search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Witness: set col_info for interfaceInfo_state
[wireshark-wip.git] / epan / crypt / airpdcap.c
blob760fbed49becf9fd33b5a521fd9d1df9a6859184
1 /* airpdcap.c
2 *
3 * $Id$
4 * Copyright (c) 2006 CACE Technologies, Davis (California)
5 * All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 * 3. Neither the name of the project nor the names of its contributors
16 * may be used to endorse or promote products derived from this software
17 * without specific prior written permission.
18 *
19 * Alternatively, this software may be distributed under the terms of the
20 * GNU General Public License ("GPL") version 2 as published by the Free
21 * Software Foundation.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33 * SUCH DAMAGE.
34 */
35
36 /****************************************************************************/
37 /* File includes */
38
39 #include "config.h"
40
41 #include <glib.h>
42
43 #include <wsutil/crc32.h>
44 #include <wsutil/rc4.h>
45 #include <wsutil/sha1.h>
46 #include <wsutil/md5.h>
47 #include <wsutil/pint.h>
48
49 #include <epan/tvbuff.h>
50 #include <epan/to_str.h>
51 #include <epan/strutil.h>
52 #include <epan/emem.h>
53 #include <epan/crypt/airpdcap_rijndael.h>
54
55 #include "airpdcap_system.h"
56 #include "airpdcap_int.h"
57
58 #include "airpdcap_debug.h"
59
60 #include "wep-wpadefs.h"
61
62
63 /****************************************************************************/
64
65 /****************************************************************************/
66 /* Constant definitions */
67
68 #define AIRPDCAP_SHA_DIGEST_LEN 20
69
70 /* EAPOL definitions */
71 /**
72 * Length of the EAPOL-Key key confirmation key (KCK) used to calculate
73 * MIC over EAPOL frame and validate an EAPOL packet (128 bits)
74 */
75 #define AIRPDCAP_WPA_KCK_LEN 16
76 /**
77 *Offset of the Key MIC in the EAPOL packet body
78 */
79 #define AIRPDCAP_WPA_MICKEY_OFFSET 77
80 /**
81 * Maximum length of the EAPOL packet (it depends on the maximum MAC
82 * frame size)
83 */
84 #define AIRPDCAP_WPA_MAX_EAPOL_LEN 4095
85 /**
86 * EAPOL Key Descriptor Version 1, used for all EAPOL-Key frames to and
87 * from a STA when neither the group nor pairwise ciphers are CCMP for
88 * Key Descriptor 1.
89 * @note
90 * Defined in 802.11i-2004, page 78
91 */
92 #define AIRPDCAP_WPA_KEY_VER_NOT_CCMP 1
93 /**
94 * EAPOL Key Descriptor Version 2, used for all EAPOL-Key frames to and
95 * from a STA when either the pairwise or the group cipher is AES-CCMP
96 * for Key Descriptor 2.
97 * /note
98 * Defined in 802.11i-2004, page 78
99 */
100 #define AIRPDCAP_WPA_KEY_VER_AES_CCMP 2
101
102 /** Define EAPOL Key Descriptor type values: use 254 for WPA and 2 for WPA2 **/
103 #define AIRPDCAP_RSN_WPA_KEY_DESCRIPTOR 254
104 #define AIRPDCAP_RSN_WPA2_KEY_DESCRIPTOR 2
105
106 /****************************************************************************/
107
108
109
110 /****************************************************************************/
111 /* Macro definitions */
112
113 extern const UINT32 crc32_table[256];
114 #define CRC(crc, ch) (crc = (crc >> 8) ^ crc32_table[(crc ^ (ch)) & 0xff])
115
116 #define AIRPDCAP_GET_TK(ptk) (ptk + 32)
117
118 /****************************************************************************/
119
120 /****************************************************************************/
121 /* Type definitions */
122
123 /* Internal function prototype declarations */
124
125 #ifdef __cplusplus
126 extern "C" {
127 #endif
128
129 /**
130 * It is a step of the PBKDF2 (specifically the PKCS #5 v2.0) defined in
131 * the RFC 2898 to derive a key (used as PMK in WPA)
132 * @param ppbytes [IN] pointer to a password (sequence of between 8 and
133 * 63 ASCII encoded characters)
134 * @param ssid [IN] pointer to the SSID string encoded in max 32 ASCII
135 * encoded characters
136 * @param iterations [IN] times to hash the password (4096 for WPA)
137 * @param count [IN] ???
138 * @param output [OUT] pointer to a preallocated buffer of
139 * AIRPDCAP_SHA_DIGEST_LEN characters that will contain a part of the key
140 */
141 static INT AirPDcapRsnaPwd2PskStep(
142 const guint8 *ppbytes,
143 const guint passLength,
144 const CHAR *ssid,
145 const size_t ssidLength,
146 const INT iterations,
147 const INT count,
148 UCHAR *output)
149 ;
150
151 /**
152 * It calculates the passphrase-to-PSK mapping reccomanded for use with
153 * RSNAs. This implementation uses the PBKDF2 method defined in the RFC
154 * 2898.
155 * @param passphrase [IN] pointer to a password (sequence of between 8 and
156 * 63 ASCII encoded characters)
157 * @param ssid [IN] pointer to the SSID string encoded in max 32 ASCII
158 * encoded characters
159 * @param output [OUT] calculated PSK (to use as PMK in WPA)
160 * @note
161 * Described in 802.11i-2004, page 165
162 */
163 static INT AirPDcapRsnaPwd2Psk(
164 const CHAR *passphrase,
165 const CHAR *ssid,
166 const size_t ssidLength,
167 UCHAR *output)
168 ;
169
170 static INT AirPDcapRsnaMng(
171 UCHAR *decrypt_data,
172 guint mac_header_len,
173 guint *decrypt_len,
174 PAIRPDCAP_KEY_ITEM key,
175 AIRPDCAP_SEC_ASSOCIATION *sa,
176 INT offset)
177 ;
178
179 static INT AirPDcapWepMng(
180 PAIRPDCAP_CONTEXT ctx,
181 UCHAR *decrypt_data,
182 guint mac_header_len,
183 guint *decrypt_len,
184 PAIRPDCAP_KEY_ITEM key,
185 AIRPDCAP_SEC_ASSOCIATION *sa,
186 INT offset)
187 ;
188
189 static INT AirPDcapRsna4WHandshake(
190 PAIRPDCAP_CONTEXT ctx,
191 const UCHAR *data,
192 AIRPDCAP_SEC_ASSOCIATION *sa,
193 PAIRPDCAP_KEY_ITEM key,
194 INT offset)
195 ;
196 /**
197 * It checks whether the specified key is corrected or not.
198 * @note
199 * For a standard WEP key the length will be changed to the standard
200 * length, and the type changed in a generic WEP key.
201 * @param key [IN] pointer to the key to validate
202 * @return
203 * - TRUE: the key contains valid fields and values
204 * - FALSE: the key has some invalid field or value
205 */
206 static INT AirPDcapValidateKey(
207 PAIRPDCAP_KEY_ITEM key)
208 ;
209
210 static INT AirPDcapRsnaMicCheck(
211 UCHAR *eapol,
212 USHORT eapol_len,
213 UCHAR KCK[AIRPDCAP_WPA_KCK_LEN],
214 USHORT key_ver)
215 ;
216
217 /**
218 * @param ctx [IN] pointer to the current context
219 * @param id [IN] id of the association (composed by BSSID and MAC of
220 * the station)
221 * @return
222 * - index of the Security Association structure if found
223 * - -1, if the specified addresses pair BSSID-STA MAC has not been found
224 */
225 static INT AirPDcapGetSa(
226 PAIRPDCAP_CONTEXT ctx,
227 AIRPDCAP_SEC_ASSOCIATION_ID *id)
228 ;
229
230 static INT AirPDcapStoreSa(
231 PAIRPDCAP_CONTEXT ctx,
232 AIRPDCAP_SEC_ASSOCIATION_ID *id)
233 ;
234
235 static const UCHAR * AirPDcapGetStaAddress(
236 const AIRPDCAP_MAC_FRAME_ADDR4 *frame)
237 ;
238
239 static const UCHAR * AirPDcapGetBssidAddress(
240 const AIRPDCAP_MAC_FRAME_ADDR4 *frame)
241 ;
242
243 static void AirPDcapRsnaPrfX(
244 AIRPDCAP_SEC_ASSOCIATION *sa,
245 const UCHAR pmk[32],
246 const UCHAR snonce[32],
247 const INT x, /* for TKIP 512, for CCMP 384 */
248 UCHAR *ptk)
249 ;
250
251 #ifdef __cplusplus
252 }
253 #endif
254
255 /****************************************************************************/
256
257 /****************************************************************************/
258 /* Exported function definitions */
259
260 #ifdef __cplusplus
261 extern "C" {
262 #endif
263
264 const guint8 broadcast_mac[] = { 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF };
265
266
267 /* NOTE : this assumes the WPA RSN IE format. If it were to be a generic RSN IE, then
268 we would need to change the structure since it could be variable length depending on the number
269 of unicast OUI and auth OUI. */
270 typedef struct {
271 guint8 bElementID;
272 guint8 bLength;
273 guint8 OUI[4];
274 guint16 iVersion;
275 guint8 multicastOUI[4];
276 guint16 iUnicastCount; /* this should always be 1 for WPA client */
277 guint8 unicastOUI[4];
278 guint16 iAuthCount; /* this should always be 1 for WPA client */
279 guint8 authOUI[4];
280 guint16 iWPAcap;
281 } RSN_IE;
282
283 #define EAPKEY_MIC_LEN 16 /* length of the MIC key for EAPoL_Key packet's MIC using MD5 */
284 #define NONCE_LEN 32
285
286 typedef struct {
287 guint8 type;
288 guint8 key_information[2]; /* Make this an array to avoid alignment issues */
289 guint8 key_length[2]; /* Make this an array to avoid alignment issues */
290 guint8 replay_counter[8];
291 guint8 key_nonce[NONCE_LEN];
292 guint8 key_iv[16];
293 guint8 key_sequence_counter[8]; /* also called the RSC */
294 guint8 key_id[8];
295 guint8 key_mic[EAPKEY_MIC_LEN];
296 guint8 key_data_len[2]; /* Make this an array rather than a U16 to avoid alignment shifting */
297 guint8 ie[sizeof(RSN_IE)]; /* Make this an array to avoid alignment issues */
298 } EAPOL_RSN_KEY, * P_EAPOL_RSN_KEY;
299
300
301
302 /* A note about some limitations with the WPA decryption:
303
304 Unless someone takes the time to restructure the current method used for maintaining decryption keys, there
305 will be some anomalies observed when using the decryption feature.
306
307 Currently, there is only one pairwise (unicast) key and one group (broadcast) key saved for each security association
308 (SA). As a result, if a wireless sniffer session captures the traffic of a station (STA) associating with an AP
309 more than once, or captures a STA roaming, then you will not be able to arbitrarilly click on different encrypted
310 packets in the trace and observe their internal decrypted structure. This is because when you click on a packet,
311 Wireshark immediately performs the decryption routine with whatever the last key used was. It does not maintain a
312 cache of all the keys that were used by this STA/AP pairing.
313
314 However, if you are just looking at the summary lines of a capture, it will appear that everything was decrypted properly.
315 This is because when first performing a capture or initially reading a capture file, Wireshark will first
316 process the packets in order. As it encounters new EAPOL packets, it will update its internal key list with the
317 newfound key. Then it will use that key for decrypting subsequent packets. Each time a new key is found, the old key
318 is overwritten. So, if you then click on a packet that was previously decrypted properly, it might suddenly no longer
319 be decrypted because a later EAPOL key had caused the internal decryption key to be updated.
320
321 For broadcast packets, there is a clunky work-around. If the AP is using group-key rotation, you simply have to find the appropriate
322 EAPOL group key packet (usually size is 211 bytes and will have a protocol type of EAPOL and Info field of Key). If you click on it
323 and then click on the broadcast packet you are trying to decrypt, the packet will be decrypted properly. By first
324 clicking on the EAPOL packet for the group-key, you will force Wireshark to parse that packet and load the group-key it
325 contains. That group key will then be used for decrypting all subsequent broadcast packets you click on.
326
327 Ideally, it would be best to maintain an expanding list of SA keys. Perhaps we could associate packet number ranges
328 that they apply to. Then, whenever we need to decrypt a packet, we can determine which key to use based on whether
329 it is broadcast or unicast and within what packet number range it falls.
330
331 Either that, or store two versions of encrypted packets - the orginal packet and its successfully
332 decrypted version. Then Wireshark wouldn't have to decrypt packets on the fly if they were already successfully decrypted.
333
334 */
335
336
337 static void
338 AirPDcapDecryptWPABroadcastKey(const EAPOL_RSN_KEY *pEAPKey, guint8 *decryption_key, PAIRPDCAP_SEC_ASSOCIATION sa)
339 {
340 guint8 new_key[32];
341 guint8 key_version;
342 guint8 *szEncryptedKey;
343 guint16 key_len = 0;
344 static AIRPDCAP_KEY_ITEM dummy_key; /* needed in case AirPDcapRsnaMng() wants the key structure */
345
346 /* We skip verifying the MIC of the key. If we were implementing a WPA supplicant we'd want to verify, but for a sniffer it's not needed. */
347
348 /* Preparation for decrypting the group key - determine group key data length */
349 /* depending on whether it's a TKIP or AES encryption key */
350 key_version = AIRPDCAP_EAP_KEY_DESCR_VER(pEAPKey->key_information[1]);
351 if (key_version == AIRPDCAP_WPA_KEY_VER_NOT_CCMP){
352 /* TKIP */
353 key_len = pntohs(pEAPKey->key_length);
354 }else if (key_version == AIRPDCAP_WPA_KEY_VER_AES_CCMP){
355 /* AES */
356 key_len = pntohs(pEAPKey->key_data_len);
357 }
358 if (key_len > sizeof(RSN_IE) || key_len == 0) { /* Don't read past the end of pEAPKey->ie */
359 return;
360 }
361
362 /* Encrypted key is in the information element field of the EAPOL key packet */
363 szEncryptedKey = (guint8 *)g_memdup(pEAPKey->ie, key_len);
364
365 DEBUG_DUMP("Encrypted Broadcast key:", szEncryptedKey, key_len);
366 DEBUG_DUMP("KeyIV:", pEAPKey->key_iv, 16);
367 DEBUG_DUMP("decryption_key:", decryption_key, 16);
368
369 /* Build the full decryption key based on the IV and part of the pairwise key */
370 memcpy(new_key, pEAPKey->key_iv, 16);
371 memcpy(new_key+16, decryption_key, 16);
372 DEBUG_DUMP("FullDecrKey:", new_key, 32);
373
374 if (key_version == AIRPDCAP_WPA_KEY_VER_NOT_CCMP){
375 guint8 dummy[256];
376 /* TKIP key */
377 /* Per 802.11i, Draft 3.0 spec, section 8.5.2, p. 97, line 4-8, */
378 /* group key is decrypted using RC4. Concatenate the IV with the 16 byte EK (PTK+16) to get the decryption key */
379
380 rc4_state_struct rc4_state;
381 crypt_rc4_init(&rc4_state, new_key, sizeof(new_key));
382
383 /* Do dummy 256 iterations of the RC4 algorithm (per 802.11i, Draft 3.0, p. 97 line 6) */
384 crypt_rc4(&rc4_state, dummy, 256);
385 crypt_rc4(&rc4_state, szEncryptedKey, key_len);
386
387 } else if (key_version == AIRPDCAP_WPA_KEY_VER_AES_CCMP){
388 /* AES CCMP key */
389
390 guint8 key_found;
391 guint16 key_index;
392 guint8 *decrypted_data;
393
394 /* This storage is needed for the AES_unwrap function */
395 decrypted_data = (guint8 *) g_malloc(key_len);
396
397 AES_unwrap(decryption_key, 16, szEncryptedKey, key_len, decrypted_data);
398
399 /* With WPA2 what we get after Broadcast Key decryption is an actual RSN structure.
400 The key itself is stored as a GTK KDE
401 WPA2 IE (1 byte) id = 0xdd, length (1 byte), GTK OUI (4 bytes), key index (1 byte) and 1 reserved byte. Thus we have to
402 pass pointer to the actual key with 8 bytes offset */
403
404 key_found = FALSE;
405 key_index = 0;
406 while(key_index < key_len && !key_found){
407 guint8 rsn_id;
408
409 /* Get RSN ID */
410 rsn_id = decrypted_data[key_index];
411
412 if (rsn_id != 0xdd){
413 key_index += decrypted_data[key_index+1]+2;
414 }else{
415 key_found = TRUE;
416 }
417 }
418
419 if (key_found){
420 /* Skip over the GTK header info, and don't copy past the end of the encrypted data */
421 memcpy(szEncryptedKey, decrypted_data+key_index+8, key_len-key_index-8);
422 }
423
424 g_free(decrypted_data);
425 }
426
427 /* Decrypted key is now in szEncryptedKey with len of key_len */
428 DEBUG_DUMP("Broadcast key:", szEncryptedKey, key_len);
429
430 /* Load the proper key material info into the SA */
431 sa->key = &dummy_key; /* we just need key to be not null because it is checked in AirPDcapRsnaMng(). The WPA key materials are actually in the .wpa structure */
432 sa->validKey = TRUE;
433 sa->wpa.key_ver = key_version;
434
435 /* Since this is a GTK and its size is only 32 bytes (vs. the 64 byte size of a PTK), we fake it and put it in at a 32-byte offset so the */
436 /* AirPDcapRsnaMng() function will extract the right piece of the GTK for decryption. (The first 16 bytes of the GTK are used for decryption.) */
437 memset(sa->wpa.ptk, 0, sizeof(sa->wpa.ptk));
438 memcpy(sa->wpa.ptk+32, szEncryptedKey, key_len);
439 g_free(szEncryptedKey);
440 }
441
442
443 /* Return a pointer the the requested SA. If it doesn't exist create it. */
444 static PAIRPDCAP_SEC_ASSOCIATION
445 AirPDcapGetSaPtr(
446 PAIRPDCAP_CONTEXT ctx,
447 AIRPDCAP_SEC_ASSOCIATION_ID *id)
448 {
449 int sa_index;
450
451 /* search for a cached Security Association for supplied BSSID and STA MAC */
452 if ((sa_index=AirPDcapGetSa(ctx, id))==-1) {
453 /* create a new Security Association if it doesn't currently exist */
454 if ((sa_index=AirPDcapStoreSa(ctx, id))==-1) {
455 return NULL;
456 }
457 }
458 /* get the Security Association structure */
459 return &ctx->sa[sa_index];
460 }
461
462 #define GROUP_KEY_PAYLOAD_LEN (8+4+sizeof(EAPOL_RSN_KEY))
463 static INT AirPDcapScanForGroupKey(
464 PAIRPDCAP_CONTEXT ctx,
465 const guint8 *data,
466 const guint mac_header_len,
467 const guint tot_len
468 )
469 {
470 const UCHAR *addr;
471 AIRPDCAP_SEC_ASSOCIATION_ID id;
472 guint bodyLength;
473 PAIRPDCAP_SEC_ASSOCIATION sta_sa;
474 PAIRPDCAP_SEC_ASSOCIATION sa;
475 int offset = 0;
476 const guint8 dot1x_header[] = {
477 0xAA, /* DSAP=SNAP */
478 0xAA, /* SSAP=SNAP */
479 0x03, /* Control field=Unnumbered frame */
480 0x00, 0x00, 0x00, /* Org. code=encaps. Ethernet */
481 0x88, 0x8E /* Type: 802.1X authentication */
482 };
483
484 const EAPOL_RSN_KEY *pEAPKey;
485 #ifdef _DEBUG
486 CHAR msgbuf[255];
487 #endif
488
489 AIRPDCAP_DEBUG_TRACE_START("AirPDcapScanForGroupKey");
490
491 if (mac_header_len + GROUP_KEY_PAYLOAD_LEN < tot_len) {
492 AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapScanForGroupKey", "Message too short", AIRPDCAP_DEBUG_LEVEL_3);
493 return AIRPDCAP_RET_NO_VALID_HANDSHAKE;
494 }
495
496 /* cache offset in the packet data */
497 offset = mac_header_len;
498
499 /* check if the packet has an LLC header and the packet is 802.1X authentication (IEEE 802.1X-2004, pg. 24) */
500 if (memcmp(data+offset, dot1x_header, 8) == 0) {
501
502 AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapScanForGroupKey", "Authentication: EAPOL packet", AIRPDCAP_DEBUG_LEVEL_3);
503
504 /* skip LLC header */
505 offset+=8;
506
507
508 /* check if the packet is a EAPOL-Key (0x03) (IEEE 802.1X-2004, pg. 25) */
509 if (data[offset+1]!=3) {
510 AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapScanForGroupKey", "Not EAPOL-Key", AIRPDCAP_DEBUG_LEVEL_3);
511 return AIRPDCAP_RET_NO_VALID_HANDSHAKE;
512 }
513
514 /* get and check the body length (IEEE 802.1X-2004, pg. 25) */
515 bodyLength=pntohs(data+offset+2);
516 if ((tot_len-offset-4) < bodyLength) {
517 AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapScanForGroupKey", "EAPOL body too short", AIRPDCAP_DEBUG_LEVEL_3);
518 return AIRPDCAP_RET_NO_VALID_HANDSHAKE;
519 }
520
521 /* skip EAPOL MPDU and go to the first byte of the body */
522 offset+=4;
523
524 pEAPKey = (const EAPOL_RSN_KEY *) (data+offset);
525
526 /* check if the key descriptor type is valid (IEEE 802.1X-2004, pg. 27) */
527 if (/*pEAPKey->type!=0x1 &&*/ /* RC4 Key Descriptor Type (deprecated) */
528 pEAPKey->type != AIRPDCAP_RSN_WPA2_KEY_DESCRIPTOR && /* IEEE 802.11 Key Descriptor Type (WPA2) */
529 pEAPKey->type != AIRPDCAP_RSN_WPA_KEY_DESCRIPTOR) /* 254 = RSN_KEY_DESCRIPTOR - WPA, */
530 {
531 AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapScanForGroupKey", "Not valid key descriptor type", AIRPDCAP_DEBUG_LEVEL_3);
532 return AIRPDCAP_RET_NO_VALID_HANDSHAKE;
533 }
534
535 /* start with descriptor body */
536 offset+=1;
537
538 /* Verify the bitfields: Key = 0(groupwise) Mic = 1 Ack = 1 Secure = 1 */
539 if (AIRPDCAP_EAP_KEY(data[offset+1])!=0 ||
540 AIRPDCAP_EAP_ACK(data[offset+1])!=1 ||
541 AIRPDCAP_EAP_MIC(data[offset]) != 1 ||
542 AIRPDCAP_EAP_SEC(data[offset]) != 1){
543
544 AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapScanForGroupKey", "Key bitfields not correct", AIRPDCAP_DEBUG_LEVEL_3);
545 return AIRPDCAP_RET_NO_VALID_HANDSHAKE;
546 }
547
548 /* get BSSID */
549 if ( (addr=AirPDcapGetBssidAddress((const AIRPDCAP_MAC_FRAME_ADDR4 *)(data))) != NULL) {
550 memcpy(id.bssid, addr, AIRPDCAP_MAC_LEN);
551 #ifdef _DEBUG
552 sprintf(msgbuf, "BSSID: %2X.%2X.%2X.%2X.%2X.%2X\t", id.bssid[0],id.bssid[1],id.bssid[2],id.bssid[3],id.bssid[4],id.bssid[5]);
553 #endif
554 AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapScanForGroupKey", msgbuf, AIRPDCAP_DEBUG_LEVEL_3);
555 } else {
556 AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapScanForGroupKey", "BSSID not found", AIRPDCAP_DEBUG_LEVEL_5);
557 return AIRPDCAP_RET_REQ_DATA;
558 }
559
560 /* force STA address to be the broadcast MAC so we create an SA for the groupkey */
561 memcpy(id.sta, broadcast_mac, AIRPDCAP_MAC_LEN);
562
563 /* get the Security Association structure for the broadcast MAC and AP */
564 sa = AirPDcapGetSaPtr(ctx, &id);
565 if (sa == NULL){
566 return AIRPDCAP_RET_UNSUCCESS;
567 }
568
569 /* Get the SA for the STA, since we need its pairwise key to decrpyt the group key */
570
571 /* get STA address */
572 if ( (addr=AirPDcapGetStaAddress((const AIRPDCAP_MAC_FRAME_ADDR4 *)(data))) != NULL) {
573 memcpy(id.sta, addr, AIRPDCAP_MAC_LEN);
574 #ifdef _DEBUG
575 sprintf(msgbuf, "ST_MAC: %2X.%2X.%2X.%2X.%2X.%2X\t", id.sta[0],id.sta[1],id.sta[2],id.sta[3],id.sta[4],id.sta[5]);
576 #endif
577 AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapScanForGroupKey", msgbuf, AIRPDCAP_DEBUG_LEVEL_3);
578 } else {
579 AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapScanForGroupKey", "SA not found", AIRPDCAP_DEBUG_LEVEL_5);
580 return AIRPDCAP_RET_REQ_DATA;
581 }
582
583 sta_sa = AirPDcapGetSaPtr(ctx, &id);
584 if (sta_sa == NULL){
585 return AIRPDCAP_RET_UNSUCCESS;
586 }
587
588 /* Extract the group key and install it in the SA */
589 AirPDcapDecryptWPABroadcastKey(pEAPKey, sta_sa->wpa.ptk+16, sa);
590
591 }else{
592 AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapScanForGroupKey", "Skipping: not an EAPOL packet", AIRPDCAP_DEBUG_LEVEL_3);
593 }
594
595 AIRPDCAP_DEBUG_TRACE_END("AirPDcapScanForGroupKey");
596 return 0;
597 }
598
599
600 INT AirPDcapPacketProcess(
601 PAIRPDCAP_CONTEXT ctx,
602 const guint8 *data,
603 const guint mac_header_len,
604 const guint tot_len,
605 UCHAR *decrypt_data,
606 guint *decrypt_len,
607 PAIRPDCAP_KEY_ITEM key,
608 gboolean mngHandshake,
609 gboolean mngDecrypt)
610 {
611 const UCHAR *addr;
612 AIRPDCAP_SEC_ASSOCIATION_ID id;
613 PAIRPDCAP_SEC_ASSOCIATION sa;
614 int offset = 0;
615 guint bodyLength;
616 const guint8 dot1x_header[] = {
617 0xAA, /* DSAP=SNAP */
618 0xAA, /* SSAP=SNAP */
619 0x03, /* Control field=Unnumbered frame */
620 0x00, 0x00, 0x00, /* Org. code=encaps. Ethernet */
621 0x88, 0x8E /* Type: 802.1X authentication */
622 };
623
624 const guint8 bt_dot1x_header[] = {
625 0xAA, /* DSAP=SNAP */
626 0xAA, /* SSAP=SNAP */
627 0x03, /* Control field=Unnumbered frame */
628 0x00, 0x19, 0x58, /* Org. code=Bluetooth SIG */
629 0x00, 0x03 /* Type: Bluetooth Security */
630 };
631
632 #ifdef _DEBUG
633 CHAR msgbuf[255];
634 #endif
635
636 AIRPDCAP_DEBUG_TRACE_START("AirPDcapPacketProcess");
637
638 if (ctx==NULL) {
639 AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapPacketProcess", "NULL context", AIRPDCAP_DEBUG_LEVEL_5);
640 AIRPDCAP_DEBUG_TRACE_END("AirPDcapPacketProcess");
641 return AIRPDCAP_RET_UNSUCCESS;
642 }
643 if (data==NULL || tot_len==0) {
644 AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapPacketProcess", "NULL data or length=0", AIRPDCAP_DEBUG_LEVEL_5);
645 AIRPDCAP_DEBUG_TRACE_END("AirPDcapPacketProcess");
646 return AIRPDCAP_RET_UNSUCCESS;
647 }
648
649 /* check if the packet is of data type */
650 if (AIRPDCAP_TYPE(data[0])!=AIRPDCAP_TYPE_DATA) {
651 AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapPacketProcess", "not data packet", AIRPDCAP_DEBUG_LEVEL_5);
652 return AIRPDCAP_RET_NO_DATA;
653 }
654
655 /* check correct packet size, to avoid wrong elaboration of encryption algorithms */
656 if (tot_len < (UINT)(mac_header_len+AIRPDCAP_CRYPTED_DATA_MINLEN)) {
657 AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapPacketProcess", "minimum length violated", AIRPDCAP_DEBUG_LEVEL_5);
658 return AIRPDCAP_RET_WRONG_DATA_SIZE;
659 }
660
661 /* get BSSID */
662 if ( (addr=AirPDcapGetBssidAddress((const AIRPDCAP_MAC_FRAME_ADDR4 *)(data))) != NULL) {
663 memcpy(id.bssid, addr, AIRPDCAP_MAC_LEN);
664 #ifdef _DEBUG
665 sprintf(msgbuf, "BSSID: %2X.%2X.%2X.%2X.%2X.%2X\t", id.bssid[0],id.bssid[1],id.bssid[2],id.bssid[3],id.bssid[4],id.bssid[5]);
666 #endif
667 AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapPacketProcess", msgbuf, AIRPDCAP_DEBUG_LEVEL_3);
668 } else {
669 AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapPacketProcess", "BSSID not found", AIRPDCAP_DEBUG_LEVEL_5);
670 return AIRPDCAP_RET_REQ_DATA;
671 }
672
673 /* get STA address */
674 if ( (addr=AirPDcapGetStaAddress((const AIRPDCAP_MAC_FRAME_ADDR4 *)(data))) != NULL) {
675 memcpy(id.sta, addr, AIRPDCAP_MAC_LEN);
676 #ifdef _DEBUG
677 sprintf(msgbuf, "ST_MAC: %2X.%2X.%2X.%2X.%2X.%2X\t", id.sta[0],id.sta[1],id.sta[2],id.sta[3],id.sta[4],id.sta[5]);
678 #endif
679 AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapPacketProcess", msgbuf, AIRPDCAP_DEBUG_LEVEL_3);
680 } else {
681 AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapPacketProcess", "SA not found", AIRPDCAP_DEBUG_LEVEL_5);
682 return AIRPDCAP_RET_REQ_DATA;
683 }
684
685 /* get the Security Association structure for the STA and AP */
686 sa = AirPDcapGetSaPtr(ctx, &id);
687 if (sa == NULL){
688 return AIRPDCAP_RET_UNSUCCESS;
689 }
690
691 /* cache offset in the packet data (to scan encryption data) */
692 offset = mac_header_len;
693
694 /* check if data is encrypted (use the WEP bit in the Frame Control field) */
695 if (AIRPDCAP_WEP(data[1])==0)
696 {
697 if (mngHandshake) {
698 /* data is sent in cleartext, check if is an authentication message or end the process */
699 AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapPacketProcess", "Unencrypted data", AIRPDCAP_DEBUG_LEVEL_3);
700
701 /* check if the packet as an LLC header and the packet is 802.1X authentication (IEEE 802.1X-2004, pg. 24) */
702 if (memcmp(data+offset, dot1x_header, 8) == 0 || memcmp(data+offset, bt_dot1x_header, 8) == 0) {
703 AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapPacketProcess", "Authentication: EAPOL packet", AIRPDCAP_DEBUG_LEVEL_3);
704
705 /* skip LLC header */
706 offset+=8;
707
708 /* check the version of the EAPOL protocol used (IEEE 802.1X-2004, pg. 24) */
709 /* TODO EAPOL protocol version to check? */
710 #if 0
711 if (data[offset]!=2) {
712 AIRPDCAP_DEBUG_PRINT_LINE("EAPOL protocol version not recognized", AIRPDCAP_DEBUG_LEVEL_5);
713 return AIRPDCAP_RET_NO_VALID_HANDSHAKE;
714 }
715 #endif
716
717 /* check if the packet is a EAPOL-Key (0x03) (IEEE 802.1X-2004, pg. 25) */
718 if (data[offset+1]!=3) {
719 AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapPacketProcess", "Not EAPOL-Key", AIRPDCAP_DEBUG_LEVEL_5);
720 return AIRPDCAP_RET_NO_VALID_HANDSHAKE;
721 }
722
723 /* get and check the body length (IEEE 802.1X-2004, pg. 25) */
724 bodyLength=pntohs(data+offset+2);
725 if ((tot_len-offset-4) < bodyLength) {
726 AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapPacketProcess", "EAPOL body too short", AIRPDCAP_DEBUG_LEVEL_5);
727 return AIRPDCAP_RET_NO_VALID_HANDSHAKE;
728 }
729
730 /* skip EAPOL MPDU and go to the first byte of the body */
731 offset+=4;
732
733 /* check if the key descriptor type is valid (IEEE 802.1X-2004, pg. 27) */
734 if (/*data[offset]!=0x1 &&*/ /* RC4 Key Descriptor Type (deprecated) */
735 data[offset]!=0x2 && /* IEEE 802.11 Key Descriptor Type */
736 data[offset]!=0xFE) /* TODO what's this value??? */
737 {
738 AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapPacketProcess", "Not valid key descriptor type", AIRPDCAP_DEBUG_LEVEL_5);
739 return AIRPDCAP_RET_NO_VALID_HANDSHAKE;
740 }
741
742 /* start with descriptor body */
743 offset+=1;
744
745 /* manage the 4-way handshake to define the key */
746 return AirPDcapRsna4WHandshake(ctx, data, sa, key, offset);
747 } else {
748 /* cleartext message, not authentication */
749 AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapPacketProcess", "No authentication data", AIRPDCAP_DEBUG_LEVEL_5);
750 return AIRPDCAP_RET_NO_DATA_ENCRYPTED;
751 }
752 }
753 } else {
754 if (mngDecrypt) {
755
756 if (decrypt_data==NULL)
757 return AIRPDCAP_RET_UNSUCCESS;
758
759 /* create new header and data to modify */
760 *decrypt_len = tot_len;
761 memcpy(decrypt_data, data, *decrypt_len);
762
763 /* encrypted data */
764 AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapPacketProcess", "Encrypted data", AIRPDCAP_DEBUG_LEVEL_3);
765
766 /* check the Extension IV to distinguish between WEP encryption and WPA encryption */
767 /* refer to IEEE 802.11i-2004, 8.2.1.2, pag.35 for WEP, */
768 /* IEEE 802.11i-2004, 8.3.2.2, pag. 45 for TKIP, */
769 /* IEEE 802.11i-2004, 8.3.3.2, pag. 57 for CCMP */
770 if (AIRPDCAP_EXTIV(data[offset+3])==0) {
771 AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapPacketProcess", "WEP encryption", AIRPDCAP_DEBUG_LEVEL_3);
772 return AirPDcapWepMng(ctx, decrypt_data, mac_header_len, decrypt_len, key, sa, offset);
773 } else {
774 INT status;
775 AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapPacketProcess", "TKIP or CCMP encryption", AIRPDCAP_DEBUG_LEVEL_3);
776
777 /* If index >= 1, then use the group key. This will not work if the AP is using
778 more than one group key simultaneously. I've not seen this in practice, however.
779 Usually an AP will rotate between the two key index values of 1 and 2 whenever
780 it needs to change the group key to be used. */
781 if (AIRPDCAP_KEY_INDEX(data[offset+3])>=1){
782
783 AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapPacketProcess", "The key index = 1. This is encrypted with a group key.", AIRPDCAP_DEBUG_LEVEL_3);
784
785 /* force STA address to broadcast MAC so we load the SA for the groupkey */
786 memcpy(id.sta, broadcast_mac, AIRPDCAP_MAC_LEN);
787
788 #ifdef _DEBUG
789 sprintf(msgbuf, "ST_MAC: %2X.%2X.%2X.%2X.%2X.%2X\t", id.sta[0],id.sta[1],id.sta[2],id.sta[3],id.sta[4],id.sta[5]);
790 AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapPacketProcess", msgbuf, AIRPDCAP_DEBUG_LEVEL_3);
791 #endif
792
793 /* search for a cached Security Association for current BSSID and broadcast MAC */
794 sa = AirPDcapGetSaPtr(ctx, &id);
795 if (sa == NULL){
796 return AIRPDCAP_RET_UNSUCCESS;
797 }
798 }
799
800 /* Decrypt the packet using the appropriate SA */
801 status = AirPDcapRsnaMng(decrypt_data, mac_header_len, decrypt_len, key, sa, offset);
802
803 /* If we successfully decrypted a packet, scan it to see if it contains a group key handshake.
804 The group key handshake could be sent at any time the AP wants to change the key (such as when
805 it is using key rotation) so we must scan every packet. */
806 if (status == AIRPDCAP_RET_SUCCESS)
807 AirPDcapScanForGroupKey(ctx, decrypt_data, mac_header_len, *decrypt_len);
808 return status;
809 }
810 }
811 }
812
813 return AIRPDCAP_RET_UNSUCCESS;
814 }
815
816 INT AirPDcapSetKeys(
817 PAIRPDCAP_CONTEXT ctx,
818 AIRPDCAP_KEY_ITEM keys[],
819 const size_t keys_nr)
820 {
821 INT i;
822 INT success;
823 AIRPDCAP_DEBUG_TRACE_START("AirPDcapSetKeys");
824
825 if (ctx==NULL || keys==NULL) {
826 AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapSetKeys", "NULL context or NULL keys array", AIRPDCAP_DEBUG_LEVEL_3);
827 AIRPDCAP_DEBUG_TRACE_END("AirPDcapSetKeys");
828 return 0;
829 }
830
831 if (keys_nr>AIRPDCAP_MAX_KEYS_NR) {
832 AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapSetKeys", "Keys number greater than maximum", AIRPDCAP_DEBUG_LEVEL_3);
833 AIRPDCAP_DEBUG_TRACE_END("AirPDcapSetKeys");
834 return 0;
835 }
836
837 /* clean key and SA collections before setting new ones */
838 AirPDcapInitContext(ctx);
839
840 /* check and insert keys */
841 for (i=0, success=0; i<(INT)keys_nr; i++) {
842 if (AirPDcapValidateKey(keys+i)==TRUE) {
843 if (keys[i].KeyType==AIRPDCAP_KEY_TYPE_WPA_PWD) {
844 AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapSetKeys", "Set a WPA-PWD key", AIRPDCAP_DEBUG_LEVEL_4);
845 AirPDcapRsnaPwd2Psk(keys[i].UserPwd.Passphrase, keys[i].UserPwd.Ssid, keys[i].UserPwd.SsidLen, keys[i].KeyData.Wpa.Psk);
846 }
847 #ifdef _DEBUG
848 else if (keys[i].KeyType==AIRPDCAP_KEY_TYPE_WPA_PMK) {
849 AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapSetKeys", "Set a WPA-PMK key", AIRPDCAP_DEBUG_LEVEL_4);
850 } else if (keys[i].KeyType==AIRPDCAP_KEY_TYPE_WEP) {
851 AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapSetKeys", "Set a WEP key", AIRPDCAP_DEBUG_LEVEL_4);
852 } else {
853 AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapSetKeys", "Set a key", AIRPDCAP_DEBUG_LEVEL_4);
854 }
855 #endif
856 memcpy(&ctx->keys[success], &keys[i], sizeof(keys[i]));
857 success++;
858 }
859 }
860
861 ctx->keys_nr=success;
862
863 AIRPDCAP_DEBUG_TRACE_END("AirPDcapSetKeys");
864 return success;
865 }
866
867 static void
868 AirPDcapCleanKeys(
869 PAIRPDCAP_CONTEXT ctx)
870 {
871 AIRPDCAP_DEBUG_TRACE_START("AirPDcapCleanKeys");
872
873 if (ctx==NULL) {
874 AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapCleanKeys", "NULL context", AIRPDCAP_DEBUG_LEVEL_5);
875 AIRPDCAP_DEBUG_TRACE_END("AirPDcapCleanKeys");
876 return;
877 }
878
879 memset(ctx->keys, 0, sizeof(AIRPDCAP_KEY_ITEM) * AIRPDCAP_MAX_KEYS_NR);
880
881 ctx->keys_nr=0;
882
883 AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapCleanKeys", "Keys collection cleaned!", AIRPDCAP_DEBUG_LEVEL_5);
884 AIRPDCAP_DEBUG_TRACE_END("AirPDcapCleanKeys");
885 }
886
887 INT AirPDcapGetKeys(
888 const PAIRPDCAP_CONTEXT ctx,
889 AIRPDCAP_KEY_ITEM keys[],
890 const size_t keys_nr)
891 {
892 UINT i;
893 UINT j;
894 AIRPDCAP_DEBUG_TRACE_START("AirPDcapGetKeys");
895
896 if (ctx==NULL) {
897 AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapGetKeys", "NULL context", AIRPDCAP_DEBUG_LEVEL_5);
898 AIRPDCAP_DEBUG_TRACE_END("AirPDcapGetKeys");
899 return 0;
900 } else if (keys==NULL) {
901 AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapGetKeys", "NULL keys array", AIRPDCAP_DEBUG_LEVEL_5);
902 AIRPDCAP_DEBUG_TRACE_END("AirPDcapGetKeys");
903 return (INT)ctx->keys_nr;
904 } else {
905 for (i=0, j=0; i<ctx->keys_nr && i<keys_nr && i<AIRPDCAP_MAX_KEYS_NR; i++) {
906 memcpy(&keys[j], &ctx->keys[i], sizeof(keys[j]));
907 j++;
908 AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapGetKeys", "Got a key", AIRPDCAP_DEBUG_LEVEL_5);
909 }
910
911 AIRPDCAP_DEBUG_TRACE_END("AirPDcapGetKeys");
912 return j;
913 }
914 }
915
916 /*
917 * XXX - This won't be reliable if a packet containing SSID "B" shows
918 * up in the middle of a 4-way handshake for SSID "A".
919 * We should probably use a small array or hash table to keep multiple
920 * SSIDs.
921 */
922 INT AirPDcapSetLastSSID(
923 PAIRPDCAP_CONTEXT ctx,
924 CHAR *pkt_ssid,
925 size_t pkt_ssid_len)
926 {
927 if (!ctx || !pkt_ssid || pkt_ssid_len < 1 || pkt_ssid_len > WPA_SSID_MAX_SIZE)
928 return AIRPDCAP_RET_UNSUCCESS;
929
930 memcpy(ctx->pkt_ssid, pkt_ssid, pkt_ssid_len);
931 ctx->pkt_ssid_len = pkt_ssid_len;
932
933 return AIRPDCAP_RET_SUCCESS;
934 }
935
936 INT AirPDcapInitContext(
937 PAIRPDCAP_CONTEXT ctx)
938 {
939 AIRPDCAP_DEBUG_TRACE_START("AirPDcapInitContext");
940
941 if (ctx==NULL) {
942 AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapInitContext", "NULL context", AIRPDCAP_DEBUG_LEVEL_5);
943 AIRPDCAP_DEBUG_TRACE_END("AirPDcapInitContext");
944 return AIRPDCAP_RET_UNSUCCESS;
945 }
946
947 AirPDcapCleanKeys(ctx);
948
949 ctx->first_free_index=0;
950 ctx->index=-1;
951 ctx->sa_index=-1;
952 ctx->pkt_ssid_len = 0;
953
954 memset(ctx->sa, 0, AIRPDCAP_MAX_SEC_ASSOCIATIONS_NR * sizeof(AIRPDCAP_SEC_ASSOCIATION));
955
956 AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapInitContext", "Context initialized!", AIRPDCAP_DEBUG_LEVEL_5);
957 AIRPDCAP_DEBUG_TRACE_END("AirPDcapInitContext");
958 return AIRPDCAP_RET_SUCCESS;
959 }
960
961 INT AirPDcapDestroyContext(
962 PAIRPDCAP_CONTEXT ctx)
963 {
964 AIRPDCAP_DEBUG_TRACE_START("AirPDcapDestroyContext");
965
966 if (ctx==NULL) {
967 AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapDestroyContext", "NULL context", AIRPDCAP_DEBUG_LEVEL_5);
968 AIRPDCAP_DEBUG_TRACE_END("AirPDcapDestroyContext");
969 return AIRPDCAP_RET_UNSUCCESS;
970 }
971
972 AirPDcapCleanKeys(ctx);
973
974 ctx->first_free_index=0;
975 ctx->index=-1;
976 ctx->sa_index=-1;
977
978 AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapDestroyContext", "Context destroyed!", AIRPDCAP_DEBUG_LEVEL_5);
979 AIRPDCAP_DEBUG_TRACE_END("AirPDcapDestroyContext");
980 return AIRPDCAP_RET_SUCCESS;
981 }
982
983 #ifdef __cplusplus
984 }
985 #endif
986
987 /****************************************************************************/
988
989 /****************************************************************************/
990 /* Internal function definitions */
991
992 #ifdef __cplusplus
993 extern "C" {
994 #endif
995
996 static INT
997 AirPDcapRsnaMng(
998 UCHAR *decrypt_data,
999 guint mac_header_len,
1000 guint *decrypt_len,
1001 PAIRPDCAP_KEY_ITEM key,
1002 AIRPDCAP_SEC_ASSOCIATION *sa,
1003 INT offset)
1004 {
1005 INT ret_value=1;
1006 UCHAR *try_data;
1007 guint try_data_len = *decrypt_len;
1008
1009 if (sa->key==NULL) {
1010 AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapRsnaMng", "No key associated", AIRPDCAP_DEBUG_LEVEL_3);
1011 return AIRPDCAP_RET_REQ_DATA;
1012 }
1013 if (sa->validKey==FALSE) {
1014 AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapRsnaMng", "Key not yet valid", AIRPDCAP_DEBUG_LEVEL_3);
1015 return AIRPDCAP_RET_UNSUCCESS;
1016 }
1017
1018 /* allocate a temp buffer for the decryption loop */
1019 try_data=(UCHAR *)ep_alloc(try_data_len);
1020
1021 /* start of loop added by GCS */
1022 for(/* sa */; sa != NULL ;sa=sa->next) {
1023
1024 if (*decrypt_len > try_data_len) {
1025 AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapRsnaMng", "Invalid decryption length", AIRPDCAP_DEBUG_LEVEL_3);
1026 return AIRPDCAP_RET_UNSUCCESS;
1027 }
1028
1029 /* copy the encrypted data into a temp buffer */
1030 memcpy(try_data, decrypt_data, *decrypt_len);
1031
1032 if (sa->wpa.key_ver==1) {
1033 /* CCMP -> HMAC-MD5 is the EAPOL-Key MIC, RC4 is the EAPOL-Key encryption algorithm */
1034 AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapRsnaMng", "TKIP", AIRPDCAP_DEBUG_LEVEL_3);
1035 DEBUG_DUMP("ptk", sa->wpa.ptk, 64);
1036 DEBUG_DUMP("ptk portion used", AIRPDCAP_GET_TK(sa->wpa.ptk), 16);
1037
1038 ret_value=AirPDcapTkipDecrypt(try_data+offset, *decrypt_len-offset, try_data+AIRPDCAP_TA_OFFSET, AIRPDCAP_GET_TK(sa->wpa.ptk));
1039 if (ret_value){
1040 AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapRsnaMng", "TKIP failed!", AIRPDCAP_DEBUG_LEVEL_3);
1041 continue;
1042 }
1043
1044 AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapRsnaMng", "TKIP DECRYPTED!!!", AIRPDCAP_DEBUG_LEVEL_3);
1045 /* remove MIC (8bytes) and ICV (4bytes) from the end of packet */
1046 *decrypt_len-=12;
1047 break;
1048 } else {
1049 /* AES-CCMP -> HMAC-SHA1-128 is the EAPOL-Key MIC, AES wep_key wrap is the EAPOL-Key encryption algorithm */
1050 AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapRsnaMng", "CCMP", AIRPDCAP_DEBUG_LEVEL_3);
1051
1052 ret_value=AirPDcapCcmpDecrypt(try_data, mac_header_len, (INT)*decrypt_len, AIRPDCAP_GET_TK(sa->wpa.ptk));
1053 if (ret_value)
1054 continue;
1055
1056 AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapRsnaMng", "CCMP DECRYPTED!!!", AIRPDCAP_DEBUG_LEVEL_3);
1057 /* remove MIC (8bytes) from the end of packet */
1058 *decrypt_len-=8;
1059 break;
1060 }
1061 }
1062 /* end of loop */
1063
1064 /* none of the keys worked */
1065 if(sa == NULL)
1066 return ret_value;
1067
1068 if (*decrypt_len > try_data_len || *decrypt_len < 8) {
1069 AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapRsnaMng", "Invalid decryption length", AIRPDCAP_DEBUG_LEVEL_3);
1070 return AIRPDCAP_RET_UNSUCCESS;
1071 }
1072
1073 /* copy the decrypted data into the decrypt buffer GCS*/
1074 memcpy(decrypt_data, try_data, *decrypt_len);
1075
1076 /* remove protection bit */
1077 decrypt_data[1]&=0xBF;
1078
1079 /* remove TKIP/CCMP header */
1080 offset = mac_header_len;
1081 *decrypt_len-=8;
1082 memmove(decrypt_data+offset, decrypt_data+offset+8, *decrypt_len-offset);
1083
1084 if (key!=NULL) {
1085 memcpy(key, sa->key, sizeof(AIRPDCAP_KEY_ITEM));
1086
1087 if (sa->wpa.key_ver==AIRPDCAP_WPA_KEY_VER_NOT_CCMP)
1088 key->KeyType=AIRPDCAP_KEY_TYPE_TKIP;
1089 else if (sa->wpa.key_ver==AIRPDCAP_WPA_KEY_VER_AES_CCMP)
1090 key->KeyType=AIRPDCAP_KEY_TYPE_CCMP;
1091 }
1092
1093 return AIRPDCAP_RET_SUCCESS;
1094 }
1095
1096 static INT
1097 AirPDcapWepMng(
1098 PAIRPDCAP_CONTEXT ctx,
1099 UCHAR *decrypt_data,
1100 guint mac_header_len,
1101 guint *decrypt_len,
1102 PAIRPDCAP_KEY_ITEM key,
1103 AIRPDCAP_SEC_ASSOCIATION *sa,
1104 INT offset)
1105 {
1106 UCHAR wep_key[AIRPDCAP_WEP_KEY_MAXLEN+AIRPDCAP_WEP_IVLEN];
1107 size_t keylen;
1108 INT ret_value=1;
1109 INT key_index;
1110 AIRPDCAP_KEY_ITEM *tmp_key;
1111 UINT8 useCache=FALSE;
1112 UCHAR *try_data;
1113 guint try_data_len = *decrypt_len;
1114
1115 try_data = (UCHAR *)ep_alloc(try_data_len);
1116
1117 if (sa->key!=NULL)
1118 useCache=TRUE;
1119
1120 for (key_index=0; key_index<(INT)ctx->keys_nr; key_index++) {
1121 /* use the cached one, or try all keys */
1122 if (!useCache) {
1123 tmp_key=&ctx->keys[key_index];
1124 } else {
1125 if (sa->key!=NULL && sa->key->KeyType==AIRPDCAP_KEY_TYPE_WEP) {
1126 AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapWepMng", "Try cached WEP key...", AIRPDCAP_DEBUG_LEVEL_3);
1127 tmp_key=sa->key;
1128 } else {
1129 AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapWepMng", "Cached key is not valid, try another WEP key...", AIRPDCAP_DEBUG_LEVEL_3);
1130 tmp_key=&ctx->keys[key_index];
1131 }
1132 }
1133
1134 /* obviously, try only WEP keys... */
1135 if (tmp_key->KeyType==AIRPDCAP_KEY_TYPE_WEP)
1136 {
1137 AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapWepMng", "Try WEP key...", AIRPDCAP_DEBUG_LEVEL_3);
1138
1139 memset(wep_key, 0, sizeof(wep_key));
1140 memcpy(try_data, decrypt_data, *decrypt_len);
1141
1142 /* Costruct the WEP seed: copy the IV in first 3 bytes and then the WEP key (refer to 802-11i-2004, 8.2.1.4.3, pag. 36) */
1143 memcpy(wep_key, try_data+mac_header_len, AIRPDCAP_WEP_IVLEN);
1144 keylen=tmp_key->KeyData.Wep.WepKeyLen;
1145 memcpy(wep_key+AIRPDCAP_WEP_IVLEN, tmp_key->KeyData.Wep.WepKey, keylen);
1146
1147 ret_value=AirPDcapWepDecrypt(wep_key,
1148 keylen+AIRPDCAP_WEP_IVLEN,
1149 try_data + (mac_header_len+AIRPDCAP_WEP_IVLEN+AIRPDCAP_WEP_KIDLEN),
1150 *decrypt_len-(mac_header_len+AIRPDCAP_WEP_IVLEN+AIRPDCAP_WEP_KIDLEN+AIRPDCAP_CRC_LEN));
1151
1152 if (ret_value == AIRPDCAP_RET_SUCCESS)
1153 memcpy(decrypt_data, try_data, *decrypt_len);
1154 }
1155
1156 if (!ret_value && tmp_key->KeyType==AIRPDCAP_KEY_TYPE_WEP) {
1157 /* the tried key is the correct one, cached in the Security Association */
1158
1159 sa->key=tmp_key;
1160
1161 if (key!=NULL) {
1162 memcpy(key, &sa->key, sizeof(AIRPDCAP_KEY_ITEM));
1163 key->KeyType=AIRPDCAP_KEY_TYPE_WEP;
1164 }
1165
1166 break;
1167 } else {
1168 /* the cached key was not valid, try other keys */
1169
1170 if (useCache==TRUE) {
1171 useCache=FALSE;
1172 key_index--;
1173 }
1174 }
1175 }
1176
1177 if (ret_value)
1178 return ret_value;
1179
1180 AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapWepMng", "WEP DECRYPTED!!!", AIRPDCAP_DEBUG_LEVEL_3);
1181
1182 /* remove ICV (4bytes) from the end of packet */
1183 *decrypt_len-=4;
1184
1185 if (*decrypt_len < 4) {
1186 AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapWepMng", "Decryption length too short", AIRPDCAP_DEBUG_LEVEL_3);
1187 return AIRPDCAP_RET_UNSUCCESS;
1188 }
1189
1190 /* remove protection bit */
1191 decrypt_data[1]&=0xBF;
1192
1193 /* remove IC header */
1194 offset = mac_header_len;
1195 *decrypt_len-=4;
1196 memcpy(decrypt_data+offset, decrypt_data+offset+AIRPDCAP_WEP_IVLEN+AIRPDCAP_WEP_KIDLEN, *decrypt_len-offset);
1197
1198 return AIRPDCAP_RET_SUCCESS;
1199 }
1200
1201 /* Refer to IEEE 802.11i-2004, 8.5.3, pag. 85 */
1202 static INT
1203 AirPDcapRsna4WHandshake(
1204 PAIRPDCAP_CONTEXT ctx,
1205 const UCHAR *data,
1206 AIRPDCAP_SEC_ASSOCIATION *sa,
1207 PAIRPDCAP_KEY_ITEM key,
1208 INT offset)
1209 {
1210 AIRPDCAP_KEY_ITEM *tmp_key, *tmp_pkt_key, pkt_key;
1211 AIRPDCAP_SEC_ASSOCIATION *tmp_sa;
1212 INT key_index;
1213 INT ret_value=1;
1214 UCHAR useCache=FALSE;
1215 UCHAR eapol[AIRPDCAP_EAPOL_MAX_LEN];
1216 USHORT eapol_len;
1217
1218 if (sa->key!=NULL)
1219 useCache=TRUE;
1220
1221 /* a 4-way handshake packet use a Pairwise key type (IEEE 802.11i-2004, pg. 79) */
1222 if (AIRPDCAP_EAP_KEY(data[offset+1])!=1) {
1223 AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapRsna4WHandshake", "Group/STAKey message (not used)", AIRPDCAP_DEBUG_LEVEL_5);
1224 return AIRPDCAP_RET_NO_VALID_HANDSHAKE;
1225 }
1226
1227 /* TODO timeouts? */
1228
1229 /* This saves the sa since we are reauthenticating which will overwrite our current sa GCS*/
1230 if(sa->handshake == 4) {
1231 tmp_sa=(AIRPDCAP_SEC_ASSOCIATION *)se_alloc(sizeof(AIRPDCAP_SEC_ASSOCIATION));
1232 memcpy(tmp_sa, sa, sizeof(AIRPDCAP_SEC_ASSOCIATION));
1233 sa->next=tmp_sa;
1234 }
1235
1236 /* TODO consider key-index */
1237
1238 /* TODO considera Deauthentications */
1239
1240 AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapRsna4WHandshake", "4-way handshake...", AIRPDCAP_DEBUG_LEVEL_5);
1241
1242 /* manage 4-way handshake packets; this step completes the 802.1X authentication process (IEEE 802.11i-2004, pag. 85) */
1243
1244 /* message 1: Authenticator->Supplicant (Sec=0, Mic=0, Ack=1, Inst=0, Key=1(pairwise), KeyRSC=0, Nonce=ANonce, MIC=0) */
1245 if (AIRPDCAP_EAP_INST(data[offset+1])==0 &&
1246 AIRPDCAP_EAP_ACK(data[offset+1])==1 &&
1247 AIRPDCAP_EAP_MIC(data[offset])==0)
1248 {
1249 AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapRsna4WHandshake", "4-way handshake message 1", AIRPDCAP_DEBUG_LEVEL_3);
1250
1251 /* On reception of Message 1, the Supplicant determines whether the Key Replay Counter field value has been */
1252 /* used before with the current PMKSA. If the Key Replay Counter field value is less than or equal to the current */
1253 /* local value, the Supplicant discards the message. */
1254 /* -> not checked, the Authenticator will be send another Message 1 (hopefully!) */
1255
1256 /* save ANonce (from authenticator) to derive the PTK with the SNonce (from the 2 message) */
1257 memcpy(sa->wpa.nonce, data+offset+12, 32);
1258
1259 /* get the Key Descriptor Version (to select algorithm used in decryption -CCMP or TKIP-) */
1260 sa->wpa.key_ver=AIRPDCAP_EAP_KEY_DESCR_VER(data[offset+1]);
1261
1262 sa->handshake=1;
1263
1264 return AIRPDCAP_RET_SUCCESS_HANDSHAKE;
1265 }
1266
1267 /* message 2|4: Supplicant->Authenticator (Sec=0|1, Mic=1, Ack=0, Inst=0, Key=1(pairwise), KeyRSC=0, Nonce=SNonce|0, MIC=MIC(KCK,EAPOL)) */
1268 if (AIRPDCAP_EAP_INST(data[offset+1])==0 &&
1269 AIRPDCAP_EAP_ACK(data[offset+1])==0 &&
1270 AIRPDCAP_EAP_MIC(data[offset])==1)
1271 {
1272 if (AIRPDCAP_EAP_SEC(data[offset])==0) {
1273
1274 /* PATCH: some implementations set secure bit to 0 also in the 4th message */
1275 /* to recognize which message is this check if wep_key data length is 0 */
1276 /* in the 4th message */
1277 if (data[offset+92]!=0 || data[offset+93]!=0) {
1278 /* message 2 */
1279 AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapRsna4WHandshake", "4-way handshake message 2", AIRPDCAP_DEBUG_LEVEL_3);
1280
1281 /* On reception of Message 2, the Authenticator checks that the key replay counter corresponds to the */
1282 /* outstanding Message 1. If not, it silently discards the message. */
1283 /* If the calculated MIC does not match the MIC that the Supplicant included in the EAPOL-Key frame, */
1284 /* the Authenticator silently discards Message 2. */
1285 /* -> not checked; the Supplicant will send another message 2 (hopefully!) */
1286
1287 /* now you can derive the PTK */
1288 for (key_index=0; key_index<(INT)ctx->keys_nr || useCache; key_index++) {
1289 /* use the cached one, or try all keys */
1290 if (!useCache) {
1291 AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapRsna4WHandshake", "Try WPA key...", AIRPDCAP_DEBUG_LEVEL_3);
1292 tmp_key=&ctx->keys[key_index];
1293 } else {
1294 /* there is a cached key in the security association, if it's a WPA key try it... */
1295 if (sa->key!=NULL &&
1296 (sa->key->KeyType==AIRPDCAP_KEY_TYPE_WPA_PWD ||
1297 sa->key->KeyType==AIRPDCAP_KEY_TYPE_WPA_PSK ||
1298 sa->key->KeyType==AIRPDCAP_KEY_TYPE_WPA_PMK)) {
1299 AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapRsna4WHandshake", "Try cached WPA key...", AIRPDCAP_DEBUG_LEVEL_3);
1300 tmp_key=sa->key;
1301 } else {
1302 AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapRsna4WHandshake", "Cached key is of a wrong type, try WPA key...", AIRPDCAP_DEBUG_LEVEL_3);
1303 tmp_key=&ctx->keys[key_index];
1304 }
1305 }
1306
1307 /* obviously, try only WPA keys... */
1308 if (tmp_key->KeyType==AIRPDCAP_KEY_TYPE_WPA_PWD ||
1309 tmp_key->KeyType==AIRPDCAP_KEY_TYPE_WPA_PSK ||
1310 tmp_key->KeyType==AIRPDCAP_KEY_TYPE_WPA_PMK)
1311 {
1312 if (tmp_key->KeyType == AIRPDCAP_KEY_TYPE_WPA_PWD && tmp_key->UserPwd.SsidLen == 0 && ctx->pkt_ssid_len > 0 && ctx->pkt_ssid_len <= AIRPDCAP_WPA_SSID_MAX_LEN) {
1313 /* We have a "wildcard" SSID. Use the one from the packet. */
1314 memcpy(&pkt_key, tmp_key, sizeof(pkt_key));
1315 memcpy(&pkt_key.UserPwd.Ssid, ctx->pkt_ssid, ctx->pkt_ssid_len);
1316 pkt_key.UserPwd.SsidLen = ctx->pkt_ssid_len;
1317 AirPDcapRsnaPwd2Psk(pkt_key.UserPwd.Passphrase, pkt_key.UserPwd.Ssid,
1318 pkt_key.UserPwd.SsidLen, pkt_key.KeyData.Wpa.Psk);
1319 tmp_pkt_key = &pkt_key;
1320 } else {
1321 tmp_pkt_key = tmp_key;
1322 }
1323
1324 /* derive the PTK from the BSSID, STA MAC, PMK, SNonce, ANonce */
1325 AirPDcapRsnaPrfX(sa, /* authenticator nonce, bssid, station mac */
1326 tmp_pkt_key->KeyData.Wpa.Pmk, /* PMK */
1327 data+offset+12, /* supplicant nonce */
1328 512,
1329 sa->wpa.ptk);
1330
1331 /* verify the MIC (compare the MIC in the packet included in this message with a MIC calculated with the PTK) */
1332 eapol_len=pntohs(data+offset-3)+4;
1333 memcpy(eapol, &data[offset-5], (eapol_len<AIRPDCAP_EAPOL_MAX_LEN?eapol_len:AIRPDCAP_EAPOL_MAX_LEN));
1334 ret_value=AirPDcapRsnaMicCheck(eapol, /* eapol frame (header also) */
1335 eapol_len, /* eapol frame length */
1336 sa->wpa.ptk, /* Key Confirmation Key */
1337 AIRPDCAP_EAP_KEY_DESCR_VER(data[offset+1])); /* EAPOL-Key description version */
1338
1339 /* If the MIC is valid, the Authenticator checks that the RSN information element bit-wise matches */
1340 /* that from the (Re)Association Request message. */
1341 /* i) TODO If these are not exactly the same, the Authenticator uses MLME-DEAUTHENTICATE.request */
1342 /* primitive to terminate the association. */
1343 /* ii) If they do match bit-wise, the Authenticator constructs Message 3. */
1344 }
1345
1346 if (!ret_value &&
1347 (tmp_key->KeyType==AIRPDCAP_KEY_TYPE_WPA_PWD ||
1348 tmp_key->KeyType==AIRPDCAP_KEY_TYPE_WPA_PSK ||
1349 tmp_key->KeyType==AIRPDCAP_KEY_TYPE_WPA_PMK))
1350 {
1351 /* the temporary key is the correct one, cached in the Security Association */
1352
1353 sa->key=tmp_key;
1354
1355 if (key!=NULL) {
1356 memcpy(key, &tmp_key, sizeof(AIRPDCAP_KEY_ITEM));
1357 if (AIRPDCAP_EAP_KEY_DESCR_VER(data[offset+1])==AIRPDCAP_WPA_KEY_VER_NOT_CCMP)
1358 key->KeyType=AIRPDCAP_KEY_TYPE_TKIP;
1359 else if (AIRPDCAP_EAP_KEY_DESCR_VER(data[offset+1])==AIRPDCAP_WPA_KEY_VER_AES_CCMP)
1360 key->KeyType=AIRPDCAP_KEY_TYPE_CCMP;
1361 }
1362
1363 break;
1364 } else {
1365 /* the cached key was not valid, try other keys */
1366
1367 if (useCache==TRUE) {
1368 useCache=FALSE;
1369 key_index--;
1370 }
1371 }
1372 }
1373
1374 if (ret_value) {
1375 AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapRsna4WHandshake", "handshake step failed", AIRPDCAP_DEBUG_LEVEL_3);
1376 return AIRPDCAP_RET_NO_VALID_HANDSHAKE;
1377 }
1378
1379 sa->handshake=2;
1380
1381 return AIRPDCAP_RET_SUCCESS_HANDSHAKE;
1382 } else {
1383 /* message 4 */
1384
1385 /* TODO "Note that when the 4-Way Handshake is first used Message 4 is sent in the clear." */
1386
1387 /* TODO check MIC and Replay Counter */
1388 /* On reception of Message 4, the Authenticator verifies that the Key Replay Counter field value is one */
1389 /* that it used on this 4-Way Handshake; if it is not, it silently discards the message. */
1390 /* If the calculated MIC does not match the MIC that the Supplicant included in the EAPOL-Key frame, the */
1391 /* Authenticator silently discards Message 4. */
1392
1393 AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapRsna4WHandshake", "4-way handshake message 4 (patched)", AIRPDCAP_DEBUG_LEVEL_3);
1394
1395 sa->handshake=4;
1396
1397 sa->validKey=TRUE;
1398
1399 return AIRPDCAP_RET_SUCCESS_HANDSHAKE;
1400 }
1401 /* END OF PATCH */
1402 /* */
1403 } else {
1404 /* message 4 */
1405
1406 /* TODO "Note that when the 4-Way Handshake is first used Message 4 is sent in the clear." */
1407
1408 /* TODO check MIC and Replay Counter */
1409 /* On reception of Message 4, the Authenticator verifies that the Key Replay Counter field value is one */
1410 /* that it used on this 4-Way Handshake; if it is not, it silently discards the message. */
1411 /* If the calculated MIC does not match the MIC that the Supplicant included in the EAPOL-Key frame, the */
1412 /* Authenticator silently discards Message 4. */
1413
1414 AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapRsna4WHandshake", "4-way handshake message 4", AIRPDCAP_DEBUG_LEVEL_3);
1415
1416 sa->handshake=4;
1417
1418 sa->validKey=TRUE;
1419
1420 return AIRPDCAP_RET_SUCCESS_HANDSHAKE;
1421 }
1422 }
1423
1424 /* message 3: Authenticator->Supplicant (Sec=1, Mic=1, Ack=1, Inst=0/1, Key=1(pairwise), KeyRSC=???, Nonce=ANonce, MIC=1) */
1425 if (AIRPDCAP_EAP_ACK(data[offset+1])==1 &&
1426 AIRPDCAP_EAP_MIC(data[offset])==1)
1427 {
1428 const EAPOL_RSN_KEY *pEAPKey;
1429 AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapRsna4WHandshake", "4-way handshake message 3", AIRPDCAP_DEBUG_LEVEL_3);
1430
1431 /* On reception of Message 3, the Supplicant silently discards the message if the Key Replay Counter field */
1432 /* value has already been used or if the ANonce value in Message 3 differs from the ANonce value in Message 1. */
1433 /* -> not checked, the Authenticator will send another message 3 (hopefully!) */
1434
1435 /* TODO check page 88 (RNS) */
1436
1437 /* If using WPA2 PSK, message 3 will contain an RSN for the group key (GTK KDE).
1438 In order to properly support decrypting WPA2-PSK packets, we need to parse this to get the group key. */
1439 pEAPKey = (const EAPOL_RSN_KEY *)(&(data[offset-1]));
1440 if (pEAPKey->type == AIRPDCAP_RSN_WPA2_KEY_DESCRIPTOR){
1441 PAIRPDCAP_SEC_ASSOCIATION broadcast_sa;
1442 AIRPDCAP_SEC_ASSOCIATION_ID id;
1443
1444 /* Get broadcacst SA for the current BSSID */
1445 memcpy(id.sta, broadcast_mac, AIRPDCAP_MAC_LEN);
1446 memcpy(id.bssid, sa->saId.bssid, AIRPDCAP_MAC_LEN);
1447 broadcast_sa = AirPDcapGetSaPtr(ctx, &id);
1448
1449 if (broadcast_sa == NULL){
1450 return AIRPDCAP_RET_UNSUCCESS;
1451 }
1452 AirPDcapDecryptWPABroadcastKey(pEAPKey, sa->wpa.ptk+16, broadcast_sa);
1453 }
1454
1455 return AIRPDCAP_RET_SUCCESS_HANDSHAKE;
1456 }
1457
1458 return AIRPDCAP_RET_UNSUCCESS;
1459 }
1460
1461 static INT
1462 AirPDcapRsnaMicCheck(
1463 UCHAR *eapol,
1464 USHORT eapol_len,
1465 UCHAR KCK[AIRPDCAP_WPA_KCK_LEN],
1466 USHORT key_ver)
1467 {
1468 UCHAR mic[AIRPDCAP_WPA_MICKEY_LEN];
1469 UCHAR c_mic[20]; /* MIC 16 byte, the HMAC-SHA1 use a buffer of 20 bytes */
1470
1471 /* copy the MIC from the EAPOL packet */
1472 memcpy(mic, eapol+AIRPDCAP_WPA_MICKEY_OFFSET+4, AIRPDCAP_WPA_MICKEY_LEN);
1473
1474 /* set to 0 the MIC in the EAPOL packet (to calculate the MIC) */
1475 memset(eapol+AIRPDCAP_WPA_MICKEY_OFFSET+4, 0, AIRPDCAP_WPA_MICKEY_LEN);
1476
1477 if (key_ver==AIRPDCAP_WPA_KEY_VER_NOT_CCMP) {
1478 /* use HMAC-MD5 for the EAPOL-Key MIC */
1479 md5_hmac(eapol, eapol_len, KCK, AIRPDCAP_WPA_KCK_LEN, c_mic);
1480 } else if (key_ver==AIRPDCAP_WPA_KEY_VER_AES_CCMP) {
1481 /* use HMAC-SHA1-128 for the EAPOL-Key MIC */
1482 sha1_hmac(KCK, AIRPDCAP_WPA_KCK_LEN, eapol, eapol_len, c_mic);
1483 } else
1484 /* key descriptor version not recognized */
1485 return AIRPDCAP_RET_UNSUCCESS;
1486
1487 /* compare calculated MIC with the Key MIC and return result (0 means success) */
1488 return memcmp(mic, c_mic, AIRPDCAP_WPA_MICKEY_LEN);
1489 }
1490
1491 static INT
1492 AirPDcapValidateKey(
1493 PAIRPDCAP_KEY_ITEM key)
1494 {
1495 size_t len;
1496 UCHAR ret=TRUE;
1497 AIRPDCAP_DEBUG_TRACE_START("AirPDcapValidateKey");
1498
1499 if (key==NULL) {
1500 AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapValidateKey", "NULL key", AIRPDCAP_DEBUG_LEVEL_5);
1501 AIRPDCAP_DEBUG_TRACE_START("AirPDcapValidateKey");
1502 return FALSE;
1503 }
1504
1505 switch (key->KeyType) {
1506 case AIRPDCAP_KEY_TYPE_WEP:
1507 /* check key size limits */
1508 len=key->KeyData.Wep.WepKeyLen;
1509 if (len<AIRPDCAP_WEP_KEY_MINLEN || len>AIRPDCAP_WEP_KEY_MAXLEN) {
1510 AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapValidateKey", "WEP key: key length not accepted", AIRPDCAP_DEBUG_LEVEL_5);
1511 ret=FALSE;
1512 }
1513 break;
1514
1515 case AIRPDCAP_KEY_TYPE_WEP_40:
1516 /* set the standard length and use a generic WEP key type */
1517 key->KeyData.Wep.WepKeyLen=AIRPDCAP_WEP_40_KEY_LEN;
1518 key->KeyType=AIRPDCAP_KEY_TYPE_WEP;
1519 break;
1520
1521 case AIRPDCAP_KEY_TYPE_WEP_104:
1522 /* set the standard length and use a generic WEP key type */
1523 key->KeyData.Wep.WepKeyLen=AIRPDCAP_WEP_104_KEY_LEN;
1524 key->KeyType=AIRPDCAP_KEY_TYPE_WEP;
1525 break;
1526
1527 case AIRPDCAP_KEY_TYPE_WPA_PWD:
1528 /* check passphrase and SSID size limits */
1529 len=strlen(key->UserPwd.Passphrase);
1530 if (len<AIRPDCAP_WPA_PASSPHRASE_MIN_LEN || len>AIRPDCAP_WPA_PASSPHRASE_MAX_LEN) {
1531 AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapValidateKey", "WPA-PWD key: passphrase length not accepted", AIRPDCAP_DEBUG_LEVEL_5);
1532 ret=FALSE;
1533 }
1534
1535 len=key->UserPwd.SsidLen;
1536 if (len>AIRPDCAP_WPA_SSID_MAX_LEN) {
1537 AIRPDCAP_DEBUG_PRINT_LINE("AirPDcapValidateKey", "WPA-PWD key: ssid length not accepted", AIRPDCAP_DEBUG_LEVEL_5);
1538 ret=FALSE;
1539 }
1540
1541 break;
1542
1543 case AIRPDCAP_KEY_TYPE_WPA_PSK:
1544 break;
1545
1546 case AIRPDCAP_KEY_TYPE_WPA_PMK:
1547 break;
1548
1549 default:
1550 ret=FALSE;
1551 }
1552
1553 AIRPDCAP_DEBUG_TRACE_END("AirPDcapValidateKey");
1554 return ret;
1555 }
1556
1557 static INT
1558 AirPDcapGetSa(
1559 PAIRPDCAP_CONTEXT ctx,
1560 AIRPDCAP_SEC_ASSOCIATION_ID *id)
1561 {
1562 INT sa_index;
1563
1564 if (ctx->sa_index!=-1) {
1565 /* at least one association was stored */
1566 /* search for the association from sa_index to 0 (most recent added) */
1567 for (sa_index=ctx->sa_index; sa_index>=0; sa_index--) {
1568 if (ctx->sa[sa_index].used) {
1569 if (memcmp(id, &(ctx->sa[sa_index].saId), sizeof(AIRPDCAP_SEC_ASSOCIATION_ID))==0) {
1570 ctx->index=sa_index;
1571 return sa_index;
1572 }
1573 }
1574 }
1575 }
1576
1577 return -1;
1578 }
1579
1580 static INT
1581 AirPDcapStoreSa(
1582 PAIRPDCAP_CONTEXT ctx,
1583 AIRPDCAP_SEC_ASSOCIATION_ID *id)
1584 {
1585 INT last_free;
1586
1587 if (ctx->sa[ctx->first_free_index].used) {
1588 /* last addition was in the middle of the array (and the first_free_index was just incremented by 1) */
1589 /* search for a free space from the first_free_index to AIRPDCAP_STA_INFOS_NR (to avoid free blocks in */
1590 /* the middle) */
1591 for (last_free=ctx->first_free_index; last_free<AIRPDCAP_MAX_SEC_ASSOCIATIONS_NR; last_free++)
1592 if (!ctx->sa[last_free].used)
1593 break;
1594
1595 if (last_free>=AIRPDCAP_MAX_SEC_ASSOCIATIONS_NR) {
1596 /* there is no empty space available. FAILURE */
1597 return -1;
1598 }
1599
1600 /* store first free space index */
1601 ctx->first_free_index=last_free;
1602 }
1603
1604 /* use this info */
1605 ctx->index=ctx->first_free_index;
1606
1607 /* reset the info structure */
1608 memset(ctx->sa+ctx->index, 0, sizeof(AIRPDCAP_SEC_ASSOCIATION));
1609
1610 ctx->sa[ctx->index].used=1;
1611
1612 /* set the info structure */
1613 memcpy(&(ctx->sa[ctx->index].saId), id, sizeof(AIRPDCAP_SEC_ASSOCIATION_ID));
1614
1615 /* increment by 1 the first_free_index (heuristic) */
1616 ctx->first_free_index++;
1617
1618 /* set the sa_index if the added index is greater the the sa_index */
1619 if (ctx->index > ctx->sa_index)
1620 ctx->sa_index=ctx->index;
1621
1622 return ctx->index;
1623 }
1624
1625 /*
1626 * AirPDcapGetBssidAddress() and AirPDcapGetBssidAddress() are used for
1627 * key caching. In each case, it's more important to return a value than
1628 * to return a _correct_ value, so we fudge addresses in some cases, e.g.
1629 * the BSSID in bridged connections.
1630 * FromDS ToDS Sta BSSID
1631 * 0 0 addr2 addr3
1632 * 0 1 addr2 addr1
1633 * 1 0 addr1 addr2
1634 * 1 1 addr2 addr1
1635 */
1636
1637 static const UCHAR *
1638 AirPDcapGetStaAddress(
1639 const AIRPDCAP_MAC_FRAME_ADDR4 *frame)
1640 {
1641 switch(AIRPDCAP_DS_BITS(frame->fc[1])) { /* Bit 1 = FromDS, bit 0 = ToDS */
1642 case 0:
1643 case 1:
1644 return frame->addr2;
1645 case 2:
1646 return frame->addr1;
1647 case 3:
1648 if (memcmp(frame->addr1, frame->addr2, AIRPDCAP_MAC_LEN) < 0)
1649 return frame->addr1;
1650 else
1651 return frame->addr2;
1652
1653 default:
1654 return NULL;
1655 }
1656 }
1657
1658 static const UCHAR *
1659 AirPDcapGetBssidAddress(
1660 const AIRPDCAP_MAC_FRAME_ADDR4 *frame)
1661 {
1662 switch(AIRPDCAP_DS_BITS(frame->fc[1])) { /* Bit 1 = FromDS, bit 0 = ToDS */
1663 case 0:
1664 return frame->addr3;
1665 case 1:
1666 return frame->addr1;
1667 case 2:
1668 return frame->addr2;
1669 case 3:
1670 if (memcmp(frame->addr1, frame->addr2, AIRPDCAP_MAC_LEN) > 0)
1671 return frame->addr1;
1672 else
1673 return frame->addr2;
1674
1675 default:
1676 return NULL;
1677 }
1678 }
1679
1680 /* Function used to derive the PTK. Refer to IEEE 802.11I-2004, pag. 74 */
1681 static void
1682 AirPDcapRsnaPrfX(
1683 AIRPDCAP_SEC_ASSOCIATION *sa,
1684 const UCHAR pmk[32],
1685 const UCHAR snonce[32],
1686 const INT x, /* for TKIP 512, for CCMP 384 */
1687 UCHAR *ptk)
1688 {
1689 UINT8 i;
1690 UCHAR R[100];
1691 INT offset=sizeof("Pairwise key expansion");
1692
1693 memset(R, 0, 100);
1694
1695 memcpy(R, "Pairwise key expansion", offset);
1696
1697 /* Min(AA, SPA) || Max(AA, SPA) */
1698 if (memcmp(sa->saId.sta, sa->saId.bssid, AIRPDCAP_MAC_LEN) < 0)
1699 {
1700 memcpy(R + offset, sa->saId.sta, AIRPDCAP_MAC_LEN);
1701 memcpy(R + offset+AIRPDCAP_MAC_LEN, sa->saId.bssid, AIRPDCAP_MAC_LEN);
1702 }
1703 else
1704 {
1705 memcpy(R + offset, sa->saId.bssid, AIRPDCAP_MAC_LEN);
1706 memcpy(R + offset+AIRPDCAP_MAC_LEN, sa->saId.sta, AIRPDCAP_MAC_LEN);
1707 }
1708
1709 offset+=AIRPDCAP_MAC_LEN*2;
1710
1711 /* Min(ANonce,SNonce) || Max(ANonce,SNonce) */
1712 if( memcmp(snonce, sa->wpa.nonce, 32) < 0 )
1713 {
1714 memcpy(R + offset, snonce, 32);
1715 memcpy(R + offset + 32, sa->wpa.nonce, 32);
1716 }
1717 else
1718 {
1719 memcpy(R + offset, sa->wpa.nonce, 32);
1720 memcpy(R + offset + 32, snonce, 32);
1721 }
1722
1723 offset+=32*2;
1724
1725 for(i = 0; i < (x+159)/160; i++)
1726 {
1727 R[offset] = i;
1728 sha1_hmac(pmk, 32, R, 100, ptk + i * 20);
1729 }
1730 }
1731
1732 static INT
1733 AirPDcapRsnaPwd2PskStep(
1734 const guint8 *ppBytes,
1735 const guint ppLength,
1736 const CHAR *ssid,
1737 const size_t ssidLength,
1738 const INT iterations,
1739 const INT count,
1740 UCHAR *output)
1741 {
1742 UCHAR digest[64], digest1[64];
1743 INT i, j;
1744
1745 if (ssidLength+4 > 36)
1746 return AIRPDCAP_RET_UNSUCCESS;
1747
1748 memset(digest, 0, 64);
1749 memset(digest1, 0, 64);
1750
1751 /* U1 = PRF(P, S || INT(i)) */
1752 memcpy(digest, ssid, ssidLength);
1753 digest[ssidLength] = (UCHAR)((count>>24) & 0xff);
1754 digest[ssidLength+1] = (UCHAR)((count>>16) & 0xff);
1755 digest[ssidLength+2] = (UCHAR)((count>>8) & 0xff);
1756 digest[ssidLength+3] = (UCHAR)(count & 0xff);
1757 sha1_hmac(ppBytes, ppLength, digest, (guint32) ssidLength+4, digest1);
1758
1759 /* output = U1 */
1760 memcpy(output, digest1, AIRPDCAP_SHA_DIGEST_LEN);
1761 for (i = 1; i < iterations; i++) {
1762 /* Un = PRF(P, Un-1) */
1763 sha1_hmac(ppBytes, ppLength, digest1, AIRPDCAP_SHA_DIGEST_LEN, digest);
1764
1765 memcpy(digest1, digest, AIRPDCAP_SHA_DIGEST_LEN);
1766 /* output = output xor Un */
1767 for (j = 0; j < AIRPDCAP_SHA_DIGEST_LEN; j++) {
1768 output[j] ^= digest[j];
1769 }
1770 }
1771
1772 return AIRPDCAP_RET_SUCCESS;
1773 }
1774
1775 static INT
1776 AirPDcapRsnaPwd2Psk(
1777 const CHAR *passphrase,
1778 const CHAR *ssid,
1779 const size_t ssidLength,
1780 UCHAR *output)
1781 {
1782 UCHAR m_output[AIRPDCAP_WPA_PSK_LEN];
1783 GByteArray *pp_ba = g_byte_array_new();
1784
1785 memset(m_output, 0, AIRPDCAP_WPA_PSK_LEN);
1786
1787 if (!uri_str_to_bytes(passphrase, pp_ba)) {
1788 g_byte_array_free(pp_ba, TRUE);
1789 return 0;
1790 }
1791
1792 AirPDcapRsnaPwd2PskStep(pp_ba->data, pp_ba->len, ssid, ssidLength, 4096, 1, m_output);
1793 AirPDcapRsnaPwd2PskStep(pp_ba->data, pp_ba->len, ssid, ssidLength, 4096, 2, &m_output[AIRPDCAP_SHA_DIGEST_LEN]);
1794
1795 memcpy(output, m_output, AIRPDCAP_WPA_PSK_LEN);
1796 g_byte_array_free(pp_ba, TRUE);
1797
1798 return 0;
1799 }
1800
1801 /*
1802 * Returns the decryption_key_t struct given a string describing the key.
1803 * Returns NULL if the input_string cannot be parsed.
1804 */
1805 decryption_key_t*
1806 parse_key_string(gchar* input_string, guint8 key_type)
1807 {
1808 gchar *key;
1809 gchar *ssid;
1810
1811 GString *key_string = NULL;
1812 GByteArray *ssid_ba = NULL, *key_ba;
1813 gboolean res;
1814
1815 gchar **tokens;
1816 guint n = 0;
1817 decryption_key_t *dk;
1818
1819 if(input_string == NULL)
1820 return NULL;
1821
1822 /*
1823 * Parse the input_string. WEP and WPA will be just a string
1824 * of hexadecimal characters (if key is wrong, null will be
1825 * returned...).
1826 * WPA-PWD should be in the form
1827 * <key data>[:<ssid>]
1828 */
1829
1830 switch(key_type)
1831 {
1832 case AIRPDCAP_KEY_TYPE_WEP:
1833 case AIRPDCAP_KEY_TYPE_WEP_40:
1834 case AIRPDCAP_KEY_TYPE_WEP_104:
1835
1836 key_ba = g_byte_array_new();
1837 res = hex_str_to_bytes(input_string, key_ba, FALSE);
1838
1839 if (res && key_ba->len > 0) {
1840 /* Key is correct! It was probably an 'old style' WEP key */
1841 /* Create the decryption_key_t structure, fill it and return it*/
1842 dk = (decryption_key_t *)g_malloc(sizeof(decryption_key_t));
1843
1844 dk->type = AIRPDCAP_KEY_TYPE_WEP;
1845 /* XXX - The current key handling code in the GUI requires
1846 * no separators and lower case */
1847 dk->key = g_string_new(bytes_to_str(key_ba->data, key_ba->len));
1848 g_string_ascii_down(dk->key);
1849 dk->bits = key_ba->len * 8;
1850 dk->ssid = NULL;
1851
1852 g_byte_array_free(key_ba, TRUE);
1853 return dk;
1854 }
1855
1856 /* Key doesn't work */
1857 g_byte_array_free(key_ba, TRUE);
1858 return NULL;
1859
1860 case AIRPDCAP_KEY_TYPE_WPA_PWD:
1861
1862 tokens = g_strsplit(input_string,":",0);
1863
1864 /* Tokens is a null termiated array of strings ... */
1865 while(tokens[n] != NULL)
1866 n++;
1867
1868 if(n < 1)
1869 {
1870 /* Free the array of strings */
1871 g_strfreev(tokens);
1872 return NULL;
1873 }
1874
1875 /*
1876 * The first token is the key
1877 */
1878 key = g_strdup(tokens[0]);
1879
1880 ssid = NULL;
1881 /* Maybe there is a second token (an ssid, if everything else is ok) */
1882 if(n >= 2)
1883 {
1884 ssid = g_strdup(tokens[1]);
1885 }
1886
1887 /* Create a new string */
1888 key_string = g_string_new(key);
1889 ssid_ba = NULL;
1890
1891 /* Two (or more) tokens mean that the user entered a WPA-PWD key ... */
1892 if( ((key_string->len) > WPA_KEY_MAX_CHAR_SIZE) || ((key_string->len) < WPA_KEY_MIN_CHAR_SIZE))
1893 {
1894 g_string_free(key_string, TRUE);
1895
1896 g_free(key);
1897 g_free(ssid);
1898
1899 /* Free the array of strings */
1900 g_strfreev(tokens);
1901 return NULL;
1902 }
1903
1904 if(ssid != NULL) /* more than two tokens found, means that the user specified the ssid */
1905 {
1906 ssid_ba = g_byte_array_new();
1907 if (! uri_str_to_bytes(ssid, ssid_ba)) {
1908 g_string_free(key_string, TRUE);
1909 g_byte_array_free(ssid_ba, TRUE);
1910 g_free(key);
1911 g_free(ssid);
1912 /* Free the array of strings */
1913 g_strfreev(tokens);
1914 return NULL;
1915 }
1916
1917 if(ssid_ba->len > WPA_SSID_MAX_CHAR_SIZE)
1918 {
1919 g_string_free(key_string, TRUE);
1920 g_byte_array_free(ssid_ba, TRUE);
1921
1922 g_free(key);
1923 g_free(ssid);
1924
1925 /* Free the array of strings */
1926 g_strfreev(tokens);
1927 return NULL;
1928 }
1929 }
1930
1931 /* Key was correct!!! Create the new decryption_key_t ... */
1932 dk = (decryption_key_t*)g_malloc(sizeof(decryption_key_t));
1933
1934 dk->type = AIRPDCAP_KEY_TYPE_WPA_PWD;
1935 dk->key = g_string_new(key);
1936 dk->bits = 256; /* This is the length of the array pf bytes that will be generated using key+ssid ...*/
1937 dk->ssid = byte_array_dup(ssid_ba); /* NULL if ssid_ba is NULL */
1938
1939 g_string_free(key_string, TRUE);
1940 if (ssid_ba != NULL)
1941 g_byte_array_free(ssid_ba, TRUE);
1942
1943 g_free(key);
1944 if(ssid != NULL)
1945 g_free(ssid);
1946
1947 /* Free the array of strings */
1948 g_strfreev(tokens);
1949 return dk;
1950
1951 case AIRPDCAP_KEY_TYPE_WPA_PSK:
1952
1953 key_ba = g_byte_array_new();
1954 res = hex_str_to_bytes(input_string, key_ba, FALSE);
1955
1956 /* Two tokens means that the user should have entered a WPA-BIN key ... */
1957 if(!res || ((key_ba->len) != WPA_PSK_KEY_SIZE))
1958 {
1959 g_byte_array_free(key_ba, TRUE);
1960
1961 /* No ssid has been created ... */
1962 return NULL;
1963 }
1964
1965 /* Key was correct!!! Create the new decryption_key_t ... */
1966 dk = (decryption_key_t*)g_malloc(sizeof(decryption_key_t));
1967
1968 dk->type = AIRPDCAP_KEY_TYPE_WPA_PSK;
1969 dk->key = g_string_new(input_string);
1970 dk->bits = (guint) dk->key->len * 4;
1971 dk->ssid = NULL;
1972
1973 g_byte_array_free(key_ba, TRUE);
1974 return dk;
1975 }
1976
1977 /* Type not supported */
1978 return NULL;
1979 }
1980
1981 /*
1982 * Returns a newly allocated string representing the given decryption_key_t
1983 * struct, or NULL if something is wrong...
1984 */
1985 gchar*
1986 get_key_string(decryption_key_t* dk)
1987 {
1988 gchar* output_string = NULL;
1989
1990 if(dk == NULL || dk->key == NULL)
1991 return NULL;
1992
1993 switch(dk->type) {
1994 case AIRPDCAP_KEY_TYPE_WEP:
1995 output_string = g_strdup(dk->key->str);
1996 break;
1997 case AIRPDCAP_KEY_TYPE_WPA_PWD:
1998 if(dk->ssid == NULL)
1999 output_string = g_strdup(dk->key->str);
2000 else
2001 output_string = g_strdup_printf("%s:%s",
2002 dk->key->str, format_uri(dk->ssid, ":"));
2003 break;
2004 case AIRPDCAP_KEY_TYPE_WPA_PMK:
2005 output_string = g_strdup(dk->key->str);
2006 break;
2007 default:
2008 return NULL;
2009 }
2010
2011 return output_string;
2012 }
2013
2014 #ifdef __cplusplus
2015 }
2016 #endif
2017
2018 /****************************************************************************/
2019
2020 /*
2021 * Editor modelines
2022 *
2023 * Local Variables:
2024 * c-basic-offset: 4
2025 * tab-width: 8
2026 * indent-tabs-mode: nil
2027 * End:
2028 *
2029 * ex: set shiftwidth=4 tabstop=8 expandtab:
2030 * :indentSize=4:tabSize=8:noTabs=true:
2031 */