From 4d64fd37b742cc1da84b2d0488c4ac3270be4b4c Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Sat, 7 Mar 2020 16:45:52 +0200
Subject: [PATCH] Allow RSNE in EAPOL-Key msg 3/4 to be replaced for testing purposes
The new hostapd configuration parameter rsne_override_eapol can now be used similarly to the previously added rsnxe_override_eapol to override (replace contents or remove) RSNE in EAPOL-Key msg 3/4. This can be used for station protocol testing to verify sufficient checks for RSNE modification between the Beacon/Probe Response frames and EAPOL-Key msg 3/4.
Signed-off-by: Jouni Malinen
---
 hostapd/config_file.c | 3 +++
 src/ap/ap_config.c | 1 +
 src/ap/ap_config.h | 1 +
 src/ap/wpa_auth.c | 12 +++++++++++-
 src/ap/wpa_auth.h | 3 +++
 src/ap/wpa_auth_glue.c | 9 +++++++++
 6 files changed, 28 insertions(+), 1 deletion(-)
diff --git a/hostapd/config_file.c b/hostapd/config_file.c
index 269f9f3cd..98e9fd21b 100644
--- a/hostapd/config_file.c
+++ b/hostapd/config_file.c
@@ -4176,6 +4176,9 @@ static int hostapd_config_fill(struct hostapd_config *conf,
 } else if (os_strcmp(buf, "sae_commit_override") == 0) {
 wpabuf_free(bss->sae_commit_override);
 bss->sae_commit_override = wpabuf_parse_bin(pos);
+ } else if (os_strcmp(buf, "rsne_override_eapol") == 0) {
+ wpabuf_free(bss->rsne_override_eapol);
+ bss->rsne_override_eapol = wpabuf_parse_bin(pos);
 } else if (os_strcmp(buf, "rsnxe_override_eapol") == 0) {
 wpabuf_free(bss->rsnxe_override_eapol);
 bss->rsnxe_override_eapol = wpabuf_parse_bin(pos);
diff --git a/src/ap/ap_config.c b/src/ap/ap_config.c
index 50974094a..0166c3164 100644
--- a/src/ap/ap_config.c
+++ b/src/ap/ap_config.c
@@ -902,6 +902,7 @@ void hostapd_config_free_bss(struct hostapd_bss_config *conf)
 #ifdef CONFIG_TESTING_OPTIONS
 wpabuf_free(conf->own_ie_override);
 wpabuf_free(conf->sae_commit_override);
+ wpabuf_free(conf->rsne_override_eapol);
 wpabuf_free(conf->rsnxe_override_eapol);
 wpabuf_free(conf->gtk_rsc_override);
 wpabuf_free(conf->igtk_rsc_override);
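Review bot: In hostapd_config_fill() (hostapd/config_file.c), the new `rsne_override_eapol` branch stores the result of `wpabuf_parse_bin(pos)` without checking it, so a value that fails to parse would presumably leave the pointer NULL and the override silently off. Because the parameter exists to confirm that a station rejects a modified RSNE, a silently disabled override lets that negative test pass without the check ever being exercised. Consider failing the configuration line when the parse returns NULL, e.g. `if (!bss->rsne_override_eapol) return 1;` preceded by an error log naming the parameter (the function's error convention is outside the hunk, so confirm the return value). The neighbouring `sae_commit_override` and `rsnxe_override_eapol` branches visible as context follow the same unchecked pattern, and the function body extends beyond the hunk on both sides.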
diff --git a/src/ap/ap_config.h b/src/ap/ap_config.h
index 5d86a332a..8b57500ce 100644
--- a/src/ap/ap_config.h
+++ b/src/ap/ap_config.h
@@ -677,6 +677,7 @@ struct hostapd_bss_config {
 struct wpabuf *own_ie_override;
 int sae_reflection_attack;
 struct wpabuf *sae_commit_override;
+ struct wpabuf *rsne_override_eapol;
 struct wpabuf *rsnxe_override_eapol;
 struct wpabuf *gtk_rsc_override;
 struct wpabuf *igtk_rsc_override;
diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c
index f914875fe..ab20705f0 100644
--- a/src/ap/wpa_auth.c
+++ b/src/ap/wpa_auth.c
@@ -3260,7 +3260,7 @@ SM_STATE(WPA_PTK, PTKINITNEGOTIATING)
 struct wpa_group *gsm = sm->group;
 u8 *wpa_ie;
 int secure, gtkidx, encr = 0;
- u8 *wpa_ie_buf = NULL;
+ u8 *wpa_ie_buf = NULL, *wpa_ie_buf2 = NULL;
 SM_ENTRY_MA(WPA_PTK, PTKINITNEGOTIATING, wpa_ptk);
 sm->TimeoutEvt = FALSE;
@@ -3295,6 +3295,15 @@ SM_STATE(WPA_PTK, PTKINITNEGOTIATING)
 wpa_ie_len = wpa_ie[1] + 2;
 }
 #ifdef CONFIG_TESTING_OPTIONS
+ if (sm->wpa_auth->conf.rsne_override_eapol_set) {
+ wpa_ie_buf2 = replace_ie(
+ "RSNE", wpa_ie, &wpa_ie_len, WLAN_EID_RSN,
+ sm->wpa_auth->conf.rsne_override_eapol,
+ sm->wpa_auth->conf.rsne_override_eapol_len);
+ if (!wpa_ie_buf2)
+ goto done;
+ wpa_ie = wpa_ie_buf2;
+ }
 if (sm->wpa_auth->conf.rsnxe_override_eapol_set) {
 wpa_ie_buf = replace_ie(
 "RSNXE", wpa_ie, &wpa_ie_len, WLAN_EID_RSNX,
@@ -3458,6 +3467,7 @@ SM_STATE(WPA_PTK, PTKINITNEGOTIATING)
 done:
 os_free(kde);
 os_free(wpa_ie_buf);
+ os_free(wpa_ie_buf2);
 }
diff --git a/src/ap/wpa_auth.h b/src/ap/wpa_auth.h
index 93d7f74f2..d1324d501 100644
--- a/src/ap/wpa_auth.h
+++ b/src/ap/wpa_auth.h
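Review bot: In the `@@ -3295` hunk of src/ap/wpa_auth.c, the new RSNE branch leaves through `goto done` when replace_ie() returns NULL with no trace at the call site, so a test run would presumably see only a handshake timeout and could not tell it apart from the station rejecting the frame. A short log before the jump, e.g. `wpa_printf(MSG_DEBUG, "TESTING: RSNE override failed");`, would make the two outcomes distinguishable. It would also help to add a comment that the RSNXE override below works on the buffer already rewritten here (`wpa_ie = wpa_ie_buf2`), which is why both `wpa_ie_buf` and `wpa_ie_buf2` must stay allocated until `done:`. Naming the buffers after the element they hold would make that ownership easier to follow. replace_ie() and the remainder of the RSNXE branch are outside the hunk, so whether replace_ie() reports its own failure is not visible here.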
@@ -221,10 +221,13 @@ struct wpa_auth_config {
 double corrupt_gtk_rekey_mic_probability;
 u8 own_ie_override[MAX_OWN_IE_OVERRIDE];
 size_t own_ie_override_len;
+ u8 rsne_override_eapol[MAX_OWN_IE_OVERRIDE];
+ size_t rsne_override_eapol_len;
 u8 rsnxe_override_eapol[MAX_OWN_IE_OVERRIDE];
 size_t rsnxe_override_eapol_len;
 u8 gtk_rsc_override[WPA_KEY_RSC_LEN];
 u8 igtk_rsc_override[WPA_KEY_RSC_LEN];
+ unsigned int rsne_override_eapol_set:1;
 unsigned int rsnxe_override_eapol_set:1;
 unsigned int gtk_rsc_override_set:1;
 unsigned int igtk_rsc_override_set:1;
diff --git a/src/ap/wpa_auth_glue.c b/src/ap/wpa_auth_glue.c
index 4a303b039..ff2302cd2 100644
--- a/src/ap/wpa_auth_glue.c
+++ b/src/ap/wpa_auth_glue.c
@@ -121,6 +121,15 @@ static void hostapd_wpa_auth_conf(struct hostapd_bss_config *conf,
 wpabuf_head(conf->own_ie_override),
 wconf->own_ie_override_len);
 }
+ if (conf->rsne_override_eapol &&
+ wpabuf_len(conf->rsne_override_eapol) <= MAX_OWN_IE_OVERRIDE) {
+ wconf->rsne_override_eapol_set = 1;
+ wconf->rsne_override_eapol_len =
+ wpabuf_len(conf->rsne_override_eapol);
+ os_memcpy(wconf->rsne_override_eapol,
+ wpabuf_head(conf->rsne_override_eapol),
+ wconf->rsne_override_eapol_len);
+ }
 if (conf->rsnxe_override_eapol &&
 wpabuf_len(conf->rsnxe_override_eapol) <= MAX_OWN_IE_OVERRIDE) {
 wconf->rsnxe_override_eapol_set = 1;
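Review bot: In hostapd_wpa_auth_conf() (src/ap/wpa_auth_glue.c), a configured override longer than `MAX_OWN_IE_OVERRIDE` fails the new length condition and is dropped without any message, leaving `rsne_override_eapol_set` at 0. The bound itself is right, since it keeps the `os_memcpy()` within the fixed-size `rsne_override_eapol` array, but the silent skip means a station test meant to send a modified RSNE would run against an unmodified msg 3/4 and appear to pass. Consider reporting the ignored value, e.g. `else if (conf->rsne_override_eapol) wpa_printf(MSG_INFO, "TESTING: rsne_override_eapol too long - ignored");`. The `rsnxe_override_eapol` block that follows as context has the same shape, and the function continues outside the hunk.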