From e75335384a29987bf856bdf0a70af1c1b2a606eb Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Sat, 2 Sep 2017 01:31:47 +0300
Subject: [PATCH] SAE: Add testing code for reflection attack

Allow hostapd to be configured to perform SAE reflection attack for SAE testing purposes with sae_reflection_attack=1 configuration parameter. This is included only in CONFIG_TESTING_OPTIONS=y builds.

Signed-off-by: Jouni Malinen
---
 hostapd/config_file.c | 2 ++
 src/ap/ap_config.h | 1 +
 src/ap/ieee802_11.c | 12 ++++++++++++
 3 files changed, 15 insertions(+)

diff --git a/hostapd/config_file.c b/hostapd/config_file.c
index cc799d482..7f1965b06 100644
--- a/hostapd/config_file.c
+++ b/hostapd/config_file.c
@@ -3561,6 +3561,8 @@ static int hostapd_config_fill(struct hostapd_config *conf,
 wpabuf_free(bss->own_ie_override);
 bss->own_ie_override = tmp;
+ } else if (os_strcmp(buf, "sae_reflection_attack") == 0) {
+ bss->sae_reflection_attack = atoi(pos);
 #endif /* CONFIG_TESTING_OPTIONS */
 } else if (os_strcmp(buf, "vendor_elements") == 0) {
 if (parse_wpabuf_hex(line, buf, &bss->vendor_elements, pos))
diff --git a/src/ap/ap_config.h b/src/ap/ap_config.h
index 8e5ff524d..79048de0b 100644
--- a/src/ap/ap_config.h
+++ b/src/ap/ap_config.h
@@ -588,6 +588,7 @@ struct hostapd_bss_config {
 u8 bss_load_test[5];
 u8 bss_load_test_set;
 struct wpabuf *own_ie_override;
+ int sae_reflection_attack;
 #endif /* CONFIG_TESTING_OPTIONS */
 #define MESH_ENABLED BIT(0)
diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
index 799961146..e35ed3a08 100644
--- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c
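Review bot: The new `sae_reflection_attack` field in struct hostapd_bss_config (src/ap/ap_config.h) carries no comment saying what it does or that a non-zero value makes the AP deliberately misbehave. A one-line comment above the field, such as `/* testing only: echo the peer's SAE commit back to it */`, would make that clear to anyone reading the struct. In hostapd/config_file.c the value is taken from `atoi(pos)`, so any non-zero number enables the behaviour and a mistyped value silently leaves it off, which is worth stating in the same comment.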
@@ -786,6 +786,18 @@ static void handle_auth_sae(struct hostapd_data *hapd, struct sta_info *sta,
 int resp = WLAN_STATUS_SUCCESS;
 struct wpabuf *data = NULL;
+#ifdef CONFIG_TESTING_OPTIONS
+ if (hapd->conf->sae_reflection_attack && auth_transaction == 1) {
+ const u8 *pos, *end;
+
+ wpa_printf(MSG_DEBUG, "SAE: TESTING - reflection attack");
+ pos = mgmt->u.auth.variable;
+ end = ((const u8 *) mgmt) + len;
+ send_auth_reply(hapd, mgmt->sa, mgmt->bssid, WLAN_AUTH_SAE,
+ auth_transaction, resp, pos, end - pos);
+ goto remove_sta;
+ }
+#endif /* CONFIG_TESTING_OPTIONS */
 if (!sta->sae) {
 if (auth_transaction != 1 || status_code != WLAN_STATUS_SUCCESS) {
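Review bot: The reflected length `end - pos` in the added block of handle_auth_sae is derived from `len` with no local check that the frame actually extends to `mgmt->u.auth.variable`; if `len` were shorter, the difference would be negative when handed to send_auth_reply() as a length. The caller presumably enforces the minimum frame size before dispatching here, but that is outside this hunk, so either state the assumption in a comment or add `if (end < pos) goto remove_sta;` before the send. The block also sits ahead of the `status_code` test, so a commit with a non-success status is echoed with `resp` still WLAN_STATUS_SUCCESS; if only valid commits are meant to be reflected, extend the condition with `&& status_code == WLAN_STATUS_SUCCESS`. The rest of the function body and the `remove_sta` label are not visible in the hunk.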