From eb1a63f3bcd30e8e844f2a72ac9c3e7a82871638 Mon Sep 17 00:00:00 2001
From: Peter Wu
Date: Wed, 8 Feb 2017 02:04:18 +0100
Subject: TLS13: add Key Update dissection

Actual decryption support will be added later.

Ping-Bug: 12779
Change-Id: I3ff1f243fd0bd1467e84d8a6a5433c1fe71bbebf
Reviewed-on: https://code.wireshark.org/review/20012
Petri-Dish: Peter Wu
Tested-by: Petri Dish Buildbot
Reviewed-by: Peter Wu
---
 epan/dissectors/packet-dtls.c | 1 +
 epan/dissectors/packet-ssl-utils.c | 24 ++++++++++++++++++++++++
 epan/dissectors/packet-ssl-utils.h | 16 ++++++++++++++--
 epan/dissectors/packet-ssl.c | 4 ++++
 4 files changed, 43 insertions(+), 2 deletions(-)

diff --git a/epan/dissectors/packet-dtls.c b/epan/dissectors/packet-dtls.c
index 9e89d30048..0a1be9aaac 100644
--- a/epan/dissectors/packet-dtls.c
+++ b/epan/dissectors/packet-dtls.c
@@ -1334,6 +1334,7 @@ dissect_dtls_handshake(tvbuff_t *tvb, packet_info *pinfo,
 case SSL_HND_CERT_URL:
 case SSL_HND_CERT_STATUS:
 case SSL_HND_SUPPLEMENTAL_DATA:
+ case SSL_HND_KEY_UPDATE:
 case SSL_HND_ENCRYPTED_EXTS:
 case SSL_HND_ENCRYPTED_EXTENSIONS: /* TLS 1.3 */
 /* TODO: does this need further dissection? */
diff --git a/epan/dissectors/packet-ssl-utils.c b/epan/dissectors/packet-ssl-utils.c
index 822b8bffce..1bcd0b2113 100644
--- a/epan/dissectors/packet-ssl-utils.c
+++ b/epan/dissectors/packet-ssl-utils.c
@@ -569,6 +569,7 @@ const value_string ssl_31_handshake_type[] = {
 { SSL_HND_CERT_URL, "Client Certificate URL" },
 { SSL_HND_CERT_STATUS, "Certificate Status" },
 { SSL_HND_SUPPLEMENTAL_DATA, "Supplemental Data" },
+ { SSL_HND_KEY_UPDATE, "Key Update" },
 { SSL_HND_ENCRYPTED_EXTS, "Encrypted Extensions" },
 { 0x00, NULL }
 };
@@ -1205,6 +1206,12 @@ const value_string tls_hello_ext_psk_ke_mode[] = {
 { 0, NULL }
 };
 
+const value_string tls13_key_update_request[] = {
+ { 0, "update_not_requested" },
+ { 1, "update_requested" },
+ { 0, NULL }
+};
+
 /* RFC 5246 7.4.1.4.1 */
 const value_string tls_hash_algorithm[] = {
 { 0, "None" },
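Review bot: The new tls13_key_update_request table in the second packet-ssl-utils.c hunk carries no reference comment, while the table right after it in the same hunk is introduced by `/* RFC 5246 7.4.1.4.1 */`. Adding `/* draft-ietf-tls-tls13-18 4.5.3 KeyUpdateRequest */` above the definition lets a reader check the two enum values against the same draft that the dissect function's comment cites. In the packet-dtls.c hunk at the top of this line, SSL_HND_KEY_UPDATE is folded into the group whose bodies are left undissected; a trailing `/* not dissected for DTLS yet */` on that case would make the asymmetry with packet-ssl.c explicit rather than something to discover from the other file.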
@@ -6630,6 +6637,7 @@ ssl_is_valid_handshake_type(guint8 hs_type, gboolean is_dtls)
 case SSL_HND_CERT_URL:
 case SSL_HND_CERT_STATUS:
 case SSL_HND_SUPPLEMENTAL_DATA:
+ case SSL_HND_KEY_UPDATE:
 case SSL_HND_ENCRYPTED_EXTS:
 return TRUE;
 }
@@ -8063,6 +8071,22 @@ ssl_dissect_hnd_srv_keyex(ssl_common_dissect_t *hf, tvbuff_t *tvb,
 }
 /* Client Key Exchange and Server Key Exchange handshake dissections. }}} */
 
+void
+tls13_dissect_hnd_key_update(ssl_common_dissect_t *hf, tvbuff_t *tvb,
+ proto_tree *tree, guint32 offset)
+{
+ /* https://tools.ietf.org/html/draft-ietf-tls-tls13-18#section-4.5.3
+ * enum {
+ * update_not_requested(0), update_requested(1), (255)
+ * } KeyUpdateRequest;
+ *
+ * struct {
+ * KeyUpdateRequest request_update;
+ * } KeyUpdate;
+ */
+ proto_tree_add_item(tree, hf->hf.hs_key_update_request_update, tvb, offset, 1, ENC_NA);
+}
+
 #ifdef HAVE_LIBGCRYPT
 void
 ssl_common_register_options(module_t *module, ssl_common_options_t *options)
diff --git a/epan/dissectors/packet-ssl-utils.h b/epan/dissectors/packet-ssl-utils.h
index 689e9139fe..82303bfa13 100644
--- a/epan/dissectors/packet-ssl-utils.h
+++ b/epan/dissectors/packet-ssl-utils.h
@@ -74,6 +74,7 @@ typedef enum {
 SSL_HND_CERT_URL = 21,
 SSL_HND_CERT_STATUS = 22,
 SSL_HND_SUPPLEMENTAL_DATA = 23,
+ SSL_HND_KEY_UPDATE = 24,
 /* Encrypted Extensions was NextProtocol in draft-agl-tls-nextprotoneg-03
 * and changed in draft 04. Not to be confused with TLS 1.3 EE. */
 SSL_HND_ENCRYPTED_EXTS = 67
@@ -224,6 +225,7 @@ extern const value_string ssl_extension_ec_point_formats[];
 extern const value_string ssl_curve_types[];
 extern const value_string tls_hello_ext_server_name_type_vs[];
 extern const value_string tls_hello_ext_psk_ke_mode[];
+extern const value_string tls13_key_update_request[];
 
 /* XXX Should we use GByteArray instead? */
 typedef struct _StringInfo {
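Review bot: tls13_dissect_hnd_key_update reads exactly one byte at offset but, unlike the sibling ssl_dissect_hnd_srv_keyex named in the hunk header, takes no `length` argument, so a KeyUpdate body longer than the single request_update byte is dissected with no indication that trailing bytes were ignored; a body shorter than one byte presumably ends in the generic tvb bounds exception from proto_tree_add_item rather than a field-specific report. Consider threading the handshake body length through (the prototype in the packet-ssl-utils.h hunk further down this line and the call in packet-ssl.c would change with it) and flagging `length != 1`. The function also has no header comment; `/* Dissect the TLS 1.3 KeyUpdate handshake body: a single request_update byte at offset. */` above it would match the file's other dissect helpers.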
@@ -782,8 +784,9 @@ typedef struct ssl_common_dissect {
 gint hs_ext_draft_version_tls13;
 gint hs_ext_psk_ke_modes_len;
 gint hs_ext_psk_ke_mode;
- gint hs_certificate_request_context;
 gint hs_certificate_request_context_length;
+ gint hs_certificate_request_context;
+ gint hs_key_update_request_update;
 
 /* do not forget to update SSL_COMMON_LIST_T and SSL_COMMON_HF_LIST! */
 } hf;
@@ -952,6 +955,10 @@ ssl_dissect_hnd_srv_keyex(ssl_common_dissect_t *hf, tvbuff_t *tvb,
 proto_tree *tree, guint32 offset, guint32 length,
 const SslSession *session);
 
+extern void
+tls13_dissect_hnd_key_update(ssl_common_dissect_t *hf, tvbuff_t *tvb,
+ proto_tree *tree, guint32 offset);
+
 /* {{{ */
 #define SSL_COMMON_LIST_T(name) \
 ssl_common_dissect_t name = { \
@@ -963,7 +970,7 @@ ssl_common_dissect_t name = { \
 -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, \
 -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, \
 -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, \
- -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, \
+ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, \
 }, \
 /* ett */ { \
 -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, \
@@ -1588,6 +1595,11 @@ ssl_common_dissect_t name = { \
 { "Certificate Request Context", prefix ".handshake.certificate_request_context", \
 FT_BYTES, BASE_NONE, NULL, 0x0, \
 "Value from CertificateRequest or empty for server auth", HFILL } \
+ }, \
+ { & name .hf.hs_key_update_request_update, \
+ { "Key Update Request", prefix ".handshake.key_update.request_update", \
+ FT_UINT8, BASE_DEC, VALS(tls13_key_update_request), 0x00, \
+ "Whether the receiver should also update its keys", HFILL } \
 }
 /* }}} */

diff --git a/epan/dissectors/packet-ssl.c b/epan/dissectors/packet-ssl.c
index 12a1cacacd..2157ae1492 100644
--- a/epan/dissectors/packet-ssl.c
+++ b/epan/dissectors/packet-ssl.c
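Review bot: The new hf entry in the SSL_COMMON_HF_LIST hunk writes its bitmask as `0x00` while the Certificate Request Context entry directly above it uses `0x0`; use `0x0` so the two adjacent entries read alike. The macro this entry belongs to starts and ends outside the hunk. Separately, the first hunk on this line swaps the order of hs_certificate_request_context and hs_certificate_request_context_length, which the commit message does not mention; a short comment on why (presumably to line the struct members up with the order used in the HF list) would help whoever next maintains the positional -1 initializer a few hunks below.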
@@ -2188,6 +2188,10 @@ dissect_ssl3_handshake(tvbuff_t *tvb, packet_info *pinfo,
 /* TODO: dissect this? */
 break;
 
+ case SSL_HND_KEY_UPDATE:
+ tls13_dissect_hnd_key_update(&dissect_ssl3_hf, tvb, tree, offset);
+ break;
+
 case SSL_HND_ENCRYPTED_EXTS:
 dissect_ssl3_hnd_encrypted_exts(tvb, ssl_hand_tree, offset);
 break;
-- 
cgit v1.2.1
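Review bot: The new SSL_HND_KEY_UPDATE case passes `tree` to tls13_dissect_hnd_key_update while the SSL_HND_ENCRYPTED_EXTS case right below it passes `ssl_hand_tree`, so the Key Update Request field presumably lands one level above the other handshake-body fields in the protocol tree. If that is not intended, the call should be `tls13_dissect_hnd_key_update(&dissect_ssl3_hf, tvb, ssl_hand_tree, offset);`. dissect_ssl3_handshake continues on both sides of the hunk, so the relationship between `tree` and `ssl_hand_tree` is not visible here and should be confirmed against the function's prologue.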