[10/15] mka: Do not print contents of SAK to debug log

Message ID	20180302201103.16264-11-msiedzik@extremenetworks.com
State	Accepted
Headers	show Return-Path: <hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org> From: <msiedzik@extremenetworks.com> To: <hostap@lists.infradead.org> Subject: [PATCH 10/15] mka: Do not print contents of SAK to debug log Date: Fri, 2 Mar 2018 15:10:58 -0500 Message-ID: <20180302201103.16264-11-msiedzik@extremenetworks.com> In-Reply-To: <20180302201103.16264-1-msiedzik@extremenetworks.com> References: <20180302201103.16264-1-msiedzik@extremenetworks.com> MIME-Version: 1.0 summary: Content analysis details: (-4.2 points) pts rule name description ---- ---------------------- -------------------------------------------------- -2.3 RCVD_IN_DNSWL_MED RBL: Sender listed at http://www.dnswl.org/, medium trust [63.128.21.183 listed in list.dnswl.org] -0.0 SPF_PASS SPF: sender matches SPF record -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1% [score: 0.0000] Precedence: list Cc: Mike Siedzik <msiedzik@extremenetworks.com> Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: "Hostap" <hostap-bounces@lists.infradead.org> Errors-To: hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org
Series	MKA bugfixes and enhancements \| expand [00/15] MKA bugfixes and enhancements [01/15] mka: When matching CKNs ensure that lengths are identical [02/15] mka: Ignore MACsec SAK Use Old Key parameter if we don't remember our old key [03/15] mka: Incorrect conf_offset sent in MKPDU when in policy mode "SHOULD_SECURE" [04/15] mka: Loss of live peers should result in connect PENDING not AUTHENTICATED [05/15] mka: finish implementation of CP state machine "port_enabled" parameter [06/15] mka: KaY setting Parameter Set Body Length incorrectly [07/15] mka: Detect duplicate MAC addresses during key server election [08/15] mka: MKPDU SAK Use Body's Delay Protect bit set incorrectly [09/15] mka: Lowest acceptable Packet Number (LPN) calculated and used incorrectly [10/15] mka: Do not print contents of SAK to debug log [11/15] mka: Fix a few minor bugs in CP state machine [12/15] mka: resources leaked when duplicated SCI detected [13/15] mka: do not ignore MKPDU parameter set decoding failures [14/15] mka: consider missing MKPDU parameter sets a failure [15/15] mka: do not update potential peer liveness timer

Message ID

20180302201103.16264-11-msiedzik@extremenetworks.com

State

Accepted

Headers

From: <msiedzik@extremenetworks.com>
To: <hostap@lists.infradead.org>
Subject: [PATCH 10/15] mka: Do not print contents of SAK to debug log
Date: Fri, 2 Mar 2018 15:10:58 -0500
Message-ID: <20180302201103.16264-11-msiedzik@extremenetworks.com>
In-Reply-To: <20180302201103.16264-1-msiedzik@extremenetworks.com>
References: <20180302201103.16264-1-msiedzik@extremenetworks.com>
MIME-Version: 1.0
Precedence: list
Cc: Mike Siedzik <msiedzik@extremenetworks.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: "Hostap" <hostap-bounces@lists.infradead.org>
Errors-To: hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org

Series

MKA bugfixes and enhancements | expand

Commit Message

Michael Siedzik March 2, 2018, 8:10 p.m. UTC

From: Mike Siedzik <msiedzik@extremenetworks.com>

Log newly generated SAKs as well as unwrapped SAKs with wpa_hexdump_key()
rather than wpa_hexdump(). By default, the wpa_hexdump_key() function
will not display sensitive key data.

Signed-off-by: Michael Siedzik <msiedzik@extremenetworks.com>
---
 src/pae/ieee802_1x_kay.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--
2.11.1

Comments

Jouni Malinen March 12, 2018, 11:51 p.m. UTC | #1

On Fri, Mar 02, 2018 at 03:10:58PM -0500, msiedzik@extremenetworks.com wrote:
> Log newly generated SAKs as well as unwrapped SAKs with wpa_hexdump_key()
> rather than wpa_hexdump(). By default, the wpa_hexdump_key() function
> will not display sensitive key data.

Thanks, applied.

diff --git a/src/pae/ieee802_1x_kay.c b/src/pae/ieee802_1x_kay.c
index 4ac4fdc15..27022d994 100644
--- a/src/pae/ieee802_1x_kay.c
+++ b/src/pae/ieee802_1x_kay.c
@@ -1644,7 +1644,7 @@  ieee802_1x_mka_decode_dist_sak_body(
                os_free(unwrap_sak);
                return -1;
        }
-       wpa_hexdump(MSG_DEBUG, "\tAES Key Unwrap of SAK:", unwrap_sak, sak_len);
+       wpa_hexdump_key(MSG_DEBUG, "\tAES Key Unwrap of SAK:", unwrap_sak, sak_len);

        sa_key = os_zalloc(sizeof(*sa_key));
        if (!sa_key) {
@@ -2035,7 +2035,7 @@  ieee802_1x_kay_generate_new_sak(struct ieee802_1x_mka_participant *participant)
                wpa_printf(MSG_ERROR, "KaY: SAK Length not support");
                goto fail;
        }
-       wpa_hexdump(MSG_DEBUG, "KaY: generated new SAK", key, key_len);
+       wpa_hexdump_key(MSG_DEBUG, "KaY: generated new SAK", key, key_len);
        os_free(context);
        context = NULL;

[10/15] mka: Do not print contents of SAK to debug log

Commit Message

Comments

Patch