2 * wlantest frame injection
3 * Copyright (c) 2010, Jouni Malinen <j@w1.fi>
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License version 2 as
7 * published by the Free Software Foundation.
9 * Alternatively, this software may be distributed under the terms of BSD
12 * See README and COPYING for more details.
15 #include "utils/includes.h"
17 #include "utils/common.h"
18 #include "common/defs.h"
19 #include "common/ieee802_11_defs.h"
20 #include "crypto/aes_wrap.h"
24 static int inject_frame(int s, const void *data, size_t len)
26 #define IEEE80211_RADIOTAP_F_FRAG 0x08
27 unsigned char rtap_hdr[] = {
28 0x00, 0x00, /* radiotap version */
29 0x0e, 0x00, /* radiotap length */
30 0x02, 0xc0, 0x00, 0x00, /* bmap: flags, tx and rx flags */
31 IEEE80211_RADIOTAP_F_FRAG, /* F_FRAG (fragment if required) */
33 0x00, 0x00, /* RX and TX flags to indicate that */
34 0x00, 0x00, /* this is the injected frame directly */
36 struct iovec iov[2] = {
38 .iov_base = &rtap_hdr,
39 .iov_len = sizeof(rtap_hdr),
42 .iov_base = (void *) data,
57 ret = sendmsg(s, &msg, 0);
64 static int is_robust_mgmt(u8 *frame, size_t len)
66 struct ieee80211_mgmt *mgmt;
70 mgmt = (struct ieee80211_mgmt *) frame;
71 fc = le_to_host16(mgmt->frame_control);
72 if (WLAN_FC_GET_TYPE(fc) != WLAN_FC_TYPE_MGMT)
74 stype = WLAN_FC_GET_STYPE(fc);
75 if (stype == WLAN_FC_STYPE_DEAUTH || stype == WLAN_FC_STYPE_DISASSOC)
77 if (stype == WLAN_FC_STYPE_ACTION) {
80 if (mgmt->u.action.category != WLAN_ACTION_PUBLIC)
87 static int wlantest_inject_bip(struct wlantest *wt, struct wlantest_bss *bss,
88 u8 *frame, size_t len, int incorrect_key)
95 struct ieee80211_hdr *hdr;
98 if (!bss->igtk_set[bss->igtk_idx])
102 prot = os_malloc(plen);
105 os_memcpy(prot, frame, len);
107 *pos++ = WLAN_EID_MMIE;
109 WPA_PUT_LE16(pos, bss->igtk_idx);
111 inc_byte_array(bss->ipn[bss->igtk_idx], 6);
112 os_memcpy(pos, bss->ipn[bss->igtk_idx], 6);
114 os_memset(pos, 0, 8); /* MIC */
116 buf = os_malloc(plen + 20 - 24);
122 /* BIP AAD: FC(masked) A1 A2 A3 */
123 hdr = (struct ieee80211_hdr *) frame;
124 fc = le_to_host16(hdr->frame_control);
125 fc &= ~(WLAN_FC_RETRY | WLAN_FC_PWRMGT | WLAN_FC_MOREDATA);
126 WPA_PUT_LE16(buf, fc);
127 os_memcpy(buf + 2, hdr->addr1, 3 * ETH_ALEN);
128 os_memcpy(buf + 20, prot + 24, plen - 24);
129 wpa_hexdump(MSG_MSGDUMP, "BIP: AAD|Body(masked)", buf, plen + 20 - 24);
130 /* MIC = L(AES-128-CMAC(AAD || Frame Body(masked)), 0, 64) */
131 os_memset(dummy, 0x11, sizeof(dummy));
132 if (omac1_aes_128(incorrect_key ? dummy : bss->igtk[bss->igtk_idx],
133 buf, plen + 20 - 24, mic) < 0) {
140 os_memcpy(pos, mic, 8);
141 wpa_hexdump(MSG_DEBUG, "BIP MMIE MIC", pos, 8);
143 ret = inject_frame(wt->monitor_sock, prot, plen);
146 return (ret < 0) ? -1 : 0;
150 static int wlantest_inject_prot_bc(struct wlantest *wt,
151 struct wlantest_bss *bss,
152 u8 *frame, size_t len, int incorrect_key)
159 struct ieee80211_hdr *hdr;
163 hdr = (struct ieee80211_hdr *) frame;
165 fc = le_to_host16(hdr->frame_control);
167 if (!bss->gtk_len[bss->gtk_idx])
170 if ((fc & (WLAN_FC_TODS | WLAN_FC_FROMDS)) ==
171 (WLAN_FC_TODS | WLAN_FC_FROMDS))
173 pn = bss->rsc[bss->gtk_idx];
174 inc_byte_array(pn, 6);
176 os_memset(dummy, 0x11, sizeof(dummy));
177 if (bss->group_cipher == WPA_CIPHER_TKIP)
178 crypt = tkip_encrypt(incorrect_key ? dummy :
179 bss->gtk[bss->gtk_idx],
180 frame, len, hdrlen, NULL, pn,
181 bss->gtk_idx, &crypt_len);
183 crypt = ccmp_encrypt(incorrect_key ? dummy :
184 bss->gtk[bss->gtk_idx],
185 frame, len, hdrlen, NULL, pn,
186 bss->gtk_idx, &crypt_len);
191 ret = inject_frame(wt->monitor_sock, crypt, crypt_len);
194 return (ret < 0) ? -1 : 0;
198 static int wlantest_inject_prot(struct wlantest *wt, struct wlantest_bss *bss,
199 struct wlantest_sta *sta, u8 *frame,
200 size_t len, int incorrect_key)
207 struct ieee80211_hdr *hdr;
212 struct wlantest_tdls *tdls = NULL;
215 hdr = (struct ieee80211_hdr *) frame;
217 fc = le_to_host16(hdr->frame_control);
219 if (WLAN_FC_GET_TYPE(fc) == WLAN_FC_TYPE_DATA &&
220 (fc & (WLAN_FC_TODS | WLAN_FC_FROMDS)) == 0) {
221 struct wlantest_sta *sta2;
222 bss = bss_get(wt, hdr->addr3);
224 wpa_printf(MSG_DEBUG, "No BSS found for TDLS "
228 sta = sta_find(bss, hdr->addr2);
229 sta2 = sta_find(bss, hdr->addr1);
230 if (sta == NULL || sta2 == NULL) {
231 wpa_printf(MSG_DEBUG, "No stations found for TDLS "
235 dl_list_for_each(tdls, &bss->tdls, struct wlantest_tdls, list)
237 if ((tdls->init == sta && tdls->resp == sta2) ||
238 (tdls->init == sta2 && tdls->resp == sta)) {
240 wpa_printf(MSG_DEBUG, "TDLS: Link not "
241 "up, but injecting Data "
242 "frame on direct link");
249 if (tk == NULL && sta == NULL) {
250 if (WLAN_FC_GET_TYPE(fc) == WLAN_FC_TYPE_MGMT)
251 return wlantest_inject_bip(wt, bss, frame, len,
253 return wlantest_inject_prot_bc(wt, bss, frame, len,
257 if (tk == NULL && !sta->ptk_set) {
258 wpa_printf(MSG_DEBUG, "No key known for injection");
262 if (WLAN_FC_GET_TYPE(fc) == WLAN_FC_TYPE_MGMT)
264 else if (WLAN_FC_GET_TYPE(fc) == WLAN_FC_TYPE_DATA) {
265 if ((fc & (WLAN_FC_TODS | WLAN_FC_FROMDS)) ==
266 (WLAN_FC_TODS | WLAN_FC_FROMDS))
268 if (WLAN_FC_GET_STYPE(fc) & 0x08) {
269 qos = frame + hdrlen;
275 if (os_memcmp(hdr->addr2, tdls->init->addr, ETH_ALEN) == 0)
276 pn = tdls->rsc_init[tid];
278 pn = tdls->rsc_resp[tid];
279 } else if (os_memcmp(hdr->addr2, bss->bssid, ETH_ALEN) == 0)
280 pn = sta->rsc_fromds[tid];
282 pn = sta->rsc_tods[tid];
283 inc_byte_array(pn, 6);
285 os_memset(dummy, 0x11, sizeof(dummy));
287 crypt = ccmp_encrypt(incorrect_key ? dummy : tk,
288 frame, len, hdrlen, qos, pn, 0,
290 else if (sta->pairwise_cipher == WPA_CIPHER_TKIP)
291 crypt = tkip_encrypt(incorrect_key ? dummy : sta->ptk.tk1,
292 frame, len, hdrlen, qos, pn, 0,
295 crypt = ccmp_encrypt(incorrect_key ? dummy : sta->ptk.tk1,
296 frame, len, hdrlen, qos, pn, 0,
300 wpa_printf(MSG_DEBUG, "Frame encryption failed");
304 wpa_hexdump(MSG_DEBUG, "Inject frame (encrypted)", crypt, crypt_len);
305 ret = inject_frame(wt->monitor_sock, crypt, crypt_len);
307 wpa_printf(MSG_DEBUG, "inject_frame for protected frame: %d", ret);
309 return (ret < 0) ? -1 : 0;
313 int wlantest_inject(struct wlantest *wt, struct wlantest_bss *bss,
314 struct wlantest_sta *sta, u8 *frame, size_t len,
315 enum wlantest_inject_protection prot)
318 struct ieee80211_hdr *hdr;
320 int protectable, protect = 0;
322 wpa_hexdump(MSG_DEBUG, "Inject frame", frame, len);
323 if (wt->monitor_sock < 0) {
324 wpa_printf(MSG_INFO, "Cannot inject frames when monitor "
325 "interface is not in use");
329 hdr = (struct ieee80211_hdr *) frame;
330 fc = le_to_host16(hdr->frame_control);
331 protectable = WLAN_FC_GET_TYPE(fc) == WLAN_FC_TYPE_DATA ||
332 is_robust_mgmt(frame, len);
334 if (prot == WLANTEST_INJECT_PROTECTED ||
335 prot == WLANTEST_INJECT_INCORRECT_KEY) {
337 ((WLAN_FC_GET_TYPE(fc) == WLAN_FC_TYPE_MGMT &&
338 !bss->igtk_set[bss->igtk_idx]) ||
339 (WLAN_FC_GET_TYPE(fc) == WLAN_FC_TYPE_DATA &&
340 !bss->gtk_len[bss->gtk_idx]))) {
341 wpa_printf(MSG_INFO, "No GTK/IGTK known for "
342 MACSTR " to protect the injected "
343 "frame", MAC2STR(bss->bssid));
346 if (sta && !sta->ptk_set) {
347 wpa_printf(MSG_INFO, "No PTK known for the STA " MACSTR
348 " to encrypt the injected frame",
353 } else if (protectable && prot != WLANTEST_INJECT_UNPROTECTED) {
354 if (sta && sta->ptk_set)
357 if (WLAN_FC_GET_TYPE(fc) == WLAN_FC_TYPE_DATA &&
358 bss->gtk_len[bss->gtk_idx])
360 if (WLAN_FC_GET_TYPE(fc) == WLAN_FC_TYPE_MGMT &&
361 bss->igtk_set[bss->igtk_idx])
367 return wlantest_inject_prot(
368 wt, bss, sta, frame, len,
369 prot == WLANTEST_INJECT_INCORRECT_KEY);
371 ret = inject_frame(wt->monitor_sock, frame, len);
372 wpa_printf(MSG_DEBUG, "inject_frame for unprotected frame: %d", ret);
373 return (ret < 0) ? -1 : 0;