PASN: Optional KEK derivation in PTK
authorShivani Baranwal <quic_shivbara@quicinc.com>
Sun, 4 Aug 2024 20:02:07 +0000 (01:32 +0530)
committerJouni Malinen <j@w1.fi>
Thu, 5 Sep 2024 20:56:16 +0000 (23:56 +0300)
Add support to derive KEK in PTK per IEEE P802.11bh/D6.0. This can be
used to encrypt keys and passwords in opportunistic P2P pairing defined
in P2P2.

Signed-off-by: Shivani Baranwal <quic_shivbara@quicinc.com>
src/ap/ieee802_11.c
src/common/common_module_tests.c
src/common/wpa_common.c
src/common/wpa_common.h
src/pasn/pasn_common.h
src/pasn/pasn_initiator.c
src/pasn/pasn_responder.c

index 230fdb7b2d31a7f4da9876f41ed7428aaf380f9a..d4552f2f4a0e1b5fc052d70b9e45319de7689209 100644 (file)
@@ -2481,7 +2481,8 @@ static void pasn_fils_auth_resp(struct hostapd_data *hapd,
                              wpabuf_head(pasn->secret),
                              wpabuf_len(pasn->secret),
                              pasn_get_ptk(sta->pasn), pasn_get_akmp(sta->pasn),
-                             pasn_get_cipher(sta->pasn), sta->pasn->kdk_len);
+                             pasn_get_cipher(sta->pasn), sta->pasn->kdk_len,
+                             sta->pasn->kek_len);
        if (ret) {
                wpa_printf(MSG_DEBUG, "PASN: FILS: Failed to derive PTK");
                goto fail;
index a95ae36dc078194039923380da27487e7eae98f7..5763c51f4c83f026036381cfce1f93571bf92d23 100644 (file)
@@ -651,7 +651,7 @@ static int pasn_test_pasn_auth(void)
                              spa_addr, bssid,
                              dhss, sizeof(dhss),
                              &ptk, WPA_KEY_MGMT_PASN, WPA_CIPHER_CCMP,
-                             WPA_KDK_MAX_LEN);
+                             WPA_KDK_MAX_LEN, 0);
 
        if (ret)
                return ret;
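Review bot: The module test only exercises the new parameter with `0`, so the KEK branch of pasn_pmk_to_ptk and the shifted TK/KDK offsets it introduces are never executed; a regression in the KCK || KEK || TK || KDK layout would pass this test unchanged. Unless a D6.0 vector with KEK is available, at least add a second derivation with a non-zero length, e.g. `ret = pasn_pmk_to_ptk(..., WPA_KDK_MAX_LEN, WPA_KEK_MAX_LEN);` followed by `if (ret || ptk.kek_len != WPA_KEK_MAX_LEN) return -1;`, so the copy path runs at all. pasn_test_pasn_auth starts and continues outside this hunk.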
index eb74c0393fbc1b62de9550bc7086c535fe8bddb6..a8c7c416d10de7d60fd959f75cce0e8c30e8464c 100644 (file)
@@ -1456,15 +1456,18 @@ bool pasn_use_sha384(int akmp, int cipher)
  * @akmp: Negotiated AKM
  * @cipher: Negotiated pairwise cipher
  * @kdk_len: the length in octets that should be derived for HTLK. Can be zero.
+ * @kek_len: The length in octets that should be derived for KEK. Can be zero.
  * Returns: 0 on success, -1 on failure
  */
 int pasn_pmk_to_ptk(const u8 *pmk, size_t pmk_len,
                    const u8 *spa, const u8 *bssid,
                    const u8 *dhss, size_t dhss_len,
                    struct wpa_ptk *ptk, int akmp, int cipher,
-                   size_t kdk_len)
+                   size_t kdk_len, size_t kek_len)
 {
-       u8 tmp[WPA_KCK_MAX_LEN + WPA_TK_MAX_LEN + WPA_KDK_MAX_LEN];
+       u8 tmp[WPA_KCK_MAX_LEN + WPA_KEK_MAX_LEN + WPA_TK_MAX_LEN +
+              WPA_KDK_MAX_LEN];
+       const u8 *pos;
        u8 *data;
        size_t data_len, ptk_len;
        int ret = -1;
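Review bot: The new @kek_len line says how much KEK to derive but not where it lands in the PTK; later in this function the KEK is taken from tmp directly after the KCK, ahead of TK and KDK, which is a layout fact a reader of the prototype needs. Suggest ` * @kek_len: The length in octets that should be derived for KEK, placed between KCK and TK in the PTK. Can be zero.` The body of pasn_pmk_to_ptk continues past the end of this hunk.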
@@ -1499,7 +1502,7 @@ int pasn_pmk_to_ptk(const u8 *pmk, size_t pmk_len,
        ptk->kck_len = WPA_PASN_KCK_LEN;
        ptk->tk_len = wpa_cipher_key_len(cipher);
        ptk->kdk_len = kdk_len;
-       ptk->kek_len = 0;
+       ptk->kek_len = kek_len;
        ptk->kek2_len = 0;
        ptk->kck2_len = 0;
 
@@ -1510,7 +1513,7 @@ int pasn_pmk_to_ptk(const u8 *pmk, size_t pmk_len,
                goto err;
        }
 
-       ptk_len = ptk->kck_len + ptk->tk_len + ptk->kdk_len;
+       ptk_len = ptk->kck_len + ptk->tk_len + ptk->kdk_len + ptk->kek_len;
        if (ptk_len > sizeof(tmp))
                goto err;
 
@@ -1538,13 +1541,21 @@ int pasn_pmk_to_ptk(const u8 *pmk, size_t pmk_len,
 
        os_memcpy(ptk->kck, tmp, WPA_PASN_KCK_LEN);
        wpa_hexdump_key(MSG_DEBUG, "PASN: KCK:", ptk->kck, WPA_PASN_KCK_LEN);
+       pos = &tmp[WPA_PASN_KCK_LEN];
+
+       if (kek_len) {
+               os_memcpy(ptk->kek, pos, kek_len);
+               wpa_hexdump_key(MSG_DEBUG, "PASN: KEK:",
+                               ptk->kek, ptk->kek_len);
+               pos += kek_len;
+       }
 
-       os_memcpy(ptk->tk, tmp + WPA_PASN_KCK_LEN, ptk->tk_len);
+       os_memcpy(ptk->tk, pos, ptk->tk_len);
        wpa_hexdump_key(MSG_DEBUG, "PASN: TK:", ptk->tk, ptk->tk_len);
+       pos += ptk->tk_len;
 
        if (kdk_len) {
-               os_memcpy(ptk->kdk, tmp + WPA_PASN_KCK_LEN + ptk->tk_len,
-                         ptk->kdk_len);
+               os_memcpy(ptk->kdk, pos, ptk->kdk_len);
                wpa_hexdump_key(MSG_DEBUG, "PASN: KDK:",
                                ptk->kdk, ptk->kdk_len);
        }
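Review bot: The KEK branch mixes the parameter and the struct field: `os_memcpy(ptk->kek, pos, kek_len)` and `pos += kek_len` use the argument while the hexdump right between them uses `ptk->kek_len`, whereas the TK and KDK copies below consistently use `ptk->tk_len` / `ptk->kdk_len`. Since `ptk->kek_len = kek_len` is assigned earlier in the function, use one form throughout, e.g. `os_memcpy(ptk->kek, pos, ptk->kek_len);` and `pos += ptk->kek_len;`, so the three branches read alike. The enclosing function continues past this hunk.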
index 6f513f2b6397f88722e714698c1f63bc0ef44c53..e608d3cbed3e4e0c4b5316933d3095845dd07b45 100644 (file)
@@ -770,7 +770,7 @@ int pasn_pmk_to_ptk(const u8 *pmk, size_t pmk_len,
                    const u8 *spa, const u8 *bssid,
                    const u8 *dhss, size_t dhss_len,
                    struct wpa_ptk *ptk, int akmp, int cipher,
-                   size_t kdk_len);
+                   size_t kdk_len, size_t kek_len);
 
 u8 pasn_mic_len(int akmp, int cipher);
 
index 54792f43e7d256383d58ad1c8caf0e371c0e351f..eb0c16abf983ea9b81b1e3e05a9b1162497265d7 100644 (file)
@@ -66,6 +66,7 @@ struct pasn_data {
        size_t extra_ies_len;
 
        /* External modules do not access below variables */
+       size_t kek_len;
        u16 group;
        bool secure_ltf;
        int freq;
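Review bot: The new kek_len member is undocumented and no hunk on this page assigns it, so every derivation in this change still yields a PTK without KEK unless the struct is zeroed on allocation (not visible here) and a later change sets the field. A one-line comment stating the contract, e.g. `size_t kek_len; /* KEK octets to derive into the PTK; 0 = no KEK */`, would make that explicit, and the allocation path should be checked to guarantee the field starts at 0 rather than as uninitialised memory feeding a key length. struct pasn_data starts and ends outside this hunk.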
index d273067b707808593ba0b909d830af02eecaf761..c9771c70b6490b5f3cf190bbf93ab1aec011af86 100644 (file)
@@ -1233,7 +1233,7 @@ int wpa_pasn_auth_rx(struct pasn_data *pasn, const u8 *data, size_t len,
                              pasn->own_addr, pasn->peer_addr,
                              wpabuf_head(secret), wpabuf_len(secret),
                              &pasn->ptk, pasn->akmp, pasn->cipher,
-                             pasn->kdk_len);
+                             pasn->kdk_len, pasn->kek_len);
        if (ret) {
                wpa_printf(MSG_DEBUG, "PASN: Failed to derive PTK");
                goto fail;
index f6e44a53cb7889a827a4c46b1880613d3bd28ed9..09e9f0d2ded9dfa8558dae2257e8eb311799e522 100644 (file)
@@ -349,7 +349,7 @@ pasn_derive_keys(struct pasn_data *pasn,
        ret = pasn_pmk_to_ptk(pmk, pmk_len, peer_addr, own_addr,
                              wpabuf_head(secret), wpabuf_len(secret),
                              &pasn->ptk, pasn->akmp,
-                             pasn->cipher, pasn->kdk_len);
+                             pasn->cipher, pasn->kdk_len, pasn->kek_len);
        if (ret) {
                wpa_printf(MSG_DEBUG, "PASN: Failed to derive PTK");
                return -1;