WPS: Reject a Credential with invalid passphrase

WPA/WPA2-Personal passphrase is not allowed to include control
characters. Reject a Credential received from a WPS Registrar both as
STA (Credential) and AP (AP Settings) if the credential is for WPAPSK or
WPA2PSK authentication type and includes an invalid passphrase.

This fixes an issue where hostapd or wpa_supplicant could have updated
the configuration file PSK/passphrase parameter with arbitrary data from
an external device (Registrar) that may not be fully trusted. Should
such data include a newline character, the resulting configuration file
could become invalid and fail to be parsed.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

diff --git a/src/utils/common.c b/src/utils/common.c
index 450e2c6519ba6a52d223a9075c728b80e7379cd7..27b7c02de10bb44364a1195b187df19554bab9a4 100644 (file)
--- a/src/utils/common.c
+++ b/src/utils/common.c
@@ -697,6 +697,18 @@ int is_hex(const u8 *data, size_t len)
 }
 
 
+int has_ctrl_char(const u8 *data, size_t len)
+{
+       size_t i;
+
+       for (i = 0; i < len; i++) {
+               if (data[i] < 32 || data[i] == 127)
+                       return 1;
+       }
+       return 0;
+}
+
+
 size_t merge_byte_arrays(u8 *res, size_t res_len,
                         const u8 *src1, size_t src1_len,
                         const u8 *src2, size_t src2_len)

diff --git a/src/utils/common.h b/src/utils/common.h
index 701dbb236ed545da9d2f8380ebf6d78ef54d6fc1..a97224070385711f985447e7ead464079963f5a4 100644 (file)
--- a/src/utils/common.h
+++ b/src/utils/common.h
@@ -488,6 +488,7 @@ const char * wpa_ssid_txt(const u8 *ssid, size_t ssid_len);
 
 char * wpa_config_parse_string(const char *value, size_t *len);
 int is_hex(const u8 *data, size_t len);
+int has_ctrl_char(const u8 *data, size_t len);
 size_t merge_byte_arrays(u8 *res, size_t res_len,
                         const u8 *src1, size_t src1_len,
                         const u8 *src2, size_t src2_len);

diff --git a/src/wps/wps_attr_process.c b/src/wps/wps_attr_process.c
index eadb22fe2e78bf02c33140d400d82b5f49b2983c..e8c4579309ab39138419cce0cc9f2b2c8a0127cf 100644 (file)
--- a/src/wps/wps_attr_process.c
+++ b/src/wps/wps_attr_process.c
@@ -229,6 +229,16 @@ static int wps_workaround_cred_key(struct wps_credential *cred)
                cred->key_len--;
 #endif /* CONFIG_WPS_STRICT */
        }
+
+
+       if (cred->auth_type & (WPS_AUTH_WPAPSK | WPS_AUTH_WPA2PSK) &&
+           (cred->key_len < 8 || has_ctrl_char(cred->key, cred->key_len))) {
+               wpa_printf(MSG_INFO, "WPS: Reject credential with invalid WPA/WPA2-Personal passphrase");
+               wpa_hexdump_ascii_key(MSG_INFO, "WPS: Network Key",
+                                     cred->key, cred->key_len);
+               return -1;
+       }
+
        return 0;
 }