RFC8613 Object Security for Constrained RESTful Environments (OSCORE) defines the Coap Option number 9 as OSCORE Option. Wireshark seems to use the number 21 instead. Is there a newer Wireshark version that will follow RFC8613?

About Wireshark

Version 3.2.1 (v3.2.1-0-gbf38a67724d0)

 No.     Time           Source                Destination           Protocol Length Info
      17 2.335661       192.168.43.207        185.48.228.213        OSCORE   83     CON, MID:2, POST, /
 Frame 17: 83 bytes on wire (664 bits), 83 bytes captured (664 bits) on interface \Device\NPF_{F43FBF10-2A51-4899-AD1DDB3D426FB591}, id 0
 Ethernet II, Src: Microsof_bb:d6:95 (f0:6e:0b:bb:d6:95), Dst: XiaomiCo_2d:2b:5e (7c:03:ab:2d:2b:5e)
 Internet Protocol Version 4, Src: 192.168.43.207, Dst: 185.48.228.213
 User Datagram Protocol, Src Port: 53647, Dst Port: 5683 
 Constrained Application Protocol, Confirmable, POST, MID:2
     01.. .... = Version: 1
     ..00 .... = Type: Confirmable (0)
     .... 0000 = Token Length: 0
     Code: POST (2)
     Message ID: 2
     Opt Name: #1: Uri-Path: (null)
         Opt Desc: Type 11, Critical, Unsafe
         1011 .... = Opt Delta: 11 
         .... 0000 = Opt Length: 0
         Uri-Path: 
     Opt Name: #2: Object-Security: Key ID:102030405060708090a0b0c0, Key ID Context:(null), Partial IV:01234567
         Opt Desc: Type 21, Critical, Safe    
         1010 .... = Opt Delta: 10  
         .... 1101 = Opt Length: 13 
         Opt Length extended: 4
         0... .... = Non-compressed COSE message: False
         .0.. .... = Expanded Flag Byte: False      
         ..0. .... = Signature Present: False 
         ...0 .... = Key ID Context Present: False  
         .... 1... = Key ID Present: True 
         .... .100 = Partial IV Length: 4 
         Partial IV: 01234567 
         Key ID: 102030405060708090a0b0c0
     End of options marker: 255  
     [Uri-Path: /]  
     Encrypted OSCORE Data
         Payload Desc: application/octet-stream
         [Payload Length: 16] 
 Data (16 bytes)
 0000  00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f   ................ 
    Data: 000102030405060708090a0b0c0d0e0f  
    [Length: 16]
 Object Security for Constrained RESTful Environments
    [Expert Info (Warning/Undecoded): Security context not set - can't decrypt]
         [Security context not set - can't decrypt]
         [Severity level: Warning]
         [Group: Undecoded]
Alois Schönbächler
asked 2020-03-22 22:55:55 +0000
Guy Harris
updated 2020-03-23 01:05:56 +0000

Comments

Can you update the question with the output of "wireshark -v" or Help->About Wireshark?
Also a brief description / screen shot / sample capture that shows where the number 21 is.

Chuckc (2020-03-22 23:16:29 +0000)

About Wireshark Version 3.2.1 (v3.2.1-0-gbf38a67724d0)

Alois Schönbächler (2020-03-22 23:50:26 +0000)

The upload of screen shots is not possible. (I have less than 60 points.)

Alois Schönbächler (2020-03-23 00:52:52 +0000)

What would be more useful is a pcap of this packet.
Can you put it on a public file sharing site like Dropbox, Google, OneDrive, ... and post a link to it here?

Chuckc (2020-03-23 01:05:55 +0000)

Guy Harris just formatted my Wireshark trace. He did a great job.

Alois Schönbächler (2020-03-23 01:16:04 +0000)

1 Answer

Is there a newer Wireshark version that will follow RFC8613?

Wireshark 3.4, when it comes out.

The code in the pre-master-branch code has

#define COAP_OPT_OBJECT_SECURITY      21      /* value used in OSCORE plugtests */

while the code in the master branch has

#define COAP_OPT_OBJECT_SECURITY      9       /* RFC 8613 */

I doubt any plugtests will be using 21 any more; the only reason I can see not to backport the change would be if somebody wanted to read old captures from a plugtest, in which case the right thing to do would be to 1) handle both 9 and 21 as OSCORE in the master branch and 2) backport the fix and that change.

Please report this as a bug on the Wireshark Bugzilla, as it's definitely a bug, given what's in the registry of CoAP Option Numbers.

Guy Harris
answered 2020-03-23 01:39:32 +0000
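The option number 21 in the question's trace is the sum of the two option deltas (11 + 10), and the answer suggests treating both 9 and 21 as OSCORE. The following is an added example, not Wireshark's dissector code and not part of the original answer: it walks the CoAP options of a message rebuilt from the dissection fields in the question and accepts either number. The names `find_oscore`, `ext`, `sample` and the two macros are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

#define OSCORE_OPT_RFC8613  9   /* RFC 8613 */
#define OSCORE_OPT_PLUGTEST 21  /* value used in OSCORE plugtests */

/* Constructed sample: CoAP bytes rebuilt from the dissection in the question
 * (header, two options, 0xFF marker); the 16-byte payload is left out. */
static const uint8_t sample[] = {
    0x40, 0x02, 0x00, 0x02,        /* ver 1, CON, TKL 0, POST, MID 2 */
    0xB0,                          /* delta 11, len 0: Uri-Path */
    0xAD, 0x04,                    /* delta 10, len 13 + 4 = 17 */
    0x0C, 0x01, 0x23, 0x45, 0x67,  /* flag byte (Key ID present, n = 4), Partial IV */
    0x10, 0x20, 0x30, 0x40, 0x50, 0x60, 0x70, 0x80, 0x90, 0xA0, 0xB0, 0xC0,
    0xFF };

/* Decode a 4-bit delta/length nibble plus its RFC 7252 extension bytes. */
static int ext(const uint8_t *m, size_t n, size_t *p, unsigned nib, unsigned *out)
{
    if (nib < 13) { *out = nib; return 0; }
    if (nib == 13 && *p + 1 <= n) { *out = 13u + m[(*p)++]; return 0; }
    if (nib == 14 && *p + 2 <= n) {
        *out = 269u + (((unsigned)m[*p] << 8) | m[*p + 1]);
        *p += 2;
        return 0;
    }
    return -1;                     /* nibble 15 is reserved, or message truncated */
}

/* Return the number of the first option that is OSCORE under either numbering
 * (Partial IV length goes to *piv_len); 0 if there is none, -1 if malformed. */
int find_oscore(const uint8_t *m, size_t n, unsigned *piv_len)
{
    if (n < 4) return -1;
    size_t p = 4 + (m[0] & 0x0F);  /* skip fixed header and token */
    unsigned num = 0, delta, len;
    while (p < n && m[p] != 0xFF) {
        uint8_t b = m[p++];
        if (ext(m, n, &p, b >> 4, &delta) || ext(m, n, &p, b & 0x0F, &len)
            || len > n - p) return -1;
        num += delta;              /* option numbers are running sums of deltas */
        if (num == OSCORE_OPT_RFC8613 || num == OSCORE_OPT_PLUGTEST) {
            *piv_len = len ? (m[p] & 0x07u) : 0;  /* low 3 flag bits = n */
            return (int)num;
        }
        p += len;
    }
    return 0;
}

int main(void)
{
    unsigned piv = 0;
    printf("OSCORE option number %d\n", find_oscore(sample, sizeof sample, &piv));
    return 0;
}
```

Because option numbers are delta-encoded in ascending order, a sender that follows RFC 8613 places the OSCORE option (9) before Uri-Path (11), so the two encodings differ in option order as well as in number.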

Comments

The fix should be in the 3.2.3 release when it comes out. That release is currently scheduled for 2020-04-08.

Guy Harris (2020-03-24 03:49:32 +0000)

Excellent work!

Alois Schönbächler (2020-03-24 04:05:31 +0000)

The "work" for putting the fix into 3.2.3 consisted of me clicking a few buttons on Wireshark's Gerrit Web site to apply the fix to the 3.2 branch. The real work was done by Cenk Gündoğan, who submitted the fix to the master branch in this change.

Guy Harris (2020-03-24 06:08:47 +0000)