Google Git
Sign in
android / platform / packages / modules / Wifi / 88a8a98934215f591605028e200b6eca8f7cc45a
commit88a8a98934215f591605028e200b6eca8f7cc45a[log] [tgz]
authorJimmy Chen <jimmycmchen@google.com>Wed Dec 28 15:19:08 2022 +0800
committerAndroid Build Coastguard Worker <android-build-coastguard-worker@google.com>Thu Apr 06 00:38:28 2023 +0000
tree0edb13f5972cec4e46f063c8d65289592bdb3674
parent4830c1fe17f5abdd9af98301a8304be8c5583eb8 [diff]
[TOFU] Don't send credentials in an unauthenticated TLS tunnel

Fix the security vulnerability reported in the security report.
Do not send the user credentials in phase2 before the user
approves the server certificate. This is done by connecting
with no credentials for the purpose of getting the server
certificate chain only, and reconnecting once the user approves
with full certificate chain authentication.

Updated-PDD: TRUE
Bug: 250574778
Bug: 251910611
Test: atest InsecureEapNetworkHandlerTest ClientModeImplTest
Test: Integration test with WPA-Enterprise network with an S
device and a T device.
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:fb630e6a13189321d0e83037adc9e7b30dc6d796)
Merged-In: Ib3501f5e04881b11ea9ab52472dd233f2aa82c7a
Change-Id: Ib3501f5e04881b11ea9ab52472dd233f2aa82c7a
8 files changed
tree: 0edb13f5972cec4e46f063c8d65289592bdb3674
  1. apex/
  2. framework/
  3. OsuLogin/
  4. service/
  5. WifiDialog/
  6. metrics_pdd_hook.py
  7. OWNERS
  8. PREUPLOAD.cfg
  9. TEST_MAPPING
  10. WIFI_OWNERS