commit | 88a8a98934215f591605028e200b6eca8f7cc45a | |
---|---|---|
author | Jimmy Chen <jimmycmchen@google.com> | Wed Dec 28 15:19:08 2022 +0800 |
committer | Android Build Coastguard Worker <android-build-coastguard-worker@google.com> | Thu Apr 06 00:38:28 2023 +0000 |
tree | 0edb13f5972cec4e46f063c8d65289592bdb3674 | |
parent | 4830c1fe17f5abdd9af98301a8304be8c5583eb8 | |
[TOFU] Don't send credentials in an unauthenticated TLS tunnel

Fix the security vulnerability reported in the security report.

Do not send the user credentials in phase2 before the user approves the server certificate. This is done by connecting with no credentials for the purpose of getting the server certificate chain only, and reconnecting once the user approves with full certificate chain authentication.

Updated-PDD: TRUE

Bug: 250574778

Bug: 251910611

Test: atest InsecureEapNetworkHandlerTest ClientModeImplTest

Test: Integration test with WPA-Enterprise network with an S device and a T device.

(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:fb630e6a13189321d0e83037adc9e7b30dc6d796)

Merged-In: Ib3501f5e04881b11ea9ab52472dd233f2aa82c7a

Change-Id: Ib3501f5e04881b11ea9ab52472dd233f2aa82c7a
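
A minimal model of the probe-then-reconnect flow the commit message describes, added here as an illustration and not code from the Android Wi-Fi module. The names `Server`, `fingerprint`, `eap_connect` and `tofu_join`, the hash-of-chain pin standing in for full certificate chain authentication, and the sample certificate bytes are all assumptions constructed for this example.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class Server:
    """Hypothetical stand-in for an EAP server: its chain and what it was sent."""
    chain: tuple                      # constructed sample bytes, one per certificate
    received: list = field(default_factory=list)


def fingerprint(chain):
    """SHA-256 over the length-prefixed chain; used here as the trust pin."""
    h = hashlib.sha256()
    for cert in chain:
        h.update(len(cert).to_bytes(4, "big") + cert)
    return h.hexdigest()


def eap_connect(server, credentials=None, pinned=None):
    """One connection attempt; returns (presented chain, credentials_sent)."""
    chain = server.chain                      # phase 1: server presents its chain
    if credentials is None:
        return chain, False                   # probe: stop before phase 2
    if pinned is None or fingerprint(chain) != pinned:
        return chain, False                   # tunnel not authenticated: send nothing
    server.received.append(credentials)       # phase 2 inside the authenticated tunnel
    return chain, True


def tofu_join(probe_server, reconnect_server, credentials, user_approves):
    """Probe with no credentials, ask the user, then reconnect against the pin.

    Two server arguments model the access point changing between the probe
    and the reconnect; pass the same object twice for the normal case.
    """
    chain, _ = eap_connect(probe_server)      # no credentials attached to the probe
    pin = fingerprint(chain)
    if not user_approves(pin):
        return False                          # user rejected: never reach phase 2
    _, sent = eap_connect(reconnect_server, credentials, pinned=pin)
    return sent
```

The property to check is that `received` stays empty for any server whose chain the user has not approved, including one that appears only at the reconnect.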