security == WIFI_SECURITY_TYPE_EAP_TTLS_MSCHAPV2 ||
-	    cnx_params.security == WIFI_SECURITY_TYPE_EAP_PEAP_TLS ||
-	    cnx_params.security == WIFI_SECURITY_TYPE_EAP_TLS_SHA256) {
+	    cnx_params.security == WIFI_SECURITY_TYPE_EAP_PEAP_TLS) {
 		cmd_wifi_set_enterprise_creds(sh, iface);
 	}
 #endif
@@ -3407,7 +3405,7 @@ SHELL_STATIC_SUBCMD_SET_CREATE(
 		      "0:None, 1:WPA2-PSK, 2:WPA2-PSK-256, 3:SAE-HNP, 4:SAE-H2E, 5:SAE-AUTO, 6:WAPI,"
 		      "7:EAP-TLS, 8:WEP, 9: WPA-PSK, 10: WPA-Auto-Personal, 11: DPP\n"
 		      "12: EAP-PEAP-MSCHAPv2, 13: EAP-PEAP-GTC, 14: EAP-TTLS-MSCHAPv2,\n"
-		      "15: EAP-PEAP-TLS, 16:EAP_TLS_SHA256\n"
+		      "15: EAP-PEAP-TLS\n"
 		      "-w --ieee-80211w=<MFP> (optional: needs security type to be specified)\n"
 		      "0:Disable, 1:Optional, 2:Required\n"
 		      "-b --band=<band> (2 -2.6GHz, 5 - 5Ghz, 6 - 6GHz)\n"
@@ -3650,7 +3648,7 @@ SHELL_SUBCMD_ADD((wifi), connect, NULL,
 		  "0:None, 1:WPA2-PSK, 2:WPA2-PSK-256, 3:SAE-HNP, 4:SAE-H2E, 5:SAE-AUTO, 6:WAPI,"
 		  "7:EAP-TLS, 8:WEP, 9: WPA-PSK, 10: WPA-Auto-Personal, 11: DPP\n"
 		  "12: EAP-PEAP-MSCHAPv2, 13: EAP-PEAP-GTC, 14: EAP-TTLS-MSCHAPv2,\n"
-		  "15: EAP-PEAP-TLS, 16:EAP_TLS_SHA256\n"
+		  "15: EAP-PEAP-TLS\n"
 		  "[-w, --ieee-80211w]: MFP (optional: needs security type to be specified)\n"
 		  ": 0:Disable, 1:Optional, 2:Required.\n"
 		  "[-m, --bssid]: MAC address of the AP (BSSID).\n"