]> git.ipfire.org Git - thirdparty/hostap.git/blob - wlantest/rx_tdls.c
projects / thirdparty / hostap.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
AOSP: P2P find stopped ctrl_iface event of p2p_flush
[thirdparty/hostap.git] / wlantest / rx_tdls.c
1 /*
2 * Received Data frame processing for TDLS packets
3 * Copyright (c) 2010, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9 #include "utils/includes.h"
10
11 #include "utils/common.h"
12 #include "crypto/sha256.h"
13 #include "crypto/crypto.h"
14 #include "crypto/aes_wrap.h"
15 #include "common/ieee802_11_defs.h"
16 #include "common/ieee802_11_common.h"
17 #include "wlantest.h"
18
19
20 static struct wlantest_tdls * get_tdls(struct wlantest *wt, const u8 *linkid,
21 int create_new, const u8 *bssid)
22 {
23 struct wlantest_bss *bss;
24 struct wlantest_sta *init, *resp;
25 struct wlantest_tdls *tdls;
26
27 bss = bss_find(wt, linkid);
28 if (bss == NULL && bssid) {
29 bss = bss_find(wt, bssid);
30 if (bss)
31 wpa_printf(MSG_INFO, "TDLS: Incorrect BSSID " MACSTR
32 " in LinkId?! (init=" MACSTR " resp="
33 MACSTR ")",
34 MAC2STR(linkid), MAC2STR(linkid + ETH_ALEN),
35 MAC2STR(linkid + 2 * ETH_ALEN));
36 }
37 if (bss == NULL)
38 return NULL;
39
40 init = sta_find(bss, linkid + ETH_ALEN);
41 if (init == NULL)
42 return NULL;
43
44 resp = sta_find(bss, linkid + 2 * ETH_ALEN);
45 if (resp == NULL)
46 return NULL;
47
48 dl_list_for_each(tdls, &bss->tdls, struct wlantest_tdls, list) {
49 if (tdls->init == init && tdls->resp == resp)
50 return tdls;
51 }
52
53 if (!create_new)
54 return NULL;
55
56 tdls = os_zalloc(sizeof(*tdls));
57 if (tdls == NULL)
58 return NULL;
59 tdls->init = init;
60 tdls->resp = resp;
61 dl_list_add(&bss->tdls, &tdls->list);
62 return tdls;
63 }
64
65
66 static int tdls_derive_tpk(struct wlantest_tdls *tdls, const u8 *bssid,
67 const u8 *ftie, u8 ftie_len)
68 {
69 const struct rsn_ftie *f;
70 u8 key_input[SHA256_MAC_LEN];
71 const u8 *nonce[2];
72 size_t len[2];
73 u8 data[3 * ETH_ALEN];
74
75 if (ftie == NULL || ftie_len < sizeof(struct rsn_ftie))
76 return 0;
77
78 f = (const struct rsn_ftie *) ftie;
79 wpa_hexdump(MSG_DEBUG, "TDLS ANonce", f->anonce, WPA_NONCE_LEN);
80 wpa_hexdump(MSG_DEBUG, "TDLS SNonce", f->snonce, WPA_NONCE_LEN);
81
82 /*
83 * IEEE Std 802.11z-2010 8.5.9.1:
84 * TPK-Key-Input = SHA-256(min(SNonce, ANonce) || max(SNonce, ANonce))
85 */
86 len[0] = WPA_NONCE_LEN;
87 len[1] = WPA_NONCE_LEN;
88 if (os_memcmp(f->anonce, f->snonce, WPA_NONCE_LEN) < 0) {
89 nonce[0] = f->anonce;
90 nonce[1] = f->snonce;
91 } else {
92 nonce[0] = f->snonce;
93 nonce[1] = f->anonce;
94 }
95 sha256_vector(2, nonce, len, key_input);
96 wpa_hexdump_key(MSG_DEBUG, "TDLS: TPK-Key-Input",
97 key_input, SHA256_MAC_LEN);
98
99 /*
100 * TPK-Key-Data = KDF-N_KEY(TPK-Key-Input, "TDLS PMK",
101 * min(MAC_I, MAC_R) || max(MAC_I, MAC_R) || BSSID || N_KEY)
102 * TODO: is N_KEY really included in KDF Context and if so, in which
103 * presentation format (little endian 16-bit?) is it used? It gets
104 * added by the KDF anyway..
105 */
106
107 if (os_memcmp(tdls->init->addr, tdls->resp->addr, ETH_ALEN) < 0) {
108 os_memcpy(data, tdls->init->addr, ETH_ALEN);
109 os_memcpy(data + ETH_ALEN, tdls->resp->addr, ETH_ALEN);
110 } else {
111 os_memcpy(data, tdls->resp->addr, ETH_ALEN);
112 os_memcpy(data + ETH_ALEN, tdls->init->addr, ETH_ALEN);
113 }
114 os_memcpy(data + 2 * ETH_ALEN, bssid, ETH_ALEN);
115 wpa_hexdump(MSG_DEBUG, "TDLS: KDF Context", data, sizeof(data));
116
117 sha256_prf(key_input, SHA256_MAC_LEN, "TDLS PMK", data, sizeof(data),
118 (u8 *) &tdls->tpk, sizeof(tdls->tpk));
119 wpa_hexdump_key(MSG_DEBUG, "TDLS: TPK-KCK",
120 tdls->tpk.kck, sizeof(tdls->tpk.kck));
121 wpa_hexdump_key(MSG_DEBUG, "TDLS: TPK-TK",
122 tdls->tpk.tk, sizeof(tdls->tpk.tk));
123
124 return 1;
125 }
126
127
128 static int tdls_verify_mic(struct wlantest_tdls *tdls, u8 trans_seq,
129 struct ieee802_11_elems *elems)
130 {
131 u8 *buf, *pos;
132 int len;
133 u8 mic[16];
134 int ret;
135 const struct rsn_ftie *rx_ftie;
136 struct rsn_ftie *tmp_ftie;
137
138 if (elems->link_id == NULL || elems->rsn_ie == NULL ||
139 elems->timeout_int == NULL || elems->ftie == NULL)
140 return -1;
141
142 len = 2 * ETH_ALEN + 1 + 2 + 18 + 2 + elems->rsn_ie_len +
143 2 + elems->timeout_int_len + 2 + elems->ftie_len;
144
145 buf = os_zalloc(len);
146 if (buf == NULL)
147 return -1;
148
149 pos = buf;
150 /* 1) TDLS initiator STA MAC address */
151 os_memcpy(pos, elems->link_id + ETH_ALEN, ETH_ALEN);
152 pos += ETH_ALEN;
153 /* 2) TDLS responder STA MAC address */
154 os_memcpy(pos, elems->link_id + 2 * ETH_ALEN, ETH_ALEN);
155 pos += ETH_ALEN;
156 /* 3) Transaction Sequence number */
157 *pos++ = trans_seq;
158 /* 4) Link Identifier IE */
159 os_memcpy(pos, elems->link_id - 2, 2 + 18);
160 pos += 2 + 18;
161 /* 5) RSN IE */
162 os_memcpy(pos, elems->rsn_ie - 2, 2 + elems->rsn_ie_len);
163 pos += 2 + elems->rsn_ie_len;
164 /* 6) Timeout Interval IE */
165 os_memcpy(pos, elems->timeout_int - 2, 2 + elems->timeout_int_len);
166 pos += 2 + elems->timeout_int_len;
167 /* 7) FTIE, with the MIC field of the FTIE set to 0 */
168 os_memcpy(pos, elems->ftie - 2, 2 + elems->ftie_len);
169 pos += 2;
170 tmp_ftie = (struct rsn_ftie *) pos;
171 os_memset(tmp_ftie->mic, 0, 16);
172 pos += elems->ftie_len;
173
174 wpa_hexdump(MSG_DEBUG, "TDLS: Data for FTIE MIC", buf, pos - buf);
175 wpa_hexdump_key(MSG_DEBUG, "TDLS: KCK", tdls->tpk.kck, 16);
176 ret = omac1_aes_128(tdls->tpk.kck, buf, pos - buf, mic);
177 os_free(buf);
178 if (ret)
179 return -1;
180 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE MIC", mic, 16);
181 rx_ftie = (const struct rsn_ftie *) elems->ftie;
182
183 if (os_memcmp(mic, rx_ftie->mic, 16) == 0) {
184 wpa_printf(MSG_DEBUG, "TDLS: Valid MIC");
185 return 0;
186 }
187 wpa_printf(MSG_DEBUG, "TDLS: Invalid MIC");
188 return -1;
189 }
190
191
192 static void rx_data_tdls_setup_request(struct wlantest *wt, const u8 *bssid,
193 const u8 *sta_addr, const u8 *dst,
194 const u8 *src,
195 const u8 *data, size_t len)
196 {
197 struct ieee802_11_elems elems;
198 struct wlantest_tdls *tdls;
199
200 if (len < 3) {
201 wpa_printf(MSG_INFO, "Too short TDLS Setup Request " MACSTR
202 " -> " MACSTR, MAC2STR(src), MAC2STR(dst));
203 return;
204 }
205 wpa_printf(MSG_DEBUG, "TDLS Setup Request " MACSTR " -> "
206 MACSTR, MAC2STR(src), MAC2STR(dst));
207
208 if (ieee802_11_parse_elems(data + 3, len - 3, &elems, 1) ==
209 ParseFailed || elems.link_id == NULL)
210 return;
211 wpa_printf(MSG_DEBUG, "TDLS Link Identifier: BSSID " MACSTR
212 " initiator STA " MACSTR " responder STA " MACSTR,
213 MAC2STR(elems.link_id), MAC2STR(elems.link_id + ETH_ALEN),
214 MAC2STR(elems.link_id + 2 * ETH_ALEN));
215 tdls = get_tdls(wt, elems.link_id, 1, bssid);
216 if (tdls) {
217 tdls->counters[WLANTEST_TDLS_COUNTER_SETUP_REQ]++;
218 tdls->dialog_token = data[0];
219 }
220 }
221
222
223 static void rx_data_tdls_setup_response_failure(struct wlantest *wt,
224 const u8 *bssid,
225 const u8 *sta_addr,
226 u8 dialog_token, u16 status)
227 {
228 struct wlantest_bss *bss;
229 struct wlantest_tdls *tdls;
230 struct wlantest_sta *sta;
231
232 if (status == WLAN_STATUS_SUCCESS) {
233 wpa_printf(MSG_INFO, "TDLS: Invalid TDLS Setup Response from "
234 MACSTR, MAC2STR(sta_addr));
235 return;
236 }
237
238 bss = bss_find(wt, bssid);
239 if (!bss)
240 return;
241 sta = sta_find(bss, sta_addr);
242 if (!sta)
243 return;
244
245 dl_list_for_each(tdls, &bss->tdls, struct wlantest_tdls, list) {
246 if (tdls->resp == sta) {
247 if (dialog_token != tdls->dialog_token) {
248 wpa_printf(MSG_DEBUG, "TDLS: Dialog token "
249 "mismatch in TDLS Setup Response "
250 "(failure)");
251 break;
252 }
253 wpa_printf(MSG_DEBUG, "TDLS: Found matching TDLS "
254 "setup session based on dialog token");
255 tdls->counters[
256 WLANTEST_TDLS_COUNTER_SETUP_RESP_FAIL]++;
257 break;
258 }
259 }
260 }
261
262
263 static void rx_data_tdls_setup_response(struct wlantest *wt, const u8 *bssid,
264 const u8 *sta_addr, const u8 *dst,
265 const u8 *src,
266 const u8 *data, size_t len)
267 {
268 u16 status;
269 struct ieee802_11_elems elems;
270 struct wlantest_tdls *tdls;
271
272 if (len < 3) {
273 wpa_printf(MSG_INFO, "Too short TDLS Setup Response " MACSTR
274 " -> " MACSTR, MAC2STR(src), MAC2STR(dst));
275 return;
276 }
277 status = WPA_GET_LE16(data);
278 wpa_printf(MSG_DEBUG, "TDLS Setup Response " MACSTR " -> "
279 MACSTR " (status %d)",
280 MAC2STR(src), MAC2STR(dst), status);
281 if (len < 5 && status == 0) {
282 wpa_printf(MSG_INFO, "Too short TDLS Setup Response " MACSTR
283 " -> " MACSTR, MAC2STR(src), MAC2STR(dst));
284 return;
285 }
286
287 if (len < 5 ||
288 ieee802_11_parse_elems(data + 5, len - 5, &elems, 1) ==
289 ParseFailed || elems.link_id == NULL) {
290 /* Need to match TDLS link based on Dialog Token */
291 rx_data_tdls_setup_response_failure(wt, bssid, sta_addr,
292 data[2], status);
293 return;
294 }
295 wpa_printf(MSG_DEBUG, "TDLS Link Identifier: BSSID " MACSTR
296 " initiator STA " MACSTR " responder STA " MACSTR,
297 MAC2STR(elems.link_id), MAC2STR(elems.link_id + ETH_ALEN),
298 MAC2STR(elems.link_id + 2 * ETH_ALEN));
299
300 tdls = get_tdls(wt, elems.link_id, 1, bssid);
301 if (!tdls)
302 return;
303 if (status)
304 tdls->counters[WLANTEST_TDLS_COUNTER_SETUP_RESP_FAIL]++;
305 else
306 tdls->counters[WLANTEST_TDLS_COUNTER_SETUP_RESP_OK]++;
307
308 if (status != WLAN_STATUS_SUCCESS)
309 return;
310
311 if (tdls_derive_tpk(tdls, bssid, elems.ftie, elems.ftie_len) < 1)
312 return;
313 if (tdls_verify_mic(tdls, 2, &elems) == 0) {
314 tdls->dialog_token = data[2];
315 wpa_printf(MSG_DEBUG, "TDLS: Dialog Token for the link: %u",
316 tdls->dialog_token);
317 }
318 }
319
320
321 static void rx_data_tdls_setup_confirm_failure(struct wlantest *wt,
322 const u8 *bssid,
323 const u8 *src,
324 u8 dialog_token, u16 status)
325 {
326 struct wlantest_bss *bss;
327 struct wlantest_tdls *tdls;
328 struct wlantest_sta *sta;
329
330 if (status == WLAN_STATUS_SUCCESS) {
331 wpa_printf(MSG_INFO, "TDLS: Invalid TDLS Setup Confirm from "
332 MACSTR, MAC2STR(src));
333 return;
334 }
335
336 bss = bss_find(wt, bssid);
337 if (!bss)
338 return;
339 sta = sta_find(bss, src);
340 if (!sta)
341 return;
342
343 dl_list_for_each(tdls, &bss->tdls, struct wlantest_tdls, list) {
344 if (tdls->init == sta) {
345 if (dialog_token != tdls->dialog_token) {
346 wpa_printf(MSG_DEBUG, "TDLS: Dialog token "
347 "mismatch in TDLS Setup Confirm "
348 "(failure)");
349 break;
350 }
351 wpa_printf(MSG_DEBUG, "TDLS: Found matching TDLS "
352 "setup session based on dialog token");
353 tdls->counters[
354 WLANTEST_TDLS_COUNTER_SETUP_CONF_FAIL]++;
355 break;
356 }
357 }
358 }
359
360
361 static void rx_data_tdls_setup_confirm(struct wlantest *wt, const u8 *bssid,
362 const u8 *sta_addr, const u8 *dst,
363 const u8 *src,
364 const u8 *data, size_t len)
365 {
366 u16 status;
367 struct ieee802_11_elems elems;
368 struct wlantest_tdls *tdls;
369 u8 link_id[3 * ETH_ALEN];
370
371 if (len < 3) {
372 wpa_printf(MSG_INFO, "Too short TDLS Setup Confirm " MACSTR
373 " -> " MACSTR, MAC2STR(src), MAC2STR(dst));
374 return;
375 }
376 status = WPA_GET_LE16(data);
377 wpa_printf(MSG_DEBUG, "TDLS Setup Confirm " MACSTR " -> "
378 MACSTR " (status %d)",
379 MAC2STR(src), MAC2STR(dst), status);
380
381 if (ieee802_11_parse_elems(data + 3, len - 3, &elems, 1) ==
382 ParseFailed || elems.link_id == NULL) {
383 /* Need to match TDLS link based on Dialog Token */
384 rx_data_tdls_setup_confirm_failure(wt, bssid, src,
385 data[2], status);
386 return;
387 }
388 wpa_printf(MSG_DEBUG, "TDLS Link Identifier: BSSID " MACSTR
389 " initiator STA " MACSTR " responder STA " MACSTR,
390 MAC2STR(elems.link_id), MAC2STR(elems.link_id + ETH_ALEN),
391 MAC2STR(elems.link_id + 2 * ETH_ALEN));
392
393 tdls = get_tdls(wt, elems.link_id, 1, bssid);
394 if (tdls == NULL)
395 return;
396 if (status)
397 tdls->counters[WLANTEST_TDLS_COUNTER_SETUP_CONF_FAIL]++;
398 else
399 tdls->counters[WLANTEST_TDLS_COUNTER_SETUP_CONF_OK]++;
400
401 if (status != WLAN_STATUS_SUCCESS)
402 return;
403
404 tdls->link_up = 1;
405 if (tdls_derive_tpk(tdls, bssid, elems.ftie, elems.ftie_len) < 1) {
406 if (elems.ftie == NULL)
407 goto remove_reverse;
408 return;
409 }
410 if (tdls_verify_mic(tdls, 3, &elems) == 0) {
411 tdls->dialog_token = data[2];
412 wpa_printf(MSG_DEBUG, "TDLS: Dialog Token for the link: %u",
413 tdls->dialog_token);
414 }
415
416 remove_reverse:
417 /*
418 * The TDLS link itself is bidirectional, but there is explicit
419 * initiator/responder roles. Remove the other direction of the link
420 * (if it exists) to make sure that the link counters are stored for
421 * the current TDLS entery.
422 */
423 os_memcpy(link_id, elems.link_id, ETH_ALEN);
424 os_memcpy(link_id + ETH_ALEN, elems.link_id + 2 * ETH_ALEN, ETH_ALEN);
425 os_memcpy(link_id + 2 * ETH_ALEN, elems.link_id + ETH_ALEN, ETH_ALEN);
426 tdls = get_tdls(wt, link_id, 0, bssid);
427 if (tdls) {
428 wpa_printf(MSG_DEBUG, "TDLS: Remove reverse link entry");
429 tdls_deinit(tdls);
430 }
431 }
432
433
434 static int tdls_verify_mic_teardown(struct wlantest_tdls *tdls, u8 trans_seq,
435 const u8 *reason_code,
436 struct ieee802_11_elems *elems)
437 {
438 u8 *buf, *pos;
439 int len;
440 u8 mic[16];
441 int ret;
442 const struct rsn_ftie *rx_ftie;
443 struct rsn_ftie *tmp_ftie;
444
445 if (elems->link_id == NULL || elems->ftie == NULL)
446 return -1;
447
448 len = 2 + 18 + 2 + 1 + 1 + 2 + elems->ftie_len;
449
450 buf = os_zalloc(len);
451 if (buf == NULL)
452 return -1;
453
454 pos = buf;
455 /* 1) Link Identifier IE */
456 os_memcpy(pos, elems->link_id - 2, 2 + 18);
457 pos += 2 + 18;
458 /* 2) Reason Code */
459 os_memcpy(pos, reason_code, 2);
460 pos += 2;
461 /* 3) Dialog token */
462 *pos++ = tdls->dialog_token;
463 /* 4) Transaction Sequence number */
464 *pos++ = trans_seq;
465 /* 5) FTIE, with the MIC field of the FTIE set to 0 */
466 os_memcpy(pos, elems->ftie - 2, 2 + elems->ftie_len);
467 pos += 2;
468 tmp_ftie = (struct rsn_ftie *) pos;
469 os_memset(tmp_ftie->mic, 0, 16);
470 pos += elems->ftie_len;
471
472 wpa_hexdump(MSG_DEBUG, "TDLS: Data for FTIE MIC", buf, pos - buf);
473 wpa_hexdump_key(MSG_DEBUG, "TDLS: KCK", tdls->tpk.kck, 16);
474 ret = omac1_aes_128(tdls->tpk.kck, buf, pos - buf, mic);
475 os_free(buf);
476 if (ret)
477 return -1;
478 wpa_hexdump(MSG_DEBUG, "TDLS: FTIE MIC", mic, 16);
479 rx_ftie = (const struct rsn_ftie *) elems->ftie;
480
481 if (os_memcmp(mic, rx_ftie->mic, 16) == 0) {
482 wpa_printf(MSG_DEBUG, "TDLS: Valid MIC");
483 return 0;
484 }
485 wpa_printf(MSG_DEBUG, "TDLS: Invalid MIC");
486 return -1;
487 }
488
489
490 static void rx_data_tdls_teardown(struct wlantest *wt, const u8 *bssid,
491 const u8 *sta_addr, const u8 *dst,
492 const u8 *src,
493 const u8 *data, size_t len)
494 {
495 u16 reason;
496 struct ieee802_11_elems elems;
497 struct wlantest_tdls *tdls;
498
499 if (len < 2)
500 return;
501 reason = WPA_GET_LE16(data);
502 wpa_printf(MSG_DEBUG, "TDLS Teardown " MACSTR " -> "
503 MACSTR " (reason %d)",
504 MAC2STR(src), MAC2STR(dst), reason);
505
506 if (ieee802_11_parse_elems(data + 2, len - 2, &elems, 1) ==
507 ParseFailed || elems.link_id == NULL)
508 return;
509 wpa_printf(MSG_DEBUG, "TDLS Link Identifier: BSSID " MACSTR
510 " initiator STA " MACSTR " responder STA " MACSTR,
511 MAC2STR(elems.link_id), MAC2STR(elems.link_id + ETH_ALEN),
512 MAC2STR(elems.link_id + 2 * ETH_ALEN));
513
514 tdls = get_tdls(wt, elems.link_id, 1, bssid);
515 if (tdls) {
516 tdls->link_up = 0;
517 tdls->counters[WLANTEST_TDLS_COUNTER_TEARDOWN]++;
518 tdls_verify_mic_teardown(tdls, 4, data, &elems);
519 }
520 }
521
522
523 static void rx_data_tdls(struct wlantest *wt, const u8 *bssid,
524 const u8 *sta_addr, const u8 *dst, const u8 *src,
525 const u8 *data, size_t len)
526 {
527 /* data contains the payload of a TDLS Action frame */
528 if (len < 2 || data[0] != WLAN_ACTION_TDLS) {
529 wpa_hexdump(MSG_DEBUG, "Unrecognized encapsulated TDLS frame",
530 data, len);
531 return;
532 }
533
534 switch (data[1]) {
535 case WLAN_TDLS_SETUP_REQUEST:
536 rx_data_tdls_setup_request(wt, bssid, sta_addr, dst, src,
537 data + 2, len - 2);
538 break;
539 case WLAN_TDLS_SETUP_RESPONSE:
540 rx_data_tdls_setup_response(wt, bssid, sta_addr, dst, src,
541 data + 2, len - 2);
542 break;
543 case WLAN_TDLS_SETUP_CONFIRM:
544 rx_data_tdls_setup_confirm(wt, bssid, sta_addr, dst, src,
545 data + 2, len - 2);
546 break;
547 case WLAN_TDLS_TEARDOWN:
548 rx_data_tdls_teardown(wt, bssid, sta_addr, dst, src, data + 2,
549 len - 2);
550 break;
551 case WLAN_TDLS_DISCOVERY_REQUEST:
552 wpa_printf(MSG_DEBUG, "TDLS Discovery Request " MACSTR " -> "
553 MACSTR, MAC2STR(src), MAC2STR(dst));
554 break;
555 }
556 }
557
558
559 void rx_data_80211_encap(struct wlantest *wt, const u8 *bssid,
560 const u8 *sta_addr, const u8 *dst, const u8 *src,
561 const u8 *data, size_t len)
562 {
563 wpa_hexdump(MSG_EXCESSIVE, "802.11 data encap frame", data, len);
564 if (len < 1)
565 return;
566 if (data[0] == 0x02)
567 rx_data_tdls(wt, bssid, sta_addr, dst, src, data + 1, len - 1);
568 }
Unnamed repository; edit this file 'description' to name the repository.