DTLS: add support for use_srtp extension (RFC 5764)
Decryption support will be added later. Tested with dtls-srtp-ws-sip.pcapng from the linked bug. Change-Id: Ida1a2da754ef9aef16ad15ff64455b6f8e703ffd Ping-Bug: 13193 Reviewed-on: https://code.wireshark.org/review/18996 Petri-Dish: Peter Wu <peter@lekensteyn.nl> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Peter Wu <peter@lekensteyn.nl> Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
parent
f96e9d067b
commit
89bc07c5d5
|
@ -78,6 +78,17 @@ static proto_tree *top_tree;
|
|||
*
|
||||
*********************************************************************/
|
||||
|
||||
/* https://www.iana.org/assignments/srtp-protection/srtp-protection.xhtml */
|
||||
static const value_string srtp_protection_profile_vals[] = {
|
||||
{ 0x0001, "SRTP_AES128_CM_HMAC_SHA1_80" }, /* RFC 5764 */
|
||||
{ 0x0002, "SRTP_AES128_CM_HMAC_SHA1_32" },
|
||||
{ 0x0005, "SRTP_NULL_HMAC_SHA1_80" },
|
||||
{ 0x0006, "SRTP_NULL_HMAC_SHA1_32" },
|
||||
{ 0x0007, "SRTP_AEAD_AES_128_GCM" }, /* RFC 7714 */
|
||||
{ 0x0008, "SRTP_AEAD_AES_256_GCM" },
|
||||
{ 0x00, NULL },
|
||||
};
|
||||
|
||||
/* Initialize the protocol and registered fields */
|
||||
static gint dtls_tap = -1;
|
||||
static gint exported_pdu_tap = -1;
|
||||
|
@ -116,6 +127,11 @@ static gint hf_dtls_fragment_count = -1;
|
|||
static gint hf_dtls_reassembled_in = -1;
|
||||
static gint hf_dtls_reassembled_length = -1;
|
||||
|
||||
static gint hf_dtls_hs_ext_use_srtp_protection_profiles_length = -1;
|
||||
static gint hf_dtls_hs_ext_use_srtp_protection_profile = -1;
|
||||
static gint hf_dtls_hs_ext_use_srtp_mki_length = -1;
|
||||
static gint hf_dtls_hs_ext_use_srtp_mki = -1;
|
||||
|
||||
/* header fields used in ssl-utils, but defined here. */
|
||||
static dtls_hfs_t dtls_hfs = { -1, -1 };
|
||||
|
||||
|
@ -1298,7 +1314,7 @@ dissect_dtls_handshake(tvbuff_t *tvb, packet_info *pinfo,
|
|||
|
||||
case SSL_HND_HELLO_RETRY_REQUEST:
|
||||
ssl_dissect_hnd_hello_retry_request(&dissect_dtls_hf, sub_tvb, pinfo, ssl_hand_tree,
|
||||
0, length, session, ssl);
|
||||
0, length, session, ssl, TRUE);
|
||||
break;
|
||||
|
||||
case SSL_HND_CERTIFICATE:
|
||||
|
@ -1478,6 +1494,59 @@ dissect_dtls_hnd_hello_verify_request(tvbuff_t *tvb, proto_tree *tree,
|
|||
return offset;
|
||||
}
|
||||
|
||||
gint
|
||||
dtls_dissect_hnd_hello_ext_use_srtp(tvbuff_t *tvb, proto_tree *tree,
|
||||
guint32 offset, guint32 ext_len)
|
||||
{
|
||||
/* From https://tools.ietf.org/html/rfc5764#section-4.1.1
|
||||
*
|
||||
* uint8 SRTPProtectionProfile[2];
|
||||
*
|
||||
* struct {
|
||||
* SRTPProtectionProfiles SRTPProtectionProfiles;
|
||||
* opaque srtp_mki<0..255>;
|
||||
* } UseSRTPData;
|
||||
*
|
||||
* SRTPProtectionProfile SRTPProtectionProfiles<2..2^16-1>;
|
||||
*/
|
||||
|
||||
guint32 profiles_length, profiles_end, mki_length;
|
||||
|
||||
if (ext_len < 2) {
|
||||
/* XXX expert info, record too small */
|
||||
return offset + ext_len;
|
||||
}
|
||||
|
||||
/* SRTPProtectionProfiles list length */
|
||||
proto_tree_add_item_ret_uint(tree, hf_dtls_hs_ext_use_srtp_protection_profiles_length,
|
||||
tvb, offset, 2, ENC_BIG_ENDIAN, &profiles_length);
|
||||
if (profiles_length > ext_len - 2) {
|
||||
/* XXX expert info because length exceeds extension_data field */
|
||||
profiles_length = ext_len - 2;
|
||||
}
|
||||
offset += 2;
|
||||
|
||||
/* SRTPProtectionProfiles list items */
|
||||
profiles_end = offset + profiles_length;
|
||||
while (offset < profiles_end) {
|
||||
proto_tree_add_item(tree, hf_dtls_hs_ext_use_srtp_protection_profile,
|
||||
tvb, offset, 2, ENC_BIG_ENDIAN);
|
||||
offset += 2;
|
||||
}
|
||||
|
||||
/* MKI */
|
||||
proto_tree_add_item_ret_uint(tree, hf_dtls_hs_ext_use_srtp_mki_length,
|
||||
tvb, offset, 1, ENC_NA, &mki_length);
|
||||
offset++;
|
||||
if (mki_length > 0) {
|
||||
proto_tree_add_item(tree, hf_dtls_hs_ext_use_srtp_mki,
|
||||
tvb, offset, mki_length, ENC_NA);
|
||||
offset += mki_length;
|
||||
}
|
||||
|
||||
return offset;
|
||||
}
|
||||
|
||||
/*********************************************************************
|
||||
*
|
||||
* Support Functions
|
||||
|
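Review bot: The MKI part of dtls_dissect_hnd_hello_ext_use_srtp is not bounded by ext_len the way the profile list is: after profiles_length is clamped to `ext_len - 2`, the one-byte `srtp_mki` length is read and then `mki_length` bytes (up to 255) are added without checking that they lie inside extension_data, so a malformed extension makes the function return an offset past `offset + ext_len` and, presumably, desynchronises the caller's parsing of the following extensions (tvb accessors still bound the read to the packet, so this is a mis-dissection, not a memory-safety problem). Introduce a `guint32 remaining` next to the other locals and clamp as below, with the same "XXX expert info" placeholders the rest of the function uses. Separately, an odd `profiles_length` makes the last iteration of the `while (offset < profiles_end)` loop add a 2-byte item straddling `profiles_end` and leaves offset one byte past it; a parity check on `profiles_length` (again with an expert-info placeholder) would catch that.
```c
  /* … unchanged: profiles_length read, clamp to ext_len - 2, offset += 2, profile list loop … */

  /* MKI: the length byte and the MKI itself must lie inside extension_data */
  remaining = ext_len - 2 - profiles_length;
  if (remaining < 1) {
    /* XXX expert info: srtp_mki length byte missing */
    return offset;
  }
  proto_tree_add_item_ret_uint(tree, hf_dtls_hs_ext_use_srtp_mki_length,
                               tvb, offset, 1, ENC_NA, &mki_length);
  offset++;
  if (mki_length > remaining - 1) {
    /* XXX expert info: srtp_mki length exceeds extension_data */
    mki_length = remaining - 1;
  }
  /* … unchanged: MKI item (if mki_length > 0) and return offset … */
```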
@ -1754,6 +1823,22 @@ proto_register_dtls(void)
|
|||
{ "Reassembled DTLS length", "dtls.reassembled.length",
|
||||
FT_UINT32, BASE_DEC, NULL, 0x00, NULL, HFILL }
|
||||
},
|
||||
{ &hf_dtls_hs_ext_use_srtp_protection_profiles_length,
|
||||
{ "SRTP Protection Profiles Length", "dtls.use_srtp.protection_profiles_length",
|
||||
FT_UINT16, BASE_DEC, NULL, 0x00, NULL, HFILL }
|
||||
},
|
||||
{ &hf_dtls_hs_ext_use_srtp_protection_profile,
|
||||
{ "SRTP Protection Profile", "dtls.use_srtp.protection_profile",
|
||||
FT_UINT16, BASE_HEX, VALS(srtp_protection_profile_vals), 0x00, NULL, HFILL }
|
||||
},
|
||||
{ &hf_dtls_hs_ext_use_srtp_mki_length,
|
||||
{ "MKI Length", "dtls.use_srtp.mki_length",
|
||||
FT_UINT8, BASE_DEC, NULL, 0x00, NULL, HFILL }
|
||||
},
|
||||
{ &hf_dtls_hs_ext_use_srtp_mki,
|
||||
{ "MKI", "dtls.use_srtp.mki",
|
||||
FT_BYTES, BASE_NONE, NULL, 0x00, NULL, HFILL }
|
||||
},
|
||||
SSL_COMMON_HF_LIST(dissect_dtls_hf, "dtls")
|
||||
};
|
||||
|
||||
|
|
|
@ -29,4 +29,11 @@
|
|||
WS_DLL_PUBLIC void dtls_dissector_add(guint port, dissector_handle_t handle);
|
||||
WS_DLL_PUBLIC void dtls_dissector_delete(guint port, dissector_handle_t handle);
|
||||
|
||||
|
||||
/* Shared with packet-ssl-utils.c */
|
||||
|
||||
gint
|
||||
dtls_dissect_hnd_hello_ext_use_srtp(tvbuff_t *tvb, proto_tree *tree,
|
||||
guint32 offset, guint32 ext_len);
|
||||
|
||||
#endif /* __PACKET_DTLS_H__ */
|
||||
|
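Review bot: The newly exported declaration of dtls_dissect_hnd_hello_ext_use_srtp carries no contract beyond the "Shared with packet-ssl-utils.c" remark, although it is now called from another file with raw offset/length values. A short Doxygen comment on the declaration would make the expected arguments and the return value explicit: `/** Dissects the RFC 5764 use_srtp extension_data found at tvb[offset..offset+ext_len).` followed by ` *  Adds the protection-profile list and MKI items to tree and returns the offset after the bytes consumed. */`. Stating that ext_len is the length of extension_data (not of the whole extension) avoids the most likely caller mistake.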
|
|
@ -53,6 +53,7 @@
|
|||
#include "packet-x509if.h"
|
||||
#include "packet-ssl-utils.h"
|
||||
#include "packet-ssl.h"
|
||||
#include "packet-dtls.h"
|
||||
#if defined(HAVE_LIBGNUTLS) && defined(HAVE_LIBGCRYPT)
|
||||
#include <gnutls/abstract.h>
|
||||
#endif
|
||||
|
@ -6128,7 +6129,8 @@ ssl_try_set_version(SslSession *session, SslDecryptSession *ssl,
|
|||
static gint
|
||||
ssl_dissect_hnd_hello_ext(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree,
|
||||
packet_info* pinfo, guint32 offset, guint32 left, guint8 hnd_type,
|
||||
SslSession *session, SslDecryptSession *ssl);
|
||||
SslSession *session, SslDecryptSession *ssl,
|
||||
gboolean is_dtls);
|
||||
void
|
||||
ssl_dissect_hnd_cli_hello(ssl_common_dissect_t *hf, tvbuff_t *tvb,
|
||||
packet_info *pinfo, proto_tree *tree, guint32 offset,
|
||||
|
@ -6243,7 +6245,7 @@ ssl_dissect_hnd_cli_hello(ssl_common_dissect_t *hf, tvbuff_t *tvb,
|
|||
if (length > offset - start_offset) {
|
||||
ssl_dissect_hnd_hello_ext(hf, tvb, tree, pinfo, offset,
|
||||
length - (offset - start_offset), SSL_HND_CLIENT_HELLO,
|
||||
session, ssl);
|
||||
session, ssl, dtls_hfs != NULL);
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -6327,7 +6329,7 @@ ssl_dissect_hnd_srv_hello(ssl_common_dissect_t *hf, tvbuff_t *tvb,
|
|||
if (length > offset - start_offset) {
|
||||
ssl_dissect_hnd_hello_ext(hf, tvb, tree, pinfo, offset,
|
||||
length - (offset - start_offset), SSL_HND_SERVER_HELLO,
|
||||
session, ssl);
|
||||
session, ssl, is_dtls);
|
||||
}
|
||||
}
|
||||
/* Client Hello and Server Hello dissections. }}} */
|
||||
|
@ -6384,7 +6386,8 @@ ssl_dissect_hnd_new_ses_ticket(ssl_common_dissect_t *hf, tvbuff_t *tvb,
|
|||
void
|
||||
ssl_dissect_hnd_hello_retry_request(ssl_common_dissect_t *hf, tvbuff_t *tvb,
|
||||
packet_info* pinfo, proto_tree *tree, guint32 offset, guint32 length,
|
||||
SslSession *session, SslDecryptSession *ssl)
|
||||
SslSession *session, SslDecryptSession *ssl,
|
||||
gboolean is_dtls)
|
||||
{
|
||||
/* struct {
|
||||
* ProtocolVersion server_version;
|
||||
|
@ -6401,7 +6404,7 @@ ssl_dissect_hnd_hello_retry_request(ssl_common_dissect_t *hf, tvbuff_t *tvb,
|
|||
if (length > offset - start_offset) {
|
||||
ssl_dissect_hnd_hello_ext(hf, tvb, tree, pinfo, offset,
|
||||
length - (offset - start_offset), SSL_HND_HELLO_RETRY_REQUEST,
|
||||
session, ssl);
|
||||
session, ssl, is_dtls);
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -6768,7 +6771,8 @@ ssl_dissect_hnd_cert_url(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tr
|
|||
static gint
|
||||
ssl_dissect_hnd_hello_ext(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree,
|
||||
packet_info* pinfo, guint32 offset, guint32 left, guint8 hnd_type,
|
||||
SslSession *session, SslDecryptSession *ssl)
|
||||
SslSession *session, SslDecryptSession *ssl,
|
||||
gboolean is_dtls)
|
||||
{
|
||||
guint16 extension_length;
|
||||
guint16 ext_type;
|
||||
|
@ -6856,6 +6860,14 @@ ssl_dissect_hnd_hello_ext(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *t
|
|||
case SSL_HND_HELLO_EXT_SERVER_NAME:
|
||||
offset = ssl_dissect_hnd_hello_ext_server_name(hf, tvb, ext_tree, offset, ext_len);
|
||||
break;
|
||||
case SSL_HND_HELLO_EXT_USE_SRTP:
|
||||
if (is_dtls) {
|
||||
offset = dtls_dissect_hnd_hello_ext_use_srtp(tvb, ext_tree, offset, ext_len);
|
||||
} else {
|
||||
// XXX expert info: This extension MUST only be used with DTLS, and not with TLS.
|
||||
offset += ext_len;
|
||||
}
|
||||
break;
|
||||
case SSL_HND_HELLO_EXT_HEARTBEAT:
|
||||
proto_tree_add_item(ext_tree, hf->hf.hs_ext_heartbeat_mode,
|
||||
tvb, offset, 1, ENC_BIG_ENDIAN);
|
||||
|
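Review bot: The non-DTLS branch of the new SSL_HND_HELLO_EXT_USE_SRTP case uses a `//` line comment (`// XXX expert info: This extension MUST only be used with DTLS, and not with TLS.`) while every other comment this patch adds, and the neighbouring code in this function, use `/* */` block comments; for consistency write it as `/* XXX expert info: This extension MUST only be used with DTLS, and not with TLS. */`. Skipping the extension data with `offset += ext_len` in that branch is the right outcome, and the placeholder makes it easy to add the expert item later; the same TODO marker style would then match the ones in dtls_dissect_hnd_hello_ext_use_srtp. ssl_dissect_hnd_hello_ext starts and ends outside this hunk.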
|
|
@ -842,7 +842,8 @@ ssl_dissect_hnd_srv_hello(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info*
|
|||
extern void
|
||||
ssl_dissect_hnd_hello_retry_request(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info* pinfo,
|
||||
proto_tree *tree, guint32 offset, guint32 length,
|
||||
SslSession *session, SslDecryptSession *ssl);
|
||||
SslSession *session, SslDecryptSession *ssl,
|
||||
gboolean is_dtls);
|
||||
|
||||
extern void
|
||||
ssl_dissect_hnd_new_ses_ticket(ssl_common_dissect_t *hf, tvbuff_t *tvb,
|
||||
|
|
|
@ -2061,7 +2061,7 @@ dissect_ssl3_handshake(tvbuff_t *tvb, packet_info *pinfo,
|
|||
|
||||
case SSL_HND_HELLO_RETRY_REQUEST:
|
||||
ssl_dissect_hnd_hello_retry_request(&dissect_ssl3_hf, tvb, pinfo, ssl_hand_tree,
|
||||
offset, length, session, ssl);
|
||||
offset, length, session, ssl, FALSE);
|
||||
break;
|
||||
|
||||
case SSL_HND_CERTIFICATE:
|
||||
|
|