
Wireshark-dev: Re: [Wireshark-dev] [pcap-ng-format] Proposal for storing decryption secrets in

From: ronnie sahlberg <ronniesahlberg@xxxxxxxxx>
Date: Sat, 6 Oct 2018 19:37:43 +1000
What Guy said.
On Fri, Oct 5, 2018 at 4:11 PM Guy Harris <guy@xxxxxxxxxxxx> wrote:
>
> On Sep 30, 2018, at 10:47 AM, Peter Wu <peter@xxxxxxxxxxxxx> wrote:
>
> > Requirements for block placement:
> > - No requirement. Producers are allowed to write the block anywhere.
> >  Disadvantages for consumers: requires a two-pass scan to collect
> >  secrets before they are used.
> > - Place secrets before the packet blocks that require them. Consumers
> >  can read and decrypt in one pass. Disadvantage: producers cannot
> >  always guarantee availability of secrets while writing the capture.
> > - Place a single secret block before the first packet block. Consumers
> >  can read and decrypt in one pass. Disadvantage: requires producers to
> >  post-process (rewrite) the capture file to insert secrets.
>
> The third of those appears to be a special case of the second of those.  I don't see any need to require the secrets to be before the *first* packet block if the first packet block doesn't require the secret; presumably "before the packet blocks that require them" just means "*somewhere* before the packet blocks that require them", which is *allowed* to be "before all packet blocks in the file" but not *required* to be "before all packet blocks in the file".
>
> If the secret isn't available by the time the first packet requiring the secret for decryption is ready to be written to the capture, *somebody* will have to do some form of two-pass processing.
>
> The first option says the consumer must do so; that's inconvenient for a consumer doing one-pass processing (tcpdump, TShark without the -2 option), and isn't even really good for at least some consumers doing two-pass processing (Wireshark, TShark with the -2 option), because dissection is done on the first pass.
>
> The second and third option require either the producer, or some post-processor, to write a new version of the file putting the secrets before the packets that require them.  The producer isn't necessarily responsible for doing so; one might have tcpdump, or dumpcap (or some program using dumpcap, such as TShark or Wireshark) write out a capture with no secrets, and then have another program (a utility, or Wireshark after having read in the file and then given the secret in question) write out a new file with the secrets early enough in the file ("before all the packet blocks" is probably the simplest implementation).
>
> A producer that *does* happen to have the secret available before seeing any packets that require the secret *could* write it directly.
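As an added illustration of the block-placement problem Peter and Guy discuss above (not code from the thread, from Wireshark, or from the pcapng project): a minimal pcapng block walker showing why a one-pass consumer cannot use a secret that follows the packet needing it, and the post-processor rewrite Guy describes that moves every secrets block before the first packet block. The DSB block type 0x0000000A and the TLS key-log secrets type are the values the later pcapng draft assigned, assumed here; the "packet payload names its key" rule is a constructed stand-in for real decryption, and the capture is little-endian only.

```python
import struct
# Block types SHB/IDB/EPB are pcapng; DSB (0x0000000A) and the TLS key-log
# secrets type are the values the later pcapng draft assigned (assumed here).
SHB, IDB, EPB, DSB = 0x0A0D0D0A, 0x00000001, 0x00000006, 0x0000000A
TLS_KEYLOG = 0x544C534B

def block(btype, body):
    """Frame a pcapng block: type, total length, body padded to 4, total length again."""
    body += b"\0" * (-len(body) % 4)
    total = 12 + len(body)
    return struct.pack("<II", btype, total) + body + struct.pack("<I", total)

def parse_blocks(data):
    """Yield (type, body) per block, validating both length fields (little-endian only)."""
    off = 0
    while off < len(data):
        btype, total = struct.unpack_from("<II", data, off)
        if total < 12 or total % 4 or off + total > len(data):
            raise ValueError("bad block length at offset %d" % off)
        if struct.unpack_from("<I", data, off + total - 4)[0] != total:
            raise ValueError("trailing length mismatch at offset %d" % off)
        yield btype, data[off + 8:off + total - 4]
        off += total

def one_pass_decrypt(data):
    """One-pass consumer (tcpdump, TShark without -2): a secret helps only if already seen."""
    secrets, decryptable = set(), []
    for btype, body in parse_blocks(data):
        if btype == DSB:
            secrets.add(body[8:8 + struct.unpack_from("<I", body, 4)[0]])
        elif btype == EPB:
            caplen = struct.unpack_from("<I", body, 12)[0]
            # Toy model: the packet payload names the secret needed to decrypt it.
            decryptable.append(body[20:20 + caplen] in secrets)
    return decryptable

def hoist_secrets(data):
    """Post-processor: rewrite the file so every DSB precedes the first packet block."""
    blocks = list(parse_blocks(data))
    dsbs = [block(t, b) for t, b in blocks if t == DSB]
    rest = [(t, b) for t, b in blocks if t != DSB]
    first_pkt = next((i for i, (t, _) in enumerate(rest) if t == EPB), len(rest))
    framed = [block(t, b) for t, b in rest]
    return b"".join(framed[:first_pkt] + dsbs + framed[first_pkt:])

def sample_capture(secret_first):
    """Constructed capture: SHB, IDB, then one DSB and one EPB in either order."""
    shb = block(SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))
    idb = block(IDB, struct.pack("<HHI", 147, 0, 65535))  # LINKTYPE_USER0, snaplen 65535
    key = b"tls-key-1"
    dsb = block(DSB, struct.pack("<II", TLS_KEYLOG, len(key)) + key)
    epb = block(EPB, struct.pack("<IIIII", 0, 0, 0, len(key), len(key)) + key)
    return shb + idb + (dsb + epb if secret_first else epb + dsb)
```

With the secret written after the packet, `one_pass_decrypt` reports the packet as undecryptable; running the same file through `hoist_secrets` first yields Guy's "before all the packet blocks" layout and the packet becomes decryptable in one pass.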