net: l2: wifi: Handle domain_suffix_match parameter

D-Triveni · D-Triveni · commit 559424ba3e28 · 2025-10-29T15:55:28.000+05:30
Add support to handle the domain_suffix_match parameter
for proper certification validation.

Fixes #88697.

Signed-off-by: Triveni Danda &lt;triveni.danda@nordicsemi.no&gt;
diff --git a/include/zephyr/net/wifi_mgmt.h b/include/zephyr/net/wifi_mgmt.h
@@ -723,6 +723,10 @@ struct wifi_connect_req_params {
 	uint8_t ignore_broadcast_ssid;
 	/** Parameter used for frequency band */
 	enum wifi_frequency_bandwidths bandwidth;
+	/** Domain suffix match */
+	const uint8_t *domain_suffix_match;
+	/** Length of domain suffix match, maximum 32 bytes */
+	uint8_t domain_suffix_length;
 };
 
 /** @brief Wi-Fi disconnect reason codes. To be overlaid on top of \ref wifi_status
diff --git a/modules/hostap/src/supp_api.c b/modules/hostap/src/supp_api.c
@@ -969,6 +969,13 @@ static int wpas_add_and_config_network(struct wpa_supplicant *wpa_s,
 				goto out;
 			}
 
+			if (params->domain_suffix_length > 0) {
+				if (!wpa_cli_cmd_v("set_network %d domain_suffix_match \"%s\"",
+						   resp.network_id, params->domain_suffix_match)) {
+					goto out;
+				}
+			}
+
 			if (false == ((params->security == WIFI_SECURITY_TYPE_EAP_PEAP_MSCHAPV2 ||
 			    params->security == WIFI_SECURITY_TYPE_EAP_TTLS_MSCHAPV2) &&
 			    (!params->verify_peer_cert))) {
diff --git a/subsys/net/l2/wifi/wifi_shell.c b/subsys/net/l2/wifi/wifi_shell.c
@@ -620,6 +620,7 @@ static int __wifi_args_to_params(const struct shell *sh, size_t argc, char *argv
 		{"ignore-broadcast-ssid", required_argument, 0, 'g'},
 		{"ieee-80211r", no_argument, 0, 'R'},
 		{"iface", required_argument, 0, 'i'},
+		{"domain_suffix_match", required_argument, 0, 'd'},
 		{"help", no_argument, 0, 'h'},
 		{0, 0, 0, 0}};
 	char *endptr;
@@ -872,6 +873,10 @@ static int __wifi_args_to_params(const struct shell *sh, size_t argc, char *argv
 		case 'i':
 			/* Unused, but parsing to avoid unknown option error */
 			break;
+		case 'd':
+			params->domain_suffix_match = state->optarg;
+			params->domain_suffix_length = strlen(params->domain_suffix_match);
+			break;
 		case 'h':
 			return -ENOEXEC;
 		default:
@@ -4028,10 +4033,11 @@ SHELL_SUBCMD_ADD((wifi), connect, NULL,
 		 "[-P, --eap-pwd1]: Client Password.\n"
 		 "Default no password for eap user.\n"
 		 "[-R, --ieee-80211r]: Use IEEE80211R fast BSS transition connect."
+		 "[-d, --domain_suffix_match] : Domain suffix match value.\n"
 		 "[-h, --help]: Print out the help for the connect command.\n"
 		 "[-i, --iface=<interface index>] : Interface index.\n",
 		 cmd_wifi_connect,
-		 2, 42);
+		 2, 44);
 
 SHELL_SUBCMD_ADD((wifi), disconnect, NULL,
 		 "Disconnect from the Wi-Fi AP.\n"
