forked from espressif/esp-idf
fix(blufi): Fixed some security issue in blufi example
@ -364,18 +364,33 @@ static void example_event_callback(esp_blufi_cb_event_t event, esp_blufi_cb_para
|
|||||||
BLUFI_INFO("Recv STA BSSID %s\n", sta_config.sta.ssid);
|
BLUFI_INFO("Recv STA BSSID %s\n", sta_config.sta.ssid);
|
||||||
break;
|
break;
|
||||||
case ESP_BLUFI_EVENT_RECV_STA_SSID:
|
case ESP_BLUFI_EVENT_RECV_STA_SSID:
|
||||||
|
if (param->sta_ssid.ssid_len >= sizeof(sta_config.sta.ssid)/sizeof(sta_config.sta.ssid[0])) {
|
||||||
|
esp_blufi_send_error_info(ESP_BLUFI_DATA_FORMAT_ERROR);
|
||||||
|
BLUFI_INFO("Invalid STA SSID\n");
|
||||||
|
break;
|
||||||
|
}
|
||||||
strncpy((char *)sta_config.sta.ssid, (char *)param->sta_ssid.ssid, param->sta_ssid.ssid_len);
|
strncpy((char *)sta_config.sta.ssid, (char *)param->sta_ssid.ssid, param->sta_ssid.ssid_len);
|
||||||
sta_config.sta.ssid[param->sta_ssid.ssid_len] = '\0';
|
sta_config.sta.ssid[param->sta_ssid.ssid_len] = '\0';
|
||||||
esp_wifi_set_config(WIFI_IF_STA, &sta_config);
|
esp_wifi_set_config(WIFI_IF_STA, &sta_config);
|
||||||
BLUFI_INFO("Recv STA SSID %s\n", sta_config.sta.ssid);
|
BLUFI_INFO("Recv STA SSID %s\n", sta_config.sta.ssid);
|
||||||
break;
|
break;
|
||||||
case ESP_BLUFI_EVENT_RECV_STA_PASSWD:
|
case ESP_BLUFI_EVENT_RECV_STA_PASSWD:
|
||||||
|
if (param->sta_passwd.passwd_len >= sizeof(sta_config.sta.password)/sizeof(sta_config.sta.password[0])) {
|
||||||
|
esp_blufi_send_error_info(ESP_BLUFI_DATA_FORMAT_ERROR);
|
||||||
|
BLUFI_INFO("Invalid STA PASSWORD\n");
|
||||||
|
break;
|
||||||
|
}
|
||||||
strncpy((char *)sta_config.sta.password, (char *)param->sta_passwd.passwd, param->sta_passwd.passwd_len);
|
strncpy((char *)sta_config.sta.password, (char *)param->sta_passwd.passwd, param->sta_passwd.passwd_len);
|
||||||
sta_config.sta.password[param->sta_passwd.passwd_len] = '\0';
|
sta_config.sta.password[param->sta_passwd.passwd_len] = '\0';
|
||||||
esp_wifi_set_config(WIFI_IF_STA, &sta_config);
|
esp_wifi_set_config(WIFI_IF_STA, &sta_config);
|
||||||
BLUFI_INFO("Recv STA PASSWORD %s\n", sta_config.sta.password);
|
BLUFI_INFO("Recv STA PASSWORD %s\n", sta_config.sta.password);
|
||||||
break;
|
break;
|
||||||
case ESP_BLUFI_EVENT_RECV_SOFTAP_SSID:
|
case ESP_BLUFI_EVENT_RECV_SOFTAP_SSID:
|
||||||
|
if (param->softap_ssid.ssid_len >= sizeof(ap_config.ap.ssid)/sizeof(ap_config.ap.ssid[0])) {
|
||||||
|
esp_blufi_send_error_info(ESP_BLUFI_DATA_FORMAT_ERROR);
|
||||||
|
BLUFI_INFO("Invalid SOFTAP SSID\n");
|
||||||
|
break;
|
||||||
|
}
|
||||||
strncpy((char *)ap_config.ap.ssid, (char *)param->softap_ssid.ssid, param->softap_ssid.ssid_len);
|
strncpy((char *)ap_config.ap.ssid, (char *)param->softap_ssid.ssid, param->softap_ssid.ssid_len);
|
||||||
ap_config.ap.ssid[param->softap_ssid.ssid_len] = '\0';
|
ap_config.ap.ssid[param->softap_ssid.ssid_len] = '\0';
|
||||||
ap_config.ap.ssid_len = param->softap_ssid.ssid_len;
|
ap_config.ap.ssid_len = param->softap_ssid.ssid_len;
|
||||||
@ -383,6 +398,11 @@ static void example_event_callback(esp_blufi_cb_event_t event, esp_blufi_cb_para
|
|||||||
BLUFI_INFO("Recv SOFTAP SSID %s, ssid len %d\n", ap_config.ap.ssid, ap_config.ap.ssid_len);
|
BLUFI_INFO("Recv SOFTAP SSID %s, ssid len %d\n", ap_config.ap.ssid, ap_config.ap.ssid_len);
|
||||||
break;
|
break;
|
||||||
case ESP_BLUFI_EVENT_RECV_SOFTAP_PASSWD:
|
case ESP_BLUFI_EVENT_RECV_SOFTAP_PASSWD:
|
||||||
|
if (param->softap_passwd.passwd_len >= sizeof(ap_config.sta.ssid)/sizeof(ap_config.sta.ssid[0])) {
|
||||||
|
esp_blufi_send_error_info(ESP_BLUFI_DATA_FORMAT_ERROR);
|
||||||
|
BLUFI_INFO("Invalid SOFTAP PASSWD\n");
|
||||||
|
break;
|
||||||
|
}
|
||||||
strncpy((char *)ap_config.ap.password, (char *)param->softap_passwd.passwd, param->softap_passwd.passwd_len);
|
strncpy((char *)ap_config.ap.password, (char *)param->softap_passwd.passwd, param->softap_passwd.passwd_len);
|
||||||
ap_config.ap.password[param->softap_passwd.passwd_len] = '\0';
|
ap_config.ap.password[param->softap_passwd.passwd_len] = '\0';
|
||||||
esp_wifi_set_config(WIFI_IF_AP, &ap_config);
|
esp_wifi_set_config(WIFI_IF_AP, &ap_config);
|
||||||
|
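Review bot: The new length check in the ESP_BLUFI_EVENT_RECV_SOFTAP_PASSWD case measures the wrong field: it compares `passwd_len` with `sizeof(ap_config.sta.ssid)`, while the copy that follows writes to `ap_config.ap.password`. The other three checks added here bound the length by the buffer they write to, so this one should read `if (param->softap_passwd.passwd_len >= sizeof(ap_config.ap.password)/sizeof(ap_config.ap.password[0])) {`. If the SSID field is the smaller of the two, as I believe it is in ESP-IDF's Wi-Fi config structs, the check as written is still memory-safe but rejects valid longer passphrases, and it would stop protecting the copy if the field sizes ever diverged the other way. Separately, the STA password case still prints the received passphrase via `BLUFI_INFO("Recv STA PASSWORD %s\n", sta_config.sta.password);`; logging only its length would keep the credential out of the console log. example_event_callback starts and ends outside these hunks.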
@ -1,5 +1,5 @@
|
|||||||
/*
|
/*
|
||||||
* SPDX-FileCopyrightText: 2021-2022 Espressif Systems (Shanghai) CO LTD
|
* SPDX-FileCopyrightText: 2021-2025 Espressif Systems (Shanghai) CO LTD
|
||||||
*
|
*
|
||||||
* SPDX-License-Identifier: Unlicense OR CC0-1.0
|
* SPDX-License-Identifier: Unlicense OR CC0-1.0
|
||||||
*/
|
*/
|
||||||
@ -67,6 +67,12 @@ extern void btc_blufi_report_error(esp_blufi_error_state_t state);
|
|||||||
|
|
||||||
void blufi_dh_negotiate_data_handler(uint8_t *data, int len, uint8_t **output_data, int *output_len, bool *need_free)
|
void blufi_dh_negotiate_data_handler(uint8_t *data, int len, uint8_t **output_data, int *output_len, bool *need_free)
|
||||||
{
|
{
|
||||||
|
if (data == NULL || len < 3) {
|
||||||
|
BLUFI_ERROR("BLUFI Invalid data format");
|
||||||
|
btc_blufi_report_error(ESP_BLUFI_DATA_FORMAT_ERROR);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
int ret;
|
int ret;
|
||||||
uint8_t type = data[0];
|
uint8_t type = data[0];
|
||||||
|
|
||||||
@ -96,6 +102,13 @@ void blufi_dh_negotiate_data_handler(uint8_t *data, int len, uint8_t **output_da
|
|||||||
btc_blufi_report_error(ESP_BLUFI_DH_PARAM_ERROR);
|
btc_blufi_report_error(ESP_BLUFI_DH_PARAM_ERROR);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (len < (blufi_sec->dh_param_len + 1)) {
|
||||||
|
BLUFI_ERROR("%s, invalid dh param len\n", __func__);
|
||||||
|
btc_blufi_report_error(ESP_BLUFI_DH_PARAM_ERROR);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
uint8_t *param = blufi_sec->dh_param;
|
uint8_t *param = blufi_sec->dh_param;
|
||||||
memcpy(blufi_sec->dh_param, &data[1], blufi_sec->dh_param_len);
|
memcpy(blufi_sec->dh_param, &data[1], blufi_sec->dh_param_len);
|
||||||
ret = mbedtls_dhm_read_params(&blufi_sec->dhm, ¶m, ¶m[blufi_sec->dh_param_len]);
|
ret = mbedtls_dhm_read_params(&blufi_sec->dhm, ¶m, ¶m[blufi_sec->dh_param_len]);
|
||||||
@ -108,6 +121,12 @@ void blufi_dh_negotiate_data_handler(uint8_t *data, int len, uint8_t **output_da
|
|||||||
blufi_sec->dh_param = NULL;
|
blufi_sec->dh_param = NULL;
|
||||||
|
|
||||||
const int dhm_len = mbedtls_dhm_get_len(&blufi_sec->dhm);
|
const int dhm_len = mbedtls_dhm_get_len(&blufi_sec->dhm);
|
||||||
|
|
||||||
|
if (dhm_len > DH_SELF_PUB_KEY_LEN) {
|
||||||
|
BLUFI_ERROR("%s dhm len not support %d\n", __func__, dhm_len);
|
||||||
|
btc_blufi_report_error(ESP_BLUFI_DH_PARAM_ERROR);
|
||||||
|
}
|
||||||
|
|
||||||
ret = mbedtls_dhm_make_public(&blufi_sec->dhm, dhm_len, blufi_sec->self_public_key, dhm_len, myrand, NULL);
|
ret = mbedtls_dhm_make_public(&blufi_sec->dhm, dhm_len, blufi_sec->self_public_key, dhm_len, myrand, NULL);
|
||||||
if (ret) {
|
if (ret) {
|
||||||
BLUFI_ERROR("%s make public failed %d\n", __func__, ret);
|
BLUFI_ERROR("%s make public failed %d\n", __func__, ret);
|
||||||
|
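Review bot: The new `if (dhm_len > DH_SELF_PUB_KEY_LEN)` block logs and reports ESP_BLUFI_DH_PARAM_ERROR but has no `return;`, so execution falls through to `mbedtls_dhm_make_public(&blufi_sec->dhm, dhm_len, blufi_sec->self_public_key, dhm_len, myrand, NULL)` with the oversized length. Assuming `self_public_key` holds DH_SELF_PUB_KEY_LEN bytes (its declaration is not in the hunk), peer-supplied DH parameters larger than that would still let the call write past the buffer, which is what the check is meant to prevent. Add `return;` after `btc_blufi_report_error(ESP_BLUFI_DH_PARAM_ERROR);`, as the other two checks added in this file do. The function continues beyond the hunk, so confirm whether the DHM context needs any cleanup on that path.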