Accueil Explorer Aide
S'inscrire Connexion
wareck
/
krackattacks
1
0
Fork 0
Fichiers Tickets 0 Pull Requests 0 Wiki
Parcourir la source

DPP: Protocol testing for invalid Peer Discovery Req/Resp values

Extend dpp_test to allow more invalid attribute values to be written
into Peer Discovery Request/Response frames.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Jouni Malinen il y a 7 ans
Parent
18b8c35b41
commit
4b8de0c929
4 fichiers modifiés avec 100 ajouts et 0 suppressions
Vue séparée Afficher les stats Diff
  1. 25 0
      src/ap/dpp_hostapd.c
  2. 53 0
      src/common/dpp.c
  3. 6 0
      src/common/dpp.h
  4. 16 0
      wpa_supplicant/dpp_supplicant.c

+ 25 - 0
src/ap/dpp_hostapd.c
Voir le fichier 

@@ -943,6 +943,10 @@ static void hostapd_dpp_send_peer_disc_resp(struct hostapd_data *hapd,
 
 		wpa_printf(MSG_INFO, "DPP: TESTING - no Transaction ID");
 
 		goto skip_trans_id;
 
 	}
 
+	if (dpp_test == DPP_TEST_INVALID_TRANSACTION_ID_PEER_DISC_RESP) {
 
+		wpa_printf(MSG_INFO, "DPP: TESTING - invalid Transaction ID");
 
+		trans_id ^= 0x01;
 
+	}
 
 #endif /* CONFIG_TESTING_OPTIONS */
 
 
 	/* Transaction ID */
 
@@ -956,6 +960,10 @@ skip_trans_id:
 
 		wpa_printf(MSG_INFO, "DPP: TESTING - no Status");
 
 		goto skip_status;
 
 	}
 
+	if (dpp_test == DPP_TEST_INVALID_STATUS_PEER_DISC_RESP) {
 
+		wpa_printf(MSG_INFO, "DPP: TESTING - invalid Status");
 
+		status = 254;
 
+	}
 
 #endif /* CONFIG_TESTING_OPTIONS */
 
 
 	/* DPP Status */
 
@@ -969,6 +977,23 @@ skip_status:
 
 		wpa_printf(MSG_INFO, "DPP: TESTING - no Connector");
 
 		goto skip_connector;
 
 	}
 
+	if (status == DPP_STATUS_OK &&
 
+	    dpp_test == DPP_TEST_INVALID_CONNECTOR_PEER_DISC_RESP) {
 
+		char *connector;
 
+
 
+		wpa_printf(MSG_INFO, "DPP: TESTING - invalid Connector");
 
+		connector = dpp_corrupt_connector_signature(
 
+			hapd->conf->dpp_connector);
 
+		if (!connector) {
 
+			wpabuf_free(msg);
 
+			return;
 
+		}
 
+		wpabuf_put_le16(msg, DPP_ATTR_CONNECTOR);
 
+		wpabuf_put_le16(msg, os_strlen(connector));
 
+		wpabuf_put_str(msg, connector);
 
+		os_free(connector);
 
+		goto skip_connector;
 
+	}
 
 #endif /* CONFIG_TESTING_OPTIONS */
 
 
 	/* DPP Connector */

+ 53 - 0
src/common/dpp.c
Voir le fichier 

@@ -7250,3 +7250,56 @@ void dpp_pkex_free(struct dpp_pkex *pkex)
 
 	wpabuf_free(pkex->exchange_resp);
 
 	os_free(pkex);
 
 }
 
+
 
+
 
+#ifdef CONFIG_TESTING_OPTIONS
 
+char * dpp_corrupt_connector_signature(const char *connector)
 
+{
 
+	char *tmp, *pos, *signed3 = NULL;
 
+	unsigned char *signature = NULL;
 
+	size_t signature_len = 0, signed3_len;
 
+
 
+	tmp = os_zalloc(os_strlen(connector) + 5);
 
+	if (!tmp)
 
+		goto fail;
 
+	os_memcpy(tmp, connector, os_strlen(connector));
 
+
 
+	pos = os_strchr(tmp, '.');
 
+	if (!pos)
 
+		goto fail;
 
+
 
+	pos = os_strchr(pos + 1, '.');
 
+	if (!pos)
 
+		goto fail;
 
+	pos++;
 
+
 
+	wpa_printf(MSG_DEBUG, "DPP: Original base64url encoded signature: %s",
 
+		   pos);
 
+	signature = base64_url_decode((const unsigned char *) pos,
 
+				      os_strlen(pos), &signature_len);
 
+	if (!signature || signature_len == 0)
 
+		goto fail;
 
+	wpa_hexdump(MSG_DEBUG, "DPP: Original Connector signature",
 
+		    signature, signature_len);
 
+	signature[signature_len - 1] ^= 0x01;
 
+	wpa_hexdump(MSG_DEBUG, "DPP: Corrupted Connector signature",
 
+		    signature, signature_len);
 
+	signed3 = (char *) base64_url_encode(signature, signature_len,
 
+					     &signed3_len, 0);
 
+	if (!signed3)
 
+		goto fail;
 
+	os_memcpy(pos, signed3, signed3_len);
 
+	pos[signed3_len] = '\0';
 
+	wpa_printf(MSG_DEBUG, "DPP: Corrupted base64url encoded signature: %s",
 
+		   pos);
 
+
 
+out:
 
+	os_free(signature);
 
+	os_free(signed3);
 
+	return tmp;
 
+fail:
 
+	os_free(tmp);
 
+	tmp = NULL;
 
+	goto out;
 
+}
 
+#endif /* CONFIG_TESTING_OPTIONS */

+ 6 - 0
src/common/dpp.h
Voir le fichier 

@@ -303,6 +303,10 @@ enum dpp_test_behavior {
 
 	DPP_TEST_INVALID_STATUS_AUTH_RESP = 74,
 
 	DPP_TEST_INVALID_STATUS_AUTH_CONF = 75,
 
 	DPP_TEST_INVALID_CONFIG_ATTR_OBJ_CONF_REQ = 76,
 
+	DPP_TEST_INVALID_TRANSACTION_ID_PEER_DISC_RESP = 77,
 
+	DPP_TEST_INVALID_STATUS_PEER_DISC_RESP = 78,
 
+	DPP_TEST_INVALID_CONNECTOR_PEER_DISC_RESP = 79,
 
+	DPP_TEST_INVALID_CONNECTOR_PEER_DISC_REQ = 80,
 
 };
 
 
 extern enum dpp_test_behavior dpp_test;
 
@@ -385,4 +389,6 @@ int dpp_pkex_rx_commit_reveal_resp(struct dpp_pkex *pkex, const u8 *hdr,
 
 				   const u8 *buf, size_t len);
 
 void dpp_pkex_free(struct dpp_pkex *pkex);
 
 
+char * dpp_corrupt_connector_signature(const char *connector);
 
+
 
 #endif /* DPP_H */

+ 16 - 0
wpa_supplicant/dpp_supplicant.c
Voir le fichier 

@@ -2131,6 +2131,22 @@ skip_trans_id:
 
 		wpa_printf(MSG_INFO, "DPP: TESTING - no Connector");
 
 		goto skip_connector;
 
 	}
 
+	if (dpp_test == DPP_TEST_INVALID_CONNECTOR_PEER_DISC_REQ) {
 
+		char *connector;
 
+
 
+		wpa_printf(MSG_INFO, "DPP: TESTING - invalid Connector");
 
+		connector = dpp_corrupt_connector_signature(
 
+			ssid->dpp_connector);
 
+		if (!connector) {
 
+			wpabuf_free(msg);
 
+			return -1;
 
+		}
 
+		wpabuf_put_le16(msg, DPP_ATTR_CONNECTOR);
 
+		wpabuf_put_le16(msg, os_strlen(connector));
 
+		wpabuf_put_str(msg, connector);
 
+		os_free(connector);
 
+		goto skip_connector;
 
+	}
 
 #endif /* CONFIG_TESTING_OPTIONS */
 
 
 	/* DPP Connector */