hostap: add WPA3 enterprise security type

Change Wi-Fi suiteb type into WPA3 enterprise security type, it includes suiteB, suiteB-192 and WPA3 enterprise only mode. Support setting WPA3 enterprise only mode, which should use cipher_config->key_mgmt as WPA-EAP-SHA256, and the AKM in RSN IE will show 00-0F-AC:5. Signed-off-by: Maochen Wang <maochen.wang@nxp.com>
2024-12-27 15:51:05 +08:00 · 2024-12-27 15:51:05 +08:00 · c1782420d5
commit c1782420d5
parent 4777dfaa28
4 changed files with 37 additions and 15 deletions
--- a/include/zephyr/net/wifi.h
+++ b/include/zephyr/net/wifi.h
@ -108,12 +108,26 @@ enum wifi_eap_type {
 	WIFI_EAP_TYPE_MSCHAPV2 = 26,
 };

-/** @brief Enterprise security WPA3 suiteb types. */
-enum wifi_suiteb_type {
-	/** suiteb. */
-	WIFI_SUITEB = 1,
-	/** suiteb-192. */
-	WIFI_SUITEB_192,
+/** @brief WPA3 Enterprise security types.
+ *
+ * See Section#3 in WFA WPA3 specification v3.4:
+ * https://www.wi-fi.org/file/wpa3-specification for details.
+ */
+enum wifi_wpa3_enterprise_type {
+	/** No WPA3 enterprise, either WPA2 Enterprise or personal mode */
+	WIFI_WPA3_ENTERPRISE_NA = 0,
+	/** WPA3 enterprise Suite-B (PMFR + WPA3-Suite-B). */
+	WIFI_WPA3_ENTERPRISE_SUITEB = 1,
+	/** WPA3 enterprise Suite-B-192 (PMFR + WPA3-Suite-B-192). */
+	WIFI_WPA3_ENTERPRISE_SUITEB_192,
+	/** WPA3 enterprise only (PMFR + WPA2-ENT disabled). */
+	WIFI_WPA3_ENTERPRISE_ONLY,
+
+	/** @cond INTERNAL_HIDDEN */
+	__WIFI_WPA3_ENTERPRISE_AFTER_LAST,
+	WIFI_WPA3_ENTERPRISE_MAX = __WIFI_WPA3_ENTERPRISE_AFTER_LAST - 1,
+	WIFI_WPA3_ENTERPRISE_UNKNOWN
+	/** @endcond */
 };

 enum wifi_eap_tls_cipher_type {
--- a/include/zephyr/net/wifi_mgmt.h
+++ b/include/zephyr/net/wifi_mgmt.h
@ -553,8 +553,8 @@ struct wifi_connect_req_params {
 	const uint8_t *key2_passwd;
 	/** key2 passwd length, max 128 */
 	uint8_t key2_passwd_length;
-	/** suiteb or suiteb-192 */
-	uint8_t suiteb_type;
+	/** wpa3 enterprise mode */
+	enum wifi_wpa3_enterprise_type wpa3_ent_mode;
 	/** TLS cipher */
 	uint8_t TLS_cipher;
 	/** eap version */
--- a/modules/hostap/src/supp_api.c
+++ b/modules/hostap/src/supp_api.c
@ -490,13 +490,13 @@ int process_cipher_config(struct wifi_connect_req_params *params,
 	unsigned int gropu_mgmt_cipher_capa;
 	unsigned int index;

-	if (params->suiteb_type == WIFI_SUITEB) {
+	if (params->wpa3_ent_mode == WIFI_WPA3_ENTERPRISE_SUITEB) {
 		cipher_capa = WPA_CAPA_ENC_GCMP;
 		gropu_mgmt_cipher_capa = WPA_CAPA_ENC_BIP_GMAC_128;
 		cipher_config->key_mgmt = "WPA-EAP-SUITE-B";
 		cipher_config->openssl_ciphers = "SUITEB128";
 		cipher_config->tls_flags = "[SUITEB]";
-	} else if (params->suiteb_type == WIFI_SUITEB_192) {
+	} else if (params->wpa3_ent_mode == WIFI_WPA3_ENTERPRISE_SUITEB_192) {
 		cipher_capa = WPA_CAPA_ENC_GCMP_256;
 		gropu_mgmt_cipher_capa = WPA_CAPA_ENC_BIP_GMAC_256;
 		if (params->ft_used) {
@ -506,6 +506,10 @@ int process_cipher_config(struct wifi_connect_req_params *params,
 		}
 		cipher_config->openssl_ciphers = "SUITEB192";
 		cipher_config->tls_flags = "[SUITEB]";
+	} else if (params->wpa3_ent_mode == WIFI_WPA3_ENTERPRISE_ONLY) {
+		cipher_capa = WPA_CAPA_ENC_CCMP;
+		gropu_mgmt_cipher_capa = WPA_CAPA_ENC_BIP;
+		cipher_config->key_mgmt = "WPA-EAP-SHA256";
 	} else {
 		cipher_capa = WPA_CAPA_ENC_CCMP;
 		gropu_mgmt_cipher_capa = WPA_CAPA_ENC_BIP;
@ -1062,7 +1066,7 @@ static int wpas_add_and_config_network(struct wpa_supplicant *wpa_s,
 				goto out;
 			}

-			if (params->suiteb_type == WIFI_SUITEB_192) {
+			if (params->wpa3_ent_mode == WIFI_WPA3_ENTERPRISE_SUITEB_192) {
 				if (params->TLS_cipher == WIFI_EAP_TLS_ECC_P384) {
 					if (!wpa_cli_cmd_v("set_network %d openssl_ciphers \"%s\"",
 							resp.network_id,
--- a/subsys/net/l2/wifi/wifi_shell.c
+++ b/subsys/net/l2/wifi/wifi_shell.c
@ -580,7 +580,7 @@ static int __wifi_args_to_params(const struct shell *sh, size_t argc, char *argv
 		{"bandwidth", required_argument, 0, 'B'},
 		{"key1-pwd", required_argument, 0, 'K'},
 		{"key2-pwd", required_argument, 0, 'K'},
-		{"suiteb-type", required_argument, 0, 'S'},
+		{"wpa3-enterprise", required_argument, 0, 'S'},
 		{"TLS-cipher", required_argument, 0, 'T'},
 		{"eap-version", required_argument, 0, 'V'},
 		{"eap-id1", required_argument, 0, 'I'},
@ -785,7 +785,7 @@ static int __wifi_args_to_params(const struct shell *sh, size_t argc, char *argv
 			key_passwd_cnt++;
 			break;
 		case 'S':
-			params->suiteb_type = atoi(state->optarg);
+			params->wpa3_ent_mode = atoi(state->optarg);
 			break;
 		case 'T':
 			params->TLS_cipher = atoi(state->optarg);
@ -3419,7 +3419,9 @@ SHELL_STATIC_SUBCMD_SET_CREATE(
 		      "[-B, --bandwidth=<bandwidth>]: 1:20MHz, 2:40MHz, 3:80MHz\n"
 		      "[-K, --key1-pwd for eap phase1 or --key2-pwd for eap phase2]:\n"
 		      "Private key passwd for enterprise mode. Default no password for private key.\n"
-		      "[-S, --suiteb-type]: 1:suiteb, 2:suiteb-192. Default 0: not suiteb mode.\n"
+		      "[-S, --wpa3-enterprise]: WPA3 enterprise mode:\n"
+		      "Default 0: Not WPA3 enterprise mode.\n"
+		      "1:Suite-b mode, 2:Suite-b-192-bit mode, 3:WPA3-enterprise-only mode.\n"
 		      "[-V, --eap-version]: 0 or 1. Default 1: eap version 1.\n"
 		      "[-I, --eap-id1...--eap-id8]: Client Identity. Default no eap identity.\n"
 		      "[-P, --eap-pwd1...--eap-pwd8]: Client Password.\n"
@ -3656,7 +3658,9 @@ SHELL_SUBCMD_ADD((wifi), connect, NULL,
 		  "[-a, --anon-id]: Anonymous identity for enterprise mode.\n"
 		  "[-K, --key1-pwd for eap phase1 or --key2-pwd for eap phase2]:\n"
 		  "Private key passwd for enterprise mode. Default no password for private key.\n"
-		  "[-S, --suiteb-type]: 1:suiteb, 2:suiteb-192. Default 0: not suiteb mode.\n"
+		  "[-S, --wpa3-enterprise]: WPA3 enterprise mode:\n"
+		  "Default 0: Not WPA3 enterprise mode.\n"
+		  "1:Suite-b mode, 2:Suite-b-192-bit mode, 3:WPA3-enterprise-only mode.\n"
 		  "[-T, --TLS-cipher]: 0:TLS-NONE, 1:TLS-ECC-P384, 2:TLS-RSA-3K.\n"
 		  "[-V, --eap-version]: 0 or 1. Default 1: eap version 1.\n"
 		  "[-I, --eap-id1]: Client Identity. Default no eap identity.\n"