This section of code prevents disassembly of the data field of RSN Key-Data
packets that are flagged as "Protected". From what I can tell the first
comment is wrong and all group key key data fields are encrypted, not just
WPA. The chained IE fields have a null terminating IE of 0 length to
terminate the chain.

    ti = proto_tree_add_item(eapol_tree, hf_eapol_wpa_keydes_data,
                             tvb, offset, eapol_data_len, FALSE);
    if ( (keyinfo & KEY_INFO_ENCR_KEY_DATA_MASK) ||
         !(keyinfo & KEY_INFO_KEY_TYPE_MASK)) {
      /* RSN: EAPOL-Key Key Data is encrypted.
       * WPA: Group Keys use encrypted Key Data.
       * Cannot parse this without knowing the key. */
    } else {
      keydes_tree = proto_item_add_subtree(ti, ett_eapol_keydes_data);
      ieee_80211_add_tagged_parameters(tvb, offset, pinfo, keydes_tree,
                                       eapol_data_len);
    }

I have tested changing the conditional to use && instead of || and it seems to
work fine. This would give the behavior of not attempting to disassemble key
data fields of group keys with protected set, which should always be the case
with group keys. For an example look at frame 28 of the attached capture.
Mike Stevens
Software Engineer
Hobnob, Inc.
Attachment:
filtered-macbook-vs-hostap-again.pcap
Description: Binary data
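
The following is an added example, not part of the original message and not Wireshark code. It evaluates the quoted `||` gate and the proposed `&&` gate over the four Key Type / Encrypted Key Data combinations, then walks the Key Data as an id/len/value chain with a bounds check on every length byte. The mask values follow the IEEE 802.11i Key Information bit layout; the function names, the SKIPPED and MALFORMED codes, the Key Information values and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Key Information bits (IEEE 802.11i); names follow the quoted code. */
#define KEY_INFO_KEY_TYPE_MASK      0x0008 /* 1 = pairwise, 0 = group */
#define KEY_INFO_ENCR_KEY_DATA_MASK 0x1000 /* Encrypted Key Data ("Protected") */
#define SKIPPED   (-2) /* hypothetical code: gate declined to parse */
#define MALFORMED (-1) /* hypothetical code: element length overruns buffer */

/* Constructed samples: one 2-byte element followed by a zero-length
 * terminator, and four bytes standing in for encrypted Key Data. */
static const uint8_t plain_ies[] = { 0x30, 0x02, 0x01, 0x00, 0x00, 0x00 };
static const uint8_t cipher[]    = { 0x9f, 0xe3, 0x11, 0x42 };

/* use_and == 0: gate as quoted (encrypted OR group key).
 * use_and == 1: gate as proposed (encrypted AND group key). */
static int skip_key_data(uint16_t keyinfo, int use_and) {
    int enc   = (keyinfo & KEY_INFO_ENCR_KEY_DATA_MASK) != 0;
    int group = (keyinfo & KEY_INFO_KEY_TYPE_MASK) == 0;
    return use_and ? (enc && group) : (enc || group);
}

/* Count id/len/value elements, stopping at a zero-length element.
 * Each length byte is checked against the bytes that remain. */
static int count_elements(const uint8_t *buf, size_t len) {
    size_t off = 0;
    int n = 0;
    while (len - off >= 2) {
        size_t elen = buf[off + 1];
        if (elen == 0) break;                      /* terminator */
        if (elen > len - off - 2) return MALFORMED;
        off += 2 + elen;
        n++;
    }
    return n;
}

static int dissect_key_data(uint16_t keyinfo, const uint8_t *buf,
                            size_t len, int use_and) {
    return skip_key_data(keyinfo, use_and) ? SKIPPED : count_elements(buf, len);
}

int main(void) {
    int with_or  = dissect_key_data(0x100A, cipher, sizeof cipher, 0);
    int with_and = dissect_key_data(0x100A, cipher, sizeof cipher, 1);
    printf("pairwise+encrypted: || -> %d, && -> %d\n", with_or, with_and);
    return 0;
}
```

With `&&`, a pairwise frame that has the Encrypted Key Data bit set is no longer skipped, so its ciphertext reaches the element walker; the length check is what turns that into a clean MALFORMED result here.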