From 549c5b97b93cfe38e5d5d2dc95f4168f64cf856f Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Fri, 18 Aug 2017 15:57:07 +0200
Subject: [PATCH] wireless networks: Validate any PSKs for WPA*

Signed-off-by: Michael Tremer
---
 src/functions/functions.wireless | 26 +++++++++++++++++
 src/functions/functions.wireless-networks | 34 +++++++++++++++++++++--
 2 files changed, 58 insertions(+), 2 deletions(-)

diff --git a/src/functions/functions.wireless b/src/functions/functions.wireless
index 7ddb59cb..d12efc65 100644
--- a/src/functions/functions.wireless
+++ b/src/functions/functions.wireless
@@ -329,6 +329,32 @@ wireless_set_channel() {
 cmd iw dev "${device}" set channel "${channel}"
 }
 
+wireless_pre_shared_key_is_valid() {
+ local encryption_mode="${1}"
+ local psk="${2}"
+
+ # Length of the PSK
+ local l="${#psk}"
+
+ case "${encryption_mode}" in
+ # For WPA*, the key must be between 8 and 63 chars
+ WPA2-PSK|WPA2-PSK-SHA256|WPA-PSK|WPA-PSK-SHA256)
+ if [ ${l} -ge 8 ] && [ ${l} -le 63 ]; then
+ return ${EXIT_TRUE}
+ fi
+
+ return ${EXIT_FALSE}
+ ;;
+
+ WEP)
+ # XXX need to check if the key is entered in
+ # hex or ascii and then count the bytes
+ ;;
+ esac
+
+ return ${EXIT_ERROR}
+}
+
 wireless_ibss_join() {
 local device=${1}
 assert isset device
diff --git a/src/functions/functions.wireless-networks b/src/functions/functions.wireless-networks
index e2af14cd..1d39bcda 100644
--- a/src/functions/functions.wireless-networks
+++ b/src/functions/functions.wireless-networks
@@ -32,7 +32,7 @@ cli_wireless_network() {
 *)
 local ssid="${1}"
 local key="${2//-/_}"
- shift
+ shift 2
 
 if ! wireless_network_exists "${ssid}"; then
 error "No such wireless network: ${ssid}"
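Review bot: In `wireless_pre_shared_key_is_valid` (functions.wireless) the `WEP)` branch holds only a comment and `;;`, so it falls through to `return ${EXIT_ERROR}` exactly like an unknown mode. Both callers added by this patch negate the result, so on a WEP network every key would be refused and a mode change to WEP would reset the stored key. Until the hex/ASCII check exists, make that outcome explicit, for example with the comment `# WEP keys are not validated yet; callers treat EXIT_ERROR as "invalid"` above the final return. For the WPA branch, `${#psk}` counts characters in the current locale rather than bytes, so a passphrase with multi-byte characters can pass the 63 limit while being longer on the wire; if a 64-hex-digit raw PSK is meant to be supported it is also rejected here, which is worth stating in the comment.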
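Review bot: `shift 2` in the `*)` branch of `cli_wireless_network` assumes at least two positional arguments; in bash, a shift count larger than `$#` shifts nothing and returns non-zero, so a call that passes only the SSID would leave `${1}` in place for whatever consumes the remaining arguments. The rest of the branch is outside this hunk, so the effect is inferred. A bounded form such as `shift $(( $# < 2 ? $# : 2 ))`, or an explicit `$#` check that reports a missing key, would avoid this.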
@@ -270,7 +270,23 @@ wireless_network_encryption_mode() {
 return ${EXIT_ERROR}
 fi
 
- if ! wireless_network_write_config_key "${ssid}" "ENCRYPTION_MODE" ${mode^^}; then
+ local ${WIRELESS_NETWORK_CONFIG_SETTINGS}
+ if ! wireless_network_read_config "${ssid}"; then
+ error "Could not read configuration for ${ssid}"
+ return ${EXIT_ERROR}
+ fi
+
+ # Validate the PSK when changing mode and reset if needed
+ if isset PSK && [ "${mode}" != "NONE" ] && \
+ ! wireless_pre_shared_key_is_valid "${mode}" "${PSK}"; then
+ log WARNING "The configured pre-shared-key is incompatible with this encryption mode and has been reset"
+ PSK=""
+ fi
+
+ # Save new encryption mode
+ ENCRYPTION_MODE="${mode}"
+
+ if ! wireless_network_write_config "${ssid}"; then
 log ERROR "Could not write configuration settings"
 return ${EXIT_ERROR}
 fi
@@ -284,6 +300,20 @@ wireless_network_pre_shared_key() {
 local ssid="${1}"
 local psk="${2}"
 
+ local ${WIRELESS_NETWORK_CONFIG_SETTINGS}
+ if ! wireless_network_read_config "${ssid}"; then
+ error "Could not read configuration for ${ssid}"
+ return ${EXIT_ERROR}
+ fi
+
+ # Validate the key if encryption mode is known
+ if isset ENCRYPTION_MODE && [ "${ENCRYPTION_MODE}" != "NONE" ]; then
+ if ! wireless_pre_share_key_is_valid "${ENCRYPTION_MODE}" "${psk}"; then
+ error "The pre-shared-key is invalid for this wireless network: ${psk}"
+ return ${EXIT_ERROR}
+ fi
+ fi
+
 if ! wireless_network_write_config_key "${ssid}" "PSK" "${psk}"; then
 log ERROR "Could not write configuration settings"
 return ${EXIT_ERROR}
-- 
2.39.2
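Review bot: The removed line wrote `${mode^^}`, but the new code in `wireless_network_encryption_mode` compares, validates and stores `${mode}` exactly as passed. If a lower-case mode can reach this point (the validation above is outside the hunk), `none` would not equal `NONE`, the validator's upper-case `case` patterns would not match, and a valid PSK would be reset while the mode is saved un-normalised. Normalise once before the check with `mode="${mode^^}"`. Separately, the reset path writes a WPA mode with an empty PSK and only logs a WARNING; returning an error and leaving the configuration untouched may be the safer behaviour.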
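Review bot: `wireless_network_pre_shared_key` calls `wireless_pre_share_key_is_valid`, while the function added in functions.wireless is named `wireless_pre_shared_key_is_valid`; unless a function with the misspelled name exists elsewhere, the call fails as command-not-found and the negation rejects every key once an encryption mode is set. The error message also interpolates `${psk}`, which prints the secret to the terminal and possibly into logs. Suggested lines: `if ! wireless_pre_shared_key_is_valid "${ENCRYPTION_MODE}" "${psk}"; then` and `error "The pre-shared-key is invalid for this wireless network"`. The function body continues past the end of the hunk.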