diff options
| author | Jouni Malinen <jouni@qca.qualcomm.com> | 2016-03-04 17:20:18 +0200 |
|---|---|---|
| committer | Linux Build Service Account <lnxbuild@localhost> | 2016-08-24 08:07:35 -0600 |
| commit | 73044a19e262212d9bf4f3646bf56e303350006f (patch) | |
| tree | 7fb89d4f4175688733dabab79602149ca7427985 | |
| parent | 8df9925a4e0db87a85057090fde026a76be1984f (diff) | |
| download | android_external_wpa_supplicant_8-73044a19e262212d9bf4f3646bf56e303350006f.tar.gz android_external_wpa_supplicant_8-73044a19e262212d9bf4f3646bf56e303350006f.tar.bz2 android_external_wpa_supplicant_8-73044a19e262212d9bf4f3646bf56e303350006f.zip | |
WPS: Reject a Credential with invalid passphrase
WPA/WPA2-Personal passphrase is not allowed to include control
characters. Reject a Credential received from a WPS Registrar both as
STA (Credential) and AP (AP Settings) if the credential is for WPAPSK or
WPA2PSK authentication type and includes an invalid passphrase.
This fixes an issue where hostapd or wpa_supplicant could have updated
the configuration file PSK/passphrase parameter with arbitrary data from
an external device (Registrar) that may not be fully trusted. Should
such data include a newline character, the resulting configuration file
could become invalid and fail to be parsed
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Git-commit: ecbb0b3dc122b0d290987cf9c84010bbe53e1022
Git-repo: git://w1.fi/srv/git/hostap.git
Change-Id: I2b439a72af08a744ce5bf74a05b2cac817fe5b05
CRs-fixed: 1007548
| -rw-r--r-- | src/utils/common.c | 12 | ||||
| -rw-r--r-- | src/utils/common.h | 1 | ||||
| -rw-r--r-- | src/wps/wps_attr_process.c | 10 |
3 files changed, 23 insertions, 0 deletions
diff --git a/src/utils/common.c b/src/utils/common.c index 9c7d0d40..fe10c23b 100644 --- a/src/utils/common.c +++ b/src/utils/common.c @@ -697,6 +697,18 @@ int is_hex(const u8 *data, size_t len) } +int has_ctrl_char(const u8 *data, size_t len) +{ + size_t i; + + for (i = 0; i < len; i++) { + if (data[i] < 32 || data[i] == 127) + return 1; + } + return 0; +} + + size_t merge_byte_arrays(u8 *res, size_t res_len, const u8 *src1, size_t src1_len, const u8 *src2, size_t src2_len) diff --git a/src/utils/common.h b/src/utils/common.h index 6f0de699..d858ea47 100644 --- a/src/utils/common.h +++ b/src/utils/common.h @@ -480,6 +480,7 @@ const char * wpa_ssid_txt(const u8 *ssid, size_t ssid_len); char * wpa_config_parse_string(const char *value, size_t *len); int is_hex(const u8 *data, size_t len); +int has_ctrl_char(const u8 *data, size_t len); size_t merge_byte_arrays(u8 *res, size_t res_len, const u8 *src1, size_t src1_len, const u8 *src2, size_t src2_len); diff --git a/src/wps/wps_attr_process.c b/src/wps/wps_attr_process.c index eadb22fe..e8c45793 100644 --- a/src/wps/wps_attr_process.c +++ b/src/wps/wps_attr_process.c @@ -229,6 +229,16 @@ static int wps_workaround_cred_key(struct wps_credential *cred) cred->key_len--; #endif /* CONFIG_WPS_STRICT */ } + + + if (cred->auth_type & (WPS_AUTH_WPAPSK | WPS_AUTH_WPA2PSK) && + (cred->key_len < 8 || has_ctrl_char(cred->key, cred->key_len))) { + wpa_printf(MSG_INFO, "WPS: Reject credential with invalid WPA/WPA2-Personal passphrase"); + wpa_hexdump_ascii_key(MSG_INFO, "WPS: Network Key", + cred->key, cred->key_len); + return -1; + } + return 0; } |