[linux-block.git] / net / mac80211 / fils_aead.c

// SPDX-License-Identifier: GPL-2.0-only
/*
 * FILS AEAD for (Re)Association Request/Response frames
 * Copyright 2016, Qualcomm Atheros, Inc.
 */

#include <crypto/aes.h>
#include <crypto/hash.h>
#include <crypto/skcipher.h>
#include <crypto/utils.h>

#include "ieee80211_i.h"
#include "aes_cmac.h"
#include "fils_aead.h"

static void gf_mulx(u8 *pad)
{
	u64 a = get_unaligned_be64(pad);
	u64 b = get_unaligned_be64(pad + 8);

	put_unaligned_be64((a << 1) | (b >> 63), pad);
	put_unaligned_be64((b << 1) ^ ((a >> 63) ? 0x87 : 0), pad + 8);
}

static int aes_s2v(struct crypto_shash *tfm,
		   size_t num_elem, const u8 *addr[], size_t len[], u8 *v)
{
	u8 d[AES_BLOCK_SIZE], tmp[AES_BLOCK_SIZE] = {};
	SHASH_DESC_ON_STACK(desc, tfm);
	size_t i;

	desc->tfm = tfm;

	/* D = AES-CMAC(K, <zero>) */
	crypto_shash_digest(desc, tmp, AES_BLOCK_SIZE, d);

	for (i = 0; i < num_elem - 1; i++) {
		/* D = dbl(D) xor AES_CMAC(K, Si) */
		gf_mulx(d); /* dbl */
		crypto_shash_digest(desc, addr[i], len[i], tmp);
		crypto_xor(d, tmp, AES_BLOCK_SIZE);
	}

	crypto_shash_init(desc);

	if (len[i] >= AES_BLOCK_SIZE) {
		/* len(Sn) >= 128 */
		/* T = Sn xorend D */
		crypto_shash_update(desc, addr[i], len[i] - AES_BLOCK_SIZE);
		crypto_xor(d, addr[i] + len[i] - AES_BLOCK_SIZE,
			   AES_BLOCK_SIZE);
	} else {
		/* len(Sn) < 128 */
		/* T = dbl(D) xor pad(Sn) */
		gf_mulx(d); /* dbl */
		crypto_xor(d, addr[i], len[i]);
		d[len[i]] ^= 0x80;
	}
	/* V = AES-CMAC(K, T) */
	crypto_shash_finup(desc, d, AES_BLOCK_SIZE, v);

	return 0;
}

/* Note: addr[] and len[] needs to have one extra slot at the end. */
static int aes_siv_encrypt(const u8 *key, size_t key_len,
			   const u8 *plain, size_t plain_len,
			   size_t num_elem, const u8 *addr[],
			   size_t len[], u8 *out)
{
	u8 v[AES_BLOCK_SIZE];
	struct crypto_shash *tfm;
	struct crypto_skcipher *tfm2;
	struct skcipher_request *req;
	int res;
	struct scatterlist src[1], dst[1];
	u8 *tmp;

	key_len /= 2; /* S2V key || CTR key */

	addr[num_elem] = plain;
	len[num_elem] = plain_len;
	num_elem++;

	/* S2V */

	tfm = crypto_alloc_shash("cmac(aes)", 0, 0);
	if (IS_ERR(tfm))
		return PTR_ERR(tfm);
	/* K1 for S2V */
	res = crypto_shash_setkey(tfm, key, key_len);
	if (!res)
		res = aes_s2v(tfm, num_elem, addr, len, v);
	crypto_free_shash(tfm);
	if (res)
		return res;

	/* Use a temporary buffer of the plaintext to handle need for
	 * overwriting this during AES-CTR.
	 */
	tmp = kmemdup(plain, plain_len, GFP_KERNEL);
	if (!tmp)
		return -ENOMEM;

	/* IV for CTR before encrypted data */
	memcpy(out, v, AES_BLOCK_SIZE);

	/* Synthetic IV to be used as the initial counter in CTR:
	 * Q = V bitand (1^64 || 0^1 || 1^31 || 0^1 || 1^31)
	 */
	v[8] &= 0x7f;
	v[12] &= 0x7f;

	/* CTR */

	tfm2 = crypto_alloc_skcipher("ctr(aes)", 0, CRYPTO_ALG_ASYNC);
	if (IS_ERR(tfm2)) {
		kfree(tmp);
		return PTR_ERR(tfm2);
	}
	/* K2 for CTR */
	res = crypto_skcipher_setkey(tfm2, key + key_len, key_len);
	if (res)
		goto fail;

	req = skcipher_request_alloc(tfm2, GFP_KERNEL);
	if (!req) {
		res = -ENOMEM;
		goto fail;
	}

	sg_init_one(src, tmp, plain_len);
	sg_init_one(dst, out + AES_BLOCK_SIZE, plain_len);
	skcipher_request_set_crypt(req, src, dst, plain_len, v);
	res = crypto_skcipher_encrypt(req);
	skcipher_request_free(req);
fail:
	kfree(tmp);
	crypto_free_skcipher(tfm2);
	return res;
}

/* Note: addr[] and len[] needs to have one extra slot at the end. */
static int aes_siv_decrypt(const u8 *key, size_t key_len,
			   const u8 *iv_crypt, size_t iv_c_len,
			   size_t num_elem, const u8 *addr[], size_t len[],
			   u8 *out)
{
	struct crypto_shash *tfm;
	struct crypto_skcipher *tfm2;
	struct skcipher_request *req;
	struct scatterlist src[1], dst[1];
	size_t crypt_len;
	int res;
	u8 frame_iv[AES_BLOCK_SIZE], iv[AES_BLOCK_SIZE];
	u8 check[AES_BLOCK_SIZE];

	crypt_len = iv_c_len - AES_BLOCK_SIZE;
	key_len /= 2; /* S2V key || CTR key */
	addr[num_elem] = out;
	len[num_elem] = crypt_len;
	num_elem++;

	memcpy(iv, iv_crypt, AES_BLOCK_SIZE);
	memcpy(frame_iv, iv_crypt, AES_BLOCK_SIZE);

	/* Synthetic IV to be used as the initial counter in CTR:
	 * Q = V bitand (1^64 || 0^1 || 1^31 || 0^1 || 1^31)
	 */
	iv[8] &= 0x7f;
	iv[12] &= 0x7f;

	/* CTR */

	tfm2 = crypto_alloc_skcipher("ctr(aes)", 0, CRYPTO_ALG_ASYNC);
	if (IS_ERR(tfm2))
		return PTR_ERR(tfm2);
	/* K2 for CTR */
	res = crypto_skcipher_setkey(tfm2, key + key_len, key_len);
	if (res) {
		crypto_free_skcipher(tfm2);
		return res;
	}

	req = skcipher_request_alloc(tfm2, GFP_KERNEL);
	if (!req) {
		crypto_free_skcipher(tfm2);
		return -ENOMEM;
	}

	sg_init_one(src, iv_crypt + AES_BLOCK_SIZE, crypt_len);
	sg_init_one(dst, out, crypt_len);
	skcipher_request_set_crypt(req, src, dst, crypt_len, iv);
	res = crypto_skcipher_decrypt(req);
	skcipher_request_free(req);
	crypto_free_skcipher(tfm2);
	if (res)
		return res;

	/* S2V */

	tfm = crypto_alloc_shash("cmac(aes)", 0, 0);
	if (IS_ERR(tfm))
		return PTR_ERR(tfm);
	/* K1 for S2V */
	res = crypto_shash_setkey(tfm, key, key_len);
	if (!res)
		res = aes_s2v(tfm, num_elem, addr, len, check);
	crypto_free_shash(tfm);
	if (res)
		return res;
	if (memcmp(check, frame_iv, AES_BLOCK_SIZE) != 0)
		return -EINVAL;
	return 0;
}

int fils_encrypt_assoc_req(struct sk_buff *skb,
			   struct ieee80211_mgd_assoc_data *assoc_data)
{
	struct ieee80211_mgmt *mgmt = (void *)skb->data;
	u8 *capab, *ies, *encr;
	const u8 *addr[5 + 1];
	const struct element *session;
	size_t len[5 + 1];
	size_t crypt_len;

	if (ieee80211_is_reassoc_req(mgmt->frame_control)) {
		capab = (u8 *)&mgmt->u.reassoc_req.capab_info;
		ies = mgmt->u.reassoc_req.variable;
	} else {
		capab = (u8 *)&mgmt->u.assoc_req.capab_info;
		ies = mgmt->u.assoc_req.variable;
	}

	session = cfg80211_find_ext_elem(WLAN_EID_EXT_FILS_SESSION,
					 ies, skb->data + skb->len - ies);
	if (!session || session->datalen != 1 + 8)
		return -EINVAL;
	/* encrypt after FILS Session element */
	encr = (u8 *)session->data + 1 + 8;

	/* AES-SIV AAD vectors */

	/* The STA's MAC address */
	addr[0] = mgmt->sa;
	len[0] = ETH_ALEN;
	/* The AP's BSSID */
	addr[1] = mgmt->da;
	len[1] = ETH_ALEN;
	/* The STA's nonce */
	addr[2] = assoc_data->fils_nonces;
	len[2] = FILS_NONCE_LEN;
	/* The AP's nonce */
	addr[3] = &assoc_data->fils_nonces[FILS_NONCE_LEN];
	len[3] = FILS_NONCE_LEN;
	/* The (Re)Association Request frame from the Capability Information
	 * field to the FILS Session element (both inclusive).
	 */
	addr[4] = capab;
	len[4] = encr - capab;

	crypt_len = skb->data + skb->len - encr;
	skb_put(skb, AES_BLOCK_SIZE);
	return aes_siv_encrypt(assoc_data->fils_kek, assoc_data->fils_kek_len,
			       encr, crypt_len, 5, addr, len, encr);
}

int fils_decrypt_assoc_resp(struct ieee80211_sub_if_data *sdata,
			    u8 *frame, size_t *frame_len,
			    struct ieee80211_mgd_assoc_data *assoc_data)
{
	struct ieee80211_mgmt *mgmt = (void *)frame;
	u8 *capab, *ies, *encr;
	const u8 *addr[5 + 1];
	const struct element *session;
	size_t len[5 + 1];
	int res;
	size_t crypt_len;

	if (*frame_len < 24 + 6)
		return -EINVAL;

	capab = (u8 *)&mgmt->u.assoc_resp.capab_info;
	ies = mgmt->u.assoc_resp.variable;
	session = cfg80211_find_ext_elem(WLAN_EID_EXT_FILS_SESSION,
					 ies, frame + *frame_len - ies);
	if (!session || session->datalen != 1 + 8) {
		mlme_dbg(sdata,
			 "No (valid) FILS Session element in (Re)Association Response frame from %pM",
			 mgmt->sa);
		return -EINVAL;
	}
	/* decrypt after FILS Session element */
	encr = (u8 *)session->data + 1 + 8;

	/* AES-SIV AAD vectors */

	/* The AP's BSSID */
	addr[0] = mgmt->sa;
	len[0] = ETH_ALEN;
	/* The STA's MAC address */
	addr[1] = mgmt->da;
	len[1] = ETH_ALEN;
	/* The AP's nonce */
	addr[2] = &assoc_data->fils_nonces[FILS_NONCE_LEN];
	len[2] = FILS_NONCE_LEN;
	/* The STA's nonce */
	addr[3] = assoc_data->fils_nonces;
	len[3] = FILS_NONCE_LEN;
	/* The (Re)Association Response frame from the Capability Information
	 * field to the FILS Session element (both inclusive).
	 */
	addr[4] = capab;
	len[4] = encr - capab;

	crypt_len = frame + *frame_len - encr;
	if (crypt_len < AES_BLOCK_SIZE) {
		mlme_dbg(sdata,
			 "Not enough room for AES-SIV data after FILS Session element in (Re)Association Response frame from %pM",
			 mgmt->sa);
		return -EINVAL;
	}
	res = aes_siv_decrypt(assoc_data->fils_kek, assoc_data->fils_kek_len,
			      encr, crypt_len, 5, addr, len, encr);
	if (res != 0) {
		mlme_dbg(sdata,
			 "AES-SIV decryption of (Re)Association Response frame from %pM failed",
			 mgmt->sa);
		return res;
	}
	*frame_len -= AES_BLOCK_SIZE;
	return 0;
}
Commit	Line	Data
d2912cb1	1	// SPDX-License-Identifier: GPL-2.0-only
39404fee JM	2	/*
	3	* FILS AEAD for (Re)Association Request/Response frames
	4	* Copyright 2016, Qualcomm Atheros, Inc.
39404fee JM	5	*/
	6
	7	#include <crypto/aes.h>
fe8de3da	8	#include <crypto/hash.h>
39404fee	9	#include <crypto/skcipher.h>
8da1985f	10	#include <crypto/utils.h>
39404fee JM	11
	12	#include "ieee80211_i.h"
	13	#include "aes_cmac.h"
	14	#include "fils_aead.h"
	15
fe8de3da AB	16	static void gf_mulx(u8 *pad)
	17	{
	18	u64 a = get_unaligned_be64(pad);
	19	u64 b = get_unaligned_be64(pad + 8);
	20
	21	put_unaligned_be64((a << 1) \| (b >> 63), pad);
	22	put_unaligned_be64((b << 1) ^ ((a >> 63) ? 0x87 : 0), pad + 8);
	23	}
	24
	25	static int aes_s2v(struct crypto_shash *tfm,
39404fee JM	26	size_t num_elem, const u8 addr[], size_t len[], u8 v)
39404fee JM	27	{
fe8de3da AB	28	u8 d[AES_BLOCK_SIZE], tmp[AES_BLOCK_SIZE] = {};
fe8de3da AB	29	SHASH_DESC_ON_STACK(desc, tfm);
39404fee	30	size_t i;
fe8de3da AB	31
fe8de3da AB	32	desc->tfm = tfm;
39404fee JM	33
39404fee JM	34	/* D = AES-CMAC(K, <zero>) */
fe8de3da	35	crypto_shash_digest(desc, tmp, AES_BLOCK_SIZE, d);
39404fee JM	36
	37	for (i = 0; i < num_elem - 1; i++) {
	38	/* D = dbl(D) xor AES_CMAC(K, Si) */
	39	gf_mulx(d); /* dbl */
fe8de3da	40	crypto_shash_digest(desc, addr[i], len[i], tmp);
39404fee JM	41	crypto_xor(d, tmp, AES_BLOCK_SIZE);
	42	}
	43
fe8de3da AB	44	crypto_shash_init(desc);
fe8de3da AB	45
39404fee JM	46	if (len[i] >= AES_BLOCK_SIZE) {
39404fee JM	47	/* len(Sn) >= 128 */
39404fee	48	/* T = Sn xorend D */
fe8de3da AB	49	crypto_shash_update(desc, addr[i], len[i] - AES_BLOCK_SIZE);
	50	crypto_xor(d, addr[i] + len[i] - AES_BLOCK_SIZE,
	51	AES_BLOCK_SIZE);
39404fee JM	52	} else {
	53	/* len(Sn) < 128 */
	54	/* T = dbl(D) xor pad(Sn) */
	55	gf_mulx(d); /* dbl */
fe8de3da AB	56	crypto_xor(d, addr[i], len[i]);
fe8de3da AB	57	d[len[i]] ^= 0x80;
39404fee JM	58	}
39404fee JM	59	/* V = AES-CMAC(K, T) */
fe8de3da	60	crypto_shash_finup(desc, d, AES_BLOCK_SIZE, v);
39404fee JM	61
	62	return 0;
	63	}
	64
	65	/* Note: addr[] and len[] needs to have one extra slot at the end. */
	66	static int aes_siv_encrypt(const u8 *key, size_t key_len,
	67	const u8 *plain, size_t plain_len,
	68	size_t num_elem, const u8 *addr[],
	69	size_t len[], u8 *out)
	70	{
	71	u8 v[AES_BLOCK_SIZE];
fe8de3da	72	struct crypto_shash *tfm;
39404fee JM	73	struct crypto_skcipher *tfm2;
	74	struct skcipher_request *req;
	75	int res;
	76	struct scatterlist src[1], dst[1];
	77	u8 *tmp;
	78
	79	key_len /= 2; /* S2V key \|\| CTR key */
	80
	81	addr[num_elem] = plain;
	82	len[num_elem] = plain_len;
	83	num_elem++;
	84
	85	/* S2V */
	86
fe8de3da	87	tfm = crypto_alloc_shash("cmac(aes)", 0, 0);
39404fee JM	88	if (IS_ERR(tfm))
	89	return PTR_ERR(tfm);
	90	/* K1 for S2V */
fe8de3da	91	res = crypto_shash_setkey(tfm, key, key_len);
39404fee JM	92	if (!res)
39404fee JM	93	res = aes_s2v(tfm, num_elem, addr, len, v);
fe8de3da	94	crypto_free_shash(tfm);
39404fee JM	95	if (res)
	96	return res;
	97
	98	/* Use a temporary buffer of the plaintext to handle need for
	99	* overwriting this during AES-CTR.
	100	*/
	101	tmp = kmemdup(plain, plain_len, GFP_KERNEL);
51487718 AB	102	if (!tmp)
51487718 AB	103	return -ENOMEM;
39404fee JM	104
	105	/* IV for CTR before encrypted data */
	106	memcpy(out, v, AES_BLOCK_SIZE);
	107
	108	/* Synthetic IV to be used as the initial counter in CTR:
	109	* Q = V bitand (1^64 \|\| 0^1 \|\| 1^31 \|\| 0^1 \|\| 1^31)
	110	*/
	111	v[8] &= 0x7f;
	112	v[12] &= 0x7f;
	113
	114	/* CTR */
	115
01fba20b	116	tfm2 = crypto_alloc_skcipher("ctr(aes)", 0, CRYPTO_ALG_ASYNC);
39404fee JM	117	if (IS_ERR(tfm2)) {
	118	kfree(tmp);
	119	return PTR_ERR(tfm2);
	120	}
	121	/* K2 for CTR */
	122	res = crypto_skcipher_setkey(tfm2, key + key_len, key_len);
	123	if (res)
	124	goto fail;
	125
	126	req = skcipher_request_alloc(tfm2, GFP_KERNEL);
	127	if (!req) {
	128	res = -ENOMEM;
	129	goto fail;
	130	}
	131
	132	sg_init_one(src, tmp, plain_len);
	133	sg_init_one(dst, out + AES_BLOCK_SIZE, plain_len);
	134	skcipher_request_set_crypt(req, src, dst, plain_len, v);
	135	res = crypto_skcipher_encrypt(req);
	136	skcipher_request_free(req);
	137	fail:
	138	kfree(tmp);
	139	crypto_free_skcipher(tfm2);
	140	return res;
	141	}
	142
	143	/* Note: addr[] and len[] needs to have one extra slot at the end. */
	144	static int aes_siv_decrypt(const u8 *key, size_t key_len,
	145	const u8 *iv_crypt, size_t iv_c_len,
	146	size_t num_elem, const u8 *addr[], size_t len[],
	147	u8 *out)
	148	{
fe8de3da	149	struct crypto_shash *tfm;
39404fee JM	150	struct crypto_skcipher *tfm2;
	151	struct skcipher_request *req;
	152	struct scatterlist src[1], dst[1];
	153	size_t crypt_len;
	154	int res;
	155	u8 frame_iv[AES_BLOCK_SIZE], iv[AES_BLOCK_SIZE];
	156	u8 check[AES_BLOCK_SIZE];
	157
	158	crypt_len = iv_c_len - AES_BLOCK_SIZE;
	159	key_len /= 2; /* S2V key \|\| CTR key */
	160	addr[num_elem] = out;
	161	len[num_elem] = crypt_len;
	162	num_elem++;
	163
	164	memcpy(iv, iv_crypt, AES_BLOCK_SIZE);
	165	memcpy(frame_iv, iv_crypt, AES_BLOCK_SIZE);
	166
	167	/* Synthetic IV to be used as the initial counter in CTR:
	168	* Q = V bitand (1^64 \|\| 0^1 \|\| 1^31 \|\| 0^1 \|\| 1^31)
	169	*/
	170	iv[8] &= 0x7f;
	171	iv[12] &= 0x7f;
	172
	173	/* CTR */
	174
01fba20b	175	tfm2 = crypto_alloc_skcipher("ctr(aes)", 0, CRYPTO_ALG_ASYNC);
39404fee JM	176	if (IS_ERR(tfm2))
	177	return PTR_ERR(tfm2);
	178	/* K2 for CTR */
	179	res = crypto_skcipher_setkey(tfm2, key + key_len, key_len);
	180	if (res) {
	181	crypto_free_skcipher(tfm2);
	182	return res;
	183	}
	184
	185	req = skcipher_request_alloc(tfm2, GFP_KERNEL);
	186	if (!req) {
	187	crypto_free_skcipher(tfm2);
	188	return -ENOMEM;
	189	}
	190
	191	sg_init_one(src, iv_crypt + AES_BLOCK_SIZE, crypt_len);
	192	sg_init_one(dst, out, crypt_len);
	193	skcipher_request_set_crypt(req, src, dst, crypt_len, iv);
	194	res = crypto_skcipher_decrypt(req);
	195	skcipher_request_free(req);
	196	crypto_free_skcipher(tfm2);
	197	if (res)
	198	return res;
	199
	200	/* S2V */
	201
fe8de3da	202	tfm = crypto_alloc_shash("cmac(aes)", 0, 0);
39404fee JM	203	if (IS_ERR(tfm))
	204	return PTR_ERR(tfm);
	205	/* K1 for S2V */
fe8de3da	206	res = crypto_shash_setkey(tfm, key, key_len);
39404fee JM	207	if (!res)
39404fee JM	208	res = aes_s2v(tfm, num_elem, addr, len, check);
fe8de3da	209	crypto_free_shash(tfm);
39404fee JM	210	if (res)
	211	return res;
	212	if (memcmp(check, frame_iv, AES_BLOCK_SIZE) != 0)
	213	return -EINVAL;
	214	return 0;
	215	}
	216
	217	int fils_encrypt_assoc_req(struct sk_buff *skb,
	218	struct ieee80211_mgd_assoc_data *assoc_data)
	219	{
	220	struct ieee80211_mgmt mgmt = (void )skb->data;
	221	u8 capab, ies, *encr;
ba9d0db9 JB	222	const u8 *addr[5 + 1];
ba9d0db9 JB	223	const struct element *session;
39404fee JM	224	size_t len[5 + 1];
	225	size_t crypt_len;
	226
	227	if (ieee80211_is_reassoc_req(mgmt->frame_control)) {
	228	capab = (u8 *)&mgmt->u.reassoc_req.capab_info;
	229	ies = mgmt->u.reassoc_req.variable;
	230	} else {
	231	capab = (u8 *)&mgmt->u.assoc_req.capab_info;
	232	ies = mgmt->u.assoc_req.variable;
	233	}
	234
ba9d0db9 JB	235	session = cfg80211_find_ext_elem(WLAN_EID_EXT_FILS_SESSION,
	236	ies, skb->data + skb->len - ies);
	237	if (!session \|\| session->datalen != 1 + 8)
39404fee JM	238	return -EINVAL;
39404fee JM	239	/* encrypt after FILS Session element */
ba9d0db9	240	encr = (u8 *)session->data + 1 + 8;
39404fee JM	241
	242	/* AES-SIV AAD vectors */
	243
	244	/* The STA's MAC address */
	245	addr[0] = mgmt->sa;
	246	len[0] = ETH_ALEN;
	247	/* The AP's BSSID */
	248	addr[1] = mgmt->da;
	249	len[1] = ETH_ALEN;
	250	/* The STA's nonce */
	251	addr[2] = assoc_data->fils_nonces;
	252	len[2] = FILS_NONCE_LEN;
	253	/* The AP's nonce */
	254	addr[3] = &assoc_data->fils_nonces[FILS_NONCE_LEN];
	255	len[3] = FILS_NONCE_LEN;
	256	/* The (Re)Association Request frame from the Capability Information
	257	* field to the FILS Session element (both inclusive).
	258	*/
	259	addr[4] = capab;
	260	len[4] = encr - capab;
	261
	262	crypt_len = skb->data + skb->len - encr;
	263	skb_put(skb, AES_BLOCK_SIZE);
	264	return aes_siv_encrypt(assoc_data->fils_kek, assoc_data->fils_kek_len,
e479ab65	265	encr, crypt_len, 5, addr, len, encr);
39404fee JM	266	}
	267
	268	int fils_decrypt_assoc_resp(struct ieee80211_sub_if_data *sdata,
	269	u8 frame, size_t frame_len,
	270	struct ieee80211_mgd_assoc_data *assoc_data)
	271	{
	272	struct ieee80211_mgmt mgmt = (void )frame;
	273	u8 capab, ies, *encr;
ba9d0db9 JB	274	const u8 *addr[5 + 1];
ba9d0db9 JB	275	const struct element *session;
39404fee JM	276	size_t len[5 + 1];
	277	int res;
	278	size_t crypt_len;
	279
	280	if (*frame_len < 24 + 6)
	281	return -EINVAL;
	282
	283	capab = (u8 *)&mgmt->u.assoc_resp.capab_info;
	284	ies = mgmt->u.assoc_resp.variable;
ba9d0db9 JB	285	session = cfg80211_find_ext_elem(WLAN_EID_EXT_FILS_SESSION,
	286	ies, frame + *frame_len - ies);
	287	if (!session \|\| session->datalen != 1 + 8) {
39404fee JM	288	mlme_dbg(sdata,
	289	"No (valid) FILS Session element in (Re)Association Response frame from %pM",
	290	mgmt->sa);
	291	return -EINVAL;
	292	}
	293	/* decrypt after FILS Session element */
ba9d0db9	294	encr = (u8 *)session->data + 1 + 8;
39404fee JM	295
	296	/* AES-SIV AAD vectors */
	297
	298	/* The AP's BSSID */
	299	addr[0] = mgmt->sa;
	300	len[0] = ETH_ALEN;
	301	/* The STA's MAC address */
	302	addr[1] = mgmt->da;
	303	len[1] = ETH_ALEN;
	304	/* The AP's nonce */
	305	addr[2] = &assoc_data->fils_nonces[FILS_NONCE_LEN];
	306	len[2] = FILS_NONCE_LEN;
	307	/* The STA's nonce */
	308	addr[3] = assoc_data->fils_nonces;
	309	len[3] = FILS_NONCE_LEN;
	310	/* The (Re)Association Response frame from the Capability Information
	311	* field to the FILS Session element (both inclusive).
	312	*/
	313	addr[4] = capab;
	314	len[4] = encr - capab;
	315
	316	crypt_len = frame + *frame_len - encr;
	317	if (crypt_len < AES_BLOCK_SIZE) {
	318	mlme_dbg(sdata,
	319	"Not enough room for AES-SIV data after FILS Session element in (Re)Association Response frame from %pM",
	320	mgmt->sa);
	321	return -EINVAL;
	322	}
	323	res = aes_siv_decrypt(assoc_data->fils_kek, assoc_data->fils_kek_len,
	324	encr, crypt_len, 5, addr, len, encr);
	325	if (res != 0) {
	326	mlme_dbg(sdata,
	327	"AES-SIV decryption of (Re)Association Response frame from %pM failed",
	328	mgmt->sa);
	329	return res;
	330	}
	331	*frame_len -= AES_BLOCK_SIZE;
	332	return 0;
	333	}