author | Evan Huus <eapache@gmail.com> | 2014-06-29 08:50:21 -0400 |
committer | Evan Huus <eapache@gmail.com> | 2014-06-30 21:10:11 +0000 |
commit | f1ff6635a8356e0832350fd806cc3810132b2102 (patch) | |
tree | 841a11722aafad604f40f97be880be559b020c38 /epan/dissectors/packet-ssl.c | |
parent | 60d0faf9c9bee0defc42d7ad633ae46a8008bd6c (diff) | |
download | wireshark-f1ff6635a8356e0832350fd806cc3810132b2102.tar.gz |
Warn about unencrypted HTTP traffic over port 443
At the suggestion of Toralf Förster. This includes an expert info, as well as
making SSL a new-style dissector and rejecting traffic that looks like
unencrypted text.
Change-Id: Ib09ea0d97952330f092590ff3fc6488807cdbb81
Reviewed-on: https://code.wireshark.org/review/2693
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Reviewed-by: Evan Huus <eapache@gmail.com>
Diffstat (limited to 'epan/dissectors/packet-ssl.c')
-rw-r--r-- | epan/dissectors/packet-ssl.c | 27 |
1 files changed, 23 insertions, 4 deletions
diff --git a/epan/dissectors/packet-ssl.c b/epan/dissectors/packet-ssl.c
index 3c82774908..ce0105667a 100644
--- a/epan/dissectors/packet-ssl.c
+++ b/epan/dissectors/packet-ssl.c
@@ -612,8 +612,8 @@ static gint ssl_looks_like_valid_pct_handshake(tvbuff_t *tvb,
 /*
  * Code to actually dissect the packets
  */
-static void
-dissect_ssl(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
+static int
+dissect_ssl(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_)
 {
 
     conversation_t *conversation;
@@ -634,6 +634,23 @@ dissect_ssl(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
     ssl_session = NULL;
 
+    if (tvb_captured_length(tvb) > 4) {
+        const guint8 *tmp = tvb_get_ptr(tvb, 0, 4);
+        if (g_ascii_isprint(tmp[0]) &&
+            g_ascii_isprint(tmp[1]) &&
+            g_ascii_isprint(tmp[2]) &&
+            g_ascii_isprint(tmp[3])) {
+            /* it is extremely unlikely that real SSL traffic starts with four
+             * printable ascii characters; this looks like it's unencrypted
+             * text, so assume it's not ours (SSL does have some unencrypted
+             * text fields in certain packets, but you'd have to get very
+             * unlucky with TCP fragmentation to have one of those fields at the
+             * beginning of a TCP payload at the beginning of the capture where
+             * reassembly hasn't started yet) */
+            return 0;
+        }
+    }
+
     ssl_debug_printf("\ndissect_ssl enter frame #%u (%s)\n", pinfo->fd->num,
                      (pinfo->fd->flags.visited)?"already visited":"first time");
 
     /* Track the version using conversations to reduce the
@@ -798,7 +815,7 @@ dissect_ssl(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
             ssl_debug_printf(" need_desegmentation: offset = %d, reported_length_remaining = %d\n",
                              offset, tvb_reported_length_remaining(tvb, offset));
             tap_queue_packet(ssl_tap, pinfo, GINT_TO_POINTER(proto_ssl));
-            return;
+            return tvb_captured_length(tvb);
         }
 
         /* set up for next record in frame, if any */
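Review bot: The printable-text rejection in the second hunk runs before the conversation lookup, so it also fires on a conversation that earlier packets have already classified as SSL; a ciphertext segment that happens to begin with four printable bytes (roughly 2% of uniformly random 4-byte prefixes) would then be handed back to TCP as not-SSL mid-stream, which is exactly the fragmentation case the comment says is unlikely but does not prevent. Skipping the check when the conversation already carries SSL state (the `ssl_session` lookup that follows, or the conversation proto data it comes from) would confine the heuristic to the first packet. Separately, `tvb_captured_length(tvb) > 4` demands five bytes to inspect four; `if (tvb_captured_length(tvb) >= 4) {` matches the `tvb_get_ptr(tvb, 0, 4)` it guards. The commit message mentions an expert info, but none is added in this file; if it lives elsewhere, a short comment at the `return 0;` saying where the rejection is reported would help readers. dissect_ssl continues outside these hunks.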
@@ -810,6 +827,8 @@ dissect_ssl(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
 
     ssl_debug_flush();
     tap_queue_packet(ssl_tap, pinfo, GINT_TO_POINTER(proto_ssl));
+
+    return tvb_captured_length(tvb);
 }
 
 static gint
@@ -4943,7 +4962,7 @@ proto_register_ssl(void)
     /* heuristic dissectors for any premable e.g. CredSSP before RDP */
     register_heur_dissector_list("ssl", &ssl_heur_subdissector_list);
 
-    register_dissector("ssl", dissect_ssl, proto_ssl);
+    new_register_dissector("ssl", dissect_ssl, proto_ssl);
     ssl_handle = find_dissector("ssl");
 
     ssl_associations = g_tree_new(ssl_association_cmp);
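Review bot: Now that the handle registered by `new_register_dissector("ssl", ...)` can return 0 for a rejected payload, the `ssl_handle` obtained from `find_dissector("ssl")` on the next line is presumably also invoked through `call_dissector()` by other dissectors (STARTTLS-style upgrades), and those callers will silently treat the payload as consumed unless they check the return value. It is worth confirming that each such call site either checks the result or tolerates a rejected payload; a comment next to `ssl_handle = find_dissector("ssl");` noting that the dissector may now reject data would make the new contract visible. proto_register_ssl continues outside the hunk.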