tintinweb / scapy-ssl_tls

SSL/TLS layers for scapy the interactive packet manipulation tool
GNU General Public License v2.0

Building SSL Packet fails #5

Closed eipiminus1 closed 9 years ago

eipiminus1 commented 9 years ago

When trying to resend a captured SSL packet I lose all data in the SSL layer. The reason seems to be some problem in the build process.

SSL('AAAAA').show()

results in

###[ SSL/TLS ]###
  \records\
   |###[ TLS Record ]###
   |  content_type= 65
   |  version= 0x4141
   |  length= 0x4141

while

SSL('AAAAA').show2()

results in

###[ SSL/TLS ]###
  \records\

I tried to dig in deeper and found that in the Packet class in the do_build function:

def do_build(self):
    if not self.explicit:
        self = self.__iter__().next()

the call to self.__iter__().next() kills the content of the SSL layer. I don't yet understand the meaning of the explicit attribute but setting it to 1 helps here :)

eipiminus1 commented 9 years ago

Setting explicit = 1 does keep the content when converting via str() but somehow sendp() still does not send SSL layer content. sendp(str(SSL('AAAAA'))) does work as a workaround.

exploide commented 9 years ago

Setting explicit = 1 does not solve the problem entirely for me.

Example code (the get_payload function is from python-netfilterqueue but shouldn't be relevant here):

p = IP(pkt.get_payload())
if TLSClientHello in p:
    p.show2()

Without explicit = 1, this results in an output containing only the IP and TCP headers. If I apply your modification, it also shows the SSL layer. Fine so far.

But when I try to alter the packet, the SSL layer vanishes when using the show2 function. For example in

p = IP(pkt.get_payload())
if TLSClientHello in p:
    del(p.chksum)
    p.show2()

Some ideas?

eipiminus1 commented 9 years ago

Should be fixed in #6.

exploide commented 9 years ago

seems to work for me. nice! thanks

tintinweb commented 9 years ago

merged https://github.com/tintinweb/scapy-ssl_tls/pull/6 fixing this issue - thx eipiminus1.

here's my testcase, it should read 'True' at the end:

p = TLSRecord()/TLSHandshake()/TLSClientHello(compression_methods=[0x00], 
                                              cipher_suites=[TLSCipherSuite.RSA_WITH_AES_128_CBC_SHA],
                                              random_bytes='R'*28,
                                              extensions=[TLSExtension()/TLSServerNameIndication(server_names=[TLSServerName()])])
sp = SSL(str(p))
print "--show--"
sp.show()
print "--show2--"
sp.show2()
print str(sp.show())==str(sp.show2())
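
The property this issue is about, as an added example that is not part of the thread or of scapy-ssl_tls: show() displays the dissected fields, while show2() first rebuilds the packet from those fields and dissects the result, so both only agree if the build step preserves every byte. The sketch below uses only the Python 3 standard library; `dissect`, `build`, `roundtrip_ok` and `SAMPLE_RECORD` are hypothetical names and the sample bytes are constructed.

```python
import struct

# TLS record header: content_type (1 byte), version (2 bytes), length (2 bytes)
HEADER = struct.Struct("!BHH")

# Constructed sample: handshake record (0x16), version 0x0301, 4 payload bytes
SAMPLE_RECORD = b"\x16\x03\x01\x00\x04" + b"\x01\x00\x00\x00"


def dissect(data):
    """Parse raw bytes into record dicts plus leftover bytes (the show() view)."""
    records, offset = [], 0
    while len(data) - offset >= HEADER.size:
        content_type, version, length = HEADER.unpack_from(data, offset)
        offset += HEADER.size
        # The declared length may exceed what is on the wire (truncated record)
        payload = data[offset:offset + length]
        offset += len(payload)
        records.append({"content_type": content_type, "version": version,
                        "length": length, "payload": payload})
    return records, data[offset:]  # fewer than 5 bytes left: not a full header


def build(records, trailing=b""):
    """Reassemble bytes from parsed fields (the step show2() performs first)."""
    out = b""
    for r in records:
        # Keep the dissected length as-is instead of recomputing it
        out += HEADER.pack(r["content_type"], r["version"], r["length"])
        out += r["payload"]
    return out + trailing


def roundtrip_ok(data):
    """True if dissect -> build -> dissect preserves both bytes and fields."""
    records, trailing = dissect(data)
    rebuilt = build(records, trailing)
    return rebuilt == data and dissect(rebuilt) == (records, trailing)


if __name__ == "__main__":
    # b"AAAAA" is the input from the report: every header byte is 0x41
    for raw in (b"AAAAA", SAMPLE_RECORD, SAMPLE_RECORD + b"\x17\x03"):
        print(raw, dissect(raw)[0], roundtrip_ok(raw))
```

A build step that drops the record list fails `roundtrip_ok` even for the five-byte input, which matches the empty show2() output in the report.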