From d695b280e9972311ae8c4bc688c0898ade1281e6 Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Sat, 30 Mar 2019 18:14:07 +0100
Subject: [PATCH 1/1] wireless-ap: Check that secret has the correct length and no invalid characters
Signed-off-by: Michael Tremer
---
 src/functions/functions.util | 13 +++++++++++++
 src/functions/functions.wireless | 23 +++++++++++------------
 src/hooks/ports/wireless-ap | 14 +++++++++++---
 3 files changed, 35 insertions(+), 15 deletions(-)
diff --git a/src/functions/functions.util b/src/functions/functions.util
index 4c1dbb41..7379a988 100644
--- a/src/functions/functions.util
+++ b/src/functions/functions.util
@@ -745,6 +745,19 @@ contains_spaces() {
 return ${EXIT_FALSE}
 }
+contains_non_ascii_characters() {
+ local value="$@"
+
+ # Strip away all ASCII characters
+ local non_ascii="${value//[[:ascii:]]/}"
+
+ if isset non_ascii; then
+ return ${EXIT_TRUE}
+ fi
+
+ return ${EXIT_FALSE}
+}
+
 string_match() {
 local match=${1}
 local string=${2}
diff --git a/src/functions/functions.wireless b/src/functions/functions.wireless
index 12204c07..733a3562 100644
--- a/src/functions/functions.wireless
+++ b/src/functions/functions.wireless
@@ -397,24 +397,23 @@ wireless_set_channel() {
 }
 wireless_pre_shared_key_is_valid() {
- local encryption_mode="${1}"
- local psk="${2}"
+ local psk="${1}"
 # Length of the PSK
 local l="${#psk}"
- case "${encryption_mode}" in
- # For WPA*, the key must be between 8 and 63 chars
- WPA2-PSK|WPA2-PSK-SHA256|WPA-PSK|WPA-PSK-SHA256)
- if [ ${l} -ge 8 ] && [ ${l} -le 63 ]; then
- return ${EXIT_TRUE}
- fi
+ # For WPA*, the key must be between 8 and 63 chars
+ if [ ${l} -lt 8 ] || [ ${l} -gt 63 ]; then
+ return ${EXIT_FALSE}
+ fi
- return ${EXIT_FALSE}
- ;;
- esac
+ # Can only contain ASCII chararcters
+ if contains_non_ascii_characters "${psk}"; then
+ return ${EXIT_FALSE}
+ fi
- return ${EXIT_ERROR}
+ # Seems OK
+ return ${EXIT_TRUE}
 }
 wireless_client_is_connected() {
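Review bot: `contains_non_ascii_characters` does not report control characters, because `[[:ascii:]]` matches the whole 0–127 range, newline, tab and DEL included. `wireless_pre_shared_key_is_valid` in src/functions/functions.wireless relies on this helper alone for its character check, so a secret with an embedded newline passes validation; if the secret is later written to a line-based configuration file (not visible in this patch), one value could then span several lines. I would add `[[ "${psk}" == *[[:cntrl:]]* ]] && return ${EXIT_FALSE}` to the validator and a comment on the helper such as `# Control characters are ASCII and are not reported here`. Separately, `local value="$*"` states the intent of joining all arguments into one string more clearly than `"$@"`.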
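Review bot: Dropping the `encryption_mode` argument changes the call contract of `wireless_pre_shared_key_is_valid`, and a caller outside this diff that still passes the mode first would now have the mode string validated instead of the key. A value such as `WPA2-PSK` is eight ASCII characters, so such a stale call would report success whatever the real secret is. Only the wireless-ap hook is updated in this patch, so the remaining call sites should be checked, and a header comment like `# Usage: wireless_pre_shared_key_is_valid PSK (EXIT_TRUE for 8 to 63 ASCII characters)` would make the new contract visible. The comment typo `chararcters` could be fixed in the same pass.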
diff --git a/src/hooks/ports/wireless-ap b/src/hooks/ports/wireless-ap
index 25285858..26e14d63 100644
--- a/src/hooks/ports/wireless-ap
+++ b/src/hooks/ports/wireless-ap
@@ -156,9 +156,17 @@ hook_parse_cmdline() {
 fi
 # Check if SECRET is set when WPA* is enabled
- if ! isset SECRET && (enabled WPA3_PERSONAL || enabled WPA2_PERSONAL); then
- error "Secret is not set when PSK authentication is enabled"
- return ${EXIT_ERROR}
+ if enabled WPA3_PERSONAL || enabled WPA2_PERSONAL; then
+ if ! isset SECRET; then
+ error "Secret is not set when PSK authentication is enabled"
+ return ${EXIT_ERROR}
+ fi
+
+ # Check if SECRET is valid
+ if ! wireless_pre_shared_key_is_valid "${SECRET}"; then
+ error "The secret is in an invalid format"
+ return ${EXIT_ERROR}
+ fi
 fi
 # Save address of phy do identify it again
--
2.39.2
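Review bot: The new message `The secret is in an invalid format` does not tell the operator which rule failed; since the validator accepts only 8 to 63 ASCII characters, the message could say so, e.g. `error "The secret must be 8 to 63 ASCII characters long"`. Keeping the secret itself out of the message, as the code does now, is right and should stay that way. The same limits are applied when only `WPA3_PERSONAL` is enabled, and whether WPA3 passwords are meant to be held to the WPA2 passphrase limits is worth confirming. `hook_parse_cmdline` starts and ends outside this hunk.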