Wireshark mailing list archives
Re: Adding decryption keys at "runtime" (dissection time)
From: Peter Wu <peter () lekensteyn nl>
Date: Thu, 6 Apr 2017 14:53:48 +0200
On Thu, Apr 06, 2017 at 02:41:15PM +0200, Bogdan Pavkovic wrote:
Hi Peter, all, Thanks a lot for the insight regarding this patch. I will look into details regarding the separate keylog file according to SSL/TLS example. One question nevertheless: is there a particular need to write Lua post-disector script instead of updating the keylog directly from the dissector?
It could also be done from the dissector, but it feels a bit strange to write to an input file (keylog file) which is supposed to provide keys. A possible alternative is to create a second preference, pointing to the file where new keys are appended. Yet another option is a boolean preference, controlling whether new keys are allowed to be written to the "input" keylog file. Then the user can control whether it is OK to write the file. Peter
Best regards, Bogdan *From*: Peter Wu <peter@xxxxxxxxxxxxx <peter@DOMAIN.HIDDEN>>*Date*: Fri, 24 Mar 2017 12:28:06 +0100 On Tue, Mar 21, 2017 at 05:07:28PM -0400, Michael Mann wrote:There are currently two outstanding patches (https://code.wireshark.org/review/20585 and https://code.wireshark.org/review/20656) that want to modify a UAT at runtime for additional decryption keys/information found during dissection. In this case the UAT is providing all of the "static" keys, but apparently these dissectors can have some at runtime too. Are there currently dissectors that handle such a case so these patches can be modeled after those?The problem with the ZigBee dissector (20656) appears as follows: - There is a static (master?) key, configured in UAT. - Session keys are encrypted by the master key and transmitted through a special message. - When a capture is split, this special message will only appear in the first capture file and not in the succeeding files. Since the session key is not known, these other files cannot be decrypted (only the first one can be decrypted). This (unhandled) result is comparable to the SSL/TLS dissector, if the TLS handshake messages are missing, the following application data cannot be decrypted.The only solution I can think of is to have a copy of the UAT taken (created in the post_update callback of the UAT) and then add the "runtime" decryption keys to the copy. Not the prettiest so I thought I'd elicit other opinions.The UAT was designed to give the GUI full control over the contents, the dissectors only get a copy of it. Trying to change this might be difficult. Adding the "runtime" (session) keys to the copy will not help if the capture file is changed and the UAT is reloaded. As for how dissectors handle decryption keys, I am familiar with these: - 802.11: WEP and WPA(2)-PSK keys can be configured via UAT. These secrets normally do not change and UAT works fine here. - SSL/TLS: a path to a keylog file can be configured, mappings from an identifier to session secrets can be found in this file. Entries are loaded at runtime as they are appended (making it usable for live captures). UAT would not be usable as it is loaded only once. One way to solve the ZigBee problem is by using this separate file approach? The dissector would then read keys from this file (instead of UAT), a separate Lua post-dissector could be written to append to this file. FWIW, for another protocol I also had the need to load external session secrets during a live capture, these were also loaded from file:https://github.com/Lekensteyn/wireguard-dissector -- Kind regards, Peter Wuhttps://lekensteyn.nl
___________________________________________________________________________ Sent via: Wireshark-dev mailing list <wireshark-dev () wireshark org> Archives: https://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
-- Kind regards, Peter Wu https://lekensteyn.nl ___________________________________________________________________________ Sent via: Wireshark-dev mailing list <wireshark-dev () wireshark org> Archives: https://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
Current thread:
- Re: Adding decryption keys at "runtime" (dissection time) Bogdan Pavkovic (Apr 06)
- Re: Adding decryption keys at "runtime" (dissection time) Peter Wu (Apr 06)