ssl: regression fix for decryption with renegotiation

A renegotiated session with decrypted records has !maybe_encrypted which
means that the plaintext buffer is passed to dissect_ssl3_handshake. Do
not assume that this plaintext buffer might be encrypted, it is
definitely not the case.

Change-Id: I2ce9a5305e5cbc24b5c7e93077f7e796bf8cb406
Fixes: v2.5.0rc0-1314-g9d189c7e20 ("ssl: assume everything after CCS is encrypted")
Ping-Bug: 14117
Reviewed-on: https://code.wireshark.org/review/23948
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Peter Wu <peter@lekensteyn.nl>

1 files changed, 9 insertions, 9 deletions

diff --git a/epan/dissectors/packet-ssl.c b/epan/dissectors/packet-ssl.c
index 87983e843e..2aa2f015ba 100644
--- a/epan/dissectors/packet-ssl.c
+++ b/epan/dissectors/packet-ssl.c
@@ -2036,15 +2036,15 @@ dissect_ssl3_handshake(tvbuff_t *tvb, packet_info *pinfo,
      */
     if (maybe_encrypted) {
         maybe_encrypted = tvb_bytes_exist(tvb, offset, 5) && tvb_get_ntoh40(tvb, offset) == 0;
-    }
-    /*
-     * Everything after the ChangeCipherSpec message is encrypted.
-     * TODO handle Finished message after CCS in the same frame and remove the
-     * above nonce-based heuristic.
-     */
-    if (!maybe_encrypted) {
-        guint32 ccs_frame = is_from_server ? session->server_ccs_frame : session->client_ccs_frame;
-        maybe_encrypted = ccs_frame != 0 && pinfo->num > ccs_frame;
+        /*
+         * Everything after the ChangeCipherSpec message is encrypted.
+         * TODO handle Finished message after CCS in the same frame and remove the
+         * above nonce-based heuristic.
+         */
+        if (!maybe_encrypted) {
+            guint32 ccs_frame = is_from_server ? session->server_ccs_frame : session->client_ccs_frame;
+            maybe_encrypted = ccs_frame != 0 && pinfo->num > ccs_frame;
+        }
     }
 
     /* just as there can be multiple records per packet, there