krackattacks/src/ap/taxonomy.c

/*
 * hostapd / Client taxonomy
 * Copyright (c) 2015 Google, Inc.
 *
 * This software may be distributed under the terms of the BSD license.
 * See README for more details.
 *
 * Parse a series of IEs, as in Probe Request or (Re)Association Request frames,
 * and render them to a descriptive string. The tag number of standard options
 * is written to the string, while the vendor ID and subtag are written for
 * vendor options.
 *
 * Example strings:
 * 0,1,50,45,221(00904c,51)
 * 0,1,33,36,48,45,221(00904c,51),221(0050f2,2)
 */

#include "utils/includes.h"

#include "utils/common.h"
#include "common/wpa_ctrl.h"
#include "hostapd.h"
#include "sta_info.h"


/* Copy a string with no funny schtuff allowed; only alphanumerics. */
static void no_mischief_strncpy(char *dst, const char *src, size_t n)
{
	size_t i;

	for (i = 0; i < n; i++) {
		unsigned char s = src[i];
		int is_lower = s >= 'a' && s <= 'z';
		int is_upper = s >= 'A' && s <= 'Z';
		int is_digit = s >= '0' && s <= '9';

		if (is_lower || is_upper || is_digit) {
			/* TODO: if any manufacturer uses Unicode within the
			 * WPS header, it will get mangled here. */
			dst[i] = s;
		} else {
			/* Note that even spaces will be transformed to
			 * underscores, so 'Nexus 7' will turn into 'Nexus_7'.
			 * This is deliberate, to make the string easier to
			 * parse. */
			dst[i] = '_';
		}
	}
}


static int get_wps_name(char *name, size_t name_len,
			const u8 *data, size_t data_len)
{
	/* Inside the WPS IE are a series of attributes, using two byte IDs
	 * and two byte lengths. We're looking for the model name, if
	 * present. */
	while (data_len >= 4) {
		u16 id, elen;

		id = WPA_GET_BE16(data);
		elen = WPA_GET_BE16(data + 2);
		data += 4;
		data_len -= 4;

		if (elen > data_len)
			return 0;

		if (id == 0x1023) {
			/* Model name, like 'Nexus 7' */
			size_t n = (elen < name_len) ? elen : name_len;
			no_mischief_strncpy(name, (const char *) data, n);
			return n;
		}

		data += elen;
		data_len -= elen;
	}

	return 0;
}


static void ie_to_string(char *fstr, size_t fstr_len, const struct wpabuf *ies)
{
	char *fpos = fstr;
	char *fend = fstr + fstr_len;
	char htcap[7 + 4 + 1]; /* ",htcap:" + %04hx + trailing NUL */
	char htagg[7 + 2 + 1]; /* ",htagg:" + %02hx + trailing NUL */
	char htmcs[7 + 8 + 1]; /* ",htmcs:" + %08x + trailing NUL */
	char vhtcap[8 + 8 + 1]; /* ",vhtcap:" + %08x + trailing NUL */
	char vhtrxmcs[10 + 8 + 1]; /* ",vhtrxmcs:" + %08x + trailing NUL */
	char vhttxmcs[10 + 8 + 1]; /* ",vhttxmcs:" + %08x + trailing NUL */
#define MAX_EXTCAP	254
	char extcap[8 + 2 * MAX_EXTCAP + 1]; /* ",extcap:" + hex + trailing NUL
					      */
	char txpow[7 + 4 + 1]; /* ",txpow:" + %04hx + trailing NUL */
#define WPS_NAME_LEN		32
	char wps[WPS_NAME_LEN + 5 + 1]; /* room to prepend ",wps:" + trailing
					 * NUL */
	int num = 0;
	const u8 *ie;
	size_t ie_len;
	int ret;

	os_memset(htcap, 0, sizeof(htcap));
	os_memset(htagg, 0, sizeof(htagg));
	os_memset(htmcs, 0, sizeof(htmcs));
	os_memset(vhtcap, 0, sizeof(vhtcap));
	os_memset(vhtrxmcs, 0, sizeof(vhtrxmcs));
	os_memset(vhttxmcs, 0, sizeof(vhttxmcs));
	os_memset(extcap, 0, sizeof(extcap));
	os_memset(txpow, 0, sizeof(txpow));
	os_memset(wps, 0, sizeof(wps));
	*fpos = '\0';

	if (!ies)
		return;
	ie = wpabuf_head(ies);
	ie_len = wpabuf_len(ies);

	while (ie_len >= 2) {
		u8 id, elen;
		char *sep = (num++ == 0) ? "" : ",";

		id = *ie++;
		elen = *ie++;
		ie_len -= 2;

		if (elen > ie_len)
			break;

		if (id == WLAN_EID_VENDOR_SPECIFIC && elen >= 4) {
			/* Vendor specific */
			if (WPA_GET_BE32(ie) == WPS_IE_VENDOR_TYPE) {
				/* WPS */
				char model_name[WPS_NAME_LEN + 1];
				const u8 *data = &ie[4];
				size_t data_len = elen - 4;

				os_memset(model_name, 0, sizeof(model_name));
				if (get_wps_name(model_name, WPS_NAME_LEN, data,
						 data_len)) {
					os_snprintf(wps, sizeof(wps),
						    ",wps:%s", model_name);
				}
			}

			ret = os_snprintf(fpos, fend - fpos,
					  "%s%d(%02x%02x%02x,%d)",
					  sep, id, ie[0], ie[1], ie[2], ie[3]);
		} else {
			if (id == WLAN_EID_HT_CAP && elen >= 2) {
				/* HT Capabilities (802.11n) */
				os_snprintf(htcap, sizeof(htcap),
					    ",htcap:%04hx",
					    WPA_GET_LE16(ie));
			}
			if (id == WLAN_EID_HT_CAP && elen >= 3) {
				/* HT Capabilities (802.11n), A-MPDU information
				 */
				os_snprintf(htagg, sizeof(htagg),
					    ",htagg:%02hx", (u16) ie[2]);
			}
			if (id == WLAN_EID_HT_CAP && elen >= 7) {
				/* HT Capabilities (802.11n), MCS information */
				os_snprintf(htmcs, sizeof(htmcs),
					    ",htmcs:%08hx",
					    (u16) WPA_GET_LE32(ie + 3));
			}
			if (id == WLAN_EID_VHT_CAP && elen >= 4) {
				/* VHT Capabilities (802.11ac) */
				os_snprintf(vhtcap, sizeof(vhtcap),
					    ",vhtcap:%08x",
					    WPA_GET_LE32(ie));
			}
			if (id == WLAN_EID_VHT_CAP && elen >= 8) {
				/* VHT Capabilities (802.11ac), RX MCS
				 * information */
				os_snprintf(vhtrxmcs, sizeof(vhtrxmcs),
					    ",vhtrxmcs:%08x",
					    WPA_GET_LE32(ie + 4));
			}
			if (id == WLAN_EID_VHT_CAP && elen >= 12) {
				/* VHT Capabilities (802.11ac), TX MCS
				 * information */
				os_snprintf(vhttxmcs, sizeof(vhttxmcs),
					    ",vhttxmcs:%08x",
					    WPA_GET_LE32(ie + 8));
			}
			if (id == WLAN_EID_EXT_CAPAB) {
				/* Extended Capabilities */
				int i;
				int len = (elen < MAX_EXTCAP) ? elen :
					MAX_EXTCAP;
				char *p = extcap;

				p += os_snprintf(extcap, sizeof(extcap),
						 ",extcap:");
				for (i = 0; i < len; i++) {
					int lim;

					lim = sizeof(extcap) -
						os_strlen(extcap);
					if (lim <= 0)
						break;
					p += os_snprintf(p, lim, "%02x",
							 *(ie + i));
				}
			}
			if (id == WLAN_EID_PWR_CAPABILITY && elen == 2) {
				/* TX Power */
				os_snprintf(txpow, sizeof(txpow),
					    ",txpow:%04hx",
					    WPA_GET_LE16(ie));
			}

			ret = os_snprintf(fpos, fend - fpos, "%s%d", sep, id);
		}
		if (os_snprintf_error(fend - fpos, ret))
			goto fail;
		fpos += ret;

		ie += elen;
		ie_len -= elen;
	}

	ret = os_snprintf(fpos, fend - fpos, "%s%s%s%s%s%s%s%s%s",
			  htcap, htagg, htmcs, vhtcap, vhtrxmcs, vhttxmcs,
			  txpow, extcap, wps);
	if (os_snprintf_error(fend - fpos, ret)) {
	fail:
		fstr[0] = '\0';
	}
}


int retrieve_sta_taxonomy(const struct hostapd_data *hapd,
			  struct sta_info *sta, char *buf, size_t buflen)
{
	int ret;
	char *pos, *end;

	if (!sta->probe_ie_taxonomy || !sta->assoc_ie_taxonomy)
		return 0;

	ret = os_snprintf(buf, buflen, "wifi4|probe:");
	if (os_snprintf_error(buflen, ret))
		return 0;
	pos = buf + ret;
	end = buf + buflen;

	ie_to_string(pos, end - pos, sta->probe_ie_taxonomy);
	pos = os_strchr(pos, '\0');
	if (pos >= end)
		return 0;
	ret = os_snprintf(pos, end - pos, "|assoc:");
	if (os_snprintf_error(end - pos, ret))
		return 0;
	pos += ret;
	ie_to_string(pos, end - pos, sta->assoc_ie_taxonomy);
	pos = os_strchr(pos, '\0');
	return pos - buf;
}


void taxonomy_sta_info_probe_req(const struct hostapd_data *hapd,
				 struct sta_info *sta,
				 const u8 *ie, size_t ie_len)
{
	wpabuf_free(sta->probe_ie_taxonomy);
	sta->probe_ie_taxonomy = wpabuf_alloc_copy(ie, ie_len);
}


void taxonomy_hostapd_sta_info_probe_req(const struct hostapd_data *hapd,
					 struct hostapd_sta_info *info,
					 const u8 *ie, size_t ie_len)
{
	wpabuf_free(info->probe_ie_taxonomy);
	info->probe_ie_taxonomy = wpabuf_alloc_copy(ie, ie_len);
}


void taxonomy_sta_info_assoc_req(const struct hostapd_data *hapd,
				 struct sta_info *sta,
				 const u8 *ie, size_t ie_len)
{
	wpabuf_free(sta->assoc_ie_taxonomy);
	sta->assoc_ie_taxonomy = wpabuf_alloc_copy(ie, ie_len);
}