1 /*
2 * Received Data frame processing
3 * Copyright (c) 2010-2015, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9 #include "utils/includes.h"
10
11 #include "utils/common.h"
12 #include "common/defs.h"
13 #include "common/ieee802_11_defs.h"
14 #include "wlantest.h"
15
16
data_stype(u16 stype)17 static const char * data_stype(u16 stype)
18 {
19 switch (stype) {
20 case WLAN_FC_STYPE_DATA:
21 return "DATA";
22 case WLAN_FC_STYPE_DATA_CFACK:
23 return "DATA-CFACK";
24 case WLAN_FC_STYPE_DATA_CFPOLL:
25 return "DATA-CFPOLL";
26 case WLAN_FC_STYPE_DATA_CFACKPOLL:
27 return "DATA-CFACKPOLL";
28 case WLAN_FC_STYPE_NULLFUNC:
29 return "NULLFUNC";
30 case WLAN_FC_STYPE_CFACK:
31 return "CFACK";
32 case WLAN_FC_STYPE_CFPOLL:
33 return "CFPOLL";
34 case WLAN_FC_STYPE_CFACKPOLL:
35 return "CFACKPOLL";
36 case WLAN_FC_STYPE_QOS_DATA:
37 return "QOSDATA";
38 case WLAN_FC_STYPE_QOS_DATA_CFACK:
39 return "QOSDATA-CFACK";
40 case WLAN_FC_STYPE_QOS_DATA_CFPOLL:
41 return "QOSDATA-CFPOLL";
42 case WLAN_FC_STYPE_QOS_DATA_CFACKPOLL:
43 return "QOSDATA-CFACKPOLL";
44 case WLAN_FC_STYPE_QOS_NULL:
45 return "QOS-NULL";
46 case WLAN_FC_STYPE_QOS_CFPOLL:
47 return "QOS-CFPOLL";
48 case WLAN_FC_STYPE_QOS_CFACKPOLL:
49 return "QOS-CFACKPOLL";
50 }
51 return "??";
52 }
53
54
55 static void rx_data_eth(struct wlantest *wt, const u8 *bssid,
56 const u8 *sta_addr, const u8 *dst, const u8 *src,
57 u16 ethertype, const u8 *data, size_t len, int prot,
58 const u8 *peer_addr);
59
rx_data_vlan(struct wlantest * wt,const u8 * bssid,const u8 * sta_addr,const u8 * dst,const u8 * src,const u8 * data,size_t len,int prot,const u8 * peer_addr)60 static void rx_data_vlan(struct wlantest *wt, const u8 *bssid,
61 const u8 *sta_addr, const u8 *dst, const u8 *src,
62 const u8 *data, size_t len, int prot,
63 const u8 *peer_addr)
64 {
65 u16 tag;
66
67 if (len < 4)
68 return;
69 tag = WPA_GET_BE16(data);
70 wpa_printf(MSG_MSGDUMP, "VLAN tag: Priority=%u ID=%u",
71 tag >> 12, tag & 0x0ffff);
72 /* ignore VLAN information and process the original frame */
73 rx_data_eth(wt, bssid, sta_addr, dst, src, WPA_GET_BE16(data + 2),
74 data + 4, len - 4, prot, peer_addr);
75 }
76
77
rx_data_eth(struct wlantest * wt,const u8 * bssid,const u8 * sta_addr,const u8 * dst,const u8 * src,u16 ethertype,const u8 * data,size_t len,int prot,const u8 * peer_addr)78 static void rx_data_eth(struct wlantest *wt, const u8 *bssid,
79 const u8 *sta_addr, const u8 *dst, const u8 *src,
80 u16 ethertype, const u8 *data, size_t len, int prot,
81 const u8 *peer_addr)
82 {
83 switch (ethertype) {
84 case ETH_P_PAE:
85 rx_data_eapol(wt, bssid, sta_addr, dst, src, data, len, prot);
86 break;
87 case ETH_P_IP:
88 rx_data_ip(wt, bssid, sta_addr, dst, src, data, len,
89 peer_addr);
90 break;
91 case 0x890d:
92 rx_data_80211_encap(wt, bssid, sta_addr, dst, src, data, len);
93 break;
94 case ETH_P_8021Q:
95 rx_data_vlan(wt, bssid, sta_addr, dst, src, data, len, prot,
96 peer_addr);
97 break;
98 }
99 }
100
101
rx_data_process(struct wlantest * wt,struct wlantest_bss * bss,const u8 * bssid,const u8 * sta_addr,const u8 * dst,const u8 * src,const u8 * data,size_t len,int prot,const u8 * peer_addr,const u8 * qos)102 static void rx_data_process(struct wlantest *wt, struct wlantest_bss *bss,
103 const u8 *bssid,
104 const u8 *sta_addr,
105 const u8 *dst, const u8 *src,
106 const u8 *data, size_t len, int prot,
107 const u8 *peer_addr, const u8 *qos)
108 {
109 if (len == 0)
110 return;
111
112 if (bss && bss->mesh && qos && !(qos[0] & BIT(7)) &&
113 (qos[1] & BIT(0))) {
114 u8 addr_ext_mode;
115 size_t mesh_control_len = 6;
116
117 /* Skip Mesh Control field if this is not an A-MSDU */
118 if (len < mesh_control_len) {
119 wpa_printf(MSG_DEBUG,
120 "Not enough room for Mesh Control field");
121 return;
122 }
123
124 addr_ext_mode = data[0] & 0x03;
125 if (addr_ext_mode == 3) {
126 wpa_printf(MSG_DEBUG,
127 "Reserved Mesh Control :: Address Extension Mode");
128 return;
129 }
130
131 mesh_control_len += addr_ext_mode * ETH_ALEN;
132 if (len < mesh_control_len) {
133 wpa_printf(MSG_DEBUG,
134 "Not enough room for Mesh Address Extension");
135 return;
136 }
137
138 len -= mesh_control_len;
139 data += mesh_control_len;
140 }
141
142 if (len >= 8 && os_memcmp(data, "\xaa\xaa\x03\x00\x00\x00", 6) == 0) {
143 rx_data_eth(wt, bssid, sta_addr, dst, src,
144 WPA_GET_BE16(data + 6), data + 8, len - 8, prot,
145 peer_addr);
146 return;
147 }
148
149 wpa_hexdump(MSG_DEBUG, "Unrecognized LLC", data, len > 8 ? 8 : len);
150 }
151
152
try_ptk(struct wlantest * wt,int pairwise_cipher,struct wpa_ptk * ptk,const struct ieee80211_hdr * hdr,const u8 * a1,const u8 * a2,const u8 * a3,const u8 * data,size_t data_len,size_t * decrypted_len)153 static u8 * try_ptk(struct wlantest *wt, int pairwise_cipher,
154 struct wpa_ptk *ptk, const struct ieee80211_hdr *hdr,
155 const u8 *a1, const u8 *a2, const u8 *a3,
156 const u8 *data, size_t data_len, size_t *decrypted_len)
157 {
158 u8 *decrypted;
159 unsigned int tk_len = ptk->tk_len;
160
161 decrypted = NULL;
162 if ((pairwise_cipher == WPA_CIPHER_CCMP ||
163 pairwise_cipher == 0) && tk_len == 16) {
164 decrypted = ccmp_decrypt(ptk->tk, hdr, a1, a2, a3, data,
165 data_len, decrypted_len);
166 } else if ((pairwise_cipher == WPA_CIPHER_CCMP_256 ||
167 pairwise_cipher == 0) && tk_len == 32) {
168 decrypted = ccmp_256_decrypt(ptk->tk, hdr, a1, a2, a3, data,
169 data_len, decrypted_len);
170 } else if ((pairwise_cipher == WPA_CIPHER_GCMP ||
171 pairwise_cipher == WPA_CIPHER_GCMP_256 ||
172 pairwise_cipher == 0) &&
173 (tk_len == 16 || tk_len == 32)) {
174 decrypted = gcmp_decrypt(ptk->tk, tk_len, hdr, a1, a2, a3,
175 data, data_len, decrypted_len);
176 } else if ((pairwise_cipher == WPA_CIPHER_TKIP ||
177 pairwise_cipher == 0) && tk_len == 32) {
178 enum michael_mic_result mic_res;
179
180 decrypted = tkip_decrypt(ptk->tk, hdr, data, data_len,
181 decrypted_len, &mic_res,
182 &wt->tkip_frag);
183 if (decrypted && mic_res == MICHAEL_MIC_INCORRECT)
184 add_note(wt, MSG_INFO, "Invalid Michael MIC");
185 else if (decrypted && mic_res == MICHAEL_MIC_NOT_VERIFIED)
186 add_note(wt, MSG_DEBUG, "Michael MIC not verified");
187 }
188
189 return decrypted;
190 }
191
192
try_all_ptk(struct wlantest * wt,int pairwise_cipher,const struct ieee80211_hdr * hdr,const u8 * a1,const u8 * a2,const u8 * a3,int keyid,const u8 * data,size_t data_len,size_t * decrypted_len)193 static u8 * try_all_ptk(struct wlantest *wt, int pairwise_cipher,
194 const struct ieee80211_hdr *hdr,
195 const u8 *a1, const u8 *a2, const u8 *a3, int keyid,
196 const u8 *data, size_t data_len, size_t *decrypted_len)
197 {
198 struct wlantest_ptk *ptk;
199 u8 *decrypted;
200 int prev_level = wpa_debug_level;
201
202 wpa_debug_level = MSG_WARNING;
203 dl_list_for_each(ptk, &wt->ptk, struct wlantest_ptk, list) {
204 decrypted = try_ptk(wt, pairwise_cipher, &ptk->ptk, hdr, a1, a2,
205 a3, data, data_len, decrypted_len);
206 if (decrypted) {
207 wpa_debug_level = prev_level;
208 add_note(wt, MSG_DEBUG,
209 "Found PTK match from list of all known PTKs");
210 write_decrypted_note(wt, decrypted, ptk->ptk.tk,
211 ptk->ptk.tk_len, keyid);
212 return decrypted;
213 }
214 }
215 wpa_debug_level = prev_level;
216
217 return NULL;
218 }
219
220
check_plaintext_prot(struct wlantest * wt,const struct ieee80211_hdr * hdr,const u8 * data,size_t len)221 static void check_plaintext_prot(struct wlantest *wt,
222 const struct ieee80211_hdr *hdr,
223 const u8 *data, size_t len)
224 {
225 if (len < 8 + 3 || data[8] != 0xaa || data[9] != 0xaa ||
226 data[10] != 0x03)
227 return;
228
229 add_note(wt, MSG_DEBUG,
230 "Plaintext payload in protected frame");
231 wpa_printf(MSG_INFO, "Plaintext payload in protected frame #%u: A2="
232 MACSTR " seq=%u",
233 wt->frame_num, MAC2STR(hdr->addr2),
234 WLAN_GET_SEQ_SEQ(le_to_host16(hdr->seq_ctrl)));
235 }
236
237
rx_data_bss_prot_group(struct wlantest * wt,const struct ieee80211_hdr * hdr,size_t hdrlen,const u8 * qos,const u8 * dst,const u8 * src,const u8 * data,size_t len)238 static void rx_data_bss_prot_group(struct wlantest *wt,
239 const struct ieee80211_hdr *hdr,
240 size_t hdrlen,
241 const u8 *qos, const u8 *dst, const u8 *src,
242 const u8 *data, size_t len)
243 {
244 struct wlantest_bss *bss;
245 int keyid;
246 u8 *decrypted = NULL;
247 size_t dlen;
248 u8 pn[6];
249 int replay = 0;
250
251 bss = bss_get(wt, hdr->addr2);
252 if (bss == NULL)
253 return;
254 if (len < 4) {
255 add_note(wt, MSG_INFO, "Too short group addressed data frame");
256 return;
257 }
258
259 if (bss->group_cipher & (WPA_CIPHER_TKIP | WPA_CIPHER_CCMP) &&
260 !(data[3] & 0x20)) {
261 add_note(wt, MSG_INFO, "Expected TKIP/CCMP frame from "
262 MACSTR " did not have ExtIV bit set to 1",
263 MAC2STR(bss->bssid));
264 return;
265 }
266
267 if (bss->group_cipher == WPA_CIPHER_TKIP) {
268 if (data[3] & 0x1f) {
269 add_note(wt, MSG_INFO, "TKIP frame from " MACSTR
270 " used non-zero reserved bit",
271 MAC2STR(bss->bssid));
272 }
273 if (data[1] != ((data[0] | 0x20) & 0x7f)) {
274 add_note(wt, MSG_INFO, "TKIP frame from " MACSTR
275 " used incorrect WEPSeed[1] (was 0x%x, "
276 "expected 0x%x)",
277 MAC2STR(bss->bssid), data[1],
278 (data[0] | 0x20) & 0x7f);
279 }
280 } else if (bss->group_cipher == WPA_CIPHER_CCMP) {
281 if (data[2] != 0 || (data[3] & 0x1f) != 0) {
282 add_note(wt, MSG_INFO, "CCMP frame from " MACSTR
283 " used non-zero reserved bit",
284 MAC2STR(bss->bssid));
285 }
286 }
287
288 check_plaintext_prot(wt, hdr, data, len);
289 keyid = data[3] >> 6;
290 if (bss->gtk_len[keyid] == 0 &&
291 (bss->group_cipher != WPA_CIPHER_WEP40 ||
292 dl_list_empty(&wt->wep))) {
293 decrypted = try_all_ptk(wt, bss->group_cipher, hdr, NULL, NULL,
294 NULL, keyid, data, len, &dlen);
295 if (decrypted)
296 goto process;
297 add_note(wt, MSG_MSGDUMP,
298 "No GTK known to decrypt the frame (A2=" MACSTR
299 " KeyID=%d)",
300 MAC2STR(hdr->addr2), keyid);
301 return;
302 }
303
304 if (bss->group_cipher == WPA_CIPHER_TKIP)
305 tkip_get_pn(pn, data);
306 else if (bss->group_cipher == WPA_CIPHER_WEP40)
307 goto skip_replay_det;
308 else
309 ccmp_get_pn(pn, data);
310 if (os_memcmp(pn, bss->rsc[keyid], 6) <= 0) {
311 u16 seq_ctrl = le_to_host16(hdr->seq_ctrl);
312 char pn_hex[6 * 2 + 1], rsc_hex[6 * 2 + 1];
313
314 wpa_snprintf_hex(pn_hex, sizeof(pn_hex), pn, 6);
315 wpa_snprintf_hex(rsc_hex, sizeof(rsc_hex), bss->rsc[keyid], 6);
316 add_note(wt, MSG_INFO, "replay detected: A1=" MACSTR
317 " A2=" MACSTR " A3=" MACSTR
318 " seq=%u frag=%u%s keyid=%d #%u %s<=%s",
319 MAC2STR(hdr->addr1), MAC2STR(hdr->addr2),
320 MAC2STR(hdr->addr3),
321 WLAN_GET_SEQ_SEQ(seq_ctrl),
322 WLAN_GET_SEQ_FRAG(seq_ctrl),
323 (le_to_host16(hdr->frame_control) & WLAN_FC_RETRY) ?
324 " Retry" : "",
325 keyid, wt->frame_num, pn_hex, rsc_hex);
326 replay = 1;
327 }
328
329 skip_replay_det:
330 if (bss->group_cipher == WPA_CIPHER_TKIP) {
331 enum michael_mic_result mic_res;
332
333 decrypted = tkip_decrypt(bss->gtk[keyid], hdr, data, len,
334 &dlen, &mic_res, &wt->tkip_frag);
335 if (decrypted && mic_res == MICHAEL_MIC_INCORRECT)
336 add_note(wt, MSG_INFO, "Invalid Michael MIC");
337 else if (decrypted && mic_res == MICHAEL_MIC_NOT_VERIFIED)
338 add_note(wt, MSG_DEBUG, "Michael MIC not verified");
339 } else if (bss->group_cipher == WPA_CIPHER_WEP40) {
340 decrypted = wep_decrypt(wt, hdr, data, len, &dlen);
341 } else if (bss->group_cipher == WPA_CIPHER_CCMP) {
342 decrypted = ccmp_decrypt(bss->gtk[keyid], hdr, NULL, NULL, NULL,
343 data, len, &dlen);
344 } else if (bss->group_cipher == WPA_CIPHER_CCMP_256) {
345 decrypted = ccmp_256_decrypt(bss->gtk[keyid], hdr,
346 NULL, NULL, NULL,
347 data, len, &dlen);
348 } else if (bss->group_cipher == WPA_CIPHER_GCMP ||
349 bss->group_cipher == WPA_CIPHER_GCMP_256) {
350 decrypted = gcmp_decrypt(bss->gtk[keyid], bss->gtk_len[keyid],
351 hdr, NULL, NULL, NULL,
352 data, len, &dlen);
353 }
354
355 if (decrypted) {
356 char gtk[65];
357
358 wpa_snprintf_hex(gtk, sizeof(gtk), bss->gtk[keyid],
359 bss->gtk_len[keyid]);
360 add_note(wt, MSG_EXCESSIVE, "GTK[%d] %s", keyid, gtk);
361 process:
362 rx_data_process(wt, bss, bss->bssid, NULL, dst, src, decrypted,
363 dlen, 1, NULL, qos);
364 if (!replay)
365 os_memcpy(bss->rsc[keyid], pn, 6);
366 write_pcap_decrypted(wt, (const u8 *) hdr, hdrlen,
367 decrypted, dlen);
368 } else {
369 wpa_printf(MSG_DEBUG, "Failed to decrypt frame (group) #%u A2="
370 MACSTR " seq=%u",
371 wt->frame_num, MAC2STR(hdr->addr2),
372 WLAN_GET_SEQ_SEQ(le_to_host16(hdr->seq_ctrl)));
373 add_note(wt, MSG_DEBUG, "Failed to decrypt frame (group)");
374 }
375 os_free(decrypted);
376 }
377
378
try_ptk_decrypt(struct wlantest * wt,struct wlantest_sta * sta,const struct ieee80211_hdr * hdr,const u8 * a1,const u8 * a2,const u8 * a3,int keyid,const u8 * data,size_t len,const u8 * tk,size_t tk_len,size_t * dlen)379 static u8 * try_ptk_decrypt(struct wlantest *wt, struct wlantest_sta *sta,
380 const struct ieee80211_hdr *hdr,
381 const u8 *a1, const u8 *a2, const u8 *a3,
382 int keyid,
383 const u8 *data, size_t len,
384 const u8 *tk, size_t tk_len, size_t *dlen)
385 {
386 u8 *decrypted = NULL;
387
388 if (sta->pairwise_cipher == WPA_CIPHER_CCMP_256)
389 decrypted = ccmp_256_decrypt(tk, hdr, a1, a2, a3,
390 data, len, dlen);
391 else if (sta->pairwise_cipher == WPA_CIPHER_GCMP ||
392 sta->pairwise_cipher == WPA_CIPHER_GCMP_256)
393 decrypted = gcmp_decrypt(tk, tk_len, hdr, a1, a2, a3,
394 data, len, dlen);
395 else
396 decrypted = ccmp_decrypt(tk, hdr, a1, a2, a3, data, len, dlen);
397 write_decrypted_note(wt, decrypted, tk, tk_len, keyid);
398
399 return decrypted;
400 }
401
402
rx_data_bss_prot(struct wlantest * wt,const struct ieee80211_hdr * hdr,size_t hdrlen,const u8 * qos,const u8 * dst,const u8 * src,const u8 * data,size_t len)403 static void rx_data_bss_prot(struct wlantest *wt,
404 const struct ieee80211_hdr *hdr, size_t hdrlen,
405 const u8 *qos, const u8 *dst, const u8 *src,
406 const u8 *data, size_t len)
407 {
408 struct wlantest_bss *bss, *bss2;
409 struct wlantest_sta *sta, *sta2;
410 int keyid;
411 u16 fc = le_to_host16(hdr->frame_control);
412 u8 *decrypted = NULL;
413 size_t dlen;
414 int tid;
415 u8 pn[6], *rsc = NULL;
416 struct wlantest_tdls *tdls = NULL, *found;
417 const u8 *tk = NULL;
418 int ptk_iter_done = 0;
419 int try_ptk_iter = 0;
420 int replay = 0;
421 int only_zero_tk = 0;
422 u16 seq_ctrl = le_to_host16(hdr->seq_ctrl);
423 const u8 *a1 = NULL, *a2 = NULL, *a3 = NULL;
424 enum { NO, YES, UNKNOWN } a1_is_sta = UNKNOWN;
425
426 if (hdr->addr1[0] & 0x01) {
427 rx_data_bss_prot_group(wt, hdr, hdrlen, qos, dst, src,
428 data, len);
429 return;
430 }
431
432 if ((fc & (WLAN_FC_TODS | WLAN_FC_FROMDS)) ==
433 (WLAN_FC_TODS | WLAN_FC_FROMDS)) {
434 bss = bss_find(wt, hdr->addr1);
435 if (bss) {
436 sta = sta_find_mlo(wt, bss, hdr->addr2);
437 if (sta) {
438 a1_is_sta = NO;
439 sta->counters[
440 WLANTEST_STA_COUNTER_PROT_DATA_TX]++;
441 }
442 if (!sta || !sta->ptk_set) {
443 bss2 = bss_find(wt, hdr->addr2);
444 if (bss2) {
445 sta2 = sta_find_mlo(wt, bss2,
446 hdr->addr1);
447 if (sta2 && (!sta || sta2->ptk_set)) {
448 a1_is_sta = YES;
449 bss = bss2;
450 sta = sta2;
451 }
452 }
453 }
454 } else {
455 bss = bss_find(wt, hdr->addr2);
456 if (!bss)
457 return;
458 sta = sta_find_mlo(wt, bss, hdr->addr1);
459 if (sta)
460 a1_is_sta = YES;
461 }
462 } else if (fc & WLAN_FC_TODS) {
463 bss = bss_get(wt, hdr->addr1);
464 if (bss == NULL)
465 return;
466 sta = sta_find_mlo(wt, bss, hdr->addr2);
467 if (!sta)
468 sta = sta_get(bss, hdr->addr2);
469 if (sta)
470 sta->counters[WLANTEST_STA_COUNTER_PROT_DATA_TX]++;
471 a1_is_sta = NO;
472 } else if (fc & WLAN_FC_FROMDS) {
473 bss = bss_get(wt, hdr->addr2);
474 if (bss == NULL)
475 return;
476 sta = sta_find_mlo(wt, bss, hdr->addr1);
477 if (!sta)
478 sta = sta_get(bss, hdr->addr1);
479 if (sta)
480 a1_is_sta = YES;
481 } else {
482 bss = bss_get(wt, hdr->addr3);
483 if (bss == NULL)
484 return;
485 sta = sta_find(bss, hdr->addr2);
486 sta2 = sta_find(bss, hdr->addr1);
487 if (sta == NULL || sta2 == NULL)
488 return;
489 found = NULL;
490 dl_list_for_each(tdls, &bss->tdls, struct wlantest_tdls, list)
491 {
492 if ((tdls->init == sta && tdls->resp == sta2) ||
493 (tdls->init == sta2 && tdls->resp == sta)) {
494 found = tdls;
495 if (tdls->link_up)
496 break;
497 }
498 }
499 if (found) {
500 if (!found->link_up)
501 add_note(wt, MSG_DEBUG,
502 "TDLS: Link not up, but Data "
503 "frame seen");
504 tk = found->tpk.tk;
505 tdls = found;
506 }
507 }
508 check_plaintext_prot(wt, hdr, data, len);
509 if ((sta == NULL ||
510 (!sta->ptk_set && sta->pairwise_cipher != WPA_CIPHER_WEP40)) &&
511 tk == NULL) {
512 add_note(wt, MSG_MSGDUMP, "No PTK known to decrypt the frame");
513 if (dl_list_empty(&wt->ptk)) {
514 if (len >= 4 && sta) {
515 keyid = data[3] >> 6;
516 only_zero_tk = 1;
517 goto check_zero_tk;
518 }
519 return;
520 }
521
522 try_ptk_iter = 1;
523 }
524
525 if (len < 4) {
526 add_note(wt, MSG_INFO, "Too short encrypted data frame");
527 return;
528 }
529
530 if (sta == NULL)
531 return;
532 if (sta->pairwise_cipher & (WPA_CIPHER_TKIP | WPA_CIPHER_CCMP |
533 WPA_CIPHER_GCMP | WPA_CIPHER_GCMP_256 |
534 WPA_CIPHER_CCMP_256) &&
535 !(data[3] & 0x20)) {
536 add_note(wt, MSG_INFO, "Expected TKIP/CCMP/GCMP frame from "
537 MACSTR " did not have ExtIV bit set to 1",
538 MAC2STR(src));
539 return;
540 }
541
542 if (tk == NULL && sta->pairwise_cipher == WPA_CIPHER_TKIP) {
543 if (data[3] & 0x1f) {
544 add_note(wt, MSG_INFO, "TKIP frame from " MACSTR
545 " used non-zero reserved bit",
546 MAC2STR(hdr->addr2));
547 }
548 if (data[1] != ((data[0] | 0x20) & 0x7f)) {
549 add_note(wt, MSG_INFO, "TKIP frame from " MACSTR
550 " used incorrect WEPSeed[1] (was 0x%x, "
551 "expected 0x%x)",
552 MAC2STR(hdr->addr2), data[1],
553 (data[0] | 0x20) & 0x7f);
554 }
555 } else if (tk || sta->pairwise_cipher == WPA_CIPHER_CCMP ||
556 sta->pairwise_cipher == WPA_CIPHER_GCMP ||
557 sta->pairwise_cipher == WPA_CIPHER_GCMP_256 ||
558 sta->pairwise_cipher == WPA_CIPHER_CCMP_256) {
559 if (data[2] != 0 || (data[3] & 0x1f) != 0) {
560 add_note(wt, MSG_INFO, "CCMP/GCMP frame from " MACSTR
561 " used non-zero reserved bit",
562 MAC2STR(hdr->addr2));
563 }
564 }
565
566 keyid = data[3] >> 6;
567 if (keyid != 0 &&
568 (!(sta->rsn_capab & WPA_CAPABILITY_EXT_KEY_ID_FOR_UNICAST) ||
569 !(bss->rsn_capab & WPA_CAPABILITY_EXT_KEY_ID_FOR_UNICAST) ||
570 keyid != 1)) {
571 add_note(wt, MSG_INFO,
572 "Unexpected KeyID %d in individually addressed Data frame from "
573 MACSTR,
574 keyid, MAC2STR(hdr->addr2));
575 }
576
577 if (qos) {
578 tid = qos[0] & 0x0f;
579 if (a1_is_sta == NO)
580 sta->tx_tid[tid]++;
581 else
582 sta->rx_tid[tid]++;
583 } else {
584 tid = 0;
585 if (a1_is_sta == NO)
586 sta->tx_tid[16]++;
587 else
588 sta->rx_tid[16]++;
589 }
590 if (tk) {
591 if (ether_addr_equal(hdr->addr2, tdls->init->addr))
592 rsc = tdls->rsc_init[tid];
593 else
594 rsc = tdls->rsc_resp[tid];
595 } else if ((fc & (WLAN_FC_TODS | WLAN_FC_FROMDS)) ==
596 (WLAN_FC_TODS | WLAN_FC_FROMDS)) {
597 if (a1_is_sta == NO)
598 rsc = sta->rsc_tods[tid];
599 else
600 rsc = sta->rsc_fromds[tid];
601 } else if (a1_is_sta == NO)
602 rsc = sta->rsc_tods[tid];
603 else
604 rsc = sta->rsc_fromds[tid];
605
606
607 if (tk == NULL && sta->pairwise_cipher == WPA_CIPHER_TKIP)
608 tkip_get_pn(pn, data);
609 else if (sta->pairwise_cipher == WPA_CIPHER_WEP40)
610 goto skip_replay_det;
611 else
612 ccmp_get_pn(pn, data);
613 if (os_memcmp(pn, rsc, 6) <= 0) {
614 char pn_hex[6 * 2 + 1], rsc_hex[6 * 2 + 1];
615
616 wpa_snprintf_hex(pn_hex, sizeof(pn_hex), pn, 6);
617 wpa_snprintf_hex(rsc_hex, sizeof(rsc_hex), rsc, 6);
618 add_note(wt, MSG_INFO, "replay detected: A1=" MACSTR
619 " A2=" MACSTR " A3=" MACSTR
620 " seq=%u frag=%u%s keyid=%d tid=%d #%u %s<=%s",
621 MAC2STR(hdr->addr1), MAC2STR(hdr->addr2),
622 MAC2STR(hdr->addr3),
623 WLAN_GET_SEQ_SEQ(seq_ctrl),
624 WLAN_GET_SEQ_FRAG(seq_ctrl),
625 (le_to_host16(hdr->frame_control) & WLAN_FC_RETRY) ?
626 " Retry" : "",
627 keyid, tid, wt->frame_num, pn_hex, rsc_hex);
628 replay = 1;
629 }
630
631 skip_replay_det:
632 if ((fc & (WLAN_FC_TODS | WLAN_FC_FROMDS)) &&
633 !is_zero_ether_addr(sta->mld_mac_addr) &&
634 !is_zero_ether_addr(bss->mld_mac_addr) &&
635 a1_is_sta != UNKNOWN) {
636 if (a1_is_sta == YES) {
637 a1 = sta->mld_mac_addr;
638 a2 = bss->mld_mac_addr;
639 } else {
640 a1 = bss->mld_mac_addr;
641 a2 = sta->mld_mac_addr;
642 }
643
644 if (ether_addr_equal(hdr->addr3, bss->bssid))
645 a3 = bss->mld_mac_addr;
646 }
647
648 if (tk) {
649 if (sta->pairwise_cipher == WPA_CIPHER_CCMP_256) {
650 decrypted = ccmp_256_decrypt(tk, hdr, a1, a2, a3,
651 data, len, &dlen);
652 write_decrypted_note(wt, decrypted, tk, 32, keyid);
653 } else if (sta->pairwise_cipher == WPA_CIPHER_GCMP ||
654 sta->pairwise_cipher == WPA_CIPHER_GCMP_256) {
655 decrypted = gcmp_decrypt(tk, sta->ptk.tk_len, hdr,
656 a1, a2, a3, data, len, &dlen);
657 write_decrypted_note(wt, decrypted, tk, sta->ptk.tk_len,
658 keyid);
659 } else {
660 decrypted = ccmp_decrypt(tk, hdr, a1, a2, a3, data, len,
661 &dlen);
662 write_decrypted_note(wt, decrypted, tk, 16, keyid);
663 }
664 } else if (sta->pairwise_cipher == WPA_CIPHER_TKIP) {
665 enum michael_mic_result mic_res;
666
667 decrypted = tkip_decrypt(sta->ptk.tk, hdr, data, len, &dlen,
668 &mic_res, &wt->tkip_frag);
669 if (decrypted && mic_res == MICHAEL_MIC_INCORRECT)
670 add_note(wt, MSG_INFO, "Invalid Michael MIC");
671 else if (decrypted && mic_res == MICHAEL_MIC_NOT_VERIFIED)
672 add_note(wt, MSG_DEBUG, "Michael MIC not verified");
673 write_decrypted_note(wt, decrypted, sta->ptk.tk, 32, keyid);
674 } else if (sta->pairwise_cipher == WPA_CIPHER_WEP40) {
675 decrypted = wep_decrypt(wt, hdr, data, len, &dlen);
676 } else if (sta->ptk_set) {
677 decrypted = try_ptk_decrypt(wt, sta, hdr, a1, a2, a3,
678 keyid, data, len,
679 sta->ptk.tk, sta->ptk.tk_len,
680 &dlen);
681 } else {
682 decrypted = try_all_ptk(wt, sta->pairwise_cipher, hdr,
683 a1, a2, a3,
684 keyid, data, len, &dlen);
685 ptk_iter_done = 1;
686 }
687 if (!decrypted && !ptk_iter_done) {
688 decrypted = try_all_ptk(wt, sta->pairwise_cipher, hdr,
689 a1, a2, a3,
690 keyid, data, len, &dlen);
691 if (decrypted) {
692 add_note(wt, MSG_DEBUG, "Current PTK did not work, but found a match from all known PTKs");
693 }
694 }
695 check_zero_tk:
696 if (!decrypted) {
697 struct wpa_ptk zero_ptk;
698 int old_debug_level = wpa_debug_level;
699
700 os_memset(&zero_ptk, 0, sizeof(zero_ptk));
701 zero_ptk.tk_len = wpa_cipher_key_len(sta->pairwise_cipher);
702 wpa_debug_level = MSG_ERROR;
703 decrypted = try_ptk(wt, sta->pairwise_cipher, &zero_ptk, hdr,
704 a1, a2, a3, data, len, &dlen);
705 wpa_debug_level = old_debug_level;
706 if (decrypted) {
707 add_note(wt, MSG_DEBUG,
708 "Frame was encrypted with zero TK");
709 wpa_printf(MSG_INFO, "Zero TK used in frame #%u: A2="
710 MACSTR " seq=%u",
711 wt->frame_num, MAC2STR(hdr->addr2),
712 WLAN_GET_SEQ_SEQ(
713 le_to_host16(hdr->seq_ctrl)));
714 write_decrypted_note(wt, decrypted, zero_ptk.tk,
715 zero_ptk.tk_len, keyid);
716 }
717 }
718 if (decrypted) {
719 u16 fc = le_to_host16(hdr->frame_control);
720 const u8 *peer_addr = NULL;
721 if (!(fc & (WLAN_FC_FROMDS | WLAN_FC_TODS)))
722 peer_addr = hdr->addr1;
723 if (!replay && rsc)
724 os_memcpy(rsc, pn, 6);
725 rx_data_process(wt, bss, bss->bssid, sta->addr, dst, src,
726 decrypted, dlen, 1, peer_addr, qos);
727 write_pcap_decrypted(wt, (const u8 *) hdr, hdrlen,
728 decrypted, dlen);
729 } else if (sta->tptk_set) {
730 /* Check whether TPTK has a matching TK that could be used to
731 * decrypt the frame. That could happen if EAPOL-Key msg 4/4
732 * was missing in the capture and this was PTK rekeying. */
733 decrypted = try_ptk_decrypt(wt, sta, hdr, a1, a2, a3,
734 keyid, data, len,
735 sta->tptk.tk, sta->tptk.tk_len,
736 &dlen);
737 if (decrypted) {
738 add_note(wt, MSG_DEBUG,
739 "Update PTK (rekeying; no valid EAPOL-Key msg 4/4 seen)");
740 os_memcpy(&sta->ptk, &sta->tptk, sizeof(sta->ptk));
741 sta->ptk_set = 1;
742 sta->tptk_set = 0;
743 os_memset(sta->rsc_tods, 0, sizeof(sta->rsc_tods));
744 os_memset(sta->rsc_fromds, 0, sizeof(sta->rsc_fromds));
745 }
746 } else {
747 if (!try_ptk_iter && !only_zero_tk) {
748 wpa_printf(MSG_DEBUG,
749 "Failed to decrypt frame #%u A2=" MACSTR
750 " seq=%u",
751 wt->frame_num, MAC2STR(hdr->addr2),
752 WLAN_GET_SEQ_SEQ(seq_ctrl));
753 add_note(wt, MSG_DEBUG, "Failed to decrypt frame");
754 }
755
756 /* Assume the frame was corrupted and there was no FCS to check.
757 * Allow retry of this particular frame to be processed so that
758 * it could end up getting decrypted if it was received without
759 * corruption. */
760 sta->allow_duplicate = 1;
761 }
762 os_free(decrypted);
763 }
764
765
rx_data_bss(struct wlantest * wt,const struct ieee80211_hdr * hdr,size_t hdrlen,const u8 * qos,const u8 * dst,const u8 * src,const u8 * data,size_t len)766 static void rx_data_bss(struct wlantest *wt, const struct ieee80211_hdr *hdr,
767 size_t hdrlen, const u8 *qos, const u8 *dst,
768 const u8 *src, const u8 *data, size_t len)
769 {
770 u16 fc = le_to_host16(hdr->frame_control);
771 int prot = !!(fc & WLAN_FC_ISWEP);
772
773 if (qos) {
774 u8 ack = (qos[0] & 0x60) >> 5;
775 wpa_printf(MSG_MSGDUMP, "BSS DATA: " MACSTR " -> " MACSTR
776 " len=%u%s tid=%u%s%s%s%s",
777 MAC2STR(src), MAC2STR(dst), (unsigned int) len,
778 prot ? " Prot" : "", qos[0] & 0x0f,
779 (fc & WLAN_FC_TODS) ? " ToDS" : "",
780 (fc & WLAN_FC_FROMDS) ? " FromDS" : "",
781 (qos[0] & 0x10) ? " EOSP" : "",
782 ack == 0 ? "" :
783 (ack == 1 ? " NoAck" :
784 (ack == 2 ? " NoExpAck" : " BA")));
785 } else {
786 wpa_printf(MSG_MSGDUMP, "BSS DATA: " MACSTR " -> " MACSTR
787 " len=%u%s%s%s",
788 MAC2STR(src), MAC2STR(dst), (unsigned int) len,
789 prot ? " Prot" : "",
790 (fc & WLAN_FC_TODS) ? " ToDS" : "",
791 (fc & WLAN_FC_FROMDS) ? " FromDS" : "");
792 }
793
794 if (prot)
795 rx_data_bss_prot(wt, hdr, hdrlen, qos, dst, src, data, len);
796 else {
797 const u8 *bssid, *sta_addr, *peer_addr;
798 struct wlantest_bss *bss;
799
800 if (fc & WLAN_FC_TODS) {
801 bssid = hdr->addr1;
802 sta_addr = hdr->addr2;
803 peer_addr = NULL;
804 } else if (fc & WLAN_FC_FROMDS) {
805 bssid = hdr->addr2;
806 sta_addr = hdr->addr1;
807 peer_addr = NULL;
808 } else {
809 bssid = hdr->addr3;
810 sta_addr = hdr->addr2;
811 peer_addr = hdr->addr1;
812 }
813
814 bss = bss_get(wt, bssid);
815 if (bss) {
816 struct wlantest_sta *sta;
817
818 sta = sta_find_mlo(wt, bss, sta_addr);
819 if (!sta)
820 sta = sta_get(bss, sta_addr);
821
822 if (sta) {
823 if (qos) {
824 int tid = qos[0] & 0x0f;
825 if (fc & WLAN_FC_TODS)
826 sta->tx_tid[tid]++;
827 else
828 sta->rx_tid[tid]++;
829 } else {
830 if (fc & WLAN_FC_TODS)
831 sta->tx_tid[16]++;
832 else
833 sta->rx_tid[16]++;
834 }
835 }
836 }
837
838 rx_data_process(wt, bss, bssid, sta_addr, dst, src, data, len,
839 0, peer_addr, qos);
840 }
841 }
842
843
get_tdls(struct wlantest * wt,const u8 * bssid,const u8 * sta1_addr,const u8 * sta2_addr)844 static struct wlantest_tdls * get_tdls(struct wlantest *wt, const u8 *bssid,
845 const u8 *sta1_addr,
846 const u8 *sta2_addr)
847 {
848 struct wlantest_bss *bss;
849 struct wlantest_sta *sta1, *sta2;
850 struct wlantest_tdls *tdls, *found = NULL;
851
852 bss = bss_find(wt, bssid);
853 if (bss == NULL)
854 return NULL;
855 sta1 = sta_find(bss, sta1_addr);
856 if (sta1 == NULL)
857 return NULL;
858 sta2 = sta_find(bss, sta2_addr);
859 if (sta2 == NULL)
860 return NULL;
861
862 dl_list_for_each(tdls, &bss->tdls, struct wlantest_tdls, list) {
863 if ((tdls->init == sta1 && tdls->resp == sta2) ||
864 (tdls->init == sta2 && tdls->resp == sta1)) {
865 found = tdls;
866 if (tdls->link_up)
867 break;
868 }
869 }
870
871 return found;
872 }
873
874
add_direct_link(struct wlantest * wt,const u8 * bssid,const u8 * sta1_addr,const u8 * sta2_addr)875 static void add_direct_link(struct wlantest *wt, const u8 *bssid,
876 const u8 *sta1_addr, const u8 *sta2_addr)
877 {
878 struct wlantest_tdls *tdls;
879
880 tdls = get_tdls(wt, bssid, sta1_addr, sta2_addr);
881 if (tdls == NULL)
882 return;
883
884 if (tdls->link_up)
885 tdls->counters[WLANTEST_TDLS_COUNTER_VALID_DIRECT_LINK]++;
886 else
887 tdls->counters[WLANTEST_TDLS_COUNTER_INVALID_DIRECT_LINK]++;
888 }
889
890
add_ap_path(struct wlantest * wt,const u8 * bssid,const u8 * sta1_addr,const u8 * sta2_addr)891 static void add_ap_path(struct wlantest *wt, const u8 *bssid,
892 const u8 *sta1_addr, const u8 *sta2_addr)
893 {
894 struct wlantest_tdls *tdls;
895
896 tdls = get_tdls(wt, bssid, sta1_addr, sta2_addr);
897 if (tdls == NULL)
898 return;
899
900 if (tdls->link_up)
901 tdls->counters[WLANTEST_TDLS_COUNTER_INVALID_AP_PATH]++;
902 else
903 tdls->counters[WLANTEST_TDLS_COUNTER_VALID_AP_PATH]++;
904 }
905
906
rx_data(struct wlantest * wt,const u8 * data,size_t len)907 void rx_data(struct wlantest *wt, const u8 *data, size_t len)
908 {
909 const struct ieee80211_hdr *hdr;
910 u16 fc, stype;
911 size_t hdrlen;
912 const u8 *qos = NULL;
913
914 if (len < 24)
915 return;
916
917 hdr = (const struct ieee80211_hdr *) data;
918 fc = le_to_host16(hdr->frame_control);
919 stype = WLAN_FC_GET_STYPE(fc);
920 hdrlen = 24;
921 if ((fc & (WLAN_FC_TODS | WLAN_FC_FROMDS)) ==
922 (WLAN_FC_TODS | WLAN_FC_FROMDS))
923 hdrlen += ETH_ALEN;
924 if (stype & 0x08) {
925 qos = data + hdrlen;
926 hdrlen += 2;
927 }
928 if ((fc & WLAN_FC_HTC) && (stype & 0x08))
929 hdrlen += 4; /* HT Control field */
930 if (len < hdrlen)
931 return;
932 wt->rx_data++;
933
934 switch (fc & (WLAN_FC_TODS | WLAN_FC_FROMDS)) {
935 case 0:
936 wpa_printf(MSG_EXCESSIVE, "DATA %s%s%s IBSS DA=" MACSTR " SA="
937 MACSTR " BSSID=" MACSTR,
938 data_stype(WLAN_FC_GET_STYPE(fc)),
939 fc & WLAN_FC_PWRMGT ? " PwrMgt" : "",
940 fc & WLAN_FC_ISWEP ? " Prot" : "",
941 MAC2STR(hdr->addr1), MAC2STR(hdr->addr2),
942 MAC2STR(hdr->addr3));
943 add_direct_link(wt, hdr->addr3, hdr->addr1, hdr->addr2);
944 rx_data_bss(wt, hdr, hdrlen, qos, hdr->addr1, hdr->addr2,
945 data + hdrlen, len - hdrlen);
946 break;
947 case WLAN_FC_FROMDS:
948 wpa_printf(MSG_EXCESSIVE, "DATA %s%s%s FromDS DA=" MACSTR
949 " BSSID=" MACSTR " SA=" MACSTR,
950 data_stype(WLAN_FC_GET_STYPE(fc)),
951 fc & WLAN_FC_PWRMGT ? " PwrMgt" : "",
952 fc & WLAN_FC_ISWEP ? " Prot" : "",
953 MAC2STR(hdr->addr1), MAC2STR(hdr->addr2),
954 MAC2STR(hdr->addr3));
955 add_ap_path(wt, hdr->addr2, hdr->addr1, hdr->addr3);
956 rx_data_bss(wt, hdr, hdrlen, qos, hdr->addr1, hdr->addr3,
957 data + hdrlen, len - hdrlen);
958 break;
959 case WLAN_FC_TODS:
960 wpa_printf(MSG_EXCESSIVE, "DATA %s%s%s ToDS BSSID=" MACSTR
961 " SA=" MACSTR " DA=" MACSTR,
962 data_stype(WLAN_FC_GET_STYPE(fc)),
963 fc & WLAN_FC_PWRMGT ? " PwrMgt" : "",
964 fc & WLAN_FC_ISWEP ? " Prot" : "",
965 MAC2STR(hdr->addr1), MAC2STR(hdr->addr2),
966 MAC2STR(hdr->addr3));
967 add_ap_path(wt, hdr->addr1, hdr->addr3, hdr->addr2);
968 rx_data_bss(wt, hdr, hdrlen, qos, hdr->addr3, hdr->addr2,
969 data + hdrlen, len - hdrlen);
970 break;
971 case WLAN_FC_TODS | WLAN_FC_FROMDS:
972 wpa_printf(MSG_EXCESSIVE, "DATA %s%s%s WDS RA=" MACSTR " TA="
973 MACSTR " DA=" MACSTR " SA=" MACSTR,
974 data_stype(WLAN_FC_GET_STYPE(fc)),
975 fc & WLAN_FC_PWRMGT ? " PwrMgt" : "",
976 fc & WLAN_FC_ISWEP ? " Prot" : "",
977 MAC2STR(hdr->addr1), MAC2STR(hdr->addr2),
978 MAC2STR(hdr->addr3),
979 MAC2STR((const u8 *) (hdr + 1)));
980 rx_data_bss(wt, hdr, hdrlen, qos, hdr->addr1, hdr->addr2,
981 data + hdrlen, len - hdrlen);
982 break;
983 }
984 }
985