From 7a674c006b3d09735c9340ad74f02556fbd91cbd Mon Sep 17 00:00:00 2001
From: Peter Wu <peter@lekensteyn.nl>
Date: Sun, 4 Sep 2016 01:23:37 +0200
Subject: [PATCH] ssl: fix TLS renegotiation, add test for this

A handshake starts a new session, be sure to clear the previous state to
avoid creating a decoder with wrong secrets.

Renegotiations are also kind of transparant to the application layer, so
be sure to re-use an existing SslFlow. This fixes the Follow SSL stream
functionality which would previously ignore everything except for the
first session.

The capture file contains a crafted HTTP request/response over TLS 1.2,
interleaved with renegotiations. The HTTP response contains the Python
script used to generate the traffic. Surprise!

Change-Id: I0110ce76893d4a79330845e53e47e10f1c79e47e
Reviewed-on: https://code.wireshark.org/review/17480
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
---
 epan/dissectors/packet-ssl-utils.c   |  57 +++++++++++++++++++++++++--
 test/captures/tls-renegotiation.pcap | Bin 0 -> 12935 bytes
 test/suite-decryption.sh             |  17 ++++++++
 3 files changed, 70 insertions(+), 4 deletions(-)
 create mode 100644 test/captures/tls-renegotiation.pcap

diff --git a/epan/dissectors/packet-ssl-utils.c b/epan/dissectors/packet-ssl-utils.c
index 7c8f37622c..5ac15f01f1 100644
--- a/epan/dissectors/packet-ssl-utils.c
+++ b/epan/dissectors/packet-ssl-utils.c
@@ -2780,7 +2780,6 @@ ssl_create_decoder(const SslCipherSuite *cipher_suite, gint compression,
     }
     dec->seq = 0;
     dec->decomp = ssl_create_decompressor(compression);
-    dec->flow = ssl_create_flow();
 
     /* TODO this does nothing as dec->evp is always NULL. */
     if (dec->evp)
@@ -3222,6 +3221,10 @@ create_decoders:
         goto fail;
     }
 
+    /* Continue the SSL stream after renegotiation with new keys. */
+    ssl_session->client_new->flow = ssl_session->client ? ssl_session->client->flow : ssl_create_flow();
+    ssl_session->server_new->flow = ssl_session->server ? ssl_session->server->flow : ssl_create_flow();
+
     ssl_debug_printf("%s: client seq %d, server seq %d\n",
         G_STRFUNC, ssl_session->client_new->seq, ssl_session->server_new->seq);
     g_free(key_block.data);
@@ -4109,6 +4112,48 @@ ssl_get_session(conversation_t *conversation, dissector_handle_t ssl_handle)
     return ssl_session;
 }
 
+/* Resets the decryption parameters for the next decoder. */
+static void ssl_reset_session(SslSession *session, SslDecryptSession *ssl, gboolean is_client)
+{
+    if (ssl) {
+        /* Ensure that secrets are not restored using stale identifiers. Split
+         * between client and server in case the packets somehow got out of order. */
+        gint clear_flags = SSL_HAVE_SESSION_KEY | SSL_MASTER_SECRET | SSL_PRE_MASTER_SECRET;
+
+        if (is_client) {
+            clear_flags |= SSL_CLIENT_EXTENDED_MASTER_SECRET;
+            ssl->session_id.data_len = 0;
+            ssl->session_ticket.data_len = 0;
+            ssl->master_secret.data_len = 0;
+            ssl->client_random.data_len = 0;
+        } else {
+            clear_flags |= SSL_SERVER_EXTENDED_MASTER_SECRET | SSL_NEW_SESSION_TICKET;
+            ssl->server_random.data_len = 0;
+            ssl->pre_master_secret.data_len = 0;
+#if defined(HAVE_LIBGNUTLS) && defined(HAVE_LIBGCRYPT)
+            ssl->private_key = NULL;
+#endif
+            ssl->psk.data_len = 0;
+        }
+
+        if (ssl->state & clear_flags) {
+            ssl_debug_printf("%s detected renegotiation, clearing 0x%02x (%s side)\n",
+                    G_STRFUNC, ssl->state & clear_flags, is_client ? "client" : "server");
+            ssl->state &= ~clear_flags;
+        }
+    }
+
+    /* These flags might be used for non-decryption purposes and may affect the
+     * dissection, so reset them as well. */
+    if (is_client) {
+        session->client_cert_type = 0;
+    } else {
+        session->compression = 0;
+        session->server_cert_type = 0;
+        /* session->is_session_resumed is already handled in the ServerHello dissection. */
+    }
+}
+
 static guint32
 ssl_starttls(dissector_handle_t ssl_handle, packet_info *pinfo,
                  dissector_handle_t app_handle, guint32 last_nontls_frame)
@@ -5441,12 +5486,16 @@ ssl_dissect_hnd_hello_ext_cert_type(ssl_common_dissect_t *hf, tvbuff_t *tvb,
 static gint
 ssl_dissect_hnd_hello_common(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                              proto_tree *tree, guint32 offset,
-                             SslDecryptSession *ssl, gboolean from_server)
+                             SslSession *session, SslDecryptSession *ssl,
+                             gboolean from_server)
 {
     nstime_t     gmt_unix_time;
     guint8       sessid_length;
     proto_tree  *rnd_tree;
 
+    /* Prepare for renegotiation by resetting the state. */
+    ssl_reset_session(session, ssl, !from_server);
+
     if (ssl) {
         StringInfo *rnd;
         if (from_server)
@@ -5778,7 +5827,7 @@ ssl_dissect_hnd_cli_hello(ssl_common_dissect_t *hf, tvbuff_t *tvb,
     offset += 2;
 
     /* dissect fields that are also present in ClientHello */
-    offset = ssl_dissect_hnd_hello_common(hf, tvb, tree, offset, ssl, FALSE);
+    offset = ssl_dissect_hnd_hello_common(hf, tvb, tree, offset, session, ssl, FALSE);
 
     /* fields specific for DTLS (cookie_len, cookie) */
     if (dtls_hfs != NULL) {
@@ -5898,7 +5947,7 @@ ssl_dissect_hnd_srv_hello(ssl_common_dissect_t *hf, tvbuff_t *tvb,
     offset += 2;
 
     /* dissect fields that are also present in ClientHello */
-    offset = ssl_dissect_hnd_hello_common(hf, tvb, tree, offset, ssl, TRUE);
+    offset = ssl_dissect_hnd_hello_common(hf, tvb, tree, offset, session, ssl, TRUE);
 
     if (ssl) {
         /* store selected cipher suite for decryption */
diff --git a/test/captures/tls-renegotiation.pcap b/test/captures/tls-renegotiation.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..7d772a58f5223ee5007a81f248e45e179842f317
GIT binary patch
literal 12935
zcmaJ{1yq#V_nn}-OG-cq>6T7u5J5^x>FyAuI~7qnr9-4ax*G&RLQ+6lkQ5N%Ki~Lx
zKi>QMxNF_DnBik{_CEXEb1uVJdwC`VgaG>ALI8nbFFelsHAAV;K=QD!fqiwMfTTen
zA;_s1NDS$2iw_6{26l%8u4;Nx-U;wz2Bfg?oE-#$AY4o!Kv2+-H*%oB`(P*(89>gw
z78wKrkcH|lk#SW!BwV;8t6}J;8F>F689={8u7M#-z<v|3uP%7Z+>oE}n7c2L|BCq(
zhF;@~1J*cafW-*@9WQ_i#A-*42Fig!0sHELBgR9{;D|<lL?nSBM*I_z2nq)2!vxlW
zLI>-E+U=vYT9D)N>n-lLW3g01`@B?fXsBD59v}-xhk#&dVFO*j9%cd2!hSO*h#EwR
z1V(}&K@q`-5JV^f7y*I+g;9q<p%5?x0)c|CVc`Qod%}YLZy8o9fuJ=oFN6L|;F|QL
ze7*mY;ROvEC>8>O?|;hx30kQF5Y_7chzOGb<neDApdbMl8ZQ*O-{2)Y)i%Wj71V>h
zw=;SYlbEORaH*{mQFSf}#}*R=69I$;lL00KAOk>=2u2tI9Rvda{{n$e+5N#sux*e5
zmjM+NV`ckb#%QL79TN$aDOfi62PPPdjtF8W;J{<YL4rO+fMTFp+ZjE!Hn($fW~U^^
z<ltq$%g)Wg&cn;YtpmK|VE_B&fBckR`c-r=A_(di1!DILgZTM@vTfA}(B_zz3?C-#
zN#wqh!DAyHI<1>gHqzjJU+1LYE+yP$ZIOMe;xQx@6+zTdc#?j!R7cvahIjck?EqeF
z$y{EwfWOc)I&HM$ILU}CMqbevAH8ncSBySrLuidr$!w&=g`c9gOyBTrifXC}?G@HP
zB~^IgotKq(9;g`hT^Is0893`cyD~ckj4cHg0uchiETc1_=ZdS$;dgV9@Q06|Ji()3
zWv2qZO^ZOnPUQRN2QYvK@DUK%p<wXERl+bip)jVZ=rYIR0T3MN{-6>qsSlEND()Xw
zAAbwpeMgm@7m?|J?vfYEaFcZ2+FU)C-EC<$)K|!L?tNGCvOGyw%y@Q{)m$4FizXRs
zC-YjjetOHYk3f__gi_UByhfjl#0Yo?a))K~rTOBB8RN}-3Br`^1CmEB@~qBYTPnE^
z7aN|J!HfVxz=F8~F#T7UMgQCMkYDgh?Yy+;@7mATbK$y&0yDkApKAZ`78-~I<~v|t
zT|n)F(IDplBLDUu5lLW(=l|dI!8jn0Kgd@s=@i4yyHhF3YKV}*n>SHQ^p}?%ZRo+M
zkym163<hHJ2gd~;UX;KhSN}KQUHy|J@v^)hcbqMfdF1(S^_BQi|6nr2cHmm}I?g&*
z{t$M8N24b1)%o>V?YUOiQ8}-6p(2B@alq?yx*zVt)D*G@-|6b`j>;7!vcOo90i+it
z1Tfv;WdsuA6i-+$Ei4$;JKWicWPCvI;11HM=_h&jNR7c>&$48mE)BDUuE5)(U91i^
zv05)oCZOy;Uj&iqFK>BHeW`qZ3Mk)y2Mr_y(+JpC7hEUSm1;nzhq#wI{XTB)p`<4j
zaQTve^)G1t)(HVPb%CT7!dg-;>}_UHMva!Qc1OJ{2ekT`7X{^xQd-l=NAg7y@JOXT
zjrqrPay`G-7E+yz;ol-42H);BeV128tv4z+!NYWkn$@C@*k7>da7R7q_vA09M#a~)
zj+AEptoM)uie8m04w<feV`>X+Z*aAvpt|K=Q*wKt<XJT{vDV%N??8XPqreBEnDxjD
zah*;{L`R00^7a0G%t2wgteNT0pvMq0D7#P&+4dDJt-qim5UYEM)AN=ev{W`t>EMya
z4Pu+z)5kBBuTc@kvS;JC8NYQy7%D-sZ?mO;hbrAcbZHioq@4F$olj)w5YRHe<60MA
zz+K#aspW4M7jU_7$v|K(HoxLx9GI2}0HR(kIw%j87GPgp@D7#;1;G*Z{)k8dLyY=6
zJ2U_yF)TZVt&f`W<oJ*MgiaNo85BEkQEbV)4UEnfHPGllny2y2JvhE`CK{V_Up68`
zRkH4<$$=G*S+-!DnO~&wQ7NLy!Yu{+gD~ow??hb$8d#@q6O#+Z;mD;m)s~_Ztg5w5
za{*y*%41wp&MP%Q*cxb;VgELj3<PGX1eg%|SA<}Ng-rt>{_MsAt-=%l_SFR!VhRd|
z3qgK~_?NT^aA^S{2LBd9ABM;Z*fb+n!xrU`KeJxHN=Lq=K$qL!PNz4l#oTl(NqHoY
zCUAu9`#W2AO1a6V2fBoKUdA?z?_AhrWWOsVwJ`}OVLEU><nrcK^P#um>>=P*9F=M@
znVSCfGh1Xf2355#BhV_Z5}nUds;2^!pz7quQA)g{&ql`>^EuY~<!AoIWl5>iCF-xT
zI6pLo+}AiL`_sOx>Jb={$ub7>4}YCGayaIOPg|rtSl0<z3l|dglJ@_EEEI+bX?8_O
zfVMs$BxNrahyym!0sHC#goM(ryay1~NdJgP0yYDa{4JybfCvcbTTzFlym)W-1-iof
zvFvbinV@x5HDr99Fnv40%4$Jr2|84Dnu0`2lRoZJJAF(?nE))pScVHrKQjK86%*MC
zO3~s8K70L|)>&lslNcmz#^uAhl(CGWUFK2`RQrA$(KU-^%!<BAPuN<j;2Ul)X4We$
zRY|cXv6m-CW0^}!)`A5AVGjlMnIVni*Bi$MH;~h;HP@#lWFh?I+gW*3Bv<{0js0cE
z2)oqO9+nlia}k8J{MC-DLw6(l&w%>H2n4B%9}}mlOUWMJ4zkcDt#lcmoQAHc;i791
zlOCHeil_0MB5(DO$Y$t*qdIBm=_On5$c1iq4xdWRG?|n{hHi~2e%-EmLZS6JKJCKc
z1SR<4*AEU{n1gB=<VD-_Iu4wOZhh56B|9_+X_0CHqrpAdK|1_Kv#cxZ(E_&pH@t7m
z(_(E#Oj&0mE57%<pEArM4Mi@ZK6cRFrHC4|6E!LN<&c$vJ$`86{%bIZ#^I;a{@G{=
zj*U2UNCv+lm*`L$vFL47jOX~Xwe=3&Jad{a=yQH1+c{1A^>(5g!o1<t-fokiZe1ik
z>bs&n9sT=zWH-l-V@U1f(eAIMxFSRd3}O!6F<h{CX&iQ=OZf%SkaSArOGg|fsxXGv
zLDkLTNlyuNy7l%x++o$9bz8PEo>$<WMAlvtwQ=T}<Co00&)ez}OT?5AvAav@5kqxm
zMf2p$hg!;p(Mh(Q-j#G0EqC{E%J;qj{{1aKv|&&&x8g_pY_S787rfLKdF!s%`3&B1
zx%iJia_fXmF9}f#M6C_Qs;84n;`NbjTbkW*p3p>6jndh?F{?mc&Y;W5+g8YLVm=&(
zPDK9rNjraQaB6wGaJg00!F1M-%sZUToNtRYwOxL7gLOY^r|<@lvqAU<5Z|XR$5Gw%
z!&mNZF>S8#&1wAzIG24bn{gnHm2WUWr+*+k3oK3|(q59~uzMI4zGGw<%r3@vEB4K(
z{V(oet%)T{1IIX^fGl7I^xvZj6aqhq{&lq~6n5c~+l7^+^OceW3djIJjO)h&Il$U4
zu&*w73pRp60Yv^6mnHf8Z2Jq51nhjF`Hzw`0Em@NR6GyC*7&F-m_PXo@`Ny(Ov}Ka
z)tW(Gs|yq;ZhppyG*9Z(TElHPBK8#h@lP(XZ;;aPW<_J>W|rK}z@0HX1-#|MjeBK8
z>xRaoy|ZnqqgXx>aSnm4kK~mn?sss7e>&<C>Nc7ZeBS#|vT|e@%0fwh%f0^@Q}vjv
zxiWKs-wt#~=++i}r;1lPgS0pfz0*#1+wyY>Q&qYG8Qr;p-NH9cuO{A{Jwh4@&bOCw
zc?mRPc2zF#rrK^a#66Z6me8eu=un=FMklr*5xZh^dve^7kfKF~p!2W1$$MweC}cgE
zB!H<{_q!6LO&`%$PkC<#X=zdOA4s8>Fof(hNE`4t*&T`++o55(7avg8*RB_y5V77u
z`fiAj8&gFmhD)bA0rF%S0}`M;gawL$i4W|n3!Z?0l{z2+>a~{%_<hRC?WQLcS;J-^
zy9>AfpMYT_gIQZ&<N`6ZW<SAk2t}R|_35t#2J#BYFBfFp<SC3VM5oD&L{0tEJ-hB+
zU?k>N7-wsn=~^83_(a+sPuSNb6F;7S>?6pW;-mU!ebr*c%4zqbe0aw;$j3G1^UCw_
zA+@Oh_m&V|w~PoZQ_=FUaO?1yGX=VMq-MMXs4%j9G(v#KDcethpx(Xih3RFU@9mAC
z2mzh!LFo{pvWVM1Up?eNB*l!F6`<l!Nudej#?6RR-+92{&Yee_J1;SHG!MJRG#D2v
z+wr}OUB3{Ef+xszfmC<(NaSc=_mH!j*vH9!wR8L9qL-jDvl$;o7)EVVE|oZgg@ao|
zH%pW2)_OBMLHtDM4?d<OjP|_AX7bK>!adNulpRxd$IovwcGx{#vyzJ(B;wh0e=wc#
z4R&fkN+CW0o$g1k$T4c=dj}PR(!-vx1g*lx%xh{60bX-WmkIh^Aw||MTnb{an)AI<
zb5=mj0f=$0AfOOfu7Q1Z!RLvmP((PQ`yUZWV2Cz<r#u-z1O_Xy8)UlAcILaR#@y_}
zdv>Zl>#8gK2vqz`OK_ffyOlUs-c!G2a;W+9L7lNbvEU@aia0g*g1LWE?l<n4j`PK_
zDj+OIcIY)kSL%VVG>|UC`t3voF_;s}U_|Y%5Y2;yl?)(0%0j$ua6*C;CB8)bOS&?+
zbO6!+4Nem<#5^FQ88I^98p8|;;^tB|xEdc~ZhEYtin15B>o+@lk85ZAa4vgUhaSsv
zm$Ub@kHVYa-GhONI1UEuxhhe`b_H#Yef?r0!fl0zvPI7q5^V6lJ8cGXGqAG#nuwDk
z8Pyx9(e!{Ea+*F!y-?X4+eXjSWW*I&sKUQB^#g6ZC@0qWwG){o#khSE8*RM%q6g;a
zH%M#cD5IjDE^cOq4@aJM8vP7F+X6=Wza6vE02dPRlJ@_EEY^St>2^g(fc6A{cnm|l
zW^if*5Y-6(h)4o<yD~Vz5dk56nNI>;6HG(UZ^%fE;+D#$m4!VvGr5=CBuKG;PL@e}
z_p})!M&ZPDD}8Zw;>OubURYzDKe;iE?I-*EKKBviB_w7`9Anps;UrBP&e9gp#BK5r
zF%4#2G-{z%)ZX@uU$U%UXXDZzwV_RVEGQWvxuhDQkUbD@&G8CmH`_fUM}q|cVRyBX
z%-5lpIGou~DM8zG;_k*-y7Tn>*;s2`X$I=jL(ft>S0m0=<NE|9q+0Cch)*7MpISHL
ztQo&X?O{>8`Dlhg>JyHQ=th`g@B8*!qej#BYEXhnPk!}}HHzz=b)0bGtvyuwLP>c@
zL%aXni;rnDNHA$pd3e(+9fRB}<cZmjR!1Yvo9;};y(mdI_#A1k9Gnpu^Jp4(baR@T
zKj`IiQb%O!LJ8}ICq}U==1nK86K%9jSX)0Lm91s5de?Tcc@cUhi9kNP-xTH&)v3o;
zf3w~>%ZzgyJwtIt1v!H})(=7PqBFuijp;<(B#<f|N7nSN!1gD>oEgkg37sjWe)r?Y
z_-<bB>!vKu+YbFXtOv$FQi+D^FMO>Ua>n#v-3(u;>Yb_GuE!^DO4VJG61j(j)jY!Z
zpqplK<<WlK;~OFkQ}mG&RLY{rwbhge#gjDXknAmd%z24U&;Yh@zg&&elRgNc%LV#J
zYra)G&GHSB!7Vq89R(Ur7ak-mvLc-cJ@blUqPS&gUk*?U6MGt-BDfw`?DR{nf0-h!
z`wlAV#*AdG0S8k(+9%y-ljoUK?vcnR6Nue6Z^!#9rtc8OSKg51RdY#mrBKoGxjXPB
zUTl$S)exByO-|D%$;Y0WZSa}ofkN1Km!(FsuuR%T7h8K)YeIw}e`g+-Cu@aj5hJ6$
z?XBMs@f_P81<fx%CV`@9$A7iY6a}w7$#J?L!#Gpumz4Kvg<K1}BF`EHa4x&^;)Hp9
z)0ga0ETIbugmz~|^+FMonK(<9+YOEtsCh;bdlb9}F3v*Q8zHZR(WjMw0^-QNt|Xzz
z@RR88KSTaLiHbE`xRlvoB^mjrl61~Nyl!wp0TB5kE=%$sh$P_1D}&SDC0R;#p&@y|
zc2Sbcjn8R!R|CTN@cBpPIH$fZjN6nh46h2o)=7)Dy@zzWX)m&}1dHC%PkmTtCSBh6
zB4aHs(!}dyW*kv{UoUC`toBKlRu-KbZ<FI0%R$TSm`U%7=UlvjPf=!N^=Ls`1BE<y
zXlrCwEnVH)zkRuf!AO@+mI%6Q2>nFzK0l&(iO){gJ@Q4XS5p8QMc<88Cc#B~jg6RS
zAzWP<ZR3f0H0uvfJJV3SvEY3<K|=c?&CsrnSC9FqMeOAO&X+gx8J3bH`JzA07dac%
zs^00Dijtl?+O<oB&^rIj1X3twv|Q$Oj;Y>~@zk&u(PZOO;2O3WpLaTApQ+B7`AgKA
z-n(Sm!|d$*NsfY)InD|rrGAoVm?6<SCKN7HwC{v)fs_*EAzn8)H311wue?ma?^9Np
zEj{UN5NvSry)rocoq*xgy1NH~QFiJNB=yF@SlM~=)^-n)PfG~q@q&>HzB0XJXIFVD
z5?!EL<XtnNY+){8Hf@(6Y!*f-CfZzsV2;9HM7LM2Sl90@$mp0M!GNCAgjt6`@w_O&
zOC6$c@rA&MGj8G(x`9!Kd8GMdhUT3ag0rRF{yn{eMXl`;@$wAm7x`xU7Ayru143(^
zrvo*gJa8GwB!#n48f;70Lz@_^O~H25iqCsFUH5Ja79hO*nDa?3Q*C2zN-ufS=xDZE
zXivWG?INVH^mh3!wG>0VGCV=SjC9`gs%N}UxVyu%+ib}uowuy+C0lgtp*O!jl%o^4
zdr|14&;BUuMTSRc&B&_~c!JmsP>|f{9Bz(lzg@9gz3+@VBOd#c$2_WpV9}_mU+2kt
z8f+30zL%5ORKXt(@a{0#kTeJ;Dofb(l;XxNHkFtF39=PNx~2_6QQ<ZB{xU(oE97mE
z3zv#Ftmfjc)ZEf#8~jm@a^2vB21j)IBO(b5@$bPY7au@`4^Fg5a^K>SUKB+x6xI-w
zkoUxFPEVDEBxMVd;76_=KC>7e*Pla;J>5lEv{zjrv3-h`ovWlIq7&b7GX-2LUq%TK
zZInm7hUiK&5S9kyGOXWDRPly6u@6S{%7mCpg}jlA4<PEcqhCXGr3FBI*ziZhe@uwE
zDgYv!Xm)V2K9p3jRr_@kD|gqR%9Cp3!PweB+v-hpjfQ42=^BPKZKBH65REfK<o09i
zwD8du?b=66E#16}h@Pnll|Wc_u(1Anuz{k(^{=@M>#vOV!7|$Z&y2#uQUMTWN3lS#
zD-3-9zfss?r4>%J{}S;p>DuAa0YvpKN8#KE7*Q2?d#FJ+es-Tfa0>S$!(iHkOfpT{
z`dY#^hQ<SIgn^m|_dW#QzoB~r>Bvybu!Cnh<jpb=#wjd}YlvaMiB(^QafR6NzlZ^0
zL;#5I#;`znuqz#~uP*qtE)j|eAoAb;BO=VI7g7Hp76Bs$HXM$uZTvYR+ke!8zpsT6
zR$DZeHD*3|h^NB!h^`XcF+hn=Q(tlTokcu<oYO)kP~YSY=f{FEjNyA+S_(`KGxLdj
zDcO=THXl3$mcQ#rx6*wzb`}UTvj|u%5)#_;*{i9!#papU=Zoy(=BF}bDmwckpj`0)
zEzXh(8SC@=N$wX)E0ef<JI^Lh>Rxht%AY2)ae39r7DrGy<y(B75`-W%DGN%y{nh?+
zeSrRvva0q@26VYuPHr>>6qlp;i+1Nh*();>CO-xXxk`mmP%RT}c4l27j@*{t_MS^U
zhnMNhPQF`jwvqGx1*J#n`TRmC;pe-CuMOAh*%l(qALGT|FIdI6CpubUjX|+=PSqBW
zW$`p#2+B2$HQK5}C#}QQ>pkkT{HVG2n|-jC>spZ@PP$Wz<2TftuO;40E^O<MM7_z~
zC1PlAvK2iw30C{;LEf`Tea=T=f26(Om^Cm)Ck&*m6_&RDHo{69+>aNRY5U8M$LUG$
zfH@)be`gllk8mT%j$?ry!%P6|s|#)fwUu@NQGNc8h$P_93z@%-5D8cdaCpW}Fy`(X
zIo|t(mS}gZZX7O8{U|SUy75>ri<%y3&Y|O|TTS{dkJjyjpYta5jdFYv+jQOhM%8bz
z+jBTQkgbpI8qxWNgFi(_F~)fKMV=!OKBsh$Hy^U;r99URD|ymlL1ttio76}!_PMV>
zqu*5!JM0`fRf3+Qv=7pfvMT)`0p|Ug8)mf*aY?!(7fWPwV=cRIxB+yG`r|at;C@3(
zJ-qE;iwKP1-@Q$H`lhEa1nDrW)GMv{WyZFz;WEqDw-D>Nn2gZv;zmC3n-q`tCAWHh
z&jk%*p-hrhp=vVE-?w_|@%mcOZrO9nKi%6Upz9Cu!ROiSvV1<_bGy0*k@~16Bn?}A
zhstYr>?jIZKA1U08m|XPVc-N7r~#%lu&*xo?Yabt1+Qg+OTmBF@;f#cE>&XKT#$AC
z<{yGb!nwqb2i7rk&DKj&quz14z&AErV%9==)01VKrkXjr#1JIpWL7ac&Kxc-C#;yj
zlyV>5LWgAbZ{0L>NO@RJE+s%|u+h%&eq|+cmsFpz6hC5Ty6%%Xi3bsr^oOLKrxX?s
znA00i83fNLZX2IcXsJ>b`zJhuaao3ahJB44JK%Qwb;;$o9aV{8b}aap9TQ;Yi3AWE
zNx|23mQFb0-$(dA5Mg$_(n1RWM0jT*N{J2XQWY3^$S|lR=2DRCJXg;8sj=u6M1*H9
z9^F~ojRa?<1C6*OyAX7Pm7R^T;b1e2P&fX`sPYmy!{}QpAguEO@HIrC*zlxPToU~&
zX$7#P>B5L+U8%b&SXc!B;t?alb)BUPPPFS1@h_sfaOnV||LZI(FvKc&XF=ZRccTa(
zCO<+aKfzr%(;JDDH)}}`ZED;alcw6a*(?jn6EOTh|GF2=LYOs8>Io1A0TaS?#Bkum
z$}hvXLM-NA#DFkX0K`EU;x(NG7eM4!{39aF-&Z;d91-4G%9eHPG?{UD)>e{sTG`tf
zkeaQLbjIqQR@HbC?l}=;FV4N`m&+#nMz}#F_@M5Uh==GcjwcC;8;3@*PG8<fFNitr
zy37{z%+5$vC~F53eJ+^7bm^agGJYC02xvLGUF#M_=FQD*&D(AkkY<xo<1fXmDI4lx
zk8z{EbY)JgDIu)LoHToG&Pa9ei<gFK$F~t#roqhK;tJnrnQgO)P6BaCLH;)VIQlzg
zNC{k@I<(r0@wPT_baVx(F8nU!O4aOoQz^#H9JL%UvASn<^})oJ$dL|qrwc*Sa$7ce
zyg}V7!p&?B@;H4YENOGg;7EJ*X7}tsl*iQ_ats_*KmGY*O}KhmKJ^G%=Ksvp1XsVu
zOJDu;%5Q5ZT9VzkCF?@@EHIm1k44L0?|W>uO;G6>YB}Q5uQVNLc$202x-oUEq&X!O
zrZ1FFX!krfp0y_)v+X>E=z}*<GGwt{SM;I+X`8>+2rJ!iKb~Hu?JqyZq$ibO!Hn?Y
zio^dl!X0LW>pDvhfT;fYkBB7T7gsvVr4c|GWh)X&A%up5jSXR@w}cb?`E;PS(P>uD
z$()Ol`0e{r^EsfO(+WLhDQ)@EDhwN>zS&dXlP>VF4DxUM{E%!c=^NIZtyHd6=kbOm
z-Adi27XxYC%IXPS%4cTzZ?^~96b{Q6$6gr-QXVqW@;Dv!tA*z9YBnp6q)L4b9|ngZ
zMfmZYNb+o{IZNBN4d1buIX)6`7qBFzdz)CJ@eP9b!xDZPe@Kzoh>AaD%S~Gm&@k<H
zs|X>S3<(<wWxlD0jE}(9%&z-7LQjic_hd8}o4O$F6n+|~pfE_L=e1L&+Uo}P4$jcL
ztVL8Rf8L#Pp~O_5sGrn#7)56|Ui(T2>kfCz;bVrDyWPV>WbU+u_Ws3k=it~rAcbZu
z2-kHMJa{ehUJCxZmdmhQxE_?kI?KB&odqs9oQol6LHBSr7lMY(W*%D(Zp%|TQie}-
z@5E0~P1iT}(s~XsTo96c5uI*Qr)OC41Zu#!;HT6%gJ1WG+*11l_L)Q&ciV07L~VGH
zWg*YxB)M!*=(62_65#J~!6u)O*8c57GpDzb%f6m*{SR*G$y~p4J%9^$$93n@N-x}w
z$Cq4w+wnmu%#NY|vg6+6xfEG}2>O8ng71I#U6l2eJ^)ck;*W?hJ0i_p_T4<#KXc@+
zz&Z;`X|l)}HE7~y+;~|QQ`KzJ>m&8M)?Y15V?;5}jJ)NJvL&&XDE0clj|&J%wiFkV
zJRW*JOM6+z8m*W9O9Z))OyFZR!gAT5h}RI&%dMJS+3Bj}n(P|&+MO^~%}+z0V`;n7
zYWHJ#iP|<vX33IoWc7S`rc`_!Q?FY*gcIn{fqr!JX+hWgG?tn>8<ZA}g%G^tGA8BB
zocr9n7&#+2V}f!u-05Ms^d~6K2x^YopskW@$nEn~w(sPPI+>nLR?j~^j&Pqt0X;z+
z!*u!%J0<l=$po9|8j<``pP>d9dl1c4;Go-KKG$rwUYiYfc7SvdVUdtOuW@sURDmpf
zy4XAnPW!O)iaEY0-<OeD&GMa8(i_(`gMwn^eIadXHeD|E3H16^q24_XY3WW+1CSbW
zxGs5^U(8;Uizof9kybUmqqc=t;PDN<E+^8U;P;~53ZyxhJaJyPYW?%0b+dL*eC1!K
zbot7VmitQVY@H@7o9(tKW>!(%B(Qb(@RHNk)i?5+PDfA89OJJFc}lhQ60OEW>fOi~
z!I@$E7q^?@Z^chM9sTe*U$a|j<RtTbr~8XB;yDAfXWDb`Ywq*v9Ns-%OV2e;aKfr(
z5ZZJ$4j|^SBEV1$)Et(0&b+RwNXaTY&%e={;9x#pNcB$E1S0-Od5ZQu%`An8qYzF=
z!z0*Lt-o6KOAH<Aq<)XKgLVcgSLO!}H&$V_dp~5}^eMBw1x?uJmyrh$I+_bfe+*W{
zc+PZ$U&h!Tu#R78_Xq(6D?{~LhAI?W0tY-4RJF3;o-%D*WfU45EHSP1E}YKP&=CcM
zHZbveH{ik4i4xz5HfJ!IC4zpy@RozkPaZb?4rX#DgO~AVDYOJtWD2J<G)K|zXr2Xf
zee(htkE<R(S0Nf-`<_rVUSES%s2?q;#Qjrpu<^w=DY<Uhqvx6N%{xdcEFwzjuGtV#
z&DdRz^i_6$JRB3=HRba#U3>%7Hy{D+gPl3g#x3ox^}E(&bSvEb&$y%eunj!R`#LE`
zRjb;p2C?rnA7&-=(2X0i>fcfnt-H&VsldHDSVky6olm(FEv*-(X&0`^dqAh=OCsA_
zfE&ans!Ja4V0_QQQ99>6#OvqC;)M$L+IV)V`e`_Z!>_lJiEmH8k4m0r(be1<v8Ugw
zR8scNv3Ub|FIALbXhcgeN2VCUMq_D@XY*_8W2fd^gJ8()UMTWwJJo<bmKmmo3ajUO
z)47VbR=u{v9o_H#D9#YwwplX{yJbI8W}%R}&eNJgdf)qPFLz(0>U2avh7#sL0)Gj*
zW9P4GyC_7vF<-y8Dcb7f>LyOcBXx1r0v;$2C%<8{d}IC)KcFhqdEU508j7?evd1E5
zLCo7!-NcWUw;#Y2SE}^EUT0slTkzGRi(X$uUZmG+Pu{tg#T?1tGs)73*h`WHe_YI+
zMy<%J3xwKVxZp4)SDhOqKLs;u>)X4r=qkmqirZ{pd7y;67!-MTKSYu|(K@G|(U!<D
zqKV%BhPej|xH*Hzoy5ZJZ6lkz{thS3h{6~SW%!NLX#*WXErHR7i}Pis)VT)`6%5?_
zalA<w)LM)^0fGzLBdC_QyIE+KQdO8Zst~X~VY$Sr*U`}{@;zG<DV%OK)qHz_O-wH{
zDO#yQC5_m2_LkB7+3Ij&(eo42GO@hgRJ8fcj3?Vfry2Q+xF@E=n~}^#bLIQo9>RL<
z<N6))lc5*3XUj89uZP;0(?^0!s-5O@<>fN>Uzv7bYhdQ~ig?qds(lRkOwc-LIT4h$
zfbdbyX>kI*?-d#!XI1H~0oM8F7z5{GHuv(ZQfY3+2@q*X299jf4`BaPub*QWwnHam
zKNPkiwAFVpvMLUGNc!T?#zd|>S}nk;qHn>){AD*zF3Ywmp~`7%VKk0)U(ydtU&67q
z&D^+9pF6@&8=dI|<9uXQ-ktqm>hTGPYD#5&m%iu7%-F^lYiH7o&1R!cvhFxv_L}%0
zsfBmc=9x)nsQ51|D`ZB$cl@bKZG~LPbCsh*w#z>swz6ijG1k#V*AuriwC!EwG@rfh
zqh#}zF!K%I*=EdbayhpO#^L2T*G96fv{J_XGA8uMO!61chG4yL{5<6-E6Be^YyQm=
z<6$k5ki$8yrwt7+4I17Oy8Y5!Ly4D?KT_X0*}RqeQkXw%ryx6>GO$wkeOons`#eK5
z$jXznG_K2%#PgXm-Nf*Y4WYbX8+z@`g{II~(uE=6kyr}P<%YXGa)xe0#h?VeGvxtw
zlE4AmmH04(*W!n{GRvN5T_1{*=GAP@^<#w+6(%`skvh$P#wj!U9gltuvx<F;d_Tu1
ztM;gFa@P8BRN!%9>HW+{gDoElc)l$;uB<<l9vE^RFkFGCX}n)aO^lYG6c3+P+SRn+
zO7)M*9=AVxP&g}3zS>QogOJJS@7`C<s8M8pYiF{J!1CB#a3~U0?pq|)p>U2X3#p(`
zE9VaGS@2AiwSCdf29C{_cfJB>7p4cK(wjjdBD|*9`VCNz1Fm?pn?)S0(tUI-M{~G>
z3ewsniBmg^rkz5`S*N9Z-7Dn&(Kq6>j0UKtD(O?D#2yfgOC&{cReb(j*_vUz!gqiC
z!!J&}{C)*+&nnX~E)N0mG*$@(F$G@KPykZFSeSz@!X}YTD;rWivVq0^33#!yTR~i@
zFPQ5_T2%7Bna~RQS}98ZcF{yOb@G{JYYAop)kwlz3;0Eg#VK_9g<C=;+Hgy@5}t|A
z92Dz##6gFtTZ7g)ZgvaHovLhc>rmYPHfBD1y{9kcs8r(j!w7mM5D2x{(>2I|Pd9P2
zI{o7PZAbMH>rZ^qiSql$7A=kAvmsh9W@5xf!dIg>8#zO%&*Hq+pQr~Yv(b#+Z!KW_
z#dYTG#g~@OYw^|WB(4yPM*p?7ANmV#Hk#d^oQEH6tZOq1K8Z<4&-EIQu;P><#Rslb
zh0vmpGAyi1K%@;t<7gK>fWZo(^4d?D@Zm$^yUQ`?uOTtih3k=tFAieK|K@yP49Y_Q
z5TiO#uDL?4^utHBqf5l!quL`A_^5_^_2!T#c8RFog>uc^7)k(-@#!Vvl^9KZNnkPl
zeK&?9iV*@I%DGasZqZ_}#;g?byy1*+vOlRNrnNy`ufA6_=4i=KV{UOHATONvt*kbS
x2#)UQ!y5pxXjmA$uu&1%R~P&*H4GH+D-jj)Wf*@EGX<W!5BoP?^fD0W{{VO9zS;l)

literal 0
HcmV?d00001

diff --git a/test/suite-decryption.sh b/test/suite-decryption.sh
index 0d5ba25043..2d7aff666d 100755
--- a/test/suite-decryption.sh
+++ b/test/suite-decryption.sh
@@ -245,6 +245,22 @@ decryption_step_ssl_master_secret() {
 	test_step_ok
 }
 
+# TLS 1.2 with renegotiation
+decryption_step_ssl_renegotiation() {
+	TEST_KEYS_FILE="$TESTS_DIR/keys/rsasnakeoil2.key"
+	if [ "$WS_SYSTEM" == "Windows" ] ; then
+		TEST_KEYS_FILE="`cygpath -w $TEST_KEYS_FILE`"
+	fi
+	output=$($TESTS_DIR/run_and_catch_crashes env $TS_DC_ENV $TSHARK $TS_DC_ARGS -Tfields -e http.content_length \
+		-o ssl.keys_list:"0.0.0.0,4433,http,$TEST_KEYS_FILE" \
+		-r "$CAPTURE_DIR/tls-renegotiation.pcap" -Y http)
+	if [[ "$output" != 0*2151* ]]; then
+		test_step_failed "Failed to decrypt SSL with renegotiation"
+		return
+	fi
+	test_step_ok
+}
+
 # ZigBee
 # https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7022
 decryption_step_zigbee() {
@@ -492,6 +508,7 @@ tshark_decryption_suite() {
 	test_step_add "SSL Decryption (RSA private key with p smaller than q)" decryption_step_ssl_rsa_pq
 	test_step_add "SSL Decryption (private key with password)" decryption_step_ssl_with_password
 	test_step_add "SSL Decryption (master secret)" decryption_step_ssl_master_secret
+	test_step_add "SSL Decryption (renegotiation)" decryption_step_ssl_renegotiation
 	test_step_add "ZigBee Decryption" decryption_step_zigbee
 	test_step_add "ANSI C12.22 Decryption" decryption_step_c1222
 	test_step_add "DVB-CI Decryption" decryption_step_dvb_ci