A DTLS capture from Jitsi Videobridge for Windows x64 (v519) using a
(patched?) BouncyCastle 1.51.0 exposed the odd behavior where the
ProtocolVersion from the record layer was always fixed to DTLSv1.2 while
the server agrees to use DTLSv1.0.
This resulted in a Malformed packet dissection of the ServerKeyExchange
message which mistakenly expects a SignatureAndHash field. Fix this
by using the protocol version from the ServerHello. Keep the fallback
in case a capture starts in the middle of a SSL conversation.
(Also display "DTLS" instead of "SSL" when the version is not yet
determined for DTLS packets.)
Bug: 11709
Change-Id: I0719977e3b2208da1960121b01dc109fa76bfcb6
Reviewed-on: https://code.wireshark.org/review/11821
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
The SslSession struct contains a "version" field for displaying
purposes in the protocol column while the SslDecryptSession struct
has a "version_netorder" field for use in TLS hash functions (for
secrets calculations).
As these are strongly associated with each other, remove the
version_netorder field and its associated constants, let the SslSession
version field store this value instead. All SSL_VER_* are renamed to
appropriate *_VERSION macros (via search & replace), SSL_VER_UNKNOWN
is kept though.
The PCT and SSLv2 protocols had no wire value (*_VERSION), so
SSL_VER_PCT and SSL_VER_SSLv2 are assigned with some arbitrary values.
Warning: external plugins using the ssl_set_master_secret function
must now pass the wire version (TLSV1_VERSION) instead of the (now
removed) internal macros (SSL_VER_TLSv1).
Change-Id: Icd8ef15adae9c62eb21eab1c3b812166e451936f
Reviewed-on: https://code.wireshark.org/review/11820
Reviewed-by: Michael Mann <mmann78@netscape.net>
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Since ssl_dissector_[add|delete] only take TCP dissectors, remove the parameter and just use it within the "internal" ssl_association_add call.
Change-Id: I0fdf941389934c20cbacf910250e17520614e706
Reviewed-on: https://code.wireshark.org/review/11591
Petri-Dish: Michael Mann <mmann78@netscape.net>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Add expert info to the Change Cipher Spec tree when session resumption
is detected. This can be used as hint that decryption using a RSA key
file will not succeed because of missing key material.
The name of this expert info is "ssl.resumed" or "dtls.resumed" and the
expert info message is "This session reuses previously negotiated keys
(Session resumption)".
Change-Id: I4a83edb13417631c97d6cfc4a57e2086bd217878
Reviewed-on: https://code.wireshark.org/review/11583
Reviewed-by: Michael Mann <mmann78@netscape.net>
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
It ends up dragging in libwireshark headers, which programs not linking
with libwireshark shouldn't do. In particular, including
<epan/address.h> causes some functions that refer to libwireshark
functions to be defined if the compiler doesn't handle "static inline"
the way GCC does, and you end up requiring libwireshark even though you
shouldn't require it.
Move plurality() to wsutil/str_util.h, so that non-libwireshark code can
get it without including epan/packet.h. Fix includes as necessary.
Change-Id: Ie4819719da4c2b349f61445112aa419e99b977d3
Reviewed-on: https://code.wireshark.org/review/11545
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Add Wireshark/GnuTLS/Libgcrypt versions to the debug log file. Remove
ssl_lib_init since it didn't do anything useful (the debug file was not
open yet so it would write... nothing).
Match more (EC)DH(E) cipher suites and try to improve the message.
Add the human-readable name besides numeric cipher suite IDs.
Change-Id: I84a33d270f91e90efc55371475b231b483fd24c9
Reviewed-on: https://code.wireshark.org/review/11403
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Reviewed-by: Graham Bloice <graham.bloice@trihedral.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
This is to make sure that all expert info we see in the
main window will also appear in the expert info window.
The sample capture from bug 11561 shows this problem:
without this patch, the expert info with severity 'error'
don't show up in the expert info window.
Change-Id: Ia71ae7e248f57bf1344cf722ac57e74c517828d5
Reviewed-on: https://code.wireshark.org/review/11246
Petri-Dish: Michael Mann <mmann78@netscape.net>
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Change-Id: I3e72fddc6ed380780d7e2e1c8df87e580138188d
Reviewed-on: https://code.wireshark.org/review/11271
Petri-Dish: Jeff Morriss <jeff.morriss.ws@gmail.com>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Fix distinction between HAVE_LIBGNUTLS and HAVE_LIBGCRYPT. If GnuTLS is
unavailable, then the only missing feature is decryption using an RSA
private key file. Regardless of GnuTLS, allow SSL decryption (e.g. using
a SSL key log file or a PSK configured via preferences).
This change has no functional effect when GnuTLS and gcrypt are both
available (or not). Additionally, decryption is possible if only
libgcrypt is available.
Further changes to make ssl-utils more maintainable and documented:
- Group related functions, add markers and documentation. The following
  functions are moved (with no further modifications):
  - ssl_data_realloc, ssl_data_copy: related to StringInfo.
  - ssl_change_cipher, ssl_create_flow: related to the decryption of a
    session.
  - ssl_decompress_record: related to Record Decompression.
  - ssl_lib_init: moved to an arbitrary place.
  - ssl_set_server: moved closer to ssl_packet_from_server.
  - ssl_is_valid_content_type, ssl_is_valid_handshake_type: move closer
    to dissection code.
  - ssl_dissect_hnd_hello_ext_status_request,
    ssl_dissect_hnd_hello_ext_status_request_v2,
    ssl_dissect_hnd_hello_ext_elliptic_curves,
    ssl_dissect_hnd_hello_ext_ec_point_formats: move to TLS extensions.
- Remove unused forward declaration of _gcry_rsa_decrypt.
- ssl-packet-utils.h:
  - Remove ssl_equal, ssl_hash. These are only used in
    packet-ssl-utils.c.
  - ssl_private_key_equal, ssl_private_key_hash,
    ssl_common_register_options: inline when decryption is not
    possible.
- Remove ws_symbol_export.h, enable SSL debug log when libgcrypt is
  compiled in (instead of depending on GnuTLS).
- Move/merge stub code when GnuTLS or libgcrypt are not available:
  - ssl_find_cipher: move.
  - ssl_cipher_setiv: move.
  - ssl_generate_pre_master_secret, ssl_generate_keyring_material: move.
Compile-tested all combinations:
- no GnuTLS, no libgcrypt: CentOS 6.
- no GnuTLS, has libgcrypt: CentOS 6. Passes all decryption tests
except for the ones that need a RSA private key file.
- has GnuTLS, no libgcrypt: Arch Linux.
- has GnuTLS, has libgcrypt: Arch Linux. The decryption tests pass.
(GnuTLS support is useless without gcrypt, but included for completeness.)
Change-Id: I727248937331f8788de8ed78248bb33296206096
Reviewed-on: https://code.wireshark.org/review/11052
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Heartbeat requests with large payload sizes would not be detected
because the record length is smaller than the type, length and MAC,
resulting in an integer overflow. This patch corrects that issue by
moving the term to payload_length which is at most 0xffff.
While a record length smaller than 19 should be considered as
unencrypted, this was not obvious from the integer overflow in
`payload_length <= record_length - 16 - 3`. Explicitly check for that
condition although it makes no difference in the end.
When the payload + padding does not fit in the record, assume malicious
intent (Heartbleed) and do not display a padding. Instead display an
expert info item. Remove if(tree) due to the addition of expert info.
Tested with small-hb.pcap from the linked bugreport.
Bug: 9983
Change-Id: I26b164632ecd6bdb49e78bbcb9b163f635c94628
Reviewed-on: https://code.wireshark.org/review/1105
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
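An added example, not Wireshark's code, of the unsigned wrap in the expression `payload_length <= record_length - 16 - 3` quoted in the commit message above, next to the rearranged comparison that keeps every term on the `payload_length` side. The `hb_*` names and both sample records are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define HB_HEADER_LEN  3u  /* type (1 byte) + payload_length (2 bytes) */
#define HB_MIN_PADDING 16u /* the "16" term; RFC 6520 minimum padding */

typedef enum {
    HB_TRUNCATED,              /* record too short to hold the header */
    HB_WELL_FORMED,            /* payload and padding fit in the record */
    HB_PAYLOAD_EXCEEDS_RECORD  /* claimed payload cannot fit */
} hb_verdict;

/* Shape of the old comparison: the subtraction is unsigned, so any
 * record_length below 19 wraps to a value near 2^32 and every possible
 * payload_length appears to fit. */
static bool hb_fits_wrapping(uint32_t record_length, uint16_t payload_length)
{
    return payload_length <= record_length - HB_MIN_PADDING - HB_HEADER_LEN;
}

/* Constant terms moved to the payload_length side: the left-hand side is
 * at most 0xffff + 19, so nothing can wrap in 32 bits. */
static bool hb_fits_checked(uint32_t record_length, uint16_t payload_length)
{
    return (uint32_t)payload_length + HB_MIN_PADDING + HB_HEADER_LEN
           <= record_length;
}

/* Classify a plaintext heartbeat message using the supplied comparison. */
static hb_verdict hb_classify(const uint8_t *rec, size_t record_length,
                              bool (*fits)(uint32_t, uint16_t))
{
    if (record_length < HB_HEADER_LEN)
        return HB_TRUNCATED;
    uint16_t payload_length = (uint16_t)((rec[1] << 8) | rec[2]);
    return fits((uint32_t)record_length, payload_length)
               ? HB_WELL_FORMED
               : HB_PAYLOAD_EXCEEDS_RECORD;
}

/* Constructed sample: 3-byte record whose length field claims 0x4000. */
static const uint8_t hb_short_record[3] = { 0x01, 0x40, 0x00 };

/* Constructed sample: 4-byte payload followed by 16 zero padding bytes. */
static const uint8_t hb_ok_record[23] = { 0x01, 0x00, 0x04, 'p', 'i', 'n', 'g' };

int main(void)
{
    /* Exit status 0 when the checked form flags the short record. */
    hb_verdict v = hb_classify(hb_short_record, sizeof hb_short_record,
                               hb_fits_checked);
    return v == HB_PAYLOAD_EXCEEDS_RECORD ? 0 : 1;
}
```

With the wrapping form the 3-byte record is classified as well formed; with the checked form it is flagged, which is the case an analyst wants surfaced as an expert info item.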
Load RSA private keys based on their public key instead of relying on
the user to specify a valid address and port mapping. This is more
reliable and prepares for simplification of the SSL Keys dialog.
After this change, the "address" part of the UAT dialog will be ignored
when loading the private key. The port+protocol mapping is still
imported, but should probably be removed too.
Change-Id: I4d7a2bfcf63d17e66e336ef770759f20510fc176
Reviewed-on: https://code.wireshark.org/review/10766
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
The certificate and GnuTLS private key are never used except for
reporting in the log file. Remove the unused certificate-related code
from the PKCS#12 file parsing. Report an immediate error instead of
opening key file if GnuTLS is disabled.
Made ssl_load_key and ssl_load_pkcs12 static, they are not used outside
the SSL dissector. If for some reason the PKCS#12 bag contains multiple
private keys, then the previous one would be overwritten (leaking
memory). Fix this by returning the first private key found.
Simplify key_hash (dtls_key_hash/ssl_key_hash) memory management, now
the table automatically frees keys/values when items are removed.
Fix memory leaks:
- ssldecrypt_uat_fld_password_chk_cb: release ssl_load_pkcs12 memory.
- ssl_load_key: avoid leaking gnutls_x509_privkey_t on error.
- ssl_load_pkcs12: fix ssl_pkey leak on error path.
Change-Id: I5db6fecb0d74e5c78796392aeb17e3eb7985a2ef
Reviewed-on: https://code.wireshark.org/review/10764
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
When an SSL packet contains multiple encrypted contents the WS shows only the
last record due to the wrong indexing of the structure where the decrypted
contents are stored. Should use tvb_raw_offset(tvb)+offset instead of
offset as I think was intended.
Added the same fix for DTLS.
Bug: 11523
Change-Id: I0a977a0e6ebe7c45e526fa5152b8614463abd4fa
Reviewed-on: https://code.wireshark.org/review/10528
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Tested-by: Peter Wu <peter@lekensteyn.nl>
TLS can be tunnelled over other protocols (e.g. TLS over EAP
over 802.1x), which are neither TCP nor UDP. In this case,
we would assume DTLS, which is typically wrong. Assume TLS
instead.
Change-Id: I45d70789f7fa793861297fc2e7a5f2be311bbbb1
Reviewed-on: https://code.wireshark.org/review/10416
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Not only must characters that aren't printable ASCII characters be
escaped, backslashes must be escaped (as backslash is an escape
introducer) and double-quotes must be escaped (as double-quotes
encapsulate strings).
When constructing a string to hand to uat_load_str(), escape pathnames,
as they are likely to contain backslashes on Windows, could contain
backslashes on UN*X, and could contain quotes on UN*X and possibly
Windows. (Arguably, we should escape all the string arguments
Bug: 11372
Change-Id: I594840327fa41895130903c3c612ba97d6c29df3
Reviewed-on: https://code.wireshark.org/review/9716
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Minor functional change: instead of an empty hash table, now the
ssl_session_hash and ssl_crandom_hash structures point will be set to
NULL when files are closed.
API change: drop the ssl_keylog_file parameter from ssl_common_init,
add a new ssl_common_cleanup parameter instead.
Change-Id: I65efe71f8347fe9685359f8ed70cfb9673712421
Reviewed-on: https://code.wireshark.org/review/9226
Reviewed-by: Michael Mann <mmann78@netscape.net>
SSL traffic from tshark with -o ssl.keys_list.
For example, as used in a new test also added in this commit:
-o "ssl.keys_list: 127.0.0.1,9131,http,$TEST_KEYS_DIR/key.p12,WebAS"
Change-Id: Ia6960fa4ae88182277f6d22d84ec9170ea74d54e
Reviewed-on: https://code.wireshark.org/review/8746
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
When specifying a filename preference (e.g. the SSL pre-master secret
log filename) don't warn about overwriting the file. Most of the time
we're reading the file and when we're not (e.g. for the SSL debug log)
overwriting it is kind of the point.
Preference descriptions are plain text. We display them in tooltips as
rich text. Convert them accordingly.
Fixup some of the SSL preference descriptions.
Bug: 11010
Change-Id: I4f1b1f3dd270c01648d9dd52ae20381c3c0d2e37
Reviewed-on: https://code.wireshark.org/review/8665
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Change-Id: Icb81649363725c92f94dde5cb28cbba0f6ab5099
Reviewed-on: https://code.wireshark.org/review/7687
Reviewed-by: Michael Mann <mmann78@netscape.net>
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
This allows for exporting the SSL session keys for captures which were
decrypted using a RSA certificate, but where the server does not support
session resumption.
To avoid frequent reallocations, the expected length is used as initial
string size.
Tested against a nginx server with ssl_session_cache off.
Note that all keys loaded via ssl.keylog_file are exported, not just the
displayed ones!
Change-Id: Ie3a93d3692885502f46442953fa53303d16672d7
Reviewed-on: https://code.wireshark.org/review/7175
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
TLSv1.2 gained an additional SignatureAndHashAlgorithm field for fields
marked with the digitally-signed attribute. This was already implemented
before for ServerKeyExchange, let's reuse that.
Note that the SignatureAndHashAlgorithm tree and fields (hash algo,
signature algo) are repurposed in a different context, but since the
structure is the same it is kept like this.
By the way, add support for DTLSv1.2 too. RFC 6347 section 4.2.6
suggests that the implementation is the same (as far as the dissector is
concerned).
Also update the comments and remove the additional "Signature with
client's private key" subtree since the CertificateVerify message has no
other items.
Bug: 11045
Change-Id: I025901b85e607f04d60357ff14187cc13db2ae5d
Reviewed-on: https://code.wireshark.org/review/7650
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Tested-by: Peter Wu <peter@lekensteyn.nl>
Reviewed-by: Michael Mann <mmann78@netscape.net>
When a TLS record is fragmented over multiple TCP segments, with its
first byte in one segment, and the remainder over the others,
ssl_looks_like_sslv3() throws an exception because it tries to access
the third byte.
This breaks the encryption state, resulting in very weird (scrambled)
decrypted data. To fix this, check the record size before using it. Also
add TLSv1.1 and TLSv1.2 as known version.
Change-Id: Ie0ca78302a5d6c4241ea699d2ef6f7b873dd51ee
Reviewed-on: https://code.wireshark.org/review/7234
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
All STARTTLS-like dissectors (protocols which can switch to SSL/TLS
after a protocol command) currently fail to get called after decryption.
The reason for this is that the port is not registered for SSL
dissection via ssl_dissector_add. Besides this, the MySQL dissector
breaks in the event of multiple segments because it does not properly
set desegmentation.
The call path TCP | App | SSL | App is a bad, error-prone pattern which
requires duplication of required functionality in dissectors. This patch
makes it possible to bypass the App (TCP | SSL | App) by registering SSL as
the conversation dissector after a STARTTLS switch.
Logical overview of changes:
- Move srv_addr, srv_ptype and srv_port to SslSession and adjust the
  users. This allows passing SslSession around which will never be null
  unlike SslDecryptSession. This is needed for looking up the packet
  direction (server or client) before calling a subdissector.
- Add app_handle to store the dissector and last_nontls_frame the
  frame that initiated STARTTLS.
- The same app_handle is now used to store the dissector handle from
  a ssl association.
- Moved conversation data (SslDecryptSession) to ssl-utils to avoid
  code duplication. Merge ssl_session_init into it. The new
  ssl_session_get() is needed for STARTTLS frame/handle storage.
- Introduce new "ssl_starttls_ack" function to signal the last non-TLS
  packet.
- Ensure that match_uint is set before calling the conversation
  dissector. This ensures that dissectors using match_uint to check
  the direction of a packet (client vs. server) see the TCP port
  instead of the IP proto. At least the MySQL and SMTP dissectors
  require such special treatment.
- Move epan/conversation.h outside HAVE_LIBGNUTLS, remove from dtls
  (as it is already included by ssl-utils).
- Various comment/debug string updates. Remove outdated comment before
  SSL association lookup.
Besides setting match_uint and caching the app_handle, existing
dissectors should not be affected by this patch. Follow-up patches
will update existing dissectors to use the new ssl_starttls_ack
interface.
Bug: 9515
Change-Id: I795d16b6a901e672a5d89e922adc7e5bbcda0333
Reviewed-on: https://code.wireshark.org/review/6872
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Change-Id: I009c09f25d170e5c9aaaef713eaacb3252817856
Reviewed-on: https://code.wireshark.org/review/6460
Petri-Dish: Michael Mann <mmann78@netscape.net>
Reviewed-by: Evan Huus <eapache@gmail.com>
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Most of the remaining ep_ uses are grouped with specific functionality.
Change-Id: I8fa64a17acc6bcdcf6891b2d28715ac0c58f1a4a
Reviewed-on: https://code.wireshark.org/review/6484
Reviewed-by: Michael Mann <mmann78@netscape.net>
Change-Id: I4a803d83844d937804849b2ad3b067381c9b96d0
Reviewed-on: https://code.wireshark.org/review/6448
Petri-Dish: Evan Huus <eapache@gmail.com>
Reviewed-by: Evan Huus <eapache@gmail.com>
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Fifth batch (packet-rtp.c -> end).
Will look at cleaning up and committing script afterwards.
Change-Id: I8ed61dc941d98d3f7259a9d1f74e214eb7b4bfa2
Reviewed-on: https://code.wireshark.org/review/6052
Reviewed-by: Martin Mathieson <martin.r.mathieson@googlemail.com>
Specifically:
- Set packet.h to be the first wireshark #include after
  config.h and "system" #includes.
  packet.h added as an #include in some cases when missing.
- Remove some #includes included (directly/indirectly) in
  packet.h. E.g., glib.h.
  (Done only for those files including packet.h).
- As needed, move "system" #includes to be after config.h and
  before wireshark #includes.
- Rework various #include file specifications for consistency.
- Misc.
Change-Id: Ifaa1a14b50b69fbad38ea4838a49dfe595c54c95
Reviewed-on: https://code.wireshark.org/review/5923
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Reviewed-by: Bill Meier <wmeier@newsguy.com>
This allows dissector lists to be looked up by name, so they can be
shared by multiple dissectors.
(This means that there's no "udplite" heuristic dissector list, but
there shouldn't be one - protocols can run atop UDP or UDPLite equally
well, and they share a port namespace and uint dissector table, so they
should share a heuristic dissector table as well.)
Change-Id: Ifb2d2c294938c06d348a159adea7a57db8d770a7
Reviewed-on: https://code.wireshark.org/review/5936
Reviewed-by: Guy Harris <guy@alum.mit.edu>
(for some dissectors which fetch all other integral fields using
ENC_BIG_ENDIAN).
Change-Id: Ic18e3172aad76af12b12d6732c88497be22aed56
Reviewed-on: https://code.wireshark.org/review/5748
Reviewed-by: Bill Meier <wmeier@newsguy.com>
Store all handshake messages in a buffer so that we can hash them
correctly when generating the master secret.
This change does not work correctly for DTLS retransmitted packets that
are in the handshake, as they will be hashed twice, which is bad. Looking
for ideas to implement this.
Bug: 10686
Change-Id: Ied01d4cc37b4270f325070a8d1630d3123577a0d
Reviewed-on: https://code.wireshark.org/review/5168
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
This should make it possible to add checkfiltername.pl to the pre-commit script.
Change-Id: Icdee7e4ea3381fa1467bb4b5caf0f60c255adec0
Reviewed-on: https://code.wireshark.org/review/5166
Reviewed-by: Michael Mann <mmann78@netscape.net>
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Changed the entries so that users have access to the whole certificate in
tshark. This allows developers to process the certs in custom ways
Change-Id: I113d60b2b3f12c6b15a644ec02bbebf7134f0ece
Reviewed-on: https://code.wireshark.org/review/5119
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
All of the calls removed are followed by proto_tree_add_xxx calls of the same offset/length of the tvb_ensure_bytes_exist call. The proto_tree_add_xxx calls should throw the exception, so we don't need the "double check".
There are probably more calls that can be removed, these were just obvious at first glance, spurred mostly by noticing the (ab)use in packet-wsp.c
Change-Id: I37cee347c8cf8ab0559e21562c802d3b37f4871e
Reviewed-on: https://code.wireshark.org/review/4833
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Patch "ssl,dtls: simplify keyfile handling" did not account for the use
case where packets are captured and decrypted on the fly using
SSLKEYLOGFILE.
This patch restores that functionality by reading additional lines from
the keylog file when needed (to preserve the benefit of not having to
read the full file) and by watching the open file for deletions.
"Deletion" is detected by comparing st_dev and st_ino. Since these may
be useless on Windows, the size is also checked.
Change-Id: Ieadaef1426a9270587293db28f4dda33b3d17334
Reviewed-on: https://code.wireshark.org/review/3190
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Reviewed-by: Evan Huus <eapache@gmail.com>
Petri-Dish: Evan Huus <eapache@gmail.com>
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Michael Mann <mmann78@netscape.net>
Previously, the keylog file would be fully parsed when an encrypted
pre-master secret is encountered or in the ChangeCipherSpec stage. There
was also a lot of duplication in the key logfile parsing.
This patch simplifies the key logfile parsing by using regular
expressions. Rather than scanning the key logfile for a specific key,
do this scan once at ssl init and save the results to a hashtable. The
map for session ID/tickets to master keys already existed, another one
for client random to master key and encrypted pre-master to pre-master
was added. This could later also be wired to the "Export SSL Keys"
menu item for improved reliability (when no session ID or tickets are
available, the client random could be used).
The ssl_{save,restore}_session{,_ticket} functions have been converted
to a single function that looks up a key (sid / client random / encr.
pre-master) to a (pre-)master secret.
Other minor changes: return booleans for some functions that can only
fail/pass. Remove some functions from the ssl-utils header that have
become private a few commits ago. Remove some outstanding issues
from the comments in packet-ssl as they are already done, add myself
to the ssl-utils header.
These changes pass the test suite and the sample Session Ticket-enabled
capture from https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5963
On-the-fly decryption is broken with this patch since keylog files are
read once at the start of a capture. This will be solved in a future
patch.
Change-Id: Idb343abe161950b5f3ff61bee093d0f4ef9655bd
Reviewed-on: https://code.wireshark.org/review/3057
Reviewed-by: Evan Huus <eapache@gmail.com>
Petri-Dish: Evan Huus <eapache@gmail.com>
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Reviewed-by: Michael Mann <mmann78@netscape.net>
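An added example, not the project's code, of the approach this commit message describes: scan the key log once with regular expressions, file each line under one of the three maps, then resolve any key through a single lookup function. It assumes the commonly documented key log line forms (`CLIENT_RANDOM`, `RSA Session-ID:… Master-Key:…`, `RSA <encrypted pre-master prefix>`), uses POSIX `regex.h` and a linear table in place of a hash table, and every `kl_*` name and sample value is constructed.

```c
#include <ctype.h>
#include <regex.h>
#include <string.h>

typedef enum { KL_NONE, KL_CLIENT_RANDOM, KL_SESSION_ID, KL_ENC_PMS } kl_kind;
typedef struct {
    kl_kind kind;
    char key[65];    /* lookup key, lowercase hex (at most 32 bytes) */
    char secret[97]; /* 48-byte (pre-)master secret, lowercase hex */
} kl_entry;

/* One pattern per map; group 1 is the lookup key, group 2 the secret. */
static const struct { kl_kind kind; const char *re; } kl_patterns[] = {
    { KL_CLIENT_RANDOM, "^CLIENT_RANDOM ([0-9A-Fa-f]{64}) ([0-9A-Fa-f]{96})$" },
    { KL_SESSION_ID,
      "^RSA Session-ID:([0-9A-Fa-f]{2,64}) Master-Key:([0-9A-Fa-f]{96})$" },
    { KL_ENC_PMS, "^RSA ([0-9A-Fa-f]{16}) ([0-9A-Fa-f]{96})$" },
};

static void kl_copy_lower(char *dst, const char *src, size_t len)
{
    for (size_t i = 0; i < len; i++)
        dst[i] = (char)tolower((unsigned char)src[i]);
    dst[len] = '\0';
}

/* Parse one line (newline already stripped); returns the map it feeds. */
static kl_kind kl_parse_line(const char *line, kl_entry *out)
{
    for (size_t p = 0; p < sizeof kl_patterns / sizeof kl_patterns[0]; p++) {
        regex_t re;
        regmatch_t m[3];
        if (regcomp(&re, kl_patterns[p].re, REG_EXTENDED) != 0)
            continue;
        int rc = regexec(&re, line, 3, m, 0);
        regfree(&re);
        if (rc != 0)
            continue;
        size_t klen = (size_t)(m[1].rm_eo - m[1].rm_so);
        if (klen % 2 != 0) /* hex must encode whole bytes */
            return KL_NONE;
        out->kind = kl_patterns[p].kind;
        kl_copy_lower(out->key, line + m[1].rm_so, klen);
        kl_copy_lower(out->secret, line + m[2].rm_so, 96);
        return out->kind;
    }
    return KL_NONE;
}

/* Scan the whole key log once; comments and malformed lines are skipped. */
static size_t kl_load(const char *text, kl_entry *table, size_t cap)
{
    size_t n = 0;
    while (*text != '\0' && n < cap) {
        size_t len = strcspn(text, "\n");
        size_t copy = (len > 0 && text[len - 1] == '\r') ? len - 1 : len;
        char line[256]; /* longest valid line is 187 characters */
        if (copy < sizeof line) {
            memcpy(line, text, copy);
            line[copy] = '\0';
            if (kl_parse_line(line, &table[n]) != KL_NONE)
                n++;
        }
        text += len;
        if (*text == '\n')
            text++;
    }
    return n;
}

/* Single lookup for all three maps; the key must be lowercase hex. */
static const char *kl_lookup(const kl_entry *table, size_t n, kl_kind kind,
                             const char *key_lower_hex)
{
    for (size_t i = 0; i < n; i++)
        if (table[i].kind == kind && strcmp(table[i].key, key_lower_hex) == 0)
            return table[i].secret;
    return NULL;
}

/* Constructed sample key log: placeholder hex, not real key material. */
#define K32 "00112233445566778899aabbccddeeff"
#define S32 "ffeeddccbbaa99887766554433221100"
static const char kl_sample[] =
    "# constructed sample\n"
    "CLIENT_RANDOM " K32 K32 " " S32 S32 S32 "\n"
    "RSA Session-ID:" K32 " Master-Key:" S32 S32 S32 "\r\n"
    "RSA AABBCCDDEEFF0011 " S32 S32 S32 "\n"
    "CLIENT_RANDOM deadbeef " S32 "\n"; /* wrong lengths: rejected */

int main(void)
{
    kl_entry table[8];
    return kl_load(kl_sample, table, 8) == 3 ? 0 : 1;
}
```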
Changes:
- dtls: also support saving session tickets.
- Drop the length check and let proto_tree_add_item throw exceptions
  on length errors.
- Use proto_tree_add_item instead of proto_tree_add_uint.
- Drop "TLS" from header field descriptions, the RFC does not name it
  as such and DTLS can also use it (a draft is in progress that extends
  DTLS with Session Tickets,
  draft-hummen-dtls-extended-session-resumption-01).
Change-Id: I11195217368b7200821d11289b1c5870a1ffe637
Reviewed-on: https://code.wireshark.org/review/3029
Reviewed-by: Evan Huus <eapache@gmail.com>
Changes to ClientHello dissection:
- Move ssl_find_private_key (and its pre-req, ssl_set_server) outside
  ssl_dissect_hnd_cli_hello. It does not really have anything to do with
  dissection, but with state tracking and decoder param feeding.
- dtls: add expert info for bad cipher suites len.
- ssl: remove bad cipher suites len text label which is also
  available as expert info. Attach expert info to the length proto
  item (which is converted to use add_item instead of add_uint).
- Remove `if (tree || ssl)` since expert info seems not to apply
  otherwise (this also needs changes in common and handshake
  dissection).
- ssl: remove tvb_ensure_bytes_exist so we can dissect more
  compression methods and cipher suites.
- Since DTLS has an additional Cookie field which TLS does not have,
  pass these additional header fields through a struct whose type is
  defined in ssl-utils.
Change-Id: I41bef04c1c3353e582e30f561d1d246a744e1d60
Reviewed-on: https://code.wireshark.org/review/3021
Reviewed-by: Evan Huus <eapache@gmail.com>
Changes to ServerHello:
- Get rid of session parameter as the SslDecryptSession already
  provides a reference to SslSession. Done for the new
  ssl_dissect_hnd_srv_hello and ssl_dissect_hnd_hello_ext functions.
- No need to generate the keyring here, decryption is only needed after
  ChangeCipherSpec and the keyring will be generated there provided
  that there are enough params (cipher, version, master-secret, etc.)
- Get rid of labels and goto in favor of if/else.
- DTLS: SSL_HAVE_SESSION_KEY is implicitly set when
  ssl_generate_keyring_material succeeds, no need to set it. Remove it.
- Remove `if (tree || ssl)` since expert info seems not to apply
  otherwise (this also needs changes in common and handshake
  dissection). (Expert info from the TLS extensions, not the
  ServerHello itself.)
Other changes:
- ClientHello: renamed some fields shared with ServerHello.
Change-Id: I466b905d990489e03250bac97bf9d862ff82ce6c
Reviewed-on: https://code.wireshark.org/review/3020
Reviewed-by: Evan Huus <eapache@gmail.com>
My previous change removed master-key retrieval in the Server Hello.
This broke decryption when ClientKeyExchange is missing. That was done
because decryption is only needed after ChangeCipherSpec.
This patch moves the remaining initialization in ClientKeyExchange to
ChangeCipherSpec. In theory this could fix decryption of DTLS traffic
when an abbreviated handshake is used (and thus keyring material is
never generated in ClientKeyExchange since it is not called).
It also avoids saving a session ticket with an empty key which can
happen when no RSA key is present, but the NewSessionTicket message
is received. This could lead to garbage decryption.
Change-Id: If0f475232c270b1d7b006c1f9af0e8d8098c6b65
Reviewed-on: https://code.wireshark.org/review/3019
Reviewed-by: Hauke Mehrtens <hauke@hauke-m.de>
Reviewed-by: Evan Huus <eapache@gmail.com>
Based on DTLS code with changes merged from SSL. Changes:
- Ignore large Session IDs, this was not harmful though since the
  backing storage was 256 bytes in size.
- {ssl,dtls}.handshake.random: fixed description, it is not used like
  a SSLv2 random challenge.
- dtls: also debug print client/server for random
- SSL: the common dissector now returns an offset rather than dissected
  length.
- dtls: display actual Session ID bytes in the UI rather than the text
  "Session ID (32 bytes)". The length field is already visible in the
  preceding field.
Also changed is the handling of key material generation. The SSL
dissector previously generated key material based on the Session ID,
Session Ticket or a key logfile. (DTLS did not have this functionality.)
As decryption is needed only after ChangeCipherSpec, I have removed it
from the ServerHello handling. This will break decryption when a
ClientKeyExchange message is missing, but it will be restored properly in
a following patch.
(By the way, there was an inverted if-condition bug in DTLS that could
break decryption by not restoring the master key matching a SID. This
is gone in the refactoring because the faulty code is removed.)
Change-Id: Ida3de88adefe3f7691f85936c496977426c4d96e
Reviewed-on: https://code.wireshark.org/review/3018
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Reviewed-by: Hauke Mehrtens <hauke@hauke-m.de>
Reviewed-by: Evan Huus <eapache@gmail.com>
Except for field/expert_info names, a redundant subtree assignment,
a different !tree check, a type confusion in DTLS (proto_tree *ti),
a check against a different DTLS/TLS version and a (void) retval cast,
the functions are exactly the same. Extract them to ssl-utils.
Change-Id: I2ca7089fe2cd23212ef78656506cb53768f55927
Reviewed-on: https://code.wireshark.org/review/2986
Reviewed-by: Anders Broman <a.broman58@gmail.com>
There are no dissection differences between DTLS and SSL, so move to
ssl-utils. While at it, skip dissection when the tree is NULL, remove
the plural from certificates length (the length is always larger than
one), fix type of "ti" for dtls, get rid of "failsafe" subtree
assignment in ssl, get rid of tvb_ensure_bytes_exist in ssl.
Unrelated changes: fix param (tvb vs sub_tvb) for DTLS KeyExchange
handshake messages.
Change-Id: Iecaa45a7a601e55a52aa16180cf219a122fbe95a
Reviewed-on: https://code.wireshark.org/review/2985
Reviewed-by: Anders Broman <a.broman58@gmail.com>