mfontanini / libtins

High-level, multiplatform C++ network packet sniffing and crafting library.
http://libtins.github.io/
BSD 2-Clause "Simplified" License

AMSDU frames and decryption #461

Open jvillasante opened 2 years ago

jvillasante commented 2 years ago

Hello Matias,

First, congratulations on that great library, libtins has saved our lives (more than once) when looking at live captures!

I have an issue with AMSDU frames and decryption. The issue comes from the fact that AMSDU frames are just single MSDU frames which are aggregated into the AMSDU payload; each AMSDU frame first has an AMSDU header (dst, src, length) and then a SNAP with the data. Now, AMSDU is decrypted as a whole as opposed to decrypting every MSDU subframe individually.

On the attached screenshot of a Wireshark decrypted AMSDU frame, we can see that, right after the QoS Data comes the first header of the first subframe followed by the SNAP with the data, then the second header of the second subframe followed by the SNAP with the data, and so on for all the subframes.

Here's the issue, I think that the decryption routine for AMSDU frames should return a RawPDU instead of a SNAP. Basically, changing SessionKeys::ccmp_decrypt_unicast() to return a PDU* instead of a SNAP* and then doing:

PDU* SessionKeys::ccmp_decrypt_unicast(Dot11Data const& dot11, RawPDU &raw) const {
    // ... (CCMP decryption of the payload into `pload`, MIC computed into `nice_MIC`)

    // Only hand back a PDU when the computed MIC matches the received one
    if (std::equal(nice_MIC, nice_MIC + sizeof(nice_MIC), MIC))
    {
        // isAmsduFrame() just checks `qos_control()` for the `AMSDU` bit
        if (is_qos && static_cast<Dot11QoSData const&>(dot11).isAmsduFrame())
        {
            // A-MSDU: the decrypted payload holds several subframes, each with its
            // own (dst, src, length) header before the SNAP, so return it raw
            return new RawPDU(&pload[0], total_sz);
        }
        else
        {
            // Single MSDU: the decrypted payload starts directly with the SNAP header
            return new SNAP(&pload[0], total_sz);
        }
    }

    return nullptr;
}

Of course, the same approach needs to be followed for TKIP and WEP decryption. After doing that, de-aggregating the decrypted AMSDU frames into individual subframes works as expected. What do you think? Am I missing something? Do you need me to follow up with a capture or anything else?

[Screenshot from 2021-12-06 16-41-07: Wireshark view of a decrypted AMSDU frame]
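As an added example (not code from this issue and not part of libtins), here is a standalone C++ parser for the decrypted A-MSDU payload that the issue proposes returning as a RawPDU. It walks the subframe headers (DA, SA, length), honours the 4-byte alignment padding that precedes every subframe except the last, reads the EtherType from each subframe's LLC/SNAP header, and rejects a buffer whose declared subframe length overruns the data, which is the check a de-aggregation routine needs before trusting a length field from the air. The sample payload, its addresses and its EtherTypes are constructed inline for the demonstration.

```cpp
// Added example (not libtins code): de-aggregate a decrypted 802.11 A-MSDU payload.
// Input is assumed to start right after the decrypted QoS Data header.
#include <array>
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <iostream>
#include <vector>

struct AmsduSubframe {
    std::array<uint8_t, 6> da{};   // destination address
    std::array<uint8_t, 6> sa{};   // source address
    uint16_t length = 0;           // MSDU length, big endian on the wire
    std::vector<uint8_t> msdu;     // LLC/SNAP header followed by the data
};

// 802.11 A-MSDU layout: each subframe is DA(6) SA(6) Length(2) MSDU(Length),
// padded to a 4-byte boundary except for the last subframe.
// Returns false (and stops) when a header or a declared length overruns the buffer.
bool parse_amsdu(const uint8_t* data, size_t size, std::vector<AmsduSubframe>& out) {
    constexpr size_t HEADER_LEN = 14;
    size_t off = 0;
    while (off < size) {
        if (size - off < HEADER_LEN) return false;          // truncated subframe header
        AmsduSubframe sf;
        std::memcpy(sf.da.data(), data + off, 6);
        std::memcpy(sf.sa.data(), data + off + 6, 6);
        sf.length = static_cast<uint16_t>((data[off + 12] << 8) | data[off + 13]);
        off += HEADER_LEN;
        if (sf.length > size - off) return false;           // length field overruns buffer
        sf.msdu.assign(data + off, data + off + sf.length);
        off += sf.length;
        size_t pad = (4 - (HEADER_LEN + sf.length) % 4) % 4;
        out.push_back(std::move(sf));
        if (off < size) {                                   // not the last subframe: skip padding
            if (pad > size - off) return false;
            off += pad;
        }
    }
    return true;
}

// Read the EtherType from the MSDU's LLC/SNAP header (AA AA 03 00 00 00 TT TT).
bool snap_ethertype(const AmsduSubframe& sf, uint16_t& ethertype) {
    static const uint8_t SNAP_PREFIX[6] = {0xAA, 0xAA, 0x03, 0x00, 0x00, 0x00};
    if (sf.msdu.size() < 8 || std::memcmp(sf.msdu.data(), SNAP_PREFIX, 6) != 0) return false;
    ethertype = static_cast<uint16_t>((sf.msdu[6] << 8) | sf.msdu[7]);
    return true;
}

// Constructed sample payload: two subframes (IPv4 then IPv6 EtherType); the first one
// is followed by two padding bytes, the last one is unpadded. Addresses are made up.
std::vector<uint8_t> sample_amsdu() {
    std::vector<uint8_t> p;
    auto subframe = [&p](uint16_t ethertype, std::vector<uint8_t> payload, bool last) {
        static const uint8_t da[6] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55};
        static const uint8_t sa[6] = {0x66, 0x77, 0x88, 0x99, 0xAA, 0xBB};
        static const uint8_t snap[6] = {0xAA, 0xAA, 0x03, 0x00, 0x00, 0x00};
        uint16_t len = static_cast<uint16_t>(8 + payload.size());   // SNAP header + data
        p.insert(p.end(), da, da + 6);
        p.insert(p.end(), sa, sa + 6);
        p.push_back(static_cast<uint8_t>(len >> 8));
        p.push_back(static_cast<uint8_t>(len & 0xFF));
        p.insert(p.end(), snap, snap + 6);
        p.push_back(static_cast<uint8_t>(ethertype >> 8));
        p.push_back(static_cast<uint8_t>(ethertype & 0xFF));
        p.insert(p.end(), payload.begin(), payload.end());
        if (!last) p.resize(p.size() + (4 - (14 + len) % 4) % 4, 0);
    };
    subframe(0x0800, {0x45, 0x00, 0x00, 0x14}, false);   // 14 + 12 = 26 bytes, 2 bytes of padding
    subframe(0x86DD, {0x60}, true);                      // 14 + 9 = 23 bytes, no padding
    return p;                                            // 51 bytes in total
}

// Number of subframes in a payload, or -1 when the payload is malformed.
int count_subframes(const std::vector<uint8_t>& payload) {
    std::vector<AmsduSubframe> subframes;
    if (!parse_amsdu(payload.data(), payload.size(), subframes)) return -1;
    return static_cast<int>(subframes.size());
}

// EtherType of subframe `index`, or 0 when it is missing or not LLC/SNAP.
uint16_t subframe_ethertype(const std::vector<uint8_t>& payload, size_t index) {
    std::vector<AmsduSubframe> subframes;
    uint16_t et = 0;
    if (!parse_amsdu(payload.data(), payload.size(), subframes) || index >= subframes.size()) return 0;
    return snap_ethertype(subframes[index], et) ? et : 0;
}

// Copy of a payload with its last `n` bytes removed (simulates a truncated capture).
std::vector<uint8_t> truncated(std::vector<uint8_t> p, size_t n) {
    p.resize(p.size() - n);
    return p;
}

int main() {
    std::vector<uint8_t> payload = sample_amsdu();
    std::cout << "subframes: " << count_subframes(payload) << "\n";
    for (size_t i = 0; i < 2; ++i)
        std::cout << "subframe " << i << " ethertype 0x" << std::hex << subframe_ethertype(payload, i) << std::dec << "\n";
    std::cout << "truncated payload parses: " << (count_subframes(truncated(payload, 3)) == -1 ? "no" : "yes") << "\n";
    return 0;
}
```

The parser deliberately refuses the whole aggregate on the first inconsistent length rather than returning the subframes seen so far, so a truncated or tampered frame cannot yield a half-parsed MSDU that a caller then treats as complete; a libtins-based implementation could apply the same walk to the RawPDU returned by the patched decryption routine and wrap each MSDU in a SNAP.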