From: Juliusz Sosinowicz Date: Fri, 29 Apr 2022 14:11:54 +0000 (+0200) Subject: wolfSSL: Check for the too-short-password error in pbkdf2_sha1() X-Git-Tag: hostap_2_11~1973 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0c3f68f2a04e1585916beb41ff963f018cdf6e08;p=thirdparty%2Fhostap.git wolfSSL: Check for the too-short-password error in pbkdf2_sha1() This may fail with FIPS builds because the FIPS requirement is that the password must be at least 14 characters. Signed-off-by: Juliusz Sosinowicz
---
diff --git a/src/crypto/crypto_wolfssl.c b/src/crypto/crypto_wolfssl.c
index 15c368e42..f47beebeb 100644
--- a/src/crypto/crypto_wolfssl.c
+++ b/src/crypto/crypto_wolfssl.c
@@ -27,6 +27,7 @@
 #include
 #include
 #include
+#include
 #include
@@ -282,9 +283,18 @@ int hmac_sha512(const u8 *key, size_t key_len, const u8 *data,
 int pbkdf2_sha1(const char *passphrase, const u8 *ssid, size_t ssid_len,
 int iterations, u8 *buf, size_t buflen)
 {
- if (wc_PBKDF2(buf, (const byte*)passphrase, os_strlen(passphrase), ssid,
- ssid_len, iterations, buflen, WC_SHA) != 0)
+ int ret;
+
+ ret = wc_PBKDF2(buf, (const byte *) passphrase, os_strlen(passphrase),
+ ssid, ssid_len, iterations, buflen, WC_SHA);
+ if (ret != 0) {
+ if (ret == HMAC_MIN_KEYLEN_E) {
+ wpa_printf(MSG_ERROR,
+ "wolfSSL: Password is too short. Make sure your password is at least %d characters long. This is a requirement for FIPS builds.",
+ HMAC_FIPS_MIN_KEY);
+ }
 return -1;
+ }
 return 0;
 }
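Review bot: Only `HMAC_MIN_KEYLEN_E` is reported inside the new `if (ret != 0)` branch of pbkdf2_sha1(); every other wc_PBKDF2() failure still returns -1 with the wolfSSL error code discarded, which makes a failed PSK derivation hard to diagnose. An `else` arm such as `wpa_printf(MSG_ERROR, "wolfSSL: wc_PBKDF2 failed (%d)", ret);` would record the code without logging the passphrase itself. Separately, `os_strlen(passphrase)`, `ssid_len` and `buflen` are size_t values handed to wc_PBKDF2() parameters that wolfSSL declares as int, so if callers do not already bound them (not visible in this hunk) a range check before the call would make the narrowing explicit. A one-line comment above the function stating that `buf` must not be used as key material when -1 is returned would also help callers.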