From 4c3fbb23460efb30f9028f2190c5d7b22e9cee5d Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Mon, 8 Jun 2020 14:49:31 +0300
Subject: [PATCH] SAE-PK: Check minimum password length more accurate

Get the Sec value from the password to check the minimum length based on the used Sec.

Signed-off-by: Jouni Malinen
---
 src/common/sae_pk.c | 23 +++++++++++++++++------
 1 file changed, 17 insertions(+), 6 deletions(-)

diff --git a/src/common/sae_pk.c b/src/common/sae_pk.c
index bb9c979a1..60979aab3 100644
--- a/src/common/sae_pk.c
+++ b/src/common/sae_pk.c
@@ -25,14 +25,25 @@ static const char *sae_pk_base32_table = "abcdefghijklmnopqrstuvwxyz234567";
 
 bool sae_pk_valid_password(const char *pw)
 {
- int pos;
+ int pos, sec;
+ const char *idx;
+ size_t pw_len = os_strlen(pw);
 
- if (os_strlen(pw) < 9) {
- /* Not long enough to meet the minimum required resistance to
- * preimage attacks, so do not consider this valid for SAE-PK.
- */
+ /* Check whether the password is long enough to meet the minimum
+ * required resistance to preimage attacks. This makes it less likely to
+ * recognize non-SAE-PK passwords as suitable for SAE-PK. */
+ if (pw_len < 1)
 return false;
- }
+ /* Fetch Sec from the two MSBs */
+ idx = os_strchr(sae_pk_base32_table, pw[0]);
+ if (!idx)
+ return false;
+ sec = ((u8) ((idx - sae_pk_base32_table) & 0x1f)) >> 3;
+ if ((sec == 2 && pw_len < 14) ||
+ (sec == 3 && pw_len < 13) ||
+ (sec == 4 && pw_len < 11) ||
+ (sec == 5 && pw_len < 9))
+ return false; /* too short password */
 
 for (pos = 0; pw[pos]; pos++) {
 if (pos && pos % 5 == 4) {
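Review bot: The `sec == 4` and `sec == 5` arms of the new length check can never match, because `sec` is a 5-bit table index (`& 0x1f`) shifted right by 3 and so can only be 0..3; conversely, passwords whose two MSBs decode to 0 or 1 get no minimum-length check at all and fall straight through to the per-character loop, which is exactly the case the commit message says it wants to tighten. Either the raw two-bit value has to be mapped onto the Sec range the thresholds assume (presumably per the SAE-PK password encoding — verify against the spec before changing it) or the thresholds have to be keyed on the reachable 0..3 values; as written the check is only effective for two of the four possible first-character prefixes. Whichever mapping is right, closing the fall-through with a final arm such as `else if (sec < 2 || sec > 5) return false; /* unknown Sec */` would keep an unexpected encoding from being accepted silently rather than treated as "no minimum". Minor: the `(u8)` cast and the `& 0x1f` mask are redundant on an index into a 32-entry table, and `sae_pk_valid_password`'s body continues outside the hunk.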