diff options
author | Peter Wu <peter@lekensteyn.nl> | 2015-10-15 02:00:47 +0200 |
---|---|---|
committer | Peter Wu <peter@lekensteyn.nl> | 2015-10-16 09:27:47 +0000 |
commit | 36079a1eb55768755e4861801e3b651ebf603a52 (patch) | |
tree | 7ed00077aa0d9c822e3398827eda21e7d6899b0b /epan/dissectors/packet-dtls.c | |
parent | b92caedf91f7711ad6e7add42957435ddd482eba (diff) | |
download | wireshark-36079a1eb55768755e4861801e3b651ebf603a52.tar.gz |
ssl-utils: allow gcrypt without GnuTLS, improve structure
Fix distinction between HAVE_LIBGNUTLS and HAVE_LIBGCRYPT. If GnuTLS is
unavailable, then the only missing feature is decryption using an RSA
private key file. Regardless of GnuTLS, allow SSL decryption (e.g. using
a SSL key log file or a PSK configured via preferences).
This change has no functional effect when GnuTLS and gcrypt are both
available (or not). Additionally, decryption is possible if only
libgcrypt is available.
Further changes to make ssl-utils more maintainable and documented:
- Group related functions, add markers and documentation. The following
functions are moved (with no further modifications):
- ssl_data_realloc, ssl_data_copy: related to StringInfo.
- ssl_change_cipher, ssl_create_flow: related to the decryption of a
session.
- ssl_decompress_record: related to Record Decompression.
- ssl_lib_init: moved to an arbitrary place.
- ssl_set_server: moved closer to ssl_packet_from_server.
- ssl_is_valid_content_type, ssl_is_valid_handshake_type: move closer
to dissection code.
- ssl_dissect_hnd_hello_ext_status_request,
ssl_dissect_hnd_hello_ext_status_request_v2,
ssl_dissect_hnd_hello_ext_elliptic_curves,
ssl_dissect_hnd_hello_ext_ec_point_formats: move to TLS extensions.
- Remove unused forward declaration of _gcry_rsa_decrypt.
- ssl-packet-utils.h:
- Remove ssl_equal, ssl_hash. These are only used in
packet-ssl-utils.c.
- ssl_private_key_equal, ssl_private_key_hash,
ssl_common_register_options: inline when decryption is not
possible.
- Remove ws_symbol_export.h, enable SSL debug log when libgcrypt is
compiled in (instead of depending on GnuTLS).
- Move/merge stub code when GnuTLS or libgcrypt are not available:
- ssl_find_cipher: move.
- ssl_cipher_setiv: move.
- ssl_generate_pre_master_secret, ssl_generate_keyring_material: move.
Compile-tested all combinations:
- no GnuTLS, no libgcrypt: CentOS 6.
- no GnuTLS, has libgcrypt: CentOS 6. Passes all decryption tests
except for the ones that need a RSA private key file.
- has GnuTLS, no libgcrypt: Arch Linux.
- has GnuTLS, has libgcrypt: Arch Linux. The decryption tests pass.
(GnuTLS support is useless without gcrypt, but included for completeness.)
Change-Id: I727248937331f8788de8ed78248bb33296206096
Reviewed-on: https://code.wireshark.org/review/11052
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Diffstat (limited to 'epan/dissectors/packet-dtls.c')
-rw-r--r-- | epan/dissectors/packet-dtls.c | 10 |
1 files changed, 6 insertions, 4 deletions
diff --git a/epan/dissectors/packet-dtls.c b/epan/dissectors/packet-dtls.c index 35948d5c66..c07082db61 100644 --- a/epan/dissectors/packet-dtls.c +++ b/epan/dissectors/packet-dtls.c @@ -147,7 +147,7 @@ static FILE *dtls_keylog_file = NULL; static uat_t *dtlsdecrypt_uat = NULL; static const gchar *dtls_keys_list = NULL; static ssl_common_options_t dtls_options = { NULL, NULL}; -#ifdef HAVE_LIBGNUTLS +#ifdef HAVE_LIBGCRYPT static const gchar *dtls_debug_file_name = NULL; #endif @@ -1611,7 +1611,7 @@ looks_like_dtls(tvbuff_t *tvb, guint32 offset) /* UAT */ -#ifdef HAVE_LIBGNUTLS +#if defined(HAVE_LIBGNUTLS) && defined(HAVE_LIBGCRYPT) static void dtlsdecrypt_free_cb(void* r) { @@ -1633,7 +1633,7 @@ dtlsdecrypt_update_cb(void* r _U_, const char** err _U_) } #endif -#ifdef HAVE_LIBGNUTLS +#if defined(HAVE_LIBGNUTLS) && defined(HAVE_LIBGCRYPT) static void * dtlsdecrypt_copy_cb(void* dest, const void* orig, size_t len _U_) { @@ -1867,10 +1867,11 @@ proto_register_dtls(void) expert_dtls = expert_register_protocol(proto_dtls); expert_register_field_array(expert_dtls, ei, array_length(ei)); -#ifdef HAVE_LIBGNUTLS +#ifdef HAVE_LIBGCRYPT { module_t *dtls_module = prefs_register_protocol(proto_dtls, proto_reg_handoff_dtls); +#ifdef HAVE_LIBGNUTLS static uat_field_t dtlskeylist_uats_flds[] = { UAT_FLD_CSTRING_OTHER(sslkeylist_uats, ipaddr, "IP address", ssldecrypt_uat_fld_ip_chk_cb, "IPv4 or IPv6 address"), UAT_FLD_CSTRING_OTHER(sslkeylist_uats, port, "Port", ssldecrypt_uat_fld_port_chk_cb, "Port Number"), @@ -1898,6 +1899,7 @@ proto_register_dtls(void) "RSA keys list", "A table of RSA keys for DTLS decryption", dtlsdecrypt_uat); +#endif /* HAVE_LIBGNUTLS */ prefs_register_filename_preference(dtls_module, "debug_file", "DTLS debug file", "redirect dtls debug to file name; leave empty to disable debug, " |