#8 TLS1.1 and TLS1.2 app data decrypt support

Status: open
Owner: nobody
Labels: None
Priority: 5
Updated: 2011-12-12
Created: 2011-12-12
Creator: David Holmes
Private: No

ssldump -d will decrypt data. This patch adds decryption support for TLS1.1 and 1.2. Does not include DTLS. Also adds cipher string recognition for TLS1.1 and TLS1.2 ciphers.

Note, be sure to use a recent version of OpenSSL that includes AES128/256/512 support.
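
The two pieces of TLS 1.1/1.2 decryption this ticket is about, the PRF whose hash depends on the negotiated cipher suite and the per-record explicit IV that exists only for block ciphers, as an added example in Python. This is not ssldump's code and not the author's patch; it uses only the standard library `hmac`/`hashlib` modules, a small constructed cipher-suite table (the "block size 1 means stream cipher" convention is an assumption mirroring the patch's `cs->block > 1` test), and constructed master secret and random values, so nothing here comes from a real capture.

```python
import hmac
import hashlib

# Rank of each digest so the PRF choice can be expressed as a lower bound,
# the same MAX(DIG_SHA256, cs->dig) idea the discussion settles on.
DIGEST_RANK = {"md5": 0, "sha1": 1, "sha256": 2, "sha384": 3, "sha512": 4}
PRF_FLOOR = "sha256"

# Constructed cipher-suite table: name -> (MAC digest, cipher block size, key length).
# Block size 1 marks a stream cipher; that is an assumption of this example,
# mirroring the patch's `cs->block > 1` test.
SUITES = {
    "TLS_RSA_WITH_RC4_128_SHA":                ("sha1",   1,  16),
    "TLS_RSA_WITH_AES_128_CBC_SHA":            ("sha1",   16, 16),
    "TLS_RSA_WITH_AES_256_CBC_SHA256":         ("sha256", 16, 32),
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384": ("sha384", 16, 32),
}


def prf_digest(mac_digest):
    """TLS 1.2 PRF hash: SHA-256 unless the suite names a stronger hash
    (RFC 5246 section 5; SHA-384 suites per RFC 5289). A suite whose MAC
    digest is SHA-1 or MD5 therefore still derives keys with SHA-256."""
    if DIGEST_RANK[mac_digest] > DIGEST_RANK[PRF_FLOOR]:
        return mac_digest
    return PRF_FLOOR


def p_hash(digest, secret, seed, length):
    """P_<hash>(secret, seed) from RFC 5246 section 5, expanded to `length` bytes."""
    out = b""
    a = seed                                            # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, digest).digest()        # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, digest).digest()
    return out[:length]


def tls12_prf(digest, secret, label, seed, length):
    """PRF(secret, label, seed) = P_<hash>(secret, label + seed)."""
    return p_hash(digest, secret, label + seed, length)


def key_block(suite, master_secret, server_random, client_random):
    """Derive and partition the key block (RFC 5246 section 6.3).
    For TLS 1.2 CBC suites no write IVs are derived: each record carries
    its own explicit IV, which is what the record-layer code must strip."""
    mac_digest, _block, key_len = SUITES[suite]
    mac_len = hashlib.new(mac_digest).digest_size
    need = 2 * (mac_len + key_len)
    kb = tls12_prf(prf_digest(mac_digest), master_secret, b"key expansion",
                   server_random + client_random, need)
    keys, off = {}, 0
    for name, n in (("client_mac", mac_len), ("server_mac", mac_len),
                    ("client_key", key_len), ("server_key", key_len)):
        keys[name] = kb[off:off + n]
        off += n
    return keys


def split_record_payload(version, suite, payload):
    """Separate the explicit IV from the ciphertext of a TLSCiphertext fragment.
    TLS 1.1+ (version >= 0x0302) block ciphers put the CBC IV in front of the
    ciphertext (RFC 4346/5246 section 6.2.3.2); stream ciphers carry none, so
    removing `block` bytes from them would corrupt the stream, the second
    defect discussed in this ticket."""
    _digest, block, _key_len = SUITES[suite]
    if version >= 0x0302 and block > 1:
        if len(payload) < block:
            raise ValueError("record shorter than its explicit IV")
        return payload[:block], payload[block:]
    return b"", payload


if __name__ == "__main__":
    # Constructed inputs, not captured from any real session.
    master_secret = bytes(range(48))
    server_random, client_random = b"\x11" * 32, b"\x22" * 32
    for name, (mac_digest, _b, _k) in SUITES.items():
        k = key_block(name, master_secret, server_random, client_random)
        print(f"{name}: PRF={prf_digest(mac_digest)} client_key={k['client_key'].hex()}")
```

Running it shows the SHA-1 suites and the SHA-256 suite all expanding keys with SHA-256 while the SHA-384 suite switches to SHA-384, and `split_record_payload` only consumes an IV when the version is at least 0x0302 and the cipher is a block cipher.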

Discussion

  • Paul Aurich
    2012-07-15

    There are two minor issues with the patch:
    1) Doesn't factor in hash agility for the HMAC (which is up to the cipher-suite, but has a lower bound of SHA256 for previously-defined ciphersuites), which prevented the PRF from deriving the proper keying material for ciphersuites with weaker HMACs.

    2) Currently tries to remove explicit IVs from stream ciphers (an oversight), which prevents decryption of streams using stream ciphers.

    David and I solved #1 by giving the HMAC a lower bound of MAX(DIG_SHA256, ssl->cs->dig)-0x40, and #2 by ensuring ssl->cs->block > 1.

    Since I'm not seeing an immediately obvious way of including a new attachment in this artifact, below is a diff against ssldump-0.9b3 with the ssldump.tls12-appdata-decrypt.patch applied:

    diff -pur ssldump-0.9b3/ssl/ssldecode.c ssldump-0.9b3-modified/ssl/ssldecode.c
    --- ssldump-0.9b3/ssl/ssldecode.c 2012-07-14 16:58:02.581306589 -0700
    +++ ssldump-0.9b3-modified/ssl/ssldecode.c 2012-07-14 17:04:06.622785719 -0700
    @@ -682,7 +682,7 @@ static int tls12_prf(ssl,secret,usage,rn
    Data *sha_out=0;
    Data *seed;
    UCHAR *ptr;
    - int i;
    + int i, dgi;

    if(r=r_data_alloc(&sha_out,MAX(out->len,64))) /* assume max SHA512 */
    ABORT(r);
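    Review bot: `dgi` is introduced on the `int i, dgi;` line with no hint of what it indexes, while the neighbouring `MAX(out->len,64) /* assume max SHA512 */` shows this function already documents its digest assumptions inline; give the new variable the same treatment, e.g. `int i, dgi; /* index into digests[] for the PRF hash */`, so the clamp applied to it later in the function is understandable from the declaration.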
    @@ -694,9 +694,10 @@ static int tls12_prf(ssl,secret,usage,rn
    memcpy(ptr,rnd2->data,rnd2->len); ptr+=rnd2->len;

    /* Earlier versions of openssl didn't have SHA256 of course... */
    - if ((md=EVP_get_digestbyname(digests[ssl->cs->dig-0x40])) == NULL) {
    + dgi = MAX(DIG_SHA256, ssl->cs->dig)-0x40;
    + if ((md=EVP_get_digestbyname(digests[dgi])) == NULL) {
    DBG((0,"Cannot get EVP for digest %s, openssl library current?",
    - digests[ssl->cs->dig-0x40]));
    + digests[dgi]));
    ERETURN(SSL_BAD_MAC);
    }
    if(r=tls_P_hash(ssl,secret,seed,md,sha_out))
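    Review bot: the clamp on the new `dgi = MAX(DIG_SHA256, ssl->cs->dig)-0x40;` line relies on two things the hunk never states: that the DIG_* constants are numbered from 0x40 upward in the same order as the `digests[]` table, and that TLS 1.2's PRF uses SHA-256 for every suite whose own hash is weaker (RFC 5246 section 5), which is why a SHA-1 MAC suite still keys with SHA-256. The retained comment "Earlier versions of openssl didn't have SHA256 of course..." no longer explains the line it sits above; replace it with that rationale. Since `ssl->cs->dig` comes from the negotiated suite, also bounds-check `dgi` against the size of `digests[]` before indexing and take the existing `ERETURN(SSL_BAD_MAC)` path on failure rather than reading past the table.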
    diff -pur ssldump-0.9b3/ssl/ssl_rec.c ssldump-0.9b3-modified/ssl/ssl_rec.c
    --- ssldump-0.9b3/ssl/ssl_rec.c 2012-07-14 16:58:02.581306589 -0700
    +++ ssldump-0.9b3-modified/ssl/ssl_rec.c 2012-07-14 17:03:11.322561686 -0700
    @@ -198,7 +198,9 @@ int ssl_decode_rec_data(ssl,d,ct,version
    ERETURN(r);
    }
    else{
    - if (ssl->version>=0x0302) { /* for 1.1 and beyond, remove explicit IV */
    + /* TLS 1.1 and beyond: remove explicit IV, only used with
    + * non-stream ciphers. */
    + if (ssl->version>=0x0302 && ssl->cs->block > 1) {
    UINT4 blk = ssl->cs->block;
    if (blk <= *outl) {
    *outl-=blk;
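    Review bot: the new condition `ssl->version>=0x0302 && ssl->cs->block > 1` makes correct stream-cipher handling depend on the cipher table recording stream ciphers with a block size of 1 (or 0), but the new comment only says "only used with non-stream ciphers"; state the `block` convention there so a future table entry does not silently reintroduce the IV-stripping bug. The hunk is cut off after `*outl-=blk;` on this page, so the branch taken when `blk > *outl` (the else of the retained `if (blk <= *outl)` test) cannot be reviewed here; a record shorter than one explicit IV is malformed and should be rejected rather than passed on with the IV bytes still in place.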