author | Peter Wu <peter@lekensteyn.nl> | 2014-04-14 13:28:37 +0200 |
---|---|---|
committer | Evan Huus <eapache@gmail.com> | 2014-04-17 12:05:17 +0000 |
commit | ce468653dab1fc470179ad25c95d12a3889905d7 (patch) | |
tree | 84710d327af7a195092609831bc8882a73c25fca | |
parent | 5201d177863521fada5e5ad91e5e2fdf245e6879 (diff) |
ssl: Detect unencrypted heartbeat messages
Records are always unencrypted before the ChangeCipherSpec message. This
patch assumes that conversations without a SSL decoder (i.e. before
calling ssl_change_cipher) are unencrypted. If it turns out that the
contents were encrypted anyway, then there is about a 0.8% probability
that the heartbeat message is recognized incorrectly
(dissect_ssl3_heartbeat checks if the first byte equals 1 (request) or 2
(response)). Not a big deal, and the advantage that the heartbleed
expert information is triggered outweighs that possible mistake.
(Note that ssl_set_master_secret as called by external code will also
invoke ssl_change_cipher, but that should be caught by the if
condition in the line before this hunk.)
An example capture is available at:
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9988
Change-Id: I5b14d9e7e8e0c1cd358f3b05c9b84fca1daf1d69
Reviewed-on: https://code.wireshark.org/review/1102
Reviewed-by: Evan Huus <eapache@gmail.com>
-rw-r--r-- | epan/dissectors/packet-ssl.c | 11 |
1 files changed, 10 insertions, 1 deletions
diff --git a/epan/dissectors/packet-ssl.c b/epan/dissectors/packet-ssl.c
index 4a8ba03933..483bd4af1c 100644
--- a/epan/dissectors/packet-ssl.c
+++ b/epan/dissectors/packet-ssl.c
@@ -1768,7 +1768,16 @@ dissect_ssl3_record(tvbuff_t *tvb, packet_info *pinfo,
 add_new_data_source(pinfo, decrypted, "Decrypted SSL record");
 dissect_ssl3_heartbeat(decrypted, pinfo, ssl_record_tree, 0, conv_version, tvb_length (decrypted), TRUE);
 } else {
- dissect_ssl3_heartbeat(tvb, pinfo, ssl_record_tree, offset, conv_version, record_length, FALSE);
+ gboolean plaintext = TRUE;
+ /* heartbeats before ChangeCipherSpec are unencrypted */
+ if (ssl) {
+ if (ssl_packet_from_server(ssl, ssl_associations, pinfo)) {
+ plaintext = ssl->server == NULL;
+ } else {
+ plaintext = ssl->client == NULL;
+ }
+ }
+ dissect_ssl3_heartbeat(tvb, pinfo, ssl_record_tree, offset, conv_version, record_length, plaintext);
 }
 break;
 } |
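Review bot: The comment above the new `if (ssl)` block states the protocol rule but not the heuristic the code actually applies: `plaintext` stays TRUE whenever `ssl` is NULL or the decoder for this direction (`ssl->server` / `ssl->client`) is NULL, and nothing here checks whether a ChangeCipherSpec was seen. If a record is encrypted and no decoder was ever set up for it, it would be parsed as a plaintext heartbeat, so the Heartbleed expert info that depends on this flag can be raised on bytes that are really ciphertext. I would spell that out where the flag is computed, e.g. `/* No decoder for this direction is taken to mean "before ChangeCipherSpec"; an encrypted record without a decoder is then parsed as plaintext and may be misreported. */`. The body of dissect_ssl3_record starts and ends outside this hunk, so whether `ssl` can be NULL at this point is not visible.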