rx_eapol.c 30 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059
  1. /*
  2. * Received Data frame processing for EAPOL messages
  3. * Copyright (c) 2010, Jouni Malinen <j@w1.fi>
  4. *
  5. * This software may be distributed under the terms of the BSD license.
  6. * See README for more details.
  7. */
  8. #include "utils/includes.h"
  9. #include "utils/common.h"
  10. #include "crypto/aes_wrap.h"
  11. #include "crypto/crypto.h"
  12. #include "common/defs.h"
  13. #include "common/ieee802_11_defs.h"
  14. #include "common/ieee802_11_common.h"
  15. #include "common/eapol_common.h"
  16. #include "common/wpa_common.h"
  17. #include "rsn_supp/wpa_ie.h"
  18. #include "wlantest.h"
  19. static int is_zero(const u8 *buf, size_t len)
  20. {
  21. size_t i;
  22. for (i = 0; i < len; i++) {
  23. if (buf[i])
  24. return 0;
  25. }
  26. return 1;
  27. }
  28. static int check_mic(const u8 *kck, int ver, const u8 *data, size_t len)
  29. {
  30. u8 *buf;
  31. int ret = -1;
  32. struct ieee802_1x_hdr *hdr;
  33. struct wpa_eapol_key *key;
  34. u8 rx_mic[16];
  35. buf = os_malloc(len);
  36. if (buf == NULL)
  37. return -1;
  38. os_memcpy(buf, data, len);
  39. hdr = (struct ieee802_1x_hdr *) buf;
  40. key = (struct wpa_eapol_key *) (hdr + 1);
  41. os_memcpy(rx_mic, key->key_mic, 16);
  42. os_memset(key->key_mic, 0, 16);
  43. if (wpa_eapol_key_mic(kck, ver, buf, len, key->key_mic) == 0 &&
  44. os_memcmp(rx_mic, key->key_mic, 16) == 0)
  45. ret = 0;
  46. os_free(buf);
  47. return ret;
  48. }
  49. static void rx_data_eapol_key_1_of_4(struct wlantest *wt, const u8 *dst,
  50. const u8 *src, const u8 *data, size_t len)
  51. {
  52. struct wlantest_bss *bss;
  53. struct wlantest_sta *sta;
  54. const struct ieee802_1x_hdr *eapol;
  55. const struct wpa_eapol_key *hdr;
  56. wpa_printf(MSG_DEBUG, "EAPOL-Key 1/4 " MACSTR " -> " MACSTR,
  57. MAC2STR(src), MAC2STR(dst));
  58. bss = bss_get(wt, src);
  59. if (bss == NULL)
  60. return;
  61. sta = sta_get(bss, dst);
  62. if (sta == NULL)
  63. return;
  64. eapol = (const struct ieee802_1x_hdr *) data;
  65. hdr = (const struct wpa_eapol_key *) (eapol + 1);
  66. if (is_zero(hdr->key_nonce, WPA_NONCE_LEN)) {
  67. wpa_printf(MSG_INFO, "EAPOL-Key 1/4 from " MACSTR " used "
  68. "zero nonce", MAC2STR(src));
  69. }
  70. if (!is_zero(hdr->key_rsc, 8)) {
  71. wpa_printf(MSG_INFO, "EAPOL-Key 1/4 from " MACSTR " used "
  72. "non-zero Key RSC", MAC2STR(src));
  73. }
  74. os_memcpy(sta->anonce, hdr->key_nonce, WPA_NONCE_LEN);
  75. }
  76. static int try_pmk(struct wlantest_bss *bss, struct wlantest_sta *sta,
  77. u16 ver, const u8 *data, size_t len,
  78. struct wlantest_pmk *pmk)
  79. {
  80. struct wpa_ptk ptk;
  81. size_t ptk_len = sta->pairwise_cipher == WPA_CIPHER_TKIP ? 64 : 48;
  82. wpa_pmk_to_ptk(pmk->pmk, sizeof(pmk->pmk),
  83. "Pairwise key expansion",
  84. bss->bssid, sta->addr, sta->anonce, sta->snonce,
  85. (u8 *) &ptk, ptk_len,
  86. wpa_key_mgmt_sha256(sta->key_mgmt));
  87. if (check_mic(ptk.kck, ver, data, len) < 0)
  88. return -1;
  89. wpa_printf(MSG_INFO, "Derived PTK for STA " MACSTR " BSSID " MACSTR,
  90. MAC2STR(sta->addr), MAC2STR(bss->bssid));
  91. sta->counters[WLANTEST_STA_COUNTER_PTK_LEARNED]++;
  92. if (sta->ptk_set) {
  93. /*
  94. * Rekeying - use new PTK for EAPOL-Key frames, but continue
  95. * using the old PTK for frame decryption.
  96. */
  97. os_memcpy(&sta->tptk, &ptk, sizeof(ptk));
  98. wpa_hexdump(MSG_DEBUG, "TPTK:KCK", sta->tptk.kck, 16);
  99. wpa_hexdump(MSG_DEBUG, "TPTK:KEK", sta->tptk.kek, 16);
  100. wpa_hexdump(MSG_DEBUG, "TPTK:TK1", sta->tptk.tk1, 16);
  101. if (ptk_len > 48)
  102. wpa_hexdump(MSG_DEBUG, "TPTK:TK2", sta->tptk.u.tk2,
  103. 16);
  104. sta->tptk_set = 1;
  105. return 0;
  106. }
  107. os_memcpy(&sta->ptk, &ptk, sizeof(ptk));
  108. wpa_hexdump(MSG_DEBUG, "PTK:KCK", sta->ptk.kck, 16);
  109. wpa_hexdump(MSG_DEBUG, "PTK:KEK", sta->ptk.kek, 16);
  110. wpa_hexdump(MSG_DEBUG, "PTK:TK1", sta->ptk.tk1, 16);
  111. if (ptk_len > 48)
  112. wpa_hexdump(MSG_DEBUG, "PTK:TK2", sta->ptk.u.tk2, 16);
  113. sta->ptk_set = 1;
  114. os_memset(sta->rsc_tods, 0, sizeof(sta->rsc_tods));
  115. os_memset(sta->rsc_fromds, 0, sizeof(sta->rsc_fromds));
  116. return 0;
  117. }
  118. static void derive_ptk(struct wlantest *wt, struct wlantest_bss *bss,
  119. struct wlantest_sta *sta, u16 ver,
  120. const u8 *data, size_t len)
  121. {
  122. struct wlantest_pmk *pmk;
  123. wpa_printf(MSG_DEBUG, "Trying to derive PTK for " MACSTR,
  124. MAC2STR(sta->addr));
  125. dl_list_for_each(pmk, &bss->pmk, struct wlantest_pmk, list) {
  126. wpa_printf(MSG_DEBUG, "Try per-BSS PMK");
  127. if (try_pmk(bss, sta, ver, data, len, pmk) == 0)
  128. return;
  129. }
  130. dl_list_for_each(pmk, &wt->pmk, struct wlantest_pmk, list) {
  131. wpa_printf(MSG_DEBUG, "Try global PMK");
  132. if (try_pmk(bss, sta, ver, data, len, pmk) == 0)
  133. return;
  134. }
  135. wpa_printf(MSG_DEBUG, "No matching PMK found to derive PTK");
  136. }
  137. static void rx_data_eapol_key_2_of_4(struct wlantest *wt, const u8 *dst,
  138. const u8 *src, const u8 *data, size_t len)
  139. {
  140. struct wlantest_bss *bss;
  141. struct wlantest_sta *sta;
  142. const struct ieee802_1x_hdr *eapol;
  143. const struct wpa_eapol_key *hdr;
  144. const u8 *key_data, *kck;
  145. u16 key_info, key_data_len;
  146. struct wpa_eapol_ie_parse ie;
  147. wpa_printf(MSG_DEBUG, "EAPOL-Key 2/4 " MACSTR " -> " MACSTR,
  148. MAC2STR(src), MAC2STR(dst));
  149. bss = bss_get(wt, dst);
  150. if (bss == NULL)
  151. return;
  152. sta = sta_get(bss, src);
  153. if (sta == NULL)
  154. return;
  155. eapol = (const struct ieee802_1x_hdr *) data;
  156. hdr = (const struct wpa_eapol_key *) (eapol + 1);
  157. if (is_zero(hdr->key_nonce, WPA_NONCE_LEN)) {
  158. wpa_printf(MSG_INFO, "EAPOL-Key 2/4 from " MACSTR " used "
  159. "zero nonce", MAC2STR(src));
  160. }
  161. if (!is_zero(hdr->key_rsc, 8)) {
  162. wpa_printf(MSG_INFO, "EAPOL-Key 2/4 from " MACSTR " used "
  163. "non-zero Key RSC", MAC2STR(src));
  164. }
  165. os_memcpy(sta->snonce, hdr->key_nonce, WPA_NONCE_LEN);
  166. key_info = WPA_GET_BE16(hdr->key_info);
  167. key_data_len = WPA_GET_BE16(hdr->key_data_length);
  168. derive_ptk(wt, bss, sta, key_info & WPA_KEY_INFO_TYPE_MASK, data, len);
  169. if (!sta->ptk_set && !sta->tptk_set) {
  170. wpa_printf(MSG_DEBUG, "No PTK known to process EAPOL-Key 2/4");
  171. return;
  172. }
  173. kck = sta->ptk.kck;
  174. if (sta->tptk_set) {
  175. wpa_printf(MSG_DEBUG, "Use TPTK for validation EAPOL-Key MIC");
  176. kck = sta->tptk.kck;
  177. }
  178. if (check_mic(kck, key_info & WPA_KEY_INFO_TYPE_MASK, data, len) < 0) {
  179. wpa_printf(MSG_INFO, "Mismatch in EAPOL-Key 2/4 MIC");
  180. return;
  181. }
  182. wpa_printf(MSG_DEBUG, "Valid MIC found in EAPOL-Key 2/4");
  183. key_data = (const u8 *) (hdr + 1);
  184. if (wpa_supplicant_parse_ies(key_data, key_data_len, &ie) < 0) {
  185. wpa_printf(MSG_INFO, "Failed to parse EAPOL-Key Key Data");
  186. return;
  187. }
  188. if (ie.wpa_ie) {
  189. wpa_hexdump(MSG_MSGDUMP, "EAPOL-Key Key Data - WPA IE",
  190. ie.wpa_ie, ie.wpa_ie_len);
  191. if (os_memcmp(ie.wpa_ie, sta->rsnie, ie.wpa_ie_len) != 0) {
  192. struct ieee802_11_elems elems;
  193. wpa_printf(MSG_INFO, "Mismatch in WPA IE between "
  194. "EAPOL-Key 2/4 and (Re)Association "
  195. "Request from " MACSTR, MAC2STR(sta->addr));
  196. wpa_hexdump(MSG_INFO, "WPA IE in EAPOL-Key",
  197. ie.wpa_ie, ie.wpa_ie_len);
  198. wpa_hexdump(MSG_INFO, "WPA IE in (Re)Association "
  199. "Request",
  200. sta->rsnie,
  201. sta->rsnie[0] ? 2 + sta->rsnie[1] : 0);
  202. /*
  203. * The sniffer may have missed (Re)Association
  204. * Request, so try to survive with the information from
  205. * EAPOL-Key.
  206. */
  207. os_memset(&elems, 0, sizeof(elems));
  208. elems.wpa_ie = ie.wpa_ie + 2;
  209. elems.wpa_ie_len = ie.wpa_ie_len - 2;
  210. wpa_printf(MSG_DEBUG, "Update STA data based on WPA "
  211. "IE in EAPOL-Key 2/4");
  212. sta_update_assoc(sta, &elems);
  213. }
  214. }
  215. if (ie.rsn_ie) {
  216. wpa_hexdump(MSG_MSGDUMP, "EAPOL-Key Key Data - RSN IE",
  217. ie.rsn_ie, ie.rsn_ie_len);
  218. if (os_memcmp(ie.rsn_ie, sta->rsnie, ie.rsn_ie_len) != 0) {
  219. struct ieee802_11_elems elems;
  220. wpa_printf(MSG_INFO, "Mismatch in RSN IE between "
  221. "EAPOL-Key 2/4 and (Re)Association "
  222. "Request from " MACSTR, MAC2STR(sta->addr));
  223. wpa_hexdump(MSG_INFO, "RSN IE in EAPOL-Key",
  224. ie.rsn_ie, ie.rsn_ie_len);
  225. wpa_hexdump(MSG_INFO, "RSN IE in (Re)Association "
  226. "Request",
  227. sta->rsnie,
  228. sta->rsnie[0] ? 2 + sta->rsnie[1] : 0);
  229. /*
  230. * The sniffer may have missed (Re)Association
  231. * Request, so try to survive with the information from
  232. * EAPOL-Key.
  233. */
  234. os_memset(&elems, 0, sizeof(elems));
  235. elems.rsn_ie = ie.rsn_ie + 2;
  236. elems.rsn_ie_len = ie.rsn_ie_len - 2;
  237. wpa_printf(MSG_DEBUG, "Update STA data based on RSN "
  238. "IE in EAPOL-Key 2/4");
  239. sta_update_assoc(sta, &elems);
  240. }
  241. }
  242. }
  243. static u8 * decrypt_eapol_key_data_rc4(const u8 *kek,
  244. const struct wpa_eapol_key *hdr,
  245. size_t *len)
  246. {
  247. u8 ek[32], *buf;
  248. u16 keydatalen = WPA_GET_BE16(hdr->key_data_length);
  249. buf = os_malloc(keydatalen);
  250. if (buf == NULL)
  251. return NULL;
  252. os_memcpy(ek, hdr->key_iv, 16);
  253. os_memcpy(ek + 16, kek, 16);
  254. os_memcpy(buf, hdr + 1, keydatalen);
  255. if (rc4_skip(ek, 32, 256, buf, keydatalen)) {
  256. wpa_printf(MSG_INFO, "RC4 failed");
  257. os_free(buf);
  258. return NULL;
  259. }
  260. *len = keydatalen;
  261. return buf;
  262. }
  263. static u8 * decrypt_eapol_key_data_aes(const u8 *kek,
  264. const struct wpa_eapol_key *hdr,
  265. size_t *len)
  266. {
  267. u8 *buf;
  268. u16 keydatalen = WPA_GET_BE16(hdr->key_data_length);
  269. if (keydatalen % 8) {
  270. wpa_printf(MSG_INFO, "Unsupported AES-WRAP len %d",
  271. keydatalen);
  272. return NULL;
  273. }
  274. keydatalen -= 8; /* AES-WRAP adds 8 bytes */
  275. buf = os_malloc(keydatalen);
  276. if (buf == NULL)
  277. return NULL;
  278. if (aes_unwrap(kek, keydatalen / 8, (u8 *) (hdr + 1), buf)) {
  279. os_free(buf);
  280. wpa_printf(MSG_INFO, "AES unwrap failed - "
  281. "could not decrypt EAPOL-Key key data");
  282. return NULL;
  283. }
  284. *len = keydatalen;
  285. return buf;
  286. }
  287. static u8 * decrypt_eapol_key_data(const u8 *kek, u16 ver,
  288. const struct wpa_eapol_key *hdr,
  289. size_t *len)
  290. {
  291. switch (ver) {
  292. case WPA_KEY_INFO_TYPE_HMAC_MD5_RC4:
  293. return decrypt_eapol_key_data_rc4(kek, hdr, len);
  294. case WPA_KEY_INFO_TYPE_HMAC_SHA1_AES:
  295. case WPA_KEY_INFO_TYPE_AES_128_CMAC:
  296. return decrypt_eapol_key_data_aes(kek, hdr, len);
  297. default:
  298. wpa_printf(MSG_INFO, "Unsupported EAPOL-Key Key Descriptor "
  299. "Version %u", ver);
  300. return NULL;
  301. }
  302. }
  303. static void learn_kde_keys(struct wlantest_bss *bss, struct wlantest_sta *sta,
  304. const u8 *buf, size_t len, const u8 *rsc)
  305. {
  306. struct wpa_eapol_ie_parse ie;
  307. if (wpa_supplicant_parse_ies(buf, len, &ie) < 0) {
  308. wpa_printf(MSG_INFO, "Failed to parse EAPOL-Key Key Data");
  309. return;
  310. }
  311. if (ie.wpa_ie) {
  312. wpa_hexdump(MSG_MSGDUMP, "EAPOL-Key Key Data - WPA IE",
  313. ie.wpa_ie, ie.wpa_ie_len);
  314. }
  315. if (ie.rsn_ie) {
  316. wpa_hexdump(MSG_MSGDUMP, "EAPOL-Key Key Data - RSN IE",
  317. ie.rsn_ie, ie.rsn_ie_len);
  318. }
  319. if (ie.gtk) {
  320. wpa_hexdump(MSG_MSGDUMP, "EAPOL-Key Key Data - GTK KDE",
  321. ie.gtk, ie.gtk_len);
  322. if (ie.gtk_len >= 2 && ie.gtk_len <= 2 + 32) {
  323. int id;
  324. id = ie.gtk[0] & 0x03;
  325. wpa_printf(MSG_DEBUG, "GTK KeyID=%u tx=%u",
  326. id, !!(ie.gtk[0] & 0x04));
  327. if ((ie.gtk[0] & 0xf8) || ie.gtk[1])
  328. wpa_printf(MSG_INFO, "GTK KDE: Reserved field "
  329. "set: %02x %02x",
  330. ie.gtk[0], ie.gtk[1]);
  331. wpa_hexdump(MSG_DEBUG, "GTK", ie.gtk + 2,
  332. ie.gtk_len - 2);
  333. bss->gtk_len[id] = ie.gtk_len - 2;
  334. sta->gtk_len = ie.gtk_len - 2;
  335. os_memcpy(bss->gtk[id], ie.gtk + 2, ie.gtk_len - 2);
  336. os_memcpy(sta->gtk, ie.gtk + 2, ie.gtk_len - 2);
  337. bss->rsc[id][0] = rsc[5];
  338. bss->rsc[id][1] = rsc[4];
  339. bss->rsc[id][2] = rsc[3];
  340. bss->rsc[id][3] = rsc[2];
  341. bss->rsc[id][4] = rsc[1];
  342. bss->rsc[id][5] = rsc[0];
  343. bss->gtk_idx = id;
  344. sta->gtk_idx = id;
  345. wpa_hexdump(MSG_DEBUG, "RSC", bss->rsc[id], 6);
  346. } else {
  347. wpa_printf(MSG_INFO, "Invalid GTK KDE length %u",
  348. (unsigned) ie.gtk_len);
  349. }
  350. }
  351. if (ie.igtk) {
  352. wpa_hexdump(MSG_MSGDUMP, "EAPOL-Key Key Data - IGTK KDE",
  353. ie.igtk, ie.igtk_len);
  354. if (ie.igtk_len == 24) {
  355. u16 id;
  356. id = WPA_GET_LE16(ie.igtk);
  357. if (id > 5) {
  358. wpa_printf(MSG_INFO, "Unexpected IGTK KeyID "
  359. "%u", id);
  360. } else {
  361. const u8 *ipn;
  362. wpa_printf(MSG_DEBUG, "IGTK KeyID %u", id);
  363. wpa_hexdump(MSG_DEBUG, "IPN", ie.igtk + 2, 6);
  364. wpa_hexdump(MSG_DEBUG, "IGTK", ie.igtk + 8,
  365. 16);
  366. os_memcpy(bss->igtk[id], ie.igtk + 8, 16);
  367. bss->igtk_set[id] = 1;
  368. ipn = ie.igtk + 2;
  369. bss->ipn[id][0] = ipn[5];
  370. bss->ipn[id][1] = ipn[4];
  371. bss->ipn[id][2] = ipn[3];
  372. bss->ipn[id][3] = ipn[2];
  373. bss->ipn[id][4] = ipn[1];
  374. bss->ipn[id][5] = ipn[0];
  375. bss->igtk_idx = id;
  376. }
  377. } else {
  378. wpa_printf(MSG_INFO, "Invalid IGTK KDE length %u",
  379. (unsigned) ie.igtk_len);
  380. }
  381. }
  382. }
  383. static void rx_data_eapol_key_3_of_4(struct wlantest *wt, const u8 *dst,
  384. const u8 *src, const u8 *data, size_t len)
  385. {
  386. struct wlantest_bss *bss;
  387. struct wlantest_sta *sta;
  388. const struct ieee802_1x_hdr *eapol;
  389. const struct wpa_eapol_key *hdr;
  390. const u8 *key_data, *kck, *kek;
  391. int recalc = 0;
  392. u16 key_info, ver;
  393. u8 *decrypted_buf = NULL;
  394. const u8 *decrypted;
  395. size_t decrypted_len = 0;
  396. struct wpa_eapol_ie_parse ie;
  397. wpa_printf(MSG_DEBUG, "EAPOL-Key 3/4 " MACSTR " -> " MACSTR,
  398. MAC2STR(src), MAC2STR(dst));
  399. bss = bss_get(wt, src);
  400. if (bss == NULL)
  401. return;
  402. sta = sta_get(bss, dst);
  403. if (sta == NULL)
  404. return;
  405. eapol = (const struct ieee802_1x_hdr *) data;
  406. hdr = (const struct wpa_eapol_key *) (eapol + 1);
  407. key_info = WPA_GET_BE16(hdr->key_info);
  408. if (os_memcmp(sta->anonce, hdr->key_nonce, WPA_NONCE_LEN) != 0) {
  409. wpa_printf(MSG_INFO, "EAPOL-Key ANonce mismatch between 1/4 "
  410. "and 3/4");
  411. recalc = 1;
  412. }
  413. os_memcpy(sta->anonce, hdr->key_nonce, WPA_NONCE_LEN);
  414. if (recalc) {
  415. derive_ptk(wt, bss, sta, key_info & WPA_KEY_INFO_TYPE_MASK,
  416. data, len);
  417. }
  418. if (!sta->ptk_set && !sta->tptk_set) {
  419. wpa_printf(MSG_DEBUG, "No PTK known to process EAPOL-Key 3/4");
  420. return;
  421. }
  422. kek = sta->ptk.kek;
  423. kck = sta->ptk.kck;
  424. if (sta->tptk_set) {
  425. wpa_printf(MSG_DEBUG, "Use TPTK for validation EAPOL-Key MIC");
  426. kck = sta->tptk.kck;
  427. kek = sta->tptk.kek;
  428. }
  429. if (check_mic(kck, key_info & WPA_KEY_INFO_TYPE_MASK, data, len) < 0) {
  430. wpa_printf(MSG_INFO, "Mismatch in EAPOL-Key 3/4 MIC");
  431. return;
  432. }
  433. wpa_printf(MSG_DEBUG, "Valid MIC found in EAPOL-Key 3/4");
  434. key_data = (const u8 *) (hdr + 1);
  435. if (!(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
  436. if (sta->proto & WPA_PROTO_RSN)
  437. wpa_printf(MSG_INFO, "EAPOL-Key 3/4 without "
  438. "EncrKeyData bit");
  439. decrypted = key_data;
  440. decrypted_len = WPA_GET_BE16(hdr->key_data_length);
  441. } else {
  442. ver = key_info & WPA_KEY_INFO_TYPE_MASK;
  443. decrypted_buf = decrypt_eapol_key_data(kek, ver, hdr,
  444. &decrypted_len);
  445. if (decrypted_buf == NULL) {
  446. wpa_printf(MSG_INFO, "Failed to decrypt EAPOL-Key Key "
  447. "Data");
  448. return;
  449. }
  450. decrypted = decrypted_buf;
  451. wpa_hexdump(MSG_DEBUG, "Decrypted EAPOL-Key Key Data",
  452. decrypted, decrypted_len);
  453. }
  454. if (wt->write_pcap_dumper && decrypted != key_data) {
  455. /* Fill in a dummy Data frame header */
  456. u8 buf[24 + 8 + sizeof(*eapol) + sizeof(*hdr)];
  457. struct ieee80211_hdr *h;
  458. struct wpa_eapol_key *k;
  459. const u8 *p;
  460. u8 *pos;
  461. size_t plain_len;
  462. plain_len = decrypted_len;
  463. p = decrypted;
  464. while (p + 1 < decrypted + decrypted_len) {
  465. if (p[0] == 0xdd && p[1] == 0x00) {
  466. /* Remove padding */
  467. plain_len = p - decrypted;
  468. break;
  469. }
  470. p += 2 + p[1];
  471. }
  472. os_memset(buf, 0, sizeof(buf));
  473. h = (struct ieee80211_hdr *) buf;
  474. h->frame_control = host_to_le16(0x0208);
  475. os_memcpy(h->addr1, dst, ETH_ALEN);
  476. os_memcpy(h->addr2, src, ETH_ALEN);
  477. os_memcpy(h->addr3, src, ETH_ALEN);
  478. pos = (u8 *) (h + 1);
  479. os_memcpy(pos, "\xaa\xaa\x03\x00\x00\x00\x88\x8e", 8);
  480. pos += 8;
  481. os_memcpy(pos, eapol, sizeof(*eapol));
  482. pos += sizeof(*eapol);
  483. os_memcpy(pos, hdr, sizeof(*hdr));
  484. k = (struct wpa_eapol_key *) pos;
  485. WPA_PUT_BE16(k->key_info,
  486. key_info & ~WPA_KEY_INFO_ENCR_KEY_DATA);
  487. WPA_PUT_BE16(k->key_data_length, plain_len);
  488. write_pcap_decrypted(wt, buf, sizeof(buf),
  489. decrypted, plain_len);
  490. }
  491. if (wpa_supplicant_parse_ies(decrypted, decrypted_len, &ie) < 0) {
  492. wpa_printf(MSG_INFO, "Failed to parse EAPOL-Key Key Data");
  493. os_free(decrypted_buf);
  494. return;
  495. }
  496. if ((ie.wpa_ie &&
  497. os_memcmp(ie.wpa_ie, bss->wpaie, ie.wpa_ie_len) != 0) ||
  498. (ie.wpa_ie == NULL && bss->wpaie[0])) {
  499. wpa_printf(MSG_INFO, "Mismatch in WPA IE between "
  500. "EAPOL-Key 3/4 and Beacon/Probe Response "
  501. "from " MACSTR, MAC2STR(bss->bssid));
  502. wpa_hexdump(MSG_INFO, "WPA IE in EAPOL-Key",
  503. ie.wpa_ie, ie.wpa_ie_len);
  504. wpa_hexdump(MSG_INFO, "WPA IE in Beacon/Probe "
  505. "Response",
  506. bss->wpaie,
  507. bss->wpaie[0] ? 2 + bss->wpaie[1] : 0);
  508. }
  509. if ((ie.rsn_ie &&
  510. os_memcmp(ie.rsn_ie, bss->rsnie, ie.rsn_ie_len) != 0) ||
  511. (ie.rsn_ie == NULL && bss->rsnie[0])) {
  512. wpa_printf(MSG_INFO, "Mismatch in RSN IE between "
  513. "EAPOL-Key 3/4 and Beacon/Probe Response "
  514. "from " MACSTR, MAC2STR(bss->bssid));
  515. wpa_hexdump(MSG_INFO, "RSN IE in EAPOL-Key",
  516. ie.rsn_ie, ie.rsn_ie_len);
  517. wpa_hexdump(MSG_INFO, "RSN IE in (Re)Association "
  518. "Request",
  519. bss->rsnie,
  520. bss->rsnie[0] ? 2 + bss->rsnie[1] : 0);
  521. }
  522. learn_kde_keys(bss, sta, decrypted, decrypted_len, hdr->key_rsc);
  523. os_free(decrypted_buf);
  524. }
  525. static void rx_data_eapol_key_4_of_4(struct wlantest *wt, const u8 *dst,
  526. const u8 *src, const u8 *data, size_t len)
  527. {
  528. struct wlantest_bss *bss;
  529. struct wlantest_sta *sta;
  530. const struct ieee802_1x_hdr *eapol;
  531. const struct wpa_eapol_key *hdr;
  532. u16 key_info;
  533. const u8 *kck;
  534. wpa_printf(MSG_DEBUG, "EAPOL-Key 4/4 " MACSTR " -> " MACSTR,
  535. MAC2STR(src), MAC2STR(dst));
  536. bss = bss_get(wt, dst);
  537. if (bss == NULL)
  538. return;
  539. sta = sta_get(bss, src);
  540. if (sta == NULL)
  541. return;
  542. eapol = (const struct ieee802_1x_hdr *) data;
  543. hdr = (const struct wpa_eapol_key *) (eapol + 1);
  544. if (!is_zero(hdr->key_rsc, 8)) {
  545. wpa_printf(MSG_INFO, "EAPOL-Key 4/4 from " MACSTR " used "
  546. "non-zero Key RSC", MAC2STR(src));
  547. }
  548. key_info = WPA_GET_BE16(hdr->key_info);
  549. if (!sta->ptk_set && !sta->tptk_set) {
  550. wpa_printf(MSG_DEBUG, "No PTK known to process EAPOL-Key 4/4");
  551. return;
  552. }
  553. kck = sta->ptk.kck;
  554. if (sta->tptk_set) {
  555. wpa_printf(MSG_DEBUG, "Use TPTK for validation EAPOL-Key MIC");
  556. kck = sta->tptk.kck;
  557. }
  558. if (check_mic(kck, key_info & WPA_KEY_INFO_TYPE_MASK, data, len) < 0) {
  559. wpa_printf(MSG_INFO, "Mismatch in EAPOL-Key 4/4 MIC");
  560. return;
  561. }
  562. wpa_printf(MSG_DEBUG, "Valid MIC found in EAPOL-Key 4/4");
  563. if (sta->tptk_set) {
  564. wpa_printf(MSG_DEBUG, "Update PTK (rekeying)");
  565. os_memcpy(&sta->ptk, &sta->tptk, sizeof(sta->ptk));
  566. sta->ptk_set = 1;
  567. sta->tptk_set = 0;
  568. os_memset(sta->rsc_tods, 0, sizeof(sta->rsc_tods));
  569. os_memset(sta->rsc_fromds, 0, sizeof(sta->rsc_fromds));
  570. }
  571. }
  572. static void rx_data_eapol_key_1_of_2(struct wlantest *wt, const u8 *dst,
  573. const u8 *src, const u8 *data, size_t len)
  574. {
  575. struct wlantest_bss *bss;
  576. struct wlantest_sta *sta;
  577. const struct ieee802_1x_hdr *eapol;
  578. const struct wpa_eapol_key *hdr;
  579. const u8 *key_data;
  580. u16 key_info, ver;
  581. u8 *decrypted;
  582. size_t decrypted_len = 0;
  583. wpa_printf(MSG_DEBUG, "EAPOL-Key 1/2 " MACSTR " -> " MACSTR,
  584. MAC2STR(src), MAC2STR(dst));
  585. bss = bss_get(wt, src);
  586. if (bss == NULL)
  587. return;
  588. sta = sta_get(bss, dst);
  589. if (sta == NULL)
  590. return;
  591. eapol = (const struct ieee802_1x_hdr *) data;
  592. hdr = (const struct wpa_eapol_key *) (eapol + 1);
  593. key_info = WPA_GET_BE16(hdr->key_info);
  594. if (!sta->ptk_set) {
  595. wpa_printf(MSG_DEBUG, "No PTK known to process EAPOL-Key 1/2");
  596. return;
  597. }
  598. if (sta->ptk_set &&
  599. check_mic(sta->ptk.kck, key_info & WPA_KEY_INFO_TYPE_MASK,
  600. data, len) < 0) {
  601. wpa_printf(MSG_INFO, "Mismatch in EAPOL-Key 1/2 MIC");
  602. return;
  603. }
  604. wpa_printf(MSG_DEBUG, "Valid MIC found in EAPOL-Key 1/2");
  605. key_data = (const u8 *) (hdr + 1);
  606. if (sta->proto & WPA_PROTO_RSN &&
  607. !(key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
  608. wpa_printf(MSG_INFO, "EAPOL-Key 1/2 without EncrKeyData bit");
  609. return;
  610. }
  611. ver = key_info & WPA_KEY_INFO_TYPE_MASK;
  612. decrypted = decrypt_eapol_key_data(sta->ptk.kek, ver, hdr,
  613. &decrypted_len);
  614. if (decrypted == NULL) {
  615. wpa_printf(MSG_INFO, "Failed to decrypt EAPOL-Key Key Data");
  616. return;
  617. }
  618. wpa_hexdump(MSG_DEBUG, "Decrypted EAPOL-Key Key Data",
  619. decrypted, decrypted_len);
  620. if (wt->write_pcap_dumper) {
  621. /* Fill in a dummy Data frame header */
  622. u8 buf[24 + 8 + sizeof(*eapol) + sizeof(*hdr)];
  623. struct ieee80211_hdr *h;
  624. struct wpa_eapol_key *k;
  625. u8 *pos;
  626. size_t plain_len;
  627. plain_len = decrypted_len;
  628. pos = decrypted;
  629. while (pos + 1 < decrypted + decrypted_len) {
  630. if (pos[0] == 0xdd && pos[1] == 0x00) {
  631. /* Remove padding */
  632. plain_len = pos - decrypted;
  633. break;
  634. }
  635. pos += 2 + pos[1];
  636. }
  637. os_memset(buf, 0, sizeof(buf));
  638. h = (struct ieee80211_hdr *) buf;
  639. h->frame_control = host_to_le16(0x0208);
  640. os_memcpy(h->addr1, dst, ETH_ALEN);
  641. os_memcpy(h->addr2, src, ETH_ALEN);
  642. os_memcpy(h->addr3, src, ETH_ALEN);
  643. pos = (u8 *) (h + 1);
  644. os_memcpy(pos, "\xaa\xaa\x03\x00\x00\x00\x88\x8e", 8);
  645. pos += 8;
  646. os_memcpy(pos, eapol, sizeof(*eapol));
  647. pos += sizeof(*eapol);
  648. os_memcpy(pos, hdr, sizeof(*hdr));
  649. k = (struct wpa_eapol_key *) pos;
  650. WPA_PUT_BE16(k->key_info,
  651. key_info & ~WPA_KEY_INFO_ENCR_KEY_DATA);
  652. WPA_PUT_BE16(k->key_data_length, plain_len);
  653. write_pcap_decrypted(wt, buf, sizeof(buf),
  654. decrypted, plain_len);
  655. }
  656. if (sta->proto & WPA_PROTO_RSN)
  657. learn_kde_keys(bss, sta, decrypted, decrypted_len,
  658. hdr->key_rsc);
  659. else {
  660. int klen = bss->group_cipher == WPA_CIPHER_TKIP ? 32 : 16;
  661. if (decrypted_len == klen) {
  662. const u8 *rsc = hdr->key_rsc;
  663. int id;
  664. id = (key_info & WPA_KEY_INFO_KEY_INDEX_MASK) >>
  665. WPA_KEY_INFO_KEY_INDEX_SHIFT;
  666. wpa_printf(MSG_DEBUG, "GTK key index %d", id);
  667. wpa_hexdump(MSG_DEBUG, "GTK", decrypted,
  668. decrypted_len);
  669. bss->gtk_len[id] = decrypted_len;
  670. os_memcpy(bss->gtk[id], decrypted, decrypted_len);
  671. bss->rsc[id][0] = rsc[5];
  672. bss->rsc[id][1] = rsc[4];
  673. bss->rsc[id][2] = rsc[3];
  674. bss->rsc[id][3] = rsc[2];
  675. bss->rsc[id][4] = rsc[1];
  676. bss->rsc[id][5] = rsc[0];
  677. wpa_hexdump(MSG_DEBUG, "RSC", bss->rsc[id], 6);
  678. } else {
  679. wpa_printf(MSG_INFO, "Unexpected WPA Key Data length "
  680. "in Group Key msg 1/2 from " MACSTR,
  681. MAC2STR(src));
  682. }
  683. }
  684. os_free(decrypted);
  685. }
  686. static void rx_data_eapol_key_2_of_2(struct wlantest *wt, const u8 *dst,
  687. const u8 *src, const u8 *data, size_t len)
  688. {
  689. struct wlantest_bss *bss;
  690. struct wlantest_sta *sta;
  691. const struct ieee802_1x_hdr *eapol;
  692. const struct wpa_eapol_key *hdr;
  693. u16 key_info;
  694. wpa_printf(MSG_DEBUG, "EAPOL-Key 2/2 " MACSTR " -> " MACSTR,
  695. MAC2STR(src), MAC2STR(dst));
  696. bss = bss_get(wt, dst);
  697. if (bss == NULL)
  698. return;
  699. sta = sta_get(bss, src);
  700. if (sta == NULL)
  701. return;
  702. eapol = (const struct ieee802_1x_hdr *) data;
  703. hdr = (const struct wpa_eapol_key *) (eapol + 1);
  704. if (!is_zero(hdr->key_rsc, 8)) {
  705. wpa_printf(MSG_INFO, "EAPOL-Key 2/2 from " MACSTR " used "
  706. "non-zero Key RSC", MAC2STR(src));
  707. }
  708. key_info = WPA_GET_BE16(hdr->key_info);
  709. if (!sta->ptk_set) {
  710. wpa_printf(MSG_DEBUG, "No PTK known to process EAPOL-Key 2/2");
  711. return;
  712. }
  713. if (sta->ptk_set &&
  714. check_mic(sta->ptk.kck, key_info & WPA_KEY_INFO_TYPE_MASK,
  715. data, len) < 0) {
  716. wpa_printf(MSG_INFO, "Mismatch in EAPOL-Key 2/2 MIC");
  717. return;
  718. }
  719. wpa_printf(MSG_DEBUG, "Valid MIC found in EAPOL-Key 2/2");
  720. }
  721. static void rx_data_eapol_key(struct wlantest *wt, const u8 *dst,
  722. const u8 *src, const u8 *data, size_t len,
  723. int prot)
  724. {
  725. const struct ieee802_1x_hdr *eapol;
  726. const struct wpa_eapol_key *hdr;
  727. const u8 *key_data;
  728. u16 key_info, key_length, ver, key_data_length;
  729. eapol = (const struct ieee802_1x_hdr *) data;
  730. hdr = (const struct wpa_eapol_key *) (eapol + 1);
  731. wpa_hexdump(MSG_MSGDUMP, "EAPOL-Key",
  732. (const u8 *) hdr, len - sizeof(*eapol));
  733. if (len < sizeof(*hdr)) {
  734. wpa_printf(MSG_INFO, "Too short EAPOL-Key frame from " MACSTR,
  735. MAC2STR(src));
  736. return;
  737. }
  738. if (hdr->type == EAPOL_KEY_TYPE_RC4) {
  739. /* TODO: EAPOL-Key RC4 for WEP */
  740. wpa_printf(MSG_INFO, "EAPOL-Key Descriptor Type RC4 from "
  741. MACSTR, MAC2STR(src));
  742. return;
  743. }
  744. if (hdr->type != EAPOL_KEY_TYPE_RSN &&
  745. hdr->type != EAPOL_KEY_TYPE_WPA) {
  746. wpa_printf(MSG_INFO, "Unsupported EAPOL-Key Descriptor Type "
  747. "%u from " MACSTR, hdr->type, MAC2STR(src));
  748. return;
  749. }
  750. key_info = WPA_GET_BE16(hdr->key_info);
  751. key_length = WPA_GET_BE16(hdr->key_length);
  752. key_data_length = WPA_GET_BE16(hdr->key_data_length);
  753. key_data = (const u8 *) (hdr + 1);
  754. if (key_data + key_data_length > data + len) {
  755. wpa_printf(MSG_INFO, "Truncated EAPOL-Key from " MACSTR,
  756. MAC2STR(src));
  757. return;
  758. }
  759. if (key_data + key_data_length < data + len) {
  760. wpa_hexdump(MSG_DEBUG, "Extra data after EAPOL-Key Key Data "
  761. "field", key_data + key_data_length,
  762. data + len - key_data - key_data_length);
  763. }
  764. ver = key_info & WPA_KEY_INFO_TYPE_MASK;
  765. wpa_printf(MSG_DEBUG, "EAPOL-Key ver=%u %c idx=%u%s%s%s%s%s%s%s%s "
  766. "datalen=%u",
  767. ver, key_info & WPA_KEY_INFO_KEY_TYPE ? 'P' : 'G',
  768. (key_info & WPA_KEY_INFO_KEY_INDEX_MASK) >>
  769. WPA_KEY_INFO_KEY_INDEX_SHIFT,
  770. (key_info & WPA_KEY_INFO_INSTALL) ? " Install" : "",
  771. (key_info & WPA_KEY_INFO_ACK) ? " ACK" : "",
  772. (key_info & WPA_KEY_INFO_MIC) ? " MIC" : "",
  773. (key_info & WPA_KEY_INFO_SECURE) ? " Secure" : "",
  774. (key_info & WPA_KEY_INFO_ERROR) ? " Error" : "",
  775. (key_info & WPA_KEY_INFO_REQUEST) ? " Request" : "",
  776. (key_info & WPA_KEY_INFO_ENCR_KEY_DATA) ? " Encr" : "",
  777. (key_info & WPA_KEY_INFO_SMK_MESSAGE) ? " SMK" : "",
  778. key_data_length);
  779. if (ver != WPA_KEY_INFO_TYPE_HMAC_MD5_RC4 &&
  780. ver != WPA_KEY_INFO_TYPE_HMAC_SHA1_AES &&
  781. ver != WPA_KEY_INFO_TYPE_AES_128_CMAC) {
  782. wpa_printf(MSG_INFO, "Unsupported EAPOL-Key Key Descriptor "
  783. "Version %u from " MACSTR, ver, MAC2STR(src));
  784. return;
  785. }
  786. wpa_hexdump(MSG_MSGDUMP, "EAPOL-Key Replay Counter",
  787. hdr->replay_counter, WPA_REPLAY_COUNTER_LEN);
  788. wpa_hexdump(MSG_MSGDUMP, "EAPOL-Key Key Nonce",
  789. hdr->key_nonce, WPA_NONCE_LEN);
  790. wpa_hexdump(MSG_MSGDUMP, "EAPOL-Key Key IV",
  791. hdr->key_iv, 16);
  792. wpa_hexdump(MSG_MSGDUMP, "EAPOL-Key RSC",
  793. hdr->key_rsc, WPA_KEY_RSC_LEN);
  794. wpa_hexdump(MSG_MSGDUMP, "EAPOL-Key Key MIC",
  795. hdr->key_mic, 16);
  796. wpa_hexdump(MSG_MSGDUMP, "EAPOL-Key Key Data",
  797. key_data, key_data_length);
  798. if (hdr->type == EAPOL_KEY_TYPE_RSN &&
  799. (key_info & (WPA_KEY_INFO_KEY_INDEX_MASK | BIT(14) | BIT(15))) !=
  800. 0) {
  801. wpa_printf(MSG_INFO, "RSN EAPOL-Key with non-zero reserved "
  802. "Key Info bits 0x%x from " MACSTR,
  803. key_info, MAC2STR(src));
  804. }
  805. if (hdr->type == EAPOL_KEY_TYPE_WPA &&
  806. (key_info & (WPA_KEY_INFO_ENCR_KEY_DATA |
  807. WPA_KEY_INFO_SMK_MESSAGE |BIT(14) | BIT(15))) != 0) {
  808. wpa_printf(MSG_INFO, "WPA EAPOL-Key with non-zero reserved "
  809. "Key Info bits 0x%x from " MACSTR,
  810. key_info, MAC2STR(src));
  811. }
  812. if (key_length > 32) {
  813. wpa_printf(MSG_INFO, "EAPOL-Key with invalid Key Length %d "
  814. "from " MACSTR, key_length, MAC2STR(src));
  815. }
  816. if (ver != WPA_KEY_INFO_TYPE_HMAC_MD5_RC4 &&
  817. !is_zero(hdr->key_iv, 16)) {
  818. wpa_printf(MSG_INFO, "EAPOL-Key with non-zero Key IV "
  819. "(reserved with ver=%d) field from " MACSTR,
  820. ver, MAC2STR(src));
  821. wpa_hexdump(MSG_INFO, "EAPOL-Key Key IV (reserved)",
  822. hdr->key_iv, 16);
  823. }
  824. if (!is_zero(hdr->key_id, 8)) {
  825. wpa_printf(MSG_INFO, "EAPOL-Key with non-zero Key ID "
  826. "(reserved) field from " MACSTR, MAC2STR(src));
  827. wpa_hexdump(MSG_INFO, "EAPOL-Key Key ID (reserved)",
  828. hdr->key_id, 8);
  829. }
  830. if (hdr->key_rsc[6] || hdr->key_rsc[7]) {
  831. wpa_printf(MSG_INFO, "EAPOL-Key with non-zero Key RSC octets "
  832. "(last two are unused)" MACSTR, MAC2STR(src));
  833. }
  834. if (key_info & (WPA_KEY_INFO_ERROR | WPA_KEY_INFO_REQUEST))
  835. return;
  836. if (key_info & WPA_KEY_INFO_SMK_MESSAGE)
  837. return;
  838. if (key_info & WPA_KEY_INFO_KEY_TYPE) {
  839. /* 4-Way Handshake */
  840. switch (key_info & (WPA_KEY_INFO_SECURE |
  841. WPA_KEY_INFO_MIC |
  842. WPA_KEY_INFO_ACK |
  843. WPA_KEY_INFO_INSTALL)) {
  844. case WPA_KEY_INFO_ACK:
  845. rx_data_eapol_key_1_of_4(wt, dst, src, data, len);
  846. break;
  847. case WPA_KEY_INFO_MIC:
  848. if (key_data_length == 0)
  849. rx_data_eapol_key_4_of_4(wt, dst, src, data,
  850. len);
  851. else
  852. rx_data_eapol_key_2_of_4(wt, dst, src, data,
  853. len);
  854. break;
  855. case WPA_KEY_INFO_MIC | WPA_KEY_INFO_ACK |
  856. WPA_KEY_INFO_INSTALL:
  857. /* WPA does not include Secure bit in 3/4 */
  858. rx_data_eapol_key_3_of_4(wt, dst, src, data, len);
  859. break;
  860. case WPA_KEY_INFO_SECURE | WPA_KEY_INFO_MIC |
  861. WPA_KEY_INFO_ACK | WPA_KEY_INFO_INSTALL:
  862. rx_data_eapol_key_3_of_4(wt, dst, src, data, len);
  863. break;
  864. case WPA_KEY_INFO_SECURE | WPA_KEY_INFO_MIC:
  865. if (key_data_length == 0)
  866. rx_data_eapol_key_4_of_4(wt, dst, src, data,
  867. len);
  868. else
  869. rx_data_eapol_key_2_of_4(wt, dst, src, data,
  870. len);
  871. break;
  872. default:
  873. wpa_printf(MSG_DEBUG, "Unsupported EAPOL-Key frame");
  874. break;
  875. }
  876. } else {
  877. /* Group Key Handshake */
  878. switch (key_info & (WPA_KEY_INFO_SECURE |
  879. WPA_KEY_INFO_MIC |
  880. WPA_KEY_INFO_ACK)) {
  881. case WPA_KEY_INFO_SECURE | WPA_KEY_INFO_MIC |
  882. WPA_KEY_INFO_ACK:
  883. rx_data_eapol_key_1_of_2(wt, dst, src, data, len);
  884. break;
  885. case WPA_KEY_INFO_SECURE | WPA_KEY_INFO_MIC:
  886. rx_data_eapol_key_2_of_2(wt, dst, src, data, len);
  887. break;
  888. default:
  889. wpa_printf(MSG_DEBUG, "Unsupported EAPOL-Key frame");
  890. break;
  891. }
  892. }
  893. }
  894. void rx_data_eapol(struct wlantest *wt, const u8 *dst, const u8 *src,
  895. const u8 *data, size_t len, int prot)
  896. {
  897. const struct ieee802_1x_hdr *hdr;
  898. u16 length;
  899. const u8 *p;
  900. wpa_hexdump(MSG_EXCESSIVE, "EAPOL", data, len);
  901. if (len < sizeof(*hdr)) {
  902. wpa_printf(MSG_INFO, "Too short EAPOL frame from " MACSTR,
  903. MAC2STR(src));
  904. return;
  905. }
  906. hdr = (const struct ieee802_1x_hdr *) data;
  907. length = be_to_host16(hdr->length);
  908. wpa_printf(MSG_DEBUG, "RX EAPOL: " MACSTR " -> " MACSTR "%s ver=%u "
  909. "type=%u len=%u",
  910. MAC2STR(src), MAC2STR(dst), prot ? " Prot" : "",
  911. hdr->version, hdr->type, length);
  912. if (hdr->version < 1 || hdr->version > 3) {
  913. wpa_printf(MSG_INFO, "Unexpected EAPOL version %u from "
  914. MACSTR, hdr->version, MAC2STR(src));
  915. }
  916. if (sizeof(*hdr) + length > len) {
  917. wpa_printf(MSG_INFO, "Truncated EAPOL frame from " MACSTR,
  918. MAC2STR(src));
  919. return;
  920. }
  921. if (sizeof(*hdr) + length < len) {
  922. wpa_printf(MSG_INFO, "EAPOL frame with %d extra bytes",
  923. (int) (len - sizeof(*hdr) - length));
  924. }
  925. p = (const u8 *) (hdr + 1);
  926. switch (hdr->type) {
  927. case IEEE802_1X_TYPE_EAP_PACKET:
  928. wpa_hexdump(MSG_MSGDUMP, "EAPOL - EAP packet", p, length);
  929. break;
  930. case IEEE802_1X_TYPE_EAPOL_START:
  931. wpa_hexdump(MSG_MSGDUMP, "EAPOL-Start", p, length);
  932. break;
  933. case IEEE802_1X_TYPE_EAPOL_LOGOFF:
  934. wpa_hexdump(MSG_MSGDUMP, "EAPOL-Logoff", p, length);
  935. break;
  936. case IEEE802_1X_TYPE_EAPOL_KEY:
  937. rx_data_eapol_key(wt, dst, src, data, sizeof(*hdr) + length,
  938. prot);
  939. break;
  940. case IEEE802_1X_TYPE_EAPOL_ENCAPSULATED_ASF_ALERT:
  941. wpa_hexdump(MSG_MSGDUMP, "EAPOL - Encapsulated ASF alert",
  942. p, length);
  943. break;
  944. default:
  945. wpa_hexdump(MSG_MSGDUMP, "Unknown EAPOL payload", p, length);
  946. break;
  947. }
  948. }