FILS: Fix KEK2 derivation for FILS+FT

The offset update for copying KEK2 from the extended PTK was overriding
the offset instead of incrementing it (a likely copy-paste error from
the first offset assignment based on KCK). This resulted in KEK2 being
set to incorrect segment of PTK. Fix this by updating the offset
properly so that KEK2 is copied from the correct place at the end of the
PTK.

Fixes: 2f37387812a5 ("FILS: Add more complete support for FT-FILS use cases")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

diff --git a/src/common/wpa_common.c b/src/common/wpa_common.c
index 2c5b2eba2357078389deaf5e3f8809f2620be800..ed2d1c2a023639b3ae9d5526c5532da82096ce55 100644 (file)
--- a/src/common/wpa_common.c
+++ b/src/common/wpa_common.c
@@ -1791,7 +1791,7 @@ int wpa_pmk_r1_to_ptk(const u8 *pmk_r1, size_t pmk_r1_len,
        os_memcpy(ptk->tk, tmp + offset, ptk->tk_len);
        offset += ptk->tk_len;
        os_memcpy(ptk->kck2, tmp + offset, ptk->kck2_len);
-       offset = ptk->kck2_len;
+       offset += ptk->kck2_len;
        os_memcpy(ptk->kek2, tmp + offset, ptk->kek2_len);
 
        wpa_hexdump_key(MSG_DEBUG, "FT: KCK", ptk->kck, ptk->kck_len);