Wireshark 中的处理如下:
/*
 * Dissector heuristic for telling TKIP from CCMP inside the 8-byte
 * extended-IV field that starts at hdr_len.
 *
 * IS_TKIP: TKIP does not transmit a raw counter byte at hdr_len+1; it sends
 * the "WEP seed" byte, which is derived from the TSC1 byte at hdr_len as
 * (TSC1 | 0x20) & 0x7f.  The macro simply re-checks that relation.
 * IS_CCMP: CCMP leaves the byte at hdr_len+2 zero, so a zero there is taken
 * as CCMP.
 *
 * Neither test is a signature.  TKIP is checked first, so a CCMP frame whose
 * PN bytes happen to satisfy the (x | 0x20) & 0x7f relation is labelled TKIP,
 * and a frame matching neither falls through to the ambiguous label below.
 */
#define IS_TKIP(tvb, hdr_len) (tvb_get_guint8(tvb, hdr_len + 1) == \
  ((tvb_get_guint8(tvb, hdr_len) | 0x20) & 0x7f))
#define IS_CCMP(tvb, hdr_len) (tvb_get_guint8(tvb, hdr_len + 2) == 0)

/* Pick the protection algorithm and the subtree label from the IV bytes.
 * Only the two recognised cases set `algorithm`; the fallback leaves it
 * unchanged (its prior value comes from the enclosing dissector, not shown). */
if (IS_TKIP(tvb, hdr_len)) {
  algorithm=PROTECTION_ALG_TKIP;
  wep_tree = proto_tree_add_subtree(hdr_tree, tvb, hdr_len, 8,
    ett_wep_parameters, NULL, "TKIP parameters");
} else if (IS_CCMP(tvb, hdr_len)) {
  algorithm=PROTECTION_ALG_CCMP;
  wep_tree = proto_tree_add_subtree(hdr_tree, tvb, hdr_len, 8,
    ett_wep_parameters, NULL, "CCMP parameters");
} else
  /* Neither pattern matched: the field is shown without committing to one. */
  wep_tree = proto_tree_add_subtree(hdr_tree, tvb, hdr_len, 8,
    ett_wep_parameters, NULL, "TKIP/CCMP parameters");
也就是说 Wireshark 中存在无法确定的情况：仅从协议字段上看，TKIP 和 CCMP 是无法严格区分出来的，只能按上面的特征去判断。我之前还在困惑这个问题，现在清楚了！
// 路由器的实现是这样的
/*
 * Router-side (xxxx_crypt_tkip.c) layout of the 8-byte TKIP IV / extended IV,
 * filled from the 48-bit per-key transmit sequence counter wk_keytsc:
 *   ivp[0..2]  24-bit WEP IV sent on the air: TSC1, WEP seed, TSC0
 *   ivp[3]     key id plus the ExtIV flag
 *   ivp[4..7]  TSC2..TSC5, low byte first
 * ivp[1] is not a counter byte: it is (TSC1 | 0x20) & 0x7f, which is exactly
 * the relation Wireshark's IS_TKIP macro tests to recognise TKIP.
 */
ivp[0] = k->wk_keytsc >> 8; /* TSC1 */
ivp[1] = (ivp[0] | 0x20) & 0x7f; /* WEP seed */
ivp[2] = k->wk_keytsc >> 0; /* TSC0 */
ivp[3] = keyid | IEEE80211_WEP_EXTIV; /* KeyID | ExtID */
ivp[4] = k->wk_keytsc >> 16; /* TSC2 */
ivp[5] = k->wk_keytsc >> 24; /* TSC3 */
ivp[6] = k->wk_keytsc >> 32; /* TSC4 */
ivp[7] = k->wk_keytsc >> 40; /* TSC5 */
xxxx_crypt_tkip.c 中的实现如上，ivp[1] 的取值正好符合 Wireshark 中 IS_TKIP 的判断条件。
// 再看一下内核无线网卡驱动的代码
/*
 * TKIP phase-2 key mixing: derive the 16-byte per-packet RC4 key (WEPSeed)
 * from the temporal key TK, the phase-1 output TTAK and the low 16 bits of
 * the TSC (IV16).
 *
 * WEPSeed[0..2] is the 24-bit IV that is transmitted in clear; WEPSeed[3..15]
 * is the secret remainder of the RC4 key.  WEPSeed[1] is not a TSC byte but
 * (TSC1 | 0x20) & 0x7F, the same relation the router code writes and the
 * Wireshark IS_TKIP heuristic checks.
 *
 * @param WEPSeed  out: 16-byte buffer.  Bytes 4..15 are written through a
 *                 u16 pointer (PPK), so the buffer is assumed to be 2-byte
 *                 aligned -- NOTE(review): confirm at the call sites.
 * @param TK       temporal key; bytes 0..15 are read as eight LE u16 words.
 * @param TTAK     phase-1 output, 5 u16 words.
 * @param IV16     low 16 bits of the TSC (TSC1:TSC0).
 *
 * _S_, Mk16_le, RotR1, Hi8 and Lo8 are helpers defined elsewhere in this
 * file (S-box lookup, little-endian u16 load, rotate-right-by-1, byte
 * extraction); their exact definitions are not shown here.
 */
static void tkip_mixing_phase2(u8 *WEPSeed, const u8 *TK, const u16 *TTAK,
			       u16 IV16)
{
	/* Make temporary area overlap WEP seed so that the final copy can be
	 * avoided on little endian hosts. */
	u16 *PPK = (u16 *) &WEPSeed[4];

	/* Step 1 - make copy of TTAK and bring in TSC */
	PPK[0] = TTAK[0];
	PPK[1] = TTAK[1];
	PPK[2] = TTAK[2];
	PPK[3] = TTAK[3];
	PPK[4] = TTAK[4];
	PPK[5] = TTAK[4] + IV16;

	/* Step 2 - 96-bit bijective mixing using S-box */
	PPK[0] += _S_(PPK[5] ^ Mk16_le((u16 *) &TK[0]));
	PPK[1] += _S_(PPK[0] ^ Mk16_le((u16 *) &TK[2]));
	PPK[2] += _S_(PPK[1] ^ Mk16_le((u16 *) &TK[4]));
	PPK[3] += _S_(PPK[2] ^ Mk16_le((u16 *) &TK[6]));
	PPK[4] += _S_(PPK[3] ^ Mk16_le((u16 *) &TK[8]));
	PPK[5] += _S_(PPK[4] ^ Mk16_le((u16 *) &TK[10]));

	PPK[0] += RotR1(PPK[5] ^ Mk16_le((u16 *) &TK[12]));
	PPK[1] += RotR1(PPK[0] ^ Mk16_le((u16 *) &TK[14]));
	PPK[2] += RotR1(PPK[1]);
	PPK[3] += RotR1(PPK[2]);
	PPK[4] += RotR1(PPK[3]);
	PPK[5] += RotR1(PPK[4]);

	/* Step 3 - bring in last of TK bits, assign 24-bit WEP IV value
	 * WEPSeed[0..2] is transmitted as WEP IV */
	WEPSeed[0] = Hi8(IV16);
	/* WEP seed byte: derived from TSC1, not a counter byte itself.  This is
	 * the pattern a sniffer can use to recognise a TKIP-protected frame. */
	WEPSeed[1] = (Hi8(IV16) | 0x20) & 0x7F;
	WEPSeed[2] = Lo8(IV16);
	WEPSeed[3] = Lo8((PPK[5] ^ Mk16_le((u16 *) &TK[0])) >> 1);

#ifdef __BIG_ENDIAN
	/* PPK was mixed as native u16 words; the RC4 key must be the
	 * little-endian byte image of those words, so swap in place here. */
	{
		int i;
		for (i = 0; i < 6; i++)
			PPK[i] = (PPK[i] << 8) | (PPK[i] >> 8);
	}
#endif
}
内核代码中有多处 tkip_mixing_phase2 函数的实现：tkip.c、ieee80211_crypt_tkip.c、lib80211_crypt_tkip.c，其中只有 tkip.c 的实现乍看不满足以上的算法。
后来再看了下代码，发现 tkip.c 其实也实现了这一步，只是隐藏在下面的函数里：
/*
 * Write the 3-byte TKIP WEP IV (TSC1, WEP seed, TSC0) for the low 16 bits
 * of the TSC into pos and return the position just past it.
 *
 * The middle byte is not a counter byte: it is (TSC1 | 0x20) & 0x7f, the
 * same relation the other kernel TKIP implementations and the Wireshark
 * IS_TKIP heuristic rely on.
 *
 * @param pos   output buffer with room for 3 bytes
 * @param iv16  low 16 bits of the TSC
 * @return pos + 3
 */
static u8 *write_tkip_iv(u8 *pos, u16 iv16)
{
	u8 tsc1 = (u8)(iv16 >> 8);

	pos[0] = tsc1;				/* TSC1 */
	pos[1] = (u8)((tsc1 | 0x20) & 0x7f);	/* WEP seed byte */
	pos[2] = (u8)(iv16 & 0xFF);		/* TSC0 */

	return pos + 3;
}
这样看来暂时可以放心使用；有时间再去看看协议，并在 Windows 平台上验证一下。