Paolo Abeni

I have developed an external plugin to enable ssl decryption in
ethereal.

Me

- Remove unnecessary $Id$ from acinclude.m4
- Added packet-ssl-utils.h to Makefile.common
- Fixed a few warnings

TODO

- Lots of warning fixes (see separate mail)
- Reformat function headers to read like the others do
  (return value<newline>function-name...)
- Test on Windows platform
- Review the patch to packet-ssl.c and new files packet-ssl-utils.[hc]


svn path=/trunk/; revision=17156

Makefile.am

@@ -304,7 +304,8 @@ ethereal_LDADD = \
 	@SNMP_LIBS@ @SSL_LIBS@ 		\
 	$(plugin_ldadd)			\
 	@PCRE_LIBS@			\
-	@PCAP_LIBS@ @GTK_LIBS@ @ADNS_LIBS@ @KRB5_LIBS@ @FRAMEWORKS@
+	@PCAP_LIBS@ @GTK_LIBS@ @ADNS_LIBS@ @KRB5_LIBS@ @FRAMEWORKS@ \
+	@LIBGNUTLS_LIBS@
 
 # Additional libs that I know how to build. These will be
 # linked into the tethereal executable.
@@ -326,7 +327,8 @@ tethereal_LDADD = \
 	$(plugin_ldadd)			\
 	@PCRE_LIBS@			\
 	@GLIB_LIBS@ -lm			\
-	@PCAP_LIBS@ @SOCKET_LIBS@ @NSL_LIBS@ @ADNS_LIBS@ @KRB5_LIBS@
+	@PCAP_LIBS@ @SOCKET_LIBS@ @NSL_LIBS@ @ADNS_LIBS@ @KRB5_LIBS@ \
+	@LIBGNUTLS_LIBS@
 
 if ENABLE_STATIC
 tethereal_LDFLAGS = -Wl,-static -all-static
@@ -442,7 +444,8 @@ dftest_LDADD = \
 	$(plugin_ldadd)			\
 	@PCRE_LIBS@			\
 	@GLIB_LIBS@ -lm			\
-	@PCAP_LIBS@ @SOCKET_LIBS@ @NSL_LIBS@ @ADNS_LIBS@ @KRB5_LIBS@
+	@PCAP_LIBS@ @SOCKET_LIBS@ @NSL_LIBS@ @ADNS_LIBS@ @KRB5_LIBS@ \
+	@LIBGNUTLS_LIBS@
 
 dftest_LDFLAGS = -export-dynamic
 

acinclude.m4

@@ -1411,3 +1411,160 @@ AC_DEFUN([AC_ETHEREAL_KRB5_CHECK],
 	fi
 	AC_SUBST(KRB5_LIBS)
 ])
+
+dnl Autoconf macros for libgnutls
+
+# Modified for LIBGNUTLS -- nmav
+# Configure paths for LIBGCRYPT
+# Shamelessly stolen from the one of XDELTA by Owen Taylor
+# Werner Koch   99-12-09
+
+dnl AM_PATH_LIBGNUTLS([MINIMUM-VERSION, [ACTION-IF-FOUND [, ACTION-IF-NOT-FOUND ]]])
+dnl Test for libgnutls, and define LIBGNUTLS_CFLAGS and LIBGNUTLS_LIBS
+dnl
+AC_DEFUN([AM_PATH_LIBGNUTLS],
+[dnl
+dnl Get the cflags and libraries from the libgnutls-config script
+dnl
+AC_ARG_WITH(libgnutls-prefix,
+          [  --with-libgnutls-prefix=PFX   Prefix where libgnutls is installed (optional)],
+          libgnutls_config_prefix="$withval", libgnutls_config_prefix="")
+
+  if test x$libgnutls_config_prefix != x ; then
+     if test x${LIBGNUTLS_CONFIG+set} != xset ; then
+        LIBGNUTLS_CONFIG=$libgnutls_config_prefix/bin/libgnutls-config
+     fi
+  fi
+
+  AC_PATH_PROG(LIBGNUTLS_CONFIG, libgnutls-config, no)
+  min_libgnutls_version=ifelse([$1], ,0.1.0,$1)
+  AC_MSG_CHECKING(for libgnutls - version >= $min_libgnutls_version)
+  no_libgnutls=""
+  if test "$LIBGNUTLS_CONFIG" = "no" ; then
+    no_libgnutls=yes
+  else
+    LIBGNUTLS_CFLAGS=`$LIBGNUTLS_CONFIG $libgnutls_config_args --cflags`
+    LIBGNUTLS_LIBS=`$LIBGNUTLS_CONFIG $libgnutls_config_args --libs`
+    libgnutls_config_version=`$LIBGNUTLS_CONFIG $libgnutls_config_args --version`
+
+      ac_save_CFLAGS="$CFLAGS"
+      ac_save_LIBS="$LIBS"
+      CFLAGS="$CFLAGS $LIBGNUTLS_CFLAGS"
+      LIBS="$LIBS $LIBGNUTLS_LIBS"
+dnl
+dnl Now check if the installed libgnutls is sufficiently new. Also sanity
+dnl checks the results of libgnutls-config to some extent
+dnl
+      rm -f conf.libgnutlstest
+      AC_TRY_RUN([
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <gnutls/gnutls.h>
+
+int
+main ()
+{
+    system ("touch conf.libgnutlstest");
+
+    if( strcmp( gnutls_check_version(NULL), "$libgnutls_config_version" ) )
+    {
+      printf("\n*** 'libgnutls-config --version' returned %s, but LIBGNUTLS (%s)\n",
+             "$libgnutls_config_version", gnutls_check_version(NULL) );
+      printf("*** was found! If libgnutls-config was correct, then it is best\n");
+      printf("*** to remove the old version of LIBGNUTLS. You may also be able to fix the error\n");
+      printf("*** by modifying your LD_LIBRARY_PATH enviroment variable, or by editing\n");
+      printf("*** /etc/ld.so.conf. Make sure you have run ldconfig if that is\n");
+      printf("*** required on your system.\n");
+      printf("*** If libgnutls-config was wrong, set the environment variable LIBGNUTLS_CONFIG\n");
+      printf("*** to point to the correct copy of libgnutls-config, and remove the file config.cache\n");
+      printf("*** before re-running configure\n");
+    }
+    else if ( strcmp(gnutls_check_version(NULL), LIBGNUTLS_VERSION ) )
+    {
+      printf("\n*** LIBGNUTLS header file (version %s) does not match\n", LIBGNUTLS_VERSION);
+      printf("*** library (version %s)\n", gnutls_check_version(NULL) );
+    }
+    else
+    {
+      if ( gnutls_check_version( "$min_libgnutls_version" ) )
+      {
+        return 0;
+      }
+     else
+      {
+        printf("no\n*** An old version of LIBGNUTLS (%s) was found.\n",
+                gnutls_check_version(NULL) );
+        printf("*** You need a version of LIBGNUTLS newer than %s. The latest version of\n",
+               "$min_libgnutls_version" );
+        printf("*** LIBGNUTLS is always available from ftp://gnutls.hellug.gr/pub/gnutls.\n");
+        printf("*** \n");
+        printf("*** If you have already installed a sufficiently new version, this error\n");
+        printf("*** probably means that the wrong copy of the libgnutls-config shell script is\n");
+        printf("*** being found. The easiest way to fix this is to remove the old version\n");
+        printf("*** of LIBGNUTLS, but you can also set the LIBGNUTLS_CONFIG environment to point to the\n");
+        printf("*** correct copy of libgnutls-config. (In this case, you will have to\n");
+        printf("*** modify your LD_LIBRARY_PATH enviroment variable, or edit /etc/ld.so.conf\n");
+        printf("*** so that the correct libraries are found at run-time))\n");
+      }
+    }
+  return 1;
+}
+],, no_libgnutls=yes,[echo $ac_n "cross compiling; assumed OK... $ac_c"])
+       CFLAGS="$ac_save_CFLAGS"
+       LIBS="$ac_save_LIBS"
+  fi
+
+  if test "x$no_libgnutls" = x ; then
+     AC_MSG_RESULT(yes)
+     ifelse([$2], , :, [$2])
+  else
+     if test -f conf.libgnutlstest ; then
+        :
+     else
+        AC_MSG_RESULT(no)
+     fi
+     if test "$LIBGNUTLS_CONFIG" = "no" ; then
+       echo "*** The libgnutls-config script installed by LIBGNUTLS could not be found"
+       echo "*** If LIBGNUTLS was installed in PREFIX, make sure PREFIX/bin is in"
+       echo "*** your path, or set the LIBGNUTLS_CONFIG environment variable to the"
+       echo "*** full path to libgnutls-config."
+     else
+       if test -f conf.libgnutlstest ; then
+        :
+       else
+          echo "*** Could not run libgnutls test program, checking why..."
+          CFLAGS="$CFLAGS $LIBGNUTLS_CFLAGS"
+          LIBS="$LIBS $LIBGNUTLS_LIBS"
+          AC_TRY_LINK([
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <gnutls/gnutls.h>
+],      [ return !!gnutls_check_version(NULL); ],
+        [ echo "*** The test program compiled, but did not run. This usually means"
+          echo "*** that the run-time linker is not finding LIBGNUTLS or finding the wrong"
+          echo "*** version of LIBGNUTLS. If it is not finding LIBGNUTLS, you'll need to set your"
+          echo "*** LD_LIBRARY_PATH environment variable, or edit /etc/ld.so.conf to point"
+          echo "*** to the installed location  Also, make sure you have run ldconfig if that"
+          echo "*** is required on your system"
+          echo "***"
+          echo "*** If you have an old version installed, it is best to remove it, although"
+          echo "*** you may also be able to get things to work by modifying LD_LIBRARY_PATH"
+          echo "***" ],
+        [ echo "*** The test program failed to compile or link. See the file config.log for the"
+          echo "*** exact error that occured. This usually means LIBGNUTLS was incorrectly installed"
+          echo "*** or that you have moved LIBGNUTLS since it was installed. In the latter case, you"
+          echo "*** may want to edit the libgnutls-config script: $LIBGNUTLS_CONFIG" ])
+          CFLAGS="$ac_save_CFLAGS"
+          LIBS="$ac_save_LIBS"
+       fi
+     fi
+     LIBGNUTLS_CFLAGS=""
+     LIBGNUTLS_LIBS=""
+     ifelse([$3], , :, [$3])
+  fi
+  rm -f conf.libgnutlstest
+  AC_SUBST(LIBGNUTLS_CFLAGS)
+  AC_SUBST(LIBGNUTLS_LIBS)
+])

configure.in

@@ -63,6 +63,24 @@ AC_PATH_PROG(DOXYGEN, doxygen)
 AC_CHECK_PROG(HAVE_DOXYGEN, doxygen, "yes", "no")
 AM_CONDITIONAL(HAVE_DOXYGEN, test x$HAVE_DOXYGEN = xyes)
 
+# gnu tls
+AM_PATH_LIBGNUTLS(1.0.0, 
+        [
+                echo "gnuTLS found, enabling ssl decryption"
+                AC_DEFINE(HAVE_LIBGNUTLS, 1, [Define to use gnutls library])
+                tls_message="yes"
+        ]
+        , [
+                if test x$libgnutls_config_prefix != x ; then
+	                AC_MSG_ERROR([[gnuTLS not found; install gnuTLS-devel package for your system]])
+                else
+                        echo echo "gnuTLS not found, disabling ssl decryption"
+                        tls_message="no"
+                fi
+        ]
+)        
+        
+
 # Check for xsltproc
 AC_PATH_PROG(XSLTPROC, xsltproc)
 AC_CHECK_PROG(HAVE_XSLTPROC, xsltproc, "yes", "no")
@@ -1391,3 +1409,4 @@ echo "              Use GNU ADNS library : $adns_message"
 echo "            Use SSL crypto library : $ssl_message"
 echo "          Use IPv6 name resolution : $enable_ipv6"
 echo "     Use UCD SNMP/Net-SNMP library : $snmp_libs_message"
+echo "                Use gnutls library : $tls_message"

epan/dissectors/packet-ssl-utils.h

@@ -0,0 +1,172 @@
+/* packet-ss-utils.c
+ *
+ * $Id$
+ *
+ * ssl manipulation functions
+ * By Paolo Abeni <paolo.abeni@email.com>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
+ */
+
+#ifndef __SSL_UTILS_H_
+#define __SSL_UTILS_H_
+
+#include <glib.h>
+
+#ifdef HAVE_LIBGNUTLS
+
+#ifdef _WIN32
+/* #include <gnutls_conf.h> */
+#include <gcrypt_conf.h>
+#endif
+
+#include <stdio.h>
+#include <gcrypt.h>
+#include <gnutls/x509.h>
+#include <gnutls/openssl.h>
+
+/* #define SSL_FAST 1 */
+#define SSL_DECRYPT_DEBUG
+
+#define SSL_CIPHER_CTX gcry_cipher_hd_t
+#ifdef SSL_FAST
+#define SSL_PRIVATE_KEY gcry_mpi_t
+#else
+#define SSL_PRIVATE_KEY struct gcry_sexp
+#endif
+#else 
+#define SSL_CIPHER_CTX void*
+#define SSL_PRIVATE_KEY void
+#endif
+
+typedef struct _StringInfo {
+    unsigned char* data;
+    unsigned int data_len;
+} StringInfo;
+
+#define SSL_WRITE_KEY           1
+
+#define SSLV3_VERSION          0x300
+#define TLSV1_VERSION          0x301
+
+#define SSL_CLIENT_RANDOM       1
+#define SSL_SERVER_RANDOM       2
+#define SSL_CIPHER              4
+#define SSL_HAVE_SESSION_KEY    8    
+#define SSL_VERSION             0x10
+#define SSL_MASTER_SECRET       0x20
+
+#define SSL_CIPHER_MODE_STREAM  0
+#define SSL_CIPHER_MODE_CBC     1
+
+typedef struct _SslCipherSuite {
+     int number;
+     int kex;
+     int sig;
+     int enc;
+     int block;
+     int bits;
+     int eff_bits;
+     int dig;
+     int dig_len;
+     int export;
+     int mode;
+} SslCipherSuite;
+
+typedef struct _SslDecoder {
+    SslCipherSuite* cipher_suite;
+    unsigned char _mac_key[20];
+    StringInfo mac_key;
+    SSL_CIPHER_CTX evp;    
+    guint32 seq;
+} SslDecoder;
+
+#define KEX_RSA         0x10
+#define KEX_DH          0x11
+
+#define SIG_RSA         0x20
+#define SIG_DSS         0x21
+#define SIG_NONE        0x22
+
+#define ENC_DES         0x30
+#define ENC_3DES        0x31
+#define ENC_RC4         0x32
+#define ENC_RC2         0x33
+#define ENC_IDEA        0x34
+#define ENC_AES         0x35
+#define ENC_AES256      0x36
+#define ENC_NULL        0x37
+
+#define DIG_MD5         0x40
+#define DIG_SHA         0x41
+
+/*typedef struct _SslService {
+    address addr;
+    guint port;
+} SslService;*/
+
+typedef struct _SslDecryptSession {
+    unsigned char _master_secret[48];
+    unsigned char _session_id[256];
+    unsigned char _client_random[32];
+    unsigned char _server_random[32];
+    StringInfo session_id;
+    StringInfo server_random;
+    StringInfo client_random;
+    StringInfo master_secret;
+    StringInfo pre_master_secret;
+    
+    int cipher;
+    int state;
+    SslCipherSuite cipher_suite;
+    SslDecoder server;
+    SslDecoder client;
+    SSL_PRIVATE_KEY* private_key;
+    guint32 version;
+    guint16 version_netorder;  
+
+} SslDecryptSession;
+
+void ssl_lib_init(void);
+void ssl_session_init(SslDecryptSession*);
+int ssl_data_alloc(StringInfo* str, unsigned int len);
+int ssl_data_set(StringInfo* data, unsigned char* src, unsigned int len);
+
+SSL_PRIVATE_KEY* ssl_load_key(FILE* fp);
+void ssl_free_key(SSL_PRIVATE_KEY*);
+
+int ssl_find_cipher(int num,SslCipherSuite* cs);
+
+int ssl_generate_keyring_material(SslDecryptSession*ssl_session);
+
+int ssl_decrypt_pre_master_secret(SslDecryptSession*ssl_session, 
+    StringInfo* entrypted_pre_master, SSL_PRIVATE_KEY *pk);
+
+int ssl_decrypt_record(SslDecryptSession*ssl,SslDecoder* decoder, int ct, 
+        const unsigned char* in, int inl,unsigned char*out,int* outl);
+
+#ifdef SSL_DECRYPT_DEBUG
+void ssl_debug_printf(const char* fmt,...);
+void ssl_print_data(const char* name, const unsigned char* data, int len);
+void ssl_print_string(const char* name, const StringInfo* data);
+void ssl_print_text_data(const char* name, const unsigned char* data, int len);
+#else
+static inline char* ssl_debug_printf(const char* fmt,...) { return fmt; }
+#define ssl_print_data(a, b, c)
+#define ssl_print_string(a, b)
+#define ssl_print_text_data(a, b, c)
+#endif
+
+#endif

gtk/Makefile.common

@@ -95,6 +95,7 @@ ETHEREAL_GTK_SRC = \
 	sctp_error_dlg.c	\
 	service_response_time_table.c	\
 	simple_dialog.c	\
+	ssl-dlg.c	\
 	stream_prefs.c	\
 	summary_dlg.c	\
 	supported_protos_dlg.c	\

gtk/main.c

@@ -3575,6 +3575,8 @@ create_main_window (gint pl_size, gint tv_size, gint bv_size, e_prefs *prefs)
                          filter_te);
     set_menu_object_data("/Analyze/Follow TCP Stream", E_DFILTER_TE_KEY,
                          filter_te);
+    set_menu_object_data("/Analyze/Follow SSL Stream", E_DFILTER_TE_KEY,
+                         filter_te);                         
     set_menu_object_data("/Analyze/Apply as Filter/Selected", E_DFILTER_TE_KEY,
                          filter_te);
     set_menu_object_data("/Analyze/Apply as Filter/Not Selected", E_DFILTER_TE_KEY,

gtk/menu.c

@@ -171,6 +171,8 @@ File/Close:         the Gnome HIG suggests putting this item just above the Quit
                     currently opened/captured file only.
 */
 
+void
+ssl_stream_cb(GtkWidget * w, gpointer data _U_);
 
 /* main menu */
 static GtkItemFactoryEntry menu_items[] =
@@ -377,6 +379,8 @@ static GtkItemFactoryEntry menu_items[] =
     ITEM_FACTORY_ENTRY("/Analyze/<separator>", NULL, NULL, 0, "<Separator>", NULL),
     ITEM_FACTORY_ENTRY("/Analyze/_Follow TCP Stream", NULL,
                        follow_stream_cb, 0, NULL, NULL),    
+    ITEM_FACTORY_ENTRY("/Analyze/_Follow SSL Stream", NULL,
+                       ssl_stream_cb, 0, NULL, NULL),    
     ITEM_FACTORY_ENTRY("/_Statistics", NULL, NULL, 0, "<Branch>", NULL),
     ITEM_FACTORY_STOCK_ENTRY("/Statistics/_Summary", NULL, summary_open_cb, 0, GTK_STOCK_PROPERTIES),
     ITEM_FACTORY_ENTRY("/Statistics/_Protocol Hierarchy", NULL,
@@ -458,6 +462,8 @@ static GtkItemFactoryEntry packet_list_menu_items[] =
 
     ITEM_FACTORY_ENTRY("/Follow TCP Stream", NULL, follow_stream_cb,
                        0, NULL, NULL),
+    ITEM_FACTORY_ENTRY("/Follow SSL Stream", NULL, ssl_stream_cb,
+                       0, NULL, NULL),
 
     ITEM_FACTORY_ENTRY("/<separator>", NULL, NULL, 0, "<Separator>", NULL),
 
@@ -505,6 +511,8 @@ static GtkItemFactoryEntry tree_view_menu_items[] =
 
     ITEM_FACTORY_ENTRY("/Follow TCP Stream", NULL, follow_stream_cb,
                        0, NULL, NULL),
+    ITEM_FACTORY_ENTRY("/Follow SSL Stream", NULL, ssl_stream_cb,
+                       0, NULL, NULL),
 
     ITEM_FACTORY_ENTRY("/<separator>", NULL, NULL, 0, "<Separator>", NULL),
 
@@ -1988,6 +1996,12 @@ set_menus_for_selected_packet(capture_file *cf)
       cf->current_frame != NULL ? (cf->edt->pi.ipproto == IP_PROTO_TCP) : FALSE);
   set_menu_sensitivity(tree_view_menu_factory, "/Follow TCP Stream",
       cf->current_frame != NULL ? (cf->edt->pi.ipproto == IP_PROTO_TCP) : FALSE);
+  set_menu_sensitivity(main_menu_factory, "/Analyze/Follow SSL Stream",
+      cf->current_frame != NULL ? (cf->edt->pi.ipproto == IP_PROTO_TCP) : FALSE);
+  set_menu_sensitivity(packet_list_menu_factory, "/Follow SSL Stream",
+      cf->current_frame != NULL ? (cf->edt->pi.ipproto == IP_PROTO_TCP) : FALSE);
+  set_menu_sensitivity(tree_view_menu_factory, "/Follow SSL Stream",
+      cf->current_frame != NULL ? (cf->edt->pi.ipproto == IP_PROTO_TCP) : FALSE);
   set_menu_sensitivity(main_menu_factory, "/Analyze/Decode As...",
       cf->current_frame != NULL && decode_as_ok());
   set_menu_sensitivity(packet_list_menu_factory, "/Decode As...",