Wireshark mailing list archives
Trying to decode a TLS 1.3 with null cipher
From: Ahmed Elsherbiny <sherboah () gmail com>
Date: Fri, 1 May 2020 14:10:01 -0700
Hello, I've written a dissector for a custom protocol. The dissector works well, and now I'm trying to run the protocol over TLS 1.3. The cipher suite being used is TLS_SHA256_SHA256 (Code: 0xC0B4). This is a new cipher suite, it is used for integrity and has a null cipher (The payload is actually plaintext). It is still in draft form, here is the document that describes it: https://www.ietf.org/id/draft-camwinget-tls-ts13-macciphersuites-05.txt Looking at the ServerHello packet, Wireshark shows the CipherSuite as Unknown (0xC0B4). Consequently, it does not provide a "Decrypted application data" tab and does not pass the data to my dissector. This is what the TLS debug log shows: *For the ServerHelloMessage:* dissect_ssl enter frame #2 (first time) packet_from_server: is from server - TRUE conversation = 0000025F9CC7D780, ssl_session = 0000025F9CC7DEF0 record: offset = 0, reported_length_remaining = 128 ssl_try_set_version found version 0x0303 -> state 0x91 dissect_ssl3_record: content_type 22 Handshake decrypt_ssl3_record: app_data len 123, ssl state 0x91 packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available dissect_ssl3_handshake iteration 1 type 2 offset 5 length 119 bytes, remaining 128 ssl_try_set_version found version 0x0304 -> state 0x91 ssl_dissect_hnd_hello_common found SERVER RANDOM -> state 0x93 ssl_set_cipher can't find cipher suite 0xC0B4 ssl_load_keyfile dtls/tls.keylog_file is not configured! tls13_load_secret transitioning to new key, old state 0x93 tls13_load_secret Cannot find CLIENT_HANDSHAKE_TRAFFIC_SECRET, decryption impossible tls13_load_secret transitioning to new key, old state 0x93 tls13_load_secret Cannot find SERVER_HANDSHAKE_TRAFFIC_SECRET, decryption impossible *For the Application Message: * dissect_ssl enter frame #3 (first time) packet_from_server: is from server - TRUE conversation = 0000025F9CC7D780, ssl_session = 0000025F9CC7DEF0 record: offset = 0, reported_length_remaining = 44 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 39, ssl state 0x93 packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available I tried adding the cipher-suite to packet-tls-utils.c and recompiling Wireshark. This is the line that I added, since the document says that Diffie-Helman is the only key exchange that can be used. I'm not completely sure that I'm using the correct macros - I don't fully understand TLS. {0xC0B4, KEX_DH_ANON, ENC_NULL, DIG_SHA256, MODE_GCM } After recompiling Wireshark with this line added, this is what I get: *For the ServerHelloMessage: * dissect_ssl enter frame #2 (first time) packet_from_server: is from server - TRUE conversation = 0000018ED3796780, ssl_session = 0000018ED3796EF0 record: offset = 0, reported_length_remaining = 128 ssl_try_set_version found version 0x0303 -> state 0x91 dissect_ssl3_record: content_type 22 Handshake decrypt_ssl3_record: app_data len 123, ssl state 0x91 packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available dissect_ssl3_handshake iteration 1 type 2 offset 5 length 119 bytes, remaining 128 ssl_try_set_version found version 0x0304 -> state 0x91 ssl_dissect_hnd_hello_common found SERVER RANDOM -> state 0x93 ssl_set_cipher found CIPHER 0xC0B4 unknown -> state 0x97 ssl_load_keyfile dtls/tls.keylog_file is not configured! tls13_load_secret transitioning to new key, old state 0x97 tls13_load_secret Cannot find CLIENT_HANDSHAKE_TRAFFIC_SECRET, decryption impossible tls13_load_secret transitioning to new key, old state 0x97 tls13_load_secret Cannot find SERVER_HANDSHAKE_TRAFFIC_SECRET, decryption impossible *For the Application Message: * dissect_ssl enter frame #3 (first time) packet_from_server: is from server - TRUE conversation = 0000018ED3796780, ssl_session = 0000018ED3796EF0 record: offset = 0, reported_length_remaining = 44 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 39, ssl state 0x97 packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available Notice the highlighted text. The message changed from "Can't find cipher suite" to "found CIPHER 0xC0B4 unknown". So I might be doing something right here. But it seems to still expect a key. I should be able to proceed without keys, since this particular cipher-suite does not encrypt the payload. Appreciate if someone could help me figure this out. Thanks in advance! Regards, Ahmed ElSherbiny
___________________________________________________________________________ Sent via: Wireshark-dev mailing list <wireshark-dev () wireshark org> Archives: https://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
Current thread:
- Trying to decode a TLS 1.3 with null cipher Ahmed Elsherbiny (May 01)
- Re: Trying to decode a TLS 1.3 with null cipher Peter Wu (May 02)
- Re: Trying to decode a TLS 1.3 with null cipher Ahmed Elsherbiny (May 02)
- Re: Trying to decode a TLS 1.3 with null cipher Peter Wu (May 02)
- Re: Trying to decode a TLS 1.3 with null cipher Ahmed Elsherbiny (May 04)
- Re: Trying to decode a TLS 1.3 with null cipher Peter Wu (May 04)
- Re: Trying to decode a TLS 1.3 with null cipher Ahmed Elsherbiny (May 05)
- Re: Trying to decode a TLS 1.3 with null cipher Peter Wu (May 07)
- Re: Trying to decode a TLS 1.3 with null cipher Ahmed Elsherbiny (May 02)
- Re: Trying to decode a TLS 1.3 with null cipher Peter Wu (May 02)