
Wireshark-dev: Re: [Wireshark-dev] Trying to decode a TLS 1.3 with null cipher

From: Ahmed Elsherbiny <sherboah@xxxxxxxxx>
Date: Sat, 2 May 2020 10:55:07 -0700
Wow this is great news, thank you Peter!

Regards,
Ahmed

On Sat, May 2, 2020 at 10:21 AM Peter Wu <peter@xxxxxxxxxxxxx> wrote:
Hi Ahmed,

On Fri, May 01, 2020 at 02:10:01PM -0700, Ahmed Elsherbiny wrote:
> Hello,
>
> I've written a dissector for a custom protocol. The dissector works well,
> and now I'm trying to run the protocol over TLS 1.3.
>
> The cipher suite being used is TLS_SHA256_SHA256 (Code: 0xC0B4). This is a
> new cipher suite; it is used for integrity and has a null cipher (the
> payload is actually plaintext). It is still in draft form, here is the
> document that describes it:
> https://www.ietf.org/id/draft-camwinget-tls-ts13-macciphersuites-05.txt
>
> Looking at the ServerHello packet, Wireshark shows the CipherSuite as
> Unknown (0xC0B4). Consequently, it does not provide a "Decrypted
> application data" tab and does not pass the data to my dissector.

The new cipher name was added in the development build via commit
v3.3.0rc0-513-g3e2a837cc0 (https://code.wireshark.org/review/36052). It
is not present in the stable build yet.

> This is what the TLS debug log shows:
[..]
> I tried adding the cipher-suite to packet-tls-utils.c and recompiling
> Wireshark. This is the line that I added, since the document says that
> Diffie-Hellman is the only key exchange that can be used. I'm not completely
> sure that I'm using the correct macros - I don't fully understand TLS.
>
> {0xC0B4, KEX_DH_ANON, ENC_NULL, DIG_SHA256, MODE_GCM }

This is not correct: TLS 1.3 has a different key exchange (KEX_TLS13),
and more changes are needed to ensure that existing TLS 1.3 ciphers do
not break while adding support for this new cipher.

I've created test samples for the two ciphers and posted these at
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16543

I hope to have a patch available tomorrow.
--
Kind regards,
Peter Wu
https://lekensteyn.nl
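Added illustration (not from this thread, and not Wireshark code): a small Python model of what an integrity-only TLS 1.3 record looks like on the wire and why the dissector still needs a proper cipher-suite entry even though nothing is encrypted. The record is header || TLSInnerPlaintext || HMAC-SHA256 tag, so the application bytes are visible to anyone capturing the traffic, but a dissector has to know the tag length (and, to be useful, verify the tag) before it can find the content-type byte and hand the payload to the protocol dissector. The write key, IV and sample payload are constructed values, and the exact MAC input (nonce || record header || inner plaintext) is this example's assumption about the draft, not a statement of what the draft or Wireshark's implementation does.

```python
import hashlib
import hmac
import struct

# Constructed test vectors for this illustration only; a real session derives
# these from the TLS 1.3 key schedule.
WRITE_KEY = bytes(range(32))
WRITE_IV = bytes(range(12))

APPLICATION_DATA = 23                    # TLS ContentType.application_data
LEGACY_VERSION = 0x0303                  # legacy_record_version on the wire
TAG_LEN = hashlib.sha256().digest_size   # 32-byte HMAC-SHA256 tag


def per_record_nonce(write_iv: bytes, seq: int) -> bytes:
    """TLS 1.3 style per-record nonce: 64-bit sequence number XORed into the IV."""
    padded = seq.to_bytes(len(write_iv), "big")
    return bytes(a ^ b for a, b in zip(write_iv, padded))


def record_header(length: int) -> bytes:
    """5-byte TLSCiphertext header; in TLS 1.3 this is the AEAD additional_data."""
    return struct.pack("!BHH", APPLICATION_DATA, LEGACY_VERSION, length)


def protect(key: bytes, iv: bytes, seq: int, data: bytes,
            content_type: int = APPLICATION_DATA) -> bytes:
    """Build one record as header || inner plaintext || tag. Nothing is encrypted."""
    inner = data + bytes([content_type])          # TLSInnerPlaintext without padding
    header = record_header(len(inner) + TAG_LEN)
    # Assumed MAC input: nonce || additional_data || plaintext.
    mac_input = per_record_nonce(iv, seq) + header + inner
    tag = hmac.new(key, mac_input, hashlib.sha256).digest()
    return header + inner + tag


def unprotect(key: bytes, iv: bytes, seq: int, record: bytes):
    """Verify one record and return (content_type, data); raise ValueError on failure."""
    if len(record) < 5 + 1 + TAG_LEN:
        raise ValueError("record too short")
    header, body = record[:5], record[5:]
    ctype, _version, length = struct.unpack("!BHH", header)
    if ctype != APPLICATION_DATA or length != len(body):
        raise ValueError("malformed record header")
    inner, tag = body[:-TAG_LEN], body[-TAG_LEN:]
    expected = hmac.new(key, per_record_nonce(iv, seq) + header + inner,
                        hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):    # constant-time comparison
        raise ValueError("bad_record_mac")
    inner = inner.rstrip(b"\x00")                 # strip TLSInnerPlaintext zero padding
    if not inner:
        raise ValueError("missing content type")
    return inner[-1], inner[:-1]


def demo() -> dict:
    """What a passive capture sees, and what happens on tampering or replay."""
    payload = b"GET / HTTP/1.1\r\n"            # constructed sample application data
    rec = protect(WRITE_KEY, WRITE_IV, 0, payload)
    visible = payload in rec                    # the payload is on the wire verbatim
    ok = unprotect(WRITE_KEY, WRITE_IV, 0, rec) == (APPLICATION_DATA, payload)
    flipped = bytearray(rec)
    flipped[7] ^= 0x01                          # corrupt one byte of the payload
    try:
        unprotect(WRITE_KEY, WRITE_IV, 0, bytes(flipped))
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    try:
        unprotect(WRITE_KEY, WRITE_IV, 1, rec)  # same record, wrong sequence number
        replay_detected = False
    except ValueError:
        replay_detected = True
    return {"plaintext_visible": visible, "verified": ok,
            "tamper_detected": tamper_detected, "replay_detected": replay_detected}


if __name__ == "__main__":
    print(demo())
```

Running the block prints a dict with all four flags true: the payload bytes sit in the capture unencrypted, a flipped byte or a wrong sequence number fails verification, and the dissector side has to strip exactly TAG_LEN bytes and the trailing content-type byte to recover the inner data, which is the work the cipher-suite table entry tells Wireshark how to do.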