[PATCH v3 11/25] WPA: Add support for KEK derivation in PTK

Shivani Baranwal quic_shivbara at quicinc.com
Mon Aug 5 02:33:09 PDT 2024


Add support for deriving a KEK as part of the PTK, used to encrypt keys
and passwords in opportunistic P2P pairing as defined in P2P2.

Signed-off-by: Shivani Baranwal <quic_shivbara at quicinc.com>
---
 src/ap/ieee802_11.c              |  3 ++-
 src/common/common_module_tests.c |  2 +-
 src/common/wpa_common.c          | 20 +++++++++++++-------
 src/common/wpa_common.h          |  4 +++-
 src/pasn/pasn_common.h           |  1 +
 src/pasn/pasn_initiator.c        |  2 +-
 src/pasn/pasn_responder.c        |  2 +-
 7 files changed, 22 insertions(+), 12 deletions(-)

diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
index fd1de5e..38fcba5 100644
--- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c
@@ -2462,7 +2462,8 @@ static void pasn_fils_auth_resp(struct hostapd_data *hapd,
 			      wpabuf_head(pasn->secret),
 			      wpabuf_len(pasn->secret),
 			      pasn_get_ptk(sta->pasn), pasn_get_akmp(sta->pasn),
-			      pasn_get_cipher(sta->pasn), sta->pasn->kdk_len);
+			      pasn_get_cipher(sta->pasn), sta->pasn->kdk_len,
+			      sta->pasn->kek_len);
 	if (ret) {
 		wpa_printf(MSG_DEBUG, "PASN: FILS: Failed to derive PTK");
 		goto fail;
diff --git a/src/common/common_module_tests.c b/src/common/common_module_tests.c
index a95ae36..5763c51 100644
--- a/src/common/common_module_tests.c
+++ b/src/common/common_module_tests.c
@@ -651,7 +651,7 @@ static int pasn_test_pasn_auth(void)
 			      spa_addr, bssid,
 			      dhss, sizeof(dhss),
 			      &ptk, WPA_KEY_MGMT_PASN, WPA_CIPHER_CCMP,
-			      WPA_KDK_MAX_LEN);
+			      WPA_KDK_MAX_LEN, 0);
 
 	if (ret)
 		return ret;
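Review bot: The only module test that reaches pasn_pmk_to_ptk() is updated to pass `0` for kek_len, so the new KCK || KEK || TK || KDK layout introduced in wpa_common.c is not exercised by any known-answer test. A second call with a non-zero kek_len (e.g. `WPA_KEK_128`) and an expected-vector check for ptk.kek and ptk.tk would pin the offsets, since a regression there would otherwise only surface as an interoperability failure. The enclosing pasn_test_pasn_auth() starts and ends outside the hunk.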
diff --git a/src/common/wpa_common.c b/src/common/wpa_common.c
index f62f3a2..28f478c 100644
--- a/src/common/wpa_common.c
+++ b/src/common/wpa_common.c
@@ -1462,9 +1462,9 @@ int pasn_pmk_to_ptk(const u8 *pmk, size_t pmk_len,
 		    const u8 *spa, const u8 *bssid,
 		    const u8 *dhss, size_t dhss_len,
 		    struct wpa_ptk *ptk, int akmp, int cipher,
-		    size_t kdk_len)
+		    size_t kdk_len, size_t kek_len)
 {
-	u8 tmp[WPA_KCK_MAX_LEN + WPA_TK_MAX_LEN + WPA_KDK_MAX_LEN];
+	u8 tmp[WPA_KCK_MAX_LEN + WPA_KEK_MAX_LEN + WPA_TK_MAX_LEN + WPA_KDK_MAX_LEN];
 	u8 *data;
 	size_t data_len, ptk_len;
 	int ret = -1;
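Review bot: The new `tmp` declaration exceeds the 79-column limit that the rest of this file keeps once the leading tab is counted; wrap it as `u8 tmp[WPA_KCK_MAX_LEN + WPA_KEK_MAX_LEN + WPA_TK_MAX_LEN +` / `       WPA_KDK_MAX_LEN];`. The order of the terms also documents the derived-key layout (KCK, KEK, TK, KDK) that the copy code later relies on, so a short comment such as `/* KCK || KEK || TK || KDK */` above it would help a reader who only sees this declaration. pasn_pmk_to_ptk()'s body continues outside the hunk.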
@@ -1499,7 +1499,7 @@ int pasn_pmk_to_ptk(const u8 *pmk, size_t pmk_len,
 	ptk->kck_len = WPA_PASN_KCK_LEN;
 	ptk->tk_len = wpa_cipher_key_len(cipher);
 	ptk->kdk_len = kdk_len;
-	ptk->kek_len = 0;
+	ptk->kek_len = kek_len;
 	ptk->kek2_len = 0;
 	ptk->kck2_len = 0;
 
@@ -1510,7 +1510,7 @@ int pasn_pmk_to_ptk(const u8 *pmk, size_t pmk_len,
 		goto err;
 	}
 
-	ptk_len = ptk->kck_len + ptk->tk_len + ptk->kdk_len;
+	ptk_len = ptk->kck_len + ptk->tk_len + ptk->kdk_len + ptk->kek_len;
 	if (ptk_len > sizeof(tmp))
 		goto err;
 
@@ -1539,12 +1539,18 @@ int pasn_pmk_to_ptk(const u8 *pmk, size_t pmk_len,
 	os_memcpy(ptk->kck, tmp, WPA_PASN_KCK_LEN);
 	wpa_hexdump_key(MSG_DEBUG, "PASN: KCK:", ptk->kck, WPA_PASN_KCK_LEN);
 
-	os_memcpy(ptk->tk, tmp + WPA_PASN_KCK_LEN, ptk->tk_len);
+	if (kek_len) {
+		os_memcpy(ptk->kek, tmp + WPA_PASN_KCK_LEN, ptk->kek_len);
+		wpa_hexdump_key(MSG_DEBUG, "PASN: KEK:",
+				ptk->kek, ptk->kek_len);
+	}
+
+	os_memcpy(ptk->tk, tmp + WPA_PASN_KCK_LEN + ptk->kek_len, ptk->tk_len);
 	wpa_hexdump_key(MSG_DEBUG, "PASN: TK:", ptk->tk, ptk->tk_len);
 
 	if (kdk_len) {
-		os_memcpy(ptk->kdk, tmp + WPA_PASN_KCK_LEN + ptk->tk_len,
-			  ptk->kdk_len);
+		os_memcpy(ptk->kdk, tmp + WPA_PASN_KCK_LEN + ptk->kek_len +
+			  ptk->tk_len, ptk->kdk_len);
 		wpa_hexdump_key(MSG_DEBUG, "PASN: KDK:",
 				ptk->kdk, ptk->kdk_len);
 	}
diff --git a/src/common/wpa_common.h b/src/common/wpa_common.h
index 6f513f2..8f77d38 100644
--- a/src/common/wpa_common.h
+++ b/src/common/wpa_common.h
@@ -249,6 +249,8 @@ struct wpa_eapol_key {
 #define WPA_PASN_KCK_LEN 32
 #define WPA_PASN_MIC_MAX_LEN 24
 #define WPA_LTF_KEYSEED_MAX_LEN 48
+#define WPA_KEK_128 16
+#define WPA_KEK_256 32
 
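Review bot: The two new defines carry no comment explaining what they are or where they are meant to be passed, unlike the PASN constants just above them. A one-line comment such as `/* KEK lengths for PASN-derived PTK (P2P2 opportunistic pairing) */` above `WPA_KEK_128` would tie them to the kek_len parameter of pasn_pmk_to_ptk(). It would also be worth stating in that comment that both values must stay <= WPA_KEK_MAX_LEN, since the derivation code sizes its buffer from that constant.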
 /**
  * struct wpa_ptk - WPA Pairwise Transient Key
@@ -770,7 +772,7 @@ int pasn_pmk_to_ptk(const u8 *pmk, size_t pmk_len,
 		    const u8 *spa, const u8 *bssid,
 		    const u8 *dhss, size_t dhss_len,
 		    struct wpa_ptk *ptk, int akmp, int cipher,
-		    size_t kdk_len);
+		    size_t kdk_len, size_t kek_len);
 
 u8 pasn_mic_len(int akmp, int cipher);
 
diff --git a/src/pasn/pasn_common.h b/src/pasn/pasn_common.h
index 36710c2..42ff83b 100644
--- a/src/pasn/pasn_common.h
+++ b/src/pasn/pasn_common.h
@@ -66,6 +66,7 @@ struct pasn_data {
 	size_t extra_ies_len;
 
 	/* External modules do not access below variables */
+	size_t kek_len;
 	u16 group;
 	bool secure_ltf;
 	int freq;
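Review bot: The new `kek_len` member is undocumented, and its meaning (0 disables KEK derivation, per the `if (kek_len)` guard in wpa_common.c) is only discoverable by reading the derivation code. Suggest `size_t kek_len; /* KEK length to derive into ptk; 0 = no KEK */`. Nothing in this patch initializes the field, so it presumably relies on struct pasn_data being zero-allocated or on a later patch in the series setting it; worth confirming. struct pasn_data starts and ends outside the hunk.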
diff --git a/src/pasn/pasn_initiator.c b/src/pasn/pasn_initiator.c
index d273067..c9771c7 100644
--- a/src/pasn/pasn_initiator.c
+++ b/src/pasn/pasn_initiator.c
@@ -1233,7 +1233,7 @@ int wpa_pasn_auth_rx(struct pasn_data *pasn, const u8 *data, size_t len,
 			      pasn->own_addr, pasn->peer_addr,
 			      wpabuf_head(secret), wpabuf_len(secret),
 			      &pasn->ptk, pasn->akmp, pasn->cipher,
-			      pasn->kdk_len);
+			      pasn->kdk_len, pasn->kek_len);
 	if (ret) {
 		wpa_printf(MSG_DEBUG, "PASN: Failed to derive PTK");
 		goto fail;
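Review bot: The initiator now passes `pasn->kek_len` into the derivation, as do the responder (pasn_responder.c hunk) and the AP FILS path (ieee802_11.c hunk), but no hunk in this patch sets the field on either side. Because kek_len shifts the TK and KDK offsets in the derived material, the two peers must agree on it before pasn_pmk_to_ptk() is called or the resulting TK/KDK will differ even though the KCK (and hence the MIC) still matches; presumably that negotiation lands in a later patch of the series, so a pointer to it in the commit message would help reviewers. wpa_pasn_auth_rx()'s body continues outside the hunk.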
diff --git a/src/pasn/pasn_responder.c b/src/pasn/pasn_responder.c
index b991364..fd67fba 100644
--- a/src/pasn/pasn_responder.c
+++ b/src/pasn/pasn_responder.c
@@ -349,7 +349,7 @@ pasn_derive_keys(struct pasn_data *pasn,
 	ret = pasn_pmk_to_ptk(pmk, pmk_len, peer_addr, own_addr,
 			      wpabuf_head(secret), wpabuf_len(secret),
 			      &pasn->ptk, pasn->akmp,
-			      pasn->cipher, pasn->kdk_len);
+			      pasn->cipher, pasn->kdk_len, pasn->kek_len);
 	if (ret) {
 		wpa_printf(MSG_DEBUG, "PASN: Failed to derive PTK");
 		return -1;
-- 
2.7.4



