From 5ed2ba7e068ea5e2996299bb384a8be6c03ab5d2 Mon Sep 17 00:00:00 2001
From: Mathy Vanhoef
Date: Tue, 20 Oct 2020 14:33:09 +0400
Subject: [PATCH] fragattack: fix SSP to SPP
---
research/README.md | 8 ++++----
research/fragattack.py | 2 +-
research/fraginternals.py | 2 +-
3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/research/README.md b/research/README.md
index d498ca68f..707577055 100644
--- a/research/README.md
+++ b/research/README.md
@@ -249,7 +249,7 @@ device and are further discussed below the table.
 | `ping-frag-sep` | Send a normal fragmented ping with fragments separated by another frame.
 | `ping-frag-sep --pn-per-qos` | Same as above, but also works if the target only accepts consecutive PNs. |
*A-MSDU attacks (§3)*
-| `ping I,E --amsdu` | Send a ping encapsulated in a normal (non SSP protected) A-MSDU frame. +| `ping I,E --amsdu` | Send a ping encapsulated in a normal (non SPP protected) A-MSDU frame. |
*Mixed key attacks (§4)*
| `ping I,F,BE,AE` | Inject two fragments encrypted under a different key.
 | `ping I,F,BE,AE --pn-per-qos` | Same as above, but also works if the target only accepts consecutive PNs.
@@ -306,7 +306,7 @@ include) these reference CVEs as a way to easily refer to each type of discovere
 ## 7.2. A-MSDU attack tests (§3 -- CVE-2020-24588)
 The test `ping I,E --amsdu` checks if an implementation supports A-MSDUs, in which case it is vulnerable to
-attacks. To prevent attacks, the network must mandate the usage of SSP A-MSDUs (and drop all non-SSP A-MSDUs).
+attacks. To prevent attacks, the network must mandate the usage of SPP A-MSDUs (and drop all non-SPP A-MSDUs).
 It's currently unclear how to prevent this attack in a backward-compatible manner. See Section 3 of the paper for details.
@@ -461,7 +461,7 @@ presence of a certain vulnerability class, there is no need to test the other at
 | -------------------------------------- | --------------------------------- |
*A-MSDU attacks (§3)*
| `ping I,E --amsdu-fake` | If this test succeeds, the A-MSDU flag is ignored (§3.5). -| `ping I,E --amsdu-fake --amsdu-ssp` | Check if the A-MSDU flag is authenticated but then ignored (§3.5). +| `ping I,E --amsdu-fake --amsdu-spp` | Check if the A-MSDU flag is authenticated but then ignored (§3.5). | `amsdu-inject` | Send A-MSDU frame whose start is also a valid LLC/SNAP header (§3.2). | `amsdu-inject-bad` | Same as above, but against targets that incorrectly parse the frame. |
*Mixed key attacks (§4)*
@@ -501,7 +501,7 @@ understand how the tested device handles A-MSDU frames:
 support A-MSDU frames). This behaviour is not ideal, although it is unlikely that an attacker can abuse this in practice (see Section 3.5 in the paper).
-- `ping I,E --amsdu-fake --amsdu-ssp`: If this tests succeeds, the receiver authenticates the QoS A-MSDU flag of every
+- `ping I,E --amsdu-fake --amsdu-spp`: If this tests succeeds, the receiver authenticates the QoS A-MSDU flag of every
 received frame (i.e. it will not mask it to zero on reception) but then treats all received frames as normal frames (meaning it does not support the reception of real A-MSDU frames). This behaviour is not ideal, although it is unlikely that an attacker can abuse this in practice (see Section 3.5 in the paper).
diff --git a/research/fragattack.py b/research/fragattack.py
index cb8fd0cec..b0f25a935 100755
--- a/research/fragattack.py
+++ b/research/fragattack.py
@@ -181,7 +181,7 @@ if __name__ == "__main__":
 parser.add_argument('--inc-pn', type=int, help="To test non-sequential packet number in fragments.")
 parser.add_argument('--amsdu', default=False, action='store_true', help="Encapsulate pings in an A-MSDU frame.")
 parser.add_argument('--amsdu-fake', default=False, action='store_true', help="Set A-MSDU flag but include normal payload.")
- parser.add_argument('--amsdu-ssp', default=False, action='store_true', help="Force authentication of QoS A-MSDU flag.")
+ parser.add_argument('--amsdu-spp', '--amsdu-ssp', default=False, action='store_true', help="Force authentication of QoS A-MSDU flag.")
 parser.add_argument('--arp', default=False, action='store_true', help="Override default request with ARP request.")
 parser.add_argument('--dhcp', default=False, action='store_true', help="Override default request with DHCP discover.")
 parser.add_argument('--icmp', default=False, action='store_true', help="Override default request with ICMP ping request.")
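Review bot: The help string on the changed `add_argument` line still reads "Force authentication of QoS A-MSDU flag." and says nothing about the retained `--amsdu-ssp` spelling, so `--help` will list two names for the option with no hint that one is a legacy alias. Suggest `help="Force authentication of the QoS A-MSDU flag (SPP A-MSDU); --amsdu-ssp is a deprecated alias."`. argparse derives the attribute name from the first long option string, so this line yields `options.amsdu_spp`, which matches what the fraginternals.py hunk reads; any other reader of `options.amsdu_ssp` outside these hunks would now fail with AttributeError, which cannot be verified from the diff alone. The `if __name__ == "__main__":` block this line belongs to starts before and continues past the hunk.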
diff --git a/research/fraginternals.py b/research/fraginternals.py
index 7b87fea4b..414f3cc4c 100644
--- a/research/fraginternals.py
+++ b/research/fraginternals.py
@@ -441,7 +441,7 @@ class Station():
 # TODO: Implement and test this function
 encrypted = encrypt_tkip(frame, key, self.pn[idx], keyid)
 elif len(key) == 16:
- encrypted = encrypt_ccmp(frame, key, self.pn[idx], keyid, self.options.amsdu_ssp)
+ encrypted = encrypt_ccmp(frame, key, self.pn[idx], keyid, self.options.amsdu_spp)
 else:
 encrypted = encrypt_wep(frame, key, self.pn[idx], keyid)
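Review bot: The changed `encrypt_ccmp(...)` call passes `self.options.amsdu_spp` as a bare positional boolean, and nothing at the call site says what it changes, so a reader has to go back to the CLI parser to learn that it forces the QoS A-MSDU flag to be authenticated. Suggest a comment above the line: `# amsdu_spp (--amsdu-spp): have the QoS A-MSDU flag covered by the frame's authentication (SPP A-MSDU)`. The dispatch selects CCMP only for `len(key) == 16`, so the option takes effect on the CCMP-128 path alone as far as this hunk shows; the TKIP branch above it is still marked `# TODO: Implement and test this function` and does not receive the flag, and the `if` condition that starts that branch lies outside the hunk, as does the rest of the enclosing `Station` method.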