authorHauke Mehrtens <hauke@hauke-m.de>2014-05-22 10:45:40 +0200
committerPeter Wu <peter@lekensteyn.nl>2014-07-03 17:01:31 +0200
commita69023f301e7dfc0c398670d0b1eb90b1df1279d (patch)
tree2ab58b0cace191655ae6f9e62ec800b79315b881
parent71cb629adcc50242d98ac4fe73499d7d36c17180 (diff)
ssl: add SslSession structure
This structure is used to store information about an SSL session which is not only needed for decrypting the session, but also to show useful dissection information. In another patch I will add some more members to the struct, because the old way of passing them to the function does not scale. Change-Id: I88e7f2896e0364a41d4538752dad291de83bfbca Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> Reviewed-on: https://code.wireshark.org/review/1819 Reviewed-by: Evan Huus <eapache@gmail.com> Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com> Tested-by: Alexis La Goutte <alexis.lagoutte@gmail.com> (cherry picked from commit a7a4aa9a743f68f9864011d3b56bb5739c2cda15)
-rw-r--r--epan/dissectors/packet-dtls.c20
-rw-r--r--epan/dissectors/packet-ssl-utils.c10
-rw-r--r--epan/dissectors/packet-ssl-utils.h10
-rw-r--r--epan/dissectors/packet-ssl.c48
4 files changed, 46 insertions, 42 deletions
diff --git a/epan/dissectors/packet-dtls.c b/epan/dissectors/packet-dtls.c
index 0a3cc6917c..8ec5f0f69e 100644
--- a/epan/dissectors/packet-dtls.c
+++ b/epan/dissectors/packet-dtls.c
@@ -500,7 +500,7 @@ dissect_dtls(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
ssl_session = wmem_new0(wmem_file_scope(), SslDecryptSession);
ssl_session_init(ssl_session);
- ssl_session->version = SSL_VER_UNKNOWN;
+ ssl_session->session.version = SSL_VER_UNKNOWN;
conversation_add_proto_data(conversation, proto_dtls, ssl_session);
/* we need to know witch side of conversation is speaking */
@@ -527,8 +527,8 @@ dissect_dtls(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
ssl_session->private_key = private_key->sexp_pkey;
}
}
- conv_version= & ssl_session->version;
- conv_cipher = ssl_session->cipher;
+ conv_version= & ssl_session->session.version;
+ conv_cipher = ssl_session->session.cipher;
/* try decryption only the first time we see this packet
* (to keep cipher synchronized) */
@@ -725,7 +725,7 @@ decrypt_dtls_record(tvbuff_t *tvb, packet_info *pinfo, guint32 offset,
decoder = ssl->client;
}
- if (!decoder && !dtls_is_null_cipher(ssl->cipher)) {
+ if (!decoder && !dtls_is_null_cipher(ssl->session.cipher)) {
ssl_debug_printf("decrypt_dtls_record: no decoder available\n");
return ret;
}
@@ -753,7 +753,7 @@ decrypt_dtls_record(tvbuff_t *tvb, packet_info *pinfo, guint32 offset,
&dtls_compressed_data, &dtls_decrypted_data, &dtls_decrypted_data_avail) == 0)
ret = 1;
}
- else if (dtls_is_null_cipher(ssl->cipher)) {
+ else if (dtls_is_null_cipher(ssl->session.cipher)) {
/* Non-encrypting cipher NULL-XXX */
memcpy(dtls_decrypted_data.data, tvb_get_ptr(tvb, offset, record_length), record_length);
dtls_decrypted_data_avail = dtls_decrypted_data.data_len = record_length;
@@ -1904,15 +1904,15 @@ dissect_dtls_hnd_srv_hello(tvbuff_t *tvb,
/* PAOLO: handle session cipher suite */
if (ssl) {
/* store selected cipher suite for decryption */
- ssl->cipher = tvb_get_ntohs(tvb, offset);
- if (ssl_find_cipher(ssl->cipher,&ssl->cipher_suite) < 0) {
- ssl_debug_printf("dissect_dtls_hnd_srv_hello can't find cipher suite %X\n", ssl->cipher);
+ ssl->session.cipher = tvb_get_ntohs(tvb, offset);
+ if (ssl_find_cipher(ssl->session.cipher,&ssl->cipher_suite) < 0) {
+ ssl_debug_printf("dissect_dtls_hnd_srv_hello can't find cipher suite %X\n", ssl->session.cipher);
goto no_cipher;
}
ssl->state |= SSL_CIPHER;
ssl_debug_printf("dissect_dtls_hnd_srv_hello found cipher %X, state %X\n",
- ssl->cipher, ssl->state);
+ ssl->session.cipher, ssl->state);
/* if we have restored a session now we can have enough material
* to build session key, check it out*/
@@ -1934,7 +1934,7 @@ dissect_dtls_hnd_srv_hello(tvbuff_t *tvb,
no_cipher:
if (ssl) {
/* store selected compression method for decompression */
- ssl->compression = tvb_get_guint8(tvb, offset+2);
+ ssl->session.compression = tvb_get_guint8(tvb, offset+2);
}
/* now the server-selected cipher suite */
diff --git a/epan/dissectors/packet-ssl-utils.c b/epan/dissectors/packet-ssl-utils.c
index ef9a86ad46..9595f19680 100644
--- a/epan/dissectors/packet-ssl-utils.c
+++ b/epan/dissectors/packet-ssl-utils.c
@@ -2519,9 +2519,9 @@ ssl_generate_pre_master_secret(SslDecryptSession *ssl_session,
* in case of rsa1024 that would be 128 + 2 = 130; for psk not necessary
*/
if (ssl_session->cipher_suite.kex == KEX_RSA &&
- (ssl_session->version == SSL_VER_TLS || ssl_session->version == SSL_VER_TLSv1DOT1 ||
- ssl_session->version == SSL_VER_TLSv1DOT2 || ssl_session->version == SSL_VER_DTLS ||
- ssl_session->version == SSL_VER_DTLS1DOT2))
+ (ssl_session->session.version == SSL_VER_TLS || ssl_session->session.version == SSL_VER_TLSv1DOT1 ||
+ ssl_session->session.version == SSL_VER_TLSv1DOT2 || ssl_session->session.version == SSL_VER_DTLS ||
+ ssl_session->session.version == SSL_VER_DTLS1DOT2))
{
encrlen = tvb_get_ntohs(tvb, offset);
skip = 2;
@@ -2769,13 +2769,13 @@ ssl_generate_keyring_material(SslDecryptSession*ssl_session)
/* create both client and server ciphers*/
ssl_debug_printf("ssl_generate_keyring_material ssl_create_decoder(client)\n");
- ssl_session->client_new = ssl_create_decoder(&ssl_session->cipher_suite, ssl_session->compression, c_mk, c_wk, c_iv);
+ ssl_session->client_new = ssl_create_decoder(&ssl_session->cipher_suite, ssl_session->session.compression, c_mk, c_wk, c_iv);
if (!ssl_session->client_new) {
ssl_debug_printf("ssl_generate_keyring_material can't init client decoder\n");
goto fail;
}
ssl_debug_printf("ssl_generate_keyring_material ssl_create_decoder(server)\n");
- ssl_session->server_new = ssl_create_decoder(&ssl_session->cipher_suite, ssl_session->compression, s_mk, s_wk, s_iv);
+ ssl_session->server_new = ssl_create_decoder(&ssl_session->cipher_suite, ssl_session->session.compression, s_mk, s_wk, s_iv);
if (!ssl_session->server_new) {
ssl_debug_printf("ssl_generate_keyring_material can't init client decoder\n");
goto fail;
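Review bot: The debug message on the server-decoder failure path, the context line right after the rewritten `ssl_create_decoder(... s_mk, s_wk, s_iv)` call, still reads "can't init client decoder", which is a copy of the client branch above and makes the two failure paths indistinguishable in the debug log. Since the commit already touches the line directly above it, fix the wording in the same change: `ssl_debug_printf("ssl_generate_keyring_material can't init server decoder\n");`. This is pre-existing rather than introduced here; the enclosing ssl_generate_keyring_material body starts and ends outside the hunk.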
diff --git a/epan/dissectors/packet-ssl-utils.h b/epan/dissectors/packet-ssl-utils.h
index 63e3ba37c6..d39e1f79f7 100644
--- a/epan/dissectors/packet-ssl-utils.h
+++ b/epan/dissectors/packet-ssl-utils.h
@@ -335,6 +335,12 @@ typedef struct {
SslRecordInfo* handshake_data;
} SslPacketInfo;
+typedef struct _SslSession {
+ gint cipher;
+ gint compression;
+ guint32 version;
+} SslSession;
+
typedef struct _SslDecryptSession {
guchar _master_secret[48];
guchar _session_id[256];
@@ -352,8 +358,6 @@ typedef struct _SslDecryptSession {
guchar _client_data_for_iv[24];
StringInfo client_data_for_iv;
- gint cipher;
- gint compression;
gint state;
SslCipherSuite cipher_suite;
SslDecoder *server;
@@ -362,9 +366,9 @@ typedef struct _SslDecryptSession {
SslDecoder *client_new;
SSL_PRIVATE_KEY* private_key;
StringInfo psk;
- guint32 version;
guint16 version_netorder;
StringInfo app_data_segment;
+ SslSession session;
address srv_addr;
port_type srv_ptype;
diff --git a/epan/dissectors/packet-ssl.c b/epan/dissectors/packet-ssl.c
index 4cbd898950..50a66afd91 100644
--- a/epan/dissectors/packet-ssl.c
+++ b/epan/dissectors/packet-ssl.c
@@ -726,11 +726,11 @@ dissect_ssl(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
else {
ssl_session = (SslDecryptSession *)wmem_alloc0(wmem_file_scope(), sizeof(SslDecryptSession));
ssl_session_init(ssl_session);
- ssl_session->version = SSL_VER_UNKNOWN;
+ ssl_session->session.version = SSL_VER_UNKNOWN;
conversation_add_proto_data(conversation, proto_ssl, ssl_session);
}
- conv_version =& ssl_session->version;
- conv_cipher = ssl_session->cipher;
+ conv_version =& ssl_session->session.version;
+ conv_cipher = ssl_session->session.cipher;
/* try decryption only the first time we see this packet
* (to keep cipher synchronized) */
@@ -1614,7 +1614,7 @@ dissect_ssl3_record(tvbuff_t *tvb, packet_info *pinfo,
ssl->state |= SSL_VERSION;
ssl_debug_printf("dissect_ssl3_record found version 0x%04X -> state 0x%02X\n", ssl->version_netorder, ssl->state);
}
- /*ssl_set_conv_version(pinfo, ssl->version);*/
+ /*ssl_set_conv_version(pinfo, ssl->session.version);*/
}
else if (version == TLSV1_VERSION)
{
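Review bot: The only change in this hunk is to a commented-out call, `/*ssl_set_conv_version(pinfo, ssl->session.version);*/`, and the same edit is repeated in the hunks at @@ -1625, @@ -1636, @@ -1647 and @@ -3541 of packet-ssl.c. Keeping dead code in sync with a refactor is extra churn for no behaviour, and such lines tend to drift from the real API anyway; delete these commented-out calls rather than updating them (the version is already written through `*conv_version` in the live code, as the @@ -3541 hunk shows). If the call is meant to come back, a short `/* TODO: re-enable ssl_set_conv_version once ... */` explaining why it is disabled would serve better than stale code. The enclosing dissect_ssl3_record body begins and ends outside the hunk.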
@@ -1625,7 +1625,7 @@ dissect_ssl3_record(tvbuff_t *tvb, packet_info *pinfo,
ssl->state |= SSL_VERSION;
ssl_debug_printf("dissect_ssl3_record found version 0x%04X(TLS 1.0) -> state 0x%02X\n", ssl->version_netorder, ssl->state);
}
- /*ssl_set_conv_version(pinfo, ssl->version);*/
+ /*ssl_set_conv_version(pinfo, ssl->session.version);*/
}
else if (version == TLSV1DOT1_VERSION)
{
@@ -1636,7 +1636,7 @@ dissect_ssl3_record(tvbuff_t *tvb, packet_info *pinfo,
ssl->state |= SSL_VERSION;
ssl_debug_printf("dissect_ssl3_record found version 0x%04X(TLS 1.1) -> state 0x%02X\n", ssl->version_netorder, ssl->state);
}
- /*ssl_set_conv_version(pinfo, ssl->version);*/
+ /*ssl_set_conv_version(pinfo, ssl->session.version);*/
}
else if (version == TLSV1DOT2_VERSION)
{
@@ -1647,7 +1647,7 @@ dissect_ssl3_record(tvbuff_t *tvb, packet_info *pinfo,
ssl->state |= SSL_VERSION;
ssl_debug_printf("dissect_ssl3_record found version 0x%04X(TLS 1.2) -> state 0x%02X\n", ssl->version_netorder, ssl->state);
}
- /*ssl_set_conv_version(pinfo, ssl->version);*/
+ /*ssl_set_conv_version(pinfo, ssl->session.version);*/
}
}
@@ -2488,15 +2488,15 @@ dissect_ssl3_hnd_srv_hello(tvbuff_t *tvb,
/* PAOLO: handle session cipher suite */
if (ssl) {
/* store selected cipher suite for decryption */
- ssl->cipher = tvb_get_ntohs(tvb, offset);
- if (ssl_find_cipher(ssl->cipher,&ssl->cipher_suite) < 0) {
- ssl_debug_printf("dissect_ssl3_hnd_srv_hello can't find cipher suite 0x%X\n", ssl->cipher);
+ ssl->session.cipher = tvb_get_ntohs(tvb, offset);
+ if (ssl_find_cipher(ssl->session.cipher,&ssl->cipher_suite) < 0) {
+ ssl_debug_printf("dissect_ssl3_hnd_srv_hello can't find cipher suite 0x%X\n", ssl->session.cipher);
goto no_cipher;
}
ssl->state |= SSL_CIPHER;
ssl_debug_printf("dissect_ssl3_hnd_srv_hello found CIPHER 0x%04X -> state 0x%02X\n",
- ssl->cipher, ssl->state);
+ ssl->session.cipher, ssl->state);
/* if we have restored a session now we can have enough material
* to build session key, check it out*/
@@ -2515,7 +2515,7 @@ no_cipher:
if (ssl) {
/* store selected compression method for decryption */
- ssl->compression = tvb_get_guint8(tvb, offset);
+ ssl->session.compression = tvb_get_guint8(tvb, offset);
}
/* and the server-selected compression method */
proto_tree_add_item(tree, hf_ssl_handshake_comp_method,
@@ -3541,12 +3541,12 @@ dissect_ssl2_record(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
record_length_length),
record_length)) {
*conv_version = SSL_VER_PCT;
- /*ssl_set_conv_version(pinfo, ssl->version);*/
+ /*ssl_set_conv_version(pinfo, ssl->session.version);*/
}
else if (msg_type >= 2 && msg_type <= 8)
{
*conv_version = SSL_VER_SSLv2;
- /*ssl_set_conv_version(pinfo, ssl->version);*/
+ /*ssl_set_conv_version(pinfo, ssl->session.version);*/
}
}
@@ -4430,7 +4430,7 @@ void ssl_set_master_secret(guint32 frame_num, address *addr_srv, address *addr_c
} else {
ssl = (SslDecryptSession *)wmem_alloc0(wmem_file_scope(), sizeof(SslDecryptSession));
ssl_session_init(ssl);
- ssl->version = SSL_VER_UNKNOWN;
+ ssl->session.version = SSL_VER_UNKNOWN;
conversation_add_proto_data(conversation, proto_ssl, ssl);
}
@@ -4439,31 +4439,31 @@ void ssl_set_master_secret(guint32 frame_num, address *addr_srv, address *addr_c
ssl_set_server(ssl, addr_srv, ptype, port_srv);
/* version */
- if ((ssl->version==SSL_VER_UNKNOWN) && (version!=SSL_VER_UNKNOWN)) {
+ if ((ssl->session.version==SSL_VER_UNKNOWN) && (version!=SSL_VER_UNKNOWN)) {
switch (version) {
case SSL_VER_SSLv3:
- ssl->version = SSL_VER_SSLv3;
+ ssl->session.version = SSL_VER_SSLv3;
ssl->version_netorder = SSLV3_VERSION;
ssl->state |= SSL_VERSION;
ssl_debug_printf("ssl_set_master_secret set version 0x%04X -> state 0x%02X\n", ssl->version_netorder, ssl->state);
break;
case SSL_VER_TLS:
- ssl->version = SSL_VER_TLS;
+ ssl->session.version = SSL_VER_TLS;
ssl->version_netorder = TLSV1_VERSION;
ssl->state |= SSL_VERSION;
ssl_debug_printf("ssl_set_master_secret set version 0x%04X -> state 0x%02X\n", ssl->version_netorder, ssl->state);
break;
case SSL_VER_TLSv1DOT1:
- ssl->version = SSL_VER_TLSv1DOT1;
+ ssl->session.version = SSL_VER_TLSv1DOT1;
ssl->version_netorder = TLSV1DOT1_VERSION;
ssl->state |= SSL_VERSION;
ssl_debug_printf("ssl_set_master_secret set version 0x%04X -> state 0x%02X\n", ssl->version_netorder, ssl->state);
break;
case SSL_VER_TLSv1DOT2:
- ssl->version = SSL_VER_TLSv1DOT2;
+ ssl->session.version = SSL_VER_TLSv1DOT2;
ssl->version_netorder = TLSV1DOT2_VERSION;
ssl->state |= SSL_VERSION;
ssl_debug_printf("ssl_set_master_secret set version 0x%04X -> state 0x%02X\n", ssl->version_netorder, ssl->state);
@@ -4473,12 +4473,12 @@ void ssl_set_master_secret(guint32 frame_num, address *addr_srv, address *addr_c
/* cipher */
if (cipher > 0) {
- ssl->cipher = cipher;
- if (ssl_find_cipher(ssl->cipher,&ssl->cipher_suite) < 0) {
- ssl_debug_printf("ssl_set_master_secret can't find cipher suite 0x%X\n", ssl->cipher);
+ ssl->session.cipher = cipher;
+ if (ssl_find_cipher(ssl->session.cipher,&ssl->cipher_suite) < 0) {
+ ssl_debug_printf("ssl_set_master_secret can't find cipher suite 0x%X\n", ssl->session.cipher);
} else {
ssl->state |= SSL_CIPHER;
- ssl_debug_printf("ssl_set_master_secret set CIPHER 0x%04X -> state 0x%02X\n", ssl->cipher, ssl->state);
+ ssl_debug_printf("ssl_set_master_secret set CIPHER 0x%04X -> state 0x%02X\n", ssl->session.cipher, ssl->state);
}
}