From a065b80b90b6d559c67b519b3fcd018d803cdd68 Mon Sep 17 00:00:00 2001
From: rnhmjoj
Date: Wed, 18 Sep 2024 14:26:21 +0200
Subject: [PATCH 1/2] wpa_supplicant: add patch to fix ext_passwords_file bug

This fixes inconsistent behaviour in ext_passwords_file that makes impossible to input passphrases containing certain characters. Closes #342140
---
 .../linux/wpa_supplicant/default.nix | 1 +
 .../unsurprising-ext-password.patch | 66 +++++++++++++++++++
 2 files changed, 67 insertions(+)
 create mode 100644 pkgs/os-specific/linux/wpa_supplicant/unsurprising-ext-password.patch

diff --git a/pkgs/os-specific/linux/wpa_supplicant/default.nix b/pkgs/os-specific/linux/wpa_supplicant/default.nix
index 4770f0956d56..6463e46842a4 100644
--- a/pkgs/os-specific/linux/wpa_supplicant/default.nix
+++ b/pkgs/os-specific/linux/wpa_supplicant/default.nix
@@ -22,6 +22,7 @@ stdenv.mkDerivation rec {
 hash = "sha256-X6mBbj7BkW66aYeSCiI3JKBJv10etLQxaTRfRgwsFmM=";
 revert = true;
 })
+ ./unsurprising-ext-password.patch
 ];
 
 # TODO: Patch epoll so that the dbus actually responds
diff --git a/pkgs/os-specific/linux/wpa_supplicant/unsurprising-ext-password.patch b/pkgs/os-specific/linux/wpa_supplicant/unsurprising-ext-password.patch
new file mode 100644
index 000000000000..d971acaeb7b9
--- /dev/null
+++ b/pkgs/os-specific/linux/wpa_supplicant/unsurprising-ext-password.patch
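Review bot: The added `./unsurprising-ext-password.patch` entry gives no hint that the patch is a local, not-yet-merged submission (the patch file itself is addressed to hostap@lists.infradead.org), so nobody will know when it can be dropped or whether the next wpa_supplicant bump needs a rebase. A comment above the line, `# Fix ext_password_file parsing of passphrases with '#', quotes or whitespace; submitted upstream to hostap@lists.infradead.org 2024-09-18, drop once included in a release`, would carry that. The patch also changes user-visible semantics of the external password file (trailing whitespace and `#` become literal), which may deserve a line in the NixOS release notes. The `patches` list continues outside the hunk.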
@@ -0,0 +1,66 @@
+From e5ac0dd1af48e085bb824082ef3b64afba673ded Mon Sep 17 00:00:00 2001
+From: rnhmjoj
+Date: Wed, 18 Sep 2024 13:43:44 +0200
+Subject: [PATCH] ext_password_file: do not use wpa_config_get_line
+To: hostap@lists.infradead.org
+
+The file-based backed of the ext_password framework uses
+`wpa_config_get_line` to read the passwords line-by-line from a file.
+This function is meant to parse a single line from the
+wpa_supplicant.conf file, so it handles whitespace, quotes and other
+characters specially.
+
+Its behavior, however, it's not compatible with the rest of the
+ext_password framework implementation. For example, if a passphrase
+contains a `#` character it must be quoted to prevent parsing the
+remaining characters as an inline comment, but the code handling the
+external password in `wpa_supplicant_get_psk` does not handle quotes.
+The result is that either it will hash the enclosing quotes, producing a
+wrong PSK, or if the passphrase is long enough, fail the length check.
+As a consequence, some passphrases are impossible to input correctly.
+
+To solve this and other issues, this patch changes the behaviour of the
+`ext_password_file_get` function (which was not documented in details,
+at least w.r.t. special characters) to simply treat all characters
+literally: including trailing whitespaces (except CR and LF), `#` for
+inline comments, etc. Empty lines and full-line comments are still
+supported.
+
+Signed-off-by: Michele Guerini Rocco
+---
+ src/utils/ext_password_file.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/src/utils/ext_password_file.c b/src/utils/ext_password_file.c
+index 4bb0095f3..f631ff15c 100644
+--- a/src/utils/ext_password_file.c
++++ b/src/utils/ext_password_file.c
+@@ -9,7 +9,6 @@
+ #include "includes.h"
+ 
+ #include "utils/common.h"
+-#include "utils/config.h"
+ #include "ext_password_i.h"
+ 
+ 
+@@ -97,7 +96,16 @@ static struct wpabuf * ext_password_file_get(void *ctx, const char *name)
+ 
+ wpa_printf(MSG_DEBUG, "EXT PW FILE: get(%s)", name);
+ 
+- while (wpa_config_get_line(buf, sizeof(buf), f, &line, &pos)) {
++ while ((pos = fgets(buf, sizeof(buf), f))) {
++ line++;
++
++ /* Strip newline characters */
++ pos[strcspn(pos, "\r\n")] = 0;
++
++ /* Skip comments and empty lines */
++ if (*pos == '#' || *pos == '\0')
++ continue;
++
+ char *sep = os_strchr(pos, '=');
+ 
+ if (!sep) {
+-- 
+2.44.1
+
From 98c67f661daa23112cef0bedffebf9f285f24dbe Mon Sep 17 00:00:00 2001
From: rnhmjoj
Date: Wed, 18 Sep 2024 14:32:23 +0200
Subject: [PATCH 2/2] nixos/wpa_supplicant: test a naughty passphrase

This ensures ASCII punctuation characters are not handled specially.
---
 nixos/tests/wpa_supplicant.nix | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/nixos/tests/wpa_supplicant.nix b/nixos/tests/wpa_supplicant.nix
index 71b9ba358fa1..bdbab88c8b55 100644
--- a/nixos/tests/wpa_supplicant.nix
+++ b/nixos/tests/wpa_supplicant.nix
@@ -8,6 +8,8 @@ let
 maintainers = [ oddlama rnhmjoj ];
 };
 
+ naughtyPassphrase = ''!,./;'[]\-=<>?:"{}|_+@$%^&*()`~ # ceci n'est pas un commentaire'';
+
 runConnectionTest = name: extraConfig: runTest {
 name = "wpa_supplicant-${name}";
 inherit meta;
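Review bot: The new `fgets()` loop silently splits any line longer than `sizeof(buf) - 1` bytes: the first fragment is handled as a complete entry with a truncated value, and the remainder comes back on the next iteration as a line of its own, where it is parsed as a fresh `name=value` pair if it happens to contain `=`. `wpa_config_get_line()` presumably read through the same buffer, so this is not a regression, but since the stated goal is to accept arbitrary passphrases literally it is worth detecting the overflow instead of matching a truncated secret. The sketch below checks for a missing line terminator when the buffer came back full, logs the line number and discards the rest of that line; `ext_password_file_get` starts and ends outside the hunk, so the declaration and size of `buf` and the later `sep`/name handling are not visible here, and the `%d` assumes `line` is still an `int` as the old `&line` argument suggests.
```c
	while ((pos = fgets(buf, sizeof(buf), f))) {
		size_t len;

		line++;
		len = strcspn(pos, "\r\n");
		/* fgets() stops after sizeof(buf) - 1 bytes; if no terminator was
		 * read and more data follows, the entry does not fit in buf and
		 * must not be matched against a truncated value. */
		if (pos[len] == '\0' && len == sizeof(buf) - 1) {
			int c = fgetc(f);

			if (c != EOF && c != '\n') {
				wpa_printf(MSG_DEBUG, "EXT PW FILE: line %d too long, ignored", line);
				while ((c = fgetc(f)) != EOF && c != '\n')
					;
				continue;
			}
		}
		pos[len] = '\0';

		/* … unchanged: comment/empty-line skip, '=' split, name match … */
```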
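Review bot: The added `naughtyPassphrase` is, by my count, exactly 63 characters, the WPA2 passphrase maximum, and that is what turns a stray quote or separator kept by the parser into a hard failure (the wpa_supplicant patch description mentions the length check), yet nothing in the hunk says so; a later edit that lengthens it would break every network in this file for an unrelated reason. Suggest a comment above the line: `# 63 printable ASCII chars, the WPA2 maximum: any character a parser adds or keeps (quotes, '#', whitespace) pushes it over the limit`. It would also help to note that the indented `''` string keeps the backslash literal and that the value contains no `''` or `${` sequence for Nix to interpret.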
@@ -27,7 +29,7 @@ let
 ssid = "nixos-test-sae";
 authentication = {
 mode = "wpa3-sae";
- saePasswords = [ { password = "reproducibility"; } ];
+ saePasswords = [ { password = naughtyPassphrase; } ];
 };
 bssid = "02:00:00:00:00:00";
 };
@@ -36,8 +38,8 @@ let
 authentication = {
 mode = "wpa3-sae-transition";
 saeAddToMacAllow = true;
- saePasswordsFile = pkgs.writeText "password" "reproducibility";
- wpaPasswordFile = pkgs.writeText "password" "reproducibility";
+ saePasswordsFile = pkgs.writeText "password" naughtyPassphrase;
+ wpaPasswordFile = pkgs.writeText "password" naughtyPassphrase;
 };
 bssid = "02:00:00:00:00:01";
 };
@@ -45,7 +47,7 @@ let
 ssid = "nixos-test-wpa2";
 authentication = {
 mode = "wpa2-sha256";
- wpaPassword = "reproducibility";
+ wpaPassword = naughtyPassphrase;
 };
 bssid = "02:00:00:00:00:02";
 };
@@ -65,7 +67,7 @@ let
 
 # secrets
 secretsFile = pkgs.writeText "wpa-secrets" ''
- psk_nixos_test=reproducibility
+ psk_nixos_test=${naughtyPassphrase}
 '';
 }
 extraConfig
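Review bot: The `psk_nixos_test=${naughtyPassphrase}` line in the last hunk is the only place in this file that exercises the patched `ext_password_file_get`, and it quietly pins a second rule besides a literal `#`: the passphrase itself contains `=`, so only the first `=` on the line may act as the separator, matching the `os_strchr(pos, '=')` split in the wpa_supplicant patch. A comment such as `# contains '=' and '#': only the first '=' separates name from value, everything after it is literal` would keep that intent from being lost in a later "simplification" of the passphrase. What the test does not cover is the other behaviour the patch introduces, leading and trailing whitespace becoming part of the value; a second, shorter entry with surrounding spaces matched by another network would pin it, but that needs a network definition outside this hunk, and a literal leading space would have to be written as a `"…"` string rather than inside the indented `''` string to survive Nix's indentation stripping.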