From 6fd347ee1c6f00955f24a86c16fc954a4db1e0b2 Mon Sep 17 00:00:00 2001 From: Mathy Vanhoef Date: Wed, 11 Oct 2023 22:42:55 +0200 Subject: [PATCH] fragattacks: always encrypt EAPOL Request frames When the parameter --rekey-plaintext is used, the rekey 4-way handshake itself should be sent in plaintext. But possible EAPOL Request frames, which ask the AP for a new 4-way handshake, should ideally still be sent using encryption. This patch assures that EAPOL (Rekey) Request frames are always sent encrypted, even when --rekey-plaintext is used. --- research/fraginternals.py | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/research/fraginternals.py b/research/fraginternals.py index ffe387d77..09d054ecd 100644 --- a/research/fraginternals.py +++ b/research/fraginternals.py @@ -535,7 +535,12 @@ class Station(): # - Send with high priority, otherwise Action.AfterAuth might be send before # the EAPOL frame by the Wi-Fi chip. # - Some routers such as the RT-AC51U do the 4-way rekey HS in plaintext. - self.send_mon(eapol, plaintext=self.options.rekey_plaintext) + + plaintext = self.options.rekey_plaintext + if WPA_key in eapol and eapol[WPA_key].key_info & 2048: + plaintext = False + + self.send_mon(eapol, plaintext=plaintext) def perform_actions(self, trigger, **kwargs): result = None
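Review bot: The new Request-bit test `eapol[WPA_key].key_info & 2048` uses a bare magic number and carries no comment, so the reason this one EAPOL-Key frame is exempted from --rekey-plaintext is only recoverable from the commit message. 2048 is 0x0800, bit 11 of the EAPOL-Key Key Information field, which 802.11 defines as the Request bit; name it and record the exemption beside the existing bullet comments, e.g. `KEY_INFO_REQUEST = 0x0800  # EAPOL-Key Key Information bit 11: Request` at module level, `if WPA_key in eapol and eapol[WPA_key].key_info & KEY_INFO_REQUEST:`, and a bullet `# - EAPOL-Key Request frames are always sent encrypted, even with --rekey-plaintext.` so the next reader does not have to decode the mask. The method being edited begins before the hunk, and the trailing perform_actions lines continue past it.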