Wireshark-dev: Re: [Wireshark-dev] help needed in tracking down a bug in SSL dissector
From: "Kukosa, Tomas" <[email protected]>
Date: Wed, 6 Jun 2007 07:51:24 +0200
Hi,

problem is that DESEGMENT_UNTIL_FIN is not implemented (well) in the SSL dissector.

I will think about it but I can not guarantee that I will find solution soon.

regards,
  Tomas


Mailcode: NdD2sKHg
-----Original Message-----
From: Brian Vandenberg [mailto:[email protected]] 
Sent: Tuesday, June 05, 2007 10:32 PM
To: Kukosa, Tomas
Subject: Re: [Wireshark-dev] help needed in tracking down a bug in SSL dissector

Tomas,

  Not a problem.  Oh, and I meant TLSv1 (was thinking SSL3).

  The IP is 192.168.20.68, the port is 9091, and I've attached two key 
files.  I'm unsure which is the right one, I was just using both to 
avoid figuring it out.

  Ignoring the first two http packets in this sample, every response 
packet from the server seems to exhibit this behavior.  The same 
reconstructed data is added as a data source two times instead of one, 
and the http dissector is then called twice, once on each of the two 
data sources that are themselves identical to eachother.

-Brian

Kukosa, Tomas wrote:

>Hi Brian,
>
>please could you send me your sample capure? (with key and key config) 
>
>Regards,
>  Tomas
>
>
>Mailcode: NdD2sKHg
>-----Original Message-----
>From: Brian Vandenberg [mailto:[email protected]] 
>Sent: Monday, June 04, 2007 5:22 PM
>To: Kukosa, Tomas
>Cc: Brian Vandenberg
>Subject: Re: [Wireshark-dev] help needed in tracking down a bug in SSL dissector
>
>Tomas,
>
>  Did you see my response to your email last week?  I've had to shelve 
>fixing this temporarily because it's taking me so long to track it down, 
>but I'm probably going to be working on it sometime this week.  If you'd 
>like me to send you a sample capture to try reproducing this issue I can 
>do that.
>
>  In response to your question, I'm using code from about 1.5wks ago 
>from the wireshark trunk.  The ssl protocol is TSLv3.  I'm unfamiliar 
>with H.225 and SIP, so I'm not sure what other information you'd need.
>
>-Brian
>
>Kukosa, Tomas wrote:
>  
>
>>Hi,
>>
>>which version do you use? I have rewritten SSL reasembling about one month ago.
>>I have it tested witch segmented H.225 and SIP and it works well.
>>
>>Tomas
>>
>>
>>Mailcode: NdD2sKHg
>>-----Original Message-----
>>From: [email protected] [mailto:[email protected]] On Behalf Of Brian Vandenberg
>>Sent: Thursday, May 31, 2007 12:40 AM
>>To: Developer support list for Wireshark
>>Subject: [Wireshark-dev] help needed in tracking down a bug in SSL dissector
>>
>>  I found a bug about 9-10 months ago in the SSL dissector that was 
>>never fixed, so I'm trying to find/fix the problem myself, but I'm 
>>having a hard time tracking it down.
>>
>>  Essentially this is what happens:
>>
>>* POST to server occurs, the SSL chunk isn't fragmented.
>>* When SSL dissector decrypts it a single new data source is added and 
>>displayed entitled "Decrypted SSL Data"
>>* The new data source is then passed to the http dissector.
>>* ...
>>* A response from the server is sent, the SSL chunk *IS* fragmented.
>>* The SSL dissector decrypts each chunk then reconstructs it; four new 
>>data sources are added:
>>** Decrypted SSL data (X bytes)
>>** Reassembled SSL (Y bytes)
>>** Decrypted SSL data (Z bytes)
>>** Reassembled SSL (Y bytes)
>>** note that both 'Reassembled' data sources have the same size, and the 
>>exact same data.
>>* The reassembled chunks are *both* passed to the http dissector.
>>
>>  The problem is that the SSL dissector is adding the same reassembled 
>>chunk as a new data source twice (possibly more, if it is broken up into 
>>more than 2 chunks, but so far I've only seen it broken in two chunks).  
>>I've spent a couple of days on this, and though I think I'm close, I 
>>just don't know enough about the Wireshark API, so I'm making very slow 
>>progress.
>>
>>  I expected that it would be as simple as going to line 920 of 
>>packet-ssl.c, set a breakpoint, observe that the line is executed twice 
>>for each packet where this occurs, then figure out why it executes more 
>>than once ... but it only executes that line once for each packet where 
>>this occurs, and I don't see another line of code that tries to add a 
>>new data source with the text "Reassembled SSL", .  I haven't managed to 
>>find where the 2nd call to add_new_data_source takes place.
>>
>>  I'm going to continue working on this, however, if anyone has a 
>>suggestion, or see's something I'm missing, I'd appreciate the help.
>>
>>-Brian
>>
>>Anders Broman wrote:
>>  
>>    
>>
>>>Hi,
>>>ETR 091 (ETSI ETR 091 ed.1 (1993-07)) downloadable from ETSI.
>>>http://www.etsi.org/services_products/freestandard/home.htm
>>>Regards
>>>Anders
>>>
>>>________________________________________
>>>Från: [email protected] [mailto:[email protected]] För Kukosa, Tomas
>>>Skickat: den 30 maj 2007 23:19
>>>Till: [email protected]
>>>Ämne: Re: [Wireshark-dev] [Wireshark-commits] rev 22008:/trunk/asn1/gsmmap/ /trunk/asn1/gsmmap/:MAP-ApplicationContexts.asn MAP-BS-Code.asnMAP-CH-DataTypes.asn MAP-CommonDataTypes.asnMAP-ER-DataTypes.asn MAP-GR-DataTypes.asn ...
>>>
>>>Hi,
>>> 
>>>which document the MobileDomainDefinitions.asn comes from?
>>> 
>>>I have tries do find any reference in the 3GPP TS 29.002 but without any success.
>>> 
>>>Regards,
>>>  Tomas
>>>
>>>________________________________________
>>>Od: [email protected] za uživatele [email protected]
>>>Odesláno: st 30.5.2007 21:03
>>>Komu: [email protected]
>>>Předmět: [Wireshark-commits] rev 22008: /trunk/asn1/gsmmap/ /trunk/asn1/gsmmap/: MAP-ApplicationContexts.asn MAP-BS-Code.asn MAP-CH-DataTypes.asn MAP-CommonDataTypes.asn MAP-ER-DataTypes.asn MAP-GR-DataTypes.asn ...
>>>http://anonsvn.wireshark.org/viewvc/viewvc.cgi?view=rev&revision=22008
>>>
>>>User: etxrab
>>>Date: 2007/05/30 07:03 PM
>>>
>>>Log:
>>> Add separate asn1 files that may be used later.
>>>
>>>Directory: /trunk/asn1/gsmmap/
>>>  Changes    Path                           Action
>>>  +196 -0    MAP-ApplicationContexts.asn    Added
>>>  +130 -0    MAP-BS-Code.asn                Added
>>>  +463 -0    MAP-CH-DataTypes.asn           Added
>>>  +627 -0    MAP-CommonDataTypes.asn        Added
>>>  +406 -0    MAP-ER-DataTypes.asn           Added
>>>  +197 -0    MAP-GR-DataTypes.asn           Added
>>>  +2596 -0   MAP-MS-DataTypes.asn           Added
>>>  +214 -0    MAP-OM-DataTypes.asn           Added
>>>  +246 -0    MAP-SM-DataTypes.asn           Added
>>>  +186 -0    MAP-SS-Code.asn                Added
>>>  +341 -0    MAP-SS-DataTypes.asn           Added
>>>
>>>
>>>(3 files not shown)
>>>_______________________________________________
>>>Wireshark-commits mailing list
>>>[email protected]
>>>http://www.wireshark.org/mailman/listinfo/wireshark-commits
>>>
>>>_______________________________________________
>>>Wireshark-dev mailing list
>>>[email protected]
>>>http://www.wireshark.org/mailman/listinfo/wireshark-dev
>>>  
>>>    
>>>      
>>>
>>_______________________________________________
>>Wireshark-dev mailing list
>>[email protected]
>>http://www.wireshark.org/mailman/listinfo/wireshark-dev
>>  
>>    
>>
>
>  
>