Wireshark-dev: Re: [Wireshark-dev] working with header data

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Mon, 17 Oct 2011 17:14:36 -0700
On Oct 14, 2011, at 2:05 PM, Ed Beroset wrote:

> Guy Harris wrote:
>> 
>> On Oct 14, 2011, at 1:16 PM, Ed Beroset wrote:
>> 
>>> if (PNODE_FINFO(tree)->hfinfo->id == hf_c1222_user_information)
>>> pkt_tree = proto_item_get_parent_nth(tree, 2); else return FALSE;
>> 
>> None of that has anything to do with adding hf_c1222_crypto_good to
>> the protocol tree, which is what is relevant for making a
>> "c1222.crypto_good" field work; where is the code that adds that to
>> the tree?
> 
> It does, but it's a bit indirect.  If the call to that function returns false, it's an indication that the encryption validation failed for some reason.

If "that function" is canonify_unencrypted_header(), then, if it returns false, it's an indication that the canonicalization of the header failed for some reason, so you can't even try to do the crypto.  If that can be done in a different fashion, as per my earlier suggestion, that code shouldn't even exist.

The code that actually does the crypto is in dissect_epsem(), which should only be called after all the header fields have been dissected.