-rw-r--r--CMakeLists.txt27
-rw-r--r--epan/crypt/CMakeLists.txt14
-rw-r--r--epan/crypt/dot11decrypt.c38
-rw-r--r--epan/crypt/dot11decrypt_ccmp_compat.c262
-rw-r--r--epan/crypt/dot11decrypt_int.h12
-rw-r--r--epan/dissectors/packet-btmesh-proxy.c13
-rw-r--r--epan/dissectors/packet-btmesh.c63
-rw-r--r--epan/dissectors/packet-dcerpc-netlogon.c10
-rw-r--r--epan/dissectors/packet-dof.c18
-rw-r--r--epan/dissectors/packet-isakmp.c3
-rw-r--r--epan/dissectors/packet-lorawan.c19
-rw-r--r--epan/dissectors/packet-pdcp-lte.c20
-rw-r--r--epan/dissectors/packet-pdcp-nr.c2
-rw-r--r--epan/dissectors/packet-smb2.c13
-rw-r--r--epan/dissectors/packet-ssh.c62
-rw-r--r--epan/dissectors/packet-tls.c2
-rw-r--r--epan/dissectors/packet-wireguard.c51
-rw-r--r--wsutil/curve25519.c19
-rw-r--r--wsutil/curve25519.h4
-rw-r--r--wsutil/wsgcrypt.c7
-rw-r--r--wsutil/wsgcrypt.h4
21 files changed, 9 insertions, 654 deletions
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 0769394dd7..d68280b8fb 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -1141,7 +1141,7 @@ find_package(GMODULE2)
reset_find_package(GTHREAD2)
find_package(GTHREAD2 REQUIRED)
reset_find_package(GCRYPT GCRYPT_ERROR_LIBRARY)
-find_package(GCRYPT "1.5.0" REQUIRED)
+find_package(GCRYPT "1.8.0" REQUIRED)
# C Asynchronous resolver
reset_find_package(CARES)
find_package(CARES "1.5.0" REQUIRED)
@@ -1852,31 +1852,6 @@ endif()
feature_summary(WHAT ALL)
-# Newer Libgcrypt versions may be required for certain functionality:
-# 1.6
-# - IEEE 802.11 TDLS, AES-GCMP-128 and AES-GCMP-256 decryption
-# - IEEE 802.11 WPA3-Personal / SAE decryption
-# - BT Mesh decryption
-# - Distributed Object Framework (DOF) decryption
-# - IKEv2 integrity check
-# - LoRaWAN integrity check
-# - LTE PDCP EIA2 integrity check
-# - QUIC decryption support
-# - SMB3 AES-128-CCM/GCM decryption
-# - TLS 1.3 0-RTT decryption
-# - TLS GCM/CCM ciphers integrity check
-# 1.7
-# - QUIC ChaCha20-Poly1305 decryption
-# - TLS 1.3 ChaCha20-Poly1305 decryption
-# 1.8
-# - dcerpc-netlogon NETLOGON_FLAG_AES decryption
-# - WireGuard decryption
-if(GCRYPT_VERSION VERSION_LESS 1.6.0)
- message(WARNING "Libgcrypt version 1.6.0 or newer is strongly recommended for improved decryption support, found ${GCRYPT_VERSION}")
-elseif(GCRYPT_VERSION VERSION_LESS 1.8.0)
- message(WARNING "Libgcrypt version 1.8.0 or newer is recommended for full decryption functionality, found ${GCRYPT_VERSION}")
-endif()
-
# Should this be part of libui?
if(WIN32)
set(PLATFORM_UI_SRC
diff --git a/epan/crypt/CMakeLists.txt b/epan/crypt/CMakeLists.txt
index c44b0cee7d..861ad54efd 100644
--- a/epan/crypt/CMakeLists.txt
+++ b/epan/crypt/CMakeLists.txt
@@ -28,16 +28,10 @@ set(CRYPT_FILES
${CUSTOM_CRYPT_SRC}
)
-if (GCRYPT_VERSION VERSION_LESS 1.6.0)
- list(APPEND CRYPT_FILES
- dot11decrypt_ccmp_compat.c
- )
-else()
- list(APPEND CRYPT_FILES
- dot11decrypt_ccmp.c
- dot11decrypt_gcmp.c
- )
-endif()
+list(APPEND CRYPT_FILES
+ dot11decrypt_ccmp.c
+ dot11decrypt_gcmp.c
+)
source_group(crypt FILES ${CRYPT_FILES})
diff --git a/epan/crypt/dot11decrypt.c b/epan/crypt/dot11decrypt.c
index b4d625daf1..67994409f0 100644
--- a/epan/crypt/dot11decrypt.c
+++ b/epan/crypt/dot11decrypt.c
@@ -200,13 +200,11 @@ static INT Dot11DecryptRsnaMicCheck(
int akm)
;
-#if GCRYPT_VERSION_NUMBER >= 0x010600
static gint
Dot11DecryptFtMicCheck(
const PDOT11DECRYPT_ASSOC_PARSED assoc_parsed,
const guint8 *kck,
size_t kck_len);
-#endif
static PDOT11DECRYPT_SEC_ASSOCIATION
Dot11DecryptGetSa(
@@ -1814,7 +1812,6 @@ Dot11DecryptRsna4WHandshake(
}
/* Refer to IEEE 802.11-2016 Chapeter 13.8 FT authentication sequence */
-#if GCRYPT_VERSION_NUMBER >= 0x010600
gint
Dot11DecryptScanFtAssocForKeys(
const PDOT11DECRYPT_CONTEXT ctx,
@@ -1974,18 +1971,6 @@ Dot11DecryptScanFtAssocForKeys(
Dot11DecryptCopyKey(sa, used_key);
return DOT11DECRYPT_RET_SUCCESS_HANDSHAKE;
}
-#else
-gint
-Dot11DecryptScanFtAssocForKeys(
- const PDOT11DECRYPT_CONTEXT ctx _U_,
- const PDOT11DECRYPT_ASSOC_PARSED assoc_parsed _U_,
- guint8 *decrypted_gtk _U_, size_t *decrypted_len _U_,
- DOT11DECRYPT_KEY_ITEM* used_item _U_)
-{
- ws_info("Skipped Dot11DecryptScanFtAssocForKeys, libgcrypt >= 1.6");
- return DOT11DECRYPT_RET_UNSUCCESS;
-}
-#endif
/* From IEEE 802.11-2016 Table 12-8 Integrity and key-wrap algorithms */
static int
@@ -1998,7 +1983,6 @@ Dot11DecryptGetIntegrityAlgoFromAkm(int akm, int *algo, gboolean *hmac)
*algo = GCRY_MD_SHA1;
*hmac = TRUE;
break;
-#if GCRYPT_VERSION_NUMBER >= 0x010600
case 3:
case 4:
case 5:
@@ -2010,7 +1994,6 @@ Dot11DecryptGetIntegrityAlgoFromAkm(int akm, int *algo, gboolean *hmac)
*algo = GCRY_MAC_CMAC_AES;
*hmac = FALSE;
break;
-#endif
case 11:
case 18:
*algo = GCRY_MD_SHA256;
@@ -2105,7 +2088,6 @@ Dot11DecryptRsnaMicCheck(
* — FTE, with the MIC field of the FTE set to 0
* — Contents of the RIC-Response (if present)
*/
-#if GCRYPT_VERSION_NUMBER >= 0x010600
static gint
Dot11DecryptFtMicCheck(
const PDOT11DECRYPT_ASSOC_PARSED assoc_parsed,
@@ -2182,7 +2164,6 @@ Dot11DecryptFtMicCheck(
gcry_mac_close(handle);
return DOT11DECRYPT_RET_SUCCESS;
}
-#endif
static INT
Dot11DecryptValidateKey(
@@ -2986,36 +2967,22 @@ static INT
Dot11DecryptTDLSDeriveKey(
PDOT11DECRYPT_SEC_ASSOCIATION sa,
const guint8 *data,
-#if GCRYPT_VERSION_NUMBER >= 0x010600
guint offset_rsne,
-#else
- guint offset_rsne _U_,
-#endif
guint offset_fte,
-#if GCRYPT_VERSION_NUMBER >= 0x010600
guint offset_timeout,
-#else
- guint offset_timeout _U_,
-#endif
guint offset_link,
-#if GCRYPT_VERSION_NUMBER >= 0x010600
guint8 action)
-#else
- guint8 action _U_)
-#endif
{
gcry_md_hd_t sha256_handle;
gcry_md_hd_t hmac_handle;
const guint8 *snonce, *anonce, *initiator, *responder, *bssid;
guint8 key_input[32];
-#if GCRYPT_VERSION_NUMBER >= 0x010600
guint8 mic[16], seq_num = action + 1;
guint8 zeros[16] = { 0 };
gcry_mac_hd_t cmac_handle;
size_t cmac_len = 16;
size_t cmac_write_len;
-#endif
/* Get key input */
anonce = &data[offset_fte + 20];
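Review bot: `Dot11DecryptTDLSDeriveKey` receives `data` and four offsets but no buffer length, so `anonce = &data[offset_fte + 20]` and the reads that follow cannot be bounds-checked inside the function. With the CMAC MIC path now compiled unconditionally, the precondition should be documented above the signature, e.g. `/* Caller must ensure offset_rsne, offset_fte, offset_timeout and offset_link address complete elements inside data. */`, or a length parameter added in a follow-up. The function body continues outside this hunk and the caller's validation is not visible here, so this needs confirming against the call site.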
@@ -3060,7 +3027,6 @@ Dot11DecryptTDLSDeriveKey(
gcry_md_close(hmac_handle);
/* Check MIC */
-#if GCRYPT_VERSION_NUMBER >= 0x010600
if (gcry_mac_open(&cmac_handle, GCRY_MAC_CMAC_AES, 0, NULL)) {
return DOT11DECRYPT_RET_UNSUCCESS;
}
@@ -3094,10 +3060,6 @@ Dot11DecryptTDLSDeriveKey(
return DOT11DECRYPT_RET_UNSUCCESS;
}
gcry_mac_close(cmac_handle);
-#else
- ws_info("MIC verification failed, need libgcrypt >= 1.6");
- return DOT11DECRYPT_RET_UNSUCCESS;
-#endif
/* TODO support other akm and ciphers? */
sa->wpa.akm = 2;
sa->wpa.cipher = 4;
diff --git a/epan/crypt/dot11decrypt_ccmp_compat.c b/epan/crypt/dot11decrypt_ccmp_compat.c
deleted file mode 100644
index 95f95b3d9b..0000000000
--- a/epan/crypt/dot11decrypt_ccmp_compat.c
+++ /dev/null
@@ -1,262 +0,0 @@
-/* dot11decrypt_ccmp_compat.c
- *
- * Copyright (c) 2002-2005 Sam Leffler, Errno Consulting
- * Copyright (c) 2006 CACE Technologies, Davis (California)
- * All rights reserved.
- *
- * SPDX-License-Identifier: (BSD-3-Clause OR GPL-2.0-only)
- */
-
-/*
- * This file is only used for backwards compatibility with libgcrypt
- * versions < 1.6.0 that don't support AEAD. When building towards later
- * versions dot11decrypt_ccmp.c file is used instead
- */
-
-/*
- * Note: This file was derived from the FreeBSD source code, RELENG 6,
- * sys/net80211/ieee80211_crypto_ccmp.c
- */
-
-/****************************************************************************/
-/* File includes */
-#include "config.h"
-#include "dot11decrypt_system.h"
-#include "dot11decrypt_int.h"
-
-#include "dot11decrypt_debug.h"
-#include <glib.h>
-#include <wsutil/wsgcrypt.h>
-
-/****************************************************************************/
-/* Internal definitions */
-
-#define AES_BLOCK_LEN 16
-
-#define FC1_AAD_MASK 0xc7
-#define FC1_AAD_QOS_MASK 0x47
-
-/****************************************************************************/
-/* Internal macros */
-
-#define XOR_BLOCK(b, a, len) { \
- INT __i__; \
- for (__i__ = 0; __i__ < (INT)(len); __i__++) \
- (b)[__i__] ^= (a)[__i__]; \
-}
-
-#define CCMP_DECRYPT(_i, _b, _b0, _pos, _a, _len) { \
- /* Decrypt, with counter */ \
- _b0[14] = (UINT8)((_i >> 8) & 0xff); \
- _b0[15] = (UINT8)(_i & 0xff); \
- gcry_cipher_encrypt(rijndael_handle, _b, AES_BLOCK_LEN, _b0, AES_BLOCK_LEN); \
- XOR_BLOCK(_pos, _b, _len); \
- /* Authentication */ \
- XOR_BLOCK(_a, _pos, _len); \
- gcry_cipher_encrypt(rijndael_handle, _a, AES_BLOCK_LEN, NULL, 0); \
-}
-
-#define READ_6(b0, b1, b2, b3, b4, b5) \
- ((((UINT64)((UINT16)((b4 << 0) | (b5 << 8)))) << 32) | \
- ((UINT32)((b0 << 0) | (b1 << 8) | (b2 << 16) | (b3 << 24))))
-
-/****************************************************************************/
-/* Internal function prototypes declarations */
-
-static void ccmp_init_blocks(
- gcry_cipher_hd_t rijndael_handle,
- PDOT11DECRYPT_MAC_FRAME wh,
- UINT64 pn,
- size_t dlen,
- UINT8 b0[AES_BLOCK_LEN],
- UINT8 aad[2 * AES_BLOCK_LEN],
- UINT8 a[AES_BLOCK_LEN],
- UINT8 b[AES_BLOCK_LEN])
- ;
-
-/****************************************************************************/
-/* Function definitions */
-
-static void ccmp_init_blocks(
- gcry_cipher_hd_t rijndael_handle,
- PDOT11DECRYPT_MAC_FRAME wh,
- UINT64 pn,
- size_t dlen,
- UINT8 b0[AES_BLOCK_LEN],
- UINT8 aad[2 * AES_BLOCK_LEN],
- UINT8 a[AES_BLOCK_LEN],
- UINT8 b[AES_BLOCK_LEN])
-{
- UINT8 mgmt = (DOT11DECRYPT_TYPE(wh->fc[0]) == DOT11DECRYPT_TYPE_MANAGEMENT);
-
- memset(aad, 0, 2*AES_BLOCK_LEN);
-
- /* CCM Initial Block:
- * Flag (Include authentication header, M=3 (8-octet MIC),
- * L=1 (2-octet Dlen))
- * Nonce: 0x00 | A2 | PN
- * Dlen */
- b0[0] = 0x59;
- /* NB: b0[1] set below */
- DOT11DECRYPT_ADDR_COPY(b0 + 2, wh->addr2);
- b0[8] = (UINT8)(pn >> 40);
- b0[9] = (UINT8)(pn >> 32);
- b0[10] = (UINT8)(pn >> 24);
- b0[11] = (UINT8)(pn >> 16);
- b0[12] = (UINT8)(pn >> 8);
- b0[13] = (UINT8)(pn >> 0);
- b0[14] = (UINT8)((UINT8)(dlen >> 8) & 0xff);
- b0[15] = (UINT8)(dlen & 0xff);
-
- /* AAD:
- * FC with bits 4..6 and 11..13 masked to zero; 14 is always one; 15 zero when QoS Control field present
- * A1 | A2 | A3
- * SC with bits 4..15 (seq#) masked to zero
- * A4 (if present)
- * QC (if present)
- */
- aad[0] = 0; /* AAD length >> 8 */
- /* NB: aad[1] set below */
- if (!mgmt)
- aad[2] = (UINT8)(wh->fc[0] & 0x8f); /* XXX magic #s */
- else
- aad[2] = wh->fc[0];
- if (DOT11DECRYPT_IS_QOS_DATA(wh)) {
- aad[3] = (UINT8)((wh->fc[1] & FC1_AAD_QOS_MASK) | 0x40);
- } else {
- aad[3] = (UINT8)((wh->fc[1] & FC1_AAD_MASK) | 0x40);
- }
-
- /* NB: we know 3 addresses are contiguous */
- memcpy(aad + 4, (guint8 *)wh->addr1, 3 * DOT11DECRYPT_MAC_LEN);
- aad[22] = (UINT8)(wh->seq[0] & DOT11DECRYPT_SEQ_FRAG_MASK);
- aad[23] = 0; /* all bits masked */
- /*
- * Construct variable-length portion of AAD based
- * on whether this is a 4-address frame/QOS frame.
- * We always zero-pad to 32 bytes before running it
- * through the cipher.
- *
- * We also fill in the priority bits of the CCM
- * initial block as we know whether or not we have
- * a QOS frame.
- */
- if (DOT11DECRYPT_IS_4ADDRESS(wh)) {
- DOT11DECRYPT_ADDR_COPY(aad + 24,
- ((PDOT11DECRYPT_MAC_FRAME_ADDR4)wh)->addr4);
- if (DOT11DECRYPT_IS_QOS_DATA(wh)) {
- PDOT11DECRYPT_MAC_FRAME_ADDR4_QOS qwh4 =
- (PDOT11DECRYPT_MAC_FRAME_ADDR4_QOS) wh;
- aad[30] = (UINT8)(qwh4->qos[0] & 0x0f);/* just priority bits */
- aad[31] = 0;
- b0[1] = aad[30];
- aad[1] = 22 + DOT11DECRYPT_MAC_LEN + 2;
- } else {
- memset(&aad[30], 0, 2);
- b0[1] = 0;
- aad[1] = 22 + DOT11DECRYPT_MAC_LEN;
- }
- } else {
- if (DOT11DECRYPT_IS_QOS_DATA(wh)) {
- PDOT11DECRYPT_MAC_FRAME_QOS qwh =
- (PDOT11DECRYPT_MAC_FRAME_QOS) wh;
- aad[24] = (UINT8)(qwh->qos[0] & 0x0f); /* just priority bits */
- aad[25] = 0;
- b0[1] = aad[24];
- aad[1] = 22 + 2;
- } else {
- memset(&aad[24], 0, 2);
- b0[1] = 0;
- aad[1] = 22;
- }
- if (mgmt)
- b0[1] |= 0x10; /* set MGMT flag */
- memset(&aad[26], 0, 4);
- }
-
- /* Start with the first block and AAD */
- gcry_cipher_encrypt(rijndael_handle, a, AES_BLOCK_LEN, b0, AES_BLOCK_LEN);
- XOR_BLOCK(a, aad, AES_BLOCK_LEN);
- gcry_cipher_encrypt(rijndael_handle, a, AES_BLOCK_LEN, NULL, 0);
- XOR_BLOCK(a, &aad[AES_BLOCK_LEN], AES_BLOCK_LEN);
- gcry_cipher_encrypt(rijndael_handle, a, AES_BLOCK_LEN, NULL, 0);
- b0[0] &= 0x07;
- b0[14] = b0[15] = 0;
- gcry_cipher_encrypt(rijndael_handle, b, AES_BLOCK_LEN, b0, AES_BLOCK_LEN);
-
- /** //XOR( m + len - 8, b, 8 ); **/
-}
-
-int Dot11DecryptCcmpDecrypt(
- guint8 *m,
- int mac_header_len,
- int len,
- guint8 *TK1,
- int tk_len,
- int mic_len)
-{
- PDOT11DECRYPT_MAC_FRAME wh;
- UINT8 aad[2 * AES_BLOCK_LEN];
- UINT8 b0[AES_BLOCK_LEN], b[AES_BLOCK_LEN], a[AES_BLOCK_LEN];
- UINT8 mic[AES_BLOCK_LEN];
- ssize_t data_len;
- UINT i;
- UINT8 *pos;
- UINT space;
- INT z = mac_header_len;
- gcry_cipher_hd_t rijndael_handle;
- UINT64 PN;
- UINT8 *ivp=m+z;
-
- if (tk_len > 16 || mic_len > 8) {
- /* NOT SUPPORTED*/
- return 1;
- }
-
- PN = READ_6(ivp[0], ivp[1], ivp[4], ivp[5], ivp[6], ivp[7]);
-
- if (gcry_cipher_open(&rijndael_handle, GCRY_CIPHER_AES, GCRY_CIPHER_MODE_ECB, 0)) {
- return 1;
- }
- if (gcry_cipher_setkey(rijndael_handle, TK1, 16)) {
- gcry_cipher_close(rijndael_handle);
- return 1;
- }
-
- wh = (PDOT11DECRYPT_MAC_FRAME )m;
- data_len = len - (z + DOT11DECRYPT_CCMP_HEADER+DOT11DECRYPT_CCMP_TRAILER);
- if (data_len < 1) {
- gcry_cipher_close(rijndael_handle);
- return 0;
- }
- ccmp_init_blocks(rijndael_handle, wh, PN, data_len, b0, aad, a, b);
- memcpy(mic, m+len-DOT11DECRYPT_CCMP_TRAILER, DOT11DECRYPT_CCMP_TRAILER);
- XOR_BLOCK(mic, b, DOT11DECRYPT_CCMP_TRAILER);
-
- i = 1;
- pos = (UINT8 *)m + z + DOT11DECRYPT_CCMP_HEADER;
- space = len - (z + DOT11DECRYPT_CCMP_HEADER);
-
- if (space > data_len)
- space = (UINT)data_len;
- while (space >= AES_BLOCK_LEN) {
- CCMP_DECRYPT(i, b, b0, pos, a, AES_BLOCK_LEN);
- pos += AES_BLOCK_LEN;
- space -= AES_BLOCK_LEN;
- i++;
- }
-
- if (space != 0) /* short last block */
- CCMP_DECRYPT(i, b, b0, pos, a, space);
-
- gcry_cipher_close(rijndael_handle);
- /* MIC Key ?= MIC */
- if (memcmp(mic, a, DOT11DECRYPT_CCMP_TRAILER) == 0) {
- return 0;
- }
-
- /* TODO replay check (IEEE 802.11i-2004, pg. 62) */
- /* TODO PN must be incremental (IEEE 802.11i-2004, pg. 62) */
-
- return 1;
-}
diff --git a/epan/crypt/dot11decrypt_int.h b/epan/crypt/dot11decrypt_int.h
index 0507db4ba2..3d4ad86d8e 100644
--- a/epan/crypt/dot11decrypt_int.h
+++ b/epan/crypt/dot11decrypt_int.h
@@ -177,24 +177,12 @@ int Dot11DecryptCcmpDecrypt(
int tk_len,
int mic_len);
-#if GCRYPT_VERSION_NUMBER >= 0x010600 /* 1.6.0 */
int Dot11DecryptGcmpDecrypt(
guint8 *m,
int mac_header_len,
int len,
guint8 *TK1,
int tk_len);
-#else
-static inline int Dot11DecryptGcmpDecrypt(
- guint8 *m _U_,
- int mac_header_len _U_,
- int len _U_,
- guint8 *TK1 _U_,
- int tk_len _U_)
-{
- return 1;
-}
-#endif
INT Dot11DecryptTkipDecrypt(
UCHAR *tkip_mpdu,
diff --git a/epan/dissectors/packet-btmesh-proxy.c b/epan/dissectors/packet-btmesh-proxy.c
index 7d0787ed83..be513caab5 100644
--- a/epan/dissectors/packet-btmesh-proxy.c
+++ b/epan/dissectors/packet-btmesh-proxy.c
@@ -155,8 +155,6 @@ static guint32 sequence_counter[E_BTMESH_PROXY_SIDE_LAST];
static guint32 fragment_counter[E_BTMESH_PROXY_SIDE_LAST];
static gboolean first_pass;
-#if GCRYPT_VERSION_NUMBER >= 0x010600 /* 1.6.0 */
-
static gint
dissect_btmesh_proxy_configuration_msg(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_)
{
@@ -281,17 +279,6 @@ dissect_btmesh_proxy_configuration_msg(tvbuff_t *tvb, packet_info *pinfo, proto_
return offset;
}
-#else /* GCRYPT_VERSION_NUMBER >= 0x010600 */
-
-static gint
-dissect_btmesh_proxy_configuration_msg(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, void *data _U_)
-{
- proto_tree_add_item(tree, hf_btmesh_proxy_data, tvb, 0, tvb_reported_length(tvb), ENC_NA);
- return tvb_reported_length(tvb);
-}
-
-#endif/* GCRYPT_VERSION_NUMBER >= 0x010600 */
-
static gint
dissect_btmesh_proxy_msg(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *proxy_data)
{
diff --git a/epan/dissectors/packet-btmesh.c b/epan/dissectors/packet-btmesh.c
index 20c3261af3..0721f67846 100644
--- a/epan/dissectors/packet-btmesh.c
+++ b/epan/dissectors/packet-btmesh.c
@@ -1740,7 +1740,6 @@ static int hf_bt_characteristic_percentage_8 = -1;
static int hf_bt_characteristic_time_millisecond_24 = -1;
static int hf_bt_characteristic_time_second_16 = -1;
-#if GCRYPT_VERSION_NUMBER >= 0x010600 /* 1.6.0 */
static const
bt_property_raw_value_entry_t sensor_column_status_hfs = {
.hf_raw_value_a = &hf_btmesh_sensor_column_status_raw_value_a,
@@ -1796,7 +1795,6 @@ bt_property_columns_raw_value_t sensor_series_get_hfs = {
.hf_raw_value_a1 = &hf_btmesh_sensor_series_get_raw_value_a1,
.hf_raw_value_a2 = &hf_btmesh_sensor_series_get_raw_value_a2
};
-#endif
static int ett_btmesh = -1;
static int ett_btmesh_net_pdu = -1;
@@ -2414,8 +2412,6 @@ static const value_string btmesh_defined_or_dash_vals[] = {
{ 0, NULL }
};
-#if GCRYPT_VERSION_NUMBER >= 0x010600 /* 1.6.0 */
-
static int * const config_composition_data_status_features_headers[] = {
&hf_btmesh_config_composition_data_status_features_relay,
&hf_btmesh_config_composition_data_status_features_proxy,
@@ -2481,8 +2477,6 @@ static const fragment_items btmesh_segmented_control_frag_items = {
"fragments"
};
-#endif
-
static const value_string btmesh_status_code_vals[] = {
{ 0x00, "Success" },
{ 0x01, "Invalid Address" },
@@ -2785,7 +2779,6 @@ static const value_string btmesh_properties_vals[] = {
{ PROPERTY_OUTPUT_CURRENT_PERCENT , "Output Current Percent" },
{ 0, NULL }
};
-#if GCRYPT_VERSION_NUMBER >= 0x010600 /* 1.6.0 */
static const btmesh_property_t btmesh_properties[] = {
{ PHONY_PROPERTY_PERCENTAGE_CHANGE_16 , PHONY_CHARACTERISTIC_PERCENTAGE_CHANGE_16 },
@@ -3072,7 +3065,6 @@ static const bt_gatt_characteristic_t bt_gatt_characteristics[] = {
{ CHARACTERISTIC_WIND_CHILL , 1, NULL , DISSECTOR_SIMPLE },
{ 0, 0, NULL, 0},
};
-#endif /* GCRYPT_VERSION_NUMBER >= 0x010600 */
/* Upper Transport Message reassembly */
@@ -3180,7 +3172,6 @@ upper_transport_init_routine(void)
}
/* A BT Mesh dissector is not realy useful without decryption as all packets are encrypted. Just leave a stub dissector outside of */
-#if GCRYPT_VERSION_NUMBER >= 0x010600 /* 1.6.0 */
/* BT Mesh s1 function */
static gboolean
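Review bot: The comment kept above the `s1` helper still reads "Just leave a stub dissector outside of", but this commit removes both the `#if` guard and the stub `dissect_btmesh_msg`, so it now describes code that no longer exists. Drop it or reword it, e.g. `/* BT Mesh packets are all encrypted; dissection relies on the decryption helpers below. */`.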
@@ -3630,8 +3621,6 @@ btmesh_deobfuscate(tvbuff_t *tvb, packet_info *pinfo, int offset _U_, uat_btmesh
return de_obf_tvb;
}
-#endif /* GCRYPT_VERSION_NUMBER >= 0x010600 */
-
static const gchar *period_interval_unit[] = {"ms", "s", "s", "min"};
static const guint32 period_interval_multiplier[] = {100, 1, 10, 10};
@@ -4395,8 +4384,6 @@ format_time_second_16(gchar *buf, guint32 value) {
}
}
-#if GCRYPT_VERSION_NUMBER >= 0x010600 /* 1.6.0 */
-
static guint16
find_characteristic_id(guint16 property_id)
{
@@ -8123,56 +8110,6 @@ dissect_btmesh_msg(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *da
return offset;
}
-#else /* GCRYPT_VERSION_NUMBER >= 0x010600 */
-
-static gboolean
-create_master_security_keys(uat_btmesh_record_t * net_key_set _U_)
-{
- return FALSE;
-}
-
-static gboolean
-k4(uat_btmesh_record_t *key_set _U_)
-{
- return FALSE;
-}
-
-static gboolean
-label_uuid_hash(uat_btmesh_label_uuid_record_t *label_uuid_record _U_)
-{
- return FALSE;
-}
-
-/* Stub dissector if decryption not available on build system */
-static gint
-dissect_btmesh_msg(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_)
-{
- proto_item *item;
- proto_tree *sub_tree;
- int offset = 0;
-
- col_set_str(pinfo->cinfo, COL_PROTOCOL, "BT Mesh");
- col_clear(pinfo->cinfo, COL_INFO);
-
- item = proto_tree_add_item(tree, proto_btmesh, tvb, offset, -1, ENC_NA);
- sub_tree = proto_item_add_subtree(item, ett_btmesh);
-
- /* First byte in plaintext */
- /* IVI 1 bit Least significant bit of IV Index */
- proto_tree_add_item(sub_tree, hf_btmesh_ivi, tvb, offset, 1, ENC_BIG_ENDIAN);
- proto_tree_add_item(sub_tree, hf_btmesh_nid, tvb, offset, 1, ENC_BIG_ENDIAN);
- offset++;
-
- proto_tree_add_item(sub_tree, hf_btmesh_obfuscated, tvb, offset, 6, ENC_NA);
- offset += 6;
-
- proto_tree_add_item(sub_tree, hf_btmesh_encrypted, tvb, offset, -1, ENC_NA);
-
- return tvb_reported_length(tvb);
-}
-
-#endif /* GCRYPT_VERSION_NUMBER >= 0x010600 */
-
static gint
compute_ascii_key(guchar **ascii_key, const gchar *key, const gchar *key_name, guint expected_octets, char **err)
{
diff --git a/epan/dissectors/packet-dcerpc-netlogon.c b/epan/dissectors/packet-dcerpc-netlogon.c
index b36f9ea62a..4fbeffaba1 100644
--- a/epan/dissectors/packet-dcerpc-netlogon.c
+++ b/epan/dissectors/packet-dcerpc-netlogon.c
@@ -6802,7 +6802,6 @@ netlogon_dissect_netrserverauthenticate023_reply(tvbuff_t *tvb, int offset,
debugprintf("Found %d passwords \n",list_size);
if( flags & NETLOGON_FLAG_AES )
{
-#if GCRYPT_VERSION_NUMBER >= 0x010800 /* 1.8.0 */
guint8 salt_buf[16] = { 0 };
guint8 sha256[HASH_SHA2_256_LENGTH];
guint64 calculated_cred;
@@ -6872,7 +6871,6 @@ netlogon_dissect_netrserverauthenticate023_reply(tvbuff_t *tvb, int offset,
}
}
}
-#endif
} else if ( flags & NETLOGON_FLAG_STRONGKEY ) {
guint8 zeros[4] = { 0 };
guint8 md5[HASH_MD5_LENGTH];
@@ -7877,7 +7875,6 @@ static int get_seal_key(const guint8 *session_key,int key_len,guint8* seal_key)
}
-#if GCRYPT_VERSION_NUMBER >= 0x010800 /* 1.8.0 */
static guint64 uncrypt_sequence_aes(guint8* session_key,guint64 checksum,guint64 enc_seq,unsigned char is_server _U_)
{
gcry_error_t err;
@@ -7920,7 +7917,6 @@ static guint64 uncrypt_sequence_aes(guint8* session_key,guint64 checksum,guint64
gcry_cipher_close(cipher_hd);
return enc_seq;
}
-#endif
static guint64 uncrypt_sequence_strong(guint8* session_key,guint64 checksum,guint64 enc_seq,unsigned char is_server _U_)
{
@@ -7958,11 +7954,9 @@ static guint64 uncrypt_sequence_strong(guint8* session_key,guint64 checksum,guin
static guint64 uncrypt_sequence(guint32 flags, guint8* session_key,guint64 checksum,guint64 enc_seq,unsigned char is_server _U_)
{
-#if GCRYPT_VERSION_NUMBER >= 0x010800 /* 1.8.0 */
if (flags & NETLOGON_FLAG_AES) {
return uncrypt_sequence_aes(session_key, checksum, enc_seq, is_server);
}
-#endif
if (flags & NETLOGON_FLAG_STRONGKEY) {
return uncrypt_sequence_strong(session_key, checksum, enc_seq, is_server);
@@ -7971,7 +7965,6 @@ static guint64 uncrypt_sequence(guint32 flags, guint8* session_key,guint64 check
return 0;
}
-#if GCRYPT_VERSION_NUMBER >= 0x010800 /* 1.8.0 */
static gcry_error_t prepare_decryption_cipher_aes(netlogon_auth_vars *vars,
gcry_cipher_hd_t *_cipher_hd)
{
@@ -8010,7 +8003,6 @@ static gcry_error_t prepare_decryption_cipher_aes(netlogon_auth_vars *vars,
*_cipher_hd = cipher_hd;
return 0;
}
-#endif
static gcry_error_t prepare_decryption_cipher_strong(netlogon_auth_vars *vars,
gcry_cipher_hd_t *_cipher_hd)
@@ -8057,11 +8049,9 @@ static gcry_error_t prepare_decryption_cipher(netlogon_auth_vars *vars,
{
*_cipher_hd = NULL;
-#if GCRYPT_VERSION_NUMBER >= 0x010800 /* 1.8.0 */
if (vars->flags & NETLOGON_FLAG_AES) {
return prepare_decryption_cipher_aes(vars, _cipher_hd);
}
-#endif
if (vars->flags & NETLOGON_FLAG_STRONGKEY) {
return prepare_decryption_cipher_strong(vars, _cipher_hd);
diff --git a/epan/dissectors/packet-dof.c b/epan/dissectors/packet-dof.c
index 06e2aa9b8b..430082add5 100644
--- a/epan/dissectors/packet-dof.c
+++ b/epan/dissectors/packet-dof.c
@@ -180,9 +180,6 @@
#include <ctype.h>
#include <wsutil/wsgcrypt.h>
-#if GCRYPT_VERSION_NUMBER >= 0x010600 /* 1.6.0 */
-#define LIBGCRYPT_OK
-#endif
#include <epan/packet.h>
#include <epan/proto.h>
@@ -1938,7 +1935,6 @@ static const value_string sgmp_opcode_strings[] = {
#if 0 /* TODO not used yet */
static gboolean sgmp_validate_session_key(sgmp_packet_data *cmd_data, guint8 *confirmation, guint8 *kek, guint8 *key)
{
-#ifdef LIBGCRYPT_OK
gcry_mac_hd_t hmac;
gcry_error_t result;
@@ -1952,9 +1948,6 @@ static gboolean sgmp_validate_session_key(sgmp_packet_data *cmd_data, guint8 *co
gcry_mac_write(hmac, key, 32);
result = gcry_mac_verify(hmac, confirmation, sizeof(confirmation));
return result == 0;
-#else
- return FALSE;
-#endif
}
#endif
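Review bot: `sgmp_validate_session_key` passes `sizeof(confirmation)` to `gcry_mac_verify()`, but `confirmation` is a `guint8 *` parameter, so the length is the pointer size rather than the MAC length. If the `#if 0` block is ever enabled, the tag check would not cover the whole confirmation value. Pass the expected length explicitly, as `validate_session_key` does with `32`. Both functions also return straight after `gcry_mac_verify()` with no `gcry_mac_close(hmac)` visible in this hunk or in the `@@ -9125` hunk, which looks like a handle leak per call; a fix would be `result = gcry_mac_verify(hmac, confirmation, 32); gcry_mac_close(hmac);`. The code that opens the handle is outside both hunks, so confirm there is no other cleanup path.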
@@ -9103,7 +9096,6 @@ static int dissect_sgmp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, voi
return offset;
}
-#ifdef LIBGCRYPT_OK
static gboolean validate_session_key(tep_rekey_data *rekey, guint S_length, guint8 *S, guint8 *confirmation, guint8 *key)
{
guint8 pad[16];
@@ -9125,12 +9117,6 @@ static gboolean validate_session_key(tep_rekey_data *rekey, guint S_length, guin
result = gcry_mac_verify(hmac, confirmation, 32);
return result == 0;
}
-#else
-static gboolean validate_session_key(tep_rekey_data *rekey _U_, guint S_length _U_, guint8 *S _U_, guint8 *confirmation _U_, guint8 *key _U_)
-{
- return FALSE;
-}
-#endif
static int dissect_tep_dsp(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, void *data _U_)
{
@@ -11315,11 +11301,7 @@ static void dof_register_dpp_2(void)
{ &ei_dpp_default_flags, { "dof.dpp.v2.flags_included", PI_COMMENTS_GROUP, PI_NOTE, "Default flag value is included explicitly.", EXPFILL } },
{ &ei_dpp_explicit_sender_sid_included, { "dof.dpp.v2.sender_sid_included", PI_PROTOCOL, PI_NOTE, "Explicit SID could be optimized, same as sender.", EXPFILL } },
{ &ei_dpp_explicit_receiver_sid_included, { "dof.dpp.v2.receiver_sid_included", PI_PROTOCOL, PI_NOTE, "Explicit SID could be optimized, same as receiver.", EXPFILL } },
-#ifdef LIBGCRYPT_OK
{ &ei_dpp_no_security_context, { "dof.dpp.v2.no_context", PI_UNDECODED, PI_WARN, "No security context to enable packet decryption.", EXPFILL } },
-#else
- { &ei_dpp_no_security_context, { "dof.dpp.v2.no_context", PI_UNDECODED, PI_WARN, "This version of wireshark was built without DOF decryption capability", EXPFILL } },
-#endif
};
static gint *sett[] =
diff --git a/epan/dissectors/packet-isakmp.c b/epan/dissectors/packet-isakmp.c
index 1cfd90d405..d311d80214 100644
--- a/epan/dissectors/packet-isakmp.c
+++ b/epan/dissectors/packet-isakmp.c
@@ -6084,6 +6084,9 @@ dissect_enc(tvbuff_t *tvb,
* - in 1.6.x length must be equal of cipher block length. Aaargh... :-(
* We use accepted for both versions length of block size for GCM (16 bytes).
* For CCM length given must be the same as given to gcry_cipher_ctl(GCRYCTL_SET_CCM_LENGTHS)
+ *
+ * XXX: We now require libgcrypt 1.8.0, so presumably this could
+ * be updated?
*/
guchar *tag;
gint tag_len = icv_len;
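Review bot: The added `XXX` note asks whether the code "could be updated" without saying what should change, and the text above it still presents the libgcrypt 1.6.x tag-length restriction as current. Stating the action would make the TODO usable: `* XXX: libgcrypt >= 1.8.0 is now required; check whether the 1.6.x block-length restriction still applies and, if not, pass the real ICV length.` Because `tag_len` feeds the integrity check, any follow-up should confirm the full ICV is still compared. `dissect_enc` begins and ends outside this hunk.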
diff --git a/epan/dissectors/packet-lorawan.c b/epan/dissectors/packet-lorawan.c
index ed1c69ad7c..8891798270 100644
--- a/epan/dissectors/packet-lorawan.c
+++ b/epan/dissectors/packet-lorawan.c
@@ -406,7 +406,6 @@ static device_encryption_keys_t *get_encryption_keys_dev_address(guint32 dev_add
return NULL;
}
-#if GCRYPT_VERSION_NUMBER >= 0x010600 /* 1.6.0 */
static device_encryption_keys_t *get_encryption_keys_app_eui(const guint8 *appeui)
{
guint i;
@@ -452,7 +451,6 @@ calculate_mic(const guint8 *in, guint8 length, const guint8 *key)
gcry_mac_close(mac_hd);
return mac;
}
-#endif
/* length should be a multiple of 16, in should be padded to get to a multiple of 16 */
static gboolean
@@ -648,9 +646,7 @@ dissect_lorawan(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree _U_, void *d
guint8 fport;
guint32 dev_address;
guint32 fcnt;
-#if GCRYPT_VERSION_NUMBER >= 0x010600 /* 1.6.0 */
proto_item *checksum_item;
-#endif
gboolean uplink = TRUE;
device_encryption_keys_t *encryption_keys = NULL;
@@ -693,7 +689,6 @@ dissect_lorawan(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree _U_, void *d
* cmac = aes128_cmac(AppKey, msg)
* MIC = cmac[0..3]
*/
-#if GCRYPT_VERSION_NUMBER >= 0x010600 /* 1.6.0 */
encryption_keys = get_encryption_keys_app_eui(tvb_get_ptr(tvb, current_offset - 18, 8));
if (encryption_keys) {
proto_tree_add_checksum(lorawan_tree, tvb, current_offset, hf_lorawan_mic_type, hf_lorawan_mic_status_type, &ei_lorawan_mic, pinfo,
@@ -703,10 +698,6 @@ dissect_lorawan(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree _U_, void *d
0, ENC_LITTLE_ENDIAN, PROTO_CHECKSUM_NO_FLAGS);
expert_add_info(pinfo, checksum_item, &ei_lorawan_unverified_mic);
}
-#else
- proto_tree_add_checksum(lorawan_tree, tvb, current_offset, hf_lorawan_mic_type, hf_lorawan_mic_status_type, NULL, pinfo,
- 0, ENC_LITTLE_ENDIAN, PROTO_CHECKSUM_NO_FLAGS);
-#endif
return tvb_captured_length(tvb);
} else if (mac_mtype == LORAWAN_MAC_MTYPE_JOINACCEPT) {
tf = proto_tree_add_item(lorawan_tree, hf_lorawan_join_accept_type, tvb, current_offset, 12, ENC_NA);
@@ -733,7 +724,6 @@ dissect_lorawan(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree _U_, void *d
* cmac = aes128_cmac(AppKey, msg)
* MIC = cmac[0..3]
*/
-#if GCRYPT_VERSION_NUMBER >= 0x010600 /* 1.6.0 */
encryption_keys = get_encryption_keys_dev_address(dev_address);
if (encryption_keys) {
proto_tree_add_checksum(lorawan_tree, tvb, current_offset, hf_lorawan_mic_type, hf_lorawan_mic_status_type, &ei_lorawan_mic, pinfo, calculate_mic(tvb_get_ptr(tvb, 0, current_offset), current_offset, encryption_keys->appskey->data), ENC_LITTLE_ENDIAN, PROTO_CHECKSUM_VERIFY);
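Review bot: `calculate_mic()` takes its length as `guint8` (signature shown in the `@@ -452` hunk header), while this call passes `current_offset` as both the `tvb_get_ptr()` length and the MIC length. If `current_offset` can exceed 255, the MIC would be computed over a silently truncated length and a valid frame reported as failing verification. Now that this path is always built, either widen the parameter to `guint length` or guard the call with `current_offset <= G_MAXUINT8`. The declaration of `current_offset` is outside the hunk, so its range needs confirming.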
@@ -742,10 +732,6 @@ dissect_lorawan(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree _U_, void *d
0, ENC_LITTLE_ENDIAN, PROTO_CHECKSUM_NO_FLAGS);
expert_add_info(pinfo, checksum_item, &ei_lorawan_unverified_mic);
}
-#else
- proto_tree_add_checksum(lorawan_tree, tvb, current_offset, hf_lorawan_mic_type, hf_lorawan_mic_status_type, NULL, pinfo,
- 0, ENC_LITTLE_ENDIAN, PROTO_CHECKSUM_NO_FLAGS);
-#endif
return tvb_captured_length(tvb);
} else if ((mac_mtype >= LORAWAN_MAC_MTYPE_UNCONFIRMEDDATAUP) && (mac_mtype <= LORAWAN_MAC_MTYPE_CONFIRMEDDATADOWN)) {
if (mac_mtype & 1) {
@@ -823,7 +809,6 @@ dissect_lorawan(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree _U_, void *d
* MIC = cmac[0..3]
* B0 = 0x49 | 0x00 | 0x00 | 0x00 | 0x00 | dir | devAddr | fcntup/fcntdown | len(msg)
*/
-#if GCRYPT_VERSION_NUMBER >= 0x010600 /* 1.6.0 */
if (encryption_keys) {
gint frame_length = current_offset;
guint8 *msg = (guint8 *)wmem_alloc0(pinfo->pool, frame_length + 16);
@@ -839,10 +824,6 @@ dissect_lorawan(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree _U_, void *d
0, ENC_LITTLE_ENDIAN, PROTO_CHECKSUM_NO_FLAGS);
expert_add_info(pinfo, checksum_item, &ei_lorawan_unverified_mic);
}
-#else
- proto_tree_add_checksum(lorawan_tree, tvb, current_offset, hf_lorawan_mic_type, hf_lorawan_mic_status_type, NULL, pinfo,
- 0, ENC_LITTLE_ENDIAN, PROTO_CHECKSUM_NO_FLAGS);
-#endif
return tvb_captured_length(tvb);
}
diff --git a/epan/dissectors/packet-pdcp-lte.c b/epan/dissectors/packet-pdcp-lte.c
index 714d09c8ec..26db3cdc41 100644
--- a/epan/dissectors/packet-pdcp-lte.c
+++ b/epan/dissectors/packet-pdcp-lte.c
@@ -1700,8 +1700,6 @@ static tvbuff_t *decipher_payload(tvbuff_t *tvb, packet_info *pinfo, int *offset
/* Try to calculate digest to compare with that found in frame. */
-#if defined(HAVE_SNOW3G) || GCRYPT_VERSION_NUMBER >= 0x010600 /* 1.6.0 */ || defined(HAVE_ZUC)
-/* We can calculate it for at least some integrity types */
static guint32 calculate_digest(pdu_security_settings_t *pdu_security_settings, guint8 header,
tvbuff_t *tvb, packet_info *pinfo, gint offset, gboolean *calculated)
{
@@ -1753,7 +1751,6 @@ static guint32 calculate_digest(pdu_security_settings_t *pdu_security_settings,
}
#endif
-#if GCRYPT_VERSION_NUMBER >= 0x010600 /* 1.6.0 */
case eia2:
{
/* AES */
@@ -1813,7 +1810,6 @@ static guint32 calculate_digest(pdu_security_settings_t *pdu_security_settings,
*calculated = TRUE;
return ((mac[0] << 24) | (mac[1] << 16) | (mac[2] << 8) | mac[3]);
}
-#endif
#ifdef HAVE_ZUC
case eia3:
{
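Review bot: In the `eia2` branch, `return ((mac[0] << 24) | ...)` shifts an operand that has been promoted to `int`, so a first MAC byte of 0x80 or above overflows signed `int`, which is undefined behaviour. This assumes `mac` is a `guint8` array; its declaration is outside the hunk. Cast before shifting: `return (((guint32)mac[0] << 24) | ((guint32)mac[1] << 16) | ((guint32)mac[2] << 8) | mac[3]);`. The same expression appears in the `nia2` branch of packet-pdcp-nr.c, now also compiled unconditionally. `calculate_digest` starts and ends outside this hunk.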
@@ -1846,22 +1842,6 @@ static guint32 calculate_digest(pdu_security_settings_t *pdu_security_settings,
return 0;
}
}
-#else /* defined(HAVE_SNOW3G) || GCRYPT_VERSION_NUMBER >= 0x010600 || defined(HAVE_ZUC) */
-/* We can't calculate it for any integrity types other than eia0 */
-static guint32 calculate_digest(pdu_security_settings_t *pdu_security_settings, guint8 header _U_,
- tvbuff_t *tvb _U_, packet_info *pinfo _U_, gint offset _U_, gboolean *calculated)
-{
- *calculated = FALSE;
-
- if (pdu_security_settings->integrity == eia0) {
- /* Should be zero in this case */
- *calculated = TRUE;
- }
-
- /* Otherwise, we can't calculate it */
- return 0;
-}
-#endif /* defined(HAVE_SNOW3G) || GCRYPT_VERSION_NUMBER >= 0x010600 || defined(HAVE_ZUC) */
/******************************/
/* Main dissection function. */
diff --git a/epan/dissectors/packet-pdcp-nr.c b/epan/dissectors/packet-pdcp-nr.c
index 94c2e70574..3d6090770b 100644
--- a/epan/dissectors/packet-pdcp-nr.c
+++ b/epan/dissectors/packet-pdcp-nr.c
@@ -1739,7 +1739,6 @@ static guint32 calculate_digest(pdu_security_settings_t *pdu_security_settings,
}
#endif
-#if GCRYPT_VERSION_NUMBER >= 0x010600 /* 1.6.0 */
case nia2:
{
/* AES */
@@ -1802,7 +1801,6 @@ static guint32 calculate_digest(pdu_security_settings_t *pdu_security_settings,
*calculated = TRUE;
return ((mac[0] << 24) | (mac[1] << 16) | (mac[2] << 8) | mac[3]);
}
-#endif
#ifdef HAVE_ZUC
case nia3:
{
diff --git a/epan/dissectors/packet-smb2.c b/epan/dissectors/packet-smb2.c
index 2213a374bc..0656693a05 100644
--- a/epan/dissectors/packet-smb2.c
+++ b/epan/dissectors/packet-smb2.c
@@ -10100,7 +10100,6 @@ static smb2_function smb2_dissector[256] = {
#define SMB3_AES128CCM_NONCE 11
#define SMB3_AES128GCM_NONCE 12
-#if GCRYPT_VERSION_NUMBER >= 0x010600 /* 1.6.0 */
static gboolean is_decrypted_header_ok(guint8 *p, size_t size)
{
if (size < 4)
@@ -10362,7 +10361,6 @@ decrypt_smb_payload(packet_info *pinfo,
sti->session->server_port = pinfo->srcport;
return data;
}
-#endif
/*
Append tvb[offset:offset+length] to out
@@ -10668,13 +10666,9 @@ dissect_smb2_transform_header(packet_info *pinfo, proto_tree *tree,
sti->session = smb2_get_session(sti->conv, sti->sesid, NULL, NULL);
smb2_add_session_info(sesid_tree, sesid_item, tvb, sesid_offset, sti->session);
-#if GCRYPT_VERSION_NUMBER >= 0x010600 /* 1.6.0 */
if (sti->flags & SMB2_TRANSFORM_FLAGS_ENCRYPTED) {
plain_data = decrypt_smb_payload(pinfo, tvb, offset, offset_aad, sti);
}
-#else
- (void) offset_aad;
-#endif
*enc_tvb = tvb_new_subset_length(tvb, offset, sti->size);
if (plain_data != NULL) {
@@ -10829,7 +10823,7 @@ dissect_smb2_tid_sesid(packet_info *pinfo _U_, proto_tree *tree, tvbuff_t *tvb,
return offset;
}
-#if GCRYPT_VERSION_NUMBER >= 0x010600
+
static void
dissect_smb2_signature(packet_info *pinfo, tvbuff_t *tvb, int offset, proto_tree *tree, smb2_info_t *si)
{
@@ -10896,7 +10890,6 @@ dissect_smb2_signature(packet_info *pinfo, tvbuff_t *tvb, int offset, proto_tree
return;
}
-#endif
static int
dissect_smb2(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, gboolean first_in_chain)
@@ -11063,11 +11056,7 @@ dissect_smb2(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, gboolea
offset = dissect_smb2_tid_sesid(pinfo, header_tree, tvb, offset, si);
/* Signature */
-#if GCRYPT_VERSION_NUMBER >= 0x010600
dissect_smb2_signature(pinfo, tvb, offset, header_tree, si);
-#else
- proto_tree_add_item(header_tree, hf_smb2_signature, tvb, offset, 16, ENC_NA);
-#endif
offset += 16;
proto_item_set_len(header_item, offset);
diff --git a/epan/dissectors/packet-ssh.c b/epan/dissectors/packet-ssh.c
index cf4da6297a..f343640f29 100644
--- a/epan/dissectors/packet-ssh.c
+++ b/epan/dissectors/packet-ssh.c
@@ -83,11 +83,6 @@ void proto_reg_handoff_ssh(void);
/* proto data */
-#if GCRYPT_VERSION_NUMBER >= 0x010700 /* 1.7.0 */
-#define SSH_DECRYPTION_SUPPORTED
-#endif
-
-#ifdef SSH_DECRYPTION_SUPPORTED
typedef struct {
guint8 *data;
guint length;
@@ -114,7 +109,6 @@ typedef struct {
gboolean from_server;
ssh_message_info_t * messages;
} ssh_packet_info_t;
-#endif
typedef struct _ssh_channel_info_t {
guint client_channel_number;
@@ -152,12 +146,10 @@ struct ssh_peer_data {
gint length_is_plaintext;
-#ifdef SSH_DECRYPTION_SUPPORTED
// see libgcrypt source, gcrypt.h:gcry_cipher_algos
guint cipher_id;
// chacha20 needs two cipher handles
gcry_cipher_hd_t cipher, cipher_2;
-#endif
guint sequence_number;
guint32 seq_num_kex_init;
// union ??? -- begin
@@ -173,9 +165,7 @@ struct ssh_peer_data {
guint32 seq_num_dh_rep;
// union ??? -- end
guint32 seq_num_new_key;
-#ifdef SSH_DECRYPTION_SUPPORTED
ssh_bignum *bn_cookie;
-#endif
struct ssh_flow_data * global_data;
};
@@ -192,7 +182,6 @@ struct ssh_flow_data {
#define SERVER_PEER_DATA 1
struct ssh_peer_data peer_data[2];
-#ifdef SSH_DECRYPTION_SUPPORTED
gchar *session_id;
guint session_id_length;
ssh_bignum *kex_e;
@@ -206,13 +195,10 @@ struct ssh_flow_data {
wmem_array_t *kex_shared_secret;
gboolean do_decrypt;
ssh_bignum new_keys[6];
-#endif
ssh_channel_info_t *channel_info;
};
-#ifdef SSH_DECRYPTION_SUPPORTED
static GHashTable * ssh_master_key_map = NULL;
-#endif
static int proto_ssh = -1;
@@ -391,12 +377,10 @@ static gboolean ssh_desegment = TRUE;
static dissector_handle_t ssh_handle;
static dissector_handle_t sftp_handle=NULL;
-#ifdef SSH_DECRYPTION_SUPPORTED
static const char *pref_keylog_file;
static FILE *ssh_keylog_file;
#define SSH_DECRYPT_DEBUG
-#endif
#ifdef SSH_DECRYPT_DEBUG
static const gchar *ssh_debug_file_name = NULL;
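Review bot: `#define SSH_DECRYPT_DEBUG` is now unconditional, so the `#ifdef SSH_DECRYPT_DEBUG` on the very next line can never be false and the decryption debug trace is compiled into every build. Before this change the define was tied to `SSH_DECRYPTION_SUPPORTED`, which gave the guard a purpose. Either remove the macro together with its guards, or keep it as a deliberate switch and say so above the define, e.g. `/* Developer toggle: comment out to build without the SSH decryption debug trace. */`. The hunk does not show what the trace writes; since it sits next to the key-log preference, the preference text should state whether key material can appear in the debug file.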
@@ -569,7 +553,6 @@ static void ssh_choose_algo(gchar *client, gchar *server, gchar **result);
static void ssh_set_mac_length(struct ssh_peer_data *peer_data);
static void ssh_set_kex_specific_dissector(struct ssh_flow_data *global_data);
-#ifdef SSH_DECRYPTION_SUPPORTED
static void ssh_keylog_read_file(void);
static void ssh_keylog_process_line(const char *line);
static void ssh_keylog_process_lines(const guint8 *data, guint datalen);
@@ -629,8 +612,6 @@ static void set_subdissector_for_channel(struct ssh_peer_data *peer_data, guint
#define SSH_DEBUG_USE_STDERR "-"
-#endif /* SSH_DECRYPTION_SUPPORTED */
-
#ifdef SSH_DECRYPT_DEBUG
static void
ssh_debug_printf(const gchar* fmt,...) G_GNUC_PRINTF(1,2);
@@ -680,7 +661,6 @@ dissect_ssh(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)
global_data->kex_specific_dissector = ssh_dissect_kex_dh;
global_data->peer_data[CLIENT_PEER_DATA].mac_length = -1;
global_data->peer_data[SERVER_PEER_DATA].mac_length = -1;
-#ifdef SSH_DECRYPTION_SUPPORTED
global_data->peer_data[CLIENT_PEER_DATA].sequence_number = 0;
global_data->peer_data[SERVER_PEER_DATA].sequence_number = 0;
global_data->peer_data[CLIENT_PEER_DATA].seq_num_kex_init = 0;
@@ -715,7 +695,6 @@ dissect_ssh(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)
global_data->kex_server_host_key_blob = wmem_array_new(wmem_file_scope(), 1);
global_data->kex_shared_secret = wmem_array_new(wmem_file_scope(), 1);
global_data->do_decrypt = TRUE;
-#endif
conversation_add_proto_data(conversation, proto_ssh, global_data);
}
@@ -854,13 +833,11 @@ ssh_dissect_ssh2(tvbuff_t *tvb, packet_info *pinfo,
offset, ssh2_tree, is_response,
need_desegmentation);
-#ifdef SSH_DECRYPTION_SUPPORTED
if (!*need_desegmentation) {
ssh_increment_message_number(pinfo, global_data, is_response);
}else{
break;
}
-#endif
} else {
if(!*need_desegmentation){
offset = ssh_try_dissect_encrypted_packet(tvb, pinfo,
@@ -1041,13 +1018,8 @@ ssh_tree_add_hostkey(tvbuff_t *tvb, int offset, proto_tree *parent_tree,
proto_tree_add_uint(tree, hf_ssh_hostkey_length, tvb, last_offset, 4, key_len);
// server host key (K_S / Q)
-#ifdef SSH_DECRYPTION_SUPPORTED
gchar *data = (gchar *)tvb_memdup(wmem_packet_scope(), tvb, last_offset + 4, key_len);
ssh_hash_buffer_put_string(global_data->kex_server_host_key_blob, data, key_len);
-#else
- // ignore unused parameter complaint
- (void)global_data;
-#endif
last_offset += 4;
proto_tree_add_uint(tree, hf_ssh_hostkey_type_length, tvb, last_offset, 4, type_len);
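Review bot: The host-key copy into `global_data->kex_server_host_key_blob` is now unconditional, and nothing visible in this hunk limits it to the first dissection pass. The version-string and KEXINIT copies elsewhere in this file sit under `if (!PINFO_FD_VISITED(pinfo))`. If `ssh_hash_buffer_put_string` appends, as its name suggests, every re-dissection of the frame adds the blob to that file-scoped array again, which grows it and changes the input to any exchange hash computed afterwards. I would wrap the `tvb_memdup` and `ssh_hash_buffer_put_string` lines in `if (!PINFO_FD_VISITED(pinfo)) { ... }`. The parameters of `ssh_tree_add_hostkey` visible here do not include `pinfo`, so it may need to be passed in or the guard placed in the caller. The function body starts and ends outside the hunk.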
@@ -1239,13 +1211,11 @@ ssh_dissect_key_exchange(tvbuff_t *tvb, packet_info *pinfo,
if ((peer_data->frame_key_start == 0) || (peer_data->frame_key_start == pinfo->num)) {
if (!PINFO_FD_VISITED(pinfo)) {
peer_data->frame_key_start = pinfo->num;
-#ifdef SSH_DECRYPTION_SUPPORTED
if(global_data->peer_data[is_response].seq_num_kex_init == 0){
global_data->peer_data[is_response].seq_num_kex_init = global_data->peer_data[is_response].sequence_number;
global_data->peer_data[is_response].sequence_number++;
ssh_debug_printf("%s->sequence_number{SSH_MSG_KEXINIT=%d}++ > %d\n", is_response?"server":"client", global_data->peer_data[is_response].seq_num_kex_init, global_data->peer_data[is_response].sequence_number);
}
-#endif
}
}
seq_num = global_data->peer_data[is_response].seq_num_kex_init;
@@ -1258,13 +1228,11 @@ ssh_dissect_key_exchange(tvbuff_t *tvb, packet_info *pinfo,
global_data->peer_data[SERVER_PEER_DATA].enc_proposals[is_response],
&peer_data->enc);
-#ifdef SSH_DECRYPTION_SUPPORTED
if(global_data->peer_data[is_response].seq_num_new_key == 0){
global_data->peer_data[is_response].seq_num_new_key = global_data->peer_data[is_response].sequence_number;
global_data->peer_data[is_response].sequence_number++;
ssh_debug_printf("%s->sequence_number{SSH_MSG_NEWKEYS=%d}++ > %d\n", is_response?"server":"client", global_data->peer_data[is_response].seq_num_new_key, global_data->peer_data[is_response].sequence_number);
}
-#endif
/* some ciphers have their own MAC so the "negotiated" one is meaningless */
if(peer_data->enc && (0 == strcmp(peer_data->enc, "aes128-gcm@openssh.com") ||
@@ -1289,7 +1257,6 @@ ssh_dissect_key_exchange(tvbuff_t *tvb, packet_info *pinfo,
&peer_data->comp);
// the client sent SSH_MSG_NEWKEYS
-#ifdef SSH_DECRYPTION_SUPPORTED
if (!is_response) {
ssh_decryption_set_cipher_id(&global_data->peer_data[CLIENT_PEER_DATA]);
ssh_debug_printf("Activating new keys for CLIENT => SERVER\n");
@@ -1299,7 +1266,6 @@ ssh_dissect_key_exchange(tvbuff_t *tvb, packet_info *pinfo,
ssh_debug_printf("Activating new keys for SERVER => CLIENT\n");
ssh_decryption_setup_cipher(&global_data->peer_data[SERVER_PEER_DATA], &global_data->new_keys[1], &global_data->new_keys[3]);
}
-#endif
}
seq_num = global_data->peer_data[is_response].seq_num_new_key;
@@ -1334,13 +1300,11 @@ static int ssh_dissect_kex_dh(guint8 msg_code, tvbuff_t *tvb,
switch (msg_code) {
case SSH_MSG_KEXDH_INIT:
-#ifdef SSH_DECRYPTION_SUPPORTED
// e (client ephemeral key public part)
if (!ssh_read_e(tvb, offset, global_data)) {
proto_tree_add_expert_format(tree, pinfo, &ei_ssh_invalid_keylen, tvb, offset, 2,
"Invalid key length: %u", tvb_get_ntohl(tvb, offset));
}
-#endif
offset += ssh_tree_add_mpint(tvb, offset, tree, hf_ssh_dh_e);
if(global_data->peer_data[CLIENT_PEER_DATA].seq_num_dh_ini == 0){
@@ -1355,14 +1319,12 @@ static int ssh_dissect_kex_dh(guint8 msg_code, tvbuff_t *tvb,
offset += ssh_tree_add_hostkey(tvb, offset, tree, "KEX host key",
ett_key_exchange_host_key, global_data);
-#ifdef SSH_DECRYPTION_SUPPORTED
// f (server ephemeral key public part), K_S (host key)
if (!ssh_read_f(tvb, offset, global_data)) {
proto_tree_add_expert_format(tree, pinfo, &ei_ssh_invalid_keylen, tvb, offset, 2,
"Invalid key length: %u", tvb_get_ntohl(tvb, offset));
}
ssh_keylog_hash_write_secret(global_data);
-#endif
offset += ssh_tree_add_mpint(tvb, offset, tree, hf_ssh_dh_f);
offset += ssh_tree_add_hostsignature(tvb, pinfo, offset, tree, "KEX host signature",
@@ -1464,7 +1426,6 @@ ssh_dissect_kex_ecdh(guint8 msg_code, tvbuff_t *tvb,
switch (msg_code) {
case SSH_MSG_KEX_ECDH_INIT:
-#ifdef SSH_DECRYPTION_SUPPORTED
if (!ssh_read_e(tvb, offset, global_data)) {
proto_tree_add_expert_format(tree, pinfo, &ei_ssh_invalid_keylen, tvb, offset, 2,
"Invalid key length: %u", tvb_get_ntohl(tvb, offset));
@@ -1478,10 +1439,6 @@ ssh_dissect_kex_ecdh(guint8 msg_code, tvbuff_t *tvb,
}
}
*seq_num = global_data->peer_data[CLIENT_PEER_DATA].seq_num_ecdh_ini;
-#else
- // ignore unused parameter complaint
- (void)seq_num;
-#endif
offset += ssh_tree_add_string(tvb, offset, tree, hf_ssh_ecdh_q_c, hf_ssh_ecdh_q_c_length);
break;
@@ -1490,7 +1447,6 @@ ssh_dissect_kex_ecdh(guint8 msg_code, tvbuff_t *tvb,
offset += ssh_tree_add_hostkey(tvb, offset, tree, "KEX host key",
ett_key_exchange_host_key, global_data);
-#ifdef SSH_DECRYPTION_SUPPORTED
if (!ssh_read_f(tvb, offset, global_data)){
proto_tree_add_expert_format(tree, pinfo, &ei_ssh_invalid_keylen, tvb, offset, 2,
"Invalid key length: %u", tvb_get_ntohl(tvb, offset));
@@ -1503,7 +1459,6 @@ ssh_dissect_kex_ecdh(guint8 msg_code, tvbuff_t *tvb,
ssh_debug_printf("%s->sequence_number{SSH_MSG_KEX_ECDH_REPLY=%d}++ > %d\n", SERVER_PEER_DATA?"server":"client", global_data->peer_data[SERVER_PEER_DATA].seq_num_ecdh_rep, global_data->peer_data[SERVER_PEER_DATA].sequence_number);
}
*seq_num = global_data->peer_data[SERVER_PEER_DATA].seq_num_ecdh_rep;
-#endif
offset += ssh_tree_add_string(tvb, offset, tree, hf_ssh_ecdh_q_s, hf_ssh_ecdh_q_s_length);
offset += ssh_tree_add_hostsignature(tvb, pinfo, offset, tree, "KEX host signature",
@@ -1518,13 +1473,11 @@ static int
ssh_try_dissect_encrypted_packet(tvbuff_t *tvb, packet_info *pinfo,
struct ssh_peer_data *peer_data, int offset, proto_tree *tree)
{
-#ifdef SSH_DECRYPTION_SUPPORTED
gboolean can_decrypt = peer_data->cipher != NULL;
if (can_decrypt) {
return ssh_decrypt_packet(tvb, pinfo, peer_data, offset, tree);
}
-#endif
return ssh_dissect_encrypted_packet(tvb, pinfo, peer_data, offset, tree);
}
@@ -1634,7 +1587,6 @@ ssh_dissect_protocol(tvbuff_t *tvb, packet_info *pinfo,
// V_C / V_S (client and server identification strings) RFC4253 4.2
// format: SSH-protoversion-softwareversion SP comments [CR LF not incl.]
-#ifdef SSH_DECRYPTION_SUPPORTED
if (!PINFO_FD_VISITED(pinfo)) {
gchar *data = (gchar *)tvb_memdup(wmem_packet_scope(), tvb, offset, protolen);
if(!is_response){
@@ -1643,7 +1595,6 @@ ssh_dissect_protocol(tvbuff_t *tvb, packet_info *pinfo,
ssh_hash_buffer_put_string(global_data->kex_server_version, data, protolen);
}
}
-#endif
proto_tree_add_item(tree, hf_ssh_protocol,
tvb, offset, protolen, ENC_ASCII);
@@ -1760,11 +1711,7 @@ ssh_choose_algo(gchar *client, gchar *server, gchar **result)
}
static int
-#ifdef SSH_DECRYPTION_SUPPORTED
ssh_dissect_key_init(tvbuff_t *tvb, packet_info *pinfo, int offset,
-#else
-ssh_dissect_key_init(tvbuff_t *tvb, packet_info *pinfo _U_, int offset,
-#endif
proto_tree *tree, int is_response, struct ssh_flow_data *global_data)
{
int start_offset = offset;
@@ -1778,11 +1725,9 @@ ssh_dissect_key_init(tvbuff_t *tvb, packet_info *pinfo _U_, int offset,
struct ssh_peer_data *peer_data = &global_data->peer_data[is_response];
key_init_tree = proto_tree_add_subtree(tree, tvb, offset, -1, ett_key_init, &tf, "Algorithms");
-#ifdef SSH_DECRYPTION_SUPPORTED
if (!PINFO_FD_VISITED(pinfo)) {
peer_data->bn_cookie = ssh_kex_make_bignum(tvb_get_ptr(tvb, offset, 16), 16);
}
-#endif
proto_tree_add_item(key_init_tree, hf_ssh_cookie,
tvb, offset, 16, ENC_NA);
offset += 16;
@@ -1871,7 +1816,6 @@ ssh_dissect_key_init(tvbuff_t *tvb, packet_info *pinfo _U_, int offset,
proto_item_set_len(tf, payload_length);
}
-#ifdef SSH_DECRYPTION_SUPPORTED
// I_C / I_S (client and server SSH_MSG_KEXINIT payload) RFC4253 4.2
if (!PINFO_FD_VISITED(pinfo)) {
gchar *data = (gchar *)wmem_alloc(wmem_packet_scope(), payload_length + 1);
@@ -1883,7 +1827,6 @@ ssh_dissect_key_init(tvbuff_t *tvb, packet_info *pinfo _U_, int offset,
ssh_hash_buffer_put_string(global_data->kex_client_key_exchange_init, data, payload_length + 1);
}
}
-#endif
return offset;
}
@@ -1905,7 +1848,6 @@ ssh_dissect_proposal(tvbuff_t *tvb, int offset, proto_tree *tree,
return offset;
}
-#ifdef SSH_DECRYPTION_SUPPORTED
static void
ssh_keylog_read_file(void)
{
@@ -3346,8 +3288,6 @@ ssh_hash (gconstpointer v)
}
/* Functions for SSH random hashtables. }}} */
-#endif /* SSH_DECRYPTION_SUPPORTED */
-
void
proto_register_ssh(void)
{
@@ -4062,7 +4002,6 @@ proto_register_ssh(void)
"To use this option, you must also enable \"Allow subdissectors to reassemble TCP streams\" in the TCP protocol settings.",
&ssh_desegment);
-#ifdef SSH_DECRYPTION_SUPPORTED
ssh_master_key_map = g_hash_table_new(ssh_hash, ssh_equal);
prefs_register_filename_preference(ssh_module, "keylog_file", "Key log filename",
"The path to the file which contains a list of key exchange secrets in the following format:\n"
@@ -4075,7 +4014,6 @@ proto_register_ssh(void)
&ssh_debug_file_name, TRUE);
secrets_register_type(SECRETS_TYPE_SSH, ssh_secrets_block_callback);
-#endif
ssh_handle = register_dissector("ssh", dissect_ssh, proto_ssh);
}
diff --git a/epan/dissectors/packet-tls.c b/epan/dissectors/packet-tls.c
index 10e679f4e2..f8dc1ff7a4 100644
--- a/epan/dissectors/packet-tls.c
+++ b/epan/dissectors/packet-tls.c
@@ -3920,7 +3920,6 @@ tls_get_alpn(packet_info *pinfo)
}
/* TLS Exporters {{{ */
-#if GCRYPT_VERSION_NUMBER >= 0x010600 /* 1.6.0 */
/**
* Computes the TLS 1.3 Exporter value (RFC 8446 Section 7.5).
*
@@ -4009,7 +4008,6 @@ tls13_exporter(packet_info *pinfo, gboolean is_early,
return tls13_exporter_common(hash_algo, secret, label, context, context_length, key_length, out);
}
-#endif
/* }}} */
diff --git a/epan/dissectors/packet-wireguard.c b/epan/dissectors/packet-wireguard.c
index 50bb98a6d0..32188ae2e9 100644
--- a/epan/dissectors/packet-wireguard.c
+++ b/epan/dissectors/packet-wireguard.c
@@ -33,11 +33,6 @@
#include <epan/secrets.h>
#include <wiretap/secrets-types.h>
-#if GCRYPT_VERSION_NUMBER >= 0x010800 /* 1.8.0 */
-/* Decryption requires Curve25519, ChaCha20-Poly1305 (1.7) and Blake2s (1.8). */
-#define WG_DECRYPTION_SUPPORTED
-#endif
-
void proto_reg_handoff_wg(void);
void proto_register_wg(void);
@@ -78,12 +73,10 @@ static expert_field ei_wg_bad_packet_length = EI_INIT;
static expert_field ei_wg_keepalive = EI_INIT;
static expert_field ei_wg_decryption_error = EI_INIT;
-#ifdef WG_DECRYPTION_SUPPORTED
static gboolean pref_dissect_packet = TRUE;
static const char *pref_keylog_file;
static dissector_handle_t ip_handle;
-#endif /* WG_DECRYPTION_SUPPORTED */
static dissector_handle_t wg_handle;
@@ -105,7 +98,6 @@ static const value_string wg_type_names[] = {
{ 0x00, NULL }
};
-#ifdef WG_DECRYPTION_SUPPORTED
/* Decryption types. {{{ */
/*
* Most operations operate on 32 byte units (keys and hash output).
@@ -237,7 +229,6 @@ static wg_qqword hash_of_construction;
/** Hash(Hash(CONSTRUCTION) || IDENTIFIER), initialized by wg_decrypt_init. */
static wg_qqword hash_of_c_identifier;
/* Decryption types. }}} */
-#endif /* WG_DECRYPTION_SUPPORTED */
/*
* Information required to process and link messages as required on the first
@@ -263,9 +254,7 @@ typedef struct {
guint32 initiator_frame;
guint32 response_frame; /* Responder or Cookie Reply message. */
wg_initial_info_t initial; /* Valid only on the first pass. */
-#ifdef WG_DECRYPTION_SUPPORTED
wg_handshake_state_t *hs; /* Handshake state to enable decryption. */
-#endif /* WG_DECRYPTION_SUPPORTED */
} wg_session_t;
/* Per-packet state. */
@@ -279,7 +268,6 @@ static wmem_map_t *sessions;
static guint32 wg_session_count;
-#ifdef WG_DECRYPTION_SUPPORTED
/* Key conversion routines. {{{ */
/* Import external random data as private key. */
static void
@@ -1018,7 +1006,6 @@ wg_process_response(tvbuff_t *tvb, wg_handshake_state_t *hs)
hs->initiator_recv_cipher = wg_create_cipher(&transport_keys[1]);
hs->responder_recv_cipher = wg_create_cipher(&transport_keys[0]);
}
-#endif /* WG_DECRYPTION_SUPPORTED */
static void
@@ -1129,7 +1116,6 @@ wg_sessions_lookup(packet_info *pinfo, guint32 receiver_id, gboolean *receiver_i
return NULL;
}
-#ifdef WG_DECRYPTION_SUPPORTED
/*
* Finds the static public key for the receiver of this message based on the
* MAC1 value.
@@ -1248,7 +1234,6 @@ wg_dissect_key_extra(proto_tree *tree, tvbuff_t *tvb, const wg_qqword *pubkey, g
ti = proto_tree_add_boolean(tree, hf_known_privkey, tvb, 0, 0, has_private);
proto_item_set_generated(ti);
}
-#endif /* WG_DECRYPTION_SUPPORTED */
static void
@@ -1260,16 +1245,11 @@ wg_dissect_pubkey(proto_tree *tree, tvbuff_t *tvb, int offset, gboolean is_ephem
g_free(str);
int hf_id = is_ephemeral ? hf_wg_ephemeral : hf_wg_static;
-#ifdef WG_DECRYPTION_SUPPORTED
proto_item *ti = proto_tree_add_string(tree, hf_id, tvb, offset, 32, key_str);
proto_tree *key_tree = proto_item_add_subtree(ti, ett_key_info);
wg_dissect_key_extra(key_tree, tvb, (const wg_qqword *)pubkey, is_ephemeral);
-#else
- proto_tree_add_string(tree, hf_id, tvb, offset, 32, key_str);
-#endif
}
-#ifdef WG_DECRYPTION_SUPPORTED
static void
wg_dissect_decrypted_static(tvbuff_t *tvb, packet_info *pinfo, proto_tree *wg_tree, wg_handshake_state_t *hs)
{
@@ -1358,7 +1338,6 @@ wg_dissect_mac1_pubkey(proto_tree *tree, tvbuff_t *tvb, const wg_skey_t *skey)
ti = proto_tree_add_boolean(key_tree, hf_wg_receiver_pubkey_known_privkey, tvb, 0, 0, !!has_private_key(&skey->priv_key));
proto_item_set_generated(ti);
}
-#endif /* WG_DECRYPTION_SUPPORTED */
static int
wg_dissect_handshake_initiation(tvbuff_t *tvb, packet_info *pinfo, proto_tree *wg_tree, wg_packet_info_t *wg_pinfo)
@@ -1366,7 +1345,6 @@ wg_dissect_handshake_initiation(tvbuff_t *tvb, packet_info *pinfo, proto_tree *w
guint32 sender_id;
proto_item *ti;
-#ifdef WG_DECRYPTION_SUPPORTED
wg_keylog_read();
const wg_skey_t *skey_r = wg_mac1_key_probe(tvb, TRUE);
wg_handshake_state_t *hs = NULL;
@@ -1381,23 +1359,16 @@ wg_dissect_handshake_initiation(tvbuff_t *tvb, packet_info *pinfo, proto_tree *w
} else if (wg_pinfo && wg_pinfo->session) {
hs = wg_pinfo->session->hs;
}
-#endif /* WG_DECRYPTION_SUPPORTED */
proto_tree_add_item_ret_uint(wg_tree, hf_wg_sender, tvb, 4, 4, ENC_LITTLE_ENDIAN, &sender_id);
col_append_fstr(pinfo->cinfo, COL_INFO, ", sender=0x%08X", sender_id);
wg_dissect_pubkey(wg_tree, tvb, 8, TRUE);
proto_tree_add_item(wg_tree, hf_wg_encrypted_static, tvb, 40, 32 + AUTH_TAG_LENGTH, ENC_NA);
-#ifdef WG_DECRYPTION_SUPPORTED
wg_dissect_decrypted_static(tvb, pinfo, wg_tree, hs);
-#endif /* WG_DECRYPTION_SUPPORTED */
proto_tree_add_item(wg_tree, hf_wg_encrypted_timestamp, tvb, 88, 12 + AUTH_TAG_LENGTH, ENC_NA);
-#ifdef WG_DECRYPTION_SUPPORTED
wg_dissect_decrypted_timestamp(tvb, pinfo, wg_tree, hs);
-#endif /* WG_DECRYPTION_SUPPORTED */
proto_tree_add_item(wg_tree, hf_wg_mac1, tvb, 116, 16, ENC_NA);
-#ifdef WG_DECRYPTION_SUPPORTED
wg_dissect_mac1_pubkey(wg_tree, tvb, skey_r);
-#endif /* WG_DECRYPTION_SUPPORTED */
proto_tree_add_item(wg_tree, hf_wg_mac2, tvb, 132, 16, ENC_NA);
if (!PINFO_FD_VISITED(pinfo)) {
@@ -1406,9 +1377,7 @@ wg_dissect_handshake_initiation(tvbuff_t *tvb, packet_info *pinfo, proto_tree *w
wg_session_t *session = wg_session_new();
session->initiator_frame = pinfo->num;
wg_session_update_address(session, pinfo, TRUE);
-#ifdef WG_DECRYPTION_SUPPORTED
session->hs = hs;
-#endif /* WG_DECRYPTION_SUPPORTED */
wg_sessions_insert(sender_id, session);
wg_pinfo->session = session;
}
@@ -1432,10 +1401,8 @@ wg_dissect_handshake_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *wg_
proto_item *ti;
wg_session_t *session;
-#ifdef WG_DECRYPTION_SUPPORTED
wg_keylog_read();
const wg_skey_t *skey_i = wg_mac1_key_probe(tvb, FALSE);
-#endif /* WG_DECRYPTION_SUPPORTED */
proto_tree_add_item_ret_uint(wg_tree, hf_wg_sender, tvb, 4, 4, ENC_LITTLE_ENDIAN, &sender_id);
col_append_fstr(pinfo->cinfo, COL_INFO, ", sender=0x%08X", sender_id);
@@ -1444,28 +1411,22 @@ wg_dissect_handshake_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *wg_
if (!PINFO_FD_VISITED(pinfo)) {
session = wg_sessions_lookup_initiation(pinfo, receiver_id);
-#ifdef WG_DECRYPTION_SUPPORTED
if (session && session->hs) {
wg_prepare_handshake_responder_keys(session->hs, tvb);
wg_process_response(tvb, session->hs);
}
-#endif /* WG_DECRYPTION_SUPPORTED */
} else {
session = wg_pinfo ? wg_pinfo->session : NULL;
}
wg_dissect_pubkey(wg_tree, tvb, 12, TRUE);
proto_tree_add_item(wg_tree, hf_wg_encrypted_empty, tvb, 44, 16, ENC_NA);
-#ifdef WG_DECRYPTION_SUPPORTED
if (session && session->hs) {
ti = proto_tree_add_boolean(wg_tree, hf_wg_handshake_ok, tvb, 0, 0, !!session->hs->empty_ok);
proto_item_set_generated(ti);
}
-#endif /* WG_DECRYPTION_SUPPORTED */
proto_tree_add_item(wg_tree, hf_wg_mac1, tvb, 60, 16, ENC_NA);
-#ifdef WG_DECRYPTION_SUPPORTED
wg_dissect_mac1_pubkey(wg_tree, tvb, skey_i);
-#endif /* WG_DECRYPTION_SUPPORTED */
proto_tree_add_item(wg_tree, hf_wg_mac2, tvb, 76, 16, ENC_NA);
if (!PINFO_FD_VISITED(pinfo)) {
@@ -1566,11 +1527,9 @@ wg_dissect_data(tvbuff_t *tvb, packet_info *pinfo, proto_tree *wg_tree, wg_packe
proto_item_set_generated(ti);
}
-#ifdef WG_DECRYPTION_SUPPORTED
if (session && session->hs) {
wg_dissect_decrypted_packet(tvb, pinfo, wg_tree, wg_pinfo, counter, packet_length - AUTH_TAG_LENGTH);
}
-#endif /* WG_DECRYPTION_SUPPORTED */
return 16 + packet_length;
}
@@ -1712,9 +1671,7 @@ wg_init(void)
void
proto_register_wg(void)
{
-#ifdef WG_DECRYPTION_SUPPORTED
module_t *wg_module;
-#endif /* WG_DECRYPTION_SUPPORTED */
expert_module_t *expert_wg;
static hf_register_info hf[] = {
@@ -1888,14 +1845,12 @@ proto_register_wg(void)
},
};
-#ifdef WG_DECRYPTION_SUPPORTED
/* UAT for header fields */
static uat_field_t wg_key_uat_fields[] = {
UAT_FLD_VS(wg_key_uat, key_type, "Key type", wg_key_uat_type_vals, "Public or Private"),
UAT_FLD_CSTRING(wg_key_uat, key, "Key", "Base64-encoded key"),
UAT_END_FIELDS
};
-#endif /* WG_DECRYPTION_SUPPORTED */
proto_wg = proto_register_protocol("WireGuard Protocol", "WireGuard", "wg");
@@ -1907,7 +1862,6 @@ proto_register_wg(void)
wg_handle = register_dissector("wg", dissect_wg, proto_wg);
-#ifdef WG_DECRYPTION_SUPPORTED
wg_module = prefs_register_protocol(proto_wg, NULL);
uat_t *wg_keys_uat = uat_new("WireGuard static keys",
@@ -1949,12 +1903,9 @@ proto_register_wg(void)
secrets_register_type(SECRETS_TYPE_WIREGUARD, wg_keylog_process_lines);
wg_ephemeral_keys = wmem_map_new_autoreset(wmem_epan_scope(), wmem_file_scope(), g_int_hash, wg_pubkey_equal);
-#endif /* WG_DECRYPTION_SUPPORTED */
register_init_routine(wg_init);
-#ifdef WG_DECRYPTION_SUPPORTED
register_cleanup_routine(wg_keylog_reset);
-#endif /* WG_DECRYPTION_SUPPORTED */
sessions = wmem_map_new_autoreset(wmem_epan_scope(), wmem_file_scope(), g_direct_hash, g_direct_equal);
}
@@ -1964,9 +1915,7 @@ proto_reg_handoff_wg(void)
dissector_add_uint_with_preference("udp.port", 0, wg_handle);
heur_dissector_add("udp", dissect_wg_heur, "WireGuard", "wg", proto_wg, HEURISTIC_ENABLE);
-#ifdef WG_DECRYPTION_SUPPORTED
ip_handle = find_dissector("ip");
-#endif /* WG_DECRYPTION_SUPPORTED */
}
/*
diff --git a/wsutil/curve25519.c b/wsutil/curve25519.c
index 39e8b7389d..bf80c58635 100644
--- a/wsutil/curve25519.c
+++ b/wsutil/curve25519.c
@@ -13,11 +13,6 @@
#include "curve25519.h"
#include "ws_attributes.h"
-#if GCRYPT_VERSION_NUMBER >= 0x010700 /* 1.7.0 */
-#define HAVE_X25519
-#endif
-
-#ifdef HAVE_X25519
static inline void
copy_and_reverse(unsigned char *dest, const unsigned char *src, size_t n)
{
@@ -105,17 +100,3 @@ crypto_scalarmult_curve25519_base(unsigned char *q, const unsigned char *n)
gcry_mpi_release(mpi_basepoint_x);
return r;
}
-#else
-int
-crypto_scalarmult_curve25519(unsigned char *q _U_, const unsigned char *n _U_,
- const unsigned char *p _U_)
-{
- return -1;
-}
-
-int
-crypto_scalarmult_curve25519_base(unsigned char *q _U_, const unsigned char *n _U_)
-{
- return -1;
-}
-#endif /* HAVE_X25519 */
diff --git a/wsutil/curve25519.h b/wsutil/curve25519.h
index 387ee29f5d..b2599d19c7 100644
--- a/wsutil/curve25519.h
+++ b/wsutil/curve25519.h
@@ -10,10 +10,6 @@
* SPDX-License-Identifier: GPL-2.0-or-later
*/
-/*
- * Callers MUST check GCRYPT_VERSION_NUMBER >= 0x010700 before using this API.
- */
-
#ifndef __CURVE25519_H__
#define __CURVE25519_H__
diff --git a/wsutil/wsgcrypt.c b/wsutil/wsgcrypt.c
index caf766af2d..96449896fa 100644
--- a/wsutil/wsgcrypt.c
+++ b/wsutil/wsgcrypt.c
@@ -30,7 +30,6 @@ gcry_error_t ws_hmac_buffer(int algo, void *digest, const void *buffer, size_t l
return GPG_ERR_NO_ERROR;
}
-#if GCRYPT_VERSION_NUMBER >= 0x010600
gcry_error_t ws_cmac_buffer(int algo, void *digest, const void *buffer, size_t length, const void *key, size_t keylen)
{
gcry_mac_hd_t cmac_handle;
@@ -48,12 +47,6 @@ gcry_error_t ws_cmac_buffer(int algo, void *digest, const void *buffer, size_t l
gcry_mac_close(cmac_handle);
return result;
}
-#else
-gcry_error_t ws_cmac_buffer(int algo _U_, void *digest _U_, const void *buffer _U_, size_t length _U_, const void *key _U_, size_t keylen _U_)
-{
- return GPG_ERR_UNSUPPORTED_ALGORITHM;
-}
-#endif
void crypt_des_ecb(guint8 *output, const guint8 *buffer, const guint8 *key56)
{
diff --git a/wsutil/wsgcrypt.h b/wsutil/wsgcrypt.h
index 1997ffa8c3..b29e34ef2d 100644
--- a/wsutil/wsgcrypt.h
+++ b/wsutil/wsgcrypt.h
@@ -27,20 +27,16 @@ DIAG_ON(deprecated-declarations)
* Define HAVE_LIBGCRYPT_AEAD here, because it's used in several source
* files.
*/
-#if GCRYPT_VERSION_NUMBER >= 0x010600 /* 1.6.0 */
/* Whether to provide support for authentication in addition to decryption. */
#define HAVE_LIBGCRYPT_AEAD
-#endif
/*
* Define some other "do we have?" items as well.
*/
-#if GCRYPT_VERSION_NUMBER >= 0x010700 /* 1.7.0 */
/* Whether ChaCh20 PNE can be supported. */
#define HAVE_LIBGCRYPT_CHACHA20
/* Whether AEAD_CHACHA20_POLY1305 can be supported. */
#define HAVE_LIBGCRYPT_CHACHA20_POLY1305
-#endif
#define HASH_MD5_LENGTH 16
#define HASH_SHA1_LENGTH 20
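Review bot: The comments above `HAVE_LIBGCRYPT_AEAD`, `HAVE_LIBGCRYPT_CHACHA20` and `HAVE_LIBGCRYPT_CHACHA20_POLY1305` still read as capability probes ("Whether ... can be supported", "do we have?" items), but after this change the three macros are always defined. A reader auditing which builds verify AEAD tags will be misled into thinking some builds skip authentication. I would replace the wording with something like `/* Always defined: the build requires Libgcrypt 1.8.0 or later; kept so existing #ifdef users still compile. */` and fix the `ChaCh20` typo while there. Any remaining `#ifdef HAVE_LIBGCRYPT_AEAD` users (outside this view) are now dead conditionals and are candidates for a follow-up cleanup.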