author | Peter Wu <peter@lekensteyn.nl> | 2015-11-14 13:33:02 +0100 |
---|---|---|
committer | Peter Wu <peter@lekensteyn.nl> | 2015-11-16 21:45:50 +0000 |
commit | c90990068ff2f442bdfb2475dc9dd3a55cdb2e46 (patch) | |
tree | 20e1c091fe1c9434855bfe8c6872a0a0954d03d7 | |
parent | 9ec2cbb1c2f2917a9b9e149def8da8c072134524 (diff) | |
download | wireshark-c90990068ff2f442bdfb2475dc9dd3a55cdb2e46.tar.gz |
ssl,dtls: use a single field to track ProtocolVersion
The SslSession struct contains a "version" field for displaying
purposes in the protocol column while the SslDecryptSession struct
has a "version_netorder" field for use in TLS hash functions (for
secrets calculations).
As these are strongly associated with each other, remove the
version_netorder field and its associated constants, let the SslSession
version field store this value instead. All SSL_VER_* are renamed to
appropriate *_VERSION macros (via search & replace), SSL_VER_UNKNOWN
is kept though.
The PCT and SSLv2 protocols had no wire value (*_VERSION), so
SSL_VER_PCT and SSL_VER_SSLv2 are assigned arbitrary values instead.
Warning: external plugins using the ssl_set_master_secret function
must now pass the wire version (TLSV1_VERSION) instead of the (now
removed) internal macros (SSL_VER_TLSv1).
Change-Id: Icd8ef15adae9c62eb21eab1c3b812166e451936f
Reviewed-on: https://code.wireshark.org/review/11820
Reviewed-by: Michael Mann <mmann78@netscape.net>
Petri-Dish: Michael Mann <mmann78@netscape.net>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
-rw-r--r-- | epan/dissectors/packet-dtls.c | 82 | ||||
-rw-r--r-- | epan/dissectors/packet-ssl-utils.c | 76 | ||||
-rw-r--r-- | epan/dissectors/packet-ssl-utils.h | 22 | ||||
-rw-r--r-- | epan/dissectors/packet-ssl.c | 144 |
4 files changed, 96 insertions, 228 deletions
diff --git a/epan/dissectors/packet-dtls.c b/epan/dissectors/packet-dtls.c index 7ca9997f25..3d15e6d9fa 100644 --- a/epan/dissectors/packet-dtls.c +++ b/epan/dissectors/packet-dtls.c @@ -326,7 +326,6 @@ static int dissect_dtls_hnd_hello_verify_request(tvbuff_t *tvb, * Support Functions * */ -/*static void ssl_set_conv_version(packet_info *pinfo, guint version);*/ static gint dtls_is_authoritative_version_message(guint8 content_type, guint8 next_byte); @@ -415,13 +414,9 @@ dissect_dtls(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree) * known to be associated with the conversation */ switch(session->version) { - case SSL_VER_DTLS: - case SSL_VER_DTLS_OPENSSL: - offset = dissect_dtls_record(tvb, pinfo, dtls_tree, - offset, session, is_from_server, - ssl_session); - break; - case SSL_VER_DTLS1DOT2: + case DTLSV1DOT0_VERSION: + case DTLSV1DOT0_OPENSSL_VERSION: + case DTLSV1DOT2_VERSION: offset = dissect_dtls_record(tvb, pinfo, dtls_tree, offset, session, is_from_server, ssl_session); 
@@ -758,44 +753,19 @@ dissect_dtls_record(tvbuff_t *tvb, packet_info *pinfo, next_byte = tvb_get_guint8(tvb, offset); if (session->version == SSL_VER_UNKNOWN && dtls_is_authoritative_version_message(content_type, next_byte)) + { + if (version == DTLSV1DOT0_VERSION || + version == DTLSV1DOT0_OPENSSL_VERSION || + version == DTLSV1DOT2_VERSION) { - if (version == DTLSV1DOT0_VERSION || - version == DTLSV1DOT0_VERSION_NOT || - version == DTLSV1DOT2_VERSION) - { - if (version == DTLSV1DOT0_VERSION) - session->version = SSL_VER_DTLS; - if (version == DTLSV1DOT0_VERSION_NOT) - session->version = SSL_VER_DTLS_OPENSSL; - if (version == DTLSV1DOT2_VERSION) - session->version = SSL_VER_DTLS1DOT2; - - if (ssl) { - ssl->version_netorder = version; - ssl->state |= SSL_VERSION; - } - /*ssl_set_conv_version(pinfo, ssl->version);*/ - } + session->version = version; + if (ssl) { + ssl->state |= SSL_VERSION; + } } - if (version == DTLSV1DOT0_VERSION) - { - col_set_str(pinfo->cinfo, COL_PROTOCOL, - val_to_str_const(SSL_VER_DTLS, ssl_version_short_names, "SSL")); - } - else if (version == DTLSV1DOT0_VERSION_NOT) - { - col_set_str(pinfo->cinfo, COL_PROTOCOL, - val_to_str_const(SSL_VER_DTLS_OPENSSL, ssl_version_short_names, "SSL")); - } - else if (version == DTLSV1DOT2_VERSION) - { - col_set_str(pinfo->cinfo, COL_PROTOCOL, - val_to_str_const(SSL_VER_DTLS1DOT2, ssl_version_short_names, "SSL")); - } - else - { - col_set_str(pinfo->cinfo, COL_PROTOCOL,"DTLS"); } + col_set_str(pinfo->cinfo, COL_PROTOCOL, + val_to_str_const(version, ssl_version_short_names, "DTLS")); /* * now dissect the next layer 
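Review bot: The new `col_set_str(pinfo->cinfo, COL_PROTOCOL, val_to_str_const(version, ssl_version_short_names, "DTLS"))` looks up the raw per-record version field, so a DTLS record carrying 0x0303, 0x0300 or 0x0000 is now labelled "TLSv1.2", "SSLv3" or "SSL", whereas the removed branches printed "DTLS" for anything other than the three DTLS values. Only those three values can be stored in `session->version` a few lines above, so the column label should be restricted the same way: `col_set_str(pinfo->cinfo, COL_PROTOCOL, (version == DTLSV1DOT0_VERSION || version == DTLSV1DOT0_OPENSSL_VERSION || version == DTLSV1DOT2_VERSION) ? val_to_str_const(version, ssl_version_short_names, "DTLS") : "DTLS");`. The field comes straight off the wire and a peer can set it to anything, so while the mislabel is cosmetic it affects a column people filter on. dissect_dtls_record begins and ends outside this hunk.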
@@ -1518,30 +1488,6 @@ dissect_dtls_hnd_hello_verify_request(tvbuff_t *tvb, proto_tree *tree, * Support Functions * *********************************************************************/ -#if 0 -static void -ssl_set_conv_version(packet_info *pinfo, guint version) -{ - conversation_t *conversation; - - if (pinfo->fd->flags.visited) - { - /* We've already processed this frame; no need to do any more - * work on it. - */ - return; - } - - conversation = find_or_create_conversation(pinfo); - - if (conversation_get_proto_data(conversation, proto_dtls) != NULL) - { - /* get rid of the current data */ - conversation_delete_proto_data(conversation, proto_dtls); - } - conversation_add_proto_data(conversation, proto_dtls, GINT_TO_POINTER(version)); -} -#endif static gint dtls_is_authoritative_version_message(guint8 content_type, guint8 next_byte) @@ -1582,7 +1528,7 @@ looks_like_dtls(tvbuff_t *tvb, guint32 offset) /* now check to see if the version byte appears valid */ version = tvb_get_ntohs(tvb, offset + 1); if (version != DTLSV1DOT0_VERSION && version != DTLSV1DOT2_VERSION && - version != DTLSV1DOT0_VERSION_NOT) + version != DTLSV1DOT0_OPENSSL_VERSION) { return 0; } diff --git a/epan/dissectors/packet-ssl-utils.c b/epan/dissectors/packet-ssl-utils.c index 9aceb8eb38..6ebf46108a 100644 --- a/epan/dissectors/packet-ssl-utils.c +++ b/epan/dissectors/packet-ssl-utils.c 
@@ -55,16 +55,16 @@ /* Lookup tables {{{ */ const value_string ssl_version_short_names[] = { - { SSL_VER_UNKNOWN, "SSL" }, - { SSL_VER_SSLv2, "SSLv2" }, - { SSL_VER_SSLv3, "SSLv3" }, - { SSL_VER_TLS, "TLSv1" }, - { SSL_VER_TLSv1DOT1, "TLSv1.1" }, - { SSL_VER_DTLS, "DTLSv1.0" }, - { SSL_VER_DTLS1DOT2, "DTLSv1.2" }, - { SSL_VER_DTLS_OPENSSL, "DTLS 1.0 (OpenSSL pre 0.9.8f)" }, - { SSL_VER_PCT, "PCT" }, - { SSL_VER_TLSv1DOT2, "TLSv1.2" }, + { SSL_VER_UNKNOWN, "SSL" }, + { SSLV2_VERSION, "SSLv2" }, + { SSLV3_VERSION, "SSLv3" }, + { TLSV1_VERSION, "TLSv1" }, + { TLSV1DOT1_VERSION, "TLSv1.1" }, + { TLSV1DOT2_VERSION, "TLSv1.2" }, + { DTLSV1DOT0_VERSION, "DTLSv1.0" }, + { DTLSV1DOT2_VERSION, "DTLSv1.2" }, + { DTLSV1DOT0_OPENSSL_VERSION, "DTLS 1.0 (OpenSSL pre 0.9.8f)" }, + { PCT_VERSION, "PCT" }, { 0x00, NULL } }; @@ -2483,14 +2483,14 @@ static gboolean prf(SslDecryptSession *ssl, StringInfo *secret, const gchar *usage, StringInfo *rnd1, StringInfo *rnd2, StringInfo *out, guint out_len) { - switch (ssl->version_netorder) { + switch (ssl->session.version) { case SSLV3_VERSION: return ssl3_prf(secret, usage, rnd1, rnd2, out, out_len); case TLSV1_VERSION: case TLSV1DOT1_VERSION: case DTLSV1DOT0_VERSION: - case DTLSV1DOT0_VERSION_NOT: + case DTLSV1DOT0_OPENSSL_VERSION: return tls_prf(secret, usage, rnd1, rnd2, out, out_len); default: /* TLSv1.2 */ 
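Review bot: In `prf()` the `default: /* TLSv1.2 */` branch of `switch (ssl->session.version)` now also catches SSL_VER_UNKNOWN, SSLV2_VERSION and PCT_VERSION, which after this change live in the same field the switch dispatches on, so a session whose version was never pinned is handed to the TLSv1.2 PRF without complaint (the old `version_netorder` field had the same hole for 0, but could not hold the SSLv2/PCT markers). Prefer explicit `case TLSV1DOT2_VERSION:` and `case DTLSV1DOT2_VERSION:` for the existing TLSv1.2 call and make `default:` report the value with `ssl_debug_printf` and `return FALSE;`, so key derivation fails loudly instead of running with the wrong PRF. The body of the default branch and the rest of prf() are beyond this hunk, so the exact call to keep is not visible here.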
@@ -2851,9 +2851,11 @@ ssl_generate_pre_master_secret(SslDecryptSession *ssl_session, * in case of rsa1024 that would be 128 + 2 = 130; for psk not necessary */ if (ssl_session->cipher_suite.kex == KEX_RSA && - (ssl_session->session.version == SSL_VER_TLS || ssl_session->session.version == SSL_VER_TLSv1DOT1 || - ssl_session->session.version == SSL_VER_TLSv1DOT2 || ssl_session->session.version == SSL_VER_DTLS || - ssl_session->session.version == SSL_VER_DTLS1DOT2)) + (ssl_session->session.version == TLSV1_VERSION || + ssl_session->session.version == TLSV1DOT1_VERSION || + ssl_session->session.version == TLSV1DOT2_VERSION || + ssl_session->session.version == DTLSV1DOT0_VERSION || + ssl_session->session.version == DTLSV1DOT2_VERSION)) { encrlen = tvb_get_ntohs(tvb, offset); skip = 2; @@ -2930,11 +2932,11 @@ ssl_generate_keyring_material(SslDecryptSession*ssl_session) ssl_print_string("pre master secret",&ssl_session->pre_master_secret); DISSECTOR_ASSERT(ssl_session->handshake_data.data_len > 0); - switch(ssl_session->version_netorder) { + switch(ssl_session->session.version) { case TLSV1_VERSION: case TLSV1DOT1_VERSION: case DTLSV1DOT0_VERSION: - case DTLSV1DOT0_VERSION_NOT: + case DTLSV1DOT0_OPENSSL_VERSION: ret = tls_handshake_hash(ssl_session, &handshake_hashed_data); break; default: @@ -3033,7 +3035,7 @@ ssl_generate_keyring_material(SslDecryptSession*ssl_session) goto fail; } - if(ssl_session->version_netorder==SSLV3_VERSION){ + if(ssl_session->session.version==SSLV3_VERSION){ /* The length of these fields are ignored by this caller */ StringInfo iv_c, iv_s; iv_c.data = _iv_c; @@ -3077,7 +3079,7 @@ ssl_generate_keyring_material(SslDecryptSession*ssl_session) s_iv=_iv_s; } - if (ssl_session->version_netorder==SSLV3_VERSION){ + if (ssl_session->session.version==SSLV3_VERSION){ SSL_MD5_CTX md5; ssl_debug_printf("%s MD5(client_random)\n", G_STRFUNC); 
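Review bot: The rewritten `ssl_session->cipher_suite.kex == KEX_RSA && (… == TLSV1_VERSION || … || … == DTLSV1DOT2_VERSION)` condition is the mirror image of the `switch (session->version)` in dissect_ssl3_hnd_cli_keyex_rsa later in this diff, where SSLV2_VERSION, SSLV3_VERSION and DTLSV1DOT0_OPENSSL_VERSION are the cases with no 2-octet length vector; the two lists must stay in sync and nothing ties them together. A shared predicate such as `static gboolean ssl_version_has_epms_length(guint16 version) { return version == TLSV1_VERSION || version == TLSV1DOT1_VERSION || version == TLSV1DOT2_VERSION || version == DTLSV1DOT0_VERSION || version == DTLSV1DOT2_VERSION; }` used at both sites would keep the quirk in one place. As written an unpinned version (SSL_VER_UNKNOWN) takes the no-prefix path here; whether the keyex dissector's `default` case agrees is not visible in these hunks. ssl_generate_pre_master_secret and ssl_generate_keyring_material both start before and continue after their hunks.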
@@ -3435,12 +3437,12 @@ ssl_decrypt_record(SslDecryptSession*ssl,SslDecoder* decoder, gint ct, /* (TLS 1.1 and later, DTLS) Extract explicit IV for GenericBlockCipher */ if (decoder->cipher_suite->mode == MODE_CBC) { - switch (ssl->version_netorder) { + switch (ssl->session.version) { case TLSV1DOT1_VERSION: case TLSV1DOT2_VERSION: case DTLSV1DOT0_VERSION: case DTLSV1DOT2_VERSION: - case DTLSV1DOT0_VERSION_NOT: + case DTLSV1DOT0_OPENSSL_VERSION: if ((gint)inl < decoder->cipher_suite->block) { ssl_debug_printf("ssl_decrypt_record failed: input %d has no space for IV %d\n", inl, decoder->cipher_suite->block); @@ -3563,8 +3565,8 @@ ssl_decrypt_record(SslDecryptSession*ssl,SslDecoder* decoder, gint ct, /* Now check the MAC */ ssl_debug_printf("checking mac (len %d, version %X, ct %d seq %d)\n", - worklen, ssl->version_netorder, ct, decoder->seq); - if(ssl->version_netorder==SSLV3_VERSION){ + worklen, ssl->session.version, ct, decoder->seq); + if(ssl->session.version==SSLV3_VERSION){ if(ssl3_check_mac(decoder,ct,out_str->data,worklen,mac) < 0) { if(ssl_ignore_mac_failed) { ssl_debug_printf("ssl_decrypt_record: mac failed, but ignored for troubleshooting ;-)\n"); @@ -3578,8 +3580,8 @@ ssl_decrypt_record(SslDecryptSession*ssl,SslDecoder* decoder, gint ct, ssl_debug_printf("ssl_decrypt_record: mac ok\n"); } } - else if(ssl->version_netorder==TLSV1_VERSION || ssl->version_netorder==TLSV1DOT1_VERSION || ssl->version_netorder==TLSV1DOT2_VERSION){ - if(tls_check_mac(decoder,ct,ssl->version_netorder,out_str->data,worklen,mac)< 0) { + else if(ssl->session.version==TLSV1_VERSION || ssl->session.version==TLSV1DOT1_VERSION || ssl->session.version==TLSV1DOT2_VERSION){ + if(tls_check_mac(decoder,ct,ssl->session.version,out_str->data,worklen,mac)< 0) { if(ssl_ignore_mac_failed) { ssl_debug_printf("ssl_decrypt_record: mac failed, but ignored for troubleshooting ;-)\n"); } 
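Review bot: The MAC verification below is an `if`/`else if` chain keyed on `ssl->session.version` (SSLV3_VERSION, then the three TLS values, then the three DTLS values), and after this commit that field can also hold SSL_VER_UNKNOWN, SSLV2_VERSION or PCT_VERSION; a record decrypted under one of those values matches no branch and, if the chain has no terminating `else` (its tail is past the end of the hunk), is returned to the caller with the MAC never checked. Add a final `else { ssl_debug_printf("ssl_decrypt_record: unknown version 0x%04x, cannot check mac\n", ssl->session.version); return -1; }` so an unpinned version is a decryption failure rather than unauthenticated plaintext. The explicit-IV `switch` at the top of the hunk has the same missing-default shape and would benefit from a `default: break;` with a debug line for the same reason. ssl_decrypt_record begins and ends outside this hunk.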
@@ -3592,11 +3594,11 @@ ssl_decrypt_record(SslDecryptSession*ssl,SslDecoder* decoder, gint ct, ssl_debug_printf("ssl_decrypt_record: mac ok\n"); } } - else if(ssl->version_netorder==DTLSV1DOT0_VERSION || - ssl->version_netorder==DTLSV1DOT2_VERSION || - ssl->version_netorder==DTLSV1DOT0_VERSION_NOT){ + else if(ssl->session.version==DTLSV1DOT0_VERSION || + ssl->session.version==DTLSV1DOT2_VERSION || + ssl->session.version==DTLSV1DOT0_OPENSSL_VERSION){ /* Try rfc-compliant mac first, and if failed, try old openssl's non-rfc-compliant mac */ - if(dtls_check_mac(decoder,ct,ssl->version_netorder,out_str->data,worklen,mac)>= 0) { + if(dtls_check_mac(decoder,ct,ssl->session.version,out_str->data,worklen,mac)>= 0) { ssl_debug_printf("ssl_decrypt_record: mac ok\n"); } else if(tls_check_mac(decoder,ct,TLSV1_VERSION,out_str->data,worklen,mac)>= 0) { @@ -6007,8 +6009,8 @@ ssl_dissect_hnd_cert_req(ssl_common_dissect_t *hf, tvbuff_t *tvb, } switch (session->version) { - case SSL_VER_TLSv1DOT2: - case SSL_VER_DTLS1DOT2: + case TLSV1DOT2_VERSION: + case DTLSV1DOT2_VERSION: sh_alg_length = tvb_get_ntohs(tvb, offset); if (sh_alg_length % 2) { expert_add_info_format(pinfo, NULL, @@ -6099,7 +6101,7 @@ ssl_dissect_hnd_finished(ssl_common_dissect_t *hf, tvbuff_t *tvb, if (!tree) return; - if (session->version == SSL_VER_SSLv3) { + if (session->version == SSLV3_VERSION) { if (ssl_hfs != NULL) { proto_tree_add_item(tree, ssl_hfs->hs_md5_hash, tvb, offset, 16, ENC_NA); @@ -6334,9 +6336,9 @@ dissect_ssl3_hnd_cli_keyex_rsa(ssl_common_dissect_t *hf, tvbuff_t *tvb, /* EncryptedPreMasterSecret.pre_master_secret */ switch (session->version) { - case SSL_VER_SSLv2: - case SSL_VER_SSLv3: - case SSL_VER_DTLS_OPENSSL: + case SSLV2_VERSION: + case SSLV3_VERSION: + case DTLSV1DOT0_OPENSSL_VERSION: /* OpenSSL pre-0.9.8f DTLS and pre-TLS quirk: 2-octet length vector is * not present. The handshake contents represents the EPMS, see: * https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=10222 */ 
@@ -6415,8 +6417,8 @@ ssl_dissect_digitally_signed(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *ssl_algo_tree; switch (session->version) { - case SSL_VER_TLSv1DOT2: - case SSL_VER_DTLS1DOT2: + case TLSV1DOT2_VERSION: + case DTLSV1DOT2_VERSION: ti_algo = proto_tree_add_item(tree, hf->hf.hs_sig_hash_alg, tvb, offset, 2, ENC_BIG_ENDIAN); ssl_algo_tree = proto_item_add_subtree(ti_algo, hf->ett.hs_sig_hash_alg); diff --git a/epan/dissectors/packet-ssl-utils.h b/epan/dissectors/packet-ssl-utils.h index dcf1f8b515..5ccaf8abd0 100644 --- a/epan/dissectors/packet-ssl-utils.h +++ b/epan/dissectors/packet-ssl-utils.h @@ -47,18 +47,6 @@ #endif /* HAVE_LIBGCRYPT */ -/* version state tables */ -#define SSL_VER_UNKNOWN 0 -#define SSL_VER_SSLv2 1 -#define SSL_VER_SSLv3 2 -#define SSL_VER_TLS 3 -#define SSL_VER_TLSv1DOT1 4 -#define SSL_VER_DTLS 5 -#define SSL_VER_DTLS1DOT2 8 -#define SSL_VER_DTLS_OPENSSL 9 -#define SSL_VER_PCT 6 -#define SSL_VER_TLSv1DOT2 7 - /* other defines */ typedef enum { SSL_ID_CHG_CIPHER_SPEC = 0x14, @@ -219,14 +207,19 @@ typedef struct _StringInfo { #define SSL_WRITE_KEY 1 +#define SSL_VER_UNKNOWN 0 +#define PCT_VERSION 0x8001 /* PCT_VERSION_1 from http://graphcomp.com/info/specs/ms/pct.htm */ +#define SSLV2_VERSION 0x0002 /* not in record layer, SSL_CLIENT_SERVER from + http://www-archive.mozilla.org/projects/security/pki/nss/ssl/draft02.html */ #define SSLV3_VERSION 0x300 #define TLSV1_VERSION 0x301 #define TLSV1DOT1_VERSION 0x302 #define TLSV1DOT2_VERSION 0x303 #define DTLSV1DOT0_VERSION 0xfeff -#define DTLSV1DOT0_VERSION_NOT 0x100 +#define DTLSV1DOT0_OPENSSL_VERSION 0x100 #define DTLSV1DOT2_VERSION 0xfefd + #define SSL_CLIENT_RANDOM (1<<0) #define SSL_SERVER_RANDOM (1<<1) #define SSL_CIPHER (1<<2) @@ -356,7 +349,7 @@ typedef struct { typedef struct _SslSession { gint cipher; gint compression; - guint32 version; + guint16 version; gint8 client_cert_type; gint8 server_cert_type; 
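Review bot: The header now places three values that never appear as a record-layer ProtocolVersion (`SSL_VER_UNKNOWN`, `PCT_VERSION 0x8001`, `SSLV2_VERSION 0x0002`) in the same number space as the wire values that `prf()`, `tls_check_mac()` and `dtls_check_mac()` receive via `ssl->session.version`, and nothing in the header says which ones may be forwarded. Add a comment above the block, e.g. `/* SSL_VER_UNKNOWN, PCT_VERSION and SSLV2_VERSION are internal markers, not record-layer ProtocolVersions; code that passes session.version to the PRF/MAC helpers must exclude them. */`, and at `DTLSV1DOT0_OPENSSL_VERSION 0x100` note that this one is a genuine on-wire value (going by the "OpenSSL pre 0.9.8f" entry in ssl_version_short_names and its acceptance in looks_like_dtls), which is why it is a valid PRF/MAC input. The narrowing of `SslSession.version` to `guint16` is safe for every value defined here (all are at most 0xfeff), but any external plugin that wrote a wider value into the field would now be truncated silently, which is worth a line in the same comment.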
@@ -404,7 +397,6 @@ typedef struct _SslDecryptSession { gcry_sexp_t private_key; #endif StringInfo psk; - guint16 version_netorder; StringInfo app_data_segment; SslSession session; diff --git a/epan/dissectors/packet-ssl.c b/epan/dissectors/packet-ssl.c index 23d7a6d7c3..0ce1ec8295 100644 --- a/epan/dissectors/packet-ssl.c +++ b/epan/dissectors/packet-ssl.c @@ -547,7 +547,6 @@ static void dissect_pct_msg_error(tvbuff_t *tvb, * Support Functions * */ -/*static void ssl_set_conv_version(packet_info *pinfo, guint version);*/ static gint ssl_is_valid_ssl_version(const guint16 version); static gint ssl_is_authoritative_version_message(const guint8 content_type, const guint8 next_byte); @@ -681,8 +680,8 @@ dissect_ssl(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_) * known to be associated with the conversation */ switch (session->version) { - case SSL_VER_SSLv2: - case SSL_VER_PCT: + case SSLV2_VERSION: + case PCT_VERSION: offset = dissect_ssl2_record(tvb, pinfo, ssl_tree, offset, session, &need_desegmentation, @@ -690,10 +689,10 @@ dissect_ssl(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_) first_record_in_frame); break; - case SSL_VER_SSLv3: - case SSL_VER_TLS: - case SSL_VER_TLSv1DOT1: - case SSL_VER_TLSv1DOT2: + case SSLV3_VERSION: + case TLSV1_VERSION: + case TLSV1DOT1_VERSION: + case TLSV1DOT2_VERSION: /* SSLv3/TLS record headers need at least 1+2+2 = 5 bytes. */ if (tvb_reported_length_remaining(tvb, offset) < 5) { if (ssl_desegment && pinfo->can_desegment) { 
@@ -1413,7 +1412,9 @@ dissect_ssl3_record(tvbuff_t *tvb, packet_info *pinfo, available_bytes = tvb_reported_length_remaining(tvb, offset); /* TLS 1.0/1.1 just ignores unknown records - RFC 2246 chapter 6. The TLS Record Protocol */ - if ((session->version==SSL_VER_TLS || session->version==SSL_VER_TLSv1DOT1 || session->version==SSL_VER_TLSv1DOT2) && + if ((session->version==TLSV1_VERSION || + session->version==TLSV1DOT1_VERSION || + session->version==TLSV1DOT2_VERSION) && (available_bytes >=1 ) && !ssl_is_valid_content_type(tvb_get_guint8(tvb, offset))) { proto_tree_add_expert(tree, pinfo, &ei_ssl_ignored_unknown_record, tvb, offset, available_bytes); /* on second and subsequent records per frame 
@@ -1543,48 +1544,16 @@ dissect_ssl3_record(tvbuff_t *tvb, packet_info *pinfo, if (session->version == SSL_VER_UNKNOWN && ssl_is_authoritative_version_message(content_type, next_byte)) { - if (version == SSLV3_VERSION) - { - session->version = SSL_VER_SSLv3; - if (ssl) { - ssl->version_netorder = version; - ssl->state |= SSL_VERSION; - ssl_debug_printf("dissect_ssl3_record found version 0x%04X -> state 0x%02X\n", ssl->version_netorder, ssl->state); - } - /*ssl_set_conv_version(pinfo, ssl->session.version);*/ - } - else if (version == TLSV1_VERSION) - { - - session->version = SSL_VER_TLS; - if (ssl) { - ssl->version_netorder = version; - ssl->state |= SSL_VERSION; - ssl_debug_printf("dissect_ssl3_record found version 0x%04X(TLS 1.0) -> state 0x%02X\n", ssl->version_netorder, ssl->state); - } - /*ssl_set_conv_version(pinfo, ssl->session.version);*/ - } - else if (version == TLSV1DOT1_VERSION) - { - - session->version = SSL_VER_TLSv1DOT1; - if (ssl) { - ssl->version_netorder = version; - ssl->state |= SSL_VERSION; - ssl_debug_printf("dissect_ssl3_record found version 0x%04X(TLS 1.1) -> state 0x%02X\n", ssl->version_netorder, ssl->state); - } - /*ssl_set_conv_version(pinfo, ssl->session.version);*/ - } - else if (version == TLSV1DOT2_VERSION) - { - - session->version = SSL_VER_TLSv1DOT2; + switch (version) { + case SSLV3_VERSION: + case TLSV1_VERSION: + case TLSV1DOT1_VERSION: + case TLSV1DOT2_VERSION: + session->version = version; if (ssl) { - ssl->version_netorder = version; ssl->state |= SSL_VERSION; - ssl_debug_printf("dissect_ssl3_record found version 0x%04X(TLS 1.2) -> state 0x%02X\n", ssl->version_netorder, ssl->state); + ssl_debug_printf("dissect_ssl3_record found version 0x%04X -> state 0x%02X\n", version, ssl->state); } - /*ssl_set_conv_version(pinfo, ssl->session.version);*/ } } 
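Review bot: The new `switch (version)` in dissect_ssl3_record has no `default:` case, so an authoritative handshake message carrying a record-layer version other than the four listed leaves `session->version` at SSL_VER_UNKNOWN with no trace in the debug log, and the enclosing `session->version == SSL_VER_UNKNOWN && ssl_is_authoritative_version_message(...)` guard will presumably re-run this block on every later record. Add `default: ssl_debug_printf("dissect_ssl3_record ignoring unknown version 0x%04X\n", version); break;` so a session stuck at unknown is diagnosable rather than silently undecryptable. dissect_ssl3_record starts before and continues after this hunk.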
@@ -2358,13 +2327,11 @@ dissect_ssl2_record(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, (initial_offset + record_length_length), record_length)) { - session->version = SSL_VER_PCT; - /*ssl_set_conv_version(pinfo, ssl->session.version);*/ + session->version = PCT_VERSION; } else if (msg_type >= 2 && msg_type <= 8) { - session->version = SSL_VER_SSLv2; - /*ssl_set_conv_version(pinfo, ssl->session.version);*/ + session->version = SSLV2_VERSION; } } @@ -2373,20 +2340,20 @@ dissect_ssl2_record(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, * (e.g., on a client hello) */ col_set_str(pinfo->cinfo, COL_PROTOCOL, - (session->version == SSL_VER_PCT) ? "PCT" : "SSLv2"); + (session->version == PCT_VERSION) ? "PCT" : "SSLv2"); /* see if the msg_type is valid; if not the payload is * probably encrypted, so note that fact and bail */ msg_type_str = try_val_to_str(msg_type, - (session->version == SSL_VER_PCT) + (session->version == PCT_VERSION) ? pct_msg_types : ssl_20_msg_types); if (!msg_type_str - || ((session->version != SSL_VER_PCT) && + || ((session->version != PCT_VERSION) && !ssl_looks_like_valid_v2_handshake(tvb, initial_offset + record_length_length, record_length)) - || ((session->version == SSL_VER_PCT) && + || ((session->version == PCT_VERSION) && !ssl_looks_like_valid_pct_handshake(tvb, initial_offset + record_length_length, record_length))) @@ -2394,7 +2361,7 @@ dissect_ssl2_record(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, if (ssl_record_tree) { proto_item_set_text(ssl_record_tree, "%s Record Layer: %s", - (session->version == SSL_VER_PCT) + (session->version == PCT_VERSION) ? "PCT" : "SSLv2", "Encrypted Data"); @@ -2419,7 +2386,7 @@ dissect_ssl2_record(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, if (ssl_record_tree) { proto_item_set_text(ssl_record_tree, "%s Record Layer: %s", - (session->version == SSL_VER_PCT) + (session->version == PCT_VERSION) ? "PCT" : "SSLv2", msg_type_str); } 
@@ -2472,13 +2439,13 @@ dissect_ssl2_record(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, if (ssl_record_tree) { proto_tree_add_item(ssl_record_tree, - (session->version == SSL_VER_PCT) + (session->version == PCT_VERSION) ? hf_pct_msg_type : hf_ssl2_msg_type, tvb, offset, 1, ENC_BIG_ENDIAN); } offset += 1; /* move past msg_type byte */ - if (session->version != SSL_VER_PCT) + if (session->version != PCT_VERSION) { /* dissect the message (only handle client hello right now) */ switch (msg_type) { 
@@ -3213,32 +3180,18 @@ void ssl_set_master_secret(guint32 frame_num, address *addr_srv, address *addr_c /* version */ if ((ssl->session.version==SSL_VER_UNKNOWN) && (version!=SSL_VER_UNKNOWN)) { switch (version) { - case SSL_VER_SSLv3: - ssl->session.version = SSL_VER_SSLv3; - ssl->version_netorder = SSLV3_VERSION; - ssl->state |= SSL_VERSION; - ssl_debug_printf("ssl_set_master_secret set version 0x%04X -> state 0x%02X\n", ssl->version_netorder, ssl->state); - break; - - case SSL_VER_TLS: - ssl->session.version = SSL_VER_TLS; - ssl->version_netorder = TLSV1_VERSION; + case SSLV3_VERSION: + case TLSV1_VERSION: + case TLSV1DOT1_VERSION: + case TLSV1DOT2_VERSION: + ssl->session.version = version; ssl->state |= SSL_VERSION; - ssl_debug_printf("ssl_set_master_secret set version 0x%04X -> state 0x%02X\n", ssl->version_netorder, ssl->state); + ssl_debug_printf("%s set version 0x%04X -> state 0x%02X\n", G_STRFUNC, ssl->session.version, ssl->state); break; - - case SSL_VER_TLSv1DOT1: - ssl->session.version = SSL_VER_TLSv1DOT1; - ssl->version_netorder = TLSV1DOT1_VERSION; - ssl->state |= SSL_VERSION; - ssl_debug_printf("ssl_set_master_secret set version 0x%04X -> state 0x%02X\n", ssl->version_netorder, ssl->state); - break; - - case SSL_VER_TLSv1DOT2: - ssl->session.version = SSL_VER_TLSv1DOT2; - ssl->version_netorder = TLSV1DOT2_VERSION; - ssl->state |= SSL_VERSION; - ssl_debug_printf("ssl_set_master_secret set version 0x%04X -> state 0x%02X\n", ssl->version_netorder, ssl->state); + default: + /* API change: version number is no longer an internal value + * (SSL_VER_*) but the ProtocolVersion from wire (*_VERSION) */ + ssl_debug_printf("%s WARNING must pass ProtocolVersion, not 0x%04x!\n", G_STRFUNC, version); break; } } 
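Review bot: The contract change for `ssl_set_master_secret` — `version` is now a wire ProtocolVersion, and the legacy SSL_VER_* numbers (2, 3, 4, 7) fall through to the new `default:` with only an `ssl_debug_printf` — is recorded in the commit message but not on the function itself, so a plugin built against the old header compiles unchanged and then silently fails to decrypt. Document it where callers look, on the prototype in packet-ssl-utils.h (outside this hunk), e.g. `/* version: record-layer ProtocolVersion (SSLV3_VERSION, TLSV1_VERSION, ...), NOT the former SSL_VER_* constants; unrecognized values are ignored. */`, and consider emitting the default-branch message through a non-debug channel such as `g_warning` so the misuse is visible in a release build. ssl_set_master_secret begins before this hunk.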
@@ -3313,31 +3266,6 @@ void ssl_set_master_secret(guint32 frame_num, address *addr_srv, address *addr_c * Support Functions * *********************************************************************/ -#if 0 -static void -ssl_set_conv_version(packet_info *pinfo, guint version) -{ - conversation_t *conversation; - - if (pinfo->fd->flags.visited) - { - /* We've already processed this frame; no need to do any more - * work on it. - */ - return; - } - - conversation = find_or_create_conversation(pinfo); - - if (conversation_get_proto_data(conversation, proto_ssl) != NULL) - { - /* get rid of the current data */ - conversation_delete_proto_data(conversation, proto_ssl); - } - conversation_add_proto_data(conversation, proto_ssl, GINT_TO_POINTER(version)); -} -#endif - static gint ssl_is_valid_ssl_version(const guint16 version) { |