FT: Extend PMKR1Name derivation for FT-SAE-EXT-KEY
Provide key length instead of SHA384/SHA256 selection to the helper function so that the new SHA512 option can be covered for FT-SAE-EXT-KEY. Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
parent
9fd2455642
commit
dcd46edf5f
5 changed files with 33 additions and 13 deletions
|
@ -2475,7 +2475,7 @@ int fils_auth_pmk_to_ptk(struct wpa_state_machine *sm, const u8 *pmk,
|
||||||
|
|
||||||
res = wpa_derive_pmk_r1_name(pmk_r0_name, conf->r1_key_holder,
|
res = wpa_derive_pmk_r1_name(pmk_r0_name, conf->r1_key_holder,
|
||||||
sm->addr, sm->pmk_r1_name,
|
sm->addr, sm->pmk_r1_name,
|
||||||
use_sha384);
|
fils_ft_len);
|
||||||
forced_memzero(pmk_r0, PMK_LEN_MAX);
|
forced_memzero(pmk_r0, PMK_LEN_MAX);
|
||||||
if (res < 0)
|
if (res < 0)
|
||||||
return -1;
|
return -1;
|
||||||
|
|
|
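Review bot: The call in fils_auth_pmk_to_ptk() now depends on `fils_ft_len` being exactly SHA256_MAC_LEN, SHA384_MAC_LEN or SHA512_MAC_LEN, because the reworked wpa_derive_pmk_r1_name() returns -1 for any other length, whereas the old `use_sha384` flag selected SHA-256 whenever it was zero. The assignment of `fils_ft_len` lies outside this hunk, so it should be confirmed that it is set (presumably from the negotiated AKM) on every path that reaches this call. The same applies to `pmk_r1_len` in wpa_ft_process_auth_req() and to `sm->fils_ft_len` in fils_ft_build_assoc_req_rsne(). Failing closed on an unexpected length is the right behaviour, but a short comment at the call would record the dependency, for example `/* fils_ft_len selects the PMKR1Name hash; must equal a supported hash length */`.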
@ -3205,7 +3205,7 @@ static int wpa_ft_process_auth_req(struct wpa_state_machine *sm,
|
||||||
parse.rsn_pmkid, WPA_PMK_NAME_LEN);
|
parse.rsn_pmkid, WPA_PMK_NAME_LEN);
|
||||||
if (wpa_derive_pmk_r1_name(parse.rsn_pmkid,
|
if (wpa_derive_pmk_r1_name(parse.rsn_pmkid,
|
||||||
sm->wpa_auth->conf.r1_key_holder, sm->addr,
|
sm->wpa_auth->conf.r1_key_holder, sm->addr,
|
||||||
pmk_r1_name, use_sha384) < 0)
|
pmk_r1_name, pmk_r1_len) < 0)
|
||||||
return WLAN_STATUS_UNSPECIFIED_FAILURE;
|
return WLAN_STATUS_UNSPECIFIED_FAILURE;
|
||||||
|
|
||||||
if (conf->ft_psk_generate_local &&
|
if (conf->ft_psk_generate_local &&
|
||||||
|
|
|
@ -2084,11 +2084,14 @@ int wpa_derive_pmk_r0(const u8 *xxkey, size_t xxkey_len,
|
||||||
* IEEE Std 802.11r-2008 - 8.5.1.5.4
|
* IEEE Std 802.11r-2008 - 8.5.1.5.4
|
||||||
*/
|
*/
|
||||||
int wpa_derive_pmk_r1_name(const u8 *pmk_r0_name, const u8 *r1kh_id,
|
int wpa_derive_pmk_r1_name(const u8 *pmk_r0_name, const u8 *r1kh_id,
|
||||||
const u8 *s1kh_id, u8 *pmk_r1_name, int use_sha384)
|
const u8 *s1kh_id, u8 *pmk_r1_name,
|
||||||
|
size_t pmk_r1_len)
|
||||||
{
|
{
|
||||||
u8 hash[48];
|
u8 hash[64];
|
||||||
const u8 *addr[4];
|
const u8 *addr[4];
|
||||||
size_t len[4];
|
size_t len[4];
|
||||||
|
int res;
|
||||||
|
const char *title;
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* PMKR1Name = Truncate-128(Hash("FT-R1N" || PMKR0Name ||
|
* PMKR1Name = Truncate-128(Hash("FT-R1N" || PMKR0Name ||
|
||||||
|
@ -2103,14 +2106,31 @@ int wpa_derive_pmk_r1_name(const u8 *pmk_r0_name, const u8 *r1kh_id,
|
||||||
addr[3] = s1kh_id;
|
addr[3] = s1kh_id;
|
||||||
len[3] = ETH_ALEN;
|
len[3] = ETH_ALEN;
|
||||||
|
|
||||||
|
res = -1;
|
||||||
|
#ifdef CONFIG_SHA512
|
||||||
|
if (pmk_r1_len == SHA512_MAC_LEN) {
|
||||||
|
title = "FT: PMKR1Name (using SHA512)";
|
||||||
|
res = sha512_vector(4, addr, len, hash);
|
||||||
|
}
|
||||||
|
#endif /* CONFIG_SHA512 */
|
||||||
#ifdef CONFIG_SHA384
|
#ifdef CONFIG_SHA384
|
||||||
if (use_sha384 && sha384_vector(4, addr, len, hash) < 0)
|
if (pmk_r1_len == SHA384_MAC_LEN) {
|
||||||
return -1;
|
title = "FT: PMKR1Name (using SHA384)";
|
||||||
|
res = sha384_vector(4, addr, len, hash);
|
||||||
|
}
|
||||||
#endif /* CONFIG_SHA384 */
|
#endif /* CONFIG_SHA384 */
|
||||||
if (!use_sha384 && sha256_vector(4, addr, len, hash) < 0)
|
if (pmk_r1_len == SHA256_MAC_LEN) {
|
||||||
return -1;
|
title = "FT: PMKR1Name (using SHA256)";
|
||||||
|
res = sha256_vector(4, addr, len, hash);
|
||||||
|
}
|
||||||
|
if (res < 0) {
|
||||||
|
wpa_printf(MSG_DEBUG,
|
||||||
|
"FT: Failed to derive PMKR1Name (PMK-R1 len %zu)",
|
||||||
|
pmk_r1_len);
|
||||||
|
return res;
|
||||||
|
}
|
||||||
os_memcpy(pmk_r1_name, hash, WPA_PMK_NAME_LEN);
|
os_memcpy(pmk_r1_name, hash, WPA_PMK_NAME_LEN);
|
||||||
wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name", pmk_r1_name, WPA_PMK_NAME_LEN);
|
wpa_hexdump(MSG_DEBUG, title, pmk_r1_name, WPA_PMK_NAME_LEN);
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -2158,8 +2178,7 @@ int wpa_derive_pmk_r1(const u8 *pmk_r0, size_t pmk_r0_len,
|
||||||
wpa_hexdump_key(MSG_DEBUG, "FT: PMK-R1", pmk_r1, pmk_r0_len);
|
wpa_hexdump_key(MSG_DEBUG, "FT: PMK-R1", pmk_r1, pmk_r0_len);
|
||||||
|
|
||||||
return wpa_derive_pmk_r1_name(pmk_r0_name, r1kh_id, s1kh_id,
|
return wpa_derive_pmk_r1_name(pmk_r0_name, r1kh_id, s1kh_id,
|
||||||
pmk_r1_name,
|
pmk_r1_name, pmk_r0_len);
|
||||||
pmk_r0_len == SHA384_MAC_LEN);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
|
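Review bot: In wpa_derive_pmk_r1_name(), `title` is declared without an initializer and is assigned only inside the three length checks, so the final wpa_hexdump() is safe only because of the `if (res < 0)` early return. Some compilers may report it as possibly uninitialized, and a later edit to the error path could turn that into a real read of an indeterminate pointer. Declaring it as `const char *title = NULL;` removes that dependency at no cost. The comment above the definition still cites only the 802.11r-2008 clause and does not describe the new parameter. It should state that `pmk_r1_len` selects the hash by exact match against SHA256_MAC_LEN, SHA384_MAC_LEN or SHA512_MAC_LEN, that the latter two are available only when CONFIG_SHA384/CONFIG_SHA512 are defined, and that any other value makes the function return -1.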
@ -477,7 +477,8 @@ int wpa_derive_pmk_r0(const u8 *xxkey, size_t xxkey_len,
|
||||||
const u8 *s0kh_id, u8 *pmk_r0, u8 *pmk_r0_name,
|
const u8 *s0kh_id, u8 *pmk_r0, u8 *pmk_r0_name,
|
||||||
int use_sha384);
|
int use_sha384);
|
||||||
int wpa_derive_pmk_r1_name(const u8 *pmk_r0_name, const u8 *r1kh_id,
|
int wpa_derive_pmk_r1_name(const u8 *pmk_r0_name, const u8 *r1kh_id,
|
||||||
const u8 *s1kh_id, u8 *pmk_r1_name, int use_sha384);
|
const u8 *s1kh_id, u8 *pmk_r1_name,
|
||||||
|
size_t pmk_r1_len);
|
||||||
int wpa_derive_pmk_r1(const u8 *pmk_r0, size_t pmk_r0_len,
|
int wpa_derive_pmk_r1(const u8 *pmk_r0, size_t pmk_r0_len,
|
||||||
const u8 *pmk_r0_name,
|
const u8 *pmk_r0_name,
|
||||||
const u8 *r1kh_id, const u8 *s1kh_id,
|
const u8 *r1kh_id, const u8 *s1kh_id,
|
||||||
|
|
|
@ -4618,7 +4618,7 @@ static int fils_ft_build_assoc_req_rsne(struct wpa_sm *sm, struct wpabuf *buf)
|
||||||
MAC2STR(sm->r1kh_id));
|
MAC2STR(sm->r1kh_id));
|
||||||
pos = wpabuf_put(buf, WPA_PMK_NAME_LEN);
|
pos = wpabuf_put(buf, WPA_PMK_NAME_LEN);
|
||||||
if (wpa_derive_pmk_r1_name(sm->pmk_r0_name, sm->r1kh_id, sm->own_addr,
|
if (wpa_derive_pmk_r1_name(sm->pmk_r0_name, sm->r1kh_id, sm->own_addr,
|
||||||
sm->pmk_r1_name, use_sha384) < 0) {
|
sm->pmk_r1_name, sm->fils_ft_len) < 0) {
|
||||||
wpa_printf(MSG_WARNING, "FILS+FT: Could not derive PMKR1Name");
|
wpa_printf(MSG_WARNING, "FILS+FT: Could not derive PMKR1Name");
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|