Use QoS TID when building AAD for CCMP decryption
Fixes #190
mfontanini committed Mar 11, 2017
1 parent a71a3d2 commit ad0a1ca
Showing 2 changed files with 37 additions and 1 deletion.
6 changes: 6 additions & 0 deletions src/crypto.cpp
Expand Up @@ -355,6 +355,12 @@ SNAP* SessionKeys::ccmp_decrypt_unicast(const Dot11Data& dot11, RawPDU& raw) con
counter[14] = (total_sz >> 8) & 0xff;
counter[15] = total_sz & 0xff;

if (dot11.subtype() == Dot11::QOS_DATA_DATA) {
const uint32_t offset = (dot11.from_ds() && dot11.to_ds()) ? 30 : 24;
AAD[offset] = static_cast<const Dot11QoSData&>(dot11).qos_control() & 0x0f;
counter[1] = AAD[offset];
}

AES_encrypt(counter, MIC, &ctx);
xor_range(MIC, AAD, MIC, 16);
AES_encrypt(MIC, MIC, &ctx);
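Review bot: The `static_cast<const Dot11QoSData&>(dot11)` in the new QoS branch is guarded only by the frame's subtype field, so a `Dot11Data` whose subtype was set to `QOS_DATA_DATA` without actually being a `Dot11QoSData` would have `qos_control()` read a member the object does not have, which is undefined behaviour. Checking the dynamic type before the downcast would close that, e.g. `const Dot11QoSData* qos = dynamic_cast<const Dot11QoSData*>(&dot11);` followed by `if (qos) { ... }` (assuming RTTI is enabled for this build; otherwise compare the PDU type). The branch also matches only `QOS_DATA_DATA`, so any other QoS data subtype that carries a QoS control field would presumably still be authenticated with a zero priority and fail the MIC check. `AAD` and `counter` are declared outside the hunk, and the function body continues past it, so the bounds of `AAD[offset]` and whether the AAD length bytes account for the two QoS control bytes cannot be confirmed from here.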
32 changes: 31 additions & 1 deletion tests/src/wpa2_decrypt_test.cpp
Expand Up @@ -11,6 +11,7 @@
#include "dot11/dot11_data.h"
#include "udp.h"
#include "tcp.h"
#include "arp.h"

using namespace Tins;

Expand All @@ -21,8 +22,9 @@ class WPA2DecryptTest : public testing::Test {
public:
typedef HWAddress<6> address_type;
static const uint8_t ccmp_packets[7][652];
static const uint8_t ccmp_qos_packets[6][212];
static const uint8_t tkip_packets[7][211];
static const size_t ccmp_packets_size[], tkip_packets_size[];
static const size_t ccmp_packets_size[], ccmp_qos_packets_size[], tkip_packets_size[];

struct handshake {
handshake(const string& ssid, const address_type& bssid, const address_type& client_hw)
Expand Down Expand Up @@ -79,6 +81,15 @@ const uint8_t WPA2DecryptTest::ccmp_packets[7][652] = {
{0, 0, 24, 0, 142, 88, 0, 0, 16, 108, 108, 9, 192, 0, 100, 0, 0, 41, 0, 0, 190, 202, 53, 174, 8, 66, 44, 0, 0, 13, 147, 130, 54, 58, 0, 12, 65, 130, 178, 85, 0, 12, 65, 130, 178, 83, 240, 252, 1, 0, 0, 32, 0, 0, 0, 0, 119, 49, 71, 116, 105, 136, 85, 205, 132, 196, 180, 119, 142, 132, 254, 142, 107, 185, 34, 64, 127, 182, 129, 59, 98, 183, 207, 159, 167, 27, 149, 169, 74, 170, 255, 149, 57, 187, 223, 19, 162, 165, 18, 63, 50, 153, 100, 9, 247, 29, 231, 199, 141, 125, 148, 9, 183, 62, 244, 101, 50, 254, 146, 237, 122, 204, 152, 151, 197, 153, 31, 122, 219, 59, 230, 26, 123, 231, 100, 31, 201, 119, 175, 228, 12, 189, 233, 235, 65, 148, 46, 143, 49, 144, 44, 76, 79, 143, 126, 163, 219, 81, 122, 250, 102, 252, 179, 97, 116, 151, 128, 138, 29, 29, 171, 64, 93, 233, 245, 44, 35, 244, 249, 140, 160, 198, 188, 44, 120, 38, 104, 52, 107, 70, 115, 34, 239, 117, 195, 195, 20, 193, 85, 224, 22, 142, 205, 27, 155, 34, 62, 19, 32, 199, 200, 3, 59, 253, 188, 180, 177, 41, 150, 247, 98, 199, 127, 43, 239, 236, 116, 51, 19, 185, 188, 97, 156, 151, 64, 144, 20, 103, 61, 23, 210, 236, 235, 23, 216, 116, 121, 14, 191, 150, 210, 255, 195, 230, 167, 53, 254, 207, 35, 28, 18, 209, 240, 112, 156, 181, 151, 30, 81, 215, 6, 225, 106, 153, 48, 91, 102, 171, 115, 62, 46, 70, 255, 39, 183, 219, 199, 73, 97, 127, 92, 18, 153, 206, 150, 200, 7, 153, 82, 151, 34, 170, 177, 94, 178, 149, 202, 164, 210, 176, 112, 106, 73, 213, 101, 14, 195, 115, 168, 153, 217, 52, 76, 130, 116, 159, 226, 247, 234, 238, 6, 250, 141, 149, 133, 208, 40, 106, 172, 130, 187, 114, 216, 250, 124, 47, 4, 227, 198, 97, 125, 69, 2, 219, 87, 123, 79, 150, 116, 187, 239, 120, 236, 199, 185, 96, 30, 112, 233, 237, 179, 28, 46, 149, 102, 253, 150, 133, 179, 71, 7, 119, 201, 39, 196, 106, 251, 100, 195, 201, 47, 109, 227, 158, 27, 70, 207, 241, 222, 179, 225, 220, 189, 224, 97, 134, 11, 150, 127, 235, 224, 222, 110, 141, 224, 0, 167, 126, 72, 155, 185, 162, 128, 141, 120, 39, 165, 5, 211, 222, 20, 11, 129, 222, 142, 149, 130, 136, 
106, 105, 118, 135, 9, 220, 180, 196, 117, 66, 82, 215, 186, 107, 252, 85, 41, 131, 238, 85, 233, 197, 228, 157, 49, 42, 57, 52, 40, 235, 240, 208, 248, 180, 26, 153, 227, 223, 33, 247, 236, 162, 226, 253, 63, 144, 199, 157, 164, 56, 185, 19, 8, 197, 210, 129, 90, 177, 16, 119, 165, 208, 244, 247, 253, 121, 10, 51, 15, 215, 140, 231, 51, 198, 168, 11, 54, 126, 135, 145, 13, 161, 192, 119, 16, 184, 30, 235, 23, 133, 20, 247, 139, 30, 235, 110, 211, 13, 39, 76, 4, 153, 83, 236, 215, 52, 107, 75, 188, 73, 74, 60, 203, 80, 194, 127, 7, 65, 225, 195, 139, 166, 176, 22, 151, 54, 204, 159, 5, 254, 82, 145, 230, 163, 254, 191, 206, 29, 198, 78, 198, 232, 238, 247, 104, 245, 100, 67, 108, 90, 88, 177, 136, 32, 28, 76, 108, 195, 172, 251, 121, 158, 23, 52, 33, 118, 205, 239, 50, 163, 118, 65, 150, 69, 109, 152, 70, 31, 235, 102, 126, 254, 209, 228, 148, 203, 137, 34, 20, 69, 141, 180, 177, 154, 155, 35, 101, 1, 78, 207, 67, 117, 29, 104, 9, 244, 3, 220, 131, 61, 190, 202, 53, 174}
};

const uint8_t WPA2DecryptTest::ccmp_qos_packets[6][212] = {
{ 0, 0, 18, 0, 46, 72, 0, 0, 0, 2, 133, 9, 160, 0, 220, 0, 0, 0, 128, 0, 0, 0, 255, 255, 255, 255, 255, 255, 234, 8, 107, 231, 33, 218, 234, 8, 107, 231, 33, 218, 16, 118, 178, 33, 38, 40, 0, 0, 0, 0, 100, 0, 49, 0, 0, 7, 84, 101, 115, 116, 105, 110, 103, 1, 8, 130, 132, 139, 150, 12, 18, 24, 36, 3, 1, 6, 5, 4, 0, 1, 0, 0, 42, 1, 2, 50, 4, 48, 72, 96, 108, 45, 26, 239, 17, 27, 255, 255, 255, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 61, 22, 6, 7, 5, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 127, 8, 0, 0, 0, 0, 0, 0, 0, 64, 221, 24, 0, 80, 242, 2, 1, 1, 128, 0, 3, 164, 0, 0, 39, 164, 0, 0, 66, 67, 94, 0, 98, 50, 47, 0, 221, 9, 0, 3, 127, 1, 1, 0, 0, 255, 127, 48, 20, 1, 0, 0, 15, 172, 4, 1, 0, 0, 15, 172, 4, 1, 0, 0, 15, 172, 2, 0, 0 },
{ 0, 0, 18, 0, 46, 72, 0, 0, 0, 2, 133, 9, 160, 0, 220, 0, 0, 0, 136, 2, 58, 1, 140, 123, 157, 105, 9, 17, 234, 8, 107, 231, 33, 218, 234, 8, 107, 231, 33, 218, 0, 0, 6, 0, 170, 170, 3, 0, 0, 0, 136, 142, 2, 3, 0, 95, 2, 0, 138, 0, 16, 0, 0, 0, 0, 0, 0, 0, 1, 36, 134, 168, 19, 133, 30, 4, 145, 162, 245, 14, 253, 175, 250, 91, 26, 133, 121, 10, 46, 52, 193, 62, 33, 9, 195, 138, 114, 186, 130, 13, 121, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 },
{ 0, 0, 18, 0, 46, 72, 0, 0, 0, 2, 133, 9, 160, 0, 212, 0, 0, 0, 136, 1, 58, 1, 234, 8, 107, 231, 33, 218, 140, 123, 157, 105, 9, 17, 234, 8, 107, 231, 33, 218, 0, 0, 0, 0, 170, 170, 3, 0, 0, 0, 136, 142, 2, 3, 0, 117, 2, 1, 10, 0, 16, 0, 0, 0, 0, 0, 0, 0, 1, 185, 15, 144, 240, 135, 131, 195, 230, 224, 206, 6, 115, 152, 193, 57, 247, 207, 189, 130, 18, 16, 144, 246, 255, 72, 6, 64, 54, 1, 177, 13, 141, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 241, 201, 157, 151, 101, 162, 70, 81, 34, 123, 24, 54, 82, 23, 135, 43, 0, 22, 48, 20, 1, 0, 0, 15, 172, 4, 1, 0, 0, 15, 172, 4, 1, 0, 0, 15, 172, 2, 12, 0 },
{ 0, 0, 18, 0, 46, 72, 0, 0, 0, 2, 133, 9, 160, 0, 224, 0, 0, 0, 136, 2, 58, 1, 140, 123, 157, 105, 9, 17, 234, 8, 107, 231, 33, 218, 234, 8, 107, 231, 33, 218, 16, 0, 6, 0, 170, 170, 3, 0, 0, 0, 136, 142, 2, 3, 0, 151, 2, 19, 202, 0, 16, 0, 0, 0, 0, 0, 0, 0, 2, 36, 134, 168, 19, 133, 30, 4, 145, 162, 245, 14, 253, 175, 250, 91, 26, 133, 121, 10, 46, 52, 193, 62, 33, 9, 195, 138, 114, 186, 130, 13, 121, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 112, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 6, 182, 188, 36, 244, 126, 153, 16, 21, 165, 68, 51, 21, 99, 232, 1, 0, 56, 224, 33, 172, 28, 130, 64, 168, 64, 122, 19, 12, 113, 96, 203, 205, 46, 209, 246, 12, 195, 191, 81, 52, 92, 168, 228, 34, 174, 105, 66, 199, 79, 39, 39, 68, 148, 221, 76, 238, 31, 239, 18, 205, 180, 164, 77, 85, 4, 160, 255, 90, 11, 0, 228, 34, 79 },
{ 0, 0, 18, 0, 46, 72, 0, 0, 0, 2, 133, 9, 160, 0, 216, 0, 0, 0, 136, 1, 58, 1, 234, 8, 107, 231, 33, 218, 140, 123, 157, 105, 9, 17, 234, 8, 107, 231, 33, 218, 16, 0, 0, 0, 170, 170, 3, 0, 0, 0, 136, 142, 2, 3, 0, 95, 2, 3, 10, 0, 16, 0, 0, 0, 0, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 180, 81, 43, 43, 243, 213, 192, 56, 174, 32, 141, 69, 172, 1, 201, 193, 0, 0 },
{ 0, 0, 21, 0, 42, 72, 8, 0, 0, 0, 133, 9, 128, 4, 225, 0, 0, 0, 39, 0, 7, 136, 65, 44, 0, 234, 8, 107, 231, 33, 218, 140, 123, 157, 105, 9, 17, 236, 8, 107, 231, 33, 218, 16, 0, 6, 0, 5, 0, 0, 32, 0, 0, 0, 0, 27, 145, 139, 201, 131, 102, 105, 133, 248, 73, 15, 118, 83, 59, 241, 213, 220, 137, 172, 31, 142, 107, 61, 249, 216, 186, 52, 53, 203, 197, 91, 208, 23, 153, 118, 224, 221, 43, 248, 239, 148, 101, 122, 191 }
};

const uint8_t WPA2DecryptTest::tkip_packets[7][211] = {
// Beacon
{0, 0, 18, 0, 46, 72, 0, 0, 0, 2, 108, 9, 160, 0, 221, 3, 0, 0, 128, 0, 0, 0, 255, 255, 255, 255, 255, 255, 0, 27, 17, 210, 27, 235, 0, 27, 17, 210, 27, 235, 128, 178, 129, 97, 244, 15, 0, 0, 0, 0, 100, 0, 17, 0, 0, 4, 78, 79, 68, 79, 1, 4, 130, 132, 139, 150, 3, 1, 1, 5, 4, 0, 1, 0, 0, 48, 20, 1, 0, 0, 15, 172, 2, 1, 0, 0, 15, 172, 2, 1, 0, 0, 15, 172, 2, 0, 0, 221, 9, 0, 3, 127, 1, 1, 0, 32, 255, 127},
Expand All @@ -96,6 +107,10 @@ const size_t WPA2DecryptTest::ccmp_packets_size[] = {
168, 181, 181, 239, 159, 404, 652
};

const size_t WPA2DecryptTest::ccmp_qos_packets_size[] = {
212, 151, 173, 207, 151, 99
};

const size_t WPA2DecryptTest::tkip_packets_size[] = {
108, 149, 171, 211, 149, 134, 134
};
Expand Down Expand Up @@ -147,6 +162,21 @@ TEST_F(WPA2DecryptTest, DecryptCCMPUsingBeacon) {
}
}

TEST_F(WPA2DecryptTest, DecryptCCMPQosUsingBeacon) {
Crypto::WPA2Decrypter decrypter;
decrypter.add_ap_data("password1", "Testing");
for(size_t i = 0; i < 6; ++i) {
RadioTap radio(ccmp_qos_packets[i], ccmp_qos_packets_size[i]);
if (i > 4) {
ASSERT_TRUE(decrypter.decrypt(radio));
EXPECT_TRUE(radio.find_pdu<ARP>() != 0);
}
else {
ASSERT_FALSE(decrypter.decrypt(radio));
}
}
}

TEST_F(WPA2DecryptTest, DecryptCCMPWithoutUsingBeacon) {
Crypto::WPA2Decrypter decrypter;
decrypter.add_ap_data("Induction", "Coherer", "00:0c:41:82:b2:55");
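Review bot: `DecryptCCMPQosUsingBeacon` covers only the three-address case, as far as the capture bytes show (the one frame expected to decrypt appears to have ToDS set without FromDS), so the `offset = 30` path added in src/crypto.cpp for four-address QoS frames is not exercised. There is also no negative case: a copy of the last frame with its QoS TID altered should make `decrypter.decrypt(radio)` return false, which would pin that the TID is actually bound into the MIC. The loop bound `6` and the `i > 4` threshold are hard-coded; a comment such as `// packets 0-4: beacon + 4-way handshake, packet 5: encrypted QoS frame carrying ARP` would explain them, and asserting on a field of the decrypted ARP rather than only its presence would make the check stronger.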
