wifi: Improve WPA3 handling

modules/hostap/src/supp_api.c

@@ -9,6 +9,7 @@
 #include <zephyr/logging/log.h>
 #include <zephyr/kernel.h>
 #include <zephyr/net/wifi_mgmt.h>
+#include <zephyr/sys/util.h>
 
 #include "includes.h"
 #include "common.h"
@@ -399,29 +400,39 @@
 	case WPA_KEY_MGMT_PSK_SHA256:
 		return WIFI_SECURITY_TYPE_PSK_SHA256;
 	case WPA_KEY_MGMT_SAE:
-		if (pwe == 1) {
-			return WIFI_SECURITY_TYPE_SAE_H2E;
-		} else if (pwe == 2) {
-			return WIFI_SECURITY_TYPE_SAE_AUTO;
-		} else {
-			return WIFI_SECURITY_TYPE_SAE_HNP;
+		if (IS_ENABLED(CONFIG_WIFI_NM_WPA_SUPPLICANT_WPA3)) {
+			if (pwe == 1) {
+				return WIFI_SECURITY_TYPE_SAE_H2E;
+			} else if (pwe == 2) {
+				return WIFI_SECURITY_TYPE_SAE_AUTO;
+			} else {
+				return WIFI_SECURITY_TYPE_SAE_HNP;
+			}
 		}
+		return WIFI_SECURITY_TYPE_UNKNOWN;
+	case WPA_KEY_MGMT_PSK_SHA256 | WPA_KEY_MGMT_PSK:
 	case WPA_KEY_MGMT_SAE | WPA_KEY_MGMT_PSK:
 	case WPA_KEY_MGMT_SAE | WPA_KEY_MGMT_PSK_SHA256:
 	case WPA_KEY_MGMT_SAE | WPA_KEY_MGMT_PSK_SHA256 | WPA_KEY_MGMT_PSK:
 		return WIFI_SECURITY_TYPE_WPA_AUTO_PERSONAL;
 	case WPA_KEY_MGMT_FT_PSK:
 		return WIFI_SECURITY_TYPE_FT_PSK;
 	case WPA_KEY_MGMT_FT_SAE:
-		return WIFI_SECURITY_TYPE_FT_SAE;
+		if (IS_ENABLED(CONFIG_WIFI_NM_WPA_SUPPLICANT_WPA3)) {
+			return WIFI_SECURITY_TYPE_FT_SAE;
+		}
+		return WIFI_SECURITY_TYPE_UNKNOWN;
 	case WPA_KEY_MGMT_FT_IEEE8021X:
 		return WIFI_SECURITY_TYPE_FT_EAP;
 	case WPA_KEY_MGMT_DPP:
 		return WIFI_SECURITY_TYPE_DPP;
 	case WPA_KEY_MGMT_FT_IEEE8021X_SHA384:
 		return WIFI_SECURITY_TYPE_FT_EAP_SHA384;
 	case WPA_KEY_MGMT_SAE_EXT_KEY:
-		return WIFI_SECURITY_TYPE_SAE_EXT_KEY;
+		if (IS_ENABLED(CONFIG_WIFI_NM_WPA_SUPPLICANT_WPA3)) {
+			return WIFI_SECURITY_TYPE_SAE_EXT_KEY;
+		}
+		return WIFI_SECURITY_TYPE_UNKNOWN;
 	case WPA_KEY_MGMT_DPP | WPA_KEY_MGMT_PSK:
 		return WIFI_SECURITY_TYPE_DPP;
 	default:
@@ -710,10 +721,11 @@
 			}
 		}
 
-		if (params->security == WIFI_SECURITY_TYPE_SAE_HNP ||
-		    params->security == WIFI_SECURITY_TYPE_SAE_H2E ||
-		    params->security == WIFI_SECURITY_TYPE_SAE_AUTO ||
-		    params->security == WIFI_SECURITY_TYPE_SAE_EXT_KEY) {
+		if (IS_ENABLED(CONFIG_WIFI_NM_WPA_SUPPLICANT_WPA3) &&
+		    (params->security == WIFI_SECURITY_TYPE_SAE_HNP ||
+		     params->security == WIFI_SECURITY_TYPE_SAE_H2E ||
+		     params->security == WIFI_SECURITY_TYPE_SAE_AUTO ||
+		     params->security == WIFI_SECURITY_TYPE_SAE_EXT_KEY)) {
 			if (params->sae_password) {
 				if ((params->sae_password_length < WIFI_PSK_MIN_LEN) ||
 				    (params->sae_password_length > WIFI_SAE_PSWD_MAX_LEN)) {
@@ -810,42 +822,50 @@
 				goto out;
 			}
 		} else if (params->security == WIFI_SECURITY_TYPE_WPA_AUTO_PERSONAL) {
-			if (params->sae_password) {
-				if ((params->sae_password_length < WIFI_PSK_MIN_LEN) ||
-				    (params->sae_password_length > WIFI_SAE_PSWD_MAX_LEN)) {
-					wpa_printf(MSG_ERROR,
-						"Passphrase should be in range (%d-%d) characters",
-						WIFI_PSK_MIN_LEN, WIFI_SAE_PSWD_MAX_LEN);
+			if (!wpa_cli_cmd_v("set_network %d psk \"%s\"", resp.network_id,
+					   psk_null_terminated)) {
+				goto out;
+			}
+
+			if (IS_ENABLED(CONFIG_WIFI_NM_WPA_SUPPLICANT_WPA3)) {
+				if (params->sae_password) {
+					if ((params->sae_password_length < WIFI_PSK_MIN_LEN) ||
+					    (params->sae_password_length > WIFI_SAE_PSWD_MAX_LEN)) {
+						wpa_printf(MSG_ERROR,
+							"Passphrase should be in range (%d-%d) characters",
+							WIFI_PSK_MIN_LEN, WIFI_SAE_PSWD_MAX_LEN);
+						goto out;
+					}
+					strncpy(sae_null_terminated, params->sae_password,
+						WIFI_SAE_PSWD_MAX_LEN);
+					sae_null_terminated[params->sae_password_length] = '\0';
+					if (!wpa_cli_cmd_v("set_network %d sae_password \"%s\"",
+							   resp.network_id, sae_null_terminated)) {
+						goto out;
+					}
+				} else {
+					if (!wpa_cli_cmd_v("set_network %d sae_password \"%s\"",
+							   resp.network_id, psk_null_terminated)) {
+						goto out;
+					}
+				}
+
+				if (!wpa_cli_cmd_v("set sae_pwe 2")) {
 					goto out;
 				}
-				strncpy(sae_null_terminated, params->sae_password,
-					WIFI_SAE_PSWD_MAX_LEN);
-				sae_null_terminated[params->sae_password_length] = '\0';
-				if (!wpa_cli_cmd_v("set_network %d sae_password \"%s\"",
-						   resp.network_id, sae_null_terminated)) {
+
+				if (!wpa_cli_cmd_v(
+					"set_network %d key_mgmt WPA-PSK WPA-PSK-SHA256 SAE",
+					resp.network_id)) {
 					goto out;
 				}
 			} else {
-				if (!wpa_cli_cmd_v("set_network %d sae_password \"%s\"",
-						   resp.network_id, psk_null_terminated)) {
+				if (!wpa_cli_cmd_v("set_network %d key_mgmt WPA-PSK WPA-PSK-SHA256",
+						   resp.network_id)) {
 					goto out;
 				}
 			}
 
-			if (!wpa_cli_cmd_v("set_network %d psk \"%s\"", resp.network_id,
-					   psk_null_terminated)) {
-				goto out;
-			}
-
-			if (!wpa_cli_cmd_v("set sae_pwe 2")) {
-				goto out;
-			}
-
-			if (!wpa_cli_cmd_v("set_network %d key_mgmt WPA-PSK WPA-PSK-SHA256 SAE",
-					   resp.network_id)) {
-				goto out;
-			}
-
 			if (!wpa_cli_cmd_v("set_network %d proto WPA RSN", resp.network_id)) {
 				goto out;
 			}

subsys/net/l2/wifi/wifi_shell.c

@@ -667,6 +667,14 @@ static int __wifi_args_to_params(const struct shell *sh, size_t argc, char *argv
 			if (params->security) {
 				secure_connection = true;
 			}
+			/* WPA3 security types (SAE) require MFP (802.11w) as required,
+			 * if not otherwise set.
+			 */
+			if (params->security == WIFI_SECURITY_TYPE_SAE_HNP ||
+			    params->security == WIFI_SECURITY_TYPE_SAE_H2E ||
+			    params->security == WIFI_SECURITY_TYPE_SAE_AUTO) {
+				params->mfp = WIFI_MFP_REQUIRED;
+			}
 			break;
 		case 'p':
 			params->psk = state->optarg;
@@ -812,6 +820,9 @@ static int __wifi_args_to_params(const struct shell *sh, size_t argc, char *argv
 			break;
 		case 'S':
 			params->wpa3_ent_mode = atoi(state->optarg);
+			if (params->wpa3_ent_mode != WIFI_WPA3_ENTERPRISE_NA) {
+				params->mfp = WIFI_MFP_REQUIRED;
+			}
 			break;
 		case 'T':
 			params->TLS_cipher = atoi(state->optarg);
@@ -905,16 +916,6 @@ static int __wifi_args_to_params(const struct shell *sh, size_t argc, char *argv
 		return -EINVAL;
 	}
 
-	if (params->security == WIFI_SECURITY_TYPE_SAE_HNP
-		|| params->security == WIFI_SECURITY_TYPE_SAE_H2E
-		|| params->security == WIFI_SECURITY_TYPE_SAE_AUTO
-		|| params->wpa3_ent_mode != WIFI_WPA3_ENTERPRISE_NA) {
-		if (params->mfp != WIFI_MFP_REQUIRED) {
-			PR_ERROR("MFP is required for WPA3 mode\n");
-			return -EINVAL;
-		}
-	}
-
 	if (iface_mode == WIFI_MODE_AP && params->channel == WIFI_CHANNEL_ANY) {
 		PR_ERROR("Channel not provided\n");
 		return -EINVAL;