Gitiles
Code Review Sign In
192.168.1.100 / T108 / e958203796650e3959a43708d67534bf36f4c83b / . / package / kernel / asr-wl / asr-hostapd / asr-hostapd-2023-06-22 / wlantest / rx_mgmt.c
blob: 62adaa848b090f591c8815457db3a7066e5e7df8 [file] [log] [blame]
b.liue9582032025-04-17 19:18:16 +0800[diff] [blame^]1/*
2 * Received Management frame processing
3 * Copyright (c) 2010-2020, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9#include "utils/includes.h"
10
11#include "utils/common.h"
12#include "common/defs.h"
13#include "common/ieee802_11_defs.h"
14#include "common/ieee802_11_common.h"
15#include "common/wpa_common.h"
16#include "crypto/aes.h"
17#include "crypto/aes_siv.h"
18#include "crypto/aes_wrap.h"
19#include "wlantest.h"
20
21
22static int check_mmie_mic(unsigned int mgmt_group_cipher,
23 const u8 *igtk, size_t igtk_len,
24 const u8 *data, size_t len);
25
26
27static const char * mgmt_stype(u16 stype)
28{
29 switch (stype) {
30 case WLAN_FC_STYPE_ASSOC_REQ:
31 return "ASSOC-REQ";
32 case WLAN_FC_STYPE_ASSOC_RESP:
33 return "ASSOC-RESP";
34 case WLAN_FC_STYPE_REASSOC_REQ:
35 return "REASSOC-REQ";
36 case WLAN_FC_STYPE_REASSOC_RESP:
37 return "REASSOC-RESP";
38 case WLAN_FC_STYPE_PROBE_REQ:
39 return "PROBE-REQ";
40 case WLAN_FC_STYPE_PROBE_RESP:
41 return "PROBE-RESP";
42 case WLAN_FC_STYPE_BEACON:
43 return "BEACON";
44 case WLAN_FC_STYPE_ATIM:
45 return "ATIM";
46 case WLAN_FC_STYPE_DISASSOC:
47 return "DISASSOC";
48 case WLAN_FC_STYPE_AUTH:
49 return "AUTH";
50 case WLAN_FC_STYPE_DEAUTH:
51 return "DEAUTH";
52 case WLAN_FC_STYPE_ACTION:
53 return "ACTION";
54 case WLAN_FC_STYPE_ACTION_NO_ACK:
55 return "ACTION-NO-ACK";
56 }
57 return "??";
58}
59
60
61static void parse_basic_ml(const u8 *ie, size_t len, bool ap)
62{
63 const u8 *pos, *end, *ci_end, *info_end;
64 u16 ctrl, eml, cap;
65 const struct element *elem;
66
67 pos = ie;
68 end = ie + len;
69
70 if (end - pos < 2)
71 return;
72 ctrl = WPA_GET_LE16(pos);
73 wpa_printf(MSG_DEBUG,
74 "Multi-Link Control: Type=%u Reserved=%u Presence Bitmap=0x%x",
75 ctrl & MULTI_LINK_CONTROL_TYPE_MASK,
76 ctrl & BIT(3),
77 ctrl >> 4);
78 pos += 2;
79
80 /* Common Info */
81
82 if (end - pos < 1)
83 return;
84 len = *pos;
85 if (len > end - pos) {
86 wpa_printf(MSG_INFO,
87 "Truncated Multi-Link Common Info (len=%zu left=%zu)",
88 len, (size_t) (end - pos));
89 return;
90 }
91 if (len < 1 + ETH_ALEN) {
92 wpa_printf(MSG_INFO,
93 "No room for MLD MAC Address in Multi-Link Common Info");
94 return;
95 }
96 ci_end = pos + len;
97 pos += 1 + ETH_ALEN;
98
99 if (ctrl & BASIC_MULTI_LINK_CTRL_PRES_LINK_ID) {
100 if (ci_end - pos < 1) {
101 wpa_printf(MSG_INFO,
102 "No room for Link ID Info in Multi-Link Common Info");
103 return;
104 }
105 wpa_printf(MSG_DEBUG, "Link ID Info: 0x%x", *pos);
106 if (!ap)
107 wpa_printf(MSG_INFO,
108 "Unexpected Link ID Info in Common Info from a non-AP STA");
109 pos++;
110 }
111 if (ctrl & BASIC_MULTI_LINK_CTRL_PRES_BSS_PARAM_CH_COUNT) {
112 if (ci_end - pos < 1) {
113 wpa_printf(MSG_INFO,
114 "No room for BSS Parameters Change Count in Multi-Link Common Info");
115 return;
116 }
117 wpa_printf(MSG_DEBUG, "BSS Parameters Change Count: %u", *pos);
118 if (!ap)
119 wpa_printf(MSG_INFO,
120 "Unexpected BSS Parameters Change Count in Common Info from a non-AP STA");
121 pos++;
122 }
123 if (ctrl & BASIC_MULTI_LINK_CTRL_PRES_MSD_INFO) {
124 if (ci_end - pos < 2) {
125 wpa_printf(MSG_INFO,
126 "No room for Medium Synchronization Delay Information in Multi-Link Common Info");
127 return;
128 }
129 wpa_printf(MSG_DEBUG,
130 "Medium Synchronization Delay Information: 0x%x",
131 WPA_GET_LE16(pos));
132 if (!ap)
133 wpa_printf(MSG_INFO,
134 "Unexpected Medium Synchronization Delay Information in Common Info from a non-AP STA");
135 pos += 2;
136 }
137 if (ctrl & BASIC_MULTI_LINK_CTRL_PRES_EML_CAPA) {
138 if (ci_end - pos < 2) {
139 wpa_printf(MSG_INFO,
140 "No room for EML Capabilities in Multi-Link Common Info");
141 return;
142 }
143 eml = WPA_GET_LE16(pos);
144 pos += 2;
145 wpa_printf(MSG_DEBUG,
146 "EML Capabilities: 0x%x (EMLSR=%u EMLSR_Padding_Delay=%u EMLSR_Transition_Delay=%u EMLMR=%u EMLMR_Delay=%u Transition_Timeout=%u Reserved=%u)",
147 eml,
148 !!(eml & EHT_ML_EML_CAPA_EMLSR_SUPP),
149 (eml & EHT_ML_EML_CAPA_EMLSR_PADDING_DELAY_MASK) >>
150 1,
151 (eml & EHT_ML_EML_CAPA_EMLSR_TRANS_DELAY_MASK) >> 4,
152 !!(eml & EHT_ML_EML_CAPA_EMLMR_SUPP),
153 (eml & EHT_ML_EML_CAPA_EMLMR_DELAY_MASK) >> 8,
154 (eml & EHT_ML_EML_CAPA_TRANSITION_TIMEOUT_MASK) >>
155 11,
156 !!(eml & BIT(15)));
157 }
158 if (ctrl & BASIC_MULTI_LINK_CTRL_PRES_MLD_CAPA) {
159 if (ci_end - pos < 2) {
160 wpa_printf(MSG_INFO,
161 "No room for MLD Capabilities and Operations in Multi-Link Common Info");
162 return;
163 }
164 cap = WPA_GET_LE16(pos);
165 pos += 2;
166 wpa_printf(MSG_DEBUG,
167 "MLD Capabilities and Operations: 0x%x (Max_Simultaneous_Links=%u SRS=%u T2L=0x%x Freq_Sep_STR=0x%x AAR=%u Reserved=0x%x)",
168 cap,
169 cap & EHT_ML_MLD_CAPA_MAX_NUM_SIM_LINKS_MASK,
170 !!(cap & EHT_ML_MLD_CAPA_SRS_SUPP),
171 (cap &
172 EHT_ML_MLD_CAPA_TID_TO_LINK_MAP_NEG_SUPP_MSK) >> 5,
173 (cap & EHT_ML_MLD_CAPA_FREQ_SEP_FOR_STR_MASK) >> 7,
174 !!(cap & EHT_ML_MLD_CAPA_AAR_SUPP),
175 (cap & 0xe000) >> 13);
176 }
177 if (ctrl & BASIC_MULTI_LINK_CTRL_PRES_AP_MLD_ID) {
178 if (ci_end - pos < 1) {
179 wpa_printf(MSG_INFO,
180 "No room for AP MLD ID in Multi-Link Common Info");
181 return;
182 }
183 wpa_printf(MSG_DEBUG, "AP MLD ID: %u", *pos);
184 pos++;
185 }
186
187 if (pos < ci_end) {
188 wpa_hexdump(MSG_INFO,
189 "Extra information at the end of Common Info",
190 pos, ci_end - pos);
191 pos = ci_end;
192 }
193
194 /* Link Info */
195
196 for_each_element(elem, pos, end - pos) {
197 if (elem->id != EHT_ML_SUB_ELEM_PER_STA_PROFILE) {
198 wpa_printf(MSG_DEBUG, "Link Info subelement id=%u",
199 elem->id);
200 wpa_hexdump(MSG_DEBUG, "Link Info subelement data",
201 elem->data, elem->datalen);
202 continue;
203 }
204
205 pos = elem->data;
206 end = pos + elem->datalen;
207
208 if (end - pos < 2) {
209 wpa_printf(MSG_INFO,
210 "Truncated Per-STA Profile subelement");
211 continue;
212 }
213 ctrl = WPA_GET_LE16(pos);
214 pos += 2;
215
216 wpa_printf(MSG_DEBUG, "Per-STA Profile: len=%u Link_ID=%u Complete=%u Reserved=0x%x",
217 elem->datalen,
218 ctrl & BASIC_MLE_STA_CTRL_LINK_ID_MASK,
219 !!(ctrl & BASIC_MLE_STA_CTRL_COMPLETE_PROFILE),
220 (ctrl & 0xf000) >> 12);
221
222 if (end - pos < 1) {
223 wpa_printf(MSG_INFO, "No room for STA Info field");
224 continue;
225 }
226 len = *pos;
227 if (len < 1 || len > end - pos) {
228 wpa_printf(MSG_INFO, "Truncated STA Info field");
229 continue;
230 }
231 info_end = pos + len;
232 pos++;
233 if (ctrl & BASIC_MLE_STA_CTRL_PRES_STA_MAC) {
234 if (info_end - pos < ETH_ALEN) {
235 wpa_printf(MSG_INFO,
236 "Truncated STA MAC Address in STA Info");
237 continue;
238 }
239 wpa_printf(MSG_DEBUG, "STA MAC Address: " MACSTR,
240 MAC2STR(pos));
241 pos += ETH_ALEN;
242 }
243 if (ctrl & BASIC_MLE_STA_CTRL_PRES_BEACON_INT) {
244 if (info_end - pos < 2) {
245 wpa_printf(MSG_INFO,
246 "Truncated Beacon Interval in STA Info");
247 continue;
248 }
249 wpa_printf(MSG_DEBUG, "Beacon Interval: %u",
250 WPA_GET_LE16(pos));
251 pos += 2;
252 }
253 if (ctrl & BASIC_MLE_STA_CTRL_PRES_TSF_OFFSET) {
254 if (info_end - pos < 8) {
255 wpa_printf(MSG_INFO,
256 "Truncated TSF Offset in STA Info");
257 continue;
258 }
259 wpa_printf(MSG_DEBUG, "TSF Offset: 0x%llx",
260 (long long unsigned) WPA_GET_LE64(pos));
261 pos += 8;
262 }
263 if (ctrl & BASIC_MLE_STA_CTRL_PRES_DTIM_INFO) {
264 if (info_end - pos < 2) {
265 wpa_printf(MSG_INFO,
266 "Truncated DTIM Info in STA Info");
267 continue;
268 }
269 wpa_printf(MSG_DEBUG, "DTIM Info: 0x%x",
270 WPA_GET_LE16(pos));
271 pos += 2;
272 }
273 if ((ctrl & (BASIC_MLE_STA_CTRL_COMPLETE_PROFILE |
274 BASIC_MLE_STA_CTRL_PRES_NSTR_LINK_PAIR)) ==
275 (BASIC_MLE_STA_CTRL_COMPLETE_PROFILE |
276 BASIC_MLE_STA_CTRL_PRES_NSTR_LINK_PAIR)) {
277 if (ctrl & BASIC_MLE_STA_CTRL_NSTR_BITMAP) {
278 if (info_end - pos < 2) {
279 wpa_printf(MSG_INFO,
280 "Truncated NSTR Indication Bitmap in STA Info");
281 continue;
282 }
283 wpa_printf(MSG_DEBUG, "NSTR Indication Bitmap: 0x%04x",
284 WPA_GET_LE16(pos));
285 pos += 2;
286 } else {
287 if (info_end - pos < 1) {
288 wpa_printf(MSG_INFO,
289 "Truncated NSTR Indication Bitmap in STA Info");
290 continue;
291 }
292 wpa_printf(MSG_DEBUG, "NSTR Indication Bitmap: 0x%02x",
293 *pos);
294 pos++;
295 }
296 }
297 if (ctrl & BASIC_MLE_STA_CTRL_PRES_BSS_PARAM_COUNT) {
298 if (info_end - pos < 1) {
299 wpa_printf(MSG_INFO,
300 "Truncated BSS Parameters Change Count in STA Info");
301 continue;
302 }
303 wpa_printf(MSG_DEBUG, "BSS Parameters Change Count: %u",
304 *pos);
305 pos++;
306 }
307 if (info_end > pos) {
308 wpa_hexdump(MSG_INFO,
309 "Extra information at the end of STA Info",
310 pos, ci_end - pos);
311 pos = info_end;
312 }
313
314 wpa_hexdump(MSG_DEBUG, "STA Profile", pos, end - pos);
315 }
316}
317
318
319static void rx_mgmt_beacon(struct wlantest *wt, const u8 *data, size_t len)
320{
321 const struct ieee80211_mgmt *mgmt;
322 struct wlantest_bss *bss;
323 struct ieee802_11_elems elems;
324 size_t offset;
325 const u8 *mme;
326 size_t mic_len;
327 u16 keyid;
328
329 mgmt = (const struct ieee80211_mgmt *) data;
330 offset = mgmt->u.beacon.variable - data;
331 if (len < offset)
332 return;
333 bss = bss_get(wt, mgmt->bssid);
334 if (bss == NULL)
335 return;
336 /* do not override with Beacon data */
337 if (!bss->proberesp_seen)
338 bss->capab_info = le_to_host16(mgmt->u.beacon.capab_info);
339 if (ieee802_11_parse_elems(mgmt->u.beacon.variable, len - offset,
340 &elems, 0) == ParseFailed) {
341 if (bss->parse_error_reported)
342 return;
343 add_note(wt, MSG_INFO, "Invalid IEs in a Beacon frame from "
344 MACSTR, MAC2STR(mgmt->sa));
345 bss->parse_error_reported = 1;
346 return;
347 }
348
349 if (elems.rsnxe) {
350 os_memcpy(bss->rsnxe, elems.rsnxe, elems.rsnxe_len);
351 bss->rsnxe_len = elems.rsnxe_len;
352 } else {
353 bss->rsnxe_len = 0;
354 }
355
356 if (!bss->proberesp_seen)
357 bss_update(wt, bss, &elems, 1);
358
359 mme = get_ie(mgmt->u.beacon.variable, len - offset, WLAN_EID_MMIE);
360 if (!mme) {
361 if (bss->bigtk_idx) {
362 add_note(wt, MSG_INFO,
363 "Unexpected unprotected Beacon frame from "
364 MACSTR, MAC2STR(mgmt->sa));
365 bss->counters[WLANTEST_BSS_COUNTER_MISSING_BIP_MMIE]++;
366 }
367 return;
368 }
369
370 mic_len = bss->mgmt_group_cipher == WPA_CIPHER_AES_128_CMAC ? 8 : 16;
371 if (len < 24 + 10 + mic_len ||
372 data[len - (10 + mic_len)] != WLAN_EID_MMIE ||
373 data[len - (10 + mic_len - 1)] != 8 + mic_len) {
374 add_note(wt, MSG_INFO, "Invalid MME in a Beacon frame from "
375 MACSTR, MAC2STR(mgmt->sa));
376 return;
377 }
378
379 mme += 2;
380 keyid = WPA_GET_LE16(mme);
381 if (keyid < 6 || keyid > 7) {
382 add_note(wt, MSG_INFO, "Unexpected MME KeyID %u from " MACSTR,
383 keyid, MAC2STR(mgmt->sa));
384 bss->counters[WLANTEST_BSS_COUNTER_INVALID_BIP_MMIE]++;
385 return;
386 }
387
388 wpa_printf(MSG_DEBUG, "Beacon frame MME KeyID %u", keyid);
389 wpa_hexdump(MSG_MSGDUMP, "MME IPN", mme + 2, 6);
390 wpa_hexdump(MSG_MSGDUMP, "MME MIC", mme + 8, mic_len);
391
392 if (!bss->igtk_len[keyid]) {
393 add_note(wt, MSG_DEBUG,
394 "No BIGTK known to validate BIP frame from " MACSTR,
395 MAC2STR(mgmt->sa));
396 return;
397 }
398
399 if (os_memcmp(mme + 2, bss->ipn[keyid], 6) <= 0) {
400 add_note(wt, MSG_INFO, "BIP replay detected: SA=" MACSTR,
401 MAC2STR(mgmt->sa));
402 wpa_hexdump(MSG_INFO, "RX IPN", mme + 2, 6);
403 wpa_hexdump(MSG_INFO, "Last RX IPN", bss->ipn[keyid], 6);
404 }
405
406 if (check_mmie_mic(bss->mgmt_group_cipher, bss->igtk[keyid],
407 bss->igtk_len[keyid], data, len) < 0) {
408 add_note(wt, MSG_INFO, "Invalid MME MIC in a Beacon frame from "
409 MACSTR, MAC2STR(mgmt->sa));
410 bss->counters[WLANTEST_BSS_COUNTER_INVALID_BIP_MMIE]++;
411 return;
412 }
413
414 add_note(wt, MSG_DEBUG, "Valid MME MIC in Beacon frame");
415 os_memcpy(bss->ipn[keyid], mme + 2, 6);
416}
417
418
419static void rx_mgmt_probe_resp(struct wlantest *wt, const u8 *data, size_t len)
420{
421 const struct ieee80211_mgmt *mgmt;
422 struct wlantest_bss *bss;
423 struct ieee802_11_elems elems;
424 size_t offset;
425
426 mgmt = (const struct ieee80211_mgmt *) data;
427 offset = mgmt->u.probe_resp.variable - data;
428 if (len < offset)
429 return;
430 bss = bss_get(wt, mgmt->bssid);
431 if (bss == NULL)
432 return;
433
434 bss->counters[WLANTEST_BSS_COUNTER_PROBE_RESPONSE]++;
435 bss->capab_info = le_to_host16(mgmt->u.probe_resp.capab_info);
436 if (ieee802_11_parse_elems(mgmt->u.probe_resp.variable, len - offset,
437 &elems, 0) == ParseFailed) {
438 if (bss->parse_error_reported)
439 return;
440 add_note(wt, MSG_INFO, "Invalid IEs in a Probe Response frame "
441 "from " MACSTR, MAC2STR(mgmt->sa));
442 bss->parse_error_reported = 1;
443 return;
444 }
445
446 bss_update(wt, bss, &elems, 2);
447}
448
449
450static void process_fils_auth(struct wlantest *wt, struct wlantest_bss *bss,
451 struct wlantest_sta *sta,
452 const struct ieee80211_mgmt *mgmt, size_t len)
453{
454 struct ieee802_11_elems elems;
455 u16 trans;
456 struct wpa_ie_data data;
457
458 if (sta->auth_alg != WLAN_AUTH_FILS_SK ||
459 len < IEEE80211_HDRLEN + sizeof(mgmt->u.auth))
460 return;
461
462 trans = le_to_host16(mgmt->u.auth.auth_transaction);
463
464 if (ieee802_11_parse_elems(mgmt->u.auth.variable,
465 len - IEEE80211_HDRLEN -
466 sizeof(mgmt->u.auth), &elems, 0) ==
467 ParseFailed)
468 return;
469
470 if (trans == 1) {
471 if (!elems.rsn_ie) {
472 add_note(wt, MSG_INFO,
473 "FILS Authentication frame missing RSNE");
474 return;
475 }
476 if (wpa_parse_wpa_ie_rsn(elems.rsn_ie - 2,
477 elems.rsn_ie_len + 2, &data) < 0) {
478 add_note(wt, MSG_INFO,
479 "Invalid RSNE in FILS Authentication frame");
480 return;
481 }
482 sta->key_mgmt = data.key_mgmt;
483 sta->pairwise_cipher = data.pairwise_cipher;
484 }
485
486 if (!elems.fils_nonce) {
487 add_note(wt, MSG_INFO,
488 "FILS Authentication frame missing nonce");
489 return;
490 }
491
492 if (os_memcmp(mgmt->sa, mgmt->bssid, ETH_ALEN) == 0)
493 os_memcpy(sta->anonce, elems.fils_nonce, FILS_NONCE_LEN);
494 else
495 os_memcpy(sta->snonce, elems.fils_nonce, FILS_NONCE_LEN);
496}
497
498
499static void process_ft_auth(struct wlantest *wt, struct wlantest_bss *bss,
500 struct wlantest_sta *sta,
501 const struct ieee80211_mgmt *mgmt, size_t len)
502{
503 u16 trans;
504 struct wpa_ft_ies parse;
505 struct wpa_ptk ptk;
506 u8 ptk_name[WPA_PMK_NAME_LEN];
507 struct wlantest_bss *old_bss;
508 struct wlantest_sta *old_sta = NULL;
509
510 if (sta->auth_alg != WLAN_AUTH_FT ||
511 len < IEEE80211_HDRLEN + sizeof(mgmt->u.auth))
512 return;
513
514 trans = le_to_host16(mgmt->u.auth.auth_transaction);
515
516 if (wpa_ft_parse_ies(mgmt->u.auth.variable,
517 len - IEEE80211_HDRLEN - sizeof(mgmt->u.auth),
518 &parse, 0)) {
519 add_note(wt, MSG_INFO,
520 "Could not parse FT Authentication Response frame");
521 return;
522 }
523
524 if (trans == 1) {
525 sta->key_mgmt = parse.key_mgmt;
526 sta->pairwise_cipher = parse.pairwise_cipher;
527 return;
528 }
529
530 if (trans != 2)
531 return;
532
533 /* TODO: Should find the latest updated PMK-R0 value here instead
534 * copying the one from the first found matching old STA entry. */
535 dl_list_for_each(old_bss, &wt->bss, struct wlantest_bss, list) {
536 if (old_bss == bss)
537 continue;
538 old_sta = sta_find(old_bss, sta->addr);
539 if (old_sta)
540 break;
541 }
542 if (!old_sta)
543 return;
544
545 os_memcpy(sta->pmk_r0, old_sta->pmk_r0, old_sta->pmk_r0_len);
546 sta->pmk_r0_len = old_sta->pmk_r0_len;
547 os_memcpy(sta->pmk_r0_name, old_sta->pmk_r0_name,
548 sizeof(sta->pmk_r0_name));
549
550 if (parse.r1kh_id)
551 os_memcpy(bss->r1kh_id, parse.r1kh_id, FT_R1KH_ID_LEN);
552
553 if (wpa_derive_pmk_r1(sta->pmk_r0, sta->pmk_r0_len, sta->pmk_r0_name,
554 bss->r1kh_id, sta->addr, sta->pmk_r1,
555 sta->pmk_r1_name) < 0)
556 return;
557 sta->pmk_r1_len = sta->pmk_r0_len;
558
559 if (!parse.fte_anonce || !parse.fte_snonce ||
560 wpa_pmk_r1_to_ptk(sta->pmk_r1, sta->pmk_r1_len, parse.fte_snonce,
561 parse.fte_anonce, sta->addr, bss->bssid,
562 sta->pmk_r1_name, &ptk, ptk_name, sta->key_mgmt,
563 sta->pairwise_cipher, 0) < 0)
564 return;
565
566 sta_new_ptk(wt, sta, &ptk);
567}
568
569
570static void process_sae_auth(struct wlantest *wt, struct wlantest_bss *bss,
571 struct wlantest_sta *sta,
572 const struct ieee80211_mgmt *mgmt, size_t len)
573{
574 u16 trans, status, group;
575
576 if (sta->auth_alg != WLAN_AUTH_SAE ||
577 len < IEEE80211_HDRLEN + sizeof(mgmt->u.auth) + 2)
578 return;
579
580 trans = le_to_host16(mgmt->u.auth.auth_transaction);
581 if (trans != 1)
582 return;
583
584 status = le_to_host16(mgmt->u.auth.status_code);
585 if (status != WLAN_STATUS_SUCCESS &&
586 status != WLAN_STATUS_SAE_HASH_TO_ELEMENT &&
587 status != WLAN_STATUS_SAE_PK)
588 return;
589
590 group = WPA_GET_LE16(mgmt->u.auth.variable);
591 wpa_printf(MSG_DEBUG, "SAE Commit using group %u", group);
592 sta->sae_group = group;
593}
594
595
596static void rx_mgmt_auth(struct wlantest *wt, const u8 *data, size_t len)
597{
598 const struct ieee80211_mgmt *mgmt;
599 struct wlantest_bss *bss;
600 struct wlantest_sta *sta;
601 u16 alg, trans, status;
602 bool from_ap;
603
604 mgmt = (const struct ieee80211_mgmt *) data;
605 bss = bss_get(wt, mgmt->bssid);
606 if (bss == NULL)
607 return;
608 from_ap = os_memcmp(mgmt->sa, mgmt->bssid, ETH_ALEN) == 0;
609 if (from_ap)
610 sta = sta_get(bss, mgmt->da);
611 else
612 sta = sta_get(bss, mgmt->sa);
613 if (sta == NULL)
614 return;
615
616 if (len < 24 + 6) {
617 add_note(wt, MSG_INFO, "Too short Authentication frame from "
618 MACSTR, MAC2STR(mgmt->sa));
619 return;
620 }
621
622 alg = le_to_host16(mgmt->u.auth.auth_alg);
623 sta->auth_alg = alg;
624 trans = le_to_host16(mgmt->u.auth.auth_transaction);
625 status = le_to_host16(mgmt->u.auth.status_code);
626
627 wpa_printf(MSG_DEBUG, "AUTH " MACSTR " -> " MACSTR
628 " (alg=%u trans=%u status=%u)",
629 MAC2STR(mgmt->sa), MAC2STR(mgmt->da), alg, trans, status);
630
631 if (status == WLAN_STATUS_SUCCESS &&
632 ((alg == WLAN_AUTH_OPEN && trans == 2) ||
633 (alg == WLAN_AUTH_SAE && trans == 2 && from_ap))) {
634 if (sta->state == STATE1) {
635 add_note(wt, MSG_DEBUG, "STA " MACSTR
636 " moved to State 2 with " MACSTR,
637 MAC2STR(sta->addr), MAC2STR(bss->bssid));
638 sta->state = STATE2;
639 }
640 }
641
642 if (os_memcmp(mgmt->sa, mgmt->bssid, ETH_ALEN) == 0)
643 sta->counters[WLANTEST_STA_COUNTER_AUTH_RX]++;
644 else
645 sta->counters[WLANTEST_STA_COUNTER_AUTH_TX]++;
646
647 process_fils_auth(wt, bss, sta, mgmt, len);
648 process_ft_auth(wt, bss, sta, mgmt, len);
649 process_sae_auth(wt, bss, sta, mgmt, len);
650}
651
652
653static void deauth_all_stas(struct wlantest *wt, struct wlantest_bss *bss)
654{
655 struct wlantest_sta *sta;
656 dl_list_for_each(sta, &bss->sta, struct wlantest_sta, list) {
657 if (sta->state == STATE1)
658 continue;
659 add_note(wt, MSG_DEBUG, "STA " MACSTR
660 " moved to State 1 with " MACSTR,
661 MAC2STR(sta->addr), MAC2STR(bss->bssid));
662 sta->state = STATE1;
663 }
664}
665
666
667static void tdls_link_down(struct wlantest *wt, struct wlantest_bss *bss,
668 struct wlantest_sta *sta)
669{
670 struct wlantest_tdls *tdls;
671 dl_list_for_each(tdls, &bss->tdls, struct wlantest_tdls, list) {
672 if ((tdls->init == sta || tdls->resp == sta) && tdls->link_up)
673 {
674 add_note(wt, MSG_DEBUG, "TDLS: Set link down based on "
675 "STA deauth/disassoc");
676 tdls->link_up = 0;
677 }
678 }
679}
680
681
682static void rx_mgmt_deauth(struct wlantest *wt, const u8 *data, size_t len,
683 int valid)
684{
685 const struct ieee80211_mgmt *mgmt;
686 struct wlantest_bss *bss;
687 struct wlantest_sta *sta;
688 u16 fc, reason;
689
690 mgmt = (const struct ieee80211_mgmt *) data;
691 bss = bss_get(wt, mgmt->bssid);
692 if (bss == NULL)
693 return;
694 if (os_memcmp(mgmt->sa, mgmt->bssid, ETH_ALEN) == 0)
695 sta = sta_get(bss, mgmt->da);
696 else
697 sta = sta_get(bss, mgmt->sa);
698
699 if (len < 24 + 2) {
700 add_note(wt, MSG_INFO, "Too short Deauthentication frame from "
701 MACSTR, MAC2STR(mgmt->sa));
702 return;
703 }
704
705 reason = le_to_host16(mgmt->u.deauth.reason_code);
706 wpa_printf(MSG_DEBUG, "DEAUTH " MACSTR " -> " MACSTR
707 " (reason=%u) (valid=%d)",
708 MAC2STR(mgmt->sa), MAC2STR(mgmt->da),
709 reason, valid);
710 wpa_hexdump(MSG_MSGDUMP, "DEAUTH payload", data + 24, len - 24);
711
712 if (sta == NULL) {
713 if (valid && mgmt->da[0] == 0xff)
714 deauth_all_stas(wt, bss);
715 return;
716 }
717
718 if (os_memcmp(mgmt->sa, mgmt->bssid, ETH_ALEN) == 0) {
719 sta->counters[valid ? WLANTEST_STA_COUNTER_VALID_DEAUTH_RX :
720 WLANTEST_STA_COUNTER_INVALID_DEAUTH_RX]++;
721 if (sta->pwrmgt && !sta->pspoll)
722 sta->counters[WLANTEST_STA_COUNTER_DEAUTH_RX_ASLEEP]++;
723 else
724 sta->counters[WLANTEST_STA_COUNTER_DEAUTH_RX_AWAKE]++;
725
726 fc = le_to_host16(mgmt->frame_control);
727 if (!(fc & WLAN_FC_ISWEP) && reason == 6)
728 sta->counters[WLANTEST_STA_COUNTER_DEAUTH_RX_RC6]++;
729 else if (!(fc & WLAN_FC_ISWEP) && reason == 7)
730 sta->counters[WLANTEST_STA_COUNTER_DEAUTH_RX_RC7]++;
731 } else
732 sta->counters[valid ? WLANTEST_STA_COUNTER_VALID_DEAUTH_TX :
733 WLANTEST_STA_COUNTER_INVALID_DEAUTH_TX]++;
734
735 if (!valid) {
736 add_note(wt, MSG_INFO, "Do not change STA " MACSTR " State "
737 "since Disassociation frame was not protected "
738 "correctly", MAC2STR(sta->addr));
739 return;
740 }
741
742 if (sta->state != STATE1) {
743 add_note(wt, MSG_DEBUG, "STA " MACSTR
744 " moved to State 1 with " MACSTR,
745 MAC2STR(sta->addr), MAC2STR(bss->bssid));
746 sta->state = STATE1;
747 }
748 tdls_link_down(wt, bss, sta);
749}
750
751
752static const u8 * get_fils_session(const u8 *ies, size_t ies_len)
753{
754 const u8 *ie, *end;
755
756 ie = ies;
757 end = ((const u8 *) ie) + ies_len;
758 while (ie + 1 < end) {
759 if (ie + 2 + ie[1] > end)
760 break;
761 if (ie[0] == WLAN_EID_EXTENSION &&
762 ie[1] >= 1 + FILS_SESSION_LEN &&
763 ie[2] == WLAN_EID_EXT_FILS_SESSION)
764 return ie;
765 ie += 2 + ie[1];
766 }
767 return NULL;
768}
769
770
771static int try_rmsk(struct wlantest *wt, struct wlantest_bss *bss,
772 struct wlantest_sta *sta, struct wlantest_pmk *pmk,
773 const u8 *frame_start, const u8 *frame_ad,
774 const u8 *frame_ad_end, const u8 *encr_end)
775{
776 size_t pmk_len = 0;
777 u8 pmk_buf[PMK_LEN_MAX];
778 struct wpa_ptk ptk;
779 u8 ick[FILS_ICK_MAX_LEN];
780 size_t ick_len;
781 const u8 *aad[5];
782 size_t aad_len[5];
783 u8 buf[2000];
784
785 if (fils_rmsk_to_pmk(sta->key_mgmt, pmk->pmk, pmk->pmk_len,
786 sta->snonce, sta->anonce, NULL, 0,
787 pmk_buf, &pmk_len) < 0)
788 return -1;
789
790 if (fils_pmk_to_ptk(pmk_buf, pmk_len, sta->addr, bss->bssid,
791 sta->snonce, sta->anonce, NULL, 0,
792 &ptk, ick, &ick_len,
793 sta->key_mgmt, sta->pairwise_cipher,
794 NULL, NULL, 0) < 0)
795 return -1;
796
797 /* Check AES-SIV decryption with the derived key */
798
799 /* AES-SIV AAD vectors */
800
801 /* The STA's MAC address */
802 aad[0] = sta->addr;
803 aad_len[0] = ETH_ALEN;
804 /* The AP's BSSID */
805 aad[1] = bss->bssid;
806 aad_len[1] = ETH_ALEN;
807 /* The STA's nonce */
808 aad[2] = sta->snonce;
809 aad_len[2] = FILS_NONCE_LEN;
810 /* The AP's nonce */
811 aad[3] = sta->anonce;
812 aad_len[3] = FILS_NONCE_LEN;
813 /*
814 * The (Re)Association Request frame from the Capability Information
815 * field to the FILS Session element (both inclusive).
816 */
817 aad[4] = frame_ad;
818 aad_len[4] = frame_ad_end - frame_ad;
819
820 if (encr_end - frame_ad_end < AES_BLOCK_SIZE ||
821 encr_end - frame_ad_end > sizeof(buf))
822 return -1;
823 if (aes_siv_decrypt(ptk.kek, ptk.kek_len,
824 frame_ad_end, encr_end - frame_ad_end,
825 5, aad, aad_len, buf) < 0) {
826 wpa_printf(MSG_DEBUG,
827 "FILS: Derived PTK did not match AES-SIV data");
828 return -1;
829 }
830
831 add_note(wt, MSG_DEBUG, "Derived FILS PTK");
832 os_memcpy(&sta->ptk, &ptk, sizeof(ptk));
833 sta->ptk_set = 1;
834 sta->counters[WLANTEST_STA_COUNTER_PTK_LEARNED]++;
835 wpa_hexdump(MSG_DEBUG, "FILS: Decrypted Association Request elements",
836 buf, encr_end - frame_ad_end - AES_BLOCK_SIZE);
837
838 if (wt->write_pcap_dumper || wt->pcapng) {
839 write_pcap_decrypted(wt, frame_start,
840 frame_ad_end - frame_start,
841 buf,
842 encr_end - frame_ad_end - AES_BLOCK_SIZE);
843 }
844
845 return 0;
846}
847
848
849static void derive_fils_keys(struct wlantest *wt, struct wlantest_bss *bss,
850 struct wlantest_sta *sta, const u8 *frame_start,
851 const u8 *frame_ad, const u8 *frame_ad_end,
852 const u8 *encr_end)
853{
854 struct wlantest_pmk *pmk;
855
856 wpa_printf(MSG_DEBUG, "Trying to derive PTK for " MACSTR
857 " from FILS rMSK", MAC2STR(sta->addr));
858
859 dl_list_for_each(pmk, &bss->pmk, struct wlantest_pmk,
860 list) {
861 wpa_printf(MSG_DEBUG, "Try per-BSS PMK");
862 if (try_rmsk(wt, bss, sta, pmk, frame_start, frame_ad,
863 frame_ad_end, encr_end) == 0)
864 return;
865 }
866
867 dl_list_for_each(pmk, &wt->pmk, struct wlantest_pmk, list) {
868 wpa_printf(MSG_DEBUG, "Try global PMK");
869 if (try_rmsk(wt, bss, sta, pmk, frame_start, frame_ad,
870 frame_ad_end, encr_end) == 0)
871 return;
872 }
873}
874
875
876static void rx_mgmt_assoc_req(struct wlantest *wt, const u8 *data, size_t len)
877{
878 const struct ieee80211_mgmt *mgmt;
879 struct wlantest_bss *bss;
880 struct wlantest_sta *sta;
881 struct ieee802_11_elems elems;
882 const u8 *ie;
883 size_t ie_len;
884
885 mgmt = (const struct ieee80211_mgmt *) data;
886 bss = bss_get(wt, mgmt->bssid);
887 if (bss == NULL)
888 return;
889 sta = sta_get(bss, mgmt->sa);
890 if (sta == NULL)
891 return;
892
893 if (len < 24 + 4) {
894 add_note(wt, MSG_INFO, "Too short Association Request frame "
895 "from " MACSTR, MAC2STR(mgmt->sa));
896 return;
897 }
898
899 wpa_printf(MSG_DEBUG, "ASSOCREQ " MACSTR " -> " MACSTR
900 " (capab=0x%x listen_int=%u)",
901 MAC2STR(mgmt->sa), MAC2STR(mgmt->da),
902 le_to_host16(mgmt->u.assoc_req.capab_info),
903 le_to_host16(mgmt->u.assoc_req.listen_interval));
904
905 sta->counters[WLANTEST_STA_COUNTER_ASSOCREQ_TX]++;
906
907 ie = mgmt->u.assoc_req.variable;
908 ie_len = len - (mgmt->u.assoc_req.variable - data);
909
910 if (sta->auth_alg == WLAN_AUTH_FILS_SK) {
911 const u8 *session, *frame_ad, *frame_ad_end, *encr_end;
912
913 session = get_fils_session(ie, ie_len);
914 if (session) {
915 frame_ad = (const u8 *) &mgmt->u.assoc_req.capab_info;
916 frame_ad_end = session + 2 + session[1];
917 encr_end = data + len;
918 derive_fils_keys(wt, bss, sta, data, frame_ad,
919 frame_ad_end, encr_end);
920 ie_len = session - ie;
921 }
922 }
923
924 if (ieee802_11_parse_elems(ie, ie_len, &elems, 0) == ParseFailed) {
925 add_note(wt, MSG_INFO, "Invalid IEs in Association Request "
926 "frame from " MACSTR, MAC2STR(mgmt->sa));
927 return;
928 }
929
930 if (elems.rsnxe) {
931 os_memcpy(sta->rsnxe, elems.rsnxe, elems.rsnxe_len);
932 sta->rsnxe_len = elems.rsnxe_len;
933 }
934
935 sta->assocreq_capab_info = le_to_host16(mgmt->u.assoc_req.capab_info);
936 sta->assocreq_listen_int =
937 le_to_host16(mgmt->u.assoc_req.listen_interval);
938 os_free(sta->assocreq_ies);
939 sta->assocreq_ies_len = len - (mgmt->u.assoc_req.variable - data);
940 sta->assocreq_ies = os_malloc(sta->assocreq_ies_len);
941 if (sta->assocreq_ies)
942 os_memcpy(sta->assocreq_ies, mgmt->u.assoc_req.variable,
943 sta->assocreq_ies_len);
944
945 sta->assocreq_seen = 1;
946 sta_update_assoc(sta, &elems);
947 if (elems.basic_mle)
948 parse_basic_ml(elems.basic_mle, elems.basic_mle_len, false);
949}
950
951
952static void decrypt_fils_assoc_resp(struct wlantest *wt,
953 struct wlantest_bss *bss,
954 struct wlantest_sta *sta,
955 const u8 *frame_start, const u8 *frame_ad,
956 const u8 *frame_ad_end, const u8 *encr_end)
957{
958 const u8 *aad[5];
959 size_t aad_len[5];
960 u8 buf[2000];
961
962 if (!sta->ptk_set)
963 return;
964
965 /* Check AES-SIV decryption with the derived key */
966
967 /* AES-SIV AAD vectors */
968
969 /* The AP's BSSID */
970 aad[0] = bss->bssid;
971 aad_len[0] = ETH_ALEN;
972 /* The STA's MAC address */
973 aad[1] = sta->addr;
974 aad_len[1] = ETH_ALEN;
975 /* The AP's nonce */
976 aad[2] = sta->anonce;
977 aad_len[2] = FILS_NONCE_LEN;
978 /* The STA's nonce */
979 aad[3] = sta->snonce;
980 aad_len[3] = FILS_NONCE_LEN;
981 /*
982 * The (Re)Association Response frame from the Capability Information
983 * field to the FILS Session element (both inclusive).
984 */
985 aad[4] = frame_ad;
986 aad_len[4] = frame_ad_end - frame_ad;
987
988 if (encr_end - frame_ad_end < AES_BLOCK_SIZE ||
989 encr_end - frame_ad_end > sizeof(buf))
990 return;
991 if (aes_siv_decrypt(sta->ptk.kek, sta->ptk.kek_len,
992 frame_ad_end, encr_end - frame_ad_end,
993 5, aad, aad_len, buf) < 0) {
994 wpa_printf(MSG_DEBUG,
995 "FILS: Derived PTK did not match AES-SIV data");
996 return;
997 }
998
999 wpa_hexdump(MSG_DEBUG, "FILS: Decrypted Association Response elements",
1000 buf, encr_end - frame_ad_end - AES_BLOCK_SIZE);
1001
1002 if (wt->write_pcap_dumper || wt->pcapng) {
1003 write_pcap_decrypted(wt, frame_start,
1004 frame_ad_end - frame_start,
1005 buf,
1006 encr_end - frame_ad_end - AES_BLOCK_SIZE);
1007 }
1008}
1009
1010
1011static void rx_mgmt_assoc_resp(struct wlantest *wt, const u8 *data, size_t len)
1012{
1013 const struct ieee80211_mgmt *mgmt;
1014 struct wlantest_bss *bss;
1015 struct wlantest_sta *sta;
1016 u16 capab, status, aid;
1017 const u8 *ies;
1018 size_t ies_len;
1019 struct wpa_ft_ies parse;
1020 const u8 *ml;
1021
1022 mgmt = (const struct ieee80211_mgmt *) data;
1023 bss = bss_get(wt, mgmt->bssid);
1024 if (bss == NULL)
1025 return;
1026 sta = sta_get(bss, mgmt->da);
1027 if (sta == NULL)
1028 return;
1029
1030 if (len < 24 + 6) {
1031 add_note(wt, MSG_INFO, "Too short Association Response frame "
1032 "from " MACSTR, MAC2STR(mgmt->sa));
1033 return;
1034 }
1035
1036 ies = mgmt->u.assoc_resp.variable;
1037 ies_len = len - (mgmt->u.assoc_resp.variable - data);
1038
1039 capab = le_to_host16(mgmt->u.assoc_resp.capab_info);
1040 status = le_to_host16(mgmt->u.assoc_resp.status_code);
1041 aid = le_to_host16(mgmt->u.assoc_resp.aid);
1042
1043 wpa_printf(MSG_DEBUG, "ASSOCRESP " MACSTR " -> " MACSTR
1044 " (capab=0x%x status=%u aid=%u)",
1045 MAC2STR(mgmt->sa), MAC2STR(mgmt->da), capab, status,
1046 aid & 0x3fff);
1047
1048 ml = get_ml_ie(ies, ies_len, MULTI_LINK_CONTROL_TYPE_BASIC);
1049 if (ml)
1050 parse_basic_ml(ml + 3, ml[1], true);
1051
1052 if (sta->auth_alg == WLAN_AUTH_FILS_SK) {
1053 const u8 *session, *frame_ad, *frame_ad_end, *encr_end;
1054
1055 session = get_fils_session(ies, ies_len);
1056 if (session) {
1057 frame_ad = (const u8 *) &mgmt->u.assoc_resp.capab_info;
1058 frame_ad_end = session + 2 + session[1];
1059 encr_end = data + len;
1060 decrypt_fils_assoc_resp(wt, bss, sta, data, frame_ad,
1061 frame_ad_end, encr_end);
1062 ies_len = session - ies;
1063 }
1064 }
1065
1066 if (status == WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY) {
1067 struct ieee802_11_elems elems;
1068 if (ieee802_11_parse_elems(ies, ies_len, &elems, 0) ==
1069 ParseFailed) {
1070 add_note(wt, MSG_INFO, "Failed to parse IEs in "
1071 "AssocResp from " MACSTR,
1072 MAC2STR(mgmt->sa));
1073 } else if (elems.timeout_int == NULL ||
1074 elems.timeout_int[0] !=
1075 WLAN_TIMEOUT_ASSOC_COMEBACK) {
1076 add_note(wt, MSG_INFO, "No valid Timeout Interval IE "
1077 "with Assoc Comeback time in AssocResp "
1078 "(status=30) from " MACSTR,
1079 MAC2STR(mgmt->sa));
1080 } else {
1081 sta->counters[
1082 WLANTEST_STA_COUNTER_ASSOCRESP_COMEBACK]++;
1083 }
1084 }
1085
1086 if (status)
1087 return;
1088
1089 if ((aid & 0xc000) != 0xc000) {
1090 add_note(wt, MSG_DEBUG, "Two MSBs of the AID were not set to 1 "
1091 "in Association Response from " MACSTR,
1092 MAC2STR(mgmt->sa));
1093 }
1094 sta->aid = aid & 0xc000;
1095
1096 if (sta->state < STATE2) {
1097 add_note(wt, MSG_DEBUG,
1098 "STA " MACSTR " was not in State 2 when "
1099 "getting associated", MAC2STR(sta->addr));
1100 }
1101
1102 if (sta->state < STATE3) {
1103 add_note(wt, MSG_DEBUG, "STA " MACSTR
1104 " moved to State 3 with " MACSTR,
1105 MAC2STR(sta->addr), MAC2STR(bss->bssid));
1106 sta->state = STATE3;
1107 }
1108
1109 if (wpa_ft_parse_ies(ies, ies_len, &parse, 0) == 0) {
1110 if (parse.r0kh_id) {
1111 os_memcpy(bss->r0kh_id, parse.r0kh_id,
1112 parse.r0kh_id_len);
1113 bss->r0kh_id_len = parse.r0kh_id_len;
1114 }
1115 if (parse.r1kh_id)
1116 os_memcpy(bss->r1kh_id, parse.r1kh_id, FT_R1KH_ID_LEN);
1117 }
1118}
1119
1120
1121static void rx_mgmt_reassoc_req(struct wlantest *wt, const u8 *data,
1122 size_t len)
1123{
1124 const struct ieee80211_mgmt *mgmt;
1125 struct wlantest_bss *bss;
1126 struct wlantest_sta *sta;
1127 struct ieee802_11_elems elems;
1128 const u8 *ie;
1129 size_t ie_len;
1130
1131 mgmt = (const struct ieee80211_mgmt *) data;
1132 bss = bss_get(wt, mgmt->bssid);
1133 if (bss == NULL)
1134 return;
1135 sta = sta_get(bss, mgmt->sa);
1136 if (sta == NULL)
1137 return;
1138
1139 if (len < 24 + 4 + ETH_ALEN) {
1140 add_note(wt, MSG_INFO, "Too short Reassociation Request frame "
1141 "from " MACSTR, MAC2STR(mgmt->sa));
1142 return;
1143 }
1144
1145 wpa_printf(MSG_DEBUG, "REASSOCREQ " MACSTR " -> " MACSTR
1146 " (capab=0x%x listen_int=%u current_ap=" MACSTR ")",
1147 MAC2STR(mgmt->sa), MAC2STR(mgmt->da),
1148 le_to_host16(mgmt->u.reassoc_req.capab_info),
1149 le_to_host16(mgmt->u.reassoc_req.listen_interval),
1150 MAC2STR(mgmt->u.reassoc_req.current_ap));
1151
1152 sta->counters[WLANTEST_STA_COUNTER_REASSOCREQ_TX]++;
1153
1154 ie = mgmt->u.reassoc_req.variable;
1155 ie_len = len - (mgmt->u.reassoc_req.variable - data);
1156
1157 if (sta->auth_alg == WLAN_AUTH_FILS_SK) {
1158 const u8 *session, *frame_ad, *frame_ad_end, *encr_end;
1159
1160 session = get_fils_session(ie, ie_len);
1161 if (session) {
1162 frame_ad = (const u8 *) &mgmt->u.reassoc_req.capab_info;
1163 frame_ad_end = session + 2 + session[1];
1164 encr_end = data + len;
1165 derive_fils_keys(wt, bss, sta, data, frame_ad,
1166 frame_ad_end, encr_end);
1167 ie_len = session - ie;
1168 }
1169 }
1170
1171 if (ieee802_11_parse_elems(ie, ie_len, &elems, 0) == ParseFailed) {
1172 add_note(wt, MSG_INFO, "Invalid IEs in Reassociation Request "
1173 "frame from " MACSTR, MAC2STR(mgmt->sa));
1174 return;
1175 }
1176
1177 if (elems.rsnxe) {
1178 os_memcpy(sta->rsnxe, elems.rsnxe, elems.rsnxe_len);
1179 sta->rsnxe_len = elems.rsnxe_len;
1180 }
1181
1182 sta->assocreq_capab_info =
1183 le_to_host16(mgmt->u.reassoc_req.capab_info);
1184 sta->assocreq_listen_int =
1185 le_to_host16(mgmt->u.reassoc_req.listen_interval);
1186 os_free(sta->assocreq_ies);
1187 sta->assocreq_ies_len = len - (mgmt->u.reassoc_req.variable - data);
1188 sta->assocreq_ies = os_malloc(sta->assocreq_ies_len);
1189 if (sta->assocreq_ies)
1190 os_memcpy(sta->assocreq_ies, mgmt->u.reassoc_req.variable,
1191 sta->assocreq_ies_len);
1192
1193 sta->assocreq_seen = 1;
1194 sta_update_assoc(sta, &elems);
1195 if (elems.basic_mle)
1196 parse_basic_ml(elems.basic_mle, elems.basic_mle_len, false);
1197
1198 if (elems.ftie) {
1199 struct wpa_ft_ies parse;
1200 int use_sha384;
1201 struct rsn_mdie *mde;
1202 const u8 *anonce, *snonce, *fte_mic;
1203 u8 fte_elem_count;
1204 unsigned int count;
1205 u8 mic[WPA_EAPOL_KEY_MIC_MAX_LEN];
1206 size_t mic_len = 16;
1207 const u8 *kck;
1208 size_t kck_len;
1209
1210 use_sha384 = wpa_key_mgmt_sha384(sta->key_mgmt);
1211
1212 if (wpa_ft_parse_ies(ie, ie_len, &parse, sta->key_mgmt) < 0) {
1213 add_note(wt, MSG_INFO, "FT: Failed to parse FT IEs");
1214 return;
1215 }
1216
1217 if (!parse.rsn) {
1218 add_note(wt, MSG_INFO, "FT: No RSNE in Reassoc Req");
1219 return;
1220 }
1221
1222 if (!parse.rsn_pmkid) {
1223 add_note(wt, MSG_INFO, "FT: No PMKID in RSNE");
1224 return;
1225 }
1226
1227 if (os_memcmp_const(parse.rsn_pmkid, sta->pmk_r1_name,
1228 WPA_PMK_NAME_LEN) != 0) {
1229 add_note(wt, MSG_INFO,
1230 "FT: PMKID in Reassoc Req did not match PMKR1Name");
1231 wpa_hexdump(MSG_DEBUG,
1232 "FT: Received RSNE[PMKR1Name]",
1233 parse.rsn_pmkid, WPA_PMK_NAME_LEN);
1234 wpa_hexdump(MSG_DEBUG,
1235 "FT: Previously derived PMKR1Name",
1236 sta->pmk_r1_name, WPA_PMK_NAME_LEN);
1237 return;
1238 }
1239
1240 mde = (struct rsn_mdie *) parse.mdie;
1241 if (!mde || parse.mdie_len < sizeof(*mde) ||
1242 os_memcmp(mde->mobility_domain, bss->mdid,
1243 MOBILITY_DOMAIN_ID_LEN) != 0) {
1244 add_note(wt, MSG_INFO, "FT: Invalid MDE");
1245 }
1246
1247 if (use_sha384) {
1248 struct rsn_ftie_sha384 *fte;
1249
1250 fte = (struct rsn_ftie_sha384 *) parse.ftie;
1251 if (!fte || parse.ftie_len < sizeof(*fte)) {
1252 add_note(wt, MSG_INFO, "FT: Invalid FTE");
1253 return;
1254 }
1255
1256 anonce = fte->anonce;
1257 snonce = fte->snonce;
1258 fte_elem_count = fte->mic_control[1];
1259 fte_mic = fte->mic;
1260 } else {
1261 struct rsn_ftie *fte;
1262
1263 fte = (struct rsn_ftie *) parse.ftie;
1264 if (!fte || parse.ftie_len < sizeof(*fte)) {
1265 add_note(wt, MSG_INFO, "FT: Invalid FTIE");
1266 return;
1267 }
1268
1269 anonce = fte->anonce;
1270 snonce = fte->snonce;
1271 fte_elem_count = fte->mic_control[1];
1272 fte_mic = fte->mic;
1273 }
1274
1275 if (os_memcmp(snonce, sta->snonce, WPA_NONCE_LEN) != 0) {
1276 add_note(wt, MSG_INFO, "FT: SNonce mismatch in FTIE");
1277 wpa_hexdump(MSG_DEBUG, "FT: Received SNonce",
1278 snonce, WPA_NONCE_LEN);
1279 wpa_hexdump(MSG_DEBUG, "FT: Expected SNonce",
1280 sta->snonce, WPA_NONCE_LEN);
1281 return;
1282 }
1283
1284 if (os_memcmp(anonce, sta->anonce, WPA_NONCE_LEN) != 0) {
1285 add_note(wt, MSG_INFO, "FT: ANonce mismatch in FTIE");
1286 wpa_hexdump(MSG_DEBUG, "FT: Received ANonce",
1287 anonce, WPA_NONCE_LEN);
1288 wpa_hexdump(MSG_DEBUG, "FT: Expected ANonce",
1289 sta->anonce, WPA_NONCE_LEN);
1290 return;
1291 }
1292
1293 if (!parse.r0kh_id) {
1294 add_note(wt, MSG_INFO, "FT: No R0KH-ID subelem in FTE");
1295 return;
1296 }
1297 os_memcpy(bss->r0kh_id, parse.r0kh_id, parse.r0kh_id_len);
1298 bss->r0kh_id_len = parse.r0kh_id_len;
1299
1300 if (!parse.r1kh_id) {
1301 add_note(wt, MSG_INFO, "FT: No R1KH-ID subelem in FTE");
1302 return;
1303 }
1304
1305 os_memcpy(bss->r1kh_id, parse.r1kh_id, FT_R1KH_ID_LEN);
1306
1307 if (!parse.rsn_pmkid ||
1308 os_memcmp_const(parse.rsn_pmkid, sta->pmk_r1_name,
1309 WPA_PMK_NAME_LEN)) {
1310 add_note(wt, MSG_INFO,
1311 "FT: No matching PMKR1Name (PMKID) in RSNE (pmkid=%d)",
1312 !!parse.rsn_pmkid);
1313 return;
1314 }
1315
1316 count = 3;
1317 if (parse.ric)
1318 count += ieee802_11_ie_count(parse.ric, parse.ric_len);
1319 if (parse.rsnxe)
1320 count++;
1321 if (fte_elem_count != count) {
1322 add_note(wt, MSG_INFO,
1323 "FT: Unexpected IE count in MIC Control: received %u expected %u",
1324 fte_elem_count, count);
1325 return;
1326 }
1327
1328 if (wpa_key_mgmt_fils(sta->key_mgmt)) {
1329 kck = sta->ptk.kck2;
1330 kck_len = sta->ptk.kck2_len;
1331 } else {
1332 kck = sta->ptk.kck;
1333 kck_len = sta->ptk.kck_len;
1334 }
1335 if (wpa_ft_mic(sta->key_mgmt, kck, kck_len,
1336 sta->addr, bss->bssid, 5,
1337 parse.mdie - 2, parse.mdie_len + 2,
1338 parse.ftie - 2, parse.ftie_len + 2,
1339 parse.rsn - 2, parse.rsn_len + 2,
1340 parse.ric, parse.ric_len,
1341 parse.rsnxe ? parse.rsnxe - 2 : NULL,
1342 parse.rsnxe ? parse.rsnxe_len + 2 : 0,
1343 mic) < 0) {
1344 add_note(wt, MSG_INFO, "FT: Failed to calculate MIC");
1345 return;
1346 }
1347
1348 if (os_memcmp_const(mic, fte_mic, mic_len) != 0) {
1349 add_note(wt, MSG_INFO, "FT: Invalid MIC in FTE");
1350 wpa_printf(MSG_DEBUG,
1351 "FT: addr=" MACSTR " auth_addr=" MACSTR,
1352 MAC2STR(sta->addr),
1353 MAC2STR(bss->bssid));
1354 wpa_hexdump(MSG_MSGDUMP, "FT: Received MIC",
1355 fte_mic, mic_len);
1356 wpa_hexdump(MSG_MSGDUMP, "FT: Calculated MIC",
1357 mic, mic_len);
1358 wpa_hexdump(MSG_MSGDUMP, "FT: MDE",
1359 parse.mdie - 2, parse.mdie_len + 2);
1360 wpa_hexdump(MSG_MSGDUMP, "FT: FTE",
1361 parse.ftie - 2, parse.ftie_len + 2);
1362 wpa_hexdump(MSG_MSGDUMP, "FT: RSN",
1363 parse.rsn - 2, parse.rsn_len + 2);
1364 wpa_hexdump(MSG_MSGDUMP, "FT: RSNXE",
1365 parse.rsnxe ? parse.rsnxe - 2 : NULL,
1366 parse.rsnxe ? parse.rsnxe_len + 2 : 0);
1367 return;
1368 }
1369
1370 add_note(wt, MSG_INFO, "FT: Valid FTE MIC");
1371 }
1372}
1373
1374
1375static void process_gtk_subelem(struct wlantest *wt, struct wlantest_bss *bss,
1376 struct wlantest_sta *sta,
1377 const u8 *kek, size_t kek_len,
1378 const u8 *gtk_elem,
1379 size_t gtk_elem_len)
1380{
1381 u8 gtk[32];
1382 int keyidx;
1383 enum wpa_alg alg;
1384 size_t gtk_len, keylen;
1385 const u8 *rsc;
1386
1387 if (!gtk_elem) {
1388 add_note(wt, MSG_INFO, "FT: No GTK included in FTE");
1389 return;
1390 }
1391
1392 wpa_hexdump(MSG_DEBUG, "FT: Received GTK in Reassoc Resp",
1393 gtk_elem, gtk_elem_len);
1394
1395 if (gtk_elem_len < 11 + 24 || (gtk_elem_len - 11) % 8 ||
1396 gtk_elem_len - 19 > sizeof(gtk)) {
1397 add_note(wt, MSG_INFO, "FT: Invalid GTK sub-elem length %zu",
1398 gtk_elem_len);
1399 return;
1400 }
1401 gtk_len = gtk_elem_len - 19;
1402 if (aes_unwrap(kek, kek_len, gtk_len / 8, gtk_elem + 11, gtk)) {
1403 add_note(wt, MSG_INFO,
1404 "FT: AES unwrap failed - could not decrypt GTK");
1405 return;
1406 }
1407
1408 keylen = wpa_cipher_key_len(bss->group_cipher);
1409 alg = wpa_cipher_to_alg(bss->group_cipher);
1410 if (alg == WPA_ALG_NONE) {
1411 add_note(wt, MSG_INFO, "FT: Unsupported Group Cipher %d",
1412 bss->group_cipher);
1413 return;
1414 }
1415
1416 if (gtk_len < keylen) {
1417 add_note(wt, MSG_INFO, "FT: Too short GTK in FTE");
1418 return;
1419 }
1420
1421 /* Key Info[2] | Key Length[1] | RSC[8] | Key[5..32]. */
1422
1423 keyidx = WPA_GET_LE16(gtk_elem) & 0x03;
1424
1425 if (gtk_elem[2] != keylen) {
1426 add_note(wt, MSG_INFO,
1427 "FT: GTK length mismatch: received %u negotiated %zu",
1428 gtk_elem[2], keylen);
1429 return;
1430 }
1431
1432 add_note(wt, MSG_DEBUG, "GTK KeyID=%u", keyidx);
1433 wpa_hexdump(MSG_DEBUG, "FT: GTK from Reassoc Resp", gtk, keylen);
1434 if (bss->group_cipher == WPA_CIPHER_TKIP) {
1435 /* Swap Tx/Rx keys for Michael MIC */
1436 u8 tmp[8];
1437
1438 os_memcpy(tmp, gtk + 16, 8);
1439 os_memcpy(gtk + 16, gtk + 24, 8);
1440 os_memcpy(gtk + 24, tmp, 8);
1441 }
1442
1443 bss->gtk_len[keyidx] = gtk_len;
1444 sta->gtk_len = gtk_len;
1445 os_memcpy(bss->gtk[keyidx], gtk, gtk_len);
1446 os_memcpy(sta->gtk, gtk, gtk_len);
1447 rsc = gtk_elem + 2;
1448 bss->rsc[keyidx][0] = rsc[5];
1449 bss->rsc[keyidx][1] = rsc[4];
1450 bss->rsc[keyidx][2] = rsc[3];
1451 bss->rsc[keyidx][3] = rsc[2];
1452 bss->rsc[keyidx][4] = rsc[1];
1453 bss->rsc[keyidx][5] = rsc[0];
1454 bss->gtk_idx = keyidx;
1455 sta->gtk_idx = keyidx;
1456 wpa_hexdump(MSG_DEBUG, "RSC", bss->rsc[keyidx], 6);
1457}
1458
1459
1460static void process_igtk_subelem(struct wlantest *wt, struct wlantest_bss *bss,
1461 struct wlantest_sta *sta,
1462 const u8 *kek, size_t kek_len,
1463 const u8 *igtk_elem, size_t igtk_elem_len)
1464{
1465 u8 igtk[WPA_IGTK_MAX_LEN];
1466 size_t igtk_len;
1467 u16 keyidx;
1468 const u8 *ipn;
1469
1470 if (bss->mgmt_group_cipher != WPA_CIPHER_AES_128_CMAC &&
1471 bss->mgmt_group_cipher != WPA_CIPHER_BIP_GMAC_128 &&
1472 bss->mgmt_group_cipher != WPA_CIPHER_BIP_GMAC_256 &&
1473 bss->mgmt_group_cipher != WPA_CIPHER_BIP_CMAC_256)
1474 return;
1475
1476 if (!igtk_elem) {
1477 add_note(wt, MSG_INFO, "FT: No IGTK included in FTE");
1478 return;
1479 }
1480
1481 wpa_hexdump(MSG_DEBUG, "FT: Received IGTK in Reassoc Resp",
1482 igtk_elem, igtk_elem_len);
1483
1484 igtk_len = wpa_cipher_key_len(bss->mgmt_group_cipher);
1485 if (igtk_elem_len != 2 + 6 + 1 + igtk_len + 8) {
1486 add_note(wt, MSG_INFO, "FT: Invalid IGTK sub-elem length %zu",
1487 igtk_elem_len);
1488 return;
1489 }
1490 if (igtk_elem[8] != igtk_len) {
1491 add_note(wt, MSG_INFO,
1492 "FT: Invalid IGTK sub-elem Key Length %d",
1493 igtk_elem[8]);
1494 return;
1495 }
1496
1497 if (aes_unwrap(kek, kek_len, igtk_len / 8, igtk_elem + 9, igtk)) {
1498 add_note(wt, MSG_INFO,
1499 "FT: AES unwrap failed - could not decrypt IGTK");
1500 return;
1501 }
1502
1503 /* KeyID[2] | IPN[6] | Key Length[1] | Key[16+8] */
1504
1505 keyidx = WPA_GET_LE16(igtk_elem);
1506
1507 wpa_hexdump(MSG_DEBUG, "FT: IGTK from Reassoc Resp", igtk, igtk_len);
1508
1509 if (keyidx < 4 || keyidx > 5) {
1510 add_note(wt, MSG_INFO, "Unexpected IGTK KeyID %u", keyidx);
1511 return;
1512 }
1513
1514 add_note(wt, MSG_DEBUG, "IGTK KeyID %u", keyidx);
1515 wpa_hexdump(MSG_DEBUG, "IPN", igtk_elem + 2, 6);
1516 wpa_hexdump(MSG_DEBUG, "IGTK", igtk, igtk_len);
1517 os_memcpy(bss->igtk[keyidx], igtk, igtk_len);
1518 bss->igtk_len[keyidx] = igtk_len;
1519 ipn = igtk_elem + 2;
1520 bss->ipn[keyidx][0] = ipn[5];
1521 bss->ipn[keyidx][1] = ipn[4];
1522 bss->ipn[keyidx][2] = ipn[3];
1523 bss->ipn[keyidx][3] = ipn[2];
1524 bss->ipn[keyidx][4] = ipn[1];
1525 bss->ipn[keyidx][5] = ipn[0];
1526 bss->igtk_idx = keyidx;
1527}
1528
1529
1530static void process_bigtk_subelem(struct wlantest *wt, struct wlantest_bss *bss,
1531 struct wlantest_sta *sta,
1532 const u8 *kek, size_t kek_len,
1533 const u8 *bigtk_elem, size_t bigtk_elem_len)
1534{
1535 u8 bigtk[WPA_BIGTK_MAX_LEN];
1536 size_t bigtk_len;
1537 u16 keyidx;
1538 const u8 *ipn;
1539
1540 if (!bigtk_elem ||
1541 (bss->mgmt_group_cipher != WPA_CIPHER_AES_128_CMAC &&
1542 bss->mgmt_group_cipher != WPA_CIPHER_BIP_GMAC_128 &&
1543 bss->mgmt_group_cipher != WPA_CIPHER_BIP_GMAC_256 &&
1544 bss->mgmt_group_cipher != WPA_CIPHER_BIP_CMAC_256))
1545 return;
1546
1547 wpa_hexdump_key(MSG_DEBUG, "FT: Received BIGTK in Reassoc Resp",
1548 bigtk_elem, bigtk_elem_len);
1549
1550 bigtk_len = wpa_cipher_key_len(bss->mgmt_group_cipher);
1551 if (bigtk_elem_len != 2 + 6 + 1 + bigtk_len + 8) {
1552 add_note(wt, MSG_INFO,
1553 "FT: Invalid BIGTK sub-elem length %zu",
1554 bigtk_elem_len);
1555 return;
1556 }
1557 if (bigtk_elem[8] != bigtk_len) {
1558 add_note(wt, MSG_INFO,
1559 "FT: Invalid BIGTK sub-elem Key Length %d",
1560 bigtk_elem[8]);
1561 return;
1562 }
1563
1564 if (aes_unwrap(kek, kek_len, bigtk_len / 8, bigtk_elem + 9, bigtk)) {
1565 add_note(wt, MSG_INFO,
1566 "FT: AES unwrap failed - could not decrypt BIGTK");
1567 return;
1568 }
1569
1570 /* KeyID[2] | IPN[6] | Key Length[1] | Key[16+8] */
1571
1572 keyidx = WPA_GET_LE16(bigtk_elem);
1573
1574 wpa_hexdump(MSG_DEBUG, "FT: BIGTK from Reassoc Resp", bigtk, bigtk_len);
1575
1576 if (keyidx < 6 || keyidx > 7) {
1577 add_note(wt, MSG_INFO, "Unexpected BIGTK KeyID %u", keyidx);
1578 return;
1579 }
1580
1581 add_note(wt, MSG_DEBUG, "BIGTK KeyID %u", keyidx);
1582 wpa_hexdump(MSG_DEBUG, "BIPN", bigtk_elem + 2, 6);
1583 wpa_hexdump(MSG_DEBUG, "BIGTK", bigtk, bigtk_len);
1584 os_memcpy(bss->igtk[keyidx], bigtk, bigtk_len);
1585 bss->igtk_len[keyidx] = bigtk_len;
1586 ipn = bigtk_elem + 2;
1587 bss->ipn[keyidx][0] = ipn[5];
1588 bss->ipn[keyidx][1] = ipn[4];
1589 bss->ipn[keyidx][2] = ipn[3];
1590 bss->ipn[keyidx][3] = ipn[2];
1591 bss->ipn[keyidx][4] = ipn[1];
1592 bss->ipn[keyidx][5] = ipn[0];
1593 bss->bigtk_idx = keyidx;
1594}
1595
1596
1597static void rx_mgmt_reassoc_resp(struct wlantest *wt, const u8 *data,
1598 size_t len)
1599{
1600 const struct ieee80211_mgmt *mgmt;
1601 struct wlantest_bss *bss;
1602 struct wlantest_sta *sta;
1603 u16 capab, status, aid;
1604 const u8 *ies;
1605 size_t ies_len;
1606 struct ieee802_11_elems elems;
1607 const u8 *ml;
1608
1609 mgmt = (const struct ieee80211_mgmt *) data;
1610 bss = bss_get(wt, mgmt->bssid);
1611 if (bss == NULL)
1612 return;
1613 sta = sta_get(bss, mgmt->da);
1614 if (sta == NULL)
1615 return;
1616
1617 if (len < 24 + 6) {
1618 add_note(wt, MSG_INFO, "Too short Reassociation Response frame "
1619 "from " MACSTR, MAC2STR(mgmt->sa));
1620 return;
1621 }
1622
1623 ies = mgmt->u.reassoc_resp.variable;
1624 ies_len = len - (mgmt->u.reassoc_resp.variable - data);
1625
1626 capab = le_to_host16(mgmt->u.reassoc_resp.capab_info);
1627 status = le_to_host16(mgmt->u.reassoc_resp.status_code);
1628 aid = le_to_host16(mgmt->u.reassoc_resp.aid);
1629
1630 wpa_printf(MSG_DEBUG, "REASSOCRESP " MACSTR " -> " MACSTR
1631 " (capab=0x%x status=%u aid=%u)",
1632 MAC2STR(mgmt->sa), MAC2STR(mgmt->da), capab, status,
1633 aid & 0x3fff);
1634
1635 ml = get_ml_ie(ies, ies_len, MULTI_LINK_CONTROL_TYPE_BASIC);
1636 if (ml)
1637 parse_basic_ml(ml + 3, ml[1], true);
1638
1639 if (sta->auth_alg == WLAN_AUTH_FILS_SK) {
1640 const u8 *session, *frame_ad, *frame_ad_end, *encr_end;
1641
1642 session = get_fils_session(ies, ies_len);
1643 if (session) {
1644 frame_ad = (const u8 *)
1645 &mgmt->u.reassoc_resp.capab_info;
1646 frame_ad_end = session + 2 + session[1];
1647 encr_end = data + len;
1648 decrypt_fils_assoc_resp(wt, bss, sta, data, frame_ad,
1649 frame_ad_end, encr_end);
1650 ies_len = session - ies;
1651 }
1652 }
1653
1654 if (ieee802_11_parse_elems(ies, ies_len, &elems, 0) == ParseFailed) {
1655 add_note(wt, MSG_INFO,
1656 "Failed to parse IEs in ReassocResp from " MACSTR,
1657 MAC2STR(mgmt->sa));
1658 }
1659
1660 if (status == WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY) {
1661 if (!elems.timeout_int ||
1662 elems.timeout_int[0] != WLAN_TIMEOUT_ASSOC_COMEBACK) {
1663 add_note(wt, MSG_INFO, "No valid Timeout Interval IE "
1664 "with Assoc Comeback time in ReassocResp "
1665 "(status=30) from " MACSTR,
1666 MAC2STR(mgmt->sa));
1667 } else {
1668 sta->counters[
1669 WLANTEST_STA_COUNTER_REASSOCRESP_COMEBACK]++;
1670 }
1671 }
1672
1673 if (status)
1674 return;
1675
1676 if ((aid & 0xc000) != 0xc000) {
1677 add_note(wt, MSG_DEBUG, "Two MSBs of the AID were not set to 1 "
1678 "in Reassociation Response from " MACSTR,
1679 MAC2STR(mgmt->sa));
1680 }
1681 sta->aid = aid & 0xc000;
1682
1683 if (sta->state < STATE2 && !sta->ft_over_ds) {
1684 add_note(wt, MSG_DEBUG,
1685 "STA " MACSTR " was not in State 2 when "
1686 "getting associated", MAC2STR(sta->addr));
1687 }
1688
1689 if (sta->state < STATE3) {
1690 add_note(wt, MSG_DEBUG, "STA " MACSTR
1691 " moved to State 3 with " MACSTR,
1692 MAC2STR(sta->addr), MAC2STR(bss->bssid));
1693 sta->state = STATE3;
1694 }
1695
1696 if (elems.ftie) {
1697 struct wpa_ft_ies parse;
1698 int use_sha384;
1699 struct rsn_mdie *mde;
1700 const u8 *anonce, *snonce, *fte_mic;
1701 u8 fte_elem_count;
1702 unsigned int count;
1703 u8 mic[WPA_EAPOL_KEY_MIC_MAX_LEN];
1704 size_t mic_len = 16;
1705 const u8 *kck, *kek;
1706 size_t kck_len, kek_len;
1707
1708 use_sha384 = wpa_key_mgmt_sha384(sta->key_mgmt);
1709
1710 if (wpa_ft_parse_ies(ies, ies_len, &parse, sta->key_mgmt) < 0) {
1711 add_note(wt, MSG_INFO, "FT: Failed to parse FT IEs");
1712 return;
1713 }
1714
1715 if (!parse.rsn) {
1716 add_note(wt, MSG_INFO, "FT: No RSNE in Reassoc Resp");
1717 return;
1718 }
1719
1720 if (!parse.rsn_pmkid) {
1721 add_note(wt, MSG_INFO, "FT: No PMKID in RSNE");
1722 return;
1723 }
1724
1725 if (os_memcmp_const(parse.rsn_pmkid, sta->pmk_r1_name,
1726 WPA_PMK_NAME_LEN) != 0) {
1727 add_note(wt, MSG_INFO,
1728 "FT: PMKID in Reassoc Resp did not match PMKR1Name");
1729 wpa_hexdump(MSG_DEBUG,
1730 "FT: Received RSNE[PMKR1Name]",
1731 parse.rsn_pmkid, WPA_PMK_NAME_LEN);
1732 wpa_hexdump(MSG_DEBUG,
1733 "FT: Previously derived PMKR1Name",
1734 sta->pmk_r1_name, WPA_PMK_NAME_LEN);
1735 return;
1736 }
1737
1738 mde = (struct rsn_mdie *) parse.mdie;
1739 if (!mde || parse.mdie_len < sizeof(*mde) ||
1740 os_memcmp(mde->mobility_domain, bss->mdid,
1741 MOBILITY_DOMAIN_ID_LEN) != 0) {
1742 add_note(wt, MSG_INFO, "FT: Invalid MDE");
1743 }
1744
1745 if (use_sha384) {
1746 struct rsn_ftie_sha384 *fte;
1747
1748 fte = (struct rsn_ftie_sha384 *) parse.ftie;
1749 if (!fte || parse.ftie_len < sizeof(*fte)) {
1750 add_note(wt, MSG_INFO, "FT: Invalid FTE");
1751 return;
1752 }
1753
1754 anonce = fte->anonce;
1755 snonce = fte->snonce;
1756 fte_elem_count = fte->mic_control[1];
1757 fte_mic = fte->mic;
1758 } else {
1759 struct rsn_ftie *fte;
1760
1761 fte = (struct rsn_ftie *) parse.ftie;
1762 if (!fte || parse.ftie_len < sizeof(*fte)) {
1763 add_note(wt, MSG_INFO, "FT: Invalid FTIE");
1764 return;
1765 }
1766
1767 anonce = fte->anonce;
1768 snonce = fte->snonce;
1769 fte_elem_count = fte->mic_control[1];
1770 fte_mic = fte->mic;
1771 }
1772
1773 if (os_memcmp(snonce, sta->snonce, WPA_NONCE_LEN) != 0) {
1774 add_note(wt, MSG_INFO, "FT: SNonce mismatch in FTIE");
1775 wpa_hexdump(MSG_DEBUG, "FT: Received SNonce",
1776 snonce, WPA_NONCE_LEN);
1777 wpa_hexdump(MSG_DEBUG, "FT: Expected SNonce",
1778 sta->snonce, WPA_NONCE_LEN);
1779 return;
1780 }
1781
1782 if (os_memcmp(anonce, sta->anonce, WPA_NONCE_LEN) != 0) {
1783 add_note(wt, MSG_INFO, "FT: ANonce mismatch in FTIE");
1784 wpa_hexdump(MSG_DEBUG, "FT: Received ANonce",
1785 anonce, WPA_NONCE_LEN);
1786 wpa_hexdump(MSG_DEBUG, "FT: Expected ANonce",
1787 sta->anonce, WPA_NONCE_LEN);
1788 return;
1789 }
1790
1791 if (!parse.r0kh_id) {
1792 add_note(wt, MSG_INFO, "FT: No R0KH-ID subelem in FTE");
1793 return;
1794 }
1795
1796 if (parse.r0kh_id_len != bss->r0kh_id_len ||
1797 os_memcmp_const(parse.r0kh_id, bss->r0kh_id,
1798 parse.r0kh_id_len) != 0) {
1799 add_note(wt, MSG_INFO,
1800 "FT: R0KH-ID in FTE did not match the current R0KH-ID");
1801 wpa_hexdump(MSG_DEBUG, "FT: R0KH-ID in FTIE",
1802 parse.r0kh_id, parse.r0kh_id_len);
1803 wpa_hexdump(MSG_DEBUG, "FT: The current R0KH-ID",
1804 bss->r0kh_id, bss->r0kh_id_len);
1805 os_memcpy(bss->r0kh_id, parse.r0kh_id,
1806 parse.r0kh_id_len);
1807 bss->r0kh_id_len = parse.r0kh_id_len;
1808 }
1809
1810 if (!parse.r1kh_id) {
1811 add_note(wt, MSG_INFO, "FT: No R1KH-ID subelem in FTE");
1812 return;
1813 }
1814
1815 if (os_memcmp_const(parse.r1kh_id, bss->r1kh_id,
1816 FT_R1KH_ID_LEN) != 0) {
1817 add_note(wt, MSG_INFO,
1818 "FT: Unknown R1KH-ID used in ReassocResp");
1819 os_memcpy(bss->r1kh_id, parse.r1kh_id, FT_R1KH_ID_LEN);
1820 }
1821
1822 count = 3;
1823 if (parse.ric)
1824 count += ieee802_11_ie_count(parse.ric, parse.ric_len);
1825 if (parse.rsnxe)
1826 count++;
1827 if (fte_elem_count != count) {
1828 add_note(wt, MSG_INFO,
1829 "FT: Unexpected IE count in MIC Control: received %u expected %u",
1830 fte_elem_count, count);
1831 return;
1832 }
1833
1834 if (wpa_key_mgmt_fils(sta->key_mgmt)) {
1835 kck = sta->ptk.kck2;
1836 kck_len = sta->ptk.kck2_len;
1837 kek = sta->ptk.kek2;
1838 kek_len = sta->ptk.kek2_len;
1839 } else {
1840 kck = sta->ptk.kck;
1841 kck_len = sta->ptk.kck_len;
1842 kek = sta->ptk.kek;
1843 kek_len = sta->ptk.kek_len;
1844 }
1845 if (wpa_ft_mic(sta->key_mgmt, kck, kck_len,
1846 sta->addr, bss->bssid, 6,
1847 parse.mdie - 2, parse.mdie_len + 2,
1848 parse.ftie - 2, parse.ftie_len + 2,
1849 parse.rsn - 2, parse.rsn_len + 2,
1850 parse.ric, parse.ric_len,
1851 parse.rsnxe ? parse.rsnxe - 2 : NULL,
1852 parse.rsnxe ? parse.rsnxe_len + 2 : 0,
1853 mic) < 0) {
1854 add_note(wt, MSG_INFO, "FT: Failed to calculate MIC");
1855 return;
1856 }
1857
1858 if (os_memcmp_const(mic, fte_mic, mic_len) != 0) {
1859 add_note(wt, MSG_INFO, "FT: Invalid MIC in FTE");
1860 wpa_printf(MSG_DEBUG,
1861 "FT: addr=" MACSTR " auth_addr=" MACSTR,
1862 MAC2STR(sta->addr),
1863 MAC2STR(bss->bssid));
1864 wpa_hexdump(MSG_MSGDUMP, "FT: Received MIC",
1865 fte_mic, mic_len);
1866 wpa_hexdump(MSG_MSGDUMP, "FT: Calculated MIC",
1867 mic, mic_len);
1868 wpa_hexdump(MSG_MSGDUMP, "FT: MDE",
1869 parse.mdie - 2, parse.mdie_len + 2);
1870 wpa_hexdump(MSG_MSGDUMP, "FT: FTE",
1871 parse.ftie - 2, parse.ftie_len + 2);
1872 wpa_hexdump(MSG_MSGDUMP, "FT: RSN",
1873 parse.rsn - 2, parse.rsn_len + 2);
1874 wpa_hexdump(MSG_MSGDUMP, "FT: RSNXE",
1875 parse.rsnxe ? parse.rsnxe - 2 : NULL,
1876 parse.rsnxe ? parse.rsnxe_len + 2 : 0);
1877 return;
1878 }
1879
1880 add_note(wt, MSG_INFO, "FT: Valid FTE MIC");
1881
1882 if (wpa_compare_rsn_ie(wpa_key_mgmt_ft(sta->key_mgmt),
1883 bss->rsnie, 2 + bss->rsnie[1],
1884 parse.rsn - 2, parse.rsn_len + 2)) {
1885 add_note(wt, MSG_INFO,
1886 "FT: RSNE mismatch between Beacon/ProbeResp and FT protocol Reassociation Response frame");
1887 wpa_hexdump(MSG_INFO, "RSNE in Beacon/ProbeResp",
1888 &bss->rsnie[2], bss->rsnie[1]);
1889 wpa_hexdump(MSG_INFO,
1890 "RSNE in FT protocol Reassociation Response frame",
1891 parse.rsn ? parse.rsn - 2 : NULL,
1892 parse.rsn ? parse.rsn_len + 2 : 0);
1893 }
1894
1895 process_gtk_subelem(wt, bss, sta, kek, kek_len,
1896 parse.gtk, parse.gtk_len);
1897 process_igtk_subelem(wt, bss, sta, kek, kek_len,
1898 parse.igtk, parse.igtk_len);
1899 process_bigtk_subelem(wt, bss, sta, kek, kek_len,
1900 parse.bigtk, parse.bigtk_len);
1901 }
1902}
1903
1904
1905static void disassoc_all_stas(struct wlantest *wt, struct wlantest_bss *bss)
1906{
1907 struct wlantest_sta *sta;
1908 dl_list_for_each(sta, &bss->sta, struct wlantest_sta, list) {
1909 if (sta->state <= STATE2)
1910 continue;
1911 add_note(wt, MSG_DEBUG, "STA " MACSTR
1912 " moved to State 2 with " MACSTR,
1913 MAC2STR(sta->addr), MAC2STR(bss->bssid));
1914 sta->state = STATE2;
1915 }
1916}
1917
1918
1919static void rx_mgmt_disassoc(struct wlantest *wt, const u8 *data, size_t len,
1920 int valid)
1921{
1922 const struct ieee80211_mgmt *mgmt;
1923 struct wlantest_bss *bss;
1924 struct wlantest_sta *sta;
1925 u16 fc, reason;
1926
1927 mgmt = (const struct ieee80211_mgmt *) data;
1928 bss = bss_get(wt, mgmt->bssid);
1929 if (bss == NULL)
1930 return;
1931 if (os_memcmp(mgmt->sa, mgmt->bssid, ETH_ALEN) == 0)
1932 sta = sta_get(bss, mgmt->da);
1933 else
1934 sta = sta_get(bss, mgmt->sa);
1935
1936 if (len < 24 + 2) {
1937 add_note(wt, MSG_INFO, "Too short Disassociation frame from "
1938 MACSTR, MAC2STR(mgmt->sa));
1939 return;
1940 }
1941
1942 reason = le_to_host16(mgmt->u.disassoc.reason_code);
1943 wpa_printf(MSG_DEBUG, "DISASSOC " MACSTR " -> " MACSTR
1944 " (reason=%u) (valid=%d)",
1945 MAC2STR(mgmt->sa), MAC2STR(mgmt->da),
1946 reason, valid);
1947 wpa_hexdump(MSG_MSGDUMP, "DISASSOC payload", data + 24, len - 24);
1948
1949 if (sta == NULL) {
1950 if (valid && mgmt->da[0] == 0xff)
1951 disassoc_all_stas(wt, bss);
1952 return;
1953 }
1954
1955 if (os_memcmp(mgmt->sa, mgmt->bssid, ETH_ALEN) == 0) {
1956 sta->counters[valid ? WLANTEST_STA_COUNTER_VALID_DISASSOC_RX :
1957 WLANTEST_STA_COUNTER_INVALID_DISASSOC_RX]++;
1958 if (sta->pwrmgt && !sta->pspoll)
1959 sta->counters[
1960 WLANTEST_STA_COUNTER_DISASSOC_RX_ASLEEP]++;
1961 else
1962 sta->counters[
1963 WLANTEST_STA_COUNTER_DISASSOC_RX_AWAKE]++;
1964
1965 fc = le_to_host16(mgmt->frame_control);
1966 if (!(fc & WLAN_FC_ISWEP) && reason == 6)
1967 sta->counters[WLANTEST_STA_COUNTER_DISASSOC_RX_RC6]++;
1968 else if (!(fc & WLAN_FC_ISWEP) && reason == 7)
1969 sta->counters[WLANTEST_STA_COUNTER_DISASSOC_RX_RC7]++;
1970 } else
1971 sta->counters[valid ? WLANTEST_STA_COUNTER_VALID_DISASSOC_TX :
1972 WLANTEST_STA_COUNTER_INVALID_DISASSOC_TX]++;
1973
1974 if (!valid) {
1975 add_note(wt, MSG_INFO, "Do not change STA " MACSTR " State "
1976 "since Disassociation frame was not protected "
1977 "correctly", MAC2STR(sta->addr));
1978 return;
1979 }
1980
1981 if (sta->state < STATE2) {
1982 add_note(wt, MSG_DEBUG,
1983 "STA " MACSTR " was not in State 2 or 3 "
1984 "when getting disassociated", MAC2STR(sta->addr));
1985 }
1986
1987 if (sta->state > STATE2) {
1988 add_note(wt, MSG_DEBUG, "STA " MACSTR
1989 " moved to State 2 with " MACSTR,
1990 MAC2STR(sta->addr), MAC2STR(bss->bssid));
1991 sta->state = STATE2;
1992 }
1993 tdls_link_down(wt, bss, sta);
1994}
1995
1996
1997static void rx_mgmt_action_ft_request(struct wlantest *wt,
1998 const struct ieee80211_mgmt *mgmt,
1999 size_t len)
2000{
2001 const u8 *ies;
2002 size_t ies_len;
2003 struct wpa_ft_ies parse;
2004 struct wlantest_bss *bss;
2005 struct wlantest_sta *sta;
2006
2007 if (len < 24 + 2 + 2 * ETH_ALEN) {
2008 add_note(wt, MSG_INFO, "Too short FT Request frame");
2009 return;
2010 }
2011
2012 wpa_printf(MSG_DEBUG, "FT Request: STA Address: " MACSTR
2013 " Target AP Address: " MACSTR,
2014 MAC2STR(mgmt->u.action.u.ft_action_req.sta_addr),
2015 MAC2STR(mgmt->u.action.u.ft_action_req.target_ap_addr));
2016 ies = mgmt->u.action.u.ft_action_req.variable;
2017 ies_len = len - (24 + 2 + 2 * ETH_ALEN);
2018 wpa_hexdump(MSG_DEBUG, "FT Request frame body", ies, ies_len);
2019
2020 if (wpa_ft_parse_ies(ies, ies_len, &parse, 0)) {
2021 add_note(wt, MSG_INFO, "Could not parse FT Request frame body");
2022 return;
2023 }
2024
2025 bss = bss_get(wt, mgmt->u.action.u.ft_action_resp.target_ap_addr);
2026 if (!bss) {
2027 add_note(wt, MSG_INFO, "No BSS entry for Target AP");
2028 return;
2029 }
2030
2031 sta = sta_get(bss, mgmt->sa);
2032 if (!sta)
2033 return;
2034
2035 sta->ft_over_ds = true;
2036 sta->key_mgmt = parse.key_mgmt;
2037 sta->pairwise_cipher = parse.pairwise_cipher;
2038}
2039
2040
2041static void rx_mgmt_action_ft_response(struct wlantest *wt,
2042 struct wlantest_sta *sta,
2043 const struct ieee80211_mgmt *mgmt,
2044 size_t len)
2045{
2046 struct wlantest_bss *bss;
2047 struct wlantest_sta *new_sta;
2048 const u8 *ies;
2049 size_t ies_len;
2050 struct wpa_ft_ies parse;
2051 struct wpa_ptk ptk;
2052 u8 ptk_name[WPA_PMK_NAME_LEN];
2053
2054 if (len < 24 + 2 + 2 * ETH_ALEN + 2) {
2055 add_note(wt, MSG_INFO, "Too short FT Response frame from "
2056 MACSTR, MAC2STR(mgmt->sa));
2057 return;
2058 }
2059
2060 wpa_printf(MSG_DEBUG, "FT Response: STA Address: " MACSTR
2061 " Target AP Address: " MACSTR " Status Code: %u",
2062 MAC2STR(mgmt->u.action.u.ft_action_resp.sta_addr),
2063 MAC2STR(mgmt->u.action.u.ft_action_resp.target_ap_addr),
2064 le_to_host16(mgmt->u.action.u.ft_action_resp.status_code));
2065 ies = mgmt->u.action.u.ft_action_req.variable;
2066 ies_len = len - (24 + 2 + 2 * ETH_ALEN);
2067 wpa_hexdump(MSG_DEBUG, "FT Response frame body", ies, ies_len);
2068
2069 if (wpa_ft_parse_ies(ies, ies_len, &parse, 0)) {
2070 add_note(wt, MSG_INFO,
2071 "Could not parse FT Response frame body");
2072 return;
2073 }
2074
2075 bss = bss_get(wt, mgmt->u.action.u.ft_action_resp.target_ap_addr);
2076 if (!bss) {
2077 add_note(wt, MSG_INFO, "No BSS entry for Target AP");
2078 return;
2079 }
2080
2081 if (parse.r1kh_id)
2082 os_memcpy(bss->r1kh_id, parse.r1kh_id, FT_R1KH_ID_LEN);
2083
2084 if (wpa_derive_pmk_r1(sta->pmk_r0, sta->pmk_r0_len, sta->pmk_r0_name,
2085 bss->r1kh_id, sta->addr, sta->pmk_r1,
2086 sta->pmk_r1_name) < 0)
2087 return;
2088 sta->pmk_r1_len = sta->pmk_r0_len;
2089
2090 new_sta = sta_get(bss, sta->addr);
2091 if (!new_sta)
2092 return;
2093 os_memcpy(new_sta->pmk_r0, sta->pmk_r0, sta->pmk_r0_len);
2094 new_sta->pmk_r0_len = sta->pmk_r0_len;
2095 os_memcpy(new_sta->pmk_r0_name, sta->pmk_r0_name,
2096 sizeof(sta->pmk_r0_name));
2097 os_memcpy(new_sta->pmk_r1, sta->pmk_r1, sta->pmk_r1_len);
2098 new_sta->pmk_r1_len = sta->pmk_r1_len;
2099 os_memcpy(new_sta->pmk_r1_name, sta->pmk_r1_name,
2100 sizeof(sta->pmk_r1_name));
2101 if (!parse.fte_anonce || !parse.fte_snonce ||
2102 wpa_pmk_r1_to_ptk(sta->pmk_r1, sta->pmk_r1_len, parse.fte_snonce,
2103 parse.fte_anonce, new_sta->addr, bss->bssid,
2104 sta->pmk_r1_name, &ptk, ptk_name,
2105 new_sta->key_mgmt, new_sta->pairwise_cipher,
2106 0) < 0)
2107 return;
2108
2109 sta_new_ptk(wt, new_sta, &ptk);
2110 os_memcpy(new_sta->snonce, parse.fte_snonce, WPA_NONCE_LEN);
2111 os_memcpy(new_sta->anonce, parse.fte_anonce, WPA_NONCE_LEN);
2112}
2113
2114
2115static void rx_mgmt_action_ft(struct wlantest *wt, struct wlantest_sta *sta,
2116 const struct ieee80211_mgmt *mgmt,
2117 size_t len, int valid)
2118{
2119 if (len < 24 + 2) {
2120 add_note(wt, MSG_INFO, "Too short FT Action frame from " MACSTR,
2121 MAC2STR(mgmt->sa));
2122 return;
2123 }
2124
2125 switch (mgmt->u.action.u.ft_action_req.action) {
2126 case 1:
2127 rx_mgmt_action_ft_request(wt, mgmt, len);
2128 break;
2129 case 2:
2130 rx_mgmt_action_ft_response(wt, sta, mgmt, len);
2131 break;
2132 default:
2133 add_note(wt, MSG_INFO, "Unsupported FT action value %u from "
2134 MACSTR, mgmt->u.action.u.ft_action_req.action,
2135 MAC2STR(mgmt->sa));
2136 }
2137}
2138
2139
2140static void rx_mgmt_action_sa_query_req(struct wlantest *wt,
2141 struct wlantest_sta *sta,
2142 const struct ieee80211_mgmt *mgmt,
2143 size_t len, int valid)
2144{
2145 const u8 *rx_id;
2146 u8 *id;
2147
2148 rx_id = (const u8 *) mgmt->u.action.u.sa_query_req.trans_id;
2149 if (os_memcmp(mgmt->sa, mgmt->bssid, ETH_ALEN) == 0)
2150 id = sta->ap_sa_query_tr;
2151 else
2152 id = sta->sta_sa_query_tr;
2153 add_note(wt, MSG_INFO, "SA Query Request " MACSTR " -> " MACSTR
2154 " (trans_id=%02x%02x)%s",
2155 MAC2STR(mgmt->sa), MAC2STR(mgmt->da), rx_id[0], rx_id[1],
2156 valid ? "" : " (invalid protection)");
2157 os_memcpy(id, mgmt->u.action.u.sa_query_req.trans_id, 2);
2158 if (os_memcmp(mgmt->sa, sta->addr, ETH_ALEN) == 0)
2159 sta->counters[valid ?
2160 WLANTEST_STA_COUNTER_VALID_SAQUERYREQ_TX :
2161 WLANTEST_STA_COUNTER_INVALID_SAQUERYREQ_TX]++;
2162 else
2163 sta->counters[valid ?
2164 WLANTEST_STA_COUNTER_VALID_SAQUERYREQ_RX :
2165 WLANTEST_STA_COUNTER_INVALID_SAQUERYREQ_RX]++;
2166}
2167
2168
2169static void rx_mgmt_action_sa_query_resp(struct wlantest *wt,
2170 struct wlantest_sta *sta,
2171 const struct ieee80211_mgmt *mgmt,
2172 size_t len, int valid)
2173{
2174 const u8 *rx_id;
2175 u8 *id;
2176 int match;
2177
2178 rx_id = (const u8 *) mgmt->u.action.u.sa_query_resp.trans_id;
2179 if (os_memcmp(mgmt->sa, mgmt->bssid, ETH_ALEN) == 0)
2180 id = sta->sta_sa_query_tr;
2181 else
2182 id = sta->ap_sa_query_tr;
2183 match = os_memcmp(rx_id, id, 2) == 0;
2184 add_note(wt, MSG_INFO, "SA Query Response " MACSTR " -> " MACSTR
2185 " (trans_id=%02x%02x; %s)%s",
2186 MAC2STR(mgmt->sa), MAC2STR(mgmt->da), rx_id[0], rx_id[1],
2187 match ? "match" : "mismatch",
2188 valid ? "" : " (invalid protection)");
2189 if (os_memcmp(mgmt->sa, sta->addr, ETH_ALEN) == 0)
2190 sta->counters[(valid && match) ?
2191 WLANTEST_STA_COUNTER_VALID_SAQUERYRESP_TX :
2192 WLANTEST_STA_COUNTER_INVALID_SAQUERYRESP_TX]++;
2193 else
2194 sta->counters[(valid && match) ?
2195 WLANTEST_STA_COUNTER_VALID_SAQUERYRESP_RX :
2196 WLANTEST_STA_COUNTER_INVALID_SAQUERYRESP_RX]++;
2197}
2198
2199
2200static void rx_mgmt_action_sa_query(struct wlantest *wt,
2201 struct wlantest_sta *sta,
2202 const struct ieee80211_mgmt *mgmt,
2203 size_t len, int valid)
2204{
2205 if (len < 24 + 2 + WLAN_SA_QUERY_TR_ID_LEN) {
2206 add_note(wt, MSG_INFO, "Too short SA Query frame from " MACSTR,
2207 MAC2STR(mgmt->sa));
2208 return;
2209 }
2210
2211 if (len > 24 + 2 + WLAN_SA_QUERY_TR_ID_LEN) {
2212 size_t elen = len - (24 + 2 + WLAN_SA_QUERY_TR_ID_LEN);
2213 add_note(wt, MSG_INFO, "Unexpected %u octets of extra data at "
2214 "the end of SA Query frame from " MACSTR,
2215 (unsigned) elen, MAC2STR(mgmt->sa));
2216 wpa_hexdump(MSG_INFO, "SA Query extra data",
2217 ((const u8 *) mgmt) + len - elen, elen);
2218 }
2219
2220 switch (mgmt->u.action.u.sa_query_req.action) {
2221 case WLAN_SA_QUERY_REQUEST:
2222 rx_mgmt_action_sa_query_req(wt, sta, mgmt, len, valid);
2223 break;
2224 case WLAN_SA_QUERY_RESPONSE:
2225 rx_mgmt_action_sa_query_resp(wt, sta, mgmt, len, valid);
2226 break;
2227 default:
2228 add_note(wt, MSG_INFO, "Unexpected SA Query action value %u "
2229 "from " MACSTR,
2230 mgmt->u.action.u.sa_query_req.action,
2231 MAC2STR(mgmt->sa));
2232 }
2233}
2234
2235
2236static void
2237rx_mgmt_location_measurement_report(struct wlantest *wt,
2238 const struct ieee80211_mgmt *mgmt,
2239 size_t len, bool no_ack)
2240{
2241 const u8 *pos = mgmt->u.action.u.public_action.variable;
2242 const u8 *end = ((const u8 *) mgmt) + len;
2243
2244 if (end - pos < 1) {
2245 add_note(wt, MSG_INFO,
2246 "Too short Location Measurement Report frame from "
2247 MACSTR, MAC2STR(mgmt->sa));
2248 return;
2249 }
2250
2251 wpa_printf(MSG_DEBUG, "Location Measurement Report " MACSTR " --> "
2252 MACSTR " (dialog token %u)",
2253 MAC2STR(mgmt->sa), MAC2STR(mgmt->da), *pos);
2254 pos++;
2255
2256 if (!no_ack)
2257 add_note(wt, MSG_INFO,
2258 "Protected Fine Timing Measurement Report incorrectly as an Action frame from "
2259 MACSTR, MAC2STR(mgmt->sa));
2260
2261 wpa_hexdump(MSG_MSGDUMP, "Location Measurement Report contents",
2262 pos, end - pos);
2263}
2264
2265
2266static void rx_mgmt_action_no_bss_public(struct wlantest *wt,
2267 const struct ieee80211_mgmt *mgmt,
2268 size_t len, bool no_ack)
2269{
2270 switch (mgmt->u.action.u.public_action.action) {
2271 case WLAN_PA_LOCATION_MEASUREMENT_REPORT:
2272 rx_mgmt_location_measurement_report(wt, mgmt, len, no_ack);
2273 break;
2274 }
2275}
2276
2277
2278static void rx_mgmt_prot_ftm_request(struct wlantest *wt,
2279 const struct ieee80211_mgmt *mgmt,
2280 size_t len, bool no_ack)
2281{
2282 wpa_printf(MSG_DEBUG, "Protected Fine Timing Measurement Request "
2283 MACSTR " --> " MACSTR,
2284 MAC2STR(mgmt->sa), MAC2STR(mgmt->da));
2285 if (no_ack)
2286 add_note(wt, MSG_INFO,
2287 "Protected Fine Timing Measurement Request incorrectly as an Action No Ack frame from "
2288 MACSTR, MAC2STR(mgmt->sa));
2289}
2290
2291
2292static void rx_mgmt_prot_ftm(struct wlantest *wt,
2293 const struct ieee80211_mgmt *mgmt,
2294 size_t len, bool no_ack)
2295{
2296 wpa_printf(MSG_DEBUG, "Protected Fine Timing Measurement "
2297 MACSTR " --> " MACSTR,
2298 MAC2STR(mgmt->sa), MAC2STR(mgmt->da));
2299 if (no_ack)
2300 add_note(wt, MSG_INFO,
2301 "Protected Fine Timing Measurement incorrectly as an Action No Ack frame from "
2302 MACSTR, MAC2STR(mgmt->sa));
2303}
2304
2305
2306static void rx_mgmt_prot_ftm_report(struct wlantest *wt,
2307 const struct ieee80211_mgmt *mgmt,
2308 size_t len, bool no_ack)
2309{
2310 wpa_printf(MSG_DEBUG, "Protected Fine Timing Measurement Report "
2311 MACSTR " --> " MACSTR,
2312 MAC2STR(mgmt->sa), MAC2STR(mgmt->da));
2313 if (!no_ack)
2314 add_note(wt, MSG_INFO,
2315 "Protected Fine Timing Measurement Report incorrectly as an Action frame from "
2316 MACSTR, MAC2STR(mgmt->sa));
2317}
2318
2319
2320static void
2321rx_mgmt_action_no_bss_protected_ftm(struct wlantest *wt,
2322 const struct ieee80211_mgmt *mgmt,
2323 size_t len, bool no_ack)
2324{
2325 switch (mgmt->u.action.u.public_action.action) {
2326 case WLAN_PROT_FTM_REQUEST:
2327 rx_mgmt_prot_ftm_request(wt, mgmt, len, no_ack);
2328 break;
2329 case WLAN_PROT_FTM:
2330 rx_mgmt_prot_ftm(wt, mgmt, len, no_ack);
2331 break;
2332 case WLAN_PROT_FTM_REPORT:
2333 rx_mgmt_prot_ftm_report(wt, mgmt, len, no_ack);
2334 break;
2335 }
2336}
2337
2338
2339static void rx_mgmt_action_no_bss(struct wlantest *wt,
2340 const struct ieee80211_mgmt *mgmt, size_t len,
2341 bool no_ack)
2342{
2343 switch (mgmt->u.action.category) {
2344 case WLAN_ACTION_PUBLIC:
2345 rx_mgmt_action_no_bss_public(wt, mgmt, len, no_ack);
2346 break;
2347 case WLAN_ACTION_PROTECTED_FTM:
2348 rx_mgmt_action_no_bss_protected_ftm(wt, mgmt, len, no_ack);
2349 break;
2350 }
2351}
2352
2353
2354static void rx_mgmt_action(struct wlantest *wt, const u8 *data, size_t len,
2355 int valid, bool no_ack)
2356{
2357 const struct ieee80211_mgmt *mgmt;
2358 struct wlantest_bss *bss;
2359 struct wlantest_sta *sta;
2360
2361 mgmt = (const struct ieee80211_mgmt *) data;
2362 if (mgmt->da[0] & 0x01) {
2363 add_note(wt, MSG_DEBUG, "Group addressed Action frame: DA="
2364 MACSTR " SA=" MACSTR " BSSID=" MACSTR
2365 " category=%u",
2366 MAC2STR(mgmt->da), MAC2STR(mgmt->sa),
2367 MAC2STR(mgmt->bssid), mgmt->u.action.category);
2368 return; /* Ignore group addressed Action frames for now */
2369 }
2370
2371 if (len < 24 + 2) {
2372 add_note(wt, MSG_INFO, "Too short Action frame from " MACSTR,
2373 MAC2STR(mgmt->sa));
2374 return;
2375 }
2376
2377 wpa_printf(MSG_DEBUG, "ACTION%s " MACSTR " -> " MACSTR
2378 " BSSID=" MACSTR " (category=%u) (valid=%d)",
2379 no_ack ? "-NO-ACK" : "",
2380 MAC2STR(mgmt->sa), MAC2STR(mgmt->da), MAC2STR(mgmt->bssid),
2381 mgmt->u.action.category, valid);
2382 wpa_hexdump(MSG_MSGDUMP, "ACTION payload", data + 24, len - 24);
2383
2384 if (is_broadcast_ether_addr(mgmt->bssid)) {
2385 rx_mgmt_action_no_bss(wt, mgmt, len, no_ack);
2386 return;
2387 }
2388 bss = bss_get(wt, mgmt->bssid);
2389 if (bss == NULL)
2390 return;
2391 if (os_memcmp(mgmt->sa, mgmt->bssid, ETH_ALEN) == 0) {
2392 sta = sta_find_mlo(wt, bss, mgmt->da);
2393 if (!sta)
2394 sta = sta_get(bss, mgmt->da);
2395 } else {
2396 sta = sta_find_mlo(wt, bss, mgmt->sa);
2397 if (!sta)
2398 sta = sta_get(bss, mgmt->sa);
2399 }
2400 if (sta == NULL)
2401 return;
2402
2403 if (mgmt->u.action.category != WLAN_ACTION_PUBLIC &&
2404 sta->state < STATE3) {
2405 add_note(wt, MSG_INFO, "Action frame sent when STA is not in "
2406 "State 3 (SA=" MACSTR " DATA=" MACSTR ")",
2407 MAC2STR(mgmt->sa), MAC2STR(mgmt->da));
2408 }
2409
2410 switch (mgmt->u.action.category) {
2411 case WLAN_ACTION_FT:
2412 rx_mgmt_action_ft(wt, sta, mgmt, len, valid);
2413 break;
2414 case WLAN_ACTION_SA_QUERY:
2415 rx_mgmt_action_sa_query(wt, sta, mgmt, len, valid);
2416 break;
2417 }
2418}
2419
2420
2421static int check_mmie_mic(unsigned int mgmt_group_cipher,
2422 const u8 *igtk, size_t igtk_len,
2423 const u8 *data, size_t len)
2424{
2425 u8 *buf;
2426 u8 mic[16];
2427 u16 fc;
2428 const struct ieee80211_hdr *hdr;
2429 int ret, mic_len;
2430
2431 if (!mgmt_group_cipher || igtk_len < 16)
2432 return -1;
2433 mic_len = mgmt_group_cipher == WPA_CIPHER_AES_128_CMAC ? 8 : 16;
2434
2435 if (len < 24 || len - 24 < mic_len)
2436 return -1;
2437
2438 buf = os_malloc(len + 20 - 24);
2439 if (buf == NULL)
2440 return -1;
2441
2442 /* BIP AAD: FC(masked) A1 A2 A3 */
2443 hdr = (const struct ieee80211_hdr *) data;
2444 fc = le_to_host16(hdr->frame_control);
2445 fc &= ~(WLAN_FC_RETRY | WLAN_FC_PWRMGT | WLAN_FC_MOREDATA);
2446 WPA_PUT_LE16(buf, fc);
2447 os_memcpy(buf + 2, hdr->addr1, 3 * ETH_ALEN);
2448
2449 /* Frame body with MMIE MIC masked to zero */
2450 os_memcpy(buf + 20, data + 24, len - 24 - mic_len);
2451 os_memset(buf + 20 + len - 24 - mic_len, 0, mic_len);
2452
2453 if (WLAN_FC_GET_STYPE(fc) == WLAN_FC_STYPE_BEACON) {
2454 /* Timestamp field masked to zero */
2455 os_memset(buf + 20, 0, 8);
2456 }
2457
2458 wpa_hexdump(MSG_MSGDUMP, "BIP: AAD|Body(masked)", buf, len + 20 - 24);
2459 /* MIC = L(AES-128-CMAC(AAD || Frame Body(masked)), 0, 64) */
2460 if (mgmt_group_cipher == WPA_CIPHER_AES_128_CMAC) {
2461 ret = omac1_aes_128(igtk, buf, len + 20 - 24, mic);
2462 } else if (mgmt_group_cipher == WPA_CIPHER_BIP_CMAC_256) {
2463 ret = omac1_aes_256(igtk, buf, len + 20 - 24, mic);
2464 } else if (mgmt_group_cipher == WPA_CIPHER_BIP_GMAC_128 ||
2465 mgmt_group_cipher == WPA_CIPHER_BIP_GMAC_256) {
2466 u8 nonce[12], *npos;
2467 const u8 *ipn;
2468
2469 ipn = data + len - mic_len - 6;
2470
2471 /* Nonce: A2 | IPN */
2472 os_memcpy(nonce, hdr->addr2, ETH_ALEN);
2473 npos = nonce + ETH_ALEN;
2474 *npos++ = ipn[5];
2475 *npos++ = ipn[4];
2476 *npos++ = ipn[3];
2477 *npos++ = ipn[2];
2478 *npos++ = ipn[1];
2479 *npos++ = ipn[0];
2480
2481 ret = aes_gmac(igtk, igtk_len, nonce, sizeof(nonce),
2482 buf, len + 20 - 24, mic);
2483 } else {
2484 ret = -1;
2485 }
2486 if (ret < 0) {
2487 os_free(buf);
2488 return -1;
2489 }
2490
2491 os_free(buf);
2492
2493 if (os_memcmp(data + len - mic_len, mic, mic_len) != 0)
2494 return -1;
2495
2496 return 0;
2497}
2498
2499
2500static int check_bip(struct wlantest *wt, const u8 *data, size_t len)
2501{
2502 const struct ieee80211_mgmt *mgmt;
2503 u16 fc, stype;
2504 const u8 *mmie;
2505 u16 keyid;
2506 struct wlantest_bss *bss;
2507 size_t mic_len;
2508
2509 mgmt = (const struct ieee80211_mgmt *) data;
2510 fc = le_to_host16(mgmt->frame_control);
2511 stype = WLAN_FC_GET_STYPE(fc);
2512
2513 if (stype == WLAN_FC_STYPE_ACTION ||
2514 stype == WLAN_FC_STYPE_ACTION_NO_ACK) {
2515 if (len < 24 + 1)
2516 return 0;
2517 if (mgmt->u.action.category == WLAN_ACTION_PUBLIC)
2518 return 0; /* Not a robust management frame */
2519 }
2520
2521 bss = bss_get(wt, mgmt->bssid);
2522 if (bss == NULL)
2523 return 0; /* No key known yet */
2524
2525 mic_len = bss->mgmt_group_cipher == WPA_CIPHER_AES_128_CMAC ? 8 : 16;
2526
2527 if (len < 24 + 10 + mic_len ||
2528 data[len - (10 + mic_len)] != WLAN_EID_MMIE ||
2529 data[len - (10 + mic_len - 1)] != 8 + mic_len) {
2530 /* No MMIE */
2531 if (bss->rsn_capab & WPA_CAPABILITY_MFPC) {
2532 add_note(wt, MSG_INFO, "Robust group-addressed "
2533 "management frame sent without BIP by "
2534 MACSTR, MAC2STR(mgmt->sa));
2535 bss->counters[WLANTEST_BSS_COUNTER_MISSING_BIP_MMIE]++;
2536 return -1;
2537 }
2538 return 0;
2539 }
2540
2541 mmie = data + len - (8 + mic_len);
2542 keyid = WPA_GET_LE16(mmie);
2543 if (keyid & 0xf000) {
2544 add_note(wt, MSG_INFO, "MMIE KeyID reserved bits not zero "
2545 "(%04x) from " MACSTR, keyid, MAC2STR(mgmt->sa));
2546 keyid &= 0x0fff;
2547 }
2548 if (keyid < 4 || keyid > 5) {
2549 add_note(wt, MSG_INFO, "Unexpected MMIE KeyID %u from " MACSTR,
2550 keyid, MAC2STR(mgmt->sa));
2551 bss->counters[WLANTEST_BSS_COUNTER_INVALID_BIP_MMIE]++;
2552 return 0;
2553 }
2554 wpa_printf(MSG_DEBUG, "MMIE KeyID %u", keyid);
2555 wpa_hexdump(MSG_MSGDUMP, "MMIE IPN", mmie + 2, 6);
2556 wpa_hexdump(MSG_MSGDUMP, "MMIE MIC", mmie + 8, mic_len);
2557
2558 if (!bss->igtk_len[keyid]) {
2559 add_note(wt, MSG_DEBUG, "No IGTK known to validate BIP frame");
2560 return 0;
2561 }
2562
2563 if (os_memcmp(mmie + 2, bss->ipn[keyid], 6) <= 0) {
2564 add_note(wt, MSG_INFO, "BIP replay detected: SA=" MACSTR,
2565 MAC2STR(mgmt->sa));
2566 wpa_hexdump(MSG_INFO, "RX IPN", mmie + 2, 6);
2567 wpa_hexdump(MSG_INFO, "Last RX IPN", bss->ipn[keyid], 6);
2568 }
2569
2570 if (check_mmie_mic(bss->mgmt_group_cipher, bss->igtk[keyid],
2571 bss->igtk_len[keyid], data, len) < 0) {
2572 add_note(wt, MSG_INFO, "Invalid MMIE MIC in a frame from "
2573 MACSTR, MAC2STR(mgmt->sa));
2574 bss->counters[WLANTEST_BSS_COUNTER_INVALID_BIP_MMIE]++;
2575 return -1;
2576 }
2577
2578 add_note(wt, MSG_DEBUG, "Valid MMIE MIC");
2579 os_memcpy(bss->ipn[keyid], mmie + 2, 6);
2580 bss->counters[WLANTEST_BSS_COUNTER_VALID_BIP_MMIE]++;
2581
2582 if (stype == WLAN_FC_STYPE_DEAUTH)
2583 bss->counters[WLANTEST_BSS_COUNTER_BIP_DEAUTH]++;
2584 else if (stype == WLAN_FC_STYPE_DISASSOC)
2585 bss->counters[WLANTEST_BSS_COUNTER_BIP_DISASSOC]++;
2586
2587 return 0;
2588}
2589
2590
2591static u8 * try_tk(struct wpa_ptk *ptk, size_t ptk_len,
2592 const u8 *data, size_t len, size_t *dlen)
2593{
2594 const struct ieee80211_hdr *hdr;
2595 u8 *decrypted, *frame;
2596
2597 hdr = (const struct ieee80211_hdr *) data;
2598 if (ptk_len == 16) {
2599 decrypted = ccmp_decrypt(ptk->tk, hdr, NULL, NULL, NULL,
2600 data + 24, len - 24, dlen);
2601 if (!decrypted)
2602 decrypted = gcmp_decrypt(ptk->tk, 16, hdr, NULL, NULL,
2603 NULL,
2604 data + 24, len - 24, dlen);
2605 } else if (ptk_len == 32) {
2606 decrypted = ccmp_256_decrypt(ptk->tk, hdr, NULL, NULL, NULL,
2607 data + 24, len - 24, dlen);
2608 if (!decrypted)
2609 decrypted = gcmp_decrypt(ptk->tk, 32, hdr, NULL, NULL,
2610 NULL,
2611 data + 24, len - 24, dlen);
2612 } else {
2613 decrypted = NULL;
2614 }
2615 if (!decrypted)
2616 return NULL;
2617
2618 frame = os_malloc(24 + *dlen);
2619 if (frame) {
2620 os_memcpy(frame, data, 24);
2621 os_memcpy(frame + 24, decrypted, *dlen);
2622 *dlen += 24;
2623 }
2624 os_free(decrypted);
2625 return frame;
2626}
2627
2628
2629static u8 * mgmt_decrypt_tk(struct wlantest *wt, const u8 *data, size_t len,
2630 size_t *dlen)
2631{
2632 struct wlantest_ptk *ptk;
2633 u8 *decrypted;
2634 int prev_level = wpa_debug_level;
2635 int keyid;
2636
2637 keyid = data[24 + 3] >> 6;
2638
2639 wpa_debug_level = MSG_WARNING;
2640 dl_list_for_each(ptk, &wt->ptk, struct wlantest_ptk, list) {
2641 decrypted = try_tk(&ptk->ptk, ptk->ptk_len, data, len, dlen);
2642 if (decrypted) {
2643 wpa_debug_level = prev_level;
2644 add_note(wt, MSG_DEBUG,
2645 "Found TK match from the list of all known TKs");
2646 write_decrypted_note(wt, decrypted, ptk->ptk.tk,
2647 ptk->ptk.tk_len, keyid);
2648 return decrypted;
2649 }
2650 }
2651 wpa_debug_level = prev_level;
2652
2653 return NULL;
2654}
2655
2656
2657static u8 * mgmt_decrypt(struct wlantest *wt, const u8 *data, size_t len,
2658 size_t *dlen)
2659{
2660 struct wlantest_bss *bss;
2661 struct wlantest_sta *sta;
2662 const struct ieee80211_hdr *hdr;
2663 int keyid;
2664 u8 *decrypted, *frame = NULL;
2665 u8 pn[6], *rsc;
2666 u16 fc;
2667 u8 mask;
2668 size_t hdrlen = 24;
2669
2670 hdr = (const struct ieee80211_hdr *) data;
2671 fc = le_to_host16(hdr->frame_control);
2672
2673 if (fc & WLAN_FC_HTC)
2674 hdrlen += 4; /* HT Control field */
2675
2676 if (len < hdrlen + 4)
2677 return NULL;
2678
2679 if (!(data[hdrlen + 3] & 0x20)) {
2680 add_note(wt, MSG_INFO, "Expected CCMP/GCMP frame from " MACSTR
2681 " did not have ExtIV bit set to 1",
2682 MAC2STR(hdr->addr2));
2683 return NULL;
2684 }
2685
2686 mask = 0x1f;
2687 if (WLAN_FC_GET_STYPE(fc) == WLAN_FC_STYPE_ACTION ||
2688 WLAN_FC_GET_STYPE(fc) == WLAN_FC_STYPE_ACTION_NO_ACK)
2689 mask &= ~0x10; /* FTM */
2690 if (data[hdrlen + 2] != 0 || (data[hdrlen + 3] & mask) != 0) {
2691 add_note(wt, MSG_INFO, "CCMP/GCMP mgmt frame from " MACSTR
2692 " used non-zero reserved bit", MAC2STR(hdr->addr2));
2693 }
2694
2695 keyid = data[hdrlen + 3] >> 6;
2696 if (keyid != 0) {
2697 add_note(wt, MSG_INFO, "Unexpected non-zero KeyID %d in "
2698 "individually addressed Management frame from "
2699 MACSTR, keyid, MAC2STR(hdr->addr2));
2700 }
2701
2702 bss = bss_get(wt, hdr->addr3);
2703 if (bss == NULL)
2704 return mgmt_decrypt_tk(wt, data, len, dlen);
2705 if (os_memcmp(hdr->addr1, hdr->addr3, ETH_ALEN) == 0) {
2706 sta = sta_find_mlo(wt, bss, hdr->addr2);
2707 if (!sta)
2708 sta = sta_get(bss, hdr->addr2);
2709 } else {
2710 sta = sta_find_mlo(wt, bss, hdr->addr1);
2711 if (!sta)
2712 sta = sta_get(bss, hdr->addr1);
2713 }
2714 if (sta == NULL || !sta->ptk_set) {
2715 decrypted = mgmt_decrypt_tk(wt, data, len, dlen);
2716 if (!decrypted)
2717 add_note(wt, MSG_MSGDUMP,
2718 "No PTK known to decrypt the frame");
2719 return decrypted;
2720 }
2721
2722 if (os_memcmp(hdr->addr1, hdr->addr3, ETH_ALEN) == 0)
2723 rsc = sta->rsc_tods[16];
2724 else
2725 rsc = sta->rsc_fromds[16];
2726
2727 ccmp_get_pn(pn, data + hdrlen);
2728 if (os_memcmp(pn, rsc, 6) <= 0) {
2729 u16 seq_ctrl = le_to_host16(hdr->seq_ctrl);
2730 add_note(wt, MSG_INFO, "replay detected: A1=" MACSTR
2731 " A2=" MACSTR " A3=" MACSTR " seq=%u frag=%u%s",
2732 MAC2STR(hdr->addr1), MAC2STR(hdr->addr2),
2733 MAC2STR(hdr->addr3),
2734 WLAN_GET_SEQ_SEQ(seq_ctrl),
2735 WLAN_GET_SEQ_FRAG(seq_ctrl),
2736 (le_to_host16(hdr->frame_control) & WLAN_FC_RETRY) ?
2737 " Retry" : "");
2738 wpa_hexdump(MSG_INFO, "RX PN", pn, 6);
2739 wpa_hexdump(MSG_INFO, "RSC", rsc, 6);
2740 }
2741
2742 if (sta->pairwise_cipher == WPA_CIPHER_CCMP_256) {
2743 decrypted = ccmp_256_decrypt(sta->ptk.tk, hdr, NULL, NULL, NULL,
2744 data + hdrlen, len - hdrlen, dlen);
2745 write_decrypted_note(wt, decrypted, sta->ptk.tk, 32, keyid);
2746 } else if (sta->pairwise_cipher == WPA_CIPHER_GCMP ||
2747 sta->pairwise_cipher == WPA_CIPHER_GCMP_256) {
2748 decrypted = gcmp_decrypt(sta->ptk.tk, sta->ptk.tk_len, hdr,
2749 NULL, NULL, NULL,
2750 data + hdrlen, len - hdrlen, dlen);
2751 write_decrypted_note(wt, decrypted, sta->ptk.tk,
2752 sta->ptk.tk_len, keyid);
2753 } else {
2754 decrypted = ccmp_decrypt(sta->ptk.tk, hdr, NULL, NULL, NULL,
2755 data + hdrlen, len - hdrlen, dlen);
2756 write_decrypted_note(wt, decrypted, sta->ptk.tk, 16, keyid);
2757 }
2758 if (decrypted) {
2759 os_memcpy(rsc, pn, 6);
2760 frame = os_malloc(hdrlen + *dlen);
2761 if (frame) {
2762 os_memcpy(frame, data, hdrlen);
2763 os_memcpy(frame + hdrlen, decrypted, *dlen);
2764 *dlen += hdrlen;
2765 }
2766 } else {
2767 /* Assume the frame was corrupted and there was no FCS to check.
2768 * Allow retry of this particular frame to be processed so that
2769 * it could end up getting decrypted if it was received without
2770 * corruption. */
2771 sta->allow_duplicate = 1;
2772 }
2773
2774 os_free(decrypted);
2775
2776 return frame;
2777}
2778
2779
2780static bool is_robust_action_category(u8 category)
2781{
2782 return category != WLAN_ACTION_PUBLIC &&
2783 category != WLAN_ACTION_HT &&
2784 category != WLAN_ACTION_UNPROTECTED_WNM &&
2785 category != WLAN_ACTION_SELF_PROTECTED &&
2786 category != WLAN_ACTION_UNPROTECTED_DMG &&
2787 category != WLAN_ACTION_VHT &&
2788 category != WLAN_ACTION_UNPROTECTED_S1G &&
2789 category != WLAN_ACTION_HE &&
2790 category != WLAN_ACTION_EHT &&
2791 category != WLAN_ACTION_VENDOR_SPECIFIC;
2792}
2793
2794
2795static int check_mgmt_ccmp_gcmp(struct wlantest *wt, const u8 *data, size_t len)
2796{
2797 const struct ieee80211_mgmt *mgmt;
2798 u16 fc;
2799 struct wlantest_bss *bss;
2800 struct wlantest_sta *sta;
2801 int category = -1;
2802
2803 mgmt = (const struct ieee80211_mgmt *) data;
2804 fc = le_to_host16(mgmt->frame_control);
2805
2806 if ((WLAN_FC_GET_STYPE(fc) == WLAN_FC_STYPE_ACTION ||
2807 WLAN_FC_GET_STYPE(fc) == WLAN_FC_STYPE_ACTION_NO_ACK) &&
2808 len > 24) {
2809 category = mgmt->u.action.category;
2810 if (!is_robust_action_category(category))
2811 return 0; /* Not a robust management frame */
2812 }
2813
2814 bss = bss_get(wt, mgmt->bssid);
2815 if (bss == NULL)
2816 return 0;
2817 if (os_memcmp(mgmt->da, mgmt->bssid, ETH_ALEN) == 0)
2818 sta = sta_get(bss, mgmt->sa);
2819 else
2820 sta = sta_get(bss, mgmt->da);
2821 if (sta == NULL)
2822 return 0;
2823
2824 if ((bss->rsn_capab & WPA_CAPABILITY_MFPC) &&
2825 (sta->rsn_capab & WPA_CAPABILITY_MFPC) &&
2826 (sta->state == STATE3 ||
2827 WLAN_FC_GET_STYPE(fc) == WLAN_FC_STYPE_ACTION ||
2828 WLAN_FC_GET_STYPE(fc) == WLAN_FC_STYPE_ACTION_NO_ACK)) {
2829 add_note(wt, MSG_INFO,
2830 "Robust individually-addressed management frame (stype=%u category=%d) sent without CCMP/GCMP by "
2831 MACSTR, WLAN_FC_GET_STYPE(fc), category,
2832 MAC2STR(mgmt->sa));
2833 return -1;
2834 }
2835
2836 return 0;
2837}
2838
2839
2840void rx_mgmt(struct wlantest *wt, const u8 *data, size_t len)
2841{
2842 const struct ieee80211_hdr *hdr;
2843 u16 fc, stype;
2844 int valid = 1;
2845 u8 *decrypted = NULL;
2846 size_t dlen;
2847
2848 if (len < 24)
2849 return;
2850
2851 hdr = (const struct ieee80211_hdr *) data;
2852 fc = le_to_host16(hdr->frame_control);
2853 wt->rx_mgmt++;
2854 stype = WLAN_FC_GET_STYPE(fc);
2855
2856 if ((hdr->addr1[0] & 0x01) &&
2857 (stype == WLAN_FC_STYPE_DEAUTH ||
2858 stype == WLAN_FC_STYPE_DISASSOC ||
2859 stype == WLAN_FC_STYPE_ACTION ||
2860 stype == WLAN_FC_STYPE_ACTION_NO_ACK)) {
2861 if (check_bip(wt, data, len) < 0)
2862 valid = 0;
2863 }
2864
2865 wpa_printf((stype == WLAN_FC_STYPE_BEACON ||
2866 stype == WLAN_FC_STYPE_PROBE_RESP ||
2867 stype == WLAN_FC_STYPE_PROBE_REQ) ?
2868 MSG_EXCESSIVE : MSG_MSGDUMP,
2869 "MGMT %s%s%s DA=" MACSTR " SA=" MACSTR " BSSID=" MACSTR,
2870 mgmt_stype(stype),
2871 fc & WLAN_FC_PWRMGT ? " PwrMgt" : "",
2872 fc & WLAN_FC_ISWEP ? " Prot" : "",
2873 MAC2STR(hdr->addr1), MAC2STR(hdr->addr2),
2874 MAC2STR(hdr->addr3));
2875
2876 if ((fc & WLAN_FC_ISWEP) &&
2877 !(hdr->addr1[0] & 0x01) &&
2878 (stype == WLAN_FC_STYPE_DEAUTH ||
2879 stype == WLAN_FC_STYPE_DISASSOC ||
2880 stype == WLAN_FC_STYPE_ACTION ||
2881 stype == WLAN_FC_STYPE_ACTION_NO_ACK)) {
2882 decrypted = mgmt_decrypt(wt, data, len, &dlen);
2883 if (decrypted) {
2884 write_pcap_decrypted(wt, decrypted, dlen, NULL, 0);
2885 data = decrypted;
2886 len = dlen;
2887 } else
2888 valid = 0;
2889 }
2890
2891 if (!(fc & WLAN_FC_ISWEP) &&
2892 !(hdr->addr1[0] & 0x01) &&
2893 (stype == WLAN_FC_STYPE_DEAUTH ||
2894 stype == WLAN_FC_STYPE_DISASSOC ||
2895 stype == WLAN_FC_STYPE_ACTION ||
2896 stype == WLAN_FC_STYPE_ACTION_NO_ACK)) {
2897 if (check_mgmt_ccmp_gcmp(wt, data, len) < 0)
2898 valid = 0;
2899 }
2900
2901 switch (stype) {
2902 case WLAN_FC_STYPE_BEACON:
2903 rx_mgmt_beacon(wt, data, len);
2904 break;
2905 case WLAN_FC_STYPE_PROBE_RESP:
2906 rx_mgmt_probe_resp(wt, data, len);
2907 break;
2908 case WLAN_FC_STYPE_AUTH:
2909 rx_mgmt_auth(wt, data, len);
2910 break;
2911 case WLAN_FC_STYPE_DEAUTH:
2912 rx_mgmt_deauth(wt, data, len, valid);
2913 break;
2914 case WLAN_FC_STYPE_ASSOC_REQ:
2915 rx_mgmt_assoc_req(wt, data, len);
2916 break;
2917 case WLAN_FC_STYPE_ASSOC_RESP:
2918 rx_mgmt_assoc_resp(wt, data, len);
2919 break;
2920 case WLAN_FC_STYPE_REASSOC_REQ:
2921 rx_mgmt_reassoc_req(wt, data, len);
2922 break;
2923 case WLAN_FC_STYPE_REASSOC_RESP:
2924 rx_mgmt_reassoc_resp(wt, data, len);
2925 break;
2926 case WLAN_FC_STYPE_DISASSOC:
2927 rx_mgmt_disassoc(wt, data, len, valid);
2928 break;
2929 case WLAN_FC_STYPE_ACTION:
2930 rx_mgmt_action(wt, data, len, valid, false);
2931 break;
2932 case WLAN_FC_STYPE_ACTION_NO_ACK:
2933 rx_mgmt_action(wt, data, len, valid, true);
2934 break;
2935 }
2936
2937 os_free(decrypted);
2938
2939 wt->last_mgmt_valid = valid;
2940}
2941
2942
2943static void rx_mgmt_deauth_ack(struct wlantest *wt,
2944 const struct ieee80211_hdr *hdr)
2945{
2946 const struct ieee80211_mgmt *mgmt;
2947 struct wlantest_bss *bss;
2948 struct wlantest_sta *sta;
2949
2950 mgmt = (const struct ieee80211_mgmt *) hdr;
2951 bss = bss_get(wt, mgmt->bssid);
2952 if (bss == NULL)
2953 return;
2954 if (os_memcmp(mgmt->sa, mgmt->bssid, ETH_ALEN) == 0)
2955 sta = sta_get(bss, mgmt->da);
2956 else
2957 sta = sta_get(bss, mgmt->sa);
2958 if (sta == NULL)
2959 return;
2960
2961 add_note(wt, MSG_DEBUG, "DEAUTH from " MACSTR " acknowledged by "
2962 MACSTR, MAC2STR(mgmt->sa), MAC2STR(mgmt->da));
2963 if (os_memcmp(mgmt->sa, mgmt->bssid, ETH_ALEN) == 0) {
2964 int c;
2965 c = wt->last_mgmt_valid ?
2966 WLANTEST_STA_COUNTER_VALID_DEAUTH_RX_ACK :
2967 WLANTEST_STA_COUNTER_INVALID_DEAUTH_RX_ACK;
2968 sta->counters[c]++;
2969 }
2970}
2971
2972
2973static void rx_mgmt_disassoc_ack(struct wlantest *wt,
2974 const struct ieee80211_hdr *hdr)
2975{
2976 const struct ieee80211_mgmt *mgmt;
2977 struct wlantest_bss *bss;
2978 struct wlantest_sta *sta;
2979
2980 mgmt = (const struct ieee80211_mgmt *) hdr;
2981 bss = bss_get(wt, mgmt->bssid);
2982 if (bss == NULL)
2983 return;
2984 if (os_memcmp(mgmt->sa, mgmt->bssid, ETH_ALEN) == 0)
2985 sta = sta_get(bss, mgmt->da);
2986 else
2987 sta = sta_get(bss, mgmt->sa);
2988 if (sta == NULL)
2989 return;
2990
2991 add_note(wt, MSG_DEBUG, "DISASSOC from " MACSTR " acknowledged by "
2992 MACSTR, MAC2STR(mgmt->sa), MAC2STR(mgmt->da));
2993 if (os_memcmp(mgmt->sa, mgmt->bssid, ETH_ALEN) == 0) {
2994 int c;
2995 c = wt->last_mgmt_valid ?
2996 WLANTEST_STA_COUNTER_VALID_DISASSOC_RX_ACK :
2997 WLANTEST_STA_COUNTER_INVALID_DISASSOC_RX_ACK;
2998 sta->counters[c]++;
2999 }
3000}
3001
3002
3003void rx_mgmt_ack(struct wlantest *wt, const struct ieee80211_hdr *hdr)
3004{
3005 u16 fc, stype;
3006 fc = le_to_host16(hdr->frame_control);
3007 stype = WLAN_FC_GET_STYPE(fc);
3008
3009 wpa_printf(MSG_MSGDUMP, "MGMT ACK: stype=%u a1=" MACSTR " a2=" MACSTR
3010 " a3=" MACSTR,
3011 stype, MAC2STR(hdr->addr1), MAC2STR(hdr->addr2),
3012 MAC2STR(hdr->addr3));
3013
3014 switch (stype) {
3015 case WLAN_FC_STYPE_DEAUTH:
3016 rx_mgmt_deauth_ack(wt, hdr);
3017 break;
3018 case WLAN_FC_STYPE_DISASSOC:
3019 rx_mgmt_disassoc_ack(wt, hdr);
3020 break;
3021 }
3022}