From a8a277c169bef628ff6a76573b058ebd0914ff3d Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Fri, 28 Feb 2020 00:31:33 +0200
Subject: [PATCH] wlantest: Get STA IEs based on EAPOL-Key msg 2/4 before PTK derivation
The previous implementation tried to update STA IE information based on EAPOL-Key msg 2/4 to be able to handle captures that do not include the (Re)Association Request frame. This was not sufficient (OSEN was not included) and was done too late (the parsed information is needed for PMK-to-PTK derivation). Move the IE update step to happen before trying to derive the PTK if no (Re)Association Request frame has been seen.
Signed-off-by: Jouni Malinen
---
 wlantest/rx_eapol.c | 59 +++++++++++++++++++++------------------------
 wlantest/rx_mgmt.c | 2 ++
 wlantest/wlantest.h | 1 +
 3 files changed, 31 insertions(+), 31 deletions(-)
diff --git a/wlantest/rx_eapol.c b/wlantest/rx_eapol.c
index e4fe7e23e..c58b82c16 100644
--- a/wlantest/rx_eapol.c
+++ b/wlantest/rx_eapol.c
@@ -257,7 +257,35 @@ static void rx_data_eapol_key_2_of_4(struct wlantest *wt, const u8 *dst,
 }
 os_memcpy(sta->snonce, hdr->key_nonce, WPA_NONCE_LEN);
 key_info = WPA_GET_BE16(hdr->key_info);
+ key_data = mic + mic_len + 2;
 key_data_len = WPA_GET_BE16(mic + mic_len);
+
+ if (wpa_supplicant_parse_ies(key_data, key_data_len, &ie) < 0) {
+ add_note(wt, MSG_INFO, "Failed to parse EAPOL-Key Key Data");
+ return;
+ }
+
+ if (!sta->assocreq_seen) {
+ struct ieee802_11_elems elems;
+
+ os_memset(&elems, 0, sizeof(elems));
+ if (ie.wpa_ie) {
+ elems.wpa_ie = ie.wpa_ie + 2;
+ elems.wpa_ie_len = ie.wpa_ie_len - 2;
+ }
+ if (ie.rsn_ie) {
+ elems.rsn_ie = ie.rsn_ie + 2;
+ elems.rsn_ie_len = ie.rsn_ie_len - 2;
+ }
+ if (ie.osen) {
+ elems.osen = ie.osen + 2;
+ elems.osen_len = ie.osen_len - 2;
+ }
+ wpa_printf(MSG_DEBUG,
+ "Update STA data based on IEs in EAPOL-Key 2/4");
+ sta_update_assoc(sta, &elems);
+ }
+
 derive_ptk(wt, bss, sta, key_info & WPA_KEY_INFO_TYPE_MASK, data, len);
 if (!sta->ptk_set && !sta->tptk_set) {
@@ -281,18 +309,10 @@ static void rx_data_eapol_key_2_of_4(struct wlantest *wt, const u8 *dst,
 }
 add_note(wt, MSG_DEBUG, "Valid MIC found in EAPOL-Key 2/4");
- key_data = mic + mic_len + 2;
-
- if (wpa_supplicant_parse_ies(key_data, key_data_len, &ie) < 0) {
- add_note(wt, MSG_INFO, "Failed to parse EAPOL-Key Key Data");
- return;
- }
-
 if (ie.wpa_ie) {
 wpa_hexdump(MSG_MSGDUMP, "EAPOL-Key Key Data - WPA IE", ie.wpa_ie, ie.wpa_ie_len);
 if (os_memcmp(ie.wpa_ie, sta->rsnie, ie.wpa_ie_len) != 0) {
- struct ieee802_11_elems elems;
 add_note(wt, MSG_INFO, "Mismatch in WPA IE between EAPOL-Key 2/4 " "and (Re)Association Request from " MACSTR,
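Review bot: The `sta_update_assoc(sta, &elems)` call inside the new `if (!sta->assocreq_seen)` block rewrites the STA's cipher/AKM state from Key Data whose MIC has not been verified yet — the MIC check still comes after derive_ptk(), later in this function — and nothing undoes that update when the check then fails, so a single spoofed or corrupted 2/4 can poison a STA record for which no (Re)Association Request was captured. For a passive sniffer the ordering is unavoidable (the PTK, and hence the MIC, depends on these very IEs), but it should be written down at the block, e.g. `/* Key Data is unauthenticated here: the MIC can only be checked once the PTK has been derived from these IEs, so a bogus 2/4 can poison STA state until a (Re)Association Request is seen */`. Related: `key_data_len` is read straight from the frame and handed to wpa_supplicant_parse_ies() with no bound against `len` visible in the hunk; presumably the caller already rejected a truncated Key Data field, otherwise the parse reads past the frame. Also, `mic_len` is fixed before these IEs are applied, so if it was derived from a stale sta->key_mgmt the Key Data offset may already be wrong for an AKM with a different MIC size — worth confirming where mic_len comes from. rx_data_eapol_key_2_of_4() begins before this hunk and continues past it.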
@@ -303,17 +323,6 @@ static void rx_data_eapol_key_2_of_4(struct wlantest *wt, const u8 *dst,
 "Request", sta->rsnie, sta->rsnie[0] ? 2 + sta->rsnie[1] : 0);
- /*
- * The sniffer may have missed (Re)Association
- * Request, so try to survive with the information from
- * EAPOL-Key.
- */
- os_memset(&elems, 0, sizeof(elems));
- elems.wpa_ie = ie.wpa_ie + 2;
- elems.wpa_ie_len = ie.wpa_ie_len - 2;
- wpa_printf(MSG_DEBUG, "Update STA data based on WPA "
- "IE in EAPOL-Key 2/4");
- sta_update_assoc(sta, &elems);
 }
 }
@@ -321,7 +330,6 @@ static void rx_data_eapol_key_2_of_4(struct wlantest *wt, const u8 *dst,
 wpa_hexdump(MSG_MSGDUMP, "EAPOL-Key Key Data - RSN IE", ie.rsn_ie, ie.rsn_ie_len);
 if (os_memcmp(ie.rsn_ie, sta->rsnie, ie.rsn_ie_len) != 0) {
- struct ieee802_11_elems elems;
 add_note(wt, MSG_INFO, "Mismatch in RSN IE between EAPOL-Key 2/4 " "and (Re)Association Request from " MACSTR,
@@ -332,17 +340,6 @@ static void rx_data_eapol_key_2_of_4(struct wlantest *wt, const u8 *dst,
 "Request", sta->rsnie, sta->rsnie[0] ? 2 + sta->rsnie[1] : 0);
- /*
- * The sniffer may have missed (Re)Association
- * Request, so try to survive with the information from
- * EAPOL-Key.
- */
- os_memset(&elems, 0, sizeof(elems));
- elems.rsn_ie = ie.rsn_ie + 2;
- elems.rsn_ie_len = ie.rsn_ie_len - 2;
- wpa_printf(MSG_DEBUG, "Update STA data based on RSN "
- "IE in EAPOL-Key 2/4");
- sta_update_assoc(sta, &elems);
 }
 }
 }
diff --git a/wlantest/rx_mgmt.c b/wlantest/rx_mgmt.c
index 92762b8f0..086db4a66 100644
--- a/wlantest/rx_mgmt.c
+++ b/wlantest/rx_mgmt.c
@@ -640,6 +640,7 @@ static void rx_mgmt_assoc_req(struct wlantest *wt, const u8 *data, size_t len)
 os_memcpy(sta->assocreq_ies, mgmt->u.assoc_req.variable, sta->assocreq_ies_len);
+ sta->assocreq_seen = 1;
 sta_update_assoc(sta, &elems);
 }
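Review bot: `sta->assocreq_seen = 1` is set here (and in the reassociation path) but never cleared, so once a STA's association has been captured, a later association of that same STA whose (Re)Association Request the sniffer misses keeps the stale flag, and the EAPOL-Key 2/4 fallback gated on `!sta->assocreq_seen` in rx_eapol.c is skipped while the STA record still carries the IEs of the earlier association. If the STA record is already reset on deauthentication/disassociation elsewhere in this file, nothing more is needed; otherwise clear it there together with the other per-association state, `sta->assocreq_seen = 0;`. rx_mgmt_assoc_req() begins before this hunk.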
@@ -875,6 +876,7 @@ static void rx_mgmt_reassoc_req(struct wlantest *wt, const u8 *data,
 os_memcpy(sta->assocreq_ies, mgmt->u.reassoc_req.variable, sta->assocreq_ies_len);
+ sta->assocreq_seen = 1;
 sta_update_assoc(sta, &elems);
 /* TODO: FT protocol: verify FTE MIC and update GTK/IGTK for the BSS */
diff --git a/wlantest/wlantest.h b/wlantest/wlantest.h
index 82eddc11c..69aa155d1 100644
--- a/wlantest/wlantest.h
+++ b/wlantest/wlantest.h
@@ -82,6 +82,7 @@ struct wlantest_sta {
 u8 ap_sa_query_tr[2];
 u8 sta_sa_query_tr[2];
 u32 counters[NUM_WLANTEST_STA_COUNTER];
+ int assocreq_seen;
 u16 assocreq_capab_info;
 u16 assocreq_listen_int;
 u8 *assocreq_ies;
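Review bot: The new `int assocreq_seen` member in struct wlantest_sta carries no comment, and unlike its `assocreq_*` neighbours its role is not obvious from the name alone (it is a flag, not a counter, and it is consulted from another file); suggest `int assocreq_seen; /* (Re)Association Request captured for this STA; while 0, rx_eapol.c falls back to the IEs in EAPOL-Key msg 2/4 */`. struct wlantest_sta begins before this hunk and continues past it.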