authorPeter Wu <peter@lekensteyn.nl>2015-10-29 16:09:17 +0100
committerMichael Mann <mmann78@netscape.net>2015-10-29 18:49:26 +0000
commit07ceb2c6dc5167bc2fe8f1f000c3a3d64571396e (patch)
tree27a67e9dbc83e981eb5ec6d740b3da7b54aebcab /epan/dissectors
parent9ef04d04be98a19ad108c9807ed5893f6863bae9 (diff)
ssl-utils: add versions to ssl debug log
Add Wireshark/GnuTLS/Libgcrypt versions to the debug log file. Remove ssl_lib_init since it didn't do anything useful (the debug file was not open yet so it would write... nothing). Match more (EC)DH(E) cipher suites and try to improve the message. Add the human-readable name besides numeric cipher suite IDs. Change-Id: I84a33d270f91e90efc55371475b231b483fd24c9 Reviewed-on: https://code.wireshark.org/review/11403 Petri-Dish: Peter Wu <peter@lekensteyn.nl> Reviewed-by: Graham Bloice <graham.bloice@trihedral.com> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Michael Mann <mmann78@netscape.net>
Diffstat (limited to 'epan/dissectors')
-rw-r--r--epan/dissectors/packet-dtls.c1
-rw-r--r--epan/dissectors/packet-ssl-utils.c40
-rw-r--r--epan/dissectors/packet-ssl-utils.h5
-rw-r--r--epan/dissectors/packet-ssl.c1
4 files changed, 23 insertions, 24 deletions
diff --git a/epan/dissectors/packet-dtls.c b/epan/dissectors/packet-dtls.c
index 512c47d777..ce92f88ea5 100644
--- a/epan/dissectors/packet-dtls.c
+++ b/epan/dissectors/packet-dtls.c
@@ -1916,7 +1916,6 @@ proto_register_dtls(void)
register_init_routine(dtls_init);
register_cleanup_routine(dtls_cleanup);
- ssl_lib_init();
dtls_tap = register_tap("dtls");
ssl_debug_printf("proto_register_dtls: registered tap %s:%d\n",
"dtls", dtls_tap);
diff --git a/epan/dissectors/packet-ssl-utils.c b/epan/dissectors/packet-ssl-utils.c
index 487b31f304..40b043996e 100644
--- a/epan/dissectors/packet-ssl-utils.c
+++ b/epan/dissectors/packet-ssl-utils.c
@@ -44,6 +44,7 @@
#include <wsutil/str_util.h>
#include <wsutil/report_err.h>
#include <wsutil/pint.h>
+#include <wsutil/ws_version_info.h>
#include "packet-x509af.h"
#include "packet-x509if.h"
#include "packet-ssl-utils.h"
@@ -3184,14 +3185,14 @@ ssl_decrypt_pre_master_secret(SslDecryptSession*ssl_session,
if (!encrypted_pre_master)
return FALSE;
- if(ssl_session->cipher_suite.kex == KEX_DHE_DSS ||
- ssl_session->cipher_suite.kex == KEX_DHE_PSK ||
- ssl_session->cipher_suite.kex == KEX_DHE_RSA ||
- ssl_session->cipher_suite.kex == KEX_DH_ANON ||
- ssl_session->cipher_suite.kex == KEX_DH_DSS ||
- ssl_session->cipher_suite.kex == KEX_DH_RSA) {
- ssl_debug_printf("%s: session uses DH (%d) key exchange, which is "
- "impossible to decrypt\n", G_STRFUNC, ssl_session->cipher_suite.kex);
+
+ if (KEX_IS_DH(ssl_session->cipher_suite.kex)) {
+ ssl_debug_printf("%s: session uses Diffie-Hellman key exchange "
+ "(cipher suite 0x%04X %s) and cannot be decrypted "
+ "using a RSA private key file.\n",
+ G_STRFUNC, ssl_session->session.cipher,
+ val_to_str_ext_const(ssl_session->session.cipher,
+ &ssl_31_ciphersuite_ext, "unknown"));
return FALSE;
} else if(ssl_session->cipher_suite.kex != KEX_RSA) {
ssl_debug_printf("%s key exchange %d different from KEX_RSA (%d)\n",
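Review bot: The retained `else if (ssl_session->cipher_suite.kex != KEX_RSA)` branch at the end of the hunk still logs only the raw `%d` key-exchange ids, while the new `KEX_IS_DH` branch directly above it now prints the cipher suite id and its human-readable name; the two adjacent diagnostics for the same failure mode read inconsistently, and the first is the one a user is more likely to need when decryption fails for a non-DH, non-RSA suite. Consider giving it the same shape, e.g. the format `"%s key exchange %d different from KEX_RSA (%d) (cipher suite 0x%04X %s)\n"` with `ssl_session->session.cipher` and the same `val_to_str_ext_const(..., &ssl_31_ciphersuite_ext, "unknown")` lookup appended to the argument list. The body of ssl_decrypt_pre_master_secret continues outside the hunk, so I cannot see whether the `KEX_RSA` path below has a similar message.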
@@ -4453,14 +4454,6 @@ ssl_parse_key_list(const ssldecrypt_assoc_t *uats _U_, GHashTable *key_hash _U_,
}
#endif
-void
-ssl_lib_init(void)
-{
-#ifdef HAVE_LIBGNUTLS
- ssl_debug_printf("gnutls version: %s\n", gnutls_check_version(NULL));
-#endif
-}
-
#ifdef HAVE_LIBGCRYPT /* useless without decryption support. */
/* Store/load a known (pre-)master secret from/for this SSL session. {{{ */
@@ -4802,6 +4795,14 @@ ssl_set_debug(const gchar* name)
debug_file_must_be_closed = 1;
ssl_debug_printf("Wireshark SSL debug log \n\n");
+ ssl_debug_printf("Wireshark version: %s\n", get_ws_vcs_version_info());
+#ifdef HAVE_LIBGNUTLS
+ ssl_debug_printf("GnuTLS version: %s\n", gnutls_check_version(NULL));
+#endif
+#ifdef HAVE_LIBGCRYPT
+ ssl_debug_printf("Libgcrypt version: %s\n", gcry_check_version(NULL));
+#endif
+ ssl_debug_printf("\n");
}
void
@@ -5716,8 +5717,11 @@ ssl_dissect_hnd_srv_hello(ssl_common_dissect_t *hf, tvbuff_t *tvb,
} else {
/* Cipher found, save this for the delayed decoder init */
ssl->state |= SSL_CIPHER;
- ssl_debug_printf("%s found CIPHER 0x%04X -> state 0x%02X\n",
- G_STRFUNC, ssl->session.cipher, ssl->state);
+ ssl_debug_printf("%s found CIPHER 0x%04X %s -> state 0x%02X\n",
+ G_STRFUNC, ssl->session.cipher,
+ val_to_str_ext_const(ssl->session.cipher,
+ &ssl_31_ciphersuite_ext, "unknown"),
+ ssl->state);
}
}
diff --git a/epan/dissectors/packet-ssl-utils.h b/epan/dissectors/packet-ssl-utils.h
index a36b978ae4..4e3be07eea 100644
--- a/epan/dissectors/packet-ssl-utils.h
+++ b/epan/dissectors/packet-ssl-utils.h
@@ -306,6 +306,7 @@ typedef struct _SslDecoder {
#define KEX_SRP_SHA 0x20
#define KEX_SRP_SHA_DSS 0x21
#define KEX_SRP_SHA_RSA 0x22
+#define KEX_IS_DH(n) ((n) >= KEX_DHE_DSS && (n) <= KEX_ECDH_RSA)
#define ENC_DES 0x30
#define ENC_3DES 0x31
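Review bot: `KEX_IS_DH(n)` expresses the DH/ECDH family as a numeric range from `KEX_DHE_DSS` to `KEX_ECDH_RSA`, but nothing at the definition records that the constants between those two endpoints (their values lie outside this hunk) must stay contiguous and contain only (EC)DH(E) variants; a `#define` later inserted inside that range, or a non-DH constant already sitting in it, would silently change which sessions ssl_decrypt_pre_master_secret refuses to decrypt with an RSA key, with no compiler diagnostic. Add a comment above the macro, e.g. `/* Assumes KEX_DHE_DSS..KEX_ECDH_RSA is a contiguous run holding only (EC)DH(E) variants; keep it so when adding KEX_* values. */`, or spell the members out as an explicit `||` chain like the code it replaces. The macro also sits after the `KEX_SRP_SHA_*` defines rather than next to the DH constants it refers to, which makes the ordering dependency easy to miss.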
@@ -448,10 +449,6 @@ gboolean ssldecrypt_uat_fld_protocol_chk_cb(void*, const char*, unsigned, const
gboolean ssldecrypt_uat_fld_fileopen_chk_cb(void*, const char*, unsigned, const void*, const void*, char** err);
gboolean ssldecrypt_uat_fld_password_chk_cb(void*, const char*, unsigned, const void*, const void*, char** err);
-/** Initialize decryption engine/ssl layer. To be called once per execution */
-extern void
-ssl_lib_init(void);
-
/** Retrieve a SslSession, creating it if it did not already exist.
* @param conversation The SSL conversation.
* @param ssl_handle The dissector handle for SSL or DTLS.
diff --git a/epan/dissectors/packet-ssl.c b/epan/dissectors/packet-ssl.c
index e98c3f3091..0e485c8754 100644
--- a/epan/dissectors/packet-ssl.c
+++ b/epan/dissectors/packet-ssl.c
@@ -4204,7 +4204,6 @@ proto_register_ssl(void)
register_init_routine(ssl_init);
register_cleanup_routine(ssl_cleanup);
- ssl_lib_init();
ssl_tap = register_tap("ssl");
ssl_debug_printf("proto_register_ssl: registered tap %s:%d\n",
"ssl", ssl_tap);