1 /* packet-eapol.c
2 * Routines for EAPOL and EAPOL-Key IEEE 802.1X-2010 PDU dissection
3 *
4 * Wireshark - Network traffic analyzer
5 * By Gerald Combs <gerald@wireshark.org>
6 * Copyright 1998 Gerald Combs
7 *
8 * SPDX-License-Identifier: GPL-2.0-or-later
9 */
10
11 #include "config.h"
12
13 #include <epan/packet.h>
14 #include <epan/etypes.h>
15 #include <epan/eapol_keydes_types.h>
16 #include <epan/proto_data.h>
17
18 #include "packet-eapol.h"
19
20 void proto_register_eapol(void);
21 void proto_reg_handoff_eapol(void);
22
23 int proto_eapol = -1;
24 static int hf_eapol_version = -1;
25 static int hf_eapol_type = -1;
26 static int hf_eapol_len = -1;
27 static int hf_eapol_keydes_type = -1;
28 static int hf_eapol_keydes_body = -1;
29 static int hf_eapol_keydes_key_len = -1;
30 static int hf_eapol_keydes_replay_counter = -1;
31 static int hf_eapol_keydes_key_iv = -1;
32 static int hf_eapol_keydes_key_index = -1;
33 static int hf_eapol_keydes_key_index_type = -1;
34 static int hf_eapol_keydes_key_index_number = -1;
35 static int hf_eapol_keydes_key_signature = -1;
36 static int hf_eapol_keydes_key = -1;
37 static int hf_eapol_keydes_key_generated_locally = -1;
38
39 static gint ett_eapol = -1;
40 static gint ett_eapol_key_index = -1;
41 static gint ett_keyinfo = -1;
42
43 static dissector_table_t eapol_type_dissector_table;
44 static dissector_table_t eapol_keydes_type_dissector_table;
45
46 static dissector_handle_t eapol_handle;
47
48 #define EAPOL_HDR_LEN 4
49
50 #define EAPOL_2001 1
51 #define EAPOL_2004 2
52 #define EAPOL_2010 3
53
54 static const value_string eapol_version_vals[] = {
55 { EAPOL_2001, "802.1X-2001" },
56 { EAPOL_2004, "802.1X-2004" },
57 { EAPOL_2010, "802.1X-2010" },
58 { 0, NULL }
59 };
60
61 static const value_string eapol_type_vals[] = {
62 { EAPOL_EAP, "EAP Packet" },
63 { EAPOL_START, "Start" },
64 { EAPOL_LOGOFF, "Logoff" },
65 { EAPOL_KEY, "Key" },
66 { EAPOL_ENCAP_ASF_ALERT, "Encapsulated ASF Alert" },
67 { EAPOL_MKA, "MKA" },
68 { EAPOL_ANNOUNCEMENT_GENERIC, "Announcement (Generic)" },
69 { EAPOL_ANNOUNCEMENT_SPECIFIC, "Announcement (Specific)" },
70 { EAPOL_ANNOUNCEMENT_REQUEST, "Announcement Request" },
71 { 0, NULL }
72 };
73
74 static const value_string eapol_keydes_type_vals[] = {
75 { EAPOL_RC4_KEY, "RC4 Descriptor" },
76 { EAPOL_RSN_KEY, "EAPOL RSN Key" },
77 { EAPOL_WPA_KEY, "EAPOL WPA Key" },
78 { 0, NULL }
79 };
80
81 static const true_false_string keytype_tfs = { "Unicast", "Broadcast" };
82
83 #define KEYDES_KEY_INDEX_TYPE_MASK 0x80
84 #define KEYDES_KEY_INDEX_NUMBER_MASK 0x7F
85
86 static int
dissect_eapol(tvbuff_t * tvb,packet_info * pinfo,proto_tree * tree,void * data _U_)87 dissect_eapol(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)
88 {
89 int offset = 0;
90 guint8 eapol_type;
91 guint16 eapol_len;
92 guint len;
93 proto_tree *ti;
94 proto_tree *eapol_tree;
95 tvbuff_t *next_tvb;
96
97 col_set_str(pinfo->cinfo, COL_PROTOCOL, "EAPOL");
98 col_clear(pinfo->cinfo, COL_INFO);
99
100 ti = proto_tree_add_item(tree, proto_eapol, tvb, 0, -1, ENC_NA);
101 eapol_tree = proto_item_add_subtree(ti, ett_eapol);
102
103 proto_tree_add_item(eapol_tree, hf_eapol_version, tvb, offset, 1, ENC_BIG_ENDIAN);
104 offset++;
105
106 eapol_type = tvb_get_guint8(tvb, offset);
107 proto_tree_add_item(eapol_tree, hf_eapol_type, tvb, offset, 1, ENC_BIG_ENDIAN);
108 col_add_str(pinfo->cinfo, COL_INFO,
109 val_to_str(eapol_type, eapol_type_vals, "Unknown Type (0x%02X)"));
110 offset++;
111
112 eapol_len = tvb_get_ntohs(tvb, offset);
113 len = EAPOL_HDR_LEN + eapol_len;
114 set_actual_length(tvb, len);
115 if (tree) {
116 proto_item_set_len(ti, len);
117 proto_tree_add_item(eapol_tree, hf_eapol_len, tvb, offset, 2, ENC_BIG_ENDIAN);
118 }
119 offset += 2;
120
121 /* Save eapol key type packets for IEEE 802.11 dissector */
122 if (!pinfo->fd->visited && eapol_type == EAPOL_KEY) {
123 proto_eapol_key_frame_t *key_frame = wmem_new(pinfo->pool, proto_eapol_key_frame_t);
124 key_frame->type = 0;
125 key_frame->len = len;
126 key_frame->data = (guint8 *)wmem_alloc(pinfo->pool, len);
127 tvb_memcpy(tvb, key_frame->data, 0, len);
128 p_add_proto_data(pinfo->pool, pinfo, proto_eapol, EAPOL_KEY_FRAME_KEY, key_frame);
129 }
130
131 next_tvb = tvb_new_subset_remaining(tvb, offset);
132 if (!dissector_try_uint_new(eapol_type_dissector_table,
133 eapol_type, next_tvb, pinfo, tree,
134 FALSE, eapol_tree)) {
135 call_data_dissector(next_tvb, pinfo, tree);
136 }
137 return tvb_captured_length(tvb);
138 }
139
140 static int
dissect_eapol_key(tvbuff_t * tvb,packet_info * pinfo,proto_tree * tree _U_,void * data)141 dissect_eapol_key(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree _U_, void* data)
142 {
143 guint8 keydesc_type;
144 int offset = 0;
145 tvbuff_t *next_tvb;
146 proto_tree* eapol_tree = (proto_tree*)data;
147
148 keydesc_type = tvb_get_guint8(tvb, offset);
149 proto_tree_add_item(eapol_tree, hf_eapol_keydes_type, tvb, offset, 1, ENC_BIG_ENDIAN);
150 offset += 1;
151 next_tvb = tvb_new_subset_remaining(tvb, offset);
152
153 /* Save keydesc_type for IEEE 802.11 dissector */
154 if (!pinfo->fd->visited) {
155 proto_eapol_key_frame_t *key_frame = (proto_eapol_key_frame_t *)
156 p_get_proto_data(pinfo->pool, pinfo, proto_eapol, EAPOL_KEY_FRAME_KEY);
157 if (key_frame) {
158 key_frame->type = keydesc_type;
159 }
160 }
161
162 if (!dissector_try_uint_new(eapol_keydes_type_dissector_table,
163 keydesc_type, next_tvb, pinfo, eapol_tree,
164 FALSE, NULL)) {
165 proto_tree_add_item(eapol_tree, hf_eapol_keydes_body, tvb, offset, -1, ENC_NA);
166 }
167
168 return tvb_captured_length(tvb);
169 }
170
171 static int
dissect_eapol_rc4_key(tvbuff_t * tvb,packet_info * pinfo _U_,proto_tree * tree,void * data _U_)172 dissect_eapol_rc4_key(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, void *data _U_)
173 {
174 int offset = 0;
175 guint16 eapol_key_len;
176 gboolean generated_locally;
177 proto_tree *ti;
178 proto_tree *key_index_tree;
179 gint eapol_len;
180
181 eapol_key_len = tvb_get_ntohs(tvb, offset);
182 proto_tree_add_item(tree, hf_eapol_keydes_key_len, tvb, offset, 2, ENC_BIG_ENDIAN);
183 offset += 2;
184 proto_tree_add_item(tree, hf_eapol_keydes_replay_counter, tvb,
185 offset, 8, ENC_BIG_ENDIAN);
186 offset += 8;
187 proto_tree_add_item(tree, hf_eapol_keydes_key_iv, tvb,
188 offset, 16, ENC_NA);
189 offset += 16;
190 ti = proto_tree_add_item(tree, hf_eapol_keydes_key_index, tvb, offset, 1, ENC_BIG_ENDIAN);
191 key_index_tree = proto_item_add_subtree(ti, ett_eapol_key_index);
192 proto_tree_add_item(key_index_tree, hf_eapol_keydes_key_index_type,
193 tvb, offset, 1, ENC_BIG_ENDIAN);
194 proto_tree_add_item(key_index_tree, hf_eapol_keydes_key_index_number,
195 tvb, offset, 1, ENC_BIG_ENDIAN);
196 offset += 1;
197 proto_tree_add_item(tree, hf_eapol_keydes_key_signature, tvb,
198 offset, 16, ENC_NA);
199 offset += 16;
200 if (eapol_key_len != 0) {
201 /*
202 * Body length of EAPOL-Key message in which we're contained is 1 byte
203 * larger than the reported length of the key descriptor we were handed,
204 * that 1 byte being the Key Descriptor Type.
205 */
206 eapol_len = 1 + tvb_reported_length(tvb);
207
208 /* IEEE 802.1X-2004 7.6.3.6: If no bytes remain, then */
209 generated_locally = eapol_len <= 44; /* Size of rc4 key with no key content */
210 if (!generated_locally) {
211 proto_tree_add_item(tree, hf_eapol_keydes_key, tvb, offset,
212 eapol_key_len, ENC_NA);
213 }
214
215 proto_tree_add_boolean(tree, hf_eapol_keydes_key_generated_locally, tvb, offset,
216 0, generated_locally);
217 }
218 return tvb_captured_length(tvb);
219 }
220
221 void
proto_register_eapol(void)222 proto_register_eapol(void)
223 {
224 static hf_register_info hf[] = {
225 { &hf_eapol_version, {
226 "Version", "eapol.version",
227 FT_UINT8, BASE_DEC, VALS(eapol_version_vals), 0x0,
228 NULL, HFILL }},
229
230 { &hf_eapol_type, {
231 "Type", "eapol.type",
232 FT_UINT8, BASE_DEC, VALS(eapol_type_vals), 0x0,
233 NULL, HFILL }},
234
235 { &hf_eapol_len, {
236 "Length", "eapol.len",
237 FT_UINT16, BASE_DEC, NULL, 0x0,
238 NULL, HFILL }},
239
240 { &hf_eapol_keydes_type, {
241 "Key Descriptor Type", "eapol.keydes.type",
242 FT_UINT8, BASE_DEC, VALS(eapol_keydes_type_vals), 0x0,
243 NULL, HFILL }},
244
245 { &hf_eapol_keydes_body, {
246 "Key Descriptor Body", "eapol.keydes.body",
247 FT_BYTES, BASE_NONE, NULL, 0x0,
248 NULL, HFILL }},
249
250 { &hf_eapol_keydes_key_len, {
251 "Key Length", "eapol.keydes.key_len",
252 FT_UINT16, BASE_DEC, NULL, 0x0,
253 NULL, HFILL }},
254
255 { &hf_eapol_keydes_replay_counter, {
256 "Replay Counter", "eapol.keydes.replay_counter",
257 FT_UINT64, BASE_DEC, NULL, 0x0,
258 NULL, HFILL }},
259
260 { &hf_eapol_keydes_key_iv, {
261 "Key IV", "eapol.keydes.key_iv",
262 FT_BYTES, BASE_NONE, NULL, 0x0,
263 NULL, HFILL }},
264
265 { &hf_eapol_keydes_key_index, {
266 "Key Index", "eapol.keydes.key_index",
267 FT_UINT8, BASE_HEX, NULL, 0x0,
268 NULL, HFILL }},
269
270 { &hf_eapol_keydes_key_index_type, {
271 "Type", "eapol.keydes.key_index.type",
272 FT_BOOLEAN, 8, TFS(&keytype_tfs), KEYDES_KEY_INDEX_TYPE_MASK ,
273 NULL, HFILL }},
274
275 { &hf_eapol_keydes_key_index_number, {
276 "Number", "eapol.keydes.key_index.number",
277 FT_UINT8, BASE_DEC, NULL, KEYDES_KEY_INDEX_NUMBER_MASK,
278 NULL, HFILL }},
279
280 { &hf_eapol_keydes_key_signature, {
281 "Key Signature", "eapol.keydes.key_signature",
282 FT_BYTES, BASE_NONE, NULL, 0x0,
283 NULL, HFILL }},
284
285 { &hf_eapol_keydes_key, {
286 "Key", "eapol.keydes.key",
287 FT_BYTES, BASE_NONE, NULL, 0x0,
288 NULL, HFILL }},
289
290 { &hf_eapol_keydes_key_generated_locally, {
291 "Key Generated Locally", "eapol.keydes.key.generated_locally",
292 FT_BOOLEAN, BASE_NONE, NULL, 0x0,
293 NULL, HFILL }},
294 };
295
296 static gint *ett[] = {
297 &ett_eapol,
298 &ett_keyinfo,
299 &ett_eapol_key_index
300 };
301
302 proto_eapol = proto_register_protocol("802.1X Authentication", "EAPOL", "eapol");
303 eapol_handle = register_dissector("eapol", dissect_eapol, proto_eapol);
304
305 proto_register_field_array(proto_eapol, hf, array_length(hf));
306 proto_register_subtree_array(ett, array_length(ett));
307
308 eapol_type_dissector_table = register_dissector_table("eapol.type",
309 "EAPOL Packet Type",
310 proto_eapol, FT_UINT8,
311 BASE_DEC);
312 eapol_keydes_type_dissector_table = register_dissector_table("eapol.keydes.type",
313 "EAPOL Key Descriptor Type",
314 proto_eapol, FT_UINT8,
315 BASE_DEC);
316 }
317
318 void
proto_reg_handoff_eapol(void)319 proto_reg_handoff_eapol(void)
320 {
321 dissector_handle_t eapol_rc4_key_handle, eapol_key_handle;
322
323 dissector_add_uint("ethertype", ETHERTYPE_EAPOL, eapol_handle);
324 dissector_add_uint("ethertype", ETHERTYPE_RSN_PREAUTH, eapol_handle);
325
326 /*
327 * EAPOL key descriptor types.
328 */
329 eapol_rc4_key_handle = create_dissector_handle(dissect_eapol_rc4_key, proto_eapol);
330 dissector_add_uint("eapol.keydes.type", EAPOL_RC4_KEY, eapol_rc4_key_handle);
331 eapol_key_handle = create_dissector_handle(dissect_eapol_key, proto_eapol);
332 dissector_add_uint("eapol.type", EAPOL_KEY, eapol_key_handle);
333 }
334
335 /*
336 * Editor modelines
337 *
338 * Local Variables:
339 * c-basic-offset: 2
340 * tab-width: 8
341 * indent-tabs-mode: nil
342 * End:
343 *
344 * ex: set shiftwidth=2 tabstop=8 expandtab:
345 * :indentSize=2:tabSize=8:noTabs=true:
346 */
347