From patchwork Tue Aug 25 15:48:06 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Thomas Pedersen X-Patchwork-Id: 1351148 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (no SPF record) smtp.mailfrom=lists.infradead.org (client-ip=2001:8b0:10b:1231::1; helo=merlin.infradead.org; envelope-from=hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org; receiver=) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=adapt-ip.com Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; secure) header.d=lists.infradead.org header.i=@lists.infradead.org header.a=rsa-sha256 header.s=merlin.20170209 header.b=qaPKJ4Mt; dkim-atps=neutral Received: from merlin.infradead.org (merlin.infradead.org [IPv6:2001:8b0:10b:1231::1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4BbYMC4B70z9sSP for ; Wed, 26 Aug 2020 01:49:11 +1000 (AEST) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=merlin.20170209; h=Sender:Content-Transfer-Encoding: Content-Type:Cc:List-Subscribe:List-Help:List-Post:List-Archive: List-Unsubscribe:List-Id:MIME-Version:Message-Id:Date:Subject:To:From: Reply-To:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender :Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Owner; bh=2gJihdm4jv4V66SqA+sGOFgyGRbNOIkXP+n+B1zT4mU=; b=qaPKJ4MtO/hBn9wdTSDnasaNd/ 7BPt1sqROer6BIZ4Grnhem24UapDOlAJtc4T/rZjvIrxEriaXvWHr5uDb0GmeEK1CWMbss3OX4U7d lczjAarsLw4ONuNH3j2b5I+1rOUePXLhUX+9sDxN1diNMia6YN+MqdWEKD7A7FFR2D9ITTpzG3z3t Pvk81+mcUf8UBLKz+5rDT7vThIhdW1QmsQyJlH/6oPWxdQPJO/QyRSlxotMao5QjSesMCZcqj+K3g OejQGC/GOv52cIp77ViIAD6pQhsvtidUgRKd50V6dAeDDOoUrJp9xpuCJzLl4ybQgSAXFl+VlfNbC acx8QVeQ==; Received: from localhost ([::1] helo=merlin.infradead.org) by merlin.infradead.org with esmtp (Exim 4.92.3 #3 (Red Hat Linux)) id 1kAbBI-0002Gj-B5; Tue, 25 Aug 2020 15:48:16 +0000 Received: from mail.adapt-ip.com ([173.164.178.19] helo=web.adapt-ip.com) by merlin.infradead.org with esmtps (Exim 4.92.3 #3 (Red Hat Linux)) id 1kAbBF-0002Fp-HJ for hostap@lists.infradead.org; Tue, 25 Aug 2020 15:48:14 +0000 Received: from localhost (localhost [127.0.0.1]) by web.adapt-ip.com (Postfix) with ESMTP id 3E02C4F774A; Tue, 25 Aug 2020 15:48:10 +0000 (UTC) X-Virus-Scanned: Debian amavisd-new at web.adapt-ip.com Received: from web.adapt-ip.com ([127.0.0.1]) by localhost (web.adapt-ip.com [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id eJyOFQn1RpuU; Tue, 25 Aug 2020 15:48:07 +0000 (UTC) Received: from localhost.localdomain (unknown [104.220.176.67]) (Authenticated sender: thomas@adapt-ip.com) by web.adapt-ip.com (Postfix) with ESMTPSA id 7BB624F73DB; Tue, 25 Aug 2020 15:48:07 +0000 (UTC) From: Thomas Pedersen To: hostap Subject: [PATCH] ap: reflect status code in SAE reflection attack Date: Tue, 25 Aug 2020 08:48:06 -0700 Message-Id: <20200825154806.17257-1-thomas@adapt-ip.com> X-Mailer: git-send-email 2.20.1 MIME-Version: 1.0 X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20200825_114813_677944_3F150727 X-CRM114-Status: GOOD ( 10.90 ) X-Spam-Score: 0.0 (/) X-Spam-Report: SpamAssassin version 3.4.4 on merlin.infradead.org summary: Content analysis details: (0.0 points) pts rule name description ---- ---------------------- -------------------------------------------------- -0.0 SPF_PASS SPF: sender matches SPF record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record X-BeenThere: hostap@lists.infradead.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Jouni Malinen , Thomas Pedersen Sender: "Hostap" Errors-To: hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org When testing SAE reflection, the incoming commit may have the H2E status code (0x7e), but the AP was always sending back status code 0. The STA would then reject the commit response due to expecting H2E status code. Just reflect the incoming status code so the commit can be rejected based on the SAE contents. Signed-off-by: Thomas Pedersen --- src/ap/ieee802_11.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c index c98e77103106..f9b9f3f82b46 100644 --- a/src/ap/ieee802_11.c +++ b/src/ap/ieee802_11.c @@ -1241,6 +1241,7 @@ static void handle_auth_sae(struct hostapd_data *hapd, struct sta_info *sta, wpa_printf(MSG_DEBUG, "SAE: TESTING - reflection attack"); pos = mgmt->u.auth.variable; end = ((const u8 *) mgmt) + len; + resp = status_code; send_auth_reply(hapd, sta, mgmt->sa, mgmt->bssid, WLAN_AUTH_SAE, auth_transaction, resp, pos, end - pos, "auth-sae-reflection-attack");