diff options
author | Peter Wu <lekensteyn@gmail.com> | 2013-10-01 23:02:53 +0200 |
---|---|---|
committer | Peter Wu <lekensteyn@gmail.com> | 2013-10-01 23:02:53 +0200 |
commit | 1927a4fa8d871188842cddde7755f4d34f804dd2 (patch) | |
tree | c52264a0d88559401ce288b662476551d2863917 /generate-wireshark-cs | |
parent | 7bb3df540d659fe6c674a26b9a10704629a9bf6f (diff) | |
download | wireshark-notes-1927a4fa8d871188842cddde7755f4d34f804dd2.tar.gz |
generate-wireshark-cs: fix ECDH, add PSK, drop SIG_
ssl_get_keyex_alg.txt contains the current supported list of cipher
suites for key exchange by the ssl_get_keyex_alg() function.
It was generated with:
awk -F '[ :;\t]+' '/^gint ssl_get_keyex_alg/{p=1}
/case/{if(p)a[$3]=0} /return/{for(i in a)print i, $3;delete a} /^}
/{if(p)exit}' packet-ssl-utils.c
This file can then be converted and sorted with:
while read num name; do echo $((num)) $name;
done < ssl_get_keyex_alg.txt | sort -n > /tmp/1
To get the current cipher suites list:
awk -F '[ {,]+' '/,KEX_/{print $2, $3}' packet-ssl-utils.c > /tmp/2
Check which cipher suites are missing or have an incorrect key exchange:
diff -y /tmp/[12]
It turned out that the ECDH cipher suites were incorrectly marked as
DH (tested on top of SVN rev 52320). Therefore adjust the
generate-wireshark-cs file.
Diffstat (limited to 'generate-wireshark-cs')
-rwxr-xr-x | generate-wireshark-cs | 24 |
1 files changed, 5 insertions, 19 deletions
diff --git a/generate-wireshark-cs b/generate-wireshark-cs index 4bc1fa1..1d1d885 100755 --- a/generate-wireshark-cs +++ b/generate-wireshark-cs @@ -17,7 +17,7 @@ warn() { } p() { - local tmp kex sig keysize exp_keysize=0 dig diglen mode us_export blocksize hexid + local tmp kex keysize exp_keysize=0 dig diglen mode us_export blocksize hexid [ $# -gt 0 ] || return num=$(($2*0x100 + $3)) hexid=000$(echo "obase=16;$num" | bc) @@ -32,31 +32,17 @@ p() { tmp=${tmp%_EXPORT} tmp=${tmp#TLS_} case $tmp in + PSK) kex=PSK ;; + RSA_PSK) kex=RSA_PSK ;; RSA) kex=RSA ;; DH_*|DHE_*) kex=DH ;; - ECDH_*|ECDHE_*) kex=DH ;; + ECDH_*|ECDHE_*) kex=ECDH ;; *) warn "Unknown kex in $hexid $1 (tmp=$tmp)" return ;; esac - tmp=${1%%_WITH_*} - tmp=${tmp%_EXPORT} - tmp=${tmp#TLS_} - tmp=${tmp#EC} - tmp=${tmp#DH_} - tmp=${tmp#DHE_} - case $tmp in - RSA|DSS) sig=$tmp ;; - ECDSA) sig=DSS ;; - anon) sig=NONE ;; - *) - warn "Unknown sig in $hexid $1 (tmp=$tmp)" - return - ;; - esac - # HACK HACK HACK tmp=${1#*WITH_} cipher=${tmp%%_*} @@ -151,7 +137,7 @@ p() { esac cat <<EOF - {$num,KEX_$kex,SIG_$sig,ENC_$cipher,$blocksize,$keysize,$exp_keysize,DIG_$dig, SSL_CIPHER_MODE_$mode}, /* $1 */ + {$num,KEX_$kex,ENC_$cipher,$blocksize,$keysize,$exp_keysize,DIG_$dig, SSL_CIPHER_MODE_$mode}, /* $1 */ EOF } |