Age | Commit message (Collapse) | Author | Files | Lines |
|
On truncated TLS records, just fail when attempting to decrypt or
calculate the handshake hash instead of raising an BoundsError.
The appropriate exception will be raised later when fields are
actually added to the tree.
This only makes a difference on the first pass, especially with
unencrypted initial handshake messages, as we don't try to decrypt
or calculate the hash on the second pass.
Fix #18896
|
|
You're Not Supposed To Do That, as per RFC 8446 section 4.1.2 "Client
Hello".
Also do the equivalent check for DTLS, as RFC 9147 Section 5.3 "Client
Hello" says You're Not Supposed To Do The Equivalent. We don't yet
handle DTLS 1.3, but if we ever do....
Fixes #18851.
While we're at it, improve two comments to clarify what
ssl_dissect_hnd_hello_common() does (and to fix one place where the old
comment was incorrect).
|
|
RFC 2817. Ping #18825
|
|
When dissectors register for Follow Stream, have them register a
function for finding the next valid sub stream id for a given
stream and substream id pair. This function is NULL if the dissector
does not use sub stream IDs.
Use this function in follow_stream_dialog to update the sub stream
id widget (and use the absence of the function to disable and hide
the widget.) Use this function in the CLI tap-follow to determine
whether to parse a sub stream id from the command line options.
This removes the dependencies on epan/dissectors from the Qt
follow_stream_dialog, and gets us closer to having dissectors
being able to register for Follow Stream without having to update
anything in the common source code.
|
|
In the case of RDP traffic, the conversation usually starts with 3 TPKT packets
and then switch to TLS. The SSL dissector was setting the conversation dissector
without specifying any start packet which were leading to have the 3 first packets
interpreted as invalid SSL records (which they are as it's TPKT packets). This patch
fixes by specifying the first true SSL packet.
|
|
Add a tlsinfo struct that is similar to tcpinfo, and carries
the sequence number (within the TLS stream) and the end of
stream notification (from the TCP FIN or close_notify alerts)
in addition to the session app handle pointer already used
by TLS heuristic dissectors.
Have HTTP use the end of stream notification in order to
handle DESEGMENT_UNTIL_FIN the same way it does when HTTP
is directly over TCP. Also have HTTP use the sequence number
in order to reduce chunked processing from O(N^2) to O(N)
similar to done over TCP.
Update all the TLS heuristic dissectors that set the app
handle to use the new structure.
Note the workaround for the issue #15159 - the TLS dissector
has to report to the TCP dissector that desegmentation at FIN
is required, so that the TCP dissector will know to call the
TLS dissector at FIN. However, the TLS dissector does not request
that the TCP dissector resend bytes belonging to records that
TLS has already desegmented (and decrypted, if possible), to
avoid decrypting twice (and upsetting the decoder state.)
This can mean the TCP dissector calling the TLS dissector to
desegment at FIN with a zero byte payload. In such as case, the
TLS dissector artificially returns "1" byte dissected to avoid
indicating rejecting the payload and having the TLS (and subdissector)
layers removed. (TCP ignores the value returned when desegmenting
at FIN.)
Fix #9154. Fix #14382.
|
|
|
|
The fragment functions will work with a zero length fragment,
which might happen if a record length is zero in a malformed
packet and a reassembly is in progress. It is not by itself
a fatal error (and could actually work, even though
non-compliant.) There is already a tls.record.length.invalid
expert info added by ssl_check_record_length for this case.
Related to #17890.
|
|
GMTLS is a non-official name, now that these is a Chinese National Standard called
"GB/T 38636-2020 Information security technology—Transport layer cryptography protocol(TLCP)"
so we replace GMTLS by TLCP
|
|
Don't update the end of the msp on a second pass. (This
can only happen if we had some reassembly that didn't finish
in the first pass and got left dangling needing one more
segment. But that information is only used in the first pass.)
Use the same check as done in the TCP dissector.
Related to #18342.
|
|
Instead of having the UI have to know about each type of follow
stream, and how to retrieve its total number of streams, have
each follow type register a function that returns the total
number of stream. (The function can be NULL, for protocols like
SIP that do not use this.)
This gets us closer to making follow stream registration generic.
|
|
Rename dissector_handle_get_long_name() and
dissector_handle_get_short_name() to
dissector_handle_get_protocol_long_name() and
dissector_handle_get_protocol_short_name(), to clarify that they fetch
names for the protocol that the dissector dissects, not for the
dissector *itself*. Leave a deprecated
dissector_handle_get_short_name() wrapper, and export
dissector_handle_get_protocol_long_name(), as it's now used in some
dissectors.
Change some calls to dissector_handle_get_description() back to
dissector_handle_get_protocol_short_name(), as they appear to be made in
order to display a *protocol* name.
Rename some methods, variables, enums, and table column names to reflect
cases where the dissector description is being used.
|
|
A given protocol's packet format may depend, for example, on which
lower-level protocol is transporting the protocol in question. For
example, protocols that run atop both byte-stream protocols such as TCP
and TLS, and packet-oriented protocols such as UDP or DTLS, might begin
the packet with a length when running atop a byte-stream protocol, to
indicate where this packet ends and the next packet begins in the byte
stream, but not do so when running atop a packet-oriented protocol.
Dissectors can handle this in various ways:
For example, the dissector could attempt to determine the protocol over
which the packet was transported.
Unfortunately, many of those mechanisms do so by fetching data from the
packet_info structure, and many items in that structure act as global
variables, so that, for example, if there are two two PDUs for protocol
A inside a TCP segment, and the first protocol for PDU A contains a PDU
for protocol B, and protocol B's dissector, or a dissector it calls,
modifies the information in the packet_info structure so that it no
longer indicates that the parent protocol is TCP, the second PDU for
protocol A might not be correctly dissected.
Another such mechanism is to query the previous element in the layers
structure of the packet_info structure, which is a list of protocol IDs.
Unfortunately, that is not a list of earlier protocols in the protocol
stack, it's a list of earlier protocols in the dissection, which means
that, in the above example, when the second PDU for protocol A is
dissected, the list is {...,TCP,A,B,...,A}, which means that the
previous element in the list is not TCP, so, again, the second PDU for
protocol A will not be correctly dissected.
An alternative is to have multiple dissectors for the same protocol,
with the part of the protocol that's independent of the protocol
transporting the PDU being dissected by common code. Protocol B might
have an "over a byte-stream transport" dissector and an "over a packet
transport" dissector, with the first dissector being registered for use
over TCP and TLS and the other dissector being registered for use over
packet protocols. This mechanism, unlike the other mechanisms, is not
dependent on information in the packet_info structure that might be
affected by dissectors other than the one for the protocol that
transports protocol B.
Furthermore, in a LINKTYPE_WIRESHARK_UPPER_PDU pcap or pcapng packet for
protocol B, there might not be any information to indicate the protocol
that transports protocol B, so there would have to be separate
dissectors for protocol B, with separate names, so that a tag giving the
protocol name would differ for B-over-byte-stream and B-over-packets.
So:
We rename EXP_PDU_TAG_PROTO_NAME and EXP_PDU_TAG_HEUR_PROTO_NAME to
EXP_PDU_TAG_DISSECTOR_NAME and EXP_PDU_TAG_HEUR_DISSECTOR_NAME, to
emphasize that they are *not* protocol names, they are dissector names
(which has always been the case - if there's a protocol with that name,
but no dissector with that name, Wireshark will not be able to handle
the packet, as it will try to look up a dissector given that name and
fail).
We fix that exported PDU dissector to refer to those tags as dissector
names, not protocol names.
We update documentation to refer to them as DISSECTOR_NAME tags, not
PROTO_NAME tags. (If there is any documentation for this outside the
Wireshark source, it should be updated as well.)
We add comments for calls to dissector_handle_get_dissector_name() where
the dissector name is shown to the user, to indicate that it might be
that the protocol name should be used.
We update the TLS and DTLS dissectors to show the encapsulated protocol
as the string returned by dissector_handle_get_long_name(); as the
default is "Application Data", it appeaers that a descriptive name,
rather than a short API name, should be used. (We continue to use the
dissector name in debugging messages, to indicate which dissector was
called.)
|
|
A conversation in Wireshark might have two endpoints or might have no
endpoints; few if any have one endpoint. Distinguish between
conversations and endpoints.
|
|
ECC_SM4_GCM_SM3 is defined in RFC8998,and it defined how to use
SM3 and SM4 in tls1.3.
|
|
|
|
Similar to TCP, properly display what frame a fragmented
TLS message was reassembled_in for the first fragment on
a second pass. Also similar to TCP, don't bother to add the
reassembled_in field for fragments that are reassembled
in the same frame.
|
|
This allows flags to be passed by the registering listener
to the collection of information
|
|
The handshake hash is used to derive TLS decryption keys when the
Extended Master Secret (EMS) extension is in use.
ssl_calculate_handshake_hash updates this hash only when the master
secret has not been determined yet.
During TLS renegotiation, there are two master secrets: one before, and
one after. Before this fix, the second calculated master secret is
wrong because the second Client Hello is missing in the handshake hash.
It was missing because the handshake hash was not being updated since
the master secret for the first handshake was still present, and the
decryption state was only reset after that hash update.
To fix this, make sure to clear the SSL_MASTER_SECRET flag before
updating the handshake hash when needed. Additionally, clear the
handshake hash when processing the Client Hello just to make sure that
any previous state is gone.
Fixes #18059
|
|
Libgcrypt 1.8.0 is required now, so these are always defined.
|
|
Libgcrypt 1.8.x is required for a large amount of decryption
support and is the current LTS version of libgcrypt. The 1.6 and
1.7 series have been end-of-life since 2017-06-30 and 2019-06-30,
respectively.
The Linux distributions that have versions of libgcrypt before 1.8.0
are nearing or at end of support (RHEL7, SLES 12, Debian stretch,
Ubuntu 16.04LTS) and can be supported by the Wireshark 3.6 LTS release
series.
Remove an enormous amount of ifdefs based on libgcrypt versions
1.6.0, 1.7.0, and 1.8.0. There will be a second pass for the
commons defines HAVE_LIBGCRYPT_AEAD, HAVE_LIBGCRYPT_CHACHA20, and
HAVE_LIBGCRYPT_CHACHA20_POLY1305, which are now always defined.
The ISAKMP dissector has some comments noting that some workarounds
were used for libgcrypt 1.6 that aren't needed with 1.7; perhaps
that could be updated now.
|
|
Since TLS uses the TCP multisegment pdus for desegmentation,
use the TCP reassembly functions so that both the first frame
and sequence number are used. Fix #11173 somewhat better than
the previous fix, because it avoids the (unlikely) case of two
different fragments comparing equal when just bit twiddling a
single key.
|
|
If a multisegment TLS pdu begins and ends in the same frame, don't
add "[TLS segment of a reassembled PDU]" to the info column.
|
|
Do not require a useless ENC_NA parameter for string encodings.
FT_STRING and FT_STRINGZ types don't have any ndianness.
Follow-up to 6ec429622c9258eefd388caf21ce92ab5b9f54b4.
|
|
Repeated words were found with:
egrep "(\b[a-zA-Z]+) +\1\b" . -Ir
and then manually reviewed.
Non-displayed strings (e.g., in comments)
were also corrected, to ease future review.
|
|
Use macros from inttypes.h.
|
|
Use macros from inttypes.h with format strings.
|
|
Reported by @chuckcraft in https://gitlab.com/wireshark/wireshark/-/issues/13881#note_676567768
|
|
|
|
Modify YAML output format so it includes information about peers and
absolute timestamps for each packet.
This also adds yaml output to tshark: -z follow,tcp,yaml,X
|
|
|
|
Use the Data dissector to show decrypted data if nothing else is used.
|
|
|
|
It's used in a number of source files; don't force each of them to test
GCRYPT_VERSION_NUMBER independently.
Make sure every file that uses HAVE_LIBGCRYPT_AEAD includes
wsutil/wsgcrypt.h.
Also do some other definitions that are based on the libgcrypt version
there as well.
This requires that the Qt UI code be given the include directory for
libgcrypt, as the follow stream code includes
epan/dissectors/packet-quic.h, which includes wsutil/wsgcrypt.h to get
HAVE_LIBGCRYPT_AEAD defined, and wsutil/wsgcrypt.h includes <gcrypt.h>.
Change-Id: I9cb50f411f5b2b6b9e28a38bfd901f4a66d9cc8f
Reviewed-on: https://code.wireshark.org/review/38116
Petri-Dish: Guy Harris <gharris@sonic.net>
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris <gharris@sonic.net>
|
|
* Add DTLS connection ID extension based on
draft-ietf-tls-dtls-connection-id-07, excerpt:
A CID is an identifier carried in the record layer header that gives the
recipient additional information for selecting the appropriate security
association.
* Support session tracking based on connection ID, i.e. a connection ID
list is built then looked up to retrieve the session of a packet, then
the related conversation is updated with this session.
Bug: 16600
Change-Id: I050d7b5b09dad33eb39d506aca67ee839b3b7181
Reviewed-on: https://code.wireshark.org/review/37351
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
|
|
Do not limit the digest function for 0-RTT ciphers to SHA-384, add
support for digest algorithms with smaller output sizes such as SHA-256.
Fixes 0-RTT decryption of quic_0-rtt_cannot_decrypt-dsb.pcapng
(draft -23).
Change-Id: I3b49d17497fbfa52773a989dc530d04b37b20c3a
Ping-Bug: 13881
Reviewed-on: https://code.wireshark.org/review/35144
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
|
|
Encrypted alerts could be misreported as plain encrypt messages. Be sure
to check the length before interpreting it as unencrypted alert message.
Rename SSL to TLS while at it, and support unknown alerts.
Bug: 16180
Change-Id: I223568f8502cd629fed4642a786c9f5fcb488e8e
Reviewed-on: https://code.wireshark.org/review/34982
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
|
|
Break nested TLS in TLS in favor of keeping TLS reassembly working.
Bug: 16109
Change-Id: I10da5392635ea5224c1c7b31f24cebc45d8926ee
Reviewed-on: https://code.wireshark.org/review/34942
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
|
|
The TLS stream of IBM WebSphere doesn't get detected since the TLS
record is sent in two packets: First the five bytes of the TLS record
header, then the TLS record data.
Bug: 16085
Change-Id: Ide8758dc7f6a14e4a5aeb01abc7fcaa42374f675
Reviewed-on: https://code.wireshark.org/review/34634
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
|
|
QUIC needs to read the ALPN to select the dissector for STREAM
dissection.
Change-Id: I3c3a2d5a6fe2f8f127b31287ed4ad3e3b4b0e56c
Reviewed-on: https://code.wireshark.org/review/34633
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
|
|
This reverts commit ede7be3440689cee51489361934704467f2b2ffb.
The TLS dissector can be called via multiple entrypoints. It could be
called directly (the EAP-TTLS/EAP-PEAP case with an explicit dissector
name), but also through dissector tables. The TCP and SCTP dissectors
however pass a data parameter of a different type, resulting in crashes
due to type confusion.
Change-Id: I1d21cb5e31eb09689970ff3bdc7a63c6b7965d49
Link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16442
Link: https://www.wireshark.org/lists/wireshark-dev/201908/msg00037.html
Reviewed-on: https://code.wireshark.org/review/34310
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
|
|
For use by EAP-TTLS which knows the next protocol that must be set.
Similar to the ssl_starttls functions, but simpler as the caller does
not switch the transport protocol to TLS.
Change-Id: Idadb6f33e5e1182bf7b3b0b5134df9af2717a592
Reviewed-on: https://code.wireshark.org/review/34293
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
|
|
Some of these links are broken, but most of the information is severely
outdated. Replace it my a more up-to-date list of references.
Change-Id: I2a7a6041317c281f56ee86fe720a63332d493943
Reviewed-on: https://code.wireshark.org/review/34238
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
|
|
Change all wireshark.org URLs to use https.
Fix some broken links while we're at it.
Change-Id: I161bf8eeca43b8027605acea666032da86f5ea1c
Reviewed-on: https://code.wireshark.org/review/34089
Reviewed-by: Guy Harris <guy@alum.mit.edu>
|
|
Since the key log format nor wire format provides any information on the
0-RTT cipher, perform trial decryption. Tested with quant-dsb.pcapng
Bug: 13881
Change-Id: I1c082bccf12d1ed6d12def6e8cc1b3d9bce1d93a
Reviewed-on: https://code.wireshark.org/review/33695
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
|
|
The title of a decode_as_t was used by the GTK UI. It's no
longer required for Qt.
Change-Id: Ibd9d4acbe9cad2c1af520340d04e550326a97ebe
Reviewed-on: https://code.wireshark.org/review/33557
Petri-Dish: Martin Kaiser <wireshark@kaiser.cx>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
|
|
Do not attempt reassembly when it will end up failing due to missing
data in a tvb. The dissection results will be wrong as the middle of a
fragment is now interpreted as a full handshake message, but at least
future handshake records should be correctly interpreted and the null
pointer crash due to an incomplete reassembly is fixed.
Bug: 15811
Change-Id: I308d5fa6c131972625f1987d01a8c207e65b4ed2
Fixes: v3.1.0rc0-620-gb641febb1e ("TLS: Implement reassembly for Handshake messages")
Reviewed-on: https://code.wireshark.org/review/33535
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
|
|
Since the "quic " label was dropped in draft -17 (which happens to be
our minimum supported QUIC draft version as well), the QUIC and TLS 1.3
base secrets are the same again. Temporarily accept both the QUIC_xyz
and xyz labels, hopefully we can drop the "QUIC_" label soon.
Change-Id: Ib3919997db75c2e9652239a5d6400876df745fdb
Ping-Bug: 13881
Reviewed-on: https://code.wireshark.org/review/33275
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
|
|
When decrypt_ssl3_record is called with a record length of zero, it will
pass NULL to ssl_data_set because tvb_get_ptr(..., 0) yields NULL. That
triggers a DISSECTOR_ASSERT. Fix this and add expert info while at it.
Bug: 15780
Change-Id: I727b511aa48b6e1aeb20a441d1eb9d3627a74413
Reviewed-on: https://code.wireshark.org/review/33203
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
|
|
Lack of handshake reassembly caused Certificate handshake messages to be
reported as "Encrypted Handshake Messages" and broke decryption in some
cases. Fix this by properly tracking handshake fragments and delay
dissection until all fragments are available.
Now when a fragmented Handshake message is found:
* The first fragment will have "(fragmented)" appended to the record
tree item as well as the "Handshake Protocol" item.
* "Reassembled Handshake Message in frame: X" is added for fragments.
* The last reassembled handshake message will be displayed together with
a fragment list.
Note: Previously, handshake records with a message length larger than
the available data was assumed to be encrypted. This restriction had to
be lifted, but can now cause false positives (reporting encrypted data
as unencrypted handshake fragments).
The provided capture is not minimal but should be comprehensive as it is
generated with randomly sized TLS record and TCP segment lengths using
`./tls-handshake-fragments.py hs-frag.pcap --seed=1337 --count=100` and
https://git.lekensteyn.nl/peter/wireshark-notes/tree/crafted-pkt/tls-handshake-fragments.py
(A copy of this script is attached to bug 3303.)
Bug: 3303
Bug: 15537
Bug: 15625
Change-Id: I779925aba30548a76c20e0e37b39d01d2c88a764
Reviewed-on: https://code.wireshark.org/review/32857
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
|