1 /*
2  * wpa_supplicant - WPA/RSN IE and KDE processing
3  * Copyright (c) 2003-2018, Jouni Malinen <j@w1.fi>
4  *
5  * This software may be distributed under the terms of the BSD license.
6  * See README for more details.
7  */
8 
9 #include "includes.h"
10 
11 #include "common.h"
12 #include "wpa.h"
13 #include "pmksa_cache.h"
14 #include "common/ieee802_11_defs.h"
15 #include "wpa_i.h"
16 #include "wpa_ie.h"
17 
18 
19 /**
20  * wpa_parse_wpa_ie - Parse WPA/RSN IE
21  * @wpa_ie: Pointer to WPA or RSN IE
22  * @wpa_ie_len: Length of the WPA/RSN IE
23  * @data: Pointer to data area for parsing results
24  * Returns: 0 on success, -1 on failure
25  *
26  * Parse the contents of WPA or RSN IE and write the parsed data into data.
27  */
wpa_parse_wpa_ie(const u8 * wpa_ie,size_t wpa_ie_len,struct wpa_ie_data * data)28 int wpa_parse_wpa_ie(const u8 *wpa_ie, size_t wpa_ie_len,
29 		     struct wpa_ie_data *data)
30 {
31 	if (wpa_ie_len >= 1 && wpa_ie[0] == WLAN_EID_RSN)
32 		return wpa_parse_wpa_ie_rsn(wpa_ie, wpa_ie_len, data);
33 	if (wpa_ie_len >= 6 && wpa_ie[0] == WLAN_EID_VENDOR_SPECIFIC &&
34 	    wpa_ie[1] >= 4 && WPA_GET_BE32(&wpa_ie[2]) == OSEN_IE_VENDOR_TYPE)
35 		return wpa_parse_wpa_ie_rsn(wpa_ie, wpa_ie_len, data);
36 	else
37 		return wpa_parse_wpa_ie_wpa(wpa_ie, wpa_ie_len, data);
38 }
39 
40 
wpa_gen_wpa_ie_wpa(u8 * wpa_ie,size_t wpa_ie_len,int pairwise_cipher,int group_cipher,int key_mgmt)41 static int wpa_gen_wpa_ie_wpa(u8 *wpa_ie, size_t wpa_ie_len,
42 			      int pairwise_cipher, int group_cipher,
43 			      int key_mgmt)
44 {
45 	u8 *pos;
46 	struct wpa_ie_hdr *hdr;
47 	u32 suite;
48 
49 	if (wpa_ie_len < sizeof(*hdr) + WPA_SELECTOR_LEN +
50 	    2 + WPA_SELECTOR_LEN + 2 + WPA_SELECTOR_LEN)
51 		return -1;
52 
53 	hdr = (struct wpa_ie_hdr *) wpa_ie;
54 	hdr->elem_id = WLAN_EID_VENDOR_SPECIFIC;
55 	RSN_SELECTOR_PUT(hdr->oui, WPA_OUI_TYPE);
56 	WPA_PUT_LE16(hdr->version, WPA_VERSION);
57 	pos = (u8 *) (hdr + 1);
58 
59 	suite = wpa_cipher_to_suite(WPA_PROTO_WPA, group_cipher);
60 	if (suite == 0) {
61 		wpa_printf(MSG_WARNING, "Invalid group cipher (%d).",
62 			   group_cipher);
63 		return -1;
64 	}
65 	RSN_SELECTOR_PUT(pos, suite);
66 	pos += WPA_SELECTOR_LEN;
67 
68 	*pos++ = 1;
69 	*pos++ = 0;
70 	suite = wpa_cipher_to_suite(WPA_PROTO_WPA, pairwise_cipher);
71 	if (suite == 0 ||
72 	    (!wpa_cipher_valid_pairwise(pairwise_cipher) &&
73 	     pairwise_cipher != WPA_CIPHER_NONE)) {
74 		wpa_printf(MSG_WARNING, "Invalid pairwise cipher (%d).",
75 			   pairwise_cipher);
76 		return -1;
77 	}
78 	RSN_SELECTOR_PUT(pos, suite);
79 	pos += WPA_SELECTOR_LEN;
80 
81 	*pos++ = 1;
82 	*pos++ = 0;
83 	if (key_mgmt == WPA_KEY_MGMT_IEEE8021X) {
84 		RSN_SELECTOR_PUT(pos, WPA_AUTH_KEY_MGMT_UNSPEC_802_1X);
85 	} else if (key_mgmt == WPA_KEY_MGMT_PSK) {
86 		RSN_SELECTOR_PUT(pos, WPA_AUTH_KEY_MGMT_PSK_OVER_802_1X);
87 	} else if (key_mgmt == WPA_KEY_MGMT_WPA_NONE) {
88 		RSN_SELECTOR_PUT(pos, WPA_AUTH_KEY_MGMT_NONE);
89 	} else if (key_mgmt == WPA_KEY_MGMT_CCKM) {
90 		RSN_SELECTOR_PUT(pos, WPA_AUTH_KEY_MGMT_CCKM);
91 	} else {
92 		wpa_printf(MSG_WARNING, "Invalid key management type (%d).",
93 			   key_mgmt);
94 		return -1;
95 	}
96 	pos += WPA_SELECTOR_LEN;
97 
98 	/* WPA Capabilities; use defaults, so no need to include it */
99 
100 	hdr->len = (pos - wpa_ie) - 2;
101 
102 	WPA_ASSERT((size_t) (pos - wpa_ie) <= wpa_ie_len);
103 
104 	return pos - wpa_ie;
105 }
106 
107 
wpa_gen_wpa_ie_rsn(u8 * rsn_ie,size_t rsn_ie_len,int pairwise_cipher,int group_cipher,int key_mgmt,int mgmt_group_cipher,struct wpa_sm * sm)108 static int wpa_gen_wpa_ie_rsn(u8 *rsn_ie, size_t rsn_ie_len,
109 			      int pairwise_cipher, int group_cipher,
110 			      int key_mgmt, int mgmt_group_cipher,
111 			      struct wpa_sm *sm)
112 {
113 	u8 *pos;
114 	struct rsn_ie_hdr *hdr;
115 	u16 capab;
116 	u32 suite;
117 
118 	if (rsn_ie_len < sizeof(*hdr) + RSN_SELECTOR_LEN +
119 	    2 + RSN_SELECTOR_LEN + 2 + RSN_SELECTOR_LEN + 2 +
120 	    (sm->cur_pmksa ? 2 + PMKID_LEN : 0)) {
121 		wpa_printf(MSG_DEBUG, "RSN: Too short IE buffer (%lu bytes)",
122 			   (unsigned long) rsn_ie_len);
123 		return -1;
124 	}
125 
126 	hdr = (struct rsn_ie_hdr *) rsn_ie;
127 	hdr->elem_id = WLAN_EID_RSN;
128 	WPA_PUT_LE16(hdr->version, RSN_VERSION);
129 	pos = (u8 *) (hdr + 1);
130 
131 	suite = wpa_cipher_to_suite(WPA_PROTO_RSN, group_cipher);
132 	if (suite == 0) {
133 		wpa_printf(MSG_WARNING, "Invalid group cipher (%d).",
134 			   group_cipher);
135 		return -1;
136 	}
137 	RSN_SELECTOR_PUT(pos, suite);
138 	pos += RSN_SELECTOR_LEN;
139 
140 	*pos++ = 1;
141 	*pos++ = 0;
142 	suite = wpa_cipher_to_suite(WPA_PROTO_RSN, pairwise_cipher);
143 	if (suite == 0 ||
144 	    (!wpa_cipher_valid_pairwise(pairwise_cipher) &&
145 	     pairwise_cipher != WPA_CIPHER_NONE)) {
146 		wpa_printf(MSG_WARNING, "Invalid pairwise cipher (%d).",
147 			   pairwise_cipher);
148 		return -1;
149 	}
150 	RSN_SELECTOR_PUT(pos, suite);
151 	pos += RSN_SELECTOR_LEN;
152 
153 	*pos++ = 1;
154 	*pos++ = 0;
155 	if (key_mgmt == WPA_KEY_MGMT_IEEE8021X) {
156 		RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_UNSPEC_802_1X);
157 	} else if (key_mgmt == WPA_KEY_MGMT_PSK) {
158 		RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_PSK_OVER_802_1X);
159 	} else if (key_mgmt == WPA_KEY_MGMT_CCKM) {
160 		RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_CCKM);
161 #ifdef CONFIG_IEEE80211R
162 	} else if (key_mgmt == WPA_KEY_MGMT_FT_IEEE8021X) {
163 		RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_802_1X);
164 #ifdef CONFIG_SHA384
165 	} else if (key_mgmt == WPA_KEY_MGMT_FT_IEEE8021X_SHA384) {
166 		RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_802_1X_SHA384);
167 #endif /* CONFIG_SHA384 */
168 	} else if (key_mgmt == WPA_KEY_MGMT_FT_PSK) {
169 		RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_PSK);
170 #endif /* CONFIG_IEEE80211R */
171 #ifdef CONFIG_IEEE80211W
172 	} else if (key_mgmt == WPA_KEY_MGMT_IEEE8021X_SHA256) {
173 		RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_802_1X_SHA256);
174 	} else if (key_mgmt == WPA_KEY_MGMT_PSK_SHA256) {
175 		RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_PSK_SHA256);
176 #endif /* CONFIG_IEEE80211W */
177 #ifdef CONFIG_SAE
178 	} else if (key_mgmt == WPA_KEY_MGMT_SAE) {
179 		RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_SAE);
180 	} else if (key_mgmt == WPA_KEY_MGMT_FT_SAE) {
181 		RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_SAE);
182 #endif /* CONFIG_SAE */
183 	} else if (key_mgmt == WPA_KEY_MGMT_IEEE8021X_SUITE_B_192) {
184 		RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_802_1X_SUITE_B_192);
185 	} else if (key_mgmt == WPA_KEY_MGMT_IEEE8021X_SUITE_B) {
186 		RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_802_1X_SUITE_B);
187 #ifdef CONFIG_FILS
188 	} else if (key_mgmt & WPA_KEY_MGMT_FILS_SHA256) {
189 		RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FILS_SHA256);
190 	} else if (key_mgmt & WPA_KEY_MGMT_FILS_SHA384) {
191 		RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FILS_SHA384);
192 #ifdef CONFIG_IEEE80211R
193 	} else if (key_mgmt & WPA_KEY_MGMT_FT_FILS_SHA256) {
194 		RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_FILS_SHA256);
195 	} else if (key_mgmt & WPA_KEY_MGMT_FT_FILS_SHA384) {
196 		RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_FT_FILS_SHA384);
197 #endif /* CONFIG_IEEE80211R */
198 #endif /* CONFIG_FILS */
199 #ifdef CONFIG_OWE
200 	} else if (key_mgmt & WPA_KEY_MGMT_OWE) {
201 		RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_OWE);
202 #endif /* CONFIG_OWE */
203 #ifdef CONFIG_DPP
204 	} else if (key_mgmt & WPA_KEY_MGMT_DPP) {
205 		RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_DPP);
206 #endif /* CONFIG_DPP */
207 #ifdef CONFIG_HS20
208 	} else if (key_mgmt & WPA_KEY_MGMT_OSEN) {
209 		RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_OSEN);
210 #endif /* CONFIG_HS20 */
211 	} else {
212 		wpa_printf(MSG_WARNING, "Invalid key management type (%d).",
213 			   key_mgmt);
214 		return -1;
215 	}
216 	pos += RSN_SELECTOR_LEN;
217 
218 	/* RSN Capabilities */
219 	capab = 0;
220 #ifdef CONFIG_IEEE80211W
221 	if (sm->mfp)
222 		capab |= WPA_CAPABILITY_MFPC;
223 	if (sm->mfp == 2)
224 		capab |= WPA_CAPABILITY_MFPR;
225 #endif /* CONFIG_IEEE80211W */
226 	if (sm->ocv)
227 		capab |= WPA_CAPABILITY_OCVC;
228 	WPA_PUT_LE16(pos, capab);
229 	pos += 2;
230 
231 	if (sm->cur_pmksa) {
232 		/* PMKID Count (2 octets, little endian) */
233 		*pos++ = 1;
234 		*pos++ = 0;
235 		/* PMKID */
236 		os_memcpy(pos, sm->cur_pmksa->pmkid, PMKID_LEN);
237 		pos += PMKID_LEN;
238 	}
239 
240 #ifdef CONFIG_IEEE80211W
241 	if (wpa_cipher_valid_mgmt_group(mgmt_group_cipher)) {
242 		if (!sm->cur_pmksa) {
243 			/* PMKID Count */
244 			WPA_PUT_LE16(pos, 0);
245 			pos += 2;
246 		}
247 
248 		/* Management Group Cipher Suite */
249 		RSN_SELECTOR_PUT(pos, wpa_cipher_to_suite(WPA_PROTO_RSN,
250 							  mgmt_group_cipher));
251 		pos += RSN_SELECTOR_LEN;
252 	}
253 #endif /* CONFIG_IEEE80211W */
254 
255 	hdr->len = (pos - rsn_ie) - 2;
256 
257 	WPA_ASSERT((size_t) (pos - rsn_ie) <= rsn_ie_len);
258 
259 	return pos - rsn_ie;
260 }
261 
262 
263 #ifdef CONFIG_HS20
wpa_gen_wpa_ie_osen(u8 * wpa_ie,size_t wpa_ie_len,int pairwise_cipher,int group_cipher,int key_mgmt)264 static int wpa_gen_wpa_ie_osen(u8 *wpa_ie, size_t wpa_ie_len,
265 			       int pairwise_cipher, int group_cipher,
266 			       int key_mgmt)
267 {
268 	u8 *pos, *len;
269 	u32 suite;
270 
271 	if (wpa_ie_len < 2 + 4 + RSN_SELECTOR_LEN +
272 	    2 + RSN_SELECTOR_LEN + 2 + RSN_SELECTOR_LEN)
273 		return -1;
274 
275 	pos = wpa_ie;
276 	*pos++ = WLAN_EID_VENDOR_SPECIFIC;
277 	len = pos++; /* to be filled */
278 	WPA_PUT_BE24(pos, OUI_WFA);
279 	pos += 3;
280 	*pos++ = HS20_OSEN_OUI_TYPE;
281 
282 	/* Group Data Cipher Suite */
283 	suite = wpa_cipher_to_suite(WPA_PROTO_RSN, group_cipher);
284 	if (suite == 0) {
285 		wpa_printf(MSG_WARNING, "Invalid group cipher (%d).",
286 			   group_cipher);
287 		return -1;
288 	}
289 	RSN_SELECTOR_PUT(pos, suite);
290 	pos += RSN_SELECTOR_LEN;
291 
292 	/* Pairwise Cipher Suite Count and List */
293 	WPA_PUT_LE16(pos, 1);
294 	pos += 2;
295 	suite = wpa_cipher_to_suite(WPA_PROTO_RSN, pairwise_cipher);
296 	if (suite == 0 ||
297 	    (!wpa_cipher_valid_pairwise(pairwise_cipher) &&
298 	     pairwise_cipher != WPA_CIPHER_NONE)) {
299 		wpa_printf(MSG_WARNING, "Invalid pairwise cipher (%d).",
300 			   pairwise_cipher);
301 		return -1;
302 	}
303 	RSN_SELECTOR_PUT(pos, suite);
304 	pos += RSN_SELECTOR_LEN;
305 
306 	/* AKM Suite Count and List */
307 	WPA_PUT_LE16(pos, 1);
308 	pos += 2;
309 	RSN_SELECTOR_PUT(pos, RSN_AUTH_KEY_MGMT_OSEN);
310 	pos += RSN_SELECTOR_LEN;
311 
312 	*len = pos - len - 1;
313 
314 	WPA_ASSERT((size_t) (pos - wpa_ie) <= wpa_ie_len);
315 
316 	return pos - wpa_ie;
317 }
318 #endif /* CONFIG_HS20 */
319 
320 
321 /**
322  * wpa_gen_wpa_ie - Generate WPA/RSN IE based on current security policy
323  * @sm: Pointer to WPA state machine data from wpa_sm_init()
324  * @wpa_ie: Pointer to memory area for the generated WPA/RSN IE
325  * @wpa_ie_len: Maximum length of the generated WPA/RSN IE
326  * Returns: Length of the generated WPA/RSN IE or -1 on failure
327  */
wpa_gen_wpa_ie(struct wpa_sm * sm,u8 * wpa_ie,size_t wpa_ie_len)328 int wpa_gen_wpa_ie(struct wpa_sm *sm, u8 *wpa_ie, size_t wpa_ie_len)
329 {
330 	if (sm->proto == WPA_PROTO_RSN)
331 		return wpa_gen_wpa_ie_rsn(wpa_ie, wpa_ie_len,
332 					  sm->pairwise_cipher,
333 					  sm->group_cipher,
334 					  sm->key_mgmt, sm->mgmt_group_cipher,
335 					  sm);
336 #ifdef CONFIG_HS20
337 	else if (sm->proto == WPA_PROTO_OSEN)
338 		return wpa_gen_wpa_ie_osen(wpa_ie, wpa_ie_len,
339 					   sm->pairwise_cipher,
340 					   sm->group_cipher,
341 					   sm->key_mgmt);
342 #endif /* CONFIG_HS20 */
343 	else
344 		return wpa_gen_wpa_ie_wpa(wpa_ie, wpa_ie_len,
345 					  sm->pairwise_cipher,
346 					  sm->group_cipher,
347 					  sm->key_mgmt);
348 }
349 
350 
351 /**
352  * wpa_parse_vendor_specific - Parse Vendor Specific IEs
353  * @pos: Pointer to the IE header
354  * @end: Pointer to the end of the Key Data buffer
355  * @ie: Pointer to parsed IE data
356  * Returns: 0 on success, 1 if end mark is found, -1 on failure
357  */
wpa_parse_vendor_specific(const u8 * pos,const u8 * end,struct wpa_eapol_ie_parse * ie)358 static int wpa_parse_vendor_specific(const u8 *pos, const u8 *end,
359 				     struct wpa_eapol_ie_parse *ie)
360 {
361 	unsigned int oui;
362 
363 	if (pos[1] < 4) {
364 		wpa_printf(MSG_MSGDUMP, "Too short vendor specific IE ignored (len=%u)",
365 			   pos[1]);
366 		return 1;
367 	}
368 
369 	oui = WPA_GET_BE24(&pos[2]);
370 	if (oui == OUI_MICROSOFT && pos[5] == WMM_OUI_TYPE && pos[1] > 4) {
371 		if (pos[6] == WMM_OUI_SUBTYPE_INFORMATION_ELEMENT) {
372 			ie->wmm = &pos[2];
373 			ie->wmm_len = pos[1];
374 			wpa_hexdump(MSG_DEBUG, "WPA: WMM IE",
375 				    ie->wmm, ie->wmm_len);
376 		} else if (pos[6] == WMM_OUI_SUBTYPE_PARAMETER_ELEMENT) {
377 			ie->wmm = &pos[2];
378 			ie->wmm_len = pos[1];
379 			wpa_hexdump(MSG_DEBUG, "WPA: WMM Parameter Element",
380 				    ie->wmm, ie->wmm_len);
381 		}
382 	}
383 	return 0;
384 }
385 
386 
387 /**
388  * wpa_parse_generic - Parse EAPOL-Key Key Data Generic IEs
389  * @pos: Pointer to the IE header
390  * @end: Pointer to the end of the Key Data buffer
391  * @ie: Pointer to parsed IE data
392  * Returns: 0 on success, 1 if end mark is found, -1 on failure
393  */
wpa_parse_generic(const u8 * pos,const u8 * end,struct wpa_eapol_ie_parse * ie)394 static int wpa_parse_generic(const u8 *pos, const u8 *end,
395 			     struct wpa_eapol_ie_parse *ie)
396 {
397 	if (pos[1] == 0)
398 		return 1;
399 
400 	if (pos[1] >= 6 &&
401 	    RSN_SELECTOR_GET(pos + 2) == WPA_OUI_TYPE &&
402 	    pos[2 + WPA_SELECTOR_LEN] == 1 &&
403 	    pos[2 + WPA_SELECTOR_LEN + 1] == 0) {
404 		ie->wpa_ie = pos;
405 		ie->wpa_ie_len = pos[1] + 2;
406 		wpa_hexdump(MSG_DEBUG, "WPA: WPA IE in EAPOL-Key",
407 			    ie->wpa_ie, ie->wpa_ie_len);
408 		return 0;
409 	}
410 
411 	if (1 + RSN_SELECTOR_LEN < end - pos &&
412 	    pos[1] >= RSN_SELECTOR_LEN + PMKID_LEN &&
413 	    RSN_SELECTOR_GET(pos + 2) == RSN_KEY_DATA_PMKID) {
414 		ie->pmkid = pos + 2 + RSN_SELECTOR_LEN;
415 		wpa_hexdump(MSG_DEBUG, "WPA: PMKID in EAPOL-Key",
416 			    pos, pos[1] + 2);
417 		return 0;
418 	}
419 
420 	if (pos[1] > RSN_SELECTOR_LEN + 2 &&
421 	    RSN_SELECTOR_GET(pos + 2) == RSN_KEY_DATA_GROUPKEY) {
422 		ie->gtk = pos + 2 + RSN_SELECTOR_LEN;
423 		ie->gtk_len = pos[1] - RSN_SELECTOR_LEN;
424 		wpa_hexdump_key(MSG_DEBUG, "WPA: GTK in EAPOL-Key",
425 				pos, pos[1] + 2);
426 		return 0;
427 	}
428 
429 	if (pos[1] > RSN_SELECTOR_LEN + 2 &&
430 	    RSN_SELECTOR_GET(pos + 2) == RSN_KEY_DATA_MAC_ADDR) {
431 		ie->mac_addr = pos + 2 + RSN_SELECTOR_LEN;
432 		ie->mac_addr_len = pos[1] - RSN_SELECTOR_LEN;
433 		wpa_hexdump(MSG_DEBUG, "WPA: MAC Address in EAPOL-Key",
434 			    pos, pos[1] + 2);
435 		return 0;
436 	}
437 
438 #ifdef CONFIG_IEEE80211W
439 	if (pos[1] > RSN_SELECTOR_LEN + 2 &&
440 	    RSN_SELECTOR_GET(pos + 2) == RSN_KEY_DATA_IGTK) {
441 		ie->igtk = pos + 2 + RSN_SELECTOR_LEN;
442 		ie->igtk_len = pos[1] - RSN_SELECTOR_LEN;
443 		wpa_hexdump_key(MSG_DEBUG, "WPA: IGTK in EAPOL-Key",
444 				pos, pos[1] + 2);
445 		return 0;
446 	}
447 #endif /* CONFIG_IEEE80211W */
448 
449 #ifdef CONFIG_P2P
450 	if (pos[1] >= RSN_SELECTOR_LEN + 1 &&
451 	    RSN_SELECTOR_GET(pos + 2) == WFA_KEY_DATA_IP_ADDR_REQ) {
452 		ie->ip_addr_req = pos + 2 + RSN_SELECTOR_LEN;
453 		wpa_hexdump(MSG_DEBUG, "WPA: IP Address Request in EAPOL-Key",
454 			    ie->ip_addr_req, pos[1] - RSN_SELECTOR_LEN);
455 		return 0;
456 	}
457 
458 	if (pos[1] >= RSN_SELECTOR_LEN + 3 * 4 &&
459 	    RSN_SELECTOR_GET(pos + 2) == WFA_KEY_DATA_IP_ADDR_ALLOC) {
460 		ie->ip_addr_alloc = pos + 2 + RSN_SELECTOR_LEN;
461 		wpa_hexdump(MSG_DEBUG,
462 			    "WPA: IP Address Allocation in EAPOL-Key",
463 			    ie->ip_addr_alloc, pos[1] - RSN_SELECTOR_LEN);
464 		return 0;
465 	}
466 #endif /* CONFIG_P2P */
467 
468 #ifdef CONFIG_OCV
469 	if (pos[1] >= RSN_SELECTOR_LEN + 1 &&
470 	    RSN_SELECTOR_GET(pos + 2) == RSN_KEY_DATA_OCI) {
471 		ie->oci = pos + 2 + RSN_SELECTOR_LEN;
472 		ie->oci_len = pos[1] - RSN_SELECTOR_LEN;
473 		wpa_hexdump(MSG_DEBUG, "WPA: OCI KDE in EAPOL-Key",
474 			    pos, pos[1] + 2);
475 		return 0;
476 	}
477 #endif /* CONFIG_OCV */
478 
479 	return 0;
480 }
481 
482 
483 /**
484  * wpa_supplicant_parse_ies - Parse EAPOL-Key Key Data IEs
485  * @buf: Pointer to the Key Data buffer
486  * @len: Key Data Length
487  * @ie: Pointer to parsed IE data
488  * Returns: 0 on success, -1 on failure
489  */
wpa_supplicant_parse_ies(const u8 * buf,size_t len,struct wpa_eapol_ie_parse * ie)490 int wpa_supplicant_parse_ies(const u8 *buf, size_t len,
491 			     struct wpa_eapol_ie_parse *ie)
492 {
493 	const u8 *pos, *end;
494 	int ret = 0;
495 
496 	os_memset(ie, 0, sizeof(*ie));
497 	for (pos = buf, end = pos + len; end - pos > 1; pos += 2 + pos[1]) {
498 		if (pos[0] == 0xdd &&
499 		    ((pos == buf + len - 1) || pos[1] == 0)) {
500 			/* Ignore padding */
501 			break;
502 		}
503 		if (2 + pos[1] > end - pos) {
504 			wpa_printf(MSG_DEBUG, "WPA: EAPOL-Key Key Data "
505 				   "underflow (ie=%d len=%d pos=%d)",
506 				   pos[0], pos[1], (int) (pos - buf));
507 			wpa_hexdump_key(MSG_DEBUG, "WPA: Key Data",
508 					buf, len);
509 			ret = -1;
510 			break;
511 		}
512 		if (*pos == WLAN_EID_RSN) {
513 			ie->rsn_ie = pos;
514 			ie->rsn_ie_len = pos[1] + 2;
515 			wpa_hexdump(MSG_DEBUG, "WPA: RSN IE in EAPOL-Key",
516 				    ie->rsn_ie, ie->rsn_ie_len);
517 		} else if (*pos == WLAN_EID_MOBILITY_DOMAIN &&
518 			   pos[1] >= sizeof(struct rsn_mdie)) {
519 			ie->mdie = pos;
520 			ie->mdie_len = pos[1] + 2;
521 			wpa_hexdump(MSG_DEBUG, "WPA: MDIE in EAPOL-Key",
522 				    ie->mdie, ie->mdie_len);
523 		} else if (*pos == WLAN_EID_FAST_BSS_TRANSITION &&
524 			   pos[1] >= sizeof(struct rsn_ftie)) {
525 			ie->ftie = pos;
526 			ie->ftie_len = pos[1] + 2;
527 			wpa_hexdump(MSG_DEBUG, "WPA: FTIE in EAPOL-Key",
528 				    ie->ftie, ie->ftie_len);
529 		} else if (*pos == WLAN_EID_TIMEOUT_INTERVAL && pos[1] >= 5) {
530 			if (pos[2] == WLAN_TIMEOUT_REASSOC_DEADLINE) {
531 				ie->reassoc_deadline = pos;
532 				wpa_hexdump(MSG_DEBUG, "WPA: Reassoc Deadline "
533 					    "in EAPOL-Key",
534 					    ie->reassoc_deadline, pos[1] + 2);
535 			} else if (pos[2] == WLAN_TIMEOUT_KEY_LIFETIME) {
536 				ie->key_lifetime = pos;
537 				wpa_hexdump(MSG_DEBUG, "WPA: KeyLifetime "
538 					    "in EAPOL-Key",
539 					    ie->key_lifetime, pos[1] + 2);
540 			} else {
541 				wpa_hexdump(MSG_DEBUG, "WPA: Unrecognized "
542 					    "EAPOL-Key Key Data IE",
543 					    pos, 2 + pos[1]);
544 			}
545 		} else if (*pos == WLAN_EID_LINK_ID) {
546 			if (pos[1] >= 18) {
547 				ie->lnkid = pos;
548 				ie->lnkid_len = pos[1] + 2;
549 			}
550 		} else if (*pos == WLAN_EID_EXT_CAPAB) {
551 			ie->ext_capab = pos;
552 			ie->ext_capab_len = pos[1] + 2;
553 		} else if (*pos == WLAN_EID_SUPP_RATES) {
554 			ie->supp_rates = pos;
555 			ie->supp_rates_len = pos[1] + 2;
556 		} else if (*pos == WLAN_EID_EXT_SUPP_RATES) {
557 			ie->ext_supp_rates = pos;
558 			ie->ext_supp_rates_len = pos[1] + 2;
559 		} else if (*pos == WLAN_EID_HT_CAP &&
560 			   pos[1] >= sizeof(struct ieee80211_ht_capabilities)) {
561 			ie->ht_capabilities = pos + 2;
562 		} else if (*pos == WLAN_EID_VHT_AID) {
563 			if (pos[1] >= 2)
564 				ie->aid = WPA_GET_LE16(pos + 2) & 0x3fff;
565 		} else if (*pos == WLAN_EID_VHT_CAP &&
566 			   pos[1] >= sizeof(struct ieee80211_vht_capabilities))
567 		{
568 			ie->vht_capabilities = pos + 2;
569 		} else if (*pos == WLAN_EID_QOS && pos[1] >= 1) {
570 			ie->qosinfo = pos[2];
571 		} else if (*pos == WLAN_EID_SUPPORTED_CHANNELS) {
572 			ie->supp_channels = pos + 2;
573 			ie->supp_channels_len = pos[1];
574 		} else if (*pos == WLAN_EID_SUPPORTED_OPERATING_CLASSES) {
575 			/*
576 			 * The value of the Length field of the Supported
577 			 * Operating Classes element is between 2 and 253.
578 			 * Silently skip invalid elements to avoid interop
579 			 * issues when trying to use the value.
580 			 */
581 			if (pos[1] >= 2 && pos[1] <= 253) {
582 				ie->supp_oper_classes = pos + 2;
583 				ie->supp_oper_classes_len = pos[1];
584 			}
585 		} else if (*pos == WLAN_EID_VENDOR_SPECIFIC) {
586 			ret = wpa_parse_generic(pos, end, ie);
587 			if (ret < 0)
588 				break;
589 			if (ret > 0) {
590 				ret = 0;
591 				break;
592 			}
593 
594 			ret = wpa_parse_vendor_specific(pos, end, ie);
595 			if (ret < 0)
596 				break;
597 			if (ret > 0) {
598 				ret = 0;
599 				break;
600 			}
601 		} else {
602 			wpa_hexdump(MSG_DEBUG, "WPA: Unrecognized EAPOL-Key "
603 				    "Key Data IE", pos, 2 + pos[1]);
604 		}
605 	}
606 
607 	return ret;
608 }
609