[src/trunk]: src/external/bsd/wpa/dist/src http://w1.fi/security/2016-1/0001-...

[christos <christos%NetBSD.org@localhost>]

details:   https://anonhg.NetBSD.org/src/rev/5cd2ef2a63a0
branches:  trunk
changeset: 345035:5cd2ef2a63a0
user:      christos <christos%NetBSD.org@localhost>
date:      Tue May 03 18:19:44 2016 +0000

description:
http://w1.fi/security/2016-1/0001-WPS-Reject-a-Credential-with-invalid-passphrase.patch
WPA/WPA2-Personal passphrase is not allowed to include control
characters. Reject a Credential received from a WPS Registrar both as
STA (Credential) and AP (AP Settings) if the credential is for WPAPSK or
WPA2PSK authentication type and includes an invalid passphrase.

This fixes an issue where hostapd or wpa_supplicant could have updated
the configuration file PSK/passphrase parameter with arbitrary data from
an external device (Registrar) that may not be fully trusted. Should
such data include a newline character, the resulting configuration file
could become invalid and fail to be parsed.

diffstat:

 external/bsd/wpa/dist/src/utils/common.c         |  12 ++++++++++++
 external/bsd/wpa/dist/src/utils/common.h         |   1 +
 external/bsd/wpa/dist/src/wps/wps_attr_process.c |  10 ++++++++++
 3 files changed, 23 insertions(+), 0 deletions(-)

diffs (53 lines):

diff -r ef0fa494d82e -r 5cd2ef2a63a0 external/bsd/wpa/dist/src/utils/common.c
--- a/external/bsd/wpa/dist/src/utils/common.c  Tue May 03 18:18:15 2016 +0000
+++ b/external/bsd/wpa/dist/src/utils/common.c  Tue May 03 18:19:44 2016 +0000
@@ -671,6 +671,18 @@
 }
 
 
+int has_ctrl_char(const u8 *data, size_t len)
+{
+       size_t i;
+
+       for (i = 0; i < len; i++) {
+               if (data[i] < 32 || data[i] == 127)
+                       return 1;
+       }
+       return 0;
+}
+
+
 size_t merge_byte_arrays(u8 *res, size_t res_len,
                         const u8 *src1, size_t src1_len,
                         const u8 *src2, size_t src2_len)
diff -r ef0fa494d82e -r 5cd2ef2a63a0 external/bsd/wpa/dist/src/utils/common.h
--- a/external/bsd/wpa/dist/src/utils/common.h  Tue May 03 18:18:15 2016 +0000
+++ b/external/bsd/wpa/dist/src/utils/common.h  Tue May 03 18:19:44 2016 +0000
@@ -501,6 +501,7 @@
 
 char * wpa_config_parse_string(const char *value, size_t *len);
 int is_hex(const u8 *data, size_t len);
+int has_ctrl_char(const u8 *data, size_t len);
 size_t merge_byte_arrays(u8 *res, size_t res_len,
                         const u8 *src1, size_t src1_len,
                         const u8 *src2, size_t src2_len);
diff -r ef0fa494d82e -r 5cd2ef2a63a0 external/bsd/wpa/dist/src/wps/wps_attr_process.c
--- a/external/bsd/wpa/dist/src/wps/wps_attr_process.c  Tue May 03 18:18:15 2016 +0000
+++ b/external/bsd/wpa/dist/src/wps/wps_attr_process.c  Tue May 03 18:19:44 2016 +0000
@@ -229,6 +229,16 @@
                cred->key_len--;
 #endif /* CONFIG_WPS_STRICT */
        }
+
+
+       if (cred->auth_type & (WPS_AUTH_WPAPSK | WPS_AUTH_WPA2PSK) &&
+           (cred->key_len < 8 || has_ctrl_char(cred->key, cred->key_len))) {
+               wpa_printf(MSG_INFO, "WPS: Reject credential with invalid WPA/WPA2-Personal passphrase");
+               wpa_hexdump_ascii_key(MSG_INFO, "WPS: Network Key",
+                                     cred->key, cred->key_len);
+               return -1;
+       }
+
        return 0;
 }