Commit Graph

23989 Commits

Author SHA1 Message Date
Peter Wu 36079a1eb5 ssl-utils: allow gcrypt without GnuTLS, improve structure
Fix distinction between HAVE_LIBGNUTLS and HAVE_LIBGCRYPT. If GnuTLS is
unavailable, then the only missing feature is decryption using an RSA
private key file. Regardless of GnuTLS, allow SSL decryption (e.g. using
an SSL key log file or a PSK configured via preferences).

This change has no functional effect when GnuTLS and gcrypt are both
available (or not). Additionally, decryption is possible if only
libgcrypt is available.

Further changes to make ssl-utils more maintainable and documented:
 - Group related functions, add markers and documentation. The following
   functions are moved (with no further modifications):
   - ssl_data_realloc, ssl_data_copy: related to StringInfo.
   - ssl_change_cipher, ssl_create_flow: related to the decryption of a
     session.
   - ssl_decompress_record: related to Record Decompression.
   - ssl_lib_init: moved to an arbitrary place.
   - ssl_set_server: moved closer to ssl_packet_from_server.
   - ssl_is_valid_content_type, ssl_is_valid_handshake_type: move closer
     to dissection code.
   - ssl_dissect_hnd_hello_ext_status_request,
     ssl_dissect_hnd_hello_ext_status_request_v2,
     ssl_dissect_hnd_hello_ext_elliptic_curves,
     ssl_dissect_hnd_hello_ext_ec_point_formats: move to TLS extensions.
 - Remove unused forward declaration of _gcry_rsa_decrypt.
 - ssl-packet-utils.h:
   - Remove ssl_equal, ssl_hash. These are only used in
     packet-ssl-utils.c.
   - ssl_private_key_equal, ssl_private_key_hash,
     ssl_common_register_options: inline when decryption is not
     possible.
   - Remove ws_symbol_export.h, enable SSL debug log when libgcrypt is
     compiled in (instead of depending on GnuTLS).
 - Move/merge stub code when GnuTLS or libgcrypt are not available:
   - ssl_find_cipher: move.
   - ssl_cipher_setiv: move.
   - ssl_generate_pre_master_secret, ssl_generate_keyring_material: move.

Compile-tested all combinations:
 - no GnuTLS, no libgcrypt: CentOS 6.
 - no GnuTLS, has libgcrypt: CentOS 6. Passes all decryption tests
   except for the ones that need an RSA private key file.
 - has GnuTLS, no libgcrypt: Arch Linux.
 - has GnuTLS, has libgcrypt: Arch Linux. The decryption tests pass.
(GnuTLS support is useless without gcrypt, but included for completeness.)

Change-Id: I727248937331f8788de8ed78248bb33296206096
Reviewed-on: https://code.wireshark.org/review/11052
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
2015-10-16 09:27:47 +00:00
Bradford Boyle 12fa38774a Correctly convert cflow.sysuptime to seconds
Change-Id: I4f2f90ab87eafda954f6161a319976b56c7c3cf1
Reviewed-on: https://code.wireshark.org/review/11081
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-10-16 06:43:54 +00:00
Adrian-Ken Rueegsegger ec44fbd575 Interpret DHCPv6 DUID-UUID type
Dissect DUID type 4 as DUID-UUID type specified in RFC 6355.

Note: The previously implemented interpretation of DUID type 4 as
      link-layer address (old) was according to DHCPv6 draft version 24
      which was removed again in revision 26 of the document, see [1][2].

[1] - http://www.ietf.org/rfcdiff?url1=draft-ietf-dhc-dhcpv6-23&url2=draft-ietf-dhc-dhcpv6-24
[2] - http://www.ietf.org/rfcdiff?url1=draft-ietf-dhc-dhcpv6-25&url2=draft-ietf-dhc-dhcpv6-26

Change-Id: Iaa2c083b7b1fd9f5fed959d436cbe0df71b98c0b
Reviewed-on: https://code.wireshark.org/review/11030
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-10-16 06:38:36 +00:00
Michal Labedzki f306038ef4 Bluetooth: GATT: Add support for Nordic's vendor UUIDs
Add DFU and UART services support.

Change-Id: I028fab3aa826c1d944ccfa0624cf33ce566a5099
Reviewed-on: https://code.wireshark.org/review/11015
Petri-Dish: Michal Labedzki <michal.labedzki@tieto.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-10-16 06:29:37 +00:00
Michal Labedzki 5e8c6291f4 USB: Fix bytes highlighting on setup part
In a case that Setup part is used as payload within rest of data
(setup and remaining data merged), no bytes are highlighted
on bytes pane. Also move next dissector tree under root tree.

Change-Id: If127f6f2061c60795f2b9940c3a6cb6034cdbdf7
Reviewed-on: https://code.wireshark.org/review/11026
Petri-Dish: Michal Labedzki <michal.labedzki@tieto.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-10-16 06:26:25 +00:00
Alexis La Goutte 40fe748f13 TCP(.h): fix comma at end of enumerator list [-Wpedantic]
Change-Id: Ib08036ce72bf84c4cca0b30f53d7f953aea379e1
Reviewed-on: https://code.wireshark.org/review/11054
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Reviewed-by: Matthieu Coudron <matthieu.coudron@lip6.fr>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-10-16 06:21:02 +00:00
Pascal Quantin fa156f097f Switch ports separator from long to short arrow
Not all systems support this glyph

Change-Id: I99784101b4d462991351554e44a5618bfea42a84
Reviewed-on: https://code.wireshark.org/review/11063
Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
Reviewed-by: Jörg Mayer <jmayer@loplof.de>
2015-10-15 21:26:25 +00:00
Peter Wu 9f6d155313 ssl: detect very small heartbeat size
Heartbeat requests with large payload sizes would not be detected
because the record length is smaller than the type, length and MAC,
resulting in an integer overflow. This patch corrects that issue by
moving the term to payload_length which is at most 0xffff.

While a record length smaller than 19 should be considered as
unencrypted, this was not obvious from the integer overflow in
`payload_length <= record_length - 16 - 3`. Explicitly check for that
condition although it makes no difference in the end.

When the payload + padding does not fit in the record, assume malicious
intent (Heartbleed) and do not display a padding. Instead display an
expert info item. Remove if(tree) due to the addition of expert info.
Tested with small-hb.pcap from the linked bug report.

Bug: 9983
Change-Id: I26b164632ecd6bdb49e78bbcb9b163f635c94628
Reviewed-on: https://code.wireshark.org/review/1105
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
2015-10-15 11:50:10 +00:00
Michal Labedzki feb6b58e28 Bluetooth: ATT: Support two requests at once
It is possible that requests will be sent from two devices
at the same time. Fix request-response tracking to support this case.

Change-Id: Iaacf910d952f8dff96073e7155ea4947f9b8cbc3
Reviewed-on: https://code.wireshark.org/review/11014
Petri-Dish: Michal Labedzki <michal.labedzki@tieto.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michal Labedzki <michal.labedzki@tieto.com>
2015-10-15 05:56:58 +00:00
Michal Labedzki 1479d6d48c Ubertooth: Add Jam and Ego command support
Jam and Ego commands have been added at end of July 2015.
Ego seems to be a sniffer for skateboard
wireless communication and control.

Change-Id: I676cdd3513d3124994ef35dce8d1d99e1c6f943a
Reviewed-on: https://code.wireshark.org/review/10521
Petri-Dish: Michal Labedzki <michal.labedzki@tieto.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-10-15 03:43:42 +00:00
João Valverde a643d14187 Change proto_tree_add_ipv6() to take a struct e_in6_addr pointer
tvb_get_ipv6() takes a struct e_in6_addr *, use that here too.

Change-Id: Id8b368daa05c151a61d4bc01dc88c00da13e9c88
Reviewed-on: https://code.wireshark.org/review/10953
Reviewed-by: Michael Mann <mmann78@netscape.net>
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Balint Reczey <balint@balintreczey.hu>
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
2015-10-14 12:18:00 +00:00
Martin Kaiser 894c3c08c8 [ssl handshake] remove unnecessary if (tree) checks
Change-Id: I0c4530fb739d6d1672a624d2b8c1accea99f6fdc
Reviewed-on: https://code.wireshark.org/review/10985
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-10-14 06:18:51 +00:00
Matthieu Coudron fb36a457ad Registers an MPTCP protocol with the prefix "mptcp".
Similar to TCP:
- Maps TCP connections to their respective MPTCP stream (mptcp.stream)
  based on the token/key.
- Ability to distinguish master subflow and to list subsequent subflows
- Can display relative MPTCP data sequence signal (DSS) sequence numbers/acks
  (mptcp.dss.dsn/mptcp.dss.ack), or absolute values
  (tcp.options.mptcp.rawdataack)
- Adds an MPTCP panel in Preferences
- fixes RM_ADDR analysis (i.e., it can contain several address ids)
- adds an MPTCP tap to list conversations in tshark -z "conv,mptcp"

Change-Id: I2766aa2f534c25b0f583ef84c20e74c7b2fa496e
Reviewed-on: https://code.wireshark.org/review/10577
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
2015-10-14 05:42:49 +00:00
Jeff Morriss 065c4646a6 TCP: only store up to 1000 unacked segments (in each direction).
If we're seeing only one side of a conversation (we're not seeing any ACKs)
then things get really, really slow as the number of unacked segments grows.

1000 is, of course, an arbitrary limit.

Bug: 11589
Change-Id: I42652965b736da50122c722e6ac386c4d481e57f
Reviewed-on: https://code.wireshark.org/review/10971
Petri-Dish: Jeff Morriss <jeff.morriss.ws@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-10-14 04:20:02 +00:00
Peter Wu 2f454a3f8c ssl-utils: fix anchoring matches in keylog file
Somehow "# CLIENT_RANDOM" would also be matched by the regex. It turns
out that glib requires two flags to enable anchoring.

This issue also causes silent truncation of keylog lines rather than
reporting no match.

Change-Id: Ib51265b6ec428988c222b4f3bc3cbc99ef0d72bf
Reviewed-on: https://code.wireshark.org/review/10933
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
2015-10-13 07:35:17 +00:00
Gergely Nagy a386fc99ac ssl-utils: Fix parsing pre-master-secrets in keylog-file
With "PMS_CLIENT_RANDOM xxxx yyyy" lines, only 32 byte long pre-master
secrets could be entered, but they are 48 byte long for RSA and can be
of any length for DHE cipher suites.

When a line had the "RSA xxxx yyyy" format then yyyy was previously
parsed with the <master_secret> regex group but it contains
the pre-master secret, so now it is parsed with the <pms> group.
This didn't cause a functional issue for RSA, but it couldn't be used
where the pre-master secret isn't 48 byte long.

After this change the regex will accept everything that was previously
working.

Change-Id: I71f43f3e9977a5e98758f387ad69893e8be0e27a
Reviewed-on: https://code.wireshark.org/review/10923
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
2015-10-13 07:34:24 +00:00
Dario Lombardo 1859ae8aca btatt: clear variable (CID 1268204)
Change-Id: Id4d057d730899fac14146845a530fae2525ba965
Reviewed-on: https://code.wireshark.org/review/10955
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
2015-10-12 22:57:05 +00:00
João Valverde f8ba1bdb76 IPv6: Make extension headers filterable
Change-Id: I8d36dbbe255a58b3ca1e4059a15e993155ca9ba1
Reviewed-on: https://code.wireshark.org/review/10708
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
2015-10-12 18:22:57 +00:00
Pascal Quantin 52e5ada040 NTP: fix dissection of SHA1 based message authentication code
The maximum MAC length is 160 bits, not 128. MAX_MAC_LEN can be safely
increased as an extension should be > 4 bytes.

Bug: 11580
Change-Id: I0ea5a1f85d644e57315f033f09241d7a79dd3a45
Reviewed-on: https://code.wireshark.org/review/10934
Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
Petri-Dish: Pascal Quantin <pascal.quantin@gmail.com>
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-10-12 04:23:51 +00:00
João Valverde 5823e6e50b Remove duplicate transport ports from proto tree summary
Don't display duplicate ports if transport name resolution is not
enabled (for UDP/TCP/DCCP).

Also introduce col_append_port() to handle info column port display
with name resolution in a uniform format.

Change-Id: Icb8ac45f726b7c539b4534c62061473e9b582753
Reviewed-on: https://code.wireshark.org/review/10804
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
2015-10-11 23:54:28 +00:00
João Valverde b752f97b0b IPv6: Don't call expert info under if(tree) (for options)
Change-Id: I94f096a0ca487311d44a03e4183732db015605b2
Reviewed-on: https://code.wireshark.org/review/10896
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
2015-10-11 23:53:31 +00:00
Martin Mathieson 3221dbf542 LTE RLC graphs - initial version
Change-Id: Ic5f2c353ae1f787ac19cb575a938cb093ff5f6dc
Reviewed-on: https://code.wireshark.org/review/10930
Petri-Dish: Martin Mathieson <martin.r.mathieson@googlemail.com>
Reviewed-by: Martin Mathieson <martin.r.mathieson@googlemail.com>
2015-10-11 21:59:45 +00:00
Philipp Hancke ccb5bcaa0d Allow TURN channeldata to be padded on both UDP and TCP.
Microsoft's Edge browser does this, UDP padding is a MAY in https://tools.ietf.org/html/rfc5766#section-11.5

Bug: 11584
Change-Id: I513638d8a3eb257576af3cfc8e6b81cc93b22d05
Reviewed-on: https://code.wireshark.org/review/10889
Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
Petri-Dish: Pascal Quantin <pascal.quantin@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
2015-10-11 05:34:44 +00:00
João Valverde 69a70df0a0 IPv6: Set destination address for RPL routing header
Change-Id: I5d83370424cc0002a0bf965138b7fbdad69557fb
Reviewed-on: https://code.wireshark.org/review/10895
Petri-Dish: Pascal Quantin <pascal.quantin@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
2015-10-10 18:44:26 +00:00
Gerald Combs 62d901bf05 Scan into a guint32 using %u.
Change-Id: Ic0fa25f3ad78e2a1923610a17f764e1b0623eabc
Reviewed-on: https://code.wireshark.org/review/10919
Reviewed-by: Michael Mann <mmann78@netscape.net>
2015-10-10 01:49:08 +00:00
Pedro Jose Marron 911da8b9d5 Support in 6lowpan for RFC4944 address generation
For the conversion of a 16-bit short address in 6lowpan to an IID, there
are several RFCs that produce different results. RFC 4944 section 6
specifies that the conversion uses the given PAN ID and the 16-bit short
address. RFC 6282, on the other hand, specifies that the conversion only
uses the 16-bit short address and no longer uses the PAN ID.

The current version of the 6lowpan dissector supports only the newer RFC
6282, but there are protocols out there that assume that the address
conversion still abides by RFC 4944.

In order to support these protocols and following the discussion from

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8970

this patch introduces a boolean preference in the 6lowpan dissector that
indicates whether or not the older RFC 4944 should be used for address
conversion. By default, it is set to FALSE, thus leaving the behavior of
the dissector unchanged.

Besides the boolean preference, another helper function
lowpan_addr16_with_panid_to_ifcid has been written that implements the
expected behavior from RFC 4944 using the same hint mechanism already in
place in the dissector for the support of RFC 6282.

Change-Id: I8d202c69a225d7b1212080a174e0111e5203553c
Reviewed-on: https://code.wireshark.org/review/10902
Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
Petri-Dish: Pascal Quantin <pascal.quantin@gmail.com>
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Gerald Combs <gerald@wireshark.org>
2015-10-10 00:10:34 +00:00
Pedro Jose Marron 4a45bd5bf4 Display of reserved octet in 6lowpan IPHC header
The 6lowpan standard specifies a reserved octet in the extended header
of an IP_PROTO_FRAGMENT packet in the same place used for the header
length for other extension headers.

The current version of the 6lowpan dissector displays the reserved octet
and the rest of the header (6 more bytes) together as data, as opposed to
displaying the reserved octet by itself and then the data (using the
data dissector).

This patch does not change the functionality of the dissector in any
way, only how the 7 bytes are displayed. Instead of displaying the
header information and then 7 bytes of data, it displays the reserved
octet and then the data. This is also consistent with the way the ipv6
dissector displays it (showing the reserved octet and its value).

For this purpose, there is a new hf (hf_6lowpan_nhc_ext_reserved) and
the corresponding proto_tree calls. Also, depending on the type of
extension header, the octets sent to the general data dissector are
shifted by one.

Change-Id: I4c7fb58a3364307e79517b979808f3e34a2e0b94
Reviewed-on: https://code.wireshark.org/review/10908
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
2015-10-09 23:34:10 +00:00
Peter Wu a7ab4af2ab airpdcap: add free_key_string function, fix memleaks
Do not leak the key and SSID. Note that there are still some leaks in
the GTK UI related to get_wireshark_keys(), but I did not track them
down.

Caught by LeakSanitizer.

Change-Id: I639166e6ea457605d6ae0ebd58e56d7594a7b7db
Reviewed-on: https://code.wireshark.org/review/10860
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
2015-10-09 14:35:41 +00:00
João Valverde 3dd7e69ed7 WSP: Fix add_addresses()
Change-Id: I25d84c725559f5f077dcc03fb425a89d87e90f55
Reviewed-on: https://code.wireshark.org/review/10897
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
2015-10-09 13:34:36 +00:00
João Valverde 41c94bfa7a FTP: Fix EPRT IPv6 set address
Change-Id: I944b3e6667027b251d0f3d894294bfda331abce2
Reviewed-on: https://code.wireshark.org/review/10898
Petri-Dish: Pascal Quantin <pascal.quantin@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
2015-10-09 12:18:20 +00:00
Pascal Quantin 03d853400c GTPv2: display Sequence Number as BASE_HEX_DEC
As requested on https://ask.wireshark.org/questions/46393/gtpv2-teid-and-sqn-decoded-in-decimal-instead-of-hexa-in-ws-1127

Change-Id: Id0963394959eff979129470c70258323653e3fdf
Reviewed-on: https://code.wireshark.org/review/10886
Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-10-08 19:04:19 +00:00
João Valverde bcd9849fae UDP: Fix forgotten column info
Change-Id: I620d24c1a1cf7340d651e8840275759de860e5ef
Reviewed-on: https://code.wireshark.org/review/10881
Petri-Dish: Pascal Quantin <pascal.quantin@gmail.com>
Reviewed-by: Evan Huus <eapache@gmail.com>
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
2015-10-08 13:05:59 +00:00
João Valverde e4863f9569 DCCP: Fix destination port offset
Regression introduced in ga459ac72

Change-Id: Ib69299280599b181f9068b3b81eb9fd74bb1d55d
Reviewed-on: https://code.wireshark.org/review/10882
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
2015-10-08 13:02:58 +00:00
Michael Mann ec82648b09 Replace or rename "duplicate" UDP protocols shown in Decode As
Change-Id: I8cfd1c223c70c7e03728af8b2f7cbf9354d7ad86
Ping-Bug: 3949
Reviewed-on: https://code.wireshark.org/review/10865
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Roland Knall <rknall@gmail.com>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-10-08 06:15:51 +00:00
Dario Lombardo 291bca0056 epl: fix bug in g_hash_table_lookup_extended() call (CID 1254382)
Change-Id: Iebf0fc5d3e86fba9a2ea4da5784256d820598e39
Reviewed-on: https://code.wireshark.org/review/10744
Reviewed-by: Michael Mann <mmann78@netscape.net>
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-10-08 04:08:55 +00:00
Nils Ohlmeier 546fe80b7a Added ICE TCP Framing support to STUN dissector
Change-Id: I1dddb09cb1eebc3d23375aa9d2450731fa51cb90
Reviewed-on: https://code.wireshark.org/review/10643
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-10-08 04:05:32 +00:00
Petr Gotthard c4f00a825d AMQP: Fix usage of p_(add|get)_proto_data.
The p_(add|get)_proto_data() functions are used to store data related
to an AMQP frame. The stored information gets overwritten if there are
multiple small AMQP frames in one TCP/IP packet.

As suggested by Pascal and https://code.wireshark.org/review/#/c/10579/,
we should use tvb_raw_offset as key for p_(add|get)_proto_data().

Change-Id: I860df8af51a6fbbef495985747313ae96402cc5c
Reviewed-on: https://code.wireshark.org/review/10836
Reviewed-by: Michael Mann <mmann78@netscape.net>
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
2015-10-07 12:08:11 +00:00
Pascal Quantin 8695303314 IPv6: add changes forgotten in gbedda9b
Bug: 11570
Change-Id: I5a8d89253becd550e0330c82ab0811c502db6d61
Reviewed-on: https://code.wireshark.org/review/10849
Petri-Dish: Pascal Quantin <pascal.quantin@gmail.com>
Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
2015-10-07 07:54:17 +00:00
Alexis La Goutte 4bd74c7def Update last updated DNS parameters (2015-07-26)
* draft-ietf-dnsop-delegation-trust-maintainance-14 => RFC 7344

Update also DNS-Based Authentication of Named Entities (DANE) Parameters
(2014-04-23) (no change)

Change-Id: I7aa7dddf8c26d2ea2ccb4a0533d835ce119737bd
Reviewed-on: https://code.wireshark.org/review/10825
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-10-07 06:50:43 +00:00
Alexis La Goutte c6742d9d91 DNS: Add DNS Cookie Option
draft-ietf-dnsop-cookies-05.txt

Change-Id: Ife550d8fe0c6604329c78bb34e94276050148a8a
Reviewed-on: https://code.wireshark.org/review/10824
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-10-07 06:50:01 +00:00
Peter Wu 877fd03cbf ssl-utils: load RSA keys based on their modulus+exponent
Load RSA private keys based on their public key instead of relying on
the user to specify a valid address and port mapping. This is more
reliable and prepares for simplification of the SSL Keys dialog.

After this change, the "address" part of the UAT dialog will be ignored
when loading the private key. The port+protocol mapping is still
imported, but should probably be removed too.

Change-Id: I4d7a2bfcf63d17e66e336ef770759f20510fc176
Reviewed-on: https://code.wireshark.org/review/10766
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-10-07 04:09:42 +00:00
Peter Wu 40ff4ffee8 ssl-utils: simplify private key storage, fix resource leaks
The certificate and GnuTLS private key are never used except for
reporting in the log file. Remove the unused certificate-related code
from the PKCS#12 file parsing. Report an immediate error instead of
opening key file if GnuTLS is disabled.

Made ssl_load_key and ssl_load_pkcs12 static, they are not used outside
the SSL dissector. If for some reason the PKCS#12 bag contains multiple
private keys, then the previous one would be overwritten (leaking
memory). Fix this by returning the first private key found.

Simplify key_hash (dtls_key_hash/ssl_key_hash) memory management, now
the table automatically frees keys/values when items are removed.

Fix memory leaks:
 - ssldecrypt_uat_fld_password_chk_cb: release ssl_load_pkcs12 memory.
 - ssl_load_key: avoid leaking gnutls_x509_privkey_t on error.
 - ssl_load_pkcs12: fix ssl_pkey leak on error path.

Change-Id: I5db6fecb0d74e5c78796392aeb17e3eb7985a2ef
Reviewed-on: https://code.wireshark.org/review/10764
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-10-07 04:04:59 +00:00
João Valverde 9fea515efc UDP: Refactor some dissector code
Add UDP length as a generated field of UDP-Lite subtree.

Change-Id: I35291cc5f5b2a8909a7124cbae8c39fc91d7751d
Reviewed-on: https://code.wireshark.org/review/10775
Reviewed-by: Evan Huus <eapache@gmail.com>
Petri-Dish: Evan Huus <eapache@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-10-07 03:55:43 +00:00
Alexis La Goutte cc1c23a980 BGP: Add BGP-Extended Message Capability
From draft-ietf-idr-bgp-extended-messages
Update BGP Capability Codes to 2015-09-30

Change-Id: I2f3b44ad8ad7a9e5444cdfbfb22bf7d0538ffbfc
Reviewed-on: https://code.wireshark.org/review/10826
Reviewed-by: Michael Mann <mmann78@netscape.net>
2015-10-07 02:43:46 +00:00
Pascal Quantin a37ac98c5e SCTP: fix dissection of DATA chunks
Regression introduced in gd52322e

Change-Id: I57baf53d81c7e95ea8ad15e4799033d341e4ee61
Reviewed-on: https://code.wireshark.org/review/10845
Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
2015-10-06 21:31:14 +00:00
AndersBroman 12b735d0dc [NSIP] Wrong offset used for proto_tree_add_bitmask() for the reset flag.
Change-Id: Ica9ed514e593079ba4cb287d4165eb6e967ec903
Reviewed-on: https://code.wireshark.org/review/10833
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
2015-10-06 15:14:33 +00:00
Roland Knall 63b9bc110d openSAFETY: Add Producer ID to info field
Cosmetic change, to better distinguish if multiple
 SPDO packages have been detected.

 This should also be back-ported to 1.12 and 2.0

Change-Id: I3d0b26ecb6e0cc60b3cdc9861920c5ccaeb70cbd
Reviewed-on: https://code.wireshark.org/review/10829
Reviewed-by: Roland Knall <rknall@gmail.com>
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
2015-10-06 12:17:31 +00:00
David Arnold 7e1f5247d8 Fix SoupBinTCP sequence number tracking.
Change-Id: Ia31b21894a6f0ba2da6cc2aea6babda9f37f5e09
Reviewed-on: https://code.wireshark.org/review/10579
Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
Petri-Dish: Pascal Quantin <pascal.quantin@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
2015-10-06 07:30:41 +00:00
Guy Harris e8d0bf8a5b Calculate the channel if we have only the frequency.
That way, the generic 802.11 radio dissector, and any future taps if we
add a tap with radio information, can get the channel for radiotap and
PPI headers, as we do for some other radio headers that supply just a
frequency.

Change-Id: I9e3037f69938bed3b3ba563689ff00aaed486a16
Reviewed-on: https://code.wireshark.org/review/10821
Reviewed-by: Guy Harris <guy@alum.mit.edu>
2015-10-06 06:48:13 +00:00
João Valverde a459ac72a2 Add BASE_PT_ field display types
Avoid displaying duplicate port numbers with transport name resolution disabled and
make some dissector code simpler.

Introduces port_with_resolution_to_str_buf() function and amends UDP/TCP/DCCP/SCTP to
use the new field display type.

Change-Id: Ifb97810b9c669ccbb1a310a2c0ffd6e2b63af210
Reviewed-on: https://code.wireshark.org/review/10625
Petri-Dish: Michael Mann <mmann78@netscape.net>
Reviewed-by: João Valverde <j@v6e.pt>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
2015-10-05 18:10:48 +00:00