Wireshark-bugs: [Wireshark-bugs] [Bug 9499] DTLS: add decrypt support for TLS_PSK_WITH_AES_128_C

Date: Tue, 03 Dec 2013 11:20:14 +0000

Comment # 6 on bug 9499 from
(In reply to comment #2)
> Created attachment 12210 [details]
> ssl: use hex numbers of TLS Cipher suites
> 
> The TLS Cipher Suites are referenced in Hex code everywhere, use that
> also in the decode table.

Good idea, I have updated my script to generate hexadecimal values for the
cipher suite ID[1]. This should give more consistent (capitalization) numbers.
Also, you updated the comments for three PSK suites here (139, 140, 141).

 [1]:
https://git.lekensteyn.nl/peter/wireshark-notes/tree/generate-wireshark-cs

(In reply to comment #3)
> Created attachment 12211 [details]
> SSL: add decrypt support for CCM and CCM_8 Ciphers
> 
> This adds decrypt support for CCM and CCM_8 Ciphers like the ones
> specified in rfc6655.

There is no "GenericCCMCipher" in the TLS RFCs, RFC 6655 names
GenericAEADCipher too.

Copy pasta error: the comment preceding the auth tag handling before
SSL_CIPHER_MODE_CCM_8 is wrong, RFC 6655, sect. 6.1 "AES-128-CCM with an
8-Octet Integrity Check Value (ICV)" mentions a tag size of 8 octets.

Since the nonce handling code is mostly shared with other GCM, I suggest to
merge them (SSL_EX_NONCE_LEN_GCM is copied without changing as well).
(According to RFC 6655, the nonce is exactly that of GCM). You seem to have
implemented RFC 3610 which is not specific to TLS. Do you have an AES-CCM test
cipher?

I am fine with the "dtls: set ssl_set_server()" (note: `git am` does not take
the fuzz, I manually applied it).

The patch "dtls: add psk decrypt support" is mostly copying from packet-ssl.c
and re-indenting previous code, it would be nicier if you refactored the code
from packet-ssl.c to packet-ssl-utils.c to reduce code duplication.

Thanks for your efforts!


You are receiving this mail because:
  • You are watching all bug changes.