WPS: Fix debug prints in wps_derive_psk() error case

Check for hmac_sha256() failures and exit from wps_derive_psk() without printing out the derived keys if anything fails. This removes a valgrind warning on uninitialized value when running the ap_wps_m3_oom test case. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-05-16 19:35:03 +03:00 · 2016-05-16 19:35:03 +03:00 · aae125e2cf
commit aae125e2cf
parent 7d1007a674
4 changed files with 16 additions and 11 deletions
--- a/src/wps/wps_common.c
+++ b/src/wps/wps_common.c
@ -129,23 +129,26 @@ int wps_derive_keys(struct wps_data *wps)
 }


-void wps_derive_psk(struct wps_data *wps, const u8 *dev_passwd,
-		    size_t dev_passwd_len)
+int wps_derive_psk(struct wps_data *wps, const u8 *dev_passwd,
+		   size_t dev_passwd_len)
 {
 	u8 hash[SHA256_MAC_LEN];

-	hmac_sha256(wps->authkey, WPS_AUTHKEY_LEN, dev_passwd,
-		    (dev_passwd_len + 1) / 2, hash);
+	if (hmac_sha256(wps->authkey, WPS_AUTHKEY_LEN, dev_passwd,
+			(dev_passwd_len + 1) / 2, hash) < 0)
+		return -1;
 	os_memcpy(wps->psk1, hash, WPS_PSK_LEN);
-	hmac_sha256(wps->authkey, WPS_AUTHKEY_LEN,
-		    dev_passwd + (dev_passwd_len + 1) / 2,
-		    dev_passwd_len / 2, hash);
+	if (hmac_sha256(wps->authkey, WPS_AUTHKEY_LEN,
+			dev_passwd + (dev_passwd_len + 1) / 2,
+			dev_passwd_len / 2, hash) < 0)
+		return -1;
 	os_memcpy(wps->psk2, hash, WPS_PSK_LEN);

 	wpa_hexdump_ascii_key(MSG_DEBUG, "WPS: Device Password",
 			      dev_passwd, dev_passwd_len);
 	wpa_hexdump_key(MSG_DEBUG, "WPS: PSK1", wps->psk1, WPS_PSK_LEN);
 	wpa_hexdump_key(MSG_DEBUG, "WPS: PSK2", wps->psk2, WPS_PSK_LEN);
+	return 0;
 }


--- a/src/wps/wps_enrollee.c
+++ b/src/wps/wps_enrollee.c
@ -173,7 +173,8 @@ static struct wpabuf * wps_build_m3(struct wps_data *wps)
 		wpa_printf(MSG_DEBUG, "WPS: No Device Password available");
 		return NULL;
 	}
-	wps_derive_psk(wps, wps->dev_password, wps->dev_password_len);
+	if (wps_derive_psk(wps, wps->dev_password, wps->dev_password_len) < 0)
+		return NULL;

 	if (wps->wps->ap && random_pool_ready() != 1) {
 		wpa_printf(MSG_INFO,
--- a/src/wps/wps_i.h
+++ b/src/wps/wps_i.h
@ -132,8 +132,8 @@ struct wps_data {
 void wps_kdf(const u8 *key, const u8 *label_prefix, size_t label_prefix_len,
 	     const char *label, u8 *res, size_t res_len);
 int wps_derive_keys(struct wps_data *wps);
-void wps_derive_psk(struct wps_data *wps, const u8 *dev_passwd,
-		    size_t dev_passwd_len);
+int wps_derive_psk(struct wps_data *wps, const u8 *dev_passwd,
+		   size_t dev_passwd_len);
 struct wpabuf * wps_decrypt_encr_settings(struct wps_data *wps, const u8 *encr,
 					  size_t encr_len);
 void wps_fail_event(struct wps_context *wps, enum wps_msg_type msg,
--- a/src/wps/wps_registrar.c
+++ b/src/wps/wps_registrar.c
@ -1928,7 +1928,8 @@ static struct wpabuf * wps_build_m4(struct wps_data *wps)

 	wpa_printf(MSG_DEBUG, "WPS: Building Message M4");

-	wps_derive_psk(wps, wps->dev_password, wps->dev_password_len);
+	if (wps_derive_psk(wps, wps->dev_password, wps->dev_password_len) < 0)
+		return NULL;

 	plain = wpabuf_alloc(200);
 	if (plain == NULL)