summaryrefslogtreecommitdiff
path: root/patches-psk-cleanup/0005-Simplify-determining-key-exchange-algorithm-more-PSK.patch
blob: f5d7be7a42fb171cfbdcab7d2460907af6e200d9 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
From e959b19462c28a74092b445f17fd20f7507c9cca Mon Sep 17 00:00:00 2001
From: Peter Wu <lekensteyn@gmail.com>
Date: Wed, 2 Oct 2013 00:11:45 +0200
Subject: [PATCH 5/6] Simplify determining key exchange algorithm, more PSK
 support

The list of key exchange algorithms in ssl_get_keyex_alg is a
list of magic numbers that is also available in the cipher_suites
variable (compiled when GnuTLS support is enabled). Use this fact
to avoid having the same numbers in two places.

Note that this places a dependency on GnuTLS. Without GnuTLS,
ssl_find_cipher always returns -1. This is not a big issue as
ssl_get_keyex_alg() is only used for decoding the ClientKeyExchange and
ServerKeyExchange messages. Support for these has only been added very
recently and users of this feature will very likely also have GnuTLS
support enabled to allow decryption of TLS packets.

Comparing the cipher_suites list to the magic numbers list shows
that 32 new Camellia cipher suites have been added. Some cipher suites
are gone: all 8 ARIA cipher suites (not implemented by major TLS
libraries), 6 AES-CCM suites for PSK and the cipher suites 0xFE,0xFF;
0xFE,0xFF; 0xFF,0xE0; 0xFF,0xE1 (marked as reserved by IANA).

After this change, PSK client params are decoded for more PSK cipher
suites by not relying on magic numbers, but checking the keyex type.
---
 epan/dissectors/packet-ssl-utils.c | 222 +------------------------------------
 epan/dissectors/packet-ssl.c       |   6 +-
 2 files changed, 5 insertions(+), 223 deletions(-)

diff --git a/epan/dissectors/packet-ssl-utils.c b/epan/dissectors/packet-ssl-utils.c
index 863e431..d38b3bd 100644
--- a/epan/dissectors/packet-ssl-utils.c
+++ b/epan/dissectors/packet-ssl-utils.c
@@ -1093,224 +1093,10 @@ struct _SslDecompress {
    0 indicates unknown */
 gint ssl_get_keyex_alg(gint cipher)
 {
-    switch(cipher) {
-    case 0x0001:
-    case 0x0002:
-    case 0x0003:
-    case 0x0004:
-    case 0x0005:
-    case 0x0006:
-    case 0x0007:
-    case 0x0008:
-    case 0x0009:
-    case 0x000a:
-    case 0x002f:
-    case 0x0035:
-    case 0x003b:
-    case 0x003c:
-    case 0x003d:
-    case 0x0041:
-    case 0x0060:
-    case 0x0061:
-    case 0x0062:
-    case 0x0064:
-    case 0x0084:
-    case 0x0096:
-    case 0x009c:
-    case 0x009d:
-    case 0x00ba:
-    case 0x00c0:
-    case 0xfefe:
-    case 0xfeff:
-    case 0xffe0:
-    case 0xffe1:
-        return KEX_RSA;
-    case 0x000b:
-    case 0x000c:
-    case 0x000d:
-    case 0x000e:
-    case 0x000f:
-    case 0x0010:
-    case 0x0011:
-    case 0x0012:
-    case 0x0013:
-    case 0x0014:
-    case 0x0015:
-    case 0x0016:
-    case 0x0017:
-    case 0x0018:
-    case 0x0019:
-    case 0x001a:
-    case 0x001b:
-    case 0x002d:
-    case 0x0030:
-    case 0x0031:
-    case 0x0032:
-    case 0x0033:
-    case 0x0034:
-    case 0x0036:
-    case 0x0037:
-    case 0x0038:
-    case 0x0039:
-    case 0x003a:
-    case 0x003e:
-    case 0x003f:
-    case 0x0040:
-    case 0x0042:
-    case 0x0043:
-    case 0x0044:
-    case 0x0045:
-    case 0x0046:
-    case 0x0063:
-    case 0x0065:
-    case 0x0066:
-    case 0x0067:
-    case 0x0068:
-    case 0x0069:
-    case 0x006a:
-    case 0x006b:
-    case 0x006c:
-    case 0x006d:
-    case 0x0085:
-    case 0x0086:
-    case 0x0087:
-    case 0x0088:
-    case 0x0089:
-    case 0x008e:
-    case 0x008f:
-    case 0x0090:
-    case 0x0091:
-    case 0x0097:
-    case 0x0098:
-    case 0x0099:
-    case 0x009a:
-    case 0x009b:
-    case 0x009e:
-    case 0x009f:
-    case 0x00a0:
-    case 0x00a1:
-    case 0x00a2:
-    case 0x00a3:
-    case 0x00a4:
-    case 0x00a5:
-    case 0x00a6:
-    case 0x00a7:
-    case 0x00aa:
-    case 0x00ab:
-    case 0x00b2:
-    case 0x00b3:
-    case 0x00b4:
-    case 0x00b5:
-    case 0x00bb:
-    case 0x00bc:
-    case 0x00bd:
-    case 0x00be:
-    case 0x00bf:
-    case 0x00c1:
-    case 0x00c2:
-    case 0x00c3:
-    case 0x00c4:
-    case 0x00c5:
-        return KEX_DH;
-    case 0xc001:
-    case 0xc002:
-    case 0xc003:
-    case 0xc004:
-    case 0xc005:
-    case 0xc006:
-    case 0xc007:
-    case 0xc008:
-    case 0xc009:
-    case 0xc00a:
-    case 0xc00b:
-    case 0xc00c:
-    case 0xc00d:
-    case 0xc00e:
-    case 0xc00f:
-    case 0xc010:
-    case 0xc011:
-    case 0xc012:
-    case 0xc013:
-    case 0xc014:
-    case 0xc015:
-    case 0xc016:
-    case 0xc017:
-    case 0xc018:
-    case 0xc019:
-    case 0xc023:
-    case 0xc024:
-    case 0xc025:
-    case 0xc026:
-    case 0xc027:
-    case 0xc028:
-    case 0xc029:
-    case 0xc02a:
-    case 0xc02b:
-    case 0xc02c:
-    case 0xc02d:
-    case 0xc02e:
-    case 0xc02f:
-    case 0xc030:
-    case 0xc031:
-    case 0xc032:
-    case 0xc033:
-    case 0xc034:
-    case 0xc035:
-    case 0xc036:
-    case 0xc037:
-    case 0xc038:
-    case 0xc039:
-    case 0xc03a:
-    case 0xc03b:
-        return KEX_ECDH;
-    case 0x002C:
-    case 0x008A:
-    case 0x008B:
-    case 0x008C:
-    case 0x008D:
-    case 0x00A8:
-    case 0x00A9:
-    case 0x00AE:
-    case 0x00AF:
-    case 0x00B0:
-    case 0x00B1:
-    case 0xC064:
-    case 0xC065:
-    case 0xC06A:
-    case 0xC06B:
-    case 0xC08E:
-    case 0xC08F:
-    case 0xC094:
-    case 0xC095:
-    case 0xC0A4:
-    case 0xC0A5:
-    case 0xC0A8:
-    case 0xC0A9:
-    case 0xC0AA:
-    case 0xC0AB:
-        return KEX_PSK;
-    case 0x002E:
-    case 0x0092:
-    case 0x0093:
-    case 0x0094:
-    case 0x0095:
-    case 0x00AC:
-    case 0x00AD:
-    case 0x00B6:
-    case 0x00B7:
-    case 0x00B8:
-    case 0x00B9:
-    case 0xC068:
-    case 0xC069:
-    case 0xC06E:
-    case 0xC06F:
-    case 0xC092:
-    case 0xC093:
-    case 0xC098:
-    case 0xC099:
-        return KEX_RSA_PSK;
-    default:
-        break;
+    SslCipherSuite cs;
+    if (ssl_find_cipher(cipher, &cs) == 0) {
+        /* NOTE: this requires GnuTLS, otherwise stuff is not compiled-in. */
+        return cs.kex;
     }
 
     return 0;
diff --git a/epan/dissectors/packet-ssl.c b/epan/dissectors/packet-ssl.c
index 31dbada..bdd6727 100644
--- a/epan/dissectors/packet-ssl.c
+++ b/epan/dissectors/packet-ssl.c
@@ -2129,14 +2129,10 @@ dissect_ssl3_handshake(tvbuff_t *tvb, packet_info *pinfo,
                 {
                     /* PAOLO: here we can have all the data to build session key*/
 
-                    gint cipher_num;
-
                     if (!ssl)
                         break;
 
-                    cipher_num = ssl->cipher;
-
-                    if (cipher_num == 0x8a || cipher_num == 0x8b || cipher_num == 0x8c || cipher_num == 0x8d)
+                    if (ssl->cipher_suite.kex == KEX_PSK)
                     {
                         /* calculate pre master secret*/
                         StringInfo pre_master_secret;
-- 
1.8.4