Check the return of pbkdf2_sha1() for errors

pbkdf2_sha1() may return errors and this should be checked in calls.
This is especially an issue with FIPS builds because the FIPS
requirement is that the password must be at least 14 characters.

Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>

src/ap/ap_config.c

@@ -461,9 +461,12 @@ static int hostapd_derive_psk(struct hostapd_ssid *ssid)
 	wpa_hexdump_ascii_key(MSG_DEBUG, "PSK (ASCII passphrase)",
 			      (u8 *) ssid->wpa_passphrase,
 			      os_strlen(ssid->wpa_passphrase));
-	pbkdf2_sha1(ssid->wpa_passphrase,
-		    ssid->ssid, ssid->ssid_len,
-		    4096, ssid->wpa_psk->psk, PMK_LEN);
+	if (pbkdf2_sha1(ssid->wpa_passphrase,
+			ssid->ssid, ssid->ssid_len,
+			4096, ssid->wpa_psk->psk, PMK_LEN) != 0) {
+		wpa_printf(MSG_ERROR, "Error in pbkdf2_sha1()");
+		return -1;
+	}
 	wpa_hexdump_key(MSG_DEBUG, "PSK (from passphrase)",
 			ssid->wpa_psk->psk, PMK_LEN);
 	return 0;

src/ap/wpa_auth_glue.c

@@ -391,10 +391,14 @@ static const u8 * hostapd_wpa_auth_get_psk(void *ctx, const u8 *addr,
 		psk = sta->psk->psk;
 		for (pos = sta->psk; pos; pos = pos->next) {
 			if (pos->is_passphrase) {
-				pbkdf2_sha1(pos->passphrase,
-					    hapd->conf->ssid.ssid,
-					    hapd->conf->ssid.ssid_len, 4096,
-					    pos->psk, PMK_LEN);
+				if (pbkdf2_sha1(pos->passphrase,
+						hapd->conf->ssid.ssid,
+						hapd->conf->ssid.ssid_len, 4096,
+						pos->psk, PMK_LEN) != 0) {
+					wpa_printf(MSG_WARNING,
+						   "Error in pbkdf2_sha1()");
+					continue;
+				}
 				pos->is_passphrase = 0;
 			}
 			if (pos->psk == prev_psk) {