Skip to content

zephyr: hostap: drivers: WPA3-External SAE(auth) driver zephyr ops support#132

Open
Ramprasad-Kannappan wants to merge 2 commits into
zephyrproject-rtos:mainfrom
Ramprasad-Kannappan:topic/ramprasad-wpa3-external-auth-driver-zep-support
Open

zephyr: hostap: drivers: WPA3-External SAE(auth) driver zephyr ops support#132
Ramprasad-Kannappan wants to merge 2 commits into
zephyrproject-rtos:mainfrom
Ramprasad-Kannappan:topic/ramprasad-wpa3-external-auth-driver-zep-support

Conversation

@Ramprasad-Kannappan

@Ramprasad-Kannappan Ramprasad-Kannappan commented Apr 8, 2026

Copy link
Copy Markdown

Added support for WPA3 SAE authentication commit, confirm frame RX and TX by adding the event handling and zephyr driver ops.

New functions/ops added for this integration,

wpa_drv_zep_event_ext_auth_req :
- Send the SAE external auth status to the driver, if the zephyr driver ops is registered for this.
- This function notifies the supplicant to initiate a External Authentication process
for WPA3 SAE STA connection.

wpa_drv_zep_send_external_auth_status :
- Send the SAE external auth status to the driver, if the zephyr driver ops is registered for this.
- This function send the external auth status to the driver.

Related PR - zephyrproject-rtos/zephyr#107029

PR #107029 (Zephyr driver) implements the send_external_auth_status and send_mlme driver ops that PR #132 (hostap shim) calls — and PR #132 adds the ext_auth_req callback that PR #107029 invokes. Neither works without the other: the Zephyr driver alone has no SAE state machine, and the hostap shim alone has no driver ops to call into.

wpa_supplicant Zephyr driver shim — is the glue layer between wpa_supplicant's core SAE state machine and Zephyr's driver interface. It adds:

wpa_drv_zep_event_ext_auth_req — receives the EVENT_EXTERNAL_AUTH notification forwarded from the Infineon driver and triggers the supplicant's SAE exchange
wpa_drv_zep_send_external_auth_status — calls back into the Infineon driver to report the final SAE result.

Signed-off-by: Ramprasad Kannappan Ramprasad.Kannappan@infineon.com

@jukkar jukkar left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  • Please squash the commits together (we normally do not do fixup commits in zephyr)
  • You need to add some description in the commit message why this commit is needed (the commit body is now empty)
  • Please add Signed-off-by to the commit message

It looks like the zephyr Infineon WiFi PR needs this PR, why is that?

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds Zephyr driver integration hooks for WPA3 SAE external authentication by wiring an EVENT_EXTERNAL_AUTH path into the Zephyr event/callback flow and exposing a driver op to report external-auth status back to the Zephyr Wi-Fi driver.

Changes:

  • Added Zephyr callback support to forward external authentication requests (EVENT_EXTERNAL_AUTH) into wpa_supplicant.
  • Added Zephyr driver op plumbing for send_external_auth_status.
  • Refactored/relocated send_mlme wiring to ensure it is available for external-auth SAE commit/confirm handling.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.

File Description
src/drivers/driver_zephyr.h Adds new Zephyr callback (ext_auth_req) and new Zephyr driver op (send_external_auth_status) for external auth flow.
src/drivers/driver_zephyr.c Implements EVENT_EXTERNAL_AUTH deep-copy handling, adds external-auth callback wrapper, and adds driver-op wrapper for sending external-auth status.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread src/drivers/driver_zephyr.c Outdated
Comment on lines +384 to +396

if (!bssid || !ssid) {
wpa_printf(MSG_ERROR,
"%s:%d event %u Failed to alloc ssid/bssid \n",
__func__, __LINE__, event);
os_free(msg.data);
return;
}
os_memcpy(bssid, data->external_auth.bssid, ETH_ALEN);
data_tmp->external_auth.bssid = bssid;
os_memcpy(ssid, data->external_auth.ssid, data->external_auth.ssid_len);
data_tmp->external_auth.ssid = ssid;
data_tmp->external_auth.mld_addr = data->external_auth.mld_addr;

Copilot AI Apr 29, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

data_tmp->external_auth.mld_addr is left as a shallow-copied pointer (copied from the original union wpa_event_data via os_memcpy). Since this event is queued asynchronously, that pointer may be invalid by the time wpa_supplicant processes EVENT_EXTERNAL_AUTH (and SME reads mld_addr and copies ETH_ALEN). Please deep-copy mld_addr when non-NULL (and ensure it gets freed alongside the other deep-copied buffers).

Suggested change
if (!bssid || !ssid) {
wpa_printf(MSG_ERROR,
"%s:%d event %u Failed to alloc ssid/bssid \n",
__func__, __LINE__, event);
os_free(msg.data);
return;
}
os_memcpy(bssid, data->external_auth.bssid, ETH_ALEN);
data_tmp->external_auth.bssid = bssid;
os_memcpy(ssid, data->external_auth.ssid, data->external_auth.ssid_len);
data_tmp->external_auth.ssid = ssid;
data_tmp->external_auth.mld_addr = data->external_auth.mld_addr;
char *mld_addr = NULL;
if (data->external_auth.mld_addr)
mld_addr = os_zalloc(ETH_ALEN);
if (!bssid || !ssid ||
(data->external_auth.mld_addr && !mld_addr)) {
wpa_printf(MSG_ERROR,
"%s:%d event %u Failed to alloc ssid/bssid/mld_addr \n",
__func__, __LINE__, event);
os_free(mld_addr);
os_free(ssid);
os_free(bssid);
os_free(msg.data);
return;
}
os_memcpy(bssid, data->external_auth.bssid, ETH_ALEN);
data_tmp->external_auth.bssid = bssid;
os_memcpy(ssid, data->external_auth.ssid, data->external_auth.ssid_len);
data_tmp->external_auth.ssid = ssid;
if (mld_addr) {
os_memcpy(mld_addr, data->external_auth.mld_addr, ETH_ALEN);
data_tmp->external_auth.mld_addr = mld_addr;
} else {
data_tmp->external_auth.mld_addr = NULL;
}

Copilot uses AI. Check for mistakes.
Comment thread src/drivers/driver_zephyr.c Outdated
Comment on lines +728 to +735
* wpa_drv_zep_event_ext_auth_req - Send the SAE external auth status to
* the driver, if the zephyr driver ops is registered for this.
*
* @if_ctx : Interface context
* @event : event data to be sent to supplicant
*
* This function notifies the supplicant to initiate a External Authentication process
* for WPA3 SAE STA connection.

Copilot AI Apr 29, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The function header comment for wpa_drv_zep_event_ext_auth_req says it sends the external auth status "to the driver", but the implementation forwards EVENT_EXTERNAL_AUTH to the supplicant via wpa_supplicant_event_wrapper(). Please update the doc comment to reflect the actual direction/purpose to avoid confusion for future maintainers.

Suggested change
* wpa_drv_zep_event_ext_auth_req - Send the SAE external auth status to
* the driver, if the zephyr driver ops is registered for this.
*
* @if_ctx : Interface context
* @event : event data to be sent to supplicant
*
* This function notifies the supplicant to initiate a External Authentication process
* for WPA3 SAE STA connection.
* wpa_drv_zep_event_ext_auth_req - Forward the SAE external auth event to
* the supplicant.
*
* @if_ctx : Interface context
* @event : event data to be sent to supplicant
*
* This function notifies the supplicant to initiate an External
* Authentication process for a WPA3 SAE STA connection.

Copilot uses AI. Check for mistakes.
Comment thread src/drivers/driver_zephyr.c Outdated
* This function send the external auth status to the driver.
*/
int wpa_drv_zep_send_external_auth_status(void *priv,
struct external_auth *params) {

Copilot AI Apr 29, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Brace placement for wpa_drv_zep_send_external_auth_status() is inconsistent with the surrounding functions in this file (e.g., wpa_drv_zep_send_mlme() just above uses the opening brace on the next line). Please align this function’s formatting with the prevailing style in driver_zephyr.c for consistency.

Suggested change
struct external_auth *params) {
struct external_auth *params)
{

Copilot uses AI. Check for mistakes.
Comment thread src/drivers/driver_zephyr.c Outdated
Comment on lines +383 to +394
char *ssid = os_zalloc(data->external_auth.ssid_len);

if (!bssid || !ssid) {
wpa_printf(MSG_ERROR,
"%s:%d event %u Failed to alloc ssid/bssid \n",
__func__, __LINE__, event);
os_free(msg.data);
return;
}
os_memcpy(bssid, data->external_auth.bssid, ETH_ALEN);
data_tmp->external_auth.bssid = bssid;
os_memcpy(ssid, data->external_auth.ssid, data->external_auth.ssid_len);

Copilot AI Apr 29, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In the EVENT_EXTERNAL_AUTH deep-copy block, if either bssid or ssid allocation fails, the other allocation (if successful) is leaked. Also, os_zalloc(data->external_auth.ssid_len) will treat ssid_len == 0 as an allocation failure on implementations that return NULL for size 0. Please free any partially allocated buffers on this error path and handle zero-length SSID safely.

Suggested change
char *ssid = os_zalloc(data->external_auth.ssid_len);
if (!bssid || !ssid) {
wpa_printf(MSG_ERROR,
"%s:%d event %u Failed to alloc ssid/bssid \n",
__func__, __LINE__, event);
os_free(msg.data);
return;
}
os_memcpy(bssid, data->external_auth.bssid, ETH_ALEN);
data_tmp->external_auth.bssid = bssid;
os_memcpy(ssid, data->external_auth.ssid, data->external_auth.ssid_len);
char *ssid = NULL;
if (data->external_auth.ssid_len)
ssid = os_zalloc(data->external_auth.ssid_len);
if (!bssid || (data->external_auth.ssid_len && !ssid)) {
wpa_printf(MSG_ERROR,
"%s:%d event %u Failed to alloc ssid/bssid \n",
__func__, __LINE__, event);
if (bssid)
os_free(bssid);
if (ssid)
os_free(ssid);
os_free(msg.data);
return;
}
os_memcpy(bssid, data->external_auth.bssid, ETH_ALEN);
data_tmp->external_auth.bssid = bssid;
if (data->external_auth.ssid_len)
os_memcpy(ssid, data->external_auth.ssid,
data->external_auth.ssid_len);

Copilot uses AI. Check for mistakes.
@Ramprasad-Kannappan
Ramprasad-Kannappan force-pushed the topic/ramprasad-wpa3-external-auth-driver-zep-support branch from 6c443dc to c6ef638 Compare June 7, 2026 10:32
@Ramprasad-Kannappan

Copy link
Copy Markdown
Author

Hi @jukkar ,

I addressed your review comments and concern, could you re-review...

Thanks.

@chuangjiashyr

Copy link
Copy Markdown

@jukkar
please help to review this PR, we are waiting for this PR to be merged.
thank you

1 similar comment
@chuangjiashyr

Copy link
Copy Markdown

@jukkar
please help to review this PR, we are waiting for this PR to be merged.
thank you

@jukkar

jukkar commented Jun 22, 2026

Copy link
Copy Markdown
Member

@krish2718 & @MaochenWang1 can you take a look

@krish2718 krish2718 left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The commit log needs to follow the standard rules (72 chars, sauce tag etc) please check the history for reference.

Please split this into multiple commits for easier review:

  1. Moving send_mlme out of CONFIG_AP define
  2. Add external auth support

And the external auth support path is only applicable for those drivers that don't advertize WPA_DRIVER_FLAGS_SME, does the airoc driver use WPA supplicant but doesn't doesn't support SME? and is this for WPA3 only or WPA2 also?

@chuangjiashyr
chuangjiashyr force-pushed the topic/ramprasad-wpa3-external-auth-driver-zep-support branch from c6ef638 to 029df39 Compare June 26, 2026 07:21
@chuangjiashyr

Copy link
Copy Markdown

The commit log needs to follow the standard rules (72 chars, sauce tag etc) please check the history for reference.

Please split this into multiple commits for easier review:

  1. Moving send_mlme out of CONFIG_AP define
  2. Add external auth support

And the external auth support path is only applicable for those drivers that don't advertize WPA_DRIVER_FLAGS_SME, does the airoc driver use WPA supplicant but doesn't doesn't support SME? and is this for WPA3 only or WPA2 also?

@krish2718 Could you help to check it again?
thank you

@jukkar jukkar left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I see lot of cosmetic changes, why you did that?

@krish2718 krish2718 left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Commits logs can be a paragraph instead of distinct lines. And also what are all the acronyms at the end of the name? Signed-off-by: Patel Niket (CSS ICW ENG WFS SW WFSW / EE) <Niket.Patel-EE@infineon.com> Please use just the name.

@krish2718

Copy link
Copy Markdown
Collaborator

Also, please raise a manifest update PR in Zephyr.

@Niketp8966

Copy link
Copy Markdown

Sure, I will raise a manifest update PR in Zephyr after this hostap PR is
merged, updating the hostap revision in west.yml to point to the merged commit
from this PR.

@Niketp8966
Niketp8966 force-pushed the topic/ramprasad-wpa3-external-auth-driver-zep-support branch from 029df39 to f498b29 Compare June 30, 2026 06:06
@chuangjiashyr

Copy link
Copy Markdown

@krish2718 @jukkar
Could you review it again for @Niketp8966 ?
Thank you

@krish2718

Copy link
Copy Markdown
Collaborator

@krish2718 @jukkar Could you review it again for @Niketp8966 ? Thank you

  1. Commit log still doesn't follow the guidelines (72 chars wrapping)(
  2. I still don't see the linkage to zephyr repo with a manifest update.

@chuangjiashyr

Copy link
Copy Markdown

about your question "I still don't see the linkage to zephyr repo with a manifest update"
please guide us how to update it and where to update it.
I check previous committed by you, there is no update manifest as below commit
e97765d
thank you

@krish2718

Copy link
Copy Markdown
Collaborator

about your question "I still don't see the linkage to zephyr repo with a manifest update" please guide us how to update it and where to update it.

Please refer https://docs.zephyrproject.org/latest/develop/modules.html#process-for-submitting-changes-to-existing-modules.

I check previous committed by you, there is no update manifest as below commit e97765d thank you

That commit was part of #143 which is pulled by zephyrproject-rtos/zephyr#111092 to ZephyrRTOS repo.

Patel Niket added 2 commits July 1, 2026 12:15
The external SAE authentication flow needs to transmit SAE commit and
confirm frames from the STA-side wpa_supplicant path. Move the existing
send_mlme driver hook out of the CONFIG_AP-only section so it remains
available for AP mode and can also be used by STA builds.

Signed-off-by: Patel Niket <Niket.Patel-EE@infineon.com>
Add Zephyr driver hooks for WPA3 SAE external authentication. The shim
forwards EVENT_EXTERNAL_AUTH requests into wpa_supplicant and reports the
SAE result back to the driver through send_external_auth_status. Deep-copy
external-auth payload pointers before queueing the event asynchronously.

Signed-off-by: Patel Niket <Niket.Patel-EE@infineon.com>
@Niketp8966
Niketp8966 force-pushed the topic/ramprasad-wpa3-external-auth-driver-zep-support branch from f498b29 to b05fc98 Compare July 1, 2026 06:50
@jukkar

jukkar commented Jul 2, 2026

Copy link
Copy Markdown
Member

Where is the zephyr manifest update PR? Without the zephyr upstream west.yml change that updates hostap commit id, this change will not get merged.

@Niketp8966

Copy link
Copy Markdown

The Zephyr manifest update PR:
zephyrproject-rtos/zephyr#112655

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

7 participants