From afe564b04a20cea7836ed4506a11858e5a45f788 Mon Sep 17 00:00:00 2001
From: Hui Bai
Date: Mon, 11 Aug 2025 10:27:15 +0800
Subject: [PATCH 01/10] [nrf fromtree] samples: net: wifi: Add TLSv1.3 support in wifi example
Add TLSv1.3 support in wifi example for RW612 and IW610.
Signed-off-by: Hui Bai
(cherry picked from commit af9f889135ddb9ac4e9828531c189f83ac1cec9c)
---
modules/hostap/CMakeLists.txt | 4 ++++
modules/hostap/Kconfig | 8 ++++++++
west.yml | 2 +-
3 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/modules/hostap/CMakeLists.txt b/modules/hostap/CMakeLists.txt
index 5c750f545d2e..f3233bb2cfbb 100644
--- a/modules/hostap/CMakeLists.txt
+++ b/modules/hostap/CMakeLists.txt
@@ -572,6 +572,10 @@ zephyr_library_compile_definitions_ifdef(CONFIG_EAP_FAST
 EAP_FAST
 )
 
+zephyr_library_compile_definitions_ifdef(CONFIG_EAP_TLSV1_3
+ EAP_TLSV1_3
+)
+
 zephyr_library_sources_ifdef(CONFIG_WIFI_NM_WPA_SUPPLICANT_EAPOL
 ${HOSTAP_SRC_BASE}/eapol_supp/eapol_supp_sm.c
 ${HOSTAP_SRC_BASE}/eap_peer/eap.c
diff --git a/modules/hostap/Kconfig b/modules/hostap/Kconfig
index 1aa21670bb71..7799239a2840 100644
--- a/modules/hostap/Kconfig
+++ b/modules/hostap/Kconfig
@@ -299,6 +299,14 @@ config EAP_ALL
 select EAP_TTLS
 select EAP_MSCHAPV2
 default y
+
+config EAP_TLSV1_3
+ bool "EAP TLSv1.3 support"
+ select MBEDTLS_TLS_VERSION_1_3
+ select MBEDTLS_TLS_SESSION_TICKETS
+ select MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
+ select MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+ select MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
 endif # WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE
 
 config WIFI_NM_WPA_SUPPLICANT_WPA3
diff --git a/west.yml b/west.yml
index 1bff38e1c7b8..88b61440d420 100644
--- a/west.yml
+++ b/west.yml
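Review bot: The new `EAP_TLSV1_3` symbol in the Kconfig hunk has no `help` text, so anyone enabling it sees only the prompt and five mbedTLS `select`s with no statement of what the option is for. Zephyr Kconfig symbols normally carry a help block; add one after the last `select`, along the lines of `help` followed by `Enable TLS 1.3 for EAP peer authentication in the WPA supplicant. Selects TLS 1.3, session tickets and the PSK, ephemeral and PSK-ephemeral key-exchange modes in mbedTLS.` The hunk counts also suggest the last `select` line is immediately followed by `endif` with no separating blank line, which differs from the spacing of the surrounding symbols. The commit subject says "samples: net: wifi", but every file in the diffstat is under modules/hostap or the manifest, so the subject should probably name the hostap module instead.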
@@ -281,7 +281,7 @@ manifest:
 - hal
 - name: hostap
 path: modules/lib/hostap
- revision: 5abcff1c0ecff65f0f81e0cc086b7f766e5101bf
+ revision: f707b19c1733ebe401a50450494e5ebdd2e71b5f
 - name: liblc3
 revision: 48bbd3eacd36e99a57317a0a4867002e0b09e183
 path: modules/lib/liblc3
From cbc0d54169bc160660d3672ab730d8ca33a5c1ea Mon Sep 17 00:00:00 2001
From: Chaitanya Tata
Date: Mon, 15 Sep 2025 20:21:37 +0530
Subject: [PATCH 02/10] [nrf fromtree] manifest: hostap: Pull hostap changes required for multiple VIF
This commit links the hostap PR required for the nrf7002 driver. west.yml is updated
Signed-off-by: Hanan Arshad
Signed-off-by: Chaitanya Tata
(cherry picked from commit 58e7dba8bcb627909cc4236be923c5be698edc33)
---
west.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/west.yml b/west.yml
index 88b61440d420..4b5a35fc3ea5 100644
--- a/west.yml
+++ b/west.yml
@@ -281,7 +281,7 @@ manifest:
 - hal
 - name: hostap
 path: modules/lib/hostap
- revision: f707b19c1733ebe401a50450494e5ebdd2e71b5f
+ revision: 0798bf0faff40919bd577f1c8f75a2f9baae6299
 - name: liblc3
 revision: 48bbd3eacd36e99a57317a0a4867002e0b09e183
 path: modules/lib/liblc3
From 5104a85476e5d034a9e6f881055708571526bfdd Mon Sep 17 00:00:00 2001
From: Chaitanya Tata
Date: Mon, 15 Sep 2025 20:21:38 +0530
Subject: [PATCH 03/10] [nrf fromtree] modules: hostap: Update WPA supplicant to use per-VIF control channel
Update WPA supplicant functions to pass the control channel (socket) as a parameter instead of relying on a global socket. This change aligns with the PR 80 modifications in hostap repo and ensures that each Virtual Interface (VIF) uses its dedicated control channel for communication.
Signed-off-by: Hanan Arshad
Signed-off-by: Chaitanya Tata
(cherry picked from commit 53a885a696e22bf0a78b727709ea401e42f045af)
---
modules/hostap/src/supp_api.c | 38 +++++++++++++++++-----------------
modules/hostap/src/supp_main.h | 2 --
modules/hostap/src/wpa_cli.c | 21 ++++++++++++++++++-
3 files changed, 39 insertions(+), 22 deletions(-)
diff --git a/modules/hostap/src/supp_api.c b/modules/hostap/src/supp_api.c
index 8ae45d6db2af..7f9993bed2dc 100644
--- a/modules/hostap/src/supp_api.c
+++ b/modules/hostap/src/supp_api.c
@@ -80,20 +80,19 @@ static void supp_shell_connect_status(struct k_work *work);
 static K_WORK_DELAYABLE_DEFINE(wpa_supp_status_work, supp_shell_connect_status);
 
-#define wpa_cli_cmd_v(cmd, ...) ({ \
- bool status; \
- \
- if (zephyr_wpa_cli_cmd_v(cmd, ##__VA_ARGS__) < 0) { \
- wpa_printf(MSG_ERROR, \
- "Failed to execute wpa_cli command: %s", \
- cmd); \
- status = false; \
- } else { \
- status = true; \
- } \
- \
- status; \
-})
+#define wpa_cli_cmd_v(cmd, ...) \
+ ({ \
+ bool status; \
+ \
+ if (zephyr_wpa_cli_cmd_v(wpa_s->ctrl_conn, cmd, ##__VA_ARGS__) < 0) { \
+ wpa_printf(MSG_ERROR, "Failed to execute wpa_cli command: %s", cmd); \
+ status = false; \
+ } else { \
+ status = true; \
+ } \
+ \
+ status; \
+ })
 
 static struct wpa_supplicant *get_wpa_s_handle(const struct device *dev)
 {
@@ -626,7 +625,7 @@ static int wpas_add_and_config_network(struct wpa_supplicant *wpa_s,
 goto out;
 }
 
- ret = z_wpa_ctrl_add_network(&resp);
+ ret = z_wpa_ctrl_add_network(wpa_s->ctrl_conn, &resp);
 if (ret) {
 wpa_printf(MSG_ERROR, "Failed to add network");
 goto out;
@@ -1365,7 +1364,7 @@ int supplicant_status(const struct device *dev, struct wifi_iface_status *status
 status->channel = channel;
 
 if (ssid_len == 0) {
- int _res = z_wpa_ctrl_status(&cli_status);
+ int _res = z_wpa_ctrl_status(wpa_s->ctrl_conn, &cli_status);
 
 if (_res < 0) {
 ssid_len = 0;
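Review bot: The rewritten `wpa_cli_cmd_v()` macro now dereferences `wpa_s->ctrl_conn`, but `wpa_s` is neither a macro parameter nor named anywhere in the definition, so the macro only compiles where the expanding function happens to have a local called `wpa_s`, and it dereferences that pointer with no NULL check of its own. That hidden contract is the reason the supplicant_dpp_dispatch hunk later in this file has to introduce a `wpa_s` local, and it should at least be stated at the definition: add a comment above the `#define` saying that a non-NULL `struct wpa_supplicant *wpa_s` must be in scope at every expansion site and that its `ctrl_conn` selects the per-VIF control channel. A cleaner alternative is to make the dependency explicit, `#define wpa_cli_cmd_v(ctrl, cmd, ...)` calling `zephyr_wpa_cli_cmd_v(ctrl, cmd, ##__VA_ARGS__)`, though that touches every call site and is outside this hunk.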
@@ -1394,7 +1393,7 @@ int supplicant_status(const struct device *dev, struct wifi_iface_status *status
 status->rssi = -WPA_INVALID_NOISE;
 if (status->iface_mode == WIFI_MODE_INFRA) {
- ret = z_wpa_ctrl_signal_poll(&signal_poll);
+ ret = z_wpa_ctrl_signal_poll(wpa_s->ctrl_conn, &signal_poll);
 if (!ret) {
 status->rssi = signal_poll.rssi;
 status->current_phy_tx_rate = signal_poll.current_txrate;
@@ -2007,7 +2006,7 @@ static int supplicant_wps_pin(const struct device *dev, struct wifi_wps_config_p
 }
 
 if (params->oper == WIFI_WPS_PIN_GET) {
- if (zephyr_wpa_cli_cmd_resp(get_pin_cmd, params->pin)) {
+ if (zephyr_wpa_cli_cmd_resp(wpa_s->ctrl_conn, get_pin_cmd, params->pin)) {
 goto out;
 }
 } else if (params->oper == WIFI_WPS_PIN_SET) {
@@ -2440,6 +2439,7 @@ int supplicant_dpp_dispatch(const struct device *dev, struct wifi_dpp_params *pa
 {
 int ret;
 char *cmd = NULL;
+ struct wpa_supplicant *wpa_s = get_wpa_s_handle(dev);
 
 if (params == NULL) {
 return -EINVAL;
@@ -2458,7 +2458,7 @@ int supplicant_dpp_dispatch(const struct device *dev, struct wifi_dpp_params *pa
 }
 
 wpa_printf(MSG_DEBUG, "wpa_cli %s", cmd);
- if (zephyr_wpa_cli_cmd_resp(cmd, params->resp)) {
+ if (zephyr_wpa_cli_cmd_resp(wpa_s->ctrl_conn, cmd, params->resp)) {
 os_free(cmd);
 return -ENOEXEC;
 }
diff --git a/modules/hostap/src/supp_main.h b/modules/hostap/src/supp_main.h
index 60ac642f9c79..2b2d5fc61112 100644
--- a/modules/hostap/src/supp_main.h
+++ b/modules/hostap/src/supp_main.h
@@ -58,8 +58,6 @@ struct wpa_supplicant *zephyr_get_handle_by_ifname(const char *ifname);
 struct hapd_interfaces *zephyr_get_default_hapd_context(void);
 #endif
 
-struct wpa_supplicant *zephyr_get_handle_by_ifname(const char *ifname);
-
 struct wpa_supplicant_event_msg {
 #ifdef CONFIG_WIFI_NM_HOSTAPD_AP
 int hostapd;
diff --git a/modules/hostap/src/wpa_cli.c b/modules/hostap/src/wpa_cli.c
index 406008da101a..0e1b41728b74 100644
--- a/modules/hostap/src/wpa_cli.c
+++ b/modules/hostap/src/wpa_cli.c
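Review bot: In the two supplicant_dpp_dispatch hunks, `wpa_s` is obtained from `get_wpa_s_handle(dev)` at the top of the function and later dereferenced as `wpa_s->ctrl_conn` in the `zephyr_wpa_cli_cmd_resp()` call, with no NULL check in between; get_wpa_s_handle()'s body is outside these hunks, but if it can fail for an unknown device this is a NULL dereference reachable from the management API. Add a guard next to the existing `params == NULL` check: `if (wpa_s == NULL) { return -ENOENT; }`, using whichever errno this file's other get_wpa_s_handle() callers return on a miss. The same `wpa_s->ctrl_conn` pattern appears in the supplicant_status and supplicant_wps_pin hunks above, where `wpa_s` is defined outside the hunk, so whether those paths are already guarded cannot be seen here.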
@@ -8,10 +8,17 @@
 * @brief wpa_cli implementation for Zephyr OS
 */
 
+#include
 #include
 #include
+#include
 #include
+
+#include "supp_main.h"
+
+#include "common.h"
+#include "wpa_supplicant_i.h"
 
 #include "wpa_cli_zephyr.h"
 #ifdef CONFIG_WIFI_NM_HOSTAPD_AP
 #include "hostapd_cli_zephyr.h"
@@ -21,8 +28,20 @@ static int cmd_wpa_cli(const struct shell *sh,
 size_t argc, const char *argv[])
 {
+ struct net_if *iface = net_if_get_first_wifi();
+ char if_name[CONFIG_NET_INTERFACE_NAME_LEN + 1];
+ struct wpa_supplicant *wpa_s = NULL;
+
 ARG_UNUSED(sh);
+
+ if (iface == NULL) {
+ shell_error(sh, "No Wifi interface found");
+ return -ENOENT;
+ }
+
+ net_if_get_name(iface, if_name, sizeof(if_name));
+ wpa_s = zephyr_get_handle_by_ifname(if_name);
+
 if (argc == 1) {
 shell_error(sh, "Missing argument");
 return -EINVAL;
@@ -32,7 +51,7 @@ static int cmd_wpa_cli(const struct shell *sh,
 argc++; /* Remove wpa_cli from the argument list */
- return zephyr_wpa_ctrl_zephyr_cmd(argc - 1, &argv[1]);
+ return zephyr_wpa_ctrl_zephyr_cmd(wpa_s->ctrl_conn, argc - 1, &argv[1]);
 }
 
 #ifdef CONFIG_WIFI_NM_HOSTAPD_AP
From 91d36814539ddcde4b02fc92c58da5720a911d46 Mon Sep 17 00:00:00 2001
From: Chris Friedt
Date: Thu, 25 Sep 2025 12:17:33 -0400
Subject: [PATCH 04/10] [nrf fromtree] manifest: update hostap module to correct time.h and signal.h paths
Update the hostap module to use non-prefixed paths for the ISO C time.h and signal.h headers.
Signed-off-by: Chris Friedt
(cherry picked from commit 882ee961865734b3571eb1730b87ab532023b21b)
---
west.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/west.yml b/west.yml
index 4b5a35fc3ea5..1ac6629e2e8f 100644
--- a/west.yml
+++ b/west.yml
@@ -281,7 +281,7 @@ manifest:
 - hal
 - name: hostap
 path: modules/lib/hostap
- revision: 0798bf0faff40919bd577f1c8f75a2f9baae6299
+ revision: 61182a45fecafaa0f20e98ca7f862d26fbf65293
 - name: liblc3
 revision: 48bbd3eacd36e99a57317a0a4867002e0b09e183
 path: modules/lib/liblc3
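Review bot: In cmd_wpa_cli, `wpa_s = zephyr_get_handle_by_ifname(if_name)` is never checked, yet the return in the second hunk dereferences `wpa_s->ctrl_conn`; if the lookup fails (no supplicant instance bound to that interface yet), the shell command crashes instead of reporting an error. Add, directly after the lookup: `if (wpa_s == NULL) { shell_error(sh, "No supplicant for %s", if_name); return -ENOENT; }`. `ARG_UNUSED(sh)` is now stale because `sh` is used by the new `shell_error()` call and should be dropped. The command also always resolves `net_if_get_first_wifi()`, so on a multi-VIF system, which is the motivation for this series, `wpa_cli` can only ever reach the first interface; if that is intentional it deserves a comment, otherwise an interface argument is needed. Both hunks cut the function: its signature begins in the `@@` context and the body continues between them.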
From e355c10246339798edd4546827c1e06eee81abba Mon Sep 17 00:00:00 2001
From: Pieter De Gendt
Date: Fri, 5 Sep 2025 13:56:27 +0200
Subject: [PATCH 05/10] [nrf fromtree] manifest: update hostap revision for bgscan fix
The hostap module is updated with a build fix fetched from upstream.
Signed-off-by: Pieter De Gendt
(cherry picked from commit 5a503644ba716e9fdecfd5b15502820d81887129)
---
west.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/west.yml b/west.yml
index 1ac6629e2e8f..42ef14c26e21 100644
--- a/west.yml
+++ b/west.yml
@@ -281,7 +281,7 @@ manifest:
 - hal
 - name: hostap
 path: modules/lib/hostap
- revision: 61182a45fecafaa0f20e98ca7f862d26fbf65293
+ revision: 3ec675be30c25b56cc0e7dbd5bd931a87d32937e
 - name: liblc3
 revision: 48bbd3eacd36e99a57317a0a4867002e0b09e183
 path: modules/lib/liblc3
From d985665fc6fcbe7a1bc0031e969a95bedb922501 Mon Sep 17 00:00:00 2001
From: Maochen Wang
Date: Mon, 20 Oct 2025 15:36:56 +0800
Subject: [PATCH 06/10] [nrf fromtree] manifest: update hostap to fix EAP-FAST connection issue
DUT Failed to associate fast-gtc/fast-mscahpv2 enterprise network, there is error log shows 'EAP-FAST: Compound MAC did not match'. tls_connection_get_eap_fast_key() gets wrong key, currently using mbedtls_ssl_tls_prf to derive key, and it's not PSA API. Therefore, conn->expkey_keyblock_size can't be set as 0, the correct expkey_keyblock_size should contain keylen + mac_key_len + ivlen. Remove MBEDTLS_USE_PSA_CRYPTO to get keyblock_size correctly.
Signed-off-by: Maochen Wang
(cherry picked from commit dfd6efc972afd8d35db24be20aa9e1acc0d369c8)
---
west.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/west.yml b/west.yml
index 42ef14c26e21..82ac520eca10 100644
--- a/west.yml
+++ b/west.yml
@@ -281,7 +281,7 @@ manifest:
 - hal
 - name: hostap
 path: modules/lib/hostap
- revision: 3ec675be30c25b56cc0e7dbd5bd931a87d32937e
+ revision: ca77ec50a01a09b8bf149160308736b6b5741f12
 - name: liblc3
 revision: 48bbd3eacd36e99a57317a0a4867002e0b09e183
 path: modules/lib/liblc3
From 3fdb59677f527f595f817c2c8fdb0ba620870473 Mon Sep 17 00:00:00 2001
From: Chaitanya Tata
Date: Wed, 22 Oct 2025 01:10:24 +0530
Subject: [PATCH 07/10] [nrf fromtree] manifest: hostap: Pull fix for SoftAP start
Due to the recent nRF70 driver changes, the driver ops are removed from config, but few functions in hostap still depend on that, so, pull the fix for hostap driver ops.
Signed-off-by: Chaitanya Tata
(cherry picked from commit fa0d62393f9b3fc396565428e17f75b849aff86f)
---
west.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/west.yml b/west.yml
index 82ac520eca10..9aba75719c07 100644
--- a/west.yml
+++ b/west.yml
@@ -281,7 +281,7 @@ manifest:
 - hal
 - name: hostap
 path: modules/lib/hostap
- revision: ca77ec50a01a09b8bf149160308736b6b5741f12
+ revision: cf05f33f594de6b62840a3b0dd435f10467a2e4c
 - name: liblc3
 revision: 48bbd3eacd36e99a57317a0a4867002e0b09e183
 path: modules/lib/liblc3
From ea353ab26b6525ac98f1cd2e4af672162a52c240 Mon Sep 17 00:00:00 2001
From: Triveni Danda
Date: Fri, 24 Oct 2025 14:41:04 +0530
Subject: [PATCH 08/10] [nrf fromtree] manifest: hostap: Enable server certificate verification
Enable hostname validation for server certificate verification.
Signed-off-by: Triveni Danda
(cherry picked from commit b708f3d04b3d89f79b3c90eb244859fab042024e)
---
west.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/west.yml b/west.yml
index 9aba75719c07..a00bfc9e1318 100644
--- a/west.yml
+++ b/west.yml
@@ -281,7 +281,7 @@ manifest:
 - hal
 - name: hostap
 path: modules/lib/hostap
- revision: cf05f33f594de6b62840a3b0dd435f10467a2e4c
+ revision: 6086dea5ee7406e1eede7f2ca6dff1b00b0f04e2
 - name: liblc3
 revision: 48bbd3eacd36e99a57317a0a4867002e0b09e183
 path: modules/lib/liblc3
From 8da9f607b79617ecf95186a04d547a93cd5e2cfc Mon Sep 17 00:00:00 2001
From: Triveni Danda
Date: Wed, 29 Oct 2025 15:54:48 +0530
Subject: [PATCH 09/10] [nrf fromtree] net: l2: wifi: Handle domain match and suffix match parameters
Add support to handle domain match and suffix match parameters for proper server certification validation.
Signed-off-by: Triveni Danda
(cherry picked from commit b4e2cd139bc86f9a853df6bee96832b87ffb972d)
---
include/zephyr/net/wifi_mgmt.h | 10 ++++++++++
modules/hostap/src/supp_api.c | 16 ++++++++++++++++
subsys/net/l2/wifi/wifi_shell.c | 16 +++++++++++++++-
3 files changed, 41 insertions(+), 1 deletion(-)
diff --git a/include/zephyr/net/wifi_mgmt.h b/include/zephyr/net/wifi_mgmt.h
index a9dbd74607ca..703f634209d2 100644
--- a/include/zephyr/net/wifi_mgmt.h
+++ b/include/zephyr/net/wifi_mgmt.h
@@ -716,6 +716,16 @@ struct wifi_connect_req_params {
 uint8_t ignore_broadcast_ssid;
 /** Parameter used for frequency band */
 enum wifi_frequency_bandwidths bandwidth;
+
+ /** Full domain name to verify in the server certificate */
+ const uint8_t *server_cert_domain_exact;
+ /** Length of the server_cert_domain_exact string, maximum 128 bytes */
+ uint8_t server_cert_domain_exact_len;
+
+ /** Domain name suffix to verify in the server certificate */
+ const uint8_t *server_cert_domain_suffix;
+ /** Length of the server_cert_domain_suffix string, maximum 64 bytes */
+ uint8_t server_cert_domain_suffix_len;
 };
 
 /** @brief Wi-Fi disconnect reason codes. To be overlaid on top of \ref wifi_status
diff --git a/modules/hostap/src/supp_api.c b/modules/hostap/src/supp_api.c
index 7f9993bed2dc..c905fc4cfbcf 100644
--- a/modules/hostap/src/supp_api.c
+++ b/modules/hostap/src/supp_api.c
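Review bot: The comments on the new `server_cert_domain_exact`/`server_cert_domain_suffix` fields in the wifi_connect_req_params hunk give a maximum length but not that the strings must be NUL-terminated, which is what the consumer relies on: the supp_api.c hunk in this same patch passes the pointer to a `%s` format and uses the `_len` field only as a non-zero flag, never as a bound. Make the contract explicit in the header, e.g. `/** Full domain name to verify in the server certificate; must be NUL-terminated */` and `/** Length of server_cert_domain_exact excluding the terminator, maximum 128 bytes */`, and the same for the suffix pair. Stating the 128/64 limits only in prose also means nothing can enforce them; a named constant next to the struct that both the shell parser and supp_api.c can compare against would let the limit be checked in one place.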
@@ -969,6 +969,22 @@ static int wpas_add_and_config_network(struct wpa_supplicant *wpa_s,
 goto out;
 }
 
+ if (params->server_cert_domain_exact_len > 0) {
+ if (!wpa_cli_cmd_v("set_network %d domain_match \"%s\"",
+ resp.network_id,
+ params->server_cert_domain_exact)) {
+ goto out;
+ }
+ }
+
+ if (params->server_cert_domain_suffix_len > 0) {
+ if (!wpa_cli_cmd_v("set_network %d domain_suffix_match \"%s\"",
+ resp.network_id,
+ params->server_cert_domain_suffix)) {
+ goto out;
+ }
+ }
+
 if (false == ((params->security == WIFI_SECURITY_TYPE_EAP_PEAP_MSCHAPV2 ||
 params->security == WIFI_SECURITY_TYPE_EAP_TTLS_MSCHAPV2) &&
 (!params->verify_peer_cert))) {
diff --git a/subsys/net/l2/wifi/wifi_shell.c b/subsys/net/l2/wifi/wifi_shell.c
index 555358aff0a9..5a90d2ccf4c4 100644
--- a/subsys/net/l2/wifi/wifi_shell.c
+++ b/subsys/net/l2/wifi/wifi_shell.c
@@ -620,6 +620,8 @@ static int __wifi_args_to_params(const struct shell *sh, size_t argc, char *argv
 {"ignore-broadcast-ssid", required_argument, 0, 'g'},
 {"ieee-80211r", no_argument, 0, 'R'},
 {"iface", required_argument, 0, 'i'},
+ {"server-cert-domain-exact", required_argument, 0, 'e'},
+ {"server-cert-domain-suffix", required_argument, 0, 'x'},
 {"help", no_argument, 0, 'h'},
 {0, 0, 0, 0}};
 char *endptr;
@@ -872,6 +874,16 @@ static int __wifi_args_to_params(const struct shell *sh, size_t argc, char *argv
 case 'i':
 /* Unused, but parsing to avoid unknown option error */
 break;
+ case 'e':
+ params->server_cert_domain_exact = state->optarg;
+ params->server_cert_domain_exact_len =
+ strlen(params->server_cert_domain_exact);
+ break;
+ case 'x':
+ params->server_cert_domain_suffix = state->optarg;
+ params->server_cert_domain_suffix_len =
+ strlen(params->server_cert_domain_suffix);
+ break;
 case 'h':
 return -ENOEXEC;
 default:
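Review bot: In the wpas_add_and_config_network hunk, `params->server_cert_domain_exact` and `params->server_cert_domain_suffix` are spliced into the control-interface command with `\"%s\"` while `_len` is only tested for non-zero, so the value has to be NUL-terminated, its documented 128/64-byte maximum is never enforced, and a value containing a double quote closes the quoted argument early so the remainder is read as further command text. Since these strings arrive through the management request, validate them before building the command: bound the print with `%.*s` and the caller's length, reject the quote character and check the maximum, as below for the exact match (the suffix block is the same with its 64-byte limit). `%s` with a `const uint8_t *` argument is also a format/argument type mismatch that `-Wformat` can flag; the `(const char *)` cast below addresses that. The function's `out:` label and its return convention are outside the hunk, so `goto out` is kept as-is.

```c
	if (params->server_cert_domain_exact_len > 0) {
		/* Refuse values that exceed the documented limit or that would
		 * terminate the quoted wpa_cli argument early. */
		if (params->server_cert_domain_exact_len > 128 ||
		    memchr(params->server_cert_domain_exact, '"',
			   params->server_cert_domain_exact_len) != NULL) {
			wpa_printf(MSG_ERROR, "Invalid server certificate domain match");
			goto out;
		}
		if (!wpa_cli_cmd_v("set_network %d domain_match \"%.*s\"",
				   resp.network_id,
				   (int)params->server_cert_domain_exact_len,
				   (const char *)params->server_cert_domain_exact)) {
			goto out;
		}
	}
	/* … unchanged: same pattern for server_cert_domain_suffix (64-byte limit) … */
```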
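Review bot: In the `case 'e'`/`case 'x'` hunk of __wifi_args_to_params, `strlen()` returns `size_t` but is stored into the `uint8_t` `_len` fields, so an argument longer than 255 characters is silently truncated modulo 256 (a 300-character value records a length of 44), and nothing checks the 128-byte and 64-byte maxima documented for these fields in wifi_mgmt.h. Validate before assigning, e.g. for 'e': `if (strlen(state->optarg) > 128) { shell_error(sh, "server-cert-domain-exact too long"); return -EINVAL; }`, and the same for 'x' with 64, preferably against a shared constant rather than the literal. The short-option string handed to the getopt call is outside this hunk; it needs `e:` and `x:` added for the two new long-option entries to be reachable, and the 42 to 46 argument-count change in the later hunk assumes both are accepted.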
@@ -3921,10 +3933,12 @@ SHELL_SUBCMD_ADD((wifi), connect, NULL,
 "[-P, --eap-pwd1]: Client Password.\n"
 "Default no password for eap user.\n"
 "[-R, --ieee-80211r]: Use IEEE80211R fast BSS transition connect."
+ "[-e, --server-cert-domain-exact]: Full domain names for server certificate match.\n"
+ "[-x, --server-cert-domain-suffix]: Domain name suffixes for server certificate match.\n"
 "[-h, --help]: Print out the help for the connect command.\n"
 "[-i, --iface=] : Interface index.\n",
 cmd_wifi_connect,
- 2, 42);
+ 2, 46);
 
 SHELL_SUBCMD_ADD((wifi), disconnect, NULL,
 "Disconnect from the Wi-Fi AP.\n"
From e098e28f162c025a50d01206b90c6c0ac9cb9c75 Mon Sep 17 00:00:00 2001
From: Triveni Danda
Date: Thu, 6 Nov 2025 15:48:02 +0530
Subject: [PATCH 10/10] [nrf fromtree] doc: wifi: Add server certificate domain validation instructions
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Add instructions for verifying the authentication server’s certificate domain using exact domain match and domain suffix match options.
Signed-off-by: Triveni Danda
(cherry picked from commit 0186d123e89e6830b1b9cfd5bc1712b1222d2214)
---
doc/connectivity/networking/api/wifi.rst | 23 +++++++++++++++++++++++
1 file changed, 23 insertions(+)
diff --git a/doc/connectivity/networking/api/wifi.rst b/doc/connectivity/networking/api/wifi.rst
index 65cc7d9502d8..e0be44835443 100644
--- a/doc/connectivity/networking/api/wifi.rst
+++ b/doc/connectivity/networking/api/wifi.rst
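Review bot: The new `[-e, --server-cert-domain-exact]` help line is appended directly after the `[-R, --ieee-80211r]` string, which has no trailing `\n`, so the two descriptions are concatenated onto one line in the `wifi connect` help output. Add the terminator to the preceding context line: `"[-R, --ieee-80211r]: Use IEEE80211R fast BSS transition connect.\n"`. The help text also says "Full domain names" and "Domain name suffixes" in the plural, while the parser in the earlier hunk stores a single `optarg` per option; either use the singular or state the format if more than one value is accepted.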
@@ -120,6 +120,29 @@ To initiate a Wi-Fi connection using enterprise security, use one of the followi
 Server certificate is also provided in the same directory for testing purposes.
 Any AAA server can be used for testing purposes, for example, ``FreeRADIUS`` or ``hostapd``.
 
+Server certificate domain name verification
+-------------------------------------------
+
+The authentication server’s identity is verified by validating the domain name in the X.509 certificate received from the server, using the ``Common Name`` (CN) field.
+
+* Exact domain match — Verifies that the certificate’s CN exactly matches the specified domain.
+
+* Domain suffix match — Allows a certificate whose CN ends with the specified domain suffix.
+
+To initiate a Wi-Fi connection using enterprise security with server certificate validation, use one of the following commands, depending on the desired validation mode:
+
+* Exact domain match
+
+ .. code-block:: console
+
+ wifi connect -s -c -k 12 -K -e
+
+* Domain suffix match
+
+ .. code-block:: console
+
+ wifi connect -s -c -k 12 -K -x
+
 Certificate requirements for EAP methods
 ----------------------------------------