author Peter Wu <peter@lekensteyn.nl> 2017-11-23 01:55:27 +0000
committer Anders Broman <a.broman58@gmail.com> 2017-11-23 05:37:29 +0000
commit d790c524b41907ebaa0f29afec19ee6913173129
parent b4419eacce6d76f0e854280f8c20d4849ba2c067
TLS: fix decryption with EMS and client auth
When extended_master_secret is enabled with client authentication, decryption using an RSA private key file would fail because the wrong master secret is derived. This happens due to an excess CertificateVerify message in the handshake hash.

Bug: 14243
Change-Id: I02f8302ac4a85422f7df52a234bdddfcb5fe3307
Reviewed-on: https://code.wireshark.org/review/24543
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
1 files changed, 7 insertions, 1 deletions
diff --git a/epan/dissectors/packet-ssl.c b/epan/dissectors/packet-ssl.c
index 6c17bd2..1b85132 100644
--- a/epan/dissectors/packet-ssl.c
+++ b/epan/dissectors/packet-ssl.c
@@ -2133,8 +2133,14 @@ dissect_ssl3_handshake(tvbuff_t *tvb, packet_info *pinfo,
* Add handshake message (including type, length, etc.) to hash (for
* Extended Master Secret).
+ * Hash ClientHello up to and including ClientKeyExchange. As the
+ * premaster secret is looked up during ChangeCipherSpec processing (an
+ * implementation detail), we must skip the CertificateVerify message
+ * which can appear between CKE and CCS when mutual auth is enabled.
- ssl_calculate_handshake_hash(ssl, tvb, hs_offset, 4 + length);
+ if (msg_type != SSL_HND_CERT_VERIFY) {
+ ssl_calculate_handshake_hash(ssl, tvb, hs_offset, 4 + length);
+ }
/* now dissect the handshake message, if necessary */
switch ((HandshakeType) msg_type) {
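Review bot: The new condition `msg_type != SSL_HND_CERT_VERIFY` filters by message type alone, while the comment above it states the goal as hashing ClientHello up to and including ClientKeyExchange. Any other handshake message that reaches this call after ClientKeyExchange would still be added to the hash, and a CertificateVerify is skipped wherever it appears in the handshake. Consider bounding the hash by handshake position instead, for example with a per-session flag set once ClientKeyExchange has been hashed, so the check matches the stated boundary rather than the ChangeCipherSpec lookup order that the comment itself calls an implementation detail. If the type check stays, the comment should say explicitly that it relies on CertificateVerify being the only message expected between CKE and CCS.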