/**
 * airpdcap_rijndael.c
 *
 * $Id$
 *
 * @version 3.0 (December 2000)
 *
 * Optimised ANSI C code for the Rijndael cipher (now AES)
 *
 * @author Vincent Rijmen <vincent.rijmen@esat.kuleuven.ac.be>
 * @author Antoon Bosselaers <antoon.bosselaers@esat.kuleuven.ac.be>
 * @author Paulo Barreto <paulo.barreto@terra.com.br>
 *
 * This code is hereby placed in the public domain.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS
 * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE
 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
 * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
 * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
 * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
 * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
/******************************************************************************/
/* File includes */
/* */
#include "airpdcap_rijndael.h"

#include <string.h>
#include <glib.h>

#include "airpdcap_debug.h"
#include "aes.h"
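/* Based on RFC 3394 and NIST AES Key Wrap Specification pseudo-code.

   This function is used to unwrap an encrypted AES key. One example of its use is
   in the WPA-2 protocol to get the group key.

   Parameters:
     kek         - key-encryption key, key_len bytes long
     key_len     - length of kek in bytes; AES accepts 16, 24 or 32
     cipher_text - wrapped key: an 8-byte integrity block followed by n 64-bit
                   blocks
     cipher_len  - length of cipher_text in bytes; at least 16 and a multiple
                   of 8
     output      - caller-supplied buffer of at least (cipher_len - 8) bytes
                   that receives the unwrapped key

   Returns 0 on success. Returns 1 if an argument is invalid, or if the
   integrity check register recovered at the end does not equal the RFC 3394
   default IV (0xA6A6A6A6A6A6A6A6), which means kek is wrong or cipher_text
   was corrupted. In that last case output still holds the (meaningless)
   recovered bytes, so callers must only use output when 0 is returned.
*/
UCHAR
AES_unwrap(UCHAR *kek, UINT16 key_len, UCHAR *cipher_text, UINT16 cipher_len, UCHAR *output)
{
	/* RFC 3394 section 2.2.3.1: the default initial value that a genuine
	   key/ciphertext pair unwraps back into A. */
	static const UCHAR rfc3394_default_iv[8] = {
		0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6
	};
	UCHAR a[8];        /* integrity check register A */
	UCHAR b[16];       /* one AES block: (A xor t) || R[i] */
	UCHAR *r;
	gint16 i, j, n;
	rijndael_ctx ctx;

	/* The algorithm works on 64-bit blocks: the ciphertext is A followed by
	   n >= 1 blocks of R, so it must be at least 16 bytes long and a whole
	   number of 8-byte blocks. A length that is not a multiple of 8 would
	   leave trailing bytes in output that the loop never touches. */
	if (! kek || ! cipher_text || ! output || cipher_len < 16 || (cipher_len % 8) != 0) {
		return 1;
	}
	/* Only AES-128/192/256 key sizes are meaningful here. */
	if (key_len != 16 && key_len != 24 && key_len != 32) {
		return 1;
	}

	/* Initialize variables: A = C[0], R[1..n] = C[1..n] */
	n = (gint16)((cipher_len / 8) - 1);
	memcpy(a, cipher_text, 8);
	memcpy(output, cipher_text + 8, cipher_len - 8);

	/* The key schedule is the same for every block; compute it once rather
	   than on every iteration. */
	rijndael_set_key(&ctx, kek, key_len * 8 /*bits*/);

	/* Compute intermediate values: undo the wrapping in reverse order. */
	for (j = 5; j >= 0; --j) {
		r = output + (n - 1) * 8;
		for (i = n; i >= 1; --i) {
			/* RFC 3394 defines t as a 64-bit big-endian counter. With
			   cipher_len limited to 16 bits t never exceeds 16 bits, but
			   XOR all of its bytes so the code follows the specification
			   rather than silently truncating t to its low byte. */
			unsigned long t = (unsigned long)n * (unsigned long)j + (unsigned long)i;
			int k;

			memcpy(b, a, 8);
			for (k = 7; k >= 0 && t != 0; --k) {
				b[k] ^= (UCHAR)(t & 0xFF);
				t >>= 8;
			}
			memcpy(b + 8, r, 8);
			rijndael_decrypt(&ctx, b, b); /* NOTE: we are using the same src and dst buffer. It's ok. */
			memcpy(a, b, 8);
			memcpy(r, b + 8, 8);
			r -= 8;
		}
	}

	/* RFC 3394 step 3: the recovered A must equal the default IV, otherwise
	   the key was wrong or the wrapped data was modified. */
	if (memcmp(a, rfc3394_default_iv, 8) != 0) {
		return 1;
	}

	return 0;
}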
/* */
/******************************************************************************/