Commit graph

289 commits

Author SHA1 Message Date
Jouni Malinen
fb448ee2b2 wlantest: Learn MLD MAC address from EAPOL-Key msg 1/4 and 2/4
IEEE P802.11be indicates the MLD MAC addresses, i.e., the Authenticator
and Supplicant addresses, in the MAC Address KDE in EAPOL-Key msg 1/4
and 2/4. Learn those addresses so that wlantest can be extended to
support MLO.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-09-05 21:08:24 +03:00
Jouni Malinen
ce7bdb54e5 wlantest: Extend Management frame decryption to support GCMP and CCMP-256
Data frame processing had already been extended to support additional
cipher suites, but Robust Management frame processing was still using a
hardcoded cipher suite (CCMP-128). Extend it to support GCMP-128,
GCMP-256, and CCMP-256 as well.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-08-29 21:46:09 +03:00
Jouni Malinen
cc046a1ff8 wlantest: Extend protected Data frame checks for GCMP and CCMP-256
The same rules that apply to CCMP-128 apply also for GCMP-128, CCMP-256,
and GCMP-256 here.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-08-29 21:31:52 +03:00
Gokul Sivakumar
a9ec233624 wlantest: Add the missing command line option -W to the usage text
Signed-off-by: Gokul Sivakumar <gokulkumar792@gmail.com>
2021-12-11 21:54:39 +02:00
Gokul Sivakumar
2ac53e48d5 wlantest: Delete each entry from the WEP list before freeing the entry
To be consistent with how all the other dl lists like passphrase, PMK,
and PTK lists are freed, delete each entry from the WEP list before
freeing the entry.

Signed-off-by: Gokul Sivakumar <gokulkumar792@gmail.com>
2021-12-11 21:53:40 +02:00
Gokul Sivakumar
d9d0b94e3b wlantest: Replace the duplicate functions with reuse of cli.h
The definitions of max_args, get_cmd_arg_num(), and tokenize_cmd() are
already shared by the hostapd_cli and wpa_cli commands by including the
cli.h header. So follow the same for wlantest_cli and remove the
duplicate function defitions.

Signed-off-by: Gokul Sivakumar <gokulkumar792@gmail.com>
2021-12-11 21:50:41 +02:00
Gokul Sivakumar
daea5ceada wlantest: Add new cli "help" command
Having a help cli command to view all the supported commands is helpful
when running the wlantest_cli manually instead via the python test
scripts.

$ wlantest_cli help
commands:
  ping = test connection to wlantest
  terminate = terminate wlantest
  list_bss = get BSS list
  list_sta <BSSID> = get STA list
  flush = drop all collected BSS data
  clear_sta_counters <BSSID> <STA> = clear STA counters
  clear_bss_counters <BSSID> = clear BSS counters
  get_sta_counter <counter> <BSSID> <STA> = get STA counter value
  get_bss_counter <counter> <BSSID> = get BSS counter value
  inject <frame> <prot> <sender> <BSSID> <STA/ff:ff:ff:ff:ff:ff>
  send <prot> <raw frame as hex dump>
  version = get wlantest version
  add_passphrase <passphrase> = add a known passphrase
  add_wepkey <WEP key> = add a known WEP key
  info_sta <field> <BSSID> <STA> = get STA information
  info_bss <field> <BSSID> = get BSS information
  clear_tdls_counters <BSSID> <STA1> <STA2> = clear TDLS counters
  get_tdls_counter <counter> <BSSID> <STA1> <STA2> = get TDLS counter value
  get_bss_counter <counter> <BSSID> = get BSS counter value
  relog = re-open log-file (allow rolling logs)
  get_tx_tid <BSSID> <STA> <TID> = get STA TX TID counter value
  get_rx_tid <BSSID> <STA> <TID> = get STA RX TID counter value
  help = show this usage help

$ wlantest_cli help add_passphrase
commands:
  add_passphrase <passphrase> = add a known passphrase

Signed-off-by: Gokul Sivakumar <gokulkumar792@gmail.com>
2021-12-11 21:44:21 +02:00
Gokul Sivakumar
30cf0d107f wlantest: Properly free allocated memory on error exit paths
In the cases when a failure is experienced, the value "-1" was returned
from the main() function without doing any cleanup or deinit.

For example, if wlantest was started with the following set of command
line arguments then later when returning after a failure from main()
function, the memory allocated as part of handling the "-p" getopt
command line option was not freed. To fix memory leaks in this case,
properly free the previously allocated memory with the help of
wlantest_deinit() before returning from main().

$ sudo valgrind --leak-check=full --show-leak-kinds=all --verbose \
> --track-origins=yes --log-file=valgrind-out.txt \
> ./wlantest -i hwsim0 -dd -c -p "asdfasdfasdfasdf" -W "abcd"
Invalid WEP key 'abcd'

Memory leak reported by Valgrind when running wlantest as mentioned above.

==513454== HEAP SUMMARY:
==513454==     in use at exit: 128 bytes in 1 blocks
==513454==   total heap usage: 4 allocs, 3 frees, 5,720 bytes allocated
==513454==
==513454== Searching for pointers to 1 not-freed blocks
==513454== Checked 76,936 bytes
==513454==
==513454== 128 bytes in 1 blocks are definitely lost in loss record 1 of 1
==513454==    at 0x483DD99: calloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==513454==    by 0x1396CA: os_zalloc (in /home/ubuntu/hostap/wlantest/wlantest)
==513454==    by 0x10C345: add_passphrase (wlantest.c:125)
==513454==    by 0x10C345: main (wlantest.c:425)
==513454==
==513454== LEAK SUMMARY:
==513454==    definitely lost: 128 bytes in 1 blocks
==513454==    indirectly lost: 0 bytes in 0 blocks
==513454==      possibly lost: 0 bytes in 0 blocks
==513454==    still reachable: 0 bytes in 0 blocks
==513454==         suppressed: 0 bytes in 0 blocks
==513454==
==513454== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)

Signed-off-by: Gokul Sivakumar <gokulkumar792@gmail.com>
2021-12-11 21:37:06 +02:00
Jouni Malinen
22828b6dba wlantest: Fix PMK length and passphrase-based key derivation for FT
The change to support variable length PMK in wlantest missed couple of
places where the PMK length did not get used or set properly. In
particular, this ended up breaking FT key derivation for the case where
a passphrase was used to derive a potential per-BSS PMK. Fix this by
setting and using the PMK length properly.

Fixes: 6c29d95a90 ("wlantest: Support variable length PMK")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-10-14 16:28:02 +03:00
Arowa Suliman
7b365376fd Replace "dummy" with "stub" in wlantest injection
Replace the word "dummy" with the inclusive word "stub".

Signed-off-by: Arowa Suliman <arowa@chromium.org>
2021-10-11 20:53:11 +03:00
Arowa Suliman
ed5e1b7223 Replace "dummy" with "stub" in comments/documentation
Replace the word "dummy" with the inclusive word "stub".

Signed-off-by: Arowa Suliman <arowa@chromium.org>
2021-10-11 20:52:50 +03:00
Jouni Malinen
ced15c8ba8 wlantest: TKIP frame reassembly for Michael MIC check in fragmented case
Reassemble the full MSDU when processing TKIP protected fragmented
frames so that the Michael MIC can be validated once the last fragment
has been received.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-05-11 21:13:56 +03:00
Jouni Malinen
3332657d69 wlantest: Report decrypted TKIP frames even if cannot check Michael MIC
This can be useful for debugging, so return successfully decrypted TKIP
frame even if the Michael MIC cannot be verified (fragment reassembly
not yet supported) or if the Michael MIC value is incorrect. Add a note
in the frame to point out that the Michael MIC was not verified or is
incorrect.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-05-11 21:13:56 +03:00
Jouni Malinen
73f65cc6c4 wlantest: Support HT Control field in QoS Data frames
Extend Data frame processing (and decryption) to handle +HTC frames by
skipping the HT Control field at the end of the frame header. While this
is not an exact match of the rules in IEEE Std 802.11-2020 for when the
HT Control field is present in frames (e.g., no check of the TXVECTOR
value), this is good enough to cover the most likely used cases.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-05-06 23:32:54 +03:00
Jouni Malinen
2950851ace Rename the Frame Control field subfield Order define to +HTC
This moves the implementation closer to the current IEEE 802.11 standard
since B15 of Frame Control field was renamed to +HTC to match it newer
uses.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-05-06 12:12:51 +03:00
Jouni Malinen
e90ededb4b wlantest: Skip Mesh Control field from the beginning of payload
This allows correct processing of Data frames with Mesh Control field by
finding the LLC/SNAP header after that field.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-03-09 20:20:24 +02:00
Jouni Malinen
503901e72d wlantest: Check all configured TKs if no matching GTK is known
This allows group-addressed frames to be decrypted by listing all
possible GTKs in the PTK file.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-03-09 17:29:48 +02:00
Jouni Malinen
32360ad498 wlantest: Fix broadcast EAPOL-Key frame handling
This resulted in an attempt to dereference a NULL pointer since sta_addr
is not known in this type of a case.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-02-27 20:27:06 +02:00
Brian Norris
1e537a2756 wlantest: Avoid unaligned iphdr pointers
Buffers passed to rx_data_ip() may not be naturally-aligned, and so we
get unpredictable behavior when we cast that to an IP header. In
particular, this code may crash on ARM.

Signed-off-by: Brian Norris <briannorris@chromium.org>
2021-02-13 23:07:34 +02:00
Jouni Malinen
6a12acbb78 wlantest: Add new key_mgmt and rsn_capab values for BSS/STA debug prints
Signed-off-by: Jouni Malinen <j@w1.fi>
2021-02-07 13:57:03 +02:00
Jouni Malinen
136bbf15c3 wlantest: Add more details about protected FTM frames
Signed-off-by: Jouni Malinen <j@w1.fi>
2021-02-07 13:11:34 +02:00
Jouni Malinen
b9fd8191a5 wlantest: Recognize the FTM bit in the CCMP Key ID octet
This previously reserved bit is now used in FTM to help select the
appropriate replay counter. Silence the warning about use of a reserved
bit for this. wlantest does not yet support the actual replay counter
processing for FTM.

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-02-07 12:30:03 +02:00
Jouni Malinen
f56eec7c1a wlantest: Process Action No Ack frames like Action frames
Signed-off-by: Jouni Malinen <j@w1.fi>
2021-02-07 12:00:12 +02:00
Jouni Malinen
56a04ae1a1 wlantest: Support TK list for Management frame decryption
Use the TKs from the PTK file (-T command line argument) to try to
decrypt encrypted Management frames if no BSS/STA key can be found based
on addresses.

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-02-07 11:37:58 +02:00
Ilan Peer
d87f4aea11 FILS: Extend the fils_pmk_to_ptk() function to also derive KDK
Extend the fils_pmk_to_ptk() to also derive Key Derivation
Key (KDK) which can later be used for secure LTF measurements.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2021-01-25 18:36:40 +02:00
Ilan Peer
6e834db74e FT: Extend the wpa_pmk_r1_to_ptk() function to also derive KDK
Extend the wpa_pmk_r1_to_ptk() to also derive Key Derivation
Key (KDK), which can later be used for secure LTF measurements.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2021-01-25 18:36:40 +02:00
Ilan Peer
46c232eb76 WPA: Extend the wpa_pmk_to_ptk() function to also derive KDK
Extend the wpa_pmk_to_ptk() to also derive Key Derivation
Key (KDK), which can later be used for secure LTF measurements.

Update the wpa_supplicant and hostapd configuration and the
corresponding WPA and WPA Auth state machine, to allow enabling of KDK
derivation. For now, use a testing parameter to control whether KDK is
derived.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2021-01-25 18:36:40 +02:00
Ilan Peer
8d4dce244d wlantest: Include PASN into build
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2021-01-25 18:35:50 +02:00
Thomas Pedersen
be96f4e8d2 wlantest: Allow missing RSNE in S1G beacon
S1G beacons save a few bytes by not requiring the RSNE in beacon if RSN
BSS is configured. Handle this in wlantest by only clearing RSNE from
the BSS info if frame is a Probe Response frame.

Signed-off-by: Thomas Pedersen <thomas@adapt-ip.com>
2020-12-04 12:01:54 +02:00
Johannes Berg
283eee8eed gitignore: Clean up a bit
Now that we no longer leave build artifacts outside the build folder, we
can clean up the gitignore a bit. Also move more things to per-folder
files that we mostly had already anyway.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2020-10-11 19:32:50 +03:00
Johannes Berg
87098d3324 build: Put archive files into build/ folder too
This is something I hadn't previously done, but there are
cases where it's needed, e.g., building 'wlantest' and then
one of the tests/fuzzing/*/ projects, they use a different
configuration (fuzzing vs. not fuzzing).

Perhaps more importantly, this gets rid of the last thing
that was dumped into the source directories, apart from
the binaries themselves.

Note that due to the use of thin archives, this required
building with absolute paths.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2020-10-11 11:16:00 +03:00
Johannes Berg
722138cd25 build: Put object files into build/ folder
Instead of building in the source tree, put most object
files into the build/ folder at the root, and put each
thing that's being built into a separate folder.

This then allows us to build hostapd and wpa_supplicant
(or other combinations) without "make clean" inbetween.

For the tests keep the objects in place for now (and to
do that, add the build rule) so that we don't have to
rewrite all of that with $(call BUILDOBJS,...) which is
just noise there.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2020-10-10 12:51:39 +03:00
Johannes Berg
0430bc8267 build: Add a common-clean target
Clean up in a more common fashion as well, initially for ../src/.

Also add $(Q) to the clean target in src/

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2020-10-10 12:48:41 +03:00
Johannes Berg
a41a29192e build: Pull common fragments into a build.rules file
Some things are used by most of the binaries, pull them
into a common rule fragment that we can use properly.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2020-10-10 12:47:29 +03:00
Jouni Malinen
0482414743 wlantest: Fix EAPOL-Key Key Data padding removal
The case where a single 0xdd octet without any 0x00 octets is used as
padding was addressed incorrectly and that ended up truncating one octet
of the actual plaintext version of the Key Data value. Fix this by
removing the unnecessary change to the p pointer before calculating the
new length since p is already pointing to one past the last octet of the
full plaintext.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-09-30 00:19:53 +03:00
Brian Norris
22c06de911 wlantest: Avoid heap-overflow on unexpected data
We're doing a sort of bounds check, based on the previous loop, but only
after we've already tried to read off the end.

This squashes some ASAN errors I'm seeing when running the ap_ft hwsim
test module.

Signed-off-by: Brian Norris <briannorris@chromium.org>
2020-08-22 12:45:09 +03:00
Jouni Malinen
6e47dd04ff wlantest: Fix RSNE check in FT 4-way handshake msg 3/4
Signed-off-by: Jouni Malinen <j@w1.fi>
2020-05-25 13:42:08 +03:00
Jouni Malinen
b6a3bcffd7 wlantest: Validate FT elements in Reassociation Response frame
Verify that RSNE, MDE, and FTE have valid information in FT
Reassociation Response frames. In addition, decrypt GTK, IGTK, and BIGTK
from the frame.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-05-24 00:35:56 +03:00
Jouni Malinen
e10144c910 wlantest: Validate FT elements in Reassociation Request frame
Verify that RSNE, MDE, and FTE have valid information in FT
Reassociation Request frames.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-05-24 00:35:53 +03:00
Jouni Malinen
59d9994ac7 wlantest: Store PMK-R1 in STA entry
Signed-off-by: Jouni Malinen <j@w1.fi>
2020-05-23 22:01:12 +03:00
Jouni Malinen
bfc4569f89 wlantest: Store PMK-R0 length explicitly
PMK-R0 is not of fixed length, so store its length explicitly.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-05-23 21:45:20 +03:00
Jouni Malinen
7cd17a4b5e wlantest: Handle FT over-the-DS association state update cleanly
It is expected for the STA entry on the target AP to move directly from
State 1 to State 3 when performing FT over-the-DS (i.e., FT Action
Request/Response frame exchange through the old AP followed by
Reassociation Request/Response frame exchange with the target AP).

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-05-23 21:11:33 +03:00
Jouni Malinen
d73bbae492 wlantest: Do not include rt library for OS X builds
That is not needed or available by default, so simply drop it from the
build.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-04-05 18:53:59 +03:00
Jouni Malinen
d4c3964117 wlantest: Link without libwlantest
The ar operations with embedded libraries were not exactly portable
or strictly speaking necessary. Drop that library completely to make
this more portable.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-04-05 18:53:59 +03:00
Jouni Malinen
c25dc978a6 wlantest: Comment out Linux packet socket from OS X build
For now, allow wlantest to be built on OS X without support for
live sniffer capturing.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-04-05 18:53:59 +03:00
Jouni Malinen
e13f836dde wlantest: Comment out ICMP processing from OS X builds
For now, allow this to be compiled without ICMP support.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-04-05 18:53:59 +03:00
Jouni Malinen
e9db8b59c9 wlantest: Use BSD compatible UDP header struct
Signed-off-by: Jouni Malinen <j@w1.fi>
2020-04-05 18:53:59 +03:00
Jouni Malinen
116bbf7953 wlantest: Add frame number fo replay detected messages
This makes it easier to find the relevant frames.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-04-04 00:06:59 +03:00
Jouni Malinen
c8a3565947 wlantest: Remove duplicate PN/RSC prints from replay cases
The PN and RSC are already printed in the "replay detected" debug
message so there is no point in having separate hexdumps of the same
values immediately after that.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-04-04 00:04:32 +03:00
Jouni Malinen
3e537313e8 wlantest: Add debug print with frame number for decryption failures
This makes it more convenient to find the frames that could not be
decrypted.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-04-04 00:00:17 +03:00