authorPeter Wu <peter@lekensteyn.nl>2017-02-08 02:04:18 +0100
committerPeter Wu <peter@lekensteyn.nl>2017-02-11 13:22:43 +0000
commiteb1a63f3bcd30e8e844f2a72ac9c3e7a82871638 (patch)
tree3df30864bcd8a421e4b04afe41906560b0f69614
parent746bbe7abf4bad74b78db0282d8962eb891eb502 (diff)
TLS13: add Key Update dissection
Actual decryption support will be added later. Ping-Bug: 12779 Change-Id: I3ff1f243fd0bd1467e84d8a6a5433c1fe71bbebf Reviewed-on: https://code.wireshark.org/review/20012 Petri-Dish: Peter Wu <peter@lekensteyn.nl> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Peter Wu <peter@lekensteyn.nl>
-rw-r--r--epan/dissectors/packet-dtls.c1
-rw-r--r--epan/dissectors/packet-ssl-utils.c24
-rw-r--r--epan/dissectors/packet-ssl-utils.h16
-rw-r--r--epan/dissectors/packet-ssl.c4
4 files changed, 43 insertions, 2 deletions
diff --git a/epan/dissectors/packet-dtls.c b/epan/dissectors/packet-dtls.c
index 9e89d30048..0a1be9aaac 100644
--- a/epan/dissectors/packet-dtls.c
+++ b/epan/dissectors/packet-dtls.c
@@ -1334,6 +1334,7 @@ dissect_dtls_handshake(tvbuff_t *tvb, packet_info *pinfo,
case SSL_HND_CERT_URL:
case SSL_HND_CERT_STATUS:
case SSL_HND_SUPPLEMENTAL_DATA:
+ case SSL_HND_KEY_UPDATE:
case SSL_HND_ENCRYPTED_EXTS:
case SSL_HND_ENCRYPTED_EXTENSIONS: /* TLS 1.3 */
/* TODO: does this need further dissection? */
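Review bot: The new `SSL_HND_KEY_UPDATE` case lands in the no-dissection group, so on the DTLS side the request_update byte is never decoded, whereas packet-ssl.c in this same commit calls tls13_dissect_hnd_key_update for it. If that is deliberate because KeyUpdate is defined only for TLS 1.3, mark the label the way the neighbouring label is: `case SSL_HND_KEY_UPDATE: /* TLS 1.3 */`. dissect_dtls_handshake continues outside the hunk.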
diff --git a/epan/dissectors/packet-ssl-utils.c b/epan/dissectors/packet-ssl-utils.c
index 822b8bffce..1bcd0b2113 100644
--- a/epan/dissectors/packet-ssl-utils.c
+++ b/epan/dissectors/packet-ssl-utils.c
@@ -569,6 +569,7 @@ const value_string ssl_31_handshake_type[] = {
{ SSL_HND_CERT_URL, "Client Certificate URL" },
{ SSL_HND_CERT_STATUS, "Certificate Status" },
{ SSL_HND_SUPPLEMENTAL_DATA, "Supplemental Data" },
+ { SSL_HND_KEY_UPDATE, "Key Update" },
{ SSL_HND_ENCRYPTED_EXTS, "Encrypted Extensions" },
{ 0x00, NULL }
};
@@ -1205,6 +1206,12 @@ const value_string tls_hello_ext_psk_ke_mode[] = {
{ 0, NULL }
};
+const value_string tls13_key_update_request[] = {
+ { 0, "update_not_requested" },
+ { 1, "update_requested" },
+ { 0, NULL }
+};
+
/* RFC 5246 7.4.1.4.1 */
const value_string tls_hash_algorithm[] = {
{ 0, "None" },
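Review bot: tls13_key_update_request carries no provenance comment, unlike the neighbouring table that is headed `/* RFC 5246 7.4.1.4.1 */`; the values are only traceable via the comment inside tls13_dissect_hnd_key_update further down. Add `/* draft-ietf-tls-tls13-18 4.5.3 KeyUpdateRequest */` above the table so the strings can be checked against the spec when the draft changes.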
@@ -6630,6 +6637,7 @@ ssl_is_valid_handshake_type(guint8 hs_type, gboolean is_dtls)
case SSL_HND_CERT_URL:
case SSL_HND_CERT_STATUS:
case SSL_HND_SUPPLEMENTAL_DATA:
+ case SSL_HND_KEY_UPDATE:
case SSL_HND_ENCRYPTED_EXTS:
return TRUE;
}
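Review bot: `SSL_HND_KEY_UPDATE` is reported as valid without consulting `is_dtls`, although KeyUpdate exists only in TLS 1.3 (per the draft cited in tls13_dissect_hnd_key_update) and the DTLS hunk of this commit does not dissect it. The function body is cut off at both edges of the hunk, so it is unclear whether `is_dtls` gates TLS-only types elsewhere; if it does, the new case belongs with those, otherwise a comment such as `case SSL_HND_KEY_UPDATE: /* TLS 1.3; accepted for DTLS too */` should record the decision. Because this function appears to decide what counts as a plausible handshake message, widening the accepted set changes which records are recognised as handshakes.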
@@ -8063,6 +8071,22 @@ ssl_dissect_hnd_srv_keyex(ssl_common_dissect_t *hf, tvbuff_t *tvb,
}
/* Client Key Exchange and Server Key Exchange handshake dissections. }}} */
+void
+tls13_dissect_hnd_key_update(ssl_common_dissect_t *hf, tvbuff_t *tvb,
+ proto_tree *tree, guint32 offset)
+{
+ /* https://tools.ietf.org/html/draft-ietf-tls-tls13-18#section-4.5.3
+ * enum {
+ * update_not_requested(0), update_requested(1), (255)
+ * } KeyUpdateRequest;
+ *
+ * struct {
+ * KeyUpdateRequest request_update;
+ * } KeyUpdate;
+ */
+ proto_tree_add_item(tree, hf->hf.hs_key_update_request_update, tvb, offset, 1, ENC_NA);
+}
+
#ifdef HAVE_LIBGCRYPT
void
ssl_common_register_options(module_t *module, ssl_common_options_t *options)
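Review bot: tls13_dissect_hnd_key_update decodes one byte at `offset` without knowing the handshake message length, so a KeyUpdate whose length field is not 1 is dissected with no indication, whereas the sibling ssl_dissect_hnd_srv_keyex receives `guint32 length`. Consider taking `length` as well and raising expert info when `length != 1` before the proto_tree_add_item call; the prototype and the packet-ssl.c caller added in this commit would change accordingly. A one-line header comment stating that only the request_update byte is decoded and that no key-schedule update is performed (as the commit message says) would also help the next reader. Style: `ENC_BIG_ENDIAN` is the conventional encoding argument for an FT_UINT8 item; `ENC_NA` happens to work for a single byte but reads as a non-integer field.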
diff --git a/epan/dissectors/packet-ssl-utils.h b/epan/dissectors/packet-ssl-utils.h
index 689e9139fe..82303bfa13 100644
--- a/epan/dissectors/packet-ssl-utils.h
+++ b/epan/dissectors/packet-ssl-utils.h
@@ -74,6 +74,7 @@ typedef enum {
SSL_HND_CERT_URL = 21,
SSL_HND_CERT_STATUS = 22,
SSL_HND_SUPPLEMENTAL_DATA = 23,
+ SSL_HND_KEY_UPDATE = 24,
/* Encrypted Extensions was NextProtocol in draft-agl-tls-nextprotoneg-03
* and changed in draft 04. Not to be confused with TLS 1.3 EE. */
SSL_HND_ENCRYPTED_EXTS = 67
@@ -224,6 +225,7 @@ extern const value_string ssl_extension_ec_point_formats[];
extern const value_string ssl_curve_types[];
extern const value_string tls_hello_ext_server_name_type_vs[];
extern const value_string tls_hello_ext_psk_ke_mode[];
+extern const value_string tls13_key_update_request[];
/* XXX Should we use GByteArray instead? */
typedef struct _StringInfo {
@@ -782,8 +784,9 @@ typedef struct ssl_common_dissect {
gint hs_ext_draft_version_tls13;
gint hs_ext_psk_ke_modes_len;
gint hs_ext_psk_ke_mode;
- gint hs_certificate_request_context;
gint hs_certificate_request_context_length;
+ gint hs_certificate_request_context;
+ gint hs_key_update_request_update;
/* do not forget to update SSL_COMMON_LIST_T and SSL_COMMON_HF_LIST! */
} hf;
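Review bot: The swap of `hs_certificate_request_context` and `hs_certificate_request_context_length` is not explained by the commit message, which only mentions Key Update. If the intent is to match the order of SSL_COMMON_HF_LIST (the trailing comment asks for the two to be kept in sync), say so in the message or keep the reorder in a separate change; as it stands a reader cannot tell whether it is cosmetic or fixes a mismatch. The enclosing struct starts and ends outside the hunk.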
@@ -952,6 +955,10 @@ ssl_dissect_hnd_srv_keyex(ssl_common_dissect_t *hf, tvbuff_t *tvb,
proto_tree *tree, guint32 offset, guint32 length,
const SslSession *session);
+extern void
+tls13_dissect_hnd_key_update(ssl_common_dissect_t *hf, tvbuff_t *tvb,
+ proto_tree *tree, guint32 offset);
+
/* {{{ */
#define SSL_COMMON_LIST_T(name) \
ssl_common_dissect_t name = { \
@@ -963,7 +970,7 @@ ssl_common_dissect_t name = { \
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, \
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, \
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, \
- -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, \
+ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, \
}, \
/* ett */ { \
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, \
@@ -1588,6 +1595,11 @@ ssl_common_dissect_t name = { \
{ "Certificate Request Context", prefix ".handshake.certificate_request_context", \
FT_BYTES, BASE_NONE, NULL, 0x0, \
"Value from CertificateRequest or empty for server auth", HFILL } \
+ }, \
+ { & name .hf.hs_key_update_request_update, \
+ { "Key Update Request", prefix ".handshake.key_update.request_update", \
+ FT_UINT8, BASE_DEC, VALS(tls13_key_update_request), 0x00, \
+ "Whether the receiver should also update its keys", HFILL } \
}
/* }}} */
diff --git a/epan/dissectors/packet-ssl.c b/epan/dissectors/packet-ssl.c
index 12a1cacacd..2157ae1492 100644
--- a/epan/dissectors/packet-ssl.c
+++ b/epan/dissectors/packet-ssl.c
@@ -2188,6 +2188,10 @@ dissect_ssl3_handshake(tvbuff_t *tvb, packet_info *pinfo,
/* TODO: dissect this? */
break;
+ case SSL_HND_KEY_UPDATE:
+ tls13_dissect_hnd_key_update(&dissect_ssl3_hf, tvb, tree, offset);
+ break;
+
case SSL_HND_ENCRYPTED_EXTS:
dissect_ssl3_hnd_encrypted_exts(tvb, ssl_hand_tree, offset);
break;
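Review bot: The new case passes `tree` to tls13_dissect_hnd_key_update while the adjacent `SSL_HND_ENCRYPTED_EXTS` case passes `ssl_hand_tree`; if `tree` is the enclosing record tree, the request_update item ends up one level above the handshake subtree, unlike the other handshake fields. Unless that is intended, change the call to `tls13_dissect_hnd_key_update(&dissect_ssl3_hf, tvb, ssl_hand_tree, offset);`. dissect_ssl3_handshake continues outside the hunk.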