Loading nixos/tests/wpa_supplicant.nix +7 −5 Original line number Diff line number Diff line Loading @@ -8,6 +8,8 @@ let maintainers = [ oddlama rnhmjoj ]; }; naughtyPassphrase = ''!,./;'[]\-=<>?:"{}|_+@$%^&*()`~ # ceci n'est pas un commentaire''; runConnectionTest = name: extraConfig: runTest { name = "wpa_supplicant-${name}"; inherit meta; Loading @@ -28,7 +30,7 @@ let ssid = "nixos-test-sae"; authentication = { mode = "wpa3-sae"; saePasswords = [ { password = "reproducibility"; } ]; saePasswords = [ { password = naughtyPassphrase; } ]; }; bssid = "02:00:00:00:00:00"; }; Loading @@ -37,8 +39,8 @@ let authentication = { mode = "wpa3-sae-transition"; saeAddToMacAllow = true; saePasswordsFile = pkgs.writeText "password" "reproducibility"; wpaPasswordFile = pkgs.writeText "password" "reproducibility"; saePasswordsFile = pkgs.writeText "password" naughtyPassphrase; wpaPasswordFile = pkgs.writeText "password" naughtyPassphrase; }; bssid = "02:00:00:00:00:01"; }; Loading @@ -46,7 +48,7 @@ let ssid = "nixos-test-wpa2"; authentication = { mode = "wpa2-sha256"; wpaPassword = "reproducibility"; wpaPassword = naughtyPassphrase; }; bssid = "02:00:00:00:00:02"; }; Loading @@ -66,7 +68,7 @@ let # secrets secretsFile = pkgs.writeText "wpa-secrets" '' psk_nixos_test=reproducibility psk_nixos_test=${naughtyPassphrase} ''; } extraConfig Loading pkgs/os-specific/linux/wpa_supplicant/default.nix +1 −0 Original line number Diff line number Diff line Loading @@ -22,6 +22,7 @@ stdenv.mkDerivation rec { hash = "sha256-X6mBbj7BkW66aYeSCiI3JKBJv10etLQxaTRfRgwsFmM="; revert = true; }) ./unsurprising-ext-password.patch ]; # TODO: Patch epoll so that the dbus actually responds Loading pkgs/os-specific/linux/wpa_supplicant/unsurprising-ext-password.patch 0 → 100644 +66 −0 Original line number Diff line number Diff line From e5ac0dd1af48e085bb824082ef3b64afba673ded Mon Sep 17 00:00:00 2001 From: rnhmjoj <rnhmjoj@inventati.org> Date: Wed, 18 Sep 2024 13:43:44 +0200 Subject: [PATCH] ext_password_file: do not use wpa_config_get_line To: hostap@lists.infradead.org The file-based backed of the ext_password framework uses `wpa_config_get_line` to read the passwords line-by-line from a file. This function is meant to parse a single line from the wpa_supplicant.conf file, so it handles whitespace, quotes and other characters specially. Its behavior, however, it's not compatible with the rest of the ext_password framework implementation. For example, if a passphrase contains a `#` character it must be quoted to prevent parsing the remaining characters as an inline comment, but the code handling the external password in `wpa_supplicant_get_psk` does not handle quotes. The result is that either it will hash the enclosing quotes, producing a wrong PSK, or if the passphrase is long enough, fail the length check. As a consequence, some passphrases are impossible to input correctly. To solve this and other issues, this patch changes the behaviour of the `ext_password_file_get` function (which was not documented in details, at least w.r.t. special characters) to simply treat all characters literally: including trailing whitespaces (except CR and LF), `#` for inline comments, etc. Empty lines and full-line comments are still supported. Signed-off-by: Michele Guerini Rocco <rnhmjoj@inventati.org> --- src/utils/ext_password_file.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/src/utils/ext_password_file.c b/src/utils/ext_password_file.c index 4bb0095f3..f631ff15c 100644 --- a/src/utils/ext_password_file.c +++ b/src/utils/ext_password_file.c @@ -9,7 +9,6 @@ #include "includes.h" #include "utils/common.h" -#include "utils/config.h" #include "ext_password_i.h" @@ -97,7 +96,16 @@ static struct wpabuf * ext_password_file_get(void *ctx, const char *name) wpa_printf(MSG_DEBUG, "EXT PW FILE: get(%s)", name); - while (wpa_config_get_line(buf, sizeof(buf), f, &line, &pos)) { + while ((pos = fgets(buf, sizeof(buf), f))) { + line++; + + /* Strip newline characters */ + pos[strcspn(pos, "\r\n")] = 0; + + /* Skip comments and empty lines */ + if (*pos == '#' || *pos == '\0') + continue; + char *sep = os_strchr(pos, '='); if (!sep) { -- 2.44.1 Loading
nixos/tests/wpa_supplicant.nix +7 −5 Original line number Diff line number Diff line Loading @@ -8,6 +8,8 @@ let maintainers = [ oddlama rnhmjoj ]; }; naughtyPassphrase = ''!,./;'[]\-=<>?:"{}|_+@$%^&*()`~ # ceci n'est pas un commentaire''; runConnectionTest = name: extraConfig: runTest { name = "wpa_supplicant-${name}"; inherit meta; Loading @@ -28,7 +30,7 @@ let ssid = "nixos-test-sae"; authentication = { mode = "wpa3-sae"; saePasswords = [ { password = "reproducibility"; } ]; saePasswords = [ { password = naughtyPassphrase; } ]; }; bssid = "02:00:00:00:00:00"; }; Loading @@ -37,8 +39,8 @@ let authentication = { mode = "wpa3-sae-transition"; saeAddToMacAllow = true; saePasswordsFile = pkgs.writeText "password" "reproducibility"; wpaPasswordFile = pkgs.writeText "password" "reproducibility"; saePasswordsFile = pkgs.writeText "password" naughtyPassphrase; wpaPasswordFile = pkgs.writeText "password" naughtyPassphrase; }; bssid = "02:00:00:00:00:01"; }; Loading @@ -46,7 +48,7 @@ let ssid = "nixos-test-wpa2"; authentication = { mode = "wpa2-sha256"; wpaPassword = "reproducibility"; wpaPassword = naughtyPassphrase; }; bssid = "02:00:00:00:00:02"; }; Loading @@ -66,7 +68,7 @@ let # secrets secretsFile = pkgs.writeText "wpa-secrets" '' psk_nixos_test=reproducibility psk_nixos_test=${naughtyPassphrase} ''; } extraConfig Loading
pkgs/os-specific/linux/wpa_supplicant/default.nix +1 −0 Original line number Diff line number Diff line Loading @@ -22,6 +22,7 @@ stdenv.mkDerivation rec { hash = "sha256-X6mBbj7BkW66aYeSCiI3JKBJv10etLQxaTRfRgwsFmM="; revert = true; }) ./unsurprising-ext-password.patch ]; # TODO: Patch epoll so that the dbus actually responds Loading
pkgs/os-specific/linux/wpa_supplicant/unsurprising-ext-password.patch 0 → 100644 +66 −0 Original line number Diff line number Diff line From e5ac0dd1af48e085bb824082ef3b64afba673ded Mon Sep 17 00:00:00 2001 From: rnhmjoj <rnhmjoj@inventati.org> Date: Wed, 18 Sep 2024 13:43:44 +0200 Subject: [PATCH] ext_password_file: do not use wpa_config_get_line To: hostap@lists.infradead.org The file-based backed of the ext_password framework uses `wpa_config_get_line` to read the passwords line-by-line from a file. This function is meant to parse a single line from the wpa_supplicant.conf file, so it handles whitespace, quotes and other characters specially. Its behavior, however, it's not compatible with the rest of the ext_password framework implementation. For example, if a passphrase contains a `#` character it must be quoted to prevent parsing the remaining characters as an inline comment, but the code handling the external password in `wpa_supplicant_get_psk` does not handle quotes. The result is that either it will hash the enclosing quotes, producing a wrong PSK, or if the passphrase is long enough, fail the length check. As a consequence, some passphrases are impossible to input correctly. To solve this and other issues, this patch changes the behaviour of the `ext_password_file_get` function (which was not documented in details, at least w.r.t. special characters) to simply treat all characters literally: including trailing whitespaces (except CR and LF), `#` for inline comments, etc. Empty lines and full-line comments are still supported. Signed-off-by: Michele Guerini Rocco <rnhmjoj@inventati.org> --- src/utils/ext_password_file.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/src/utils/ext_password_file.c b/src/utils/ext_password_file.c index 4bb0095f3..f631ff15c 100644 --- a/src/utils/ext_password_file.c +++ b/src/utils/ext_password_file.c @@ -9,7 +9,6 @@ #include "includes.h" #include "utils/common.h" -#include "utils/config.h" #include "ext_password_i.h" @@ -97,7 +96,16 @@ static struct wpabuf * ext_password_file_get(void *ctx, const char *name) wpa_printf(MSG_DEBUG, "EXT PW FILE: get(%s)", name); - while (wpa_config_get_line(buf, sizeof(buf), f, &line, &pos)) { + while ((pos = fgets(buf, sizeof(buf), f))) { + line++; + + /* Strip newline characters */ + pos[strcspn(pos, "\r\n")] = 0; + + /* Skip comments and empty lines */ + if (*pos == '#' || *pos == '\0') + continue; + char *sep = os_strchr(pos, '='); if (!sep) { -- 2.44.1
