FILS: Fix AES-SIV AAD for (Re)Association Request frame decryption

The hostapd processing of the AES-SIV AAD was incorrect. The design for
the AAD changed between P802.11ai/D7.0 and D8.0 from a single vector
with concatenated data to separate vectors. The change in the
implementation had missed the change in the aes_siv_decrypt() call for
the num_elem parameter. This happened to work with the mac80211
implementation due to a similar error there.

Fix this by using the correct numbers of vectors in the SIV AAD so that
all the vectors get checked. The last vector was also 14 octets too long
due to incorrect starting pointer, so fix that as well. The changes here
are not backwards compatible, i.e., a similar fix in the Linux mac80211
is needed to make things interoperate again.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

src/ap/wpa_auth.c

@@ -2230,10 +2230,10 @@ int fils_decrypt_assoc(struct wpa_state_machine *sm, const u8 *fils_session,
 	 * field to the FILS Session element (both inclusive).
 	 */
 	aad[4] = (const u8 *) &mgmt->u.assoc_req.capab_info;
-	aad_len[4] = crypt - aad[0];
+	aad_len[4] = crypt - aad[4];
 
 	if (aes_siv_decrypt(sm->PTK.kek, sm->PTK.kek_len, crypt, end - crypt,
-			    1, aad, aad_len, pos + (crypt - ie_start)) < 0) {
+			    5, aad, aad_len, pos + (crypt - ie_start)) < 0) {
 		wpa_printf(MSG_DEBUG,
 			   "FILS: Invalid AES-SIV data in the frame");
 		return -1;