diff --git a/doc/connectivity/networking/api/wifi.rst b/doc/connectivity/networking/api/wifi.rst
index 84c407cd4a8..1499f1c75ab 100644
--- a/doc/connectivity/networking/api/wifi.rst
+++ b/doc/connectivity/networking/api/wifi.rst
@@ -38,6 +38,9 @@ module.
 $ cp client.pem samples/net/wifi/test_certs/
 $ cp client-key.pem samples/net/wifi/test_certs/
 $ cp ca.pem samples/net/wifi/test_certs/
+ $ cp client2.pem samples/net/wifi/test_certs/
+ $ cp client-key2.pem samples/net/wifi/test_certs/
+ $ cp ca2.pem samples/net/wifi/test_certs/
 $ west build -p -b samples/net/wifi -- -DEXTRA_CONF_FILE=overlay-enterprise.conf
 For using variable size network buffer, the following overlay file can be used:
@@ -52,15 +55,11 @@ To initiate Wi-Fi connection, the following command can be used:
 .. code-block:: console
- uart:~$ wifi connect -s -k 7 -a anon -K whatever
+ uart:~$ wifi connect -s -c 149 -k 17 -w 2 -a client1 --key1-pwd whatever --key2-pwd whatever --eap-id1 id1 --eap-pwd1 pwd1
 Server certificate is also provided in the same directory for testing purposes. Any AAA server can be used for testing purposes, for example, ``FreeRADIUS`` or ``hostapd``.
-.. important::
-
- The passphrase for the :file:`client-key.pem`` and the :file:`server-key.pem` is ``whatever``.
-
 .. note::
 The certificates are for testing purposes only and should not be used in production.
diff --git a/include/zephyr/net/wifi.h b/include/zephyr/net/wifi.h
index 4612fe2b0b1..36a62f02cad 100644
--- a/include/zephyr/net/wifi.h
+++ b/include/zephyr/net/wifi.h
@@ -68,6 +68,16 @@ enum wifi_security_type {
 WIFI_SECURITY_TYPE_WPA_AUTO_PERSONAL,
 /** DPP security */
 WIFI_SECURITY_TYPE_DPP,
+ /** EAP PEAP MSCHAPV2 security - Enterprise. */
+ WIFI_SECURITY_TYPE_EAP_PEAP_MSCHAPV2,
+ /** EAP PEAP GTC security - Enterprise. */
+ WIFI_SECURITY_TYPE_EAP_PEAP_GTC,
+ /** EAP TTLS MSCHAPV2 security - Enterprise. */
+ WIFI_SECURITY_TYPE_EAP_TTLS_MSCHAPV2,
+ /** EAP PEAP security - Enterprise. */
+ WIFI_SECURITY_TYPE_EAP_PEAP_TLS,
+ /** EAP TLS SHA256 security - Enterprise. */
+ WIFI_SECURITY_TYPE_EAP_TLS_SHA256,
 /** @cond INTERNAL_HIDDEN */
 __WIFI_SECURITY_TYPE_AFTER_LAST,
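Review bot: The doc comment on `WIFI_SECURITY_TYPE_EAP_PEAP_TLS` reads "EAP PEAP security - Enterprise.", which does not distinguish it from the two other PEAP enumerators added just above it; it should read `/** EAP PEAP TLS security - Enterprise. */`. The five new enumerators land before `__WIFI_SECURITY_TYPE_AFTER_LAST` and so take the values after DPP, but no hunk on this page updates `wifi_security_txt()` (declared later in this header), so unless that mapping is table-driven elsewhere the new types will print without a user-friendly name; worth confirming.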
@@ -76,6 +86,91 @@ enum wifi_security_type {
 /** @endcond */
 };
+/** @brief EPA method Types. */
+enum wifi_eap_type {
+ /** No EPA security. */
+ WIFI_EAP_TYPE_NONE = 0,
+ /** EPA GTC security, refer to rfc3748 chapter 5. */
+ WIFI_EAP_TYPE_GTC = 6,
+ /** EPA TLS security, refer to rfc5216. */
+ WIFI_EAP_TYPE_TLS = 13,
+ /** EPA TTLS security, refer to rfc5281. */
+ WIFI_EAP_TYPE_TTLS = 21,
+ /** EPA PEAP security, refer to draft-josefsson-pppext-eap-tls-eap-06.txt. */
+ WIFI_EAP_TYPE_PEAP = 25,
+ /** EPA MSCHAPV2 security, refer to draft-kamath-pppext-eap-mschapv2-00.txt. */
+ WIFI_EAP_TYPE_MSCHAPV2 = 26,
+};
+
+/** @brief Enterprise security WPA3 suiteb types. */
+enum wifi_suiteb_type {
+ /** suiteb. */
+ WIFI_SUITEB = 1,
+ /** suiteb-192. */
+ WIFI_SUITEB_192,
+};
+
+/** @brief Group cipher and pairwise cipher types. */
+enum wifi_cipher_type {
+ /** AES in counter mode with CBC-MAC (CCMP-128). */
+ WPA_CAPA_ENC_CCMP,
+ /** 128-bit Galois/Counter Mode Protocol. */
+ WPA_CAPA_ENC_GCMP,
+ /** 256-bit Galois/Counter Mode Protocol. */
+ WPA_CAPA_ENC_GCMP_256,
+};
+
+/** @brief group mgmt cipher types. */
+enum wifi_group_mgmt_cipher_type {
+ /** 128-bit Broadcast/Multicast Integrity Protocol
+ * Cipher-based Message Authentication Code .
+ */
+ WPA_CAPA_ENC_BIP,
+ /** 128-bit Broadcast/Multicast Integrity Protocol
+ * Galois Message Authentication Code .
+ */
+ WPA_CAPA_ENC_BIP_GMAC_128,
+ /** 256-bit Broadcast/Multicast Integrity Protocol
+ * Galois Message Authentication Code .
+ */
+ WPA_CAPA_ENC_BIP_GMAC_256,
+};
+
+struct wifi_cipher_desc {
+ /** Cipher capability. */
+ unsigned int capa;
+ /** Cipher name string. */
+ char *name;
+};
+
+struct wifi_eap_cipher_config {
+ /** Key management type string. */
+ char *key_mgmt;
+ /** OpenSSL cipher string. */
+ char *openssl_ciphers;
+ /** Group cipher cipher string. */
+ char *group_cipher;
+ /** Pairwise_cipher cipher string. */
+ char *pairwise_cipher;
+ /** Group management cipher string. */
+ char *group_mgmt_cipher;
+ /** Used to confiure TLS features. */
+ char *tls_flags;
+};
+
+struct wifi_eap_config {
+ /** Security type. */
+ unsigned int type;
+ /** EPA method type of phase1. */
+ enum wifi_eap_type eap_type_phase1;
+ /** EPA method type of phase2. */
+ enum wifi_eap_type eap_type_phase2;
+ /** EPA method string. */
+ char *method;
+ /** Phase2 setting string. */
+ char *phase2;
+};
+
 /** Helper function to get user-friendly security type name. */
 const char *wifi_security_txt(enum wifi_security_type security);
diff --git a/include/zephyr/net/wifi_mgmt.h b/include/zephyr/net/wifi_mgmt.h
index c0c9643602a..c67cab30a0e 100644
--- a/include/zephyr/net/wifi_mgmt.h
+++ b/include/zephyr/net/wifi_mgmt.h
@@ -466,12 +466,28 @@ struct wifi_connect_req_params {
 int timeout;
 /** anonymous identity */
 const uint8_t *anon_id;
- /** anon_id length */
- uint8_t aid_length; /* Max 64 */
+ /** anon_id length, max 64 */
+ uint8_t aid_length;
 /** Private key passwd for enterprise mode */
 const uint8_t *key_passwd;
- /** Private key passwd length */
- uint8_t key_passwd_length; /* Max 128 */
+ /** Private key passwd length, max 128 */
+ uint8_t key_passwd_length;
+ /** private key2 passwd */
+ const uint8_t *key2_passwd;
+ /** key2 passwd length, max 128 */
+ uint8_t key2_passwd_length;
+ /** suiteb or suiteb-192 */
+ uint8_t suiteb_type;
+ /** eap version */
+ uint8_t eap_ver;
+ /** Identity for EAP */
+ const uint8_t *eap_identity;
+ /** eap identity length, max 64 */
+ uint8_t eap_id_length;
+ /** Password string for EAP. */
+ const uint8_t *eap_password;
+ /** eap passwd length, max 128 */
+ uint8_t eap_passwd_length;
 };
 /** @brief Wi-Fi connect result codes. To be overlaid on top of \ref wifi_status
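Review bot: The string members of `wifi_cipher_desc`, `wifi_eap_cipher_config` and `wifi_eap_config` are declared `char *` but the only initializers on this page are string literals in `static const` tables in supp_api.c, so they should be `const char *name;`, `const char *method;`, `const char *phase2;` and so on, otherwise the tables cannot be `const` without a cast and a callee could legally write into a literal. The doxygen text spells EAP as "EPA" in every comment of `enum wifi_eap_type` and `struct wifi_eap_config`, and "confiure" on `tls_flags` should be "configure". The `WPA_CAPA_ENC_*` enumerators are the only identifiers in this public header without the `WIFI_` prefix, and `WPA_` is the namespace hostap uses for its own capability constants; a prefix such as `WIFI_CIPHER_`/`WIFI_GROUP_MGMT_CIPHER_` would match the rest of the file and avoid a possible clash when both headers are included.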
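Review bot: `suiteb_type` is declared as a bare `uint8_t` although `enum wifi_suiteb_type` is introduced in wifi.h by the same commit; `enum wifi_suiteb_type suiteb_type;` would document the accepted values (the shell help text says 0 means "not suiteb", which the enum does not name either). The new `key2_passwd`, `eap_identity` and `eap_password` comments should say what a NULL pointer with length 0 means, since the supplicant side on this page only guards two of the three before formatting them into a command.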
@@ -711,6 +727,18 @@ struct wifi_enterprise_creds_params {
 uint8_t *client_key;
 /** Client key length */
 uint32_t client_key_len;
+ /** CA certification of phase2*/
+ uint8_t *ca_cert2;
+ /** Phase2 CA certification length */
+ uint32_t ca_cert2_len;
+ /** Client certification of phase2*/
+ uint8_t *client_cert2;
+ /** Phase2 Client certification length */
+ uint32_t client_cert2_len;
+ /** Client key of phase2*/
+ uint8_t *client_key2;
+ /** Phase2 Client key length */
+ uint32_t client_key2_len;
 };
 /** @brief Wi-Fi power save configuration */
diff --git a/modules/hostap/CMakeLists.txt b/modules/hostap/CMakeLists.txt
index 7512152eb14..8a89329b10c 100644
--- a/modules/hostap/CMakeLists.txt
+++ b/modules/hostap/CMakeLists.txt
@@ -46,6 +46,7 @@ zephyr_library_compile_definitions(
 CONFIG_SHA512
 CONFIG_CTRL_IFACE_ZEPHYR
 CONFIG_SUITEB192
+ CONFIG_SUITEB
 )
@@ -366,6 +367,14 @@ zephyr_library_compile_definitions_ifdef(CONFIG_EAP_MD5
 EAP_MD5
 )
+zephyr_library_sources_ifdef(CONFIG_EAP_GTC
+ ${HOSTAP_SRC_BASE}/eap_peer/eap_gtc.c
+)
+
+zephyr_library_compile_definitions_ifdef(CONFIG_EAP_GTC
+ EAP_GTC
+)
+
 zephyr_library_sources_ifdef(CONFIG_EAP_MSCHAPV2
 ${HOSTAP_SRC_BASE}/eap_peer/eap_mschapv2.c
 ${HOSTAP_SRC_BASE}/eap_peer/mschapv2.c
diff --git a/modules/hostap/Kconfig b/modules/hostap/Kconfig
index 01574cfc60c..09a43d7d07e 100644
--- a/modules/hostap/Kconfig
+++ b/modules/hostap/Kconfig
@@ -190,6 +190,9 @@ config EAP_PEAP
 config EAP_MD5
 bool "EAP-MD5 support"
+config EAP_GTC
+ bool "EAP-GTC support"
+
 config EAP_MSCHAPV2
 bool "EAP-MSCHAPv2 support"
@@ -466,6 +469,9 @@ config SHA512
 config SUITEB192
 bool
+config SUITEB
+ bool
+
 config WEP
 bool
 default y if WIFI_NM_WPA_SUPPLICANT_WEP
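Review bot: The new doxygen comments say "certification" where they mean "certificate" (`/** CA certificate of phase 2 */`, `/** Client certificate of phase 2 */`), and the closing `*/` is jammed against the text in three of them. More importantly the comments should state whether the phase-2 members are optional: the supp_api.c hunk on this page feeds `ca_cert2`/`client_cert2`/`client_key2` to `wpas_config_process_blob()` unconditionally for every EAP method, so a caller that only has phase-1 credentials needs to know whether NULL with length 0 is accepted.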
@@ -438,6 +438,100 @@ static int wpas_config_process_blob(struct wpa_config *config, char *name, uint8
 return 0;
 }
+
+static const struct wifi_cipher_desc ciphers[] = {
+ {WPA_CAPA_ENC_GCMP_256, "GCMP-256"},
+ {WPA_CAPA_ENC_CCMP, "CCMP"},
+ {WPA_CAPA_ENC_GCMP, "GCMP"},
+};
+
+static const struct wifi_cipher_desc ciphers_group_mgmt[] = {
+ {WPA_CAPA_ENC_BIP, "AES-128-CMAC"},
+ {WPA_CAPA_ENC_BIP_GMAC_128, "BIP-GMAC-128"},
+ {WPA_CAPA_ENC_BIP_GMAC_256, "BIP-GMAC-256"},
+};
+
+static struct wifi_eap_config eap_config[] = {
+ {WIFI_SECURITY_TYPE_EAP_TLS, WIFI_EAP_TYPE_TLS, WIFI_EAP_TYPE_NONE, "TLS", NULL},
+ {WIFI_SECURITY_TYPE_EAP_PEAP_MSCHAPV2, WIFI_EAP_TYPE_PEAP, WIFI_EAP_TYPE_MSCHAPV2, "PEAP",
+ "auth=MSCHAPV2"},
+ {WIFI_SECURITY_TYPE_EAP_PEAP_GTC, WIFI_EAP_TYPE_PEAP, WIFI_EAP_TYPE_GTC, "PEAP",
+ "auth=GTC"},
+ {WIFI_SECURITY_TYPE_EAP_TTLS_MSCHAPV2, WIFI_EAP_TYPE_TTLS, WIFI_EAP_TYPE_NONE, "TTLS",
+ "auth=MSCHAPV2"},
+ {WIFI_SECURITY_TYPE_EAP_PEAP_TLS, WIFI_EAP_TYPE_PEAP, WIFI_EAP_TYPE_TLS, "PEAP",
+ "auth=TLS"},
+ {WIFI_SECURITY_TYPE_EAP_TLS_SHA256, WIFI_EAP_TYPE_TLS, WIFI_EAP_TYPE_NONE, "TLS", NULL},
+};
+
+int process_cipher_config(struct wifi_connect_req_params *params,
+ struct wifi_eap_cipher_config *cipher_config)
+{
+ unsigned int cipher_capa;
+ unsigned int gropu_mgmt_cipher_capa;
+ unsigned int index;
+
+ if (params->suiteb_type == WIFI_SUITEB) {
+ cipher_capa = WPA_CAPA_ENC_GCMP;
+ gropu_mgmt_cipher_capa = WPA_CAPA_ENC_BIP_GMAC_128;
+ cipher_config->key_mgmt = "WPA-EAP-SUITE-B";
+ cipher_config->openssl_ciphers = "SUITEB128";
+ cipher_config->tls_flags = "[SUITEB]";
+ } else if (params->suiteb_type == WIFI_SUITEB_192) {
+ cipher_capa = WPA_CAPA_ENC_GCMP_256;
+ gropu_mgmt_cipher_capa = WPA_CAPA_ENC_BIP_GMAC_256;
+ cipher_config->key_mgmt = "WPA-EAP-SUITE-B-192";
+ cipher_config->openssl_ciphers = "SUITEB192";
+ cipher_config->tls_flags = "[SUITEB]";
+ } else {
+ cipher_capa = WPA_CAPA_ENC_CCMP;
+ gropu_mgmt_cipher_capa = WPA_CAPA_ENC_BIP;
+ cipher_config->key_mgmt = "WPA-EAP";
+ }
+
+ if (params->security == WIFI_SECURITY_TYPE_EAP_TLS_SHA256) {
+ cipher_config->key_mgmt = "WPA-EAP-SHA256";
+ }
+
+ for (index = 0; index < ARRAY_SIZE(ciphers); index++) {
+ if (cipher_capa == ciphers[index].capa) {
+ cipher_config->group_cipher = ciphers[index].name;
+ cipher_config->pairwise_cipher = ciphers[index].name;
+ break;
+ }
+ }
+
+ if (index == ARRAY_SIZE(ciphers)) {
+ wpa_printf(MSG_ERROR, "Get ciphers error");
+ goto out;
+ }
+
+ for (index = 0; index < ARRAY_SIZE(ciphers_group_mgmt); index++) {
+ if (gropu_mgmt_cipher_capa == ciphers_group_mgmt[index].capa) {
+ cipher_config->group_mgmt_cipher = ciphers_group_mgmt[index].name;
+ break;
+ }
+ }
+
+ if (index == ARRAY_SIZE(ciphers_group_mgmt)) {
+ wpa_printf(MSG_ERROR, "Get group mgmt ciphers error");
+ goto out;
+ }
+
+ return 0;
+out:
+ return -EINVAL;
+}
+
+static int is_eap_valid_security(int security)
+{
+ return (security == WIFI_SECURITY_TYPE_EAP_TLS ||
+ security == WIFI_SECURITY_TYPE_EAP_PEAP_MSCHAPV2 ||
+ security == WIFI_SECURITY_TYPE_EAP_PEAP_GTC ||
+ security == WIFI_SECURITY_TYPE_EAP_TTLS_MSCHAPV2 ||
+ security == WIFI_SECURITY_TYPE_EAP_PEAP_TLS ||
+ security == WIFI_SECURITY_TYPE_EAP_TLS_SHA256);
+}
 #endif
 static int wpas_add_and_config_network(struct wpa_supplicant *wpa_s,
@@ -451,6 +545,14 @@ static int wpas_add_and_config_network(struct wpa_supplicant *wpa_s,
 uint8_t ssid_null_terminated[WIFI_SSID_MAX_LEN + 1];
 uint8_t psk_null_terminated[WIFI_PSK_MAX_LEN + 1];
 uint8_t sae_null_terminated[WIFI_SAE_PSWD_MAX_LEN + 1];
+#ifdef CONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE
+ struct wifi_eap_cipher_config cipher_config = {NULL, "DEFAULT:!EXP:!LOW", "CCMP",
+ "CCMP", "AES-128-CMAC", NULL};
+ char *method;
+ char phase1[128] = {0};
+ char *phase2 = NULL;
+ unsigned int index;
+#endif
 if (!wpa_cli_cmd_v("remove_network all")) {
 goto out;
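Review bot: `process_cipher_config()` is defined with external linkage and no prototype is visible anywhere on this page, while its sibling `is_eap_valid_security()` is `static`; it should be `static int process_cipher_config(const struct wifi_connect_req_params *params, struct wifi_eap_cipher_config *cipher_config)`, which also documents that `params` is read-only here. `cipher_config->tls_flags` is set to `"[SUITEB]"` for both suiteb variants, but no hunk on this page ever passes `tls_flags` to the supplicant (the phase1 string built later only carries `peapver`/`peaplabel`/`crypto_binding`), so the SuiteB TLS restriction appears to be computed and then dropped; if that is intended the field should go, otherwise it needs to be appended to phase1. Likewise `eap_type_phase1`/`eap_type_phase2` in `eap_config[]` are never read in the visible code, and the TTLS-MSCHAPv2 entry lists phase 2 as `WIFI_EAP_TYPE_NONE` while its phase2 string is `"auth=MSCHAPV2"`. `eap_config[]` is only read, so it can be `static const` like the two cipher tables, and `gropu_mgmt_cipher_capa` is a typo for `group_mgmt_cipher_capa`.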
@@ -634,9 +736,47 @@ static int wpas_add_and_config_network(struct wpa_supplicant *wpa_s,
 goto out;
 }
 #ifdef CONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE
- } else if (params->security == WIFI_SECURITY_TYPE_EAP_TLS) {
- if (!wpa_cli_cmd_v("set_network %d key_mgmt WPA-EAP",
- resp.network_id)) {
+ } else if (is_eap_valid_security(params->security)) {
+ if (process_cipher_config(params, &cipher_config)) {
+ goto out;
+ }
+
+ for (index = 0; index < ARRAY_SIZE(eap_config); index++) {
+ if (params->security == eap_config[index].type) {
+ method = eap_config[index].method;
+ phase2 = eap_config[index].phase2;
+ break;
+ }
+ }
+
+ if (index == ARRAY_SIZE(eap_config)) {
+ wpa_printf(MSG_ERROR, "Get eap method error with security type: %d",
+ params->security);
+ goto out;
+ }
+
+ if (!wpa_cli_cmd_v("set_network %d key_mgmt %s", resp.network_id,
+ cipher_config.key_mgmt)) {
+ goto out;
+ }
+
+ if (!wpa_cli_cmd_v("set openssl_ciphers \"%s\"",
+ cipher_config.openssl_ciphers)) {
+ goto out;
+ }
+
+ if (!wpa_cli_cmd_v("set_network %d group %s", resp.network_id,
+ cipher_config.group_cipher)) {
+ goto out;
+ }
+
+ if (!wpa_cli_cmd_v("set_network %d pairwise %s", resp.network_id,
+ cipher_config.pairwise_cipher)) {
+ goto out;
+ }
+
+ if (!wpa_cli_cmd_v("set_network %d group_mgmt %s", resp.network_id,
+ cipher_config.group_mgmt_cipher)) {
 goto out;
 }
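Review bot: The linear search over `eap_config[]` re-derives the same membership that `is_eap_valid_security()` already decided two lines earlier, so the predicate and the table are two hand-maintained lists that must agree; the "Get eap method error" branch can only fire when they drift apart. Deriving the predicate from the table (a lookup helper that returns the entry or NULL, used both here and in place of `is_eap_valid_security`) removes the duplicate list. `set openssl_ciphers "%s"` is a global `set`, not `set_network`, so unless the supplicant resets it elsewhere the cipher string chosen for one network profile persists for later ones; if a per-network setting is available it would be the safer choice. `wpas_add_and_config_network()` begins and ends outside this hunk.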
@@ -645,11 +785,44 @@ static int wpas_add_and_config_network(struct wpa_supplicant *wpa_s,
 goto out;
 }
- if (!wpa_cli_cmd_v("set_network %d eap TLS",
- resp.network_id)) {
+ if (!wpa_cli_cmd_v("set_network %d eap %s", resp.network_id, method)) {
 goto out;
 }
+ if (params->security == WIFI_SECURITY_TYPE_EAP_PEAP_MSCHAPV2 ||
+ params->security == WIFI_SECURITY_TYPE_EAP_PEAP_GTC ||
+ params->security == WIFI_SECURITY_TYPE_EAP_PEAP_TLS) {
+ snprintk(phase1, sizeof(phase1),
+ "peapver=%d peaplabel=0 crypto_binding=0",
+ params->eap_ver);
+
+ if (!wpa_cli_cmd_v("set_network %d phase1 \"%s\"", resp.network_id,
+ &phase1[0])) {
+ goto out;
+ }
+ }
+
+ if (phase2 != NULL) {
+ if (!wpa_cli_cmd_v("set_network %d phase2 \"%s\"", resp.network_id,
+ phase2)) {
+ goto out;
+ }
+ }
+
+ if (params->eap_id_length > 0) {
+ if (!wpa_cli_cmd_v("set_network %d identity \"%s\"",
+ resp.network_id, params->eap_identity)) {
+ goto out;
+ }
+ }
+
+ if (params->eap_passwd_length > 0) {
+ if (!wpa_cli_cmd_v("set_network %d password \"%s\"",
+ resp.network_id, params->eap_password)) {
+ goto out;
+ }
+ }
+
 if (!wpa_cli_cmd_v("set_network %d anonymous_identity \"%s\"",
 resp.network_id, params->anon_id)) {
 goto out;
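Review bot: `params->eap_identity` and `params->eap_password` are formatted straight into a double-quoted control-interface command, and the shell hunk on this page stores `optarg` into them with only a length check, so a value containing a `"` terminates the quoted argument early and the remainder is parsed as part of the command; reject embedded `"`, backslash and control characters before this point (the same applies to the pre-existing `anon_id` and `key_passwd` lines). The phase1 string hard-codes `crypto_binding=0`, which turns PEAP cryptobinding off for every PEAP variant; hostap's own default is, as far as I recall, 1 (optional), so this silently weakens the default and at minimum deserves a comment, or a `crypto_binding=1` default with an opt-out. If `wpa_cli_cmd_v()` echoes its command at debug level, the EAP password will also appear in the log; the wrapper's body is not on this page, so please confirm. `wpas_add_and_config_network()` continues outside this hunk.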
@@ -692,6 +865,44 @@ static int wpas_add_and_config_network(struct wpa_supplicant *wpa_s,
 resp.network_id, params->key_passwd)) {
 goto out;
 }
+
+ if (wpas_config_process_blob(wpa_s->conf, "ca_cert2",
+ enterprise_creds.ca_cert2,
+ enterprise_creds.ca_cert2_len)) {
+ goto out;
+ }
+
+ if (!wpa_cli_cmd_v("set_network %d ca_cert2 \"blob://ca_cert2\"",
+ resp.network_id)) {
+ goto out;
+ }
+
+ if (wpas_config_process_blob(wpa_s->conf, "client_cert2",
+ enterprise_creds.client_cert2,
+ enterprise_creds.client_cert2_len)) {
+ goto out;
+ }
+
+ if (!wpa_cli_cmd_v("set_network %d client_cert2 \"blob://client_cert2\"",
+ resp.network_id)) {
+ goto out;
+ }
+
+ if (wpas_config_process_blob(wpa_s->conf, "private_key2",
+ enterprise_creds.client_key2,
+ enterprise_creds.client_key2_len)) {
+ goto out;
+ }
+
+ if (!wpa_cli_cmd_v("set_network %d private_key2 \"blob://private_key2\"",
+ resp.network_id)) {
+ goto out;
+ }
+
+ if (!wpa_cli_cmd_v("set_network %d private_key2_passwd \"%s\"",
+ resp.network_id, params->key2_passwd)) {
+ goto out;
+ }
 #endif
 } else {
 ret = -1;
diff --git a/modules/hostap/src/supp_main.h b/modules/hostap/src/supp_main.h
index 7137d281929..e80ced03431 100644
--- a/modules/hostap/src/supp_main.h
+++ b/modules/hostap/src/supp_main.h
@@ -15,7 +15,7 @@
 !defined(CONFIG_EAP_PSK) && !defined(CONFIG_EAP_PAX) && \
 !defined(CONFIG_EAP_SAKE) && !defined(CONFIG_EAP_GPSK) && \
 !defined(CONFIG_EAP_PWD) && !defined(CONFIG_EAP_EKE) && \
- !defined(CONFIG_EAP_IKEV2)
+ !defined(CONFIG_EAP_IKEV2 && !defined(CONFIG_EAP_GTC)
 #error "At least one of the following EAP methods need to be defined \
 CONFIG_EAP_TLS \
 CONFIG_EAP_TTLS \
@@ -32,6 +32,7 @@
 CONFIG_EAP_IKEV2 \
 CONFIG_EAP_SIM \
 CONFIG_EAP_AKA \
+ CONFIG_EAP_GTC \
 CONFIG_EAP_ALL "
 #endif /* EAP METHODS */
 #endif /* CONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE */
diff --git a/samples/net/wifi/boards/rd_rw612_bga.conf b/samples/net/wifi/boards/rd_rw612_bga.conf
index a916ff131ad..d6435e874b7 100644
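Review bot: `params->key2_passwd` is passed to `%s` with no guard; the shell help text on this page says the default is no password, so when `--key2-pwd` is not given the pointer is NULL and formatting it is undefined behaviour. Wrap the last command like the identity/password commands in the previous hunk: `if (params->key2_passwd_length > 0) { ... private_key2_passwd ... }` (the pre-existing `key_passwd` line at the top of this hunk has the same gap). The three phase-2 blobs are also loaded for methods that have no TLS phase 2 (EAP-TLS, PEAP-MSCHAPv2, PEAP-GTC, TTLS-MSCHAPv2); `wpas_config_process_blob()`'s body is above this page, so if it rejects a NULL or zero-length buffer, an application supplying only phase-1 credentials now fails for every EAP method, and gating these on `enterprise_creds.client_cert2_len > 0` (or on the method needing phase 2) would avoid that.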
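Review bot: The new `#if` line is syntactically broken: `!defined(CONFIG_EAP_IKEV2 && !defined(CONFIG_EAP_GTC)` puts the `&&` inside the parentheses of `defined`, which requires a single identifier, so the preprocessor rejects the directive whenever `CONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE` is on. It should read `!defined(CONFIG_EAP_IKEV2) && !defined(CONFIG_EAP_GTC)`.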
--- a/samples/net/wifi/boards/rd_rw612_bga.conf
+++ b/samples/net/wifi/boards/rd_rw612_bga.conf
@@ -28,6 +28,7 @@ CONFIG_ZVFS_OPEN_MAX=30
 CONFIG_SHELL_ARGC_MAX=48
 CONFIG_WIFI_SHELL_MAX_AP_STA=8
 CONFIG_WIFI_MGMT_AP_MAX_NUM_STA=8
+CONFIG_SHELL_CMD_BUFF_SIZE=512
 # net
 CONFIG_NET_L2_ETHERNET=y
diff --git a/subsys/net/l2/wifi/CMakeLists.txt b/subsys/net/l2/wifi/CMakeLists.txt
index 9f190dda307..eb22a54cf77 100644
--- a/subsys/net/l2/wifi/CMakeLists.txt
+++ b/subsys/net/l2/wifi/CMakeLists.txt
@@ -49,3 +49,21 @@ generate_inc_file_for_target(
 ${ZEPHYR_BASE}/samples/net/wifi/test_certs/ca.pem
 ${gen_dir}/ca.pem.inc
 )
+
+generate_inc_file_for_target(
+ app
+ ${ZEPHYR_BASE}/samples/net/wifi/test_certs/client2.pem
+ ${gen_dir}/client2.pem.inc
+ )
+
+generate_inc_file_for_target(
+ app
+ ${ZEPHYR_BASE}/samples/net/wifi/test_certs/client-key2.pem
+ ${gen_dir}/client-key2.pem.inc
+ )
+
+generate_inc_file_for_target(
+ app
+ ${ZEPHYR_BASE}/samples/net/wifi/test_certs/ca2.pem
+ ${gen_dir}/ca2.pem.inc
+ )
diff --git a/subsys/net/l2/wifi/wifi_shell.c b/subsys/net/l2/wifi/wifi_shell.c
index ac37a64a346..d422abb5024 100644
--- a/subsys/net/l2/wifi/wifi_shell.c
+++ b/subsys/net/l2/wifi/wifi_shell.c
@@ -44,6 +44,18 @@ static const char client_key_test[] = {
 #include
 '\0'
 };
+
+static const char ca_cert2_test[] = {
+ #include
+ '\0'};
+
+static const char client_cert2_test[] = {
+ #include
+ '\0'};
+
+static const char client_key2_test[] = {
+ #include
+ '\0'};
 #endif
 #define WIFI_SHELL_MODULE "wifi"
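Review bot: The three new arrays close with `'\0'};` on one line while the existing `client_key_test` directly above keeps `'\0'` and `};` on separate lines; matching the existing layout keeps the block uniform. The `#include` targets are not visible on this page (the angle-bracket file names appear to have been stripped in rendering), so I cannot confirm they reference the `*2.pem.inc` files the CMake hunk generates.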
@@ -103,6 +115,12 @@ static int cmd_wifi_set_enterprise_creds(const struct shell *sh, struct net_if *
 params.client_cert_len = ARRAY_SIZE(client_cert_test);
 params.client_key = (uint8_t *)client_key_test;
 params.client_key_len = ARRAY_SIZE(client_key_test);
+ params.ca_cert2 = (uint8_t *)ca_cert2_test;
+ params.ca_cert2_len = ARRAY_SIZE(ca_cert2_test);
+ params.client_cert2 = (uint8_t *)client_cert2_test;
+ params.client_cert2_len = ARRAY_SIZE(client_cert2_test);
+ params.client_key2 = (uint8_t *)client_key2_test;
+ params.client_key2_len = ARRAY_SIZE(client_key2_test);
 if (net_mgmt(NET_REQUEST_WIFI_ENTERPRISE_CREDS, iface, ¶ms, sizeof(params))) {
 PR_WARNING("Set enterprise credentials failed\n");
@@ -503,7 +521,26 @@ static int __wifi_args_to_params(const struct shell *sh, size_t argc, char *argv
 {"channel", required_argument, 0, 'c'},
 {"timeout", required_argument, 0, 't'},
 {"anon-id", required_argument, 0, 'a'},
- {"key-passwd", required_argument, 0, 'K'},
+ {"key1-pwd", required_argument, 0, 'K'},
+ {"key2-pwd", required_argument, 0, 'K'},
+ {"suiteb-type", required_argument, 0, 'S'},
+ {"eap-version", required_argument, 0, 'V'},
+ {"eap-id1", required_argument, 0, 'I'},
+ {"eap-id2", required_argument, 0, 'I'},
+ {"eap-id3", required_argument, 0, 'I'},
+ {"eap-id4", required_argument, 0, 'I'},
+ {"eap-id5", required_argument, 0, 'I'},
+ {"eap-id6", required_argument, 0, 'I'},
+ {"eap-id7", required_argument, 0, 'I'},
+ {"eap-id8", required_argument, 0, 'I'},
+ {"eap-pwd1", required_argument, 0, 'P'},
+ {"eap-pwd2", required_argument, 0, 'P'},
+ {"eap-pwd3", required_argument, 0, 'P'},
+ {"eap-pwd4", required_argument, 0, 'P'},
+ {"eap-pwd5", required_argument, 0, 'P'},
+ {"eap-pwd6", required_argument, 0, 'P'},
+ {"eap-pwd7", required_argument, 0, 'P'},
+ {"eap-pwd8", required_argument, 0, 'P'},
 {"help", no_argument, 0, 'h'},
 {0, 0, 0, 0}};
 char *endptr;
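Review bot: `--key1-pwd` and `--key2-pwd` both map to `'K'`, and the handler added later in this file assigns by arrival order, so `wifi connect ... --key2-pwd x` on its own stores x in `key_passwd` (phase 1), not `key2_passwd`; give `key2-pwd` its own short option or branch on `long_options[opt_index].name` instead of a counter. `--eap-id1` … `--eap-id8` and `--eap-pwd1` … `--eap-pwd8` all map to `'I'`/`'P'` while `wifi_connect_req_params` has a single `eap_identity`/`eap_password` slot, so only the last one given wins and the others are silently dropped; either drop the numbered variants or reject a second occurrence. The removed `--key-passwd` name is also a user-visible break for existing scripts that the commit message should call out.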
@@ -519,14 +556,16 @@ static int __wifi_args_to_params(const struct shell *sh, size_t argc, char *argv
 char bands_str[MAX_BANDS_STR_LEN] = {0};
 size_t offset = 0;
 long channel;
+ int key_passwd_cnt = 0;
 /* Defaults */
 params->band = WIFI_FREQ_BAND_UNKNOWN;
 params->channel = WIFI_CHANNEL_ANY;
 params->security = WIFI_SECURITY_TYPE_NONE;
 params->mfp = WIFI_MFP_OPTIONAL;
+ params->eap_ver = 1;
- while ((opt = getopt_long(argc, argv, "s:p:k:w:b:c:m:t:a:K:h",
+ while ((opt = getopt_long(argc, argv, "s:p:k:e:w:b:c:m:t:a:K:S:V:I:P:h",
 long_options, &opt_index)) != -1) {
 state = getopt_state_get();
 switch (opt) {
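Review bot: The new optstring adds `e:`, but no `long_options` entry maps to `'e'` and no `case 'e':` appears in any hunk on this page, so `-e <arg>` is accepted by getopt and then either falls to the switch's default branch or is handled in code outside this diff; if it is a leftover it should be removed, otherwise the help text needs a line for it. `params->eap_ver = 1;` deserves a short comment, e.g. `/* PEAP version 1 unless -V overrides it */`, since it is the only EAP field with a non-zero default.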
@@ -640,10 +679,54 @@ static int __wifi_args_to_params(const struct shell *sh, size_t argc, char *argv
 }
 break;
 case 'K':
- params->key_passwd = optarg;
- params->key_passwd_length = strlen(params->key_passwd);
- if (params->key_passwd_length > WIFI_ENT_PSWD_MAX_LEN) {
- PR_WARNING("key_passwd too long (max %d characters)\n",
+ if (key_passwd_cnt >= 2) {
+ PR_WARNING("too many key_passwd (max 2 key_passwd)\n");
+ return -EINVAL;
+ }
+
+ if (key_passwd_cnt == 0) {
+ params->key_passwd = optarg;
+ params->key_passwd_length = strlen(params->key_passwd);
+ if (params->key_passwd_length > WIFI_ENT_PSWD_MAX_LEN) {
+ PR_WARNING("key_passwd too long (max %d characters)\n",
+ WIFI_ENT_PSWD_MAX_LEN);
+ return -EINVAL;
+ }
+ } else if (key_passwd_cnt == 1) {
+ params->key2_passwd = optarg;
+ params->key2_passwd_length = strlen(params->key2_passwd);
+ if (params->key2_passwd_length > WIFI_ENT_PSWD_MAX_LEN) {
+ PR_WARNING("key2_passwd too long (max %d characters)\n",
+ WIFI_ENT_PSWD_MAX_LEN);
+ return -EINVAL;
+ }
+ }
+ key_passwd_cnt++;
+ break;
+ case 'S':
+ params->suiteb_type = atoi(optarg);
+ break;
+ case 'V':
+ params->eap_ver = atoi(optarg);
+ if (params->eap_ver != 0U && params->eap_ver != 1U) {
+ PR_WARNING("eap_ver error %d\n", params->eap_ver);
+ return -EINVAL;
+ }
+ break;
+ case 'I':
+ params->eap_identity = optarg;
+ params->eap_id_length = strlen(params->eap_identity);
+ if (params->eap_id_length > WIFI_ENT_IDENTITY_MAX_LEN) {
+ PR_WARNING("eap identity too long (max %d characters)\n",
+ WIFI_ENT_IDENTITY_MAX_LEN);
+ return -EINVAL;
+ }
+ break;
+ case 'P':
+ params->eap_password = optarg;
+ params->eap_passwd_length = strlen(params->eap_password);
+ if (params->eap_passwd_length > WIFI_ENT_PSWD_MAX_LEN) {
+ PR_WARNING("eap password length too long (max %d characters)\n",
 WIFI_ENT_PSWD_MAX_LEN);
 return -EINVAL;
 }
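Review bot: The length checks run after truncation: `key2_passwd_length`, `eap_id_length` and `eap_passwd_length` are `uint8_t` (see the wifi_mgmt.h hunk), so `strlen(optarg)` is reduced modulo 256 before the `> WIFI_ENT_*_MAX_LEN` comparison and, if the limits are below 256 as the "max 128"/"max 64" comments say, a 300-byte argument passes as 44 and a longer-than-advertised string reaches the supplicant command formatting. Compare before storing: `size_t len = strlen(optarg); if (len > WIFI_ENT_PSWD_MAX_LEN) { PR_WARNING(...); return -EINVAL; } params->key2_passwd_length = len;` and the same for the `'I'` and `'P'` cases (the pre-existing `key_passwd` branch has the same issue). `'V'` has a related hole: `atoi` into the `uint8_t` `eap_ver` wraps, so `-V -255` becomes 1 and passes the 0/1 check; parse into an `int` first and validate that. `'S'` stores `atoi(optarg)` with no validation at all although the help text only documents 0, 1 and 2, and `atoi` gives no error signal for non-numeric input; validate it the way `'V'` does.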
@@ -710,7 +793,12 @@ static int cmd_wifi_connect(const struct shell *sh, size_t argc,
 #ifdef CONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE
 /* Load the enterprise credentials if needed */
- if (cnx_params.security == WIFI_SECURITY_TYPE_EAP_TLS) {
+ if (cnx_params.security == WIFI_SECURITY_TYPE_EAP_TLS ||
+ cnx_params.security == WIFI_SECURITY_TYPE_EAP_PEAP_MSCHAPV2 ||
+ cnx_params.security == WIFI_SECURITY_TYPE_EAP_PEAP_GTC ||
+ cnx_params.security == WIFI_SECURITY_TYPE_EAP_TTLS_MSCHAPV2 ||
+ cnx_params.security == WIFI_SECURITY_TYPE_EAP_PEAP_TLS ||
+ cnx_params.security == WIFI_SECURITY_TYPE_EAP_TLS_SHA256) {
 cmd_wifi_set_enterprise_creds(sh, iface);
 }
 #endif
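Review bot: This six-way comparison is the same set that `is_eap_valid_security()` hard-codes in supp_api.c on this page, and both lists must be updated by hand whenever an enterprise type is added to `enum wifi_security_type`. A single `static inline bool wifi_security_is_enterprise(enum wifi_security_type t)` in wifi.h, used from both places, keeps them in sync. The return value of `cmd_wifi_set_enterprise_creds()` is still discarded here, so a failed credential load proceeds to the connect request; `cmd_wifi_connect()` begins and ends outside this hunk.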
@@ -2997,16 +3085,23 @@ SHELL_SUBCMD_ADD((wifi), connect, &wifi_commands,
 "[-p, --psk]: Passphrase (valid only for secure SSIDs)\n"
 "[-k, --key-mgmt]: Key Management type (valid only for secure SSIDs)\n"
 "0:None, 1:WPA2-PSK, 2:WPA2-PSK-256, 3:SAE-HNP, 4:SAE-H2E, 5:SAE-AUTO, 6:WAPI,"
- " 7:EAP-TLS, 8:WEP, 9: WPA-PSK, 10: WPA-Auto-Personal, 11: DPP\n"
+ "7:EAP-TLS, 8:WEP, 9: WPA-PSK, 10: WPA-Auto-Personal, 11: DPP\n"
+ "12: EAP-PEAP-MSCHAPv2, 13: EAP-PEAP-GTC, 14: EAP-TTLS-MSCHAPv2, 15: EAP-PEAP-TLS\n"
 "[-w, --ieee-80211w]: MFP (optional: needs security type to be specified)\n"
 ": 0:Disable, 1:Optional, 2:Required.\n"
 "[-m, --bssid]: MAC address of the AP (BSSID).\n"
 "[-t, --timeout]: Timeout for the connection attempt (in seconds).\n"
 "[-a, --anon-id]: Anonymous identity for enterprise mode.\n"
- "[-K, --key-passwd]: Private key passwd for enterprise mode.\n"
+ "[-K, --key1-pwd for eap phase1 or --key2-pwd for eap phase2]:\n"
+ "Private key passwd for enterprise mode. Default no password for private key.\n"
+ "[-S, --suiteb-type]: 1:suiteb, 2:suiteb-192. Default 0: not suiteb mode.\n"
+ "[-V, --eap-version]: 0 or 1. Default 1: eap version 1.\n"
+ "[-I, --eap-id1]: Client Identity. Default no eap identity.\n"
+ "[-P, --eap-pwd1]: Client Password.\n"
+ "Default no password for eap user.\n"
 "[-h, --help]: Print out the help for the connect command.\n",
 cmd_wifi_connect,
- 2, 19);
+ 2, 19);
 SHELL_SUBCMD_ADD((wifi), disconnect, &wifi_commands,
 "Disconnect from the Wi-Fi AP.\n",
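Review bot: The key-mgmt list stops at 15 although the wifi.h hunk adds `WIFI_SECURITY_TYPE_EAP_TLS_SHA256` immediately after `EAP_PEAP_TLS`, so the sixth new value is undocumented; append `, 16: EAP-TLS-SHA256` to the new line. Dropping the leading space from the replaced literal makes the concatenated text read `6:WAPI,7:EAP-TLS`, so either keep the space or put it after the comma on the previous line. The help only mentions `--eap-id1` and `--eap-pwd1` while the option table accepts `1` to `8`, and the new `-e` in the optstring has no help line at all. The documentation hunk at the top of this page uses `-k 17` in its example, which does not match any value in this list as far as the page shows; worth double-checking the example against the enum.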