author | Guy Harris <guy@alum.mit.edu> | 2019-02-19 01:01:48 -0800 |
---|---|---|
committer | Guy Harris <guy@alum.mit.edu> | 2019-02-19 09:57:52 +0000 |
commit | 28f49a0a9a9956c23a632f9f0ae4596544894d34 (patch) | |
tree | d621e0ae96427983f96911f78c51d42af70f0569 | |
parent | 3b8bf168e63e3acc534e098bc121e1c91d7d0b7f (diff) |
Add --discard-all-secrets to remove decryption secrets.
Bug: 15435
Change-Id: I78503c9c31ab3eda39908b91dca3ef3fb9af34bf
Reviewed-on: https://code.wireshark.org/review/32100
Petri-Dish: Guy Harris <guy@alum.mit.edu>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <guy@alum.mit.edu>
-rw-r--r-- | doc/editcap.pod | 7 | ||||
-rw-r--r-- | editcap.c | 28 | ||||
-rw-r--r-- | wiretap/file_access.c | 22 | ||||
-rw-r--r-- | wiretap/wtap.c | 7 | ||||
-rw-r--r-- | wiretap/wtap.h | 12 |
5 files changed, 76 insertions, 0 deletions
diff --git a/doc/editcap.pod b/doc/editcap.pod index 58a64b2d3d..5c6c7ac8e0 100644 --- a/doc/editcap.pod +++ b/doc/editcap.pod @@ -29,6 +29,7 @@ S<[ B<-t> E<lt>time adjustmentE<gt> ]> S<[ B<-T> E<lt>encapsulation typeE<gt> ]> S<[ B<-v> ]> S<[ B<--inject-secrets> E<lt>secrets typeE<gt>,E<lt>fileE<gt> ]> +S<[ B<--discard-all-secrets> ]> I<infile> I<outfile> S<[ I<packet#>[-I<packet#>] ... ]> @@ -349,6 +350,12 @@ I<tls> TLS Key Log as described at L<https://developer.mozilla.org/NSS_Key_Log_F This option may be specified multiple times. The available options for E<lt>secrets typeE<gt> can be listed with B<--inject-secrets help>. +=item --discard-all-secrets + +Discard all decryption secrets from the input file when writing the +output file. Does not discard secrets added by B<--inject-secrets> in +the same command line. + =back =head1 EXAMPLES @@ -170,6 +170,7 @@ static gboolean rem_vlan = FALSE; static gboolean dup_detect = FALSE; static gboolean dup_detect_by_time = FALSE; static gboolean skip_radiotap = FALSE; +static gboolean remove_all_secrets = FALSE; static int do_strict_time_adjustment = FALSE; static struct time_adjustment strict_time_adj = {NSTIME_INIT_ZERO, 0}; /* strict time adjustment */ @@ -837,6 +838,10 @@ print_usage(FILE *output) fprintf(output, " list the encapsulation types.\n"); fprintf(output, " --inject-secrets <type>,<file> Insert decryption secrets from <file>. List\n"); fprintf(output, " supported secret types with \"--inject-secrets help\".\n"); + fprintf(output, " --discard-all-secrets Discard all decryption secrets from the input file\n"); + fprintf(output, " when writing the output file. Does not discard\n"); + fprintf(output, " secrets added by \"--inject-secrets\" in the same\n"); + fprintf(output, " command line.\n"); fprintf(output, "\n"); fprintf(output, "Miscellaneous:\n"); fprintf(output, " -h display this help and exit.\n"); 
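Review bot: The new flag `remove_all_secrets` in the editcap.c globals hunk (-170) uses a different verb from the option it backs (`--discard-all-secrets`) and from the two wiretap calls it gates (`wtap_dump_params_discard_decryption_secrets`, `wtap_dump_discard_decryption_secrets`); `static gboolean discard_all_secrets = FALSE;` would keep one name throughout, with the matching rename in the option-parsing and main() hunks on the next physical line. That declaration is also the natural place to say what the flag means, since the pod text lives in another file; a one-liner such as `/* --discard-all-secrets: do not copy DSBs read from the input file to the output */` would do. The print_usage hunk (-837) is fine as written and mirrors the `--inject-secrets` lines above it.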
@@ -1013,11 +1018,13 @@ main(int argc, char *argv[]) #define LONGOPT_SKIP_RADIOTAP_HEADER 0x8101 #define LONGOPT_SEED 0x8102 #define LONGOPT_INJECT_SECRETS 0x8103 +#define LONGOPT_DISCARD_ALL_SECRETS 0x8104 static const struct option long_options[] = { {"novlan", no_argument, NULL, LONGOPT_NO_VLAN}, {"skip-radiotap-header", no_argument, NULL, LONGOPT_SKIP_RADIOTAP_HEADER}, {"seed", required_argument, NULL, LONGOPT_SEED}, {"inject-secrets", required_argument, NULL, LONGOPT_INJECT_SECRETS}, + {"discard-all-secrets", no_argument, NULL, LONGOPT_DISCARD_ALL_SECRETS}, {"help", no_argument, NULL, 'h'}, {"version", no_argument, NULL, 'V'}, {0, 0, 0, 0 } @@ -1149,6 +1156,12 @@ main(int argc, char *argv[]) break; } + case LONGOPT_DISCARD_ALL_SECRETS: + { + remove_all_secrets = TRUE; + break; + } + case 'a': { guint frame_number; @@ -1469,6 +1482,13 @@ main(int argc, char *argv[]) wtap_dump_params_init(¶ms, wth); + /* + * Discard any secrets we read in while opening the file. + */ + if (remove_all_secrets) { + wtap_dump_params_discard_decryption_secrets(¶ms); + } + if (dsb_filenames) { for (guint k = 0; k < dsb_filenames->len; k++) { guint32 secrets_type_id = g_array_index(dsb_types, guint32, k); @@ -1982,6 +2002,14 @@ main(int argc, char *argv[]) } } + if (remove_all_secrets) { + /* + * Discard any secrets we've read since the last packet + * we wrote. + */ + wtap_dump_discard_decryption_secrets(pdh); + } + /* Attempt to dump out current frame to the output file */ if (!wtap_dump(pdh, rec, buf, &write_err, &write_err_info)) { cfile_write_failure_message("editcap", argv[optind], diff --git a/wiretap/file_access.c b/wiretap/file_access.c index 803dac8d0b..b1022a25fe 100644 --- a/wiretap/file_access.c +++ b/wiretap/file_access.c 
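Review bot: The discard is performed twice under the same flag — on `params` before the dumper is opened (hunk at -1469) and on `pdh` before every `wtap_dump` (hunk at -1982) — and neither comment says why both are needed. The wtap.c hunk on the next line shows the params call setting `dsbs_growing` to NULL, and the file_access.c hunk shows the per-packet call doing nothing when `wdh->dsbs_growing` is NULL, so whether the second call ever has an effect depends on how the dumper obtains its growing array, which is not visible here; the comment at the second site should state that dependency, e.g. `/* params discard only covers DSBs read before open; the dumper still shares the reader's growing array, so mark anything appended since as written. */`, or the call should be dropped if the first one suffices. The -1469 hunk also nulls `params.dsbs_initial` just before the `--inject-secrets` loop, whose body is outside the hunk; that loop has to allocate a fresh array when it finds NULL, or the injected secrets the docs promise to keep are silently lost. main() begins and ends outside these hunks.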
@@ -2718,6 +2718,28 @@ wtap_dump_set_addrinfo_list(wtap_dumper *wdh, addrinfo_lists_t *addrinfo_lists) return TRUE; } +void +wtap_dump_discard_decryption_secrets(wtap_dumper *wdh) +{ + /* + * This doesn't free the data, as it might be pointed to + * from other structures; it merely marks all of them as + * having been written to the file, so that they don't + * get written by wtap_dump(). + * + * XXX - our APIs for dealing with some metadata, such as + * resolved names, decryption secrets, and interface + * statistics is not very well oriented towards one-pass + * programs; this needs to be cleaned up. See bug 15502. + */ + if (wdh->dsbs_growing) { + /* + * Pretend we've written all of them. + */ + wdh->dsbs_growing_written = wdh->dsbs_growing->len; + } +} + gboolean wtap_dump_get_needs_reload(wtap_dumper *wdh) { return wdh->needs_reload; } diff --git a/wiretap/wtap.c b/wiretap/wtap.c index fb77a4b23e..0614656302 100644 --- a/wiretap/wtap.c +++ b/wiretap/wtap.c @@ -328,6 +328,13 @@ wtap_dump_params_init(wtap_dump_params *params, wtap *wth) } void +wtap_dump_params_discard_decryption_secrets(wtap_dump_params *params) +{ + params->dsbs_initial = NULL; + params->dsbs_growing = NULL; +} + +void wtap_dump_params_cleanup(wtap_dump_params *params) { wtap_block_array_free(params->shb_hdrs); diff --git a/wiretap/wtap.h b/wiretap/wtap.h index 4e2eb7c4f3..3833a82379 100644 --- a/wiretap/wtap.h +++ b/wiretap/wtap.h @@ -1998,6 +1998,16 @@ WS_DLL_PUBLIC void wtap_dump_params_init(wtap_dump_params *params, wtap *wth); /** + * Remove any decryption secret information from the per-file information; + * used if we're stripping decryption secrets as we write the file. + * + * @param params The parameters for wtap_dump_* from which to remove the + * decryption secrets.. + */ +WS_DLL_PUBLIC +void wtap_dump_params_discard_decryption_secrets(wtap_dump_params *params); + +/** * Free memory associated with the wtap_dump_params when it is no longer in * use by wtap_dumper. * 
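Review bot: `wtap_dump_params_discard_decryption_secrets` in the wtap.c hunk drops `dsbs_initial` and `dsbs_growing` without freeing them, while `wtap_dump_params_cleanup` immediately below frees `shb_hdrs`; the Doxygen block in the wtap.h hunk should state that these arrays are presumably borrowed from the reader (the `wtap_dump_params_init(params, wth)` context suggests so) and therefore must not be freed here, otherwise the next reader will suspect a leak. That same wtap.h comment ends with a doubled period, `decryption secrets..`. In the file_access.c hunk, `wtap_dump_discard_decryption_secrets` only advances `dsbs_growing_written`; the remark that it "doesn't free the data" is the right caveat, but since the function is public it is worth making explicit that the secrets stay in memory and in the input file and that only the output file omits them, so callers do not read "discard" as "erase".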
@@ -2083,6 +2093,8 @@ WS_DLL_PUBLIC gboolean wtap_dump_set_addrinfo_list(wtap_dumper *wdh, addrinfo_lists_t *addrinfo_lists); WS_DLL_PUBLIC gboolean wtap_dump_get_needs_reload(wtap_dumper *wdh); +WS_DLL_PUBLIC +void wtap_dump_discard_decryption_secrets(wtap_dumper *wdh); /** * Closes open file handles and frees memory associated with wdh. Note that |
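Review bot: The new `wtap_dump_discard_decryption_secrets` declaration has no Doxygen comment, unlike its sibling `wtap_dump_params_discard_decryption_secrets` added in the previous hunk with a `/** ... */` block. A comment stating that it marks every not-yet-written DSB held by the dumper as written so `wtap_dump()` skips them, that it neither frees nor wipes the secret data, and that DSBs already flushed to the file cannot be recalled, plus a `@param wdh` line in the style of the neighbouring entries, would match the header's conventions. The enclosing declaration list continues outside the hunk.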