Wireshark-bugs: [Wireshark-bugs] [Bug 6196] New: Incomplete decryption of multiple TLS record la
Date: Wed, 3 Aug 2011 14:23:49 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6196

           Summary: Incomplete decryption of multiple TLS record layers in
                    single packet
           Product: Wireshark
           Version: 1.6.1
          Platform: x86
        OS/Version: Windows XP
            Status: NEW
          Severity: Normal
          Priority: Low
         Component: Wireshark
        AssignedTo: bugzilla-admin@xxxxxxxxxxxxx
        ReportedBy: toby.bearden@xxxxxxxxx


Build Information:
Version 1.6.1 (SVN Rev 38096 from /trunk-1.6)

Compiled (32-bit) with GTK+ 2.22.1, with GLib 2.26.1, with WinPcap (version
unknown), with libz 1.2.5, without POSIX capabilities, without libpcre, with
SMI
0.4.8, with c-ares 1.7.1, with Lua 5.1, without Python, with GnuTLS 2.10.3,
with
Gcrypt 1.4.6, with MIT Kerberos, with GeoIP, with PortAudio V19-devel (built
Jul
18 2011), with AirPcap.

Running on Windows XP Service Pack 3, build 2600, with WinPcap version 4.1.2
(packet.dll version 4.1.0.2001), based on libpcap version 1.0 branch 1_0_rel0b
(20091008), GnuTLS 2.10.3, Gcrypt 1.4.6, without AirPcap.

Built using Microsoft Visual C++ 9.0 build 21022

--
I have a TLS session that I am trying to decrypt.  I have the server private
key entered for the ip/port in use, and it partially decrypts the session, but
the server response comes back with 2 TLS record layers with only the first one
being decrypted.  

I look at the ssl debug file and it looks like the first record is identified
as "from server - TRUE" and uses the server decrypt, but the second record says
"from server - FALSE" and uses client decrypt which obviously fails.  I don't
see the same behavior on the client packets with multiple TLS record layers. 
See below for server packet debug log...

dissect_ssl enter frame #427 (first time)
  conversation = 051C7820, ssl_session = 051C7B88
  record: offset = 0, reported_length_remaining = 334
dissect_ssl3_record: content_type 23
decrypt_ssl3_record: app_data len 206, ssl state 0x3F
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
ssl_decrypt_record ciphertext len 206
Ciphertext[206]:
68 f2 c5 cc 3e 3d fe fa b8 8a 1d 50 d6 11 cf 2a 
65 38 8f 3a 0e 9e 5d 3d 9e 18 4e bc 20 9c 22 e5 
10 82 7c a2 f9 9b 0a 38 66 cb 51 fa bf 41 a7 1d 
d7 34 d2 eb e2 ca 6a 11 d5 19 1e ed 51 1d 4b 83 
31 5b c6 ab 56 7b 25 4f 12 6f 25 4f 46 3b ca f5 
1f 37 c3 29 20 97 86 3e 1b 5b 32 0a 8f df 02 7b 
6c 2a 10 48 a2 31 7f 9d e9 fb f1 a3 de 03 c1 37 
58 30 9f e7 cf 93 10 00 18 a9 62 c5 4b c8 10 91 
28 52 da fe 92 bb 57 ca 06 f2 c7 b6 9d fe 93 48 
4b c5 88 95 36 ab da c3 b6 82 35 ca 3c 28 60 eb 
ce a0 da b5 9b d8 1a af 1e 46 0e c8 57 c0 f3 f0 
50 76 b3 6b b9 14 29 52 70 5b d2 35 cc d4 8b 5f 
03 8d a1 9a 3f ff ae 21 3a b0 66 cc 9c 8e 
Plaintext[206]:
48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d 
0a 44 61 74 65 3a 20 57 65 64 2c 20 30 33 20 41 
75 67 20 32 30 31 31 20 31 38 3a 30 33 3a 35 34 
20 47 4d 54 0d 0a 58 2d 50 6f 77 65 72 65 64 2d 
42 79 3a 20 53 65 72 76 6c 65 74 20 32 2e 35 3b 
20 4a 42 6f 73 73 2d 35 2e 30 2f 4a 42 6f 73 73 
57 65 62 2d 32 2e 31 0d 0a 43 6f 6e 74 65 6e 74 
2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 
6e 3b 63 68 61 72 73 65 74 3d 55 54 46 2d 38 0d 
0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 
20 39 38 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 
20 63 6c 6f 73 65 0d 0a 0d 0a e0 a5 e9 87 07 b4 
9f 06 57 84 e5 de 58 1c 14 4c cf d6 8e 76 
checking mac (len 186, version 301, ct 23 seq 1)
tls_check_mac mac type:SHA1 md 2
Mac[20]:
e0 a5 e9 87 07 b4 9f 06 57 84 e5 de 58 1c 14 4c 
cf d6 8e 76 
ssl_decrypt_record: mac ok
ssl_add_data_info: new data inserted data_len = 186, seq = 0, nxtseq = 186
association_find: TCP port 443 found 046C6C80
dissect_ssl3_record decrypted len 186
decrypted app data fragment: HTTP/1.1 200 OK
Date: Wed, 03 Aug 2011 18:03:54 GMT
X-Powered-By: Servlet 2.5; JBoss-5.0/JBossWeb-2.1
Content-Type: text/plain;charset=UTF-8
Content-Length: 98
Connection: close

dissect_ssl3_record found association 046C6C80
  record: offset = 211, reported_length_remaining = 123
dissect_ssl3_record: content_type 23
decrypt_ssl3_record: app_data len 118, ssl state 0x3F
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
ssl_decrypt_record ciphertext len 118
Ciphertext[118]:
7a 69 a4 59 b7 dc cf 1a a4 5e c3 29 8d 11 55 5b 
0c 84 c8 33 fb 31 42 e3 7d de a2 cb 4b 74 fd 48 
bf 44 6c bf c0 1b 7e db f0 b9 d0 f8 58 f9 9b ba 
6a d8 a1 93 f8 96 ce 0d 94 36 2e e1 48 8b 82 dc 
38 24 ed e2 67 ca 0c 8a c6 f6 e2 c2 d9 36 6c e9 
87 7e de 39 55 13 d7 76 be dd 85 fd 92 c9 f5 7f 
ae 48 2d 42 b5 a4 52 ee 47 fc ab 21 e4 3f d5 78 
39 c3 c1 82 63 90 
Plaintext[118]:
d9 96 ce 3d 9c 4d f0 22 c3 d6 0a d5 4c 09 41 a2 
f1 62 6e 76 e7 c8 3c df a5 2f 28 13 b4 12 9e 95 
8a 67 aa b1 a1 fe dd 4b fe 5a ca 2a 26 e1 c2 23 
9a 70 34 2d 3b a5 8f 05 ac 4d 59 0c 00 25 35 06 
a0 5d 4c bf 91 c6 6e d8 41 2b c2 ff fb df bd 06 
2a 3c 7f e7 2b 90 09 8c 6c 80 a5 22 18 a3 42 53 
fb 0c c2 4c 94 1b f8 0f cf 4d 07 48 da 3b 7f 7d 
f5 43 21 b5 7a c0 
checking mac (len 98, version 301, ct 23 seq 4)
tls_check_mac mac type:SHA1 md 2
Mac[20]:
48 1e 58 6f 06 49 ee 77 63 2a 42 95 05 03 f0 62 
ee e4 0d 92 
ssl_decrypt_record: mac failed
association_find: TCP port 18516 found 00000000
association_find: TCP port 21584 found 00000000
association_find: TCP port 0 found 00000000

-- 
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.