1 | /* |
2 | * Received Management frame processing | |
3 | * Copyright (c) 2010, Jouni Malinen <j@w1.fi> | |
4 | * | |
5 | * This program is free software; you can redistribute it and/or modify | |
6 | * it under the terms of the GNU General Public License version 2 as | |
7 | * published by the Free Software Foundation. | |
8 | * | |
9 | * Alternatively, this software may be distributed under the terms of BSD | |
10 | * license. | |
11 | * | |
12 | * See README and COPYING for more details. | |
13 | */ | |
14 | ||
15 | #include "utils/includes.h" | |
16 | ||
17 | #include "utils/common.h" | |
18 | #include "common/ieee802_11_defs.h" | |
19 | #include "common/ieee802_11_common.h" | |
bacc3128 | 20 | #include "crypto/aes_wrap.h" |
21 | #include "wlantest.h" |
22 | ||
23 | ||
/*
 * mgmt_stype - Human-readable name of a Management frame subtype
 * @stype: Frame Control subtype value (WLAN_FC_STYPE_*)
 * Returns: Static string for the known subtypes, "??" for anything else
 */
static const char * mgmt_stype(u16 stype)
{
	static const struct {
		u16 stype;
		const char *name;
	} names[] = {
		{ WLAN_FC_STYPE_ASSOC_REQ, "ASSOC-REQ" },
		{ WLAN_FC_STYPE_ASSOC_RESP, "ASSOC-RESP" },
		{ WLAN_FC_STYPE_REASSOC_REQ, "REASSOC-REQ" },
		{ WLAN_FC_STYPE_REASSOC_RESP, "REASSOC-RESP" },
		{ WLAN_FC_STYPE_PROBE_REQ, "PROBE-REQ" },
		{ WLAN_FC_STYPE_PROBE_RESP, "PROBE-RESP" },
		{ WLAN_FC_STYPE_BEACON, "BEACON" },
		{ WLAN_FC_STYPE_ATIM, "ATIM" },
		{ WLAN_FC_STYPE_DISASSOC, "DISASSOC" },
		{ WLAN_FC_STYPE_AUTH, "AUTH" },
		{ WLAN_FC_STYPE_DEAUTH, "DEAUTH" },
		{ WLAN_FC_STYPE_ACTION, "ACTION" },
	};
	size_t i;

	for (i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
		if (names[i].stype == stype)
			return names[i].name;
	}

	return "??";
}
54 | ||
55 | ||
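/*
 * rx_mgmt_beacon - Learn BSS parameters from a Beacon frame
 * @wt: wlantest context
 * @data: Full Management frame starting from the 802.11 header
 * @len: Length of the frame in octets (the caller guarantees len >= 24)
 *
 * Beacon data is only used until a Probe Response has been seen for the
 * BSS, since that frame carries the more complete description.
 */
static void rx_mgmt_beacon(struct wlantest *wt, const u8 *data, size_t len)
{
	const struct ieee80211_mgmt *mgmt;
	struct wlantest_bss *bss;
	struct ieee802_11_elems elems;
	size_t ie_offset;

	mgmt = (const struct ieee80211_mgmt *) data;
	bss = bss_get(wt, mgmt->bssid);
	if (bss == NULL)
		return;
	if (bss->proberesp_seen)
		return; /* do not override with Beacon data */

	/*
	 * Only the 24-octet header is validated by the caller. The fixed
	 * Beacon fields (Timestamp, Beacon Interval, Capability) must be
	 * present before capab_info is read and before the IE length is
	 * derived; otherwise len - ie_offset would wrap to a huge value and
	 * the IE parser would read past the end of the frame.
	 */
	ie_offset = mgmt->u.beacon.variable - data;
	if (len < ie_offset) {
		wpa_printf(MSG_INFO, "Too short Beacon frame from " MACSTR,
			   MAC2STR(mgmt->sa));
		return;
	}

	bss->capab_info = le_to_host16(mgmt->u.beacon.capab_info);
	if (ieee802_11_parse_elems(mgmt->u.beacon.variable, len - ie_offset,
				   &elems, 0) == ParseFailed) {
		/* Report a malformed IE area once per BSS to avoid log spam */
		if (bss->parse_error_reported)
			return;
		wpa_printf(MSG_INFO, "Invalid IEs in a Beacon frame from "
			   MACSTR, MAC2STR(mgmt->sa));
		bss->parse_error_reported = 1;
		return;
	}

	bss_update(wt, bss, &elems);
}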
82 | ||
83 | ||
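/*
 * rx_mgmt_probe_resp - Learn BSS parameters from a Probe Response frame
 * @wt: wlantest context
 * @data: Full Management frame starting from the 802.11 header
 * @len: Length of the frame in octets (the caller guarantees len >= 24)
 */
static void rx_mgmt_probe_resp(struct wlantest *wt, const u8 *data, size_t len)
{
	const struct ieee80211_mgmt *mgmt;
	struct wlantest_bss *bss;
	struct ieee802_11_elems elems;
	size_t ie_offset;

	mgmt = (const struct ieee80211_mgmt *) data;
	bss = bss_get(wt, mgmt->bssid);
	if (bss == NULL)
		return;

	/*
	 * The fixed Probe Response fields (Timestamp, Beacon Interval,
	 * Capability) are not covered by the caller's header-only length
	 * check; without this guard len - ie_offset would wrap and the IE
	 * parser would read beyond the frame.
	 */
	ie_offset = mgmt->u.probe_resp.variable - data;
	if (len < ie_offset) {
		wpa_printf(MSG_INFO, "Too short Probe Response frame from "
			   MACSTR, MAC2STR(mgmt->sa));
		return;
	}

	bss->capab_info = le_to_host16(mgmt->u.probe_resp.capab_info);
	if (ieee802_11_parse_elems(mgmt->u.probe_resp.variable,
				   len - ie_offset,
				   &elems, 0) == ParseFailed) {
		/* Report a malformed IE area once per BSS to avoid log spam */
		if (bss->parse_error_reported)
			return;
		wpa_printf(MSG_INFO, "Invalid IEs in a Probe Response frame "
			   "from " MACSTR, MAC2STR(mgmt->sa));
		bss->parse_error_reported = 1;
		return;
	}

	bss_update(wt, bss, &elems);
}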
109 | ||
110 | ||
/*
 * rx_mgmt_auth - Track Authentication frames between a STA and its AP
 * @wt: wlantest context
 * @data: Full Management frame starting from the 802.11 header
 * @len: Length of the frame in octets (the caller guarantees len >= 24)
 *
 * A successful Open System response (alg=0, trans=2, status=0) moves a STA
 * from State 1 to State 2. Frames for an unknown BSS or STA are ignored.
 */
static void rx_mgmt_auth(struct wlantest *wt, const u8 *data, size_t len)
{
	const struct ieee80211_mgmt *mgmt =
		(const struct ieee80211_mgmt *) data;
	struct wlantest_bss *bss;
	struct wlantest_sta *sta;
	int from_ap;
	u16 alg, trans, status;

	bss = bss_get(wt, mgmt->bssid);
	if (!bss)
		return;

	/* The tracked STA is the peer: DA when the AP sent it, SA otherwise */
	from_ap = os_memcmp(mgmt->sa, mgmt->bssid, ETH_ALEN) == 0;
	sta = sta_get(bss, from_ap ? mgmt->da : mgmt->sa);
	if (!sta)
		return;

	/* Fixed fields: Algorithm, Transaction, Status Code (2 octets each) */
	if (len < 24 + 6) {
		wpa_printf(MSG_INFO, "Too short Authentication frame from "
			   MACSTR, MAC2STR(mgmt->sa));
		return;
	}

	alg = le_to_host16(mgmt->u.auth.auth_alg);
	trans = le_to_host16(mgmt->u.auth.auth_transaction);
	status = le_to_host16(mgmt->u.auth.status_code);

	wpa_printf(MSG_DEBUG, "AUTH " MACSTR " -> " MACSTR
		   " (alg=%u trans=%u status=%u)",
		   MAC2STR(mgmt->sa), MAC2STR(mgmt->da), alg, trans, status);

	/* Successful Open System sequence 2 completes authentication */
	if (alg == 0 && trans == 2 && status == 0 && sta->state == STATE1) {
		wpa_printf(MSG_DEBUG, "STA " MACSTR
			   " moved to State 2 with " MACSTR,
			   MAC2STR(sta->addr), MAC2STR(bss->bssid));
		sta->state = STATE2;
	}

	sta->counters[from_ap ? WLANTEST_STA_COUNTER_AUTH_RX :
		      WLANTEST_STA_COUNTER_AUTH_TX]++;
}
157 | ||
158 | ||
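/*
 * rx_mgmt_deauth - Track Deauthentication frames
 * @wt: wlantest context
 * @data: Full Management frame starting from the 802.11 header
 * @len: Length of the frame in octets (the caller guarantees len >= 24)
 * @valid: 1 if the frame was protected correctly (or protection was not
 *	required), 0 if BIP/CCMP validation failed
 *
 * Only a validly protected frame is allowed to move the STA back to State 1;
 * an invalid one is counted separately and leaves the state untouched.
 */
static void rx_mgmt_deauth(struct wlantest *wt, const u8 *data, size_t len,
			   int valid)
{
	const struct ieee80211_mgmt *mgmt;
	struct wlantest_bss *bss;
	struct wlantest_sta *sta;
	int from_ap;

	mgmt = (const struct ieee80211_mgmt *) data;
	bss = bss_get(wt, mgmt->bssid);
	if (bss == NULL)
		return;
	/* The tracked STA is the peer: DA when the AP sent it, SA otherwise */
	from_ap = os_memcmp(mgmt->sa, mgmt->bssid, ETH_ALEN) == 0;
	sta = sta_get(bss, from_ap ? mgmt->da : mgmt->sa);
	if (sta == NULL)
		return;

	/* Fixed field: Reason Code (2 octets) */
	if (len < 24 + 2) {
		wpa_printf(MSG_INFO, "Too short Deauthentication frame from "
			   MACSTR, MAC2STR(mgmt->sa));
		return;
	}

	wpa_printf(MSG_DEBUG, "DEAUTH " MACSTR " -> " MACSTR
		   " (reason=%u)",
		   MAC2STR(mgmt->sa), MAC2STR(mgmt->da),
		   le_to_host16(mgmt->u.deauth.reason_code));
	wpa_hexdump(MSG_MSGDUMP, "DEAUTH payload", data + 24, len - 24);

	if (from_ap)
		sta->counters[valid ? WLANTEST_STA_COUNTER_VALID_DEAUTH_RX :
			      WLANTEST_STA_COUNTER_INVALID_DEAUTH_RX]++;
	else
		sta->counters[valid ? WLANTEST_STA_COUNTER_VALID_DEAUTH_TX :
			      WLANTEST_STA_COUNTER_INVALID_DEAUTH_TX]++;

	/*
	 * The log message previously named the wrong frame type
	 * ("Disassociation") in this Deauthentication handler.
	 */
	if (!valid) {
		wpa_printf(MSG_INFO, "Do not change STA " MACSTR " State "
			   "since Deauthentication frame was not protected "
			   "correctly", MAC2STR(sta->addr));
		return;
	}

	if (sta->state != STATE1) {
		wpa_printf(MSG_DEBUG, "STA " MACSTR
			   " moved to State 1 with " MACSTR,
			   MAC2STR(sta->addr), MAC2STR(bss->bssid));
		sta->state = STATE1;
	}
}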
210 | ||
211 | ||
/*
 * rx_mgmt_assoc_req - Track Association Request frames from a STA
 * @wt: wlantest context
 * @data: Full Management frame starting from the 802.11 header
 * @len: Length of the frame in octets (the caller guarantees len >= 24)
 *
 * The STA's security parameters are refreshed from the request IEs via
 * sta_update_assoc(); the state machine itself only moves on the response.
 */
static void rx_mgmt_assoc_req(struct wlantest *wt, const u8 *data, size_t len)
{
	const struct ieee80211_mgmt *mgmt =
		(const struct ieee80211_mgmt *) data;
	struct wlantest_bss *bss;
	struct wlantest_sta *sta;
	struct ieee802_11_elems elems;
	size_t ie_len;

	bss = bss_get(wt, mgmt->bssid);
	if (!bss)
		return;
	sta = sta_get(bss, mgmt->sa);
	if (!sta)
		return;

	/* Fixed fields: Capability and Listen Interval (2 octets each) */
	if (len < 24 + 4) {
		wpa_printf(MSG_INFO, "Too short Association Request frame "
			   "from " MACSTR, MAC2STR(mgmt->sa));
		return;
	}

	wpa_printf(MSG_DEBUG, "ASSOCREQ " MACSTR " -> " MACSTR
		   " (capab=0x%x listen_int=%u)",
		   MAC2STR(mgmt->sa), MAC2STR(mgmt->da),
		   le_to_host16(mgmt->u.assoc_req.capab_info),
		   le_to_host16(mgmt->u.assoc_req.listen_interval));

	sta->counters[WLANTEST_STA_COUNTER_ASSOCREQ_TX]++;

	ie_len = len - (mgmt->u.assoc_req.variable - data);
	if (ieee802_11_parse_elems(mgmt->u.assoc_req.variable, ie_len,
				   &elems, 0) == ParseFailed) {
		wpa_printf(MSG_INFO, "Invalid IEs in Association Request "
			   "frame from " MACSTR, MAC2STR(mgmt->sa));
		return;
	}

	sta_update_assoc(sta, &elems);
}
251 | ||
252 | ||
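/*
 * rx_mgmt_assoc_resp - Track Association Response frames from the AP
 * @wt: wlantest context
 * @data: Full Management frame starting from the 802.11 header
 * @len: Length of the frame in octets (the caller guarantees len >= 24)
 *
 * A successful response (status 0) moves the STA to State 3 and records
 * its AID. The AID field carries the 14-bit AID in its low bits; the two
 * MSBs are required to be set to 1 and are only checked, not stored.
 */
static void rx_mgmt_assoc_resp(struct wlantest *wt, const u8 *data, size_t len)
{
	const struct ieee80211_mgmt *mgmt;
	struct wlantest_bss *bss;
	struct wlantest_sta *sta;
	u16 capab, status, aid;

	mgmt = (const struct ieee80211_mgmt *) data;
	bss = bss_get(wt, mgmt->bssid);
	if (bss == NULL)
		return;
	sta = sta_get(bss, mgmt->da);
	if (sta == NULL)
		return;

	/* Fixed fields: Capability, Status Code, AID (2 octets each) */
	if (len < 24 + 6) {
		wpa_printf(MSG_INFO, "Too short Association Response frame "
			   "from " MACSTR, MAC2STR(mgmt->sa));
		return;
	}

	capab = le_to_host16(mgmt->u.assoc_resp.capab_info);
	status = le_to_host16(mgmt->u.assoc_resp.status_code);
	aid = le_to_host16(mgmt->u.assoc_resp.aid);

	wpa_printf(MSG_DEBUG, "ASSOCRESP " MACSTR " -> " MACSTR
		   " (capab=0x%x status=%u aid=%u)",
		   MAC2STR(mgmt->sa), MAC2STR(mgmt->da), capab, status,
		   aid & 0x3fff);

	if (status)
		return;

	if ((aid & 0xc000) != 0xc000) {
		wpa_printf(MSG_DEBUG, "Two MSBs of the AID were not set to 1 "
			   "in Association Response from " MACSTR,
			   MAC2STR(mgmt->sa));
	}
	/* Store the AID value itself, not the two reserved MSBs */
	sta->aid = aid & 0x3fff;

	if (sta->state < STATE2) {
		wpa_printf(MSG_DEBUG, "STA " MACSTR " was not in State 2 when "
			   "getting associated", MAC2STR(sta->addr));
	}

	if (sta->state < STATE3) {
		wpa_printf(MSG_DEBUG, "STA " MACSTR
			   " moved to State 3 with " MACSTR,
			   MAC2STR(sta->addr), MAC2STR(bss->bssid));
		sta->state = STATE3;
	}
}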
305 | ||
306 | ||
/*
 * rx_mgmt_reassoc_req - Track Reassociation Request frames from a STA
 * @wt: wlantest context
 * @data: Full Management frame starting from the 802.11 header
 * @len: Length of the frame in octets (the caller guarantees len >= 24)
 *
 * Like rx_mgmt_assoc_req(), but the fixed part also carries the Current AP
 * address, so the minimum length is larger.
 */
static void rx_mgmt_reassoc_req(struct wlantest *wt, const u8 *data,
				size_t len)
{
	const struct ieee80211_mgmt *mgmt =
		(const struct ieee80211_mgmt *) data;
	struct wlantest_bss *bss;
	struct wlantest_sta *sta;
	struct ieee802_11_elems elems;
	size_t ie_len;

	bss = bss_get(wt, mgmt->bssid);
	if (!bss)
		return;
	sta = sta_get(bss, mgmt->sa);
	if (!sta)
		return;

	/* Fixed fields: Capability, Listen Interval, Current AP address */
	if (len < 24 + 4 + ETH_ALEN) {
		wpa_printf(MSG_INFO, "Too short Reassociation Request frame "
			   "from " MACSTR, MAC2STR(mgmt->sa));
		return;
	}

	wpa_printf(MSG_DEBUG, "REASSOCREQ " MACSTR " -> " MACSTR
		   " (capab=0x%x listen_int=%u current_ap=" MACSTR ")",
		   MAC2STR(mgmt->sa), MAC2STR(mgmt->da),
		   le_to_host16(mgmt->u.reassoc_req.capab_info),
		   le_to_host16(mgmt->u.reassoc_req.listen_interval),
		   MAC2STR(mgmt->u.reassoc_req.current_ap));

	sta->counters[WLANTEST_STA_COUNTER_REASSOCREQ_TX]++;

	ie_len = len - (mgmt->u.reassoc_req.variable - data);
	if (ieee802_11_parse_elems(mgmt->u.reassoc_req.variable, ie_len,
				   &elems, 0) == ParseFailed) {
		wpa_printf(MSG_INFO, "Invalid IEs in Reassociation Request "
			   "frame from " MACSTR, MAC2STR(mgmt->sa));
		return;
	}

	sta_update_assoc(sta, &elems);
}
348 | ||
349 | ||
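/*
 * rx_mgmt_reassoc_resp - Track Reassociation Response frames from the AP
 * @wt: wlantest context
 * @data: Full Management frame starting from the 802.11 header
 * @len: Length of the frame in octets (the caller guarantees len >= 24)
 *
 * A successful response (status 0) moves the STA to State 3 and records
 * its AID. The AID field carries the 14-bit AID in its low bits; the two
 * MSBs are required to be set to 1 and are only checked, not stored.
 */
static void rx_mgmt_reassoc_resp(struct wlantest *wt, const u8 *data,
				 size_t len)
{
	const struct ieee80211_mgmt *mgmt;
	struct wlantest_bss *bss;
	struct wlantest_sta *sta;
	u16 capab, status, aid;

	mgmt = (const struct ieee80211_mgmt *) data;
	bss = bss_get(wt, mgmt->bssid);
	if (bss == NULL)
		return;
	sta = sta_get(bss, mgmt->da);
	if (sta == NULL)
		return;

	/* Fixed fields: Capability, Status Code, AID (2 octets each) */
	if (len < 24 + 6) {
		wpa_printf(MSG_INFO, "Too short Reassociation Response frame "
			   "from " MACSTR, MAC2STR(mgmt->sa));
		return;
	}

	capab = le_to_host16(mgmt->u.reassoc_resp.capab_info);
	status = le_to_host16(mgmt->u.reassoc_resp.status_code);
	aid = le_to_host16(mgmt->u.reassoc_resp.aid);

	wpa_printf(MSG_DEBUG, "REASSOCRESP " MACSTR " -> " MACSTR
		   " (capab=0x%x status=%u aid=%u)",
		   MAC2STR(mgmt->sa), MAC2STR(mgmt->da), capab, status,
		   aid & 0x3fff);

	if (status)
		return;

	if ((aid & 0xc000) != 0xc000) {
		wpa_printf(MSG_DEBUG, "Two MSBs of the AID were not set to 1 "
			   "in Reassociation Response from " MACSTR,
			   MAC2STR(mgmt->sa));
	}
	/* Store the AID value itself, not the two reserved MSBs */
	sta->aid = aid & 0x3fff;

	if (sta->state < STATE2) {
		wpa_printf(MSG_DEBUG, "STA " MACSTR " was not in State 2 when "
			   "getting associated", MAC2STR(sta->addr));
	}

	if (sta->state < STATE3) {
		wpa_printf(MSG_DEBUG, "STA " MACSTR
			   " moved to State 3 with " MACSTR,
			   MAC2STR(sta->addr), MAC2STR(bss->bssid));
		sta->state = STATE3;
	}
}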
403 | ||
404 | ||
/*
 * rx_mgmt_disassoc - Track Disassociation frames
 * @wt: wlantest context
 * @data: Full Management frame starting from the 802.11 header
 * @len: Length of the frame in octets (the caller guarantees len >= 24)
 * @valid: 1 if the frame was protected correctly (or protection was not
 *	required), 0 if BIP/CCMP validation failed
 *
 * Only a validly protected frame may move the STA from State 3 back to
 * State 2; an invalid one is counted and otherwise ignored.
 */
static void rx_mgmt_disassoc(struct wlantest *wt, const u8 *data, size_t len,
			     int valid)
{
	const struct ieee80211_mgmt *mgmt =
		(const struct ieee80211_mgmt *) data;
	struct wlantest_bss *bss;
	struct wlantest_sta *sta;
	int from_ap;

	bss = bss_get(wt, mgmt->bssid);
	if (!bss)
		return;
	/* The tracked STA is the peer: DA when the AP sent it, SA otherwise */
	from_ap = os_memcmp(mgmt->sa, mgmt->bssid, ETH_ALEN) == 0;
	sta = sta_get(bss, from_ap ? mgmt->da : mgmt->sa);
	if (!sta)
		return;

	/* Fixed field: Reason Code (2 octets) */
	if (len < 24 + 2) {
		wpa_printf(MSG_INFO, "Too short Disassociation frame from "
			   MACSTR, MAC2STR(mgmt->sa));
		return;
	}

	wpa_printf(MSG_DEBUG, "DISASSOC " MACSTR " -> " MACSTR
		   " (reason=%u)",
		   MAC2STR(mgmt->sa), MAC2STR(mgmt->da),
		   le_to_host16(mgmt->u.disassoc.reason_code));
	wpa_hexdump(MSG_MSGDUMP, "DISASSOC payload", data + 24, len - 24);

	if (from_ap) {
		sta->counters[valid ?
			      WLANTEST_STA_COUNTER_VALID_DISASSOC_RX :
			      WLANTEST_STA_COUNTER_INVALID_DISASSOC_RX]++;
	} else {
		sta->counters[valid ?
			      WLANTEST_STA_COUNTER_VALID_DISASSOC_TX :
			      WLANTEST_STA_COUNTER_INVALID_DISASSOC_TX]++;
	}

	if (!valid) {
		wpa_printf(MSG_INFO, "Do not change STA " MACSTR " State "
			   "since Disassociation frame was not protected "
			   "correctly", MAC2STR(sta->addr));
		return;
	}

	if (sta->state < STATE2) {
		wpa_printf(MSG_DEBUG, "STA " MACSTR " was not in State 2 or 3 "
			   "when getting disassociated", MAC2STR(sta->addr));
	}

	if (sta->state > STATE2) {
		wpa_printf(MSG_DEBUG, "STA " MACSTR
			   " moved to State 2 with " MACSTR,
			   MAC2STR(sta->addr), MAC2STR(bss->bssid));
		sta->state = STATE2;
	}
}
461 | ||
462 | ||
/*
 * rx_mgmt_action_sa_query_req - Record an SA Query Request transaction
 * @wt: wlantest context (unused here)
 * @sta: STA entry the exchange belongs to
 * @mgmt: Action frame; the caller has verified the SA Query length
 * @len: Frame length (unused here)
 * @valid: 1 if the frame was protected correctly, 0 otherwise
 *
 * The 2-octet Transaction Identifier is stored per direction so that the
 * matching SA Query Response can be checked against it.
 */
static void rx_mgmt_action_sa_query_req(struct wlantest *wt,
					struct wlantest_sta *sta,
					const struct ieee80211_mgmt *mgmt,
					size_t len, int valid)
{
	const u8 *rx_id =
		(const u8 *) mgmt->u.action.u.sa_query_req.trans_id;
	int from_ap = os_memcmp(mgmt->sa, mgmt->bssid, ETH_ALEN) == 0;
	int from_sta = os_memcmp(mgmt->sa, sta->addr, ETH_ALEN) == 0;
	/* Keep AP- and STA-originated transaction IDs in separate slots */
	u8 *stored_id = from_ap ? sta->ap_sa_query_tr : sta->sta_sa_query_tr;

	wpa_printf(MSG_INFO, "SA Query Request " MACSTR " -> " MACSTR
		   " (trans_id=%02x%02x)%s",
		   MAC2STR(mgmt->sa), MAC2STR(mgmt->da), rx_id[0], rx_id[1],
		   valid ? "" : " (invalid protection)");
	os_memcpy(stored_id, mgmt->u.action.u.sa_query_req.trans_id, 2);

	if (from_sta) {
		sta->counters[valid ?
			      WLANTEST_STA_COUNTER_VALID_SAQUERYREQ_TX :
			      WLANTEST_STA_COUNTER_INVALID_SAQUERYREQ_TX]++;
	} else {
		sta->counters[valid ?
			      WLANTEST_STA_COUNTER_VALID_SAQUERYREQ_RX :
			      WLANTEST_STA_COUNTER_INVALID_SAQUERYREQ_RX]++;
	}
}
490 | ||
491 | ||
/*
 * rx_mgmt_action_sa_query_resp - Check an SA Query Response transaction
 * @wt: wlantest context (unused here)
 * @sta: STA entry the exchange belongs to
 * @mgmt: Action frame; the caller has verified the SA Query length
 * @len: Frame length (unused here)
 * @valid: 1 if the frame was protected correctly, 0 otherwise
 *
 * The Transaction Identifier is compared against the one stored from the
 * request sent in the opposite direction; a response only counts as valid
 * when both the protection and the identifier match.
 */
static void rx_mgmt_action_sa_query_resp(struct wlantest *wt,
					 struct wlantest_sta *sta,
					 const struct ieee80211_mgmt *mgmt,
					 size_t len, int valid)
{
	const u8 *rx_id =
		(const u8 *) mgmt->u.action.u.sa_query_resp.trans_id;
	int from_ap = os_memcmp(mgmt->sa, mgmt->bssid, ETH_ALEN) == 0;
	int from_sta = os_memcmp(mgmt->sa, sta->addr, ETH_ALEN) == 0;
	/* A response from the AP answers the STA's request and vice versa */
	const u8 *expected_id =
		from_ap ? sta->sta_sa_query_tr : sta->ap_sa_query_tr;
	int match = os_memcmp(rx_id, expected_id, 2) == 0;
	int ok = valid && match;

	wpa_printf(MSG_INFO, "SA Query Response " MACSTR " -> " MACSTR
		   " (trans_id=%02x%02x; %s)%s",
		   MAC2STR(mgmt->sa), MAC2STR(mgmt->da), rx_id[0], rx_id[1],
		   match ? "match" : "mismatch",
		   valid ? "" : " (invalid protection)");

	if (from_sta) {
		sta->counters[ok ?
			      WLANTEST_STA_COUNTER_VALID_SAQUERYRESP_TX :
			      WLANTEST_STA_COUNTER_INVALID_SAQUERYRESP_TX]++;
	} else {
		sta->counters[ok ?
			      WLANTEST_STA_COUNTER_VALID_SAQUERYRESP_RX :
			      WLANTEST_STA_COUNTER_INVALID_SAQUERYRESP_RX]++;
	}
}
521 | ||
522 | ||
/*
 * rx_mgmt_action_sa_query - Validate and dispatch an SA Query Action frame
 * @wt: wlantest context
 * @sta: STA entry the frame belongs to
 * @mgmt: Action frame (the caller has verified len >= 24 + 1)
 * @len: Length of the frame in octets
 * @valid: 1 if the frame was protected correctly, 0 otherwise
 *
 * An SA Query frame has a fixed body: Category, Action, Transaction ID.
 * Shorter frames are dropped; trailing octets are logged but tolerated.
 */
static void rx_mgmt_action_sa_query(struct wlantest *wt,
				    struct wlantest_sta *sta,
				    const struct ieee80211_mgmt *mgmt,
				    size_t len, int valid)
{
	const size_t expected_len = 24 + 2 + WLAN_SA_QUERY_TR_ID_LEN;
	u8 action;

	if (len < expected_len) {
		wpa_printf(MSG_INFO, "Too short SA Query frame from " MACSTR,
			   MAC2STR(mgmt->sa));
		return;
	}

	if (len > expected_len) {
		size_t extra = len - expected_len;

		wpa_printf(MSG_INFO, "Unexpected %u octets of extra data at "
			   "the end of SA Query frame from " MACSTR,
			   (unsigned) extra, MAC2STR(mgmt->sa));
		wpa_hexdump(MSG_INFO, "SA Query extra data",
			    ((const u8 *) mgmt) + expected_len, extra);
	}

	action = mgmt->u.action.u.sa_query_req.action;
	if (action == WLAN_SA_QUERY_REQUEST) {
		rx_mgmt_action_sa_query_req(wt, sta, mgmt, len, valid);
	} else if (action == WLAN_SA_QUERY_RESPONSE) {
		rx_mgmt_action_sa_query_resp(wt, sta, mgmt, len, valid);
	} else {
		wpa_printf(MSG_INFO, "Unexpected SA Query action value %u "
			   "from " MACSTR,
			   mgmt->u.action.u.sa_query_req.action,
			   MAC2STR(mgmt->sa));
	}
}
557 | ||
558 | ||
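/*
 * rx_mgmt_action - Track Action frames and dispatch the handled categories
 * @wt: wlantest context
 * @data: Full Management frame starting from the 802.11 header
 * @len: Length of the frame in octets (the caller guarantees len >= 24)
 * @valid: 1 if the frame was protected correctly (or protection was not
 *	required), 0 if BIP/CCMP validation failed
 *
 * Group addressed Action frames are only logged. For individually addressed
 * frames, a non-Public category sent before State 3 is reported, and
 * SA Query frames are handed to rx_mgmt_action_sa_query().
 */
static void rx_mgmt_action(struct wlantest *wt, const u8 *data, size_t len,
			   int valid)
{
	const struct ieee80211_mgmt *mgmt;
	struct wlantest_bss *bss;
	struct wlantest_sta *sta;

	mgmt = (const struct ieee80211_mgmt *) data;

	/*
	 * The Category octet at data[24] is read for both group and
	 * individually addressed frames below, so the length check must
	 * come before either use: the caller only guarantees the 24-octet
	 * header, and a header-only frame would otherwise be read past its
	 * end when logging the group addressed case.
	 */
	if (len < 24 + 1) {
		wpa_printf(MSG_INFO, "Too short Action frame from "
			   MACSTR, MAC2STR(mgmt->sa));
		return;
	}

	if (mgmt->da[0] & 0x01) {
		wpa_printf(MSG_DEBUG, "Group addressed Action frame: DA="
			   MACSTR " SA=" MACSTR " BSSID=" MACSTR
			   " category=%u",
			   MAC2STR(mgmt->da), MAC2STR(mgmt->sa),
			   MAC2STR(mgmt->bssid), mgmt->u.action.category);
		return; /* Ignore group addressed Action frames for now */
	}
	bss = bss_get(wt, mgmt->bssid);
	if (bss == NULL)
		return;
	/* The tracked STA is the peer: DA when the AP sent it, SA otherwise */
	if (os_memcmp(mgmt->sa, mgmt->bssid, ETH_ALEN) == 0)
		sta = sta_get(bss, mgmt->da);
	else
		sta = sta_get(bss, mgmt->sa);
	if (sta == NULL)
		return;

	wpa_printf(MSG_DEBUG, "ACTION " MACSTR " -> " MACSTR
		   " (category=%u) (valid=%d)",
		   MAC2STR(mgmt->sa), MAC2STR(mgmt->da),
		   mgmt->u.action.category, valid);
	wpa_hexdump(MSG_MSGDUMP, "ACTION payload", data + 24, len - 24);

	/* Public Action frames may be exchanged before association */
	if (mgmt->u.action.category != WLAN_ACTION_PUBLIC &&
	    sta->state < STATE3) {
		wpa_printf(MSG_INFO, "Action frame sent when STA is not in "
			   "State 3 (SA=" MACSTR " DATA=" MACSTR ")",
			   MAC2STR(mgmt->sa), MAC2STR(mgmt->da));
	}

	switch (mgmt->u.action.category) {
	case WLAN_ACTION_SA_QUERY:
		rx_mgmt_action_sa_query(wt, sta, mgmt, len, valid);
		break;
	default:
		/* Other categories are only logged above */
		break;
	}
}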
610 | ||
611 | ||
/*
 * check_mmie_mic - Verify the BIP (AES-128-CMAC) MIC of a group frame
 * @igtk: IGTK to use for the MIC calculation
 * @data: Full Management frame including the trailing MMIE
 * @len: Length of the frame in octets; the caller guarantees at least
 *	24 + 18 octets and that the MMIE is the last element
 * Returns: 0 if the MIC matches, -1 on allocation/CMAC failure or mismatch
 *
 * The MIC input is AAD || Frame Body, where AAD is the masked Frame Control
 * field followed by A1, A2 and A3, and the MIC field of the MMIE is zeroed.
 */
static int check_mmie_mic(const u8 *igtk, const u8 *data, size_t len)
{
	const struct ieee80211_hdr *hdr = (const struct ieee80211_hdr *) data;
	const size_t aad_len = 2 + 3 * ETH_ALEN;	/* FC + A1 + A2 + A3 */
	const size_t body_len = len - 24;		/* body incl. MMIE */
	const size_t mic_len = 8;
	u8 *buf;
	u8 mic[16];
	u16 fc;
	int res = -1;

	buf = os_malloc(aad_len + body_len);
	if (buf == NULL)
		return -1;

	/* BIP AAD: FC(masked) A1 A2 A3 */
	fc = le_to_host16(hdr->frame_control);
	fc &= ~(WLAN_FC_RETRY | WLAN_FC_PWRMGT | WLAN_FC_MOREDATA);
	WPA_PUT_LE16(buf, fc);
	os_memcpy(buf + 2, hdr->addr1, 3 * ETH_ALEN);

	/* Frame body with MMIE MIC masked to zero */
	os_memcpy(buf + aad_len, data + 24, body_len - mic_len);
	os_memset(buf + aad_len + body_len - mic_len, 0, mic_len);

	wpa_hexdump(MSG_MSGDUMP, "BIP: AAD|Body(masked)", buf,
		    aad_len + body_len);
	/* MIC = L(AES-128-CMAC(AAD || Frame Body(masked)), 0, 64) */
	if (omac1_aes_128(igtk, buf, aad_len + body_len, mic) >= 0 &&
	    os_memcmp(data + len - mic_len, mic, mic_len) == 0)
		res = 0;

	os_free(buf);

	return res;
}
648 | ||
649 | ||
/*
 * check_bip - Validate BIP protection of a group addressed robust frame
 * @wt: wlantest context
 * @data: Full Management frame starting from the 802.11 header
 * @len: Length of the frame in octets (the caller guarantees len >= 24)
 * Returns: -1 if the frame should have been protected but was not, or if
 *	its MMIE MIC is invalid; 0 otherwise (including "cannot verify")
 *
 * A missing MMIE is only an error when the BSS advertises MFPC. When the
 * IGTK for the MMIE KeyID is known, the IPN is checked for replay and the
 * MIC is verified; a valid frame updates the stored IPN.
 */
static int check_bip(struct wlantest *wt, const u8 *data, size_t len)
{
	const struct ieee80211_mgmt *mgmt =
		(const struct ieee80211_mgmt *) data;
	struct wlantest_bss *bss;
	const u8 *mmie;
	u16 fc, keyid;

	fc = le_to_host16(mgmt->frame_control);
	if (WLAN_FC_GET_STYPE(fc) == WLAN_FC_STYPE_ACTION) {
		if (len < 24 + 1)
			return 0;
		if (mgmt->u.action.category == WLAN_ACTION_PUBLIC)
			return 0; /* Not a robust management frame */
	}

	bss = bss_get(wt, mgmt->bssid);
	if (!bss)
		return 0; /* No key known yet */

	/* MMIE is the last element: EID, Length(16), KeyID(2), IPN(6), MIC(8) */
	if (len < 24 + 18 || data[len - 18] != WLAN_EID_MMIE ||
	    data[len - 17] != 16) {
		/* No MMIE */
		if (!(bss->rsn_capab & WPA_CAPABILITY_MFPC))
			return 0;
		wpa_printf(MSG_INFO, "Robust group-addressed "
			   "management frame sent without BIP by "
			   MACSTR, MAC2STR(mgmt->sa));
		bss->counters[WLANTEST_BSS_COUNTER_MISSING_BIP_MMIE]++;
		return -1;
	}

	mmie = data + len - 16;
	keyid = WPA_GET_LE16(mmie);
	/* Only the low 12 bits carry the KeyID; the rest are reserved */
	if (keyid & 0xf000) {
		wpa_printf(MSG_INFO, "MMIE KeyID reserved bits not zero "
			   "(%04x) from " MACSTR, keyid, MAC2STR(mgmt->sa));
		keyid &= 0x0fff;
	}
	/* IGTK KeyIDs are 4 and 5; this also bounds the igtk/ipn indexing */
	if (keyid != 4 && keyid != 5) {
		wpa_printf(MSG_INFO, "Unexpected MMIE KeyID %u from " MACSTR,
			   keyid, MAC2STR(mgmt->sa));
		bss->counters[WLANTEST_BSS_COUNTER_INVALID_BIP_MMIE]++;
		return 0;
	}
	wpa_printf(MSG_DEBUG, "MMIE KeyID %u", keyid);
	wpa_hexdump(MSG_MSGDUMP, "MMIE IPN", mmie + 2, 6);
	wpa_hexdump(MSG_MSGDUMP, "MMIE MIC", mmie + 8, 8);

	if (!bss->igtk_set[keyid]) {
		wpa_printf(MSG_DEBUG, "No IGTK known to validate BIP frame");
		return 0;
	}

	/* Replay is reported but does not by itself invalidate the frame */
	if (os_memcmp(mmie + 2, bss->ipn[keyid], 6) <= 0) {
		wpa_printf(MSG_INFO, "BIP replay detected: SA=" MACSTR,
			   MAC2STR(mgmt->sa));
		wpa_hexdump(MSG_INFO, "RX IPN", mmie + 2, 6);
		wpa_hexdump(MSG_INFO, "Last RX IPN", bss->ipn[keyid], 6);
	}

	if (check_mmie_mic(bss->igtk[keyid], data, len) < 0) {
		wpa_printf(MSG_INFO, "Invalid MMIE MIC in a frame from "
			   MACSTR, MAC2STR(mgmt->sa));
		bss->counters[WLANTEST_BSS_COUNTER_INVALID_BIP_MMIE]++;
		return -1;
	}

	wpa_printf(MSG_DEBUG, "Valid MMIE MIC");
	os_memcpy(bss->ipn[keyid], mmie + 2, 6);
	bss->counters[WLANTEST_BSS_COUNTER_VALID_BIP_MMIE]++;

	return 0;
}
728 | ||
729 | ||
/*
 * mgmt_ccmp_decrypt - Decrypt a CCMP-protected individually addressed frame
 * @wt: wlantest context
 * @data: Full Management frame starting from the 802.11 header
 * @len: Length of the frame in octets (the caller guarantees len >= 24)
 * @dlen: On success, set to the length of the returned plaintext frame
 * Returns: Newly allocated plaintext frame (header + decrypted body), or
 *	NULL if no PTK is known, the CCMP header is malformed, or decryption
 *	fails. The caller owns the returned buffer and must os_free() it.
 *
 * The PN is compared against the stored replay counter before decryption
 * (replay is logged only) and stored after a successful decryption.
 */
static u8 * mgmt_ccmp_decrypt(struct wlantest *wt, const u8 *data, size_t len,
			      size_t *dlen)
{
	const struct ieee80211_hdr *hdr = (const struct ieee80211_hdr *) data;
	struct wlantest_bss *bss;
	struct wlantest_sta *sta;
	const u8 *ccmp_hdr;
	int to_ap, keyid;
	u8 *decrypted, *frame = NULL;
	u8 pn[6], *rsc;

	bss = bss_get(wt, hdr->addr3);
	if (!bss)
		return NULL;
	/* A1 == BSSID means the frame goes to the AP; the STA is then A2 */
	to_ap = os_memcmp(hdr->addr1, hdr->addr3, ETH_ALEN) == 0;
	sta = sta_get(bss, to_ap ? hdr->addr2 : hdr->addr1);
	if (!sta || !sta->ptk_set) {
		wpa_printf(MSG_MSGDUMP, "No PTK known to decrypt the frame");
		return NULL;
	}

	/* The first four octets of the CCMP header are inspected below */
	if (len < 24 + 4)
		return NULL;
	ccmp_hdr = data + 24;

	if (!(ccmp_hdr[3] & 0x20)) {
		wpa_printf(MSG_INFO, "Expected CCMP frame from " MACSTR
			   " did not have ExtIV bit set to 1",
			   MAC2STR(hdr->addr2));
		return NULL;
	}

	if (ccmp_hdr[2] != 0 || (ccmp_hdr[3] & 0x1f) != 0) {
		wpa_printf(MSG_INFO, "CCMP mgmt frame from " MACSTR " used "
			   "non-zero reserved bit", MAC2STR(hdr->addr2));
	}

	keyid = ccmp_hdr[3] >> 6;
	if (keyid != 0) {
		wpa_printf(MSG_INFO, "Unexpected non-zero KeyID %d in "
			   "individually addressed Management frame from "
			   MACSTR, keyid, MAC2STR(hdr->addr2));
	}

	/*
	 * Slot 16 of the per-direction replay counters is used for
	 * Management frames; presumably slots 0-15 are the data TIDs —
	 * verify against wlantest.h.
	 */
	rsc = to_ap ? sta->rsc_tods[16] : sta->rsc_fromds[16];

	ccmp_get_pn(pn, ccmp_hdr);
	if (os_memcmp(pn, rsc, 6) <= 0) {
		wpa_printf(MSG_INFO, "CCMP/TKIP replay detected: SA=" MACSTR,
			   MAC2STR(hdr->addr2));
		wpa_hexdump(MSG_INFO, "RX PN", pn, 6);
		wpa_hexdump(MSG_INFO, "RSC", rsc, 6);
	}

	decrypted = ccmp_decrypt(sta->ptk.tk1, hdr, ccmp_hdr, len - 24, dlen);
	if (!decrypted)
		return NULL;

	/* Only a frame that decrypted correctly advances the replay counter */
	os_memcpy(rsc, pn, 6);
	frame = os_malloc(24 + *dlen);
	if (frame) {
		os_memcpy(frame, data, 24);
		os_memcpy(frame + 24, decrypted, *dlen);
		*dlen += 24;
	}
	os_free(decrypted);

	return frame;
}
803 | ||
804 | ||
/*
 * check_mgmt_ccmp - Flag an unprotected individually addressed robust frame
 * @wt: wlantest context
 * @data: Full Management frame starting from the 802.11 header
 * @len: Length of the frame in octets (the caller guarantees len >= 24)
 * Returns: -1 if the STA negotiated MFPC and the frame should therefore have
 *	been CCMP protected; 0 otherwise (including unknown BSS/STA)
 */
static int check_mgmt_ccmp(struct wlantest *wt, const u8 *data, size_t len)
{
	const struct ieee80211_mgmt *mgmt =
		(const struct ieee80211_mgmt *) data;
	struct wlantest_bss *bss;
	struct wlantest_sta *sta;
	u16 fc = le_to_host16(mgmt->frame_control);
	int to_ap;

	/* Public Action frames are never robust, so they need no protection */
	if (WLAN_FC_GET_STYPE(fc) == WLAN_FC_STYPE_ACTION && len > 24 &&
	    mgmt->u.action.category == WLAN_ACTION_PUBLIC)
		return 0; /* Not a robust management frame */

	bss = bss_get(wt, mgmt->bssid);
	if (!bss)
		return 0;
	/* DA == BSSID means the STA is the sender; otherwise it is the DA */
	to_ap = os_memcmp(mgmt->da, mgmt->bssid, ETH_ALEN) == 0;
	sta = sta_get(bss, to_ap ? mgmt->sa : mgmt->da);
	if (!sta)
		return 0;

	if (!(sta->rsn_capab & WPA_CAPABILITY_MFPC))
		return 0;

	wpa_printf(MSG_INFO, "Robust individually-addressed "
		   "management frame sent without CCMP by "
		   MACSTR, MAC2STR(mgmt->sa));
	return -1;
}
840 | ||
841 | ||
/*
 * rx_mgmt - Entry point for a received Management frame
 * @wt: wlantest context
 * @data: Frame starting from the 802.11 header (no FCS)
 * @len: Length of the frame in octets
 *
 * Frames shorter than the 24-octet header are dropped. Robust subtypes
 * (Deauthentication, Disassociation, Action) are checked for BIP when
 * group addressed, decrypted with the STA's PTK when individually addressed
 * and protected, or flagged when unprotected although MFPC was negotiated;
 * the outcome is passed to the subtype handlers as @valid. Handlers for
 * the other subtypes only ever see the frame as received.
 */
void rx_mgmt(struct wlantest *wt, const u8 *data, size_t len)
{
	const struct ieee80211_hdr *hdr;
	u16 fc, stype;
	int valid = 1, robust, group;
	u8 *decrypted = NULL;
	size_t dlen;

	if (len < 24)
		return;

	hdr = (const struct ieee80211_hdr *) data;
	fc = le_to_host16(hdr->frame_control);
	wt->rx_mgmt++;
	stype = WLAN_FC_GET_STYPE(fc);

	/* Subtypes covered by the protection checks below */
	robust = stype == WLAN_FC_STYPE_DEAUTH ||
		stype == WLAN_FC_STYPE_DISASSOC ||
		stype == WLAN_FC_STYPE_ACTION;
	group = hdr->addr1[0] & 0x01;

	if (group && robust && check_bip(wt, data, len) < 0)
		valid = 0;

	/* Beacons and probes are frequent; log them at the lowest level */
	wpa_printf((stype == WLAN_FC_STYPE_BEACON ||
		    stype == WLAN_FC_STYPE_PROBE_RESP ||
		    stype == WLAN_FC_STYPE_PROBE_REQ) ?
		   MSG_EXCESSIVE : MSG_MSGDUMP,
		   "MGMT %s%s%s DA=" MACSTR " SA=" MACSTR " BSSID=" MACSTR,
		   mgmt_stype(stype),
		   fc & WLAN_FC_PWRMGT ? " PwrMgt" : "",
		   fc & WLAN_FC_ISWEP ? " Prot" : "",
		   MAC2STR(hdr->addr1), MAC2STR(hdr->addr2),
		   MAC2STR(hdr->addr3));

	if (robust && !group) {
		if (fc & WLAN_FC_ISWEP) {
			/* On success the handlers below see the plaintext */
			decrypted = mgmt_ccmp_decrypt(wt, data, len, &dlen);
			if (decrypted) {
				write_pcap_decrypted(wt, decrypted, dlen,
						     NULL, 0);
				data = decrypted;
				len = dlen;
			} else {
				valid = 0;
			}
		} else if (check_mgmt_ccmp(wt, data, len) < 0) {
			valid = 0;
		}
	}

	switch (stype) {
	case WLAN_FC_STYPE_BEACON:
		rx_mgmt_beacon(wt, data, len);
		break;
	case WLAN_FC_STYPE_PROBE_RESP:
		rx_mgmt_probe_resp(wt, data, len);
		break;
	case WLAN_FC_STYPE_AUTH:
		rx_mgmt_auth(wt, data, len);
		break;
	case WLAN_FC_STYPE_DEAUTH:
		rx_mgmt_deauth(wt, data, len, valid);
		break;
	case WLAN_FC_STYPE_ASSOC_REQ:
		rx_mgmt_assoc_req(wt, data, len);
		break;
	case WLAN_FC_STYPE_ASSOC_RESP:
		rx_mgmt_assoc_resp(wt, data, len);
		break;
	case WLAN_FC_STYPE_REASSOC_REQ:
		rx_mgmt_reassoc_req(wt, data, len);
		break;
	case WLAN_FC_STYPE_REASSOC_RESP:
		rx_mgmt_reassoc_resp(wt, data, len);
		break;
	case WLAN_FC_STYPE_DISASSOC:
		rx_mgmt_disassoc(wt, data, len, valid);
		break;
	case WLAN_FC_STYPE_ACTION:
		rx_mgmt_action(wt, data, len, valid);
		break;
	default:
		/* Remaining subtypes are only logged above */
		break;
	}

	/* NULL when nothing was decrypted; os_free() tolerates that */
	os_free(decrypted);
}