Check the return of pbkdf2_sha1() for errors

pbkdf2_sha1() may return errors and this should be checked in calls.
This is especially an issue with FIPS builds because the FIPS
requirement is that the password must be at least 14 characters.

Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
Juliusz Sosinowicz 2022-04-29 16:11:54 +02:00 committed by Jouni Malinen
parent 013cd694d9
commit ca26224815
5 changed files with 41 additions and 15 deletions


@ -461,9 +461,12 @@ static int hostapd_derive_psk(struct hostapd_ssid *ssid)
wpa_hexdump_ascii_key(MSG_DEBUG, "PSK (ASCII passphrase)",
(u8 *) ssid->wpa_passphrase,
os_strlen(ssid->wpa_passphrase));
pbkdf2_sha1(ssid->wpa_passphrase,
ssid->ssid, ssid->ssid_len,
4096, ssid->wpa_psk->psk, PMK_LEN);
if (pbkdf2_sha1(ssid->wpa_passphrase,
ssid->ssid, ssid->ssid_len,
4096, ssid->wpa_psk->psk, PMK_LEN) != 0) {
wpa_printf(MSG_ERROR, "Error in pbkdf2_sha1()");
return -1;
}
wpa_hexdump_key(MSG_DEBUG, "PSK (from passphrase)",
ssid->wpa_psk->psk, PMK_LEN);
return 0;
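Review bot: The new `return -1` leaves `ssid->wpa_psk` pointing at a structure whose `psk` was never successfully derived. The allocation and the callers are outside this hunk, but if any later path treats a non-NULL `ssid->wpa_psk` as an already configured key, a failed derivation would leave an underived (possibly all-zero) PSK in place. Consider clearing and releasing it before returning, e.g. `bin_clear_free(ssid->wpa_psk, sizeof(*ssid->wpa_psk)); ssid->wpa_psk = NULL;`, assuming no other reference to it is held at that point.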


@ -391,10 +391,14 @@ static const u8 * hostapd_wpa_auth_get_psk(void *ctx, const u8 *addr,
psk = sta->psk->psk;
for (pos = sta->psk; pos; pos = pos->next) {
if (pos->is_passphrase) {
pbkdf2_sha1(pos->passphrase,
hapd->conf->ssid.ssid,
hapd->conf->ssid.ssid_len, 4096,
pos->psk, PMK_LEN);
if (pbkdf2_sha1(pos->passphrase,
hapd->conf->ssid.ssid,
hapd->conf->ssid.ssid_len, 4096,
pos->psk, PMK_LEN) != 0) {
wpa_printf(MSG_WARNING,
"Error in pbkdf2_sha1()");
continue;
}
pos->is_passphrase = 0;
}
if (pos->psk == prev_psk) {
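Review bot: The `continue` on failure skips the `pos->psk == prev_psk` comparison below it and leaves `pos->is_passphrase` set, so the failed entry is neither stepped past nor marked as handled. `psk` is assigned `sta->psk->psk` before the loop, so when the failing entry is the head of the list that underived buffer is presumably what the function still hands back (the return is outside the hunk). It would be safer to guarantee that a failed entry can never be returned, for example by setting `psk` to NULL when the head entry fails to derive. Each later call will also repeat the 4096-iteration derivation and the MSG_WARNING for the same entry, so consider recording the failure so the entry is skipped cheaply.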


@ -3426,8 +3426,11 @@ char * wpa_config_get_no_key(struct wpa_ssid *ssid, const char *var)
void wpa_config_update_psk(struct wpa_ssid *ssid)
{
#ifndef CONFIG_NO_PBKDF2
pbkdf2_sha1(ssid->passphrase, ssid->ssid, ssid->ssid_len, 4096,
ssid->psk, PMK_LEN);
if (pbkdf2_sha1(ssid->passphrase, ssid->ssid, ssid->ssid_len, 4096,
ssid->psk, PMK_LEN) != 0) {
wpa_printf(MSG_ERROR, "Error in pbkdf2_sha1()");
return;
}
wpa_hexdump_key(MSG_MSGDUMP, "PSK (from passphrase)",
ssid->psk, PMK_LEN);
ssid->psk_set = 1;
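Review bot: On failure this returns without touching `ssid->psk_set`, and because the function is `void` the caller cannot tell that derivation failed. If `psk_set` was already 1 from an earlier passphrase (whether callers reset it first is not visible here), the old key in `ssid->psk` stays marked valid for the new passphrase. Adding `ssid->psk_set = 0;` before the `return;` would make the failure state explicit. The function body continues past the end of the hunk.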


@ -58,7 +58,11 @@ int main(int argc, char *argv[])
return 1;
}
pbkdf2_sha1(passphrase, (u8 *) ssid, os_strlen(ssid), 4096, psk, 32);
if (pbkdf2_sha1(passphrase, (u8 *) ssid, os_strlen(ssid), 4096, psk, 32)
!= 0) {
fprintf(stderr, "Error in pbkdf2_sha1()\n");
return 1;
}
printf("network={\n");
printf("\tssid=\"%s\"\n", ssid);
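Review bot: The message `Error in pbkdf2_sha1()` gives a user of this command-line tool no indication of why derivation failed. The commit description names the FIPS minimum passphrase length as the main trigger, so the text could say so, e.g. `fprintf(stderr, "Error in pbkdf2_sha1() (passphrase may be too short for a FIPS build)\n");`. The same bare message is used at the other five call sites in this commit, where logging the return value would help as well. `main` starts and ends outside the hunk.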


@ -1774,9 +1774,15 @@ int wpa_supplicant_set_suites(struct wpa_supplicant *wpa_s,
if (bss && ssid->bssid_set && ssid->ssid_len == 0 &&
ssid->passphrase && !sae_only) {
u8 psk[PMK_LEN];
pbkdf2_sha1(ssid->passphrase, bss->ssid, bss->ssid_len,
4096, psk, PMK_LEN);
wpa_hexdump_key(MSG_MSGDUMP, "PSK (from passphrase)",
if (pbkdf2_sha1(ssid->passphrase, bss->ssid,
bss->ssid_len,
4096, psk, PMK_LEN) != 0) {
wpa_msg(wpa_s, MSG_WARNING,
"Error in pbkdf2_sha1()");
return -1;
}
wpa_hexdump_key(MSG_MSGDUMP, "PSK (from passphrase)",
psk, PMK_LEN);
wpa_sm_set_pmk(wpa_s->wpa, psk, PMK_LEN, NULL, NULL);
psk_set = 1;
@ -1810,8 +1816,14 @@ int wpa_supplicant_set_suites(struct wpa_supplicant *wpa_s,
#ifndef CONFIG_NO_PBKDF2
if (wpabuf_len(pw) >= 8 && wpabuf_len(pw) < 64 && bss)
{
pbkdf2_sha1(pw_str, bss->ssid, bss->ssid_len,
4096, psk, PMK_LEN);
if (pbkdf2_sha1(pw_str, bss->ssid,
bss->ssid_len,
4096, psk, PMK_LEN) != 0) {
wpa_msg(wpa_s, MSG_WARNING,
"Error in pbkdf2_sha1()");
ext_password_free(pw);
return -1;
}
os_memset(pw_str, 0, sizeof(pw_str));
wpa_hexdump_key(MSG_MSGDUMP, "PSK (from "
"external passphrase)",
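Review bot: In the second hunk the new error path returns before `os_memset(pw_str, 0, sizeof(pw_str));` runs, so the plaintext copy of the external passphrase in `pw_str` is left on the stack when derivation fails. Clear it on that path too, by adding `os_memset(pw_str, 0, sizeof(pw_str));` ahead of `ext_password_free(pw);`. Both error paths in this file also leave the local `psk` buffer unwiped, and it may hold partial output; clearing it before `return -1` would be consistent. The function extends beyond both hunks.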