author | Peter Wu <peter@lekensteyn.nl> | 2017-10-17 00:23:28 +0100 |
---|---|---|
committer | Peter Wu <peter@lekensteyn.nl> | 2017-10-17 00:28:44 +0000 |
commit | b5505fd4512456f85188a81e9b6478ecce65504b (patch) | |
tree | e8357042b638cca5bd0bb6d0d9b4f8d0e59568e7 /epan | |
parent | 46f4664b29a685a43dd5dd4c18b60e8bc1a5c34f (diff) |
ssl: regression fix for decryption with renegotiation
A renegotiated session with decrypted records has !maybe_encrypted which
means that the plaintext buffer is passed to dissect_ssl3_handshake. Do
not assume that this plaintext buffer might be encrypted; it is
definitely not the case.
Change-Id: I2ce9a5305e5cbc24b5c7e93077f7e796bf8cb406
Fixes: v2.5.0rc0-1314-g9d189c7e20 ("ssl: assume everything after CCS is encrypted")
Ping-Bug: 14117
Reviewed-on: https://code.wireshark.org/review/23948
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Diffstat (limited to 'epan')
-rw-r--r-- | epan/dissectors/packet-ssl.c | 18 |
1 files changed, 9 insertions, 9 deletions
diff --git a/epan/dissectors/packet-ssl.c b/epan/dissectors/packet-ssl.c index 87983e843e..2aa2f015ba 100644 --- a/epan/dissectors/packet-ssl.c +++ b/epan/dissectors/packet-ssl.c @@ -2036,15 +2036,15 @@ dissect_ssl3_handshake(tvbuff_t *tvb, packet_info *pinfo, */ if (maybe_encrypted) { maybe_encrypted = tvb_bytes_exist(tvb, offset, 5) && tvb_get_ntoh40(tvb, offset) == 0; - } - /* - * Everything after the ChangeCipherSpec message is encrypted. - * TODO handle Finished message after CCS in the same frame and remove the - * above nonce-based heuristic. - */ - if (!maybe_encrypted) { - guint32 ccs_frame = is_from_server ? session->server_ccs_frame : session->client_ccs_frame; - maybe_encrypted = ccs_frame != 0 && pinfo->num > ccs_frame; + /* + * Everything after the ChangeCipherSpec message is encrypted. + * TODO handle Finished message after CCS in the same frame and remove the + * above nonce-based heuristic. + */ + if (!maybe_encrypted) { + guint32 ccs_frame = is_from_server ? session->server_ccs_frame : session->client_ccs_frame; + maybe_encrypted = ccs_frame != 0 && pinfo->num > ccs_frame; + } } /* just as there can be multiple records per packet, there |
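Review bot: In the relocated block of dissect_ssl3_handshake, the inner `if (!maybe_encrypted)` now sits inside `if (maybe_encrypted)`, and it is only reachable because the nonce heuristic on the line above reassigns the same variable in between. That reads like dead code at first glance, and a later cleanup could easily remove it. Consider keeping the caller's value and the heuristic result in separate locals, or at least extending the moved comment to say that the ChangeCipherSpec frame check applies only when the caller has not already handed in decrypted plaintext, since "Everything after the ChangeCipherSpec message is encrypted" is no longer true unconditionally at this point in the function. The comparison `pinfo->num > ccs_frame` also still treats a Finished message in the same frame as the ChangeCipherSpec as unencrypted, as the retained TODO notes, so the zero-nonce heuristic remains the only signal for that case.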