summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorPeter Wu <lekensteyn@gmail.com>2013-10-01 23:02:53 +0200
committerPeter Wu <lekensteyn@gmail.com>2013-10-01 23:02:53 +0200
commit1927a4fa8d871188842cddde7755f4d34f804dd2 (patch)
treec52264a0d88559401ce288b662476551d2863917
parent7bb3df540d659fe6c674a26b9a10704629a9bf6f (diff)
downloadwireshark-notes-1927a4fa8d871188842cddde7755f4d34f804dd2.tar.gz
generate-wireshark-cs: fix ECDH, add PSK, drop SIG_
ssl_get_keyex_alg.txt contains the current supported list of cipher suites for key exchange by the ssl_get_keyex_alg() function. It was generated with: awk -F '[ :;\t]+' '/^gint ssl_get_keyex_alg/{p=1} /case/{if(p)a[$3]=0} /return/{for(i in a)print i, $3;delete a} /^} /{if(p)exit}' packet-ssl-utils.c This file can then be converted and sorted with: while read num name; do echo $((num)) $name; done < ssl_get_keyex_alg.txt | sort -n > /tmp/1 To get the current cipher suites list: awk -F '[ {,]+' '/,KEX_/{print $2, $3}' packet-ssl-utils.c > /tmp/2 Check which cipher suites are missing or have an incorrect key exchange: diff -y /tmp/[12] It turned out that the ECDH cipher suites were incorrectly marked as DH (tested on top of SVN rev 52320). Therefore adjust the generate-wireshark-cs file.
-rwxr-xr-xgenerate-wireshark-cs24
-rw-r--r--kex-fix/ssl_get_keyex_alg.txt210
-rw-r--r--kex-fix/ssl_get_keyex_alg.txt.diff210
-rw-r--r--notes.txt16
-rwxr-xr-xopenssl-connect1
-rwxr-xr-xopenssl-listen1
6 files changed, 443 insertions, 19 deletions
diff --git a/generate-wireshark-cs b/generate-wireshark-cs
index 4bc1fa1..1d1d885 100755
--- a/generate-wireshark-cs
+++ b/generate-wireshark-cs
@@ -17,7 +17,7 @@ warn() {
}
p() {
- local tmp kex sig keysize exp_keysize=0 dig diglen mode us_export blocksize hexid
+ local tmp kex keysize exp_keysize=0 dig diglen mode us_export blocksize hexid
[ $# -gt 0 ] || return
num=$(($2*0x100 + $3))
hexid=000$(echo "obase=16;$num" | bc)
@@ -32,31 +32,17 @@ p() {
tmp=${tmp%_EXPORT}
tmp=${tmp#TLS_}
case $tmp in
+ PSK) kex=PSK ;;
+ RSA_PSK) kex=RSA_PSK ;;
RSA) kex=RSA ;;
DH_*|DHE_*) kex=DH ;;
- ECDH_*|ECDHE_*) kex=DH ;;
+ ECDH_*|ECDHE_*) kex=ECDH ;;
*)
warn "Unknown kex in $hexid $1 (tmp=$tmp)"
return
;;
esac
- tmp=${1%%_WITH_*}
- tmp=${tmp%_EXPORT}
- tmp=${tmp#TLS_}
- tmp=${tmp#EC}
- tmp=${tmp#DH_}
- tmp=${tmp#DHE_}
- case $tmp in
- RSA|DSS) sig=$tmp ;;
- ECDSA) sig=DSS ;;
- anon) sig=NONE ;;
- *)
- warn "Unknown sig in $hexid $1 (tmp=$tmp)"
- return
- ;;
- esac
-
# HACK HACK HACK
tmp=${1#*WITH_}
cipher=${tmp%%_*}
@@ -151,7 +137,7 @@ p() {
esac
cat <<EOF
- {$num,KEX_$kex,SIG_$sig,ENC_$cipher,$blocksize,$keysize,$exp_keysize,DIG_$dig, SSL_CIPHER_MODE_$mode}, /* $1 */
+ {$num,KEX_$kex,ENC_$cipher,$blocksize,$keysize,$exp_keysize,DIG_$dig, SSL_CIPHER_MODE_$mode}, /* $1 */
EOF
}
diff --git a/kex-fix/ssl_get_keyex_alg.txt b/kex-fix/ssl_get_keyex_alg.txt
new file mode 100644
index 0000000..380037c
--- /dev/null
+++ b/kex-fix/ssl_get_keyex_alg.txt
@@ -0,0 +1,210 @@
+0xffe0 KEX_RSA
+0x003d KEX_RSA
+0x0003 KEX_RSA
+0xffe1 KEX_RSA
+0x002f KEX_RSA
+0x0004 KEX_RSA
+0x0041 KEX_RSA
+0x0005 KEX_RSA
+0x0060 KEX_RSA
+0x0006 KEX_RSA
+0x0061 KEX_RSA
+0x0007 KEX_RSA
+0x00ba KEX_RSA
+0x009c KEX_RSA
+0x0062 KEX_RSA
+0x0035 KEX_RSA
+0x0008 KEX_RSA
+0x009d KEX_RSA
+0x0009 KEX_RSA
+0x0064 KEX_RSA
+0x000a KEX_RSA
+0x00c0 KEX_RSA
+0x0084 KEX_RSA
+0xfefe KEX_RSA
+0xfeff KEX_RSA
+0x003b KEX_RSA
+0x0001 KEX_RSA
+0x0096 KEX_RSA
+0x003c KEX_RSA
+0x0002 KEX_RSA
+0x0040 KEX_DH
+0x0042 KEX_DH
+0x009a KEX_DH
+0x0043 KEX_DH
+0x009b KEX_DH
+0x0044 KEX_DH
+0x0045 KEX_DH
+0x0046 KEX_DH
+0x009e KEX_DH
+0x009f KEX_DH
+0x0063 KEX_DH
+0x0065 KEX_DH
+0x0066 KEX_DH
+0x0067 KEX_DH
+0x0068 KEX_DH
+0x00aa KEX_DH
+0x0069 KEX_DH
+0x00ab KEX_DH
+0x0085 KEX_DH
+0x0086 KEX_DH
+0x0087 KEX_DH
+0x0088 KEX_DH
+0x0089 KEX_DH
+0x00b2 KEX_DH
+0x000b KEX_DH
+0x00b3 KEX_DH
+0x000c KEX_DH
+0x00b4 KEX_DH
+0x000d KEX_DH
+0x00b5 KEX_DH
+0x000e KEX_DH
+0x000f KEX_DH
+0x002d KEX_DH
+0x0010 KEX_DH
+0x0011 KEX_DH
+0x0012 KEX_DH
+0x006a KEX_DH
+0x0013 KEX_DH
+0x006b KEX_DH
+0x0014 KEX_DH
+0x006c KEX_DH
+0x0015 KEX_DH
+0x006d KEX_DH
+0x0016 KEX_DH
+0x0017 KEX_DH
+0x0030 KEX_DH
+0x0018 KEX_DH
+0x0031 KEX_DH
+0x0019 KEX_DH
+0x0032 KEX_DH
+0x0033 KEX_DH
+0x0034 KEX_DH
+0x0036 KEX_DH
+0x008e KEX_DH
+0x0037 KEX_DH
+0x008f KEX_DH
+0x0038 KEX_DH
+0x0039 KEX_DH
+0x0090 KEX_DH
+0x0091 KEX_DH
+0x00bb KEX_DH
+0x00bc KEX_DH
+0x00bd KEX_DH
+0x00be KEX_DH
+0x00bf KEX_DH
+0x0097 KEX_DH
+0x0098 KEX_DH
+0x0099 KEX_DH
+0x00a0 KEX_DH
+0x00a1 KEX_DH
+0x00a2 KEX_DH
+0x00a3 KEX_DH
+0x00a4 KEX_DH
+0x00a5 KEX_DH
+0x00a6 KEX_DH
+0x00a7 KEX_DH
+0x00c1 KEX_DH
+0x001a KEX_DH
+0x00c2 KEX_DH
+0x001b KEX_DH
+0x00c3 KEX_DH
+0x00c4 KEX_DH
+0x00c5 KEX_DH
+0x003a KEX_DH
+0x003e KEX_DH
+0x003f KEX_DH
+0xc030 KEX_ECDH
+0xc017 KEX_ECDH
+0xc031 KEX_ECDH
+0xc018 KEX_ECDH
+0xc032 KEX_ECDH
+0xc019 KEX_ECDH
+0xc033 KEX_ECDH
+0xc034 KEX_ECDH
+0xc035 KEX_ECDH
+0xc036 KEX_ECDH
+0xc037 KEX_ECDH
+0xc038 KEX_ECDH
+0xc039 KEX_ECDH
+0xc03a KEX_ECDH
+0xc03b KEX_ECDH
+0xc001 KEX_ECDH
+0xc002 KEX_ECDH
+0xc003 KEX_ECDH
+0xc004 KEX_ECDH
+0xc005 KEX_ECDH
+0xc006 KEX_ECDH
+0xc007 KEX_ECDH
+0xc008 KEX_ECDH
+0xc009 KEX_ECDH
+0xc023 KEX_ECDH
+0xc024 KEX_ECDH
+0xc025 KEX_ECDH
+0xc026 KEX_ECDH
+0xc027 KEX_ECDH
+0xc028 KEX_ECDH
+0xc029 KEX_ECDH
+0xc00a KEX_ECDH
+0xc00b KEX_ECDH
+0xc00c KEX_ECDH
+0xc00d KEX_ECDH
+0xc00e KEX_ECDH
+0xc00f KEX_ECDH
+0xc02a KEX_ECDH
+0xc02b KEX_ECDH
+0xc02c KEX_ECDH
+0xc02d KEX_ECDH
+0xc02e KEX_ECDH
+0xc02f KEX_ECDH
+0xc010 KEX_ECDH
+0xc011 KEX_ECDH
+0xc012 KEX_ECDH
+0xc013 KEX_ECDH
+0xc014 KEX_ECDH
+0xc015 KEX_ECDH
+0xc016 KEX_ECDH
+0xC095 KEX_PSK
+0xC08E KEX_PSK
+0x00B0 KEX_PSK
+0xC08F KEX_PSK
+0x00B1 KEX_PSK
+0x002C KEX_PSK
+0xC0AA KEX_PSK
+0xC0A4 KEX_PSK
+0xC0AB KEX_PSK
+0xC0A5 KEX_PSK
+0xC06A KEX_PSK
+0xC064 KEX_PSK
+0x00AE KEX_PSK
+0x00A8 KEX_PSK
+0x008A KEX_PSK
+0xC06B KEX_PSK
+0xC065 KEX_PSK
+0x00AF KEX_PSK
+0x00A9 KEX_PSK
+0x008B KEX_PSK
+0xC0A8 KEX_PSK
+0x008C KEX_PSK
+0xC0A9 KEX_PSK
+0xC094 KEX_PSK
+0x008D KEX_PSK
+0xC06E KEX_RSA_PSK
+0xC068 KEX_RSA_PSK
+0xC06F KEX_RSA_PSK
+0xC069 KEX_RSA_PSK
+0xC098 KEX_RSA_PSK
+0xC099 KEX_RSA_PSK
+0x00AC KEX_RSA_PSK
+0x002E KEX_RSA_PSK
+0x00B6 KEX_RSA_PSK
+0x00AD KEX_RSA_PSK
+0x0092 KEX_RSA_PSK
+0x00B7 KEX_RSA_PSK
+0x0093 KEX_RSA_PSK
+0xC092 KEX_RSA_PSK
+0x00B8 KEX_RSA_PSK
+0x0094 KEX_RSA_PSK
+0xC093 KEX_RSA_PSK
+0x00B9 KEX_RSA_PSK
+0x0095 KEX_RSA_PSK
diff --git a/kex-fix/ssl_get_keyex_alg.txt.diff b/kex-fix/ssl_get_keyex_alg.txt.diff
new file mode 100644
index 0000000..a28b251
--- /dev/null
+++ b/kex-fix/ssl_get_keyex_alg.txt.diff
@@ -0,0 +1,210 @@
+1 KEX_RSA 1 KEX_RSA
+2 KEX_RSA 2 KEX_RSA
+3 KEX_RSA 3 KEX_RSA
+4 KEX_RSA 4 KEX_RSA
+5 KEX_RSA 5 KEX_RSA
+6 KEX_RSA 6 KEX_RSA
+7 KEX_RSA 7 KEX_RSA
+8 KEX_RSA 8 KEX_RSA
+9 KEX_RSA 9 KEX_RSA
+10 KEX_RSA 10 KEX_RSA
+11 KEX_DH 11 KEX_DH
+12 KEX_DH 12 KEX_DH
+13 KEX_DH 13 KEX_DH
+14 KEX_DH 14 KEX_DH
+15 KEX_DH 15 KEX_DH
+16 KEX_DH 16 KEX_DH
+17 KEX_DH 17 KEX_DH
+18 KEX_DH 18 KEX_DH
+19 KEX_DH 19 KEX_DH
+20 KEX_DH 20 KEX_DH
+21 KEX_DH 21 KEX_DH
+22 KEX_DH 22 KEX_DH
+23 KEX_DH 23 KEX_DH
+24 KEX_DH 24 KEX_DH
+25 KEX_DH 25 KEX_DH
+26 KEX_DH 26 KEX_DH
+27 KEX_DH 27 KEX_DH
+44 KEX_PSK <
+45 KEX_DH <
+46 KEX_RSA_PSK <
+47 KEX_RSA 47 KEX_RSA
+48 KEX_DH 48 KEX_DH
+49 KEX_DH 49 KEX_DH
+50 KEX_DH 50 KEX_DH
+51 KEX_DH 51 KEX_DH
+52 KEX_DH 52 KEX_DH
+53 KEX_RSA 53 KEX_RSA
+54 KEX_DH 54 KEX_DH
+55 KEX_DH 55 KEX_DH
+56 KEX_DH 56 KEX_DH
+57 KEX_DH 57 KEX_DH
+58 KEX_DH 58 KEX_DH
+59 KEX_RSA 59 KEX_RSA
+60 KEX_RSA 60 KEX_RSA
+61 KEX_RSA 61 KEX_RSA
+62 KEX_DH 62 KEX_DH
+63 KEX_DH 63 KEX_DH
+64 KEX_DH 64 KEX_DH
+65 KEX_RSA 65 KEX_RSA
+66 KEX_DH 66 KEX_DH
+67 KEX_DH 67 KEX_DH
+68 KEX_DH 68 KEX_DH
+69 KEX_DH 69 KEX_DH
+70 KEX_DH 70 KEX_DH
+96 KEX_RSA 96 KEX_RSA
+97 KEX_RSA 97 KEX_RSA
+98 KEX_RSA 98 KEX_RSA
+99 KEX_DH 99 KEX_DH
+100 KEX_RSA 100 KEX_RSA
+101 KEX_DH 101 KEX_DH
+102 KEX_DH 102 KEX_DH
+103 KEX_DH 103 KEX_DH
+104 KEX_DH 104 KEX_DH
+105 KEX_DH 105 KEX_DH
+106 KEX_DH 106 KEX_DH
+107 KEX_DH 107 KEX_DH
+108 KEX_DH 108 KEX_DH
+109 KEX_DH 109 KEX_DH
+132 KEX_RSA 132 KEX_RSA
+133 KEX_DH 133 KEX_DH
+134 KEX_DH 134 KEX_DH
+135 KEX_DH 135 KEX_DH
+136 KEX_DH 136 KEX_DH
+137 KEX_DH 137 KEX_DH
+138 KEX_PSK <
+139 KEX_PSK 139 KEX_PSK
+140 KEX_PSK 140 KEX_PSK
+141 KEX_PSK 141 KEX_PSK
+142 KEX_DH <
+143 KEX_DH <
+144 KEX_DH <
+145 KEX_DH <
+146 KEX_RSA_PSK <
+147 KEX_RSA_PSK <
+148 KEX_RSA_PSK <
+149 KEX_RSA_PSK <
+150 KEX_RSA 150 KEX_RSA
+151 KEX_DH 151 KEX_DH
+152 KEX_DH 152 KEX_DH
+153 KEX_DH 153 KEX_DH
+154 KEX_DH 154 KEX_DH
+155 KEX_DH 155 KEX_DH
+156 KEX_RSA 156 KEX_RSA
+157 KEX_RSA 157 KEX_RSA
+158 KEX_DH 158 KEX_DH
+159 KEX_DH 159 KEX_DH
+160 KEX_DH 160 KEX_DH
+161 KEX_DH 161 KEX_DH
+162 KEX_DH 162 KEX_DH
+163 KEX_DH 163 KEX_DH
+164 KEX_DH 164 KEX_DH
+165 KEX_DH 165 KEX_DH
+166 KEX_DH 166 KEX_DH
+167 KEX_DH 167 KEX_DH
+168 KEX_PSK <
+169 KEX_PSK <
+170 KEX_DH <
+171 KEX_DH <
+172 KEX_RSA_PSK <
+173 KEX_RSA_PSK <
+174 KEX_PSK <
+175 KEX_PSK <
+176 KEX_PSK <
+177 KEX_PSK <
+178 KEX_DH <
+179 KEX_DH <
+180 KEX_DH <
+181 KEX_DH <
+182 KEX_RSA_PSK <
+183 KEX_RSA_PSK <
+184 KEX_RSA_PSK <
+185 KEX_RSA_PSK <
+186 KEX_RSA 186 KEX_RSA
+187 KEX_DH 187 KEX_DH
+188 KEX_DH 188 KEX_DH
+189 KEX_DH 189 KEX_DH
+190 KEX_DH 190 KEX_DH
+191 KEX_DH 191 KEX_DH
+192 KEX_RSA 192 KEX_RSA
+193 KEX_DH 193 KEX_DH
+194 KEX_DH 194 KEX_DH
+195 KEX_DH 195 KEX_DH
+196 KEX_DH 196 KEX_DH
+197 KEX_DH 197 KEX_DH
+49153 KEX_ECDH | 49153 KEX_DH
+49154 KEX_ECDH | 49154 KEX_DH
+49155 KEX_ECDH | 49155 KEX_DH
+49156 KEX_ECDH | 49156 KEX_DH
+49157 KEX_ECDH | 49157 KEX_DH
+49158 KEX_ECDH | 49158 KEX_DH
+49159 KEX_ECDH | 49159 KEX_DH
+49160 KEX_ECDH | 49160 KEX_DH
+49161 KEX_ECDH | 49161 KEX_DH
+49162 KEX_ECDH | 49162 KEX_DH
+49163 KEX_ECDH | 49163 KEX_DH
+49164 KEX_ECDH | 49164 KEX_DH
+49165 KEX_ECDH | 49165 KEX_DH
+49166 KEX_ECDH | 49166 KEX_DH
+49167 KEX_ECDH | 49167 KEX_DH
+49168 KEX_ECDH | 49168 KEX_DH
+49169 KEX_ECDH | 49169 KEX_DH
+49170 KEX_ECDH | 49170 KEX_DH
+49171 KEX_ECDH | 49171 KEX_DH
+49172 KEX_ECDH | 49172 KEX_DH
+49173 KEX_ECDH | 49173 KEX_DH
+49174 KEX_ECDH | 49174 KEX_DH
+49175 KEX_ECDH | 49175 KEX_DH
+49176 KEX_ECDH | 49176 KEX_DH
+49177 KEX_ECDH | 49177 KEX_DH
+49187 KEX_ECDH | 49187 KEX_DH
+49188 KEX_ECDH | 49188 KEX_DH
+49189 KEX_ECDH | 49189 KEX_DH
+49190 KEX_ECDH | 49190 KEX_DH
+49191 KEX_ECDH | 49191 KEX_DH
+49192 KEX_ECDH | 49192 KEX_DH
+49193 KEX_ECDH | 49193 KEX_DH
+49194 KEX_ECDH | 49194 KEX_DH
+49195 KEX_ECDH | 49195 KEX_DH
+49196 KEX_ECDH | 49196 KEX_DH
+49197 KEX_ECDH | 49197 KEX_DH
+49198 KEX_ECDH | 49198 KEX_DH
+49199 KEX_ECDH | 49199 KEX_DH
+49200 KEX_ECDH | 49200 KEX_DH
+49201 KEX_ECDH | 49201 KEX_DH
+49202 KEX_ECDH | 49202 KEX_DH
+49203 KEX_ECDH <
+49204 KEX_ECDH <
+49205 KEX_ECDH <
+49206 KEX_ECDH <
+49207 KEX_ECDH <
+49208 KEX_ECDH <
+49209 KEX_ECDH <
+49210 KEX_ECDH <
+49211 KEX_ECDH <
+49252 KEX_PSK <
+49253 KEX_PSK <
+49256 KEX_RSA_PSK <
+49257 KEX_RSA_PSK <
+49258 KEX_PSK <
+49259 KEX_PSK <
+49262 KEX_RSA_PSK <
+49263 KEX_RSA_PSK <
+49294 KEX_PSK <
+49295 KEX_PSK <
+49298 KEX_RSA_PSK <
+49299 KEX_RSA_PSK <
+49300 KEX_PSK <
+49301 KEX_PSK <
+49304 KEX_RSA_PSK <
+49305 KEX_RSA_PSK <
+49316 KEX_PSK <
+49317 KEX_PSK <
+49320 KEX_PSK <
+49321 KEX_PSK <
+49322 KEX_PSK <
+49323 KEX_PSK <
+65278 KEX_RSA <
+65279 KEX_RSA <
+65504 KEX_RSA <
+65505 KEX_RSA <
diff --git a/notes.txt b/notes.txt
index b2f38b5..a78c21e 100644
--- a/notes.txt
+++ b/notes.txt
@@ -1,5 +1,15 @@
/tmp/wireshark/configure --prefix=/tmp/wsroot --with-ssl --with-gtk2 --without-gtk3
+# libgcrypt RC2 fixing
+# Fix compile issue (missing fig2dev in doc, Makefile.in in tests is not
+# generated (Makefile/autotools of the repo too old?))
+sed '/SUBDIRS/s/ doc tests//' -i Makefile.am && ./autogen.sh
+mkdir build && cd build
+../configure --disable-static --disable-padlock-support --prefix=/tmp/libgcrypt/prefix
+make install
+# for libgcrypt-config test in wireshark ./configure
+PATH=/tmp/libgcrypt/prefix/bin:$PATH
+
# find which suites are not supported yet (unsupported.txt)
awk -vsrc=/tmp/wireshark/epan/dissectors/packet-ssl-utils.c -F'[ {,]+' 'BEGIN{while(getline <src)if(/^ *\{.*,KEX_/)a[$2]=1}{if(!a[$1])print}' suites.txt
# find which ciphers openssl supports
@@ -87,6 +97,12 @@ http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-paramete
- ARIA
- mode CCM
+libgcrypt RC2 (40-bit keys) implementation is named "RFC2268_40". This does not
+seem to work with TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 though. I think that the
+unimplemented RFC2268_128 algo should be used. As mentioned in RFC 2246 (TLS
+1.0), section 6.3.1. Export key generation example, this RC2 cipher suite has a
+final_client_write_key length of 128 bits.
+
# Generate RSA stuff
openssl genrsa -out server.pem
openssl req -new -x509 -key server.pem -out server.crt -days 3650 -subj "/CN=*.local.al.lekensteyn.nl"
diff --git a/openssl-connect b/openssl-connect
index 9faab3f..fa9b09a 100755
--- a/openssl-connect
+++ b/openssl-connect
@@ -5,6 +5,7 @@
host=${1:-localhost}
portbase=${2:-4430}
PSK=12345678
+PSK=0102030405060708091011121314151617181920
s_client_client_random() {
awk '
diff --git a/openssl-listen b/openssl-listen
index dd37e44..65cf714 100755
--- a/openssl-listen
+++ b/openssl-listen
@@ -11,6 +11,7 @@ ecd_pub=secp384r1-dsa.crt
ecc_prv=secp384r1-rsa.pem
ecc_pub=secp384r1-rsa.crt
PSK=12345678
+PSK=0102030405060708091011121314151617181920
pkdir=$1
portbase=${2:-4430}