mirror of
https://github.com/vanhoefm/fragattacks.git
synced 2024-11-27 01:38:37 -05:00
467 lines
11 KiB
Objective-C
467 lines
11 KiB
Objective-C
/*
|
|
* WPA Supplicant - iPhone/iPod touch Apple80211 driver interface
|
|
* Copyright (c) 2007, Jouni Malinen <j@w1.fi>
|
|
*
|
|
* This program is free software; you can redistribute it and/or modify
|
|
* it under the terms of the GNU General Public License version 2 as
|
|
* published by the Free Software Foundation.
|
|
*
|
|
* Alternatively, this software may be distributed under the terms of BSD
|
|
* license.
|
|
*
|
|
* See README and COPYING for more details.
|
|
*/
|
|
|
|
#include "includes.h"
|
|
#define Boolean __DummyBoolean
|
|
#include <CoreFoundation/CoreFoundation.h>
|
|
#undef Boolean
|
|
|
|
#include "common.h"
|
|
#include "driver.h"
|
|
#include "eloop.h"
|
|
#include "ieee802_11_defs.h"
|
|
|
|
#include "MobileApple80211.h"
|
|
|
|
struct wpa_driver_iphone_data {
|
|
void *ctx;
|
|
Apple80211Ref wireless_ctx;
|
|
CFArrayRef scan_results;
|
|
int ctrl_power;
|
|
};
|
|
|
|
|
|
static const void * cfdict_get_key_str(CFDictionaryRef dict, const char *key)
|
|
{
|
|
const void *res;
|
|
CFStringRef str = CFStringCreateWithCString(kCFAllocatorDefault, key,
|
|
kCFStringEncodingMacRoman);
|
|
if (str == NULL)
|
|
return NULL;
|
|
|
|
res = CFDictionaryGetValue(dict, str);
|
|
CFRelease(str);
|
|
return res;
|
|
}
|
|
|
|
|
|
static int wpa_driver_iphone_get_ssid(void *priv, u8 *ssid)
|
|
{
|
|
struct wpa_driver_iphone_data *drv = priv;
|
|
CFDataRef data;
|
|
int err, len;
|
|
|
|
err = Apple80211CopyValue(drv->wireless_ctx, APPLE80211_VALUE_SSID, 0,
|
|
&data);
|
|
if (err != 0) {
|
|
wpa_printf(MSG_DEBUG, "iPhone: Apple80211CopyValue(SSID) "
|
|
"failed: %d", err);
|
|
return -1;
|
|
}
|
|
|
|
len = CFDataGetLength(data);
|
|
if (len > 32) {
|
|
CFRelease(data);
|
|
return -1;
|
|
}
|
|
os_memcpy(ssid, CFDataGetBytePtr(data), len);
|
|
CFRelease(data);
|
|
|
|
return len;
|
|
}
|
|
|
|
|
|
static int wpa_driver_iphone_get_bssid(void *priv, u8 *bssid)
|
|
{
|
|
struct wpa_driver_iphone_data *drv = priv;
|
|
CFStringRef data;
|
|
int err;
|
|
int a1, a2, a3, a4, a5, a6;
|
|
|
|
err = Apple80211CopyValue(drv->wireless_ctx, APPLE80211_VALUE_BSSID, 0,
|
|
&data);
|
|
if (err != 0) {
|
|
wpa_printf(MSG_DEBUG, "iPhone: Apple80211CopyValue(BSSID) "
|
|
"failed: %d", err);
|
|
return -1;
|
|
}
|
|
|
|
sscanf(CFStringGetCStringPtr(data, kCFStringEncodingMacRoman),
|
|
"%x:%x:%x:%x:%x:%x", &a1, &a2, &a3, &a4, &a5, &a6);
|
|
bssid[0] = a1;
|
|
bssid[1] = a2;
|
|
bssid[2] = a3;
|
|
bssid[3] = a4;
|
|
bssid[4] = a5;
|
|
bssid[5] = a6;
|
|
|
|
CFRelease(data);
|
|
|
|
return 0;
|
|
}
|
|
|
|
|
|
static void wpa_driver_iphone_scan_timeout(void *eloop_ctx, void *timeout_ctx)
|
|
{
|
|
wpa_supplicant_event(timeout_ctx, EVENT_SCAN_RESULTS, NULL);
|
|
}
|
|
|
|
|
|
static int wpa_driver_iphone_scan(void *priv, const u8 *ssid, size_t ssid_len)
|
|
{
|
|
struct wpa_driver_iphone_data *drv = priv;
|
|
int err;
|
|
|
|
if (drv->scan_results) {
|
|
CFRelease(drv->scan_results);
|
|
drv->scan_results = NULL;
|
|
}
|
|
|
|
err = Apple80211Scan(drv->wireless_ctx, &drv->scan_results, NULL);
|
|
if (err) {
|
|
wpa_printf(MSG_DEBUG, "iPhone: Apple80211Scan failed: %d",
|
|
err);
|
|
return -1;
|
|
}
|
|
|
|
eloop_register_timeout(0, 0, wpa_driver_iphone_scan_timeout, drv,
|
|
drv->ctx);
|
|
return 0;
|
|
}
|
|
|
|
|
|
static int wpa_driver_iphone_get_scan_results(void *priv,
|
|
struct wpa_scan_result *results,
|
|
size_t max_size)
|
|
{
|
|
struct wpa_driver_iphone_data *drv = priv;
|
|
size_t i, num;
|
|
|
|
if (drv->scan_results == NULL)
|
|
return 0;
|
|
|
|
num = CFArrayGetCount(drv->scan_results);
|
|
if (num > max_size)
|
|
num = max_size;
|
|
os_memset(results, 0, num * sizeof(struct wpa_scan_result));
|
|
|
|
for (i = 0; i < num; i++) {
|
|
struct wpa_scan_result *res = &results[i];
|
|
CFDictionaryRef dict =
|
|
CFArrayGetValueAtIndex(drv->scan_results, i);
|
|
CFDataRef data;
|
|
CFStringRef str;
|
|
CFNumberRef num;
|
|
int val;
|
|
|
|
data = cfdict_get_key_str(dict, "SSID");
|
|
if (data) {
|
|
res->ssid_len = CFDataGetLength(data);
|
|
if (res->ssid_len > 32)
|
|
res->ssid_len = 32;
|
|
os_memcpy(res->ssid, CFDataGetBytePtr(data),
|
|
res->ssid_len);
|
|
}
|
|
|
|
str = cfdict_get_key_str(dict, "BSSID");
|
|
if (str) {
|
|
int a1, a2, a3, a4, a5, a6;
|
|
sscanf(CFStringGetCStringPtr(
|
|
str, kCFStringEncodingMacRoman),
|
|
"%x:%x:%x:%x:%x:%x",
|
|
&a1, &a2, &a3, &a4, &a5, &a6);
|
|
res->bssid[0] = a1;
|
|
res->bssid[1] = a2;
|
|
res->bssid[2] = a3;
|
|
res->bssid[3] = a4;
|
|
res->bssid[4] = a5;
|
|
res->bssid[5] = a6;
|
|
}
|
|
|
|
num = cfdict_get_key_str(dict, "CAPABILITIES");
|
|
if (num) {
|
|
if (CFNumberGetValue(num, kCFNumberSInt32Type, &val))
|
|
res->caps = val;
|
|
}
|
|
|
|
num = cfdict_get_key_str(dict, "CHANNEL");
|
|
if (num) {
|
|
if (CFNumberGetValue(num, kCFNumberSInt32Type, &val))
|
|
res->freq = 2407 + val * 5;
|
|
}
|
|
|
|
num = cfdict_get_key_str(dict, "RSSI");
|
|
if (num) {
|
|
if (CFNumberGetValue(num, kCFNumberSInt32Type, &val))
|
|
res->level = val;
|
|
}
|
|
|
|
num = cfdict_get_key_str(dict, "NOISE");
|
|
if (num) {
|
|
if (CFNumberGetValue(num, kCFNumberSInt32Type, &val))
|
|
res->noise = val;
|
|
}
|
|
|
|
data = cfdict_get_key_str(dict, "IE");
|
|
if (data) {
|
|
u8 *ptr = (u8 *) CFDataGetBytePtr(data);
|
|
int len = CFDataGetLength(data);
|
|
u8 *pos = ptr, *end = ptr + len;
|
|
|
|
while (pos + 2 < end) {
|
|
if (pos + 2 + pos[1] > end)
|
|
break;
|
|
if (pos[0] == WLAN_EID_RSN &&
|
|
pos[1] <= SSID_MAX_WPA_IE_LEN) {
|
|
os_memcpy(res->rsn_ie, pos,
|
|
2 + pos[1]);
|
|
res->rsn_ie_len = 2 + pos[1];
|
|
}
|
|
if (pos[0] == WLAN_EID_VENDOR_SPECIFIC &&
|
|
pos[1] > 4 && pos[2] == 0x00 &&
|
|
pos[3] == 0x50 && pos[4] == 0xf2 &&
|
|
pos[5] == 0x01) {
|
|
os_memcpy(res->wpa_ie, pos,
|
|
2 + pos[1]);
|
|
res->wpa_ie_len = 2 + pos[1];
|
|
}
|
|
|
|
pos = pos + 2 + pos[1];
|
|
}
|
|
}
|
|
}
|
|
|
|
return num;
|
|
}
|
|
|
|
|
|
static void wpa_driver_iphone_assoc_timeout(void *eloop_ctx, void *timeout_ctx)
|
|
{
|
|
struct wpa_driver_iphone_data *drv = eloop_ctx;
|
|
u8 bssid[ETH_ALEN];
|
|
|
|
if (wpa_driver_iphone_get_bssid(drv, bssid) != 0) {
|
|
eloop_register_timeout(1, 0, wpa_driver_iphone_assoc_timeout,
|
|
drv, drv->ctx);
|
|
return;
|
|
}
|
|
|
|
wpa_supplicant_event(timeout_ctx, EVENT_ASSOC, NULL);
|
|
}
|
|
|
|
|
|
static int wpa_driver_iphone_associate(
|
|
void *priv, struct wpa_driver_associate_params *params)
|
|
{
|
|
struct wpa_driver_iphone_data *drv = priv;
|
|
int i, num, err;
|
|
size_t ssid_len;
|
|
CFDictionaryRef bss = NULL;
|
|
|
|
/*
|
|
* TODO: Consider generating parameters instead of just using an entry
|
|
* from scan results in order to support ap_scan=2.
|
|
*/
|
|
|
|
if (drv->scan_results == NULL) {
|
|
wpa_printf(MSG_DEBUG, "iPhone: No scan results - cannot "
|
|
"associate");
|
|
return -1;
|
|
}
|
|
|
|
num = CFArrayGetCount(drv->scan_results);
|
|
|
|
for (i = 0; i < num; i++) {
|
|
CFDictionaryRef dict =
|
|
CFArrayGetValueAtIndex(drv->scan_results, i);
|
|
CFDataRef data;
|
|
|
|
data = cfdict_get_key_str(dict, "SSID");
|
|
if (data == NULL)
|
|
continue;
|
|
|
|
ssid_len = CFDataGetLength(data);
|
|
if (ssid_len != params->ssid_len ||
|
|
os_memcmp(CFDataGetBytePtr(data), params->ssid, ssid_len)
|
|
!= 0)
|
|
continue;
|
|
|
|
bss = dict;
|
|
break;
|
|
}
|
|
|
|
if (bss == NULL) {
|
|
wpa_printf(MSG_DEBUG, "iPhone: Could not find SSID from scan "
|
|
"results - cannot associate");
|
|
return -1;
|
|
}
|
|
|
|
wpa_printf(MSG_DEBUG, "iPhone: Trying to associate with a BSS found "
|
|
"from scan results");
|
|
|
|
err = Apple80211Associate(drv->wireless_ctx, bss, NULL);
|
|
if (err) {
|
|
wpa_printf(MSG_DEBUG, "iPhone: Apple80211Associate() failed: "
|
|
"%d", err);
|
|
return -1;
|
|
}
|
|
|
|
/*
|
|
* Driver is actually already associated; report association from an
|
|
* eloop callback.
|
|
*/
|
|
eloop_cancel_timeout(wpa_driver_iphone_assoc_timeout, drv, drv->ctx);
|
|
eloop_register_timeout(0, 0, wpa_driver_iphone_assoc_timeout, drv,
|
|
drv->ctx);
|
|
|
|
return 0;
|
|
}
|
|
|
|
|
|
static int wpa_driver_iphone_set_key(void *priv, wpa_alg alg, const u8 *addr,
|
|
int key_idx, int set_tx, const u8 *seq,
|
|
size_t seq_len, const u8 *key,
|
|
size_t key_len)
|
|
{
|
|
/*
|
|
* TODO: Need to either support configuring PMK for 4-way handshake or
|
|
* PTK for TKIP/CCMP.
|
|
*/
|
|
return -1;
|
|
}
|
|
|
|
|
|
static int wpa_driver_iphone_get_capa(void *priv, struct wpa_driver_capa *capa)
|
|
{
|
|
os_memset(capa, 0, sizeof(*capa));
|
|
|
|
capa->key_mgmt = WPA_DRIVER_CAPA_KEY_MGMT_WPA |
|
|
WPA_DRIVER_CAPA_KEY_MGMT_WPA2 |
|
|
WPA_DRIVER_CAPA_KEY_MGMT_WPA_PSK |
|
|
WPA_DRIVER_CAPA_KEY_MGMT_WPA2_PSK;
|
|
capa->enc = WPA_DRIVER_CAPA_ENC_WEP40 | WPA_DRIVER_CAPA_ENC_WEP104 |
|
|
WPA_DRIVER_CAPA_ENC_TKIP | WPA_DRIVER_CAPA_ENC_CCMP;
|
|
capa->auth = WPA_DRIVER_AUTH_OPEN | WPA_DRIVER_AUTH_SHARED |
|
|
WPA_DRIVER_AUTH_LEAP;
|
|
capa->flags = WPA_DRIVER_FLAGS_4WAY_HANDSHAKE;
|
|
|
|
return 0;
|
|
}
|
|
|
|
|
|
static void * wpa_driver_iphone_init(void *ctx, const char *ifname)
|
|
{
|
|
struct wpa_driver_iphone_data *drv;
|
|
int err;
|
|
char power;
|
|
CFStringRef name;
|
|
CFDictionaryRef dict;
|
|
|
|
drv = os_zalloc(sizeof(*drv));
|
|
if (drv == NULL)
|
|
return NULL;
|
|
drv->ctx = ctx;
|
|
err = Apple80211Open(&drv->wireless_ctx);
|
|
if (err) {
|
|
wpa_printf(MSG_ERROR, "iPhone: Apple80211Open failed: %d",
|
|
err);
|
|
os_free(drv);
|
|
return NULL;
|
|
}
|
|
|
|
name = CFStringCreateWithCString(kCFAllocatorDefault, ifname,
|
|
kCFStringEncodingISOLatin1);
|
|
if (name == NULL) {
|
|
wpa_printf(MSG_ERROR, "iPhone: ifname -> CFString failed");
|
|
Apple80211Close(drv->wireless_ctx);
|
|
os_free(drv);
|
|
return NULL;
|
|
}
|
|
|
|
err = Apple80211BindToInterface(drv->wireless_ctx, name);
|
|
CFRelease(name);
|
|
|
|
if (err) {
|
|
wpa_printf(MSG_ERROR, "iPhone: Apple80211BindToInterface "
|
|
"failed: %d", err);
|
|
Apple80211Close(drv->wireless_ctx);
|
|
os_free(drv);
|
|
return NULL;
|
|
}
|
|
|
|
err = Apple80211GetPower(drv->wireless_ctx, &power);
|
|
if (err)
|
|
wpa_printf(MSG_DEBUG, "iPhone: Apple80211GetPower failed: %d",
|
|
err);
|
|
|
|
wpa_printf(MSG_DEBUG, "iPhone: Power=%d", power);
|
|
|
|
if (!power) {
|
|
drv->ctrl_power = 1;
|
|
err = Apple80211SetPower(drv->wireless_ctx, 1);
|
|
if (err) {
|
|
wpa_printf(MSG_DEBUG, "iPhone: Apple80211SetPower "
|
|
"failed: %d", err);
|
|
Apple80211Close(drv->wireless_ctx);
|
|
os_free(drv);
|
|
return NULL;
|
|
}
|
|
}
|
|
|
|
err = Apple80211GetInfoCopy(drv->wireless_ctx, &dict);
|
|
if (err == 0) {
|
|
CFShow(dict);
|
|
CFRelease(dict);
|
|
} else {
|
|
printf("Apple80211GetInfoCopy: %d\n", err);
|
|
}
|
|
|
|
return drv;
|
|
}
|
|
|
|
|
|
static void wpa_driver_iphone_deinit(void *priv)
|
|
{
|
|
struct wpa_driver_iphone_data *drv = priv;
|
|
int err;
|
|
|
|
eloop_cancel_timeout(wpa_driver_iphone_scan_timeout, drv, drv->ctx);
|
|
eloop_cancel_timeout(wpa_driver_iphone_assoc_timeout, drv, drv->ctx);
|
|
|
|
if (drv->ctrl_power) {
|
|
wpa_printf(MSG_DEBUG, "iPhone: Power down the interface");
|
|
err = Apple80211SetPower(drv->wireless_ctx, 0);
|
|
if (err) {
|
|
wpa_printf(MSG_DEBUG, "iPhone: Apple80211SetPower(0) "
|
|
"failed: %d", err);
|
|
}
|
|
}
|
|
|
|
err = Apple80211Close(drv->wireless_ctx);
|
|
if (err) {
|
|
wpa_printf(MSG_DEBUG, "iPhone: Apple80211Close failed: %d",
|
|
err);
|
|
}
|
|
|
|
if (drv->scan_results)
|
|
CFRelease(drv->scan_results);
|
|
|
|
os_free(drv);
|
|
}
|
|
|
|
|
|
const struct wpa_driver_ops wpa_driver_iphone_ops = {
|
|
.name = "iphone",
|
|
.desc = "iPhone/iPod touch Apple80211 driver",
|
|
.get_ssid = wpa_driver_iphone_get_ssid,
|
|
.get_bssid = wpa_driver_iphone_get_bssid,
|
|
.init = wpa_driver_iphone_init,
|
|
.deinit = wpa_driver_iphone_deinit,
|
|
.scan = wpa_driver_iphone_scan,
|
|
.get_scan_results = wpa_driver_iphone_get_scan_results,
|
|
.associate = wpa_driver_iphone_associate,
|
|
.set_key = wpa_driver_iphone_set_key,
|
|
.get_capa = wpa_driver_iphone_get_capa,
|
|
};
|