Ask Your Question
0

TLS 1.3: CCM ciphers not decrypted due to invalid AAD length

asked 2022-08-18 13:20:53 +0000

Gauri gravatar image

updated 2022-08-23 15:36:28 +0000

Recently I had implemented a callback function SSL_CTX_set_keylog_callback()that sets the TLS key logging callback. This callback is called whenever TLS key material is generated or received, in order to allow applications to store this keying material for debugging purposes. I am able to get the required keys and also using that keys I am able to decrypt the packets but some cipher suite are not decrypted. This below 3 ciphers are able to decrypt TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256 TLS_AES_256_GCM_SHA384

And with same config and same code change this below cipher suites are not decrypted, although I am getting the required keys for this. TLS_AES_128_CCM_SHA256 TLS_AES_128_CCM_8_SHA256

I came to know that those 3 working cipher suite are default ciphers and the last two non-working collections need to be explicitly added if required. When creating a list. https://www.microfocus.com/documentat...

May I know if Wireshark supports all 5 tlsv1.3 ciphers or not?

edit retag flag offensive close merge delete

Comments

Can you set the preference for TLS debug file (tls.debug_logfile) (TLS preference settings), do the decode and check the log for errors.

I get these - tls_decrypt_aead_record failed to set AAD: Invalid length - and would like to confirm the same for your decode.

https://github.com/gpg/libgcrypt/blob...: 

  if (abuflen > c->u_mode.ccm.aadlen)
    return GPG_ERR_INV_LENGTH;
packet-tls-utils.c:

Chuckc gravatar imageChuckc ( 2022-08-18 22:14:02 +0000 )edit

Yes, I have tried the same as you suggested, I am also getting the same error.

Gauri gravatar imageGauri ( 2022-08-19 06:37:46 +0000 )edit

Update title on the Gitlab issue also.

Chuckc gravatar imageChuckc ( 2022-08-23 15:42:18 +0000 )edit

7885: tls 1.3: set CCM aad_len for draft >= 25 is merged in and available to test in the Automated builds (Version 4.1.0rc0-94-g4915b646d074 (v4.1.0rc0-94-g4915b646d074). or newer)

Chuckc gravatar imageChuckc ( 2022-08-25 02:23:58 +0000 )edit
add a comment

1 Answer

Sort by ยป oldest newest most voted
0

answered 2022-08-19 13:30:44 +0000

Chuckc gravatar image

Please open a bug report (Gitlab Issue) and add a link back to this question.
I'm not familiar enough with the TLS code to make a change but will add my notes to the issue.

edit flag offensive delete link more

Comments

18277: Unable to decrypt TLS 1.3 packets with the keys got using SSL_CTX_set_keylog_callback openssl API in Wireshark

Chuckc gravatar imageChuckc ( 2022-08-21 17:34:48 +0000 )edit

As you mentioned I have raised a ticket for the issue we are facing, also saw your comments there, just wanted to know is there any update on this issue, I am doing some enhancements for tls and we needed this data but we are stuck because of this, hence contacting you.

Thanks in advance!

Gauri gravatar imageGauri ( 2022-08-23 13:13:17 +0000 )edit

You could try changing the title to be more specific: "TLS 1.3: CCM ciphers not decrypted due to invalid AAD length".
That moves it back up to the top of the issues list and might get more attention.

Chuckc gravatar imageChuckc ( 2022-08-23 14:03:49 +0000 )edit

If you setup a build environment, this change would allow you to decode TLS 1.3 >= than draft 25. The final change to the Wireshark code will need to take the draft version into account and set the value accordingly.

wireshark$ git diff
diff --git a/epan/dissectors/packet-tls-utils.c b/epan/dissectors/packet-tls-utils.c
index 64c6e97f34..79f1b18052 100644
--- a/epan/dissectors/packet-tls-utils.c
+++ b/epan/dissectors/packet-tls-utils.c
@@ -4965,7 +4965,7 @@ tls_decrypt_aead_record(SslDecryptSession *ssl, SslDecoder *decoder,

     if (decoder->cipher_suite->mode == MODE_CCM || decoder->cipher_suite->mode == MODE_CCM_8) {
         /* size of plaintext, additional authenticated data and auth tag. */
-        guint64 lengths[3] = { ciphertext_len, is_v12 ? 13 : 0, auth_tag_len };
+        guint64 lengths[3] = { ciphertext_len, is_v12 ? 13 : 5, auth_tag_len };
         if (is_cid) {
             if (ssl->session.deprecated_cid) {
                 lengths[1] += 1 + cidl; /* cid length (1 byte) + cid (cidl bytes) */
Chuckc gravatar imageChuckc ( 2022-08-23 15:08:59 +0000 )edit

Thanks for the response, with this change would I able to decrypt TLSv1.3:CCM and whether this code change would be available in the next version of wireshark official release?

Gauri gravatar imageGauri ( 2022-08-23 15:45:56 +0000 )edit
see more comments

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2022-08-18 13:20:53 +0000

Seen: 524 times

Last updated: Aug 23 '22

Related questions

Which version of gcrypt and gnutls do I need for tls1.3 decryption

Decrypt the Mobile application "SSL" (or) "TLS" Traffic in wireshark??

My TLS client initiate an unexpected ClientHello to a domain

Decrypt TLS 1.3 with Wireshark

How to decrypt office365 (outlook windows client ) traffic in wireshark?

How to decrypt the "SSL" or "TLS" traffic in wireshark?

Find the server Elliptic curve

Unable to decrypt TLS using (Pre)-Master-Secret log and/or RSA Keys

What is this protocl version sent in the TLS supported_versions extension?

TCP Retransmission during TLS-Handshake