dot11decrypt: Fix decryption of MFP enabled connections
MFP enabled connections with SHA-256 key management (IEEE 802.11w) use EAPOL key version == 3. This case was missing, making decryption of such connections fail. Allow key version 3 to handle these too. Change-Id: If9e3fcc5c3bbfb46e82b39dfed5b2a74787a4f16 Reviewed-on: https://code.wireshark.org/review/36534 Reviewed-by: Peter Wu <peter@lekensteyn.nl> Petri-Dish: Peter Wu <peter@lekensteyn.nl> Tested-by: Petri Dish Buildbot Reviewed-by: Anders Broman <a.broman58@gmail.com>
parent
f998e785d5
commit
3e9ce48d24
|
@ -328,8 +328,8 @@ Dot11DecryptCopyKey(PDOT11DECRYPT_SEC_ASSOCIATION sa, PDOT11DECRYPT_KEY_ITEM key
|
|||
key->KeyData.Wpa.Cipher = sa->wpa.cipher;
|
||||
if (sa->wpa.key_ver==DOT11DECRYPT_WPA_KEY_VER_NOT_CCMP)
|
||||
key->KeyType=DOT11DECRYPT_KEY_TYPE_TKIP;
|
||||
else if (sa->wpa.key_ver == DOT11DECRYPT_WPA_KEY_VER_AES_CCMP ||
|
||||
sa->wpa.key_ver == 0)
|
||||
else if (sa->wpa.key_ver == 0 || sa->wpa.key_ver == 3 ||
|
||||
sa->wpa.key_ver == DOT11DECRYPT_WPA_KEY_VER_AES_CCMP)
|
||||
{
|
||||
switch (sa->wpa.cipher) {
|
||||
case 1:
|
||||
|
@ -1587,8 +1587,11 @@ Dot11DecryptRsna4WHandshake(
|
|||
}
|
||||
memcpy(eapol, eapol_raw, tot_len);
|
||||
|
||||
if (eapol_parsed->key_version == 0) {
|
||||
/* PTK derivation is based on Authentication Key Management Type */
|
||||
/* From IEEE 802.11-2016 12.7.2 EAPOL-Key frames */
|
||||
if (eapol_parsed->key_version == 0 || eapol_parsed->key_version == 3 ||
|
||||
eapol_parsed->key_version == DOT11DECRYPT_WPA_KEY_VER_AES_CCMP)
|
||||
{
|
||||
/* PTK derivation is based on Authentication Key Management Type */
|
||||
akm = eapol_parsed->akm;
|
||||
cipher = eapol_parsed->cipher;
|
||||
group_cipher = eapol_parsed->group_cipher;
|
||||
|
@ -1597,11 +1600,9 @@ Dot11DecryptRsna4WHandshake(
|
|||
akm = 2;
|
||||
cipher = 2;
|
||||
group_cipher = 2;
|
||||
} else if (eapol_parsed->key_version == DOT11DECRYPT_WPA_KEY_VER_AES_CCMP) {
|
||||
/* CCMP-128 */
|
||||
akm = eapol_parsed->akm;
|
||||
cipher = eapol_parsed->cipher;
|
||||
group_cipher = eapol_parsed->group_cipher;
|
||||
} else {
|
||||
DEBUG_PRINT_LINE("EAPOL key_version not supported", DEBUG_LEVEL_3);
|
||||
return DOT11DECRYPT_RET_NO_VALID_HANDSHAKE;
|
||||
}
|
||||
|
||||
/* derive the PTK from the BSSID, STA MAC, PMK, SNonce, ANonce */
|
||||
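Review bot: The new conditions in Dot11DecryptCopyKey and Dot11DecryptRsna4WHandshake compare `key_version` against the bare literals `0` and `3` next to the named `DOT11DECRYPT_WPA_KEY_VER_AES_CCMP`, and the same three-way test is written out twice. The key descriptor version is read from the captured frame, so a reader auditing which values are accepted currently has to know from IEEE 802.11-2016 12.7.2 what 0 and 3 stand for; named constants beside the existing `DOT11DECRYPT_WPA_KEY_VER_*` definitions, or a short comment such as `/* 0: AKM-defined, 3: AES-128-CMAC MIC (SHA-256 AKMs, 802.11w) */`, would make that explicit in both places. With version 3 now taking the AKM-based branch, `akm`, `cipher` and `group_cipher` come from the parsed frame instead of fixed values, so it is worth confirming that the derivation code after this hunk rejects AKM and cipher values it does not implement. Both functions start and end outside the visible hunks, so that handling cannot be checked from here.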
|
|
Binary file not shown.
|
@ -65,6 +65,19 @@ class case_decrypt_80211(subprocesstest.SubprocessTestCase):
|
|||
))
|
||||
self.assertEqual(self.countOutput('802.11.*SN=.*FN=.*Flags='), 3)
|
||||
|
||||
def test_80211_wpa2_psk_mfp(self, cmd_tshark, capture_file, features):
|
||||
'''IEEE 802.11 decode WPA2 PSK with MFP enabled (802.11w)'''
|
||||
# Included in git sources test/captures/wpa2-psk-mfp.pcapng.gz
|
||||
if not features.have_libgcrypt16:
|
||||
self.skipTest('Requires GCrypt 1.6 or later.')
|
||||
self.assertRun((cmd_tshark,
|
||||
'-o', 'wlan.enable_decryption: TRUE',
|
||||
'-r', capture_file('wpa2-psk-mfp.pcapng.gz'),
|
||||
'-Y', 'wlan.analysis.tk == 4e30e8c019bea43ea5262b10853b818d || wlan.analysis.gtk == 70cdbf2e5bc0ca22e53930818a5d80e4',
|
||||
))
|
||||
self.assertTrue(self.grepOutput('Who has 192.168.5.5')) # Verifies GTK is correct
|
||||
self.assertTrue(self.grepOutput('DHCP Request')) # Verifies TK is correct
|
||||
self.assertTrue(self.grepOutput('Echo \(ping\) request')) # Verifies TK is correct
|
||||
|
||||
def test_80211_wpa_tdls(self, cmd_tshark, capture_file, features):
|
||||
'''WPA decode traffic in a TDLS (Tunneled Direct-Link Setup) session (802.11z)'''
|
||||
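Review bot: The pattern in the last assertion of test_80211_wpa2_psk_mfp, `'Echo \(ping\) request'`, is a plain string containing `\(`, which Python treats as an invalid escape sequence (a DeprecationWarning since 3.6, a SyntaxWarning from 3.12). It matches today only because the unknown escape is kept verbatim, so it should be a raw string: `self.assertTrue(self.grepOutput(r'Echo \(ping\) request'))`. The tshark command line shown passes no key option, so the PSK for wpa2-psk-mfp.pcapng.gz appears to come from configuration outside this hunk; a one-line comment naming where it is set would help anyone reproducing a failure.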
|
|