From 6f8d45f37e40e9fb03f3a0823859b200f03af415 Mon Sep 17 00:00:00 2001
From: Mathy Vanhoef
Date: Thu, 21 Jan 2021 01:49:12 +0400
Subject: [PATCH] fragattack: improved scapy fix and driver/hostap version check
---
 research/README.md | 36 +++++++++++++++++-------------------
 research/fraginternals.py | 12 ++++++++++--
 research/pysetup.sh | 14 ++++++++++++++
 research/requirements.txt | 2 +-
 4 files changed, 42 insertions(+), 22 deletions(-)
 create mode 100755 research/pysetup.sh
diff --git a/research/README.md b/research/README.md
index b317fd065..5d3fe1471 100644
--- a/research/README.md
+++ b/research/README.md
@@ -50,8 +50,11 @@ the paper also briefly discusses the applicability of the attacks against WEP.
 - Fixed injection of fragmented frames when using ath9k_htc dongles in combination with 802.11n.
-- The python `requirements.txt` file now references a patched scapy version to address an
- [incompatibility](https://github.com/secdev/scapy/commit/46fa40fde4049ad7770481f8806c59640df24059) with Python 3.9.
+- The `pysetup.sh` script has been added to create the python virtual environment. This script also fixes
+ [a bug](https://github.com/secdev/scapy/commit/46fa40fde4049ad7770481f8806c59640df24059) in the scapy library
+ when used with Python 3.9.
+
+- The patched drivers have been updated to properly compile on Linux 5.9.0.
 - Fixed the `ping-frag-sep` test. Previously it behaved like `ping-frag-sep --pn-per-qos`. Note that this test is not used to detect vulnerabilities but only to better understand implementations.
@@ -99,25 +102,23 @@ sequence or fragment number of injected frames, or may reorder frames of differe
 interferes with the test tool (i.e. the tool might say a device is secure although it's not). I have confirmed that the following network cards work properly:
-| Network Card | USB | 5GHz | mixed mode | injection mode | hwsim mode |
-| ---------------------- | --- | ---- | ----------------------- | ----------------------- | -------------------- |
-| Technoethical N150 HGA | Yes | No | patched driver/firmware | patched driver/firmware | _under development_ |
-| TP-Link TL-WN722N v1.x | Yes | No | patched driver/firmware | patched driver/firmware | _under development_ |
-| Alfa AWUS036NHA | Yes | No | patched driver/firmware | patched driver/firmware | _under development_ |
-| Intel Wireless-AC 8265 | No | Yes | patched driver | yes | _under development_ |
-| Intel Wireless-AC 3160 | No | Yes | patched driver | yes | _under development_ |
-| Alfa AWUS036ACM | Yes | Yes | patched driver | yes | _under development_ |
-| Netgear WN111v2 | Yes | No | patched driver | yes | _under development_ |
-| Alfa AWUS036ACH | Yes | Yes | **TODO** | **TODO** | _under development_ |
+| Network Card | USB | 5GHz | mixed mode | injection mode |
+| ---------------------- | --- | ---- | ----------------------- | ----------------------- |
+| Technoethical N150 HGA | Yes | No | patched driver/firmware | patched driver/firmware |
+| TP-Link TL-WN722N v1.x | Yes | No | patched driver/firmware | patched driver/firmware |
+| Alfa AWUS036NHA | Yes | No | patched driver/firmware | patched driver/firmware |
+| Intel Wireless-AC 8265 | No | Yes | patched driver | yes |
+| Intel Wireless-AC 3160 | No | Yes | patched driver | yes |
+| Alfa AWUS036ACM | Yes | Yes | patched driver | yes |
+| Netgear WN111v2 | Yes | No | patched driver | yes |
+| Alfa AWUS036ACH | Yes | Yes | **TODO** | **TODO** |
-The three last colums signify:
+The three two colums signify:
 1. Mixed mode: whether the network card can be used in [mixed mode](#id-mixed-mode).
 2. Injection mode: whether the network card can be used as a second interface to inject frames in [injection mode](#id-injection-mode).
-3. Hwsim mode: whether the network card can be used in the experimental [hwsim mode](#id-hwsim-mode).
-
 _Yes_ indicates the card works out-of-the-box in the given mode. _Patched driver/firmware_ means that the card is compatible when used with patched drivers and/or firmware. _No_ means this mode is not supported by the network card.
@@ -170,10 +171,7 @@ Now clone this repository, build the tools, and configure a virtual python3 envi
 # git clone https://github.com/vanhoefm/fragattack.git fragattack
 cd fragattack/research
 ./build.sh
- python3 -m venv venv
- source venv/bin/activate
- pip install wheel
- pip install -r requirements.txt
+ ./pysetup.sh
 The above instructions only have to be executed once. After pulling in new code using git you do have to execute `./build.sh` again.
diff --git a/research/fraginternals.py b/research/fraginternals.py
index a9cc02a07..46faaff0c 100644
--- a/research/fraginternals.py
+++ b/research/fraginternals.py
@@ -732,8 +732,9 @@ class Daemon(metaclass=abc.ABCMeta):
 log(STATUS, "To ignore this warning and timeout add the parameter --no-drivercheck")
 time.sleep(5)
 elif FRAGVERSION != open("/sys/module/mac80211/parameters/fragattack_version").read().strip():
+ version = open("/sys/module/mac80211/parameters/fragattack_version").read().strip()
 log(ERROR, f"This script has version {FRAGVERSION} but the modified drivers are version {version}.")
- log(ERROR, f"Please recompile and reinstall the modified drivers (see the README for details).")
+ log(ERROR, f"Recompile and reinstall the modified drivers or add --no-drivercheck (see the README for details).")
 quit(1)
 # 1. Assign/create interfaces according to provided options
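Review bot: The added `version = open(...)` line reads /sys/module/mac80211/parameters/fragattack_version a second time, immediately after the `elif` condition on the line above already read the same file, and neither read closes the file object. Binding the value inside the condition removes the duplicate and guarantees the logged version is the one that was compared: `elif FRAGVERSION != (version := open("/sys/module/mac80211/parameters/fragattack_version").read().strip()):`, with the new assignment line dropped (the walrus needs Python 3.8+, which the README's Python 3.9 note suggests is in use). Closing the handle would take a `with` block or `pathlib.Path(...).read_text()` before the chain, whichever the file's imports allow. The new `log(ERROR, f"Recompile and reinstall ...")` string has no placeholders, so the `f` prefix can go. The enclosing method and the head of this if/elif chain start before the hunk.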
@@ -801,9 +802,16 @@ class Daemon(metaclass=abc.ABCMeta):
 def connect_wpaspy(self):
 # Wait until daemon started
- while not os.path.exists("wpaspy_ctrl/" + self.nic_iface):
+ time_abort = time.time() + 10
+ while not os.path.exists("wpaspy_ctrl/" + self.nic_iface) and time.time() < time_abort:
 time.sleep(0.1)
+ # Abort if daemon didn't start properly
+ if not os.path.exists("wpaspy_ctrl/" + self.nic_iface):
+ log(ERROR, "Unable to connect to control interface. Did hostap/wpa_supplicant start properly?")
+ log(ERROR, "Try recompiling them using ./build.sh and double-check client.conf and hostapd.conf.")
+ quit(1)
+
 # Open the wpa_supplicant or hostapd control interface
 try:
 self.wpaspy_ctrl = Ctrl("wpaspy_ctrl/" + self.nic_iface)
diff --git a/research/pysetup.sh b/research/pysetup.sh
new file mode 100755
index 000000000..decca233d
--- /dev/null
+++ b/research/pysetup.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+# Start from a clean environment
+rm -rf venv/
+
+# Basic python3 virtual environment
+python3 -m venv venv
+source venv/bin/activate
+pip install wheel
+pip install -r requirements.txt
+
+# Fix a bug in scapy that isn't fixed in the PyPI version yet. For background see
+# https://github.com/secdev/scapy/commit/46fa40fde4049ad7770481f8806c59640df24059
+sed -i 's/find_library("libc")/find_library("c")/g' venv/lib/python*/site-packages/scapy/arch/bpf/core.py
diff --git a/research/requirements.txt b/research/requirements.txt
index 7cf738fc6..ccd2b8d57 100644
--- a/research/requirements.txt
+++ b/research/requirements.txt
@@ -8,7 +8,7 @@ py==1.8.1
 pycryptodome==3.9.7
 pyparsing==2.4.6
 pytest==5.3.5
-git+https://github.com/vanhoefm/scapy.git@v2.4.4fix1#egg=scapy
+scapy==2.4.3
 simpy==3.0.11
 six==1.14.0
 sympy==1.5.1
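Review bot: The control-socket path `"wpaspy_ctrl/" + self.nic_iface` is now spelled out three times in this hunk (the new loop condition, the new post-loop check and the existing `Ctrl(...)` call), and the start-up budget is a bare literal in `time_abort = time.time() + 10`. Binding the path once, `ctrl_path = "wpaspy_ctrl/" + self.nic_iface`, and giving the limit a name such as a module-level `WPASPY_START_TIMEOUT = 10` used as `time_abort = time.time() + WPASPY_START_TIMEOUT` keeps the three sites in sync and makes the limit easy to raise on slow hosts where hostapd or wpa_supplicant needs longer than 10 s to create the socket. The comment on the abort branch could also say that an existing socket does not prove the daemon is still alive, since the `Ctrl(...)` call below is what actually detects that; the `try` that follows continues past the end of the hunk, as does `connect_wpaspy` itself.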
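Review bot: `rm -rf venv/` on the fourth line removes whatever `venv/` exists in the caller's current directory, and nothing stops the script when a step fails, so a failed `python3 -m venv venv` or `pip install` still falls through to the final `sed -i` against a tree that may be missing or half-installed. Putting `set -e` and `cd "$(dirname "$0")"` directly after the shebang anchors the script to the `research/` directory it expects and aborts at the first failing command. The README change in this commit runs `./pysetup.sh` from `research/`, so the `cd` only matters when the script is started from elsewhere, but that is precisely when the unconditional `rm -rf` is risky. The `sed -i` edit of scapy's `arch/bpf/core.py` silently does nothing if the glob matches no file or the line has changed; a trailing `grep -q 'find_library("c")' venv/lib/python*/site-packages/scapy/arch/bpf/core.py` would turn that into a visible failure under `set -e`.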