From bdba74960ad6f24641b7f49b5c501c2b5c3e71db Mon Sep 17 00:00:00 2001 From: Peter Wu Date: Wed, 2 Oct 2013 00:44:42 +0200 Subject: Add cleanup patches in development I previously mentioned that nobody seems to support AES CCM for PSK, but then I noticed that bug 8567 uses this for a DTLS capture. I might need to add some of these missing cases to the ssl_get_keyex_alg function. [1]: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8567 --- ...termining-key-exchange-algorithm-more-PSK.patch | 287 +++++++++++++++++++++ 1 file changed, 287 insertions(+) create mode 100644 patches-psk-cleanup/0005-Simplify-determining-key-exchange-algorithm-more-PSK.patch (limited to 'patches-psk-cleanup/0005-Simplify-determining-key-exchange-algorithm-more-PSK.patch') diff --git a/patches-psk-cleanup/0005-Simplify-determining-key-exchange-algorithm-more-PSK.patch b/patches-psk-cleanup/0005-Simplify-determining-key-exchange-algorithm-more-PSK.patch new file mode 100644 index 0000000..f5d7be7 --- /dev/null +++ b/patches-psk-cleanup/0005-Simplify-determining-key-exchange-algorithm-more-PSK.patch @@ -0,0 +1,287 @@ +From e959b19462c28a74092b445f17fd20f7507c9cca Mon Sep 17 00:00:00 2001 +From: Peter Wu +Date: Wed, 2 Oct 2013 00:11:45 +0200 +Subject: [PATCH 5/6] Simplify determining key exchange algorithm, more PSK + support + +The list of key exchange algorithms in ssl_get_keyex_alg is a +list of magic numbers that is also available in the cipher_suites +variable (compiled when GnuTLS support is enabled). Use this fact +to avoid having the same numbers in two places. + +Note that this places a dependency on GnuTLS. Without GnuTLS, +ssl_find_cipher always returns -1. This is not a big issue as +ssl_get_keyex_alg() is only used for decoding the ClientKeyExchange and +ServerKeyExchange messages. Support for these has only been added very +recently and users of this feature will very likely also have GnuTLS +support enabled to allow decryption of TLS packets. + +Comparing the cipher_suites list to the magic numbers list shows +that 32 new Camellia cipher suites have been added. Some cipher suites +are gone: all 8 ARIA cipher suites (not implemented by major TLS +libraries), 6 AES-CCM suites for PSK and the cipher suites 0xFE,0xFF; +0xFE,0xFF; 0xFF,0xE0; 0xFF,0xE1 (marked as reserved by IANA). + +After this change, PSK client params are decoded for more PSK cipher +suites by not relying on magic numbers, but checking the keyex type. +--- + epan/dissectors/packet-ssl-utils.c | 222 +------------------------------------ + epan/dissectors/packet-ssl.c | 6 +- + 2 files changed, 5 insertions(+), 223 deletions(-) + +diff --git a/epan/dissectors/packet-ssl-utils.c b/epan/dissectors/packet-ssl-utils.c +index 863e431..d38b3bd 100644 +--- a/epan/dissectors/packet-ssl-utils.c ++++ b/epan/dissectors/packet-ssl-utils.c +@@ -1093,224 +1093,10 @@ struct _SslDecompress { + 0 indicates unknown */ + gint ssl_get_keyex_alg(gint cipher) + { +- switch(cipher) { +- case 0x0001: +- case 0x0002: +- case 0x0003: +- case 0x0004: +- case 0x0005: +- case 0x0006: +- case 0x0007: +- case 0x0008: +- case 0x0009: +- case 0x000a: +- case 0x002f: +- case 0x0035: +- case 0x003b: +- case 0x003c: +- case 0x003d: +- case 0x0041: +- case 0x0060: +- case 0x0061: +- case 0x0062: +- case 0x0064: +- case 0x0084: +- case 0x0096: +- case 0x009c: +- case 0x009d: +- case 0x00ba: +- case 0x00c0: +- case 0xfefe: +- case 0xfeff: +- case 0xffe0: +- case 0xffe1: +- return KEX_RSA; +- case 0x000b: +- case 0x000c: +- case 0x000d: +- case 0x000e: +- case 0x000f: +- case 0x0010: +- case 0x0011: +- case 0x0012: +- case 0x0013: +- case 0x0014: +- case 0x0015: +- case 0x0016: +- case 0x0017: +- case 0x0018: +- case 0x0019: +- case 0x001a: +- case 0x001b: +- case 0x002d: +- case 0x0030: +- case 0x0031: +- case 0x0032: +- case 0x0033: +- case 0x0034: +- case 0x0036: +- case 0x0037: +- case 0x0038: +- case 0x0039: +- case 0x003a: +- case 0x003e: +- case 0x003f: +- case 0x0040: +- case 0x0042: +- case 0x0043: +- case 0x0044: +- case 0x0045: +- case 0x0046: +- case 0x0063: +- case 0x0065: +- case 0x0066: +- case 0x0067: +- case 0x0068: +- case 0x0069: +- case 0x006a: +- case 0x006b: +- case 0x006c: +- case 0x006d: +- case 0x0085: +- case 0x0086: +- case 0x0087: +- case 0x0088: +- case 0x0089: +- case 0x008e: +- case 0x008f: +- case 0x0090: +- case 0x0091: +- case 0x0097: +- case 0x0098: +- case 0x0099: +- case 0x009a: +- case 0x009b: +- case 0x009e: +- case 0x009f: +- case 0x00a0: +- case 0x00a1: +- case 0x00a2: +- case 0x00a3: +- case 0x00a4: +- case 0x00a5: +- case 0x00a6: +- case 0x00a7: +- case 0x00aa: +- case 0x00ab: +- case 0x00b2: +- case 0x00b3: +- case 0x00b4: +- case 0x00b5: +- case 0x00bb: +- case 0x00bc: +- case 0x00bd: +- case 0x00be: +- case 0x00bf: +- case 0x00c1: +- case 0x00c2: +- case 0x00c3: +- case 0x00c4: +- case 0x00c5: +- return KEX_DH; +- case 0xc001: +- case 0xc002: +- case 0xc003: +- case 0xc004: +- case 0xc005: +- case 0xc006: +- case 0xc007: +- case 0xc008: +- case 0xc009: +- case 0xc00a: +- case 0xc00b: +- case 0xc00c: +- case 0xc00d: +- case 0xc00e: +- case 0xc00f: +- case 0xc010: +- case 0xc011: +- case 0xc012: +- case 0xc013: +- case 0xc014: +- case 0xc015: +- case 0xc016: +- case 0xc017: +- case 0xc018: +- case 0xc019: +- case 0xc023: +- case 0xc024: +- case 0xc025: +- case 0xc026: +- case 0xc027: +- case 0xc028: +- case 0xc029: +- case 0xc02a: +- case 0xc02b: +- case 0xc02c: +- case 0xc02d: +- case 0xc02e: +- case 0xc02f: +- case 0xc030: +- case 0xc031: +- case 0xc032: +- case 0xc033: +- case 0xc034: +- case 0xc035: +- case 0xc036: +- case 0xc037: +- case 0xc038: +- case 0xc039: +- case 0xc03a: +- case 0xc03b: +- return KEX_ECDH; +- case 0x002C: +- case 0x008A: +- case 0x008B: +- case 0x008C: +- case 0x008D: +- case 0x00A8: +- case 0x00A9: +- case 0x00AE: +- case 0x00AF: +- case 0x00B0: +- case 0x00B1: +- case 0xC064: +- case 0xC065: +- case 0xC06A: +- case 0xC06B: +- case 0xC08E: +- case 0xC08F: +- case 0xC094: +- case 0xC095: +- case 0xC0A4: +- case 0xC0A5: +- case 0xC0A8: +- case 0xC0A9: +- case 0xC0AA: +- case 0xC0AB: +- return KEX_PSK; +- case 0x002E: +- case 0x0092: +- case 0x0093: +- case 0x0094: +- case 0x0095: +- case 0x00AC: +- case 0x00AD: +- case 0x00B6: +- case 0x00B7: +- case 0x00B8: +- case 0x00B9: +- case 0xC068: +- case 0xC069: +- case 0xC06E: +- case 0xC06F: +- case 0xC092: +- case 0xC093: +- case 0xC098: +- case 0xC099: +- return KEX_RSA_PSK; +- default: +- break; ++ SslCipherSuite cs; ++ if (ssl_find_cipher(cipher, &cs) == 0) { ++ /* NOTE: this requires GnuTLS, otherwise stuff is not compiled-in. */ ++ return cs.kex; + } + + return 0; +diff --git a/epan/dissectors/packet-ssl.c b/epan/dissectors/packet-ssl.c +index 31dbada..bdd6727 100644 +--- a/epan/dissectors/packet-ssl.c ++++ b/epan/dissectors/packet-ssl.c +@@ -2129,14 +2129,10 @@ dissect_ssl3_handshake(tvbuff_t *tvb, packet_info *pinfo, + { + /* PAOLO: here we can have all the data to build session key*/ + +- gint cipher_num; +- + if (!ssl) + break; + +- cipher_num = ssl->cipher; +- +- if (cipher_num == 0x8a || cipher_num == 0x8b || cipher_num == 0x8c || cipher_num == 0x8d) ++ if (ssl->cipher_suite.kex == KEX_PSK) + { + /* calculate pre master secret*/ + StringInfo pre_master_secret; +-- +1.8.4 + -- cgit v1.2.1