I'm reasonably sure that I introduced this bug and I apologize for the problems
with my previous patch. The problem is that I did not use all of the seen
keys, I used all except the first key, which in a case of one key is none.
The attached patch fixes the error.
svn path=/trunk/; revision=29843
its own crypt-aes.
change the integer types to glib style integers
this may/will be helpful if/when we implement our own version of
kerberos
aes decryption of dcerpc since the existing libraries can not (yet)
handle when header signing is used.
we should implement our own decryption of this for cfx+aes just as we
did for classic+arcfour
svn path=/trunk/; revision=29228
Airpdcap does not allow for more than one key to be stored for a pair of nodes.
This means that when a device associates more than once the previous keys are
lost. This is ok for the first pass as the newest key is all that is needed
but when the user tries to click on a packet, to get the tree, which used a
previous key all that is seen is the encrypted data. The attached patch stores
previous associations in a linked list and will try all known keys before
decided the packet can't be decrypted. The list of keys is garbage collected
when a new capture is started.
svn path=/trunk/; revision=28449
Although this patch successfully recognizes group keys and decrypts packets
properly using the group key, there is a limitation. If an AP is using key
rotation, clicking on individual packets in a trace may not properly decrypt a
packet encrypted with a group key. This is because the current structure used
in Wireshark only supports one active unicast and one active group key. If a
new key has been seen, but you are looking at a packet encrypted with an older
key, it will not decrypt. The summary lines, however, do show the packets
properly decrypted.
I've written up a much longer and more detailed explanation in a comment in the
code, along with a proposed idea for a solution, plus a clunky work-around in
the GUI when using the current code.
I also suspect there might still be a problem with decrypting TKIP groups keys
that are sent using WPA2 authentication. In the most common operation, if you
are using WPA2, you'll also be using AES keys. It's not a common AP
configuration to use WPA2 with TKIP. In fact, most APs don't seem to support
it. Since it is an uncommon setup, I haven't put aside the time to test this
patch against such an AP. I do have access to an AP that supports this, so
when I have the time I'll test it and if needed, will submit another patch to
handle that odd-ball condition.
From me:
Remove the decrypt element of s_rijndael_ctx (which was unused, as indicated
in the comments).
Preserve the GPL licensing text in several files (which the patch shouldn't
have removed).
Remove changes that added whitespace.
Convert C++-style comments to C-style.
Update to include recent SVN changes (e.g. renaming variables named "index").
Remove extraneous printf's.
Define DEBUG_DUMP in airpdcap_debug.h.
Comment out some instances of DEBUG_DUMP.
Change malloc/free to g_malloc/g_free.
Use g_memdup instead of allocating and copying.
Use gint16 instead of INT16 in airpdcap_rijndael.c.
Add Brian to AUTHORS.
svn path=/trunk/; revision=25879
still declared by <string.h> on some platforms (at least the way we
compile, with all sorts of non-ANSI C/non-POSIX stuff added).
svn path=/trunk/; revision=25551
- Change ugly GLIB version checking statements to GLIB_CHECK_VERSION
- Remove ws_strsplit files because we no longer need to borrow GLIB2's
g_strsplit code for the no longer supported GLIB1 builds
svn path=/trunk/; revision=24829
and call AirPDcapInitContext() where we were previously calling
AirPDcapCleanKeys(). If we're resetting our keys, we should reset our
SA list and other associated data as well.
svn path=/trunk/; revision=24562
est. Use g_ascii_strcasecmp() and g_ascii_strncasecmp(), and supply our
own versions if they're missing from GLib (as is the case with GLib
1.x).
In the code to build the list of named fields for Diameter, don't use
g_strdown(); do our own g_ascii_-style upper-case to lower-case mapping
in the hash function and use g_ascii_strcasecmp() in the compare
function.
We do this because there is no guarantee that toupper(), tolower(), and
functions that use them will, for example, map between "I" and "i" in
all locales; in Turkish locales, for example, there are, in both
upper case and lower case, versions of "i" with and without a dot, and
the upper-case version of "i" is "I"-with-a-dot and the lower-case
version of "I" is "i"-without-a-dot. This causes strings that should
match not to match.
This finishes fixing bug 2010 - an earlier checkin prevented the crash
(as there are other ways to produce the same crash, e.g. a bogus
dictionary.xml file), but didn't fix the case-insensitive string matching.
svn path=/trunk/; revision=23623
process WEP keys. Allow the "wep:" prefix for WEP keys even when
HAVE_AIRPDCAP isn't defined. Add a NULL pointer check to
hex_str_to_bytes(). Fixes bug 1584.
Fixup indentation.
svn path=/trunk/; revision=22151
the WEP/WPA decryption code instead of re-calculating it. Fixes bug
1639.
Remove fcsPresent, radiotapPresent, and associated code from airpdcap.c
since they were always FALSE. Glib-ize some data types. Fixup white
space.
Update the release notes.
svn path=/trunk/; revision=22104
boundary; make it an array of 16 guint32's rather than 64 guint8's, to
ensure that, and add now-necessary casts and remove now-unnecessary
casts.
(Missed on the previous checkin.)
svn path=/trunk/; revision=21541
boundary; make it an array of 16 guint32's rather than 64 guint8's, to
ensure that, and add now-necessary casts and remove now-unnecessary
casts.
svn path=/trunk/; revision=21540
Use the "pnto" macros to fetch 16-bit quantities from a buffer - not
only do they have the right casts to avoid const warnings, they also
work even on platforms (such as SPARC) where you can't dereference
unaligned pointers without a trap.
Similarly, compare a possibly-unaligned (we make no alignment guarantees
in Wireshark) 16-bit quantity against 0 a byte at a time.
svn path=/trunk/; revision=21507
care about, and this code doesn't use GTK+, so it doesn't include any
GTK+ headers and therefore doesn't get the GTK+ version number defined.
svn path=/trunk/; revision=21506
(Temporarily disable the warnings as errors default on Unix to get
to get the buildbots and people with gcc40 going again until those
additional warnings gcc40 generates can be fixed-I'm working on it
ASAP)
Patch for configure.in which disables by default the treatment of
warnings as errors.
It can be enabled with './configure --with-warnings-as-errors'.
The macro will test first if GCC is present. If it's the case,
HAVE_WARNINGS_AS_ERRORS is defined. All the USING_GCC have been replaced
by HAVE_WARNINGS_AS_ERRORS.
With this switch, people won't suffer from unexpected warnings when
downloading svn sources during the transition time ;)
svn path=/trunk/; revision=21153
problems, and there's no guarantee that _SIZE_T is defined on all ANSI C
platforms, so you might end up with a redefinition and a compile failure.
svn path=/trunk/; revision=20931
Create two new files (ws_strsplit.[ch]) that use GTK2 code to override
the buggy g_strsplit() function when compiling for GTK1. Include this
work-around function (ws_strsplit) in libwireshark.def. Add notes on usage
to README.developer. Include epan/ws_strsplit.h in all files that use
g_strsplit().
svn path=/trunk/; revision=20804
http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1289
Rename 'svnversion' to 'wireshark_svnversion' to resolve a symbol conflict with
GTK 2.10.6 (hmm, shouldn't GTK not be exporting that symbol or at least naming
it so as to prevent such collisions? Well, so should we, so...)
From Andreas Fink: change #ifdef for size_t in airdcap_interop.h to fix
compile on MacOS X.
svn path=/trunk/; revision=20726
the lack of SSID). Wildcarding combines the passphrase with the last
seen SSID and attempts decryption. The last-seen stack is only one
element tall, which means it may get clobbered on busy and diverse
networks. We can expand it if needed.
Make internal functions static in airpdcap.c. Rearrange the
AIRPDCAP_KEY_ITEM struct so that the passphrase and SSID don't get
clobbered when we set our PSK.
svn path=/trunk/; revision=20572
to GByteArrays. Add format_uri() to strutil, which formats a byte string
with percent-escapes. Fixup whitespace and indentation.
svn path=/trunk/; revision=20397
functions to strutil. Use GByteArrays to store SSIDs for decryption,
and let the user specify arbitrary byte strings using percent-encoded
strings. We should probably add percent encoding for pass phrases as
well, so you can escape the ":" character.
Move the key struct key conversion utilities to airpdcap.c, and remove
duplicate code from packet-ieee80211.c. Fix a lot of indentation.
svn path=/trunk/; revision=20388
maybe the definitions from Makefile.common should better be used - the current Makefile.nmake looks a bit strange compared to others ;-)
svn path=/trunk/; revision=20281
Here are some patches needed to build using HAVE_AIRPCAP
on MingW:
* airpcap.h needs 'WEP_KEY_MAX_SIZE' from <epan/crypt/wep-wpadefs.h>.
* airpcap_loader.h needs <epan/crypt/airpdcap_user.h> and definition of
'decryption_key_t'.
* epan/crypt/airpdcap_interop.h defines 'ntohs()' before <winsock2.h>
gets included. Thus creating a parse error later on.
svn path=/trunk/; revision=20274
#ifdef, and add a link to a -dev mailing list thread pointing out that
it may not be necessary. Fixup whitespace and comments.
svn path=/trunk/; revision=20256
are made, so that if libwireshark is shared, the crypt library is built
appropriately. (This squelches a build warning, at least in OS X, that
linking a shared library with a static library is non-portable; it
should also arrange that the crypt library is built as
position-independent code if necessary.)
DISTCLEANFILES subsumes CLEANFILES, so it doesn't need to list files
already in CLEANFILES.
svn path=/trunk/; revision=20237
distcheck failure. Move the nmake build targets for airpdcap from
epan/dissectors to epan. This will probably break the Windows build.
svn path=/trunk/; revision=20231