Ask Your Question
0

RFC8613 Object Security for Constrained RESTful Environments (OSCORE) defines the Coap Option number 9 as OSCORE Option. Wireshark seems to use the number 21 instead. Is there a newer Wireshark version that will follow RFC8613?

asked 2020-03-22 22:55:55 +0000

updated 2020-03-23 01:05:56 +0000

Guy Harris gravatar image

RFC8613 Object Security for Constrained RESTful Environments (OSCORE) defines the Coap Option number 9 as OSCORE Option. Wireshark seems to use the number 21 instead. Is there a newer Wireshark version that will follow RFC8613?

About Wireshark

Version 3.2.1 (v3.2.1-0-gbf38a67724d0)

 No.     Time           Source                Destination           Protocol Length Info
      17 2.335661       192.168.43.207        185.48.228.213        OSCORE   83     CON, MID:2, POST, /
 Frame 17: 83 bytes on wire (664 bits), 83 bytes captured (664 bits) on interface \Device\NPF_{F43FBF10-2A51-4899-AD1DDB3D426FB591}, id 0
 Ethernet II, Src: Microsof_bb:d6:95 (f0:6e:0b:bb:d6:95), Dst: XiaomiCo_2d:2b:5e (7c:03:ab:2d:2b:5e)
 Internet Protocol Version 4, Src: 192.168.43.207, Dst: 185.48.228.213
 User Datagram Protocol, Src Port: 53647, Dst Port: 5683 
 Constrained Application Protocol, Confirmable, POST, MID:2
     01.. .... = Version: 1
     ..00 .... = Type: Confirmable (0)
     .... 0000 = Token Length: 0
     Code: POST (2)
     Message ID: 2
     Opt Name: #1: Uri-Path: (null)
         Opt Desc: Type 11, Critical, Unsafe
         1011 .... = Opt Delta: 11 
         .... 0000 = Opt Length: 0
         Uri-Path: 
     Opt Name: #2: Object-Security: Key ID:102030405060708090a0b0c0, Key ID Context:(null), Partial IV:01234567
         Opt Desc: Type 21, Critical, Safe    
         1010 .... = Opt Delta: 10  
         .... 1101 = Opt Length: 13 
         Opt Length extended: 4
         0... .... = Non-compressed COSE message: False
         .0.. .... = Expanded Flag Byte: False      
         ..0. .... = Signature Present: False 
         ...0 .... = Key ID Context Present: False  
         .... 1... = Key ID Present: True 
         .... .100 = Partial IV Length: 4 
         Partial IV: 01234567 
         Key ID: 102030405060708090a0b0c0
     End of options marker: 255  
     [Uri-Path: /]  
     Encrypted OSCORE Data
         Payload Desc: application/octet-stream
         [Payload Length: 16] 
 Data (16 bytes)
 0000  00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f   ................ 
    Data: 000102030405060708090a0b0c0d0e0f  
    [Length: 16] Object Security for Constrained RESTful Environments
    [Expert Info (Warning/Undecoded): Security context not set - can't decrypt]
         [Security context not set - can't decrypt]
         [Severity level: Warning]
         [Group: Undecoded]
edit retag flag offensive close merge delete

Comments

Can update the question with the output of "wireshark -v" or Help->About Wireshark.
Also a brief description / screen shot / sample capture that shows where the number 21 is.

Chuckc gravatar imageChuckc ( 2020-03-22 23:16:29 +0000 )edit

About Wireshark Version 3.2.1 (v3.2.1-0-gbf38a67724d0)

Alois Schönbächler gravatar imageAlois Schönbächler ( 2020-03-22 23:50:26 +0000 )edit

The upload of screen shots is not possible. (I have less than 60 Points)

Alois Schönbächler gravatar imageAlois Schönbächler ( 2020-03-23 00:52:52 +0000 )edit

What would be more useful is a pcap of this packet.
Can you put it on a public file sharing site like Dropbox, Google, Onedrive, ... and post a link to it here?

Chuckc gravatar imageChuckc ( 2020-03-23 01:05:55 +0000 )edit

Guy Harris just formatted my Wireshark trace. He did a great Job.

Alois Schönbächler gravatar imageAlois Schönbächler ( 2020-03-23 01:16:04 +0000 )edit

1 Answer

Sort by » oldest newest most voted
0

answered 2020-03-23 01:39:32 +0000

Guy Harris gravatar image

Is there a newer Wireshark version that will follow RFC8613?

Wireshark 3.4, when it comes out.

The code in the pre-master-branch code has

#define COAP_OPT_OBJECT_SECURITY      21      /* value used in OSCORE plugtests */

while the code in the master branch has

#define COAP_OPT_OBJECT_SECURITY      9       /* RFC 8613 */

I doubt any plugtests will be using 21 any more; the only reason I can see not to backport the change would be if somebody wanted to read old captures from a plugtest, in which case the right thing to do would be to 1) handle both 9 and 21 as OSCORE in the master branch and 2) backport the fix and that change.

Please report this as a bug on the Wireshark Bugzilla, as it's definitely a bug, given what's in the registry of CoAP Option Numbers.

edit flag offensive delete link more

Comments

The fix should be in the 3.2.3 release when it comes out. That release is currently scheduled for 2020-04-08.

Guy Harris gravatar imageGuy Harris ( 2020-03-24 03:49:32 +0000 )edit

Excellent work!

Alois Schönbächler gravatar imageAlois Schönbächler ( 2020-03-24 04:05:31 +0000 )edit

The "work" for putting the fix into 3.2.3 consisted of me clicking a few buttons on Wireshark's Gerrit Web site to apply the fix to the 3.2 branch. The real work was done by Cenk Gündoğan, who submitted the fix to the master branch in this change.

Guy Harris gravatar imageGuy Harris ( 2020-03-24 06:08:47 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2020-03-22 22:55:55 +0000

Seen: 276 times

Last updated: Mar 23 '20