wifi: hostap super PR

drivers/wifi/nrf_wifi/inc/fmac_main.h

@@ -90,6 +90,7 @@ struct nrf_wifi_vif_ctx_zep {
 	struct k_work_delayable nrf_wifi_rpu_recovery_bringup_work;
 #endif /* CONFIG_NRF_WIFI_RPU_RECOVERY */
 	int rts_threshold_value;
+	unsigned short bss_max_idle_period;
 };
 
 struct nrf_wifi_vif_ctx_map {

drivers/wifi/nrf_wifi/inc/wifi_mgmt.h

@@ -77,4 +77,7 @@ int nrf_wifi_set_rts_threshold(const struct device *dev,
 
 int nrf_wifi_get_rts_threshold(const struct device *dev,
 			       unsigned int *rts_threshold);
+
+int nrf_wifi_set_bss_max_idle_period(const struct device *dev,
+				     unsigned short bss_max_idle_period);
 #endif /*  __ZEPHYR_WIFI_MGMT_H__ */

drivers/wifi/nrf_wifi/src/fmac_main.c

@@ -840,6 +840,9 @@ static int nrf_wifi_drv_main_zep(const struct device *dev)
 #endif /* CONFIG_NRF70_RADIO_TEST */
 
 	k_mutex_init(&rpu_drv_priv_zep.rpu_ctx_zep.rpu_lock);
+#ifndef CONFIG_NRF70_RADIO_TEST
+	vif_ctx_zep->bss_max_idle_period = USHRT_MAX;
+#endif /* !CONFIG_NRF70_RADIO_TEST */
 	return 0;
 #ifdef CONFIG_NRF70_RADIO_TEST
 fmac_deinit:
@@ -867,6 +870,7 @@ static const struct wifi_mgmt_ops nrf_wifi_mgmt_ops = {
 	.get_power_save_config = nrf_wifi_get_power_save_config,
 	.set_rts_threshold = nrf_wifi_set_rts_threshold,
 	.get_rts_threshold = nrf_wifi_get_rts_threshold,
+	.set_bss_max_idle_period = nrf_wifi_set_bss_max_idle_period,
 #endif
 #ifdef CONFIG_NRF70_SYSTEM_WITH_RAW_MODES
 	.mode = nrf_wifi_mode,

drivers/wifi/nrf_wifi/src/wifi_mgmt.c

@@ -1077,3 +1077,56 @@ int nrf_wifi_get_rts_threshold(const struct device *dev,
 
 	return ret;
 }
+
+int nrf_wifi_set_bss_max_idle_period(const struct device *dev,
+				     unsigned short bss_max_idle_period)
+{
+	struct nrf_wifi_ctx_zep *rpu_ctx_zep = NULL;
+	struct nrf_wifi_vif_ctx_zep *vif_ctx_zep = NULL;
+	int ret = -1;
+
+	if (!dev) {
+		LOG_ERR("%s: dev is NULL", __func__);
+		return ret;
+	}
+
+	vif_ctx_zep = dev->data;
+
+	if (!vif_ctx_zep) {
+		LOG_ERR("%s: vif_ctx_zep is NULL", __func__);
+		return ret;
+	}
+
+	rpu_ctx_zep = vif_ctx_zep->rpu_ctx_zep;
+
+	if (!rpu_ctx_zep) {
+		LOG_ERR("%s: rpu_ctx_zep is NULL", __func__);
+		return ret;
+	}
+
+
+	if (!rpu_ctx_zep->rpu_ctx) {
+		LOG_ERR("%s: RPU context not initialized", __func__);
+		return ret;
+	}
+
+	if (((int)bss_max_idle_period < 0) ||
+	    (bss_max_idle_period > 64000)) {
+		/* 0 or value less than 64000 is passed to f/w.
+		 * All other values considered as invalid.
+		 */
+		LOG_ERR("%s: Invalid max_idle_period value : %d",
+			__func__, (int)bss_max_idle_period);
+		return ret;
+	}
+
+	k_mutex_lock(&vif_ctx_zep->vif_lock, K_FOREVER);
+
+	vif_ctx_zep->bss_max_idle_period = bss_max_idle_period;
+
+	ret = 0;
+
+	k_mutex_unlock(&vif_ctx_zep->vif_lock);
+
+	return ret;
+}

drivers/wifi/nrf_wifi/src/wpa_supp_if.c

@@ -931,8 +931,15 @@ int nrf_wifi_wpa_supp_associate(void *if_priv, struct wpa_driver_associate_param
 		assoc_info.use_mfp = NRF_WIFI_MFP_REQUIRED;
 	}
 
-	if (params->bss_max_idle_period) {
-		assoc_info.bss_max_idle_time = params->bss_max_idle_period;
+	if (vif_ctx_zep->bss_max_idle_period == USHRT_MAX) {
+		assoc_info.bss_max_idle_time = CONFIG_WIFI_MGMT_BSS_MAX_IDLE_TIME;
+	} else {
+		assoc_info.bss_max_idle_time = vif_ctx_zep->bss_max_idle_period;
+	}
+
+	assoc_info.conn_type = NRF_WIFI_CONN_TYPE_OPEN;
+	if (!(params->key_mgmt_suite & WPA_KEY_MGMT_NONE)) {
+		assoc_info.conn_type = NRF_WIFI_CONN_TYPE_SECURE;
 	}
 
 	status = nrf_wifi_sys_fmac_assoc(rpu_ctx_zep->rpu_ctx, vif_ctx_zep->vif_idx, &assoc_info);

include/zephyr/net/wifi_certs.h

@@ -0,0 +1,38 @@
+/*
+ * Copyright (c) 2025 Nordic Semiconductor ASA
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+#ifndef WIFI_CERTS_H__
+#define WIFI_CERTS_H__
+
+#include <stdbool.h>
+#include <zephyr/kernel.h>
+#include <zephyr/net/wifi_mgmt.h>
+
+/**
+ * Set Wi-Fi Enterprise credentials.
+ *
+ * Sets up the required credentials for Enterprise mode in both
+ * Access Point and Station modes.
+ *
+ * Certificates typically used:
+ * - CA certificate
+ * - Client certificate
+ * - Client private key
+ * - Server certificate and server key (for AP mode)
+ *
+ * @param iface Network interface
+ * @param is_ap AP or Station mode
+ *
+ * @return 0 if ok, < 0 if error
+ */
+int wifi_set_enterprise_credentials(struct net_if *iface, bool is_ap);
+
+/**
+ * Clear Wi-Fi enterprise credentials
+ */
+void wifi_clear_enterprise_credentials(void);
+
+#endif /* WIFI_CERTS_H__ */

include/zephyr/net/wifi_mgmt.h

@@ -133,6 +133,8 @@ enum net_request_wifi_cmd {
 	NET_REQUEST_WIFI_CMD_CANDIDATE_SCAN,
 	/** AP WPS config */
 	NET_REQUEST_WIFI_CMD_AP_WPS_CONFIG,
+	/** Configure BSS maximum idle period */
+	NET_REQUEST_WIFI_CMD_BSS_MAX_IDLE_PERIOD,
 	/** @cond INTERNAL_HIDDEN */
 	NET_REQUEST_WIFI_CMD_MAX
 	/** @endcond */
@@ -317,6 +319,11 @@ NET_MGMT_DEFINE_REQUEST_HANDLER(NET_REQUEST_WIFI_START_ROAMING);
 
 NET_MGMT_DEFINE_REQUEST_HANDLER(NET_REQUEST_WIFI_NEIGHBOR_REP_COMPLETE);
 
+#define NET_REQUEST_WIFI_BSS_MAX_IDLE_PERIOD				\
+	(NET_WIFI_BASE | NET_REQUEST_WIFI_CMD_BSS_MAX_IDLE_PERIOD)
+
+NET_MGMT_DEFINE_REQUEST_HANDLER(NET_REQUEST_WIFI_BSS_MAX_IDLE_PERIOD);
+
 /** @cond INTERNAL_HIDDEN */
 
 enum {
@@ -788,7 +795,7 @@ struct wifi_iface_status {
 	/** is TWT capable? */
 	bool twt_capable;
 	/** The current 802.11 PHY TX data rate (in Mbps) */
-	int current_phy_tx_rate;
+	float current_phy_tx_rate;
 };
 
 /** @brief Wi-Fi power save parameters */
@@ -1685,6 +1692,15 @@ struct wifi_mgmt_ops {
 	 * @return 0 if ok, < 0 if error
 	 */
 	int (*start_11r_roaming)(const struct device *dev);
+	/** Set BSS max idle period
+	 *
+	 * @param dev Pointer to the device structure for the driver instance.
+	 * @param BSS max idle period value
+	 *
+	 * @return 0 if ok, < 0 if error
+	 */
+	int (*set_bss_max_idle_period)(const struct device *dev,
+			unsigned short bss_max_idle_period);
 };
 
 /** Wi-Fi management offload API */

modules/hostap/Kconfig

@@ -24,13 +24,33 @@ config WIFI_NM_WPA_SUPPLICANT
 
 if WIFI_NM_WPA_SUPPLICANT
 
+config WIFI_NM_WPA_SUPPLICANT_GLOBAL_HEAP
+	bool "Use Zephyr kernel heap for Wi-Fi driver"
+	default y
+	help
+	  Enable this option to use K_HEAP for memory allocations in supplicant.
+
+if !WIFI_NM_WPA_SUPPLICANT_GLOBAL_HEAP
+config WIFI_NM_WPA_SUPPLICANT_HEAP
+	int "Dedicated memory pool for wpa_supplicant"
+	def_int 66560 if WIFI_NM_HOSTAPD_AP
+	def_int 55000 if WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE && WIFI_CREDENTIALS
+	def_int 48000 if WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE
+	def_int 41808 if WIFI_NM_WPA_SUPPLICANT_AP
+	# 30K is mandatory, but might need more for long duration use cases
+	def_int 30000
+endif # !WIFI_NM_WPA_SUPPLICANT_GLOBAL_HEAP
+
+if WIFI_NM_WPA_SUPPLICANT_GLOBAL_HEAP
 config HEAP_MEM_POOL_ADD_SIZE_HOSTAP
 	def_int 66560 if WIFI_NM_HOSTAPD_AP
 	def_int 55000 if WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE && WIFI_CREDENTIALS
 	def_int 48000 if WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE
 	def_int 41808 if WIFI_NM_WPA_SUPPLICANT_AP
 	# 30K is mandatory, but might need more for long duration use cases
 	def_int 30000
+endif # WIFI_NM_WPA_SUPPLICANT_GLOBAL_HEAP
+
 
 config WIFI_NM_WPA_SUPPLICANT_THREAD_STACK_SIZE
 	int "Stack size for wpa_supplicant thread"
@@ -81,6 +101,17 @@ config WIFI_NM_WPA_SUPPLICANT_DEBUG_LEVEL
 	  runtime filtering can also be configured in addition to the compile-time
 	  filtering.
 
+config WIFI_NM_WPA_SUPPLICANT_DEBUG_SHOW_KEYS
+	bool "Include key material in debug output"
+	help
+	  This option enables inclusion of key material (passwords, encryption keys,
+	  etc.) in debug output. This is equivalent to the -K command line flag
+	  in wpa_supplicant.
+
+	  WARNING: This is a security risk and should only be enabled during
+	  development or debugging. Key material should never be logged in production
+	  systems as it can compromise network security.
+
 if WIFI_NM_WPA_SUPPLICANT_LOG_LEVEL_DBG
 # hostap debug is very verbose and despite large log buffer sizes
 # log messages can be lost. So, we set the log mode to immediate
@@ -201,6 +232,7 @@ config WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE
 	select MBEDTLS_X509_CRL_PARSE_C
 	select MBEDTLS_TLS_VERSION_1_2
 	select NOT_SECURE
+	select WIFI_CERTIFICATE_LIB
 	depends on !WIFI_NM_WPA_SUPPLICANT_CRYPTO_NONE
 	help
 	  Enable Enterprise Crypto support for WiFi. This feature
@@ -309,6 +341,7 @@ config WIFI_NM_HOSTAPD_AP
 
 config WIFI_NM_HOSTAPD_CRYPTO_ENTERPRISE
 	bool "Hostapd crypto enterprise support"
+	select WIFI_CERTIFICATE_LIB
 	depends on WIFI_NM_HOSTAPD_AP
 
 if WIFI_NM_HOSTAPD_CRYPTO_ENTERPRISE

modules/hostap/src/supp_api.c

@@ -1815,6 +1815,19 @@ int supplicant_legacy_roam(const struct device *dev)
 	return ret;
 }
 
+int supplicant_set_bss_max_idle_period(const struct device *dev,
+				       unsigned short bss_max_idle_period)
+{
+	const struct wifi_mgmt_ops *const wifi_mgmt_api = get_wifi_mgmt_api(dev);
+
+	if (!wifi_mgmt_api || !wifi_mgmt_api->set_bss_max_idle_period) {
+		wpa_printf(MSG_ERROR, "set_bss_max_idle_period is not supported");
+		return -ENOTSUP;
+	}
+
+	return wifi_mgmt_api->set_bss_max_idle_period(dev, bss_max_idle_period);
+}
+
 #ifdef CONFIG_WIFI_NM_WPA_SUPPLICANT_WNM
 int supplicant_btm_query(const struct device *dev, uint8_t reason)
 {

modules/hostap/src/supp_api.h

@@ -305,6 +305,14 @@ int supplicant_get_wifi_conn_params(const struct device *dev,
  */
 int supplicant_wps_config(const struct device *dev, struct wifi_wps_config_params *params);
 
+/** @ Set Wi-Fi max idle period
+ *
+ * @param dev Wi-Fi interface handle to use
+ * @param bss_max_idle_period Maximum idle period to set
+ * @return 0 for OK; -1 for ERROR
+ */
+int supplicant_set_bss_max_idle_period(const struct device *dev,
+				       unsigned short bss_max_idle_period);
 #ifdef CONFIG_AP
 int set_ap_bandwidth(const struct device *dev, enum wifi_frequency_bandwidths bandwidth);
 

modules/hostap/src/supp_main.c

@@ -83,6 +83,7 @@ static const struct wifi_mgmt_ops mgmt_ops = {
 #endif
 	.get_conn_params = supplicant_get_wifi_conn_params,
 	.wps_config = supplicant_wps_config,
+	.set_bss_max_idle_period = supplicant_set_bss_max_idle_period,
 #ifdef CONFIG_AP
 	.ap_enable = supplicant_ap_enable,
 	.ap_disable = supplicant_ap_disable,

subsys/net/l2/wifi/CMakeLists.txt

@@ -13,6 +13,7 @@ zephyr_library_include_directories_ifdef(
   )
 
 zephyr_library_sources_ifdef(CONFIG_NET_L2_WIFI_MGMT wifi_mgmt.c)
+zephyr_library_sources_ifdef(CONFIG_WIFI_CERTIFICATE_LIB wifi_certs.c)
 zephyr_library_sources_ifdef(CONFIG_NET_L2_WIFI_SHELL wifi_shell.c)
 zephyr_library_sources_ifdef(CONFIG_WIFI_NM wifi_nm.c)
 zephyr_library_sources_ifdef(CONFIG_NET_L2_WIFI_UTILS wifi_utils.c)

subsys/net/l2/wifi/Kconfig

@@ -126,6 +126,11 @@ config WIFI_ENT_IDENTITY_MAX_USERS
 	help
 	  This option defines the maximum number of identity users allowed connection.
 
+config WIFI_CERTIFICATE_LIB
+	bool
+	help
+	  Enable this option to process certificates in enterprise mode.
+
 if WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE
 
 config WIFI_SHELL_RUNTIME_CERTIFICATES
@@ -149,3 +154,19 @@ config HEAP_MEM_POOL_ADD_SIZE_WIFI_CERT
 endif # WIFI_SHELL_RUNTIME_CERTIFICATES
 
 endif # WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE
+
+config WIFI_MGMT_BSS_MAX_IDLE_TIME
+	int "BSS max idle timeout in seconds"
+	range 0 64000
+	default 30
+	help
+	  As per 802.11-2020: 11.21.13 BSS max idle period management
+	  If dot11WirelessManagementImplemented is true, dot11BSSMaxIdlePeriod is
+	  nonzero and dot11BSSMaxIdlePeriodIndicationByNonAPSTA is true, then a
+	  non-S1G non-AP STA shall include a BSS Max Idle Period element
+	  in the (Re)Association Request frame. If the BSS Max Idle Period
+	  element is present in the (Re)Association Request frame received
+	  by a non-S1G AP that has dot11BSSMaxIdlePeriodIndicationByNonAPSTA
+	  equal to true, then the non-S1G AP may choose the non-AP STA’s
+	  preferred maximum idle period. The non-S1G AP indicates its chosen
+	  value to the non-S1G STA in the (Re)Association Response frame.