From 28f49a0a9a9956c23a632f9f0ae4596544894d34 Mon Sep 17 00:00:00 2001 From: Guy Harris Date: Tue, 19 Feb 2019 01:01:48 -0800 Subject: [PATCH] Add --discard-all-secrets to remove decryption secrets. Bug: 15435 Change-Id: I78503c9c31ab3eda39908b91dca3ef3fb9af34bf Reviewed-on: https://code.wireshark.org/review/32100 Petri-Dish: Guy Harris Tested-by: Petri Dish Buildbot Reviewed-by: Guy Harris --- doc/editcap.pod | 7 +++++++ editcap.c | 28 ++++++++++++++++++++++++++++ wiretap/file_access.c | 22 ++++++++++++++++++++++ wiretap/wtap.c | 7 +++++++ wiretap/wtap.h | 12 ++++++++++++ 5 files changed, 76 insertions(+) diff --git a/doc/editcap.pod b/doc/editcap.pod index 58a64b2d3d..5c6c7ac8e0 100644 --- a/doc/editcap.pod +++ b/doc/editcap.pod @@ -29,6 +29,7 @@ S<[ B<-t> Etime adjustmentE ]> S<[ B<-T> Eencapsulation typeE ]> S<[ B<-v> ]> S<[ B<--inject-secrets> Esecrets typeE,EfileE ]> +S<[ B<--discard-all-secrets> ]> I I S<[ I[-I] ... ]> @@ -349,6 +350,12 @@ I TLS Key Log as described at Lsecrets typeE can be listed with B<--inject-secrets help>. +=item --discard-all-secrets + +Discard all decryption secrets from the input file when writing the +output file. Does not discard secrets added by B<--inject-secrets> in +the same command line. + =back =head1 EXAMPLES diff --git a/editcap.c b/editcap.c index 4a0bdb1f4a..5d6564a582 100644 --- a/editcap.c +++ b/editcap.c @@ -170,6 +170,7 @@ static gboolean rem_vlan = FALSE; static gboolean dup_detect = FALSE; static gboolean dup_detect_by_time = FALSE; static gboolean skip_radiotap = FALSE; +static gboolean remove_all_secrets = FALSE; static int do_strict_time_adjustment = FALSE; static struct time_adjustment strict_time_adj = {NSTIME_INIT_ZERO, 0}; /* strict time adjustment */ 
@@ -837,6 +838,10 @@ print_usage(FILE *output) fprintf(output, " list the encapsulation types.\n"); fprintf(output, " --inject-secrets , Insert decryption secrets from . List\n"); fprintf(output, " supported secret types with \"--inject-secrets help\".\n"); + fprintf(output, " --discard-all-secrets Discard all decryption secrets from the input file\n"); + fprintf(output, " when writing the output file. Does not discard\n"); + fprintf(output, " secrets added by \"--inject-secrets\" in the same\n"); + fprintf(output, " command line.\n"); fprintf(output, "\n"); fprintf(output, "Miscellaneous:\n"); fprintf(output, " -h display this help and exit.\n"); @@ -1013,11 +1018,13 @@ main(int argc, char *argv[]) #define LONGOPT_SKIP_RADIOTAP_HEADER 0x8101 #define LONGOPT_SEED 0x8102 #define LONGOPT_INJECT_SECRETS 0x8103 +#define LONGOPT_DISCARD_ALL_SECRETS 0x8104 static const struct option long_options[] = { {"novlan", no_argument, NULL, LONGOPT_NO_VLAN}, {"skip-radiotap-header", no_argument, NULL, LONGOPT_SKIP_RADIOTAP_HEADER}, {"seed", required_argument, NULL, LONGOPT_SEED}, {"inject-secrets", required_argument, NULL, LONGOPT_INJECT_SECRETS}, + {"discard-all-secrets", no_argument, NULL, LONGOPT_DISCARD_ALL_SECRETS}, {"help", no_argument, NULL, 'h'}, {"version", no_argument, NULL, 'V'}, {0, 0, 0, 0 } @@ -1149,6 +1156,12 @@ main(int argc, char *argv[]) break; } + case LONGOPT_DISCARD_ALL_SECRETS: + { + remove_all_secrets = TRUE; + break; + } + case 'a': { guint frame_number; @@ -1469,6 +1482,13 @@ main(int argc, char *argv[]) wtap_dump_params_init(¶ms, wth); + /* + * Discard any secrets we read in while opening the file. + */ + if (remove_all_secrets) { + wtap_dump_params_discard_decryption_secrets(¶ms); + } + if (dsb_filenames) { for (guint k = 0; k < dsb_filenames->len; k++) { guint32 secrets_type_id = g_array_index(dsb_types, guint32, k); 
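Review bot: The `remove_all_secrets` block added after `wtap_dump_params_init()` in the last editcap.c hunk on this line is order-sensitive, and its comment does not say so. `wtap_dump_params_discard_decryption_secrets()` (added in wiretap/wtap.c by this commit) sets both `dsbs_initial` and `dsbs_growing` to NULL and frees nothing. If the `dsb_filenames` loop that follows stores the `--inject-secrets` blocks in `params`, which the documented behaviour implies but the hunk does not show, then moving the call below that loop would silently drop the injected secrets and presumably leak whatever the loop allocated for them. I would extend the comment to `/* Discard any secrets we read in while opening the file. Must run before the --inject-secrets loop below: this clears the secret lists in params without freeing them. */`. main() starts and ends outside the hunk.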
@@ -1982,6 +2002,14 @@ main(int argc, char *argv[]) } } + if (remove_all_secrets) { + /* + * Discard any secrets we've read since the last packet + * we wrote. + */ + wtap_dump_discard_decryption_secrets(pdh); + } + /* Attempt to dump out current frame to the output file */ if (!wtap_dump(pdh, rec, buf, &write_err, &write_err_info)) { cfile_write_failure_message("editcap", argv[optind], diff --git a/wiretap/file_access.c b/wiretap/file_access.c index 803dac8d0b..b1022a25fe 100644 --- a/wiretap/file_access.c +++ b/wiretap/file_access.c @@ -2718,6 +2718,28 @@ wtap_dump_set_addrinfo_list(wtap_dumper *wdh, addrinfo_lists_t *addrinfo_lists) return TRUE; } +void +wtap_dump_discard_decryption_secrets(wtap_dumper *wdh) +{ + /* + * This doesn't free the data, as it might be pointed to + * from other structures; it merely marks all of them as + * having been written to the file, so that they don't + * get written by wtap_dump(). + * + * XXX - our APIs for dealing with some metadata, such as + * resolved names, decryption secrets, and interface + * statistics is not very well oriented towards one-pass + * programs; this needs to be cleaned up. See bug 15502. + */ + if (wdh->dsbs_growing) { + /* + * Pretend we've written all of them. + */ + wdh->dsbs_growing_written = wdh->dsbs_growing->len; + } +} + gboolean wtap_dump_get_needs_reload(wtap_dumper *wdh) { return wdh->needs_reload; } diff --git a/wiretap/wtap.c b/wiretap/wtap.c index fb77a4b23e..0614656302 100644 --- a/wiretap/wtap.c +++ b/wiretap/wtap.c @@ -327,6 +327,13 @@ wtap_dump_params_init(wtap_dump_params *params, wtap *wth) params->dsbs_growing = wth ? wth->dsbs : NULL; } +void +wtap_dump_params_discard_decryption_secrets(wtap_dump_params *params) +{ + params->dsbs_initial = NULL; + params->dsbs_growing = NULL; +} + void wtap_dump_params_cleanup(wtap_dump_params *params) { diff --git a/wiretap/wtap.h b/wiretap/wtap.h index 4e2eb7c4f3..3833a82379 100644 --- a/wiretap/wtap.h +++ b/wiretap/wtap.h 
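Review bot: `wtap_dump_discard_decryption_secrets()` in wiretap/file_access.c only advances `dsbs_growing_written` to the current `dsbs_growing->len`, so it suppresses the secrets seen so far and nothing later. Any block appended to `dsbs_growing` after the call would presumably still be emitted by the next `wtap_dump()`. A caller that wants a secret-free output must therefore call it before every write, which editcap does in its packet loop. That contract is stated only inside the function body, and the matching prototype in wiretap/wtap.h is the one `WS_DLL_PUBLIC` declaration added by this commit without a doc comment. I would add a Doxygen block above that prototype saying that the function marks all secrets read so far as already written, frees nothing, and has to be called before each `wtap_dump()`; the name "discard" otherwise reads as a one-time removal.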
@@ -1997,6 +1997,16 @@ gboolean wtap_dump_supports_comment_types(int filetype, guint32 comment_types); WS_DLL_PUBLIC void wtap_dump_params_init(wtap_dump_params *params, wtap *wth); +/** + * Remove any decryption secret information from the per-file information; + * used if we're stripping decryption secrets as we write the file. + * + * @param params The parameters for wtap_dump_* from which to remove the + * decryption secrets.. + */ +WS_DLL_PUBLIC +void wtap_dump_params_discard_decryption_secrets(wtap_dump_params *params); + /** * Free memory associated with the wtap_dump_params when it is no longer in * use by wtap_dumper. @@ -2083,6 +2093,8 @@ WS_DLL_PUBLIC gboolean wtap_dump_set_addrinfo_list(wtap_dumper *wdh, addrinfo_lists_t *addrinfo_lists); WS_DLL_PUBLIC gboolean wtap_dump_get_needs_reload(wtap_dumper *wdh); +WS_DLL_PUBLIC +void wtap_dump_discard_decryption_secrets(wtap_dumper *wdh); /** * Closes open file handles and frees memory associated with wdh. Note that