Ping-Bug: 15416
Change-Id: I24593bdc9f2399085926724176b1a0a8197d7e1a
Reviewed-on: https://code.wireshark.org/review/31662
Reviewed-by: Michael Mann <mmann78@netscape.net>
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Update the flag descriptors for options inside a set_with_meta and
del_with_meta message, whilst also adding a new flag, IS_EXPIRATION,
for only del_with_meta.
Change-Id: I2f97c5aecb618e90783a39ce026ae0feba110dfd
Reviewed-on: https://code.wireshark.org/review/31675
Reviewed-by: Jim Walker <jim@couchbase.com>
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Field 'Src port' (mint.header.srcport) has a conflicting entry in its value_string: 133 is at indices 63 (trouble/dgram) and 64 (trouble/stream)
Change-Id: Ic0033e2fad7cc8338aafec6f4a32df0fbe4c3d9d
Reviewed-on: https://code.wireshark.org/review/31630
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
* implement preauth hashing
keep hash state in conversation object
- preauth_hash_con for connection hash state
- preauth_hash_ses for session preauth hash state
- preauth_hash_current points to either one of the above depending
on where we are in the connection state
- store final session preauth hash in session object
store per-packet hash in the saved packet data
object (smb2_saved_info_t) and display it as generated field.
Since requests and responses share the same pointer, make a hash buffer
for each (preauth_hash_req, preauth_hash_res).
* implement 3.1.1 key derivation
use session preauth hash to generate the keys
* sample
Sample from https://wiki.wireshark.org/SampleCaptures#SMB3.1.1_encryption
can be loaded as follows:
tshark -ouat:smb2_seskey_list:690000ac1c280000,b25a135fc3dc14269f20d7cbc8716b6b -r smb311-aes-128-ccm-filt.pcap
To obtain the session ID and key you can compile your kernel with
CIFS_DEBUG_KEYS enabled and all the info should be printed on the
console when cifs.ko generates keys. The patch that adds this
config option was merged in the Linux 4.13 kernel.
Change-Id: Iee41ef9e2dd93795a0c7953fdd1f5256fe477dd2
Reviewed-on: https://code.wireshark.org/review/31659
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
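The two mechanisms this commit message names, the preauth integrity hash chain and the SMB 3.1.1 key derivation, are shown below as an added Python example. It is not Wireshark's C dissector code; it follows the MS-SMB2 description (SHA-512 chain over the NEGOTIATE and SESSION_SETUP messages, then an SP800-108 counter-mode KDF with HMAC-SHA256 over the session key and that hash). The SMB 3.0.x derivation is included for contrast because its KDF context is a fixed string, which is the reason the dialect has to be known before keys are generated (see the "we need to know the dialect" commit further down). The PDU bytes are constructed placeholders; the session key is the one from the tshark command above.

```python
"""SMB 3.1.1 preauth integrity hash and key derivation (added example).

Not Wireshark code. Follows MS-SMB2: the preauth hash is a SHA-512 chain
kept per connection (NEGOTIATE) and continued per session (SESSION_SETUP);
the 3.1.1 keys come from an SP800-108 counter-mode KDF (HMAC-SHA256) whose
context is the session preauth hash. SMB 3.0.x uses fixed contexts instead.
All PDUs below are constructed placeholders, not bytes from a real capture.
"""
import hashlib
import hmac
import struct

HASH_LEN = 64    # SHA-512 digest size; the chain starts from 64 zero bytes
KEY_BITS = 128   # AES-128-CCM / AES-128-GCM key length


def preauth_hash_init() -> bytes:
    return bytes(HASH_LEN)


def preauth_hash_update(prev: bytes, message: bytes) -> bytes:
    """H_n = SHA-512(H_{n-1} || message); message is the full SMB2 PDU incl. header."""
    return hashlib.sha512(prev + message).digest()


def connection_preauth_hash(negotiate_req: bytes, negotiate_resp: bytes) -> bytes:
    """Connection-level state: hash over NEGOTIATE request and response."""
    h = preauth_hash_update(preauth_hash_init(), negotiate_req)
    return preauth_hash_update(h, negotiate_resp)


def session_preauth_hash(connection_hash: bytes, session_setup_msgs) -> bytes:
    """Continue the connection hash over the SESSION_SETUP exchange.

    session_setup_msgs holds every SESSION_SETUP request and every intermediate
    (STATUS_MORE_PROCESSING_REQUIRED) response, in wire order. The final,
    successful SESSION_SETUP response is NOT hashed: it is already signed with
    the keys derived from this value.
    """
    h = connection_hash
    for m in session_setup_msgs:
        h = preauth_hash_update(h, m)
    return h


def kdf_input(counter: int, label: bytes, context: bytes, bits: int) -> bytes:
    """SP800-108 counter mode input: i || Label || 0x00 || Context || L (32-bit BE)."""
    return struct.pack(">I", counter) + label + b"\x00" + context + struct.pack(">I", bits)


def smb3_kdf(key: bytes, label: bytes, context: bytes, bits: int = KEY_BITS) -> bytes:
    """One HMAC-SHA256 block (32 bytes) already covers a 16-byte key."""
    block = hmac.new(key, kdf_input(1, label, context, bits), hashlib.sha256).digest()
    return block[: bits // 8]


def derive_smb311_keys(session_key: bytes, sess_preauth_hash: bytes) -> dict:
    """SMB 3.1.1 (MS-SMB2 3.1.4.2): context is the session preauth hash."""
    ctx = sess_preauth_hash
    return {
        "signing":     smb3_kdf(session_key, b"SMBSigningKey\x00", ctx),
        "c2s_cipher":  smb3_kdf(session_key, b"SMBC2SCipherKey\x00", ctx),
        "s2c_cipher":  smb3_kdf(session_key, b"SMBS2CCipherKey\x00", ctx),
        "application": smb3_kdf(session_key, b"SMBAppKey\x00", ctx),
    }


def derive_smb30_keys(session_key: bytes) -> dict:
    """SMB 3.0 / 3.0.2: fixed contexts, the preauth hash plays no role."""
    return {
        "signing":     smb3_kdf(session_key, b"SMB2AESCMAC\x00", b"SmbSign\x00"),
        "c2s_cipher":  smb3_kdf(session_key, b"SMB2AESCCM\x00", b"ServerIn \x00"),
        "s2c_cipher":  smb3_kdf(session_key, b"SMB2AESCCM\x00", b"ServerOut\x00"),
        "application": smb3_kdf(session_key, b"SMB2APP\x00", b"SmbRpc\x00"),
    }


def derive_keys(dialect: int, session_key: bytes, sess_preauth_hash: bytes = b"") -> dict:
    """Dispatch on the negotiated dialect, as a dissector must."""
    if dialect == 0x0311:
        return derive_smb311_keys(session_key, sess_preauth_hash)
    if dialect in (0x0300, 0x0302):
        return derive_smb30_keys(session_key)
    raise ValueError("dialect 0x%04x has no SMB3 key derivation" % dialect)


def example_exchange() -> dict:
    """Constructed PDUs standing in for a two-round session setup."""
    neg_req  = b"\xfeSMB" + b"\x00" * 60 + b"NEGOTIATE-REQ"
    neg_resp = b"\xfeSMB" + b"\x00" * 60 + b"NEGOTIATE-RESP"
    ss_req1  = b"\xfeSMB" + b"\x00" * 60 + b"SESSION_SETUP-REQ-1"
    ss_resp1 = b"\xfeSMB" + b"\x00" * 60 + b"SESSION_SETUP-RESP-MORE_PROCESSING"
    ss_req2  = b"\xfeSMB" + b"\x00" * 60 + b"SESSION_SETUP-REQ-2"
    # The final STATUS_SUCCESS response is deliberately not part of the chain.
    session_key = bytes.fromhex("b25a135fc3dc14269f20d7cbc8716b6b")  # key from the tshark example
    con_hash = connection_preauth_hash(neg_req, neg_resp)
    ses_hash = session_preauth_hash(con_hash, [ss_req1, ss_resp1, ss_req2])
    return {"connection_hash": con_hash, "session_hash": ses_hash,
            "keys": derive_keys(0x0311, session_key, ses_hash)}


if __name__ == "__main__":
    for name, value in example_exchange()["keys"].items():
        print(name, value.hex())
```

With a real capture you would feed the exact PDU bytes (including the 64-byte SMB2 header, excluding any transport length prefix) into the chain in the order they appear on the wire, and the derived signing key must verify the signature on the final SESSION_SETUP response before you trust the other keys.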
This will enable four tests in case_wireshark_capture on Linux, two of
them require --capture-interface to be specified.
To enable headless mode, QT_QPA_PLATFORM=minimal is set. Unfortunately
this option causes a null pointer dereference crash on macOS and it also
fails on Windows (cause not investigated). So limit it to Linux for now.
Change-Id: Id05364571b2c9da38434e611d92642a1177700df
Reviewed-on: https://code.wireshark.org/review/31664
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
* factor out duplicated code to lookup and create sessions
* we now create a (potentially dummy) session object all the time, no
need for null checks.
* stash session key in session object in preparation for SMB3.1.1
decryption
Change-Id: I5499c6363abc1356fd35f22b1b8bc363dd5ec347
Reviewed-on: https://code.wireshark.org/review/31658
Reviewed-by: ronnie sahlberg <ronniesahlberg@gmail.com>
ui is required by randpkt_core, so move it to its deps.
Bug: 15401
Change-Id: Ia8cfaddd220a22c1cf03ec6bf8f83f068f8d94ba
Reviewed-on: https://code.wireshark.org/review/31670
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Dario Lombardo <lomato@gmail.com>
In preparation for SMB3.1.1 decryption we need to know the dialect
when generating the keys.
Change-Id: I68a75bfe6f85b1941a201f8f261de16dbba3dc37
Reviewed-on: https://code.wireshark.org/review/31657
Reviewed-by: ronnie sahlberg <ronniesahlberg@gmail.com>
Factor out duplicated code in decrypted and plain packets to display
generated session information.
Change-Id: Id6d1d862da753cb5dc4111ec61d1c55c6f6fd760
Reviewed-on: https://code.wireshark.org/review/31656
Reviewed-by: ronnie sahlberg <ronniesahlberg@gmail.com>
If there was no secrets type specified, say so. Otherwise, if the
secrets type wasn't valid, report the correct string as the invalid
secrets type.
Change-Id: I3cd7d419ce3577fc176a256069456c5b49e81608
Reviewed-on: https://code.wireshark.org/review/31667
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>
Include the current word in the filter completion list to give the
user a more complete picture of what constitutes a valid single-token
protocol name.
Bug: 15431
Change-Id: I77cfc78f19623d9aefd4441a67ed3ae72068034e
Reviewed-on: https://code.wireshark.org/review/31654
Petri-Dish: Stig Bjørlykke <stig@bjorlykke.org>
Tested-by: Petri Dish Buildbot
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Instead of using "$ORIGIN/../lib" just use "$ORIGIN".
Also be explicit in configuring the relative RPATH. We don't want
to assume a default relative path, in case more targets are added,
out of caution.
Change-Id: I3b7f5e8de7be8bb30aca3b433212113d876c4163
Reviewed-on: https://code.wireshark.org/review/31647
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
From the updates to text2pcap take the updates to the code comments and
apply them here as well. This also applies to the User Guide help texts.
Change-Id: I4e73fb1372ea0c1866c6d0fee7c14bc645fbe1b1
Signed-off-by: Jaap Keuter <jaap.keuter@xs4all.nl>
Reviewed-on: https://code.wireshark.org/review/31636
Tested-by: Petri Dish Buildbot
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Building only a subset of programs is not a very common situation, it is
more likely that some feature was accidentally disabled. For that
reason, fail tests by default unless a program is explicitly permitted
to be missing.
The '-v' test is now dropped from the Travis tests, the sole reason for
adding it was to see which tests got (accidentally) skipped.
Change-Id: I725f4508541d8ed980e17d69fb7aee1ad2875d73
Reviewed-on: https://code.wireshark.org/review/31660
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Change-Id: I37a0cd4bb6ee419873ab05a131279c36c68a8c13
Reviewed-on: https://code.wireshark.org/review/31653
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Mention some changes to aid developers and distributors.
Change-Id: Ifd33796fd3b4883275c034021d25ae9b35eef1a5
Reviewed-on: https://code.wireshark.org/review/31651
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Depending on the build location, the full source and/or build directory
is currently visible in error messages (for example, DISSECTOR_ASSERT).
Remove these to help with reproducible builds and have shorter messages.
A similar option (-fdebug-prefix-map) is also needed, but it affects
external debugging tools and is therefore better left to distributors
(Debian and Arch Linux do this for example).
Bug: 15163
Change-Id: Icd8559bef2035f295aefbfc57ba6a342bfe76a41
Reviewed-on: https://code.wireshark.org/review/31645
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
This results in shorter filters. Some filters (such as quic.stream)
already omitted "frame_type". Done with an automated search and replace.
Change-Id: Iad8710b3b66487e5f744e10cde3561d34f20fe99
Reviewed-on: https://code.wireshark.org/review/31648
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Also reorder fields to match the bit layout.
Bug: 13881
Change-Id: I43d3186ae0a0f871302b8a3b34fcb628b38b2306
Reviewed-on: https://code.wireshark.org/review/31644
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
As all packet number fields are encrypted, it is no longer useful to
display the partial packet number. The user can infer the original
decrypted value by checking the field length and truncating the value.
Bug: 13881
Change-Id: I7926ac7439ff579b9dd5047dde87f738aefac76d
Reviewed-on: https://code.wireshark.org/review/31643
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Create ciphers earlier in the long header dissection process such that
the flag byte can be decrypted, dissect Reserved and Packet Number
Length fields.
Bug: 13881
Change-Id: I233ee1cab9783f00a4ed6e1e3689135f979ec820
Reviewed-on: https://code.wireshark.org/review/31642
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
While gQUIC Q044 is compatible with the IETF QUIC long headers format,
it is not the same. Remove gQUIC support since it is incomplete (flag
dissection is wrong, payload is not correctly dissected) and slows down
IETF QUIC dissector development. If support is restored, it should
likely be added as heuristics in packet-gquic.c
This is a manual revert of v2.9.0rc0-2173-g9fcb4af6b6 ("QUIC: gQUIC Q044
always use CHLO from gQUIC (with tag)") plus some other changes.
Change-Id: If75d81a4c38475f4e11fd8ade7252991f0ba0316
Reviewed-on: https://code.wireshark.org/review/31640
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
This was necessary to support draft -12 and -13 at the same time. As the
QUIC WG seems to slow down on further changes, this can be removed.
Removing this prepares for properly dissecting the decrypted flag byte
in dissect_quic_long_header.
Change-Id: Ieb7852e2cbdb89730a80b574d04e9ca42e16c23a
Reviewed-on: https://code.wireshark.org/review/31641
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Draft -17 shifts the key phase bit and encrypts it. The old KP bit is
now always 1 which broke decryption due to selection of the wrong
payload protection cipher.
Split calculation of the header protection and payload protection
cipher such that the short header flag can be decrypted earlier. Now the
decrypted flag can be displayed and the correct pp cipher is selected.
Bug: 13881
Change-Id: Ic9468498c3d0fb3f0a456d947824b40709db4927
Reviewed-on: https://code.wireshark.org/review/31637
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
CMAKE_INSTALL_RPATH is set inside the if() block and not before.
Change-Id: Id8a863ca9bf5fed367de3fa7681a9a269d3f4f07
Reviewed-on: https://code.wireshark.org/review/31646
Reviewed-by: João Valverde <j@v6e.pt>
Petri-Dish: João Valverde <j@v6e.pt>
Tested-by: Petri Dish Buildbot
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
At the moment, wslua first registers a class and then adds its
attributes in a second step. This registration creates empty __getters
and __setters tables which are later populated with the getter and
setter methods of the attributes.
Looking at the code and the comments, it seems that this was meant to be
a temporary solution. Eventually, attributes should be stored in
wslua_class' attrs field. The code to read and write attributes was
already updated to handle this.
Add new macros WSLUA_REGISTER_CLASS/_META_WITH_ATTRS that store the
attributes in wslua_class. Defining new macros is simpler than modifying
WSLUA_REGISTER_CLASS/_META to register attributes. If we did the latter,
we'd have to add an empty attribute list for all classes without
attributes.
We can now drop the WSLUA_REGISTER_ATTRIBUTES macro and the
wslua_reg_attributes function.
Using this new way of registering attributes, the __getters and
__setters tables are still available. The tests in the test suite that
rely on those tables still pass.
Change-Id: I526b9116435645c9c54ab69a05c3c7f3d459ec33
Reviewed-on: https://code.wireshark.org/review/31417
Reviewed-by: Martin Kaiser <wireshark@kaiser.cx>
Petri-Dish: Martin Kaiser <wireshark@kaiser.cx>
Tested-by: Petri Dish Buildbot
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Since commit a3991874eb cmake fails
when LIBXML2 is not found.
LIBXML2_INCLUDE_DIR is used but not set.
This commit sets LIBXML2_INCLUDE_DIR.
Change-Id: Ieb8b4accb5360d397b961fbd311ae349aac2c658
Reviewed-on: https://code.wireshark.org/review/31638
Petri-Dish: João Valverde <j@v6e.pt>
Tested-by: Petri Dish Buildbot
Reviewed-by: João Valverde <j@v6e.pt>
When built with -DCMAKE_INSTALL_PREFIX=/usr -DCMAKE_INSTALL_LIBDIR=lib
(as is done by many Linux distributions), do not set an unnecessary
RPATH. This was the case before v2.9.0rc0-2727-g697623411c.
Relocatable builds will still be possible with the default options as
/usr/local/lib is typically not considered a system library path.
Change-Id: Ic6ff1760183c20d3f9f9fb787604e888e116534e
Reviewed-on: https://code.wireshark.org/review/31602
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: João Valverde <j@v6e.pt>
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
The new value has been chosen to make room for sharkd packet output
as: proto.c:MAX_TREE_LEVELS * 2 + 10% of additional sharkd overhead.
A new regression test for sharkd has been added that requires more
than 15 levels.
Change-Id: Ie54955c79c50c60b95c99b1a3c472888fc4842ac
Reviewed-on: https://code.wireshark.org/review/31624
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Decryption would fail after switching from Initial to the Handshake
message due to the packet number changing from 1 to 0 which would result
in the wrong reconstructed packet number. To fix this, implement three
different packet spaces and update the full packet number only if
decryption succeeds.
While at it, document all tricky interactions between packet number
spaces and different secrets / ciphers.
Bug: 13881
Change-Id: Ic88a83cdf76cb024054de8a32ea959bd1dacaca3
Reviewed-on: https://code.wireshark.org/review/31635
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
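The packet number handling this commit describes, truncated numbers expanded against the largest number seen in the same packet number space and the state advanced only once decryption has succeeded, is shown below as an added Python example. It is not the Wireshark dissector's code; the expansion routine is the sample decoding algorithm from the QUIC transport draft's appendix, and the three-space tracker is this example's own structure. The packet sequence fed to it is constructed, not taken from a capture.

```python
"""QUIC packet number reconstruction per packet number space (added example).

Not Wireshark code. decode_packet_number() is the QUIC transport draft's
sample packet number decoding algorithm; PacketNumberTracker keeps one
"largest packet number" per space (Initial, Handshake, Application) so the
Handshake space restarting at 0 is expanded against its own history rather
than against the Initial space's numbers. A reconstructed value is only
recorded once the caller reports that the packet actually decrypted.
"""
from enum import Enum


class PnSpace(Enum):
    INITIAL = 0
    HANDSHAKE = 1
    APPLICATION = 2   # 0-RTT and 1-RTT share this space


def decode_packet_number(largest_pn: int, truncated_pn: int, pn_nbits: int) -> int:
    """Expand a truncated packet number (pn_nbits = 8, 16, 24 or 32 on the wire).

    Picks the candidate closest to largest_pn + 1 whose low pn_nbits match,
    within a window of 2**pn_nbits centred on that expectation.
    """
    expected_pn = largest_pn + 1
    pn_win = 1 << pn_nbits
    pn_hwin = pn_win // 2
    pn_mask = pn_win - 1
    candidate_pn = (expected_pn & ~pn_mask) | truncated_pn
    if candidate_pn <= expected_pn - pn_hwin and candidate_pn < (1 << 62) - pn_win:
        return candidate_pn + pn_win
    if candidate_pn > expected_pn + pn_hwin and candidate_pn >= pn_win:
        return candidate_pn - pn_win
    return candidate_pn


class PacketNumberTracker:
    """Largest packet number seen so far, kept separately for each space."""

    def __init__(self):
        # -1 means "nothing seen yet": expected_pn then starts at 0.
        self.largest = {space: -1 for space in PnSpace}

    def reconstruct(self, space: PnSpace, truncated_pn: int, pn_len_bytes: int) -> int:
        """Guess the full packet number; does NOT change state."""
        return decode_packet_number(self.largest[space], truncated_pn, pn_len_bytes * 8)

    def commit(self, space: PnSpace, full_pn: int) -> None:
        """Call only after the payload decrypted with the keys for this space."""
        if full_pn > self.largest[space]:
            self.largest[space] = full_pn


def process(tracker: PacketNumberTracker, packets) -> list:
    """packets: (space, truncated_pn, pn_len_bytes, decrypt_ok) tuples, wire order.

    Returns the reconstructed full packet numbers. decrypt_ok stands in for
    the AEAD check; a failed decryption leaves the tracker untouched.
    """
    out = []
    for space, truncated_pn, pn_len, decrypt_ok in packets:
        full_pn = tracker.reconstruct(space, truncated_pn, pn_len)
        if decrypt_ok:
            tracker.commit(space, full_pn)
        out.append(full_pn)
    return out


def example_flow() -> list:
    """Constructed sequence: two Initial packets, then Handshake restarting at 0."""
    pkts = [
        (PnSpace.INITIAL,   0x00, 1, True),
        (PnSpace.INITIAL,   0x01, 1, True),
        (PnSpace.HANDSHAKE, 0x00, 1, True),   # new space, restarts at 0
        (PnSpace.HANDSHAKE, 0x01, 1, False),  # e.g. missing key: not committed
        (PnSpace.HANDSHAKE, 0x01, 1, True),
        (PnSpace.INITIAL,   0x02, 1, True),   # Initial space still continues from 1
    ]
    return process(PacketNumberTracker(), pkts)


if __name__ == "__main__":
    print(example_flow())
```

The draft appendix's own check vector is a useful sanity test for the expansion routine: with largest_pn 0xa82f30ea and a 16-bit truncated value 0x9b32 the result must be 0xa82f9b32.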
Packet numbers in handshake messages are protected by a cipher different
from the initial cipher.
Bug: 13881
Change-Id: Ife6524c0525df10ff3c64f4333908b189f823509
Reviewed-on: https://code.wireshark.org/review/31634
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Reviewed-by: Anders Broman <a.broman58@gmail.com>