2 * Received Data frame processing
3 * Copyright (c) 2010, Jouni Malinen <j@w1.fi>
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License version 2 as
7 * published by the Free Software Foundation.
9 * Alternatively, this software may be distributed under the terms of BSD
12 * See README and COPYING for more details.
15 #include "utils/includes.h"
16 #include <linux/if_ether.h>
18 #include "utils/common.h"
19 #include "common/defs.h"
20 #include "common/ieee802_11_defs.h"
24 static const char * data_stype(u16 stype)
27 case WLAN_FC_STYPE_DATA:
29 case WLAN_FC_STYPE_DATA_CFACK:
31 case WLAN_FC_STYPE_DATA_CFPOLL:
33 case WLAN_FC_STYPE_DATA_CFACKPOLL:
34 return "DATA-CFACKPOLL";
35 case WLAN_FC_STYPE_NULLFUNC:
37 case WLAN_FC_STYPE_CFACK:
39 case WLAN_FC_STYPE_CFPOLL:
41 case WLAN_FC_STYPE_CFACKPOLL:
43 case WLAN_FC_STYPE_QOS_DATA:
45 case WLAN_FC_STYPE_QOS_DATA_CFACK:
46 return "QOSDATA-CFACK";
47 case WLAN_FC_STYPE_QOS_DATA_CFPOLL:
48 return "QOSDATA-CFPOLL";
49 case WLAN_FC_STYPE_QOS_DATA_CFACKPOLL:
50 return "QOSDATA-CFACKPOLL";
51 case WLAN_FC_STYPE_QOS_NULL:
53 case WLAN_FC_STYPE_QOS_CFPOLL:
55 case WLAN_FC_STYPE_QOS_CFACKPOLL:
56 return "QOS-CFACKPOLL";
62 static void rx_data_eth(struct wlantest *wt, const u8 *bssid,
63 const u8 *sta_addr, const u8 *dst, const u8 *src,
64 u16 ethertype, const u8 *data, size_t len, int prot,
69 rx_data_eapol(wt, dst, src, data, len, prot);
72 rx_data_ip(wt, bssid, sta_addr, dst, src, data, len,
76 rx_data_80211_encap(wt, bssid, sta_addr, dst, src, data, len);
82 static void rx_data_process(struct wlantest *wt, const u8 *bssid,
84 const u8 *dst, const u8 *src,
85 const u8 *data, size_t len, int prot,
91 if (len >= 8 && os_memcmp(data, "\xaa\xaa\x03\x00\x00\x00", 6) == 0) {
92 rx_data_eth(wt, bssid, sta_addr, dst, src,
93 WPA_GET_BE16(data + 6), data + 8, len - 8, prot,
98 wpa_hexdump(MSG_DEBUG, "Unrecognized LLC", data, len > 8 ? 8 : len);
102 static void rx_data_bss_prot_group(struct wlantest *wt,
103 const struct ieee80211_hdr *hdr,
104 const u8 *qos, const u8 *dst, const u8 *src,
105 const u8 *data, size_t len)
107 struct wlantest_bss *bss;
113 bss = bss_get(wt, hdr->addr2);
117 wpa_printf(MSG_INFO, "Too short group addressed data frame");
121 if (bss->group_cipher & (WPA_CIPHER_TKIP | WPA_CIPHER_CCMP) &&
123 wpa_printf(MSG_INFO, "Expected TKIP/CCMP frame from "
124 MACSTR " did not have ExtIV bit set to 1",
125 MAC2STR(bss->bssid));
129 if (bss->group_cipher == WPA_CIPHER_TKIP) {
130 if (data[3] & 0x1f) {
131 wpa_printf(MSG_INFO, "TKIP frame from " MACSTR " used "
132 "non-zero reserved bit",
133 MAC2STR(bss->bssid));
135 if (data[1] != ((data[0] | 0x20) & 0x7f)) {
136 wpa_printf(MSG_INFO, "TKIP frame from " MACSTR " used "
137 "incorrect WEPSeed[1] (was 0x%x, expected "
139 MAC2STR(bss->bssid), data[1],
140 (data[0] | 0x20) & 0x7f);
142 } else if (bss->group_cipher == WPA_CIPHER_CCMP) {
143 if (data[2] != 0 || (data[3] & 0x1f) != 0) {
144 wpa_printf(MSG_INFO, "CCMP frame from " MACSTR " used "
145 "non-zero reserved bit",
146 MAC2STR(bss->bssid));
150 keyid = data[3] >> 6;
151 if (bss->gtk_len[keyid] == 0 && bss->group_cipher != WPA_CIPHER_WEP40)
153 wpa_printf(MSG_MSGDUMP, "No GTK known to decrypt the frame "
154 "(A2=" MACSTR " KeyID=%d)",
155 MAC2STR(hdr->addr2), keyid);
159 if (bss->group_cipher == WPA_CIPHER_TKIP)
160 tkip_get_pn(pn, data);
161 else if (bss->group_cipher == WPA_CIPHER_WEP40)
162 goto skip_replay_det;
164 ccmp_get_pn(pn, data);
165 if (os_memcmp(pn, bss->rsc[keyid], 6) <= 0) {
166 u16 seq_ctrl = le_to_host16(hdr->seq_ctrl);
167 wpa_printf(MSG_INFO, "CCMP/TKIP replay detected: A1=" MACSTR
168 " A2=" MACSTR " A3=" MACSTR " seq=%u frag=%u",
169 MAC2STR(hdr->addr1), MAC2STR(hdr->addr2),
171 WLAN_GET_SEQ_SEQ(seq_ctrl),
172 WLAN_GET_SEQ_FRAG(seq_ctrl));
173 wpa_hexdump(MSG_INFO, "RX PN", pn, 6);
174 wpa_hexdump(MSG_INFO, "RSC", bss->rsc[keyid], 6);
178 if (bss->group_cipher == WPA_CIPHER_TKIP)
179 decrypted = tkip_decrypt(bss->gtk[keyid], hdr, data, len,
181 else if (bss->group_cipher == WPA_CIPHER_WEP40)
182 decrypted = wep_decrypt(wt, hdr, data, len, &dlen);
184 decrypted = ccmp_decrypt(bss->gtk[keyid], hdr, data, len,
187 rx_data_process(wt, bss->bssid, NULL, dst, src, decrypted,
189 os_memcpy(bss->rsc[keyid], pn, 6);
190 write_pcap_decrypted(wt, (const u8 *) hdr, 24 + (qos ? 2 : 0),
197 static void rx_data_bss_prot(struct wlantest *wt,
198 const struct ieee80211_hdr *hdr, const u8 *qos,
199 const u8 *dst, const u8 *src, const u8 *data,
202 struct wlantest_bss *bss;
203 struct wlantest_sta *sta, *sta2;
205 u16 fc = le_to_host16(hdr->frame_control);
210 struct wlantest_tdls *tdls = NULL;
213 if (hdr->addr1[0] & 0x01) {
214 rx_data_bss_prot_group(wt, hdr, qos, dst, src, data, len);
218 if (fc & WLAN_FC_TODS) {
219 bss = bss_get(wt, hdr->addr1);
222 sta = sta_get(bss, hdr->addr2);
224 sta->counters[WLANTEST_STA_COUNTER_PROT_DATA_TX]++;
225 } else if (fc & WLAN_FC_FROMDS) {
226 bss = bss_get(wt, hdr->addr2);
229 sta = sta_get(bss, hdr->addr1);
231 bss = bss_get(wt, hdr->addr3);
234 sta = sta_find(bss, hdr->addr2);
235 sta2 = sta_find(bss, hdr->addr1);
236 if (sta == NULL || sta2 == NULL)
238 dl_list_for_each(tdls, &bss->tdls, struct wlantest_tdls, list)
240 if ((tdls->init == sta && tdls->resp == sta2) ||
241 (tdls->init == sta2 && tdls->resp == sta)) {
243 wpa_printf(MSG_DEBUG, "TDLS: Link not "
244 "up, but Data frame seen");
251 (!sta->ptk_set && sta->pairwise_cipher != WPA_CIPHER_WEP40)) &&
253 wpa_printf(MSG_MSGDUMP, "No PTK known to decrypt the frame");
258 wpa_printf(MSG_INFO, "Too short encrypted data frame");
262 if (sta->pairwise_cipher & (WPA_CIPHER_TKIP | WPA_CIPHER_CCMP) &&
264 wpa_printf(MSG_INFO, "Expected TKIP/CCMP frame from "
265 MACSTR " did not have ExtIV bit set to 1",
270 if (tk == NULL && sta->pairwise_cipher == WPA_CIPHER_TKIP) {
271 if (data[3] & 0x1f) {
272 wpa_printf(MSG_INFO, "TKIP frame from " MACSTR " used "
273 "non-zero reserved bit",
274 MAC2STR(hdr->addr2));
276 if (data[1] != ((data[0] | 0x20) & 0x7f)) {
277 wpa_printf(MSG_INFO, "TKIP frame from " MACSTR " used "
278 "incorrect WEPSeed[1] (was 0x%x, expected "
280 MAC2STR(hdr->addr2), data[1],
281 (data[0] | 0x20) & 0x7f);
283 } else if (tk || sta->pairwise_cipher == WPA_CIPHER_CCMP) {
284 if (data[2] != 0 || (data[3] & 0x1f) != 0) {
285 wpa_printf(MSG_INFO, "CCMP frame from " MACSTR " used "
286 "non-zero reserved bit",
287 MAC2STR(hdr->addr2));
291 keyid = data[3] >> 6;
293 wpa_printf(MSG_INFO, "Unexpected non-zero KeyID %d in "
294 "individually addressed Data frame from " MACSTR,
295 keyid, MAC2STR(hdr->addr2));
303 if (os_memcmp(hdr->addr2, tdls->init->addr, ETH_ALEN) == 0)
304 rsc = tdls->rsc_init[tid];
306 rsc = tdls->rsc_resp[tid];
307 } else if (fc & WLAN_FC_TODS)
308 rsc = sta->rsc_tods[tid];
310 rsc = sta->rsc_fromds[tid];
313 if (tk == NULL && sta->pairwise_cipher == WPA_CIPHER_TKIP)
314 tkip_get_pn(pn, data);
315 else if (sta->pairwise_cipher == WPA_CIPHER_WEP40)
316 goto skip_replay_det;
318 ccmp_get_pn(pn, data);
319 if (os_memcmp(pn, rsc, 6) <= 0) {
320 u16 seq_ctrl = le_to_host16(hdr->seq_ctrl);
321 wpa_printf(MSG_INFO, "CCMP/TKIP replay detected: A1=" MACSTR
322 " A2=" MACSTR " A3=" MACSTR " seq=%u frag=%u",
323 MAC2STR(hdr->addr1), MAC2STR(hdr->addr2),
325 WLAN_GET_SEQ_SEQ(seq_ctrl),
326 WLAN_GET_SEQ_FRAG(seq_ctrl));
327 wpa_hexdump(MSG_INFO, "RX PN", pn, 6);
328 wpa_hexdump(MSG_INFO, "RSC", rsc, 6);
333 decrypted = ccmp_decrypt(tk, hdr, data, len, &dlen);
334 else if (sta->pairwise_cipher == WPA_CIPHER_TKIP)
335 decrypted = tkip_decrypt(sta->ptk.tk1, hdr, data, len, &dlen);
336 else if (sta->pairwise_cipher == WPA_CIPHER_WEP40)
337 decrypted = wep_decrypt(wt, hdr, data, len, &dlen);
339 decrypted = ccmp_decrypt(sta->ptk.tk1, hdr, data, len, &dlen);
341 u16 fc = le_to_host16(hdr->frame_control);
342 const u8 *peer_addr = NULL;
343 if (!(fc & (WLAN_FC_FROMDS | WLAN_FC_TODS)))
344 peer_addr = hdr->addr1;
345 rx_data_process(wt, bss->bssid, sta->addr, dst, src, decrypted,
347 os_memcpy(rsc, pn, 6);
348 write_pcap_decrypted(wt, (const u8 *) hdr, 24 + (qos ? 2 : 0),
355 static void rx_data_bss(struct wlantest *wt, const struct ieee80211_hdr *hdr,
356 const u8 *qos, const u8 *dst, const u8 *src,
357 const u8 *data, size_t len)
359 u16 fc = le_to_host16(hdr->frame_control);
360 int prot = !!(fc & WLAN_FC_ISWEP);
363 u8 ack = (qos[0] & 0x60) >> 5;
364 wpa_printf(MSG_MSGDUMP, "BSS DATA: " MACSTR " -> " MACSTR
365 " len=%u%s tid=%u%s%s",
366 MAC2STR(src), MAC2STR(dst), (unsigned int) len,
367 prot ? " Prot" : "", qos[0] & 0x0f,
368 (qos[0] & 0x10) ? " EOSP" : "",
370 (ack == 1 ? " NoAck" :
371 (ack == 2 ? " NoExpAck" : " BA")));
373 wpa_printf(MSG_MSGDUMP, "BSS DATA: " MACSTR " -> " MACSTR
375 MAC2STR(src), MAC2STR(dst), (unsigned int) len,
376 prot ? " Prot" : "");
380 rx_data_bss_prot(wt, hdr, qos, dst, src, data, len);
382 const u8 *bssid, *sta_addr, *peer_addr;
383 if (fc & WLAN_FC_TODS) {
385 sta_addr = hdr->addr2;
387 } else if (fc & WLAN_FC_FROMDS) {
389 sta_addr = hdr->addr1;
393 sta_addr = hdr->addr2;
394 peer_addr = hdr->addr1;
396 rx_data_process(wt, bssid, sta_addr, dst, src, data, len, 0,
402 static struct wlantest_tdls * get_tdls(struct wlantest *wt, const u8 *bssid,
406 struct wlantest_bss *bss;
407 struct wlantest_sta *sta1, *sta2;
408 struct wlantest_tdls *tdls;
410 bss = bss_find(wt, bssid);
413 sta1 = sta_find(bss, sta1_addr);
416 sta2 = sta_find(bss, sta2_addr);
420 dl_list_for_each(tdls, &bss->tdls, struct wlantest_tdls, list) {
421 if ((tdls->init == sta1 && tdls->resp == sta2) ||
422 (tdls->init == sta2 && tdls->resp == sta1))
430 static void add_direct_link(struct wlantest *wt, const u8 *bssid,
431 const u8 *sta1_addr, const u8 *sta2_addr)
433 struct wlantest_tdls *tdls;
435 tdls = get_tdls(wt, bssid, sta1_addr, sta2_addr);
440 tdls->counters[WLANTEST_TDLS_COUNTER_VALID_DIRECT_LINK]++;
442 tdls->counters[WLANTEST_TDLS_COUNTER_INVALID_DIRECT_LINK]++;
446 static void add_ap_path(struct wlantest *wt, const u8 *bssid,
447 const u8 *sta1_addr, const u8 *sta2_addr)
449 struct wlantest_tdls *tdls;
451 tdls = get_tdls(wt, bssid, sta1_addr, sta2_addr);
456 tdls->counters[WLANTEST_TDLS_COUNTER_INVALID_AP_PATH]++;
458 tdls->counters[WLANTEST_TDLS_COUNTER_VALID_AP_PATH]++;
462 void rx_data(struct wlantest *wt, const u8 *data, size_t len)
464 const struct ieee80211_hdr *hdr;
467 const u8 *qos = NULL;
472 hdr = (const struct ieee80211_hdr *) data;
473 fc = le_to_host16(hdr->frame_control);
474 stype = WLAN_FC_GET_STYPE(fc);
476 if ((fc & (WLAN_FC_TODS | WLAN_FC_FROMDS)) ==
477 (WLAN_FC_TODS | WLAN_FC_FROMDS))
487 switch (fc & (WLAN_FC_TODS | WLAN_FC_FROMDS)) {
489 wpa_printf(MSG_EXCESSIVE, "DATA %s%s%s IBSS DA=" MACSTR " SA="
490 MACSTR " BSSID=" MACSTR,
491 data_stype(WLAN_FC_GET_STYPE(fc)),
492 fc & WLAN_FC_PWRMGT ? " PwrMgt" : "",
493 fc & WLAN_FC_ISWEP ? " Prot" : "",
494 MAC2STR(hdr->addr1), MAC2STR(hdr->addr2),
495 MAC2STR(hdr->addr3));
496 add_direct_link(wt, hdr->addr3, hdr->addr1, hdr->addr2);
497 rx_data_bss(wt, hdr, qos, hdr->addr1, hdr->addr2,
498 data + hdrlen, len - hdrlen);
501 wpa_printf(MSG_EXCESSIVE, "DATA %s%s%s FromDS DA=" MACSTR
502 " BSSID=" MACSTR " SA=" MACSTR,
503 data_stype(WLAN_FC_GET_STYPE(fc)),
504 fc & WLAN_FC_PWRMGT ? " PwrMgt" : "",
505 fc & WLAN_FC_ISWEP ? " Prot" : "",
506 MAC2STR(hdr->addr1), MAC2STR(hdr->addr2),
507 MAC2STR(hdr->addr3));
508 add_ap_path(wt, hdr->addr2, hdr->addr1, hdr->addr3);
509 rx_data_bss(wt, hdr, qos, hdr->addr1, hdr->addr2,
510 data + hdrlen, len - hdrlen);
513 wpa_printf(MSG_EXCESSIVE, "DATA %s%s%s ToDS BSSID=" MACSTR
514 " SA=" MACSTR " DA=" MACSTR,
515 data_stype(WLAN_FC_GET_STYPE(fc)),
516 fc & WLAN_FC_PWRMGT ? " PwrMgt" : "",
517 fc & WLAN_FC_ISWEP ? " Prot" : "",
518 MAC2STR(hdr->addr1), MAC2STR(hdr->addr2),
519 MAC2STR(hdr->addr3));
520 add_ap_path(wt, hdr->addr1, hdr->addr3, hdr->addr2);
521 rx_data_bss(wt, hdr, qos, hdr->addr3, hdr->addr2,
522 data + hdrlen, len - hdrlen);
524 case WLAN_FC_TODS | WLAN_FC_FROMDS:
525 wpa_printf(MSG_EXCESSIVE, "DATA %s%s%s WDS RA=" MACSTR " TA="
526 MACSTR " DA=" MACSTR " SA=" MACSTR,
527 data_stype(WLAN_FC_GET_STYPE(fc)),
528 fc & WLAN_FC_PWRMGT ? " PwrMgt" : "",
529 fc & WLAN_FC_ISWEP ? " Prot" : "",
530 MAC2STR(hdr->addr1), MAC2STR(hdr->addr2),
532 MAC2STR((const u8 *) (hdr + 1)));