1 | /* |
2 | * Received Management frame processing | |
3 | * Copyright (c) 2010, Jouni Malinen <j@w1.fi> | |
4 | * | |
5 | * This program is free software; you can redistribute it and/or modify | |
6 | * it under the terms of the GNU General Public License version 2 as | |
7 | * published by the Free Software Foundation. | |
8 | * | |
9 | * Alternatively, this software may be distributed under the terms of BSD | |
10 | * license. | |
11 | * | |
12 | * See README and COPYING for more details. | |
13 | */ | |
14 | ||
15 | #include "utils/includes.h" | |
16 | ||
17 | #include "utils/common.h" | |
18 | #include "common/ieee802_11_defs.h" | |
19 | #include "common/ieee802_11_common.h" | |
bacc3128 | 20 | #include "crypto/aes_wrap.h" |
21 | #include "wlantest.h" |
22 | ||
23 | ||
/*
 * mgmt_stype - Map a Management frame subtype to a short printable label
 * @stype: Management frame subtype (WLAN_FC_STYPE_*)
 * Returns: Static string naming the subtype, or "??" for an unknown value
 */
static const char * mgmt_stype(u16 stype)
{
	static const struct {
		u16 stype;
		const char *label;
	} labels[] = {
		{ WLAN_FC_STYPE_ASSOC_REQ, "ASSOC-REQ" },
		{ WLAN_FC_STYPE_ASSOC_RESP, "ASSOC-RESP" },
		{ WLAN_FC_STYPE_REASSOC_REQ, "REASSOC-REQ" },
		{ WLAN_FC_STYPE_REASSOC_RESP, "REASSOC-RESP" },
		{ WLAN_FC_STYPE_PROBE_REQ, "PROBE-REQ" },
		{ WLAN_FC_STYPE_PROBE_RESP, "PROBE-RESP" },
		{ WLAN_FC_STYPE_BEACON, "BEACON" },
		{ WLAN_FC_STYPE_ATIM, "ATIM" },
		{ WLAN_FC_STYPE_DISASSOC, "DISASSOC" },
		{ WLAN_FC_STYPE_AUTH, "AUTH" },
		{ WLAN_FC_STYPE_DEAUTH, "DEAUTH" },
		{ WLAN_FC_STYPE_ACTION, "ACTION" },
	};
	size_t i;

	for (i = 0; i < sizeof(labels) / sizeof(labels[0]); i++) {
		if (labels[i].stype == stype)
			return labels[i].label;
	}

	return "??";
}
54 | ||
55 | ||
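/*
 * rx_mgmt_beacon - Process a received Beacon frame
 * @wt: wlantest context
 * @data: Frame starting from the 802.11 header
 * @len: Length of @data in octets (rx_mgmt() guarantees at least 24)
 *
 * Updates the BSS entry for the frame's BSSID from the Beacon's Capability
 * field and IEs, unless a Probe Response has already been seen for that BSS
 * (Probe Response data takes precedence). A parse error is reported once per
 * BSS.
 */
static void rx_mgmt_beacon(struct wlantest *wt, const u8 *data, size_t len)
{
	const struct ieee80211_mgmt *mgmt;
	struct wlantest_bss *bss;
	struct ieee802_11_elems elems;

	mgmt = (const struct ieee80211_mgmt *) data;
	bss = bss_get(wt, mgmt->bssid);
	if (bss == NULL)
		return;
	if (bss->proberesp_seen)
		return; /* do not override with Beacon data */

	/*
	 * Beacon fixed fields (Timestamp, Beacon Interval, Capability) take
	 * 12 octets after the 24-octet header. Only the header is guaranteed
	 * by the caller; without this check capab_info would be read past the
	 * frame and the size_t IE length below would underflow.
	 */
	if (len < 24 + 12) {
		wpa_printf(MSG_INFO, "Too short Beacon frame from " MACSTR,
			   MAC2STR(mgmt->sa));
		return;
	}

	bss->capab_info = le_to_host16(mgmt->u.beacon.capab_info);
	if (ieee802_11_parse_elems(mgmt->u.beacon.variable,
				   len - (mgmt->u.beacon.variable - data),
				   &elems, 0) == ParseFailed) {
		if (bss->parse_error_reported)
			return;
		wpa_printf(MSG_INFO, "Invalid IEs in a Beacon frame from "
			   MACSTR, MAC2STR(mgmt->sa));
		bss->parse_error_reported = 1;
		return;
	}

	bss_update(wt, bss, &elems);
}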
82 | ||
83 | ||
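/*
 * rx_mgmt_probe_resp - Process a received Probe Response frame
 * @wt: wlantest context
 * @data: Frame starting from the 802.11 header
 * @len: Length of @data in octets (rx_mgmt() guarantees at least 24)
 *
 * Updates the BSS entry for the frame's BSSID from the Capability field and
 * IEs. A parse error is reported once per BSS.
 */
static void rx_mgmt_probe_resp(struct wlantest *wt, const u8 *data, size_t len)
{
	const struct ieee80211_mgmt *mgmt;
	struct wlantest_bss *bss;
	struct ieee802_11_elems elems;

	mgmt = (const struct ieee80211_mgmt *) data;
	bss = bss_get(wt, mgmt->bssid);
	if (bss == NULL)
		return;

	/*
	 * Probe Response fixed fields (Timestamp, Beacon Interval,
	 * Capability) take 12 octets after the 24-octet header. Only the
	 * header is guaranteed by the caller; without this check capab_info
	 * would be read past the frame and the size_t IE length below would
	 * underflow.
	 */
	if (len < 24 + 12) {
		wpa_printf(MSG_INFO, "Too short Probe Response frame from "
			   MACSTR, MAC2STR(mgmt->sa));
		return;
	}

	bss->capab_info = le_to_host16(mgmt->u.probe_resp.capab_info);
	if (ieee802_11_parse_elems(mgmt->u.probe_resp.variable,
				   len - (mgmt->u.probe_resp.variable - data),
				   &elems, 0) == ParseFailed) {
		if (bss->parse_error_reported)
			return;
		wpa_printf(MSG_INFO, "Invalid IEs in a Probe Response frame "
			   "from " MACSTR, MAC2STR(mgmt->sa));
		bss->parse_error_reported = 1;
		return;
	}

	bss_update(wt, bss, &elems);
}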
109 | ||
110 | ||
/*
 * rx_mgmt_auth - Process a received Authentication frame
 * @wt: wlantest context
 * @data: Frame starting from the 802.11 header
 * @len: Length of @data in octets
 *
 * The STA entry is looked up by DA when the frame was sent by the AP
 * (SA == BSSID) and by SA otherwise. A frame with algorithm 0, transaction
 * sequence 2 and status 0 moves a STA from State 1 to State 2; any other
 * combination only gets logged.
 */
static void rx_mgmt_auth(struct wlantest *wt, const u8 *data, size_t len)
{
	const struct ieee80211_mgmt *frame;
	struct wlantest_bss *bss;
	struct wlantest_sta *sta;
	int from_ap;
	u16 alg, trans, status;

	frame = (const struct ieee80211_mgmt *) data;
	bss = bss_get(wt, frame->bssid);
	if (!bss)
		return;

	from_ap = os_memcmp(frame->sa, frame->bssid, ETH_ALEN) == 0;
	sta = sta_get(bss, from_ap ? frame->da : frame->sa);
	if (!sta)
		return;

	/* Fixed fields: Auth Algorithm, Transaction Seq, Status Code */
	if (len < 24 + 6) {
		wpa_printf(MSG_INFO, "Too short Authentication frame from "
			   MACSTR, MAC2STR(frame->sa));
		return;
	}

	alg = le_to_host16(frame->u.auth.auth_alg);
	trans = le_to_host16(frame->u.auth.auth_transaction);
	status = le_to_host16(frame->u.auth.status_code);

	wpa_printf(MSG_DEBUG, "AUTH " MACSTR " -> " MACSTR
		   " (alg=%u trans=%u status=%u)",
		   MAC2STR(frame->sa), MAC2STR(frame->da), alg, trans, status);

	if (alg != 0 || trans != 2 || status != 0)
		return;
	if (sta->state != STATE1)
		return;

	wpa_printf(MSG_DEBUG, "STA " MACSTR
		   " moved to State 2 with " MACSTR,
		   MAC2STR(sta->addr), MAC2STR(bss->bssid));
	sta->state = STATE2;
}
152 | ||
153 | ||
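/*
 * rx_mgmt_deauth - Process a received Deauthentication frame
 * @wt: wlantest context
 * @data: Frame starting from the 802.11 header (plaintext; rx_mgmt() has
 *	already decrypted a protected frame)
 * @len: Length of @data in octets
 * @valid: 0 if the frame was protected but could not be decrypted or
 *	verified; such frames are logged but do not change STA state
 *
 * The STA entry is looked up by DA when the frame was sent by the AP
 * (SA == BSSID) and by SA otherwise. A valid Deauthentication moves the STA
 * back to State 1.
 */
static void rx_mgmt_deauth(struct wlantest *wt, const u8 *data, size_t len,
			   int valid)
{
	const struct ieee80211_mgmt *mgmt;
	struct wlantest_bss *bss;
	struct wlantest_sta *sta;

	mgmt = (const struct ieee80211_mgmt *) data;
	bss = bss_get(wt, mgmt->bssid);
	if (bss == NULL)
		return;
	if (os_memcmp(mgmt->sa, mgmt->bssid, ETH_ALEN) == 0)
		sta = sta_get(bss, mgmt->da);
	else
		sta = sta_get(bss, mgmt->sa);
	if (sta == NULL)
		return;

	/* Fixed field: Reason Code */
	if (len < 24 + 2) {
		wpa_printf(MSG_INFO, "Too short Deauthentication frame from "
			   MACSTR, MAC2STR(mgmt->sa));
		return;
	}

	wpa_printf(MSG_DEBUG, "DEAUTH " MACSTR " -> " MACSTR
		   " (reason=%u)",
		   MAC2STR(mgmt->sa), MAC2STR(mgmt->da),
		   le_to_host16(mgmt->u.deauth.reason_code));
	wpa_hexdump(MSG_MSGDUMP, "DEAUTH payload", data + 24, len - 24);

	if (!valid) {
		/* This is the Deauthentication handler; the message must
		 * name the right frame type. */
		wpa_printf(MSG_INFO, "Do not change STA " MACSTR " State "
			   "since Deauthentication frame was not protected "
			   "correctly", MAC2STR(sta->addr));
		return;
	}

	if (sta->state != STATE1) {
		wpa_printf(MSG_DEBUG, "STA " MACSTR
			   " moved to State 1 with " MACSTR,
			   MAC2STR(sta->addr), MAC2STR(bss->bssid));
		sta->state = STATE1;
	}
}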
198 | ||
199 | ||
/*
 * rx_mgmt_assoc_req - Process a received Association Request frame
 * @wt: wlantest context
 * @data: Frame starting from the 802.11 header
 * @len: Length of @data in octets
 *
 * Logs the fixed fields and, if the IEs parse, records the STA's
 * association parameters via sta_update_assoc(). Frames with invalid IEs
 * are reported and otherwise ignored.
 */
static void rx_mgmt_assoc_req(struct wlantest *wt, const u8 *data, size_t len)
{
	const struct ieee80211_mgmt *req;
	struct wlantest_bss *bss;
	struct wlantest_sta *sta;
	struct ieee802_11_elems elems;
	size_t ie_len;

	req = (const struct ieee80211_mgmt *) data;
	bss = bss_get(wt, req->bssid);
	if (!bss)
		return;
	sta = sta_get(bss, req->sa);
	if (!sta)
		return;

	/* Fixed fields: Capability, Listen Interval */
	if (len < 24 + 4) {
		wpa_printf(MSG_INFO, "Too short Association Request frame "
			   "from " MACSTR, MAC2STR(req->sa));
		return;
	}

	wpa_printf(MSG_DEBUG, "ASSOCREQ " MACSTR " -> " MACSTR
		   " (capab=0x%x listen_int=%u)",
		   MAC2STR(req->sa), MAC2STR(req->da),
		   le_to_host16(req->u.assoc_req.capab_info),
		   le_to_host16(req->u.assoc_req.listen_interval));

	ie_len = len - (req->u.assoc_req.variable - data);
	if (ieee802_11_parse_elems(req->u.assoc_req.variable, ie_len,
				   &elems, 0) == ParseFailed) {
		wpa_printf(MSG_INFO, "Invalid IEs in Association Request "
			   "frame from " MACSTR, MAC2STR(req->sa));
		return;
	}

	sta_update_assoc(sta, &elems);
}
237 | ||
238 | ||
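/*
 * rx_mgmt_assoc_resp - Process a received Association Response frame
 * @wt: wlantest context
 * @data: Frame starting from the 802.11 header
 * @len: Length of @data in octets
 *
 * On a successful response (status 0) records the STA's AID and moves the
 * STA to State 3. Responses with a non-zero status are only logged.
 */
static void rx_mgmt_assoc_resp(struct wlantest *wt, const u8 *data, size_t len)
{
	const struct ieee80211_mgmt *mgmt;
	struct wlantest_bss *bss;
	struct wlantest_sta *sta;
	u16 capab, status, aid;

	mgmt = (const struct ieee80211_mgmt *) data;
	bss = bss_get(wt, mgmt->bssid);
	if (bss == NULL)
		return;
	sta = sta_get(bss, mgmt->da);
	if (sta == NULL)
		return;

	/* Fixed fields: Capability, Status Code, AID */
	if (len < 24 + 6) {
		wpa_printf(MSG_INFO, "Too short Association Response frame "
			   "from " MACSTR, MAC2STR(mgmt->sa));
		return;
	}

	capab = le_to_host16(mgmt->u.assoc_resp.capab_info);
	status = le_to_host16(mgmt->u.assoc_resp.status_code);
	aid = le_to_host16(mgmt->u.assoc_resp.aid);

	wpa_printf(MSG_DEBUG, "ASSOCRESP " MACSTR " -> " MACSTR
		   " (capab=0x%x status=%u aid=%u)",
		   MAC2STR(mgmt->sa), MAC2STR(mgmt->da), capab, status,
		   aid & 0x3fff);

	if (status)
		return;

	if ((aid & 0xc000) != 0xc000) {
		wpa_printf(MSG_DEBUG, "Two MSBs of the AID were not set to 1 "
			   "in Association Response from " MACSTR,
			   MAC2STR(mgmt->sa));
	}
	/*
	 * The two MSBs of the AID field are fixed to 1; the AID itself is the
	 * low 14 bits (the value printed above), so mask those bits in, not
	 * the flag bits.
	 */
	sta->aid = aid & 0x3fff;

	if (sta->state < STATE2) {
		wpa_printf(MSG_DEBUG, "STA " MACSTR " was not in State 2 when "
			   "getting associated", MAC2STR(sta->addr));
	}

	if (sta->state < STATE3) {
		wpa_printf(MSG_DEBUG, "STA " MACSTR
			   " moved to State 3 with " MACSTR,
			   MAC2STR(sta->addr), MAC2STR(bss->bssid));
		sta->state = STATE3;
	}
}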
291 | ||
292 | ||
/*
 * rx_mgmt_reassoc_req - Process a received Reassociation Request frame
 * @wt: wlantest context
 * @data: Frame starting from the 802.11 header
 * @len: Length of @data in octets
 *
 * Logs the fixed fields (including the Current AP address) and, if the IEs
 * parse, records the STA's association parameters via sta_update_assoc().
 * Frames with invalid IEs are reported and otherwise ignored.
 */
static void rx_mgmt_reassoc_req(struct wlantest *wt, const u8 *data,
				size_t len)
{
	const struct ieee80211_mgmt *req;
	struct wlantest_bss *bss;
	struct wlantest_sta *sta;
	struct ieee802_11_elems elems;
	size_t ie_len;

	req = (const struct ieee80211_mgmt *) data;
	bss = bss_get(wt, req->bssid);
	if (!bss)
		return;
	sta = sta_get(bss, req->sa);
	if (!sta)
		return;

	/* Fixed fields: Capability, Listen Interval, Current AP address */
	if (len < 24 + 4 + ETH_ALEN) {
		wpa_printf(MSG_INFO, "Too short Reassociation Request frame "
			   "from " MACSTR, MAC2STR(req->sa));
		return;
	}

	wpa_printf(MSG_DEBUG, "REASSOCREQ " MACSTR " -> " MACSTR
		   " (capab=0x%x listen_int=%u current_ap=" MACSTR ")",
		   MAC2STR(req->sa), MAC2STR(req->da),
		   le_to_host16(req->u.reassoc_req.capab_info),
		   le_to_host16(req->u.reassoc_req.listen_interval),
		   MAC2STR(req->u.reassoc_req.current_ap));

	ie_len = len - (req->u.reassoc_req.variable - data);
	if (ieee802_11_parse_elems(req->u.reassoc_req.variable, ie_len,
				   &elems, 0) == ParseFailed) {
		wpa_printf(MSG_INFO, "Invalid IEs in Reassociation Request "
			   "frame from " MACSTR, MAC2STR(req->sa));
		return;
	}

	sta_update_assoc(sta, &elems);
}
332 | ||
333 | ||
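/*
 * rx_mgmt_reassoc_resp - Process a received Reassociation Response frame
 * @wt: wlantest context
 * @data: Frame starting from the 802.11 header
 * @len: Length of @data in octets
 *
 * On a successful response (status 0) records the STA's AID and moves the
 * STA to State 3. Responses with a non-zero status are only logged.
 */
static void rx_mgmt_reassoc_resp(struct wlantest *wt, const u8 *data,
				 size_t len)
{
	const struct ieee80211_mgmt *mgmt;
	struct wlantest_bss *bss;
	struct wlantest_sta *sta;
	u16 capab, status, aid;

	mgmt = (const struct ieee80211_mgmt *) data;
	bss = bss_get(wt, mgmt->bssid);
	if (bss == NULL)
		return;
	sta = sta_get(bss, mgmt->da);
	if (sta == NULL)
		return;

	/* Fixed fields: Capability, Status Code, AID */
	if (len < 24 + 6) {
		wpa_printf(MSG_INFO, "Too short Reassociation Response frame "
			   "from " MACSTR, MAC2STR(mgmt->sa));
		return;
	}

	capab = le_to_host16(mgmt->u.reassoc_resp.capab_info);
	status = le_to_host16(mgmt->u.reassoc_resp.status_code);
	aid = le_to_host16(mgmt->u.reassoc_resp.aid);

	wpa_printf(MSG_DEBUG, "REASSOCRESP " MACSTR " -> " MACSTR
		   " (capab=0x%x status=%u aid=%u)",
		   MAC2STR(mgmt->sa), MAC2STR(mgmt->da), capab, status,
		   aid & 0x3fff);

	if (status)
		return;

	if ((aid & 0xc000) != 0xc000) {
		wpa_printf(MSG_DEBUG, "Two MSBs of the AID were not set to 1 "
			   "in Reassociation Response from " MACSTR,
			   MAC2STR(mgmt->sa));
	}
	/*
	 * The two MSBs of the AID field are fixed to 1; the AID itself is the
	 * low 14 bits (the value printed above), so mask those bits in, not
	 * the flag bits.
	 */
	sta->aid = aid & 0x3fff;

	if (sta->state < STATE2) {
		wpa_printf(MSG_DEBUG, "STA " MACSTR " was not in State 2 when "
			   "getting associated", MAC2STR(sta->addr));
	}

	if (sta->state < STATE3) {
		wpa_printf(MSG_DEBUG, "STA " MACSTR
			   " moved to State 3 with " MACSTR,
			   MAC2STR(sta->addr), MAC2STR(bss->bssid));
		sta->state = STATE3;
	}
}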
387 | ||
388 | ||
/*
 * rx_mgmt_disassoc - Process a received Disassociation frame
 * @wt: wlantest context
 * @data: Frame starting from the 802.11 header (plaintext; rx_mgmt() has
 *	already decrypted a protected frame)
 * @len: Length of @data in octets
 * @valid: 0 if the frame was protected but could not be decrypted or
 *	verified; such frames are logged but do not change STA state
 *
 * The STA entry is looked up by DA when the frame was sent by the AP
 * (SA == BSSID) and by SA otherwise. A valid Disassociation moves a STA
 * that is above State 2 back to State 2.
 */
static void rx_mgmt_disassoc(struct wlantest *wt, const u8 *data, size_t len,
			     int valid)
{
	const struct ieee80211_mgmt *frame;
	struct wlantest_bss *bss;
	struct wlantest_sta *sta;
	int from_ap;

	frame = (const struct ieee80211_mgmt *) data;
	bss = bss_get(wt, frame->bssid);
	if (!bss)
		return;

	from_ap = os_memcmp(frame->sa, frame->bssid, ETH_ALEN) == 0;
	sta = sta_get(bss, from_ap ? frame->da : frame->sa);
	if (!sta)
		return;

	/* Fixed field: Reason Code */
	if (len < 24 + 2) {
		wpa_printf(MSG_INFO, "Too short Disassociation frame from "
			   MACSTR, MAC2STR(frame->sa));
		return;
	}

	wpa_printf(MSG_DEBUG, "DISASSOC " MACSTR " -> " MACSTR
		   " (reason=%u)",
		   MAC2STR(frame->sa), MAC2STR(frame->da),
		   le_to_host16(frame->u.disassoc.reason_code));
	wpa_hexdump(MSG_MSGDUMP, "DISASSOC payload", data + 24, len - 24);

	if (!valid) {
		wpa_printf(MSG_INFO, "Do not change STA " MACSTR " State "
			   "since Disassociation frame was not protected "
			   "correctly", MAC2STR(sta->addr));
		return;
	}

	if (sta->state < STATE2) {
		wpa_printf(MSG_DEBUG, "STA " MACSTR " was not in State 2 or 3 "
			   "when getting disassociated", MAC2STR(sta->addr));
	}

	if (sta->state <= STATE2)
		return;

	wpa_printf(MSG_DEBUG, "STA " MACSTR
		   " moved to State 2 with " MACSTR,
		   MAC2STR(sta->addr), MAC2STR(bss->bssid));
	sta->state = STATE2;
}
438 | ||
439 | ||
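/*
 * check_mmie_mic - Verify the BIP MIC carried in a frame's MMIE
 * @igtk: IGTK (16 octets) to compute AES-128-CMAC with
 * @data: Frame starting from the 802.11 header, with the MMIE as the last
 *	18 octets of the body (EID, Length=16, KeyID, IPN, 8-octet MIC)
 * @len: Length of @data in octets
 * Returns: 0 if the computed MIC matches the one in the MMIE, -1 on a
 * mismatch, a too-short frame, or an allocation/CMAC failure
 */
static int check_mmie_mic(const u8 *igtk, const u8 *data, size_t len)
{
	u8 *buf;
	u8 mic[16];
	u16 fc;
	const struct ieee80211_hdr *hdr;
	size_t aad_body_len;
	int res;

	/*
	 * check_bip() only calls this after locating an MMIE, but the size_t
	 * arithmetic below (len - 24 - 8) must never underflow if this helper
	 * is reused: require the header plus a full MMIE.
	 */
	if (len < 24 + 18)
		return -1;

	/* 20-octet AAD followed by the frame body */
	aad_body_len = 20 + (len - 24);
	buf = os_malloc(aad_body_len);
	if (buf == NULL)
		return -1;

	/* BIP AAD: FC(masked) A1 A2 A3 */
	hdr = (const struct ieee80211_hdr *) data;
	fc = le_to_host16(hdr->frame_control);
	fc &= ~(WLAN_FC_RETRY | WLAN_FC_PWRMGT | WLAN_FC_MOREDATA);
	WPA_PUT_LE16(buf, fc);
	os_memcpy(buf + 2, hdr->addr1, 3 * ETH_ALEN);

	/* Frame body with MMIE MIC masked to zero */
	os_memcpy(buf + 20, data + 24, len - 24 - 8);
	os_memset(buf + 20 + len - 24 - 8, 0, 8);

	wpa_hexdump(MSG_MSGDUMP, "BIP: AAD|Body(masked)", buf, aad_body_len);
	/* MIC = L(AES-128-CMAC(AAD || Frame Body(masked)), 0, 64) */
	res = omac1_aes_128(igtk, buf, aad_body_len, mic);
	os_free(buf);
	if (res < 0)
		return -1;

	/* Only the first 64 bits of the CMAC are carried in the MMIE */
	if (os_memcmp(data + len - 8, mic, 8) != 0)
		return -1;

	return 0;
}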
476 | ||
477 | ||
/*
 * check_bip - Validate BIP protection of a group-addressed robust frame
 * @wt: wlantest context
 * @data: Frame starting from the 802.11 header
 * @len: Length of @data in octets (caller guarantees at least 24)
 * Returns: -1 if the frame lacks an MMIE while an IGTK is known for the
 * BSS, or its MMIE MIC does not verify; 0 otherwise, including the cases
 * where no check is possible (unknown BSS, unexpected or unknown KeyID) or
 * needed (Public Action frame)
 *
 * An IPN that is not larger than the last accepted one is reported as a
 * replay but the MIC is still checked; the stored IPN advances only after a
 * valid MIC.
 */
static int check_bip(struct wlantest *wt, const u8 *data, size_t len)
{
	const struct ieee80211_mgmt *mgmt;
	struct wlantest_bss *bss;
	const u8 *mmie;
	int keyid;
	u16 fc;
	int has_mmie;

	mgmt = (const struct ieee80211_mgmt *) data;
	fc = le_to_host16(mgmt->frame_control);

	if (WLAN_FC_GET_STYPE(fc) == WLAN_FC_STYPE_ACTION) {
		/* Public Action frames are not robust management frames */
		if (len < 24 + 1 ||
		    mgmt->u.action.category == WLAN_ACTION_PUBLIC)
			return 0;
	}

	bss = bss_get(wt, mgmt->bssid);
	if (!bss)
		return 0; /* No key known yet */

	/* MMIE is the last 18 octets of the body: EID, Length=16, payload */
	has_mmie = len >= 24 + 18 && data[len - 18] == WLAN_EID_MMIE &&
		data[len - 17] == 16;
	if (!has_mmie) {
		/* TODO: use MFPC flag in RSN IE instead of IGTK flags */
		if (!bss->igtk_set[4] && !bss->igtk_set[5])
			return 0;
		wpa_printf(MSG_INFO, "Robust group-addressed "
			   "management frame sent without BIP by "
			   MACSTR, MAC2STR(mgmt->sa));
		return -1;
	}

	/* MMIE payload: KeyID(2) IPN(6) MIC(8) */
	mmie = data + len - 16;
	keyid = WPA_GET_LE16(mmie);
	if (keyid != 4 && keyid != 5) {
		wpa_printf(MSG_INFO, "Unexpected MMIE KeyID %u from " MACSTR,
			   keyid, MAC2STR(mgmt->sa));
		return 0;
	}
	wpa_printf(MSG_DEBUG, "MMIE KeyID %u", keyid);
	wpa_hexdump(MSG_MSGDUMP, "MMIE IPN", mmie + 2, 6);
	wpa_hexdump(MSG_MSGDUMP, "MMIE MIC", mmie + 8, 8);

	if (!bss->igtk_set[keyid]) {
		wpa_printf(MSG_DEBUG, "No IGTK known to validate BIP frame");
		return 0;
	}

	if (os_memcmp(mmie + 2, bss->ipn[keyid], 6) <= 0) {
		wpa_printf(MSG_INFO, "BIP replay detected: SA=" MACSTR,
			   MAC2STR(mgmt->sa));
		wpa_hexdump(MSG_INFO, "RX IPN", mmie + 2, 6);
		wpa_hexdump(MSG_INFO, "Last RX IPN", bss->ipn[keyid], 6);
	}

	if (check_mmie_mic(bss->igtk[keyid], data, len) < 0) {
		wpa_printf(MSG_INFO, "Invalid MMIE MIC in a frame from "
			   MACSTR, MAC2STR(mgmt->sa));
		return -1;
	}

	wpa_printf(MSG_DEBUG, "Valid MMIE MIC");
	os_memcpy(bss->ipn[keyid], mmie + 2, 6);

	return 0;
}
548 | ||
549 | ||
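/*
 * mgmt_ccmp_decrypt - Decrypt an individually addressed protected Mgmt frame
 * @wt: wlantest context
 * @data: Frame starting from the 802.11 header (24 octets), followed by the
 *	CCMP header and the encrypted body
 * @len: Length of @data in octets (caller guarantees at least 24)
 * @dlen: On success, set to the length of the returned buffer; not
 *	meaningful when NULL is returned
 * Returns: Newly allocated buffer holding the plaintext frame (MAC header +
 * decrypted body), or NULL if no PTK is known, the frame is too short,
 * decryption fails, or allocation fails. The caller owns the returned
 * buffer and releases it with os_free().
 *
 * The received PN is compared with the stored counter for the frame's
 * direction; a replay is reported but the frame is still decrypted. The
 * counter is advanced only after successful decryption.
 */
static u8 * mgmt_ccmp_decrypt(struct wlantest *wt, const u8 *data, size_t len,
			      size_t *dlen)
{
	struct wlantest_bss *bss;
	struct wlantest_sta *sta;
	const struct ieee80211_hdr *hdr;
	int keyid;
	u8 *decrypted, *frame;
	u8 pn[6], *rsc;

	hdr = (const struct ieee80211_hdr *) data;
	bss = bss_get(wt, hdr->addr3);
	if (bss == NULL)
		return NULL;
	/* Frames from the AP (A1 == BSSID) identify the STA by A2 */
	if (os_memcmp(hdr->addr1, hdr->addr3, ETH_ALEN) == 0)
		sta = sta_get(bss, hdr->addr2);
	else
		sta = sta_get(bss, hdr->addr1);
	if (sta == NULL || !sta->ptk_set) {
		wpa_printf(MSG_MSGDUMP, "No PTK known to decrypt the frame");
		return NULL;
	}

	/*
	 * A CCMP-protected body carries at least the 8-octet CCMP header and
	 * the 8-octet MIC; the KeyID lookup below reads into the CCMP header,
	 * so reject shorter frames before touching it.
	 */
	if (len < 24 + 8 + 8) {
		wpa_printf(MSG_INFO, "Too short protected Management frame "
			   "from " MACSTR, MAC2STR(hdr->addr2));
		return NULL;
	}

	/*
	 * The CCMP header starts right after the 24-octet MAC header and its
	 * fourth octet holds the KeyID in the two MSBs. Octet 3 of the frame
	 * itself is part of the Duration/ID field and says nothing about
	 * the key.
	 */
	keyid = data[24 + 3] >> 6;
	if (keyid != 0) {
		wpa_printf(MSG_INFO, "Unexpected non-zero KeyID %d in "
			   "individually addressed Management frame from "
			   MACSTR, keyid, MAC2STR(hdr->addr2));
	}

	/*
	 * NOTE(review): index 16 appears to be the slot reserved for
	 * Management frames (TIDs 0-15 for data) - confirm against the
	 * declaration in wlantest.h.
	 */
	if (os_memcmp(hdr->addr1, hdr->addr3, ETH_ALEN) == 0)
		rsc = sta->rsc_tods[16];
	else
		rsc = sta->rsc_fromds[16];

	/*
	 * NOTE(review): ccmp_decrypt() below is handed the CCMP header at
	 * data + 24; confirm whether ccmp_get_pn() expects that same offset
	 * rather than the start of the frame, otherwise the replay check
	 * compares against bytes of the MAC header.
	 */
	ccmp_get_pn(pn, data);
	if (os_memcmp(pn, rsc, 6) <= 0) {
		wpa_printf(MSG_INFO, "CCMP/TKIP replay detected: SA=" MACSTR,
			   MAC2STR(hdr->addr2));
		wpa_hexdump(MSG_INFO, "RX PN", pn, 6);
		wpa_hexdump(MSG_INFO, "RSC", rsc, 6);
	}

	decrypted = ccmp_decrypt(sta->ptk.tk1, hdr, data + 24, len - 24, dlen);
	if (decrypted == NULL) {
		/*
		 * Nothing to assemble; *dlen is undefined here, so it must
		 * not be used to size an allocation or copy from a NULL
		 * body.
		 */
		return NULL;
	}
	/* Decryption verified the MIC, so the counter may advance */
	os_memcpy(rsc, pn, 6);

	frame = os_malloc(24 + *dlen);
	if (frame) {
		os_memcpy(frame, data, 24);
		os_memcpy(frame + 24, decrypted, *dlen);
		*dlen += 24;
	}

	os_free(decrypted);

	return frame;
}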
608 | ||
609 | ||
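/*
 * rx_mgmt - Entry point for a received Management frame
 * @wt: wlantest context
 * @data: Frame starting from the 802.11 header
 * @len: Length of @data in octets; frames shorter than the 24-octet header
 *	are dropped
 *
 * Checks the protection of robust Management frames (Deauthentication,
 * Disassociation, Action): BIP for group-addressed frames and CCMP for
 * individually addressed protected frames, which are decrypted in place of
 * @data before dispatch. The Deauthentication and Disassociation handlers
 * receive a 'valid' flag so that frames whose protection failed do not
 * change STA state.
 */
void rx_mgmt(struct wlantest *wt, const u8 *data, size_t len)
{
	const struct ieee80211_hdr *hdr;
	u16 fc, stype;
	int valid = 1;
	u8 *decrypted = NULL;
	size_t dlen = 0;
	int robust_stype;

	if (len < 24)
		return;

	hdr = (const struct ieee80211_hdr *) data;
	fc = le_to_host16(hdr->frame_control);
	wt->rx_mgmt++;
	stype = WLAN_FC_GET_STYPE(fc);

	/* Subtypes that are robust when management frame protection is in
	 * use (Public Action frames are filtered out in check_bip()). */
	robust_stype = stype == WLAN_FC_STYPE_DEAUTH ||
		stype == WLAN_FC_STYPE_DISASSOC ||
		stype == WLAN_FC_STYPE_ACTION;

	/*
	 * Group-addressed robust frames are protected with BIP. A frame that
	 * fails the check (no MMIE while an IGTK is known, or bad MIC) must
	 * be treated like an undecryptable unicast frame: otherwise a forged
	 * broadcast Deauthentication would still reset STA state below.
	 */
	if ((hdr->addr1[0] & 0x01) && robust_stype &&
	    check_bip(wt, data, len) < 0)
		valid = 0;

	wpa_printf((stype == WLAN_FC_STYPE_BEACON ||
		    stype == WLAN_FC_STYPE_PROBE_RESP ||
		    stype == WLAN_FC_STYPE_PROBE_REQ) ?
		   MSG_EXCESSIVE : MSG_MSGDUMP,
		   "MGMT %s%s%s DA=" MACSTR " SA=" MACSTR " BSSID=" MACSTR,
		   mgmt_stype(stype),
		   fc & WLAN_FC_PWRMGT ? " PwrMgt" : "",
		   fc & WLAN_FC_ISWEP ? " Prot" : "",
		   MAC2STR(hdr->addr1), MAC2STR(hdr->addr2),
		   MAC2STR(hdr->addr3));

	/* Individually addressed protected robust frames use CCMP */
	if ((fc & WLAN_FC_ISWEP) && !(hdr->addr1[0] & 0x01) && robust_stype) {
		decrypted = mgmt_ccmp_decrypt(wt, data, len, &dlen);
		if (decrypted) {
			data = decrypted;
			len = dlen;
		} else
			valid = 0;
	}

	switch (stype) {
	case WLAN_FC_STYPE_BEACON:
		rx_mgmt_beacon(wt, data, len);
		break;
	case WLAN_FC_STYPE_PROBE_RESP:
		rx_mgmt_probe_resp(wt, data, len);
		break;
	case WLAN_FC_STYPE_AUTH:
		rx_mgmt_auth(wt, data, len);
		break;
	case WLAN_FC_STYPE_DEAUTH:
		rx_mgmt_deauth(wt, data, len, valid);
		break;
	case WLAN_FC_STYPE_ASSOC_REQ:
		rx_mgmt_assoc_req(wt, data, len);
		break;
	case WLAN_FC_STYPE_ASSOC_RESP:
		rx_mgmt_assoc_resp(wt, data, len);
		break;
	case WLAN_FC_STYPE_REASSOC_REQ:
		rx_mgmt_reassoc_req(wt, data, len);
		break;
	case WLAN_FC_STYPE_REASSOC_RESP:
		rx_mgmt_reassoc_resp(wt, data, len);
		break;
	case WLAN_FC_STYPE_DISASSOC:
		rx_mgmt_disassoc(wt, data, len, valid);
		break;
	default:
		/* Other subtypes are only logged above */
		break;
	}

	/* Owned copy from mgmt_ccmp_decrypt(), if any; free(NULL) is fine */
	os_free(decrypted);
}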