contrib/wpa/src/common/wpa_common.c

   1 /*
   2  * WPA/RSN - Shared functions for supplicant and authenticator
   3  * Copyright (c) 2002-2018, Jouni Malinen <j@w1.fi>
   4  *
   5  * This software may be distributed under the terms of the BSD license.
   6  * See README for more details.
   7  */
   8
   9 #include "includes.h"
  10
  11 #include "common.h"
  12 #include "crypto/md5.h"
  13 #include "crypto/sha1.h"
  14 #include "crypto/sha256.h"
  15 #include "crypto/sha384.h"
  16 #include "crypto/sha512.h"
  17 #include "crypto/aes_wrap.h"
  18 #include "crypto/crypto.h"
  19 #include "ieee802_11_defs.h"
  20 #include "defs.h"
  21 #include "wpa_common.h"
  22
  23
  24 static unsigned int wpa_kck_len(int akmp, size_t pmk_len)
  25 {
  26         switch (akmp) {
  27         case WPA_KEY_MGMT_IEEE8021X_SUITE_B_192:
  28         case WPA_KEY_MGMT_FT_IEEE8021X_SHA384:
  29                 return 24;
  30         case WPA_KEY_MGMT_FILS_SHA256:
  31         case WPA_KEY_MGMT_FT_FILS_SHA256:
  32         case WPA_KEY_MGMT_FILS_SHA384:
  33         case WPA_KEY_MGMT_FT_FILS_SHA384:
  34                 return 0;
  35         case WPA_KEY_MGMT_DPP:
  36                 return pmk_len / 2;
  37         case WPA_KEY_MGMT_OWE:
  38                 return pmk_len / 2;
  39         default:
  40                 return 16;
  41         }
  42 }
  43
  44
  45 #ifdef CONFIG_IEEE80211R
  46 static unsigned int wpa_kck2_len(int akmp)
  47 {
  48         switch (akmp) {
  49         case WPA_KEY_MGMT_FT_FILS_SHA256:
  50                 return 16;
  51         case WPA_KEY_MGMT_FT_FILS_SHA384:
  52                 return 24;
  53         default:
  54                 return 0;
  55         }
  56 }
  57 #endif /* CONFIG_IEEE80211R */
  58
  59
  60 static unsigned int wpa_kek_len(int akmp, size_t pmk_len)
  61 {
  62         switch (akmp) {
  63         case WPA_KEY_MGMT_FILS_SHA384:
  64         case WPA_KEY_MGMT_FT_FILS_SHA384:
  65                 return 64;
  66         case WPA_KEY_MGMT_IEEE8021X_SUITE_B_192:
  67         case WPA_KEY_MGMT_FILS_SHA256:
  68         case WPA_KEY_MGMT_FT_FILS_SHA256:
  69         case WPA_KEY_MGMT_FT_IEEE8021X_SHA384:
  70                 return 32;
  71         case WPA_KEY_MGMT_DPP:
  72                 return pmk_len <= 32 ? 16 : 32;
  73         case WPA_KEY_MGMT_OWE:
  74                 return pmk_len <= 32 ? 16 : 32;
  75         default:
  76                 return 16;
  77         }
  78 }
  79
  80
  81 #ifdef CONFIG_IEEE80211R
  82 static unsigned int wpa_kek2_len(int akmp)
  83 {
  84         switch (akmp) {
  85         case WPA_KEY_MGMT_FT_FILS_SHA256:
  86                 return 16;
  87         case WPA_KEY_MGMT_FT_FILS_SHA384:
  88                 return 32;
  89         default:
  90                 return 0;
  91         }
  92 }
  93 #endif /* CONFIG_IEEE80211R */
  94
  95
  96 unsigned int wpa_mic_len(int akmp, size_t pmk_len)
  97 {
  98         switch (akmp) {
  99         case WPA_KEY_MGMT_IEEE8021X_SUITE_B_192:
 100         case WPA_KEY_MGMT_FT_IEEE8021X_SHA384:
 101                 return 24;
 102         case WPA_KEY_MGMT_FILS_SHA256:
 103         case WPA_KEY_MGMT_FILS_SHA384:
 104         case WPA_KEY_MGMT_FT_FILS_SHA256:
 105         case WPA_KEY_MGMT_FT_FILS_SHA384:
 106                 return 0;
 107         case WPA_KEY_MGMT_DPP:
 108                 return pmk_len / 2;
 109         case WPA_KEY_MGMT_OWE:
 110                 return pmk_len / 2;
 111         default:
 112                 return 16;
 113         }
 114 }
 115
 116
 117 /**
 118  * wpa_use_akm_defined - Is AKM-defined Key Descriptor Version used
 119  * @akmp: WPA_KEY_MGMT_* used in key derivation
 120  * Returns: 1 if AKM-defined Key Descriptor Version is used; 0 otherwise
 121  */
 122 int wpa_use_akm_defined(int akmp)
 123 {
 124         return akmp == WPA_KEY_MGMT_OSEN ||
 125                 akmp == WPA_KEY_MGMT_OWE ||
 126                 akmp == WPA_KEY_MGMT_DPP ||
 127                 akmp == WPA_KEY_MGMT_FT_IEEE8021X_SHA384 ||
 128                 wpa_key_mgmt_sae(akmp) ||
 129                 wpa_key_mgmt_suite_b(akmp) ||
 130                 wpa_key_mgmt_fils(akmp);
 131 }
 132
 133
 134 /**
 135  * wpa_use_cmac - Is CMAC integrity algorithm used for EAPOL-Key MIC
 136  * @akmp: WPA_KEY_MGMT_* used in key derivation
 137  * Returns: 1 if CMAC is used; 0 otherwise
 138  */
 139 int wpa_use_cmac(int akmp)
 140 {
 141         return akmp == WPA_KEY_MGMT_OSEN ||
 142                 akmp == WPA_KEY_MGMT_OWE ||
 143                 akmp == WPA_KEY_MGMT_DPP ||
 144                 wpa_key_mgmt_ft(akmp) ||
 145                 wpa_key_mgmt_sha256(akmp) ||
 146                 wpa_key_mgmt_sae(akmp) ||
 147                 wpa_key_mgmt_suite_b(akmp);
 148 }
 149
 150
 151 /**
 152  * wpa_use_aes_key_wrap - Is AES Keywrap algorithm used for EAPOL-Key Key Data
 153  * @akmp: WPA_KEY_MGMT_* used in key derivation
 154  * Returns: 1 if AES Keywrap is used; 0 otherwise
 155  *
 156  * Note: AKM 00-0F-AC:1 and 00-0F-AC:2 have special rules for selecting whether
 157  * to use AES Keywrap based on the negotiated pairwise cipher. This function
 158  * does not cover those special cases.
 159  */
 160 int wpa_use_aes_key_wrap(int akmp)
 161 {
 162         return akmp == WPA_KEY_MGMT_OSEN ||
 163                 akmp == WPA_KEY_MGMT_OWE ||
 164                 akmp == WPA_KEY_MGMT_DPP ||
 165                 wpa_key_mgmt_ft(akmp) ||
 166                 wpa_key_mgmt_sha256(akmp) ||
 167                 wpa_key_mgmt_sae(akmp) ||
 168                 wpa_key_mgmt_suite_b(akmp);
 169 }
 170
 171
 172 /**
 173  * wpa_eapol_key_mic - Calculate EAPOL-Key MIC
 174  * @key: EAPOL-Key Key Confirmation Key (KCK)
 175  * @key_len: KCK length in octets
 176  * @akmp: WPA_KEY_MGMT_* used in key derivation
 177  * @ver: Key descriptor version (WPA_KEY_INFO_TYPE_*)
 178  * @buf: Pointer to the beginning of the EAPOL header (version field)
 179  * @len: Length of the EAPOL frame (from EAPOL header to the end of the frame)
 180  * @mic: Pointer to the buffer to which the EAPOL-Key MIC is written
 181  * Returns: 0 on success, -1 on failure
 182  *
 183  * Calculate EAPOL-Key MIC for an EAPOL-Key packet. The EAPOL-Key MIC field has
 184  * to be cleared (all zeroes) when calling this function.
 185  *
 186  * Note: 'IEEE Std 802.11i-2004 - 8.5.2 EAPOL-Key frames' has an error in the
 187  * description of the Key MIC calculation. It includes packet data from the
 188  * beginning of the EAPOL-Key header, not EAPOL header. This incorrect change
 189  * happened during final editing of the standard and the correct behavior is
 190  * defined in the last draft (IEEE 802.11i/D10).
 191  */
 192 int wpa_eapol_key_mic(const u8 *key, size_t key_len, int akmp, int ver,
 193                       const u8 *buf, size_t len, u8 *mic)
 194 {
 195         u8 hash[SHA512_MAC_LEN];
 196
 197         if (key_len == 0) {
 198                 wpa_printf(MSG_DEBUG,
 199                            "WPA: KCK not set - cannot calculate MIC");
 200                 return -1;
 201         }
 202
 203         switch (ver) {
 204 #ifndef CONFIG_FIPS
 205         case WPA_KEY_INFO_TYPE_HMAC_MD5_RC4:
 206                 wpa_printf(MSG_DEBUG, "WPA: EAPOL-Key MIC using HMAC-MD5");
 207                 return hmac_md5(key, key_len, buf, len, mic);
 208 #endif /* CONFIG_FIPS */
 209         case WPA_KEY_INFO_TYPE_HMAC_SHA1_AES:
 210                 wpa_printf(MSG_DEBUG, "WPA: EAPOL-Key MIC using HMAC-SHA1");
 211                 if (hmac_sha1(key, key_len, buf, len, hash))
 212                         return -1;
 213                 os_memcpy(mic, hash, MD5_MAC_LEN);
 214                 break;
 215 #if defined(CONFIG_IEEE80211R) || defined(CONFIG_IEEE80211W)
 216         case WPA_KEY_INFO_TYPE_AES_128_CMAC:
 217                 wpa_printf(MSG_DEBUG, "WPA: EAPOL-Key MIC using AES-CMAC");
 218                 return omac1_aes_128(key, buf, len, mic);
 219 #endif /* CONFIG_IEEE80211R || CONFIG_IEEE80211W */
 220         case WPA_KEY_INFO_TYPE_AKM_DEFINED:
 221                 switch (akmp) {
 222 #ifdef CONFIG_SAE
 223                 case WPA_KEY_MGMT_SAE:
 224                 case WPA_KEY_MGMT_FT_SAE:
 225                         wpa_printf(MSG_DEBUG,
 226                                    "WPA: EAPOL-Key MIC using AES-CMAC (AKM-defined - SAE)");
 227                         return omac1_aes_128(key, buf, len, mic);
 228 #endif /* CONFIG_SAE */
 229 #ifdef CONFIG_HS20
 230                 case WPA_KEY_MGMT_OSEN:
 231                         wpa_printf(MSG_DEBUG,
 232                                    "WPA: EAPOL-Key MIC using AES-CMAC (AKM-defined - OSEN)");
 233                         return omac1_aes_128(key, buf, len, mic);
 234 #endif /* CONFIG_HS20 */
 235 #ifdef CONFIG_SUITEB
 236                 case WPA_KEY_MGMT_IEEE8021X_SUITE_B:
 237                         wpa_printf(MSG_DEBUG,
 238                                    "WPA: EAPOL-Key MIC using HMAC-SHA256 (AKM-defined - Suite B)");
 239                         if (hmac_sha256(key, key_len, buf, len, hash))
 240                                 return -1;
 241                         os_memcpy(mic, hash, MD5_MAC_LEN);
 242                         break;
 243 #endif /* CONFIG_SUITEB */
 244 #ifdef CONFIG_SUITEB192
 245                 case WPA_KEY_MGMT_IEEE8021X_SUITE_B_192:
 246                         wpa_printf(MSG_DEBUG,
 247                                    "WPA: EAPOL-Key MIC using HMAC-SHA384 (AKM-defined - Suite B 192-bit)");
 248                         if (hmac_sha384(key, key_len, buf, len, hash))
 249                                 return -1;
 250                         os_memcpy(mic, hash, 24);
 251                         break;
 252 #endif /* CONFIG_SUITEB192 */
 253 #ifdef CONFIG_OWE
 254                 case WPA_KEY_MGMT_OWE:
 255                         wpa_printf(MSG_DEBUG,
 256                                    "WPA: EAPOL-Key MIC using HMAC-SHA%u (AKM-defined - OWE)",
 257                                    (unsigned int) key_len * 8 * 2);
 258                         if (key_len == 128 / 8) {
 259                                 if (hmac_sha256(key, key_len, buf, len, hash))
 260                                         return -1;
 261                         } else if (key_len == 192 / 8) {
 262                                 if (hmac_sha384(key, key_len, buf, len, hash))
 263                                         return -1;
 264                         } else if (key_len == 256 / 8) {
 265                                 if (hmac_sha512(key, key_len, buf, len, hash))
 266                                         return -1;
 267                         } else {
 268                                 wpa_printf(MSG_INFO,
 269                                            "OWE: Unsupported KCK length: %u",
 270                                            (unsigned int) key_len);
 271                                 return -1;
 272                         }
 273                         os_memcpy(mic, hash, key_len);
 274                         break;
 275 #endif /* CONFIG_OWE */
 276 #ifdef CONFIG_DPP
 277                 case WPA_KEY_MGMT_DPP:
 278                         wpa_printf(MSG_DEBUG,
 279                                    "WPA: EAPOL-Key MIC using HMAC-SHA%u (AKM-defined - DPP)",
 280                                    (unsigned int) key_len * 8 * 2);
 281                         if (key_len == 128 / 8) {
 282                                 if (hmac_sha256(key, key_len, buf, len, hash))
 283                                         return -1;
 284                         } else if (key_len == 192 / 8) {
 285                                 if (hmac_sha384(key, key_len, buf, len, hash))
 286                                         return -1;
 287                         } else if (key_len == 256 / 8) {
 288                                 if (hmac_sha512(key, key_len, buf, len, hash))
 289                                         return -1;
 290                         } else {
 291                                 wpa_printf(MSG_INFO,
 292                                            "DPP: Unsupported KCK length: %u",
 293                                            (unsigned int) key_len);
 294                                 return -1;
 295                         }
 296                         os_memcpy(mic, hash, key_len);
 297                         break;
 298 #endif /* CONFIG_DPP */
 299 #if defined(CONFIG_IEEE80211R) && defined(CONFIG_SHA384)
 300                 case WPA_KEY_MGMT_FT_IEEE8021X_SHA384:
 301                         wpa_printf(MSG_DEBUG,
 302                                    "WPA: EAPOL-Key MIC using HMAC-SHA384 (AKM-defined - FT 802.1X SHA384)");
 303                         if (hmac_sha384(key, key_len, buf, len, hash))
 304                                 return -1;
 305                         os_memcpy(mic, hash, 24);
 306                         break;
 307 #endif /* CONFIG_IEEE80211R && CONFIG_SHA384 */
 308                 default:
 309                         wpa_printf(MSG_DEBUG,
 310                                    "WPA: EAPOL-Key MIC algorithm not known (AKM-defined - akmp=0x%x)",
 311                                    akmp);
 312                         return -1;
 313                 }
 314                 break;
 315         default:
 316                 wpa_printf(MSG_DEBUG,
 317                            "WPA: EAPOL-Key MIC algorithm not known (ver=%d)",
 318                            ver);
 319                 return -1;
 320         }
 321
 322         return 0;
 323 }
 324
 325
 326 /**
 327  * wpa_pmk_to_ptk - Calculate PTK from PMK, addresses, and nonces
 328  * @pmk: Pairwise master key
 329  * @pmk_len: Length of PMK
 330  * @label: Label to use in derivation
 331  * @addr1: AA or SA
 332  * @addr2: SA or AA
 333  * @nonce1: ANonce or SNonce
 334  * @nonce2: SNonce or ANonce
 335  * @ptk: Buffer for pairwise transient key
 336  * @akmp: Negotiated AKM
 337  * @cipher: Negotiated pairwise cipher
 338  * Returns: 0 on success, -1 on failure
 339  *
 340  * IEEE Std 802.11i-2004 - 8.5.1.2 Pairwise key hierarchy
 341  * PTK = PRF-X(PMK, "Pairwise key expansion",
 342  *             Min(AA, SA) || Max(AA, SA) ||
 343  *             Min(ANonce, SNonce) || Max(ANonce, SNonce)
 344  *             [ || Z.x ])
 345  *
 346  * The optional Z.x component is used only with DPP and that part is not defined
 347  * in IEEE 802.11.
 348  */
 349 int wpa_pmk_to_ptk(const u8 *pmk, size_t pmk_len, const char *label,
 350                    const u8 *addr1, const u8 *addr2,
 351                    const u8 *nonce1, const u8 *nonce2,
 352                    struct wpa_ptk *ptk, int akmp, int cipher,
 353                    const u8 *z, size_t z_len)
 354 {
 355 #define MAX_Z_LEN 66 /* with NIST P-521 */
 356         u8 data[2 * ETH_ALEN + 2 * WPA_NONCE_LEN + MAX_Z_LEN];
 357         size_t data_len = 2 * ETH_ALEN + 2 * WPA_NONCE_LEN;
 358         u8 tmp[WPA_KCK_MAX_LEN + WPA_KEK_MAX_LEN + WPA_TK_MAX_LEN];
 359         size_t ptk_len;
 360
 361         if (pmk_len == 0) {
 362                 wpa_printf(MSG_ERROR, "WPA: No PMK set for PTK derivation");
 363                 return -1;
 364         }
 365
 366         if (z_len > MAX_Z_LEN)
 367                 return -1;
 368
 369         if (os_memcmp(addr1, addr2, ETH_ALEN) < 0) {
 370                 os_memcpy(data, addr1, ETH_ALEN);
 371                 os_memcpy(data + ETH_ALEN, addr2, ETH_ALEN);
 372         } else {
 373                 os_memcpy(data, addr2, ETH_ALEN);
 374                 os_memcpy(data + ETH_ALEN, addr1, ETH_ALEN);
 375         }
 376
 377         if (os_memcmp(nonce1, nonce2, WPA_NONCE_LEN) < 0) {
 378                 os_memcpy(data + 2 * ETH_ALEN, nonce1, WPA_NONCE_LEN);
 379                 os_memcpy(data + 2 * ETH_ALEN + WPA_NONCE_LEN, nonce2,
 380                           WPA_NONCE_LEN);
 381         } else {
 382                 os_memcpy(data + 2 * ETH_ALEN, nonce2, WPA_NONCE_LEN);
 383                 os_memcpy(data + 2 * ETH_ALEN + WPA_NONCE_LEN, nonce1,
 384                           WPA_NONCE_LEN);
 385         }
 386
 387         if (z && z_len) {
 388                 os_memcpy(data + 2 * ETH_ALEN + 2 * WPA_NONCE_LEN, z, z_len);
 389                 data_len += z_len;
 390         }
 391
 392         ptk->kck_len = wpa_kck_len(akmp, pmk_len);
 393         ptk->kek_len = wpa_kek_len(akmp, pmk_len);
 394         ptk->tk_len = wpa_cipher_key_len(cipher);
 395         if (ptk->tk_len == 0) {
 396                 wpa_printf(MSG_ERROR,
 397                            "WPA: Unsupported cipher (0x%x) used in PTK derivation",
 398                            cipher);
 399                 return -1;
 400         }
 401         ptk_len = ptk->kck_len + ptk->kek_len + ptk->tk_len;
 402
 403         if (wpa_key_mgmt_sha384(akmp)) {
 404 #if defined(CONFIG_SUITEB192) || defined(CONFIG_FILS)
 405                 wpa_printf(MSG_DEBUG, "WPA: PTK derivation using PRF(SHA384)");
 406                 if (sha384_prf(pmk, pmk_len, label, data, data_len,
 407                                tmp, ptk_len) < 0)
 408                         return -1;
 409 #else /* CONFIG_SUITEB192 || CONFIG_FILS */
 410                 return -1;
 411 #endif /* CONFIG_SUITEB192 || CONFIG_FILS */
 412         } else if (wpa_key_mgmt_sha256(akmp) || akmp == WPA_KEY_MGMT_OWE) {
 413 #if defined(CONFIG_IEEE80211W) || defined(CONFIG_SAE) || defined(CONFIG_FILS)
 414                 wpa_printf(MSG_DEBUG, "WPA: PTK derivation using PRF(SHA256)");
 415                 if (sha256_prf(pmk, pmk_len, label, data, data_len,
 416                                tmp, ptk_len) < 0)
 417                         return -1;
 418 #else /* CONFIG_IEEE80211W or CONFIG_SAE or CONFIG_FILS */
 419                 return -1;
 420 #endif /* CONFIG_IEEE80211W or CONFIG_SAE or CONFIG_FILS */
 421 #ifdef CONFIG_DPP
 422         } else if (akmp == WPA_KEY_MGMT_DPP && pmk_len == 32) {
 423                 wpa_printf(MSG_DEBUG, "WPA: PTK derivation using PRF(SHA256)");
 424                 if (sha256_prf(pmk, pmk_len, label, data, data_len,
 425                                tmp, ptk_len) < 0)
 426                         return -1;
 427         } else if (akmp == WPA_KEY_MGMT_DPP && pmk_len == 48) {
 428                 wpa_printf(MSG_DEBUG, "WPA: PTK derivation using PRF(SHA384)");
 429                 if (sha384_prf(pmk, pmk_len, label, data, data_len,
 430                                tmp, ptk_len) < 0)
 431                         return -1;
 432         } else if (akmp == WPA_KEY_MGMT_DPP && pmk_len == 64) {
 433                 wpa_printf(MSG_DEBUG, "WPA: PTK derivation using PRF(SHA512)");
 434                 if (sha512_prf(pmk, pmk_len, label, data, data_len,
 435                                tmp, ptk_len) < 0)
 436                         return -1;
 437         } else if (akmp == WPA_KEY_MGMT_DPP) {
 438                 wpa_printf(MSG_INFO, "DPP: Unknown PMK length %u",
 439                            (unsigned int) pmk_len);
 440                 return -1;
 441 #endif /* CONFIG_DPP */
 442         } else {
 443                 wpa_printf(MSG_DEBUG, "WPA: PTK derivation using PRF(SHA1)");
 444                 if (sha1_prf(pmk, pmk_len, label, data, data_len, tmp,
 445                              ptk_len) < 0)
 446                         return -1;
 447         }
 448
 449         wpa_printf(MSG_DEBUG, "WPA: PTK derivation - A1=" MACSTR " A2=" MACSTR,
 450                    MAC2STR(addr1), MAC2STR(addr2));
 451         wpa_hexdump(MSG_DEBUG, "WPA: Nonce1", nonce1, WPA_NONCE_LEN);
 452         wpa_hexdump(MSG_DEBUG, "WPA: Nonce2", nonce2, WPA_NONCE_LEN);
 453         if (z && z_len)
 454                 wpa_hexdump_key(MSG_DEBUG, "WPA: Z.x", z, z_len);
 455         wpa_hexdump_key(MSG_DEBUG, "WPA: PMK", pmk, pmk_len);
 456         wpa_hexdump_key(MSG_DEBUG, "WPA: PTK", tmp, ptk_len);
 457
 458         os_memcpy(ptk->kck, tmp, ptk->kck_len);
 459         wpa_hexdump_key(MSG_DEBUG, "WPA: KCK", ptk->kck, ptk->kck_len);
 460
 461         os_memcpy(ptk->kek, tmp + ptk->kck_len, ptk->kek_len);
 462         wpa_hexdump_key(MSG_DEBUG, "WPA: KEK", ptk->kek, ptk->kek_len);
 463
 464         os_memcpy(ptk->tk, tmp + ptk->kck_len + ptk->kek_len, ptk->tk_len);
 465         wpa_hexdump_key(MSG_DEBUG, "WPA: TK", ptk->tk, ptk->tk_len);
 466
 467         ptk->kek2_len = 0;
 468         ptk->kck2_len = 0;
 469
 470         os_memset(tmp, 0, sizeof(tmp));
 471         os_memset(data, 0, data_len);
 472         return 0;
 473 }
 474
 475 #ifdef CONFIG_FILS
 476
 477 int fils_rmsk_to_pmk(int akmp, const u8 *rmsk, size_t rmsk_len,
 478                      const u8 *snonce, const u8 *anonce, const u8 *dh_ss,
 479                      size_t dh_ss_len, u8 *pmk, size_t *pmk_len)
 480 {
 481         u8 nonces[2 * FILS_NONCE_LEN];
 482         const u8 *addr[2];
 483         size_t len[2];
 484         size_t num_elem;
 485         int res;
 486
 487         /* PMK = HMAC-Hash(SNonce || ANonce, rMSK [ || DHss ]) */
 488         wpa_printf(MSG_DEBUG, "FILS: rMSK to PMK derivation");
 489
 490         if (wpa_key_mgmt_sha384(akmp))
 491                 *pmk_len = SHA384_MAC_LEN;
 492         else if (wpa_key_mgmt_sha256(akmp))
 493                 *pmk_len = SHA256_MAC_LEN;
 494         else
 495                 return -1;
 496
 497         wpa_hexdump_key(MSG_DEBUG, "FILS: rMSK", rmsk, rmsk_len);
 498         wpa_hexdump(MSG_DEBUG, "FILS: SNonce", snonce, FILS_NONCE_LEN);
 499         wpa_hexdump(MSG_DEBUG, "FILS: ANonce", anonce, FILS_NONCE_LEN);
 500         wpa_hexdump(MSG_DEBUG, "FILS: DHss", dh_ss, dh_ss_len);
 501
 502         os_memcpy(nonces, snonce, FILS_NONCE_LEN);
 503         os_memcpy(&nonces[FILS_NONCE_LEN], anonce, FILS_NONCE_LEN);
 504         addr[0] = rmsk;
 505         len[0] = rmsk_len;
 506         num_elem = 1;
 507         if (dh_ss) {
 508                 addr[1] = dh_ss;
 509                 len[1] = dh_ss_len;
 510                 num_elem++;
 511         }
 512         if (wpa_key_mgmt_sha384(akmp))
 513                 res = hmac_sha384_vector(nonces, 2 * FILS_NONCE_LEN, num_elem,
 514                                          addr, len, pmk);
 515         else
 516                 res = hmac_sha256_vector(nonces, 2 * FILS_NONCE_LEN, num_elem,
 517                                          addr, len, pmk);
 518         if (res == 0)
 519                 wpa_hexdump_key(MSG_DEBUG, "FILS: PMK", pmk, *pmk_len);
 520         else
 521                 *pmk_len = 0;
 522         return res;
 523 }
 524
 525
 526 int fils_pmkid_erp(int akmp, const u8 *reauth, size_t reauth_len,
 527                    u8 *pmkid)
 528 {
 529         const u8 *addr[1];
 530         size_t len[1];
 531         u8 hash[SHA384_MAC_LEN];
 532         int res;
 533
 534         /* PMKID = Truncate-128(Hash(EAP-Initiate/Reauth)) */
 535         addr[0] = reauth;
 536         len[0] = reauth_len;
 537         if (wpa_key_mgmt_sha384(akmp))
 538                 res = sha384_vector(1, addr, len, hash);
 539         else if (wpa_key_mgmt_sha256(akmp))
 540                 res = sha256_vector(1, addr, len, hash);
 541         else
 542                 return -1;
 543         if (res)
 544                 return res;
 545         os_memcpy(pmkid, hash, PMKID_LEN);
 546         wpa_hexdump(MSG_DEBUG, "FILS: PMKID", pmkid, PMKID_LEN);
 547         return 0;
 548 }
 549
 550
 551 int fils_pmk_to_ptk(const u8 *pmk, size_t pmk_len, const u8 *spa, const u8 *aa,
 552                     const u8 *snonce, const u8 *anonce, const u8 *dhss,
 553                     size_t dhss_len, struct wpa_ptk *ptk,
 554                     u8 *ick, size_t *ick_len, int akmp, int cipher,
 555                     u8 *fils_ft, size_t *fils_ft_len)
 556 {
 557         u8 *data, *pos;
 558         size_t data_len;
 559         u8 tmp[FILS_ICK_MAX_LEN + WPA_KEK_MAX_LEN + WPA_TK_MAX_LEN +
 560                FILS_FT_MAX_LEN];
 561         size_t key_data_len;
 562         const char *label = "FILS PTK Derivation";
 563         int ret = -1;
 564
 565         /*
 566          * FILS-Key-Data = PRF-X(PMK, "FILS PTK Derivation",
 567          *                       SPA || AA || SNonce || ANonce [ || DHss ])
 568          * ICK = L(FILS-Key-Data, 0, ICK_bits)
 569          * KEK = L(FILS-Key-Data, ICK_bits, KEK_bits)
 570          * TK = L(FILS-Key-Data, ICK_bits + KEK_bits, TK_bits)
 571          * If doing FT initial mobility domain association:
 572          * FILS-FT = L(FILS-Key-Data, ICK_bits + KEK_bits + TK_bits,
 573          *             FILS-FT_bits)
 574          */
 575         data_len = 2 * ETH_ALEN + 2 * FILS_NONCE_LEN + dhss_len;
 576         data = os_malloc(data_len);
 577         if (!data)
 578                 goto err;
 579         pos = data;
 580         os_memcpy(pos, spa, ETH_ALEN);
 581         pos += ETH_ALEN;
 582         os_memcpy(pos, aa, ETH_ALEN);
 583         pos += ETH_ALEN;
 584         os_memcpy(pos, snonce, FILS_NONCE_LEN);
 585         pos += FILS_NONCE_LEN;
 586         os_memcpy(pos, anonce, FILS_NONCE_LEN);
 587         pos += FILS_NONCE_LEN;
 588         if (dhss)
 589                 os_memcpy(pos, dhss, dhss_len);
 590
 591         ptk->kck_len = 0;
 592         ptk->kek_len = wpa_kek_len(akmp, pmk_len);
 593         ptk->tk_len = wpa_cipher_key_len(cipher);
 594         if (wpa_key_mgmt_sha384(akmp))
 595                 *ick_len = 48;
 596         else if (wpa_key_mgmt_sha256(akmp))
 597                 *ick_len = 32;
 598         else
 599                 goto err;
 600         key_data_len = *ick_len + ptk->kek_len + ptk->tk_len;
 601
 602         if (fils_ft && fils_ft_len) {
 603                 if (akmp == WPA_KEY_MGMT_FT_FILS_SHA256) {
 604                         *fils_ft_len = 32;
 605                 } else if (akmp == WPA_KEY_MGMT_FT_FILS_SHA384) {
 606                         *fils_ft_len = 48;
 607                 } else {
 608                         *fils_ft_len = 0;
 609                         fils_ft = NULL;
 610                 }
 611                 key_data_len += *fils_ft_len;
 612         }
 613
 614         if (wpa_key_mgmt_sha384(akmp)) {
 615                 wpa_printf(MSG_DEBUG, "FILS: PTK derivation using PRF(SHA384)");
 616                 if (sha384_prf(pmk, pmk_len, label, data, data_len,
 617                                tmp, key_data_len) < 0)
 618                         goto err;
 619         } else {
 620                 wpa_printf(MSG_DEBUG, "FILS: PTK derivation using PRF(SHA256)");
 621                 if (sha256_prf(pmk, pmk_len, label, data, data_len,
 622                                tmp, key_data_len) < 0)
 623                         goto err;
 624         }
 625
 626         wpa_printf(MSG_DEBUG, "FILS: PTK derivation - SPA=" MACSTR
 627                    " AA=" MACSTR, MAC2STR(spa), MAC2STR(aa));
 628         wpa_hexdump(MSG_DEBUG, "FILS: SNonce", snonce, FILS_NONCE_LEN);
 629         wpa_hexdump(MSG_DEBUG, "FILS: ANonce", anonce, FILS_NONCE_LEN);
 630         if (dhss)
 631                 wpa_hexdump_key(MSG_DEBUG, "FILS: DHss", dhss, dhss_len);
 632         wpa_hexdump_key(MSG_DEBUG, "FILS: PMK", pmk, pmk_len);
 633         wpa_hexdump_key(MSG_DEBUG, "FILS: FILS-Key-Data", tmp, key_data_len);
 634
 635         os_memcpy(ick, tmp, *ick_len);
 636         wpa_hexdump_key(MSG_DEBUG, "FILS: ICK", ick, *ick_len);
 637
 638         os_memcpy(ptk->kek, tmp + *ick_len, ptk->kek_len);
 639         wpa_hexdump_key(MSG_DEBUG, "FILS: KEK", ptk->kek, ptk->kek_len);
 640
 641         os_memcpy(ptk->tk, tmp + *ick_len + ptk->kek_len, ptk->tk_len);
 642         wpa_hexdump_key(MSG_DEBUG, "FILS: TK", ptk->tk, ptk->tk_len);
 643
 644         if (fils_ft && fils_ft_len) {
 645                 os_memcpy(fils_ft, tmp + *ick_len + ptk->kek_len + ptk->tk_len,
 646                           *fils_ft_len);
 647                 wpa_hexdump_key(MSG_DEBUG, "FILS: FILS-FT",
 648                                 fils_ft, *fils_ft_len);
 649         }
 650
 651         ptk->kek2_len = 0;
 652         ptk->kck2_len = 0;
 653
 654         os_memset(tmp, 0, sizeof(tmp));
 655         ret = 0;
 656 err:
 657         bin_clear_free(data, data_len);
 658         return ret;
 659 }
 660
 661
 662 int fils_key_auth_sk(const u8 *ick, size_t ick_len, const u8 *snonce,
 663                      const u8 *anonce, const u8 *sta_addr, const u8 *bssid,
 664                      const u8 *g_sta, size_t g_sta_len,
 665                      const u8 *g_ap, size_t g_ap_len,
 666                      int akmp, u8 *key_auth_sta, u8 *key_auth_ap,
 667                      size_t *key_auth_len)
 668 {
 669         const u8 *addr[6];
 670         size_t len[6];
 671         size_t num_elem = 4;
 672         int res;
 673
 674         wpa_printf(MSG_DEBUG, "FILS: Key-Auth derivation: STA-MAC=" MACSTR
 675                    " AP-BSSID=" MACSTR, MAC2STR(sta_addr), MAC2STR(bssid));
 676         wpa_hexdump_key(MSG_DEBUG, "FILS: ICK", ick, ick_len);
 677         wpa_hexdump(MSG_DEBUG, "FILS: SNonce", snonce, FILS_NONCE_LEN);
 678         wpa_hexdump(MSG_DEBUG, "FILS: ANonce", anonce, FILS_NONCE_LEN);
 679         wpa_hexdump(MSG_DEBUG, "FILS: gSTA", g_sta, g_sta_len);
 680         wpa_hexdump(MSG_DEBUG, "FILS: gAP", g_ap, g_ap_len);
 681
 682         /*
 683          * For (Re)Association Request frame (STA->AP):
 684          * Key-Auth = HMAC-Hash(ICK, SNonce || ANonce || STA-MAC || AP-BSSID
 685          *                      [ || gSTA || gAP ])
 686          */
 687         addr[0] = snonce;
 688         len[0] = FILS_NONCE_LEN;
 689         addr[1] = anonce;
 690         len[1] = FILS_NONCE_LEN;
 691         addr[2] = sta_addr;
 692         len[2] = ETH_ALEN;
 693         addr[3] = bssid;
 694         len[3] = ETH_ALEN;
 695         if (g_sta && g_ap_len && g_ap && g_ap_len) {
 696                 addr[4] = g_sta;
 697                 len[4] = g_sta_len;
 698                 addr[5] = g_ap;
 699                 len[5] = g_ap_len;
 700                 num_elem = 6;
 701         }
 702
 703         if (wpa_key_mgmt_sha384(akmp)) {
 704                 *key_auth_len = 48;
 705                 res = hmac_sha384_vector(ick, ick_len, num_elem, addr, len,
 706                                          key_auth_sta);
 707         } else if (wpa_key_mgmt_sha256(akmp)) {
 708                 *key_auth_len = 32;
 709                 res = hmac_sha256_vector(ick, ick_len, num_elem, addr, len,
 710                                          key_auth_sta);
 711         } else {
 712                 return -1;
 713         }
 714         if (res < 0)
 715                 return res;
 716
 717         /*
 718          * For (Re)Association Response frame (AP->STA):
 719          * Key-Auth = HMAC-Hash(ICK, ANonce || SNonce || AP-BSSID || STA-MAC
 720          *                      [ || gAP || gSTA ])
 721          */
 722         addr[0] = anonce;
 723         addr[1] = snonce;
 724         addr[2] = bssid;
 725         addr[3] = sta_addr;
 726         if (g_sta && g_ap_len && g_ap && g_ap_len) {
 727                 addr[4] = g_ap;
 728                 len[4] = g_ap_len;
 729                 addr[5] = g_sta;
 730                 len[5] = g_sta_len;
 731         }
 732
 733         if (wpa_key_mgmt_sha384(akmp))
 734                 res = hmac_sha384_vector(ick, ick_len, num_elem, addr, len,
 735                                          key_auth_ap);
 736         else if (wpa_key_mgmt_sha256(akmp))
 737                 res = hmac_sha256_vector(ick, ick_len, num_elem, addr, len,
 738                                          key_auth_ap);
 739         if (res < 0)
 740                 return res;
 741
 742         wpa_hexdump(MSG_DEBUG, "FILS: Key-Auth (STA)",
 743                     key_auth_sta, *key_auth_len);
 744         wpa_hexdump(MSG_DEBUG, "FILS: Key-Auth (AP)",
 745                     key_auth_ap, *key_auth_len);
 746
 747         return 0;
 748 }
 749
 750 #endif /* CONFIG_FILS */
 751
 752
 753 #ifdef CONFIG_IEEE80211R
 754 int wpa_ft_mic(const u8 *kck, size_t kck_len, const u8 *sta_addr,
 755                const u8 *ap_addr, u8 transaction_seqnum,
 756                const u8 *mdie, size_t mdie_len,
 757                const u8 *ftie, size_t ftie_len,
 758                const u8 *rsnie, size_t rsnie_len,
 759                const u8 *ric, size_t ric_len, u8 *mic)
 760 {
 761         const u8 *addr[9];
 762         size_t len[9];
 763         size_t i, num_elem = 0;
 764         u8 zero_mic[24];
 765         size_t mic_len, fte_fixed_len;
 766
 767         if (kck_len == 16) {
 768                 mic_len = 16;
 769 #ifdef CONFIG_SHA384
 770         } else if (kck_len == 24) {
 771                 mic_len = 24;
 772 #endif /* CONFIG_SHA384 */
 773         } else {
 774                 wpa_printf(MSG_WARNING, "FT: Unsupported KCK length %u",
 775                            (unsigned int) kck_len);
 776                 return -1;
 777         }
 778
 779         fte_fixed_len = sizeof(struct rsn_ftie) - 16 + mic_len;
 780
 781         addr[num_elem] = sta_addr;
 782         len[num_elem] = ETH_ALEN;
 783         num_elem++;
 784
 785         addr[num_elem] = ap_addr;
 786         len[num_elem] = ETH_ALEN;
 787         num_elem++;
 788
 789         addr[num_elem] = &transaction_seqnum;
 790         len[num_elem] = 1;
 791         num_elem++;
 792
 793         if (rsnie) {
 794                 addr[num_elem] = rsnie;
 795                 len[num_elem] = rsnie_len;
 796                 num_elem++;
 797         }
 798         if (mdie) {
 799                 addr[num_elem] = mdie;
 800                 len[num_elem] = mdie_len;
 801                 num_elem++;
 802         }
 803         if (ftie) {
 804                 if (ftie_len < 2 + fte_fixed_len)
 805                         return -1;
 806
 807                 /* IE hdr and mic_control */
 808                 addr[num_elem] = ftie;
 809                 len[num_elem] = 2 + 2;
 810                 num_elem++;
 811
 812                 /* MIC field with all zeros */
 813                 os_memset(zero_mic, 0, mic_len);
 814                 addr[num_elem] = zero_mic;
 815                 len[num_elem] = mic_len;
 816                 num_elem++;
 817
 818                 /* Rest of FTIE */
 819                 addr[num_elem] = ftie + 2 + 2 + mic_len;
 820                 len[num_elem] = ftie_len - (2 + 2 + mic_len);
 821                 num_elem++;
 822         }
 823         if (ric) {
 824                 addr[num_elem] = ric;
 825                 len[num_elem] = ric_len;
 826                 num_elem++;
 827         }
 828
 829         for (i = 0; i < num_elem; i++)
 830                 wpa_hexdump(MSG_MSGDUMP, "FT: MIC data", addr[i], len[i]);
 831 #ifdef CONFIG_SHA384
 832         if (kck_len == 24) {
 833                 u8 hash[SHA384_MAC_LEN];
 834
 835                 if (hmac_sha384_vector(kck, kck_len, num_elem, addr, len, hash))
 836                         return -1;
 837                 os_memcpy(mic, hash, 24);
 838         }
 839 #endif /* CONFIG_SHA384 */
 840         if (kck_len == 16 &&
 841             omac1_aes_128_vector(kck, num_elem, addr, len, mic))
 842                 return -1;
 843
 844         return 0;
 845 }
 846
 847
 848 static int wpa_ft_parse_ftie(const u8 *ie, size_t ie_len,
 849                              struct wpa_ft_ies *parse, int use_sha384)
 850 {
 851         const u8 *end, *pos;
 852
 853         parse->ftie = ie;
 854         parse->ftie_len = ie_len;
 855
 856         pos = ie + (use_sha384 ? sizeof(struct rsn_ftie_sha384) :
 857                     sizeof(struct rsn_ftie));
 858         end = ie + ie_len;
 859         wpa_hexdump(MSG_DEBUG, "FT: Parse FTE subelements", pos, end - pos);
 860
 861         while (end - pos >= 2) {
 862                 u8 id, len;
 863
 864                 id = *pos++;
 865                 len = *pos++;
 866                 if (len > end - pos) {
 867                         wpa_printf(MSG_DEBUG, "FT: Truncated subelement");
 868                         break;
 869                 }
 870
 871                 switch (id) {
 872                 case FTIE_SUBELEM_R1KH_ID:
 873                         if (len != FT_R1KH_ID_LEN) {
 874                                 wpa_printf(MSG_DEBUG,
 875                                            "FT: Invalid R1KH-ID length in FTIE: %d",
 876                                            len);
 877                                 return -1;
 878                         }
 879                         parse->r1kh_id = pos;
 880                         break;
 881                 case FTIE_SUBELEM_GTK:
 882                         parse->gtk = pos;
 883                         parse->gtk_len = len;
 884                         break;
 885                 case FTIE_SUBELEM_R0KH_ID:
 886                         if (len < 1 || len > FT_R0KH_ID_MAX_LEN) {
 887                                 wpa_printf(MSG_DEBUG,
 888                                            "FT: Invalid R0KH-ID length in FTIE: %d",
 889                                            len);
 890                                 return -1;
 891                         }
 892                         parse->r0kh_id = pos;
 893                         parse->r0kh_id_len = len;
 894                         break;
 895 #ifdef CONFIG_IEEE80211W
 896                 case FTIE_SUBELEM_IGTK:
 897                         parse->igtk = pos;
 898                         parse->igtk_len = len;
 899                         break;
 900 #endif /* CONFIG_IEEE80211W */
 901 #ifdef CONFIG_OCV
 902                 case FTIE_SUBELEM_OCI:
 903                         parse->oci = pos;
 904                         parse->oci_len = len;
 905                         break;
 906 #endif /* CONFIG_OCV */
 907                 default:
 908                         wpa_printf(MSG_DEBUG, "FT: Unknown subelem id %u", id);
 909                         break;
 910                 }
 911
 912                 pos += len;
 913         }
 914
 915         return 0;
 916 }
 917
 918
 919 int wpa_ft_parse_ies(const u8 *ies, size_t ies_len,
 920                      struct wpa_ft_ies *parse, int use_sha384)
 921 {
 922         const u8 *end, *pos;
 923         struct wpa_ie_data data;
 924         int ret;
 925         const struct rsn_ftie *ftie;
 926         int prot_ie_count = 0;
 927         int update_use_sha384 = 0;
 928
 929         if (use_sha384 < 0) {
 930                 use_sha384 = 0;
 931                 update_use_sha384 = 1;
 932         }
 933
 934         os_memset(parse, 0, sizeof(*parse));
 935         if (ies == NULL)
 936                 return 0;
 937
 938         pos = ies;
 939         end = ies + ies_len;
 940         while (end - pos >= 2) {
 941                 u8 id, len;
 942
 943                 id = *pos++;
 944                 len = *pos++;
 945                 if (len > end - pos)
 946                         break;
 947
 948                 switch (id) {
 949                 case WLAN_EID_RSN:
 950                         wpa_hexdump(MSG_DEBUG, "FT: RSNE", pos, len);
 951                         parse->rsn = pos;
 952                         parse->rsn_len = len;
 953                         ret = wpa_parse_wpa_ie_rsn(parse->rsn - 2,
 954                                                    parse->rsn_len + 2,
 955                                                    &data);
 956                         if (ret < 0) {
 957                                 wpa_printf(MSG_DEBUG, "FT: Failed to parse "
 958                                            "RSN IE: %d", ret);
 959                                 return -1;
 960                         }
 961                         if (data.num_pmkid == 1 && data.pmkid)
 962                                 parse->rsn_pmkid = data.pmkid;
 963                         parse->key_mgmt = data.key_mgmt;
 964                         parse->pairwise_cipher = data.pairwise_cipher;
 965                         if (update_use_sha384) {
 966                                 use_sha384 =
 967                                         wpa_key_mgmt_sha384(parse->key_mgmt);
 968                                 update_use_sha384 = 0;
 969                         }
 970                         break;
 971                 case WLAN_EID_MOBILITY_DOMAIN:
 972                         wpa_hexdump(MSG_DEBUG, "FT: MDE", pos, len);
 973                         if (len < sizeof(struct rsn_mdie))
 974                                 return -1;
 975                         parse->mdie = pos;
 976                         parse->mdie_len = len;
 977                         break;
 978                 case WLAN_EID_FAST_BSS_TRANSITION:
 979                         wpa_hexdump(MSG_DEBUG, "FT: FTE", pos, len);
 980                         if (use_sha384) {
 981                                 const struct rsn_ftie_sha384 *ftie_sha384;
 982
 983                                 if (len < sizeof(*ftie_sha384))
 984                                         return -1;
 985                                 ftie_sha384 =
 986                                         (const struct rsn_ftie_sha384 *) pos;
 987                                 wpa_hexdump(MSG_DEBUG, "FT: FTE-MIC Control",
 988                                             ftie_sha384->mic_control, 2);
 989                                 wpa_hexdump(MSG_DEBUG, "FT: FTE-MIC",
 990                                             ftie_sha384->mic,
 991                                             sizeof(ftie_sha384->mic));
 992                                 wpa_hexdump(MSG_DEBUG, "FT: FTE-ANonce",
 993                                             ftie_sha384->anonce,
 994                                             WPA_NONCE_LEN);
 995                                 wpa_hexdump(MSG_DEBUG, "FT: FTE-SNonce",
 996                                             ftie_sha384->snonce,
 997                                             WPA_NONCE_LEN);
 998                                 prot_ie_count = ftie_sha384->mic_control[1];
 999                                 if (wpa_ft_parse_ftie(pos, len, parse, 1) < 0)
1000                                         return -1;
1001                                 break;
1002                         }
1003
1004                         if (len < sizeof(*ftie))
1005                                 return -1;
1006                         ftie = (const struct rsn_ftie *) pos;
1007                         wpa_hexdump(MSG_DEBUG, "FT: FTE-MIC Control",
1008                                     ftie->mic_control, 2);
1009                         wpa_hexdump(MSG_DEBUG, "FT: FTE-MIC",
1010                                     ftie->mic, sizeof(ftie->mic));
1011                         wpa_hexdump(MSG_DEBUG, "FT: FTE-ANonce",
1012                                     ftie->anonce, WPA_NONCE_LEN);
1013                         wpa_hexdump(MSG_DEBUG, "FT: FTE-SNonce",
1014                                     ftie->snonce, WPA_NONCE_LEN);
1015                         prot_ie_count = ftie->mic_control[1];
1016                         if (wpa_ft_parse_ftie(pos, len, parse, 0) < 0)
1017                                 return -1;
1018                         break;
1019                 case WLAN_EID_TIMEOUT_INTERVAL:
1020                         wpa_hexdump(MSG_DEBUG, "FT: Timeout Interval",
1021                                     pos, len);
1022                         if (len != 5)
1023                                 break;
1024                         parse->tie = pos;
1025                         parse->tie_len = len;
1026                         break;
1027                 case WLAN_EID_RIC_DATA:
1028                         if (parse->ric == NULL)
1029                                 parse->ric = pos - 2;
1030                         break;
1031                 }
1032
1033                 pos += len;
1034         }
1035
1036         if (prot_ie_count == 0)
1037                 return 0; /* no MIC */
1038
1039         /*
1040          * Check that the protected IE count matches with IEs included in the
1041          * frame.
1042          */
1043         if (parse->rsn)
1044                 prot_ie_count--;
1045         if (parse->mdie)
1046                 prot_ie_count--;
1047         if (parse->ftie)
1048                 prot_ie_count--;
1049         if (prot_ie_count < 0) {
1050                 wpa_printf(MSG_DEBUG, "FT: Some required IEs not included in "
1051                            "the protected IE count");
1052                 return -1;
1053         }
1054
1055         if (prot_ie_count == 0 && parse->ric) {
1056                 wpa_printf(MSG_DEBUG, "FT: RIC IE(s) in the frame, but not "
1057                            "included in protected IE count");
1058                 return -1;
1059         }
1060
1061         /* Determine the end of the RIC IE(s) */
1062         if (parse->ric) {
1063                 pos = parse->ric;
1064                 while (end - pos >= 2 && 2 + pos[1] <= end - pos &&
1065                        prot_ie_count) {
1066                         prot_ie_count--;
1067                         pos += 2 + pos[1];
1068                 }
1069                 parse->ric_len = pos - parse->ric;
1070         }
1071         if (prot_ie_count) {
1072                 wpa_printf(MSG_DEBUG, "FT: %d protected IEs missing from "
1073                            "frame", (int) prot_ie_count);
1074                 return -1;
1075         }
1076
1077         return 0;
1078 }
1079 #endif /* CONFIG_IEEE80211R */
1080
1081
1082 static int rsn_selector_to_bitfield(const u8 *s)
1083 {
1084         if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_NONE)
1085                 return WPA_CIPHER_NONE;
1086         if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_TKIP)
1087                 return WPA_CIPHER_TKIP;
1088         if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_CCMP)
1089                 return WPA_CIPHER_CCMP;
1090 #ifdef CONFIG_IEEE80211W
1091         if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_AES_128_CMAC)
1092                 return WPA_CIPHER_AES_128_CMAC;
1093 #endif /* CONFIG_IEEE80211W */
1094         if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_GCMP)
1095                 return WPA_CIPHER_GCMP;
1096         if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_CCMP_256)
1097                 return WPA_CIPHER_CCMP_256;
1098         if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_GCMP_256)
1099                 return WPA_CIPHER_GCMP_256;
1100         if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_BIP_GMAC_128)
1101                 return WPA_CIPHER_BIP_GMAC_128;
1102         if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_BIP_GMAC_256)
1103                 return WPA_CIPHER_BIP_GMAC_256;
1104         if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_BIP_CMAC_256)
1105                 return WPA_CIPHER_BIP_CMAC_256;
1106         if (RSN_SELECTOR_GET(s) == RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED)
1107                 return WPA_CIPHER_GTK_NOT_USED;
1108         return 0;
1109 }
1110
1111
1112 static int rsn_key_mgmt_to_bitfield(const u8 *s)
1113 {
1114         if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_UNSPEC_802_1X)
1115                 return WPA_KEY_MGMT_IEEE8021X;
1116         if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_PSK_OVER_802_1X)
1117                 return WPA_KEY_MGMT_PSK;
1118 #ifdef CONFIG_IEEE80211R
1119         if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_FT_802_1X)
1120                 return WPA_KEY_MGMT_FT_IEEE8021X;
1121         if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_FT_PSK)
1122                 return WPA_KEY_MGMT_FT_PSK;
1123 #ifdef CONFIG_SHA384
1124         if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_FT_802_1X_SHA384)
1125                 return WPA_KEY_MGMT_FT_IEEE8021X_SHA384;
1126 #endif /* CONFIG_SHA384 */
1127 #endif /* CONFIG_IEEE80211R */
1128 #ifdef CONFIG_IEEE80211W
1129         if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_802_1X_SHA256)
1130                 return WPA_KEY_MGMT_IEEE8021X_SHA256;
1131         if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_PSK_SHA256)
1132                 return WPA_KEY_MGMT_PSK_SHA256;
1133 #endif /* CONFIG_IEEE80211W */
1134 #ifdef CONFIG_SAE
1135         if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_SAE)
1136                 return WPA_KEY_MGMT_SAE;
1137         if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_FT_SAE)
1138                 return WPA_KEY_MGMT_FT_SAE;
1139 #endif /* CONFIG_SAE */
1140         if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_802_1X_SUITE_B)
1141                 return WPA_KEY_MGMT_IEEE8021X_SUITE_B;
1142         if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_802_1X_SUITE_B_192)
1143                 return WPA_KEY_MGMT_IEEE8021X_SUITE_B_192;
1144         if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_FILS_SHA256)
1145                 return WPA_KEY_MGMT_FILS_SHA256;
1146         if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_FILS_SHA384)
1147                 return WPA_KEY_MGMT_FILS_SHA384;
1148         if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_FT_FILS_SHA256)
1149                 return WPA_KEY_MGMT_FT_FILS_SHA256;
1150         if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_FT_FILS_SHA384)
1151                 return WPA_KEY_MGMT_FT_FILS_SHA384;
1152 #ifdef CONFIG_OWE
1153         if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_OWE)
1154                 return WPA_KEY_MGMT_OWE;
1155 #endif /* CONFIG_OWE */
1156 #ifdef CONFIG_DPP
1157         if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_DPP)
1158                 return WPA_KEY_MGMT_DPP;
1159 #endif /* CONFIG_DPP */
1160         if (RSN_SELECTOR_GET(s) == RSN_AUTH_KEY_MGMT_OSEN)
1161                 return WPA_KEY_MGMT_OSEN;
1162         return 0;
1163 }
1164
1165
1166 int wpa_cipher_valid_group(int cipher)
1167 {
1168         return wpa_cipher_valid_pairwise(cipher) ||
1169                 cipher == WPA_CIPHER_GTK_NOT_USED;
1170 }
1171
1172
1173 #ifdef CONFIG_IEEE80211W
1174 int wpa_cipher_valid_mgmt_group(int cipher)
1175 {
1176         return cipher == WPA_CIPHER_AES_128_CMAC ||
1177                 cipher == WPA_CIPHER_BIP_GMAC_128 ||
1178                 cipher == WPA_CIPHER_BIP_GMAC_256 ||
1179                 cipher == WPA_CIPHER_BIP_CMAC_256;
1180 }
1181 #endif /* CONFIG_IEEE80211W */
1182
1183
1184 /**
1185  * wpa_parse_wpa_ie_rsn - Parse RSN IE
1186  * @rsn_ie: Buffer containing RSN IE
1187  * @rsn_ie_len: RSN IE buffer length (including IE number and length octets)
1188  * @data: Pointer to structure that will be filled in with parsed data
1189  * Returns: 0 on success, <0 on failure
1190  */
1191 int wpa_parse_wpa_ie_rsn(const u8 *rsn_ie, size_t rsn_ie_len,
1192                          struct wpa_ie_data *data)
1193 {
1194         const u8 *pos;
1195         int left;
1196         int i, count;
1197
1198         os_memset(data, 0, sizeof(*data));
1199         data->proto = WPA_PROTO_RSN;
1200         data->pairwise_cipher = WPA_CIPHER_CCMP;
1201         data->group_cipher = WPA_CIPHER_CCMP;
1202         data->key_mgmt = WPA_KEY_MGMT_IEEE8021X;
1203         data->capabilities = 0;
1204         data->pmkid = NULL;
1205         data->num_pmkid = 0;
1206 #ifdef CONFIG_IEEE80211W
1207         data->mgmt_group_cipher = WPA_CIPHER_AES_128_CMAC;
1208 #else /* CONFIG_IEEE80211W */
1209         data->mgmt_group_cipher = 0;
1210 #endif /* CONFIG_IEEE80211W */
1211
1212         if (rsn_ie_len == 0) {
1213                 /* No RSN IE - fail silently */
1214                 return -1;
1215         }
1216
1217         if (rsn_ie_len < sizeof(struct rsn_ie_hdr)) {
1218                 wpa_printf(MSG_DEBUG, "%s: ie len too short %lu",
1219                            __func__, (unsigned long) rsn_ie_len);
1220                 return -1;
1221         }
1222
1223         if (rsn_ie_len >= 6 && rsn_ie[1] >= 4 &&
1224             rsn_ie[1] == rsn_ie_len - 2 &&
1225             WPA_GET_BE32(&rsn_ie[2]) == OSEN_IE_VENDOR_TYPE) {
1226                 pos = rsn_ie + 6;
1227                 left = rsn_ie_len - 6;
1228
1229                 data->group_cipher = WPA_CIPHER_GTK_NOT_USED;
1230                 data->has_group = 1;
1231                 data->key_mgmt = WPA_KEY_MGMT_OSEN;
1232                 data->proto = WPA_PROTO_OSEN;
1233         } else {
1234                 const struct rsn_ie_hdr *hdr;
1235
1236                 hdr = (const struct rsn_ie_hdr *) rsn_ie;
1237
1238                 if (hdr->elem_id != WLAN_EID_RSN ||
1239                     hdr->len != rsn_ie_len - 2 ||
1240                     WPA_GET_LE16(hdr->version) != RSN_VERSION) {
1241                         wpa_printf(MSG_DEBUG, "%s: malformed ie or unknown version",
1242                                    __func__);
1243                         return -2;
1244                 }
1245
1246                 pos = (const u8 *) (hdr + 1);
1247                 left = rsn_ie_len - sizeof(*hdr);
1248         }
1249
1250         if (left >= RSN_SELECTOR_LEN) {
1251                 data->group_cipher = rsn_selector_to_bitfield(pos);
1252                 data->has_group = 1;
1253                 if (!wpa_cipher_valid_group(data->group_cipher)) {
1254                         wpa_printf(MSG_DEBUG,
1255                                    "%s: invalid group cipher 0x%x (%08x)",
1256                                    __func__, data->group_cipher,
1257                                    WPA_GET_BE32(pos));
1258                         return -1;
1259                 }
1260                 pos += RSN_SELECTOR_LEN;
1261                 left -= RSN_SELECTOR_LEN;
1262         } else if (left > 0) {
1263                 wpa_printf(MSG_DEBUG, "%s: ie length mismatch, %u too much",
1264                            __func__, left);
1265                 return -3;
1266         }
1267
1268         if (left >= 2) {
1269                 data->pairwise_cipher = 0;
1270                 count = WPA_GET_LE16(pos);
1271                 pos += 2;
1272                 left -= 2;
1273                 if (count == 0 || count > left / RSN_SELECTOR_LEN) {
1274                         wpa_printf(MSG_DEBUG, "%s: ie count botch (pairwise), "
1275                                    "count %u left %u", __func__, count, left);
1276                         return -4;
1277                 }
1278                 if (count)
1279                         data->has_pairwise = 1;
1280                 for (i = 0; i < count; i++) {
1281                         data->pairwise_cipher |= rsn_selector_to_bitfield(pos);
1282                         pos += RSN_SELECTOR_LEN;
1283                         left -= RSN_SELECTOR_LEN;
1284                 }
1285 #ifdef CONFIG_IEEE80211W
1286                 if (data->pairwise_cipher & WPA_CIPHER_AES_128_CMAC) {
1287                         wpa_printf(MSG_DEBUG, "%s: AES-128-CMAC used as "
1288                                    "pairwise cipher", __func__);
1289                         return -1;
1290                 }
1291 #endif /* CONFIG_IEEE80211W */
1292         } else if (left == 1) {
1293                 wpa_printf(MSG_DEBUG, "%s: ie too short (for key mgmt)",
1294                            __func__);
1295                 return -5;
1296         }
1297
1298         if (left >= 2) {
1299                 data->key_mgmt = 0;
1300                 count = WPA_GET_LE16(pos);
1301                 pos += 2;
1302                 left -= 2;
1303                 if (count == 0 || count > left / RSN_SELECTOR_LEN) {
1304                         wpa_printf(MSG_DEBUG, "%s: ie count botch (key mgmt), "
1305                                    "count %u left %u", __func__, count, left);
1306                         return -6;
1307                 }
1308                 for (i = 0; i < count; i++) {
1309                         data->key_mgmt |= rsn_key_mgmt_to_bitfield(pos);
1310                         pos += RSN_SELECTOR_LEN;
1311                         left -= RSN_SELECTOR_LEN;
1312                 }
1313         } else if (left == 1) {
1314                 wpa_printf(MSG_DEBUG, "%s: ie too short (for capabilities)",
1315                            __func__);
1316                 return -7;
1317         }
1318
1319         if (left >= 2) {
1320                 data->capabilities = WPA_GET_LE16(pos);
1321                 pos += 2;
1322                 left -= 2;
1323         }
1324
1325         if (left >= 2) {
1326                 u16 num_pmkid = WPA_GET_LE16(pos);
1327                 pos += 2;
1328                 left -= 2;
1329                 if (num_pmkid > (unsigned int) left / PMKID_LEN) {
1330                         wpa_printf(MSG_DEBUG, "%s: PMKID underflow "
1331                                    "(num_pmkid=%u left=%d)",
1332                                    __func__, num_pmkid, left);
1333                         data->num_pmkid = 0;
1334                         return -9;
1335                 } else {
1336                         data->num_pmkid = num_pmkid;
1337                         data->pmkid = pos;
1338                         pos += data->num_pmkid * PMKID_LEN;
1339                         left -= data->num_pmkid * PMKID_LEN;
1340                 }
1341         }
1342
1343 #ifdef CONFIG_IEEE80211W
1344         if (left >= 4) {
1345                 data->mgmt_group_cipher = rsn_selector_to_bitfield(pos);
1346                 if (!wpa_cipher_valid_mgmt_group(data->mgmt_group_cipher)) {
1347                         wpa_printf(MSG_DEBUG,
1348                                    "%s: Unsupported management group cipher 0x%x (%08x)",
1349                                    __func__, data->mgmt_group_cipher,
1350                                    WPA_GET_BE32(pos));
1351                         return -10;
1352                 }
1353                 pos += RSN_SELECTOR_LEN;
1354                 left -= RSN_SELECTOR_LEN;
1355         }
1356 #endif /* CONFIG_IEEE80211W */
1357
1358         if (left > 0) {
1359                 wpa_hexdump(MSG_DEBUG,
1360                             "wpa_parse_wpa_ie_rsn: ignore trailing bytes",
1361                             pos, left);
1362         }
1363
1364         return 0;
1365 }
1366
1367
1368 static int wpa_selector_to_bitfield(const u8 *s)
1369 {
1370         if (RSN_SELECTOR_GET(s) == WPA_CIPHER_SUITE_NONE)
1371                 return WPA_CIPHER_NONE;
1372         if (RSN_SELECTOR_GET(s) == WPA_CIPHER_SUITE_TKIP)
1373                 return WPA_CIPHER_TKIP;
1374         if (RSN_SELECTOR_GET(s) == WPA_CIPHER_SUITE_CCMP)
1375                 return WPA_CIPHER_CCMP;
1376         return 0;
1377 }
1378
1379
1380 static int wpa_key_mgmt_to_bitfield(const u8 *s)
1381 {
1382         if (RSN_SELECTOR_GET(s) == WPA_AUTH_KEY_MGMT_UNSPEC_802_1X)
1383                 return WPA_KEY_MGMT_IEEE8021X;
1384         if (RSN_SELECTOR_GET(s) == WPA_AUTH_KEY_MGMT_PSK_OVER_802_1X)
1385                 return WPA_KEY_MGMT_PSK;
1386         if (RSN_SELECTOR_GET(s) == WPA_AUTH_KEY_MGMT_NONE)
1387                 return WPA_KEY_MGMT_WPA_NONE;
1388         return 0;
1389 }
1390
1391
1392 int wpa_parse_wpa_ie_wpa(const u8 *wpa_ie, size_t wpa_ie_len,
1393                          struct wpa_ie_data *data)
1394 {
1395         const struct wpa_ie_hdr *hdr;
1396         const u8 *pos;
1397         int left;
1398         int i, count;
1399
1400         os_memset(data, 0, sizeof(*data));
1401         data->proto = WPA_PROTO_WPA;
1402         data->pairwise_cipher = WPA_CIPHER_TKIP;
1403         data->group_cipher = WPA_CIPHER_TKIP;
1404         data->key_mgmt = WPA_KEY_MGMT_IEEE8021X;
1405         data->capabilities = 0;
1406         data->pmkid = NULL;
1407         data->num_pmkid = 0;
1408         data->mgmt_group_cipher = 0;
1409
1410         if (wpa_ie_len < sizeof(struct wpa_ie_hdr)) {
1411                 wpa_printf(MSG_DEBUG, "%s: ie len too short %lu",
1412                            __func__, (unsigned long) wpa_ie_len);
1413                 return -1;
1414         }
1415
1416         hdr = (const struct wpa_ie_hdr *) wpa_ie;
1417
1418         if (hdr->elem_id != WLAN_EID_VENDOR_SPECIFIC ||
1419             hdr->len != wpa_ie_len - 2 ||
1420             RSN_SELECTOR_GET(hdr->oui) != WPA_OUI_TYPE ||
1421             WPA_GET_LE16(hdr->version) != WPA_VERSION) {
1422                 wpa_printf(MSG_DEBUG, "%s: malformed ie or unknown version",
1423                            __func__);
1424                 return -2;
1425         }
1426
1427         pos = (const u8 *) (hdr + 1);
1428         left = wpa_ie_len - sizeof(*hdr);
1429
1430         if (left >= WPA_SELECTOR_LEN) {
1431                 data->group_cipher = wpa_selector_to_bitfield(pos);
1432                 pos += WPA_SELECTOR_LEN;
1433                 left -= WPA_SELECTOR_LEN;
1434         } else if (left > 0) {
1435                 wpa_printf(MSG_DEBUG, "%s: ie length mismatch, %u too much",
1436                            __func__, left);
1437                 return -3;
1438         }
1439
1440         if (left >= 2) {
1441                 data->pairwise_cipher = 0;
1442                 count = WPA_GET_LE16(pos);
1443                 pos += 2;
1444                 left -= 2;
1445                 if (count == 0 || count > left / WPA_SELECTOR_LEN) {
1446                         wpa_printf(MSG_DEBUG, "%s: ie count botch (pairwise), "
1447                                    "count %u left %u", __func__, count, left);
1448                         return -4;
1449                 }
1450                 for (i = 0; i < count; i++) {
1451                         data->pairwise_cipher |= wpa_selector_to_bitfield(pos);
1452                         pos += WPA_SELECTOR_LEN;
1453                         left -= WPA_SELECTOR_LEN;
1454                 }
1455         } else if (left == 1) {
1456                 wpa_printf(MSG_DEBUG, "%s: ie too short (for key mgmt)",
1457                            __func__);
1458                 return -5;
1459         }
1460
1461         if (left >= 2) {
1462                 data->key_mgmt = 0;
1463                 count = WPA_GET_LE16(pos);
1464                 pos += 2;
1465                 left -= 2;
1466                 if (count == 0 || count > left / WPA_SELECTOR_LEN) {
1467                         wpa_printf(MSG_DEBUG, "%s: ie count botch (key mgmt), "
1468                                    "count %u left %u", __func__, count, left);
1469                         return -6;
1470                 }
1471                 for (i = 0; i < count; i++) {
1472                         data->key_mgmt |= wpa_key_mgmt_to_bitfield(pos);
1473                         pos += WPA_SELECTOR_LEN;
1474                         left -= WPA_SELECTOR_LEN;
1475                 }
1476         } else if (left == 1) {
1477                 wpa_printf(MSG_DEBUG, "%s: ie too short (for capabilities)",
1478                            __func__);
1479                 return -7;
1480         }
1481
1482         if (left >= 2) {
1483                 data->capabilities = WPA_GET_LE16(pos);
1484                 pos += 2;
1485                 left -= 2;
1486         }
1487
1488         if (left > 0) {
1489                 wpa_hexdump(MSG_DEBUG,
1490                             "wpa_parse_wpa_ie_wpa: ignore trailing bytes",
1491                             pos, left);
1492         }
1493
1494         return 0;
1495 }
1496
1497
1498 int wpa_default_rsn_cipher(int freq)
1499 {
1500         if (freq > 56160)
1501                 return WPA_CIPHER_GCMP; /* DMG */
1502
1503         return WPA_CIPHER_CCMP;
1504 }
1505
1506
1507 #ifdef CONFIG_IEEE80211R
1508
1509 /**
1510  * wpa_derive_pmk_r0 - Derive PMK-R0 and PMKR0Name
1511  *
1512  * IEEE Std 802.11r-2008 - 8.5.1.5.3
1513  */
1514 int wpa_derive_pmk_r0(const u8 *xxkey, size_t xxkey_len,
1515                       const u8 *ssid, size_t ssid_len,
1516                       const u8 *mdid, const u8 *r0kh_id, size_t r0kh_id_len,
1517                       const u8 *s0kh_id, u8 *pmk_r0, u8 *pmk_r0_name,
1518                       int use_sha384)
1519 {
1520         u8 buf[1 + SSID_MAX_LEN + MOBILITY_DOMAIN_ID_LEN + 1 +
1521                FT_R0KH_ID_MAX_LEN + ETH_ALEN];
1522         u8 *pos, r0_key_data[64], hash[48];
1523         const u8 *addr[2];
1524         size_t len[2];
1525         size_t q = use_sha384 ? 48 : 32;
1526         size_t r0_key_data_len = q + 16;
1527
1528         /*
1529          * R0-Key-Data = KDF-384(XXKey, "FT-R0",
1530          *                       SSIDlength || SSID || MDID || R0KHlength ||
1531          *                       R0KH-ID || S0KH-ID)
1532          * XXKey is either the second 256 bits of MSK or PSK; or the first
1533          * 384 bits of MSK for FT-EAP-SHA384.
1534          * PMK-R0 = L(R0-Key-Data, 0, Q)
1535          * PMK-R0Name-Salt = L(R0-Key-Data, Q, 128)
1536          * Q = 384 for FT-EAP-SHA384; otherwise, 256
1537          */
1538         if (ssid_len > SSID_MAX_LEN || r0kh_id_len > FT_R0KH_ID_MAX_LEN)
1539                 return -1;
1540         wpa_printf(MSG_DEBUG, "FT: Derive PMK-R0 using KDF-%s",
1541                    use_sha384 ? "SHA384" : "SHA256");
1542         wpa_hexdump_key(MSG_DEBUG, "FT: XXKey", xxkey, xxkey_len);
1543         wpa_hexdump_ascii(MSG_DEBUG, "FT: SSID", ssid, ssid_len);
1544         wpa_hexdump(MSG_DEBUG, "FT: MDID", mdid, MOBILITY_DOMAIN_ID_LEN);
1545         wpa_hexdump_ascii(MSG_DEBUG, "FT: R0KH-ID", r0kh_id, r0kh_id_len);
1546         wpa_printf(MSG_DEBUG, "FT: S0KH-ID: " MACSTR, MAC2STR(s0kh_id));
1547         pos = buf;
1548         *pos++ = ssid_len;
1549         os_memcpy(pos, ssid, ssid_len);
1550         pos += ssid_len;
1551         os_memcpy(pos, mdid, MOBILITY_DOMAIN_ID_LEN);
1552         pos += MOBILITY_DOMAIN_ID_LEN;
1553         *pos++ = r0kh_id_len;
1554         os_memcpy(pos, r0kh_id, r0kh_id_len);
1555         pos += r0kh_id_len;
1556         os_memcpy(pos, s0kh_id, ETH_ALEN);
1557         pos += ETH_ALEN;
1558
1559 #ifdef CONFIG_SHA384
1560         if (use_sha384) {
1561                 if (xxkey_len != SHA384_MAC_LEN) {
1562                         wpa_printf(MSG_ERROR,
1563                                    "FT: Unexpected XXKey length %d (expected %d)",
1564                                    (int) xxkey_len, SHA384_MAC_LEN);
1565                         return -1;
1566                 }
1567                 if (sha384_prf(xxkey, xxkey_len, "FT-R0", buf, pos - buf,
1568                                r0_key_data, r0_key_data_len) < 0)
1569                         return -1;
1570         }
1571 #endif /* CONFIG_SHA384 */
1572         if (!use_sha384) {
1573                 if (xxkey_len != PMK_LEN) {
1574                         wpa_printf(MSG_ERROR,
1575                                    "FT: Unexpected XXKey length %d (expected %d)",
1576                                    (int) xxkey_len, PMK_LEN);
1577                         return -1;
1578                 }
1579                 if (sha256_prf(xxkey, xxkey_len, "FT-R0", buf, pos - buf,
1580                                r0_key_data, r0_key_data_len) < 0)
1581                         return -1;
1582         }
1583         os_memcpy(pmk_r0, r0_key_data, q);
1584         wpa_hexdump_key(MSG_DEBUG, "FT: PMK-R0", pmk_r0, q);
1585         wpa_hexdump_key(MSG_DEBUG, "FT: PMK-R0Name-Salt", &r0_key_data[q], 16);
1586
1587         /*
1588          * PMKR0Name = Truncate-128(Hash("FT-R0N" || PMK-R0Name-Salt)
1589          */
1590         addr[0] = (const u8 *) "FT-R0N";
1591         len[0] = 6;
1592         addr[1] = &r0_key_data[q];
1593         len[1] = 16;
1594
1595 #ifdef CONFIG_SHA384
1596         if (use_sha384 && sha384_vector(2, addr, len, hash) < 0)
1597                 return -1;
1598 #endif /* CONFIG_SHA384 */
1599         if (!use_sha384 && sha256_vector(2, addr, len, hash) < 0)
1600                 return -1;
1601         os_memcpy(pmk_r0_name, hash, WPA_PMK_NAME_LEN);
1602         os_memset(r0_key_data, 0, sizeof(r0_key_data));
1603         return 0;
1604 }
1605
1606
1607 /**
1608  * wpa_derive_pmk_r1_name - Derive PMKR1Name
1609  *
1610  * IEEE Std 802.11r-2008 - 8.5.1.5.4
1611  */
1612 int wpa_derive_pmk_r1_name(const u8 *pmk_r0_name, const u8 *r1kh_id,
1613                            const u8 *s1kh_id, u8 *pmk_r1_name, int use_sha384)
1614 {
1615         u8 hash[48];
1616         const u8 *addr[4];
1617         size_t len[4];
1618
1619         /*
1620          * PMKR1Name = Truncate-128(Hash("FT-R1N" || PMKR0Name ||
1621          *                               R1KH-ID || S1KH-ID))
1622          */
1623         addr[0] = (const u8 *) "FT-R1N";
1624         len[0] = 6;
1625         addr[1] = pmk_r0_name;
1626         len[1] = WPA_PMK_NAME_LEN;
1627         addr[2] = r1kh_id;
1628         len[2] = FT_R1KH_ID_LEN;
1629         addr[3] = s1kh_id;
1630         len[3] = ETH_ALEN;
1631
1632 #ifdef CONFIG_SHA384
1633         if (use_sha384 && sha384_vector(4, addr, len, hash) < 0)
1634                 return -1;
1635 #endif /* CONFIG_SHA384 */
1636         if (!use_sha384 && sha256_vector(4, addr, len, hash) < 0)
1637                 return -1;
1638         os_memcpy(pmk_r1_name, hash, WPA_PMK_NAME_LEN);
1639         return 0;
1640 }
1641
1642
1643 /**
1644  * wpa_derive_pmk_r1 - Derive PMK-R1 and PMKR1Name from PMK-R0
1645  *
1646  * IEEE Std 802.11r-2008 - 8.5.1.5.4
1647  */
1648 int wpa_derive_pmk_r1(const u8 *pmk_r0, size_t pmk_r0_len,
1649                       const u8 *pmk_r0_name,
1650                       const u8 *r1kh_id, const u8 *s1kh_id,
1651                       u8 *pmk_r1, u8 *pmk_r1_name)
1652 {
1653         u8 buf[FT_R1KH_ID_LEN + ETH_ALEN];
1654         u8 *pos;
1655
1656         /* PMK-R1 = KDF-256(PMK-R0, "FT-R1", R1KH-ID || S1KH-ID) */
1657         wpa_printf(MSG_DEBUG, "FT: Derive PMK-R1 using KDF-%s",
1658                    pmk_r0_len == SHA384_MAC_LEN ? "SHA384" : "SHA256");
1659         wpa_hexdump_key(MSG_DEBUG, "FT: PMK-R0", pmk_r0, pmk_r0_len);
1660         wpa_hexdump(MSG_DEBUG, "FT: R1KH-ID", r1kh_id, FT_R1KH_ID_LEN);
1661         wpa_printf(MSG_DEBUG, "FT: S1KH-ID: " MACSTR, MAC2STR(s1kh_id));
1662         pos = buf;
1663         os_memcpy(pos, r1kh_id, FT_R1KH_ID_LEN);
1664         pos += FT_R1KH_ID_LEN;
1665         os_memcpy(pos, s1kh_id, ETH_ALEN);
1666         pos += ETH_ALEN;
1667
1668 #ifdef CONFIG_SHA384
1669         if (pmk_r0_len == SHA384_MAC_LEN &&
1670             sha384_prf(pmk_r0, pmk_r0_len, "FT-R1",
1671                        buf, pos - buf, pmk_r1, pmk_r0_len) < 0)
1672                 return -1;
1673 #endif /* CONFIG_SHA384 */
1674         if (pmk_r0_len == PMK_LEN &&
1675             sha256_prf(pmk_r0, pmk_r0_len, "FT-R1",
1676                        buf, pos - buf, pmk_r1, pmk_r0_len) < 0)
1677                 return -1;
1678         if (pmk_r0_len != SHA384_MAC_LEN && pmk_r0_len != PMK_LEN) {
1679                 wpa_printf(MSG_ERROR, "FT: Unexpected PMK-R0 length %d",
1680                            (int) pmk_r0_len);
1681                 return -1;
1682         }
1683         wpa_hexdump_key(MSG_DEBUG, "FT: PMK-R1", pmk_r1, pmk_r0_len);
1684
1685         return wpa_derive_pmk_r1_name(pmk_r0_name, r1kh_id, s1kh_id,
1686                                       pmk_r1_name,
1687                                       pmk_r0_len == SHA384_MAC_LEN);
1688 }
1689
1690
1691 /**
1692  * wpa_pmk_r1_to_ptk - Derive PTK and PTKName from PMK-R1
1693  *
1694  * IEEE Std 802.11r-2008 - 8.5.1.5.5
1695  */
1696 int wpa_pmk_r1_to_ptk(const u8 *pmk_r1, size_t pmk_r1_len,
1697                       const u8 *snonce, const u8 *anonce,
1698                       const u8 *sta_addr, const u8 *bssid,
1699                       const u8 *pmk_r1_name,
1700                       struct wpa_ptk *ptk, u8 *ptk_name, int akmp, int cipher)
1701 {
1702         u8 buf[2 * WPA_NONCE_LEN + 2 * ETH_ALEN];
1703         u8 *pos, hash[32];
1704         const u8 *addr[6];
1705         size_t len[6];
1706         u8 tmp[2 * WPA_KCK_MAX_LEN + 2 * WPA_KEK_MAX_LEN + WPA_TK_MAX_LEN];
1707         size_t ptk_len, offset;
1708         int use_sha384 = wpa_key_mgmt_sha384(akmp);
1709
1710         /*
1711          * PTK = KDF-PTKLen(PMK-R1, "FT-PTK", SNonce || ANonce ||
1712          *                  BSSID || STA-ADDR)
1713          */
1714         wpa_printf(MSG_DEBUG, "FT: Derive PTK using KDF-%s",
1715                    use_sha384 ? "SHA384" : "SHA256");
1716         wpa_hexdump_key(MSG_DEBUG, "FT: PMK-R1", pmk_r1, pmk_r1_len);
1717         wpa_hexdump(MSG_DEBUG, "FT: SNonce", snonce, WPA_NONCE_LEN);
1718         wpa_hexdump(MSG_DEBUG, "FT: ANonce", anonce, WPA_NONCE_LEN);
1719         wpa_printf(MSG_DEBUG, "FT: BSSID=" MACSTR " STA-ADDR=" MACSTR,
1720                    MAC2STR(bssid), MAC2STR(sta_addr));
1721         pos = buf;
1722         os_memcpy(pos, snonce, WPA_NONCE_LEN);
1723         pos += WPA_NONCE_LEN;
1724         os_memcpy(pos, anonce, WPA_NONCE_LEN);
1725         pos += WPA_NONCE_LEN;
1726         os_memcpy(pos, bssid, ETH_ALEN);
1727         pos += ETH_ALEN;
1728         os_memcpy(pos, sta_addr, ETH_ALEN);
1729         pos += ETH_ALEN;
1730
1731         ptk->kck_len = wpa_kck_len(akmp, PMK_LEN);
1732         ptk->kck2_len = wpa_kck2_len(akmp);
1733         ptk->kek_len = wpa_kek_len(akmp, PMK_LEN);
1734         ptk->kek2_len = wpa_kek2_len(akmp);
1735         ptk->tk_len = wpa_cipher_key_len(cipher);
1736         ptk_len = ptk->kck_len + ptk->kek_len + ptk->tk_len +
1737                 ptk->kck2_len + ptk->kek2_len;
1738
1739 #ifdef CONFIG_SHA384
1740         if (use_sha384) {
1741                 if (pmk_r1_len != SHA384_MAC_LEN) {
1742                         wpa_printf(MSG_ERROR,
1743                                    "FT: Unexpected PMK-R1 length %d (expected %d)",
1744                                    (int) pmk_r1_len, SHA384_MAC_LEN);
1745                         return -1;
1746                 }
1747                 if (sha384_prf(pmk_r1, pmk_r1_len, "FT-PTK",
1748                                buf, pos - buf, tmp, ptk_len) < 0)
1749                         return -1;
1750         }
1751 #endif /* CONFIG_SHA384 */
1752         if (!use_sha384) {
1753                 if (pmk_r1_len != PMK_LEN) {
1754                         wpa_printf(MSG_ERROR,
1755                                    "FT: Unexpected PMK-R1 length %d (expected %d)",
1756                                    (int) pmk_r1_len, PMK_LEN);
1757                         return -1;
1758                 }
1759                 if (sha256_prf(pmk_r1, pmk_r1_len, "FT-PTK",
1760                                buf, pos - buf, tmp, ptk_len) < 0)
1761                         return -1;
1762         }
1763         wpa_hexdump_key(MSG_DEBUG, "FT: PTK", tmp, ptk_len);
1764
1765         /*
1766          * PTKName = Truncate-128(SHA-256(PMKR1Name || "FT-PTKN" || SNonce ||
1767          *                                ANonce || BSSID || STA-ADDR))
1768          */
1769         wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name", pmk_r1_name, WPA_PMK_NAME_LEN);
1770         addr[0] = pmk_r1_name;
1771         len[0] = WPA_PMK_NAME_LEN;
1772         addr[1] = (const u8 *) "FT-PTKN";
1773         len[1] = 7;
1774         addr[2] = snonce;
1775         len[2] = WPA_NONCE_LEN;
1776         addr[3] = anonce;
1777         len[3] = WPA_NONCE_LEN;
1778         addr[4] = bssid;
1779         len[4] = ETH_ALEN;
1780         addr[5] = sta_addr;
1781         len[5] = ETH_ALEN;
1782
1783         if (sha256_vector(6, addr, len, hash) < 0)
1784                 return -1;
1785         os_memcpy(ptk_name, hash, WPA_PMK_NAME_LEN);
1786
1787         os_memcpy(ptk->kck, tmp, ptk->kck_len);
1788         offset = ptk->kck_len;
1789         os_memcpy(ptk->kek, tmp + offset, ptk->kek_len);
1790         offset += ptk->kek_len;
1791         os_memcpy(ptk->tk, tmp + offset, ptk->tk_len);
1792         offset += ptk->tk_len;
1793         os_memcpy(ptk->kck2, tmp + offset, ptk->kck2_len);
1794         offset += ptk->kck2_len;
1795         os_memcpy(ptk->kek2, tmp + offset, ptk->kek2_len);
1796
1797         wpa_hexdump_key(MSG_DEBUG, "FT: KCK", ptk->kck, ptk->kck_len);
1798         wpa_hexdump_key(MSG_DEBUG, "FT: KEK", ptk->kek, ptk->kek_len);
1799         if (ptk->kck2_len)
1800                 wpa_hexdump_key(MSG_DEBUG, "FT: KCK2",
1801                                 ptk->kck2, ptk->kck2_len);
1802         if (ptk->kek2_len)
1803                 wpa_hexdump_key(MSG_DEBUG, "FT: KEK2",
1804                                 ptk->kek2, ptk->kek2_len);
1805         wpa_hexdump_key(MSG_DEBUG, "FT: TK", ptk->tk, ptk->tk_len);
1806         wpa_hexdump(MSG_DEBUG, "FT: PTKName", ptk_name, WPA_PMK_NAME_LEN);
1807
1808         os_memset(tmp, 0, sizeof(tmp));
1809
1810         return 0;
1811 }
1812
1813 #endif /* CONFIG_IEEE80211R */
1814
1815
1816 /**
1817  * rsn_pmkid - Calculate PMK identifier
1818  * @pmk: Pairwise master key
1819  * @pmk_len: Length of pmk in bytes
1820  * @aa: Authenticator address
1821  * @spa: Supplicant address
1822  * @pmkid: Buffer for PMKID
1823  * @akmp: Negotiated key management protocol
1824  *
1825  * IEEE Std 802.11-2016 - 12.7.1.3 Pairwise key hierarchy
1826  * AKM: 00-0F-AC:5, 00-0F-AC:6, 00-0F-AC:14, 00-0F-AC:16
1827  * PMKID = Truncate-128(HMAC-SHA-256(PMK, "PMK Name" || AA || SPA))
1828  * AKM: 00-0F-AC:11
1829  * See rsn_pmkid_suite_b()
1830  * AKM: 00-0F-AC:12
1831  * See rsn_pmkid_suite_b_192()
1832  * AKM: 00-0F-AC:13, 00-0F-AC:15, 00-0F-AC:17
1833  * PMKID = Truncate-128(HMAC-SHA-384(PMK, "PMK Name" || AA || SPA))
1834  * Otherwise:
1835  * PMKID = Truncate-128(HMAC-SHA-1(PMK, "PMK Name" || AA || SPA))
1836  */
1837 void rsn_pmkid(const u8 *pmk, size_t pmk_len, const u8 *aa, const u8 *spa,
1838                u8 *pmkid, int akmp)
1839 {
1840         char *title = "PMK Name";
1841         const u8 *addr[3];
1842         const size_t len[3] = { 8, ETH_ALEN, ETH_ALEN };
1843         unsigned char hash[SHA384_MAC_LEN];
1844
1845         addr[0] = (u8 *) title;
1846         addr[1] = aa;
1847         addr[2] = spa;
1848
1849         if (0) {
1850 #if defined(CONFIG_FILS) || defined(CONFIG_SHA384)
1851         } else if (wpa_key_mgmt_sha384(akmp)) {
1852                 wpa_printf(MSG_DEBUG, "RSN: Derive PMKID using HMAC-SHA-384");
1853                 hmac_sha384_vector(pmk, pmk_len, 3, addr, len, hash);
1854 #endif /* CONFIG_FILS || CONFIG_SHA384 */
1855 #if defined(CONFIG_IEEE80211W) || defined(CONFIG_FILS)
1856         } else if (wpa_key_mgmt_sha256(akmp)) {
1857                 wpa_printf(MSG_DEBUG, "RSN: Derive PMKID using HMAC-SHA-256");
1858                 hmac_sha256_vector(pmk, pmk_len, 3, addr, len, hash);
1859 #endif /* CONFIG_IEEE80211W || CONFIG_FILS */
1860         } else {
1861                 wpa_printf(MSG_DEBUG, "RSN: Derive PMKID using HMAC-SHA-1");
1862                 hmac_sha1_vector(pmk, pmk_len, 3, addr, len, hash);
1863         }
1864         wpa_hexdump(MSG_DEBUG, "RSN: Derived PMKID", hash, PMKID_LEN);
1865         os_memcpy(pmkid, hash, PMKID_LEN);
1866 }
1867
1868
1869 #ifdef CONFIG_SUITEB
1870 /**
1871  * rsn_pmkid_suite_b - Calculate PMK identifier for Suite B AKM
1872  * @kck: Key confirmation key
1873  * @kck_len: Length of kck in bytes
1874  * @aa: Authenticator address
1875  * @spa: Supplicant address
1876  * @pmkid: Buffer for PMKID
1877  * Returns: 0 on success, -1 on failure
1878  *
1879  * IEEE Std 802.11ac-2013 - 11.6.1.3 Pairwise key hierarchy
1880  * PMKID = Truncate(HMAC-SHA-256(KCK, "PMK Name" || AA || SPA))
1881  */
1882 int rsn_pmkid_suite_b(const u8 *kck, size_t kck_len, const u8 *aa,
1883                       const u8 *spa, u8 *pmkid)
1884 {
1885         char *title = "PMK Name";
1886         const u8 *addr[3];
1887         const size_t len[3] = { 8, ETH_ALEN, ETH_ALEN };
1888         unsigned char hash[SHA256_MAC_LEN];
1889
1890         addr[0] = (u8 *) title;
1891         addr[1] = aa;
1892         addr[2] = spa;
1893
1894         if (hmac_sha256_vector(kck, kck_len, 3, addr, len, hash) < 0)
1895                 return -1;
1896         os_memcpy(pmkid, hash, PMKID_LEN);
1897         return 0;
1898 }
1899 #endif /* CONFIG_SUITEB */
1900
1901
1902 #ifdef CONFIG_SUITEB192
1903 /**
1904  * rsn_pmkid_suite_b_192 - Calculate PMK identifier for Suite B AKM
1905  * @kck: Key confirmation key
1906  * @kck_len: Length of kck in bytes
1907  * @aa: Authenticator address
1908  * @spa: Supplicant address
1909  * @pmkid: Buffer for PMKID
1910  * Returns: 0 on success, -1 on failure
1911  *
1912  * IEEE Std 802.11ac-2013 - 11.6.1.3 Pairwise key hierarchy
1913  * PMKID = Truncate(HMAC-SHA-384(KCK, "PMK Name" || AA || SPA))
1914  */
1915 int rsn_pmkid_suite_b_192(const u8 *kck, size_t kck_len, const u8 *aa,
1916                           const u8 *spa, u8 *pmkid)
1917 {
1918         char *title = "PMK Name";
1919         const u8 *addr[3];
1920         const size_t len[3] = { 8, ETH_ALEN, ETH_ALEN };
1921         unsigned char hash[SHA384_MAC_LEN];
1922
1923         addr[0] = (u8 *) title;
1924         addr[1] = aa;
1925         addr[2] = spa;
1926
1927         if (hmac_sha384_vector(kck, kck_len, 3, addr, len, hash) < 0)
1928                 return -1;
1929         os_memcpy(pmkid, hash, PMKID_LEN);
1930         return 0;
1931 }
1932 #endif /* CONFIG_SUITEB192 */
1933
1934
1935 /**
1936  * wpa_cipher_txt - Convert cipher suite to a text string
1937  * @cipher: Cipher suite (WPA_CIPHER_* enum)
1938  * Returns: Pointer to a text string of the cipher suite name
1939  */
1940 const char * wpa_cipher_txt(int cipher)
1941 {
1942         switch (cipher) {
1943         case WPA_CIPHER_NONE:
1944                 return "NONE";
1945         case WPA_CIPHER_WEP40:
1946                 return "WEP-40";
1947         case WPA_CIPHER_WEP104:
1948                 return "WEP-104";
1949         case WPA_CIPHER_TKIP:
1950                 return "TKIP";
1951         case WPA_CIPHER_CCMP:
1952                 return "CCMP";
1953         case WPA_CIPHER_CCMP | WPA_CIPHER_TKIP:
1954                 return "CCMP+TKIP";
1955         case WPA_CIPHER_GCMP:
1956                 return "GCMP";
1957         case WPA_CIPHER_GCMP_256:
1958                 return "GCMP-256";
1959         case WPA_CIPHER_CCMP_256:
1960                 return "CCMP-256";
1961         case WPA_CIPHER_AES_128_CMAC:
1962                 return "BIP";
1963         case WPA_CIPHER_BIP_GMAC_128:
1964                 return "BIP-GMAC-128";
1965         case WPA_CIPHER_BIP_GMAC_256:
1966                 return "BIP-GMAC-256";
1967         case WPA_CIPHER_BIP_CMAC_256:
1968                 return "BIP-CMAC-256";
1969         case WPA_CIPHER_GTK_NOT_USED:
1970                 return "GTK_NOT_USED";
1971         default:
1972                 return "UNKNOWN";
1973         }
1974 }
1975
1976
1977 /**
1978  * wpa_key_mgmt_txt - Convert key management suite to a text string
1979  * @key_mgmt: Key management suite (WPA_KEY_MGMT_* enum)
1980  * @proto: WPA/WPA2 version (WPA_PROTO_*)
1981  * Returns: Pointer to a text string of the key management suite name
1982  */
1983 const char * wpa_key_mgmt_txt(int key_mgmt, int proto)
1984 {
1985         switch (key_mgmt) {
1986         case WPA_KEY_MGMT_IEEE8021X:
1987                 if (proto == (WPA_PROTO_RSN | WPA_PROTO_WPA))
1988                         return "WPA2+WPA/IEEE 802.1X/EAP";
1989                 return proto == WPA_PROTO_RSN ?
1990                         "WPA2/IEEE 802.1X/EAP" : "WPA/IEEE 802.1X/EAP";
1991         case WPA_KEY_MGMT_PSK:
1992                 if (proto == (WPA_PROTO_RSN | WPA_PROTO_WPA))
1993                         return "WPA2-PSK+WPA-PSK";
1994                 return proto == WPA_PROTO_RSN ?
1995                         "WPA2-PSK" : "WPA-PSK";
1996         case WPA_KEY_MGMT_NONE:
1997                 return "NONE";
1998         case WPA_KEY_MGMT_WPA_NONE:
1999                 return "WPA-NONE";
2000         case WPA_KEY_MGMT_IEEE8021X_NO_WPA:
2001                 return "IEEE 802.1X (no WPA)";
2002 #ifdef CONFIG_IEEE80211R
2003         case WPA_KEY_MGMT_FT_IEEE8021X:
2004                 return "FT-EAP";
2005         case WPA_KEY_MGMT_FT_IEEE8021X_SHA384:
2006                 return "FT-EAP-SHA384";
2007         case WPA_KEY_MGMT_FT_PSK:
2008                 return "FT-PSK";
2009 #endif /* CONFIG_IEEE80211R */
2010 #ifdef CONFIG_IEEE80211W
2011         case WPA_KEY_MGMT_IEEE8021X_SHA256:
2012                 return "WPA2-EAP-SHA256";
2013         case WPA_KEY_MGMT_PSK_SHA256:
2014                 return "WPA2-PSK-SHA256";
2015 #endif /* CONFIG_IEEE80211W */
2016         case WPA_KEY_MGMT_WPS:
2017                 return "WPS";
2018         case WPA_KEY_MGMT_SAE:
2019                 return "SAE";
2020         case WPA_KEY_MGMT_FT_SAE:
2021                 return "FT-SAE";
2022         case WPA_KEY_MGMT_OSEN:
2023                 return "OSEN";
2024         case WPA_KEY_MGMT_IEEE8021X_SUITE_B:
2025                 return "WPA2-EAP-SUITE-B";
2026         case WPA_KEY_MGMT_IEEE8021X_SUITE_B_192:
2027                 return "WPA2-EAP-SUITE-B-192";
2028         case WPA_KEY_MGMT_FILS_SHA256:
2029                 return "FILS-SHA256";
2030         case WPA_KEY_MGMT_FILS_SHA384:
2031                 return "FILS-SHA384";
2032         case WPA_KEY_MGMT_FT_FILS_SHA256:
2033                 return "FT-FILS-SHA256";
2034         case WPA_KEY_MGMT_FT_FILS_SHA384:
2035                 return "FT-FILS-SHA384";
2036         case WPA_KEY_MGMT_OWE:
2037                 return "OWE";
2038         case WPA_KEY_MGMT_DPP:
2039                 return "DPP";
2040         default:
2041                 return "UNKNOWN";
2042         }
2043 }
2044
2045
2046 u32 wpa_akm_to_suite(int akm)
2047 {
2048         if (akm & WPA_KEY_MGMT_FT_IEEE8021X_SHA384)
2049                 return RSN_AUTH_KEY_MGMT_FT_802_1X_SHA384;
2050         if (akm & WPA_KEY_MGMT_FT_IEEE8021X)
2051                 return RSN_AUTH_KEY_MGMT_FT_802_1X;
2052         if (akm & WPA_KEY_MGMT_FT_PSK)
2053                 return RSN_AUTH_KEY_MGMT_FT_PSK;
2054         if (akm & WPA_KEY_MGMT_IEEE8021X_SHA256)
2055                 return RSN_AUTH_KEY_MGMT_802_1X_SHA256;
2056         if (akm & WPA_KEY_MGMT_IEEE8021X)
2057                 return RSN_AUTH_KEY_MGMT_UNSPEC_802_1X;
2058         if (akm & WPA_KEY_MGMT_PSK_SHA256)
2059                 return RSN_AUTH_KEY_MGMT_PSK_SHA256;
2060         if (akm & WPA_KEY_MGMT_PSK)
2061                 return RSN_AUTH_KEY_MGMT_PSK_OVER_802_1X;
2062         if (akm & WPA_KEY_MGMT_CCKM)
2063                 return RSN_AUTH_KEY_MGMT_CCKM;
2064         if (akm & WPA_KEY_MGMT_OSEN)
2065                 return RSN_AUTH_KEY_MGMT_OSEN;
2066         if (akm & WPA_KEY_MGMT_IEEE8021X_SUITE_B)
2067                 return RSN_AUTH_KEY_MGMT_802_1X_SUITE_B;
2068         if (akm & WPA_KEY_MGMT_IEEE8021X_SUITE_B_192)
2069                 return RSN_AUTH_KEY_MGMT_802_1X_SUITE_B_192;
2070         if (akm & WPA_KEY_MGMT_FILS_SHA256)
2071                 return RSN_AUTH_KEY_MGMT_FILS_SHA256;
2072         if (akm & WPA_KEY_MGMT_FILS_SHA384)
2073                 return RSN_AUTH_KEY_MGMT_FILS_SHA384;
2074         if (akm & WPA_KEY_MGMT_FT_FILS_SHA256)
2075                 return RSN_AUTH_KEY_MGMT_FT_FILS_SHA256;
2076         if (akm & WPA_KEY_MGMT_FT_FILS_SHA384)
2077                 return RSN_AUTH_KEY_MGMT_FT_FILS_SHA384;
2078         return 0;
2079 }
2080
2081
2082 int wpa_compare_rsn_ie(int ft_initial_assoc,
2083                        const u8 *ie1, size_t ie1len,
2084                        const u8 *ie2, size_t ie2len)
2085 {
2086         if (ie1 == NULL || ie2 == NULL)
2087                 return -1;
2088
2089         if (ie1len == ie2len && os_memcmp(ie1, ie2, ie1len) == 0)
2090                 return 0; /* identical IEs */
2091
2092 #ifdef CONFIG_IEEE80211R
2093         if (ft_initial_assoc) {
2094                 struct wpa_ie_data ie1d, ie2d;
2095                 /*
2096                  * The PMKID-List in RSN IE is different between Beacon/Probe
2097                  * Response/(Re)Association Request frames and EAPOL-Key
2098                  * messages in FT initial mobility domain association. Allow
2099                  * for this, but verify that other parts of the RSN IEs are
2100                  * identical.
2101                  */
2102                 if (wpa_parse_wpa_ie_rsn(ie1, ie1len, &ie1d) < 0 ||
2103                     wpa_parse_wpa_ie_rsn(ie2, ie2len, &ie2d) < 0)
2104                         return -1;
2105                 if (ie1d.proto == ie2d.proto &&
2106                     ie1d.pairwise_cipher == ie2d.pairwise_cipher &&
2107                     ie1d.group_cipher == ie2d.group_cipher &&
2108                     ie1d.key_mgmt == ie2d.key_mgmt &&
2109                     ie1d.capabilities == ie2d.capabilities &&
2110                     ie1d.mgmt_group_cipher == ie2d.mgmt_group_cipher)
2111                         return 0;
2112         }
2113 #endif /* CONFIG_IEEE80211R */
2114
2115         return -1;
2116 }
2117
2118
2119 #if defined(CONFIG_IEEE80211R) || defined(CONFIG_FILS)
2120 int wpa_insert_pmkid(u8 *ies, size_t *ies_len, const u8 *pmkid)
2121 {
2122         u8 *start, *end, *rpos, *rend;
2123         int added = 0;
2124
2125         start = ies;
2126         end = ies + *ies_len;
2127
2128         while (start < end) {
2129                 if (*start == WLAN_EID_RSN)
2130                         break;
2131                 start += 2 + start[1];
2132         }
2133         if (start >= end) {
2134                 wpa_printf(MSG_ERROR, "FT: Could not find RSN IE in "
2135                            "IEs data");
2136                 return -1;
2137         }
2138         wpa_hexdump(MSG_DEBUG, "FT: RSN IE before modification",
2139                     start, 2 + start[1]);
2140
2141         /* Find start of PMKID-Count */
2142         rpos = start + 2;
2143         rend = rpos + start[1];
2144
2145         /* Skip Version and Group Data Cipher Suite */
2146         rpos += 2 + 4;
2147         /* Skip Pairwise Cipher Suite Count and List */
2148         rpos += 2 + WPA_GET_LE16(rpos) * RSN_SELECTOR_LEN;
2149         /* Skip AKM Suite Count and List */
2150         rpos += 2 + WPA_GET_LE16(rpos) * RSN_SELECTOR_LEN;
2151
2152         if (rpos == rend) {
2153                 /* Add RSN Capabilities */
2154                 os_memmove(rpos + 2, rpos, end - rpos);
2155                 *rpos++ = 0;
2156                 *rpos++ = 0;
2157                 added += 2;
2158                 start[1] += 2;
2159                 rend = rpos;
2160         } else {
2161                 /* Skip RSN Capabilities */
2162                 rpos += 2;
2163                 if (rpos > rend) {
2164                         wpa_printf(MSG_ERROR, "FT: Could not parse RSN IE in "
2165                                    "IEs data");
2166                         return -1;
2167                 }
2168         }
2169
2170         if (rpos == rend) {
2171                 /* No PMKID-Count field included; add it */
2172                 os_memmove(rpos + 2 + PMKID_LEN, rpos, end + added - rpos);
2173                 WPA_PUT_LE16(rpos, 1);
2174                 rpos += 2;
2175                 os_memcpy(rpos, pmkid, PMKID_LEN);
2176                 added += 2 + PMKID_LEN;
2177                 start[1] += 2 + PMKID_LEN;
2178         } else {
2179                 u16 num_pmkid;
2180
2181                 if (rend - rpos < 2)
2182                         return -1;
2183                 num_pmkid = WPA_GET_LE16(rpos);
2184                 /* PMKID-Count was included; use it */
2185                 if (num_pmkid != 0) {
2186                         u8 *after;
2187
2188                         if (num_pmkid * PMKID_LEN > rend - rpos - 2)
2189                                 return -1;
2190                         /*
2191                          * PMKID may have been included in RSN IE in
2192                          * (Re)Association Request frame, so remove the old
2193                          * PMKID(s) first before adding the new one.
2194                          */
2195                         wpa_printf(MSG_DEBUG,
2196                                    "FT: Remove %u old PMKID(s) from RSN IE",
2197                                    num_pmkid);
2198                         after = rpos + 2 + num_pmkid * PMKID_LEN;
2199                         os_memmove(rpos + 2, after, rend - after);
2200                         start[1] -= num_pmkid * PMKID_LEN;
2201                         added -= num_pmkid * PMKID_LEN;
2202                 }
2203                 WPA_PUT_LE16(rpos, 1);
2204                 rpos += 2;
2205                 os_memmove(rpos + PMKID_LEN, rpos, end + added - rpos);
2206                 os_memcpy(rpos, pmkid, PMKID_LEN);
2207                 added += PMKID_LEN;
2208                 start[1] += PMKID_LEN;
2209         }
2210
2211         wpa_hexdump(MSG_DEBUG, "FT: RSN IE after modification "
2212                     "(PMKID inserted)", start, 2 + start[1]);
2213
2214         *ies_len += added;
2215
2216         return 0;
2217 }
2218 #endif /* CONFIG_IEEE80211R || CONFIG_FILS */
2219
2220
2221 int wpa_cipher_key_len(int cipher)
2222 {
2223         switch (cipher) {
2224         case WPA_CIPHER_CCMP_256:
2225         case WPA_CIPHER_GCMP_256:
2226         case WPA_CIPHER_BIP_GMAC_256:
2227         case WPA_CIPHER_BIP_CMAC_256:
2228                 return 32;
2229         case WPA_CIPHER_CCMP:
2230         case WPA_CIPHER_GCMP:
2231         case WPA_CIPHER_AES_128_CMAC:
2232         case WPA_CIPHER_BIP_GMAC_128:
2233                 return 16;
2234         case WPA_CIPHER_TKIP:
2235                 return 32;
2236         }
2237
2238         return 0;
2239 }
2240
2241
2242 int wpa_cipher_rsc_len(int cipher)
2243 {
2244         switch (cipher) {
2245         case WPA_CIPHER_CCMP_256:
2246         case WPA_CIPHER_GCMP_256:
2247         case WPA_CIPHER_CCMP:
2248         case WPA_CIPHER_GCMP:
2249         case WPA_CIPHER_TKIP:
2250                 return 6;
2251         }
2252
2253         return 0;
2254 }
2255
2256
2257 enum wpa_alg wpa_cipher_to_alg(int cipher)
2258 {
2259         switch (cipher) {
2260         case WPA_CIPHER_CCMP_256:
2261                 return WPA_ALG_CCMP_256;
2262         case WPA_CIPHER_GCMP_256:
2263                 return WPA_ALG_GCMP_256;
2264         case WPA_CIPHER_CCMP:
2265                 return WPA_ALG_CCMP;
2266         case WPA_CIPHER_GCMP:
2267                 return WPA_ALG_GCMP;
2268         case WPA_CIPHER_TKIP:
2269                 return WPA_ALG_TKIP;
2270         case WPA_CIPHER_AES_128_CMAC:
2271                 return WPA_ALG_IGTK;
2272         case WPA_CIPHER_BIP_GMAC_128:
2273                 return WPA_ALG_BIP_GMAC_128;
2274         case WPA_CIPHER_BIP_GMAC_256:
2275                 return WPA_ALG_BIP_GMAC_256;
2276         case WPA_CIPHER_BIP_CMAC_256:
2277                 return WPA_ALG_BIP_CMAC_256;
2278         }
2279         return WPA_ALG_NONE;
2280 }
2281
2282
2283 int wpa_cipher_valid_pairwise(int cipher)
2284 {
2285         return cipher == WPA_CIPHER_CCMP_256 ||
2286                 cipher == WPA_CIPHER_GCMP_256 ||
2287                 cipher == WPA_CIPHER_CCMP ||
2288                 cipher == WPA_CIPHER_GCMP ||
2289                 cipher == WPA_CIPHER_TKIP;
2290 }
2291
2292
2293 u32 wpa_cipher_to_suite(int proto, int cipher)
2294 {
2295         if (cipher & WPA_CIPHER_CCMP_256)
2296                 return RSN_CIPHER_SUITE_CCMP_256;
2297         if (cipher & WPA_CIPHER_GCMP_256)
2298                 return RSN_CIPHER_SUITE_GCMP_256;
2299         if (cipher & WPA_CIPHER_CCMP)
2300                 return (proto == WPA_PROTO_RSN ?
2301                         RSN_CIPHER_SUITE_CCMP : WPA_CIPHER_SUITE_CCMP);
2302         if (cipher & WPA_CIPHER_GCMP)
2303                 return RSN_CIPHER_SUITE_GCMP;
2304         if (cipher & WPA_CIPHER_TKIP)
2305                 return (proto == WPA_PROTO_RSN ?
2306                         RSN_CIPHER_SUITE_TKIP : WPA_CIPHER_SUITE_TKIP);
2307         if (cipher & WPA_CIPHER_NONE)
2308                 return (proto == WPA_PROTO_RSN ?
2309                         RSN_CIPHER_SUITE_NONE : WPA_CIPHER_SUITE_NONE);
2310         if (cipher & WPA_CIPHER_GTK_NOT_USED)
2311                 return RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED;
2312         if (cipher & WPA_CIPHER_AES_128_CMAC)
2313                 return RSN_CIPHER_SUITE_AES_128_CMAC;
2314         if (cipher & WPA_CIPHER_BIP_GMAC_128)
2315                 return RSN_CIPHER_SUITE_BIP_GMAC_128;
2316         if (cipher & WPA_CIPHER_BIP_GMAC_256)
2317                 return RSN_CIPHER_SUITE_BIP_GMAC_256;
2318         if (cipher & WPA_CIPHER_BIP_CMAC_256)
2319                 return RSN_CIPHER_SUITE_BIP_CMAC_256;
2320         return 0;
2321 }
2322
2323
2324 int rsn_cipher_put_suites(u8 *start, int ciphers)
2325 {
2326         u8 *pos = start;
2327
2328         if (ciphers & WPA_CIPHER_CCMP_256) {
2329                 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP_256);
2330                 pos += RSN_SELECTOR_LEN;
2331         }
2332         if (ciphers & WPA_CIPHER_GCMP_256) {
2333                 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_GCMP_256);
2334                 pos += RSN_SELECTOR_LEN;
2335         }
2336         if (ciphers & WPA_CIPHER_CCMP) {
2337                 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_CCMP);
2338                 pos += RSN_SELECTOR_LEN;
2339         }
2340         if (ciphers & WPA_CIPHER_GCMP) {
2341                 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_GCMP);
2342                 pos += RSN_SELECTOR_LEN;
2343         }
2344         if (ciphers & WPA_CIPHER_TKIP) {
2345                 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_TKIP);
2346                 pos += RSN_SELECTOR_LEN;
2347         }
2348         if (ciphers & WPA_CIPHER_NONE) {
2349                 RSN_SELECTOR_PUT(pos, RSN_CIPHER_SUITE_NONE);
2350                 pos += RSN_SELECTOR_LEN;
2351         }
2352
2353         return (pos - start) / RSN_SELECTOR_LEN;
2354 }
2355
2356
2357 int wpa_cipher_put_suites(u8 *start, int ciphers)
2358 {
2359         u8 *pos = start;
2360
2361         if (ciphers & WPA_CIPHER_CCMP) {
2362                 RSN_SELECTOR_PUT(pos, WPA_CIPHER_SUITE_CCMP);
2363                 pos += WPA_SELECTOR_LEN;
2364         }
2365         if (ciphers & WPA_CIPHER_TKIP) {
2366                 RSN_SELECTOR_PUT(pos, WPA_CIPHER_SUITE_TKIP);
2367                 pos += WPA_SELECTOR_LEN;
2368         }
2369         if (ciphers & WPA_CIPHER_NONE) {
2370                 RSN_SELECTOR_PUT(pos, WPA_CIPHER_SUITE_NONE);
2371                 pos += WPA_SELECTOR_LEN;
2372         }
2373
2374         return (pos - start) / RSN_SELECTOR_LEN;
2375 }
2376
2377
2378 int wpa_pick_pairwise_cipher(int ciphers, int none_allowed)
2379 {
2380         if (ciphers & WPA_CIPHER_CCMP_256)
2381                 return WPA_CIPHER_CCMP_256;
2382         if (ciphers & WPA_CIPHER_GCMP_256)
2383                 return WPA_CIPHER_GCMP_256;
2384         if (ciphers & WPA_CIPHER_CCMP)
2385                 return WPA_CIPHER_CCMP;
2386         if (ciphers & WPA_CIPHER_GCMP)
2387                 return WPA_CIPHER_GCMP;
2388         if (ciphers & WPA_CIPHER_TKIP)
2389                 return WPA_CIPHER_TKIP;
2390         if (none_allowed && (ciphers & WPA_CIPHER_NONE))
2391                 return WPA_CIPHER_NONE;
2392         return -1;
2393 }
2394
2395
2396 int wpa_pick_group_cipher(int ciphers)
2397 {
2398         if (ciphers & WPA_CIPHER_CCMP_256)
2399                 return WPA_CIPHER_CCMP_256;
2400         if (ciphers & WPA_CIPHER_GCMP_256)
2401                 return WPA_CIPHER_GCMP_256;
2402         if (ciphers & WPA_CIPHER_CCMP)
2403                 return WPA_CIPHER_CCMP;
2404         if (ciphers & WPA_CIPHER_GCMP)
2405                 return WPA_CIPHER_GCMP;
2406         if (ciphers & WPA_CIPHER_GTK_NOT_USED)
2407                 return WPA_CIPHER_GTK_NOT_USED;
2408         if (ciphers & WPA_CIPHER_TKIP)
2409                 return WPA_CIPHER_TKIP;
2410         return -1;
2411 }
2412
2413
2414 int wpa_parse_cipher(const char *value)
2415 {
2416         int val = 0, last;
2417         char *start, *end, *buf;
2418
2419         buf = os_strdup(value);
2420         if (buf == NULL)
2421                 return -1;
2422         start = buf;
2423
2424         while (*start != '\0') {
2425                 while (*start == ' ' || *start == '\t')
2426                         start++;
2427                 if (*start == '\0')
2428                         break;
2429                 end = start;
2430                 while (*end != ' ' && *end != '\t' && *end != '\0')
2431                         end++;
2432                 last = *end == '\0';
2433                 *end = '\0';
2434                 if (os_strcmp(start, "CCMP-256") == 0)
2435                         val |= WPA_CIPHER_CCMP_256;
2436                 else if (os_strcmp(start, "GCMP-256") == 0)
2437                         val |= WPA_CIPHER_GCMP_256;
2438                 else if (os_strcmp(start, "CCMP") == 0)
2439                         val |= WPA_CIPHER_CCMP;
2440                 else if (os_strcmp(start, "GCMP") == 0)
2441                         val |= WPA_CIPHER_GCMP;
2442                 else if (os_strcmp(start, "TKIP") == 0)
2443                         val |= WPA_CIPHER_TKIP;
2444                 else if (os_strcmp(start, "WEP104") == 0)
2445                         val |= WPA_CIPHER_WEP104;
2446                 else if (os_strcmp(start, "WEP40") == 0)
2447                         val |= WPA_CIPHER_WEP40;
2448                 else if (os_strcmp(start, "NONE") == 0)
2449                         val |= WPA_CIPHER_NONE;
2450                 else if (os_strcmp(start, "GTK_NOT_USED") == 0)
2451                         val |= WPA_CIPHER_GTK_NOT_USED;
2452                 else if (os_strcmp(start, "AES-128-CMAC") == 0)
2453                         val |= WPA_CIPHER_AES_128_CMAC;
2454                 else if (os_strcmp(start, "BIP-GMAC-128") == 0)
2455                         val |= WPA_CIPHER_BIP_GMAC_128;
2456                 else if (os_strcmp(start, "BIP-GMAC-256") == 0)
2457                         val |= WPA_CIPHER_BIP_GMAC_256;
2458                 else if (os_strcmp(start, "BIP-CMAC-256") == 0)
2459                         val |= WPA_CIPHER_BIP_CMAC_256;
2460                 else {
2461                         os_free(buf);
2462                         return -1;
2463                 }
2464
2465                 if (last)
2466                         break;
2467                 start = end + 1;
2468         }
2469         os_free(buf);
2470
2471         return val;
2472 }
2473
2474
2475 int wpa_write_ciphers(char *start, char *end, int ciphers, const char *delim)
2476 {
2477         char *pos = start;
2478         int ret;
2479
2480         if (ciphers & WPA_CIPHER_CCMP_256) {
2481                 ret = os_snprintf(pos, end - pos, "%sCCMP-256",
2482                                   pos == start ? "" : delim);
2483                 if (os_snprintf_error(end - pos, ret))
2484                         return -1;
2485                 pos += ret;
2486         }
2487         if (ciphers & WPA_CIPHER_GCMP_256) {
2488                 ret = os_snprintf(pos, end - pos, "%sGCMP-256",
2489                                   pos == start ? "" : delim);
2490                 if (os_snprintf_error(end - pos, ret))
2491                         return -1;
2492                 pos += ret;
2493         }
2494         if (ciphers & WPA_CIPHER_CCMP) {
2495                 ret = os_snprintf(pos, end - pos, "%sCCMP",
2496                                   pos == start ? "" : delim);
2497                 if (os_snprintf_error(end - pos, ret))
2498                         return -1;
2499                 pos += ret;
2500         }
2501         if (ciphers & WPA_CIPHER_GCMP) {
2502                 ret = os_snprintf(pos, end - pos, "%sGCMP",
2503                                   pos == start ? "" : delim);
2504                 if (os_snprintf_error(end - pos, ret))
2505                         return -1;
2506                 pos += ret;
2507         }
2508         if (ciphers & WPA_CIPHER_TKIP) {
2509                 ret = os_snprintf(pos, end - pos, "%sTKIP",
2510                                   pos == start ? "" : delim);
2511                 if (os_snprintf_error(end - pos, ret))
2512                         return -1;
2513                 pos += ret;
2514         }
2515         if (ciphers & WPA_CIPHER_AES_128_CMAC) {
2516                 ret = os_snprintf(pos, end - pos, "%sAES-128-CMAC",
2517                                   pos == start ? "" : delim);
2518                 if (os_snprintf_error(end - pos, ret))
2519                         return -1;
2520                 pos += ret;
2521         }
2522         if (ciphers & WPA_CIPHER_BIP_GMAC_128) {
2523                 ret = os_snprintf(pos, end - pos, "%sBIP-GMAC-128",
2524                                   pos == start ? "" : delim);
2525                 if (os_snprintf_error(end - pos, ret))
2526                         return -1;
2527                 pos += ret;
2528         }
2529         if (ciphers & WPA_CIPHER_BIP_GMAC_256) {
2530                 ret = os_snprintf(pos, end - pos, "%sBIP-GMAC-256",
2531                                   pos == start ? "" : delim);
2532                 if (os_snprintf_error(end - pos, ret))
2533                         return -1;
2534                 pos += ret;
2535         }
2536         if (ciphers & WPA_CIPHER_BIP_CMAC_256) {
2537                 ret = os_snprintf(pos, end - pos, "%sBIP-CMAC-256",
2538                                   pos == start ? "" : delim);
2539                 if (os_snprintf_error(end - pos, ret))
2540                         return -1;
2541                 pos += ret;
2542         }
2543         if (ciphers & WPA_CIPHER_NONE) {
2544                 ret = os_snprintf(pos, end - pos, "%sNONE",
2545                                   pos == start ? "" : delim);
2546                 if (os_snprintf_error(end - pos, ret))
2547                         return -1;
2548                 pos += ret;
2549         }
2550
2551         return pos - start;
2552 }
2553
2554
2555 int wpa_select_ap_group_cipher(int wpa, int wpa_pairwise, int rsn_pairwise)
2556 {
2557         int pairwise = 0;
2558
2559         /* Select group cipher based on the enabled pairwise cipher suites */
2560         if (wpa & 1)
2561                 pairwise |= wpa_pairwise;
2562         if (wpa & 2)
2563                 pairwise |= rsn_pairwise;
2564
2565         if (pairwise & WPA_CIPHER_TKIP)
2566                 return WPA_CIPHER_TKIP;
2567         if ((pairwise & (WPA_CIPHER_CCMP | WPA_CIPHER_GCMP)) == WPA_CIPHER_GCMP)
2568                 return WPA_CIPHER_GCMP;
2569         if ((pairwise & (WPA_CIPHER_GCMP_256 | WPA_CIPHER_CCMP |
2570                          WPA_CIPHER_GCMP)) == WPA_CIPHER_GCMP_256)
2571                 return WPA_CIPHER_GCMP_256;
2572         if ((pairwise & (WPA_CIPHER_CCMP_256 | WPA_CIPHER_CCMP |
2573                          WPA_CIPHER_GCMP)) == WPA_CIPHER_CCMP_256)
2574                 return WPA_CIPHER_CCMP_256;
2575         return WPA_CIPHER_CCMP;
2576 }
2577
2578
2579 #ifdef CONFIG_FILS
2580 int fils_domain_name_hash(const char *domain, u8 *hash)
2581 {
2582         char buf[255], *wpos = buf;
2583         const char *pos = domain;
2584         size_t len;
2585         const u8 *addr[1];
2586         u8 mac[SHA256_MAC_LEN];
2587
2588         for (len = 0; len < sizeof(buf) && *pos; len++) {
2589                 if (isalpha(*pos) && isupper(*pos))
2590                         *wpos++ = tolower(*pos);
2591                 else
2592                         *wpos++ = *pos;
2593                 pos++;
2594         }
2595
2596         addr[0] = (const u8 *) buf;
2597         if (sha256_vector(1, addr, &len, mac) < 0)
2598                 return -1;
2599         os_memcpy(hash, mac, 2);
2600         return 0;
2601 }
2602 #endif /* CONFIG_FILS */