[thirdparty/hostap.git] / wlantest / rx_mgmt.c

/*
 * Received Management frame processing
 * Copyright (c) 2010, Jouni Malinen <j@w1.fi>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 as
 * published by the Free Software Foundation.
 *
 * Alternatively, this software may be distributed under the terms of BSD
 * license.
 *
 * See README and COPYING for more details.
 */

#include "utils/includes.h"

#include "utils/common.h"
#include "common/ieee802_11_defs.h"
#include "common/ieee802_11_common.h"
#include "crypto/aes_wrap.h"
#include "wlantest.h"


static const char * mgmt_stype(u16 stype)
{
	switch (stype) {
	case WLAN_FC_STYPE_ASSOC_REQ:
		return "ASSOC-REQ";
	case WLAN_FC_STYPE_ASSOC_RESP:
		return "ASSOC-RESP";
	case WLAN_FC_STYPE_REASSOC_REQ:
		return "REASSOC-REQ";
	case WLAN_FC_STYPE_REASSOC_RESP:
		return "REASSOC-RESP";
	case WLAN_FC_STYPE_PROBE_REQ:
		return "PROBE-REQ";
	case WLAN_FC_STYPE_PROBE_RESP:
		return "PROBE-RESP";
	case WLAN_FC_STYPE_BEACON:
		return "BEACON";
	case WLAN_FC_STYPE_ATIM:
		return "ATIM";
	case WLAN_FC_STYPE_DISASSOC:
		return "DISASSOC";
	case WLAN_FC_STYPE_AUTH:
		return "AUTH";
	case WLAN_FC_STYPE_DEAUTH:
		return "DEAUTH";
	case WLAN_FC_STYPE_ACTION:
		return "ACTION";
	}
	return "??";
}


static void rx_mgmt_beacon(struct wlantest *wt, const u8 *data, size_t len)
{
	const struct ieee80211_mgmt *mgmt;
	struct wlantest_bss *bss;
	struct ieee802_11_elems elems;

	mgmt = (const struct ieee80211_mgmt *) data;
	bss = bss_get(wt, mgmt->bssid);
	if (bss == NULL)
		return;
	if (bss->proberesp_seen)
		return; /* do not override with Beacon data */
	bss->capab_info = le_to_host16(mgmt->u.beacon.capab_info);
	if (ieee802_11_parse_elems(mgmt->u.beacon.variable,
				   len - (mgmt->u.beacon.variable - data),
				   &elems, 0) == ParseFailed) {
		if (bss->parse_error_reported)
			return;
		wpa_printf(MSG_INFO, "Invalid IEs in a Beacon frame from "
			   MACSTR, MAC2STR(mgmt->sa));
		bss->parse_error_reported = 1;
		return;
	}

	bss_update(wt, bss, &elems);
}


static void rx_mgmt_probe_resp(struct wlantest *wt, const u8 *data, size_t len)
{
	const struct ieee80211_mgmt *mgmt;
	struct wlantest_bss *bss;
	struct ieee802_11_elems elems;

	mgmt = (const struct ieee80211_mgmt *) data;
	bss = bss_get(wt, mgmt->bssid);
	if (bss == NULL)
		return;

	bss->capab_info = le_to_host16(mgmt->u.probe_resp.capab_info);
	if (ieee802_11_parse_elems(mgmt->u.probe_resp.variable,
				   len - (mgmt->u.probe_resp.variable - data),
				   &elems, 0) == ParseFailed) {
		if (bss->parse_error_reported)
			return;
		wpa_printf(MSG_INFO, "Invalid IEs in a Probe Response frame "
			   "from " MACSTR, MAC2STR(mgmt->sa));
		bss->parse_error_reported = 1;
		return;
	}

	bss_update(wt, bss, &elems);
}


static void rx_mgmt_auth(struct wlantest *wt, const u8 *data, size_t len)
{
	const struct ieee80211_mgmt *mgmt;
	struct wlantest_bss *bss;
	struct wlantest_sta *sta;
	u16 alg, trans, status;

	mgmt = (const struct ieee80211_mgmt *) data;
	bss = bss_get(wt, mgmt->bssid);
	if (bss == NULL)
		return;
	if (os_memcmp(mgmt->sa, mgmt->bssid, ETH_ALEN) == 0)
		sta = sta_get(bss, mgmt->da);
	else
		sta = sta_get(bss, mgmt->sa);
	if (sta == NULL)
		return;

	if (len < 24 + 6) {
		wpa_printf(MSG_INFO, "Too short Authentication frame from "
			   MACSTR, MAC2STR(mgmt->sa));
		return;
	}

	alg = le_to_host16(mgmt->u.auth.auth_alg);
	trans = le_to_host16(mgmt->u.auth.auth_transaction);
	status = le_to_host16(mgmt->u.auth.status_code);

	wpa_printf(MSG_DEBUG, "AUTH " MACSTR " -> " MACSTR
		   " (alg=%u trans=%u status=%u)",
		   MAC2STR(mgmt->sa), MAC2STR(mgmt->da), alg, trans, status);

	if (alg == 0 && trans == 2 && status == 0) {
		if (sta->state == STATE1) {
			wpa_printf(MSG_DEBUG, "STA " MACSTR
				   " moved to State 2 with " MACSTR,
				   MAC2STR(sta->addr), MAC2STR(bss->bssid));
			sta->state = STATE2;
		}
	}
}


static void rx_mgmt_deauth(struct wlantest *wt, const u8 *data, size_t len,
			   int valid)
{
	const struct ieee80211_mgmt *mgmt;
	struct wlantest_bss *bss;
	struct wlantest_sta *sta;

	mgmt = (const struct ieee80211_mgmt *) data;
	bss = bss_get(wt, mgmt->bssid);
	if (bss == NULL)
		return;
	if (os_memcmp(mgmt->sa, mgmt->bssid, ETH_ALEN) == 0)
		sta = sta_get(bss, mgmt->da);
	else
		sta = sta_get(bss, mgmt->sa);
	if (sta == NULL)
		return;

	if (len < 24 + 2) {
		wpa_printf(MSG_INFO, "Too short Deauthentication frame from "
			   MACSTR, MAC2STR(mgmt->sa));
		return;
	}

	wpa_printf(MSG_DEBUG, "DEAUTH " MACSTR " -> " MACSTR
		   " (reason=%u)",
		   MAC2STR(mgmt->sa), MAC2STR(mgmt->da),
		   le_to_host16(mgmt->u.deauth.reason_code));
	wpa_hexdump(MSG_MSGDUMP, "DEAUTH payload", data + 24, len - 24);

	if (!valid) {
		wpa_printf(MSG_INFO, "Do not change STA " MACSTR " State "
			   "since Disassociation frame was not protected "
			   "correctly", MAC2STR(sta->addr));
		return;
	}

	if (sta->state != STATE1) {
		wpa_printf(MSG_DEBUG, "STA " MACSTR
			   " moved to State 1 with " MACSTR,
			   MAC2STR(sta->addr), MAC2STR(bss->bssid));
		sta->state = STATE1;
	}
}


static void rx_mgmt_assoc_req(struct wlantest *wt, const u8 *data, size_t len)
{
	const struct ieee80211_mgmt *mgmt;
	struct wlantest_bss *bss;
	struct wlantest_sta *sta;
	struct ieee802_11_elems elems;

	mgmt = (const struct ieee80211_mgmt *) data;
	bss = bss_get(wt, mgmt->bssid);
	if (bss == NULL)
		return;
	sta = sta_get(bss, mgmt->sa);
	if (sta == NULL)
		return;

	if (len < 24 + 4) {
		wpa_printf(MSG_INFO, "Too short Association Request frame "
			   "from " MACSTR, MAC2STR(mgmt->sa));
		return;
	}

	wpa_printf(MSG_DEBUG, "ASSOCREQ " MACSTR " -> " MACSTR
		   " (capab=0x%x listen_int=%u)",
		   MAC2STR(mgmt->sa), MAC2STR(mgmt->da),
		   le_to_host16(mgmt->u.assoc_req.capab_info),
		   le_to_host16(mgmt->u.assoc_req.listen_interval));

	if (ieee802_11_parse_elems(mgmt->u.assoc_req.variable,
				   len - (mgmt->u.assoc_req.variable - data),
				   &elems, 0) == ParseFailed) {
		wpa_printf(MSG_INFO, "Invalid IEs in Association Request "
			   "frame from " MACSTR, MAC2STR(mgmt->sa));
		return;
	}

	sta_update_assoc(sta, &elems);
}


static void rx_mgmt_assoc_resp(struct wlantest *wt, const u8 *data, size_t len)
{
	const struct ieee80211_mgmt *mgmt;
	struct wlantest_bss *bss;
	struct wlantest_sta *sta;
	u16 capab, status, aid;

	mgmt = (const struct ieee80211_mgmt *) data;
	bss = bss_get(wt, mgmt->bssid);
	if (bss == NULL)
		return;
	sta = sta_get(bss, mgmt->da);
	if (sta == NULL)
		return;

	if (len < 24 + 6) {
		wpa_printf(MSG_INFO, "Too short Association Response frame "
			   "from " MACSTR, MAC2STR(mgmt->sa));
		return;
	}

	capab = le_to_host16(mgmt->u.assoc_resp.capab_info);
	status = le_to_host16(mgmt->u.assoc_resp.status_code);
	aid = le_to_host16(mgmt->u.assoc_resp.aid);

	wpa_printf(MSG_DEBUG, "ASSOCRESP " MACSTR " -> " MACSTR
		   " (capab=0x%x status=%u aid=%u)",
		   MAC2STR(mgmt->sa), MAC2STR(mgmt->da), capab, status,
		   aid & 0x3fff);

	if (status)
		return;

	if ((aid & 0xc000) != 0xc000) {
		wpa_printf(MSG_DEBUG, "Two MSBs of the AID were not set to 1 "
			   "in Association Response from " MACSTR,
			   MAC2STR(mgmt->sa));
	}
	sta->aid = aid & 0xc000;

	if (sta->state < STATE2) {
		wpa_printf(MSG_DEBUG, "STA " MACSTR " was not in State 2 when "
			   "getting associated", MAC2STR(sta->addr));
	}

	if (sta->state < STATE3) {
		wpa_printf(MSG_DEBUG, "STA " MACSTR
			   " moved to State 3 with " MACSTR,
			   MAC2STR(sta->addr), MAC2STR(bss->bssid));
		sta->state = STATE3;
	}
}


static void rx_mgmt_reassoc_req(struct wlantest *wt, const u8 *data,
				size_t len)
{
	const struct ieee80211_mgmt *mgmt;
	struct wlantest_bss *bss;
	struct wlantest_sta *sta;
	struct ieee802_11_elems elems;

	mgmt = (const struct ieee80211_mgmt *) data;
	bss = bss_get(wt, mgmt->bssid);
	if (bss == NULL)
		return;
	sta = sta_get(bss, mgmt->sa);
	if (sta == NULL)
		return;

	if (len < 24 + 4 + ETH_ALEN) {
		wpa_printf(MSG_INFO, "Too short Reassociation Request frame "
			   "from " MACSTR, MAC2STR(mgmt->sa));
		return;
	}

	wpa_printf(MSG_DEBUG, "REASSOCREQ " MACSTR " -> " MACSTR
		   " (capab=0x%x listen_int=%u current_ap=" MACSTR ")",
		   MAC2STR(mgmt->sa), MAC2STR(mgmt->da),
		   le_to_host16(mgmt->u.reassoc_req.capab_info),
		   le_to_host16(mgmt->u.reassoc_req.listen_interval),
		   MAC2STR(mgmt->u.reassoc_req.current_ap));

	if (ieee802_11_parse_elems(mgmt->u.reassoc_req.variable,
				   len - (mgmt->u.reassoc_req.variable - data),
				   &elems, 0) == ParseFailed) {
		wpa_printf(MSG_INFO, "Invalid IEs in Reassociation Request "
			   "frame from " MACSTR, MAC2STR(mgmt->sa));
		return;
	}

	sta_update_assoc(sta, &elems);
}


static void rx_mgmt_reassoc_resp(struct wlantest *wt, const u8 *data,
				 size_t len)
{
	const struct ieee80211_mgmt *mgmt;
	struct wlantest_bss *bss;
	struct wlantest_sta *sta;
	u16 capab, status, aid;

	mgmt = (const struct ieee80211_mgmt *) data;
	bss = bss_get(wt, mgmt->bssid);
	if (bss == NULL)
		return;
	sta = sta_get(bss, mgmt->da);
	if (sta == NULL)
		return;

	if (len < 24 + 6) {
		wpa_printf(MSG_INFO, "Too short Reassociation Response frame "
			   "from " MACSTR, MAC2STR(mgmt->sa));
		return;
	}

	capab = le_to_host16(mgmt->u.reassoc_resp.capab_info);
	status = le_to_host16(mgmt->u.reassoc_resp.status_code);
	aid = le_to_host16(mgmt->u.reassoc_resp.aid);

	wpa_printf(MSG_DEBUG, "REASSOCRESP " MACSTR " -> " MACSTR
		   " (capab=0x%x status=%u aid=%u)",
		   MAC2STR(mgmt->sa), MAC2STR(mgmt->da), capab, status,
		   aid & 0x3fff);

	if (status)
		return;

	if ((aid & 0xc000) != 0xc000) {
		wpa_printf(MSG_DEBUG, "Two MSBs of the AID were not set to 1 "
			   "in Reassociation Response from " MACSTR,
			   MAC2STR(mgmt->sa));
	}
	sta->aid = aid & 0xc000;

	if (sta->state < STATE2) {
		wpa_printf(MSG_DEBUG, "STA " MACSTR " was not in State 2 when "
			   "getting associated", MAC2STR(sta->addr));
	}

	if (sta->state < STATE3) {
		wpa_printf(MSG_DEBUG, "STA " MACSTR
			   " moved to State 3 with " MACSTR,
			   MAC2STR(sta->addr), MAC2STR(bss->bssid));
		sta->state = STATE3;
	}
}


static void rx_mgmt_disassoc(struct wlantest *wt, const u8 *data, size_t len,
			     int valid)
{
	const struct ieee80211_mgmt *mgmt;
	struct wlantest_bss *bss;
	struct wlantest_sta *sta;

	mgmt = (const struct ieee80211_mgmt *) data;
	bss = bss_get(wt, mgmt->bssid);
	if (bss == NULL)
		return;
	if (os_memcmp(mgmt->sa, mgmt->bssid, ETH_ALEN) == 0)
		sta = sta_get(bss, mgmt->da);
	else
		sta = sta_get(bss, mgmt->sa);
	if (sta == NULL)
		return;

	if (len < 24 + 2) {
		wpa_printf(MSG_INFO, "Too short Disassociation frame from "
			   MACSTR, MAC2STR(mgmt->sa));
		return;
	}

	wpa_printf(MSG_DEBUG, "DISASSOC " MACSTR " -> " MACSTR
		   " (reason=%u)",
		   MAC2STR(mgmt->sa), MAC2STR(mgmt->da),
		   le_to_host16(mgmt->u.disassoc.reason_code));
	wpa_hexdump(MSG_MSGDUMP, "DISASSOC payload", data + 24, len - 24);

	if (!valid) {
		wpa_printf(MSG_INFO, "Do not change STA " MACSTR " State "
			   "since Disassociation frame was not protected "
			   "correctly", MAC2STR(sta->addr));
		return;
	}

	if (sta->state < STATE2) {
		wpa_printf(MSG_DEBUG, "STA " MACSTR " was not in State 2 or 3 "
			   "when getting disassociated", MAC2STR(sta->addr));
	}

	if (sta->state > STATE2) {
		wpa_printf(MSG_DEBUG, "STA " MACSTR
			   " moved to State 2 with " MACSTR,
			   MAC2STR(sta->addr), MAC2STR(bss->bssid));
		sta->state = STATE2;
	}
}


static int check_mmie_mic(const u8 *igtk, const u8 *data, size_t len)
{
	u8 *buf;
	u8 mic[16];
	u16 fc;
	const struct ieee80211_hdr *hdr;

	buf = os_malloc(len + 20 - 24);
	if (buf == NULL)
		return -1;

	/* BIP AAD: FC(masked) A1 A2 A3 */
	hdr = (const struct ieee80211_hdr *) data;
	fc = le_to_host16(hdr->frame_control);
	fc &= ~(WLAN_FC_RETRY | WLAN_FC_PWRMGT | WLAN_FC_MOREDATA);
	WPA_PUT_LE16(buf, fc);
	os_memcpy(buf + 2, hdr->addr1, 3 * ETH_ALEN);

	/* Frame body with MMIE MIC masked to zero */
	os_memcpy(buf + 20, data + 24, len - 24 - 8);
	os_memset(buf + 20 + len - 24 - 8, 0, 8);

	wpa_hexdump(MSG_MSGDUMP, "BIP: AAD|Body(masked)", buf, len + 20 - 24);
	/* MIC = L(AES-128-CMAC(AAD || Frame Body(masked)), 0, 64) */
	if (omac1_aes_128(igtk, buf, len + 20 - 24, mic) < 0) {
		os_free(buf);
		return -1;
	}

	os_free(buf);

	if (os_memcmp(data + len - 8, mic, 8) != 0)
		return -1;

	return 0;
}


static int check_bip(struct wlantest *wt, const u8 *data, size_t len)
{
	const struct ieee80211_mgmt *mgmt;
	u16 fc, stype;
	const u8 *mmie;
	int keyid;
	struct wlantest_bss *bss;

	mgmt = (const struct ieee80211_mgmt *) data;
	fc = le_to_host16(mgmt->frame_control);
	stype = WLAN_FC_GET_STYPE(fc);

	if (stype == WLAN_FC_STYPE_ACTION) {
		if (len < 24 + 1)
			return 0;
		if (mgmt->u.action.category == WLAN_ACTION_PUBLIC)
			return 0; /* Not a robust management frame */
	}

	bss = bss_get(wt, mgmt->bssid);
	if (bss == NULL)
		return 0; /* No key known yet */

	if (len < 24 + 18 || data[len - 18] != WLAN_EID_MMIE ||
	    data[len - 17] != 16) {
		/* No MMIE */
		/* TODO: use MFPC flag in RSN IE instead of IGTK flags */
		if (bss->igtk_set[4] || bss->igtk_set[5]) {
			wpa_printf(MSG_INFO, "Robust group-addressed "
				   "management frame sent without BIP by "
				   MACSTR, MAC2STR(mgmt->sa));
			return -1;
		}
		return 0;
	}

	mmie = data + len - 16;
	keyid = WPA_GET_LE16(mmie);
	if (keyid < 4 || keyid > 5) {
		wpa_printf(MSG_INFO, "Unexpected MMIE KeyID %u from " MACSTR,
			   keyid, MAC2STR(mgmt->sa));
		return 0;
	}
	wpa_printf(MSG_DEBUG, "MMIE KeyID %u", keyid);
	wpa_hexdump(MSG_MSGDUMP, "MMIE IPN", mmie + 2, 6);
	wpa_hexdump(MSG_MSGDUMP, "MMIE MIC", mmie + 8, 8);

	if (!bss->igtk_set[keyid]) {
		wpa_printf(MSG_DEBUG, "No IGTK known to validate BIP frame");
		return 0;
	}

	if (os_memcmp(mmie + 2, bss->ipn[keyid], 6) <= 0) {
		wpa_printf(MSG_INFO, "BIP replay detected: SA=" MACSTR,
			   MAC2STR(mgmt->sa));
		wpa_hexdump(MSG_INFO, "RX IPN", mmie + 2, 6);
		wpa_hexdump(MSG_INFO, "Last RX IPN", bss->ipn[keyid], 6);
	}

	if (check_mmie_mic(bss->igtk[keyid], data, len) < 0) {
		wpa_printf(MSG_INFO, "Invalid MMIE MIC in a frame from "
			   MACSTR, MAC2STR(mgmt->sa));
		return -1;
	}

	wpa_printf(MSG_DEBUG, "Valid MMIE MIC");
	os_memcpy(bss->ipn[keyid], mmie + 2, 6);

	return 0;
}


static u8 * mgmt_ccmp_decrypt(struct wlantest *wt, const u8 *data, size_t len,
			      size_t *dlen)
{
	struct wlantest_bss *bss;
	struct wlantest_sta *sta;
	const struct ieee80211_hdr *hdr;
	int keyid;
	u8 *decrypted, *frame;
	u8 pn[6], *rsc;

	hdr = (const struct ieee80211_hdr *) data;
	bss = bss_get(wt, hdr->addr3);
	if (bss == NULL)
		return NULL;
	if (os_memcmp(hdr->addr1, hdr->addr3, ETH_ALEN) == 0)
		sta = sta_get(bss, hdr->addr2);
	else
		sta = sta_get(bss, hdr->addr1);
	if (sta == NULL || !sta->ptk_set) {
		wpa_printf(MSG_MSGDUMP, "No PTK known to decrypt the frame");
		return NULL;
	}

	keyid = data[3] >> 6;
	if (keyid != 0) {
		wpa_printf(MSG_INFO, "Unexpected non-zero KeyID %d in "
			   "individually addressed Management frame from "
			   MACSTR, keyid, MAC2STR(hdr->addr2));
	}

	if (os_memcmp(hdr->addr1, hdr->addr3, ETH_ALEN) == 0)
		rsc = sta->rsc_tods[16];
	else
		rsc = sta->rsc_fromds[16];

	ccmp_get_pn(pn, data);
	if (os_memcmp(pn, rsc, 6) <= 0) {
		wpa_printf(MSG_INFO, "CCMP/TKIP replay detected: SA=" MACSTR,
			   MAC2STR(hdr->addr2));
		wpa_hexdump(MSG_INFO, "RX PN", pn, 6);
		wpa_hexdump(MSG_INFO, "RSC", rsc, 6);
	}

	decrypted = ccmp_decrypt(sta->ptk.tk1, hdr, data + 24, len - 24, dlen);
	if (decrypted)
		os_memcpy(rsc, pn, 6);

	frame = os_malloc(24 + *dlen);
	if (frame) {
		os_memcpy(frame, data, 24);
		os_memcpy(frame + 24, decrypted, *dlen);
		*dlen += 24;
	}

	os_free(decrypted);

	return frame;
}


void rx_mgmt(struct wlantest *wt, const u8 *data, size_t len)
{
	const struct ieee80211_hdr *hdr;
	u16 fc, stype;
	int valid = 1;
	u8 *decrypted = NULL;
	size_t dlen;

	if (len < 24)
		return;

	hdr = (const struct ieee80211_hdr *) data;
	fc = le_to_host16(hdr->frame_control);
	wt->rx_mgmt++;
	stype = WLAN_FC_GET_STYPE(fc);

	if ((hdr->addr1[0] & 0x01) &&
	    (stype == WLAN_FC_STYPE_DEAUTH ||
	     stype == WLAN_FC_STYPE_DISASSOC ||
	     stype == WLAN_FC_STYPE_ACTION))
		check_bip(wt, data, len);

	wpa_printf((stype == WLAN_FC_STYPE_BEACON ||
		    stype == WLAN_FC_STYPE_PROBE_RESP ||
		    stype == WLAN_FC_STYPE_PROBE_REQ) ?
		   MSG_EXCESSIVE : MSG_MSGDUMP,
		   "MGMT %s%s%s DA=" MACSTR " SA=" MACSTR " BSSID=" MACSTR,
		   mgmt_stype(stype),
		   fc & WLAN_FC_PWRMGT ? " PwrMgt" : "",
		   fc & WLAN_FC_ISWEP ? " Prot" : "",
		   MAC2STR(hdr->addr1), MAC2STR(hdr->addr2),
		   MAC2STR(hdr->addr3));

	if ((fc & WLAN_FC_ISWEP) &&
	    !(hdr->addr1[0] & 0x01) &&
	    (stype == WLAN_FC_STYPE_DEAUTH ||
	     stype == WLAN_FC_STYPE_DISASSOC ||
	     stype == WLAN_FC_STYPE_ACTION)) {
		decrypted = mgmt_ccmp_decrypt(wt, data, len, &dlen);
		if (decrypted) {
			data = decrypted;
			len = dlen;
		} else
			valid = 0;
	}


	switch (stype) {
	case WLAN_FC_STYPE_BEACON:
		rx_mgmt_beacon(wt, data, len);
		break;
	case WLAN_FC_STYPE_PROBE_RESP:
		rx_mgmt_probe_resp(wt, data, len);
		break;
	case WLAN_FC_STYPE_AUTH:
		rx_mgmt_auth(wt, data, len);
		break;
	case WLAN_FC_STYPE_DEAUTH:
		rx_mgmt_deauth(wt, data, len, valid);
		break;
	case WLAN_FC_STYPE_ASSOC_REQ:
		rx_mgmt_assoc_req(wt, data, len);
		break;
	case WLAN_FC_STYPE_ASSOC_RESP:
		rx_mgmt_assoc_resp(wt, data, len);
		break;
	case WLAN_FC_STYPE_REASSOC_REQ:
		rx_mgmt_reassoc_req(wt, data, len);
		break;
	case WLAN_FC_STYPE_REASSOC_RESP:
		rx_mgmt_reassoc_resp(wt, data, len);
		break;
	case WLAN_FC_STYPE_DISASSOC:
		rx_mgmt_disassoc(wt, data, len, valid);
		break;
	}

	os_free(decrypted);
}
Commit	Line	Data
2d73f0a8 JM	1	/*
	2	* Received Management frame processing
	3	* Copyright (c) 2010, Jouni Malinen <j@w1.fi>
	4	*
	5	* This program is free software; you can redistribute it and/or modify
	6	* it under the terms of the GNU General Public License version 2 as
	7	* published by the Free Software Foundation.
	8	*
	9	* Alternatively, this software may be distributed under the terms of BSD
	10	* license.
	11	*
	12	* See README and COPYING for more details.
	13	*/
	14
	15	#include "utils/includes.h"
	16
	17	#include "utils/common.h"
	18	#include "common/ieee802_11_defs.h"
	19	#include "common/ieee802_11_common.h"
bacc3128	20	#include "crypto/aes_wrap.h"
2d73f0a8 JM	21	#include "wlantest.h"
	22
	23
	24	static const char * mgmt_stype(u16 stype)
	25	{
	26	switch (stype) {
	27	case WLAN_FC_STYPE_ASSOC_REQ:
	28	return "ASSOC-REQ";
	29	case WLAN_FC_STYPE_ASSOC_RESP:
	30	return "ASSOC-RESP";
	31	case WLAN_FC_STYPE_REASSOC_REQ:
	32	return "REASSOC-REQ";
	33	case WLAN_FC_STYPE_REASSOC_RESP:
	34	return "REASSOC-RESP";
	35	case WLAN_FC_STYPE_PROBE_REQ:
	36	return "PROBE-REQ";
	37	case WLAN_FC_STYPE_PROBE_RESP:
	38	return "PROBE-RESP";
	39	case WLAN_FC_STYPE_BEACON:
	40	return "BEACON";
	41	case WLAN_FC_STYPE_ATIM:
	42	return "ATIM";
	43	case WLAN_FC_STYPE_DISASSOC:
	44	return "DISASSOC";
	45	case WLAN_FC_STYPE_AUTH:
	46	return "AUTH";
	47	case WLAN_FC_STYPE_DEAUTH:
	48	return "DEAUTH";
	49	case WLAN_FC_STYPE_ACTION:
	50	return "ACTION";
	51	}
	52	return "??";
	53	}
	54
	55
	56	static void rx_mgmt_beacon(struct wlantest wt, const u8 data, size_t len)
	57	{
	58	const struct ieee80211_mgmt *mgmt;
	59	struct wlantest_bss *bss;
	60	struct ieee802_11_elems elems;
	61
	62	mgmt = (const struct ieee80211_mgmt *) data;
	63	bss = bss_get(wt, mgmt->bssid);
	64	if (bss == NULL)
	65	return;
	66	if (bss->proberesp_seen)
	67	return; /* do not override with Beacon data */
	68	bss->capab_info = le_to_host16(mgmt->u.beacon.capab_info);
	69	if (ieee802_11_parse_elems(mgmt->u.beacon.variable,
	70	len - (mgmt->u.beacon.variable - data),
	71	&elems, 0) == ParseFailed) {
	72	if (bss->parse_error_reported)
	73	return;
	74	wpa_printf(MSG_INFO, "Invalid IEs in a Beacon frame from "
	75	MACSTR, MAC2STR(mgmt->sa));
	76	bss->parse_error_reported = 1;
	77	return;
	78	}
	79
53650bca	80	bss_update(wt, bss, &elems);
2d73f0a8 JM	81	}
	82
	83
	84	static void rx_mgmt_probe_resp(struct wlantest wt, const u8 data, size_t len)
	85	{
	86	const struct ieee80211_mgmt *mgmt;
	87	struct wlantest_bss *bss;
	88	struct ieee802_11_elems elems;
	89
	90	mgmt = (const struct ieee80211_mgmt *) data;
	91	bss = bss_get(wt, mgmt->bssid);
	92	if (bss == NULL)
	93	return;
	94
	95	bss->capab_info = le_to_host16(mgmt->u.probe_resp.capab_info);
	96	if (ieee802_11_parse_elems(mgmt->u.probe_resp.variable,
	97	len - (mgmt->u.probe_resp.variable - data),
	98	&elems, 0) == ParseFailed) {
	99	if (bss->parse_error_reported)
	100	return;
	101	wpa_printf(MSG_INFO, "Invalid IEs in a Probe Response frame "
	102	"from " MACSTR, MAC2STR(mgmt->sa));
	103	bss->parse_error_reported = 1;
	104	return;
	105	}
	106
53650bca	107	bss_update(wt, bss, &elems);
2d73f0a8 JM	108	}
	109
	110
	111	static void rx_mgmt_auth(struct wlantest wt, const u8 data, size_t len)
	112	{
	113	const struct ieee80211_mgmt *mgmt;
	114	struct wlantest_bss *bss;
	115	struct wlantest_sta *sta;
	116	u16 alg, trans, status;
	117
	118	mgmt = (const struct ieee80211_mgmt *) data;
	119	bss = bss_get(wt, mgmt->bssid);
	120	if (bss == NULL)
	121	return;
	122	if (os_memcmp(mgmt->sa, mgmt->bssid, ETH_ALEN) == 0)
	123	sta = sta_get(bss, mgmt->da);
	124	else
	125	sta = sta_get(bss, mgmt->sa);
	126	if (sta == NULL)
	127	return;
	128
	129	if (len < 24 + 6) {
	130	wpa_printf(MSG_INFO, "Too short Authentication frame from "
	131	MACSTR, MAC2STR(mgmt->sa));
	132	return;
	133	}
	134
	135	alg = le_to_host16(mgmt->u.auth.auth_alg);
	136	trans = le_to_host16(mgmt->u.auth.auth_transaction);
	137	status = le_to_host16(mgmt->u.auth.status_code);
	138
	139	wpa_printf(MSG_DEBUG, "AUTH " MACSTR " -> " MACSTR
	140	" (alg=%u trans=%u status=%u)",
	141	MAC2STR(mgmt->sa), MAC2STR(mgmt->da), alg, trans, status);
	142
	143	if (alg == 0 && trans == 2 && status == 0) {
	144	if (sta->state == STATE1) {
	145	wpa_printf(MSG_DEBUG, "STA " MACSTR
	146	" moved to State 2 with " MACSTR,
	147	MAC2STR(sta->addr), MAC2STR(bss->bssid));
	148	sta->state = STATE2;
	149	}
	150	}
	151	}
	152
	153
47fe6880 JM	154	static void rx_mgmt_deauth(struct wlantest wt, const u8 data, size_t len,
47fe6880 JM	155	int valid)
2d73f0a8 JM	156	{
	157	const struct ieee80211_mgmt *mgmt;
	158	struct wlantest_bss *bss;
	159	struct wlantest_sta *sta;
	160
	161	mgmt = (const struct ieee80211_mgmt *) data;
	162	bss = bss_get(wt, mgmt->bssid);
	163	if (bss == NULL)
	164	return;
	165	if (os_memcmp(mgmt->sa, mgmt->bssid, ETH_ALEN) == 0)
	166	sta = sta_get(bss, mgmt->da);
	167	else
	168	sta = sta_get(bss, mgmt->sa);
	169	if (sta == NULL)
	170	return;
	171
	172	if (len < 24 + 2) {
	173	wpa_printf(MSG_INFO, "Too short Deauthentication frame from "
	174	MACSTR, MAC2STR(mgmt->sa));
	175	return;
	176	}
	177
	178	wpa_printf(MSG_DEBUG, "DEAUTH " MACSTR " -> " MACSTR
	179	" (reason=%u)",
	180	MAC2STR(mgmt->sa), MAC2STR(mgmt->da),
	181	le_to_host16(mgmt->u.deauth.reason_code));
47fe6880 JM	182	wpa_hexdump(MSG_MSGDUMP, "DEAUTH payload", data + 24, len - 24);
	183
	184	if (!valid) {
	185	wpa_printf(MSG_INFO, "Do not change STA " MACSTR " State "
	186	"since Disassociation frame was not protected "
	187	"correctly", MAC2STR(sta->addr));
	188	return;
	189	}
2d73f0a8 JM	190
	191	if (sta->state != STATE1) {
	192	wpa_printf(MSG_DEBUG, "STA " MACSTR
	193	" moved to State 1 with " MACSTR,
	194	MAC2STR(sta->addr), MAC2STR(bss->bssid));
	195	sta->state = STATE1;
	196	}
	197	}
	198
	199
	200	static void rx_mgmt_assoc_req(struct wlantest wt, const u8 data, size_t len)
	201	{
	202	const struct ieee80211_mgmt *mgmt;
	203	struct wlantest_bss *bss;
	204	struct wlantest_sta *sta;
021a6fe4	205	struct ieee802_11_elems elems;
2d73f0a8 JM	206
	207	mgmt = (const struct ieee80211_mgmt *) data;
	208	bss = bss_get(wt, mgmt->bssid);
	209	if (bss == NULL)
	210	return;
	211	sta = sta_get(bss, mgmt->sa);
	212	if (sta == NULL)
	213	return;
	214
	215	if (len < 24 + 4) {
	216	wpa_printf(MSG_INFO, "Too short Association Request frame "
	217	"from " MACSTR, MAC2STR(mgmt->sa));
	218	return;
	219	}
	220
	221	wpa_printf(MSG_DEBUG, "ASSOCREQ " MACSTR " -> " MACSTR
	222	" (capab=0x%x listen_int=%u)",
	223	MAC2STR(mgmt->sa), MAC2STR(mgmt->da),
	224	le_to_host16(mgmt->u.assoc_req.capab_info),
	225	le_to_host16(mgmt->u.assoc_req.listen_interval));
021a6fe4 JM	226
	227	if (ieee802_11_parse_elems(mgmt->u.assoc_req.variable,
	228	len - (mgmt->u.assoc_req.variable - data),
	229	&elems, 0) == ParseFailed) {
	230	wpa_printf(MSG_INFO, "Invalid IEs in Association Request "
	231	"frame from " MACSTR, MAC2STR(mgmt->sa));
	232	return;
	233	}
	234
	235	sta_update_assoc(sta, &elems);
2d73f0a8 JM	236	}
	237
	238
	239	static void rx_mgmt_assoc_resp(struct wlantest wt, const u8 data, size_t len)
	240	{
	241	const struct ieee80211_mgmt *mgmt;
	242	struct wlantest_bss *bss;
	243	struct wlantest_sta *sta;
	244	u16 capab, status, aid;
	245
	246	mgmt = (const struct ieee80211_mgmt *) data;
	247	bss = bss_get(wt, mgmt->bssid);
	248	if (bss == NULL)
	249	return;
	250	sta = sta_get(bss, mgmt->da);
	251	if (sta == NULL)
	252	return;
	253
	254	if (len < 24 + 6) {
	255	wpa_printf(MSG_INFO, "Too short Association Response frame "
	256	"from " MACSTR, MAC2STR(mgmt->sa));
	257	return;
	258	}
	259
	260	capab = le_to_host16(mgmt->u.assoc_resp.capab_info);
	261	status = le_to_host16(mgmt->u.assoc_resp.status_code);
	262	aid = le_to_host16(mgmt->u.assoc_resp.aid);
	263
	264	wpa_printf(MSG_DEBUG, "ASSOCRESP " MACSTR " -> " MACSTR
	265	" (capab=0x%x status=%u aid=%u)",
	266	MAC2STR(mgmt->sa), MAC2STR(mgmt->da), capab, status,
	267	aid & 0x3fff);
	268
	269	if (status)
	270	return;
	271
	272	if ((aid & 0xc000) != 0xc000) {
	273	wpa_printf(MSG_DEBUG, "Two MSBs of the AID were not set to 1 "
	274	"in Association Response from " MACSTR,
	275	MAC2STR(mgmt->sa));
	276	}
	277	sta->aid = aid & 0xc000;
	278
	279	if (sta->state < STATE2) {
	280	wpa_printf(MSG_DEBUG, "STA " MACSTR " was not in State 2 when "
	281	"getting associated", MAC2STR(sta->addr));
	282	}
	283
	284	if (sta->state < STATE3) {
	285	wpa_printf(MSG_DEBUG, "STA " MACSTR
	286	" moved to State 3 with " MACSTR,
	287	MAC2STR(sta->addr), MAC2STR(bss->bssid));
	288	sta->state = STATE3;
	289	}
	290	}
	291
	292
	293	static void rx_mgmt_reassoc_req(struct wlantest wt, const u8 data,
	294	size_t len)
	295	{
	296	const struct ieee80211_mgmt *mgmt;
	297	struct wlantest_bss *bss;
	298	struct wlantest_sta *sta;
021a6fe4	299	struct ieee802_11_elems elems;
2d73f0a8 JM	300
	301	mgmt = (const struct ieee80211_mgmt *) data;
	302	bss = bss_get(wt, mgmt->bssid);
	303	if (bss == NULL)
	304	return;
	305	sta = sta_get(bss, mgmt->sa);
	306	if (sta == NULL)
	307	return;
	308
	309	if (len < 24 + 4 + ETH_ALEN) {
	310	wpa_printf(MSG_INFO, "Too short Reassociation Request frame "
	311	"from " MACSTR, MAC2STR(mgmt->sa));
	312	return;
	313	}
	314
	315	wpa_printf(MSG_DEBUG, "REASSOCREQ " MACSTR " -> " MACSTR
	316	" (capab=0x%x listen_int=%u current_ap=" MACSTR ")",
	317	MAC2STR(mgmt->sa), MAC2STR(mgmt->da),
	318	le_to_host16(mgmt->u.reassoc_req.capab_info),
	319	le_to_host16(mgmt->u.reassoc_req.listen_interval),
	320	MAC2STR(mgmt->u.reassoc_req.current_ap));
021a6fe4 JM	321
	322	if (ieee802_11_parse_elems(mgmt->u.reassoc_req.variable,
	323	len - (mgmt->u.reassoc_req.variable - data),
	324	&elems, 0) == ParseFailed) {
	325	wpa_printf(MSG_INFO, "Invalid IEs in Reassociation Request "
	326	"frame from " MACSTR, MAC2STR(mgmt->sa));
	327	return;
	328	}
	329
	330	sta_update_assoc(sta, &elems);
2d73f0a8 JM	331	}
	332
	333
	334	static void rx_mgmt_reassoc_resp(struct wlantest wt, const u8 data,
	335	size_t len)
	336	{
	337	const struct ieee80211_mgmt *mgmt;
	338	struct wlantest_bss *bss;
	339	struct wlantest_sta *sta;
	340	u16 capab, status, aid;
	341
	342	mgmt = (const struct ieee80211_mgmt *) data;
	343	bss = bss_get(wt, mgmt->bssid);
	344	if (bss == NULL)
	345	return;
	346	sta = sta_get(bss, mgmt->da);
	347	if (sta == NULL)
	348	return;
	349
	350	if (len < 24 + 6) {
	351	wpa_printf(MSG_INFO, "Too short Reassociation Response frame "
	352	"from " MACSTR, MAC2STR(mgmt->sa));
	353	return;
	354	}
	355
	356	capab = le_to_host16(mgmt->u.reassoc_resp.capab_info);
	357	status = le_to_host16(mgmt->u.reassoc_resp.status_code);
	358	aid = le_to_host16(mgmt->u.reassoc_resp.aid);
	359
	360	wpa_printf(MSG_DEBUG, "REASSOCRESP " MACSTR " -> " MACSTR
	361	" (capab=0x%x status=%u aid=%u)",
	362	MAC2STR(mgmt->sa), MAC2STR(mgmt->da), capab, status,
	363	aid & 0x3fff);
	364
	365	if (status)
	366	return;
	367
	368	if ((aid & 0xc000) != 0xc000) {
	369	wpa_printf(MSG_DEBUG, "Two MSBs of the AID were not set to 1 "
	370	"in Reassociation Response from " MACSTR,
	371	MAC2STR(mgmt->sa));
	372	}
	373	sta->aid = aid & 0xc000;
	374
	375	if (sta->state < STATE2) {
	376	wpa_printf(MSG_DEBUG, "STA " MACSTR " was not in State 2 when "
	377	"getting associated", MAC2STR(sta->addr));
	378	}
	379
	380	if (sta->state < STATE3) {
	381	wpa_printf(MSG_DEBUG, "STA " MACSTR
	382	" moved to State 3 with " MACSTR,
	383	MAC2STR(sta->addr), MAC2STR(bss->bssid));
	384	sta->state = STATE3;
	385	}
	386	}
	387
	388
47fe6880 JM	389	static void rx_mgmt_disassoc(struct wlantest wt, const u8 data, size_t len,
47fe6880 JM	390	int valid)
2d73f0a8 JM	391	{
	392	const struct ieee80211_mgmt *mgmt;
	393	struct wlantest_bss *bss;
	394	struct wlantest_sta *sta;
	395
	396	mgmt = (const struct ieee80211_mgmt *) data;
	397	bss = bss_get(wt, mgmt->bssid);
	398	if (bss == NULL)
	399	return;
	400	if (os_memcmp(mgmt->sa, mgmt->bssid, ETH_ALEN) == 0)
	401	sta = sta_get(bss, mgmt->da);
	402	else
	403	sta = sta_get(bss, mgmt->sa);
	404	if (sta == NULL)
	405	return;
	406
	407	if (len < 24 + 2) {
	408	wpa_printf(MSG_INFO, "Too short Disassociation frame from "
	409	MACSTR, MAC2STR(mgmt->sa));
	410	return;
	411	}
	412
	413	wpa_printf(MSG_DEBUG, "DISASSOC " MACSTR " -> " MACSTR
	414	" (reason=%u)",
	415	MAC2STR(mgmt->sa), MAC2STR(mgmt->da),
	416	le_to_host16(mgmt->u.disassoc.reason_code));
47fe6880 JM	417	wpa_hexdump(MSG_MSGDUMP, "DISASSOC payload", data + 24, len - 24);
	418
	419	if (!valid) {
	420	wpa_printf(MSG_INFO, "Do not change STA " MACSTR " State "
	421	"since Disassociation frame was not protected "
	422	"correctly", MAC2STR(sta->addr));
	423	return;
	424	}
2d73f0a8 JM	425
	426	if (sta->state < STATE2) {
	427	wpa_printf(MSG_DEBUG, "STA " MACSTR " was not in State 2 or 3 "
	428	"when getting disassociated", MAC2STR(sta->addr));
	429	}
	430
	431	if (sta->state > STATE2) {
	432	wpa_printf(MSG_DEBUG, "STA " MACSTR
	433	" moved to State 2 with " MACSTR,
	434	MAC2STR(sta->addr), MAC2STR(bss->bssid));
	435	sta->state = STATE2;
	436	}
	437	}
	438
	439
bacc3128 JM	440	static int check_mmie_mic(const u8 igtk, const u8 data, size_t len)
	441	{
	442	u8 *buf;
	443	u8 mic[16];
	444	u16 fc;
	445	const struct ieee80211_hdr *hdr;
	446
	447	buf = os_malloc(len + 20 - 24);
	448	if (buf == NULL)
	449	return -1;
	450
	451	/* BIP AAD: FC(masked) A1 A2 A3 */
	452	hdr = (const struct ieee80211_hdr *) data;
	453	fc = le_to_host16(hdr->frame_control);
	454	fc &= ~(WLAN_FC_RETRY \| WLAN_FC_PWRMGT \| WLAN_FC_MOREDATA);
	455	WPA_PUT_LE16(buf, fc);
	456	os_memcpy(buf + 2, hdr->addr1, 3 * ETH_ALEN);
	457
	458	/* Frame body with MMIE MIC masked to zero */
	459	os_memcpy(buf + 20, data + 24, len - 24 - 8);
	460	os_memset(buf + 20 + len - 24 - 8, 0, 8);
	461
	462	wpa_hexdump(MSG_MSGDUMP, "BIP: AAD\|Body(masked)", buf, len + 20 - 24);
	463	/* MIC = L(AES-128-CMAC(AAD \|\| Frame Body(masked)), 0, 64) */
	464	if (omac1_aes_128(igtk, buf, len + 20 - 24, mic) < 0) {
	465	os_free(buf);
	466	return -1;
	467	}
	468
	469	os_free(buf);
	470
	471	if (os_memcmp(data + len - 8, mic, 8) != 0)
	472	return -1;
	473
	474	return 0;
	475	}
	476
	477
	478	static int check_bip(struct wlantest wt, const u8 data, size_t len)
	479	{
	480	const struct ieee80211_mgmt *mgmt;
	481	u16 fc, stype;
	482	const u8 *mmie;
	483	int keyid;
	484	struct wlantest_bss *bss;
	485
	486	mgmt = (const struct ieee80211_mgmt *) data;
	487	fc = le_to_host16(mgmt->frame_control);
	488	stype = WLAN_FC_GET_STYPE(fc);
	489
	490	if (stype == WLAN_FC_STYPE_ACTION) {
	491	if (len < 24 + 1)
	492	return 0;
	493	if (mgmt->u.action.category == WLAN_ACTION_PUBLIC)
	494	return 0; /* Not a robust management frame */
	495	}
	496
	497	bss = bss_get(wt, mgmt->bssid);
	498	if (bss == NULL)
	499	return 0; /* No key known yet */
	500
	501	if (len < 24 + 18 \|\| data[len - 18] != WLAN_EID_MMIE \|\|
	502	data[len - 17] != 16) {
	503	/* No MMIE */
504	/* TODO: use MFPC flag in RSN IE instead of IGTK flags */
505	if (bss->igtk_set[4] \|\| bss->igtk_set[5]) {
506	wpa_printf(MSG_INFO, "Robust group-addressed "
507	"management frame sent without BIP by "
508	MACSTR, MAC2STR(mgmt->sa));
509	return -1;
510	}
511	return 0;
512	}
513
514	mmie = data + len - 16;
515	keyid = WPA_GET_LE16(mmie);
516	if (keyid < 4 \|\| keyid > 5) {
517	wpa_printf(MSG_INFO, "Unexpected MMIE KeyID %u from " MACSTR,
518	keyid, MAC2STR(mgmt->sa));
519	return 0;
520	}
521	wpa_printf(MSG_DEBUG, "MMIE KeyID %u", keyid);
522	wpa_hexdump(MSG_MSGDUMP, "MMIE IPN", mmie + 2, 6);
523	wpa_hexdump(MSG_MSGDUMP, "MMIE MIC", mmie + 8, 8);
524
525	if (!bss->igtk_set[keyid]) {
526	wpa_printf(MSG_DEBUG, "No IGTK known to validate BIP frame");
527	return 0;
528	}
529
4d4c2915	530	if (os_memcmp(mmie + 2, bss->ipn[keyid], 6) <= 0) {
bacc3128 JM	531	wpa_printf(MSG_INFO, "BIP replay detected: SA=" MACSTR,
	532	MAC2STR(mgmt->sa));
	533	wpa_hexdump(MSG_INFO, "RX IPN", mmie + 2, 6);
	534	wpa_hexdump(MSG_INFO, "Last RX IPN", bss->ipn[keyid], 6);
	535	}
	536
	537	if (check_mmie_mic(bss->igtk[keyid], data, len) < 0) {
	538	wpa_printf(MSG_INFO, "Invalid MMIE MIC in a frame from "
	539	MACSTR, MAC2STR(mgmt->sa));
	540	return -1;
	541	}
	542
	543	wpa_printf(MSG_DEBUG, "Valid MMIE MIC");
	544	os_memcpy(bss->ipn[keyid], mmie + 2, 6);
	545
	546	return 0;
	547	}
	548
	549
47fe6880 JM	550	static u8 * mgmt_ccmp_decrypt(struct wlantest wt, const u8 data, size_t len,
	551	size_t *dlen)
	552	{
	553	struct wlantest_bss *bss;
	554	struct wlantest_sta *sta;
	555	const struct ieee80211_hdr *hdr;
	556	int keyid;
	557	u8 decrypted, frame;
	558	u8 pn[6], *rsc;
	559
	560	hdr = (const struct ieee80211_hdr *) data;
	561	bss = bss_get(wt, hdr->addr3);
	562	if (bss == NULL)
	563	return NULL;
	564	if (os_memcmp(hdr->addr1, hdr->addr3, ETH_ALEN) == 0)
	565	sta = sta_get(bss, hdr->addr2);
	566	else
	567	sta = sta_get(bss, hdr->addr1);
	568	if (sta == NULL \|\| !sta->ptk_set) {
	569	wpa_printf(MSG_MSGDUMP, "No PTK known to decrypt the frame");
	570	return NULL;
	571	}
	572
	573	keyid = data[3] >> 6;
	574	if (keyid != 0) {
	575	wpa_printf(MSG_INFO, "Unexpected non-zero KeyID %d in "
	576	"individually addressed Management frame from "
	577	MACSTR, keyid, MAC2STR(hdr->addr2));
	578	}
	579
	580	if (os_memcmp(hdr->addr1, hdr->addr3, ETH_ALEN) == 0)
	581	rsc = sta->rsc_tods[16];
	582	else
	583	rsc = sta->rsc_fromds[16];
	584
	585	ccmp_get_pn(pn, data);
	586	if (os_memcmp(pn, rsc, 6) <= 0) {
	587	wpa_printf(MSG_INFO, "CCMP/TKIP replay detected: SA=" MACSTR,
	588	MAC2STR(hdr->addr2));
	589	wpa_hexdump(MSG_INFO, "RX PN", pn, 6);
	590	wpa_hexdump(MSG_INFO, "RSC", rsc, 6);
	591	}
	592
	593	decrypted = ccmp_decrypt(sta->ptk.tk1, hdr, data + 24, len - 24, dlen);
	594	if (decrypted)
	595	os_memcpy(rsc, pn, 6);
	596
	597	frame = os_malloc(24 + *dlen);
	598	if (frame) {
	599	os_memcpy(frame, data, 24);
	600	os_memcpy(frame + 24, decrypted, *dlen);
	601	*dlen += 24;
	602	}
	603
	604	os_free(decrypted);
	605
	606	return frame;
	607	}
	608
	609
2d73f0a8 JM	610	void rx_mgmt(struct wlantest wt, const u8 data, size_t len)
	611	{
	612	const struct ieee80211_hdr *hdr;
	613	u16 fc, stype;
47fe6880 JM	614	int valid = 1;
	615	u8 *decrypted = NULL;
	616	size_t dlen;
2d73f0a8 JM	617
	618	if (len < 24)
	619	return;
	620
	621	hdr = (const struct ieee80211_hdr *) data;
	622	fc = le_to_host16(hdr->frame_control);
	623	wt->rx_mgmt++;
	624	stype = WLAN_FC_GET_STYPE(fc);
	625
bacc3128 JM	626	if ((hdr->addr1[0] & 0x01) &&
	627	(stype == WLAN_FC_STYPE_DEAUTH \|\|
	628	stype == WLAN_FC_STYPE_DISASSOC \|\|
	629	stype == WLAN_FC_STYPE_ACTION))
	630	check_bip(wt, data, len);
	631
2d73f0a8 JM	632	wpa_printf((stype == WLAN_FC_STYPE_BEACON \|\|
	633	stype == WLAN_FC_STYPE_PROBE_RESP \|\|
	634	stype == WLAN_FC_STYPE_PROBE_REQ) ?
	635	MSG_EXCESSIVE : MSG_MSGDUMP,
	636	"MGMT %s%s%s DA=" MACSTR " SA=" MACSTR " BSSID=" MACSTR,
	637	mgmt_stype(stype),
	638	fc & WLAN_FC_PWRMGT ? " PwrMgt" : "",
	639	fc & WLAN_FC_ISWEP ? " Prot" : "",
	640	MAC2STR(hdr->addr1), MAC2STR(hdr->addr2),
	641	MAC2STR(hdr->addr3));
	642
47fe6880 JM	643	if ((fc & WLAN_FC_ISWEP) &&
	644	!(hdr->addr1[0] & 0x01) &&
	645	(stype == WLAN_FC_STYPE_DEAUTH \|\|
	646	stype == WLAN_FC_STYPE_DISASSOC \|\|
	647	stype == WLAN_FC_STYPE_ACTION)) {
	648	decrypted = mgmt_ccmp_decrypt(wt, data, len, &dlen);
	649	if (decrypted) {
	650	data = decrypted;
	651	len = dlen;
	652	} else
	653	valid = 0;
	654	}
	655
	656
2d73f0a8 JM	657	switch (stype) {
	658	case WLAN_FC_STYPE_BEACON:
	659	rx_mgmt_beacon(wt, data, len);
	660	break;
	661	case WLAN_FC_STYPE_PROBE_RESP:
	662	rx_mgmt_probe_resp(wt, data, len);
	663	break;
	664	case WLAN_FC_STYPE_AUTH:
	665	rx_mgmt_auth(wt, data, len);
	666	break;
	667	case WLAN_FC_STYPE_DEAUTH:
47fe6880	668	rx_mgmt_deauth(wt, data, len, valid);
2d73f0a8 JM	669	break;
	670	case WLAN_FC_STYPE_ASSOC_REQ:
	671	rx_mgmt_assoc_req(wt, data, len);
	672	break;
	673	case WLAN_FC_STYPE_ASSOC_RESP:
	674	rx_mgmt_assoc_resp(wt, data, len);
	675	break;
	676	case WLAN_FC_STYPE_REASSOC_REQ:
	677	rx_mgmt_reassoc_req(wt, data, len);
	678	break;
	679	case WLAN_FC_STYPE_REASSOC_RESP:
	680	rx_mgmt_reassoc_resp(wt, data, len);
	681	break;
	682	case WLAN_FC_STYPE_DISASSOC:
47fe6880	683	rx_mgmt_disassoc(wt, data, len, valid);
2d73f0a8 JM	684	break;
2d73f0a8 JM	685	}
47fe6880 JM	686
47fe6880 JM	687	os_free(decrypted);
2d73f0a8	688	}