(/home/sate/Testcases/c/cve/wireshark-1.2.0/epan/crypt/airpdcap.c) |
| |
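/*
 * Decrypt the broadcast (group) key carried in an EAPOL-Key frame and store
 * it in the security association at sa->wpa.ptk + 32.
 *
 * pEAPKey        - EAPOL-Key body; key_information, key_length, key_data_len,
 *                  key_iv and ie are read from it.
 * decryption_key - 16 bytes of key material used to decrypt the group key.
 * sa             - security association updated on success (key, validKey,
 *                  wpa.key_ver, wpa.ptk).
 *
 * Returns nothing. On any rejected input the function returns early and
 * leaves sa untouched.
 *
 * NOTE(review): the return-type line is not part of this listing; `void` is
 * inferred from the bare `return;` below - confirm the storage class against
 * the original file.
 *
 * NOTE(review): every length used here comes from the frame itself. This
 * function is not given the captured frame length, so it cannot prove that
 * key_len bytes really follow pEAPKey->ie; the caller presumably has to
 * check that before calling - confirm.
 */
void
AirPDcapDecryptWPABroadcastKey(P_EAPOL_RSN_KEY pEAPKey, guint8 *decryption_key, PAIRPDCAP_SEC_ASSOCIATION sa)
{
    guint8 new_key[32];
    guint8 key_version;
    guint8 *szEncryptedKey;
    guint16 key_len = 0;
    size_t group_key_len;   /* bytes of szEncryptedKey that hold the group key */
    size_t ptk_room;        /* bytes available in sa->wpa.ptk after offset 32 */
    static AIRPDCAP_KEY_ITEM dummy_key;

    /* airpdcap_int.h: AIRPDCAP_EAP_KEY_DESCR_VER(k) is ((UCHAR)(k & 0x3)),
     * so key_version is one of 0..3. */
    key_version = AIRPDCAP_EAP_KEY_DESCR_VER(pEAPKey->key_information[1]);

    /* pint.h: pntohs(p) assembles a guint16 from two bytes, high byte first. */
    if (key_version == AIRPDCAP_WPA_KEY_VER_NOT_CCMP){
        key_len = pntohs(pEAPKey->key_length);
    }else if (key_version == AIRPDCAP_WPA_KEY_VER_AES_CCMP){
        key_len = pntohs(pEAPKey->key_data_len);
    }

    /* key_len stays 0 for any other descriptor version, so this test also
     * rejects unknown versions. */
    if (key_len > sizeof(RSN_IE) || key_len == 0) {
        return;
    }

    /* The group key is written at ptk + 32 below. The original bounded
     * key_len only by sizeof(RSN_IE), never by the destination, so a large
     * frame-supplied length could write past sa->wpa.ptk. Compute the room
     * once and clamp the final copy to it.
     * NOTE(review): assumes sa->wpa.ptk is an array (the memset below already
     * relies on sizeof of it) - confirm. */
    if (sizeof(sa->wpa.ptk) <= 32) {
        return;
    }
    ptk_room = sizeof(sa->wpa.ptk) - 32;

    szEncryptedKey = g_memdup(pEAPKey->ie, key_len);

    /* NOTE(review): these dumps print key material; DEBUG_DUMP is presumably
     * compiled out of release builds - confirm. */
    DEBUG_DUMP("Encrypted Broadcast key:", szEncryptedKey, key_len);
    DEBUG_DUMP("KeyIV:", pEAPKey->key_iv, 16);
    DEBUG_DUMP("decryption_key:", decryption_key, 16);

    /* RC4 key = 16-byte key IV followed by the 16-byte decryption key. */
    memcpy(new_key, pEAPKey->key_iv, 16);
    memcpy(new_key+16, decryption_key, 16);
    DEBUG_DUMP("FullDecrKey:", new_key, 32);

    if (key_version == AIRPDCAP_WPA_KEY_VER_NOT_CCMP){
        /* Zero-initialised so crypt_rc4 never reads indeterminate bytes. */
        guint8 dummy[256] = {0};
        rc4_state_struct rc4_state;

        crypt_rc4_init(&rc4_state, new_key, sizeof(new_key));

        /* Run 256 bytes through the cipher before the real data; presumably
         * this discards the start of the keystream - confirm. */
        crypt_rc4(&rc4_state, dummy, 256);
        crypt_rc4(&rc4_state, szEncryptedKey, key_len);

        group_key_len = key_len;
    } else {
        /* The original spelled this branch
         * `else if (key_version == AIRPDCAP_WPA_KEY_VER_AES_CCMP)`, which the
         * analyzer reports as a Redundant Condition ("key_version == 2 always
         * evaluates to true"): the early return on key_len == 0 already
         * guarantees key_version is one of the two handled values. */
        guint8 key_found;
        size_t key_index;   /* wider than guint16 so the += below cannot wrap */
        guint8 *decrypted_data;

        /* Zero the buffer: the element walk below scans key_len bytes, and
         * it must not depend on whatever AES_unwrap leaves unwritten.
         * NOTE(review): AES_unwrap's output length and return value are not
         * visible here - confirm and check them. */
        decrypted_data = (guint8 *) g_malloc(key_len);
        memset(decrypted_data, 0, key_len);

        AES_unwrap(decryption_key, 16, szEncryptedKey, key_len, decrypted_data);

        /* Walk the id/length elements looking for id 0xdd. The length byte at
         * key_index + 1 is attacker-controlled, so require it to be inside the
         * buffer before reading it (the original tested only key_index). */
        key_found = FALSE;
        key_index = 0;
        while(!key_found && key_index + 1 < key_len){
            guint8 rsn_id;

            rsn_id = decrypted_data[key_index];

            if (rsn_id != 0xdd){
                key_index += decrypted_data[key_index+1]+2;
            }else{
                key_found = TRUE;
            }
        }

        /* The key starts 8 bytes into the 0xdd element. If the element is
         * missing, or sits within 8 bytes of the end, the original either
         * installed the still-wrapped bytes as a key or computed a negative
         * memcpy length (key_len - key_index - 8); reject both cases. */
        if (!key_found || key_index + 8 >= key_len){
            g_free(decrypted_data);
            g_free(szEncryptedKey);
            return;
        }

        group_key_len = key_len - key_index - 8;
        memcpy(szEncryptedKey, decrypted_data+key_index+8, group_key_len);

        g_free(decrypted_data);
    }

    DEBUG_DUMP("Broadcast key:", szEncryptedKey, key_len);

    /* Keep only what fits after offset 32; the leading bytes land at the same
     * offsets the original used, the excess is dropped instead of overflowing. */
    if (group_key_len > ptk_room) {
        group_key_len = ptk_room;
    }

    sa->key = &dummy_key;
    sa->validKey = TRUE;
    sa->wpa.key_ver = key_version;

    /* Clear the whole key area, then place the group key at offset 32. */
    memset(sa->wpa.ptk, 0, sizeof(sa->wpa.ptk));
    memcpy(sa->wpa.ptk+32, szEncryptedKey, group_key_len);
    g_free(szEncryptedKey);
}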
| |