1 /* 2 * Received Data frame processing 3 * Copyright (c) 2010-2015, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "utils/includes.h" 10 11 #include "utils/common.h" 12 #include "common/defs.h" 13 #include "common/ieee802_11_defs.h" 14 #include "wlantest.h" 15 16 data_stype(u16 stype)17 static const char * data_stype(u16 stype) 18 { 19 switch (stype) { 20 case WLAN_FC_STYPE_DATA: 21 return "DATA"; 22 case WLAN_FC_STYPE_DATA_CFACK: 23 return "DATA-CFACK"; 24 case WLAN_FC_STYPE_DATA_CFPOLL: 25 return "DATA-CFPOLL"; 26 case WLAN_FC_STYPE_DATA_CFACKPOLL: 27 return "DATA-CFACKPOLL"; 28 case WLAN_FC_STYPE_NULLFUNC: 29 return "NULLFUNC"; 30 case WLAN_FC_STYPE_CFACK: 31 return "CFACK"; 32 case WLAN_FC_STYPE_CFPOLL: 33 return "CFPOLL"; 34 case WLAN_FC_STYPE_CFACKPOLL: 35 return "CFACKPOLL"; 36 case WLAN_FC_STYPE_QOS_DATA: 37 return "QOSDATA"; 38 case WLAN_FC_STYPE_QOS_DATA_CFACK: 39 return "QOSDATA-CFACK"; 40 case WLAN_FC_STYPE_QOS_DATA_CFPOLL: 41 return "QOSDATA-CFPOLL"; 42 case WLAN_FC_STYPE_QOS_DATA_CFACKPOLL: 43 return "QOSDATA-CFACKPOLL"; 44 case WLAN_FC_STYPE_QOS_NULL: 45 return "QOS-NULL"; 46 case WLAN_FC_STYPE_QOS_CFPOLL: 47 return "QOS-CFPOLL"; 48 case WLAN_FC_STYPE_QOS_CFACKPOLL: 49 return "QOS-CFACKPOLL"; 50 } 51 return "??"; 52 } 53 54 55 static void rx_data_eth(struct wlantest *wt, const u8 *bssid, 56 const u8 *sta_addr, const u8 *dst, const u8 *src, 57 u16 ethertype, const u8 *data, size_t len, int prot, 58 const u8 *peer_addr); 59 rx_data_vlan(struct wlantest * wt,const u8 * bssid,const u8 * sta_addr,const u8 * dst,const u8 * src,const u8 * data,size_t len,int prot,const u8 * peer_addr)60 static void rx_data_vlan(struct wlantest *wt, const u8 *bssid, 61 const u8 *sta_addr, const u8 *dst, const u8 *src, 62 const u8 *data, size_t len, int prot, 63 const u8 *peer_addr) 64 { 65 u16 tag; 66 67 if (len < 4) 68 return; 69 tag = WPA_GET_BE16(data); 70 wpa_printf(MSG_MSGDUMP, "VLAN tag: Priority=%u ID=%u", 71 tag >> 12, tag & 0x0ffff); 72 /* ignore VLAN information and process the original frame */ 73 rx_data_eth(wt, bssid, sta_addr, dst, src, WPA_GET_BE16(data + 2), 74 data + 4, len - 4, prot, peer_addr); 75 } 76 77 rx_data_eth(struct wlantest * wt,const u8 * bssid,const u8 * sta_addr,const u8 * dst,const u8 * src,u16 ethertype,const u8 * data,size_t len,int prot,const u8 * peer_addr)78 static void rx_data_eth(struct wlantest *wt, const u8 *bssid, 79 const u8 *sta_addr, const u8 *dst, const u8 *src, 80 u16 ethertype, const u8 *data, size_t len, int prot, 81 const u8 *peer_addr) 82 { 83 switch (ethertype) { 84 case ETH_P_PAE: 85 rx_data_eapol(wt, bssid, sta_addr, dst, src, data, len, prot); 86 break; 87 case ETH_P_IP: 88 rx_data_ip(wt, bssid, sta_addr, dst, src, data, len, 89 peer_addr); 90 break; 91 case 0x890d: 92 rx_data_80211_encap(wt, bssid, sta_addr, dst, src, data, len); 93 break; 94 case ETH_P_8021Q: 95 rx_data_vlan(wt, bssid, sta_addr, dst, src, data, len, prot, 96 peer_addr); 97 break; 98 } 99 } 100 101 rx_data_process(struct wlantest * wt,struct wlantest_bss * bss,const u8 * bssid,const u8 * sta_addr,const u8 * dst,const u8 * src,const u8 * data,size_t len,int prot,const u8 * peer_addr,const u8 * qos)102 static void rx_data_process(struct wlantest *wt, struct wlantest_bss *bss, 103 const u8 *bssid, 104 const u8 *sta_addr, 105 const u8 *dst, const u8 *src, 106 const u8 *data, size_t len, int prot, 107 const u8 *peer_addr, const u8 *qos) 108 { 109 if (len == 0) 110 return; 111 112 if (bss && bss->mesh && qos && !(qos[0] & BIT(7)) && 113 (qos[1] & BIT(0))) { 114 u8 addr_ext_mode; 115 size_t mesh_control_len = 6; 116 117 /* Skip Mesh Control field if this is not an A-MSDU */ 118 if (len < mesh_control_len) { 119 wpa_printf(MSG_DEBUG, 120 "Not enough room for Mesh Control field"); 121 return; 122 } 123 124 addr_ext_mode = data[0] & 0x03; 125 if (addr_ext_mode == 3) { 126 wpa_printf(MSG_DEBUG, 127 "Reserved Mesh Control :: Address Extension Mode"); 128 return; 129 } 130 131 mesh_control_len += addr_ext_mode * ETH_ALEN; 132 if (len < mesh_control_len) { 133 wpa_printf(MSG_DEBUG, 134 "Not enough room for Mesh Address Extension"); 135 return; 136 } 137 138 len -= mesh_control_len; 139 data += mesh_control_len; 140 } 141 142 if (len >= 8 && os_memcmp(data, "\xaa\xaa\x03\x00\x00\x00", 6) == 0) { 143 rx_data_eth(wt, bssid, sta_addr, dst, src, 144 WPA_GET_BE16(data + 6), data + 8, len - 8, prot, 145 peer_addr); 146 return; 147 } 148 149 wpa_hexdump(MSG_DEBUG, "Unrecognized LLC", data, len > 8 ? 8 : len); 150 } 151 152 try_ptk(struct wlantest * wt,int pairwise_cipher,struct wpa_ptk * ptk,const struct ieee80211_hdr * hdr,const u8 * a1,const u8 * a2,const u8 * a3,const u8 * data,size_t data_len,size_t * decrypted_len)153 static u8 * try_ptk(struct wlantest *wt, int pairwise_cipher, 154 struct wpa_ptk *ptk, const struct ieee80211_hdr *hdr, 155 const u8 *a1, const u8 *a2, const u8 *a3, 156 const u8 *data, size_t data_len, size_t *decrypted_len) 157 { 158 u8 *decrypted; 159 unsigned int tk_len = ptk->tk_len; 160 161 decrypted = NULL; 162 if ((pairwise_cipher == WPA_CIPHER_CCMP || 163 pairwise_cipher == 0) && tk_len == 16) { 164 decrypted = ccmp_decrypt(ptk->tk, hdr, a1, a2, a3, data, 165 data_len, decrypted_len); 166 } else if ((pairwise_cipher == WPA_CIPHER_CCMP_256 || 167 pairwise_cipher == 0) && tk_len == 32) { 168 decrypted = ccmp_256_decrypt(ptk->tk, hdr, a1, a2, a3, data, 169 data_len, decrypted_len); 170 } else if ((pairwise_cipher == WPA_CIPHER_GCMP || 171 pairwise_cipher == WPA_CIPHER_GCMP_256 || 172 pairwise_cipher == 0) && 173 (tk_len == 16 || tk_len == 32)) { 174 decrypted = gcmp_decrypt(ptk->tk, tk_len, hdr, a1, a2, a3, 175 data, data_len, decrypted_len); 176 } else if ((pairwise_cipher == WPA_CIPHER_TKIP || 177 pairwise_cipher == 0) && tk_len == 32) { 178 enum michael_mic_result mic_res; 179 180 decrypted = tkip_decrypt(ptk->tk, hdr, data, data_len, 181 decrypted_len, &mic_res, 182 &wt->tkip_frag); 183 if (decrypted && mic_res == MICHAEL_MIC_INCORRECT) 184 add_note(wt, MSG_INFO, "Invalid Michael MIC"); 185 else if (decrypted && mic_res == MICHAEL_MIC_NOT_VERIFIED) 186 add_note(wt, MSG_DEBUG, "Michael MIC not verified"); 187 } 188 189 return decrypted; 190 } 191 192 try_all_ptk(struct wlantest * wt,int pairwise_cipher,const struct ieee80211_hdr * hdr,const u8 * a1,const u8 * a2,const u8 * a3,int keyid,const u8 * data,size_t data_len,size_t * decrypted_len)193 static u8 * try_all_ptk(struct wlantest *wt, int pairwise_cipher, 194 const struct ieee80211_hdr *hdr, 195 const u8 *a1, const u8 *a2, const u8 *a3, int keyid, 196 const u8 *data, size_t data_len, size_t *decrypted_len) 197 { 198 struct wlantest_ptk *ptk; 199 u8 *decrypted; 200 int prev_level = wpa_debug_level; 201 202 wpa_debug_level = MSG_WARNING; 203 dl_list_for_each(ptk, &wt->ptk, struct wlantest_ptk, list) { 204 decrypted = try_ptk(wt, pairwise_cipher, &ptk->ptk, hdr, a1, a2, 205 a3, data, data_len, decrypted_len); 206 if (decrypted) { 207 wpa_debug_level = prev_level; 208 add_note(wt, MSG_DEBUG, 209 "Found PTK match from list of all known PTKs"); 210 write_decrypted_note(wt, decrypted, ptk->ptk.tk, 211 ptk->ptk.tk_len, keyid); 212 return decrypted; 213 } 214 } 215 wpa_debug_level = prev_level; 216 217 return NULL; 218 } 219 220 check_plaintext_prot(struct wlantest * wt,const struct ieee80211_hdr * hdr,const u8 * data,size_t len)221 static void check_plaintext_prot(struct wlantest *wt, 222 const struct ieee80211_hdr *hdr, 223 const u8 *data, size_t len) 224 { 225 if (len < 8 + 3 || data[8] != 0xaa || data[9] != 0xaa || 226 data[10] != 0x03) 227 return; 228 229 add_note(wt, MSG_DEBUG, 230 "Plaintext payload in protected frame"); 231 wpa_printf(MSG_INFO, "Plaintext payload in protected frame #%u: A2=" 232 MACSTR " seq=%u", 233 wt->frame_num, MAC2STR(hdr->addr2), 234 WLAN_GET_SEQ_SEQ(le_to_host16(hdr->seq_ctrl))); 235 } 236 237 rx_data_bss_prot_group(struct wlantest * wt,const struct ieee80211_hdr * hdr,size_t hdrlen,const u8 * qos,const u8 * dst,const u8 * src,const u8 * data,size_t len)238 static void rx_data_bss_prot_group(struct wlantest *wt, 239 const struct ieee80211_hdr *hdr, 240 size_t hdrlen, 241 const u8 *qos, const u8 *dst, const u8 *src, 242 const u8 *data, size_t len) 243 { 244 struct wlantest_bss *bss; 245 int keyid; 246 u8 *decrypted = NULL; 247 size_t dlen; 248 u8 pn[6]; 249 int replay = 0; 250 251 bss = bss_get(wt, hdr->addr2); 252 if (bss == NULL) 253 return; 254 if (len < 4) { 255 add_note(wt, MSG_INFO, "Too short group addressed data frame"); 256 return; 257 } 258 259 if (bss->group_cipher & (WPA_CIPHER_TKIP | WPA_CIPHER_CCMP) && 260 !(data[3] & 0x20)) { 261 add_note(wt, MSG_INFO, "Expected TKIP/CCMP frame from " 262 MACSTR " did not have ExtIV bit set to 1", 263 MAC2STR(bss->bssid)); 264 return; 265 } 266 267 if (bss->group_cipher == WPA_CIPHER_TKIP) { 268 if (data[3] & 0x1f) { 269 add_note(wt, MSG_INFO, "TKIP frame from " MACSTR 270 " used non-zero reserved bit", 271 MAC2STR(bss->bssid)); 272 } 273 if (data[1] != ((data[0] | 0x20) & 0x7f)) { 274 add_note(wt, MSG_INFO, "TKIP frame from " MACSTR 275 " used incorrect WEPSeed[1] (was 0x%x, " 276 "expected 0x%x)", 277 MAC2STR(bss->bssid), data[1], 278 (data[0] | 0x20) & 0x7f); 279 } 280 } else if (bss->group_cipher == WPA_CIPHER_CCMP) { 281 if (data[2] != 0 || (data[3] & 0x1f) != 0) { 282 add_note(wt, MSG_INFO, "CCMP frame from " MACSTR 283 " used non-zero reserved bit", 284 MAC2STR(bss->bssid)); 285 } 286 } 287 288 check_plaintext_prot(wt, hdr, data, len); 289 keyid = data[3] >> 6; 290 if (bss->gtk_len[keyid] == 0 && 291 (bss->group_cipher != WPA_CIPHER_WEP40 || 292 dl_list_empty(&wt->wep))) { 293 decrypted = try_all_ptk(wt, bss->group_cipher, hdr, NULL, NULL, 294 NULL, keyid, data, len, &dlen); 295 if (decrypted) 296 goto process; 297 add_note(wt, MSG_MSGDUMP, 298 "No GTK known to decrypt the frame (A2=" MACSTR 299 " KeyID=%d)", 300 MAC2STR(hdr->addr2), keyid); 301 return; 302 } 303 304 if (bss->group_cipher == WPA_CIPHER_TKIP) 305 tkip_get_pn(pn, data); 306 else if (bss->group_cipher == WPA_CIPHER_WEP40) 307 goto skip_replay_det; 308 else 309 ccmp_get_pn(pn, data); 310 if (os_memcmp(pn, bss->rsc[keyid], 6) <= 0) { 311 u16 seq_ctrl = le_to_host16(hdr->seq_ctrl); 312 char pn_hex[6 * 2 + 1], rsc_hex[6 * 2 + 1]; 313 314 wpa_snprintf_hex(pn_hex, sizeof(pn_hex), pn, 6); 315 wpa_snprintf_hex(rsc_hex, sizeof(rsc_hex), bss->rsc[keyid], 6); 316 add_note(wt, MSG_INFO, "replay detected: A1=" MACSTR 317 " A2=" MACSTR " A3=" MACSTR 318 " seq=%u frag=%u%s keyid=%d #%u %s<=%s", 319 MAC2STR(hdr->addr1), MAC2STR(hdr->addr2), 320 MAC2STR(hdr->addr3), 321 WLAN_GET_SEQ_SEQ(seq_ctrl), 322 WLAN_GET_SEQ_FRAG(seq_ctrl), 323 (le_to_host16(hdr->frame_control) & WLAN_FC_RETRY) ? 324 " Retry" : "", 325 keyid, wt->frame_num, pn_hex, rsc_hex); 326 replay = 1; 327 } 328 329 skip_replay_det: 330 if (bss->group_cipher == WPA_CIPHER_TKIP) { 331 enum michael_mic_result mic_res; 332 333 decrypted = tkip_decrypt(bss->gtk[keyid], hdr, data, len, 334 &dlen, &mic_res, &wt->tkip_frag); 335 if (decrypted && mic_res == MICHAEL_MIC_INCORRECT) 336 add_note(wt, MSG_INFO, "Invalid Michael MIC"); 337 else if (decrypted && mic_res == MICHAEL_MIC_NOT_VERIFIED) 338 add_note(wt, MSG_DEBUG, "Michael MIC not verified"); 339 } else if (bss->group_cipher == WPA_CIPHER_WEP40) { 340 decrypted = wep_decrypt(wt, hdr, data, len, &dlen); 341 } else if (bss->group_cipher == WPA_CIPHER_CCMP) { 342 decrypted = ccmp_decrypt(bss->gtk[keyid], hdr, NULL, NULL, NULL, 343 data, len, &dlen); 344 } else if (bss->group_cipher == WPA_CIPHER_CCMP_256) { 345 decrypted = ccmp_256_decrypt(bss->gtk[keyid], hdr, 346 NULL, NULL, NULL, 347 data, len, &dlen); 348 } else if (bss->group_cipher == WPA_CIPHER_GCMP || 349 bss->group_cipher == WPA_CIPHER_GCMP_256) { 350 decrypted = gcmp_decrypt(bss->gtk[keyid], bss->gtk_len[keyid], 351 hdr, NULL, NULL, NULL, 352 data, len, &dlen); 353 } 354 355 if (decrypted) { 356 char gtk[65]; 357 358 wpa_snprintf_hex(gtk, sizeof(gtk), bss->gtk[keyid], 359 bss->gtk_len[keyid]); 360 add_note(wt, MSG_EXCESSIVE, "GTK[%d] %s", keyid, gtk); 361 process: 362 rx_data_process(wt, bss, bss->bssid, NULL, dst, src, decrypted, 363 dlen, 1, NULL, qos); 364 if (!replay) 365 os_memcpy(bss->rsc[keyid], pn, 6); 366 write_pcap_decrypted(wt, (const u8 *) hdr, hdrlen, 367 decrypted, dlen); 368 } else { 369 wpa_printf(MSG_DEBUG, "Failed to decrypt frame (group) #%u A2=" 370 MACSTR " seq=%u", 371 wt->frame_num, MAC2STR(hdr->addr2), 372 WLAN_GET_SEQ_SEQ(le_to_host16(hdr->seq_ctrl))); 373 add_note(wt, MSG_DEBUG, "Failed to decrypt frame (group)"); 374 } 375 os_free(decrypted); 376 } 377 378 try_ptk_decrypt(struct wlantest * wt,struct wlantest_sta * sta,const struct ieee80211_hdr * hdr,const u8 * a1,const u8 * a2,const u8 * a3,int keyid,const u8 * data,size_t len,const u8 * tk,size_t tk_len,size_t * dlen)379 static u8 * try_ptk_decrypt(struct wlantest *wt, struct wlantest_sta *sta, 380 const struct ieee80211_hdr *hdr, 381 const u8 *a1, const u8 *a2, const u8 *a3, 382 int keyid, 383 const u8 *data, size_t len, 384 const u8 *tk, size_t tk_len, size_t *dlen) 385 { 386 u8 *decrypted = NULL; 387 388 if (sta->pairwise_cipher == WPA_CIPHER_CCMP_256) 389 decrypted = ccmp_256_decrypt(tk, hdr, a1, a2, a3, 390 data, len, dlen); 391 else if (sta->pairwise_cipher == WPA_CIPHER_GCMP || 392 sta->pairwise_cipher == WPA_CIPHER_GCMP_256) 393 decrypted = gcmp_decrypt(tk, tk_len, hdr, a1, a2, a3, 394 data, len, dlen); 395 else 396 decrypted = ccmp_decrypt(tk, hdr, a1, a2, a3, data, len, dlen); 397 write_decrypted_note(wt, decrypted, tk, tk_len, keyid); 398 399 return decrypted; 400 } 401 402 rx_data_bss_prot(struct wlantest * wt,const struct ieee80211_hdr * hdr,size_t hdrlen,const u8 * qos,const u8 * dst,const u8 * src,const u8 * data,size_t len)403 static void rx_data_bss_prot(struct wlantest *wt, 404 const struct ieee80211_hdr *hdr, size_t hdrlen, 405 const u8 *qos, const u8 *dst, const u8 *src, 406 const u8 *data, size_t len) 407 { 408 struct wlantest_bss *bss, *bss2; 409 struct wlantest_sta *sta, *sta2; 410 int keyid; 411 u16 fc = le_to_host16(hdr->frame_control); 412 u8 *decrypted = NULL; 413 size_t dlen; 414 int tid; 415 u8 pn[6], *rsc = NULL; 416 struct wlantest_tdls *tdls = NULL, *found; 417 const u8 *tk = NULL; 418 int ptk_iter_done = 0; 419 int try_ptk_iter = 0; 420 int replay = 0; 421 int only_zero_tk = 0; 422 u16 seq_ctrl = le_to_host16(hdr->seq_ctrl); 423 const u8 *a1 = NULL, *a2 = NULL, *a3 = NULL; 424 enum { NO, YES, UNKNOWN } a1_is_sta = UNKNOWN; 425 426 if (hdr->addr1[0] & 0x01) { 427 rx_data_bss_prot_group(wt, hdr, hdrlen, qos, dst, src, 428 data, len); 429 return; 430 } 431 432 if ((fc & (WLAN_FC_TODS | WLAN_FC_FROMDS)) == 433 (WLAN_FC_TODS | WLAN_FC_FROMDS)) { 434 bss = bss_find(wt, hdr->addr1); 435 if (bss) { 436 sta = sta_find_mlo(wt, bss, hdr->addr2); 437 if (sta) { 438 a1_is_sta = NO; 439 sta->counters[ 440 WLANTEST_STA_COUNTER_PROT_DATA_TX]++; 441 } 442 if (!sta || !sta->ptk_set) { 443 bss2 = bss_find(wt, hdr->addr2); 444 if (bss2) { 445 sta2 = sta_find_mlo(wt, bss2, 446 hdr->addr1); 447 if (sta2 && (!sta || sta2->ptk_set)) { 448 a1_is_sta = YES; 449 bss = bss2; 450 sta = sta2; 451 } 452 } 453 } 454 } else { 455 bss = bss_find(wt, hdr->addr2); 456 if (!bss) 457 return; 458 sta = sta_find_mlo(wt, bss, hdr->addr1); 459 if (sta) 460 a1_is_sta = YES; 461 } 462 } else if (fc & WLAN_FC_TODS) { 463 bss = bss_get(wt, hdr->addr1); 464 if (bss == NULL) 465 return; 466 sta = sta_find_mlo(wt, bss, hdr->addr2); 467 if (!sta) 468 sta = sta_get(bss, hdr->addr2); 469 if (sta) 470 sta->counters[WLANTEST_STA_COUNTER_PROT_DATA_TX]++; 471 a1_is_sta = NO; 472 } else if (fc & WLAN_FC_FROMDS) { 473 bss = bss_get(wt, hdr->addr2); 474 if (bss == NULL) 475 return; 476 sta = sta_find_mlo(wt, bss, hdr->addr1); 477 if (!sta) 478 sta = sta_get(bss, hdr->addr1); 479 if (sta) 480 a1_is_sta = YES; 481 } else { 482 bss = bss_get(wt, hdr->addr3); 483 if (bss == NULL) 484 return; 485 sta = sta_find(bss, hdr->addr2); 486 sta2 = sta_find(bss, hdr->addr1); 487 if (sta == NULL || sta2 == NULL) 488 return; 489 found = NULL; 490 dl_list_for_each(tdls, &bss->tdls, struct wlantest_tdls, list) 491 { 492 if ((tdls->init == sta && tdls->resp == sta2) || 493 (tdls->init == sta2 && tdls->resp == sta)) { 494 found = tdls; 495 if (tdls->link_up) 496 break; 497 } 498 } 499 if (found) { 500 if (!found->link_up) 501 add_note(wt, MSG_DEBUG, 502 "TDLS: Link not up, but Data " 503 "frame seen"); 504 tk = found->tpk.tk; 505 tdls = found; 506 } 507 } 508 check_plaintext_prot(wt, hdr, data, len); 509 if ((sta == NULL || 510 (!sta->ptk_set && sta->pairwise_cipher != WPA_CIPHER_WEP40)) && 511 tk == NULL) { 512 add_note(wt, MSG_MSGDUMP, "No PTK known to decrypt the frame"); 513 if (dl_list_empty(&wt->ptk)) { 514 if (len >= 4 && sta) { 515 keyid = data[3] >> 6; 516 only_zero_tk = 1; 517 goto check_zero_tk; 518 } 519 return; 520 } 521 522 try_ptk_iter = 1; 523 } 524 525 if (len < 4) { 526 add_note(wt, MSG_INFO, "Too short encrypted data frame"); 527 return; 528 } 529 530 if (sta == NULL) 531 return; 532 if (sta->pairwise_cipher & (WPA_CIPHER_TKIP | WPA_CIPHER_CCMP | 533 WPA_CIPHER_GCMP | WPA_CIPHER_GCMP_256 | 534 WPA_CIPHER_CCMP_256) && 535 !(data[3] & 0x20)) { 536 add_note(wt, MSG_INFO, "Expected TKIP/CCMP/GCMP frame from " 537 MACSTR " did not have ExtIV bit set to 1", 538 MAC2STR(src)); 539 return; 540 } 541 542 if (tk == NULL && sta->pairwise_cipher == WPA_CIPHER_TKIP) { 543 if (data[3] & 0x1f) { 544 add_note(wt, MSG_INFO, "TKIP frame from " MACSTR 545 " used non-zero reserved bit", 546 MAC2STR(hdr->addr2)); 547 } 548 if (data[1] != ((data[0] | 0x20) & 0x7f)) { 549 add_note(wt, MSG_INFO, "TKIP frame from " MACSTR 550 " used incorrect WEPSeed[1] (was 0x%x, " 551 "expected 0x%x)", 552 MAC2STR(hdr->addr2), data[1], 553 (data[0] | 0x20) & 0x7f); 554 } 555 } else if (tk || sta->pairwise_cipher == WPA_CIPHER_CCMP || 556 sta->pairwise_cipher == WPA_CIPHER_GCMP || 557 sta->pairwise_cipher == WPA_CIPHER_GCMP_256 || 558 sta->pairwise_cipher == WPA_CIPHER_CCMP_256) { 559 if (data[2] != 0 || (data[3] & 0x1f) != 0) { 560 add_note(wt, MSG_INFO, "CCMP/GCMP frame from " MACSTR 561 " used non-zero reserved bit", 562 MAC2STR(hdr->addr2)); 563 } 564 } 565 566 keyid = data[3] >> 6; 567 if (keyid != 0 && 568 (!(sta->rsn_capab & WPA_CAPABILITY_EXT_KEY_ID_FOR_UNICAST) || 569 !(bss->rsn_capab & WPA_CAPABILITY_EXT_KEY_ID_FOR_UNICAST) || 570 keyid != 1)) { 571 add_note(wt, MSG_INFO, 572 "Unexpected KeyID %d in individually addressed Data frame from " 573 MACSTR, 574 keyid, MAC2STR(hdr->addr2)); 575 } 576 577 if (qos) { 578 tid = qos[0] & 0x0f; 579 if (a1_is_sta == NO) 580 sta->tx_tid[tid]++; 581 else 582 sta->rx_tid[tid]++; 583 } else { 584 tid = 0; 585 if (a1_is_sta == NO) 586 sta->tx_tid[16]++; 587 else 588 sta->rx_tid[16]++; 589 } 590 if (tk) { 591 if (ether_addr_equal(hdr->addr2, tdls->init->addr)) 592 rsc = tdls->rsc_init[tid]; 593 else 594 rsc = tdls->rsc_resp[tid]; 595 } else if ((fc & (WLAN_FC_TODS | WLAN_FC_FROMDS)) == 596 (WLAN_FC_TODS | WLAN_FC_FROMDS)) { 597 if (a1_is_sta == NO) 598 rsc = sta->rsc_tods[tid]; 599 else 600 rsc = sta->rsc_fromds[tid]; 601 } else if (a1_is_sta == NO) 602 rsc = sta->rsc_tods[tid]; 603 else 604 rsc = sta->rsc_fromds[tid]; 605 606 607 if (tk == NULL && sta->pairwise_cipher == WPA_CIPHER_TKIP) 608 tkip_get_pn(pn, data); 609 else if (sta->pairwise_cipher == WPA_CIPHER_WEP40) 610 goto skip_replay_det; 611 else 612 ccmp_get_pn(pn, data); 613 if (os_memcmp(pn, rsc, 6) <= 0) { 614 char pn_hex[6 * 2 + 1], rsc_hex[6 * 2 + 1]; 615 616 wpa_snprintf_hex(pn_hex, sizeof(pn_hex), pn, 6); 617 wpa_snprintf_hex(rsc_hex, sizeof(rsc_hex), rsc, 6); 618 add_note(wt, MSG_INFO, "replay detected: A1=" MACSTR 619 " A2=" MACSTR " A3=" MACSTR 620 " seq=%u frag=%u%s keyid=%d tid=%d #%u %s<=%s", 621 MAC2STR(hdr->addr1), MAC2STR(hdr->addr2), 622 MAC2STR(hdr->addr3), 623 WLAN_GET_SEQ_SEQ(seq_ctrl), 624 WLAN_GET_SEQ_FRAG(seq_ctrl), 625 (le_to_host16(hdr->frame_control) & WLAN_FC_RETRY) ? 626 " Retry" : "", 627 keyid, tid, wt->frame_num, pn_hex, rsc_hex); 628 replay = 1; 629 } 630 631 skip_replay_det: 632 if ((fc & (WLAN_FC_TODS | WLAN_FC_FROMDS)) && 633 !is_zero_ether_addr(sta->mld_mac_addr) && 634 !is_zero_ether_addr(bss->mld_mac_addr) && 635 a1_is_sta != UNKNOWN) { 636 if (a1_is_sta == YES) { 637 a1 = sta->mld_mac_addr; 638 a2 = bss->mld_mac_addr; 639 } else { 640 a1 = bss->mld_mac_addr; 641 a2 = sta->mld_mac_addr; 642 } 643 644 if (ether_addr_equal(hdr->addr3, bss->bssid)) 645 a3 = bss->mld_mac_addr; 646 } 647 648 if (tk) { 649 if (sta->pairwise_cipher == WPA_CIPHER_CCMP_256) { 650 decrypted = ccmp_256_decrypt(tk, hdr, a1, a2, a3, 651 data, len, &dlen); 652 write_decrypted_note(wt, decrypted, tk, 32, keyid); 653 } else if (sta->pairwise_cipher == WPA_CIPHER_GCMP || 654 sta->pairwise_cipher == WPA_CIPHER_GCMP_256) { 655 decrypted = gcmp_decrypt(tk, sta->ptk.tk_len, hdr, 656 a1, a2, a3, data, len, &dlen); 657 write_decrypted_note(wt, decrypted, tk, sta->ptk.tk_len, 658 keyid); 659 } else { 660 decrypted = ccmp_decrypt(tk, hdr, a1, a2, a3, data, len, 661 &dlen); 662 write_decrypted_note(wt, decrypted, tk, 16, keyid); 663 } 664 } else if (sta->pairwise_cipher == WPA_CIPHER_TKIP) { 665 enum michael_mic_result mic_res; 666 667 decrypted = tkip_decrypt(sta->ptk.tk, hdr, data, len, &dlen, 668 &mic_res, &wt->tkip_frag); 669 if (decrypted && mic_res == MICHAEL_MIC_INCORRECT) 670 add_note(wt, MSG_INFO, "Invalid Michael MIC"); 671 else if (decrypted && mic_res == MICHAEL_MIC_NOT_VERIFIED) 672 add_note(wt, MSG_DEBUG, "Michael MIC not verified"); 673 write_decrypted_note(wt, decrypted, sta->ptk.tk, 32, keyid); 674 } else if (sta->pairwise_cipher == WPA_CIPHER_WEP40) { 675 decrypted = wep_decrypt(wt, hdr, data, len, &dlen); 676 } else if (sta->ptk_set) { 677 decrypted = try_ptk_decrypt(wt, sta, hdr, a1, a2, a3, 678 keyid, data, len, 679 sta->ptk.tk, sta->ptk.tk_len, 680 &dlen); 681 } else { 682 decrypted = try_all_ptk(wt, sta->pairwise_cipher, hdr, 683 a1, a2, a3, 684 keyid, data, len, &dlen); 685 ptk_iter_done = 1; 686 } 687 if (!decrypted && !ptk_iter_done) { 688 decrypted = try_all_ptk(wt, sta->pairwise_cipher, hdr, 689 a1, a2, a3, 690 keyid, data, len, &dlen); 691 if (decrypted) { 692 add_note(wt, MSG_DEBUG, "Current PTK did not work, but found a match from all known PTKs"); 693 } 694 } 695 check_zero_tk: 696 if (!decrypted) { 697 struct wpa_ptk zero_ptk; 698 int old_debug_level = wpa_debug_level; 699 700 os_memset(&zero_ptk, 0, sizeof(zero_ptk)); 701 zero_ptk.tk_len = wpa_cipher_key_len(sta->pairwise_cipher); 702 wpa_debug_level = MSG_ERROR; 703 decrypted = try_ptk(wt, sta->pairwise_cipher, &zero_ptk, hdr, 704 a1, a2, a3, data, len, &dlen); 705 wpa_debug_level = old_debug_level; 706 if (decrypted) { 707 add_note(wt, MSG_DEBUG, 708 "Frame was encrypted with zero TK"); 709 wpa_printf(MSG_INFO, "Zero TK used in frame #%u: A2=" 710 MACSTR " seq=%u", 711 wt->frame_num, MAC2STR(hdr->addr2), 712 WLAN_GET_SEQ_SEQ( 713 le_to_host16(hdr->seq_ctrl))); 714 write_decrypted_note(wt, decrypted, zero_ptk.tk, 715 zero_ptk.tk_len, keyid); 716 } 717 } 718 if (decrypted) { 719 u16 fc = le_to_host16(hdr->frame_control); 720 const u8 *peer_addr = NULL; 721 if (!(fc & (WLAN_FC_FROMDS | WLAN_FC_TODS))) 722 peer_addr = hdr->addr1; 723 if (!replay && rsc) 724 os_memcpy(rsc, pn, 6); 725 rx_data_process(wt, bss, bss->bssid, sta->addr, dst, src, 726 decrypted, dlen, 1, peer_addr, qos); 727 write_pcap_decrypted(wt, (const u8 *) hdr, hdrlen, 728 decrypted, dlen); 729 } else if (sta->tptk_set) { 730 /* Check whether TPTK has a matching TK that could be used to 731 * decrypt the frame. That could happen if EAPOL-Key msg 4/4 732 * was missing in the capture and this was PTK rekeying. */ 733 decrypted = try_ptk_decrypt(wt, sta, hdr, a1, a2, a3, 734 keyid, data, len, 735 sta->tptk.tk, sta->tptk.tk_len, 736 &dlen); 737 if (decrypted) { 738 add_note(wt, MSG_DEBUG, 739 "Update PTK (rekeying; no valid EAPOL-Key msg 4/4 seen)"); 740 os_memcpy(&sta->ptk, &sta->tptk, sizeof(sta->ptk)); 741 sta->ptk_set = 1; 742 sta->tptk_set = 0; 743 os_memset(sta->rsc_tods, 0, sizeof(sta->rsc_tods)); 744 os_memset(sta->rsc_fromds, 0, sizeof(sta->rsc_fromds)); 745 } 746 } else { 747 if (!try_ptk_iter && !only_zero_tk) { 748 wpa_printf(MSG_DEBUG, 749 "Failed to decrypt frame #%u A2=" MACSTR 750 " seq=%u", 751 wt->frame_num, MAC2STR(hdr->addr2), 752 WLAN_GET_SEQ_SEQ(seq_ctrl)); 753 add_note(wt, MSG_DEBUG, "Failed to decrypt frame"); 754 } 755 756 /* Assume the frame was corrupted and there was no FCS to check. 757 * Allow retry of this particular frame to be processed so that 758 * it could end up getting decrypted if it was received without 759 * corruption. */ 760 sta->allow_duplicate = 1; 761 } 762 os_free(decrypted); 763 } 764 765 rx_data_bss(struct wlantest * wt,const struct ieee80211_hdr * hdr,size_t hdrlen,const u8 * qos,const u8 * dst,const u8 * src,const u8 * data,size_t len)766 static void rx_data_bss(struct wlantest *wt, const struct ieee80211_hdr *hdr, 767 size_t hdrlen, const u8 *qos, const u8 *dst, 768 const u8 *src, const u8 *data, size_t len) 769 { 770 u16 fc = le_to_host16(hdr->frame_control); 771 int prot = !!(fc & WLAN_FC_ISWEP); 772 773 if (qos) { 774 u8 ack = (qos[0] & 0x60) >> 5; 775 wpa_printf(MSG_MSGDUMP, "BSS DATA: " MACSTR " -> " MACSTR 776 " len=%u%s tid=%u%s%s%s%s", 777 MAC2STR(src), MAC2STR(dst), (unsigned int) len, 778 prot ? " Prot" : "", qos[0] & 0x0f, 779 (fc & WLAN_FC_TODS) ? " ToDS" : "", 780 (fc & WLAN_FC_FROMDS) ? " FromDS" : "", 781 (qos[0] & 0x10) ? " EOSP" : "", 782 ack == 0 ? "" : 783 (ack == 1 ? " NoAck" : 784 (ack == 2 ? " NoExpAck" : " BA"))); 785 } else { 786 wpa_printf(MSG_MSGDUMP, "BSS DATA: " MACSTR " -> " MACSTR 787 " len=%u%s%s%s", 788 MAC2STR(src), MAC2STR(dst), (unsigned int) len, 789 prot ? " Prot" : "", 790 (fc & WLAN_FC_TODS) ? " ToDS" : "", 791 (fc & WLAN_FC_FROMDS) ? " FromDS" : ""); 792 } 793 794 if (prot) 795 rx_data_bss_prot(wt, hdr, hdrlen, qos, dst, src, data, len); 796 else { 797 const u8 *bssid, *sta_addr, *peer_addr; 798 struct wlantest_bss *bss; 799 800 if (fc & WLAN_FC_TODS) { 801 bssid = hdr->addr1; 802 sta_addr = hdr->addr2; 803 peer_addr = NULL; 804 } else if (fc & WLAN_FC_FROMDS) { 805 bssid = hdr->addr2; 806 sta_addr = hdr->addr1; 807 peer_addr = NULL; 808 } else { 809 bssid = hdr->addr3; 810 sta_addr = hdr->addr2; 811 peer_addr = hdr->addr1; 812 } 813 814 bss = bss_get(wt, bssid); 815 if (bss) { 816 struct wlantest_sta *sta; 817 818 sta = sta_find_mlo(wt, bss, sta_addr); 819 if (!sta) 820 sta = sta_get(bss, sta_addr); 821 822 if (sta) { 823 if (qos) { 824 int tid = qos[0] & 0x0f; 825 if (fc & WLAN_FC_TODS) 826 sta->tx_tid[tid]++; 827 else 828 sta->rx_tid[tid]++; 829 } else { 830 if (fc & WLAN_FC_TODS) 831 sta->tx_tid[16]++; 832 else 833 sta->rx_tid[16]++; 834 } 835 } 836 } 837 838 rx_data_process(wt, bss, bssid, sta_addr, dst, src, data, len, 839 0, peer_addr, qos); 840 } 841 } 842 843 get_tdls(struct wlantest * wt,const u8 * bssid,const u8 * sta1_addr,const u8 * sta2_addr)844 static struct wlantest_tdls * get_tdls(struct wlantest *wt, const u8 *bssid, 845 const u8 *sta1_addr, 846 const u8 *sta2_addr) 847 { 848 struct wlantest_bss *bss; 849 struct wlantest_sta *sta1, *sta2; 850 struct wlantest_tdls *tdls, *found = NULL; 851 852 bss = bss_find(wt, bssid); 853 if (bss == NULL) 854 return NULL; 855 sta1 = sta_find(bss, sta1_addr); 856 if (sta1 == NULL) 857 return NULL; 858 sta2 = sta_find(bss, sta2_addr); 859 if (sta2 == NULL) 860 return NULL; 861 862 dl_list_for_each(tdls, &bss->tdls, struct wlantest_tdls, list) { 863 if ((tdls->init == sta1 && tdls->resp == sta2) || 864 (tdls->init == sta2 && tdls->resp == sta1)) { 865 found = tdls; 866 if (tdls->link_up) 867 break; 868 } 869 } 870 871 return found; 872 } 873 874 add_direct_link(struct wlantest * wt,const u8 * bssid,const u8 * sta1_addr,const u8 * sta2_addr)875 static void add_direct_link(struct wlantest *wt, const u8 *bssid, 876 const u8 *sta1_addr, const u8 *sta2_addr) 877 { 878 struct wlantest_tdls *tdls; 879 880 tdls = get_tdls(wt, bssid, sta1_addr, sta2_addr); 881 if (tdls == NULL) 882 return; 883 884 if (tdls->link_up) 885 tdls->counters[WLANTEST_TDLS_COUNTER_VALID_DIRECT_LINK]++; 886 else 887 tdls->counters[WLANTEST_TDLS_COUNTER_INVALID_DIRECT_LINK]++; 888 } 889 890 add_ap_path(struct wlantest * wt,const u8 * bssid,const u8 * sta1_addr,const u8 * sta2_addr)891 static void add_ap_path(struct wlantest *wt, const u8 *bssid, 892 const u8 *sta1_addr, const u8 *sta2_addr) 893 { 894 struct wlantest_tdls *tdls; 895 896 tdls = get_tdls(wt, bssid, sta1_addr, sta2_addr); 897 if (tdls == NULL) 898 return; 899 900 if (tdls->link_up) 901 tdls->counters[WLANTEST_TDLS_COUNTER_INVALID_AP_PATH]++; 902 else 903 tdls->counters[WLANTEST_TDLS_COUNTER_VALID_AP_PATH]++; 904 } 905 906 rx_data(struct wlantest * wt,const u8 * data,size_t len)907 void rx_data(struct wlantest *wt, const u8 *data, size_t len) 908 { 909 const struct ieee80211_hdr *hdr; 910 u16 fc, stype; 911 size_t hdrlen; 912 const u8 *qos = NULL; 913 914 if (len < 24) 915 return; 916 917 hdr = (const struct ieee80211_hdr *) data; 918 fc = le_to_host16(hdr->frame_control); 919 stype = WLAN_FC_GET_STYPE(fc); 920 hdrlen = 24; 921 if ((fc & (WLAN_FC_TODS | WLAN_FC_FROMDS)) == 922 (WLAN_FC_TODS | WLAN_FC_FROMDS)) 923 hdrlen += ETH_ALEN; 924 if (stype & 0x08) { 925 qos = data + hdrlen; 926 hdrlen += 2; 927 } 928 if ((fc & WLAN_FC_HTC) && (stype & 0x08)) 929 hdrlen += 4; /* HT Control field */ 930 if (len < hdrlen) 931 return; 932 wt->rx_data++; 933 934 switch (fc & (WLAN_FC_TODS | WLAN_FC_FROMDS)) { 935 case 0: 936 wpa_printf(MSG_EXCESSIVE, "DATA %s%s%s IBSS DA=" MACSTR " SA=" 937 MACSTR " BSSID=" MACSTR, 938 data_stype(WLAN_FC_GET_STYPE(fc)), 939 fc & WLAN_FC_PWRMGT ? " PwrMgt" : "", 940 fc & WLAN_FC_ISWEP ? " Prot" : "", 941 MAC2STR(hdr->addr1), MAC2STR(hdr->addr2), 942 MAC2STR(hdr->addr3)); 943 add_direct_link(wt, hdr->addr3, hdr->addr1, hdr->addr2); 944 rx_data_bss(wt, hdr, hdrlen, qos, hdr->addr1, hdr->addr2, 945 data + hdrlen, len - hdrlen); 946 break; 947 case WLAN_FC_FROMDS: 948 wpa_printf(MSG_EXCESSIVE, "DATA %s%s%s FromDS DA=" MACSTR 949 " BSSID=" MACSTR " SA=" MACSTR, 950 data_stype(WLAN_FC_GET_STYPE(fc)), 951 fc & WLAN_FC_PWRMGT ? " PwrMgt" : "", 952 fc & WLAN_FC_ISWEP ? " Prot" : "", 953 MAC2STR(hdr->addr1), MAC2STR(hdr->addr2), 954 MAC2STR(hdr->addr3)); 955 add_ap_path(wt, hdr->addr2, hdr->addr1, hdr->addr3); 956 rx_data_bss(wt, hdr, hdrlen, qos, hdr->addr1, hdr->addr3, 957 data + hdrlen, len - hdrlen); 958 break; 959 case WLAN_FC_TODS: 960 wpa_printf(MSG_EXCESSIVE, "DATA %s%s%s ToDS BSSID=" MACSTR 961 " SA=" MACSTR " DA=" MACSTR, 962 data_stype(WLAN_FC_GET_STYPE(fc)), 963 fc & WLAN_FC_PWRMGT ? " PwrMgt" : "", 964 fc & WLAN_FC_ISWEP ? " Prot" : "", 965 MAC2STR(hdr->addr1), MAC2STR(hdr->addr2), 966 MAC2STR(hdr->addr3)); 967 add_ap_path(wt, hdr->addr1, hdr->addr3, hdr->addr2); 968 rx_data_bss(wt, hdr, hdrlen, qos, hdr->addr3, hdr->addr2, 969 data + hdrlen, len - hdrlen); 970 break; 971 case WLAN_FC_TODS | WLAN_FC_FROMDS: 972 wpa_printf(MSG_EXCESSIVE, "DATA %s%s%s WDS RA=" MACSTR " TA=" 973 MACSTR " DA=" MACSTR " SA=" MACSTR, 974 data_stype(WLAN_FC_GET_STYPE(fc)), 975 fc & WLAN_FC_PWRMGT ? " PwrMgt" : "", 976 fc & WLAN_FC_ISWEP ? " Prot" : "", 977 MAC2STR(hdr->addr1), MAC2STR(hdr->addr2), 978 MAC2STR(hdr->addr3), 979 MAC2STR((const u8 *) (hdr + 1))); 980 rx_data_bss(wt, hdr, hdrlen, qos, hdr->addr1, hdr->addr2, 981 data + hdrlen, len - hdrlen); 982 break; 983 } 984 } 985