From 380e87ebf19c2ecbcd6dfcc977d70b5971559446 Mon Sep 17 00:00:00 2001 From: Peter Wu Date: Tue, 20 Sep 2016 21:26:43 +0200 Subject: [WIP] ssl: add AEAD auth tag validation [rv2] TODO - pull AEAD init/check outside function (for re-use with TLS1.3?) - fix sequence number for nonce, need to check what is wrong - more testing (+ extend test suite)? CCM seems to work. GCM auth check seems still broken. - test with older libgcrypt versions (currently tested with 1.7.6). Change-Id: I94dd2fd70e1281d85c954abfe523f7483d9ac68b
---
 epan/dissectors/packet-dtls.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) (limited to 'epan/dissectors/packet-dtls.c')
diff --git a/epan/dissectors/packet-dtls.c b/epan/dissectors/packet-dtls.c
index 0ac6a94340..dd8905c968 100644
--- a/epan/dissectors/packet-dtls.c
+++ b/epan/dissectors/packet-dtls.c
@@ -568,8 +568,8 @@ dtls_is_null_cipher(guint cipher )
 }

 static gboolean
-decrypt_dtls_record(tvbuff_t *tvb, packet_info *pinfo, guint32 offset,
- guint32 record_length, guint8 content_type, SslDecryptSession* ssl,
+decrypt_dtls_record(tvbuff_t *tvb, packet_info *pinfo, guint32 offset, SslDecryptSession *ssl,
+ guint8 content_type, guint16 record_version, guint16 record_length,
 gboolean allow_fragments)
 {
 gboolean success;
@@ -618,7 +618,8 @@ decrypt_dtls_record(tvbuff_t *tvb, packet_info *pinfo, guint32 offset,
 ssl_debug_printf("decrypt_dtls_record: no decoder available\n");
 return FALSE;
 }
- success = ssl_decrypt_record(ssl, decoder, content_type, tvb_get_ptr(tvb, offset, record_length), record_length,
+ success = ssl_decrypt_record(ssl, decoder, content_type, record_version,
+ tvb_get_ptr(tvb, offset, record_length), record_length,
 &dtls_compressed_data, &dtls_decrypted_data, &dtls_decrypted_data_avail) == 0;
 }
 else if (dtls_is_null_cipher(ssl->session.cipher)) {
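Review bot: The new signature of `decrypt_dtls_record` narrows `record_length` from `guint32` to `guint16` and places it directly after the new `guint16 record_version`, so a swapped or wider argument would compile without a diagnostic. The one caller on this page passes `version, record_length` in that order, but the types of those locals are declared outside the hunks, so it is worth confirming that neither is wider than 16 bits. The function has no header comment; I would add one along the lines of `/* record_version and record_length are taken from the DTLS record header (TODO confirm); record_length also bounds the tvb_get_ptr() read. */`. The function body continues past the end of this hunk.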
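Review bot: In the second hunk the call to `ssl_decrypt_record()` gains only `record_version`, while a DTLS AEAD check also depends on the record's epoch and sequence number, which are not passed here. Presumably they come from state held in `decoder` that is set outside the lines shown. The commit message says the nonce sequence number is still wrong and the GCM check is still broken, so a comment at this call would help the next reader: `/* epoch and sequence number for the AEAD nonce/AAD come from decoder state (TODO: confirm where it is set) */`. It should also be documented that a non-zero return can now mean a tag mismatch, so `dtls_decrypted_data` must not be consumed when `success` is FALSE. The enclosing function starts and ends outside this hunk.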
@@ -794,7 +795,7 @@ dissect_dtls_record(tvbuff_t *tvb, packet_info *pinfo,
 /* try to decrypt record on the first pass, if possible. Store decrypted
 * record for later usage (without having to decrypt again). */
 if (ssl) {
- decrypt_dtls_record(tvb, pinfo, offset, record_length, content_type, ssl,
+ decrypt_dtls_record(tvb, pinfo, offset, ssl, content_type, version, record_length,
 content_type == SSL_ID_APP_DATA || content_type == SSL_ID_HANDSHAKE);
 }
 decrypted = ssl_get_record_info(tvb, proto_dtls, pinfo, tvb_raw_offset(tvb)+offset, &record);
-- cgit v1.2.1
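Review bot: The return value of `decrypt_dtls_record()` is discarded at this call in `dissect_dtls_record`, so once decryption can fail on an AEAD tag mismatch there is no indication of why no decrypted record was stored. I would at least log the failure, keeping the argument list as in the hunk: `if (!decrypt_dtls_record(...)) ssl_debug_printf("dissect_dtls_record: decryption or tag check failed\n");`. The declaration of `version` is outside the hunk, so confirm it holds the version field of this record's header rather than a negotiated session version, since the tag is presumably computed over the former. The enclosing function starts and ends outside this hunk.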