Fix for incorrectly labelled disclosure packets #6

Merged
merged 7 commits into from
May 6, 2024
Merged
Changes from 3 commits
61 changes: 46 additions & 15 deletions Wireshark/plugins/v2gtlssecret.lua
Expand Up @@ -46,21 +46,34 @@ local function check_version(required_version)
end
end

local function split_string(str)
local parts = {}
for part in str:gmatch'[^ \r\n]+' do
table.insert(parts, part)
end
return parts
end

local function add_expert_info(message, tree, pinfo, expertinfo)
local oldInfo = tostring(pinfo.cols.info)
if string.len(oldInfo) < 9 or oldInfo:sub(0, 9) ~= "[WARNING]" then
TGruett marked this conversation as resolved.
tree:add_proto_expert_info(expertinfo, message)
pinfo.cols.info = "[WARNING] " .. oldInfo
end
end

-- PDU dissection function
function p_v2gtlssecret.dissector(buf,pinfo,root)
local str = buf:raw()
local tls_secret_list = {}
local info_strings = {}

local subtree = root:add(p_v2gtlssecret,buf(0))

-- one UDP packet may contain several lines, check each line
local byte_offset = 0
for line in str:gmatch'[^\r\n]+' do
-- check if this is really a secret
local match = line:match'^([%u_]+)%d* %x+ %x+$'
if match == nil then
goto continue
return 0
elseif match == "CLIENT_RANDOM" then
table.insert(info_strings, "master secret")
elseif match == "CLIENT_HANDSHAKE_TRAFFIC_SECRET" then
Expand All @@ -77,16 +90,20 @@ function p_v2gtlssecret.dissector(buf,pinfo,root)
-- one last plausibility check
if line:len() > 100 and line:len() < 300 then
table.insert(tls_secret_list, line)
subtree:add(f_cr,buf(byte_offset, line:len()))
end
::continue::
byte_offset = byte_offset + line:len() + 1
end

if #tls_secret_list == 0 then
return 0
end

local byte_offset = 0
local subtree = root:add(p_v2gtlssecret,buf(byte_offset))
for _, v in ipairs(tls_secret_list) do
subtree:add(f_cr,buf(byte_offset, v:len()))
byte_offset = byte_offset + v:len() + 1 -- (+1) for line break
end

-- set info column
pinfo.cols.info = "TLS disclosure message for " .. table.concat(info_strings, ", ")

Expand Down Expand Up @@ -115,27 +132,40 @@ function p_v2gtlssecret.dissector(buf,pinfo,root)
-- check if the TLS secrets are already in the file
local file, _, _ = io.open(get_preference("tls.keylog_file"), "r")
if file ~= nil then
for line in file:lines() do
local tls_secret_of_file = tostring(line)
for idx = #tls_secret_list, 1, -1 do
if tls_secret_list[idx] == tls_secret_of_file then
table.remove(tls_secret_list, idx)
local file_content = file:read("*a")
file:close(file)

for idx = #tls_secret_list, 1, -1 do
local to_be_removed = false
local splitted_from_packet = split_string(tls_secret_list[idx])
for line in file_content:gmatch'[^\r\n]+' do
local splitted_from_file = split_string(tostring(line))
if #splitted_from_packet == 3 and #splitted_from_file == 3 then
if splitted_from_file[1] == splitted_from_packet[1] and splitted_from_file[2] == splitted_from_packet[2] then
if splitted_from_file[3] == splitted_from_packet[3] then
to_be_removed = true
else
add_expert_info("CLIENT RANDOM is not unique!", subtree, pinfo, ef_io_error)
TGruett marked this conversation as resolved.
end
end
end
end
if to_be_removed then
table.remove(tls_secret_list, idx)
end
if #tls_secret_list == 0 then
break
end

end
file:close(file)
end

-- write TLS secret only once
if #tls_secret_list > 0 then
local err_str
file, err_str, _ = io.open(get_preference("tls.keylog_file"), "a")
if file == nil then
subtree:add_proto_expert_info(ef_io_error, err_str)
pinfo.cols.info = "[ERROR] " .. tostring(pinfo.cols.info)
add_expert_info(err_str, subtree, pinfo, ef_io_error)
else
for _, tls_secret in ipairs(tls_secret_list) do
file:write(tls_secret .. "\n")
Expand All @@ -158,4 +188,5 @@ end -- end function 'p_v2gtlssecret.dissector'
function p_v2gtlssecret.init()
-- register tls secret ports
DissectorTable.get("udp.port"):add(p_v2gmsg.prefs["portrange_tlssecret"], p_v2gtlssecret)
frame_numbers = {}
end
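Review bot: In the keylog comparison loop, the branch that finds the same label and client random with a different secret only raises `CLIENT RANDOM is not unique!`; `to_be_removed` stays false, so the conflicting line received over UDP is still appended to `tls.keylog_file`. No sender check is visible in these hunks, so the file can end up with two contradictory entries for one session, and which of them the TLS dissector then uses cannot be seen from here. If the first stored secret should win, set `to_be_removed = true` in that `else` branch as well; if appending is intended, say so in a comment such as `-- conflicting secret is still appended on purpose; the keylog file then holds both entries`. Separately, `add_expert_info` skips `tree:add_proto_expert_info` whenever the info column already starts with `[WARNING]`, so an `io.open` failure after such a warning appears to go unreported; calling `tree:add_proto_expert_info(expertinfo, message)` unconditionally and guarding only the column prefix would keep it visible. The dissector body is only partly visible here, so both points assume the hidden lines do not reset the info column or filter the list further.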