ssldump-0.9-openssl.patch

This commit is contained in:
Alexandre Dulaunoy 2015-01-31 10:15:00 +01:00
parent ea12dfe6d2
commit b15b27c315
4 changed files with 75 additions and 24 deletions


@ -206,7 +206,7 @@ int main(argc,argv)
signal(SIGINT,sig_handler); signal(SIGINT,sig_handler);
while((c=getopt(argc,argv,"vr:f:S:Ttai:k:p:nsAxXhHVNdqem:P"))!=EOF){ while((c=getopt(argc,argv,"vr:f:S:yTtai:k:p:nsAxXhHVNdqem:P"))!=EOF){
switch(c){ switch(c){
case 'v': case 'v':
print_version(); print_version();
@ -227,6 +227,9 @@ int main(argc,argv)
case 'a': case 'a':
NET_print_flags |= NET_PRINT_ACKS; NET_print_flags |= NET_PRINT_ACKS;
break; break;
case 'A':
SSL_print_flags |= SSL_PRINT_ALL_FIELDS;
break;
case 'T': case 'T':
NET_print_flags |= NET_PRINT_TCP_HDR; NET_print_flags |= NET_PRINT_TCP_HDR;
break; break;
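Review bot: The getopt string now accepts `y`, but no `case 'y':` appears in this hunk, so unless the switch's default branch resolves unlisted letters through the flags[] table (where the nroff entry receives the `'y'` character in this same commit), getopt will consume `-y` and the option will be silently ignored. That dispatch path is outside the visible lines, so it is worth confirming, and a comment on the `'y'` addition such as `/* -y is resolved through flags[] in the default: branch */` would make the dependency explicit. If that path does exist, the new explicit `case 'A':` may duplicate a table entry for `A`; either route works, but one mechanism should be used consistently for the SSL print flags. main() starts before and continues past the hunk.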


@ -133,7 +133,7 @@ flag_struct flags[]={
SSL_PRINT_DECODE SSL_PRINT_DECODE
}, },
{ {
0, 'y',
"nroff", "nroff",
SSL_PRINT_NROFF SSL_PRINT_NROFF
}, },


@ -51,6 +51,7 @@
#include <openssl/ssl.h> #include <openssl/ssl.h>
#include <openssl/hmac.h> #include <openssl/hmac.h>
#include <openssl/evp.h> #include <openssl/evp.h>
#include <openssl/md5.h>
#include <openssl/x509v3.h> #include <openssl/x509v3.h>
#endif #endif
#include "ssldecode.h" #include "ssldecode.h"
@ -131,7 +132,8 @@ int ssl_decode_ctx_create(dp,keyfile,pass)
ssl_decode_ctx *d=0; ssl_decode_ctx *d=0;
int r,_status; int r,_status;
SSLeay_add_all_algorithms(); SSL_library_init();
OpenSSL_add_all_algorithms();
if(!(d=(ssl_decode_ctx *)malloc(sizeof(ssl_decode_ctx)))) if(!(d=(ssl_decode_ctx *)malloc(sizeof(ssl_decode_ctx))))
ABORT(R_NO_MEMORY); ABORT(R_NO_MEMORY);
if(!(d->ssl_ctx=SSL_CTX_new(SSLv23_server_method()))) if(!(d->ssl_ctx=SSL_CTX_new(SSLv23_server_method())))
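Review bot: `SSL_library_init()` and `OpenSSL_add_all_algorithms()` are process-wide initializers, yet they sit inside ssl_decode_ctx_create and are re-run for every decode context created (as `SSLeay_add_all_algorithms()` was before). A file-static guard keeps that idempotent and cheap: `static int ssl_inited; if(!ssl_inited){ SSL_library_init(); OpenSSL_add_all_algorithms(); ssl_inited=1; }`. Adding `SSL_load_error_strings()` inside the same guard would make a failure of the `SSL_CTX_new` call just below reportable as text rather than a bare error code. Note that on OpenSSL 1.1.0 and later both calls are deprecated no-op macros, so an `OPENSSL_VERSION_NUMBER` conditional will eventually be needed around this block. ssl_decode_ctx_create begins before and continues past the hunk.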


@ -61,12 +61,9 @@ ssldump \- dump SSL traffic on a network
.na .na
.B ssldump .B ssldump
[ [
.B \-vtaTnsAxXhHVNdq .B \-vTshVq
.B \-aAdeHnNqTxXvy
] [ ] [
.B \-r
.I dumpfile
]
[
.B \-i .B \-i
.I interface .I interface
] ]
@ -81,6 +78,16 @@ ssldump \- dump SSL traffic on a network
.I password .I password
] ]
[ [
.B \-r
.I dumpfile
]
.br
.ti +8
[
.B \-S
.RI [\| crypto \||\| d \||\| ht \||\| H \||\| nroff \|]
]
[
.I expression .I expression
] ]
.br .br
@ -125,6 +132,7 @@ any user may run
You must have read access to You must have read access to
.IR /dev/bpf* . .IR /dev/bpf* .
.SH OPTIONS .SH OPTIONS
.TP
.B \-a .B \-a
Print bare TCP ACKs (useful for observing Nagle behavior) Print bare TCP ACKs (useful for observing Nagle behavior)
.TP .TP
@ -135,7 +143,7 @@ the most interesting fields)
.B \-d .B \-d
Display the application data traffic. This usually means Display the application data traffic. This usually means
decrypting it, but when -d is used ssldump will also decode decrypting it, but when -d is used ssldump will also decode
application data traffic _before_ the SSL session initiates. application data traffic \fIbefore\fP the SSL session initiates.
This allows you to see HTTPS CONNECT behavior as well as This allows you to see HTTPS CONNECT behavior as well as
SMTP STARTTLS. As a side effect, since ssldump can't tell SMTP STARTTLS. As a side effect, since ssldump can't tell
whether plaintext is traffic before the initiation of an whether plaintext is traffic before the initiation of an
@ -148,18 +156,9 @@ dumps. See also -X.
.B \-e .B \-e
Print absolute timestamps instead of relative timestamps Print absolute timestamps instead of relative timestamps
.TP .TP
.B \-r
Read data from \fIfile\fP instead of from the network.
The old -f option still works but is deprecated and will
probably be removed with the next version.
.B \-H .B \-H
Print the full SSL packet header. Print the full SSL packet header.
.TP .TP
.B \-k
Use \fIkeyfile\fP as the location of the SSL keyfile (OpenSSL format)
Previous versions of ssldump automatically looked in ./server.pem.
Now you must specify your keyfile every time.
.TP
.B \-n .B \-n
Don't try to resolve host names from IP addresses Don't try to resolve host names from IP addresses
.TP .TP
@ -176,6 +175,12 @@ Don't put the interface into promiscuous mode.
.B \-q .B \-q
Don't decode any record fields beyond a single summary line. (quiet mode). Don't decode any record fields beyond a single summary line. (quiet mode).
.TP .TP
.B \-T
Print the TCP headers.
.TP
.B \-v
Display version and copyright information.
.TP
.B \-x .B \-x
Print each record in hex, as well as decoding it. Print each record in hex, as well as decoding it.
.TP .TP
@ -183,13 +188,48 @@ Print each record in hex, as well as decoding it.
When the -d option is used, binary data is automatically printed When the -d option is used, binary data is automatically printed
in two columns with a hex dump on the left and the printable characters in two columns with a hex dump on the left and the printable characters
on the right. -X suppresses the display of the printable characters, on the right. -X suppresses the display of the printable characters,
thus making it easier to cut and paste the hext data into some other thus making it easier to cut and paste the hex data into some other
program. program.
.TP
.B \-y .B \-y
Decorate the output for processing with troff. Not very Decorate the output for processing with nroff/troff. Not very
useful for the average user. useful for the average user.
.TP .TP
.IP "\fI expression\fP" .BI \-i " interface"
Use \fIinterface\fP as the network interface on which to sniff SSL/TLS
traffic.
.TP
.BI \-k " keyfile"
Use \fIkeyfile\fP as the location of the SSL keyfile (OpenSSL format)
Previous versions of ssldump automatically looked in ./server.pem.
Now you must specify your keyfile every time.
.TP
.BI \-p " password"
Use \fIpassword\fP as the SSL keyfile password.
.TP
.BI \-r " file"
Read data from \fIfile\fP instead of from the network.
The old -f option still works but is deprecated and will
probably be removed with the next version.
.TP
.BI \-S " [ " crypto " | " d " | " ht " | " H " ]"
Specify SSL flags to ssldump. These flags include:
.RS
.TP
.I crypto
Print cryptographic information.
.TP
.I d
Print fields as decoded.
.TP
.I ht
Print the handshake type.
.TP
.I H
Print handshake type and highlights.
.RE
.TP
\fIexpression\fP
.RS .RS
Selects what packets ssldump will examine. Technically speaking, Selects what packets ssldump will examine. Technically speaking,
ssldump supports the full expression syntax from PCAP and tcpdump. ssldump supports the full expression syntax from PCAP and tcpdump.
@ -200,7 +240,7 @@ that ssldump will simply ignore. Only the expressions which
don't result in incomplete TCP streams are listed here. don't result in incomplete TCP streams are listed here.
.LP .LP
The \fIexpression\fP consists of one or more The \fIexpression\fP consists of one or more
.I primitives. .IR primitives .
Primitives usually consist of an Primitives usually consist of an
.I id .I id
(name or number) preceded by one or more qualifiers. There are three (name or number) preceded by one or more qualifiers. There are three
@ -512,5 +552,11 @@ direct experience with ssldump on other networks, please send me patches.
.LP .LP
ssldump doesn't implement session caching and therefore can't decrypt ssldump doesn't implement session caching and therefore can't decrypt
resumed sessions. resumed sessions.
.LP
.SH SEE ALSO
.LP
.BR tcpdump (1)
.LP
.SH AUTHOR
.LP
ssldump was written by Eric Rescorla <ekr@rtfm.com>.