diff options
author | Peter Wu <peter@lekensteyn.nl> | 2018-09-16 01:07:21 +0200 |
---|---|---|
committer | Alexis La Goutte <alexis.lagoutte@gmail.com> | 2018-09-17 08:14:32 +0000 |
commit | 2fd42045f5afb556a03d8a1090f3278c77798766 (patch) | |
tree | 6607c73ce45fcb1d4221c81c8e393256135e7ca1 /epan/dissectors/packet-ssl-utils.c | |
parent | 9de95b83f87e49a5d99085df1e8aa262f4fa2af1 (diff) |
QUIC: implement decryption using new traffic secrets (draft -13)
QUIC draft -12 and before used the TLS Exporter to derive the protected
payload secrets. Starting with draft -13, the handshake and 1-RTT
protected payloads use keys derived during the TLS 1.3 handshake (but
with the "quic " label for HKDF-Expand-Label instead of "tls13 ").
That unfortunately means that previous CLIENT_HANDSHAKE_TRAFFIC_SECRET,
SERVER_TRAFFIC_SECRET_0, etc. are unusable. As a quick workaround,
extend the key log format with new labels similar to the old one (but
with "QUIC_" prepended to it).
To match draft -13, rename the original "handshake cipher/secret" to
"initial cipher/secret" and add a new "handshake cipher".
Potential limitation: if the client/server addresses/ports change since
the Initial Packet, then a new TLS session is created in the TLS
dissector. Attempting to retrieve secrets after the change will fail
since the Client Random is empty and the secret cannot be linked.
Another more common limitation: (Certificate) handshake messages that
span multiple CRYPTO frames are not correctly recognized.
Change-Id: I2932c3cc851fae51e8becf859db53ccc5f4beeda
Ping-Bug: 13881
Reviewed-on: https://code.wireshark.org/review/29677
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Diffstat (limited to 'epan/dissectors/packet-ssl-utils.c')
-rw-r--r-- | epan/dissectors/packet-ssl-utils.c | 27 |
1 files changed, 27 insertions, 0 deletions
diff --git a/epan/dissectors/packet-ssl-utils.c b/epan/dissectors/packet-ssl-utils.c index 3cce6609e7..1c177d4b5b 100644 --- a/epan/dissectors/packet-ssl-utils.c +++ b/epan/dissectors/packet-ssl-utils.c @@ -4663,6 +4663,13 @@ ssl_common_init(ssl_master_key_map_t *mk_map, mk_map->tls13_exporter = g_hash_table_new(ssl_hash, ssl_equal); ssl_data_alloc(decrypted_data, 32); ssl_data_alloc(compressed_data, 32); + + /* QUIC keys. */ + mk_map->quic_client_early = g_hash_table_new(ssl_hash, ssl_equal); + mk_map->quic_client_handshake = g_hash_table_new(ssl_hash, ssl_equal); + mk_map->quic_server_handshake = g_hash_table_new(ssl_hash, ssl_equal); + mk_map->quic_client_appdata = g_hash_table_new(ssl_hash, ssl_equal); + mk_map->quic_server_appdata = g_hash_table_new(ssl_hash, ssl_equal); } void @@ -4685,6 +4692,13 @@ ssl_common_cleanup(ssl_master_key_map_t *mk_map, FILE **ssl_keylog_file, g_free(decrypted_data->data); g_free(compressed_data->data); + /* QUIC keys */ + g_hash_table_destroy(mk_map->quic_client_early); + g_hash_table_destroy(mk_map->quic_client_handshake); + g_hash_table_destroy(mk_map->quic_server_handshake); + g_hash_table_destroy(mk_map->quic_client_appdata); + g_hash_table_destroy(mk_map->quic_server_appdata); + /* close the previous keylog file now that the cache are cleared, this * allows the cache to be filled with the full keylog file contents. */ if (*ssl_keylog_file) { @@ -5108,6 +5122,13 @@ ssl_compile_keyfile_regex(void) "|SERVER_TRAFFIC_SECRET_0 (?<server_appdata>" OCTET "{32})" "|EARLY_EXPORTER_SECRET (?<early_exporter>" OCTET "{32})" "|EXPORTER_SECRET (?<exporter>" OCTET "{32})" + /* QUIC (draft >= -13) Client Random to Derived Secrets mapping. + * EXPERIMENTAL, subject to change based on QUIC changes! */ + "|QUIC_CLIENT_EARLY_TRAFFIC_SECRET (?<quic_client_early>" OCTET "{32})" + "|QUIC_CLIENT_HANDSHAKE_TRAFFIC_SECRET (?<quic_client_handshake>" OCTET "{32})" + "|QUIC_SERVER_HANDSHAKE_TRAFFIC_SECRET (?<quic_server_handshake>" OCTET "{32})" + "|QUIC_CLIENT_TRAFFIC_SECRET_0 (?<quic_client_appdata>" OCTET "{32})" + "|QUIC_SERVER_TRAFFIC_SECRET_0 (?<quic_server_appdata>" OCTET "{32})" ") (?<derived_secret>" OCTET "+)"; #undef OCTET static GRegex *regex = NULL; @@ -5172,6 +5193,12 @@ ssl_load_keyfile(const gchar *ssl_keylog_filename, FILE **keylog_file, { "server_appdata", mk_map->tls13_server_appdata }, { "early_exporter", mk_map->tls13_early_exporter }, { "exporter", mk_map->tls13_exporter }, + /* QUIC map from Client Random to derived secret. */ + { "quic_client_early", mk_map->quic_client_early }, + { "quic_client_handshake", mk_map->quic_client_handshake }, + { "quic_server_handshake", mk_map->quic_server_handshake }, + { "quic_client_appdata", mk_map->quic_client_appdata }, + { "quic_server_appdata", mk_map->quic_server_appdata }, }; /* no need to try if no key log file is configured. */ if (!ssl_keylog_filename || !*ssl_keylog_filename) { |