]> git.ipfire.org Git - thirdparty/hostap.git/blob - wlantest/rx_data.c
wlantest: Remove duplicate PN/RSC prints from replay cases
[thirdparty/hostap.git] / wlantest / rx_data.c
1 /*
2 * Received Data frame processing
3 * Copyright (c) 2010-2015, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9 #include "utils/includes.h"
10
11 #include "utils/common.h"
12 #include "common/defs.h"
13 #include "common/ieee802_11_defs.h"
14 #include "wlantest.h"
15
16
17 static const char * data_stype(u16 stype)
18 {
19 switch (stype) {
20 case WLAN_FC_STYPE_DATA:
21 return "DATA";
22 case WLAN_FC_STYPE_DATA_CFACK:
23 return "DATA-CFACK";
24 case WLAN_FC_STYPE_DATA_CFPOLL:
25 return "DATA-CFPOLL";
26 case WLAN_FC_STYPE_DATA_CFACKPOLL:
27 return "DATA-CFACKPOLL";
28 case WLAN_FC_STYPE_NULLFUNC:
29 return "NULLFUNC";
30 case WLAN_FC_STYPE_CFACK:
31 return "CFACK";
32 case WLAN_FC_STYPE_CFPOLL:
33 return "CFPOLL";
34 case WLAN_FC_STYPE_CFACKPOLL:
35 return "CFACKPOLL";
36 case WLAN_FC_STYPE_QOS_DATA:
37 return "QOSDATA";
38 case WLAN_FC_STYPE_QOS_DATA_CFACK:
39 return "QOSDATA-CFACK";
40 case WLAN_FC_STYPE_QOS_DATA_CFPOLL:
41 return "QOSDATA-CFPOLL";
42 case WLAN_FC_STYPE_QOS_DATA_CFACKPOLL:
43 return "QOSDATA-CFACKPOLL";
44 case WLAN_FC_STYPE_QOS_NULL:
45 return "QOS-NULL";
46 case WLAN_FC_STYPE_QOS_CFPOLL:
47 return "QOS-CFPOLL";
48 case WLAN_FC_STYPE_QOS_CFACKPOLL:
49 return "QOS-CFACKPOLL";
50 }
51 return "??";
52 }
53
54
55 static void rx_data_eth(struct wlantest *wt, const u8 *bssid,
56 const u8 *sta_addr, const u8 *dst, const u8 *src,
57 u16 ethertype, const u8 *data, size_t len, int prot,
58 const u8 *peer_addr);
59
60 static void rx_data_vlan(struct wlantest *wt, const u8 *bssid,
61 const u8 *sta_addr, const u8 *dst, const u8 *src,
62 const u8 *data, size_t len, int prot,
63 const u8 *peer_addr)
64 {
65 u16 tag;
66
67 if (len < 4)
68 return;
69 tag = WPA_GET_BE16(data);
70 wpa_printf(MSG_MSGDUMP, "VLAN tag: Priority=%u ID=%u",
71 tag >> 12, tag & 0x0ffff);
72 /* ignore VLAN information and process the original frame */
73 rx_data_eth(wt, bssid, sta_addr, dst, src, WPA_GET_BE16(data + 2),
74 data + 4, len - 4, prot, peer_addr);
75 }
76
77
78 static void rx_data_eth(struct wlantest *wt, const u8 *bssid,
79 const u8 *sta_addr, const u8 *dst, const u8 *src,
80 u16 ethertype, const u8 *data, size_t len, int prot,
81 const u8 *peer_addr)
82 {
83 switch (ethertype) {
84 case ETH_P_PAE:
85 rx_data_eapol(wt, bssid, sta_addr, dst, src, data, len, prot);
86 break;
87 case ETH_P_IP:
88 rx_data_ip(wt, bssid, sta_addr, dst, src, data, len,
89 peer_addr);
90 break;
91 case 0x890d:
92 rx_data_80211_encap(wt, bssid, sta_addr, dst, src, data, len);
93 break;
94 case ETH_P_8021Q:
95 rx_data_vlan(wt, bssid, sta_addr, dst, src, data, len, prot,
96 peer_addr);
97 break;
98 }
99 }
100
101
102 static void rx_data_process(struct wlantest *wt, const u8 *bssid,
103 const u8 *sta_addr,
104 const u8 *dst, const u8 *src,
105 const u8 *data, size_t len, int prot,
106 const u8 *peer_addr)
107 {
108 if (len == 0)
109 return;
110
111 if (len >= 8 && os_memcmp(data, "\xaa\xaa\x03\x00\x00\x00", 6) == 0) {
112 rx_data_eth(wt, bssid, sta_addr, dst, src,
113 WPA_GET_BE16(data + 6), data + 8, len - 8, prot,
114 peer_addr);
115 return;
116 }
117
118 wpa_hexdump(MSG_DEBUG, "Unrecognized LLC", data, len > 8 ? 8 : len);
119 }
120
121
122 static void write_decrypted_note(struct wlantest *wt, const u8 *decrypted,
123 const u8 *tk, size_t tk_len, int keyid)
124 {
125 char tk_hex[65];
126
127 if (!decrypted)
128 return;
129
130 wpa_snprintf_hex(tk_hex, sizeof(tk_hex), tk, tk_len);
131 add_note(wt, MSG_EXCESSIVE, "TK[%d] %s", keyid, tk_hex);
132 }
133
134
135 static u8 * try_ptk(int pairwise_cipher, struct wpa_ptk *ptk,
136 const struct ieee80211_hdr *hdr,
137 const u8 *data, size_t data_len, size_t *decrypted_len)
138 {
139 u8 *decrypted;
140 unsigned int tk_len = ptk->tk_len;
141
142 decrypted = NULL;
143 if ((pairwise_cipher == WPA_CIPHER_CCMP ||
144 pairwise_cipher == 0) && tk_len == 16) {
145 decrypted = ccmp_decrypt(ptk->tk, hdr, data,
146 data_len, decrypted_len);
147 } else if ((pairwise_cipher == WPA_CIPHER_CCMP_256 ||
148 pairwise_cipher == 0) && tk_len == 32) {
149 decrypted = ccmp_256_decrypt(ptk->tk, hdr, data,
150 data_len, decrypted_len);
151 } else if ((pairwise_cipher == WPA_CIPHER_GCMP ||
152 pairwise_cipher == WPA_CIPHER_GCMP_256 ||
153 pairwise_cipher == 0) &&
154 (tk_len == 16 || tk_len == 32)) {
155 decrypted = gcmp_decrypt(ptk->tk, tk_len, hdr,
156 data, data_len, decrypted_len);
157 } else if ((pairwise_cipher == WPA_CIPHER_TKIP ||
158 pairwise_cipher == 0) && tk_len == 32) {
159 decrypted = tkip_decrypt(ptk->tk, hdr, data, data_len,
160 decrypted_len);
161 }
162
163 return decrypted;
164 }
165
166
167 static u8 * try_all_ptk(struct wlantest *wt, int pairwise_cipher,
168 const struct ieee80211_hdr *hdr, int keyid,
169 const u8 *data, size_t data_len, size_t *decrypted_len)
170 {
171 struct wlantest_ptk *ptk;
172 u8 *decrypted;
173 int prev_level = wpa_debug_level;
174
175 wpa_debug_level = MSG_WARNING;
176 dl_list_for_each(ptk, &wt->ptk, struct wlantest_ptk, list) {
177 decrypted = try_ptk(pairwise_cipher, &ptk->ptk, hdr,
178 data, data_len, decrypted_len);
179 if (decrypted) {
180 wpa_debug_level = prev_level;
181 add_note(wt, MSG_DEBUG,
182 "Found PTK match from list of all known PTKs");
183 write_decrypted_note(wt, decrypted, ptk->ptk.tk,
184 ptk->ptk.tk_len, keyid);
185 return decrypted;
186 }
187 }
188 wpa_debug_level = prev_level;
189
190 return NULL;
191 }
192
193
194 static void check_plaintext_prot(struct wlantest *wt,
195 const struct ieee80211_hdr *hdr,
196 const u8 *data, size_t len)
197 {
198 if (len < 8 + 3 || data[8] != 0xaa || data[9] != 0xaa ||
199 data[10] != 0x03)
200 return;
201
202 add_note(wt, MSG_DEBUG,
203 "Plaintext payload in protected frame");
204 wpa_printf(MSG_INFO, "Plaintext payload in protected frame #%u: A2="
205 MACSTR " seq=%u",
206 wt->frame_num, MAC2STR(hdr->addr2),
207 WLAN_GET_SEQ_SEQ(le_to_host16(hdr->seq_ctrl)));
208 }
209
210
211 static void rx_data_bss_prot_group(struct wlantest *wt,
212 const struct ieee80211_hdr *hdr,
213 size_t hdrlen,
214 const u8 *qos, const u8 *dst, const u8 *src,
215 const u8 *data, size_t len)
216 {
217 struct wlantest_bss *bss;
218 int keyid;
219 u8 *decrypted = NULL;
220 size_t dlen;
221 u8 pn[6];
222 int replay = 0;
223
224 bss = bss_get(wt, hdr->addr2);
225 if (bss == NULL)
226 return;
227 if (len < 4) {
228 add_note(wt, MSG_INFO, "Too short group addressed data frame");
229 return;
230 }
231
232 if (bss->group_cipher & (WPA_CIPHER_TKIP | WPA_CIPHER_CCMP) &&
233 !(data[3] & 0x20)) {
234 add_note(wt, MSG_INFO, "Expected TKIP/CCMP frame from "
235 MACSTR " did not have ExtIV bit set to 1",
236 MAC2STR(bss->bssid));
237 return;
238 }
239
240 if (bss->group_cipher == WPA_CIPHER_TKIP) {
241 if (data[3] & 0x1f) {
242 add_note(wt, MSG_INFO, "TKIP frame from " MACSTR
243 " used non-zero reserved bit",
244 MAC2STR(bss->bssid));
245 }
246 if (data[1] != ((data[0] | 0x20) & 0x7f)) {
247 add_note(wt, MSG_INFO, "TKIP frame from " MACSTR
248 " used incorrect WEPSeed[1] (was 0x%x, "
249 "expected 0x%x)",
250 MAC2STR(bss->bssid), data[1],
251 (data[0] | 0x20) & 0x7f);
252 }
253 } else if (bss->group_cipher == WPA_CIPHER_CCMP) {
254 if (data[2] != 0 || (data[3] & 0x1f) != 0) {
255 add_note(wt, MSG_INFO, "CCMP frame from " MACSTR
256 " used non-zero reserved bit",
257 MAC2STR(bss->bssid));
258 }
259 }
260
261 check_plaintext_prot(wt, hdr, data, len);
262 keyid = data[3] >> 6;
263 if (bss->gtk_len[keyid] == 0 &&
264 (bss->group_cipher != WPA_CIPHER_WEP40 ||
265 dl_list_empty(&wt->wep))) {
266 add_note(wt, MSG_MSGDUMP, "No GTK known to decrypt the frame "
267 "(A2=" MACSTR " KeyID=%d)",
268 MAC2STR(hdr->addr2), keyid);
269 return;
270 }
271
272 if (bss->group_cipher == WPA_CIPHER_TKIP)
273 tkip_get_pn(pn, data);
274 else if (bss->group_cipher == WPA_CIPHER_WEP40)
275 goto skip_replay_det;
276 else
277 ccmp_get_pn(pn, data);
278 if (os_memcmp(pn, bss->rsc[keyid], 6) <= 0) {
279 u16 seq_ctrl = le_to_host16(hdr->seq_ctrl);
280 char pn_hex[6 * 2 + 1], rsc_hex[6 * 2 + 1];
281
282 wpa_snprintf_hex(pn_hex, sizeof(pn_hex), pn, 6);
283 wpa_snprintf_hex(rsc_hex, sizeof(rsc_hex), bss->rsc[keyid], 6);
284 add_note(wt, MSG_INFO, "replay detected: A1=" MACSTR
285 " A2=" MACSTR " A3=" MACSTR
286 " seq=%u frag=%u%s keyid=%d %s<=%s",
287 MAC2STR(hdr->addr1), MAC2STR(hdr->addr2),
288 MAC2STR(hdr->addr3),
289 WLAN_GET_SEQ_SEQ(seq_ctrl),
290 WLAN_GET_SEQ_FRAG(seq_ctrl),
291 (le_to_host16(hdr->frame_control) & WLAN_FC_RETRY) ?
292 " Retry" : "",
293 keyid, pn_hex, rsc_hex);
294 replay = 1;
295 }
296
297 skip_replay_det:
298 if (bss->group_cipher == WPA_CIPHER_TKIP)
299 decrypted = tkip_decrypt(bss->gtk[keyid], hdr, data, len,
300 &dlen);
301 else if (bss->group_cipher == WPA_CIPHER_WEP40)
302 decrypted = wep_decrypt(wt, hdr, data, len, &dlen);
303 else if (bss->group_cipher == WPA_CIPHER_CCMP)
304 decrypted = ccmp_decrypt(bss->gtk[keyid], hdr, data, len,
305 &dlen);
306 else if (bss->group_cipher == WPA_CIPHER_CCMP_256)
307 decrypted = ccmp_256_decrypt(bss->gtk[keyid], hdr, data, len,
308 &dlen);
309 else if (bss->group_cipher == WPA_CIPHER_GCMP ||
310 bss->group_cipher == WPA_CIPHER_GCMP_256)
311 decrypted = gcmp_decrypt(bss->gtk[keyid], bss->gtk_len[keyid],
312 hdr, data, len, &dlen);
313
314 if (decrypted) {
315 char gtk[65];
316
317 wpa_snprintf_hex(gtk, sizeof(gtk), bss->gtk[keyid],
318 bss->gtk_len[keyid]);
319 add_note(wt, MSG_EXCESSIVE, "GTK[%d] %s", keyid, gtk);
320 rx_data_process(wt, bss->bssid, NULL, dst, src, decrypted,
321 dlen, 1, NULL);
322 if (!replay)
323 os_memcpy(bss->rsc[keyid], pn, 6);
324 write_pcap_decrypted(wt, (const u8 *) hdr, hdrlen,
325 decrypted, dlen);
326 } else {
327 wpa_printf(MSG_DEBUG, "Failed to decrypt frame (group) #%u A2="
328 MACSTR " seq=%u",
329 wt->frame_num, MAC2STR(hdr->addr2),
330 WLAN_GET_SEQ_SEQ(le_to_host16(hdr->seq_ctrl)));
331 add_note(wt, MSG_DEBUG, "Failed to decrypt frame (group)");
332 }
333 os_free(decrypted);
334 }
335
336
337 static u8 * try_ptk_decrypt(struct wlantest *wt, struct wlantest_sta *sta,
338 const struct ieee80211_hdr *hdr, int keyid,
339 const u8 *data, size_t len,
340 const u8 *tk, size_t tk_len, size_t *dlen)
341 {
342 u8 *decrypted = NULL;
343
344 if (sta->pairwise_cipher == WPA_CIPHER_CCMP_256)
345 decrypted = ccmp_256_decrypt(tk, hdr, data, len, dlen);
346 else if (sta->pairwise_cipher == WPA_CIPHER_GCMP ||
347 sta->pairwise_cipher == WPA_CIPHER_GCMP_256)
348 decrypted = gcmp_decrypt(tk, tk_len, hdr, data, len, dlen);
349 else
350 decrypted = ccmp_decrypt(tk, hdr, data, len, dlen);
351 write_decrypted_note(wt, decrypted, tk, tk_len, keyid);
352
353 return decrypted;
354 }
355
356
357 static void rx_data_bss_prot(struct wlantest *wt,
358 const struct ieee80211_hdr *hdr, size_t hdrlen,
359 const u8 *qos, const u8 *dst, const u8 *src,
360 const u8 *data, size_t len)
361 {
362 struct wlantest_bss *bss, *bss2;
363 struct wlantest_sta *sta, *sta2;
364 int keyid;
365 u16 fc = le_to_host16(hdr->frame_control);
366 u8 *decrypted = NULL;
367 size_t dlen;
368 int tid;
369 u8 pn[6], *rsc = NULL;
370 struct wlantest_tdls *tdls = NULL, *found;
371 const u8 *tk = NULL;
372 int ptk_iter_done = 0;
373 int try_ptk_iter = 0;
374 int replay = 0;
375 int only_zero_tk = 0;
376 u16 seq_ctrl = le_to_host16(hdr->seq_ctrl);
377
378 if (hdr->addr1[0] & 0x01) {
379 rx_data_bss_prot_group(wt, hdr, hdrlen, qos, dst, src,
380 data, len);
381 return;
382 }
383
384 if ((fc & (WLAN_FC_TODS | WLAN_FC_FROMDS)) ==
385 (WLAN_FC_TODS | WLAN_FC_FROMDS)) {
386 bss = bss_find(wt, hdr->addr1);
387 if (bss) {
388 sta = sta_find(bss, hdr->addr2);
389 if (sta) {
390 sta->counters[
391 WLANTEST_STA_COUNTER_PROT_DATA_TX]++;
392 }
393 if (!sta || !sta->ptk_set) {
394 bss2 = bss_find(wt, hdr->addr2);
395 if (bss2) {
396 sta2 = sta_find(bss2, hdr->addr1);
397 if (sta2 && (!sta || sta2->ptk_set)) {
398 bss = bss2;
399 sta = sta2;
400 }
401 }
402 }
403 } else {
404 bss = bss_find(wt, hdr->addr2);
405 if (!bss)
406 return;
407 sta = sta_find(bss, hdr->addr1);
408 }
409 } else if (fc & WLAN_FC_TODS) {
410 bss = bss_get(wt, hdr->addr1);
411 if (bss == NULL)
412 return;
413 sta = sta_get(bss, hdr->addr2);
414 if (sta)
415 sta->counters[WLANTEST_STA_COUNTER_PROT_DATA_TX]++;
416 } else if (fc & WLAN_FC_FROMDS) {
417 bss = bss_get(wt, hdr->addr2);
418 if (bss == NULL)
419 return;
420 sta = sta_get(bss, hdr->addr1);
421 } else {
422 bss = bss_get(wt, hdr->addr3);
423 if (bss == NULL)
424 return;
425 sta = sta_find(bss, hdr->addr2);
426 sta2 = sta_find(bss, hdr->addr1);
427 if (sta == NULL || sta2 == NULL)
428 return;
429 found = NULL;
430 dl_list_for_each(tdls, &bss->tdls, struct wlantest_tdls, list)
431 {
432 if ((tdls->init == sta && tdls->resp == sta2) ||
433 (tdls->init == sta2 && tdls->resp == sta)) {
434 found = tdls;
435 if (tdls->link_up)
436 break;
437 }
438 }
439 if (found) {
440 if (!found->link_up)
441 add_note(wt, MSG_DEBUG,
442 "TDLS: Link not up, but Data "
443 "frame seen");
444 tk = found->tpk.tk;
445 tdls = found;
446 }
447 }
448 check_plaintext_prot(wt, hdr, data, len);
449 if ((sta == NULL ||
450 (!sta->ptk_set && sta->pairwise_cipher != WPA_CIPHER_WEP40)) &&
451 tk == NULL) {
452 add_note(wt, MSG_MSGDUMP, "No PTK known to decrypt the frame");
453 if (dl_list_empty(&wt->ptk)) {
454 if (len >= 4 && sta) {
455 keyid = data[3] >> 6;
456 only_zero_tk = 1;
457 goto check_zero_tk;
458 }
459 return;
460 }
461
462 try_ptk_iter = 1;
463 }
464
465 if (len < 4) {
466 add_note(wt, MSG_INFO, "Too short encrypted data frame");
467 return;
468 }
469
470 if (sta == NULL)
471 return;
472 if (sta->pairwise_cipher & (WPA_CIPHER_TKIP | WPA_CIPHER_CCMP) &&
473 !(data[3] & 0x20)) {
474 add_note(wt, MSG_INFO, "Expected TKIP/CCMP frame from "
475 MACSTR " did not have ExtIV bit set to 1",
476 MAC2STR(src));
477 return;
478 }
479
480 if (tk == NULL && sta->pairwise_cipher == WPA_CIPHER_TKIP) {
481 if (data[3] & 0x1f) {
482 add_note(wt, MSG_INFO, "TKIP frame from " MACSTR
483 " used non-zero reserved bit",
484 MAC2STR(hdr->addr2));
485 }
486 if (data[1] != ((data[0] | 0x20) & 0x7f)) {
487 add_note(wt, MSG_INFO, "TKIP frame from " MACSTR
488 " used incorrect WEPSeed[1] (was 0x%x, "
489 "expected 0x%x)",
490 MAC2STR(hdr->addr2), data[1],
491 (data[0] | 0x20) & 0x7f);
492 }
493 } else if (tk || sta->pairwise_cipher == WPA_CIPHER_CCMP) {
494 if (data[2] != 0 || (data[3] & 0x1f) != 0) {
495 add_note(wt, MSG_INFO, "CCMP frame from " MACSTR
496 " used non-zero reserved bit",
497 MAC2STR(hdr->addr2));
498 }
499 }
500
501 keyid = data[3] >> 6;
502 if (keyid != 0 &&
503 (!(sta->rsn_capab & WPA_CAPABILITY_EXT_KEY_ID_FOR_UNICAST) ||
504 !(bss->rsn_capab & WPA_CAPABILITY_EXT_KEY_ID_FOR_UNICAST) ||
505 keyid != 1)) {
506 add_note(wt, MSG_INFO,
507 "Unexpected KeyID %d in individually addressed Data frame from "
508 MACSTR,
509 keyid, MAC2STR(hdr->addr2));
510 }
511
512 if (qos) {
513 tid = qos[0] & 0x0f;
514 if (fc & WLAN_FC_TODS)
515 sta->tx_tid[tid]++;
516 else
517 sta->rx_tid[tid]++;
518 } else {
519 tid = 0;
520 if (fc & WLAN_FC_TODS)
521 sta->tx_tid[16]++;
522 else
523 sta->rx_tid[16]++;
524 }
525 if (tk) {
526 if (os_memcmp(hdr->addr2, tdls->init->addr, ETH_ALEN) == 0)
527 rsc = tdls->rsc_init[tid];
528 else
529 rsc = tdls->rsc_resp[tid];
530 } else if ((fc & (WLAN_FC_TODS | WLAN_FC_FROMDS)) ==
531 (WLAN_FC_TODS | WLAN_FC_FROMDS)) {
532 if (os_memcmp(sta->addr, hdr->addr2, ETH_ALEN) == 0)
533 rsc = sta->rsc_tods[tid];
534 else
535 rsc = sta->rsc_fromds[tid];
536 } else if (fc & WLAN_FC_TODS)
537 rsc = sta->rsc_tods[tid];
538 else
539 rsc = sta->rsc_fromds[tid];
540
541
542 if (tk == NULL && sta->pairwise_cipher == WPA_CIPHER_TKIP)
543 tkip_get_pn(pn, data);
544 else if (sta->pairwise_cipher == WPA_CIPHER_WEP40)
545 goto skip_replay_det;
546 else
547 ccmp_get_pn(pn, data);
548 if (os_memcmp(pn, rsc, 6) <= 0) {
549 char pn_hex[6 * 2 + 1], rsc_hex[6 * 2 + 1];
550
551 wpa_snprintf_hex(pn_hex, sizeof(pn_hex), pn, 6);
552 wpa_snprintf_hex(rsc_hex, sizeof(rsc_hex), rsc, 6);
553 add_note(wt, MSG_INFO, "replay detected: A1=" MACSTR
554 " A2=" MACSTR " A3=" MACSTR
555 " seq=%u frag=%u%s keyid=%d tid=%d %s<=%s",
556 MAC2STR(hdr->addr1), MAC2STR(hdr->addr2),
557 MAC2STR(hdr->addr3),
558 WLAN_GET_SEQ_SEQ(seq_ctrl),
559 WLAN_GET_SEQ_FRAG(seq_ctrl),
560 (le_to_host16(hdr->frame_control) & WLAN_FC_RETRY) ?
561 " Retry" : "",
562 keyid, tid, pn_hex, rsc_hex);
563 replay = 1;
564 }
565
566 skip_replay_det:
567 if (tk) {
568 if (sta->pairwise_cipher == WPA_CIPHER_CCMP_256) {
569 decrypted = ccmp_256_decrypt(tk, hdr, data, len, &dlen);
570 write_decrypted_note(wt, decrypted, tk, 32, keyid);
571 } else if (sta->pairwise_cipher == WPA_CIPHER_GCMP ||
572 sta->pairwise_cipher == WPA_CIPHER_GCMP_256) {
573 decrypted = gcmp_decrypt(tk, sta->ptk.tk_len, hdr, data,
574 len, &dlen);
575 write_decrypted_note(wt, decrypted, tk, sta->ptk.tk_len,
576 keyid);
577 } else {
578 decrypted = ccmp_decrypt(tk, hdr, data, len, &dlen);
579 write_decrypted_note(wt, decrypted, tk, 16, keyid);
580 }
581 } else if (sta->pairwise_cipher == WPA_CIPHER_TKIP) {
582 decrypted = tkip_decrypt(sta->ptk.tk, hdr, data, len, &dlen);
583 write_decrypted_note(wt, decrypted, sta->ptk.tk, 32, keyid);
584 } else if (sta->pairwise_cipher == WPA_CIPHER_WEP40) {
585 decrypted = wep_decrypt(wt, hdr, data, len, &dlen);
586 } else if (sta->ptk_set) {
587 decrypted = try_ptk_decrypt(wt, sta, hdr, keyid, data, len,
588 sta->ptk.tk, sta->ptk.tk_len,
589 &dlen);
590 } else {
591 decrypted = try_all_ptk(wt, sta->pairwise_cipher, hdr, keyid,
592 data, len, &dlen);
593 ptk_iter_done = 1;
594 }
595 if (!decrypted && !ptk_iter_done) {
596 decrypted = try_all_ptk(wt, sta->pairwise_cipher, hdr, keyid,
597 data, len, &dlen);
598 if (decrypted) {
599 add_note(wt, MSG_DEBUG, "Current PTK did not work, but found a match from all known PTKs");
600 }
601 }
602 check_zero_tk:
603 if (!decrypted) {
604 struct wpa_ptk zero_ptk;
605 int old_debug_level = wpa_debug_level;
606
607 os_memset(&zero_ptk, 0, sizeof(zero_ptk));
608 zero_ptk.tk_len = wpa_cipher_key_len(sta->pairwise_cipher);
609 wpa_debug_level = MSG_ERROR;
610 decrypted = try_ptk(sta->pairwise_cipher, &zero_ptk, hdr,
611 data, len, &dlen);
612 wpa_debug_level = old_debug_level;
613 if (decrypted) {
614 add_note(wt, MSG_DEBUG,
615 "Frame was encrypted with zero TK");
616 wpa_printf(MSG_INFO, "Zero TK used in frame #%u: A2="
617 MACSTR " seq=%u",
618 wt->frame_num, MAC2STR(hdr->addr2),
619 WLAN_GET_SEQ_SEQ(
620 le_to_host16(hdr->seq_ctrl)));
621 write_decrypted_note(wt, decrypted, zero_ptk.tk,
622 zero_ptk.tk_len, keyid);
623 }
624 }
625 if (decrypted) {
626 u16 fc = le_to_host16(hdr->frame_control);
627 const u8 *peer_addr = NULL;
628 if (!(fc & (WLAN_FC_FROMDS | WLAN_FC_TODS)))
629 peer_addr = hdr->addr1;
630 if (!replay && rsc)
631 os_memcpy(rsc, pn, 6);
632 rx_data_process(wt, bss->bssid, sta->addr, dst, src, decrypted,
633 dlen, 1, peer_addr);
634 write_pcap_decrypted(wt, (const u8 *) hdr, hdrlen,
635 decrypted, dlen);
636 } else if (sta->tptk_set) {
637 /* Check whether TPTK has a matching TK that could be used to
638 * decrypt the frame. That could happen if EAPOL-Key msg 4/4
639 * was missing in the capture and this was PTK rekeying. */
640 decrypted = try_ptk_decrypt(wt, sta, hdr, keyid, data, len,
641 sta->tptk.tk, sta->tptk.tk_len,
642 &dlen);
643 if (decrypted) {
644 add_note(wt, MSG_DEBUG,
645 "Update PTK (rekeying; no valid EAPOL-Key msg 4/4 seen)");
646 os_memcpy(&sta->ptk, &sta->tptk, sizeof(sta->ptk));
647 sta->ptk_set = 1;
648 sta->tptk_set = 0;
649 os_memset(sta->rsc_tods, 0, sizeof(sta->rsc_tods));
650 os_memset(sta->rsc_fromds, 0, sizeof(sta->rsc_fromds));
651 }
652 } else {
653 if (!try_ptk_iter && !only_zero_tk) {
654 wpa_printf(MSG_DEBUG,
655 "Failed to decrypt frame #%u A2=" MACSTR
656 " seq=%u",
657 wt->frame_num, MAC2STR(hdr->addr2),
658 WLAN_GET_SEQ_SEQ(seq_ctrl));
659 add_note(wt, MSG_DEBUG, "Failed to decrypt frame");
660 }
661
662 /* Assume the frame was corrupted and there was no FCS to check.
663 * Allow retry of this particular frame to be processed so that
664 * it could end up getting decrypted if it was received without
665 * corruption. */
666 sta->allow_duplicate = 1;
667 }
668 os_free(decrypted);
669 }
670
671
672 static void rx_data_bss(struct wlantest *wt, const struct ieee80211_hdr *hdr,
673 size_t hdrlen, const u8 *qos, const u8 *dst,
674 const u8 *src, const u8 *data, size_t len)
675 {
676 u16 fc = le_to_host16(hdr->frame_control);
677 int prot = !!(fc & WLAN_FC_ISWEP);
678
679 if (qos) {
680 u8 ack = (qos[0] & 0x60) >> 5;
681 wpa_printf(MSG_MSGDUMP, "BSS DATA: " MACSTR " -> " MACSTR
682 " len=%u%s tid=%u%s%s",
683 MAC2STR(src), MAC2STR(dst), (unsigned int) len,
684 prot ? " Prot" : "", qos[0] & 0x0f,
685 (qos[0] & 0x10) ? " EOSP" : "",
686 ack == 0 ? "" :
687 (ack == 1 ? " NoAck" :
688 (ack == 2 ? " NoExpAck" : " BA")));
689 } else {
690 wpa_printf(MSG_MSGDUMP, "BSS DATA: " MACSTR " -> " MACSTR
691 " len=%u%s",
692 MAC2STR(src), MAC2STR(dst), (unsigned int) len,
693 prot ? " Prot" : "");
694 }
695
696 if (prot)
697 rx_data_bss_prot(wt, hdr, hdrlen, qos, dst, src, data, len);
698 else {
699 const u8 *bssid, *sta_addr, *peer_addr;
700 struct wlantest_bss *bss;
701
702 if (fc & WLAN_FC_TODS) {
703 bssid = hdr->addr1;
704 sta_addr = hdr->addr2;
705 peer_addr = NULL;
706 } else if (fc & WLAN_FC_FROMDS) {
707 bssid = hdr->addr2;
708 sta_addr = hdr->addr1;
709 peer_addr = NULL;
710 } else {
711 bssid = hdr->addr3;
712 sta_addr = hdr->addr2;
713 peer_addr = hdr->addr1;
714 }
715
716 bss = bss_get(wt, bssid);
717 if (bss) {
718 struct wlantest_sta *sta = sta_get(bss, sta_addr);
719
720 if (sta) {
721 if (qos) {
722 int tid = qos[0] & 0x0f;
723 if (fc & WLAN_FC_TODS)
724 sta->tx_tid[tid]++;
725 else
726 sta->rx_tid[tid]++;
727 } else {
728 if (fc & WLAN_FC_TODS)
729 sta->tx_tid[16]++;
730 else
731 sta->rx_tid[16]++;
732 }
733 }
734 }
735
736 rx_data_process(wt, bssid, sta_addr, dst, src, data, len, 0,
737 peer_addr);
738 }
739 }
740
741
742 static struct wlantest_tdls * get_tdls(struct wlantest *wt, const u8 *bssid,
743 const u8 *sta1_addr,
744 const u8 *sta2_addr)
745 {
746 struct wlantest_bss *bss;
747 struct wlantest_sta *sta1, *sta2;
748 struct wlantest_tdls *tdls, *found = NULL;
749
750 bss = bss_find(wt, bssid);
751 if (bss == NULL)
752 return NULL;
753 sta1 = sta_find(bss, sta1_addr);
754 if (sta1 == NULL)
755 return NULL;
756 sta2 = sta_find(bss, sta2_addr);
757 if (sta2 == NULL)
758 return NULL;
759
760 dl_list_for_each(tdls, &bss->tdls, struct wlantest_tdls, list) {
761 if ((tdls->init == sta1 && tdls->resp == sta2) ||
762 (tdls->init == sta2 && tdls->resp == sta1)) {
763 found = tdls;
764 if (tdls->link_up)
765 break;
766 }
767 }
768
769 return found;
770 }
771
772
773 static void add_direct_link(struct wlantest *wt, const u8 *bssid,
774 const u8 *sta1_addr, const u8 *sta2_addr)
775 {
776 struct wlantest_tdls *tdls;
777
778 tdls = get_tdls(wt, bssid, sta1_addr, sta2_addr);
779 if (tdls == NULL)
780 return;
781
782 if (tdls->link_up)
783 tdls->counters[WLANTEST_TDLS_COUNTER_VALID_DIRECT_LINK]++;
784 else
785 tdls->counters[WLANTEST_TDLS_COUNTER_INVALID_DIRECT_LINK]++;
786 }
787
788
789 static void add_ap_path(struct wlantest *wt, const u8 *bssid,
790 const u8 *sta1_addr, const u8 *sta2_addr)
791 {
792 struct wlantest_tdls *tdls;
793
794 tdls = get_tdls(wt, bssid, sta1_addr, sta2_addr);
795 if (tdls == NULL)
796 return;
797
798 if (tdls->link_up)
799 tdls->counters[WLANTEST_TDLS_COUNTER_INVALID_AP_PATH]++;
800 else
801 tdls->counters[WLANTEST_TDLS_COUNTER_VALID_AP_PATH]++;
802 }
803
804
805 void rx_data(struct wlantest *wt, const u8 *data, size_t len)
806 {
807 const struct ieee80211_hdr *hdr;
808 u16 fc, stype;
809 size_t hdrlen;
810 const u8 *qos = NULL;
811
812 if (len < 24)
813 return;
814
815 hdr = (const struct ieee80211_hdr *) data;
816 fc = le_to_host16(hdr->frame_control);
817 stype = WLAN_FC_GET_STYPE(fc);
818 hdrlen = 24;
819 if ((fc & (WLAN_FC_TODS | WLAN_FC_FROMDS)) ==
820 (WLAN_FC_TODS | WLAN_FC_FROMDS))
821 hdrlen += ETH_ALEN;
822 if (stype & 0x08) {
823 qos = data + hdrlen;
824 hdrlen += 2;
825 }
826 if (len < hdrlen)
827 return;
828 wt->rx_data++;
829
830 switch (fc & (WLAN_FC_TODS | WLAN_FC_FROMDS)) {
831 case 0:
832 wpa_printf(MSG_EXCESSIVE, "DATA %s%s%s IBSS DA=" MACSTR " SA="
833 MACSTR " BSSID=" MACSTR,
834 data_stype(WLAN_FC_GET_STYPE(fc)),
835 fc & WLAN_FC_PWRMGT ? " PwrMgt" : "",
836 fc & WLAN_FC_ISWEP ? " Prot" : "",
837 MAC2STR(hdr->addr1), MAC2STR(hdr->addr2),
838 MAC2STR(hdr->addr3));
839 add_direct_link(wt, hdr->addr3, hdr->addr1, hdr->addr2);
840 rx_data_bss(wt, hdr, hdrlen, qos, hdr->addr1, hdr->addr2,
841 data + hdrlen, len - hdrlen);
842 break;
843 case WLAN_FC_FROMDS:
844 wpa_printf(MSG_EXCESSIVE, "DATA %s%s%s FromDS DA=" MACSTR
845 " BSSID=" MACSTR " SA=" MACSTR,
846 data_stype(WLAN_FC_GET_STYPE(fc)),
847 fc & WLAN_FC_PWRMGT ? " PwrMgt" : "",
848 fc & WLAN_FC_ISWEP ? " Prot" : "",
849 MAC2STR(hdr->addr1), MAC2STR(hdr->addr2),
850 MAC2STR(hdr->addr3));
851 add_ap_path(wt, hdr->addr2, hdr->addr1, hdr->addr3);
852 rx_data_bss(wt, hdr, hdrlen, qos, hdr->addr1, hdr->addr3,
853 data + hdrlen, len - hdrlen);
854 break;
855 case WLAN_FC_TODS:
856 wpa_printf(MSG_EXCESSIVE, "DATA %s%s%s ToDS BSSID=" MACSTR
857 " SA=" MACSTR " DA=" MACSTR,
858 data_stype(WLAN_FC_GET_STYPE(fc)),
859 fc & WLAN_FC_PWRMGT ? " PwrMgt" : "",
860 fc & WLAN_FC_ISWEP ? " Prot" : "",
861 MAC2STR(hdr->addr1), MAC2STR(hdr->addr2),
862 MAC2STR(hdr->addr3));
863 add_ap_path(wt, hdr->addr1, hdr->addr3, hdr->addr2);
864 rx_data_bss(wt, hdr, hdrlen, qos, hdr->addr3, hdr->addr2,
865 data + hdrlen, len - hdrlen);
866 break;
867 case WLAN_FC_TODS | WLAN_FC_FROMDS:
868 wpa_printf(MSG_EXCESSIVE, "DATA %s%s%s WDS RA=" MACSTR " TA="
869 MACSTR " DA=" MACSTR " SA=" MACSTR,
870 data_stype(WLAN_FC_GET_STYPE(fc)),
871 fc & WLAN_FC_PWRMGT ? " PwrMgt" : "",
872 fc & WLAN_FC_ISWEP ? " Prot" : "",
873 MAC2STR(hdr->addr1), MAC2STR(hdr->addr2),
874 MAC2STR(hdr->addr3),
875 MAC2STR((const u8 *) (hdr + 1)));
876 rx_data_bss(wt, hdr, hdrlen, qos, hdr->addr1, hdr->addr2,
877 data + hdrlen, len - hdrlen);
878 break;
879 }
880 }