Transport data decryption will follow later.
Bug: 15011
Change-Id: Ib755e43ff54601405b21aeb0045b15d158bc283b
Reviewed-on: https://code.wireshark.org/review/28991
Reviewed-by: Anders Broman <a.broman58@gmail.com>
As UATs are currently unable to receive keys dynamically without manual
user interaction followed by rescanning of the pcap, add a mechanism
like ssl.keylog_file. Such keys can be extracted using the tools from
contrib/examples/extract-handshakes/ in the WireGuard source tree.
Now decryption of Initiation messages is also possible when keys
(Epriv_i) are captured from the initiator side.
Bug: 15011
Change-Id: If998bf26e818487187cc618d2eb6d4d8f5b2cc0a
Reviewed-on: https://code.wireshark.org/review/28990
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Enable decryption of the static and timestamp fields when the private
static key of the responder is known. Decryption of the initiation and
response messages using private ephemeral keys will be done later.
Bug: 15011
Change-Id: Ifc9729059694700333b6677374ab467c8cb64263
Reviewed-on: https://code.wireshark.org/review/28989
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Using long-term static public keys, it is possible to identify the
recipient of a handshake message. Add a new UAT where such keys can be
configured. Allow private keys to be configured as well since this
enables decryption of the Initiation handshake message.
Bug: 15011
Change-Id: I0d4df046824eac6c333e0df75f69f73d10ed8e5e
Reviewed-on: https://code.wireshark.org/review/28988
Reviewed-by: Anders Broman <a.broman58@gmail.com>
The WireGuard dissector will need X25519 to enable decryption, add a
Gcrypt implementation that implements the NaCl/Sodium interface.
While inspired by the MPI example in t-cv25519.c, note subtle but
important correctness/interoperability fixes: add a check for infinity
(gcry_mpi_ec_get_affine) and handle short values from gcry_mpi_print.
The last issue is ugly, perhaps the high level API (gcry_pk_decrypt)
should be used instead (which is < 2% slower than this MPI implementation).
(Both issues were found through fuzzing.)
As for alternative options, Sodium is superior but would be a new
dependency. For some older performance and usability notes (comparing
crypto_scalarmult_curve25519_base (note "_base") against others), see
https://lists.gnupg.org/pipermail/gcrypt-devel/2018-July/004532.html
Performance comparison on Ubuntu 18.04 (i7-3770) between Sodium 1.0.16
against Gcrypt 1.8.3 and Gcrypt 86e5e06a (git master, future 1.9.x) by
computing 65536 times X25519(1, 8) via crypto_scalarmult_curve25519:
Sodium (sandy2x): 1.4x faster than ref10
Sodium (ref10): 1 (baseline)
Gcrypt (git): 5x slower than ref10, 7x slower than sandy2x
Gcrypt (1.8.3): 17x ref10, 24x sandy2x (took 65 seconds)
Change-Id: Ia54e73cc3cc469a6697554729aff4edd19f55630
Ping-Bug: 15011
Reviewed-on: https://code.wireshark.org/review/28987
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Link messages based on the receiver/sender IDs as found in the handshake
and based on the most recently seen source IP address and port number.
Tested with "8-trace.pcap". Roaming should work but is untested.
Bug: 15011
Change-Id: I017faaae09fc8b16548c4e8b062e143960fda928
Reviewed-on: https://code.wireshark.org/review/28986
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Initial dissection support for the WireGuard Protocol.
Decryption support will follow later.
Bug: 15011
Change-Id: Iaf7d901501e02299714c3f0e7daa56a8437d01de
Reviewed-on: https://code.wireshark.org/review/28985
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Change-Id: I34252f8f7ab59e1693174aa1a4c040668dcb388c
Reviewed-on: https://code.wireshark.org/review/29007
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Code was only allowing actions, while 'test', 'read', 'action simply' and 'response'
are also possible.
Change-Id: Iee84dd77912debe96a06f0b7d6b3e1f15527ce3b
Reviewed-on: https://code.wireshark.org/review/28997
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
RFC 5447 says MIP6-Feature-Vector is a 64-bit integer, not an octet
string.
Change-Id: I676cb4de09424259a9020680d11b92b783100482
Reviewed-on: https://code.wireshark.org/review/28999
Reviewed-by: Guy Harris <guy@alum.mit.edu>
This change will append "Response in/to" for the messages matched
in a conversation (matching sequence number).
Response time was also added.
Change-Id: Icca12873d7a61b8c83c132af461adeced5e7ce0e
Reviewed-on: https://code.wireshark.org/review/28979
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
- 0x2A1F Temperature Celsius
- 0x2A20 Temperature Fahrenheit
- 0x2A2F Position 2D
- 0x2A30 Position 3D
- 0x2A3A Removable
- 0x2A3B Service Required
- 0x2A3C Scientific Temperature Celsius
- 0x2A3D String
- 0x2A3E Network Availability
- 0x2A57 Digital Output
- 0x2A59 Analog Output
Change-Id: I0c5bc4ba368c26edd600730ed62990abc9f4f1f9
Reviewed-on: https://code.wireshark.org/review/28956
Petri-Dish: Michal Labedzki <michal.labedzki@wireshark.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
This is useful when processing packets that were captured by multiple radios on the same channel.
Change-Id: I9dacc35294a4ed4e817014e563e7c9a54ee05e40
Reviewed-on: https://code.wireshark.org/review/28843
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Export the PDUs in the following cases:
- When sctp.ulp_dissection is FALSE
Not having to dissect the upper layers greatly improves exporting speed.
Previously no PDUs were exported because without dissection the upper
layer name was not available. Now in this case the exported_pdu.tag is
set to sctp.ppi or sctp.port table and the corresponding ppi or port
is also set in the exported_pdu.this_table_val.
- When the upper layer can't be dissected but at least one of the
payload_proto_id, destport or srcport is not 0
Refactor and move the common parts into dedicated functions.
Change-Id: Ie5073a5c7603e11c4a5703118fd81ac25bd924e9
Reviewed-on: https://code.wireshark.org/review/28933
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
This fixes the following asserts:
#2 0x00007ffff0d270f3 in g_assertion_message (domain=0x0, file=0x7ffff4e11f90 "/home/vasko/sources/wireshark/epan/print.c", line=598, func=0x7ffff4e12e20 <__func__.18585> "proto_tree_write_node_pdml",
message=0x555555aaab70 "code should not be reached") at gtestutils.c:2532
#3 0x00007ffff0d8015e in g_assertion_message_expr () at gtestutils.c:2555
#2 0x00007ffff0d270f3 in g_assertion_message (domain=0x0, file=0x7ffff4e11f90 "/home/vasko/sources/wireshark/epan/print.c", line=983,
func=0x7ffff4e12e40 <__func__.18697> "write_json_proto_node_hex_dump", message=0x555555aac9d0 "code should not be reached") at gtestutils.c:2532
#3 0x00007ffff0d8015e in g_assertion_message_expr () at gtestutils.c:2555
#4 0x00007ffff39a8f87 in write_json_proto_node_hex_dump (node=0x7fffdc86e550, data=0x7fffffffce60) at /home/vasko/sources/wireshark/epan/print.c:983
#2 0x00007ffff0d270f3 in g_assertion_message (domain=0x0, file=0x7ffff4e12010 "/home/vasko/sources/wireshark/epan/print.c", line=1299,
func=0x7ffff4e12ef0 <__func__.18804> "ek_write_hex", message=0x555555aac290 "code should not be reached") at gtestutils.c:2532
#3 0x00007ffff0d8015e in g_assertion_message_expr () at gtestutils.c:2555
#4 0x00007ffff39a9a32 in ek_write_hex (fi=0x7fffdc86e4e0, pdata=0x7fffffffce90) at /home/vasko/sources/wireshark/epan/print.c:1299
Change-Id: I48a7e87863fb6708cd668582a240e5ba71d1b5a0
Reviewed-on: https://code.wireshark.org/review/28891
Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
Petri-Dish: Pascal Quantin <pascal.quantin@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
In CI environments with no capture driver, the test_tshark_dump_glossary
test could fail because "tshark -G decodes" contains an error message.
Postpone the check until the moment where a capture is actually started.
It also no longer shows with tshark -L, -D, --version, etc.
Change-Id: I6674c6fe007c99576c777a025cd44b3f2e594b59
Reviewed-on: https://code.wireshark.org/review/28966
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Fix the digit check, testing a pointer as character is an error.
Change-Id: I1ce2898dd1cca0b61bb2da342c81bc648fdb1cf2
Fixes: v2.9.0rc0-1356-g51c6fde9c7 ("AT: Distinguish between numeric and textual CME errors")
Reviewed-on: https://code.wireshark.org/review/28962
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Parse both commands and responses, including a call to GSM SIM dissector
Change-Id: I39624a1a088066aae6eb1e6fd61d4f73821b2345
Reviewed-on: https://code.wireshark.org/review/28959
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
The altitude value presented is the value converted into feet.
Instead, as the label suggests, the value should be presented
as a flight level. Change the conversion as such.
Bug: 15030
Change-Id: I131f6b586c6b1f59090f93862ea13b117403c502
Signed-off-by: Jaap Keuter <jaap.keuter@xs4all.nl>
Reviewed-on: https://code.wireshark.org/review/28961
Reviewed-by: Marko Hrastovec <marko.hrastovec@gmail.com>
Tested-by: Petri Dish Buildbot
Re-enables AES-NI support and provides XTS mode and Blake2 hash support.
Based on Debian Buster packages with stripped binaries,
libgcrypt-mingw-w64-dev 1.8.3-1 and libgpg-error-mingw-w64-dev 1.32-1
Change-Id: Iace616926d3c8c22c92e60bdbd6346826f91db59
Reviewed-on: https://code.wireshark.org/review/28943
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
The initial proxy bypass check can take a lot of time (14 seconds).
Cache the instance to make subsequent downloads faster.
Change-Id: I3ccb99d245e0127f03d9b022d10f9ce4a89018d2
Fixes: v1.99.6rc0-344-ge3785f7aff ("win-setup.ps1 Make setup script aware of proxies")
Reviewed-on: https://code.wireshark.org/review/28953
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Leftover description from the BT-HFP dissector was classifying the DTE as an
Audio Gateway, which isn't always the case.
Change-Id: If6f916026bce00dc8783d95f48e449ffa9951d37
Reviewed-on: https://code.wireshark.org/review/28960
Reviewed-by: Anders Broman <a.broman58@gmail.com>
According to 3GPP TS 04.08, section 10.5.2.49, the APDU Flags field
is coded together with APDU ID, and occupies bits 1-3 (mask 0x70):
0 1 2 3
S T F L
. . . * Last Segment
. . * . First Segment
. * . . C/R, if L=0 only, otherwise spare and set to 0
* . . . Spare (0)
Instead of parsing all bits together as a set of integer values,
let's parse each flag individually. Moreover, the previous
definition was missing some possible bit combinations, so
this change also fixes that problem.
Change-Id: Id71fae9ef06572c1ad17aafe0be3dfb66e081b7d
Reviewed-on: https://code.wireshark.org/review/28948
Petri-Dish: Pascal Quantin <pascal.quantin@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
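The per-flag parsing the commit above argues for, as an added example that is not part of the Wireshark commit or its dissector code. It assumes the octet layout given in the message (APDU ID in the low half-octet, APDU Flags in the high half-octet) and derives the individual masks from "mask 0x70" and the S T F L table; those mask names and the `apdu_parse` / `apdu_flags_well_formed` helpers are this example's own:

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Bit layout of the first octet of an Application Information message
 * as described in the commit message (3GPP TS 04.08 10.5.2.48/10.5.2.49).
 * The individual masks below are an assumption of this example, derived
 * from "mask 0x70" and the S T F L table: APDU ID in bits 1-4 (0x0F),
 * APDU Flags in bits 5-8. */
#define APDU_ID_MASK          0x0Fu  /* APDU ID, section 10.5.2.48 */
#define APDU_FLAG_LAST_SEG    0x10u  /* L: Last Segment */
#define APDU_FLAG_FIRST_SEG   0x20u  /* F: First Segment */
#define APDU_FLAG_CR          0x40u  /* C/R, meaningful only when L == 0 */
#define APDU_FLAG_SPARE       0x80u  /* S: spare, must be 0 */

typedef struct {
    uint8_t id;                    /* APDU ID (0 = RRLP in the trace above) */
    bool    last_segment;          /* L */
    bool    first_segment;         /* F */
    bool    cr;                    /* C/R bit as transmitted */
    bool    cr_meaningful;         /* false when L == 1 (C/R is then spare) */
    bool    spare_nonzero;         /* S bit set although it must be 0 */
    bool    cr_nonzero_when_spare; /* C/R set while L == 1 makes it spare */
} apdu_header_t;

/* Parse each flag individually instead of matching the whole half-octet
 * against a fixed value table, so all 16 bit combinations get a
 * well-defined result (the problem the commit fixes). */
apdu_header_t apdu_parse(uint8_t octet)
{
    apdu_header_t h;
    h.id            = (uint8_t)(octet & APDU_ID_MASK);
    h.last_segment  = (octet & APDU_FLAG_LAST_SEG) != 0;
    h.first_segment = (octet & APDU_FLAG_FIRST_SEG) != 0;
    h.cr            = (octet & APDU_FLAG_CR) != 0;
    h.cr_meaningful = !h.last_segment;
    h.spare_nonzero = (octet & APDU_FLAG_SPARE) != 0;
    h.cr_nonzero_when_spare = h.cr && !h.cr_meaningful;
    return h;
}

/* Well-formedness check of the kind a dissector would surface as expert
 * info: every spare bit (S, and C/R when L == 1) must be zero. */
bool apdu_flags_well_formed(uint8_t octet)
{
    apdu_header_t h = apdu_parse(octet);
    return !h.spare_nonzero && !h.cr_nonzero_when_spare;
}

/* Demo over a few constructed octets (not taken from a capture). */
int main(void)
{
    const uint8_t samples[] = { 0x30, 0x20, 0x45, 0x10, 0x50, 0x90 };
    size_t n = sizeof samples / sizeof samples[0];
    for (size_t i = 0; i < n; i++) {
        apdu_header_t h = apdu_parse(samples[i]);
        printf("0x%02X: id=%u L=%d F=%d C/R=%d%s%s\n", samples[i], h.id,
               h.last_segment, h.first_segment, h.cr,
               h.cr_meaningful ? "" : " (C/R spare)",
               apdu_flags_well_formed(samples[i]) ? "" : " [malformed]");
    }
    return 0;
}
```

Reading the bits separately also makes the "C/R only if L=0" rule explicit: a responder can flag a set C/R bit on a last segment as malformed rather than silently mapping the combination to an unknown value.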
Return color-filter bg/fg colors for single frame if requested.
Also return marked/ignored fields for frame.
Change-Id: I4480b733f54991c72bea1664fa6e7337812e6231
Reviewed-on: https://code.wireshark.org/review/28304
Petri-Dish: Michal Labedzki <michal.labedzki@wireshark.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Michal Labedzki <michal.labedzki@wireshark.org>
According to 3GPP TS 04.08, table 9.1.53.1, Application Information
message has two mandatory fields encoded in a single octet:
- APDU ID (section 10.5.2.48) M V 1/2,
- APDU Flags (section 10.5.2.49) M V 1/2.
For some reason, they were dissected incorrectly:
GSM A-I/F DTAP - Application Information
Protocol Discriminator: Radio Resources Management messages (6)
.... 0110 = Protocol discriminator: Radio Resources Management messages (0x6)
0000 .... = Skip Indicator: No indication of selected PLMN (0)
DTAP Radio Resources Management Message Type: Application Information (0x38)
APDU ID
.... 0000 = APDU ID: RRLP (GSM 04.31) LCS (0x0)
Missing Mandatory element APDU ID, rest of dissection is suspect
[Expert Info (Error/Protocol): Missing Mandatory element APDU ID,
rest of dissection is suspect]
[Missing Mandatory element APDU ID, rest of dissection is suspect]
[Severity level: Error]
[Group: Protocol]
APDU Flags
0000 .... = APDU Flags: Unknown (0x0)
APDU Data
[...]
Change-Id: Ibb248104289da8e602ac15da15ae9e8eadb42c42
Reviewed-on: https://code.wireshark.org/review/28947
Petri-Dish: Pascal Quantin <pascal.quantin@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
The min length was increased to 8 in d9c70acaf4 but there are valid 7
bytes long RANAP messages that are not recognized by the heuristic
function. Revert the value to 7 as in 482a3cd1f1.
Change-Id: I5096cd905c24c87dccbc2aa4bbdccc7b0febead7
Reviewed-on: https://code.wireshark.org/review/28945
Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
These messages are defined in [0], and are used in some deployed
products already.
[0] https://tools.ietf.org/html/draft-kouvelas-lisp-map-server-reliable-transport-04
Change-Id: Idfbc777175c1596d3e0fa1df39602a68ee1c488f
Signed-off-by: Lorand Jakab <ljakab@ac.upc.edu>
Reviewed-on: https://code.wireshark.org/review/28503
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
253 (8 direct, 245 indirect) bytes in 1 blocks are definitely lost in loss record 87 of 93
at 0x4C2EBAB: malloc (vg_replace_malloc.c:299)
by 0xBC4B3C5: g_malloc (gmem.c:99)
by 0x13E225: exp_pdu_open (tap_export_pdu.c:128)
372 (40 direct, 332 indirect) bytes in 1 blocks are definitely lost in loss record 88 of 93
at 0x4C2EBAB: malloc (vg_replace_malloc.c:299)
by 0xBC4B3C5: g_malloc (gmem.c:99)
by 0xBC62FF6: g_slice_alloc (gslice.c:1025)
by 0xBC16984: g_array_sized_new (garray.c:194)
by 0x13E143: exp_pdu_open (tap_export_pdu.c:93)
Change-Id: I24a3cec1dc4491032232c282b01fea04a23872b3
Reviewed-on: https://code.wireshark.org/review/28934
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Reported by Donn Lee.
Bug: 15026
Change-Id: I54bb65338a22c3d9cb691618baeb011a869182d3
Reviewed-on: https://code.wireshark.org/review/28939
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Variable units is shifted two times, in proto_tree_add_item_ret_unit and
again in the dissector.
Change-Id: Ia93bfe59730a7634201de26b37dcc8111515eea5
Reviewed-on: https://code.wireshark.org/review/28931
Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
The implementation of wmem_strsplit() has changed to behave like
g_strsplit(), and this affects splitting strings starting with the
delimiter. Update URI Path splitting for the new behaviour.
Ping-Bug: 14980
Change-Id: Id50cca24861b6d0969077e604ea199d864a9036c
Reviewed-on: https://code.wireshark.org/review/28930
Petri-Dish: Stig Bjørlykke <stig@bjorlykke.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Stig Bjørlykke <stig@bjorlykke.org>