1 /*
2  * Received frame processing for wired interface
3  * Copyright (c) 2010, Jouni Malinen <j@w1.fi>
4  *
5  * This software may be distributed under the terms of the BSD license.
6  * See README for more details.
7  */
8 
9 #include "utils/includes.h"
10 #include <net/ethernet.h>
11 #include <netinet/ip.h>
12 #include <netinet/udp.h>
13 
14 #include "utils/common.h"
15 #include "radius/radius.h"
16 #include "wlantest.h"
17 
18 
radius_get(struct wlantest * wt,u32 srv,u32 cli)19 static struct wlantest_radius * radius_get(struct wlantest *wt, u32 srv,
20 					   u32 cli)
21 {
22 	struct wlantest_radius *r;
23 
24 	dl_list_for_each(r, &wt->radius, struct wlantest_radius, list) {
25 		if (r->srv == srv && r->cli == cli)
26 			return r;
27 	}
28 
29 	r = os_zalloc(sizeof(*r));
30 	if (r == NULL)
31 		return NULL;
32 
33 	r->srv = srv;
34 	r->cli = cli;
35 	dl_list_add(&wt->radius, &r->list);
36 
37 	return r;
38 }
39 
40 
radius_code_string(u8 code)41 static const char * radius_code_string(u8 code)
42 {
43 	switch (code) {
44 	case RADIUS_CODE_ACCESS_REQUEST:
45 		return "Access-Request";
46 	case RADIUS_CODE_ACCESS_ACCEPT:
47 		return "Access-Accept";
48 	case RADIUS_CODE_ACCESS_REJECT:
49 		return "Access-Reject";
50 	case RADIUS_CODE_ACCOUNTING_REQUEST:
51 		return "Accounting-Request";
52 	case RADIUS_CODE_ACCOUNTING_RESPONSE:
53 		return "Accounting-Response";
54 	case RADIUS_CODE_ACCESS_CHALLENGE:
55 		return "Access-Challenge";
56 	case RADIUS_CODE_STATUS_SERVER:
57 		return "Status-Server";
58 	case RADIUS_CODE_STATUS_CLIENT:
59 		return "Status-Client";
60 	case RADIUS_CODE_RESERVED:
61 		return "Reserved";
62 	default:
63 		return "?Unknown?";
64 	}
65 }
66 
67 
process_radius_access_request(struct wlantest * wt,u32 dst,u32 src,const u8 * data,size_t len)68 static void process_radius_access_request(struct wlantest *wt, u32 dst,
69 					  u32 src, const u8 *data, size_t len)
70 {
71 	struct radius_msg *msg;
72 	struct wlantest_radius *r;
73 
74 	msg = radius_msg_parse(data, len);
75 	if (msg == NULL) {
76 		wpa_printf(MSG_DEBUG, "Failed to parse RADIUS Access-Request");
77 		return;
78 	}
79 
80 	r = radius_get(wt, dst, src);
81 	if (r) {
82 		radius_msg_free(r->last_req);
83 		r->last_req = msg;
84 		return;
85 	}
86 	radius_msg_free(msg);
87 }
88 
89 
wlantest_add_pmk(struct wlantest * wt,const u8 * pmk,size_t pmk_len)90 static void wlantest_add_pmk(struct wlantest *wt, const u8 *pmk, size_t pmk_len)
91 {
92 	struct wlantest_pmk *p;
93 
94 	p = os_zalloc(sizeof(*p));
95 	if (p == NULL)
96 		return;
97 	os_memcpy(p->pmk, pmk, pmk_len);
98 	p->pmk_len = pmk_len;
99 	dl_list_add(&wt->pmk, &p->list);
100 	wpa_hexdump(MSG_INFO, "Add PMK", pmk, pmk_len);
101 }
102 
103 
process_radius_access_accept(struct wlantest * wt,u32 dst,u32 src,const u8 * data,size_t len)104 static void process_radius_access_accept(struct wlantest *wt, u32 dst, u32 src,
105 					 const u8 *data, size_t len)
106 {
107 	struct radius_msg *msg;
108 	struct wlantest_radius *r;
109 	struct radius_ms_mppe_keys *keys;
110 	struct wlantest_radius_secret *s;
111 
112 	r = radius_get(wt, src, dst);
113 	if (r == NULL || r->last_req == NULL) {
114 		wpa_printf(MSG_DEBUG, "No RADIUS Access-Challenge found for "
115 			   "decrypting Access-Accept keys");
116 		return;
117 	}
118 
119 	msg = radius_msg_parse(data, len);
120 	if (msg == NULL) {
121 		wpa_printf(MSG_DEBUG, "Failed to parse RADIUS Access-Accept");
122 		return;
123 	}
124 
125 	dl_list_for_each(s, &wt->secret, struct wlantest_radius_secret, list) {
126 		int found = 0;
127 		keys = radius_msg_get_ms_keys(msg, r->last_req,
128 					      (u8 *) s->secret,
129 					      os_strlen(s->secret));
130 		if (keys && keys->send && keys->recv) {
131 			u8 pmk[PMK_LEN_MAX];
132 			size_t pmk_len, len2;
133 
134 			wpa_hexdump_key(MSG_DEBUG, "MS-MPPE-Send-Key",
135 					keys->send, keys->send_len);
136 			wpa_hexdump_key(MSG_DEBUG, "MS-MPPE-Recv-Key",
137 					keys->recv, keys->recv_len);
138 			pmk_len = keys->recv_len;
139 			if (pmk_len > PMK_LEN_MAX)
140 				pmk_len = PMK_LEN_MAX;
141 			os_memcpy(pmk, keys->recv, pmk_len);
142 			if (pmk_len < PMK_LEN_MAX) {
143 				len2 = keys->send_len;
144 				if (pmk_len + len2 > PMK_LEN_MAX)
145 					len2 = PMK_LEN_MAX - pmk_len;
146 				os_memcpy(pmk + pmk_len, keys->send, len2);
147 				pmk_len += len2;
148 			}
149 			wlantest_add_pmk(wt, pmk, pmk_len);
150 			found = 1;
151 		}
152 
153 		if (keys) {
154 			os_free(keys->send);
155 			os_free(keys->recv);
156 			os_free(keys);
157 		}
158 
159 		if (found)
160 			break;
161 	}
162 
163 	radius_msg_free(msg);
164 }
165 
166 
process_radius(struct wlantest * wt,u32 dst,u16 dport,u32 src,u16 sport,const u8 * data,size_t len)167 static void process_radius(struct wlantest *wt, u32 dst, u16 dport, u32 src,
168 			   u16 sport, const u8 *data, size_t len)
169 {
170 	struct in_addr addr;
171 	char buf[20];
172 	const struct radius_hdr *hdr;
173 	u16 rlen;
174 
175 	if (len < sizeof(*hdr))
176 		return;
177 	hdr = (const struct radius_hdr *) data;
178 	rlen = be_to_host16(hdr->length);
179 	if (len < rlen)
180 		return;
181 	if (len > rlen)
182 		len = rlen;
183 
184 	addr.s_addr = dst;
185 	snprintf(buf, sizeof(buf), "%s", inet_ntoa(addr));
186 
187 	addr.s_addr = src;
188 	wpa_printf(MSG_DEBUG, "RADIUS %s:%u -> %s:%u id=%u %s",
189 		   inet_ntoa(addr), sport, buf, dport, hdr->identifier,
190 		   radius_code_string(hdr->code));
191 
192 	switch (hdr->code) {
193 	case RADIUS_CODE_ACCESS_REQUEST:
194 		process_radius_access_request(wt, dst, src, data, len);
195 		break;
196 	case RADIUS_CODE_ACCESS_ACCEPT:
197 		process_radius_access_accept(wt, dst, src, data, len);
198 		break;
199 	}
200 }
201 
202 
process_udp(struct wlantest * wt,u32 dst,u32 src,const u8 * data,size_t len)203 static void process_udp(struct wlantest *wt, u32 dst, u32 src,
204 			const u8 *data, size_t len)
205 {
206 	const struct udphdr *udp;
207 	u16 sport, dport, ulen;
208 	const u8 *payload;
209 	size_t plen;
210 
211 	if (len < sizeof(*udp))
212 		return;
213 	udp = (const struct udphdr *) data;
214 	/* TODO: check UDP checksum */
215 	sport = be_to_host16(udp->uh_sport);
216 	dport = be_to_host16(udp->uh_dport);
217 	ulen = be_to_host16(udp->uh_ulen);
218 
219 	if (ulen > len)
220 		return;
221 	if (len < ulen)
222 		len = ulen;
223 
224 	payload = (const u8 *) (udp + 1);
225 	plen = len - sizeof(*udp);
226 
227 	if (sport == 1812 || dport == 1812)
228 		process_radius(wt, dst, dport, src, sport, payload, plen);
229 }
230 
231 
process_ipv4(struct wlantest * wt,const u8 * data,size_t len)232 static void process_ipv4(struct wlantest *wt, const u8 *data, size_t len)
233 {
234 	const struct ip *ip;
235 	const u8 *payload;
236 	size_t plen;
237 	uint16_t frag_off, ip_len;
238 
239 	if (len < sizeof(*ip))
240 		return;
241 
242 	ip = (const struct ip *) data;
243 	if (ip->ip_v != 4)
244 		return;
245 	if (ip->ip_hl < 5)
246 		return;
247 
248 	/* TODO: check header checksum in ip->check */
249 
250 	frag_off = be_to_host16(ip->ip_off);
251 	if (frag_off & 0x1fff) {
252 		wpa_printf(MSG_EXCESSIVE, "IP fragment reassembly not yet "
253 			   "supported");
254 		return;
255 	}
256 
257 	ip_len = be_to_host16(ip->ip_len);
258 	if (ip_len > len)
259 		return;
260 	if (ip_len < len)
261 		len = ip_len;
262 
263 	payload = data + 4 * ip->ip_hl;
264 	plen = len - 4 * ip->ip_hl;
265 	if (payload + plen > data + len)
266 		return;
267 
268 	switch (ip->ip_p) {
269 	case IPPROTO_UDP:
270 		process_udp(wt, ip->ip_dst.s_addr, ip->ip_src.s_addr,
271 			    payload, plen);
272 		break;
273 	}
274 }
275 
276 
wlantest_process_wired(struct wlantest * wt,const u8 * data,size_t len)277 void wlantest_process_wired(struct wlantest *wt, const u8 *data, size_t len)
278 {
279 	const struct ether_header *eth;
280 	u16 ethertype;
281 
282 	wpa_hexdump(MSG_EXCESSIVE, "Process wired frame", data, len);
283 
284 	if (len < sizeof(*eth))
285 		return;
286 
287 	eth = (const struct ether_header *) data;
288 	ethertype = be_to_host16(eth->ether_type);
289 
290 	switch (ethertype) {
291 	case ETHERTYPE_IP:
292 		process_ipv4(wt, data + sizeof(*eth), len - sizeof(*eth));
293 		break;
294 	}
295 }
296