DTLS: add DSB support, use the key log file from the TLS dissector

The DTLS and TLS dissectors already share code for parsing the key log
file contents but the actual key material was stored separately. As
implementations (like GnuTLS) write the TLS and DTLS secrets to the same
file (specified by the SSLKEYLOGFILE environment variable), it seems
reasonable to combine them.

This also enables use of the pcapng Decryption Secrets Block for
decryption of DTLS traces. The dtls.keylog_file preference has become
obsolete and can no longer be used (this was not tested anyway).

A new test was added based on dtls12-aes128ccm8.pcap, the master secret
was extracted using the tls.debug_file preference.

Bug: 15252
Change-Id: Idfd52c251da966fe111dea37bc3fb143d968f744
Reviewed-on: https://code.wireshark.org/review/31577
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Stig Bjørlykke <stig@bjorlykke.org>
Reviewed-by: Peter Wu <peter@lekensteyn.nl>

docbook/release-notes.asciidoc

@@ -74,7 +74,7 @@ since version 2.6.0:
 * The build system now supports AppImage packages.
 * The Windows installers now ship with Qt 5.12.0. Previously they
   shipped with Qt 5.9.7.
-* Support for decrypting TLS streams in pcapng files that embedded a Decryption
+* Support for DTLS and TLS decryption using pcapng files that embed a Decryption
   Secrets Block (DSB) containing a TLS Key Log (wsbuglink:15252[]).
 * The editcap utility gained a new `--inject-secrets` option to inject an
   existing TLS Key Log file into a pcapng file.

epan/dissectors/packet-dtls.c

@@ -147,7 +147,6 @@ static expert_field ei_dtls_handshake_fragment_past_end_msg = EI_INIT;
 static expert_field ei_dtls_msg_len_diff_fragment = EI_INIT;
 static expert_field ei_dtls_heartbeat_payload_length = EI_INIT;
 
-static ssl_master_key_map_t dtls_master_key_map;
 #ifdef HAVE_LIBGNUTLS
 static GHashTable      *dtls_key_hash   = NULL;
 static wmem_stack_t    *key_list_stack  = NULL;
@@ -160,7 +159,6 @@ static dissector_handle_t  dtls_handle               = NULL;
 static StringInfo          dtls_compressed_data      = {NULL, 0};
 static StringInfo          dtls_decrypted_data       = {NULL, 0};
 static gint                dtls_decrypted_data_avail = 0;
-static FILE               *dtls_keylog_file          = NULL;
 
 static ssl_common_options_t dtls_options = { NULL, NULL};
 static const gchar *dtls_debug_file_name = NULL;
@@ -199,8 +197,8 @@ dtls_init(void)
   module_t *dtls_module = prefs_find_module("dtls");
   pref_t   *keys_list_pref;
 
-  ssl_common_init(&dtls_master_key_map,
-                  &dtls_decrypted_data, &dtls_compressed_data);
+  ssl_data_alloc(&dtls_decrypted_data, 32);
+  ssl_data_alloc(&dtls_compressed_data, 32);
 
   /* We should have loaded "keys_list" by now. Mark it obsolete */
   if (dtls_module) {
@@ -220,8 +218,8 @@ dtls_cleanup(void)
     key_list_stack = NULL;
   }
 #endif
-  ssl_common_cleanup(&dtls_master_key_map, &dtls_keylog_file,
-                     &dtls_decrypted_data, &dtls_compressed_data);
+  g_free(dtls_decrypted_data.data);
+  g_free(dtls_compressed_data.data);
 }
 
 #ifdef HAVE_LIBGNUTLS
@@ -787,9 +785,7 @@ dissect_dtls_record(tvbuff_t *tvb, packet_info *pinfo,
                                    dtls_record_tree, offset, session,
                                    is_from_server, ssl);
     if (ssl) {
-        ssl_load_keyfile(dtls_options.keylog_filename, &dtls_keylog_file,
-                         &dtls_master_key_map);
-        ssl_finalize_decryption(ssl, &dtls_master_key_map);
+        ssl_finalize_decryption(ssl, tls_get_master_key_map(TRUE));
         ssl_change_cipher(ssl, ssl_packet_from_server(session, dtls_associations, pinfo));
     }
     /* Heuristic: any later ChangeCipherSpec is not a resumption of this
@@ -1301,7 +1297,7 @@ dissect_dtls_handshake(tvbuff_t *tvb, packet_info *pinfo,
              * master key with this Session Ticket */
             ssl_dissect_hnd_new_ses_ticket(&dissect_dtls_hf, sub_tvb, pinfo,
                                            ssl_hand_tree, 0, length, session, ssl, TRUE,
-                                           dtls_master_key_map.tickets);
+                                           tls_get_master_key_map(FALSE)->tickets);
             break;
 
           case SSL_HND_HELLO_RETRY_REQUEST:
@@ -1336,15 +1332,13 @@ dissect_dtls_handshake(tvbuff_t *tvb, packet_info *pinfo,
             if (!ssl)
                 break;
 
-            ssl_load_keyfile(dtls_options.keylog_filename, &dtls_keylog_file,
-                             &dtls_master_key_map);
             /* try to find master key from pre-master key */
             if (!ssl_generate_pre_master_secret(ssl, length, sub_tvb, 0,
                                                 dtls_options.psk,
 #ifdef HAVE_LIBGNUTLS
                                                 dtls_key_hash,
 #endif
-                                                &dtls_master_key_map)) {
+                                                tls_get_master_key_map(TRUE))) {
                 ssl_debug_printf("dissect_dtls_handshake can't generate pre master secret\n");
             }
             break;
@@ -2000,7 +1994,7 @@ proto_register_dtls(void)
                                        "redirect dtls debug to file name; leave empty to disable debug, "
                                        "use \"" SSL_DEBUG_USE_STDERR "\" to redirect output to stderr\n",
                                        &dtls_debug_file_name, TRUE);
-    ssl_common_register_options(dtls_module, &dtls_options);
+    ssl_common_register_options(dtls_module, &dtls_options, TRUE);
   }
 
   dtls_handle = register_dissector("dtls", dissect_dtls, proto_dtls);

epan/dissectors/packet-tls-utils.c

@@ -9002,12 +9002,20 @@ ssl_common_register_dtls_alpn_dissector_table(const char *name,
 }
 
 void
-ssl_common_register_options(module_t *module, ssl_common_options_t *options)
+ssl_common_register_options(module_t *module, ssl_common_options_t *options, gboolean is_dtls)
 {
         prefs_register_string_preference(module, "psk", "Pre-Shared-Key",
              "Pre-Shared-Key as HEX string. Should be 0 to 16 bytes.",
              &(options->psk));
 
+        if (is_dtls) {
+            prefs_register_obsolete_preference(module, "keylog_file");
+            prefs_register_static_text_preference(module, "keylog_file_removed",
+                    "The (Pre)-Master-Secret log filename preference can be configured in the TLS protocol preferences.",
+                    "Use the TLS protocol preference to configure the keylog file for both DTLS and TLS.");
+            return;
+        }
+
         prefs_register_filename_preference(module, "keylog_file", "(Pre)-Master-Secret log filename",
              "The name of a file which contains a list of \n"
              "(pre-)master secrets in one of the following formats:\n"

epan/dissectors/packet-tls-utils.h

@@ -640,6 +640,14 @@ extern void
 ssl_common_cleanup(ssl_master_key_map_t *master_key_map, FILE **ssl_keylog_file,
                    StringInfo *decrypted_data, StringInfo *compressed_data);
 
+/**
+ * Access to the keys in the TLS dissector, for use by the DTLS dissector.
+ * (This is a transition function, it would be nice if the static keylog file
+ * contents was separated from keys derived at runtime.)
+ */
+extern ssl_master_key_map_t *
+tls_get_master_key_map(gboolean load_secrets);
+
 /* Process lines from the TLS key log and populate the secrets map. */
 extern void
 tls_keylog_process_lines(const ssl_master_key_map_t *mk_map, const guint8 *data, guint len);
@@ -2110,7 +2118,7 @@ ssl_common_register_dtls_alpn_dissector_table(const char *name,
     const char *ui_name, const int proto);
 
 extern void
-ssl_common_register_options(module_t *module, ssl_common_options_t *options);
+ssl_common_register_options(module_t *module, ssl_common_options_t *options, gboolean is_dtls);
 
 #ifdef SSL_DECRYPT_DEBUG
 extern void

epan/dissectors/packet-tls.c

@@ -310,6 +310,16 @@ ssl_cleanup(void)
     ssl_crandom_hash = NULL;
 }
 
+ssl_master_key_map_t *
+tls_get_master_key_map(gboolean load_secrets)
+{
+    // Try to load new keys.
+    if (load_secrets) {
+        ssl_load_keyfile(ssl_options.keylog_filename, &ssl_keylog_file, &ssl_master_key_map);
+    }
+    return &ssl_master_key_map;
+}
+
 #ifdef HAVE_LIBGNUTLS
 /* parse ssl related preferences (private keys and ports association strings) */
 static void
@@ -4160,7 +4170,7 @@ proto_register_tls(void)
              "Message Authentication Code (MAC), ignore \"mac failed\"",
              "For troubleshooting ignore the mac check result and decrypt also if the Message Authentication Code (MAC) fails.",
              &tls_ignore_mac_failed);
-        ssl_common_register_options(ssl_module, &ssl_options);
+        ssl_common_register_options(ssl_module, &ssl_options, FALSE);
     }
 
     /* heuristic dissectors for any premable e.g. CredSSP before RDP */

test/suite_decryption.py

@@ -107,6 +107,16 @@ class case_decrypt_dtls(subprocesstest.SubprocessTestCase):
         wfm_count = self.countOutput('Works for me!.')
         self.assertTrue(dt_count == 7 and wfm_count == 2)
 
+    def test_dtls_dsb_aes128ccm8(self, cmd_tshark, capture_file):
+        '''DTLS 1.2 with master secrets in a pcapng Decryption Secrets Block.'''
+        self.assertRun((cmd_tshark,
+                '-r', capture_file('dtls12-aes128ccm8-dsb.pcapng'),
+                '-x'
+            ))
+        dt_count = self.countOutput('Decrypted DTLS')
+        wfm_count = self.countOutput('Works for me!.')
+        self.assertTrue(dt_count == 7 and wfm_count == 2)
+
     def test_dtls_udt(self, cmd_tshark, dirs, capture_file, features):
         '''UDT over DTLS 1.2 with RSA key'''
         if not features.have_gnutls: