Age | Commit message | Author | Files | Lines |
|
When libssl.so.1.1.1 was not yet loaded, it would assume that an older
library was already loaded and avoid the new API. That assumption is not
correct; it is also possible that no library was loaded at all, as is the
case with Python. Test:
./sslkeylog.sh python -c \
'import requests;print(requests.head("https://wireshark.org"))'
Before this fix it would output all zeroes as secret (a sign that
something is wrong).
|
|
OpenSSL 1.1.1 adds TLS 1.3 support which uses a new secrets format.
Previously it resulted in garbage keylog files, this has been fixed now.
OpenSSL 1.1.1 also introduces a new API for secrets extraction.
Consumers can use it like this (curl uses this code for example):
static void keylog_callback(const SSL *ssl, const char *line) {
/* write line and terminating '\n' */
}
{
SSL_CTX *ctx;
...
SSL_CTX_set_keylog_callback(ctx, keylog_callback);
SSL *ssl = SSL_new(ctx);
}
In case you cannot change the source code for an application, you can
use sslkeylog.c again. This will basically perform the above step, set
the key log callback before calling SSL_new.
Since the new OpenSSL 1.1.1 API requires no further interception of
SSL_read and other functions, a new NO_OPENSSL_110_SUPPORT macro was added
to avoid intercepting these. Additionally, a NO_OPENSSL_102_SUPPORT macro
avoids the need for OpenSSL development headers.
Caveat: when building with OpenSSL <= 1.0.2, libsslkeylog.so will not be
compatible with runtime OpenSSL 1.1.0. OpenSSL 1.1.1 still works though.
Use of SSL_new and interception via SSL_CTX_set_keylog_callback was
initially proposed by Derick Rethans, thanks for the suggestion!
|
|
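The two commits above describe what a broken key log looks like (all-zero secrets before the fix, garbage files for TLS 1.3 before the new secrets format was handled). The following checker is an added example, not code from the sslkeylog.c repository: it validates lines of a key log file against the NSS key log format that Wireshark reads (CLIENT_RANDOM with a 48-byte master secret for TLS 1.2 and earlier; per-direction traffic secrets of 32 or 48 bytes for TLS 1.3) and flags all-zero secrets. The label set and the sample lines are assumptions constructed for the example.

```python
"""Validate lines of an NSS-format key log file (SSLKEYLOGFILE).

Added example, not part of sslkeylog.c. It checks that each line uses a
known label, that the client random is 32 bytes of hex, that the secret has
a plausible length for its label, and it flags the all-zero secrets that a
failed extraction produces.
"""
import re

# Labels of the NSS key log format as consumed by Wireshark (assumed list).
# TLS 1.2 and earlier: CLIENT_RANDOM <client_random> <48-byte master secret>.
# TLS 1.3: per-direction secrets whose length is the handshake hash output
# (32 bytes for SHA-256 suites, 48 bytes for SHA-384 suites).
TLS12_LABELS = {"CLIENT_RANDOM"}
TLS13_LABELS = {
    "CLIENT_EARLY_TRAFFIC_SECRET",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0",
    "EXPORTER_SECRET",
}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def check_line(line):
    """Return None if the line looks valid, otherwise a short problem string."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None  # blank lines and comments are ignored by readers
    parts = line.split()
    if len(parts) != 3:
        return "expected 3 fields, got %d" % len(parts)
    label, client_random, secret = parts
    if label in TLS12_LABELS:
        secret_lens = {48}
    elif label in TLS13_LABELS:
        secret_lens = {32, 48}
    else:
        return "unknown label %r" % label
    for name, value in (("client random", client_random), ("secret", secret)):
        if not HEX_RE.match(value) or len(value) % 2:
            return "%s is not valid hex" % name
    if len(client_random) != 64:
        return "client random is %d bytes, expected 32" % (len(client_random) // 2)
    if len(secret) // 2 not in secret_lens:
        return "secret is %d bytes, expected one of %s" % (
            len(secret) // 2, sorted(secret_lens))
    if set(secret) <= {"0"}:
        # This is the symptom described for the pre-fix sslkeylog.c build.
        return "secret is all zeroes (extraction failed)"
    return None


def check_keylog(text):
    """Return a list of (line_number, problem) for every bad line in text."""
    problems = []
    for lineno, line in enumerate(text.splitlines(), 1):
        problem = check_line(line)
        if problem is not None:
            problems.append((lineno, problem))
    return problems


# Constructed sample key log: one good TLS 1.2 line, one all-zero secret,
# one good TLS 1.3 line, one garbage line, one TLS 1.3 line with a bad length.
SAMPLE_KEYLOG = "\n".join([
    "CLIENT_RANDOM " + "aa" * 32 + " " + "bb" * 48,
    "CLIENT_RANDOM " + "cc" * 32 + " " + "00" * 48,
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "dd" * 32 + " " + "ee" * 32,
    "CLIENT_RANDOM 1234 garbage",
    "CLIENT_TRAFFIC_SECRET_0 " + "dd" * 32 + " " + "ff" * 20,
])

if __name__ == "__main__":
    for lineno, problem in check_keylog(SAMPLE_KEYLOG):
        print("line %d: %s" % (lineno, problem))
```

Run it against a real SSLKEYLOGFILE by reading the file into check_keylog; an all-zero secret means the hook never saw the real master secret, and lengths other than the ones listed above usually mean the wrong OpenSSL code path wrote the line.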
Apparently the undocumented pagination limit is 100.
|
|
Large artifacts may be accumulated and at the moment hit the 50GB
limit. Deleting them one by one is cumbersome, so here is a way to
automate it. Motivation: https://code.wireshark.org/review/30268
|
|
|
|
If the final 1.3 version is not supported, negotiation could fail if
TLS 1.2 is not allowed. This is the case with tls13.crypto.mozilla.org.
|
|
|
|
Source is from April 3rd, 2018 or before.
|
|
Ensure that files are put within a subdirectory within the zip. Remove
extra info (timestamps/uid/gid) and sort the URLs while at it.
|
|
Tested with MSVC 2015 (Win64) and the WireGuard patches on top of
v2.9.0rc0-1338-g9b9a0d0f88. The decryption suite (43 tests) passes.
README.Wireshark is based on Pascal's instructions from
libgcrypt-1.7.6-win64ws.zip
|
|
Do not wake up on running tests (which might touch __pycache__ and
pytest files).
|
|
Change from 2018-07-19 13:03 +0200
|
|
|
|
As present in frame 3 of 25.pcap from
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13523
|
|
While working on improving handling of reassembly in presence of
retransmissions, it would be very helpful to have a tool that tells the
correct interpretation. This tool does that. It can probably not
directly be implemented in Wireshark due to the additional memory
requirements.
Used to investigate bugs such as
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13523
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13061
|
|
Used for crafting the capture in
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13523#c1
|
|
For testing various issues such as
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14944
Code coverage checked with Clang 6.0.0 by building packet-tcp.c with
options from https://clang.llvm.org/docs/SourceBasedCodeCoverage.html
# link.sh is the command to link libwireshark.so with the two profiling options
eval $(jq -r '.[] | select(.file | contains("packet-tcp.c")) | .command' compile_commands.json | sed 's/^[^ ]\+/clang -fprofile-instr-generate -fcoverage-mapping/') && time bash link.sh
llvm-profdata merge -sparse tcp.profraw -o tcp.profdata && llvm-cov show epan/dissectors/CMakeFiles/dissectors.dir/packet-tcp.c.o -instr-profile=tcp.profdata /tmp/wireshark/epan/dissectors/packet-tcp.c -name-regex='check_follow_fragments|follow_tcp_tap_listener'
Tested against https://code.wireshark.org/review/#/c/28614/4 with log:
1c6dc6d31f (master) Some fixes.
777dac163a Follow Stream: ensure linear performance with many packets
b853858e84 tcp: remove repetitive "follow_record->is_server"
98c33f532e tcp: fix Follow TCP Stream with missing (but ACKed) segments
8f4abb0346 tcp: fix Follow TCP Stream for overlapping data
9219c4b1b6 tcp: ignore zero-length payloads for Follow TCP Stream
9499a15a4a Qt: fix wrong Follow Stream text position after changing mode
All cases are covered, except for one:
1122| 1| data_offset = follow_info->seq[is_server] - sequence;
1123| 1| if (data_length <= data_offset) {
1124| 0| data_length = 0;
1125| 1| } else {
To reach that situation, the IP header probably needs to be modified, or
the pcap snaplen/caplen fields. Too much work for now and a visual
inspection shows that the case does not hurt, so just go for it.
|
|
Can be imported as a Python module or used separately.
Created at 2017-04-23 for converting oss-fuzz reproducers into an actual
pcap.
|
|
GCRYPT is enabled by default, the option is gone since 2.4. Enable the
ASAN option via CMake to ensure that building lemon does not fail if
detect_leaks is not set.
|
|
And remove the unnecessary nothing() function, it was there to test a
crash issue.
|
|
Added on 2015-09-27, contains a minimal dissector that does not use
fields.
|
|
Look up SSL_SESSION_get_master_key and SSL_get_client_random at runtime
too after intercepting a call, instead of as a link-time dependency.
|
|
Since the previous OpenSSL 1.1.0 compatibility patch, addition of the
SSL_get_session and SSL_SESSION_get_master_key required them to be
available at load time. Since applications are not necessarily linked
with -lssl, this can fail.
Avoid this dependency by looking up the symbols at runtime. Tested with
OpenSSL 1.0.2.k (using python+requests) and
OpenSSL_1_1_0-pre6-1439-g0e2c7b3ee (openssl s_client).
|
|
These steps were used for creating the tests for
https://code.wireshark.org/review/19850
("test: add (D)TLS test for AEAD ciphers")
|
|
These were not supposed to be exposed in the actual filters, but are
used internally because a table value could not act as both a ProtoField
and a table of other ProtoFields.
|
|
The previous implementation took 8.9 seconds with this command:
tshark -Xlua_script:file-zip.lua -r TechnicLauncher.jar -Vx -ozip_archive.decompress:FALSE
If the signature was not optional, we could optimize and avoid a linear
search, using string.find with steps of four bytes on negative match.
This would take 5.6 seconds (but does not handle a missing signature).
The combined approach that first scans with string.find (assuming a
signature) and then falling back to a linear search (assuming no
signature) would take 14.4 seconds (terrible in the worst case).
So try another approach, doing a byte for byte search (as before), but
then delaying the signature check until the length is valid. This
improves the running time to 7.5 seconds.
|
|
Reduce time to process TechnicLauncher.jar from 20 to 9 seconds (ASAN
build with tshark -Vx) by reducing TvbRange allocations.
|
|
Allow decompression to be disabled for performance reasons.
|
|
Found also hints via http://unix.stackexchange.com/q/14705/8250
Analysis of unix/unix.c was done on Info-ZIP 6.0.
|
|
System mappings are taken from the APPNOTE.
|
|
|
|
Finally parses dex2jar-2.0.zip now :-)
|
|
|
|
Jar magic found via
https://github.com/openjdk/jdk7-jdk/blob/f977378235c3f9a73b6f90980cbbcb3c78263c30/src/share/classes/java/util/jar/JarOutputStream.java#L103
|
|
Based on spec from
https://pkware.cachefly.net/webdocs/casestudies/APPNOTE.TXT
|
|
To be able to scan linearly, apply heuristics.
|
|
Well, this does not work because the actual data size is unknown... And
it turns out that you really have to parse the EoCD first, otherwise
.jar files cannot be parsed...
|
|
And also added missing fields for CD. Both were mostly scripted based on
the tables from Wikipedia.
|
|
|
|
|
|
Implemented a template for opening a file and making it available to
dissectors. For this, a FileHandler has been implemented which then
links with the MIME encapsulation type.
The "seek_read" issue mentioned in the comments should be fixed with
https://code.wireshark.org/review/19366
|
|
Append to PATH to avoid clobbering it when putting ccache in $PATH.
Enable SBC codec for testing.
Enable debug-prefix-map, should make relocatable debug builds easier
(where I build in a different directory and move it).
|
|
Created a sample (sip-rtp-g729a.pcap) using FreeSWITCH 1.6.12 and
mod_bcg729 (https://github.com/xadhoom/mod_bcg729).
|
|
Requires appropriately configured FreeSWITCH server that responds to a
call to sip:test@host by playing a fragment, then hanging up.
SIPp scenario was used to create a bunch of captures, uploaded to
https://wiki.wireshark.org/SampleCaptures#SIP_and_RTP
|
|
Requires Python 3.4, but it can be adapted for older versions. It
demonstrates how "easy" it is to capture remotely over SSH when only
tcpdump is installed without dumpcap (in that case you could use
sshdump).
Note that on stopping/restarting captures, you still get some stderr
messages ("Dropped privileges"), but that can be ignored. See also
https://ask.wireshark.org/questions/55768/remote-interface-linux
|
|
Match also stuff like DHE-PSK-AES128-CCM8. Improve error message if
cipher is not accepted by OpenSSL.
|
|
The options parser has changed, options now have to precede the
parameters (possibly a bug, already reported to rt.openssl.org with
subject "Options after parameters are ignored in OpenSSL 1.1.0").
While at it, use COMPLEMENTOFALL instead of NULL since that possibly
includes more ciphers.
|
|
|
|
Prompted by https://code.wireshark.org/review/17749
|
|
OpenSSL 1.1.0 makes some structures opaque, but luckily it provides new
functions to extract the client random and master secret which is all we
need from the structures.
Tested with OpenSSL 1.1.0-pre6 using openssl s_client and
OpenSSL 1.0.2.h using curl.
|