| Bug ID | 10235 | 
        
          | Summary | Encrypted TLS handshake detected heuristic broken by AESGCM nonce when counter is used | 
        
          | Classification | Unclassified | 
        
          | Product | Wireshark | 
        
          | Version | 1.10.8 | 
        
          | Hardware | x86-64 | 
        
          | OS | Windows 7 | 
        
          | Status | UNCONFIRMED | 
        
          | Severity | Normal | 
        
          | Priority | Low | 
        
          | Component | Dissection engine (libwireshark) | 
        
          | Assignee | [email protected] | 
        
          | Reporter | [email protected] | 
      
        
        Created attachment 12853 [details]
AESGCM connection between opensssl s_client and google, packet #11 demonstrates
error
Build Information:
Compiled (64-bit) with GLib 2.34.1, with WinPcap (4_1_3), with libz 1.2.5,
without POSIX capabilities, without libnl, with SMI 0.4.8, with c-ares 1.9.1,
with Lua 5.1, without Python, with GnuTLS 2.12.18, with Gcrypt 1.4.6, without
Kerberos, with GeoIP.
Running on 64-bit Windows 7 Service Pack 1, build 7601, without WinPcap.
       Intel(R) Core(TM) i5-2410M CPU @ 2.30GHz, with 6058MB of physical
memory.
--
Wireshark uses a heuristic to determine whether TLS handshake message is
encrypted.  That heuristic to:
1. Extract bytes 1-3 (0-counting) as a 24-bit length field
2. If that length is larger than the remaining payload, declare record
encrypted.
3. Otherwise, declare record unencrypted.
(see:
https://code.wireshark.org/review/gitweb?p=wireshark.git;a=blob;f=epan/dissectors/packet-ssl.c;h=3c82774908ce9f5a6f3e9837c0f277912ddd6b0c;hb=HEAD#l1877
)
When AES-GCM is used, this heuristic is regularly broken.
When an AES GCM cipher suite is used, there is an 8-byte explicit nonce.
Some implementations use a counter for that explicit nonce.
Thus, the first 8 bytes of the TLS finished message are all 0x00, as it is the
first encrypted message.
When the heuristic runs against that payload, the extracted length is 0, and
the record is declared to be plaintext.  The heuristic runs another time, on
the next 4 bytes, and "finds" a second unencrypted handshake record when in
reality there are none.
The attachment demonstrates this error.  It was generated with openssl 1.0.1e
using the command:
openssl s_client -connect www.google.com:443 -cipher AESGCM
Packet 11 demonstrates the heuristic error, as Google uses a counter for the
nonce.
Packet 10 does not demonstrate the error as openssl uses a random nonce.
         
      
      
      You are receiving this mail because:
      
      
          - You are watching all bug changes.