RFC8613 Object Security for Constrained RESTful Environments (OSCORE) defines the Coap Option number 9 as OSCORE Option. Wireshark seems to use the number 21 instead. Is there a newer Wireshark version that will follow RFC8613?

asked 2020-03-22 22:55:55 +0000

updated 2020-03-23 01:05:56 +0000

Guy Harris
19890 ●3 ●633 ●207

About Wireshark

Version 3.2.1 (v3.2.1-0-gbf38a67724d0)

 No.     Time           Source                Destination           Protocol Length Info
      17 2.335661       192.168.43.207        185.48.228.213        OSCORE   83     CON, MID:2, POST, /
 Frame 17: 83 bytes on wire (664 bits), 83 bytes captured (664 bits) on interface \Device\NPF_{F43FBF10-2A51-4899-AD1DDB3D426FB591}, id 0
 Ethernet II, Src: Microsof_bb:d6:95 (f0:6e:0b:bb:d6:95), Dst: XiaomiCo_2d:2b:5e (7c:03:ab:2d:2b:5e)
 Internet Protocol Version 4, Src: 192.168.43.207, Dst: 185.48.228.213
 User Datagram Protocol, Src Port: 53647, Dst Port: 5683 
 Constrained Application Protocol, Confirmable, POST, MID:2
     01.. .... = Version: 1
     ..00 .... = Type: Confirmable (0)
     .... 0000 = Token Length: 0
     Code: POST (2)
     Message ID: 2
     Opt Name: #1: Uri-Path: (null)
         Opt Desc: Type 11, Critical, Unsafe
         1011 .... = Opt Delta: 11 
         .... 0000 = Opt Length: 0
         Uri-Path: 
     Opt Name: #2: Object-Security: Key ID:102030405060708090a0b0c0, Key ID Context:(null), Partial IV:01234567
         Opt Desc: Type 21, Critical, Safe    
         1010 .... = Opt Delta: 10  
         .... 1101 = Opt Length: 13 
         Opt Length extended: 4
         0... .... = Non-compressed COSE message: False
         .0.. .... = Expanded Flag Byte: False      
         ..0. .... = Signature Present: False 
         ...0 .... = Key ID Context Present: False  
         .... 1... = Key ID Present: True 
         .... .100 = Partial IV Length: 4 
         Partial IV: 01234567 
         Key ID: 102030405060708090a0b0c0
     End of options marker: 255  
     [Uri-Path: /]  
     Encrypted OSCORE Data
         Payload Desc: application/octet-stream
         [Payload Length: 16] 
 Data (16 bytes)
 0000  00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f   ................ 
    Data: 000102030405060708090a0b0c0d0e0f  
    [Length: 16] Object Security for Constrained RESTful Environments
    [Expert Info (Warning/Undecoded): Security context not set - can't decrypt]
         [Security context not set - can't decrypt]
         [Severity level: Warning]
         [Group: Undecoded]

edit retag flag offensive close merge delete

Comments

Can update the question with the output of "wireshark -v" or Help->About Wireshark.
Also a brief description / screen shot / sample capture that shows where the number 21 is.

Chuckc ( 2020-03-22 23:16:29 +0000 )edit

About Wireshark Version 3.2.1 (v3.2.1-0-gbf38a67724d0)

Alois Schönbächler ( 2020-03-22 23:50:26 +0000 )edit

The upload of screen shots is not possible. (I have less than 60 Points)

Alois Schönbächler ( 2020-03-23 00:52:52 +0000 )edit

What would be more useful is a pcap of this packet.
Can you put it on a public file sharing site like Dropbox, Google, Onedrive, ... and post a link to it here?

Chuckc ( 2020-03-23 01:05:55 +0000 )edit

Guy Harris just formatted my Wireshark trace. He did a great Job.

Alois Schönbächler ( 2020-03-23 01:16:04 +0000 )edit

see more comments

answered 2020-03-23 01:39:32 +0000

Guy Harris
19890 ●3 ●633 ●207

Is there a newer Wireshark version that will follow RFC8613?

Wireshark 3.4, when it comes out.

The code in the pre-master-branch code has

#define COAP_OPT_OBJECT_SECURITY      21      /* value used in OSCORE plugtests */

while the code in the master branch has

#define COAP_OPT_OBJECT_SECURITY      9       /* RFC 8613 */

I doubt any plugtests will be using 21 any more; the only reason I can see not to backport the change would be if somebody wanted to read old captures from a plugtest, in which case the right thing to do would be to 1) handle both 9 and 21 as OSCORE in the master branch and 2) backport the fix and that change.

Please report this as a bug on the Wireshark Bugzilla, as it's definitely a bug, given what's in the registry of CoAP Option Numbers.

edit flag offensive delete link

Comments

The fix should be in the 3.2.3 release when it comes out. That release is currently scheduled for 2020-04-08.

Guy Harris ( 2020-03-24 03:49:32 +0000 )edit

Excellent work!

Alois Schönbächler ( 2020-03-24 04:05:31 +0000 )edit

The "work" for putting the fix into 3.2.3 consisted of me clicking a few buttons on Wireshark's Gerrit Web site to apply the fix to the 3.2 branch. The real work was done by Cenk Gündoğan, who submitted the fix to the master branch in this change.

Guy Harris ( 2020-03-24 06:08:47 +0000 )edit

add a comment

RFC8613 Object Security for Constrained RESTful Environments (OSCORE) defines the Coap Option number 9 as OSCORE Option. Wireshark seems to use the number 21 instead. Is there a newer Wireshark version that will follow RFC8613?

Comments

1 Answer

Comments

Your Answer

Question Tools

Stats

RFC8613 Object Security for Constrained RESTful Environments (OSCORE) defines the Coap Option number 9 as OSCORE Option. Wireshark seems to use the number 21 instead. Is there a newer Wireshark version that will follow RFC8613? edit

Comments

1 Answer

Comments

Your Answer

Question Tools

Stats

RFC8613 Object Security for Constrained RESTful Environments (OSCORE) defines the Coap Option number 9 as OSCORE Option. Wireshark seems to use the number 21 instead. Is there a newer Wireshark version that will follow RFC8613?