2 * Received Data frame processing
3 * Copyright (c) 2010-2015, Jouni Malinen <j@w1.fi>
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
9 #include "utils/includes.h"
11 #include "utils/common.h"
12 #include "common/defs.h"
13 #include "common/ieee802_11_defs.h"
17 static const char * data_stype(u16 stype)
20 case WLAN_FC_STYPE_DATA:
22 case WLAN_FC_STYPE_DATA_CFACK:
24 case WLAN_FC_STYPE_DATA_CFPOLL:
26 case WLAN_FC_STYPE_DATA_CFACKPOLL:
27 return "DATA-CFACKPOLL";
28 case WLAN_FC_STYPE_NULLFUNC:
30 case WLAN_FC_STYPE_CFACK:
32 case WLAN_FC_STYPE_CFPOLL:
34 case WLAN_FC_STYPE_CFACKPOLL:
36 case WLAN_FC_STYPE_QOS_DATA:
38 case WLAN_FC_STYPE_QOS_DATA_CFACK:
39 return "QOSDATA-CFACK";
40 case WLAN_FC_STYPE_QOS_DATA_CFPOLL:
41 return "QOSDATA-CFPOLL";
42 case WLAN_FC_STYPE_QOS_DATA_CFACKPOLL:
43 return "QOSDATA-CFACKPOLL";
44 case WLAN_FC_STYPE_QOS_NULL:
46 case WLAN_FC_STYPE_QOS_CFPOLL:
48 case WLAN_FC_STYPE_QOS_CFACKPOLL:
49 return "QOS-CFACKPOLL";
55 static void rx_data_eth(struct wlantest *wt, const u8 *bssid,
56 const u8 *sta_addr, const u8 *dst, const u8 *src,
57 u16 ethertype, const u8 *data, size_t len, int prot,
62 rx_data_eapol(wt, dst, src, data, len, prot);
65 rx_data_ip(wt, bssid, sta_addr, dst, src, data, len,
69 rx_data_80211_encap(wt, bssid, sta_addr, dst, src, data, len);
75 static void rx_data_process(struct wlantest *wt, const u8 *bssid,
77 const u8 *dst, const u8 *src,
78 const u8 *data, size_t len, int prot,
84 if (len >= 8 && os_memcmp(data, "\xaa\xaa\x03\x00\x00\x00", 6) == 0) {
85 rx_data_eth(wt, bssid, sta_addr, dst, src,
86 WPA_GET_BE16(data + 6), data + 8, len - 8, prot,
91 wpa_hexdump(MSG_DEBUG, "Unrecognized LLC", data, len > 8 ? 8 : len);
95 static u8 * try_all_ptk(struct wlantest *wt, int pairwise_cipher,
96 const struct ieee80211_hdr *hdr,
97 const u8 *data, size_t data_len, size_t *decrypted_len)
99 struct wlantest_ptk *ptk;
101 int prev_level = wpa_debug_level;
103 wpa_debug_level = MSG_WARNING;
104 dl_list_for_each(ptk, &wt->ptk, struct wlantest_ptk, list) {
105 unsigned int tk_len = ptk->ptk_len - 32;
107 if ((pairwise_cipher == WPA_CIPHER_CCMP ||
108 pairwise_cipher == 0) && tk_len == 16) {
109 decrypted = ccmp_decrypt(ptk->ptk.tk, hdr, data,
110 data_len, decrypted_len);
111 } else if ((pairwise_cipher == WPA_CIPHER_CCMP_256 ||
112 pairwise_cipher == 0) && tk_len == 32) {
113 decrypted = ccmp_256_decrypt(ptk->ptk.tk, hdr, data,
114 data_len, decrypted_len);
115 } else if ((pairwise_cipher == WPA_CIPHER_GCMP ||
116 pairwise_cipher == WPA_CIPHER_GCMP_256 ||
117 pairwise_cipher == 0) &&
118 (tk_len == 16 || tk_len == 32)) {
119 decrypted = gcmp_decrypt(ptk->ptk.tk, tk_len, hdr,
120 data, data_len, decrypted_len);
121 } else if ((pairwise_cipher == WPA_CIPHER_TKIP ||
122 pairwise_cipher == 0) && tk_len == 32) {
123 decrypted = tkip_decrypt(ptk->ptk.tk, hdr, data,
124 data_len, decrypted_len);
127 wpa_debug_level = prev_level;
128 add_note(wt, MSG_DEBUG, "Found PTK match from list of all known PTKs");
132 wpa_debug_level = prev_level;
138 static void rx_data_bss_prot_group(struct wlantest *wt,
139 const struct ieee80211_hdr *hdr,
140 const u8 *qos, const u8 *dst, const u8 *src,
141 const u8 *data, size_t len)
143 struct wlantest_bss *bss;
145 u8 *decrypted = NULL;
149 bss = bss_get(wt, hdr->addr2);
153 add_note(wt, MSG_INFO, "Too short group addressed data frame");
157 if (bss->group_cipher & (WPA_CIPHER_TKIP | WPA_CIPHER_CCMP) &&
159 add_note(wt, MSG_INFO, "Expected TKIP/CCMP frame from "
160 MACSTR " did not have ExtIV bit set to 1",
161 MAC2STR(bss->bssid));
165 if (bss->group_cipher == WPA_CIPHER_TKIP) {
166 if (data[3] & 0x1f) {
167 add_note(wt, MSG_INFO, "TKIP frame from " MACSTR
168 " used non-zero reserved bit",
169 MAC2STR(bss->bssid));
171 if (data[1] != ((data[0] | 0x20) & 0x7f)) {
172 add_note(wt, MSG_INFO, "TKIP frame from " MACSTR
173 " used incorrect WEPSeed[1] (was 0x%x, "
175 MAC2STR(bss->bssid), data[1],
176 (data[0] | 0x20) & 0x7f);
178 } else if (bss->group_cipher == WPA_CIPHER_CCMP) {
179 if (data[2] != 0 || (data[3] & 0x1f) != 0) {
180 add_note(wt, MSG_INFO, "CCMP frame from " MACSTR
181 " used non-zero reserved bit",
182 MAC2STR(bss->bssid));
186 keyid = data[3] >> 6;
187 if (bss->gtk_len[keyid] == 0 && bss->group_cipher != WPA_CIPHER_WEP40)
189 add_note(wt, MSG_MSGDUMP, "No GTK known to decrypt the frame "
190 "(A2=" MACSTR " KeyID=%d)",
191 MAC2STR(hdr->addr2), keyid);
195 if (bss->group_cipher == WPA_CIPHER_TKIP)
196 tkip_get_pn(pn, data);
197 else if (bss->group_cipher == WPA_CIPHER_WEP40)
198 goto skip_replay_det;
200 ccmp_get_pn(pn, data);
201 if (os_memcmp(pn, bss->rsc[keyid], 6) <= 0) {
202 u16 seq_ctrl = le_to_host16(hdr->seq_ctrl);
203 add_note(wt, MSG_INFO, "CCMP/TKIP replay detected: A1=" MACSTR
204 " A2=" MACSTR " A3=" MACSTR " seq=%u frag=%u%s",
205 MAC2STR(hdr->addr1), MAC2STR(hdr->addr2),
207 WLAN_GET_SEQ_SEQ(seq_ctrl),
208 WLAN_GET_SEQ_FRAG(seq_ctrl),
209 (le_to_host16(hdr->frame_control) & WLAN_FC_RETRY) ?
211 wpa_hexdump(MSG_INFO, "RX PN", pn, 6);
212 wpa_hexdump(MSG_INFO, "RSC", bss->rsc[keyid], 6);
216 if (bss->group_cipher == WPA_CIPHER_TKIP)
217 decrypted = tkip_decrypt(bss->gtk[keyid], hdr, data, len,
219 else if (bss->group_cipher == WPA_CIPHER_WEP40)
220 decrypted = wep_decrypt(wt, hdr, data, len, &dlen);
221 else if (bss->group_cipher == WPA_CIPHER_CCMP)
222 decrypted = ccmp_decrypt(bss->gtk[keyid], hdr, data, len,
224 else if (bss->group_cipher == WPA_CIPHER_CCMP_256)
225 decrypted = ccmp_256_decrypt(bss->gtk[keyid], hdr, data, len,
227 else if (bss->group_cipher == WPA_CIPHER_GCMP ||
228 bss->group_cipher == WPA_CIPHER_GCMP_256)
229 decrypted = gcmp_decrypt(bss->gtk[keyid], bss->gtk_len[keyid],
230 hdr, data, len, &dlen);
233 rx_data_process(wt, bss->bssid, NULL, dst, src, decrypted,
235 os_memcpy(bss->rsc[keyid], pn, 6);
236 write_pcap_decrypted(wt, (const u8 *) hdr, 24 + (qos ? 2 : 0),
239 add_note(wt, MSG_DEBUG, "Failed to decrypt frame");
244 static void rx_data_bss_prot(struct wlantest *wt,
245 const struct ieee80211_hdr *hdr, const u8 *qos,
246 const u8 *dst, const u8 *src, const u8 *data,
249 struct wlantest_bss *bss;
250 struct wlantest_sta *sta, *sta2;
252 u16 fc = le_to_host16(hdr->frame_control);
257 struct wlantest_tdls *tdls = NULL, *found;
259 int ptk_iter_done = 0;
260 int try_ptk_iter = 0;
262 if (hdr->addr1[0] & 0x01) {
263 rx_data_bss_prot_group(wt, hdr, qos, dst, src, data, len);
267 if (fc & WLAN_FC_TODS) {
268 bss = bss_get(wt, hdr->addr1);
271 sta = sta_get(bss, hdr->addr2);
273 sta->counters[WLANTEST_STA_COUNTER_PROT_DATA_TX]++;
274 } else if (fc & WLAN_FC_FROMDS) {
275 bss = bss_get(wt, hdr->addr2);
278 sta = sta_get(bss, hdr->addr1);
280 bss = bss_get(wt, hdr->addr3);
283 sta = sta_find(bss, hdr->addr2);
284 sta2 = sta_find(bss, hdr->addr1);
285 if (sta == NULL || sta2 == NULL)
288 dl_list_for_each(tdls, &bss->tdls, struct wlantest_tdls, list)
290 if ((tdls->init == sta && tdls->resp == sta2) ||
291 (tdls->init == sta2 && tdls->resp == sta)) {
299 add_note(wt, MSG_DEBUG,
300 "TDLS: Link not up, but Data "
307 (!sta->ptk_set && sta->pairwise_cipher != WPA_CIPHER_WEP40)) &&
309 add_note(wt, MSG_MSGDUMP, "No PTK known to decrypt the frame");
310 if (dl_list_empty(&wt->ptk))
316 add_note(wt, MSG_INFO, "Too short encrypted data frame");
322 if (sta->pairwise_cipher & (WPA_CIPHER_TKIP | WPA_CIPHER_CCMP) &&
324 add_note(wt, MSG_INFO, "Expected TKIP/CCMP frame from "
325 MACSTR " did not have ExtIV bit set to 1",
330 if (tk == NULL && sta->pairwise_cipher == WPA_CIPHER_TKIP) {
331 if (data[3] & 0x1f) {
332 add_note(wt, MSG_INFO, "TKIP frame from " MACSTR
333 " used non-zero reserved bit",
334 MAC2STR(hdr->addr2));
336 if (data[1] != ((data[0] | 0x20) & 0x7f)) {
337 add_note(wt, MSG_INFO, "TKIP frame from " MACSTR
338 " used incorrect WEPSeed[1] (was 0x%x, "
340 MAC2STR(hdr->addr2), data[1],
341 (data[0] | 0x20) & 0x7f);
343 } else if (tk || sta->pairwise_cipher == WPA_CIPHER_CCMP) {
344 if (data[2] != 0 || (data[3] & 0x1f) != 0) {
345 add_note(wt, MSG_INFO, "CCMP frame from " MACSTR
346 " used non-zero reserved bit",
347 MAC2STR(hdr->addr2));
351 keyid = data[3] >> 6;
353 add_note(wt, MSG_INFO, "Unexpected non-zero KeyID %d in "
354 "individually addressed Data frame from " MACSTR,
355 keyid, MAC2STR(hdr->addr2));
360 if (fc & WLAN_FC_TODS)
366 if (fc & WLAN_FC_TODS)
372 if (os_memcmp(hdr->addr2, tdls->init->addr, ETH_ALEN) == 0)
373 rsc = tdls->rsc_init[tid];
375 rsc = tdls->rsc_resp[tid];
376 } else if (fc & WLAN_FC_TODS)
377 rsc = sta->rsc_tods[tid];
379 rsc = sta->rsc_fromds[tid];
382 if (tk == NULL && sta->pairwise_cipher == WPA_CIPHER_TKIP)
383 tkip_get_pn(pn, data);
384 else if (sta->pairwise_cipher == WPA_CIPHER_WEP40)
385 goto skip_replay_det;
387 ccmp_get_pn(pn, data);
388 if (os_memcmp(pn, rsc, 6) <= 0) {
389 u16 seq_ctrl = le_to_host16(hdr->seq_ctrl);
390 add_note(wt, MSG_INFO, "CCMP/TKIP replay detected: A1=" MACSTR
391 " A2=" MACSTR " A3=" MACSTR " seq=%u frag=%u%s",
392 MAC2STR(hdr->addr1), MAC2STR(hdr->addr2),
394 WLAN_GET_SEQ_SEQ(seq_ctrl),
395 WLAN_GET_SEQ_FRAG(seq_ctrl),
396 (le_to_host16(hdr->frame_control) & WLAN_FC_RETRY) ?
398 wpa_hexdump(MSG_INFO, "RX PN", pn, 6);
399 wpa_hexdump(MSG_INFO, "RSC", rsc, 6);
404 if (sta->pairwise_cipher == WPA_CIPHER_CCMP_256)
405 decrypted = ccmp_256_decrypt(tk, hdr, data, len, &dlen);
406 else if (sta->pairwise_cipher == WPA_CIPHER_GCMP ||
407 sta->pairwise_cipher == WPA_CIPHER_GCMP_256)
408 decrypted = gcmp_decrypt(tk, sta->tk_len, hdr, data,
411 decrypted = ccmp_decrypt(tk, hdr, data, len, &dlen);
412 } else if (sta->pairwise_cipher == WPA_CIPHER_TKIP) {
413 decrypted = tkip_decrypt(sta->ptk.tk, hdr, data, len, &dlen);
414 } else if (sta->pairwise_cipher == WPA_CIPHER_WEP40) {
415 decrypted = wep_decrypt(wt, hdr, data, len, &dlen);
416 } else if (sta->ptk_set) {
417 if (sta->pairwise_cipher == WPA_CIPHER_CCMP_256)
418 decrypted = ccmp_256_decrypt(sta->ptk.tk, hdr, data,
420 else if (sta->pairwise_cipher == WPA_CIPHER_GCMP ||
421 sta->pairwise_cipher == WPA_CIPHER_GCMP_256)
422 decrypted = gcmp_decrypt(sta->ptk.tk, sta->tk_len,
423 hdr, data, len, &dlen);
425 decrypted = ccmp_decrypt(sta->ptk.tk, hdr, data, len,
428 decrypted = try_all_ptk(wt, sta->pairwise_cipher, hdr, data,
432 if (!decrypted && !ptk_iter_done) {
433 decrypted = try_all_ptk(wt, sta->pairwise_cipher, hdr, data,
436 add_note(wt, MSG_DEBUG, "Current PTK did not work, but found a match from all known PTKs");
440 u16 fc = le_to_host16(hdr->frame_control);
441 const u8 *peer_addr = NULL;
442 if (!(fc & (WLAN_FC_FROMDS | WLAN_FC_TODS)))
443 peer_addr = hdr->addr1;
444 os_memcpy(rsc, pn, 6);
445 rx_data_process(wt, bss->bssid, sta->addr, dst, src, decrypted,
447 write_pcap_decrypted(wt, (const u8 *) hdr, 24 + (qos ? 2 : 0),
449 } else if (!try_ptk_iter)
450 add_note(wt, MSG_DEBUG, "Failed to decrypt frame");
455 static void rx_data_bss(struct wlantest *wt, const struct ieee80211_hdr *hdr,
456 const u8 *qos, const u8 *dst, const u8 *src,
457 const u8 *data, size_t len)
459 u16 fc = le_to_host16(hdr->frame_control);
460 int prot = !!(fc & WLAN_FC_ISWEP);
463 u8 ack = (qos[0] & 0x60) >> 5;
464 wpa_printf(MSG_MSGDUMP, "BSS DATA: " MACSTR " -> " MACSTR
465 " len=%u%s tid=%u%s%s",
466 MAC2STR(src), MAC2STR(dst), (unsigned int) len,
467 prot ? " Prot" : "", qos[0] & 0x0f,
468 (qos[0] & 0x10) ? " EOSP" : "",
470 (ack == 1 ? " NoAck" :
471 (ack == 2 ? " NoExpAck" : " BA")));
473 wpa_printf(MSG_MSGDUMP, "BSS DATA: " MACSTR " -> " MACSTR
475 MAC2STR(src), MAC2STR(dst), (unsigned int) len,
476 prot ? " Prot" : "");
480 rx_data_bss_prot(wt, hdr, qos, dst, src, data, len);
482 const u8 *bssid, *sta_addr, *peer_addr;
483 struct wlantest_bss *bss;
485 if (fc & WLAN_FC_TODS) {
487 sta_addr = hdr->addr2;
489 } else if (fc & WLAN_FC_FROMDS) {
491 sta_addr = hdr->addr1;
495 sta_addr = hdr->addr2;
496 peer_addr = hdr->addr1;
499 bss = bss_get(wt, bssid);
501 struct wlantest_sta *sta = sta_get(bss, sta_addr);
505 int tid = qos[0] & 0x0f;
506 if (fc & WLAN_FC_TODS)
511 if (fc & WLAN_FC_TODS)
519 rx_data_process(wt, bssid, sta_addr, dst, src, data, len, 0,
525 static struct wlantest_tdls * get_tdls(struct wlantest *wt, const u8 *bssid,
529 struct wlantest_bss *bss;
530 struct wlantest_sta *sta1, *sta2;
531 struct wlantest_tdls *tdls, *found = NULL;
533 bss = bss_find(wt, bssid);
536 sta1 = sta_find(bss, sta1_addr);
539 sta2 = sta_find(bss, sta2_addr);
543 dl_list_for_each(tdls, &bss->tdls, struct wlantest_tdls, list) {
544 if ((tdls->init == sta1 && tdls->resp == sta2) ||
545 (tdls->init == sta2 && tdls->resp == sta1)) {
556 static void add_direct_link(struct wlantest *wt, const u8 *bssid,
557 const u8 *sta1_addr, const u8 *sta2_addr)
559 struct wlantest_tdls *tdls;
561 tdls = get_tdls(wt, bssid, sta1_addr, sta2_addr);
566 tdls->counters[WLANTEST_TDLS_COUNTER_VALID_DIRECT_LINK]++;
568 tdls->counters[WLANTEST_TDLS_COUNTER_INVALID_DIRECT_LINK]++;
572 static void add_ap_path(struct wlantest *wt, const u8 *bssid,
573 const u8 *sta1_addr, const u8 *sta2_addr)
575 struct wlantest_tdls *tdls;
577 tdls = get_tdls(wt, bssid, sta1_addr, sta2_addr);
582 tdls->counters[WLANTEST_TDLS_COUNTER_INVALID_AP_PATH]++;
584 tdls->counters[WLANTEST_TDLS_COUNTER_VALID_AP_PATH]++;
588 void rx_data(struct wlantest *wt, const u8 *data, size_t len)
590 const struct ieee80211_hdr *hdr;
593 const u8 *qos = NULL;
598 hdr = (const struct ieee80211_hdr *) data;
599 fc = le_to_host16(hdr->frame_control);
600 stype = WLAN_FC_GET_STYPE(fc);
602 if ((fc & (WLAN_FC_TODS | WLAN_FC_FROMDS)) ==
603 (WLAN_FC_TODS | WLAN_FC_FROMDS))
613 switch (fc & (WLAN_FC_TODS | WLAN_FC_FROMDS)) {
615 wpa_printf(MSG_EXCESSIVE, "DATA %s%s%s IBSS DA=" MACSTR " SA="
616 MACSTR " BSSID=" MACSTR,
617 data_stype(WLAN_FC_GET_STYPE(fc)),
618 fc & WLAN_FC_PWRMGT ? " PwrMgt" : "",
619 fc & WLAN_FC_ISWEP ? " Prot" : "",
620 MAC2STR(hdr->addr1), MAC2STR(hdr->addr2),
621 MAC2STR(hdr->addr3));
622 add_direct_link(wt, hdr->addr3, hdr->addr1, hdr->addr2);
623 rx_data_bss(wt, hdr, qos, hdr->addr1, hdr->addr2,
624 data + hdrlen, len - hdrlen);
627 wpa_printf(MSG_EXCESSIVE, "DATA %s%s%s FromDS DA=" MACSTR
628 " BSSID=" MACSTR " SA=" MACSTR,
629 data_stype(WLAN_FC_GET_STYPE(fc)),
630 fc & WLAN_FC_PWRMGT ? " PwrMgt" : "",
631 fc & WLAN_FC_ISWEP ? " Prot" : "",
632 MAC2STR(hdr->addr1), MAC2STR(hdr->addr2),
633 MAC2STR(hdr->addr3));
634 add_ap_path(wt, hdr->addr2, hdr->addr1, hdr->addr3);
635 rx_data_bss(wt, hdr, qos, hdr->addr1, hdr->addr3,
636 data + hdrlen, len - hdrlen);
639 wpa_printf(MSG_EXCESSIVE, "DATA %s%s%s ToDS BSSID=" MACSTR
640 " SA=" MACSTR " DA=" MACSTR,
641 data_stype(WLAN_FC_GET_STYPE(fc)),
642 fc & WLAN_FC_PWRMGT ? " PwrMgt" : "",
643 fc & WLAN_FC_ISWEP ? " Prot" : "",
644 MAC2STR(hdr->addr1), MAC2STR(hdr->addr2),
645 MAC2STR(hdr->addr3));
646 add_ap_path(wt, hdr->addr1, hdr->addr3, hdr->addr2);
647 rx_data_bss(wt, hdr, qos, hdr->addr3, hdr->addr2,
648 data + hdrlen, len - hdrlen);
650 case WLAN_FC_TODS | WLAN_FC_FROMDS:
651 wpa_printf(MSG_EXCESSIVE, "DATA %s%s%s WDS RA=" MACSTR " TA="
652 MACSTR " DA=" MACSTR " SA=" MACSTR,
653 data_stype(WLAN_FC_GET_STYPE(fc)),
654 fc & WLAN_FC_PWRMGT ? " PwrMgt" : "",
655 fc & WLAN_FC_ISWEP ? " Prot" : "",
656 MAC2STR(hdr->addr1), MAC2STR(hdr->addr2),
658 MAC2STR((const u8 *) (hdr + 1)));
projects / mech_eap.git / blob