2 * Received Data frame processing
3 * Copyright (c) 2010, Jouni Malinen <j@w1.fi>
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License version 2 as
7 * published by the Free Software Foundation.
9 * Alternatively, this software may be distributed under the terms of BSD
12 * See README and COPYING for more details.
15 #include "utils/includes.h"
17 #include "utils/common.h"
18 #include "crypto/aes_wrap.h"
19 #include "crypto/crypto.h"
20 #include "common/defs.h"
21 #include "common/ieee802_11_defs.h"
22 #include "common/eapol_common.h"
23 #include "common/wpa_common.h"
24 #include "rsn_supp/wpa_ie.h"
/**
 * is_zero - Check whether a buffer holds only zero octets
 * @buf: Buffer to inspect
 * @len: Number of octets to inspect
 * Returns: 1 if every one of the @len octets is zero (also when @len is 0),
 * 0 as soon as a non-zero octet is found
 */
static int is_zero(const u8 *buf, size_t len)
{
	const u8 *end = buf + len;

	while (buf < end) {
		if (*buf++ != 0)
			return 0;
	}

	return 1;
}
39 static const char * data_stype(u16 stype)
42 case WLAN_FC_STYPE_DATA:
44 case WLAN_FC_STYPE_DATA_CFACK:
46 case WLAN_FC_STYPE_DATA_CFPOLL:
48 case WLAN_FC_STYPE_DATA_CFACKPOLL:
49 return "DATA-CFACKPOLL";
50 case WLAN_FC_STYPE_NULLFUNC:
52 case WLAN_FC_STYPE_CFACK:
54 case WLAN_FC_STYPE_CFPOLL:
56 case WLAN_FC_STYPE_CFACKPOLL:
58 case WLAN_FC_STYPE_QOS_DATA:
60 case WLAN_FC_STYPE_QOS_DATA_CFACK:
61 return "QOSDATA-CFACK";
62 case WLAN_FC_STYPE_QOS_DATA_CFPOLL:
63 return "QOSDATA-CFPOLL";
64 case WLAN_FC_STYPE_QOS_DATA_CFACKPOLL:
65 return "QOSDATA-CFACKPOLL";
66 case WLAN_FC_STYPE_QOS_NULL:
68 case WLAN_FC_STYPE_QOS_CFPOLL:
70 case WLAN_FC_STYPE_QOS_CFACKPOLL:
71 return "QOS-CFACKPOLL";
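/**
 * check_mic - Verify the Key MIC of a captured EAPOL-Key frame
 * @kck: Key Confirmation Key used to calculate the MIC
 * @ver: Key Descriptor Version (Key Info masked with WPA_KEY_INFO_TYPE_MASK)
 * @data: Frame starting from the IEEE 802.1X header
 * @len: Length of @data in octets
 * Returns: 0 if the received MIC matches the calculated one, -1 on mismatch,
 * on too short input, or on allocation failure
 *
 * The MIC is calculated over a private copy of the frame in which the Key MIC
 * field has been cleared, so the caller's buffer is left untouched.
 */
static int check_mic(const u8 *kck, int ver, const u8 *data, size_t len)
{
	u8 *buf;
	int ret = -1;
	struct ieee802_1x_hdr *hdr;
	struct wpa_eapol_key *key;
	u8 rx_mic[16];

	/*
	 * key->key_mic is read from and cleared in the copy below, so the
	 * copy has to cover both fixed headers. Frame contents come from the
	 * air; reject short input here instead of relying on every caller to
	 * have done so, since a short @len would mean accesses beyond the
	 * allocation.
	 */
	if (len < sizeof(*hdr) + sizeof(*key))
		return -1;

	buf = os_malloc(len);
	if (buf == NULL)
		return -1;
	os_memcpy(buf, data, len);
	hdr = (struct ieee802_1x_hdr *) buf;
	key = (struct wpa_eapol_key *) (hdr + 1);

	/* Save the received MIC and zero the field before recalculating */
	os_memcpy(rx_mic, key->key_mic, 16);
	os_memset(key->key_mic, 0, 16);

	if (wpa_eapol_key_mic(kck, ver, buf, len, key->key_mic) == 0 &&
	    os_memcmp(rx_mic, key->key_mic, 16) == 0)
		ret = 0;

	os_free(buf);

	return ret;
}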
/**
 * rx_data_eapol_key_1_of_4 - Process EAPOL-Key message 1/4
 * @wt: wlantest context
 * @dst: Destination address (used as the station address)
 * @src: Source address (used as the BSSID)
 * @data: Frame starting from the IEEE 802.1X header
 * @len: Length of @data in octets (not used in this function)
 *
 * Logs unexpected field values (all-zero nonce, non-zero Key RSC) and stores
 * the Key Nonce as the ANonce of the station entry. Nothing is done if
 * bss_get() or sta_get() does not return an entry.
 *
 * NOTE(review): @len is not checked here; the EAPOL-Key header fields are read
 * on the assumption that the caller has verified the frame covers them.
 */
static void rx_data_eapol_key_1_of_4(struct wlantest *wt, const u8 *dst,
				     const u8 *src, const u8 *data, size_t len)
{
	struct wlantest_bss *ap;
	struct wlantest_sta *supp;
	const struct wpa_eapol_key *key;

	wpa_printf(MSG_DEBUG, "EAPOL-Key 1/4 " MACSTR " -> " MACSTR,
		   MAC2STR(src), MAC2STR(dst));

	ap = bss_get(wt, src);
	if (!ap)
		return;
	supp = sta_get(ap, dst);
	if (!supp)
		return;

	/* The EAPOL-Key header follows the IEEE 802.1X header directly */
	key = (const struct wpa_eapol_key *)
		((const struct ieee802_1x_hdr *) data + 1);

	if (is_zero(key->key_nonce, WPA_NONCE_LEN))
		wpa_printf(MSG_INFO, "EAPOL-Key 1/4 from " MACSTR
			   " used zero nonce", MAC2STR(src));

	if (!is_zero(key->key_rsc, 8))
		wpa_printf(MSG_INFO, "EAPOL-Key 1/4 from " MACSTR
			   " used non-zero Key RSC", MAC2STR(src));

	/* Remember the ANonce; it is an input to the PTK derivation */
	os_memcpy(supp->anonce, key->key_nonce, WPA_NONCE_LEN);
}
136 static int try_pmk(struct wlantest_bss *bss, struct wlantest_sta *sta,
137 u16 ver, const u8 *data, size_t len,
138 struct wlantest_pmk *pmk)
141 size_t ptk_len = sta->pairwise_cipher == WPA_CIPHER_TKIP ? 64 : 48;
142 wpa_pmk_to_ptk(pmk->pmk, sizeof(pmk->pmk),
143 "Pairwise key expansion",
144 bss->bssid, sta->addr, sta->anonce, sta->snonce,
145 (u8 *) &ptk, ptk_len,
146 wpa_key_mgmt_sha256(sta->key_mgmt));
147 if (check_mic(ptk.kck, ver, data, len) < 0)
150 wpa_printf(MSG_INFO, "Derived PTK for STA " MACSTR " BSSID " MACSTR,
151 MAC2STR(sta->addr), MAC2STR(bss->bssid));
152 sta->counters[WLANTEST_STA_COUNTER_PTK_LEARNED]++;
153 os_memcpy(&sta->ptk, &ptk, sizeof(ptk));
154 wpa_hexdump(MSG_DEBUG, "PTK:KCK", sta->ptk.kck, 16);
155 wpa_hexdump(MSG_DEBUG, "PTK:KEK", sta->ptk.kek, 16);
156 wpa_hexdump(MSG_DEBUG, "PTK:TK1", sta->ptk.tk1, 16);
158 wpa_hexdump(MSG_DEBUG, "PTK:TK2", sta->ptk.u.tk2, 16);
160 os_memset(sta->rsc_tods, 0, sizeof(sta->rsc_tods));
161 os_memset(sta->rsc_fromds, 0, sizeof(sta->rsc_fromds));
/**
 * derive_ptk - Try known PMKs until one yields a PTK matching the frame
 * @wt: wlantest context (holds a list of PMKs)
 * @bss: BSS entry (holds its own list of PMKs)
 * @sta: Station entry passed on to try_pmk()
 * @ver: Key Descriptor Version passed on to try_pmk()
 * @data: EAPOL-Key frame passed on to try_pmk()
 * @len: Length of @data in octets
 *
 * The PMK list of @bss is walked first, then the list in @wt. The search
 * stops at the first PMK for which try_pmk() returns 0.
 */
static void derive_ptk(struct wlantest *wt, struct wlantest_bss *bss,
		       struct wlantest_sta *sta, u16 ver,
		       const u8 *data, size_t len)
{
	struct dl_list *search[2];
	struct wlantest_pmk *cand;
	size_t i;

	search[0] = &bss->pmk; /* BSS-specific entries take precedence */
	search[1] = &wt->pmk;

	for (i = 0; i < sizeof(search) / sizeof(search[0]); i++) {
		dl_list_for_each(cand, search[i], struct wlantest_pmk, list) {
			if (try_pmk(bss, sta, ver, data, len, cand) == 0)
				return;
		}
	}
}
184 static void rx_data_eapol_key_2_of_4(struct wlantest *wt, const u8 *dst,
185 const u8 *src, const u8 *data, size_t len)
187 struct wlantest_bss *bss;
188 struct wlantest_sta *sta;
189 const struct ieee802_1x_hdr *eapol;
190 const struct wpa_eapol_key *hdr;
192 u16 key_info, key_data_len;
193 struct wpa_eapol_ie_parse ie;
195 wpa_printf(MSG_DEBUG, "EAPOL-Key 2/4 " MACSTR " -> " MACSTR,
196 MAC2STR(src), MAC2STR(dst));
197 bss = bss_get(wt, dst);
200 sta = sta_get(bss, src);
204 eapol = (const struct ieee802_1x_hdr *) data;
205 hdr = (const struct wpa_eapol_key *) (eapol + 1);
206 if (is_zero(hdr->key_nonce, WPA_NONCE_LEN)) {
207 wpa_printf(MSG_INFO, "EAPOL-Key 2/4 from " MACSTR " used "
208 "zero nonce", MAC2STR(src));
210 if (!is_zero(hdr->key_rsc, 8)) {
211 wpa_printf(MSG_INFO, "EAPOL-Key 2/4 from " MACSTR " used "
212 "non-zero Key RSC", MAC2STR(src));
214 os_memcpy(sta->snonce, hdr->key_nonce, WPA_NONCE_LEN);
215 key_info = WPA_GET_BE16(hdr->key_info);
216 key_data_len = WPA_GET_BE16(hdr->key_data_length);
217 derive_ptk(wt, bss, sta, key_info & WPA_KEY_INFO_TYPE_MASK, data, len);
220 wpa_printf(MSG_DEBUG, "No PTK known to process EAPOL-Key 2/4");
224 if (check_mic(sta->ptk.kck, key_info & WPA_KEY_INFO_TYPE_MASK,
226 wpa_printf(MSG_INFO, "Mismatch in EAPOL-Key 2/4 MIC");
229 wpa_printf(MSG_DEBUG, "Valid MIC found in EAPOL-Key 2/4");
231 key_data = (const u8 *) (hdr + 1);
233 if (wpa_supplicant_parse_ies(key_data, key_data_len, &ie) < 0) {
234 wpa_printf(MSG_INFO, "Failed to parse EAPOL-Key Key Data");
239 wpa_hexdump(MSG_MSGDUMP, "EAPOL-Key Key Data - WPA IE",
240 ie.wpa_ie, ie.wpa_ie_len);
241 if (os_memcmp(ie.wpa_ie, sta->rsnie, ie.wpa_ie_len) != 0) {
242 wpa_printf(MSG_INFO, "Mismatch in WPA IE between "
243 "EAPOL-Key 2/4 and (Re)Association "
244 "Request from " MACSTR, MAC2STR(sta->addr));
245 wpa_hexdump(MSG_INFO, "WPA IE in EAPOL-Key",
246 ie.wpa_ie, ie.wpa_ie_len);
247 wpa_hexdump(MSG_INFO, "WPA IE in (Re)Association "
250 sta->rsnie[0] ? 2 + sta->rsnie[1] : 0);
255 wpa_hexdump(MSG_MSGDUMP, "EAPOL-Key Key Data - RSN IE",
256 ie.rsn_ie, ie.rsn_ie_len);
257 if (os_memcmp(ie.rsn_ie, sta->rsnie, ie.rsn_ie_len) != 0) {
258 wpa_printf(MSG_INFO, "Mismatch in RSN IE between "
259 "EAPOL-Key 2/4 and (Re)Association "
260 "Request from " MACSTR, MAC2STR(sta->addr));
261 wpa_hexdump(MSG_INFO, "RSN IE in EAPOL-Key",
262 ie.rsn_ie, ie.rsn_ie_len);
263 wpa_hexdump(MSG_INFO, "RSN IE in (Re)Association "
266 sta->rsnie[0] ? 2 + sta->rsnie[1] : 0);
/**
 * decrypt_eapol_key_data_rc4 - Decrypt RC4-protected EAPOL-Key Key Data
 * @kek: Key Encryption Key (16 octets are used)
 * @hdr: EAPOL-Key header; the encrypted Key Data follows it directly
 * @len: Set to the length of the decrypted data on success
 * Returns: Allocated buffer with the decrypted Key Data (caller frees it with
 * os_free()) or %NULL on failure
 *
 * NOTE(review): the Key Data Length field is taken from the frame and is not
 * compared with the received frame length here; this function relies on the
 * caller having done that before the copy below.
 */
static u8 * decrypt_eapol_key_data_rc4(const u8 *kek,
					const struct wpa_eapol_key *hdr,
					size_t *len)
{
	const u16 data_len = WPA_GET_BE16(hdr->key_data_length);
	u8 rc4_key[32];
	u8 *plain;

	plain = os_malloc(data_len);
	if (!plain)
		return NULL;

	/* RC4 key: 16-octet Key IV followed by the 16-octet KEK */
	os_memcpy(rc4_key, hdr->key_iv, 16);
	os_memcpy(&rc4_key[16], kek, 16);

	/* Decrypt a copy so that the captured frame is not modified */
	os_memcpy(plain, hdr + 1, data_len);
	if (rc4_skip(rc4_key, 32, 256, plain, data_len) != 0) {
		wpa_printf(MSG_INFO, "RC4 failed");
		os_free(plain);
		return NULL;
	}

	*len = data_len;
	return plain;
}
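/**
 * decrypt_eapol_key_data_aes - Unwrap AES key-wrapped EAPOL-Key Key Data
 * @kek: Key Encryption Key
 * @hdr: EAPOL-Key header; the wrapped Key Data follows it directly
 * @len: Set to the length of the unwrapped data on success
 * Returns: Allocated buffer with the unwrapped Key Data (caller frees it with
 * os_free()) or %NULL on failure
 *
 * The Key Data Length field comes from the captured frame, so it is range
 * checked here before any arithmetic is done on it.
 */
static u8 * decrypt_eapol_key_data_aes(const u8 *kek,
					const struct wpa_eapol_key *hdr,
					size_t *len)
{
	u8 *buf;
	u16 keydatalen = WPA_GET_BE16(hdr->key_data_length);

	/*
	 * Wrapped data is a multiple of 8 octets and always carries 8 octets
	 * of overhead. Without the lower bound, a Key Data Length of zero
	 * passes the modulo test and the u16 subtraction below wraps around,
	 * which would make aes_unwrap() read far past the received frame.
	 */
	if (keydatalen < 8 || keydatalen % 8) {
		wpa_printf(MSG_INFO, "Unsupported AES-WRAP len %d",
			   keydatalen);
		return NULL;
	}
	keydatalen -= 8; /* AES-WRAP adds 8 bytes */
	buf = os_malloc(keydatalen);
	if (buf == NULL)
		return NULL;
	if (aes_unwrap(kek, keydatalen / 8, (u8 *) (hdr + 1), buf)) {
		os_free(buf);
		wpa_printf(MSG_INFO, "AES unwrap failed - "
			   "could not decrypt EAPOL-Key key data");
		return NULL;
	}

	*len = keydatalen;
	return buf;
}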
325 static u8 * decrypt_eapol_key_data(const u8 *kek, u16 ver,
326 const struct wpa_eapol_key *hdr,
330 case WPA_KEY_INFO_TYPE_HMAC_MD5_RC4:
331 return decrypt_eapol_key_data_rc4(kek, hdr, len);
332 case WPA_KEY_INFO_TYPE_HMAC_SHA1_AES:
333 case WPA_KEY_INFO_TYPE_AES_128_CMAC:
334 return decrypt_eapol_key_data_aes(kek, hdr, len);
336 wpa_printf(MSG_INFO, "Unsupported EAPOL-Key Key Descriptor "
343 static void learn_kde_keys(struct wlantest_bss *bss, const u8 *buf, size_t len,
346 struct wpa_eapol_ie_parse ie;
348 if (wpa_supplicant_parse_ies(buf, len, &ie) < 0) {
349 wpa_printf(MSG_INFO, "Failed to parse EAPOL-Key Key Data");
354 wpa_hexdump(MSG_MSGDUMP, "EAPOL-Key Key Data - WPA IE",
355 ie.wpa_ie, ie.wpa_ie_len);
359 wpa_hexdump(MSG_MSGDUMP, "EAPOL-Key Key Data - RSN IE",
360 ie.rsn_ie, ie.rsn_ie_len);
364 wpa_hexdump(MSG_MSGDUMP, "EAPOL-Key Key Data - GTK KDE",
366 if (ie.gtk_len >= 2 && ie.gtk_len <= 2 + 32) {
368 id = ie.gtk[0] & 0x03;
369 wpa_printf(MSG_DEBUG, "GTK KeyID=%u tx=%u",
370 id, !!(ie.gtk[0] & 0x04));
371 if ((ie.gtk[0] & 0xf8) || ie.gtk[1])
372 wpa_printf(MSG_INFO, "GTK KDE: Reserved field "
374 ie.gtk[0], ie.gtk[1]);
375 wpa_hexdump(MSG_DEBUG, "GTK", ie.gtk + 2,
377 bss->gtk_len[id] = ie.gtk_len - 2;
378 os_memcpy(bss->gtk[id], ie.gtk + 2, ie.gtk_len - 2);
379 bss->rsc[id][0] = rsc[5];
380 bss->rsc[id][1] = rsc[4];
381 bss->rsc[id][2] = rsc[3];
382 bss->rsc[id][3] = rsc[2];
383 bss->rsc[id][4] = rsc[1];
384 bss->rsc[id][5] = rsc[0];
386 wpa_hexdump(MSG_DEBUG, "RSC", bss->rsc[id], 6);
388 wpa_printf(MSG_INFO, "Invalid GTK KDE length %u",
389 (unsigned) ie.gtk_len);
394 wpa_hexdump(MSG_MSGDUMP, "EAPOL-Key Key Data - IGTK KDE",
395 ie.igtk, ie.igtk_len);
396 if (ie.igtk_len == 24) {
398 id = WPA_GET_LE16(ie.igtk);
400 wpa_printf(MSG_INFO, "Unexpected IGTK KeyID "
404 wpa_printf(MSG_DEBUG, "IGTK KeyID %u", id);
405 wpa_hexdump(MSG_DEBUG, "IPN", ie.igtk + 2, 6);
406 wpa_hexdump(MSG_DEBUG, "IGTK", ie.igtk + 8,
408 os_memcpy(bss->igtk[id], ie.igtk + 8, 16);
409 bss->igtk_set[id] = 1;
411 bss->ipn[id][0] = ipn[5];
412 bss->ipn[id][1] = ipn[4];
413 bss->ipn[id][2] = ipn[3];
414 bss->ipn[id][3] = ipn[2];
415 bss->ipn[id][4] = ipn[1];
416 bss->ipn[id][5] = ipn[0];
420 wpa_printf(MSG_INFO, "Invalid IGTK KDE length %u",
421 (unsigned) ie.igtk_len);
427 static void rx_data_eapol_key_3_of_4(struct wlantest *wt, const u8 *dst,
428 const u8 *src, const u8 *data, size_t len)
430 struct wlantest_bss *bss;
431 struct wlantest_sta *sta;
432 const struct ieee802_1x_hdr *eapol;
433 const struct wpa_eapol_key *hdr;
437 u8 *decrypted_buf = NULL;
439 size_t decrypted_len = 0;
440 struct wpa_eapol_ie_parse ie;
442 wpa_printf(MSG_DEBUG, "EAPOL-Key 3/4 " MACSTR " -> " MACSTR,
443 MAC2STR(src), MAC2STR(dst));
444 bss = bss_get(wt, src);
447 sta = sta_get(bss, dst);
451 eapol = (const struct ieee802_1x_hdr *) data;
452 hdr = (const struct wpa_eapol_key *) (eapol + 1);
453 key_info = WPA_GET_BE16(hdr->key_info);
455 if (os_memcmp(sta->anonce, hdr->key_nonce, WPA_NONCE_LEN) != 0) {
456 wpa_printf(MSG_INFO, "EAPOL-Key ANonce mismatch between 1/4 "
460 os_memcpy(sta->anonce, hdr->key_nonce, WPA_NONCE_LEN);
462 derive_ptk(wt, bss, sta, key_info & WPA_KEY_INFO_TYPE_MASK,
467 wpa_printf(MSG_DEBUG, "No PTK known to process EAPOL-Key 3/4");
471 if (check_mic(sta->ptk.kck, key_info & WPA_KEY_INFO_TYPE_MASK,
473 wpa_printf(MSG_INFO, "Mismatch in EAPOL-Key 3/4 MIC");
476 wpa_printf(MSG_DEBUG, "Valid MIC found in EAPOL-Key 3/4");
478 key_data = (const u8 *) (hdr + 1);
479 if (!(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
480 if (sta->proto & WPA_PROTO_RSN)
481 wpa_printf(MSG_INFO, "EAPOL-Key 3/4 without "
483 decrypted = key_data;
484 decrypted_len = WPA_GET_BE16(hdr->key_data_length);
486 ver = key_info & WPA_KEY_INFO_TYPE_MASK;
487 decrypted_buf = decrypt_eapol_key_data(sta->ptk.kek, ver, hdr,
489 if (decrypted_buf == NULL) {
490 wpa_printf(MSG_INFO, "Failed to decrypt EAPOL-Key Key "
494 decrypted = decrypted_buf;
495 wpa_hexdump(MSG_DEBUG, "Decrypted EAPOL-Key Key Data",
496 decrypted, decrypted_len);
498 if (wt->write_pcap_dumper && decrypted != key_data) {
499 /* Fill in a dummy Data frame header */
500 u8 buf[24 + 8 + sizeof(*eapol) + sizeof(*hdr)];
501 struct ieee80211_hdr *h;
502 struct wpa_eapol_key *k;
507 plain_len = decrypted_len;
509 while (p + 1 < decrypted + decrypted_len) {
510 if (p[0] == 0xdd && p[1] == 0x00) {
512 plain_len = p - decrypted;
518 os_memset(buf, 0, sizeof(buf));
519 h = (struct ieee80211_hdr *) buf;
520 h->frame_control = host_to_le16(0x0208);
521 os_memcpy(h->addr1, dst, ETH_ALEN);
522 os_memcpy(h->addr2, src, ETH_ALEN);
523 os_memcpy(h->addr3, src, ETH_ALEN);
524 pos = (u8 *) (h + 1);
525 os_memcpy(pos, "\xaa\xaa\x03\x00\x00\x00\x88\x8e", 8);
527 os_memcpy(pos, eapol, sizeof(*eapol));
528 pos += sizeof(*eapol);
529 os_memcpy(pos, hdr, sizeof(*hdr));
530 k = (struct wpa_eapol_key *) pos;
531 WPA_PUT_BE16(k->key_info,
532 key_info & ~WPA_KEY_INFO_ENCR_KEY_DATA);
533 WPA_PUT_BE16(k->key_data_length, plain_len);
534 write_pcap_decrypted(wt, buf, sizeof(buf),
535 decrypted, plain_len);
538 if (wpa_supplicant_parse_ies(decrypted, decrypted_len, &ie) < 0) {
539 wpa_printf(MSG_INFO, "Failed to parse EAPOL-Key Key Data");
540 os_free(decrypted_buf);
545 os_memcmp(ie.wpa_ie, bss->wpaie, ie.wpa_ie_len) != 0) ||
546 (ie.wpa_ie == NULL && bss->wpaie[0])) {
547 wpa_printf(MSG_INFO, "Mismatch in WPA IE between "
548 "EAPOL-Key 3/4 and Beacon/Probe Response "
549 "from " MACSTR, MAC2STR(bss->bssid));
550 wpa_hexdump(MSG_INFO, "WPA IE in EAPOL-Key",
551 ie.wpa_ie, ie.wpa_ie_len);
552 wpa_hexdump(MSG_INFO, "WPA IE in Beacon/Probe "
555 bss->wpaie[0] ? 2 + bss->wpaie[1] : 0);
559 os_memcmp(ie.rsn_ie, bss->rsnie, ie.rsn_ie_len) != 0) ||
560 (ie.rsn_ie == NULL && bss->rsnie[0])) {
561 wpa_printf(MSG_INFO, "Mismatch in RSN IE between "
562 "EAPOL-Key 3/4 and Beacon/Probe Response "
563 "from " MACSTR, MAC2STR(bss->bssid));
564 wpa_hexdump(MSG_INFO, "RSN IE in EAPOL-Key",
565 ie.rsn_ie, ie.rsn_ie_len);
566 wpa_hexdump(MSG_INFO, "RSN IE in (Re)Association "
569 bss->rsnie[0] ? 2 + bss->rsnie[1] : 0);
572 learn_kde_keys(bss, decrypted, decrypted_len, hdr->key_rsc);
573 os_free(decrypted_buf);
/**
 * rx_data_eapol_key_4_of_4 - Process EAPOL-Key message 4/4
 * @wt: wlantest context
 * @dst: Destination address (used as the BSSID)
 * @src: Source address (used as the station address)
 * @data: Frame starting from the IEEE 802.1X header
 * @len: Length of @data in octets
 *
 * Logs a non-zero Key RSC and, when a PTK is known for the station, checks
 * the Key MIC with the KCK of that PTK and logs the result.
 */
static void rx_data_eapol_key_4_of_4(struct wlantest *wt, const u8 *dst,
				     const u8 *src, const u8 *data, size_t len)
{
	struct wlantest_bss *ap;
	struct wlantest_sta *supp;
	const struct wpa_eapol_key *key;
	u16 info;

	wpa_printf(MSG_DEBUG, "EAPOL-Key 4/4 " MACSTR " -> " MACSTR,
		   MAC2STR(src), MAC2STR(dst));

	ap = bss_get(wt, dst);
	if (!ap)
		return;
	supp = sta_get(ap, src);
	if (!supp)
		return;

	/* The EAPOL-Key header follows the IEEE 802.1X header directly */
	key = (const struct wpa_eapol_key *)
		((const struct ieee802_1x_hdr *) data + 1);

	if (!is_zero(key->key_rsc, 8))
		wpa_printf(MSG_INFO, "EAPOL-Key 4/4 from " MACSTR
			   " used non-zero Key RSC", MAC2STR(src));
	info = WPA_GET_BE16(key->key_info);

	/* Without a PTK there is no KCK to verify the MIC with */
	if (!supp->ptk_set) {
		wpa_printf(MSG_DEBUG, "No PTK known to process EAPOL-Key 4/4");
		return;
	}

	if (check_mic(supp->ptk.kck, info & WPA_KEY_INFO_TYPE_MASK,
		      data, len) < 0) {
		wpa_printf(MSG_INFO, "Mismatch in EAPOL-Key 4/4 MIC");
		return;
	}

	wpa_printf(MSG_DEBUG, "Valid MIC found in EAPOL-Key 4/4");
}
618 static void rx_data_eapol_key_1_of_2(struct wlantest *wt, const u8 *dst,
619 const u8 *src, const u8 *data, size_t len)
621 struct wlantest_bss *bss;
622 struct wlantest_sta *sta;
623 const struct ieee802_1x_hdr *eapol;
624 const struct wpa_eapol_key *hdr;
628 size_t decrypted_len = 0;
630 wpa_printf(MSG_DEBUG, "EAPOL-Key 1/2 " MACSTR " -> " MACSTR,
631 MAC2STR(src), MAC2STR(dst));
632 bss = bss_get(wt, src);
635 sta = sta_get(bss, dst);
639 eapol = (const struct ieee802_1x_hdr *) data;
640 hdr = (const struct wpa_eapol_key *) (eapol + 1);
641 key_info = WPA_GET_BE16(hdr->key_info);
644 wpa_printf(MSG_DEBUG, "No PTK known to process EAPOL-Key 1/2");
649 check_mic(sta->ptk.kck, key_info & WPA_KEY_INFO_TYPE_MASK,
651 wpa_printf(MSG_INFO, "Mismatch in EAPOL-Key 1/2 MIC");
654 wpa_printf(MSG_DEBUG, "Valid MIC found in EAPOL-Key 1/2");
656 key_data = (const u8 *) (hdr + 1);
657 if (sta->proto & WPA_PROTO_RSN &&
658 !(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
659 wpa_printf(MSG_INFO, "EAPOL-Key 1/2 without EncrKeyData bit");
662 ver = key_info & WPA_KEY_INFO_TYPE_MASK;
663 decrypted = decrypt_eapol_key_data(sta->ptk.kek, ver, hdr,
665 if (decrypted == NULL) {
666 wpa_printf(MSG_INFO, "Failed to decrypt EAPOL-Key Key Data");
669 wpa_hexdump(MSG_DEBUG, "Decrypted EAPOL-Key Key Data",
670 decrypted, decrypted_len);
671 if (wt->write_pcap_dumper) {
672 /* Fill in a dummy Data frame header */
673 u8 buf[24 + 8 + sizeof(*eapol) + sizeof(*hdr)];
674 struct ieee80211_hdr *h;
675 struct wpa_eapol_key *k;
679 plain_len = decrypted_len;
681 while (pos + 1 < decrypted + decrypted_len) {
682 if (pos[0] == 0xdd && pos[1] == 0x00) {
684 plain_len = pos - decrypted;
690 os_memset(buf, 0, sizeof(buf));
691 h = (struct ieee80211_hdr *) buf;
692 h->frame_control = host_to_le16(0x0208);
693 os_memcpy(h->addr1, dst, ETH_ALEN);
694 os_memcpy(h->addr2, src, ETH_ALEN);
695 os_memcpy(h->addr3, src, ETH_ALEN);
696 pos = (u8 *) (h + 1);
697 os_memcpy(pos, "\xaa\xaa\x03\x00\x00\x00\x88\x8e", 8);
699 os_memcpy(pos, eapol, sizeof(*eapol));
700 pos += sizeof(*eapol);
701 os_memcpy(pos, hdr, sizeof(*hdr));
702 k = (struct wpa_eapol_key *) pos;
703 WPA_PUT_BE16(k->key_info,
704 key_info & ~WPA_KEY_INFO_ENCR_KEY_DATA);
705 WPA_PUT_BE16(k->key_data_length, plain_len);
706 write_pcap_decrypted(wt, buf, sizeof(buf),
707 decrypted, plain_len);
709 if (sta->proto & WPA_PROTO_RSN)
710 learn_kde_keys(bss, decrypted, decrypted_len, hdr->key_rsc);
712 int len = bss->group_cipher == WPA_CIPHER_TKIP ? 32 : 16;
713 if (decrypted_len == len) {
714 const u8 *rsc = hdr->key_rsc;
716 id = (key_info & WPA_KEY_INFO_KEY_INDEX_MASK) >>
717 WPA_KEY_INFO_KEY_INDEX_SHIFT;
718 wpa_printf(MSG_DEBUG, "GTK key index %d", id);
719 wpa_hexdump(MSG_DEBUG, "GTK", decrypted,
721 bss->gtk_len[id] = decrypted_len;
722 os_memcpy(bss->gtk[id], decrypted, decrypted_len);
723 bss->rsc[id][0] = rsc[5];
724 bss->rsc[id][1] = rsc[4];
725 bss->rsc[id][2] = rsc[3];
726 bss->rsc[id][3] = rsc[2];
727 bss->rsc[id][4] = rsc[1];
728 bss->rsc[id][5] = rsc[0];
729 wpa_hexdump(MSG_DEBUG, "RSC", bss->rsc[id], 6);
731 wpa_printf(MSG_INFO, "Unexpected WPA Key Data length "
732 "in Group Key msg 1/2 from " MACSTR,
/**
 * rx_data_eapol_key_2_of_2 - Process Group Key Handshake message 2/2
 * @wt: wlantest context
 * @dst: Destination address (used as the BSSID)
 * @src: Source address (used as the station address)
 * @data: Frame starting from the IEEE 802.1X header
 * @len: Length of @data in octets
 *
 * Logs a non-zero Key RSC and, when a PTK is known for the station, checks
 * the Key MIC with the KCK of that PTK and logs the result.
 */
static void rx_data_eapol_key_2_of_2(struct wlantest *wt, const u8 *dst,
				     const u8 *src, const u8 *data, size_t len)
{
	struct wlantest_bss *ap;
	struct wlantest_sta *supp;
	const struct wpa_eapol_key *key;
	u16 info;

	wpa_printf(MSG_DEBUG, "EAPOL-Key 2/2 " MACSTR " -> " MACSTR,
		   MAC2STR(src), MAC2STR(dst));

	ap = bss_get(wt, dst);
	if (!ap)
		return;
	supp = sta_get(ap, src);
	if (!supp)
		return;

	/* The EAPOL-Key header follows the IEEE 802.1X header directly */
	key = (const struct wpa_eapol_key *)
		((const struct ieee802_1x_hdr *) data + 1);

	if (!is_zero(key->key_rsc, 8))
		wpa_printf(MSG_INFO, "EAPOL-Key 2/2 from " MACSTR
			   " used non-zero Key RSC", MAC2STR(src));
	info = WPA_GET_BE16(key->key_info);

	/* Without a PTK there is no KCK to verify the MIC with */
	if (!supp->ptk_set) {
		wpa_printf(MSG_DEBUG, "No PTK known to process EAPOL-Key 2/2");
		return;
	}

	if (check_mic(supp->ptk.kck, info & WPA_KEY_INFO_TYPE_MASK,
		      data, len) < 0) {
		wpa_printf(MSG_INFO, "Mismatch in EAPOL-Key 2/2 MIC");
		return;
	}

	wpa_printf(MSG_DEBUG, "Valid MIC found in EAPOL-Key 2/2");
}
781 static void rx_data_eapol_key(struct wlantest *wt, const u8 *dst,
782 const u8 *src, const u8 *data, size_t len,
785 const struct ieee802_1x_hdr *eapol;
786 const struct wpa_eapol_key *hdr;
788 u16 key_info, key_length, ver, key_data_length;
790 eapol = (const struct ieee802_1x_hdr *) data;
791 hdr = (const struct wpa_eapol_key *) (eapol + 1);
793 wpa_hexdump(MSG_MSGDUMP, "EAPOL-Key",
794 (const u8 *) hdr, len - sizeof(*eapol));
795 if (len < sizeof(*hdr)) {
796 wpa_printf(MSG_INFO, "Too short EAPOL-Key frame from " MACSTR,
801 if (hdr->type == EAPOL_KEY_TYPE_RC4) {
802 /* TODO: EAPOL-Key RC4 for WEP */
803 wpa_printf(MSG_INFO, "EAPOL-Key Descriptor Type RC4 from "
804 MACSTR, MAC2STR(src));
808 if (hdr->type != EAPOL_KEY_TYPE_RSN &&
809 hdr->type != EAPOL_KEY_TYPE_WPA) {
810 wpa_printf(MSG_INFO, "Unsupported EAPOL-Key Descriptor Type "
811 "%u from " MACSTR, hdr->type, MAC2STR(src));
815 key_info = WPA_GET_BE16(hdr->key_info);
816 key_length = WPA_GET_BE16(hdr->key_length);
817 key_data_length = WPA_GET_BE16(hdr->key_data_length);
818 key_data = (const u8 *) (hdr + 1);
819 if (key_data + key_data_length > data + len) {
820 wpa_printf(MSG_INFO, "Truncated EAPOL-Key from " MACSTR,
824 if (key_data + key_data_length < data + len) {
825 wpa_hexdump(MSG_DEBUG, "Extra data after EAPOL-Key Key Data "
826 "field", key_data + key_data_length,
827 data + len - key_data - key_data_length);
831 ver = key_info & WPA_KEY_INFO_TYPE_MASK;
832 wpa_printf(MSG_DEBUG, "EAPOL-Key ver=%u %c idx=%u%s%s%s%s%s%s%s%s "
834 ver, key_info & WPA_KEY_INFO_KEY_TYPE ? 'P' : 'G',
835 (key_info & WPA_KEY_INFO_KEY_INDEX_MASK) >>
836 WPA_KEY_INFO_KEY_INDEX_SHIFT,
837 (key_info & WPA_KEY_INFO_INSTALL) ? " Install" : "",
838 (key_info & WPA_KEY_INFO_ACK) ? " ACK" : "",
839 (key_info & WPA_KEY_INFO_MIC) ? " MIC" : "",
840 (key_info & WPA_KEY_INFO_SECURE) ? " Secure" : "",
841 (key_info & WPA_KEY_INFO_ERROR) ? " Error" : "",
842 (key_info & WPA_KEY_INFO_REQUEST) ? " Request" : "",
843 (key_info & WPA_KEY_INFO_ENCR_KEY_DATA) ? " Encr" : "",
844 (key_info & WPA_KEY_INFO_SMK_MESSAGE) ? " SMK" : "",
847 if (ver != WPA_KEY_INFO_TYPE_HMAC_MD5_RC4 &&
848 ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES &&
849 ver != WPA_KEY_INFO_TYPE_AES_128_CMAC) {
850 wpa_printf(MSG_INFO, "Unsupported EAPOL-Key Key Descriptor "
851 "Version %u from " MACSTR, ver, MAC2STR(src));
855 wpa_hexdump(MSG_MSGDUMP, "EAPOL-Key Replay Counter",
856 hdr->replay_counter, WPA_REPLAY_COUNTER_LEN);
857 wpa_hexdump(MSG_MSGDUMP, "EAPOL-Key Key Nonce",
858 hdr->key_nonce, WPA_NONCE_LEN);
859 wpa_hexdump(MSG_MSGDUMP, "EAPOL-Key Key IV",
861 wpa_hexdump(MSG_MSGDUMP, "EAPOL-Key RSC",
862 hdr->key_rsc, WPA_KEY_RSC_LEN);
863 wpa_hexdump(MSG_MSGDUMP, "EAPOL-Key Key MIC",
865 wpa_hexdump(MSG_MSGDUMP, "EAPOL-Key Key Data",
866 key_data, key_data_length);
868 if (hdr->type == EAPOL_KEY_TYPE_RSN &&
869 (key_info & (WPA_KEY_INFO_KEY_INDEX_MASK | BIT(14) | BIT(15))) !=
871 wpa_printf(MSG_INFO, "RSN EAPOL-Key with non-zero reserved "
872 "Key Info bits 0x%x from " MACSTR,
873 key_info, MAC2STR(src));
876 if (hdr->type == EAPOL_KEY_TYPE_WPA &&
877 (key_info & (WPA_KEY_INFO_ENCR_KEY_DATA |
878 WPA_KEY_INFO_SMK_MESSAGE |BIT(14) | BIT(15))) != 0) {
879 wpa_printf(MSG_INFO, "WPA EAPOL-Key with non-zero reserved "
880 "Key Info bits 0x%x from " MACSTR,
881 key_info, MAC2STR(src));
884 if (key_length > 32) {
885 wpa_printf(MSG_INFO, "EAPOL-Key with invalid Key Length %d "
886 "from " MACSTR, key_length, MAC2STR(src));
889 if (ver != WPA_KEY_INFO_TYPE_HMAC_MD5_RC4 &&
890 !is_zero(hdr->key_iv, 16)) {
891 wpa_printf(MSG_INFO, "EAPOL-Key with non-zero Key IV "
892 "(reserved with ver=%d) field from " MACSTR,
894 wpa_hexdump(MSG_INFO, "EAPOL-Key Key IV (reserved)",
898 if (!is_zero(hdr->key_id, 8)) {
899 wpa_printf(MSG_INFO, "EAPOL-Key with non-zero Key ID "
900 "(reserved) field from " MACSTR, MAC2STR(src));
901 wpa_hexdump(MSG_INFO, "EAPOL-Key Key ID (reserved)",
905 if (hdr->key_rsc[6] || hdr->key_rsc[7]) {
906 wpa_printf(MSG_INFO, "EAPOL-Key with non-zero Key RSC octets "
907 "(last two are unused)" MACSTR, MAC2STR(src));
910 if (key_info & (WPA_KEY_INFO_ERROR | WPA_KEY_INFO_REQUEST))
913 if (key_info & WPA_KEY_INFO_SMK_MESSAGE)
916 if (key_info & WPA_KEY_INFO_KEY_TYPE) {
917 /* 4-Way Handshake */
918 switch (key_info & (WPA_KEY_INFO_SECURE |
921 WPA_KEY_INFO_INSTALL)) {
922 case WPA_KEY_INFO_ACK:
923 rx_data_eapol_key_1_of_4(wt, dst, src, data, len);
925 case WPA_KEY_INFO_MIC:
926 if (key_data_length == 0)
927 rx_data_eapol_key_4_of_4(wt, dst, src, data,
930 rx_data_eapol_key_2_of_4(wt, dst, src, data,
933 case WPA_KEY_INFO_MIC | WPA_KEY_INFO_ACK |
934 WPA_KEY_INFO_INSTALL:
935 /* WPA does not include Secure bit in 3/4 */
936 rx_data_eapol_key_3_of_4(wt, dst, src, data, len);
938 case WPA_KEY_INFO_SECURE | WPA_KEY_INFO_MIC |
939 WPA_KEY_INFO_ACK | WPA_KEY_INFO_INSTALL:
940 rx_data_eapol_key_3_of_4(wt, dst, src, data, len);
942 case WPA_KEY_INFO_SECURE | WPA_KEY_INFO_MIC:
943 rx_data_eapol_key_4_of_4(wt, dst, src, data, len);
946 wpa_printf(MSG_DEBUG, "Unsupported EAPOL-Key frame");
950 /* Group Key Handshake */
951 switch (key_info & (WPA_KEY_INFO_SECURE |
954 case WPA_KEY_INFO_SECURE | WPA_KEY_INFO_MIC |
956 rx_data_eapol_key_1_of_2(wt, dst, src, data, len);
958 case WPA_KEY_INFO_SECURE | WPA_KEY_INFO_MIC:
959 rx_data_eapol_key_2_of_2(wt, dst, src, data, len);
962 wpa_printf(MSG_DEBUG, "Unsupported EAPOL-Key frame");
969 static void rx_data_eapol(struct wlantest *wt, const u8 *dst, const u8 *src,
970 const u8 *data, size_t len, int prot)
972 const struct ieee802_1x_hdr *hdr;
976 wpa_hexdump(MSG_EXCESSIVE, "EAPOL", data, len);
977 if (len < sizeof(*hdr)) {
978 wpa_printf(MSG_INFO, "Too short EAPOL frame from " MACSTR,
983 hdr = (const struct ieee802_1x_hdr *) data;
984 length = be_to_host16(hdr->length);
985 wpa_printf(MSG_DEBUG, "RX EAPOL: " MACSTR " -> " MACSTR "%s ver=%u "
987 MAC2STR(src), MAC2STR(dst), prot ? " Prot" : "",
988 hdr->version, hdr->type, length);
989 if (hdr->version < 1 || hdr->version > 3) {
990 wpa_printf(MSG_INFO, "Unexpected EAPOL version %u from "
991 MACSTR, hdr->version, MAC2STR(src));
993 if (sizeof(*hdr) + length > len) {
994 wpa_printf(MSG_INFO, "Truncated EAPOL frame from " MACSTR,
999 if (sizeof(*hdr) + length < len) {
1000 wpa_printf(MSG_INFO, "EAPOL frame with %d extra bytes",
1001 (int) (len - sizeof(*hdr) - length));
1003 p = (const u8 *) (hdr + 1);
1005 switch (hdr->type) {
1006 case IEEE802_1X_TYPE_EAP_PACKET:
1007 wpa_hexdump(MSG_MSGDUMP, "EAPOL - EAP packet", p, length);
1009 case IEEE802_1X_TYPE_EAPOL_START:
1010 wpa_hexdump(MSG_MSGDUMP, "EAPOL-Start", p, length);
1012 case IEEE802_1X_TYPE_EAPOL_LOGOFF:
1013 wpa_hexdump(MSG_MSGDUMP, "EAPOL-Logoff", p, length);
1015 case IEEE802_1X_TYPE_EAPOL_KEY:
1016 rx_data_eapol_key(wt, dst, src, data, sizeof(*hdr) + length,
1019 case IEEE802_1X_TYPE_EAPOL_ENCAPSULATED_ASF_ALERT:
1020 wpa_hexdump(MSG_MSGDUMP, "EAPOL - Encapsulated ASF alert",
1024 wpa_hexdump(MSG_MSGDUMP, "Unknown EAPOL payload", p, length);
/**
 * rx_data_eth - Dispatch a Data frame payload by ethertype
 * @wt: wlantest context
 * @dst: Destination address
 * @src: Source address
 * @ethertype: Ethertype of the payload
 * @data: Payload following the ethertype
 * @len: Length of @data in octets
 * @prot: Passed through to rx_data_eapol() unchanged
 *
 * Only ETH_P_PAE (EAPOL) payloads are processed; every other ethertype is
 * ignored.
 */
static void rx_data_eth(struct wlantest *wt, const u8 *dst, const u8 *src,
			u16 ethertype, const u8 *data, size_t len, int prot)
{
	switch (ethertype) {
	case ETH_P_PAE:
		rx_data_eapol(wt, dst, src, data, len, prot);
		break;
	default:
		break;
	}
}
1038 static void rx_data_process(struct wlantest *wt, const u8 *dst, const u8 *src,
1039 const u8 *data, size_t len, int prot)
1044 if (len >= 8 && os_memcmp(data, "\xaa\xaa\x03\x00\x00\x00", 6) == 0) {
1045 rx_data_eth(wt, dst, src, WPA_GET_BE16(data + 6),
1046 data + 8, len - 8, prot);
1050 wpa_hexdump(MSG_DEBUG, "Unrecognized LLC", data, len > 8 ? 8 : len);
1054 static void rx_data_bss_prot_group(struct wlantest *wt,
1055 const struct ieee80211_hdr *hdr,
1056 const u8 *qos, const u8 *dst, const u8 *src,
1057 const u8 *data, size_t len)
1059 struct wlantest_bss *bss;
1065 bss = bss_get(wt, hdr->addr2);
1069 wpa_printf(MSG_INFO, "Too short group addressed data frame");
1073 if (bss->group_cipher & (WPA_CIPHER_TKIP | WPA_CIPHER_CCMP) &&
1074 !(data[3] & 0x20)) {
1075 wpa_printf(MSG_INFO, "Expected TKIP/CCMP frame from "
1076 MACSTR " did not have ExtIV bit set to 1",
1077 MAC2STR(bss->bssid));
1081 if (bss->group_cipher == WPA_CIPHER_TKIP) {
1082 if (data[3] & 0x1f) {
1083 wpa_printf(MSG_INFO, "TKIP frame from " MACSTR " used "
1084 "non-zero reserved bit",
1085 MAC2STR(bss->bssid));
1087 if (data[1] != ((data[0] | 0x20) & 0x7f)) {
1088 wpa_printf(MSG_INFO, "TKIP frame from " MACSTR " used "
1089 "incorrect WEPSeed[1] (was 0x%x, expected "
1091 MAC2STR(bss->bssid), data[1],
1092 (data[0] | 0x20) & 0x7f);
1094 } else if (bss->group_cipher == WPA_CIPHER_CCMP) {
1095 if (data[2] != 0 || (data[3] & 0x1f) != 0) {
1096 wpa_printf(MSG_INFO, "CCMP frame from " MACSTR " used "
1097 "non-zero reserved bit",
1098 MAC2STR(bss->bssid));
1102 keyid = data[3] >> 6;
1103 if (bss->gtk_len[keyid] == 0) {
1104 wpa_printf(MSG_MSGDUMP, "No GTK known to decrypt the frame "
1105 "(A2=" MACSTR " KeyID=%d)",
1106 MAC2STR(hdr->addr2), keyid);
1110 if (bss->group_cipher == WPA_CIPHER_TKIP)
1111 tkip_get_pn(pn, data);
1113 ccmp_get_pn(pn, data);
1114 if (os_memcmp(pn, bss->rsc[keyid], 6) <= 0) {
1115 wpa_printf(MSG_INFO, "CCMP/TKIP replay detected: SA=" MACSTR,
1116 MAC2STR(hdr->addr2));
1117 wpa_hexdump(MSG_INFO, "RX PN", pn, 6);
1118 wpa_hexdump(MSG_INFO, "RSC", bss->rsc[keyid], 6);
1121 if (bss->group_cipher == WPA_CIPHER_TKIP)
1122 decrypted = tkip_decrypt(bss->gtk[keyid], hdr, data, len,
1125 decrypted = ccmp_decrypt(bss->gtk[keyid], hdr, data, len,
1128 rx_data_process(wt, dst, src, decrypted, dlen, 1);
1129 os_memcpy(bss->rsc[keyid], pn, 6);
1130 write_pcap_decrypted(wt, (const u8 *) hdr, 24 + (qos ? 2 : 0),
1137 static void rx_data_bss_prot(struct wlantest *wt,
1138 const struct ieee80211_hdr *hdr, const u8 *qos,
1139 const u8 *dst, const u8 *src, const u8 *data,
1142 struct wlantest_bss *bss;
1143 struct wlantest_sta *sta;
1145 u16 fc = le_to_host16(hdr->frame_control);
1151 if (hdr->addr1[0] & 0x01) {
1152 rx_data_bss_prot_group(wt, hdr, qos, dst, src, data, len);
1156 if (fc & WLAN_FC_TODS) {
1157 bss = bss_get(wt, hdr->addr1);
1160 sta = sta_get(bss, hdr->addr2);
1162 bss = bss_get(wt, hdr->addr2);
1165 sta = sta_get(bss, hdr->addr1);
1167 if (sta == NULL || !sta->ptk_set) {
1168 wpa_printf(MSG_MSGDUMP, "No PTK known to decrypt the frame");
1173 wpa_printf(MSG_INFO, "Too short encrypted data frame");
1177 if (sta->pairwise_cipher & (WPA_CIPHER_TKIP | WPA_CIPHER_CCMP) &&
1178 !(data[3] & 0x20)) {
1179 wpa_printf(MSG_INFO, "Expected TKIP/CCMP frame from "
1180 MACSTR " did not have ExtIV bit set to 1",
1185 if (sta->pairwise_cipher == WPA_CIPHER_TKIP) {
1186 if (data[3] & 0x1f) {
1187 wpa_printf(MSG_INFO, "TKIP frame from " MACSTR " used "
1188 "non-zero reserved bit",
1189 MAC2STR(hdr->addr2));
1191 if (data[1] != ((data[0] | 0x20) & 0x7f)) {
1192 wpa_printf(MSG_INFO, "TKIP frame from " MACSTR " used "
1193 "incorrect WEPSeed[1] (was 0x%x, expected "
1195 MAC2STR(hdr->addr2), data[1],
1196 (data[0] | 0x20) & 0x7f);
1198 } else if (sta->pairwise_cipher == WPA_CIPHER_CCMP) {
1199 if (data[2] != 0 || (data[3] & 0x1f) != 0) {
1200 wpa_printf(MSG_INFO, "CCMP frame from " MACSTR " used "
1201 "non-zero reserved bit",
1202 MAC2STR(hdr->addr2));
1206 keyid = data[3] >> 6;
1208 wpa_printf(MSG_INFO, "Unexpected non-zero KeyID %d in "
1209 "individually addressed Data frame from " MACSTR,
1210 keyid, MAC2STR(hdr->addr2));
1214 tid = qos[0] & 0x0f;
1217 if (fc & WLAN_FC_TODS)
1218 rsc = sta->rsc_tods[tid];
1220 rsc = sta->rsc_fromds[tid];
1223 if (sta->pairwise_cipher == WPA_CIPHER_TKIP)
1224 tkip_get_pn(pn, data);
1226 ccmp_get_pn(pn, data);
1227 if (os_memcmp(pn, rsc, 6) <= 0) {
1228 wpa_printf(MSG_INFO, "CCMP/TKIP replay detected: SA=" MACSTR,
1229 MAC2STR(hdr->addr2));
1230 wpa_hexdump(MSG_INFO, "RX PN", pn, 6);
1231 wpa_hexdump(MSG_INFO, "RSC", rsc, 6);
1234 if (sta->pairwise_cipher == WPA_CIPHER_TKIP)
1235 decrypted = tkip_decrypt(sta->ptk.tk1, hdr, data, len, &dlen);
1237 decrypted = ccmp_decrypt(sta->ptk.tk1, hdr, data, len, &dlen);
1239 rx_data_process(wt, dst, src, decrypted, dlen, 1);
1240 os_memcpy(rsc, pn, 6);
1241 write_pcap_decrypted(wt, (const u8 *) hdr, 24 + (qos ? 2 : 0),
1248 static void rx_data_bss(struct wlantest *wt, const struct ieee80211_hdr *hdr,
1249 const u8 *qos, const u8 *dst, const u8 *src,
1250 const u8 *data, size_t len)
1252 u16 fc = le_to_host16(hdr->frame_control);
1253 int prot = !!(fc & WLAN_FC_ISWEP);
1256 u8 ack = (qos[0] & 0x60) >> 5;
1257 wpa_printf(MSG_MSGDUMP, "BSS DATA: " MACSTR " -> " MACSTR
1258 " len=%u%s tid=%u%s%s",
1259 MAC2STR(src), MAC2STR(dst), (unsigned int) len,
1260 prot ? " Prot" : "", qos[0] & 0x0f,
1261 (qos[0] & 0x10) ? " EOSP" : "",
1263 (ack == 1 ? " NoAck" :
1264 (ack == 2 ? " NoExpAck" : " BA")));
1266 wpa_printf(MSG_MSGDUMP, "BSS DATA: " MACSTR " -> " MACSTR
1268 MAC2STR(src), MAC2STR(dst), (unsigned int) len,
1269 prot ? " Prot" : "");
1273 rx_data_bss_prot(wt, hdr, qos, dst, src, data, len);
1275 rx_data_process(wt, dst, src, data, len, 0);
1279 void rx_data(struct wlantest *wt, const u8 *data, size_t len)
1281 const struct ieee80211_hdr *hdr;
1284 const u8 *qos = NULL;
1289 hdr = (const struct ieee80211_hdr *) data;
1290 fc = le_to_host16(hdr->frame_control);
1291 stype = WLAN_FC_GET_STYPE(fc);
1293 if ((fc & (WLAN_FC_TODS | WLAN_FC_FROMDS)) ==
1294 (WLAN_FC_TODS | WLAN_FC_FROMDS))
1297 qos = data + hdrlen;
1304 switch (fc & (WLAN_FC_TODS | WLAN_FC_FROMDS)) {
1306 wpa_printf(MSG_EXCESSIVE, "DATA %s%s%s IBSS DA=" MACSTR " SA="
1307 MACSTR " BSSID=" MACSTR,
1308 data_stype(WLAN_FC_GET_STYPE(fc)),
1309 fc & WLAN_FC_PWRMGT ? " PwrMgt" : "",
1310 fc & WLAN_FC_ISWEP ? " Prot" : "",
1311 MAC2STR(hdr->addr1), MAC2STR(hdr->addr2),
1312 MAC2STR(hdr->addr3));
1314 case WLAN_FC_FROMDS:
1315 wpa_printf(MSG_EXCESSIVE, "DATA %s%s%s FromDS DA=" MACSTR
1316 " BSSID=" MACSTR " SA=" MACSTR,
1317 data_stype(WLAN_FC_GET_STYPE(fc)),
1318 fc & WLAN_FC_PWRMGT ? " PwrMgt" : "",
1319 fc & WLAN_FC_ISWEP ? " Prot" : "",
1320 MAC2STR(hdr->addr1), MAC2STR(hdr->addr2),
1321 MAC2STR(hdr->addr3));
1322 rx_data_bss(wt, hdr, qos, hdr->addr1, hdr->addr2,
1323 data + hdrlen, len - hdrlen);
1326 wpa_printf(MSG_EXCESSIVE, "DATA %s%s%s ToDS BSSID=" MACSTR
1327 " SA=" MACSTR " DA=" MACSTR,
1328 data_stype(WLAN_FC_GET_STYPE(fc)),
1329 fc & WLAN_FC_PWRMGT ? " PwrMgt" : "",
1330 fc & WLAN_FC_ISWEP ? " Prot" : "",
1331 MAC2STR(hdr->addr1), MAC2STR(hdr->addr2),
1332 MAC2STR(hdr->addr3));
1333 rx_data_bss(wt, hdr, qos, hdr->addr3, hdr->addr2,
1334 data + hdrlen, len - hdrlen);
1336 case WLAN_FC_TODS | WLAN_FC_FROMDS:
1337 wpa_printf(MSG_EXCESSIVE, "DATA %s%s%s WDS RA=" MACSTR " TA="
1338 MACSTR " DA=" MACSTR " SA=" MACSTR,
1339 data_stype(WLAN_FC_GET_STYPE(fc)),
1340 fc & WLAN_FC_PWRMGT ? " PwrMgt" : "",
1341 fc & WLAN_FC_ISWEP ? " Prot" : "",
1342 MAC2STR(hdr->addr1), MAC2STR(hdr->addr2),
1343 MAC2STR(hdr->addr3),
1344 MAC2STR((const u8 *) (hdr + 1)));