2 * Received Data frame processing
3 * Copyright (c) 2010, Jouni Malinen <j@w1.fi>
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
9 #include "utils/includes.h"
10 #include <linux/if_ether.h>
12 #include "utils/common.h"
13 #include "common/defs.h"
14 #include "common/ieee802_11_defs.h"
18 static const char * data_stype(u16 stype)
21 case WLAN_FC_STYPE_DATA:
23 case WLAN_FC_STYPE_DATA_CFACK:
25 case WLAN_FC_STYPE_DATA_CFPOLL:
27 case WLAN_FC_STYPE_DATA_CFACKPOLL:
28 return "DATA-CFACKPOLL";
29 case WLAN_FC_STYPE_NULLFUNC:
31 case WLAN_FC_STYPE_CFACK:
33 case WLAN_FC_STYPE_CFPOLL:
35 case WLAN_FC_STYPE_CFACKPOLL:
37 case WLAN_FC_STYPE_QOS_DATA:
39 case WLAN_FC_STYPE_QOS_DATA_CFACK:
40 return "QOSDATA-CFACK";
41 case WLAN_FC_STYPE_QOS_DATA_CFPOLL:
42 return "QOSDATA-CFPOLL";
43 case WLAN_FC_STYPE_QOS_DATA_CFACKPOLL:
44 return "QOSDATA-CFACKPOLL";
45 case WLAN_FC_STYPE_QOS_NULL:
47 case WLAN_FC_STYPE_QOS_CFPOLL:
49 case WLAN_FC_STYPE_QOS_CFACKPOLL:
50 return "QOS-CFACKPOLL";
56 static void rx_data_eth(struct wlantest *wt, const u8 *bssid,
57 const u8 *sta_addr, const u8 *dst, const u8 *src,
58 u16 ethertype, const u8 *data, size_t len, int prot,
63 rx_data_eapol(wt, dst, src, data, len, prot);
66 rx_data_ip(wt, bssid, sta_addr, dst, src, data, len,
70 rx_data_80211_encap(wt, bssid, sta_addr, dst, src, data, len);
76 static void rx_data_process(struct wlantest *wt, const u8 *bssid,
78 const u8 *dst, const u8 *src,
79 const u8 *data, size_t len, int prot,
85 if (len >= 8 && os_memcmp(data, "\xaa\xaa\x03\x00\x00\x00", 6) == 0) {
86 rx_data_eth(wt, bssid, sta_addr, dst, src,
87 WPA_GET_BE16(data + 6), data + 8, len - 8, prot,
92 wpa_hexdump(MSG_DEBUG, "Unrecognized LLC", data, len > 8 ? 8 : len);
96 static u8 * try_all_ptk(struct wlantest *wt, int pairwise_cipher,
97 const struct ieee80211_hdr *hdr,
98 const u8 *data, size_t data_len, size_t *decrypted_len)
100 struct wlantest_ptk *ptk;
102 int prev_level = wpa_debug_level;
104 wpa_debug_level = MSG_WARNING;
105 dl_list_for_each(ptk, &wt->ptk, struct wlantest_ptk, list) {
107 if ((pairwise_cipher == WPA_CIPHER_CCMP ||
108 pairwise_cipher == 0) && ptk->ptk_len == 48) {
109 decrypted = ccmp_decrypt(ptk->ptk.tk1, hdr, data,
110 data_len, decrypted_len);
112 if ((pairwise_cipher == WPA_CIPHER_TKIP ||
113 pairwise_cipher == 0) && ptk->ptk_len == 64) {
114 decrypted = tkip_decrypt(ptk->ptk.tk1, hdr, data,
115 data_len, decrypted_len);
118 wpa_debug_level = prev_level;
119 add_note(wt, MSG_DEBUG, "Found PTK match from list of all known PTKs");
123 wpa_debug_level = prev_level;
129 static void rx_data_bss_prot_group(struct wlantest *wt,
130 const struct ieee80211_hdr *hdr,
131 const u8 *qos, const u8 *dst, const u8 *src,
132 const u8 *data, size_t len)
134 struct wlantest_bss *bss;
140 bss = bss_get(wt, hdr->addr2);
144 add_note(wt, MSG_INFO, "Too short group addressed data frame");
148 if (bss->group_cipher & (WPA_CIPHER_TKIP | WPA_CIPHER_CCMP) &&
150 add_note(wt, MSG_INFO, "Expected TKIP/CCMP frame from "
151 MACSTR " did not have ExtIV bit set to 1",
152 MAC2STR(bss->bssid));
156 if (bss->group_cipher == WPA_CIPHER_TKIP) {
157 if (data[3] & 0x1f) {
158 add_note(wt, MSG_INFO, "TKIP frame from " MACSTR
159 " used non-zero reserved bit",
160 MAC2STR(bss->bssid));
162 if (data[1] != ((data[0] | 0x20) & 0x7f)) {
163 add_note(wt, MSG_INFO, "TKIP frame from " MACSTR
164 " used incorrect WEPSeed[1] (was 0x%x, "
166 MAC2STR(bss->bssid), data[1],
167 (data[0] | 0x20) & 0x7f);
169 } else if (bss->group_cipher == WPA_CIPHER_CCMP) {
170 if (data[2] != 0 || (data[3] & 0x1f) != 0) {
171 add_note(wt, MSG_INFO, "CCMP frame from " MACSTR
172 " used non-zero reserved bit",
173 MAC2STR(bss->bssid));
177 keyid = data[3] >> 6;
178 if (bss->gtk_len[keyid] == 0 && bss->group_cipher != WPA_CIPHER_WEP40)
180 add_note(wt, MSG_MSGDUMP, "No GTK known to decrypt the frame "
181 "(A2=" MACSTR " KeyID=%d)",
182 MAC2STR(hdr->addr2), keyid);
186 if (bss->group_cipher == WPA_CIPHER_TKIP)
187 tkip_get_pn(pn, data);
188 else if (bss->group_cipher == WPA_CIPHER_WEP40)
189 goto skip_replay_det;
191 ccmp_get_pn(pn, data);
192 if (os_memcmp(pn, bss->rsc[keyid], 6) <= 0) {
193 u16 seq_ctrl = le_to_host16(hdr->seq_ctrl);
194 add_note(wt, MSG_INFO, "CCMP/TKIP replay detected: A1=" MACSTR
195 " A2=" MACSTR " A3=" MACSTR " seq=%u frag=%u",
196 MAC2STR(hdr->addr1), MAC2STR(hdr->addr2),
198 WLAN_GET_SEQ_SEQ(seq_ctrl),
199 WLAN_GET_SEQ_FRAG(seq_ctrl));
200 wpa_hexdump(MSG_INFO, "RX PN", pn, 6);
201 wpa_hexdump(MSG_INFO, "RSC", bss->rsc[keyid], 6);
205 if (bss->group_cipher == WPA_CIPHER_TKIP)
206 decrypted = tkip_decrypt(bss->gtk[keyid], hdr, data, len,
208 else if (bss->group_cipher == WPA_CIPHER_WEP40)
209 decrypted = wep_decrypt(wt, hdr, data, len, &dlen);
211 decrypted = ccmp_decrypt(bss->gtk[keyid], hdr, data, len,
214 rx_data_process(wt, bss->bssid, NULL, dst, src, decrypted,
216 os_memcpy(bss->rsc[keyid], pn, 6);
217 write_pcap_decrypted(wt, (const u8 *) hdr, 24 + (qos ? 2 : 0),
220 add_note(wt, MSG_DEBUG, "Failed to decrypt frame");
225 static void rx_data_bss_prot(struct wlantest *wt,
226 const struct ieee80211_hdr *hdr, const u8 *qos,
227 const u8 *dst, const u8 *src, const u8 *data,
230 struct wlantest_bss *bss;
231 struct wlantest_sta *sta, *sta2;
233 u16 fc = le_to_host16(hdr->frame_control);
238 struct wlantest_tdls *tdls = NULL, *found;
240 int ptk_iter_done = 0;
241 int try_ptk_iter = 0;
243 if (hdr->addr1[0] & 0x01) {
244 rx_data_bss_prot_group(wt, hdr, qos, dst, src, data, len);
248 if (fc & WLAN_FC_TODS) {
249 bss = bss_get(wt, hdr->addr1);
252 sta = sta_get(bss, hdr->addr2);
254 sta->counters[WLANTEST_STA_COUNTER_PROT_DATA_TX]++;
255 } else if (fc & WLAN_FC_FROMDS) {
256 bss = bss_get(wt, hdr->addr2);
259 sta = sta_get(bss, hdr->addr1);
261 bss = bss_get(wt, hdr->addr3);
264 sta = sta_find(bss, hdr->addr2);
265 sta2 = sta_find(bss, hdr->addr1);
266 if (sta == NULL || sta2 == NULL)
269 dl_list_for_each(tdls, &bss->tdls, struct wlantest_tdls, list)
271 if ((tdls->init == sta && tdls->resp == sta2) ||
272 (tdls->init == sta2 && tdls->resp == sta)) {
280 add_note(wt, MSG_DEBUG,
281 "TDLS: Link not up, but Data "
288 (!sta->ptk_set && sta->pairwise_cipher != WPA_CIPHER_WEP40)) &&
290 add_note(wt, MSG_MSGDUMP, "No PTK known to decrypt the frame");
291 if (dl_list_empty(&wt->ptk))
297 add_note(wt, MSG_INFO, "Too short encrypted data frame");
303 if (sta->pairwise_cipher & (WPA_CIPHER_TKIP | WPA_CIPHER_CCMP) &&
305 add_note(wt, MSG_INFO, "Expected TKIP/CCMP frame from "
306 MACSTR " did not have ExtIV bit set to 1",
311 if (tk == NULL && sta->pairwise_cipher == WPA_CIPHER_TKIP) {
312 if (data[3] & 0x1f) {
313 add_note(wt, MSG_INFO, "TKIP frame from " MACSTR
314 " used non-zero reserved bit",
315 MAC2STR(hdr->addr2));
317 if (data[1] != ((data[0] | 0x20) & 0x7f)) {
318 add_note(wt, MSG_INFO, "TKIP frame from " MACSTR
319 " used incorrect WEPSeed[1] (was 0x%x, "
321 MAC2STR(hdr->addr2), data[1],
322 (data[0] | 0x20) & 0x7f);
324 } else if (tk || sta->pairwise_cipher == WPA_CIPHER_CCMP) {
325 if (data[2] != 0 || (data[3] & 0x1f) != 0) {
326 add_note(wt, MSG_INFO, "CCMP frame from " MACSTR
327 " used non-zero reserved bit",
328 MAC2STR(hdr->addr2));
332 keyid = data[3] >> 6;
334 add_note(wt, MSG_INFO, "Unexpected non-zero KeyID %d in "
335 "individually addressed Data frame from " MACSTR,
336 keyid, MAC2STR(hdr->addr2));
341 if (fc & WLAN_FC_TODS)
347 if (fc & WLAN_FC_TODS)
353 if (os_memcmp(hdr->addr2, tdls->init->addr, ETH_ALEN) == 0)
354 rsc = tdls->rsc_init[tid];
356 rsc = tdls->rsc_resp[tid];
357 } else if (fc & WLAN_FC_TODS)
358 rsc = sta->rsc_tods[tid];
360 rsc = sta->rsc_fromds[tid];
363 if (tk == NULL && sta->pairwise_cipher == WPA_CIPHER_TKIP)
364 tkip_get_pn(pn, data);
365 else if (sta->pairwise_cipher == WPA_CIPHER_WEP40)
366 goto skip_replay_det;
368 ccmp_get_pn(pn, data);
369 if (os_memcmp(pn, rsc, 6) <= 0) {
370 u16 seq_ctrl = le_to_host16(hdr->seq_ctrl);
371 add_note(wt, MSG_INFO, "CCMP/TKIP replay detected: A1=" MACSTR
372 " A2=" MACSTR " A3=" MACSTR " seq=%u frag=%u",
373 MAC2STR(hdr->addr1), MAC2STR(hdr->addr2),
375 WLAN_GET_SEQ_SEQ(seq_ctrl),
376 WLAN_GET_SEQ_FRAG(seq_ctrl));
377 wpa_hexdump(MSG_INFO, "RX PN", pn, 6);
378 wpa_hexdump(MSG_INFO, "RSC", rsc, 6);
383 decrypted = ccmp_decrypt(tk, hdr, data, len, &dlen);
384 else if (sta->pairwise_cipher == WPA_CIPHER_TKIP)
385 decrypted = tkip_decrypt(sta->ptk.tk1, hdr, data, len, &dlen);
386 else if (sta->pairwise_cipher == WPA_CIPHER_WEP40)
387 decrypted = wep_decrypt(wt, hdr, data, len, &dlen);
388 else if (sta->ptk_set)
389 decrypted = ccmp_decrypt(sta->ptk.tk1, hdr, data, len, &dlen);
391 decrypted = try_all_ptk(wt, sta->pairwise_cipher, hdr, data,
395 if (!decrypted && !ptk_iter_done) {
396 decrypted = try_all_ptk(wt, sta->pairwise_cipher, hdr, data,
399 add_note(wt, MSG_DEBUG, "Current PTK did not work, but found a match from all known PTKs");
403 u16 fc = le_to_host16(hdr->frame_control);
404 const u8 *peer_addr = NULL;
405 if (!(fc & (WLAN_FC_FROMDS | WLAN_FC_TODS)))
406 peer_addr = hdr->addr1;
407 os_memcpy(rsc, pn, 6);
408 rx_data_process(wt, bss->bssid, sta->addr, dst, src, decrypted,
410 write_pcap_decrypted(wt, (const u8 *) hdr, 24 + (qos ? 2 : 0),
412 } else if (!try_ptk_iter)
413 add_note(wt, MSG_DEBUG, "Failed to decrypt frame");
418 static void rx_data_bss(struct wlantest *wt, const struct ieee80211_hdr *hdr,
419 const u8 *qos, const u8 *dst, const u8 *src,
420 const u8 *data, size_t len)
422 u16 fc = le_to_host16(hdr->frame_control);
423 int prot = !!(fc & WLAN_FC_ISWEP);
426 u8 ack = (qos[0] & 0x60) >> 5;
427 wpa_printf(MSG_MSGDUMP, "BSS DATA: " MACSTR " -> " MACSTR
428 " len=%u%s tid=%u%s%s",
429 MAC2STR(src), MAC2STR(dst), (unsigned int) len,
430 prot ? " Prot" : "", qos[0] & 0x0f,
431 (qos[0] & 0x10) ? " EOSP" : "",
433 (ack == 1 ? " NoAck" :
434 (ack == 2 ? " NoExpAck" : " BA")));
436 wpa_printf(MSG_MSGDUMP, "BSS DATA: " MACSTR " -> " MACSTR
438 MAC2STR(src), MAC2STR(dst), (unsigned int) len,
439 prot ? " Prot" : "");
443 rx_data_bss_prot(wt, hdr, qos, dst, src, data, len);
445 const u8 *bssid, *sta_addr, *peer_addr;
446 struct wlantest_bss *bss;
448 if (fc & WLAN_FC_TODS) {
450 sta_addr = hdr->addr2;
452 } else if (fc & WLAN_FC_FROMDS) {
454 sta_addr = hdr->addr1;
458 sta_addr = hdr->addr2;
459 peer_addr = hdr->addr1;
462 bss = bss_get(wt, bssid);
464 struct wlantest_sta *sta = sta_get(bss, sta_addr);
468 int tid = qos[0] & 0x0f;
469 if (fc & WLAN_FC_TODS)
474 if (fc & WLAN_FC_TODS)
482 rx_data_process(wt, bssid, sta_addr, dst, src, data, len, 0,
488 static struct wlantest_tdls * get_tdls(struct wlantest *wt, const u8 *bssid,
492 struct wlantest_bss *bss;
493 struct wlantest_sta *sta1, *sta2;
494 struct wlantest_tdls *tdls, *found = NULL;
496 bss = bss_find(wt, bssid);
499 sta1 = sta_find(bss, sta1_addr);
502 sta2 = sta_find(bss, sta2_addr);
506 dl_list_for_each(tdls, &bss->tdls, struct wlantest_tdls, list) {
507 if ((tdls->init == sta1 && tdls->resp == sta2) ||
508 (tdls->init == sta2 && tdls->resp == sta1)) {
519 static void add_direct_link(struct wlantest *wt, const u8 *bssid,
520 const u8 *sta1_addr, const u8 *sta2_addr)
522 struct wlantest_tdls *tdls;
524 tdls = get_tdls(wt, bssid, sta1_addr, sta2_addr);
529 tdls->counters[WLANTEST_TDLS_COUNTER_VALID_DIRECT_LINK]++;
531 tdls->counters[WLANTEST_TDLS_COUNTER_INVALID_DIRECT_LINK]++;
535 static void add_ap_path(struct wlantest *wt, const u8 *bssid,
536 const u8 *sta1_addr, const u8 *sta2_addr)
538 struct wlantest_tdls *tdls;
540 tdls = get_tdls(wt, bssid, sta1_addr, sta2_addr);
545 tdls->counters[WLANTEST_TDLS_COUNTER_INVALID_AP_PATH]++;
547 tdls->counters[WLANTEST_TDLS_COUNTER_VALID_AP_PATH]++;
551 void rx_data(struct wlantest *wt, const u8 *data, size_t len)
553 const struct ieee80211_hdr *hdr;
556 const u8 *qos = NULL;
561 hdr = (const struct ieee80211_hdr *) data;
562 fc = le_to_host16(hdr->frame_control);
563 stype = WLAN_FC_GET_STYPE(fc);
565 if ((fc & (WLAN_FC_TODS | WLAN_FC_FROMDS)) ==
566 (WLAN_FC_TODS | WLAN_FC_FROMDS))
576 switch (fc & (WLAN_FC_TODS | WLAN_FC_FROMDS)) {
578 wpa_printf(MSG_EXCESSIVE, "DATA %s%s%s IBSS DA=" MACSTR " SA="
579 MACSTR " BSSID=" MACSTR,
580 data_stype(WLAN_FC_GET_STYPE(fc)),
581 fc & WLAN_FC_PWRMGT ? " PwrMgt" : "",
582 fc & WLAN_FC_ISWEP ? " Prot" : "",
583 MAC2STR(hdr->addr1), MAC2STR(hdr->addr2),
584 MAC2STR(hdr->addr3));
585 add_direct_link(wt, hdr->addr3, hdr->addr1, hdr->addr2);
586 rx_data_bss(wt, hdr, qos, hdr->addr1, hdr->addr2,
587 data + hdrlen, len - hdrlen);
590 wpa_printf(MSG_EXCESSIVE, "DATA %s%s%s FromDS DA=" MACSTR
591 " BSSID=" MACSTR " SA=" MACSTR,
592 data_stype(WLAN_FC_GET_STYPE(fc)),
593 fc & WLAN_FC_PWRMGT ? " PwrMgt" : "",
594 fc & WLAN_FC_ISWEP ? " Prot" : "",
595 MAC2STR(hdr->addr1), MAC2STR(hdr->addr2),
596 MAC2STR(hdr->addr3));
597 add_ap_path(wt, hdr->addr2, hdr->addr1, hdr->addr3);
598 rx_data_bss(wt, hdr, qos, hdr->addr1, hdr->addr3,
599 data + hdrlen, len - hdrlen);
602 wpa_printf(MSG_EXCESSIVE, "DATA %s%s%s ToDS BSSID=" MACSTR
603 " SA=" MACSTR " DA=" MACSTR,
604 data_stype(WLAN_FC_GET_STYPE(fc)),
605 fc & WLAN_FC_PWRMGT ? " PwrMgt" : "",
606 fc & WLAN_FC_ISWEP ? " Prot" : "",
607 MAC2STR(hdr->addr1), MAC2STR(hdr->addr2),
608 MAC2STR(hdr->addr3));
609 add_ap_path(wt, hdr->addr1, hdr->addr3, hdr->addr2);
610 rx_data_bss(wt, hdr, qos, hdr->addr3, hdr->addr2,
611 data + hdrlen, len - hdrlen);
613 case WLAN_FC_TODS | WLAN_FC_FROMDS:
614 wpa_printf(MSG_EXCESSIVE, "DATA %s%s%s WDS RA=" MACSTR " TA="
615 MACSTR " DA=" MACSTR " SA=" MACSTR,
616 data_stype(WLAN_FC_GET_STYPE(fc)),
617 fc & WLAN_FC_PWRMGT ? " PwrMgt" : "",
618 fc & WLAN_FC_ISWEP ? " Prot" : "",
619 MAC2STR(hdr->addr1), MAC2STR(hdr->addr2),
621 MAC2STR((const u8 *) (hdr + 1)));