Wireshark-dev: Re: [Wireshark-dev] payload_proto_id in SCPT dissector
From: João Valverde <joao.valverde@xxxxxxxxxxxxxxxxxx>
Date: Fri, 16 Aug 2019 10:09:43 +0100


On 15/08/19 23:48, Peter Wu wrote:
The problem was introduced with v3.1.1rc0-144-gede7be3440 ("TLS: allow
dissectors to set the appdata protocol via the data param"). Since that
commit, the "data" parameter of TCP is interpreted as a string.

The problem is that the SCTP dissector can also call the TLS dissector
with a non-NULL data parameter:

    dissector_try_uint_new(sctp_port_dissector_table, high_port, payload_tvb, pinfo, tree, TRUE, GUINT_TO_POINTER(ppi)))

This dissector table registration happened in ssl_association_add:

    dissector_add_uint("sctp.port", port, main_handle);

The data parameter is badly overloaded, all I wanted to is to directly
pass data from the EAP dissector to the TLS dissector via
call_dissector_with_data(tls_handle, ...);
Instead we have several things that can go wrong:

 - sctp.port - sctp dissector passes an integer
 - tcp.port - TCP passes a "struct tcpinfo" structure
 - udp.port - UDP passes NULL (ok).

So far I only considered the case where the Lua dissector passes NULL, I
did not think about the above dissector table cases... Meh.

There are at least two ways to fix this:

 - Add an explicit check to ignore the data parameter when invoked
   through the TCP or SCTP dissectors. Disadvantage: any other user that
   adds TLS to their dissector table with non-NULL data will have
   exactly the same issue.
 - Apply my initial approach: do not use the data parameter and instead
   introduce a new function similar to ssl_starttls
   (tls_set_appdata_dissector). That does not reuse existing dissector
   APIs however and is indirect which is why I considered the data
   parameter instead.

João's proposed patch to allow sub-dissectors to pass data via a
hashtable[1] would have a similar affect to the second option, except
that it would require additional code in the TLS dissector to actually
look up the data. Such approaches also do not work if you have nested
TLS traffic for some reason (maybe a VPN tunnel in TLS?).

I would like to understand your concern with encapsulation/nested traffic and [1]. I think the point your are missing, correct me if I'm wrong, is that encapsulation already does not work (for your definition of "not working") with the void data pointer dissector argument and my patch is orthogonal to that issue.

Using a hash table is an indirect method of passing data. A void pointer function argument is a direct method of passing data. So why would the former present problems with nested TLS traffic and the latter not? Any limitations present in one would be present in the other and vice-versa. What am I missing?

What I would like to do is implement a consumer pull model of data passing between dissectors instead of a producer push model. And one that would be Lua friendly too. This seems like a difficult and very time consuming task. One that would require breaking all sorts of compatibility, optimizations and assumptions I suspect.


 [1]: https://code.wireshark.org/review/34049

For now I will consider the first option, but I am open to other
suggestions.

Kind regards,
Peter