wlantest: Add support for decrypting TDLS frames
Derive TPK based on TDLS TPK Handshake and decrypt frames on the direct link with TPK-TK.
This commit is contained in:
parent
89c38e32c7
commit
b39f58347d
8 changed files with 436 additions and 8 deletions
|
@ -254,6 +254,11 @@ ParseRes ieee802_11_parse_elems(const u8 *start, size_t len,
|
||||||
elems->ht_operation = pos;
|
elems->ht_operation = pos;
|
||||||
elems->ht_operation_len = elen;
|
elems->ht_operation_len = elen;
|
||||||
break;
|
break;
|
||||||
|
case WLAN_EID_LINK_ID:
|
||||||
|
if (elen < 18)
|
||||||
|
break;
|
||||||
|
elems->link_id = pos;
|
||||||
|
break;
|
||||||
default:
|
default:
|
||||||
unknown++;
|
unknown++;
|
||||||
if (!show_errors)
|
if (!show_errors)
|
||||||
|
|
|
@ -41,6 +41,7 @@ struct ieee802_11_elems {
|
||||||
const u8 *ht_operation;
|
const u8 *ht_operation;
|
||||||
const u8 *vendor_ht_cap;
|
const u8 *vendor_ht_cap;
|
||||||
const u8 *p2p;
|
const u8 *p2p;
|
||||||
|
const u8 *link_id;
|
||||||
|
|
||||||
u8 ssid_len;
|
u8 ssid_len;
|
||||||
u8 supp_rates_len;
|
u8 supp_rates_len;
|
||||||
|
|
|
@ -212,6 +212,7 @@
|
||||||
#define WLAN_EID_20_40_BSS_INTOLERANT 73
|
#define WLAN_EID_20_40_BSS_INTOLERANT 73
|
||||||
#define WLAN_EID_OVERLAPPING_BSS_SCAN_PARAMS 74
|
#define WLAN_EID_OVERLAPPING_BSS_SCAN_PARAMS 74
|
||||||
#define WLAN_EID_MMIE 76
|
#define WLAN_EID_MMIE 76
|
||||||
|
#define WLAN_EID_LINK_ID 101
|
||||||
#define WLAN_EID_ADV_PROTO 108
|
#define WLAN_EID_ADV_PROTO 108
|
||||||
#define WLAN_EID_VENDOR_SPECIFIC 221
|
#define WLAN_EID_VENDOR_SPECIFIC 221
|
||||||
|
|
||||||
|
@ -226,6 +227,7 @@
|
||||||
#define WLAN_ACTION_FT 6
|
#define WLAN_ACTION_FT 6
|
||||||
#define WLAN_ACTION_HT 7
|
#define WLAN_ACTION_HT 7
|
||||||
#define WLAN_ACTION_SA_QUERY 8
|
#define WLAN_ACTION_SA_QUERY 8
|
||||||
|
#define WLAN_ACTION_TDLS 12
|
||||||
#define WLAN_ACTION_WMM 17 /* WMM Specification 1.1 */
|
#define WLAN_ACTION_WMM 17 /* WMM Specification 1.1 */
|
||||||
#define WLAN_ACTION_VENDOR_SPECIFIC 127
|
#define WLAN_ACTION_VENDOR_SPECIFIC 127
|
||||||
|
|
||||||
|
@ -242,6 +244,19 @@
|
||||||
|
|
||||||
#define WLAN_SA_QUERY_TR_ID_LEN 2
|
#define WLAN_SA_QUERY_TR_ID_LEN 2
|
||||||
|
|
||||||
|
/* TDLS action codes */
|
||||||
|
#define WLAN_TDLS_SETUP_REQUEST 0
|
||||||
|
#define WLAN_TDLS_SETUP_RESPONSE 1
|
||||||
|
#define WLAN_TDLS_SETUP_CONFIRM 2
|
||||||
|
#define WLAN_TDLS_TEARDOWN 3
|
||||||
|
#define WLAN_TDLS_PEER_TRAFFIC_INDICATION 4
|
||||||
|
#define WLAN_TDLS_CHANNEL_SWITCH_REQUEST 5
|
||||||
|
#define WLAN_TDLS_CHANNEL_SWITCH_RESPONSE 6
|
||||||
|
#define WLAN_TDLS_PEER_PSM_REQUEST 7
|
||||||
|
#define WLAN_TDLS_PEER_PSM_RESPONSE 8
|
||||||
|
#define WLAN_TDLS_PEER_TRAFFIC_RESPONSE 9
|
||||||
|
#define WLAN_TDLS_DISCOVERY_REQUEST 10
|
||||||
|
|
||||||
/* Timeout Interval Type */
|
/* Timeout Interval Type */
|
||||||
#define WLAN_TIMEOUT_REASSOC_DEADLINE 1
|
#define WLAN_TIMEOUT_REASSOC_DEADLINE 1
|
||||||
#define WLAN_TIMEOUT_KEY_LIFETIME 2
|
#define WLAN_TIMEOUT_KEY_LIFETIME 2
|
||||||
|
|
|
@ -58,6 +58,7 @@ OBJS += rx_mgmt.o
|
||||||
OBJS += rx_data.o
|
OBJS += rx_data.o
|
||||||
OBJS += rx_eapol.o
|
OBJS += rx_eapol.o
|
||||||
OBJS += rx_ip.o
|
OBJS += rx_ip.o
|
||||||
|
OBJS += rx_tdls.o
|
||||||
OBJS += bss.o
|
OBJS += bss.o
|
||||||
OBJS += sta.o
|
OBJS += sta.o
|
||||||
OBJS += crc32.o
|
OBJS += crc32.o
|
||||||
|
|
|
@ -50,6 +50,7 @@ struct wlantest_bss * bss_get(struct wlantest *wt, const u8 *bssid)
|
||||||
return NULL;
|
return NULL;
|
||||||
dl_list_init(&bss->sta);
|
dl_list_init(&bss->sta);
|
||||||
dl_list_init(&bss->pmk);
|
dl_list_init(&bss->pmk);
|
||||||
|
dl_list_init(&bss->tdls);
|
||||||
os_memcpy(bss->bssid, bssid, ETH_ALEN);
|
os_memcpy(bss->bssid, bssid, ETH_ALEN);
|
||||||
dl_list_add(&wt->bss, &bss->list);
|
dl_list_add(&wt->bss, &bss->list);
|
||||||
wpa_printf(MSG_DEBUG, "Discovered new BSS - " MACSTR,
|
wpa_printf(MSG_DEBUG, "Discovered new BSS - " MACSTR,
|
||||||
|
@ -69,10 +70,13 @@ void bss_deinit(struct wlantest_bss *bss)
|
||||||
{
|
{
|
||||||
struct wlantest_sta *sta, *n;
|
struct wlantest_sta *sta, *n;
|
||||||
struct wlantest_pmk *pmk, *np;
|
struct wlantest_pmk *pmk, *np;
|
||||||
|
struct wlantest_tdls *tdls, *nt;
|
||||||
dl_list_for_each_safe(sta, n, &bss->sta, struct wlantest_sta, list)
|
dl_list_for_each_safe(sta, n, &bss->sta, struct wlantest_sta, list)
|
||||||
sta_deinit(sta);
|
sta_deinit(sta);
|
||||||
dl_list_for_each_safe(pmk, np, &bss->pmk, struct wlantest_pmk, list)
|
dl_list_for_each_safe(pmk, np, &bss->pmk, struct wlantest_pmk, list)
|
||||||
pmk_deinit(pmk);
|
pmk_deinit(pmk);
|
||||||
|
dl_list_for_each_safe(tdls, nt, &bss->tdls, struct wlantest_tdls, list)
|
||||||
|
os_free(tdls);
|
||||||
dl_list_del(&bss->list);
|
dl_list_del(&bss->list);
|
||||||
os_free(bss);
|
os_free(bss);
|
||||||
}
|
}
|
||||||
|
|
|
@ -70,6 +70,9 @@ static void rx_data_eth(struct wlantest *wt, const u8 *bssid,
|
||||||
case ETH_P_IP:
|
case ETH_P_IP:
|
||||||
rx_data_ip(wt, bssid, sta_addr, dst, src, data, len);
|
rx_data_ip(wt, bssid, sta_addr, dst, src, data, len);
|
||||||
break;
|
break;
|
||||||
|
case 0x890d:
|
||||||
|
rx_data_80211_encap(wt, bssid, sta_addr, dst, src, data, len);
|
||||||
|
break;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -182,13 +185,15 @@ static void rx_data_bss_prot(struct wlantest *wt,
|
||||||
size_t len)
|
size_t len)
|
||||||
{
|
{
|
||||||
struct wlantest_bss *bss;
|
struct wlantest_bss *bss;
|
||||||
struct wlantest_sta *sta;
|
struct wlantest_sta *sta, *sta2;
|
||||||
int keyid;
|
int keyid;
|
||||||
u16 fc = le_to_host16(hdr->frame_control);
|
u16 fc = le_to_host16(hdr->frame_control);
|
||||||
u8 *decrypted;
|
u8 *decrypted;
|
||||||
size_t dlen;
|
size_t dlen;
|
||||||
int tid;
|
int tid;
|
||||||
u8 pn[6], *rsc;
|
u8 pn[6], *rsc;
|
||||||
|
struct wlantest_tdls *tdls = NULL;
|
||||||
|
const u8 *tk = NULL;
|
||||||
|
|
||||||
if (hdr->addr1[0] & 0x01) {
|
if (hdr->addr1[0] & 0x01) {
|
||||||
rx_data_bss_prot_group(wt, hdr, qos, dst, src, data, len);
|
rx_data_bss_prot_group(wt, hdr, qos, dst, src, data, len);
|
||||||
|
@ -200,13 +205,32 @@ static void rx_data_bss_prot(struct wlantest *wt,
|
||||||
if (bss == NULL)
|
if (bss == NULL)
|
||||||
return;
|
return;
|
||||||
sta = sta_get(bss, hdr->addr2);
|
sta = sta_get(bss, hdr->addr2);
|
||||||
} else {
|
} else if (fc & WLAN_FC_FROMDS) {
|
||||||
bss = bss_get(wt, hdr->addr2);
|
bss = bss_get(wt, hdr->addr2);
|
||||||
if (bss == NULL)
|
if (bss == NULL)
|
||||||
return;
|
return;
|
||||||
sta = sta_get(bss, hdr->addr1);
|
sta = sta_get(bss, hdr->addr1);
|
||||||
|
} else {
|
||||||
|
bss = bss_get(wt, hdr->addr3);
|
||||||
|
if (bss == NULL)
|
||||||
|
return;
|
||||||
|
sta = sta_find(bss, hdr->addr2);
|
||||||
|
sta2 = sta_find(bss, hdr->addr1);
|
||||||
|
if (sta == NULL || sta2 == NULL)
|
||||||
|
return;
|
||||||
|
dl_list_for_each(tdls, &bss->tdls, struct wlantest_tdls, list)
|
||||||
|
{
|
||||||
|
if ((tdls->init == sta && tdls->resp == sta2) ||
|
||||||
|
(tdls->init == sta2 && tdls->resp == sta)) {
|
||||||
|
if (!tdls->link_up)
|
||||||
|
wpa_printf(MSG_DEBUG, "TDLS: Link not "
|
||||||
|
"up, but Data frame seen");
|
||||||
|
tk = tdls->tpk.tk;
|
||||||
|
break;
|
||||||
}
|
}
|
||||||
if (sta == NULL || !sta->ptk_set) {
|
}
|
||||||
|
}
|
||||||
|
if ((sta == NULL || !sta->ptk_set) && tk == NULL) {
|
||||||
wpa_printf(MSG_MSGDUMP, "No PTK known to decrypt the frame");
|
wpa_printf(MSG_MSGDUMP, "No PTK known to decrypt the frame");
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
@ -224,7 +248,7 @@ static void rx_data_bss_prot(struct wlantest *wt,
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (sta->pairwise_cipher == WPA_CIPHER_TKIP) {
|
if (tk == NULL && sta->pairwise_cipher == WPA_CIPHER_TKIP) {
|
||||||
if (data[3] & 0x1f) {
|
if (data[3] & 0x1f) {
|
||||||
wpa_printf(MSG_INFO, "TKIP frame from " MACSTR " used "
|
wpa_printf(MSG_INFO, "TKIP frame from " MACSTR " used "
|
||||||
"non-zero reserved bit",
|
"non-zero reserved bit",
|
||||||
|
@ -237,7 +261,7 @@ static void rx_data_bss_prot(struct wlantest *wt,
|
||||||
MAC2STR(hdr->addr2), data[1],
|
MAC2STR(hdr->addr2), data[1],
|
||||||
(data[0] | 0x20) & 0x7f);
|
(data[0] | 0x20) & 0x7f);
|
||||||
}
|
}
|
||||||
} else if (sta->pairwise_cipher == WPA_CIPHER_CCMP) {
|
} else if (tk || sta->pairwise_cipher == WPA_CIPHER_CCMP) {
|
||||||
if (data[2] != 0 || (data[3] & 0x1f) != 0) {
|
if (data[2] != 0 || (data[3] & 0x1f) != 0) {
|
||||||
wpa_printf(MSG_INFO, "CCMP frame from " MACSTR " used "
|
wpa_printf(MSG_INFO, "CCMP frame from " MACSTR " used "
|
||||||
"non-zero reserved bit",
|
"non-zero reserved bit",
|
||||||
|
@ -256,13 +280,18 @@ static void rx_data_bss_prot(struct wlantest *wt,
|
||||||
tid = qos[0] & 0x0f;
|
tid = qos[0] & 0x0f;
|
||||||
else
|
else
|
||||||
tid = 0;
|
tid = 0;
|
||||||
if (fc & WLAN_FC_TODS)
|
if (tk) {
|
||||||
|
if (os_memcmp(hdr->addr2, tdls->init->addr, ETH_ALEN) == 0)
|
||||||
|
rsc = tdls->rsc_init[tid];
|
||||||
|
else
|
||||||
|
rsc = tdls->rsc_resp[tid];
|
||||||
|
} else if (fc & WLAN_FC_TODS)
|
||||||
rsc = sta->rsc_tods[tid];
|
rsc = sta->rsc_tods[tid];
|
||||||
else
|
else
|
||||||
rsc = sta->rsc_fromds[tid];
|
rsc = sta->rsc_fromds[tid];
|
||||||
|
|
||||||
|
|
||||||
if (sta->pairwise_cipher == WPA_CIPHER_TKIP)
|
if (tk == NULL && sta->pairwise_cipher == WPA_CIPHER_TKIP)
|
||||||
tkip_get_pn(pn, data);
|
tkip_get_pn(pn, data);
|
||||||
else
|
else
|
||||||
ccmp_get_pn(pn, data);
|
ccmp_get_pn(pn, data);
|
||||||
|
@ -273,7 +302,9 @@ static void rx_data_bss_prot(struct wlantest *wt,
|
||||||
wpa_hexdump(MSG_INFO, "RSC", rsc, 6);
|
wpa_hexdump(MSG_INFO, "RSC", rsc, 6);
|
||||||
}
|
}
|
||||||
|
|
||||||
if (sta->pairwise_cipher == WPA_CIPHER_TKIP)
|
if (tk)
|
||||||
|
decrypted = ccmp_decrypt(tk, hdr, data, len, &dlen);
|
||||||
|
else if (sta->pairwise_cipher == WPA_CIPHER_TKIP)
|
||||||
decrypted = tkip_decrypt(sta->ptk.tk1, hdr, data, len, &dlen);
|
decrypted = tkip_decrypt(sta->ptk.tk1, hdr, data, len, &dlen);
|
||||||
else
|
else
|
||||||
decrypted = ccmp_decrypt(sta->ptk.tk1, hdr, data, len, &dlen);
|
decrypted = ccmp_decrypt(sta->ptk.tk1, hdr, data, len, &dlen);
|
||||||
|
@ -362,6 +393,8 @@ void rx_data(struct wlantest *wt, const u8 *data, size_t len)
|
||||||
fc & WLAN_FC_ISWEP ? " Prot" : "",
|
fc & WLAN_FC_ISWEP ? " Prot" : "",
|
||||||
MAC2STR(hdr->addr1), MAC2STR(hdr->addr2),
|
MAC2STR(hdr->addr1), MAC2STR(hdr->addr2),
|
||||||
MAC2STR(hdr->addr3));
|
MAC2STR(hdr->addr3));
|
||||||
|
rx_data_bss(wt, hdr, qos, hdr->addr1, hdr->addr2,
|
||||||
|
data + hdrlen, len - hdrlen);
|
||||||
break;
|
break;
|
||||||
case WLAN_FC_FROMDS:
|
case WLAN_FC_FROMDS:
|
||||||
wpa_printf(MSG_EXCESSIVE, "DATA %s%s%s FromDS DA=" MACSTR
|
wpa_printf(MSG_EXCESSIVE, "DATA %s%s%s FromDS DA=" MACSTR
|
||||||
|
|
352
wlantest/rx_tdls.c
Normal file
352
wlantest/rx_tdls.c
Normal file
|
@ -0,0 +1,352 @@
|
||||||
|
/*
|
||||||
|
* Received Data frame processing for TDLS packets
|
||||||
|
* Copyright (c) 2010, Jouni Malinen <j@w1.fi>
|
||||||
|
*
|
||||||
|
* This program is free software; you can redistribute it and/or modify
|
||||||
|
* it under the terms of the GNU General Public License version 2 as
|
||||||
|
* published by the Free Software Foundation.
|
||||||
|
*
|
||||||
|
* Alternatively, this software may be distributed under the terms of BSD
|
||||||
|
* license.
|
||||||
|
*
|
||||||
|
* See README and COPYING for more details.
|
||||||
|
*/
|
||||||
|
|
||||||
|
#include "utils/includes.h"
|
||||||
|
|
||||||
|
#include "utils/common.h"
|
||||||
|
#include "crypto/sha256.h"
|
||||||
|
#include "crypto/crypto.h"
|
||||||
|
#include "crypto/aes_wrap.h"
|
||||||
|
#include "common/ieee802_11_defs.h"
|
||||||
|
#include "common/ieee802_11_common.h"
|
||||||
|
#include "wlantest.h"
|
||||||
|
|
||||||
|
|
||||||
|
static struct wlantest_tdls * get_tdls(struct wlantest *wt, const u8 *linkid)
|
||||||
|
{
|
||||||
|
struct wlantest_bss *bss;
|
||||||
|
struct wlantest_sta *init, *resp;
|
||||||
|
struct wlantest_tdls *tdls;
|
||||||
|
|
||||||
|
bss = bss_find(wt, linkid);
|
||||||
|
if (bss == NULL)
|
||||||
|
return NULL;
|
||||||
|
|
||||||
|
init = sta_find(bss, linkid + ETH_ALEN);
|
||||||
|
if (init == NULL)
|
||||||
|
return NULL;
|
||||||
|
|
||||||
|
resp = sta_find(bss, linkid + 2 * ETH_ALEN);
|
||||||
|
if (resp == NULL)
|
||||||
|
return NULL;
|
||||||
|
|
||||||
|
dl_list_for_each(tdls, &bss->tdls, struct wlantest_tdls, list) {
|
||||||
|
if (tdls->init == init && tdls->resp == resp)
|
||||||
|
return tdls;
|
||||||
|
}
|
||||||
|
|
||||||
|
tdls = os_zalloc(sizeof(*tdls));
|
||||||
|
if (tdls == NULL)
|
||||||
|
return NULL;
|
||||||
|
tdls->init = init;
|
||||||
|
tdls->resp = resp;
|
||||||
|
dl_list_add(&bss->tdls, &tdls->list);
|
||||||
|
return tdls;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
static int tdls_derive_tpk(struct wlantest_tdls *tdls, const u8 *bssid,
|
||||||
|
const u8 *ftie, u8 ftie_len)
|
||||||
|
{
|
||||||
|
const struct rsn_ftie *f;
|
||||||
|
u8 key_input[SHA256_MAC_LEN];
|
||||||
|
const u8 *nonce[2];
|
||||||
|
size_t len[2];
|
||||||
|
u8 data[3 * ETH_ALEN];
|
||||||
|
|
||||||
|
if (ftie == NULL || ftie_len < sizeof(struct rsn_ftie))
|
||||||
|
return 0;
|
||||||
|
|
||||||
|
f = (const struct rsn_ftie *) ftie;
|
||||||
|
wpa_hexdump(MSG_DEBUG, "TDLS ANonce", f->anonce, WPA_NONCE_LEN);
|
||||||
|
wpa_hexdump(MSG_DEBUG, "TDLS SNonce", f->snonce, WPA_NONCE_LEN);
|
||||||
|
|
||||||
|
/*
|
||||||
|
* IEEE Std 802.11z-2010 8.5.9.1:
|
||||||
|
* TPK-Key-Input = SHA-256(min(SNonce, ANonce) || max(SNonce, ANonce))
|
||||||
|
*/
|
||||||
|
len[0] = WPA_NONCE_LEN;
|
||||||
|
len[1] = WPA_NONCE_LEN;
|
||||||
|
if (os_memcmp(f->anonce, f->snonce, WPA_NONCE_LEN) < 0) {
|
||||||
|
nonce[0] = f->anonce;
|
||||||
|
nonce[1] = f->snonce;
|
||||||
|
} else {
|
||||||
|
nonce[0] = f->snonce;
|
||||||
|
nonce[1] = f->anonce;
|
||||||
|
}
|
||||||
|
sha256_vector(2, nonce, len, key_input);
|
||||||
|
wpa_hexdump_key(MSG_DEBUG, "TDLS: TPK-Key-Input",
|
||||||
|
key_input, SHA256_MAC_LEN);
|
||||||
|
|
||||||
|
/*
|
||||||
|
* TPK-Key-Data = KDF-N_KEY(TPK-Key-Input, "TDLS PMK",
|
||||||
|
* min(MAC_I, MAC_R) || max(MAC_I, MAC_R) || BSSID || N_KEY)
|
||||||
|
* TODO: is N_KEY really included in KDF Context and if so, in which
|
||||||
|
* presentation format (little endian 16-bit?) is it used? It gets
|
||||||
|
* added by the KDF anyway..
|
||||||
|
*/
|
||||||
|
|
||||||
|
if (os_memcmp(tdls->init->addr, tdls->resp->addr, ETH_ALEN) < 0) {
|
||||||
|
os_memcpy(data, tdls->init->addr, ETH_ALEN);
|
||||||
|
os_memcpy(data + ETH_ALEN, tdls->resp->addr, ETH_ALEN);
|
||||||
|
} else {
|
||||||
|
os_memcpy(data, tdls->resp->addr, ETH_ALEN);
|
||||||
|
os_memcpy(data + ETH_ALEN, tdls->init->addr, ETH_ALEN);
|
||||||
|
}
|
||||||
|
os_memcpy(data + 2 * ETH_ALEN, bssid, ETH_ALEN);
|
||||||
|
wpa_hexdump(MSG_DEBUG, "TDLS: KDF Context", data, sizeof(data));
|
||||||
|
|
||||||
|
sha256_prf(key_input, SHA256_MAC_LEN, "TDLS PMK", data, sizeof(data),
|
||||||
|
(u8 *) &tdls->tpk, sizeof(tdls->tpk));
|
||||||
|
wpa_hexdump_key(MSG_DEBUG, "TDLS: TPK-KCK",
|
||||||
|
tdls->tpk.kck, sizeof(tdls->tpk.kck));
|
||||||
|
wpa_hexdump_key(MSG_DEBUG, "TDLS: TPK-TK",
|
||||||
|
tdls->tpk.tk, sizeof(tdls->tpk.tk));
|
||||||
|
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
static int tdls_verify_mic(struct wlantest_tdls *tdls, u8 trans_seq,
|
||||||
|
struct ieee802_11_elems *elems)
|
||||||
|
{
|
||||||
|
u8 *buf, *pos;
|
||||||
|
int len;
|
||||||
|
u8 mic[16];
|
||||||
|
int ret;
|
||||||
|
const struct rsn_ftie *rx_ftie;
|
||||||
|
struct rsn_ftie *tmp_ftie;
|
||||||
|
|
||||||
|
if (elems->link_id == NULL || elems->rsn_ie == NULL ||
|
||||||
|
elems->timeout_int == NULL || elems->ftie == NULL)
|
||||||
|
return -1;
|
||||||
|
|
||||||
|
len = 2 * ETH_ALEN + 1 + 2 + 18 + 2 + elems->rsn_ie_len +
|
||||||
|
2 + elems->timeout_int_len + 2 + elems->ftie_len;
|
||||||
|
|
||||||
|
buf = os_zalloc(len);
|
||||||
|
if (buf == NULL)
|
||||||
|
return -1;
|
||||||
|
|
||||||
|
pos = buf;
|
||||||
|
/* 1) TDLS initiator STA MAC address */
|
||||||
|
os_memcpy(pos, elems->link_id + ETH_ALEN, ETH_ALEN);
|
||||||
|
pos += ETH_ALEN;
|
||||||
|
/* 2) TDLS responder STA MAC address */
|
||||||
|
os_memcpy(pos, elems->link_id + 2 * ETH_ALEN, ETH_ALEN);
|
||||||
|
pos += ETH_ALEN;
|
||||||
|
/* 3) Transaction Sequence number */
|
||||||
|
*pos++ = trans_seq;
|
||||||
|
/* 4) Link Identifier IE */
|
||||||
|
os_memcpy(pos, elems->link_id - 2, 2 + 18);
|
||||||
|
pos += 2 + 18;
|
||||||
|
/* 5) RSN IE */
|
||||||
|
os_memcpy(pos, elems->rsn_ie - 2, 2 + elems->rsn_ie_len);
|
||||||
|
pos += 2 + elems->rsn_ie_len;
|
||||||
|
/* 6) Timeout Interval IE */
|
||||||
|
os_memcpy(pos, elems->timeout_int - 2, 2 + elems->timeout_int_len);
|
||||||
|
pos += 2 + elems->timeout_int_len;
|
||||||
|
/* 7) FTIE, with the MIC field of the FTIE set to 0 */
|
||||||
|
os_memcpy(pos, elems->ftie - 2, 2 + elems->ftie_len);
|
||||||
|
pos += 2;
|
||||||
|
tmp_ftie = (struct rsn_ftie *) pos;
|
||||||
|
os_memset(tmp_ftie->mic, 0, 16);
|
||||||
|
pos += elems->ftie_len;
|
||||||
|
|
||||||
|
wpa_hexdump(MSG_DEBUG, "TDLS: Data for FTIE MIC", buf, pos - buf);
|
||||||
|
wpa_hexdump_key(MSG_DEBUG, "TDLS: KCK", tdls->tpk.kck, 16);
|
||||||
|
ret = omac1_aes_128(tdls->tpk.kck, buf, pos - buf, mic);
|
||||||
|
os_free(buf);
|
||||||
|
if (ret)
|
||||||
|
return -1;
|
||||||
|
wpa_hexdump(MSG_DEBUG, "TDLS: FTIE MIC", mic, 16);
|
||||||
|
rx_ftie = (const struct rsn_ftie *) elems->ftie;
|
||||||
|
|
||||||
|
if (os_memcmp(mic, rx_ftie->mic, 16) == 0) {
|
||||||
|
wpa_printf(MSG_DEBUG, "TDLS: Valid MIC");
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
wpa_printf(MSG_DEBUG, "TDLS: Invalid MIC");
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
static void rx_data_tdls_setup_request(struct wlantest *wt, const u8 *bssid,
|
||||||
|
const u8 *sta_addr, const u8 *dst,
|
||||||
|
const u8 *src,
|
||||||
|
const u8 *data, size_t len)
|
||||||
|
{
|
||||||
|
struct ieee802_11_elems elems;
|
||||||
|
|
||||||
|
if (len < 3)
|
||||||
|
return;
|
||||||
|
wpa_printf(MSG_DEBUG, "TDLS Setup Request " MACSTR " -> "
|
||||||
|
MACSTR, MAC2STR(src), MAC2STR(dst));
|
||||||
|
|
||||||
|
if (ieee802_11_parse_elems(data + 3, len - 3, &elems, 1) ==
|
||||||
|
ParseFailed || elems.link_id == NULL)
|
||||||
|
return;
|
||||||
|
wpa_printf(MSG_DEBUG, "TDLS Link Identifier: BSSID " MACSTR
|
||||||
|
" initiator STA " MACSTR " responder STA " MACSTR,
|
||||||
|
MAC2STR(elems.link_id), MAC2STR(elems.link_id + ETH_ALEN),
|
||||||
|
MAC2STR(elems.link_id + 2 * ETH_ALEN));
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
static void rx_data_tdls_setup_response(struct wlantest *wt, const u8 *bssid,
|
||||||
|
const u8 *sta_addr, const u8 *dst,
|
||||||
|
const u8 *src,
|
||||||
|
const u8 *data, size_t len)
|
||||||
|
{
|
||||||
|
u16 status;
|
||||||
|
struct ieee802_11_elems elems;
|
||||||
|
struct wlantest_tdls *tdls;
|
||||||
|
|
||||||
|
if (len < 5)
|
||||||
|
return;
|
||||||
|
status = WPA_GET_LE16(data);
|
||||||
|
wpa_printf(MSG_DEBUG, "TDLS Setup Response " MACSTR " -> "
|
||||||
|
MACSTR " (status %d)",
|
||||||
|
MAC2STR(src), MAC2STR(dst), status);
|
||||||
|
if (status != WLAN_STATUS_SUCCESS)
|
||||||
|
return;
|
||||||
|
|
||||||
|
if (ieee802_11_parse_elems(data + 5, len - 5, &elems, 1) ==
|
||||||
|
ParseFailed || elems.link_id == NULL)
|
||||||
|
return;
|
||||||
|
wpa_printf(MSG_DEBUG, "TDLS Link Identifier: BSSID " MACSTR
|
||||||
|
" initiator STA " MACSTR " responder STA " MACSTR,
|
||||||
|
MAC2STR(elems.link_id), MAC2STR(elems.link_id + ETH_ALEN),
|
||||||
|
MAC2STR(elems.link_id + 2 * ETH_ALEN));
|
||||||
|
|
||||||
|
tdls = get_tdls(wt, elems.link_id);
|
||||||
|
if (!tdls)
|
||||||
|
return;
|
||||||
|
if (tdls_derive_tpk(tdls, bssid, elems.ftie, elems.ftie_len) < 1)
|
||||||
|
return;
|
||||||
|
tdls_verify_mic(tdls, 2, &elems);
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
static void rx_data_tdls_setup_confirm(struct wlantest *wt, const u8 *bssid,
|
||||||
|
const u8 *sta_addr, const u8 *dst,
|
||||||
|
const u8 *src,
|
||||||
|
const u8 *data, size_t len)
|
||||||
|
{
|
||||||
|
u16 status;
|
||||||
|
struct ieee802_11_elems elems;
|
||||||
|
struct wlantest_tdls *tdls;
|
||||||
|
|
||||||
|
if (len < 3)
|
||||||
|
return;
|
||||||
|
status = WPA_GET_LE16(data);
|
||||||
|
wpa_printf(MSG_DEBUG, "TDLS Setup Confirm " MACSTR " -> "
|
||||||
|
MACSTR " (status %d)",
|
||||||
|
MAC2STR(src), MAC2STR(dst), status);
|
||||||
|
if (status != WLAN_STATUS_SUCCESS)
|
||||||
|
return;
|
||||||
|
|
||||||
|
if (ieee802_11_parse_elems(data + 3, len - 3, &elems, 1) ==
|
||||||
|
ParseFailed || elems.link_id == NULL)
|
||||||
|
return;
|
||||||
|
wpa_printf(MSG_DEBUG, "TDLS Link Identifier: BSSID " MACSTR
|
||||||
|
" initiator STA " MACSTR " responder STA " MACSTR,
|
||||||
|
MAC2STR(elems.link_id), MAC2STR(elems.link_id + ETH_ALEN),
|
||||||
|
MAC2STR(elems.link_id + 2 * ETH_ALEN));
|
||||||
|
|
||||||
|
tdls = get_tdls(wt, elems.link_id);
|
||||||
|
if (tdls)
|
||||||
|
tdls->link_up = 1;
|
||||||
|
if (tdls_derive_tpk(tdls, bssid, elems.ftie, elems.ftie_len) < 1)
|
||||||
|
return;
|
||||||
|
tdls_verify_mic(tdls, 3, &elems);
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
static void rx_data_tdls_teardown(struct wlantest *wt, const u8 *bssid,
|
||||||
|
const u8 *sta_addr, const u8 *dst,
|
||||||
|
const u8 *src,
|
||||||
|
const u8 *data, size_t len)
|
||||||
|
{
|
||||||
|
u16 reason;
|
||||||
|
struct ieee802_11_elems elems;
|
||||||
|
struct wlantest_tdls *tdls;
|
||||||
|
|
||||||
|
if (len < 2)
|
||||||
|
return;
|
||||||
|
reason = WPA_GET_LE16(data);
|
||||||
|
wpa_printf(MSG_DEBUG, "TDLS Teardown " MACSTR " -> "
|
||||||
|
MACSTR " (reason %d)",
|
||||||
|
MAC2STR(src), MAC2STR(dst), reason);
|
||||||
|
|
||||||
|
if (ieee802_11_parse_elems(data + 2, len - 2, &elems, 1) ==
|
||||||
|
ParseFailed || elems.link_id == NULL)
|
||||||
|
return;
|
||||||
|
wpa_printf(MSG_DEBUG, "TDLS Link Identifier: BSSID " MACSTR
|
||||||
|
" initiator STA " MACSTR " responder STA " MACSTR,
|
||||||
|
MAC2STR(elems.link_id), MAC2STR(elems.link_id + ETH_ALEN),
|
||||||
|
MAC2STR(elems.link_id + 2 * ETH_ALEN));
|
||||||
|
|
||||||
|
tdls = get_tdls(wt, elems.link_id);
|
||||||
|
if (tdls)
|
||||||
|
tdls->link_up = 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
static void rx_data_tdls(struct wlantest *wt, const u8 *bssid,
|
||||||
|
const u8 *sta_addr, const u8 *dst, const u8 *src,
|
||||||
|
const u8 *data, size_t len)
|
||||||
|
{
|
||||||
|
/* data contains the payload of a TDLS Action frame */
|
||||||
|
if (len < 2 || data[0] != WLAN_ACTION_TDLS) {
|
||||||
|
wpa_hexdump(MSG_DEBUG, "Unrecognized encapsulated TDLS frame",
|
||||||
|
data, len);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
switch (data[1]) {
|
||||||
|
case WLAN_TDLS_SETUP_REQUEST:
|
||||||
|
rx_data_tdls_setup_request(wt, bssid, sta_addr, dst, src,
|
||||||
|
data + 2, len - 2);
|
||||||
|
break;
|
||||||
|
case WLAN_TDLS_SETUP_RESPONSE:
|
||||||
|
rx_data_tdls_setup_response(wt, bssid, sta_addr, dst, src,
|
||||||
|
data + 2, len - 2);
|
||||||
|
break;
|
||||||
|
case WLAN_TDLS_SETUP_CONFIRM:
|
||||||
|
rx_data_tdls_setup_confirm(wt, bssid, sta_addr, dst, src,
|
||||||
|
data + 2, len - 2);
|
||||||
|
break;
|
||||||
|
case WLAN_TDLS_TEARDOWN:
|
||||||
|
rx_data_tdls_teardown(wt, bssid, sta_addr, dst, src, data + 2,
|
||||||
|
len - 2);
|
||||||
|
break;
|
||||||
|
case WLAN_TDLS_DISCOVERY_REQUEST:
|
||||||
|
wpa_printf(MSG_DEBUG, "TDLS Discovery Request " MACSTR " -> "
|
||||||
|
MACSTR, MAC2STR(src), MAC2STR(dst));
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
void rx_data_80211_encap(struct wlantest *wt, const u8 *bssid,
|
||||||
|
const u8 *sta_addr, const u8 *dst, const u8 *src,
|
||||||
|
const u8 *data, size_t len)
|
||||||
|
{
|
||||||
|
wpa_hexdump(MSG_EXCESSIVE, "802.11 data encap frame", data, len);
|
||||||
|
if (len < 1)
|
||||||
|
return;
|
||||||
|
if (data[0] == 0x02)
|
||||||
|
rx_data_tdls(wt, bssid, sta_addr, dst, src, data + 1, len - 1);
|
||||||
|
}
|
|
@ -84,6 +84,19 @@ struct wlantest_sta {
|
||||||
le16 seq_ctrl_to_ap[17];
|
le16 seq_ctrl_to_ap[17];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
struct wlantest_tdls {
|
||||||
|
struct dl_list list;
|
||||||
|
struct wlantest_sta *init;
|
||||||
|
struct wlantest_sta *resp;
|
||||||
|
struct tpk {
|
||||||
|
u8 kck[16];
|
||||||
|
u8 tk[16];
|
||||||
|
} tpk;
|
||||||
|
int link_up;
|
||||||
|
u8 rsc_init[16 + 1][6];
|
||||||
|
u8 rsc_resp[16 + 1][6];
|
||||||
|
};
|
||||||
|
|
||||||
struct wlantest_bss {
|
struct wlantest_bss {
|
||||||
struct dl_list list;
|
struct dl_list list;
|
||||||
u8 bssid[ETH_ALEN];
|
u8 bssid[ETH_ALEN];
|
||||||
|
@ -111,6 +124,7 @@ struct wlantest_bss {
|
||||||
int igtk_idx;
|
int igtk_idx;
|
||||||
u8 ipn[6][6];
|
u8 ipn[6][6];
|
||||||
u32 counters[NUM_WLANTEST_BSS_COUNTER];
|
u32 counters[NUM_WLANTEST_BSS_COUNTER];
|
||||||
|
struct dl_list tdls; /* struct wlantest_tdls */
|
||||||
};
|
};
|
||||||
|
|
||||||
struct wlantest_radius {
|
struct wlantest_radius {
|
||||||
|
@ -167,6 +181,9 @@ void rx_data_eapol(struct wlantest *wt, const u8 *dst, const u8 *src,
|
||||||
const u8 *data, size_t len, int prot);
|
const u8 *data, size_t len, int prot);
|
||||||
void rx_data_ip(struct wlantest *wt, const u8 *bssid, const u8 *sta_addr,
|
void rx_data_ip(struct wlantest *wt, const u8 *bssid, const u8 *sta_addr,
|
||||||
const u8 *dst, const u8 *src, const u8 *data, size_t len);
|
const u8 *dst, const u8 *src, const u8 *data, size_t len);
|
||||||
|
void rx_data_80211_encap(struct wlantest *wt, const u8 *bssid,
|
||||||
|
const u8 *sta_addr, const u8 *dst, const u8 *src,
|
||||||
|
const u8 *data, size_t len);
|
||||||
|
|
||||||
struct wlantest_bss * bss_find(struct wlantest *wt, const u8 *bssid);
|
struct wlantest_bss * bss_find(struct wlantest *wt, const u8 *bssid);
|
||||||
struct wlantest_bss * bss_get(struct wlantest *wt, const u8 *bssid);
|
struct wlantest_bss * bss_get(struct wlantest *wt, const u8 *bssid);
|
||||||
|
|
Loading…
Reference in a new issue