From 170158a65b4513136d995c91f3c3d0862268ca67 Mon Sep 17 00:00:00 2001 From: mathewmarcus Date: Mon, 2 Jul 2018 10:36:54 -0500 Subject: [PATCH 01/12] add l option for SSLKEYLOGFILE --- base/pcap-snoop.c | 9 +++++++-- ssl/ssl_analyze.c | 1 + ssl/ssl_analyze.h | 1 + 3 files changed, 9 insertions(+), 2 deletions(-) diff --git a/base/pcap-snoop.c b/base/pcap-snoop.c index e0c9b62..27b47c8 100644 --- a/base/pcap-snoop.c +++ b/base/pcap-snoop.c @@ -104,7 +104,7 @@ int err_exit(str,num) int usage() { - fprintf(stderr,"Usage: ssldump [-r dumpfile] [-i interface] \n"); + fprintf(stderr,"Usage: ssldump [-r dumpfile] [-i interface] [-l sslkeylogfile] \n"); fprintf(stderr," [-k keyfile] [-p password] [-vtaTnsAxVNde]\n"); fprintf(stderr," [filter]\n"); exit(0); @@ -293,7 +293,7 @@ int main(argc,argv) signal(SIGINT,sig_handler); - while((c=getopt(argc,argv,"vr:F:f:S:yTt:ai:k:p:nsAxXhHVNdqem:P"))!=EOF){ + while((c=getopt(argc,argv,"vr:F:f:S:yTt:ai:k:l:p:nsAxXhHVNdqem:P"))!=EOF){ switch(c){ case 'v': print_version(); @@ -326,6 +326,9 @@ int main(argc,argv) case 'k': SSL_keyfile=strdup(optarg); break; + case 'l': + SSL_keylogfile=strdup(optarg); + break; case 'p': SSL_password=strdup(optarg); break; @@ -465,6 +468,8 @@ int main(argc,argv) free(interface_name); if(SSL_keyfile) free(SSL_keyfile); + if(SSL_keylogfile) + free(SSL_keylogfile); if(SSL_password) free(SSL_password); diff --git a/ssl/ssl_analyze.c b/ssl/ssl_analyze.c index 67b1f73..f5b91fa 100644 --- a/ssl/ssl_analyze.c +++ b/ssl/ssl_analyze.c @@ -77,6 +77,7 @@ static int print_ssl_record PROTO_LIST((ssl_obj *obj,int direction, segment *q,UCHAR *data,int len)); char *SSL_keyfile=0; char *SSL_password=0; +char *SSL_keylogfile=0; #define NEGATE 0x800000 diff --git a/ssl/ssl_analyze.h b/ssl/ssl_analyze.h index d985218..20d2e64 100644 --- a/ssl/ssl_analyze.h +++ b/ssl/ssl_analyze.h 
@@ -82,6 +82,7 @@ extern proto_mod ssl_mod; extern UINT4 SSL_print_flags; extern char *SSL_keyfile; extern char *SSL_password; +extern char *SSL_keylogfile; #endif From 3020239022a8236853d3215436a61eb3fb35cd9a Mon Sep 17 00:00:00 2001 From: mathewmarcus Date: Mon, 2 Jul 2018 20:52:12 -0500 Subject: [PATCH 02/12] fix decoding and printing of DiffieHellman Client params --- ssl/ssl.enums.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/ssl/ssl.enums.c b/ssl/ssl.enums.c index 55278b1..b5f8014 100644 --- a/ssl/ssl.enums.c +++ b/ssl/ssl.enums.c @@ -466,8 +466,10 @@ static int decode_HandshakeType_ClientKeyExchange(ssl,dir,seg,data) break; case KEX_DH: - SSL_DECODE_OPAQUE_ARRAY(ssl,"DiffieHellmanClientPublicValue", - -(1<<15-1),P_HL,data,0); + SSL_DECODE_OPAQUE_ARRAY(ssl,"DiffieHellmanClientPublicValue", + -((1<<7)-1),P_HL,data,0); + ssl_process_client_key_exchange(ssl, + ssl->decoder,NULL,0); } } return(0); From b261b215740a98e4859c07d039d98932ca830326 Mon Sep 17 00:00:00 2001 From: mathewmarcus Date: Mon, 2 Jul 2018 20:55:51 -0500 Subject: [PATCH 03/12] added sslkeylogfile pointer to decode ctx --- ssl/ssl_analyze.c | 2 +- ssl/ssldecode.c | 12 +++++++++--- ssl/ssldecode.h | 2 +- 3 files changed, 11 insertions(+), 5 deletions(-) diff --git a/ssl/ssl_analyze.c b/ssl/ssl_analyze.c index f5b91fa..5a6b7ea 100644 --- a/ssl/ssl_analyze.c +++ b/ssl/ssl_analyze.c @@ -219,7 +219,7 @@ static int create_ssl_ctx(handle,ctxp) ssl_decode_ctx *ctx=0; int r,_status; - if(r=ssl_decode_ctx_create(&ctx,SSL_keyfile,SSL_password)) + if(r=ssl_decode_ctx_create(&ctx,SSL_keyfile,SSL_password,SSL_keylogfile)) ABORT(r); *ctxp=(proto_ctx *)ctx; diff --git a/ssl/ssldecode.c b/ssl/ssldecode.c index 7c3ee79..656343a 100644 --- a/ssl/ssldecode.c +++ b/ssl/ssldecode.c @@ -76,6 +76,7 @@ struct ssl_decode_ctx_ { SSL_CTX *ssl_ctx; SSL *ssl; r_assoc *session_cache; + FILE *ssl_key_log_file; #else char dummy; /* Some compilers (Win32) don't like empty structs */ 
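Review bot: In the `KEX_DH` case of decode_HandshakeType_ClientKeyExchange (ssl/ssl.enums.c), the new bound `-((1<<7)-1)` caps the client public value at 127 bytes, which fits an ECDH point but not a finite-field DH value, whose TLS encoding carries a two-byte length. The cipher table in this series maps both the ECDHE and the DHE suites to `KEX_DH`, so if SSL_DECODE_OPAQUE_ARRAY derives the width of the length prefix from this bound (its definition is not shown here), DHE handshakes would be misparsed. The result of `ssl_process_client_key_exchange(ssl,ssl->decoder,NULL,0)` is also discarded and the case has no `break`; I would end the case with `break;` and state the intent in a comment such as `/* best effort: without a key log entry the session simply stays encrypted */`. The function body starts outside the hunk.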
@@ -132,10 +133,11 @@ static int password_cb(char *buf,int num,int rwflag,void *userdata) return(strlen(ssl_password)); } -int ssl_decode_ctx_create(dp,keyfile,pass) +int ssl_decode_ctx_create(dp,keyfile,pass,keylogfile) ssl_decode_ctx **dp; char *keyfile; char *pass; + char *keylogfile; { #ifdef OPENSSL ssl_decode_ctx *d=0; @@ -169,6 +171,11 @@ int ssl_decode_ctx_create(dp,keyfile,pass) if(r_assoc_create(&d->session_cache)) ABORT(R_NO_MEMORY); + if(keylogfile && !(d->ssl_key_log_file=fopen(keylogfile, "r"))){ + fprintf(stderr,"Failed to open ssl key log file"); + ABORT(R_INTERNAL); + } + X509V3_add_standard_extensions(); *dp=d; @@ -539,9 +546,8 @@ int ssl_process_client_key_exchange(ssl,d,msg,len) #ifdef OPENSSL int r,_status; int i; - EVP_PKEY *pk; - + if(ssl->cs->kex!=KEX_RSA) return(-1); diff --git a/ssl/ssldecode.h b/ssl/ssldecode.h index 3ef9226..48acafe 100644 --- a/ssl/ssldecode.h +++ b/ssl/ssldecode.h @@ -51,7 +51,7 @@ #define CRDUMPD(a,b) P_(P_CR) {exdump(ssl,a,b);printf("\n");} int ssl_decode_ctx_create PROTO_LIST((ssl_decode_ctx **ctx, - char *keyfile,char *password)); + char *keyfile,char *password,char *keylogfile)); int ssl_decoder_destroy PROTO_LIST((ssl_decoder **dp)); int ssl_decoder_create PROTO_LIST((ssl_decoder **dp,ssl_decode_ctx *ctx)); int ssl_set_client_random PROTO_LIST((ssl_decoder *dp, From cc3446a1ceb1230b771a81ca772f95ef6e00adbc Mon Sep 17 00:00:00 2001 From: mathewmarcus Date: Mon, 2 Jul 2018 20:56:07 -0500 Subject: [PATCH 04/12] added GCM specific ciphersuite info --- ssl/ciphersuites.c | 16 ++++++++-------- ssl/ssl_rec.c | 4 +++- ssl/sslciphers.h | 2 ++ 3 files changed, 13 insertions(+), 9 deletions(-) diff --git a/ssl/ciphersuites.c b/ssl/ciphersuites.c index 1954881..f3e09ff 100644 --- a/ssl/ciphersuites.c +++ b/ssl/ciphersuites.c 
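Review bot: The `fopen` failure path added to ssl_decode_ctx_create (ssl/ssldecode.c) prints a message with no newline, no path and no reason, which makes a mistyped `-l` argument hard to diagnose; `fprintf(stderr,"Failed to open ssl key log file %s: %s\n",keylogfile,strerror(errno));` would do. Nothing in this patch closes the stream stored in `d->ssl_key_log_file`, so the context teardown, if one exists outside the hunk, should `fclose` it. Because this file holds master secrets, I would also add a comment on the new struct field saying that it is opened read-only and owned by the decode context.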
@@ -188,14 +188,14 @@ static SSL_CipherSuite CipherSuites[]={ {49192,KEX_DH,SIG_RSA,ENC_AES256,16,256,256,DIG_SHA384,48,0}, {49193,KEX_DH,SIG_RSA,ENC_AES128,16,128,128,DIG_SHA256,32,0}, {49194,KEX_DH,SIG_RSA,ENC_AES256,16,256,256,DIG_SHA384,48,0}, - {49195,KEX_DH,SIG_DSS,ENC_AES128,4,128,128,DIG_SHA256,32,0}, - {49196,KEX_DH,SIG_DSS,ENC_AES256,4,256,256,DIG_SHA384,48,0}, - {49197,KEX_DH,SIG_DSS,ENC_AES128,4,128,128,DIG_SHA256,32,0}, - {49198,KEX_DH,SIG_DSS,ENC_AES256,4,256,256,DIG_SHA384,48,0}, - {49199,KEX_DH,SIG_RSA,ENC_AES128,4,128,128,DIG_SHA256,32,0}, - {49200,KEX_DH,SIG_RSA,ENC_AES256,4,256,256,DIG_SHA384,48,0}, - {49201,KEX_DH,SIG_RSA,ENC_AES128,4,128,128,DIG_SHA256,32,0}, - {49202,KEX_DH,SIG_RSA,ENC_AES256,4,256,256,DIG_SHA384,48,0}, + {49195,KEX_DH,SIG_DSS,ENC_AES128_GCM,4,128,128,DIG_SHA256,32,0}, + {49196,KEX_DH,SIG_DSS,ENC_AES256_GCM,4,256,256,DIG_SHA384,48,0}, + {49197,KEX_DH,SIG_DSS,ENC_AES128_GCM,4,128,128,DIG_SHA256,32,0}, + {49198,KEX_DH,SIG_DSS,ENC_AES256_GCM,4,256,256,DIG_SHA384,48,0}, + {49199,KEX_DH,SIG_RSA,ENC_AES128_GCM,4,128,128,DIG_SHA256,32,0}, + {49200,KEX_DH,SIG_RSA,ENC_AES256_GCM,4,256,256,DIG_SHA384,48,0}, + {49201,KEX_DH,SIG_RSA,ENC_AES128_GCM,4,128,128,DIG_SHA256,32,0}, + {49202,KEX_DH,SIG_RSA,ENC_AES256_GCM,4,256,256,DIG_SHA384,48,0}, // Missing: 49203-49211 {49266,KEX_DH,SIG_DSS,ENC_CAMELLIA128,16,128,128,DIG_SHA256,32,0}, {49267,KEX_DH,SIG_DSS,ENC_CAMELLIA256,16,256,256,DIG_SHA256,48,0}, diff --git a/ssl/ssl_rec.c b/ssl/ssl_rec.c index cdf946e..ab9ac6c 100644 --- a/ssl/ssl_rec.c +++ b/ssl/ssl_rec.c @@ -89,7 +89,9 @@ char *ciphers[]={ "CAMELLIA128", "CAMELLIA256", "SEED", - NULL + NULL, + "aes-128-gcm", + "aes-256-gcm" }; diff --git a/ssl/sslciphers.h b/ssl/sslciphers.h index 95e2939..a41aaf4 100644 --- a/ssl/sslciphers.h +++ b/ssl/sslciphers.h 
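Review bot: In `ciphers[]` (ssl/ssl_rec.c) the two GCM names are appended after the existing `NULL` entry, which reads like an end-of-list marker. If the array is indexed by `enc-0x30`, as the order of the `ENC_*` values in ssl/sslciphers.h suggests, that `NULL` is the slot for `ENC_NULL` (0x3a) and the new strings correctly land on 0x3b and 0x3c, but any code that walks the array until `NULL` would never reach them. I would document this in place: `/* indexed by ENC_* - 0x30; the NULL entry is ENC_NULL, not an end marker */`.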
@@ -77,6 +77,8 @@ typedef struct SSL_CipherSuite_ { #define ENC_CAMELLIA256 0x38 #define ENC_SEED 0x39 #define ENC_NULL 0x3a +#define ENC_AES128_GCM 0x3b +#define ENC_AES256_GCM 0x3c #define DIG_MD5 0x40 #define DIG_SHA 0x41 From 4ef8eb376a5994f7ff6d362d797523bf36e85e6e Mon Sep 17 00:00:00 2001 From: mathewmarcus Date: Mon, 2 Jul 2018 20:57:00 -0500 Subject: [PATCH 05/12] added function to extract MS from sslkeylogfile --- ssl/ssldecode.c | 43 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 43 insertions(+) diff --git a/ssl/ssldecode.c b/ssl/ssldecode.c index 656343a..669b931 100644 --- a/ssl/ssldecode.c +++ b/ssl/ssldecode.c @@ -116,6 +116,7 @@ static int ssl_generate_keying_material PROTO_LIST((ssl_obj *ssl, ssl_decoder *d)); static int ssl_generate_session_hash PROTO_LIST((ssl_obj *ssl, ssl_decoder *d)); +static int ssl_read_key_log_file PROTO_LIST((ssl_decoder *d)); #endif static int ssl_create_session_lookup_key PROTO_LIST((ssl_obj *ssl, 
@@ -1057,4 +1058,46 @@ static int ssl_generate_session_hash(ssl,d) abort: return(_status); } + +static int ssl_read_key_log_file(d) + ssl_decoder *d; + { + int r,_status,dgi,n; + unsigned int t; + size_t l=0; + char *line,*label_data; + + while ((n=getline(&line,&l,d->ctx->ssl_key_log_file))!=-1) { + if(n==(d->client_random->len*2)+112 && + !strncmp(line,"CLIENT_RANDOM",13)) { + + if(!(label_data=malloc((d->client_random->len*2)+1))) + ABORT(r); + + for(int i=0;iclient_random->len;i++) + if(snprintf(label_data+(i*2),3,"%02x",d->client_random->data[i])!=2) + ABORT(r); + + if(strncmp(line+14,label_data,64)) + continue; + + if(r=r_data_alloc(&d->MS,48)) + ABORT(r); + + for(int i=0; i < d->MS->len; i++) { + if(sscanf(line+14+65+(i*2),"%2x",&t)!=1) + ABORT(r); + *(d->MS->data+i)=(char)t; + } + } + /* + Eventually add support for other labels defined here: + https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Key_Log_Format + */ + } + _status=0; + abort: + fseek(d->ctx->ssl_key_log_file, SEEK_SET, 0); + return(_status); + } #endif From f788c3a67a98b5ab41ef1f92526daadc51af1fee Mon Sep 17 00:00:00 2001 From: mathewmarcus Date: Wed, 4 Jul 2018 12:14:55 -0500 Subject: [PATCH 06/12] use sslkeylogfile to get MS if possible --- ssl/ssldecode.c | 66 +++++++++++++++++++++++++++---------------------- 1 file changed, 37 insertions(+), 29 deletions(-) diff --git a/ssl/ssldecode.c b/ssl/ssldecode.c index 669b931..d3128cf 100644 --- a/ssl/ssldecode.c +++ b/ssl/ssldecode.c 
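Review bot: ssl_read_key_log_file passes an uninitialised `line` to `getline` with `l=0`, which is undefined behaviour, and every `ABORT(r)` on the malloc, snprintf and sscanf failure paths reads `r` before it has been assigned, so a failure can be reported as success. `label_data` is allocated again for each matching line and never freed, `line` is never freed, the loop keeps scanning after a match, and the `fseek` arguments are swapped (it only works where `SEEK_SET` is 0). The comparisons hard-code 64 hex characters while the buffer is sized from `d->client_random->len`, and `d->client_random` is dereferenced without a NULL check, so a capture that starts after the ClientHello may crash here. The rewrite below keeps the same line format and return convention, and also spells out the first loop header, which looks damaged on this page.

```c
static int ssl_read_key_log_file(d)
  ssl_decoder *d;
  {
    int r,_status,i;
    unsigned int t;
    ssize_t n;
    size_t l=0;
    char *line=NULL;      /* getline() allocates only when handed NULL/0 */
    char label_data[65];  /* 32-byte client random as hex, plus NUL */

    if(!d->client_random || d->client_random->len!=32)
      ABORT(R_INTERNAL);

    /* The client random is fixed for this call, so format it once */
    for(i=0;i<32;i++)
      if(snprintf(label_data+(i*2),3,"%02x",d->client_random->data[i])!=2)
        ABORT(R_INTERNAL);

    while((n=getline(&line,&l,d->ctx->ssl_key_log_file))!=-1){
      if(n!=64+112 || strncmp(line,"CLIENT_RANDOM",13))
        continue;
      if(strncmp(line+14,label_data,64))
        continue;

      if(r=r_data_alloc(&d->MS,48))
        ABORT(r);

      for(i=0;i<48;i++){
        if(sscanf(line+14+65+(i*2),"%2x",&t)!=1)
          ABORT(R_INTERNAL);
        *(d->MS->data+i)=(char)t;
      }
      break;              /* first matching entry wins */
    }
    /* … unchanged: note about the other key log labels … */
    _status=0;
  abort:
    if(_status)
      r_data_destroy(&d->MS);  /* never leave a half-parsed secret behind */
    free(line);
    fseek(d->ctx->ssl_key_log_file,0,SEEK_SET);
    return(_status);
  }
```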
@@ -549,36 +549,40 @@ int ssl_process_client_key_exchange(ssl,d,msg,len) int i; EVP_PKEY *pk; - if(ssl->cs->kex!=KEX_RSA) - return(-1); - - if(d->ephemeral_rsa) - return(-1); - - pk=SSL_get_privatekey(d->ctx->ssl); - if(!pk) - return(-1); - - if(pk->type!=EVP_PKEY_RSA) - return(-1); - - if(r=r_data_alloc(&d->PMS,BN_num_bytes(pk->pkey.rsa->n))) - ABORT(r); - - i=RSA_private_decrypt(len,msg,d->PMS->data, - pk->pkey.rsa,RSA_PKCS1_PADDING); - - if(i!=48) - ABORT(SSL_BAD_PMS); - - d->PMS->len=48; - - CRDUMPD("PMS",d->PMS); - /* Remove the master secret if it was there to force keying material regeneration in case we're renegotiating */ r_data_destroy(&d->MS); + + if(!d->ctx->ssl_key_log_file || + ssl_read_key_log_file(d) || + !d->MS){ + if(ssl->cs->kex!=KEX_RSA) + return(-1); + + if(d->ephemeral_rsa) + return(-1); + + pk=SSL_get_privatekey(d->ctx->ssl); + if(!pk) + return(-1); + + if(pk->type!=EVP_PKEY_RSA) + return(-1); + + if(r=r_data_alloc(&d->PMS,BN_num_bytes(pk->pkey.rsa->n))) + ABORT(r); + + i=RSA_private_decrypt(len,msg,d->PMS->data, + pk->pkey.rsa,RSA_PKCS1_PADDING); + + if(i!=48) + ABORT(SSL_BAD_PMS); + + d->PMS->len=48; + + CRDUMPD("PMS",d->PMS); + } switch(ssl->version){ case SSLV3_VERSION: @@ -883,7 +887,8 @@ static int ssl_generate_keying_material(ssl,d) /* Compute the key block. First figure out how much data we need*/ - needed=ssl->cs->dig_len*2; + /* Ideally find a cleaner way to check for AEAD cipher */ + needed=(ssl->cs->enc!=0x3b && ssl->cs->enc!=0x3c)?ssl->cs->dig_len*2:0; needed+=ssl->cs->bits / 4; if(ssl->cs->block>1) needed+=ssl->cs->block*2; 
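Review bot: In ssl_process_client_key_exchange the condition `!d->ctx->ssl_key_log_file || ssl_read_key_log_file(d) || !d->MS` treats a read or parse error in the key log the same as a missing entry and silently falls back to the RSA path, which for non-RSA suites ends in a bare `return(-1)`. A diagnostic such as `DBG((0,"no usable key log entry for this client random"));` before the fallback would show why a session stayed undecrypted. The block also needs a comment on the order of precedence (key log first, then the private key), and when the key log does supply `d->MS` the `d->PMS` buffer is never filled, so please confirm that the version `switch` below does not depend on it. The function starts and ends outside the hunk.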
@@ -895,8 +900,11 @@ static int ssl_generate_keying_material(ssl,d) ABORT(r); ptr=key_block->data; - c_mk=ptr; ptr+=ssl->cs->dig_len; - s_mk=ptr; ptr+=ssl->cs->dig_len; + /* Ideally find a cleaner way to check for AEAD cipher */ + if(ssl->cs->enc!=0x3b && ssl->cs->enc!=0x3c){ + c_mk=ptr; ptr+=ssl->cs->dig_len; + s_mk=ptr; ptr+=ssl->cs->dig_len; + } c_wk=ptr; ptr+=ssl->cs->eff_bits/8; s_wk=ptr; ptr+=ssl->cs->eff_bits/8; From 98a233fc402da92331447c7be1619ab54df45cf3 Mon Sep 17 00:00:00 2001 From: mathewmarcus Date: Wed, 4 Jul 2018 12:17:16 -0500 Subject: [PATCH 07/12] added support for AES GCM decryption --- ssl/ssl_rec.c | 69 ++++++++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 63 insertions(+), 6 deletions(-) diff --git a/ssl/ssl_rec.c b/ssl/ssl_rec.c index ab9ac6c..89a5caa 100644 --- a/ssl/ssl_rec.c +++ b/ssl/ssl_rec.c @@ -61,6 +61,8 @@ static char *RCSSTRING="$Id: ssl_rec.c,v 1.3 2000/11/03 06:38:06 ekr Exp $"; struct ssl_rec_decoder_ { SSL_CipherSuite *cs; Data *mac_key; + Data *implicit_iv; /* for AEAD ciphers */ + Data *write_key; /* for AEAD ciphers */ #ifdef OPENSSL EVP_CIPHER_CTX *evp; #endif @@ -125,8 +127,28 @@ int ssl_create_rec_decoder(dp,cs,mk,sk,iv) ABORT(R_NO_MEMORY); dec->cs=cs; - if(r=r_data_create(&dec->mac_key,mk,cs->dig_len)) + + if(r=r_data_alloc(&dec->mac_key,cs->dig_len)) ABORT(r); + + if(r=r_data_alloc(&dec->implicit_iv,cs->block)) + ABORT(r); + memcpy(dec->implicit_iv->data,iv,cs->block); + + if(r=r_data_create(&dec->write_key,sk,cs->eff_bits/8)) + ABORT(r); + + /* + This is necessary for AEAD ciphers, because we must wait to fully initialize the cipher + in order to include the implicit IV + */ + if(cs->enc==0x3b || cs->enc==0x3c){ + sk=NULL; + iv=NULL; + } + else + memcpy(dec->mac_key->data,mk,cs->dig_len); + if(!(dec->evp=(EVP_CIPHER_CTX *)malloc(sizeof(EVP_CIPHER_CTX)))) ABORT(R_NO_MEMORY); EVP_CIPHER_CTX_init(dec->evp); 
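Review bot: In ssl_generate_keying_material (ssl/ssldecode.c), `c_mk` and `s_mk` are no longer assigned for the GCM suites, so unless they are initialised at their declaration (outside the hunk) the later decoder setup receives indeterminate pointers. An explicit `else { c_mk=NULL; s_mk=NULL; }` after the new `if` makes the "no MAC key for AEAD" case well defined. The function body starts and ends outside the hunk.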
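Review bot: The `memcpy(dec->implicit_iv->data,iv,cs->block)` in ssl_create_rec_decoder (ssl/ssl_rec.c) runs for every suite, including ones for which the caller may never have set `iv`. The key-block code in ssl/ssldecode.c only reserves IV bytes when `cs->block>1`, so for the remaining suites this copy can read through a pointer that does not reference valid data. The extra copy of the write key in `write_key` is likewise needed only for GCM. I would move both allocations inside the `if(cs->enc==0x3b || cs->enc==0x3c)` branch, ahead of `sk=NULL; iv=NULL;`, and keep building `mac_key` from `mk` with `r_data_create` in the `else`. The function body starts and ends outside the hunk.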
@@ -152,6 +174,8 @@ int ssl_destroy_rec_decoder(dp) d=*dp; r_data_destroy(&d->mac_key); + r_data_destroy(&d->implicit_iv); + r_data_destroy(&d->write_key); #ifdef OPENSSL if(d->evp){ EVP_CIPHER_CTX_cleanup(d->evp); @@ -165,6 +189,9 @@ int ssl_destroy_rec_decoder(dp) } +#define MSB(a) ((a>>8)&0xff) +#define LSB(a) (a&0xff) + int ssl_decode_rec_data(ssl,d,ct,version,in,inl,out,outl) ssl_obj *ssl; ssl_rec_decoder *d; @@ -177,12 +204,44 @@ int ssl_decode_rec_data(ssl,d,ct,version,in,inl,out,outl) { #ifdef OPENSSL int pad; - int r,encpadl; - UCHAR *mac,*iv; + int r,encpadl,x; + UCHAR *mac,*iv,aead_tag[13],aead_nonce[12]; CRDUMP("Ciphertext",in,inl); - if(ssl->extensions->encrypt_then_mac==2){ + if(d->cs->enc==0x3b || d->cs->enc==0x3c){ + memcpy(aead_nonce,d->implicit_iv->data,d->implicit_iv->len); + memcpy(aead_nonce+d->implicit_iv->len,in,12-d->implicit_iv->len); + in+=12-d->implicit_iv->len; + inl-=12-d->implicit_iv->len; + + EVP_DecryptInit(d->evp, + NULL, + d->write_key->data, + aead_nonce); + EVP_CIPHER_CTX_ctrl(d->evp,EVP_CTRL_GCM_SET_TAG,16,in+(inl-16)); + inl-=d->cs->eff_bits/8; + + fmt_seq(d->seq,aead_tag); + d->seq++; + aead_tag[8]=ct; + aead_tag[9]=MSB(version); + aead_tag[10]=LSB(version); + aead_tag[11]=MSB(inl); + aead_tag[12]=LSB(inl); + + EVP_DecryptUpdate(d->evp,NULL,outl,aead_tag,13); + EVP_DecryptUpdate(d->evp,out,outl,in,inl); + + if (!(x=EVP_DecryptFinal(d->evp,NULL,&x))) + ERETURN(SSL_BAD_MAC); + } + + /* + Encrypt-then-MAC is not used with AEAD ciphers, as per: + https://tools.ietf.org/html/rfc7366#section-3 + */ + else if(ssl->extensions->encrypt_then_mac==2){ *outl=inl; /* First strip off the MAC */ @@ -267,8 +326,6 @@ int ssl_decode_rec_data(ssl,d,ct,version,in,inl,out,outl) } -#define MSB(a) ((a>>8)&0xff) -#define LSB(a) (a&0xff) #ifdef OPENSSL /* This should go to 2^128, but we're never really going to see From c46019cc62db00a2aaabfc4784c2b946cfe3c878 Mon Sep 17 00:00:00 2001 
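Review bot: The AEAD branch of ssl_decode_rec_data never checks `inl` before subtracting the explicit nonce and tag lengths, so a captured record shorter than 24 bytes makes `inl` negative and `in+(inl-16)` point in front of the buffer. Add a guard first, e.g. `if(d->implicit_iv->len>12 || inl<(12-d->implicit_iv->len)+16) ERETURN(SSL_BAD_MAC);`, which also bounds the copy into `aead_nonce[12]`. The return values of `EVP_DecryptInit`, `EVP_CIPHER_CTX_ctrl` and both `EVP_DecryptUpdate` calls are ignored, and `x` serves as both the output length and the result of `EVP_DecryptFinal`; checking each call and using a separate variable would make a failed tag check unambiguous. `aead_tag` actually holds the 13-byte additional data rather than the tag, so a rename or a comment would help. The function continues outside the hunk.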
From: mathewmarcus Date: Wed, 4 Jul 2018 14:23:17 -0500 Subject: [PATCH 08/12] added case insensitive string comparison macro --- common/include/r_macros.h | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/common/include/r_macros.h b/common/include/r_macros.h index fa1b318..0a9e565 100644 --- a/common/include/r_macros.h +++ b/common/include/r_macros.h @@ -108,5 +108,18 @@ int debug(int class,char *format,...); #define UNIMPLEMENTED do { fprintf(stderr,"Function %s unimplemented\n",__FUNCTION__); abort(); } while(0) +#ifdef STDC_HEADERS +#include +#endif + +#ifndef STRNICMP + +#ifdef _WIN32 +#define STRNICMP(a,b,n) strnicmp(a,b,n) +#else +#define STRNICMP(a,b,n) strncasecmp(a,b,n) +#endif + +#endif #endif From 4a8b677de0e5ee32bc4afa19d340ae43f69c2678 Mon Sep 17 00:00:00 2001 From: mathewmarcus Date: Wed, 4 Jul 2018 14:26:20 -0500 Subject: [PATCH 09/12] added fix for AES256 GCM decryption --- ssl/ssl_rec.c | 7 ++++++- ssl/ssldecode.c | 5 +++-- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/ssl/ssl_rec.c b/ssl/ssl_rec.c index 89a5caa..2be3256 100644 --- a/ssl/ssl_rec.c +++ b/ssl/ssl_rec.c @@ -219,8 +219,13 @@ int ssl_decode_rec_data(ssl,d,ct,version,in,inl,out,outl) NULL, d->write_key->data, aead_nonce); + + /* + Then tag is always 16 bytes, as per: + https://tools.ietf.org/html/rfc5116#section-5.2 + */ EVP_CIPHER_CTX_ctrl(d->evp,EVP_CTRL_GCM_SET_TAG,16,in+(inl-16)); - inl-=d->cs->eff_bits/8; + inl-=16; fmt_seq(d->seq,aead_tag); d->seq++; diff --git a/ssl/ssldecode.c b/ssl/ssldecode.c index d3128cf..499680e 100644 --- a/ssl/ssldecode.c +++ b/ssl/ssldecode.c 
@@ -742,7 +742,8 @@ static int tls12_prf(ssl,secret,usage,rnd1,rnd2,out) memcpy(ptr,rnd2->data,rnd2->len); ptr+=rnd2->len; /* Earlier versions of openssl didn't have SHA256 of course... */ - dgi = MAX(DIG_SHA256, ssl->cs->dig)-0x40; + dgi = MAX(DIG_SHA256, ssl->cs->dig); + dgi-=0x40; if ((md=EVP_get_digestbyname(digests[dgi])) == NULL) { DBG((0,"Cannot get EVP for digest %s, openssl library current?", digests[dgi])); @@ -1086,7 +1087,7 @@ static int ssl_read_key_log_file(d) if(snprintf(label_data+(i*2),3,"%02x",d->client_random->data[i])!=2) ABORT(r); - if(strncmp(line+14,label_data,64)) + if(STRNICMP(line+14,label_data,64)) continue; if(r=r_data_alloc(&d->MS,48)) From 39488f1a84b50b0c46be793f03c9b7721215c452 Mon Sep 17 00:00:00 2001 From: mathewmarcus Date: Wed, 4 Jul 2018 14:53:45 -0500 Subject: [PATCH 10/12] updated relevant ciphersuites with GCM enc --- ssl/ciphersuites.c | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/ssl/ciphersuites.c b/ssl/ciphersuites.c index f3e09ff..eb07c73 100644 --- a/ssl/ciphersuites.c +++ b/ssl/ciphersuites.c 
@@ -130,18 +130,18 @@ static SSL_CipherSuite CipherSuites[]={ {153,KEX_DH,SIG_DSS,ENC_SEED,16,128,128,DIG_SHA,20,0}, {154,KEX_DH,SIG_RSA,ENC_SEED,16,128,128,DIG_SHA,20,0}, {155,KEX_DH,SIG_NONE,ENC_SEED,16,128,128,DIG_SHA,20,0}, - {156,KEX_RSA,SIG_RSA,ENC_AES128,4,128,128,DIG_SHA256,32,0}, - {157,KEX_RSA,SIG_RSA,ENC_AES256,4,256,256,DIG_SHA384,48,0}, - {158,KEX_DH,SIG_RSA,ENC_AES128,4,128,128,DIG_SHA256,32,0}, - {159,KEX_DH,SIG_RSA,ENC_AES256,4,256,256,DIG_SHA384,48,0}, - {160,KEX_DH,SIG_RSA,ENC_AES128,4,128,128,DIG_SHA256,32,0}, - {161,KEX_DH,SIG_RSA,ENC_AES256,4,256,256,DIG_SHA384,48,0}, - {162,KEX_DH,SIG_DSS,ENC_AES128,4,128,128,DIG_SHA256,32,0}, - {163,KEX_DH,SIG_DSS,ENC_AES256,4,256,256,DIG_SHA384,48,0}, - {164,KEX_DH,SIG_DSS,ENC_AES128,4,128,128,DIG_SHA256,32,0}, - {165,KEX_DH,SIG_DSS,ENC_AES256,4,256,256,DIG_SHA384,48,0}, - {166,KEX_DH,SIG_NONE,ENC_AES128,4,128,128,DIG_SHA256,32,0}, - {167,KEX_DH,SIG_NONE,ENC_AES256,4,256,256,DIG_SHA384,48,0}, + {156,KEX_RSA,SIG_RSA,ENC_AES128_GCM,4,128,128,DIG_SHA256,32,0}, + {157,KEX_RSA,SIG_RSA,ENC_AES256_GCM,4,256,256,DIG_SHA384,48,0}, + {158,KEX_DH,SIG_RSA,ENC_AES128_GCM,4,128,128,DIG_SHA256,32,0}, + {159,KEX_DH,SIG_RSA,ENC_AES256_GCM,4,256,256,DIG_SHA384,48,0}, + {160,KEX_DH,SIG_RSA,ENC_AES128_GCM,4,128,128,DIG_SHA256,32,0}, + {161,KEX_DH,SIG_RSA,ENC_AES256_GCM,4,256,256,DIG_SHA384,48,0}, + {162,KEX_DH,SIG_DSS,ENC_AES128_GCM,4,128,128,DIG_SHA256,32,0}, + {163,KEX_DH,SIG_DSS,ENC_AES256_GCM,4,256,256,DIG_SHA384,48,0}, + {164,KEX_DH,SIG_DSS,ENC_AES128_GCM,4,128,128,DIG_SHA256,32,0}, + {165,KEX_DH,SIG_DSS,ENC_AES256_GCM,4,256,256,DIG_SHA384,48,0}, + {166,KEX_DH,SIG_NONE,ENC_AES128_GCM,4,128,128,DIG_SHA256,32,0}, + {167,KEX_DH,SIG_NONE,ENC_AES256_GCM,4,256,256,DIG_SHA384,48,0}, // Missing: 168-185 {186,KEX_RSA,SIG_RSA,ENC_CAMELLIA128,16,128,128,DIG_SHA256,32,0}, {187,KEX_DH,SIG_DSS,ENC_CAMELLIA128,16,128,128,DIG_SHA256,32,0}, From 6d136a554781a0925a9bd90465769afc5c6436bc Mon Sep 17 00:00:00 2001 
From: mathewmarcus Date: Wed, 4 Jul 2018 15:04:10 -0500 Subject: [PATCH 11/12] update man page with -l sslkeylogfile option --- ssldump.1 | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/ssldump.1 b/ssldump.1 index ca5681c..a4a8e97 100644 --- a/ssldump.1 +++ b/ssldump.1 @@ -74,6 +74,10 @@ ssldump \- dump SSL traffic on a network .I keyfile ] [ +.B \-l +.I sslkeylogfile +] +[ .B \-p .I password ] @@ -210,6 +214,10 @@ Use \fIkeyfile\fP as the location of the SSL keyfile (OpenSSL format) Previous versions of ssldump automatically looked in ./server.pem. Now you must specify your keyfile every time. .TP +.BI \-l " sslkeylogfile" +Use \fIsslkeylogfile\fP as the location of the SSLKEYLOGFILE +(https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Key_Log_Format) +.TP .BI \-p " password" Use \fIpassword\fP as the SSL keyfile password. .TP From 32b343791a57f1f316238a03af85571ea8a647de Mon Sep 17 00:00:00 2001 From: mathewmarcus Date: Wed, 4 Jul 2018 15:31:29 -0500 Subject: [PATCH 12/12] use macro to check if cipher is AEAD --- ssl/ssl_rec.c | 5 ++--- ssl/ssl_rec.h | 1 + ssl/ssldecode.c | 4 ++-- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/ssl/ssl_rec.c b/ssl/ssl_rec.c index 2be3256..098bb2d 100644 --- a/ssl/ssl_rec.c +++ b/ssl/ssl_rec.c @@ -142,7 +142,7 @@ int ssl_create_rec_decoder(dp,cs,mk,sk,iv) This is necessary for AEAD ciphers, because we must wait to fully initialize the cipher in order to include the implicit IV */ - if(cs->enc==0x3b || cs->enc==0x3c){ + if(IS_AEAD_CIPHER(cs)){ sk=NULL; iv=NULL; } @@ -208,8 +208,7 @@ int ssl_decode_rec_data(ssl,d,ct,version,in,inl,out,outl) UCHAR *mac,*iv,aead_tag[13],aead_nonce[12]; CRDUMP("Ciphertext",in,inl); - - if(d->cs->enc==0x3b || d->cs->enc==0x3c){ + if(IS_AEAD_CIPHER(d->cs)){ memcpy(aead_nonce,d->implicit_iv->data,d->implicit_iv->len); memcpy(aead_nonce+d->implicit_iv->len,in,12-d->implicit_iv->len); in+=12-d->implicit_iv->len; 
diff --git a/ssl/ssl_rec.h b/ssl/ssl_rec.h index 203f55f..fa91b00 100644 --- a/ssl/ssl_rec.h +++ b/ssl/ssl_rec.h @@ -55,5 +55,6 @@ int ssl_create_rec_decoder PROTO_LIST((ssl_rec_decoder **dp, int ssl_decode_rec_data PROTO_LIST((ssl_obj *ssl,ssl_rec_decoder *d, int ct,int version,UCHAR *in,int inl,UCHAR *out,int *outl)); +#define IS_AEAD_CIPHER(cs) (cs->enc==0x3b||cs->enc==0x3c) #endif diff --git a/ssl/ssldecode.c b/ssl/ssldecode.c index 499680e..32946e9 100644 --- a/ssl/ssldecode.c +++ b/ssl/ssldecode.c @@ -889,7 +889,7 @@ static int ssl_generate_keying_material(ssl,d) /* Compute the key block. First figure out how much data we need*/ /* Ideally find a cleaner way to check for AEAD cipher */ - needed=(ssl->cs->enc!=0x3b && ssl->cs->enc!=0x3c)?ssl->cs->dig_len*2:0; + needed=!IS_AEAD_CIPHER(ssl->cs)?ssl->cs->dig_len*2:0; needed+=ssl->cs->bits / 4; if(ssl->cs->block>1) needed+=ssl->cs->block*2; @@ -902,7 +902,7 @@ static int ssl_generate_keying_material(ssl,d) ptr=key_block->data; /* Ideally find a cleaner way to check for AEAD cipher */ - if(ssl->cs->enc!=0x3b && ssl->cs->enc!=0x3c){ + if(!IS_AEAD_CIPHER(ssl->cs)){ c_mk=ptr; ptr+=ssl->cs->dig_len; s_mk=ptr; ptr+=ssl->cs->dig_len; }
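Review bot: `IS_AEAD_CIPHER(cs)` in ssl/ssl_rec.h expands its argument without parentheses and still compares against the raw values 0x3b and 0x3c instead of the `ENC_AES128_GCM` and `ENC_AES256_GCM` names defined in ssl/sslciphers.h. I would write it as `#define IS_AEAD_CIPHER(cs) ((cs)->enc==ENC_AES128_GCM||(cs)->enc==ENC_AES256_GCM)`, assuming sslciphers.h is visible wherever the macro is used. The two ssl/ssldecode.c hunks that follow keep the comment `/* Ideally find a cleaner way to check for AEAD cipher */`, which is stale now that the macro exists.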