author | Peter Wu <peter@lekensteyn.nl> | 2016-09-04 01:23:37 +0200 |
---|---|---|
committer | Alexis La Goutte <alexis.lagoutte@gmail.com> | 2016-09-06 13:45:30 +0000 |
commit | 7a674c006b3d09735c9340ad74f02556fbd91cbd (patch) | |
tree | 748b60b5c61cb295aad2577f01e00c526262cb70 /test | |
parent | 36c8065cc3fbe7eb36dd8474e53aca36cdca624d (diff) |
ssl: fix TLS renegotiation, add test for this
A handshake starts a new session; be sure to clear the previous state to
avoid creating a decoder with wrong secrets.
Renegotiations are also kind of transparent to the application layer, so
be sure to re-use an existing SslFlow. This fixes the Follow SSL stream
functionality which would previously ignore everything except for the
first session.
The capture file contains a crafted HTTP request/response over TLS 1.2,
interleaved with renegotiations. The HTTP response contains the Python
script used to generate the traffic. Surprise!
Change-Id: I0110ce76893d4a79330845e53e47e10f1c79e47e
Reviewed-on: https://code.wireshark.org/review/17480
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Diffstat (limited to 'test')
-rw-r--r-- | test/captures/tls-renegotiation.pcap | bin | 0 -> 12935 bytes |
-rwxr-xr-x | test/suite-decryption.sh | 17 |
2 files changed, 17 insertions, 0 deletions
diff --git a/test/captures/tls-renegotiation.pcap b/test/captures/tls-renegotiation.pcap Binary files differnew file mode 100644 index 0000000000..7d772a58f5 --- /dev/null +++ b/test/captures/tls-renegotiation.pcap diff --git a/test/suite-decryption.sh b/test/suite-decryption.sh index 0d5ba25043..2d7aff666d 100755 --- a/test/suite-decryption.sh +++ b/test/suite-decryption.sh @@ -245,6 +245,22 @@ decryption_step_ssl_master_secret() { test_step_ok } +# TLS 1.2 with renegotiation +decryption_step_ssl_renegotiation() { + TEST_KEYS_FILE="$TESTS_DIR/keys/rsasnakeoil2.key" + if [ "$WS_SYSTEM" == "Windows" ] ; then + TEST_KEYS_FILE="`cygpath -w $TEST_KEYS_FILE`" + fi + output=$($TESTS_DIR/run_and_catch_crashes env $TS_DC_ENV $TSHARK $TS_DC_ARGS -Tfields -e http.content_length \ + -o ssl.keys_list:"0.0.0.0,4433,http,$TEST_KEYS_FILE" \ + -r "$CAPTURE_DIR/tls-renegotiation.pcap" -Y http) + if [[ "$output" != 0*2151* ]]; then + test_step_failed "Failed to decrypt SSL with renegotiation" + return + fi + test_step_ok +} + # ZigBee # https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7022 decryption_step_zigbee() { @@ -492,6 +508,7 @@ tshark_decryption_suite() { test_step_add "SSL Decryption (RSA private key with p smaller than q)" decryption_step_ssl_rsa_pq test_step_add "SSL Decryption (private key with password)" decryption_step_ssl_with_password test_step_add "SSL Decryption (master secret)" decryption_step_ssl_master_secret + test_step_add "SSL Decryption (renegotiation)" decryption_step_ssl_renegotiation test_step_add "ZigBee Decryption" decryption_step_zigbee test_step_add "ANSI C12.22 Decryption" decryption_step_c1222 test_step_add "DVB-CI Decryption" decryption_step_dvb_ci |
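Review bot: the new binary capture test/captures/tls-renegotiation.pcap cannot be reviewed from the diff, and the commit message says the only copy of the Python generator script lives inside the HTTP response in that capture. Please commit the generator script as a readable file next to the capture (or reference where it is maintained), so the interleaved renegotiations can be regenerated and adjusted when the test needs to change.

Review bot: the success check in decryption_step_ssl_renegotiation, `if [[ "$output" != 0*2151* ]]; then`, is very loose: any output whose first http.content_length field starts with 0 and later contains the digits 2151 passes, so a regression that decrypts a renegotiated record to a wrong length or drops or duplicates an HTTP PDU between those two values would still pass. Compare against the exact expected sequence of content lengths instead, or at least anchor the pattern to the exact values (e.g. `0` and `2151` as whole fields). Minor: in the Windows branch, `TEST_KEYS_FILE="\`cygpath -w $TEST_KEYS_FILE\`"` leaves the path unquoted inside the backticks; `TEST_KEYS_FILE="$(cygpath -w "$TEST_KEYS_FILE")"` is safer if the test directory ever contains spaces.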