WPS: Be more careful with pre-configured DH parameters

Make the implementation more robust against error cases with
pre-configured DH parameters.

Signed-hostap: Jouni Malinen <j@w1.fi>

diff --git a/src/wps/wps_attr_build.c b/src/wps/wps_attr_build.c
index 29aee8eeca945fe66b1dc7127dd485b27ab07db1..a7e9ad7e8a573c1edf13e776b6be5f7eb2b5fc37 100644 (file)
--- a/src/wps/wps_attr_build.c
+++ b/src/wps/wps_attr_build.c
@@ -24,8 +24,18 @@ int wps_build_public_key(struct wps_data *wps, struct wpabuf *msg)
 
        wpa_printf(MSG_DEBUG, "WPS:  * Public Key");
        wpabuf_free(wps->dh_privkey);
+       wps->dh_privkey = NULL;
        if (wps->dev_pw_id != DEV_PW_DEFAULT && wps->wps->dh_privkey) {
                wpa_printf(MSG_DEBUG, "WPS: Using pre-configured DH keys");
+               if (wps->wps->dh_ctx == NULL) {
+                       wpa_printf(MSG_DEBUG, "WPS: wps->wps->dh_ctx == NULL");
+                       return -1;
+               }
+               if (wps->wps->dh_pubkey == NULL) {
+                       wpa_printf(MSG_DEBUG,
+                                  "WPS: wps->wps->dh_pubkey == NULL");
+                       return -1;
+               }
                wps->dh_privkey = wpabuf_dup(wps->wps->dh_privkey);
                wps->dh_ctx = wps->wps->dh_ctx;
                wps->wps->dh_ctx = NULL;
@@ -34,13 +44,22 @@ int wps_build_public_key(struct wps_data *wps, struct wpabuf *msg)
        } else if (wps->dev_pw_id >= 0x10 && wps->wps->ap &&
                   wps->dev_pw_id == wps->wps->ap_nfc_dev_pw_id) {
                wpa_printf(MSG_DEBUG, "WPS: Using NFC password token DH keys");
+               if (wps->wps->ap_nfc_dh_privkey == NULL) {
+                       wpa_printf(MSG_DEBUG,
+                                  "WPS: wps->wps->ap_nfc_dh_privkey == NULL");
+                       return -1;
+               }
+               if (wps->wps->ap_nfc_dh_pubkey == NULL) {
+                       wpa_printf(MSG_DEBUG,
+                                  "WPS: wps->wps->ap_nfc_dh_pubkey == NULL");
+                       return -1;
+               }
                wps->dh_privkey = wpabuf_dup(wps->wps->ap_nfc_dh_privkey);
                pubkey = wpabuf_dup(wps->wps->ap_nfc_dh_pubkey);
                wps->dh_ctx = dh5_init_fixed(wps->dh_privkey, pubkey);
 #endif /* CONFIG_WPS_NFC */
        } else {
                wpa_printf(MSG_DEBUG, "WPS: Generate new DH keys");
-               wps->dh_privkey = NULL;
                dh5_free(wps->dh_ctx);
                wps->dh_ctx = dh5_init(&wps->dh_privkey, &pubkey);
                pubkey = wpabuf_zeropad(pubkey, 192);

diff --git a/wpa_supplicant/wps_supplicant.c b/wpa_supplicant/wps_supplicant.c
index 603ce919543188e6719c2d27a7fb25d457339f65..cd0f493fe687b7809e0e105a9d2c7800aeb978ac 100644 (file)
--- a/wpa_supplicant/wps_supplicant.c
+++ b/wpa_supplicant/wps_supplicant.c
@@ -1905,8 +1905,13 @@ int wpas_wps_start_nfc(struct wpa_supplicant *wpa_s, const u8 *bssid)
                return -1;
        }
        wps->dh_ctx = dh5_init_fixed(wps->dh_privkey, wps->dh_pubkey);
-       if (wps->dh_ctx == NULL)
+       if (wps->dh_ctx == NULL) {
+               wpabuf_free(wps->dh_pubkey);
+               wps->dh_pubkey = NULL;
+               wpabuf_free(wps->dh_privkey);
+               wps->dh_privkey = NULL;
                return -1;
+       }
 
        wpa_snprintf_hex_uppercase(pw, sizeof(pw),
                                   wpabuf_head(wpa_s->conf->wps_nfc_dev_pw),