Fix SSL 2 version constant to 0x0002 #1694
Conversation
|
It's just bytes order. PCPP here is using host order, and other libraries that you posted are using network order. |
|
If it was byte order, as you suggest, then the constants for SSL 3 and TLS would be wrong. |
SSL 2 uses a version field of 0x0002, not 0x0200. This is confirmed not only in the original Netscape spec [1] and RFC draft of the time [2], but also in major implementations such as OpenSSL [3] and Wireshark [4]. [1] https://www-archive.mozilla.org/projects/security/pki/nss/ssl/draft02.html [2] https://datatracker.ietf.org/doc/html/draft-hickman-netscape-ssl-00 [3] https://github.com/openssl/openssl/blob/OpenSSL_0_9_6m/ssl/ssl2.h#L66-L71 [4] https://github.com/wireshark/wireshark/blob/release-4.4/epan/dissectors/packet-tls-utils.h#L266-L277
|
I missed code in |
|
Closing and reopening to run CI after base branch change. |
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## dev #1694 +/- ##
==========================================
- Coverage 83.15% 83.12% -0.03%
==========================================
Files 277 279 +2
Lines 48185 48433 +248
Branches 10165 10315 +150
==========================================
+ Hits 40067 40261 +194
+ Misses 7237 7047 -190
- Partials 881 1125 +244
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
|
@droe So is this still an issue? |
|
Yes, certainly. Code point 0x0200 is wrong, 0x0002 as proposed in this PR is correct. |
|
@droe In Wireshark the values are: And in PCPP, the current (master) values are: According to the byte order, I think |
|
It should be 0x0002 for SSL 2. This is not a byte order problem (and you're swapping nibbles, not bytes). |
|
I meant: major is 0x00, minor is 0x02. If you swap the bytes, 0x02 can be 0x2. |
|
Not sure I understand what you're saying, uint8_t 0x02 and 0x2 are the same thing. You are running the version uint16_t from the wire through be16toh() at deserialization time, so the code ends up seeing SSLVersion 0x0002 in host byte order for the SSL 2 version bytes |
| @@ -117,7 +117,7 @@ namespace pcpp | |||
| enum SSLVersionEnum | |||
| { | |||
| /** SSL 2.0 */ | |||
| SSL2 = 0x0200, | |||
| SSL2 = 0x0002, | |||
There was a problem hiding this comment.
I wouldn't change the byte order here because it'll be different from the rest of the values in this enum
There was a problem hiding this comment.
@seladb Actually I think 0x0200 is wrong, and it should be 0x0020 based on other enum value byte order.
There was a problem hiding this comment.
@droe Please change the value to 0x0020.
Let take a look a Wireshark code:
#define SSLV2_VERSION 0x0002 /* not in record layer, SSL_CLIENT_SERVER from
http://www-archive.mozilla.org/projects/security/pki/nss/ssl/draft02.html */
#define SSLV3_VERSION 0x300
#define TLSV1_VERSION 0x301
and let's look at PCPP code:
/** SSL 3.0 */
SSL3 = 0x0300,
/** TLS 1.0 */
TLS1_0 = 0x0301,
It's obvious that SSL2 should be 0x0020 instead of 0x0002.
There was a problem hiding this comment.
No, that does not make any sense. You seem to be confused about some key aspect of this. If you explain step by step how you determined the (wrong) value 0x0020, I might be able to tell what exactly you are confused about.
There was a problem hiding this comment.
@seladb could you help double check?
There was a problem hiding this comment.
Do you happen to have a SSLv2 pcap that we can use in tests? If so, it'd be great to add a test for it!
When I wrote this code I couldn't find a pcap file...
There was a problem hiding this comment.
https://github.com/Lekensteyn/wireshark-notes/blob/master/ssl3/sslv2.pcapng
I don't think you currently support SSL 2 record format or SSL 2 compatible SSL 3 handshakes (as per RFC 6101 Appendix E); if you or a user of PCPP were to support the latter, you will have to handle either "0x00 0x02" or "0x03 0x00" / "0x03 0x01" / ... in the handshake version field. Therefore I do believe the best and most correct and useful value for the constant in the enum would be 0x0002. (Also note that SSL 2.0 is called "SSL 0.2" in the old Netscape spec.)
There was a problem hiding this comment.
That's great, thanks! Would you consider adding a test with a single SSLv2 packet from this file?
There was a problem hiding this comment.
SSL2RecordSSL2ClientHelloTest : PASSED
SSL2RecordTLS1ClientHelloTest : PASSED
| PTF_RUN_TEST(SSL2RecordSSL2ClientHelloTest, "ssl;ssl2"); | ||
| PTF_RUN_TEST(SSL2RecordTLS1ClientHelloTest, "ssl;ssl2"); |
There was a problem hiding this comment.
nit: maybe make the names shorter?
SSL2ClientHelloTest
TLS1ClientHelloTest
There was a problem hiding this comment.
That would remove very important information: These are a SSL 2 ClientHello in an SSL 2 record, and TLS 1 ClientHello in an SSL 2 record, respectively. The "SSL 2 record" bit is crucial because the wire format is different. TLS 1 handshake in SSL 2 record is different from a regular TLS 1 handshake in a TLS 1 record.
As of now, PCPP knows how to parse record format for SSL 3 through TLS 1.3, but not SSL 2 (neither plain SSL 2 nor SSL 2 compatible SSL 3 and later).
|
|
||
| pcpp::Packet clientHelloPacket(&rawPacket1); | ||
|
|
||
| // PCPP does not know how to parse SSLv2 yet, so we find the version field manually. |
There was a problem hiding this comment.
I probably miss something here - the change you made in SSLCommon should cover parsing of SSLv2, am I wrong?
Why do we need to parse the packet manually then? 🤔
There was a problem hiding this comment.
Because of what is says in the comment: PCPP does not know how to parse SSL 2 record format, nor SSL 2 handshake messages. While SSL 3 developed from SSL 2 and has similar concepts and a similar structure, it is more useful to think of it as a different protocol. SSL 2 support is not just a matter of looking at the version field in SSL 3 and later. SSL 2 uses a different record format (that has no version field!), different protocol layering, and handshake messages look different. For instance, cipher suite code points are three bytes, not two bytes. Telling the difference between SSL 2 and SSL 3 without context is not straightforward and takes heuristics.
The point of this PR is only to fix the objectively wrong SSL 2 version code point from 0x0200 to the only code point you'll ever see on the wire for SSL 2: 0x0002.
To bring full SSL 2 support to PCPP, much more work would be needed.
I've included the tests that you asked for only to settle the "endianness" misconceptions by demonstrating that with SSL 2 compatible SSL 3 / TLS handshakes (as per RFC 6101 Appendix E), you will see 0x0002 for an SSL 2 ClientHello transported over an SSL 2 record, and 0x0301 for an TLS 1 ClientHello transported over an SSL 2 record.
There was a problem hiding this comment.
I didn't realize SSLv2 is so different from SSLv3 (aka TLS). Maybe the solution is to actually remove SSLv2 from the enum if we don't actually support it?
I assume no one complained so far because they didn't use SSLv2, so even though it's a breaking change it's not really breaking anything because things are already broken... 😕
@droe do you think it'd be worth the effort to implement a separate SSLv2 parser?
There was a problem hiding this comment.
I concur, removing SSL2 from the enum would also be a sensible fix. Happy to update the branch accordingly if you prefer to go down that route.
I don't have an opinion on whether it's worth implementing full support for SSL 2 and/or SSL 2 compatible SSL 3 / TLS 1.x in PCPP. For most use of PCPP, it's probably irrelevant. For some niche use cases, it might be useful. I'm not sure if it can be done without API-breaking changes.
I'm not going to be contributing full support for SSL 2 or SSL 2 compatible SSL 3 / TLS 1.x. My mission is just to shepherd this change in order to fix or remove the wrong code point for SSL 2.
| @@ -117,7 +117,7 @@ namespace pcpp | |||
| enum SSLVersionEnum | |||
| { | |||
| /** SSL 2.0 */ | |||
| SSL2 = 0x0200, | |||
| SSL2 = 0x0002, | |||
There was a problem hiding this comment.
@droe Please change the value to 0x0020.
Let take a look a Wireshark code:
#define SSLV2_VERSION 0x0002 /* not in record layer, SSL_CLIENT_SERVER from
http://www-archive.mozilla.org/projects/security/pki/nss/ssl/draft02.html */
#define SSLV3_VERSION 0x300
#define TLSV1_VERSION 0x301
and let's look at PCPP code:
/** SSL 3.0 */
SSL3 = 0x0300,
/** TLS 1.0 */
TLS1_0 = 0x0301,
It's obvious that SSL2 should be 0x0020 instead of 0x0002.
SSL 2 uses a version field of 0x0002, not 0x0200. This is confirmed not only in the original Netscape spec [1] and RFC draft of the time [2], but also in major implementations such as OpenSSL [3] and Wireshark [4].
[1] https://www-archive.mozilla.org/projects/security/pki/nss/ssl/draft02.html
[2] https://datatracker.ietf.org/doc/html/draft-hickman-netscape-ssl-00
[3] https://github.com/openssl/openssl/blob/OpenSSL_0_9_6m/ssl/ssl2.h#L66-L71
[4] https://github.com/wireshark/wireshark/blob/release-4.4/epan/dissectors/packet-tls-utils.h#L266-L277