The server port must be set or else http_payload_subdissector will
assume two independent flows originating from the client. For example,
client 50813 connects through proxy server 3128 to server 443.
Previously it would result in three conversations: 50813<->3128 (proxy),
50813->443, 3128->443. Now it will see 50813<->3128 and 3128<->443 and
TLS decryption will work again.
Bug: 15042
Change-Id: I50bcef568be320b6512ee6fc5a09d2838d2f7a9a
Reviewed-on: https://code.wireshark.org/review/29046
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
session can be NULL if no valid session was found in the first pass.
Reproduced crash with attachment 16534 from bug 15050.
Change-Id: I45b9fcc4bfeb79b00075f70417acb17c2e4aede2
Fixes: v2.9.0rc0-1389-g5b61737dc9 ("WireGuard: implement initiation message decryption with static keys")
Reviewed-on: https://code.wireshark.org/review/29047
Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Let's make the function accept FT_UINT40, FT_UINT48 and FT_UINT56 types.
Ping-Bug: 15050
Change-Id: I35440a7c0b9cbf25bd8d903c425b6026d6a987f0
Reviewed-on: https://code.wireshark.org/review/29044
Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
If for whatever reason a download got corrupted, detect this and
reattempt the download. This protects the developer against server
compromises. Additionally, if an uploaded file was wrong and needs to be
replaced, then this check ensures that the updated file is used.
The -Force option is removed as there is no point in downloading the
same file twice (well, except maybe for verifying that all checksums are
correct, but that can be done with a new destination directory as well).
Change-Id: I770cc8917c49f7fab7209121b2a059dea8f21a58
Reviewed-on: https://code.wireshark.org/review/28954
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Don't return an error unless we get a read error. If the line could be
read, but isn't a valid text line, that just means it's not an RFC 7468
text file.
Change-Id: I04f48294cac213cf61b8dcb851b99dc6dd776df8
Reviewed-on: https://code.wireshark.org/review/29039
Reviewed-by: Guy Harris <guy@alum.mit.edu>
The handling for unknown IEs was flawed in that it printed
the IEI and the IE Length lines twice: Once the general code before
the switch statement, and then a second time inside the default
case handling.
Change-Id: Ic845bfb79e9ff881b39f709e3bff407e352c49fd
Reviewed-on: https://code.wireshark.org/review/29005
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
In general, GPRS APN names are encoded like DNS strings. However,
there is one exception: The wildcard APN '*'. If we feed this
into the DNS decoder, it will throw an exception.
Let's explicitly check for '*' as a special case.
Change-Id: I2b346f8b067fa176b80613fdbcdada8c8a8eaa52
Related: https://osmocom.org/issues/3450
Reviewed-on: https://code.wireshark.org/review/29004
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Since Qt 5.10, platform styles are no longer part of QtWidgets. Be sure
to delete the separate plugin (styles\qwindowsvistastyle.dll). See
https://bugreports.qt.io/browse/QTBUG-65177
Change-Id: I20376f787339c9a2072ef8127b3ea5cc55be8b06
Reviewed-on: https://code.wireshark.org/review/29003
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
New json option for frame request to output hidden fields:
"hidden": true
Output has two new optional keys: "g" for generated fields and
"v" for hidden fields.
Change-Id: If51fa5601c1193a03fff378bbe37dc9ab8f5e66d
Reviewed-on: https://code.wireshark.org/review/28955
Petri-Dish: Michal Labedzki <michal.labedzki@wireshark.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
This was accomplished by factoring out the existing code supporting nullable
datetime and money types. The non-nullable versions are older and more often used
with TDS 4 and TDS 5.
Change-Id: I1bbf942d2b5ff3ec6bb9f1a607f0c579949f6131
Reviewed-on: https://code.wireshark.org/review/29008
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
The HTTP dissector could crash (use-after-free) after switching
profiles. In reinit_http, it would assign the return value from
prefs_get_range_value to a global variable which is consulted during
dissection. This value is invalidated while switching profiles (via the
"prefs_reset" function), but is not reinitialized (because the
reinit_http function was not called).
A similar issue exists in the Kafka, UAUDP, VNC, TFTP, Gopher and TDS
dissectors. To reproduce using a capture from the SampleCaptures wiki,
start "wireshark -r vnc-sample.pcap -ovnc.tcp.port:1" and switch
profiles. For the HTTP crash, load any HTTP pcap and switch profiles.
Change-Id: I8725615504a8a82ae46255625a41e2188c07320a
Fixes: v2.3.0rc0-2097-g21a3b8cc71 ("Internalize struct preference")
Reviewed-on: https://code.wireshark.org/review/29030
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
We call that dissector even for zero-length PSDUs, so the radio
information is shown. We also show the zero-length PSDU type.
We don't call the 802.11 dissector for zero-length PSDU frames.
That way, you don't have to open up the radiotap information to find out
about zero-length PSDU frames, we can support zero-length PSDU
information for other pseudo-headers and file types if they support it,
and taps using the radio information can get zero-length PSDU frame
information.
Change-Id: I7d5da4ea978d8ca4889fc76160f11e3416b4d036
Reviewed-on: https://code.wireshark.org/review/29034
Reviewed-by: Guy Harris <guy@alum.mit.edu>
The loop doesn't just add them to the protocol tree, it also does sanity
checking; we want to do the sanity checking regardless of whether we're
building the protocol tree or not, so that if we skip processing the
radiotap header because it's malformed, we do so regardless of whether
we're building a protocol tree.
This prevents a crash I saw where, on the first pass, we weren't
building a protocol tree, so we didn't check the bitmaps and proceeded
to process the bad radiotap header in a fuzzed file and set the
"zero-length PSDU" flag, and didn't call the 802.11 radio dissector, and
didn't allocate a "wlan radio information" structure and attach it to
the packet, but, when I went to the packet, and thus *did* build a
protocol tree, we *did* check the bitmaps in the process of adding them
to the protocol tree, skipped the part where we processed the rest of
the radiotap header, *didn't* set the "zero-length PSDU" flag, and
*did* call the 802.11 radio dissector, which crashed becaus the "wlan
radio information" pointer was null.
(No, checking the "wlan radio information" pointer isn't the correct
fix; the correct fix is to make sure we do the same processing, other
than adding items to the protocol tree, *regardless* of whether we're
building the protocol tree.)
Change-Id: If3c16f76981448e4f396a4a9730f1d5dce8f8eba
Reviewed-on: https://code.wireshark.org/review/29033
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Note the places where we should be doing so.
Also, note that two of the tests in ieee80211_radiotap_iterator_init()
are redundant in Wireshark, and that it's irrelevant what versions of
radiotap Linux supports - this is Wireshark code, not Linux code. (If
there's anything to note, it's that there *is* no radiotap version other
than 0, so there's nothing *to* support.)
Change-Id: Ieabef703638b30649a097269d684f60e79db8ba5
Reviewed-on: https://code.wireshark.org/review/29031
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Report an error and quit dissecting if it's less than 8.
Change-Id: I297fcb0ca754641a9e197037df1140361000fd25
Reviewed-on: https://code.wireshark.org/review/29022
Reviewed-by: Guy Harris <guy@alum.mit.edu>
C99 requires fgets to fail once the EOF bit is set, glibc 2.28 started
implementing this behavior. Clear the EOF bit to avoid all future reads
from failing. Add another error check while at it.
Change-Id: I1c5f7e190426d29e3bf437c443b09092ed8d2d35
Fixes: v1.99.0-rc1-1080-ga69a63f5d1 ("ssl: fix SSL keylog file live-capture use case")
Reviewed-on: https://code.wireshark.org/review/28984
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
This imposes an additional requirement on the key log file, PSKs are
only linked to the most recently seen ephemeral key. This means that the
key log might contain duplicate PSK lines, but at least the dissector
won't have to try all keys and thereby save CPU time.
Bug: 15011
Change-Id: I368fa16269c96c4a1ff3bcb4e376c21f38fa2689
Reviewed-on: https://code.wireshark.org/review/28993
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Invoke IP or data dissector for decrypted transport data.
Bug: 15011
Change-Id: I8fa149c429ae774c16fe7e712d4bfb6b3478ed11
Reviewed-on: https://code.wireshark.org/review/28992
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Transport data decryption will follow later.
Bug: 15011
Change-Id: Ib755e43ff54601405b21aeb0045b15d158bc283b
Reviewed-on: https://code.wireshark.org/review/28991
Reviewed-by: Anders Broman <a.broman58@gmail.com>
As UATs are currently unable to receive keys dynamically without manual
user interaction followed by rescanning of the pcap, add a mechanism
like ssl.keylog_file. Such keys can be extracted using the tools from
contrib/examples/extract-handshakes/ in the WireGuard source tree.
Now decryption of Initiation messages is also possible when keys
(Epriv_i) are captured from the initiator side.
Bug: 15011
Change-Id: If998bf26e818487187cc618d2eb6d4d8f5b2cc0a
Reviewed-on: https://code.wireshark.org/review/28990
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Enable decryption of the static and timestamp fields when the private
static key of the responder is known. Decryption of the initiation and
response messages using private ephemeral keys will be done later.
Bug: 15011
Change-Id: Ifc9729059694700333b6677374ab467c8cb64263
Reviewed-on: https://code.wireshark.org/review/28989
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Using long-term static public keys, it is possible to identify the
recipient of a handshake message. Add a new UAT where such keys can be
configured. Allow private keys to be configured as well since this
enables decryption of the Initiation handshake message.
Bug: 15011
Change-Id: I0d4df046824eac6c333e0df75f69f73d10ed8e5e
Reviewed-on: https://code.wireshark.org/review/28988
Reviewed-by: Anders Broman <a.broman58@gmail.com>
The WireGuard dissector will need X25519 to enable decryption, add a
Gcrypt implementation that implements the NaCl/Sodium interface.
While inspired by the MPI example in t-cv25519.c, note subtle but
important correctness/interoperability fixes: add a check for infinity
(gcry_mpi_ec_get_affine) and handle short values from gcry_mpi_print.
The last issue is ugly, perhaps the high level API (gcry_pk_decrypt)
should be used instead (which < 2% slower than this MPI implementation).
(Both issues were found through fuzzing.)
As for alternative options, Sodium is superior but would be a new
dependency. For some older performance and usability notes (comparing
crypto_scalarmult_curve25519_base (note "_base") against others), see
https://lists.gnupg.org/pipermail/gcrypt-devel/2018-July/004532.html
Performance comparison on Ubuntu 18.04 (i7-3770) between Sodium 1.0.16
against Gcrypt 1.8.3 and Gcrypt 86e5e06a (git master, future 1.9.x) by
computing 65536 times X25519(1, 8) via crypto_scalarmult_curve25519:
Sodium (sandy2x): 1.4x faster than ref10
Sodium (ref10): 1 (baseline)
Gcrypt (git): 5x slower than ref10, 7x slower than sandy2x
Gcrypt (1.8.3): 17x ref10, 24x sandy2x (took 65 seconds)
Change-Id: Ia54e73cc3cc469a6697554729aff4edd19f55630
Ping-Bug: 15011
Reviewed-on: https://code.wireshark.org/review/28987
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Link messages based on the receiver/sender IDs as found in the handshake
and based on the most recently seen source IP address and port number.
Tested with "8-trace.pcap". Roaming should work but is untested.
Bug: 15011
Change-Id: I017faaae09fc8b16548c4e8b062e143960fda928
Reviewed-on: https://code.wireshark.org/review/28986
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Initial dissection support for the WireGuard Protocol.
Decryption support will follow later.
Bug: 15011
Change-Id: Iaf7d901501e02299714c3f0e7daa56a8437d01de
Reviewed-on: https://code.wireshark.org/review/28985
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Change-Id: I34252f8f7ab59e1693174aa1a4c040668dcb388c
Reviewed-on: https://code.wireshark.org/review/29007
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Code was only allowing actions, while 'test', 'read' ,'action simply' and 'response'
are also possible
Change-Id: Iee84dd77912debe96a06f0b7d6b3e1f15527ce3b
Reviewed-on: https://code.wireshark.org/review/28997
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
RFC 5447 says MIP6-Feature-Vector is a 64-bit integer, not an octet
string.
Change-Id: I676cb4de09424259a9020680d11b92b783100482
Reviewed-on: https://code.wireshark.org/review/28999
Reviewed-by: Guy Harris <guy@alum.mit.edu>
This change will append "Response in/to" for the messages match
in a conversation, matching sequence number
Response time was also added
Change-Id: Icca12873d7a61b8c83c132af461adeced5e7ce0e
Reviewed-on: https://code.wireshark.org/review/28979
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
- 0x2A1F Temperature Celsius
- 0x2A20 Temperature Fahrenheit
- 0x2A2F Position 2D
- 0x2A30 Position 3D
- 0x2A3A Removable
- 0x2A3B Service Required
- 0x2A3C Scientific Temperature Celsius
- 0x2A3D String
- 0x2A3E Network Availability
- 0x2A57 Digital Output
- 0x2A59 Analog Output
Change-Id: I0c5bc4ba368c26edd600730ed62990abc9f4f1f9
Reviewed-on: https://code.wireshark.org/review/28956
Petri-Dish: Michal Labedzki <michal.labedzki@wireshark.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
This is useful when processing packets that were captured by multiple radios on the same channel.
Change-Id: I9dacc35294a4ed4e817014e563e7c9a54ee05e40
Reviewed-on: https://code.wireshark.org/review/28843
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>