From 327bd4253115abc757ebaf5f1bddd9f5ad2253e4 Mon Sep 17 00:00:00 2001 From: Roshan Pius Date: Thu, 22 Jun 2017 13:17:16 -0700 Subject: WifiConfigManager: Ignore masked EAP passwords Whenever an app retrieves one of the saved network configuration using the WifiManager API's, we mask out the |preSharedKey|, |wepKeys| and |enterpriseConfig.getPassword()| fields. These apps may however pass the same network configuration (with some changes) back to the framework via WifiManager.updateNetwork() or WifiManager.connect() API's. Since the current update API does not specify which field within the WifiConfiguration is modified, framework tries to copy over all the fields sent in thus overriding the real password with the masked value sent by the app. Ideally the apps should create a new WifiConfiguration with just the fields that they want to modify and send it via WifiManager.updateNetwork(). But, since this is a very common mistake we have some protection against this in the framework for the |preSharedKey| and |wepKeys|. But, we're missing this protection for the |enterpriseConfig.getPassword()| fields. Bug: 62893342 Test: Unit tests. Test: Manual test to ensure that masked password sent from settings is ignored. Test: Regression tests. Change-Id: I163c8c44b2717364aff88cb7ca1b2faa3aa6cce9 --- .../android/server/wifi/WifiConfigManagerTest.java | 44 ++++++++++++++++++++++ .../server/wifi/WifiConfigurationTestUtil.java | 1 + 2 files changed, 45 insertions(+) (limited to 'tests') diff --git a/tests/wifitests/src/com/android/server/wifi/WifiConfigManagerTest.java b/tests/wifitests/src/com/android/server/wifi/WifiConfigManagerTest.java index e85686fa7..9fa67a000 100644 --- a/tests/wifitests/src/com/android/server/wifi/WifiConfigManagerTest.java +++ b/tests/wifitests/src/com/android/server/wifi/WifiConfigManagerTest.java @@ -1380,6 +1380,50 @@ public class WifiConfigManagerTest { verifyUpdateNetworkWithCredentialChangeHasEverConnectedFalse(eapNetwork); } + /** + * Verifies that if the app sends back the masked passwords in an update, we ignore it. + */ + @Test + public void testUpdateIgnoresMaskedPasswords() { + WifiConfiguration someRandomNetworkWithAllMaskedFields = + WifiConfigurationTestUtil.createEapNetwork(); + someRandomNetworkWithAllMaskedFields.wepKeys = WifiConfigurationTestUtil.TEST_WEP_KEYS; + someRandomNetworkWithAllMaskedFields.preSharedKey = WifiConfigurationTestUtil.TEST_PSK; + someRandomNetworkWithAllMaskedFields.enterpriseConfig.setPassword( + WifiConfigurationTestUtil.TEST_EAP_PASSWORD); + + NetworkUpdateResult result = + verifyAddNetworkToWifiConfigManager(someRandomNetworkWithAllMaskedFields); + + // All of these passwords must be masked in this retrieved network config. + WifiConfiguration retrievedNetworkWithMaskedPassword = + mWifiConfigManager.getConfiguredNetwork(result.getNetworkId()); + assertPasswordsMaskedInWifiConfiguration(retrievedNetworkWithMaskedPassword); + // Ensure that the passwords are present internally. + WifiConfiguration retrievedNetworkWithPassword = + mWifiConfigManager.getConfiguredNetworkWithPassword(result.getNetworkId()); + assertEquals(someRandomNetworkWithAllMaskedFields.preSharedKey, + retrievedNetworkWithPassword.preSharedKey); + assertEquals(someRandomNetworkWithAllMaskedFields.wepKeys, + retrievedNetworkWithPassword.wepKeys); + assertEquals(someRandomNetworkWithAllMaskedFields.enterpriseConfig.getPassword(), + retrievedNetworkWithPassword.enterpriseConfig.getPassword()); + + // Now update the same network config using the masked config. + verifyUpdateNetworkToWifiConfigManager(retrievedNetworkWithMaskedPassword); + + // Retrieve the network config with password and ensure that they have not been overwritten + // with *. + retrievedNetworkWithPassword = + mWifiConfigManager.getConfiguredNetworkWithPassword(result.getNetworkId()); + assertEquals(someRandomNetworkWithAllMaskedFields.preSharedKey, + retrievedNetworkWithPassword.preSharedKey); + assertEquals(someRandomNetworkWithAllMaskedFields.wepKeys, + retrievedNetworkWithPassword.wepKeys); + assertEquals(someRandomNetworkWithAllMaskedFields.enterpriseConfig.getPassword(), + retrievedNetworkWithPassword.enterpriseConfig.getPassword()); + } + /** * Verifies the ordering of network list generated using * {@link WifiConfigManager#retrievePnoNetworkList()}. diff --git a/tests/wifitests/src/com/android/server/wifi/WifiConfigurationTestUtil.java b/tests/wifitests/src/com/android/server/wifi/WifiConfigurationTestUtil.java index b53732a91..f7bf5b022 100644 --- a/tests/wifitests/src/com/android/server/wifi/WifiConfigurationTestUtil.java +++ b/tests/wifitests/src/com/android/server/wifi/WifiConfigurationTestUtil.java @@ -65,6 +65,7 @@ public class WifiConfigurationTestUtil { public static final String[] TEST_WEP_KEYS = {"\"WifiConfigurationTestUtilWep1\"", "\"WifiConfigurationTestUtilWep2\"", "45342312ab", "45342312ab45342312ab34ac12"}; + public static final String TEST_EAP_PASSWORD = "WifiConfigurationTestUtilEapPassword"; public static final int TEST_WEP_TX_KEY_INDEX = 1; public static final String TEST_FQDN = "WifiConfigurationTestUtilFQDN"; public static final String TEST_PROVIDER_FRIENDLY_NAME = -- cgit v1.2.3