network: ensure passphrase is valid when psk is set

If PreSharedKey is set, the current logic does not validate the Passphrase beyond its existence. This can lead to strange situations where an invalid WPA3-PSK passphrase might get used. This can of course only happen if the user (as root) or NetworkManager-iwd-backend writes such a file incorrectly.
2024-12-22 13:02:44 +01:00 · 2021-04-27 09:34:22 -05:00 · 2021-04-27 09:34:22 -05:00 · 654154e721
commit 654154e721
parent 8d58f5b679
1 changed files with 28 additions and 28 deletions
--- a/src/network.c
+++ b/src/network.c
@ -32,6 +32,8 @@

 #include <ell/ell.h>

+#include "ell/useful.h"
+
 #include "src/missing.h"
 #include "src/module.h"
 #include "src/ie.h"
@ -377,56 +379,54 @@ static int network_load_psk(struct network *network, bool need_passphrase)
 	size_t psk_len;
 	uint8_t *psk = l_settings_get_bytes(network->settings, "Security",
 						"PreSharedKey", &psk_len);
-	char *passphrase = l_settings_get_string(network->settings,
+	_auto_(l_free) char *passphrase =
+			l_settings_get_string(network->settings,
 						"Security", "Passphrase");
+	_auto_(l_free) char *path =
+		storage_get_network_file_path(security, ssid);
 	int r;

-	/* PSK can be generated from the passphrase but not the other way */
-	if ((!psk || need_passphrase) && !passphrase) {
+	if (psk && psk_len != 32) {
+		l_error("%s: invalid PreSharedKey format", path);
 		l_free(psk);
-		return -ENOKEY;
+		psk = NULL;
+		psk_len = 0;
+	}
+
+	/* PSK can be generated from the passphrase but not the other way */
+	if (!psk || need_passphrase) {
+		if (!passphrase)
+			return -ENOKEY;
+
+		if (!crypto_passphrase_is_valid(passphrase)) {
+			l_error("%s: invalid Passphrase format", path);
+			return -ENOKEY;
+		}
 	}

 	network_reset_passphrase(network);
 	network_reset_psk(network);
-	network->passphrase = passphrase;
+	network->passphrase = l_steal_ptr(passphrase);

 	if (psk) {
-		char *path;
-
-		if (psk_len == 32) {
-			network->psk = psk;
-			return 0;
-		}
-
-		l_free(psk);
-
-		path = storage_get_network_file_path(security, ssid);
-		l_error("%s: invalid PreSharedKey format", path);
-		l_free(path);
-
-		if (!passphrase)
-			return -EINVAL;
+		network->psk = psk;
+		return 0;
 	}

 	network->psk = l_malloc(32);
-	r = crypto_psk_from_passphrase(passphrase, (uint8_t *) ssid,
+	r = crypto_psk_from_passphrase(network->passphrase, (uint8_t *) ssid,
 					strlen(ssid), network->psk);
 	if (!r) {
 		network->update_psk = true;
 		return 0;
 	}

-	if (r == -ERANGE || r == -EINVAL)
-		l_error("PSK generation failed: invalid passphrase format");
-	else
-		l_error("PSK generation failed: %s.  "
-			"Ensure Crypto Engine is properly configured",
-			strerror(-r));
+	l_error("PSK generation failed: %s", strerror(-r));

 	network_reset_passphrase(network);
 	network_reset_psk(network);
-	return -EINVAL;
+
+	return r;
 }

 void network_sync_psk(struct network *network)