Fix memcpy regression in PMK handling

[thirdparty/hostap.git] / src / ap / wpa_auth.c

diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c
index 5664caa3530ceeebb30c551cbe4b5f63c06aafad..0781068775e0cb5c388adf7aac823321eb0a15d3 100644 (file)
--- a/src/ap/wpa_auth.c
+++ b/src/ap/wpa_auth.c
@@ -1,6 +1,6 @@
 /*
  * IEEE 802.11 RSN / WPA Authenticator
- * Copyright (c) 2004-2015, Jouni Malinen <j@w1.fi>
+ * Copyright (c) 2004-2019, Jouni Malinen <j@w1.fi>
  *
  * This software may be distributed under the terms of the BSD license.
  * See README for more details.
@@ -13,6 +13,7 @@
 #include "utils/state_machine.h"
 #include "utils/bitfield.h"
 #include "common/ieee802_11_defs.h"
+#include "common/ocv.h"
 #include "crypto/aes.h"
 #include "crypto/aes_wrap.h"
 #include "crypto/aes_siv.h"
@@ -22,6 +23,7 @@
 #include "crypto/sha384.h"
 #include "crypto/random.h"
 #include "eapol_auth/eapol_auth_sm.h"
+#include "drivers/driver.h"
 #include "ap_config.h"
 #include "ieee802_11.h"
 #include "wpa_auth.h"
@@ -112,12 +114,13 @@ static inline int wpa_auth_get_eapol(struct wpa_authenticator *wpa_auth,
 static inline const u8 * wpa_auth_get_psk(struct wpa_authenticator *wpa_auth,
                                          const u8 *addr,
                                          const u8 *p2p_dev_addr,
-                                         const u8 *prev_psk, size_t *psk_len)
+                                         const u8 *prev_psk, size_t *psk_len,
+                                         int *vlan_id)
 {
        if (wpa_auth->cb->get_psk == NULL)
                return NULL;
        return wpa_auth->cb->get_psk(wpa_auth->cb_ctx, addr, p2p_dev_addr,
-                                    prev_psk, psk_len);
+                                    prev_psk, psk_len, vlan_id);
 }
 
 
@@ -238,20 +241,23 @@ static void wpa_sta_disconnect(struct wpa_authenticator *wpa_auth,
 }
 
 
-static int wpa_use_aes_cmac(struct wpa_state_machine *sm)
+#ifdef CONFIG_OCV
+static int wpa_channel_info(struct wpa_authenticator *wpa_auth,
+                           struct wpa_channel_info *ci)
 {
-       int ret = 0;
-#ifdef CONFIG_IEEE80211R_AP
-       if (wpa_key_mgmt_ft(sm->wpa_key_mgmt))
-               ret = 1;
-#endif /* CONFIG_IEEE80211R_AP */
-#ifdef CONFIG_IEEE80211W
-       if (wpa_key_mgmt_sha256(sm->wpa_key_mgmt))
-               ret = 1;
-#endif /* CONFIG_IEEE80211W */
-       if (sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN)
-               ret = 1;
-       return ret;
+       if (!wpa_auth->cb->channel_info)
+               return -1;
+       return wpa_auth->cb->channel_info(wpa_auth->cb_ctx, ci);
+}
+#endif /* CONFIG_OCV */
+
+
+static int wpa_auth_update_vlan(struct wpa_authenticator *wpa_auth,
+                               const u8 *addr, int vlan_id)
+{
+       if (!wpa_auth->cb->update_vlan)
+               return -1;
+       return wpa_auth->cb->update_vlan(wpa_auth->cb_ctx, addr, vlan_id);
 }
 
 
@@ -349,6 +355,10 @@ static int wpa_group_init_gmk_and_counter(struct wpa_authenticator *wpa_auth,
        wpa_get_ntp_timestamp(buf + ETH_ALEN);
        ptr = (unsigned long) group;
        os_memcpy(buf + ETH_ALEN + 8, &ptr, sizeof(ptr));
+#ifdef TEST_FUZZ
+       os_memset(buf + ETH_ALEN, 0xab, 8);
+       os_memset(buf + ETH_ALEN + 8, 0xcd, sizeof(ptr));
+#endif /* TEST_FUZZ */
        if (random_get_bytes(rkey, sizeof(rkey)) < 0)
                return -1;
 
@@ -686,6 +696,9 @@ static void wpa_free_sta_sm(struct wpa_state_machine *sm)
        os_free(sm->last_rx_eapol_key);
        os_free(sm->wpa_ie);
        wpa_group_put(sm->wpa_auth, sm->group);
+#ifdef CONFIG_DPP2
+       wpabuf_clear_free(sm->dpp_z);
+#endif /* CONFIG_DPP2 */
        os_free(sm);
 }
 
@@ -852,15 +865,23 @@ static int wpa_try_alt_snonce(struct wpa_state_machine *sm, u8 *data,
        int ok = 0;
        const u8 *pmk = NULL;
        size_t pmk_len;
+       int vlan_id = 0;
 
        os_memset(&PTK, 0, sizeof(PTK));
        for (;;) {
                if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) &&
                    !wpa_key_mgmt_sae(sm->wpa_key_mgmt)) {
                        pmk = wpa_auth_get_psk(sm->wpa_auth, sm->addr,
-                                              sm->p2p_dev_addr, pmk, &pmk_len);
+                                              sm->p2p_dev_addr, pmk, &pmk_len,
+                                              &vlan_id);
                        if (pmk == NULL)
                                break;
+#ifdef CONFIG_IEEE80211R_AP
+                       if (wpa_key_mgmt_ft_psk(sm->wpa_key_mgmt)) {
+                               os_memcpy(sm->xxkey, pmk, pmk_len);
+                               sm->xxkey_len = pmk_len;
+                       }
+#endif /* CONFIG_IEEE80211R_AP */
                } else {
                        pmk = sm->PMK;
                        pmk_len = sm->pmk_len;
@@ -871,11 +892,16 @@ static int wpa_try_alt_snonce(struct wpa_state_machine *sm, u8 *data,
 
                if (wpa_verify_key_mic(sm->wpa_key_mgmt, pmk_len, &PTK,
                                       data, data_len) == 0) {
+                       if (sm->PMK != pmk) {
+                               os_memcpy(sm->PMK, pmk, pmk_len);
+                               sm->pmk_len = pmk_len;
+                       }
                        ok = 1;
                        break;
                }
 
-               if (!wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt))
+               if (!wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) ||
+                   wpa_key_mgmt_sae(sm->wpa_key_mgmt))
                        break;
        }
 
@@ -888,6 +914,11 @@ static int wpa_try_alt_snonce(struct wpa_state_machine *sm, u8 *data,
        wpa_printf(MSG_DEBUG,
                   "WPA: Earlier SNonce resulted in matching MIC");
        sm->alt_snonce_valid = 0;
+
+       if (vlan_id && wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) &&
+           wpa_auth_update_vlan(sm->wpa_auth, sm->addr, vlan_id) < 0)
+               return -1;
+
        os_memcpy(sm->SNonce, sm->alt_SNonce, WPA_NONCE_LEN);
        os_memcpy(&sm->PTK, &PTK, sizeof(PTK));
        sm->PTK_valid = TRUE;
@@ -1003,10 +1034,8 @@ void wpa_receive(struct wpa_authenticator *wpa_auth,
                u16 ver = key_info & WPA_KEY_INFO_TYPE_MASK;
                if (sm->pairwise == WPA_CIPHER_CCMP ||
                    sm->pairwise == WPA_CIPHER_GCMP) {
-                       if (wpa_use_aes_cmac(sm) &&
-                           sm->wpa_key_mgmt != WPA_KEY_MGMT_OSEN &&
-                           !wpa_key_mgmt_suite_b(sm->wpa_key_mgmt) &&
-                           !wpa_key_mgmt_fils(sm->wpa_key_mgmt) &&
+                       if (wpa_use_cmac(sm->wpa_key_mgmt) &&
+                           !wpa_use_akm_defined(sm->wpa_key_mgmt) &&
                            ver != WPA_KEY_INFO_TYPE_AES_128_CMAC) {
                                wpa_auth_logger(wpa_auth, sm->addr,
                                                LOGGER_WARNING,
@@ -1016,11 +1045,8 @@ void wpa_receive(struct wpa_authenticator *wpa_auth,
                                return;
                        }
 
-                       if (!wpa_use_aes_cmac(sm) &&
-                           !wpa_key_mgmt_suite_b(sm->wpa_key_mgmt) &&
-                           !wpa_key_mgmt_fils(sm->wpa_key_mgmt) &&
-                           sm->wpa_key_mgmt != WPA_KEY_MGMT_OWE &&
-                           sm->wpa_key_mgmt != WPA_KEY_MGMT_DPP &&
+                       if (!wpa_use_cmac(sm->wpa_key_mgmt) &&
+                           !wpa_use_akm_defined(sm->wpa_key_mgmt) &&
                            ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
                                wpa_auth_logger(wpa_auth, sm->addr,
                                                LOGGER_WARNING,
@@ -1030,10 +1056,7 @@ void wpa_receive(struct wpa_authenticator *wpa_auth,
                        }
                }
 
-               if ((wpa_key_mgmt_suite_b(sm->wpa_key_mgmt) ||
-                    wpa_key_mgmt_fils(sm->wpa_key_mgmt) ||
-                    sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP ||
-                    sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE) &&
+               if (wpa_use_akm_defined(sm->wpa_key_mgmt) &&
                    ver != WPA_KEY_INFO_TYPE_AKM_DEFINED) {
                        wpa_auth_logger(wpa_auth, sm->addr, LOGGER_WARNING,
                                        "did not use EAPOL-Key descriptor version 0 as required for AKM-defined cases");
@@ -1220,6 +1243,11 @@ continue_processing:
                     wpa_try_alt_snonce(sm, data, data_len))) {
                        wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
                                        "received EAPOL-Key with invalid MIC");
+#ifdef TEST_FUZZ
+                       wpa_printf(MSG_INFO,
+                                  "TEST: Ignore Key MIC failure for fuzz testing");
+                       goto continue_fuzz;
+#endif /* TEST_FUZZ */
                        return;
                }
 #ifdef CONFIG_FILS
@@ -1228,9 +1256,17 @@ continue_processing:
                                     &key_data_length) < 0) {
                        wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
                                        "received EAPOL-Key with invalid MIC");
+#ifdef TEST_FUZZ
+                       wpa_printf(MSG_INFO,
+                                  "TEST: Ignore Key MIC failure for fuzz testing");
+                       goto continue_fuzz;
+#endif /* TEST_FUZZ */
                        return;
                }
 #endif /* CONFIG_FILS */
+#ifdef TEST_FUZZ
+       continue_fuzz:
+#endif /* TEST_FUZZ */
                sm->MICVerified = TRUE;
                eloop_cancel_timeout(wpa_send_eapol_timeout, wpa_auth, sm);
                sm->pending_1_of_4_timeout = 0;
@@ -1335,6 +1371,9 @@ static int wpa_gmk_to_gtk(const u8 *gmk, const char *label, const u8 *addr,
        os_memcpy(data + ETH_ALEN, gnonce, WPA_NONCE_LEN);
        pos = data + ETH_ALEN + WPA_NONCE_LEN;
        wpa_get_ntp_timestamp(pos);
+#ifdef TEST_FUZZ
+       os_memset(pos, 0xef, 8);
+#endif /* TEST_FUZZ */
        pos += 8;
        if (random_get_bytes(pos, gtk_len) < 0)
                ret = -1;
@@ -1394,13 +1433,9 @@ void __wpa_send_eapol(struct wpa_authenticator *wpa_auth,
 
        if (force_version)
                version = force_version;
-       else if (sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN ||
-                sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE ||
-                sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP ||
-                wpa_key_mgmt_suite_b(sm->wpa_key_mgmt) ||
-                wpa_key_mgmt_fils(sm->wpa_key_mgmt))
+       else if (wpa_use_akm_defined(sm->wpa_key_mgmt))
                version = WPA_KEY_INFO_TYPE_AKM_DEFINED;
-       else if (wpa_use_aes_cmac(sm))
+       else if (wpa_use_cmac(sm->wpa_key_mgmt))
                version = WPA_KEY_INFO_TYPE_AES_128_CMAC;
        else if (sm->pairwise != WPA_CIPHER_TKIP)
                version = WPA_KEY_INFO_TYPE_HMAC_SHA1_AES;
@@ -1422,10 +1457,7 @@ void __wpa_send_eapol(struct wpa_authenticator *wpa_auth,
        key_data_len = kde_len;
 
        if ((version == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES ||
-            sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE ||
-            sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP ||
-            sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN ||
-            wpa_key_mgmt_suite_b(sm->wpa_key_mgmt) ||
+            wpa_use_aes_key_wrap(sm->wpa_key_mgmt) ||
             version == WPA_KEY_INFO_TYPE_AES_128_CMAC) && encr) {
                pad_len = key_data_len % 8;
                if (pad_len)
@@ -1485,7 +1517,7 @@ void __wpa_send_eapol(struct wpa_authenticator *wpa_auth,
                os_memcpy(key_data, kde, kde_len);
                WPA_PUT_BE16(key_mic + mic_len, kde_len);
 #ifdef CONFIG_FILS
-       } else if (!mic_len) {
+       } else if (!mic_len && kde) {
                const u8 *aad[1];
                size_t aad_len[1];
 
@@ -1524,10 +1556,7 @@ void __wpa_send_eapol(struct wpa_authenticator *wpa_auth,
                wpa_hexdump_key(MSG_DEBUG, "Plaintext EAPOL-Key Key Data",
                                buf, key_data_len);
                if (version == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES ||
-                   sm->wpa_key_mgmt == WPA_KEY_MGMT_OWE ||
-                   sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP ||
-                   sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN ||
-                   wpa_key_mgmt_suite_b(sm->wpa_key_mgmt) ||
+                   wpa_use_aes_key_wrap(sm->wpa_key_mgmt) ||
                    version == WPA_KEY_INFO_TYPE_AES_128_CMAC) {
                        wpa_printf(MSG_DEBUG,
                                   "WPA: Encrypt Key Data using AES-WRAP (KEK length %u)",
@@ -1624,6 +1653,9 @@ static void wpa_send_eapol(struct wpa_authenticator *wpa_auth,
                timeout_ms = eapol_key_timeout_no_retrans;
        if (pairwise && ctr == 1 && !(key_info & WPA_KEY_INFO_MIC))
                sm->pending_1_of_4_timeout = 1;
+#ifdef TEST_FUZZ
+       timeout_ms = 1;
+#endif /* TEST_FUZZ */
        wpa_printf(MSG_DEBUG, "WPA: Use EAPOL-Key timeout of %u ms (retry "
                   "counter %u)", timeout_ms, ctr);
        eloop_register_timeout(timeout_ms / 1000, (timeout_ms % 1000) * 1000,
@@ -1977,8 +2009,13 @@ SM_STATE(WPA_PTK, INITPMK)
                sm->pmk_len = pmk_len;
 #ifdef CONFIG_IEEE80211R_AP
                if (len >= 2 * PMK_LEN) {
-                       os_memcpy(sm->xxkey, msk + PMK_LEN, PMK_LEN);
-                       sm->xxkey_len = PMK_LEN;
+                       if (wpa_key_mgmt_sha384(sm->wpa_key_mgmt)) {
+                               os_memcpy(sm->xxkey, msk, SHA384_MAC_LEN);
+                               sm->xxkey_len = SHA384_MAC_LEN;
+                       } else {
+                               os_memcpy(sm->xxkey, msk + PMK_LEN, PMK_LEN);
+                               sm->xxkey_len = PMK_LEN;
+                       }
                }
 #endif /* CONFIG_IEEE80211R_AP */
        } else {
@@ -2009,7 +2046,7 @@ SM_STATE(WPA_PTK, INITPSK)
 
        SM_ENTRY_MA(WPA_PTK, INITPSK, wpa_ptk);
        psk = wpa_auth_get_psk(sm->wpa_auth, sm->addr, sm->p2p_dev_addr, NULL,
-                              &psk_len);
+                              &psk_len, NULL);
        if (psk) {
                os_memcpy(sm->PMK, psk, psk_len);
                sm->pmk_len = psk_len;
@@ -2049,8 +2086,18 @@ SM_STATE(WPA_PTK, PTKSTART)
        wpa_auth_logger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
                        "sending 1/4 msg of 4-Way Handshake");
        /*
-        * TODO: Could add PMKID even with WPA2-PSK, but only if there is only
-        * one possible PSK for this STA.
+        * For infrastructure BSS cases, it is better for the AP not to include
+        * the PMKID KDE in EAPOL-Key msg 1/4 since it could be used to initiate
+        * offline search for the passphrase/PSK without having to be able to
+        * capture a 4-way handshake from a STA that has access to the network.
+        *
+        * For IBSS cases, addition of PMKID KDE could be considered even with
+        * WPA2-PSK cases that use multiple PSKs, but only if there is a single
+        * possible PSK for this STA. However, this should not be done unless
+        * there is support for using that information on the supplicant side.
+        * The concern about exposing PMKID unnecessarily in infrastructure BSS
+        * cases would also apply here, but at least in the IBSS case, this
+        * would cover a potential real use case.
         */
        if (sm->wpa == WPA_VERSION_WPA2 &&
            (wpa_key_mgmt_wpa_ieee8021x(sm->wpa_key_mgmt) ||
@@ -2063,11 +2110,31 @@ SM_STATE(WPA_PTK, PTKSTART)
                pmkid[1] = RSN_SELECTOR_LEN + PMKID_LEN;
                RSN_SELECTOR_PUT(&pmkid[2], RSN_KEY_DATA_PMKID);
                if (sm->pmksa) {
+                       wpa_hexdump(MSG_DEBUG,
+                                   "RSN: Message 1/4 PMKID from PMKSA entry",
+                                   sm->pmksa->pmkid, PMKID_LEN);
                        os_memcpy(&pmkid[2 + RSN_SELECTOR_LEN],
                                  sm->pmksa->pmkid, PMKID_LEN);
                } else if (wpa_key_mgmt_suite_b(sm->wpa_key_mgmt)) {
                        /* No KCK available to derive PMKID */
+                       wpa_printf(MSG_DEBUG,
+                                  "RSN: No KCK available to derive PMKID for message 1/4");
                        pmkid = NULL;
+#ifdef CONFIG_SAE
+               } else if (wpa_key_mgmt_sae(sm->wpa_key_mgmt)) {
+                       if (sm->pmkid_set) {
+                               wpa_hexdump(MSG_DEBUG,
+                                           "RSN: Message 1/4 PMKID from SAE",
+                                           sm->pmkid, PMKID_LEN);
+                               os_memcpy(&pmkid[2 + RSN_SELECTOR_LEN],
+                                         sm->pmkid, PMKID_LEN);
+                       } else {
+                               /* No PMKID available */
+                               wpa_printf(MSG_DEBUG,
+                                          "RSN: No SAE PMKID available for message 1/4");
+                               pmkid = NULL;
+                       }
+#endif /* CONFIG_SAE */
                } else {
                        /*
                         * Calculate PMKID since no PMKSA cache entry was
@@ -2076,6 +2143,9 @@ SM_STATE(WPA_PTK, PTKSTART)
                        rsn_pmkid(sm->PMK, sm->pmk_len, sm->wpa_auth->addr,
                                  sm->addr, &pmkid[2 + RSN_SELECTOR_LEN],
                                  sm->wpa_key_mgmt);
+                       wpa_hexdump(MSG_DEBUG,
+                                   "RSN: Message 1/4 PMKID derived from PMK",
+                                   &pmkid[2 + RSN_SELECTOR_LEN], PMKID_LEN);
                }
        }
        wpa_send_eapol(sm->wpa_auth, sm,
@@ -2088,14 +2158,24 @@ static int wpa_derive_ptk(struct wpa_state_machine *sm, const u8 *snonce,
                          const u8 *pmk, unsigned int pmk_len,
                          struct wpa_ptk *ptk)
 {
+       const u8 *z = NULL;
+       size_t z_len = 0;
+
 #ifdef CONFIG_IEEE80211R_AP
        if (wpa_key_mgmt_ft(sm->wpa_key_mgmt))
                return wpa_auth_derive_ptk_ft(sm, pmk, ptk);
 #endif /* CONFIG_IEEE80211R_AP */
 
+#ifdef CONFIG_DPP2
+       if (sm->wpa_key_mgmt == WPA_KEY_MGMT_DPP && sm->dpp_z) {
+               z = wpabuf_head(sm->dpp_z);
+               z_len = wpabuf_len(sm->dpp_z);
+       }
+#endif /* CONFIG_DPP2 */
+
        return wpa_pmk_to_ptk(pmk, pmk_len, "Pairwise key expansion",
                              sm->wpa_auth->addr, sm->addr, sm->ANonce, snonce,
-                             ptk, sm->wpa_key_mgmt, sm->pairwise);
+                             ptk, sm->wpa_key_mgmt, sm->pairwise, z, z_len);
 }
 
 
@@ -2126,22 +2206,35 @@ int fils_auth_pmk_to_ptk(struct wpa_state_machine *sm, const u8 *pmk,
        if (fils_ft_len) {
                struct wpa_authenticator *wpa_auth = sm->wpa_auth;
                struct wpa_auth_config *conf = &wpa_auth->conf;
-               u8 pmk_r0[PMK_LEN], pmk_r0_name[WPA_PMK_NAME_LEN];
+               u8 pmk_r0[PMK_LEN_MAX], pmk_r0_name[WPA_PMK_NAME_LEN];
+               int use_sha384 = wpa_key_mgmt_sha384(sm->wpa_key_mgmt);
+               size_t pmk_r0_len = use_sha384 ? SHA384_MAC_LEN : PMK_LEN;
 
                if (wpa_derive_pmk_r0(fils_ft, fils_ft_len,
                                      conf->ssid, conf->ssid_len,
                                      conf->mobility_domain,
                                      conf->r0_key_holder,
                                      conf->r0_key_holder_len,
-                                     sm->addr, pmk_r0, pmk_r0_name) < 0)
+                                     sm->addr, pmk_r0, pmk_r0_name,
+                                     use_sha384) < 0)
                        return -1;
 
-               wpa_hexdump_key(MSG_DEBUG, "FILS+FT: PMK-R0", pmk_r0, PMK_LEN);
+               wpa_hexdump_key(MSG_DEBUG, "FILS+FT: PMK-R0",
+                               pmk_r0, pmk_r0_len);
                wpa_hexdump(MSG_DEBUG, "FILS+FT: PMKR0Name",
                            pmk_r0_name, WPA_PMK_NAME_LEN);
-               wpa_ft_store_pmk_r0(wpa_auth, sm->addr, pmk_r0, pmk_r0_name,
-                                   sm->pairwise);
+               wpa_ft_store_pmk_fils(sm, pmk_r0, pmk_r0_name);
                os_memset(fils_ft, 0, sizeof(fils_ft));
+
+               res = wpa_derive_pmk_r1_name(pmk_r0_name, conf->r1_key_holder,
+                                            sm->addr, sm->pmk_r1_name,
+                                            use_sha384);
+               os_memset(pmk_r0, 0, PMK_LEN_MAX);
+               if (res < 0)
+                       return -1;
+               wpa_hexdump(MSG_DEBUG, "FILS+FT: PMKR1Name", sm->pmk_r1_name,
+                           WPA_PMK_NAME_LEN);
+               sm->pmk_r1_name_valid = 1;
        }
 #endif /* CONFIG_IEEE80211R_AP */
 
@@ -2521,7 +2614,8 @@ static struct wpabuf * fils_prepare_plainbuf(struct wpa_state_machine *sm,
        /* GTK KDE */
        gtk = gsm->GTK[gsm->GN - 1];
        gtk_len = gsm->GTK_len;
-       if (sm->wpa_auth->conf.disable_gtk) {
+       if (sm->wpa_auth->conf.disable_gtk ||
+           sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN) {
                /*
                 * Provide unique random GTK to each STA to prevent use
                 * of GTK in the BSS.
@@ -2545,6 +2639,27 @@ static struct wpabuf * fils_prepare_plainbuf(struct wpa_state_machine *sm,
        wpabuf_put(plain, tmp2 - tmp);
 
        *len = (u8 *) wpabuf_put(plain, 0) - len - 1;
+
+#ifdef CONFIG_OCV
+       if (wpa_auth_uses_ocv(sm)) {
+               struct wpa_channel_info ci;
+               u8 *pos;
+
+               if (wpa_channel_info(sm->wpa_auth, &ci) != 0) {
+                       wpa_printf(MSG_WARNING,
+                                  "FILS: Failed to get channel info for OCI element");
+                       wpabuf_free(plain);
+                       return NULL;
+               }
+
+               pos = wpabuf_put(plain, OCV_OCI_EXTENDED_LEN);
+               if (ocv_insert_extended_oci(&ci, pos) < 0) {
+                       wpabuf_free(plain);
+                       return NULL;
+               }
+       }
+#endif /* CONFIG_OCV */
+
        return plain;
 }
 
@@ -2610,6 +2725,21 @@ u8 * hostapd_eid_assoc_fils_session(struct wpa_state_machine *sm, u8 *buf,
 #endif /* CONFIG_FILS */
 
 
+#ifdef CONFIG_OCV
+int get_sta_tx_parameters(struct wpa_state_machine *sm, int ap_max_chanwidth,
+                         int ap_seg1_idx, int *bandwidth, int *seg1_idx)
+{
+       struct wpa_authenticator *wpa_auth = sm->wpa_auth;
+
+       if (!wpa_auth->cb->get_sta_tx_params)
+               return -1;
+       return wpa_auth->cb->get_sta_tx_params(wpa_auth->cb_ctx, sm->addr,
+                                              ap_max_chanwidth, ap_seg1_idx,
+                                              bandwidth, seg1_idx);
+}
+#endif /* CONFIG_OCV */
+
+
 SM_STATE(WPA_PTK, PTKCALCNEGOTIATING)
 {
        struct wpa_authenticator *wpa_auth = sm->wpa_auth;
@@ -2624,6 +2754,7 @@ SM_STATE(WPA_PTK, PTKCALCNEGOTIATING)
        struct ieee802_1x_hdr *hdr;
        struct wpa_eapol_key *key;
        struct wpa_eapol_ie_parse kde;
+       int vlan_id = 0;
 
        SM_ENTRY_MA(WPA_PTK, PTKCALCNEGOTIATING, wpa_ptk);
        sm->EAPOLKeyReceived = FALSE;
@@ -2639,10 +2770,17 @@ SM_STATE(WPA_PTK, PTKCALCNEGOTIATING)
                if (wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) &&
                    !wpa_key_mgmt_sae(sm->wpa_key_mgmt)) {
                        pmk = wpa_auth_get_psk(sm->wpa_auth, sm->addr,
-                                              sm->p2p_dev_addr, pmk, &pmk_len);
+                                              sm->p2p_dev_addr, pmk, &pmk_len,
+                                              &vlan_id);
                        if (pmk == NULL)
                                break;
                        psk_found = 1;
+#ifdef CONFIG_IEEE80211R_AP
+                       if (wpa_key_mgmt_ft_psk(sm->wpa_key_mgmt)) {
+                               os_memcpy(sm->xxkey, pmk, pmk_len);
+                               sm->xxkey_len = pmk_len;
+                       }
+#endif /* CONFIG_IEEE80211R_AP */
                } else {
                        pmk = sm->PMK;
                        pmk_len = sm->pmk_len;
@@ -2655,6 +2793,10 @@ SM_STATE(WPA_PTK, PTKCALCNEGOTIATING)
                    wpa_verify_key_mic(sm->wpa_key_mgmt, pmk_len, &PTK,
                                       sm->last_rx_eapol_key,
                                       sm->last_rx_eapol_key_len) == 0) {
+                       if (sm->PMK != pmk) {
+                               os_memcpy(sm->PMK, pmk, pmk_len);
+                               sm->pmk_len = pmk_len;
+                       }
                        ok = 1;
                        break;
                }
@@ -2668,7 +2810,8 @@ SM_STATE(WPA_PTK, PTKCALCNEGOTIATING)
                }
 #endif /* CONFIG_FILS */
 
-               if (!wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt))
+               if (!wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) ||
+                   wpa_key_mgmt_sae(sm->wpa_key_mgmt))
                        break;
        }
 
@@ -2725,6 +2868,32 @@ SM_STATE(WPA_PTK, PTKCALCNEGOTIATING)
                                   WLAN_REASON_PREV_AUTH_NOT_VALID);
                return;
        }
+#ifdef CONFIG_OCV
+       if (wpa_auth_uses_ocv(sm)) {
+               struct wpa_channel_info ci;
+               int tx_chanwidth;
+               int tx_seg1_idx;
+
+               if (wpa_channel_info(wpa_auth, &ci) != 0) {
+                       wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
+                                       "Failed to get channel info to validate received OCI in EAPOL-Key 2/4");
+                       return;
+               }
+
+               if (get_sta_tx_parameters(sm,
+                                         channel_width_to_int(ci.chanwidth),
+                                         ci.seg1_idx, &tx_chanwidth,
+                                         &tx_seg1_idx) < 0)
+                       return;
+
+               if (ocv_verify_tx_params(kde.oci, kde.oci_len, &ci,
+                                        tx_chanwidth, tx_seg1_idx) != 0) {
+                       wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
+                                       ocv_errorstr);
+                       return;
+               }
+       }
+#endif /* CONFIG_OCV */
 #ifdef CONFIG_IEEE80211R_AP
        if (ft && ft_check_msg_2_of_4(wpa_auth, sm, &kde) < 0) {
                wpa_sta_disconnect(wpa_auth, sm->addr,
@@ -2773,6 +2942,13 @@ SM_STATE(WPA_PTK, PTKCALCNEGOTIATING)
        }
 #endif /* CONFIG_IEEE80211R_AP */
 
+       if (vlan_id && wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) &&
+           wpa_auth_update_vlan(wpa_auth, sm->addr, vlan_id) < 0) {
+               wpa_sta_disconnect(wpa_auth, sm->addr,
+                                  WLAN_REASON_PREV_AUTH_NOT_VALID);
+               return;
+       }
+
        sm->pending_1_of_4_timeout = 0;
        eloop_cancel_timeout(wpa_send_eapol_timeout, sm->wpa_auth, sm);
 
@@ -2830,7 +3006,8 @@ static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos)
        else
                os_memcpy(igtk.pn, rsc, sizeof(igtk.pn));
        os_memcpy(igtk.igtk, gsm->IGTK[gsm->GN_igtk - 4], len);
-       if (sm->wpa_auth->conf.disable_gtk) {
+       if (sm->wpa_auth->conf.disable_gtk ||
+           sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN) {
                /*
                 * Provide unique random IGTK to each STA to prevent use of
                 * IGTK in the BSS.
@@ -2861,6 +3038,36 @@ static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos)
 #endif /* CONFIG_IEEE80211W */
 
 
+static int ocv_oci_len(struct wpa_state_machine *sm)
+{
+#ifdef CONFIG_OCV
+       if (wpa_auth_uses_ocv(sm))
+               return OCV_OCI_KDE_LEN;
+#endif /* CONFIG_OCV */
+       return 0;
+}
+
+static int ocv_oci_add(struct wpa_state_machine *sm, u8 **argpos)
+{
+#ifdef CONFIG_OCV
+       struct wpa_channel_info ci;
+
+       if (!wpa_auth_uses_ocv(sm))
+               return 0;
+
+       if (wpa_channel_info(sm->wpa_auth, &ci) != 0) {
+               wpa_printf(MSG_WARNING,
+                          "Failed to get channel info for OCI element");
+               return -1;
+       }
+
+       return ocv_insert_oci_kde(&ci, argpos);
+#else /* CONFIG_OCV */
+       return 0;
+#endif /* CONFIG_OCV */
+}
+
+
 SM_STATE(WPA_PTK, PTKINITNEGOTIATING)
 {
        u8 rsc[WPA_KEY_RSC_LEN], *_rsc, *gtk, *kde, *pos, dummy_gtk[32];
@@ -2908,7 +3115,8 @@ SM_STATE(WPA_PTK, PTKINITNEGOTIATING)
                secure = 1;
                gtk = gsm->GTK[gsm->GN - 1];
                gtk_len = gsm->GTK_len;
-               if (sm->wpa_auth->conf.disable_gtk) {
+               if (sm->wpa_auth->conf.disable_gtk ||
+                   sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN) {
                        /*
                         * Provide unique random GTK to each STA to prevent use
                         * of GTK in the BSS.
@@ -2943,7 +3151,7 @@ SM_STATE(WPA_PTK, PTKINITNEGOTIATING)
                }
        }
 
-       kde_len = wpa_ie_len + ieee80211w_kde_len(sm);
+       kde_len = wpa_ie_len + ieee80211w_kde_len(sm) + ocv_oci_len(sm);
        if (gtk)
                kde_len += 2 + RSN_SELECTOR_LEN + 2 + gtk_len;
 #ifdef CONFIG_IEEE80211R_AP
@@ -2988,6 +3196,10 @@ SM_STATE(WPA_PTK, PTKINITNEGOTIATING)
                                  gtk, gtk_len);
        }
        pos = ieee80211w_kde_add(sm, pos);
+       if (ocv_oci_add(sm, &pos) < 0) {
+               os_free(kde);
+               return;
+       }
 
 #ifdef CONFIG_IEEE80211R_AP
        if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
@@ -3001,7 +3213,10 @@ SM_STATE(WPA_PTK, PTKINITNEGOTIATING)
                                  2 + sm->assoc_resp_ftie[1]);
                        res = 2 + sm->assoc_resp_ftie[1];
                } else {
-                       res = wpa_write_ftie(conf, conf->r0_key_holder,
+                       int use_sha384 = wpa_key_mgmt_sha384(sm->wpa_key_mgmt);
+
+                       res = wpa_write_ftie(conf, use_sha384,
+                                            conf->r0_key_holder,
                                             conf->r0_key_holder_len,
                                             NULL, NULL, pos,
                                             kde + kde_len - pos,
@@ -3026,7 +3241,7 @@ SM_STATE(WPA_PTK, PTKINITNEGOTIATING)
                *pos++ = WLAN_EID_TIMEOUT_INTERVAL;
                *pos++ = 5;
                *pos++ = WLAN_TIMEOUT_KEY_LIFETIME;
-               WPA_PUT_LE32(pos, conf->r0_key_lifetime * 60);
+               WPA_PUT_LE32(pos, conf->r0_key_lifetime);
                pos += 4;
        }
 #endif /* CONFIG_IEEE80211R_AP */
@@ -3173,7 +3388,7 @@ SM_STEP(WPA_PTK)
                break;
        case WPA_PTK_INITPSK:
                if (wpa_auth_get_psk(sm->wpa_auth, sm->addr, sm->p2p_dev_addr,
-                                    NULL, NULL)) {
+                                    NULL, NULL, NULL)) {
                        SM_ENTER(WPA_PTK, PTKSTART);
 #ifdef CONFIG_SAE
                } else if (wpa_auth_uses_sae(sm) && sm->pmksa) {
@@ -3284,7 +3499,8 @@ SM_STATE(WPA_PTK_GROUP, REKEYNEGOTIATING)
                        "sending 1/2 msg of Group Key Handshake");
 
        gtk = gsm->GTK[gsm->GN - 1];
-       if (sm->wpa_auth->conf.disable_gtk) {
+       if (sm->wpa_auth->conf.disable_gtk ||
+           sm->wpa_key_mgmt == WPA_KEY_MGMT_OSEN) {
                /*
                 * Provide unique random GTK to each STA to prevent use
                 * of GTK in the BSS.
@@ -3295,7 +3511,7 @@ SM_STATE(WPA_PTK_GROUP, REKEYNEGOTIATING)
        }
        if (sm->wpa == WPA_VERSION_WPA2) {
                kde_len = 2 + RSN_SELECTOR_LEN + 2 + gsm->GTK_len +
-                       ieee80211w_kde_len(sm);
+                       ieee80211w_kde_len(sm) + ocv_oci_len(sm);
                kde_buf = os_malloc(kde_len);
                if (kde_buf == NULL)
                        return;
@@ -3306,6 +3522,10 @@ SM_STATE(WPA_PTK_GROUP, REKEYNEGOTIATING)
                pos = wpa_add_kde(pos, RSN_KEY_DATA_GROUPKEY, hdr, 2,
                                  gtk, gsm->GTK_len);
                pos = ieee80211w_kde_add(sm, pos);
+               if (ocv_oci_add(sm, &pos) < 0) {
+                       os_free(kde_buf);
+                       return;
+               }
                kde_len = pos - kde;
        } else {
                kde = gtk;
@@ -3326,8 +3546,67 @@ SM_STATE(WPA_PTK_GROUP, REKEYNEGOTIATING)
 
 SM_STATE(WPA_PTK_GROUP, REKEYESTABLISHED)
 {
+#ifdef CONFIG_OCV
+       struct wpa_authenticator *wpa_auth = sm->wpa_auth;
+       const u8 *key_data, *mic;
+       struct ieee802_1x_hdr *hdr;
+       struct wpa_eapol_key *key;
+       struct wpa_eapol_ie_parse kde;
+       size_t mic_len;
+       u16 key_data_length;
+#endif /* CONFIG_OCV */
+
        SM_ENTRY_MA(WPA_PTK_GROUP, REKEYESTABLISHED, wpa_ptk_group);
        sm->EAPOLKeyReceived = FALSE;
+
+#ifdef CONFIG_OCV
+       mic_len = wpa_mic_len(sm->wpa_key_mgmt, sm->pmk_len);
+
+       /*
+        * Note: last_rx_eapol_key length fields have already been validated in
+        * wpa_receive().
+        */
+       hdr = (struct ieee802_1x_hdr *) sm->last_rx_eapol_key;
+       key = (struct wpa_eapol_key *) (hdr + 1);
+       mic = (u8 *) (key + 1);
+       key_data = mic + mic_len + 2;
+       key_data_length = WPA_GET_BE16(mic + mic_len);
+       if (key_data_length > sm->last_rx_eapol_key_len - sizeof(*hdr) -
+           sizeof(*key) - mic_len - 2)
+               return;
+
+       if (wpa_parse_kde_ies(key_data, key_data_length, &kde) < 0) {
+               wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
+                                "received EAPOL-Key group msg 2/2 with invalid Key Data contents");
+               return;
+       }
+
+       if (wpa_auth_uses_ocv(sm)) {
+               struct wpa_channel_info ci;
+               int tx_chanwidth;
+               int tx_seg1_idx;
+
+               if (wpa_channel_info(wpa_auth, &ci) != 0) {
+                       wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
+                                       "Failed to get channel info to validate received OCI in EAPOL-Key group 1/2");
+                       return;
+               }
+
+               if (get_sta_tx_parameters(sm,
+                                         channel_width_to_int(ci.chanwidth),
+                                         ci.seg1_idx, &tx_chanwidth,
+                                         &tx_seg1_idx) < 0)
+                       return;
+
+               if (ocv_verify_tx_params(kde.oci, kde.oci_len, &ci,
+                                        tx_chanwidth, tx_seg1_idx) != 0) {
+                       wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
+                                       ocv_errorstr);
+                       return;
+               }
+       }
+#endif /* CONFIG_OCV */
+
        if (sm->GUpdateStationKeys)
                sm->group->GKeyDoneStations--;
        sm->GUpdateStationKeys = FALSE;
@@ -3936,6 +4215,15 @@ int wpa_auth_get_pairwise(struct wpa_state_machine *sm)
 }
 
 
+const u8 * wpa_auth_get_pmk(struct wpa_state_machine *sm, int *len)
+{
+       if (!sm)
+               return NULL;
+       *len = sm->pmk_len;
+       return sm->PMK;
+}
+
+
 int wpa_auth_sta_key_mgmt(struct wpa_state_machine *sm)
 {
        if (sm == NULL)
@@ -4061,6 +4349,13 @@ int wpa_auth_pmksa_add_sae(struct wpa_authenticator *wpa_auth, const u8 *addr,
 }
 
 
+void wpa_auth_add_sae_pmkid(struct wpa_state_machine *sm, const u8 *pmkid)
+{
+       os_memcpy(sm->pmkid, pmkid, PMKID_LEN);
+       sm->pmkid_set = 1;
+}
+
+
 int wpa_auth_pmksa_add2(struct wpa_authenticator *wpa_auth, const u8 *addr,
                        const u8 *pmk, size_t pmk_len, const u8 *pmkid,
                        int session_timeout, int akmp)
@@ -4519,11 +4814,12 @@ wpa_auth_pmksa_get_fils_cache_id(struct wpa_authenticator *wpa_auth,
 
 
 #ifdef CONFIG_IEEE80211R_AP
-int wpa_auth_write_fte(struct wpa_authenticator *wpa_auth, u8 *buf, size_t len)
+int wpa_auth_write_fte(struct wpa_authenticator *wpa_auth, int use_sha384,
+                      u8 *buf, size_t len)
 {
        struct wpa_auth_config *conf = &wpa_auth->conf;
 
-       return wpa_write_ftie(conf, conf->r0_key_holder,
+       return wpa_write_ftie(conf, use_sha384, conf->r0_key_holder,
                              conf->r0_key_holder_len,
                              NULL, NULL, buf, len, NULL, 0);
 }
@@ -4543,6 +4839,24 @@ void wpa_auth_get_fils_aead_params(struct wpa_state_machine *sm,
 #endif /* CONFIG_FILS */
 
 
+void wpa_auth_set_auth_alg(struct wpa_state_machine *sm, u16 auth_alg)
+{
+       if (sm)
+               sm->auth_alg = auth_alg;
+}
+
+
+#ifdef CONFIG_DPP2
+void wpa_auth_set_dpp_z(struct wpa_state_machine *sm, const struct wpabuf *z)
+{
+       if (sm) {
+               wpabuf_clear_free(sm->dpp_z);
+               sm->dpp_z = z ? wpabuf_dup(z) : NULL;
+       }
+}
+#endif /* CONFIG_DPP2 */
+
+
 #ifdef CONFIG_TESTING_OPTIONS
 
 int wpa_auth_resend_m1(struct wpa_state_machine *sm, int change_anonce,
@@ -4631,7 +4945,7 @@ int wpa_auth_resend_m3(struct wpa_state_machine *sm,
                }
        }
 
-       kde_len = wpa_ie_len + ieee80211w_kde_len(sm);
+       kde_len = wpa_ie_len + ieee80211w_kde_len(sm) + ocv_oci_len(sm);
        if (gtk)
                kde_len += 2 + RSN_SELECTOR_LEN + 2 + gtk_len;
 #ifdef CONFIG_IEEE80211R_AP
@@ -4674,11 +4988,16 @@ int wpa_auth_resend_m3(struct wpa_state_machine *sm,
 #ifdef CONFIG_IEEE80211W
        opos = pos;
        pos = ieee80211w_kde_add(sm, pos);
-       if (pos - opos >= WPA_IGTK_KDE_PREFIX_LEN) {
-               opos += 2; /* skip keyid */
+       if (pos - opos >= 2 + RSN_SELECTOR_LEN + WPA_IGTK_KDE_PREFIX_LEN) {
+               /* skip KDE header and keyid */
+               opos += 2 + RSN_SELECTOR_LEN + 2;
                os_memset(opos, 0, 6); /* clear PN */
        }
 #endif /* CONFIG_IEEE80211W */
+       if (ocv_oci_add(sm, &pos) < 0) {
+               os_free(kde);
+               return -1;
+       }
 
 #ifdef CONFIG_IEEE80211R_AP
        if (wpa_key_mgmt_ft(sm->wpa_key_mgmt)) {
@@ -4692,7 +5011,10 @@ int wpa_auth_resend_m3(struct wpa_state_machine *sm,
                                  2 + sm->assoc_resp_ftie[1]);
                        res = 2 + sm->assoc_resp_ftie[1];
                } else {
-                       res = wpa_write_ftie(conf, conf->r0_key_holder,
+                       int use_sha384 = wpa_key_mgmt_sha384(sm->wpa_key_mgmt);
+
+                       res = wpa_write_ftie(conf, use_sha384,
+                                            conf->r0_key_holder,
                                             conf->r0_key_holder_len,
                                             NULL, NULL, pos,
                                             kde + kde_len - pos,
@@ -4717,7 +5039,7 @@ int wpa_auth_resend_m3(struct wpa_state_machine *sm,
                *pos++ = WLAN_EID_TIMEOUT_INTERVAL;
                *pos++ = 5;
                *pos++ = WLAN_TIMEOUT_KEY_LIFETIME;
-               WPA_PUT_LE32(pos, conf->r0_key_lifetime * 60);
+               WPA_PUT_LE32(pos, conf->r0_key_lifetime);
                pos += 4;
        }
 #endif /* CONFIG_IEEE80211R_AP */
@@ -4757,7 +5079,7 @@ int wpa_auth_resend_group_m1(struct wpa_state_machine *sm,
        gtk = gsm->GTK[gsm->GN - 1];
        if (sm->wpa == WPA_VERSION_WPA2) {
                kde_len = 2 + RSN_SELECTOR_LEN + 2 + gsm->GTK_len +
-                       ieee80211w_kde_len(sm);
+                       ieee80211w_kde_len(sm) + ocv_oci_len(sm);
                kde_buf = os_malloc(kde_len);
                if (kde_buf == NULL)
                        return -1;
@@ -4770,11 +5092,17 @@ int wpa_auth_resend_group_m1(struct wpa_state_machine *sm,
 #ifdef CONFIG_IEEE80211W
                opos = pos;
                pos = ieee80211w_kde_add(sm, pos);
-               if (pos - opos >= WPA_IGTK_KDE_PREFIX_LEN) {
-                       opos += 2; /* skip keyid */
+               if (pos - opos >=
+                   2 + RSN_SELECTOR_LEN + WPA_IGTK_KDE_PREFIX_LEN) {
+                       /* skip KDE header and keyid */
+                       opos += 2 + RSN_SELECTOR_LEN + 2;
                        os_memset(opos, 0, 6); /* clear PN */
                }
 #endif /* CONFIG_IEEE80211W */
+               if (ocv_oci_add(sm, &pos) < 0) {
+                       os_free(kde_buf);
+                       return -1;
+               }
                kde_len = pos - kde;
        } else {
                kde = gtk;