[nrf fromtree] wifi: shell: Add support for EAP-TLS method

Add support to read identity and private key password if
configured in Enterprise mode.

Signed-off-by: Triveni Danda <[email protected]>
(cherry picked from commit 589333e)

Author: D-Triveni

subsys/net/l2/wifi/wifi_mgmt.c

@@ -1312,6 +1312,9 @@ static int __stored_creds_to_params(struct wifi_credentials_personal *creds,
 {
 	char *ssid = NULL;
 	char *psk = NULL;
+#ifdef CONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE
+	char *key_passwd = NULL;
+#endif /* CONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE */
 	int ret;
 
 	/* SSID */
@@ -1357,6 +1360,29 @@ static int __stored_creds_to_params(struct wifi_credentials_personal *creds,
 	/* Defaults */
 	params->security = creds->header.type;
 
+#ifdef CONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE
+	if (params->security == WIFI_SECURITY_TYPE_EAP_TLS) {
+		if (creds->header.key_passwd_length > 0) {
+			key_passwd = (char *)k_malloc(creds->header.key_passwd_length + 1);
+			if (!key_passwd) {
+				LOG_ERR("Failed to allocate memory for key_passwd\n");
+				ret = -ENOMEM;
+				goto err_out;
+			}
+			memset(key_passwd, 0, creds->header.key_passwd_length + 1);
+			ret = snprintf(key_passwd, creds->header.key_passwd_length + 1, "%s",
+				       creds->header.key_passwd);
+			if (ret > creds->header.key_passwd_length) {
+				LOG_ERR("key_passwd string truncated\n");
+				ret = -EINVAL;
+				goto err_out;
+			}
+			params->key_passwd = key_passwd;
+			params->key_passwd_length = creds->header.key_passwd_length;
+		}
+	}
+#endif /* CONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE */
+
 	/* If channel is set to 0 we default to ANY. 0 is not a valid Wi-Fi channel. */
 	params->channel = (creds->header.channel != 0) ? creds->header.channel : WIFI_CHANNEL_ANY;
 	params->timeout = (creds->header.timeout != 0)
@@ -1397,6 +1423,13 @@ static int __stored_creds_to_params(struct wifi_credentials_personal *creds,
 		psk = NULL;
 	}
 
+#ifdef CONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE
+	if (key_passwd) {
+		k_free(key_passwd);
+		key_passwd = NULL;
+	}
+#endif /* CONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE */
+
 	return ret;
 }
 

subsys/net/lib/wifi_credentials/CMakeLists.txt

@@ -34,3 +34,43 @@ if(WIFI_CREDENTIALS_STATIC_SSID)
 		"Static Wi-Fi configuration is used, please remove before deployment!"
 	)
 endif()
+
+if(DEFINED CONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE AND NOT DEFINED CONFIG_NET_L2_WIFI_SHELL)
+  # Wi-Fi Enterprise test certificates handling
+  set(gen_inc_dir ${ZEPHYR_BINARY_DIR}/misc/generated)
+  set(gen_dir ${gen_inc_dir}/wifi_enterprise_test_certs)
+  if(NOT DEFINED WIFI_TEST_CERTS_DIR)
+    set(WIFI_TEST_CERTS_DIR ${ZEPHYR_BASE}/samples/net/wifi/test_certs/rsa3k)
+  endif()
+  # Create output directory for test certs
+  file(MAKE_DIRECTORY ${gen_dir})
+
+  # convert .pem files to array data at build time
+  zephyr_include_directories(${gen_inc_dir})
+
+  foreach(cert_file IN ITEMS
+      ${WIFI_TEST_CERTS_DIR}/client.pem
+      ${WIFI_TEST_CERTS_DIR}/client-key.pem
+      ${WIFI_TEST_CERTS_DIR}/ca.pem
+      ${WIFI_TEST_CERTS_DIR}/client2.pem
+      ${WIFI_TEST_CERTS_DIR}/client-key2.pem
+      ${WIFI_TEST_CERTS_DIR}/ca2.pem
+      )
+
+  if(EXISTS ${cert_file})
+      get_filename_component(cert_name ${cert_file} NAME)
+      generate_inc_file_for_target(
+          app
+          ${cert_file}
+          ${gen_dir}/${cert_name}.inc
+          )
+    else()
+      get_filename_component(cert_name ${cert_file} NAME)
+      file(WRITE ${gen_dir}/${cert_name}.inc "// Empty file generated because ${cert_file} does not exist\n")
+    endif()
+  endforeach()
+
+  # Add explicit dependency on app target for ZEPHYR_CURRENT_LIBRARY, so these
+  # headers are generated at the correct point in the build
+  add_dependencies(${ZEPHYR_CURRENT_LIBRARY} app)
+endif()

subsys/net/lib/wifi_credentials/wifi_credentials.c

@@ -136,6 +136,7 @@ int wifi_credentials_get_by_ssid_personal_struct(const char *ssid, size_t ssid_l
 	    buf->header.type != WIFI_SECURITY_TYPE_PSK &&
 	    buf->header.type != WIFI_SECURITY_TYPE_PSK_SHA256 &&
 	    buf->header.type != WIFI_SECURITY_TYPE_SAE &&
+	    buf->header.type != WIFI_SECURITY_TYPE_EAP_TLS &&
 	    buf->header.type != WIFI_SECURITY_TYPE_WPA_PSK) {
 		LOG_ERR("Requested WiFi credentials entry is corrupted");
 		ret = -EPROTO;

subsys/net/lib/wifi_credentials/wifi_credentials_shell.c

@@ -25,6 +25,63 @@
 #define MAX_BANDS_STR_LEN 64
 #define MACSTR "%02hhx:%02hhx:%02hhx:%02hhx:%02hhx:%02hhx"
 
+#ifdef CONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE
+static const char ca_cert_test[] = {
+	#include <wifi_enterprise_test_certs/ca.pem.inc>
+	'\0'
+};
+
+static const char client_cert_test[] = {
+	#include <wifi_enterprise_test_certs/client.pem.inc>
+	'\0'
+};
+
+static const char client_key_test[] = {
+	#include <wifi_enterprise_test_certs/client-key.pem.inc>
+	'\0'
+};
+
+static const char ca_cert2_test[] = {
+	#include <wifi_enterprise_test_certs/ca2.pem.inc>
+	'\0'};
+
+static const char client_cert2_test[] = {
+	#include <wifi_enterprise_test_certs/client2.pem.inc>
+	'\0'};
+
+static const char client_key2_test[] = {
+	#include <wifi_enterprise_test_certs/client-key2.pem.inc>
+	'\0'};
+#endif /* CONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE */
+
+#if defined CONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE || \
+	defined CONFIG_WIFI_NM_HOSTAPD_CRYPTO_ENTERPRISE
+static int cmd_wifi_set_enterprise_creds(const struct shell *sh, struct net_if *iface)
+{
+	struct wifi_enterprise_creds_params params = {0};
+
+	params.ca_cert = (uint8_t *)ca_cert_test;
+	params.ca_cert_len = ARRAY_SIZE(ca_cert_test);
+	params.client_cert = (uint8_t *)client_cert_test;
+	params.client_cert_len = ARRAY_SIZE(client_cert_test);
+	params.client_key = (uint8_t *)client_key_test;
+	params.client_key_len = ARRAY_SIZE(client_key_test);
+	params.ca_cert2 = (uint8_t *)ca_cert2_test;
+	params.ca_cert2_len = ARRAY_SIZE(ca_cert2_test);
+	params.client_cert2 = (uint8_t *)client_cert2_test;
+	params.client_cert2_len = ARRAY_SIZE(client_cert2_test);
+	params.client_key2 = (uint8_t *)client_key2_test;
+	params.client_key2_len = ARRAY_SIZE(client_key2_test);
+
+	if (net_mgmt(NET_REQUEST_WIFI_ENTERPRISE_CREDS, iface, &params, sizeof(params))) {
+		shell_warn(sh, "Set enterprise credentials failed\n");
+		return -1;
+	}
+
+	return 0;
+}
+#endif
+
 static void print_network_info(void *cb_arg, const char *ssid, size_t ssid_len)
 {
 	int ret = 0;
@@ -53,6 +110,23 @@ static void print_network_info(void *cb_arg, const char *ssid, size_t ssid_len)
 			      creds.password, creds.password_len);
 	}
 
+#ifdef CONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE
+	if (creds.header.type == WIFI_SECURITY_TYPE_EAP_TLS) {
+		if (creds.header.key_passwd_length > 0) {
+			shell_fprintf(sh, SHELL_VT100_COLOR_DEFAULT,
+				      ", key_passwd: \"%.*s\", key_passwd_len: %d",
+				      creds.header.key_passwd_length, creds.header.key_passwd,
+				      creds.header.key_passwd_length);
+		}
+		if (creds.header.aid_length > 0) {
+			shell_fprintf(sh, SHELL_VT100_COLOR_DEFAULT,
+				      ", anon_id: \"%.*s\", anon_id_len: %d",
+				      creds.header.aid_length, creds.header.anon_id,
+				      creds.header.aid_length);
+		}
+	}
+#endif /* CONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE */
+
 	if (creds.header.flags & WIFI_CREDENTIALS_FLAG_BSSID) {
 		shell_fprintf(sh, SHELL_VT100_COLOR_DEFAULT, ", bssid: " MACSTR,
 			      creds.header.bssid[0], creds.header.bssid[1], creds.header.bssid[2],
@@ -266,6 +340,19 @@ static int cmd_add_network(const struct shell *sh, size_t argc, char *argv[])
 		return -EINVAL;
 	}
 
+#ifdef CONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE
+	struct net_if *iface = net_if_get_first_by_type(&NET_L2_GET_NAME(ETHERNET));
+
+	/* Load the enterprise credentials if needed */
+	if (creds.header.type == WIFI_SECURITY_TYPE_EAP_TLS ||
+	    creds.header.type == WIFI_SECURITY_TYPE_EAP_PEAP_MSCHAPV2 ||
+	    creds.header.type == WIFI_SECURITY_TYPE_EAP_PEAP_GTC ||
+	    creds.header.type == WIFI_SECURITY_TYPE_EAP_TTLS_MSCHAPV2 ||
+	    creds.header.type == WIFI_SECURITY_TYPE_EAP_PEAP_TLS) {
+		cmd_wifi_set_enterprise_creds(sh, iface);
+	}
+#endif /* CONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE */
+
 	return wifi_credentials_set_personal_struct(&creds);
 }