1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
|
#include <stdio.h>
#include <string.h>
#include <getopt.h>
#include <pcap/pcap.h>
#include "tinydtls.h"
#include "debug.h"
#include "dtls.h"
#define TRANSPORT_HEADER_SIZE (14+20+8) /* Ethernet + IP + UDP */
/* the pre_master_secret is generated from the PSK at startup */
unsigned char pre_master_secret[60];
size_t pre_master_len = 0;
unsigned char master_secret[DTLS_MASTER_SECRET_LENGTH];
size_t master_secret_len = 0;
dtls_security_parameters_t security_params[2];
int config = 0;
unsigned int epoch[2] = { 0, 0 };
#if DTLS_VERSION == 0xfeff
dtls_hash_t hs_hash[2];
#elif DTLS_VERSION == 0xfefd
dtls_hash_t hs_hash[1];
#endif
static inline void
update_hash(uint8 *record, size_t rlength,
uint8 *data, size_t data_length) {
int i;
if (!hs_hash[0])
return;
for (i = 0; i < sizeof(hs_hash) / sizeof(dtls_hash_t *); ++i) {
dtls_hash_update(hs_hash[i], data, data_length);
}
}
static inline void
finalize_hash(uint8 *buf) {
#if DTLS_VERSION == 0xfeff
unsigned char statebuf[sizeof(md5_state_t) + sizeof(SHA_CTX)];
#elif DTLS_VERSION == 0xfefd
unsigned char statebuf[sizeof(DTLS_SHA256_CTX)];
#endif
if (!hs_hash[0])
return;
/* temporarily store hash status for roll-back after finalize */
#if DTLS_VERSION == 0xfeff
memcpy(statebuf, hs_hash[0], sizeof(md5_state_t));
memcpy(statebuf + sizeof(md5_state_t),
hs_hash[1],
sizeof(SHA_CTX));
#elif DTLS_VERSION == 0xfefd
memcpy(statebuf, hs_hash[0], sizeof(statebuf));
#endif
dtls_hash_finalize(buf, hs_hash[0]);
#if DTLS_VERSION == 0xfeff
dtls_hash_finalize(buf + 16, hs_hash[1]);
#endif
/* restore hash status */
#if DTLS_VERSION == 0xfeff
memcpy(hs_hash[0], statebuf, sizeof(md5_state_t));
memcpy(hs_hash[1],
statebuf + sizeof(md5_state_t),
sizeof(SHA_CTX));
#elif DTLS_VERSION == 0xfefd
memcpy(hs_hash[0], statebuf, sizeof(statebuf));
#endif
}
static inline void
clear_hash() {
int i;
for (i = 0; i < sizeof(hs_hash) / sizeof(dtls_hash_t *); ++i)
free(hs_hash[i]);
memset(hs_hash, 0, sizeof(hs_hash));
}
#undef CURRENT_CONFIG
#undef OTHER_CONFIG
#undef SWITCH_CONFIG
#define CURRENT_CONFIG (&security_params[config])
#define OTHER_CONFIG (&security_params[!(config & 0x01)])
#define SWITCH_CONFIG (config = !(config & 0x01))
int
pcap_verify(dtls_security_parameters_t *sec,
int is_client,
const unsigned char *record, size_t record_length,
const unsigned char *cleartext, size_t cleartext_length) {
unsigned char mac[DTLS_HMAC_MAX];
dtls_hmac_context_t hmac_ctx;
int ok;
if (cleartext_length < dtls_kb_digest_size(sec))
return 0;
dtls_hmac_init(&hmac_ctx,
is_client
? dtls_kb_client_mac_secret(sec)
: dtls_kb_server_mac_secret(sec),
dtls_kb_mac_secret_size(sec));
cleartext_length -= dtls_kb_digest_size(sec);
/* calculate MAC even if padding is wrong */
dtls_mac(&hmac_ctx,
record, /* the pre-filled record header */
cleartext, cleartext_length,
mac);
ok = memcmp(mac, cleartext + cleartext_length,
dtls_kb_digest_size(sec)) == 0;
#ifndef NDEBUG
printf("MAC (%s): ", ok ? "valid" : "invalid");
dump(mac, dtls_kb_digest_size(sec));
printf("\n");
#endif
return ok;
}
int
decrypt_verify(int is_client, const uint8 *packet, size_t length,
uint8 **cleartext, size_t *clen) {
int res, ok = 0;
dtls_cipher_context_t *cipher;
static unsigned char buf[1000];
switch (CURRENT_CONFIG->cipher) {
case AES128: /* TLS_PSK_WITH_AES128_CBC_SHA */
*cleartext = buf;
*clen = length - sizeof(dtls_record_header_t);
if (is_client)
cipher = CURRENT_CONFIG->read_cipher;
else
cipher = CURRENT_CONFIG->write_cipher;
res = dtls_decrypt(cipher,
(uint8 *)packet + sizeof(dtls_record_header_t), *clen,
buf, NULL, 0);
if (res < 0) {
warn("decryption failed!\n");
} else {
ok = pcap_verify(CURRENT_CONFIG, is_client, (uint8 *)packet, length,
*cleartext, res);
if (ok)
*clen = res - dtls_kb_digest_size(CURRENT_CONFIG);
}
break;
default: /* no cipher suite selected */
*cleartext = (uint8 *)packet + sizeof(dtls_record_header_t);
*clen = length - sizeof(dtls_record_header_t);
ok = 1;
}
if (ok)
printf("verify OK\n");
else
printf("verification failed!\n");
return ok;
}
#define SKIP_ETH_HEADER(M,L) \
if ((L) < 14) \
return; \
else { \
(M) += 14; \
(L) -= 14; \
}
#define SKIP_IP_HEADER(M,L) \
if (((M)[0] & 0xF0) == 0x40) { /* IPv4 */ \
(M) += (M[0] & 0x0F) * 4; \
(L) -= (M[0] & 0x0F) * 4; \
} else \
if (((M)[0] & 0xF0) == 0x60) { /* IPv6 */ \
(M) += 40; \
(L) -= 40; \
}
#define SKIP_UDP_HEADER(M,L) { \
(M) += 8; \
(L) -= 8; \
}
void
handle_packet(const u_char *packet, int length) {
static int n = 0;
static unsigned char initial_hello[] = {
0x16, 0xfe, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
};
uint8 *data;
size_t data_length, rlen;
int i, res;
#if DTLS_VERSION == 0xfeff
#ifndef SHA1_DIGEST_LENGTH
#define SHA1_DIGEST_LENGTH 20
#endif
uint8 hash_buf[16 + SHA1_DIGEST_LENGTH];
#elif DTLS_VERSION == 0xfefd
uint8 hash_buf[DTLS_SHA256_DIGEST_LENGTH];
#endif
#define verify_data_length 12
int is_client;
n++;
SKIP_ETH_HEADER(packet, length);
SKIP_IP_HEADER(packet, length);
/* determine from port if this is a client */
is_client = dtls_uint16_to_int(packet) != 20220;
SKIP_UDP_HEADER(packet, length);
while (length) {
rlen = dtls_uint16_to_int(packet + 11) + sizeof(dtls_record_header_t);
if (!rlen) {
fprintf(stderr, "invalid length!\n");
return;
}
/* skip packet if it is from a different epoch */
if (dtls_uint16_to_int(packet + 3) != epoch[is_client])
goto next;
res = decrypt_verify(is_client, packet, rlen,
&data, &data_length);
if (res <= 0)
goto next;
printf("packet %d (from %s):\n", n, is_client ? "client" : "server");
hexdump(packet, sizeof(dtls_record_header_t));
printf("\n");
hexdump(data, data_length);
printf("\n");
if (packet[0] == 22 && data[0] == 1) { /* ClientHello */
if (memcmp(packet, initial_hello, sizeof(initial_hello)) == 0)
goto next;
memcpy(dtls_kb_client_iv(OTHER_CONFIG), data + 14, 32);
clear_hash();
#if DTLS_VERSION == 0xfeff
hs_hash[0] = dtls_new_hash(HASH_MD5);
hs_hash[1] = dtls_new_hash(HASH_SHA1);
hs_hash[0]->init(hs_hash[0]->data);
hs_hash[1]->init(hs_hash[1]->data);
#elif DTLS_VERSION == 0xfefd
dtls_hash_init(hs_hash[0]);
#endif
}
if (packet[0] == 22 && data[0] == 2) { /* ServerHello */
memcpy(dtls_kb_server_iv(OTHER_CONFIG), data + 14, 32);
/* FIXME: search in ciphers */
OTHER_CONFIG->cipher = TLS_PSK_WITH_AES_128_CCM_8;
}
if (packet[0] == 20 && data[0] == 1) { /* ChangeCipherSpec */
printf("client random: ");
dump(dtls_kb_client_iv(OTHER_CONFIG), 32);
printf("\nserver random: ");
dump(dtls_kb_server_iv(OTHER_CONFIG), 32);
printf("\n");
master_secret_len =
dtls_prf(pre_master_secret, pre_master_len,
(unsigned char *)"master secret", 13,
dtls_kb_client_iv(OTHER_CONFIG), 32,
dtls_kb_server_iv(OTHER_CONFIG), 32,
master_secret, DTLS_MASTER_SECRET_LENGTH);
printf("master_secret:\n ");
for(i = 0; i < master_secret_len; i++)
printf("%02x", master_secret[i]);
printf("\n");
/* create key_block from master_secret
* key_block = PRF(master_secret,
"key expansion" + server_random + client_random) */
dtls_prf(master_secret, master_secret_len,
(unsigned char *)"key expansion", 13,
dtls_kb_server_iv(OTHER_CONFIG), 32,
dtls_kb_client_iv(OTHER_CONFIG), 32,
OTHER_CONFIG->key_block,
dtls_kb_size(OTHER_CONFIG));
OTHER_CONFIG->read_cipher =
dtls_cipher_new(OTHER_CONFIG->cipher,
dtls_kb_client_write_key(OTHER_CONFIG),
dtls_kb_key_size(OTHER_CONFIG));
if (!OTHER_CONFIG->read_cipher) {
warn("cannot create read cipher\n");
} else {
dtls_cipher_set_iv(OTHER_CONFIG->read_cipher,
dtls_kb_client_iv(OTHER_CONFIG),
dtls_kb_iv_size(OTHER_CONFIG));
}
OTHER_CONFIG->write_cipher =
dtls_cipher_new(OTHER_CONFIG->cipher,
dtls_kb_server_write_key(OTHER_CONFIG),
dtls_kb_key_size(OTHER_CONFIG));
if (!OTHER_CONFIG->write_cipher) {
warn("cannot create write cipher\n");
} else {
dtls_cipher_set_iv(OTHER_CONFIG->write_cipher,
dtls_kb_server_iv(OTHER_CONFIG),
dtls_kb_iv_size(OTHER_CONFIG));
}
/* if (is_client) */
SWITCH_CONFIG;
epoch[is_client]++;
printf("key_block:\n");
printf(" client_MAC_secret:\t");
dump(dtls_kb_client_mac_secret(CURRENT_CONFIG),
dtls_kb_mac_secret_size(CURRENT_CONFIG));
printf("\n");
printf(" server_MAC_secret:\t");
dump(dtls_kb_server_mac_secret(CURRENT_CONFIG),
dtls_kb_mac_secret_size(CURRENT_CONFIG));
printf("\n");
printf(" client_write_key:\t");
dump(dtls_kb_client_write_key(CURRENT_CONFIG),
dtls_kb_key_size(CURRENT_CONFIG));
printf("\n");
printf(" server_write_key:\t");
dump(dtls_kb_server_write_key(CURRENT_CONFIG),
dtls_kb_key_size(CURRENT_CONFIG));
printf("\n");
printf(" client_IV:\t\t");
dump(dtls_kb_client_iv(CURRENT_CONFIG),
dtls_kb_iv_size(CURRENT_CONFIG));
printf("\n");
printf(" server_IV:\t\t");
dump(dtls_kb_server_iv(CURRENT_CONFIG),
dtls_kb_iv_size(CURRENT_CONFIG));
printf("\n");
}
if (packet[0] == 22) {
if (data[0] == 20) { /* Finished */
finalize_hash(hash_buf);
/* clear_hash(); */
update_hash((unsigned char *)packet, sizeof(dtls_record_header_t),
data, data_length);
dtls_prf(master_secret, master_secret_len,
is_client
? (unsigned char *)"client finished"
: (unsigned char *)"server finished"
, 15,
hash_buf, sizeof(hash_buf),
NULL, 0,
data + sizeof(dtls_handshake_header_t),
verify_data_length);
printf("verify_data:\n");
dump(data, data_length);
printf("\n");
} else {
update_hash((unsigned char *)packet, sizeof(dtls_record_header_t),
data, data_length);
}
}
if (packet[0] == 23) { /* Application Data */
printf("Application Data:\n");
dump(data, data_length);
printf("\n");
}
next:
length -= rlen;
packet += rlen;
}
}
void init() {
memset(security_params, 0, sizeof(security_params));
CURRENT_CONFIG->cipher = -1;
memset(hs_hash, 0, sizeof(hs_hash));
/* set pre_master_secret to default if no PSK was given */
if (!pre_master_len) {
/* unsigned char psk[] = { 0x01, 0x02, 0x03, 0x04, 0x05, 0x06 }; */
pre_master_len =
dtls_pre_master_secret((unsigned char *)"secretPSK", 9,
pre_master_secret);
}
}
int main(int argc, char **argv) {
pcap_t *pcap;
char errbuf[PCAP_ERRBUF_SIZE];
struct pcap_pkthdr *pkthdr;
const u_char *packet;
int res = 0;
int c, option_index = 0;
static struct option opts[] = {
{ "psk", 1, 0, 'p' },
{ 0, 0, 0, 0 }
};
/* handle command line options */
while (1) {
c = getopt_long(argc, argv, "p:", opts, &option_index);
if (c == -1)
break;
switch (c) {
case 'p':
pre_master_len = dtls_pre_master_secret((unsigned char *)optarg,
strlen(optarg), pre_master_secret);
break;
}
}
if (argc <= optind) {
fprintf(stderr, "usage: %s [-p|--psk PSK] pcapfile\n", argv[0]);
return -1;
}
init();
pcap = pcap_open_offline(argv[optind], errbuf);
if (!pcap) {
fprintf(stderr, "pcap_open_offline: %s\n", errbuf);
return -2;
}
for (;;) {
res = pcap_next_ex(pcap, &pkthdr, &packet);
switch(res) {
case -2: goto done;
case -1: pcap_perror(pcap, "read packet"); break;
case 1: handle_packet(packet, pkthdr->caplen); break;
default:
;
}
}
done:
pcap_close(pcap);
return 0;
}
|
