softap_config_equal does not compare auth_mode/cipher #5115

Closed
@Rotzbua

Software

Release: 2.0.0-alpha1 and earlier
Library: Wifi

Description

The compare function does not compare security-relevant settings. The configured authmode and (since v2) cipher are not compared. For that reason softAP() does not return false in case of bug #5038, which leads to an insecure open AP. That is a huge security problem if somebody gets access to normally protected content.

Code

    static bool softap_config_equal(const wifi_config_t& lhs, const wifi_config_t& rhs)
    {
        if(strcmp(reinterpret_cast<const char*>(lhs.ap.ssid), reinterpret_cast<const char*>(rhs.ap.ssid)) != 0) {
            return false;
        }
        if(strcmp(reinterpret_cast<const char*>(lhs.ap.password), reinterpret_cast<const char*>(rhs.ap.password)) != 0) {
            return false;
        }
        if(lhs.ap.channel != rhs.ap.channel) {
            return false;
        }
        if(lhs.ap.ssid_hidden != rhs.ap.ssid_hidden) {
            return false;
        }
        if(lhs.ap.max_connection != rhs.ap.max_connection) {
            return false;
        }
        return true;
    }

Expected

Also authmode/cipher should be checked.
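
One way the comparison could cover the missing fields, as an added example (not code from this issue or from the project). The structs and enums are constructed stand-ins for the ESP-IDF types so it builds off-target; `softap_config_equal_strict` and `make_ap` are hypothetical names, and the bounded `strncmp` is an extra choice the issue does not ask for.

```cpp
#include <algorithm>
#include <cstdint>
#include <cstdio>
#include <cstring>

// Constructed stand-ins for the ESP-IDF types (subset of fields and enum values).
enum wifi_auth_mode_t { WIFI_AUTH_OPEN, WIFI_AUTH_WEP, WIFI_AUTH_WPA_PSK, WIFI_AUTH_WPA2_PSK };
enum wifi_cipher_type_t { WIFI_CIPHER_TYPE_NONE, WIFI_CIPHER_TYPE_TKIP, WIFI_CIPHER_TYPE_CCMP };
struct wifi_ap_config_t {
    uint8_t ssid[32];
    uint8_t password[64];
    uint8_t channel;
    wifi_auth_mode_t authmode;
    uint8_t ssid_hidden;
    uint8_t max_connection;
    wifi_cipher_type_t pairwise_cipher;
};
struct wifi_config_t { wifi_ap_config_t ap; };

// Hypothetical stricter comparison: the fields that decide who may join are checked too.
static bool softap_config_equal_strict(const wifi_config_t& lhs, const wifi_config_t& rhs)
{
    const char* ls = reinterpret_cast<const char*>(lhs.ap.ssid);
    const char* rs = reinterpret_cast<const char*>(rhs.ap.ssid);
    const char* lp = reinterpret_cast<const char*>(lhs.ap.password);
    const char* rp = reinterpret_cast<const char*>(rhs.ap.password);
    // Bounded compares: the fixed-size buffers need not be NUL-terminated.
    if (strncmp(ls, rs, sizeof(lhs.ap.ssid)) != 0) return false;
    if (strncmp(lp, rp, sizeof(lhs.ap.password)) != 0) return false;
    if (lhs.ap.channel != rhs.ap.channel) return false;
    if (lhs.ap.ssid_hidden != rhs.ap.ssid_hidden) return false;
    if (lhs.ap.max_connection != rhs.ap.max_connection) return false;
    if (lhs.ap.authmode != rhs.ap.authmode) return false;               // open vs. protected
    if (lhs.ap.pairwise_cipher != rhs.ap.pairwise_cipher) return false; // e.g. TKIP vs. CCMP
    return true;
}

// Builds a constructed sample config; channel and max_connection are arbitrary.
static wifi_config_t make_ap(const char* ssid, const char* pass, wifi_auth_mode_t auth, wifi_cipher_type_t cipher)
{
    wifi_config_t c{};
    memcpy(c.ap.ssid, ssid, std::min(strlen(ssid), sizeof(c.ap.ssid)));
    memcpy(c.ap.password, pass, std::min(strlen(pass), sizeof(c.ap.password)));
    c.ap.channel = 1;
    c.ap.max_connection = 4;
    c.ap.authmode = auth;
    c.ap.pairwise_cipher = cipher;
    return c;
}

int main()
{
    wifi_config_t wanted = make_ap("lab-ap", "correct-horse", WIFI_AUTH_WPA2_PSK, WIFI_CIPHER_TYPE_CCMP);
    wifi_config_t active = make_ap("lab-ap", "correct-horse", WIFI_AUTH_OPEN, WIFI_CIPHER_TYPE_NONE);
    printf("configs equal: %s\n", softap_config_equal_strict(wanted, active) ? "yes" : "no");
    return 0;
}
```

With the same SSID, password, channel, hidden flag and connection limit on both sides, the function quoted in the issue reports the two configurations above as equal; the stricter version does not.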
