SAE-PK: Check minimum password length more accurate

Get the Sec value from the password to check the minimum length based on
the used Sec.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

diff --git a/src/common/sae_pk.c b/src/common/sae_pk.c
index bb9c979a146b8818b7b03b4b97e63e6216a61458..60979aab308792283498656f64c41a8e2c85ccb5 100644 (file)
--- a/src/common/sae_pk.c
+++ b/src/common/sae_pk.c
@@ -25,14 +25,25 @@ static const char *sae_pk_base32_table = "abcdefghijklmnopqrstuvwxyz234567";
 
 bool sae_pk_valid_password(const char *pw)
 {
-       int pos;
-
-       if (os_strlen(pw) < 9) {
-                /* Not long enough to meet the minimum required resistance to
-                 * preimage attacks, so do not consider this valid for SAE-PK.
-                 */
+       int pos, sec;
+       const char *idx;
+       size_t pw_len = os_strlen(pw);
+
+       /* Check whether the password is long enough to meet the minimum
+        * required resistance to preimage attacks. This makes it less likely to
+        * recognize non-SAE-PK passwords as suitable for SAE-PK. */
+       if (pw_len < 1)
                return false;
-       }
+       /* Fetch Sec from the two MSBs */
+       idx = os_strchr(sae_pk_base32_table, pw[0]);
+       if (!idx)
+               return false;
+       sec = ((u8) ((idx - sae_pk_base32_table) & 0x1f)) >> 3;
+       if ((sec == 2 && pw_len < 14) ||
+           (sec == 3 && pw_len < 13) ||
+           (sec == 4 && pw_len < 11) ||
+           (sec == 5 && pw_len < 9))
+               return false; /* too short password */
 
        for (pos = 0; pw[pos]; pos++) {
                if (pos && pos % 5 == 4) {