Wireshark-bugs: [Wireshark-bugs] [Bug 9499] DTLS: add decrypt support for TLS_PSK_WITH_AES_128_C
Date: Thu, 05 Dec 2013 16:37:36 +0000

Comment # 18 on bug 9499 from
(In reply to comment #13)
> (In reply to comment #12)
> > (In reply to comment #8)
> > [..]
> > 
> > Yes CCM is an authenticating cipher, it builds its own mac with aes. The
> > last 8 or 16 bytes are the MAC, over the encrypted data itself and some
> > additional data. It is not checked by wireshark.
> 
> Then I would suggest to add a DIG_NA (Not Applicable) macro and use that
> instead
> of some arbitrary, unrelated digest.

I added this in the last patch

> > There was a problem in the patch it used AES128 when it should use AES256,
> > this was fixed and I was able to decrypt your trace and some traces I
> > generated with cyassl.
> 
> Great, confirmed working!

Nice to hear that.

> Some minor comments:
> 
> - There is a line with white space only in packet-ssl-utils.c (before `if
> (ssl_session->cipher_suite.kex == KEX_PSK)`)

Fixed there and in one more place.

> - I think you had too much beer here: "ssl_generate_pre_master_serect"
> (should be "secret" ;))

Fixed, it was too late in the night.

> Besides that, you can consider the dtls PSK patch reviewed. Although the
> diff looks large, most of them come from re-indentation and changing
> whitespace. Where necessary, "break" has been replaced by "return" and some
> redundant code has been removed from the DTLS code.
> 
> For the CCM patch (packet-ssl-utils.h), the "16 Bit Auth" should be "8 byte
> auth tag". Personally, I would abbreviate it to: AEAD_AES_{128,256}_CCM too,
> but I leave that up to you. With the DIG_NA comment noted above, you can
> also consider this reviewed.

I changed this.

I removed the patch converting the SSL Cipher list from decimal to hex, I will
work on your script and make it generate this list automatically and send a
patch later.


You are receiving this mail because:
  • You are watching all bug changes.