Commit graph

278 commits

Author SHA1 Message Date
Jouni Malinen
ced15c8ba8 wlantest: TKIP frame reassembly for Michael MIC check in fragmented case
Reassemble the full MSDU when processing TKIP protected fragmented
frames so that the Michael MIC can be validated once the last fragment
has been received.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-05-11 21:13:56 +03:00
Jouni Malinen
3332657d69 wlantest: Report decrypted TKIP frames even if cannot check Michael MIC
This can be useful for debugging, so return successfully decrypted TKIP
frame even if the Michael MIC cannot be verified (fragment reassembly
not yet supported) or if the Michael MIC value is incorrect. Add a note
in the frame to point out that the Michael MIC was not verified or is
incorrect.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-05-11 21:13:56 +03:00
Jouni Malinen
73f65cc6c4 wlantest: Support HT Control field in QoS Data frames
Extend Data frame processing (and decryption) to handle +HTC frames by
skipping the HT Control field at the end of the frame header. While this
is not an exact match of the rules in IEEE Std 802.11-2020 for when the
HT Control field is present in frames (e.g., no check of the TXVECTOR
value), this is good enough to cover the most likely used cases.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-05-06 23:32:54 +03:00
Jouni Malinen
2950851ace Rename the Frame Control field subfield Order define to +HTC
This moves the implementation closer to the current IEEE 802.11 standard
since B15 of Frame Control field was renamed to +HTC to match it newer
uses.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-05-06 12:12:51 +03:00
Jouni Malinen
e90ededb4b wlantest: Skip Mesh Control field from the beginning of payload
This allows correct processing of Data frames with Mesh Control field by
finding the LLC/SNAP header after that field.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-03-09 20:20:24 +02:00
Jouni Malinen
503901e72d wlantest: Check all configured TKs if no matching GTK is known
This allows group-addressed frames to be decrypted by listing all
possible GTKs in the PTK file.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-03-09 17:29:48 +02:00
Jouni Malinen
32360ad498 wlantest: Fix broadcast EAPOL-Key frame handling
This resulted in an attempt to dereference a NULL pointer since sta_addr
is not known in this type of a case.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-02-27 20:27:06 +02:00
Brian Norris
1e537a2756 wlantest: Avoid unaligned iphdr pointers
Buffers passed to rx_data_ip() may not be naturally-aligned, and so we
get unpredictable behavior when we cast that to an IP header. In
particular, this code may crash on ARM.

Signed-off-by: Brian Norris <briannorris@chromium.org>
2021-02-13 23:07:34 +02:00
Jouni Malinen
6a12acbb78 wlantest: Add new key_mgmt and rsn_capab values for BSS/STA debug prints
Signed-off-by: Jouni Malinen <j@w1.fi>
2021-02-07 13:57:03 +02:00
Jouni Malinen
136bbf15c3 wlantest: Add more details about protected FTM frames
Signed-off-by: Jouni Malinen <j@w1.fi>
2021-02-07 13:11:34 +02:00
Jouni Malinen
b9fd8191a5 wlantest: Recognize the FTM bit in the CCMP Key ID octet
This previously reserved bit is now used in FTM to help select the
appropriate replay counter. Silence the warning about use of a reserved
bit for this. wlantest does not yet support the actual replay counter
processing for FTM.

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-02-07 12:30:03 +02:00
Jouni Malinen
f56eec7c1a wlantest: Process Action No Ack frames like Action frames
Signed-off-by: Jouni Malinen <j@w1.fi>
2021-02-07 12:00:12 +02:00
Jouni Malinen
56a04ae1a1 wlantest: Support TK list for Management frame decryption
Use the TKs from the PTK file (-T command line argument) to try to
decrypt encrypted Management frames if no BSS/STA key can be found based
on addresses.

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-02-07 11:37:58 +02:00
Ilan Peer
d87f4aea11 FILS: Extend the fils_pmk_to_ptk() function to also derive KDK
Extend the fils_pmk_to_ptk() to also derive Key Derivation
Key (KDK) which can later be used for secure LTF measurements.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2021-01-25 18:36:40 +02:00
Ilan Peer
6e834db74e FT: Extend the wpa_pmk_r1_to_ptk() function to also derive KDK
Extend the wpa_pmk_r1_to_ptk() to also derive Key Derivation
Key (KDK), which can later be used for secure LTF measurements.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2021-01-25 18:36:40 +02:00
Ilan Peer
46c232eb76 WPA: Extend the wpa_pmk_to_ptk() function to also derive KDK
Extend the wpa_pmk_to_ptk() to also derive Key Derivation
Key (KDK), which can later be used for secure LTF measurements.

Update the wpa_supplicant and hostapd configuration and the
corresponding WPA and WPA Auth state machine, to allow enabling of KDK
derivation. For now, use a testing parameter to control whether KDK is
derived.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2021-01-25 18:36:40 +02:00
Ilan Peer
8d4dce244d wlantest: Include PASN into build
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2021-01-25 18:35:50 +02:00
Thomas Pedersen
be96f4e8d2 wlantest: Allow missing RSNE in S1G beacon
S1G beacons save a few bytes by not requiring the RSNE in beacon if RSN
BSS is configured. Handle this in wlantest by only clearing RSNE from
the BSS info if frame is a Probe Response frame.

Signed-off-by: Thomas Pedersen <thomas@adapt-ip.com>
2020-12-04 12:01:54 +02:00
Johannes Berg
283eee8eed gitignore: Clean up a bit
Now that we no longer leave build artifacts outside the build folder, we
can clean up the gitignore a bit. Also move more things to per-folder
files that we mostly had already anyway.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2020-10-11 19:32:50 +03:00
Johannes Berg
87098d3324 build: Put archive files into build/ folder too
This is something I hadn't previously done, but there are
cases where it's needed, e.g., building 'wlantest' and then
one of the tests/fuzzing/*/ projects, they use a different
configuration (fuzzing vs. not fuzzing).

Perhaps more importantly, this gets rid of the last thing
that was dumped into the source directories, apart from
the binaries themselves.

Note that due to the use of thin archives, this required
building with absolute paths.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2020-10-11 11:16:00 +03:00
Johannes Berg
722138cd25 build: Put object files into build/ folder
Instead of building in the source tree, put most object
files into the build/ folder at the root, and put each
thing that's being built into a separate folder.

This then allows us to build hostapd and wpa_supplicant
(or other combinations) without "make clean" inbetween.

For the tests keep the objects in place for now (and to
do that, add the build rule) so that we don't have to
rewrite all of that with $(call BUILDOBJS,...) which is
just noise there.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2020-10-10 12:51:39 +03:00
Johannes Berg
0430bc8267 build: Add a common-clean target
Clean up in a more common fashion as well, initially for ../src/.

Also add $(Q) to the clean target in src/

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2020-10-10 12:48:41 +03:00
Johannes Berg
a41a29192e build: Pull common fragments into a build.rules file
Some things are used by most of the binaries, pull them
into a common rule fragment that we can use properly.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2020-10-10 12:47:29 +03:00
Jouni Malinen
0482414743 wlantest: Fix EAPOL-Key Key Data padding removal
The case where a single 0xdd octet without any 0x00 octets is used as
padding was addressed incorrectly and that ended up truncating one octet
of the actual plaintext version of the Key Data value. Fix this by
removing the unnecessary change to the p pointer before calculating the
new length since p is already pointing to one past the last octet of the
full plaintext.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-09-30 00:19:53 +03:00
Brian Norris
22c06de911 wlantest: Avoid heap-overflow on unexpected data
We're doing a sort of bounds check, based on the previous loop, but only
after we've already tried to read off the end.

This squashes some ASAN errors I'm seeing when running the ap_ft hwsim
test module.

Signed-off-by: Brian Norris <briannorris@chromium.org>
2020-08-22 12:45:09 +03:00
Jouni Malinen
6e47dd04ff wlantest: Fix RSNE check in FT 4-way handshake msg 3/4
Signed-off-by: Jouni Malinen <j@w1.fi>
2020-05-25 13:42:08 +03:00
Jouni Malinen
b6a3bcffd7 wlantest: Validate FT elements in Reassociation Response frame
Verify that RSNE, MDE, and FTE have valid information in FT
Reassociation Response frames. In addition, decrypt GTK, IGTK, and BIGTK
from the frame.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-05-24 00:35:56 +03:00
Jouni Malinen
e10144c910 wlantest: Validate FT elements in Reassociation Request frame
Verify that RSNE, MDE, and FTE have valid information in FT
Reassociation Request frames.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-05-24 00:35:53 +03:00
Jouni Malinen
59d9994ac7 wlantest: Store PMK-R1 in STA entry
Signed-off-by: Jouni Malinen <j@w1.fi>
2020-05-23 22:01:12 +03:00
Jouni Malinen
bfc4569f89 wlantest: Store PMK-R0 length explicitly
PMK-R0 is not of fixed length, so store its length explicitly.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-05-23 21:45:20 +03:00
Jouni Malinen
7cd17a4b5e wlantest: Handle FT over-the-DS association state update cleanly
It is expected for the STA entry on the target AP to move directly from
State 1 to State 3 when performing FT over-the-DS (i.e., FT Action
Request/Response frame exchange through the old AP followed by
Reassociation Request/Response frame exchange with the target AP).

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-05-23 21:11:33 +03:00
Jouni Malinen
d73bbae492 wlantest: Do not include rt library for OS X builds
That is not needed or available by default, so simply drop it from the
build.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-04-05 18:53:59 +03:00
Jouni Malinen
d4c3964117 wlantest: Link without libwlantest
The ar operations with embedded libraries were not exactly portable
or strictly speaking necessary. Drop that library completely to make
this more portable.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-04-05 18:53:59 +03:00
Jouni Malinen
c25dc978a6 wlantest: Comment out Linux packet socket from OS X build
For now, allow wlantest to be built on OS X without support for
live sniffer capturing.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-04-05 18:53:59 +03:00
Jouni Malinen
e13f836dde wlantest: Comment out ICMP processing from OS X builds
For now, allow this to be compiled without ICMP support.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-04-05 18:53:59 +03:00
Jouni Malinen
e9db8b59c9 wlantest: Use BSD compatible UDP header struct
Signed-off-by: Jouni Malinen <j@w1.fi>
2020-04-05 18:53:59 +03:00
Jouni Malinen
116bbf7953 wlantest: Add frame number fo replay detected messages
This makes it easier to find the relevant frames.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-04-04 00:06:59 +03:00
Jouni Malinen
c8a3565947 wlantest: Remove duplicate PN/RSC prints from replay cases
The PN and RSC are already printed in the "replay detected" debug
message so there is no point in having separate hexdumps of the same
values immediately after that.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-04-04 00:04:32 +03:00
Jouni Malinen
3e537313e8 wlantest: Add debug print with frame number for decryption failures
This makes it more convenient to find the frames that could not be
decrypted.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-04-04 00:00:17 +03:00
Jouni Malinen
866c3acb8c wlantest: Do not report decryption failures for WEP keys if no keys
If no WEP keys are available, there is not going to be an attempt to
decrypt the frame, so don't claim decryption failed.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-04-03 23:56:10 +03:00
Jouni Malinen
08ac6f807d wlantest: Update PTK after rekeying even if EAPOL-Key msg 4/4 is missing
Update TPTK to PTK if a valid EAPOL-Key msg 2/4 and 3/4 are available,
but 4/4 is missing. This avoids certain cases where the new TK could be
derived, but it was not being used to try to decrypt following encrypted
frames.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-04-01 18:46:14 +03:00
Jouni Malinen
0dc58cfa95 wlantest: Do not report decryption keys when checking only zero TK
All the "Failed to decrypt frame" debug prints were confusing since
those were not supposed to be shown unless there were one or more real
TKs available. The recently added check for zero TK added these notes
for that case which is not really correct, so get rid of them.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-04-01 18:30:33 +03:00
Jouni Malinen
8e467e3cf4 wlantest: Check for zero TK even when the real PTK is not known
This makes it easier to analyze certain encryption issues. Also print
out an error at the default INFO debug verbosity with the frame number.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-03-23 17:58:43 +02:00
Alexander Wetzel
6ea7a152c6 wlantest: Basic Extended Key ID support
Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
2020-03-16 00:07:20 +02:00
Jouni Malinen
a8d2ca9e23 wlantest: Do not report PMF failure without BSS supporting PMF
Previously, missing CCMP protection on Robust Management frames was
reported based on the STA having indicated MFPC=1. That is not accurate
since the AP/BSS may have MFPC=0. Report this failure only if both the
AP and STA have indicated MFPC=1, i.e., when PMF has been negotiated for
the association.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-14 18:20:31 +02:00
Jouni Malinen
80d4122159 wlantest: Detect and report plaintext payload in protected frames
Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-14 17:36:41 +02:00
Jouni Malinen
f5f7286ba5 wlantest: Try to decrypt frame with zero TK
If none of the known PTKs have a working TK, check whether an encrypted
frame is encrypted with all zeros TK.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-02-28 23:18:59 +02:00
Jouni Malinen
f5849f1c7c wlantest: Add more notes about decryption into pcapng
Note the used TK/GTK and KeyID in frame notes when writing decrypted
frames to a PCAPNG file.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-02-28 01:30:00 +02:00
Jouni Malinen
0e3e3a9ab5 wlantest: Update BSS IEs based on EAPOL-Key msg 3/4
If no Beacon or Probe Response frame has been seen in the capture, use
the IEs from EAPOL-Key msg 3/4 to set up BSS information.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-02-28 00:51:07 +02:00
Jouni Malinen
a8a277c169 wlantest: Get STA IEs based on EAPOL-Key msg 2/4 before PTK derivation
The previous implementation tried to update STA IE information based on
EAPOL-Key msg 2/4 to be able to handle captures that do not include the
(Re)Association Request frame. This was not sufficient (OSEN was not
included) and was done too late (the parsed information is needed for
PMK-to-PTK derivation).

Move the IE update step to happen before trying to derive the PTK if no
(Re)Association Request frame has been seen.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-02-28 00:35:23 +02:00