]>
Commit | Line | Data |
---|---|---|
2d73f0a8 JM |
1 | /* |
2 | * Received Management frame processing | |
98cd3d1c | 3 | * Copyright (c) 2010-2015, Jouni Malinen <j@w1.fi> |
2d73f0a8 | 4 | * |
0f3d578e JM |
5 | * This software may be distributed under the terms of the BSD license. |
6 | * See README for more details. | |
2d73f0a8 JM |
7 | */ |
8 | ||
9 | #include "utils/includes.h" | |
10 | ||
11 | #include "utils/common.h" | |
0e1aa64d | 12 | #include "common/defs.h" |
2d73f0a8 JM |
13 | #include "common/ieee802_11_defs.h" |
14 | #include "common/ieee802_11_common.h" | |
c72df3c6 JM |
15 | #include "common/wpa_common.h" |
16 | #include "crypto/aes.h" | |
17 | #include "crypto/aes_siv.h" | |
bacc3128 | 18 | #include "crypto/aes_wrap.h" |
2d73f0a8 JM |
19 | #include "wlantest.h" |
20 | ||
21 | ||
22 | static const char * mgmt_stype(u16 stype) | |
23 | { | |
24 | switch (stype) { | |
25 | case WLAN_FC_STYPE_ASSOC_REQ: | |
26 | return "ASSOC-REQ"; | |
27 | case WLAN_FC_STYPE_ASSOC_RESP: | |
28 | return "ASSOC-RESP"; | |
29 | case WLAN_FC_STYPE_REASSOC_REQ: | |
30 | return "REASSOC-REQ"; | |
31 | case WLAN_FC_STYPE_REASSOC_RESP: | |
32 | return "REASSOC-RESP"; | |
33 | case WLAN_FC_STYPE_PROBE_REQ: | |
34 | return "PROBE-REQ"; | |
35 | case WLAN_FC_STYPE_PROBE_RESP: | |
36 | return "PROBE-RESP"; | |
37 | case WLAN_FC_STYPE_BEACON: | |
38 | return "BEACON"; | |
39 | case WLAN_FC_STYPE_ATIM: | |
40 | return "ATIM"; | |
41 | case WLAN_FC_STYPE_DISASSOC: | |
42 | return "DISASSOC"; | |
43 | case WLAN_FC_STYPE_AUTH: | |
44 | return "AUTH"; | |
45 | case WLAN_FC_STYPE_DEAUTH: | |
46 | return "DEAUTH"; | |
47 | case WLAN_FC_STYPE_ACTION: | |
48 | return "ACTION"; | |
49 | } | |
50 | return "??"; | |
51 | } | |
52 | ||
53 | ||
54 | static void rx_mgmt_beacon(struct wlantest *wt, const u8 *data, size_t len) | |
55 | { | |
56 | const struct ieee80211_mgmt *mgmt; | |
57 | struct wlantest_bss *bss; | |
58 | struct ieee802_11_elems elems; | |
762a0bfb | 59 | size_t offset; |
2d73f0a8 JM |
60 | |
61 | mgmt = (const struct ieee80211_mgmt *) data; | |
762a0bfb JM |
62 | offset = mgmt->u.beacon.variable - data; |
63 | if (len < offset) | |
64 | return; | |
2d73f0a8 JM |
65 | bss = bss_get(wt, mgmt->bssid); |
66 | if (bss == NULL) | |
67 | return; | |
68 | if (bss->proberesp_seen) | |
69 | return; /* do not override with Beacon data */ | |
70 | bss->capab_info = le_to_host16(mgmt->u.beacon.capab_info); | |
762a0bfb | 71 | if (ieee802_11_parse_elems(mgmt->u.beacon.variable, len - offset, |
2d73f0a8 JM |
72 | &elems, 0) == ParseFailed) { |
73 | if (bss->parse_error_reported) | |
74 | return; | |
e4d99217 JM |
75 | add_note(wt, MSG_INFO, "Invalid IEs in a Beacon frame from " |
76 | MACSTR, MAC2STR(mgmt->sa)); | |
2d73f0a8 JM |
77 | bss->parse_error_reported = 1; |
78 | return; | |
79 | } | |
80 | ||
53650bca | 81 | bss_update(wt, bss, &elems); |
2d73f0a8 JM |
82 | } |
83 | ||
84 | ||
85 | static void rx_mgmt_probe_resp(struct wlantest *wt, const u8 *data, size_t len) | |
86 | { | |
87 | const struct ieee80211_mgmt *mgmt; | |
88 | struct wlantest_bss *bss; | |
89 | struct ieee802_11_elems elems; | |
762a0bfb | 90 | size_t offset; |
2d73f0a8 JM |
91 | |
92 | mgmt = (const struct ieee80211_mgmt *) data; | |
762a0bfb JM |
93 | offset = mgmt->u.probe_resp.variable - data; |
94 | if (len < offset) | |
95 | return; | |
2d73f0a8 JM |
96 | bss = bss_get(wt, mgmt->bssid); |
97 | if (bss == NULL) | |
98 | return; | |
99 | ||
ae98e1f5 | 100 | bss->counters[WLANTEST_BSS_COUNTER_PROBE_RESPONSE]++; |
2d73f0a8 | 101 | bss->capab_info = le_to_host16(mgmt->u.probe_resp.capab_info); |
762a0bfb | 102 | if (ieee802_11_parse_elems(mgmt->u.probe_resp.variable, len - offset, |
2d73f0a8 JM |
103 | &elems, 0) == ParseFailed) { |
104 | if (bss->parse_error_reported) | |
105 | return; | |
e4d99217 JM |
106 | add_note(wt, MSG_INFO, "Invalid IEs in a Probe Response frame " |
107 | "from " MACSTR, MAC2STR(mgmt->sa)); | |
2d73f0a8 JM |
108 | bss->parse_error_reported = 1; |
109 | return; | |
110 | } | |
111 | ||
53650bca | 112 | bss_update(wt, bss, &elems); |
2d73f0a8 JM |
113 | } |
114 | ||
115 | ||
c72df3c6 JM |
116 | static void process_fils_auth(struct wlantest *wt, struct wlantest_bss *bss, |
117 | struct wlantest_sta *sta, | |
118 | const struct ieee80211_mgmt *mgmt, size_t len) | |
119 | { | |
120 | struct ieee802_11_elems elems; | |
121 | u16 trans; | |
122 | struct wpa_ie_data data; | |
123 | ||
124 | if (sta->auth_alg != WLAN_AUTH_FILS_SK || | |
125 | len < IEEE80211_HDRLEN + sizeof(mgmt->u.auth)) | |
126 | return; | |
127 | ||
128 | trans = le_to_host16(mgmt->u.auth.auth_transaction); | |
129 | ||
130 | if (ieee802_11_parse_elems(mgmt->u.auth.variable, | |
131 | len - IEEE80211_HDRLEN - | |
132 | sizeof(mgmt->u.auth), &elems, 0) == | |
133 | ParseFailed) | |
134 | return; | |
135 | ||
136 | if (trans == 1) { | |
137 | if (!elems.rsn_ie) { | |
138 | add_note(wt, MSG_INFO, | |
139 | "FILS Authentication frame missing RSNE"); | |
140 | return; | |
141 | } | |
142 | if (wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2, | |
143 | elems.rsn_ie_len + 2, &data) < 0) { | |
144 | add_note(wt, MSG_INFO, | |
145 | "Invalid RSNE in FILS Authentication frame"); | |
146 | return; | |
147 | } | |
148 | sta->key_mgmt = data.key_mgmt; | |
149 | sta->pairwise_cipher = data.pairwise_cipher; | |
150 | } | |
151 | ||
152 | if (!elems.fils_nonce) { | |
153 | add_note(wt, MSG_INFO, | |
154 | "FILS Authentication frame missing nonce"); | |
155 | return; | |
156 | } | |
157 | ||
158 | if (os_memcmp(mgmt->sa, mgmt->bssid, ETH_ALEN) == 0) | |
159 | os_memcpy(sta->anonce, elems.fils_nonce, FILS_NONCE_LEN); | |
160 | else | |
161 | os_memcpy(sta->snonce, elems.fils_nonce, FILS_NONCE_LEN); | |
162 | } | |
163 | ||
164 | ||
c38c62ff JM |
165 | static void process_ft_auth(struct wlantest *wt, struct wlantest_bss *bss, |
166 | struct wlantest_sta *sta, | |
167 | const struct ieee80211_mgmt *mgmt, size_t len) | |
168 | { | |
169 | u16 trans; | |
170 | struct wpa_ft_ies parse; | |
171 | u8 pmk_r1[PMK_LEN]; | |
172 | u8 pmk_r1_name[WPA_PMK_NAME_LEN]; | |
173 | struct wpa_ptk ptk; | |
174 | u8 ptk_name[WPA_PMK_NAME_LEN]; | |
175 | struct wlantest_bss *old_bss; | |
176 | struct wlantest_sta *old_sta = NULL; | |
177 | ||
178 | if (sta->auth_alg != WLAN_AUTH_FT || | |
179 | len < IEEE80211_HDRLEN + sizeof(mgmt->u.auth)) | |
180 | return; | |
181 | ||
182 | trans = le_to_host16(mgmt->u.auth.auth_transaction); | |
183 | ||
184 | if (wpa_ft_parse_ies(mgmt->u.auth.variable, | |
185 | len - IEEE80211_HDRLEN - sizeof(mgmt->u.auth), | |
186 | &parse, -1)) { | |
187 | add_note(wt, MSG_INFO, | |
188 | "Could not parse FT Authentication Response frame"); | |
189 | return; | |
190 | } | |
191 | ||
192 | if (trans == 1) { | |
193 | sta->key_mgmt = parse.key_mgmt; | |
194 | sta->pairwise_cipher = parse.pairwise_cipher; | |
195 | return; | |
196 | } | |
197 | ||
198 | if (trans != 2) | |
199 | return; | |
200 | ||
201 | /* TODO: Should find the latest updated PMK-R0 value here instead | |
202 | * copying the one from the first found matching old STA entry. */ | |
203 | dl_list_for_each(old_bss, &wt->bss, struct wlantest_bss, list) { | |
204 | if (old_bss == bss) | |
205 | continue; | |
206 | old_sta = sta_find(old_bss, sta->addr); | |
207 | if (old_sta) | |
208 | break; | |
209 | } | |
210 | if (!old_sta) | |
211 | return; | |
212 | ||
213 | os_memcpy(sta->pmk_r0, old_sta->pmk_r0, sizeof(sta->pmk_r0)); | |
214 | os_memcpy(sta->pmk_r0_name, old_sta->pmk_r0_name, | |
215 | sizeof(sta->pmk_r0_name)); | |
216 | ||
217 | if (parse.r1kh_id) | |
218 | os_memcpy(bss->r1kh_id, parse.r1kh_id, FT_R1KH_ID_LEN); | |
219 | ||
220 | if (wpa_derive_pmk_r1(sta->pmk_r0, PMK_LEN, sta->pmk_r0_name, | |
221 | bss->r1kh_id, sta->addr, pmk_r1, pmk_r1_name) < 0) | |
222 | return; | |
223 | wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name", pmk_r1_name, WPA_PMK_NAME_LEN); | |
224 | ||
225 | if (!parse.fte_anonce || !parse.fte_snonce || | |
226 | wpa_pmk_r1_to_ptk(pmk_r1, PMK_LEN, parse.fte_snonce, | |
227 | parse.fte_anonce, sta->addr, bss->bssid, | |
228 | pmk_r1_name, &ptk, ptk_name, sta->key_mgmt, | |
229 | sta->pairwise_cipher) < 0) | |
230 | return; | |
231 | ||
232 | add_note(wt, MSG_DEBUG, "Derived new PTK"); | |
233 | os_memcpy(&sta->ptk, &ptk, sizeof(ptk)); | |
234 | sta->ptk_set = 1; | |
235 | os_memset(sta->rsc_tods, 0, sizeof(sta->rsc_tods)); | |
236 | os_memset(sta->rsc_fromds, 0, sizeof(sta->rsc_fromds)); | |
237 | } | |
238 | ||
239 | ||
2d73f0a8 JM |
240 | static void rx_mgmt_auth(struct wlantest *wt, const u8 *data, size_t len) |
241 | { | |
242 | const struct ieee80211_mgmt *mgmt; | |
243 | struct wlantest_bss *bss; | |
244 | struct wlantest_sta *sta; | |
245 | u16 alg, trans, status; | |
246 | ||
247 | mgmt = (const struct ieee80211_mgmt *) data; | |
248 | bss = bss_get(wt, mgmt->bssid); | |
249 | if (bss == NULL) | |
250 | return; | |
251 | if (os_memcmp(mgmt->sa, mgmt->bssid, ETH_ALEN) == 0) | |
252 | sta = sta_get(bss, mgmt->da); | |
253 | else | |
254 | sta = sta_get(bss, mgmt->sa); | |
255 | if (sta == NULL) | |
256 | return; | |
257 | ||
258 | if (len < 24 + 6) { | |
e4d99217 JM |
259 | add_note(wt, MSG_INFO, "Too short Authentication frame from " |
260 | MACSTR, MAC2STR(mgmt->sa)); | |
2d73f0a8 JM |
261 | return; |
262 | } | |
263 | ||
264 | alg = le_to_host16(mgmt->u.auth.auth_alg); | |
c72df3c6 | 265 | sta->auth_alg = alg; |
2d73f0a8 JM |
266 | trans = le_to_host16(mgmt->u.auth.auth_transaction); |
267 | status = le_to_host16(mgmt->u.auth.status_code); | |
268 | ||
269 | wpa_printf(MSG_DEBUG, "AUTH " MACSTR " -> " MACSTR | |
270 | " (alg=%u trans=%u status=%u)", | |
271 | MAC2STR(mgmt->sa), MAC2STR(mgmt->da), alg, trans, status); | |
272 | ||
273 | if (alg == 0 && trans == 2 && status == 0) { | |
274 | if (sta->state == STATE1) { | |
e4d99217 JM |
275 | add_note(wt, MSG_DEBUG, "STA " MACSTR |
276 | " moved to State 2 with " MACSTR, | |
277 | MAC2STR(sta->addr), MAC2STR(bss->bssid)); | |
2d73f0a8 JM |
278 | sta->state = STATE2; |
279 | } | |
280 | } | |
6d5ce9fc JM |
281 | |
282 | if (os_memcmp(mgmt->sa, mgmt->bssid, ETH_ALEN) == 0) | |
283 | sta->counters[WLANTEST_STA_COUNTER_AUTH_RX]++; | |
284 | else | |
285 | sta->counters[WLANTEST_STA_COUNTER_AUTH_TX]++; | |
c72df3c6 JM |
286 | |
287 | process_fils_auth(wt, bss, sta, mgmt, len); | |
c38c62ff | 288 | process_ft_auth(wt, bss, sta, mgmt, len); |
2d73f0a8 JM |
289 | } |
290 | ||
291 | ||
e4d99217 | 292 | static void deauth_all_stas(struct wlantest *wt, struct wlantest_bss *bss) |
38484f69 JM |
293 | { |
294 | struct wlantest_sta *sta; | |
295 | dl_list_for_each(sta, &bss->sta, struct wlantest_sta, list) { | |
296 | if (sta->state == STATE1) | |
297 | continue; | |
e4d99217 JM |
298 | add_note(wt, MSG_DEBUG, "STA " MACSTR |
299 | " moved to State 1 with " MACSTR, | |
300 | MAC2STR(sta->addr), MAC2STR(bss->bssid)); | |
38484f69 JM |
301 | sta->state = STATE1; |
302 | } | |
303 | } | |
304 | ||
305 | ||
e4d99217 JM |
306 | static void tdls_link_down(struct wlantest *wt, struct wlantest_bss *bss, |
307 | struct wlantest_sta *sta) | |
719e7eb2 JM |
308 | { |
309 | struct wlantest_tdls *tdls; | |
310 | dl_list_for_each(tdls, &bss->tdls, struct wlantest_tdls, list) { | |
311 | if ((tdls->init == sta || tdls->resp == sta) && tdls->link_up) | |
312 | { | |
e4d99217 JM |
313 | add_note(wt, MSG_DEBUG, "TDLS: Set link down based on " |
314 | "STA deauth/disassoc"); | |
719e7eb2 JM |
315 | tdls->link_up = 0; |
316 | } | |
317 | } | |
318 | } | |
319 | ||
320 | ||
47fe6880 JM |
321 | static void rx_mgmt_deauth(struct wlantest *wt, const u8 *data, size_t len, |
322 | int valid) | |
2d73f0a8 JM |
323 | { |
324 | const struct ieee80211_mgmt *mgmt; | |
325 | struct wlantest_bss *bss; | |
326 | struct wlantest_sta *sta; | |
62f05ce9 | 327 | u16 fc, reason; |
2d73f0a8 JM |
328 | |
329 | mgmt = (const struct ieee80211_mgmt *) data; | |
330 | bss = bss_get(wt, mgmt->bssid); | |
331 | if (bss == NULL) | |
332 | return; | |
333 | if (os_memcmp(mgmt->sa, mgmt->bssid, ETH_ALEN) == 0) | |
334 | sta = sta_get(bss, mgmt->da); | |
335 | else | |
336 | sta = sta_get(bss, mgmt->sa); | |
2d73f0a8 JM |
337 | |
338 | if (len < 24 + 2) { | |
e4d99217 JM |
339 | add_note(wt, MSG_INFO, "Too short Deauthentication frame from " |
340 | MACSTR, MAC2STR(mgmt->sa)); | |
2d73f0a8 JM |
341 | return; |
342 | } | |
343 | ||
62f05ce9 | 344 | reason = le_to_host16(mgmt->u.deauth.reason_code); |
2d73f0a8 | 345 | wpa_printf(MSG_DEBUG, "DEAUTH " MACSTR " -> " MACSTR |
107ad4e3 | 346 | " (reason=%u) (valid=%d)", |
2d73f0a8 | 347 | MAC2STR(mgmt->sa), MAC2STR(mgmt->da), |
62f05ce9 | 348 | reason, valid); |
47fe6880 JM |
349 | wpa_hexdump(MSG_MSGDUMP, "DEAUTH payload", data + 24, len - 24); |
350 | ||
38484f69 JM |
351 | if (sta == NULL) { |
352 | if (valid && mgmt->da[0] == 0xff) | |
e4d99217 | 353 | deauth_all_stas(wt, bss); |
107ad4e3 | 354 | return; |
38484f69 | 355 | } |
107ad4e3 | 356 | |
e7ba4e2c | 357 | if (os_memcmp(mgmt->sa, mgmt->bssid, ETH_ALEN) == 0) { |
6d5ce9fc JM |
358 | sta->counters[valid ? WLANTEST_STA_COUNTER_VALID_DEAUTH_RX : |
359 | WLANTEST_STA_COUNTER_INVALID_DEAUTH_RX]++; | |
e7ba4e2c JM |
360 | if (sta->pwrmgt && !sta->pspoll) |
361 | sta->counters[WLANTEST_STA_COUNTER_DEAUTH_RX_ASLEEP]++; | |
362 | else | |
363 | sta->counters[WLANTEST_STA_COUNTER_DEAUTH_RX_AWAKE]++; | |
62f05ce9 JM |
364 | |
365 | fc = le_to_host16(mgmt->frame_control); | |
366 | if (!(fc & WLAN_FC_ISWEP) && reason == 6) | |
367 | sta->counters[WLANTEST_STA_COUNTER_DEAUTH_RX_RC6]++; | |
368 | else if (!(fc & WLAN_FC_ISWEP) && reason == 7) | |
369 | sta->counters[WLANTEST_STA_COUNTER_DEAUTH_RX_RC7]++; | |
e7ba4e2c | 370 | } else |
6d5ce9fc JM |
371 | sta->counters[valid ? WLANTEST_STA_COUNTER_VALID_DEAUTH_TX : |
372 | WLANTEST_STA_COUNTER_INVALID_DEAUTH_TX]++; | |
373 | ||
47fe6880 | 374 | if (!valid) { |
e4d99217 JM |
375 | add_note(wt, MSG_INFO, "Do not change STA " MACSTR " State " |
376 | "since Disassociation frame was not protected " | |
377 | "correctly", MAC2STR(sta->addr)); | |
47fe6880 JM |
378 | return; |
379 | } | |
2d73f0a8 JM |
380 | |
381 | if (sta->state != STATE1) { | |
e4d99217 JM |
382 | add_note(wt, MSG_DEBUG, "STA " MACSTR |
383 | " moved to State 1 with " MACSTR, | |
384 | MAC2STR(sta->addr), MAC2STR(bss->bssid)); | |
2d73f0a8 JM |
385 | sta->state = STATE1; |
386 | } | |
e4d99217 | 387 | tdls_link_down(wt, bss, sta); |
2d73f0a8 JM |
388 | } |
389 | ||
390 | ||
c72df3c6 JM |
391 | static const u8 * get_fils_session(const u8 *ies, size_t ies_len) |
392 | { | |
393 | const u8 *ie, *end; | |
394 | ||
395 | ie = ies; | |
396 | end = ((const u8 *) ie) + ies_len; | |
397 | while (ie + 1 < end) { | |
398 | if (ie + 2 + ie[1] > end) | |
399 | break; | |
400 | if (ie[0] == WLAN_EID_EXTENSION && | |
401 | ie[1] >= 1 + FILS_SESSION_LEN && | |
402 | ie[2] == WLAN_EID_EXT_FILS_SESSION) | |
403 | return ie; | |
404 | ie += 2 + ie[1]; | |
405 | } | |
406 | return NULL; | |
407 | } | |
408 | ||
409 | ||
410 | static int try_rmsk(struct wlantest *wt, struct wlantest_bss *bss, | |
411 | struct wlantest_sta *sta, struct wlantest_pmk *pmk, | |
412 | const u8 *frame_start, const u8 *frame_ad, | |
413 | const u8 *frame_ad_end, const u8 *encr_end) | |
414 | { | |
415 | size_t pmk_len = 0; | |
416 | u8 pmk_buf[PMK_LEN_MAX]; | |
417 | struct wpa_ptk ptk; | |
418 | u8 ick[FILS_ICK_MAX_LEN]; | |
419 | size_t ick_len; | |
420 | const u8 *aad[5]; | |
421 | size_t aad_len[5]; | |
422 | u8 buf[2000]; | |
423 | ||
424 | if (fils_rmsk_to_pmk(sta->key_mgmt, pmk->pmk, pmk->pmk_len, | |
425 | sta->snonce, sta->anonce, NULL, 0, | |
426 | pmk_buf, &pmk_len) < 0) | |
427 | return -1; | |
428 | ||
429 | if (fils_pmk_to_ptk(pmk_buf, pmk_len, sta->addr, bss->bssid, | |
4cada9dc JM |
430 | sta->snonce, sta->anonce, NULL, 0, |
431 | &ptk, ick, &ick_len, | |
c72df3c6 JM |
432 | sta->key_mgmt, sta->pairwise_cipher, |
433 | NULL, NULL) < 0) | |
434 | return -1; | |
435 | ||
436 | /* Check AES-SIV decryption with the derived key */ | |
437 | ||
438 | /* AES-SIV AAD vectors */ | |
439 | ||
440 | /* The STA's MAC address */ | |
441 | aad[0] = sta->addr; | |
442 | aad_len[0] = ETH_ALEN; | |
443 | /* The AP's BSSID */ | |
444 | aad[1] = bss->bssid; | |
445 | aad_len[1] = ETH_ALEN; | |
446 | /* The STA's nonce */ | |
447 | aad[2] = sta->snonce; | |
448 | aad_len[2] = FILS_NONCE_LEN; | |
449 | /* The AP's nonce */ | |
450 | aad[3] = sta->anonce; | |
451 | aad_len[3] = FILS_NONCE_LEN; | |
452 | /* | |
453 | * The (Re)Association Request frame from the Capability Information | |
454 | * field to the FILS Session element (both inclusive). | |
455 | */ | |
456 | aad[4] = frame_ad; | |
457 | aad_len[4] = frame_ad_end - frame_ad; | |
458 | ||
459 | if (encr_end - frame_ad_end < AES_BLOCK_SIZE || | |
460 | encr_end - frame_ad_end > sizeof(buf)) | |
461 | return -1; | |
462 | if (aes_siv_decrypt(ptk.kek, ptk.kek_len, | |
463 | frame_ad_end, encr_end - frame_ad_end, | |
464 | 5, aad, aad_len, buf) < 0) { | |
465 | wpa_printf(MSG_DEBUG, | |
466 | "FILS: Derived PTK did not match AES-SIV data"); | |
467 | return -1; | |
468 | } | |
469 | ||
470 | add_note(wt, MSG_DEBUG, "Derived FILS PTK"); | |
471 | os_memcpy(&sta->ptk, &ptk, sizeof(ptk)); | |
472 | sta->ptk_set = 1; | |
473 | sta->counters[WLANTEST_STA_COUNTER_PTK_LEARNED]++; | |
474 | wpa_hexdump(MSG_DEBUG, "FILS: Decrypted Association Request elements", | |
475 | buf, encr_end - frame_ad_end - AES_BLOCK_SIZE); | |
476 | ||
477 | if (wt->write_pcap_dumper || wt->pcapng) { | |
478 | write_pcap_decrypted(wt, frame_start, | |
479 | frame_ad_end - frame_start, | |
480 | buf, | |
481 | encr_end - frame_ad_end - AES_BLOCK_SIZE); | |
482 | } | |
483 | ||
484 | return 0; | |
485 | } | |
486 | ||
487 | ||
488 | static void derive_fils_keys(struct wlantest *wt, struct wlantest_bss *bss, | |
489 | struct wlantest_sta *sta, const u8 *frame_start, | |
490 | const u8 *frame_ad, const u8 *frame_ad_end, | |
491 | const u8 *encr_end) | |
492 | { | |
493 | struct wlantest_pmk *pmk; | |
494 | ||
495 | wpa_printf(MSG_DEBUG, "Trying to derive PTK for " MACSTR | |
496 | " from FILS rMSK", MAC2STR(sta->addr)); | |
497 | ||
498 | dl_list_for_each(pmk, &bss->pmk, struct wlantest_pmk, | |
499 | list) { | |
500 | wpa_printf(MSG_DEBUG, "Try per-BSS PMK"); | |
501 | if (try_rmsk(wt, bss, sta, pmk, frame_start, frame_ad, | |
502 | frame_ad_end, encr_end) == 0) | |
503 | return; | |
504 | } | |
505 | ||
506 | dl_list_for_each(pmk, &wt->pmk, struct wlantest_pmk, list) { | |
507 | wpa_printf(MSG_DEBUG, "Try global PMK"); | |
508 | if (try_rmsk(wt, bss, sta, pmk, frame_start, frame_ad, | |
509 | frame_ad_end, encr_end) == 0) | |
510 | return; | |
511 | } | |
512 | } | |
513 | ||
514 | ||
2d73f0a8 JM |
515 | static void rx_mgmt_assoc_req(struct wlantest *wt, const u8 *data, size_t len) |
516 | { | |
517 | const struct ieee80211_mgmt *mgmt; | |
518 | struct wlantest_bss *bss; | |
519 | struct wlantest_sta *sta; | |
021a6fe4 | 520 | struct ieee802_11_elems elems; |
c72df3c6 JM |
521 | const u8 *ie; |
522 | size_t ie_len; | |
2d73f0a8 JM |
523 | |
524 | mgmt = (const struct ieee80211_mgmt *) data; | |
525 | bss = bss_get(wt, mgmt->bssid); | |
526 | if (bss == NULL) | |
527 | return; | |
528 | sta = sta_get(bss, mgmt->sa); | |
529 | if (sta == NULL) | |
530 | return; | |
531 | ||
532 | if (len < 24 + 4) { | |
e4d99217 JM |
533 | add_note(wt, MSG_INFO, "Too short Association Request frame " |
534 | "from " MACSTR, MAC2STR(mgmt->sa)); | |
2d73f0a8 JM |
535 | return; |
536 | } | |
537 | ||
538 | wpa_printf(MSG_DEBUG, "ASSOCREQ " MACSTR " -> " MACSTR | |
539 | " (capab=0x%x listen_int=%u)", | |
540 | MAC2STR(mgmt->sa), MAC2STR(mgmt->da), | |
541 | le_to_host16(mgmt->u.assoc_req.capab_info), | |
542 | le_to_host16(mgmt->u.assoc_req.listen_interval)); | |
021a6fe4 | 543 | |
6d5ce9fc JM |
544 | sta->counters[WLANTEST_STA_COUNTER_ASSOCREQ_TX]++; |
545 | ||
c72df3c6 JM |
546 | ie = mgmt->u.assoc_req.variable; |
547 | ie_len = len - (mgmt->u.assoc_req.variable - data); | |
548 | ||
549 | if (sta->auth_alg == WLAN_AUTH_FILS_SK) { | |
550 | const u8 *session, *frame_ad, *frame_ad_end, *encr_end; | |
551 | ||
552 | session = get_fils_session(ie, ie_len); | |
553 | if (session) { | |
554 | frame_ad = (const u8 *) &mgmt->u.assoc_req.capab_info; | |
555 | frame_ad_end = session + 2 + session[1]; | |
556 | encr_end = data + len; | |
557 | derive_fils_keys(wt, bss, sta, data, frame_ad, | |
558 | frame_ad_end, encr_end); | |
559 | ie_len = session - ie; | |
560 | } | |
561 | } | |
562 | ||
563 | if (ieee802_11_parse_elems(ie, ie_len, &elems, 0) == ParseFailed) { | |
e4d99217 JM |
564 | add_note(wt, MSG_INFO, "Invalid IEs in Association Request " |
565 | "frame from " MACSTR, MAC2STR(mgmt->sa)); | |
021a6fe4 JM |
566 | return; |
567 | } | |
568 | ||
990153b4 JM |
569 | sta->assocreq_capab_info = le_to_host16(mgmt->u.assoc_req.capab_info); |
570 | sta->assocreq_listen_int = | |
571 | le_to_host16(mgmt->u.assoc_req.listen_interval); | |
572 | os_free(sta->assocreq_ies); | |
573 | sta->assocreq_ies_len = len - (mgmt->u.assoc_req.variable - data); | |
574 | sta->assocreq_ies = os_malloc(sta->assocreq_ies_len); | |
575 | if (sta->assocreq_ies) | |
576 | os_memcpy(sta->assocreq_ies, mgmt->u.assoc_req.variable, | |
577 | sta->assocreq_ies_len); | |
578 | ||
021a6fe4 | 579 | sta_update_assoc(sta, &elems); |
2d73f0a8 JM |
580 | } |
581 | ||
582 | ||
c72df3c6 JM |
583 | static void decrypt_fils_assoc_resp(struct wlantest *wt, |
584 | struct wlantest_bss *bss, | |
585 | struct wlantest_sta *sta, | |
586 | const u8 *frame_start, const u8 *frame_ad, | |
587 | const u8 *frame_ad_end, const u8 *encr_end) | |
588 | { | |
589 | const u8 *aad[5]; | |
590 | size_t aad_len[5]; | |
591 | u8 buf[2000]; | |
592 | ||
593 | if (!sta->ptk_set) | |
594 | return; | |
595 | ||
596 | /* Check AES-SIV decryption with the derived key */ | |
597 | ||
598 | /* AES-SIV AAD vectors */ | |
599 | ||
600 | /* The AP's BSSID */ | |
601 | aad[0] = bss->bssid; | |
602 | aad_len[0] = ETH_ALEN; | |
603 | /* The STA's MAC address */ | |
604 | aad[1] = sta->addr; | |
605 | aad_len[1] = ETH_ALEN; | |
606 | /* The AP's nonce */ | |
607 | aad[2] = sta->anonce; | |
608 | aad_len[2] = FILS_NONCE_LEN; | |
609 | /* The STA's nonce */ | |
610 | aad[3] = sta->snonce; | |
611 | aad_len[3] = FILS_NONCE_LEN; | |
612 | /* | |
613 | * The (Re)Association Response frame from the Capability Information | |
614 | * field to the FILS Session element (both inclusive). | |
615 | */ | |
616 | aad[4] = frame_ad; | |
617 | aad_len[4] = frame_ad_end - frame_ad; | |
618 | ||
619 | if (encr_end - frame_ad_end < AES_BLOCK_SIZE || | |
620 | encr_end - frame_ad_end > sizeof(buf)) | |
621 | return; | |
622 | if (aes_siv_decrypt(sta->ptk.kek, sta->ptk.kek_len, | |
623 | frame_ad_end, encr_end - frame_ad_end, | |
624 | 5, aad, aad_len, buf) < 0) { | |
625 | wpa_printf(MSG_DEBUG, | |
626 | "FILS: Derived PTK did not match AES-SIV data"); | |
627 | return; | |
628 | } | |
629 | ||
630 | wpa_hexdump(MSG_DEBUG, "FILS: Decrypted Association Response elements", | |
631 | buf, encr_end - frame_ad_end - AES_BLOCK_SIZE); | |
632 | ||
633 | if (wt->write_pcap_dumper || wt->pcapng) { | |
634 | write_pcap_decrypted(wt, frame_start, | |
635 | frame_ad_end - frame_start, | |
636 | buf, | |
637 | encr_end - frame_ad_end - AES_BLOCK_SIZE); | |
638 | } | |
639 | } | |
640 | ||
641 | ||
2d73f0a8 JM |
642 | static void rx_mgmt_assoc_resp(struct wlantest *wt, const u8 *data, size_t len) |
643 | { | |
644 | const struct ieee80211_mgmt *mgmt; | |
645 | struct wlantest_bss *bss; | |
646 | struct wlantest_sta *sta; | |
647 | u16 capab, status, aid; | |
3fb62bda JM |
648 | const u8 *ies; |
649 | size_t ies_len; | |
650 | struct wpa_ft_ies parse; | |
2d73f0a8 JM |
651 | |
652 | mgmt = (const struct ieee80211_mgmt *) data; | |
653 | bss = bss_get(wt, mgmt->bssid); | |
654 | if (bss == NULL) | |
655 | return; | |
656 | sta = sta_get(bss, mgmt->da); | |
657 | if (sta == NULL) | |
658 | return; | |
659 | ||
660 | if (len < 24 + 6) { | |
e4d99217 JM |
661 | add_note(wt, MSG_INFO, "Too short Association Response frame " |
662 | "from " MACSTR, MAC2STR(mgmt->sa)); | |
2d73f0a8 JM |
663 | return; |
664 | } | |
665 | ||
3fb62bda JM |
666 | ies = mgmt->u.assoc_resp.variable; |
667 | ies_len = len - (mgmt->u.assoc_resp.variable - data); | |
668 | ||
2d73f0a8 JM |
669 | capab = le_to_host16(mgmt->u.assoc_resp.capab_info); |
670 | status = le_to_host16(mgmt->u.assoc_resp.status_code); | |
671 | aid = le_to_host16(mgmt->u.assoc_resp.aid); | |
672 | ||
673 | wpa_printf(MSG_DEBUG, "ASSOCRESP " MACSTR " -> " MACSTR | |
674 | " (capab=0x%x status=%u aid=%u)", | |
675 | MAC2STR(mgmt->sa), MAC2STR(mgmt->da), capab, status, | |
676 | aid & 0x3fff); | |
677 | ||
c72df3c6 JM |
678 | if (sta->auth_alg == WLAN_AUTH_FILS_SK) { |
679 | const u8 *session, *frame_ad, *frame_ad_end, *encr_end; | |
680 | ||
681 | session = get_fils_session(ies, ies_len); | |
682 | if (session) { | |
683 | frame_ad = (const u8 *) &mgmt->u.assoc_resp.capab_info; | |
684 | frame_ad_end = session + 2 + session[1]; | |
685 | encr_end = data + len; | |
686 | decrypt_fils_assoc_resp(wt, bss, sta, data, frame_ad, | |
687 | frame_ad_end, encr_end); | |
688 | ies_len = session - ies; | |
689 | } | |
690 | } | |
691 | ||
cdd71e30 JM |
692 | if (status == WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY) { |
693 | struct ieee802_11_elems elems; | |
cdd71e30 JM |
694 | if (ieee802_11_parse_elems(ies, ies_len, &elems, 0) == |
695 | ParseFailed) { | |
e4d99217 JM |
696 | add_note(wt, MSG_INFO, "Failed to parse IEs in " |
697 | "AssocResp from " MACSTR, | |
698 | MAC2STR(mgmt->sa)); | |
6908d459 | 699 | } else if (elems.timeout_int == NULL || |
6908d459 JM |
700 | elems.timeout_int[0] != |
701 | WLAN_TIMEOUT_ASSOC_COMEBACK) { | |
e4d99217 JM |
702 | add_note(wt, MSG_INFO, "No valid Timeout Interval IE " |
703 | "with Assoc Comeback time in AssocResp " | |
704 | "(status=30) from " MACSTR, | |
705 | MAC2STR(mgmt->sa)); | |
cdd71e30 JM |
706 | } else { |
707 | sta->counters[ | |
708 | WLANTEST_STA_COUNTER_ASSOCRESP_COMEBACK]++; | |
709 | } | |
710 | } | |
711 | ||
2d73f0a8 JM |
712 | if (status) |
713 | return; | |
714 | ||
715 | if ((aid & 0xc000) != 0xc000) { | |
e4d99217 JM |
716 | add_note(wt, MSG_DEBUG, "Two MSBs of the AID were not set to 1 " |
717 | "in Association Response from " MACSTR, | |
718 | MAC2STR(mgmt->sa)); | |
2d73f0a8 JM |
719 | } |
720 | sta->aid = aid & 0xc000; | |
721 | ||
722 | if (sta->state < STATE2) { | |
e4d99217 JM |
723 | add_note(wt, MSG_DEBUG, |
724 | "STA " MACSTR " was not in State 2 when " | |
725 | "getting associated", MAC2STR(sta->addr)); | |
2d73f0a8 JM |
726 | } |
727 | ||
728 | if (sta->state < STATE3) { | |
e4d99217 JM |
729 | add_note(wt, MSG_DEBUG, "STA " MACSTR |
730 | " moved to State 3 with " MACSTR, | |
731 | MAC2STR(sta->addr), MAC2STR(bss->bssid)); | |
2d73f0a8 JM |
732 | sta->state = STATE3; |
733 | } | |
3fb62bda | 734 | |
9a33737a | 735 | if (wpa_ft_parse_ies(ies, ies_len, &parse, 0) == 0) { |
3fb62bda JM |
736 | if (parse.r0kh_id) { |
737 | os_memcpy(bss->r0kh_id, parse.r0kh_id, | |
738 | parse.r0kh_id_len); | |
739 | bss->r0kh_id_len = parse.r0kh_id_len; | |
740 | } | |
741 | if (parse.r1kh_id) | |
742 | os_memcpy(bss->r1kh_id, parse.r1kh_id, FT_R1KH_ID_LEN); | |
743 | } | |
2d73f0a8 JM |
744 | } |
745 | ||
746 | ||
747 | static void rx_mgmt_reassoc_req(struct wlantest *wt, const u8 *data, | |
748 | size_t len) | |
749 | { | |
750 | const struct ieee80211_mgmt *mgmt; | |
751 | struct wlantest_bss *bss; | |
752 | struct wlantest_sta *sta; | |
021a6fe4 | 753 | struct ieee802_11_elems elems; |
c72df3c6 JM |
754 | const u8 *ie; |
755 | size_t ie_len; | |
2d73f0a8 JM |
756 | |
757 | mgmt = (const struct ieee80211_mgmt *) data; | |
758 | bss = bss_get(wt, mgmt->bssid); | |
759 | if (bss == NULL) | |
760 | return; | |
761 | sta = sta_get(bss, mgmt->sa); | |
762 | if (sta == NULL) | |
763 | return; | |
764 | ||
765 | if (len < 24 + 4 + ETH_ALEN) { | |
e4d99217 JM |
766 | add_note(wt, MSG_INFO, "Too short Reassociation Request frame " |
767 | "from " MACSTR, MAC2STR(mgmt->sa)); | |
2d73f0a8 JM |
768 | return; |
769 | } | |
770 | ||
771 | wpa_printf(MSG_DEBUG, "REASSOCREQ " MACSTR " -> " MACSTR | |
772 | " (capab=0x%x listen_int=%u current_ap=" MACSTR ")", | |
773 | MAC2STR(mgmt->sa), MAC2STR(mgmt->da), | |
774 | le_to_host16(mgmt->u.reassoc_req.capab_info), | |
775 | le_to_host16(mgmt->u.reassoc_req.listen_interval), | |
776 | MAC2STR(mgmt->u.reassoc_req.current_ap)); | |
021a6fe4 | 777 | |
6d5ce9fc JM |
778 | sta->counters[WLANTEST_STA_COUNTER_REASSOCREQ_TX]++; |
779 | ||
c72df3c6 JM |
780 | ie = mgmt->u.reassoc_req.variable; |
781 | ie_len = len - (mgmt->u.reassoc_req.variable - data); | |
782 | ||
783 | if (sta->auth_alg == WLAN_AUTH_FILS_SK) { | |
784 | const u8 *session, *frame_ad, *frame_ad_end, *encr_end; | |
785 | ||
786 | session = get_fils_session(ie, ie_len); | |
787 | if (session) { | |
788 | frame_ad = (const u8 *) &mgmt->u.reassoc_req.capab_info; | |
789 | frame_ad_end = session + 2 + session[1]; | |
790 | encr_end = data + len; | |
791 | derive_fils_keys(wt, bss, sta, data, frame_ad, | |
792 | frame_ad_end, encr_end); | |
793 | ie_len = session - ie; | |
794 | } | |
795 | } | |
796 | ||
797 | if (ieee802_11_parse_elems(ie, ie_len, &elems, 0) == ParseFailed) { | |
e4d99217 JM |
798 | add_note(wt, MSG_INFO, "Invalid IEs in Reassociation Request " |
799 | "frame from " MACSTR, MAC2STR(mgmt->sa)); | |
021a6fe4 JM |
800 | return; |
801 | } | |
802 | ||
990153b4 JM |
803 | sta->assocreq_capab_info = |
804 | le_to_host16(mgmt->u.reassoc_req.capab_info); | |
805 | sta->assocreq_listen_int = | |
806 | le_to_host16(mgmt->u.reassoc_req.listen_interval); | |
807 | os_free(sta->assocreq_ies); | |
808 | sta->assocreq_ies_len = len - (mgmt->u.reassoc_req.variable - data); | |
809 | sta->assocreq_ies = os_malloc(sta->assocreq_ies_len); | |
810 | if (sta->assocreq_ies) | |
811 | os_memcpy(sta->assocreq_ies, mgmt->u.reassoc_req.variable, | |
812 | sta->assocreq_ies_len); | |
813 | ||
021a6fe4 | 814 | sta_update_assoc(sta, &elems); |
c38c62ff JM |
815 | |
816 | /* TODO: FT protocol: verify FTE MIC and update GTK/IGTK for the BSS */ | |
2d73f0a8 JM |
817 | } |
818 | ||
819 | ||
820 | static void rx_mgmt_reassoc_resp(struct wlantest *wt, const u8 *data, | |
821 | size_t len) | |
822 | { | |
823 | const struct ieee80211_mgmt *mgmt; | |
824 | struct wlantest_bss *bss; | |
825 | struct wlantest_sta *sta; | |
826 | u16 capab, status, aid; | |
c72df3c6 JM |
827 | const u8 *ies; |
828 | size_t ies_len; | |
2d73f0a8 JM |
829 | |
830 | mgmt = (const struct ieee80211_mgmt *) data; | |
831 | bss = bss_get(wt, mgmt->bssid); | |
832 | if (bss == NULL) | |
833 | return; | |
834 | sta = sta_get(bss, mgmt->da); | |
835 | if (sta == NULL) | |
836 | return; | |
837 | ||
838 | if (len < 24 + 6) { | |
e4d99217 JM |
839 | add_note(wt, MSG_INFO, "Too short Reassociation Response frame " |
840 | "from " MACSTR, MAC2STR(mgmt->sa)); | |
2d73f0a8 JM |
841 | return; |
842 | } | |
843 | ||
c72df3c6 JM |
844 | ies = mgmt->u.reassoc_resp.variable; |
845 | ies_len = len - (mgmt->u.reassoc_resp.variable - data); | |
846 | ||
2d73f0a8 JM |
847 | capab = le_to_host16(mgmt->u.reassoc_resp.capab_info); |
848 | status = le_to_host16(mgmt->u.reassoc_resp.status_code); | |
849 | aid = le_to_host16(mgmt->u.reassoc_resp.aid); | |
850 | ||
851 | wpa_printf(MSG_DEBUG, "REASSOCRESP " MACSTR " -> " MACSTR | |
852 | " (capab=0x%x status=%u aid=%u)", | |
853 | MAC2STR(mgmt->sa), MAC2STR(mgmt->da), capab, status, | |
854 | aid & 0x3fff); | |
855 | ||
c72df3c6 JM |
856 | if (sta->auth_alg == WLAN_AUTH_FILS_SK) { |
857 | const u8 *session, *frame_ad, *frame_ad_end, *encr_end; | |
858 | ||
859 | session = get_fils_session(ies, ies_len); | |
860 | if (session) { | |
861 | frame_ad = (const u8 *) | |
862 | &mgmt->u.reassoc_resp.capab_info; | |
863 | frame_ad_end = session + 2 + session[1]; | |
864 | encr_end = data + len; | |
865 | decrypt_fils_assoc_resp(wt, bss, sta, data, frame_ad, | |
866 | frame_ad_end, encr_end); | |
867 | ies_len = session - ies; | |
868 | } | |
869 | } | |
870 | ||
cdd71e30 JM |
871 | if (status == WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY) { |
872 | struct ieee802_11_elems elems; | |
c72df3c6 | 873 | |
cdd71e30 JM |
874 | if (ieee802_11_parse_elems(ies, ies_len, &elems, 0) == |
875 | ParseFailed) { | |
e4d99217 JM |
876 | add_note(wt, MSG_INFO, "Failed to parse IEs in " |
877 | "ReassocResp from " MACSTR, | |
878 | MAC2STR(mgmt->sa)); | |
6908d459 | 879 | } else if (elems.timeout_int == NULL || |
6908d459 JM |
880 | elems.timeout_int[0] != |
881 | WLAN_TIMEOUT_ASSOC_COMEBACK) { | |
e4d99217 JM |
882 | add_note(wt, MSG_INFO, "No valid Timeout Interval IE " |
883 | "with Assoc Comeback time in ReassocResp " | |
884 | "(status=30) from " MACSTR, | |
885 | MAC2STR(mgmt->sa)); | |
cdd71e30 JM |
886 | } else { |
887 | sta->counters[ | |
888 | WLANTEST_STA_COUNTER_REASSOCRESP_COMEBACK]++; | |
889 | } | |
890 | } | |
891 | ||
2d73f0a8 JM |
892 | if (status) |
893 | return; | |
894 | ||
895 | if ((aid & 0xc000) != 0xc000) { | |
e4d99217 JM |
896 | add_note(wt, MSG_DEBUG, "Two MSBs of the AID were not set to 1 " |
897 | "in Reassociation Response from " MACSTR, | |
898 | MAC2STR(mgmt->sa)); | |
2d73f0a8 JM |
899 | } |
900 | sta->aid = aid & 0xc000; | |
901 | ||
902 | if (sta->state < STATE2) { | |
e4d99217 JM |
903 | add_note(wt, MSG_DEBUG, |
904 | "STA " MACSTR " was not in State 2 when " | |
905 | "getting associated", MAC2STR(sta->addr)); | |
2d73f0a8 JM |
906 | } |
907 | ||
908 | if (sta->state < STATE3) { | |
e4d99217 JM |
909 | add_note(wt, MSG_DEBUG, "STA " MACSTR |
910 | " moved to State 3 with " MACSTR, | |
911 | MAC2STR(sta->addr), MAC2STR(bss->bssid)); | |
2d73f0a8 JM |
912 | sta->state = STATE3; |
913 | } | |
914 | } | |
915 | ||
916 | ||
e4d99217 | 917 | static void disassoc_all_stas(struct wlantest *wt, struct wlantest_bss *bss) |
38484f69 JM |
918 | { |
919 | struct wlantest_sta *sta; | |
920 | dl_list_for_each(sta, &bss->sta, struct wlantest_sta, list) { | |
921 | if (sta->state <= STATE2) | |
922 | continue; | |
e4d99217 JM |
923 | add_note(wt, MSG_DEBUG, "STA " MACSTR |
924 | " moved to State 2 with " MACSTR, | |
925 | MAC2STR(sta->addr), MAC2STR(bss->bssid)); | |
38484f69 JM |
926 | sta->state = STATE2; |
927 | } | |
928 | } | |
929 | ||
930 | ||
47fe6880 JM |
931 | static void rx_mgmt_disassoc(struct wlantest *wt, const u8 *data, size_t len, |
932 | int valid) | |
2d73f0a8 JM |
933 | { |
934 | const struct ieee80211_mgmt *mgmt; | |
935 | struct wlantest_bss *bss; | |
936 | struct wlantest_sta *sta; | |
62f05ce9 | 937 | u16 fc, reason; |
2d73f0a8 JM |
938 | |
939 | mgmt = (const struct ieee80211_mgmt *) data; | |
940 | bss = bss_get(wt, mgmt->bssid); | |
941 | if (bss == NULL) | |
942 | return; | |
943 | if (os_memcmp(mgmt->sa, mgmt->bssid, ETH_ALEN) == 0) | |
944 | sta = sta_get(bss, mgmt->da); | |
945 | else | |
946 | sta = sta_get(bss, mgmt->sa); | |
2d73f0a8 JM |
947 | |
948 | if (len < 24 + 2) { | |
e4d99217 JM |
949 | add_note(wt, MSG_INFO, "Too short Disassociation frame from " |
950 | MACSTR, MAC2STR(mgmt->sa)); | |
2d73f0a8 JM |
951 | return; |
952 | } | |
953 | ||
62f05ce9 | 954 | reason = le_to_host16(mgmt->u.disassoc.reason_code); |
2d73f0a8 | 955 | wpa_printf(MSG_DEBUG, "DISASSOC " MACSTR " -> " MACSTR |
107ad4e3 | 956 | " (reason=%u) (valid=%d)", |
2d73f0a8 | 957 | MAC2STR(mgmt->sa), MAC2STR(mgmt->da), |
62f05ce9 | 958 | reason, valid); |
47fe6880 JM |
959 | wpa_hexdump(MSG_MSGDUMP, "DISASSOC payload", data + 24, len - 24); |
960 | ||
38484f69 JM |
961 | if (sta == NULL) { |
962 | if (valid && mgmt->da[0] == 0xff) | |
e4d99217 | 963 | disassoc_all_stas(wt, bss); |
107ad4e3 | 964 | return; |
38484f69 | 965 | } |
107ad4e3 | 966 | |
e7ba4e2c | 967 | if (os_memcmp(mgmt->sa, mgmt->bssid, ETH_ALEN) == 0) { |
6d5ce9fc JM |
968 | sta->counters[valid ? WLANTEST_STA_COUNTER_VALID_DISASSOC_RX : |
969 | WLANTEST_STA_COUNTER_INVALID_DISASSOC_RX]++; | |
e7ba4e2c JM |
970 | if (sta->pwrmgt && !sta->pspoll) |
971 | sta->counters[ | |
972 | WLANTEST_STA_COUNTER_DISASSOC_RX_ASLEEP]++; | |
973 | else | |
974 | sta->counters[ | |
975 | WLANTEST_STA_COUNTER_DISASSOC_RX_AWAKE]++; | |
62f05ce9 JM |
976 | |
977 | fc = le_to_host16(mgmt->frame_control); | |
978 | if (!(fc & WLAN_FC_ISWEP) && reason == 6) | |
979 | sta->counters[WLANTEST_STA_COUNTER_DISASSOC_RX_RC6]++; | |
980 | else if (!(fc & WLAN_FC_ISWEP) && reason == 7) | |
981 | sta->counters[WLANTEST_STA_COUNTER_DISASSOC_RX_RC7]++; | |
e7ba4e2c | 982 | } else |
6d5ce9fc JM |
983 | sta->counters[valid ? WLANTEST_STA_COUNTER_VALID_DISASSOC_TX : |
984 | WLANTEST_STA_COUNTER_INVALID_DISASSOC_TX]++; | |
985 | ||
47fe6880 | 986 | if (!valid) { |
e4d99217 JM |
987 | add_note(wt, MSG_INFO, "Do not change STA " MACSTR " State " |
988 | "since Disassociation frame was not protected " | |
989 | "correctly", MAC2STR(sta->addr)); | |
47fe6880 JM |
990 | return; |
991 | } | |
2d73f0a8 JM |
992 | |
993 | if (sta->state < STATE2) { | |
e4d99217 JM |
994 | add_note(wt, MSG_DEBUG, |
995 | "STA " MACSTR " was not in State 2 or 3 " | |
996 | "when getting disassociated", MAC2STR(sta->addr)); | |
2d73f0a8 JM |
997 | } |
998 | ||
999 | if (sta->state > STATE2) { | |
e4d99217 JM |
1000 | add_note(wt, MSG_DEBUG, "STA " MACSTR |
1001 | " moved to State 2 with " MACSTR, | |
1002 | MAC2STR(sta->addr), MAC2STR(bss->bssid)); | |
2d73f0a8 JM |
1003 | sta->state = STATE2; |
1004 | } | |
e4d99217 | 1005 | tdls_link_down(wt, bss, sta); |
2d73f0a8 JM |
1006 | } |
1007 | ||
1008 | ||
c38c62ff JM |
1009 | static void rx_mgmt_action_ft_request(struct wlantest *wt, |
1010 | const struct ieee80211_mgmt *mgmt, | |
1011 | size_t len) | |
1012 | { | |
1013 | const u8 *ies; | |
1014 | size_t ies_len; | |
1015 | struct wpa_ft_ies parse; | |
1016 | struct wlantest_bss *bss; | |
1017 | struct wlantest_sta *sta; | |
1018 | ||
1019 | if (len < 24 + 2 + 2 * ETH_ALEN) { | |
1020 | add_note(wt, MSG_INFO, "Too short FT Request frame"); | |
1021 | return; | |
1022 | } | |
1023 | ||
1024 | wpa_printf(MSG_DEBUG, "FT Request: STA Address: " MACSTR | |
1025 | " Target AP Address: " MACSTR, | |
1026 | MAC2STR(mgmt->u.action.u.ft_action_req.sta_addr), | |
1027 | MAC2STR(mgmt->u.action.u.ft_action_req.target_ap_addr)); | |
1028 | ies = mgmt->u.action.u.ft_action_req.variable; | |
1029 | ies_len = len - (24 + 2 + 2 * ETH_ALEN); | |
1030 | wpa_hexdump(MSG_DEBUG, "FT Request frame body", ies, ies_len); | |
1031 | ||
1032 | if (wpa_ft_parse_ies(ies, ies_len, &parse, -1)) { | |
1033 | add_note(wt, MSG_INFO, "Could not parse FT Request frame body"); | |
1034 | return; | |
1035 | } | |
1036 | ||
1037 | bss = bss_get(wt, mgmt->u.action.u.ft_action_resp.target_ap_addr); | |
1038 | if (!bss) { | |
1039 | add_note(wt, MSG_INFO, "No BSS entry for Target AP"); | |
1040 | return; | |
1041 | } | |
1042 | ||
1043 | sta = sta_get(bss, mgmt->sa); | |
1044 | if (!sta) | |
1045 | return; | |
1046 | ||
1047 | sta->key_mgmt = parse.key_mgmt; | |
1048 | sta->pairwise_cipher = parse.pairwise_cipher; | |
1049 | } | |
1050 | ||
1051 | ||
1052 | static void rx_mgmt_action_ft_response(struct wlantest *wt, | |
1053 | struct wlantest_sta *sta, | |
1054 | const struct ieee80211_mgmt *mgmt, | |
1055 | size_t len) | |
1056 | { | |
1057 | struct wlantest_bss *bss; | |
1058 | struct wlantest_sta *new_sta; | |
1059 | const u8 *ies; | |
1060 | size_t ies_len; | |
1061 | struct wpa_ft_ies parse; | |
1062 | u8 pmk_r1[PMK_LEN]; | |
1063 | u8 pmk_r1_name[WPA_PMK_NAME_LEN]; | |
1064 | struct wpa_ptk ptk; | |
1065 | u8 ptk_name[WPA_PMK_NAME_LEN]; | |
1066 | ||
1067 | if (len < 24 + 2 + 2 * ETH_ALEN + 2) { | |
1068 | add_note(wt, MSG_INFO, "Too short FT Response frame from " | |
1069 | MACSTR, MAC2STR(mgmt->sa)); | |
1070 | return; | |
1071 | } | |
1072 | ||
1073 | wpa_printf(MSG_DEBUG, "FT Response: STA Address: " MACSTR | |
1074 | " Target AP Address: " MACSTR " Status Code: %u", | |
1075 | MAC2STR(mgmt->u.action.u.ft_action_resp.sta_addr), | |
1076 | MAC2STR(mgmt->u.action.u.ft_action_resp.target_ap_addr), | |
1077 | le_to_host16(mgmt->u.action.u.ft_action_resp.status_code)); | |
1078 | ies = mgmt->u.action.u.ft_action_req.variable; | |
1079 | ies_len = len - (24 + 2 + 2 * ETH_ALEN); | |
1080 | wpa_hexdump(MSG_DEBUG, "FT Response frame body", ies, ies_len); | |
1081 | ||
1082 | if (wpa_ft_parse_ies(ies, ies_len, &parse, -1)) { | |
1083 | add_note(wt, MSG_INFO, | |
1084 | "Could not parse FT Response frame body"); | |
1085 | return; | |
1086 | } | |
1087 | ||
1088 | bss = bss_get(wt, mgmt->u.action.u.ft_action_resp.target_ap_addr); | |
1089 | if (!bss) { | |
1090 | add_note(wt, MSG_INFO, "No BSS entry for Target AP"); | |
1091 | return; | |
1092 | } | |
1093 | ||
1094 | if (parse.r1kh_id) | |
1095 | os_memcpy(bss->r1kh_id, parse.r1kh_id, FT_R1KH_ID_LEN); | |
1096 | ||
1097 | if (wpa_derive_pmk_r1(sta->pmk_r0, PMK_LEN, sta->pmk_r0_name, | |
1098 | bss->r1kh_id, sta->addr, pmk_r1, pmk_r1_name) < 0) | |
1099 | return; | |
1100 | wpa_hexdump(MSG_DEBUG, "FT: PMKR1Name", pmk_r1_name, WPA_PMK_NAME_LEN); | |
1101 | ||
1102 | new_sta = sta_get(bss, sta->addr); | |
1103 | if (!new_sta) | |
1104 | return; | |
1105 | os_memcpy(new_sta->pmk_r0, sta->pmk_r0, sizeof(sta->pmk_r0)); | |
1106 | os_memcpy(new_sta->pmk_r0_name, sta->pmk_r0_name, | |
1107 | sizeof(sta->pmk_r0_name)); | |
1108 | if (!parse.fte_anonce || !parse.fte_snonce || | |
1109 | wpa_pmk_r1_to_ptk(pmk_r1, PMK_LEN, parse.fte_snonce, | |
1110 | parse.fte_anonce, new_sta->addr, bss->bssid, | |
1111 | pmk_r1_name, &ptk, ptk_name, new_sta->key_mgmt, | |
1112 | new_sta->pairwise_cipher) < 0) | |
1113 | return; | |
1114 | ||
1115 | add_note(wt, MSG_DEBUG, "Derived new PTK"); | |
1116 | os_memcpy(&new_sta->ptk, &ptk, sizeof(ptk)); | |
1117 | new_sta->ptk_set = 1; | |
1118 | os_memset(new_sta->rsc_tods, 0, sizeof(new_sta->rsc_tods)); | |
1119 | os_memset(new_sta->rsc_fromds, 0, sizeof(new_sta->rsc_fromds)); | |
1120 | } | |
1121 | ||
1122 | ||
1123 | static void rx_mgmt_action_ft(struct wlantest *wt, struct wlantest_sta *sta, | |
1124 | const struct ieee80211_mgmt *mgmt, | |
1125 | size_t len, int valid) | |
1126 | { | |
1127 | if (len < 24 + 2) { | |
1128 | add_note(wt, MSG_INFO, "Too short FT Action frame from " MACSTR, | |
1129 | MAC2STR(mgmt->sa)); | |
1130 | return; | |
1131 | } | |
1132 | ||
1133 | switch (mgmt->u.action.u.ft_action_req.action) { | |
1134 | case 1: | |
1135 | rx_mgmt_action_ft_request(wt, mgmt, len); | |
1136 | break; | |
1137 | case 2: | |
1138 | rx_mgmt_action_ft_response(wt, sta, mgmt, len); | |
1139 | break; | |
1140 | default: | |
1141 | add_note(wt, MSG_INFO, "Unsupported FT action value %u from " | |
1142 | MACSTR, mgmt->u.action.u.ft_action_req.action, | |
1143 | MAC2STR(mgmt->sa)); | |
1144 | } | |
1145 | } | |
1146 | ||
1147 | ||
6d5ce9fc JM |
1148 | static void rx_mgmt_action_sa_query_req(struct wlantest *wt, |
1149 | struct wlantest_sta *sta, | |
1150 | const struct ieee80211_mgmt *mgmt, | |
1151 | size_t len, int valid) | |
1152 | { | |
1153 | const u8 *rx_id; | |
1154 | u8 *id; | |
1155 | ||
1156 | rx_id = (const u8 *) mgmt->u.action.u.sa_query_req.trans_id; | |
1157 | if (os_memcmp(mgmt->sa, mgmt->bssid, ETH_ALEN) == 0) | |
1158 | id = sta->ap_sa_query_tr; | |
1159 | else | |
1160 | id = sta->sta_sa_query_tr; | |
e4d99217 JM |
1161 | add_note(wt, MSG_INFO, "SA Query Request " MACSTR " -> " MACSTR |
1162 | " (trans_id=%02x%02x)%s", | |
1163 | MAC2STR(mgmt->sa), MAC2STR(mgmt->da), rx_id[0], rx_id[1], | |
1164 | valid ? "" : " (invalid protection)"); | |
6d5ce9fc JM |
1165 | os_memcpy(id, mgmt->u.action.u.sa_query_req.trans_id, 2); |
1166 | if (os_memcmp(mgmt->sa, sta->addr, ETH_ALEN) == 0) | |
1167 | sta->counters[valid ? | |
1168 | WLANTEST_STA_COUNTER_VALID_SAQUERYREQ_TX : | |
1169 | WLANTEST_STA_COUNTER_INVALID_SAQUERYREQ_TX]++; | |
1170 | else | |
1171 | sta->counters[valid ? | |
1172 | WLANTEST_STA_COUNTER_VALID_SAQUERYREQ_RX : | |
1173 | WLANTEST_STA_COUNTER_INVALID_SAQUERYREQ_RX]++; | |
1174 | } | |
1175 | ||
1176 | ||
1177 | static void rx_mgmt_action_sa_query_resp(struct wlantest *wt, | |
1178 | struct wlantest_sta *sta, | |
1179 | const struct ieee80211_mgmt *mgmt, | |
1180 | size_t len, int valid) | |
1181 | { | |
1182 | const u8 *rx_id; | |
1183 | u8 *id; | |
1184 | int match; | |
1185 | ||
1186 | rx_id = (const u8 *) mgmt->u.action.u.sa_query_resp.trans_id; | |
1187 | if (os_memcmp(mgmt->sa, mgmt->bssid, ETH_ALEN) == 0) | |
1188 | id = sta->sta_sa_query_tr; | |
1189 | else | |
1190 | id = sta->ap_sa_query_tr; | |
1191 | match = os_memcmp(rx_id, id, 2) == 0; | |
e4d99217 JM |
1192 | add_note(wt, MSG_INFO, "SA Query Response " MACSTR " -> " MACSTR |
1193 | " (trans_id=%02x%02x; %s)%s", | |
1194 | MAC2STR(mgmt->sa), MAC2STR(mgmt->da), rx_id[0], rx_id[1], | |
1195 | match ? "match" : "mismatch", | |
1196 | valid ? "" : " (invalid protection)"); | |
6d5ce9fc JM |
1197 | if (os_memcmp(mgmt->sa, sta->addr, ETH_ALEN) == 0) |
1198 | sta->counters[(valid && match) ? | |
1199 | WLANTEST_STA_COUNTER_VALID_SAQUERYRESP_TX : | |
1200 | WLANTEST_STA_COUNTER_INVALID_SAQUERYRESP_TX]++; | |
1201 | else | |
1202 | sta->counters[(valid && match) ? | |
1203 | WLANTEST_STA_COUNTER_VALID_SAQUERYRESP_RX : | |
1204 | WLANTEST_STA_COUNTER_INVALID_SAQUERYRESP_RX]++; | |
1205 | } | |
1206 | ||
1207 | ||
0819b65b JM |
1208 | static void rx_mgmt_action_sa_query(struct wlantest *wt, |
1209 | struct wlantest_sta *sta, | |
1210 | const struct ieee80211_mgmt *mgmt, | |
2102ecf0 | 1211 | size_t len, int valid) |
0819b65b | 1212 | { |
0819b65b | 1213 | if (len < 24 + 2 + WLAN_SA_QUERY_TR_ID_LEN) { |
e4d99217 JM |
1214 | add_note(wt, MSG_INFO, "Too short SA Query frame from " MACSTR, |
1215 | MAC2STR(mgmt->sa)); | |
0819b65b JM |
1216 | return; |
1217 | } | |
1218 | ||
1219 | if (len > 24 + 2 + WLAN_SA_QUERY_TR_ID_LEN) { | |
1220 | size_t elen = len - (24 + 2 + WLAN_SA_QUERY_TR_ID_LEN); | |
e4d99217 JM |
1221 | add_note(wt, MSG_INFO, "Unexpected %u octets of extra data at " |
1222 | "the end of SA Query frame from " MACSTR, | |
1223 | (unsigned) elen, MAC2STR(mgmt->sa)); | |
0819b65b JM |
1224 | wpa_hexdump(MSG_INFO, "SA Query extra data", |
1225 | ((const u8 *) mgmt) + len - elen, elen); | |
1226 | } | |
1227 | ||
1228 | switch (mgmt->u.action.u.sa_query_req.action) { | |
1229 | case WLAN_SA_QUERY_REQUEST: | |
6d5ce9fc | 1230 | rx_mgmt_action_sa_query_req(wt, sta, mgmt, len, valid); |
0819b65b JM |
1231 | break; |
1232 | case WLAN_SA_QUERY_RESPONSE: | |
6d5ce9fc | 1233 | rx_mgmt_action_sa_query_resp(wt, sta, mgmt, len, valid); |
0819b65b JM |
1234 | break; |
1235 | default: | |
e4d99217 JM |
1236 | add_note(wt, MSG_INFO, "Unexpected SA Query action value %u " |
1237 | "from " MACSTR, | |
1238 | mgmt->u.action.u.sa_query_req.action, | |
1239 | MAC2STR(mgmt->sa)); | |
0819b65b JM |
1240 | } |
1241 | } | |
1242 | ||
1243 | ||
2102ecf0 JM |
1244 | static void rx_mgmt_action(struct wlantest *wt, const u8 *data, size_t len, |
1245 | int valid) | |
0819b65b JM |
1246 | { |
1247 | const struct ieee80211_mgmt *mgmt; | |
1248 | struct wlantest_bss *bss; | |
1249 | struct wlantest_sta *sta; | |
1250 | ||
1251 | mgmt = (const struct ieee80211_mgmt *) data; | |
ad41bb2e | 1252 | if (mgmt->da[0] & 0x01) { |
e4d99217 JM |
1253 | add_note(wt, MSG_DEBUG, "Group addressed Action frame: DA=" |
1254 | MACSTR " SA=" MACSTR " BSSID=" MACSTR | |
1255 | " category=%u", | |
1256 | MAC2STR(mgmt->da), MAC2STR(mgmt->sa), | |
1257 | MAC2STR(mgmt->bssid), mgmt->u.action.category); | |
0819b65b | 1258 | return; /* Ignore group addressed Action frames for now */ |
ad41bb2e | 1259 | } |
0819b65b JM |
1260 | bss = bss_get(wt, mgmt->bssid); |
1261 | if (bss == NULL) | |
1262 | return; | |
1263 | if (os_memcmp(mgmt->sa, mgmt->bssid, ETH_ALEN) == 0) | |
1264 | sta = sta_get(bss, mgmt->da); | |
1265 | else | |
1266 | sta = sta_get(bss, mgmt->sa); | |
1267 | if (sta == NULL) | |
1268 | return; | |
1269 | ||
1270 | if (len < 24 + 1) { | |
e4d99217 JM |
1271 | add_note(wt, MSG_INFO, "Too short Action frame from " MACSTR, |
1272 | MAC2STR(mgmt->sa)); | |
0819b65b JM |
1273 | return; |
1274 | } | |
1275 | ||
1276 | wpa_printf(MSG_DEBUG, "ACTION " MACSTR " -> " MACSTR | |
2102ecf0 | 1277 | " (category=%u) (valid=%d)", |
0819b65b | 1278 | MAC2STR(mgmt->sa), MAC2STR(mgmt->da), |
2102ecf0 | 1279 | mgmt->u.action.category, valid); |
0819b65b JM |
1280 | wpa_hexdump(MSG_MSGDUMP, "ACTION payload", data + 24, len - 24); |
1281 | ||
1282 | if (mgmt->u.action.category != WLAN_ACTION_PUBLIC && | |
1283 | sta->state < STATE3) { | |
e4d99217 JM |
1284 | add_note(wt, MSG_INFO, "Action frame sent when STA is not in " |
1285 | "State 3 (SA=" MACSTR " DATA=" MACSTR ")", | |
1286 | MAC2STR(mgmt->sa), MAC2STR(mgmt->da)); | |
0819b65b JM |
1287 | } |
1288 | ||
1289 | switch (mgmt->u.action.category) { | |
c38c62ff JM |
1290 | case WLAN_ACTION_FT: |
1291 | rx_mgmt_action_ft(wt, sta, mgmt, len, valid); | |
1292 | break; | |
0819b65b | 1293 | case WLAN_ACTION_SA_QUERY: |
2102ecf0 | 1294 | rx_mgmt_action_sa_query(wt, sta, mgmt, len, valid); |
0819b65b JM |
1295 | break; |
1296 | } | |
1297 | } | |
1298 | ||
1299 | ||
0e1aa64d JM |
1300 | static int check_mmie_mic(unsigned int mgmt_group_cipher, |
1301 | const u8 *igtk, size_t igtk_len, | |
cb80fada | 1302 | const u8 *data, size_t len) |
bacc3128 JM |
1303 | { |
1304 | u8 *buf; | |
1305 | u8 mic[16]; | |
1306 | u16 fc; | |
1307 | const struct ieee80211_hdr *hdr; | |
cb80fada JM |
1308 | int ret, mic_len; |
1309 | ||
0e1aa64d | 1310 | if (!mgmt_group_cipher || igtk_len < 16) |
cb80fada | 1311 | return -1; |
0e1aa64d | 1312 | mic_len = mgmt_group_cipher == WPA_CIPHER_AES_128_CMAC ? 8 : 16; |
cb80fada JM |
1313 | |
1314 | if (len < 24 || len - 24 < mic_len) | |
1315 | return -1; | |
bacc3128 JM |
1316 | |
1317 | buf = os_malloc(len + 20 - 24); | |
1318 | if (buf == NULL) | |
1319 | return -1; | |
1320 | ||
1321 | /* BIP AAD: FC(masked) A1 A2 A3 */ | |
1322 | hdr = (const struct ieee80211_hdr *) data; | |
1323 | fc = le_to_host16(hdr->frame_control); | |
1324 | fc &= ~(WLAN_FC_RETRY | WLAN_FC_PWRMGT | WLAN_FC_MOREDATA); | |
1325 | WPA_PUT_LE16(buf, fc); | |
1326 | os_memcpy(buf + 2, hdr->addr1, 3 * ETH_ALEN); | |
1327 | ||
1328 | /* Frame body with MMIE MIC masked to zero */ | |
cb80fada JM |
1329 | os_memcpy(buf + 20, data + 24, len - 24 - mic_len); |
1330 | os_memset(buf + 20 + len - 24 - mic_len, 0, mic_len); | |
bacc3128 JM |
1331 | |
1332 | wpa_hexdump(MSG_MSGDUMP, "BIP: AAD|Body(masked)", buf, len + 20 - 24); | |
1333 | /* MIC = L(AES-128-CMAC(AAD || Frame Body(masked)), 0, 64) */ | |
0e1aa64d | 1334 | if (mgmt_group_cipher == WPA_CIPHER_AES_128_CMAC) { |
cb80fada | 1335 | ret = omac1_aes_128(igtk, buf, len + 20 - 24, mic); |
0e1aa64d JM |
1336 | } else if (mgmt_group_cipher == WPA_CIPHER_BIP_CMAC_256) { |
1337 | ret = omac1_aes_256(igtk, buf, len + 20 - 24, mic); | |
1338 | } else if (mgmt_group_cipher == WPA_CIPHER_BIP_GMAC_128 || | |
1339 | mgmt_group_cipher == WPA_CIPHER_BIP_GMAC_256) { | |
1340 | u8 nonce[12], *npos; | |
1341 | const u8 *ipn; | |
1342 | ||
1343 | ipn = data + len - mic_len - 6; | |
1344 | ||
1345 | /* Nonce: A2 | IPN */ | |
1346 | os_memcpy(nonce, hdr->addr2, ETH_ALEN); | |
1347 | npos = nonce + ETH_ALEN; | |
1348 | *npos++ = ipn[5]; | |
1349 | *npos++ = ipn[4]; | |
1350 | *npos++ = ipn[3]; | |
1351 | *npos++ = ipn[2]; | |
1352 | *npos++ = ipn[1]; | |
1353 | *npos++ = ipn[0]; | |
1354 | ||
1355 | ret = aes_gmac(igtk, igtk_len, nonce, sizeof(nonce), | |
1356 | buf, len + 20 - 24, mic); | |
1357 | } else { | |
1358 | ret = -1; | |
1359 | } | |
cb80fada | 1360 | if (ret < 0) { |
bacc3128 JM |
1361 | os_free(buf); |
1362 | return -1; | |
1363 | } | |
1364 | ||
1365 | os_free(buf); | |
1366 | ||
cb80fada | 1367 | if (os_memcmp(data + len - mic_len, mic, mic_len) != 0) |
bacc3128 JM |
1368 | return -1; |
1369 | ||
1370 | return 0; | |
1371 | } | |
1372 | ||
1373 | ||
1374 | static int check_bip(struct wlantest *wt, const u8 *data, size_t len) | |
1375 | { | |
1376 | const struct ieee80211_mgmt *mgmt; | |
1377 | u16 fc, stype; | |
1378 | const u8 *mmie; | |
f3b9ed70 | 1379 | u16 keyid; |
bacc3128 | 1380 | struct wlantest_bss *bss; |
cb80fada | 1381 | size_t mic_len; |
bacc3128 JM |
1382 | |
1383 | mgmt = (const struct ieee80211_mgmt *) data; | |
1384 | fc = le_to_host16(mgmt->frame_control); | |
1385 | stype = WLAN_FC_GET_STYPE(fc); | |
1386 | ||
1387 | if (stype == WLAN_FC_STYPE_ACTION) { | |
1388 | if (len < 24 + 1) | |
1389 | return 0; | |
1390 | if (mgmt->u.action.category == WLAN_ACTION_PUBLIC) | |
1391 | return 0; /* Not a robust management frame */ | |
1392 | } | |
1393 | ||
1394 | bss = bss_get(wt, mgmt->bssid); | |
1395 | if (bss == NULL) | |
1396 | return 0; /* No key known yet */ | |
1397 | ||
0e1aa64d | 1398 | mic_len = bss->mgmt_group_cipher == WPA_CIPHER_AES_128_CMAC ? 8 : 16; |
cb80fada JM |
1399 | |
1400 | if (len < 24 + 10 + mic_len || | |
1401 | data[len - (10 + mic_len)] != WLAN_EID_MMIE || | |
1402 | data[len - (10 + mic_len - 1)] != 8 + mic_len) { | |
bacc3128 | 1403 | /* No MMIE */ |
994d6a88 | 1404 | if (bss->rsn_capab & WPA_CAPABILITY_MFPC) { |
e4d99217 JM |
1405 | add_note(wt, MSG_INFO, "Robust group-addressed " |
1406 | "management frame sent without BIP by " | |
1407 | MACSTR, MAC2STR(mgmt->sa)); | |
6d5ce9fc | 1408 | bss->counters[WLANTEST_BSS_COUNTER_MISSING_BIP_MMIE]++; |
bacc3128 JM |
1409 | return -1; |
1410 | } | |
1411 | return 0; | |
1412 | } | |
1413 | ||
cb80fada | 1414 | mmie = data + len - (8 + mic_len); |
bacc3128 | 1415 | keyid = WPA_GET_LE16(mmie); |
f3b9ed70 | 1416 | if (keyid & 0xf000) { |
e4d99217 JM |
1417 | add_note(wt, MSG_INFO, "MMIE KeyID reserved bits not zero " |
1418 | "(%04x) from " MACSTR, keyid, MAC2STR(mgmt->sa)); | |
f3b9ed70 JM |
1419 | keyid &= 0x0fff; |
1420 | } | |
bacc3128 | 1421 | if (keyid < 4 || keyid > 5) { |
e4d99217 JM |
1422 | add_note(wt, MSG_INFO, "Unexpected MMIE KeyID %u from " MACSTR, |
1423 | keyid, MAC2STR(mgmt->sa)); | |
6d5ce9fc | 1424 | bss->counters[WLANTEST_BSS_COUNTER_INVALID_BIP_MMIE]++; |
bacc3128 JM |
1425 | return 0; |
1426 | } | |
1427 | wpa_printf(MSG_DEBUG, "MMIE KeyID %u", keyid); | |
1428 | wpa_hexdump(MSG_MSGDUMP, "MMIE IPN", mmie + 2, 6); | |
cb80fada | 1429 | wpa_hexdump(MSG_MSGDUMP, "MMIE MIC", mmie + 8, mic_len); |
bacc3128 | 1430 | |
cb80fada | 1431 | if (!bss->igtk_len[keyid]) { |
e4d99217 | 1432 | add_note(wt, MSG_DEBUG, "No IGTK known to validate BIP frame"); |
bacc3128 JM |
1433 | return 0; |
1434 | } | |
1435 | ||
4d4c2915 | 1436 | if (os_memcmp(mmie + 2, bss->ipn[keyid], 6) <= 0) { |
e4d99217 JM |
1437 | add_note(wt, MSG_INFO, "BIP replay detected: SA=" MACSTR, |
1438 | MAC2STR(mgmt->sa)); | |
bacc3128 JM |
1439 | wpa_hexdump(MSG_INFO, "RX IPN", mmie + 2, 6); |
1440 | wpa_hexdump(MSG_INFO, "Last RX IPN", bss->ipn[keyid], 6); | |
1441 | } | |
1442 | ||
0e1aa64d JM |
1443 | if (check_mmie_mic(bss->mgmt_group_cipher, bss->igtk[keyid], |
1444 | bss->igtk_len[keyid], data, len) < 0) { | |
e4d99217 JM |
1445 | add_note(wt, MSG_INFO, "Invalid MMIE MIC in a frame from " |
1446 | MACSTR, MAC2STR(mgmt->sa)); | |
6d5ce9fc | 1447 | bss->counters[WLANTEST_BSS_COUNTER_INVALID_BIP_MMIE]++; |
bacc3128 JM |
1448 | return -1; |
1449 | } | |
1450 | ||
e4d99217 | 1451 | add_note(wt, MSG_DEBUG, "Valid MMIE MIC"); |
bacc3128 | 1452 | os_memcpy(bss->ipn[keyid], mmie + 2, 6); |
6d5ce9fc | 1453 | bss->counters[WLANTEST_BSS_COUNTER_VALID_BIP_MMIE]++; |
bacc3128 | 1454 | |
783a082c JM |
1455 | if (stype == WLAN_FC_STYPE_DEAUTH) |
1456 | bss->counters[WLANTEST_BSS_COUNTER_BIP_DEAUTH]++; | |
1457 | else if (stype == WLAN_FC_STYPE_DISASSOC) | |
1458 | bss->counters[WLANTEST_BSS_COUNTER_BIP_DISASSOC]++; | |
1459 | ||
bacc3128 JM |
1460 | return 0; |
1461 | } | |
1462 | ||
1463 | ||
47fe6880 JM |
1464 | static u8 * mgmt_ccmp_decrypt(struct wlantest *wt, const u8 *data, size_t len, |
1465 | size_t *dlen) | |
1466 | { | |
1467 | struct wlantest_bss *bss; | |
1468 | struct wlantest_sta *sta; | |
1469 | const struct ieee80211_hdr *hdr; | |
1470 | int keyid; | |
42e79f82 | 1471 | u8 *decrypted, *frame = NULL; |
47fe6880 JM |
1472 | u8 pn[6], *rsc; |
1473 | ||
1474 | hdr = (const struct ieee80211_hdr *) data; | |
1475 | bss = bss_get(wt, hdr->addr3); | |
1476 | if (bss == NULL) | |
1477 | return NULL; | |
1478 | if (os_memcmp(hdr->addr1, hdr->addr3, ETH_ALEN) == 0) | |
1479 | sta = sta_get(bss, hdr->addr2); | |
1480 | else | |
1481 | sta = sta_get(bss, hdr->addr1); | |
1482 | if (sta == NULL || !sta->ptk_set) { | |
e4d99217 | 1483 | add_note(wt, MSG_MSGDUMP, "No PTK known to decrypt the frame"); |
47fe6880 JM |
1484 | return NULL; |
1485 | } | |
1486 | ||
20062114 JM |
1487 | if (len < 24 + 4) |
1488 | return NULL; | |
1489 | ||
1490 | if (!(data[24 + 3] & 0x20)) { | |
e4d99217 JM |
1491 | add_note(wt, MSG_INFO, "Expected CCMP frame from " MACSTR |
1492 | " did not have ExtIV bit set to 1", | |
1493 | MAC2STR(hdr->addr2)); | |
20062114 JM |
1494 | return NULL; |
1495 | } | |
1496 | ||
16b8b6ea | 1497 | if (data[24 + 2] != 0 || (data[24 + 3] & 0x1f) != 0) { |
e4d99217 JM |
1498 | add_note(wt, MSG_INFO, "CCMP mgmt frame from " MACSTR " used " |
1499 | "non-zero reserved bit", MAC2STR(hdr->addr2)); | |
16b8b6ea JM |
1500 | } |
1501 | ||
20062114 | 1502 | keyid = data[24 + 3] >> 6; |
47fe6880 | 1503 | if (keyid != 0) { |
e4d99217 JM |
1504 | add_note(wt, MSG_INFO, "Unexpected non-zero KeyID %d in " |
1505 | "individually addressed Management frame from " | |
1506 | MACSTR, keyid, MAC2STR(hdr->addr2)); | |
47fe6880 JM |
1507 | } |
1508 | ||
1509 | if (os_memcmp(hdr->addr1, hdr->addr3, ETH_ALEN) == 0) | |
1510 | rsc = sta->rsc_tods[16]; | |
1511 | else | |
1512 | rsc = sta->rsc_fromds[16]; | |
1513 | ||
30febd70 | 1514 | ccmp_get_pn(pn, data + 24); |
47fe6880 | 1515 | if (os_memcmp(pn, rsc, 6) <= 0) { |
01b397dd | 1516 | u16 seq_ctrl = le_to_host16(hdr->seq_ctrl); |
e4d99217 | 1517 | add_note(wt, MSG_INFO, "CCMP/TKIP replay detected: A1=" MACSTR |
3a3cb8ee | 1518 | " A2=" MACSTR " A3=" MACSTR " seq=%u frag=%u%s", |
e4d99217 JM |
1519 | MAC2STR(hdr->addr1), MAC2STR(hdr->addr2), |
1520 | MAC2STR(hdr->addr3), | |
1521 | WLAN_GET_SEQ_SEQ(seq_ctrl), | |
3a3cb8ee AKP |
1522 | WLAN_GET_SEQ_FRAG(seq_ctrl), |
1523 | (le_to_host16(hdr->frame_control) & WLAN_FC_RETRY) ? | |
1524 | " Retry" : ""); | |
47fe6880 JM |
1525 | wpa_hexdump(MSG_INFO, "RX PN", pn, 6); |
1526 | wpa_hexdump(MSG_INFO, "RSC", rsc, 6); | |
1527 | } | |
1528 | ||
98cd3d1c | 1529 | decrypted = ccmp_decrypt(sta->ptk.tk, hdr, data + 24, len - 24, dlen); |
42e79f82 | 1530 | if (decrypted) { |
47fe6880 | 1531 | os_memcpy(rsc, pn, 6); |
42e79f82 JM |
1532 | frame = os_malloc(24 + *dlen); |
1533 | if (frame) { | |
1534 | os_memcpy(frame, data, 24); | |
1535 | os_memcpy(frame + 24, decrypted, *dlen); | |
1536 | *dlen += 24; | |
1537 | } | |
b3c43c3c JM |
1538 | } else { |
1539 | /* Assume the frame was corrupted and there was no FCS to check. | |
1540 | * Allow retry of this particular frame to be processed so that | |
1541 | * it could end up getting decrypted if it was received without | |
1542 | * corruption. */ | |
1543 | sta->allow_duplicate = 1; | |
47fe6880 JM |
1544 | } |
1545 | ||
1546 | os_free(decrypted); | |
1547 | ||
1548 | return frame; | |
1549 | } | |
1550 | ||
1551 | ||
2102ecf0 JM |
1552 | static int check_mgmt_ccmp(struct wlantest *wt, const u8 *data, size_t len) |
1553 | { | |
1554 | const struct ieee80211_mgmt *mgmt; | |
1555 | u16 fc; | |
1556 | struct wlantest_bss *bss; | |
1557 | struct wlantest_sta *sta; | |
1558 | ||
1559 | mgmt = (const struct ieee80211_mgmt *) data; | |
1560 | fc = le_to_host16(mgmt->frame_control); | |
1561 | ||
1562 | if (WLAN_FC_GET_STYPE(fc) == WLAN_FC_STYPE_ACTION) { | |
1563 | if (len > 24 && | |
1564 | mgmt->u.action.category == WLAN_ACTION_PUBLIC) | |
1565 | return 0; /* Not a robust management frame */ | |
1566 | } | |
1567 | ||
1568 | bss = bss_get(wt, mgmt->bssid); | |
1569 | if (bss == NULL) | |
1570 | return 0; | |
1571 | if (os_memcmp(mgmt->da, mgmt->bssid, ETH_ALEN) == 0) | |
1572 | sta = sta_get(bss, mgmt->sa); | |
1573 | else | |
1574 | sta = sta_get(bss, mgmt->da); | |
1575 | if (sta == NULL) | |
1576 | return 0; | |
1577 | ||
f665867b JM |
1578 | if ((sta->rsn_capab & WPA_CAPABILITY_MFPC) && |
1579 | (sta->state == STATE3 || | |
1580 | WLAN_FC_GET_STYPE(fc) == WLAN_FC_STYPE_ACTION)) { | |
e4d99217 JM |
1581 | add_note(wt, MSG_INFO, "Robust individually-addressed " |
1582 | "management frame sent without CCMP by " | |
1583 | MACSTR, MAC2STR(mgmt->sa)); | |
2102ecf0 JM |
1584 | return -1; |
1585 | } | |
1586 | ||
1587 | return 0; | |
1588 | } | |
1589 | ||
1590 | ||
2d73f0a8 JM |
1591 | void rx_mgmt(struct wlantest *wt, const u8 *data, size_t len) |
1592 | { | |
1593 | const struct ieee80211_hdr *hdr; | |
1594 | u16 fc, stype; | |
47fe6880 JM |
1595 | int valid = 1; |
1596 | u8 *decrypted = NULL; | |
1597 | size_t dlen; | |
2d73f0a8 JM |
1598 | |
1599 | if (len < 24) | |
1600 | return; | |
1601 | ||
1602 | hdr = (const struct ieee80211_hdr *) data; | |
1603 | fc = le_to_host16(hdr->frame_control); | |
1604 | wt->rx_mgmt++; | |
1605 | stype = WLAN_FC_GET_STYPE(fc); | |
1606 | ||
bacc3128 JM |
1607 | if ((hdr->addr1[0] & 0x01) && |
1608 | (stype == WLAN_FC_STYPE_DEAUTH || | |
1609 | stype == WLAN_FC_STYPE_DISASSOC || | |
2102ecf0 JM |
1610 | stype == WLAN_FC_STYPE_ACTION)) { |
1611 | if (check_bip(wt, data, len) < 0) | |
1612 | valid = 0; | |
1613 | } | |
bacc3128 | 1614 | |
2d73f0a8 JM |
1615 | wpa_printf((stype == WLAN_FC_STYPE_BEACON || |
1616 | stype == WLAN_FC_STYPE_PROBE_RESP || | |
1617 | stype == WLAN_FC_STYPE_PROBE_REQ) ? | |
1618 | MSG_EXCESSIVE : MSG_MSGDUMP, | |
1619 | "MGMT %s%s%s DA=" MACSTR " SA=" MACSTR " BSSID=" MACSTR, | |
1620 | mgmt_stype(stype), | |
1621 | fc & WLAN_FC_PWRMGT ? " PwrMgt" : "", | |
1622 | fc & WLAN_FC_ISWEP ? " Prot" : "", | |
1623 | MAC2STR(hdr->addr1), MAC2STR(hdr->addr2), | |
1624 | MAC2STR(hdr->addr3)); | |
1625 | ||
47fe6880 JM |
1626 | if ((fc & WLAN_FC_ISWEP) && |
1627 | !(hdr->addr1[0] & 0x01) && | |
1628 | (stype == WLAN_FC_STYPE_DEAUTH || | |
1629 | stype == WLAN_FC_STYPE_DISASSOC || | |
1630 | stype == WLAN_FC_STYPE_ACTION)) { | |
1631 | decrypted = mgmt_ccmp_decrypt(wt, data, len, &dlen); | |
1632 | if (decrypted) { | |
64f45d07 | 1633 | write_pcap_decrypted(wt, decrypted, dlen, NULL, 0); |
47fe6880 JM |
1634 | data = decrypted; |
1635 | len = dlen; | |
1636 | } else | |
1637 | valid = 0; | |
1638 | } | |
1639 | ||
2102ecf0 JM |
1640 | if (!(fc & WLAN_FC_ISWEP) && |
1641 | !(hdr->addr1[0] & 0x01) && | |
1642 | (stype == WLAN_FC_STYPE_DEAUTH || | |
1643 | stype == WLAN_FC_STYPE_DISASSOC || | |
1644 | stype == WLAN_FC_STYPE_ACTION)) { | |
1645 | if (check_mgmt_ccmp(wt, data, len) < 0) | |
1646 | valid = 0; | |
1647 | } | |
47fe6880 | 1648 | |
2d73f0a8 JM |
1649 | switch (stype) { |
1650 | case WLAN_FC_STYPE_BEACON: | |
1651 | rx_mgmt_beacon(wt, data, len); | |
1652 | break; | |
1653 | case WLAN_FC_STYPE_PROBE_RESP: | |
1654 | rx_mgmt_probe_resp(wt, data, len); | |
1655 | break; | |
1656 | case WLAN_FC_STYPE_AUTH: | |
1657 | rx_mgmt_auth(wt, data, len); | |
1658 | break; | |
1659 | case WLAN_FC_STYPE_DEAUTH: | |
47fe6880 | 1660 | rx_mgmt_deauth(wt, data, len, valid); |
2d73f0a8 JM |
1661 | break; |
1662 | case WLAN_FC_STYPE_ASSOC_REQ: | |
1663 | rx_mgmt_assoc_req(wt, data, len); | |
1664 | break; | |
1665 | case WLAN_FC_STYPE_ASSOC_RESP: | |
1666 | rx_mgmt_assoc_resp(wt, data, len); | |
1667 | break; | |
1668 | case WLAN_FC_STYPE_REASSOC_REQ: | |
1669 | rx_mgmt_reassoc_req(wt, data, len); | |
1670 | break; | |
1671 | case WLAN_FC_STYPE_REASSOC_RESP: | |
1672 | rx_mgmt_reassoc_resp(wt, data, len); | |
1673 | break; | |
1674 | case WLAN_FC_STYPE_DISASSOC: | |
47fe6880 | 1675 | rx_mgmt_disassoc(wt, data, len, valid); |
2d73f0a8 | 1676 | break; |
0819b65b | 1677 | case WLAN_FC_STYPE_ACTION: |
2102ecf0 | 1678 | rx_mgmt_action(wt, data, len, valid); |
0819b65b | 1679 | break; |
2d73f0a8 | 1680 | } |
47fe6880 JM |
1681 | |
1682 | os_free(decrypted); | |
fb8f5fc6 JM |
1683 | |
1684 | wt->last_mgmt_valid = valid; | |
1685 | } | |
1686 | ||
1687 | ||
1688 | static void rx_mgmt_deauth_ack(struct wlantest *wt, | |
1689 | const struct ieee80211_hdr *hdr) | |
1690 | { | |
1691 | const struct ieee80211_mgmt *mgmt; | |
1692 | struct wlantest_bss *bss; | |
1693 | struct wlantest_sta *sta; | |
1694 | ||
1695 | mgmt = (const struct ieee80211_mgmt *) hdr; | |
1696 | bss = bss_get(wt, mgmt->bssid); | |
1697 | if (bss == NULL) | |
1698 | return; | |
1699 | if (os_memcmp(mgmt->sa, mgmt->bssid, ETH_ALEN) == 0) | |
1700 | sta = sta_get(bss, mgmt->da); | |
1701 | else | |
1702 | sta = sta_get(bss, mgmt->sa); | |
1703 | if (sta == NULL) | |
1704 | return; | |
1705 | ||
e4d99217 JM |
1706 | add_note(wt, MSG_DEBUG, "DEAUTH from " MACSTR " acknowledged by " |
1707 | MACSTR, MAC2STR(mgmt->sa), MAC2STR(mgmt->da)); | |
fb8f5fc6 JM |
1708 | if (os_memcmp(mgmt->sa, mgmt->bssid, ETH_ALEN) == 0) { |
1709 | int c; | |
1710 | c = wt->last_mgmt_valid ? | |
1711 | WLANTEST_STA_COUNTER_VALID_DEAUTH_RX_ACK : | |
1712 | WLANTEST_STA_COUNTER_INVALID_DEAUTH_RX_ACK; | |
1713 | sta->counters[c]++; | |
1714 | } | |
1715 | } | |
1716 | ||
1717 | ||
1718 | static void rx_mgmt_disassoc_ack(struct wlantest *wt, | |
1719 | const struct ieee80211_hdr *hdr) | |
1720 | { | |
1721 | const struct ieee80211_mgmt *mgmt; | |
1722 | struct wlantest_bss *bss; | |
1723 | struct wlantest_sta *sta; | |
1724 | ||
1725 | mgmt = (const struct ieee80211_mgmt *) hdr; | |
1726 | bss = bss_get(wt, mgmt->bssid); | |
1727 | if (bss == NULL) | |
1728 | return; | |
1729 | if (os_memcmp(mgmt->sa, mgmt->bssid, ETH_ALEN) == 0) | |
1730 | sta = sta_get(bss, mgmt->da); | |
1731 | else | |
1732 | sta = sta_get(bss, mgmt->sa); | |
1733 | if (sta == NULL) | |
1734 | return; | |
1735 | ||
e4d99217 JM |
1736 | add_note(wt, MSG_DEBUG, "DISASSOC from " MACSTR " acknowledged by " |
1737 | MACSTR, MAC2STR(mgmt->sa), MAC2STR(mgmt->da)); | |
fb8f5fc6 JM |
1738 | if (os_memcmp(mgmt->sa, mgmt->bssid, ETH_ALEN) == 0) { |
1739 | int c; | |
1740 | c = wt->last_mgmt_valid ? | |
1741 | WLANTEST_STA_COUNTER_VALID_DISASSOC_RX_ACK : | |
1742 | WLANTEST_STA_COUNTER_INVALID_DISASSOC_RX_ACK; | |
1743 | sta->counters[c]++; | |
1744 | } | |
1745 | } | |
1746 | ||
1747 | ||
1748 | void rx_mgmt_ack(struct wlantest *wt, const struct ieee80211_hdr *hdr) | |
1749 | { | |
1750 | u16 fc, stype; | |
1751 | fc = le_to_host16(hdr->frame_control); | |
1752 | stype = WLAN_FC_GET_STYPE(fc); | |
1753 | ||
1754 | wpa_printf(MSG_MSGDUMP, "MGMT ACK: stype=%u a1=" MACSTR " a2=" MACSTR | |
1755 | " a3=" MACSTR, | |
1756 | stype, MAC2STR(hdr->addr1), MAC2STR(hdr->addr2), | |
1757 | MAC2STR(hdr->addr3)); | |
1758 | ||
1759 | switch (stype) { | |
1760 | case WLAN_FC_STYPE_DEAUTH: | |
1761 | rx_mgmt_deauth_ack(wt, hdr); | |
1762 | break; | |
1763 | case WLAN_FC_STYPE_DISASSOC: | |
1764 | rx_mgmt_disassoc_ack(wt, hdr); | |
1765 | break; | |
1766 | } | |
2d73f0a8 | 1767 | } |