mka: Do not print contents of SAK to debug log
authorMike Siedzik <msiedzik@extremenetworks.com>
Tue, 20 Feb 2018 19:28:40 +0000 (14:28 -0500)
committerJouni Malinen <j@w1.fi>
Sun, 11 Mar 2018 14:52:56 +0000 (16:52 +0200)
Log newly generated SAKs as well as unwrapped SAKs with wpa_hexdump_key()
rather than wpa_hexdump(). By default, the wpa_hexdump_key() function
will not display sensitive key data.

Signed-off-by: Michael Siedzik <msiedzik@extremenetworks.com>
src/pae/ieee802_1x_kay.c

index 0d93b43a72900b79da21abc870b1d2638549465e..0fe806f19d056f1f0e0abbd205cf52044fe79618 100644 (file)
@@ -1626,7 +1626,8 @@ ieee802_1x_mka_decode_dist_sak_body(
                os_free(unwrap_sak);
                return -1;
        }
-       wpa_hexdump(MSG_DEBUG, "\tAES Key Unwrap of SAK:", unwrap_sak, sak_len);
+       wpa_hexdump_key(MSG_DEBUG, "\tAES Key Unwrap of SAK:",
+                       unwrap_sak, sak_len);
 
        sa_key = os_zalloc(sizeof(*sa_key));
        if (!sa_key) {
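Review bot: The new `wpa_hexdump_key()` call on the unwrapped SAK hides the bytes only while key display is off; a run with key display enabled (`wpa_debug_show_keys`, the `-K` option) still writes the SAK to the log at MSG_DEBUG, so debug logs from such runs need to be treated as secret. A short comment above the call would keep a later edit from reverting it, for example `/* SAK is key material: log only through wpa_hexdump_key() */`, and the same comment fits the generated-SAK dump in ieee802_1x_kay_generate_new_sak(). As a style point, the title `"\tAES Key Unwrap of SAK:"` carries a leading tab and a trailing colon, unlike `"KaY: generated new SAK"` in the other hunk; `"KaY: AES Key Unwrap of SAK"` would make the two consistent and easier to match in log filters. The body of ieee802_1x_mka_decode_dist_sak_body() starts and ends outside this hunk, so what happens to unwrap_sak after the dump cannot be checked here.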
@@ -2017,7 +2018,7 @@ ieee802_1x_kay_generate_new_sak(struct ieee802_1x_mka_participant *participant)
                wpa_printf(MSG_ERROR, "KaY: SAK Length not support");
                goto fail;
        }
-       wpa_hexdump(MSG_DEBUG, "KaY: generated new SAK", key, key_len);
+       wpa_hexdump_key(MSG_DEBUG, "KaY: generated new SAK", key, key_len);
        os_free(context);
        context = NULL;