author | Peter Wu <peter@lekensteyn.nl> | 2016-09-20 21:26:43 +0200 |
---|---|---|
committer | Peter Wu <peter@lekensteyn.nl> | 2017-01-29 01:52:58 +0100 |
commit | 380e87ebf19c2ecbcd6dfcc977d70b5971559446 (patch) | |
tree | b422874df0bac8a342f7f9d75b0234e53de174b6 /epan/dissectors/packet-dtls.c | |
parent | ec9ce3fdad014274ce00de1768f9e11395a77e37 (diff) | |
[WIP] ssl: add AEAD auth tag validation [rv2]ssl-aead-fixes
TODO
- pull AEAD init/check outside function (for re-use with TLS1.3?)
- fix sequence number for nonce, need to check what is wrong
- more testing (+ extend test suite)? CCM seems to work. GCM auth check
still seems broken.
- test with older libgcrypt versions (currently tested with 1.7.6).
Change-Id: I94dd2fd70e1281d85c954abfe523f7483d9ac68b
Diffstat (limited to 'epan/dissectors/packet-dtls.c')
-rw-r--r-- | epan/dissectors/packet-dtls.c | 9 |
1 files changed, 5 insertions, 4 deletions
diff --git a/epan/dissectors/packet-dtls.c b/epan/dissectors/packet-dtls.c
index 0ac6a94340..dd8905c968 100644
--- a/epan/dissectors/packet-dtls.c
+++ b/epan/dissectors/packet-dtls.c
@@ -568,8 +568,8 @@ dtls_is_null_cipher(guint cipher )
 }
 static gboolean
-decrypt_dtls_record(tvbuff_t *tvb, packet_info *pinfo, guint32 offset,
-                    guint32 record_length, guint8 content_type, SslDecryptSession* ssl,
+decrypt_dtls_record(tvbuff_t *tvb, packet_info *pinfo, guint32 offset, SslDecryptSession *ssl,
+                    guint8 content_type, guint16 record_version, guint16 record_length,
                     gboolean allow_fragments)
 {
   gboolean success;
@@ -618,7 +618,8 @@ decrypt_dtls_record(tvbuff_t *tvb, packet_info *pinfo, guint32 offset,
       ssl_debug_printf("decrypt_dtls_record: no decoder available\n");
       return FALSE;
     }
-    success = ssl_decrypt_record(ssl, decoder, content_type, tvb_get_ptr(tvb, offset, record_length), record_length,
+    success = ssl_decrypt_record(ssl, decoder, content_type, record_version,
+                                 tvb_get_ptr(tvb, offset, record_length), record_length,
                                  &dtls_compressed_data, &dtls_decrypted_data, &dtls_decrypted_data_avail) == 0;
   } else if (dtls_is_null_cipher(ssl->session.cipher)) {
@@ -794,7 +795,7 @@ dissect_dtls_record(tvbuff_t *tvb, packet_info *pinfo,
   /* try to decrypt record on the first pass, if possible. Store decrypted
    * record for later usage (without having to decrypt again). */
   if (ssl) {
-    decrypt_dtls_record(tvb, pinfo, offset, record_length, content_type, ssl,
+    decrypt_dtls_record(tvb, pinfo, offset, ssl, content_type, version, record_length,
                         content_type == SSL_ID_APP_DATA || content_type == SSL_ID_HANDSHAKE);
   }
   decrypted = ssl_get_record_info(tvb, proto_dtls, pinfo, tvb_raw_offset(tvb)+offset, &record); |
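Review bot: The new decrypt_dtls_record signature silently narrows `record_length` from guint32 to guint16 and puts `record_version` and `record_length` next to each other with the same type, so a call that swaps the two compiles without a diagnostic; the caller in dissect_dtls_record passes them in the right order, but nothing documents either parameter. A short header comment above `static gboolean` would make the contract explicit, e.g. `/* record_version and record_length are the values from the DTLS record header of the record at offset; record_length is the ciphertext length handed to ssl_decrypt_record. */`. The body of decrypt_dtls_record continues outside this hunk.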
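Review bot: The call to ssl_decrypt_record now receives `record_version`, but nothing from the DTLS record header's epoch and sequence number is passed here; in DTLS the AEAD nonce and additional data are built from the explicit 64-bit epoch||sequence_number carried in each record, not from an implicit per-connection counter as in TLS. If ssl_decrypt_record (outside this diff) derives the sequence number from a session counter rather than from decoder state the dissector fills in from the record header, the tag check will fail as soon as a datagram is lost or reordered, which may be the "fix sequence number for nonce" and "GCM auth check" items in the commit message. Consider passing the record's epoch and sequence number alongside `record_version`, or documenting at this call site where ssl_decrypt_record is expected to obtain them. decrypt_dtls_record starts and ends outside this hunk.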