wpa_supplicant: Support WPA3 4-way handshake, add config option

1. Add changes in 4-way handshake path to allow SAE key mgmt.
2. Support for configuring WAP3 at init time, added Kconfig option.
3. Handle and propagate error conditions properly.
4. Link changes from WiFi library.

components/esp_wifi/Kconfig

@@ -326,6 +326,14 @@ menu "Wi-Fi"
             When this option is disabled, more than 17Kbytes of IRAM memory will be saved
             but Wi-Fi performance will be reduced.
 
+    config ESP32_WIFI_ENABLE_WPA3_SAE
+        bool "Enable WPA3-Personal"
+        default n
+        help
+            Select this option to allow the device to establish a WPA3-Personal connection with eligible AP's.
+            PMF (Protected Management Frames) is a prerequisite feature for a WPA3 connection, it needs to be
+            explicitly configured before attempting connection. Please refer to the Wi-Fi Driver API Guide for details.
+
 endmenu  # Wi-Fi
 
 menu "PHY"

components/esp_wifi/include/esp_wifi.h

@@ -111,6 +111,7 @@ typedef struct {
     int                    wifi_task_core_id;      /**< WiFi Task Core ID */
     int                    beacon_max_len;         /**< WiFi softAP maximum length of the beacon */
     int                    mgmt_sbuf_num;          /**< WiFi management short buffer number, the minimum value is 6, the maximum value is 32 */
+    uint64_t               feature_caps;           /**< Enables additional WiFi features and capabilities */
     int                    magic;                  /**< WiFi init magic number, it should be the last field */
 } wifi_init_config_t;
 
@@ -157,6 +158,7 @@ typedef struct {
 #endif
 
 extern const wpa_crypto_funcs_t g_wifi_default_wpa_crypto_funcs;
+extern uint64_t g_wifi_feature_caps;
 
 #define WIFI_INIT_CONFIG_MAGIC    0x1F2F3F4F
 
@@ -190,6 +192,8 @@ extern const wpa_crypto_funcs_t g_wifi_default_wpa_crypto_funcs;
 #define WIFI_MGMT_SBUF_NUM 32
 #endif
 
+#define CONFIG_FEATURE_WPA3_SAE_BIT     (1<<0)
+
 #define WIFI_INIT_CONFIG_DEFAULT() { \
     .event_handler = &esp_event_send_internal, \
     .osi_funcs = &g_wifi_osi_funcs, \
@@ -209,6 +213,7 @@ extern const wpa_crypto_funcs_t g_wifi_default_wpa_crypto_funcs;
     .wifi_task_core_id = WIFI_TASK_CORE_ID,\
     .beacon_max_len = WIFI_SOFTAP_BEACON_MAX_LEN, \
     .mgmt_sbuf_num = WIFI_MGMT_SBUF_NUM, \
+    .feature_caps = g_wifi_feature_caps, \
     .magic = WIFI_INIT_CONFIG_MAGIC\
 };
 

components/esp_wifi/lib

@@ -1 +1 @@
-Subproject commit d88a262fbdf35e5abb372280eb08008749c3faa0
+Subproject commit 6513ff9a71d0cea1924e37d9f70a08dfaed946cd

components/esp_wifi/src/wifi_init.c

@@ -41,6 +41,13 @@ static esp_pm_lock_handle_t s_wifi_modem_sleep_lock;
 wifi_mac_time_update_cb_t s_wifi_mac_time_update_cb = NULL;
 #endif
 
+/* Set additional WiFi features and capabilities */
+uint64_t g_wifi_feature_caps =
+#if CONFIG_ESP32_WIFI_ENABLE_WPA3_SAE
+    CONFIG_FEATURE_WPA3_SAE_BIT |
+#endif
+0;
+
 static const char* TAG = "wifi_init";
 
 static void __attribute__((constructor)) s_set_default_wifi_log_level(void)

components/wpa_supplicant/CMakeLists.txt

@@ -10,6 +10,7 @@ set(srcs "port/os_xtensa.c"
     "src/crypto/aes-internal-dec.c"
     "src/crypto/aes-internal-enc.c"
     "src/crypto/aes-internal.c"
+    "src/crypto/aes-omac1.c"
     "src/crypto/aes-unwrap.c"
     "src/crypto/aes-wrap.c"
     "src/crypto/aes-omac1.c"

components/wpa_supplicant/component.mk

@@ -2,4 +2,4 @@ COMPONENT_ADD_INCLUDEDIRS := include port/include include/esp_supplicant
 COMPONENT_PRIV_INCLUDEDIRS := src
 COMPONENT_SRCDIRS := port src/ap src/common src/crypto src/eap_peer src/rsn_supp src/tls src/utils src/esp_supplicant src/wps
 
-CFLAGS += -DCONFIG_IEEE80211W -DESP_SUPPLICANT -DIEEE8021X_EAPOL -DEAP_PEER_METHOD -DEAP_TLS -DEAP_TTLS -DEAP_PEAP -DEAP_MSCHAPv2 -DUSE_WPA2_TASK -DCONFIG_WPS2 -DCONFIG_WPS_PIN -DUSE_WPS_TASK -DESPRESSIF_USE -DESP32_WORKAROUND -DCONFIG_ECC -D__ets__ -Wno-strict-aliasing
+CFLAGS += -DCONFIG_WPA3_SAE -DCONFIG_IEEE80211W -DESP_SUPPLICANT -DIEEE8021X_EAPOL -DEAP_PEER_METHOD -DEAP_TLS -DEAP_TTLS -DEAP_PEAP -DEAP_MSCHAPv2 -DUSE_WPA2_TASK -DCONFIG_WPS2 -DCONFIG_WPS_PIN -DUSE_WPS_TASK -DESPRESSIF_USE -DESP32_WORKAROUND -DCONFIG_ECC -D__ets__ -Wno-strict-aliasing

components/wpa_supplicant/src/common/defs.h

@@ -50,6 +50,7 @@ static inline int wpa_key_mgmt_wpa_ieee8021x(int akm)
 			 WPA_KEY_MGMT_FT_IEEE8021X |
 			 WPA_KEY_MGMT_CCKM |
 			 WPA_KEY_MGMT_OSEN |
+			 WPA_KEY_MGMT_SAE |
 			 WPA_KEY_MGMT_IEEE8021X_SHA256 |
 			 WPA_KEY_MGMT_IEEE8021X_SUITE_B |
 			 WPA_KEY_MGMT_IEEE8021X_SUITE_B_192));
@@ -82,6 +83,7 @@ static inline int wpa_key_mgmt_sha256(int akm)
 	return !!(akm & (WPA_KEY_MGMT_PSK_SHA256 |
 			 WPA_KEY_MGMT_IEEE8021X_SHA256 |
 			 WPA_KEY_MGMT_OSEN |
+			 WPA_KEY_MGMT_SAE |
 			 WPA_KEY_MGMT_IEEE8021X_SUITE_B));
 }
 

components/wpa_supplicant/src/common/sae.c

@@ -42,7 +42,7 @@ int sae_set_group(struct sae_data *sae, int group)
 	sae_clear_data(sae);
 	tmp = sae->tmp = os_zalloc(sizeof(*tmp));
 	if (tmp == NULL)
-		return -1;
+		return ESP_FAIL;
 
 	/* First, check if this is an ECC group */
 	tmp->ec = crypto_ec_init(group);
@@ -53,7 +53,7 @@ int sae_set_group(struct sae_data *sae, int group)
 		tmp->prime_len = crypto_ec_prime_len(tmp->ec);
 		tmp->prime = crypto_ec_get_prime(tmp->ec);
 		tmp->order = crypto_ec_get_order(tmp->ec);
-		return 0;
+		return ESP_OK;
 	}
 
 	/* Not an ECC group, check FFC */
@@ -65,14 +65,14 @@ int sae_set_group(struct sae_data *sae, int group)
 		tmp->prime_len = tmp->dh->prime_len;
 		if (tmp->prime_len > SAE_MAX_PRIME_LEN) {
 			sae_clear_data(sae);
-			return -1;
+			return ESP_FAIL;
 		}
 
 		tmp->prime_buf = crypto_bignum_init_set(tmp->dh->prime,
 							tmp->prime_len);
 		if (tmp->prime_buf == NULL) {
 			sae_clear_data(sae);
-			return -1;
+			return ESP_FAIL;
 		}
 		tmp->prime = tmp->prime_buf;
 
@@ -80,17 +80,17 @@ int sae_set_group(struct sae_data *sae, int group)
 							tmp->dh->order_len);
 		if (tmp->order_buf == NULL) {
 			sae_clear_data(sae);
-			return -1;
+			return ESP_FAIL;
 		}
 		tmp->order = tmp->order_buf;
 
-		return 0;
+		return ESP_OK;
 	}
 
 	/* Unsupported group */
 	wpa_printf(MSG_DEBUG,
 		   "SAE: Group %d not supported by the crypto library", group);
-	return -1;
+	return ESP_FAIL;
 }
 
 void sae_clear_temp_data(struct sae_data *sae)
@@ -236,7 +236,7 @@ static int is_quadratic_residue_blind(struct sae_data *sae,
 	 */
 	r = get_rand_1_to_p_1(prime, sae->tmp->prime_len, bits, &r_odd);
 	if (!r)
-		return -1;
+		return ESP_FAIL;
 
 	num = crypto_bignum_init();
 	if (!num ||
@@ -293,22 +293,22 @@ static int sae_test_pwd_seed_ecc(struct sae_data *sae, const u8 *pwd_seed,
 	bits = crypto_ec_prime_len_bits(sae->tmp->ec);
 	if (sha256_prf_bits(pwd_seed, SHA256_MAC_LEN, "SAE Hunting and Pecking",
 			    prime, sae->tmp->prime_len, pwd_value, bits) < 0)
-		return -1;
+		return ESP_FAIL;
 	if (bits % 8)
 		buf_shift_right(pwd_value, sizeof(pwd_value), 8 - bits % 8);
 	wpa_hexdump_key(MSG_DEBUG, "SAE: pwd-value",
 			pwd_value, sae->tmp->prime_len);
 
 	if (os_memcmp(pwd_value, prime, sae->tmp->prime_len) >= 0)
-		return 0;
+		return ESP_OK;
 
 	x_cand = crypto_bignum_init_set(pwd_value, sae->tmp->prime_len);
 	if (!x_cand)
-		return -1;
+		return ESP_FAIL;
 	y_sqr = crypto_ec_point_compute_y_sqr(sae->tmp->ec, x_cand);
 	if (!y_sqr) {
 		crypto_bignum_deinit(x_cand, 1);
-		return -1;
+		return ESP_FAIL;
 	}
 
 	res = is_quadratic_residue_blind(sae, prime, bits, qr, qnr, y_sqr);
@@ -337,14 +337,14 @@ static int sae_test_pwd_seed_ffc(struct sae_data *sae, const u8 *pwd_seed,
 	if (sha256_prf_bits(pwd_seed, SHA256_MAC_LEN, "SAE Hunting and Pecking",
 			    sae->tmp->dh->prime, sae->tmp->prime_len, pwd_value,
 			    bits) < 0)
-		return -1;
+		return ESP_FAIL;
 	wpa_hexdump_key(MSG_DEBUG, "SAE: pwd-value", pwd_value,
 			sae->tmp->prime_len);
 
 	if (os_memcmp(pwd_value, sae->tmp->dh->prime, sae->tmp->prime_len) >= 0)
 	{
 		wpa_printf(MSG_DEBUG, "SAE: pwd-value >= p");
-		return 0;
+		return ESP_OK;
 	}
 
 	/* PWE = pwd-value^((p-1)/r) modulo p */
@@ -380,13 +380,13 @@ static int sae_test_pwd_seed_ffc(struct sae_data *sae, const u8 *pwd_seed,
 
 	if (res < 0) {
 		wpa_printf(MSG_DEBUG, "SAE: Failed to calculate PWE");
-		return -1;
+		return ESP_FAIL;
 	}
 
 	/* if (PWE > 1) --> found */
 	if (crypto_bignum_is_zero(pwe) || crypto_bignum_is_one(pwe)) {
 		wpa_printf(MSG_DEBUG, "SAE: PWE <= 1");
-		return 0;
+		return ESP_OK;
 	}
 
 	wpa_printf(MSG_DEBUG, "SAE: PWE found");
@@ -450,12 +450,12 @@ static int sae_derive_pwe_ecc(struct sae_data *sae, const u8 *addr1,
 	if (dummy_password_len > sizeof(dummy_password))
 		dummy_password_len = sizeof(dummy_password);
 	if (random_get_bytes(dummy_password, dummy_password_len) < 0)
-		return -1;
+		return ESP_FAIL;
 
 	prime_len = sae->tmp->prime_len;
 	if (crypto_bignum_to_bin(sae->tmp->prime, prime, sizeof(prime),
 				 prime_len) < 0)
-		return -1;
+		return ESP_FAIL;
 	bits = crypto_ec_prime_len_bits(sae->tmp->ec);
 
 	/*
@@ -464,7 +464,7 @@ static int sae_derive_pwe_ecc(struct sae_data *sae, const u8 *addr1,
 	 */
 	if (get_random_qr_qnr(prime, prime_len, sae->tmp->prime, bits,
 			      &qr, &qnr) < 0)
-		return -1;
+		return ESP_FAIL;
 
 	wpa_hexdump_ascii_key(MSG_DEBUG, "SAE: password",
 			      password, password_len);
@@ -579,7 +579,7 @@ static int sae_derive_pwe_ffc(struct sae_data *sae, const u8 *addr1,
 	if (sae->tmp->pwe_ffc == NULL) {
 		sae->tmp->pwe_ffc = crypto_bignum_init();
 		if (sae->tmp->pwe_ffc == NULL)
-			return -1;
+			return ESP_FAIL;
 	}
 
 	wpa_hexdump_ascii_key(MSG_DEBUG, "SAE: password",
@@ -638,7 +638,7 @@ static int sae_derive_commit_element_ecc(struct sae_data *sae,
 		sae->tmp->own_commit_element_ecc =
 			crypto_ec_point_init(sae->tmp->ec);
 		if (!sae->tmp->own_commit_element_ecc)
-			return -1;
+			return ESP_FAIL;
 	}
 
 	if (crypto_ec_point_mul(sae->tmp->ec, sae->tmp->pwe_ecc, mask,
@@ -646,10 +646,10 @@ static int sae_derive_commit_element_ecc(struct sae_data *sae,
 	    crypto_ec_point_invert(sae->tmp->ec,
 				   sae->tmp->own_commit_element_ecc) < 0) {
 		wpa_printf(MSG_DEBUG, "SAE: Could not compute commit-element");
-		return -1;
+		return ESP_FAIL;
 	}
 
-	return 0;
+	return ESP_OK;
 }
 
 static int sae_derive_commit_element_ffc(struct sae_data *sae,
@@ -659,7 +659,7 @@ static int sae_derive_commit_element_ffc(struct sae_data *sae,
 	if (!sae->tmp->own_commit_element_ffc) {
 		sae->tmp->own_commit_element_ffc = crypto_bignum_init();
 		if (!sae->tmp->own_commit_element_ffc)
-			return -1;
+			return ESP_FAIL;
 	}
 
 	if (crypto_bignum_exptmod(sae->tmp->pwe_ffc, mask, sae->tmp->prime,
@@ -668,10 +668,10 @@ static int sae_derive_commit_element_ffc(struct sae_data *sae,
 				  sae->tmp->prime,
 				  sae->tmp->own_commit_element_ffc) < 0) {
 		wpa_printf(MSG_DEBUG, "SAE: Could not compute commit-element");
-		return -1;
+		return ESP_FAIL;
 	}
 
-	return 0;
+	return ESP_OK;
 }
 
 static int sae_derive_commit(struct sae_data *sae)
@@ -689,13 +689,13 @@ static int sae_derive_commit(struct sae_data *sae)
 			 * theoretical infinite loop, break out after 100
 			 * attemps.
 			 */
-			return -1;
+			return ESP_FAIL;
 		}
 
 		mask = sae_get_rand_and_mask(sae);
 		if (mask == NULL) {
 			wpa_printf(MSG_DEBUG, "SAE: Could not get rand/mask");
-			return -1;
+			return ESP_FAIL;
 		}
 
 		/* commit-scalar = (rand + mask) modulo r */
@@ -733,8 +733,8 @@ int sae_prepare_commit(const u8 *addr1, const u8 *addr2,
 						password_len,
 						identifier) < 0) ||
 	    sae_derive_commit(sae) < 0)
-		return -1;
-	return 0;
+		return ESP_FAIL;
+	return ESP_OK;
 }
 
 static int sae_derive_k_ecc(struct sae_data *sae, u8 *k)
@@ -861,17 +861,17 @@ int sae_process_commit(struct sae_data *sae)
 	    (sae->tmp->ec && sae_derive_k_ecc(sae, k) < 0) ||
 	    (sae->tmp->dh && sae_derive_k_ffc(sae, k) < 0) ||
 	    sae_derive_keys(sae, k) < 0)
-		return -1;
-	return 0;
+		return ESP_FAIL;
+	return ESP_OK;
 }
 
-void sae_write_commit(struct sae_data *sae, struct wpabuf *buf,
+int sae_write_commit(struct sae_data *sae, struct wpabuf *buf,
 		      const struct wpabuf *token, const char *identifier)
 {
 	u8 *pos;
 
 	if (sae->tmp == NULL)
-		return;
+		return ESP_FAIL;
 
 	wpabuf_put_le16(buf, sae->group); /* Finite Cyclic Group */
 	if (token) {
@@ -880,23 +880,32 @@ void sae_write_commit(struct sae_data *sae, struct wpabuf *buf,
 			    wpabuf_head(token), wpabuf_len(token));
 	}
 	pos = wpabuf_put(buf, sae->tmp->prime_len);
-	crypto_bignum_to_bin(sae->tmp->own_commit_scalar, pos,
-			     sae->tmp->prime_len, sae->tmp->prime_len);
+	if (crypto_bignum_to_bin(sae->tmp->own_commit_scalar, pos,
+				 sae->tmp->prime_len, sae->tmp->prime_len) < 0) {
+		wpa_printf(MSG_ERROR, "SAE: failed bignum operation on own commit scalar");
+		return ESP_FAIL;
+	}
 	wpa_hexdump(MSG_DEBUG, "SAE: own commit-scalar",
 		    pos, sae->tmp->prime_len);
 	if (sae->tmp->ec) {
 		pos = wpabuf_put(buf, 2 * sae->tmp->prime_len);
-		crypto_ec_point_to_bin(sae->tmp->ec,
-				       sae->tmp->own_commit_element_ecc,
-				       pos, pos + sae->tmp->prime_len);
+		if (crypto_ec_point_to_bin(sae->tmp->ec,
+					   sae->tmp->own_commit_element_ecc,
+					   pos, pos + sae->tmp->prime_len) < 0) {
+			wpa_printf(MSG_ERROR, "SAE: failed bignum op while deriving ec point");
+			return ESP_FAIL;
+		}
 		wpa_hexdump(MSG_DEBUG, "SAE: own commit-element(x)",
 			    pos, sae->tmp->prime_len);
 		wpa_hexdump(MSG_DEBUG, "SAE: own commit-element(y)",
 			    pos + sae->tmp->prime_len, sae->tmp->prime_len);
 	} else {
 		pos = wpabuf_put(buf, sae->tmp->prime_len);
-		crypto_bignum_to_bin(sae->tmp->own_commit_element_ffc, pos,
-				     sae->tmp->prime_len, sae->tmp->prime_len);
+		if (crypto_bignum_to_bin(sae->tmp->own_commit_element_ffc, pos,
+					 sae->tmp->prime_len, sae->tmp->prime_len) < 0) {
+			wpa_printf(MSG_ERROR, "SAE: failed bignum operation on commit elem ffc");
+			return ESP_FAIL;
+		}
 		wpa_hexdump(MSG_DEBUG, "SAE: own commit-element",
 			    pos, sae->tmp->prime_len);
 	}
@@ -910,6 +919,7 @@ void sae_write_commit(struct sae_data *sae, struct wpabuf *buf,
 		wpa_printf(MSG_DEBUG, "SAE: own Password Identifier: %s",
 			   identifier);
 	}
+	return ESP_OK;
 }
 
 u16 sae_group_allowed(struct sae_data *sae, int *allowed_groups, u16 group)
@@ -1299,7 +1309,7 @@ static void sae_cn_confirm(struct sae_data *sae, const u8 *sc,
 			   confirm);
 }
 
-static void sae_cn_confirm_ecc(struct sae_data *sae, const u8 *sc,
+static int sae_cn_confirm_ecc(struct sae_data *sae, const u8 *sc,
 			       const struct crypto_bignum *scalar1,
 			       const struct crypto_ec_point *element1,
 			       const struct crypto_bignum *scalar2,
@@ -1309,40 +1319,54 @@ static void sae_cn_confirm_ecc(struct sae_data *sae, const u8 *sc,
 	u8 element_b1[2 * SAE_MAX_ECC_PRIME_LEN];
 	u8 element_b2[2 * SAE_MAX_ECC_PRIME_LEN];
 
-	crypto_ec_point_to_bin(sae->tmp->ec, element1, element_b1,
-			       element_b1 + sae->tmp->prime_len);
-	crypto_ec_point_to_bin(sae->tmp->ec, element2, element_b2,
-			       element_b2 + sae->tmp->prime_len);
+	if (crypto_ec_point_to_bin(sae->tmp->ec, element1, element_b1,
+			       element_b1 + sae->tmp->prime_len) < 0) {
+		wpa_printf(MSG_ERROR, "SAE: failed bignum op while deriving ec point");
+		return ESP_FAIL;
+	}
+	if (crypto_ec_point_to_bin(sae->tmp->ec, element2, element_b2,
+			       element_b2 + sae->tmp->prime_len) < 0) {
+		wpa_printf(MSG_ERROR, "SAE: failed bignum op while deriving ec point");
+		return ESP_FAIL;
+	}
 
 	sae_cn_confirm(sae, sc, scalar1, element_b1, 2 * sae->tmp->prime_len,
 		       scalar2, element_b2, 2 * sae->tmp->prime_len, confirm);
+	return ESP_OK;
 }
 
-static void sae_cn_confirm_ffc(struct sae_data *sae, const u8 *sc,
-			       const struct crypto_bignum *scalar1,
-			       const struct crypto_bignum *element1,
-			       const struct crypto_bignum *scalar2,
-			       const struct crypto_bignum *element2,
-			       u8 *confirm)
+static int sae_cn_confirm_ffc(struct sae_data *sae, const u8 *sc,
+			      const struct crypto_bignum *scalar1,
+			      const struct crypto_bignum *element1,
+			      const struct crypto_bignum *scalar2,
+			      const struct crypto_bignum *element2,
+			      u8 *confirm)
 {
 	u8 element_b1[SAE_MAX_PRIME_LEN];
 	u8 element_b2[SAE_MAX_PRIME_LEN];
 
-	crypto_bignum_to_bin(element1, element_b1, sizeof(element_b1),
-			     sae->tmp->prime_len);
-	crypto_bignum_to_bin(element2, element_b2, sizeof(element_b2),
-			     sae->tmp->prime_len);
+	if (crypto_bignum_to_bin(element1, element_b1, sizeof(element_b1),
+			         sae->tmp->prime_len) < 0) {
+		wpa_printf(MSG_ERROR, "SAE: failed bignum op while generating SAE confirm - e1");
+		return ESP_FAIL;
+	}
+	if (crypto_bignum_to_bin(element2, element_b2, sizeof(element_b2),
+				 sae->tmp->prime_len) < 0) {
+		wpa_printf(MSG_ERROR, "SAE: failed bignum op while generating SAE confirm - e2");
+		return ESP_FAIL;
+	}
 
 	sae_cn_confirm(sae, sc, scalar1, element_b1, sae->tmp->prime_len,
 		       scalar2, element_b2, sae->tmp->prime_len, confirm);
+	return ESP_OK;
 }
 
-void sae_write_confirm(struct sae_data *sae, struct wpabuf *buf)
+int sae_write_confirm(struct sae_data *sae, struct wpabuf *buf)
 {
 	const u8 *sc;
 
 	if (sae->tmp == NULL)
-		return;
+		return ESP_FAIL;
 
 	/* Send-Confirm */
 	sc = wpabuf_put(buf, 0);
@@ -1350,18 +1374,26 @@ void sae_write_confirm(struct sae_data *sae, struct wpabuf *buf)
 	if (sae->send_confirm < 0xffff)
 		sae->send_confirm++;
 
-	if (sae->tmp->ec)
-		sae_cn_confirm_ecc(sae, sc, sae->tmp->own_commit_scalar,
-				   sae->tmp->own_commit_element_ecc,
-				   sae->peer_commit_scalar,
-				   sae->tmp->peer_commit_element_ecc,
-				   wpabuf_put(buf, SHA256_MAC_LEN));
-	else
-		sae_cn_confirm_ffc(sae, sc, sae->tmp->own_commit_scalar,
-				   sae->tmp->own_commit_element_ffc,
-				   sae->peer_commit_scalar,
-				   sae->tmp->peer_commit_element_ffc,
-				   wpabuf_put(buf, SHA256_MAC_LEN));
+	if (sae->tmp->ec) {
+		if (sae_cn_confirm_ecc(sae, sc, sae->tmp->own_commit_scalar,
+				       sae->tmp->own_commit_element_ecc,
+				       sae->peer_commit_scalar,
+				       sae->tmp->peer_commit_element_ecc,
+				       wpabuf_put(buf, SHA256_MAC_LEN))) {
+			wpa_printf(MSG_ERROR, "SAE: failed generate SAE confirm (ecc)");
+			return ESP_FAIL;
+		}
+	} else {
+		if (sae_cn_confirm_ffc(sae, sc, sae->tmp->own_commit_scalar,
+				       sae->tmp->own_commit_element_ffc,
+				       sae->peer_commit_scalar,
+				       sae->tmp->peer_commit_element_ffc,
+				       wpabuf_put(buf, SHA256_MAC_LEN))) {
+			wpa_printf(MSG_ERROR, "SAE: failed generate SAE confirm (ffc)");
+			return ESP_FAIL;
+		}
+	}
+	return ESP_OK;
 }
 
 int sae_check_confirm(struct sae_data *sae, const u8 *data, size_t len)
@@ -1370,28 +1402,35 @@ int sae_check_confirm(struct sae_data *sae, const u8 *data, size_t len)
 
 	if (len < 2 + SHA256_MAC_LEN) {
 		wpa_printf(MSG_DEBUG, "SAE: Too short confirm message");
-		return -1;
+		return ESP_FAIL;
 	}
 
 	wpa_printf(MSG_DEBUG, "SAE: peer-send-confirm %u", WPA_GET_LE16(data));
 
 	if (sae->tmp == NULL) {
 		wpa_printf(MSG_DEBUG, "SAE: Temporary data not yet available");
-		return -1;
+		return ESP_FAIL;
 	}
 
-	if (sae->tmp->ec)
-		sae_cn_confirm_ecc(sae, data, sae->peer_commit_scalar,
-				   sae->tmp->peer_commit_element_ecc,
-				   sae->tmp->own_commit_scalar,
-				   sae->tmp->own_commit_element_ecc,
-				   verifier);
-	else
-		sae_cn_confirm_ffc(sae, data, sae->peer_commit_scalar,
-				   sae->tmp->peer_commit_element_ffc,
-				   sae->tmp->own_commit_scalar,
-				   sae->tmp->own_commit_element_ffc,
-				   verifier);
+	if (sae->tmp->ec) {
+		if (sae_cn_confirm_ecc(sae, data, sae->peer_commit_scalar,
+				       sae->tmp->peer_commit_element_ecc,
+				       sae->tmp->own_commit_scalar,
+				       sae->tmp->own_commit_element_ecc,
+				       verifier)) {
+			wpa_printf(MSG_ERROR, "SAE: failed to check SAE confirm (ecc)");
+			return ESP_FAIL;
+		}
+	} else {
+		if (sae_cn_confirm_ffc(sae, data, sae->peer_commit_scalar,
+				       sae->tmp->peer_commit_element_ffc,
+				       sae->tmp->own_commit_scalar,
+				       sae->tmp->own_commit_element_ffc,
+				       verifier)) {
+			wpa_printf(MSG_ERROR, "SAE: failed check SAE confirm (ffc)");
+			return ESP_FAIL;
+		}
+	}
 
 	if (os_memcmp(verifier, data + 2, SHA256_MAC_LEN) != 0) {
 		wpa_printf(MSG_DEBUG, "SAE: Confirm mismatch");
@@ -1399,10 +1438,10 @@ int sae_check_confirm(struct sae_data *sae, const u8 *data, size_t len)
 			    data + 2, SHA256_MAC_LEN);
 		wpa_hexdump(MSG_DEBUG, "SAE: Calculated verifier",
 			    verifier, SHA256_MAC_LEN);
-		return -1;
+		return ESP_FAIL;
 	}
 
-	return 0;
+	return ESP_OK;
 }
 
 const char * sae_state_txt(enum sae_state state)

components/wpa_supplicant/src/common/sae.h

@@ -77,11 +77,11 @@ int sae_prepare_commit(const u8 *addr1, const u8 *addr2,
 		       const u8 *password, size_t password_len,
 		       const char *identifier, struct sae_data *sae);
 int sae_process_commit(struct sae_data *sae);
-void sae_write_commit(struct sae_data *sae, struct wpabuf *buf,
+int sae_write_commit(struct sae_data *sae, struct wpabuf *buf,
 		      const struct wpabuf *token, const char *identifier);
 u16 sae_parse_commit(struct sae_data *sae, const u8 *data, size_t len,
 		     const u8 **token, size_t *token_len, int *allowed_groups);
-void sae_write_confirm(struct sae_data *sae, struct wpabuf *buf);
+int sae_write_confirm(struct sae_data *sae, struct wpabuf *buf);
 int sae_check_confirm(struct sae_data *sae, const u8 *data, size_t len);
 u16 sae_group_allowed(struct sae_data *sae, int *allowed_groups, u16 group);
 const char * sae_state_txt(enum sae_state state);

components/wpa_supplicant/src/common/wpa_common.c

@@ -394,6 +394,9 @@ int wpa_eapol_key_mic(const u8 *key, int ver, const u8 *buf, size_t len,
 		memcpy(mic, hash, MD5_MAC_LEN);
 		break;
 #ifdef CONFIG_IEEE80211W
+#ifdef CONFIG_WPA3_SAE
+       case WPA_KEY_INFO_TYPE_AKM_DEFINED:
+#endif
 	case WPA_KEY_INFO_TYPE_AES_128_CMAC:
 		return omac1_aes_128(key, buf, len, mic);
 #endif
@@ -514,13 +517,11 @@ void wpa_pmk_to_ptk(const u8 *pmk, size_t pmk_len, const char *label,
 			  WPA_NONCE_LEN);
 	}
 
-#ifdef CONFIG_IEEE80211W
 	if (use_sha256) {
 		sha256_prf(pmk, pmk_len, label, data, sizeof(data),
 			ptk, ptk_len);
 	}
 	else
-#endif /* CONFIG_IEEE80211W */
 	{
 	    sha1_prf(pmk, pmk_len, label, data, sizeof(data), ptk, ptk_len);
 	}

components/wpa_supplicant/src/common/wpa_common.h

@@ -121,6 +121,7 @@
 
 /* IEEE 802.11, 8.5.2 EAPOL-Key frames */
 #define WPA_KEY_INFO_TYPE_MASK ((u16) (BIT(0) | BIT(1) | BIT(2)))
+#define WPA_KEY_INFO_TYPE_AKM_DEFINED 0
 #define WPA_KEY_INFO_TYPE_HMAC_MD5_RC4 BIT(0)
 #define WPA_KEY_INFO_TYPE_HMAC_SHA1_AES BIT(1)
 #define WPA_KEY_INFO_TYPE_AES_128_CMAC 3

components/wpa_supplicant/src/crypto/aes_wrap.h

@@ -24,11 +24,16 @@
 
 int __must_check aes_wrap(const u8 *kek, int n, const u8 *plain, u8 *cipher);
 int __must_check aes_unwrap(const u8 *kek, int n, const u8 *cipher, u8 *plain);
+int __must_check omac1_aes_vector(const u8 *key, size_t key_len,
+                                  size_t num_elem, const u8 *addr[],
+                                  const size_t *len, u8 *mac);
 int __must_check omac1_aes_128_vector(const u8 *key, size_t num_elem,
 				      const u8 *addr[], const size_t *len,
 				      u8 *mac);
 int __must_check omac1_aes_128(const u8 *key, const u8 *data, size_t data_len,
 			       u8 *mac);
+int __must_check omac1_aes_256(const u8 *key, const u8 *data, size_t data_len,
+                               u8 *mac);
 int __must_check aes_128_encrypt_block(const u8 *key, const u8 *in, u8 *out);
 int __must_check aes_128_ctr_encrypt(const u8 *key, const u8 *nonce,
 				     u8 *data, size_t data_len);

components/wpa_supplicant/src/esp_supplicant/esp_wpa3.c

@@ -14,7 +14,7 @@
 
 #ifdef CONFIG_WPA3_SAE
 
-#include "../common/sae.h"
+#include "common/sae.h"
 #include "esp_wifi_driver.h"
 #include "rsn_supp/wpa.h"
 
@@ -47,11 +47,17 @@ static struct wpabuf *wpa3_build_sae_commit(u8 *bssid)
 		return NULL;
 	}
 
-	// For reuse PWE after retry case
-	// memcpy(g_sae_data.tmp->bssid, bssid, ETH_ALEN);
-
 	buf = wpabuf_alloc(SAE_COMMIT_MAX_LEN);
-	sae_write_commit(&g_sae_data, buf, NULL, NULL); //no token
+	if (!buf) {
+		wpa_printf(MSG_ERROR, "wpa3: failed to allocate buffer for commit msg");
+		return NULL;
+	}
+
+	if (sae_write_commit(&g_sae_data, buf, NULL, NULL) != ESP_OK) {
+		wpa_printf(MSG_ERROR, "wpa3: failed to write SAE commit msg");
+		wpabuf_free(buf);
+		return NULL;
+	}
 	g_sae_data.state = SAE_COMMITTED;
 
 	return buf;
@@ -65,7 +71,16 @@ static struct wpabuf *wpa3_build_sae_confirm(void)
 		return NULL;
 
 	buf = wpabuf_alloc(SAE_COMMIT_MAX_LEN);
-	sae_write_confirm(&g_sae_data, buf);
+	if (!buf) {
+		wpa_printf(MSG_ERROR, "wpa3: failed to allocate buffer for confirm msg");
+		return NULL;
+	}
+
+	if (sae_write_confirm(&g_sae_data, buf) != ESP_OK) {
+		wpa_printf(MSG_ERROR, "wpa3: failed to write SAE confirm msg");
+		wpabuf_free(buf);
+		return NULL;
+	}
 	g_sae_data.state = SAE_CONFIRMED;
 
 	return buf;
@@ -100,22 +115,22 @@ static int wpa3_parse_sae_commit(u8 *buf, u32 len)
 	if (g_sae_data.state != SAE_COMMITTED) {
 		wpa_printf(MSG_ERROR, "wpa3: failed to parse SAE commit in state(%d)!",
 			   g_sae_data.state);
-		return -1;
+		return ESP_FAIL;
 	}
 
 	ret = sae_parse_commit(&g_sae_data, buf, len, NULL, 0, g_allowed_groups);
 	if (ret) {
 		wpa_printf(MSG_ERROR, "wpa3: could not parse commit(%d)", ret);
-		return -1;
+		return ESP_FAIL;
 	}
 
 	ret = sae_process_commit(&g_sae_data);
 	if (ret) {
 		wpa_printf(MSG_ERROR, "wpa3: could not process commit(%d)", ret);
-		return -1;
+		return ESP_FAIL;
 	}
 
-	return 0;
+	return ESP_OK;
 }
 
 static int wpa3_parse_sae_confirm(u8 *buf, u32 len)
@@ -123,21 +138,24 @@ static int wpa3_parse_sae_confirm(u8 *buf, u32 len)
 	if (g_sae_data.state != SAE_CONFIRMED) {
 		wpa_printf(MSG_ERROR, "wpa3: failed to parse SAE commit in state(%d)!",
 			   g_sae_data.state);
-		return -1;
+		return ESP_FAIL;
 	}
 
-	sae_check_confirm(&g_sae_data, buf, len);
+	if (sae_check_confirm(&g_sae_data, buf, len) != ESP_OK) {
+		wpa_printf(MSG_ERROR, "wpa3: failed to parse SAE confirm");
+		return ESP_FAIL;
+	}
 	g_sae_data.state = SAE_ACCEPTED;
 
 	wpa_set_pmk(g_sae_data.pmk);
 	memcpy(esp_wifi_sta_get_ap_info_prof_pmk_internal(), g_sae_data.pmk, PMK_LEN);
 
-	return 0;
+	return ESP_OK;
 }
 
 static int wpa3_parse_sae_msg(u8 *buf, u32 len, u32 sae_msg_type)
 {
-	int ret = 0;
+	int ret = ESP_OK;
 
 	switch (sae_msg_type) {
 		case SAE_MSG_COMMIT:
@@ -149,7 +167,7 @@ static int wpa3_parse_sae_msg(u8 *buf, u32 len, u32 sae_msg_type)
 		default:
 			wpa_printf(MSG_ERROR, "wpa3: Invalid SAE msg type(%d)!",
 				   sae_msg_type);
-			ret = -1;
+			ret = ESP_FAIL;
 			break;
 	}
 

components/wpa_supplicant/src/rsn_supp/wpa.c

@@ -245,6 +245,8 @@ void   wpa_sm_key_request(struct wpa_sm *sm, int error, int pairwise)
         ver = WPA_KEY_INFO_TYPE_AES_128_CMAC;
     else if (sm->pairwise_cipher == WPA_CIPHER_CCMP)
         ver = WPA_KEY_INFO_TYPE_HMAC_SHA1_AES;
+    else if (sm->key_mgmt == WPA_KEY_MGMT_SAE)
+	ver = 0;
     else
         ver = WPA_KEY_INFO_TYPE_HMAC_MD5_RC4;
 
@@ -1661,7 +1663,8 @@ failed:
             return -1;
         }
     } else if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES ||
-           ver == WPA_KEY_INFO_TYPE_AES_128_CMAC) {
+               ver == WPA_KEY_INFO_TYPE_AES_128_CMAC ||
+               sm->key_mgmt == WPA_KEY_MGMT_SAE) {
         u8 *buf;
         if (keydatalen % 8) {
             #ifdef DEBUG_PRINT    
@@ -1832,6 +1835,9 @@ int   wpa_sm_rx_eapol(u8 *src_addr, u8 *buf, u32 len)
     if (ver != WPA_KEY_INFO_TYPE_HMAC_MD5_RC4 &&
 #ifdef CONFIG_IEEE80211W
         ver != WPA_KEY_INFO_TYPE_AES_128_CMAC &&
+#ifdef CONFIG_WPA3_SAE
+        sm->key_mgmt != WPA_KEY_MGMT_SAE &&
+#endif
 #endif
         ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
 #ifdef DEBUG_PRINT    
@@ -1843,14 +1849,16 @@ int   wpa_sm_rx_eapol(u8 *src_addr, u8 *buf, u32 len)
 
 #ifdef CONFIG_IEEE80211W
     if (wpa_key_mgmt_sha256(sm->key_mgmt)) {
-        if (ver != WPA_KEY_INFO_TYPE_AES_128_CMAC) {
+        if (ver != WPA_KEY_INFO_TYPE_AES_128_CMAC &&
+	    sm->key_mgmt != WPA_KEY_MGMT_SAE) {
             goto out;
         }
     } else
 #endif
 
     if (sm->pairwise_cipher == WPA_CIPHER_CCMP &&
-        ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
+        ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES &&
+        sm->key_mgmt != WPA_KEY_MGMT_SAE) {
 #ifdef DEBUG_PRINT    
            wpa_printf(MSG_DEBUG, "WPA: CCMP is used, but EAPOL-Key "
                "descriptor version (%d) is not 2.", ver);
@@ -2073,8 +2081,6 @@ void wpa_set_profile(u32 wpa_proto, u8 auth_mode)
     sm->proto = wpa_proto;
     if (auth_mode == WPA2_AUTH_ENT) {
         sm->key_mgmt = WPA_KEY_MGMT_IEEE8021X; /* for wpa2 enterprise */
-    } else if (auth_mode == WPA2_AUTH_PSK) {
-        sm->key_mgmt = WPA_KEY_MGMT_PSK;  /* fixed to PSK for now */
     } else if (auth_mode == WPA2_AUTH_PSK_SHA256) {
         sm->key_mgmt = WPA_KEY_MGMT_PSK_SHA256;
     } else if (auth_mode == WPA3_AUTH_PSK) {

components/wpa_supplicant/test/test_sae.c

@@ -85,7 +85,7 @@ TEST_CASE("Test SAE functionality with ECC group", "[wpa3_sae]")
 
         TEST_ASSERT( buf != NULL);
 
-        sae_write_commit(&sae, buf, NULL);// No anti-clogging token
+        sae_write_commit(&sae, buf, NULL, NULL);// No anti-clogging token
 
         /* Parsing commit created by self will be detected as reflection attack*/
         TEST_ASSERT(sae_parse_commit(&sae,
@@ -125,14 +125,14 @@ TEST_CASE("Test SAE functionality with ECC group", "[wpa3_sae]")
         /* STA1 creates commit msg buffer*/
         buf1 = wpabuf_alloc2(SAE_COMMIT_MAX_LEN);
         TEST_ASSERT( buf1 != NULL);
-        sae_write_commit(&sae1, buf1, NULL);// No anti-clogging token
+        sae_write_commit(&sae1, buf1, NULL, NULL);// No anti-clogging token
 	ESP_LOG_BUFFER_HEXDUMP("SAE: Commit1", wpabuf_mhead_u8(buf1), wpabuf_len(buf1), ESP_LOG_INFO);
 
 
         /* STA2 creates commit msg buffer*/
         buf2 = wpabuf_alloc2(SAE_COMMIT_MAX_LEN);
         TEST_ASSERT( buf2 != NULL);
-        sae_write_commit(&sae2, buf2, NULL);// No anti-clogging token
+        sae_write_commit(&sae2, buf2, NULL, NULL);// No anti-clogging token
         ESP_LOG_BUFFER_HEXDUMP("SAE: Commit2", wpabuf_mhead_u8(buf2), wpabuf_len(buf2), ESP_LOG_INFO);
 
         sae1.state = SAE_COMMITTED;
@@ -205,20 +205,20 @@ TEST_CASE("Test SAE functionality with ECC group", "[wpa3_sae]")
         TEST_ASSERT(sae_set_group(&sae2, IANA_SECP256R1) == 0);
 
         /* STA1 prepares for commit*/
-        TEST_ASSERT(sae_prepare_commit(addr1, addr2, pwd1, strlen((const char *)pwd), NULL, &sae1) == 0);
+        TEST_ASSERT(sae_prepare_commit(addr1, addr2, pwd1, strlen((const char *)pwd1), NULL, &sae1) == 0);
 
         /* STA2 prepares for commit*/
-        TEST_ASSERT(sae_prepare_commit(addr2, addr1, pwd2, strlen((const char *)pwd), NULL, &sae2) == 0);
+        TEST_ASSERT(sae_prepare_commit(addr2, addr1, pwd2, strlen((const char *)pwd2), NULL, &sae2) == 0);
 
         /* STA1 creates commit msg buffer*/
         buf1 = wpabuf_alloc2(SAE_COMMIT_MAX_LEN);
         TEST_ASSERT( buf1 != NULL);
-        sae_write_commit(&sae1, buf1, NULL);// No anti-clogging token
+        sae_write_commit(&sae1, buf1, NULL, NULL);// No anti-clogging token
 
         /* STA2 creates commit msg buffer*/
         buf2 = wpabuf_alloc2(SAE_COMMIT_MAX_LEN);
         TEST_ASSERT( buf2 != NULL);
-        sae_write_commit(&sae2, buf2, NULL);// No anti-clogging token
+        sae_write_commit(&sae2, buf2, NULL, NULL);// No anti-clogging token
 
         sae1.state = SAE_COMMITTED;
         sae2.state = SAE_COMMITTED;