]> git.ipfire.org Git - thirdparty/hostap.git/blame - wlantest/rx_mgmt.c
projects / thirdparty / hostap.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
wlantest: Add support for protecting injected broadcast frames
[thirdparty/hostap.git] / wlantest / rx_mgmt.c
CommitLineData
2d73f0a8
JM		 1/*
2 * Received Management frame processing
3 * Copyright (c) 2010, Jouni Malinen <j@w1.fi>
4 *
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License version 2 as
7 * published by the Free Software Foundation.
8 *
9 * Alternatively, this software may be distributed under the terms of BSD
10 * license.
11 *
12 * See README and COPYING for more details.
13 */
14
15#include "utils/includes.h"
16
17#include "utils/common.h"
18#include "common/ieee802_11_defs.h"
19#include "common/ieee802_11_common.h"
bacc3128 20#include "crypto/aes_wrap.h"
2d73f0a8
JM		 21#include "wlantest.h"
22
23
24static const char * mgmt_stype(u16 stype)
25{
26 switch (stype) {
27 case WLAN_FC_STYPE_ASSOC_REQ:
28 return "ASSOC-REQ";
29 case WLAN_FC_STYPE_ASSOC_RESP:
30 return "ASSOC-RESP";
31 case WLAN_FC_STYPE_REASSOC_REQ:
32 return "REASSOC-REQ";
33 case WLAN_FC_STYPE_REASSOC_RESP:
34 return "REASSOC-RESP";
35 case WLAN_FC_STYPE_PROBE_REQ:
36 return "PROBE-REQ";
37 case WLAN_FC_STYPE_PROBE_RESP:
38 return "PROBE-RESP";
39 case WLAN_FC_STYPE_BEACON:
40 return "BEACON";
41 case WLAN_FC_STYPE_ATIM:
42 return "ATIM";
43 case WLAN_FC_STYPE_DISASSOC:
44 return "DISASSOC";
45 case WLAN_FC_STYPE_AUTH:
46 return "AUTH";
47 case WLAN_FC_STYPE_DEAUTH:
48 return "DEAUTH";
49 case WLAN_FC_STYPE_ACTION:
50 return "ACTION";
51 }
52 return "??";
53}
54
55
56static void rx_mgmt_beacon(struct wlantest *wt, const u8 *data, size_t len)
57{
58 const struct ieee80211_mgmt *mgmt;
59 struct wlantest_bss *bss;
60 struct ieee802_11_elems elems;
61
62 mgmt = (const struct ieee80211_mgmt *) data;
63 bss = bss_get(wt, mgmt->bssid);
64 if (bss == NULL)
65 return;
66 if (bss->proberesp_seen)
67 return; /* do not override with Beacon data */
68 bss->capab_info = le_to_host16(mgmt->u.beacon.capab_info);
69 if (ieee802_11_parse_elems(mgmt->u.beacon.variable,
70 len - (mgmt->u.beacon.variable - data),
71 &elems, 0) == ParseFailed) {
72 if (bss->parse_error_reported)
73 return;
74 wpa_printf(MSG_INFO, "Invalid IEs in a Beacon frame from "
75 MACSTR, MAC2STR(mgmt->sa));
76 bss->parse_error_reported = 1;
77 return;
78 }
79
53650bca 80 bss_update(wt, bss, &elems);
2d73f0a8
JM		 81}
82
83
84static void rx_mgmt_probe_resp(struct wlantest *wt, const u8 *data, size_t len)
85{
86 const struct ieee80211_mgmt *mgmt;
87 struct wlantest_bss *bss;
88 struct ieee802_11_elems elems;
89
90 mgmt = (const struct ieee80211_mgmt *) data;
91 bss = bss_get(wt, mgmt->bssid);
92 if (bss == NULL)
93 return;
94
95 bss->capab_info = le_to_host16(mgmt->u.probe_resp.capab_info);
96 if (ieee802_11_parse_elems(mgmt->u.probe_resp.variable,
97 len - (mgmt->u.probe_resp.variable - data),
98 &elems, 0) == ParseFailed) {
99 if (bss->parse_error_reported)
100 return;
101 wpa_printf(MSG_INFO, "Invalid IEs in a Probe Response frame "
102 "from " MACSTR, MAC2STR(mgmt->sa));
103 bss->parse_error_reported = 1;
104 return;
105 }
106
53650bca 107 bss_update(wt, bss, &elems);
2d73f0a8
JM		 108}
109
110
111static void rx_mgmt_auth(struct wlantest *wt, const u8 *data, size_t len)
112{
113 const struct ieee80211_mgmt *mgmt;
114 struct wlantest_bss *bss;
115 struct wlantest_sta *sta;
116 u16 alg, trans, status;
117
118 mgmt = (const struct ieee80211_mgmt *) data;
119 bss = bss_get(wt, mgmt->bssid);
120 if (bss == NULL)
121 return;
122 if (os_memcmp(mgmt->sa, mgmt->bssid, ETH_ALEN) == 0)
123 sta = sta_get(bss, mgmt->da);
124 else
125 sta = sta_get(bss, mgmt->sa);
126 if (sta == NULL)
127 return;
128
129 if (len < 24 + 6) {
130 wpa_printf(MSG_INFO, "Too short Authentication frame from "
131 MACSTR, MAC2STR(mgmt->sa));
132 return;
133 }
134
135 alg = le_to_host16(mgmt->u.auth.auth_alg);
136 trans = le_to_host16(mgmt->u.auth.auth_transaction);
137 status = le_to_host16(mgmt->u.auth.status_code);
138
139 wpa_printf(MSG_DEBUG, "AUTH " MACSTR " -> " MACSTR
140 " (alg=%u trans=%u status=%u)",
141 MAC2STR(mgmt->sa), MAC2STR(mgmt->da), alg, trans, status);
142
143 if (alg == 0 && trans == 2 && status == 0) {
144 if (sta->state == STATE1) {
145 wpa_printf(MSG_DEBUG, "STA " MACSTR
146 " moved to State 2 with " MACSTR,
147 MAC2STR(sta->addr), MAC2STR(bss->bssid));
148 sta->state = STATE2;
149 }
150 }
6d5ce9fc
JM		 151
152 if (os_memcmp(mgmt->sa, mgmt->bssid, ETH_ALEN) == 0)
153 sta->counters[WLANTEST_STA_COUNTER_AUTH_RX]++;
154 else
155 sta->counters[WLANTEST_STA_COUNTER_AUTH_TX]++;
2d73f0a8
JM		 156}
157
158
47fe6880
JM		 159static void rx_mgmt_deauth(struct wlantest *wt, const u8 *data, size_t len,
160 int valid)
2d73f0a8
JM		 161{
162 const struct ieee80211_mgmt *mgmt;
163 struct wlantest_bss *bss;
164 struct wlantest_sta *sta;
165
166 mgmt = (const struct ieee80211_mgmt *) data;
167 bss = bss_get(wt, mgmt->bssid);
168 if (bss == NULL)
169 return;
170 if (os_memcmp(mgmt->sa, mgmt->bssid, ETH_ALEN) == 0)
171 sta = sta_get(bss, mgmt->da);
172 else
173 sta = sta_get(bss, mgmt->sa);
174 if (sta == NULL)
175 return;
176
177 if (len < 24 + 2) {
178 wpa_printf(MSG_INFO, "Too short Deauthentication frame from "
179 MACSTR, MAC2STR(mgmt->sa));
180 return;
181 }
182
183 wpa_printf(MSG_DEBUG, "DEAUTH " MACSTR " -> " MACSTR
184 " (reason=%u)",
185 MAC2STR(mgmt->sa), MAC2STR(mgmt->da),
186 le_to_host16(mgmt->u.deauth.reason_code));
47fe6880
JM		 187 wpa_hexdump(MSG_MSGDUMP, "DEAUTH payload", data + 24, len - 24);
188
6d5ce9fc
JM		 189 if (os_memcmp(mgmt->sa, mgmt->bssid, ETH_ALEN) == 0)
190 sta->counters[valid ? WLANTEST_STA_COUNTER_VALID_DEAUTH_RX :
191 WLANTEST_STA_COUNTER_INVALID_DEAUTH_RX]++;
192 else
193 sta->counters[valid ? WLANTEST_STA_COUNTER_VALID_DEAUTH_TX :
194 WLANTEST_STA_COUNTER_INVALID_DEAUTH_TX]++;
195
47fe6880
JM		 196 if (!valid) {
197 wpa_printf(MSG_INFO, "Do not change STA " MACSTR " State "
198 "since Disassociation frame was not protected "
199 "correctly", MAC2STR(sta->addr));
200 return;
201 }
2d73f0a8
JM		 202
203 if (sta->state != STATE1) {
204 wpa_printf(MSG_DEBUG, "STA " MACSTR
205 " moved to State 1 with " MACSTR,
206 MAC2STR(sta->addr), MAC2STR(bss->bssid));
207 sta->state = STATE1;
208 }
209}
210
211
212static void rx_mgmt_assoc_req(struct wlantest *wt, const u8 *data, size_t len)
213{
214 const struct ieee80211_mgmt *mgmt;
215 struct wlantest_bss *bss;
216 struct wlantest_sta *sta;
021a6fe4 217 struct ieee802_11_elems elems;
2d73f0a8
JM		 218
219 mgmt = (const struct ieee80211_mgmt *) data;
220 bss = bss_get(wt, mgmt->bssid);
221 if (bss == NULL)
222 return;
223 sta = sta_get(bss, mgmt->sa);
224 if (sta == NULL)
225 return;
226
227 if (len < 24 + 4) {
228 wpa_printf(MSG_INFO, "Too short Association Request frame "
229 "from " MACSTR, MAC2STR(mgmt->sa));
230 return;
231 }
232
233 wpa_printf(MSG_DEBUG, "ASSOCREQ " MACSTR " -> " MACSTR
234 " (capab=0x%x listen_int=%u)",
235 MAC2STR(mgmt->sa), MAC2STR(mgmt->da),
236 le_to_host16(mgmt->u.assoc_req.capab_info),
237 le_to_host16(mgmt->u.assoc_req.listen_interval));
021a6fe4 238
6d5ce9fc
JM		 239 sta->counters[WLANTEST_STA_COUNTER_ASSOCREQ_TX]++;
240
021a6fe4
JM		 241 if (ieee802_11_parse_elems(mgmt->u.assoc_req.variable,
242 len - (mgmt->u.assoc_req.variable - data),
243 &elems, 0) == ParseFailed) {
244 wpa_printf(MSG_INFO, "Invalid IEs in Association Request "
245 "frame from " MACSTR, MAC2STR(mgmt->sa));
246 return;
247 }
248
249 sta_update_assoc(sta, &elems);
2d73f0a8
JM		 250}
251
252
253static void rx_mgmt_assoc_resp(struct wlantest *wt, const u8 *data, size_t len)
254{
255 const struct ieee80211_mgmt *mgmt;
256 struct wlantest_bss *bss;
257 struct wlantest_sta *sta;
258 u16 capab, status, aid;
259
260 mgmt = (const struct ieee80211_mgmt *) data;
261 bss = bss_get(wt, mgmt->bssid);
262 if (bss == NULL)
263 return;
264 sta = sta_get(bss, mgmt->da);
265 if (sta == NULL)
266 return;
267
268 if (len < 24 + 6) {
269 wpa_printf(MSG_INFO, "Too short Association Response frame "
270 "from " MACSTR, MAC2STR(mgmt->sa));
271 return;
272 }
273
274 capab = le_to_host16(mgmt->u.assoc_resp.capab_info);
275 status = le_to_host16(mgmt->u.assoc_resp.status_code);
276 aid = le_to_host16(mgmt->u.assoc_resp.aid);
277
278 wpa_printf(MSG_DEBUG, "ASSOCRESP " MACSTR " -> " MACSTR
279 " (capab=0x%x status=%u aid=%u)",
280 MAC2STR(mgmt->sa), MAC2STR(mgmt->da), capab, status,
281 aid & 0x3fff);
282
283 if (status)
284 return;
285
286 if ((aid & 0xc000) != 0xc000) {
287 wpa_printf(MSG_DEBUG, "Two MSBs of the AID were not set to 1 "
288 "in Association Response from " MACSTR,
289 MAC2STR(mgmt->sa));
290 }
291 sta->aid = aid & 0xc000;
292
293 if (sta->state < STATE2) {
294 wpa_printf(MSG_DEBUG, "STA " MACSTR " was not in State 2 when "
295 "getting associated", MAC2STR(sta->addr));
296 }
297
298 if (sta->state < STATE3) {
299 wpa_printf(MSG_DEBUG, "STA " MACSTR
300 " moved to State 3 with " MACSTR,
301 MAC2STR(sta->addr), MAC2STR(bss->bssid));
302 sta->state = STATE3;
303 }
304}
305
306
307static void rx_mgmt_reassoc_req(struct wlantest *wt, const u8 *data,
308 size_t len)
309{
310 const struct ieee80211_mgmt *mgmt;
311 struct wlantest_bss *bss;
312 struct wlantest_sta *sta;
021a6fe4 313 struct ieee802_11_elems elems;
2d73f0a8
JM		 314
315 mgmt = (const struct ieee80211_mgmt *) data;
316 bss = bss_get(wt, mgmt->bssid);
317 if (bss == NULL)
318 return;
319 sta = sta_get(bss, mgmt->sa);
320 if (sta == NULL)
321 return;
322
323 if (len < 24 + 4 + ETH_ALEN) {
324 wpa_printf(MSG_INFO, "Too short Reassociation Request frame "
325 "from " MACSTR, MAC2STR(mgmt->sa));
326 return;
327 }
328
329 wpa_printf(MSG_DEBUG, "REASSOCREQ " MACSTR " -> " MACSTR
330 " (capab=0x%x listen_int=%u current_ap=" MACSTR ")",
331 MAC2STR(mgmt->sa), MAC2STR(mgmt->da),
332 le_to_host16(mgmt->u.reassoc_req.capab_info),
333 le_to_host16(mgmt->u.reassoc_req.listen_interval),
334 MAC2STR(mgmt->u.reassoc_req.current_ap));
021a6fe4 335
6d5ce9fc
JM		 336 sta->counters[WLANTEST_STA_COUNTER_REASSOCREQ_TX]++;
337
021a6fe4
JM		 338 if (ieee802_11_parse_elems(mgmt->u.reassoc_req.variable,
339 len - (mgmt->u.reassoc_req.variable - data),
340 &elems, 0) == ParseFailed) {
341 wpa_printf(MSG_INFO, "Invalid IEs in Reassociation Request "
342 "frame from " MACSTR, MAC2STR(mgmt->sa));
343 return;
344 }
345
346 sta_update_assoc(sta, &elems);
2d73f0a8
JM		 347}
348
349
350static void rx_mgmt_reassoc_resp(struct wlantest *wt, const u8 *data,
351 size_t len)
352{
353 const struct ieee80211_mgmt *mgmt;
354 struct wlantest_bss *bss;
355 struct wlantest_sta *sta;
356 u16 capab, status, aid;
357
358 mgmt = (const struct ieee80211_mgmt *) data;
359 bss = bss_get(wt, mgmt->bssid);
360 if (bss == NULL)
361 return;
362 sta = sta_get(bss, mgmt->da);
363 if (sta == NULL)
364 return;
365
366 if (len < 24 + 6) {
367 wpa_printf(MSG_INFO, "Too short Reassociation Response frame "
368 "from " MACSTR, MAC2STR(mgmt->sa));
369 return;
370 }
371
372 capab = le_to_host16(mgmt->u.reassoc_resp.capab_info);
373 status = le_to_host16(mgmt->u.reassoc_resp.status_code);
374 aid = le_to_host16(mgmt->u.reassoc_resp.aid);
375
376 wpa_printf(MSG_DEBUG, "REASSOCRESP " MACSTR " -> " MACSTR
377 " (capab=0x%x status=%u aid=%u)",
378 MAC2STR(mgmt->sa), MAC2STR(mgmt->da), capab, status,
379 aid & 0x3fff);
380
381 if (status)
382 return;
383
384 if ((aid & 0xc000) != 0xc000) {
385 wpa_printf(MSG_DEBUG, "Two MSBs of the AID were not set to 1 "
386 "in Reassociation Response from " MACSTR,
387 MAC2STR(mgmt->sa));
388 }
389 sta->aid = aid & 0xc000;
390
391 if (sta->state < STATE2) {
392 wpa_printf(MSG_DEBUG, "STA " MACSTR " was not in State 2 when "
393 "getting associated", MAC2STR(sta->addr));
394 }
395
396 if (sta->state < STATE3) {
397 wpa_printf(MSG_DEBUG, "STA " MACSTR
398 " moved to State 3 with " MACSTR,
399 MAC2STR(sta->addr), MAC2STR(bss->bssid));
400 sta->state = STATE3;
401 }
402}
403
404
47fe6880
JM		 405static void rx_mgmt_disassoc(struct wlantest *wt, const u8 *data, size_t len,
406 int valid)
2d73f0a8
JM		 407{
408 const struct ieee80211_mgmt *mgmt;
409 struct wlantest_bss *bss;
410 struct wlantest_sta *sta;
411
412 mgmt = (const struct ieee80211_mgmt *) data;
413 bss = bss_get(wt, mgmt->bssid);
414 if (bss == NULL)
415 return;
416 if (os_memcmp(mgmt->sa, mgmt->bssid, ETH_ALEN) == 0)
417 sta = sta_get(bss, mgmt->da);
418 else
419 sta = sta_get(bss, mgmt->sa);
420 if (sta == NULL)
421 return;
422
423 if (len < 24 + 2) {
424 wpa_printf(MSG_INFO, "Too short Disassociation frame from "
425 MACSTR, MAC2STR(mgmt->sa));
426 return;
427 }
428
429 wpa_printf(MSG_DEBUG, "DISASSOC " MACSTR " -> " MACSTR
430 " (reason=%u)",
431 MAC2STR(mgmt->sa), MAC2STR(mgmt->da),
432 le_to_host16(mgmt->u.disassoc.reason_code));
47fe6880
JM		 433 wpa_hexdump(MSG_MSGDUMP, "DISASSOC payload", data + 24, len - 24);
434
6d5ce9fc
JM		 435 if (os_memcmp(mgmt->sa, mgmt->bssid, ETH_ALEN) == 0)
436 sta->counters[valid ? WLANTEST_STA_COUNTER_VALID_DISASSOC_RX :
437 WLANTEST_STA_COUNTER_INVALID_DISASSOC_RX]++;
438 else
439 sta->counters[valid ? WLANTEST_STA_COUNTER_VALID_DISASSOC_TX :
440 WLANTEST_STA_COUNTER_INVALID_DISASSOC_TX]++;
441
47fe6880
JM		 442 if (!valid) {
443 wpa_printf(MSG_INFO, "Do not change STA " MACSTR " State "
444 "since Disassociation frame was not protected "
445 "correctly", MAC2STR(sta->addr));
446 return;
447 }
2d73f0a8
JM		 448
449 if (sta->state < STATE2) {
450 wpa_printf(MSG_DEBUG, "STA " MACSTR " was not in State 2 or 3 "
451 "when getting disassociated", MAC2STR(sta->addr));
452 }
453
454 if (sta->state > STATE2) {
455 wpa_printf(MSG_DEBUG, "STA " MACSTR
456 " moved to State 2 with " MACSTR,
457 MAC2STR(sta->addr), MAC2STR(bss->bssid));
458 sta->state = STATE2;
459 }
460}
461
462
6d5ce9fc
JM		 463static void rx_mgmt_action_sa_query_req(struct wlantest *wt,
464 struct wlantest_sta *sta,
465 const struct ieee80211_mgmt *mgmt,
466 size_t len, int valid)
467{
468 const u8 *rx_id;
469 u8 *id;
470
471 rx_id = (const u8 *) mgmt->u.action.u.sa_query_req.trans_id;
472 if (os_memcmp(mgmt->sa, mgmt->bssid, ETH_ALEN) == 0)
473 id = sta->ap_sa_query_tr;
474 else
475 id = sta->sta_sa_query_tr;
476 wpa_printf(MSG_INFO, "SA Query Request " MACSTR " -> " MACSTR
477 " (trans_id=%02x%02x)%s",
478 MAC2STR(mgmt->sa), MAC2STR(mgmt->da), rx_id[0], rx_id[1],
479 valid ? "" : " (invalid protection)");
480 os_memcpy(id, mgmt->u.action.u.sa_query_req.trans_id, 2);
481 if (os_memcmp(mgmt->sa, sta->addr, ETH_ALEN) == 0)
482 sta->counters[valid ?
483 WLANTEST_STA_COUNTER_VALID_SAQUERYREQ_TX :
484 WLANTEST_STA_COUNTER_INVALID_SAQUERYREQ_TX]++;
485 else
486 sta->counters[valid ?
487 WLANTEST_STA_COUNTER_VALID_SAQUERYREQ_RX :
488 WLANTEST_STA_COUNTER_INVALID_SAQUERYREQ_RX]++;
489}
490
491
492static void rx_mgmt_action_sa_query_resp(struct wlantest *wt,
493 struct wlantest_sta *sta,
494 const struct ieee80211_mgmt *mgmt,
495 size_t len, int valid)
496{
497 const u8 *rx_id;
498 u8 *id;
499 int match;
500
501 rx_id = (const u8 *) mgmt->u.action.u.sa_query_resp.trans_id;
502 if (os_memcmp(mgmt->sa, mgmt->bssid, ETH_ALEN) == 0)
503 id = sta->sta_sa_query_tr;
504 else
505 id = sta->ap_sa_query_tr;
506 match = os_memcmp(rx_id, id, 2) == 0;
507 wpa_printf(MSG_INFO, "SA Query Response " MACSTR " -> " MACSTR
508 " (trans_id=%02x%02x; %s)%s",
509 MAC2STR(mgmt->sa), MAC2STR(mgmt->da), rx_id[0], rx_id[1],
510 match ? "match" : "mismatch",
511 valid ? "" : " (invalid protection)");
512 if (os_memcmp(mgmt->sa, sta->addr, ETH_ALEN) == 0)
513 sta->counters[(valid && match) ?
514 WLANTEST_STA_COUNTER_VALID_SAQUERYRESP_TX :
515 WLANTEST_STA_COUNTER_INVALID_SAQUERYRESP_TX]++;
516 else
517 sta->counters[(valid && match) ?
518 WLANTEST_STA_COUNTER_VALID_SAQUERYRESP_RX :
519 WLANTEST_STA_COUNTER_INVALID_SAQUERYRESP_RX]++;
520}
521
522
0819b65b
JM		 523static void rx_mgmt_action_sa_query(struct wlantest *wt,
524 struct wlantest_sta *sta,
525 const struct ieee80211_mgmt *mgmt,
2102ecf0 526 size_t len, int valid)
0819b65b 527{
0819b65b
JM		 528 if (len < 24 + 2 + WLAN_SA_QUERY_TR_ID_LEN) {
529 wpa_printf(MSG_INFO, "Too short SA Query frame from " MACSTR,
530 MAC2STR(mgmt->sa));
531 return;
532 }
533
534 if (len > 24 + 2 + WLAN_SA_QUERY_TR_ID_LEN) {
535 size_t elen = len - (24 + 2 + WLAN_SA_QUERY_TR_ID_LEN);
536 wpa_printf(MSG_INFO, "Unexpected %u octets of extra data at "
537 "the end of SA Query frame from " MACSTR,
538 (unsigned) elen, MAC2STR(mgmt->sa));
539 wpa_hexdump(MSG_INFO, "SA Query extra data",
540 ((const u8 *) mgmt) + len - elen, elen);
541 }
542
543 switch (mgmt->u.action.u.sa_query_req.action) {
544 case WLAN_SA_QUERY_REQUEST:
6d5ce9fc 545 rx_mgmt_action_sa_query_req(wt, sta, mgmt, len, valid);
0819b65b
JM		 546 break;
547 case WLAN_SA_QUERY_RESPONSE:
6d5ce9fc 548 rx_mgmt_action_sa_query_resp(wt, sta, mgmt, len, valid);
0819b65b
JM		 549 break;
550 default:
551 wpa_printf(MSG_INFO, "Unexpected SA Query action value %u "
552 "from " MACSTR,
553 mgmt->u.action.u.sa_query_req.action,
554 MAC2STR(mgmt->sa));
555 }
556}
557
558
2102ecf0
JM		 559static void rx_mgmt_action(struct wlantest *wt, const u8 *data, size_t len,
560 int valid)
0819b65b
JM		 561{
562 const struct ieee80211_mgmt *mgmt;
563 struct wlantest_bss *bss;
564 struct wlantest_sta *sta;
565
566 mgmt = (const struct ieee80211_mgmt *) data;
ad41bb2e
JM		 567 if (mgmt->da[0] & 0x01) {
568 wpa_printf(MSG_DEBUG, "Group addressed Action frame: DA="
569 MACSTR " SA=" MACSTR " BSSID=" MACSTR
570 " category=%u",
571 MAC2STR(mgmt->da), MAC2STR(mgmt->sa),
572 MAC2STR(mgmt->bssid), mgmt->u.action.category);
0819b65b 573 return; /* Ignore group addressed Action frames for now */
ad41bb2e 574 }
0819b65b
JM		 575 bss = bss_get(wt, mgmt->bssid);
576 if (bss == NULL)
577 return;
578 if (os_memcmp(mgmt->sa, mgmt->bssid, ETH_ALEN) == 0)
579 sta = sta_get(bss, mgmt->da);
580 else
581 sta = sta_get(bss, mgmt->sa);
582 if (sta == NULL)
583 return;
584
585 if (len < 24 + 1) {
586 wpa_printf(MSG_INFO, "Too short Action frame from "
587 MACSTR, MAC2STR(mgmt->sa));
588 return;
589 }
590
591 wpa_printf(MSG_DEBUG, "ACTION " MACSTR " -> " MACSTR
2102ecf0 592 " (category=%u) (valid=%d)",
0819b65b 593 MAC2STR(mgmt->sa), MAC2STR(mgmt->da),
2102ecf0 594 mgmt->u.action.category, valid);
0819b65b
JM		 595 wpa_hexdump(MSG_MSGDUMP, "ACTION payload", data + 24, len - 24);
596
597 if (mgmt->u.action.category != WLAN_ACTION_PUBLIC &&
598 sta->state < STATE3) {
599 wpa_printf(MSG_INFO, "Action frame sent when STA is not in "
600 "State 3 (SA=" MACSTR " DATA=" MACSTR ")",
601 MAC2STR(mgmt->sa), MAC2STR(mgmt->da));
602 }
603
604 switch (mgmt->u.action.category) {
605 case WLAN_ACTION_SA_QUERY:
2102ecf0 606 rx_mgmt_action_sa_query(wt, sta, mgmt, len, valid);
0819b65b
JM		 607 break;
608 }
609}
610
611
bacc3128
JM		 612static int check_mmie_mic(const u8 *igtk, const u8 *data, size_t len)
613{
614 u8 *buf;
615 u8 mic[16];
616 u16 fc;
617 const struct ieee80211_hdr *hdr;
618
619 buf = os_malloc(len + 20 - 24);
620 if (buf == NULL)
621 return -1;
622
623 /* BIP AAD: FC(masked) A1 A2 A3 */
624 hdr = (const struct ieee80211_hdr *) data;
625 fc = le_to_host16(hdr->frame_control);
626 fc &= ~(WLAN_FC_RETRY | WLAN_FC_PWRMGT | WLAN_FC_MOREDATA);
627 WPA_PUT_LE16(buf, fc);
628 os_memcpy(buf + 2, hdr->addr1, 3 * ETH_ALEN);
629
630 /* Frame body with MMIE MIC masked to zero */
631 os_memcpy(buf + 20, data + 24, len - 24 - 8);
632 os_memset(buf + 20 + len - 24 - 8, 0, 8);
633
634 wpa_hexdump(MSG_MSGDUMP, "BIP: AAD|Body(masked)", buf, len + 20 - 24);
635 /* MIC = L(AES-128-CMAC(AAD || Frame Body(masked)), 0, 64) */
636 if (omac1_aes_128(igtk, buf, len + 20 - 24, mic) < 0) {
637 os_free(buf);
638 return -1;
639 }
640
641 os_free(buf);
642
643 if (os_memcmp(data + len - 8, mic, 8) != 0)
644 return -1;
645
646 return 0;
647}
648
649
650static int check_bip(struct wlantest *wt, const u8 *data, size_t len)
651{
652 const struct ieee80211_mgmt *mgmt;
653 u16 fc, stype;
654 const u8 *mmie;
f3b9ed70 655 u16 keyid;
bacc3128
JM		 656 struct wlantest_bss *bss;
657
658 mgmt = (const struct ieee80211_mgmt *) data;
659 fc = le_to_host16(mgmt->frame_control);
660 stype = WLAN_FC_GET_STYPE(fc);
661
662 if (stype == WLAN_FC_STYPE_ACTION) {
663 if (len < 24 + 1)
664 return 0;
665 if (mgmt->u.action.category == WLAN_ACTION_PUBLIC)
666 return 0; /* Not a robust management frame */
667 }
668
669 bss = bss_get(wt, mgmt->bssid);
670 if (bss == NULL)
671 return 0; /* No key known yet */
672
673 if (len < 24 + 18 || data[len - 18] != WLAN_EID_MMIE ||
674 data[len - 17] != 16) {
675 /* No MMIE */
994d6a88 676 if (bss->rsn_capab & WPA_CAPABILITY_MFPC) {
bacc3128
JM		 677 wpa_printf(MSG_INFO, "Robust group-addressed "
678 "management frame sent without BIP by "
679 MACSTR, MAC2STR(mgmt->sa));
6d5ce9fc 680 bss->counters[WLANTEST_BSS_COUNTER_MISSING_BIP_MMIE]++;
bacc3128
JM		 681 return -1;
682 }
683 return 0;
684 }
685
686 mmie = data + len - 16;
687 keyid = WPA_GET_LE16(mmie);
f3b9ed70
JM		 688 if (keyid & 0xf000) {
689 wpa_printf(MSG_INFO, "MMIE KeyID reserved bits not zero "
690 "(%04x) from " MACSTR, keyid, MAC2STR(mgmt->sa));
691 keyid &= 0x0fff;
692 }
bacc3128
JM		 693 if (keyid < 4 || keyid > 5) {
694 wpa_printf(MSG_INFO, "Unexpected MMIE KeyID %u from " MACSTR,
695 keyid, MAC2STR(mgmt->sa));
6d5ce9fc 696 bss->counters[WLANTEST_BSS_COUNTER_INVALID_BIP_MMIE]++;
bacc3128
JM		 697 return 0;
698 }
699 wpa_printf(MSG_DEBUG, "MMIE KeyID %u", keyid);
700 wpa_hexdump(MSG_MSGDUMP, "MMIE IPN", mmie + 2, 6);
701 wpa_hexdump(MSG_MSGDUMP, "MMIE MIC", mmie + 8, 8);
702
703 if (!bss->igtk_set[keyid]) {
704 wpa_printf(MSG_DEBUG, "No IGTK known to validate BIP frame");
705 return 0;
706 }
707
4d4c2915 708 if (os_memcmp(mmie + 2, bss->ipn[keyid], 6) <= 0) {
bacc3128
JM		 709 wpa_printf(MSG_INFO, "BIP replay detected: SA=" MACSTR,
710 MAC2STR(mgmt->sa));
711 wpa_hexdump(MSG_INFO, "RX IPN", mmie + 2, 6);
712 wpa_hexdump(MSG_INFO, "Last RX IPN", bss->ipn[keyid], 6);
713 }
714
715 if (check_mmie_mic(bss->igtk[keyid], data, len) < 0) {
716 wpa_printf(MSG_INFO, "Invalid MMIE MIC in a frame from "
717 MACSTR, MAC2STR(mgmt->sa));
6d5ce9fc 718 bss->counters[WLANTEST_BSS_COUNTER_INVALID_BIP_MMIE]++;
bacc3128
JM		 719 return -1;
720 }
721
722 wpa_printf(MSG_DEBUG, "Valid MMIE MIC");
723 os_memcpy(bss->ipn[keyid], mmie + 2, 6);
6d5ce9fc 724 bss->counters[WLANTEST_BSS_COUNTER_VALID_BIP_MMIE]++;
bacc3128
JM		 725
726 return 0;
727}
728
729
47fe6880
JM		 730static u8 * mgmt_ccmp_decrypt(struct wlantest *wt, const u8 *data, size_t len,
731 size_t *dlen)
732{
733 struct wlantest_bss *bss;
734 struct wlantest_sta *sta;
735 const struct ieee80211_hdr *hdr;
736 int keyid;
42e79f82 737 u8 *decrypted, *frame = NULL;
47fe6880
JM		 738 u8 pn[6], *rsc;
739
740 hdr = (const struct ieee80211_hdr *) data;
741 bss = bss_get(wt, hdr->addr3);
742 if (bss == NULL)
743 return NULL;
744 if (os_memcmp(hdr->addr1, hdr->addr3, ETH_ALEN) == 0)
745 sta = sta_get(bss, hdr->addr2);
746 else
747 sta = sta_get(bss, hdr->addr1);
748 if (sta == NULL || !sta->ptk_set) {
749 wpa_printf(MSG_MSGDUMP, "No PTK known to decrypt the frame");
750 return NULL;
751 }
752
20062114
JM		 753 if (len < 24 + 4)
754 return NULL;
755
756 if (!(data[24 + 3] & 0x20)) {
757 wpa_printf(MSG_INFO, "Expected CCMP frame from " MACSTR
758 " did not have ExtIV bit set to 1",
759 MAC2STR(hdr->addr2));
760 return NULL;
761 }
762
16b8b6ea
JM		 763 if (data[24 + 2] != 0 || (data[24 + 3] & 0x1f) != 0) {
764 wpa_printf(MSG_INFO, "CCMP mgmt frame from " MACSTR " used "
765 "non-zero reserved bit", MAC2STR(hdr->addr2));
766 }
767
20062114 768 keyid = data[24 + 3] >> 6;
47fe6880
JM		 769 if (keyid != 0) {
770 wpa_printf(MSG_INFO, "Unexpected non-zero KeyID %d in "
771 "individually addressed Management frame from "
772 MACSTR, keyid, MAC2STR(hdr->addr2));
773 }
774
775 if (os_memcmp(hdr->addr1, hdr->addr3, ETH_ALEN) == 0)
776 rsc = sta->rsc_tods[16];
777 else
778 rsc = sta->rsc_fromds[16];
779
30febd70 780 ccmp_get_pn(pn, data + 24);
47fe6880
JM		 781 if (os_memcmp(pn, rsc, 6) <= 0) {
782 wpa_printf(MSG_INFO, "CCMP/TKIP replay detected: SA=" MACSTR,
783 MAC2STR(hdr->addr2));
784 wpa_hexdump(MSG_INFO, "RX PN", pn, 6);
785 wpa_hexdump(MSG_INFO, "RSC", rsc, 6);
786 }
787
788 decrypted = ccmp_decrypt(sta->ptk.tk1, hdr, data + 24, len - 24, dlen);
42e79f82 789 if (decrypted) {
47fe6880 790 os_memcpy(rsc, pn, 6);
42e79f82
JM		 791 frame = os_malloc(24 + *dlen);
792 if (frame) {
793 os_memcpy(frame, data, 24);
794 os_memcpy(frame + 24, decrypted, *dlen);
795 *dlen += 24;
796 }
47fe6880
JM		 797 }
798
799 os_free(decrypted);
800
801 return frame;
802}
803
804
2102ecf0
JM		 805static int check_mgmt_ccmp(struct wlantest *wt, const u8 *data, size_t len)
806{
807 const struct ieee80211_mgmt *mgmt;
808 u16 fc;
809 struct wlantest_bss *bss;
810 struct wlantest_sta *sta;
811
812 mgmt = (const struct ieee80211_mgmt *) data;
813 fc = le_to_host16(mgmt->frame_control);
814
815 if (WLAN_FC_GET_STYPE(fc) == WLAN_FC_STYPE_ACTION) {
816 if (len > 24 &&
817 mgmt->u.action.category == WLAN_ACTION_PUBLIC)
818 return 0; /* Not a robust management frame */
819 }
820
821 bss = bss_get(wt, mgmt->bssid);
822 if (bss == NULL)
823 return 0;
824 if (os_memcmp(mgmt->da, mgmt->bssid, ETH_ALEN) == 0)
825 sta = sta_get(bss, mgmt->sa);
826 else
827 sta = sta_get(bss, mgmt->da);
828 if (sta == NULL)
829 return 0;
830
831 if (sta->rsn_capab & WPA_CAPABILITY_MFPC) {
832 wpa_printf(MSG_INFO, "Robust individually-addressed "
833 "management frame sent without CCMP by "
834 MACSTR, MAC2STR(mgmt->sa));
835 return -1;
836 }
837
838 return 0;
839}
840
841
2d73f0a8
JM		 842void rx_mgmt(struct wlantest *wt, const u8 *data, size_t len)
843{
844 const struct ieee80211_hdr *hdr;
845 u16 fc, stype;
47fe6880
JM		 846 int valid = 1;
847 u8 *decrypted = NULL;
848 size_t dlen;
2d73f0a8
JM		 849
850 if (len < 24)
851 return;
852
853 hdr = (const struct ieee80211_hdr *) data;
854 fc = le_to_host16(hdr->frame_control);
855 wt->rx_mgmt++;
856 stype = WLAN_FC_GET_STYPE(fc);
857
bacc3128
JM		 858 if ((hdr->addr1[0] & 0x01) &&
859 (stype == WLAN_FC_STYPE_DEAUTH ||
860 stype == WLAN_FC_STYPE_DISASSOC ||
2102ecf0
JM		 861 stype == WLAN_FC_STYPE_ACTION)) {
862 if (check_bip(wt, data, len) < 0)
863 valid = 0;
864 }
bacc3128 865
2d73f0a8
JM		 866 wpa_printf((stype == WLAN_FC_STYPE_BEACON ||
867 stype == WLAN_FC_STYPE_PROBE_RESP ||
868 stype == WLAN_FC_STYPE_PROBE_REQ) ?
869 MSG_EXCESSIVE : MSG_MSGDUMP,
870 "MGMT %s%s%s DA=" MACSTR " SA=" MACSTR " BSSID=" MACSTR,
871 mgmt_stype(stype),
872 fc & WLAN_FC_PWRMGT ? " PwrMgt" : "",
873 fc & WLAN_FC_ISWEP ? " Prot" : "",
874 MAC2STR(hdr->addr1), MAC2STR(hdr->addr2),
875 MAC2STR(hdr->addr3));
876
47fe6880
JM		 877 if ((fc & WLAN_FC_ISWEP) &&
878 !(hdr->addr1[0] & 0x01) &&
879 (stype == WLAN_FC_STYPE_DEAUTH ||
880 stype == WLAN_FC_STYPE_DISASSOC ||
881 stype == WLAN_FC_STYPE_ACTION)) {
882 decrypted = mgmt_ccmp_decrypt(wt, data, len, &dlen);
883 if (decrypted) {
64f45d07 884 write_pcap_decrypted(wt, decrypted, dlen, NULL, 0);
47fe6880
JM		 885 data = decrypted;
886 len = dlen;
887 } else
888 valid = 0;
889 }
890
2102ecf0
JM		 891 if (!(fc & WLAN_FC_ISWEP) &&
892 !(hdr->addr1[0] & 0x01) &&
893 (stype == WLAN_FC_STYPE_DEAUTH ||
894 stype == WLAN_FC_STYPE_DISASSOC ||
895 stype == WLAN_FC_STYPE_ACTION)) {
896 if (check_mgmt_ccmp(wt, data, len) < 0)
897 valid = 0;
898 }
47fe6880 899
2d73f0a8
JM		 900 switch (stype) {
901 case WLAN_FC_STYPE_BEACON:
902 rx_mgmt_beacon(wt, data, len);
903 break;
904 case WLAN_FC_STYPE_PROBE_RESP:
905 rx_mgmt_probe_resp(wt, data, len);
906 break;
907 case WLAN_FC_STYPE_AUTH:
908 rx_mgmt_auth(wt, data, len);
909 break;
910 case WLAN_FC_STYPE_DEAUTH:
47fe6880 911 rx_mgmt_deauth(wt, data, len, valid);
2d73f0a8
JM		 912 break;
913 case WLAN_FC_STYPE_ASSOC_REQ:
914 rx_mgmt_assoc_req(wt, data, len);
915 break;
916 case WLAN_FC_STYPE_ASSOC_RESP:
917 rx_mgmt_assoc_resp(wt, data, len);
918 break;
919 case WLAN_FC_STYPE_REASSOC_REQ:
920 rx_mgmt_reassoc_req(wt, data, len);
921 break;
922 case WLAN_FC_STYPE_REASSOC_RESP:
923 rx_mgmt_reassoc_resp(wt, data, len);
924 break;
925 case WLAN_FC_STYPE_DISASSOC:
47fe6880 926 rx_mgmt_disassoc(wt, data, len, valid);
2d73f0a8 927 break;
0819b65b 928 case WLAN_FC_STYPE_ACTION:
2102ecf0 929 rx_mgmt_action(wt, data, len, valid);
0819b65b 930 break;
2d73f0a8 931 }
47fe6880
JM		 932
933 os_free(decrypted);
2d73f0a8 934}
Unnamed repository; edit this file 'description' to name the repository.