Wireshark-dev: Re: [Wireshark-dev] Adding decryption keys at "runtime" (dissection time)
From: Peter Wu <peter@xxxxxxxxxxxxx>
Date: Thu, 6 Apr 2017 14:53:48 +0200
On Thu, Apr 06, 2017 at 02:41:15PM +0200, Bogdan Pavkovic wrote: > Hi Peter, all, > > Thanks a lot for the insight regarding this patch. > I will look into details regarding the separate keylog file according to > SSL/TLS example. > > One question nevertheless: > is there a particular need to write Lua post-disector script > instead of updating the keylog directly from the dissector? It could also be done from the dissector, but it feels a bit strange to write to an input file (keylog file) which is supposed to provide keys. A possible alternative is to create a second preference, pointing to the file where new keys are appended. Yet another option is a boolean preference, controlling whether new keys are allowed to be written to the "input" keylog file. Then the user can control whether it is OK to write the file. Peter > Best regards, > Bogdan > > *From*: Peter Wu <peter@xxxxxxxxxxxxx <[email protected]>> > > *Date*: Fri, 24 Mar 2017 12:28:06 +0100 > > > > On Tue, Mar 21, 2017 at 05:07:28PM -0400, Michael Mann wrote: > > > There are currently two outstanding patches > > > (https://code.wireshark.org/review/20585 and > > > https://code.wireshark.org/review/20656) that want to modify a UAT at > > > runtime for additional decryption keys/information found during > > > dissection. In this case the UAT is providing all of the "static" > > > keys, but apparently these dissectors can have some at runtime too. > > > Are there currently dissectors that handle such a case so these > > > patches can be modeled after those? > > > > The problem with the ZigBee dissector (20656) appears as follows: > > > > - There is a static (master?) key, configured in UAT. > > - Session keys are encrypted by the master key and transmitted through > > a special message. > > - When a capture is split, this special message will only appear in the > > first capture file and not in the succeeding files. Since the session > > key is not known, these other files cannot be decrypted (only the > > first one can be decrypted). > > > > This (unhandled) result is comparable to the SSL/TLS dissector, if the > > TLS handshake messages are missing, the following application data > > cannot be decrypted. > > > > > The only solution I can think of is to have a copy of the UAT taken > > > (created in the post_update callback of the UAT) and then add the > > > "runtime" decryption keys to the copy. Not the prettiest so I thought > > > I'd elicit other opinions. > > > > The UAT was designed to give the GUI full control over the contents, the > > dissectors only get a copy of it. Trying to change this might be > > difficult. Adding the "runtime" (session) keys to the copy will not help > > if the capture file is changed and the UAT is reloaded. > > > > As for how dissectors handle decryption keys, I am familiar with these: > > > > - 802.11: WEP and WPA(2)-PSK keys can be configured via UAT. These > > secrets normally do not change and UAT works fine here. > > - SSL/TLS: a path to a keylog file can be configured, mappings from an > > identifier to session secrets can be found in this file. Entries are > > loaded at runtime as they are appended (making it usable for live > > captures). UAT would not be usable as it is loaded only once. > > > > One way to solve the ZigBee problem is by using this separate file > > approach? The dissector would then read keys from this file (instead of > > UAT), a separate Lua post-dissector could be written to append to this > > file. > > > > FWIW, for another protocol I also had the need to load external session > > secrets during a live capture, these were also loaded from file:https://github.com/Lekensteyn/wireguard-dissector > > -- > > Kind regards, > > Peter Wuhttps://lekensteyn.nl > > > > > ___________________________________________________________________________ > Sent via: Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx> > Archives: https://www.wireshark.org/lists/wireshark-dev > Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev > mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe -- Kind regards, Peter Wu https://lekensteyn.nl
- References:
- Re: [Wireshark-dev] Adding decryption keys at "runtime" (dissection time)
- From: Bogdan Pavkovic
- Re: [Wireshark-dev] Adding decryption keys at "runtime" (dissection time)
- Prev by Date: Re: [Wireshark-dev] Adding decryption keys at "runtime" (dissection time)
- Next by Date: [Wireshark-dev] attribution/copyright
- Previous by thread: Re: [Wireshark-dev] Adding decryption keys at "runtime" (dissection time)
- Next by thread: [Wireshark-dev] attribution/copyright
- Index(es):