From b866786338e6652125aa4f09ecd630febb6c9fb2 Mon Sep 17 00:00:00 2001
From: Ilan Peer <ilan.peer@intel.com>
Date: Mon, 15 Mar 2021 14:57:03 +0200
Subject: [PATCH] PASN: For testing purposes allow to corrupt MIC

For testing purposes, add support for corrupting the MIC in PASN
Authentication frames for both wpa_supplicant and hostapd.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
---
 hostapd/config_file.c            | 2 ++
 src/ap/ap_config.h               | 3 +++
 src/ap/ieee802_11.c              | 7 +++++++
 wpa_supplicant/config.c          | 1 +
 wpa_supplicant/config.h          | 4 ++++
 wpa_supplicant/pasn_supplicant.c | 7 +++++++
 6 files changed, 24 insertions(+)

diff --git a/hostapd/config_file.c b/hostapd/config_file.c
index 80842b8f4..eabf61be0 100644
--- a/hostapd/config_file.c
+++ b/hostapd/config_file.c
@@ -4664,6 +4664,8 @@ static int hostapd_config_fill(struct hostapd_config *conf,
 #ifdef CONFIG_TESTING_OPTIONS
 	} else if (os_strcmp(buf, "force_kdk_derivation") == 0) {
 		bss->force_kdk_derivation = atoi(pos);
+	} else if (os_strcmp(buf, "pasn_corrupt_mic") == 0) {
+		bss->pasn_corrupt_mic = atoi(pos);
 #endif /* CONFIG_TESTING_OPTIONS */
 	} else if (os_strcmp(buf, "pasn_groups") == 0) {
 		if (hostapd_parse_intlist(&bss->pasn_groups, pos)) {
diff --git a/src/ap/ap_config.h b/src/ap/ap_config.h
index 88200c688..4857adf53 100644
--- a/src/ap/ap_config.h
+++ b/src/ap/ap_config.h
@@ -874,6 +874,9 @@ struct hostapd_bss_config {
 	 * secure LTF. Allow forcing KDK derivation for testing purposes.
 	 */
 	int force_kdk_derivation;
+
+	/* If set, corrupt the MIC in the 2nd Authentication frame of PASN */
+	int pasn_corrupt_mic;
 #endif /* CONFIG_TESTING_OPTIONS */
 
 	int *pasn_groups;
diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
index cba8868ae..eb05efd8b 100644
--- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c
@@ -2995,6 +2995,13 @@ static int handle_auth_pasn_resp(struct hostapd_data *hapd,
 		goto fail;
 	}
 
+#ifdef CONFIG_TESTING_OPTIONS
+	if (hapd->conf->pasn_corrupt_mic) {
+		wpa_printf(MSG_DEBUG, "PASN: frame 2: Corrupt MIC");
+		mic[0] = ~mic[0];
+	}
+#endif /* CONFIG_TESTING_OPTIONS */
+
 	os_memcpy(ptr, mic, mic_len);
 
 done:
diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c
index ce5c80d02..e8e9fd432 100644
--- a/wpa_supplicant/config.c
+++ b/wpa_supplicant/config.c
@@ -5208,6 +5208,7 @@ static const struct global_parse_data global_fields[] = {
 #ifdef CONFIG_PASN
 #ifdef CONFIG_TESTING_OPTIONS
 	{ INT_RANGE(force_kdk_derivation, 0, 1), 0 },
+	{ INT_RANGE(pasn_corrupt_mic, 0, 1), 0 },
 #endif /* CONFIG_TESTING_OPTIONS */
 #endif /* CONFIG_PASN */
 };
diff --git a/wpa_supplicant/config.h b/wpa_supplicant/config.h
index aac4a9dff..68679c6e3 100644
--- a/wpa_supplicant/config.h
+++ b/wpa_supplicant/config.h
@@ -1648,6 +1648,10 @@ struct wpa_config {
 	 * secure LTF. Allow forcing KDK derivation for testing purposes.
 	 */
 	int force_kdk_derivation;
+
+	/* If set, corrupt the MIC in the 3rd Authentication frame of PASN */
+	int pasn_corrupt_mic;
+
 #endif /* CONFIG_TESTING_OPTIONS */
 #endif /* CONFIG_PASN*/
 };
diff --git a/wpa_supplicant/pasn_supplicant.c b/wpa_supplicant/pasn_supplicant.c
index 35d732ed5..f7c61542f 100644
--- a/wpa_supplicant/pasn_supplicant.c
+++ b/wpa_supplicant/pasn_supplicant.c
@@ -779,6 +779,13 @@ static struct wpabuf * wpas_pasn_build_auth_3(struct wpa_supplicant *wpa_s)
 		goto fail;
 	}
 
+#ifdef CONFIG_TESTING_OPTIONS
+	if (wpa_s->conf->pasn_corrupt_mic) {
+		wpa_printf(MSG_DEBUG, "PASN: frame 3: Corrupt MIC");
+		mic[0] = ~mic[0];
+	}
+#endif /* CONFIG_TESTING_OPTIONS */
+
 	os_memcpy(ptr, mic, mic_len);
 
 	pasn->trans_seq++;