Home Explore Help
Register Sign In
wareck
/
krackattacks
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

wlantest: Add send command for injecting raw frames

This can be used by external programs (e.g., wlantest_cli) to inject
raw frames (hex dump of the frame header and body). The data can be
requested to be sent as-is or protected with the current key.
Jouni Malinen 14 years ago
parent
b993e77b5b
commit
b3a6d9d400
6 changed files with 250 additions and 5 deletions
Split View Show Diff Stats
  1. 1 1
      src/utils/common.c
  2. 1 0
      src/utils/common.h
  3. 84 0
      wlantest/ctrl.c
  4. 38 4
      wlantest/inject.c
  5. 124 0
      wlantest/wlantest_cli.c
  6. 2 0
      wlantest/wlantest_ctrl.h

+ 1 - 1
src/utils/common.c
View File 

@@ -29,7 +29,7 @@ static int hex2num(char c)
 
 }
 
 
 
-static int hex2byte(const char *hex)
 
+int hex2byte(const char *hex)
 
 {
 
 	int a, b;
 
 	a = hex2num(*hex++);

+ 1 - 0
src/utils/common.h
View File 

@@ -437,6 +437,7 @@ typedef u64 __bitwise le64;
 
 
 int hwaddr_aton(const char *txt, u8 *addr);
 
 int hwaddr_aton2(const char *txt, u8 *addr);
 
+int hex2byte(const char *hex);
 
 int hexstr2bin(const char *hex, u8 *buf, size_t len);
 
 void inc_byte_array(u8 *counter, size_t len);
 
 void wpa_get_ntp_timestamp(u8 *buf);

+ 84 - 0
wlantest/ctrl.c
View File 

@@ -962,6 +962,87 @@ static void ctrl_info_bss(struct wlantest *wt, int sock, u8 *cmd, size_t clen)
 
 }
 
 
 
+static void ctrl_send_(struct wlantest *wt, int sock, u8 *cmd, size_t clen)
 
+{
 
+	struct wlantest_bss *bss;
 
+	struct wlantest_sta *sta;
 
+	u8 *bssid, *sta_addr;
 
+	int prot;
 
+	u8 *frame;
 
+	size_t frame_len;
 
+	int ret = 0;
 
+	struct ieee80211_hdr *hdr;
 
+	u16 fc;
 
+
 
+	frame = attr_get(cmd, clen, WLANTEST_ATTR_FRAME, &frame_len);
 
+	prot = attr_get_int(cmd, clen, WLANTEST_ATTR_INJECT_PROTECTION);
 
+	if (frame == NULL || frame_len < 24 || prot < 0) {
 
+		wpa_printf(MSG_INFO, "Invalid send command parameters");
 
+		ctrl_send_simple(wt, sock, WLANTEST_CTRL_INVALID_CMD);
 
+		return;
 
+	}
 
+
 
+	hdr = (struct ieee80211_hdr *) frame;
 
+	fc = le_to_host16(hdr->frame_control);
 
+	switch (WLAN_FC_GET_TYPE(fc)) {
 
+	case WLAN_FC_TYPE_MGMT:
 
+		bssid = hdr->addr3;
 
+		if (os_memcmp(hdr->addr2, hdr->addr3, ETH_ALEN) == 0)
 
+			sta_addr = hdr->addr1;
 
+		else
 
+			sta_addr = hdr->addr2;
 
+		break;
 
+	case WLAN_FC_TYPE_DATA:
 
+		switch (fc & (WLAN_FC_TODS | WLAN_FC_FROMDS)) {
 
+		case 0:
 
+			bssid = hdr->addr3;
 
+			sta_addr = hdr->addr2;
 
+			break;
 
+		case WLAN_FC_TODS:
 
+			bssid = hdr->addr1;
 
+			sta_addr = hdr->addr2;
 
+			break;
 
+		case WLAN_FC_FROMDS:
 
+			bssid = hdr->addr2;
 
+			sta_addr = hdr->addr1;
 
+			break;
 
+		default:
 
+			wpa_printf(MSG_INFO, "Unsupported inject frame");
 
+			ctrl_send_simple(wt, sock, WLANTEST_CTRL_FAILURE);
 
+			return;
 
+		}
 
+		break;
 
+	default:
 
+		wpa_printf(MSG_INFO, "Unsupported inject frame");
 
+		ctrl_send_simple(wt, sock, WLANTEST_CTRL_FAILURE);
 
+		return;
 
+	}
 
+
 
+	bss = bss_find(wt, bssid);
 
+	if (bss == NULL) {
 
+		wpa_printf(MSG_INFO, "Unknown BSSID");
 
+		ctrl_send_simple(wt, sock, WLANTEST_CTRL_FAILURE);
 
+		return;
 
+	}
 
+
 
+	sta = sta_find(bss, sta_addr);
 
+	if (sta == NULL) {
 
+		wpa_printf(MSG_INFO, "Unknown STA address");
 
+		ctrl_send_simple(wt, sock, WLANTEST_CTRL_FAILURE);
 
+		return;
 
+	}
 
+
 
+	ret = wlantest_inject(wt, bss, sta, frame, frame_len, prot);
 
+
 
+	if (ret)
 
+		wpa_printf(MSG_INFO, "Failed to inject frame");
 
+	else
 
+		wpa_printf(MSG_INFO, "Frame injected successfully");
 
+	ctrl_send_simple(wt, sock, ret == 0 ? WLANTEST_CTRL_SUCCESS :
 
+			 WLANTEST_CTRL_FAILURE);
 
+}
 
+
 
+
 
 static void ctrl_read(int sock, void *eloop_ctx, void *sock_ctx)
 
 {
 
 	struct wlantest *wt = eloop_ctx;
 
@@ -1036,6 +1117,9 @@ static void ctrl_read(int sock, void *eloop_ctx, void *sock_ctx)
 
 	case WLANTEST_CTRL_INFO_BSS:
 
 		ctrl_info_bss(wt, sock, buf + 4, len - 4);
 
 		break;
 
+	case WLANTEST_CTRL_SEND:
 
+		ctrl_send_(wt, sock, buf + 4, len - 4);
 
+		break;
 
 	default:
 
 		ctrl_send_simple(wt, sock, WLANTEST_CTRL_UNKNOWN_CMD);
 
 		break;

+ 38 - 4
wlantest/inject.c
View File 

@@ -209,12 +209,37 @@ static int wlantest_inject_prot(struct wlantest *wt, struct wlantest_bss *bss,
 
 	int tid = 0;
 
 	u8 *qos = NULL;
 
 	int hdrlen;
 
+	struct wlantest_tdls *tdls = NULL;
 
+	const u8 *tk = NULL;
 
 
 	hdr = (struct ieee80211_hdr *) frame;
 
 	hdrlen = 24;
 
 	fc = le_to_host16(hdr->frame_control);
 
 
-	if (sta == NULL) {
 
+	if ((fc & (WLAN_FC_TODS | WLAN_FC_FROMDS)) == 0) {
 
+		struct wlantest_sta *sta2;
 
+		bss = bss_get(wt, hdr->addr3);
 
+		if (bss == NULL)
 
+			return -1;
 
+		sta = sta_find(bss, hdr->addr2);
 
+		sta2 = sta_find(bss, hdr->addr1);
 
+		if (sta == NULL || sta2 == NULL)
 
+			return -1;
 
+		dl_list_for_each(tdls, &bss->tdls, struct wlantest_tdls, list)
 
+		{
 
+			if ((tdls->init == sta && tdls->resp == sta2) ||
 
+			    (tdls->init == sta2 && tdls->resp == sta)) {
 
+				if (!tdls->link_up)
 
+					wpa_printf(MSG_DEBUG, "TDLS: Link not "
 
+						   "up, but injecting Data "
 
+						   "frame on direct link");
 
+				tk = tdls->tpk.tk;
 
+				break;
 
+			}
 
+		}
 
+	}
 
+
 
+	if (tk == NULL && sta == NULL) {
 
 		if (WLAN_FC_GET_TYPE(fc) == WLAN_FC_TYPE_MGMT)
 
 			return wlantest_inject_bip(wt, bss, frame, len,
 
 						   incorrect_key);
 
@@ -222,7 +247,7 @@ static int wlantest_inject_prot(struct wlantest *wt, struct wlantest_bss *bss,
 
 					       incorrect_key);
 
 	}
 
 
-	if (!sta->ptk_set)
 
+	if (tk == NULL && !sta->ptk_set)
 
 		return -1;
 
 
 	if (WLAN_FC_GET_TYPE(fc) == WLAN_FC_TYPE_MGMT)
 
@@ -237,14 +262,23 @@ static int wlantest_inject_prot(struct wlantest *wt, struct wlantest_bss *bss,
 
 			tid = qos[0] & 0x0f;
 
 		}
 
 	}
 
-	if (os_memcmp(hdr->addr2, bss->bssid, ETH_ALEN) == 0)
 
+	if (tk) {
 
+		if (os_memcmp(hdr->addr2, tdls->init->addr, ETH_ALEN) == 0)
 
+			pn = tdls->rsc_init[tid];
 
+		else
 
+			pn = tdls->rsc_resp[tid];
 
+	} else if (os_memcmp(hdr->addr2, bss->bssid, ETH_ALEN) == 0)
 
 		pn = sta->rsc_fromds[tid];
 
 	else
 
 		pn = sta->rsc_tods[tid];
 
 	inc_byte_array(pn, 6);
 
 
 	os_memset(dummy, 0x11, sizeof(dummy));
 
-	if (sta->pairwise_cipher == WPA_CIPHER_TKIP)
 
+	if (tk) 
+		crypt = ccmp_encrypt(incorrect_key ? dummy : tk,
 
+				     frame, len, hdrlen, qos, pn, 0,
 
+				     &crypt_len);
 
+	else if (sta->pairwise_cipher == WPA_CIPHER_TKIP)
 
 		crypt = tkip_encrypt(incorrect_key ? dummy : sta->ptk.tk1,
 
 				     frame, len, hdrlen, qos, pn, 0,
 
 				     &crypt_len);

+ 124 - 0
wlantest/wlantest_cli.c
View File 

@@ -817,6 +817,127 @@ static char ** complete_inject(int s, const char *str, int pos)
 
 }
 
 
 
+static u8 * add_hex(u8 *pos, u8 *end, const char *str)
 
+{
 
+	const char *s;
 
+	int val;
 
+
 
+	s = str;
 
+	while (*s) {
 
+		while (*s == ' ' || *s == '\t' || *s == '\r' || *s == '\n' ||
 
+		       *s == ':')
 
+			s++;
 
+		if (*s == '\0')
 
+			break;
 
+		if (*s == '#') {
 
+			while (*s != '\0' && *s != '\r' && *s != '\n')
 
+				s++;
 
+			continue;
 
+		}
 
+
 
+		val = hex2byte(s);
 
+		if (val < 0) {
 
+			printf("Invalid hex encoding '%s'\n", s);
 
+			return NULL;
 
+		}
 
+		if (pos == end) {
 
+			printf("Too long frame\n");
 
+			return NULL;
 
+		}
 
+		*pos++ = val;
 
+		s += 2;
 
+	}
 
+
 
+	return pos;
 
+}
 
+
 
+
 
+static int cmd_send(int s, int argc, char *argv[])
 
+{
 
+	u8 resp[WLANTEST_CTRL_MAX_RESP_LEN];
 
+	u8 buf[WLANTEST_CTRL_MAX_CMD_LEN], *end, *pos, *len_pos;
 
+	int rlen;
 
+	enum wlantest_inject_protection prot;
 
+	int arg;
 
+
 
+	/* <prot> <raw frame as hex dump> */
 
+
 
+	if (argc < 2) {
 
+		printf("send needs two arguments: protected/unprotected, "
 
+		       "raw frame as hex dump\n");
 
+		return -1;
 
+	}
 
+
 
+	pos = buf;
 
+	end = buf + sizeof(buf);
 
+	WPA_PUT_BE32(pos, WLANTEST_CTRL_SEND);
 
+	pos += 4;
 
+
 
+	if (os_strcasecmp(argv[0], "normal") == 0)
 
+		prot = WLANTEST_INJECT_NORMAL;
 
+	else if (os_strcasecmp(argv[0], "protected") == 0)
 
+		prot = WLANTEST_INJECT_PROTECTED;
 
+	else if (os_strcasecmp(argv[0], "unprotected") == 0)
 
+		prot = WLANTEST_INJECT_UNPROTECTED;
 
+	else if (os_strcasecmp(argv[0], "incorrect") == 0)
 
+		prot = WLANTEST_INJECT_INCORRECT_KEY;
 
+	else {
 
+		printf("Unknown protection type '%s'\n", argv[1]);
 
+		printf("Protection types: normal protected unprotected "
 
+		       "incorrect\n");
 
+		return -1;
 
+	}
 
+	pos = attr_add_be32(pos, end, WLANTEST_ATTR_INJECT_PROTECTION, prot);
 
+
 
+	WPA_PUT_BE32(pos, WLANTEST_ATTR_FRAME);
 
+	pos += 4;
 
+	len_pos = pos;
 
+	pos += 4;
 
+
 
+	for (arg = 1; pos && arg < argc; arg++)
 
+		pos = add_hex(pos, end, argv[arg]);
 
+	if (pos == NULL)
 
+		return -1;
 
+
 
+	WPA_PUT_BE32(len_pos, pos - len_pos - 4);
 
+
 
+	rlen = cmd_send_and_recv(s, buf, pos - buf, resp, sizeof(resp));
 
+	if (rlen < 0)
 
+		return -1;
 
+	printf("OK\n");
 
+	return 0;
 
+}
 
+
 
+
 
+static char ** complete_send(int s, const char *str, int pos)
 
+{
 
+	int arg = get_cmd_arg_num(str, pos);
 
+	char **res = NULL;
 
+
 
+	switch (arg) {
 
+	case 1:
 
+		res = os_zalloc(5 * sizeof(char *));
 
+		if (res == NULL)
 
+			break;
 
+		res[0] = os_strdup("normal");
 
+		if (res[0] == NULL)
 
+			break;
 
+		res[1] = os_strdup("protected");
 
+		if (res[1] == NULL)
 
+			break;
 
+		res[2] = os_strdup("unprotected");
 
+		if (res[2] == NULL)
 
+			break;
 
+		res[3] = os_strdup("incorrect");
 
+		if (res[3] == NULL)
 
+			break;
 
+		break;
 
+	}
 
+
 
+	return res;
 
+}
 
+
 
+
 
 static int cmd_version(int s, int argc, char *argv[])
 
 {
 
 	u8 resp[WLANTEST_CTRL_MAX_RESP_LEN];
 
@@ -1121,6 +1242,9 @@ static const struct wlantest_cli_cmd wlantest_cli_commands[] = {
 
 	{ "inject", cmd_inject,
 
 	  "<frame> <prot> <sender> <BSSID> <STA/ff:ff:ff:ff:ff:ff>",
 
 	  complete_inject },
 
+	{ "send", cmd_send,
 
+	  "<prot> <raw frame as hex dump>",
 
+	  complete_send },
 
 	{ "version", cmd_version, "= get wlantest version", NULL },
 
 	{ "add_passphrase", cmd_add_passphrase,
 
 	  "<passphrase> = add a known passphrase", NULL },

+ 2 - 0
wlantest/wlantest_ctrl.h
View File 

@@ -38,6 +38,7 @@ enum wlantest_ctrl_cmd {
 
 	WLANTEST_CTRL_ADD_PASSPHRASE,
 
 	WLANTEST_CTRL_INFO_STA,
 
 	WLANTEST_CTRL_INFO_BSS,
 
+	WLANTEST_CTRL_SEND,
 
 };
 
 
 enum wlantest_ctrl_attr {
 
@@ -54,6 +55,7 @@ enum wlantest_ctrl_attr {
 
 	WLANTEST_ATTR_STA_INFO,
 
 	WLANTEST_ATTR_BSS_INFO,
 
 	WLANTEST_ATTR_INFO,
 
+	WLANTEST_ATTR_FRAME,
 
 };
 
 
 enum wlantest_bss_counter {