diff options
| author | Anders Broman <anders.broman@ericsson.com> | 2012-02-16 05:21:09 +0000 |
|---|---|---|
| committer | Anders Broman <anders.broman@ericsson.com> | 2012-02-16 05:21:09 +0000 |
| commit | 245fb95f47f9f1714d7a17832892d1958c099e38 (patch) | |
| tree | 67c4eb31111dd9dae8e57bb219fff9d0273743dc /epan/dissectors/packet-ssl-utils.c | |
| parent | ea02598924bb1eccbe3fbe0bb87e641ee3605633 (diff) | |
| download | wireshark-245fb95f47f9f1714d7a17832892d1958c099e38.tar.gz | |
From Naoyoshi Ueda:
Patch to fix DTLS decryption.
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6847
svn path=/trunk/; revision=41036
Diffstat (limited to 'epan/dissectors/packet-ssl-utils.c')
| -rw-r--r-- | epan/dissectors/packet-ssl-utils.c | 39 |
1 files changed, 20 insertions, 19 deletions
diff --git a/epan/dissectors/packet-ssl-utils.c b/epan/dissectors/packet-ssl-utils.c index 1b5af3923c..10c6fc1074 100644 --- a/epan/dissectors/packet-ssl-utils.c +++ b/epan/dissectors/packet-ssl-utils.c @@ -1885,7 +1885,8 @@ static gint prf(SslDecryptSession* ssl,StringInfo* secret,gchar* usage,StringInf gint ret; if (ssl->version_netorder==SSLV3_VERSION){ ret = ssl3_prf(secret,usage,rnd1,rnd2,out); - }else if (ssl->version_netorder==TLSV1_VERSION || ssl->version_netorder==TLSV1DOT1_VERSION){ + }else if (ssl->version_netorder==TLSV1_VERSION || ssl->version_netorder==TLSV1DOT1_VERSION || + ssl->version_netorder==DTLSV1DOT0_VERSION || ssl->version_netorder==DTLSV1DOT0_VERSION_NOT){ ret = tls_prf(secret,usage,rnd1,rnd2,out); }else{ if (ssl->cipher_suite.dig == DIG_SHA384){ @@ -2410,7 +2411,6 @@ ssl3_check_mac(SslDecoder*decoder,int ct,guint8* data, return(0); } -#if 0 static gint dtls_check_mac(SslDecoder*decoder, gint ct,int ver, guint8* data, guint32 datalen, guint8* mac) @@ -2419,7 +2419,8 @@ dtls_check_mac(SslDecoder*decoder, gint ct,int ver, guint8* data, gint md; guint32 len; guint8 buf[20]; - guint32 netnum; + gint16 temp; + md=ssl_get_digest_by_name(digests[decoder->cipher_suite->dig-0x40]); ssl_debug_printf("dtls_check_mac mac type:%s md %d\n", digests[decoder->cipher_suite->dig-0x40], md); @@ -2430,7 +2431,7 @@ dtls_check_mac(SslDecoder*decoder, gint ct,int ver, guint8* data, /* hash sequence number */ fmt_seq(decoder->seq,buf); buf[0]=decoder->epoch>>8; - buf[1]=decoder->epoch; + buf[1]=(guint8)decoder->epoch; ssl_hmac_update(&hm,buf,8); @@ -2439,10 +2440,12 @@ dtls_check_mac(SslDecoder*decoder, gint ct,int ver, guint8* data, ssl_hmac_update(&hm,buf,1); /* hash version,data length and data */ - *((gint16*)buf) = g_htons(ver); + temp = g_htons(ver); + memcpy(buf, &temp, 2); ssl_hmac_update(&hm,buf,2); - *((gint16*)buf) = g_htons(datalen); + temp = g_htons(datalen); + memcpy(buf, &temp, 2); ssl_hmac_update(&hm,buf,2); ssl_hmac_update(&hm,data,datalen); /* get digest and digest len */ @@ -2454,7 +2457,6 @@ dtls_check_mac(SslDecoder*decoder, gint ct,int ver, guint8* data, return(0); } -#endif #ifdef HAVE_LIBZ int @@ -2584,21 +2586,20 @@ ssl_decrypt_record(SslDecryptSession*ssl,SslDecoder* decoder, gint ct, } else if(ssl->version_netorder==DTLSV1DOT0_VERSION || ssl->version_netorder==DTLSV1DOT0_VERSION_NOT){ - /* following the openssl dtls errors the right test is: - if(dtls_check_mac(decoder,ct,ssl->version_netorder,out_str->data,worklen,mac)< 0) { */ - if(tls_check_mac(decoder,ct,TLSV1_VERSION,out_str->data,worklen,mac)< 0) { - if(ssl_ignore_mac_failed) { - ssl_debug_printf("ssl_decrypt_record: mac failed, but ignored for troubleshooting ;-)\n"); - } - else{ - ssl_debug_printf("ssl_decrypt_record: mac failed\n"); - return -1; - } + /* Try rfc-compliant mac first, and if failed, try old openssl's non-rfc-compliant mac */ + if(dtls_check_mac(decoder,ct,ssl->version_netorder,out_str->data,worklen,mac)>= 0) { + ssl_debug_printf("ssl_decrypt_record: mac ok\n"); + } + else if(tls_check_mac(decoder,ct,TLSV1_VERSION,out_str->data,worklen,mac)>= 0) { + ssl_debug_printf("ssl_decrypt_record: dtls rfc-compliant mac failed, but old openssl's non-rfc-compliant mac ok\n"); + } + else if(ssl_ignore_mac_failed) { + ssl_debug_printf("ssl_decrypt_record: mac failed, but ignored for troubleshooting ;-)\n"); } else{ - ssl_debug_printf("ssl_decrypt_record: mac ok\n"); + ssl_debug_printf("ssl_decrypt_record: mac failed\n"); + return -1; } - } *outl = worklen; |