From d77f33041886948ec2acd9240a774ac09e0e26e9 Mon Sep 17 00:00:00 2001 From: Jouni Malinen Date: Sat, 4 Feb 2017 13:05:58 +0200 Subject: [PATCH] FILS: Fix AES-SIV AAD for (Re)Association Request frame decryption The hostapd processing of the AES-SIV AAD was incorrect. The design for the AAD changed between P802.11ai/D7.0 and D8.0 from a single vector with concatenated data to separate vectors. The change in the implementation had missed the change in the aes_siv_decrypt() call for the num_elem parameter. This happened to work with the mac80211 implementation due to a similar error there. Fix this by using the correct numbers of vectors in the SIV AAD so that all the vectors get checked. The last vector was also 14 octets too long due to incorrect starting pointer, so fix that as well. The changes here are not backwards compatible, i.e., a similar fix in the Linux mac80211 is needed to make things interoperate again. Signed-off-by: Jouni Malinen --- src/ap/wpa_auth.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c index 7372a69e6..66b2d506d 100644 --- a/src/ap/wpa_auth.c +++ b/src/ap/wpa_auth.c @@ -2230,10 +2230,10 @@ int fils_decrypt_assoc(struct wpa_state_machine *sm, const u8 *fils_session, * field to the FILS Session element (both inclusive). */ aad[4] = (const u8 *) &mgmt->u.assoc_req.capab_info; - aad_len[4] = crypt - aad[0]; + aad_len[4] = crypt - aad[4]; if (aes_siv_decrypt(sm->PTK.kek, sm->PTK.kek_len, crypt, end - crypt, - 1, aad, aad_len, pos + (crypt - ie_start)) < 0) { + 5, aad, aad_len, pos + (crypt - ie_start)) < 0) { wpa_printf(MSG_DEBUG, "FILS: Invalid AES-SIV data in the frame"); return -1;
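Review bot: The literal 5 passed as num_elem in the aes_siv_decrypt() call is the same kind of hard-coded count that let the previous 1 go stale when the AAD design moved from a single concatenated vector to separate vectors. Consider tying it to the aad/aad_len arrays, whose declaration is outside this hunk, for example through a named constant used for both the array size and the call, so the number of vectors populated and the number checked cannot drift apart again. In the same hunk, aad_len[4] = crypt - aad[4] relies on crypt pointing at or after the Capability Information field. No check of that ordering is visible in these lines, so please confirm the earlier parsing guarantees it, or add an explicit check before the subtraction, since a negative difference would become a very large length. Because the commit message notes that this is not interoperable with an unfixed mac80211, a short comment above the call stating that the AAD is five separate vectors per P802.11ai/D8.0 would help the next reader.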