From patchwork Thu May 2 09:32:17 2013
X-Patchwork-Submitter: Johannes Berg
X-Patchwork-Id: 240915
From: Johannes Berg To: hostap@lists.shmoo.com Subject: [PATCH] hostapd: add GTK MIC corruption test option Date: Thu, 2 May 2013 11:32:17 +0200 Message-Id: <1367487137-6563-1-git-send-email-johannes@sipsolutions.net> X-Mailer: git-send-email 1.8.0 Cc: Johannes Berg X-BeenThere: hostap@lists.shmoo.com X-Mailman-Version: 2.1.11 Precedence: list List-Id: HostAP Project List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Sender: hostap-bounces@lists.shmoo.com Errors-To: hostap-bounces@lists.shmoo.com From: Johannes Berg For some testing it can be useful to force the GTK MIC to be corrupt. Add an option to allow setting a probability for corrupting the key MIC and use it in the WPA code, increasing the first byte of the MIC by one to corrupt it if desired. Change-Id: Ibb729cda701ea2445d2702629f38472eaf210499 Signed-hostap: Johannes Berg --- hostapd/config_file.c | 1 + hostapd/hostapd.conf | 3 +++ src/ap/ap_config.c | 1 + src/ap/ap_config.h | 1 + src/ap/wpa_auth.c | 9 +++++++++ src/ap/wpa_auth.h | 3 +++ src/ap/wpa_auth_glue.c | 9 +++++++-- 7 files changed, 25 insertions(+), 2 deletions(-) diff --git a/hostapd/config_file.c b/hostapd/config_file.c index 21104d3..62136ca 100644 --- a/hostapd/config_file.c +++ b/hostapd/config_file.c @@ -2893,6 +2893,7 @@ static int hostapd_config_fill(struct hostapd_config *conf, PARSE_TEST_PROBABILITY(ignore_auth_probability) PARSE_TEST_PROBABILITY(ignore_assoc_probability) PARSE_TEST_PROBABILITY(ignore_reassoc_probability) + PARSE_TEST_PROBABILITY(corrupt_gtk_rekey_mic_probability) #endif /* CONFIG_TESTING_OPTIONS */ } else if (os_strcmp(buf, "vendor_elements") == 0) { struct wpabuf *elems; diff --git a/hostapd/hostapd.conf b/hostapd/hostapd.conf index 6a1c500..442807d 100644 --- a/hostapd/hostapd.conf +++ b/hostapd/hostapd.conf 
@@ -1540,6 +1540,9 @@ own_ip_addr=127.0.0.1 # # Ignore reassociation requests with the given probability #ignore_reassoc_probability=0.0 +# +# Corrupt GTK rekey packets (by ...) with the given probability +#corrupt_gtk_rekey_mic_probability=0.0 ##### Multiple BSSID support ################################################## # diff --git a/src/ap/ap_config.c b/src/ap/ap_config.c index 70b26a6..7ab86fc 100644 --- a/src/ap/ap_config.c +++ b/src/ap/ap_config.c @@ -168,6 +168,7 @@ struct hostapd_config * hostapd_config_defaults(void) conf->ignore_auth_probability = 0.0d; conf->ignore_assoc_probability = 0.0d; conf->ignore_reassoc_probability = 0.0d; + conf->corrupt_gtk_rekey_mic_probability = 0.0d; #endif /* CONFIG_TESTING_OPTIONS */ return conf; diff --git a/src/ap/ap_config.h b/src/ap/ap_config.h index f9629a2..16134da 100644 --- a/src/ap/ap_config.h +++ b/src/ap/ap_config.h @@ -526,6 +526,7 @@ struct hostapd_config { double ignore_auth_probability; double ignore_assoc_probability; double ignore_reassoc_probability; + double corrupt_gtk_rekey_mic_probability; #endif /* CONFIG_TESTING_OPTIONS */ }; diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c index 4ecae2d..dfe0354 100644 --- a/src/ap/wpa_auth.c +++ b/src/ap/wpa_auth.c @@ -1347,6 +1347,15 @@ void __wpa_send_eapol(struct wpa_authenticator *wpa_auth, } wpa_eapol_key_mic(sm->PTK.kck, version, (u8 *) hdr, len, key->key_mic); +#ifdef CONFIG_TESTING_OPTIONS + if (!pairwise && + wpa_auth->conf.corrupt_gtk_rekey_mic_probability > 0.0d && + drand48() < wpa_auth->conf.corrupt_gtk_rekey_mic_probability) { + wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO, + "Corrupting GTK MIC"); + key->key_mic[0]++; + } +#endif } wpa_auth_set_eapol(sm->wpa_auth, sm->addr, WPA_EAPOL_inc_EapolFramesTx, diff --git a/src/ap/wpa_auth.h b/src/ap/wpa_auth.h index 465eec6..8dc6a6f 100644 --- a/src/ap/wpa_auth.h +++ b/src/ap/wpa_auth.h 
@@ -160,6 +160,9 @@ struct wpa_auth_config { #endif /* CONFIG_IEEE80211R */ int disable_gtk; int ap_mlme; +#ifdef CONFIG_TESTING_OPTIONS + double corrupt_gtk_rekey_mic_probability; +#endif }; typedef enum { diff --git a/src/ap/wpa_auth_glue.c b/src/ap/wpa_auth_glue.c index fdaaaff..fc2c1d0 100644 --- a/src/ap/wpa_auth_glue.c +++ b/src/ap/wpa_auth_glue.c @@ -28,6 +28,7 @@ static void hostapd_wpa_auth_conf(struct hostapd_bss_config *conf, + struct hostapd_config *iconf, struct wpa_auth_config *wconf) { os_memset(wconf, 0, sizeof(*wconf)); @@ -74,6 +75,10 @@ static void hostapd_wpa_auth_conf(struct hostapd_bss_config *conf, #ifdef CONFIG_HS20 wconf->disable_gtk = conf->disable_dgaf; #endif /* CONFIG_HS20 */ +#ifdef CONFIG_TESTING_OPTIONS + wconf->corrupt_gtk_rekey_mic_probability = + iconf->corrupt_gtk_rekey_mic_probability; +#endif } @@ -509,7 +514,7 @@ int hostapd_setup_wpa(struct hostapd_data *hapd) const u8 *wpa_ie; size_t wpa_ie_len; - hostapd_wpa_auth_conf(hapd->conf, &_conf); + hostapd_wpa_auth_conf(hapd->conf, hapd->iconf, &_conf); if (hapd->iface->drv_flags & WPA_DRIVER_FLAGS_EAPOL_TX_STATUS) _conf.tx_status = 1; if (hapd->iface->drv_flags & WPA_DRIVER_FLAGS_AP_MLME) @@ -583,7 +588,7 @@ int hostapd_setup_wpa(struct hostapd_data *hapd) void hostapd_reconfig_wpa(struct hostapd_data *hapd) { struct wpa_auth_config wpa_auth_conf; - hostapd_wpa_auth_conf(hapd->conf, &wpa_auth_conf); + hostapd_wpa_auth_conf(hapd->conf, hapd->iconf, &wpa_auth_conf); wpa_reconfig(hapd->wpa_auth, &wpa_auth_conf); }
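Review bot: in the hostapd/hostapd.conf hunk the added comment still contains the placeholder "(by ...)", so the sample configuration does not say how the frame is corrupted. The commit message already has the answer (the first byte of the MIC is increased by one); a comment along the lines of "Corrupt the Key MIC of GTK rekey frames (by incrementing its first octet) with the given probability" would document it. Since the matching PARSE_TEST_PROBABILITY line in config_file.c sits before "#endif /* CONFIG_TESTING_OPTIONS */", the comment could also say that the option is only parsed in builds with CONFIG_TESTING_OPTIONS.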
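Review bot: in the src/ap/ap_config.c hunk the added default is written "0.0d", which matches the three lines above it, but the "d" suffix is a GCC extension and not ISO C, so this line adds one more spot that a stricter compiler will reject. A plain "0.0" is already a double constant; the same applies to the "> 0.0d" comparison added in src/ap/wpa_auth.c.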
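Review bot: in the src/ap/wpa_auth.c hunk the only frame selector is "!pairwise", so every non-pairwise EAPOL-Key frame that reaches this MIC computation is a candidate for corruption, while the option name and the hostapd.conf text say "GTK rekey" only. If group-key frames other than rekeys pass through this path, either narrow the condition or word the option and its documentation to match what is actually selected. Two smaller points: drand48() is called directly and no seeding is visible in this patch, so a comment should say where the generator is seeded or that a repeatable sequence is intended for tests; and the closing "#endif" lacks the "/* CONFIG_TESTING_OPTIONS */" comment that the other #endif lines in this patch carry.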
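Review bot: in the src/ap/wpa_auth_glue.c hunks the new "iconf" parameter of hostapd_wpa_auth_conf() is read only inside "#ifdef CONFIG_TESTING_OPTIONS", so in a build without that option the function takes an argument it never uses, and both callers (hostapd_setup_wpa() and hostapd_reconfig_wpa()) pass hapd->iconf for nothing. A short comment on the parameter, and declaring it const since it is only read, would make that intent clear. The value is also taken from struct hostapd_config rather than struct hostapd_bss_config, so it is copied unchanged into the wpa_auth_config built for each BSS; the hostapd.conf text should say that the probability is not a per-BSS setting. The bare "#endif" added here sits directly after "#endif /* CONFIG_HS20 */" and should carry the same kind of comment.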