jeltz/hostap
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity
hostap/src/ap/taxonomy.c

292 lines
7.4 KiB
C
Raw Normal View History

Passive Client Taxonomy Implement the signature mechanism described in the paper "Passive Taxonomy of Wifi Clients using MLME Frame Contents" published by Denton Gentry and Avery Pennarun. http://research.google.com/pubs/pub45429.html https://arxiv.org/abs/1608.01725 This involves: 1. Add a CONFIG_TAXONOMY compile option. Enabling taxonomy incurs a memory overhead of up to several kilobytes per associated station. 2. If enabled, store the Probe Request and (Re)Associate Request frame in struct sta_info. 3. Implement code to extract the ID of each Information Element, plus selected fields and bitmasks from certain IEs, into a descriptive text string. This is done in a new source file, src/ap/taxonomy.c. 4. Implement a "signature qq:rr:ss:tt:uu:vv" command in hostapd_cli to retrieve the signature. Signatures take the form of a text string. For example, a signature for the Nexus 5X is: wifi4|probe:0,1,127,45,191,htcap:01ef,htagg:03,htmcs:0000ffff,vhtcap:338061b2, vhtrxmcs:030cfffa,vhttxmcs:030cfffa,extcap:00000a0201000040|assoc:0,1,48,45, 221(0050f2,2),191,127,htcap:01ef,htagg:03,htmcs:0000ffff,vhtcap:339071b2, vhtrxmcs:030cfffa,vhttxmcs:030cfffa,extcap:0000000000000040 Signed-off-by: dgentry@google.com (Denton Gentry) Signed-off-by: denny@geekhold.com (Denton Gentry) Signed-off-by: rofrankel@google.com (Richard Frankel) Signed-off-by: richard@frankel.tv (Richard Frankel)
2016-08-15 06:42:48 +02:00
/*
* hostapd / Client taxonomy
* Copyright (c) 2015 Google, Inc.
*
* This software may be distributed under the terms of the BSD license.
* See README for more details.
*
* Parse a series of IEs, as in Probe Request or (Re)Association Request frames,
* and render them to a descriptive string. The tag number of standard options
* is written to the string, while the vendor ID and subtag are written for
* vendor options.
*
* Example strings:
* 0,1,50,45,221(00904c,51)
* 0,1,33,36,48,45,221(00904c,51),221(0050f2,2)
*/
#include "utils/includes.h"
#include "utils/common.h"
#include "common/wpa_ctrl.h"
#include "hostapd.h"
#include "sta_info.h"
/* Copy a string with no funny schtuff allowed; only alphanumerics. */
static void no_mischief_strncpy(char *dst, const char *src, size_t n)
{
size_t i;
for (i = 0; i < n; i++) {
unsigned char s = src[i];
int is_lower = s >= 'a' && s <= 'z';
int is_upper = s >= 'A' && s <= 'Z';
int is_digit = s >= '0' && s <= '9';
if (is_lower || is_upper || is_digit) {
/* TODO: if any manufacturer uses Unicode within the
* WPS header, it will get mangled here. */
dst[i] = s;
} else {
/* Note that even spaces will be transformed to
* underscores, so 'Nexus 7' will turn into 'Nexus_7'.
* This is deliberate, to make the string easier to
* parse. */
dst[i] = '_';
}
}
}
static int get_wps_name(char *name, size_t name_len,
const u8 *data, size_t data_len)
{
/* Inside the WPS IE are a series of attributes, using two byte IDs
* and two byte lengths. We're looking for the model name, if
* present. */
while (data_len >= 4) {
u16 id, elen;
id = WPA_GET_BE16(data);
elen = WPA_GET_BE16(data + 2);
data += 4;
data_len -= 4;
if (elen > data_len)
return 0;
if (id == 0x1023) {
/* Model name, like 'Nexus 7' */
size_t n = (elen < name_len) ? elen : name_len;
no_mischief_strncpy(name, (const char *) data, n);
return n;
}
data += elen;
data_len -= elen;
}
return 0;
}
static void ie_to_string(char *fstr, size_t fstr_len, const struct wpabuf *ies)
{
char *fpos = fstr;
char *fend = fstr + fstr_len;
char htcap[7 + 4 + 1]; /* ",htcap:" + %04hx + trailing NUL */
char htagg[7 + 2 + 1]; /* ",htagg:" + %02hx + trailing NUL */
char htmcs[7 + 8 + 1]; /* ",htmcs:" + %08x + trailing NUL */
char vhtcap[8 + 8 + 1]; /* ",vhtcap:" + %08x + trailing NUL */
char vhtrxmcs[10 + 8 + 1]; /* ",vhtrxmcs:" + %08x + trailing NUL */
char vhttxmcs[10 + 8 + 1]; /* ",vhttxmcs:" + %08x + trailing NUL */
#define MAX_EXTCAP 254
char extcap[8 + 2 * MAX_EXTCAP + 1]; /* ",extcap:" + hex + trailing NUL
*/
char txpow[7 + 4 + 1]; /* ",txpow:" + %04hx + trailing NUL */
#define WPS_NAME_LEN 32
char wps[WPS_NAME_LEN + 5 + 1]; /* room to prepend ",wps:" + trailing
* NUL */
int num = 0;
const u8 *ie;
size_t ie_len;
int ret;
os_memset(htcap, 0, sizeof(htcap));
os_memset(htagg, 0, sizeof(htagg));
os_memset(htmcs, 0, sizeof(htmcs));
os_memset(vhtcap, 0, sizeof(vhtcap));
os_memset(vhtrxmcs, 0, sizeof(vhtrxmcs));
os_memset(vhttxmcs, 0, sizeof(vhttxmcs));
os_memset(extcap, 0, sizeof(extcap));
os_memset(txpow, 0, sizeof(txpow));
os_memset(wps, 0, sizeof(wps));
*fpos = '\0';
if (!ies)
return;
ie = wpabuf_head(ies);
ie_len = wpabuf_len(ies);
while (ie_len >= 2) {
u8 id, elen;
char *sep = (num++ == 0) ? "" : ",";
id = *ie++;
elen = *ie++;
ie_len -= 2;
if (elen > ie_len)
break;
if (id == WLAN_EID_VENDOR_SPECIFIC && elen >= 4) {
/* Vendor specific */
if (WPA_GET_BE32(ie) == WPS_IE_VENDOR_TYPE) {
/* WPS */
char model_name[WPS_NAME_LEN + 1];
const u8 *data = &ie[4];
size_t data_len = elen - 4;
os_memset(model_name, 0, sizeof(model_name));
if (get_wps_name(model_name, WPS_NAME_LEN, data,
data_len)) {
os_snprintf(wps, sizeof(wps),
",wps:%s", model_name);
}
}
ret = os_snprintf(fpos, fend - fpos,
"%s%d(%02x%02x%02x,%d)",
sep, id, ie[0], ie[1], ie[2], ie[3]);
} else {
if (id == WLAN_EID_HT_CAP && elen >= 2) {
/* HT Capabilities (802.11n) */
os_snprintf(htcap, sizeof(htcap),
",htcap:%04hx",
WPA_GET_LE16(ie));
}
if (id == WLAN_EID_HT_CAP && elen >= 3) {
/* HT Capabilities (802.11n), A-MPDU information
*/
os_snprintf(htagg, sizeof(htagg),
",htagg:%02hx", (u16) ie[2]);
}
if (id == WLAN_EID_HT_CAP && elen >= 7) {
/* HT Capabilities (802.11n), MCS information */
os_snprintf(htmcs, sizeof(htmcs),
",htmcs:%08hx",
(u16) WPA_GET_LE32(ie + 3));
}
if (id == WLAN_EID_VHT_CAP && elen >= 4) {
/* VHT Capabilities (802.11ac) */
os_snprintf(vhtcap, sizeof(vhtcap),
",vhtcap:%08x",
WPA_GET_LE32(ie));
}
if (id == WLAN_EID_VHT_CAP && elen >= 8) {
/* VHT Capabilities (802.11ac), RX MCS
* information */
os_snprintf(vhtrxmcs, sizeof(vhtrxmcs),
",vhtrxmcs:%08x",
WPA_GET_LE32(ie + 4));
}
if (id == WLAN_EID_VHT_CAP && elen >= 12) {
/* VHT Capabilities (802.11ac), TX MCS
* information */
os_snprintf(vhttxmcs, sizeof(vhttxmcs),
",vhttxmcs:%08x",
WPA_GET_LE32(ie + 8));
}
if (id == WLAN_EID_EXT_CAPAB) {
/* Extended Capabilities */
int i;
int len = (elen < MAX_EXTCAP) ? elen :
MAX_EXTCAP;
char *p = extcap;
p += os_snprintf(extcap, sizeof(extcap),
",extcap:");
for (i = 0; i < len; i++) {
int lim;
lim = sizeof(extcap) -
os_strlen(extcap);
if (lim <= 0)
break;
p += os_snprintf(p, lim, "%02x",
*(ie + i));
}
}
if (id == WLAN_EID_PWR_CAPABILITY && elen == 2) {
/* TX Power */
os_snprintf(txpow, sizeof(txpow),
",txpow:%04hx",
WPA_GET_LE16(ie));
}
ret = os_snprintf(fpos, fend - fpos, "%s%d", sep, id);
}
if (os_snprintf_error(fend - fpos, ret))
goto fail;
fpos += ret;
ie += elen;
ie_len -= elen;
}
ret = os_snprintf(fpos, fend - fpos, "%s%s%s%s%s%s%s%s%s",
htcap, htagg, htmcs, vhtcap, vhtrxmcs, vhttxmcs,
txpow, extcap, wps);
if (os_snprintf_error(fend - fpos, ret)) {
fail:
fstr[0] = '\0';
}
}
int retrieve_sta_taxonomy(const struct hostapd_data *hapd,
struct sta_info *sta, char *buf, size_t buflen)
{
int ret;
char *pos, *end;
if (!sta->probe_ie_taxonomy || !sta->assoc_ie_taxonomy)
return 0;
ret = os_snprintf(buf, buflen, "wifi4|probe:");
if (os_snprintf_error(buflen, ret))
return 0;
pos = buf + ret;
end = buf + buflen;
ie_to_string(pos, end - pos, sta->probe_ie_taxonomy);
pos = os_strchr(pos, '\0');
if (pos >= end)
return 0;
ret = os_snprintf(pos, end - pos, "|assoc:");
if (os_snprintf_error(end - pos, ret))
return 0;
pos += ret;
ie_to_string(pos, end - pos, sta->assoc_ie_taxonomy);
pos = os_strchr(pos, '\0');
return pos - buf;
}
void taxonomy_sta_info_probe_req(const struct hostapd_data *hapd,
struct sta_info *sta,
const u8 *ie, size_t ie_len)
{
wpabuf_free(sta->probe_ie_taxonomy);
sta->probe_ie_taxonomy = wpabuf_alloc_copy(ie, ie_len);
}
taxonomy: Store Probe Request frames in hostapd_sta_info A weakness in the initial client taxonomy mechanism is from storing both the Probe and Associate in struct sta_info. struct sta_info is created after a client associates (or starts authentication frame exchange), which means that any Probe Request frames sent prior to association are not retained. The Associate Request frame has to be seen, and then another Probe Request frame after association, before we have a signature for the client. Most clients send lots of Probe Request frames (lots and lots and lots of Probes, actually), but a few do not. ChromeOS is notably sparing in sending Probe Request frames, it can take a long time before a signature for a ChromeOS device is available. Store the most recent Probe Request frame in struct hostapd_sta_info tracking list. When a struct sta_info is created, move the Probe Request frame information from struct hostapd_sta_info to struct sta_info. Signed-off-by: dgentry@google.com (Denton Gentry) Signed-off-by: denny@geekhold.com (Denton Gentry) Signed-off-by: rofrankel@google.com (Richard Frankel) Signed-off-by: richard@frankel.tv (Richard Frankel)
2016-08-15 06:42:49 +02:00
void taxonomy_hostapd_sta_info_probe_req(const struct hostapd_data *hapd,
struct hostapd_sta_info *info,
const u8 *ie, size_t ie_len)
{
wpabuf_free(info->probe_ie_taxonomy);
info->probe_ie_taxonomy = wpabuf_alloc_copy(ie, ie_len);
}
Passive Client Taxonomy Implement the signature mechanism described in the paper "Passive Taxonomy of Wifi Clients using MLME Frame Contents" published by Denton Gentry and Avery Pennarun. http://research.google.com/pubs/pub45429.html https://arxiv.org/abs/1608.01725 This involves: 1. Add a CONFIG_TAXONOMY compile option. Enabling taxonomy incurs a memory overhead of up to several kilobytes per associated station. 2. If enabled, store the Probe Request and (Re)Associate Request frame in struct sta_info. 3. Implement code to extract the ID of each Information Element, plus selected fields and bitmasks from certain IEs, into a descriptive text string. This is done in a new source file, src/ap/taxonomy.c. 4. Implement a "signature qq:rr:ss:tt:uu:vv" command in hostapd_cli to retrieve the signature. Signatures take the form of a text string. For example, a signature for the Nexus 5X is: wifi4|probe:0,1,127,45,191,htcap:01ef,htagg:03,htmcs:0000ffff,vhtcap:338061b2, vhtrxmcs:030cfffa,vhttxmcs:030cfffa,extcap:00000a0201000040|assoc:0,1,48,45, 221(0050f2,2),191,127,htcap:01ef,htagg:03,htmcs:0000ffff,vhtcap:339071b2, vhtrxmcs:030cfffa,vhttxmcs:030cfffa,extcap:0000000000000040 Signed-off-by: dgentry@google.com (Denton Gentry) Signed-off-by: denny@geekhold.com (Denton Gentry) Signed-off-by: rofrankel@google.com (Richard Frankel) Signed-off-by: richard@frankel.tv (Richard Frankel)
2016-08-15 06:42:48 +02:00
void taxonomy_sta_info_assoc_req(const struct hostapd_data *hapd,
struct sta_info *sta,
const u8 *ie, size_t ie_len)
{
wpabuf_free(sta->assoc_ie_taxonomy);
sta->assoc_ie_taxonomy = wpabuf_alloc_copy(ie, ie_len);
}
Reference in a new issue Copy permalink