From 4b814187acf36b74479f6bd61d3ca98ff5d5734c Mon Sep 17 00:00:00 2001 From: Mikael Kanstrup Date: Tue, 2 Apr 2019 15:50:08 +0200 Subject: [PATCH] ieee80211: Fix WPA1 decryption PTK key derivation algorithm for WPA1 uses SHA1 not MD5. MD5 is used for MIC only. To avoid regression also add a decrypt test for WPA1 with GTK rekeying. Change-Id: Iabcf40c2f74d5dbc1d72cba0718c77020d97f61f Fixes: v3.1.0rc0-342-g9cf77ec5e1 ("ieee80211: Support decrypting WPA3-Personal / SAE captures") Reviewed-on: https://code.wireshark.org/review/32691 Petri-Dish: Anders Broman Tested-by: Petri Dish Buildbot Reviewed-by: Alexis La Goutte --- epan/crypt/dot11decrypt.c | 4 ++-- test/captures/wpa1-gtk-rekey.pcapng.gz | Bin 0 -> 7114 bytes test/suite_decryption.py | 11 +++++++++++ 3 files changed, 13 insertions(+), 2 deletions(-) create mode 100644 test/captures/wpa1-gtk-rekey.pcapng.gz diff --git a/epan/crypt/dot11decrypt.c b/epan/crypt/dot11decrypt.c index fe0d2593df..5395db9638 100644 --- a/epan/crypt/dot11decrypt.c +++ b/epan/crypt/dot11decrypt.c @@ -2269,7 +2269,7 @@ Dot11DecryptDerivePtk( sa->wpa.cipher = 2; /* TKIP */ ptk_len_bits = 512; DerivePtk = Dot11DecryptRsnaPrfX; - algo = GCRY_MD_MD5; + algo = GCRY_MD_SHA1; } else if (key_version == DOT11DECRYPT_WPA_KEY_VER_AES_CCMP) { sa->wpa.cipher = 4; /* CCMP-128 */ ptk_len_bits = 384; @@ -2309,7 +2309,7 @@ Dot11DecryptRsnaPrfX( UCHAR R[100]; INT offset=sizeof("Pairwise key expansion"); UCHAR output[80]; /* allow for sha1 overflow. */ - int hash_len = (hash_algo == GCRY_MD_MD5) ? 16 : 20; + int hash_len = 20; memset(R, 0, 100); diff --git a/test/captures/wpa1-gtk-rekey.pcapng.gz b/test/captures/wpa1-gtk-rekey.pcapng.gz new file mode 100644 index 0000000000000000000000000000000000000000..88e4c067a8729c2481d676aa79367d8941d197f4 GIT binary patch literal 7114 zcmV;*8#Uw~iwFP!000001J#@dR1@3QfQN)$Ls6*`P>Lu>lis9AQ<`)vfb=d%2kAwr z(yJhXB2r>OK{}`u0g;X%T~L}-mHsE7&)jSB?#+GgWvzeKA~{JWXTDv|-h1{8Atoau zt^@$!oWyZ@9QgC@j|~J!0?@rp+2NYG9jDeYsJ^+Q1L9duLkFsGikna96fe|`A1VVC z;5o&ssN@CZbho}{1wDUWL6C?47-sy^o6O>cW+S%O2%Ea0B7<@iH9$qM?+upPD6<%&ZeqL@%6JB8vQ*&W6 z#LNJIU`Ftsh5z~Oy@LyY07AgY%9D@B-qC>w{wWdsUDCf`0DjDY5C6;Ge+kqq-#TDw ze;_d&J`Ue|hYH|PfV?GK_t&d9Ss5!^ca&|-oHZA;JPT;@8sn)H02UC5HMnSX|v7paLB+jSzt@7;P zW4qrt=ipzG0mN|j*+e`{NvAva#~LBOvEhPnNe=Q8BIpo2aKaA+@Iw+Jyp5)D!%$oMY=34v z@0W~*aR~7>Lez|ccGzTOaV$W?IQ4HB!B_v+jL7Rlf_uFL)Aa#~7N%Ln!urra;tVi7 z0^@~`c~Pzp7|Qiw9I_v)HBii_>Mez4zR@4^{cam*^gj5{`3jNdJNnuZb`w6niINXM z$>$V8i3|S_t^R)Kj7n3}<(jLTyN9Qjw~z02KmUM0KU{fUEWusR{JwhF|; z)Zt_G-&hf`8-h}H-e|a`0i4=D)BUohA^0fH{&5h;D?>Wo;e&OsMEE!nX7UXSF&5cB<{7_NV(K6MX#E5HpZbTo^q3`^pY#sC{DYx63*}yn{hcJ3 zwhFa8h#G;A`2T}E$Z@pvnP3&_I68wi9zl@f(PiX#1o|u9zuJoDtnIWo*vrCg#__&h zPp{p3^Jg4I=Eh|(M8my+mK%ze`=7;kq%Cw%;z*b7JxVPhlGSvxz>Pm}&mnOumU>h* z!^h3Paqsz$EGqwrjRv4Nd#F5bw%M|-dS93|SUP=?;HCQ=c~O$AyLN`MY%XVF&7#o~9K`Y-SmATimL&)Lbf_lzw z=Ew;1ro_N56DwIt=Ey+YM@P!F(Kdsb*-K~QR7{JrecNL0=vW&+taoU5;Cxl%_QT?N zv9fT%jCW#)Q!z-;?x0>uXnmg!pL{VhdW(T7bZ1Y%vABU8Ie%U?>CTwq*u z7Ja`!F~VMYw*JDE7lwZRYPctvgdAGM=r1Za2%b1_g-aQ_sk(kRG^hUtZ4O5=TX0=- zy!$FWk~SlkglG7?x(6Z>nZH6qzFHNx z78$*eG;n?@T`t1lLRl`(d@-Zosj?H*I|)3>r??jPO_`3FWkO|6F1UXKtKUe!87vsb z0uo^Ca^Ov+hP???)sfNeJK(7@Zx5OK2y7dzR{>$kC*J93Pi7}d@Ly(sTMfQ#F5$7e zk+DMVajoEWk^W81-eDvG0-4)g_PXT0@x^+Erv8uR~obkU%n0#yeNdyzi}{$z*2(ca(+`GD z$ivd@gQP`y(=y&{i(e65%}+9Asrw$=%-e{&oDW%dHVnnN1s1M(c;;<=opwUj8(~j- ztNSOWEInyy2xcAMEh!Q`8>8XW)#{t2=aLnaFMP==PUdd2SaMfU*V5^`nUx9N(1nf; zGB)SCmKIb>ahmLb{c(?6Zi?rQkL-NDE~7%1IyOgn{{FzX&X>Uhd3lN7v};%ClNygw znY1(|w!~_aC?{}UTZiaXY}H6gZH2x&&sy;g;x6dTnwu^_+QA5#I6)YZ8$crI8ES9R zQ_m%Mx>!-Hwt#SMv4Ti;>y0Zj>m|k|!A658F>VI)Wxd7o<>Mo_Smv1DrhrHz0h+aISt)^wv{&+ZH^)PYxo0y!! zCmve^4M*#^T-~>=!VJ!W3tFUhxs?JaH~XePTlT1u*omBN>zyIJQ8c5`=@w*rzLF~S zwEa@IIYU;%%iJ~SM)~AYz!FF0mK2-8QUZZPjgVM%%3I-yaH}H&ygAo}D^DNmOKzz< zfA%i_(dGJsSvxBS4zY&`XfoWLP%W!VYM8D>=;A0kR&?ew1wxp1Nog$eQvR7Aa9U z$3`9STG+bRm)f@0VxW2DPRB_C);ZLd+Z_F9D73%qA9#+#t_ce5m%nR)lJ4>I@HuD0484-wAs%aAC!(!!#z zbfxn_-b@Au;X-4nB<${`#Y_j?tkUkhA`$)9_|!Uqo_D7g`S4qnBD#vK;!Ngm8sw;k zi$D){q`6#<(DHLH)Nm#2sbr@i^@mVM>vvUu7gam4>DgnaPFH1aE%Ruc%<<`R4HF4> z6YiVS(H~m3!zGsN&BM=%RDI=!)+Bkg=vH5N##nRu8^QP^+t*}|0vxXxTzHs&r@U24 zH9jfMMCEXSwPJD8TJOCh)FXw`KDuvSP{PW#%M4UAc`k)8;)O&qE_5`NRMu`h^<7=M zKt1?AK0|;>e~rL?IF!6V_>{Ww8Tl8ts!J)FE}Tz1U!KF0iyI@@xC6OYY@L70>iFcP zZ-f(Oa<1(K$2c#DP7F8TZsuo}z5~P$i?^;a6s9>UKk_IIIO6ACvmzc;w{}a(Ka!m0 z(~CEC9pBJ?DR!_88+O z@CKcmRpd9AQK;bShNv31&^tbz%XAJz@6D6rzH%%L8D6^eZ15{xWc~<`ta9ifv3CW# z`P6C^->Q1XnT{0r5YJ*&1&_jTJ5S71 zFOkh27o(^)e8TmCOEzxM4xJ!nX}WgtsK~yk+oduUG)%!`PiE<| zb08UP&f|E2TQA+Dd5!K>W}Z*VnH=!y@GDTSQ*GMrV7Fgi7;T`_$jzmRR#*~@?Vv?V=L>)1Odd>{v}%Rqn>d%q0#vv2a2Ss_OzQyNn4fXVlv3}_-KwB;yK80_ zE!K)`gYh|qRG)zoh`5|$zf{4RzCC~2J3GOlc~e(Xo27!YLfC(}QT6@NhElz!cvp^l zjgPk(k_0Askl@b>IA)OF`# zbpAJ*_MOm-OrnrLX~872HZq0Jq1opOtPs@7j@X7e;`*c=FSi0y^Fq=yJg}`FYM#1)?R*H5X_1o!GKIhAhgjavr3poxb#fbD{np>P= zAf`JQ^jZID96;twxTZCX>3L;r4At^3mam=DbU937eEu5)3B+N>u091i!e=mz|F9TQ zD)8Us{14(ka-WVpYGV#{pALOIsfEWA{JnTWTB_YmTzv?)XTJaWLOf2l%2ZAyRG4qx ztw}UipH+R~0h{^_&DvE33u}{Q!Kt^_V?F*4Z<`3+JeX}wb{p_p zkI!ehEI;;uCHod_P`CQHNi<#e@|O7vG3kpZ1o5aq{-d|>Kz?6O^VccIM{CdNo^MkDL=F97O3-GG0{Jf?lRT6j%Pv?psM`8VfqA~9h% zg0{R9h+`trv2kz_&>1_)p-^44w9a=TsQ?$5}7M#D*@t(N%ILoea|B!HEK=}NU zmQTLw%u}vxupGjmAK7aIvrs{%{??UwP@@+-m@T@wlF zuR#I1#xiQgQM8PZSXBt#|CkZk-eVb6Us2n82z@;n3*pDdLOem{GtHcUD04H4bano|51T^? z-&^`cE;W^xU$zR@Pexo$l46!*&0yST{a0wI_6D;XxU?7Z6WKJ{<(d` zZ#w>$&!Rs6mq`SmU}MDo1MeYi0^caT`)O#H^zWIUJpmg#bc~qqcn2wnjpu^0$;f5_ zy$sjlNgays1*UlO+tg*%H>FLkMip=1Dd2$&pUnFT#&0?j?7=sEopsX@+I)~9FF7MgoVr_i5QBtqg`upDQ%^bh4@nh&xQA*`-g)~8St zZ!xC%pf(Zm*bU46c{|$j1*V*fiI7fDEOYv{2Gn9|cOZ$%)EmqB)ru#y;kVdtjL5H_ z_Rd{UK z*```!M$%@lsx|oxKD^qsJA1OBe*#bCew`KTP>+o`B(_oiz#EUT!i(Vpkru*ShQ3uy z&bb$r86#d~SHHYolD*FIEA}I^huGf!o&B%+)=2;q*BG&Xs-kUk;jGz-q5*^5K(4YH zHIV;DAnM&&y&i(GRrbpelgRJ-7MqhtN^7qYGsq~rzN5}9*--)IBiAJey6&&qvyOZ&8Cg^i?y#Frm6V!Q2cryJp#(mr*%4Huc z`|-==QZ&~v(62Y%B+9_+SdL%0E*%*6#buHpRQ_1jr%uEin!X)+eQG2@asn{W=YJz_ z6>t)aV9IHnM8zM3WqroIg?_}e59*%;sSn1oe}=7SFJatYOoEJuVcG69URS?is!v!F zmGccO+x@sr#5Sg!wMh_A1Qzu9Ge^}U&aKo4K&bQU4BGq(f#+9pC}RKE^!YO{W(Lb= zvSe9^DV-bh!I1fOe3iwrr@>@Z2WLdnC9*?jUOU8c2$^lF{ zA;}QgTUgeo_ZtdEjBBW5md-dV`==ib7c0g!R5HXg0gJI8!3i6dA&7Ael}t&MiUobnA#p04G!(=1TAfoe040DT_D{Jsd~|1M z^nf3KFLQpIWAqZ+Tdf!GO3T}e<<77akw_b zL~m6cc&yXitXeKWb88KYb*lQgfZp*Y6Pi<{>CHy*T3oziC)ovw@672MZ;6TLr(3HFbR82|J6wy@_)ig18>6KKp z?=|5hdIX<)EdL}+ENcS)xi#Z6YAtmVy3vl4{;PH$A3htI@rRB)m+x#zyZ$wKbI^+v z`2Ct9LY4@;5*bW&9-BPKpMk|bID%7qW$-knwHhy6=a4;}D=?)MH5PsO+
  • T2T+| z`}th_9jjdZynF9`-lwB&n|4oxbS)-0!w7vtp)W>np0H!_i*~ z{3YWQZ+brXI6^}y%j(F-U~snQ-XGXXa9>{ zNOtni`{G456-fe&x?gtJOi=gL-t$Qtc3$In(#!w+fqn4vU2a3XTlfq)f*%vgCZrur z>q=_L#76E$3W(k~RGu5=^?@d-|A@o9jD3K8Q!+zZgwZwsMsj>yuQu&YW1Ruu4si$W zh(>UumfTc3>N-=aukj4VwR|#FeI}Ok;|HtpvzYpEM>0e!3(NIJME8~!YEJamN=K6+ z=i< zn?X%Ip=SF(tcCbZEX2MBM?af`e~gXb-@}EE#|if5!h?^IH^edi5B)ZnKNw5^08UCH Am;e9( literal 0 HcmV?d00001 diff --git a/test/suite_decryption.py b/test/suite_decryption.py index 754c9bffc6..68f189588a 100644 --- a/test/suite_decryption.py +++ b/test/suite_decryption.py @@ -101,6 +101,17 @@ class case_decrypt_80211(subprocesstest.SubprocessTestCase): self.assertTrue(self.grepOutput('Who has 192.168.5.2')) self.assertTrue(self.grepOutput('DHCP ACK')) + def test_80211_wpa1_gtk_rekey(self, cmd_tshark, capture_file): + '''Decode WPA1 with multiple GTK rekeys''' + # Included in git sources test/captures/wpa1-gtk-rekey.pcapng.gz + self.assertRun((cmd_tshark, + '-o', 'wlan.enable_decryption: TRUE', + '-r', capture_file('wpa1-gtk-rekey.pcapng.gz'), + '-Y', 'wlan.analysis.tk == "d0e57d224c1bb8806089d8c23154074c" || wlan.analysis.gtk == "6eaf63f4ad7997ced353723de3029f4d" || wlan.analysis.gtk == "fb42811bcb59b7845376246454fbdab7"', + )) + self.assertTrue(self.grepOutput('DHCP Discover')) + self.assertEqual(self.countOutput('ICMP.*Echo .ping'), 8) + @fixtures.mark_usefixtures('test_env') @fixtures.uses_fixtures class case_decrypt_dtls(subprocesstest.SubprocessTestCase):