dot15d4: fix aux_sec_header incorrect parsing (#4969)

* dot15d4: fix aux_sec_header incorrect parsing (#4928)

Fix two bugs preventing correct parsing of 802.15.4 frames with the
security bit set:

1. Replace `is True` identity check with truthiness check in
   ConditionalField lambdas for Dot15d4Data, Dot15d4Beacon, and
   Dot15d4Cmd. In Python 3, `1 is True` is False because `is` checks
   object identity, not equality, so aux_sec_header was never parsed.

2. Add extract_padding() to Dot15d4AuxSecurityHeader so that remaining
   bytes after the header fields are returned to the parent packet
   instead of being consumed as payload.

* test: wrap encrypted beacon test with no_debug_dissector

The encrypted beacon payload cannot be parsed as ZigBeeBeacon, which
raises an exception when conf.debug_dissector is True (as in CI).

* dot15d4: prevent dissection of encrypted payloads as upper layers

When sec_sc_seclevel >= 4 (ENC, ENC-MIC-*), the payload after
aux_sec_header is encrypted and must not be passed to upper layer
dissectors (SixLoWPAN, ZigBee, etc.). Add encrypted payload checks
to guess_payload_class() in Dot15d4Data, Dot15d4Beacon, and
Dot15d4Cmd.

Author: T3pp31

scapy/layers/dot15d4.py

@@ -221,6 +221,9 @@ class Dot15d4AuxSecurityHeader(Packet):
                          lambda pkt: pkt.getfieldval("sec_sc_keyidmode") != 0),
     ]
 
+    def extract_padding(self, s):
+        return b"", s
+
 
 class Dot15d4Data(Packet):
     name = "802.15.4 Data"
@@ -233,10 +236,14 @@ class Dot15d4Data(Packet):
                          lambda pkt:pkt.underlayer.getfieldval("fcf_srcaddrmode") != 0),  # noqa: E501
         # Security field present if fcf_security == True
         ConditionalField(PacketField("aux_sec_header", Dot15d4AuxSecurityHeader(), Dot15d4AuxSecurityHeader),  # noqa: E501
-                         lambda pkt:pkt.underlayer.getfieldval("fcf_security") is True),  # noqa: E501
+                         lambda pkt:pkt.underlayer.getfieldval("fcf_security")),  # noqa: E501
     ]
 
     def guess_payload_class(self, payload):
+        # Encrypted payloads (sec_sc_seclevel >= 4) cannot be dissected further
+        if self.aux_sec_header is not None and \
+                self.aux_sec_header.sec_sc_seclevel >= 4:
+            return conf.raw_layer
         # TODO: See how it's done in wireshark:
         # https://github.com/wireshark/wireshark/blob/93c60b3b7c801dddd11d8c7f2a0ea4b7d02d700a/epan/dissectors/packet-ieee802154.c#L2061  # noqa: E501
         # it's too magic to me
@@ -268,7 +275,7 @@ class Dot15d4Beacon(Packet):
         dot15d4AddressField("src_addr", None, length_of="fcf_srcaddrmode"),
         # Security field present if fcf_security == True
         ConditionalField(PacketField("aux_sec_header", Dot15d4AuxSecurityHeader(), Dot15d4AuxSecurityHeader),  # noqa: E501
-                         lambda pkt:pkt.underlayer.getfieldval("fcf_security") is True),  # noqa: E501
+                         lambda pkt:pkt.underlayer.getfieldval("fcf_security")),  # noqa: E501
 
         # Superframe spec field:
         BitField("sf_sforder", 15, 4),  # not used by ZigBee
@@ -306,6 +313,13 @@ class Dot15d4Beacon(Packet):
         # TODO beacon payload
     ]
 
+    def guess_payload_class(self, payload):
+        # Encrypted payloads (sec_sc_seclevel >= 4) cannot be dissected further
+        if self.aux_sec_header is not None and \
+                self.aux_sec_header.sec_sc_seclevel >= 4:
+            return conf.raw_layer
+        return Packet.guess_payload_class(self, payload)
+
     def mysummary(self):
         return self.sprintf("802.15.4 Beacon ( %Dot15d4Beacon.src_panid%:%Dot15d4Beacon.src_addr% ) assocPermit(%Dot15d4Beacon.sf_assocpermit%) panCoord(%Dot15d4Beacon.sf_pancoord%)")  # noqa: E501
 
@@ -323,7 +337,7 @@ class Dot15d4Cmd(Packet):
                          lambda pkt:pkt.underlayer.getfieldval("fcf_srcaddrmode") != 0),  # noqa: E501
         # Security field present if fcf_security == True
         ConditionalField(PacketField("aux_sec_header", Dot15d4AuxSecurityHeader(), Dot15d4AuxSecurityHeader),  # noqa: E501
-                         lambda pkt:pkt.underlayer.getfieldval("fcf_security") is True),  # noqa: E501
+                         lambda pkt:pkt.underlayer.getfieldval("fcf_security")),  # noqa: E501
         ByteEnumField("cmd_id", 0, {
             1: "AssocReq",  # Association request
             2: "AssocResp",  # Association response
@@ -345,6 +359,10 @@ def mysummary(self):
     # command frame payloads are complete: DataReq, PANIDConflictNotify, OrphanNotify, BeaconReq don't have any payload  # noqa: E501
     # Although BeaconReq can have an optional ZigBee Beacon payload (implemented in ZigBeeBeacon)  # noqa: E501
     def guess_payload_class(self, payload):
+        # Encrypted payloads (sec_sc_seclevel >= 4) cannot be dissected further
+        if self.aux_sec_header is not None and \
+                self.aux_sec_header.sec_sc_seclevel >= 4:
+            return conf.raw_layer
         if self.cmd_id == 1:
             return Dot15d4CmdAssocReq
         elif self.cmd_id == 2:

test/scapy/layers/dot15d4.uts

@@ -325,6 +325,80 @@ p = Dot15d4AuxSecurityHeader(b"\x18\x05\x00\x00\x00\xff\xee\xdd\xcc\xbb\xaa\x00\
 assert p.sec_sc_keyidmode == 3
 assert p.sec_keyid_keysource == 11024999611375677183
 
+= Dot15d4AuxSecurityHeader - extract_padding does not consume trailing bytes
+
+p = Dot15d4AuxSecurityHeader(b"\x04\x05\x00\x00\x00\xAA\xBB")
+assert p.sec_sc_seclevel == 4
+assert p.sec_framecounter == 0x5
+assert Raw not in p
+assert Padding in p
+assert p[Padding].load == b"\xAA\xBB"
+
+= Dot15d4 Beacon with aux_sec_header (issue #4928)
+
+# Given: raw bytes for a Dot15d4 Beacon frame with fcf_security=1
+# Note: remaining bytes are encrypted data, so ZigBeeBeacon dissection is expected to fail
+with no_debug_dissector():
+    pkt = Dot15d4(b'\x08\xD0\x84\x21\x43\x01\x00\x00\x00\x00\x48\xDE\xAC\x02\x05\x00\x00\x00\x55\xCF\x00\x00\x51\x52\x53\x54\x22\x3B\xC1\xEC\x84\x1A\xB5\x53')
+
+assert pkt.fcf_frametype == 0
+assert pkt.fcf_security == 1
+assert Dot15d4Beacon in pkt
+assert pkt[Dot15d4Beacon].aux_sec_header is not None
+assert pkt[Dot15d4Beacon].aux_sec_header.sec_sc_seclevel == 2
+assert pkt[Dot15d4Beacon].aux_sec_header.sec_sc_keyidmode == 0
+assert pkt[Dot15d4Beacon].aux_sec_header.sec_framecounter == 0x5
+assert Raw in pkt
+
+= Dot15d4 Data with aux_sec_header - build & dissect round-trip
+
+# Given: a Dot15d4 Data frame with fcf_security=1
+pkt = Dot15d4(fcf_frametype=1, fcf_security=1, fcf_destaddrmode=2, fcf_srcaddrmode=2) / Dot15d4Data(dest_panid=0x1234, dest_addr=0xFFFF, src_panid=0x1234, src_addr=0x0001, aux_sec_header=Dot15d4AuxSecurityHeader(sec_sc_seclevel=5, sec_sc_keyidmode=1, sec_keyid_keyindex=0x01))
+# When: packet is serialized and re-dissected
+pkt2 = Dot15d4(raw(pkt))
+# Then: aux_sec_header is correctly parsed
+assert pkt2.fcf_security == 1
+assert Dot15d4Data in pkt2
+assert pkt2[Dot15d4Data].aux_sec_header is not None
+assert pkt2[Dot15d4Data].aux_sec_header.sec_sc_seclevel == 5
+assert pkt2[Dot15d4Data].aux_sec_header.sec_sc_keyidmode == 1
+assert pkt2[Dot15d4Data].aux_sec_header.sec_keyid_keyindex == 0x01
+
+= Dot15d4 Cmd with aux_sec_header - build & dissect round-trip
+
+# Given: a Dot15d4 Command frame with fcf_security=1
+pkt = Dot15d4(fcf_frametype=3, fcf_security=1, fcf_destaddrmode=2, fcf_srcaddrmode=2) / Dot15d4Cmd(dest_panid=0x1234, dest_addr=0xFFFF, src_panid=0x1234, src_addr=0x0001, aux_sec_header=Dot15d4AuxSecurityHeader(sec_sc_seclevel=5, sec_sc_keyidmode=1, sec_keyid_keyindex=0x01), cmd_id=4)
+# When: packet is serialized and re-dissected
+pkt2 = Dot15d4(raw(pkt))
+# Then: aux_sec_header is correctly parsed
+assert pkt2.fcf_security == 1
+assert Dot15d4Cmd in pkt2
+assert pkt2[Dot15d4Cmd].aux_sec_header is not None
+assert pkt2[Dot15d4Cmd].aux_sec_header.sec_sc_seclevel == 5
+assert pkt2[Dot15d4Cmd].aux_sec_header.sec_sc_keyidmode == 1
+
+= Dot15d4 Data with encrypted payload (seclevel >= 4) stays Raw
+
+# Given: a Data frame with seclevel=4 (ENC) and trailing encrypted bytes
+pkt = Dot15d4(fcf_frametype=1, fcf_security=1, fcf_destaddrmode=2, fcf_srcaddrmode=2) / Dot15d4Data(dest_panid=0x1234, dest_addr=0xFFFF, src_panid=0x1234, src_addr=0x0001, aux_sec_header=Dot15d4AuxSecurityHeader(sec_sc_seclevel=4, sec_sc_keyidmode=1, sec_keyid_keyindex=0x01)) / Raw(b'\xaa\xbb\xcc\xdd')
+# When: packet is serialized and re-dissected
+pkt2 = Dot15d4(raw(pkt))
+# Then: encrypted payload must not be dissected as SixLoWPAN/ZigBee
+assert pkt2[Dot15d4Data].aux_sec_header.sec_sc_seclevel == 4
+assert Raw in pkt2
+from scapy.layers.sixlowpan import SixLoWPAN
+assert SixLoWPAN not in pkt2
+
+= Dot15d4 Beacon without aux_sec_header (fcf_security=0)
+
+# Given: raw bytes for a Dot15d4 Beacon frame with fcf_security=0
+pkt = Dot15d4FCS(b'\x00\x80\x89\xaa\x99\x00\x00\xff\xcf\x00\x00\x00"\x84\xfe\xca\xef\xbe\xed\xfe\xce\xfa\xff\xff\xff\x00X\xa4')
+# When: packet is dissected
+# Then: fcf_security is not set and aux_sec_header is None
+assert pkt.fcf_security == 0
+assert Dot15d4Beacon in pkt
+assert pkt[Dot15d4Beacon].aux_sec_header is None
+
 # RPL: unimplemented
 #p = SixLoWPAN(b"\x7b\x3b\x3a\x1a\x9b\x02\xae\x30\x21\x00\x00\xef\x05\x12\x00\x80\x20\x02\x0d\xb8\x00\x00\x00\x00\x00\x00\x00\xff\xfe\x00\x33\x44\x09\x04\x00\x00\x00\x00\x06\x04\x00\x01\xef\xff")
 #p.show2()