ssl-utils: add versions to ssl debug log

Add Wireshark/GnuTLS/Libgcrypt versions to the debug log file. Remove ssl_lib_init since it didn't do anything useful (the debug file was not open yet so it would write... nothing). Match more (EC)DH(E) cipher suites and try to improve the message. Add the human-readable name besides numeric cipher suite IDs. Change-Id: I84a33d270f91e90efc55371475b231b483fd24c9 Reviewed-on: https://code.wireshark.org/review/11403 Petri-Dish: Peter Wu <peter@lekensteyn.nl> Reviewed-by: Graham Bloice <graham.bloice@trihedral.com> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Michael Mann <mmann78@netscape.net>
2015-10-29 16:09:17 +01:00 · 2015-10-29 16:09:17 +01:00 · 07ceb2c6dc
parent 9ef04d04be
commit 07ceb2c6dc
4 changed files with 23 additions and 24 deletions
--- a/epan/dissectors/packet-dtls.c
+++ b/epan/dissectors/packet-dtls.c
@ -1916,7 +1916,6 @@ proto_register_dtls(void)

  register_init_routine(dtls_init);
  register_cleanup_routine(dtls_cleanup);
-  ssl_lib_init();
  dtls_tap = register_tap("dtls");
  ssl_debug_printf("proto_register_dtls: registered tap %s:%d\n",
                   "dtls", dtls_tap);
--- a/epan/dissectors/packet-ssl-utils.c
+++ b/epan/dissectors/packet-ssl-utils.c
@ -44,6 +44,7 @@
 #include <wsutil/str_util.h>
 #include <wsutil/report_err.h>
 #include <wsutil/pint.h>
+#include <wsutil/ws_version_info.h>
 #include "packet-x509af.h"
 #include "packet-x509if.h"
 #include "packet-ssl-utils.h"
@ -3184,14 +3185,14 @@ ssl_decrypt_pre_master_secret(SslDecryptSession*ssl_session,

    if (!encrypted_pre_master)
        return FALSE;
-    if(ssl_session->cipher_suite.kex == KEX_DHE_DSS ||
-            ssl_session->cipher_suite.kex == KEX_DHE_PSK ||
-            ssl_session->cipher_suite.kex == KEX_DHE_RSA ||
-            ssl_session->cipher_suite.kex == KEX_DH_ANON ||
-            ssl_session->cipher_suite.kex == KEX_DH_DSS ||
-            ssl_session->cipher_suite.kex == KEX_DH_RSA) {
-        ssl_debug_printf("%s: session uses DH (%d) key exchange, which is "
-                         "impossible to decrypt\n", G_STRFUNC, ssl_session->cipher_suite.kex);
+
+    if (KEX_IS_DH(ssl_session->cipher_suite.kex)) {
+        ssl_debug_printf("%s: session uses Diffie-Hellman key exchange "
+                         "(cipher suite 0x%04X %s) and cannot be decrypted "
+                         "using a RSA private key file.\n",
+                         G_STRFUNC, ssl_session->session.cipher,
+                         val_to_str_ext_const(ssl_session->session.cipher,
+                             &ssl_31_ciphersuite_ext, "unknown"));
        return FALSE;
    } else if(ssl_session->cipher_suite.kex != KEX_RSA) {
         ssl_debug_printf("%s key exchange %d different from KEX_RSA (%d)\n",
@ -4453,14 +4454,6 @@ ssl_parse_key_list(const ssldecrypt_assoc_t *uats _U_, GHashTable *key_hash _U_,
 }
 #endif

-void
-ssl_lib_init(void)
-{
-#ifdef HAVE_LIBGNUTLS
-    ssl_debug_printf("gnutls version: %s\n", gnutls_check_version(NULL));
-#endif
-}
-

 #ifdef HAVE_LIBGCRYPT /* useless without decryption support. */
 /* Store/load a known (pre-)master secret from/for this SSL session. {{{ */
@ -4802,6 +4795,14 @@ ssl_set_debug(const gchar* name)
        debug_file_must_be_closed = 1;

    ssl_debug_printf("Wireshark SSL debug log \n\n");
+    ssl_debug_printf("Wireshark version: %s\n", get_ws_vcs_version_info());
+#ifdef HAVE_LIBGNUTLS
+    ssl_debug_printf("GnuTLS version:    %s\n", gnutls_check_version(NULL));
+#endif
+#ifdef HAVE_LIBGCRYPT
+    ssl_debug_printf("Libgcrypt version: %s\n", gcry_check_version(NULL));
+#endif
+    ssl_debug_printf("\n");
 }

 void
@ -5716,8 +5717,11 @@ ssl_dissect_hnd_srv_hello(ssl_common_dissect_t *hf, tvbuff_t *tvb,
        } else {
            /* Cipher found, save this for the delayed decoder init */
            ssl->state |= SSL_CIPHER;
-            ssl_debug_printf("%s found CIPHER 0x%04X -> state 0x%02X\n",
-                             G_STRFUNC, ssl->session.cipher, ssl->state);
+            ssl_debug_printf("%s found CIPHER 0x%04X %s -> state 0x%02X\n",
+                             G_STRFUNC, ssl->session.cipher,
+                             val_to_str_ext_const(ssl->session.cipher,
+                                 &ssl_31_ciphersuite_ext, "unknown"),
+                             ssl->state);
        }
    }

--- a/epan/dissectors/packet-ssl-utils.h
+++ b/epan/dissectors/packet-ssl-utils.h
@ -306,6 +306,7 @@ typedef struct _SslDecoder {
 #define KEX_SRP_SHA     0x20
 #define KEX_SRP_SHA_DSS 0x21
 #define KEX_SRP_SHA_RSA 0x22
+#define KEX_IS_DH(n)    ((n) >= KEX_DHE_DSS && (n) <= KEX_ECDH_RSA)

 #define ENC_DES         0x30
 #define ENC_3DES        0x31
@ -448,10 +449,6 @@ gboolean ssldecrypt_uat_fld_protocol_chk_cb(void*, const char*, unsigned, const
 gboolean ssldecrypt_uat_fld_fileopen_chk_cb(void*, const char*, unsigned, const void*, const void*, char** err);
 gboolean ssldecrypt_uat_fld_password_chk_cb(void*, const char*, unsigned, const void*, const void*, char** err);

-/** Initialize decryption engine/ssl layer. To be called once per execution */
-extern void
-ssl_lib_init(void);
-
 /** Retrieve a SslSession, creating it if it did not already exist.
 * @param conversation The SSL conversation.
 * @param ssl_handle The dissector handle for SSL or DTLS.
--- a/epan/dissectors/packet-ssl.c
+++ b/epan/dissectors/packet-ssl.c
@ -4204,7 +4204,6 @@ proto_register_ssl(void)

    register_init_routine(ssl_init);
    register_cleanup_routine(ssl_cleanup);
-    ssl_lib_init();
    ssl_tap = register_tap("ssl");
    ssl_debug_printf("proto_register_ssl: registered tap %s:%d\n",
        "ssl", ssl_tap);