On Thu, 2011-02-03 at 18:35 +0200, Jouni Malinen wrote: > TKIP countermeasures depend on devices being able to detect Michael > MIC failures on received frames and for stations to report errors to > the AP. In order to test that behavior, it is useful to be able to > send out TKIP frames with incorrect Michael MIC. This testing behavior > has minimal effect on the TX path, so it can be added to mac80211 for > convenient use. > > The interface for using this functionality is a file in mac80211 > netdev debugfs (tkip_mic_test). Writing a MAC address to the file > makes mac80211 generate a dummy data frame that will be sent out using > invalid Michael MIC value. In AP mode, the address needs to be for one > of the associated stations or ff:ff:ff:ff:ff:ff to use a broadcast > frame. In station mode, the address can be anything, e.g., the current > BSSID. It should be noted that this functionality works correctly only > when associated and using TKIP. > > Signed-off-by: Jouni Malinen <jouni.malinen@xxxxxxxxxxx> Acked-by: Johannes Berg <johannes@xxxxxxxxxxxxxxxx> > --- > include/net/mac80211.h | 4 + > net/mac80211/debugfs_netdev.c | 102 +++++++++++++++++++++++++++++++++++++++++- > net/mac80211/wpa.c | 7 ++ > 3 files changed, 112 insertions(+), 1 deletion(-) > > --- wireless-testing.orig/include/net/mac80211.h 2011-02-03 17:55:31.000000000 +0200 > +++ wireless-testing/include/net/mac80211.h 2011-02-03 17:56:14.000000000 +0200 > @@ -341,6 +341,9 @@ struct ieee80211_bss_conf { > * the off-channel channel when a remain-on-channel offload is done > * in hardware -- normal packets still flow and are expected to be > * handled properly by the device. > + * @IEEE80211_TX_INTFL_TKIP_MIC_FAILURE: Marks this packet to be used for TKIP > + * testing. It will be sent out with incorrect Michael MIC key to allow > + * TKIP countermeasures to be tested. > * > * Note: If you have to add new flags to the enumeration, then don't > * forget to update %IEEE80211_TX_TEMPORARY_FLAGS when necessary. > @@ -370,6 +373,7 @@ enum mac80211_tx_control_flags { > IEEE80211_TX_CTL_LDPC = BIT(22), > IEEE80211_TX_CTL_STBC = BIT(23) | BIT(24), > IEEE80211_TX_CTL_TX_OFFCHAN = BIT(25), > + IEEE80211_TX_INTFL_TKIP_MIC_FAILURE = BIT(26), > }; > > #define IEEE80211_TX_CTL_STBC_SHIFT 23 > --- wireless-testing.orig/net/mac80211/wpa.c 2011-02-03 17:55:31.000000000 +0200 > +++ wireless-testing/net/mac80211/wpa.c 2011-02-03 17:56:14.000000000 +0200 > @@ -46,6 +46,11 @@ ieee80211_tx_h_michael_mic_add(struct ie > data = skb->data + hdrlen; > data_len = skb->len - hdrlen; > > + if (unlikely(info->flags & IEEE80211_TX_INTFL_TKIP_MIC_FAILURE)) { > + /* Need to use software crypto for the test */ > + info->control.hw_key = NULL; > + } > + > if (info->control.hw_key && > !(tx->flags & IEEE80211_TX_FRAGMENTED) && > !(tx->key->conf.flags & IEEE80211_KEY_FLAG_GENERATE_MMIC)) { > @@ -64,6 +69,8 @@ ieee80211_tx_h_michael_mic_add(struct ie > key = &tx->key->conf.key[NL80211_TKIP_DATA_OFFSET_TX_MIC_KEY]; > mic = skb_put(skb, MICHAEL_MIC_LEN); > michael_mic(key, hdr, data, data_len, mic); > + if (unlikely(info->flags & IEEE80211_TX_INTFL_TKIP_MIC_FAILURE)) > + mic[0]++; > > return TX_CONTINUE; > } > --- wireless-testing.orig/net/mac80211/debugfs_netdev.c 2011-02-03 17:55:31.000000000 +0200 > +++ wireless-testing/net/mac80211/debugfs_netdev.c 2011-02-03 17:56:14.000000000 +0200 > @@ -36,7 +36,7 @@ static ssize_t ieee80211_if_read( > ret = (*format)(sdata, buf, sizeof(buf)); > read_unlock(&dev_base_lock); > > - if (ret != -EINVAL) > + if (ret >= 0) > ret = simple_read_from_buffer(userbuf, count, ppos, buf, ret); > > return ret; > @@ -220,6 +220,104 @@ static ssize_t ieee80211_if_parse_smps(s > > __IEEE80211_IF_FILE_W(smps); > > +static ssize_t ieee80211_if_fmt_tkip_mic_test( > + const struct ieee80211_sub_if_data *sdata, char *buf, int buflen) > +{ > + return -EOPNOTSUPP; > +} > + > +static int hwaddr_aton(const char *txt, u8 *addr) > +{ > + int i; > + > + for (i = 0; i < ETH_ALEN; i++) { > + int a, b; > + > + a = hex_to_bin(*txt++); > + if (a < 0) > + return -1; > + b = hex_to_bin(*txt++); > + if (b < 0) > + return -1; > + *addr++ = (a << 4) | b; > + if (i < 5 && *txt++ != ':') > + return -1; > + } > + > + return 0; > +} > + > +static ssize_t ieee80211_if_parse_tkip_mic_test( > + struct ieee80211_sub_if_data *sdata, const char *buf, int buflen) > +{ > + struct ieee80211_local *local = sdata->local; > + u8 addr[ETH_ALEN]; > + struct sk_buff *skb; > + struct ieee80211_hdr *hdr; > + __le16 fc; > + > + /* > + * Assume colon-delimited MAC address with possible white space > + * following. > + */ > + if (buflen < 3 * ETH_ALEN - 1) > + return -EINVAL; > + if (hwaddr_aton(buf, addr) < 0) > + return -EINVAL; > + > + if (!ieee80211_sdata_running(sdata)) > + return -ENOTCONN; > + > + skb = dev_alloc_skb(local->hw.extra_tx_headroom + 24 + 100); > + if (!skb) > + return -ENOMEM; > + skb_reserve(skb, local->hw.extra_tx_headroom); > + > + hdr = (struct ieee80211_hdr *) skb_put(skb, 24); > + memset(hdr, 0, 24); > + fc = cpu_to_le16(IEEE80211_FTYPE_DATA | IEEE80211_STYPE_DATA); > + > + switch (sdata->vif.type) { > + case NL80211_IFTYPE_AP: > + fc |= cpu_to_le16(IEEE80211_FCTL_FROMDS); > + /* DA BSSID SA */ > + memcpy(hdr->addr1, addr, ETH_ALEN); > + memcpy(hdr->addr2, sdata->vif.addr, ETH_ALEN); > + memcpy(hdr->addr3, sdata->vif.addr, ETH_ALEN); > + break; > + case NL80211_IFTYPE_STATION: > + fc |= cpu_to_le16(IEEE80211_FCTL_TODS); > + /* BSSID SA DA */ > + if (sdata->vif.bss_conf.bssid == NULL) { > + dev_kfree_skb(skb); > + return -ENOTCONN; > + } > + memcpy(hdr->addr1, sdata->vif.bss_conf.bssid, ETH_ALEN); > + memcpy(hdr->addr2, sdata->vif.addr, ETH_ALEN); > + memcpy(hdr->addr3, addr, ETH_ALEN); > + break; > + default: > + dev_kfree_skb(skb); > + return -EOPNOTSUPP; > + } > + hdr->frame_control = fc; > + > + /* > + * Add some length to the test frame to make it look bit more valid. > + * The exact contents does not matter since the recipient is required > + * to drop this because of the Michael MIC failure. > + */ > + memset(skb_put(skb, 50), 0, 50); > + > + IEEE80211_SKB_CB(skb)->flags |= IEEE80211_TX_INTFL_TKIP_MIC_FAILURE; > + > + ieee80211_tx_skb(sdata, skb); > + > + return buflen; > +} > + > +__IEEE80211_IF_FILE_W(tkip_mic_test); > + > /* AP attributes */ > IEEE80211_IF_FILE(num_sta_ps, u.ap.num_sta_ps, ATOMIC); > IEEE80211_IF_FILE(dtim_count, u.ap.dtim_count, DEC); > @@ -297,6 +395,7 @@ static void add_sta_files(struct ieee802 > DEBUGFS_ADD(last_beacon); > DEBUGFS_ADD(ave_beacon); > DEBUGFS_ADD_MODE(smps, 0600); > + DEBUGFS_ADD_MODE(tkip_mic_test, 0200); > } > > static void add_ap_files(struct ieee80211_sub_if_data *sdata) > @@ -310,6 +409,7 @@ static void add_ap_files(struct ieee8021 > DEBUGFS_ADD(num_sta_ps); > DEBUGFS_ADD(dtim_count); > DEBUGFS_ADD(num_buffered_multicast); > + DEBUGFS_ADD_MODE(tkip_mic_test, 0200); > } > > static void add_wds_files(struct ieee80211_sub_if_data *sdata) > -- To unsubscribe from this list: send the line "unsubscribe linux-wireless" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html