xref: /freebsd/contrib/wpa/src/common/wpa_common.c (revision 2e3507c25e42292b45a5482e116d278f5515d04d)
1 /*
2  * WPA/RSN - Shared functions for supplicant and authenticator
3  * Copyright (c) 2002-2018, Jouni Malinen <j@w1.fi>
4  *
5  * This software may be distributed under the terms of the BSD license.
6  * See README for more details.
7  */
8 
9 #include "includes.h"
10 
11 #include "common.h"
12 #include "crypto/md5.h"
13 #include "crypto/sha1.h"
14 #include "crypto/sha256.h"
15 #include "crypto/sha384.h"
16 #include "crypto/sha512.h"
17 #include "crypto/aes_wrap.h"
18 #include "crypto/crypto.h"
19 #include "ieee802_11_defs.h"
20 #include "defs.h"
21 #include "wpa_common.h"
22 
23 
24 static unsigned int wpa_kck_len(int akmp, size_t pmk_len)
25 {
26 	switch (akmp) {
27 	case WPA_KEY_MGMT_IEEE8021X_SUITE_B_192:
28 	case WPA_KEY_MGMT_FT_IEEE8021X_SHA384:
29 		return 24;
30 	case WPA_KEY_MGMT_FILS_SHA256:
31 	case WPA_KEY_MGMT_FT_FILS_SHA256:
32 	case WPA_KEY_MGMT_FILS_SHA384:
33 	case WPA_KEY_MGMT_FT_FILS_SHA384:
34 		return 0;
35 	case WPA_KEY_MGMT_DPP:
36 		return pmk_len / 2;
37 	case WPA_KEY_MGMT_OWE:
38 		return pmk_len / 2;
39 	default:
40 		return 16;
41 	}
42 }
43 
44 
45 #ifdef CONFIG_IEEE80211R
46 static unsigned int wpa_kck2_len(int akmp)
47 {
48 	switch (akmp) {
49 	case WPA_KEY_MGMT_FT_FILS_SHA256:
50 		return 16;
51 	case WPA_KEY_MGMT_FT_FILS_SHA384:
52 		return 24;
53 	default:
54 		return 0;
55 	}
56 }
57 #endif /* CONFIG_IEEE80211R */
58 
59 
60 static unsigned int wpa_kek_len(int akmp, size_t pmk_len)
61 {
62 	switch (akmp) {
63 	case WPA_KEY_MGMT_FILS_SHA384:
64 	case WPA_KEY_MGMT_FT_FILS_SHA384:
65 		return 64;
66 	case WPA_KEY_MGMT_IEEE8021X_SUITE_B_192:
67 	case WPA_KEY_MGMT_FILS_SHA256:
68 	case WPA_KEY_MGMT_FT_FILS_SHA256:
69 	case WPA_KEY_MGMT_FT_IEEE8021X_SHA384:
70 		return 32;
71 	case WPA_KEY_MGMT_DPP:
72 		return pmk_len <= 32 ? 16 : 32;
73 	case WPA_KEY_MGMT_OWE:
74 		return pmk_len <= 32 ? 16 : 32;
75 	default:
76 		return 16;
77 	}
78 }
79 
80 
81 #ifdef CONFIG_IEEE80211R
82 static unsigned int wpa_kek2_len(int akmp)
83 {
84 	switch (akmp) {
85 	case WPA_KEY_MGMT_FT_FILS_SHA256:
86 		return 16;
87 	case WPA_KEY_MGMT_FT_FILS_SHA384:
88 		return 32;
89 	default:
90 		return 0;
91 	}
92 }
93 #endif /* CONFIG_IEEE80211R */
94 
95 
96 unsigned int wpa_mic_len(int akmp, size_t pmk_len)
97 {
98 	switch (akmp) {
99 	case WPA_KEY_MGMT_IEEE8021X_SUITE_B_192:
100 	case WPA_KEY_MGMT_FT_IEEE8021X_SHA384:
101 		return 24;
102 	case WPA_KEY_MGMT_FILS_SHA256:
103 	case WPA_KEY_MGMT_FILS_SHA384:
104 	case WPA_KEY_MGMT_FT_FILS_SHA256:
105 	case WPA_KEY_MGMT_FT_FILS_SHA384:
106 		return 0;
107 	case WPA_KEY_MGMT_DPP:
108 		return pmk_len / 2;
109 	case WPA_KEY_MGMT_OWE:
110 		return pmk_len / 2;
111 	default:
112 		return 16;
113 	}
114 }
115 
116 
117 /**
118  * wpa_use_akm_defined - Is AKM-defined Key Descriptor Version used
119  * @akmp: WPA_KEY_MGMT_* used in key derivation
120  * Returns: 1 if AKM-defined Key Descriptor Version is used; 0 otherwise
121  */
122 int wpa_use_akm_defined(int akmp)
123 {
124 	return akmp == WPA_KEY_MGMT_OSEN ||
125 		akmp == WPA_KEY_MGMT_OWE ||
126 		akmp == WPA_KEY_MGMT_DPP ||
127 		akmp == WPA_KEY_MGMT_FT_IEEE8021X_SHA384 ||
128 		wpa_key_mgmt_sae(akmp) ||
129 		wpa_key_mgmt_suite_b(akmp) ||
130 		wpa_key_mgmt_fils(akmp);
131 }
132 
133 
134 /**
135  * wpa_use_cmac - Is CMAC integrity algorithm used for EAPOL-Key MIC
136  * @akmp: WPA_KEY_MGMT_* used in key derivation
137  * Returns: 1 if CMAC is used; 0 otherwise
138  */
139 int wpa_use_cmac(int akmp)
140 {
141 	return akmp == WPA_KEY_MGMT_OSEN ||
142 		akmp == WPA_KEY_MGMT_OWE ||
143 		akmp == WPA_KEY_MGMT_DPP ||
144 		wpa_key_mgmt_ft(akmp) ||
145 		wpa_key_mgmt_sha256(akmp) ||
146 		wpa_key_mgmt_sae(akmp) ||
147 		wpa_key_mgmt_suite_b(akmp);
148 }
149 
150 
151 /**
152  * wpa_use_aes_key_wrap - Is AES Keywrap algorithm used for EAPOL-Key Key Data
153  * @akmp: WPA_KEY_MGMT_* used in key derivation
154  * Returns: 1 if AES Keywrap is used; 0 otherwise
155  *
156  * Note: AKM 00-0F-AC:1 and 00-0F-AC:2 have special rules for selecting whether
157  * to use AES Keywrap based on the negotiated pairwise cipher. This function
158  * does not cover those special cases.
159  */
160 int wpa_use_aes_key_wrap(int akmp)
161 {
162 	return akmp == WPA_KEY_MGMT_OSEN ||
163 		akmp == WPA_KEY_MGMT_OWE ||
164 		akmp == WPA_KEY_MGMT_DPP ||
165 		wpa_key_mgmt_ft(akmp) ||
166 		wpa_key_mgmt_sha256(akmp) ||
167 		wpa_key_mgmt_sae(akmp) ||
168 		wpa_key_mgmt_suite_b(akmp);
169 }
170 
171 
172 /**
173  * wpa_eapol_key_mic - Calculate EAPOL-Key MIC
174  * @key: EAPOL-Key Key Confirmation Key (KCK)
175  * @key_len: KCK length in octets
176  * @akmp: WPA_KEY_MGMT_* used in key derivation
177  * @ver: Key descriptor version (WPA_KEY_INFO_TYPE_*)
178  * @buf: Pointer to the beginning of the EAPOL header (version field)
179  * @len: Length of the EAPOL frame (from EAPOL header to the end of the frame)
180  * @mic: Pointer to the buffer to which the EAPOL-Key MIC is written
181  * Returns: 0 on success, -1 on failure
182  *
183  * Calculate EAPOL-Key MIC for an EAPOL-Key packet. The EAPOL-Key MIC field has
184  * to be cleared (all zeroes) when calling this function.
185  *
186  * Note: 'IEEE Std 802.11i-2004 - 8.5.2 EAPOL-Key frames' has an error in the
187  * description of the Key MIC calculation. It includes packet data from the
188  * beginning of the EAPOL-Key header, not EAPOL header. This incorrect change
189  * happened during final editing of the standard and the correct behavior is
190  * defined in the last draft (IEEE 802.11i/D10).
191  */
192 int wpa_eapol_key_mic(const u8 *key, size_t key_len, int akmp, int ver,
193 		      const u8 *buf, size_t len, u8 *mic)
194 {
195 	u8 hash[SHA512_MAC_LEN];
196 
197 	if (key_len == 0) {
198 		wpa_printf(MSG_DEBUG,
199 			   "WPA: KCK not set - cannot calculate MIC");
200 		return -1;
201 	}
202 
203 	switch (ver) {
204 #ifndef CONFIG_FIPS
205 	case WPA_KEY_INFO_TYPE_HMAC_MD5_RC4:
206 		wpa_printf(MSG_DEBUG, "WPA: EAPOL-Key MIC using HMAC-MD5");
207 		return hmac_md5(key, key_len, buf, len, mic);
208 #endif /* CONFIG_FIPS */
209 	case WPA_KEY_INFO_TYPE_HMAC_SHA1_AES:
210 		wpa_printf(MSG_DEBUG, "WPA: EAPOL-Key MIC using HMAC-SHA1");
211 		if (hmac_sha1(key, key_len, buf, len, hash))
212 			return -1;
213 		os_memcpy(mic, hash, MD5_MAC_LEN);
214 		break;
215 	case WPA_KEY_INFO_TYPE_AES_128_CMAC:
216 		wpa_printf(MSG_DEBUG, "WPA: EAPOL-Key MIC using AES-CMAC");
217 		return omac1_aes_128(key, buf, len, mic);
218 	case WPA_KEY_INFO_TYPE_AKM_DEFINED:
219 		switch (akmp) {
220 #ifdef CONFIG_SAE
221 		case WPA_KEY_MGMT_SAE:
222 		case WPA_KEY_MGMT_FT_SAE:
223 			wpa_printf(MSG_DEBUG,
224 				   "WPA: EAPOL-Key MIC using AES-CMAC (AKM-defined - SAE)");
225 			return omac1_aes_128(key, buf, len, mic);
226 #endif /* CONFIG_SAE */
227 #ifdef CONFIG_HS20
228 		case WPA_KEY_MGMT_OSEN:
229 			wpa_printf(MSG_DEBUG,
230 				   "WPA: EAPOL-Key MIC using AES-CMAC (AKM-defined - OSEN)");
231 			return omac1_aes_128(key, buf, len, mic);
232 #endif /* CONFIG_HS20 */
233 #ifdef CONFIG_SUITEB
234 		case WPA_KEY_MGMT_IEEE8021X_SUITE_B:
235 			wpa_printf(MSG_DEBUG,
236 				   "WPA: EAPOL-Key MIC using HMAC-SHA256 (AKM-defined - Suite B)");
237 			if (hmac_sha256(key, key_len, buf, len, hash))
238 				return -1;
239 			os_memcpy(mic, hash, MD5_MAC_LEN);
240 			break;
241 #endif /* CONFIG_SUITEB */
242 #ifdef CONFIG_SUITEB192
243 		case WPA_KEY_MGMT_IEEE8021X_SUITE_B_192:
244 			wpa_printf(MSG_DEBUG,
245 				   "WPA: EAPOL-Key MIC using HMAC-SHA384 (AKM-defined - Suite B 192-bit)");
246 			if (hmac_sha384(key, key_len, buf, len, hash))
247 				return -1;
248 			os_memcpy(mic, hash, 24);
249 			break;
250 #endif /* CONFIG_SUITEB192 */
251 #ifdef CONFIG_OWE
252 		case WPA_KEY_MGMT_OWE:
253 			wpa_printf(MSG_DEBUG,
254 				   "WPA: EAPOL-Key MIC using HMAC-SHA%u (AKM-defined - OWE)",
255 				   (unsigned int) key_len * 8 * 2);
256 			if (key_len == 128 / 8) {
257 				if (hmac_sha256(key, key_len, buf, len, hash))
258 					return -1;
259 			} else if (key_len == 192 / 8) {
260 				if (hmac_sha384(key, key_len, buf, len, hash))
261 					return -1;
262 			} else if (key_len == 256 / 8) {
263 				if (hmac_sha512(key, key_len, buf, len, hash))
264 					return -1;
265 			} else {
266 				wpa_printf(MSG_INFO,
267 					   "OWE: Unsupported KCK length: %u",
268 					   (unsigned int) key_len);
269 				return -1;
270 			}
271 			os_memcpy(mic, hash, key_len);
272 			break;
273 #endif /* CONFIG_OWE */
274 #ifdef CONFIG_DPP
275 		case WPA_KEY_MGMT_DPP:
276 			wpa_printf(MSG_DEBUG,
277 				   "WPA: EAPOL-Key MIC using HMAC-SHA%u (AKM-defined - DPP)",
278 				   (unsigned int) key_len * 8 * 2);
279 			if (key_len == 128 / 8) {
280 				if (hmac_sha256(key, key_len, buf, len, hash))
281 					return -1;
282 			} else if (key_len == 192 / 8) {
283 				if (hmac_sha384(key, key_len, buf, len, hash))
284 					return -1;
285 			} else if (key_len == 256 / 8) {
286 				if (hmac_sha512(key, key_len, buf, len, hash))
287 					return -1;
288 			} else {
289 				wpa_printf(MSG_INFO,
290 					   "DPP: Unsupported KCK length: %u",
291 					   (unsigned int) key_len);
292 				return -1;
293 			}
294 			os_memcpy(mic, hash, key_len);
295 			break;
296 #endif /* CONFIG_DPP */
297 #if defined(CONFIG_IEEE80211R) && defined(CONFIG_SHA384)
298 		case WPA_KEY_MGMT_FT_IEEE8021X_SHA384:
299 			wpa_printf(MSG_DEBUG,
300 				   "WPA: EAPOL-Key MIC using HMAC-SHA384 (AKM-defined - FT 802.1X SHA384)");
301 			if (hmac_sha384(key, key_len, buf, len, hash))
302 				return -1;
303 			os_memcpy(mic, hash, 24);
304 			break;
305 #endif /* CONFIG_IEEE80211R && CONFIG_SHA384 */
306 		default:
307 			wpa_printf(MSG_DEBUG,
308 				   "WPA: EAPOL-Key MIC algorithm not known (AKM-defined - akmp=0x%x)",
309 				   akmp);
310 			return -1;
311 		}
312 		break;
313 	default:
314 		wpa_printf(MSG_DEBUG,
315 			   "WPA: EAPOL-Key MIC algorithm not known (ver=%d)",
316 			   ver);
317 		return -1;
318 	}
319 
320 	return 0;
321 }
322 
323 
324 /**
325  * wpa_pmk_to_ptk - Calculate PTK from PMK, addresses, and nonces
326  * @pmk: Pairwise master key
327  * @pmk_len: Length of PMK
328  * @label: Label to use in derivation
329  * @addr1: AA or SA
330  * @addr2: SA or AA
331  * @nonce1: ANonce or SNonce
332  * @nonce2: SNonce or ANonce
333  * @ptk: Buffer for pairwise transient key
334  * @akmp: Negotiated AKM
335  * @cipher: Negotiated pairwise cipher
336  * @kdk_len: The length in octets that should be derived for KDK
337  * Returns: 0 on success, -1 on failure
338  *
339  * IEEE Std 802.11i-2004 - 8.5.1.2 Pairwise key hierarchy
340  * PTK = PRF-X(PMK, "Pairwise key expansion",
341  *             Min(AA, SA) || Max(AA, SA) ||
342  *             Min(ANonce, SNonce) || Max(ANonce, SNonce)
343  *             [ || Z.x ])
344  *
345  * The optional Z.x component is used only with DPP and that part is not defined
346  * in IEEE 802.11.
347  */
348 int wpa_pmk_to_ptk(const u8 *pmk, size_t pmk_len, const char *label,
349 		   const u8 *addr1, const u8 *addr2,
350 		   const u8 *nonce1, const u8 *nonce2,
351 		   struct wpa_ptk *ptk, int akmp, int cipher,
352 		   const u8 *z, size_t z_len, size_t kdk_len)
353 {
354 #define MAX_Z_LEN 66 /* with NIST P-521 */
355 	u8 data[2 * ETH_ALEN + 2 * WPA_NONCE_LEN + MAX_Z_LEN];
356 	size_t data_len = 2 * ETH_ALEN + 2 * WPA_NONCE_LEN;
357 	u8 tmp[WPA_KCK_MAX_LEN + WPA_KEK_MAX_LEN + WPA_TK_MAX_LEN +
358 		WPA_KDK_MAX_LEN];
359 	size_t ptk_len;
360 #ifdef CONFIG_OWE
361 	int owe_ptk_workaround = 0;
362 
363 	if (akmp == (WPA_KEY_MGMT_OWE | WPA_KEY_MGMT_PSK_SHA256)) {
364 		owe_ptk_workaround = 1;
365 		akmp = WPA_KEY_MGMT_OWE;
366 	}
367 #endif /* CONFIG_OWE */
368 
369 	if (pmk_len == 0) {
370 		wpa_printf(MSG_ERROR, "WPA: No PMK set for PTK derivation");
371 		return -1;
372 	}
373 
374 	if (z_len > MAX_Z_LEN)
375 		return -1;
376 
377 	if (os_memcmp(addr1, addr2, ETH_ALEN) < 0) {
378 		os_memcpy(data, addr1, ETH_ALEN);
379 		os_memcpy(data + ETH_ALEN, addr2, ETH_ALEN);
380 	} else {
381 		os_memcpy(data, addr2, ETH_ALEN);
382 		os_memcpy(data + ETH_ALEN, addr1, ETH_ALEN);
383 	}
384 
385 	if (os_memcmp(nonce1, nonce2, WPA_NONCE_LEN) < 0) {
386 		os_memcpy(data + 2 * ETH_ALEN, nonce1, WPA_NONCE_LEN);
387 		os_memcpy(data + 2 * ETH_ALEN + WPA_NONCE_LEN, nonce2,
388 			  WPA_NONCE_LEN);
389 	} else {
390 		os_memcpy(data + 2 * ETH_ALEN, nonce2, WPA_NONCE_LEN);
391 		os_memcpy(data + 2 * ETH_ALEN + WPA_NONCE_LEN, nonce1,
392 			  WPA_NONCE_LEN);
393 	}
394 
395 	if (z && z_len) {
396 		os_memcpy(data + 2 * ETH_ALEN + 2 * WPA_NONCE_LEN, z, z_len);
397 		data_len += z_len;
398 	}
399 
400 	if (kdk_len > WPA_KDK_MAX_LEN) {
401 		wpa_printf(MSG_ERROR,
402 			   "WPA: KDK len=%zu exceeds max supported len",
403 			   kdk_len);
404 		return -1;
405 	}
406 
407 	ptk->kck_len = wpa_kck_len(akmp, pmk_len);
408 	ptk->kek_len = wpa_kek_len(akmp, pmk_len);
409 	ptk->tk_len = wpa_cipher_key_len(cipher);
410 	ptk->kdk_len = kdk_len;
411 	if (ptk->tk_len == 0) {
412 		wpa_printf(MSG_ERROR,
413 			   "WPA: Unsupported cipher (0x%x) used in PTK derivation",
414 			   cipher);
415 		return -1;
416 	}
417 	ptk_len = ptk->kck_len + ptk->kek_len + ptk->tk_len + ptk->kdk_len;
418 
419 	if (wpa_key_mgmt_sha384(akmp)) {
420 #if defined(CONFIG_SUITEB192) || defined(CONFIG_FILS)
421 		wpa_printf(MSG_DEBUG, "WPA: PTK derivation using PRF(SHA384)");
422 		if (sha384_prf(pmk, pmk_len, label, data, data_len,
423 			       tmp, ptk_len) < 0)
424 			return -1;
425 #else /* CONFIG_SUITEB192 || CONFIG_FILS */
426 		return -1;
427 #endif /* CONFIG_SUITEB192 || CONFIG_FILS */
428 	} else if (wpa_key_mgmt_sha256(akmp)) {
429 		wpa_printf(MSG_DEBUG, "WPA: PTK derivation using PRF(SHA256)");
430 		if (sha256_prf(pmk, pmk_len, label, data, data_len,
431 			       tmp, ptk_len) < 0)
432 			return -1;
433 #ifdef CONFIG_OWE
434 	} else if (akmp == WPA_KEY_MGMT_OWE && (pmk_len == 32 ||
435 						owe_ptk_workaround)) {
436 		wpa_printf(MSG_DEBUG, "WPA: PTK derivation using PRF(SHA256)");
437 		if (sha256_prf(pmk, pmk_len, label, data, data_len,
438 			       tmp, ptk_len) < 0)
439 			return -1;
440 	} else if (akmp == WPA_KEY_MGMT_OWE && pmk_len == 48) {
441 		wpa_printf(MSG_DEBUG, "WPA: PTK derivation using PRF(SHA384)");
442 		if (sha384_prf(pmk, pmk_len, label, data, data_len,
443 			       tmp, ptk_len) < 0)
444 			return -1;
445 	} else if (akmp == WPA_KEY_MGMT_OWE && pmk_len == 64) {
446 		wpa_printf(MSG_DEBUG, "WPA: PTK derivation using PRF(SHA512)");
447 		if (sha512_prf(pmk, pmk_len, label, data, data_len,
448 			       tmp, ptk_len) < 0)
449 			return -1;
450 	} else if (akmp == WPA_KEY_MGMT_OWE) {
451 		wpa_printf(MSG_INFO, "OWE: Unknown PMK length %u",
452 			   (unsigned int) pmk_len);
453 		return -1;
454 #endif /* CONFIG_OWE */
455 #ifdef CONFIG_DPP
456 	} else if (akmp == WPA_KEY_MGMT_DPP && pmk_len == 32) {
457 		wpa_printf(MSG_DEBUG, "WPA: PTK derivation using PRF(SHA256)");
458 		if (sha256_prf(pmk, pmk_len, label, data, data_len,
459 			       tmp, ptk_len) < 0)
460 			return -1;
461 	} else if (akmp == WPA_KEY_MGMT_DPP && pmk_len == 48) {
462 		wpa_printf(MSG_DEBUG, "WPA: PTK derivation using PRF(SHA384)");
463 		if (sha384_prf(pmk, pmk_len, label, data, data_len,
464 			       tmp, ptk_len) < 0)
465 			return -1;
466 	} else if (akmp == WPA_KEY_MGMT_DPP && pmk_len == 64) {
467 		wpa_printf(MSG_DEBUG, "WPA: PTK derivation using PRF(SHA512)");
468 		if (sha512_prf(pmk, pmk_len, label, data, data_len,
469 			       tmp, ptk_len) < 0)
470 			return -1;
471 	} else if (akmp == WPA_KEY_MGMT_DPP) {
472 		wpa_printf(MSG_INFO, "DPP: Unknown PMK length %u",
473 			   (unsigned int) pmk_len);
474 		return -1;
475 #endif /* CONFIG_DPP */
476 	} else {
477 		wpa_printf(MSG_DEBUG, "WPA: PTK derivation using PRF(SHA1)");
478 		if (sha1_prf(pmk, pmk_len, label, data, data_len, tmp,
479 			     ptk_len) < 0)
480 			return -1;
481 	}
482 
483 	wpa_printf(MSG_DEBUG, "WPA: PTK derivation - A1=" MACSTR " A2=" MACSTR,
484 		   MAC2STR(addr1), MAC2STR(addr2));
485 	wpa_hexdump(MSG_DEBUG, "WPA: Nonce1", nonce1, WPA_NONCE_LEN);
486 	wpa_hexdump(MSG_DEBUG, "WPA: Nonce2", nonce2, WPA_NONCE_LEN);
487 	if (z && z_len)
488 		wpa_hexdump_key(MSG_DEBUG, "WPA: Z.x", z, z_len);
489 	wpa_hexdump_key(MSG_DEBUG, "WPA: PMK", pmk, pmk_len);
490 	wpa_hexdump_key(MSG_DEBUG, "WPA: PTK", tmp, ptk_len);
491 
492 	os_memcpy(ptk->kck, tmp, ptk->kck_len);
493 	wpa_hexdump_key(MSG_DEBUG, "WPA: KCK", ptk->kck, ptk->kck_len);
494 
495 	os_memcpy(ptk->kek, tmp + ptk->kck_len, ptk->kek_len);
496 	wpa_hexdump_key(MSG_DEBUG, "WPA: KEK", ptk->kek, ptk->kek_len);
497 
498 	os_memcpy(ptk->tk, tmp + ptk->kck_len + ptk->kek_len, ptk->tk_len);
499 	wpa_hexdump_key(MSG_DEBUG, "WPA: TK", ptk->tk, ptk->tk_len);
500 
501 	if (kdk_len) {
502 		os_memcpy(ptk->kdk, tmp + ptk->kck_len + ptk->kek_len +
503 			  ptk->tk_len, ptk->kdk_len);
504 		wpa_hexdump_key(MSG_DEBUG, "WPA: KDK", ptk->kdk, ptk->kdk_len);
505 	}
506 
507 	ptk->kek2_len = 0;
508 	ptk->kck2_len = 0;
509 
510 	os_memset(tmp, 0, sizeof(tmp));
511 	os_memset(data, 0, data_len);
512 	return 0;
513 }
514 
515 #ifdef CONFIG_FILS
516 
517 int fils_rmsk_to_pmk(int akmp, const u8 *rmsk, size_t rmsk_len,
518 		     const u8 *snonce, const u8 *anonce, const u8 *dh_ss,
519 		     size_t dh_ss_len, u8 *pmk, size_t *pmk_len)
520 {
521 	u8 nonces[2 * FILS_NONCE_LEN];
522 	const u8 *addr[2];
523 	size_t len[2];
524 	size_t num_elem;
525 	int res;
526 
527 	/* PMK = HMAC-Hash(SNonce || ANonce, rMSK [ || DHss ]) */
528 	wpa_printf(MSG_DEBUG, "FILS: rMSK to PMK derivation");
529 
530 	if (wpa_key_mgmt_sha384(akmp))
531 		*pmk_len = SHA384_MAC_LEN;
532 	else if (wpa_key_mgmt_sha256(akmp))
533 		*pmk_len = SHA256_MAC_LEN;
534 	else
535 		return -1;
536 
537 	wpa_hexdump_key(MSG_DEBUG, "FILS: rMSK", rmsk, rmsk_len);
538 	wpa_hexdump(MSG_DEBUG, "FILS: SNonce", snonce, FILS_NONCE_LEN);
539 	wpa_hexdump(MSG_DEBUG, "FILS: ANonce", anonce, FILS_NONCE_LEN);
540 	wpa_hexdump(MSG_DEBUG, "FILS: DHss", dh_ss, dh_ss_len);
541 
542 	os_memcpy(nonces, snonce, FILS_NONCE_LEN);
543 	os_memcpy(&nonces[FILS_NONCE_LEN], anonce, FILS_NONCE_LEN);
544 	addr[0] = rmsk;
545 	len[0] = rmsk_len;
546 	num_elem = 1;
547 	if (dh_ss) {
548 		addr[1] = dh_ss;
549 		len[1] = dh_ss_len;
550 		num_elem++;
551 	}
552 	if (wpa_key_mgmt_sha384(akmp))
553 		res = hmac_sha384_vector(nonces, 2 * FILS_NONCE_LEN, num_elem,
554 					 addr, len, pmk);
555 	else
556 		res = hmac_sha256_vector(nonces, 2 * FILS_NONCE_LEN, num_elem,
557 					 addr, len, pmk);
558 	if (res == 0)
559 		wpa_hexdump_key(MSG_DEBUG, "FILS: PMK", pmk, *pmk_len);
560 	else
561 		*pmk_len = 0;
562 	return res;
563 }
564 
565 
566 int fils_pmkid_erp(int akmp, const u8 *reauth, size_t reauth_len,
567 		   u8 *pmkid)
568 {
569 	const u8 *addr[1];
570 	size_t len[1];
571 	u8 hash[SHA384_MAC_LEN];
572 	int res;
573 
574 	/* PMKID = Truncate-128(Hash(EAP-Initiate/Reauth)) */
575 	addr[0] = reauth;
576 	len[0] = reauth_len;
577 	if (wpa_key_mgmt_sha384(akmp))
578 		res = sha384_vector(1, addr, len, hash);
579 	else if (wpa_key_mgmt_sha256(akmp))
580 		res = sha256_vector(1, addr, len, hash);
581 	else
582 		return -1;
583 	if (res)
584 		return res;
585 	os_memcpy(pmkid, hash, PMKID_LEN);
586 	wpa_hexdump(MSG_DEBUG, "FILS: PMKID", pmkid, PMKID_LEN);
587 	return 0;
588 }
589 
590 
591 int fils_pmk_to_ptk(const u8 *pmk, size_t pmk_len, const u8 *spa, const u8 *aa,
592 		    const u8 *snonce, const u8 *anonce, const u8 *dhss,
593 		    size_t dhss_len, struct wpa_ptk *ptk,
594 		    u8 *ick, size_t *ick_len, int akmp, int cipher,
595 		    u8 *fils_ft, size_t *fils_ft_len, size_t kdk_len)
596 {
597 	u8 *data, *pos;
598 	size_t data_len;
599 	u8 tmp[FILS_ICK_MAX_LEN + WPA_KEK_MAX_LEN + WPA_TK_MAX_LEN +
600 	       FILS_FT_MAX_LEN + WPA_KDK_MAX_LEN];
601 	size_t key_data_len;
602 	const char *label = "FILS PTK Derivation";
603 	int ret = -1;
604 	size_t offset;
605 
606 	/*
607 	 * FILS-Key-Data = PRF-X(PMK, "FILS PTK Derivation",
608 	 *                       SPA || AA || SNonce || ANonce [ || DHss ])
609 	 * ICK = L(FILS-Key-Data, 0, ICK_bits)
610 	 * KEK = L(FILS-Key-Data, ICK_bits, KEK_bits)
611 	 * TK = L(FILS-Key-Data, ICK_bits + KEK_bits, TK_bits)
612 	 * If doing FT initial mobility domain association:
613 	 * FILS-FT = L(FILS-Key-Data, ICK_bits + KEK_bits + TK_bits,
614 	 *             FILS-FT_bits)
615 	 * When a KDK is derived:
616 	 * KDK = L(FILS-Key-Data, ICK_bits + KEK_bits + TK_bits + FILS-FT_bits,
617 	 *	   KDK_bits)
618 	 */
619 	data_len = 2 * ETH_ALEN + 2 * FILS_NONCE_LEN + dhss_len;
620 	data = os_malloc(data_len);
621 	if (!data)
622 		goto err;
623 	pos = data;
624 	os_memcpy(pos, spa, ETH_ALEN);
625 	pos += ETH_ALEN;
626 	os_memcpy(pos, aa, ETH_ALEN);
627 	pos += ETH_ALEN;
628 	os_memcpy(pos, snonce, FILS_NONCE_LEN);
629 	pos += FILS_NONCE_LEN;
630 	os_memcpy(pos, anonce, FILS_NONCE_LEN);
631 	pos += FILS_NONCE_LEN;
632 	if (dhss)
633 		os_memcpy(pos, dhss, dhss_len);
634 
635 	ptk->kck_len = 0;
636 	ptk->kek_len = wpa_kek_len(akmp, pmk_len);
637 	ptk->tk_len = wpa_cipher_key_len(cipher);
638 	if (wpa_key_mgmt_sha384(akmp))
639 		*ick_len = 48;
640 	else if (wpa_key_mgmt_sha256(akmp))
641 		*ick_len = 32;
642 	else
643 		goto err;
644 	key_data_len = *ick_len + ptk->kek_len + ptk->tk_len;
645 
646 	if (kdk_len) {
647 		if (kdk_len > WPA_KDK_MAX_LEN) {
648 			wpa_printf(MSG_ERROR, "FILS: KDK len=%zu too big",
649 				   kdk_len);
650 			goto err;
651 		}
652 
653 		ptk->kdk_len = kdk_len;
654 		key_data_len += kdk_len;
655 	} else {
656 		ptk->kdk_len = 0;
657 	}
658 
659 	if (fils_ft && fils_ft_len) {
660 		if (akmp == WPA_KEY_MGMT_FT_FILS_SHA256) {
661 			*fils_ft_len = 32;
662 		} else if (akmp == WPA_KEY_MGMT_FT_FILS_SHA384) {
663 			*fils_ft_len = 48;
664 		} else {
665 			*fils_ft_len = 0;
666 			fils_ft = NULL;
667 		}
668 		key_data_len += *fils_ft_len;
669 	}
670 
671 	if (wpa_key_mgmt_sha384(akmp)) {
672 		wpa_printf(MSG_DEBUG, "FILS: PTK derivation using PRF(SHA384)");
673 		if (sha384_prf(pmk, pmk_len, label, data, data_len,
674 			       tmp, key_data_len) < 0)
675 			goto err;
676 	} else {
677 		wpa_printf(MSG_DEBUG, "FILS: PTK derivation using PRF(SHA256)");
678 		if (sha256_prf(pmk, pmk_len, label, data, data_len,
679 			       tmp, key_data_len) < 0)
680 			goto err;
681 	}
682 
683 	wpa_printf(MSG_DEBUG, "FILS: PTK derivation - SPA=" MACSTR
684 		   " AA=" MACSTR, MAC2STR(spa), MAC2STR(aa));
685 	wpa_hexdump(MSG_DEBUG, "FILS: SNonce", snonce, FILS_NONCE_LEN);
686 	wpa_hexdump(MSG_DEBUG, "FILS: ANonce", anonce, FILS_NONCE_LEN);
687 	if (dhss)
688 		wpa_hexdump_key(MSG_DEBUG, "FILS: DHss", dhss, dhss_len);
689 	wpa_hexdump_key(MSG_DEBUG, "FILS: PMK", pmk, pmk_len);
690 	wpa_hexdump_key(MSG_DEBUG, "FILS: FILS-Key-Data", tmp, key_data_len);
691 
692 	os_memcpy(ick, tmp, *ick_len);
693 	offset = *ick_len;
694 	wpa_hexdump_key(MSG_DEBUG, "FILS: ICK", ick, *ick_len);
695 
696 	os_memcpy(ptk->kek, tmp + offset, ptk->kek_len);
697 	wpa_hexdump_key(MSG_DEBUG, "FILS: KEK", ptk->kek, ptk->kek_len);
698 	offset += ptk->kek_len;
699 
700 	os_memcpy(ptk->tk, tmp + offset, ptk->tk_len);
701 	wpa_hexdump_key(MSG_DEBUG, "FILS: TK", ptk->tk, ptk->tk_len);
702 	offset += ptk->tk_len;
703 
704 	if (fils_ft && fils_ft_len) {
705 		os_memcpy(fils_ft, tmp + offset, *fils_ft_len);
706 		wpa_hexdump_key(MSG_DEBUG, "FILS: FILS-FT",
707 				fils_ft, *fils_ft_len);
708 		offset += *fils_ft_len;
709 	}
710 
711 	if (ptk->kdk_len) {
712 		os_memcpy(ptk->kdk, tmp + offset, ptk->kdk_len);
713 		wpa_hexdump_key(MSG_DEBUG, "FILS: KDK", ptk->kdk, ptk->kdk_len);
714 	}
715 
716 	ptk->kek2_len = 0;
717 	ptk->kck2_len = 0;
718 
719 	os_memset(tmp, 0, sizeof(tmp));
720 	ret = 0;
721 err:
722 	bin_clear_free(data, data_len);
723 	return ret;
724 }
725 
726 
727 int fils_key_auth_sk(const u8 *ick, size_t ick_len, const u8 *snonce,
728 		     const u8 *anonce, const u8 *sta_addr, const u8 *bssid,
729 		     const u8 *g_sta, size_t g_sta_len,
730 		     const u8 *g_ap, size_t g_ap_len,
731 		     int akmp, u8 *key_auth_sta, u8 *key_auth_ap,
732 		     size_t *key_auth_len)
733 {
734 	const u8 *addr[6];
735 	size_t len[6];
736 	size_t num_elem = 4;
737 	int res;
738 
739 	wpa_printf(MSG_DEBUG, "FILS: Key-Auth derivation: STA-MAC=" MACSTR
740 		   " AP-BSSID=" MACSTR, MAC2STR(sta_addr), MAC2STR(bssid));
741 	wpa_hexdump_key(MSG_DEBUG, "FILS: ICK", ick, ick_len);
742 	wpa_hexdump(MSG_DEBUG, "FILS: SNonce", snonce, FILS_NONCE_LEN);
743 	wpa_hexdump(MSG_DEBUG, "FILS: ANonce", anonce, FILS_NONCE_LEN);
744 	wpa_hexdump(MSG_DEBUG, "FILS: gSTA", g_sta, g_sta_len);
745 	wpa_hexdump(MSG_DEBUG, "FILS: gAP", g_ap, g_ap_len);
746 
747 	/*
748 	 * For (Re)Association Request frame (STA->AP):
749 	 * Key-Auth = HMAC-Hash(ICK, SNonce || ANonce || STA-MAC || AP-BSSID
750 	 *                      [ || gSTA || gAP ])
751 	 */
752 	addr[0] = snonce;
753 	len[0] = FILS_NONCE_LEN;
754 	addr[1] = anonce;
755 	len[1] = FILS_NONCE_LEN;
756 	addr[2] = sta_addr;
757 	len[2] = ETH_ALEN;
758 	addr[3] = bssid;
759 	len[3] = ETH_ALEN;
760 	if (g_sta && g_sta_len && g_ap && g_ap_len) {
761 		addr[4] = g_sta;
762 		len[4] = g_sta_len;
763 		addr[5] = g_ap;
764 		len[5] = g_ap_len;
765 		num_elem = 6;
766 	}
767 
768 	if (wpa_key_mgmt_sha384(akmp)) {
769 		*key_auth_len = 48;
770 		res = hmac_sha384_vector(ick, ick_len, num_elem, addr, len,
771 					 key_auth_sta);
772 	} else if (wpa_key_mgmt_sha256(akmp)) {
773 		*key_auth_len = 32;
774 		res = hmac_sha256_vector(ick, ick_len, num_elem, addr, len,
775 					 key_auth_sta);
776 	} else {
777 		return -1;
778 	}
779 	if (res < 0)
780 		return res;
781 
782 	/*
783 	 * For (Re)Association Response frame (AP->STA):
784 	 * Key-Auth = HMAC-Hash(ICK, ANonce || SNonce || AP-BSSID || STA-MAC
785 	 *                      [ || gAP || gSTA ])
786 	 */
787 	addr[0] = anonce;
788 	addr[1] = snonce;
789 	addr[2] = bssid;
790 	addr[3] = sta_addr;
791 	if (g_sta && g_sta_len && g_ap && g_ap_len) {
792 		addr[4] = g_ap;
793 		len[4] = g_ap_len;
794 		addr[5] = g_sta;
795 		len[5] = g_sta_len;
796 	}
797 
798 	if (wpa_key_mgmt_sha384(akmp))
799 		res = hmac_sha384_vector(ick, ick_len, num_elem, addr, len,
800 					 key_auth_ap);
801 	else if (wpa_key_mgmt_sha256(akmp))
802 		res = hmac_sha256_vector(ick, ick_len, num_elem, addr, len,
803 					 key_auth_ap);
804 	if (res < 0)
805 		return res;
806 
807 	wpa_hexdump(MSG_DEBUG, "FILS: Key-Auth (STA)",
808 		    key_auth_sta, *key_auth_len);
809 	wpa_hexdump(MSG_DEBUG, "FILS: Key-Auth (AP)",
810 		    key_auth_ap, *key_auth_len);
811 
812 	return 0;
813 }
814 
815 #endif /* CONFIG_FILS */
816 
817 
818 #ifdef CONFIG_IEEE80211R
819 int wpa_ft_mic(const u8 *kck, size_t kck_len, const u8 *sta_addr,
820 	       const u8 *ap_addr, u8 transaction_seqnum,
821 	       const u8 *mdie, size_t mdie_len,
822 	       const u8 *ftie, size_t ftie_len,
823 	       const u8 *rsnie, size_t rsnie_len,
824 	       const u8 *ric, size_t ric_len,
825 	       const u8 *rsnxe, size_t rsnxe_len,
826 	       u8 *mic)
827 {
828 	const u8 *addr[10];
829 	size_t len[10];
830 	size_t i, num_elem = 0;
831 	u8 zero_mic[24];
832 	size_t mic_len, fte_fixed_len;
833 
834 	if (kck_len == 16) {
835 		mic_len = 16;
836 #ifdef CONFIG_SHA384
837 	} else if (kck_len == 24) {
838 		mic_len = 24;
839 #endif /* CONFIG_SHA384 */
840 	} else {
841 		wpa_printf(MSG_WARNING, "FT: Unsupported KCK length %u",
842 			   (unsigned int) kck_len);
843 		return -1;
844 	}
845 
846 	fte_fixed_len = sizeof(struct rsn_ftie) - 16 + mic_len;
847 
848 	addr[num_elem] = sta_addr;
849 	len[num_elem] = ETH_ALEN;
850 	num_elem++;
851 
852 	addr[num_elem] = ap_addr;
853 	len[num_elem] = ETH_ALEN;
854 	num_elem++;
855 
856 	addr[num_elem] = &transaction_seqnum;
857 	len[num_elem] = 1;
858 	num_elem++;
859 
860 	if (rsnie) {
861 		addr[num_elem] = rsnie;
862 		len[num_elem] = rsnie_len;
863 		num_elem++;
864 	}
865 	if (mdie) {
866 		addr[num_elem] = mdie;
867 		len[num_elem] = mdie_len;
868 		num_elem++;
869 	}
870 	if (ftie) {
871 		if (ftie_len < 2 + fte_fixed_len)
872 			return -1;
873 
874 		/* IE hdr and mic_control */
875 		addr[num_elem] = ftie;
876 		len[num_elem] = 2 + 2;
877 		num_elem++;
878 
879 		/* MIC field with all zeros */
880 		os_memset(zero_mic, 0, mic_len);
881 		addr[num_elem] = zero_mic;
882 		len[num_elem] = mic_len;
883 		num_elem++;
884 
885 		/* Rest of FTIE */
886 		addr[num_elem] = ftie + 2 + 2 + mic_len;
887 		len[num_elem] = ftie_len - (2 + 2 + mic_len);
888 		num_elem++;
889 	}
890 	if (ric) {
891 		addr[num_elem] = ric;
892 		len[num_elem] = ric_len;
893 		num_elem++;
894 	}
895 
896 	if (rsnxe) {
897 		addr[num_elem] = rsnxe;
898 		len[num_elem] = rsnxe_len;
899 		num_elem++;
900 	}
901 
902 	for (i = 0; i < num_elem; i++)
903 		wpa_hexdump(MSG_MSGDUMP, "FT: MIC data", addr[i], len[i]);
904 #ifdef CONFIG_SHA384
905 	if (kck_len == 24) {
906 		u8 hash[SHA384_MAC_LEN];
907 
908 		if (hmac_sha384_vector(kck, kck_len, num_elem, addr, len, hash))
909 			return -1;
910 		os_memcpy(mic, hash, 24);
911 	}
912 #endif /* CONFIG_SHA384 */
913 	if (kck_len == 16 &&
914 	    omac1_aes_128_vector(kck, num_elem, addr, len, mic))
915 		return -1;
916 
917 	return 0;
918 }
919 
920 
921 static int wpa_ft_parse_ftie(const u8 *ie, size_t ie_len,
922 			     struct wpa_ft_ies *parse, int use_sha384)
923 {
924 	const u8 *end, *pos;
925 
926 	parse->ftie = ie;
927 	parse->ftie_len = ie_len;
928 
929 	pos = ie + (use_sha384 ? sizeof(struct rsn_ftie_sha384) :
930 		    sizeof(struct rsn_ftie));
931 	end = ie + ie_len;
932 	wpa_hexdump(MSG_DEBUG, "FT: Parse FTE subelements", pos, end - pos);
933 
934 	while (end - pos >= 2) {
935 		u8 id, len;
936 
937 		id = *pos++;
938 		len = *pos++;
939 		if (len > end - pos) {
940 			wpa_printf(MSG_DEBUG, "FT: Truncated subelement");
941 			break;
942 		}
943 
944 		switch (id) {
945 		case FTIE_SUBELEM_R1KH_ID:
946 			if (len != FT_R1KH_ID_LEN) {
947 				wpa_printf(MSG_DEBUG,
948 					   "FT: Invalid R1KH-ID length in FTIE: %d",
949 					   len);
950 				return -1;
951 			}
952 			parse->r1kh_id = pos;
953 			break;
954 		case FTIE_SUBELEM_GTK:
955 			parse->gtk = pos;
956 			parse->gtk_len = len;
957 			break;
958 		case FTIE_SUBELEM_R0KH_ID:
959 			if (len < 1 || len > FT_R0KH_ID_MAX_LEN) {
960 				wpa_printf(MSG_DEBUG,
961 					   "FT: Invalid R0KH-ID length in FTIE: %d",
962 					   len);
963 				return -1;
964 			}
965 			parse->r0kh_id = pos;
966 			parse->r0kh_id_len = len;
967 			break;
968 		case FTIE_SUBELEM_IGTK:
969 			parse->igtk = pos;
970 			parse->igtk_len = len;
971 			break;
972 #ifdef CONFIG_OCV
973 		case FTIE_SUBELEM_OCI:
974 			parse->oci = pos;
975 			parse->oci_len = len;
976 			break;
977 #endif /* CONFIG_OCV */
978 		case FTIE_SUBELEM_BIGTK:
979 			parse->bigtk = pos;
980 			parse->bigtk_len = len;
981 			break;
982 		default:
983 			wpa_printf(MSG_DEBUG, "FT: Unknown subelem id %u", id);
984 			break;
985 		}
986 
987 		pos += len;
988 	}
989 
990 	return 0;
991 }
992 
993 
994 int wpa_ft_parse_ies(const u8 *ies, size_t ies_len,
995 		     struct wpa_ft_ies *parse, int use_sha384)
996 {
997 	const u8 *end, *pos;
998 	struct wpa_ie_data data;
999 	int ret;
1000 	const struct rsn_ftie *ftie;
1001 	int prot_ie_count = 0;
1002 	int update_use_sha384 = 0;
1003 
1004 	if (use_sha384 < 0) {
1005 		use_sha384 = 0;
1006 		update_use_sha384 = 1;
1007 	}
1008 
1009 	os_memset(parse, 0, sizeof(*parse));
1010 	if (ies == NULL)
1011 		return 0;
1012 
1013 	pos = ies;
1014 	end = ies + ies_len;
1015 	while (end - pos >= 2) {
1016 		u8 id, len;
1017 
1018 		id = *pos++;
1019 		len = *pos++;
1020 		if (len > end - pos)
1021 			break;
1022 
1023 		switch (id) {
1024 		case WLAN_EID_RSN:
1025 			wpa_hexdump(MSG_DEBUG, "FT: RSNE", pos, len);
1026 			parse->rsn = pos;
1027 			parse->rsn_len = len;
1028 			ret = wpa_parse_wpa_ie_rsn(parse->rsn - 2,
1029 						   parse->rsn_len + 2,
1030 						   &data);
1031 			if (ret < 0) {
1032 				wpa_printf(MSG_DEBUG, "FT: Failed to parse "
1033 					   "RSN IE: %d", ret);
1034 				return -1;
1035 			}
1036 			parse->rsn_capab = data.capabilities;
1037 			if (data.num_pmkid == 1 && data.pmkid)
1038 				parse->rsn_pmkid = data.pmkid;
1039 			parse->key_mgmt = data.key_mgmt;
1040 			parse->pairwise_cipher = data.pairwise_cipher;
1041 			if (update_use_sha384) {
1042 				use_sha384 =
1043 					wpa_key_mgmt_sha384(parse->key_mgmt);
1044 				update_use_sha384 = 0;
1045 			}
1046 			break;
1047 		case WLAN_EID_RSNX:
1048 			wpa_hexdump(MSG_DEBUG, "FT: RSNXE", pos, len);
1049 			if (len < 1)
1050 				break;
1051 			parse->rsnxe = pos;
1052 			parse->rsnxe_len = len;
1053 			break;
1054 		case WLAN_EID_MOBILITY_DOMAIN:
1055 			wpa_hexdump(MSG_DEBUG, "FT: MDE", pos, len);
1056 			if (len < sizeof(struct rsn_mdie))
1057 				return -1;
1058 			parse->mdie = pos;
1059 			parse->mdie_len = len;
1060 			break;
1061 		case WLAN_EID_FAST_BSS_TRANSITION:
1062 			wpa_hexdump(MSG_DEBUG, "FT: FTE", pos, len);
1063 			if (use_sha384) {
1064 				const struct rsn_ftie_sha384 *ftie_sha384;
1065 
1066 				if (len < sizeof(*ftie_sha384))
1067 					return -1;
1068 				ftie_sha384 =
1069 					(const struct rsn_ftie_sha384 *) pos;
1070 				wpa_hexdump(MSG_DEBUG, "FT: FTE-MIC Control",
1071 					    ftie_sha384->mic_control, 2);
1072 				wpa_hexdump(MSG_DEBUG, "FT: FTE-MIC",
1073 					    ftie_sha384->mic,
1074 					    sizeof(ftie_sha384->mic));
1075 				parse->fte_anonce = ftie_sha384->anonce;
1076 				wpa_hexdump(MSG_DEBUG, "FT: FTE-ANonce",
1077 					    ftie_sha384->anonce,
1078 					    WPA_NONCE_LEN);
1079 				parse->fte_snonce = ftie_sha384->snonce;
1080 				wpa_hexdump(MSG_DEBUG, "FT: FTE-SNonce",
1081 					    ftie_sha384->snonce,
1082 					    WPA_NONCE_LEN);
1083 				prot_ie_count = ftie_sha384->mic_control[1];
1084 				if (wpa_ft_parse_ftie(pos, len, parse, 1) < 0)
1085 					return -1;
1086 				break;
1087 			}
1088 
1089 			if (len < sizeof(*ftie))
1090 				return -1;
1091 			ftie = (const struct rsn_ftie *) pos;
1092 			wpa_hexdump(MSG_DEBUG, "FT: FTE-MIC Control",
1093 				    ftie->mic_control, 2);
1094 			wpa_hexdump(MSG_DEBUG, "FT: FTE-MIC",
1095 				    ftie->mic, sizeof(ftie->mic));
1096 			parse->fte_anonce = ftie->anonce;
1097 			wpa_hexdump(MSG_DEBUG, "FT: FTE-ANonce",
1098 				    ftie->anonce, WPA_NONCE_LEN);
1099 			parse->fte_snonce = ftie->snonce;
1100 			wpa_hexdump(MSG_DEBUG, "FT: FTE-SNonce",
1101 				    ftie->snonce, WPA_NONCE_LEN);
1102 			prot_ie_count = ftie->mic_control[1];
1103 			if (wpa_ft_parse_ftie(pos, len, parse, 0) < 0)
1104 				return -1;
1105 			break;
1106 		case WLAN_EID_TIMEOUT_INTERVAL:
1107 			wpa_hexdump(MSG_DEBUG, "FT: Timeout Interval",
1108 				    pos, len);
1109 			if (len != 5)
1110 				break;
1111 			parse->tie = pos;
1112 			parse->tie_len = len;
1113 			break;
1114 		case WLAN_EID_RIC_DATA:
1115 			if (parse->ric == NULL)
1116 				parse->ric = pos - 2;
1117 			break;
1118 		}
1119 
1120 		pos += len;
1121 	}
1122 
1123 	if (prot_ie_count == 0)
1124 		return 0; /* no MIC */
1125 
1126 	/*
1127 	 * Check that the protected IE count matches with IEs included in the
1128 	 * frame.
1129 	 */
1130 	if (parse->rsn)
1131 		prot_ie_count--;
1132 	if (parse->mdie)
1133 		prot_ie_count--;
1134 	if (parse->ftie)
1135 		prot_ie_count--;
1136 	if (parse->rsnxe)
1137 		prot_ie_count--;
1138 	if (prot_ie_count < 0) {
1139 		wpa_printf(MSG_DEBUG, "FT: Some required IEs not included in "
1140 			   "the protected IE count");
1141 		return -1;
1142 	}
1143 
1144 	if (prot_ie_count == 0 && parse->ric) {
1145 		wpa_printf(MSG_DEBUG, "FT: RIC IE(s) in the frame, but not "
1146 			   "included in protected IE count");
1147 		return -1;
1148 	}
1149 
1150 	/* Determine the end of the RIC IE(s) */
1151 	if (parse->ric) {
1152 		pos = parse->ric;
1153 		while (end - pos >= 2 && 2 + pos[1] <= end - pos &&
1154 		       prot_ie_count) {
1155 			prot_ie_count--;
1156 			pos += 2 + pos[1];
1157 		}
1158 		parse->ric_len = pos - parse->ric;
1159 	}
1160 	if (prot_ie_count) {
1161 		wpa_printf(MSG_DEBUG, "FT: %d protected IEs missing from "
1162 			   "frame", (int) prot_ie_count);
1163 		return -1;
1164 	}
1165 
1166 	return 0;
1167 }
1168 #endif /* CONFIG_IEEE80211R */
1169 
1170 
1171 #ifdef CONFIG_PASN
1172 
1173 /*
1174  * pasn_use_sha384 - Should SHA384 be used or SHA256
1175  *
1176  * @akmp: Authentication and key management protocol
1177  * @cipher: The cipher suite
1178  *
1179  * According to IEEE P802.11az/D2.7, 12.12.7, the hash algorithm to use is the
1180  * hash algorithm defined for the Base AKM (see Table 9-151 (AKM suite
1181  * selectors)). When there is no Base AKM, the hash algorithm is selected based
1182  * on the pairwise cipher suite provided in the RSNE by the AP in the second
1183  * PASN frame. SHA-256 is used as the hash algorithm, except for the ciphers
1184  * 00-0F-AC:9 and 00-0F-AC:10 for which SHA-384 is used.
1185  */
1186 static bool pasn_use_sha384(int akmp, int cipher)
1187 {
1188 	return (akmp == WPA_KEY_MGMT_PASN && (cipher == WPA_CIPHER_CCMP_256 ||
1189 					      cipher == WPA_CIPHER_GCMP_256)) ||
1190 		wpa_key_mgmt_sha384(akmp);
1191 }
1192 
1193 
1194 /**
1195  * pasn_pmk_to_ptk - Calculate PASN PTK from PMK, addresses, etc.
1196  * @pmk: Pairwise master key
1197  * @pmk_len: Length of PMK
1198  * @spa: Suppplicant address
1199  * @bssid: AP BSSID
1200  * @dhss: Is the shared secret (DHss) derived from the PASN ephemeral key
1201  *	exchange encoded as an octet string
1202  * @dhss_len: The length of dhss in octets
1203  * @ptk: Buffer for pairwise transient key
1204  * @akmp: Negotiated AKM
1205  * @cipher: Negotiated pairwise cipher
1206  * @kdk_len: the length in octets that should be derived for HTLK. Can be zero.
1207  * Returns: 0 on success, -1 on failure
1208  */
1209 int pasn_pmk_to_ptk(const u8 *pmk, size_t pmk_len,
1210 		    const u8 *spa, const u8 *bssid,
1211 		    const u8 *dhss, size_t dhss_len,
1212 		    struct wpa_ptk *ptk, int akmp, int cipher,
1213 		    size_t kdk_len)
1214 {
1215 	u8 tmp[WPA_KCK_MAX_LEN + WPA_TK_MAX_LEN + WPA_KDK_MAX_LEN];
1216 	u8 *data;
1217 	size_t data_len, ptk_len;
1218 	int ret = -1;
1219 	const char *label = "PASN PTK Derivation";
1220 
1221 	if (!pmk || !pmk_len) {
1222 		wpa_printf(MSG_ERROR, "PASN: No PMK set for PTK derivation");
1223 		return -1;
1224 	}
1225 
1226 	if (!dhss || !dhss_len) {
1227 		wpa_printf(MSG_ERROR, "PASN: No DHss set for PTK derivation");
1228 		return -1;
1229 	}
1230 
1231 	/*
1232 	 * PASN-PTK = KDF(PMK, “PASN PTK Derivation”, SPA || BSSID || DHss)
1233 	 *
1234 	 * KCK = L(PASN-PTK, 0, 256)
1235 	 * TK = L(PASN-PTK, 256, TK_bits)
1236 	 * KDK = L(PASN-PTK, 256 + TK_bits, kdk_len * 8)
1237 	 */
1238 	data_len = 2 * ETH_ALEN + dhss_len;
1239 	data = os_zalloc(data_len);
1240 	if (!data)
1241 		return -1;
1242 
1243 	os_memcpy(data, spa, ETH_ALEN);
1244 	os_memcpy(data + ETH_ALEN, bssid, ETH_ALEN);
1245 	os_memcpy(data + 2 * ETH_ALEN, dhss, dhss_len);
1246 
1247 	ptk->kck_len = WPA_PASN_KCK_LEN;
1248 	ptk->tk_len = wpa_cipher_key_len(cipher);
1249 	ptk->kdk_len = kdk_len;
1250 	ptk->kek_len = 0;
1251 	ptk->kek2_len = 0;
1252 	ptk->kck2_len = 0;
1253 
1254 	if (ptk->tk_len == 0) {
1255 		wpa_printf(MSG_ERROR,
1256 			   "PASN: Unsupported cipher (0x%x) used in PTK derivation",
1257 			   cipher);
1258 		goto err;
1259 	}
1260 
1261 	ptk_len = ptk->kck_len + ptk->tk_len + ptk->kdk_len;
1262 	if (ptk_len > sizeof(tmp))
1263 		goto err;
1264 
1265 	if (pasn_use_sha384(akmp, cipher)) {
1266 		wpa_printf(MSG_DEBUG, "PASN: PTK derivation using SHA384");
1267 
1268 		if (sha384_prf(pmk, pmk_len, label, data, data_len, tmp,
1269 			       ptk_len) < 0)
1270 			goto err;
1271 	} else {
1272 		wpa_printf(MSG_DEBUG, "PASN: PTK derivation using SHA256");
1273 
1274 		if (sha256_prf(pmk, pmk_len, label, data, data_len, tmp,
1275 			       ptk_len) < 0)
1276 			goto err;
1277 	}
1278 
1279 	wpa_printf(MSG_DEBUG,
1280 		   "PASN: PTK derivation: SPA=" MACSTR " BSSID=" MACSTR,
1281 		   MAC2STR(spa), MAC2STR(bssid));
1282 
1283 	wpa_hexdump_key(MSG_DEBUG, "PASN: DHss", dhss, dhss_len);
1284 	wpa_hexdump_key(MSG_DEBUG, "PASN: PMK", pmk, pmk_len);
1285 	wpa_hexdump_key(MSG_DEBUG, "PASN: PASN-PTK", tmp, ptk_len);
1286 
1287 	os_memcpy(ptk->kck, tmp, WPA_PASN_KCK_LEN);
1288 	wpa_hexdump_key(MSG_DEBUG, "PASN: KCK:", ptk->kck, WPA_PASN_KCK_LEN);
1289 
1290 	os_memcpy(ptk->tk, tmp + WPA_PASN_KCK_LEN, ptk->tk_len);
1291 	wpa_hexdump_key(MSG_DEBUG, "PASN: TK:", ptk->tk, ptk->tk_len);
1292 
1293 	if (kdk_len) {
1294 		os_memcpy(ptk->kdk, tmp + WPA_PASN_KCK_LEN + ptk->tk_len,
1295 			  ptk->kdk_len);
1296 		wpa_hexdump_key(MSG_DEBUG, "PASN: KDK:",
1297 				ptk->kdk, ptk->kdk_len);
1298 	}
1299 
1300 	forced_memzero(tmp, sizeof(tmp));
1301 	ret = 0;
1302 err:
1303 	bin_clear_free(data, data_len);
1304 	return ret;
1305 }
1306 
1307 
1308 /*
1309  * pasn_mic_len - Returns the MIC length for PASN authentication
1310  */
1311 u8 pasn_mic_len(int akmp, int cipher)
1312 {
1313 	if (pasn_use_sha384(akmp, cipher))
1314 		return 24;
1315 
1316 	return 16;
1317 }
1318 
1319 
1320 /**
1321  * pasn_mic - Calculate PASN MIC
1322  * @kck: The key confirmation key for the PASN PTKSA
1323  * @akmp: Negotiated AKM
1324  * @cipher: Negotiated pairwise cipher
1325  * @addr1: For the 2nd PASN frame supplicant address; for the 3rd frame the
1326  *	BSSID
1327  * @addr2: For the 2nd PASN frame the BSSID; for the 3rd frame the supplicant
1328  *	address
1329  * @data: For calculating the MIC for the 2nd PASN frame, this should hold the
1330  *	Beacon frame RSNE + RSNXE. For calculating the MIC for the 3rd PASN
1331  *	frame, this should hold the hash of the body of the PASN 1st frame.
1332  * @data_len: The length of data
1333  * @frame: The body of the PASN frame including the MIC element with the octets
1334  *	in the MIC field of the MIC element set to 0.
1335  * @frame_len: The length of frame
1336  * @mic: Buffer to hold the MIC on success. Should be big enough to handle the
1337  *	maximal MIC length
1338  * Returns: 0 on success, -1 on failure
1339  */
1340 int pasn_mic(const u8 *kck, int akmp, int cipher,
1341 	     const u8 *addr1, const u8 *addr2,
1342 	     const u8 *data, size_t data_len,
1343 	     const u8 *frame, size_t frame_len, u8 *mic)
1344 {
1345 	u8 *buf;
1346 	u8 hash[SHA384_MAC_LEN];
1347 	size_t buf_len = 2 * ETH_ALEN + data_len + frame_len;
1348 	int ret = -1;
1349 
1350 	if (!kck) {
1351 		wpa_printf(MSG_ERROR, "PASN: No KCK for MIC calculation");
1352 		return -1;
1353 	}
1354 
1355 	if (!data || !data_len) {
1356 		wpa_printf(MSG_ERROR, "PASN: invalid data for MIC calculation");
1357 		return -1;
1358 	}
1359 
1360 	if (!frame || !frame_len) {
1361 		wpa_printf(MSG_ERROR, "PASN: invalid data for MIC calculation");
1362 		return -1;
1363 	}
1364 
1365 	buf = os_zalloc(buf_len);
1366 	if (!buf)
1367 		return -1;
1368 
1369 	os_memcpy(buf, addr1, ETH_ALEN);
1370 	os_memcpy(buf + ETH_ALEN, addr2, ETH_ALEN);
1371 
1372 	wpa_hexdump_key(MSG_DEBUG, "PASN: MIC: data", data, data_len);
1373 	os_memcpy(buf + 2 * ETH_ALEN, data, data_len);
1374 
1375 	wpa_hexdump_key(MSG_DEBUG, "PASN: MIC: frame", frame, frame_len);
1376 	os_memcpy(buf + 2 * ETH_ALEN + data_len, frame, frame_len);
1377 
1378 	wpa_hexdump_key(MSG_DEBUG, "PASN: MIC: KCK", kck, WPA_PASN_KCK_LEN);
1379 	wpa_hexdump_key(MSG_DEBUG, "PASN: MIC: buf", buf, buf_len);
1380 
1381 	if (pasn_use_sha384(akmp, cipher)) {
1382 		wpa_printf(MSG_DEBUG, "PASN: MIC using HMAC-SHA384");
1383 
1384 		if (hmac_sha384(kck, WPA_PASN_KCK_LEN, buf, buf_len, hash))
1385 			goto err;
1386 
1387 		os_memcpy(mic, hash, 24);
1388 		wpa_hexdump_key(MSG_DEBUG, "PASN: MIC: mic: ", mic, 24);
1389 	} else {
1390 		wpa_printf(MSG_DEBUG, "PASN: MIC using HMAC-SHA256");
1391 
1392 		if (hmac_sha256(kck, WPA_PASN_KCK_LEN, buf, buf_len, hash))
1393 			goto err;
1394 
1395 		os_memcpy(mic, hash, 16);
1396 		wpa_hexdump_key(MSG_DEBUG, "PASN: MIC: mic: ", mic, 16);
1397 	}
1398 
1399 	ret = 0;
1400 err:
1401 	bin_clear_free(buf, buf_len);
1402 	return ret;
1403 }
1404 
1405 
1406 /**
1407  * pasn_auth_frame_hash - Computes a hash of an Authentication frame body
1408  * @akmp: Negotiated AKM
1409  * @cipher: Negotiated pairwise cipher
1410  * @data: Pointer to the Authentication frame body
1411  * @len: Length of the Authentication frame body
1412  * @hash: On return would hold the computed hash. Should be big enough to handle
1413  *	SHA384.
1414  * Returns: 0 on success, -1 on failure
1415  */
1416 int pasn_auth_frame_hash(int akmp, int cipher, const u8 *data, size_t len,
1417 			 u8 *hash)
1418 {
1419 	if (pasn_use_sha384(akmp, cipher)) {
1420 		wpa_printf(MSG_DEBUG, "PASN: Frame hash using SHA-384");
1421 		return sha384_vector(1, &data, &len, hash);
1422 	} else {
1423 		wpa_printf(MSG_DEBUG, "PASN: Frame hash using SHA-256");
1424 		return sha256_vector(1, &data, &len, hash);
1425 	}
1426 }
1427 
1428 #endif /* CONFIG_PASN */
1429 
1430 
1431 static int rsn_selector_to_bitfield(const u8 *s)
1432 {
1433 	if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_NONE)
1434 		return WPA_CIPHER_NONE;
1435 	if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_TKIP)
1436 		return WPA_CIPHER_TKIP;
1437 	if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_CCMP)
1438 		return WPA_CIPHER_CCMP;
1439 	if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_AES_128_CMAC)
1440 		return WPA_CIPHER_AES_128_CMAC;
1441 	if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_GCMP)
1442 		return WPA_CIPHER_GCMP;
1443 	if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_CCMP_256)
1444 		return WPA_CIPHER_CCMP_256;
1445 	if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_GCMP_256)
1446 		return WPA_CIPHER_GCMP_256;
1447 	if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_BIP_GMAC_128)
1448 		return WPA_CIPHER_BIP_GMAC_128;
1449 	if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_BIP_GMAC_256)
1450 		return WPA_CIPHER_BIP_GMAC_256;
1451 	if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_BIP_CMAC_256)
1452 		return WPA_CIPHER_BIP_CMAC_256;
1453 	if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED)
1454 		return WPA_CIPHER_GTK_NOT_USED;
1455 	return 0;
1456 }
1457 
1458 
1459 static int rsn_key_mgmt_to_bitfield(const u8 *s)
1460 {
1461 	if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_UNSPEC_802_1X)
1462 		return WPA_KEY_MGMT_IEEE8021X;
1463 	if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_PSK_OVER_802_1X)
1464 		return WPA_KEY_MGMT_PSK;
1465 #ifdef CONFIG_IEEE80211R
1466 	if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_FT_802_1X)
1467 		return WPA_KEY_MGMT_FT_IEEE8021X;
1468 	if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_FT_PSK)
1469 		return WPA_KEY_MGMT_FT_PSK;
1470 #ifdef CONFIG_SHA384
1471 	if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_FT_802_1X_SHA384)
1472 		return WPA_KEY_MGMT_FT_IEEE8021X_SHA384;
1473 #endif /* CONFIG_SHA384 */
1474 #endif /* CONFIG_IEEE80211R */
1475 	if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_802_1X_SHA256)
1476 		return WPA_KEY_MGMT_IEEE8021X_SHA256;
1477 	if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_PSK_SHA256)
1478 		return WPA_KEY_MGMT_PSK_SHA256;
1479 #ifdef CONFIG_SAE
1480 	if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_SAE)
1481 		return WPA_KEY_MGMT_SAE;
1482 	if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_FT_SAE)
1483 		return WPA_KEY_MGMT_FT_SAE;
1484 #endif /* CONFIG_SAE */
1485 	if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_802_1X_SUITE_B)
1486 		return WPA_KEY_MGMT_IEEE8021X_SUITE_B;
1487 	if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_802_1X_SUITE_B_192)
1488 		return WPA_KEY_MGMT_IEEE8021X_SUITE_B_192;
1489 	if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_FILS_SHA256)
1490 		return WPA_KEY_MGMT_FILS_SHA256;
1491 	if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_FILS_SHA384)
1492 		return WPA_KEY_MGMT_FILS_SHA384;
1493 	if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_FT_FILS_SHA256)
1494 		return WPA_KEY_MGMT_FT_FILS_SHA256;
1495 	if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_FT_FILS_SHA384)
1496 		return WPA_KEY_MGMT_FT_FILS_SHA384;
1497 #ifdef CONFIG_OWE
1498 	if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_OWE)
1499 		return WPA_KEY_MGMT_OWE;
1500 #endif /* CONFIG_OWE */
1501 #ifdef CONFIG_DPP
1502 	if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_DPP)
1503 		return WPA_KEY_MGMT_DPP;
1504 #endif /* CONFIG_DPP */
1505 	if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_OSEN)
1506 		return WPA_KEY_MGMT_OSEN;
1507 #ifdef CONFIG_PASN
1508 	if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_PASN)
1509 		return WPA_KEY_MGMT_PASN;
1510 #endif /* CONFIG_PASN */
1511 	return 0;
1512 }
1513 
1514 
1515 int wpa_cipher_valid_group(int cipher)
1516 {
1517 	return wpa_cipher_valid_pairwise(cipher) ||
1518 		cipher == WPA_CIPHER_GTK_NOT_USED;
1519 }
1520 
1521 
1522 int wpa_cipher_valid_mgmt_group(int cipher)
1523 {
1524 	return cipher == WPA_CIPHER_GTK_NOT_USED ||
1525 		cipher == WPA_CIPHER_AES_128_CMAC ||
1526 		cipher == WPA_CIPHER_BIP_GMAC_128 ||
1527 		cipher == WPA_CIPHER_BIP_GMAC_256 ||
1528 		cipher == WPA_CIPHER_BIP_CMAC_256;
1529 }
1530 
1531 
1532 /**
1533  * wpa_parse_wpa_ie_rsn - Parse RSN IE
1534  * @rsn_ie: Buffer containing RSN IE
1535  * @rsn_ie_len: RSN IE buffer length (including IE number and length octets)
1536  * @data: Pointer to structure that will be filled in with parsed data
1537  * Returns: 0 on success, <0 on failure
1538  */
1539 int wpa_parse_wpa_ie_rsn(const u8 *rsn_ie, size_t rsn_ie_len,
1540 			 struct wpa_ie_data *data)
1541 {
1542 	const u8 *pos;
1543 	int left;
1544 	int i, count;
1545 
1546 	os_memset(data, 0, sizeof(*data));
1547 	data->proto = WPA_PROTO_RSN;
1548 	data->pairwise_cipher = WPA_CIPHER_CCMP;
1549 	data->group_cipher = WPA_CIPHER_CCMP;
1550 	data->key_mgmt = WPA_KEY_MGMT_IEEE8021X;
1551 	data->capabilities = 0;
1552 	data->pmkid = NULL;
1553 	data->num_pmkid = 0;
1554 	data->mgmt_group_cipher = WPA_CIPHER_AES_128_CMAC;
1555 
1556 	if (rsn_ie_len == 0) {
1557 		/* No RSN IE - fail silently */
1558 		return -1;
1559 	}
1560 
1561 	if (rsn_ie_len < sizeof(struct rsn_ie_hdr)) {
1562 		wpa_printf(MSG_DEBUG, "%s: ie len too short %lu",
1563 			   __func__, (unsigned long) rsn_ie_len);
1564 		return -1;
1565 	}
1566 
1567 	if (rsn_ie_len >= 6 && rsn_ie[1] >= 4 &&
1568 	    rsn_ie[1] == rsn_ie_len - 2 &&
1569 	    WPA_GET_BE32(&rsn_ie[2]) == OSEN_IE_VENDOR_TYPE) {
1570 		pos = rsn_ie + 6;
1571 		left = rsn_ie_len - 6;
1572 
1573 		data->group_cipher = WPA_CIPHER_GTK_NOT_USED;
1574 		data->has_group = 1;
1575 		data->key_mgmt = WPA_KEY_MGMT_OSEN;
1576 		data->proto = WPA_PROTO_OSEN;
1577 	} else {
1578 		const struct rsn_ie_hdr *hdr;
1579 
1580 		hdr = (const struct rsn_ie_hdr *) rsn_ie;
1581 
1582 		if (hdr->elem_id != WLAN_EID_RSN ||
1583 		    hdr->len != rsn_ie_len - 2 ||
1584 		    WPA_GET_LE16(hdr->version) != RSN_VERSION) {
1585 			wpa_printf(MSG_DEBUG, "%s: malformed ie or unknown version",
1586 				   __func__);
1587 			return -2;
1588 		}
1589 
1590 		pos = (const u8 *) (hdr + 1);
1591 		left = rsn_ie_len - sizeof(*hdr);
1592 	}
1593 
1594 	if (left >= RSN_SELECTOR_LEN) {
1595 		data->group_cipher = rsn_selector_to_bitfield(pos);
1596 		data->has_group = 1;
1597 		if (!wpa_cipher_valid_group(data->group_cipher)) {
1598 			wpa_printf(MSG_DEBUG,
1599 				   "%s: invalid group cipher 0x%x (%08x)",
1600 				   __func__, data->group_cipher,
1601 				   WPA_GET_BE32(pos));
1602 			return -1;
1603 		}
1604 		pos += RSN_SELECTOR_LEN;
1605 		left -= RSN_SELECTOR_LEN;
1606 	} else if (left > 0) {
1607 		wpa_printf(MSG_DEBUG, "%s: ie length mismatch, %u too much",
1608 			   __func__, left);
1609 		return -3;
1610 	}
1611 
1612 	if (left >= 2) {
1613 		data->pairwise_cipher = 0;
1614 		count = WPA_GET_LE16(pos);
1615 		pos += 2;
1616 		left -= 2;
1617 		if (count == 0 || count > left / RSN_SELECTOR_LEN) {
1618 			wpa_printf(MSG_DEBUG, "%s: ie count botch (pairwise), "
1619 				   "count %u left %u", __func__, count, left);
1620 			return -4;
1621 		}
1622 		if (count)
1623 			data->has_pairwise = 1;
1624 		for (i = 0; i < count; i++) {
1625 			data->pairwise_cipher |= rsn_selector_to_bitfield(pos);
1626 			pos += RSN_SELECTOR_LEN;
1627 			left -= RSN_SELECTOR_LEN;
1628 		}
1629 		if (data->pairwise_cipher & WPA_CIPHER_AES_128_CMAC) {
1630 			wpa_printf(MSG_DEBUG, "%s: AES-128-CMAC used as "
1631 				   "pairwise cipher", __func__);
1632 			return -1;
1633 		}
1634 	} else if (left == 1) {
1635 		wpa_printf(MSG_DEBUG, "%s: ie too short (for key mgmt)",
1636 			   __func__);
1637 		return -5;
1638 	}
1639 
1640 	if (left >= 2) {
1641 		data->key_mgmt = 0;
1642 		count = WPA_GET_LE16(pos);
1643 		pos += 2;
1644 		left -= 2;
1645 		if (count == 0 || count > left / RSN_SELECTOR_LEN) {
1646 			wpa_printf(MSG_DEBUG, "%s: ie count botch (key mgmt), "
1647 				   "count %u left %u", __func__, count, left);
1648 			return -6;
1649 		}
1650 		for (i = 0; i < count; i++) {
1651 			data->key_mgmt |= rsn_key_mgmt_to_bitfield(pos);
1652 			pos += RSN_SELECTOR_LEN;
1653 			left -= RSN_SELECTOR_LEN;
1654 		}
1655 	} else if (left == 1) {
1656 		wpa_printf(MSG_DEBUG, "%s: ie too short (for capabilities)",
1657 			   __func__);
1658 		return -7;
1659 	}
1660 
1661 	if (left >= 2) {
1662 		data->capabilities = WPA_GET_LE16(pos);
1663 		pos += 2;
1664 		left -= 2;
1665 	}
1666 
1667 	if (left >= 2) {
1668 		u16 num_pmkid = WPA_GET_LE16(pos);
1669 		pos += 2;
1670 		left -= 2;
1671 		if (num_pmkid > (unsigned int) left / PMKID_LEN) {
1672 			wpa_printf(MSG_DEBUG, "%s: PMKID underflow "
1673 				   "(num_pmkid=%u left=%d)",
1674 				   __func__, num_pmkid, left);
1675 			data->num_pmkid = 0;
1676 			return -9;
1677 		} else {
1678 			data->num_pmkid = num_pmkid;
1679 			data->pmkid = pos;
1680 			pos += data->num_pmkid * PMKID_LEN;
1681 			left -= data->num_pmkid * PMKID_LEN;
1682 		}
1683 	}
1684 
1685 	if (left >= 4) {
1686 		data->mgmt_group_cipher = rsn_selector_to_bitfield(pos);
1687 		if (!wpa_cipher_valid_mgmt_group(data->mgmt_group_cipher)) {
1688 			wpa_printf(MSG_DEBUG,
1689 				   "%s: Unsupported management group cipher 0x%x (%08x)",
1690 				   __func__, data->mgmt_group_cipher,
1691 				   WPA_GET_BE32(pos));
1692 			return -10;
1693 		}
1694 		pos += RSN_SELECTOR_LEN;
1695 		left -= RSN_SELECTOR_LEN;
1696 	}
1697 
1698 	if (left > 0) {
1699 		wpa_hexdump(MSG_DEBUG,
1700 			    "wpa_parse_wpa_ie_rsn: ignore trailing bytes",
1701 			    pos, left);
1702 	}
1703 
1704 	return 0;
1705 }
1706 
1707 
1708 static int wpa_selector_to_bitfield(const u8 *s)
1709 {
1710 	if (RSN_SELECTOR_GET(s) == WPA_CIPHER_SUITE_NONE)
1711 		return WPA_CIPHER_NONE;
1712 	if (RSN_SELECTOR_GET(s) == WPA_CIPHER_SUITE_TKIP)
1713 		return WPA_CIPHER_TKIP;
1714 	if (RSN_SELECTOR_GET(s) == WPA_CIPHER_SUITE_CCMP)
1715 		return WPA_CIPHER_CCMP;
1716 	return 0;
1717 }
1718 
1719 
1720 static int wpa_key_mgmt_to_bitfield(const u8 *s)
1721 {
1722 	if (RSN_SELECTOR_GET(s) == WPA_AUTH_KEY_MGMT_UNSPEC_802_1X)
1723 		return WPA_KEY_MGMT_IEEE8021X;
1724 	if (RSN_SELECTOR_GET(s) == WPA_AUTH_KEY_MGMT_PSK_OVER_802_1X)
1725 		return WPA_KEY_MGMT_PSK;
1726 	if (RSN_SELECTOR_GET(s) == WPA_AUTH_KEY_MGMT_NONE)
1727 		return WPA_KEY_MGMT_WPA_NONE;
1728 	return 0;
1729 }
1730 
1731 
1732 int wpa_parse_wpa_ie_wpa(const u8 *wpa_ie, size_t wpa_ie_len,
1733 			 struct wpa_ie_data *data)
1734 {
1735 	const struct wpa_ie_hdr *hdr;
1736 	const u8 *pos;
1737 	int left;
1738 	int i, count;
1739 
1740 	os_memset(data, 0, sizeof(*data));
1741 	data->proto = WPA_PROTO_WPA;
1742 	data->pairwise_cipher = WPA_CIPHER_TKIP;
1743 	data->group_cipher = WPA_CIPHER_TKIP;
1744 	data->key_mgmt = WPA_KEY_MGMT_IEEE8021X;
1745 	data->capabilities = 0;
1746 	data->pmkid = NULL;
1747 	data->num_pmkid = 0;
1748 	data->mgmt_group_cipher = 0;
1749 
1750 	if (wpa_ie_len < sizeof(struct wpa_ie_hdr)) {
1751 		wpa_printf(MSG_DEBUG, "%s: ie len too short %lu",
1752 			   __func__, (unsigned long) wpa_ie_len);
1753 		return -1;
1754 	}
1755 
1756 	hdr = (const struct wpa_ie_hdr *) wpa_ie;
1757 
1758 	if (hdr->elem_id != WLAN_EID_VENDOR_SPECIFIC ||
1759 	    hdr->len != wpa_ie_len - 2 ||
1760 	    RSN_SELECTOR_GET(hdr->oui) != WPA_OUI_TYPE ||
1761 	    WPA_GET_LE16(hdr->version) != WPA_VERSION) {
1762 		wpa_printf(MSG_DEBUG, "%s: malformed ie or unknown version",
1763 			   __func__);
1764 		return -2;
1765 	}
1766 
1767 	pos = (const u8 *) (hdr + 1);
1768 	left = wpa_ie_len - sizeof(*hdr);
1769 
1770 	if (left >= WPA_SELECTOR_LEN) {
1771 		data->group_cipher = wpa_selector_to_bitfield(pos);
1772 		pos += WPA_SELECTOR_LEN;
1773 		left -= WPA_SELECTOR_LEN;
1774 	} else if (left > 0) {
1775 		wpa_printf(MSG_DEBUG, "%s: ie length mismatch, %u too much",
1776 			   __func__, left);
1777 		return -3;
1778 	}
1779 
1780 	if (left >= 2) {
1781 		data->pairwise_cipher = 0;
1782 		count = WPA_GET_LE16(pos);
1783 		pos += 2;
1784 		left -= 2;
1785 		if (count == 0 || count > left / WPA_SELECTOR_LEN) {
1786 			wpa_printf(MSG_DEBUG, "%s: ie count botch (pairwise), "
1787 				   "count %u left %u", __func__, count, left);
1788 			return -4;
1789 		}
1790 		for (i = 0; i < count; i++) {
1791 			data->pairwise_cipher |= wpa_selector_to_bitfield(pos);
1792 			pos += WPA_SELECTOR_LEN;
1793 			left -= WPA_SELECTOR_LEN;
1794 		}
1795 	} else if (left == 1) {
1796 		wpa_printf(MSG_DEBUG, "%s: ie too short (for key mgmt)",
1797 			   __func__);
1798 		return -5;
1799 	}
1800 
1801 	if (left >= 2) {
1802 		data->key_mgmt = 0;
1803 		count = WPA_GET_LE16(pos);
1804 		pos += 2;
1805 		left -= 2;
1806 		if (count == 0 || count > left / WPA_SELECTOR_LEN) {
1807 			wpa_printf(MSG_DEBUG, "%s: ie count botch (key mgmt), "
1808 				   "count %u left %u", __func__, count, left);
1809 			return -6;
1810 		}
1811 		for (i = 0; i < count; i++) {
1812 			data->key_mgmt |= wpa_key_mgmt_to_bitfield(pos);
1813 			pos += WPA_SELECTOR_LEN;
1814 			left -= WPA_SELECTOR_LEN;
1815 		}
1816 	} else if (left == 1) {
1817 		wpa_printf(MSG_DEBUG, "%s: ie too short (for capabilities)",
1818 			   __func__);
1819 		return -7;
1820 	}
1821 
1822 	if (left >= 2) {
1823 		data->capabilities = WPA_GET_LE16(pos);
1824 		pos += 2;
1825 		left -= 2;
1826 	}
1827 
1828 	if (left > 0) {
1829 		wpa_hexdump(MSG_DEBUG,
1830 			    "wpa_parse_wpa_ie_wpa: ignore trailing bytes",
1831 			    pos, left);
1832 	}
1833 
1834 	return 0;
1835 }
1836 
1837 
1838 int wpa_default_rsn_cipher(int freq)
1839 {
1840 	if (freq > 56160)
1841 		return WPA_CIPHER_GCMP; /* DMG */
1842 
1843 	return WPA_CIPHER_CCMP;
1844 }
1845 
1846 
1847 #ifdef CONFIG_IEEE80211R
1848 
1849 /**
1850  * wpa_derive_pmk_r0 - Derive PMK-R0 and PMKR0Name
1851  *
1852  * IEEE Std 802.11r-2008 - 8.5.1.5.3
1853  */
1854 int wpa_derive_pmk_r0(const u8 *xxkey, size_t xxkey_len,
1855 		      const u8 *ssid, size_t ssid_len,
1856 		      const u8 *mdid, const u8 *r0kh_id, size_t r0kh_id_len,
1857 		      const u8 *s0kh_id, u8 *pmk_r0, u8 *pmk_r0_name,
1858 		      int use_sha384)
1859 {
1860 	u8 buf[1 + SSID_MAX_LEN + MOBILITY_DOMAIN_ID_LEN + 1 +
1861 	       FT_R0KH_ID_MAX_LEN + ETH_ALEN];
1862 	u8 *pos, r0_key_data[64], hash[48];
1863 	const u8 *addr[2];
1864 	size_t len[2];
1865 	size_t q = use_sha384 ? 48 : 32;
1866 	size_t r0_key_data_len = q + 16;
1867 
1868 	/*
1869 	 * R0-Key-Data = KDF-384(XXKey, "FT-R0",
1870 	 *                       SSIDlength || SSID || MDID || R0KHlength ||
1871 	 *                       R0KH-ID || S0KH-ID)
1872 	 * XXKey is either the second 256 bits of MSK or PSK; or the first
1873 	 * 384 bits of MSK for FT-EAP-SHA384.
1874 	 * PMK-R0 = L(R0-Key-Data, 0, Q)
1875 	 * PMK-R0Name-Salt = L(R0-Key-Data, Q, 128)
1876 	 * Q = 384 for FT-EAP-SHA384; otherwise, 256
1877 	 */
1878 	if (ssid_len > SSID_MAX_LEN || r0kh_id_len > FT_R0KH_ID_MAX_LEN)
1879 		return -1;
1880 	wpa_printf(MSG_DEBUG, "FT: Derive PMK-R0 using KDF-%s",
1881 		   use_sha384 ? "SHA384" : "SHA256");
1882 	wpa_hexdump_key(MSG_DEBUG, "FT: XXKey", xxkey, xxkey_len);
1883 	wpa_hexdump_ascii(MSG_DEBUG, "FT: SSID", ssid, ssid_len);
1884 	wpa_hexdump(MSG_DEBUG, "FT: MDID", mdid, MOBILITY_DOMAIN_ID_LEN);
1885 	wpa_hexdump_ascii(MSG_DEBUG, "FT: R0KH-ID", r0kh_id, r0kh_id_len);
1886 	wpa_printf(MSG_DEBUG, "FT: S0KH-ID: " MACSTR, MAC2STR(s0kh_id));
1887 	pos = buf;
1888 	*pos++ = ssid_len;
1889 	os_memcpy(pos, ssid, ssid_len);
1890 	pos += ssid_len;
1891 	os_memcpy(pos, mdid, MOBILITY_DOMAIN_ID_LEN);
1892 	pos += MOBILITY_DOMAIN_ID_LEN;
1893 	*pos++ = r0kh_id_len;
1894 	os_memcpy(pos, r0kh_id, r0kh_id_len);
1895 	pos += r0kh_id_len;
1896 	os_memcpy(pos, s0kh_id, ETH_ALEN);
1897 	pos += ETH_ALEN;
1898 
1899 #ifdef CONFIG_SHA384
1900 	if (use_sha384) {
1901 		if (xxkey_len != SHA384_MAC_LEN) {
1902 			wpa_printf(MSG_ERROR,
1903 				   "FT: Unexpected XXKey length %d (expected %d)",
1904 				   (int) xxkey_len, SHA384_MAC_LEN);
1905 			return -1;
1906 		}
1907 		if (sha384_prf(xxkey, xxkey_len, "FT-R0", buf, pos - buf,
1908 			       r0_key_data, r0_key_data_len) < 0)
1909 			return -1;
1910 	}
1911 #endif /* CONFIG_SHA384 */
1912 	if (!use_sha384) {
1913 		if (xxkey_len != PMK_LEN) {
1914 			wpa_printf(MSG_ERROR,
1915 				   "FT: Unexpected XXKey length %d (expected %d)",
1916 				   (int) xxkey_len, PMK_LEN);
1917 			return -1;
1918 		}
1919 		if (sha256_prf(xxkey, xxkey_len, "FT-R0", buf, pos - buf,
1920 			       r0_key_data, r0_key_data_len) < 0)
1921 			return -1;
1922 	}
1923 	os_memcpy(pmk_r0, r0_key_data, q);
1924 	wpa_hexdump_key(MSG_DEBUG, "FT: PMK-R0", pmk_r0, q);
1925 	wpa_hexdump_key(MSG_DEBUG, "FT: PMK-R0Name-Salt", &r0_key_data[q], 16);
1926 
1927 	/*
1928 	 * PMKR0Name = Truncate-128(Hash("FT-R0N" || PMK-R0Name-Salt)
1929 	 */
1930 	addr[0] = (const u8 *) "FT-R0N";
1931 	len[0] = 6;
1932 	addr[1] = &r0_key_data[q];
1933 	len[1] = 16;
1934 
1935 #ifdef CONFIG_SHA384
1936 	if (use_sha384 && sha384_vector(2, addr, len, hash) < 0)
1937 		return -1;
1938 #endif /* CONFIG_SHA384 */
1939 	if (!use_sha384 && sha256_vector(2, addr, len, hash) < 0)
1940 		return -1;
1941 	os_memcpy(pmk_r0_name, hash, WPA_PMK_NAME_LEN);
1942 	wpa_hexdump(MSG_DEBUG, "FT: PMKR0Name", pmk_r0_name, WPA_PMK_NAME_LEN);
1943 	forced_memzero(r0_key_data, sizeof(r0_key_data));
1944 	return 0;
1945 }
1946 
1947 
1948 /**
1949  * wpa_derive_pmk_r1_name - Derive PMKR1Name
1950  *
1951  * IEEE Std 802.11r-2008 - 8.5.1.5.4
1952  */
1953 int wpa_derive_pmk_r1_name(const u8 *pmk_r0_name, const u8 *r1kh_id,
1954 			   const u8 *s1kh_id, u8 *pmk_r1_name, int use_sha384)
1955 {
1956 	u8 hash[48];
1957 	const u8 *addr[4];
1958 	size_t len[4];
1959 
1960 	/*
1961 	 * PMKR1Name = Truncate-128(Hash("FT-R1N" || PMKR0Name ||
1962 	 *                               R1KH-ID || S1KH-ID))
1963 	 */
1964 	addr[0] = (const u8 *) "FT-R1N";
1965 	len[0] = 6;
1966 	addr[1] = pmk_r0_name;
1967 	len[1] = WPA_PMK_NAME_LEN;
1968 	addr[2] = r1kh_id;
1969 	len[2] = FT_R1KH_ID_LEN;
1970 	addr[3] = s1kh_id;
1971 	len[3] = ETH_ALEN;
1972 
1973 #ifdef CONFIG_SHA384
1974 	if (use_sha384 && sha384_vector(4, addr, len, hash) < 0)
1975 		return -1;
1976 #endif /* CONFIG_SHA384 */
1977 	if (!use_sha384 && sha256_vector(4, addr, len, hash) < 0)
1978 		return -1;
1979 	os_memcpy(pmk_r1_name, hash, WPA_PMK_NAME_LEN);
1980 	wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name", pmk_r1_name, WPA_PMK_NAME_LEN);
1981 	return 0;
1982 }
1983 
1984 
1985 /**
1986  * wpa_derive_pmk_r1 - Derive PMK-R1 and PMKR1Name from PMK-R0
1987  *
1988  * IEEE Std 802.11r-2008 - 8.5.1.5.4
1989  */
1990 int wpa_derive_pmk_r1(const u8 *pmk_r0, size_t pmk_r0_len,
1991 		      const u8 *pmk_r0_name,
1992 		      const u8 *r1kh_id, const u8 *s1kh_id,
1993 		      u8 *pmk_r1, u8 *pmk_r1_name)
1994 {
1995 	u8 buf[FT_R1KH_ID_LEN + ETH_ALEN];
1996 	u8 *pos;
1997 
1998 	/* PMK-R1 = KDF-256(PMK-R0, "FT-R1", R1KH-ID || S1KH-ID) */
1999 	wpa_printf(MSG_DEBUG, "FT: Derive PMK-R1 using KDF-%s",
2000 		   pmk_r0_len == SHA384_MAC_LEN ? "SHA384" : "SHA256");
2001 	wpa_hexdump_key(MSG_DEBUG, "FT: PMK-R0", pmk_r0, pmk_r0_len);
2002 	wpa_hexdump(MSG_DEBUG, "FT: R1KH-ID", r1kh_id, FT_R1KH_ID_LEN);
2003 	wpa_printf(MSG_DEBUG, "FT: S1KH-ID: " MACSTR, MAC2STR(s1kh_id));
2004 	pos = buf;
2005 	os_memcpy(pos, r1kh_id, FT_R1KH_ID_LEN);
2006 	pos += FT_R1KH_ID_LEN;
2007 	os_memcpy(pos, s1kh_id, ETH_ALEN);
2008 	pos += ETH_ALEN;
2009 
2010 #ifdef CONFIG_SHA384
2011 	if (pmk_r0_len == SHA384_MAC_LEN &&
2012 	    sha384_prf(pmk_r0, pmk_r0_len, "FT-R1",
2013 		       buf, pos - buf, pmk_r1, pmk_r0_len) < 0)
2014 		return -1;
2015 #endif /* CONFIG_SHA384 */
2016 	if (pmk_r0_len == PMK_LEN &&
2017 	    sha256_prf(pmk_r0, pmk_r0_len, "FT-R1",
2018 		       buf, pos - buf, pmk_r1, pmk_r0_len) < 0)
2019 		return -1;
2020 	if (pmk_r0_len != SHA384_MAC_LEN && pmk_r0_len != PMK_LEN) {
2021 		wpa_printf(MSG_ERROR, "FT: Unexpected PMK-R0 length %d",
2022 			   (int) pmk_r0_len);
2023 		return -1;
2024 	}
2025 	wpa_hexdump_key(MSG_DEBUG, "FT: PMK-R1", pmk_r1, pmk_r0_len);
2026 
2027 	return wpa_derive_pmk_r1_name(pmk_r0_name, r1kh_id, s1kh_id,
2028 				      pmk_r1_name,
2029 				      pmk_r0_len == SHA384_MAC_LEN);
2030 }
2031 
2032 
2033 /**
2034  * wpa_pmk_r1_to_ptk - Derive PTK and PTKName from PMK-R1
2035  *
2036  * IEEE Std 802.11r-2008 - 8.5.1.5.5
2037  */
2038 int wpa_pmk_r1_to_ptk(const u8 *pmk_r1, size_t pmk_r1_len,
2039 		      const u8 *snonce, const u8 *anonce,
2040 		      const u8 *sta_addr, const u8 *bssid,
2041 		      const u8 *pmk_r1_name,
2042 		      struct wpa_ptk *ptk, u8 *ptk_name, int akmp, int cipher,
2043 		      size_t kdk_len)
2044 {
2045 	u8 buf[2 * WPA_NONCE_LEN + 2 * ETH_ALEN];
2046 	u8 *pos, hash[32];
2047 	const u8 *addr[6];
2048 	size_t len[6];
2049 	u8 tmp[2 * WPA_KCK_MAX_LEN + 2 * WPA_KEK_MAX_LEN + WPA_TK_MAX_LEN +
2050 	       WPA_KDK_MAX_LEN];
2051 	size_t ptk_len, offset;
2052 	int use_sha384 = wpa_key_mgmt_sha384(akmp);
2053 
2054 	if (kdk_len > WPA_KDK_MAX_LEN) {
2055 		wpa_printf(MSG_ERROR,
2056 			   "FT: KDK len=%zu exceeds max supported len",
2057 			   kdk_len);
2058 		return -1;
2059 	}
2060 
2061 	/*
2062 	 * PTK = KDF-PTKLen(PMK-R1, "FT-PTK", SNonce || ANonce ||
2063 	 *                  BSSID || STA-ADDR)
2064 	 */
2065 	wpa_printf(MSG_DEBUG, "FT: Derive PTK using KDF-%s",
2066 		   use_sha384 ? "SHA384" : "SHA256");
2067 	wpa_hexdump_key(MSG_DEBUG, "FT: PMK-R1", pmk_r1, pmk_r1_len);
2068 	wpa_hexdump(MSG_DEBUG, "FT: SNonce", snonce, WPA_NONCE_LEN);
2069 	wpa_hexdump(MSG_DEBUG, "FT: ANonce", anonce, WPA_NONCE_LEN);
2070 	wpa_printf(MSG_DEBUG, "FT: BSSID=" MACSTR " STA-ADDR=" MACSTR,
2071 		   MAC2STR(bssid), MAC2STR(sta_addr));
2072 	pos = buf;
2073 	os_memcpy(pos, snonce, WPA_NONCE_LEN);
2074 	pos += WPA_NONCE_LEN;
2075 	os_memcpy(pos, anonce, WPA_NONCE_LEN);
2076 	pos += WPA_NONCE_LEN;
2077 	os_memcpy(pos, bssid, ETH_ALEN);
2078 	pos += ETH_ALEN;
2079 	os_memcpy(pos, sta_addr, ETH_ALEN);
2080 	pos += ETH_ALEN;
2081 
2082 	ptk->kck_len = wpa_kck_len(akmp, PMK_LEN);
2083 	ptk->kck2_len = wpa_kck2_len(akmp);
2084 	ptk->kek_len = wpa_kek_len(akmp, PMK_LEN);
2085 	ptk->kek2_len = wpa_kek2_len(akmp);
2086 	ptk->tk_len = wpa_cipher_key_len(cipher);
2087 	ptk->kdk_len = kdk_len;
2088 	ptk_len = ptk->kck_len + ptk->kek_len + ptk->tk_len +
2089 		ptk->kck2_len + ptk->kek2_len + ptk->kdk_len;
2090 
2091 #ifdef CONFIG_SHA384
2092 	if (use_sha384) {
2093 		if (pmk_r1_len != SHA384_MAC_LEN) {
2094 			wpa_printf(MSG_ERROR,
2095 				   "FT: Unexpected PMK-R1 length %d (expected %d)",
2096 				   (int) pmk_r1_len, SHA384_MAC_LEN);
2097 			return -1;
2098 		}
2099 		if (sha384_prf(pmk_r1, pmk_r1_len, "FT-PTK",
2100 			       buf, pos - buf, tmp, ptk_len) < 0)
2101 			return -1;
2102 	}
2103 #endif /* CONFIG_SHA384 */
2104 	if (!use_sha384) {
2105 		if (pmk_r1_len != PMK_LEN) {
2106 			wpa_printf(MSG_ERROR,
2107 				   "FT: Unexpected PMK-R1 length %d (expected %d)",
2108 				   (int) pmk_r1_len, PMK_LEN);
2109 			return -1;
2110 		}
2111 		if (sha256_prf(pmk_r1, pmk_r1_len, "FT-PTK",
2112 			       buf, pos - buf, tmp, ptk_len) < 0)
2113 			return -1;
2114 	}
2115 	wpa_hexdump_key(MSG_DEBUG, "FT: PTK", tmp, ptk_len);
2116 
2117 	/*
2118 	 * PTKName = Truncate-128(SHA-256(PMKR1Name || "FT-PTKN" || SNonce ||
2119 	 *                                ANonce || BSSID || STA-ADDR))
2120 	 */
2121 	wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name", pmk_r1_name, WPA_PMK_NAME_LEN);
2122 	addr[0] = pmk_r1_name;
2123 	len[0] = WPA_PMK_NAME_LEN;
2124 	addr[1] = (const u8 *) "FT-PTKN";
2125 	len[1] = 7;
2126 	addr[2] = snonce;
2127 	len[2] = WPA_NONCE_LEN;
2128 	addr[3] = anonce;
2129 	len[3] = WPA_NONCE_LEN;
2130 	addr[4] = bssid;
2131 	len[4] = ETH_ALEN;
2132 	addr[5] = sta_addr;
2133 	len[5] = ETH_ALEN;
2134 
2135 	if (sha256_vector(6, addr, len, hash) < 0)
2136 		return -1;
2137 	os_memcpy(ptk_name, hash, WPA_PMK_NAME_LEN);
2138 
2139 	os_memcpy(ptk->kck, tmp, ptk->kck_len);
2140 	offset = ptk->kck_len;
2141 	os_memcpy(ptk->kek, tmp + offset, ptk->kek_len);
2142 	offset += ptk->kek_len;
2143 	os_memcpy(ptk->tk, tmp + offset, ptk->tk_len);
2144 	offset += ptk->tk_len;
2145 	os_memcpy(ptk->kck2, tmp + offset, ptk->kck2_len);
2146 	offset += ptk->kck2_len;
2147 	os_memcpy(ptk->kek2, tmp + offset, ptk->kek2_len);
2148 	offset += ptk->kek2_len;
2149 	os_memcpy(ptk->kdk, tmp + offset, ptk->kdk_len);
2150 
2151 	wpa_hexdump_key(MSG_DEBUG, "FT: KCK", ptk->kck, ptk->kck_len);
2152 	wpa_hexdump_key(MSG_DEBUG, "FT: KEK", ptk->kek, ptk->kek_len);
2153 	if (ptk->kck2_len)
2154 		wpa_hexdump_key(MSG_DEBUG, "FT: KCK2",
2155 				ptk->kck2, ptk->kck2_len);
2156 	if (ptk->kek2_len)
2157 		wpa_hexdump_key(MSG_DEBUG, "FT: KEK2",
2158 				ptk->kek2, ptk->kek2_len);
2159 	if (ptk->kdk_len)
2160 		wpa_hexdump_key(MSG_DEBUG, "FT: KDK", ptk->kdk, ptk->kdk_len);
2161 
2162 	wpa_hexdump_key(MSG_DEBUG, "FT: TK", ptk->tk, ptk->tk_len);
2163 	wpa_hexdump(MSG_DEBUG, "FT: PTKName", ptk_name, WPA_PMK_NAME_LEN);
2164 
2165 	forced_memzero(tmp, sizeof(tmp));
2166 
2167 	return 0;
2168 }
2169 
2170 #endif /* CONFIG_IEEE80211R */
2171 
2172 
2173 /**
2174  * rsn_pmkid - Calculate PMK identifier
2175  * @pmk: Pairwise master key
2176  * @pmk_len: Length of pmk in bytes
2177  * @aa: Authenticator address
2178  * @spa: Supplicant address
2179  * @pmkid: Buffer for PMKID
2180  * @akmp: Negotiated key management protocol
2181  *
2182  * IEEE Std 802.11-2016 - 12.7.1.3 Pairwise key hierarchy
2183  * AKM: 00-0F-AC:5, 00-0F-AC:6, 00-0F-AC:14, 00-0F-AC:16
2184  * PMKID = Truncate-128(HMAC-SHA-256(PMK, "PMK Name" || AA || SPA))
2185  * AKM: 00-0F-AC:11
2186  * See rsn_pmkid_suite_b()
2187  * AKM: 00-0F-AC:12
2188  * See rsn_pmkid_suite_b_192()
2189  * AKM: 00-0F-AC:13, 00-0F-AC:15, 00-0F-AC:17
2190  * PMKID = Truncate-128(HMAC-SHA-384(PMK, "PMK Name" || AA || SPA))
2191  * Otherwise:
2192  * PMKID = Truncate-128(HMAC-SHA-1(PMK, "PMK Name" || AA || SPA))
2193  */
2194 void rsn_pmkid(const u8 *pmk, size_t pmk_len, const u8 *aa, const u8 *spa,
2195 	       u8 *pmkid, int akmp)
2196 {
2197 	char *title = "PMK Name";
2198 	const u8 *addr[3];
2199 	const size_t len[3] = { 8, ETH_ALEN, ETH_ALEN };
2200 	unsigned char hash[SHA384_MAC_LEN];
2201 
2202 	addr[0] = (u8 *) title;
2203 	addr[1] = aa;
2204 	addr[2] = spa;
2205 
2206 	if (0) {
2207 #if defined(CONFIG_FILS) || defined(CONFIG_SHA384)
2208 	} else if (wpa_key_mgmt_sha384(akmp)) {
2209 		wpa_printf(MSG_DEBUG, "RSN: Derive PMKID using HMAC-SHA-384");
2210 		hmac_sha384_vector(pmk, pmk_len, 3, addr, len, hash);
2211 #endif /* CONFIG_FILS || CONFIG_SHA384 */
2212 	} else if (wpa_key_mgmt_sha256(akmp)) {
2213 		wpa_printf(MSG_DEBUG, "RSN: Derive PMKID using HMAC-SHA-256");
2214 		hmac_sha256_vector(pmk, pmk_len, 3, addr, len, hash);
2215 	} else {
2216 		wpa_printf(MSG_DEBUG, "RSN: Derive PMKID using HMAC-SHA-1");
2217 		hmac_sha1_vector(pmk, pmk_len, 3, addr, len, hash);
2218 	}
2219 	wpa_hexdump(MSG_DEBUG, "RSN: Derived PMKID", hash, PMKID_LEN);
2220 	os_memcpy(pmkid, hash, PMKID_LEN);
2221 }
2222 
2223 
2224 #ifdef CONFIG_SUITEB
2225 /**
2226  * rsn_pmkid_suite_b - Calculate PMK identifier for Suite B AKM
2227  * @kck: Key confirmation key
2228  * @kck_len: Length of kck in bytes
2229  * @aa: Authenticator address
2230  * @spa: Supplicant address
2231  * @pmkid: Buffer for PMKID
2232  * Returns: 0 on success, -1 on failure
2233  *
2234  * IEEE Std 802.11ac-2013 - 11.6.1.3 Pairwise key hierarchy
2235  * PMKID = Truncate(HMAC-SHA-256(KCK, "PMK Name" || AA || SPA))
2236  */
2237 int rsn_pmkid_suite_b(const u8 *kck, size_t kck_len, const u8 *aa,
2238 		      const u8 *spa, u8 *pmkid)
2239 {
2240 	char *title = "PMK Name";
2241 	const u8 *addr[3];
2242 	const size_t len[3] = { 8, ETH_ALEN, ETH_ALEN };
2243 	unsigned char hash[SHA256_MAC_LEN];
2244 
2245 	addr[0] = (u8 *) title;
2246 	addr[1] = aa;
2247 	addr[2] = spa;
2248 
2249 	if (hmac_sha256_vector(kck, kck_len, 3, addr, len, hash) < 0)
2250 		return -1;
2251 	os_memcpy(pmkid, hash, PMKID_LEN);
2252 	return 0;
2253 }
2254 #endif /* CONFIG_SUITEB */
2255 
2256 
2257 #ifdef CONFIG_SUITEB192
2258 /**
2259  * rsn_pmkid_suite_b_192 - Calculate PMK identifier for Suite B AKM
2260  * @kck: Key confirmation key
2261  * @kck_len: Length of kck in bytes
2262  * @aa: Authenticator address
2263  * @spa: Supplicant address
2264  * @pmkid: Buffer for PMKID
2265  * Returns: 0 on success, -1 on failure
2266  *
2267  * IEEE Std 802.11ac-2013 - 11.6.1.3 Pairwise key hierarchy
2268  * PMKID = Truncate(HMAC-SHA-384(KCK, "PMK Name" || AA || SPA))
2269  */
2270 int rsn_pmkid_suite_b_192(const u8 *kck, size_t kck_len, const u8 *aa,
2271 			  const u8 *spa, u8 *pmkid)
2272 {
2273 	char *title = "PMK Name";
2274 	const u8 *addr[3];
2275 	const size_t len[3] = { 8, ETH_ALEN, ETH_ALEN };
2276 	unsigned char hash[SHA384_MAC_LEN];
2277 
2278 	addr[0] = (u8 *) title;
2279 	addr[1] = aa;
2280 	addr[2] = spa;
2281 
2282 	if (hmac_sha384_vector(kck, kck_len, 3, addr, len, hash) < 0)
2283 		return -1;
2284 	os_memcpy(pmkid, hash, PMKID_LEN);
2285 	return 0;
2286 }
2287 #endif /* CONFIG_SUITEB192 */
2288 
2289 
2290 /**
2291  * wpa_cipher_txt - Convert cipher suite to a text string
2292  * @cipher: Cipher suite (WPA_CIPHER_* enum)
2293  * Returns: Pointer to a text string of the cipher suite name
2294  */
2295 const char * wpa_cipher_txt(int cipher)
2296 {
2297 	switch (cipher) {
2298 	case WPA_CIPHER_NONE:
2299 		return "NONE";
2300 #ifdef CONFIG_WEP
2301 	case WPA_CIPHER_WEP40:
2302 		return "WEP-40";
2303 	case WPA_CIPHER_WEP104:
2304 		return "WEP-104";
2305 #endif /* CONFIG_WEP */
2306 	case WPA_CIPHER_TKIP:
2307 		return "TKIP";
2308 	case WPA_CIPHER_CCMP:
2309 		return "CCMP";
2310 	case WPA_CIPHER_CCMP | WPA_CIPHER_TKIP:
2311 		return "CCMP+TKIP";
2312 	case WPA_CIPHER_GCMP:
2313 		return "GCMP";
2314 	case WPA_CIPHER_GCMP_256:
2315 		return "GCMP-256";
2316 	case WPA_CIPHER_CCMP_256:
2317 		return "CCMP-256";
2318 	case WPA_CIPHER_AES_128_CMAC:
2319 		return "BIP";
2320 	case WPA_CIPHER_BIP_GMAC_128:
2321 		return "BIP-GMAC-128";
2322 	case WPA_CIPHER_BIP_GMAC_256:
2323 		return "BIP-GMAC-256";
2324 	case WPA_CIPHER_BIP_CMAC_256:
2325 		return "BIP-CMAC-256";
2326 	case WPA_CIPHER_GTK_NOT_USED:
2327 		return "GTK_NOT_USED";
2328 	default:
2329 		return "UNKNOWN";
2330 	}
2331 }
2332 
2333 
2334 /**
2335  * wpa_key_mgmt_txt - Convert key management suite to a text string
2336  * @key_mgmt: Key management suite (WPA_KEY_MGMT_* enum)
2337  * @proto: WPA/WPA2 version (WPA_PROTO_*)
2338  * Returns: Pointer to a text string of the key management suite name
2339  */
2340 const char * wpa_key_mgmt_txt(int key_mgmt, int proto)
2341 {
2342 	switch (key_mgmt) {
2343 	case WPA_KEY_MGMT_IEEE8021X:
2344 		if (proto == (WPA_PROTO_RSN | WPA_PROTO_WPA))
2345 			return "WPA2+WPA/IEEE 802.1X/EAP";
2346 		return proto == WPA_PROTO_RSN ?
2347 			"WPA2/IEEE 802.1X/EAP" : "WPA/IEEE 802.1X/EAP";
2348 	case WPA_KEY_MGMT_PSK:
2349 		if (proto == (WPA_PROTO_RSN | WPA_PROTO_WPA))
2350 			return "WPA2-PSK+WPA-PSK";
2351 		return proto == WPA_PROTO_RSN ?
2352 			"WPA2-PSK" : "WPA-PSK";
2353 	case WPA_KEY_MGMT_NONE:
2354 		return "NONE";
2355 	case WPA_KEY_MGMT_WPA_NONE:
2356 		return "WPA-NONE";
2357 	case WPA_KEY_MGMT_IEEE8021X_NO_WPA:
2358 		return "IEEE 802.1X (no WPA)";
2359 #ifdef CONFIG_IEEE80211R
2360 	case WPA_KEY_MGMT_FT_IEEE8021X:
2361 		return "FT-EAP";
2362 	case WPA_KEY_MGMT_FT_IEEE8021X_SHA384:
2363 		return "FT-EAP-SHA384";
2364 	case WPA_KEY_MGMT_FT_PSK:
2365 		return "FT-PSK";
2366 #endif /* CONFIG_IEEE80211R */
2367 	case WPA_KEY_MGMT_IEEE8021X_SHA256:
2368 		return "WPA2-EAP-SHA256";
2369 	case WPA_KEY_MGMT_PSK_SHA256:
2370 		return "WPA2-PSK-SHA256";
2371 	case WPA_KEY_MGMT_WPS:
2372 		return "WPS";
2373 	case WPA_KEY_MGMT_SAE:
2374 		return "SAE";
2375 	case WPA_KEY_MGMT_FT_SAE:
2376 		return "FT-SAE";
2377 	case WPA_KEY_MGMT_OSEN:
2378 		return "OSEN";
2379 	case WPA_KEY_MGMT_IEEE8021X_SUITE_B:
2380 		return "WPA2-EAP-SUITE-B";
2381 	case WPA_KEY_MGMT_IEEE8021X_SUITE_B_192:
2382 		return "WPA2-EAP-SUITE-B-192";
2383 	case WPA_KEY_MGMT_FILS_SHA256:
2384 		return "FILS-SHA256";
2385 	case WPA_KEY_MGMT_FILS_SHA384:
2386 		return "FILS-SHA384";
2387 	case WPA_KEY_MGMT_FT_FILS_SHA256:
2388 		return "FT-FILS-SHA256";
2389 	case WPA_KEY_MGMT_FT_FILS_SHA384:
2390 		return "FT-FILS-SHA384";
2391 	case WPA_KEY_MGMT_OWE:
2392 		return "OWE";
2393 	case WPA_KEY_MGMT_DPP:
2394 		return "DPP";
2395 	case WPA_KEY_MGMT_PASN:
2396 		return "PASN";
2397 	default:
2398 		return "UNKNOWN";
2399 	}
2400 }
2401 
2402 
2403 u32 wpa_akm_to_suite(int akm)
2404 {
2405 	if (akm & WPA_KEY_MGMT_FT_IEEE8021X_SHA384)
2406 		return RSN_AUTH_KEY_MGMT_FT_802_1X_SHA384;
2407 	if (akm & WPA_KEY_MGMT_FT_IEEE8021X)
2408 		return RSN_AUTH_KEY_MGMT_FT_802_1X;
2409 	if (akm & WPA_KEY_MGMT_FT_PSK)
2410 		return RSN_AUTH_KEY_MGMT_FT_PSK;
2411 	if (akm & WPA_KEY_MGMT_IEEE8021X_SHA256)
2412 		return RSN_AUTH_KEY_MGMT_802_1X_SHA256;
2413 	if (akm & WPA_KEY_MGMT_IEEE8021X)
2414 		return RSN_AUTH_KEY_MGMT_UNSPEC_802_1X;
2415 	if (akm & WPA_KEY_MGMT_PSK_SHA256)
2416 		return RSN_AUTH_KEY_MGMT_PSK_SHA256;
2417 	if (akm & WPA_KEY_MGMT_PSK)
2418 		return RSN_AUTH_KEY_MGMT_PSK_OVER_802_1X;
2419 	if (akm & WPA_KEY_MGMT_CCKM)
2420 		return RSN_AUTH_KEY_MGMT_CCKM;
2421 	if (akm & WPA_KEY_MGMT_OSEN)
2422 		return RSN_AUTH_KEY_MGMT_OSEN;
2423 	if (akm & WPA_KEY_MGMT_IEEE8021X_SUITE_B)
2424 		return RSN_AUTH_KEY_MGMT_802_1X_SUITE_B;
2425 	if (akm & WPA_KEY_MGMT_IEEE8021X_SUITE_B_192)
2426 		return RSN_AUTH_KEY_MGMT_802_1X_SUITE_B_192;
2427 	if (akm & WPA_KEY_MGMT_FILS_SHA256)
2428 		return RSN_AUTH_KEY_MGMT_FILS_SHA256;
2429 	if (akm & WPA_KEY_MGMT_FILS_SHA384)
2430 		return RSN_AUTH_KEY_MGMT_FILS_SHA384;
2431 	if (akm & WPA_KEY_MGMT_FT_FILS_SHA256)
2432 		return RSN_AUTH_KEY_MGMT_FT_FILS_SHA256;
2433 	if (akm & WPA_KEY_MGMT_FT_FILS_SHA384)
2434 		return RSN_AUTH_KEY_MGMT_FT_FILS_SHA384;
2435 	if (akm & WPA_KEY_MGMT_SAE)
2436 		return RSN_AUTH_KEY_MGMT_SAE;
2437 	if (akm & WPA_KEY_MGMT_FT_SAE)
2438 		return RSN_AUTH_KEY_MGMT_FT_SAE;
2439 	if (akm & WPA_KEY_MGMT_OWE)
2440 		return RSN_AUTH_KEY_MGMT_OWE;
2441 	if (akm & WPA_KEY_MGMT_DPP)
2442 		return RSN_AUTH_KEY_MGMT_DPP;
2443 	return 0;
2444 }
2445 
2446 
2447 int wpa_compare_rsn_ie(int ft_initial_assoc,
2448 		       const u8 *ie1, size_t ie1len,
2449 		       const u8 *ie2, size_t ie2len)
2450 {
2451 	if (ie1 == NULL || ie2 == NULL)
2452 		return -1;
2453 
2454 	if (ie1len == ie2len && os_memcmp(ie1, ie2, ie1len) == 0)
2455 		return 0; /* identical IEs */
2456 
2457 #ifdef CONFIG_IEEE80211R
2458 	if (ft_initial_assoc) {
2459 		struct wpa_ie_data ie1d, ie2d;
2460 		/*
2461 		 * The PMKID-List in RSN IE is different between Beacon/Probe
2462 		 * Response/(Re)Association Request frames and EAPOL-Key
2463 		 * messages in FT initial mobility domain association. Allow
2464 		 * for this, but verify that other parts of the RSN IEs are
2465 		 * identical.
2466 		 */
2467 		if (wpa_parse_wpa_ie_rsn(ie1, ie1len, &ie1d) < 0 ||
2468 		    wpa_parse_wpa_ie_rsn(ie2, ie2len, &ie2d) < 0)
2469 			return -1;
2470 		if (ie1d.proto == ie2d.proto &&
2471 		    ie1d.pairwise_cipher == ie2d.pairwise_cipher &&
2472 		    ie1d.group_cipher == ie2d.group_cipher &&
2473 		    ie1d.key_mgmt == ie2d.key_mgmt &&
2474 		    ie1d.capabilities == ie2d.capabilities &&
2475 		    ie1d.mgmt_group_cipher == ie2d.mgmt_group_cipher)
2476 			return 0;
2477 	}
2478 #endif /* CONFIG_IEEE80211R */
2479 
2480 	return -1;
2481 }
2482 
2483 
2484 int wpa_insert_pmkid(u8 *ies, size_t *ies_len, const u8 *pmkid)
2485 {
2486 	u8 *start, *end, *rpos, *rend;
2487 	int added = 0;
2488 
2489 	start = ies;
2490 	end = ies + *ies_len;
2491 
2492 	while (start < end) {
2493 		if (*start == WLAN_EID_RSN)
2494 			break;
2495 		start += 2 + start[1];
2496 	}
2497 	if (start >= end) {
2498 		wpa_printf(MSG_ERROR, "RSN: Could not find RSNE in IEs data");
2499 		return -1;
2500 	}
2501 	wpa_hexdump(MSG_DEBUG, "RSN: RSNE before modification",
2502 		    start, 2 + start[1]);
2503 
2504 	/* Find start of PMKID-Count */
2505 	rpos = start + 2;
2506 	rend = rpos + start[1];
2507 
2508 	/* Skip Version and Group Data Cipher Suite */
2509 	rpos += 2 + 4;
2510 	/* Skip Pairwise Cipher Suite Count and List */
2511 	rpos += 2 + WPA_GET_LE16(rpos) * RSN_SELECTOR_LEN;
2512 	/* Skip AKM Suite Count and List */
2513 	rpos += 2 + WPA_GET_LE16(rpos) * RSN_SELECTOR_LEN;
2514 
2515 	if (rpos == rend) {
2516 		/* Add RSN Capabilities */
2517 		os_memmove(rpos + 2, rpos, end - rpos);
2518 		*rpos++ = 0;
2519 		*rpos++ = 0;
2520 		added += 2;
2521 		start[1] += 2;
2522 		rend = rpos;
2523 	} else {
2524 		/* Skip RSN Capabilities */
2525 		rpos += 2;
2526 		if (rpos > rend) {
2527 			wpa_printf(MSG_ERROR,
2528 				   "RSN: Could not parse RSNE in IEs data");
2529 			return -1;
2530 		}
2531 	}
2532 
2533 	if (rpos == rend) {
2534 		/* No PMKID-Count field included; add it */
2535 		os_memmove(rpos + 2 + PMKID_LEN, rpos, end + added - rpos);
2536 		WPA_PUT_LE16(rpos, 1);
2537 		rpos += 2;
2538 		os_memcpy(rpos, pmkid, PMKID_LEN);
2539 		added += 2 + PMKID_LEN;
2540 		start[1] += 2 + PMKID_LEN;
2541 	} else {
2542 		u16 num_pmkid;
2543 
2544 		if (rend - rpos < 2)
2545 			return -1;
2546 		num_pmkid = WPA_GET_LE16(rpos);
2547 		/* PMKID-Count was included; use it */
2548 		if (num_pmkid != 0) {
2549 			u8 *after;
2550 
2551 			if (num_pmkid * PMKID_LEN > rend - rpos - 2)
2552 				return -1;
2553 			/*
2554 			 * PMKID may have been included in RSN IE in
2555 			 * (Re)Association Request frame, so remove the old
2556 			 * PMKID(s) first before adding the new one.
2557 			 */
2558 			wpa_printf(MSG_DEBUG,
2559 				   "RSN: Remove %u old PMKID(s) from RSNE",
2560 				   num_pmkid);
2561 			after = rpos + 2 + num_pmkid * PMKID_LEN;
2562 			os_memmove(rpos + 2, after, end - after);
2563 			start[1] -= num_pmkid * PMKID_LEN;
2564 			added -= num_pmkid * PMKID_LEN;
2565 		}
2566 		WPA_PUT_LE16(rpos, 1);
2567 		rpos += 2;
2568 		os_memmove(rpos + PMKID_LEN, rpos, end + added - rpos);
2569 		os_memcpy(rpos, pmkid, PMKID_LEN);
2570 		added += PMKID_LEN;
2571 		start[1] += PMKID_LEN;
2572 	}
2573 
2574 	wpa_hexdump(MSG_DEBUG, "RSN: RSNE after modification (PMKID inserted)",
2575 		    start, 2 + start[1]);
2576 
2577 	*ies_len += added;
2578 
2579 	return 0;
2580 }
2581 
2582 
2583 int wpa_cipher_key_len(int cipher)
2584 {
2585 	switch (cipher) {
2586 	case WPA_CIPHER_CCMP_256:
2587 	case WPA_CIPHER_GCMP_256:
2588 	case WPA_CIPHER_BIP_GMAC_256:
2589 	case WPA_CIPHER_BIP_CMAC_256:
2590 		return 32;
2591 	case WPA_CIPHER_CCMP:
2592 	case WPA_CIPHER_GCMP:
2593 	case WPA_CIPHER_AES_128_CMAC:
2594 	case WPA_CIPHER_BIP_GMAC_128:
2595 		return 16;
2596 	case WPA_CIPHER_TKIP:
2597 		return 32;
2598 	}
2599 
2600 	return 0;
2601 }
2602 
2603 
2604 int wpa_cipher_rsc_len(int cipher)
2605 {
2606 	switch (cipher) {
2607 	case WPA_CIPHER_CCMP_256:
2608 	case WPA_CIPHER_GCMP_256:
2609 	case WPA_CIPHER_CCMP:
2610 	case WPA_CIPHER_GCMP:
2611 	case WPA_CIPHER_TKIP:
2612 		return 6;
2613 	}
2614 
2615 	return 0;
2616 }
2617 
2618 
2619 enum wpa_alg wpa_cipher_to_alg(int cipher)
2620 {
2621 	switch (cipher) {
2622 	case WPA_CIPHER_CCMP_256:
2623 		return WPA_ALG_CCMP_256;
2624 	case WPA_CIPHER_GCMP_256:
2625 		return WPA_ALG_GCMP_256;
2626 	case WPA_CIPHER_CCMP:
2627 		return WPA_ALG_CCMP;
2628 	case WPA_CIPHER_GCMP:
2629 		return WPA_ALG_GCMP;
2630 	case WPA_CIPHER_TKIP:
2631 		return WPA_ALG_TKIP;
2632 	case WPA_CIPHER_AES_128_CMAC:
2633 		return WPA_ALG_BIP_CMAC_128;
2634 	case WPA_CIPHER_BIP_GMAC_128:
2635 		return WPA_ALG_BIP_GMAC_128;
2636 	case WPA_CIPHER_BIP_GMAC_256:
2637 		return WPA_ALG_BIP_GMAC_256;
2638 	case WPA_CIPHER_BIP_CMAC_256:
2639 		return WPA_ALG_BIP_CMAC_256;
2640 	}
2641 	return WPA_ALG_NONE;
2642 }
2643 
2644 
2645 int wpa_cipher_valid_pairwise(int cipher)
2646 {
2647 #ifdef CONFIG_NO_TKIP
2648 	return cipher == WPA_CIPHER_CCMP_256 ||
2649 		cipher == WPA_CIPHER_GCMP_256 ||
2650 		cipher == WPA_CIPHER_CCMP ||
2651 		cipher == WPA_CIPHER_GCMP;
2652 #else /* CONFIG_NO_TKIP */
2653 	return cipher == WPA_CIPHER_CCMP_256 ||
2654 		cipher == WPA_CIPHER_GCMP_256 ||
2655 		cipher == WPA_CIPHER_CCMP ||
2656 		cipher == WPA_CIPHER_GCMP ||
2657 		cipher == WPA_CIPHER_TKIP;
2658 #endif /* CONFIG_NO_TKIP */
2659 }
2660 
2661 
2662 u32 wpa_cipher_to_suite(int proto, int cipher)
2663 {
2664 	if (cipher & WPA_CIPHER_CCMP_256)
2665 		return RSN_CIPHER_SUITE_CCMP_256;
2666 	if (cipher & WPA_CIPHER_GCMP_256)
2667 		return RSN_CIPHER_SUITE_GCMP_256;
2668 	if (cipher & WPA_CIPHER_CCMP)
2669 		return (proto == WPA_PROTO_RSN ?
2670 			RSN_CIPHER_SUITE_CCMP : WPA_CIPHER_SUITE_CCMP);
2671 	if (cipher & WPA_CIPHER_GCMP)
2672 		return RSN_CIPHER_SUITE_GCMP;
2673 	if (cipher & WPA_CIPHER_TKIP)
2674 		return (proto == WPA_PROTO_RSN ?
2675 			RSN_CIPHER_SUITE_TKIP : WPA_CIPHER_SUITE_TKIP);
2676 	if (cipher & WPA_CIPHER_NONE)
2677 		return (proto == WPA_PROTO_RSN ?
2678 			RSN_CIPHER_SUITE_NONE : WPA_CIPHER_SUITE_NONE);
2679 	if (cipher & WPA_CIPHER_GTK_NOT_USED)
2680 		return RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED;
2681 	if (cipher & WPA_CIPHER_AES_128_CMAC)
2682 		return RSN_CIPHER_SUITE_AES_128_CMAC;
2683 	if (cipher & WPA_CIPHER_BIP_GMAC_128)
2684 		return RSN_CIPHER_SUITE_BIP_GMAC_128;
2685 	if (cipher & WPA_CIPHER_BIP_GMAC_256)
2686 		return RSN_CIPHER_SUITE_BIP_GMAC_256;
2687 	if (cipher & WPA_CIPHER_BIP_CMAC_256)
2688 		return RSN_CIPHER_SUITE_BIP_CMAC_256;
2689 	return 0;
2690 }
2691 
2692 
2693 int rsn_cipher_put_suites(u8 *start, int ciphers)
2694 {
2695 	u8 *pos = start;
2696 
2697 	if (ciphers & WPA_CIPHER_CCMP_256) {
2698 		RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP_256);
2699 		pos += RSN_SELECTOR_LEN;
2700 	}
2701 	if (ciphers & WPA_CIPHER_GCMP_256) {
2702 		RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_GCMP_256);
2703 		pos += RSN_SELECTOR_LEN;
2704 	}
2705 	if (ciphers & WPA_CIPHER_CCMP) {
2706 		RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP);
2707 		pos += RSN_SELECTOR_LEN;
2708 	}
2709 	if (ciphers & WPA_CIPHER_GCMP) {
2710 		RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_GCMP);
2711 		pos += RSN_SELECTOR_LEN;
2712 	}
2713 	if (ciphers & WPA_CIPHER_TKIP) {
2714 		RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_TKIP);
2715 		pos += RSN_SELECTOR_LEN;
2716 	}
2717 	if (ciphers & WPA_CIPHER_NONE) {
2718 		RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_NONE);
2719 		pos += RSN_SELECTOR_LEN;
2720 	}
2721 
2722 	return (pos - start) / RSN_SELECTOR_LEN;
2723 }
2724 
2725 
2726 int wpa_cipher_put_suites(u8 *start, int ciphers)
2727 {
2728 	u8 *pos = start;
2729 
2730 	if (ciphers & WPA_CIPHER_CCMP) {
2731 		RSN_SELECTOR_PUT(pos, WPA_CIPHER_SUITE_CCMP);
2732 		pos += WPA_SELECTOR_LEN;
2733 	}
2734 	if (ciphers & WPA_CIPHER_TKIP) {
2735 		RSN_SELECTOR_PUT(pos, WPA_CIPHER_SUITE_TKIP);
2736 		pos += WPA_SELECTOR_LEN;
2737 	}
2738 	if (ciphers & WPA_CIPHER_NONE) {
2739 		RSN_SELECTOR_PUT(pos, WPA_CIPHER_SUITE_NONE);
2740 		pos += WPA_SELECTOR_LEN;
2741 	}
2742 
2743 	return (pos - start) / RSN_SELECTOR_LEN;
2744 }
2745 
2746 
2747 int wpa_pick_pairwise_cipher(int ciphers, int none_allowed)
2748 {
2749 	if (ciphers & WPA_CIPHER_CCMP_256)
2750 		return WPA_CIPHER_CCMP_256;
2751 	if (ciphers & WPA_CIPHER_GCMP_256)
2752 		return WPA_CIPHER_GCMP_256;
2753 	if (ciphers & WPA_CIPHER_CCMP)
2754 		return WPA_CIPHER_CCMP;
2755 	if (ciphers & WPA_CIPHER_GCMP)
2756 		return WPA_CIPHER_GCMP;
2757 	if (ciphers & WPA_CIPHER_TKIP)
2758 		return WPA_CIPHER_TKIP;
2759 	if (none_allowed && (ciphers & WPA_CIPHER_NONE))
2760 		return WPA_CIPHER_NONE;
2761 	return -1;
2762 }
2763 
2764 
2765 int wpa_pick_group_cipher(int ciphers)
2766 {
2767 	if (ciphers & WPA_CIPHER_CCMP_256)
2768 		return WPA_CIPHER_CCMP_256;
2769 	if (ciphers & WPA_CIPHER_GCMP_256)
2770 		return WPA_CIPHER_GCMP_256;
2771 	if (ciphers & WPA_CIPHER_CCMP)
2772 		return WPA_CIPHER_CCMP;
2773 	if (ciphers & WPA_CIPHER_GCMP)
2774 		return WPA_CIPHER_GCMP;
2775 	if (ciphers & WPA_CIPHER_GTK_NOT_USED)
2776 		return WPA_CIPHER_GTK_NOT_USED;
2777 	if (ciphers & WPA_CIPHER_TKIP)
2778 		return WPA_CIPHER_TKIP;
2779 	return -1;
2780 }
2781 
2782 
2783 int wpa_parse_cipher(const char *value)
2784 {
2785 	int val = 0, last;
2786 	char *start, *end, *buf;
2787 
2788 	buf = os_strdup(value);
2789 	if (buf == NULL)
2790 		return -1;
2791 	start = buf;
2792 
2793 	while (*start != '\0') {
2794 		while (*start == ' ' || *start == '\t')
2795 			start++;
2796 		if (*start == '\0')
2797 			break;
2798 		end = start;
2799 		while (*end != ' ' && *end != '\t' && *end != '\0')
2800 			end++;
2801 		last = *end == '\0';
2802 		*end = '\0';
2803 		if (os_strcmp(start, "CCMP-256") == 0)
2804 			val |= WPA_CIPHER_CCMP_256;
2805 		else if (os_strcmp(start, "GCMP-256") == 0)
2806 			val |= WPA_CIPHER_GCMP_256;
2807 		else if (os_strcmp(start, "CCMP") == 0)
2808 			val |= WPA_CIPHER_CCMP;
2809 		else if (os_strcmp(start, "GCMP") == 0)
2810 			val |= WPA_CIPHER_GCMP;
2811 #ifndef CONFIG_NO_TKIP
2812 		else if (os_strcmp(start, "TKIP") == 0)
2813 			val |= WPA_CIPHER_TKIP;
2814 #endif /* CONFIG_NO_TKIP */
2815 #ifdef CONFIG_WEP
2816 		else if (os_strcmp(start, "WEP104") == 0)
2817 			val |= WPA_CIPHER_WEP104;
2818 		else if (os_strcmp(start, "WEP40") == 0)
2819 			val |= WPA_CIPHER_WEP40;
2820 #endif /* CONFIG_WEP */
2821 		else if (os_strcmp(start, "NONE") == 0)
2822 			val |= WPA_CIPHER_NONE;
2823 		else if (os_strcmp(start, "GTK_NOT_USED") == 0)
2824 			val |= WPA_CIPHER_GTK_NOT_USED;
2825 		else if (os_strcmp(start, "AES-128-CMAC") == 0)
2826 			val |= WPA_CIPHER_AES_128_CMAC;
2827 		else if (os_strcmp(start, "BIP-GMAC-128") == 0)
2828 			val |= WPA_CIPHER_BIP_GMAC_128;
2829 		else if (os_strcmp(start, "BIP-GMAC-256") == 0)
2830 			val |= WPA_CIPHER_BIP_GMAC_256;
2831 		else if (os_strcmp(start, "BIP-CMAC-256") == 0)
2832 			val |= WPA_CIPHER_BIP_CMAC_256;
2833 		else {
2834 			os_free(buf);
2835 			return -1;
2836 		}
2837 
2838 		if (last)
2839 			break;
2840 		start = end + 1;
2841 	}
2842 	os_free(buf);
2843 
2844 	return val;
2845 }
2846 
2847 
2848 int wpa_write_ciphers(char *start, char *end, int ciphers, const char *delim)
2849 {
2850 	char *pos = start;
2851 	int ret;
2852 
2853 	if (ciphers & WPA_CIPHER_CCMP_256) {
2854 		ret = os_snprintf(pos, end - pos, "%sCCMP-256",
2855 				  pos == start ? "" : delim);
2856 		if (os_snprintf_error(end - pos, ret))
2857 			return -1;
2858 		pos += ret;
2859 	}
2860 	if (ciphers & WPA_CIPHER_GCMP_256) {
2861 		ret = os_snprintf(pos, end - pos, "%sGCMP-256",
2862 				  pos == start ? "" : delim);
2863 		if (os_snprintf_error(end - pos, ret))
2864 			return -1;
2865 		pos += ret;
2866 	}
2867 	if (ciphers & WPA_CIPHER_CCMP) {
2868 		ret = os_snprintf(pos, end - pos, "%sCCMP",
2869 				  pos == start ? "" : delim);
2870 		if (os_snprintf_error(end - pos, ret))
2871 			return -1;
2872 		pos += ret;
2873 	}
2874 	if (ciphers & WPA_CIPHER_GCMP) {
2875 		ret = os_snprintf(pos, end - pos, "%sGCMP",
2876 				  pos == start ? "" : delim);
2877 		if (os_snprintf_error(end - pos, ret))
2878 			return -1;
2879 		pos += ret;
2880 	}
2881 	if (ciphers & WPA_CIPHER_TKIP) {
2882 		ret = os_snprintf(pos, end - pos, "%sTKIP",
2883 				  pos == start ? "" : delim);
2884 		if (os_snprintf_error(end - pos, ret))
2885 			return -1;
2886 		pos += ret;
2887 	}
2888 	if (ciphers & WPA_CIPHER_AES_128_CMAC) {
2889 		ret = os_snprintf(pos, end - pos, "%sAES-128-CMAC",
2890 				  pos == start ? "" : delim);
2891 		if (os_snprintf_error(end - pos, ret))
2892 			return -1;
2893 		pos += ret;
2894 	}
2895 	if (ciphers & WPA_CIPHER_BIP_GMAC_128) {
2896 		ret = os_snprintf(pos, end - pos, "%sBIP-GMAC-128",
2897 				  pos == start ? "" : delim);
2898 		if (os_snprintf_error(end - pos, ret))
2899 			return -1;
2900 		pos += ret;
2901 	}
2902 	if (ciphers & WPA_CIPHER_BIP_GMAC_256) {
2903 		ret = os_snprintf(pos, end - pos, "%sBIP-GMAC-256",
2904 				  pos == start ? "" : delim);
2905 		if (os_snprintf_error(end - pos, ret))
2906 			return -1;
2907 		pos += ret;
2908 	}
2909 	if (ciphers & WPA_CIPHER_BIP_CMAC_256) {
2910 		ret = os_snprintf(pos, end - pos, "%sBIP-CMAC-256",
2911 				  pos == start ? "" : delim);
2912 		if (os_snprintf_error(end - pos, ret))
2913 			return -1;
2914 		pos += ret;
2915 	}
2916 	if (ciphers & WPA_CIPHER_NONE) {
2917 		ret = os_snprintf(pos, end - pos, "%sNONE",
2918 				  pos == start ? "" : delim);
2919 		if (os_snprintf_error(end - pos, ret))
2920 			return -1;
2921 		pos += ret;
2922 	}
2923 
2924 	return pos - start;
2925 }
2926 
2927 
2928 int wpa_select_ap_group_cipher(int wpa, int wpa_pairwise, int rsn_pairwise)
2929 {
2930 	int pairwise = 0;
2931 
2932 	/* Select group cipher based on the enabled pairwise cipher suites */
2933 	if (wpa & 1)
2934 		pairwise |= wpa_pairwise;
2935 	if (wpa & 2)
2936 		pairwise |= rsn_pairwise;
2937 
2938 	if (pairwise & WPA_CIPHER_TKIP)
2939 		return WPA_CIPHER_TKIP;
2940 	if ((pairwise & (WPA_CIPHER_CCMP | WPA_CIPHER_GCMP)) == WPA_CIPHER_GCMP)
2941 		return WPA_CIPHER_GCMP;
2942 	if ((pairwise & (WPA_CIPHER_GCMP_256 | WPA_CIPHER_CCMP |
2943 			 WPA_CIPHER_GCMP)) == WPA_CIPHER_GCMP_256)
2944 		return WPA_CIPHER_GCMP_256;
2945 	if ((pairwise & (WPA_CIPHER_CCMP_256 | WPA_CIPHER_CCMP |
2946 			 WPA_CIPHER_GCMP)) == WPA_CIPHER_CCMP_256)
2947 		return WPA_CIPHER_CCMP_256;
2948 	return WPA_CIPHER_CCMP;
2949 }
2950 
2951 
2952 #ifdef CONFIG_FILS
2953 int fils_domain_name_hash(const char *domain, u8 *hash)
2954 {
2955 	char buf[255], *wpos = buf;
2956 	const char *pos = domain;
2957 	size_t len;
2958 	const u8 *addr[1];
2959 	u8 mac[SHA256_MAC_LEN];
2960 
2961 	for (len = 0; len < sizeof(buf) && *pos; len++) {
2962 		if (isalpha(*pos) && isupper(*pos))
2963 			*wpos++ = tolower(*pos);
2964 		else
2965 			*wpos++ = *pos;
2966 		pos++;
2967 	}
2968 
2969 	addr[0] = (const u8 *) buf;
2970 	if (sha256_vector(1, addr, &len, mac) < 0)
2971 		return -1;
2972 	os_memcpy(hash, mac, 2);
2973 	return 0;
2974 }
2975 #endif /* CONFIG_FILS */
2976 
2977 
2978 /**
2979  * wpa_parse_vendor_specific - Parse Vendor Specific IEs
2980  * @pos: Pointer to the IE header
2981  * @end: Pointer to the end of the Key Data buffer
2982  * @ie: Pointer to parsed IE data
2983  */
2984 static void wpa_parse_vendor_specific(const u8 *pos, const u8 *end,
2985 				      struct wpa_eapol_ie_parse *ie)
2986 {
2987 	unsigned int oui;
2988 
2989 	if (pos[1] < 4) {
2990 		wpa_printf(MSG_MSGDUMP,
2991 			   "Too short vendor specific IE ignored (len=%u)",
2992 			   pos[1]);
2993 		return;
2994 	}
2995 
2996 	oui = WPA_GET_BE24(&pos[2]);
2997 	if (oui == OUI_MICROSOFT && pos[5] == WMM_OUI_TYPE && pos[1] > 4) {
2998 		if (pos[6] == WMM_OUI_SUBTYPE_INFORMATION_ELEMENT) {
2999 			ie->wmm = &pos[2];
3000 			ie->wmm_len = pos[1];
3001 			wpa_hexdump(MSG_DEBUG, "WPA: WMM IE",
3002 				    ie->wmm, ie->wmm_len);
3003 		} else if (pos[6] == WMM_OUI_SUBTYPE_PARAMETER_ELEMENT) {
3004 			ie->wmm = &pos[2];
3005 			ie->wmm_len = pos[1];
3006 			wpa_hexdump(MSG_DEBUG, "WPA: WMM Parameter Element",
3007 				    ie->wmm, ie->wmm_len);
3008 		}
3009 	}
3010 }
3011 
3012 
3013 /**
3014  * wpa_parse_generic - Parse EAPOL-Key Key Data Generic IEs
3015  * @pos: Pointer to the IE header
3016  * @ie: Pointer to parsed IE data
3017  * Returns: 0 on success, 1 if end mark is found, 2 if KDE is not recognized
3018  */
3019 static int wpa_parse_generic(const u8 *pos, struct wpa_eapol_ie_parse *ie)
3020 {
3021 	if (pos[1] == 0)
3022 		return 1;
3023 
3024 	if (pos[1] >= 6 &&
3025 	    RSN_SELECTOR_GET(pos + 2) == WPA_OUI_TYPE &&
3026 	    pos[2 + WPA_SELECTOR_LEN] == 1 &&
3027 	    pos[2 + WPA_SELECTOR_LEN + 1] == 0) {
3028 		ie->wpa_ie = pos;
3029 		ie->wpa_ie_len = pos[1] + 2;
3030 		wpa_hexdump(MSG_DEBUG, "WPA: WPA IE in EAPOL-Key",
3031 			    ie->wpa_ie, ie->wpa_ie_len);
3032 		return 0;
3033 	}
3034 
3035 	if (pos[1] >= 4 && WPA_GET_BE32(pos + 2) == OSEN_IE_VENDOR_TYPE) {
3036 		ie->osen = pos;
3037 		ie->osen_len = pos[1] + 2;
3038 		return 0;
3039 	}
3040 
3041 	if (pos[1] >= RSN_SELECTOR_LEN + PMKID_LEN &&
3042 	    RSN_SELECTOR_GET(pos + 2) == RSN_KEY_DATA_PMKID) {
3043 		ie->pmkid = pos + 2 + RSN_SELECTOR_LEN;
3044 		wpa_hexdump(MSG_DEBUG, "WPA: PMKID in EAPOL-Key",
3045 			    pos, pos[1] + 2);
3046 		return 0;
3047 	}
3048 
3049 	if (pos[1] >= RSN_SELECTOR_LEN + 2 &&
3050 	    RSN_SELECTOR_GET(pos + 2) == RSN_KEY_DATA_KEYID) {
3051 		ie->key_id = pos + 2 + RSN_SELECTOR_LEN;
3052 		wpa_hexdump(MSG_DEBUG, "WPA: KeyID in EAPOL-Key",
3053 			    pos, pos[1] + 2);
3054 		return 0;
3055 	}
3056 
3057 	if (pos[1] > RSN_SELECTOR_LEN + 2 &&
3058 	    RSN_SELECTOR_GET(pos + 2) == RSN_KEY_DATA_GROUPKEY) {
3059 		ie->gtk = pos + 2 + RSN_SELECTOR_LEN;
3060 		ie->gtk_len = pos[1] - RSN_SELECTOR_LEN;
3061 		wpa_hexdump_key(MSG_DEBUG, "WPA: GTK in EAPOL-Key",
3062 				pos, pos[1] + 2);
3063 		return 0;
3064 	}
3065 
3066 	if (pos[1] > RSN_SELECTOR_LEN + 2 &&
3067 	    RSN_SELECTOR_GET(pos + 2) == RSN_KEY_DATA_MAC_ADDR) {
3068 		ie->mac_addr = pos + 2 + RSN_SELECTOR_LEN;
3069 		ie->mac_addr_len = pos[1] - RSN_SELECTOR_LEN;
3070 		wpa_hexdump(MSG_DEBUG, "WPA: MAC Address in EAPOL-Key",
3071 			    pos, pos[1] + 2);
3072 		return 0;
3073 	}
3074 
3075 	if (pos[1] > RSN_SELECTOR_LEN + 2 &&
3076 	    RSN_SELECTOR_GET(pos + 2) == RSN_KEY_DATA_IGTK) {
3077 		ie->igtk = pos + 2 + RSN_SELECTOR_LEN;
3078 		ie->igtk_len = pos[1] - RSN_SELECTOR_LEN;
3079 		wpa_hexdump_key(MSG_DEBUG, "WPA: IGTK in EAPOL-Key",
3080 				pos, pos[1] + 2);
3081 		return 0;
3082 	}
3083 
3084 	if (pos[1] > RSN_SELECTOR_LEN + 2 &&
3085 	    RSN_SELECTOR_GET(pos + 2) == RSN_KEY_DATA_BIGTK) {
3086 		ie->bigtk = pos + 2 + RSN_SELECTOR_LEN;
3087 		ie->bigtk_len = pos[1] - RSN_SELECTOR_LEN;
3088 		wpa_hexdump_key(MSG_DEBUG, "WPA: BIGTK in EAPOL-Key",
3089 				pos, pos[1] + 2);
3090 		return 0;
3091 	}
3092 
3093 	if (pos[1] >= RSN_SELECTOR_LEN + 1 &&
3094 	    RSN_SELECTOR_GET(pos + 2) == WFA_KEY_DATA_IP_ADDR_REQ) {
3095 		ie->ip_addr_req = pos + 2 + RSN_SELECTOR_LEN;
3096 		wpa_hexdump(MSG_DEBUG, "WPA: IP Address Request in EAPOL-Key",
3097 			    ie->ip_addr_req, pos[1] - RSN_SELECTOR_LEN);
3098 		return 0;
3099 	}
3100 
3101 	if (pos[1] >= RSN_SELECTOR_LEN + 3 * 4 &&
3102 	    RSN_SELECTOR_GET(pos + 2) == WFA_KEY_DATA_IP_ADDR_ALLOC) {
3103 		ie->ip_addr_alloc = pos + 2 + RSN_SELECTOR_LEN;
3104 		wpa_hexdump(MSG_DEBUG,
3105 			    "WPA: IP Address Allocation in EAPOL-Key",
3106 			    ie->ip_addr_alloc, pos[1] - RSN_SELECTOR_LEN);
3107 		return 0;
3108 	}
3109 
3110 	if (pos[1] > RSN_SELECTOR_LEN + 2 &&
3111 	    RSN_SELECTOR_GET(pos + 2) == RSN_KEY_DATA_OCI) {
3112 		ie->oci = pos + 2 + RSN_SELECTOR_LEN;
3113 		ie->oci_len = pos[1] - RSN_SELECTOR_LEN;
3114 		wpa_hexdump(MSG_DEBUG, "WPA: OCI KDE in EAPOL-Key",
3115 			    pos, pos[1] + 2);
3116 		return 0;
3117 	}
3118 
3119 	if (pos[1] >= RSN_SELECTOR_LEN + 1 &&
3120 	    RSN_SELECTOR_GET(pos + 2) == WFA_KEY_DATA_TRANSITION_DISABLE) {
3121 		ie->transition_disable = pos + 2 + RSN_SELECTOR_LEN;
3122 		ie->transition_disable_len = pos[1] - RSN_SELECTOR_LEN;
3123 		wpa_hexdump(MSG_DEBUG,
3124 			    "WPA: Transition Disable KDE in EAPOL-Key",
3125 			    pos, pos[1] + 2);
3126 		return 0;
3127 	}
3128 
3129 	if (pos[1] >= RSN_SELECTOR_LEN + 2 &&
3130 	    RSN_SELECTOR_GET(pos + 2) == WFA_KEY_DATA_DPP) {
3131 		ie->dpp_kde = pos + 2 + RSN_SELECTOR_LEN;
3132 		ie->dpp_kde_len = pos[1] - RSN_SELECTOR_LEN;
3133 		wpa_hexdump(MSG_DEBUG, "WPA: DPP KDE in EAPOL-Key",
3134 			    pos, pos[1] + 2);
3135 		return 0;
3136 	}
3137 
3138 	return 2;
3139 }
3140 
3141 
3142 /**
3143  * wpa_parse_kde_ies - Parse EAPOL-Key Key Data IEs
3144  * @buf: Pointer to the Key Data buffer
3145  * @len: Key Data Length
3146  * @ie: Pointer to parsed IE data
3147  * Returns: 0 on success, -1 on failure
3148  */
3149 int wpa_parse_kde_ies(const u8 *buf, size_t len, struct wpa_eapol_ie_parse *ie)
3150 {
3151 	const u8 *pos, *end;
3152 	int ret = 0;
3153 
3154 	os_memset(ie, 0, sizeof(*ie));
3155 	for (pos = buf, end = pos + len; end - pos > 1; pos += 2 + pos[1]) {
3156 		if (pos[0] == 0xdd &&
3157 		    ((pos == buf + len - 1) || pos[1] == 0)) {
3158 			/* Ignore padding */
3159 			break;
3160 		}
3161 		if (2 + pos[1] > end - pos) {
3162 			wpa_printf(MSG_DEBUG,
3163 				   "WPA: EAPOL-Key Key Data underflow (ie=%d len=%d pos=%d)",
3164 				   pos[0], pos[1], (int) (pos - buf));
3165 			wpa_hexdump_key(MSG_DEBUG, "WPA: Key Data", buf, len);
3166 			ret = -1;
3167 			break;
3168 		}
3169 		if (*pos == WLAN_EID_RSN) {
3170 			ie->rsn_ie = pos;
3171 			ie->rsn_ie_len = pos[1] + 2;
3172 			wpa_hexdump(MSG_DEBUG, "WPA: RSN IE in EAPOL-Key",
3173 				    ie->rsn_ie, ie->rsn_ie_len);
3174 		} else if (*pos == WLAN_EID_RSNX) {
3175 			ie->rsnxe = pos;
3176 			ie->rsnxe_len = pos[1] + 2;
3177 			wpa_hexdump(MSG_DEBUG, "WPA: RSNXE in EAPOL-Key",
3178 				    ie->rsnxe, ie->rsnxe_len);
3179 		} else if (*pos == WLAN_EID_MOBILITY_DOMAIN) {
3180 			ie->mdie = pos;
3181 			ie->mdie_len = pos[1] + 2;
3182 			wpa_hexdump(MSG_DEBUG, "WPA: MDIE in EAPOL-Key",
3183 				    ie->mdie, ie->mdie_len);
3184 		} else if (*pos == WLAN_EID_FAST_BSS_TRANSITION) {
3185 			ie->ftie = pos;
3186 			ie->ftie_len = pos[1] + 2;
3187 			wpa_hexdump(MSG_DEBUG, "WPA: FTIE in EAPOL-Key",
3188 				    ie->ftie, ie->ftie_len);
3189 		} else if (*pos == WLAN_EID_TIMEOUT_INTERVAL && pos[1] >= 5) {
3190 			if (pos[2] == WLAN_TIMEOUT_REASSOC_DEADLINE) {
3191 				ie->reassoc_deadline = pos;
3192 				wpa_hexdump(MSG_DEBUG, "WPA: Reassoc Deadline "
3193 					    "in EAPOL-Key",
3194 					    ie->reassoc_deadline, pos[1] + 2);
3195 			} else if (pos[2] == WLAN_TIMEOUT_KEY_LIFETIME) {
3196 				ie->key_lifetime = pos;
3197 				wpa_hexdump(MSG_DEBUG, "WPA: KeyLifetime "
3198 					    "in EAPOL-Key",
3199 					    ie->key_lifetime, pos[1] + 2);
3200 			} else {
3201 				wpa_hexdump(MSG_DEBUG, "WPA: Unrecognized "
3202 					    "EAPOL-Key Key Data IE",
3203 					    pos, 2 + pos[1]);
3204 			}
3205 		} else if (*pos == WLAN_EID_LINK_ID) {
3206 			if (pos[1] >= 18) {
3207 				ie->lnkid = pos;
3208 				ie->lnkid_len = pos[1] + 2;
3209 			}
3210 		} else if (*pos == WLAN_EID_EXT_CAPAB) {
3211 			ie->ext_capab = pos;
3212 			ie->ext_capab_len = pos[1] + 2;
3213 		} else if (*pos == WLAN_EID_SUPP_RATES) {
3214 			ie->supp_rates = pos;
3215 			ie->supp_rates_len = pos[1] + 2;
3216 		} else if (*pos == WLAN_EID_EXT_SUPP_RATES) {
3217 			ie->ext_supp_rates = pos;
3218 			ie->ext_supp_rates_len = pos[1] + 2;
3219 		} else if (*pos == WLAN_EID_HT_CAP &&
3220 			   pos[1] >= sizeof(struct ieee80211_ht_capabilities)) {
3221 			ie->ht_capabilities = pos + 2;
3222 		} else if (*pos == WLAN_EID_VHT_AID) {
3223 			if (pos[1] >= 2)
3224 				ie->aid = WPA_GET_LE16(pos + 2) & 0x3fff;
3225 		} else if (*pos == WLAN_EID_VHT_CAP &&
3226 			   pos[1] >= sizeof(struct ieee80211_vht_capabilities))
3227 		{
3228 			ie->vht_capabilities = pos + 2;
3229 		} else if (*pos == WLAN_EID_EXTENSION &&
3230 			   pos[1] >= 1 + IEEE80211_HE_CAPAB_MIN_LEN &&
3231 			   pos[2] == WLAN_EID_EXT_HE_CAPABILITIES) {
3232 			ie->he_capabilities = pos + 3;
3233 			ie->he_capab_len = pos[1] - 1;
3234 		} else if (*pos == WLAN_EID_EXTENSION &&
3235 			   pos[1] >= 1 +
3236 			   sizeof(struct ieee80211_he_6ghz_band_cap) &&
3237 			   pos[2] == WLAN_EID_EXT_HE_6GHZ_BAND_CAP) {
3238 			ie->he_6ghz_capabilities = pos + 3;
3239 		} else if (*pos == WLAN_EID_QOS && pos[1] >= 1) {
3240 			ie->qosinfo = pos[2];
3241 		} else if (*pos == WLAN_EID_SUPPORTED_CHANNELS) {
3242 			ie->supp_channels = pos + 2;
3243 			ie->supp_channels_len = pos[1];
3244 		} else if (*pos == WLAN_EID_SUPPORTED_OPERATING_CLASSES) {
3245 			/*
3246 			 * The value of the Length field of the Supported
3247 			 * Operating Classes element is between 2 and 253.
3248 			 * Silently skip invalid elements to avoid interop
3249 			 * issues when trying to use the value.
3250 			 */
3251 			if (pos[1] >= 2 && pos[1] <= 253) {
3252 				ie->supp_oper_classes = pos + 2;
3253 				ie->supp_oper_classes_len = pos[1];
3254 			}
3255 		} else if (*pos == WLAN_EID_VENDOR_SPECIFIC) {
3256 			ret = wpa_parse_generic(pos, ie);
3257 			if (ret == 1) {
3258 				/* end mark found */
3259 				ret = 0;
3260 				break;
3261 			}
3262 
3263 			if (ret == 2) {
3264 				/* not a known KDE */
3265 				wpa_parse_vendor_specific(pos, end, ie);
3266 			}
3267 
3268 			ret = 0;
3269 		} else {
3270 			wpa_hexdump(MSG_DEBUG,
3271 				    "WPA: Unrecognized EAPOL-Key Key Data IE",
3272 				    pos, 2 + pos[1]);
3273 		}
3274 	}
3275 
3276 	return ret;
3277 }
3278 
3279 
3280 #ifdef CONFIG_PASN
3281 
3282 /*
3283  * wpa_pasn_build_auth_header - Add the MAC header and initialize Authentication
3284  * frame for PASN
3285  *
3286  * @buf: Buffer in which the header will be added
3287  * @bssid: The BSSID of the AP
3288  * @src: Source address
3289  * @dst: Destination address
3290  * @trans_seq: Authentication transaction sequence number
3291  * @status: Authentication status
3292  */
3293 void wpa_pasn_build_auth_header(struct wpabuf *buf, const u8 *bssid,
3294 				const u8 *src, const u8 *dst,
3295 				u8 trans_seq, u16 status)
3296 {
3297 	struct ieee80211_mgmt *auth;
3298 
3299 	wpa_printf(MSG_DEBUG, "PASN: Add authentication header. trans_seq=%u",
3300 		   trans_seq);
3301 
3302 	auth = wpabuf_put(buf, offsetof(struct ieee80211_mgmt,
3303 					u.auth.variable));
3304 
3305 	auth->frame_control = host_to_le16((WLAN_FC_TYPE_MGMT << 2) |
3306 					   (WLAN_FC_STYPE_AUTH << 4));
3307 
3308 	os_memcpy(auth->da, dst, ETH_ALEN);
3309 	os_memcpy(auth->sa, src, ETH_ALEN);
3310 	os_memcpy(auth->bssid, bssid, ETH_ALEN);
3311 	auth->seq_ctrl = 0;
3312 
3313 	auth->u.auth.auth_alg = host_to_le16(WLAN_AUTH_PASN);
3314 	auth->u.auth.auth_transaction = host_to_le16(trans_seq);
3315 	auth->u.auth.status_code = host_to_le16(status);
3316 }
3317 
3318 
3319 /*
3320  * wpa_pasn_add_rsne - Add an RSNE for PASN authentication
3321  * @buf: Buffer in which the IE will be added
3322  * @pmkid: Optional PMKID. Can be NULL.
3323  * @akmp: Authentication and key management protocol
3324  * @cipher: The cipher suite
3325  */
3326 int wpa_pasn_add_rsne(struct wpabuf *buf, const u8 *pmkid, int akmp, int cipher)
3327 {
3328 	struct rsn_ie_hdr *hdr;
3329 	u32 suite;
3330 	u16 capab;
3331 	u8 *pos;
3332 	u8 rsne_len;
3333 
3334 	wpa_printf(MSG_DEBUG, "PASN: Add RSNE");
3335 
3336 	rsne_len = sizeof(*hdr) + RSN_SELECTOR_LEN +
3337 		2 + RSN_SELECTOR_LEN + 2 + RSN_SELECTOR_LEN +
3338 		2 + RSN_SELECTOR_LEN + 2 + (pmkid ? PMKID_LEN : 0);
3339 
3340 	if (wpabuf_tailroom(buf) < rsne_len)
3341 		return -1;
3342 	hdr = wpabuf_put(buf, rsne_len);
3343 	hdr->elem_id = WLAN_EID_RSN;
3344 	hdr->len = rsne_len - 2;
3345 	WPA_PUT_LE16(hdr->version, RSN_VERSION);
3346 	pos = (u8 *) (hdr + 1);
3347 
3348 	/* Group addressed data is not allowed */
3349 	RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED);
3350 	pos += RSN_SELECTOR_LEN;
3351 
3352 	/* Add the pairwise cipher */
3353 	WPA_PUT_LE16(pos, 1);
3354 	pos += 2;
3355 	suite = wpa_cipher_to_suite(WPA_PROTO_RSN, cipher);
3356 	RSN_SELECTOR_PUT(pos, suite);
3357 	pos += RSN_SELECTOR_LEN;
3358 
3359 	/* Add the AKM suite */
3360 	WPA_PUT_LE16(pos, 1);
3361 	pos += 2;
3362 
3363 	switch (akmp) {
3364 	case WPA_KEY_MGMT_PASN:
3365 		RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_PASN);
3366 		break;
3367 #ifdef CONFIG_SAE
3368 	case WPA_KEY_MGMT_SAE:
3369 		RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_SAE);
3370 		break;
3371 #endif /* CONFIG_SAE */
3372 #ifdef CONFIG_FILS
3373 	case WPA_KEY_MGMT_FILS_SHA256:
3374 		RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FILS_SHA256);
3375 		break;
3376 	case WPA_KEY_MGMT_FILS_SHA384:
3377 		RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FILS_SHA384);
3378 		break;
3379 #endif /* CONFIG_FILS */
3380 #ifdef CONFIG_IEEE80211R
3381 	case WPA_KEY_MGMT_FT_PSK:
3382 		RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_PSK);
3383 		break;
3384 	case WPA_KEY_MGMT_FT_IEEE8021X:
3385 		RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_802_1X);
3386 		break;
3387 	case WPA_KEY_MGMT_FT_IEEE8021X_SHA384:
3388 		RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_802_1X_SHA384);
3389 		break;
3390 #endif /* CONFIG_IEEE80211R */
3391 	default:
3392 		wpa_printf(MSG_ERROR, "PASN: Invalid AKMP=0x%x", akmp);
3393 		return -1;
3394 	}
3395 	pos += RSN_SELECTOR_LEN;
3396 
3397 	/* RSN Capabilities: PASN mandates both MFP capable and required */
3398 	capab = WPA_CAPABILITY_MFPC | WPA_CAPABILITY_MFPR;
3399 	WPA_PUT_LE16(pos, capab);
3400 	pos += 2;
3401 
3402 	if (pmkid) {
3403 		wpa_printf(MSG_DEBUG, "PASN: Adding PMKID");
3404 
3405 		WPA_PUT_LE16(pos, 1);
3406 		pos += 2;
3407 		os_memcpy(pos, pmkid, PMKID_LEN);
3408 		pos += PMKID_LEN;
3409 	} else {
3410 		WPA_PUT_LE16(pos, 0);
3411 		pos += 2;
3412 	}
3413 
3414 	/* Group addressed management is not allowed */
3415 	RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED);
3416 
3417 	return 0;
3418 }
3419 
3420 
3421 /*
3422  * wpa_pasn_add_parameter_ie - Add PASN Parameters IE for PASN authentication
3423  * @buf: Buffer in which the IE will be added
3424  * @pasn_group: Finite Cyclic Group ID for PASN authentication
3425  * @wrapped_data_format: Format of the data in the Wrapped Data IE
3426  * @pubkey: A buffer holding the local public key. Can be NULL
3427  * @compressed: In case pubkey is included, indicates if the public key is
3428  *     compressed (only x coordinate is included) or not (both x and y
3429  *     coordinates are included)
3430  * @comeback: A buffer holding the comeback token. Can be NULL
3431  * @after: If comeback is set, defined the comeback time in seconds. -1 to not
3432  *	include the Comeback After field (frames from non-AP STA).
3433  */
3434 void wpa_pasn_add_parameter_ie(struct wpabuf *buf, u16 pasn_group,
3435 			       u8 wrapped_data_format,
3436 			       const struct wpabuf *pubkey, bool compressed,
3437 			       const struct wpabuf *comeback, int after)
3438 {
3439 	struct pasn_parameter_ie *params;
3440 
3441 	wpa_printf(MSG_DEBUG, "PASN: Add PASN Parameters element");
3442 
3443 	params = wpabuf_put(buf, sizeof(*params));
3444 
3445 	params->id = WLAN_EID_EXTENSION;
3446 	params->len = sizeof(*params) - 2;
3447 	params->id_ext = WLAN_EID_EXT_PASN_PARAMS;
3448 	params->control = 0;
3449 	params->wrapped_data_format = wrapped_data_format;
3450 
3451 	if (comeback) {
3452 		wpa_printf(MSG_DEBUG, "PASN: Adding comeback data");
3453 
3454 		/*
3455 		 * 2 octets for the 'after' field + 1 octet for the length +
3456 		 * actual cookie data
3457 		 */
3458 		if (after >= 0)
3459 			params->len += 2;
3460 		params->len += 1 + wpabuf_len(comeback);
3461 		params->control |= WPA_PASN_CTRL_COMEBACK_INFO_PRESENT;
3462 
3463 		if (after >= 0)
3464 			wpabuf_put_le16(buf, after);
3465 		wpabuf_put_u8(buf, wpabuf_len(comeback));
3466 		wpabuf_put_buf(buf, comeback);
3467 	}
3468 
3469 	if (pubkey) {
3470 		wpa_printf(MSG_DEBUG,
3471 			   "PASN: Adding public key and group ID %u",
3472 			   pasn_group);
3473 
3474 		/*
3475 		 * 2 octets for the finite cyclic group + 2 octets public key
3476 		 * length + 1 octet for the compressed/uncompressed indication +
3477 		 * the actual key.
3478 		 */
3479 		params->len += 2 + 1 + 1 + wpabuf_len(pubkey);
3480 		params->control |= WPA_PASN_CTRL_GROUP_AND_KEY_PRESENT;
3481 
3482 		wpabuf_put_le16(buf, pasn_group);
3483 
3484 		/*
3485 		 * The first octet indicates whether the public key is
3486 		 * compressed, as defined in RFC 5480 section 2.2.
3487 		 */
3488 		wpabuf_put_u8(buf, wpabuf_len(pubkey) + 1);
3489 		wpabuf_put_u8(buf, compressed ? WPA_PASN_PUBKEY_COMPRESSED_0 :
3490 			      WPA_PASN_PUBKEY_UNCOMPRESSED);
3491 
3492 		wpabuf_put_buf(buf, pubkey);
3493 	}
3494 }
3495 
3496 /*
3497  * wpa_pasn_add_wrapped_data - Add a Wrapped Data IE to PASN Authentication
3498  * frame. If needed, the Wrapped Data IE would be fragmented.
3499  *
3500  * @buf: Buffer in which the IE will be added
3501  * @wrapped_data_buf: Buffer holding the wrapped data
3502  */
3503 int wpa_pasn_add_wrapped_data(struct wpabuf *buf,
3504 			      struct wpabuf *wrapped_data_buf)
3505 {
3506 	const u8 *data;
3507 	size_t data_len;
3508 	u8 len;
3509 
3510 	if (!wrapped_data_buf)
3511 		return 0;
3512 
3513 	wpa_printf(MSG_DEBUG, "PASN: Add wrapped data");
3514 
3515 	data = wpabuf_head_u8(wrapped_data_buf);
3516 	data_len = wpabuf_len(wrapped_data_buf);
3517 
3518 	/* nothing to add */
3519 	if (!data_len)
3520 		return 0;
3521 
3522 	if (data_len <= 254)
3523 		len = 1 + data_len;
3524 	else
3525 		len = 255;
3526 
3527 	if (wpabuf_tailroom(buf) < 3 + data_len)
3528 		return -1;
3529 
3530 	wpabuf_put_u8(buf, WLAN_EID_EXTENSION);
3531 	wpabuf_put_u8(buf, len);
3532 	wpabuf_put_u8(buf, WLAN_EID_EXT_WRAPPED_DATA);
3533 	wpabuf_put_data(buf, data, len - 1);
3534 
3535 	data += len - 1;
3536 	data_len -= len - 1;
3537 
3538 	while (data_len) {
3539 		if (wpabuf_tailroom(buf) < 1 + data_len)
3540 			return -1;
3541 		wpabuf_put_u8(buf, WLAN_EID_FRAGMENT);
3542 		len = data_len > 255 ? 255 : data_len;
3543 		wpabuf_put_u8(buf, len);
3544 		wpabuf_put_data(buf, data, len);
3545 		data += len;
3546 		data_len -= len;
3547 	}
3548 
3549 	return 0;
3550 }
3551 
3552 
3553 /*
3554  * wpa_pasn_validate_rsne - Validate PSAN specific data of RSNE
3555  * @data: Parsed representation of an RSNE
3556  * Returns -1 for invalid data; otherwise 0
3557  */
3558 int wpa_pasn_validate_rsne(const struct wpa_ie_data *data)
3559 {
3560 	u16 capab = WPA_CAPABILITY_MFPC | WPA_CAPABILITY_MFPR;
3561 
3562 	if (data->proto != WPA_PROTO_RSN)
3563 		return -1;
3564 
3565 	if ((data->capabilities & capab) != capab) {
3566 		wpa_printf(MSG_DEBUG, "PASN: Invalid RSNE capabilities");
3567 		return -1;
3568 	}
3569 
3570 	if (!data->has_group || data->group_cipher != WPA_CIPHER_GTK_NOT_USED) {
3571 		wpa_printf(MSG_DEBUG, "PASN: Invalid group data cipher");
3572 		return -1;
3573 	}
3574 
3575 	if (!data->has_pairwise || !data->pairwise_cipher ||
3576 	    (data->pairwise_cipher & (data->pairwise_cipher - 1))) {
3577 		wpa_printf(MSG_DEBUG, "PASN: No valid pairwise suite");
3578 		return -1;
3579 	}
3580 
3581 	switch (data->key_mgmt) {
3582 #ifdef CONFIG_SAE
3583 	case WPA_KEY_MGMT_SAE:
3584 	/* fall through */
3585 #endif /* CONFIG_SAE */
3586 #ifdef CONFIG_FILS
3587 	case WPA_KEY_MGMT_FILS_SHA256:
3588 	case WPA_KEY_MGMT_FILS_SHA384:
3589 	/* fall through */
3590 #endif /* CONFIG_FILS */
3591 #ifdef CONFIG_IEEE80211R
3592 	case WPA_KEY_MGMT_FT_PSK:
3593 	case WPA_KEY_MGMT_FT_IEEE8021X:
3594 	case WPA_KEY_MGMT_FT_IEEE8021X_SHA384:
3595 	/* fall through */
3596 #endif /* CONFIG_IEEE80211R */
3597 	case WPA_KEY_MGMT_PASN:
3598 		break;
3599 	default:
3600 		wpa_printf(MSG_ERROR, "PASN: invalid key_mgmt: 0x%0x",
3601 			   data->key_mgmt);
3602 		return -1;
3603 	}
3604 
3605 	if (data->mgmt_group_cipher != WPA_CIPHER_GTK_NOT_USED) {
3606 		wpa_printf(MSG_DEBUG, "PASN: Invalid group mgmt cipher");
3607 		return -1;
3608 	}
3609 
3610 	if (data->num_pmkid > 1) {
3611 		wpa_printf(MSG_DEBUG, "PASN: Invalid number of PMKIDs");
3612 		return -1;
3613 	}
3614 
3615 	return 0;
3616 }
3617 
3618 
3619 /*
3620  * wpa_pasn_parse_parameter_ie - Validates PASN Parameters IE
3621  * @data: Pointer to the PASN Parameters IE (starting with the EID).
3622  * @len: Length of the data in the PASN Parameters IE
3623  * @from_ap: Whether this was received from an AP
3624  * @pasn_params: On successful return would hold the parsed PASN parameters.
3625  * Returns: -1 for invalid data; otherwise 0
3626  *
3627  * Note: On successful return, the pointers in &pasn_params point to the data in
3628  * the IE and are not locally allocated (so they should not be freed etc.).
3629  */
3630 int wpa_pasn_parse_parameter_ie(const u8 *data, u8 len, bool from_ap,
3631 				struct wpa_pasn_params_data *pasn_params)
3632 {
3633 	struct pasn_parameter_ie *params = (struct pasn_parameter_ie *) data;
3634 	const u8 *pos = (const u8 *) (params + 1);
3635 
3636 	if (!pasn_params) {
3637 		wpa_printf(MSG_DEBUG, "PASN: Invalid params");
3638 		return -1;
3639 	}
3640 
3641 	if (!params || ((size_t) (params->len + 2) < sizeof(*params)) ||
3642 	    len < sizeof(*params) || params->len + 2 != len) {
3643 		wpa_printf(MSG_DEBUG,
3644 			   "PASN: Invalid parameters IE. len=(%u, %u)",
3645 			   params ? params->len : 0, len);
3646 		return -1;
3647 	}
3648 
3649 	os_memset(pasn_params, 0, sizeof(*pasn_params));
3650 
3651 	switch (params->wrapped_data_format) {
3652 	case WPA_PASN_WRAPPED_DATA_NO:
3653 	case WPA_PASN_WRAPPED_DATA_SAE:
3654 	case WPA_PASN_WRAPPED_DATA_FILS_SK:
3655 	case WPA_PASN_WRAPPED_DATA_FT:
3656 		break;
3657 	default:
3658 		wpa_printf(MSG_DEBUG, "PASN: Invalid wrapped data format");
3659 		return -1;
3660 	}
3661 
3662 	pasn_params->wrapped_data_format = params->wrapped_data_format;
3663 
3664 	len -= sizeof(*params);
3665 
3666 	if (params->control & WPA_PASN_CTRL_COMEBACK_INFO_PRESENT) {
3667 		if (from_ap) {
3668 			if (len < 2) {
3669 				wpa_printf(MSG_DEBUG,
3670 					   "PASN: Invalid Parameters IE: Truncated Comeback After");
3671 				return -1;
3672 			}
3673 			pasn_params->after = WPA_GET_LE16(pos);
3674 			pos += 2;
3675 			len -= 2;
3676 		}
3677 
3678 		if (len < 1 || len < 1 + *pos) {
3679 			wpa_printf(MSG_DEBUG,
3680 				   "PASN: Invalid Parameters IE: comeback len");
3681 			return -1;
3682 		}
3683 
3684 		pasn_params->comeback_len = *pos++;
3685 		len--;
3686 		pasn_params->comeback = pos;
3687 		len -=  pasn_params->comeback_len;
3688 		pos += pasn_params->comeback_len;
3689 	}
3690 
3691 	if (params->control & WPA_PASN_CTRL_GROUP_AND_KEY_PRESENT) {
3692 		if (len < 3 || len < 3 + pos[2]) {
3693 			wpa_printf(MSG_DEBUG,
3694 				   "PASN: Invalid Parameters IE: group and key");
3695 			return -1;
3696 		}
3697 
3698 		pasn_params->group = WPA_GET_LE16(pos);
3699 		pos += 2;
3700 		len -= 2;
3701 		pasn_params->pubkey_len = *pos++;
3702 		len--;
3703 		pasn_params->pubkey = pos;
3704 		len -= pasn_params->pubkey_len;
3705 		pos += pasn_params->pubkey_len;
3706 	}
3707 
3708 	if (len) {
3709 		wpa_printf(MSG_DEBUG,
3710 			   "PASN: Invalid Parameters IE. Bytes left=%u", len);
3711 		return -1;
3712 	}
3713 
3714 	return 0;
3715 }
3716 
3717 
3718 void wpa_pasn_add_rsnxe(struct wpabuf *buf, u16 capab)
3719 {
3720 	size_t flen;
3721 
3722 	flen = (capab & 0xff00) ? 2 : 1;
3723 	if (!capab)
3724 		return; /* no supported extended RSN capabilities */
3725 	if (wpabuf_tailroom(buf) < 2 + flen)
3726 		return;
3727 	capab |= flen - 1; /* bit 0-3 = Field length (n - 1) */
3728 
3729 	wpabuf_put_u8(buf, WLAN_EID_RSNX);
3730 	wpabuf_put_u8(buf, flen);
3731 	wpabuf_put_u8(buf, capab & 0x00ff);
3732 	capab >>= 8;
3733 	if (capab)
3734 		wpabuf_put_u8(buf, capab);
3735 }
3736 
3737 #endif /* CONFIG_PASN */
3738