From b3a6d9d40064e15720c3bbd6cfbfbf970a770a03 Mon Sep 17 00:00:00 2001 From: Jouni Malinen Date: Thu, 16 Dec 2010 16:11:54 +0200 Subject: [PATCH] wlantest: Add send command for injecting raw frames This can be used by external programs (e.g., wlantest_cli) to inject raw frames (hex dump of the frame header and body). The data can be requested to be sent as-is or protected with the current key. --- src/utils/common.c | 2 +- src/utils/common.h | 1 + wlantest/ctrl.c | 84 ++++++++++++++++++++++++++ wlantest/inject.c | 42 +++++++++++-- wlantest/wlantest_cli.c | 124 +++++++++++++++++++++++++++++++++++++++ wlantest/wlantest_ctrl.h | 2 + 6 files changed, 250 insertions(+), 5 deletions(-) diff --git a/src/utils/common.c b/src/utils/common.c index 1b8ea80e7..718be4ae0 100644 --- a/src/utils/common.c +++ b/src/utils/common.c @@ -29,7 +29,7 @@ static int hex2num(char c) } -static int hex2byte(const char *hex) +int hex2byte(const char *hex) { int a, b; a = hex2num(*hex++); diff --git a/src/utils/common.h b/src/utils/common.h index babfc7b2a..4b50b2b44 100644 --- a/src/utils/common.h +++ b/src/utils/common.h @@ -437,6 +437,7 @@ typedef u64 __bitwise le64; int hwaddr_aton(const char *txt, u8 *addr); int hwaddr_aton2(const char *txt, u8 *addr); +int hex2byte(const char *hex); int hexstr2bin(const char *hex, u8 *buf, size_t len); void inc_byte_array(u8 *counter, size_t len); void wpa_get_ntp_timestamp(u8 *buf); diff --git a/wlantest/ctrl.c b/wlantest/ctrl.c index d5c71486a..01449cbb5 100644 --- a/wlantest/ctrl.c +++ b/wlantest/ctrl.c @@ -962,6 +962,87 @@ static void ctrl_info_bss(struct wlantest *wt, int sock, u8 *cmd, size_t clen) } +static void ctrl_send_(struct wlantest *wt, int sock, u8 *cmd, size_t clen) +{ + struct wlantest_bss *bss; + struct wlantest_sta *sta; + u8 *bssid, *sta_addr; + int prot; + u8 *frame; + size_t frame_len; + int ret = 0; + struct ieee80211_hdr *hdr; + u16 fc; + + frame = attr_get(cmd, clen, WLANTEST_ATTR_FRAME, &frame_len); + prot = attr_get_int(cmd, clen, WLANTEST_ATTR_INJECT_PROTECTION); + if (frame == NULL || frame_len < 24 || prot < 0) { + wpa_printf(MSG_INFO, "Invalid send command parameters"); + ctrl_send_simple(wt, sock, WLANTEST_CTRL_INVALID_CMD); + return; + } + + hdr = (struct ieee80211_hdr *) frame; + fc = le_to_host16(hdr->frame_control); + switch (WLAN_FC_GET_TYPE(fc)) { + case WLAN_FC_TYPE_MGMT: + bssid = hdr->addr3; + if (os_memcmp(hdr->addr2, hdr->addr3, ETH_ALEN) == 0) + sta_addr = hdr->addr1; + else + sta_addr = hdr->addr2; + break; + case WLAN_FC_TYPE_DATA: + switch (fc & (WLAN_FC_TODS | WLAN_FC_FROMDS)) { + case 0: + bssid = hdr->addr3; + sta_addr = hdr->addr2; + break; + case WLAN_FC_TODS: + bssid = hdr->addr1; + sta_addr = hdr->addr2; + break; + case WLAN_FC_FROMDS: + bssid = hdr->addr2; + sta_addr = hdr->addr1; + break; + default: + wpa_printf(MSG_INFO, "Unsupported inject frame"); + ctrl_send_simple(wt, sock, WLANTEST_CTRL_FAILURE); + return; + } + break; + default: + wpa_printf(MSG_INFO, "Unsupported inject frame"); + ctrl_send_simple(wt, sock, WLANTEST_CTRL_FAILURE); + return; + } + + bss = bss_find(wt, bssid); + if (bss == NULL) { + wpa_printf(MSG_INFO, "Unknown BSSID"); + ctrl_send_simple(wt, sock, WLANTEST_CTRL_FAILURE); + return; + } + + sta = sta_find(bss, sta_addr); + if (sta == NULL) { + wpa_printf(MSG_INFO, "Unknown STA address"); + ctrl_send_simple(wt, sock, WLANTEST_CTRL_FAILURE); + return; + } + + ret = wlantest_inject(wt, bss, sta, frame, frame_len, prot); + + if (ret) + wpa_printf(MSG_INFO, "Failed to inject frame"); + else + wpa_printf(MSG_INFO, "Frame injected successfully"); + ctrl_send_simple(wt, sock, ret == 0 ? WLANTEST_CTRL_SUCCESS : + WLANTEST_CTRL_FAILURE); +} + + static void ctrl_read(int sock, void *eloop_ctx, void *sock_ctx) { struct wlantest *wt = eloop_ctx; @@ -1036,6 +1117,9 @@ static void ctrl_read(int sock, void *eloop_ctx, void *sock_ctx) case WLANTEST_CTRL_INFO_BSS: ctrl_info_bss(wt, sock, buf + 4, len - 4); break; + case WLANTEST_CTRL_SEND: + ctrl_send_(wt, sock, buf + 4, len - 4); + break; default: ctrl_send_simple(wt, sock, WLANTEST_CTRL_UNKNOWN_CMD); break; diff --git a/wlantest/inject.c b/wlantest/inject.c index 23642a859..20ec34421 100644 --- a/wlantest/inject.c +++ b/wlantest/inject.c @@ -209,12 +209,37 @@ static int wlantest_inject_prot(struct wlantest *wt, struct wlantest_bss *bss, int tid = 0; u8 *qos = NULL; int hdrlen; + struct wlantest_tdls *tdls = NULL; + const u8 *tk = NULL; hdr = (struct ieee80211_hdr *) frame; hdrlen = 24; fc = le_to_host16(hdr->frame_control); - if (sta == NULL) { + if ((fc & (WLAN_FC_TODS | WLAN_FC_FROMDS)) == 0) { + struct wlantest_sta *sta2; + bss = bss_get(wt, hdr->addr3); + if (bss == NULL) + return -1; + sta = sta_find(bss, hdr->addr2); + sta2 = sta_find(bss, hdr->addr1); + if (sta == NULL || sta2 == NULL) + return -1; + dl_list_for_each(tdls, &bss->tdls, struct wlantest_tdls, list) + { + if ((tdls->init == sta && tdls->resp == sta2) || + (tdls->init == sta2 && tdls->resp == sta)) { + if (!tdls->link_up) + wpa_printf(MSG_DEBUG, "TDLS: Link not " + "up, but injecting Data " + "frame on direct link"); + tk = tdls->tpk.tk; + break; + } + } + } + + if (tk == NULL && sta == NULL) { if (WLAN_FC_GET_TYPE(fc) == WLAN_FC_TYPE_MGMT) return wlantest_inject_bip(wt, bss, frame, len, incorrect_key); @@ -222,7 +247,7 @@ static int wlantest_inject_prot(struct wlantest *wt, struct wlantest_bss *bss, incorrect_key); } - if (!sta->ptk_set) + if (tk == NULL && !sta->ptk_set) return -1; if (WLAN_FC_GET_TYPE(fc) == WLAN_FC_TYPE_MGMT) @@ -237,14 +262,23 @@ static int wlantest_inject_prot(struct wlantest *wt, struct wlantest_bss *bss, tid = qos[0] & 0x0f; } } - if (os_memcmp(hdr->addr2, bss->bssid, ETH_ALEN) == 0) + if (tk) { + if (os_memcmp(hdr->addr2, tdls->init->addr, ETH_ALEN) == 0) + pn = tdls->rsc_init[tid]; + else + pn = tdls->rsc_resp[tid]; + } else if (os_memcmp(hdr->addr2, bss->bssid, ETH_ALEN) == 0) pn = sta->rsc_fromds[tid]; else pn = sta->rsc_tods[tid]; inc_byte_array(pn, 6); os_memset(dummy, 0x11, sizeof(dummy)); - if (sta->pairwise_cipher == WPA_CIPHER_TKIP) + if (tk) + crypt = ccmp_encrypt(incorrect_key ? dummy : tk, + frame, len, hdrlen, qos, pn, 0, + &crypt_len); + else if (sta->pairwise_cipher == WPA_CIPHER_TKIP) crypt = tkip_encrypt(incorrect_key ? dummy : sta->ptk.tk1, frame, len, hdrlen, qos, pn, 0, &crypt_len); diff --git a/wlantest/wlantest_cli.c b/wlantest/wlantest_cli.c index b8aa0437a..81768a8bc 100644 --- a/wlantest/wlantest_cli.c +++ b/wlantest/wlantest_cli.c @@ -817,6 +817,127 @@ static char ** complete_inject(int s, const char *str, int pos) } +static u8 * add_hex(u8 *pos, u8 *end, const char *str) +{ + const char *s; + int val; + + s = str; + while (*s) { + while (*s == ' ' || *s == '\t' || *s == '\r' || *s == '\n' || + *s == ':') + s++; + if (*s == '\0') + break; + if (*s == '#') { + while (*s != '\0' && *s != '\r' && *s != '\n') + s++; + continue; + } + + val = hex2byte(s); + if (val < 0) { + printf("Invalid hex encoding '%s'\n", s); + return NULL; + } + if (pos == end) { + printf("Too long frame\n"); + return NULL; + } + *pos++ = val; + s += 2; + } + + return pos; +} + + +static int cmd_send(int s, int argc, char *argv[]) +{ + u8 resp[WLANTEST_CTRL_MAX_RESP_LEN]; + u8 buf[WLANTEST_CTRL_MAX_CMD_LEN], *end, *pos, *len_pos; + int rlen; + enum wlantest_inject_protection prot; + int arg; + + /* */ + + if (argc < 2) { + printf("send needs two arguments: protected/unprotected, " + "raw frame as hex dump\n"); + return -1; + } + + pos = buf; + end = buf + sizeof(buf); + WPA_PUT_BE32(pos, WLANTEST_CTRL_SEND); + pos += 4; + + if (os_strcasecmp(argv[0], "normal") == 0) + prot = WLANTEST_INJECT_NORMAL; + else if (os_strcasecmp(argv[0], "protected") == 0) + prot = WLANTEST_INJECT_PROTECTED; + else if (os_strcasecmp(argv[0], "unprotected") == 0) + prot = WLANTEST_INJECT_UNPROTECTED; + else if (os_strcasecmp(argv[0], "incorrect") == 0) + prot = WLANTEST_INJECT_INCORRECT_KEY; + else { + printf("Unknown protection type '%s'\n", argv[1]); + printf("Protection types: normal protected unprotected " + "incorrect\n"); + return -1; + } + pos = attr_add_be32(pos, end, WLANTEST_ATTR_INJECT_PROTECTION, prot); + + WPA_PUT_BE32(pos, WLANTEST_ATTR_FRAME); + pos += 4; + len_pos = pos; + pos += 4; + + for (arg = 1; pos && arg < argc; arg++) + pos = add_hex(pos, end, argv[arg]); + if (pos == NULL) + return -1; + + WPA_PUT_BE32(len_pos, pos - len_pos - 4); + + rlen = cmd_send_and_recv(s, buf, pos - buf, resp, sizeof(resp)); + if (rlen < 0) + return -1; + printf("OK\n"); + return 0; +} + + +static char ** complete_send(int s, const char *str, int pos) +{ + int arg = get_cmd_arg_num(str, pos); + char **res = NULL; + + switch (arg) { + case 1: + res = os_zalloc(5 * sizeof(char *)); + if (res == NULL) + break; + res[0] = os_strdup("normal"); + if (res[0] == NULL) + break; + res[1] = os_strdup("protected"); + if (res[1] == NULL) + break; + res[2] = os_strdup("unprotected"); + if (res[2] == NULL) + break; + res[3] = os_strdup("incorrect"); + if (res[3] == NULL) + break; + break; + } + + return res; +} + + static int cmd_version(int s, int argc, char *argv[]) { u8 resp[WLANTEST_CTRL_MAX_RESP_LEN]; @@ -1121,6 +1242,9 @@ static const struct wlantest_cli_cmd wlantest_cli_commands[] = { { "inject", cmd_inject, " ", complete_inject }, + { "send", cmd_send, + " ", + complete_send }, { "version", cmd_version, "= get wlantest version", NULL }, { "add_passphrase", cmd_add_passphrase, " = add a known passphrase", NULL }, diff --git a/wlantest/wlantest_ctrl.h b/wlantest/wlantest_ctrl.h index 911ffaf13..cd13c1c73 100644 --- a/wlantest/wlantest_ctrl.h +++ b/wlantest/wlantest_ctrl.h @@ -38,6 +38,7 @@ enum wlantest_ctrl_cmd { WLANTEST_CTRL_ADD_PASSPHRASE, WLANTEST_CTRL_INFO_STA, WLANTEST_CTRL_INFO_BSS, + WLANTEST_CTRL_SEND, }; enum wlantest_ctrl_attr { @@ -54,6 +55,7 @@ enum wlantest_ctrl_attr { WLANTEST_ATTR_STA_INFO, WLANTEST_ATTR_BSS_INFO, WLANTEST_ATTR_INFO, + WLANTEST_ATTR_FRAME, }; enum wlantest_bss_counter {