[airpcap] Decrypt protected management frames (802.11w)

Enable decryption of Protected Management Frames by: - Authorizing decryption for robust management frame (i.e. management frame that may be encrypted): deauth, disassoc and action (Note: Assume all action frames are robust even if it is not the case) - Updating initialization of Additional Authentication Data (AAD) (don't filter-out subtype) and construct nonce (set mgmt flag) for management frames Bug: 11995 Change-Id: I7c34a021e4c49111b85d217c9272d24d0e29ecb2 Reviewed-on: https://code.wireshark.org/review/13232 Reviewed-by: Michael Mann <mmann78@netscape.net>
author: Cedric Izoard <cedric.izoard@ceva-dsp.com> 2016-01-11 14:37:09 +0100
committer: Michael Mann <mmann78@netscape.net> 2016-01-13 03:44:26 +0000
commit: e48882fd0c6cbd44d95c6c55ea3942219fd84261 (patch)
tree: 311219ef588014300e3253d1f7cbe9eb8840b9b2 /epan/crypt
parent: 42ca2a994d3720e4f396d9d64e4223c10b75d9e5 (diff)
download: wireshark-e48882fd0c6cbd44d95c6c55ea3942219fd84261.tar.gz
3 files changed, 49 insertions, 11 deletions
diff --git a/epan/crypt/airpdcap.c b/epan/crypt/airpdcap.c
index b976662a39..5b5dfb3c50 100644
--- a/epan/crypt/airpdcap.c
+++ b/epan/crypt/airpdcap.c
@@ -661,9 +661,13 @@ INT AirPDcapPacketProcess(
         return AIRPDCAP_RET_REQ_DATA;
     }
 
-    /* check if the packet is of data type */
-    if (AIRPDCAP_TYPE(data[0])!=AIRPDCAP_TYPE_DATA) {
-        AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapPacketProcess", "not data packet", AIRPDCAP_DEBUG_LEVEL_5);
+    /* check if the packet is of data or robust managment type */
+    if (!((AIRPDCAP_TYPE(data[0])==AIRPDCAP_TYPE_DATA) ||
+          (AIRPDCAP_TYPE(data[0])==AIRPDCAP_TYPE_MANAGEMENT &&
+           (AIRPDCAP_SUBTYPE(data[0])==AIRPDCAP_SUBTYPE_DISASS ||
+            AIRPDCAP_SUBTYPE(data[0])==AIRPDCAP_SUBTYPE_DEAUTHENTICATION ||
+            AIRPDCAP_SUBTYPE(data[0])==AIRPDCAP_SUBTYPE_ACTION)))) {
+        AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapPacketProcess", "not data nor robust mgmt packet", AIRPDCAP_DEBUG_LEVEL_5);
         return AIRPDCAP_RET_NO_DATA;
     }
 
@@ -682,7 +686,11 @@ INT AirPDcapPacketProcess(
     /* get BSSID */
     if ( (addr=AirPDcapGetBssidAddress((const AIRPDCAP_MAC_FRAME_ADDR4 *)(data))) != NULL) {
         memcpy(id.bssid, addr, AIRPDCAP_MAC_LEN);
+#ifdef _DEBUG
+        g_snprintf(msgbuf, MSGBUF_LEN, "BSSID_MAC: %02X.%02X.%02X.%02X.%02X.%02X\t",
+                   id.bssid[0],id.bssid[1],id.bssid[2],id.bssid[3],id.bssid[4],id.bssid[5]);
         AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapPacketProcess", msgbuf, AIRPDCAP_DEBUG_LEVEL_3);
+#endif
     } else {
         AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapPacketProcess", "BSSID not found", AIRPDCAP_DEBUG_LEVEL_5);
         return AIRPDCAP_RET_REQ_DATA;
@@ -691,7 +699,11 @@ INT AirPDcapPacketProcess(
     /* get STA address */
     if ( (addr=AirPDcapGetStaAddress((const AIRPDCAP_MAC_FRAME_ADDR4 *)(data))) != NULL) {
         memcpy(id.sta, addr, AIRPDCAP_MAC_LEN);
+#ifdef _DEBUG
+        g_snprintf(msgbuf, MSGBUF_LEN, "STA_MAC: %02X.%02X.%02X.%02X.%02X.%02X\t",
+                   id.sta[0],id.sta[1],id.sta[2],id.sta[3],id.sta[4],id.sta[5]);
         AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapPacketProcess", msgbuf, AIRPDCAP_DEBUG_LEVEL_3);
+#endif
     } else {
         AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapPacketProcess", "SA not found", AIRPDCAP_DEBUG_LEVEL_5);
         return AIRPDCAP_RET_REQ_DATA;
@@ -1590,11 +1602,11 @@ AirPDcapStoreSa(
  * key caching.  In each case, it's more important to return a value than
  * to return a _correct_ value, so we fudge addresses in some cases, e.g.
  * the BSSID in bridged connections.
- * FromDS    ToDS    Sta    BSSID
- * 0         0       addr2  addr3
- * 0         1       addr2  addr1
- * 1         0       addr1  addr2
- * 1         1       addr2  addr1
+ * FromDS    ToDS   Sta      BSSID
+ * 0         0      addr1/2  addr3
+ * 0         1      addr2    addr1
+ * 1         0      addr1    addr2
+ * 1         1      addr2    addr1
  */
 
 static const UCHAR *
@@ -1603,6 +1615,10 @@ AirPDcapGetStaAddress(
 {
     switch(AIRPDCAP_DS_BITS(frame->fc[1])) { /* Bit 1 = FromDS, bit 0 = ToDS */
         case 0:
+            if (memcmp(frame->addr2, frame->addr3, AIRPDCAP_MAC_LEN) == 0)
+                return frame->addr1;
+            else
+                return frame->addr2;
         case 1:
             return frame->addr2;
         case 2:
diff --git a/epan/crypt/airpdcap_ccmp.c b/epan/crypt/airpdcap_ccmp.c
index cedfe423e2..ac27c26181 100644
--- a/epan/crypt/airpdcap_ccmp.c
+++ b/epan/crypt/airpdcap_ccmp.c
@@ -112,6 +112,7 @@ static void ccmp_init_blocks(
 	UINT8 a[AES_BLOCK_LEN],
 	UINT8 b[AES_BLOCK_LEN])
 {
+	UINT8 mgmt = (AIRPDCAP_TYPE(wh->fc[0]) == AIRPDCAP_TYPE_MANAGEMENT);
 #define IS_4ADDRESS(wh) \
 	((wh->fc[1] & AIRPDCAP_FC1_DIR_MASK) == AIRPDCAP_FC1_DIR_DSTODS)
 #define IS_QOS_DATA(wh) AIRPDCAP_QOS_HAS_SEQ(wh)
@@ -144,7 +145,10 @@ static void ccmp_init_blocks(
 	*/
 	aad[0] = 0;     /* AAD length >> 8 */
 	/* NB: aad[1] set below */
-	aad[2] = (UINT8)(wh->fc[0] & 0x8f);    /* XXX magic #s */
+	if (!mgmt)
+		aad[2] = (UINT8)(wh->fc[0] & 0x8f);    /* XXX magic #s */
+	else
+		aad[2] = wh->fc[0];
 	aad[3] = (UINT8)(wh->fc[1] & 0xc7);    /* XXX magic #s */
 	/* NB: we know 3 addresses are contiguous */
 	memcpy(aad + 4, &wh->addr1[0], 3 * AIRPDCAP_MAC_LEN);
@@ -188,6 +192,8 @@ static void ccmp_init_blocks(
 			b0[1] = 0;
 			aad[1] = 22;
 		}
+		if (mgmt)
+			b0[1] |= 0x10; /* set MGMT flag */
 		memset(&aad[26], 0, 4);
 	}
 
diff --git a/epan/crypt/airpdcap_int.h b/epan/crypt/airpdcap_int.h
index e0d3f1ea95..ec69aece0c 100644
--- a/epan/crypt/airpdcap_int.h
+++ b/epan/crypt/airpdcap_int.h
@@ -51,8 +51,24 @@
 #define	AIRPDCAP_TYPE_CONTROL			1
 #define	AIRPDCAP_TYPE_DATA			2
 
-/* Min length of encrypted data (TKIP=25bytes, CCMP=21bytes)			*/
-#define	AIRPDCAP_CRYPTED_DATA_MINLEN	21
+/* IEEE 802.11 packet subtype values						*/
+#define AIRPDCAP_SUBTYPE_ASSOC_REQ		0
+#define AIRPDCAP_SUBTYPE_ASSOC_RESP		1
+#define AIRPDCAP_SUBTYPE_REASSOC_REQ		2
+#define AIRPDCAP_SUBTYPE_REASSOC_RESP		3
+#define AIRPDCAP_SUBTYPE_PROBE_REQ		4
+#define AIRPDCAP_SUBTYPE_PROBE_RESP		5
+#define AIRPDCAP_SUBTYPE_MEASUREMENT_PILOT	6
+#define AIRPDCAP_SUBTYPE_BEACON			8
+#define AIRPDCAP_SUBTYPE_ATIM			9
+#define AIRPDCAP_SUBTYPE_DISASS			10
+#define AIRPDCAP_SUBTYPE_AUTHENTICATION		11
+#define AIRPDCAP_SUBTYPE_DEAUTHENTICATION	12
+#define AIRPDCAP_SUBTYPE_ACTION			13
+#define AIRPDCAP_SUBTYPE_ACTION_NO_ACK		14
+
+/* Min length of encrypted data (TKIP=21bytes, CCMP=17bytes)			*/
+#define	AIRPDCAP_CRYPTED_DATA_MINLEN	17
 
 #define AIRPDCAP_TA_OFFSET	10
author	Cedric Izoard <cedric.izoard@ceva-dsp.com>	2016-01-11 14:37:09 +0100
committer	Michael Mann <mmann78@netscape.net>	2016-01-13 03:44:26 +0000
commit	e48882fd0c6cbd44d95c6c55ea3942219fd84261 (patch)
tree	311219ef588014300e3253d1f7cbe9eb8840b9b2 /epan/crypt
parent	42ca2a994d3720e4f396d9d64e4223c10b75d9e5 (diff)
download	wireshark-e48882fd0c6cbd44d95c6c55ea3942219fd84261.tar.gz