xref: /freebsd/contrib/wpa/src/common/wpa_common.c (revision d3d381b2b194b4d24853e92eecef55f262688d1a)
1 /*
2  * WPA/RSN - Shared functions for supplicant and authenticator
3  * Copyright (c) 2002-2015, Jouni Malinen <j@w1.fi>
4  *
5  * This software may be distributed under the terms of the BSD license.
6  * See README for more details.
7  */
8 
9 #include "includes.h"
10 
11 #include "common.h"
12 #include "crypto/md5.h"
13 #include "crypto/sha1.h"
14 #include "crypto/sha256.h"
15 #include "crypto/sha384.h"
16 #include "crypto/aes_wrap.h"
17 #include "crypto/crypto.h"
18 #include "ieee802_11_defs.h"
19 #include "defs.h"
20 #include "wpa_common.h"
21 
22 
23 static unsigned int wpa_kck_len(int akmp)
24 {
25 	if (akmp == WPA_KEY_MGMT_IEEE8021X_SUITE_B_192)
26 		return 24;
27 	return 16;
28 }
29 
30 
31 static unsigned int wpa_kek_len(int akmp)
32 {
33 	if (akmp == WPA_KEY_MGMT_IEEE8021X_SUITE_B_192)
34 		return 32;
35 	return 16;
36 }
37 
38 
39 unsigned int wpa_mic_len(int akmp)
40 {
41 	if (akmp == WPA_KEY_MGMT_IEEE8021X_SUITE_B_192)
42 		return 24;
43 	return 16;
44 }
45 
46 
47 /**
48  * wpa_eapol_key_mic - Calculate EAPOL-Key MIC
49  * @key: EAPOL-Key Key Confirmation Key (KCK)
50  * @key_len: KCK length in octets
51  * @akmp: WPA_KEY_MGMT_* used in key derivation
52  * @ver: Key descriptor version (WPA_KEY_INFO_TYPE_*)
53  * @buf: Pointer to the beginning of the EAPOL header (version field)
54  * @len: Length of the EAPOL frame (from EAPOL header to the end of the frame)
55  * @mic: Pointer to the buffer to which the EAPOL-Key MIC is written
56  * Returns: 0 on success, -1 on failure
57  *
58  * Calculate EAPOL-Key MIC for an EAPOL-Key packet. The EAPOL-Key MIC field has
59  * to be cleared (all zeroes) when calling this function.
60  *
61  * Note: 'IEEE Std 802.11i-2004 - 8.5.2 EAPOL-Key frames' has an error in the
62  * description of the Key MIC calculation. It includes packet data from the
63  * beginning of the EAPOL-Key header, not EAPOL header. This incorrect change
64  * happened during final editing of the standard and the correct behavior is
65  * defined in the last draft (IEEE 802.11i/D10).
66  */
67 int wpa_eapol_key_mic(const u8 *key, size_t key_len, int akmp, int ver,
68 		      const u8 *buf, size_t len, u8 *mic)
69 {
70 	u8 hash[SHA384_MAC_LEN];
71 
72 	switch (ver) {
73 #ifndef CONFIG_FIPS
74 	case WPA_KEY_INFO_TYPE_HMAC_MD5_RC4:
75 		return hmac_md5(key, key_len, buf, len, mic);
76 #endif /* CONFIG_FIPS */
77 	case WPA_KEY_INFO_TYPE_HMAC_SHA1_AES:
78 		if (hmac_sha1(key, key_len, buf, len, hash))
79 			return -1;
80 		os_memcpy(mic, hash, MD5_MAC_LEN);
81 		break;
82 #if defined(CONFIG_IEEE80211R) || defined(CONFIG_IEEE80211W)
83 	case WPA_KEY_INFO_TYPE_AES_128_CMAC:
84 		return omac1_aes_128(key, buf, len, mic);
85 #endif /* CONFIG_IEEE80211R || CONFIG_IEEE80211W */
86 	case WPA_KEY_INFO_TYPE_AKM_DEFINED:
87 		switch (akmp) {
88 #ifdef CONFIG_HS20
89 		case WPA_KEY_MGMT_OSEN:
90 			return omac1_aes_128(key, buf, len, mic);
91 #endif /* CONFIG_HS20 */
92 #ifdef CONFIG_SUITEB
93 		case WPA_KEY_MGMT_IEEE8021X_SUITE_B:
94 			if (hmac_sha256(key, key_len, buf, len, hash))
95 				return -1;
96 			os_memcpy(mic, hash, MD5_MAC_LEN);
97 			break;
98 #endif /* CONFIG_SUITEB */
99 #ifdef CONFIG_SUITEB192
100 		case WPA_KEY_MGMT_IEEE8021X_SUITE_B_192:
101 			if (hmac_sha384(key, key_len, buf, len, hash))
102 				return -1;
103 			os_memcpy(mic, hash, 24);
104 			break;
105 #endif /* CONFIG_SUITEB192 */
106 		default:
107 			return -1;
108 		}
109 		break;
110 	default:
111 		return -1;
112 	}
113 
114 	return 0;
115 }
116 
117 
118 /**
119  * wpa_pmk_to_ptk - Calculate PTK from PMK, addresses, and nonces
120  * @pmk: Pairwise master key
121  * @pmk_len: Length of PMK
122  * @label: Label to use in derivation
123  * @addr1: AA or SA
124  * @addr2: SA or AA
125  * @nonce1: ANonce or SNonce
126  * @nonce2: SNonce or ANonce
127  * @ptk: Buffer for pairwise transient key
128  * @akmp: Negotiated AKM
129  * @cipher: Negotiated pairwise cipher
130  * Returns: 0 on success, -1 on failure
131  *
132  * IEEE Std 802.11i-2004 - 8.5.1.2 Pairwise key hierarchy
133  * PTK = PRF-X(PMK, "Pairwise key expansion",
134  *             Min(AA, SA) || Max(AA, SA) ||
135  *             Min(ANonce, SNonce) || Max(ANonce, SNonce))
136  *
137  * STK = PRF-X(SMK, "Peer key expansion",
138  *             Min(MAC_I, MAC_P) || Max(MAC_I, MAC_P) ||
139  *             Min(INonce, PNonce) || Max(INonce, PNonce))
140  */
141 int wpa_pmk_to_ptk(const u8 *pmk, size_t pmk_len, const char *label,
142 		   const u8 *addr1, const u8 *addr2,
143 		   const u8 *nonce1, const u8 *nonce2,
144 		   struct wpa_ptk *ptk, int akmp, int cipher)
145 {
146 	u8 data[2 * ETH_ALEN + 2 * WPA_NONCE_LEN];
147 	u8 tmp[WPA_KCK_MAX_LEN + WPA_KEK_MAX_LEN + WPA_TK_MAX_LEN];
148 	size_t ptk_len;
149 
150 	if (os_memcmp(addr1, addr2, ETH_ALEN) < 0) {
151 		os_memcpy(data, addr1, ETH_ALEN);
152 		os_memcpy(data + ETH_ALEN, addr2, ETH_ALEN);
153 	} else {
154 		os_memcpy(data, addr2, ETH_ALEN);
155 		os_memcpy(data + ETH_ALEN, addr1, ETH_ALEN);
156 	}
157 
158 	if (os_memcmp(nonce1, nonce2, WPA_NONCE_LEN) < 0) {
159 		os_memcpy(data + 2 * ETH_ALEN, nonce1, WPA_NONCE_LEN);
160 		os_memcpy(data + 2 * ETH_ALEN + WPA_NONCE_LEN, nonce2,
161 			  WPA_NONCE_LEN);
162 	} else {
163 		os_memcpy(data + 2 * ETH_ALEN, nonce2, WPA_NONCE_LEN);
164 		os_memcpy(data + 2 * ETH_ALEN + WPA_NONCE_LEN, nonce1,
165 			  WPA_NONCE_LEN);
166 	}
167 
168 	ptk->kck_len = wpa_kck_len(akmp);
169 	ptk->kek_len = wpa_kek_len(akmp);
170 	ptk->tk_len = wpa_cipher_key_len(cipher);
171 	ptk_len = ptk->kck_len + ptk->kek_len + ptk->tk_len;
172 
173 #ifdef CONFIG_SUITEB192
174 	if (wpa_key_mgmt_sha384(akmp))
175 		sha384_prf(pmk, pmk_len, label, data, sizeof(data),
176 			   tmp, ptk_len);
177 	else
178 #endif /* CONFIG_SUITEB192 */
179 #ifdef CONFIG_IEEE80211W
180 	if (wpa_key_mgmt_sha256(akmp))
181 		sha256_prf(pmk, pmk_len, label, data, sizeof(data),
182 			   tmp, ptk_len);
183 	else
184 #endif /* CONFIG_IEEE80211W */
185 		sha1_prf(pmk, pmk_len, label, data, sizeof(data), tmp, ptk_len);
186 
187 	wpa_printf(MSG_DEBUG, "WPA: PTK derivation - A1=" MACSTR " A2=" MACSTR,
188 		   MAC2STR(addr1), MAC2STR(addr2));
189 	wpa_hexdump(MSG_DEBUG, "WPA: Nonce1", nonce1, WPA_NONCE_LEN);
190 	wpa_hexdump(MSG_DEBUG, "WPA: Nonce2", nonce2, WPA_NONCE_LEN);
191 	wpa_hexdump_key(MSG_DEBUG, "WPA: PMK", pmk, pmk_len);
192 	wpa_hexdump_key(MSG_DEBUG, "WPA: PTK", tmp, ptk_len);
193 
194 	os_memcpy(ptk->kck, tmp, ptk->kck_len);
195 	wpa_hexdump_key(MSG_DEBUG, "WPA: KCK", ptk->kck, ptk->kck_len);
196 
197 	os_memcpy(ptk->kek, tmp + ptk->kck_len, ptk->kek_len);
198 	wpa_hexdump_key(MSG_DEBUG, "WPA: KEK", ptk->kek, ptk->kek_len);
199 
200 	os_memcpy(ptk->tk, tmp + ptk->kck_len + ptk->kek_len, ptk->tk_len);
201 	wpa_hexdump_key(MSG_DEBUG, "WPA: TK", ptk->tk, ptk->tk_len);
202 
203 	os_memset(tmp, 0, sizeof(tmp));
204 	return 0;
205 }
206 
207 
208 #ifdef CONFIG_IEEE80211R
209 int wpa_ft_mic(const u8 *kck, size_t kck_len, const u8 *sta_addr,
210 	       const u8 *ap_addr, u8 transaction_seqnum,
211 	       const u8 *mdie, size_t mdie_len,
212 	       const u8 *ftie, size_t ftie_len,
213 	       const u8 *rsnie, size_t rsnie_len,
214 	       const u8 *ric, size_t ric_len, u8 *mic)
215 {
216 	const u8 *addr[9];
217 	size_t len[9];
218 	size_t i, num_elem = 0;
219 	u8 zero_mic[16];
220 
221 	if (kck_len != 16) {
222 		wpa_printf(MSG_WARNING, "FT: Unsupported KCK length %u",
223 			   (unsigned int) kck_len);
224 		return -1;
225 	}
226 
227 	addr[num_elem] = sta_addr;
228 	len[num_elem] = ETH_ALEN;
229 	num_elem++;
230 
231 	addr[num_elem] = ap_addr;
232 	len[num_elem] = ETH_ALEN;
233 	num_elem++;
234 
235 	addr[num_elem] = &transaction_seqnum;
236 	len[num_elem] = 1;
237 	num_elem++;
238 
239 	if (rsnie) {
240 		addr[num_elem] = rsnie;
241 		len[num_elem] = rsnie_len;
242 		num_elem++;
243 	}
244 	if (mdie) {
245 		addr[num_elem] = mdie;
246 		len[num_elem] = mdie_len;
247 		num_elem++;
248 	}
249 	if (ftie) {
250 		if (ftie_len < 2 + sizeof(struct rsn_ftie))
251 			return -1;
252 
253 		/* IE hdr and mic_control */
254 		addr[num_elem] = ftie;
255 		len[num_elem] = 2 + 2;
256 		num_elem++;
257 
258 		/* MIC field with all zeros */
259 		os_memset(zero_mic, 0, sizeof(zero_mic));
260 		addr[num_elem] = zero_mic;
261 		len[num_elem] = sizeof(zero_mic);
262 		num_elem++;
263 
264 		/* Rest of FTIE */
265 		addr[num_elem] = ftie + 2 + 2 + 16;
266 		len[num_elem] = ftie_len - (2 + 2 + 16);
267 		num_elem++;
268 	}
269 	if (ric) {
270 		addr[num_elem] = ric;
271 		len[num_elem] = ric_len;
272 		num_elem++;
273 	}
274 
275 	for (i = 0; i < num_elem; i++)
276 		wpa_hexdump(MSG_MSGDUMP, "FT: MIC data", addr[i], len[i]);
277 	if (omac1_aes_128_vector(kck, num_elem, addr, len, mic))
278 		return -1;
279 
280 	return 0;
281 }
282 
283 
284 static int wpa_ft_parse_ftie(const u8 *ie, size_t ie_len,
285 			     struct wpa_ft_ies *parse)
286 {
287 	const u8 *end, *pos;
288 
289 	parse->ftie = ie;
290 	parse->ftie_len = ie_len;
291 
292 	pos = ie + sizeof(struct rsn_ftie);
293 	end = ie + ie_len;
294 
295 	while (end - pos >= 2) {
296 		u8 id, len;
297 
298 		id = *pos++;
299 		len = *pos++;
300 		if (len > end - pos)
301 			break;
302 
303 		switch (id) {
304 		case FTIE_SUBELEM_R1KH_ID:
305 			if (len != FT_R1KH_ID_LEN) {
306 				wpa_printf(MSG_DEBUG,
307 					   "FT: Invalid R1KH-ID length in FTIE: %d",
308 					   len);
309 				return -1;
310 			}
311 			parse->r1kh_id = pos;
312 			break;
313 		case FTIE_SUBELEM_GTK:
314 			parse->gtk = pos;
315 			parse->gtk_len = len;
316 			break;
317 		case FTIE_SUBELEM_R0KH_ID:
318 			if (len < 1 || len > FT_R0KH_ID_MAX_LEN) {
319 				wpa_printf(MSG_DEBUG,
320 					   "FT: Invalid R0KH-ID length in FTIE: %d",
321 					   len);
322 				return -1;
323 			}
324 			parse->r0kh_id = pos;
325 			parse->r0kh_id_len = len;
326 			break;
327 #ifdef CONFIG_IEEE80211W
328 		case FTIE_SUBELEM_IGTK:
329 			parse->igtk = pos;
330 			parse->igtk_len = len;
331 			break;
332 #endif /* CONFIG_IEEE80211W */
333 		}
334 
335 		pos += len;
336 	}
337 
338 	return 0;
339 }
340 
341 
342 int wpa_ft_parse_ies(const u8 *ies, size_t ies_len,
343 		     struct wpa_ft_ies *parse)
344 {
345 	const u8 *end, *pos;
346 	struct wpa_ie_data data;
347 	int ret;
348 	const struct rsn_ftie *ftie;
349 	int prot_ie_count = 0;
350 
351 	os_memset(parse, 0, sizeof(*parse));
352 	if (ies == NULL)
353 		return 0;
354 
355 	pos = ies;
356 	end = ies + ies_len;
357 	while (end - pos >= 2) {
358 		u8 id, len;
359 
360 		id = *pos++;
361 		len = *pos++;
362 		if (len > end - pos)
363 			break;
364 
365 		switch (id) {
366 		case WLAN_EID_RSN:
367 			parse->rsn = pos;
368 			parse->rsn_len = len;
369 			ret = wpa_parse_wpa_ie_rsn(parse->rsn - 2,
370 						   parse->rsn_len + 2,
371 						   &data);
372 			if (ret < 0) {
373 				wpa_printf(MSG_DEBUG, "FT: Failed to parse "
374 					   "RSN IE: %d", ret);
375 				return -1;
376 			}
377 			if (data.num_pmkid == 1 && data.pmkid)
378 				parse->rsn_pmkid = data.pmkid;
379 			break;
380 		case WLAN_EID_MOBILITY_DOMAIN:
381 			if (len < sizeof(struct rsn_mdie))
382 				return -1;
383 			parse->mdie = pos;
384 			parse->mdie_len = len;
385 			break;
386 		case WLAN_EID_FAST_BSS_TRANSITION:
387 			if (len < sizeof(*ftie))
388 				return -1;
389 			ftie = (const struct rsn_ftie *) pos;
390 			prot_ie_count = ftie->mic_control[1];
391 			if (wpa_ft_parse_ftie(pos, len, parse) < 0)
392 				return -1;
393 			break;
394 		case WLAN_EID_TIMEOUT_INTERVAL:
395 			if (len != 5)
396 				break;
397 			parse->tie = pos;
398 			parse->tie_len = len;
399 			break;
400 		case WLAN_EID_RIC_DATA:
401 			if (parse->ric == NULL)
402 				parse->ric = pos - 2;
403 			break;
404 		}
405 
406 		pos += len;
407 	}
408 
409 	if (prot_ie_count == 0)
410 		return 0; /* no MIC */
411 
412 	/*
413 	 * Check that the protected IE count matches with IEs included in the
414 	 * frame.
415 	 */
416 	if (parse->rsn)
417 		prot_ie_count--;
418 	if (parse->mdie)
419 		prot_ie_count--;
420 	if (parse->ftie)
421 		prot_ie_count--;
422 	if (prot_ie_count < 0) {
423 		wpa_printf(MSG_DEBUG, "FT: Some required IEs not included in "
424 			   "the protected IE count");
425 		return -1;
426 	}
427 
428 	if (prot_ie_count == 0 && parse->ric) {
429 		wpa_printf(MSG_DEBUG, "FT: RIC IE(s) in the frame, but not "
430 			   "included in protected IE count");
431 		return -1;
432 	}
433 
434 	/* Determine the end of the RIC IE(s) */
435 	if (parse->ric) {
436 		pos = parse->ric;
437 		while (end - pos >= 2 && 2 + pos[1] <= end - pos &&
438 		       prot_ie_count) {
439 			prot_ie_count--;
440 			pos += 2 + pos[1];
441 		}
442 		parse->ric_len = pos - parse->ric;
443 	}
444 	if (prot_ie_count) {
445 		wpa_printf(MSG_DEBUG, "FT: %d protected IEs missing from "
446 			   "frame", (int) prot_ie_count);
447 		return -1;
448 	}
449 
450 	return 0;
451 }
452 #endif /* CONFIG_IEEE80211R */
453 
454 
455 static int rsn_selector_to_bitfield(const u8 *s)
456 {
457 	if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_NONE)
458 		return WPA_CIPHER_NONE;
459 	if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_TKIP)
460 		return WPA_CIPHER_TKIP;
461 	if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_CCMP)
462 		return WPA_CIPHER_CCMP;
463 #ifdef CONFIG_IEEE80211W
464 	if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_AES_128_CMAC)
465 		return WPA_CIPHER_AES_128_CMAC;
466 #endif /* CONFIG_IEEE80211W */
467 	if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_GCMP)
468 		return WPA_CIPHER_GCMP;
469 	if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_CCMP_256)
470 		return WPA_CIPHER_CCMP_256;
471 	if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_GCMP_256)
472 		return WPA_CIPHER_GCMP_256;
473 	if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_BIP_GMAC_128)
474 		return WPA_CIPHER_BIP_GMAC_128;
475 	if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_BIP_GMAC_256)
476 		return WPA_CIPHER_BIP_GMAC_256;
477 	if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_BIP_CMAC_256)
478 		return WPA_CIPHER_BIP_CMAC_256;
479 	if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED)
480 		return WPA_CIPHER_GTK_NOT_USED;
481 	return 0;
482 }
483 
484 
485 static int rsn_key_mgmt_to_bitfield(const u8 *s)
486 {
487 	if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_UNSPEC_802_1X)
488 		return WPA_KEY_MGMT_IEEE8021X;
489 	if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_PSK_OVER_802_1X)
490 		return WPA_KEY_MGMT_PSK;
491 #ifdef CONFIG_IEEE80211R
492 	if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_FT_802_1X)
493 		return WPA_KEY_MGMT_FT_IEEE8021X;
494 	if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_FT_PSK)
495 		return WPA_KEY_MGMT_FT_PSK;
496 #endif /* CONFIG_IEEE80211R */
497 #ifdef CONFIG_IEEE80211W
498 	if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_802_1X_SHA256)
499 		return WPA_KEY_MGMT_IEEE8021X_SHA256;
500 	if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_PSK_SHA256)
501 		return WPA_KEY_MGMT_PSK_SHA256;
502 #endif /* CONFIG_IEEE80211W */
503 #ifdef CONFIG_SAE
504 	if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_SAE)
505 		return WPA_KEY_MGMT_SAE;
506 	if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_FT_SAE)
507 		return WPA_KEY_MGMT_FT_SAE;
508 #endif /* CONFIG_SAE */
509 	if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_802_1X_SUITE_B)
510 		return WPA_KEY_MGMT_IEEE8021X_SUITE_B;
511 	if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_802_1X_SUITE_B_192)
512 		return WPA_KEY_MGMT_IEEE8021X_SUITE_B_192;
513 	if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_OSEN)
514 		return WPA_KEY_MGMT_OSEN;
515 	return 0;
516 }
517 
518 
519 int wpa_cipher_valid_group(int cipher)
520 {
521 	return wpa_cipher_valid_pairwise(cipher) ||
522 		cipher == WPA_CIPHER_GTK_NOT_USED;
523 }
524 
525 
526 #ifdef CONFIG_IEEE80211W
527 int wpa_cipher_valid_mgmt_group(int cipher)
528 {
529 	return cipher == WPA_CIPHER_AES_128_CMAC ||
530 		cipher == WPA_CIPHER_BIP_GMAC_128 ||
531 		cipher == WPA_CIPHER_BIP_GMAC_256 ||
532 		cipher == WPA_CIPHER_BIP_CMAC_256;
533 }
534 #endif /* CONFIG_IEEE80211W */
535 
536 
537 /**
538  * wpa_parse_wpa_ie_rsn - Parse RSN IE
539  * @rsn_ie: Buffer containing RSN IE
540  * @rsn_ie_len: RSN IE buffer length (including IE number and length octets)
541  * @data: Pointer to structure that will be filled in with parsed data
542  * Returns: 0 on success, <0 on failure
543  */
544 int wpa_parse_wpa_ie_rsn(const u8 *rsn_ie, size_t rsn_ie_len,
545 			 struct wpa_ie_data *data)
546 {
547 	const u8 *pos;
548 	int left;
549 	int i, count;
550 
551 	os_memset(data, 0, sizeof(*data));
552 	data->proto = WPA_PROTO_RSN;
553 	data->pairwise_cipher = WPA_CIPHER_CCMP;
554 	data->group_cipher = WPA_CIPHER_CCMP;
555 	data->key_mgmt = WPA_KEY_MGMT_IEEE8021X;
556 	data->capabilities = 0;
557 	data->pmkid = NULL;
558 	data->num_pmkid = 0;
559 #ifdef CONFIG_IEEE80211W
560 	data->mgmt_group_cipher = WPA_CIPHER_AES_128_CMAC;
561 #else /* CONFIG_IEEE80211W */
562 	data->mgmt_group_cipher = 0;
563 #endif /* CONFIG_IEEE80211W */
564 
565 	if (rsn_ie_len == 0) {
566 		/* No RSN IE - fail silently */
567 		return -1;
568 	}
569 
570 	if (rsn_ie_len < sizeof(struct rsn_ie_hdr)) {
571 		wpa_printf(MSG_DEBUG, "%s: ie len too short %lu",
572 			   __func__, (unsigned long) rsn_ie_len);
573 		return -1;
574 	}
575 
576 	if (rsn_ie_len >= 6 && rsn_ie[1] >= 4 &&
577 	    rsn_ie[1] == rsn_ie_len - 2 &&
578 	    WPA_GET_BE32(&rsn_ie[2]) == OSEN_IE_VENDOR_TYPE) {
579 		pos = rsn_ie + 6;
580 		left = rsn_ie_len - 6;
581 
582 		data->proto = WPA_PROTO_OSEN;
583 	} else {
584 		const struct rsn_ie_hdr *hdr;
585 
586 		hdr = (const struct rsn_ie_hdr *) rsn_ie;
587 
588 		if (hdr->elem_id != WLAN_EID_RSN ||
589 		    hdr->len != rsn_ie_len - 2 ||
590 		    WPA_GET_LE16(hdr->version) != RSN_VERSION) {
591 			wpa_printf(MSG_DEBUG, "%s: malformed ie or unknown version",
592 				   __func__);
593 			return -2;
594 		}
595 
596 		pos = (const u8 *) (hdr + 1);
597 		left = rsn_ie_len - sizeof(*hdr);
598 	}
599 
600 	if (left >= RSN_SELECTOR_LEN) {
601 		data->group_cipher = rsn_selector_to_bitfield(pos);
602 		if (!wpa_cipher_valid_group(data->group_cipher)) {
603 			wpa_printf(MSG_DEBUG,
604 				   "%s: invalid group cipher 0x%x (%08x)",
605 				   __func__, data->group_cipher,
606 				   WPA_GET_BE32(pos));
607 			return -1;
608 		}
609 		pos += RSN_SELECTOR_LEN;
610 		left -= RSN_SELECTOR_LEN;
611 	} else if (left > 0) {
612 		wpa_printf(MSG_DEBUG, "%s: ie length mismatch, %u too much",
613 			   __func__, left);
614 		return -3;
615 	}
616 
617 	if (left >= 2) {
618 		data->pairwise_cipher = 0;
619 		count = WPA_GET_LE16(pos);
620 		pos += 2;
621 		left -= 2;
622 		if (count == 0 || count > left / RSN_SELECTOR_LEN) {
623 			wpa_printf(MSG_DEBUG, "%s: ie count botch (pairwise), "
624 				   "count %u left %u", __func__, count, left);
625 			return -4;
626 		}
627 		for (i = 0; i < count; i++) {
628 			data->pairwise_cipher |= rsn_selector_to_bitfield(pos);
629 			pos += RSN_SELECTOR_LEN;
630 			left -= RSN_SELECTOR_LEN;
631 		}
632 #ifdef CONFIG_IEEE80211W
633 		if (data->pairwise_cipher & WPA_CIPHER_AES_128_CMAC) {
634 			wpa_printf(MSG_DEBUG, "%s: AES-128-CMAC used as "
635 				   "pairwise cipher", __func__);
636 			return -1;
637 		}
638 #endif /* CONFIG_IEEE80211W */
639 	} else if (left == 1) {
640 		wpa_printf(MSG_DEBUG, "%s: ie too short (for key mgmt)",
641 			   __func__);
642 		return -5;
643 	}
644 
645 	if (left >= 2) {
646 		data->key_mgmt = 0;
647 		count = WPA_GET_LE16(pos);
648 		pos += 2;
649 		left -= 2;
650 		if (count == 0 || count > left / RSN_SELECTOR_LEN) {
651 			wpa_printf(MSG_DEBUG, "%s: ie count botch (key mgmt), "
652 				   "count %u left %u", __func__, count, left);
653 			return -6;
654 		}
655 		for (i = 0; i < count; i++) {
656 			data->key_mgmt |= rsn_key_mgmt_to_bitfield(pos);
657 			pos += RSN_SELECTOR_LEN;
658 			left -= RSN_SELECTOR_LEN;
659 		}
660 	} else if (left == 1) {
661 		wpa_printf(MSG_DEBUG, "%s: ie too short (for capabilities)",
662 			   __func__);
663 		return -7;
664 	}
665 
666 	if (left >= 2) {
667 		data->capabilities = WPA_GET_LE16(pos);
668 		pos += 2;
669 		left -= 2;
670 	}
671 
672 	if (left >= 2) {
673 		u16 num_pmkid = WPA_GET_LE16(pos);
674 		pos += 2;
675 		left -= 2;
676 		if (num_pmkid > (unsigned int) left / PMKID_LEN) {
677 			wpa_printf(MSG_DEBUG, "%s: PMKID underflow "
678 				   "(num_pmkid=%u left=%d)",
679 				   __func__, num_pmkid, left);
680 			data->num_pmkid = 0;
681 			return -9;
682 		} else {
683 			data->num_pmkid = num_pmkid;
684 			data->pmkid = pos;
685 			pos += data->num_pmkid * PMKID_LEN;
686 			left -= data->num_pmkid * PMKID_LEN;
687 		}
688 	}
689 
690 #ifdef CONFIG_IEEE80211W
691 	if (left >= 4) {
692 		data->mgmt_group_cipher = rsn_selector_to_bitfield(pos);
693 		if (!wpa_cipher_valid_mgmt_group(data->mgmt_group_cipher)) {
694 			wpa_printf(MSG_DEBUG,
695 				   "%s: Unsupported management group cipher 0x%x (%08x)",
696 				   __func__, data->mgmt_group_cipher,
697 				   WPA_GET_BE32(pos));
698 			return -10;
699 		}
700 		pos += RSN_SELECTOR_LEN;
701 		left -= RSN_SELECTOR_LEN;
702 	}
703 #endif /* CONFIG_IEEE80211W */
704 
705 	if (left > 0) {
706 		wpa_hexdump(MSG_DEBUG,
707 			    "wpa_parse_wpa_ie_rsn: ignore trailing bytes",
708 			    pos, left);
709 	}
710 
711 	return 0;
712 }
713 
714 
715 static int wpa_selector_to_bitfield(const u8 *s)
716 {
717 	if (RSN_SELECTOR_GET(s) == WPA_CIPHER_SUITE_NONE)
718 		return WPA_CIPHER_NONE;
719 	if (RSN_SELECTOR_GET(s) == WPA_CIPHER_SUITE_TKIP)
720 		return WPA_CIPHER_TKIP;
721 	if (RSN_SELECTOR_GET(s) == WPA_CIPHER_SUITE_CCMP)
722 		return WPA_CIPHER_CCMP;
723 	return 0;
724 }
725 
726 
727 static int wpa_key_mgmt_to_bitfield(const u8 *s)
728 {
729 	if (RSN_SELECTOR_GET(s) == WPA_AUTH_KEY_MGMT_UNSPEC_802_1X)
730 		return WPA_KEY_MGMT_IEEE8021X;
731 	if (RSN_SELECTOR_GET(s) == WPA_AUTH_KEY_MGMT_PSK_OVER_802_1X)
732 		return WPA_KEY_MGMT_PSK;
733 	if (RSN_SELECTOR_GET(s) == WPA_AUTH_KEY_MGMT_NONE)
734 		return WPA_KEY_MGMT_WPA_NONE;
735 	return 0;
736 }
737 
738 
739 int wpa_parse_wpa_ie_wpa(const u8 *wpa_ie, size_t wpa_ie_len,
740 			 struct wpa_ie_data *data)
741 {
742 	const struct wpa_ie_hdr *hdr;
743 	const u8 *pos;
744 	int left;
745 	int i, count;
746 
747 	os_memset(data, 0, sizeof(*data));
748 	data->proto = WPA_PROTO_WPA;
749 	data->pairwise_cipher = WPA_CIPHER_TKIP;
750 	data->group_cipher = WPA_CIPHER_TKIP;
751 	data->key_mgmt = WPA_KEY_MGMT_IEEE8021X;
752 	data->capabilities = 0;
753 	data->pmkid = NULL;
754 	data->num_pmkid = 0;
755 	data->mgmt_group_cipher = 0;
756 
757 	if (wpa_ie_len < sizeof(struct wpa_ie_hdr)) {
758 		wpa_printf(MSG_DEBUG, "%s: ie len too short %lu",
759 			   __func__, (unsigned long) wpa_ie_len);
760 		return -1;
761 	}
762 
763 	hdr = (const struct wpa_ie_hdr *) wpa_ie;
764 
765 	if (hdr->elem_id != WLAN_EID_VENDOR_SPECIFIC ||
766 	    hdr->len != wpa_ie_len - 2 ||
767 	    RSN_SELECTOR_GET(hdr->oui) != WPA_OUI_TYPE ||
768 	    WPA_GET_LE16(hdr->version) != WPA_VERSION) {
769 		wpa_printf(MSG_DEBUG, "%s: malformed ie or unknown version",
770 			   __func__);
771 		return -2;
772 	}
773 
774 	pos = (const u8 *) (hdr + 1);
775 	left = wpa_ie_len - sizeof(*hdr);
776 
777 	if (left >= WPA_SELECTOR_LEN) {
778 		data->group_cipher = wpa_selector_to_bitfield(pos);
779 		pos += WPA_SELECTOR_LEN;
780 		left -= WPA_SELECTOR_LEN;
781 	} else if (left > 0) {
782 		wpa_printf(MSG_DEBUG, "%s: ie length mismatch, %u too much",
783 			   __func__, left);
784 		return -3;
785 	}
786 
787 	if (left >= 2) {
788 		data->pairwise_cipher = 0;
789 		count = WPA_GET_LE16(pos);
790 		pos += 2;
791 		left -= 2;
792 		if (count == 0 || count > left / WPA_SELECTOR_LEN) {
793 			wpa_printf(MSG_DEBUG, "%s: ie count botch (pairwise), "
794 				   "count %u left %u", __func__, count, left);
795 			return -4;
796 		}
797 		for (i = 0; i < count; i++) {
798 			data->pairwise_cipher |= wpa_selector_to_bitfield(pos);
799 			pos += WPA_SELECTOR_LEN;
800 			left -= WPA_SELECTOR_LEN;
801 		}
802 	} else if (left == 1) {
803 		wpa_printf(MSG_DEBUG, "%s: ie too short (for key mgmt)",
804 			   __func__);
805 		return -5;
806 	}
807 
808 	if (left >= 2) {
809 		data->key_mgmt = 0;
810 		count = WPA_GET_LE16(pos);
811 		pos += 2;
812 		left -= 2;
813 		if (count == 0 || count > left / WPA_SELECTOR_LEN) {
814 			wpa_printf(MSG_DEBUG, "%s: ie count botch (key mgmt), "
815 				   "count %u left %u", __func__, count, left);
816 			return -6;
817 		}
818 		for (i = 0; i < count; i++) {
819 			data->key_mgmt |= wpa_key_mgmt_to_bitfield(pos);
820 			pos += WPA_SELECTOR_LEN;
821 			left -= WPA_SELECTOR_LEN;
822 		}
823 	} else if (left == 1) {
824 		wpa_printf(MSG_DEBUG, "%s: ie too short (for capabilities)",
825 			   __func__);
826 		return -7;
827 	}
828 
829 	if (left >= 2) {
830 		data->capabilities = WPA_GET_LE16(pos);
831 		pos += 2;
832 		left -= 2;
833 	}
834 
835 	if (left > 0) {
836 		wpa_hexdump(MSG_DEBUG,
837 			    "wpa_parse_wpa_ie_wpa: ignore trailing bytes",
838 			    pos, left);
839 	}
840 
841 	return 0;
842 }
843 
844 
845 #ifdef CONFIG_IEEE80211R
846 
847 /**
848  * wpa_derive_pmk_r0 - Derive PMK-R0 and PMKR0Name
849  *
850  * IEEE Std 802.11r-2008 - 8.5.1.5.3
851  */
852 void wpa_derive_pmk_r0(const u8 *xxkey, size_t xxkey_len,
853 		       const u8 *ssid, size_t ssid_len,
854 		       const u8 *mdid, const u8 *r0kh_id, size_t r0kh_id_len,
855 		       const u8 *s0kh_id, u8 *pmk_r0, u8 *pmk_r0_name)
856 {
857 	u8 buf[1 + SSID_MAX_LEN + MOBILITY_DOMAIN_ID_LEN + 1 +
858 	       FT_R0KH_ID_MAX_LEN + ETH_ALEN];
859 	u8 *pos, r0_key_data[48], hash[32];
860 	const u8 *addr[2];
861 	size_t len[2];
862 
863 	/*
864 	 * R0-Key-Data = KDF-384(XXKey, "FT-R0",
865 	 *                       SSIDlength || SSID || MDID || R0KHlength ||
866 	 *                       R0KH-ID || S0KH-ID)
867 	 * XXKey is either the second 256 bits of MSK or PSK.
868 	 * PMK-R0 = L(R0-Key-Data, 0, 256)
869 	 * PMK-R0Name-Salt = L(R0-Key-Data, 256, 128)
870 	 */
871 	if (ssid_len > SSID_MAX_LEN || r0kh_id_len > FT_R0KH_ID_MAX_LEN)
872 		return;
873 	pos = buf;
874 	*pos++ = ssid_len;
875 	os_memcpy(pos, ssid, ssid_len);
876 	pos += ssid_len;
877 	os_memcpy(pos, mdid, MOBILITY_DOMAIN_ID_LEN);
878 	pos += MOBILITY_DOMAIN_ID_LEN;
879 	*pos++ = r0kh_id_len;
880 	os_memcpy(pos, r0kh_id, r0kh_id_len);
881 	pos += r0kh_id_len;
882 	os_memcpy(pos, s0kh_id, ETH_ALEN);
883 	pos += ETH_ALEN;
884 
885 	sha256_prf(xxkey, xxkey_len, "FT-R0", buf, pos - buf,
886 		   r0_key_data, sizeof(r0_key_data));
887 	os_memcpy(pmk_r0, r0_key_data, PMK_LEN);
888 
889 	/*
890 	 * PMKR0Name = Truncate-128(SHA-256("FT-R0N" || PMK-R0Name-Salt)
891 	 */
892 	addr[0] = (const u8 *) "FT-R0N";
893 	len[0] = 6;
894 	addr[1] = r0_key_data + PMK_LEN;
895 	len[1] = 16;
896 
897 	sha256_vector(2, addr, len, hash);
898 	os_memcpy(pmk_r0_name, hash, WPA_PMK_NAME_LEN);
899 }
900 
901 
902 /**
903  * wpa_derive_pmk_r1_name - Derive PMKR1Name
904  *
905  * IEEE Std 802.11r-2008 - 8.5.1.5.4
906  */
907 void wpa_derive_pmk_r1_name(const u8 *pmk_r0_name, const u8 *r1kh_id,
908 			    const u8 *s1kh_id, u8 *pmk_r1_name)
909 {
910 	u8 hash[32];
911 	const u8 *addr[4];
912 	size_t len[4];
913 
914 	/*
915 	 * PMKR1Name = Truncate-128(SHA-256("FT-R1N" || PMKR0Name ||
916 	 *                                  R1KH-ID || S1KH-ID))
917 	 */
918 	addr[0] = (const u8 *) "FT-R1N";
919 	len[0] = 6;
920 	addr[1] = pmk_r0_name;
921 	len[1] = WPA_PMK_NAME_LEN;
922 	addr[2] = r1kh_id;
923 	len[2] = FT_R1KH_ID_LEN;
924 	addr[3] = s1kh_id;
925 	len[3] = ETH_ALEN;
926 
927 	sha256_vector(4, addr, len, hash);
928 	os_memcpy(pmk_r1_name, hash, WPA_PMK_NAME_LEN);
929 }
930 
931 
932 /**
933  * wpa_derive_pmk_r1 - Derive PMK-R1 and PMKR1Name from PMK-R0
934  *
935  * IEEE Std 802.11r-2008 - 8.5.1.5.4
936  */
937 void wpa_derive_pmk_r1(const u8 *pmk_r0, const u8 *pmk_r0_name,
938 		       const u8 *r1kh_id, const u8 *s1kh_id,
939 		       u8 *pmk_r1, u8 *pmk_r1_name)
940 {
941 	u8 buf[FT_R1KH_ID_LEN + ETH_ALEN];
942 	u8 *pos;
943 
944 	/* PMK-R1 = KDF-256(PMK-R0, "FT-R1", R1KH-ID || S1KH-ID) */
945 	pos = buf;
946 	os_memcpy(pos, r1kh_id, FT_R1KH_ID_LEN);
947 	pos += FT_R1KH_ID_LEN;
948 	os_memcpy(pos, s1kh_id, ETH_ALEN);
949 	pos += ETH_ALEN;
950 
951 	sha256_prf(pmk_r0, PMK_LEN, "FT-R1", buf, pos - buf, pmk_r1, PMK_LEN);
952 
953 	wpa_derive_pmk_r1_name(pmk_r0_name, r1kh_id, s1kh_id, pmk_r1_name);
954 }
955 
956 
957 /**
958  * wpa_pmk_r1_to_ptk - Derive PTK and PTKName from PMK-R1
959  *
960  * IEEE Std 802.11r-2008 - 8.5.1.5.5
961  */
962 int wpa_pmk_r1_to_ptk(const u8 *pmk_r1, const u8 *snonce, const u8 *anonce,
963 		      const u8 *sta_addr, const u8 *bssid,
964 		      const u8 *pmk_r1_name,
965 		      struct wpa_ptk *ptk, u8 *ptk_name, int akmp, int cipher)
966 {
967 	u8 buf[2 * WPA_NONCE_LEN + 2 * ETH_ALEN];
968 	u8 *pos, hash[32];
969 	const u8 *addr[6];
970 	size_t len[6];
971 	u8 tmp[WPA_KCK_MAX_LEN + WPA_KEK_MAX_LEN + WPA_TK_MAX_LEN];
972 	size_t ptk_len;
973 
974 	/*
975 	 * PTK = KDF-PTKLen(PMK-R1, "FT-PTK", SNonce || ANonce ||
976 	 *                  BSSID || STA-ADDR)
977 	 */
978 	pos = buf;
979 	os_memcpy(pos, snonce, WPA_NONCE_LEN);
980 	pos += WPA_NONCE_LEN;
981 	os_memcpy(pos, anonce, WPA_NONCE_LEN);
982 	pos += WPA_NONCE_LEN;
983 	os_memcpy(pos, bssid, ETH_ALEN);
984 	pos += ETH_ALEN;
985 	os_memcpy(pos, sta_addr, ETH_ALEN);
986 	pos += ETH_ALEN;
987 
988 	ptk->kck_len = wpa_kck_len(akmp);
989 	ptk->kek_len = wpa_kek_len(akmp);
990 	ptk->tk_len = wpa_cipher_key_len(cipher);
991 	ptk_len = ptk->kck_len + ptk->kek_len + ptk->tk_len;
992 
993 	sha256_prf(pmk_r1, PMK_LEN, "FT-PTK", buf, pos - buf, tmp, ptk_len);
994 
995 	/*
996 	 * PTKName = Truncate-128(SHA-256(PMKR1Name || "FT-PTKN" || SNonce ||
997 	 *                                ANonce || BSSID || STA-ADDR))
998 	 */
999 	addr[0] = pmk_r1_name;
1000 	len[0] = WPA_PMK_NAME_LEN;
1001 	addr[1] = (const u8 *) "FT-PTKN";
1002 	len[1] = 7;
1003 	addr[2] = snonce;
1004 	len[2] = WPA_NONCE_LEN;
1005 	addr[3] = anonce;
1006 	len[3] = WPA_NONCE_LEN;
1007 	addr[4] = bssid;
1008 	len[4] = ETH_ALEN;
1009 	addr[5] = sta_addr;
1010 	len[5] = ETH_ALEN;
1011 
1012 	sha256_vector(6, addr, len, hash);
1013 	os_memcpy(ptk_name, hash, WPA_PMK_NAME_LEN);
1014 
1015 	os_memcpy(ptk->kck, tmp, ptk->kck_len);
1016 	os_memcpy(ptk->kek, tmp + ptk->kck_len, ptk->kek_len);
1017 	os_memcpy(ptk->tk, tmp + ptk->kck_len + ptk->kek_len, ptk->tk_len);
1018 
1019 	wpa_hexdump_key(MSG_DEBUG, "FT: KCK", ptk->kck, ptk->kck_len);
1020 	wpa_hexdump_key(MSG_DEBUG, "FT: KEK", ptk->kek, ptk->kek_len);
1021 	wpa_hexdump_key(MSG_DEBUG, "FT: TK", ptk->tk, ptk->tk_len);
1022 	wpa_hexdump(MSG_DEBUG, "FT: PTKName", ptk_name, WPA_PMK_NAME_LEN);
1023 
1024 	os_memset(tmp, 0, sizeof(tmp));
1025 
1026 	return 0;
1027 }
1028 
1029 #endif /* CONFIG_IEEE80211R */
1030 
1031 
1032 /**
1033  * rsn_pmkid - Calculate PMK identifier
1034  * @pmk: Pairwise master key
1035  * @pmk_len: Length of pmk in bytes
1036  * @aa: Authenticator address
1037  * @spa: Supplicant address
1038  * @pmkid: Buffer for PMKID
1039  * @use_sha256: Whether to use SHA256-based KDF
1040  *
1041  * IEEE Std 802.11i-2004 - 8.5.1.2 Pairwise key hierarchy
1042  * PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA)
1043  */
1044 void rsn_pmkid(const u8 *pmk, size_t pmk_len, const u8 *aa, const u8 *spa,
1045 	       u8 *pmkid, int use_sha256)
1046 {
1047 	char *title = "PMK Name";
1048 	const u8 *addr[3];
1049 	const size_t len[3] = { 8, ETH_ALEN, ETH_ALEN };
1050 	unsigned char hash[SHA256_MAC_LEN];
1051 
1052 	addr[0] = (u8 *) title;
1053 	addr[1] = aa;
1054 	addr[2] = spa;
1055 
1056 #ifdef CONFIG_IEEE80211W
1057 	if (use_sha256)
1058 		hmac_sha256_vector(pmk, pmk_len, 3, addr, len, hash);
1059 	else
1060 #endif /* CONFIG_IEEE80211W */
1061 		hmac_sha1_vector(pmk, pmk_len, 3, addr, len, hash);
1062 	os_memcpy(pmkid, hash, PMKID_LEN);
1063 }
1064 
1065 
1066 #ifdef CONFIG_SUITEB
1067 /**
1068  * rsn_pmkid_suite_b - Calculate PMK identifier for Suite B AKM
1069  * @kck: Key confirmation key
1070  * @kck_len: Length of kck in bytes
1071  * @aa: Authenticator address
1072  * @spa: Supplicant address
1073  * @pmkid: Buffer for PMKID
1074  * Returns: 0 on success, -1 on failure
1075  *
1076  * IEEE Std 802.11ac-2013 - 11.6.1.3 Pairwise key hierarchy
1077  * PMKID = Truncate(HMAC-SHA-256(KCK, "PMK Name" || AA || SPA))
1078  */
1079 int rsn_pmkid_suite_b(const u8 *kck, size_t kck_len, const u8 *aa,
1080 		      const u8 *spa, u8 *pmkid)
1081 {
1082 	char *title = "PMK Name";
1083 	const u8 *addr[3];
1084 	const size_t len[3] = { 8, ETH_ALEN, ETH_ALEN };
1085 	unsigned char hash[SHA256_MAC_LEN];
1086 
1087 	addr[0] = (u8 *) title;
1088 	addr[1] = aa;
1089 	addr[2] = spa;
1090 
1091 	if (hmac_sha256_vector(kck, kck_len, 3, addr, len, hash) < 0)
1092 		return -1;
1093 	os_memcpy(pmkid, hash, PMKID_LEN);
1094 	return 0;
1095 }
1096 #endif /* CONFIG_SUITEB */
1097 
1098 
1099 #ifdef CONFIG_SUITEB192
1100 /**
1101  * rsn_pmkid_suite_b_192 - Calculate PMK identifier for Suite B AKM
1102  * @kck: Key confirmation key
1103  * @kck_len: Length of kck in bytes
1104  * @aa: Authenticator address
1105  * @spa: Supplicant address
1106  * @pmkid: Buffer for PMKID
1107  * Returns: 0 on success, -1 on failure
1108  *
1109  * IEEE Std 802.11ac-2013 - 11.6.1.3 Pairwise key hierarchy
1110  * PMKID = Truncate(HMAC-SHA-384(KCK, "PMK Name" || AA || SPA))
1111  */
1112 int rsn_pmkid_suite_b_192(const u8 *kck, size_t kck_len, const u8 *aa,
1113 			  const u8 *spa, u8 *pmkid)
1114 {
1115 	char *title = "PMK Name";
1116 	const u8 *addr[3];
1117 	const size_t len[3] = { 8, ETH_ALEN, ETH_ALEN };
1118 	unsigned char hash[SHA384_MAC_LEN];
1119 
1120 	addr[0] = (u8 *) title;
1121 	addr[1] = aa;
1122 	addr[2] = spa;
1123 
1124 	if (hmac_sha384_vector(kck, kck_len, 3, addr, len, hash) < 0)
1125 		return -1;
1126 	os_memcpy(pmkid, hash, PMKID_LEN);
1127 	return 0;
1128 }
1129 #endif /* CONFIG_SUITEB192 */
1130 
1131 
1132 /**
1133  * wpa_cipher_txt - Convert cipher suite to a text string
1134  * @cipher: Cipher suite (WPA_CIPHER_* enum)
1135  * Returns: Pointer to a text string of the cipher suite name
1136  */
1137 const char * wpa_cipher_txt(int cipher)
1138 {
1139 	switch (cipher) {
1140 	case WPA_CIPHER_NONE:
1141 		return "NONE";
1142 	case WPA_CIPHER_WEP40:
1143 		return "WEP-40";
1144 	case WPA_CIPHER_WEP104:
1145 		return "WEP-104";
1146 	case WPA_CIPHER_TKIP:
1147 		return "TKIP";
1148 	case WPA_CIPHER_CCMP:
1149 		return "CCMP";
1150 	case WPA_CIPHER_CCMP | WPA_CIPHER_TKIP:
1151 		return "CCMP+TKIP";
1152 	case WPA_CIPHER_GCMP:
1153 		return "GCMP";
1154 	case WPA_CIPHER_GCMP_256:
1155 		return "GCMP-256";
1156 	case WPA_CIPHER_CCMP_256:
1157 		return "CCMP-256";
1158 	case WPA_CIPHER_GTK_NOT_USED:
1159 		return "GTK_NOT_USED";
1160 	default:
1161 		return "UNKNOWN";
1162 	}
1163 }
1164 
1165 
1166 /**
1167  * wpa_key_mgmt_txt - Convert key management suite to a text string
1168  * @key_mgmt: Key management suite (WPA_KEY_MGMT_* enum)
1169  * @proto: WPA/WPA2 version (WPA_PROTO_*)
1170  * Returns: Pointer to a text string of the key management suite name
1171  */
1172 const char * wpa_key_mgmt_txt(int key_mgmt, int proto)
1173 {
1174 	switch (key_mgmt) {
1175 	case WPA_KEY_MGMT_IEEE8021X:
1176 		if (proto == (WPA_PROTO_RSN | WPA_PROTO_WPA))
1177 			return "WPA2+WPA/IEEE 802.1X/EAP";
1178 		return proto == WPA_PROTO_RSN ?
1179 			"WPA2/IEEE 802.1X/EAP" : "WPA/IEEE 802.1X/EAP";
1180 	case WPA_KEY_MGMT_PSK:
1181 		if (proto == (WPA_PROTO_RSN | WPA_PROTO_WPA))
1182 			return "WPA2-PSK+WPA-PSK";
1183 		return proto == WPA_PROTO_RSN ?
1184 			"WPA2-PSK" : "WPA-PSK";
1185 	case WPA_KEY_MGMT_NONE:
1186 		return "NONE";
1187 	case WPA_KEY_MGMT_WPA_NONE:
1188 		return "WPA-NONE";
1189 	case WPA_KEY_MGMT_IEEE8021X_NO_WPA:
1190 		return "IEEE 802.1X (no WPA)";
1191 #ifdef CONFIG_IEEE80211R
1192 	case WPA_KEY_MGMT_FT_IEEE8021X:
1193 		return "FT-EAP";
1194 	case WPA_KEY_MGMT_FT_PSK:
1195 		return "FT-PSK";
1196 #endif /* CONFIG_IEEE80211R */
1197 #ifdef CONFIG_IEEE80211W
1198 	case WPA_KEY_MGMT_IEEE8021X_SHA256:
1199 		return "WPA2-EAP-SHA256";
1200 	case WPA_KEY_MGMT_PSK_SHA256:
1201 		return "WPA2-PSK-SHA256";
1202 #endif /* CONFIG_IEEE80211W */
1203 	case WPA_KEY_MGMT_WPS:
1204 		return "WPS";
1205 	case WPA_KEY_MGMT_SAE:
1206 		return "SAE";
1207 	case WPA_KEY_MGMT_FT_SAE:
1208 		return "FT-SAE";
1209 	case WPA_KEY_MGMT_OSEN:
1210 		return "OSEN";
1211 	case WPA_KEY_MGMT_IEEE8021X_SUITE_B:
1212 		return "WPA2-EAP-SUITE-B";
1213 	case WPA_KEY_MGMT_IEEE8021X_SUITE_B_192:
1214 		return "WPA2-EAP-SUITE-B-192";
1215 	default:
1216 		return "UNKNOWN";
1217 	}
1218 }
1219 
1220 
1221 u32 wpa_akm_to_suite(int akm)
1222 {
1223 	if (akm & WPA_KEY_MGMT_FT_IEEE8021X)
1224 		return WLAN_AKM_SUITE_FT_8021X;
1225 	if (akm & WPA_KEY_MGMT_FT_PSK)
1226 		return WLAN_AKM_SUITE_FT_PSK;
1227 	if (akm & WPA_KEY_MGMT_IEEE8021X)
1228 		return WLAN_AKM_SUITE_8021X;
1229 	if (akm & WPA_KEY_MGMT_IEEE8021X_SHA256)
1230 		return WLAN_AKM_SUITE_8021X_SHA256;
1231 	if (akm & WPA_KEY_MGMT_IEEE8021X)
1232 		return WLAN_AKM_SUITE_8021X;
1233 	if (akm & WPA_KEY_MGMT_PSK_SHA256)
1234 		return WLAN_AKM_SUITE_PSK_SHA256;
1235 	if (akm & WPA_KEY_MGMT_PSK)
1236 		return WLAN_AKM_SUITE_PSK;
1237 	if (akm & WPA_KEY_MGMT_CCKM)
1238 		return WLAN_AKM_SUITE_CCKM;
1239 	if (akm & WPA_KEY_MGMT_OSEN)
1240 		return WLAN_AKM_SUITE_OSEN;
1241 	if (akm & WPA_KEY_MGMT_IEEE8021X_SUITE_B)
1242 		return WLAN_AKM_SUITE_8021X_SUITE_B;
1243 	if (akm & WPA_KEY_MGMT_IEEE8021X_SUITE_B_192)
1244 		return WLAN_AKM_SUITE_8021X_SUITE_B_192;
1245 	return 0;
1246 }
1247 
1248 
1249 int wpa_compare_rsn_ie(int ft_initial_assoc,
1250 		       const u8 *ie1, size_t ie1len,
1251 		       const u8 *ie2, size_t ie2len)
1252 {
1253 	if (ie1 == NULL || ie2 == NULL)
1254 		return -1;
1255 
1256 	if (ie1len == ie2len && os_memcmp(ie1, ie2, ie1len) == 0)
1257 		return 0; /* identical IEs */
1258 
1259 #ifdef CONFIG_IEEE80211R
1260 	if (ft_initial_assoc) {
1261 		struct wpa_ie_data ie1d, ie2d;
1262 		/*
1263 		 * The PMKID-List in RSN IE is different between Beacon/Probe
1264 		 * Response/(Re)Association Request frames and EAPOL-Key
1265 		 * messages in FT initial mobility domain association. Allow
1266 		 * for this, but verify that other parts of the RSN IEs are
1267 		 * identical.
1268 		 */
1269 		if (wpa_parse_wpa_ie_rsn(ie1, ie1len, &ie1d) < 0 ||
1270 		    wpa_parse_wpa_ie_rsn(ie2, ie2len, &ie2d) < 0)
1271 			return -1;
1272 		if (ie1d.proto == ie2d.proto &&
1273 		    ie1d.pairwise_cipher == ie2d.pairwise_cipher &&
1274 		    ie1d.group_cipher == ie2d.group_cipher &&
1275 		    ie1d.key_mgmt == ie2d.key_mgmt &&
1276 		    ie1d.capabilities == ie2d.capabilities &&
1277 		    ie1d.mgmt_group_cipher == ie2d.mgmt_group_cipher)
1278 			return 0;
1279 	}
1280 #endif /* CONFIG_IEEE80211R */
1281 
1282 	return -1;
1283 }
1284 
1285 
1286 #ifdef CONFIG_IEEE80211R
1287 int wpa_insert_pmkid(u8 *ies, size_t *ies_len, const u8 *pmkid)
1288 {
1289 	u8 *start, *end, *rpos, *rend;
1290 	int added = 0;
1291 
1292 	start = ies;
1293 	end = ies + *ies_len;
1294 
1295 	while (start < end) {
1296 		if (*start == WLAN_EID_RSN)
1297 			break;
1298 		start += 2 + start[1];
1299 	}
1300 	if (start >= end) {
1301 		wpa_printf(MSG_ERROR, "FT: Could not find RSN IE in "
1302 			   "IEs data");
1303 		return -1;
1304 	}
1305 	wpa_hexdump(MSG_DEBUG, "FT: RSN IE before modification",
1306 		    start, 2 + start[1]);
1307 
1308 	/* Find start of PMKID-Count */
1309 	rpos = start + 2;
1310 	rend = rpos + start[1];
1311 
1312 	/* Skip Version and Group Data Cipher Suite */
1313 	rpos += 2 + 4;
1314 	/* Skip Pairwise Cipher Suite Count and List */
1315 	rpos += 2 + WPA_GET_LE16(rpos) * RSN_SELECTOR_LEN;
1316 	/* Skip AKM Suite Count and List */
1317 	rpos += 2 + WPA_GET_LE16(rpos) * RSN_SELECTOR_LEN;
1318 
1319 	if (rpos == rend) {
1320 		/* Add RSN Capabilities */
1321 		os_memmove(rpos + 2, rpos, end - rpos);
1322 		*rpos++ = 0;
1323 		*rpos++ = 0;
1324 		added += 2;
1325 		start[1] += 2;
1326 		rend = rpos;
1327 	} else {
1328 		/* Skip RSN Capabilities */
1329 		rpos += 2;
1330 		if (rpos > rend) {
1331 			wpa_printf(MSG_ERROR, "FT: Could not parse RSN IE in "
1332 				   "IEs data");
1333 			return -1;
1334 		}
1335 	}
1336 
1337 	if (rpos == rend) {
1338 		/* No PMKID-Count field included; add it */
1339 		os_memmove(rpos + 2 + PMKID_LEN, rpos, end + added - rpos);
1340 		WPA_PUT_LE16(rpos, 1);
1341 		rpos += 2;
1342 		os_memcpy(rpos, pmkid, PMKID_LEN);
1343 		added += 2 + PMKID_LEN;
1344 		start[1] += 2 + PMKID_LEN;
1345 	} else {
1346 		u16 num_pmkid;
1347 
1348 		if (rend - rpos < 2)
1349 			return -1;
1350 		num_pmkid = WPA_GET_LE16(rpos);
1351 		/* PMKID-Count was included; use it */
1352 		if (num_pmkid != 0) {
1353 			u8 *after;
1354 
1355 			if (num_pmkid * PMKID_LEN > rend - rpos - 2)
1356 				return -1;
1357 			/*
1358 			 * PMKID may have been included in RSN IE in
1359 			 * (Re)Association Request frame, so remove the old
1360 			 * PMKID(s) first before adding the new one.
1361 			 */
1362 			wpa_printf(MSG_DEBUG,
1363 				   "FT: Remove %u old PMKID(s) from RSN IE",
1364 				   num_pmkid);
1365 			after = rpos + 2 + num_pmkid * PMKID_LEN;
1366 			os_memmove(rpos + 2, after, rend - after);
1367 			start[1] -= num_pmkid * PMKID_LEN;
1368 			added -= num_pmkid * PMKID_LEN;
1369 		}
1370 		WPA_PUT_LE16(rpos, 1);
1371 		rpos += 2;
1372 		os_memmove(rpos + PMKID_LEN, rpos, end + added - rpos);
1373 		os_memcpy(rpos, pmkid, PMKID_LEN);
1374 		added += PMKID_LEN;
1375 		start[1] += PMKID_LEN;
1376 	}
1377 
1378 	wpa_hexdump(MSG_DEBUG, "FT: RSN IE after modification "
1379 		    "(PMKID inserted)", start, 2 + start[1]);
1380 
1381 	*ies_len += added;
1382 
1383 	return 0;
1384 }
1385 #endif /* CONFIG_IEEE80211R */
1386 
1387 
1388 int wpa_cipher_key_len(int cipher)
1389 {
1390 	switch (cipher) {
1391 	case WPA_CIPHER_CCMP_256:
1392 	case WPA_CIPHER_GCMP_256:
1393 	case WPA_CIPHER_BIP_GMAC_256:
1394 	case WPA_CIPHER_BIP_CMAC_256:
1395 		return 32;
1396 	case WPA_CIPHER_CCMP:
1397 	case WPA_CIPHER_GCMP:
1398 	case WPA_CIPHER_AES_128_CMAC:
1399 	case WPA_CIPHER_BIP_GMAC_128:
1400 		return 16;
1401 	case WPA_CIPHER_TKIP:
1402 		return 32;
1403 	}
1404 
1405 	return 0;
1406 }
1407 
1408 
1409 int wpa_cipher_rsc_len(int cipher)
1410 {
1411 	switch (cipher) {
1412 	case WPA_CIPHER_CCMP_256:
1413 	case WPA_CIPHER_GCMP_256:
1414 	case WPA_CIPHER_CCMP:
1415 	case WPA_CIPHER_GCMP:
1416 	case WPA_CIPHER_TKIP:
1417 		return 6;
1418 	}
1419 
1420 	return 0;
1421 }
1422 
1423 
1424 int wpa_cipher_to_alg(int cipher)
1425 {
1426 	switch (cipher) {
1427 	case WPA_CIPHER_CCMP_256:
1428 		return WPA_ALG_CCMP_256;
1429 	case WPA_CIPHER_GCMP_256:
1430 		return WPA_ALG_GCMP_256;
1431 	case WPA_CIPHER_CCMP:
1432 		return WPA_ALG_CCMP;
1433 	case WPA_CIPHER_GCMP:
1434 		return WPA_ALG_GCMP;
1435 	case WPA_CIPHER_TKIP:
1436 		return WPA_ALG_TKIP;
1437 	case WPA_CIPHER_AES_128_CMAC:
1438 		return WPA_ALG_IGTK;
1439 	case WPA_CIPHER_BIP_GMAC_128:
1440 		return WPA_ALG_BIP_GMAC_128;
1441 	case WPA_CIPHER_BIP_GMAC_256:
1442 		return WPA_ALG_BIP_GMAC_256;
1443 	case WPA_CIPHER_BIP_CMAC_256:
1444 		return WPA_ALG_BIP_CMAC_256;
1445 	}
1446 	return WPA_ALG_NONE;
1447 }
1448 
1449 
1450 int wpa_cipher_valid_pairwise(int cipher)
1451 {
1452 	return cipher == WPA_CIPHER_CCMP_256 ||
1453 		cipher == WPA_CIPHER_GCMP_256 ||
1454 		cipher == WPA_CIPHER_CCMP ||
1455 		cipher == WPA_CIPHER_GCMP ||
1456 		cipher == WPA_CIPHER_TKIP;
1457 }
1458 
1459 
1460 u32 wpa_cipher_to_suite(int proto, int cipher)
1461 {
1462 	if (cipher & WPA_CIPHER_CCMP_256)
1463 		return RSN_CIPHER_SUITE_CCMP_256;
1464 	if (cipher & WPA_CIPHER_GCMP_256)
1465 		return RSN_CIPHER_SUITE_GCMP_256;
1466 	if (cipher & WPA_CIPHER_CCMP)
1467 		return (proto == WPA_PROTO_RSN ?
1468 			RSN_CIPHER_SUITE_CCMP : WPA_CIPHER_SUITE_CCMP);
1469 	if (cipher & WPA_CIPHER_GCMP)
1470 		return RSN_CIPHER_SUITE_GCMP;
1471 	if (cipher & WPA_CIPHER_TKIP)
1472 		return (proto == WPA_PROTO_RSN ?
1473 			RSN_CIPHER_SUITE_TKIP : WPA_CIPHER_SUITE_TKIP);
1474 	if (cipher & WPA_CIPHER_NONE)
1475 		return (proto == WPA_PROTO_RSN ?
1476 			RSN_CIPHER_SUITE_NONE : WPA_CIPHER_SUITE_NONE);
1477 	if (cipher & WPA_CIPHER_GTK_NOT_USED)
1478 		return RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED;
1479 	if (cipher & WPA_CIPHER_AES_128_CMAC)
1480 		return RSN_CIPHER_SUITE_AES_128_CMAC;
1481 	if (cipher & WPA_CIPHER_BIP_GMAC_128)
1482 		return RSN_CIPHER_SUITE_BIP_GMAC_128;
1483 	if (cipher & WPA_CIPHER_BIP_GMAC_256)
1484 		return RSN_CIPHER_SUITE_BIP_GMAC_256;
1485 	if (cipher & WPA_CIPHER_BIP_CMAC_256)
1486 		return RSN_CIPHER_SUITE_BIP_CMAC_256;
1487 	return 0;
1488 }
1489 
1490 
1491 int rsn_cipher_put_suites(u8 *start, int ciphers)
1492 {
1493 	u8 *pos = start;
1494 
1495 	if (ciphers & WPA_CIPHER_CCMP_256) {
1496 		RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP_256);
1497 		pos += RSN_SELECTOR_LEN;
1498 	}
1499 	if (ciphers & WPA_CIPHER_GCMP_256) {
1500 		RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_GCMP_256);
1501 		pos += RSN_SELECTOR_LEN;
1502 	}
1503 	if (ciphers & WPA_CIPHER_CCMP) {
1504 		RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP);
1505 		pos += RSN_SELECTOR_LEN;
1506 	}
1507 	if (ciphers & WPA_CIPHER_GCMP) {
1508 		RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_GCMP);
1509 		pos += RSN_SELECTOR_LEN;
1510 	}
1511 	if (ciphers & WPA_CIPHER_TKIP) {
1512 		RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_TKIP);
1513 		pos += RSN_SELECTOR_LEN;
1514 	}
1515 	if (ciphers & WPA_CIPHER_NONE) {
1516 		RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_NONE);
1517 		pos += RSN_SELECTOR_LEN;
1518 	}
1519 
1520 	return (pos - start) / RSN_SELECTOR_LEN;
1521 }
1522 
1523 
1524 int wpa_cipher_put_suites(u8 *start, int ciphers)
1525 {
1526 	u8 *pos = start;
1527 
1528 	if (ciphers & WPA_CIPHER_CCMP) {
1529 		RSN_SELECTOR_PUT(pos, WPA_CIPHER_SUITE_CCMP);
1530 		pos += WPA_SELECTOR_LEN;
1531 	}
1532 	if (ciphers & WPA_CIPHER_TKIP) {
1533 		RSN_SELECTOR_PUT(pos, WPA_CIPHER_SUITE_TKIP);
1534 		pos += WPA_SELECTOR_LEN;
1535 	}
1536 	if (ciphers & WPA_CIPHER_NONE) {
1537 		RSN_SELECTOR_PUT(pos, WPA_CIPHER_SUITE_NONE);
1538 		pos += WPA_SELECTOR_LEN;
1539 	}
1540 
1541 	return (pos - start) / RSN_SELECTOR_LEN;
1542 }
1543 
1544 
1545 int wpa_pick_pairwise_cipher(int ciphers, int none_allowed)
1546 {
1547 	if (ciphers & WPA_CIPHER_CCMP_256)
1548 		return WPA_CIPHER_CCMP_256;
1549 	if (ciphers & WPA_CIPHER_GCMP_256)
1550 		return WPA_CIPHER_GCMP_256;
1551 	if (ciphers & WPA_CIPHER_CCMP)
1552 		return WPA_CIPHER_CCMP;
1553 	if (ciphers & WPA_CIPHER_GCMP)
1554 		return WPA_CIPHER_GCMP;
1555 	if (ciphers & WPA_CIPHER_TKIP)
1556 		return WPA_CIPHER_TKIP;
1557 	if (none_allowed && (ciphers & WPA_CIPHER_NONE))
1558 		return WPA_CIPHER_NONE;
1559 	return -1;
1560 }
1561 
1562 
1563 int wpa_pick_group_cipher(int ciphers)
1564 {
1565 	if (ciphers & WPA_CIPHER_CCMP_256)
1566 		return WPA_CIPHER_CCMP_256;
1567 	if (ciphers & WPA_CIPHER_GCMP_256)
1568 		return WPA_CIPHER_GCMP_256;
1569 	if (ciphers & WPA_CIPHER_CCMP)
1570 		return WPA_CIPHER_CCMP;
1571 	if (ciphers & WPA_CIPHER_GCMP)
1572 		return WPA_CIPHER_GCMP;
1573 	if (ciphers & WPA_CIPHER_GTK_NOT_USED)
1574 		return WPA_CIPHER_GTK_NOT_USED;
1575 	if (ciphers & WPA_CIPHER_TKIP)
1576 		return WPA_CIPHER_TKIP;
1577 	return -1;
1578 }
1579 
1580 
1581 int wpa_parse_cipher(const char *value)
1582 {
1583 	int val = 0, last;
1584 	char *start, *end, *buf;
1585 
1586 	buf = os_strdup(value);
1587 	if (buf == NULL)
1588 		return -1;
1589 	start = buf;
1590 
1591 	while (*start != '\0') {
1592 		while (*start == ' ' || *start == '\t')
1593 			start++;
1594 		if (*start == '\0')
1595 			break;
1596 		end = start;
1597 		while (*end != ' ' && *end != '\t' && *end != '\0')
1598 			end++;
1599 		last = *end == '\0';
1600 		*end = '\0';
1601 		if (os_strcmp(start, "CCMP-256") == 0)
1602 			val |= WPA_CIPHER_CCMP_256;
1603 		else if (os_strcmp(start, "GCMP-256") == 0)
1604 			val |= WPA_CIPHER_GCMP_256;
1605 		else if (os_strcmp(start, "CCMP") == 0)
1606 			val |= WPA_CIPHER_CCMP;
1607 		else if (os_strcmp(start, "GCMP") == 0)
1608 			val |= WPA_CIPHER_GCMP;
1609 		else if (os_strcmp(start, "TKIP") == 0)
1610 			val |= WPA_CIPHER_TKIP;
1611 		else if (os_strcmp(start, "WEP104") == 0)
1612 			val |= WPA_CIPHER_WEP104;
1613 		else if (os_strcmp(start, "WEP40") == 0)
1614 			val |= WPA_CIPHER_WEP40;
1615 		else if (os_strcmp(start, "NONE") == 0)
1616 			val |= WPA_CIPHER_NONE;
1617 		else if (os_strcmp(start, "GTK_NOT_USED") == 0)
1618 			val |= WPA_CIPHER_GTK_NOT_USED;
1619 		else {
1620 			os_free(buf);
1621 			return -1;
1622 		}
1623 
1624 		if (last)
1625 			break;
1626 		start = end + 1;
1627 	}
1628 	os_free(buf);
1629 
1630 	return val;
1631 }
1632 
1633 
1634 int wpa_write_ciphers(char *start, char *end, int ciphers, const char *delim)
1635 {
1636 	char *pos = start;
1637 	int ret;
1638 
1639 	if (ciphers & WPA_CIPHER_CCMP_256) {
1640 		ret = os_snprintf(pos, end - pos, "%sCCMP-256",
1641 				  pos == start ? "" : delim);
1642 		if (os_snprintf_error(end - pos, ret))
1643 			return -1;
1644 		pos += ret;
1645 	}
1646 	if (ciphers & WPA_CIPHER_GCMP_256) {
1647 		ret = os_snprintf(pos, end - pos, "%sGCMP-256",
1648 				  pos == start ? "" : delim);
1649 		if (os_snprintf_error(end - pos, ret))
1650 			return -1;
1651 		pos += ret;
1652 	}
1653 	if (ciphers & WPA_CIPHER_CCMP) {
1654 		ret = os_snprintf(pos, end - pos, "%sCCMP",
1655 				  pos == start ? "" : delim);
1656 		if (os_snprintf_error(end - pos, ret))
1657 			return -1;
1658 		pos += ret;
1659 	}
1660 	if (ciphers & WPA_CIPHER_GCMP) {
1661 		ret = os_snprintf(pos, end - pos, "%sGCMP",
1662 				  pos == start ? "" : delim);
1663 		if (os_snprintf_error(end - pos, ret))
1664 			return -1;
1665 		pos += ret;
1666 	}
1667 	if (ciphers & WPA_CIPHER_TKIP) {
1668 		ret = os_snprintf(pos, end - pos, "%sTKIP",
1669 				  pos == start ? "" : delim);
1670 		if (os_snprintf_error(end - pos, ret))
1671 			return -1;
1672 		pos += ret;
1673 	}
1674 	if (ciphers & WPA_CIPHER_NONE) {
1675 		ret = os_snprintf(pos, end - pos, "%sNONE",
1676 				  pos == start ? "" : delim);
1677 		if (os_snprintf_error(end - pos, ret))
1678 			return -1;
1679 		pos += ret;
1680 	}
1681 
1682 	return pos - start;
1683 }
1684 
1685 
1686 int wpa_select_ap_group_cipher(int wpa, int wpa_pairwise, int rsn_pairwise)
1687 {
1688 	int pairwise = 0;
1689 
1690 	/* Select group cipher based on the enabled pairwise cipher suites */
1691 	if (wpa & 1)
1692 		pairwise |= wpa_pairwise;
1693 	if (wpa & 2)
1694 		pairwise |= rsn_pairwise;
1695 
1696 	if (pairwise & WPA_CIPHER_TKIP)
1697 		return WPA_CIPHER_TKIP;
1698 	if ((pairwise & (WPA_CIPHER_CCMP | WPA_CIPHER_GCMP)) == WPA_CIPHER_GCMP)
1699 		return WPA_CIPHER_GCMP;
1700 	if ((pairwise & (WPA_CIPHER_GCMP_256 | WPA_CIPHER_CCMP |
1701 			 WPA_CIPHER_GCMP)) == WPA_CIPHER_GCMP_256)
1702 		return WPA_CIPHER_GCMP_256;
1703 	if ((pairwise & (WPA_CIPHER_CCMP_256 | WPA_CIPHER_CCMP |
1704 			 WPA_CIPHER_GCMP)) == WPA_CIPHER_CCMP_256)
1705 		return WPA_CIPHER_CCMP_256;
1706 	return WPA_CIPHER_CCMP;
1707 }
1708