[PATCH 10/15] mka: Do not print contents of SAK to debug log

msiedzik at extremenetworks.com msiedzik at extremenetworks.com
Fri Mar 2 12:10:58 PST 2018

From: Mike Siedzik <msiedzik at extremenetworks.com>

Log newly generated SAKs as well as unwrapped SAKs with wpa_hexdump_key()
rather than wpa_hexdump(). By default, the wpa_hexdump_key() function
will not display sensitive key data.

Signed-off-by: Michael Siedzik <msiedzik at extremenetworks.com>
 src/pae/ieee802_1x_kay.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c
index 4ac4fdc15..27022d994 100644
--- a/src/pae/ieee802_1x_kay.c
+++ b/src/pae/ieee802_1x_kay.c
@@ -1644,7 +1644,7 @@ ieee802_1x_mka_decode_dist_sak_body(
                return -1;
-       wpa_hexdump(MSG_DEBUG, "\tAES Key Unwrap of SAK:", unwrap_sak, sak_len);
+       wpa_hexdump_key(MSG_DEBUG, "\tAES Key Unwrap of SAK:", unwrap_sak, sak_len);

        sa_key = os_zalloc(sizeof(*sa_key));
        if (!sa_key) {
@@ -2035,7 +2035,7 @@ ieee802_1x_kay_generate_new_sak(struct ieee802_1x_mka_participant *participant)
                wpa_printf(MSG_ERROR, "KaY: SAK Length not support");
                goto fail;
-       wpa_hexdump(MSG_DEBUG, "KaY: generated new SAK", key, key_len);
+       wpa_hexdump_key(MSG_DEBUG, "KaY: generated new SAK", key, key_len);
        context = NULL;



This e-mail and any attachments to it may contain confidential and proprietary material and is solely for the use of the intended recipient. Any review, use, disclosure, distribution or copying of this transmittal is prohibited except by or on behalf of the intended recipient. If you have received this transmittal in error, please notify the sender and destroy this e-mail and any attachments and all copies, whether electronic or printed.

More information about the Hostap mailing list