osmith
/
wireshark
forked from osmocom/wireshark
1
0
Fork 0
Code Pull Requests Releases Wiki Activity

libgcrypt: Require version 1.8.0 

Libgcrypt 1.8.x is required for a large amount of decryption
support and is the current LTS version of libgcrypt. The 1.6 and
1.7 series have been end-of-life since 2017-06-30 and 2019-06-30,
respectively.

The Linux distributions that have versions of libgcrypt before 1.8.0
are nearing or at end of support (RHEL7, SLES 12, Debian stretch,
Ubuntu 16.04LTS) and can be supported by the Wireshark 3.6 LTS release
series.

Remove an enormous amount of ifdefs based on libgcrypt versions
1.6.0, 1.7.0, and 1.8.0. There will be a second pass for the
commons defines HAVE_LIBGCRYPT_AEAD, HAVE_LIBGCRYPT_CHACHA20, and
HAVE_LIBGCRYPT_CHACHA20_POLY1305, which are now always defined.

The ISAKMP dissector has some comments noting that some workarounds
were used for libgcrypt 1.6 that aren't needed with 1.7; perhaps
that could be updated now.
This commit is contained in:
John Thacker 2022-04-20 21:08:29 -04:00
parent 9c115d0ed5
commit b80cdaa243
21 changed files with 9 additions and 654 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
CMakeLists.txt
View File

@ -1141,7 +1141,7 @@ find_package(GMODULE2)
reset_find_package(GTHREAD2)
find_package(GTHREAD2 REQUIRED)
reset_find_package(GCRYPT GCRYPT_ERROR_LIBRARY)
find_package(GCRYPT "1.5.0" REQUIRED)
find_package(GCRYPT "1.8.0" REQUIRED)
# C Asynchronous resolver
reset_find_package(CARES)
find_package(CARES "1.5.0" REQUIRED)
@ -1852,31 +1852,6 @@ endif()
feature_summary(WHAT ALL)
# Newer Libgcrypt versions may be required for certain functionality:
# 1.6
# - IEEE 802.11 TDLS, AES-GCMP-128 and AES-GCMP-256 decryption
# - IEEE 802.11 WPA3-Personal / SAE decryption
# - BT Mesh decryption
# - Distributed Object Framework (DOF) decryption
# - IKEv2 integrity check
# - LoRaWAN integrity check
# - LTE PDCP EIA2 integrity check
# - QUIC decryption support
# - SMB3 AES-128-CCM/GCM decryption
# - TLS 1.3 0-RTT decryption
# - TLS GCM/CCM ciphers integrity check
# 1.7
# - QUIC ChaCha20-Poly1305 decryption
# - TLS 1.3 ChaCha20-Poly1305 decryption
# 1.8
# - dcerpc-netlogon NETLOGON_FLAG_AES decryption
# - WireGuard decryption
if(GCRYPT_VERSION VERSION_LESS 1.6.0)
message(WARNING "Libgcrypt version 1.6.0 or newer is strongly recommended for improved decryption support, found ${GCRYPT_VERSION}")
elseif(GCRYPT_VERSION VERSION_LESS 1.8.0)
message(WARNING "Libgcrypt version 1.8.0 or newer is recommended for full decryption functionality, found ${GCRYPT_VERSION}")
endif()
# Should this be part of libui?
if(WIN32)
set(PLATFORM_UI_SRC

14
epan/crypt/CMakeLists.txt
View File

@ -28,16 +28,10 @@ set(CRYPT_FILES
${CUSTOM_CRYPT_SRC}
)
if (GCRYPT_VERSION VERSION_LESS 1.6.0)
list(APPEND CRYPT_FILES
dot11decrypt_ccmp_compat.c
)
else()
list(APPEND CRYPT_FILES
dot11decrypt_ccmp.c
dot11decrypt_gcmp.c
)
endif()
list(APPEND CRYPT_FILES
dot11decrypt_ccmp.c
dot11decrypt_gcmp.c
)
source_group(crypt FILES ${CRYPT_FILES})

38
epan/crypt/dot11decrypt.c
View File

@ -200,13 +200,11 @@ static INT Dot11DecryptRsnaMicCheck(
int akm)
;
#if GCRYPT_VERSION_NUMBER >= 0x010600
static gint
Dot11DecryptFtMicCheck(
const PDOT11DECRYPT_ASSOC_PARSED assoc_parsed,
const guint8 *kck,
size_t kck_len);
#endif
static PDOT11DECRYPT_SEC_ASSOCIATION
Dot11DecryptGetSa(
@ -1814,7 +1812,6 @@ Dot11DecryptRsna4WHandshake(
}
/* Refer to IEEE 802.11-2016 Chapeter 13.8 FT authentication sequence */
#if GCRYPT_VERSION_NUMBER >= 0x010600
gint
Dot11DecryptScanFtAssocForKeys(
const PDOT11DECRYPT_CONTEXT ctx,
@ -1974,18 +1971,6 @@ Dot11DecryptScanFtAssocForKeys(
Dot11DecryptCopyKey(sa, used_key);
return DOT11DECRYPT_RET_SUCCESS_HANDSHAKE;
}
#else
gint
Dot11DecryptScanFtAssocForKeys(
const PDOT11DECRYPT_CONTEXT ctx _U_,
const PDOT11DECRYPT_ASSOC_PARSED assoc_parsed _U_,
guint8 *decrypted_gtk _U_, size_t *decrypted_len _U_,
DOT11DECRYPT_KEY_ITEM* used_item _U_)
{
ws_info("Skipped Dot11DecryptScanFtAssocForKeys, libgcrypt >= 1.6");
return DOT11DECRYPT_RET_UNSUCCESS;
}
#endif
/* From IEEE 802.11-2016 Table 12-8 Integrity and key-wrap algorithms */
static int
@ -1998,7 +1983,6 @@ Dot11DecryptGetIntegrityAlgoFromAkm(int akm, int *algo, gboolean *hmac)
*algo = GCRY_MD_SHA1;
*hmac = TRUE;
break;
#if GCRYPT_VERSION_NUMBER >= 0x010600
case 3:
case 4:
case 5:
@ -2010,7 +1994,6 @@ Dot11DecryptGetIntegrityAlgoFromAkm(int akm, int *algo, gboolean *hmac)
*algo = GCRY_MAC_CMAC_AES;
*hmac = FALSE;
break;
#endif
case 11:
case 18:
*algo = GCRY_MD_SHA256;
@ -2105,7 +2088,6 @@ Dot11DecryptRsnaMicCheck(
* FTE, with the MIC field of the FTE set to 0
* Contents of the RIC-Response (if present)
*/
#if GCRYPT_VERSION_NUMBER >= 0x010600
static gint
Dot11DecryptFtMicCheck(
const PDOT11DECRYPT_ASSOC_PARSED assoc_parsed,
@ -2182,7 +2164,6 @@ Dot11DecryptFtMicCheck(
gcry_mac_close(handle);
return DOT11DECRYPT_RET_SUCCESS;
}
#endif
static INT
Dot11DecryptValidateKey(
@ -2986,36 +2967,22 @@ static INT
Dot11DecryptTDLSDeriveKey(
PDOT11DECRYPT_SEC_ASSOCIATION sa,
const guint8 *data,
#if GCRYPT_VERSION_NUMBER >= 0x010600
guint offset_rsne,
#else
guint offset_rsne _U_,
#endif
guint offset_fte,
#if GCRYPT_VERSION_NUMBER >= 0x010600
guint offset_timeout,
#else
guint offset_timeout _U_,
#endif
guint offset_link,
#if GCRYPT_VERSION_NUMBER >= 0x010600
guint8 action)
#else
guint8 action _U_)
#endif
{
gcry_md_hd_t sha256_handle;
gcry_md_hd_t hmac_handle;
const guint8 *snonce, *anonce, *initiator, *responder, *bssid;
guint8 key_input[32];
#if GCRYPT_VERSION_NUMBER >= 0x010600
guint8 mic[16], seq_num = action + 1;
guint8 zeros[16] = { 0 };
gcry_mac_hd_t cmac_handle;
size_t cmac_len = 16;
size_t cmac_write_len;
#endif
/* Get key input */
anonce = &data[offset_fte + 20];
@ -3060,7 +3027,6 @@ Dot11DecryptTDLSDeriveKey(
gcry_md_close(hmac_handle);
/* Check MIC */
#if GCRYPT_VERSION_NUMBER >= 0x010600
if (gcry_mac_open(&cmac_handle, GCRY_MAC_CMAC_AES, 0, NULL)) {
return DOT11DECRYPT_RET_UNSUCCESS;
}
@ -3094,10 +3060,6 @@ Dot11DecryptTDLSDeriveKey(
return DOT11DECRYPT_RET_UNSUCCESS;
}
gcry_mac_close(cmac_handle);
#else
ws_info("MIC verification failed, need libgcrypt >= 1.6");
return DOT11DECRYPT_RET_UNSUCCESS;
#endif
/* TODO support other akm and ciphers? */
sa->wpa.akm = 2;
sa->wpa.cipher = 4;

262
epan/crypt/dot11decrypt_ccmp_compat.c
View File

@ -1,262 +0,0 @@
/* dot11decrypt_ccmp_compat.c
*
* Copyright (c) 2002-2005 Sam Leffler, Errno Consulting
* Copyright (c) 2006 CACE Technologies, Davis (California)
* All rights reserved.
*
* SPDX-License-Identifier: (BSD-3-Clause OR GPL-2.0-only)
*/
/*
* This file is only used for backwards compatibility with libgcrypt
* versions < 1.6.0 that don't support AEAD. When building towards later
* versions dot11decrypt_ccmp.c file is used instead
*/
/*
* Note: This file was derived from the FreeBSD source code, RELENG 6,
* sys/net80211/ieee80211_crypto_ccmp.c
*/
/****************************************************************************/
/* File includes */
#include "config.h"
#include "dot11decrypt_system.h"
#include "dot11decrypt_int.h"
#include "dot11decrypt_debug.h"
#include <glib.h>
#include <wsutil/wsgcrypt.h>
/****************************************************************************/
/* Internal definitions */
#define AES_BLOCK_LEN 16
#define FC1_AAD_MASK 0xc7
#define FC1_AAD_QOS_MASK 0x47
/****************************************************************************/
/* Internal macros */
#define XOR_BLOCK(b, a, len) { \
INT __i__; \
for (__i__ = 0; __i__ < (INT)(len); __i__++) \
(b)[__i__] ^= (a)[__i__]; \
}
#define CCMP_DECRYPT(_i, _b, _b0, _pos, _a, _len) { \
/* Decrypt, with counter */ \
_b0[14] = (UINT8)((_i >> 8) & 0xff); \
_b0[15] = (UINT8)(_i & 0xff); \
gcry_cipher_encrypt(rijndael_handle, _b, AES_BLOCK_LEN, _b0, AES_BLOCK_LEN); \
XOR_BLOCK(_pos, _b, _len); \
/* Authentication */ \
XOR_BLOCK(_a, _pos, _len); \
gcry_cipher_encrypt(rijndael_handle, _a, AES_BLOCK_LEN, NULL, 0); \
}
#define READ_6(b0, b1, b2, b3, b4, b5) \
((((UINT64)((UINT16)((b4 << 0) | (b5 << 8)))) << 32) | \
((UINT32)((b0 << 0) | (b1 << 8) | (b2 << 16) | (b3 << 24))))
/****************************************************************************/
/* Internal function prototypes declarations */
static void ccmp_init_blocks(
gcry_cipher_hd_t rijndael_handle,
PDOT11DECRYPT_MAC_FRAME wh,
UINT64 pn,
size_t dlen,
UINT8 b0[AES_BLOCK_LEN],
UINT8 aad[2 * AES_BLOCK_LEN],
UINT8 a[AES_BLOCK_LEN],
UINT8 b[AES_BLOCK_LEN])
;
/****************************************************************************/
/* Function definitions */
static void ccmp_init_blocks(
gcry_cipher_hd_t rijndael_handle,
PDOT11DECRYPT_MAC_FRAME wh,
UINT64 pn,
size_t dlen,
UINT8 b0[AES_BLOCK_LEN],
UINT8 aad[2 * AES_BLOCK_LEN],
UINT8 a[AES_BLOCK_LEN],
UINT8 b[AES_BLOCK_LEN])
{
UINT8 mgmt = (DOT11DECRYPT_TYPE(wh->fc[0]) == DOT11DECRYPT_TYPE_MANAGEMENT);
memset(aad, 0, 2*AES_BLOCK_LEN);
/* CCM Initial Block:
* Flag (Include authentication header, M=3 (8-octet MIC),
* L=1 (2-octet Dlen))
* Nonce: 0x00 | A2 | PN
* Dlen */
b0[0] = 0x59;
/* NB: b0[1] set below */
DOT11DECRYPT_ADDR_COPY(b0 + 2, wh->addr2);
b0[8] = (UINT8)(pn >> 40);
b0[9] = (UINT8)(pn >> 32);
b0[10] = (UINT8)(pn >> 24);
b0[11] = (UINT8)(pn >> 16);
b0[12] = (UINT8)(pn >> 8);
b0[13] = (UINT8)(pn >> 0);
b0[14] = (UINT8)((UINT8)(dlen >> 8) & 0xff);
b0[15] = (UINT8)(dlen & 0xff);
/* AAD:
* FC with bits 4..6 and 11..13 masked to zero; 14 is always one; 15 zero when QoS Control field present
* A1 | A2 | A3
* SC with bits 4..15 (seq#) masked to zero
* A4 (if present)
* QC (if present)
*/
aad[0] = 0; /* AAD length >> 8 */
/* NB: aad[1] set below */
if (!mgmt)
aad[2] = (UINT8)(wh->fc[0] & 0x8f); /* XXX magic #s */
else
aad[2] = wh->fc[0];
if (DOT11DECRYPT_IS_QOS_DATA(wh)) {
aad[3] = (UINT8)((wh->fc[1] & FC1_AAD_QOS_MASK) | 0x40);
} else {
aad[3] = (UINT8)((wh->fc[1] & FC1_AAD_MASK) | 0x40);
}
/* NB: we know 3 addresses are contiguous */
memcpy(aad + 4, (guint8 *)wh->addr1, 3 * DOT11DECRYPT_MAC_LEN);
aad[22] = (UINT8)(wh->seq[0] & DOT11DECRYPT_SEQ_FRAG_MASK);
aad[23] = 0; /* all bits masked */
/*
* Construct variable-length portion of AAD based
* on whether this is a 4-address frame/QOS frame.
* We always zero-pad to 32 bytes before running it
* through the cipher.
*
* We also fill in the priority bits of the CCM
* initial block as we know whether or not we have
* a QOS frame.
*/
if (DOT11DECRYPT_IS_4ADDRESS(wh)) {
DOT11DECRYPT_ADDR_COPY(aad + 24,
((PDOT11DECRYPT_MAC_FRAME_ADDR4)wh)->addr4);
if (DOT11DECRYPT_IS_QOS_DATA(wh)) {
PDOT11DECRYPT_MAC_FRAME_ADDR4_QOS qwh4 =
(PDOT11DECRYPT_MAC_FRAME_ADDR4_QOS) wh;
aad[30] = (UINT8)(qwh4->qos[0] & 0x0f);/* just priority bits */
aad[31] = 0;
b0[1] = aad[30];
aad[1] = 22 + DOT11DECRYPT_MAC_LEN + 2;
} else {
memset(&aad[30], 0, 2);
b0[1] = 0;
aad[1] = 22 + DOT11DECRYPT_MAC_LEN;
}
} else {
if (DOT11DECRYPT_IS_QOS_DATA(wh)) {
PDOT11DECRYPT_MAC_FRAME_QOS qwh =
(PDOT11DECRYPT_MAC_FRAME_QOS) wh;
aad[24] = (UINT8)(qwh->qos[0] & 0x0f); /* just priority bits */
aad[25] = 0;
b0[1] = aad[24];
aad[1] = 22 + 2;
} else {
memset(&aad[24], 0, 2);
b0[1] = 0;
aad[1] = 22;
}
if (mgmt)
b0[1] |= 0x10; /* set MGMT flag */
memset(&aad[26], 0, 4);
}
/* Start with the first block and AAD */
gcry_cipher_encrypt(rijndael_handle, a, AES_BLOCK_LEN, b0, AES_BLOCK_LEN);
XOR_BLOCK(a, aad, AES_BLOCK_LEN);
gcry_cipher_encrypt(rijndael_handle, a, AES_BLOCK_LEN, NULL, 0);
XOR_BLOCK(a, &aad[AES_BLOCK_LEN], AES_BLOCK_LEN);
gcry_cipher_encrypt(rijndael_handle, a, AES_BLOCK_LEN, NULL, 0);
b0[0] &= 0x07;
b0[14] = b0[15] = 0;
gcry_cipher_encrypt(rijndael_handle, b, AES_BLOCK_LEN, b0, AES_BLOCK_LEN);
/** //XOR( m + len - 8, b, 8 ); **/
}
int Dot11DecryptCcmpDecrypt(
guint8 *m,
int mac_header_len,
int len,
guint8 *TK1,
int tk_len,
int mic_len)
{
PDOT11DECRYPT_MAC_FRAME wh;
UINT8 aad[2 * AES_BLOCK_LEN];
UINT8 b0[AES_BLOCK_LEN], b[AES_BLOCK_LEN], a[AES_BLOCK_LEN];
UINT8 mic[AES_BLOCK_LEN];
ssize_t data_len;
UINT i;
UINT8 *pos;
UINT space;
INT z = mac_header_len;
gcry_cipher_hd_t rijndael_handle;
UINT64 PN;
UINT8 *ivp=m+z;
if (tk_len > 16 || mic_len > 8) {
/* NOT SUPPORTED*/
return 1;
}
PN = READ_6(ivp[0], ivp[1], ivp[4], ivp[5], ivp[6], ivp[7]);
if (gcry_cipher_open(&rijndael_handle, GCRY_CIPHER_AES, GCRY_CIPHER_MODE_ECB, 0)) {
return 1;
}
if (gcry_cipher_setkey(rijndael_handle, TK1, 16)) {
gcry_cipher_close(rijndael_handle);
return 1;
}
wh = (PDOT11DECRYPT_MAC_FRAME )m;
data_len = len - (z + DOT11DECRYPT_CCMP_HEADER+DOT11DECRYPT_CCMP_TRAILER);
if (data_len < 1) {
gcry_cipher_close(rijndael_handle);
return 0;
}
ccmp_init_blocks(rijndael_handle, wh, PN, data_len, b0, aad, a, b);
memcpy(mic, m+len-DOT11DECRYPT_CCMP_TRAILER, DOT11DECRYPT_CCMP_TRAILER);
XOR_BLOCK(mic, b, DOT11DECRYPT_CCMP_TRAILER);
i = 1;
pos = (UINT8 *)m + z + DOT11DECRYPT_CCMP_HEADER;
space = len - (z + DOT11DECRYPT_CCMP_HEADER);
if (space > data_len)
space = (UINT)data_len;
while (space >= AES_BLOCK_LEN) {
CCMP_DECRYPT(i, b, b0, pos, a, AES_BLOCK_LEN);
pos += AES_BLOCK_LEN;
space -= AES_BLOCK_LEN;
i++;
}
if (space != 0) /* short last block */
CCMP_DECRYPT(i, b, b0, pos, a, space);
gcry_cipher_close(rijndael_handle);
/* MIC Key ?= MIC */
if (memcmp(mic, a, DOT11DECRYPT_CCMP_TRAILER) == 0) {
return 0;
}
/* TODO replay check (IEEE 802.11i-2004, pg. 62) */
/* TODO PN must be incremental (IEEE 802.11i-2004, pg. 62) */
return 1;
}

12
epan/crypt/dot11decrypt_int.h
View File

@ -177,24 +177,12 @@ int Dot11DecryptCcmpDecrypt(
int tk_len,
int mic_len);
#if GCRYPT_VERSION_NUMBER >= 0x010600 /* 1.6.0 */
int Dot11DecryptGcmpDecrypt(
guint8 *m,
int mac_header_len,
int len,
guint8 *TK1,
int tk_len);
#else
static inline int Dot11DecryptGcmpDecrypt(
guint8 *m _U_,
int mac_header_len _U_,
int len _U_,
guint8 *TK1 _U_,
int tk_len _U_)
{
return 1;
}
#endif
INT Dot11DecryptTkipDecrypt(
UCHAR *tkip_mpdu,

13
epan/dissectors/packet-btmesh-proxy.c
View File

@ -155,8 +155,6 @@ static guint32 sequence_counter[E_BTMESH_PROXY_SIDE_LAST];
static guint32 fragment_counter[E_BTMESH_PROXY_SIDE_LAST];
static gboolean first_pass;
#if GCRYPT_VERSION_NUMBER >= 0x010600 /* 1.6.0 */
static gint
dissect_btmesh_proxy_configuration_msg(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_)
{
@ -281,17 +279,6 @@ dissect_btmesh_proxy_configuration_msg(tvbuff_t *tvb, packet_info *pinfo, proto_
return offset;
}
#else /* GCRYPT_VERSION_NUMBER >= 0x010600 */
static gint
dissect_btmesh_proxy_configuration_msg(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, void *data _U_)
{
proto_tree_add_item(tree, hf_btmesh_proxy_data, tvb, 0, tvb_reported_length(tvb), ENC_NA);
return tvb_reported_length(tvb);
}
#endif/* GCRYPT_VERSION_NUMBER >= 0x010600 */
static gint
dissect_btmesh_proxy_msg(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *proxy_data)
{

63
epan/dissectors/packet-btmesh.c
View File

@ -1740,7 +1740,6 @@ static int hf_bt_characteristic_percentage_8 = -1;
static int hf_bt_characteristic_time_millisecond_24 = -1;
static int hf_bt_characteristic_time_second_16 = -1;
#if GCRYPT_VERSION_NUMBER >= 0x010600 /* 1.6.0 */
static const
bt_property_raw_value_entry_t sensor_column_status_hfs = {
.hf_raw_value_a = &hf_btmesh_sensor_column_status_raw_value_a,
@ -1796,7 +1795,6 @@ bt_property_columns_raw_value_t sensor_series_get_hfs = {
.hf_raw_value_a1 = &hf_btmesh_sensor_series_get_raw_value_a1,
.hf_raw_value_a2 = &hf_btmesh_sensor_series_get_raw_value_a2
};
#endif
static int ett_btmesh = -1;
static int ett_btmesh_net_pdu = -1;
@ -2414,8 +2412,6 @@ static const value_string btmesh_defined_or_dash_vals[] = {
{ 0, NULL }
};
#if GCRYPT_VERSION_NUMBER >= 0x010600 /* 1.6.0 */
static int * const config_composition_data_status_features_headers[] = {
&hf_btmesh_config_composition_data_status_features_relay,
&hf_btmesh_config_composition_data_status_features_proxy,
@ -2481,8 +2477,6 @@ static const fragment_items btmesh_segmented_control_frag_items = {
"fragments"
};
#endif
static const value_string btmesh_status_code_vals[] = {
{ 0x00, "Success" },
{ 0x01, "Invalid Address" },
@ -2785,7 +2779,6 @@ static const value_string btmesh_properties_vals[] = {
{ PROPERTY_OUTPUT_CURRENT_PERCENT , "Output Current Percent" },
{ 0, NULL }
};
#if GCRYPT_VERSION_NUMBER >= 0x010600 /* 1.6.0 */
static const btmesh_property_t btmesh_properties[] = {
{ PHONY_PROPERTY_PERCENTAGE_CHANGE_16 , PHONY_CHARACTERISTIC_PERCENTAGE_CHANGE_16 },
@ -3072,7 +3065,6 @@ static const bt_gatt_characteristic_t bt_gatt_characteristics[] = {
{ CHARACTERISTIC_WIND_CHILL , 1, NULL , DISSECTOR_SIMPLE },
{ 0, 0, NULL, 0},
};
#endif /* GCRYPT_VERSION_NUMBER >= 0x010600 */
/* Upper Transport Message reassembly */
@ -3180,7 +3172,6 @@ upper_transport_init_routine(void)
}
/* A BT Mesh dissector is not realy useful without decryption as all packets are encrypted. Just leave a stub dissector outside of */
#if GCRYPT_VERSION_NUMBER >= 0x010600 /* 1.6.0 */
/* BT Mesh s1 function */
static gboolean
@ -3630,8 +3621,6 @@ btmesh_deobfuscate(tvbuff_t *tvb, packet_info *pinfo, int offset _U_, uat_btmesh
return de_obf_tvb;
}
#endif /* GCRYPT_VERSION_NUMBER >= 0x010600 */
static const gchar *period_interval_unit[] = {"ms", "s", "s", "min"};
static const guint32 period_interval_multiplier[] = {100, 1, 10, 10};
@ -4395,8 +4384,6 @@ format_time_second_16(gchar *buf, guint32 value) {
}
}
#if GCRYPT_VERSION_NUMBER >= 0x010600 /* 1.6.0 */
static guint16
find_characteristic_id(guint16 property_id)
{
@ -8123,56 +8110,6 @@ dissect_btmesh_msg(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *da
return offset;
}
#else /* GCRYPT_VERSION_NUMBER >= 0x010600 */
static gboolean
create_master_security_keys(uat_btmesh_record_t * net_key_set _U_)
{
return FALSE;
}
static gboolean
k4(uat_btmesh_record_t *key_set _U_)
{
return FALSE;
}
static gboolean
label_uuid_hash(uat_btmesh_label_uuid_record_t *label_uuid_record _U_)
{
return FALSE;
}
/* Stub dissector if decryption not available on build system */
static gint
dissect_btmesh_msg(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_)
{
proto_item *item;
proto_tree *sub_tree;
int offset = 0;
col_set_str(pinfo->cinfo, COL_PROTOCOL, "BT Mesh");
col_clear(pinfo->cinfo, COL_INFO);
item = proto_tree_add_item(tree, proto_btmesh, tvb, offset, -1, ENC_NA);
sub_tree = proto_item_add_subtree(item, ett_btmesh);
/* First byte in plaintext */
/* IVI 1 bit Least significant bit of IV Index */
proto_tree_add_item(sub_tree, hf_btmesh_ivi, tvb, offset, 1, ENC_BIG_ENDIAN);
proto_tree_add_item(sub_tree, hf_btmesh_nid, tvb, offset, 1, ENC_BIG_ENDIAN);
offset++;
proto_tree_add_item(sub_tree, hf_btmesh_obfuscated, tvb, offset, 6, ENC_NA);
offset += 6;
proto_tree_add_item(sub_tree, hf_btmesh_encrypted, tvb, offset, -1, ENC_NA);
return tvb_reported_length(tvb);
}
#endif /* GCRYPT_VERSION_NUMBER >= 0x010600 */
static gint
compute_ascii_key(guchar **ascii_key, const gchar *key, const gchar *key_name, guint expected_octets, char **err)
{

10
epan/dissectors/packet-dcerpc-netlogon.c
View File

@ -6802,7 +6802,6 @@ netlogon_dissect_netrserverauthenticate023_reply(tvbuff_t *tvb, int offset,
debugprintf("Found %d passwords \n",list_size);
if( flags & NETLOGON_FLAG_AES )
{
#if GCRYPT_VERSION_NUMBER >= 0x010800 /* 1.8.0 */
guint8 salt_buf[16] = { 0 };
guint8 sha256[HASH_SHA2_256_LENGTH];
guint64 calculated_cred;
@ -6872,7 +6871,6 @@ netlogon_dissect_netrserverauthenticate023_reply(tvbuff_t *tvb, int offset,
}
}
}
#endif
} else if ( flags & NETLOGON_FLAG_STRONGKEY ) {
guint8 zeros[4] = { 0 };
guint8 md5[HASH_MD5_LENGTH];
@ -7877,7 +7875,6 @@ static int get_seal_key(const guint8 *session_key,int key_len,guint8* seal_key)
}
#if GCRYPT_VERSION_NUMBER >= 0x010800 /* 1.8.0 */
static guint64 uncrypt_sequence_aes(guint8* session_key,guint64 checksum,guint64 enc_seq,unsigned char is_server _U_)
{
gcry_error_t err;
@ -7920,7 +7917,6 @@ static guint64 uncrypt_sequence_aes(guint8* session_key,guint64 checksum,guint64
gcry_cipher_close(cipher_hd);
return enc_seq;
}
#endif
static guint64 uncrypt_sequence_strong(guint8* session_key,guint64 checksum,guint64 enc_seq,unsigned char is_server _U_)
{
@ -7958,11 +7954,9 @@ static guint64 uncrypt_sequence_strong(guint8* session_key,guint64 checksum,guin
static guint64 uncrypt_sequence(guint32 flags, guint8* session_key,guint64 checksum,guint64 enc_seq,unsigned char is_server _U_)
{
#if GCRYPT_VERSION_NUMBER >= 0x010800 /* 1.8.0 */
if (flags & NETLOGON_FLAG_AES) {
return uncrypt_sequence_aes(session_key, checksum, enc_seq, is_server);
}
#endif
if (flags & NETLOGON_FLAG_STRONGKEY) {
return uncrypt_sequence_strong(session_key, checksum, enc_seq, is_server);
@ -7971,7 +7965,6 @@ static guint64 uncrypt_sequence(guint32 flags, guint8* session_key,guint64 check
return 0;
}
#if GCRYPT_VERSION_NUMBER >= 0x010800 /* 1.8.0 */
static gcry_error_t prepare_decryption_cipher_aes(netlogon_auth_vars *vars,
gcry_cipher_hd_t *_cipher_hd)
{
@ -8010,7 +8003,6 @@ static gcry_error_t prepare_decryption_cipher_aes(netlogon_auth_vars *vars,
*_cipher_hd = cipher_hd;
return 0;
}
#endif
static gcry_error_t prepare_decryption_cipher_strong(netlogon_auth_vars *vars,
gcry_cipher_hd_t *_cipher_hd)
@ -8057,11 +8049,9 @@ static gcry_error_t prepare_decryption_cipher(netlogon_auth_vars *vars,
{
*_cipher_hd = NULL;
#if GCRYPT_VERSION_NUMBER >= 0x010800 /* 1.8.0 */
if (vars->flags & NETLOGON_FLAG_AES) {
return prepare_decryption_cipher_aes(vars, _cipher_hd);
}
#endif
if (vars->flags & NETLOGON_FLAG_STRONGKEY) {
return prepare_decryption_cipher_strong(vars, _cipher_hd);

18
epan/dissectors/packet-dof.c
View File

@ -180,9 +180,6 @@
#include <ctype.h>
#include <wsutil/wsgcrypt.h>
#if GCRYPT_VERSION_NUMBER >= 0x010600 /* 1.6.0 */
#define LIBGCRYPT_OK
#endif
#include <epan/packet.h>
#include <epan/proto.h>
@ -1938,7 +1935,6 @@ static const value_string sgmp_opcode_strings[] = {
#if 0 /* TODO not used yet */
static gboolean sgmp_validate_session_key(sgmp_packet_data *cmd_data, guint8 *confirmation, guint8 *kek, guint8 *key)
{
#ifdef LIBGCRYPT_OK
gcry_mac_hd_t hmac;
gcry_error_t result;
@ -1952,9 +1948,6 @@ static gboolean sgmp_validate_session_key(sgmp_packet_data *cmd_data, guint8 *co
gcry_mac_write(hmac, key, 32);
result = gcry_mac_verify(hmac, confirmation, sizeof(confirmation));
return result == 0;
#else
return FALSE;
#endif
}
#endif
@ -9103,7 +9096,6 @@ static int dissect_sgmp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, voi
return offset;
}
#ifdef LIBGCRYPT_OK
static gboolean validate_session_key(tep_rekey_data *rekey, guint S_length, guint8 *S, guint8 *confirmation, guint8 *key)
{
guint8 pad[16];
@ -9125,12 +9117,6 @@ static gboolean validate_session_key(tep_rekey_data *rekey, guint S_length, guin
result = gcry_mac_verify(hmac, confirmation, 32);
return result == 0;
}
#else
static gboolean validate_session_key(tep_rekey_data *rekey _U_, guint S_length _U_, guint8 *S _U_, guint8 *confirmation _U_, guint8 *key _U_)
{
return FALSE;
}
#endif
static int dissect_tep_dsp(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, void *data _U_)
{
@ -11315,11 +11301,7 @@ static void dof_register_dpp_2(void)
{ &ei_dpp_default_flags, { "dof.dpp.v2.flags_included", PI_COMMENTS_GROUP, PI_NOTE, "Default flag value is included explicitly.", EXPFILL } },
{ &ei_dpp_explicit_sender_sid_included, { "dof.dpp.v2.sender_sid_included", PI_PROTOCOL, PI_NOTE, "Explicit SID could be optimized, same as sender.", EXPFILL } },
{ &ei_dpp_explicit_receiver_sid_included, { "dof.dpp.v2.receiver_sid_included", PI_PROTOCOL, PI_NOTE, "Explicit SID could be optimized, same as receiver.", EXPFILL } },
#ifdef LIBGCRYPT_OK
{ &ei_dpp_no_security_context, { "dof.dpp.v2.no_context", PI_UNDECODED, PI_WARN, "No security context to enable packet decryption.", EXPFILL } },
#else
{ &ei_dpp_no_security_context, { "dof.dpp.v2.no_context", PI_UNDECODED, PI_WARN, "This version of wireshark was built without DOF decryption capability", EXPFILL } },
#endif
};
static gint *sett[] =

3
epan/dissectors/packet-isakmp.c
View File

@ -6084,6 +6084,9 @@ dissect_enc(tvbuff_t *tvb,
* - in 1.6.x length must be equal of cipher block length. Aaargh... :-(
* We use accepted for both versions length of block size for GCM (16 bytes).
* For CCM length given must be the same as given to gcry_cipher_ctl(GCRYCTL_SET_CCM_LENGTHS)
*
* XXX: We now require libgcrypt 1.8.0, so presumably this could
* be updated?
*/
guchar *tag;
gint tag_len = icv_len;

19
epan/dissectors/packet-lorawan.c
View File

@ -406,7 +406,6 @@ static device_encryption_keys_t *get_encryption_keys_dev_address(guint32 dev_add
return NULL;
}
#if GCRYPT_VERSION_NUMBER >= 0x010600 /* 1.6.0 */
static device_encryption_keys_t *get_encryption_keys_app_eui(const guint8 *appeui)
{
guint i;
@ -452,7 +451,6 @@ calculate_mic(const guint8 *in, guint8 length, const guint8 *key)
gcry_mac_close(mac_hd);
return mac;
}
#endif
/* length should be a multiple of 16, in should be padded to get to a multiple of 16 */
static gboolean
@ -648,9 +646,7 @@ dissect_lorawan(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree _U_, void *d
guint8 fport;
guint32 dev_address;
guint32 fcnt;
#if GCRYPT_VERSION_NUMBER >= 0x010600 /* 1.6.0 */
proto_item *checksum_item;
#endif
gboolean uplink = TRUE;
device_encryption_keys_t *encryption_keys = NULL;
@ -693,7 +689,6 @@ dissect_lorawan(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree _U_, void *d
* cmac = aes128_cmac(AppKey, msg)
* MIC = cmac[0..3]
*/
#if GCRYPT_VERSION_NUMBER >= 0x010600 /* 1.6.0 */
encryption_keys = get_encryption_keys_app_eui(tvb_get_ptr(tvb, current_offset - 18, 8));
if (encryption_keys) {
proto_tree_add_checksum(lorawan_tree, tvb, current_offset, hf_lorawan_mic_type, hf_lorawan_mic_status_type, &ei_lorawan_mic, pinfo,
@ -703,10 +698,6 @@ dissect_lorawan(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree _U_, void *d
0, ENC_LITTLE_ENDIAN, PROTO_CHECKSUM_NO_FLAGS);
expert_add_info(pinfo, checksum_item, &ei_lorawan_unverified_mic);
}
#else
proto_tree_add_checksum(lorawan_tree, tvb, current_offset, hf_lorawan_mic_type, hf_lorawan_mic_status_type, NULL, pinfo,
0, ENC_LITTLE_ENDIAN, PROTO_CHECKSUM_NO_FLAGS);
#endif
return tvb_captured_length(tvb);
} else if (mac_mtype == LORAWAN_MAC_MTYPE_JOINACCEPT) {
tf = proto_tree_add_item(lorawan_tree, hf_lorawan_join_accept_type, tvb, current_offset, 12, ENC_NA);
@ -733,7 +724,6 @@ dissect_lorawan(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree _U_, void *d
* cmac = aes128_cmac(AppKey, msg)
* MIC = cmac[0..3]
*/
#if GCRYPT_VERSION_NUMBER >= 0x010600 /* 1.6.0 */
encryption_keys = get_encryption_keys_dev_address(dev_address);
if (encryption_keys) {
proto_tree_add_checksum(lorawan_tree, tvb, current_offset, hf_lorawan_mic_type, hf_lorawan_mic_status_type, &ei_lorawan_mic, pinfo, calculate_mic(tvb_get_ptr(tvb, 0, current_offset), current_offset, encryption_keys->appskey->data), ENC_LITTLE_ENDIAN, PROTO_CHECKSUM_VERIFY);
@ -742,10 +732,6 @@ dissect_lorawan(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree _U_, void *d
0, ENC_LITTLE_ENDIAN, PROTO_CHECKSUM_NO_FLAGS);
expert_add_info(pinfo, checksum_item, &ei_lorawan_unverified_mic);
}
#else
proto_tree_add_checksum(lorawan_tree, tvb, current_offset, hf_lorawan_mic_type, hf_lorawan_mic_status_type, NULL, pinfo,
0, ENC_LITTLE_ENDIAN, PROTO_CHECKSUM_NO_FLAGS);
#endif
return tvb_captured_length(tvb);
} else if ((mac_mtype >= LORAWAN_MAC_MTYPE_UNCONFIRMEDDATAUP) && (mac_mtype <= LORAWAN_MAC_MTYPE_CONFIRMEDDATADOWN)) {
if (mac_mtype & 1) {
@ -823,7 +809,6 @@ dissect_lorawan(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree _U_, void *d
* MIC = cmac[0..3]
* B0 = 0x49 | 0x00 | 0x00 | 0x00 | 0x00 | dir | devAddr | fcntup/fcntdown | len(msg)
*/
#if GCRYPT_VERSION_NUMBER >= 0x010600 /* 1.6.0 */
if (encryption_keys) {
gint frame_length = current_offset;
guint8 *msg = (guint8 *)wmem_alloc0(pinfo->pool, frame_length + 16);
@ -839,10 +824,6 @@ dissect_lorawan(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree _U_, void *d
0, ENC_LITTLE_ENDIAN, PROTO_CHECKSUM_NO_FLAGS);
expert_add_info(pinfo, checksum_item, &ei_lorawan_unverified_mic);
}
#else
proto_tree_add_checksum(lorawan_tree, tvb, current_offset, hf_lorawan_mic_type, hf_lorawan_mic_status_type, NULL, pinfo,
0, ENC_LITTLE_ENDIAN, PROTO_CHECKSUM_NO_FLAGS);
#endif
return tvb_captured_length(tvb);
}

20
epan/dissectors/packet-pdcp-lte.c
View File

@ -1700,8 +1700,6 @@ static tvbuff_t *decipher_payload(tvbuff_t *tvb, packet_info *pinfo, int *offset
/* Try to calculate digest to compare with that found in frame. */
#if defined(HAVE_SNOW3G) || GCRYPT_VERSION_NUMBER >= 0x010600 /* 1.6.0 */ || defined(HAVE_ZUC)
/* We can calculate it for at least some integrity types */
static guint32 calculate_digest(pdu_security_settings_t *pdu_security_settings, guint8 header,
tvbuff_t *tvb, packet_info *pinfo, gint offset, gboolean *calculated)
{
@ -1753,7 +1751,6 @@ static guint32 calculate_digest(pdu_security_settings_t *pdu_security_settings,
}
#endif
#if GCRYPT_VERSION_NUMBER >= 0x010600 /* 1.6.0 */
case eia2:
{
/* AES */
@ -1813,7 +1810,6 @@ static guint32 calculate_digest(pdu_security_settings_t *pdu_security_settings,
*calculated = TRUE;
return ((mac[0] << 24) | (mac[1] << 16) | (mac[2] << 8) | mac[3]);
}
#endif
#ifdef HAVE_ZUC
case eia3:
{
@ -1846,22 +1842,6 @@ static guint32 calculate_digest(pdu_security_settings_t *pdu_security_settings,
return 0;
}
}
#else /* defined(HAVE_SNOW3G) || GCRYPT_VERSION_NUMBER >= 0x010600 || defined(HAVE_ZUC) */
/* We can't calculate it for any integrity types other than eia0 */
static guint32 calculate_digest(pdu_security_settings_t *pdu_security_settings, guint8 header _U_,
tvbuff_t *tvb _U_, packet_info *pinfo _U_, gint offset _U_, gboolean *calculated)
{
*calculated = FALSE;
if (pdu_security_settings->integrity == eia0) {
/* Should be zero in this case */
*calculated = TRUE;
}
/* Otherwise, we can't calculate it */
return 0;
}
#endif /* defined(HAVE_SNOW3G) || GCRYPT_VERSION_NUMBER >= 0x010600 || defined(HAVE_ZUC) */
/******************************/
/* Main dissection function. */

2
epan/dissectors/packet-pdcp-nr.c
View File

@ -1739,7 +1739,6 @@ static guint32 calculate_digest(pdu_security_settings_t *pdu_security_settings,
}
#endif
#if GCRYPT_VERSION_NUMBER >= 0x010600 /* 1.6.0 */
case nia2:
{
/* AES */
@ -1802,7 +1801,6 @@ static guint32 calculate_digest(pdu_security_settings_t *pdu_security_settings,
*calculated = TRUE;
return ((mac[0] << 24) | (mac[1] << 16) | (mac[2] << 8) | mac[3]);
}
#endif
#ifdef HAVE_ZUC
case nia3:
{

13
epan/dissectors/packet-smb2.c
View File

@ -10100,7 +10100,6 @@ static smb2_function smb2_dissector[256] = {
#define SMB3_AES128CCM_NONCE 11
#define SMB3_AES128GCM_NONCE 12
#if GCRYPT_VERSION_NUMBER >= 0x010600 /* 1.6.0 */
static gboolean is_decrypted_header_ok(guint8 *p, size_t size)
{
if (size < 4)
@ -10362,7 +10361,6 @@ decrypt_smb_payload(packet_info *pinfo,
sti->session->server_port = pinfo->srcport;
return data;
}
#endif
/*
Append tvb[offset:offset+length] to out
@ -10668,13 +10666,9 @@ dissect_smb2_transform_header(packet_info *pinfo, proto_tree *tree,
sti->session = smb2_get_session(sti->conv, sti->sesid, NULL, NULL);
smb2_add_session_info(sesid_tree, sesid_item, tvb, sesid_offset, sti->session);
#if GCRYPT_VERSION_NUMBER >= 0x010600 /* 1.6.0 */
if (sti->flags & SMB2_TRANSFORM_FLAGS_ENCRYPTED) {
plain_data = decrypt_smb_payload(pinfo, tvb, offset, offset_aad, sti);
}
#else
(void) offset_aad;
#endif
*enc_tvb = tvb_new_subset_length(tvb, offset, sti->size);
if (plain_data != NULL) {
@ -10829,7 +10823,7 @@ dissect_smb2_tid_sesid(packet_info *pinfo _U_, proto_tree *tree, tvbuff_t *tvb,
return offset;
}
#if GCRYPT_VERSION_NUMBER >= 0x010600
static void
dissect_smb2_signature(packet_info *pinfo, tvbuff_t *tvb, int offset, proto_tree *tree, smb2_info_t *si)
{
@ -10896,7 +10890,6 @@ dissect_smb2_signature(packet_info *pinfo, tvbuff_t *tvb, int offset, proto_tree
return;
}
#endif
static int
dissect_smb2(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, gboolean first_in_chain)
@ -11063,11 +11056,7 @@ dissect_smb2(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, gboolea
offset = dissect_smb2_tid_sesid(pinfo, header_tree, tvb, offset, si);
/* Signature */
#if GCRYPT_VERSION_NUMBER >= 0x010600
dissect_smb2_signature(pinfo, tvb, offset, header_tree, si);
#else
proto_tree_add_item(header_tree, hf_smb2_signature, tvb, offset, 16, ENC_NA);
#endif
offset += 16;
proto_item_set_len(header_item, offset);

62
epan/dissectors/packet-ssh.c
View File

@ -83,11 +83,6 @@ void proto_reg_handoff_ssh(void);
/* proto data */
#if GCRYPT_VERSION_NUMBER >= 0x010700 /* 1.7.0 */
#define SSH_DECRYPTION_SUPPORTED
#endif
#ifdef SSH_DECRYPTION_SUPPORTED
typedef struct {
guint8 *data;
guint length;
@ -114,7 +109,6 @@ typedef struct {
gboolean from_server;
ssh_message_info_t * messages;
} ssh_packet_info_t;
#endif
typedef struct _ssh_channel_info_t {
guint client_channel_number;
@ -152,12 +146,10 @@ struct ssh_peer_data {
gint length_is_plaintext;
#ifdef SSH_DECRYPTION_SUPPORTED
// see libgcrypt source, gcrypt.h:gcry_cipher_algos
guint cipher_id;
// chacha20 needs two cipher handles
gcry_cipher_hd_t cipher, cipher_2;
#endif
guint sequence_number;
guint32 seq_num_kex_init;
// union ??? -- begin
@ -173,9 +165,7 @@ struct ssh_peer_data {
guint32 seq_num_dh_rep;
// union ??? -- end
guint32 seq_num_new_key;
#ifdef SSH_DECRYPTION_SUPPORTED
ssh_bignum *bn_cookie;
#endif
struct ssh_flow_data * global_data;
};
@ -192,7 +182,6 @@ struct ssh_flow_data {
#define SERVER_PEER_DATA 1
struct ssh_peer_data peer_data[2];
#ifdef SSH_DECRYPTION_SUPPORTED
gchar *session_id;
guint session_id_length;
ssh_bignum *kex_e;
@ -206,13 +195,10 @@ struct ssh_flow_data {
wmem_array_t *kex_shared_secret;
gboolean do_decrypt;
ssh_bignum new_keys[6];
#endif
ssh_channel_info_t *channel_info;
};
#ifdef SSH_DECRYPTION_SUPPORTED
static GHashTable * ssh_master_key_map = NULL;
#endif
static int proto_ssh = -1;
@ -391,12 +377,10 @@ static gboolean ssh_desegment = TRUE;
static dissector_handle_t ssh_handle;
static dissector_handle_t sftp_handle=NULL;
#ifdef SSH_DECRYPTION_SUPPORTED
static const char *pref_keylog_file;
static FILE *ssh_keylog_file;
#define SSH_DECRYPT_DEBUG
#endif
#ifdef SSH_DECRYPT_DEBUG
static const gchar *ssh_debug_file_name = NULL;
@ -569,7 +553,6 @@ static void ssh_choose_algo(gchar *client, gchar *server, gchar **result);
static void ssh_set_mac_length(struct ssh_peer_data *peer_data);
static void ssh_set_kex_specific_dissector(struct ssh_flow_data *global_data);
#ifdef SSH_DECRYPTION_SUPPORTED
static void ssh_keylog_read_file(void);
static void ssh_keylog_process_line(const char *line);
static void ssh_keylog_process_lines(const guint8 *data, guint datalen);
@ -629,8 +612,6 @@ static void set_subdissector_for_channel(struct ssh_peer_data *peer_data, guint
#define SSH_DEBUG_USE_STDERR "-"
#endif /* SSH_DECRYPTION_SUPPORTED */
#ifdef SSH_DECRYPT_DEBUG
static void
ssh_debug_printf(const gchar* fmt,...) G_GNUC_PRINTF(1,2);
@ -680,7 +661,6 @@ dissect_ssh(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)
global_data->kex_specific_dissector = ssh_dissect_kex_dh;
global_data->peer_data[CLIENT_PEER_DATA].mac_length = -1;
global_data->peer_data[SERVER_PEER_DATA].mac_length = -1;
#ifdef SSH_DECRYPTION_SUPPORTED
global_data->peer_data[CLIENT_PEER_DATA].sequence_number = 0;
global_data->peer_data[SERVER_PEER_DATA].sequence_number = 0;
global_data->peer_data[CLIENT_PEER_DATA].seq_num_kex_init = 0;
@ -715,7 +695,6 @@ dissect_ssh(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)
global_data->kex_server_host_key_blob = wmem_array_new(wmem_file_scope(), 1);
global_data->kex_shared_secret = wmem_array_new(wmem_file_scope(), 1);
global_data->do_decrypt = TRUE;
#endif
conversation_add_proto_data(conversation, proto_ssh, global_data);
}
@ -854,13 +833,11 @@ ssh_dissect_ssh2(tvbuff_t *tvb, packet_info *pinfo,
offset, ssh2_tree, is_response,
need_desegmentation);
#ifdef SSH_DECRYPTION_SUPPORTED
if (!*need_desegmentation) {
ssh_increment_message_number(pinfo, global_data, is_response);
}else{
break;
}
#endif
} else {
if(!*need_desegmentation){
offset = ssh_try_dissect_encrypted_packet(tvb, pinfo,
@ -1041,13 +1018,8 @@ ssh_tree_add_hostkey(tvbuff_t *tvb, int offset, proto_tree *parent_tree,
proto_tree_add_uint(tree, hf_ssh_hostkey_length, tvb, last_offset, 4, key_len);
// server host key (K_S / Q)
#ifdef SSH_DECRYPTION_SUPPORTED
gchar *data = (gchar *)tvb_memdup(wmem_packet_scope(), tvb, last_offset + 4, key_len);
ssh_hash_buffer_put_string(global_data->kex_server_host_key_blob, data, key_len);
#else
// ignore unused parameter complaint
(void)global_data;
#endif
last_offset += 4;
proto_tree_add_uint(tree, hf_ssh_hostkey_type_length, tvb, last_offset, 4, type_len);
@ -1239,13 +1211,11 @@ ssh_dissect_key_exchange(tvbuff_t *tvb, packet_info *pinfo,
if ((peer_data->frame_key_start == 0) || (peer_data->frame_key_start == pinfo->num)) {
if (!PINFO_FD_VISITED(pinfo)) {
peer_data->frame_key_start = pinfo->num;
#ifdef SSH_DECRYPTION_SUPPORTED
if(global_data->peer_data[is_response].seq_num_kex_init == 0){
global_data->peer_data[is_response].seq_num_kex_init = global_data->peer_data[is_response].sequence_number;
global_data->peer_data[is_response].sequence_number++;
ssh_debug_printf("%s->sequence_number{SSH_MSG_KEXINIT=%d}++ > %d\n", is_response?"server":"client", global_data->peer_data[is_response].seq_num_kex_init, global_data->peer_data[is_response].sequence_number);
}
#endif
}
}
seq_num = global_data->peer_data[is_response].seq_num_kex_init;
@ -1258,13 +1228,11 @@ ssh_dissect_key_exchange(tvbuff_t *tvb, packet_info *pinfo,
global_data->peer_data[SERVER_PEER_DATA].enc_proposals[is_response],
&peer_data->enc);
#ifdef SSH_DECRYPTION_SUPPORTED
if(global_data->peer_data[is_response].seq_num_new_key == 0){
global_data->peer_data[is_response].seq_num_new_key = global_data->peer_data[is_response].sequence_number;
global_data->peer_data[is_response].sequence_number++;
ssh_debug_printf("%s->sequence_number{SSH_MSG_NEWKEYS=%d}++ > %d\n", is_response?"server":"client", global_data->peer_data[is_response].seq_num_new_key, global_data->peer_data[is_response].sequence_number);
}
#endif
/* some ciphers have their own MAC so the "negotiated" one is meaningless */
if(peer_data->enc && (0 == strcmp(peer_data->enc, "aes128-gcm@openssh.com") ||
@ -1289,7 +1257,6 @@ ssh_dissect_key_exchange(tvbuff_t *tvb, packet_info *pinfo,
&peer_data->comp);
// the client sent SSH_MSG_NEWKEYS
#ifdef SSH_DECRYPTION_SUPPORTED
if (!is_response) {
ssh_decryption_set_cipher_id(&global_data->peer_data[CLIENT_PEER_DATA]);
ssh_debug_printf("Activating new keys for CLIENT => SERVER\n");
@ -1299,7 +1266,6 @@ ssh_dissect_key_exchange(tvbuff_t *tvb, packet_info *pinfo,
ssh_debug_printf("Activating new keys for SERVER => CLIENT\n");
ssh_decryption_setup_cipher(&global_data->peer_data[SERVER_PEER_DATA], &global_data->new_keys[1], &global_data->new_keys[3]);
}
#endif
}
seq_num = global_data->peer_data[is_response].seq_num_new_key;
@ -1334,13 +1300,11 @@ static int ssh_dissect_kex_dh(guint8 msg_code, tvbuff_t *tvb,
switch (msg_code) {
case SSH_MSG_KEXDH_INIT:
#ifdef SSH_DECRYPTION_SUPPORTED
// e (client ephemeral key public part)
if (!ssh_read_e(tvb, offset, global_data)) {
proto_tree_add_expert_format(tree, pinfo, &ei_ssh_invalid_keylen, tvb, offset, 2,
"Invalid key length: %u", tvb_get_ntohl(tvb, offset));
}
#endif
offset += ssh_tree_add_mpint(tvb, offset, tree, hf_ssh_dh_e);
if(global_data->peer_data[CLIENT_PEER_DATA].seq_num_dh_ini == 0){
@ -1355,14 +1319,12 @@ static int ssh_dissect_kex_dh(guint8 msg_code, tvbuff_t *tvb,
offset += ssh_tree_add_hostkey(tvb, offset, tree, "KEX host key",
ett_key_exchange_host_key, global_data);
#ifdef SSH_DECRYPTION_SUPPORTED
// f (server ephemeral key public part), K_S (host key)
if (!ssh_read_f(tvb, offset, global_data)) {
proto_tree_add_expert_format(tree, pinfo, &ei_ssh_invalid_keylen, tvb, offset, 2,
"Invalid key length: %u", tvb_get_ntohl(tvb, offset));
}
ssh_keylog_hash_write_secret(global_data);
#endif
offset += ssh_tree_add_mpint(tvb, offset, tree, hf_ssh_dh_f);
offset += ssh_tree_add_hostsignature(tvb, pinfo, offset, tree, "KEX host signature",
@ -1464,7 +1426,6 @@ ssh_dissect_kex_ecdh(guint8 msg_code, tvbuff_t *tvb,
switch (msg_code) {
case SSH_MSG_KEX_ECDH_INIT:
#ifdef SSH_DECRYPTION_SUPPORTED
if (!ssh_read_e(tvb, offset, global_data)) {
proto_tree_add_expert_format(tree, pinfo, &ei_ssh_invalid_keylen, tvb, offset, 2,
"Invalid key length: %u", tvb_get_ntohl(tvb, offset));
@ -1478,10 +1439,6 @@ ssh_dissect_kex_ecdh(guint8 msg_code, tvbuff_t *tvb,
}
}
*seq_num = global_data->peer_data[CLIENT_PEER_DATA].seq_num_ecdh_ini;
#else
// ignore unused parameter complaint
(void)seq_num;
#endif
offset += ssh_tree_add_string(tvb, offset, tree, hf_ssh_ecdh_q_c, hf_ssh_ecdh_q_c_length);
break;
@ -1490,7 +1447,6 @@ ssh_dissect_kex_ecdh(guint8 msg_code, tvbuff_t *tvb,
offset += ssh_tree_add_hostkey(tvb, offset, tree, "KEX host key",
ett_key_exchange_host_key, global_data);
#ifdef SSH_DECRYPTION_SUPPORTED
if (!ssh_read_f(tvb, offset, global_data)){
proto_tree_add_expert_format(tree, pinfo, &ei_ssh_invalid_keylen, tvb, offset, 2,
"Invalid key length: %u", tvb_get_ntohl(tvb, offset));
@ -1503,7 +1459,6 @@ ssh_dissect_kex_ecdh(guint8 msg_code, tvbuff_t *tvb,
ssh_debug_printf("%s->sequence_number{SSH_MSG_KEX_ECDH_REPLY=%d}++ > %d\n", SERVER_PEER_DATA?"server":"client", global_data->peer_data[SERVER_PEER_DATA].seq_num_ecdh_rep, global_data->peer_data[SERVER_PEER_DATA].sequence_number);
}
*seq_num = global_data->peer_data[SERVER_PEER_DATA].seq_num_ecdh_rep;
#endif
offset += ssh_tree_add_string(tvb, offset, tree, hf_ssh_ecdh_q_s, hf_ssh_ecdh_q_s_length);
offset += ssh_tree_add_hostsignature(tvb, pinfo, offset, tree, "KEX host signature",
@ -1518,13 +1473,11 @@ static int
ssh_try_dissect_encrypted_packet(tvbuff_t *tvb, packet_info *pinfo,
struct ssh_peer_data *peer_data, int offset, proto_tree *tree)
{
#ifdef SSH_DECRYPTION_SUPPORTED
gboolean can_decrypt = peer_data->cipher != NULL;
if (can_decrypt) {
return ssh_decrypt_packet(tvb, pinfo, peer_data, offset, tree);
}
#endif
return ssh_dissect_encrypted_packet(tvb, pinfo, peer_data, offset, tree);
}
@ -1634,7 +1587,6 @@ ssh_dissect_protocol(tvbuff_t *tvb, packet_info *pinfo,
// V_C / V_S (client and server identification strings) RFC4253 4.2
// format: SSH-protoversion-softwareversion SP comments [CR LF not incl.]
#ifdef SSH_DECRYPTION_SUPPORTED
if (!PINFO_FD_VISITED(pinfo)) {
gchar *data = (gchar *)tvb_memdup(wmem_packet_scope(), tvb, offset, protolen);
if(!is_response){
@ -1643,7 +1595,6 @@ ssh_dissect_protocol(tvbuff_t *tvb, packet_info *pinfo,
ssh_hash_buffer_put_string(global_data->kex_server_version, data, protolen);
}
}
#endif
proto_tree_add_item(tree, hf_ssh_protocol,
tvb, offset, protolen, ENC_ASCII);
@ -1760,11 +1711,7 @@ ssh_choose_algo(gchar *client, gchar *server, gchar **result)
}
static int
#ifdef SSH_DECRYPTION_SUPPORTED
ssh_dissect_key_init(tvbuff_t *tvb, packet_info *pinfo, int offset,
#else
ssh_dissect_key_init(tvbuff_t *tvb, packet_info *pinfo _U_, int offset,
#endif
proto_tree *tree, int is_response, struct ssh_flow_data *global_data)
{
int start_offset = offset;
@ -1778,11 +1725,9 @@ ssh_dissect_key_init(tvbuff_t *tvb, packet_info *pinfo _U_, int offset,
struct ssh_peer_data *peer_data = &global_data->peer_data[is_response];
key_init_tree = proto_tree_add_subtree(tree, tvb, offset, -1, ett_key_init, &tf, "Algorithms");
#ifdef SSH_DECRYPTION_SUPPORTED
if (!PINFO_FD_VISITED(pinfo)) {
peer_data->bn_cookie = ssh_kex_make_bignum(tvb_get_ptr(tvb, offset, 16), 16);
}
#endif
proto_tree_add_item(key_init_tree, hf_ssh_cookie,
tvb, offset, 16, ENC_NA);
offset += 16;
@ -1871,7 +1816,6 @@ ssh_dissect_key_init(tvbuff_t *tvb, packet_info *pinfo _U_, int offset,
proto_item_set_len(tf, payload_length);
}
#ifdef SSH_DECRYPTION_SUPPORTED
// I_C / I_S (client and server SSH_MSG_KEXINIT payload) RFC4253 4.2
if (!PINFO_FD_VISITED(pinfo)) {
gchar *data = (gchar *)wmem_alloc(wmem_packet_scope(), payload_length + 1);
@ -1883,7 +1827,6 @@ ssh_dissect_key_init(tvbuff_t *tvb, packet_info *pinfo _U_, int offset,
ssh_hash_buffer_put_string(global_data->kex_client_key_exchange_init, data, payload_length + 1);
}
}
#endif
return offset;
}
@ -1905,7 +1848,6 @@ ssh_dissect_proposal(tvbuff_t *tvb, int offset, proto_tree *tree,
return offset;
}
#ifdef SSH_DECRYPTION_SUPPORTED
static void
ssh_keylog_read_file(void)
{
@ -3346,8 +3288,6 @@ ssh_hash (gconstpointer v)
}
/* Functions for SSH random hashtables. }}} */
#endif /* SSH_DECRYPTION_SUPPORTED */
void
proto_register_ssh(void)
{
@ -4062,7 +4002,6 @@ proto_register_ssh(void)
"To use this option, you must also enable \"Allow subdissectors to reassemble TCP streams\" in the TCP protocol settings.",
&ssh_desegment);
#ifdef SSH_DECRYPTION_SUPPORTED
ssh_master_key_map = g_hash_table_new(ssh_hash, ssh_equal);
prefs_register_filename_preference(ssh_module, "keylog_file", "Key log filename",
"The path to the file which contains a list of key exchange secrets in the following format:\n"
@ -4075,7 +4014,6 @@ proto_register_ssh(void)
&ssh_debug_file_name, TRUE);
secrets_register_type(SECRETS_TYPE_SSH, ssh_secrets_block_callback);
#endif
ssh_handle = register_dissector("ssh", dissect_ssh, proto_ssh);
}

2
epan/dissectors/packet-tls.c
View File

@ -3920,7 +3920,6 @@ tls_get_alpn(packet_info *pinfo)
}
/* TLS Exporters {{{ */
#if GCRYPT_VERSION_NUMBER >= 0x010600 /* 1.6.0 */
/**
* Computes the TLS 1.3 Exporter value (RFC 8446 Section 7.5).
*
@ -4009,7 +4008,6 @@ tls13_exporter(packet_info *pinfo, gboolean is_early,
return tls13_exporter_common(hash_algo, secret, label, context, context_length, key_length, out);
}
#endif
/* }}} */

51
epan/dissectors/packet-wireguard.c
View File

@ -33,11 +33,6 @@
#include <epan/secrets.h>
#include <wiretap/secrets-types.h>
#if GCRYPT_VERSION_NUMBER >= 0x010800 /* 1.8.0 */
/* Decryption requires Curve25519, ChaCha20-Poly1305 (1.7) and Blake2s (1.8). */
#define WG_DECRYPTION_SUPPORTED
#endif
void proto_reg_handoff_wg(void);
void proto_register_wg(void);
@ -78,12 +73,10 @@ static expert_field ei_wg_bad_packet_length = EI_INIT;
static expert_field ei_wg_keepalive = EI_INIT;
static expert_field ei_wg_decryption_error = EI_INIT;
#ifdef WG_DECRYPTION_SUPPORTED
static gboolean pref_dissect_packet = TRUE;
static const char *pref_keylog_file;
static dissector_handle_t ip_handle;
#endif /* WG_DECRYPTION_SUPPORTED */
static dissector_handle_t wg_handle;
@ -105,7 +98,6 @@ static const value_string wg_type_names[] = {
{ 0x00, NULL }
};
#ifdef WG_DECRYPTION_SUPPORTED
/* Decryption types. {{{ */
/*
* Most operations operate on 32 byte units (keys and hash output).
@ -237,7 +229,6 @@ static wg_qqword hash_of_construction;
/** Hash(Hash(CONSTRUCTION) || IDENTIFIER), initialized by wg_decrypt_init. */
static wg_qqword hash_of_c_identifier;
/* Decryption types. }}} */
#endif /* WG_DECRYPTION_SUPPORTED */
/*
* Information required to process and link messages as required on the first
@ -263,9 +254,7 @@ typedef struct {
guint32 initiator_frame;
guint32 response_frame; /* Responder or Cookie Reply message. */
wg_initial_info_t initial; /* Valid only on the first pass. */
#ifdef WG_DECRYPTION_SUPPORTED
wg_handshake_state_t *hs; /* Handshake state to enable decryption. */
#endif /* WG_DECRYPTION_SUPPORTED */
} wg_session_t;
/* Per-packet state. */
@ -279,7 +268,6 @@ static wmem_map_t *sessions;
static guint32 wg_session_count;
#ifdef WG_DECRYPTION_SUPPORTED
/* Key conversion routines. {{{ */
/* Import external random data as private key. */
static void
@ -1018,7 +1006,6 @@ wg_process_response(tvbuff_t *tvb, wg_handshake_state_t *hs)
hs->initiator_recv_cipher = wg_create_cipher(&transport_keys[1]);
hs->responder_recv_cipher = wg_create_cipher(&transport_keys[0]);
}
#endif /* WG_DECRYPTION_SUPPORTED */
static void
@ -1129,7 +1116,6 @@ wg_sessions_lookup(packet_info *pinfo, guint32 receiver_id, gboolean *receiver_i
return NULL;
}
#ifdef WG_DECRYPTION_SUPPORTED
/*
* Finds the static public key for the receiver of this message based on the
* MAC1 value.
@ -1248,7 +1234,6 @@ wg_dissect_key_extra(proto_tree *tree, tvbuff_t *tvb, const wg_qqword *pubkey, g
ti = proto_tree_add_boolean(tree, hf_known_privkey, tvb, 0, 0, has_private);
proto_item_set_generated(ti);
}
#endif /* WG_DECRYPTION_SUPPORTED */
static void
@ -1260,16 +1245,11 @@ wg_dissect_pubkey(proto_tree *tree, tvbuff_t *tvb, int offset, gboolean is_ephem
g_free(str);
int hf_id = is_ephemeral ? hf_wg_ephemeral : hf_wg_static;
#ifdef WG_DECRYPTION_SUPPORTED
proto_item *ti = proto_tree_add_string(tree, hf_id, tvb, offset, 32, key_str);
proto_tree *key_tree = proto_item_add_subtree(ti, ett_key_info);
wg_dissect_key_extra(key_tree, tvb, (const wg_qqword *)pubkey, is_ephemeral);
#else
proto_tree_add_string(tree, hf_id, tvb, offset, 32, key_str);
#endif
}
#ifdef WG_DECRYPTION_SUPPORTED
static void
wg_dissect_decrypted_static(tvbuff_t *tvb, packet_info *pinfo, proto_tree *wg_tree, wg_handshake_state_t *hs)
{
@ -1358,7 +1338,6 @@ wg_dissect_mac1_pubkey(proto_tree *tree, tvbuff_t *tvb, const wg_skey_t *skey)
ti = proto_tree_add_boolean(key_tree, hf_wg_receiver_pubkey_known_privkey, tvb, 0, 0, !!has_private_key(&skey->priv_key));
proto_item_set_generated(ti);
}
#endif /* WG_DECRYPTION_SUPPORTED */
static int
wg_dissect_handshake_initiation(tvbuff_t *tvb, packet_info *pinfo, proto_tree *wg_tree, wg_packet_info_t *wg_pinfo)
@ -1366,7 +1345,6 @@ wg_dissect_handshake_initiation(tvbuff_t *tvb, packet_info *pinfo, proto_tree *w
guint32 sender_id;
proto_item *ti;
#ifdef WG_DECRYPTION_SUPPORTED
wg_keylog_read();
const wg_skey_t *skey_r = wg_mac1_key_probe(tvb, TRUE);
wg_handshake_state_t *hs = NULL;
@ -1381,23 +1359,16 @@ wg_dissect_handshake_initiation(tvbuff_t *tvb, packet_info *pinfo, proto_tree *w
} else if (wg_pinfo && wg_pinfo->session) {
hs = wg_pinfo->session->hs;
}
#endif /* WG_DECRYPTION_SUPPORTED */
proto_tree_add_item_ret_uint(wg_tree, hf_wg_sender, tvb, 4, 4, ENC_LITTLE_ENDIAN, &sender_id);
col_append_fstr(pinfo->cinfo, COL_INFO, ", sender=0x%08X", sender_id);
wg_dissect_pubkey(wg_tree, tvb, 8, TRUE);
proto_tree_add_item(wg_tree, hf_wg_encrypted_static, tvb, 40, 32 + AUTH_TAG_LENGTH, ENC_NA);
#ifdef WG_DECRYPTION_SUPPORTED
wg_dissect_decrypted_static(tvb, pinfo, wg_tree, hs);
#endif /* WG_DECRYPTION_SUPPORTED */
proto_tree_add_item(wg_tree, hf_wg_encrypted_timestamp, tvb, 88, 12 + AUTH_TAG_LENGTH, ENC_NA);
#ifdef WG_DECRYPTION_SUPPORTED
wg_dissect_decrypted_timestamp(tvb, pinfo, wg_tree, hs);
#endif /* WG_DECRYPTION_SUPPORTED */
proto_tree_add_item(wg_tree, hf_wg_mac1, tvb, 116, 16, ENC_NA);
#ifdef WG_DECRYPTION_SUPPORTED
wg_dissect_mac1_pubkey(wg_tree, tvb, skey_r);
#endif /* WG_DECRYPTION_SUPPORTED */
proto_tree_add_item(wg_tree, hf_wg_mac2, tvb, 132, 16, ENC_NA);
if (!PINFO_FD_VISITED(pinfo)) {
@ -1406,9 +1377,7 @@ wg_dissect_handshake_initiation(tvbuff_t *tvb, packet_info *pinfo, proto_tree *w
wg_session_t *session = wg_session_new();
session->initiator_frame = pinfo->num;
wg_session_update_address(session, pinfo, TRUE);
#ifdef WG_DECRYPTION_SUPPORTED
session->hs = hs;
#endif /* WG_DECRYPTION_SUPPORTED */
wg_sessions_insert(sender_id, session);
wg_pinfo->session = session;
}
@ -1432,10 +1401,8 @@ wg_dissect_handshake_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *wg_
proto_item *ti;
wg_session_t *session;
#ifdef WG_DECRYPTION_SUPPORTED
wg_keylog_read();
const wg_skey_t *skey_i = wg_mac1_key_probe(tvb, FALSE);
#endif /* WG_DECRYPTION_SUPPORTED */
proto_tree_add_item_ret_uint(wg_tree, hf_wg_sender, tvb, 4, 4, ENC_LITTLE_ENDIAN, &sender_id);
col_append_fstr(pinfo->cinfo, COL_INFO, ", sender=0x%08X", sender_id);
@ -1444,28 +1411,22 @@ wg_dissect_handshake_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *wg_
if (!PINFO_FD_VISITED(pinfo)) {
session = wg_sessions_lookup_initiation(pinfo, receiver_id);
#ifdef WG_DECRYPTION_SUPPORTED
if (session && session->hs) {
wg_prepare_handshake_responder_keys(session->hs, tvb);
wg_process_response(tvb, session->hs);
}
#endif /* WG_DECRYPTION_SUPPORTED */
} else {
session = wg_pinfo ? wg_pinfo->session : NULL;
}
wg_dissect_pubkey(wg_tree, tvb, 12, TRUE);
proto_tree_add_item(wg_tree, hf_wg_encrypted_empty, tvb, 44, 16, ENC_NA);
#ifdef WG_DECRYPTION_SUPPORTED
if (session && session->hs) {
ti = proto_tree_add_boolean(wg_tree, hf_wg_handshake_ok, tvb, 0, 0, !!session->hs->empty_ok);
proto_item_set_generated(ti);
}
#endif /* WG_DECRYPTION_SUPPORTED */
proto_tree_add_item(wg_tree, hf_wg_mac1, tvb, 60, 16, ENC_NA);
#ifdef WG_DECRYPTION_SUPPORTED
wg_dissect_mac1_pubkey(wg_tree, tvb, skey_i);
#endif /* WG_DECRYPTION_SUPPORTED */
proto_tree_add_item(wg_tree, hf_wg_mac2, tvb, 76, 16, ENC_NA);
if (!PINFO_FD_VISITED(pinfo)) {
@ -1566,11 +1527,9 @@ wg_dissect_data(tvbuff_t *tvb, packet_info *pinfo, proto_tree *wg_tree, wg_packe
proto_item_set_generated(ti);
}
#ifdef WG_DECRYPTION_SUPPORTED
if (session && session->hs) {
wg_dissect_decrypted_packet(tvb, pinfo, wg_tree, wg_pinfo, counter, packet_length - AUTH_TAG_LENGTH);
}
#endif /* WG_DECRYPTION_SUPPORTED */
return 16 + packet_length;
}
@ -1712,9 +1671,7 @@ wg_init(void)
void
proto_register_wg(void)
{
#ifdef WG_DECRYPTION_SUPPORTED
module_t *wg_module;
#endif /* WG_DECRYPTION_SUPPORTED */
expert_module_t *expert_wg;
static hf_register_info hf[] = {
@ -1888,14 +1845,12 @@ proto_register_wg(void)
},
};
#ifdef WG_DECRYPTION_SUPPORTED
/* UAT for header fields */
static uat_field_t wg_key_uat_fields[] = {
UAT_FLD_VS(wg_key_uat, key_type, "Key type", wg_key_uat_type_vals, "Public or Private"),
UAT_FLD_CSTRING(wg_key_uat, key, "Key", "Base64-encoded key"),
UAT_END_FIELDS
};
#endif /* WG_DECRYPTION_SUPPORTED */
proto_wg = proto_register_protocol("WireGuard Protocol", "WireGuard", "wg");
@ -1907,7 +1862,6 @@ proto_register_wg(void)
wg_handle = register_dissector("wg", dissect_wg, proto_wg);
#ifdef WG_DECRYPTION_SUPPORTED
wg_module = prefs_register_protocol(proto_wg, NULL);
uat_t *wg_keys_uat = uat_new("WireGuard static keys",
@ -1949,12 +1903,9 @@ proto_register_wg(void)
secrets_register_type(SECRETS_TYPE_WIREGUARD, wg_keylog_process_lines);
wg_ephemeral_keys = wmem_map_new_autoreset(wmem_epan_scope(), wmem_file_scope(), g_int_hash, wg_pubkey_equal);
#endif /* WG_DECRYPTION_SUPPORTED */
register_init_routine(wg_init);
#ifdef WG_DECRYPTION_SUPPORTED
register_cleanup_routine(wg_keylog_reset);
#endif /* WG_DECRYPTION_SUPPORTED */
sessions = wmem_map_new_autoreset(wmem_epan_scope(), wmem_file_scope(), g_direct_hash, g_direct_equal);
}
@ -1964,9 +1915,7 @@ proto_reg_handoff_wg(void)
dissector_add_uint_with_preference("udp.port", 0, wg_handle);
heur_dissector_add("udp", dissect_wg_heur, "WireGuard", "wg", proto_wg, HEURISTIC_ENABLE);
#ifdef WG_DECRYPTION_SUPPORTED
ip_handle = find_dissector("ip");
#endif /* WG_DECRYPTION_SUPPORTED */
}
/*

19
wsutil/curve25519.c
View File

@ -13,11 +13,6 @@
#include "curve25519.h"
#include "ws_attributes.h"
#if GCRYPT_VERSION_NUMBER >= 0x010700 /* 1.7.0 */
#define HAVE_X25519
#endif
#ifdef HAVE_X25519
static inline void
copy_and_reverse(unsigned char *dest, const unsigned char *src, size_t n)
{
@ -105,17 +100,3 @@ crypto_scalarmult_curve25519_base(unsigned char *q, const unsigned char *n)
gcry_mpi_release(mpi_basepoint_x);
return r;
}
#else
int
crypto_scalarmult_curve25519(unsigned char *q _U_, const unsigned char *n _U_,
const unsigned char *p _U_)
{
return -1;
}
int
crypto_scalarmult_curve25519_base(unsigned char *q _U_, const unsigned char *n _U_)
{
return -1;
}
#endif /* HAVE_X25519 */

4
wsutil/curve25519.h
View File

@ -10,10 +10,6 @@
* SPDX-License-Identifier: GPL-2.0-or-later
*/
/*
* Callers MUST check GCRYPT_VERSION_NUMBER >= 0x010700 before using this API.
*/
#ifndef __CURVE25519_H__
#define __CURVE25519_H__

7
wsutil/wsgcrypt.c
View File

@ -30,7 +30,6 @@ gcry_error_t ws_hmac_buffer(int algo, void *digest, const void *buffer, size_t l
return GPG_ERR_NO_ERROR;
}
#if GCRYPT_VERSION_NUMBER >= 0x010600
gcry_error_t ws_cmac_buffer(int algo, void *digest, const void *buffer, size_t length, const void *key, size_t keylen)
{
gcry_mac_hd_t cmac_handle;
@ -48,12 +47,6 @@ gcry_error_t ws_cmac_buffer(int algo, void *digest, const void *buffer, size_t l
gcry_mac_close(cmac_handle);
return result;
}
#else
gcry_error_t ws_cmac_buffer(int algo _U_, void *digest _U_, const void *buffer _U_, size_t length _U_, const void *key _U_, size_t keylen _U_)
{
return GPG_ERR_UNSUPPORTED_ALGORITHM;
}
#endif
void crypt_des_ecb(guint8 *output, const guint8 *buffer, const guint8 *key56)
{

4
wsutil/wsgcrypt.h
View File

@ -27,20 +27,16 @@ DIAG_ON(deprecated-declarations)
* Define HAVE_LIBGCRYPT_AEAD here, because it's used in several source
* files.
*/
#if GCRYPT_VERSION_NUMBER >= 0x010600 /* 1.6.0 */
/* Whether to provide support for authentication in addition to decryption. */
#define HAVE_LIBGCRYPT_AEAD
#endif
/*
* Define some other "do we have?" items as well.
*/
#if GCRYPT_VERSION_NUMBER >= 0x010700 /* 1.7.0 */
/* Whether ChaCh20 PNE can be supported. */
#define HAVE_LIBGCRYPT_CHACHA20
/* Whether AEAD_CHACHA20_POLY1305 can be supported. */
#define HAVE_LIBGCRYPT_CHACHA20_POLY1305
#endif
#define HASH_MD5_LENGTH 16
#define HASH_SHA1_LENGTH 20