author | Peter Wu <peter@lekensteyn.nl> | 2019-02-05 13:40:23 +0100 |
---|---|---|
committer | Peter Wu <peter@lekensteyn.nl> | 2019-02-05 15:36:40 +0000 |
commit | 53b55bfb5f775dad6c434bb5b18e260d79b0104d (patch) | |
tree | cd3e26894d7b2799bf517667efce43965570684e /editcap.c | |
parent | af3c6115f2f57eba177fc33d2df7c00621cbd4c4 (diff) |
editcap: warn when --inject-secrets is given a RSA private key
While the documentation of "editcap --inject-secrets" mentions support
for key log files only, people might misinterpret that and assume
support for RSA private keys. This is explicitly not supported due to
the sensitivity of these files. In order to be helpful, print a warning.
Change-Id: Ia7b464c17f1dfb550729dd35775290ed28e14510
Reviewed-on: https://code.wireshark.org/review/31893
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Diffstat (limited to 'editcap.c')
-rw-r--r-- | editcap.c | 21 |
1 files changed, 21 insertions, 0 deletions
@@ -932,6 +932,24 @@ lookup_secrets_type(const char *type)
 return 0;
 }
+static void
+validate_secrets_file(const char *filename, guint32 secrets_type, const char *data)
+{
+ if (secrets_type == SECRETS_TYPE_TLS) {
+ /*
+ * A key log file is unlikely going to look like either:
+ * - a PEM-encoded private key file.
+ * - a BER-encoded PKCS #12 file ("PFX file"). (Look for a Constructed
+ * SEQUENCE tag, e.g. bytes 0x30 which happens to be ASCII '0'.)
+ */
+ if (g_str_has_prefix(data, "-----BEGIN ") || data[0] == 0x30) {
+ fprintf(stderr,
+ "editcap: Warning: \"%s\" is not a key log file, but an unsupported private key file. Decryption will not work.\n",
+ filename);
+ }
+ }
+}
+
 static int
 framenum_compare(gconstpointer a, gconstpointer b, gpointer user_data _U_)
 {
@@ -1474,6 +1492,9 @@ main(int argc, char *argv[])
 continue;
 }
+ /* Warn for badly formatted files, but proceed anyway. */
+ validate_secrets_file(secrets_filename, secrets_type_id, data);
+
 block = wtap_block_create(WTAP_BLOCK_DSB);
 dsb = (wtapng_dsb_mandatory_t *)wtap_block_get_mandatory_data(block);
 dsb->secrets_type = secrets_type_id; |
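Review bot: validate_secrets_file() has no header comment and takes no length, yet both checks (`g_str_has_prefix(data, "-----BEGIN ")` and `data[0] == 0x30`) read `data` as a C string, so it relies on the caller passing a non-NULL, NUL-terminated buffer. I would state that above the function, e.g. `/* Warn on stderr if a TLS secrets file looks like a PEM or DER private key; data must be non-NULL and NUL-terminated. Never rejects the file. */`. The name also suggests a verdict that the void return type cannot give, so a name such as `warn_if_private_key()` would describe it better.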
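Review bot: The new call in main() only warns and then falls through to `wtap_block_create(WTAP_BLOCK_DSB)`, so a file that was just recognised as a private key is presumably still placed in the output capture's secrets block, which is the outcome the commit message calls too sensitive to support. I would have validate_secrets_file() return a gboolean and skip such a file, e.g. `if (!validate_secrets_file(secrets_filename, secrets_type_id, data)) { g_free(data); continue; }` (releasing `data` only if main() owns it at that point). Failing that, the warning should at least say that the key material will be embedded in the output file, since captures are often shared. The rest of the DSB setup lies outside the hunk, so how `data` is stored should be confirmed there.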