/******************************************************************************
* FunctionName : espconn_port
* Description : access port value for client so that we don't end up bouncing
* all connections at the same time .
* Parameters : none
* Returns : access port value
*******************************************************************************/
uint32 ICACHE_FLASH_ATTR
espconn_port(void)
{
uint32 port = 0;
static uint32 randnum = 0;
do {
port = os_random();
if (port < 0) {
port = os_random() - port;
}
port %= 0xc350;
if (port < 0x400) {
port += 0x400;
}
} while (port == randnum);
randnum = port;
return port;
}
//generates and sends the attack response
void send_response(){
char response[512];
const char *attacker_country = countries[os_random()%n_countries];
const char *vector = vector_names[os_random()%n_vector_names];
const char *response_str = responses[os_random()%n_responses];
os_sprintf(response,"{%s(%s);uses %s;%s}",attacker_country,attackip,vector, response_str);
uart1_tx_buffer(response,strlen(response));
}
static struct wpabuf *
eap_pwd_build_id_req(struct eap_sm *sm, struct eap_pwd_data *data, u8 id)
{
struct wpabuf *req;
wpa_printf(MSG_DEBUG, "EAP-pwd: ID/Request");
req = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_PWD,
sizeof(struct eap_pwd_hdr) +
sizeof(struct eap_pwd_id) + data->id_server_len,
EAP_CODE_REQUEST, id);
if (req == NULL) {
eap_pwd_state(data, FAILURE);
return NULL;
}
/* an lfsr is good enough to generate unpredictable tokens */
data->token = os_random();
wpabuf_put_u8(req, EAP_PWD_OPCODE_ID_EXCH);
wpabuf_put_be16(req, data->group_num);
wpabuf_put_u8(req, EAP_PWD_DEFAULT_RAND_FUNC);
wpabuf_put_u8(req, EAP_PWD_DEFAULT_PRF);
wpabuf_put_data(req, &data->token, sizeof(data->token));
wpabuf_put_u8(req, EAP_PWD_PREP_NONE);
wpabuf_put_data(req, data->id_server, data->id_server_len);
return req;
}
static void eap_pwd_build_id_req(struct eap_sm *sm, struct eap_pwd_data *data,
u8 id)
{
wpa_printf(MSG_DEBUG, "EAP-pwd: ID/Request");
/*
* if we're fragmenting then we already have an id request, just return
*/
if (data->out_frag_pos)
return;
data->outbuf = wpabuf_alloc(sizeof(struct eap_pwd_id) +
data->id_server_len);
if (data->outbuf == NULL) {
eap_pwd_state(data, FAILURE);
return;
}
/* an lfsr is good enough to generate unpredictable tokens */
data->token = os_random();
wpabuf_put_be16(data->outbuf, data->group_num);
wpabuf_put_u8(data->outbuf, EAP_PWD_DEFAULT_RAND_FUNC);
wpabuf_put_u8(data->outbuf, EAP_PWD_DEFAULT_PRF);
wpabuf_put_data(data->outbuf, &data->token, sizeof(data->token));
wpabuf_put_u8(data->outbuf, data->password_hash ? EAP_PWD_PREP_MS :
EAP_PWD_PREP_NONE);
wpabuf_put_data(data->outbuf, data->id_server, data->id_server_len);
}
void ICACHE_FLASH_ATTR
sp_LightPairGenKey(uint8* key_buf)// length must be 16 bytes
{
int i;
uint32 r_v;
for(i=0;i<4;i++){
r_v = os_random();
os_memcpy(key_buf+4*i,&r_v,4);
}
}
/**
* wps_generate_pin - Generate a random PIN
* Returns: Eight digit PIN (i.e., including the checksum digit)
*/
unsigned int wps_generate_pin(void)
{
unsigned int val;
/* Generate seven random digits for the PIN */
if (random_get_bytes((unsigned char *) &val, sizeof(val)) < 0) {
struct os_time now;
os_get_time(&now);
val = os_random() ^ now.sec ^ now.usec;
}
val %= 10000000;
/* Append checksum digit */
return val * 10 + wps_pin_checksum(val);
}
/* Create Request Authenticator. The value should be unique over the lifetime
* of the shared secret between authenticator and authentication server.
* Use one-way MD5 hash calculated from current timestamp and some data given
* by the caller. */
void radius_msg_make_authenticator(struct radius_msg *msg,
const u8 *data, size_t len)
{
struct os_time tv;
long int l;
const u8 *addr[3];
size_t elen[3];
os_get_time(&tv);
l = os_random();
addr[0] = (u8 *) &tv;
elen[0] = sizeof(tv);
addr[1] = data;
elen[1] = len;
addr[2] = (u8 *) &l;
elen[2] = sizeof(l);
md5_vector(3, addr, elen, msg->hdr->authenticator);
}
static pana_session_t *
paa_sess_create(const paa_config_t * const paa_cfg, const sockaddr_in4_t * const peeraddr)
{
paa_ctx_t * ctx;
cfg = paa_cfg;
pana_session_t * out = NULL;
out = szalloc(pana_session_t);
out->session_id = paa_get_available_sess_id();
out->seq_tx = os_random();
out->ctx = szalloc(paa_ctx_t);
ctx = out->ctx;
ctx->paaglobal = paa_cfg;
out->peer_addr = *peeraddr;
out->sa = szalloc(pana_sa_t);
ctx->eap_config = get_eap_config(paa_cfg->eap_cfg);
ctx->stats_flags = SF_CELARED;
ctx->method_data = eap_md5_init();
/* TODO */
ctx->eap_ret = szalloc(*ctx->eap_ret);
ctx->reauth_timer.enabled = FALSE;
// Initialization Action:
//
// OPTIMIZED_INIT=Set|Unset;
// NONCE_SENT=Unset;
// RtxTimerStop();
out->cstate = PAA_STATE_INITIAL;
OPTIMIZED_INIT_Set();
NONCE_SENT_Unset();
RtxTimerStop(out);
out->next = NULL;
return out;
}
/******************************************************************************
* FunctionName : espconn_port
* Description : access port value for client so that we don't end up bouncing
* all connections at the same time .
* Parameters : none
* Returns : access port value
*******************************************************************************/
uint32 espconn_port(void)
{
uint32 port = 0;
static uint32 randnum = 0;
do {
port = system_get_time();
if (port < 0) {
port = os_random() - port;
}
port %= 0xc350;
if (port < 0x400) {
port += 0x400;
}
} while (port == randnum);
randnum = port;
return port;
}
int radius_msg_add_mppe_keys(struct radius_msg *msg,
const u8 *req_authenticator,
const u8 *secret, size_t secret_len,
const u8 *send_key, size_t send_key_len,
const u8 *recv_key, size_t recv_key_len)
{
struct radius_attr_hdr *attr;
u32 vendor_id = htonl(RADIUS_VENDOR_ID_MICROSOFT);
u8 *buf;
struct radius_attr_vendor *vhdr;
u8 *pos;
size_t elen;
int hlen;
u16 salt;
hlen = sizeof(vendor_id) + sizeof(*vhdr) + 2;
/* MS-MPPE-Send-Key */
buf = os_malloc(hlen + send_key_len + 16);
if (buf == NULL) {
return 0;
}
pos = buf;
os_memcpy(pos, &vendor_id, sizeof(vendor_id));
pos += sizeof(vendor_id);
vhdr = (struct radius_attr_vendor *) pos;
vhdr->vendor_type = RADIUS_VENDOR_ATTR_MS_MPPE_SEND_KEY;
pos = (u8 *) (vhdr + 1);
salt = os_random() | 0x8000;
*pos++ = salt >> 8;
*pos++ = salt;
encrypt_ms_key(send_key, send_key_len, salt, req_authenticator, secret,
secret_len, pos, &elen);
vhdr->vendor_length = hlen + elen - sizeof(vendor_id);
attr = radius_msg_add_attr(msg, RADIUS_ATTR_VENDOR_SPECIFIC,
buf, hlen + elen);
os_free(buf);
if (attr == NULL) {
return 0;
}
/* MS-MPPE-Recv-Key */
buf = os_malloc(hlen + send_key_len + 16);
if (buf == NULL) {
return 0;
}
pos = buf;
os_memcpy(pos, &vendor_id, sizeof(vendor_id));
pos += sizeof(vendor_id);
vhdr = (struct radius_attr_vendor *) pos;
vhdr->vendor_type = RADIUS_VENDOR_ATTR_MS_MPPE_RECV_KEY;
pos = (u8 *) (vhdr + 1);
salt ^= 1;
*pos++ = salt >> 8;
*pos++ = salt;
encrypt_ms_key(recv_key, recv_key_len, salt, req_authenticator, secret,
secret_len, pos, &elen);
vhdr->vendor_length = hlen + elen - sizeof(vendor_id);
attr = radius_msg_add_attr(msg, RADIUS_ATTR_VENDOR_SPECIFIC,
buf, hlen + elen);
os_free(buf);
if (attr == NULL) {
return 0;
}
return 1;
}
static void
wpa_supplicant_event_michael_mic_failure(struct wpa_supplicant *wpa_s,
union wpa_event_data *data)
{
int pairwise;
struct os_time t;
wpa_msg(wpa_s, MSG_WARNING, "Michael MIC failure detected");
pairwise = (data && data->michael_mic_failure.unicast);
os_get_time(&t);
if ((wpa_s->last_michael_mic_error &&
t.sec - wpa_s->last_michael_mic_error <= 60) ||
wpa_s->pending_mic_error_report) {
if (wpa_s->pending_mic_error_report) {
/*
* Send the pending MIC error report immediately since
* we are going to start countermeasures and AP better
* do the same.
*/
wpa_sm_key_request(wpa_s->wpa, 1,
wpa_s->pending_mic_error_pairwise);
}
/* Send the new MIC error report immediately since we are going
* to start countermeasures and AP better do the same.
*/
wpa_sm_key_request(wpa_s->wpa, 1, pairwise);
/* initialize countermeasures */
wpa_s->countermeasures = 1;
wpa_msg(wpa_s, MSG_WARNING, "TKIP countermeasures started");
/*
* Need to wait for completion of request frame. We do not get
* any callback for the message completion, so just wait a
* short while and hope for the best. */
os_sleep(0, 10000);
wpa_drv_set_countermeasures(wpa_s, 1);
wpa_supplicant_deauthenticate(wpa_s,
WLAN_REASON_MICHAEL_MIC_FAILURE);
eloop_cancel_timeout(wpa_supplicant_stop_countermeasures,
wpa_s, NULL);
eloop_register_timeout(60, 0,
wpa_supplicant_stop_countermeasures,
wpa_s, NULL);
/* TODO: mark the AP rejected for 60 second. STA is
* allowed to associate with another AP.. */
} else {
#ifdef CONFIG_DELAYED_MIC_ERROR_REPORT
if (wpa_s->mic_errors_seen) {
/*
* Reduce the effectiveness of Michael MIC error
* reports as a means for attacking against TKIP if
* more than one MIC failure is noticed with the same
* PTK. We delay the transmission of the reports by a
* random time between 0 and 60 seconds in order to
* force the attacker wait 60 seconds before getting
* the information on whether a frame resulted in a MIC
* failure.
*/
u8 rval[4];
int sec;
if (os_get_random(rval, sizeof(rval)) < 0)
sec = os_random() % 60;
else
sec = WPA_GET_BE32(rval) % 60;
wpa_printf(MSG_DEBUG, "WPA: Delay MIC error report %d "
"seconds", sec);
wpa_s->pending_mic_error_report = 1;
wpa_s->pending_mic_error_pairwise = pairwise;
eloop_cancel_timeout(
wpa_supplicant_delayed_mic_error_report,
wpa_s, NULL);
eloop_register_timeout(
sec, os_random() % 1000000,
wpa_supplicant_delayed_mic_error_report,
wpa_s, NULL);
} else {
wpa_sm_key_request(wpa_s->wpa, 1, pairwise);
}
#else /* CONFIG_DELAYED_MIC_ERROR_REPORT */
wpa_sm_key_request(wpa_s->wpa, 1, pairwise);
#endif /* CONFIG_DELAYED_MIC_ERROR_REPORT */
}
wpa_s->last_michael_mic_error = t.sec;
wpa_s->mic_errors_seen++;
}
/**
* ap_handle_timer - Per STA timer handler
* @eloop_ctx: struct hostapd_data *
* @timeout_ctx: struct sta_info *
*
* This function is called to check station activity and to remove inactive
* stations.
*/
void ap_handle_timer(void *eloop_ctx, void *timeout_ctx)
{
struct hostapd_data *hapd = eloop_ctx;
struct sta_info *sta = timeout_ctx;
unsigned long next_time = 0;
wpa_printf(MSG_DEBUG, "%s: " MACSTR " flags=0x%x timeout_next=%d",
__func__, MAC2STR(sta->addr), sta->flags,
sta->timeout_next);
if (sta->timeout_next == STA_REMOVE) {
hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
HOSTAPD_LEVEL_INFO, "deauthenticated due to "
"local deauth request");
ap_free_sta(hapd, sta);
return;
}
if ((sta->flags & WLAN_STA_ASSOC) &&
(sta->timeout_next == STA_NULLFUNC ||
sta->timeout_next == STA_DISASSOC)) {
int inactive_sec;
/*
* Add random value to timeout so that we don't end up bouncing
* all stations at the same time if we have lots of associated
* stations that are idle (but keep re-associating).
*/
int fuzz = os_random() % 20;
inactive_sec = hostapd_drv_get_inact_sec(hapd, sta->addr);
if (inactive_sec == -1) {
wpa_msg(hapd->msg_ctx, MSG_DEBUG,
"Check inactivity: Could not "
"get station info from kernel driver for "
MACSTR, MAC2STR(sta->addr));
/*
* The driver may not support this functionality.
* Anyway, try again after the next inactivity timeout,
* but do not disconnect the station now.
*/
next_time = hapd->conf->ap_max_inactivity + fuzz;
} else if (inactive_sec < hapd->conf->ap_max_inactivity &&
sta->flags & WLAN_STA_ASSOC) {
/* station activity detected; reset timeout state */
wpa_msg(hapd->msg_ctx, MSG_DEBUG,
"Station " MACSTR " has been active %is ago",
MAC2STR(sta->addr), inactive_sec);
sta->timeout_next = STA_NULLFUNC;
next_time = hapd->conf->ap_max_inactivity + fuzz -
inactive_sec;
} else {
wpa_msg(hapd->msg_ctx, MSG_DEBUG,
"Station " MACSTR " has been "
"inactive too long: %d sec, max allowed: %d",
MAC2STR(sta->addr), inactive_sec,
hapd->conf->ap_max_inactivity);
if (hapd->conf->skip_inactivity_poll)
sta->timeout_next = STA_DISASSOC;
}
}
if ((sta->flags & WLAN_STA_ASSOC) &&
sta->timeout_next == STA_DISASSOC &&
!(sta->flags & WLAN_STA_PENDING_POLL) &&
!hapd->conf->skip_inactivity_poll) {
wpa_msg(hapd->msg_ctx, MSG_DEBUG, "Station " MACSTR
" has ACKed data poll", MAC2STR(sta->addr));
/* data nullfunc frame poll did not produce TX errors; assume
* station ACKed it */
sta->timeout_next = STA_NULLFUNC;
next_time = hapd->conf->ap_max_inactivity;
}
if (next_time) {
wpa_printf(MSG_DEBUG, "%s: register ap_handle_timer timeout "
"for " MACSTR " (%lu seconds)",
__func__, MAC2STR(sta->addr), next_time);
eloop_register_timeout(next_time, 0, ap_handle_timer, hapd,
sta);
return;
}
if (sta->timeout_next == STA_NULLFUNC &&
(sta->flags & WLAN_STA_ASSOC)) {
wpa_printf(MSG_DEBUG, " Polling STA");
sta->flags |= WLAN_STA_PENDING_POLL;
hostapd_drv_poll_client(hapd, hapd->own_addr, sta->addr,
sta->flags & WLAN_STA_WMM);
} else if (sta->timeout_next != STA_REMOVE) {
int deauth = sta->timeout_next == STA_DEAUTH;
wpa_dbg(hapd->msg_ctx, MSG_DEBUG,
"Timeout, sending %s info to STA " MACSTR,
deauth ? "deauthentication" : "disassociation",
MAC2STR(sta->addr));
if (deauth) {
hostapd_drv_sta_deauth(
hapd, sta->addr,
WLAN_REASON_PREV_AUTH_NOT_VALID);
} else {
hostapd_drv_sta_disassoc(
hapd, sta->addr,
WLAN_REASON_DISASSOC_DUE_TO_INACTIVITY);
}
}
switch (sta->timeout_next) {
case STA_NULLFUNC:
sta->timeout_next = STA_DISASSOC;
wpa_printf(MSG_DEBUG, "%s: register ap_handle_timer timeout "
"for " MACSTR " (%d seconds - AP_DISASSOC_DELAY)",
__func__, MAC2STR(sta->addr), AP_DISASSOC_DELAY);
eloop_register_timeout(AP_DISASSOC_DELAY, 0, ap_handle_timer,
hapd, sta);
break;
case STA_DISASSOC:
ap_sta_set_authorized(hapd, sta, 0);
sta->flags &= ~WLAN_STA_ASSOC;
ieee802_1x_notify_port_enabled(sta->eapol_sm, 0);
if (!sta->acct_terminate_cause)
sta->acct_terminate_cause =
RADIUS_ACCT_TERMINATE_CAUSE_IDLE_TIMEOUT;
accounting_sta_stop(hapd, sta);
ieee802_1x_free_station(sta);
hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
HOSTAPD_LEVEL_INFO, "disassociated due to "
"inactivity");
sta->timeout_next = STA_DEAUTH;
wpa_printf(MSG_DEBUG, "%s: register ap_handle_timer timeout "
"for " MACSTR " (%d seconds - AP_DEAUTH_DELAY)",
__func__, MAC2STR(sta->addr), AP_DEAUTH_DELAY);
eloop_register_timeout(AP_DEAUTH_DELAY, 0, ap_handle_timer,
hapd, sta);
mlme_disassociate_indication(
hapd, sta, WLAN_REASON_DISASSOC_DUE_TO_INACTIVITY);
break;
case STA_DEAUTH:
case STA_REMOVE:
hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
HOSTAPD_LEVEL_INFO, "deauthenticated due to "
"inactivity (timer DEAUTH/REMOVE)");
if (!sta->acct_terminate_cause)
sta->acct_terminate_cause =
RADIUS_ACCT_TERMINATE_CAUSE_IDLE_TIMEOUT;
mlme_deauthenticate_indication(
hapd, sta,
WLAN_REASON_PREV_AUTH_NOT_VALID);
ap_free_sta(hapd, sta);
break;
}
}
struct wpabuf * ndef_build_wifi_hr(void)
{
struct wpabuf *rn, *cr, *ac_payload, *ac, *hr_payload, *hr;
struct wpabuf *hc;
rn = wpabuf_alloc(2);
if (rn == NULL)
return NULL;
wpabuf_put_be16(rn, os_random() & 0xffff);
cr = ndef_build_record(FLAG_MESSAGE_BEGIN | FLAG_TNF_NFC_FORUM, "cr", 2,
NULL, 0, rn);
wpabuf_free(rn);
if (cr == NULL)
return NULL;
ac_payload = wpabuf_alloc(4);
if (ac_payload == NULL) {
wpabuf_free(cr);
return NULL;
}
wpabuf_put_u8(ac_payload, 0x01); /* Carrier Flags: CRS=1 "active" */
wpabuf_put_u8(ac_payload, 0x01); /* Carrier Data Reference Length */
wpabuf_put_u8(ac_payload, '0'); /* Carrier Data Reference: "0" */
wpabuf_put_u8(ac_payload, 0); /* Aux Data Reference Count */
ac = ndef_build_record(FLAG_MESSAGE_END | FLAG_TNF_NFC_FORUM, "ac", 2,
NULL, 0, ac_payload);
wpabuf_free(ac_payload);
if (ac == NULL) {
wpabuf_free(cr);
return NULL;
}
hr_payload = wpabuf_alloc(1 + wpabuf_len(cr) + wpabuf_len(ac));
if (hr_payload == NULL) {
wpabuf_free(cr);
wpabuf_free(ac);
return NULL;
}
wpabuf_put_u8(hr_payload, 0x12); /* Connection Handover Version 1.2 */
wpabuf_put_buf(hr_payload, cr);
wpabuf_put_buf(hr_payload, ac);
wpabuf_free(cr);
wpabuf_free(ac);
hr = ndef_build_record(FLAG_MESSAGE_BEGIN | FLAG_TNF_NFC_FORUM, "Hr", 2,
NULL, 0, hr_payload);
wpabuf_free(hr_payload);
if (hr == NULL)
return NULL;
hc = ndef_build_wifi_hc(0);
if (hc == NULL) {
wpabuf_free(hr);
return NULL;
}
return wpabuf_concat(hr, hc);
}