Inside print_ie_vendor, the Microsoft OUI is checked for a WPA IE. The
variable name for the OUI was wfa_oui, but this OUI is not actually the
WiFi-Alliance (sometimes refered to as 'wfa') but rather the Microsoft
OUI.
Added handling for several FILS IEs and NL attributes specific to
FILS. Also changed "SAE Data" to "Auth Data" since its now used for
both SAE and FILS.
Unfortunately there is no way to determine the MIC length just from the
eapol frame. 802.11 defined AKMs define the MIC length, but non 802.11
AKMs (e.g. OWE) can define their own MIC length. For this reason it seem
infeasable to track these special AKM's data flow to determine the MIC
length.
To work around this we can just try different MIC lengths (since there
are only 3 after all). This allows us to get key data length and see if
the total packet size equals the frame length + key data length. If the
sizes don't match we can try the next MIC length.
The MIC length was hard coded to 16 bytes everywhere, and since several
AKMs require larger MIC's (24/32) this needed to change. The main issue
was that the MIC was hard coded to 16 bytes inside eapol_key. Instead
of doing this, the MIC, key_data_length, and key_data elements were all
bundled into key_data[0]. In order to retrieve the MIC, key_data_len,
or key_data several macros were introduced which account for the MIC
length provided.
A consequence of this is that all the verify functions inside eapol now
require the MIC length as a parameter because without it they cannot
determine the byte offset of key_data or key_data_length.
The MIC length for a given handshake is set inside the SM when starting
EAPoL. This length is determined by the AKM for the handshake.
Fixes:
CC monitor/pcap.o
monitor/pcap.c: In function ‘pcap_create’:
monitor/pcap.c:121:6: error: ‘S_IRUSR’ undeclared (first use in this function)
S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
^
monitor/pcap.c:121:6: note: each undeclared identifier is reported only once for each function it appears in
monitor/pcap.c:121:16: error: ‘S_IWUSR’ undeclared (first use in this function)
S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
^
monitor/pcap.c:121:26: error: ‘S_IRGRP’ undeclared (first use in this function)
S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
^
monitor/pcap.c:121:36: error: ‘S_IROTH’ undeclared (first use in this function)
S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
^
==24195== Syscall param socketcall.sendto(msg) points to uninitialised byte(s)
==24195== at 0x4F3DBEF: sendto (in /lib64/libc-2.26.so)
==24195== by 0x13A453: can_write_data (netlink.c:119)
==24195== by 0x13866B: io_callback (io.c:149)
==24195== by 0x137365: l_main_iterate (main.c:389)
==24195== by 0x1374A3: l_main_run (main.c:436)
==24195== by 0x113524: main (main.c:832)
==24195== Address 0x5205f99 is 57 bytes inside a block of size 88 alloc'd
==24195== at 0x4C2D0AF: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==24195== by 0x133931: l_malloc (util.c:62)
==24195== by 0x13AEF3: l_netlink_send (netlink.c:411)
==24195== by 0x112351: rtm_interface_send_message (main.c:276)
==24195== by 0x1126F3: iwmon_interface_lookup (main.c:405)
==24195== by 0x11351F: main (main.c:830)
==24195== Uninitialised value was created by a heap allocation
==24195== at 0x4C2D0AF: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==24195== by 0x133931: l_malloc (util.c:62)
==24195== by 0x11217B: rtm_interface_send_message (main.c:234)
==24195== by 0x1126F3: iwmon_interface_lookup (main.c:405)
==24195== by 0x11351F: main (main.c:830)
==23290== Invalid read of size 4
==23290== at 0x12D334: timeout_destroy (timeout.c:61)
==23290== by 0x12CDD1: l_main_exit (main.c:466)
==23290== by 0x111F3B: main (main.c:835)
==23290== Address 0x5211d80 is 0 bytes inside a block of size 32 free'd
==23290== at 0x4C2E1BB: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==23290== by 0x111F36: main (main.c:833)
==23290== Block was alloc'd at
==23290== at 0x4C2CF8F: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==23290== by 0x12A74D: l_malloc (util.c:62)
==23290== by 0x12D40F: timeout_create_with_nanoseconds (timeout.c:135)
==23290== by 0x112A31: signal_handler (main.c:661)
==23290== by 0x12D03A: signal_callback (signal.c:82)
==23290== by 0x12CC6D: l_main_iterate (main.c:387)
==23290== by 0x12CD3B: l_main_run (main.c:434)
==23290== by 0x1121F2: main (main.c:821)
==23290==
==23290== Invalid read of size 8
==23290== at 0x12D33B: timeout_destroy (timeout.c:64)
==23290== by 0x12CDD1: l_main_exit (main.c:466)
==23290== by 0x111F3B: main (main.c:835)
==23290== Address 0x5211d90 is 16 bytes inside a block of size 32 free'd
==23290== at 0x4C2E1BB: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==23290== by 0x111F36: main (main.c:833)
==23290== Block was alloc'd at
==23290== at 0x4C2CF8F: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==23290== by 0x12A74D: l_malloc (util.c:62)
==23290== by 0x12D40F: timeout_create_with_nanoseconds (timeout.c:135)
==23290== by 0x112A31: signal_handler (main.c:661)
==23290== by 0x12D03A: signal_callback (signal.c:82)
==23290== by 0x12CC6D: l_main_iterate (main.c:387)
==23290== by 0x12CD3B: l_main_run (main.c:434)
==23290== by 0x1121F2: main (main.c:821)
==23290==
==23290== Invalid write of size 4
==23290== at 0x12D33F: timeout_destroy (timeout.c:62)
==23290== by 0x12CDD1: l_main_exit (main.c:466)
==23290== by 0x111F3B: main (main.c:835)
==23290== Address 0x5211d80 is 0 bytes inside a block of size 32 free'd
==23290== at 0x4C2E1BB: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==23290== by 0x111F36: main (main.c:833)
==23290== Block was alloc'd at
==23290== at 0x4C2CF8F: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==23290== by 0x12A74D: l_malloc (util.c:62)
==23290== by 0x12D40F: timeout_create_with_nanoseconds (timeout.c:135)
==23290== by 0x112A31: signal_handler (main.c:661)
==23290== by 0x12D03A: signal_callback (signal.c:82)
==23290== by 0x12CC6D: l_main_iterate (main.c:387)
==23290== by 0x12CD3B: l_main_run (main.c:434)
==23290== by 0x1121F2: main (main.c:821)
to fix compilation against MUSL libc.
The struct ethhdr does exists in netinet/if_ether.h and linux/if_ether.h
so including the linux headers after the libc headers lets libc_compat.h
work as intended.
The subtype was only printed if mpdu_validate had returned an error for
the frame, i.e. would not be printed for well formed frames. This was
probably an intent to avoid printing the frame subtype after all the
conents of the body frame had been printed already, but iwmon only
supports printing of Authentication and Deauthentication frames so far.
Kernel v4.10 and later no longer export GENL_ID_GENERATE (which was
defined as 0). iwd was using this symbol to check for unmodified local
values rather than to ask for a dynamically generated netlink ID anyway,
so it makes sense to use the value 0 directly. This will work with
kernels before and after the GENL_ID_GENERATE change.
When printing New Address events, the extra_str buffer is overrun,
resulting in weird stuff happening.
> RTNL: Error (0x02) len 20 > 5.252075
Flags: 0 (0x000)
Sequence number: 189 (0x000000bd)
Port ID: 2116
ACK: 0
==4080== Invalid read of size 1
==4080== at 0x4E8000E: vfprintf (in /lib64/libc-2.20.so)
==4080== by 0x4EA8A24: vsnprintf (in /lib64/libc-2.20.so)
==4080== by 0x4E86011: snprintf (in /lib64/libc-2.20.so)
==4080== by 0x403B64: print_packet (nlmon.c:238)
==4080== by 0x40C8FD: print_nlmsghdr (nlmon.c:3197)
==4080== by 0x40CD9E: print_rtnl_msg (nlmon.c:3266)
==4080== by 0x40CE4F: nlmon_print_rtnl (nlmon.c:3298)
==4080== by 0x40D1CD: nlmon_receive (nlmon.c:3390)
Currently it supports Microsoft specific data which has type
and vesion value 1.
e.g.
Vendor specific: len 22
Microsoft (00:50:f2)
WPA:
Type: 1
Version: 1(0001)
Group Data Cipher Suite: len 4
TKIP (00:50:f2) suite 02
Pairwise Cipher Suite: len 4
TKIP (00:50:f2) suite 02
AKM Suite: len 4
IEEE 802.1X/PMKSA; RSNA/PMKSA caching (00:50:f2) suite 01
Support arbitrarily long bitfields by providing field and mask values
as arrays with their length measured in bytes. Some of the IE fields
easily reach 80 bits or more, thus easily overrunning any integer sizes
used by the OS architecture.
If flags was 0, then an uninitialized buffer was printed. Changed
this so that if flags == 0, then just the value is printed.
If flags != 0, then print flags values to a buffer that is big
enough to hold all the sub-strings.
The buffer that is allocated for the filename is too short and
as sprintf() was used it overflowed the buffer easily when longer
interface name was used.
Additional universal message flags are defined which are applied
only for GET requests (NLM_F_ROOT, NLM_F_ATOMIC, NLM_F_MATCH,
NLM_F_DUMP) and flags which are related to NEW requests
(NLM_F_REPLACE, NLM_F_EXCL, NLM_F_CREATE, NLM_F_APPEND).
Print the SSID IE. If the SSID is not UTF-8 compliant, replace the non-
compliant byte with the UTF-8 substitution character. If the SSID is
hidden, its length and/or all characters are zero; print nothing in
this case.
Memory allocated l_timeout struct from l_timeout_create not being
freed.
==4184== HEAP SUMMARY:
==4184== in use at exit: 32 bytes in 1 blocks
==4184== total heap usage: 50 allocs, 49 frees, 39,902 bytes allocated
==4184==
==4184== 32 bytes in 1 blocks are definitely lost in loss record 1 of 1
==4184== at 0x4C2ABA0: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==4184== by 0x40706D: l_malloc (util.c:62)
==4184== by 0x408D9A: l_timeout_create (timeout.c:117)
==4184== by 0x40896A: signal_callback (signal.c:82)
==4184== by 0x408692: l_main_run (main.c:346)
==4184== by 0x402474: main (main.c:797)
==4184==
==4184== LEAK SUMMARY:
==4184== definitely lost: 32 bytes in 1 blocks
==4184== indirectly lost: 0 bytes in 0 blocks
==4184== possibly lost: 0 bytes in 0 blocks
==4184== still reachable: 0 bytes in 0 blocks
==4184== suppressed: 0 bytes in 0 blocks
Create a table for IE decoding and modify vendor IE printing to use this
new implementation. Unconditionally print out hexdumps of the IEs in order
to be able to verify the decoded IEs and its byte representation.
Andrew Zaborowski