diff options
author | Peter Wu <peter@lekensteyn.nl> | 2017-01-26 12:07:49 +0100 |
---|---|---|
committer | Anders Broman <a.broman58@gmail.com> | 2017-01-27 05:01:32 +0000 |
commit | dc86242e3e158adbc99371acf4c99d4e06e57a1a (patch) | |
tree | 8338578e7f84b1290dd4e97d163d54a63985e449 | |
parent | 9f600384e8c113c43a069d491a7482c402c1ea8d (diff) | |
download | wireshark-dc86242e3e158adbc99371acf4c99d4e06e57a1a.tar.gz |
ssl-utils: recognize new TLS 1.3 keylog format
Implemented by BoringSSL, an older description can be found at:
https://github.com/google/boringssl/commit/e776cc29568e520aaabc83188cc7db7991f0b776
Implementation pending at OpenSSL:
https://github.com/openssl/openssl/pull/2287
NSS bug (still open):
https://bugzilla.mozilla.org/show_bug.cgi?id=1287711
Proposal for PicoTLS:
https://github.com/h2o/picotls/issues/6
Change-Id: Ib597f48e296d286d8f6d30873ca03e7d6324a3c4
Ping-Bug: 12779
Reviewed-on: https://code.wireshark.org/review/19801
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Anders Broman <a.broman58@gmail.com>
-rw-r--r-- | epan/dissectors/packet-ssl-utils.c | 39 | ||||
-rw-r--r-- | epan/dissectors/packet-ssl-utils.h | 6 |
2 files changed, 42 insertions, 3 deletions
diff --git a/epan/dissectors/packet-ssl-utils.c b/epan/dissectors/packet-ssl-utils.c index a0b1a75477..4e3a93e6ef 100644 --- a/epan/dissectors/packet-ssl-utils.c +++ b/epan/dissectors/packet-ssl-utils.c @@ -4561,6 +4561,10 @@ ssl_common_init(ssl_master_key_map_t *mk_map, mk_map->crandom = g_hash_table_new(ssl_hash, ssl_equal); mk_map->pre_master = g_hash_table_new(ssl_hash, ssl_equal); mk_map->pms = g_hash_table_new(ssl_hash, ssl_equal); + mk_map->tls13_client_handshake = g_hash_table_new(ssl_hash, ssl_equal); + mk_map->tls13_server_handshake = g_hash_table_new(ssl_hash, ssl_equal); + mk_map->tls13_client_appdata = g_hash_table_new(ssl_hash, ssl_equal); + mk_map->tls13_server_appdata = g_hash_table_new(ssl_hash, ssl_equal); ssl_data_alloc(decrypted_data, 32); ssl_data_alloc(compressed_data, 32); } @@ -4574,6 +4578,10 @@ ssl_common_cleanup(ssl_master_key_map_t *mk_map, FILE **ssl_keylog_file, g_hash_table_destroy(mk_map->crandom); g_hash_table_destroy(mk_map->pre_master); g_hash_table_destroy(mk_map->pms); + g_hash_table_destroy(mk_map->tls13_client_handshake); + g_hash_table_destroy(mk_map->tls13_server_handshake); + g_hash_table_destroy(mk_map->tls13_client_appdata); + g_hash_table_destroy(mk_map->tls13_server_appdata); g_free(decrypted_data->data); g_free(compressed_data->data); @@ -4823,7 +4831,14 @@ ssl_compile_keyfile_regex(void) /* Matches Client Hellos having this Client Random */ "|CLIENT_RANDOM (?<client_random>" OCTET "{32}) " /* Master-Secret is given, its length is fixed */ - ")(?<master_secret>" OCTET "{" G_STRINGIFY(SSL_MASTER_SECRET_LENGTH) "})"; + ")(?<master_secret>" OCTET "{" G_STRINGIFY(SSL_MASTER_SECRET_LENGTH) "})" + "|(?" + /* TLS 1.3 Client Random to Derived Secrets mapping. */ + ":CLIENT_HANDSHAKE_TRAFFIC_SECRET (?<client_handshake>" OCTET "{32})" + "|SERVER_HANDSHAKE_TRAFFIC_SECRET (?<server_handshake>" OCTET "{32})" + "|CLIENT_TRAFFIC_SECRET_0 (?<client_appdata>" OCTET "{32})" + "|SERVER_TRAFFIC_SECRET_0 (?<server_appdata>" OCTET "{32})" + ") (?<derived_secret>" OCTET "+)"; #undef OCTET static GRegex *regex = NULL; GError *gerr = NULL; @@ -4878,7 +4893,12 @@ ssl_load_keyfile(const gchar *ssl_keylog_filename, FILE **keylog_file, { "encrypted_pmk", mk_map->pre_master }, { "session_id", mk_map->session }, { "client_random", mk_map->crandom }, - { "client_random_pms", mk_map->pms}, + { "client_random_pms", mk_map->pms }, + /* TLS 1.3 map from Client Random to derived secret. */ + { "client_handshake", mk_map->tls13_client_handshake }, + { "server_handshake", mk_map->tls13_server_handshake }, + { "client_appdata", mk_map->tls13_client_appdata }, + { "server_appdata", mk_map->tls13_server_appdata }, }; /* no need to try if no key log file is configured. */ if (!ssl_keylog_filename || !*ssl_keylog_filename) { @@ -4912,6 +4932,15 @@ ssl_load_keyfile(const gchar *ssl_keylog_filename, FILE **keylog_file, * Where yyyy is the cleartext master secret (hex-encoded) * (This format allows non-RSA SSL connections to be decrypted, i.e. * ECDHE-RSA.) + * + * - "CLIENT_HANDSHAKE_TRAFFIC_SECRET xxxx yyyy" + * - "SERVER_HANDSHAKE_TRAFFIC_SECRET xxxx yyyy" + * - "CLIENT_TRAFFIC_SECRET_0 xxxx yyyy" + * - "SERVER_TRAFFIC_SECRET_0 xxxx yyyy" + * Where xxxx is the client_random from the ClientHello (hex-encoded) + * Where yyyy is the secret (hex-encoded) derived from the handshake or + * master secrets. (This format is introduced with TLS 1.3 and supported + * by BoringSSL, OpenSSL, etc. See bug 12779.) */ regex = ssl_compile_keyfile_regex(); if (!regex) @@ -4965,10 +4994,14 @@ ssl_load_keyfile(const gchar *ssl_keylog_filename, FILE **keylog_file, * otherwise we will use the Master Secret */ hex_pre_ms_or_ms = g_match_info_fetch_named(mi, "master_secret"); - if (hex_pre_ms_or_ms == NULL || strlen(hex_pre_ms_or_ms) == 0){ + if (hex_pre_ms_or_ms == NULL || !*hex_pre_ms_or_ms) { g_free(hex_pre_ms_or_ms); hex_pre_ms_or_ms = g_match_info_fetch_named(mi, "pms"); } + if (hex_pre_ms_or_ms == NULL || !*hex_pre_ms_or_ms) { + g_free(hex_pre_ms_or_ms); + hex_pre_ms_or_ms = g_match_info_fetch_named(mi, "derived_secret"); + } /* There is always a match, otherwise the regex is wrong. */ DISSECTOR_ASSERT(hex_pre_ms_or_ms && strlen(hex_pre_ms_or_ms)); diff --git a/epan/dissectors/packet-ssl-utils.h b/epan/dissectors/packet-ssl-utils.h index 43e408028a..b3094993f4 100644 --- a/epan/dissectors/packet-ssl-utils.h +++ b/epan/dissectors/packet-ssl-utils.h @@ -450,6 +450,12 @@ typedef struct { GHashTable *pre_master; /* First 8 bytes of encrypted pre-master secret to pre-master secret */ GHashTable *pms; /* Client Random to unencrypted pre-master secret */ + + /* For TLS 1.3: maps Client Random to derived secret. */ + GHashTable *tls13_client_handshake; + GHashTable *tls13_server_handshake; + GHashTable *tls13_client_appdata; + GHashTable *tls13_server_appdata; } ssl_master_key_map_t; gint ssl_get_keyex_alg(gint cipher); |