TLS: fix decryption with EMS and client auth

When extended_master_secret is enabled with client authentication,
decryption using an RSA private key file would fail because the wrong
master secret is derived. This happens due to an excess
CertificateVerify message in the handshake hash.

Bug: 14243
Change-Id: I02f8302ac4a85422f7df52a234bdddfcb5fe3307
Reviewed-on: https://code.wireshark.org/review/24543
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>

1 files changed, 7 insertions, 1 deletions

diff --git a/epan/dissectors/packet-ssl.c b/epan/dissectors/packet-ssl.c
index 6c17bd276e..1b8513278f 100644
--- a/epan/dissectors/packet-ssl.c
+++ b/epan/dissectors/packet-ssl.c
@@ -2133,8 +2133,14 @@ dissect_ssl3_handshake(tvbuff_t *tvb, packet_info *pinfo,
         /*
          * Add handshake message (including type, length, etc.) to hash (for
          * Extended Master Secret).
+         * Hash ClientHello up to and including ClientKeyExchange. As the
+         * premaster secret is looked up during ChangeCipherSpec processing (an
+         * implementation detail), we must skip the CertificateVerify message
+         * which can appear between CKE and CCS when mutual auth is enabled.
          */
-        ssl_calculate_handshake_hash(ssl, tvb, hs_offset, 4 + length);
+        if (msg_type != SSL_HND_CERT_VERIFY) {
+            ssl_calculate_handshake_hash(ssl, tvb, hs_offset, 4 + length);
+        }
 
         /* now dissect the handshake message, if necessary */
         switch ((HandshakeType) msg_type) {