Allow RSNE in EAPOL-Key msg 3/4 to be replaced for testing purposes

The new hostapd configuration parameter rsne_override_eapol can now be
used similarly to the previously added rsnxe_override_eapol to override
(replace contents or remove) RSNE in EAPOL-Key msg 3/4. This can be used
for station protocol testing to verify sufficient checks for RSNE
modification between the Beacon/Probe Response frames and EAPOL-Key msg
3/4.

Signed-off-by: Jouni Malinen <j@w1.fi>

diff --git a/hostapd/config_file.c b/hostapd/config_file.c
index 269f9f3cdbd161eb2b247a2e91c8a35e9ab2c9ad..98e9fd21b605a5591c02676dbd8de3100da895b1 100644 (file)
--- a/hostapd/config_file.c
+++ b/hostapd/config_file.c
@@ -4176,6 +4176,9 @@ static int hostapd_config_fill(struct hostapd_config *conf,
        } else if (os_strcmp(buf, "sae_commit_override") == 0) {
                wpabuf_free(bss->sae_commit_override);
                bss->sae_commit_override = wpabuf_parse_bin(pos);
+       } else if (os_strcmp(buf, "rsne_override_eapol") == 0) {
+               wpabuf_free(bss->rsne_override_eapol);
+               bss->rsne_override_eapol = wpabuf_parse_bin(pos);
        } else if (os_strcmp(buf, "rsnxe_override_eapol") == 0) {
                wpabuf_free(bss->rsnxe_override_eapol);
                bss->rsnxe_override_eapol = wpabuf_parse_bin(pos);

diff --git a/src/ap/ap_config.c b/src/ap/ap_config.c
index 50974094add37b366bcc4567d977e9ea9c2bd4a9..0166c31648c4f5a20e322d455c3ae4510a7d9e9b 100644 (file)
--- a/src/ap/ap_config.c
+++ b/src/ap/ap_config.c
@@ -902,6 +902,7 @@ void hostapd_config_free_bss(struct hostapd_bss_config *conf)
 #ifdef CONFIG_TESTING_OPTIONS
        wpabuf_free(conf->own_ie_override);
        wpabuf_free(conf->sae_commit_override);
+       wpabuf_free(conf->rsne_override_eapol);
        wpabuf_free(conf->rsnxe_override_eapol);
        wpabuf_free(conf->gtk_rsc_override);
        wpabuf_free(conf->igtk_rsc_override);

diff --git a/src/ap/ap_config.h b/src/ap/ap_config.h
index 5d86a332a49d9fda29e14a216e65c11b6d4dc1ce..8b57500cef1e3a95d30db29395d04d9511d77160 100644 (file)
--- a/src/ap/ap_config.h
+++ b/src/ap/ap_config.h
@@ -677,6 +677,7 @@ struct hostapd_bss_config {
        struct wpabuf *own_ie_override;
        int sae_reflection_attack;
        struct wpabuf *sae_commit_override;
+       struct wpabuf *rsne_override_eapol;
        struct wpabuf *rsnxe_override_eapol;
        struct wpabuf *gtk_rsc_override;
        struct wpabuf *igtk_rsc_override;

diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c
index f914875fe2d282b6b0f4bc9ce546702de4478d79..ab20705f0f3b0bb71723d25844944c5f9844043d 100644 (file)
--- a/src/ap/wpa_auth.c
+++ b/src/ap/wpa_auth.c
@@ -3260,7 +3260,7 @@ SM_STATE(WPA_PTK, PTKINITNEGOTIATING)
        struct wpa_group *gsm = sm->group;
        u8 *wpa_ie;
        int secure, gtkidx, encr = 0;
-       u8 *wpa_ie_buf = NULL;
+       u8 *wpa_ie_buf = NULL, *wpa_ie_buf2 = NULL;
 
        SM_ENTRY_MA(WPA_PTK, PTKINITNEGOTIATING, wpa_ptk);
        sm->TimeoutEvt = FALSE;
@@ -3295,6 +3295,15 @@ SM_STATE(WPA_PTK, PTKINITNEGOTIATING)
                wpa_ie_len = wpa_ie[1] + 2;
        }
 #ifdef CONFIG_TESTING_OPTIONS
+       if (sm->wpa_auth->conf.rsne_override_eapol_set) {
+               wpa_ie_buf2 = replace_ie(
+                       "RSNE", wpa_ie, &wpa_ie_len, WLAN_EID_RSN,
+                       sm->wpa_auth->conf.rsne_override_eapol,
+                       sm->wpa_auth->conf.rsne_override_eapol_len);
+               if (!wpa_ie_buf2)
+                       goto done;
+               wpa_ie = wpa_ie_buf2;
+       }
        if (sm->wpa_auth->conf.rsnxe_override_eapol_set) {
                wpa_ie_buf = replace_ie(
                        "RSNXE", wpa_ie, &wpa_ie_len, WLAN_EID_RSNX,
@@ -3458,6 +3467,7 @@ SM_STATE(WPA_PTK, PTKINITNEGOTIATING)
 done:
        os_free(kde);
        os_free(wpa_ie_buf);
+       os_free(wpa_ie_buf2);
 }
 
 

diff --git a/src/ap/wpa_auth.h b/src/ap/wpa_auth.h
index 93d7f74f26c1c6c015bd92f88c58614b8e86bdfb..d1324d50148839c7a100214d5df8f171bbfef2e7 100644 (file)
--- a/src/ap/wpa_auth.h
+++ b/src/ap/wpa_auth.h
@@ -221,10 +221,13 @@ struct wpa_auth_config {
        double corrupt_gtk_rekey_mic_probability;
        u8 own_ie_override[MAX_OWN_IE_OVERRIDE];
        size_t own_ie_override_len;
+       u8 rsne_override_eapol[MAX_OWN_IE_OVERRIDE];
+       size_t rsne_override_eapol_len;
        u8 rsnxe_override_eapol[MAX_OWN_IE_OVERRIDE];
        size_t rsnxe_override_eapol_len;
        u8 gtk_rsc_override[WPA_KEY_RSC_LEN];
        u8 igtk_rsc_override[WPA_KEY_RSC_LEN];
+       unsigned int rsne_override_eapol_set:1;
        unsigned int rsnxe_override_eapol_set:1;
        unsigned int gtk_rsc_override_set:1;
        unsigned int igtk_rsc_override_set:1;

diff --git a/src/ap/wpa_auth_glue.c b/src/ap/wpa_auth_glue.c
index 4a303b039dfe939762dcaf57f2b03b2d43fdfcd6..ff2302cd21c48877e50313ff1285563b49af7493 100644 (file)
--- a/src/ap/wpa_auth_glue.c
+++ b/src/ap/wpa_auth_glue.c
@@ -121,6 +121,15 @@ static void hostapd_wpa_auth_conf(struct hostapd_bss_config *conf,
                          wpabuf_head(conf->own_ie_override),
                          wconf->own_ie_override_len);
        }
+       if (conf->rsne_override_eapol &&
+           wpabuf_len(conf->rsne_override_eapol) <= MAX_OWN_IE_OVERRIDE) {
+               wconf->rsne_override_eapol_set = 1;
+               wconf->rsne_override_eapol_len =
+                       wpabuf_len(conf->rsne_override_eapol);
+               os_memcpy(wconf->rsne_override_eapol,
+                         wpabuf_head(conf->rsne_override_eapol),
+                         wconf->rsne_override_eapol_len);
+       }
        if (conf->rsnxe_override_eapol &&
            wpabuf_len(conf->rsnxe_override_eapol) <= MAX_OWN_IE_OVERRIDE) {
                wconf->rsnxe_override_eapol_set = 1;