wlantest: Add send command for injecting raw frames

This can be used by external programs (e.g., wlantest_cli) to inject raw frames (hex dump of the frame header and body). The data can be requested to be sent as-is or protected with the current key.
2010-12-16 16:11:54 +02:00 · 2010-12-16 16:11:54 +02:00 · b3a6d9d400
commit b3a6d9d400
parent b993e77b5b
6 changed files with 250 additions and 5 deletions
--- a/src/utils/common.c
+++ b/src/utils/common.c
@ -29,7 +29,7 @@ static int hex2num(char c)
 }


-static int hex2byte(const char *hex)
+int hex2byte(const char *hex)
 {
 	int a, b;
 	a = hex2num(*hex++);
--- a/src/utils/common.h
+++ b/src/utils/common.h
@ -437,6 +437,7 @@ typedef u64 __bitwise le64;

 int hwaddr_aton(const char *txt, u8 *addr);
 int hwaddr_aton2(const char *txt, u8 *addr);
+int hex2byte(const char *hex);
 int hexstr2bin(const char *hex, u8 *buf, size_t len);
 void inc_byte_array(u8 *counter, size_t len);
 void wpa_get_ntp_timestamp(u8 *buf);
--- a/wlantest/ctrl.c
+++ b/wlantest/ctrl.c
@ -962,6 +962,87 @@ static void ctrl_info_bss(struct wlantest *wt, int sock, u8 *cmd, size_t clen)
 }


+static void ctrl_send_(struct wlantest *wt, int sock, u8 *cmd, size_t clen)
+{
+	struct wlantest_bss *bss;
+	struct wlantest_sta *sta;
+	u8 *bssid, *sta_addr;
+	int prot;
+	u8 *frame;
+	size_t frame_len;
+	int ret = 0;
+	struct ieee80211_hdr *hdr;
+	u16 fc;
+
+	frame = attr_get(cmd, clen, WLANTEST_ATTR_FRAME, &frame_len);
+	prot = attr_get_int(cmd, clen, WLANTEST_ATTR_INJECT_PROTECTION);
+	if (frame == NULL || frame_len < 24 || prot < 0) {
+		wpa_printf(MSG_INFO, "Invalid send command parameters");
+		ctrl_send_simple(wt, sock, WLANTEST_CTRL_INVALID_CMD);
+		return;
+	}
+
+	hdr = (struct ieee80211_hdr *) frame;
+	fc = le_to_host16(hdr->frame_control);
+	switch (WLAN_FC_GET_TYPE(fc)) {
+	case WLAN_FC_TYPE_MGMT:
+		bssid = hdr->addr3;
+		if (os_memcmp(hdr->addr2, hdr->addr3, ETH_ALEN) == 0)
+			sta_addr = hdr->addr1;
+		else
+			sta_addr = hdr->addr2;
+		break;
+	case WLAN_FC_TYPE_DATA:
+		switch (fc & (WLAN_FC_TODS | WLAN_FC_FROMDS)) {
+		case 0:
+			bssid = hdr->addr3;
+			sta_addr = hdr->addr2;
+			break;
+		case WLAN_FC_TODS:
+			bssid = hdr->addr1;
+			sta_addr = hdr->addr2;
+			break;
+		case WLAN_FC_FROMDS:
+			bssid = hdr->addr2;
+			sta_addr = hdr->addr1;
+			break;
+		default:
+			wpa_printf(MSG_INFO, "Unsupported inject frame");
+			ctrl_send_simple(wt, sock, WLANTEST_CTRL_FAILURE);
+			return;
+		}
+		break;
+	default:
+		wpa_printf(MSG_INFO, "Unsupported inject frame");
+		ctrl_send_simple(wt, sock, WLANTEST_CTRL_FAILURE);
+		return;
+	}
+
+	bss = bss_find(wt, bssid);
+	if (bss == NULL) {
+		wpa_printf(MSG_INFO, "Unknown BSSID");
+		ctrl_send_simple(wt, sock, WLANTEST_CTRL_FAILURE);
+		return;
+	}
+
+	sta = sta_find(bss, sta_addr);
+	if (sta == NULL) {
+		wpa_printf(MSG_INFO, "Unknown STA address");
+		ctrl_send_simple(wt, sock, WLANTEST_CTRL_FAILURE);
+		return;
+	}
+
+	ret = wlantest_inject(wt, bss, sta, frame, frame_len, prot);
+
+	if (ret)
+		wpa_printf(MSG_INFO, "Failed to inject frame");
+	else
+		wpa_printf(MSG_INFO, "Frame injected successfully");
+	ctrl_send_simple(wt, sock, ret == 0 ? WLANTEST_CTRL_SUCCESS :
+			 WLANTEST_CTRL_FAILURE);
+}
+
+
 static void ctrl_read(int sock, void *eloop_ctx, void *sock_ctx)
 {
 	struct wlantest *wt = eloop_ctx;
@ -1036,6 +1117,9 @@ static void ctrl_read(int sock, void *eloop_ctx, void *sock_ctx)
 	case WLANTEST_CTRL_INFO_BSS:
 		ctrl_info_bss(wt, sock, buf + 4, len - 4);
 		break;
+	case WLANTEST_CTRL_SEND:
+		ctrl_send_(wt, sock, buf + 4, len - 4);
+		break;
 	default:
 		ctrl_send_simple(wt, sock, WLANTEST_CTRL_UNKNOWN_CMD);
 		break;
--- a/wlantest/inject.c
+++ b/wlantest/inject.c
@ -209,12 +209,37 @@ static int wlantest_inject_prot(struct wlantest *wt, struct wlantest_bss *bss,
 	int tid = 0;
 	u8 *qos = NULL;
 	int hdrlen;
+	struct wlantest_tdls *tdls = NULL;
+	const u8 *tk = NULL;

 	hdr = (struct ieee80211_hdr *) frame;
 	hdrlen = 24;
 	fc = le_to_host16(hdr->frame_control);

-	if (sta == NULL) {
+	if ((fc & (WLAN_FC_TODS | WLAN_FC_FROMDS)) == 0) {
+		struct wlantest_sta *sta2;
+		bss = bss_get(wt, hdr->addr3);
+		if (bss == NULL)
+			return -1;
+		sta = sta_find(bss, hdr->addr2);
+		sta2 = sta_find(bss, hdr->addr1);
+		if (sta == NULL || sta2 == NULL)
+			return -1;
+		dl_list_for_each(tdls, &bss->tdls, struct wlantest_tdls, list)
+		{
+			if ((tdls->init == sta && tdls->resp == sta2) ||
+			    (tdls->init == sta2 && tdls->resp == sta)) {
+				if (!tdls->link_up)
+					wpa_printf(MSG_DEBUG, "TDLS: Link not "
+						   "up, but injecting Data "
+						   "frame on direct link");
+				tk = tdls->tpk.tk;
+				break;
+			}
+		}
+	}
+
+	if (tk == NULL && sta == NULL) {
 		if (WLAN_FC_GET_TYPE(fc) == WLAN_FC_TYPE_MGMT)
 			return wlantest_inject_bip(wt, bss, frame, len,
 						   incorrect_key);
@ -222,7 +247,7 @@ static int wlantest_inject_prot(struct wlantest *wt, struct wlantest_bss *bss,
 					       incorrect_key);
 	}

-	if (!sta->ptk_set)
+	if (tk == NULL && !sta->ptk_set)
 		return -1;

 	if (WLAN_FC_GET_TYPE(fc) == WLAN_FC_TYPE_MGMT)
@ -237,14 +262,23 @@ static int wlantest_inject_prot(struct wlantest *wt, struct wlantest_bss *bss,
 			tid = qos[0] & 0x0f;
 		}
 	}
-	if (os_memcmp(hdr->addr2, bss->bssid, ETH_ALEN) == 0)
+	if (tk) {
+		if (os_memcmp(hdr->addr2, tdls->init->addr, ETH_ALEN) == 0)
+			pn = tdls->rsc_init[tid];
+		else
+			pn = tdls->rsc_resp[tid];
+	} else if (os_memcmp(hdr->addr2, bss->bssid, ETH_ALEN) == 0)
 		pn = sta->rsc_fromds[tid];
 	else
 		pn = sta->rsc_tods[tid];
 	inc_byte_array(pn, 6);

 	os_memset(dummy, 0x11, sizeof(dummy));
-	if (sta->pairwise_cipher == WPA_CIPHER_TKIP)
+	if (tk) 
+		crypt = ccmp_encrypt(incorrect_key ? dummy : tk,
+				     frame, len, hdrlen, qos, pn, 0,
+				     &crypt_len);
+	else if (sta->pairwise_cipher == WPA_CIPHER_TKIP)
 		crypt = tkip_encrypt(incorrect_key ? dummy : sta->ptk.tk1,
 				     frame, len, hdrlen, qos, pn, 0,
 				     &crypt_len);
--- a/wlantest/wlantest_cli.c
+++ b/wlantest/wlantest_cli.c
@ -817,6 +817,127 @@ static char ** complete_inject(int s, const char *str, int pos)
 }


+static u8 * add_hex(u8 *pos, u8 *end, const char *str)
+{
+	const char *s;
+	int val;
+
+	s = str;
+	while (*s) {
+		while (*s == ' ' || *s == '\t' || *s == '\r' || *s == '\n' ||
+		       *s == ':')
+			s++;
+		if (*s == '\0')
+			break;
+		if (*s == '#') {
+			while (*s != '\0' && *s != '\r' && *s != '\n')
+				s++;
+			continue;
+		}
+
+		val = hex2byte(s);
+		if (val < 0) {
+			printf("Invalid hex encoding '%s'\n", s);
+			return NULL;
+		}
+		if (pos == end) {
+			printf("Too long frame\n");
+			return NULL;
+		}
+		*pos++ = val;
+		s += 2;
+	}
+
+	return pos;
+}
+
+
+static int cmd_send(int s, int argc, char *argv[])
+{
+	u8 resp[WLANTEST_CTRL_MAX_RESP_LEN];
+	u8 buf[WLANTEST_CTRL_MAX_CMD_LEN], *end, *pos, *len_pos;
+	int rlen;
+	enum wlantest_inject_protection prot;
+	int arg;
+
+	/* <prot> <raw frame as hex dump> */
+
+	if (argc < 2) {
+		printf("send needs two arguments: protected/unprotected, "
+		       "raw frame as hex dump\n");
+		return -1;
+	}
+
+	pos = buf;
+	end = buf + sizeof(buf);
+	WPA_PUT_BE32(pos, WLANTEST_CTRL_SEND);
+	pos += 4;
+
+	if (os_strcasecmp(argv[0], "normal") == 0)
+		prot = WLANTEST_INJECT_NORMAL;
+	else if (os_strcasecmp(argv[0], "protected") == 0)
+		prot = WLANTEST_INJECT_PROTECTED;
+	else if (os_strcasecmp(argv[0], "unprotected") == 0)
+		prot = WLANTEST_INJECT_UNPROTECTED;
+	else if (os_strcasecmp(argv[0], "incorrect") == 0)
+		prot = WLANTEST_INJECT_INCORRECT_KEY;
+	else {
+		printf("Unknown protection type '%s'\n", argv[1]);
+		printf("Protection types: normal protected unprotected "
+		       "incorrect\n");
+		return -1;
+	}
+	pos = attr_add_be32(pos, end, WLANTEST_ATTR_INJECT_PROTECTION, prot);
+
+	WPA_PUT_BE32(pos, WLANTEST_ATTR_FRAME);
+	pos += 4;
+	len_pos = pos;
+	pos += 4;
+
+	for (arg = 1; pos && arg < argc; arg++)
+		pos = add_hex(pos, end, argv[arg]);
+	if (pos == NULL)
+		return -1;
+
+	WPA_PUT_BE32(len_pos, pos - len_pos - 4);
+
+	rlen = cmd_send_and_recv(s, buf, pos - buf, resp, sizeof(resp));
+	if (rlen < 0)
+		return -1;
+	printf("OK\n");
+	return 0;
+}
+
+
+static char ** complete_send(int s, const char *str, int pos)
+{
+	int arg = get_cmd_arg_num(str, pos);
+	char **res = NULL;
+
+	switch (arg) {
+	case 1:
+		res = os_zalloc(5 * sizeof(char *));
+		if (res == NULL)
+			break;
+		res[0] = os_strdup("normal");
+		if (res[0] == NULL)
+			break;
+		res[1] = os_strdup("protected");
+		if (res[1] == NULL)
+			break;
+		res[2] = os_strdup("unprotected");
+		if (res[2] == NULL)
+			break;
+		res[3] = os_strdup("incorrect");
+		if (res[3] == NULL)
+			break;
+		break;
+	}
+
+	return res;
+}
+
+
 static int cmd_version(int s, int argc, char *argv[])
 {
 	u8 resp[WLANTEST_CTRL_MAX_RESP_LEN];
@ -1121,6 +1242,9 @@ static const struct wlantest_cli_cmd wlantest_cli_commands[] = {
 	{ "inject", cmd_inject,
 	  "<frame> <prot> <sender> <BSSID> <STA/ff:ff:ff:ff:ff:ff>",
 	  complete_inject },
+	{ "send", cmd_send,
+	  "<prot> <raw frame as hex dump>",
+	  complete_send },
 	{ "version", cmd_version, "= get wlantest version", NULL },
 	{ "add_passphrase", cmd_add_passphrase,
 	  "<passphrase> = add a known passphrase", NULL },
--- a/wlantest/wlantest_ctrl.h
+++ b/wlantest/wlantest_ctrl.h
@ -38,6 +38,7 @@ enum wlantest_ctrl_cmd {
 	WLANTEST_CTRL_ADD_PASSPHRASE,
 	WLANTEST_CTRL_INFO_STA,
 	WLANTEST_CTRL_INFO_BSS,
+	WLANTEST_CTRL_SEND,
 };

 enum wlantest_ctrl_attr {
@ -54,6 +55,7 @@ enum wlantest_ctrl_attr {
 	WLANTEST_ATTR_STA_INFO,
 	WLANTEST_ATTR_BSS_INFO,
 	WLANTEST_ATTR_INFO,
+	WLANTEST_ATTR_FRAME,
 };

 enum wlantest_bss_counter {