From c85b39ec503e331c1de9c9e26331da96615ed066 Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Thu, 4 Jun 2020 01:36:50 +0300
Subject: [PATCH] SAE-PK: Increment the minimum password length to 9

While this is not explicitly defined as the limit, lambda=8 (i.e., 9 characters with the added hyphen) is needed with Sec=5 to reach the minimum required resistance to preimage attacks, so use this as an implicit definition of the password length constraint.

Signed-off-by: Jouni Malinen
---
 src/common/sae_pk.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/src/common/sae_pk.c b/src/common/sae_pk.c
index 624557a4e..2469534b9 100644
--- a/src/common/sae_pk.c
+++ b/src/common/sae_pk.c
@@ -27,11 +27,12 @@ bool sae_pk_valid_password(const char *pw)
 {
 int pos;
 
- /* Minimum password length for SAE-PK is not defined, but the automatic
- * password style determination is more reliable if at least one hyphen
- * is forced to be present in the password. */
- if (os_strlen(pw) < 6)
+ if (os_strlen(pw) < 9) {
+ /* Not long enough to meet the minimum required resistance to
+ * preimage attacks, so do not consider this valid for SAE-PK.
+ */
 return false;
+ }
 
 for (pos = 0; pw[pos]; pos++) {
 if (pos && pos % 5 == 4) {
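Review bot: The new floor `if (os_strlen(pw) < 9) {` is justified in the commit message only for Sec=5, but the added comment drops that derivation and the check applies the same bound to every password whatever Sec value it encodes. A password using a lower Sec would presumably need a larger lambda to reach the same preimage resistance; whether that is enforced where Sec is decoded cannot be seen from this hunk. I would record the assumption at the check, for example `/* lambda=8 (9 characters with the hyphen) is the minimum for Sec=5; this is a lower bound only */`, so the literal 9 is traceable without reading the commit log. The body of sae_pk_valid_password continues past the end of the hunk, so the remaining per-character validation is not covered by this note.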