Add support for TK user input keys. With this Wireshark can
decrypt packet captures where 4WHS frames are missing and
packet captures with non-supported AKMs, for example
802.11r / Fast BSS Transitioning.
Decryption using user TK works as a backup if the normal
decryption flow does not succeed. Having TK decryption keys
added will affect general IEEE 802.11 dissector performance
as each encrypted packet will be tested with every TK.
Worst case scenario is plenty of TKs where none of them
matches encrypted frames.
On successful user TK decryption an SA is formed based on
parameters used to decrypt the frame. This SA is similar to
what is formed when Wireshark detects and derives keys from
4WHS messages. With the SA entry in place the decryption
performance (success case) should be on par with "normal"
decryption flow.
Bug: 16579
Change-Id: I72c2c1e2c6693131d3ba07f8ddb8ff772c1b54a9
Reviewed-on: https://code.wireshark.org/review/37217
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Change-Id: I283bab1ecdadc17589e2fbe944a457f5b5211970
Signed-off-by: Filipe Laíns <lains@archlinux.org>
Reviewed-on: https://code.wireshark.org/review/37317
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
The erf_dump function in erf.c keeps the header intact and
ignores the adjusted time.
This adds a section for checking if the timestamp is changed
and updating the header accordingly.
Bug: 16578
Change-Id: I14468a302e746c7a84cf5619b73b94850142d930
Reviewed-on: https://code.wireshark.org/review/37301
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
There is a window where the memory for the composite TVB can be leaked,
namely between calling tvb_composite_new and tvb_composite_finalize.
This can occur due to complex dissector logic (bug 16375) or due to
exceptions preventing tvb_composite_finalize from being called.
Fix this by attaching the composite TVB sooner to another TVB. Ideally
tvb_composite_new is changed to receive the initial TVB as parameter,
but that would change its API.
While at it, remove a redundant NULL-pointer check and comment. The
comment referring to a union was likely about avoiding the const-cast.
Bug: 16375
Change-Id: Ic8c6d1da6fbd5ff9f16b1280af3aab23f9ed470d
Reviewed-on: https://code.wireshark.org/review/37345
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
nghttp2_hd_inflate_hd has only been deprecated because its "in" argument
is non-const, aside from this aspect the implementation is equivalent.
For inflate_http2_header_block there is no difference since the buffer
is already non-const. However in fix_partial_header_dissection_support,
the given buffer is const. To avoid new -Wcast-qual warnings while
keeping the buffer read-only, just add a simple wrapper function.
This fixes a build failure reported for libnghttp2-devel
1.7.1-1.15.x86_64 on openSUSE Leap 42.3.
Change-Id: I9ab9305ffc5920f5e3f4866c2f0378d45008b57a
Reviewed-on: https://code.wireshark.org/review/37346
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Use proper functions to lookup/iterate elements in QHash
Avoid useless lookup
Change-Id: I7a115ae5ed35b31599f33050e36bf68007167a96
Reviewed-on: https://code.wireshark.org/review/37304
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Roland Knall <rknall@gmail.com>
Add an entry for CMAKE_OSX_DEPLOYMENT_TARGET to the CMake section.
Change-Id: I6b15d0e3dfeb501b61049b09a0cb94f6a9297353
Reviewed-on: https://code.wireshark.org/review/37337
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Make sure we set QIODevice::Text on our QTextStreams when saving and
exporting text so that we get native line endings on Windows.
Change-Id: I4602157d2d170eb9a2c79032254ea5be236c7589
Reviewed-on: https://code.wireshark.org/review/37336
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Fix the following deprecation issues for Qt 5.15:
Use Qt::WindowFlags() instead of 0 in Qt >= 5.6.
Pass Qt::SkipEmptyParts instead of QString::SkipEmptyParts to QString::split() in Qt >= 5.15.
Use QMultiMap instead of QMap where we were using QMap::uniqueKeys().
Use QCP::Interactions() instead of 0.
Use '\n' instead of QTextStream::endl.
Use QWheelEvent::angleDelta() instead of QWheelEvent::angle().
Change-Id: Ie2d69d3a396c0821c2c34f506ddad6f8e22f7049
Reviewed-on: https://code.wireshark.org/review/37334
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Since Wireshark 3.2 the filter toolbar no longer has an Expression button.
Remove this from the Users Guide as well.
Change-Id: I54d0356c42ff599296fa800e7d730e6098f35976
Reviewed-on: https://code.wireshark.org/review/37338
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Bug: 16255 - support HE MCS to rate conversion
Change-Id: I4a4a6c3d62c167b654d150c397047a55f287e6c8
Reviewed-on: https://code.wireshark.org/review/37255
Petri-Dish: Guy Harris <gharris@sonic.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <gharris@sonic.net>
Both bus id and device address are already known when creating interface
info on the first pass. Set the values early to prevent passing zero
initialized data to dissectors.
Change-Id: I50c748eb16e0ab39fdc84f2d7503c87ae48eeae9
Reviewed-on: https://code.wireshark.org/review/37328
Petri-Dish: Tomasz Moń <desowin@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Filipe Laíns <lains@archlinux.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Error:
./asn1/kerberos/packet-kerberos-template.c:109:2: error: unknown type name ‘enc_key_t’
./asn1/kerberos/kerberos.cnf: In function ‘dissect_kerberos_EncryptionKey’:
./asn1/kerberos/kerberos.cnf:386:7: error: unused variable ‘start_offset’ [-Werror=unused-variable]
./asn1/kerberos/kerberos.cnf: In function ‘dissect_kerberos_T_authenticator_subkey’:
./asn1/kerberos/kerberos.cnf:406:42: error: ‘save_Authenticator_subkey’ undeclared (first use in this function); did you mean ‘hf_kerberos_authenticator_subkey’?
./asn1/kerberos/kerberos.cnf:406:42: note: each undeclared identifier is reported only once for each function it appears in
./asn1/kerberos/kerberos.cnf: In function ‘dissect_kerberos_T_encTicketPart_key’:
./asn1/kerberos/kerberos.cnf:445:42: error: ‘save_EncTicketPart_key’ undeclared (first use in this function); did you mean ‘hf_kerberos_encTicketPart_key’?
./asn1/kerberos/kerberos.cnf: In function ‘dissect_kerberos_T_encKDCRepPart_key’:
./asn1/kerberos/kerberos.cnf:435:42: error: ‘save_EncKDCRepPart_key’ undeclared (first use in this function); did you mean ‘hf_kerberos_encKDCRepPart_key’?
./asn1/kerberos/kerberos.cnf: In function ‘dissect_kerberos_T_encAPRepPart_subkey’:
./asn1/kerberos/kerberos.cnf:416:42: error: ‘save_EncAPRepPart_subkey’ undeclared (first use in this function); did you mean ‘hf_kerberos_encAPRepPart_subkey’?
./asn1/kerberos/kerberos.cnf: In function ‘dissect_kerberos_T_krbCredInfo_key’:
./asn1/kerberos/kerberos.cnf:455:42: error: ‘save_KrbCredInfo_key’ undeclared (first use in this function); did you mean ‘hf_kerberos_krbCredInfo_key’?
cc1: all warnings being treated as errors
Change-Id: Ib9e38c3d745dd8a12ac8e4691918770a8b876727
Reviewed-on: https://code.wireshark.org/review/37313
Petri-Dish: Dario Lombardo <lomato@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
We should explicitly check that the security header indicates the use of
ciphering.
Change-Id: I0e6f50e180f95e03d6e1dd96db39a03543490be4
Reviewed-on: https://code.wireshark.org/review/37326
Petri-Dish: Pascal Quantin <pascal@wireshark.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Pascal Quantin <pascal@wireshark.org>
This improves the performance a lot if you have a keytab with a lot of
entries (e.g. for a whole domain).
GSSKRB5 decryption should only try the subkey of the AP-Rep.
We could further optimize this and remember the key
on the conversation after the first success, but
that's for another day.
Change-Id: I405e41e7d90073d569fcbeec4b4188453a251000
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-on: https://code.wireshark.org/review/37323
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Change-Id: I4d4014c6def44144461497ad4d92b9f32b4d3140
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-on: https://code.wireshark.org/review/37322
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
-Update dissection of the OSCORE option.
-Enable zero-length Sender and Recipient ID.
-Add ID Context field in preferences.
-Update context derivation to rfc8613.
-Extend context lookup to include ID context.
-Fix Observe responses.
Bug: 16585
Change-Id: Ib9823a54cf535be3559e1c41a19b8b612458777f
Reviewed-on: https://code.wireshark.org/review/37314
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Have completely separate definitions of krb5_fast_key(); the one used if
we don't have krb5_c_fx_cf2_simple() declares *all* parameters as
unused, as it's a stub routine.
Change-Id: I828c8d8f60634fcf537c2822f1a1c5db33ea2798
Reviewed-on: https://code.wireshark.org/review/37321
Petri-Dish: Guy Harris <gharris@sonic.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <gharris@sonic.net>
Note that Windows Package Manager (winget) and Scoop exist, but don't
currently provide all of the packages we require.
Change-Id: I69f6958faec3454f37eda79e5b76d3e70d399555
Reviewed-on: https://code.wireshark.org/review/37320
Reviewed-by: Anders Broman <a.broman58@gmail.com>
We already know about the top level message type.
So we only need an autodetection for the TGS-REP.
We could also avoid that, but that would need state to
match TGS-REQ with TGS-REP.
But if the client used FAST and we got a strengthen_key,
we're sure an authenticator subkey was used.
Windows doesn't use an authenticator subkey without FAST,
but Heimdal does.
For now try 8 before 9 in order to avoid overhead and false
positives for the 'kerberos.missing_keytype' filter in pure
windows captures.
Change-Id: If974dda735cd2aa5b1920c26309e5e2081723e4f
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-on: https://code.wireshark.org/review/37299
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Change-Id: I28bdf176818401c1e4e6ef15cf808e502fcf4989
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-on: https://code.wireshark.org/review/37300
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
We already know a few details in order to avoid the autodetection.
This avoids overhead and false positives for the
'kerberos.missing_keytype' filter.
Change-Id: I8a15fa41d2a56df3fb26de046a401bf43a876b79
Reviewed-on: https://code.wireshark.org/review/37298
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
It's useful to see which decryption keys are missing!
The "kerberos.missing_keytype" filter can be used to find all of them.
It's also useful to see which key_map was in use
and how many decryption attempts were tried.
This should also allow future optimizations in
order to avoid decryption attempts based on the usage
and more detailed key maps.
Change-Id: Ie0302454e29a65aa00ddac79839aac8ec63fa290
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-on: https://code.wireshark.org/review/37297
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Currently this is only available for MIT Kerberos, but it
should be possible to implement the same using
krb5_crypto_fx_cf2() from Heimdal.
Change-Id: Ic3327dfde770f9345485bf97e2ac6045b909b64e
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-on: https://code.wireshark.org/review/36472
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
This gives a useful overview.
Change-Id: I39aaa8cf5de6fa3788c674355675873f2212b78f
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-on: https://code.wireshark.org/review/37292
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
This way we can avoid zero_private on the stack.
Change-Id: Iea7ed7e1cd6d0616b0e72aeff489549efd13e4f4
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-on: https://code.wireshark.org/review/37291
Reviewed-by: Anders Broman <a.broman58@gmail.com>
That makes it easier to match them.
Change-Id: I29b9d69415d82a1ea7df275a89a413c2fd460b1f
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-on: https://code.wireshark.org/review/37289
Reviewed-by: Anders Broman <a.broman58@gmail.com>
In incomplete streams the http2 dissector fails to display the content of
a data packet following a header with unknown fields as
reassembly_info->data_initiated_in is not set.
Change-Id: I754bdc92049124bcc722a25f8cf791e36f8f523a
Reviewed-on: https://code.wireshark.org/review/37311
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
For now we use kerberos_all_keys, but in future we may select the
map based on passed usage.
Change-Id: I1f29e97aa60a41be3694b75bc4353b3a5dae0eae
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-on: https://code.wireshark.org/review/37288
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
This will be used temporarily in order to replace
enc_key_list until we maintain/use separate lists.
Note that this will use wmem_file_scope(), but it
will get the longterm keys filled in when needed.
In the long run, we'll use more detailed lists
and use optimizations depending on the key usage.
Change-Id: If654dcfbc9ec8742eadbbb82b97a23fe8403022d
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-on: https://code.wireshark.org/review/37287
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Distinguished Name (AFI 17) is not a widely used address family, but
there is ongoing work in the LISP IETF working group to standardize its
use within the LISP control plane protocol. The encoding is quite
simple, it's just a zero-terminated ASCII string. Details can be found
in the following IETF draft:
https://tools.ietf.org/html/draft-farinacci-lisp-name-encoding
A previous patch (https://code.wireshark.org/review/36892) added support
for DN in simple AFI usages. This patch adds support for DN within the
LISP Canonical Address Format (LCAF) usage.
Change-Id: Ic2dbbd1e36e2eabb91202c04eb86fdf151fe9928
Reviewed-on: https://code.wireshark.org/review/37275
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Add a "recent_common" description and update it and the "recent"
description. Update the "manuf" description. Alphabetize the lists of
configuration files. Update some markup.
Change-Id: I3d3cd451dbaa1778eb7dd841b162dff8c6ba99c1
Reviewed-on: https://code.wireshark.org/review/37310
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Here it's enough to try longterm keys from the keytab.
Change-Id: I4d98fd7aa456c5cf2ca175cdcefc0ad1a4a8be2d
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-on: https://code.wireshark.org/review/37286
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
This will replace enc_key_list in the long run,
but will hold only keytab entries, as that's what
the consumers outside of packet-kerberos.c are using.
Change-Id: Iba0436a0c1754232f0363cb1e9a905ac7c22986f
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-on: https://code.wireshark.org/review/37285
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
In the long run we'll remove enc_key_list and use a wmem_map instead.
Change-Id: I50a0a32eea4cb21bf2bcb5e97ed8eab6b847a75d
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-on: https://code.wireshark.org/review/37283
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Populate the dynamic table with dummy entries to ensure that nghttp2
will continue even if previous headers were missing (for example, due to
the capture starting in the middle of a plaintext h2c connection).
Bug: 16496
Change-Id: Ifb2fd4c6b8f3f93babed42e1f803048a695b23e9
Reviewed-on: https://code.wireshark.org/review/37278
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
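The commit above describes nghttp2 giving up when a HEADERS block refers to dynamic-table entries that an earlier, uncaptured block created. The following is an added example (not Wireshark's or nghttp2's code) of that failure and of the workaround: a minimal HPACK decoder that, on an out-of-range index, pads the old end of the dynamic table with placeholder entries and retries. It assumes no Huffman-coded strings, no table-size updates and no eviction, and the `<missing-header>` placeholder text is this example's own choice; the two header blocks are constructed inputs.

```python
"""Minimal HPACK (RFC 7541) decoder with a tolerant mode for captures that
start mid-connection.  Added illustration, not Wireshark or nghttp2 code.
Assumptions: no Huffman-coded strings, no dynamic table size updates and no
eviction; the DUMMY placeholder text is this example's own choice."""

STATIC_TABLE_SIZE = 61
# The subset of the RFC 7541 Appendix A static table this example needs.
STATIC_TABLE = {
    1: (":authority", ""), 2: (":method", "GET"), 3: (":method", "POST"),
    4: (":path", "/"), 5: (":path", "/index.html"), 6: (":scheme", "http"),
    7: (":scheme", "https"), 8: (":status", "200"),
}
DUMMY = ("<missing-header>", "")   # stands in for entries the capture never saw
MAX_PAD = 4096                     # refuse absurd indices from corrupt data


class MissingDynamicEntry(Exception):
    """An indexed reference points past the end of the dynamic table."""
    def __init__(self, index, table_len):
        super().__init__("index %d beyond table of %d" % (index, table_len))
        self.missing = index - table_len   # entries that would have to exist


def _read_int(block, pos, prefix_bits):
    """HPACK integer (RFC 7541 section 5.1); returns (value, next position)."""
    mask = (1 << prefix_bits) - 1
    value, pos = block[pos] & mask, pos + 1
    if value < mask:
        return value, pos
    shift = 0
    while True:
        byte, pos = block[pos], pos + 1
        value += (byte & 0x7F) << shift
        shift += 7
        if not byte & 0x80:
            return value, pos


def _read_string(block, pos):
    """HPACK string literal (section 5.2); the Huffman form is not handled here."""
    if block[pos] & 0x80:
        raise NotImplementedError("Huffman-coded string")
    length, pos = _read_int(block, pos, 7)
    return block[pos:pos + length].decode("ascii"), pos + length


def _lookup(dyn, index):
    if index == 0:
        raise ValueError("index 0 is never valid")
    if index <= STATIC_TABLE_SIZE:
        return STATIC_TABLE[index]   # KeyError for static entries not listed above
    table_len = STATIC_TABLE_SIZE + len(dyn)
    if index > table_len:
        raise MissingDynamicEntry(index, table_len)
    return dyn[index - STATIC_TABLE_SIZE - 1]   # dyn[0] is the newest entry, index 62


def decode_block(dyn, block):
    """Strict decoder: updates dyn in place, fails on an unknown dynamic index."""
    headers, pos = [], 0
    while pos < len(block):
        first = block[pos]
        if first & 0x80:                        # indexed header field (6.1)
            index, pos = _read_int(block, pos, 7)
            headers.append(_lookup(dyn, index))
        elif first & 0x40:                      # literal, incremental indexing (6.2.1)
            index, pos = _read_int(block, pos, 6)
            if index:
                name = _lookup(dyn, index)[0]
            else:
                name, pos = _read_string(block, pos)
            value, pos = _read_string(block, pos)
            dyn.insert(0, (name, value))        # newest entry becomes index 62
            headers.append((name, value))
        else:
            raise NotImplementedError("only 6.1 and 6.2.1 representations handled")
    return headers


def decode_block_tolerant(dyn, block):
    """Decode even if earlier blocks were never captured: when an index points
    past the table, pad the old end with DUMMY entries and try again."""
    while True:
        trial = list(dyn)                       # retry from a clean copy
        try:
            headers = decode_block(trial, block)
        except MissingDynamicEntry as exc:
            if exc.missing > MAX_PAD:
                raise
            dyn.extend([DUMMY] * exc.missing)
            continue
        dyn[:] = trial
        return headers


# Constructed sample: two HEADERS blocks sent by one client on an h2c connection.
FIRST_BLOCK = (bytes([0x82, 0x86, 0x44, 0x07]) + b"/index2"
               + bytes([0x41, 0x0F]) + b"www.example.com")
SECOND_BLOCK = bytes([0x82, 0x86, 0xBE, 0xBF])   # reuses dynamic indices 62 and 63


def demo():
    full = []
    decode_block(full, FIRST_BLOCK)
    complete = decode_block(full, SECOND_BLOCK)      # the capture saw everything
    try:                                             # the capture started late
        decode_block([], SECOND_BLOCK)
        strict_failed = False
    except MissingDynamicEntry:
        strict_failed = True
    tolerant = decode_block_tolerant([], SECOND_BLOCK)
    return complete, strict_failed, tolerant
```

The padded entries never carry real data: a decoder that shows `<missing-header>` is telling the analyst that the name/value lived in a block the capture does not contain, which is the honest output for a stream joined late.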
Report case 2b from https://tools.ietf.org/html/rfc7413#page-6 where the
server drops the data and sends a SYN-ACK acknowledging only the SYN
sequence number. Tested with tfo.pcapng from the linked bug.
Bug: 16559
Change-Id: Ia03b923f8192f025e2e81716e615d49db4bafe91
Reviewed-on: https://code.wireshark.org/review/37161
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
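Case 2b in the protocol overview of RFC 7413 is the server rejecting the cookie: it discards the data carried on the SYN and its SYN-ACK acknowledges only the SYN sequence number, whereas in case 2a the acknowledgment also covers the data. The example below, added here and not taken from Wireshark's TCP dissector, parses raw TCP headers, extracts the Fast Open option (kind 34, or the experimental kind 254 with magic 0xF989) and classifies the SYN-ACK by comparing its ACK number with the SYN's sequence number and payload length, with 32-bit wraparound. Ports, the cookie value and the segments are constructed; checksums are not computed.

```python
"""TCP Fast Open (RFC 7413) SYN-ACK classification over raw TCP segments.
Added illustration, not Wireshark's TCP dissector code.  Assumptions: the
input is a TCP header plus payload with the IP header already stripped,
checksums are ignored, and the sample cookie is an arbitrary 8-byte value."""
import struct

TCPOPT_EOL, TCPOPT_NOP, TCPOPT_TFO, TCPOPT_EXP = 0, 1, 34, 254
TFO_EXP_MAGIC = 0xF989            # experimental-option encoding of TFO
FLAG_SYN, FLAG_ACK = 0x02, 0x10
SEQ_MASK = 0xFFFFFFFF


def parse_tcp(segment):
    """Parse a TCP header and its options; raises ValueError on malformed input."""
    if len(segment) < 20:
        raise ValueError("short TCP header")
    _sport, _dport, seq, ack, off, flags, _win, _csum, _urg = struct.unpack("!HHIIBBHHH", segment[:20])
    hlen = (off >> 4) * 4
    if hlen < 20 or hlen > len(segment):
        raise ValueError("bad data offset")
    options, pos = [], 20
    while pos < hlen:
        kind = segment[pos]
        if kind == TCPOPT_EOL:
            break
        if kind == TCPOPT_NOP:
            pos += 1
            continue
        if pos + 1 >= hlen:
            raise ValueError("truncated option")
        length = segment[pos + 1]
        if length < 2 or pos + length > hlen:
            raise ValueError("bad option length")
        options.append((kind, segment[pos + 2:pos + length]))
        pos += length
    return {"seq": seq, "ack": ack, "flags": flags, "options": options, "payload": segment[hlen:]}


def tfo_cookie(options):
    """Cookie bytes from a TFO option (b'' for a cookie request), None if absent."""
    for kind, data in options:
        if kind == TCPOPT_TFO:
            return data
        if kind == TCPOPT_EXP and len(data) >= 2 and struct.unpack("!H", data[:2])[0] == TFO_EXP_MAGIC:
            return data[2:]
    return None


def classify_tfo_synack(syn, synack):
    """Compare the SYN-ACK's acknowledgment number with what the SYN carried."""
    if not (syn["flags"] & FLAG_SYN) or (syn["flags"] & FLAG_ACK):
        raise ValueError("first segment is not a SYN")
    if (synack["flags"] & (FLAG_SYN | FLAG_ACK)) != (FLAG_SYN | FLAG_ACK):
        raise ValueError("second segment is not a SYN-ACK")
    cookie = tfo_cookie(syn["options"])
    if cookie is None:
        return "no-tfo"
    if not syn["payload"]:
        return "tfo-cookie-request" if cookie == b"" else "tfo-no-data"
    syn_only = (syn["seq"] + 1) & SEQ_MASK
    syn_and_data = (syn["seq"] + 1 + len(syn["payload"])) & SEQ_MASK
    if synack["ack"] == syn_and_data:
        return "tfo-data-accepted"          # RFC 7413 section 3, case 2a
    if synack["ack"] == syn_only:
        return "tfo-data-dropped"           # case 2b: cookie rejected, data discarded
    return "tfo-ack-unexpected"


def build_segment(seq, ack, flags, options=b"", payload=b""):
    """Constructed test input: TCP header with arbitrary ports and a zero checksum."""
    options += b"\x00" * ((-len(options)) % 4)
    hlen = 20 + len(options)
    header = struct.pack("!HHIIBBHHH", 40000, 80, seq, ack, (hlen // 4) << 4, flags, 65535, 0, 0)
    return header + options + payload


COOKIE = bytes.fromhex("0123456789abcdef")                  # constructed cookie
TFO_OPT = bytes([TCPOPT_TFO, 2 + len(COOKIE)]) + COOKIE
REQUEST = b"GET / HTTP/1.1\r\n\r\n"
SYN = build_segment(1000, 0, FLAG_SYN, TFO_OPT, REQUEST)
SYNACK_ACCEPTED = build_segment(5000, 1000 + 1 + len(REQUEST), FLAG_SYN | FLAG_ACK)
SYNACK_DROPPED = build_segment(5000, 1000 + 1, FLAG_SYN | FLAG_ACK)
```

An analyst filtering on the dropped case gets a direct answer to "did the server actually accept my cookie?"; a SYN-ACK whose ACK matches neither value is flagged separately rather than silently treated as one of the two.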
The function used to search for an SA allocates one entry if none
exists. Searching for an SA is done in many places including on
packet decryption. In practice this means for every encrypted packet
with unique STA/BSSID an SA is allocated. This is a waste both from a
memory and performance point of view but also a limitation as with
the old static array SA storage decryption would fail when max
number of SAs is reached, i.e. decryption would fail for captures
with more than 256 unique STA/BSSIDs.
Separate the searching for SA entries and allocation of new SAs to
avoid allocating unnecessary SA entries.
Change-Id: I7ddc9ac4bad5d69e273f97f8f8fb38d34b59a854
Reviewed-on: https://code.wireshark.org/review/37308
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Simplify the SA storage by replacing the static array with a
hash table. This way there's no need to keep track of whether
an entry is used or not and no need to traverse the whole
array for the non-matching case. This change should benefit
performance but was mainly done to prepare for coming changes
where code adding and searching for SA entries is modified. With
this change in place those changes become cleaner.
Change-Id: Ide572c5e4e7e872f1654d8d8f288cd6451f04435
Reviewed-on: https://code.wireshark.org/review/37307
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
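Three of the 802.11 commits on this page describe one piece of key-selection logic: SAs kept in a hash table keyed by STA/BSSID, a lookup that no longer allocates an SA for frames it cannot decrypt, and the user-TK backup path that tries every supplied TK and, on success, records an SA so later frames from that pair take the normal route. The example below is added here to show that flow end to end and is not Wireshark's dot11decrypt code. Its cipher is a toy (SHA-256 keystream, truncated HMAC as the MIC) standing in for CCMP so the selection logic runs offline; addresses, keys and frames are constructed. The attempt counter makes the cost described above visible: the first frame from a pair pays for every TK in the list, the frames after it pay for one, and a frame whose key was never supplied pays the full list every time without leaving an SA behind.

```python
"""Key selection for encrypted 802.11 data frames: SA lookup without
allocation, fallback over user-supplied TKs, SA creation on success.
Added illustration, not Wireshark's dot11decrypt code.  The cipher is a toy
(SHA-256 keystream, truncated HMAC as MIC) standing in for CCMP so the
selection logic runs offline; it provides no real security."""
import hashlib
import hmac

MIC_LEN = 8


def _nonce(bssid, sta, pn):
    return bssid + sta + pn.to_bytes(6, "big")   # like CCMP: addresses plus packet number


def _keystream(tk, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(tk + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def toy_encrypt(tk, bssid, sta, pn, plaintext):
    nonce = _nonce(bssid, sta, pn)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(tk, nonce, len(plaintext))))
    return body + hmac.new(tk, nonce + body, hashlib.sha256).digest()[:MIC_LEN]


def toy_decrypt(tk, bssid, sta, pn, frame_body):
    """Plaintext, or None when the MIC does not verify under this TK."""
    body, mic = frame_body[:-MIC_LEN], frame_body[-MIC_LEN:]
    nonce = _nonce(bssid, sta, pn)
    expected = hmac.new(tk, nonce + body, hashlib.sha256).digest()[:MIC_LEN]
    if not hmac.compare_digest(mic, expected):
        return None
    return bytes(c ^ k for c, k in zip(body, _keystream(tk, nonce, len(body))))


class SaStore:
    """Security associations keyed by (BSSID, STA).  lookup() never allocates,
    so frames that cannot be decrypted leave no entry behind."""
    def __init__(self):
        self._sas = {}

    def lookup(self, bssid, sta):
        return self._sas.get((bssid, sta))

    def store(self, bssid, sta, tk, origin):
        self._sas[(bssid, sta)] = {"tk": tk, "origin": origin}

    def __len__(self):
        return len(self._sas)


def decrypt_frame(store, user_tks, frame):
    """Try the SA's key first (from a 4WHS or an earlier success), then every
    user TK.  Returns (plaintext or None, number of decryption attempts)."""
    bssid, sta, pn, body = frame
    attempts = 0
    sa = store.lookup(bssid, sta)
    if sa is not None:
        attempts += 1
        plaintext = toy_decrypt(sa["tk"], bssid, sta, pn, body)
        if plaintext is not None:
            return plaintext, attempts
    for tk in user_tks:                      # backup path: cost grows with the TK list
        attempts += 1
        plaintext = toy_decrypt(tk, bssid, sta, pn, body)
        if plaintext is not None:
            store.store(bssid, sta, tk, "user-tk")   # later frames take the fast path
            return plaintext, attempts
    return None, attempts


def demo():
    """Constructed traffic: one STA whose TK is the last of 21 user keys, plus a
    frame from a second STA whose key was never supplied."""
    bssid = bytes.fromhex("001122334455")
    sta, other_sta = bytes.fromhex("66778899aabb"), bytes.fromhex("ccddeeff0011")
    real_tk = hashlib.sha256(b"constructed TK").digest()[:16]
    user_tks = [hashlib.sha256(b"decoy %d" % i).digest()[:16] for i in range(20)] + [real_tk]
    frames = [(bssid, sta, pn, toy_encrypt(real_tk, bssid, sta, pn, b"frame %d" % pn))
              for pn in (1, 2, 3)]
    unknown_tk = hashlib.sha256(b"never supplied").digest()[:16]
    stray = (bssid, other_sta, 1, toy_encrypt(unknown_tk, bssid, other_sta, 1, b"secret"))
    store = SaStore()
    results = [decrypt_frame(store, user_tks, f) for f in frames]
    miss = decrypt_frame(store, user_tks, stray)
    return results, miss, len(store)
```

Because `lookup()` returns None instead of creating an entry, the stray frame costs 21 failed MIC checks but no memory, and the store holds only the one SA that a successful decryption justified.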