| author | Peter Wu <peter@lekensteyn.nl> | 2017-11-24 00:03:53 +0000 |
|---|---|---|
| committer | Anders Broman <a.broman58@gmail.com> | 2017-11-24 05:22:12 +0000 |
| commit | 0074855364047c362c6161ddd68cb206c221c893 (patch) | |
| tree | 89b914f25d4e8a0932ac4663d7818b543ce11636 | |
| parent | 9ac02f18c981c175be83b41bded7462aef128a3d (diff) | |
DTLS: fix decryption with EMS and client auth
Similar to the TLS fix in v2.5.0rc0-1805-gd790c524b4, ensure that the
correct master secret is calculated when extended_master_secret is
enabled with client auth and a decrypted RSA premaster secret.
Bug: 14243
Change-Id: I3d8cecef0f0cc3ec73537053489adc2d0d45c947
Reviewed-on: https://code.wireshark.org/review/24564
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
-rw-r--r-- | epan/dissectors/packet-dtls.c | 38 |
1 files changed, 22 insertions, 16 deletions
diff --git a/epan/dissectors/packet-dtls.c b/epan/dissectors/packet-dtls.c index 1e2b5a35ff..2a3dd7b612 100644 --- a/epan/dissectors/packet-dtls.c +++ b/epan/dissectors/packet-dtls.c 
@@ -1255,23 +1255,29 @@ dissect_dtls_handshake(tvbuff_t *tvb, packet_info *pinfo, * Add handshake message (including type, length, etc.) to hash (for * Extended Master Secret). The computation must however happen as if * the message was sent in a single fragment (RFC 6347, section 4.2.6). + * + * Skip CertificateVerify since the handshake hash covers just + * ClientHello up to and including ClientKeyExchange, but the keys are + * actually retrieved in ChangeCipherSpec (which comes after that). */ - if (fragment_offset == 0) { - /* Unfragmented packet. */ - ssl_calculate_handshake_hash(ssl, tvb, hs_offset, 12 + fragment_length); - } else { - /* - * Handshake message was fragmented over multiple messages, fake a - * single fragment and add reassembled data. - */ - /* msg_type (1), length (3), message_seq (2) */ - ssl_calculate_handshake_hash(ssl, tvb, hs_offset, 6); - /* fragment_offset (3) equals to zero. */ - ssl_calculate_handshake_hash(ssl, NULL, 0, 3); - /* fragment_length (3) equals to length. */ - ssl_calculate_handshake_hash(ssl, tvb, hs_offset + 1, 3); - /* actual handshake data */ - ssl_calculate_handshake_hash(ssl, sub_tvb, 0, length); + if (msg_type != SSL_HND_CERT_VERIFY) { + if (fragment_offset == 0) { + /* Unfragmented packet. */ + ssl_calculate_handshake_hash(ssl, tvb, hs_offset, 12 + fragment_length); + } else { + /* + * Handshake message was fragmented over multiple messages, fake a + * single fragment and add reassembled data. + */ + /* msg_type (1), length (3), message_seq (2) */ + ssl_calculate_handshake_hash(ssl, tvb, hs_offset, 6); + /* fragment_offset (3) equals to zero. */ + ssl_calculate_handshake_hash(ssl, NULL, 0, 3); + /* fragment_length (3) equals to length. */ + ssl_calculate_handshake_hash(ssl, tvb, hs_offset + 1, 3); + /* actual handshake data */ + ssl_calculate_handshake_hash(ssl, sub_tvb, 0, length); + } } /* now dissect the handshake message, if necessary */ |
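Review bot: the new guard `+ if (msg_type != SSL_HND_CERT_VERIFY) {` is the only functional change in this hunk, but the added comment explains why CertificateVerify is skipped without saying why it is the only message that needs skipping; since the reasoning rests on CertificateVerify being the one handshake message that can sit between ClientKeyExchange and ChangeCipherSpec (where the keys are actually retrieved), stating that explicitly, and pointing at the TLS counterpart named in the commit message (d790c524b4), would keep the DTLS and TLS dissectors from drifting apart the next time one of them is touched. As a style point, wrapping the whole existing block one level deeper turns a one-line fix into a hunk that is mostly re-indentation; an early `if (msg_type == SSL_HND_CERT_VERIFY)` with a short comment, or a boolean such as `add_to_hash` computed before the existing `if (fragment_offset == 0)` branch, would leave the fragmented and unfragmented hashing paths untouched and make the behavioural change obvious in `git blame`.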