Fix KDF sha256 inputs to match the implementation in w1.fi hostap.

stspdotname · stspdotname · commit 2bfc484c2b7a · 2025-12-01T16:02:36.000Z
Cross-checked with the 802.11 spec, which mentions the use of an extra zero byte in case of PFK and mentions nothing of the sort in case of KDF. I was led here by hints left behind by github user pigworlds in OpenIntelWireless/itlwm#676 ok kevlo@ sthen@
diff --git a/sys/net80211/ieee80211_crypto.c b/sys/net80211/ieee80211_crypto.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: ieee80211_crypto.c,v 1.79 2024/04/14 03:26:25 jsg Exp $	*/
+/*	$OpenBSD: ieee80211_crypto.c,v 1.80 2025/12/01 16:02:36 stsp Exp $	*/
 
 /*-
  * Copyright (c) 2008 Damien Bergamini <damien.bergamini@free.fr>
@@ -386,8 +386,6 @@ ieee80211_derive_ptk(enum ieee80211_akm akm, const u_int8_t *pmk,
     const u_int8_t *aa, const u_int8_t *spa, const u_int8_t *anonce,
     const u_int8_t *snonce, struct ieee80211_ptk *ptk)
 {
-	void (*kdf)(const u_int8_t *, size_t, const u_int8_t *, size_t,
-	    const u_int8_t *, size_t, u_int8_t *, size_t);
 	u_int8_t buf[2 * IEEE80211_ADDR_LEN + 2 * EAPOL_KEY_NONCE_LEN];
 	int ret;
 
@@ -401,9 +399,17 @@ ieee80211_derive_ptk(enum ieee80211_akm akm, const u_int8_t *pmk,
 	memcpy(&buf[12], ret ? anonce : snonce, EAPOL_KEY_NONCE_LEN);
 	memcpy(&buf[44], ret ? snonce : anonce, EAPOL_KEY_NONCE_LEN);
 
-	kdf = ieee80211_is_sha256_akm(akm) ? ieee80211_kdf : ieee80211_prf;
-	(*kdf)(pmk, IEEE80211_PMK_LEN, "Pairwise key expansion", 23,
-	    buf, sizeof buf, (u_int8_t *)ptk, sizeof(*ptk));
+	if (ieee80211_is_sha256_akm(akm)) {
+		ieee80211_kdf(pmk, IEEE80211_PMK_LEN, "Pairwise key expansion",
+		    22 /* KDF omits \0 */, buf, sizeof buf, (u_int8_t *)ptk,
+		    /* expected output size of 48 is mixed into hash */
+		    MIN(48, sizeof(*ptk)));
+		CTASSERT(sizeof(struct ieee80211_ptk) >= 48);
+	} else {
+		ieee80211_prf(pmk, IEEE80211_PMK_LEN, "Pairwise key expansion",
+		    23 /* PRF uses \0 */, buf, sizeof buf, (u_int8_t *)ptk,
+		    sizeof(*ptk));
+	}
 }
 
 static void
