Bug Summary

File:epan/dissectors/packet-tls-utils.c
Warning:line 4881, column 17
Potential leak of memory pointed to by 'handshake_hashed_data.data'

Annotated Source Code

Press '?' to see keyboard shortcuts

clang -cc1 -cc1 -triple x86_64-pc-linux-gnu -analyze -disable-free -clear-ast-before-backend -disable-llvm-verifier -discard-value-names -main-file-name packet-tls-utils.c -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -mrelocation-model pic -pic-level 2 -fhalf-no-semantic-interposition -fno-delete-null-pointer-checks -mframe-pointer=all -relaxed-aliasing -fmath-errno -ffp-contract=on -fno-rounding-math -ffloat16-excess-precision=fast -fbfloat16-excess-precision=fast -mconstructor-aliases -funwind-tables=2 -target-cpu x86-64 -tune-cpu generic -debugger-tuning=gdb -fdebug-compilation-dir=/builds/wireshark/wireshark/build -fcoverage-compilation-dir=/builds/wireshark/wireshark/build -resource-dir /usr/lib/llvm-20/lib/clang/20 -isystem /usr/include/glib-2.0 -isystem /usr/lib/x86_64-linux-gnu/glib-2.0/include -isystem /builds/wireshark/wireshark/epan/dissectors -isystem /builds/wireshark/wireshark/build/epan/dissectors -isystem /usr/include/mit-krb5 -isystem /usr/include/libxml2 -isystem /builds/wireshark/wireshark/epan -D G_DISABLE_DEPRECATED -D G_DISABLE_SINGLE_INCLUDES -D WS_BUILD_DLL -D WS_DEBUG -D WS_DEBUG_UTF_8 -I /builds/wireshark/wireshark/build -I /builds/wireshark/wireshark -I /builds/wireshark/wireshark/include -D _GLIBCXX_ASSERTIONS -internal-isystem /usr/lib/llvm-20/lib/clang/20/include -internal-isystem /usr/local/include -internal-isystem /usr/lib/gcc/x86_64-linux-gnu/14/../../../../x86_64-linux-gnu/include -internal-externc-isystem /usr/include/x86_64-linux-gnu -internal-externc-isystem /include -internal-externc-isystem /usr/include -fmacro-prefix-map=/builds/wireshark/wireshark/= -fmacro-prefix-map=/builds/wireshark/wireshark/build/= -fmacro-prefix-map=../= -Wno-format-truncation -Wno-format-nonliteral -Wno-pointer-sign -std=gnu11 -ferror-limit 19 -fvisibility=hidden -fwrapv -fwrapv-pointer -fstrict-flex-arrays=3 -stack-protector 2 -fstack-clash-protection -fcf-protection=full -fgnuc-version=4.2.1 -fskip-odr-check-in-gmf -fexceptions -fcolor-diagnostics -analyzer-output=html -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /builds/wireshark/wireshark/sbout/2025-09-17-100337-3933-1 -x c /builds/wireshark/wireshark/epan/dissectors/packet-tls-utils.c
1/* packet-tls-utils.c
2 * ssl manipulation functions
3 * By Paolo Abeni <paolo.abeni@email.com>
4 *
5 * Copyright (c) 2013, Hauke Mehrtens <hauke@hauke-m.de>
6 * Copyright (c) 2014, Peter Wu <peter@lekensteyn.nl>
7 *
8 * Wireshark - Network traffic analyzer
9 * By Gerald Combs <gerald@wireshark.org>
10 * Copyright 1998 Gerald Combs
11 *
12 * SPDX-License-Identifier: GPL-2.0-or-later
13 */
14
15#include "config.h"
16
17#include <stdlib.h>
18#include <errno(*__errno_location ()).h>
19
20#include <epan/packet.h>
21#include <epan/strutil.h>
22#include <epan/addr_resolv.h>
23#include <epan/expert.h>
24#include <epan/asn1.h>
25#include <epan/proto_data.h>
26#include <epan/oids.h>
27#include <epan/secrets.h>
28
29#include <wsutil/inet_cidr.h>
30#include <wsutil/filesystem.h>
31#include <wsutil/file_util.h>
32#include <wsutil/str_util.h>
33#include <wsutil/report_message.h>
34#include <wsutil/pint.h>
35#include <wsutil/strtoi.h>
36#include <wsutil/wsgcrypt.h>
37#include <wsutil/rsa.h>
38#include <wsutil/ws_assert.h>
39#include <wsutil/zlib_compat.h>
40#include "packet-ber.h"
41#include "packet-x509af.h"
42#include "packet-x509if.h"
43#include "packet-tls-utils.h"
44#include "packet-ocsp.h"
45#include "packet-tls.h"
46#include "packet-dtls.h"
47#include "packet-quic.h"
48#if defined(HAVE_LIBGNUTLS1)
49#include <gnutls/abstract.h>
50#endif
51
52/* JA3/JA3S calculations must ignore GREASE values
53 * as described in RFC 8701.
54 */
55#define IS_GREASE_TLS(x)((((x) & 0x0f0f) == 0x0a0a) && (((x) & 0xff) ==
(((x)>>8) & 0xff))) ((((x) & 0x0f0f) == 0x0a0a) && \
56 (((x) & 0xff) == (((x)>>8) & 0xff)))
57
58/* Section 22.3 of RFC 9000 (QUIC) reserves values of this
59 * form for a similar purpose as GREASE.
60 */
61#define IS_GREASE_QUIC(x)((x) > 27 ? ((((x) - 27) % 31) == 0) : 0) ((x) > 27 ? ((((x) - 27) % 31) == 0) : 0)
62
63#define DTLS13_MAX_EPOCH10 10
64
65/* Lookup tables {{{ */
66const value_string ssl_version_short_names[] = {
67 { SSLV2_VERSION0x0002, "SSLv2" },
68 { SSLV3_VERSION0x300, "SSLv3" },
69 { TLSV1_VERSION0x301, "TLSv1" },
70 { TLCPV1_VERSION0x101, "TLCP" },
71 { TLSV1DOT1_VERSION0x302, "TLSv1.1" },
72 { TLSV1DOT2_VERSION0x303, "TLSv1.2" },
73 { TLSV1DOT3_VERSION0x304, "TLSv1.3" },
74 { DTLSV1DOT0_VERSION0xfeff, "DTLSv1.0" },
75 { DTLSV1DOT2_VERSION0xfefd, "DTLSv1.2" },
76 { DTLSV1DOT3_VERSION0xfefc, "DTLSv1.3" },
77 { DTLSV1DOT0_OPENSSL_VERSION0x100, "DTLS 1.0 (OpenSSL pre 0.9.8f)" },
78 { 0x00, NULL((void*)0) }
79};
80
81const value_string ssl_versions[] = {
82 { SSLV2_VERSION0x0002, "SSL 2.0" },
83 { SSLV3_VERSION0x300, "SSL 3.0" },
84 { TLSV1_VERSION0x301, "TLS 1.0" },
85 { TLCPV1_VERSION0x101, "TLCP" },
86 { TLSV1DOT1_VERSION0x302, "TLS 1.1" },
87 { TLSV1DOT2_VERSION0x303, "TLS 1.2" },
88 { TLSV1DOT3_VERSION0x304, "TLS 1.3" },
89 { 0x7F0E, "TLS 1.3 (draft 14)" },
90 { 0x7F0F, "TLS 1.3 (draft 15)" },
91 { 0x7F10, "TLS 1.3 (draft 16)" },
92 { 0x7F11, "TLS 1.3 (draft 17)" },
93 { 0x7F12, "TLS 1.3 (draft 18)" },
94 { 0x7F13, "TLS 1.3 (draft 19)" },
95 { 0x7F14, "TLS 1.3 (draft 20)" },
96 { 0x7F15, "TLS 1.3 (draft 21)" },
97 { 0x7F16, "TLS 1.3 (draft 22)" },
98 { 0x7F17, "TLS 1.3 (draft 23)" },
99 { 0x7F18, "TLS 1.3 (draft 24)" },
100 { 0x7F19, "TLS 1.3 (draft 25)" },
101 { 0x7F1A, "TLS 1.3 (draft 26)" },
102 { 0x7F1B, "TLS 1.3 (draft 27)" },
103 { 0x7F1C, "TLS 1.3 (draft 28)" },
104 { 0xFB17, "TLS 1.3 (Facebook draft 23)" },
105 { 0xFB1A, "TLS 1.3 (Facebook draft 26)" },
106 { DTLSV1DOT0_OPENSSL_VERSION0x100, "DTLS 1.0 (OpenSSL pre 0.9.8f)" },
107 { DTLSV1DOT0_VERSION0xfeff, "DTLS 1.0" },
108 { DTLSV1DOT2_VERSION0xfefd, "DTLS 1.2" },
109 { DTLSV1DOT3_VERSION0xfefc, "DTLS 1.3" },
110 { 0x0A0A, "Reserved (GREASE)" }, /* RFC 8701 */
111 { 0x1A1A, "Reserved (GREASE)" }, /* RFC 8701 */
112 { 0x2A2A, "Reserved (GREASE)" }, /* RFC 8701 */
113 { 0x3A3A, "Reserved (GREASE)" }, /* RFC 8701 */
114 { 0x4A4A, "Reserved (GREASE)" }, /* RFC 8701 */
115 { 0x5A5A, "Reserved (GREASE)" }, /* RFC 8701 */
116 { 0x6A6A, "Reserved (GREASE)" }, /* RFC 8701 */
117 { 0x7A7A, "Reserved (GREASE)" }, /* RFC 8701 */
118 { 0x8A8A, "Reserved (GREASE)" }, /* RFC 8701 */
119 { 0x9A9A, "Reserved (GREASE)" }, /* RFC 8701 */
120 { 0xAAAA, "Reserved (GREASE)" }, /* RFC 8701 */
121 { 0xBABA, "Reserved (GREASE)" }, /* RFC 8701 */
122 { 0xCACA, "Reserved (GREASE)" }, /* RFC 8701 */
123 { 0xDADA, "Reserved (GREASE)" }, /* RFC 8701 */
124 { 0xEAEA, "Reserved (GREASE)" }, /* RFC 8701 */
125 { 0xFAFA, "Reserved (GREASE)" }, /* RFC 8701 */
126 { 0x00, NULL((void*)0) }
127};
128
129static const value_string ssl_version_ja4_names[] = {
130 { 0x0100, "s1" },
131 { SSLV2_VERSION0x0002, "s2" },
132 { SSLV3_VERSION0x300, "s3" },
133 { TLSV1_VERSION0x301, "10" },
134 { TLSV1DOT1_VERSION0x302, "11" },
135 { TLSV1DOT2_VERSION0x303, "12" },
136 { TLSV1DOT3_VERSION0x304, "13" },
137 { DTLSV1DOT0_VERSION0xfeff, "d1" },
138 { DTLSV1DOT2_VERSION0xfefd, "d2" },
139 { DTLSV1DOT3_VERSION0xfefc, "d3" },
140 { 0x00, NULL((void*)0) }
141};
142
143const value_string ssl_20_msg_types[] = {
144 { SSL2_HND_ERROR0x00, "Error" },
145 { SSL2_HND_CLIENT_HELLO0x01, "Client Hello" },
146 { SSL2_HND_CLIENT_MASTER_KEY0x02, "Client Master Key" },
147 { SSL2_HND_CLIENT_FINISHED0x03, "Client Finished" },
148 { SSL2_HND_SERVER_HELLO0x04, "Server Hello" },
149 { SSL2_HND_SERVER_VERIFY0x05, "Server Verify" },
150 { SSL2_HND_SERVER_FINISHED0x06, "Server Finished" },
151 { SSL2_HND_REQUEST_CERTIFICATE0x07, "Request Certificate" },
152 { SSL2_HND_CLIENT_CERTIFICATE0x08, "Client Certificate" },
153 { 0x00, NULL((void*)0) }
154};
155/* http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml */
156/* Note: sorted by ascending value so value_string-ext can do a binary search */
157static const value_string ssl_20_cipher_suites[] = {
158 { 0x000000, "TLS_NULL_WITH_NULL_NULL" },
159 { 0x000001, "TLS_RSA_WITH_NULL_MD5" },
160 { 0x000002, "TLS_RSA_WITH_NULL_SHA" },
161 { 0x000003, "TLS_RSA_EXPORT_WITH_RC4_40_MD5" },
162 { 0x000004, "TLS_RSA_WITH_RC4_128_MD5" },
163 { 0x000005, "TLS_RSA_WITH_RC4_128_SHA" },
164 { 0x000006, "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5" },
165 { 0x000007, "TLS_RSA_WITH_IDEA_CBC_SHA" },
166 { 0x000008, "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA" },
167 { 0x000009, "TLS_RSA_WITH_DES_CBC_SHA" },
168 { 0x00000a, "TLS_RSA_WITH_3DES_EDE_CBC_SHA" },
169 { 0x00000b, "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA" },
170 { 0x00000c, "TLS_DH_DSS_WITH_DES_CBC_SHA" },
171 { 0x00000d, "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA" },
172 { 0x00000e, "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA" },
173 { 0x00000f, "TLS_DH_RSA_WITH_DES_CBC_SHA" },
174 { 0x000010, "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA" },
175 { 0x000011, "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA" },
176 { 0x000012, "TLS_DHE_DSS_WITH_DES_CBC_SHA" },
177 { 0x000013, "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA" },
178 { 0x000014, "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA" },
179 { 0x000015, "TLS_DHE_RSA_WITH_DES_CBC_SHA" },
180 { 0x000016, "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA" },
181 { 0x000017, "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5" },
182 { 0x000018, "TLS_DH_anon_WITH_RC4_128_MD5" },
183 { 0x000019, "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA" },
184 { 0x00001a, "TLS_DH_anon_WITH_DES_CBC_SHA" },
185 { 0x00001b, "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA" },
186 { 0x00001c, "SSL_FORTEZZA_KEA_WITH_NULL_SHA" },
187 { 0x00001d, "SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA" },
188#if 0
189 { 0x00001e, "SSL_FORTEZZA_KEA_WITH_RC4_128_SHA" },
190#endif
191 /* RFC 2712 */
192 { 0x00001E, "TLS_KRB5_WITH_DES_CBC_SHA" },
193 { 0x00001F, "TLS_KRB5_WITH_3DES_EDE_CBC_SHA" },
194 { 0x000020, "TLS_KRB5_WITH_RC4_128_SHA" },
195 { 0x000021, "TLS_KRB5_WITH_IDEA_CBC_SHA" },
196 { 0x000022, "TLS_KRB5_WITH_DES_CBC_MD5" },
197 { 0x000023, "TLS_KRB5_WITH_3DES_EDE_CBC_MD5" },
198 { 0x000024, "TLS_KRB5_WITH_RC4_128_MD5" },
199 { 0x000025, "TLS_KRB5_WITH_IDEA_CBC_MD5" },
200 { 0x000026, "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA" },
201 { 0x000027, "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA" },
202 { 0x000028, "TLS_KRB5_EXPORT_WITH_RC4_40_SHA" },
203 { 0x000029, "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5" },
204 { 0x00002A, "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5" },
205 { 0x00002B, "TLS_KRB5_EXPORT_WITH_RC4_40_MD5" },
206 /* RFC 4785 */
207 { 0x00002C, "TLS_PSK_WITH_NULL_SHA" },
208 { 0x00002D, "TLS_DHE_PSK_WITH_NULL_SHA" },
209 { 0x00002E, "TLS_RSA_PSK_WITH_NULL_SHA" },
210 /* RFC 5246 */
211 { 0x00002f, "TLS_RSA_WITH_AES_128_CBC_SHA" },
212 { 0x000030, "TLS_DH_DSS_WITH_AES_128_CBC_SHA" },
213 { 0x000031, "TLS_DH_RSA_WITH_AES_128_CBC_SHA" },
214 { 0x000032, "TLS_DHE_DSS_WITH_AES_128_CBC_SHA" },
215 { 0x000033, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA" },
216 { 0x000034, "TLS_DH_anon_WITH_AES_128_CBC_SHA" },
217 { 0x000035, "TLS_RSA_WITH_AES_256_CBC_SHA" },
218 { 0x000036, "TLS_DH_DSS_WITH_AES_256_CBC_SHA" },
219 { 0x000037, "TLS_DH_RSA_WITH_AES_256_CBC_SHA" },
220 { 0x000038, "TLS_DHE_DSS_WITH_AES_256_CBC_SHA" },
221 { 0x000039, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA" },
222 { 0x00003A, "TLS_DH_anon_WITH_AES_256_CBC_SHA" },
223 { 0x00003B, "TLS_RSA_WITH_NULL_SHA256" },
224 { 0x00003C, "TLS_RSA_WITH_AES_128_CBC_SHA256" },
225 { 0x00003D, "TLS_RSA_WITH_AES_256_CBC_SHA256" },
226 { 0x00003E, "TLS_DH_DSS_WITH_AES_128_CBC_SHA256" },
227 { 0x00003F, "TLS_DH_RSA_WITH_AES_128_CBC_SHA256" },
228 { 0x000040, "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256" },
229 { 0x000041, "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA" },
230 { 0x000042, "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA" },
231 { 0x000043, "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA" },
232 { 0x000044, "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA" },
233 { 0x000045, "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA" },
234 { 0x000046, "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA" },
235 { 0x000047, "TLS_ECDH_ECDSA_WITH_NULL_SHA" },
236 { 0x000048, "TLS_ECDH_ECDSA_WITH_RC4_128_SHA" },
237 { 0x000049, "TLS_ECDH_ECDSA_WITH_DES_CBC_SHA" },
238 { 0x00004A, "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA" },
239 { 0x00004B, "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA" },
240 { 0x00004C, "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" },
241 { 0x000060, "TLS_RSA_EXPORT1024_WITH_RC4_56_MD5" },
242 { 0x000061, "TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5" },
243 { 0x000062, "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA" },
244 { 0x000063, "TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA" },
245 { 0x000064, "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA" },
246 { 0x000065, "TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA" },
247 { 0x000066, "TLS_DHE_DSS_WITH_RC4_128_SHA" },
248 { 0x000067, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256" },
249 { 0x000068, "TLS_DH_DSS_WITH_AES_256_CBC_SHA256" },
250 { 0x000069, "TLS_DH_RSA_WITH_AES_256_CBC_SHA256" },
251 { 0x00006A, "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256" },
252 { 0x00006B, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256" },
253 { 0x00006C, "TLS_DH_anon_WITH_AES_128_CBC_SHA256" },
254 { 0x00006D, "TLS_DH_anon_WITH_AES_256_CBC_SHA256" },
255 /* 0x00,0x6E-83 Unassigned */
256 { 0x000084, "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA" },
257 { 0x000085, "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA" },
258 { 0x000086, "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA" },
259 { 0x000087, "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA" },
260 { 0x000088, "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA" },
261 { 0x000089, "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA" },
262 /* RFC 4279 */
263 { 0x00008A, "TLS_PSK_WITH_RC4_128_SHA" },
264 { 0x00008B, "TLS_PSK_WITH_3DES_EDE_CBC_SHA" },
265 { 0x00008C, "TLS_PSK_WITH_AES_128_CBC_SHA" },
266 { 0x00008D, "TLS_PSK_WITH_AES_256_CBC_SHA" },
267 { 0x00008E, "TLS_DHE_PSK_WITH_RC4_128_SHA" },
268 { 0x00008F, "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA" },
269 { 0x000090, "TLS_DHE_PSK_WITH_AES_128_CBC_SHA" },
270 { 0x000091, "TLS_DHE_PSK_WITH_AES_256_CBC_SHA" },
271 { 0x000092, "TLS_RSA_PSK_WITH_RC4_128_SHA" },
272 { 0x000093, "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA" },
273 { 0x000094, "TLS_RSA_PSK_WITH_AES_128_CBC_SHA" },
274 { 0x000095, "TLS_RSA_PSK_WITH_AES_256_CBC_SHA" },
275 /* RFC 4162 */
276 { 0x000096, "TLS_RSA_WITH_SEED_CBC_SHA" },
277 { 0x000097, "TLS_DH_DSS_WITH_SEED_CBC_SHA" },
278 { 0x000098, "TLS_DH_RSA_WITH_SEED_CBC_SHA" },
279 { 0x000099, "TLS_DHE_DSS_WITH_SEED_CBC_SHA" },
280 { 0x00009A, "TLS_DHE_RSA_WITH_SEED_CBC_SHA" },
281 { 0x00009B, "TLS_DH_anon_WITH_SEED_CBC_SHA" },
282 /* RFC 5288 */
283 { 0x00009C, "TLS_RSA_WITH_AES_128_GCM_SHA256" },
284 { 0x00009D, "TLS_RSA_WITH_AES_256_GCM_SHA384" },
285 { 0x00009E, "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256" },
286 { 0x00009F, "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384" },
287 { 0x0000A0, "TLS_DH_RSA_WITH_AES_128_GCM_SHA256" },
288 { 0x0000A1, "TLS_DH_RSA_WITH_AES_256_GCM_SHA384" },
289 { 0x0000A2, "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256" },
290 { 0x0000A3, "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384" },
291 { 0x0000A4, "TLS_DH_DSS_WITH_AES_128_GCM_SHA256" },
292 { 0x0000A5, "TLS_DH_DSS_WITH_AES_256_GCM_SHA384" },
293 { 0x0000A6, "TLS_DH_anon_WITH_AES_128_GCM_SHA256" },
294 { 0x0000A7, "TLS_DH_anon_WITH_AES_256_GCM_SHA384" },
295 /* RFC 5487 */
296 { 0x0000A8, "TLS_PSK_WITH_AES_128_GCM_SHA256" },
297 { 0x0000A9, "TLS_PSK_WITH_AES_256_GCM_SHA384" },
298 { 0x0000AA, "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256" },
299 { 0x0000AB, "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384" },
300 { 0x0000AC, "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256" },
301 { 0x0000AD, "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384" },
302 { 0x0000AE, "TLS_PSK_WITH_AES_128_CBC_SHA256" },
303 { 0x0000AF, "TLS_PSK_WITH_AES_256_CBC_SHA384" },
304 { 0x0000B0, "TLS_PSK_WITH_NULL_SHA256" },
305 { 0x0000B1, "TLS_PSK_WITH_NULL_SHA384" },
306 { 0x0000B2, "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256" },
307 { 0x0000B3, "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384" },
308 { 0x0000B4, "TLS_DHE_PSK_WITH_NULL_SHA256" },
309 { 0x0000B5, "TLS_DHE_PSK_WITH_NULL_SHA384" },
310 { 0x0000B6, "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256" },
311 { 0x0000B7, "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384" },
312 { 0x0000B8, "TLS_RSA_PSK_WITH_NULL_SHA256" },
313 { 0x0000B9, "TLS_RSA_PSK_WITH_NULL_SHA384" },
314 /* From RFC 5932 */
315 { 0x0000BA, "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
316 { 0x0000BB, "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256" },
317 { 0x0000BC, "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
318 { 0x0000BD, "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256" },
319 { 0x0000BE, "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
320 { 0x0000BF, "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256" },
321 { 0x0000C0, "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
322 { 0x0000C1, "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256" },
323 { 0x0000C2, "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
324 { 0x0000C3, "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256" },
325 { 0x0000C4, "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
326 { 0x0000C5, "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256" },
327 /* 0x00,0xC6-FE Unassigned */
328 { 0x0000FF, "TLS_EMPTY_RENEGOTIATION_INFO_SCSV" },
329 /* 0x01-BF,* Unassigned */
330 /* From RFC 4492 */
331 { 0x00c001, "TLS_ECDH_ECDSA_WITH_NULL_SHA" },
332 { 0x00c002, "TLS_ECDH_ECDSA_WITH_RC4_128_SHA" },
333 { 0x00c003, "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA" },
334 { 0x00c004, "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA" },
335 { 0x00c005, "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" },
336 { 0x00c006, "TLS_ECDHE_ECDSA_WITH_NULL_SHA" },
337 { 0x00c007, "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA" },
338 { 0x00c008, "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA" },
339 { 0x00c009, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA" },
340 { 0x00c00a, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" },
341 { 0x00c00b, "TLS_ECDH_RSA_WITH_NULL_SHA" },
342 { 0x00c00c, "TLS_ECDH_RSA_WITH_RC4_128_SHA" },
343 { 0x00c00d, "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA" },
344 { 0x00c00e, "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA" },
345 { 0x00c00f, "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA" },
346 { 0x00c010, "TLS_ECDHE_RSA_WITH_NULL_SHA" },
347 { 0x00c011, "TLS_ECDHE_RSA_WITH_RC4_128_SHA" },
348 { 0x00c012, "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA" },
349 { 0x00c013, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA" },
350 { 0x00c014, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA" },
351 { 0x00c015, "TLS_ECDH_anon_WITH_NULL_SHA" },
352 { 0x00c016, "TLS_ECDH_anon_WITH_RC4_128_SHA" },
353 { 0x00c017, "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA" },
354 { 0x00c018, "TLS_ECDH_anon_WITH_AES_128_CBC_SHA" },
355 { 0x00c019, "TLS_ECDH_anon_WITH_AES_256_CBC_SHA" },
356 /* RFC 5054 */
357 { 0x00C01A, "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA" },
358 { 0x00C01B, "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA" },
359 { 0x00C01C, "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA" },
360 { 0x00C01D, "TLS_SRP_SHA_WITH_AES_128_CBC_SHA" },
361 { 0x00C01E, "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA" },
362 { 0x00C01F, "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA" },
363 { 0x00C020, "TLS_SRP_SHA_WITH_AES_256_CBC_SHA" },
364 { 0x00C021, "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA" },
365 { 0x00C022, "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA" },
366 /* RFC 5589 */
367 { 0x00C023, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256" },
368 { 0x00C024, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384" },
369 { 0x00C025, "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256" },
370 { 0x00C026, "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384" },
371 { 0x00C027, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" },
372 { 0x00C028, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" },
373 { 0x00C029, "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256" },
374 { 0x00C02A, "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384" },
375 { 0x00C02B, "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" },
376 { 0x00C02C, "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" },
377 { 0x00C02D, "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256" },
378 { 0x00C02E, "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384" },
379 { 0x00C02F, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" },
380 { 0x00C030, "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" },
381 { 0x00C031, "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" },
382 { 0x00C032, "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384" },
383 /* RFC 5489 */
384 { 0x00C033, "TLS_ECDHE_PSK_WITH_RC4_128_SHA" },
385 { 0x00C034, "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA" },
386 { 0x00C035, "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA" },
387 { 0x00C036, "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA" },
388 { 0x00C037, "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256" },
389 { 0x00C038, "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384" },
390 { 0x00C039, "TLS_ECDHE_PSK_WITH_NULL_SHA" },
391 { 0x00C03A, "TLS_ECDHE_PSK_WITH_NULL_SHA256" },
392 { 0x00C03B, "TLS_ECDHE_PSK_WITH_NULL_SHA384" },
393 /* 0xC0,0x3C-FF Unassigned
394 0xC1-FD,* Unassigned
395 0xFE,0x00-FD Unassigned
396 0xFE,0xFE-FF Reserved to avoid conflicts with widely deployed implementations [Pasi_Eronen]
397 0xFF,0x00-FF Reserved for Private Use [RFC5246]
398 */
399
400 /* old numbers used in the beginning
401 * https://tools.ietf.org/html/draft-agl-tls-chacha20poly1305 */
402 { 0x00CC13, "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
403 { 0x00CC14, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" },
404 { 0x00CC15, "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
405
406 /* https://tools.ietf.org/html/rfc7905 */
407 { 0x00CCA8, "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
408 { 0x00CCA9, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" },
409 { 0x00CCAA, "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
410 { 0x00CCAB, "TLS_PSK_WITH_CHACHA20_POLY1305_SHA256" },
411 { 0x00CCAC, "TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256" },
412 { 0x00CCAD, "TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256" },
413 { 0x00CCAE, "TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256" },
414
415 /* GM/T 0024-2014 */
416 { 0x00e001, "ECDHE_SM1_SM3"},
417 { 0x00e003, "ECC_SM1_SM3"},
418 { 0x00e005, "IBSDH_SM1_SM3"},
419 { 0x00e007, "IBC_SM1_SM3"},
420 { 0x00e009, "RSA_SM1_SM3"},
421 { 0x00e00a, "RSA_SM1_SHA1"},
422 { 0x00e011, "ECDHE_SM4_CBC_SM3"},
423 { 0x00e013, "ECC_SM4_CBC_SM3"},
424 { 0x00e015, "IBSDH_SM4_CBC_SM3"},
425 { 0x00e017, "IBC_SM4_CBC_SM3"},
426 { 0x00e019, "RSA_SM4_CBC_SM3"},
427 { 0x00e01a, "RSA_SM4_CBC_SHA1"},
428 { 0x00e01c, "RSA_SM4_CBC_SHA256"},
429 { 0x00e051, "ECDHE_SM4_GCM_SM3"},
430 { 0x00e053, "ECC_SM4_GCM_SM3"},
431 { 0x00e055, "IBSDH_SM4_GCM_SM3"},
432 { 0x00e057, "IBC_SM4_GCM_SM3"},
433 { 0x00e059, "RSA_SM4_GCM_SM3"},
434 { 0x00e05a, "RSA_SM4_GCM_SHA256"},
435
436 /* https://tools.ietf.org/html/draft-josefsson-salsa20-tls */
437 { 0x00E410, "TLS_RSA_WITH_ESTREAM_SALSA20_SHA1" },
438 { 0x00E411, "TLS_RSA_WITH_SALSA20_SHA1" },
439 { 0x00E412, "TLS_ECDHE_RSA_WITH_ESTREAM_SALSA20_SHA1" },
440 { 0x00E413, "TLS_ECDHE_RSA_WITH_SALSA20_SHA1" },
441 { 0x00E414, "TLS_ECDHE_ECDSA_WITH_ESTREAM_SALSA20_SHA1" },
442 { 0x00E415, "TLS_ECDHE_ECDSA_WITH_SALSA20_SHA1" },
443 { 0x00E416, "TLS_PSK_WITH_ESTREAM_SALSA20_SHA1" },
444 { 0x00E417, "TLS_PSK_WITH_SALSA20_SHA1" },
445 { 0x00E418, "TLS_ECDHE_PSK_WITH_ESTREAM_SALSA20_SHA1" },
446 { 0x00E419, "TLS_ECDHE_PSK_WITH_SALSA20_SHA1" },
447 { 0x00E41A, "TLS_RSA_PSK_WITH_ESTREAM_SALSA20_SHA1" },
448 { 0x00E41B, "TLS_RSA_PSK_WITH_SALSA20_SHA1" },
449 { 0x00E41C, "TLS_DHE_PSK_WITH_ESTREAM_SALSA20_SHA1" },
450 { 0x00E41D, "TLS_DHE_PSK_WITH_SALSA20_SHA1" },
451 { 0x00E41E, "TLS_DHE_RSA_WITH_ESTREAM_SALSA20_SHA1" },
452 { 0x00E41F, "TLS_DHE_RSA_WITH_SALSA20_SHA1" },
453
454 /* these from http://www.mozilla.org/projects/
455 security/pki/nss/ssl/fips-ssl-ciphersuites.html */
456 { 0x00fefe, "SSL_RSA_FIPS_WITH_DES_CBC_SHA"},
457 { 0x00feff, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA" },
458 { 0x00ffe0, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA" },
459 { 0x00ffe1, "SSL_RSA_FIPS_WITH_DES_CBC_SHA"},
460 /* note that ciphersuites of {0x00????} are TLS cipher suites in
461 * a sslv2 client hello message; the ???? above is the two-byte
462 * tls cipher suite id
463 */
464
465 { 0x010080, "SSL2_RC4_128_WITH_MD5" },
466 { 0x020080, "SSL2_RC4_128_EXPORT40_WITH_MD5" },
467 { 0x030080, "SSL2_RC2_128_CBC_WITH_MD5" },
468 { 0x040080, "SSL2_RC2_128_CBC_EXPORT40_WITH_MD5" },
469 { 0x050080, "SSL2_IDEA_128_CBC_WITH_MD5" },
470 { 0x060040, "SSL2_DES_64_CBC_WITH_MD5" },
471 { 0x0700c0, "SSL2_DES_192_EDE3_CBC_WITH_MD5" },
472 { 0x080080, "SSL2_RC4_64_WITH_MD5" },
473
474 { 0x00, NULL((void*)0) }
475};
476
477value_string_ext ssl_20_cipher_suites_ext = VALUE_STRING_EXT_INIT(ssl_20_cipher_suites){ _try_val_to_str_ext_init, 0, (sizeof (ssl_20_cipher_suites)
/ sizeof ((ssl_20_cipher_suites)[0]))-1, ssl_20_cipher_suites
, "ssl_20_cipher_suites", ((void*)0) };
478
479
480/*
481 * Supported Groups (formerly named "EC Named Curve").
482 * https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8
483 */
484const value_string ssl_extension_curves[] = {
485 { 1, "sect163k1" },
486 { 2, "sect163r1" },
487 { 3, "sect163r2" },
488 { 4, "sect193r1" },
489 { 5, "sect193r2" },
490 { 6, "sect233k1" },
491 { 7, "sect233r1" },
492 { 8, "sect239k1" },
493 { 9, "sect283k1" },
494 { 10, "sect283r1" },
495 { 11, "sect409k1" },
496 { 12, "sect409r1" },
497 { 13, "sect571k1" },
498 { 14, "sect571r1" },
499 { 15, "secp160k1" },
500 { 16, "secp160r1" },
501 { 17, "secp160r2" },
502 { 18, "secp192k1" },
503 { 19, "secp192r1" },
504 { 20, "secp224k1" },
505 { 21, "secp224r1" },
506 { 22, "secp256k1" },
507 { 23, "secp256r1" },
508 { 24, "secp384r1" },
509 { 25, "secp521r1" },
510 { 26, "brainpoolP256r1" }, /* RFC 7027 */
511 { 27, "brainpoolP384r1" }, /* RFC 7027 */
512 { 28, "brainpoolP512r1" }, /* RFC 7027 */
513 { 29, "x25519" }, /* RFC 8446 / RFC 8422 */
514 { 30, "x448" }, /* RFC 8446 / RFC 8422 */
515 { 31, "brainpoolP256r1tls13" }, /* RFC8734 */
516 { 32, "brainpoolP384r1tls13" }, /* RFC8734 */
517 { 33, "brainpoolP512r1tls13" }, /* RFC8734 */
518 { 34, "GC256A" }, /* RFC9189 */
519 { 35, "GC256B" }, /* RFC9189 */
520 { 36, "GC256C" }, /* RFC9189 */
521 { 37, "GC256D" }, /* RFC9189 */
522 { 38, "GC512A" }, /* RFC9189 */
523 { 39, "GC512B" }, /* RFC9189 */
524 { 40, "GC512C" }, /* RFC9189 */
525 { 41, "curveSM2" }, /* RFC 8998 */
526 { 256, "ffdhe2048" }, /* RFC 7919 */
527 { 257, "ffdhe3072" }, /* RFC 7919 */
528 { 258, "ffdhe4096" }, /* RFC 7919 */
529 { 259, "ffdhe6144" }, /* RFC 7919 */
530 { 260, "ffdhe8192" }, /* RFC 7919 */
531 { 512, "MLKEM512"}, /* draft-connolly-tls-mlkem-key-agreement-03 */
532 { 513, "MLKEM768"}, /* draft-connolly-tls-mlkem-key-agreement-03 */
533 { 514, "MLKEM1024"}, /* draft-connolly-tls-mlkem-key-agreement-03 */
534 { 2570, "Reserved (GREASE)" }, /* RFC 8701 */
535 { 4587, "SecP256r1MLKEM768" }, /* draft-kwiatkowski-tls-ecdhe-mlkem-02 */
536 { 4588, "X25519MLKEM768" }, /* draft-kwiatkowski-tls-ecdhe-mlkem-03 */
537 { 4589, "SecP384r1MLKEM1024" }, /* draft-kwiatkowski-tls-ecdhe-mlkem-03 */
538 { 6682, "Reserved (GREASE)" }, /* RFC 8701 */
539 { 10794, "Reserved (GREASE)" }, /* RFC 8701 */
540 { 14906, "Reserved (GREASE)" }, /* RFC 8701 */
541 { 19018, "Reserved (GREASE)" }, /* RFC 8701 */
542 { 23130, "Reserved (GREASE)" }, /* RFC 8701 */
543 { 25497, "X25519Kyber768Draft00 (OBSOLETE)" }, /* draft-tls-westerbaan-xyber768d00-02 */
544 { 25498, "SecP256r1Kyber768Draft00 (OBSOLETE)" }, /* draft-kwiatkowski-tls-ecdhe-kyber-01 */
545 { 27242, "Reserved (GREASE)" }, /* RFC 8701 */
546 { 31354, "Reserved (GREASE)" }, /* RFC 8701 */
547 { 35466, "Reserved (GREASE)" }, /* RFC 8701 */
548 { 39578, "Reserved (GREASE)" }, /* RFC 8701 */
549 { 43690, "Reserved (GREASE)" }, /* RFC 8701 */
550 { 47802, "Reserved (GREASE)" }, /* RFC 8701 */
551 { 51914, "Reserved (GREASE)" }, /* RFC 8701 */
552 { 56026, "Reserved (GREASE)" }, /* RFC 8701 */
553 { 60138, "Reserved (GREASE)" }, /* RFC 8701 */
554 { 64250, "Reserved (GREASE)" }, /* RFC 8701 */
555 { 0xFF01, "arbitrary_explicit_prime_curves" },
556 { 0xFF02, "arbitrary_explicit_char2_curves" },
557 /* Below are various unofficial values that have been used for testing. */
558 /* PQC key exchange algorithms from OQS-OpenSSL,
559 see https://github.com/open-quantum-safe/oqs-provider/blob/main/oqs-template/oqs-kem-info.md
560 These use IANA unassigned values and this list may be incomplete.
561 */
562 { 0x2F00, "p256_frodo640aes" },
563 { 0x2F01, "p256_frodo640shake" },
564 { 0x2F02, "p384_frodo976aes" },
565 { 0x0203, "frodo976shake" },
566 { 0x2F03, "p384_frodo976shake" },
567 { 0x0204, "frodo1344aes" },
568 { 0x2F04, "p521_frodo1344aes" },
569 { 0x0205, "frodo1344shake" },
570 { 0x2F05, "p521_frodo1344shake" },
571 { 0x023A, "kyber512" },
572 { 0x2F3A, "p256_kyber512" },
573 { 0x023C, "kyber768" },
574 { 0x2F3C, "p384_kyber768" },
575 { 0x023D, "kyber1024" },
576 { 0x2F3D, "p521_kyber1024" },
577 { 0x0214, "ntru_hps2048509" },
578 { 0x2F14, "p256_ntru_hps2048509" },
579 { 0x0215, "ntru_hps2048677" },
580 { 0x2F15, "p384_ntru_hps2048677" },
581 { 0x0216, "ntru_hps4096821" },
582 { 0x2F16, "p521_ntru_hps4096821" },
583 { 0x0245, "ntru_hps40961229" },
584 { 0x2F45, "p521_ntru_hps40961229" },
585 { 0x0217, "ntru_hrss701" },
586 { 0x2F17, "p384_ntru_hrss701" },
587 { 0x0246, "ntru_hrss1373" },
588 { 0x2F46, "p521_ntru_hrss1373" },
589 { 0x0218, "lightsaber" },
590 { 0x2F18, "p256_lightsaber" },
591 { 0x0219, "saber" },
592 { 0x2F19, "p384_saber" },
593 { 0x021A, "firesaber" },
594 { 0x2F1A, "p521_firesaber" },
595 { 0x021B, "sidhp434" },
596 { 0x2F1B, "p256_sidhp434" },
597 { 0x021C, "sidhp503" },
598 { 0x2F1C, "p256_sidhp503" },
599 { 0x021D, "sidhp610" },
600 { 0x2F1D, "p384_sidhp610" },
601 { 0x021E, "sidhp751" },
602 { 0x2F1E, "p521_sidhp751" },
603 { 0x021F, "sikep434" },
604 { 0x2F1F, "p256_sikep434" },
605 { 0x0220, "sikep503" },
606 { 0x2F20, "p256_sikep503" },
607 { 0x0221, "sikep610" },
608 { 0x2F21, "p384_sikep610" },
609 { 0x0222, "sikep751" },
610 { 0x2F22, "p521_sikep751" },
611 { 0x0238, "bikel1" },
612 { 0x2F38, "p256_bikel1" },
613 { 0x023B, "bikel3" },
614 { 0x2F3B, "p384_bikel3" },
615 { 0x023E, "kyber90s512" },
616 { 0x2F3E, "p256_kyber90s512" },
617 { 0x023F, "kyber90s768" },
618 { 0x2F3F, "p384_kyber90s768" },
619 { 0x0240, "kyber90s1024" },
620 { 0x2F40, "p521_kyber90s1024" },
621 { 0x022C, "hqc128" },
622 { 0x2F2C, "p256_hqc128" },
623 { 0x022D, "hqc192" },
624 { 0x2F2D, "p384_hqc192" },
625 { 0x022E, "hqc256" },
626 { 0x2F2E, "p521_hqc256" },
627 { 0x022F, "ntrulpr653" },
628 { 0x2F2F, "p256_ntrulpr653" },
629 { 0x0230, "ntrulpr761" },
630 { 0x2F43, "p256_ntrulpr761" },
631 { 0x0231, "ntrulpr857" },
632 { 0x2F31, "p384_ntrulpr857" },
633 { 0x0241, "ntrulpr1277" },
634 { 0x2F41, "p521_ntrulpr1277" },
635 { 0x0232, "sntrup653" },
636 { 0x2F32, "p256_sntrup653" },
637 { 0x0233, "sntrup761" },
638 { 0x2F44, "p256_sntrup761" },
639 { 0x0234, "sntrup857" },
640 { 0x2F34, "p384_sntrup857" },
641 { 0x0242, "sntrup1277" },
642 { 0x2F42, "p521_sntrup1277" },
643 /* Other PQ key exchange algorithms, using Reserved for Private Use values
644 https://blog.cloudflare.com/post-quantum-for-all
645 https://www.ietf.org/archive/id/draft-tls-westerbaan-xyber768d00-02.txt */
646 { 0xFE30, "X25519Kyber512Draft00 (OBSOLETE)" },
647 { 0xFE31, "X25519Kyber768Draft00 (OBSOLETE)" },
648 { 0x00, NULL((void*)0) }
649};
650
651const value_string ssl_curve_types[] = {
652 { 1, "explicit_prime" },
653 { 2, "explicit_char2" },
654 { 3, "named_curve" },
655 { 0x00, NULL((void*)0) }
656};
657
658const value_string ssl_extension_ec_point_formats[] = {
659 { 0, "uncompressed" },
660 { 1, "ansiX962_compressed_prime" },
661 { 2, "ansiX962_compressed_char2" },
662 { 0x00, NULL((void*)0) }
663};
664
665const value_string ssl_20_certificate_type[] = {
666 { 0x00, "N/A" },
667 { 0x01, "X.509 Certificate" },
668 { 0x00, NULL((void*)0) }
669};
670
671const value_string ssl_31_content_type[] = {
672 { 20, "Change Cipher Spec" },
673 { 21, "Alert" },
674 { 22, "Handshake" },
675 { 23, "Application Data" },
676 { 24, "Heartbeat" },
677 { 25, "Connection ID" },
678 { 0x00, NULL((void*)0) }
679};
680
681#if 0
682/* XXX - would be used if we dissected the body of a Change Cipher Spec
683 message. */
684const value_string ssl_31_change_cipher_spec[] = {
685 { 1, "Change Cipher Spec" },
686 { 0x00, NULL((void*)0) }
687};
688#endif
689
690const value_string ssl_31_alert_level[] = {
691 { 1, "Warning" },
692 { 2, "Fatal" },
693 { 0x00, NULL((void*)0) }
694};
695
696const value_string ssl_31_alert_description[] = {
697 { 0, "Close Notify" },
698 { 1, "End of Early Data" },
699 { 10, "Unexpected Message" },
700 { 20, "Bad Record MAC" },
701 { 21, "Decryption Failed" },
702 { 22, "Record Overflow" },
703 { 30, "Decompression Failure" },
704 { 40, "Handshake Failure" },
705 { 41, "No Certificate" },
706 { 42, "Bad Certificate" },
707 { 43, "Unsupported Certificate" },
708 { 44, "Certificate Revoked" },
709 { 45, "Certificate Expired" },
710 { 46, "Certificate Unknown" },
711 { 47, "Illegal Parameter" },
712 { 48, "Unknown CA" },
713 { 49, "Access Denied" },
714 { 50, "Decode Error" },
715 { 51, "Decrypt Error" },
716 { 60, "Export Restriction" },
717 { 70, "Protocol Version" },
718 { 71, "Insufficient Security" },
719 { 80, "Internal Error" },
720 { 86, "Inappropriate Fallback" },
721 { 90, "User Canceled" },
722 { 100, "No Renegotiation" },
723 { 109, "Missing Extension" },
724 { 110, "Unsupported Extension" },
725 { 111, "Certificate Unobtainable" },
726 { 112, "Unrecognized Name" },
727 { 113, "Bad Certificate Status Response" },
728 { 114, "Bad Certificate Hash Value" },
729 { 115, "Unknown PSK Identity" },
730 { 116, "Certificate Required" },
731 { 120, "No application Protocol" },
732 { 121, "ECH Required" },
733 { 0x00, NULL((void*)0) }
734};
735
736const value_string ssl_31_handshake_type[] = {
737 { SSL_HND_HELLO_REQUEST, "Hello Request" },
738 { SSL_HND_CLIENT_HELLO, "Client Hello" },
739 { SSL_HND_SERVER_HELLO, "Server Hello" },
740 { SSL_HND_HELLO_VERIFY_REQUEST, "Hello Verify Request"},
741 { SSL_HND_NEWSESSION_TICKET, "New Session Ticket" },
742 { SSL_HND_END_OF_EARLY_DATA, "End of Early Data" },
743 { SSL_HND_HELLO_RETRY_REQUEST, "Hello Retry Request" },
744 { SSL_HND_ENCRYPTED_EXTENSIONS, "Encrypted Extensions" },
745 { SSL_HND_CERTIFICATE, "Certificate" },
746 { SSL_HND_SERVER_KEY_EXCHG, "Server Key Exchange" },
747 { SSL_HND_CERT_REQUEST, "Certificate Request" },
748 { SSL_HND_SVR_HELLO_DONE, "Server Hello Done" },
749 { SSL_HND_CERT_VERIFY, "Certificate Verify" },
750 { SSL_HND_CLIENT_KEY_EXCHG, "Client Key Exchange" },
751 { SSL_HND_FINISHED, "Finished" },
752 { SSL_HND_CERT_URL, "Client Certificate URL" },
753 { SSL_HND_CERT_STATUS, "Certificate Status" },
754 { SSL_HND_SUPPLEMENTAL_DATA, "Supplemental Data" },
755 { SSL_HND_KEY_UPDATE, "Key Update" },
756 { SSL_HND_COMPRESSED_CERTIFICATE, "Compressed Certificate" },
757 { SSL_HND_ENCRYPTED_EXTS, "Encrypted Extensions" },
758 { 0x00, NULL((void*)0) }
759};
760
761const value_string tls_heartbeat_type[] = {
762 { 1, "Request" },
763 { 2, "Response" },
764 { 0x00, NULL((void*)0) }
765};
766
767const value_string tls_heartbeat_mode[] = {
768 { 1, "Peer allowed to send requests" },
769 { 2, "Peer not allowed to send requests" },
770 { 0x00, NULL((void*)0) }
771};
772
773const value_string ssl_31_compression_method[] = {
774 { 0, "null" },
775 { 1, "DEFLATE" },
776 { 64, "LZS" },
777 { 0x00, NULL((void*)0) }
778};
779
780#if 0
781/* XXX - would be used if we dissected a Signature, as would be
782 seen in a server key exchange or certificate verify message. */
783const value_string ssl_31_key_exchange_algorithm[] = {
784 { 0, "RSA" },
785 { 1, "Diffie Hellman" },
786 { 0x00, NULL((void*)0) }
787};
788
789const value_string ssl_31_signature_algorithm[] = {
790 { 0, "Anonymous" },
791 { 1, "RSA" },
792 { 2, "DSA" },
793 { 0x00, NULL((void*)0) }
794};
795#endif
796
797const value_string ssl_31_client_certificate_type[] = {
798 { 1, "RSA Sign" },
799 { 2, "DSS Sign" },
800 { 3, "RSA Fixed DH" },
801 { 4, "DSS Fixed DH" },
802 /* GOST certificate types */
803 /* Section 3.5 of draft-chudov-cryptopro-cptls-04 */
804 { 21, "GOST R 34.10-94" },
805 { 22, "GOST R 34.10-2001" },
806 /* END GOST certificate types */
807 { 64, "ECDSA Sign" },
808 { 65, "RSA Fixed ECDH" },
809 { 66, "ECDSA Fixed ECDH" },
810 { 80, "IBC Params" },
811 { 0x00, NULL((void*)0) }
812};
813
814#if 0
815/* XXX - would be used if we dissected exchange keys, as would be
816 seen in a client key exchange message. */
817const value_string ssl_31_public_value_encoding[] = {
818 { 0, "Implicit" },
819 { 1, "Explicit" },
820 { 0x00, NULL((void*)0) }
821};
822#endif
823
824/* http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml */
825/* Note: sorted by ascending value so value_string_ext fcns can do a binary search */
826static const value_string ssl_31_ciphersuite[] = {
827 /* RFC 2246, RFC 4346, RFC 5246 */
828 { 0x0000, "TLS_NULL_WITH_NULL_NULL" },
829 { 0x0001, "TLS_RSA_WITH_NULL_MD5" },
830 { 0x0002, "TLS_RSA_WITH_NULL_SHA" },
831 { 0x0003, "TLS_RSA_EXPORT_WITH_RC4_40_MD5" },
832 { 0x0004, "TLS_RSA_WITH_RC4_128_MD5" },
833 { 0x0005, "TLS_RSA_WITH_RC4_128_SHA" },
834 { 0x0006, "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5" },
835 { 0x0007, "TLS_RSA_WITH_IDEA_CBC_SHA" },
836 { 0x0008, "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA" },
837 { 0x0009, "TLS_RSA_WITH_DES_CBC_SHA" },
838 { 0x000a, "TLS_RSA_WITH_3DES_EDE_CBC_SHA" },
839 { 0x000b, "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA" },
840 { 0x000c, "TLS_DH_DSS_WITH_DES_CBC_SHA" },
841 { 0x000d, "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA" },
842 { 0x000e, "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA" },
843 { 0x000f, "TLS_DH_RSA_WITH_DES_CBC_SHA" },
844 { 0x0010, "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA" },
845 { 0x0011, "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA" },
846 { 0x0012, "TLS_DHE_DSS_WITH_DES_CBC_SHA" },
847 { 0x0013, "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA" },
848 { 0x0014, "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA" },
849 { 0x0015, "TLS_DHE_RSA_WITH_DES_CBC_SHA" },
850 { 0x0016, "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA" },
851 { 0x0017, "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5" },
852 { 0x0018, "TLS_DH_anon_WITH_RC4_128_MD5" },
853 { 0x0019, "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA" },
854 { 0x001a, "TLS_DH_anon_WITH_DES_CBC_SHA" },
855 { 0x001b, "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA" },
856
857 { 0x001c, "SSL_FORTEZZA_KEA_WITH_NULL_SHA" },
858 { 0x001d, "SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA" },
859#if 0 /* Because it clashes with KRB5, is never used any more, and is safe
860 to remove according to David Hopwood <david.hopwood@zetnet.co.uk>
861 of the ietf-tls list */
862 { 0x001e, "SSL_FORTEZZA_KEA_WITH_RC4_128_SHA" },
863#endif
864 /* RFC 2712 */
865 { 0x001E, "TLS_KRB5_WITH_DES_CBC_SHA" },
866 { 0x001F, "TLS_KRB5_WITH_3DES_EDE_CBC_SHA" },
867 { 0x0020, "TLS_KRB5_WITH_RC4_128_SHA" },
868 { 0x0021, "TLS_KRB5_WITH_IDEA_CBC_SHA" },
869 { 0x0022, "TLS_KRB5_WITH_DES_CBC_MD5" },
870 { 0x0023, "TLS_KRB5_WITH_3DES_EDE_CBC_MD5" },
871 { 0x0024, "TLS_KRB5_WITH_RC4_128_MD5" },
872 { 0x0025, "TLS_KRB5_WITH_IDEA_CBC_MD5" },
873 { 0x0026, "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA" },
874 { 0x0027, "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA" },
875 { 0x0028, "TLS_KRB5_EXPORT_WITH_RC4_40_SHA" },
876 { 0x0029, "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5" },
877 { 0x002A, "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5" },
878 { 0x002B, "TLS_KRB5_EXPORT_WITH_RC4_40_MD5" },
879 /* RFC 4785 */
880 { 0x002C, "TLS_PSK_WITH_NULL_SHA" },
881 { 0x002D, "TLS_DHE_PSK_WITH_NULL_SHA" },
882 { 0x002E, "TLS_RSA_PSK_WITH_NULL_SHA" },
883 /* RFC 5246 */
884 { 0x002F, "TLS_RSA_WITH_AES_128_CBC_SHA" },
885 { 0x0030, "TLS_DH_DSS_WITH_AES_128_CBC_SHA" },
886 { 0x0031, "TLS_DH_RSA_WITH_AES_128_CBC_SHA" },
887 { 0x0032, "TLS_DHE_DSS_WITH_AES_128_CBC_SHA" },
888 { 0x0033, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA" },
889 { 0x0034, "TLS_DH_anon_WITH_AES_128_CBC_SHA" },
890 { 0x0035, "TLS_RSA_WITH_AES_256_CBC_SHA" },
891 { 0x0036, "TLS_DH_DSS_WITH_AES_256_CBC_SHA" },
892 { 0x0037, "TLS_DH_RSA_WITH_AES_256_CBC_SHA" },
893 { 0x0038, "TLS_DHE_DSS_WITH_AES_256_CBC_SHA" },
894 { 0x0039, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA" },
895 { 0x003A, "TLS_DH_anon_WITH_AES_256_CBC_SHA" },
896 { 0x003B, "TLS_RSA_WITH_NULL_SHA256" },
897 { 0x003C, "TLS_RSA_WITH_AES_128_CBC_SHA256" },
898 { 0x003D, "TLS_RSA_WITH_AES_256_CBC_SHA256" },
899 { 0x003E, "TLS_DH_DSS_WITH_AES_128_CBC_SHA256" },
900 { 0x003F, "TLS_DH_RSA_WITH_AES_128_CBC_SHA256" },
901 { 0x0040, "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256" },
902 /* RFC 4132 */
903 { 0x0041, "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA" },
904 { 0x0042, "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA" },
905 { 0x0043, "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA" },
906 { 0x0044, "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA" },
907 { 0x0045, "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA" },
908 { 0x0046, "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA" },
909 /* 0x00,0x60-66 Reserved to avoid conflicts with widely deployed implementations */
910 /* --- ??? --- */
911 { 0x0060, "TLS_RSA_EXPORT1024_WITH_RC4_56_MD5" },
912 { 0x0061, "TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5" },
913 /* draft-ietf-tls-56-bit-ciphersuites-01.txt */
914 { 0x0062, "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA" },
915 { 0x0063, "TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA" },
916 { 0x0064, "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA" },
917 { 0x0065, "TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA" },
918 { 0x0066, "TLS_DHE_DSS_WITH_RC4_128_SHA" },
919 /* --- ??? ---*/
920 { 0x0067, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256" },
921 { 0x0068, "TLS_DH_DSS_WITH_AES_256_CBC_SHA256" },
922 { 0x0069, "TLS_DH_RSA_WITH_AES_256_CBC_SHA256" },
923 { 0x006A, "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256" },
924 { 0x006B, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256" },
925 { 0x006C, "TLS_DH_anon_WITH_AES_128_CBC_SHA256" },
926 { 0x006D, "TLS_DH_anon_WITH_AES_256_CBC_SHA256" },
927 /* draft-chudov-cryptopro-cptls-04.txt */
928 { 0x0080, "TLS_GOSTR341094_WITH_28147_CNT_IMIT" },
929 { 0x0081, "TLS_GOSTR341001_WITH_28147_CNT_IMIT" },
930 { 0x0082, "TLS_GOSTR341094_WITH_NULL_GOSTR3411" },
931 { 0x0083, "TLS_GOSTR341001_WITH_NULL_GOSTR3411" },
932 /* RFC 4132 */
933 { 0x0084, "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA" },
934 { 0x0085, "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA" },
935 { 0x0086, "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA" },
936 { 0x0087, "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA" },
937 { 0x0088, "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA" },
938 { 0x0089, "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA" },
939 /* RFC 4279 */
940 { 0x008A, "TLS_PSK_WITH_RC4_128_SHA" },
941 { 0x008B, "TLS_PSK_WITH_3DES_EDE_CBC_SHA" },
942 { 0x008C, "TLS_PSK_WITH_AES_128_CBC_SHA" },
943 { 0x008D, "TLS_PSK_WITH_AES_256_CBC_SHA" },
944 { 0x008E, "TLS_DHE_PSK_WITH_RC4_128_SHA" },
945 { 0x008F, "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA" },
946 { 0x0090, "TLS_DHE_PSK_WITH_AES_128_CBC_SHA" },
947 { 0x0091, "TLS_DHE_PSK_WITH_AES_256_CBC_SHA" },
948 { 0x0092, "TLS_RSA_PSK_WITH_RC4_128_SHA" },
949 { 0x0093, "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA" },
950 { 0x0094, "TLS_RSA_PSK_WITH_AES_128_CBC_SHA" },
951 { 0x0095, "TLS_RSA_PSK_WITH_AES_256_CBC_SHA" },
952 /* RFC 4162 */
953 { 0x0096, "TLS_RSA_WITH_SEED_CBC_SHA" },
954 { 0x0097, "TLS_DH_DSS_WITH_SEED_CBC_SHA" },
955 { 0x0098, "TLS_DH_RSA_WITH_SEED_CBC_SHA" },
956 { 0x0099, "TLS_DHE_DSS_WITH_SEED_CBC_SHA" },
957 { 0x009A, "TLS_DHE_RSA_WITH_SEED_CBC_SHA" },
958 { 0x009B, "TLS_DH_anon_WITH_SEED_CBC_SHA" },
959 /* RFC 5288 */
960 { 0x009C, "TLS_RSA_WITH_AES_128_GCM_SHA256" },
961 { 0x009D, "TLS_RSA_WITH_AES_256_GCM_SHA384" },
962 { 0x009E, "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256" },
963 { 0x009F, "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384" },
964 { 0x00A0, "TLS_DH_RSA_WITH_AES_128_GCM_SHA256" },
965 { 0x00A1, "TLS_DH_RSA_WITH_AES_256_GCM_SHA384" },
966 { 0x00A2, "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256" },
967 { 0x00A3, "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384" },
968 { 0x00A4, "TLS_DH_DSS_WITH_AES_128_GCM_SHA256" },
969 { 0x00A5, "TLS_DH_DSS_WITH_AES_256_GCM_SHA384" },
970 { 0x00A6, "TLS_DH_anon_WITH_AES_128_GCM_SHA256" },
971 { 0x00A7, "TLS_DH_anon_WITH_AES_256_GCM_SHA384" },
972 /* RFC 5487 */
973 { 0x00A8, "TLS_PSK_WITH_AES_128_GCM_SHA256" },
974 { 0x00A9, "TLS_PSK_WITH_AES_256_GCM_SHA384" },
975 { 0x00AA, "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256" },
976 { 0x00AB, "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384" },
977 { 0x00AC, "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256" },
978 { 0x00AD, "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384" },
979 { 0x00AE, "TLS_PSK_WITH_AES_128_CBC_SHA256" },
980 { 0x00AF, "TLS_PSK_WITH_AES_256_CBC_SHA384" },
981 { 0x00B0, "TLS_PSK_WITH_NULL_SHA256" },
982 { 0x00B1, "TLS_PSK_WITH_NULL_SHA384" },
983 { 0x00B2, "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256" },
984 { 0x00B3, "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384" },
985 { 0x00B4, "TLS_DHE_PSK_WITH_NULL_SHA256" },
986 { 0x00B5, "TLS_DHE_PSK_WITH_NULL_SHA384" },
987 { 0x00B6, "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256" },
988 { 0x00B7, "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384" },
989 { 0x00B8, "TLS_RSA_PSK_WITH_NULL_SHA256" },
990 { 0x00B9, "TLS_RSA_PSK_WITH_NULL_SHA384" },
991 /* From RFC 5932 */
992 { 0x00BA, "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
993 { 0x00BB, "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256" },
994 { 0x00BC, "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
995 { 0x00BD, "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256" },
996 { 0x00BE, "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
997 { 0x00BF, "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256" },
998 { 0x00C0, "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
999 { 0x00C1, "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256" },
1000 { 0x00C2, "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
1001 { 0x00C3, "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256" },
1002 { 0x00C4, "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
1003 { 0x00C5, "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256" },
1004 /* RFC 8998 */
1005 { 0x00C6, "TLS_SM4_GCM_SM3" },
1006 { 0x00C7, "TLS_SM4_CCM_SM3" },
1007 /* 0x00,0xC8-FE Unassigned */
1008 /* From RFC 5746 */
1009 { 0x00FF, "TLS_EMPTY_RENEGOTIATION_INFO_SCSV" },
1010 /* RFC 8701 */
1011 { 0x0A0A, "Reserved (GREASE)" },
1012 /* RFC 8446 */
1013 { 0x1301, "TLS_AES_128_GCM_SHA256" },
1014 { 0x1302, "TLS_AES_256_GCM_SHA384" },
1015 { 0x1303, "TLS_CHACHA20_POLY1305_SHA256" },
1016 { 0x1304, "TLS_AES_128_CCM_SHA256" },
1017 { 0x1305, "TLS_AES_128_CCM_8_SHA256" },
1018 /* RFC 8701 */
1019 { 0x1A1A, "Reserved (GREASE)" },
1020 { 0x2A2A, "Reserved (GREASE)" },
1021 { 0x3A3A, "Reserved (GREASE)" },
1022 { 0x4A4A, "Reserved (GREASE)" },
1023 /* From RFC 7507 */
1024 { 0x5600, "TLS_FALLBACK_SCSV" },
1025 /* RFC 8701 */
1026 { 0x5A5A, "Reserved (GREASE)" },
1027 { 0x6A6A, "Reserved (GREASE)" },
1028 { 0x7A7A, "Reserved (GREASE)" },
1029 { 0x8A8A, "Reserved (GREASE)" },
1030 { 0x9A9A, "Reserved (GREASE)" },
1031 { 0xAAAA, "Reserved (GREASE)" },
1032 { 0xBABA, "Reserved (GREASE)" },
1033 /* From RFC 4492 */
1034 { 0xc001, "TLS_ECDH_ECDSA_WITH_NULL_SHA" },
1035 { 0xc002, "TLS_ECDH_ECDSA_WITH_RC4_128_SHA" },
1036 { 0xc003, "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA" },
1037 { 0xc004, "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA" },
1038 { 0xc005, "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" },
1039 { 0xc006, "TLS_ECDHE_ECDSA_WITH_NULL_SHA" },
1040 { 0xc007, "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA" },
1041 { 0xc008, "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA" },
1042 { 0xc009, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA" },
1043 { 0xc00a, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" },
1044 { 0xc00b, "TLS_ECDH_RSA_WITH_NULL_SHA" },
1045 { 0xc00c, "TLS_ECDH_RSA_WITH_RC4_128_SHA" },
1046 { 0xc00d, "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA" },
1047 { 0xc00e, "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA" },
1048 { 0xc00f, "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA" },
1049 { 0xc010, "TLS_ECDHE_RSA_WITH_NULL_SHA" },
1050 { 0xc011, "TLS_ECDHE_RSA_WITH_RC4_128_SHA" },
1051 { 0xc012, "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA" },
1052 { 0xc013, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA" },
1053 { 0xc014, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA" },
1054 { 0xc015, "TLS_ECDH_anon_WITH_NULL_SHA" },
1055 { 0xc016, "TLS_ECDH_anon_WITH_RC4_128_SHA" },
1056 { 0xc017, "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA" },
1057 { 0xc018, "TLS_ECDH_anon_WITH_AES_128_CBC_SHA" },
1058 { 0xc019, "TLS_ECDH_anon_WITH_AES_256_CBC_SHA" },
1059 /* RFC 5054 */
1060 { 0xC01A, "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA" },
1061 { 0xC01B, "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA" },
1062 { 0xC01C, "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA" },
1063 { 0xC01D, "TLS_SRP_SHA_WITH_AES_128_CBC_SHA" },
1064 { 0xC01E, "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA" },
1065 { 0xC01F, "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA" },
1066 { 0xC020, "TLS_SRP_SHA_WITH_AES_256_CBC_SHA" },
1067 { 0xC021, "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA" },
1068 { 0xC022, "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA" },
1069 /* RFC 5589 */
1070 { 0xC023, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256" },
1071 { 0xC024, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384" },
1072 { 0xC025, "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256" },
1073 { 0xC026, "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384" },
1074 { 0xC027, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" },
1075 { 0xC028, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" },
1076 { 0xC029, "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256" },
1077 { 0xC02A, "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384" },
1078 { 0xC02B, "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" },
1079 { 0xC02C, "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" },
1080 { 0xC02D, "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256" },
1081 { 0xC02E, "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384" },
1082 { 0xC02F, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" },
1083 { 0xC030, "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" },
1084 { 0xC031, "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" },
1085 { 0xC032, "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384" },
1086 /* RFC 5489 */
1087 { 0xC033, "TLS_ECDHE_PSK_WITH_RC4_128_SHA" },
1088 { 0xC034, "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA" },
1089 { 0xC035, "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA" },
1090 { 0xC036, "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA" },
1091 { 0xC037, "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256" },
1092 { 0xC038, "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384" },
1093 { 0xC039, "TLS_ECDHE_PSK_WITH_NULL_SHA" },
1094 { 0xC03A, "TLS_ECDHE_PSK_WITH_NULL_SHA256" },
1095 { 0xC03B, "TLS_ECDHE_PSK_WITH_NULL_SHA384" },
1096 /* RFC 6209 */
1097 { 0xC03C, "TLS_RSA_WITH_ARIA_128_CBC_SHA256" },
1098 { 0xC03D, "TLS_RSA_WITH_ARIA_256_CBC_SHA384" },
1099 { 0xC03E, "TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256" },
1100 { 0xC03F, "TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384" },
1101 { 0xC040, "TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256" },
1102 { 0xC041, "TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384" },
1103 { 0xC042, "TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256" },
1104 { 0xC043, "TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384" },
1105 { 0xC044, "TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256" },
1106 { 0xC045, "TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384" },
1107 { 0xC046, "TLS_DH_anon_WITH_ARIA_128_CBC_SHA256" },
1108 { 0xC047, "TLS_DH_anon_WITH_ARIA_256_CBC_SHA384" },
1109 { 0xC048, "TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256" },
1110 { 0xC049, "TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384" },
1111 { 0xC04A, "TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256" },
1112 { 0xC04B, "TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384" },
1113 { 0xC04C, "TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256" },
1114 { 0xC04D, "TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384" },
1115 { 0xC04E, "TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256" },
1116 { 0xC04F, "TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384" },
1117 { 0xC050, "TLS_RSA_WITH_ARIA_128_GCM_SHA256" },
1118 { 0xC051, "TLS_RSA_WITH_ARIA_256_GCM_SHA384" },
1119 { 0xC052, "TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256" },
1120 { 0xC053, "TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384" },
1121 { 0xC054, "TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256" },
1122 { 0xC055, "TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384" },
1123 { 0xC056, "TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256" },
1124 { 0xC057, "TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384" },
1125 { 0xC058, "TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256" },
1126 { 0xC059, "TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384" },
1127 { 0xC05A, "TLS_DH_anon_WITH_ARIA_128_GCM_SHA256" },
1128 { 0xC05B, "TLS_DH_anon_WITH_ARIA_256_GCM_SHA384" },
1129 { 0xC05C, "TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256" },
1130 { 0xC05D, "TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384" },
1131 { 0xC05E, "TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256" },
1132 { 0xC05F, "TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384" },
1133 { 0xC060, "TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256" },
1134 { 0xC061, "TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384" },
1135 { 0xC062, "TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256" },
1136 { 0xC063, "TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384" },
1137 { 0xC064, "TLS_PSK_WITH_ARIA_128_CBC_SHA256" },
1138 { 0xC065, "TLS_PSK_WITH_ARIA_256_CBC_SHA384" },
1139 { 0xC066, "TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256" },
1140 { 0xC067, "TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384" },
1141 { 0xC068, "TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256" },
1142 { 0xC069, "TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384" },
1143 { 0xC06A, "TLS_PSK_WITH_ARIA_128_GCM_SHA256" },
1144 { 0xC06B, "TLS_PSK_WITH_ARIA_256_GCM_SHA384" },
1145 { 0xC06C, "TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256" },
1146 { 0xC06D, "TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384" },
1147 { 0xC06E, "TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256" },
1148 { 0xC06F, "TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384" },
1149 { 0xC070, "TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256" },
1150 { 0xC071, "TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384" },
1151 /* RFC 6367 */
1152 { 0xC072, "TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256" },
1153 { 0xC073, "TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384" },
1154 { 0xC074, "TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256" },
1155 { 0xC075, "TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384" },
1156 { 0xC076, "TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
1157 { 0xC077, "TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384" },
1158 { 0xC078, "TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
1159 { 0xC079, "TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384" },
1160 { 0xC07A, "TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256" },
1161 { 0xC07B, "TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384" },
1162 { 0xC07C, "TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256" },
1163 { 0xC07D, "TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384" },
1164 { 0xC07E, "TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256" },
1165 { 0xC07F, "TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384" },
1166 { 0xC080, "TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256" },
1167 { 0xC081, "TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384" },
1168 { 0xC082, "TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256" },
1169 { 0xC083, "TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384" },
1170 { 0xC084, "TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256" },
1171 { 0xC085, "TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384" },
1172 { 0xC086, "TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256" },
1173 { 0xC087, "TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384" },
1174 { 0xC088, "TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256" },
1175 { 0xC089, "TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384" },
1176 { 0xC08A, "TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256" },
1177 { 0xC08B, "TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384" },
1178 { 0xC08C, "TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256" },
1179 { 0xC08D, "TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384" },
1180 { 0xC08E, "TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256" },
1181 { 0xC08F, "TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384" },
1182 { 0xC090, "TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256" },
1183 { 0xC091, "TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384" },
1184 { 0xC092, "TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256" },
1185 { 0xC093, "TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384" },
1186 { 0xC094, "TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256" },
1187 { 0xC095, "TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384" },
1188 { 0xC096, "TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256" },
1189 { 0xC097, "TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384" },
1190 { 0xC098, "TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256" },
1191 { 0xC099, "TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384" },
1192 { 0xC09A, "TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256" },
1193 { 0xC09B, "TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384" },
1194 /* RFC 6655 */
1195 { 0xC09C, "TLS_RSA_WITH_AES_128_CCM" },
1196 { 0xC09D, "TLS_RSA_WITH_AES_256_CCM" },
1197 { 0xC09E, "TLS_DHE_RSA_WITH_AES_128_CCM" },
1198 { 0xC09F, "TLS_DHE_RSA_WITH_AES_256_CCM" },
1199 { 0xC0A0, "TLS_RSA_WITH_AES_128_CCM_8" },
1200 { 0xC0A1, "TLS_RSA_WITH_AES_256_CCM_8" },
1201 { 0xC0A2, "TLS_DHE_RSA_WITH_AES_128_CCM_8" },
1202 { 0xC0A3, "TLS_DHE_RSA_WITH_AES_256_CCM_8" },
1203 { 0xC0A4, "TLS_PSK_WITH_AES_128_CCM" },
1204 { 0xC0A5, "TLS_PSK_WITH_AES_256_CCM" },
1205 { 0xC0A6, "TLS_DHE_PSK_WITH_AES_128_CCM" },
1206 { 0xC0A7, "TLS_DHE_PSK_WITH_AES_256_CCM" },
1207 { 0xC0A8, "TLS_PSK_WITH_AES_128_CCM_8" },
1208 { 0xC0A9, "TLS_PSK_WITH_AES_256_CCM_8" },
1209 { 0xC0AA, "TLS_PSK_DHE_WITH_AES_128_CCM_8" },
1210 { 0xC0AB, "TLS_PSK_DHE_WITH_AES_256_CCM_8" },
1211 /* RFC 7251 */
1212 { 0xC0AC, "TLS_ECDHE_ECDSA_WITH_AES_128_CCM" },
1213 { 0xC0AD, "TLS_ECDHE_ECDSA_WITH_AES_256_CCM" },
1214 { 0xC0AE, "TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8" },
1215 { 0xC0AF, "TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8" },
1216 /* RFC 8492 */
1217 { 0xC0B0, "TLS_ECCPWD_WITH_AES_128_GCM_SHA256" },
1218 { 0xC0B1, "TLS_ECCPWD_WITH_AES_256_GCM_SHA384" },
1219 { 0xC0B2, "TLS_ECCPWD_WITH_AES_128_CCM_SHA256" },
1220 { 0xC0B3, "TLS_ECCPWD_WITH_AES_256_CCM_SHA384" },
1221 /* draft-camwinget-tls-ts13-macciphersuites */
1222 { 0xC0B4, "TLS_SHA256_SHA256" },
1223 { 0xC0B5, "TLS_SHA384_SHA384" },
1224 /* https://www.ietf.org/archive/id/draft-cragie-tls-ecjpake-01.txt */
1225 { 0xC0FF, "TLS_ECJPAKE_WITH_AES_128_CCM_8" },
1226 /* draft-smyshlyaev-tls12-gost-suites */
1227 { 0xC100, "TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC" },
1228 { 0xC101, "TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC" },
1229 { 0xC102, "TLS_GOSTR341112_256_WITH_28147_CNT_IMIT" },
1230 /* draft-smyshlyaev-tls13-gost-suites */
1231 { 0xC103, "TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_L" },
1232 { 0xC104, "TLS_GOSTR341112_256_WITH_MAGMA_MGM_L" },
1233 { 0xC105, "TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_S" },
1234 { 0xC106, "TLS_GOSTR341112_256_WITH_MAGMA_MGM_S" },
1235 /* RFC 8701 */
1236 { 0xCACA, "Reserved (GREASE)" },
1237/*
12380xC0,0xAB-FF Unassigned
12390xC1,0x03-FD,* Unassigned
12400xFE,0x00-FD Unassigned
12410xFE,0xFE-FF Reserved to avoid conflicts with widely deployed implementations [Pasi_Eronen]
12420xFF,0x00-FF Reserved for Private Use [RFC5246]
1243*/
1244 /* old numbers used in the beginning
1245 * https://tools.ietf.org/html/draft-agl-tls-chacha20poly1305 */
1246 { 0xCC13, "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
1247 { 0xCC14, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" },
1248 { 0xCC15, "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
1249 /* RFC 7905 */
1250 { 0xCCA8, "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
1251 { 0xCCA9, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" },
1252 { 0xCCAA, "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
1253 { 0xCCAB, "TLS_PSK_WITH_CHACHA20_POLY1305_SHA256" },
1254 { 0xCCAC, "TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256" },
1255 { 0xCCAD, "TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256" },
1256 { 0xCCAE, "TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256" },
1257 /* RFC 8442 */
1258 { 0xD001, "TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256" },
1259 { 0xD002, "TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384" },
1260 { 0xD003, "TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256" },
1261 { 0xD005, "TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256" },
1262 /* RFC 8701 */
1263 { 0xDADA, "Reserved (GREASE)" },
1264 /* GM/T 0024-2014 */
1265 { 0xe001, "ECDHE_SM1_SM3"},
1266 { 0xe003, "ECC_SM1_SM3"},
1267 { 0xe005, "IBSDH_SM1_SM3"},
1268 { 0xe007, "IBC_SM1_SM3"},
1269 { 0xe009, "RSA_SM1_SM3"},
1270 { 0xe00a, "RSA_SM1_SHA1"},
1271 { 0xe011, "ECDHE_SM4_CBC_SM3"},
1272 { 0xe013, "ECC_SM4_CBC_SM3"},
1273 { 0xe015, "IBSDH_SM4_CBC_SM3"},
1274 { 0xe017, "IBC_SM4_CBC_SM3"},
1275 { 0xe019, "RSA_SM4_CBC_SM3"},
1276 { 0xe01a, "RSA_SM4_CBC_SHA1"},
1277 { 0xe01c, "RSA_SM4_CBC_SHA256"},
1278 { 0xe051, "ECDHE_SM4_GCM_SM3"},
1279 { 0xe053, "ECC_SM4_GCM_SM3"},
1280 { 0xe055, "IBSDH_SM4_GCM_SM3"},
1281 { 0xe057, "IBC_SM4_GCM_SM3"},
1282 { 0xe059, "RSA_SM4_GCM_SM3"},
1283 { 0xe05a, "RSA_SM4_GCM_SHA256"},
1284 /* https://tools.ietf.org/html/draft-josefsson-salsa20-tls */
1285 { 0xE410, "TLS_RSA_WITH_ESTREAM_SALSA20_SHA1" },
1286 { 0xE411, "TLS_RSA_WITH_SALSA20_SHA1" },
1287 { 0xE412, "TLS_ECDHE_RSA_WITH_ESTREAM_SALSA20_SHA1" },
1288 { 0xE413, "TLS_ECDHE_RSA_WITH_SALSA20_SHA1" },
1289 { 0xE414, "TLS_ECDHE_ECDSA_WITH_ESTREAM_SALSA20_SHA1" },
1290 { 0xE415, "TLS_ECDHE_ECDSA_WITH_SALSA20_SHA1" },
1291 { 0xE416, "TLS_PSK_WITH_ESTREAM_SALSA20_SHA1" },
1292 { 0xE417, "TLS_PSK_WITH_SALSA20_SHA1" },
1293 { 0xE418, "TLS_ECDHE_PSK_WITH_ESTREAM_SALSA20_SHA1" },
1294 { 0xE419, "TLS_ECDHE_PSK_WITH_SALSA20_SHA1" },
1295 { 0xE41A, "TLS_RSA_PSK_WITH_ESTREAM_SALSA20_SHA1" },
1296 { 0xE41B, "TLS_RSA_PSK_WITH_SALSA20_SHA1" },
1297 { 0xE41C, "TLS_DHE_PSK_WITH_ESTREAM_SALSA20_SHA1" },
1298 { 0xE41D, "TLS_DHE_PSK_WITH_SALSA20_SHA1" },
1299 { 0xE41E, "TLS_DHE_RSA_WITH_ESTREAM_SALSA20_SHA1" },
1300 { 0xE41F, "TLS_DHE_RSA_WITH_SALSA20_SHA1" },
1301 /* RFC 8701 */
1302 { 0xEAEA, "Reserved (GREASE)" },
1303 { 0xFAFA, "Reserved (GREASE)" },
1304 /* these from http://www.mozilla.org/projects/
1305 security/pki/nss/ssl/fips-ssl-ciphersuites.html */
1306 { 0xfefe, "SSL_RSA_FIPS_WITH_DES_CBC_SHA"},
1307 { 0xfeff, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA" },
1308 /* https://datatracker.ietf.org/doc/html/rfc9189 */
1309 { 0xff85, "TLS_GOSTR341112_256_WITH_28147_CNT_IMIT"},
1310 { 0xffe0, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA" },
1311 { 0xffe1, "SSL_RSA_FIPS_WITH_DES_CBC_SHA" },
1312 /* note that ciphersuites 0xff00 - 0xffff are private */
1313 { 0x00, NULL((void*)0) }
1314};
1315
1316value_string_ext ssl_31_ciphersuite_ext = VALUE_STRING_EXT_INIT(ssl_31_ciphersuite){ _try_val_to_str_ext_init, 0, (sizeof (ssl_31_ciphersuite) /
sizeof ((ssl_31_ciphersuite)[0]))-1, ssl_31_ciphersuite, "ssl_31_ciphersuite"
, ((void*)0) };
1317
1318/* http://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#tls-extensiontype-values-1 */
1319const value_string tls_hello_extension_types[] = {
1320 { SSL_HND_HELLO_EXT_SERVER_NAME0, "server_name" }, /* RFC 6066 */
1321 { SSL_HND_HELLO_EXT_MAX_FRAGMENT_LENGTH1, "max_fragment_length" },/* RFC 6066 */
1322 { SSL_HND_HELLO_EXT_CLIENT_CERTIFICATE_URL2, "client_certificate_url" }, /* RFC 6066 */
1323 { SSL_HND_HELLO_EXT_TRUSTED_CA_KEYS3, "trusted_ca_keys" }, /* RFC 6066 */
1324 { SSL_HND_HELLO_EXT_TRUNCATED_HMAC4, "truncated_hmac" }, /* RFC 6066 */
1325 { SSL_HND_HELLO_EXT_STATUS_REQUEST5, "status_request" }, /* RFC 6066 */
1326 { SSL_HND_HELLO_EXT_USER_MAPPING6, "user_mapping" }, /* RFC 4681 */
1327 { SSL_HND_HELLO_EXT_CLIENT_AUTHZ7, "client_authz" }, /* RFC 5878 */
1328 { SSL_HND_HELLO_EXT_SERVER_AUTHZ8, "server_authz" }, /* RFC 5878 */
1329 { SSL_HND_HELLO_EXT_CERT_TYPE9, "cert_type" }, /* RFC 6091 */
1330 { SSL_HND_HELLO_EXT_SUPPORTED_GROUPS10, "supported_groups" }, /* RFC 4492, RFC 7919 */
1331 { SSL_HND_HELLO_EXT_EC_POINT_FORMATS11, "ec_point_formats" }, /* RFC 4492 */
1332 { SSL_HND_HELLO_EXT_SRP12, "srp" }, /* RFC 5054 */
1333 { SSL_HND_HELLO_EXT_SIGNATURE_ALGORITHMS13, "signature_algorithms" }, /* RFC 5246 */
1334 { SSL_HND_HELLO_EXT_USE_SRTP14, "use_srtp" }, /* RFC 5764 */
1335 { SSL_HND_HELLO_EXT_HEARTBEAT15, "heartbeat" }, /* RFC 6520 */
1336 { SSL_HND_HELLO_EXT_ALPN16, "application_layer_protocol_negotiation" }, /* RFC 7301 */
1337 { SSL_HND_HELLO_EXT_STATUS_REQUEST_V217, "status_request_v2" }, /* RFC 6961 */
1338 { SSL_HND_HELLO_EXT_SIGNED_CERTIFICATE_TIMESTAMP18, "signed_certificate_timestamp" }, /* RFC 6962 */
1339 { SSL_HND_HELLO_EXT_CLIENT_CERT_TYPE19, "client_certificate_type" }, /* RFC 7250 */
1340 { SSL_HND_HELLO_EXT_SERVER_CERT_TYPE20, "server_certificate_type" }, /* RFC 7250 */
1341 { SSL_HND_HELLO_EXT_PADDING21, "padding" }, /* RFC 7685 */
1342 { SSL_HND_HELLO_EXT_ENCRYPT_THEN_MAC22, "encrypt_then_mac" }, /* RFC 7366 */
1343 { SSL_HND_HELLO_EXT_EXTENDED_MASTER_SECRET23, "extended_master_secret" }, /* RFC 7627 */
1344 { SSL_HND_HELLO_EXT_TOKEN_BINDING24, "token_binding" }, /* https://tools.ietf.org/html/draft-ietf-tokbind-negotiation */
1345 { SSL_HND_HELLO_EXT_CACHED_INFO25, "cached_info" }, /* RFC 7924 */
1346 { SSL_HND_HELLO_EXT_COMPRESS_CERTIFICATE27, "compress_certificate" }, /* https://tools.ietf.org/html/draft-ietf-tls-certificate-compression-03 */
1347 { SSL_HND_HELLO_EXT_RECORD_SIZE_LIMIT28, "record_size_limit" }, /* RFC 8449 */
1348 { SSL_HND_HELLO_EXT_DELEGATED_CREDENTIALS34, "delegated_credentials" }, /* draft-ietf-tls-subcerts-10.txt */
1349 { SSL_HND_HELLO_EXT_SESSION_TICKET_TLS35, "session_ticket" }, /* RFC 5077 / RFC 8447 */
1350 { SSL_HND_HELLO_EXT_KEY_SHARE_OLD40, "Reserved (key_share)" }, /* https://tools.ietf.org/html/draft-ietf-tls-tls13-22 (removed in -23) */
1351 { SSL_HND_HELLO_EXT_PRE_SHARED_KEY41, "pre_shared_key" }, /* RFC 8446 */
1352 { SSL_HND_HELLO_EXT_EARLY_DATA42, "early_data" }, /* RFC 8446 */
1353 { SSL_HND_HELLO_EXT_SUPPORTED_VERSIONS43, "supported_versions" }, /* RFC 8446 */
1354 { SSL_HND_HELLO_EXT_COOKIE44, "cookie" }, /* RFC 8446 */
1355 { SSL_HND_HELLO_EXT_PSK_KEY_EXCHANGE_MODES45, "psk_key_exchange_modes" }, /* RFC 8446 */
1356 { SSL_HND_HELLO_EXT_TICKET_EARLY_DATA_INFO46, "Reserved (ticket_early_data_info)" }, /* draft-ietf-tls-tls13-18 (removed in -19) */
1357 { SSL_HND_HELLO_EXT_CERTIFICATE_AUTHORITIES47, "certificate_authorities" }, /* RFC 8446 */
1358 { SSL_HND_HELLO_EXT_OID_FILTERS48, "oid_filters" }, /* RFC 8446 */
1359 { SSL_HND_HELLO_EXT_POST_HANDSHAKE_AUTH49, "post_handshake_auth" }, /* RFC 8446 */
1360 { SSL_HND_HELLO_EXT_SIGNATURE_ALGORITHMS_CERT50, "signature_algorithms_cert" }, /* RFC 8446 */
1361 { SSL_HND_HELLO_EXT_KEY_SHARE51, "key_share" }, /* RFC 8446 */
1362 { SSL_HND_HELLO_EXT_TRANSPARENCY_INFO52, "transparency_info" }, /* draft-ietf-trans-rfc6962-bis-41 */
1363 { SSL_HND_HELLO_EXT_CONNECTION_ID_DEPRECATED53, "connection_id (deprecated)" }, /* draft-ietf-tls-dtls-connection-id-07 */
1364 { SSL_HND_HELLO_EXT_CONNECTION_ID54, "connection_id" }, /* RFC 9146 */
1365 { SSL_HND_HELLO_EXT_EXTERNAL_ID_HASH55, "external_id_hash" }, /* RFC 8844 */
1366 { SSL_HND_HELLO_EXT_EXTERNAL_SESSION_ID56, "external_session_id" }, /* RFC 8844 */
1367 { SSL_HND_HELLO_EXT_QUIC_TRANSPORT_PARAMETERS_V157, "quic_transport_parameters" }, /* draft-ietf-quic-tls-33 */
1368 { SSL_HND_HELLO_EXT_TICKET_REQUEST58, "ticket_request" }, /* draft-ietf-tls-ticketrequests-07 */
1369 { SSL_HND_HELLO_EXT_DNSSEC_CHAIN59, "dnssec_chain" }, /* RFC 9102 */
1370 { SSL_HND_HELLO_EXT_GREASE_0A0A2570, "Reserved (GREASE)" }, /* RFC 8701 */
1371 { SSL_HND_HELLO_EXT_GREASE_1A1A6682, "Reserved (GREASE)" }, /* RFC 8701 */
1372 { SSL_HND_HELLO_EXT_GREASE_2A2A10794, "Reserved (GREASE)" }, /* RFC 8701 */
1373 { SSL_HND_HELLO_EXT_NPN13172, "next_protocol_negotiation"}, /* https://datatracker.ietf.org/doc/html/draft-agl-tls-nextprotoneg-03 */
1374 { SSL_HND_HELLO_EXT_GREASE_3A3A14906, "Reserved (GREASE)" }, /* RFC 8701 */
1375 { SSL_HND_HELLO_EXT_ALPS_OLD17513, "application_settings_old" }, /* draft-vvv-tls-alps-01 */
1376 { SSL_HND_HELLO_EXT_ALPS17613, "application_settings" }, /* draft-vvv-tls-alps-01 */ /* https://chromestatus.com/feature/5149147365900288 */
1377 { SSL_HND_HELLO_EXT_GREASE_4A4A19018, "Reserved (GREASE)" }, /* RFC 8701 */
1378 { SSL_HND_HELLO_EXT_GREASE_5A5A23130, "Reserved (GREASE)" }, /* RFC 8701 */
1379 { SSL_HND_HELLO_EXT_GREASE_6A6A27242, "Reserved (GREASE)" }, /* RFC 8701 */
1380 { SSL_HND_HELLO_EXT_CHANNEL_ID_OLD30031, "channel_id_old" }, /* https://tools.ietf.org/html/draft-balfanz-tls-channelid-00
1381 https://twitter.com/ericlaw/status/274237352531083264 */
1382 { SSL_HND_HELLO_EXT_CHANNEL_ID30032, "channel_id" }, /* https://tools.ietf.org/html/draft-balfanz-tls-channelid-01
1383 https://code.google.com/p/chromium/codesearch#chromium/src/net/third_party/nss/ssl/sslt.h&l=209 */
1384 { SSL_HND_HELLO_EXT_RENEGOTIATION_INFO65281, "renegotiation_info" }, /* RFC 5746 */
1385 { SSL_HND_HELLO_EXT_GREASE_7A7A31354, "Reserved (GREASE)" }, /* RFC 8701 */
1386 { SSL_HND_HELLO_EXT_GREASE_8A8A35466, "Reserved (GREASE)" }, /* RFC 8701 */
1387 { SSL_HND_HELLO_EXT_GREASE_9A9A39578, "Reserved (GREASE)" }, /* RFC 8701 */
1388 { SSL_HND_HELLO_EXT_GREASE_AAAA43690, "Reserved (GREASE)" }, /* RFC 8701 */
1389 { SSL_HND_HELLO_EXT_GREASE_BABA47802, "Reserved (GREASE)" }, /* RFC 8701 */
1390 { SSL_HND_HELLO_EXT_GREASE_CACA51914, "Reserved (GREASE)" }, /* RFC 8701 */
1391 { SSL_HND_HELLO_EXT_GREASE_DADA56026, "Reserved (GREASE)" }, /* RFC 8701 */
1392 { SSL_HND_HELLO_EXT_GREASE_EAEA60138, "Reserved (GREASE)" }, /* RFC 8701 */
1393 { SSL_HND_HELLO_EXT_GREASE_FAFA64250, "Reserved (GREASE)" }, /* RFC 8701 */
1394 { SSL_HND_HELLO_EXT_QUIC_TRANSPORT_PARAMETERS65445, "quic_transport_parameters (drafts version)" }, /* https://tools.ietf.org/html/draft-ietf-quic-tls */
1395 { SSL_HND_HELLO_EXT_ENCRYPTED_SERVER_NAME65486, "encrypted_server_name" }, /* https://tools.ietf.org/html/draft-ietf-tls-esni-01 */
1396 { SSL_HND_HELLO_EXT_ENCRYPTED_CLIENT_HELLO65037, "encrypted_client_hello" }, /* https://datatracker.ietf.org/doc/draft-ietf-tls-esni/17/ */
1397 { SSL_HND_HELLO_EXT_ECH_OUTER_EXTENSIONS64768, "ech_outer_extensions" }, /* https://datatracker.ietf.org/doc/draft-ietf-tls-esni/17/ */
1398 { 0, NULL((void*)0) }
1399};
1400
1401const value_string tls_hello_ext_server_name_type_vs[] = {
1402 { 0, "host_name" },
1403 { 0, NULL((void*)0) }
1404};
1405
1406/* RFC 6066 Section 4 */
1407const value_string tls_hello_ext_max_fragment_length[] = {
1408 { 1, "512" }, // 2^9
1409 { 2, "1024" }, // 2^10
1410 { 3, "2048" }, // 2^11
1411 { 4, "4096" }, // 2^12
1412 { 0, NULL((void*)0) }
1413};
1414
1415/* RFC 8446 Section 4.2.9 */
1416const value_string tls_hello_ext_psk_ke_mode[] = {
1417 { 0, "PSK-only key establishment (psk_ke)" },
1418 { 1, "PSK with (EC)DHE key establishment (psk_dhe_ke)" },
1419 { 0, NULL((void*)0) }
1420};
1421
1422/* RFC 6066 Section 6 */
1423const value_string tls_hello_ext_trusted_ca_key_type[] = {
1424 {0, "pre_agreed"},
1425 {1, "key_sha1_hash"},
1426 {2, "x509_name"},
1427 {3, "cert_sha1_hash"},
1428 {0, NULL((void*)0)}
1429};
1430
1431const value_string tls13_key_update_request[] = {
1432 { 0, "update_not_requested" },
1433 { 1, "update_requested" },
1434 { 0, NULL((void*)0) }
1435};
1436
1437/* RFC 5246 7.4.1.4.1 */
1438/* https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml */
1439/* Note that the TLS 1.3 SignatureScheme registry reserves all values
1440 * with first octet 0x00-0x06 and all values with second octet 0x00-0x03
1441 * for backwards compatibility with TLS 1.2 SignatureAndHashAlgorithm.
1442 *
1443 * RFC 8422 and RFC 9189 add official support in TLS 1.2 for some algorithms
1444 * originally defined for TLS 1.3, and extend the TLS SignatureAlgorithm
1445 * and TLS HashAlgorithm registries, but the new values are not compatible
1446 * with all of the TLS 1.3-only SignatureSchemes. Adding those values could
1447 * cause confusion if used to interpret one of those schemes in a
1448 * signature_algorithms extension offered in a TLS 1.3 ClientHello.
1449 */
1450const value_string tls_hash_algorithm[] = {
1451 { 0, "None" },
1452 { 1, "MD5" },
1453 { 2, "SHA1" },
1454 { 3, "SHA224" },
1455 { 4, "SHA256" },
1456 { 5, "SHA384" },
1457 { 6, "SHA512" },
1458#if 0
1459 /* RFC 8422 adds this to the HashAlgorithm registry, but it really
1460 * only applies to 0x0807 and 0x0808, not for other TLS 1.3
1461 * SignatureSchemes with 0x08 in the octet used for Hash in TLS 1.2.
1462 * E.g., we don't want to display this for 0x0806 rsa_pss_rsae_sha512.
1463 */
1464 { 8, "Intrinsic" },
1465#endif
1466 { 0, NULL((void*)0) }
1467};
1468
1469const value_string tls_signature_algorithm[] = {
1470 { 0, "Anonymous" },
1471 { 1, "RSA" },
1472 { 2, "DSA" },
1473 { 3, "ECDSA" },
1474#if 0
1475 /* As above. */
1476 { 7, "ED25519" },
1477 { 8, "ED448" },
1478 { 64, "GOSTR34102012_256" },
1479 { 65, "GOSTR34102012_512" },
1480#endif
1481 { 0, NULL((void*)0) }
1482};
1483
1484/* RFC 8446 Section 4.2.3 */
1485const value_string tls13_signature_algorithm[] = {
1486 { 0x0201, "rsa_pkcs1_sha1" },
1487 { 0x0203, "ecdsa_sha1" },
1488 { 0x0401, "rsa_pkcs1_sha256" },
1489 { 0x0403, "ecdsa_secp256r1_sha256" },
1490 { 0x0420, "rsa_pkcs1_sha256_legacy" }, /* draft-davidben-tls13-pkcs1-01 */
1491 { 0x0501, "rsa_pkcs1_sha384" },
1492 { 0x0503, "ecdsa_secp384r1_sha384" },
1493 { 0x0520, "rsa_pkcs1_sha384_legacy" }, /* draft-davidben-tls13-pkcs1-01 */
1494 { 0x0601, "rsa_pkcs1_sha512" },
1495 { 0x0603, "ecdsa_secp521r1_sha512" },
1496 { 0x0620, "rsa_pkcs1_sha512_legacy" }, /* draft-davidben-tls13-pkcs1-01 */
1497 { 0x0708, "sm2sig_sm3" },
1498 { 0x0709, "gostr34102012_256a" }, /* RFC9367 */
1499 { 0x070a, "gostr34102012_256b" }, /* RFC9367 */
1500 { 0x070b, "gostr34102012_256c" }, /* RFC9367 */
1501 { 0x070c, "gostr34102012_256d" }, /* RFC9367 */
1502 { 0x070d, "gostr34102012_512a" }, /* RFC9367 */
1503 { 0x070e, "gostr34102012_512b" }, /* RFC9367 */
1504 { 0x070f, "gostr34102012_512c" }, /* RFC9367 */
1505 { 0x0804, "rsa_pss_rsae_sha256" },
1506 { 0x0805, "rsa_pss_rsae_sha384" },
1507 { 0x0806, "rsa_pss_rsae_sha512" },
1508 { 0x0807, "ed25519" },
1509 { 0x0808, "ed448" },
1510 { 0x0809, "rsa_pss_pss_sha256" },
1511 { 0x080a, "rsa_pss_pss_sha384" },
1512 { 0x080b, "rsa_pss_pss_sha512" },
1513 { 0x081a, "ecdsa_brainpoolP256r1tls13_sha256" }, /* RFC8734 */
1514 { 0x081b, "ecdsa_brainpoolP384r1tls13_sha384" }, /* RFC8734 */
1515 { 0x081c, "ecdsa_brainpoolP512r1tls13_sha512" }, /* RFC8734 */
1516 /* PQC digital signature algorithms from OQS-OpenSSL,
1517 see https://github.com/open-quantum-safe/openssl/blob/OQS-OpenSSL_1_1_1-stable/oqs-template/oqs-sig-info.md */
1518 { 0xfea0, "dilithium2" },
1519 { 0xfea1, "p256_dilithium2" },
1520 { 0xfea2, "rsa3072_dilithium2" },
1521 { 0xfea3, "dilithium3" },
1522 { 0xfea4, "p384_dilithium3" },
1523 { 0xfea5, "dilithium5" },
1524 { 0xfea6, "p521_dilithium5" },
1525 { 0xfea7, "dilithium2_aes" },
1526 { 0xfea8, "p256_dilithium2_aes" },
1527 { 0xfea9, "rsa3072_dilithium2_aes" },
1528 { 0xfeaa, "dilithium3_aes" },
1529 { 0xfeab, "p384_dilithium3_aes" },
1530 { 0xfeac, "dilithium5_aes" },
1531 { 0xfead, "p521_dilithium5_aes" },
1532 { 0xfe0b, "falcon512" },
1533 { 0xfe0c, "p256_falcon512" },
1534 { 0xfe0d, "rsa3072_falcon512" },
1535 { 0xfe0e, "falcon1024" },
1536 { 0xfe0f, "p521_falcon1024" },
1537 { 0xfe96, "picnicl1full" },
1538 { 0xfe97, "p256_picnicl1full" },
1539 { 0xfe98, "rsa3072_picnicl1full" },
1540 { 0xfe1b, "picnic3l1" },
1541 { 0xfe1c, "p256_picnic3l1" },
1542 { 0xfe1d, "rsa3072_picnic3l1" },
1543 { 0xfe27, "rainbowIclassic" },
1544 { 0xfe28, "p256_rainbowIclassic" },
1545 { 0xfe29, "rsa3072_rainbowIclassic" },
1546 { 0xfe3c, "rainbowVclassic" },
1547 { 0xfe3d, "p521_rainbowVclassic" },
1548 { 0xfe42, "sphincsharaka128frobust" },
1549 { 0xfe43, "p256_sphincsharaka128frobust" },
1550 { 0xfe44, "rsa3072_sphincsharaka128frobust" },
1551 { 0xfe5e, "sphincssha256128frobust" },
1552 { 0xfe5f, "p256_sphincssha256128frobust" },
1553 { 0xfe60, "rsa3072_sphincssha256128frobust" },
1554 { 0xfe7a, "sphincsshake256128frobust" },
1555 { 0xfe7b, "p256_sphincsshake256128frobust" },
1556 { 0xfe7c, "rsa3072_sphincsshake256128frobust" },
1557 { 0, NULL((void*)0) }
1558};
1559
1560/* RFC 6091 3.1 */
1561const value_string tls_certificate_type[] = {
1562 { 0, "X.509" },
1563 { 1, "OpenPGP" },
1564 { SSL_HND_CERT_TYPE_RAW_PUBLIC_KEY2, "Raw Public Key" }, /* RFC 7250 */
1565 { 0, NULL((void*)0) }
1566};
1567
1568const value_string tls_cert_chain_type[] = {
1569 { SSL_HND_CERT_URL_TYPE_INDIVIDUAL_CERT1, "Individual Certificates" },
1570 { SSL_HND_CERT_URL_TYPE_PKIPATH2, "PKI Path" },
1571 { 0, NULL((void*)0) }
1572};
1573
1574const value_string tls_cert_status_type[] = {
1575 { SSL_HND_CERT_STATUS_TYPE_OCSP1, "OCSP" },
1576 { SSL_HND_CERT_STATUS_TYPE_OCSP_MULTI2, "OCSP Multi" },
1577 { 0, NULL((void*)0) }
1578};
1579
1580/* Generated by tools/make-tls-ct-logids.py
1581 * Last-Modified Sat, 13 Sep 2025 15:24:25 GMT, 186 entries. */
1582static const bytes_string ct_logids[] = {
1583 { (const uint8_t[]){
1584 0xb2, 0x1e, 0x05, 0xcc, 0x8b, 0xa2, 0xcd, 0x8a, 0x20, 0x4e, 0x87,
1585 0x66, 0xf9, 0x2b, 0xb9, 0x8a, 0x25, 0x20, 0x67, 0x6b, 0xda, 0xfa,
1586 0x70, 0xe7, 0xb2, 0x49, 0x53, 0x2d, 0xef, 0x8b, 0x90, 0x5e,
1587 },
1588 32, "Google 'Argon2020' log" },
1589 { (const uint8_t[]){
1590 0xf6, 0x5c, 0x94, 0x2f, 0xd1, 0x77, 0x30, 0x22, 0x14, 0x54, 0x18,
1591 0x08, 0x30, 0x94, 0x56, 0x8e, 0xe3, 0x4d, 0x13, 0x19, 0x33, 0xbf,
1592 0xdf, 0x0c, 0x2f, 0x20, 0x0b, 0xcc, 0x4e, 0xf1, 0x64, 0xe3,
1593 },
1594 32, "Google 'Argon2021' log" },
1595 { (const uint8_t[]){
1596 0x29, 0x79, 0xbe, 0xf0, 0x9e, 0x39, 0x39, 0x21, 0xf0, 0x56, 0x73,
1597 0x9f, 0x63, 0xa5, 0x77, 0xe5, 0xbe, 0x57, 0x7d, 0x9c, 0x60, 0x0a,
1598 0xf8, 0xf9, 0x4d, 0x5d, 0x26, 0x5c, 0x25, 0x5d, 0xc7, 0x84,
1599 },
1600 32, "Google 'Argon2022' log" },
1601 { (const uint8_t[]){
1602 0xe8, 0x3e, 0xd0, 0xda, 0x3e, 0xf5, 0x06, 0x35, 0x32, 0xe7, 0x57,
1603 0x28, 0xbc, 0x89, 0x6b, 0xc9, 0x03, 0xd3, 0xcb, 0xd1, 0x11, 0x6b,
1604 0xec, 0xeb, 0x69, 0xe1, 0x77, 0x7d, 0x6d, 0x06, 0xbd, 0x6e,
1605 },
1606 32, "Google 'Argon2023' log" },
1607 { (const uint8_t[]){
1608 0xee, 0xcd, 0xd0, 0x64, 0xd5, 0xdb, 0x1a, 0xce, 0xc5, 0x5c, 0xb7,
1609 0x9d, 0xb4, 0xcd, 0x13, 0xa2, 0x32, 0x87, 0x46, 0x7c, 0xbc, 0xec,
1610 0xde, 0xc3, 0x51, 0x48, 0x59, 0x46, 0x71, 0x1f, 0xb5, 0x9b,
1611 },
1612 32, "Google 'Argon2024' log" },
1613 { (const uint8_t[]){
1614 0x4e, 0x75, 0xa3, 0x27, 0x5c, 0x9a, 0x10, 0xc3, 0x38, 0x5b, 0x6c,
1615 0xd4, 0xdf, 0x3f, 0x52, 0xeb, 0x1d, 0xf0, 0xe0, 0x8e, 0x1b, 0x8d,
1616 0x69, 0xc0, 0xb1, 0xfa, 0x64, 0xb1, 0x62, 0x9a, 0x39, 0xdf,
1617 },
1618 32, "Google 'Argon2025h1' log" },
1619 { (const uint8_t[]){
1620 0x12, 0xf1, 0x4e, 0x34, 0xbd, 0x53, 0x72, 0x4c, 0x84, 0x06, 0x19,
1621 0xc3, 0x8f, 0x3f, 0x7a, 0x13, 0xf8, 0xe7, 0xb5, 0x62, 0x87, 0x88,
1622 0x9c, 0x6d, 0x30, 0x05, 0x84, 0xeb, 0xe5, 0x86, 0x26, 0x3a,
1623 },
1624 32, "Google 'Argon2025h2' log" },
1625 { (const uint8_t[]){
1626 0x0e, 0x57, 0x94, 0xbc, 0xf3, 0xae, 0xa9, 0x3e, 0x33, 0x1b, 0x2c,
1627 0x99, 0x07, 0xb3, 0xf7, 0x90, 0xdf, 0x9b, 0xc2, 0x3d, 0x71, 0x32,
1628 0x25, 0xdd, 0x21, 0xa9, 0x25, 0xac, 0x61, 0xc5, 0x4e, 0x21,
1629 },
1630 32, "Google 'Argon2026h1' log" },
1631 { (const uint8_t[]){
1632 0xd7, 0x6d, 0x7d, 0x10, 0xd1, 0xa7, 0xf5, 0x77, 0xc2, 0xc7, 0xe9,
1633 0x5f, 0xd7, 0x00, 0xbf, 0xf9, 0x82, 0xc9, 0x33, 0x5a, 0x65, 0xe1,
1634 0xd0, 0xb3, 0x01, 0x73, 0x17, 0xc0, 0xc8, 0xc5, 0x69, 0x77,
1635 },
1636 32, "Google 'Argon2026h2' log" },
1637 { (const uint8_t[]){
1638 0xd6, 0xd5, 0x8d, 0xa9, 0xd0, 0x17, 0x53, 0xf3, 0x6a, 0x4a, 0xa0,
1639 0xc7, 0x57, 0x49, 0x02, 0xaf, 0xeb, 0xc7, 0xdc, 0x2c, 0xd3, 0x8c,
1640 0xd9, 0xf7, 0x64, 0xc8, 0x0c, 0x89, 0x19, 0x1e, 0x9f, 0x02,
1641 },
1642 32, "Google 'Argon2027h1'" },
1643 { (const uint8_t[]){
1644 0x07, 0xb7, 0x5c, 0x1b, 0xe5, 0x7d, 0x68, 0xff, 0xf1, 0xb0, 0xc6,
1645 0x1d, 0x23, 0x15, 0xc7, 0xba, 0xe6, 0x57, 0x7c, 0x57, 0x94, 0xb7,
1646 0x6a, 0xee, 0xbc, 0x61, 0x3a, 0x1a, 0x69, 0xd3, 0xa2, 0x1c,
1647 },
1648 32, "Google 'Xenon2020' log" },
1649 { (const uint8_t[]){
1650 0x7d, 0x3e, 0xf2, 0xf8, 0x8f, 0xff, 0x88, 0x55, 0x68, 0x24, 0xc2,
1651 0xc0, 0xca, 0x9e, 0x52, 0x89, 0x79, 0x2b, 0xc5, 0x0e, 0x78, 0x09,
1652 0x7f, 0x2e, 0x6a, 0x97, 0x68, 0x99, 0x7e, 0x22, 0xf0, 0xd7,
1653 },
1654 32, "Google 'Xenon2021' log" },
1655 { (const uint8_t[]){
1656 0x46, 0xa5, 0x55, 0xeb, 0x75, 0xfa, 0x91, 0x20, 0x30, 0xb5, 0xa2,
1657 0x89, 0x69, 0xf4, 0xf3, 0x7d, 0x11, 0x2c, 0x41, 0x74, 0xbe, 0xfd,
1658 0x49, 0xb8, 0x85, 0xab, 0xf2, 0xfc, 0x70, 0xfe, 0x6d, 0x47,
1659 },
1660 32, "Google 'Xenon2022' log" },
1661 { (const uint8_t[]){
1662 0xad, 0xf7, 0xbe, 0xfa, 0x7c, 0xff, 0x10, 0xc8, 0x8b, 0x9d, 0x3d,
1663 0x9c, 0x1e, 0x3e, 0x18, 0x6a, 0xb4, 0x67, 0x29, 0x5d, 0xcf, 0xb1,
1664 0x0c, 0x24, 0xca, 0x85, 0x86, 0x34, 0xeb, 0xdc, 0x82, 0x8a,
1665 },
1666 32, "Google 'Xenon2023' log" },
1667 { (const uint8_t[]){
1668 0x76, 0xff, 0x88, 0x3f, 0x0a, 0xb6, 0xfb, 0x95, 0x51, 0xc2, 0x61,
1669 0xcc, 0xf5, 0x87, 0xba, 0x34, 0xb4, 0xa4, 0xcd, 0xbb, 0x29, 0xdc,
1670 0x68, 0x42, 0x0a, 0x9f, 0xe6, 0x67, 0x4c, 0x5a, 0x3a, 0x74,
1671 },
1672 32, "Google 'Xenon2024' log" },
1673 { (const uint8_t[]){
1674 0xcf, 0x11, 0x56, 0xee, 0xd5, 0x2e, 0x7c, 0xaf, 0xf3, 0x87, 0x5b,
1675 0xd9, 0x69, 0x2e, 0x9b, 0xe9, 0x1a, 0x71, 0x67, 0x4a, 0xb0, 0x17,
1676 0xec, 0xac, 0x01, 0xd2, 0x5b, 0x77, 0xce, 0xcc, 0x3b, 0x08,
1677 },
1678 32, "Google 'Xenon2025h1' log" },
1679 { (const uint8_t[]){
1680 0xdd, 0xdc, 0xca, 0x34, 0x95, 0xd7, 0xe1, 0x16, 0x05, 0xe7, 0x95,
1681 0x32, 0xfa, 0xc7, 0x9f, 0xf8, 0x3d, 0x1c, 0x50, 0xdf, 0xdb, 0x00,
1682 0x3a, 0x14, 0x12, 0x76, 0x0a, 0x2c, 0xac, 0xbb, 0xc8, 0x2a,
1683 },
1684 32, "Google 'Xenon2025h2' log" },
1685 { (const uint8_t[]){
1686 0x96, 0x97, 0x64, 0xbf, 0x55, 0x58, 0x97, 0xad, 0xf7, 0x43, 0x87,
1687 0x68, 0x37, 0x08, 0x42, 0x77, 0xe9, 0xf0, 0x3a, 0xd5, 0xf6, 0xa4,
1688 0xf3, 0x36, 0x6e, 0x46, 0xa4, 0x3f, 0x0f, 0xca, 0xa9, 0xc6,
1689 },
1690 32, "Google 'Xenon2026h1' log" },
1691 { (const uint8_t[]){
1692 0xd8, 0x09, 0x55, 0x3b, 0x94, 0x4f, 0x7a, 0xff, 0xc8, 0x16, 0x19,
1693 0x6f, 0x94, 0x4f, 0x85, 0xab, 0xb0, 0xf8, 0xfc, 0x5e, 0x87, 0x55,
1694 0x26, 0x0f, 0x15, 0xd1, 0x2e, 0x72, 0xbb, 0x45, 0x4b, 0x14,
1695 },
1696 32, "Google 'Xenon2026h2' log" },
1697 { (const uint8_t[]){
1698 0x44, 0xc2, 0xbd, 0x0c, 0xe9, 0x14, 0x0e, 0x64, 0xa5, 0xc9, 0x4a,
1699 0x01, 0x93, 0x0a, 0x5a, 0xa1, 0xbb, 0x35, 0x97, 0x0e, 0x00, 0xee,
1700 0x11, 0x16, 0x89, 0x68, 0x2a, 0x1c, 0x44, 0xd7, 0xb5, 0x66,
1701 },
1702 32, "Google 'Xenon2027h1'" },
1703 { (const uint8_t[]){
1704 0x68, 0xf6, 0x98, 0xf8, 0x1f, 0x64, 0x82, 0xbe, 0x3a, 0x8c, 0xee,
1705 0xb9, 0x28, 0x1d, 0x4c, 0xfc, 0x71, 0x51, 0x5d, 0x67, 0x93, 0xd4,
1706 0x44, 0xd1, 0x0a, 0x67, 0xac, 0xbb, 0x4f, 0x4f, 0xfb, 0xc4,
1707 },
1708 32, "Google 'Aviator' log" },
1709 { (const uint8_t[]){
1710 0x29, 0x3c, 0x51, 0x96, 0x54, 0xc8, 0x39, 0x65, 0xba, 0xaa, 0x50,
1711 0xfc, 0x58, 0x07, 0xd4, 0xb7, 0x6f, 0xbf, 0x58, 0x7a, 0x29, 0x72,
1712 0xdc, 0xa4, 0xc3, 0x0c, 0xf4, 0xe5, 0x45, 0x47, 0xf4, 0x78,
1713 },
1714 32, "Google 'Icarus' log" },
1715 { (const uint8_t[]){
1716 0xa4, 0xb9, 0x09, 0x90, 0xb4, 0x18, 0x58, 0x14, 0x87, 0xbb, 0x13,
1717 0xa2, 0xcc, 0x67, 0x70, 0x0a, 0x3c, 0x35, 0x98, 0x04, 0xf9, 0x1b,
1718 0xdf, 0xb8, 0xe3, 0x77, 0xcd, 0x0e, 0xc8, 0x0d, 0xdc, 0x10,
1719 },
1720 32, "Google 'Pilot' log" },
1721 { (const uint8_t[]){
1722 0xee, 0x4b, 0xbd, 0xb7, 0x75, 0xce, 0x60, 0xba, 0xe1, 0x42, 0x69,
1723 0x1f, 0xab, 0xe1, 0x9e, 0x66, 0xa3, 0x0f, 0x7e, 0x5f, 0xb0, 0x72,
1724 0xd8, 0x83, 0x00, 0xc4, 0x7b, 0x89, 0x7a, 0xa8, 0xfd, 0xcb,
1725 },
1726 32, "Google 'Rocketeer' log" },
1727 { (const uint8_t[]){
1728 0xbb, 0xd9, 0xdf, 0xbc, 0x1f, 0x8a, 0x71, 0xb5, 0x93, 0x94, 0x23,
1729 0x97, 0xaa, 0x92, 0x7b, 0x47, 0x38, 0x57, 0x95, 0x0a, 0xab, 0x52,
1730 0xe8, 0x1a, 0x90, 0x96, 0x64, 0x36, 0x8e, 0x1e, 0xd1, 0x85,
1731 },
1732 32, "Google 'Skydiver' log" },
1733 { (const uint8_t[]){
1734 0xfa, 0xd4, 0xc9, 0x7c, 0xc4, 0x9e, 0xe2, 0xf8, 0xac, 0x85, 0xc5,
1735 0xea, 0x5c, 0xea, 0x09, 0xd0, 0x22, 0x0d, 0xbb, 0xf4, 0xe4, 0x9c,
1736 0x6b, 0x50, 0x66, 0x2f, 0xf8, 0x68, 0xf8, 0x6b, 0x8c, 0x28,
1737 },
1738 32, "Google 'Argon2017' log" },
1739 { (const uint8_t[]){
1740 0xa4, 0x50, 0x12, 0x69, 0x05, 0x5a, 0x15, 0x54, 0x5e, 0x62, 0x11,
1741 0xab, 0x37, 0xbc, 0x10, 0x3f, 0x62, 0xae, 0x55, 0x76, 0xa4, 0x5e,
1742 0x4b, 0x17, 0x14, 0x45, 0x3e, 0x1b, 0x22, 0x10, 0x6a, 0x25,
1743 },
1744 32, "Google 'Argon2018' log" },
1745 { (const uint8_t[]){
1746 0x63, 0xf2, 0xdb, 0xcd, 0xe8, 0x3b, 0xcc, 0x2c, 0xcf, 0x0b, 0x72,
1747 0x84, 0x27, 0x57, 0x6b, 0x33, 0xa4, 0x8d, 0x61, 0x77, 0x8f, 0xbd,
1748 0x75, 0xa6, 0x38, 0xb1, 0xc7, 0x68, 0x54, 0x4b, 0xd8, 0x8d,
1749 },
1750 32, "Google 'Argon2019' log" },
1751 { (const uint8_t[]){
1752 0xb1, 0x0c, 0xd5, 0x59, 0xa6, 0xd6, 0x78, 0x46, 0x81, 0x1f, 0x7d,
1753 0xf9, 0xa5, 0x15, 0x32, 0x73, 0x9a, 0xc4, 0x8d, 0x70, 0x3b, 0xea,
1754 0x03, 0x23, 0xda, 0x5d, 0x38, 0x75, 0x5b, 0xc0, 0xad, 0x4e,
1755 },
1756 32, "Google 'Xenon2018' log" },
1757 { (const uint8_t[]){
1758 0x08, 0x41, 0x14, 0x98, 0x00, 0x71, 0x53, 0x2c, 0x16, 0x19, 0x04,
1759 0x60, 0xbc, 0xfc, 0x47, 0xfd, 0xc2, 0x65, 0x3a, 0xfa, 0x29, 0x2c,
1760 0x72, 0xb3, 0x7f, 0xf8, 0x63, 0xae, 0x29, 0xcc, 0xc9, 0xf0,
1761 },
1762 32, "Google 'Xenon2019' log" },
1763 { (const uint8_t[]){
1764 0xa8, 0x99, 0xd8, 0x78, 0x0c, 0x92, 0x90, 0xaa, 0xf4, 0x62, 0xf3,
1765 0x18, 0x80, 0xcc, 0xfb, 0xd5, 0x24, 0x51, 0xe9, 0x70, 0xd0, 0xfb,
1766 0xf5, 0x91, 0xef, 0x75, 0xb0, 0xd9, 0x9b, 0x64, 0x56, 0x81,
1767 },
1768 32, "Google 'Submariner' log" },
1769 { (const uint8_t[]){
1770 0x1d, 0x02, 0x4b, 0x8e, 0xb1, 0x49, 0x8b, 0x34, 0x4d, 0xfd, 0x87,
1771 0xea, 0x3e, 0xfc, 0x09, 0x96, 0xf7, 0x50, 0x6f, 0x23, 0x5d, 0x1d,
1772 0x49, 0x70, 0x61, 0xa4, 0x77, 0x3c, 0x43, 0x9c, 0x25, 0xfb,
1773 },
1774 32, "Google 'Daedalus' log" },
1775 { (const uint8_t[]){
1776 0xb0, 0xcc, 0x83, 0xe5, 0xa5, 0xf9, 0x7d, 0x6b, 0xaf, 0x7c, 0x09,
1777 0xcc, 0x28, 0x49, 0x04, 0x87, 0x2a, 0xc7, 0xe8, 0x8b, 0x13, 0x2c,
1778 0x63, 0x50, 0xb7, 0xc6, 0xfd, 0x26, 0xe1, 0x6c, 0x6c, 0x77,
1779 },
1780 32, "Google 'Testtube' log" },
1781 { (const uint8_t[]){
1782 0xc3, 0xbf, 0x03, 0xa7, 0xe1, 0xca, 0x88, 0x41, 0xc6, 0x07, 0xba,
1783 0xe3, 0xff, 0x42, 0x70, 0xfc, 0xa5, 0xec, 0x45, 0xb1, 0x86, 0xeb,
1784 0xbe, 0x4e, 0x2c, 0xf3, 0xfc, 0x77, 0x86, 0x30, 0xf5, 0xf6,
1785 },
1786 32, "Google 'Crucible' log" },
1787 { (const uint8_t[]){
1788 0x52, 0xeb, 0x4b, 0x22, 0x5e, 0xc8, 0x96, 0x97, 0x48, 0x50, 0x67,
1789 0x5f, 0x23, 0xe4, 0x3b, 0xc1, 0xd0, 0x21, 0xe3, 0x21, 0x4c, 0xe5,
1790 0x2e, 0xcd, 0x5f, 0xa8, 0x7c, 0x20, 0x3c, 0xdf, 0xca, 0x03,
1791 },
1792 32, "Google 'Solera2018' log" },
1793 { (const uint8_t[]){
1794 0x0b, 0x76, 0x0e, 0x9a, 0x8b, 0x9a, 0x68, 0x2f, 0x88, 0x98, 0x5b,
1795 0x15, 0xe9, 0x47, 0x50, 0x1a, 0x56, 0x44, 0x6b, 0xba, 0x88, 0x30,
1796 0x78, 0x5c, 0x38, 0x42, 0x99, 0x43, 0x86, 0x45, 0x0c, 0x00,
1797 },
1798 32, "Google 'Solera2019' log" },
1799 { (const uint8_t[]){
1800 0x1f, 0xc7, 0x2c, 0xe5, 0xa1, 0xb7, 0x99, 0xf4, 0x00, 0xc3, 0x59,
1801 0xbf, 0xf9, 0x6c, 0xa3, 0x91, 0x35, 0x48, 0xe8, 0x64, 0x42, 0x20,
1802 0x61, 0x09, 0x52, 0xe9, 0xba, 0x17, 0x74, 0xf7, 0xba, 0xc7,
1803 },
1804 32, "Google 'Solera2020' log" },
1805 { (const uint8_t[]){
1806 0xa3, 0xc9, 0x98, 0x45, 0xe8, 0x0a, 0xb7, 0xce, 0x00, 0x15, 0x7b,
1807 0x37, 0x42, 0xdf, 0x02, 0x07, 0xdd, 0x27, 0x2b, 0x2b, 0x60, 0x2e,
1808 0xcf, 0x98, 0xee, 0x2c, 0x12, 0xdb, 0x9c, 0x5a, 0xe7, 0xe7,
1809 },
1810 32, "Google 'Solera2021' log" },
1811 { (const uint8_t[]){
1812 0x69, 0x7a, 0xaf, 0xca, 0x1a, 0x6b, 0x53, 0x6f, 0xae, 0x21, 0x20,
1813 0x50, 0x46, 0xde, 0xba, 0xd7, 0xe0, 0xea, 0xea, 0x13, 0xd2, 0x43,
1814 0x2e, 0x6e, 0x9d, 0x8f, 0xb3, 0x79, 0xf2, 0xb9, 0xaa, 0xf3,
1815 },
1816 32, "Google 'Solera2022' log" },
1817 { (const uint8_t[]){
1818 0xf9, 0x7e, 0x97, 0xb8, 0xd3, 0x3e, 0xf7, 0xa1, 0x59, 0x02, 0xa5,
1819 0x3a, 0x19, 0xe1, 0x79, 0x90, 0xe5, 0xdc, 0x40, 0x6a, 0x03, 0x18,
1820 0x25, 0xba, 0xad, 0x93, 0xe9, 0x8f, 0x9b, 0x9c, 0x69, 0xcb,
1821 },
1822 32, "Google 'Solera2023' log" },
1823 { (const uint8_t[]){
1824 0x30, 0x24, 0xce, 0x7e, 0xeb, 0x16, 0x88, 0x62, 0x72, 0x4b, 0xea,
1825 0x70, 0x2e, 0xff, 0xf9, 0x92, 0xcf, 0xe4, 0x56, 0x43, 0x41, 0x91,
1826 0xaa, 0x59, 0x5b, 0x25, 0xf8, 0x02, 0x26, 0xc8, 0x00, 0x17,
1827 },
1828 32, "Google 'Solera2024' log" },
1829 { (const uint8_t[]){
1830 0x3f, 0xe1, 0xcb, 0x46, 0xed, 0x47, 0x35, 0x79, 0xaf, 0x01, 0x41,
1831 0xf9, 0x72, 0x4d, 0x9d, 0xc4, 0x43, 0x47, 0x2d, 0x75, 0x6e, 0x85,
1832 0xe7, 0x71, 0x9c, 0x55, 0x82, 0x48, 0x5d, 0xd4, 0xe1, 0xe4,
1833 },
1834 32, "Google 'Solera2025h1' log" },
1835 { (const uint8_t[]){
1836 0x26, 0x02, 0x39, 0x48, 0x87, 0x4c, 0xf7, 0xfc, 0xd0, 0xfb, 0x64,
1837 0x71, 0xa4, 0x3e, 0x84, 0x7e, 0xbb, 0x20, 0x0a, 0xe6, 0xe2, 0xfa,
1838 0x24, 0x23, 0x6d, 0xf6, 0xd1, 0xa6, 0x06, 0x63, 0x0f, 0xb1,
1839 },
1840 32, "Google 'Solera2025h2' log" },
1841 { (const uint8_t[]){
1842 0xc8, 0x4b, 0x90, 0x7a, 0x07, 0xbe, 0xaa, 0x29, 0xa6, 0x14, 0xc2,
1843 0x45, 0x84, 0xb7, 0xa3, 0xf6, 0x62, 0x43, 0x94, 0x68, 0x7b, 0x25,
1844 0xfe, 0x62, 0x83, 0x8b, 0x71, 0xec, 0x42, 0x2a, 0xd2, 0xf9,
1845 },
1846 32, "Google 'Solera2026h1' log" },
1847 { (const uint8_t[]){
1848 0x62, 0xe9, 0x00, 0x60, 0x04, 0xa3, 0x07, 0x95, 0x5a, 0x75, 0x44,
1849 0xb4, 0xd5, 0x84, 0xa9, 0x62, 0x68, 0xca, 0x1d, 0x6e, 0x45, 0x85,
1850 0xad, 0xf0, 0x91, 0x6d, 0xfe, 0x5f, 0xdc, 0x1f, 0x04, 0xdb,
1851 },
1852 32, "Google 'Solera2026h2' log" },
1853 { (const uint8_t[]){
1854 0x5e, 0xa7, 0x73, 0xf9, 0xdf, 0x56, 0xc0, 0xe7, 0xb5, 0x36, 0x48,
1855 0x7d, 0xd0, 0x49, 0xe0, 0x32, 0x7a, 0x91, 0x9a, 0x0c, 0x84, 0xa1,
1856 0x12, 0x12, 0x84, 0x18, 0x75, 0x96, 0x81, 0x71, 0x45, 0x58,
1857 },
1858 32, "Cloudflare 'Nimbus2020' Log" },
1859 { (const uint8_t[]){
1860 0x44, 0x94, 0x65, 0x2e, 0xb0, 0xee, 0xce, 0xaf, 0xc4, 0x40, 0x07,
1861 0xd8, 0xa8, 0xfe, 0x28, 0xc0, 0xda, 0xe6, 0x82, 0xbe, 0xd8, 0xcb,
1862 0x31, 0xb5, 0x3f, 0xd3, 0x33, 0x96, 0xb5, 0xb6, 0x81, 0xa8,
1863 },
1864 32, "Cloudflare 'Nimbus2021' Log" },
1865 { (const uint8_t[]){
1866 0x41, 0xc8, 0xca, 0xb1, 0xdf, 0x22, 0x46, 0x4a, 0x10, 0xc6, 0xa1,
1867 0x3a, 0x09, 0x42, 0x87, 0x5e, 0x4e, 0x31, 0x8b, 0x1b, 0x03, 0xeb,
1868 0xeb, 0x4b, 0xc7, 0x68, 0xf0, 0x90, 0x62, 0x96, 0x06, 0xf6,
1869 },
1870 32, "Cloudflare 'Nimbus2022' Log" },
1871 { (const uint8_t[]){
1872 0x7a, 0x32, 0x8c, 0x54, 0xd8, 0xb7, 0x2d, 0xb6, 0x20, 0xea, 0x38,
1873 0xe0, 0x52, 0x1e, 0xe9, 0x84, 0x16, 0x70, 0x32, 0x13, 0x85, 0x4d,
1874 0x3b, 0xd2, 0x2b, 0xc1, 0x3a, 0x57, 0xa3, 0x52, 0xeb, 0x52,
1875 },
1876 32, "Cloudflare 'Nimbus2023' Log" },
1877 { (const uint8_t[]){
1878 0xda, 0xb6, 0xbf, 0x6b, 0x3f, 0xb5, 0xb6, 0x22, 0x9f, 0x9b, 0xc2,
1879 0xbb, 0x5c, 0x6b, 0xe8, 0x70, 0x91, 0x71, 0x6c, 0xbb, 0x51, 0x84,
1880 0x85, 0x34, 0xbd, 0xa4, 0x3d, 0x30, 0x48, 0xd7, 0xfb, 0xab,
1881 },
1882 32, "Cloudflare 'Nimbus2024' Log" },
1883 { (const uint8_t[]){
1884 0xcc, 0xfb, 0x0f, 0x6a, 0x85, 0x71, 0x09, 0x65, 0xfe, 0x95, 0x9b,
1885 0x53, 0xce, 0xe9, 0xb2, 0x7c, 0x22, 0xe9, 0x85, 0x5c, 0x0d, 0x97,
1886 0x8d, 0xb6, 0xa9, 0x7e, 0x54, 0xc0, 0xfe, 0x4c, 0x0d, 0xb0,
1887 },
1888 32, "Cloudflare 'Nimbus2025'" },
1889 { (const uint8_t[]){
1890 0xcb, 0x38, 0xf7, 0x15, 0x89, 0x7c, 0x84, 0xa1, 0x44, 0x5f, 0x5b,
1891 0xc1, 0xdd, 0xfb, 0xc9, 0x6e, 0xf2, 0x9a, 0x59, 0xcd, 0x47, 0x0a,
1892 0x69, 0x05, 0x85, 0xb0, 0xcb, 0x14, 0xc3, 0x14, 0x58, 0xe7,
1893 },
1894 32, "Cloudflare 'Nimbus2026'" },
1895 { (const uint8_t[]){
1896 0x4c, 0x63, 0xdc, 0x98, 0xe5, 0x9c, 0x1d, 0xab, 0x88, 0xf6, 0x1e,
1897 0x8a, 0x3d, 0xde, 0xae, 0x8f, 0xab, 0x44, 0xa3, 0x37, 0x7b, 0x5f,
1898 0x9b, 0x94, 0xc3, 0xfb, 0xa1, 0x9c, 0xfc, 0xc1, 0xbe, 0x26,
1899 },
1900 32, "Cloudflare 'Nimbus2027'" },
1901 { (const uint8_t[]){
1902 0x1f, 0xbc, 0x36, 0xe0, 0x02, 0xed, 0xe9, 0x7f, 0x40, 0x19, 0x9e,
1903 0x86, 0xb3, 0x57, 0x3b, 0x8a, 0x42, 0x17, 0xd8, 0x01, 0x87, 0x74,
1904 0x6a, 0xd0, 0xda, 0x03, 0xa0, 0x60, 0x54, 0xd2, 0x0d, 0xf4,
1905 },
1906 32, "Cloudflare 'Nimbus2017' Log" },
1907 { (const uint8_t[]){
1908 0xdb, 0x74, 0xaf, 0xee, 0xcb, 0x29, 0xec, 0xb1, 0xfe, 0xca, 0x3e,
1909 0x71, 0x6d, 0x2c, 0xe5, 0xb9, 0xaa, 0xbb, 0x36, 0xf7, 0x84, 0x71,
1910 0x83, 0xc7, 0x5d, 0x9d, 0x4f, 0x37, 0xb6, 0x1f, 0xbf, 0x64,
1911 },
1912 32, "Cloudflare 'Nimbus2018' Log" },
1913 { (const uint8_t[]){
1914 0x74, 0x7e, 0xda, 0x83, 0x31, 0xad, 0x33, 0x10, 0x91, 0x21, 0x9c,
1915 0xce, 0x25, 0x4f, 0x42, 0x70, 0xc2, 0xbf, 0xfd, 0x5e, 0x42, 0x20,
1916 0x08, 0xc6, 0x37, 0x35, 0x79, 0xe6, 0x10, 0x7b, 0xcc, 0x56,
1917 },
1918 32, "Cloudflare 'Nimbus2019' Log" },
1919 { (const uint8_t[]){
1920 0x56, 0x14, 0x06, 0x9a, 0x2f, 0xd7, 0xc2, 0xec, 0xd3, 0xf5, 0xe1,
1921 0xbd, 0x44, 0xb2, 0x3e, 0xc7, 0x46, 0x76, 0xb9, 0xbc, 0x99, 0x11,
1922 0x5c, 0xc0, 0xef, 0x94, 0x98, 0x55, 0xd6, 0x89, 0xd0, 0xdd,
1923 },
1924 32, "DigiCert Log Server" },
1925 { (const uint8_t[]){
1926 0x87, 0x75, 0xbf, 0xe7, 0x59, 0x7c, 0xf8, 0x8c, 0x43, 0x99, 0x5f,
1927 0xbd, 0xf3, 0x6e, 0xff, 0x56, 0x8d, 0x47, 0x56, 0x36, 0xff, 0x4a,
1928 0xb5, 0x60, 0xc1, 0xb4, 0xea, 0xff, 0x5e, 0xa0, 0x83, 0x0f,
1929 },
1930 32, "DigiCert Log Server 2" },
1931 { (const uint8_t[]){
1932 0xf0, 0x95, 0xa4, 0x59, 0xf2, 0x00, 0xd1, 0x82, 0x40, 0x10, 0x2d,
1933 0x2f, 0x93, 0x88, 0x8e, 0xad, 0x4b, 0xfe, 0x1d, 0x47, 0xe3, 0x99,
1934 0xe1, 0xd0, 0x34, 0xa6, 0xb0, 0xa8, 0xaa, 0x8e, 0xb2, 0x73,
1935 },
1936 32, "DigiCert Yeti2020 Log" },
1937 { (const uint8_t[]){
1938 0x5c, 0xdc, 0x43, 0x92, 0xfe, 0xe6, 0xab, 0x45, 0x44, 0xb1, 0x5e,
1939 0x9a, 0xd4, 0x56, 0xe6, 0x10, 0x37, 0xfb, 0xd5, 0xfa, 0x47, 0xdc,
1940 0xa1, 0x73, 0x94, 0xb2, 0x5e, 0xe6, 0xf6, 0xc7, 0x0e, 0xca,
1941 },
1942 32, "DigiCert Yeti2021 Log" },
1943 { (const uint8_t[]){
1944 0x22, 0x45, 0x45, 0x07, 0x59, 0x55, 0x24, 0x56, 0x96, 0x3f, 0xa1,
1945 0x2f, 0xf1, 0xf7, 0x6d, 0x86, 0xe0, 0x23, 0x26, 0x63, 0xad, 0xc0,
1946 0x4b, 0x7f, 0x5d, 0xc6, 0x83, 0x5c, 0x6e, 0xe2, 0x0f, 0x02,
1947 },
1948 32, "DigiCert Yeti2022 Log" },
1949 { (const uint8_t[]){
1950 0x35, 0xcf, 0x19, 0x1b, 0xbf, 0xb1, 0x6c, 0x57, 0xbf, 0x0f, 0xad,
1951 0x4c, 0x6d, 0x42, 0xcb, 0xbb, 0xb6, 0x27, 0x20, 0x26, 0x51, 0xea,
1952 0x3f, 0xe1, 0x2a, 0xef, 0xa8, 0x03, 0xc3, 0x3b, 0xd6, 0x4c,
1953 },
1954 32, "DigiCert Yeti2023 Log" },
1955 { (const uint8_t[]){
1956 0x48, 0xb0, 0xe3, 0x6b, 0xda, 0xa6, 0x47, 0x34, 0x0f, 0xe5, 0x6a,
1957 0x02, 0xfa, 0x9d, 0x30, 0xeb, 0x1c, 0x52, 0x01, 0xcb, 0x56, 0xdd,
1958 0x2c, 0x81, 0xd9, 0xbb, 0xbf, 0xab, 0x39, 0xd8, 0x84, 0x73,
1959 },
1960 32, "DigiCert Yeti2024 Log" },
1961 { (const uint8_t[]){
1962 0x7d, 0x59, 0x1e, 0x12, 0xe1, 0x78, 0x2a, 0x7b, 0x1c, 0x61, 0x67,
1963 0x7c, 0x5e, 0xfd, 0xf8, 0xd0, 0x87, 0x5c, 0x14, 0xa0, 0x4e, 0x95,
1964 0x9e, 0xb9, 0x03, 0x2f, 0xd9, 0x0e, 0x8c, 0x2e, 0x79, 0xb8,
1965 },
1966 32, "DigiCert Yeti2025 Log" },
1967 { (const uint8_t[]){
1968 0xc6, 0x52, 0xa0, 0xec, 0x48, 0xce, 0xb3, 0xfc, 0xab, 0x17, 0x09,
1969 0x92, 0xc4, 0x3a, 0x87, 0x41, 0x33, 0x09, 0xe8, 0x00, 0x65, 0xa2,
1970 0x62, 0x52, 0x40, 0x1b, 0xa3, 0x36, 0x2a, 0x17, 0xc5, 0x65,
1971 },
1972 32, "DigiCert Nessie2020 Log" },
1973 { (const uint8_t[]){
1974 0xee, 0xc0, 0x95, 0xee, 0x8d, 0x72, 0x64, 0x0f, 0x92, 0xe3, 0xc3,
1975 0xb9, 0x1b, 0xc7, 0x12, 0xa3, 0x69, 0x6a, 0x09, 0x7b, 0x4b, 0x6a,
1976 0x1a, 0x14, 0x38, 0xe6, 0x47, 0xb2, 0xcb, 0xed, 0xc5, 0xf9,
1977 },
1978 32, "DigiCert Nessie2021 Log" },
1979 { (const uint8_t[]){
1980 0x51, 0xa3, 0xb0, 0xf5, 0xfd, 0x01, 0x79, 0x9c, 0x56, 0x6d, 0xb8,
1981 0x37, 0x78, 0x8f, 0x0c, 0xa4, 0x7a, 0xcc, 0x1b, 0x27, 0xcb, 0xf7,
1982 0x9e, 0x88, 0x42, 0x9a, 0x0d, 0xfe, 0xd4, 0x8b, 0x05, 0xe5,
1983 },
1984 32, "DigiCert Nessie2022 Log" },
1985 { (const uint8_t[]){
1986 0xb3, 0x73, 0x77, 0x07, 0xe1, 0x84, 0x50, 0xf8, 0x63, 0x86, 0xd6,
1987 0x05, 0xa9, 0xdc, 0x11, 0x09, 0x4a, 0x79, 0x2d, 0xb1, 0x67, 0x0c,
1988 0x0b, 0x87, 0xdc, 0xf0, 0x03, 0x0e, 0x79, 0x36, 0xa5, 0x9a,
1989 },
1990 32, "DigiCert Nessie2023 Log" },
1991 { (const uint8_t[]){
1992 0x73, 0xd9, 0x9e, 0x89, 0x1b, 0x4c, 0x96, 0x78, 0xa0, 0x20, 0x7d,
1993 0x47, 0x9d, 0xe6, 0xb2, 0xc6, 0x1c, 0xd0, 0x51, 0x5e, 0x71, 0x19,
1994 0x2a, 0x8c, 0x6b, 0x80, 0x10, 0x7a, 0xc1, 0x77, 0x72, 0xb5,
1995 },
1996 32, "DigiCert Nessie2024 Log" },
1997 { (const uint8_t[]){
1998 0xe6, 0xd2, 0x31, 0x63, 0x40, 0x77, 0x8c, 0xc1, 0x10, 0x41, 0x06,
1999 0xd7, 0x71, 0xb9, 0xce, 0xc1, 0xd2, 0x40, 0xf6, 0x96, 0x84, 0x86,
2000 0xfb, 0xba, 0x87, 0x32, 0x1d, 0xfd, 0x1e, 0x37, 0x8e, 0x50,
2001 },
2002 32, "DigiCert Nessie2025 Log" },
2003 { (const uint8_t[]){
2004 0xb6, 0x9d, 0xdc, 0xbc, 0x3c, 0x1a, 0xbd, 0xef, 0x6f, 0x9f, 0xd6,
2005 0x0c, 0x88, 0xb1, 0x06, 0x7b, 0x77, 0xf0, 0x82, 0x68, 0x8b, 0x2d,
2006 0x78, 0x65, 0xd0, 0x4b, 0x39, 0xab, 0xe9, 0x27, 0xa5, 0x75,
2007 },
2008 32, "DigiCert 'Wyvern2024h1' Log" },
2009 { (const uint8_t[]){
2010 0x0c, 0x2a, 0xef, 0x2c, 0x4a, 0x5b, 0x98, 0x83, 0xd4, 0xdd, 0xa3,
2011 0x82, 0xfe, 0x50, 0xfb, 0x51, 0x88, 0xb3, 0xe9, 0x73, 0x33, 0xa1,
2012 0xec, 0x53, 0xa0, 0x9d, 0xc9, 0xa7, 0x9d, 0x0d, 0x08, 0x20,
2013 },
2014 32, "DigiCert 'Wyvern2024h2' Log" },
2015 { (const uint8_t[]){
2016 0x73, 0x20, 0x22, 0x0f, 0x08, 0x16, 0x8a, 0xf9, 0xf3, 0xc4, 0xa6,
2017 0x8b, 0x0a, 0xb2, 0x6a, 0x9a, 0x4a, 0x00, 0xee, 0xf5, 0x77, 0x85,
2018 0x8a, 0x08, 0x4d, 0x05, 0x00, 0xd4, 0xa5, 0x42, 0x44, 0x59,
2019 },
2020 32, "DigiCert 'Wyvern2025h1' Log" },
2021 { (const uint8_t[]){
2022 0xed, 0x3c, 0x4b, 0xd6, 0xe8, 0x06, 0xc2, 0xa4, 0xa2, 0x00, 0x57,
2023 0xdb, 0xcb, 0x24, 0xe2, 0x38, 0x01, 0xdf, 0x51, 0x2f, 0xed, 0xc4,
2024 0x86, 0xc5, 0x70, 0x0f, 0x20, 0xdd, 0xb7, 0x3e, 0x3f, 0xe0,
2025 },
2026 32, "DigiCert 'Wyvern2025h2' Log" },
2027 { (const uint8_t[]){
2028 0x64, 0x11, 0xc4, 0x6c, 0xa4, 0x12, 0xec, 0xa7, 0x89, 0x1c, 0xa2,
2029 0x02, 0x2e, 0x00, 0xbc, 0xab, 0x4f, 0x28, 0x07, 0xd4, 0x1e, 0x35,
2030 0x27, 0xab, 0xea, 0xfe, 0xd5, 0x03, 0xc9, 0x7d, 0xcd, 0xf0,
2031 },
2032 32, "DigiCert 'Wyvern2026h1'" },
2033 { (const uint8_t[]){
2034 0xc2, 0x31, 0x7e, 0x57, 0x45, 0x19, 0xa3, 0x45, 0xee, 0x7f, 0x38,
2035 0xde, 0xb2, 0x90, 0x41, 0xeb, 0xc7, 0xc2, 0x21, 0x5a, 0x22, 0xbf,
2036 0x7f, 0xd5, 0xb5, 0xad, 0x76, 0x9a, 0xd9, 0x0e, 0x52, 0xcd,
2037 },
2038 32, "DigiCert 'Wyvern2026h2'" },
2039 { (const uint8_t[]){
2040 0x00, 0x1a, 0x5d, 0x1a, 0x1c, 0x2d, 0x93, 0x75, 0xb6, 0x48, 0x55,
2041 0x78, 0xf8, 0x2f, 0x71, 0xa1, 0xae, 0x6e, 0xef, 0x39, 0x7d, 0x29,
2042 0x7c, 0x8a, 0xe3, 0x15, 0x7b, 0xca, 0xde, 0xe1, 0xa0, 0x1e,
2043 },
2044 32, "DigiCert 'Wyvern2027h1'" },
2045 { (const uint8_t[]){
2046 0x37, 0xaa, 0x07, 0xcc, 0x21, 0x6f, 0x2e, 0x6d, 0x91, 0x9c, 0x70,
2047 0x9d, 0x24, 0xd8, 0xf7, 0x31, 0xb0, 0x0f, 0x2b, 0x14, 0x7c, 0x62,
2048 0x1c, 0xc0, 0x91, 0xa5, 0xfa, 0x1a, 0x84, 0xd8, 0x16, 0xdd,
2049 },
2050 32, "DigiCert 'Wyvern2027h2'" },
2051 { (const uint8_t[]){
2052 0xdb, 0x07, 0x6c, 0xde, 0x6a, 0x8b, 0x78, 0xec, 0x58, 0xd6, 0x05,
2053 0x64, 0x96, 0xeb, 0x6a, 0x26, 0xa8, 0xc5, 0x9e, 0x72, 0x12, 0x93,
2054 0xe8, 0xac, 0x03, 0x27, 0xdd, 0xde, 0x89, 0xdb, 0x5a, 0x2a,
2055 },
2056 32, "DigiCert 'Sphinx2024h1' Log" },
2057 { (const uint8_t[]){
2058 0xdc, 0xc9, 0x5e, 0x6f, 0xa2, 0x99, 0xb9, 0xb0, 0xfd, 0xbd, 0x6c,
2059 0xa6, 0xa3, 0x6e, 0x1d, 0x72, 0xc4, 0x21, 0x2f, 0xdd, 0x1e, 0x0f,
2060 0x47, 0x55, 0x3a, 0x36, 0xd6, 0xcf, 0x1a, 0xd1, 0x1d, 0x8d,
2061 },
2062 32, "DigiCert 'Sphinx2024h2' Log" },
2063 { (const uint8_t[]){
2064 0xde, 0x85, 0x81, 0xd7, 0x50, 0x24, 0x7c, 0x6b, 0xcd, 0xcb, 0xaf,
2065 0x56, 0x37, 0xc5, 0xe7, 0x81, 0xc6, 0x4c, 0xe4, 0x6e, 0xd6, 0x17,
2066 0x63, 0x9f, 0x8f, 0x34, 0xa7, 0x26, 0xc9, 0xe2, 0xbd, 0x37,
2067 },
2068 32, "DigiCert 'Sphinx2025h1' Log" },
2069 { (const uint8_t[]){
2070 0xa4, 0x42, 0xc5, 0x06, 0x49, 0x60, 0x61, 0x54, 0x8f, 0x0f, 0xd4,
2071 0xea, 0x9c, 0xfb, 0x7a, 0x2d, 0x26, 0x45, 0x4d, 0x87, 0xa9, 0x7f,
2072 0x2f, 0xdf, 0x45, 0x59, 0xf6, 0x27, 0x4f, 0x3a, 0x84, 0x54,
2073 },
2074 32, "DigiCert 'Sphinx2025h2' Log" },
2075 { (const uint8_t[]){
2076 0x49, 0x9c, 0x9b, 0x69, 0xde, 0x1d, 0x7c, 0xec, 0xfc, 0x36, 0xde,
2077 0xcd, 0x87, 0x64, 0xa6, 0xb8, 0x5b, 0xaf, 0x0a, 0x87, 0x80, 0x19,
2078 0xd1, 0x55, 0x52, 0xfb, 0xe9, 0xeb, 0x29, 0xdd, 0xf8, 0xc3,
2079 },
2080 32, "DigiCert 'Sphinx2026h1'" },
2081 { (const uint8_t[]){
2082 0x94, 0x4e, 0x43, 0x87, 0xfa, 0xec, 0xc1, 0xef, 0x81, 0xf3, 0x19,
2083 0x24, 0x26, 0xa8, 0x18, 0x65, 0x01, 0xc7, 0xd3, 0x5f, 0x38, 0x02,
2084 0x01, 0x3f, 0x72, 0x67, 0x7d, 0x55, 0x37, 0x2e, 0x19, 0xd8,
2085 },
2086 32, "DigiCert 'Sphinx2026h2'" },
2087 { (const uint8_t[]){
2088 0x46, 0xa2, 0x39, 0x67, 0xc6, 0x0d, 0xb6, 0x46, 0x87, 0xc6, 0x6f,
2089 0x3d, 0xf9, 0x99, 0x94, 0x76, 0x93, 0xa6, 0xa6, 0x11, 0x20, 0x84,
2090 0x57, 0xd5, 0x55, 0xe7, 0xe3, 0xd0, 0xa1, 0xd9, 0xb6, 0x46,
2091 },
2092 32, "DigiCert 'sphinx2027h1'" },
2093 { (const uint8_t[]){
2094 0x1f, 0xb0, 0xf8, 0xa9, 0x2d, 0x8a, 0xdd, 0xa1, 0x21, 0x77, 0x6c,
2095 0x05, 0xe2, 0xaa, 0x2e, 0x15, 0xba, 0xcb, 0xc6, 0x2b, 0x65, 0x39,
2096 0x36, 0x95, 0x57, 0x6a, 0xaa, 0xb5, 0x2e, 0x11, 0xd1, 0x1d,
2097 },
2098 32, "DigiCert 'sphinx2027h2'" },
2099 { (const uint8_t[]){
2100 0xdd, 0xeb, 0x1d, 0x2b, 0x7a, 0x0d, 0x4f, 0xa6, 0x20, 0x8b, 0x81,
2101 0xad, 0x81, 0x68, 0x70, 0x7e, 0x2e, 0x8e, 0x9d, 0x01, 0xd5, 0x5c,
2102 0x88, 0x8d, 0x3d, 0x11, 0xc4, 0xcd, 0xb6, 0xec, 0xbe, 0xcc,
2103 },
2104 32, "Symantec log" },
2105 { (const uint8_t[]){
2106 0xbc, 0x78, 0xe1, 0xdf, 0xc5, 0xf6, 0x3c, 0x68, 0x46, 0x49, 0x33,
2107 0x4d, 0xa1, 0x0f, 0xa1, 0x5f, 0x09, 0x79, 0x69, 0x20, 0x09, 0xc0,
2108 0x81, 0xb4, 0xf3, 0xf6, 0x91, 0x7f, 0x3e, 0xd9, 0xb8, 0xa5,
2109 },
2110 32, "Symantec 'Vega' log" },
2111 { (const uint8_t[]){
2112 0x15, 0x97, 0x04, 0x88, 0xd7, 0xb9, 0x97, 0xa0, 0x5b, 0xeb, 0x52,
2113 0x51, 0x2a, 0xde, 0xe8, 0xd2, 0xe8, 0xb4, 0xa3, 0x16, 0x52, 0x64,
2114 0x12, 0x1a, 0x9f, 0xab, 0xfb, 0xd5, 0xf8, 0x5a, 0xd9, 0x3f,
2115 },
2116 32, "Symantec 'Sirius' log" },
2117 { (const uint8_t[]){
2118 0x05, 0x9c, 0x01, 0xd3, 0x20, 0xe0, 0x07, 0x84, 0x13, 0x95, 0x80,
2119 0x49, 0x8d, 0x11, 0x7c, 0x90, 0x32, 0x66, 0xaf, 0xaf, 0x72, 0x50,
2120 0xb5, 0xaf, 0x3b, 0x46, 0xa4, 0x3e, 0x11, 0x84, 0x0d, 0x4a,
2121 },
2122 32, "DigiCert Yeti2022-2 Log" },
2123 { (const uint8_t[]){
2124 0xc1, 0x16, 0x4a, 0xe0, 0xa7, 0x72, 0xd2, 0xd4, 0x39, 0x2d, 0xc8,
2125 0x0a, 0xc1, 0x07, 0x70, 0xd4, 0xf0, 0xc4, 0x9b, 0xde, 0x99, 0x1a,
2126 0x48, 0x40, 0xc1, 0xfa, 0x07, 0x51, 0x64, 0xf6, 0x33, 0x60,
2127 },
2128 32, "DigiCert Yeti2018 Log" },
2129 { (const uint8_t[]){
2130 0xe2, 0x69, 0x4b, 0xae, 0x26, 0xe8, 0xe9, 0x40, 0x09, 0xe8, 0x86,
2131 0x1b, 0xb6, 0x3b, 0x83, 0xd4, 0x3e, 0xe7, 0xfe, 0x74, 0x88, 0xfb,
2132 0xa4, 0x8f, 0x28, 0x93, 0x01, 0x9d, 0xdd, 0xf1, 0xdb, 0xfe,
2133 },
2134 32, "DigiCert Yeti2019 Log" },
2135 { (const uint8_t[]){
2136 0x6f, 0xf1, 0x41, 0xb5, 0x64, 0x7e, 0x42, 0x22, 0xf7, 0xef, 0x05,
2137 0x2c, 0xef, 0xae, 0x7c, 0x21, 0xfd, 0x60, 0x8e, 0x27, 0xd2, 0xaf,
2138 0x5a, 0x6e, 0x9f, 0x4b, 0x8a, 0x37, 0xd6, 0x63, 0x3e, 0xe5,
2139 },
2140 32, "DigiCert Nessie2018 Log" },
2141 { (const uint8_t[]){
2142 0xfe, 0x44, 0x61, 0x08, 0xb1, 0xd0, 0x1a, 0xb7, 0x8a, 0x62, 0xcc,
2143 0xfe, 0xab, 0x6a, 0xb2, 0xb2, 0xba, 0xbf, 0xf3, 0xab, 0xda, 0xd8,
2144 0x0a, 0x4d, 0x8b, 0x30, 0xdf, 0x2d, 0x00, 0x08, 0x83, 0x0c,
2145 },
2146 32, "DigiCert Nessie2019 Log" },
2147 { (const uint8_t[]){
2148 0xa7, 0xce, 0x4a, 0x4e, 0x62, 0x07, 0xe0, 0xad, 0xde, 0xe5, 0xfd,
2149 0xaa, 0x4b, 0x1f, 0x86, 0x76, 0x87, 0x67, 0xb5, 0xd0, 0x02, 0xa5,
2150 0x5d, 0x47, 0x31, 0x0e, 0x7e, 0x67, 0x0a, 0x95, 0xea, 0xb2,
2151 },
2152 32, "Symantec Deneb" },
2153 { (const uint8_t[]){
2154 0xcd, 0xb5, 0x17, 0x9b, 0x7f, 0xc1, 0xc0, 0x46, 0xfe, 0xea, 0x31,
2155 0x13, 0x6a, 0x3f, 0x8f, 0x00, 0x2e, 0x61, 0x82, 0xfa, 0xf8, 0x89,
2156 0x6f, 0xec, 0xc8, 0xb2, 0xf5, 0xb5, 0xab, 0x60, 0x49, 0x00,
2157 },
2158 32, "Certly.IO log" },
2159 { (const uint8_t[]){
2160 0x74, 0x61, 0xb4, 0xa0, 0x9c, 0xfb, 0x3d, 0x41, 0xd7, 0x51, 0x59,
2161 0x57, 0x5b, 0x2e, 0x76, 0x49, 0xa4, 0x45, 0xa8, 0xd2, 0x77, 0x09,
2162 0xb0, 0xcc, 0x56, 0x4a, 0x64, 0x82, 0xb7, 0xeb, 0x41, 0xa3,
2163 },
2164 32, "Izenpe log" },
2165 { (const uint8_t[]){
2166 0x89, 0x41, 0x44, 0x9c, 0x70, 0x74, 0x2e, 0x06, 0xb9, 0xfc, 0x9c,
2167 0xe7, 0xb1, 0x16, 0xba, 0x00, 0x24, 0xaa, 0x36, 0xd5, 0x9a, 0xf4,
2168 0x4f, 0x02, 0x04, 0x40, 0x4f, 0x00, 0xf7, 0xea, 0x85, 0x66,
2169 },
2170 32, "Izenpe 'Argi' log" },
2171 { (const uint8_t[]){
2172 0x41, 0xb2, 0xdc, 0x2e, 0x89, 0xe6, 0x3c, 0xe4, 0xaf, 0x1b, 0xa7,
2173 0xbb, 0x29, 0xbf, 0x68, 0xc6, 0xde, 0xe6, 0xf9, 0xf1, 0xcc, 0x04,
2174 0x7e, 0x30, 0xdf, 0xfa, 0xe3, 0xb3, 0xba, 0x25, 0x92, 0x63,
2175 },
2176 32, "WoSign log" },
2177 { (const uint8_t[]){
2178 0x9e, 0x4f, 0xf7, 0x3d, 0xc3, 0xce, 0x22, 0x0b, 0x69, 0x21, 0x7c,
2179 0x89, 0x9e, 0x46, 0x80, 0x76, 0xab, 0xf8, 0xd7, 0x86, 0x36, 0xd5,
2180 0xcc, 0xfc, 0x85, 0xa3, 0x1a, 0x75, 0x62, 0x8b, 0xa8, 0x8b,
2181 },
2182 32, "WoSign CT log #1" },
2183 { (const uint8_t[]){
2184 0x63, 0xd0, 0x00, 0x60, 0x26, 0xdd, 0xe1, 0x0b, 0xb0, 0x60, 0x1f,
2185 0x45, 0x24, 0x46, 0x96, 0x5e, 0xe2, 0xb6, 0xea, 0x2c, 0xd4, 0xfb,
2186 0xc9, 0x5a, 0xc8, 0x66, 0xa5, 0x50, 0xaf, 0x90, 0x75, 0xb7,
2187 },
2188 32, "WoSign log 2" },
2189 { (const uint8_t[]){
2190 0xac, 0x3b, 0x9a, 0xed, 0x7f, 0xa9, 0x67, 0x47, 0x57, 0x15, 0x9e,
2191 0x6d, 0x7d, 0x57, 0x56, 0x72, 0xf9, 0xd9, 0x81, 0x00, 0x94, 0x1e,
2192 0x9b, 0xde, 0xff, 0xec, 0xa1, 0x31, 0x3b, 0x75, 0x78, 0x2d,
2193 },
2194 32, "Venafi log" },
2195 { (const uint8_t[]){
2196 0x03, 0x01, 0x9d, 0xf3, 0xfd, 0x85, 0xa6, 0x9a, 0x8e, 0xbd, 0x1f,
2197 0xac, 0xc6, 0xda, 0x9b, 0xa7, 0x3e, 0x46, 0x97, 0x74, 0xfe, 0x77,
2198 0xf5, 0x79, 0xfc, 0x5a, 0x08, 0xb8, 0x32, 0x8c, 0x1d, 0x6b,
2199 },
2200 32, "Venafi Gen2 CT log" },
2201 { (const uint8_t[]){
2202 0xa5, 0x77, 0xac, 0x9c, 0xed, 0x75, 0x48, 0xdd, 0x8f, 0x02, 0x5b,
2203 0x67, 0xa2, 0x41, 0x08, 0x9d, 0xf8, 0x6e, 0x0f, 0x47, 0x6e, 0xc2,
2204 0x03, 0xc2, 0xec, 0xbe, 0xdb, 0x18, 0x5f, 0x28, 0x26, 0x38,
2205 },
2206 32, "CNNIC CT log" },
2207 { (const uint8_t[]){
2208 0x34, 0xbb, 0x6a, 0xd6, 0xc3, 0xdf, 0x9c, 0x03, 0xee, 0xa8, 0xa4,
2209 0x99, 0xff, 0x78, 0x91, 0x48, 0x6c, 0x9d, 0x5e, 0x5c, 0xac, 0x92,
2210 0xd0, 0x1f, 0x7b, 0xfd, 0x1b, 0xce, 0x19, 0xdb, 0x48, 0xef,
2211 },
2212 32, "StartCom log" },
2213 { (const uint8_t[]){
2214 0x55, 0x81, 0xd4, 0xc2, 0x16, 0x90, 0x36, 0x01, 0x4a, 0xea, 0x0b,
2215 0x9b, 0x57, 0x3c, 0x53, 0xf0, 0xc0, 0xe4, 0x38, 0x78, 0x70, 0x25,
2216 0x08, 0x17, 0x2f, 0xa3, 0xaa, 0x1d, 0x07, 0x13, 0xd3, 0x0c,
2217 },
2218 32, "Sectigo 'Sabre' CT log" },
2219 { (const uint8_t[]){
2220 0xa2, 0xe2, 0xbf, 0xd6, 0x1e, 0xde, 0x2f, 0x2f, 0x07, 0xa0, 0xd6,
2221 0x4e, 0x6d, 0x37, 0xa7, 0xdc, 0x65, 0x43, 0xb0, 0xc6, 0xb5, 0x2e,
2222 0xa2, 0xda, 0xb7, 0x8a, 0xf8, 0x9a, 0x6d, 0xf5, 0x17, 0xd8,
2223 },
2224 32, "Sectigo 'Sabre2024h1'" },
2225 { (const uint8_t[]){
2226 0x19, 0x98, 0x10, 0x71, 0x09, 0xf0, 0xd6, 0x52, 0x2e, 0x30, 0x80,
2227 0xd2, 0x9e, 0x3f, 0x64, 0xbb, 0x83, 0x6e, 0x28, 0xcc, 0xf9, 0x0f,
2228 0x52, 0x8e, 0xee, 0xdf, 0xce, 0x4a, 0x3f, 0x16, 0xb4, 0xca,
2229 },
2230 32, "Sectigo 'Sabre2024h2'" },
2231 { (const uint8_t[]){
2232 0xe0, 0x92, 0xb3, 0xfc, 0x0c, 0x1d, 0xc8, 0xe7, 0x68, 0x36, 0x1f,
2233 0xde, 0x61, 0xb9, 0x96, 0x4d, 0x0a, 0x52, 0x78, 0x19, 0x8a, 0x72,
2234 0xd6, 0x72, 0xc4, 0xb0, 0x4d, 0xa5, 0x6d, 0x6f, 0x54, 0x04,
2235 },
2236 32, "Sectigo 'Sabre2025h1'" },
2237 { (const uint8_t[]){
2238 0x1a, 0x04, 0xff, 0x49, 0xd0, 0x54, 0x1d, 0x40, 0xaf, 0xf6, 0xa0,
2239 0xc3, 0xbf, 0xf1, 0xd8, 0xc4, 0x67, 0x2f, 0x4e, 0xec, 0xee, 0x23,
2240 0x40, 0x68, 0x98, 0x6b, 0x17, 0x40, 0x2e, 0xdc, 0x89, 0x7d,
2241 },
2242 32, "Sectigo 'Sabre2025h2'" },
2243 { (const uint8_t[]){
2244 0x6f, 0x53, 0x76, 0xac, 0x31, 0xf0, 0x31, 0x19, 0xd8, 0x99, 0x00,
2245 0xa4, 0x51, 0x15, 0xff, 0x77, 0x15, 0x1c, 0x11, 0xd9, 0x02, 0xc1,
2246 0x00, 0x29, 0x06, 0x8d, 0xb2, 0x08, 0x9a, 0x37, 0xd9, 0x13,
2247 },
2248 32, "Sectigo 'Mammoth' CT log" },
2249 { (const uint8_t[]){
2250 0x29, 0xd0, 0x3a, 0x1b, 0xb6, 0x74, 0xaa, 0x71, 0x1c, 0xd3, 0x03,
2251 0x5b, 0x65, 0x57, 0xc1, 0x4f, 0x8a, 0xa7, 0x8b, 0x4f, 0xe8, 0x38,
2252 0x94, 0x49, 0xec, 0xa4, 0x53, 0xf9, 0x44, 0xbd, 0x24, 0x68,
2253 },
2254 32, "Sectigo 'Mammoth2024h1'" },
2255 { (const uint8_t[]){
2256 0x50, 0x85, 0x01, 0x58, 0xdc, 0xb6, 0x05, 0x95, 0xc0, 0x0e, 0x92,
2257 0xa8, 0x11, 0x02, 0xec, 0xcd, 0xfe, 0x3f, 0x6b, 0x78, 0x58, 0x42,
2258 0x9f, 0x57, 0x98, 0x35, 0x38, 0xc9, 0xda, 0x52, 0x50, 0x63,
2259 },
2260 32, "Sectigo 'Mammoth2024h1b'" },
2261 { (const uint8_t[]){
2262 0xdf, 0xe1, 0x56, 0xeb, 0xaa, 0x05, 0xaf, 0xb5, 0x9c, 0x0f, 0x86,
2263 0x71, 0x8d, 0xa8, 0xc0, 0x32, 0x4e, 0xae, 0x56, 0xd9, 0x6e, 0xa7,
2264 0xf5, 0xa5, 0x6a, 0x01, 0xd1, 0xc1, 0x3b, 0xbe, 0x52, 0x5c,
2265 },
2266 32, "Sectigo 'Mammoth2024h2'" },
2267 { (const uint8_t[]){
2268 0x13, 0x4a, 0xdf, 0x1a, 0xb5, 0x98, 0x42, 0x09, 0x78, 0x0c, 0x6f,
2269 0xef, 0x4c, 0x7a, 0x91, 0xa4, 0x16, 0xb7, 0x23, 0x49, 0xce, 0x58,
2270 0x57, 0x6a, 0xdf, 0xae, 0xda, 0xa7, 0xc2, 0xab, 0xe0, 0x22,
2271 },
2272 32, "Sectigo 'Mammoth2025h1'" },
2273 { (const uint8_t[]){
2274 0xaf, 0x18, 0x1a, 0x28, 0xd6, 0x8c, 0xa3, 0xe0, 0xa9, 0x8a, 0x4c,
2275 0x9c, 0x67, 0xab, 0x09, 0xf8, 0xbb, 0xbc, 0x22, 0xba, 0xae, 0xbc,
2276 0xb1, 0x38, 0xa3, 0xa1, 0x9d, 0xd3, 0xf9, 0xb6, 0x03, 0x0d,
2277 },
2278 32, "Sectigo 'Mammoth2025h2'" },
2279 { (const uint8_t[]){
2280 0x25, 0x2f, 0x94, 0xc2, 0x2b, 0x29, 0xe9, 0x6e, 0x9f, 0x41, 0x1a,
2281 0x72, 0x07, 0x2b, 0x69, 0x5c, 0x5b, 0x52, 0xff, 0x97, 0xa9, 0x0d,
2282 0x25, 0x40, 0xbb, 0xfc, 0xdc, 0x51, 0xec, 0x4d, 0xee, 0x0b,
2283 },
2284 32, "Sectigo 'Mammoth2026h1'" },
2285 { (const uint8_t[]){
2286 0x94, 0xb1, 0xc1, 0x8a, 0xb0, 0xd0, 0x57, 0xc4, 0x7b, 0xe0, 0xac,
2287 0x04, 0x0e, 0x1f, 0x2c, 0xbc, 0x8d, 0xc3, 0x75, 0x72, 0x7b, 0xc9,
2288 0x51, 0xf2, 0x0a, 0x52, 0x61, 0x26, 0x86, 0x3b, 0xa7, 0x3c,
2289 },
2290 32, "Sectigo 'Mammoth2026h2'" },
2291 { (const uint8_t[]){
2292 0x56, 0x6c, 0xd5, 0xa3, 0x76, 0xbe, 0x83, 0xdf, 0xe3, 0x42, 0xb6,
2293 0x75, 0xc4, 0x9c, 0x23, 0x24, 0x98, 0xa7, 0x69, 0xba, 0xc3, 0x82,
2294 0xcb, 0xab, 0x49, 0xa3, 0x87, 0x7d, 0x9a, 0xb3, 0x2d, 0x01,
2295 },
2296 32, "Sectigo 'Sabre2026h1'" },
2297 { (const uint8_t[]){
2298 0x1f, 0x56, 0xd1, 0xab, 0x94, 0x70, 0x4a, 0x41, 0xdd, 0x3f, 0xea,
2299 0xfd, 0xf4, 0x69, 0x93, 0x55, 0x30, 0x2c, 0x14, 0x31, 0xbf, 0xe6,
2300 0x13, 0x46, 0x08, 0x9f, 0xff, 0xae, 0x79, 0x5d, 0xcc, 0x2f,
2301 },
2302 32, "Sectigo 'Sabre2026h2'" },
2303 { (const uint8_t[]){
2304 0x0d, 0x1d, 0xbc, 0x89, 0x44, 0xe9, 0xf5, 0x00, 0x55, 0x42, 0xd7,
2305 0x2d, 0x3e, 0x14, 0x4c, 0xcc, 0x43, 0x08, 0x2a, 0xb6, 0xea, 0x1e,
2306 0x94, 0xdf, 0xd7, 0x06, 0x65, 0x7d, 0x2e, 0x86, 0xf3, 0x01,
2307 },
2308 32, "Sectigo 'Elephant2025h2'" },
2309 { (const uint8_t[]){
2310 0xd1, 0x6e, 0xa9, 0xa5, 0x68, 0x07, 0x7e, 0x66, 0x35, 0xa0, 0x3f,
2311 0x37, 0xa5, 0xdd, 0xbc, 0x03, 0xa5, 0x3c, 0x41, 0x12, 0x14, 0xd4,
2312 0x88, 0x18, 0xf5, 0xe9, 0x31, 0xb3, 0x23, 0xcb, 0x95, 0x04,
2313 },
2314 32, "Sectigo 'Elephant2026h1'" },
2315 { (const uint8_t[]){
2316 0xaf, 0x67, 0x88, 0x3b, 0x57, 0xb0, 0x4e, 0xdd, 0x8f, 0xa6, 0xd9,
2317 0x7e, 0xf6, 0x2e, 0xa8, 0xeb, 0x81, 0x0a, 0xc7, 0x71, 0x60, 0xf0,
2318 0x24, 0x5e, 0x55, 0xd6, 0x0c, 0x2f, 0xe7, 0x85, 0x87, 0x3a,
2319 },
2320 32, "Sectigo 'Elephant2026h2'" },
2321 { (const uint8_t[]){
2322 0x60, 0x4c, 0x9a, 0xaf, 0x7a, 0x7f, 0x77, 0x5f, 0x01, 0xd4, 0x06,
2323 0xfc, 0x92, 0x0d, 0xc8, 0x99, 0xeb, 0x0b, 0x1c, 0x7d, 0xf8, 0xc9,
2324 0x52, 0x1b, 0xfa, 0xfa, 0x17, 0x77, 0x3b, 0x97, 0x8b, 0xc9,
2325 },
2326 32, "Sectigo 'Elephant2027h1'" },
2327 { (const uint8_t[]){
2328 0xa2, 0x49, 0x0c, 0xdc, 0xdb, 0x8e, 0x33, 0xa4, 0x00, 0x32, 0x17,
2329 0x60, 0xd6, 0xd4, 0xd5, 0x1a, 0x20, 0x36, 0x19, 0x1e, 0xa7, 0x7d,
2330 0x96, 0x8b, 0xe2, 0x6a, 0x8a, 0x00, 0xf6, 0xff, 0xff, 0xf7,
2331 },
2332 32, "Sectigo 'Elephant2027h2'" },
2333 { (const uint8_t[]){
2334 0x5c, 0xa5, 0x77, 0xd2, 0x9b, 0x7f, 0x8b, 0xaf, 0x41, 0x9e, 0xd8,
2335 0xec, 0xab, 0xfb, 0x6d, 0xcb, 0xae, 0xc3, 0x85, 0x37, 0x02, 0xd5,
2336 0x74, 0x6f, 0x17, 0x4d, 0xad, 0x3c, 0x93, 0x4a, 0xa9, 0x6a,
2337 },
2338 32, "Sectigo 'Tiger2025h2'" },
2339 { (const uint8_t[]){
2340 0x16, 0x83, 0x2d, 0xab, 0xf0, 0xa9, 0x25, 0x0f, 0x0f, 0xf0, 0x3a,
2341 0xa5, 0x45, 0xff, 0xc8, 0xbf, 0xc8, 0x23, 0xd0, 0x87, 0x4b, 0xf6,
2342 0x04, 0x29, 0x27, 0xf8, 0xe7, 0x1f, 0x33, 0x13, 0xf5, 0xfa,
2343 },
2344 32, "Sectigo 'Tiger2026h1'" },
2345 { (const uint8_t[]){
2346 0xc8, 0xa3, 0xc4, 0x7f, 0xc7, 0xb3, 0xad, 0xb9, 0x35, 0x6b, 0x01,
2347 0x3f, 0x6a, 0x7a, 0x12, 0x6d, 0xe3, 0x3a, 0x4e, 0x43, 0xa5, 0xc6,
2348 0x46, 0xf9, 0x97, 0xad, 0x39, 0x75, 0x99, 0x1d, 0xcf, 0x9a,
2349 },
2350 32, "Sectigo 'Tiger2026h2'" },
2351 { (const uint8_t[]){
2352 0x1c, 0x9f, 0x68, 0x2c, 0xe9, 0xfa, 0xf0, 0x45, 0x69, 0x50, 0xf8,
2353 0x1b, 0x96, 0x8a, 0x87, 0xdd, 0xdb, 0x32, 0x10, 0xd8, 0x4c, 0xe6,
2354 0xc8, 0xb2, 0xe3, 0x82, 0x52, 0x4a, 0xc4, 0xcf, 0x59, 0x9f,
2355 },
2356 32, "Sectigo 'Tiger2027h1'" },
2357 { (const uint8_t[]){
2358 0x03, 0x80, 0x2a, 0xc2, 0x62, 0xf6, 0xe0, 0x5e, 0x03, 0xf8, 0xbc,
2359 0x6f, 0x7b, 0x98, 0x51, 0x32, 0x4f, 0xd7, 0x6a, 0x3d, 0xf5, 0xb7,
2360 0x59, 0x51, 0x75, 0xe2, 0x22, 0xfb, 0x8e, 0x9b, 0xd5, 0xf6,
2361 },
2362 32, "Sectigo 'Tiger2027h2'" },
2363 { (const uint8_t[]){
2364 0xdb, 0x76, 0xfd, 0xad, 0xac, 0x65, 0xe7, 0xd0, 0x95, 0x08, 0x88,
2365 0x6e, 0x21, 0x59, 0xbd, 0x8b, 0x90, 0x35, 0x2f, 0x5f, 0xea, 0xd3,
2366 0xe3, 0xdc, 0x5e, 0x22, 0xeb, 0x35, 0x0a, 0xcc, 0x7b, 0x98,
2367 },
2368 32, "Sectigo 'Dodo' CT log" },
2369 { (const uint8_t[]){
2370 0xe7, 0x12, 0xf2, 0xb0, 0x37, 0x7e, 0x1a, 0x62, 0xfb, 0x8e, 0xc9,
2371 0x0c, 0x61, 0x84, 0xf1, 0xea, 0x7b, 0x37, 0xcb, 0x56, 0x1d, 0x11,
2372 0x26, 0x5b, 0xf3, 0xe0, 0xf3, 0x4b, 0xf2, 0x41, 0x54, 0x6e,
2373 },
2374 32, "Let's Encrypt 'Oak2020' log" },
2375 { (const uint8_t[]){
2376 0x94, 0x20, 0xbc, 0x1e, 0x8e, 0xd5, 0x8d, 0x6c, 0x88, 0x73, 0x1f,
2377 0x82, 0x8b, 0x22, 0x2c, 0x0d, 0xd1, 0xda, 0x4d, 0x5e, 0x6c, 0x4f,
2378 0x94, 0x3d, 0x61, 0xdb, 0x4e, 0x2f, 0x58, 0x4d, 0xa2, 0xc2,
2379 },
2380 32, "Let's Encrypt 'Oak2021' log" },
2381 { (const uint8_t[]){
2382 0xdf, 0xa5, 0x5e, 0xab, 0x68, 0x82, 0x4f, 0x1f, 0x6c, 0xad, 0xee,
2383 0xb8, 0x5f, 0x4e, 0x3e, 0x5a, 0xea, 0xcd, 0xa2, 0x12, 0xa4, 0x6a,
2384 0x5e, 0x8e, 0x3b, 0x12, 0xc0, 0x20, 0x44, 0x5c, 0x2a, 0x73,
2385 },
2386 32, "Let's Encrypt 'Oak2022' log" },
2387 { (const uint8_t[]){
2388 0xb7, 0x3e, 0xfb, 0x24, 0xdf, 0x9c, 0x4d, 0xba, 0x75, 0xf2, 0x39,
2389 0xc5, 0xba, 0x58, 0xf4, 0x6c, 0x5d, 0xfc, 0x42, 0xcf, 0x7a, 0x9f,
2390 0x35, 0xc4, 0x9e, 0x1d, 0x09, 0x81, 0x25, 0xed, 0xb4, 0x99,
2391 },
2392 32, "Let's Encrypt 'Oak2023' log" },
2393 { (const uint8_t[]){
2394 0x3b, 0x53, 0x77, 0x75, 0x3e, 0x2d, 0xb9, 0x80, 0x4e, 0x8b, 0x30,
2395 0x5b, 0x06, 0xfe, 0x40, 0x3b, 0x67, 0xd8, 0x4f, 0xc3, 0xf4, 0xc7,
2396 0xbd, 0x00, 0x0d, 0x2d, 0x72, 0x6f, 0xe1, 0xfa, 0xd4, 0x17,
2397 },
2398 32, "Let's Encrypt 'Oak2024H1' log" },
2399 { (const uint8_t[]){
2400 0x3f, 0x17, 0x4b, 0x4f, 0xd7, 0x22, 0x47, 0x58, 0x94, 0x1d, 0x65,
2401 0x1c, 0x84, 0xbe, 0x0d, 0x12, 0xed, 0x90, 0x37, 0x7f, 0x1f, 0x85,
2402 0x6a, 0xeb, 0xc1, 0xbf, 0x28, 0x85, 0xec, 0xf8, 0x64, 0x6e,
2403 },
2404 32, "Let's Encrypt 'Oak2024H2' log" },
2405 { (const uint8_t[]){
2406 0xa2, 0xe3, 0x0a, 0xe4, 0x45, 0xef, 0xbd, 0xad, 0x9b, 0x7e, 0x38,
2407 0xed, 0x47, 0x67, 0x77, 0x53, 0xd7, 0x82, 0x5b, 0x84, 0x94, 0xd7,
2408 0x2b, 0x5e, 0x1b, 0x2c, 0xc4, 0xb9, 0x50, 0xa4, 0x47, 0xe7,
2409 },
2410 32, "Let's Encrypt 'Oak2025h1'" },
2411 { (const uint8_t[]){
2412 0x0d, 0xe1, 0xf2, 0x30, 0x2b, 0xd3, 0x0d, 0xc1, 0x40, 0x62, 0x12,
2413 0x09, 0xea, 0x55, 0x2e, 0xfc, 0x47, 0x74, 0x7c, 0xb1, 0xd7, 0xe9,
2414 0x30, 0xef, 0x0e, 0x42, 0x1e, 0xb4, 0x7e, 0x4e, 0xaa, 0x34,
2415 },
2416 32, "Let's Encrypt 'Oak2025h2'" },
2417 { (const uint8_t[]){
2418 0x19, 0x86, 0xd4, 0xc7, 0x28, 0xaa, 0x6f, 0xfe, 0xba, 0x03, 0x6f,
2419 0x78, 0x2a, 0x4d, 0x01, 0x91, 0xaa, 0xce, 0x2d, 0x72, 0x31, 0x0f,
2420 0xae, 0xce, 0x5d, 0x70, 0x41, 0x2d, 0x25, 0x4c, 0xc7, 0xd4,
2421 },
2422 32, "Let's Encrypt 'Oak2026h1'" },
2423 { (const uint8_t[]){
2424 0xac, 0xab, 0x30, 0x70, 0x6c, 0xeb, 0xec, 0x84, 0x31, 0xf4, 0x13,
2425 0xd2, 0xf4, 0x91, 0x5f, 0x11, 0x1e, 0x42, 0x24, 0x43, 0xb1, 0xf2,
2426 0xa6, 0x8c, 0x4f, 0x3c, 0x2b, 0x3b, 0xa7, 0x1e, 0x02, 0xc3,
2427 },
2428 32, "Let's Encrypt 'Oak2026h2'" },
2429 { (const uint8_t[]){
2430 0x65, 0x9b, 0x33, 0x50, 0xf4, 0x3b, 0x12, 0xcc, 0x5e, 0xa5, 0xab,
2431 0x4e, 0xc7, 0x65, 0xd3, 0xfd, 0xe6, 0xc8, 0x82, 0x43, 0x77, 0x77,
2432 0x78, 0xe7, 0x20, 0x03, 0xf9, 0xeb, 0x2b, 0x8c, 0x31, 0x29,
2433 },
2434 32, "Let's Encrypt 'Oak2019' log" },
2435 { (const uint8_t[]){
2436 0x84, 0x9f, 0x5f, 0x7f, 0x58, 0xd2, 0xbf, 0x7b, 0x54, 0xec, 0xbd,
2437 0x74, 0x61, 0x1c, 0xea, 0x45, 0xc4, 0x9c, 0x98, 0xf1, 0xd6, 0x48,
2438 0x1b, 0xc6, 0xf6, 0x9e, 0x8c, 0x17, 0x4f, 0x24, 0xf3, 0xcf,
2439 },
2440 32, "Let's Encrypt 'Testflume2019' log" },
2441 { (const uint8_t[]){
2442 0x23, 0x2d, 0x41, 0xa4, 0xcd, 0xac, 0x87, 0xce, 0xd9, 0xf9, 0x43,
2443 0xf4, 0x68, 0xc2, 0x82, 0x09, 0x5a, 0xe0, 0x9d, 0x30, 0xd6, 0x2e,
2444 0x2f, 0xa6, 0x5d, 0xdc, 0x3b, 0x91, 0x9c, 0x2e, 0x46, 0x8f,
2445 },
2446 32, "Let's Encrypt 'Sapling 2022h2' log" },
2447 { (const uint8_t[]){
2448 0xc1, 0x83, 0x24, 0x0b, 0xf1, 0xa4, 0x50, 0xc7, 0x6f, 0xbb, 0x00,
2449 0x72, 0x69, 0xdc, 0xac, 0x3b, 0xe2, 0x2a, 0x48, 0x05, 0xd4, 0xdb,
2450 0xe0, 0x49, 0x66, 0xc3, 0xc8, 0xab, 0xc4, 0x47, 0xb0, 0x0c,
2451 },
2452 32, "Let's Encrypt 'Sapling 2023h1' log" },
2453 { (const uint8_t[]){
2454 0xc6, 0x3f, 0x22, 0x18, 0xc3, 0x7d, 0x56, 0xa6, 0xaa, 0x06, 0xb5,
2455 0x96, 0xda, 0x8e, 0x53, 0xd4, 0xd7, 0x15, 0x6d, 0x1e, 0x9b, 0xac,
2456 0x8e, 0x44, 0xd2, 0x20, 0x2d, 0xe6, 0x4d, 0x69, 0xd9, 0xdc,
2457 },
2458 32, "Let's Encrypt 'Testflume2020' log" },
2459 { (const uint8_t[]){
2460 0x03, 0xed, 0xf1, 0xda, 0x97, 0x76, 0xb6, 0xf3, 0x8c, 0x34, 0x1e,
2461 0x39, 0xed, 0x9d, 0x70, 0x7a, 0x75, 0x70, 0x36, 0x9c, 0xf9, 0x84,
2462 0x4f, 0x32, 0x7f, 0xe9, 0xe1, 0x41, 0x38, 0x36, 0x1b, 0x60,
2463 },
2464 32, "Let's Encrypt 'Testflume2021' log" },
2465 { (const uint8_t[]){
2466 0x23, 0x27, 0xef, 0xda, 0x35, 0x25, 0x10, 0xdb, 0xc0, 0x19, 0xef,
2467 0x49, 0x1a, 0xe3, 0xff, 0x1c, 0xc5, 0xa4, 0x79, 0xbc, 0xe3, 0x78,
2468 0x78, 0x36, 0x0e, 0xe3, 0x18, 0xcf, 0xfb, 0x64, 0xf8, 0xc8,
2469 },
2470 32, "Let's Encrypt 'Testflume2022' log" },
2471 { (const uint8_t[]){
2472 0x55, 0x34, 0xb7, 0xab, 0x5a, 0x6a, 0xc3, 0xa7, 0xcb, 0xeb, 0xa6,
2473 0x54, 0x87, 0xb2, 0xa2, 0xd7, 0x1b, 0x48, 0xf6, 0x50, 0xfa, 0x17,
2474 0xc5, 0x19, 0x7c, 0x97, 0xa0, 0xcb, 0x20, 0x76, 0xf3, 0xc6,
2475 },
2476 32, "Let's Encrypt 'Testflume2023' log" },
2477 { (const uint8_t[]){
2478 0x29, 0x6a, 0xfa, 0x2d, 0x56, 0x8b, 0xca, 0x0d, 0x2e, 0xa8, 0x44,
2479 0x95, 0x6a, 0xe9, 0x72, 0x1f, 0xc3, 0x5f, 0xa3, 0x55, 0xec, 0xda,
2480 0x99, 0x69, 0x3a, 0xaf, 0xd4, 0x58, 0xa7, 0x1a, 0xef, 0xdd,
2481 },
2482 32, "Let's Encrypt 'Clicky' log" },
2483 { (const uint8_t[]){
2484 0xa5, 0x95, 0x94, 0x3b, 0x53, 0x70, 0xbe, 0xe9, 0x06, 0xe0, 0x05,
2485 0x0d, 0x1f, 0xb5, 0xbb, 0xc6, 0xa4, 0x0e, 0x65, 0xf2, 0x65, 0xae,
2486 0x85, 0x2c, 0x76, 0x36, 0x3f, 0xad, 0xb2, 0x33, 0x36, 0xed,
2487 },
2488 32, "Trust Asia Log2020" },
2489 { (const uint8_t[]){
2490 0xa8, 0xdc, 0x52, 0xf6, 0x3d, 0x6b, 0x24, 0x25, 0xe5, 0x31, 0xe3,
2491 0x7c, 0xf4, 0xe4, 0x4a, 0x71, 0x4f, 0x14, 0x2a, 0x20, 0x80, 0x3b,
2492 0x0d, 0x04, 0xd2, 0xe2, 0xee, 0x06, 0x64, 0x79, 0x4a, 0x23,
2493 },
2494 32, "Trust Asia CT2021" },
2495 { (const uint8_t[]){
2496 0x67, 0x8d, 0xb6, 0x5b, 0x3e, 0x74, 0x43, 0xb6, 0xf3, 0xa3, 0x70,
2497 0xd5, 0xe1, 0x3a, 0xb1, 0xb4, 0x3b, 0xe0, 0xa0, 0xd3, 0x51, 0xf7,
2498 0xca, 0x74, 0x22, 0x50, 0xc7, 0xc6, 0xfa, 0x51, 0xa8, 0x8a,
2499 },
2500 32, "Trust Asia Log2021" },
2501 { (const uint8_t[]){
2502 0xc3, 0x65, 0xf9, 0xb3, 0x65, 0x4f, 0x32, 0x83, 0xc7, 0x9d, 0xa9,
2503 0x8e, 0x93, 0xd7, 0x41, 0x8f, 0x5b, 0xab, 0x7b, 0xe3, 0x25, 0x2c,
2504 0x98, 0xe1, 0xd2, 0xf0, 0x4b, 0xb9, 0xeb, 0x42, 0x7d, 0x23,
2505 },
2506 32, "Trust Asia Log2022" },
2507 { (const uint8_t[]){
2508 0xe8, 0x7e, 0xa7, 0x66, 0x0b, 0xc2, 0x6c, 0xf6, 0x00, 0x2e, 0xf5,
2509 0x72, 0x5d, 0x3f, 0xe0, 0xe3, 0x31, 0xb9, 0x39, 0x3b, 0xb9, 0x2f,
2510 0xbf, 0x58, 0xeb, 0x3b, 0x90, 0x49, 0xda, 0xf5, 0x43, 0x5a,
2511 },
2512 32, "Trust Asia Log2023" },
2513 { (const uint8_t[]){
2514 0x30, 0x6d, 0x29, 0x57, 0x6a, 0xd2, 0x1a, 0x9d, 0x4a, 0xe1, 0x2a,
2515 0xca, 0xd8, 0xaa, 0x8a, 0x78, 0x3a, 0xa6, 0x5a, 0x32, 0x11, 0x60,
2516 0xac, 0xff, 0x5b, 0x0e, 0xee, 0x4c, 0xa3, 0x20, 0x1d, 0x05,
2517 },
2518 32, "Trust Asia Log2024" },
2519 { (const uint8_t[]){
2520 0x87, 0x4f, 0xb5, 0x0d, 0xc0, 0x29, 0xd9, 0x93, 0x1d, 0xe5, 0x73,
2521 0xe9, 0xf2, 0x89, 0x9e, 0x8e, 0x45, 0x33, 0xb3, 0x92, 0xd3, 0x8b,
2522 0x0a, 0x46, 0x25, 0x74, 0xbf, 0x0f, 0xee, 0xb2, 0xfc, 0x1e,
2523 },
2524 32, "Trust Asia Log2024-2" },
2525 { (const uint8_t[]){
2526 0x28, 0xe2, 0x81, 0x38, 0xfd, 0x83, 0x21, 0x45, 0xe9, 0xa9, 0xd6,
2527 0xaa, 0x75, 0x37, 0x6d, 0x83, 0x77, 0xa8, 0x85, 0x12, 0xb3, 0xc0,
2528 0x7f, 0x72, 0x41, 0x48, 0x21, 0xdc, 0xbd, 0xe9, 0x8c, 0x66,
2529 },
2530 32, "TrustAsia Log2025a" },
2531 { (const uint8_t[]){
2532 0x28, 0x2c, 0x8b, 0xdd, 0x81, 0x0f, 0xf9, 0x09, 0x12, 0x0a, 0xce,
2533 0x16, 0xd6, 0xe0, 0xec, 0x20, 0x1b, 0xea, 0x82, 0xa3, 0xa4, 0xaf,
2534 0x19, 0xd9, 0xef, 0xfb, 0x59, 0xe8, 0x3f, 0xdc, 0x42, 0x68,
2535 },
2536 32, "TrustAsia Log2025b" },
2537 { (const uint8_t[]){
2538 0x74, 0xdb, 0x9d, 0x58, 0xf7, 0xd4, 0x7e, 0x9d, 0xfd, 0x78, 0x7a,
2539 0x16, 0x2a, 0x99, 0x1c, 0x18, 0xcf, 0x69, 0x8d, 0xa7, 0xc7, 0x29,
2540 0x91, 0x8c, 0x9a, 0x18, 0xb0, 0x45, 0x0d, 0xba, 0x44, 0xbc,
2541 },
2542 32, "TrustAsia 'log2026a'" },
2543 { (const uint8_t[]){
2544 0x25, 0xb7, 0xef, 0xde, 0xa1, 0x13, 0x01, 0x93, 0xed, 0x93, 0x07,
2545 0x97, 0x70, 0xaa, 0x32, 0x2a, 0x26, 0x62, 0x0d, 0xe3, 0x5a, 0xc8,
2546 0xaa, 0x7c, 0x75, 0x19, 0x7d, 0xe0, 0xb1, 0xa9, 0xe0, 0x65,
2547 },
2548 32, "TrustAsia 'log2026b'" },
2549 { (const uint8_t[]){
2550 0xed, 0xda, 0xeb, 0x81, 0x5c, 0x63, 0x21, 0x34, 0x49, 0xb4, 0x7b,
2551 0xe5, 0x07, 0x79, 0x05, 0xab, 0xd0, 0xd9, 0x31, 0x47, 0xc2, 0x7a,
2552 0xc5, 0x14, 0x6b, 0x3b, 0xc5, 0x8e, 0x43, 0xe9, 0xb6, 0xc7,
2553 },
2554 32, "TrustAsia 'HETU2027'" },
2555 { (const uint8_t[]){
2556 0x45, 0x35, 0x94, 0x98, 0xd9, 0x3a, 0x89, 0xe0, 0x28, 0x03, 0x08,
2557 0xd3, 0x7d, 0x62, 0x6d, 0xc4, 0x23, 0x75, 0x47, 0x58, 0xdc, 0xe0,
2558 0x37, 0x00, 0x36, 0xfb, 0xab, 0x0e, 0xdf, 0x8a, 0x6b, 0xcf,
2559 },
2560 32, "Trust Asia Log1" },
2561 { (const uint8_t[]){
2562 0xc9, 0xcf, 0x89, 0x0a, 0x21, 0x10, 0x9c, 0x66, 0x6c, 0xc1, 0x7a,
2563 0x3e, 0xd0, 0x65, 0xc9, 0x30, 0xd0, 0xe0, 0x13, 0x5a, 0x9f, 0xeb,
2564 0xa8, 0x5a, 0xf1, 0x42, 0x10, 0xb8, 0x07, 0x24, 0x21, 0xaa,
2565 },
2566 32, "GDCA CT log #1" },
2567 { (const uint8_t[]){
2568 0x92, 0x4a, 0x30, 0xf9, 0x09, 0x33, 0x6f, 0xf4, 0x35, 0xd6, 0x99,
2569 0x3a, 0x10, 0xac, 0x75, 0xa2, 0xc6, 0x41, 0x72, 0x8e, 0x7f, 0xc2,
2570 0xd6, 0x59, 0xae, 0x61, 0x88, 0xff, 0xad, 0x40, 0xce, 0x01,
2571 },
2572 32, "GDCA CT log #2" },
2573 { (const uint8_t[]){
2574 0x71, 0x7e, 0xa7, 0x42, 0x09, 0x75, 0xbe, 0x84, 0xa2, 0x72, 0x35,
2575 0x53, 0xf1, 0x77, 0x7c, 0x26, 0xdd, 0x51, 0xaf, 0x4e, 0x10, 0x21,
2576 0x44, 0x09, 0x4d, 0x90, 0x19, 0xb4, 0x62, 0xfb, 0x66, 0x68,
2577 },
2578 32, "GDCA Log 1" },
2579 { (const uint8_t[]){
2580 0x14, 0x30, 0x8d, 0x90, 0xcc, 0xd0, 0x30, 0x13, 0x50, 0x05, 0xc0,
2581 0x1c, 0xa5, 0x26, 0xd8, 0x1e, 0x84, 0xe8, 0x76, 0x24, 0xe3, 0x9b,
2582 0x62, 0x48, 0xe0, 0x8f, 0x72, 0x4a, 0xea, 0x3b, 0xb4, 0x2a,
2583 },
2584 32, "GDCA Log 2" },
2585 { (const uint8_t[]){
2586 0xe0, 0x12, 0x76, 0x29, 0xe9, 0x04, 0x96, 0x56, 0x4e, 0x3d, 0x01,
2587 0x47, 0x98, 0x44, 0x98, 0xaa, 0x48, 0xf8, 0xad, 0xb1, 0x66, 0x00,
2588 0xeb, 0x79, 0x02, 0xa1, 0xef, 0x99, 0x09, 0x90, 0x62, 0x73,
2589 },
2590 32, "PuChuangSiDa CT log" },
2591 { (const uint8_t[]){
2592 0x53, 0x7b, 0x69, 0xa3, 0x56, 0x43, 0x35, 0xa9, 0xc0, 0x49, 0x04,
2593 0xe3, 0x95, 0x93, 0xb2, 0xc2, 0x98, 0xeb, 0x8d, 0x7a, 0x6e, 0x83,
2594 0x02, 0x36, 0x35, 0xc6, 0x27, 0x24, 0x8c, 0xd6, 0xb4, 0x40,
2595 },
2596 32, "Nordu 'flimsy' log" },
2597 { (const uint8_t[]){
2598 0xaa, 0xe7, 0x0b, 0x7f, 0x3c, 0xb8, 0xd5, 0x66, 0xc8, 0x6c, 0x2f,
2599 0x16, 0x97, 0x9c, 0x9f, 0x44, 0x5f, 0x69, 0xab, 0x0e, 0xb4, 0x53,
2600 0x55, 0x89, 0xb2, 0xf7, 0x7a, 0x03, 0x01, 0x04, 0xf3, 0xcd,
2601 },
2602 32, "Nordu 'plausible' log" },
2603 { (const uint8_t[]){
2604 0xcf, 0x55, 0xe2, 0x89, 0x23, 0x49, 0x7c, 0x34, 0x0d, 0x52, 0x06,
2605 0xd0, 0x53, 0x53, 0xae, 0xb2, 0x58, 0x34, 0xb5, 0x2f, 0x1f, 0x8d,
2606 0xc9, 0x52, 0x68, 0x09, 0xf2, 0x12, 0xef, 0xdd, 0x7c, 0xa6,
2607 },
2608 32, "SHECA CT log 1" },
2609 { (const uint8_t[]){
2610 0x32, 0xdc, 0x59, 0xc2, 0xd4, 0xc4, 0x19, 0x68, 0xd5, 0x6e, 0x14,
2611 0xbc, 0x61, 0xac, 0x8f, 0x0e, 0x45, 0xdb, 0x39, 0xfa, 0xf3, 0xc1,
2612 0x55, 0xaa, 0x42, 0x52, 0xf5, 0x00, 0x1f, 0xa0, 0xc6, 0x23,
2613 },
2614 32, "SHECA CT log 2" },
2615 { (const uint8_t[]){
2616 0x96, 0x06, 0xc0, 0x2c, 0x69, 0x00, 0x33, 0xaa, 0x1d, 0x14, 0x5f,
2617 0x59, 0xc6, 0xe2, 0x64, 0x8d, 0x05, 0x49, 0xf0, 0xdf, 0x96, 0xaa,
2618 0xb8, 0xdb, 0x91, 0x5a, 0x70, 0xd8, 0xec, 0xf3, 0x90, 0xa5,
2619 },
2620 32, "Akamai CT Log" },
2621 { (const uint8_t[]){
2622 0x39, 0x37, 0x6f, 0x54, 0x5f, 0x7b, 0x46, 0x07, 0xf5, 0x97, 0x42,
2623 0xd7, 0x68, 0xcd, 0x5d, 0x24, 0x37, 0xbf, 0x34, 0x73, 0xb6, 0x53,
2624 0x4a, 0x48, 0x34, 0xbc, 0xf7, 0x2e, 0x68, 0x1c, 0x83, 0xc9,
2625 },
2626 32, "Alpha CT Log" },
2627 { (const uint8_t[]){
2628 0xb0, 0xb7, 0x84, 0xbc, 0x81, 0xc0, 0xdd, 0xc4, 0x75, 0x44, 0xe8,
2629 0x83, 0xf0, 0x59, 0x85, 0xbb, 0x90, 0x77, 0xd1, 0x34, 0xd8, 0xab,
2630 0x88, 0xb2, 0xb2, 0xe5, 0x33, 0x98, 0x0b, 0x8e, 0x50, 0x8b,
2631 },
2632 32, "Up In The Air 'Behind the Sofa' log" },
2633 { (const uint8_t[]){
2634 0x47, 0x44, 0x47, 0x7c, 0x75, 0xde, 0x42, 0x6d, 0x5c, 0x44, 0xef,
2635 0xd4, 0xa9, 0x2c, 0x96, 0x77, 0x59, 0x7f, 0x65, 0x7a, 0x8f, 0xe0,
2636 0xca, 0xdb, 0xc6, 0xd6, 0x16, 0xed, 0xa4, 0x97, 0xc4, 0x25,
2637 },
2638 32, "Qihoo 360 2020" },
2639 { (const uint8_t[]){
2640 0xc6, 0xd7, 0xed, 0x9e, 0xdb, 0x8e, 0x74, 0xf0, 0xa7, 0x1b, 0x4d,
2641 0x4a, 0x98, 0x4b, 0xcb, 0xeb, 0xab, 0xbd, 0x28, 0xcc, 0x1f, 0xd7,
2642 0x63, 0x29, 0xe8, 0x87, 0x26, 0xcd, 0x4c, 0x25, 0x46, 0x63,
2643 },
2644 32, "Qihoo 360 2021" },
2645 { (const uint8_t[]){
2646 0x66, 0x3c, 0xb0, 0x9c, 0x1f, 0xcd, 0x9b, 0xaa, 0x62, 0x76, 0x3c,
2647 0xcb, 0x53, 0x4e, 0xec, 0x80, 0x58, 0x12, 0x28, 0x05, 0x07, 0xac,
2648 0x69, 0xa4, 0x5f, 0xcd, 0x38, 0xcf, 0x4c, 0xc7, 0x4c, 0xf1,
2649 },
2650 32, "Qihoo 360 2022" },
2651 { (const uint8_t[]){
2652 0xe2, 0x64, 0x7f, 0x6e, 0xda, 0x34, 0x05, 0x03, 0xc6, 0x4d, 0x4e,
2653 0x10, 0xa8, 0x69, 0x68, 0x1f, 0xde, 0x9c, 0x5a, 0x2c, 0xf3, 0xb3,
2654 0x2d, 0x5f, 0x20, 0x0b, 0x96, 0x36, 0x05, 0x90, 0x88, 0x23,
2655 },
2656 32, "Qihoo 360 2023" },
2657 { (const uint8_t[]){
2658 0xc5, 0xcf, 0xe5, 0x4b, 0x61, 0x51, 0xb4, 0x9b, 0x14, 0x2e, 0xd2,
2659 0x63, 0xbd, 0xe7, 0x32, 0x93, 0x36, 0x37, 0x99, 0x79, 0x95, 0x50,
2660 0xae, 0x44, 0x35, 0xcd, 0x1a, 0x69, 0x97, 0xc9, 0xc3, 0xc3,
2661 },
2662 32, "Qihoo 360 v1 2020" },
2663 { (const uint8_t[]){
2664 0x48, 0x14, 0x58, 0x7c, 0xf2, 0x8b, 0x08, 0xfe, 0x68, 0x3f, 0xd2,
2665 0xbc, 0xd9, 0x45, 0x99, 0x4c, 0x2e, 0xb7, 0x4c, 0x8a, 0xe8, 0xc8,
2666 0x7f, 0xce, 0x42, 0x9b, 0x7c, 0xd3, 0x1d, 0x51, 0xbd, 0xc4,
2667 },
2668 32, "Qihoo 360 v1 2021" },
2669 { (const uint8_t[]){
2670 0x49, 0x11, 0xb8, 0xd6, 0x14, 0xcf, 0xd3, 0xd9, 0x9f, 0x16, 0xd3,
2671 0x76, 0x54, 0x5e, 0xe1, 0xb8, 0xcc, 0xfc, 0x51, 0x1f, 0x50, 0x9f,
2672 0x08, 0x0b, 0xa0, 0xa0, 0x87, 0xd9, 0x1d, 0xfa, 0xee, 0xa9,
2673 },
2674 32, "Qihoo 360 v1 2022" },
2675 { (const uint8_t[]){
2676 0xb6, 0x74, 0x0b, 0x12, 0x00, 0x2e, 0x03, 0x3f, 0xd0, 0xe7, 0xe9,
2677 0x41, 0xf4, 0xba, 0x3e, 0xe1, 0xbf, 0xc1, 0x49, 0xb5, 0x24, 0xb4,
2678 0xcf, 0x62, 0x8d, 0x53, 0xef, 0xea, 0x1f, 0x40, 0x3a, 0x8d,
2679 },
2680 32, "Qihoo 360 v1 2023" },
2681 { (const uint8_t[]){
2682 0x2e, 0xd6, 0xa4, 0x4d, 0xeb, 0x8f, 0x0c, 0x86, 0x46, 0x67, 0x76,
2683 0x9c, 0x4e, 0xdd, 0x04, 0x1f, 0x84, 0x23, 0x67, 0x55, 0xfa, 0x3a,
2684 0xac, 0xa6, 0x34, 0xd0, 0x93, 0x5d, 0xfc, 0xd5, 0x9a, 0x70,
2685 },
2686 32, "Bogus placeholder log to unbreak misbehaving CT libraries" },
2687 { (const uint8_t[]){
2688 0x39, 0xb9, 0x87, 0x88, 0x28, 0x19, 0x5f, 0x3b, 0x2d, 0x0d, 0x1b,
2689 0x48, 0x14, 0xa3, 0xae, 0x8c, 0x0d, 0x01, 0xfe, 0x48, 0x62, 0x21,
2690 0xdd, 0x69, 0x39, 0x7d, 0x76, 0xf7, 0x85, 0x74, 0x11, 0xc3,
2691 },
2692 32, "Merklemap 'CompactLog' log" },
2693 { (const uint8_t[]){
2694 0xd2, 0xfc, 0x65, 0x2f, 0xa5, 0xf9, 0xb7, 0x38, 0xb8, 0x37, 0x55,
2695 0xfa, 0x5e, 0xb1, 0x5f, 0x0b, 0x45, 0x25, 0x3f, 0x4e, 0x8f, 0xa3,
2696 0xb9, 0xb6, 0x4f, 0xd4, 0xde, 0x56, 0x62, 0xd1, 0x87, 0x08,
2697 },
2698 32, "Bogus RFC6962 log to avoid breaking misbehaving CT libraries" },
2699 { NULL((void*)0), 0, NULL((void*)0) }
2700};
2701
2702/*
2703 * Application-Layer Protocol Negotiation (ALPN) dissector tables.
2704 */
2705static dissector_table_t ssl_alpn_dissector_table;
2706static dissector_table_t dtls_alpn_dissector_table;
2707
2708/*
2709 * Special cases for prefix matching of the ALPN, if the ALPN includes
2710 * a version number for a draft or protocol revision.
2711 */
2712typedef struct ssl_alpn_prefix_match_protocol {
2713 const char *proto_prefix;
2714 const char *dissector_name;
2715} ssl_alpn_prefix_match_protocol_t;
2716
2717static const ssl_alpn_prefix_match_protocol_t ssl_alpn_prefix_match_protocols[] = {
2718 /* SPDY moves so fast, just 1, 2 and 3 are registered with IANA but there
2719 * already exists 3.1 as of this writing... match the prefix. */
2720 { "spdy/", "spdy" },
2721 /* draft-ietf-httpbis-http2-16 */
2722 { "h2-", "http2" }, /* draft versions */
2723};
2724
2725const value_string compress_certificate_algorithm_vals[] = {
2726 { 1, "zlib" },
2727 { 2, "brotli" },
2728 { 3, "zstd" },
2729 { 0, NULL((void*)0) }
2730};
2731
2732
2733const val64_string quic_transport_parameter_id[] = {
2734 { SSL_HND_QUIC_TP_ORIGINAL_DESTINATION_CONNECTION_ID0x00, "original_destination_connection_id" },
2735 { SSL_HND_QUIC_TP_MAX_IDLE_TIMEOUT0x01, "max_idle_timeout" },
2736 { SSL_HND_QUIC_TP_STATELESS_RESET_TOKEN0x02, "stateless_reset_token" },
2737 { SSL_HND_QUIC_TP_MAX_UDP_PAYLOAD_SIZE0x03, "max_udp_payload_size" },
2738 { SSL_HND_QUIC_TP_INITIAL_MAX_DATA0x04, "initial_max_data" },
2739 { SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_BIDI_LOCAL0x05, "initial_max_stream_data_bidi_local" },
2740 { SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_BIDI_REMOTE0x06, "initial_max_stream_data_bidi_remote" },
2741 { SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_UNI0x07, "initial_max_stream_data_uni" },
2742 { SSL_HND_QUIC_TP_INITIAL_MAX_STREAMS_UNI0x09, "initial_max_streams_uni" },
2743 { SSL_HND_QUIC_TP_INITIAL_MAX_STREAMS_BIDI0x08, "initial_max_streams_bidi" },
2744 { SSL_HND_QUIC_TP_ACK_DELAY_EXPONENT0x0a, "ack_delay_exponent" },
2745 { SSL_HND_QUIC_TP_MAX_ACK_DELAY0x0b, "max_ack_delay" },
2746 { SSL_HND_QUIC_TP_DISABLE_ACTIVE_MIGRATION0x0c, "disable_active_migration" },
2747 { SSL_HND_QUIC_TP_PREFERRED_ADDRESS0x0d, "preferred_address" },
2748 { SSL_HND_QUIC_TP_ACTIVE_CONNECTION_ID_LIMIT0x0e, "active_connection_id_limit" },
2749 { SSL_HND_QUIC_TP_INITIAL_SOURCE_CONNECTION_ID0x0f, "initial_source_connection_id" },
2750 { SSL_HND_QUIC_TP_RETRY_SOURCE_CONNECTION_ID0x10, "retry_source_connection_id" },
2751 { SSL_HND_QUIC_TP_MAX_DATAGRAM_FRAME_SIZE0x20, "max_datagram_frame_size" },
2752 { SSL_HND_QUIC_TP_CIBIR_ENCODING0x1000, "cibir_encoding" },
2753 { SSL_HND_QUIC_TP_LOSS_BITS0x1057, "loss_bits" },
2754 { SSL_HND_QUIC_TP_GREASE_QUIC_BIT0x2ab2, "grease_quic_bit" },
2755 { SSL_HND_QUIC_TP_ENABLE_TIME_STAMP0x7157, "enable_time_stamp" },
2756 { SSL_HND_QUIC_TP_ENABLE_TIME_STAMP_V20x7158, "enable_time_stamp_v2" },
2757 { SSL_HND_QUIC_TP_VERSION_INFORMATION0x11, "version_information" },
2758 { SSL_HND_QUIC_TP_VERSION_INFORMATION_DRAFT0xff73db, "version_information_draft" },
2759 { SSL_HND_QUIC_TP_MIN_ACK_DELAY_OLD0xde1a, "min_ack_delay" },
2760 { SSL_HND_QUIC_TP_GOOGLE_USER_AGENT0x3129, "google_user_agent" },
2761 { SSL_HND_QUIC_TP_GOOGLE_KEY_UPDATE_NOT_YET_SUPPORTED0x312B, "google_key_update_not_yet_supported" },
2762 { SSL_HND_QUIC_TP_GOOGLE_QUIC_VERSION0x4752, "google_quic_version" },
2763 { SSL_HND_QUIC_TP_GOOGLE_INITIAL_RTT0x3127, "google_initial_rtt" },
2764 { SSL_HND_QUIC_TP_GOOGLE_SUPPORT_HANDSHAKE_DONE0x312A, "google_support_handshake_done" },
2765 { SSL_HND_QUIC_TP_GOOGLE_QUIC_PARAMS0x4751, "google_quic_params" },
2766 { SSL_HND_QUIC_TP_GOOGLE_CONNECTION_OPTIONS0x3128, "google_connection_options" },
2767 { SSL_HND_QUIC_TP_FACEBOOK_PARTIAL_RELIABILITY0xFF00, "facebook_partial_reliability" },
2768 { SSL_HND_QUIC_TP_ADDRESS_DISCOVERY0x9f81a176, "address_discovery" },
2769 { SSL_HND_QUIC_TP_MIN_ACK_DELAY_DRAFT_V10xFF03DE1A, "min_ack_delay (draft-01)" },
2770 { SSL_HND_QUIC_TP_MIN_ACK_DELAY_DRAFT050xff04de1a, "min_ack_delay (draft-05)" },
2771 { SSL_HND_QUIC_TP_MIN_ACK_DELAY0xff04de1b, "min_ack_delay" },
2772 { SSL_HND_QUIC_TP_ENABLE_MULTIPATH_DRAFT040x0f739bbc1b666d04, "enable_multipath (draft-04)" },
2773 { SSL_HND_QUIC_TP_ENABLE_MULTIPATH_DRAFT050x0f739bbc1b666d05, "enable_multipath (draft-05)" },
2774 { SSL_HND_QUIC_TP_ENABLE_MULTIPATH0x0f739bbc1b666d06, "enable_multipath (draft-06)" },
2775 { SSL_HND_QUIC_TP_INITIAL_MAX_PATHS0x0f739bbc1b666d07, "initial_max_paths (draft-07/08)" },
2776 { SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT090x0f739bbc1b666d09, "initial_max_path_id (draft-09/10)" },
2777 { SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT110x0f739bbc1b666d11, "initial_max_path_id (draft-11)" },
2778 { SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT120x0f739bbc1b666d0c, "initial_max_path_id (draft-12)" },
2779 { SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID0x0f739bbc1b666d0d, "initial_max_path_id" },
2780 { 0, NULL((void*)0) }
2781};
2782
2783/* https://tools.ietf.org/html/draft-ietf-quic-address-discovery-00 */
2784const val64_string quic_address_discovery_vals[] = {
2785 { 0, "The node is willing to provide address observations to its peer, but is not interested in receiving address observations itself" },
2786 { 1, "The node is interested in receiving address observations, but it is not willing to provide address observations" },
2787 { 2, "The node is interested in receiving address observations, and it is willing to provide address observations" },
2788 { 0, NULL((void*)0) }
2789};
2790
2791/* https://tools.ietf.org/html/draft-huitema-quic-ts-03 */
2792const val64_string quic_enable_time_stamp_v2_vals[] = {
2793 { 1, "I would like to receive TIME_STAMP frames" },
2794 { 2, "I am able to generate TIME_STAMP frames" },
2795 { 3, "I am able to generate TIME_STAMP frames and I would like to receive them" },
2796 { 0, NULL((void*)0) }
2797};
2798
2799/* https://datatracker.ietf.org/doc/draft-ietf-quic-multipath/04/ */
2800const val64_string quic_enable_multipath_vals[] = {
2801 { 0, "don't support multipath" },
2802 { 1, "support multipath as defined in this document" },
2803 { 0, NULL((void*)0) }
2804};
2805
2806/* https://www.ietf.org/archive/id/draft-ietf-tls-esni-16.txt */
2807const value_string tls_hello_ext_ech_clienthello_types[] = {
2808 { 0, "Outer Client Hello" },
2809 { 1, "Inner Client Hello" },
2810 { 0, NULL((void*)0) }
2811};
2812
2813/* RFC 9180 */
2814const value_string kem_id_type_vals[] = {
2815 { 0x0000, "Reserved" },
2816 { 0x0010, "DHKEM(P-256, HKDF-SHA256)" },
2817 { 0x0011, "DHKEM(P-384, HKDF-SHA384)" },
2818 { 0x0012, "DHKEM(P-521, HKDF-SHA512)" },
2819 { 0x0020, "DHKEM(X25519, HKDF-SHA256)" },
2820 { 0x0021, "DHKEM(X448, HKDF-SHA512)" },
2821 { 0, NULL((void*)0) }
2822};
2823const value_string kdf_id_type_vals[] = {
2824 { 0x0000, "Reserved" },
2825 { 0x0001, "HKDF-SHA256" },
2826 { 0x0002, "HKDF-SHA384" },
2827 { 0x0003, "HKDF-SHA512" },
2828 { 0, NULL((void*)0) }
2829};
2830const value_string aead_id_type_vals[] = {
2831 { 0x0000, "Reserved" },
2832 { 0x0001, "AES-128-GCM" },
2833 { 0x0002, "AES-256-GCM" },
2834 { 0x0003, "ChaCha20Poly1305" },
2835 { 0xFFFF, "Export-only" },
2836 { 0, NULL((void*)0) }
2837};
2838
2839const value_string token_binding_key_parameter_vals[] = {
2840 { 0, "rsa2048_pkcs1.5" },
2841 { 1, "rsa2048_pss" },
2842 { 2, "ecdsap256" },
2843 { 0, NULL((void*)0) }
2844};
2845
2846/* Lookup tables }}} */
2847
2848void
2849quic_transport_parameter_id_base_custom(char *result, uint64_t parameter_id)
2850{
2851 const char *label;
2852 if (IS_GREASE_QUIC(parameter_id)((parameter_id) > 27 ? ((((parameter_id) - 27) % 31) == 0)
: 0)) {
2853 label = "GREASE";
2854 } else {
2855 label = val64_to_str_const(parameter_id, quic_transport_parameter_id, "Unknown");
2856 }
2857 snprintf(result, ITEM_LABEL_LENGTH240, "%s (0x%02" PRIx64"l" "x" ")", label, parameter_id);
2858}
2859
2860/* we keep this internal to packet-tls-utils, as there should be
2861 no need to access it any other way.
2862
2863 This also allows us to hide the dependency on zlib.
2864*/
2865struct _SslDecompress {
2866 int compression;
2867#ifdef USE_ZLIB_OR_ZLIBNG
2868 zlib_stream istream;
2869#endif
2870};
2871
2872/* To assist in parsing client/server key exchange messages
2873 0 indicates unknown */
2874int ssl_get_keyex_alg(int cipher)
2875{
2876 /* Map Cipher suite number to Key Exchange algorithm {{{ */
2877 switch(cipher) {
2878 case 0x0017:
2879 case 0x0018:
2880 case 0x0019:
2881 case 0x001a:
2882 case 0x001b:
2883 case 0x0034:
2884 case 0x003a:
2885 case 0x0046:
2886 case 0x006c:
2887 case 0x006d:
2888 case 0x0089:
2889 case 0x009b:
2890 case 0x00a6:
2891 case 0x00a7:
2892 case 0x00bf:
2893 case 0x00c5:
2894 case 0xc084:
2895 case 0xc085:
2896 return KEX_DH_ANON0x13;
2897 case 0x000b:
2898 case 0x000c:
2899 case 0x000d:
2900 case 0x0030:
2901 case 0x0036:
2902 case 0x003e:
2903 case 0x0042:
2904 case 0x0068:
2905 case 0x0085:
2906 case 0x0097:
2907 case 0x00a4:
2908 case 0x00a5:
2909 case 0x00bb:
2910 case 0x00c1:
2911 case 0xc082:
2912 case 0xc083:
2913 return KEX_DH_DSS0x14;
2914 case 0x000e:
2915 case 0x000f:
2916 case 0x0010:
2917 case 0x0031:
2918 case 0x0037:
2919 case 0x003f:
2920 case 0x0043:
2921 case 0x0069:
2922 case 0x0086:
2923 case 0x0098:
2924 case 0x00a0:
2925 case 0x00a1:
2926 case 0x00bc:
2927 case 0x00c2:
2928 case 0xc07e:
2929 case 0xc07f:
2930 return KEX_DH_RSA0x15;
2931 case 0x0011:
2932 case 0x0012:
2933 case 0x0013:
2934 case 0x0032:
2935 case 0x0038:
2936 case 0x0040:
2937 case 0x0044:
2938 case 0x0063:
2939 case 0x0065:
2940 case 0x0066:
2941 case 0x006a:
2942 case 0x0087:
2943 case 0x0099:
2944 case 0x00a2:
2945 case 0x00a3:
2946 case 0x00bd:
2947 case 0x00c3:
2948 case 0xc080:
2949 case 0xc081:
2950 return KEX_DHE_DSS0x10;
2951 case 0x002d:
2952 case 0x008e:
2953 case 0x008f:
2954 case 0x0090:
2955 case 0x0091:
2956 case 0x00aa:
2957 case 0x00ab:
2958 case 0x00b2:
2959 case 0x00b3:
2960 case 0x00b4:
2961 case 0x00b5:
2962 case 0xc090:
2963 case 0xc091:
2964 case 0xc096:
2965 case 0xc097:
2966 case 0xc0a6:
2967 case 0xc0a7:
2968 case 0xc0aa:
2969 case 0xc0ab:
2970 case 0xccad:
2971 case 0xe41c:
2972 case 0xe41d:
2973 return KEX_DHE_PSK0x11;
2974 case 0x0014:
2975 case 0x0015:
2976 case 0x0016:
2977 case 0x0033:
2978 case 0x0039:
2979 case 0x0045:
2980 case 0x0067:
2981 case 0x006b:
2982 case 0x0088:
2983 case 0x009a:
2984 case 0x009e:
2985 case 0x009f:
2986 case 0x00be:
2987 case 0x00c4:
2988 case 0xc07c:
2989 case 0xc07d:
2990 case 0xc09e:
2991 case 0xc09f:
2992 case 0xc0a2:
2993 case 0xc0a3:
2994 case 0xccaa:
2995 case 0xe41e:
2996 case 0xe41f:
2997 return KEX_DHE_RSA0x12;
2998 case 0xc015:
2999 case 0xc016:
3000 case 0xc017:
3001 case 0xc018:
3002 case 0xc019:
3003 return KEX_ECDH_ANON0x19;
3004 case 0xc001:
3005 case 0xc002:
3006 case 0xc003:
3007 case 0xc004:
3008 case 0xc005:
3009 case 0xc025:
3010 case 0xc026:
3011 case 0xc02d:
3012 case 0xc02e:
3013 case 0xc074:
3014 case 0xc075:
3015 case 0xc088:
3016 case 0xc089:
3017 return KEX_ECDH_ECDSA0x1a;
3018 case 0xc00b:
3019 case 0xc00c:
3020 case 0xc00d:
3021 case 0xc00e:
3022 case 0xc00f:
3023 case 0xc029:
3024 case 0xc02a:
3025 case 0xc031:
3026 case 0xc032:
3027 case 0xc078:
3028 case 0xc079:
3029 case 0xc08c:
3030 case 0xc08d:
3031 return KEX_ECDH_RSA0x1b;
3032 case 0xc006:
3033 case 0xc007:
3034 case 0xc008:
3035 case 0xc009:
3036 case 0xc00a:
3037 case 0xc023:
3038 case 0xc024:
3039 case 0xc02b:
3040 case 0xc02c:
3041 case 0xc072:
3042 case 0xc073:
3043 case 0xc086:
3044 case 0xc087:
3045 case 0xc0ac:
3046 case 0xc0ad:
3047 case 0xc0ae:
3048 case 0xc0af:
3049 case 0xcca9:
3050 case 0xe414:
3051 case 0xe415:
3052 return KEX_ECDHE_ECDSA0x16;
3053 case 0xc033:
3054 case 0xc034:
3055 case 0xc035:
3056 case 0xc036:
3057 case 0xc037:
3058 case 0xc038:
3059 case 0xc039:
3060 case 0xc03a:
3061 case 0xc03b:
3062 case 0xc09a:
3063 case 0xc09b:
3064 case 0xccac:
3065 case 0xe418:
3066 case 0xe419:
3067 case 0xd001:
3068 case 0xd002:
3069 case 0xd003:
3070 case 0xd005:
3071 return KEX_ECDHE_PSK0x17;
3072 case 0xc010:
3073 case 0xc011:
3074 case 0xc012:
3075 case 0xc013:
3076 case 0xc014:
3077 case 0xc027:
3078 case 0xc028:
3079 case 0xc02f:
3080 case 0xc030:
3081 case 0xc076:
3082 case 0xc077:
3083 case 0xc08a:
3084 case 0xc08b:
3085 case 0xcca8:
3086 case 0xe412:
3087 case 0xe413:
3088 return KEX_ECDHE_RSA0x18;
3089 case 0x001e:
3090 case 0x001f:
3091 case 0x0020:
3092 case 0x0021:
3093 case 0x0022:
3094 case 0x0023:
3095 case 0x0024:
3096 case 0x0025:
3097 case 0x0026:
3098 case 0x0027:
3099 case 0x0028:
3100 case 0x0029:
3101 case 0x002a:
3102 case 0x002b:
3103 return KEX_KRB50x1c;
3104 case 0x002c:
3105 case 0x008a:
3106 case 0x008b:
3107 case 0x008c:
3108 case 0x008d:
3109 case 0x00a8:
3110 case 0x00a9:
3111 case 0x00ae:
3112 case 0x00af:
3113 case 0x00b0:
3114 case 0x00b1:
3115 case 0xc064:
3116 case 0xc065:
3117 case 0xc08e:
3118 case 0xc08f:
3119 case 0xc094:
3120 case 0xc095:
3121 case 0xc0a4:
3122 case 0xc0a5:
3123 case 0xc0a8:
3124 case 0xc0a9:
3125 case 0xccab:
3126 case 0xe416:
3127 case 0xe417:
3128 return KEX_PSK0x1d;
3129 case 0x0001:
3130 case 0x0002:
3131 case 0x0003:
3132 case 0x0004:
3133 case 0x0005:
3134 case 0x0006:
3135 case 0x0007:
3136 case 0x0008:
3137 case 0x0009:
3138 case 0x000a:
3139 case 0x002f:
3140 case 0x0035:
3141 case 0x003b:
3142 case 0x003c:
3143 case 0x003d:
3144 case 0x0041:
3145 case 0x0060:
3146 case 0x0061:
3147 case 0x0062:
3148 case 0x0064:
3149 case 0x0084:
3150 case 0x0096:
3151 case 0x009c:
3152 case 0x009d:
3153 case 0x00ba:
3154 case 0x00c0:
3155 case 0xc07a:
3156 case 0xc07b:
3157 case 0xc09c:
3158 case 0xc09d:
3159 case 0xc0a0:
3160 case 0xc0a1:
3161 case 0xe410:
3162 case 0xe411:
3163 case 0xfefe:
3164 case 0xfeff:
3165 case 0xffe0:
3166 case 0xffe1:
3167 return KEX_RSA0x1e;
3168 case 0x002e:
3169 case 0x0092:
3170 case 0x0093:
3171 case 0x0094:
3172 case 0x0095:
3173 case 0x00ac:
3174 case 0x00ad:
3175 case 0x00b6:
3176 case 0x00b7:
3177 case 0x00b8:
3178 case 0x00b9:
3179 case 0xc092:
3180 case 0xc093:
3181 case 0xc098:
3182 case 0xc099:
3183 case 0xccae:
3184 case 0xe41a:
3185 case 0xe41b:
3186 return KEX_RSA_PSK0x1f;
3187 case 0xc01a:
3188 case 0xc01d:
3189 case 0xc020:
3190 return KEX_SRP_SHA0x20;
3191 case 0xc01c:
3192 case 0xc01f:
3193 case 0xc022:
3194 return KEX_SRP_SHA_DSS0x21;
3195 case 0xc01b:
3196 case 0xc01e:
3197 case 0xc021:
3198 return KEX_SRP_SHA_RSA0x22;
3199 case 0xc0ff:
3200 return KEX_ECJPAKE0x24;
3201 case 0xe003:
3202 case 0xe013:
3203 case 0xe053:
3204 return KEX_ECC_SM20x26;
3205 default:
3206 break;
3207 }
3208
3209 return 0;
3210 /* }}} */
3211}
3212
3213static wmem_list_t *connection_id_session_list;
3214
3215void
3216ssl_init_cid_list(void) {
3217 connection_id_session_list = wmem_list_new(wmem_file_scope());
3218}
3219
3220void
3221ssl_cleanup_cid_list(void) {
3222 wmem_destroy_list(connection_id_session_list);
3223}
3224
3225void
3226ssl_add_session_by_cid(SslDecryptSession *session)
3227{
3228 wmem_list_append(connection_id_session_list, session);
3229}
3230
3231SslDecryptSession *
3232ssl_get_session_by_cid(tvbuff_t *tvb, uint32_t offset)
3233{
3234 SslDecryptSession * ssl_cid = NULL((void*)0);
3235 wmem_list_frame_t *it = wmem_list_head(connection_id_session_list);
3236
3237 while (it != NULL((void*)0) && ssl_cid == NULL((void*)0)) {
3238 SslDecryptSession * ssl = (SslDecryptSession *)wmem_list_frame_data(it);
3239 DISSECTOR_ASSERT(ssl != NULL)((void) ((ssl != ((void*)0)) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 3239, "ssl != ((void*)0)"))));
3240 SslSession *session = &ssl->session;
3241
3242 if (session->client_cid_len > 0 && tvb_bytes_exist(tvb, offset, session->client_cid_len)) {
3243 if (tvb_memeql(tvb, offset, session->client_cid, session->client_cid_len) == 0) {
3244 ssl_cid = ssl;
3245 }
3246 }
3247
3248 if (session->server_cid_len > 0) {
3249 if (tvb_memeql(tvb, offset, session->server_cid, session->server_cid_len) == 0) {
3250 ssl_cid = ssl;
3251 }
3252 }
3253
3254 it = wmem_list_frame_next(it);
3255 }
3256
3257 return ssl_cid;
3258}
3259
3260/* StringInfo structure (len + data) functions {{{ */
3261
3262int
3263ssl_data_alloc(StringInfo* str, size_t len)
3264{
3265 str->data = (unsigned char *)g_malloc(len);
22
Memory is allocated
3266 /* the allocator can return a null pointer for a size equal to 0,
3267 * and that must be allowed */
3268 if (len
22.1
'len' is > 0
 > 0 && !str->data)
23
Assuming field 'data' is non-null
24
Taking false branch
3269 return -1;
3270 str->data_len = (unsigned) len;
3271 return 0;
3272}
3273
3274void
3275ssl_data_set(StringInfo* str, const unsigned char* data, unsigned len)
3276{
3277 DISSECTOR_ASSERT(data)((void) ((data) ? (void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\""
, "epan/dissectors/packet-tls-utils.c", 3277, "data"))));
3278 memcpy(str->data, data, len);
3279 str->data_len = len;
3280}
3281
3282static int
3283ssl_data_realloc(StringInfo* str, unsigned len)
3284{
3285 str->data = (unsigned char *)g_realloc(str->data, len);
3286 if (!str->data)
3287 return -1;
3288 str->data_len = len;
3289 return 0;
3290}
3291
3292static StringInfo *
3293ssl_data_clone(StringInfo *str)
3294{
3295 StringInfo *cloned_str;
3296 cloned_str = (StringInfo *) wmem_alloc0(wmem_file_scope(),
3297 sizeof(StringInfo) + str->data_len);
3298 cloned_str->data = (unsigned char *) (cloned_str + 1);
3299 ssl_data_set(cloned_str, str->data, str->data_len);
3300 return cloned_str;
3301}
3302
3303static int
3304ssl_data_copy(StringInfo* dst, StringInfo* src)
3305{
3306 if (dst->data_len < src->data_len) {
3307 if (ssl_data_realloc(dst, src->data_len))
3308 return -1;
3309 }
3310 memcpy(dst->data, src->data, src->data_len);
3311 dst->data_len = src->data_len;
3312 return 0;
3313}
3314
3315/* from_hex converts |hex_len| bytes of hex data from |in| and sets |*out| to
3316 * the result. |out->data| will be allocated using wmem_file_scope. Returns true on
3317 * success. */
3318static bool_Bool from_hex(StringInfo* out, const char* in, size_t hex_len) {
3319 size_t i;
3320
3321 if (hex_len & 1)
3322 return false0;
3323
3324 out->data = (unsigned char *)wmem_alloc(wmem_file_scope(), hex_len / 2);
3325 for (i = 0; i < hex_len / 2; i++) {
3326 int a = ws_xton(in[i*2]);
3327 int b = ws_xton(in[i*2 + 1]);
3328 if (a == -1 || b == -1)
3329 return false0;
3330 out->data[i] = a << 4 | b;
3331 }
3332 out->data_len = (unsigned)hex_len / 2;
3333 return true1;
3334}
3335/* StringInfo structure (len + data) functions }}} */
3336
3337
3338/* libgcrypt wrappers for HMAC/message digest operations {{{ */
3339/* hmac abstraction layer */
3340#define SSL_HMACgcry_md_hd_t gcry_md_hd_t
3341
3342static inline int
3343ssl_hmac_init(SSL_HMACgcry_md_hd_t* md, int algo)
3344{
3345 gcry_error_t err;
3346 const char *err_str, *err_src;
3347
3348 err = gcry_md_open(md,algo, GCRY_MD_FLAG_HMAC);
3349 if (err != 0) {
3350 err_str = gcry_strerror(err);
3351 err_src = gcry_strsource(err);
3352 ssl_debug_printf("ssl_hmac_init(): gcry_md_open failed %s/%s", err_str, err_src);
3353 return -1;
3354 }
3355 return 0;
3356}
3357
3358static inline int
3359ssl_hmac_setkey(SSL_HMACgcry_md_hd_t* md, const void * key, int len)
3360{
3361 gcry_error_t err;
3362 const char *err_str, *err_src;
3363
3364 err = gcry_md_setkey (*(md), key, len);
3365 if (err != 0) {
3366 err_str = gcry_strerror(err);
3367 err_src = gcry_strsource(err);
3368 ssl_debug_printf("ssl_hmac_setkey(): gcry_md_setkey failed %s/%s", err_str, err_src);
3369 return -1;
3370 }
3371 return 0;
3372}
3373
3374static inline int
3375ssl_hmac_reset(SSL_HMACgcry_md_hd_t* md)
3376{
3377 gcry_md_reset(*md);
3378 return 0;
3379}
3380
3381static inline void
3382ssl_hmac_update(SSL_HMACgcry_md_hd_t* md, const void* data, int len)
3383{
3384 gcry_md_write(*(md), data, len);
3385}
3386static inline void
3387ssl_hmac_final(SSL_HMACgcry_md_hd_t* md, unsigned char* data, unsigned* datalen)
3388{
3389 int algo;
3390 unsigned len;
3391
3392 algo = gcry_md_get_algo (*(md));
3393 len = gcry_md_get_algo_dlen(algo);
3394 DISSECTOR_ASSERT(len <= *datalen)((void) ((len <= *datalen) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 3394, "len <= *datalen"))));
3395 memcpy(data, gcry_md_read(*(md), algo), len);
3396 *datalen = len;
3397}
3398static inline void
3399ssl_hmac_cleanup(SSL_HMACgcry_md_hd_t* md)
3400{
3401 gcry_md_close(*(md));
3402}
3403
3404/* message digest abstraction layer*/
3405#define SSL_MDgcry_md_hd_t gcry_md_hd_t
3406
3407static inline int
3408ssl_md_init(SSL_MDgcry_md_hd_t* md, int algo)
3409{
3410 gcry_error_t err;
3411 const char *err_str, *err_src;
3412 err = gcry_md_open(md,algo, 0);
3413 if (err != 0) {
3414 err_str = gcry_strerror(err);
3415 err_src = gcry_strsource(err);
3416 ssl_debug_printf("ssl_md_init(): gcry_md_open failed %s/%s", err_str, err_src);
3417 return -1;
3418 }
3419 return 0;
3420}
3421static inline void
3422ssl_md_update(SSL_MDgcry_md_hd_t* md, unsigned char* data, int len)
3423{
3424 gcry_md_write(*(md), data, len);
3425}
3426static inline void
3427ssl_md_final(SSL_MDgcry_md_hd_t* md, unsigned char* data, unsigned* datalen)
3428{
3429 int algo;
3430 int len;
3431 algo = gcry_md_get_algo (*(md));
3432 len = gcry_md_get_algo_dlen (algo);
3433 memcpy(data, gcry_md_read(*(md), algo), len);
3434 *datalen = len;
3435}
3436static inline void
3437ssl_md_cleanup(SSL_MDgcry_md_hd_t* md)
3438{
3439 gcry_md_close(*(md));
3440}
3441
3442static inline void
3443ssl_md_reset(SSL_MDgcry_md_hd_t* md)
3444{
3445 gcry_md_reset(*md);
3446}
3447
3448/* md5 /sha abstraction layer */
3449#define SSL_SHA_CTXgcry_md_hd_t gcry_md_hd_t
3450#define SSL_MD5_CTXgcry_md_hd_t gcry_md_hd_t
3451
3452static inline int
3453ssl_sha_init(SSL_SHA_CTXgcry_md_hd_t* md)
3454{
3455 gcry_error_t err;
3456 const char *err_str, *err_src;
3457 err = gcry_md_open(md, GCRY_MD_SHA1, 0);
3458 if (err != 0) {
3459 err_str = gcry_strerror(err);
3460 err_src = gcry_strsource(err);
3461 ssl_debug_printf("ssl_sha_init(): gcry_md_open failed %s/%s", err_str, err_src);
3462 return -1;
3463 }
3464 return 0;
3465}
3466static inline void
3467ssl_sha_update(SSL_SHA_CTXgcry_md_hd_t* md, unsigned char* data, int len)
3468{
3469 gcry_md_write(*(md), data, len);
3470}
3471static inline void
3472ssl_sha_final(unsigned char* buf, SSL_SHA_CTXgcry_md_hd_t* md)
3473{
3474 memcpy(buf, gcry_md_read(*(md), GCRY_MD_SHA1),
3475 gcry_md_get_algo_dlen(GCRY_MD_SHA1));
3476}
3477
3478static inline void
3479ssl_sha_reset(SSL_SHA_CTXgcry_md_hd_t* md)
3480{
3481 gcry_md_reset(*md);
3482}
3483
3484static inline void
3485ssl_sha_cleanup(SSL_SHA_CTXgcry_md_hd_t* md)
3486{
3487 gcry_md_close(*(md));
3488}
3489
3490static inline int
3491ssl_md5_init(SSL_MD5_CTXgcry_md_hd_t* md)
3492{
3493 gcry_error_t err;
3494 const char *err_str, *err_src;
3495 err = gcry_md_open(md,GCRY_MD_MD5, 0);
3496 if (err != 0) {
3497 err_str = gcry_strerror(err);
3498 err_src = gcry_strsource(err);
3499 ssl_debug_printf("ssl_md5_init(): gcry_md_open failed %s/%s", err_str, err_src);
3500 return -1;
3501 }
3502 return 0;
3503}
3504static inline void
3505ssl_md5_update(SSL_MD5_CTXgcry_md_hd_t* md, unsigned char* data, int len)
3506{
3507 gcry_md_write(*(md), data, len);
3508}
3509static inline void
3510ssl_md5_final(unsigned char* buf, SSL_MD5_CTXgcry_md_hd_t* md)
3511{
3512 memcpy(buf, gcry_md_read(*(md), GCRY_MD_MD5),
3513 gcry_md_get_algo_dlen(GCRY_MD_MD5));
3514}
3515
3516static inline void
3517ssl_md5_reset(SSL_MD5_CTXgcry_md_hd_t* md)
3518{
3519 gcry_md_reset(*md);
3520}
3521
3522static inline void
3523ssl_md5_cleanup(SSL_MD5_CTXgcry_md_hd_t* md)
3524{
3525 gcry_md_close(*(md));
3526}
3527/* libgcrypt wrappers for HMAC/message digest operations }}} */
3528
3529/* libgcrypt wrappers for Cipher state manipulation {{{ */
3530int
3531ssl_cipher_setiv(SSL_CIPHER_CTXgcry_cipher_hd_t *cipher, unsigned char* iv, int iv_len)
3532{
3533 int ret;
3534#if 0
3535 unsigned char *ivp;
3536 int i;
3537 gcry_cipher_hd_t c;
3538 c=(gcry_cipher_hd_t)*cipher;
3539#endif
3540 ssl_debug_printf("--------------------------------------------------------------------");
3541#if 0
3542 for(ivp=c->iv,i=0; i < iv_len; i++ )
3543 {
3544 ssl_debug_printf("%d ",ivp[i]);
3545 i++;
3546 }
3547#endif
3548 ssl_debug_printf("--------------------------------------------------------------------");
3549 ret = gcry_cipher_setiv(*(cipher), iv, iv_len);
3550#if 0
3551 for(ivp=c->iv,i=0; i < iv_len; i++ )
3552 {
3553 ssl_debug_printf("%d ",ivp[i]);
3554 i++;
3555 }
3556#endif
3557 ssl_debug_printf("--------------------------------------------------------------------");
3558 return ret;
3559}
3560/* stream cipher abstraction layer*/
3561static int
3562ssl_cipher_init(gcry_cipher_hd_t *cipher, int algo, unsigned char* sk,
3563 unsigned char* iv, int mode)
3564{
3565 int gcry_modes[] = {
3566 GCRY_CIPHER_MODE_STREAM,
3567 GCRY_CIPHER_MODE_CBC,
3568 GCRY_CIPHER_MODE_GCM,
3569 GCRY_CIPHER_MODE_CCM,
3570 GCRY_CIPHER_MODE_CCM,
3571 GCRY_CIPHER_MODE_POLY1305,
3572 GCRY_CIPHER_MODE_ECB, /* used for DTLSv1.3 seq number encryption */
3573 };
3574 int err;
3575 if (algo == -1) {
3576 /* NULL mode */
3577 *(cipher) = (gcry_cipher_hd_t)-1;
3578 return 0;
3579 }
3580 err = gcry_cipher_open(cipher, algo, gcry_modes[mode], 0);
3581 if (err !=0)
3582 return -1;
3583 err = gcry_cipher_setkey(*(cipher), sk, gcry_cipher_get_algo_keylen (algo));
3584 if (err != 0)
3585 return -1;
3586 /* AEAD cipher suites will set the nonce later. */
3587 if (mode == MODE_CBC) {
3588 err = gcry_cipher_setiv(*(cipher), iv, gcry_cipher_get_algo_blklen(algo));
3589 if (err != 0)
3590 return -1;
3591 }
3592 return 0;
3593}
3594static inline int
3595ssl_cipher_decrypt(gcry_cipher_hd_t *cipher, unsigned char * out, int outl,
3596 const unsigned char * in, int inl)
3597{
3598 if ((*cipher) == (gcry_cipher_hd_t)-1)
3599 {
3600 if (in && inl)
3601 memcpy(out, in, outl < inl ? outl : inl);
3602 return 0;
3603 }
3604 return gcry_cipher_decrypt ( *(cipher), out, outl, in, inl);
3605}
3606static inline int
3607ssl_get_digest_by_name(const char*name)
3608{
3609 return gcry_md_map_name(name);
3610}
3611static inline int
3612ssl_get_cipher_by_name(const char* name)
3613{
3614 return gcry_cipher_map_name(name);
3615}
3616
3617static inline void
3618ssl_cipher_cleanup(gcry_cipher_hd_t *cipher)
3619{
3620 if ((*cipher) != (gcry_cipher_hd_t)-1)
3621 gcry_cipher_close(*cipher);
3622 *cipher = NULL((void*)0);
3623}
3624/* }}} */
3625
3626/* Digests, Ciphers and Cipher Suites registry {{{ */
3627static const SslDigestAlgo digests[]={
3628 {"MD5", 16},
3629 {"SHA1", 20},
3630 {"SHA256", 32},
3631 {"SHA384", 48},
3632 {"SM3", 32},
3633 {"Not Applicable", 0},
3634};
3635
3636#define DIGEST_MAX_SIZE48 48
3637
3638/* get index digest index */
3639static const SslDigestAlgo *
3640ssl_cipher_suite_dig(const SslCipherSuite *cs) {
3641 if (!cs || cs->dig < DIG_MD50x40 || cs->dig > DIG_NA0x45) {
3642 return &digests[DIG_NA0x45 - DIG_MD50x40];
3643 }
3644 return &digests[cs->dig - DIG_MD50x40];
3645}
3646
3647static const char *ciphers[]={
3648 "DES",
3649 "3DES",
3650 "ARCFOUR", /* libgcrypt does not support rc4, but this should be 100% compatible*/
3651 "RFC2268_128", /* libgcrypt name for RC2 with a 128-bit key */
3652 "IDEA",
3653 "AES",
3654 "AES256",
3655 "CAMELLIA128",
3656 "CAMELLIA256",
3657 "SEED",
3658 "CHACHA20", /* since Libgcrypt 1.7.0 */
3659 "SM1",
3660 "SM4",
3661 "*UNKNOWN*"
3662};
3663
3664static const SslCipherSuite cipher_suites[]={
3665 {0x0001,KEX_RSA0x1e, ENC_NULL0x3D, DIG_MD50x40, MODE_STREAM}, /* TLS_RSA_WITH_NULL_MD5 */
3666 {0x0002,KEX_RSA0x1e, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_RSA_WITH_NULL_SHA */
3667 {0x0003,KEX_RSA0x1e, ENC_RC40x32, DIG_MD50x40, MODE_STREAM}, /* TLS_RSA_EXPORT_WITH_RC4_40_MD5 */
3668 {0x0004,KEX_RSA0x1e, ENC_RC40x32, DIG_MD50x40, MODE_STREAM}, /* TLS_RSA_WITH_RC4_128_MD5 */
3669 {0x0005,KEX_RSA0x1e, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_RSA_WITH_RC4_128_SHA */
3670 {0x0006,KEX_RSA0x1e, ENC_RC20x33, DIG_MD50x40, MODE_CBC }, /* TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 */
3671 {0x0007,KEX_RSA0x1e, ENC_IDEA0x34, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_IDEA_CBC_SHA */
3672 {0x0008,KEX_RSA0x1e, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_EXPORT_WITH_DES40_CBC_SHA */
3673 {0x0009,KEX_RSA0x1e, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_DES_CBC_SHA */
3674 {0x000A,KEX_RSA0x1e, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_3DES_EDE_CBC_SHA */
3675 {0x000B,KEX_DH_DSS0x14, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA */
3676 {0x000C,KEX_DH_DSS0x14, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_DES_CBC_SHA */
3677 {0x000D,KEX_DH_DSS0x14, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA */
3678 {0x000E,KEX_DH_RSA0x15, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA */
3679 {0x000F,KEX_DH_RSA0x15, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_DES_CBC_SHA */
3680 {0x0010,KEX_DH_RSA0x15, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA */
3681 {0x0011,KEX_DHE_DSS0x10, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA */
3682 {0x0012,KEX_DHE_DSS0x10, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_DES_CBC_SHA */
3683 {0x0013,KEX_DHE_DSS0x10, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA */
3684 {0x0014,KEX_DHE_RSA0x12, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA */
3685 {0x0015,KEX_DHE_RSA0x12, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_DES_CBC_SHA */
3686 {0x0016,KEX_DHE_RSA0x12, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA */
3687 {0x0017,KEX_DH_ANON0x13, ENC_RC40x32, DIG_MD50x40, MODE_STREAM}, /* TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 */
3688 {0x0018,KEX_DH_ANON0x13, ENC_RC40x32, DIG_MD50x40, MODE_STREAM}, /* TLS_DH_anon_WITH_RC4_128_MD5 */
3689 {0x0019,KEX_DH_ANON0x13, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA */
3690 {0x001A,KEX_DH_ANON0x13, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_DES_CBC_SHA */
3691 {0x001B,KEX_DH_ANON0x13, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_3DES_EDE_CBC_SHA */
3692 {0x002C,KEX_PSK0x1d, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_PSK_WITH_NULL_SHA */
3693 {0x002D,KEX_DHE_PSK0x11, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_DHE_PSK_WITH_NULL_SHA */
3694 {0x002E,KEX_RSA_PSK0x1f, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_RSA_PSK_WITH_NULL_SHA */
3695 {0x002F,KEX_RSA0x1e, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_AES_128_CBC_SHA */
3696 {0x0030,KEX_DH_DSS0x14, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_AES_128_CBC_SHA */
3697 {0x0031,KEX_DH_RSA0x15, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_AES_128_CBC_SHA */
3698 {0x0032,KEX_DHE_DSS0x10, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_AES_128_CBC_SHA */
3699 {0x0033,KEX_DHE_RSA0x12, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_AES_128_CBC_SHA */
3700 {0x0034,KEX_DH_ANON0x13, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_AES_128_CBC_SHA */
3701 {0x0035,KEX_RSA0x1e, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_AES_256_CBC_SHA */
3702 {0x0036,KEX_DH_DSS0x14, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_AES_256_CBC_SHA */
3703 {0x0037,KEX_DH_RSA0x15, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_AES_256_CBC_SHA */
3704 {0x0038,KEX_DHE_DSS0x10, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_AES_256_CBC_SHA */
3705 {0x0039,KEX_DHE_RSA0x12, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_AES_256_CBC_SHA */
3706 {0x003A,KEX_DH_ANON0x13, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_AES_256_CBC_SHA */
3707 {0x003B,KEX_RSA0x1e, ENC_NULL0x3D, DIG_SHA2560x42, MODE_STREAM}, /* TLS_RSA_WITH_NULL_SHA256 */
3708 {0x003C,KEX_RSA0x1e, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_RSA_WITH_AES_128_CBC_SHA256 */
3709 {0x003D,KEX_RSA0x1e, ENC_AES2560x36, DIG_SHA2560x42, MODE_CBC }, /* TLS_RSA_WITH_AES_256_CBC_SHA256 */
3710 {0x003E,KEX_DH_DSS0x14, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_DSS_WITH_AES_128_CBC_SHA256 */
3711 {0x003F,KEX_DH_RSA0x15, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_RSA_WITH_AES_128_CBC_SHA256 */
3712 {0x0040,KEX_DHE_DSS0x10, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 */
3713 {0x0041,KEX_RSA0x1e, ENC_CAMELLIA1280x37,DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_CAMELLIA_128_CBC_SHA */
3714 {0x0042,KEX_DH_DSS0x14, ENC_CAMELLIA1280x37,DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA */
3715 {0x0043,KEX_DH_RSA0x15, ENC_CAMELLIA1280x37,DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA */
3716 {0x0044,KEX_DHE_DSS0x10, ENC_CAMELLIA1280x37,DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA */
3717 {0x0045,KEX_DHE_RSA0x12, ENC_CAMELLIA1280x37,DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA */
3718 {0x0046,KEX_DH_ANON0x13, ENC_CAMELLIA1280x37,DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA */
3719 {0x0060,KEX_RSA0x1e, ENC_RC40x32, DIG_MD50x40, MODE_STREAM}, /* TLS_RSA_EXPORT1024_WITH_RC4_56_MD5 */
3720 {0x0061,KEX_RSA0x1e, ENC_RC20x33, DIG_MD50x40, MODE_STREAM}, /* TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 */
3721 {0x0062,KEX_RSA0x1e, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA */
3722 {0x0063,KEX_DHE_DSS0x10, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA */
3723 {0x0064,KEX_RSA0x1e, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_RSA_EXPORT1024_WITH_RC4_56_SHA */
3724 {0x0065,KEX_DHE_DSS0x10, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA */
3725 {0x0066,KEX_DHE_DSS0x10, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_DHE_DSS_WITH_RC4_128_SHA */
3726 {0x0067,KEX_DHE_RSA0x12, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 */
3727 {0x0068,KEX_DH_DSS0x14, ENC_AES2560x36, DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_DSS_WITH_AES_256_CBC_SHA256 */
3728 {0x0069,KEX_DH_RSA0x15, ENC_AES2560x36, DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_RSA_WITH_AES_256_CBC_SHA256 */
3729 {0x006A,KEX_DHE_DSS0x10, ENC_AES2560x36, DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 */
3730 {0x006B,KEX_DHE_RSA0x12, ENC_AES2560x36, DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 */
3731 {0x006C,KEX_DH_ANON0x13, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_anon_WITH_AES_128_CBC_SHA256 */
3732 {0x006D,KEX_DH_ANON0x13, ENC_AES2560x36, DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_anon_WITH_AES_256_CBC_SHA256 */
3733 {0x0084,KEX_RSA0x1e, ENC_CAMELLIA2560x38,DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_CAMELLIA_256_CBC_SHA */
3734 {0x0085,KEX_DH_DSS0x14, ENC_CAMELLIA2560x38,DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA */
3735 {0x0086,KEX_DH_RSA0x15, ENC_CAMELLIA2560x38,DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA */
3736 {0x0087,KEX_DHE_DSS0x10, ENC_CAMELLIA2560x38,DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA */
3737 {0x0088,KEX_DHE_RSA0x12, ENC_CAMELLIA2560x38,DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA */
3738 {0x0089,KEX_DH_ANON0x13, ENC_CAMELLIA2560x38,DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA */
3739 {0x008A,KEX_PSK0x1d, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_PSK_WITH_RC4_128_SHA */
3740 {0x008B,KEX_PSK0x1d, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_PSK_WITH_3DES_EDE_CBC_SHA */
3741 {0x008C,KEX_PSK0x1d, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_PSK_WITH_AES_128_CBC_SHA */
3742 {0x008D,KEX_PSK0x1d, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_PSK_WITH_AES_256_CBC_SHA */
3743 {0x008E,KEX_DHE_PSK0x11, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_DHE_PSK_WITH_RC4_128_SHA */
3744 {0x008F,KEX_DHE_PSK0x11, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA */
3745 {0x0090,KEX_DHE_PSK0x11, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_PSK_WITH_AES_128_CBC_SHA */
3746 {0x0091,KEX_DHE_PSK0x11, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_PSK_WITH_AES_256_CBC_SHA */
3747 {0x0092,KEX_RSA_PSK0x1f, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_RSA_PSK_WITH_RC4_128_SHA */
3748 {0x0093,KEX_RSA_PSK0x1f, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA */
3749 {0x0094,KEX_RSA_PSK0x1f, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_PSK_WITH_AES_128_CBC_SHA */
3750 {0x0095,KEX_RSA_PSK0x1f, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_PSK_WITH_AES_256_CBC_SHA */
3751 {0x0096,KEX_RSA0x1e, ENC_SEED0x39, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_SEED_CBC_SHA */
3752 {0x0097,KEX_DH_DSS0x14, ENC_SEED0x39, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_SEED_CBC_SHA */
3753 {0x0098,KEX_DH_RSA0x15, ENC_SEED0x39, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_SEED_CBC_SHA */
3754 {0x0099,KEX_DHE_DSS0x10, ENC_SEED0x39, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_SEED_CBC_SHA */
3755 {0x009A,KEX_DHE_RSA0x12, ENC_SEED0x39, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_SEED_CBC_SHA */
3756 {0x009B,KEX_DH_ANON0x13, ENC_SEED0x39, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_SEED_CBC_SHA */
3757 {0x009C,KEX_RSA0x1e, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_RSA_WITH_AES_128_GCM_SHA256 */
3758 {0x009D,KEX_RSA0x1e, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_RSA_WITH_AES_256_GCM_SHA384 */
3759 {0x009E,KEX_DHE_RSA0x12, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 */
3760 {0x009F,KEX_DHE_RSA0x12, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 */
3761 {0x00A0,KEX_DH_RSA0x15, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_DH_RSA_WITH_AES_128_GCM_SHA256 */
3762 {0x00A1,KEX_DH_RSA0x15, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_DH_RSA_WITH_AES_256_GCM_SHA384 */
3763 {0x00A2,KEX_DHE_DSS0x10, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 */
3764 {0x00A3,KEX_DHE_DSS0x10, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 */
3765 {0x00A4,KEX_DH_DSS0x14, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_DH_DSS_WITH_AES_128_GCM_SHA256 */
3766 {0x00A5,KEX_DH_DSS0x14, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_DH_DSS_WITH_AES_256_GCM_SHA384 */
3767 {0x00A6,KEX_DH_ANON0x13, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_DH_anon_WITH_AES_128_GCM_SHA256 */
3768 {0x00A7,KEX_DH_ANON0x13, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_DH_anon_WITH_AES_256_GCM_SHA384 */
3769 {0x00A8,KEX_PSK0x1d, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_PSK_WITH_AES_128_GCM_SHA256 */
3770 {0x00A9,KEX_PSK0x1d, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_PSK_WITH_AES_256_GCM_SHA384 */
3771 {0x00AA,KEX_DHE_PSK0x11, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 */
3772 {0x00AB,KEX_DHE_PSK0x11, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 */
3773 {0x00AC,KEX_RSA_PSK0x1f, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 */
3774 {0x00AD,KEX_RSA_PSK0x1f, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 */
3775 {0x00AE,KEX_PSK0x1d, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_PSK_WITH_AES_128_CBC_SHA256 */
3776 {0x00AF,KEX_PSK0x1d, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_PSK_WITH_AES_256_CBC_SHA384 */
3777 {0x00B0,KEX_PSK0x1d, ENC_NULL0x3D, DIG_SHA2560x42, MODE_STREAM}, /* TLS_PSK_WITH_NULL_SHA256 */
3778 {0x00B1,KEX_PSK0x1d, ENC_NULL0x3D, DIG_SHA3840x43, MODE_STREAM}, /* TLS_PSK_WITH_NULL_SHA384 */
3779 {0x00B2,KEX_DHE_PSK0x11, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 */
3780 {0x00B3,KEX_DHE_PSK0x11, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 */
3781 {0x00B4,KEX_DHE_PSK0x11, ENC_NULL0x3D, DIG_SHA2560x42, MODE_STREAM}, /* TLS_DHE_PSK_WITH_NULL_SHA256 */
3782 {0x00B5,KEX_DHE_PSK0x11, ENC_NULL0x3D, DIG_SHA3840x43, MODE_STREAM}, /* TLS_DHE_PSK_WITH_NULL_SHA384 */
3783 {0x00B6,KEX_RSA_PSK0x1f, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 */
3784 {0x00B7,KEX_RSA_PSK0x1f, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 */
3785 {0x00B8,KEX_RSA_PSK0x1f, ENC_NULL0x3D, DIG_SHA2560x42, MODE_STREAM}, /* TLS_RSA_PSK_WITH_NULL_SHA256 */
3786 {0x00B9,KEX_RSA_PSK0x1f, ENC_NULL0x3D, DIG_SHA3840x43, MODE_STREAM}, /* TLS_RSA_PSK_WITH_NULL_SHA384 */
3787 {0x00BA,KEX_RSA0x1e, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 */
3788 {0x00BB,KEX_DH_DSS0x14, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256 */
3789 {0x00BC,KEX_DH_RSA0x15, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256 */
3790 {0x00BD,KEX_DHE_DSS0x10, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256 */
3791 {0x00BE,KEX_DHE_RSA0x12, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 */
3792 {0x00BF,KEX_DH_ANON0x13, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256 */
3793 {0x00C0,KEX_RSA0x1e, ENC_CAMELLIA2560x38,DIG_SHA2560x42, MODE_CBC }, /* TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 */
3794 {0x00C1,KEX_DH_DSS0x14, ENC_CAMELLIA2560x38,DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256 */
3795 {0x00C2,KEX_DH_RSA0x15, ENC_CAMELLIA2560x38,DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256 */
3796 {0x00C3,KEX_DHE_DSS0x10, ENC_CAMELLIA2560x38,DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256 */
3797 {0x00C4,KEX_DHE_RSA0x12, ENC_CAMELLIA2560x38,DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 */
3798 {0x00C5,KEX_DH_ANON0x13, ENC_CAMELLIA2560x38,DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256 */
3799
3800 /* NOTE: TLS 1.3 cipher suites are incompatible with TLS 1.2. */
3801 {0x1301,KEX_TLS130x23, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_AES_128_GCM_SHA256 */
3802 {0x1302,KEX_TLS130x23, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_AES_256_GCM_SHA384 */
3803 {0x1303,KEX_TLS130x23, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_CHACHA20_POLY1305_SHA256 */
3804 {0x1304,KEX_TLS130x23, ENC_AES0x35, DIG_SHA2560x42, MODE_CCM }, /* TLS_AES_128_CCM_SHA256 */
3805 {0x1305,KEX_TLS130x23, ENC_AES0x35, DIG_SHA2560x42, MODE_CCM_8 }, /* TLS_AES_128_CCM_8_SHA256 */
3806 {0x00C6,KEX_TLS130x23, ENC_SM40x3C, DIG_SM30x44, MODE_GCM }, /* TLS_SM4_GCM_SM3 */
3807
3808 {0xC001,KEX_ECDH_ECDSA0x1a, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDH_ECDSA_WITH_NULL_SHA */
3809 {0xC002,KEX_ECDH_ECDSA0x1a, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDH_ECDSA_WITH_RC4_128_SHA */
3810 {0xC003,KEX_ECDH_ECDSA0x1a, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA */
3811 {0xC004,KEX_ECDH_ECDSA0x1a, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA */
3812 {0xC005,KEX_ECDH_ECDSA0x1a, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA */
3813 {0xC006,KEX_ECDHE_ECDSA0x16, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDHE_ECDSA_WITH_NULL_SHA */
3814 {0xC007,KEX_ECDHE_ECDSA0x16, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDHE_ECDSA_WITH_RC4_128_SHA */
3815 {0xC008,KEX_ECDHE_ECDSA0x16, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA */
3816 {0xC009,KEX_ECDHE_ECDSA0x16, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA */
3817 {0xC00A,KEX_ECDHE_ECDSA0x16, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA */
3818 {0xC00B,KEX_ECDH_RSA0x1b, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDH_RSA_WITH_NULL_SHA */
3819 {0xC00C,KEX_ECDH_RSA0x1b, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDH_RSA_WITH_RC4_128_SHA */
3820 {0xC00D,KEX_ECDH_RSA0x1b, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA */
3821 {0xC00E,KEX_ECDH_RSA0x1b, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_RSA_WITH_AES_128_CBC_SHA */
3822 {0xC00F,KEX_ECDH_RSA0x1b, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_RSA_WITH_AES_256_CBC_SHA */
3823 {0xC0FF,KEX_ECJPAKE0x24, ENC_AES0x35, DIG_NA0x45, MODE_CCM_8 }, /* TLS_ECJPAKE_WITH_AES_128_CCM_8 */
3824 {0xC010,KEX_ECDHE_RSA0x18, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDHE_RSA_WITH_NULL_SHA */
3825 {0xC011,KEX_ECDHE_RSA0x18, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDHE_RSA_WITH_RC4_128_SHA */
3826 {0xC012,KEX_ECDHE_RSA0x18, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA */
3827 {0xC013,KEX_ECDHE_RSA0x18, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA */
3828 {0xC014,KEX_ECDHE_RSA0x18, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA */
3829 {0xC015,KEX_ECDH_ANON0x19, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDH_anon_WITH_NULL_SHA */
3830 {0xC016,KEX_ECDH_ANON0x19, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDH_anon_WITH_RC4_128_SHA */
3831 {0xC017,KEX_ECDH_ANON0x19, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA */
3832 {0xC018,KEX_ECDH_ANON0x19, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_anon_WITH_AES_128_CBC_SHA */
3833 {0xC019,KEX_ECDH_ANON0x19, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_anon_WITH_AES_256_CBC_SHA */
3834 {0xC01A,KEX_SRP_SHA0x20, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA */
3835 {0xC01B,KEX_SRP_SHA_RSA0x22, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA */
3836 {0xC01C,KEX_SRP_SHA_DSS0x21, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA */
3837 {0xC01D,KEX_SRP_SHA0x20, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_WITH_AES_128_CBC_SHA */
3838 {0xC01E,KEX_SRP_SHA_RSA0x22, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA */
3839 {0xC01F,KEX_SRP_SHA_DSS0x21, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA */
3840 {0xC020,KEX_SRP_SHA0x20, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_WITH_AES_256_CBC_SHA */
3841 {0xC021,KEX_SRP_SHA_RSA0x22, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA */
3842 {0xC022,KEX_SRP_SHA_DSS0x21, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA */
3843 {0xC023,KEX_ECDHE_ECDSA0x16, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 */
3844 {0xC024,KEX_ECDHE_ECDSA0x16, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 */
3845 {0xC025,KEX_ECDH_ECDSA0x1a, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 */
3846 {0xC026,KEX_ECDH_ECDSA0x1a, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 */
3847 {0xC027,KEX_ECDHE_RSA0x18, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 */
3848 {0xC028,KEX_ECDHE_RSA0x18, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 */
3849 {0xC029,KEX_ECDH_RSA0x1b, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 */
3850 {0xC02A,KEX_ECDH_RSA0x1b, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 */
3851 {0xC02B,KEX_ECDHE_ECDSA0x16, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 */
3852 {0xC02C,KEX_ECDHE_ECDSA0x16, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 */
3853 {0xC02D,KEX_ECDH_ECDSA0x1a, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 */
3854 {0xC02E,KEX_ECDH_ECDSA0x1a, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 */
3855 {0xC02F,KEX_ECDHE_RSA0x18, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 */
3856 {0xC030,KEX_ECDHE_RSA0x18, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 */
3857 {0xC031,KEX_ECDH_RSA0x1b, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 */
3858 {0xC032,KEX_ECDH_RSA0x1b, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 */
3859 {0xC033,KEX_ECDHE_PSK0x17, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDHE_PSK_WITH_RC4_128_SHA */
3860 {0xC034,KEX_ECDHE_PSK0x17, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA */
3861 {0xC035,KEX_ECDHE_PSK0x17, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA */
3862 {0xC036,KEX_ECDHE_PSK0x17, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA */
3863 {0xC037,KEX_ECDHE_PSK0x17, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 */
3864 {0xC038,KEX_ECDHE_PSK0x17, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 */
3865 {0xC039,KEX_ECDHE_PSK0x17, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDHE_PSK_WITH_NULL_SHA */
3866 {0xC03A,KEX_ECDHE_PSK0x17, ENC_NULL0x3D, DIG_SHA2560x42, MODE_STREAM}, /* TLS_ECDHE_PSK_WITH_NULL_SHA256 */
3867 {0xC03B,KEX_ECDHE_PSK0x17, ENC_NULL0x3D, DIG_SHA3840x43, MODE_STREAM}, /* TLS_ECDHE_PSK_WITH_NULL_SHA384 */
3868 {0xC072,KEX_ECDHE_ECDSA0x16, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 */
3869 {0xC073,KEX_ECDHE_ECDSA0x16, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 */
3870 {0xC074,KEX_ECDH_ECDSA0x1a, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 */
3871 {0xC075,KEX_ECDH_ECDSA0x1a, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 */
3872 {0xC076,KEX_ECDHE_RSA0x18, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 */
3873 {0xC077,KEX_ECDHE_RSA0x18, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 */
3874 {0xC078,KEX_ECDH_RSA0x1b, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256 */
3875 {0xC079,KEX_ECDH_RSA0x1b, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384 */
3876 {0xC07A,KEX_RSA0x1e, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256 */
3877 {0xC07B,KEX_RSA0x1e, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384 */
3878 {0xC07C,KEX_DHE_RSA0x12, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 */
3879 {0xC07D,KEX_DHE_RSA0x12, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 */
3880 {0xC07E,KEX_DH_RSA0x15, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256 */
3881 {0xC07F,KEX_DH_RSA0x15, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384 */
3882 {0xC080,KEX_DHE_DSS0x10, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256 */
3883 {0xC081,KEX_DHE_DSS0x10, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384 */
3884 {0xC082,KEX_DH_DSS0x14, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256 */
3885 {0xC083,KEX_DH_DSS0x14, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384 */
3886 {0xC084,KEX_DH_ANON0x13, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256 */
3887 {0xC085,KEX_DH_ANON0x13, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384 */
3888 {0xC086,KEX_ECDHE_ECDSA0x16, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 */
3889 {0xC087,KEX_ECDHE_ECDSA0x16, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 */
3890 {0xC088,KEX_ECDH_ECDSA0x1a, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 */
3891 {0xC089,KEX_ECDH_ECDSA0x1a, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 */
3892 {0xC08A,KEX_ECDHE_RSA0x18, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 */
3893 {0xC08B,KEX_ECDHE_RSA0x18, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 */
3894 {0xC08C,KEX_ECDH_RSA0x1b, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256 */
3895 {0xC08D,KEX_ECDH_RSA0x1b, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384 */
3896 {0xC08E,KEX_PSK0x1d, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 */
3897 {0xC08F,KEX_PSK0x1d, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384 */
3898 {0xC090,KEX_DHE_PSK0x11, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256 */
3899 {0xC091,KEX_DHE_PSK0x11, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384 */
3900 {0xC092,KEX_RSA_PSK0x1f, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256 */
3901 {0xC093,KEX_RSA_PSK0x1f, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384 */
3902 {0xC094,KEX_PSK0x1d, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 */
3903 {0xC095,KEX_PSK0x1d, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384 */
3904 {0xC096,KEX_DHE_PSK0x11, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 */
3905 {0xC097,KEX_DHE_PSK0x11, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 */
3906 {0xC098,KEX_RSA_PSK0x1f, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256 */
3907 {0xC099,KEX_RSA_PSK0x1f, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384 */
3908 {0xC09A,KEX_ECDHE_PSK0x17, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 */
3909 {0xC09B,KEX_ECDHE_PSK0x17, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 */
3910 {0xC09C,KEX_RSA0x1e, ENC_AES0x35, DIG_NA0x45, MODE_CCM }, /* TLS_RSA_WITH_AES_128_CCM */
3911 {0xC09D,KEX_RSA0x1e, ENC_AES2560x36, DIG_NA0x45, MODE_CCM }, /* TLS_RSA_WITH_AES_256_CCM */
3912 {0xC09E,KEX_DHE_RSA0x12, ENC_AES0x35, DIG_NA0x45, MODE_CCM }, /* TLS_DHE_RSA_WITH_AES_128_CCM */
3913 {0xC09F,KEX_DHE_RSA0x12, ENC_AES2560x36, DIG_NA0x45, MODE_CCM }, /* TLS_DHE_RSA_WITH_AES_256_CCM */
3914 {0xC0A0,KEX_RSA0x1e, ENC_AES0x35, DIG_NA0x45, MODE_CCM_8 }, /* TLS_RSA_WITH_AES_128_CCM_8 */
3915 {0xC0A1,KEX_RSA0x1e, ENC_AES2560x36, DIG_NA0x45, MODE_CCM_8 }, /* TLS_RSA_WITH_AES_256_CCM_8 */
3916 {0xC0A2,KEX_DHE_RSA0x12, ENC_AES0x35, DIG_NA0x45, MODE_CCM_8 }, /* TLS_DHE_RSA_WITH_AES_128_CCM_8 */
3917 {0xC0A3,KEX_DHE_RSA0x12, ENC_AES2560x36, DIG_NA0x45, MODE_CCM_8 }, /* TLS_DHE_RSA_WITH_AES_256_CCM_8 */
3918 {0xC0A4,KEX_PSK0x1d, ENC_AES0x35, DIG_NA0x45, MODE_CCM }, /* TLS_PSK_WITH_AES_128_CCM */
3919 {0xC0A5,KEX_PSK0x1d, ENC_AES2560x36, DIG_NA0x45, MODE_CCM }, /* TLS_PSK_WITH_AES_256_CCM */
3920 {0xC0A6,KEX_DHE_PSK0x11, ENC_AES0x35, DIG_NA0x45, MODE_CCM }, /* TLS_DHE_PSK_WITH_AES_128_CCM */
3921 {0xC0A7,KEX_DHE_PSK0x11, ENC_AES2560x36, DIG_NA0x45, MODE_CCM }, /* TLS_DHE_PSK_WITH_AES_256_CCM */
3922 {0xC0A8,KEX_PSK0x1d, ENC_AES0x35, DIG_NA0x45, MODE_CCM_8 }, /* TLS_PSK_WITH_AES_128_CCM_8 */
3923 {0xC0A9,KEX_PSK0x1d, ENC_AES2560x36, DIG_NA0x45, MODE_CCM_8 }, /* TLS_PSK_WITH_AES_256_CCM_8 */
3924 {0xC0AA,KEX_DHE_PSK0x11, ENC_AES0x35, DIG_NA0x45, MODE_CCM_8 }, /* TLS_PSK_DHE_WITH_AES_128_CCM_8 */
3925 {0xC0AB,KEX_DHE_PSK0x11, ENC_AES2560x36, DIG_NA0x45, MODE_CCM_8 }, /* TLS_PSK_DHE_WITH_AES_256_CCM_8 */
3926 {0xC0AC,KEX_ECDHE_ECDSA0x16, ENC_AES0x35, DIG_NA0x45, MODE_CCM }, /* TLS_ECDHE_ECDSA_WITH_AES_128_CCM */
3927 {0xC0AD,KEX_ECDHE_ECDSA0x16, ENC_AES2560x36, DIG_NA0x45, MODE_CCM }, /* TLS_ECDHE_ECDSA_WITH_AES_256_CCM */
3928 {0xC0AE,KEX_ECDHE_ECDSA0x16, ENC_AES0x35, DIG_NA0x45, MODE_CCM_8 }, /* TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 */
3929 {0xC0AF,KEX_ECDHE_ECDSA0x16, ENC_AES2560x36, DIG_NA0x45, MODE_CCM_8 }, /* TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 */
3930 {0xCCA8,KEX_ECDHE_RSA0x18, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 */
3931 {0xCCA9,KEX_ECDHE_ECDSA0x16, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 */
3932 {0xCCAA,KEX_DHE_RSA0x12, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 */
3933 {0xCCAB,KEX_PSK0x1d, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_PSK_WITH_CHACHA20_POLY1305_SHA256 */
3934 {0xCCAC,KEX_ECDHE_PSK0x17, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 */
3935 {0xCCAD,KEX_DHE_PSK0x11, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 */
3936 {0xCCAE,KEX_RSA_PSK0x1f, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256 */
3937 {0xD001,KEX_ECDHE_PSK0x17, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM}, /* TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 */
3938 {0xD002,KEX_ECDHE_PSK0x17, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM}, /* TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384 */
3939 {0xD003,KEX_ECDHE_PSK0x17, ENC_AES0x35, DIG_SHA2560x42, MODE_CCM_8}, /* TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256 */
3940 {0xD005,KEX_ECDHE_PSK0x17, ENC_AES0x35, DIG_SHA2560x42, MODE_CCM}, /* TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256 */
3941 /* GM */
3942 {0xe001,KEX_ECDHE_SM20x25, ENC_SM10x3B, DIG_SM30x44, MODE_CBC}, /* ECDHE_SM1_SM3 */
3943 {0xe003,KEX_ECC_SM20x26, ENC_SM10x3B, DIG_SM30x44, MODE_CBC}, /* ECC_SM1_SM3 */
3944 {0xe005,KEX_IBSDH_SM90x27, ENC_SM10x3B, DIG_SM30x44, MODE_CBC}, /* IBSDH_SM1_SM3 */
3945 {0xe007,KEX_IBC_SM90x28, ENC_SM10x3B, DIG_SM30x44, MODE_CBC}, /* IBC_SM1_SM3 */
3946 {0xe009,KEX_RSA0x1e, ENC_SM10x3B, DIG_SM30x44, MODE_CBC}, /* RSA_SM1_SM3 */
3947 {0xe00a,KEX_RSA0x1e, ENC_SM10x3B, DIG_SHA0x41, MODE_CBC}, /* RSA_SM1_SHA1 */
3948 {0xe011,KEX_ECDHE_SM20x25, ENC_SM40x3C, DIG_SM30x44, MODE_CBC}, /* ECDHE_SM4_CBC_SM3 */
3949 {0xe013,KEX_ECC_SM20x26, ENC_SM40x3C, DIG_SM30x44, MODE_CBC}, /* ECC_SM4_CBC_SM3 */
3950 {0xe015,KEX_IBSDH_SM90x27, ENC_SM40x3C, DIG_SM30x44, MODE_CBC}, /* IBSDH_SM4_CBC_SM3 */
3951 {0xe017,KEX_IBC_SM90x28, ENC_SM40x3C, DIG_SM30x44, MODE_CBC}, /* IBC_SM4_CBC_SM3 */
3952 {0xe019,KEX_RSA0x1e, ENC_SM40x3C, DIG_SM30x44, MODE_CBC}, /* RSA_SM4_CBC_SM3 */
3953 {0xe01a,KEX_RSA0x1e, ENC_SM40x3C, DIG_SHA0x41, MODE_CBC}, /* RSA_SM4_CBC_SHA1 */
3954 {0xe01c,KEX_RSA0x1e, ENC_SM40x3C, DIG_SHA2560x42, MODE_CBC}, /* RSA_SM4_CBC_SHA256 */
3955 {0xe051,KEX_ECDHE_SM20x25, ENC_SM40x3C, DIG_SM30x44, MODE_GCM}, /* ECDHE_SM4_GCM_SM3 */
3956 {0xe053,KEX_ECC_SM20x26, ENC_SM40x3C, DIG_SM30x44, MODE_GCM}, /* ECC_SM4_GCM_SM3 */
3957 {0xe055,KEX_IBSDH_SM90x27, ENC_SM40x3C, DIG_SM30x44, MODE_GCM}, /* IBSDH_SM4_GCM_SM3 */
3958 {0xe057,KEX_IBC_SM90x28, ENC_SM40x3C, DIG_SM30x44, MODE_GCM}, /* IBC_SM4_GCM_SM3 */
3959 {0xe059,KEX_RSA0x1e, ENC_SM40x3C, DIG_SM30x44, MODE_GCM}, /* RSA_SM4_GCM_SM3 */
3960 {0xe05a,KEX_RSA0x1e, ENC_SM40x3C, DIG_SHA2560x42, MODE_GCM}, /* RSA_SM4_GCM_SHA256 */
3961 {-1, 0, 0, 0, MODE_STREAM}
3962};
3963
3964#define MAX_BLOCK_SIZE16 16
3965#define MAX_KEY_SIZE32 32
3966
3967const SslCipherSuite *
3968ssl_find_cipher(int num)
3969{
3970 const SslCipherSuite *c;
3971 for(c=cipher_suites;c->number!=-1;c++){
3972 if(c->number==num){
3973 return c;
3974 }
3975 }
3976
3977 return NULL((void*)0);
3978}
3979
3980int
3981ssl_get_cipher_algo(const SslCipherSuite *cipher_suite)
3982{
3983 return gcry_cipher_map_name(ciphers[cipher_suite->enc - ENC_START0x30]);
3984}
3985
3986unsigned
3987ssl_get_cipher_blocksize(const SslCipherSuite *cipher_suite)
3988{
3989 int cipher_algo;
3990 if (cipher_suite->mode != MODE_CBC) return 0;
3991 cipher_algo = ssl_get_cipher_by_name(ciphers[cipher_suite->enc - ENC_START0x30]);
3992 return (unsigned)gcry_cipher_get_algo_blklen(cipher_algo);
3993}
3994
3995static unsigned
3996ssl_get_cipher_export_keymat_size(int cipher_suite_num)
3997{
3998 switch (cipher_suite_num) {
3999 /* See RFC 6101 (SSL 3.0), Table 2, column Key Material. */
4000 case 0x0003: /* TLS_RSA_EXPORT_WITH_RC4_40_MD5 */
4001 case 0x0006: /* TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 */
4002 case 0x0008: /* TLS_RSA_EXPORT_WITH_DES40_CBC_SHA */
4003 case 0x000B: /* TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA */
4004 case 0x000E: /* TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA */
4005 case 0x0011: /* TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA */
4006 case 0x0014: /* TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA */
4007 case 0x0017: /* TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 */
4008 case 0x0019: /* TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA */
4009 return 5;
4010
4011 /* not defined in below draft, but "implemented by several vendors",
4012 * https://www.ietf.org/mail-archive/web/tls/current/msg00036.html */
4013 case 0x0060: /* TLS_RSA_EXPORT1024_WITH_RC4_56_MD5 */
4014 case 0x0061: /* TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 */
4015 return 7;
4016
4017 /* Note: the draft states that DES_CBC needs 8 bytes, but Wireshark always
4018 * used 7. Until a pcap proves 8, let's use the old value. Link:
4019 * https://tools.ietf.org/html/draft-ietf-tls-56-bit-ciphersuites-01 */
4020 case 0x0062: /* TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA */
4021 case 0x0063: /* TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA */
4022 case 0x0064: /* TLS_RSA_EXPORT1024_WITH_RC4_56_SHA */
4023 case 0x0065: /* TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA */
4024 return 7;
4025
4026 default:
4027 return 0;
4028 }
4029}
4030
4031/* Digests, Ciphers and Cipher Suites registry }}} */
4032
4033
4034/* HMAC and the Pseudorandom function {{{ */
4035static int
4036tls_hash(StringInfo *secret, StringInfo *seed, int md,
4037 StringInfo *out, unsigned out_len)
4038{
4039 /* RFC 2246 5. HMAC and the pseudorandom function
4040 * '+' denotes concatenation.
4041 * P_hash(secret, seed) = HMAC_hash(secret, A(1) + seed) +
4042 * HMAC_hash(secret, A(2) + seed) + ...
4043 * A(0) = seed
4044 * A(i) = HMAC_hash(secret, A(i - 1))
4045 */
4046 uint8_t *ptr;
4047 unsigned left, tocpy;
4048 uint8_t *A;
4049 uint8_t _A[DIGEST_MAX_SIZE48], tmp[DIGEST_MAX_SIZE48];
4050 unsigned A_l, tmp_l;
4051 SSL_HMACgcry_md_hd_t hm;
4052
4053 ptr = out->data;
4054 left = out_len;
4055
4056 ssl_print_string("tls_hash: hash secret", secret);
4057 ssl_print_string("tls_hash: hash seed", seed);
4058 /* A(0) = seed */
4059 A = seed->data;
4060 A_l = seed->data_len;
4061
4062 if (ssl_hmac_init(&hm, md) != 0) {
4063 return -1;
4064 }
4065 while (left) {
4066 /* A(i) = HMAC_hash(secret, A(i-1)) */
4067 ssl_hmac_setkey(&hm, secret->data, secret->data_len);
4068 ssl_hmac_update(&hm, A, A_l);
4069 A_l = sizeof(_A); /* upper bound len for hash output */
4070 ssl_hmac_final(&hm, _A, &A_l);
4071 A = _A;
4072
4073 /* HMAC_hash(secret, A(i) + seed) */
4074 ssl_hmac_reset(&hm);
4075 ssl_hmac_setkey(&hm, secret->data, secret->data_len);
4076 ssl_hmac_update(&hm, A, A_l);
4077 ssl_hmac_update(&hm, seed->data, seed->data_len);
4078 tmp_l = sizeof(tmp); /* upper bound len for hash output */
4079 ssl_hmac_final(&hm, tmp, &tmp_l);
4080 ssl_hmac_reset(&hm);
4081
4082 /* ssl_hmac_final puts the actual digest output size in tmp_l */
4083 tocpy = MIN(left, tmp_l)(((left) < (tmp_l)) ? (left) : (tmp_l));
4084 memcpy(ptr, tmp, tocpy);
4085 ptr += tocpy;
4086 left -= tocpy;
4087 }
4088 ssl_hmac_cleanup(&hm);
4089 out->data_len = out_len;
4090
4091 ssl_print_string("hash out", out);
4092 return 0;
4093}
4094
4095static bool_Bool
4096tls_prf(StringInfo* secret, const char *usage,
4097 StringInfo* rnd1, StringInfo* rnd2, StringInfo* out, unsigned out_len)
4098{
4099 StringInfo seed, sha_out, md5_out;
4100 uint8_t *ptr;
4101 StringInfo s1, s2;
4102 unsigned i,s_l;
4103 size_t usage_len, rnd2_len;
4104 bool_Bool success = false0;
4105 usage_len = strlen(usage);
4106 rnd2_len = rnd2 ? rnd2->data_len : 0;
4107
4108 /* initialize buffer for sha, md5 random seed*/
4109 if (ssl_data_alloc(&sha_out, MAX(out_len, 20)(((out_len) > (20)) ? (out_len) : (20))) < 0) {
4110 ssl_debug_printf("tls_prf: can't allocate sha out\n");
4111 return false0;
4112 }
4113 if (ssl_data_alloc(&md5_out, MAX(out_len, 16)(((out_len) > (16)) ? (out_len) : (16))) < 0) {
4114 ssl_debug_printf("tls_prf: can't allocate md5 out\n");
4115 goto free_sha;
4116 }
4117 if (ssl_data_alloc(&seed, usage_len+rnd1->data_len+rnd2_len) < 0) {
4118 ssl_debug_printf("tls_prf: can't allocate rnd %d\n",
4119 (int) (usage_len+rnd1->data_len+rnd2_len));
4120 goto free_md5;
4121 }
4122
4123 ptr=seed.data;
4124 memcpy(ptr,usage,usage_len);
4125 ptr+=usage_len;
4126 memcpy(ptr,rnd1->data,rnd1->data_len);
4127 if (rnd2_len > 0) {
4128 ptr+=rnd1->data_len;
4129 memcpy(ptr,rnd2->data,rnd2->data_len);
4130 /*ptr+=rnd2->data_len;*/
4131 }
4132
4133 /* initialize buffer for client/server seeds*/
4134 s_l=secret->data_len/2 + secret->data_len%2;
4135 if (ssl_data_alloc(&s1, s_l) < 0) {
4136 ssl_debug_printf("tls_prf: can't allocate secret %d\n", s_l);
4137 goto free_seed;
4138 }
4139 if (ssl_data_alloc(&s2, s_l) < 0) {
4140 ssl_debug_printf("tls_prf: can't allocate secret(2) %d\n", s_l);
4141 goto free_s1;
4142 }
4143
4144 memcpy(s1.data,secret->data,s_l);
4145 memcpy(s2.data,secret->data + (secret->data_len - s_l),s_l);
4146
4147 ssl_debug_printf("tls_prf: tls_hash(md5 secret_len %d seed_len %d )\n", s1.data_len, seed.data_len);
4148 if(tls_hash(&s1, &seed, ssl_get_digest_by_name("MD5"), &md5_out, out_len) != 0)
4149 goto free_s2;
4150 ssl_debug_printf("tls_prf: tls_hash(sha)\n");
4151 if(tls_hash(&s2, &seed, ssl_get_digest_by_name("SHA1"), &sha_out, out_len) != 0)
4152 goto free_s2;
4153
4154 for (i = 0; i < out_len; i++)
4155 out->data[i] = md5_out.data[i] ^ sha_out.data[i];
4156 /* success, now store the new meaningful data length */
4157 out->data_len = out_len;
4158 success = true1;
4159
4160 ssl_print_string("PRF out",out);
4161free_s2:
4162 g_free(s2.data);
4163free_s1:
4164 g_free(s1.data);
4165free_seed:
4166 g_free(seed.data);
4167free_md5:
4168 g_free(md5_out.data);
4169free_sha:
4170 g_free(sha_out.data);
4171 return success;
4172}
4173
4174static bool_Bool
4175tls12_prf(int md, StringInfo* secret, const char* usage,
4176 StringInfo* rnd1, StringInfo* rnd2, StringInfo* out, unsigned out_len)
4177{
4178 StringInfo label_seed;
4179 int success;
4180 size_t usage_len, rnd2_len;
4181 rnd2_len = rnd2 ? rnd2->data_len : 0;
4182
4183 usage_len = strlen(usage);
4184 if (ssl_data_alloc(&label_seed, usage_len+rnd1->data_len+rnd2_len) < 0) {
4185 ssl_debug_printf("tls12_prf: can't allocate label_seed\n");
4186 return false0;
4187 }
4188 memcpy(label_seed.data, usage, usage_len);
4189 memcpy(label_seed.data+usage_len, rnd1->data, rnd1->data_len);
4190 if (rnd2_len > 0)
4191 memcpy(label_seed.data+usage_len+rnd1->data_len, rnd2->data, rnd2->data_len);
4192
4193 ssl_debug_printf("tls12_prf: tls_hash(hash_alg %s secret_len %d seed_len %d )\n", gcry_md_algo_name(md), secret->data_len, label_seed.data_len);
4194 success = tls_hash(secret, &label_seed, md, out, out_len);
4195 g_free(label_seed.data);
4196 if(success != -1){
4197 ssl_print_string("PRF out", out);
4198 return true1;
4199 }
4200 return false0;
4201}
4202
4203static bool_Bool
4204ssl3_generate_export_iv(StringInfo *r1, StringInfo *r2,
4205 StringInfo *out, unsigned out_len)
4206{
4207 SSL_MD5_CTXgcry_md_hd_t md5;
4208 uint8_t tmp[16];
4209
4210 if (ssl_md5_init(&md5) != 0) {
4211 return false0;
4212 }
4213 ssl_md5_update(&md5,r1->data,r1->data_len);
4214 ssl_md5_update(&md5,r2->data,r2->data_len);
4215 ssl_md5_final(tmp,&md5);
4216 ssl_md5_cleanup(&md5);
4217
4218 DISSECTOR_ASSERT(out_len <= sizeof(tmp))((void) ((out_len <= sizeof(tmp)) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 4218, "out_len <= sizeof(tmp)"))));
4219 ssl_data_set(out, tmp, out_len);
4220 ssl_print_string("export iv", out);
4221 return true1;
4222}
4223
4224static bool_Bool
4225ssl3_prf(StringInfo* secret, const char* usage,
4226 StringInfo* rnd1, StringInfo* rnd2, StringInfo* out, unsigned out_len)
4227{
4228 SSL_MD5_CTXgcry_md_hd_t md5;
4229 SSL_SHA_CTXgcry_md_hd_t sha;
4230 unsigned off;
4231 int i = 0,j;
4232 uint8_t buf[20];
4233
4234 if (ssl_sha_init(&sha) != 0) {
4235 return false0;
4236 }
4237 if (ssl_md5_init(&md5) != 0) {
4238 ssl_sha_cleanup(&sha);
4239 return false0;
4240 }
4241 for (off = 0; off < out_len; off += 16) {
4242 unsigned char outbuf[16];
4243 i++;
4244
4245 ssl_debug_printf("ssl3_prf: sha1_hash(%d)\n",i);
4246 /* A, BB, CCC, ... */
4247 for(j=0;j<i;j++){
4248 buf[j]=64+i;
4249 }
4250
4251 ssl_sha_update(&sha,buf,i);
4252 ssl_sha_update(&sha,secret->data,secret->data_len);
4253
4254 if(!strcmp(usage,"client write key") || !strcmp(usage,"server write key")){
4255 if (rnd2)
4256 ssl_sha_update(&sha,rnd2->data,rnd2->data_len);
4257 ssl_sha_update(&sha,rnd1->data,rnd1->data_len);
4258 }
4259 else{
4260 ssl_sha_update(&sha,rnd1->data,rnd1->data_len);
4261 if (rnd2)
4262 ssl_sha_update(&sha,rnd2->data,rnd2->data_len);
4263 }
4264
4265 ssl_sha_final(buf,&sha);
4266 ssl_sha_reset(&sha);
4267
4268 ssl_debug_printf("ssl3_prf: md5_hash(%d) datalen %d\n",i,
4269 secret->data_len);
4270 ssl_md5_update(&md5,secret->data,secret->data_len);
4271 ssl_md5_update(&md5,buf,20);
4272 ssl_md5_final(outbuf,&md5);
4273 ssl_md5_reset(&md5);
4274
4275 memcpy(out->data + off, outbuf, MIN(out_len - off, 16)(((out_len - off) < (16)) ? (out_len - off) : (16)));
4276 }
4277 ssl_sha_cleanup(&sha);
4278 ssl_md5_cleanup(&md5);
4279 out->data_len = out_len;
4280
4281 return true1;
4282}
4283
4284/* out_len is the wanted output length for the pseudorandom function.
4285 * Ensure that ssl->cipher_suite is set. */
4286static bool_Bool
4287prf(SslDecryptSession *ssl, StringInfo *secret, const char *usage,
4288 StringInfo *rnd1, StringInfo *rnd2, StringInfo *out, unsigned out_len)
4289{
4290 switch (ssl->session.version) {
4291 case SSLV3_VERSION0x300:
4292 return ssl3_prf(secret, usage, rnd1, rnd2, out, out_len);
4293
4294 case TLSV1_VERSION0x301:
4295 case TLSV1DOT1_VERSION0x302:
4296 case DTLSV1DOT0_VERSION0xfeff:
4297 case DTLSV1DOT0_OPENSSL_VERSION0x100:
4298 return tls_prf(secret, usage, rnd1, rnd2, out, out_len);
4299
4300 default: /* TLSv1.2 */
4301 switch (ssl->cipher_suite->dig) {
4302 case DIG_SM30x44:
4303#if GCRYPT_VERSION_NUMBER0x010a03 >= 0x010900
4304 return tls12_prf(GCRY_MD_SM3, secret, usage, rnd1, rnd2,
4305 out, out_len);
4306#else
4307 return false0;
4308#endif
4309 case DIG_SHA3840x43:
4310 return tls12_prf(GCRY_MD_SHA384, secret, usage, rnd1, rnd2,
4311 out, out_len);
4312 default:
4313 return tls12_prf(GCRY_MD_SHA256, secret, usage, rnd1, rnd2,
4314 out, out_len);
4315 }
4316 }
4317}
4318
4319static int tls_handshake_hash(SslDecryptSession* ssl, StringInfo* out)
4320{
4321 SSL_MD5_CTXgcry_md_hd_t md5;
4322 SSL_SHA_CTXgcry_md_hd_t sha;
4323
4324 if (ssl_data_alloc(out, 36) < 0)
21
Calling 'ssl_data_alloc'
25
Returned allocated memory
26
Taking false branch
4325 return -1;
4326
4327 if (ssl_md5_init(&md5) != 0)
27
Taking true branch
4328 return -1;
4329 ssl_md5_update(&md5,ssl->handshake_data.data,ssl->handshake_data.data_len);
4330 ssl_md5_final(out->data,&md5);
4331 ssl_md5_cleanup(&md5);
4332
4333 if (ssl_sha_init(&sha) != 0)
4334 return -1;
4335 ssl_sha_update(&sha,ssl->handshake_data.data,ssl->handshake_data.data_len);
4336 ssl_sha_final(out->data+16,&sha);
4337 ssl_sha_cleanup(&sha);
4338 return 0;
4339}
4340
4341static int tls12_handshake_hash(SslDecryptSession* ssl, int md, StringInfo* out)
4342{
4343 SSL_MDgcry_md_hd_t mc;
4344 uint8_t tmp[48];
4345 unsigned len;
4346
4347 if (ssl_md_init(&mc, md) != 0)
4348 return -1;
4349 ssl_md_update(&mc,ssl->handshake_data.data,ssl->handshake_data.data_len);
4350 ssl_md_final(&mc, tmp, &len);
4351 ssl_md_cleanup(&mc);
4352
4353 if (ssl_data_alloc(out, len) < 0)
4354 return -1;
4355 memcpy(out->data, tmp, len);
4356 return 0;
4357}
4358
4359/**
4360 * Obtains the label prefix used in HKDF-Expand-Label. This function can be
4361 * inlined and removed once support for draft 19 and before is dropped.
4362 */
4363static inline const char *
4364tls13_hkdf_label_prefix(SslDecryptSession *ssl_session)
4365{
4366 if (ssl_session->session.tls13_draft_version && ssl_session->session.tls13_draft_version < 20) {
4367 return "TLS 1.3, ";
4368 } else if (ssl_session->session.version == DTLSV1DOT3_VERSION0xfefc) {
4369 return "dtls13";
4370 } else {
4371 return "tls13 ";
4372 }
4373}
4374
4375/*
4376 * Computes HKDF-Expand-Label(Secret, Label, Hash(context_value), Length) with a
4377 * custom label prefix. If "context_hash" is NULL, then an empty context is
4378 * used. Otherwise it must have the same length as the hash algorithm output.
4379 */
4380bool_Bool
4381tls13_hkdf_expand_label_context(int md, const StringInfo *secret,
4382 const char *label_prefix, const char *label,
4383 const uint8_t *context_hash, uint8_t context_length,
4384 uint16_t out_len, unsigned char **out)
4385{
4386 /* RFC 8446 Section 7.1:
4387 * HKDF-Expand-Label(Secret, Label, Context, Length) =
4388 * HKDF-Expand(Secret, HkdfLabel, Length)
4389 * struct {
4390 * uint16 length = Length;
4391 * opaque label<7..255> = "tls13 " + Label; // "tls13 " is label prefix.
4392 * opaque context<0..255> = Context;
4393 * } HkdfLabel;
4394 *
4395 * RFC 5869 HMAC-based Extract-and-Expand Key Derivation Function (HKDF):
4396 * HKDF-Expand(PRK, info, L) -> OKM
4397 */
4398 gcry_error_t err;
4399 const unsigned label_prefix_length = (unsigned) strlen(label_prefix);
4400 const unsigned label_length = (unsigned) strlen(label);
4401
4402 /* Some sanity checks */
4403 DISSECTOR_ASSERT(label_length > 0 && label_prefix_length + label_length <= 255)((void) ((label_length > 0 && label_prefix_length +
label_length <= 255) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 4403, "label_length > 0 && label_prefix_length + label_length <= 255"
))));
4404
4405 /* info = HkdfLabel { length, label, context } */
4406 GByteArray *info = g_byte_array_new();
4407 const uint16_t length = g_htons(out_len)(((((guint16) ( (guint16) ((guint16) (out_len) >> 8) | (
guint16) ((guint16) (out_len) << 8))))));
4408 g_byte_array_append(info, (const uint8_t *)&length, sizeof(length));
4409
4410 const uint8_t label_vector_length = label_prefix_length + label_length;
4411 g_byte_array_append(info, &label_vector_length, 1);
4412 g_byte_array_append(info, (const uint8_t *)label_prefix, label_prefix_length);
4413 g_byte_array_append(info, (const uint8_t*)label, label_length);
4414
4415 g_byte_array_append(info, &context_length, 1);
4416 if (context_length) {
4417 g_byte_array_append(info, context_hash, context_length);
4418 }
4419
4420 *out = (unsigned char *)wmem_alloc(NULL((void*)0), out_len);
4421 err = hkdf_expand(md, secret->data, secret->data_len, info->data, info->len, *out, out_len);
4422 g_byte_array_free(info, true1);
4423
4424 if (err) {
4425 ssl_debug_printf("%s failed %d: %s\n", G_STRFUNC((const char*) (__func__)), md, gcry_strerror(err));
4426 wmem_free(NULL((void*)0), *out);
4427 *out = NULL((void*)0);
4428 return false0;
4429 }
4430
4431 return true1;
4432}
4433
4434bool_Bool
4435tls13_hkdf_expand_label(int md, const StringInfo *secret,
4436 const char *label_prefix, const char *label,
4437 uint16_t out_len, unsigned char **out)
4438{
4439 return tls13_hkdf_expand_label_context(md, secret, label_prefix, label, NULL((void*)0), 0, out_len, out);
4440}
4441/* HMAC and the Pseudorandom function }}} */
4442
4443/* Record Decompression (after decryption) {{{ */
4444#ifdef USE_ZLIB_OR_ZLIBNG
4445/* memory allocation functions for zlib initialization */
4446static void* ssl_zalloc(void* opaque _U___attribute__((unused)), unsigned int no, unsigned int size)
4447{
4448 return g_malloc0(no*size);
4449}
4450static void ssl_zfree(void* opaque _U___attribute__((unused)), void* addr)
4451{
4452 g_free(addr);
4453}
4454#endif /* USE_ZLIB_OR_ZLIBNG */
4455
4456static SslDecompress*
4457ssl_create_decompressor(int compression)
4458{
4459 SslDecompress *decomp;
4460#ifdef USE_ZLIB_OR_ZLIBNG
4461 int err;
4462#endif
4463
4464 if (compression == 0) return NULL((void*)0);
4465 ssl_debug_printf("ssl_create_decompressor: compression method %d\n", compression);
4466 decomp = wmem_new(wmem_file_scope(), SslDecompress)((SslDecompress*)wmem_alloc((wmem_file_scope()), sizeof(SslDecompress
)));
4467 decomp->compression = compression;
4468 switch (decomp->compression) {
4469#ifdef USE_ZLIB_OR_ZLIBNG
4470 case 1: /* DEFLATE */
4471 decomp->istream.zalloc = ssl_zalloc;
4472 decomp->istream.zfree = ssl_zfree;
4473 decomp->istream.opaque = Z_NULL0;
4474 decomp->istream.next_in = Z_NULL0;
4475 decomp->istream.next_out = Z_NULL0;
4476 decomp->istream.avail_in = 0;
4477 decomp->istream.avail_out = 0;
4478 err = ZLIB_PREFIX(inflateInit)(&decomp->istream)inflateInit_((&decomp->istream), "1.3", (int)sizeof(z_stream
));
4479 if (err != Z_OK0) {
4480 ssl_debug_printf("ssl_create_decompressor: inflateInit_() failed - %d\n", err);
4481 return NULL((void*)0);
4482 }
4483 break;
4484#endif /* USE_ZLIB_OR_ZLIBNG */
4485 default:
4486 ssl_debug_printf("ssl_create_decompressor: unsupported compression method %d\n", decomp->compression);
4487 return NULL((void*)0);
4488 }
4489 return decomp;
4490}
4491
4492#ifdef USE_ZLIB_OR_ZLIBNG
4493static int
4494ssl_decompress_record(SslDecompress* decomp, const unsigned char* in, unsigned inl, StringInfo* out_str, unsigned* outl)
4495{
4496 int err;
4497
4498 switch (decomp->compression) {
4499 case 1: /* DEFLATE */
4500 err = Z_OK0;
4501 if (out_str->data_len < 16384) { /* maximal plain length */
4502 ssl_data_realloc(out_str, 16384);
4503 }
4504#ifdef z_constconst
4505 decomp->istream.next_in = in;
4506#else
4507DIAG_OFF(cast-qual)clang diagnostic push clang diagnostic ignored "-Wcast-qual"
4508 decomp->istream.next_in = (Bytef *)in;
4509DIAG_ON(cast-qual)clang diagnostic pop
4510#endif
4511 decomp->istream.avail_in = inl;
4512 decomp->istream.next_out = out_str->data;
4513 decomp->istream.avail_out = out_str->data_len;
4514 if (inl > 0)
4515 err = ZLIB_PREFIX(inflate)inflate(&decomp->istream, Z_SYNC_FLUSH2);
4516 if (err != Z_OK0) {
4517 ssl_debug_printf("ssl_decompress_record: inflate() failed - %d\n", err);
4518 return -1;
4519 }
4520 *outl = out_str->data_len - decomp->istream.avail_out;
4521 break;
4522 default:
4523 ssl_debug_printf("ssl_decompress_record: unsupported compression method %d\n", decomp->compression);
4524 return -1;
4525 }
4526 return 0;
4527}
4528#else /* USE_ZLIB_OR_ZLIBNG */
4529int
4530ssl_decompress_record(SslDecompress* decomp _U___attribute__((unused)), const unsigned char* in _U___attribute__((unused)), unsigned inl _U___attribute__((unused)), StringInfo* out_str _U___attribute__((unused)), unsigned* outl _U___attribute__((unused)))
4531{
4532 ssl_debug_printf("ssl_decompress_record: unsupported compression method %d\n", decomp->compression);
4533 return -1;
4534}
4535#endif /* USE_ZLIB_OR_ZLIBNG */
4536/* Record Decompression (after decryption) }}} */
4537
4538/* Create a new structure to store decrypted chunks. {{{ */
4539static SslFlow*
4540ssl_create_flow(void)
4541{
4542 SslFlow *flow;
4543
4544 flow = wmem_new(wmem_file_scope(), SslFlow)((SslFlow*)wmem_alloc((wmem_file_scope()), sizeof(SslFlow)));
4545 flow->byte_seq = 0;
4546 flow->flags = 0;
4547 flow->multisegment_pdus = wmem_tree_new(wmem_file_scope());
4548 return flow;
4549}
4550/* }}} */
4551
4552/* Use the negotiated security parameters for decryption. {{{ */
4553void
4554ssl_change_cipher(SslDecryptSession *ssl_session, bool_Bool server)
4555{
4556 SslDecoder **new_decoder = server ? &ssl_session->server_new : &ssl_session->client_new;
4557 SslDecoder **dest = server ? &ssl_session->server : &ssl_session->client;
4558 ssl_debug_printf("ssl_change_cipher %s%s\n", server ? "SERVER" : "CLIENT",
4559 *new_decoder ? "" : " (No decoder found - retransmission?)");
4560 if (*new_decoder) {
4561 *dest = *new_decoder;
4562 *new_decoder = NULL((void*)0);
4563 }
4564}
4565/* }}} */
4566
4567/* Init cipher state given some security parameters. {{{ */
4568static bool_Bool
4569ssl_decoder_destroy_cb(wmem_allocator_t *, wmem_cb_event_t, void *);
4570
4571static SslDecoder*
4572ssl_create_decoder(const SslCipherSuite *cipher_suite, int cipher_algo,
4573 int compression, uint8_t *mk, uint8_t *sk, uint8_t *sn_key, uint8_t *iv, unsigned iv_length)
4574{
4575 SslDecoder *dec;
4576 ssl_cipher_mode_t mode = cipher_suite->mode;
4577
4578 dec = wmem_new0(wmem_file_scope(), SslDecoder)((SslDecoder*)wmem_alloc0((wmem_file_scope()), sizeof(SslDecoder
)));
4579 /* init mac buffer: mac storage is embedded into decoder struct to save a
4580 memory allocation and waste samo more memory*/
4581 dec->cipher_suite=cipher_suite;
4582 dec->compression = compression;
4583 if ((mode == MODE_STREAM && mk != NULL((void*)0)) || mode == MODE_CBC) {
4584 // AEAD ciphers use no MAC key, but stream and block ciphers do. Note
4585 // the special case for NULL ciphers, even if there is insufficiency
4586 // keying material (including MAC key), we will can still create
4587 // decoders since "decryption" is easy for such ciphers.
4588 dec->mac_key.data = dec->_mac_key_or_write_iv;
4589 ssl_data_set(&dec->mac_key, mk, ssl_cipher_suite_dig(cipher_suite)->len);
4590 } else if (mode == MODE_GCM || mode == MODE_CCM || mode == MODE_CCM_8 || mode == MODE_POLY1305) {
4591 // Input for the nonce, to be used with AEAD ciphers.
4592 DISSECTOR_ASSERT(iv_length <= sizeof(dec->_mac_key_or_write_iv))((void) ((iv_length <= sizeof(dec->_mac_key_or_write_iv
)) ? (void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\""
, "epan/dissectors/packet-tls-utils.c", 4592, "iv_length <= sizeof(dec->_mac_key_or_write_iv)"
))));
4593 dec->write_iv.data = dec->_mac_key_or_write_iv;
4594 ssl_data_set(&dec->write_iv, iv, iv_length);
4595 }
4596 dec->seq = 0;
4597 dec->decomp = ssl_create_decompressor(compression);
4598 wmem_register_callback(wmem_file_scope(), ssl_decoder_destroy_cb, dec);
4599
4600 if (ssl_cipher_init(&dec->evp,cipher_algo,sk,iv,cipher_suite->mode) < 0) {
4601 ssl_debug_printf("%s: can't create cipher id:%d mode:%d\n", G_STRFUNC((const char*) (__func__)),
4602 cipher_algo, cipher_suite->mode);
4603 return NULL((void*)0);
4604 }
4605
4606 if (cipher_suite->enc != ENC_NULL0x3D && sn_key != NULL((void*)0)) {
4607 if (cipher_suite->enc == ENC_AES0x35 || cipher_suite->enc == ENC_AES2560x36) {
4608 mode = MODE_ECB;
4609 } else if (cipher_suite->enc == ENC_CHACHA200x3A) {
4610 mode = MODE_STREAM;
4611 } else {
4612 ssl_debug_printf("not supported encryption algorithm for DTLSv1.3\n");
4613 return NULL((void*)0);
4614 }
4615
4616 if (ssl_cipher_init(&dec->sn_evp, cipher_algo, sn_key, NULL((void*)0), mode) < 0) {
4617 ssl_debug_printf("%s: can't create cipher id:%d mode:%d for seq number decryption\n", G_STRFUNC((const char*) (__func__)),
4618 cipher_algo, MODE_ECB);
4619 ssl_cipher_cleanup(&dec->evp);
4620 dec->evp = NULL((void*)0);
4621 return NULL((void*)0);
4622 }
4623 } else {
4624 dec->sn_evp = NULL((void*)0);
4625 }
4626
4627 dec->dtls13_aad.data = NULL((void*)0);
4628 dec->dtls13_aad.data_len = 0;
4629 ssl_debug_printf("decoder initialized (digest len %d)\n", ssl_cipher_suite_dig(cipher_suite)->len);
4630 return dec;
4631}
4632
4633static bool_Bool
4634ssl_decoder_destroy_cb(wmem_allocator_t *allocator _U___attribute__((unused)), wmem_cb_event_t event _U___attribute__((unused)), void *user_data)
4635{
4636 SslDecoder *dec = (SslDecoder *) user_data;
4637
4638 if (dec->evp)
4639 ssl_cipher_cleanup(&dec->evp);
4640 if (dec->sn_evp)
4641 ssl_cipher_cleanup(&dec->sn_evp);
4642
4643#ifdef USE_ZLIB_OR_ZLIBNG
4644 if (dec->decomp != NULL((void*)0) && dec->decomp->compression == 1 /* DEFLATE */)
4645 ZLIB_PREFIX(inflateEnd)inflateEnd(&dec->decomp->istream);
4646#endif
4647
4648 return false0;
4649}
4650/* }}} */
4651
4652/* (Pre-)master secrets calculations {{{ */
4653#ifdef HAVE_LIBGNUTLS1
4654static bool_Bool
4655ssl_decrypt_pre_master_secret(SslDecryptSession *ssl_session,
4656 StringInfo *encrypted_pre_master,
4657 GHashTable *key_hash);
4658#endif /* HAVE_LIBGNUTLS */
4659
4660static bool_Bool
4661ssl_restore_master_key(SslDecryptSession *ssl, const char *label,
4662 bool_Bool is_pre_master, GHashTable *ht, StringInfo *key);
4663
4664bool_Bool
4665ssl_generate_pre_master_secret(SslDecryptSession *ssl_session,
4666 uint32_t length, tvbuff_t *tvb, uint32_t offset,
4667 const char *ssl_psk, packet_info *pinfo,
4668#ifdef HAVE_LIBGNUTLS1
4669 GHashTable *key_hash,
4670#endif
4671 const ssl_master_key_map_t *mk_map)
4672{
4673 /* check for required session data */
4674 ssl_debug_printf("%s: found SSL_HND_CLIENT_KEY_EXCHG, state %X\n",
4675 G_STRFUNC((const char*) (__func__)), ssl_session->state);
4676 if ((ssl_session->state & (SSL_CIPHER(1<<2)|SSL_CLIENT_RANDOM(1<<0)|SSL_SERVER_RANDOM(1<<1)|SSL_VERSION(1<<4))) !=
4677 (SSL_CIPHER(1<<2)|SSL_CLIENT_RANDOM(1<<0)|SSL_SERVER_RANDOM(1<<1)|SSL_VERSION(1<<4))) {
4678 ssl_debug_printf("%s: not enough data to generate key (required state %X)\n", G_STRFUNC((const char*) (__func__)),
4679 (SSL_CIPHER(1<<2)|SSL_CLIENT_RANDOM(1<<0)|SSL_SERVER_RANDOM(1<<1)|SSL_VERSION(1<<4)));
4680 return false0;
4681 }
4682
4683 if (ssl_session->session.version == TLSV1DOT3_VERSION0x304) {
4684 ssl_debug_printf("%s: detected TLS 1.3 which has no pre-master secrets\n", G_STRFUNC((const char*) (__func__)));
4685 return false0;
4686 }
4687
4688 /* check to see if the PMS was provided to us*/
4689 if (ssl_restore_master_key(ssl_session, "Unencrypted pre-master secret", true1,
4690 mk_map->pms, &ssl_session->client_random)) {
4691 return true1;
4692 }
4693
4694 if (ssl_session->cipher_suite->kex == KEX_PSK0x1d)
4695 {
4696 /* calculate pre master secret*/
4697 StringInfo pre_master_secret;
4698 unsigned psk_len, pre_master_len;
4699
4700 if (!ssl_psk || (ssl_psk[0] == 0)) {
4701 ssl_debug_printf("%s: can't find pre-shared key\n", G_STRFUNC((const char*) (__func__)));
4702 return false0;
4703 }
4704
4705 /* convert hex string into char*/
4706 if (!from_hex(&ssl_session->psk, ssl_psk, strlen(ssl_psk))) {
4707 ssl_debug_printf("%s: ssl.psk/dtls.psk contains invalid hex\n",
4708 G_STRFUNC((const char*) (__func__)));
4709 return false0;
4710 }
4711
4712 psk_len = ssl_session->psk.data_len;
4713 if (psk_len >= (2 << 15)) {
4714 ssl_debug_printf("%s: ssl.psk/dtls.psk must not be larger than 2^15 - 1\n",
4715 G_STRFUNC((const char*) (__func__)));
4716 return false0;
4717 }
4718
4719
4720 pre_master_len = psk_len * 2 + 4;
4721
4722 pre_master_secret.data = (unsigned char *)wmem_alloc(wmem_file_scope(), pre_master_len);
4723 pre_master_secret.data_len = pre_master_len;
4724 /* 2 bytes psk_len*/
4725 pre_master_secret.data[0] = psk_len >> 8;
4726 pre_master_secret.data[1] = psk_len & 0xFF;
4727 /* psk_len bytes times 0*/
4728 memset(&pre_master_secret.data[2], 0, psk_len);
4729 /* 2 bytes psk_len*/
4730 pre_master_secret.data[psk_len + 2] = psk_len >> 8;
4731 pre_master_secret.data[psk_len + 3] = psk_len & 0xFF;
4732 /* psk*/
4733 memcpy(&pre_master_secret.data[psk_len + 4], ssl_session->psk.data, psk_len);
4734
4735 ssl_session->pre_master_secret.data = pre_master_secret.data;
4736 ssl_session->pre_master_secret.data_len = pre_master_len;
4737 /*ssl_debug_printf("pre master secret",&ssl->pre_master_secret);*/
4738
4739 /* Remove the master secret if it was there.
4740 This forces keying material regeneration in
4741 case we're renegotiating */
4742 ssl_session->state &= ~(SSL_MASTER_SECRET(1<<5)|SSL_HAVE_SESSION_KEY(1<<3));
4743 ssl_session->state |= SSL_PRE_MASTER_SECRET(1<<6);
4744 return true1;
4745 }
4746 else
4747 {
4748 unsigned encrlen, skip;
4749 encrlen = length;
4750 skip = 0;
4751
4752 /* get encrypted data, on tls1 we have to skip two bytes
4753 * (it's the encrypted len and should be equal to record len - 2)
4754 * in case of rsa1024 that would be 128 + 2 = 130; for psk not necessary
4755 */
4756 if (ssl_session->cipher_suite->kex == KEX_RSA0x1e &&
4757 (ssl_session->session.version == TLSV1_VERSION0x301 ||
4758 ssl_session->session.version == TLSV1DOT1_VERSION0x302 ||
4759 ssl_session->session.version == TLSV1DOT2_VERSION0x303 ||
4760 ssl_session->session.version == DTLSV1DOT0_VERSION0xfeff ||
4761 ssl_session->session.version == DTLSV1DOT2_VERSION0xfefd ||
4762 ssl_session->session.version == TLCPV1_VERSION0x101 ))
4763 {
4764 encrlen = tvb_get_ntohs(tvb, offset);
4765 skip = 2;
4766 if (encrlen > length - 2)
4767 {
4768 ssl_debug_printf("%s: wrong encrypted length (%d max %d)\n",
4769 G_STRFUNC((const char*) (__func__)), encrlen, length);
4770 return false0;
4771 }
4772 }
4773 /* the valid lower bound is higher than 8, but it is sufficient for the
4774 * ssl keylog file below */
4775 if (encrlen < 8) {
4776 ssl_debug_printf("%s: invalid encrypted pre-master key length %d\n",
4777 G_STRFUNC((const char*) (__func__)), encrlen);
4778 return false0;
4779 }
4780
4781 StringInfo encrypted_pre_master = {
4782 .data = (unsigned char *)tvb_memdup(pinfo->pool, tvb, offset + skip, encrlen),
4783 .data_len = encrlen,
4784 };
4785
4786#ifdef HAVE_LIBGNUTLS1
4787 /* Try to lookup an appropriate RSA private key to decrypt the Encrypted Pre-Master Secret. */
4788 if (ssl_session->cert_key_id) {
4789 if (ssl_decrypt_pre_master_secret(ssl_session, &encrypted_pre_master, key_hash))
4790 return true1;
4791
4792 ssl_debug_printf("%s: can't decrypt pre-master secret\n",
4793 G_STRFUNC((const char*) (__func__)));
4794 }
4795#endif /* HAVE_LIBGNUTLS */
4796
4797 /* try to find the pre-master secret from the encrypted one. The
4798 * ssl key logfile stores only the first 8 bytes, so truncate it */
4799 encrypted_pre_master.data_len = 8;
4800 if (ssl_restore_master_key(ssl_session, "Encrypted pre-master secret",
4801 true1, mk_map->pre_master, &encrypted_pre_master))
4802 return true1;
4803 }
4804 return false0;
4805}
4806
4807/* Used for (D)TLS 1.2 and earlier versions (not with TLS 1.3). */
4808int
4809ssl_generate_keyring_material(SslDecryptSession*ssl_session)
4810{
4811 StringInfo key_block = { NULL((void*)0), 0 };
4812 uint8_t _iv_c[MAX_BLOCK_SIZE16],_iv_s[MAX_BLOCK_SIZE16];
4813 uint8_t _key_c[MAX_KEY_SIZE32],_key_s[MAX_KEY_SIZE32];
4814 int needed;
4815 int cipher_algo = -1; /* special value (-1) for NULL encryption */
4816 unsigned encr_key_len, write_iv_len = 0;
4817 bool_Bool is_export_cipher;
4818 uint8_t *ptr, *c_iv = NULL((void*)0), *s_iv = NULL((void*)0);
4819 uint8_t *c_wk = NULL((void*)0), *s_wk = NULL((void*)0), *c_mk = NULL((void*)0), *s_mk = NULL((void*)0);
4820 const SslCipherSuite *cipher_suite = ssl_session->cipher_suite;
4821
4822 /* (D)TLS 1.3 is handled directly in tls13_change_key. */
4823 if (ssl_session->session.version
7.1
Field 'version' is not equal to TLSV1DOT3_VERSION
 == TLSV1DOT3_VERSION0x304 || ssl_session->session.version == DTLSV1DOT3_VERSION0xfefc) {
8
Assuming field 'version' is not equal to DTLSV1DOT3_VERSION
9
Taking false branch
4824 ssl_debug_printf("%s: detected TLS 1.3. Should not have been called!\n", G_STRFUNC((const char*) (__func__)));
4825 return -1;
4826 }
4827
4828 /* check for enough info to proceed */
4829 unsigned need_all = SSL_CIPHER(1<<2)|SSL_CLIENT_RANDOM(1<<0)|SSL_SERVER_RANDOM(1<<1)|SSL_VERSION(1<<4);
4830 unsigned need_any = SSL_MASTER_SECRET(1<<5) | SSL_PRE_MASTER_SECRET(1<<6);
4831 if (((ssl_session->state & need_all) != need_all) || ((ssl_session->state & need_any) == 0)) {
10
Assuming the condition is false
11
Assuming the condition is false
12
Taking false branch
4832 ssl_debug_printf("ssl_generate_keyring_material not enough data to generate key "
4833 "(0x%02X required 0x%02X or 0x%02X)\n", ssl_session->state,
4834 need_all|SSL_MASTER_SECRET(1<<5), need_all|SSL_PRE_MASTER_SECRET(1<<6));
4835 /* Special case: for NULL encryption, allow dissection of data even if
4836 * the Client Hello is missing (MAC keys are now skipped though). */
4837 need_all = SSL_CIPHER(1<<2)|SSL_VERSION(1<<4);
4838 if ((ssl_session->state & need_all) == need_all &&
4839 cipher_suite->enc == ENC_NULL0x3D) {
4840 ssl_debug_printf("%s NULL cipher found, will create a decoder but "
4841 "skip MAC validation as keys are missing.\n", G_STRFUNC((const char*) (__func__)));
4842 goto create_decoders;
4843 }
4844
4845 return -1;
4846 }
4847
4848 /* if master key is not available, generate is from the pre-master secret */
4849 if (!(ssl_session->state & SSL_MASTER_SECRET(1<<5))) {
13
Assuming the condition is true
14
Taking true branch
4850 if ((ssl_session->state & SSL_EXTENDED_MASTER_SECRET_MASK((1<<7)|(1<<8))) == SSL_EXTENDED_MASTER_SECRET_MASK((1<<7)|(1<<8))) {
15
Assuming the condition is true
16
Taking true branch
4851 StringInfo handshake_hashed_data;
4852 int ret;
4853
4854 handshake_hashed_data.data = NULL((void*)0);
4855 handshake_hashed_data.data_len = 0;
4856
4857 ssl_debug_printf("%s:PRF(pre_master_secret_extended)\n", G_STRFUNC((const char*) (__func__)));
4858 ssl_print_string("pre master secret",&ssl_session->pre_master_secret);
4859 DISSECTOR_ASSERT(ssl_session->handshake_data.data_len > 0)((void) ((ssl_session->handshake_data.data_len > 0) ? (
void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\""
, "epan/dissectors/packet-tls-utils.c", 4859, "ssl_session->handshake_data.data_len > 0"
))));
17
Assuming field 'data_len' is > 0
18
'?' condition is true
4860
4861 switch(ssl_session->session.version) {
19
Control jumps to 'case 257:' at line 4866
4862 case TLSV1_VERSION0x301:
4863 case TLSV1DOT1_VERSION0x302:
4864 case DTLSV1DOT0_VERSION0xfeff:
4865 case DTLSV1DOT0_OPENSSL_VERSION0x100:
4866 case TLCPV1_VERSION0x101:
4867 ret = tls_handshake_hash(ssl_session, &handshake_hashed_data);
20
Calling 'tls_handshake_hash'
28
Returned allocated memory
4868 break;
4869 default:
4870 switch (cipher_suite->dig) {
4871 case DIG_SHA3840x43:
4872 ret = tls12_handshake_hash(ssl_session, GCRY_MD_SHA384, &handshake_hashed_data);
4873 break;
4874 default:
4875 ret = tls12_handshake_hash(ssl_session, GCRY_MD_SHA256, &handshake_hashed_data);
4876 break;
4877 }
4878 break;
4879 }
4880 if (ret
29.1
'ret' is -1
) {
29
 Execution continues on line 4880
30
Taking true branch
4881 ssl_debug_printf("%s can't generate handshake hash\n", G_STRFUNC((const char*) (__func__)));
31
Potential leak of memory pointed to by 'handshake_hashed_data.data'
4882 return -1;
4883 }
4884
4885 wmem_free(wmem_file_scope(), ssl_session->handshake_data.data);
4886 ssl_session->handshake_data.data = NULL((void*)0);
4887 ssl_session->handshake_data.data_len = 0;
4888
4889 if (!prf(ssl_session, &ssl_session->pre_master_secret, "extended master secret",
4890 &handshake_hashed_data,
4891 NULL((void*)0), &ssl_session->master_secret,
4892 SSL_MASTER_SECRET_LENGTH48)) {
4893 ssl_debug_printf("%s can't generate master_secret\n", G_STRFUNC((const char*) (__func__)));
4894 g_free(handshake_hashed_data.data);
4895 return -1;
4896 }
4897 g_free(handshake_hashed_data.data);
4898 } else {
4899 ssl_debug_printf("%s:PRF(pre_master_secret)\n", G_STRFUNC((const char*) (__func__)));
4900 ssl_print_string("pre master secret",&ssl_session->pre_master_secret);
4901 ssl_print_string("client random",&ssl_session->client_random);
4902 ssl_print_string("server random",&ssl_session->server_random);
4903 if (!prf(ssl_session, &ssl_session->pre_master_secret, "master secret",
4904 &ssl_session->client_random,
4905 &ssl_session->server_random, &ssl_session->master_secret,
4906 SSL_MASTER_SECRET_LENGTH48)) {
4907 ssl_debug_printf("%s can't generate master_secret\n", G_STRFUNC((const char*) (__func__)));
4908 return -1;
4909 }
4910 }
4911 ssl_print_string("master secret",&ssl_session->master_secret);
4912
4913 /* the pre-master secret has been 'consumed' so we must clear it now */
4914 ssl_session->state &= ~SSL_PRE_MASTER_SECRET(1<<6);
4915 ssl_session->state |= SSL_MASTER_SECRET(1<<5);
4916 }
4917
4918 /* Find the Libgcrypt cipher algorithm for the given SSL cipher suite ID */
4919 if (cipher_suite->enc != ENC_NULL0x3D) {
4920 const char *cipher_name = ciphers[cipher_suite->enc-ENC_START0x30];
4921 ssl_debug_printf("%s CIPHER: %s\n", G_STRFUNC((const char*) (__func__)), cipher_name);
4922 cipher_algo = ssl_get_cipher_by_name(cipher_name);
4923 if (cipher_algo == 0) {
4924 ssl_debug_printf("%s can't find cipher %s\n", G_STRFUNC((const char*) (__func__)), cipher_name);
4925 return -1;
4926 }
4927 }
4928
4929 /* Export ciphers consume less material from the key block. */
4930 encr_key_len = ssl_get_cipher_export_keymat_size(cipher_suite->number);
4931 is_export_cipher = encr_key_len > 0;
4932 if (!is_export_cipher && cipher_suite->enc != ENC_NULL0x3D) {
4933 encr_key_len = (unsigned)gcry_cipher_get_algo_keylen(cipher_algo);
4934 }
4935
4936 if (cipher_suite->mode == MODE_CBC) {
4937 write_iv_len = (unsigned)gcry_cipher_get_algo_blklen(cipher_algo);
4938 } else if (cipher_suite->mode == MODE_GCM || cipher_suite->mode == MODE_CCM || cipher_suite->mode == MODE_CCM_8) {
4939 /* account for a four-byte salt for client and server side (from
4940 * client_write_IV and server_write_IV), see GCMNonce (RFC 5288) */
4941 write_iv_len = 4;
4942 } else if (cipher_suite->mode == MODE_POLY1305) {
4943 /* RFC 7905: SecurityParameters.fixed_iv_length is twelve bytes */
4944 write_iv_len = 12;
4945 }
4946
4947 /* Compute the key block. First figure out how much data we need */
4948 needed = ssl_cipher_suite_dig(cipher_suite)->len*2; /* MAC key */
4949 needed += 2 * encr_key_len; /* encryption key */
4950 needed += 2 * write_iv_len; /* write IV */
4951
4952 key_block.data = (unsigned char *)g_malloc(needed);
4953 ssl_debug_printf("%s sess key generation\n", G_STRFUNC((const char*) (__func__)));
4954 if (!prf(ssl_session, &ssl_session->master_secret, "key expansion",
4955 &ssl_session->server_random,&ssl_session->client_random,
4956 &key_block, needed)) {
4957 ssl_debug_printf("%s can't generate key_block\n", G_STRFUNC((const char*) (__func__)));
4958 goto fail;
4959 }
4960 ssl_print_string("key expansion", &key_block);
4961
4962 ptr=key_block.data;
4963 /* client/server write MAC key (for non-AEAD ciphers) */
4964 if (cipher_suite->mode == MODE_STREAM || cipher_suite->mode == MODE_CBC) {
4965 c_mk=ptr; ptr+=ssl_cipher_suite_dig(cipher_suite)->len;
4966 s_mk=ptr; ptr+=ssl_cipher_suite_dig(cipher_suite)->len;
4967 }
4968 /* client/server write encryption key */
4969 c_wk=ptr; ptr += encr_key_len;
4970 s_wk=ptr; ptr += encr_key_len;
4971 /* client/server write IV (used as IV (for CBC) or salt (for AEAD)) */
4972 if (write_iv_len > 0) {
4973 c_iv=ptr; ptr += write_iv_len;
4974 s_iv=ptr; /* ptr += write_iv_len; */
4975 }
4976
4977 /* export ciphers work with a smaller key length */
4978 if (is_export_cipher) {
4979 if (cipher_suite->mode == MODE_CBC) {
4980
4981 /* We only have room for MAX_BLOCK_SIZE bytes IVs, but that's
4982 all we should need. This is a sanity check */
4983 if (write_iv_len > MAX_BLOCK_SIZE16) {
4984 ssl_debug_printf("%s cipher suite block must be at most %d nut is %d\n",
4985 G_STRFUNC((const char*) (__func__)), MAX_BLOCK_SIZE16, write_iv_len);
4986 goto fail;
4987 }
4988
4989 if(ssl_session->session.version==SSLV3_VERSION0x300){
4990 /* The length of these fields are ignored by this caller */
4991 StringInfo iv_c, iv_s;
4992 iv_c.data = _iv_c;
4993 iv_s.data = _iv_s;
4994
4995 ssl_debug_printf("%s ssl3_generate_export_iv\n", G_STRFUNC((const char*) (__func__)));
4996 if (!ssl3_generate_export_iv(&ssl_session->client_random,
4997 &ssl_session->server_random, &iv_c, write_iv_len)) {
4998 goto fail;
4999 }
5000 ssl_debug_printf("%s ssl3_generate_export_iv(2)\n", G_STRFUNC((const char*) (__func__)));
5001 if (!ssl3_generate_export_iv(&ssl_session->server_random,
5002 &ssl_session->client_random, &iv_s, write_iv_len)) {
5003 goto fail;
5004 }
5005 }
5006 else{
5007 uint8_t _iv_block[MAX_BLOCK_SIZE16 * 2];
5008 StringInfo iv_block;
5009 StringInfo key_null;
5010 uint8_t _key_null;
5011
5012 key_null.data = &_key_null;
5013 key_null.data_len = 0;
5014
5015 iv_block.data = _iv_block;
5016
5017 ssl_debug_printf("%s prf(iv_block)\n", G_STRFUNC((const char*) (__func__)));
5018 if (!prf(ssl_session, &key_null, "IV block",
5019 &ssl_session->client_random,
5020 &ssl_session->server_random, &iv_block,
5021 write_iv_len * 2)) {
5022 ssl_debug_printf("%s can't generate tls31 iv block\n", G_STRFUNC((const char*) (__func__)));
5023 goto fail;
5024 }
5025
5026 memcpy(_iv_c, iv_block.data, write_iv_len);
5027 memcpy(_iv_s, iv_block.data + write_iv_len, write_iv_len);
5028 }
5029
5030 c_iv=_iv_c;
5031 s_iv=_iv_s;
5032 }
5033
5034 if (ssl_session->session.version==SSLV3_VERSION0x300){
5035
5036 SSL_MD5_CTXgcry_md_hd_t md5;
5037 ssl_debug_printf("%s MD5(client_random)\n", G_STRFUNC((const char*) (__func__)));
5038
5039 if (ssl_md5_init(&md5) != 0)
5040 goto fail;
5041 ssl_md5_update(&md5,c_wk,encr_key_len);
5042 ssl_md5_update(&md5,ssl_session->client_random.data,
5043 ssl_session->client_random.data_len);
5044 ssl_md5_update(&md5,ssl_session->server_random.data,
5045 ssl_session->server_random.data_len);
5046 ssl_md5_final(_key_c,&md5);
5047 ssl_md5_cleanup(&md5);
5048 c_wk=_key_c;
5049
5050 if (ssl_md5_init(&md5) != 0)
5051 goto fail;
5052 ssl_debug_printf("%s MD5(server_random)\n", G_STRFUNC((const char*) (__func__)));
5053 ssl_md5_update(&md5,s_wk,encr_key_len);
5054 ssl_md5_update(&md5,ssl_session->server_random.data,
5055 ssl_session->server_random.data_len);
5056 ssl_md5_update(&md5,ssl_session->client_random.data,
5057 ssl_session->client_random.data_len);
5058 ssl_md5_final(_key_s,&md5);
5059 ssl_md5_cleanup(&md5);
5060 s_wk=_key_s;
5061 }
5062 else{
5063 StringInfo key_c, key_s, k;
5064 key_c.data = _key_c;
5065 key_s.data = _key_s;
5066
5067 k.data = c_wk;
5068 k.data_len = encr_key_len;
5069 ssl_debug_printf("%s PRF(key_c)\n", G_STRFUNC((const char*) (__func__)));
5070 if (!prf(ssl_session, &k, "client write key",
5071 &ssl_session->client_random,
5072 &ssl_session->server_random, &key_c, sizeof(_key_c))) {
5073 ssl_debug_printf("%s can't generate tll31 server key \n", G_STRFUNC((const char*) (__func__)));
5074 goto fail;
5075 }
5076 c_wk=_key_c;
5077
5078 k.data = s_wk;
5079 k.data_len = encr_key_len;
5080 ssl_debug_printf("%s PRF(key_s)\n", G_STRFUNC((const char*) (__func__)));
5081 if (!prf(ssl_session, &k, "server write key",
5082 &ssl_session->client_random,
5083 &ssl_session->server_random, &key_s, sizeof(_key_s))) {
5084 ssl_debug_printf("%s can't generate tll31 client key \n", G_STRFUNC((const char*) (__func__)));
5085 goto fail;
5086 }
5087 s_wk=_key_s;
5088 }
5089 }
5090
5091 /* show key material info */
5092 if (c_mk != NULL((void*)0)) {
5093 ssl_print_data("Client MAC key",c_mk,ssl_cipher_suite_dig(cipher_suite)->len);
5094 ssl_print_data("Server MAC key",s_mk,ssl_cipher_suite_dig(cipher_suite)->len);
5095 }
5096 ssl_print_data("Client Write key", c_wk, encr_key_len);
5097 ssl_print_data("Server Write key", s_wk, encr_key_len);
5098 /* used as IV for CBC mode and the AEAD implicit nonce (salt) */
5099 if (write_iv_len > 0) {
5100 ssl_print_data("Client Write IV", c_iv, write_iv_len);
5101 ssl_print_data("Server Write IV", s_iv, write_iv_len);
5102 }
5103
5104create_decoders:
5105 /* create both client and server ciphers*/
5106 ssl_debug_printf("%s ssl_create_decoder(client)\n", G_STRFUNC((const char*) (__func__)));
5107 ssl_session->client_new = ssl_create_decoder(cipher_suite, cipher_algo, ssl_session->session.compression, c_mk, c_wk, NULL((void*)0), c_iv, write_iv_len);
5108 if (!ssl_session->client_new) {
5109 ssl_debug_printf("%s can't init client decoder\n", G_STRFUNC((const char*) (__func__)));
5110 goto fail;
5111 }
5112 ssl_debug_printf("%s ssl_create_decoder(server)\n", G_STRFUNC((const char*) (__func__)));
5113 ssl_session->server_new = ssl_create_decoder(cipher_suite, cipher_algo, ssl_session->session.compression, s_mk, s_wk, NULL((void*)0), s_iv, write_iv_len);
5114 if (!ssl_session->server_new) {
5115 ssl_debug_printf("%s can't init server decoder\n", G_STRFUNC((const char*) (__func__)));
5116 goto fail;
5117 }
5118
5119 /* Continue the SSL stream after renegotiation with new keys. */
5120 ssl_session->client_new->flow = ssl_session->client ? ssl_session->client->flow : ssl_create_flow();
5121 ssl_session->server_new->flow = ssl_session->server ? ssl_session->server->flow : ssl_create_flow();
5122
5123 ssl_debug_printf("%s: client seq %" PRIu64"l" "u" ", server seq %" PRIu64"l" "u" "\n",
5124 G_STRFUNC((const char*) (__func__)), ssl_session->client_new->seq, ssl_session->server_new->seq);
5125 g_free(key_block.data);
5126 ssl_session->state |= SSL_HAVE_SESSION_KEY(1<<3);
5127 return 0;
5128
5129fail:
5130 g_free(key_block.data);
5131 return -1;
5132}
5133
5134/* Generated the key material based on the given secret. */
5135bool_Bool
5136tls13_generate_keys(SslDecryptSession *ssl_session, const StringInfo *secret, bool_Bool is_from_server)
5137{
5138 bool_Bool success = false0;
5139 unsigned char *write_key = NULL((void*)0), *write_iv = NULL((void*)0);
5140 unsigned char *sn_key = NULL((void*)0);
5141 SslDecoder *decoder;
5142 unsigned key_length, iv_length;
5143 int hash_algo;
5144 const SslCipherSuite *cipher_suite = ssl_session->cipher_suite;
5145 int cipher_algo;
5146
5147 if ((ssl_session->session.version != TLSV1DOT3_VERSION0x304) && (ssl_session->session.version != DTLSV1DOT3_VERSION0xfefc)) {
5148 ssl_debug_printf("%s only usable for TLS 1.3, not %#x!\n", G_STRFUNC((const char*) (__func__)),
5149 ssl_session->session.version);
5150 return false0;
5151 }
5152
5153 if (cipher_suite == NULL((void*)0)) {
5154 ssl_debug_printf("%s Unknown cipher\n", G_STRFUNC((const char*) (__func__)));
5155 return false0;
5156 }
5157
5158 if (cipher_suite->kex != KEX_TLS130x23) {
5159 ssl_debug_printf("%s Invalid cipher suite 0x%04x spotted!\n", G_STRFUNC((const char*) (__func__)), cipher_suite->number);
5160 return false0;
5161 }
5162
5163 /* Find the Libgcrypt cipher algorithm for the given SSL cipher suite ID */
5164 const char *cipher_name = ciphers[cipher_suite->enc-ENC_START0x30];
5165 ssl_debug_printf("%s CIPHER: %s\n", G_STRFUNC((const char*) (__func__)), cipher_name);
5166 cipher_algo = ssl_get_cipher_by_name(cipher_name);
5167 if (cipher_algo == 0) {
5168 ssl_debug_printf("%s can't find cipher %s\n", G_STRFUNC((const char*) (__func__)), cipher_name);
5169 return false0;
5170 }
5171
5172 const char *hash_name = ssl_cipher_suite_dig(cipher_suite)->name;
5173 hash_algo = ssl_get_digest_by_name(hash_name);
5174 if (!hash_algo) {
5175 ssl_debug_printf("%s can't find hash function %s\n", G_STRFUNC((const char*) (__func__)), hash_name);
5176 return false0;
5177 }
5178
5179 key_length = (unsigned) gcry_cipher_get_algo_keylen(cipher_algo);
5180 /* AES-GCM/AES-CCM/Poly1305-ChaCha20 all have N_MIN=N_MAX = 12. */
5181 iv_length = 12;
5182 ssl_debug_printf("%s key_length %u iv_length %u\n", G_STRFUNC((const char*) (__func__)), key_length, iv_length);
5183
5184 const char *label_prefix = tls13_hkdf_label_prefix(ssl_session);
5185 if (!tls13_hkdf_expand_label(hash_algo, secret, label_prefix, "key", key_length, &write_key)) {
5186 ssl_debug_printf("%s write_key expansion failed\n", G_STRFUNC((const char*) (__func__)));
5187 return false0;
5188 }
5189 if (!tls13_hkdf_expand_label(hash_algo, secret, label_prefix, "iv", iv_length, &write_iv)) {
5190 ssl_debug_printf("%s write_iv expansion failed\n", G_STRFUNC((const char*) (__func__)));
5191 goto end;
5192 }
5193
5194 if (ssl_session->session.version == DTLSV1DOT3_VERSION0xfefc) {
5195 if (!tls13_hkdf_expand_label(hash_algo, secret, label_prefix, "sn", key_length, &sn_key)) {
5196 ssl_debug_printf("%s sn_key expansion failed\n", G_STRFUNC((const char*) (__func__)));
5197 goto end;
5198 }
5199 }
5200
5201 ssl_print_data(is_from_server ? "Server Write Key" : "Client Write Key", write_key, key_length);
5202 ssl_print_data(is_from_server ? "Server Write IV" : "Client Write IV", write_iv, iv_length);
5203 if (ssl_session->session.version == DTLSV1DOT3_VERSION0xfefc) {
5204 ssl_print_data(is_from_server ? "Server Write SN" : "Client Write SN", sn_key, key_length);
5205 }
5206
5207 ssl_debug_printf("%s ssl_create_decoder(%s)\n", G_STRFUNC((const char*) (__func__)), is_from_server ? "server" : "client");
5208 decoder = ssl_create_decoder(cipher_suite, cipher_algo, 0, NULL((void*)0), write_key, sn_key, write_iv, iv_length);
5209 if (!decoder) {
5210 ssl_debug_printf("%s can't init %s decoder\n", G_STRFUNC((const char*) (__func__)), is_from_server ? "server" : "client");
5211 goto end;
5212 }
5213
5214 /* Continue the TLS session with new keys, but reuse old flow to keep things
5215 * like "Follow TLS" working (by linking application data records). */
5216 if (is_from_server) {
5217 decoder->flow = ssl_session->server ? ssl_session->server->flow : ssl_create_flow();
5218 ssl_session->server = decoder;
5219 } else {
5220 decoder->flow = ssl_session->client ? ssl_session->client->flow : ssl_create_flow();
5221 ssl_session->client = decoder;
5222 }
5223 ssl_debug_printf("%s %s ready using cipher suite 0x%04x (cipher %s hash %s)\n", G_STRFUNC((const char*) (__func__)),
5224 is_from_server ? "Server" : "Client", cipher_suite->number, cipher_name, hash_name);
5225 success = true1;
5226
5227end:
5228 wmem_free(NULL((void*)0), write_key);
5229 wmem_free(NULL((void*)0), write_iv);
5230 if (sn_key)
5231 wmem_free(NULL((void*)0), sn_key);
5232 return success;
5233}
5234/* (Pre-)master secrets calculations }}} */
5235
5236#ifdef HAVE_LIBGNUTLS1
5237/* Decrypt RSA pre-master secret using RSA private key. {{{ */
5238static bool_Bool
5239ssl_decrypt_pre_master_secret(SslDecryptSession *ssl_session,
5240 StringInfo *encrypted_pre_master, GHashTable *key_hash)
5241{
5242 int ret;
5243
5244 if (!encrypted_pre_master)
5245 return false0;
5246
5247 if (KEX_IS_DH(ssl_session->cipher_suite->kex)((ssl_session->cipher_suite->kex) >= 0x10 &&
(ssl_session->cipher_suite->kex) <= 0x1b)) {
5248 ssl_debug_printf("%s: session uses Diffie-Hellman key exchange "
5249 "(cipher suite 0x%04X %s) and cannot be decrypted "
5250 "using a RSA private key file.\n",
5251 G_STRFUNC((const char*) (__func__)), ssl_session->session.cipher,
5252 val_to_str_ext_const(ssl_session->session.cipher,
5253 &ssl_31_ciphersuite_ext, "unknown"));
5254 return false0;
5255 } else if (ssl_session->cipher_suite->kex != KEX_RSA0x1e) {
5256 ssl_debug_printf("%s key exchange %d different from KEX_RSA (%d)\n",
5257 G_STRFUNC((const char*) (__func__)), ssl_session->cipher_suite->kex, KEX_RSA0x1e);
5258 return false0;
5259 }
5260
5261 gnutls_privkey_t pk = (gnutls_privkey_t)g_hash_table_lookup(key_hash, ssl_session->cert_key_id);
5262
5263 ssl_print_string("pre master encrypted", encrypted_pre_master);
5264 ssl_debug_printf("%s: RSA_private_decrypt\n", G_STRFUNC((const char*) (__func__)));
5265 const gnutls_datum_t epms = { encrypted_pre_master->data, encrypted_pre_master->data_len };
5266 gnutls_datum_t pms = { 0 };
5267 if (pk) {
5268 // Try to decrypt using the RSA keys table from (D)TLS preferences.
5269 ret = gnutls_privkey_decrypt_data(pk, 0, &epms, &pms);
5270 } else {
5271 // Try to decrypt using a hardware token.
5272 ret = secrets_rsa_decrypt(ssl_session->cert_key_id, epms.data, epms.size, &pms.data, &pms.size);
5273 }
5274 if (ret < 0) {
5275 ssl_debug_printf("%s: decryption failed: %d (%s)\n", G_STRFUNC((const char*) (__func__)), ret, gnutls_strerror(ret));
5276 return false0;
5277 }
5278
5279 if (pms.size != 48) {
5280 ssl_debug_printf("%s wrong pre_master_secret length (%d, expected %d)\n",
5281 G_STRFUNC((const char*) (__func__)), pms.size, 48);
5282 if (pk) {
5283 gnutls_free(pms.data);
5284 } else {
5285 g_free(pms.data);
5286 }
5287 return false0;
5288 }
5289
5290 ssl_session->pre_master_secret.data = (uint8_t *)wmem_memdup(wmem_file_scope(), pms.data, 48);
5291 ssl_session->pre_master_secret.data_len = 48;
5292 if (pk) {
5293 gnutls_free(pms.data);
5294 } else {
5295 g_free(pms.data);
5296 }
5297 ssl_print_string("pre master secret", &ssl_session->pre_master_secret);
5298
5299 /* Remove the master secret if it was there.
5300 This forces keying material regeneration in
5301 case we're renegotiating */
5302 ssl_session->state &= ~(SSL_MASTER_SECRET(1<<5)|SSL_HAVE_SESSION_KEY(1<<3));
5303 ssl_session->state |= SSL_PRE_MASTER_SECRET(1<<6);
5304 return true1;
5305} /* }}} */
5306#endif /* HAVE_LIBGNUTLS */
5307
5308/* Decryption integrity check {{{ */
5309
5310static int
5311tls_check_mac(SslDecoder*decoder, int ct, int ver, uint8_t* data,
5312 uint32_t datalen, uint8_t* mac)
5313{
5314 SSL_HMACgcry_md_hd_t hm;
5315 int md;
5316 uint32_t len;
5317 uint8_t buf[DIGEST_MAX_SIZE48];
5318 int16_t temp;
5319
5320 md=ssl_get_digest_by_name(ssl_cipher_suite_dig(decoder->cipher_suite)->name);
5321 ssl_debug_printf("tls_check_mac mac type:%s md %d\n",
5322 ssl_cipher_suite_dig(decoder->cipher_suite)->name, md);
5323
5324 if (ssl_hmac_init(&hm,md) != 0)
5325 return -1;
5326 if (ssl_hmac_setkey(&hm,decoder->mac_key.data,decoder->mac_key.data_len) != 0)
5327 return -1;
5328
5329 /* hash sequence number */
5330 phtonu64(buf, decoder->seq);
5331
5332 decoder->seq++;
5333
5334 ssl_hmac_update(&hm,buf,8);
5335
5336 /* hash content type */
5337 buf[0]=ct;
5338 ssl_hmac_update(&hm,buf,1);
5339
5340 /* hash version,data length and data*/
5341 /* *((int16_t*)buf) = g_htons(ver); */
5342 temp = g_htons(ver)(((((guint16) ( (guint16) ((guint16) (ver) >> 8) | (guint16
) ((guint16) (ver) << 8))))));
5343 memcpy(buf, &temp, 2);
5344 ssl_hmac_update(&hm,buf,2);
5345
5346 /* *((int16_t*)buf) = g_htons(datalen); */
5347 temp = g_htons(datalen)(((((guint16) ( (guint16) ((guint16) (datalen) >> 8) | (
guint16) ((guint16) (datalen) << 8))))));
5348 memcpy(buf, &temp, 2);
5349 ssl_hmac_update(&hm,buf,2);
5350 ssl_hmac_update(&hm,data,datalen);
5351
5352 /* get digest and digest len*/
5353 len = sizeof(buf);
5354 ssl_hmac_final(&hm,buf,&len);
5355 ssl_hmac_cleanup(&hm);
5356 ssl_print_data("Mac", buf, len);
5357 if(memcmp(mac,buf,len))
5358 return -1;
5359
5360 return 0;
5361}
5362
5363static int
5364ssl3_check_mac(SslDecoder*decoder,int ct,uint8_t* data,
5365 uint32_t datalen, uint8_t* mac)
5366{
5367 SSL_MDgcry_md_hd_t mc;
5368 int md;
5369 uint32_t len;
5370 uint8_t buf[64],dgst[20];
5371 int pad_ct;
5372 int16_t temp;
5373
5374 pad_ct=(decoder->cipher_suite->dig==DIG_SHA0x41)?40:48;
5375
5376 /* get cipher used for digest computation */
5377 md=ssl_get_digest_by_name(ssl_cipher_suite_dig(decoder->cipher_suite)->name);
5378 if (ssl_md_init(&mc,md) !=0)
5379 return -1;
5380
5381 /* do hash computation on data && padding */
5382 ssl_md_update(&mc,decoder->mac_key.data,decoder->mac_key.data_len);
5383
5384 /* hash padding*/
5385 memset(buf,0x36,pad_ct);
5386 ssl_md_update(&mc,buf,pad_ct);
5387
5388 /* hash sequence number */
5389 phtonu64(buf, decoder->seq);
5390 decoder->seq++;
5391 ssl_md_update(&mc,buf,8);
5392
5393 /* hash content type */
5394 buf[0]=ct;
5395 ssl_md_update(&mc,buf,1);
5396
5397 /* hash data length in network byte order and data*/
5398 /* *((int16_t* )buf) = g_htons(datalen); */
5399 temp = g_htons(datalen)(((((guint16) ( (guint16) ((guint16) (datalen) >> 8) | (
guint16) ((guint16) (datalen) << 8))))));
5400 memcpy(buf, &temp, 2);
5401 ssl_md_update(&mc,buf,2);
5402 ssl_md_update(&mc,data,datalen);
5403
5404 /* get partial digest */
5405 ssl_md_final(&mc,dgst,&len);
5406 ssl_md_reset(&mc);
5407
5408 /* hash mac key */
5409 ssl_md_update(&mc,decoder->mac_key.data,decoder->mac_key.data_len);
5410
5411 /* hash padding and partial digest*/
5412 memset(buf,0x5c,pad_ct);
5413 ssl_md_update(&mc,buf,pad_ct);
5414 ssl_md_update(&mc,dgst,len);
5415
5416 ssl_md_final(&mc,dgst,&len);
5417 ssl_md_cleanup(&mc);
5418
5419 if(memcmp(mac,dgst,len))
5420 return -1;
5421
5422 return 0;
5423}
5424
5425static int
5426dtls_check_mac(SslDecryptSession *ssl, SslDecoder*decoder, int ct, uint8_t* data,
5427 uint32_t datalen, uint8_t* mac, const unsigned char *cid, uint8_t cidl)
5428{
5429 SSL_HMACgcry_md_hd_t hm;
5430 int md;
5431 uint32_t len;
5432 uint8_t buf[DIGEST_MAX_SIZE48];
5433 int16_t temp;
5434
5435 int ver = ssl->session.version;
5436 bool_Bool is_cid = ((ct == SSL_ID_TLS12_CID) && (ver == DTLSV1DOT2_VERSION0xfefd));
5437
5438 md=ssl_get_digest_by_name(ssl_cipher_suite_dig(decoder->cipher_suite)->name);
5439 ssl_debug_printf("dtls_check_mac mac type:%s md %d\n",
5440 ssl_cipher_suite_dig(decoder->cipher_suite)->name, md);
5441
5442 if (ssl_hmac_init(&hm,md) != 0)
5443 return -1;
5444 if (ssl_hmac_setkey(&hm,decoder->mac_key.data,decoder->mac_key.data_len) != 0)
5445 return -1;
5446
5447 ssl_debug_printf("dtls_check_mac seq: %" PRIu64"l" "u" " epoch: %d\n",decoder->seq,decoder->epoch);
5448
5449 if (is_cid && !ssl->session.deprecated_cid) {
5450 /* hash seq num placeholder */
5451 memset(buf,0xFF,8);
5452 ssl_hmac_update(&hm,buf,8);
5453
5454 /* hash content type + cid length + content type */
5455 buf[0]=ct;
5456 buf[1]=cidl;
5457 buf[2]=ct;
5458 ssl_hmac_update(&hm,buf,3);
5459
5460 /* hash version */
5461 temp = g_htons(ver)(((((guint16) ( (guint16) ((guint16) (ver) >> 8) | (guint16
) ((guint16) (ver) << 8))))));
5462 memcpy(buf, &temp, 2);
5463 ssl_hmac_update(&hm,buf,2);
5464
5465 /* hash sequence number */
5466 phtonu64(buf, decoder->seq);
5467 buf[0]=decoder->epoch>>8;
5468 buf[1]=(uint8_t)decoder->epoch;
5469 ssl_hmac_update(&hm,buf,8);
5470
5471 /* hash cid */
5472 ssl_hmac_update(&hm,cid,cidl);
5473 } else {
5474 /* hash sequence number */
5475 phtonu64(buf, decoder->seq);
5476 buf[0]=decoder->epoch>>8;
5477 buf[1]=(uint8_t)decoder->epoch;
5478 ssl_hmac_update(&hm,buf,8);
5479
5480 /* hash content type */
5481 buf[0]=ct;
5482 ssl_hmac_update(&hm,buf,1);
5483
5484 /* hash version */
5485 temp = g_htons(ver)(((((guint16) ( (guint16) ((guint16) (ver) >> 8) | (guint16
) ((guint16) (ver) << 8))))));
5486 memcpy(buf, &temp, 2);
5487 ssl_hmac_update(&hm,buf,2);
5488
5489 if (is_cid && ssl->session.deprecated_cid) {
5490 /* hash cid */
5491 ssl_hmac_update(&hm,cid,cidl);
5492
5493 /* hash cid length */
5494 buf[0] = cidl;
5495 ssl_hmac_update(&hm,buf,1);
5496 }
5497 }
5498
5499 /* data length and data */
5500 temp = g_htons(datalen)(((((guint16) ( (guint16) ((guint16) (datalen) >> 8) | (
guint16) ((guint16) (datalen) << 8))))));
5501 memcpy(buf, &temp, 2);
5502 ssl_hmac_update(&hm,buf,2);
5503 ssl_hmac_update(&hm,data,datalen);
5504
5505 /* get digest and digest len */
5506 len = sizeof(buf);
5507 ssl_hmac_final(&hm,buf,&len);
5508 ssl_hmac_cleanup(&hm);
5509 ssl_print_data("Mac", buf, len);
5510 if(memcmp(mac,buf,len))
5511 return -1;
5512
5513 return 0;
5514}
5515/* Decryption integrity check }}} */
5516
5517
5518static bool_Bool
5519tls_decrypt_aead_record(wmem_allocator_t* allocator, SslDecryptSession *ssl, SslDecoder *decoder,
5520 uint8_t ct, uint16_t record_version,
5521 bool_Bool ignore_mac_failed,
5522 const unsigned char *in, uint16_t inl,
5523 const unsigned char *cid, uint8_t cidl,
5524 StringInfo *out_str, unsigned *outl)
5525{
5526 /* RFC 5246 (TLS 1.2) 6.2.3.3 defines the TLSCipherText.fragment as:
5527 * GenericAEADCipher: { nonce_explicit, [content] }
5528 * In TLS 1.3 this explicit nonce is gone.
5529 * With AES GCM/CCM, "[content]" is actually the concatenation of the
5530 * ciphertext and authentication tag.
5531 */
5532 const uint16_t version = ssl->session.version;
5533 const bool_Bool is_v12 = version == TLSV1DOT2_VERSION0x303 || version == DTLSV1DOT2_VERSION0xfefd || version == TLCPV1_VERSION0x101;
5534 gcry_error_t err;
5535 const unsigned char *explicit_nonce = NULL((void*)0), *ciphertext;
5536 unsigned ciphertext_len, auth_tag_len;
5537 unsigned char nonce[12];
5538 const ssl_cipher_mode_t cipher_mode = decoder->cipher_suite->mode;
5539 const bool_Bool is_cid = ct == SSL_ID_TLS12_CID && version == DTLSV1DOT2_VERSION0xfefd;
5540 const uint8_t draft_version = ssl->session.tls13_draft_version;
5541 const unsigned char *auth_tag_wire;
5542 unsigned char auth_tag_calc[16];
5543 unsigned char *aad = NULL((void*)0);
5544 unsigned aad_len = 0;
5545
5546 switch (cipher_mode) {
5547 case MODE_GCM:
5548 case MODE_CCM:
5549 case MODE_POLY1305:
5550 auth_tag_len = 16;
5551 break;
5552 case MODE_CCM_8:
5553 auth_tag_len = 8;
5554 break;
5555 default:
5556 ssl_debug_printf("%s unsupported cipher!\n", G_STRFUNC((const char*) (__func__)));
5557 return false0;
5558 }
5559
5560 /* Parse input into explicit nonce (TLS 1.2 only), ciphertext and tag. */
5561 if (is_v12 && cipher_mode != MODE_POLY1305) {
5562 if (inl < EXPLICIT_NONCE_LEN8 + auth_tag_len) {
5563 ssl_debug_printf("%s input %d is too small for explicit nonce %d and auth tag %d\n",
5564 G_STRFUNC((const char*) (__func__)), inl, EXPLICIT_NONCE_LEN8, auth_tag_len);
5565 return false0;
5566 }
5567 explicit_nonce = in;
5568 ciphertext = explicit_nonce + EXPLICIT_NONCE_LEN8;
5569 ciphertext_len = inl - EXPLICIT_NONCE_LEN8 - auth_tag_len;
5570 } else if (version == TLSV1DOT3_VERSION0x304 || version == DTLSV1DOT3_VERSION0xfefc || cipher_mode == MODE_POLY1305) {
5571 if (inl < auth_tag_len) {
5572 ssl_debug_printf("%s input %d has no space for auth tag %d\n", G_STRFUNC((const char*) (__func__)), inl, auth_tag_len);
5573 return false0;
5574 }
5575 ciphertext = in;
5576 ciphertext_len = inl - auth_tag_len;
5577 } else {
5578 ssl_debug_printf("%s Unexpected TLS version %#x\n", G_STRFUNC((const char*) (__func__)), version);
5579 return false0;
5580 }
5581 auth_tag_wire = ciphertext + ciphertext_len;
5582
5583 /*
5584 * Nonce construction is version-specific. Note that AEAD_CHACHA20_POLY1305
5585 * (RFC 7905) uses a nonce construction similar to TLS 1.3.
5586 */
5587 if (is_v12 && cipher_mode != MODE_POLY1305) {
5588 DISSECTOR_ASSERT(decoder->write_iv.data_len == IMPLICIT_NONCE_LEN)((void) ((decoder->write_iv.data_len == 4) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 5588, "decoder->write_iv.data_len == 4"))));
5589 /* Implicit (4) and explicit (8) part of nonce. */
5590 memcpy(nonce, decoder->write_iv.data, IMPLICIT_NONCE_LEN4);
5591 memcpy(nonce + IMPLICIT_NONCE_LEN4, explicit_nonce, EXPLICIT_NONCE_LEN8);
5592
5593 } else if (version == TLSV1DOT3_VERSION0x304 || version == DTLSV1DOT3_VERSION0xfefc || cipher_mode == MODE_POLY1305) {
5594 /*
5595 * Technically the nonce length must be at least 8 bytes, but for
5596 * AES-GCM, AES-CCM and Poly1305-ChaCha20 the nonce length is exact 12.
5597 */
5598 const unsigned nonce_len = 12;
5599 DISSECTOR_ASSERT(decoder->write_iv.data_len == nonce_len)((void) ((decoder->write_iv.data_len == nonce_len) ? (void
)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\""
, "epan/dissectors/packet-tls-utils.c", 5599, "decoder->write_iv.data_len == nonce_len"
))));
5600 memcpy(nonce, decoder->write_iv.data, decoder->write_iv.data_len);
5601 /* Sequence number is left-padded with zeroes and XORed with write_iv */
5602 phtonu64(nonce + nonce_len - 8, pntohu64(nonce + nonce_len - 8) ^ decoder->seq);
5603 ssl_debug_printf("%s seq %" PRIu64"l" "u" "\n", G_STRFUNC((const char*) (__func__)), decoder->seq);
5604 }
5605
5606 /* Set nonce and additional authentication data */
5607 gcry_cipher_reset(decoder->evp)gcry_cipher_ctl ((decoder->evp), GCRYCTL_RESET, ((void*)0)
, 0);
5608 ssl_print_data("nonce", nonce, 12);
5609 err = gcry_cipher_setiv(decoder->evp, nonce, 12);
5610 if (err) {
5611 ssl_debug_printf("%s failed to set nonce: %s\n", G_STRFUNC((const char*) (__func__)), gcry_strerror(err));
5612 return false0;
5613 }
5614
5615 /* (D)TLS 1.2 needs specific AAD, TLS 1.3 (before -25) uses empty AAD. */
5616 if (is_cid) { /* if connection ID */
5617 if (ssl->session.deprecated_cid) {
5618 aad_len = 14 + cidl;
5619 aad = wmem_alloc(allocator, aad_len);
5620 phtonu64(aad, decoder->seq); /* record sequence number */
5621 phtonu16(aad, decoder->epoch); /* DTLS 1.2 includes epoch. */
5622 aad[8] = ct; /* TLSCompressed.type */
5623 phtonu16(aad + 9, record_version); /* TLSCompressed.version */
5624 memcpy(aad + 11, cid, cidl); /* cid */
5625 aad[11 + cidl] = cidl; /* cid_length */
5626 phtonu16(aad + 12 + cidl, ciphertext_len); /* TLSCompressed.length */
5627 } else {
5628 aad_len = 23 + cidl;
5629 aad = wmem_alloc(allocator, aad_len);
5630 memset(aad, 0xFF, 8); /* seq_num_placeholder */
5631 aad[8] = ct; /* TLSCompressed.type */
5632 aad[9] = cidl; /* cid_length */
5633 aad[10] = ct; /* TLSCompressed.type */
5634 phtonu16(aad + 11, record_version); /* TLSCompressed.version */
5635 phtonu64(aad + 13, decoder->seq); /* record sequence number */
5636 phtonu16(aad + 13, decoder->epoch); /* DTLS 1.2 includes epoch. */
5637 memcpy(aad + 21, cid, cidl); /* cid */
5638 phtonu16(aad + 21 + cidl, ciphertext_len); /* TLSCompressed.length */
5639 }
5640 } else if (is_v12) {
5641 aad_len = 13;
5642 aad = wmem_alloc(allocator, aad_len);
5643 phtonu64(aad, decoder->seq); /* record sequence number */
5644 if (version == DTLSV1DOT2_VERSION0xfefd) {
5645 phtonu16(aad, decoder->epoch); /* DTLS 1.2 includes epoch. */
5646 }
5647 aad[8] = ct; /* TLSCompressed.type */
5648 phtonu16(aad + 9, record_version); /* TLSCompressed.version */
5649 phtonu16(aad + 11, ciphertext_len); /* TLSCompressed.length */
5650 } else if (version == DTLSV1DOT3_VERSION0xfefc) {
5651 aad_len = decoder->dtls13_aad.data_len;
5652 aad = decoder->dtls13_aad.data;
5653 } else if (draft_version >= 25 || draft_version == 0) {
5654 aad_len = 5;
5655 aad = wmem_alloc(allocator, aad_len);
5656 aad[0] = ct; /* TLSCiphertext.opaque_type (23) */
5657 phtonu16(aad + 1, record_version); /* TLSCiphertext.legacy_record_version (0x0303) */
5658 phtonu16(aad + 3, inl); /* TLSCiphertext.length */
5659 }
5660
5661 if (decoder->cipher_suite->mode == MODE_CCM || decoder->cipher_suite->mode == MODE_CCM_8) {
5662 /* size of plaintext, additional authenticated data and auth tag. */
5663 uint64_t lengths[3] = { ciphertext_len, aad_len, auth_tag_len };
5664
5665 gcry_cipher_ctl(decoder->evp, GCRYCTL_SET_CCM_LENGTHS, lengths, sizeof(lengths));
5666 }
5667
5668 if (aad && aad_len > 0) {
5669 ssl_print_data("AAD", aad, aad_len);
5670 err = gcry_cipher_authenticate(decoder->evp, aad, aad_len);
5671 if (err) {
5672 ssl_debug_printf("%s failed to set AAD: %s\n", G_STRFUNC((const char*) (__func__)), gcry_strerror(err));
5673 return false0;
5674 }
5675 }
5676
5677 /* Decrypt now that nonce and AAD are set. */
5678 err = gcry_cipher_decrypt(decoder->evp, out_str->data, out_str->data_len, ciphertext, ciphertext_len);
5679 if (err) {
5680 ssl_debug_printf("%s decrypt failed: %s\n", G_STRFUNC((const char*) (__func__)), gcry_strerror(err));
5681 return false0;
5682 }
5683
5684 /* Check authentication tag for authenticity (replaces MAC) */
5685 err = gcry_cipher_gettag(decoder->evp, auth_tag_calc, auth_tag_len);
5686 if (err == 0 && !memcmp(auth_tag_calc, auth_tag_wire, auth_tag_len)) {
5687 ssl_print_data("auth_tag(OK)", auth_tag_calc, auth_tag_len);
5688 } else {
5689 if (err) {
5690 ssl_debug_printf("%s cannot obtain tag: %s\n", G_STRFUNC((const char*) (__func__)), gcry_strerror(err));
5691 } else {
5692 ssl_debug_printf("%s auth tag mismatch\n", G_STRFUNC((const char*) (__func__)));
5693 ssl_print_data("auth_tag(expect)", auth_tag_calc, auth_tag_len);
5694 ssl_print_data("auth_tag(actual)", auth_tag_wire, auth_tag_len);
5695 }
5696 if (ignore_mac_failed) {
5697 ssl_debug_printf("%s: auth check failed, but ignored for troubleshooting ;-)\n", G_STRFUNC((const char*) (__func__)));
5698 } else {
5699 return false0;
5700 }
5701 }
5702
5703 /*
5704 * Increment the (implicit) sequence number for TLS 1.2/1.3 and TLCP 1.1. This is done
5705 * after successful authentication to ensure that early data is skipped when
5706 * CLIENT_EARLY_TRAFFIC_SECRET keys are unavailable.
5707 */
5708 if (version == TLSV1DOT2_VERSION0x303 || version == TLSV1DOT3_VERSION0x304 || version == TLCPV1_VERSION0x101) {
5709 decoder->seq++;
5710 }
5711
5712 ssl_print_data("Plaintext", out_str->data, ciphertext_len);
5713 *outl = ciphertext_len;
5714 return true1;
5715}
5716
5717/* Record decryption glue based on security parameters {{{ */
5718/* Assume that we are called only for a non-NULL decoder which also means that
5719 * we have a non-NULL decoder->cipher_suite. */
5720int
5721ssl_decrypt_record(wmem_allocator_t* allocator, SslDecryptSession *ssl, SslDecoder *decoder, uint8_t ct, uint16_t record_version,
5722 bool_Bool ignore_mac_failed,
5723 const unsigned char *in, uint16_t inl, const unsigned char *cid, uint8_t cidl,
5724 StringInfo *comp_str, StringInfo *out_str, unsigned *outl)
5725{
5726 unsigned pad, worklen, uncomplen, maclen, mac_fraglen = 0;
5727 uint8_t *mac = NULL((void*)0), *mac_frag = NULL((void*)0);
5728
5729 ssl_debug_printf("ssl_decrypt_record ciphertext len %d\n", inl);
5730 ssl_print_data("Ciphertext",in, inl);
5731
5732 if (((ssl->session.version == TLSV1DOT3_VERSION0x304 || ssl->session.version == DTLSV1DOT3_VERSION0xfefc))
5733 != (decoder->cipher_suite->kex == KEX_TLS130x23)) {
5734 ssl_debug_printf("%s Invalid cipher suite for the protocol version!\n", G_STRFUNC((const char*) (__func__)));
5735 return -1;
5736 }
5737
5738 /* ensure we have enough storage space for decrypted data */
5739 if (inl > out_str->data_len)
5740 {
5741 ssl_debug_printf("ssl_decrypt_record: allocating %d bytes for decrypt data (old len %d)\n",
5742 inl + 32, out_str->data_len);
5743 ssl_data_realloc(out_str, inl + 32);
5744 }
5745
5746 /* AEAD ciphers (GenericAEADCipher in TLS 1.2; TLS 1.3) have no padding nor
5747 * a separate MAC, so use a different routine for simplicity. */
5748 if (decoder->cipher_suite->mode == MODE_GCM ||
5749 decoder->cipher_suite->mode == MODE_CCM ||
5750 decoder->cipher_suite->mode == MODE_CCM_8 ||
5751 decoder->cipher_suite->mode == MODE_POLY1305 ||
5752 ssl->session.version == TLSV1DOT3_VERSION0x304 ||
5753 ssl->session.version == DTLSV1DOT3_VERSION0xfefc) {
5754
5755 if (!tls_decrypt_aead_record(allocator, ssl, decoder, ct, record_version, ignore_mac_failed, in, inl, cid, cidl, out_str, &worklen)) {
5756 /* decryption failed */
5757 return -1;
5758 }
5759
5760 goto skip_mac;
5761 }
5762
5763 /* RFC 6101/2246: SSLCipherText/TLSCipherText has two structures for types:
5764 * (notation: { unencrypted, [ encrypted ] })
5765 * GenericStreamCipher: { [content, mac] }
5766 * GenericBlockCipher: { IV (TLS 1.1+), [content, mac, padding, padding_len] }
5767 * RFC 5426 (TLS 1.2): TLSCipherText has additionally:
5768 * GenericAEADCipher: { nonce_explicit, [content] }
5769 * RFC 4347 (DTLS): based on TLS 1.1, only GenericBlockCipher is supported.
5770 * RFC 6347 (DTLS 1.2): based on TLS 1.2, includes GenericAEADCipher too.
5771 */
5772
5773 maclen = ssl_cipher_suite_dig(decoder->cipher_suite)->len;
5774
5775 /* (TLS 1.1 and later, DTLS) Extract explicit IV for GenericBlockCipher */
5776 if (decoder->cipher_suite->mode == MODE_CBC) {
5777 unsigned blocksize = 0;
5778
5779 switch (ssl->session.version) {
5780 case TLSV1DOT1_VERSION0x302:
5781 case TLSV1DOT2_VERSION0x303:
5782 case DTLSV1DOT0_VERSION0xfeff:
5783 case DTLSV1DOT2_VERSION0xfefd:
5784 case DTLSV1DOT3_VERSION0xfefc:
5785 case DTLSV1DOT0_OPENSSL_VERSION0x100:
5786 case TLCPV1_VERSION0x101:
5787 blocksize = ssl_get_cipher_blocksize(decoder->cipher_suite);
5788 if (inl < blocksize) {
5789 ssl_debug_printf("ssl_decrypt_record failed: input %d has no space for IV %d\n",
5790 inl, blocksize);
5791 return -1;
5792 }
5793 pad = gcry_cipher_setiv(decoder->evp, in, blocksize);
5794 if (pad != 0) {
5795 ssl_debug_printf("ssl_decrypt_record failed: failed to set IV: %s %s\n",
5796 gcry_strsource (pad), gcry_strerror (pad));
5797 }
5798
5799 inl -= blocksize;
5800 in += blocksize;
5801 break;
5802 }
5803
5804 /* Encrypt-then-MAC for (D)TLS (RFC 7366) */
5805 if (ssl->state & SSL_ENCRYPT_THEN_MAC(1<<11)) {
5806 /*
5807 * MAC is calculated over (IV + ) ENCRYPTED contents:
5808 *
5809 * MAC(MAC_write_key, ... +
5810 * IV + // for TLS 1.1 or greater
5811 * TLSCiphertext.enc_content);
5812 */
5813 if (inl < maclen) {
5814 ssl_debug_printf("%s failed: input %d has no space for MAC %d\n",
5815 G_STRFUNC((const char*) (__func__)), inl, maclen);
5816 return -1;
5817 }
5818 inl -= maclen;
5819 mac = (uint8_t *)in + inl;
5820 mac_frag = (uint8_t *)in - blocksize;
5821 mac_fraglen = blocksize + inl;
5822 }
5823 }
5824
5825 /* First decrypt*/
5826 if ((pad = ssl_cipher_decrypt(&decoder->evp, out_str->data, out_str->data_len, in, inl)) != 0) {
5827 ssl_debug_printf("ssl_decrypt_record failed: ssl_cipher_decrypt: %s %s\n", gcry_strsource (pad),
5828 gcry_strerror (pad));
5829 return -1;
5830 }
5831
5832 ssl_print_data("Plaintext", out_str->data, inl);
5833 worklen=inl;
5834
5835
5836 /* strip padding for GenericBlockCipher */
5837 if (decoder->cipher_suite->mode == MODE_CBC) {
5838 if (inl < 1) { /* Should this check happen earlier? */
5839 ssl_debug_printf("ssl_decrypt_record failed: input length %d too small\n", inl);
5840 return -1;
5841 }
5842 pad=out_str->data[inl-1];
5843 if (worklen <= pad) {
5844 ssl_debug_printf("ssl_decrypt_record failed: padding %d too large for work %d\n",
5845 pad, worklen);
5846 return -1;
5847 }
5848 worklen-=(pad+1);
5849 ssl_debug_printf("ssl_decrypt_record found padding %d final len %d\n",
5850 pad, worklen);
5851 }
5852
5853 /* MAC for GenericStreamCipher and GenericBlockCipher.
5854 * (normal case without Encrypt-then-MAC (RFC 7366) extension. */
5855 if (!mac) {
5856 /*
5857 * MAC is calculated over the DECRYPTED contents:
5858 *
5859 * MAC(MAC_write_key, ... + TLSCompressed.fragment);
5860 */
5861 if (worklen < maclen) {
5862 ssl_debug_printf("%s wrong record len/padding outlen %d\n work %d\n", G_STRFUNC((const char*) (__func__)), *outl, worklen);
5863 return -1;
5864 }
5865 worklen -= maclen;
5866 mac = out_str->data + worklen;
5867 mac_frag = out_str->data;
5868 mac_fraglen = worklen;
5869 }
5870
5871 /* If NULL encryption active and no keys are available, do not bother
5872 * checking the MAC. We do not have keys for that. */
5873 if (decoder->cipher_suite->mode == MODE_STREAM &&
5874 decoder->cipher_suite->enc == ENC_NULL0x3D &&
5875 !(ssl->state & SSL_MASTER_SECRET(1<<5))) {
5876 ssl_debug_printf("MAC check skipped due to missing keys\n");
5877 decoder->seq++; // Increment this for display
5878 goto skip_mac;
5879 }
5880
5881 /* Now check the MAC */
5882 ssl_debug_printf("checking mac (len %d, version %X, ct %d seq %" PRIu64"l" "u" ")\n",
5883 worklen, ssl->session.version, ct, decoder->seq);
5884 if(ssl->session.version==SSLV3_VERSION0x300){
5885 if(ssl3_check_mac(decoder,ct,mac_frag,mac_fraglen,mac) < 0) {
5886 if(ignore_mac_failed) {
5887 ssl_debug_printf("ssl_decrypt_record: mac failed, but ignored for troubleshooting ;-)\n");
5888 }
5889 else{
5890 ssl_debug_printf("ssl_decrypt_record: mac failed\n");
5891 return -1;
5892 }
5893 }
5894 else{
5895 ssl_debug_printf("ssl_decrypt_record: mac ok\n");
5896 }
5897 }
5898 else if(ssl->session.version==TLSV1_VERSION0x301 || ssl->session.version==TLSV1DOT1_VERSION0x302 || ssl->session.version==TLSV1DOT2_VERSION0x303 || ssl->session.version==TLCPV1_VERSION0x101){
5899 if(tls_check_mac(decoder,ct,ssl->session.version,mac_frag,mac_fraglen,mac)< 0) {
5900 if(ignore_mac_failed) {
5901 ssl_debug_printf("ssl_decrypt_record: mac failed, but ignored for troubleshooting ;-)\n");
5902 }
5903 else{
5904 ssl_debug_printf("ssl_decrypt_record: mac failed\n");
5905 return -1;
5906 }
5907 }
5908 else{
5909 ssl_debug_printf("ssl_decrypt_record: mac ok\n");
5910 }
5911 }
5912 else if(ssl->session.version==DTLSV1DOT0_VERSION0xfeff ||
5913 ssl->session.version==DTLSV1DOT2_VERSION0xfefd ||
5914 ssl->session.version==DTLSV1DOT0_OPENSSL_VERSION0x100){
5915 /* Try rfc-compliant mac first, and if failed, try old openssl's non-rfc-compliant mac */
5916 if(dtls_check_mac(ssl,decoder,ct,mac_frag,mac_fraglen,mac,cid,cidl)>= 0) {
5917 ssl_debug_printf("ssl_decrypt_record: mac ok\n");
5918 }
5919 else if(tls_check_mac(decoder,ct,TLSV1_VERSION0x301,mac_frag,mac_fraglen,mac)>= 0) {
5920 ssl_debug_printf("ssl_decrypt_record: dtls rfc-compliant mac failed, but old openssl's non-rfc-compliant mac ok\n");
5921 }
5922 else if(ignore_mac_failed) {
5923 ssl_debug_printf("ssl_decrypt_record: mac failed, but ignored for troubleshooting ;-)\n");
5924 }
5925 else{
5926 ssl_debug_printf("ssl_decrypt_record: mac failed\n");
5927 return -1;
5928 }
5929 }
5930skip_mac:
5931
5932 *outl = worklen;
5933
5934 if (decoder->compression > 0) {
5935 ssl_debug_printf("ssl_decrypt_record: compression method %d\n", decoder->compression);
5936 ssl_data_copy(comp_str, out_str);
5937 ssl_print_data("Plaintext compressed", comp_str->data, worklen);
5938 if (!decoder->decomp) {
5939 ssl_debug_printf("decrypt_ssl3_record: no decoder available\n");
5940 return -1;
5941 }
5942 if (ssl_decompress_record(decoder->decomp, comp_str->data, worklen, out_str, &uncomplen) < 0) return -1;
5943 ssl_print_data("Plaintext uncompressed", out_str->data, uncomplen);
5944 *outl = uncomplen;
5945 }
5946
5947 return 0;
5948}
5949/* Record decryption glue based on security parameters }}} */
5950
5951
5952
5953#ifdef HAVE_LIBGNUTLS1
5954
5955/* RSA private key file processing {{{ */
5956static void
5957ssl_find_private_key_by_pubkey(SslDecryptSession *ssl,
5958 gnutls_datum_t *subjectPublicKeyInfo)
5959{
5960 gnutls_pubkey_t pubkey = NULL((void*)0);
5961 cert_key_id_t key_id;
5962 size_t key_id_len = sizeof(key_id);
5963 int r;
5964
5965 if (!subjectPublicKeyInfo->size) {
5966 ssl_debug_printf("%s: could not find SubjectPublicKeyInfo\n", G_STRFUNC((const char*) (__func__)));
5967 return;
5968 }
5969
5970 r = gnutls_pubkey_init(&pubkey);
5971 if (r < 0) {
5972 ssl_debug_printf("%s: failed to init pubkey: %s\n",
5973 G_STRFUNC((const char*) (__func__)), gnutls_strerror(r));
5974 return;
5975 }
5976
5977 r = gnutls_pubkey_import(pubkey, subjectPublicKeyInfo, GNUTLS_X509_FMT_DER);
5978 if (r < 0) {
5979 ssl_debug_printf("%s: failed to import pubkey from handshake: %s\n",
5980 G_STRFUNC((const char*) (__func__)), gnutls_strerror(r));
5981 goto end;
5982 }
5983
5984 if (gnutls_pubkey_get_pk_algorithm(pubkey, NULL((void*)0)) != GNUTLS_PK_RSA) {
5985 ssl_debug_printf("%s: Not a RSA public key - ignoring.\n", G_STRFUNC((const char*) (__func__)));
5986 goto end;
5987 }
5988
5989 /* Generate a 20-byte SHA-1 hash. */
5990 r = gnutls_pubkey_get_key_id(pubkey, 0, key_id.key_id, &key_id_len);
5991 if (r < 0) {
5992 ssl_debug_printf("%s: failed to extract key id from pubkey: %s\n",
5993 G_STRFUNC((const char*) (__func__)), gnutls_strerror(r));
5994 goto end;
5995 }
5996
5997 if (key_id_len != sizeof(key_id)) {
5998 ssl_debug_printf("%s: expected Key ID size %zu, got %zu\n",
5999 G_STRFUNC((const char*) (__func__)), sizeof(key_id), key_id_len);
6000 goto end;
6001 }
6002
6003 ssl_print_data("Certificate.KeyID", key_id.key_id, key_id_len);
6004 ssl->cert_key_id = wmem_new(wmem_file_scope(), cert_key_id_t)((cert_key_id_t*)wmem_alloc((wmem_file_scope()), sizeof(cert_key_id_t
)));
6005 *ssl->cert_key_id = key_id;
6006
6007end:
6008 gnutls_pubkey_deinit(pubkey);
6009}
6010
6011/* RSA private key file processing }}} */
6012#endif /* HAVE_LIBGNUTLS */
6013
6014/*--- Start of dissector-related code below ---*/
6015
6016/* This is not a "protocol" but ensures that this gets called during
6017 * the handoff stage. */
6018void proto_reg_handoff_tls_utils(void);
6019
6020static dissector_handle_t base_tls_handle;
6021static dissector_handle_t dtls_handle;
6022
6023void
6024proto_reg_handoff_tls_utils(void)
6025{
6026 base_tls_handle = find_dissector("tls");
6027 dtls_handle = find_dissector("dtls");
6028}
6029
6030/* get ssl data for this session. if no ssl data is found allocate a new one*/
6031SslDecryptSession *
6032ssl_get_session(conversation_t *conversation, dissector_handle_t tls_handle)
6033{
6034 void *conv_data;
6035 SslDecryptSession *ssl_session;
6036 int proto_ssl;
6037
6038 /* Note proto_ssl is tls for either the main tls_handle or the
6039 * tls13_handshake handle used by QUIC. */
6040 proto_ssl = dissector_handle_get_protocol_index(tls_handle);
6041 conv_data = conversation_get_proto_data(conversation, proto_ssl);
6042 if (conv_data != NULL((void*)0))
6043 return (SslDecryptSession *)conv_data;
6044
6045 /* no previous SSL conversation info, initialize it. */
6046 ssl_session = wmem_new0(wmem_file_scope(), SslDecryptSession)((SslDecryptSession*)wmem_alloc0((wmem_file_scope()), sizeof(
SslDecryptSession)));
6047
6048 /* data_len is the part that is meaningful, not the allocated length */
6049 ssl_session->master_secret.data_len = 0;
6050 ssl_session->master_secret.data = ssl_session->_master_secret;
6051 ssl_session->session_id.data_len = 0;
6052 ssl_session->session_id.data = ssl_session->_session_id;
6053 ssl_session->client_random.data_len = 0;
6054 ssl_session->client_random.data = ssl_session->_client_random;
6055 ssl_session->server_random.data_len = 0;
6056 ssl_session->server_random.data = ssl_session->_server_random;
6057 ssl_session->session_ticket.data_len = 0;
6058 ssl_session->session_ticket.data = NULL((void*)0); /* will be re-alloced as needed */
6059 ssl_session->server_data_for_iv.data_len = 0;
6060 ssl_session->server_data_for_iv.data = ssl_session->_server_data_for_iv;
6061 ssl_session->client_data_for_iv.data_len = 0;
6062 ssl_session->client_data_for_iv.data = ssl_session->_client_data_for_iv;
6063 ssl_session->app_data_segment.data = NULL((void*)0);
6064 ssl_session->app_data_segment.data_len = 0;
6065 ssl_session->handshake_data.data=NULL((void*)0);
6066 ssl_session->handshake_data.data_len=0;
6067 ssl_session->ech_transcript.data=NULL((void*)0);
6068 ssl_session->ech_transcript.data_len=0;
6069
6070 /* Initialize parameters which are not necessary specific to decryption. */
6071 ssl_session->session.version = SSL_VER_UNKNOWN0;
6072 clear_address(&ssl_session->session.srv_addr);
6073 ssl_session->session.srv_ptype = PT_NONE;
6074 ssl_session->session.srv_port = 0;
6075 ssl_session->session.dtls13_current_epoch[0] = ssl_session->session.dtls13_current_epoch[1] = 0;
6076 ssl_session->session.dtls13_next_seq_num[0] = ssl_session->session.dtls13_next_seq_num[1] = 0;
6077 ssl_session->session.client_random.data_len = 0;
6078 ssl_session->session.client_random.data = ssl_session->session._client_random;
6079 memset(ssl_session->session.ech_confirmation, 0, sizeof(ssl_session->session.ech_confirmation));
6080 memset(ssl_session->session.hrr_ech_confirmation, 0, sizeof(ssl_session->session.hrr_ech_confirmation));
6081 memset(ssl_session->session.first_ech_auth_tag, 0, sizeof(ssl_session->session.first_ech_auth_tag));
6082 ssl_session->session.ech = false0;
6083 ssl_session->session.hrr_ech_declined = false0;
6084 ssl_session->session.first_ch_ech_frame = 0;
6085
6086 /* We want to increment the stream count for the normal tls handle and
6087 * dtls handle, but presumably not for the tls13_handshake handle used
6088 * by QUIC (it has its own Follow Stream handling, and the QUIC stream
6089 * doesn't get sent to the TLS follow tap.)
6090 */
6091 if (tls_handle == base_tls_handle) {
6092 ssl_session->session.stream = tls_increment_stream_count();
6093 } else if (tls_handle == dtls_handle) {
6094 ssl_session->session.stream = dtls_increment_stream_count();
6095 }
6096
6097 conversation_add_proto_data(conversation, proto_ssl, ssl_session);
6098 return ssl_session;
6099}
6100
6101void ssl_reset_session(SslSession *session, SslDecryptSession *ssl, bool_Bool is_client)
6102{
6103 if (ssl) {
6104 /* Ensure that secrets are not restored using stale identifiers. Split
6105 * between client and server in case the packets somehow got out of order. */
6106 int clear_flags = SSL_HAVE_SESSION_KEY(1<<3) | SSL_MASTER_SECRET(1<<5) | SSL_PRE_MASTER_SECRET(1<<6);
6107
6108 if (is_client) {
6109 clear_flags |= SSL_CLIENT_EXTENDED_MASTER_SECRET(1<<7);
6110 ssl->session_id.data_len = 0;
6111 ssl->session_ticket.data_len = 0;
6112 ssl->master_secret.data_len = 0;
6113 ssl->client_random.data_len = 0;
6114 ssl->has_early_data = false0;
6115 if (ssl->handshake_data.data_len > 0) {
6116 // The EMS handshake hash starts with at the Client Hello,
6117 // ensure that any messages before it are forgotten.
6118 wmem_free(wmem_file_scope(), ssl->handshake_data.data);
6119 ssl->handshake_data.data = NULL((void*)0);
6120 ssl->handshake_data.data_len = 0;
6121 }
6122 } else {
6123 clear_flags |= SSL_SERVER_EXTENDED_MASTER_SECRET(1<<8) | SSL_NEW_SESSION_TICKET(1<<10);
6124 ssl->server_random.data_len = 0;
6125 ssl->pre_master_secret.data_len = 0;
6126#ifdef HAVE_LIBGNUTLS1
6127 ssl->cert_key_id = NULL((void*)0);
6128#endif
6129 ssl->psk.data_len = 0;
6130 }
6131
6132 if (ssl->state & clear_flags) {
6133 ssl_debug_printf("%s detected renegotiation, clearing 0x%02x (%s side)\n",
6134 G_STRFUNC((const char*) (__func__)), ssl->state & clear_flags, is_client ? "client" : "server");
6135 ssl->state &= ~clear_flags;
6136 }
6137 }
6138
6139 /* These flags might be used for non-decryption purposes and may affect the
6140 * dissection, so reset them as well. */
6141 if (is_client) {
6142 session->client_cert_type = 0;
6143 } else {
6144 session->compression = 0;
6145 session->server_cert_type = 0;
6146 /* session->is_session_resumed is already handled in the ServerHello dissection. */
6147 }
6148 session->dtls13_next_seq_num[0] = session->dtls13_next_seq_num[1] = 0;
6149 session->dtls13_current_epoch[0] = session->dtls13_current_epoch[1] = 0;
6150}
6151
6152void
6153tls_set_appdata_dissector(dissector_handle_t tls_handle, packet_info *pinfo,
6154 dissector_handle_t app_handle)
6155{
6156 conversation_t *conversation;
6157 SslSession *session;
6158
6159 /* Ignore if the TLS or other dissector is disabled. */
6160 if (!tls_handle || !app_handle)
6161 return;
6162
6163 conversation = find_or_create_conversation(pinfo);
6164 session = &ssl_get_session(conversation, tls_handle)->session;
6165 session->app_handle = app_handle;
6166}
6167
6168static uint32_t
6169ssl_starttls(dissector_handle_t tls_handle, packet_info *pinfo,
6170 dissector_handle_t app_handle, uint32_t last_nontls_frame)
6171{
6172 conversation_t *conversation;
6173 SslSession *session;
6174
6175 /* Ignore if the TLS dissector is disabled. */
6176 if (!tls_handle)
6177 return 0;
6178 /* The caller should always pass a valid handle to its own dissector. */
6179 DISSECTOR_ASSERT(app_handle)((void) ((app_handle) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 6179, "app_handle"))));
6180
6181 conversation = find_or_create_conversation(pinfo);
6182 session = &ssl_get_session(conversation, tls_handle)->session;
6183
6184 ssl_debug_printf("%s: old frame %d, app_handle=%p (%s)\n", G_STRFUNC((const char*) (__func__)),
6185 session->last_nontls_frame,
6186 (void *)session->app_handle,
6187 dissector_handle_get_dissector_name(session->app_handle));
6188 ssl_debug_printf("%s: current frame %d, app_handle=%p (%s)\n", G_STRFUNC((const char*) (__func__)),
6189 pinfo->num, (void *)app_handle,
6190 dissector_handle_get_dissector_name(app_handle));
6191
6192 /* Do not switch again if a dissector did it before. */
6193 if (session->last_nontls_frame) {
6194 ssl_debug_printf("%s: not overriding previous app handle!\n", G_STRFUNC((const char*) (__func__)));
6195 return session->last_nontls_frame;
6196 }
6197
6198 session->app_handle = app_handle;
6199 /* The TLS dissector should be called first for this conversation. */
6200 conversation_set_dissector(conversation, tls_handle);
6201 /* TLS starts after this frame. */
6202 session->last_nontls_frame = last_nontls_frame;
6203 return 0;
6204}
6205
6206/* ssl_starttls_ack: mark future frames as encrypted. */
6207uint32_t
6208ssl_starttls_ack(dissector_handle_t tls_handle, packet_info *pinfo,
6209 dissector_handle_t app_handle)
6210{
6211 return ssl_starttls(tls_handle, pinfo, app_handle, pinfo->num);
6212}
6213
6214uint32_t
6215ssl_starttls_post_ack(dissector_handle_t tls_handle, packet_info *pinfo,
6216 dissector_handle_t app_handle)
6217{
6218 return ssl_starttls(tls_handle, pinfo, app_handle, pinfo->num - 1);
6219}
6220
6221dissector_handle_t
6222ssl_find_appdata_dissector(const char *name)
6223{
6224 /* Accept 'http' for backwards compatibility and sanity. */
6225 if (!strcmp(name, "http"))
6226 name = "http-over-tls";
6227 /* XXX - Should this check to see if the dissector is actually added for
6228 * Decode As in the appropriate table?
6229 */
6230 return find_dissector(name);
6231}
6232
6233/* Functions for TLS/DTLS sessions and RSA private keys hashtables. {{{ */
6234static int
6235ssl_equal (const void *v, const void *v2)
6236{
6237 const StringInfo *val1;
6238 const StringInfo *val2;
6239 val1 = (const StringInfo *)v;
6240 val2 = (const StringInfo *)v2;
6241
6242 if (val1->data_len == val2->data_len &&
6243 !memcmp(val1->data, val2->data, val2->data_len)) {
6244 return 1;
6245 }
6246 return 0;
6247}
6248
6249static unsigned
6250ssl_hash (const void *v)
6251{
6252 unsigned l,hash;
6253 const StringInfo* id;
6254 const unsigned* cur;
6255 hash = 0;
6256 id = (const StringInfo*) v;
6257
6258 /* id and id->data are mallocated in ssl_save_master_key(). As such 'data'
6259 * should be aligned for any kind of access (for example as a unsigned as
6260 * is done below). The intermediate void* cast is to prevent "cast
6261 * increases required alignment of target type" warnings on CPUs (such
6262 * as SPARCs) that do not allow misaligned memory accesses.
6263 */
6264 cur = (const unsigned*)(void*) id->data;
6265
6266 for (l=4; (l < id->data_len); l+=4, cur++)
6267 hash = hash ^ (*cur);
6268
6269 return hash;
6270}
6271/* Functions for TLS/DTLS sessions and RSA private keys hashtables. }}} */
6272
6273/* Handling of association between tls/dtls ports and clear text protocol. {{{ */
6274void
6275ssl_association_add(const char* dissector_table_name, dissector_handle_t main_handle, dissector_handle_t subdissector_handle, unsigned port, bool_Bool tcp)
6276{
6277 DISSECTOR_ASSERT(main_handle)((void) ((main_handle) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 6277, "main_handle"))));
6278 DISSECTOR_ASSERT(subdissector_handle)((void) ((subdissector_handle) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 6278, "subdissector_handle"))));
6279 /* Registration is required for Export PDU feature to work properly. */
6280 DISSECTOR_ASSERT_HINT(dissector_handle_get_dissector_name(subdissector_handle),((void) ((dissector_handle_get_dissector_name(subdissector_handle
)) ? (void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\" (%s)"
, "epan/dissectors/packet-tls-utils.c", 6281, "dissector_handle_get_dissector_name(subdissector_handle)"
, "SSL appdata dissectors must register with register_dissector()!"
))))
6281 "SSL appdata dissectors must register with register_dissector()!")((void) ((dissector_handle_get_dissector_name(subdissector_handle
)) ? (void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\" (%s)"
, "epan/dissectors/packet-tls-utils.c", 6281, "dissector_handle_get_dissector_name(subdissector_handle)"
, "SSL appdata dissectors must register with register_dissector()!"
))));
6282 ssl_debug_printf("association_add %s port %d handle %p\n", dissector_table_name, port, (void *)subdissector_handle);
6283
6284 if (port) {
6285 dissector_add_uint(dissector_table_name, port, subdissector_handle);
6286 if (tcp)
6287 dissector_add_uint("tcp.port", port, main_handle);
6288 else
6289 dissector_add_uint("udp.port", port, main_handle);
6290 dissector_add_uint("sctp.port", port, main_handle);
6291 } else {
6292 dissector_add_for_decode_as(dissector_table_name, subdissector_handle);
6293 }
6294}
6295
6296void
6297ssl_association_remove(const char* dissector_table_name, dissector_handle_t main_handle, dissector_handle_t subdissector_handle, unsigned port, bool_Bool tcp)
6298{
6299 ssl_debug_printf("ssl_association_remove removing %s %u - handle %p\n",
6300 tcp?"TCP":"UDP", port, (void *)subdissector_handle);
6301 if (main_handle) {
6302 dissector_delete_uint(tcp?"tcp.port":"udp.port", port, main_handle);
6303 dissector_delete_uint("sctp.port", port, main_handle);
6304 }
6305
6306 if (port) {
6307 dissector_delete_uint(dissector_table_name, port, subdissector_handle);
6308 }
6309}
6310
6311void
6312ssl_set_server(SslSession *session, address *addr, port_type ptype, uint32_t port)
6313{
6314 copy_address_wmem(wmem_file_scope(), &session->srv_addr, addr);
6315 session->srv_ptype = ptype;
6316 session->srv_port = port;
6317}
6318
6319int
6320ssl_packet_from_server(SslSession *session, dissector_table_t table, const packet_info *pinfo)
6321{
6322 int ret;
6323 if (session && session->srv_addr.type != AT_NONE) {
6324 ret = (session->srv_ptype == pinfo->ptype) &&
6325 (session->srv_port == pinfo->srcport) &&
6326 addresses_equal(&session->srv_addr, &pinfo->src);
6327 } else {
6328 ret = (dissector_get_uint_handle(table, pinfo->srcport) != 0);
6329 }
6330
6331 ssl_debug_printf("packet_from_server: is from server - %s\n", (ret)?"TRUE":"FALSE");
6332 return ret;
6333}
6334/* Handling of association between tls/dtls ports and clear text protocol. }}} */
6335
6336
6337/* Links SSL records with the real packet data. {{{ */
6338SslPacketInfo *
6339tls_add_packet_info(int proto, packet_info *pinfo, uint8_t curr_layer_num_ssl)
6340{
6341 SslPacketInfo *pi = (SslPacketInfo *)p_get_proto_data(wmem_file_scope(), pinfo, proto, curr_layer_num_ssl);
6342 if (!pi) {
6343 pi = wmem_new0(wmem_file_scope(), SslPacketInfo)((SslPacketInfo*)wmem_alloc0((wmem_file_scope()), sizeof(SslPacketInfo
)));
6344 pi->srcport = pinfo->srcport;
6345 pi->destport = pinfo->destport;
6346 p_add_proto_data(wmem_file_scope(), pinfo, proto, curr_layer_num_ssl, pi);
6347 }
6348
6349 return pi;
6350}
6351
6352/**
6353 * Remembers the decrypted TLS record fragment (TLSInnerPlaintext in TLS 1.3) to
6354 * avoid the need for a decoder in the second pass. Additionally, it remembers
6355 * sequence numbers (for reassembly and Follow TLS Stream).
6356 *
6357 * @param proto The protocol identifier (proto_ssl or proto_dtls).
6358 * @param pinfo The packet where the record originates from.
6359 * @param data Decrypted data to store in the record.
6360 * @param data_len Length of decrypted record data.
6361 * @param record_id The identifier for this record within the current packet.
6362 * @param flow Information about sequence numbers, etc.
6363 * @param type TLS Content Type (such as handshake or application_data).
6364 * @param curr_layer_num_ssl The layer identifier for this TLS session.
6365 */
6366void
6367ssl_add_record_info(int proto, packet_info *pinfo, const unsigned char *data, int data_len, int record_id, SslFlow *flow, ContentType type, uint8_t curr_layer_num_ssl, uint64_t record_seq)
6368{
6369 SslRecordInfo* rec, **prec;
6370 SslPacketInfo *pi = tls_add_packet_info(proto, pinfo, curr_layer_num_ssl);
6371
6372 rec = wmem_new(wmem_file_scope(), SslRecordInfo)((SslRecordInfo*)wmem_alloc((wmem_file_scope()), sizeof(SslRecordInfo
)));
6373 rec->plain_data = (unsigned char *)wmem_memdup(wmem_file_scope(), data, data_len);
6374 rec->data_len = data_len;
6375 rec->id = record_id;
6376 rec->type = type;
6377 rec->next = NULL((void*)0);
6378 rec->record_seq = record_seq;
6379
6380 if (flow && type == SSL_ID_APP_DATA) {
6381 rec->seq = flow->byte_seq;
6382 rec->flow = flow;
6383 flow->byte_seq += data_len;
6384 ssl_debug_printf("%s stored decrypted record seq=%d nxtseq=%d flow=%p\n",
6385 G_STRFUNC((const char*) (__func__)), rec->seq, rec->seq + data_len, (void*)flow);
6386 }
6387
6388 /* Remember decrypted records. */
6389 prec = &pi->records;
6390 while (*prec) prec = &(*prec)->next;
6391 *prec = rec;
6392}
6393
6394/* search in packet data for the specified id; return a newly created tvb for the associated data */
6395tvbuff_t*
6396ssl_get_record_info(tvbuff_t *parent_tvb, int proto, packet_info *pinfo, int record_id, uint8_t curr_layer_num_ssl, SslRecordInfo **matched_record)
6397{
6398 SslRecordInfo* rec;
6399 SslPacketInfo* pi;
6400 pi = (SslPacketInfo *)p_get_proto_data(wmem_file_scope(), pinfo, proto, curr_layer_num_ssl);
6401
6402 if (!pi)
6403 return NULL((void*)0);
6404
6405 for (rec = pi->records; rec; rec = rec->next)
6406 if (rec->id == record_id) {
6407 *matched_record = rec;
6408 /* link new real_data_tvb with a parent tvb so it is freed when frame dissection is complete */
6409 return tvb_new_child_real_data(parent_tvb, rec->plain_data, rec->data_len, rec->data_len);
6410 }
6411
6412 return NULL((void*)0);
6413}
6414/* Links SSL records with the real packet data. }}} */
6415
6416/* initialize/reset per capture state data (ssl sessions cache). {{{ */
6417void
6418ssl_common_init(ssl_master_key_map_t *mk_map,
6419 StringInfo *decrypted_data, StringInfo *compressed_data)
6420{
6421 mk_map->session = g_hash_table_new(ssl_hash, ssl_equal);
6422 mk_map->tickets = g_hash_table_new(ssl_hash, ssl_equal);
6423 mk_map->crandom = g_hash_table_new(ssl_hash, ssl_equal);
6424 mk_map->pre_master = g_hash_table_new(ssl_hash, ssl_equal);
6425 mk_map->pms = g_hash_table_new(ssl_hash, ssl_equal);
6426 mk_map->tls13_client_early = g_hash_table_new(ssl_hash, ssl_equal);
6427 mk_map->tls13_client_handshake = g_hash_table_new(ssl_hash, ssl_equal);
6428 mk_map->tls13_server_handshake = g_hash_table_new(ssl_hash, ssl_equal);
6429 mk_map->tls13_client_appdata = g_hash_table_new(ssl_hash, ssl_equal);
6430 mk_map->tls13_server_appdata = g_hash_table_new(ssl_hash, ssl_equal);
6431 mk_map->tls13_early_exporter = g_hash_table_new(ssl_hash, ssl_equal);
6432 mk_map->tls13_exporter = g_hash_table_new(ssl_hash, ssl_equal);
6433
6434 mk_map->ech_secret = g_hash_table_new(ssl_hash, ssl_equal);
6435 mk_map->ech_config = g_hash_table_new(ssl_hash, ssl_equal);
6436
6437 mk_map->used_crandom = g_hash_table_new(ssl_hash, ssl_equal);
6438
6439 ssl_data_alloc(decrypted_data, 32);
6440 ssl_data_alloc(compressed_data, 32);
6441}
6442
6443void
6444ssl_common_cleanup(ssl_master_key_map_t *mk_map, FILE **ssl_keylog_file,
6445 StringInfo *decrypted_data, StringInfo *compressed_data)
6446{
6447 g_hash_table_destroy(mk_map->session);
6448 g_hash_table_destroy(mk_map->tickets);
6449 g_hash_table_destroy(mk_map->crandom);
6450 g_hash_table_destroy(mk_map->pre_master);
6451 g_hash_table_destroy(mk_map->pms);
6452 g_hash_table_destroy(mk_map->tls13_client_early);
6453 g_hash_table_destroy(mk_map->tls13_client_handshake);
6454 g_hash_table_destroy(mk_map->tls13_server_handshake);
6455 g_hash_table_destroy(mk_map->tls13_client_appdata);
6456 g_hash_table_destroy(mk_map->tls13_server_appdata);
6457 g_hash_table_destroy(mk_map->tls13_early_exporter);
6458 g_hash_table_destroy(mk_map->tls13_exporter);
6459
6460 g_hash_table_destroy(mk_map->ech_secret);
6461 g_hash_table_destroy(mk_map->ech_config);
6462
6463 g_hash_table_destroy(mk_map->used_crandom);
6464
6465 g_free(decrypted_data->data);
6466 g_free(compressed_data->data);
6467
6468 /* close the previous keylog file now that the cache are cleared, this
6469 * allows the cache to be filled with the full keylog file contents. */
6470 if (*ssl_keylog_file) {
6471 fclose(*ssl_keylog_file);
6472 *ssl_keylog_file = NULL((void*)0);
6473 }
6474}
6475/* }}} */
6476
6477/* parse ssl related preferences (private keys and ports association strings) */
6478#if defined(HAVE_LIBGNUTLS1)
6479/* Load a single RSA key file item from preferences. {{{ */
6480void
6481ssl_parse_key_list(const ssldecrypt_assoc_t *uats, GHashTable *key_hash, const char* dissector_table_name, dissector_handle_t main_handle, bool_Bool tcp)
6482{
6483 gnutls_x509_privkey_t x509_priv_key;
6484 gnutls_privkey_t priv_key = NULL((void*)0);
6485 FILE* fp = NULL((void*)0);
6486 int ret;
6487 size_t key_id_len = 20;
6488 unsigned char *key_id = NULL((void*)0);
6489 char *err = NULL((void*)0);
6490 dissector_handle_t handle;
6491 /* try to load keys file first */
6492 fp = ws_fopenfopen(uats->keyfile, "rb");
6493 if (!fp) {
6494 report_open_failure(uats->keyfile, errno(*__errno_location ()), false0);
6495 return;
6496 }
6497
6498 if ((int)strlen(uats->password) == 0) {
6499 x509_priv_key = rsa_load_pem_key(fp, &err);
6500 } else {
6501 x509_priv_key = rsa_load_pkcs12(fp, uats->password, &err);
6502 }
6503 fclose(fp);
6504
6505 if (!x509_priv_key) {
6506 if (err) {
6507 report_failure("Can't load private key from %s: %s",
6508 uats->keyfile, err);
6509 g_free(err);
6510 } else
6511 report_failure("Can't load private key from %s: unknown error",
6512 uats->keyfile);
6513 return;
6514 }
6515 if (err) {
6516 report_failure("Load of private key from %s \"succeeded\" with error %s",
6517 uats->keyfile, err);
6518 g_free(err);
6519 }
6520
6521 gnutls_privkey_init(&priv_key);
6522 ret = gnutls_privkey_import_x509(priv_key, x509_priv_key,
6523 GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE|GNUTLS_PRIVKEY_IMPORT_COPY);
6524 if (ret < 0) {
6525 report_failure("Can't convert private key %s: %s",
6526 uats->keyfile, gnutls_strerror(ret));
6527 goto end;
6528 }
6529
6530 key_id = (unsigned char *) g_malloc0(key_id_len);
6531 ret = gnutls_x509_privkey_get_key_id(x509_priv_key, 0, key_id, &key_id_len);
6532 if (ret < 0) {
6533 report_failure("Can't calculate public key ID for %s: %s",
6534 uats->keyfile, gnutls_strerror(ret));
6535 goto end;
6536 }
6537 ssl_print_data("KeyID", key_id, key_id_len);
6538 if (key_id_len != 20) {
6539 report_failure("Expected Key ID size %u for %s, got %zu", 20,
6540 uats->keyfile, key_id_len);
6541 goto end;
6542 }
6543
6544 g_hash_table_replace(key_hash, key_id, priv_key);
6545 key_id = NULL((void*)0); /* used in key_hash, do not free. */
6546 priv_key = NULL((void*)0);
6547 ssl_debug_printf("ssl_init private key file %s successfully loaded.\n", uats->keyfile);
6548
6549 handle = ssl_find_appdata_dissector(uats->protocol);
6550 if (handle) {
6551 /* Port to subprotocol mapping */
6552 uint16_t port = 0;
6553 if (ws_strtou16(uats->port, NULL((void*)0), &port)) {
6554 if (port > 0) {
6555 ssl_debug_printf("ssl_init port '%d' filename '%s' password(only for p12 file) '%s'\n",
6556 port, uats->keyfile, uats->password);
6557
6558 ssl_association_add(dissector_table_name, main_handle, handle, port, tcp);
6559 }
6560 } else {
6561 if (strcmp(uats->port, "start_tls"))
6562 ssl_debug_printf("invalid ssl_init_port: %s\n", uats->port);
6563 }
6564 }
6565
6566end:
6567 gnutls_x509_privkey_deinit(x509_priv_key);
6568 gnutls_privkey_deinit(priv_key);
6569 g_free(key_id);
6570}
6571/* }}} */
6572#endif
6573
6574
6575/* Store/load a known (pre-)master secret from/for this SSL session. {{{ */
6576/** store a known (pre-)master secret into cache */
6577static void
6578ssl_save_master_key(const char *label, GHashTable *ht, StringInfo *key,
6579 StringInfo *mk)
6580{
6581 StringInfo *ht_key, *master_secret;
6582
6583 if (key->data_len == 0) {
6584 ssl_debug_printf("%s: not saving empty %s!\n", G_STRFUNC((const char*) (__func__)), label);
6585 return;
6586 }
6587
6588 if (mk->data_len == 0) {
6589 ssl_debug_printf("%s not saving empty (pre-)master secret for %s!\n",
6590 G_STRFUNC((const char*) (__func__)), label);
6591 return;
6592 }
6593
6594 /* ssl_hash() depends on session_ticket->data being aligned for unsigned access
6595 * so be careful in changing how it is allocated. */
6596 ht_key = ssl_data_clone(key);
6597 master_secret = ssl_data_clone(mk);
6598 g_hash_table_insert(ht, ht_key, master_secret);
6599
6600 ssl_debug_printf("%s inserted (pre-)master secret for %s\n", G_STRFUNC((const char*) (__func__)), label);
6601 ssl_print_string("stored key", ht_key);
6602 ssl_print_string("stored (pre-)master secret", master_secret);
6603}
6604
6605/** restore a (pre-)master secret given some key in the cache */
6606static bool_Bool
6607ssl_restore_master_key(SslDecryptSession *ssl, const char *label,
6608 bool_Bool is_pre_master, GHashTable *ht, StringInfo *key)
6609{
6610 StringInfo *ms;
6611
6612 if (key->data_len == 0) {
6613 ssl_debug_printf("%s can't restore %smaster secret using an empty %s\n",
6614 G_STRFUNC((const char*) (__func__)), is_pre_master ? "pre-" : "", label);
6615 return false0;
6616 }
6617
6618 ms = (StringInfo *)g_hash_table_lookup(ht, key);
6619 if (!ms) {
6620 ssl_debug_printf("%s can't find %smaster secret by %s\n", G_STRFUNC((const char*) (__func__)),
6621 is_pre_master ? "pre-" : "", label);
6622 return false0;
6623 }
6624
6625 /* (pre)master secret found, clear knowledge of other keys and set it in the
6626 * current conversation */
6627 ssl->state &= ~(SSL_MASTER_SECRET(1<<5) | SSL_PRE_MASTER_SECRET(1<<6) |
6628 SSL_HAVE_SESSION_KEY(1<<3));
6629 if (is_pre_master) {
6630 /* unlike master secret, pre-master secret has a variable size (48 for
6631 * RSA, varying for PSK) and is therefore not statically allocated */
6632 ssl->pre_master_secret.data = (unsigned char *) wmem_alloc(wmem_file_scope(),
6633 ms->data_len);
6634 ssl_data_set(&ssl->pre_master_secret, ms->data, ms->data_len);
6635 ssl->state |= SSL_PRE_MASTER_SECRET(1<<6);
6636 } else {
6637 ssl_data_set(&ssl->master_secret, ms->data, ms->data_len);
6638 ssl->state |= SSL_MASTER_SECRET(1<<5);
6639 }
6640 ssl_debug_printf("%s %smaster secret retrieved using %s\n", G_STRFUNC((const char*) (__func__)),
6641 is_pre_master ? "pre-" : "", label);
6642 ssl_print_string(label, key);
6643 ssl_print_string("(pre-)master secret", ms);
6644 return true1;
6645}
6646/* Store/load a known (pre-)master secret from/for this SSL session. }}} */
6647
6648/* Should be called when all parameters are ready (after ChangeCipherSpec), and
6649 * the decoder should be attempted to be initialized. {{{*/
6650void
6651ssl_finalize_decryption(SslDecryptSession *ssl, ssl_master_key_map_t *mk_map)
6652{
6653 if (ssl->session.version == TLSV1DOT3_VERSION0x304) {
1
Assuming field 'version' is not equal to TLSV1DOT3_VERSION
2
Taking false branch
6654 /* TLS 1.3 implementations only provide secrets derived from the master
6655 * secret which are loaded in tls13_change_key. No master secrets can be
6656 * loaded here, so just return. */
6657 return;
6658 }
6659 ssl_debug_printf("%s state = 0x%02X\n", G_STRFUNC((const char*) (__func__)), ssl->state);
6660 if (ssl->state & SSL_HAVE_SESSION_KEY(1<<3)) {
3
Assuming the condition is false
4
Taking false branch
6661 ssl_debug_printf(" session key already available, nothing to do.\n");
6662 return;
6663 }
6664 if (!(ssl->state & SSL_CIPHER(1<<2))) {
5
Assuming the condition is false
6665 ssl_debug_printf(" Cipher suite (Server Hello) is missing!\n");
6666 return;
6667 }
6668
6669 /* for decryption, there needs to be a master secret (which can be derived
6670 * from pre-master secret). If missing, try to pick a master key from cache
6671 * (an earlier packet in the capture or key logfile). */
6672 if (!(ssl->state & (SSL_MASTER_SECRET(1<<5) | SSL_PRE_MASTER_SECRET(1<<6))) &&
6
Assuming the condition is false
6673 !ssl_restore_master_key(ssl, "Session ID", false0,
6674 mk_map->session, &ssl->session_id) &&
6675 (!ssl->session.is_session_resumed ||
6676 !ssl_restore_master_key(ssl, "Session Ticket", false0,
6677 mk_map->tickets, &ssl->session_ticket)) &&
6678 !ssl_restore_master_key(ssl, "Client Random", false0,
6679 mk_map->crandom, &ssl->client_random)) {
6680 if (ssl->cipher_suite->enc != ENC_NULL0x3D) {
6681 /* how unfortunate, the master secret could not be found */
6682 ssl_debug_printf(" Cannot find master secret\n");
6683 return;
6684 } else {
6685 ssl_debug_printf(" Cannot find master secret, continuing anyway "
6686 "because of a NULL cipher\n");
6687 }
6688 }
6689
6690 if (ssl_generate_keyring_material(ssl) < 0) {
7
Calling 'ssl_generate_keyring_material'
6691 ssl_debug_printf("%s can't generate keyring material\n", G_STRFUNC((const char*) (__func__)));
6692 return;
6693 }
6694 /* Save Client Random/ Session ID for "SSL Export Session keys" */
6695 ssl_save_master_key("Client Random", mk_map->crandom,
6696 &ssl->client_random, &ssl->master_secret);
6697 ssl_save_master_key("Session ID", mk_map->session,
6698 &ssl->session_id, &ssl->master_secret);
6699 /* Only save the new secrets if the server sent the ticket. The client
6700 * ticket might have become stale. */
6701 if (ssl->state & SSL_NEW_SESSION_TICKET(1<<10)) {
6702 ssl_save_master_key("Session Ticket", mk_map->tickets,
6703 &ssl->session_ticket, &ssl->master_secret);
6704 }
6705} /* }}} */
6706
6707/* Load the traffic key secret from the keylog file. */
6708StringInfo *
6709tls13_load_secret(SslDecryptSession *ssl, ssl_master_key_map_t *mk_map,
6710 bool_Bool is_from_server, TLSRecordType type)
6711{
6712 GHashTable *key_map;
6713 const char *label;
6714
6715 if (ssl->session.version != TLSV1DOT3_VERSION0x304 && ssl->session.version != DTLSV1DOT3_VERSION0xfefc) {
6716 ssl_debug_printf("%s TLS version %#x is not 1.3\n", G_STRFUNC((const char*) (__func__)), ssl->session.version);
6717 return NULL((void*)0);
6718 }
6719
6720 if (ssl->client_random.data_len == 0) {
6721 /* May happen if Hello message is missing and Finished is found. */
6722 ssl_debug_printf("%s missing Client Random\n", G_STRFUNC((const char*) (__func__)));
6723 return NULL((void*)0);
6724 }
6725
6726 switch (type) {
6727 case TLS_SECRET_0RTT_APP:
6728 DISSECTOR_ASSERT(!is_from_server)((void) ((!is_from_server) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 6728, "!is_from_server"))));
6729 label = "CLIENT_EARLY_TRAFFIC_SECRET";
6730 key_map = mk_map->tls13_client_early;
6731 break;
6732 case TLS_SECRET_HANDSHAKE:
6733 if (is_from_server) {
6734 label = "SERVER_HANDSHAKE_TRAFFIC_SECRET";
6735 key_map = mk_map->tls13_server_handshake;
6736 } else {
6737 label = "CLIENT_HANDSHAKE_TRAFFIC_SECRET";
6738 key_map = mk_map->tls13_client_handshake;
6739 }
6740 break;
6741 case TLS_SECRET_APP:
6742 if (is_from_server) {
6743 label = "SERVER_TRAFFIC_SECRET_0";
6744 key_map = mk_map->tls13_server_appdata;
6745 } else {
6746 label = "CLIENT_TRAFFIC_SECRET_0";
6747 key_map = mk_map->tls13_client_appdata;
6748 }
6749 break;
6750 default:
6751 ws_assert_not_reached()ws_log_fatal_full("", LOG_LEVEL_ERROR, "epan/dissectors/packet-tls-utils.c"
, 6751, __func__, "assertion \"not reached\" failed");
6752 }
6753
6754 /* Transitioning to new keys, mark old ones as unusable. */
6755 ssl_debug_printf("%s transitioning to new key, old state 0x%02x\n", G_STRFUNC((const char*) (__func__)), ssl->state);
6756 ssl->state &= ~(SSL_MASTER_SECRET(1<<5) | SSL_PRE_MASTER_SECRET(1<<6) | SSL_HAVE_SESSION_KEY(1<<3));
6757
6758 StringInfo *secret = (StringInfo *)g_hash_table_lookup(key_map, &ssl->client_random);
6759 if (!secret) {
6760 ssl_debug_printf("%s Cannot find %s, decryption impossible\n", G_STRFUNC((const char*) (__func__)), label);
6761 /* Disable decryption, the keys are invalid. */
6762 if (is_from_server) {
6763 ssl->server = NULL((void*)0);
6764 } else {
6765 ssl->client = NULL((void*)0);
6766 }
6767 return NULL((void*)0);
6768 }
6769
6770 /* TLS 1.3 secret found, set new keys. */
6771 ssl_debug_printf("%s Retrieved TLS 1.3 traffic secret.\n", G_STRFUNC((const char*) (__func__)));
6772 ssl_print_string("Client Random", &ssl->client_random);
6773 ssl_print_string(label, secret);
6774 return secret;
6775}
6776
6777/* Load the new key. */
6778void
6779tls13_change_key(SslDecryptSession *ssl, ssl_master_key_map_t *mk_map,
6780 bool_Bool is_from_server, TLSRecordType type)
6781{
6782 if (ssl->state & SSL_QUIC_RECORD_LAYER(1<<13)) {
6783 /*
6784 * QUIC does not use the TLS record layer for message protection.
6785 * The required keys will be extracted later by QUIC.
6786 */
6787 return;
6788 }
6789
6790 StringInfo *secret = tls13_load_secret(ssl, mk_map, is_from_server, type);
6791 if (!secret) {
6792 if (type != TLS_SECRET_HANDSHAKE) {
6793 return;
6794 }
6795 /*
6796 * Workaround for when for some reason we don't have the handshake
6797 * secret but do have the application traffic secret. (#20240)
6798 * If we can't find the handshake secret, we'll never decrypt the
6799 * Finished message, so we won't know when to change to the app
6800 * traffic key, so we do so now.
6801 */
6802 type = TLS_SECRET_APP;
6803 secret = tls13_load_secret(ssl, mk_map, is_from_server, type);
6804 if (!secret) {
6805 return;
6806 }
6807 }
6808
6809 if (tls13_generate_keys(ssl, secret, is_from_server)) {
6810 /*
6811 * Remember the application traffic secret to support Key Update. The
6812 * other secrets cannot be used for this purpose, so free them.
6813 */
6814 SslDecoder *decoder = is_from_server ? ssl->server : ssl->client;
6815 StringInfo *app_secret = &decoder->app_traffic_secret;
6816 if (type == TLS_SECRET_APP) {
6817 app_secret->data = (unsigned char *) wmem_realloc(wmem_file_scope(),
6818 app_secret->data,
6819 secret->data_len);
6820 ssl_data_set(app_secret, secret->data, secret->data_len);
6821 } else {
6822 wmem_free(wmem_file_scope(), app_secret->data);
6823 app_secret->data = NULL((void*)0);
6824 app_secret->data_len = 0;
6825 }
6826 }
6827}
6828
6829/**
6830 * Update to next application data traffic secret for TLS 1.3. The previous
6831 * secret should have been set by tls13_change_key.
6832 */
6833void
6834tls13_key_update(SslDecryptSession *ssl, bool_Bool is_from_server)
6835{
6836 /* RFC 8446 Section 7.2:
6837 * application_traffic_secret_N+1 =
6838 * HKDF-Expand-Label(application_traffic_secret_N,
6839 * "traffic upd", "", Hash.length)
6840 *
6841 * Both application_traffic_secret_N are of the same length (Hash.length).
6842 */
6843 const SslCipherSuite *cipher_suite = ssl->cipher_suite;
6844 SslDecoder *decoder = is_from_server ? ssl->server : ssl->client;
6845 StringInfo *app_secret = decoder ? &decoder->app_traffic_secret : NULL((void*)0);
6846 uint8_t tls13_draft_version = ssl->session.tls13_draft_version;
6847
6848 if (!cipher_suite || !app_secret || app_secret->data_len == 0) {
6849 ssl_debug_printf("%s Cannot perform Key Update due to missing info\n", G_STRFUNC((const char*) (__func__)));
6850 return;
6851 }
6852
6853 /*
6854 * Previous traffic secret is available, so find the hash function,
6855 * expand the new traffic secret and generate new keys.
6856 */
6857 const char *hash_name = ssl_cipher_suite_dig(cipher_suite)->name;
6858 int hash_algo = ssl_get_digest_by_name(hash_name);
6859 const unsigned hash_len = app_secret->data_len;
6860 unsigned char *new_secret;
6861 const char *label = "traffic upd";
6862 if (tls13_draft_version && tls13_draft_version < 20) {
6863 label = "application traffic secret";
6864 }
6865 if (!tls13_hkdf_expand_label(hash_algo, app_secret,
6866 tls13_hkdf_label_prefix(ssl),
6867 label, hash_len, &new_secret)) {
6868 ssl_debug_printf("%s traffic_secret_N+1 expansion failed\n", G_STRFUNC((const char*) (__func__)));
6869 return;
6870 }
6871 ssl_data_set(app_secret, new_secret, hash_len);
6872 if (tls13_generate_keys(ssl, app_secret, is_from_server)) {
6873 /*
6874 * Remember the application traffic secret on the new decoder to
6875 * support another Key Update.
6876 */
6877 decoder = is_from_server ? ssl->server : ssl->client;
6878 app_secret = &decoder->app_traffic_secret;
6879 app_secret->data = (unsigned char *) wmem_realloc(wmem_file_scope(),
6880 app_secret->data,
6881 hash_len);
6882 ssl_data_set(app_secret, new_secret, hash_len);
6883 }
6884 wmem_free(NULL((void*)0), new_secret);
6885}
6886
6887void
6888tls_save_crandom(SslDecryptSession *ssl, ssl_master_key_map_t *mk_map)
6889{
6890 if (ssl && (ssl->state & SSL_CLIENT_RANDOM(1<<0))) {
6891 g_hash_table_add(mk_map->used_crandom, ssl_data_clone(&ssl->client_random));
6892 }
6893}
6894
6895/** SSL keylog file handling. {{{ */
6896
6897static GRegex *
6898ssl_compile_keyfile_regex(void)
6899{
6900#define OCTET "(?:[[:xdigit:]]{2})"
6901 const char *pattern =
6902 "(?:"
6903 /* Matches Client Hellos having this Client Random */
6904 "PMS_CLIENT_RANDOM (?<client_random_pms>" OCTET "{32}) "
6905 /* Matches first part of encrypted RSA pre-master secret */
6906 "|RSA (?<encrypted_pmk>" OCTET "{8}) "
6907 /* Pre-Master-Secret is given, it is 48 bytes for RSA,
6908 but it can be of any length for DHE */
6909 ")(?<pms>" OCTET "+)"
6910 "|(?:"
6911 /* Matches Server Hellos having a Session ID */
6912 "RSA Session-ID:(?<session_id>" OCTET "+) Master-Key:"
6913 /* Matches Client Hellos having this Client Random */
6914 "|CLIENT_RANDOM (?<client_random>" OCTET "{32}) "
6915 /* Master-Secret is given, its length is fixed */
6916 ")(?<master_secret>" OCTET "{" G_STRINGIFY(SSL_MASTER_SECRET_LENGTH)"48" "})"
6917 "|(?"
6918 /* TLS 1.3 Client Random to Derived Secrets mapping. */
6919 ":CLIENT_EARLY_TRAFFIC_SECRET (?<client_early>" OCTET "{32})"
6920 "|CLIENT_HANDSHAKE_TRAFFIC_SECRET (?<client_handshake>" OCTET "{32})"
6921 "|SERVER_HANDSHAKE_TRAFFIC_SECRET (?<server_handshake>" OCTET "{32})"
6922 "|CLIENT_TRAFFIC_SECRET_0 (?<client_appdata>" OCTET "{32})"
6923 "|SERVER_TRAFFIC_SECRET_0 (?<server_appdata>" OCTET "{32})"
6924 "|EARLY_EXPORTER_SECRET (?<early_exporter>" OCTET "{32})"
6925 "|EXPORTER_SECRET (?<exporter>" OCTET "{32})"
6926 /* ECH. Secret length is defined by HPKE KEM Nsecret and can vary between 32 and 64 bytes */
6927 /* These labels and their notation are specified in draft-ietf-tls-ech-keylogfile-01 */
6928 "|ECH_SECRET (?<ech_secret>" OCTET "{32,64})"
6929 "|ECH_CONFIG (?<ech_config>" OCTET "{22,})"
6930 ") (?<derived_secret>" OCTET "+)";
6931#undef OCTET
6932 static GRegex *regex = NULL((void*)0);
6933 GError *gerr = NULL((void*)0);
6934
6935 if (!regex) {
6936 regex = g_regex_new(pattern,
6937 (GRegexCompileFlags)(G_REGEX_OPTIMIZE | G_REGEX_ANCHORED | G_REGEX_RAW),
6938 G_REGEX_MATCH_ANCHORED, &gerr);
6939 if (gerr) {
6940 ssl_debug_printf("%s failed to compile regex: %s\n", G_STRFUNC((const char*) (__func__)),
6941 gerr->message);
6942 g_error_free(gerr);
6943 regex = NULL((void*)0);
6944 }
6945 }
6946
6947 return regex;
6948}
6949
6950typedef struct ssl_master_key_match_group {
6951 const char *re_group_name;
6952 GHashTable *master_key_ht;
6953} ssl_master_key_match_group_t;
6954
6955void
6956tls_keylog_process_lines(const ssl_master_key_map_t *mk_map, const uint8_t *data, unsigned datalen)
6957{
6958 ssl_master_key_match_group_t mk_groups[] = {
6959 { "encrypted_pmk", mk_map->pre_master },
6960 { "session_id", mk_map->session },
6961 { "client_random", mk_map->crandom },
6962 { "client_random_pms", mk_map->pms },
6963 /* TLS 1.3 map from Client Random to derived secret. */
6964 { "client_early", mk_map->tls13_client_early },
6965 { "client_handshake", mk_map->tls13_client_handshake },
6966 { "server_handshake", mk_map->tls13_server_handshake },
6967 { "client_appdata", mk_map->tls13_client_appdata },
6968 { "server_appdata", mk_map->tls13_server_appdata },
6969 { "early_exporter", mk_map->tls13_early_exporter },
6970 { "exporter", mk_map->tls13_exporter },
6971 { "ech_secret", mk_map->ech_secret },
6972 { "ech_config", mk_map->ech_config },
6973 };
6974
6975 /* The format of the file is a series of records with one of the following formats:
6976 * - "RSA xxxx yyyy"
6977 * Where xxxx are the first 8 bytes of the encrypted pre-master secret (hex-encoded)
6978 * Where yyyy is the cleartext pre-master secret (hex-encoded)
6979 * (this is the original format introduced with bug 4349)
6980 *
6981 * - "RSA Session-ID:xxxx Master-Key:yyyy"
6982 * Where xxxx is the SSL session ID (hex-encoded)
6983 * Where yyyy is the cleartext master secret (hex-encoded)
6984 * (added to support openssl s_client Master-Key output)
6985 * This is somewhat is a misnomer because there's nothing RSA specific
6986 * about this.
6987 *
6988 * - "PMS_CLIENT_RANDOM xxxx yyyy"
6989 * Where xxxx is the client_random from the ClientHello (hex-encoded)
6990 * Where yyyy is the cleartext pre-master secret (hex-encoded)
6991 * (This format allows SSL connections to be decrypted, if a user can
6992 * capture the PMS but could not recover the MS for a specific session
6993 * with a SSL Server.)
6994 *
6995 * - "CLIENT_RANDOM xxxx yyyy"
6996 * Where xxxx is the client_random from the ClientHello (hex-encoded)
6997 * Where yyyy is the cleartext master secret (hex-encoded)
6998 * (This format allows non-RSA SSL connections to be decrypted, i.e.
6999 * ECDHE-RSA.)
7000 *
7001 * - "CLIENT_EARLY_TRAFFIC_SECRET xxxx yyyy"
7002 * - "CLIENT_HANDSHAKE_TRAFFIC_SECRET xxxx yyyy"
7003 * - "SERVER_HANDSHAKE_TRAFFIC_SECRET xxxx yyyy"
7004 * - "CLIENT_TRAFFIC_SECRET_0 xxxx yyyy"
7005 * - "SERVER_TRAFFIC_SECRET_0 xxxx yyyy"
7006 * - "EARLY_EXPORTER_SECRET xxxx yyyy"
7007 * - "EXPORTER_SECRET xxxx yyyy"
7008 * Where xxxx is the client_random from the ClientHello (hex-encoded)
7009 * Where yyyy is the secret (hex-encoded) derived from the early,
7010 * handshake or master secrets. (This format is introduced with TLS 1.3
7011 * and supported by BoringSSL, OpenSSL, etc. See bug 12779.)
7012 */
7013 GRegex *regex = ssl_compile_keyfile_regex();
7014 if (!regex)
7015 return;
7016
7017 const char *next_line = (const char *)data;
7018 const char *line_end = next_line + datalen;
7019 while (next_line && next_line < line_end) {
7020 const char *line = next_line;
7021 next_line = (const char *)memchr(line, '\n', line_end - line);
7022 ssize_t linelen;
7023
7024 if (next_line) {
7025 linelen = next_line - line;
7026 next_line++; /* drop LF */
7027 } else {
7028 linelen = (ssize_t)(line_end - line);
7029 }
7030 if (linelen > 0 && line[linelen - 1] == '\r') {
7031 linelen--; /* drop CR */
7032 }
7033
7034 ssl_debug_printf(" checking keylog line: %.*s\n", (int)linelen, line);
7035 GMatchInfo *mi;
7036 if (g_regex_match_full(regex, line, linelen, 0, G_REGEX_MATCH_ANCHORED, &mi, NULL((void*)0))) {
7037 char *hex_key, *hex_pre_ms_or_ms;
7038 StringInfo *key = wmem_new(wmem_file_scope(), StringInfo)((StringInfo*)wmem_alloc((wmem_file_scope()), sizeof(StringInfo
)));
7039 StringInfo *pre_ms_or_ms = NULL((void*)0);
7040 GHashTable *ht = NULL((void*)0);
7041
7042 /* Is the PMS being supplied with the PMS_CLIENT_RANDOM
7043 * otherwise we will use the Master Secret
7044 */
7045 hex_pre_ms_or_ms = g_match_info_fetch_named(mi, "master_secret");
7046 if (hex_pre_ms_or_ms == NULL((void*)0) || !*hex_pre_ms_or_ms) {
7047 g_free(hex_pre_ms_or_ms);
7048 hex_pre_ms_or_ms = g_match_info_fetch_named(mi, "pms");
7049 }
7050 if (hex_pre_ms_or_ms == NULL((void*)0) || !*hex_pre_ms_or_ms) {
7051 g_free(hex_pre_ms_or_ms);
7052 hex_pre_ms_or_ms = g_match_info_fetch_named(mi, "derived_secret");
7053 }
7054 /* There is always a match, otherwise the regex is wrong. */
7055 DISSECTOR_ASSERT(hex_pre_ms_or_ms && strlen(hex_pre_ms_or_ms))((void) ((hex_pre_ms_or_ms && strlen(hex_pre_ms_or_ms
)) ? (void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\""
, "epan/dissectors/packet-tls-utils.c", 7055, "hex_pre_ms_or_ms && strlen(hex_pre_ms_or_ms)"
))));
7056
7057 /* convert from hex to bytes and save to hashtable */
7058 pre_ms_or_ms = wmem_new(wmem_file_scope(), StringInfo)((StringInfo*)wmem_alloc((wmem_file_scope()), sizeof(StringInfo
)));
7059 from_hex(pre_ms_or_ms, hex_pre_ms_or_ms, strlen(hex_pre_ms_or_ms));
7060 g_free(hex_pre_ms_or_ms);
7061
7062 /* Find a master key from any format (CLIENT_RANDOM, SID, ...) */
7063 for (unsigned i = 0; i < G_N_ELEMENTS(mk_groups)(sizeof (mk_groups) / sizeof ((mk_groups)[0])); i++) {
7064 ssl_master_key_match_group_t *g = &mk_groups[i];
7065 hex_key = g_match_info_fetch_named(mi, g->re_group_name);
7066 if (hex_key && *hex_key) {
7067 ssl_debug_printf(" matched %s\n", g->re_group_name);
7068 ht = g->master_key_ht;
7069 from_hex(key, hex_key, strlen(hex_key));
7070 g_free(hex_key);
7071 break;
7072 }
7073 g_free(hex_key);
7074 }
7075 DISSECTOR_ASSERT(ht)((void) ((ht) ? (void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\""
, "epan/dissectors/packet-tls-utils.c", 7075, "ht")))); /* Cannot be reached, or regex is wrong. */
7076
7077 g_hash_table_insert(ht, key, pre_ms_or_ms);
7078
7079 } else if (linelen > 0 && line[0] != '#') {
7080 ssl_debug_printf(" unrecognized line\n");
7081 }
7082 /* always free match info even if there is no match. */
7083 g_match_info_free(mi);
7084 }
7085}
7086
7087void
7088ssl_load_keyfile(const char *tls_keylog_filename, FILE **keylog_file,
7089 const ssl_master_key_map_t *mk_map)
7090{
7091 /* no need to try if no key log file is configured. */
7092 if (!tls_keylog_filename || !*tls_keylog_filename) {
7093 ssl_debug_printf("%s dtls/tls.keylog_file is not configured!\n",
7094 G_STRFUNC((const char*) (__func__)));
7095 return;
7096 }
7097
7098 /* Validate regexes before even trying to use it. */
7099 if (!ssl_compile_keyfile_regex()) {
7100 return;
7101 }
7102
7103 ssl_debug_printf("trying to use TLS keylog in %s\n", tls_keylog_filename);
7104
7105 /* if the keylog file was deleted/overwritten, re-open it */
7106 if (*keylog_file && file_needs_reopen(ws_filenofileno(*keylog_file), tls_keylog_filename)) {
7107 ssl_debug_printf("%s file got deleted, trying to re-open\n", G_STRFUNC((const char*) (__func__)));
7108 fclose(*keylog_file);
7109 *keylog_file = NULL((void*)0);
7110 }
7111
7112 if (*keylog_file == NULL((void*)0)) {
7113 *keylog_file = ws_fopenfopen(tls_keylog_filename, "r");
7114 if (!*keylog_file) {
7115 ssl_debug_printf("%s failed to open SSL keylog\n", G_STRFUNC((const char*) (__func__)));
7116 return;
7117 }
7118 }
7119
7120 for (;;) {
7121 char buf[1110], *line;
7122 line = fgets(buf, sizeof(buf), *keylog_file);
7123 if (!line) {
7124 if (feof(*keylog_file)) {
7125 /* Ensure that newly appended keys can be read in the future. */
7126 clearerr(*keylog_file);
7127 } else if (ferror(*keylog_file)) {
7128 ssl_debug_printf("%s Error while reading key log file, closing it!\n", G_STRFUNC((const char*) (__func__)));
7129 fclose(*keylog_file);
7130 *keylog_file = NULL((void*)0);
7131 }
7132 break;
7133 }
7134 tls_keylog_process_lines(mk_map, (uint8_t *)line, (int)strlen(line));
7135 }
7136}
7137/** SSL keylog file handling. }}} */
7138
7139#ifdef SSL_DECRYPT_DEBUG /* {{{ */
7140
7141static FILE* ssl_debug_file;
7142
7143void
7144ssl_set_debug(const char* name)
7145{
7146 static int debug_file_must_be_closed;
7147 int use_stderr;
7148
7149 use_stderr = name?(strcmp(name, SSL_DEBUG_USE_STDERR"-") == 0):0;
7150
7151 if (debug_file_must_be_closed)
7152 fclose(ssl_debug_file);
7153
7154 if (use_stderr)
7155 ssl_debug_file = stderrstderr;
7156 else if (!name || (strcmp(name, "") ==0))
7157 ssl_debug_file = NULL((void*)0);
7158 else
7159 ssl_debug_file = ws_fopenfopen(name, "w");
7160
7161 if (!use_stderr && ssl_debug_file)
7162 debug_file_must_be_closed = 1;
7163 else
7164 debug_file_must_be_closed = 0;
7165
7166 ssl_debug_printf("Wireshark SSL debug log \n\n");
7167#ifdef HAVE_LIBGNUTLS1
7168 ssl_debug_printf("GnuTLS version: %s\n", gnutls_check_version(NULL((void*)0)));
7169#endif
7170 ssl_debug_printf("Libgcrypt version: %s\n", gcry_check_version(NULL((void*)0)));
7171 ssl_debug_printf("\n");
7172}
7173
7174void
7175ssl_debug_flush(void)
7176{
7177 if (ssl_debug_file)
7178 fflush(ssl_debug_file);
7179}
7180
7181void
7182ssl_debug_printf(const char* fmt, ...)
7183{
7184 va_list ap;
7185
7186 if (!ssl_debug_file)
7187 return;
7188
7189 va_start(ap, fmt)__builtin_va_start(ap, fmt);
7190 vfprintf(ssl_debug_file, fmt, ap);
7191 va_end(ap)__builtin_va_end(ap);
7192}
7193
7194void
7195ssl_print_data(const char* name, const unsigned char* data, size_t len)
7196{
7197 size_t i, j, k;
7198 if (!ssl_debug_file)
7199 return;
7200 fprintf(ssl_debug_file,"%s[%d]:\n",name, (int) len);
7201 for (i=0; i<len; i+=16) {
7202 fprintf(ssl_debug_file,"| ");
7203 for (j=i, k=0; k<16 && j<len; ++j, ++k)
7204 fprintf(ssl_debug_file,"%.2x ",data[j]);
7205 for (; k<16; ++k)
7206 fprintf(ssl_debug_file," ");
7207 fputc('|', ssl_debug_file);
7208 for (j=i, k=0; k<16 && j<len; ++j, ++k) {
7209 unsigned char c = data[j];
7210 if (!g_ascii_isprint(c)((g_ascii_table[(guchar) (c)] & G_ASCII_PRINT) != 0) || (c=='\t')) c = '.';
7211 fputc(c, ssl_debug_file);
7212 }
7213 for (; k<16; ++k)
7214 fputc(' ', ssl_debug_file);
7215 fprintf(ssl_debug_file,"|\n");
7216 }
7217}
7218
7219void
7220ssl_print_string(const char* name, const StringInfo* data)
7221{
7222 ssl_print_data(name, data->data, data->data_len);
7223}
7224#endif /* SSL_DECRYPT_DEBUG }}} */
7225
7226/* UAT preferences callbacks. {{{ */
7227/* checks for SSL and DTLS UAT key list fields */
7228
7229bool_Bool
7230ssldecrypt_uat_fld_ip_chk_cb(void* r _U___attribute__((unused)), const char* p _U___attribute__((unused)), unsigned len _U___attribute__((unused)), const void* u1 _U___attribute__((unused)), const void* u2 _U___attribute__((unused)), char** err)
7231{
7232 // This should be removed in favor of Decode As. Make it optional.
7233 *err = NULL((void*)0);
7234 return true1;
7235}
7236
7237bool_Bool
7238ssldecrypt_uat_fld_port_chk_cb(void* r _U___attribute__((unused)), const char* p, unsigned len _U___attribute__((unused)), const void* u1 _U___attribute__((unused)), const void* u2 _U___attribute__((unused)), char** err)
7239{
7240 if (!p || strlen(p) == 0u) {
7241 // This should be removed in favor of Decode As. Make it optional.
7242 *err = NULL((void*)0);
7243 return true1;
7244 }
7245
7246 if (strcmp(p, "start_tls") != 0){
7247 uint16_t port;
7248 if (!ws_strtou16(p, NULL((void*)0), &port)) {
7249 *err = g_strdup("Invalid port given.")g_strdup_inline ("Invalid port given.");
7250 return false0;
7251 }
7252 }
7253
7254 *err = NULL((void*)0);
7255 return true1;
7256}
7257
7258bool_Bool
7259ssldecrypt_uat_fld_fileopen_chk_cb(void* r _U___attribute__((unused)), const char* p, unsigned len _U___attribute__((unused)), const void* u1 _U___attribute__((unused)), const void* u2 _U___attribute__((unused)), char** err)
7260{
7261 ws_statb64struct stat st;
7262
7263 if (!p || strlen(p) == 0u) {
7264 *err = g_strdup("No filename given.")g_strdup_inline ("No filename given.");
7265 return false0;
7266 } else {
7267 if (ws_stat64stat(p, &st) != 0) {
7268 *err = ws_strdup_printf("File '%s' does not exist or access is denied.", p)wmem_strdup_printf(((void*)0), "File '%s' does not exist or access is denied."
, p);
7269 return false0;
7270 }
7271 }
7272
7273 *err = NULL((void*)0);
7274 return true1;
7275}
7276
7277bool_Bool
7278ssldecrypt_uat_fld_password_chk_cb(void *r _U___attribute__((unused)), const char *p _U___attribute__((unused)), unsigned len _U___attribute__((unused)), const void *u1 _U___attribute__((unused)), const void *u2 _U___attribute__((unused)), char **err)
7279{
7280#if defined(HAVE_LIBGNUTLS1)
7281 ssldecrypt_assoc_t* f = (ssldecrypt_assoc_t *)r;
7282 FILE *fp = NULL((void*)0);
7283
7284 if (p && (strlen(p) > 0u)) {
7285 fp = ws_fopenfopen(f->keyfile, "rb");
7286 if (fp) {
7287 char *msg = NULL((void*)0);
7288 gnutls_x509_privkey_t priv_key = rsa_load_pkcs12(fp, p, &msg);
7289 if (!priv_key) {
7290 fclose(fp);
7291 *err = ws_strdup_printf("Could not load PKCS#12 key file: %s", msg)wmem_strdup_printf(((void*)0), "Could not load PKCS#12 key file: %s"
, msg);
7292 g_free(msg);
7293 return false0;
7294 }
7295 g_free(msg);
7296 gnutls_x509_privkey_deinit(priv_key);
7297 fclose(fp);
7298 } else {
7299 *err = ws_strdup_printf("Leave this field blank if the keyfile is not PKCS#12.")wmem_strdup_printf(((void*)0), "Leave this field blank if the keyfile is not PKCS#12."
);
7300 return false0;
7301 }
7302 }
7303
7304 *err = NULL((void*)0);
7305 return true1;
7306#else
7307 *err = g_strdup("Cannot load key files, support is not compiled in.")g_strdup_inline ("Cannot load key files, support is not compiled in."
);
7308 return false0;
7309#endif
7310}
7311/* UAT preferences callbacks. }}} */
7312
7313/** maximum size of ssl_association_info() string */
7314#define SSL_ASSOC_MAX_LEN8192 8192
7315
7316typedef struct ssl_association_info_callback_data
7317{
7318 char *str;
7319 const char *table_protocol;
7320} ssl_association_info_callback_data_t;
7321
7322/**
7323 * callback function used by ssl_association_info() to traverse the SSL associations.
7324 */
7325static void
7326ssl_association_info_(const char *table _U___attribute__((unused)), void *handle, void *user_data)
7327{
7328 ssl_association_info_callback_data_t* data = (ssl_association_info_callback_data_t*)user_data;
7329 const int l = (const int)strlen(data->str);
7330 snprintf(data->str+l, SSL_ASSOC_MAX_LEN8192-l, "'%s' (%s)\n", dissector_handle_get_dissector_name((dissector_handle_t)handle), dissector_handle_get_description((dissector_handle_t)handle));
7331}
7332
7333/**
7334 * @return an information string on the SSL protocol associations. The string must be freed.
7335 */
7336char*
7337ssl_association_info(const char* dissector_table_name, const char* table_protocol)
7338{
7339 ssl_association_info_callback_data_t data;
7340
7341 data.str = (char *)g_malloc0(SSL_ASSOC_MAX_LEN8192);
7342 data.table_protocol = table_protocol;
7343 dissector_table_foreach_handle(dissector_table_name, ssl_association_info_, &data);
7344 return data.str;
7345}
7346
7347
7348/** Begin of code related to dissection of wire data. */
7349
7350/* Helpers for dissecting Variable-Length Vectors. {{{ */
7351bool_Bool
7352ssl_add_vector(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
7353 unsigned offset, unsigned offset_end, uint32_t *ret_length,
7354 int hf_length, uint32_t min_value, uint32_t max_value)
7355{
7356 unsigned veclen_size;
7357 uint32_t veclen_value;
7358 proto_item *pi;
7359
7360 DISSECTOR_ASSERT_CMPUINT(min_value, <=, max_value)((void) ((min_value <= max_value) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion " "min_value" " " "<=" " " "max_value"
" (" "%" "l" "u" " " "<=" " " "%" "l" "u" ")", "epan/dissectors/packet-tls-utils.c"
, 7360, (uint64_t)min_value, (uint64_t)max_value))));
7361 if (offset > offset_end) {
7362 expert_add_info_format(pinfo, tree, &hf->ei.malformed_buffer_too_small,
7363 "Vector offset is past buffer end offset (%u > %u)",
7364 offset, offset_end);
7365 *ret_length = 0;
7366 return false0; /* Cannot read length. */
7367 }
7368
7369 if (max_value > 0xffffff) {
7370 veclen_size = 4;
7371 } else if (max_value > 0xffff) {
7372 veclen_size = 3;
7373 } else if (max_value > 0xff) {
7374 veclen_size = 2;
7375 } else {
7376 veclen_size = 1;
7377 }
7378
7379 if (offset_end - offset < veclen_size) {
7380 proto_tree_add_expert_format(tree, pinfo, &hf->ei.malformed_buffer_too_small,
7381 tvb, offset, offset_end - offset,
7382 "No more room for vector of length %u",
7383 veclen_size);
7384 *ret_length = 0;
7385 return false0; /* Cannot read length. */
7386 }
7387
7388 pi = proto_tree_add_item_ret_uint(tree, hf_length, tvb, offset, veclen_size, ENC_BIG_ENDIAN0x00000000, &veclen_value);
7389 offset += veclen_size;
7390
7391 if (veclen_value < min_value) {
7392 expert_add_info_format(pinfo, pi, &hf->ei.malformed_vector_length,
7393 "Vector length %u is smaller than minimum %u",
7394 veclen_value, min_value);
7395 } else if (veclen_value > max_value) {
7396 expert_add_info_format(pinfo, pi, &hf->ei.malformed_vector_length,
7397 "Vector length %u is larger than maximum %u",
7398 veclen_value, max_value);
7399 }
7400
7401 if (offset_end - offset < veclen_value) {
7402 expert_add_info_format(pinfo, pi, &hf->ei.malformed_buffer_too_small,
7403 "Vector length %u is too large, truncating it to %u",
7404 veclen_value, offset_end - offset);
7405 *ret_length = offset_end - offset;
7406 return false0; /* Length is truncated to avoid overflow. */
7407 }
7408
7409 *ret_length = veclen_value;
7410 return true1; /* Length is OK. */
7411}
7412
7413bool_Bool
7414ssl_end_vector(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
7415 unsigned offset, unsigned offset_end)
7416{
7417 if (offset < offset_end) {
7418 unsigned trailing = offset_end - offset;
7419 proto_tree_add_expert_format(tree, pinfo, &hf->ei.malformed_trailing_data,
7420 tvb, offset, trailing,
7421 "%u trailing byte%s unprocessed",
7422 trailing, plurality(trailing, " was", "s were")((trailing) == 1 ? (" was") : ("s were")));
7423 return false0; /* unprocessed data warning */
7424 } else if (offset > offset_end) {
7425 /*
7426 * Returned offset runs past the end. This should not happen and is
7427 * possibly a dissector bug.
7428 */
7429 unsigned excess = offset - offset_end;
7430 proto_tree_add_expert_format(tree, pinfo, &hf->ei.malformed_buffer_too_small,
7431 tvb, offset_end, excess,
7432 "Dissector processed too much data (%u byte%s)",
7433 excess, plurality(excess, "", "s")((excess) == 1 ? ("") : ("s")));
7434 return false0; /* overflow error */
7435 }
7436
7437 return true1; /* OK, offset matches. */
7438}
7439/** }}} */
7440
7441
7442static uint32_t
7443ssl_dissect_digitally_signed(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
7444 proto_tree *tree, uint32_t offset, uint32_t offset_end,
7445 uint16_t version, int hf_sig_len, int hf_sig);
7446
7447/* change_cipher_spec(20) dissection */
7448void
7449ssl_dissect_change_cipher_spec(ssl_common_dissect_t *hf, tvbuff_t *tvb,
7450 packet_info *pinfo, proto_tree *tree,
7451 uint32_t offset, SslSession *session,
7452 bool_Bool is_from_server,
7453 const SslDecryptSession *ssl)
7454{
7455 /*
7456 * struct {
7457 * enum { change_cipher_spec(1), (255) } type;
7458 * } ChangeCipherSpec;
7459 */
7460 proto_item *ti;
7461 proto_item_set_text(tree,
7462 "%s Record Layer: %s Protocol: Change Cipher Spec",
7463 val_to_str_const(session->version, ssl_version_short_names, "SSL"),
7464 val_to_str_const(SSL_ID_CHG_CIPHER_SPEC, ssl_31_content_type, "unknown"));
7465 ti = proto_tree_add_item(tree, hf->hf.change_cipher_spec, tvb, offset, 1, ENC_NA0x00000000);
7466
7467 if (session->version == TLSV1DOT3_VERSION0x304) {
7468 /* CCS is a dummy message in TLS 1.3, do not parse it further. */
7469 return;
7470 }
7471
7472 /* Remember frame number of first CCS */
7473 uint32_t *ccs_frame = is_from_server ? &session->server_ccs_frame : &session->client_ccs_frame;
7474 if (*ccs_frame == 0)
7475 *ccs_frame = pinfo->num;
7476
7477 /* Use heuristics to detect an abbreviated handshake, assume that missing
7478 * ServerHelloDone implies reusing previously negotiating keys. Then when
7479 * a Session ID or ticket is present, it must be a resumed session.
7480 * Normally this should be done at the Finished message, but that may be
7481 * encrypted so we do it here, at the last cleartext message. */
7482 if (is_from_server && ssl) {
7483 if (session->is_session_resumed) {
7484 const char *resumed = NULL((void*)0);
7485 if (ssl->session_ticket.data_len) {
7486 resumed = "Session Ticket";
7487 } else if (ssl->session_id.data_len) {
7488 resumed = "Session ID";
7489 }
7490 if (resumed) {
7491 ssl_debug_printf("%s Session resumption using %s\n", G_STRFUNC((const char*) (__func__)), resumed);
7492 } else {
7493 /* Can happen if the capture somehow starts in the middle */
7494 ssl_debug_printf("%s No Session resumption, missing packets?\n", G_STRFUNC((const char*) (__func__)));
7495 }
7496 } else {
7497 ssl_debug_printf("%s Not using Session resumption\n", G_STRFUNC((const char*) (__func__)));
7498 }
7499 }
7500 if (is_from_server && session->is_session_resumed)
7501 expert_add_info(pinfo, ti, &hf->ei.resumed);
7502}
7503
7504/** Begin of handshake(22) record dissections */
7505
7506/* Dissects a SignatureScheme (TLS 1.3) or SignatureAndHashAlgorithm (TLS 1.2).
7507 * {{{ */
7508static void
7509tls_dissect_signature_algorithm(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree, uint32_t offset, ja4_data_t *ja4_data)
7510{
7511 uint32_t sighash, hashalg, sigalg;
7512 proto_item *ti_sigalg;
7513 proto_tree *sigalg_tree;
7514
7515 ti_sigalg = proto_tree_add_item_ret_uint(tree, hf->hf.hs_sig_hash_alg, tvb,
7516 offset, 2, ENC_BIG_ENDIAN0x00000000, &sighash);
7517 if (ja4_data) {
7518 wmem_list_append(ja4_data->sighash_list, GUINT_TO_POINTER(sighash)((gpointer) (gulong) (sighash)));
7519 }
7520
7521 sigalg_tree = proto_item_add_subtree(ti_sigalg, hf->ett.hs_sig_hash_alg);
7522
7523 /* TLS 1.2: SignatureAndHashAlgorithm { hash, signature } */
7524 proto_tree_add_item_ret_uint(sigalg_tree, hf->hf.hs_sig_hash_hash, tvb,
7525 offset, 1, ENC_BIG_ENDIAN0x00000000, &hashalg);
7526 proto_tree_add_item_ret_uint(sigalg_tree, hf->hf.hs_sig_hash_sig, tvb,
7527 offset + 1, 1, ENC_BIG_ENDIAN0x00000000, &sigalg);
7528
7529 /* No TLS 1.3 SignatureScheme? Fallback to TLS 1.2 interpretation. */
7530 if (!try_val_to_str(sighash, tls13_signature_algorithm)) {
7531 proto_item_set_text(ti_sigalg, "Signature Algorithm: %s %s (0x%04x)",
7532 val_to_str_const(hashalg, tls_hash_algorithm, "Unknown"),
7533 val_to_str_const(sigalg, tls_signature_algorithm, "Unknown"),
7534 sighash);
7535 }
7536} /* }}} */
7537
7538/* dissect a list of hash algorithms, return the number of bytes dissected
7539 this is used for the signature algorithms extension and for the
7540 TLS1.2 certificate request. {{{ */
7541static int
7542ssl_dissect_hash_alg_list(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree,
7543 packet_info* pinfo, uint32_t offset, uint32_t offset_end, ja4_data_t *ja4_data)
7544{
7545 /* https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1
7546 * struct {
7547 * HashAlgorithm hash;
7548 * SignatureAlgorithm signature;
7549 * } SignatureAndHashAlgorithm;
7550 * SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2>;
7551 */
7552 proto_tree *subtree;
7553 proto_item *ti;
7554 unsigned sh_alg_length;
7555 uint32_t next_offset;
7556
7557 /* SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2> */
7558 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &sh_alg_length,
7559 hf->hf.hs_sig_hash_alg_len, 2, UINT16_MAX(65535) - 1)) {
7560 return offset_end;
7561 }
7562 offset += 2;
7563 next_offset = offset + sh_alg_length;
7564
7565 ti = proto_tree_add_none_format(tree, hf->hf.hs_sig_hash_algs, tvb, offset, sh_alg_length,
7566 "Signature Hash Algorithms (%u algorithm%s)",
7567 sh_alg_length / 2, plurality(sh_alg_length / 2, "", "s")((sh_alg_length / 2) == 1 ? ("") : ("s")));
7568 subtree = proto_item_add_subtree(ti, hf->ett.hs_sig_hash_algs);
7569
7570 while (offset + 2 <= next_offset) {
7571 tls_dissect_signature_algorithm(hf, tvb, subtree, offset, ja4_data);
7572 offset += 2;
7573 }
7574
7575 if (!ssl_end_vector(hf, tvb, pinfo, subtree, offset, next_offset)) {
7576 offset = next_offset;
7577 }
7578
7579 return offset;
7580} /* }}} */
7581
7582/* Dissection of DistinguishedName (for CertificateRequest and
7583 * certificate_authorities extension). {{{ */
7584static uint32_t
7585tls_dissect_certificate_authorities(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
7586 proto_tree *tree, uint32_t offset, uint32_t offset_end)
7587{
7588 proto_item *ti;
7589 proto_tree *subtree;
7590 uint32_t dnames_length, next_offset;
7591 asn1_ctx_t asn1_ctx;
7592 int dnames_count = 100; /* the maximum number of DNs to add to the tree */
7593
7594 /* Note: minimum length is 0 for TLS 1.1/1.2 and 3 for earlier/later */
7595 /* DistinguishedName certificate_authorities<0..2^16-1> */
7596 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &dnames_length,
7597 hf->hf.hs_dnames_len, 0, UINT16_MAX(65535))) {
7598 return offset_end;
7599 }
7600 offset += 2;
7601 next_offset = offset + dnames_length;
7602
7603 if (dnames_length > 0) {
7604 ti = proto_tree_add_none_format(tree,
7605 hf->hf.hs_dnames,
7606 tvb, offset, dnames_length,
7607 "Distinguished Names (%d byte%s)",
7608 dnames_length,
7609 plurality(dnames_length, "", "s")((dnames_length) == 1 ? ("") : ("s")));
7610 subtree = proto_item_add_subtree(ti, hf->ett.dnames);
7611
7612 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true1, pinfo);
7613
7614 while (offset < next_offset) {
7615 /* get the length of the current certificate */
7616 uint32_t name_length;
7617
7618 if (dnames_count-- == 0) {
7619 /* stop adding to tree when the list is considered too large
7620 * https://gitlab.com/wireshark/wireshark/-/issues/16202
7621 Note: dnames_count must be set low enough not to hit the
7622 limit set by PINFO_LAYER_MAX_RECURSION_DEPTH in packet.c
7623 */
7624 ti = proto_tree_add_item(subtree, hf->hf.hs_dnames_truncated,
7625 tvb, offset, next_offset - offset, ENC_NA0x00000000);
7626 proto_item_set_generated(ti);
7627 return next_offset;
7628 }
7629
7630 /* opaque DistinguishedName<1..2^16-1> */
7631 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, next_offset, &name_length,
7632 hf->hf.hs_dname_len, 1, UINT16_MAX(65535))) {
7633 return next_offset;
7634 }
7635 offset += 2;
7636
7637 dissect_x509if_DistinguishedName(false0, tvb, offset, &asn1_ctx,
7638 subtree, hf->hf.hs_dname);
7639 offset += name_length;
7640 }
7641 }
7642 return offset;
7643} /* }}} */
7644
7645
7646/** TLS Extensions (in Client Hello and Server Hello). {{{ */
7647static int
7648ssl_dissect_hnd_hello_ext_sig_hash_algs(ssl_common_dissect_t *hf, tvbuff_t *tvb,
7649 proto_tree *tree, packet_info* pinfo, uint32_t offset, uint32_t offset_end, ja4_data_t *ja4_data)
7650{
7651 return ssl_dissect_hash_alg_list(hf, tvb, tree, pinfo, offset, offset_end, ja4_data);
7652}
7653
7654static int
7655ssl_dissect_hnd_ext_delegated_credentials(ssl_common_dissect_t *hf, tvbuff_t *tvb,
7656 proto_tree *tree, packet_info* pinfo, uint32_t offset, uint32_t offset_end, uint8_t hnd_type)
7657{
7658 if (hnd_type == SSL_HND_CLIENT_HELLO) {
7659 /*
7660 * struct {
7661 * SignatureScheme supported_signature_algorithm<2..2^16-2>;
7662 * } SignatureSchemeList;
7663 */
7664
7665 return ssl_dissect_hash_alg_list(hf, tvb, tree, pinfo, offset, offset_end, NULL((void*)0));
7666 } else {
7667 asn1_ctx_t asn1_ctx;
7668 unsigned pubkey_length, sign_length;
7669
7670 /*
7671 * struct {
7672 * uint32 valid_time;
7673 * SignatureScheme expected_cert_verify_algorithm;
7674 * opaque ASN1_subjectPublicKeyInfo<1..2^24-1>;
7675 * } Credential;
7676 *
7677 * struct {
7678 * Credential cred;
7679 * SignatureScheme algorithm;
7680 * opaque signature<0..2^16-1>;
7681 * } DelegatedCredential;
7682 */
7683
7684 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true1, pinfo);
7685
7686 proto_tree_add_item(tree, hf->hf.hs_cred_valid_time, tvb, offset, 4, ENC_BIG_ENDIAN0x00000000);
7687 offset += 4;
7688
7689 tls_dissect_signature_algorithm(hf, tvb, tree, offset, NULL((void*)0));
7690 offset += 2;
7691
7692 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &pubkey_length,
7693 hf->hf.hs_cred_pubkey_len, 1, G_MAXUINT24((1U << 24) - 1))) {
7694 return offset_end;
7695 }
7696 offset += 3;
7697 dissect_x509af_SubjectPublicKeyInfo(false0, tvb, offset, &asn1_ctx, tree, hf->hf.hs_cred_pubkey);
7698 offset += pubkey_length;
7699
7700 tls_dissect_signature_algorithm(hf, tvb, tree, offset, NULL((void*)0));
7701 offset += 2;
7702
7703 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &sign_length,
7704 hf->hf.hs_cred_signature_len, 1, UINT16_MAX(65535))) {
7705 return offset_end;
7706 }
7707 offset += 2;
7708 proto_tree_add_item(tree, hf->hf.hs_cred_signature,
7709 tvb, offset, sign_length, ENC_ASCII0x00000000|ENC_NA0x00000000);
7710 offset += sign_length;
7711
7712 return offset;
7713 }
7714}
7715
7716static int
7717ssl_dissect_hnd_hello_ext_alps(ssl_common_dissect_t *hf, tvbuff_t *tvb,
7718 packet_info *pinfo, proto_tree *tree,
7719 uint32_t offset, uint32_t offset_end,
7720 uint8_t hnd_type)
7721{
7722
7723 /* https://datatracker.ietf.org/doc/html/draft-vvv-tls-alps-01#section-4 */
7724
7725 switch (hnd_type) {
7726 case SSL_HND_CLIENT_HELLO: {
7727 proto_tree *alps_tree;
7728 proto_item *ti;
7729 uint32_t next_offset, alps_length, name_length;
7730
7731 /*
7732 * opaque ProtocolName<1..2^8-1>;
7733 * struct {
7734 * ProtocolName supported_protocols<2..2^16-1>
7735 * } ApplicationSettingsSupport;
7736 */
7737
7738 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &alps_length,
7739 hf->hf.hs_ext_alps_len, 2, UINT16_MAX(65535))) {
7740 return offset_end;
7741 }
7742 offset += 2;
7743 next_offset = offset + alps_length;
7744
7745 ti = proto_tree_add_item(tree, hf->hf.hs_ext_alps_alpn_list,
7746 tvb, offset, alps_length, ENC_NA0x00000000);
7747 alps_tree = proto_item_add_subtree(ti, hf->ett.hs_ext_alps);
7748
7749 /* Parse list (note missing check for end of vector, ssl_add_vector below
7750 * ensures that data is always available.) */
7751 while (offset < next_offset) {
7752 if (!ssl_add_vector(hf, tvb, pinfo, alps_tree, offset, next_offset, &name_length,
7753 hf->hf.hs_ext_alps_alpn_str_len, 1, UINT8_MAX(255))) {
7754 return next_offset;
7755 }
7756 offset++;
7757
7758 proto_tree_add_item(alps_tree, hf->hf.hs_ext_alps_alpn_str,
7759 tvb, offset, name_length, ENC_ASCII0x00000000|ENC_NA0x00000000);
7760 offset += name_length;
7761 }
7762
7763 return offset;
7764 }
7765 case SSL_HND_ENCRYPTED_EXTS:
7766 /* Opaque blob */
7767 proto_tree_add_item(tree, hf->hf.hs_ext_alps_settings,
7768 tvb, offset, offset_end - offset, ENC_ASCII0x00000000|ENC_NA0x00000000);
7769 break;
7770 }
7771
7772 return offset_end;
7773}
7774
7775static int
7776ssl_dissect_hnd_hello_ext_alpn(ssl_common_dissect_t *hf, tvbuff_t *tvb,
7777 packet_info *pinfo, proto_tree *tree,
7778 uint32_t offset, uint32_t offset_end,
7779 uint8_t hnd_type, SslSession *session,
7780 bool_Bool is_dtls, ja4_data_t *ja4_data)
7781{
7782
7783 /* https://tools.ietf.org/html/rfc7301#section-3.1
7784 * opaque ProtocolName<1..2^8-1>;
7785 * struct {
7786 * ProtocolName protocol_name_list<2..2^16-1>
7787 * } ProtocolNameList;
7788 */
7789 proto_tree *alpn_tree;
7790 proto_item *ti;
7791 uint32_t next_offset, alpn_length, name_length;
7792 uint8_t *proto_name = NULL((void*)0), *client_proto_name = NULL((void*)0);
7793
7794 /* ProtocolName protocol_name_list<2..2^16-1> */
7795 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &alpn_length,
7796 hf->hf.hs_ext_alpn_len, 2, UINT16_MAX(65535))) {
7797 return offset_end;
7798 }
7799 offset += 2;
7800 next_offset = offset + alpn_length;
7801
7802 ti = proto_tree_add_item(tree, hf->hf.hs_ext_alpn_list,
7803 tvb, offset, alpn_length, ENC_NA0x00000000);
7804 alpn_tree = proto_item_add_subtree(ti, hf->ett.hs_ext_alpn);
7805
7806 /* Parse list (note missing check for end of vector, ssl_add_vector below
7807 * ensures that data is always available.) */
7808 while (offset < next_offset) {
7809 /* opaque ProtocolName<1..2^8-1> */
7810 if (!ssl_add_vector(hf, tvb, pinfo, alpn_tree, offset, next_offset, &name_length,
7811 hf->hf.hs_ext_alpn_str_len, 1, UINT8_MAX(255))) {
7812 return next_offset;
7813 }
7814 offset++;
7815
7816 proto_tree_add_item(alpn_tree, hf->hf.hs_ext_alpn_str,
7817 tvb, offset, name_length, ENC_ASCII0x00000000|ENC_NA0x00000000);
7818 if (ja4_data && wmem_strbuf_get_len(ja4_data->alpn) == 0) {
7819 const char alpn_first_char = (char)tvb_get_uint8(tvb,offset);
7820 const char alpn_last_char = (char)tvb_get_uint8(tvb,offset + name_length - 1);
7821 if ((g_ascii_isprint(alpn_first_char)((g_ascii_table[(guchar) (alpn_first_char)] & G_ASCII_PRINT
) != 0)) && g_ascii_isprint(alpn_last_char)((g_ascii_table[(guchar) (alpn_last_char)] & G_ASCII_PRINT
) != 0)) {
7822 wmem_strbuf_append_printf(ja4_data->alpn, "%c%c", alpn_first_char, alpn_last_char);
7823 }
7824 else {
7825 wmem_strbuf_append_printf(ja4_data->alpn, "%x%x",(alpn_first_char >> 4) & 0x0F,
7826 alpn_last_char & 0x0F);
7827 }
7828 }
7829 /* Remember first ALPN ProtocolName entry for server. */
7830 if (hnd_type == SSL_HND_SERVER_HELLO || hnd_type == SSL_HND_ENCRYPTED_EXTENSIONS) {
7831 /* '\0'-terminated string for dissector table match and prefix
7832 * comparison purposes. */
7833 proto_name = tvb_get_string_enc(pinfo->pool, tvb, offset,
7834 name_length, ENC_ASCII0x00000000);
7835 } else if (hnd_type == SSL_HND_CLIENT_HELLO) {
7836 client_proto_name = tvb_get_string_enc(pinfo->pool, tvb, offset,
7837 name_length, ENC_ASCII0x00000000);
7838 }
7839 offset += name_length;
7840 }
7841
7842 /* If ALPN is given in ServerHello, then ProtocolNameList MUST contain
7843 * exactly one "ProtocolName". */
7844 if (proto_name) {
7845 dissector_handle_t handle;
7846
7847 session->alpn_name = wmem_strdup(wmem_file_scope(), proto_name);
7848
7849 if (is_dtls) {
7850 handle = dissector_get_string_handle(dtls_alpn_dissector_table,
7851 proto_name);
7852 } else {
7853 handle = dissector_get_string_handle(ssl_alpn_dissector_table,
7854 proto_name);
7855 if (handle == NULL((void*)0)) {
7856 /* Try prefix matching */
7857 for (size_t i = 0; i < G_N_ELEMENTS(ssl_alpn_prefix_match_protocols)(sizeof (ssl_alpn_prefix_match_protocols) / sizeof ((ssl_alpn_prefix_match_protocols
)[0])); i++) {
7858 const ssl_alpn_prefix_match_protocol_t *alpn_proto = &ssl_alpn_prefix_match_protocols[i];
7859
7860 /* string_string is inappropriate as it compares strings
7861 * while "byte strings MUST NOT be truncated" (RFC 7301) */
7862 if (g_str_has_prefix(proto_name, alpn_proto->proto_prefix)(__builtin_constant_p (alpn_proto->proto_prefix)? __extension__
({ const char * const __str = (proto_name); const char * const
__prefix = (alpn_proto->proto_prefix); gboolean __result =
(0); if (__str == ((void*)0) || __prefix == ((void*)0)) __result
= (g_str_has_prefix) (__str, __prefix); else { const size_t __str_len
= strlen (((__str) + !(__str))); const size_t __prefix_len =
strlen (((__prefix) + !(__prefix))); if (__str_len >= __prefix_len
) __result = memcmp (((__str) + !(__str)), ((__prefix) + !(__prefix
)), __prefix_len) == 0; } __result; }) : (g_str_has_prefix) (
proto_name, alpn_proto->proto_prefix) )) {
7863 handle = find_dissector(alpn_proto->dissector_name);
7864 break;
7865 }
7866 }
7867 }
7868 }
7869 if (handle != NULL((void*)0)) {
7870 /* ProtocolName match, so set the App data dissector handle.
7871 * This may override protocols given via the UAT dialog, but
7872 * since the ALPN hint is precise, do it anyway. */
7873 ssl_debug_printf("%s: changing handle %p to %p (%s)", G_STRFUNC((const char*) (__func__)),
7874 (void *)session->app_handle,
7875 (void *)handle,
7876 dissector_handle_get_dissector_name(handle));
7877 session->app_handle = handle;
7878 }
7879 } else if (client_proto_name) {
7880 // No current use for looking up the handle as the only consumer of this API is currently the QUIC dissector
7881 // and it just needs the string since there are/were various HTTP/3 ALPNs to check for.
7882 session->client_alpn_name = wmem_strdup(wmem_file_scope(), client_proto_name);
7883 }
7884
7885 return offset;
7886}
7887
7888static int
7889ssl_dissect_hnd_hello_ext_npn(ssl_common_dissect_t *hf, tvbuff_t *tvb,
7890 packet_info *pinfo, proto_tree *tree,
7891 uint32_t offset, uint32_t offset_end)
7892{
7893 /* https://tools.ietf.org/html/draft-agl-tls-nextprotoneg-04#page-3
7894 * The "extension_data" field of a "next_protocol_negotiation" extension
7895 * in a "ServerHello" contains an optional list of protocols advertised
7896 * by the server. Protocols are named by opaque, non-empty byte strings
7897 * and the list of protocols is serialized as a concatenation of 8-bit,
7898 * length prefixed byte strings. Implementations MUST ensure that the
7899 * empty string is not included and that no byte strings are truncated.
7900 */
7901 uint32_t npn_length;
7902 proto_tree *npn_tree;
7903
7904 /* List is optional, do not add tree if there are no entries. */
7905 if (offset == offset_end) {
7906 return offset;
7907 }
7908
7909 npn_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset, hf->ett.hs_ext_npn, NULL((void*)0), "Next Protocol Negotiation");
7910
7911 while (offset < offset_end) {
7912 /* non-empty, 8-bit length prefixed strings means range 1..255 */
7913 if (!ssl_add_vector(hf, tvb, pinfo, npn_tree, offset, offset_end, &npn_length,
7914 hf->hf.hs_ext_npn_str_len, 1, UINT8_MAX(255))) {
7915 return offset_end;
7916 }
7917 offset++;
7918
7919 proto_tree_add_item(npn_tree, hf->hf.hs_ext_npn_str,
7920 tvb, offset, npn_length, ENC_ASCII0x00000000|ENC_NA0x00000000);
7921 offset += npn_length;
7922 }
7923
7924 return offset;
7925}
7926
7927static int
7928ssl_dissect_hnd_hello_ext_reneg_info(ssl_common_dissect_t *hf, tvbuff_t *tvb,
7929 packet_info *pinfo, proto_tree *tree,
7930 uint32_t offset, uint32_t offset_end)
7931{
7932 /* https://tools.ietf.org/html/rfc5746#section-3.2
7933 * struct {
7934 * opaque renegotiated_connection<0..255>;
7935 * } RenegotiationInfo;
7936 *
7937 */
7938 proto_tree *reneg_info_tree;
7939 uint32_t reneg_info_length;
7940
7941 reneg_info_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset, hf->ett.hs_ext_reneg_info, NULL((void*)0), "Renegotiation Info extension");
7942
7943 /* opaque renegotiated_connection<0..255> */
7944 if (!ssl_add_vector(hf, tvb, pinfo, reneg_info_tree, offset, offset_end, &reneg_info_length,
7945 hf->hf.hs_ext_reneg_info_len, 0, 255)) {
7946 return offset_end;
7947 }
7948 offset++;
7949
7950 if (reneg_info_length > 0) {
7951 proto_tree_add_item(reneg_info_tree, hf->hf.hs_ext_reneg_info, tvb, offset, reneg_info_length, ENC_NA0x00000000);
7952 offset += reneg_info_length;
7953 }
7954
7955 return offset;
7956}
7957
7958static int
7959ssl_dissect_hnd_hello_ext_key_share_entry(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
7960 proto_tree *tree, uint32_t offset, uint32_t offset_end,
7961 const char **group_name_out)
7962{
7963 /* RFC 8446 Section 4.2.8
7964 * struct {
7965 * NamedGroup group;
7966 * opaque key_exchange<1..2^16-1>;
7967 * } KeyShareEntry;
7968 */
7969 uint32_t key_exchange_length, group;
7970 proto_tree *ks_tree;
7971
7972 ks_tree = proto_tree_add_subtree(tree, tvb, offset, 4, hf->ett.hs_ext_key_share_ks, NULL((void*)0), "Key Share Entry");
7973
7974 proto_tree_add_item_ret_uint(ks_tree, hf->hf.hs_ext_key_share_group, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &group);
7975 offset += 2;
7976 const char *group_name = val_to_str(pinfo->pool, group, ssl_extension_curves, "Unknown (%u)");
7977 proto_item_append_text(ks_tree, ": Group: %s", group_name);
7978 if (group_name_out) {
7979 *group_name_out = !IS_GREASE_TLS(group)((((group) & 0x0f0f) == 0x0a0a) && (((group) &
0xff) == (((group)>>8) & 0xff))) ? group_name : NULL((void*)0);
7980 }
7981
7982 /* opaque key_exchange<1..2^16-1> */
7983 if (!ssl_add_vector(hf, tvb, pinfo, ks_tree, offset, offset_end, &key_exchange_length,
7984 hf->hf.hs_ext_key_share_key_exchange_length, 1, UINT16_MAX(65535))) {
7985 return offset_end; /* Bad (possible truncated) length, skip to end of KeyShare extension. */
7986 }
7987 offset += 2;
7988 proto_item_set_len(ks_tree, 2 + 2 + key_exchange_length);
7989 proto_item_append_text(ks_tree, ", Key Exchange length: %u", key_exchange_length);
7990
7991 proto_tree_add_item(ks_tree, hf->hf.hs_ext_key_share_key_exchange, tvb, offset, key_exchange_length, ENC_NA0x00000000);
7992 offset += key_exchange_length;
7993
7994 return offset;
7995}
7996
7997static int
7998ssl_dissect_hnd_hello_ext_key_share(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
7999 proto_tree *tree, uint32_t offset, uint32_t offset_end,
8000 uint8_t hnd_type)
8001{
8002 proto_tree *key_share_tree;
8003 uint32_t next_offset;
8004 uint32_t client_shares_length;
8005 uint32_t group;
8006 const char *group_name = NULL((void*)0);
8007
8008 if (offset_end <= offset) { /* Check if ext_len == 0 and "overflow" (offset + ext_len) > uint32_t) */
8009 return offset;
8010 }
8011
8012 key_share_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset, hf->ett.hs_ext_key_share, NULL((void*)0), "Key Share extension");
8013
8014 switch(hnd_type){
8015 case SSL_HND_CLIENT_HELLO:
8016 /* KeyShareEntry client_shares<0..2^16-1> */
8017 if (!ssl_add_vector(hf, tvb, pinfo, key_share_tree, offset, offset_end, &client_shares_length,
8018 hf->hf.hs_ext_key_share_client_length, 0, UINT16_MAX(65535))) {
8019 return offset_end;
8020 }
8021 offset += 2;
8022 next_offset = offset + client_shares_length;
8023 const char *sep = " ";
8024 while (offset + 4 <= next_offset) { /* (NamedGroup (2 bytes), key_exchange (1 byte for length, 1 byte minimum data) */
8025 offset = ssl_dissect_hnd_hello_ext_key_share_entry(hf, tvb, pinfo, key_share_tree, offset, next_offset, &group_name);
8026 if (group_name) {
8027 proto_item_append_text(tree, "%s%s", sep, group_name);
8028 sep = ", ";
8029 }
8030 }
8031 if (!ssl_end_vector(hf, tvb, pinfo, key_share_tree, offset, next_offset)) {
8032 return next_offset;
8033 }
8034 break;
8035 case SSL_HND_SERVER_HELLO:
8036 offset = ssl_dissect_hnd_hello_ext_key_share_entry(hf, tvb, pinfo, key_share_tree, offset, offset_end, &group_name);
8037 if (group_name) {
8038 proto_item_append_text(tree, " %s", group_name);
8039 }
8040 break;
8041 case SSL_HND_HELLO_RETRY_REQUEST:
8042 proto_tree_add_item_ret_uint(key_share_tree, hf->hf.hs_ext_key_share_selected_group, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &group);
8043 offset += 2;
8044 group_name = val_to_str(pinfo->pool, group, ssl_extension_curves, "Unknown (%u)");
8045 proto_item_append_text(tree, " %s", group_name);
8046 break;
8047 default: /* no default */
8048 break;
8049 }
8050
8051 return offset;
8052}
8053
8054static int
8055ssl_dissect_hnd_hello_ext_pre_shared_key(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8056 proto_tree *tree, uint32_t offset, uint32_t offset_end,
8057 uint8_t hnd_type)
8058{
8059 /* RFC 8446 Section 4.2.11
8060 * struct {
8061 * opaque identity<1..2^16-1>;
8062 * uint32 obfuscated_ticket_age;
8063 * } PskIdentity;
8064 * opaque PskBinderEntry<32..255>;
8065 * struct {
8066 * select (Handshake.msg_type) {
8067 * case client_hello:
8068 * PskIdentity identities<7..2^16-1>;
8069 * PskBinderEntry binders<33..2^16-1>;
8070 * case server_hello:
8071 * uint16 selected_identity;
8072 * };
8073 * } PreSharedKeyExtension;
8074 */
8075
8076 proto_tree *psk_tree;
8077
8078 psk_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset, hf->ett.hs_ext_pre_shared_key, NULL((void*)0), "Pre-Shared Key extension");
8079
8080 switch (hnd_type){
8081 case SSL_HND_CLIENT_HELLO: {
8082 uint32_t identities_length, identities_end, binders_length;
8083
8084 /* PskIdentity identities<7..2^16-1> */
8085 if (!ssl_add_vector(hf, tvb, pinfo, psk_tree, offset, offset_end, &identities_length,
8086 hf->hf.hs_ext_psk_identities_length, 7, UINT16_MAX(65535))) {
8087 return offset_end;
8088 }
8089 offset += 2;
8090 identities_end = offset + identities_length;
8091
8092 while (offset < identities_end) {
8093 uint32_t identity_length;
8094 proto_tree *identity_tree;
8095
8096 identity_tree = proto_tree_add_subtree(psk_tree, tvb, offset, 4, hf->ett.hs_ext_psk_identity, NULL((void*)0), "PSK Identity (");
8097
8098 /* opaque identity<1..2^16-1> */
8099 if (!ssl_add_vector(hf, tvb, pinfo, identity_tree, offset, identities_end, &identity_length,
8100 hf->hf.hs_ext_psk_identity_identity_length, 1, UINT16_MAX(65535))) {
8101 return identities_end;
8102 }
8103 offset += 2;
8104 proto_item_append_text(identity_tree, "length: %u)", identity_length);
8105
8106 proto_tree_add_item(identity_tree, hf->hf.hs_ext_psk_identity_identity, tvb, offset, identity_length, ENC_BIG_ENDIAN0x00000000);
8107 offset += identity_length;
8108
8109 proto_tree_add_item(identity_tree, hf->hf.hs_ext_psk_identity_obfuscated_ticket_age, tvb, offset, 4, ENC_BIG_ENDIAN0x00000000);
8110 offset += 4;
8111
8112 proto_item_set_len(identity_tree, 2 + identity_length + 4);
8113 }
8114 if (!ssl_end_vector(hf, tvb, pinfo, psk_tree, offset, identities_end)) {
8115 offset = identities_end;
8116 }
8117
8118 /* PskBinderEntry binders<33..2^16-1> */
8119 if (!ssl_add_vector(hf, tvb, pinfo, psk_tree, offset, offset_end, &binders_length,
8120 hf->hf.hs_ext_psk_binders_length, 33, UINT16_MAX(65535))) {
8121 return offset_end;
8122 }
8123 offset += 2;
8124
8125 proto_item *binders_item;
8126 proto_tree *binders_tree;
8127 binders_item = proto_tree_add_item(psk_tree, hf->hf.hs_ext_psk_binders, tvb, offset, binders_length, ENC_NA0x00000000);
8128 binders_tree = proto_item_add_subtree(binders_item, hf->ett.hs_ext_psk_binders);
8129 uint32_t binders_end = offset + binders_length;
8130 while (offset < binders_end) {
8131 uint32_t binder_length;
8132 proto_item *binder_item;
8133 proto_tree *binder_tree;
8134
8135 binder_item = proto_tree_add_item(binders_tree, hf->hf.hs_ext_psk_binder, tvb, offset, 1, ENC_NA0x00000000);
8136 binder_tree = proto_item_add_subtree(binder_item, hf->ett.hs_ext_psk_binder);
8137
8138 /* opaque PskBinderEntry<32..255>; */
8139 if (!ssl_add_vector(hf, tvb, pinfo, binder_tree, offset, binders_end, &binder_length,
8140 hf->hf.hs_ext_psk_binder_binder_length, 32, 255)) {
8141 return binders_end;
8142 }
8143 offset += 1;
8144 proto_item_append_text(binder_tree, " (length: %u)", binder_length);
8145
8146 proto_tree_add_item(binder_tree, hf->hf.hs_ext_psk_binder_binder, tvb, offset, binder_length, ENC_BIG_ENDIAN0x00000000);
8147 offset += binder_length;
8148
8149 proto_item_set_end(binder_item, tvb, offset);
8150 }
8151 }
8152 break;
8153 case SSL_HND_SERVER_HELLO: {
8154 proto_tree_add_item(psk_tree, hf->hf.hs_ext_psk_identity_selected, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
8155 offset += 2;
8156 }
8157 break;
8158 default:
8159 break;
8160 }
8161
8162 return offset;
8163}
8164
8165static uint32_t
8166ssl_dissect_hnd_hello_ext_early_data(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo _U___attribute__((unused)),
8167 proto_tree *tree, uint32_t offset, uint32_t offset_end _U___attribute__((unused)),
8168 uint8_t hnd_type, SslDecryptSession *ssl)
8169{
8170 /* RFC 8446 Section 4.2.10
8171 * struct {} Empty;
8172 * struct {
8173 * select (Handshake.msg_type) {
8174 * case new_session_ticket: uint32 max_early_data_size;
8175 * case client_hello: Empty;
8176 * case encrypted_extensions: Empty;
8177 * };
8178 * } EarlyDataIndication;
8179 */
8180 switch (hnd_type) {
8181 case SSL_HND_CLIENT_HELLO:
8182 /* Remember that early_data will follow the handshake. */
8183 if (ssl) {
8184 ssl_debug_printf("%s found early_data extension\n", G_STRFUNC((const char*) (__func__)));
8185 ssl->has_early_data = true1;
8186 }
8187 break;
8188 case SSL_HND_NEWSESSION_TICKET:
8189 proto_tree_add_item(tree, hf->hf.hs_ext_max_early_data_size, tvb, offset, 4, ENC_BIG_ENDIAN0x00000000);
8190 offset += 4;
8191 break;
8192 default:
8193 break;
8194 }
8195 return offset;
8196}
8197
8198static uint16_t
8199tls_try_get_version(bool_Bool is_dtls, uint16_t version, uint8_t *draft_version)
8200{
8201 if (draft_version) {
8202 *draft_version = 0;
8203 }
8204 if (!is_dtls) {
8205 uint8_t tls13_draft = extract_tls13_draft_version(version);
8206 if (tls13_draft != 0) {
8207 /* This is TLS 1.3 (a draft version). */
8208 if (draft_version) {
8209 *draft_version = tls13_draft;
8210 }
8211 version = TLSV1DOT3_VERSION0x304;
8212 }
8213 if (version == 0xfb17 || version == 0xfb1a) {
8214 /* Unofficial TLS 1.3 draft version for Facebook fizz. */
8215 tls13_draft = (uint8_t)version;
8216 if (draft_version) {
8217 *draft_version = tls13_draft;
8218 }
8219 version = TLSV1DOT3_VERSION0x304;
8220 }
8221 }
8222
8223 switch (version) {
8224 case SSLV3_VERSION0x300:
8225 case TLSV1_VERSION0x301:
8226 case TLSV1DOT1_VERSION0x302:
8227 case TLSV1DOT2_VERSION0x303:
8228 case TLSV1DOT3_VERSION0x304:
8229 case TLCPV1_VERSION0x101:
8230 if (is_dtls)
8231 return SSL_VER_UNKNOWN0;
8232 break;
8233
8234 case DTLSV1DOT0_VERSION0xfeff:
8235 case DTLSV1DOT0_OPENSSL_VERSION0x100:
8236 case DTLSV1DOT2_VERSION0xfefd:
8237 case DTLSV1DOT3_VERSION0xfefc:
8238 if (!is_dtls)
8239 return SSL_VER_UNKNOWN0;
8240 break;
8241
8242 default: /* invalid version number */
8243 return SSL_VER_UNKNOWN0;
8244 }
8245
8246 return version;
8247}
8248
8249static int
8250ssl_dissect_hnd_hello_ext_supported_versions(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8251 proto_tree *tree, uint32_t offset, uint32_t offset_end,
8252 SslSession *session, bool_Bool is_dtls, ja4_data_t *ja4_data)
8253{
8254
8255 /* RFC 8446 Section 4.2.1
8256 * struct {
8257 * ProtocolVersion versions<2..254>; // ClientHello
8258 * } SupportedVersions;
8259 * Note that ServerHello and HelloRetryRequest are handled by the caller.
8260 */
8261 uint32_t versions_length, next_offset;
8262 /* ProtocolVersion versions<2..254> */
8263 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &versions_length,
8264 hf->hf.hs_ext_supported_versions_len, 2, 254)) {
8265 return offset_end;
8266 }
8267 offset++;
8268 next_offset = offset + versions_length;
8269
8270 unsigned version;
8271 unsigned current_version, lowest_version = SSL_VER_UNKNOWN0;
8272 uint8_t draft_version, max_draft_version = 0;
8273 const char *sep = " ";
8274 while (offset + 2 <= next_offset) {
8275 proto_tree_add_item_ret_uint(tree, hf->hf.hs_ext_supported_version, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &version);
8276 offset += 2;
8277
8278 if (!IS_GREASE_TLS(version)((((version) & 0x0f0f) == 0x0a0a) && (((version) &
0xff) == (((version)>>8) & 0xff)))) {
8279 proto_item_append_text(tree, "%s%s", sep, val_to_str(pinfo->pool, version, ssl_versions, "Unknown (0x%04x)"));
8280 sep = ", ";
8281 }
8282
8283 current_version = tls_try_get_version(is_dtls, version, &draft_version);
8284 if (session->version == SSL_VER_UNKNOWN0) {
8285 if (lowest_version == SSL_VER_UNKNOWN0) {
8286 lowest_version = current_version;
8287 } else if (current_version != SSL_VER_UNKNOWN0) {
8288 if (!is_dtls) {
8289 lowest_version = MIN(lowest_version, current_version)(((lowest_version) < (current_version)) ? (lowest_version)
: (current_version));
8290 } else {
8291 lowest_version = MAX(lowest_version, current_version)(((lowest_version) > (current_version)) ? (lowest_version)
: (current_version));
8292 }
8293 }
8294 }
8295 max_draft_version = MAX(draft_version, max_draft_version)(((draft_version) > (max_draft_version)) ? (draft_version)
: (max_draft_version));
8296 if (ja4_data && !IS_GREASE_TLS(version)((((version) & 0x0f0f) == 0x0a0a) && (((version) &
0xff) == (((version)>>8) & 0xff)))) {
8297 /* The DTLS version numbers get mapped to "00" for unknown per
8298 * JA4 spec, but if JA4 ever does support DTLS we'll probably
8299 * need to take the MIN instead of MAX here for DTLS.
8300 */
8301 ja4_data->max_version = MAX(version, ja4_data->max_version)(((version) > (ja4_data->max_version)) ? (version) : (ja4_data
->max_version));
8302 }
8303 }
8304 if (session->version == SSL_VER_UNKNOWN0 && lowest_version != SSL_VER_UNKNOWN0) {
8305 col_set_str(pinfo->cinfo, COL_PROTOCOL,
8306 val_to_str_const(version, ssl_version_short_names, is_dtls ? "DTLS" : "TLS"));
8307 }
8308 if (!ssl_end_vector(hf, tvb, pinfo, tree, offset, next_offset)) {
8309 offset = next_offset;
8310 }
8311
8312 /* XXX remove this when draft 19 support is dropped,
8313 * this is only required for early data decryption. */
8314 if (max_draft_version) {
8315 session->tls13_draft_version = max_draft_version;
8316 }
8317
8318 return offset;
8319}
8320
8321static int
8322ssl_dissect_hnd_hello_ext_cookie(ssl_common_dissect_t *hf, tvbuff_t *tvb,
8323 packet_info *pinfo, proto_tree *tree,
8324 uint32_t offset, uint32_t offset_end)
8325{
8326 /* RFC 8446 Section 4.2.2
8327 * struct {
8328 * opaque cookie<1..2^16-1>;
8329 * } Cookie;
8330 */
8331 uint32_t cookie_length;
8332 /* opaque cookie<1..2^16-1> */
8333 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &cookie_length,
8334 hf->hf.hs_ext_cookie_len, 1, UINT16_MAX(65535))) {
8335 return offset_end;
8336 }
8337 offset += 2;
8338
8339 proto_tree_add_item(tree, hf->hf.hs_ext_cookie, tvb, offset, cookie_length, ENC_NA0x00000000);
8340 offset += cookie_length;
8341
8342 return offset;
8343}
8344
8345static int
8346ssl_dissect_hnd_hello_ext_psk_key_exchange_modes(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8347 proto_tree *tree, uint32_t offset, uint32_t offset_end)
8348{
8349 /* RFC 8446 Section 4.2.9
8350 * enum { psk_ke(0), psk_dhe_ke(1), (255) } PskKeyExchangeMode;
8351 *
8352 * struct {
8353 * PskKeyExchangeMode ke_modes<1..255>;
8354 * } PskKeyExchangeModes;
8355 */
8356 uint32_t ke_modes_length, next_offset;
8357
8358 /* PskKeyExchangeMode ke_modes<1..255> */
8359 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &ke_modes_length,
8360 hf->hf.hs_ext_psk_ke_modes_length, 1, 255)) {
8361 return offset_end;
8362 }
8363 offset++;
8364 next_offset = offset + ke_modes_length;
8365
8366 while (offset < next_offset) {
8367 proto_tree_add_item(tree, hf->hf.hs_ext_psk_ke_mode, tvb, offset, 1, ENC_NA0x00000000);
8368 offset++;
8369 }
8370
8371 return offset;
8372}
8373
8374static uint32_t
8375ssl_dissect_hnd_hello_ext_certificate_authorities(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8376 proto_tree *tree, uint32_t offset, uint32_t offset_end)
8377{
8378 /* RFC 8446 Section 4.2.4
8379 * opaque DistinguishedName<1..2^16-1>;
8380 * struct {
8381 * DistinguishedName authorities<3..2^16-1>;
8382 * } CertificateAuthoritiesExtension;
8383 */
8384 return tls_dissect_certificate_authorities(hf, tvb, pinfo, tree, offset, offset_end);
8385}
8386
8387static int
8388ssl_dissect_hnd_hello_ext_oid_filters(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8389 proto_tree *tree, uint32_t offset, uint32_t offset_end)
8390{
8391 /* RFC 8446 Section 4.2.5
8392 * struct {
8393 * opaque certificate_extension_oid<1..2^8-1>;
8394 * opaque certificate_extension_values<0..2^16-1>;
8395 * } OIDFilter;
8396 * struct {
8397 * OIDFilter filters<0..2^16-1>;
8398 * } OIDFilterExtension;
8399 */
8400 proto_tree *subtree;
8401 uint32_t filters_length, oid_length, values_length, value_offset;
8402 asn1_ctx_t asn1_ctx;
8403 const char *oid, *name;
8404
8405 /* OIDFilter filters<0..2^16-1> */
8406 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &filters_length,
8407 hf->hf.hs_ext_psk_ke_modes_length, 0, UINT16_MAX(65535))) {
8408 return offset_end;
8409 }
8410 offset += 2;
8411 offset_end = offset + filters_length;
8412
8413 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true1, pinfo);
8414
8415 while (offset < offset_end) {
8416 subtree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
8417 hf->ett.hs_ext_oid_filter, NULL((void*)0), "OID Filter");
8418
8419 /* opaque certificate_extension_oid<1..2^8-1> */
8420 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, offset_end, &oid_length,
8421 hf->hf.hs_ext_oid_filters_oid_length, 1, UINT8_MAX(255))) {
8422 return offset_end;
8423 }
8424 offset++;
8425 dissect_ber_object_identifier_str(false0, &asn1_ctx, subtree, tvb, offset,
8426 hf->hf.hs_ext_oid_filters_oid, &oid);
8427 offset += oid_length;
8428
8429 /* Append OID to tree label */
8430 name = oid_resolved_from_string(pinfo->pool, oid);
8431 proto_item_append_text(subtree, " (%s)", name ? name : oid);
8432
8433 /* opaque certificate_extension_values<0..2^16-1> */
8434 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, offset_end, &values_length,
8435 hf->hf.hs_ext_oid_filters_values_length, 0, UINT16_MAX(65535))) {
8436 return offset_end;
8437 }
8438 offset += 2;
8439 proto_item_set_len(subtree, 1 + oid_length + 2 + values_length);
8440 if (values_length > 0) {
8441 value_offset = offset;
8442 value_offset = dissect_ber_identifier(pinfo, subtree, tvb, value_offset, NULL((void*)0), NULL((void*)0), NULL((void*)0));
8443 value_offset = dissect_ber_length(pinfo, subtree, tvb, value_offset, NULL((void*)0), NULL((void*)0));
8444 call_ber_oid_callback(oid, tvb, value_offset, pinfo, subtree, NULL((void*)0));
8445 }
8446 offset += values_length;
8447 }
8448
8449 return offset;
8450}
8451
8452static int
8453ssl_dissect_hnd_hello_ext_server_name(ssl_common_dissect_t *hf, tvbuff_t *tvb,
8454 packet_info *pinfo, proto_tree *tree,
8455 uint32_t offset, uint32_t offset_end)
8456{
8457 /* https://tools.ietf.org/html/rfc6066#section-3
8458 *
8459 * struct {
8460 * NameType name_type;
8461 * select (name_type) {
8462 * case host_name: HostName;
8463 * } name;
8464 * } ServerName;
8465 *
8466 * enum {
8467 * host_name(0), (255)
8468 * } NameType;
8469 *
8470 * opaque HostName<1..2^16-1>;
8471 *
8472 * struct {
8473 * ServerName server_name_list<1..2^16-1>
8474 * } ServerNameList;
8475 */
8476 proto_tree *server_name_tree;
8477 uint32_t list_length, server_name_length, next_offset;
8478
8479 /* The server SHALL include "server_name" extension with empty data. */
8480 if (offset == offset_end) {
8481 return offset;
8482 }
8483
8484 server_name_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset, hf->ett.hs_ext_server_name, NULL((void*)0), "Server Name Indication extension");
8485
8486 /* ServerName server_name_list<1..2^16-1> */
8487 if (!ssl_add_vector(hf, tvb, pinfo, server_name_tree, offset, offset_end, &list_length,
8488 hf->hf.hs_ext_server_name_list_len, 1, UINT16_MAX(65535))) {
8489 return offset_end;
8490 }
8491 offset += 2;
8492 next_offset = offset + list_length;
8493
8494 while (offset < next_offset) {
8495 uint32_t name_type;
8496 const uint8_t *server_name = NULL((void*)0);
8497 proto_tree_add_item_ret_uint(server_name_tree, hf->hf.hs_ext_server_name_type,
8498 tvb, offset, 1, ENC_NA0x00000000, &name_type);
8499 offset++;
8500
8501 /* opaque HostName<1..2^16-1> */
8502 if (!ssl_add_vector(hf, tvb, pinfo, server_name_tree, offset, next_offset, &server_name_length,
8503 hf->hf.hs_ext_server_name_len, 1, UINT16_MAX(65535))) {
8504 return next_offset;
8505 }
8506 offset += 2;
8507
8508 proto_tree_add_item_ret_string(server_name_tree, hf->hf.hs_ext_server_name,
8509 tvb, offset, server_name_length, ENC_ASCII0x00000000|ENC_NA0x00000000,
8510 pinfo->pool, &server_name);
8511 offset += server_name_length;
8512 // Each type must only occur once, so we don't check for duplicates.
8513 if (name_type == 0) {
8514 proto_item_append_text(tree, " name=%s", server_name);
8515 col_append_fstr(pinfo->cinfo, COL_INFO, " (SNI=%s)", server_name);
8516
8517 if (gbl_resolv_flags.handshake_sni_addr_resolution) {
8518 // Client Hello: Client (Src) -> Server (Dst)
8519 switch (pinfo->dst.type) {
8520 case AT_IPv4:
8521 if (pinfo->dst.len == sizeof(uint32_t)) {
8522 add_ipv4_name(*(uint32_t *)pinfo->dst.data, server_name, false0);
8523 }
8524 break;
8525 case AT_IPv6:
8526 if (pinfo->dst.len == sizeof(ws_in6_addr)) {
8527 add_ipv6_name(pinfo->dst.data, server_name, false0);
8528 }
8529 break;
8530 }
8531 }
8532 }
8533 }
8534 return offset;
8535}
8536
8537static int
8538ssl_dissect_hnd_hello_ext_session_ticket(ssl_common_dissect_t *hf, tvbuff_t *tvb,
8539 proto_tree *tree, uint32_t offset, uint32_t offset_end, uint8_t hnd_type, SslDecryptSession *ssl)
8540{
8541 unsigned ext_len = offset_end - offset;
8542 if (hnd_type == SSL_HND_CLIENT_HELLO && ssl && ext_len != 0) {
8543 tvb_ensure_bytes_exist(tvb, offset, ext_len);
8544 /* Save the Session Ticket such that it can be used as identifier for
8545 * restoring a previous Master Secret (in ChangeCipherSpec) */
8546 ssl->session_ticket.data = (unsigned char*)wmem_realloc(wmem_file_scope(),
8547 ssl->session_ticket.data, ext_len);
8548 ssl->session_ticket.data_len = ext_len;
8549 tvb_memcpy(tvb,ssl->session_ticket.data, offset, ext_len);
8550 }
8551 proto_tree_add_item(tree, hf->hf.hs_ext_session_ticket,
8552 tvb, offset, ext_len, ENC_NA0x00000000);
8553 return offset + ext_len;
8554}
8555
8556static int
8557ssl_dissect_hnd_hello_ext_cert_type(ssl_common_dissect_t *hf, tvbuff_t *tvb,
8558 proto_tree *tree, uint32_t offset, uint32_t offset_end,
8559 uint8_t hnd_type, uint16_t ext_type, SslSession *session)
8560{
8561 uint8_t cert_list_length;
8562 uint8_t cert_type;
8563 proto_tree *cert_list_tree;
8564 proto_item *ti;
8565
8566 switch(hnd_type){
8567 case SSL_HND_CLIENT_HELLO:
8568 cert_list_length = tvb_get_uint8(tvb, offset);
8569 proto_tree_add_item(tree, hf->hf.hs_ext_cert_types_len,
8570 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
8571 offset += 1;
8572 if (offset_end - offset != (uint32_t)cert_list_length)
8573 return offset;
8574
8575 ti = proto_tree_add_item(tree, hf->hf.hs_ext_cert_types, tvb, offset,
8576 cert_list_length, cert_list_length);
8577 proto_item_append_text(ti, " (%d)", cert_list_length);
8578
8579 /* make this a subtree */
8580 cert_list_tree = proto_item_add_subtree(ti, hf->ett.hs_ext_cert_types);
8581
8582 /* loop over all point formats */
8583 while (cert_list_length > 0)
8584 {
8585 proto_tree_add_item(cert_list_tree, hf->hf.hs_ext_cert_type, tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
8586 offset++;
8587 cert_list_length--;
8588 }
8589 break;
8590 case SSL_HND_SERVER_HELLO:
8591 case SSL_HND_ENCRYPTED_EXTENSIONS:
8592 case SSL_HND_CERTIFICATE:
8593 cert_type = tvb_get_uint8(tvb, offset);
8594 proto_tree_add_item(tree, hf->hf.hs_ext_cert_type, tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
8595 offset += 1;
8596 if (ext_type == SSL_HND_HELLO_EXT_CERT_TYPE9 || ext_type == SSL_HND_HELLO_EXT_CLIENT_CERT_TYPE19) {
8597 session->client_cert_type = cert_type;
8598 }
8599 if (ext_type == SSL_HND_HELLO_EXT_CERT_TYPE9 || ext_type == SSL_HND_HELLO_EXT_SERVER_CERT_TYPE20) {
8600 session->server_cert_type = cert_type;
8601 }
8602 break;
8603 default: /* no default */
8604 break;
8605 }
8606
8607 return offset;
8608}
8609
8610static uint32_t
8611ssl_dissect_hnd_hello_ext_compress_certificate(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8612 proto_tree *tree, uint32_t offset, uint32_t offset_end,
8613 uint8_t hnd_type, SslDecryptSession *ssl _U___attribute__((unused)))
8614{
8615 uint32_t compress_certificate_algorithms_length, next_offset;
8616
8617 /* https://tools.ietf.org/html/draft-ietf-tls-certificate-compression-03#section-3.0
8618 * enum {
8619 * zlib(1),
8620 * brotli(2),
8621 * (65535)
8622 * } CertificateCompressionAlgorithm;
8623 *
8624 * struct {
8625 * CertificateCompressionAlgorithm algorithms<1..2^8-1>;
8626 * } CertificateCompressionAlgorithms;
8627 */
8628 switch (hnd_type) {
8629 case SSL_HND_CLIENT_HELLO:
8630 case SSL_HND_CERT_REQUEST:
8631 /* CertificateCompressionAlgorithm algorithms<1..2^8-1>;*/
8632 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &compress_certificate_algorithms_length,
8633 hf->hf.hs_ext_compress_certificate_algorithms_length, 1, UINT8_MAX(255)-1)) {
8634 return offset_end;
8635 }
8636 offset += 1;
8637 next_offset = offset + compress_certificate_algorithms_length;
8638
8639 while (offset < next_offset) {
8640 proto_tree_add_item(tree, hf->hf.hs_ext_compress_certificate_algorithm,
8641 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
8642 offset += 2;
8643 }
8644 break;
8645 default:
8646 break;
8647 }
8648
8649 return offset;
8650}
8651
8652static uint32_t
8653ssl_dissect_hnd_hello_ext_token_binding(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8654 proto_tree *tree, uint32_t offset, uint32_t offset_end,
8655 uint8_t hnd_type, SslDecryptSession *ssl _U___attribute__((unused)))
8656{
8657 uint32_t key_parameters_length, next_offset;
8658 proto_item *p_ti;
8659 proto_tree *p_tree;
8660
8661 /* RFC 8472
8662 *
8663 * struct {
8664 * uint8 major;
8665 * uint8 minor;
8666 * } TB_ProtocolVersion;
8667 *
8668 * enum {
8669 * rsa2048_pkcs1.5(0), rsa2048_pss(1), ecdsap256(2), (255)
8670 * } TokenBindingKeyParameters;
8671 *
8672 * struct {
8673 * TB_ProtocolVersion token_binding_version;
8674 * TokenBindingKeyParameters key_parameters_list<1..2^8-1>
8675 * } TokenBindingParameters;
8676 */
8677
8678 switch (hnd_type) {
8679 case SSL_HND_CLIENT_HELLO:
8680 case SSL_HND_SERVER_HELLO:
8681 proto_tree_add_item(tree, hf->hf.hs_ext_token_binding_version_major, tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
8682 offset += 1;
8683 proto_tree_add_item(tree, hf->hf.hs_ext_token_binding_version_minor, tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
8684 offset += 1;
8685
8686 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &key_parameters_length,
8687 hf->hf.hs_ext_token_binding_key_parameters_length, 1, UINT8_MAX(255))) {
8688 return offset_end;
8689 }
8690 offset += 1;
8691 next_offset = offset + key_parameters_length;
8692
8693 p_ti = proto_tree_add_none_format(tree,
8694 hf->hf.hs_ext_token_binding_key_parameters,
8695 tvb, offset, key_parameters_length,
8696 "Key parameters identifiers (%d identifier%s)",
8697 key_parameters_length,
8698 plurality(key_parameters_length, "", "s")((key_parameters_length) == 1 ? ("") : ("s")));
8699 p_tree = proto_item_add_subtree(p_ti, hf->ett.hs_ext_token_binding_key_parameters);
8700
8701 while (offset < next_offset) {
8702 proto_tree_add_item(p_tree, hf->hf.hs_ext_token_binding_key_parameter,
8703 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
8704 offset += 1;
8705 }
8706
8707 if (!ssl_end_vector(hf, tvb, pinfo, p_tree, offset, next_offset)) {
8708 offset = next_offset;
8709 }
8710
8711 break;
8712 default:
8713 break;
8714 }
8715
8716 return offset;
8717}
8718
8719static uint32_t
8720ssl_dissect_hnd_hello_ext_quic_transport_parameters(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8721 proto_tree *tree, uint32_t offset, uint32_t offset_end,
8722 uint8_t hnd_type, SslDecryptSession *ssl _U___attribute__((unused)))
8723{
8724 bool_Bool use_varint_encoding = true1; // Whether this is draft -27 or newer.
8725 uint32_t next_offset;
8726
8727 /* https://tools.ietf.org/html/draft-ietf-quic-transport-25#section-18
8728 *
8729 * Note: the following structures are not literally defined in the spec,
8730 * they instead use an ASCII diagram.
8731 *
8732 * struct {
8733 * uint16 id;
8734 * opaque value<0..2^16-1>;
8735 * } TransportParameter; // before draft -27
8736 * TransportParameter TransportParameters<0..2^16-1>; // before draft -27
8737 *
8738 * struct {
8739 * opaque ipv4Address[4];
8740 * uint16 ipv4Port;
8741 * opaque ipv6Address[16];
8742 * uint16 ipv6Port;
8743 * opaque connectionId<0..18>;
8744 * opaque statelessResetToken[16];
8745 * } PreferredAddress;
8746 */
8747
8748 if (offset_end - offset >= 6 &&
8749 2 + (unsigned)tvb_get_ntohs(tvb, offset) == offset_end - offset &&
8750 6 + (unsigned)tvb_get_ntohs(tvb, offset + 4) <= offset_end - offset) {
8751 // Assume encoding of Transport Parameters draft -26 or older with at
8752 // least one transport parameter that has a valid length.
8753 use_varint_encoding = false0;
8754 }
8755
8756 if (use_varint_encoding) {
8757 next_offset = offset_end;
8758 } else {
8759 uint32_t quic_length;
8760 // Assume draft -26 or earlier.
8761 /* TransportParameter TransportParameters<0..2^16-1>; */
8762 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &quic_length,
8763 hf->hf.hs_ext_quictp_len, 0, UINT16_MAX(65535))) {
8764 return offset_end;
8765 }
8766 offset += 2;
8767 next_offset = offset + quic_length;
8768 }
8769
8770 while (offset < next_offset) {
8771 uint64_t parameter_type; /* 62-bit space */
8772 uint32_t parameter_length;
8773 proto_tree *parameter_tree;
8774 uint32_t parameter_end_offset;
8775 uint64_t value;
8776 uint32_t len = 0, i;
8777
8778 parameter_tree = proto_tree_add_subtree(tree, tvb, offset, 2, hf->ett.hs_ext_quictp_parameter,
8779 NULL((void*)0), "Parameter");
8780 /* TransportParameter ID and Length. */
8781 if (use_varint_encoding) {
8782 uint64_t parameter_length64;
8783 uint32_t type_len = 0;
8784
8785 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_type,
8786 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &parameter_type, &type_len);
8787 offset += type_len;
8788
8789 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_len,
8790 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &parameter_length64, &len);
8791 parameter_length = (uint32_t)parameter_length64;
8792 offset += len;
8793
8794 proto_item_set_len(parameter_tree, type_len + len + parameter_length);
8795 } else {
8796 parameter_type = tvb_get_ntohs(tvb, offset);
8797 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_type,
8798 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
8799 offset += 2;
8800
8801 /* opaque value<0..2^16-1> */
8802 if (!ssl_add_vector(hf, tvb, pinfo, parameter_tree, offset, next_offset, &parameter_length,
8803 hf->hf.hs_ext_quictp_parameter_len_old, 0, UINT16_MAX(65535))) {
8804 return next_offset;
8805 }
8806 offset += 2;
8807
8808 proto_item_set_len(parameter_tree, 4 + parameter_length);
8809 }
8810
8811 if (IS_GREASE_QUIC(parameter_type)((parameter_type) > 27 ? ((((parameter_type) - 27) % 31) ==
0) : 0)) {
8812 proto_item_append_text(parameter_tree, ": GREASE");
8813 } else {
8814 proto_item_append_text(parameter_tree, ": %s", val64_to_str_wmem(pinfo->pool, parameter_type, quic_transport_parameter_id, "Unknown 0x%04x"));
8815 }
8816
8817 proto_item_append_text(parameter_tree, " (len=%u)", parameter_length);
8818 parameter_end_offset = offset + parameter_length;
8819
8820 /* Omit the value field if the parameter's length is 0. */
8821 if (parameter_length != 0) {
8822 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_value,
8823 tvb, offset, parameter_length, ENC_NA0x00000000);
8824 }
8825
8826 switch (parameter_type) {
8827 case SSL_HND_QUIC_TP_ORIGINAL_DESTINATION_CONNECTION_ID0x00:
8828 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_original_destination_connection_id,
8829 tvb, offset, parameter_length, ENC_NA0x00000000);
8830 offset += parameter_length;
8831 break;
8832 case SSL_HND_QUIC_TP_MAX_IDLE_TIMEOUT0x01:
8833 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_max_idle_timeout,
8834 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8835 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u" " ms", value);
8836 offset += len;
8837 break;
8838 case SSL_HND_QUIC_TP_STATELESS_RESET_TOKEN0x02:
8839 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_stateless_reset_token,
8840 tvb, offset, 16, ENC_BIG_ENDIAN0x00000000);
8841 quic_add_stateless_reset_token(pinfo, tvb, offset, NULL((void*)0));
8842 offset += 16;
8843 break;
8844 case SSL_HND_QUIC_TP_MAX_UDP_PAYLOAD_SIZE0x03:
8845 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_max_udp_payload_size,
8846 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8847 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8848 /*TODO display expert info about invalid value (< 1252 or >65527) ? */
8849 offset += len;
8850 break;
8851 case SSL_HND_QUIC_TP_INITIAL_MAX_DATA0x04:
8852 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_data,
8853 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8854 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8855 offset += len;
8856 break;
8857 case SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_BIDI_LOCAL0x05:
8858 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_stream_data_bidi_local,
8859 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8860 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8861 offset += len;
8862 break;
8863 case SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_BIDI_REMOTE0x06:
8864 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_stream_data_bidi_remote,
8865 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8866 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8867 offset += len;
8868 break;
8869 case SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_UNI0x07:
8870 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_stream_data_uni,
8871 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8872 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8873 offset += len;
8874 break;
8875 case SSL_HND_QUIC_TP_INITIAL_MAX_STREAMS_UNI0x09:
8876 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_streams_uni,
8877 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8878 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8879 offset += len;
8880 break;
8881 case SSL_HND_QUIC_TP_INITIAL_MAX_STREAMS_BIDI0x08:
8882 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_streams_bidi,
8883 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8884 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8885 offset += len;
8886 break;
8887 case SSL_HND_QUIC_TP_ACK_DELAY_EXPONENT0x0a:
8888 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_ack_delay_exponent,
8889 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, NULL((void*)0), &len);
8890 /*TODO display multiplier (x8) and expert info about invalid value (> 20) ? */
8891 offset += len;
8892 break;
8893 case SSL_HND_QUIC_TP_MAX_ACK_DELAY0x0b:
8894 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_max_ack_delay,
8895 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8896 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8897 offset += len;
8898 break;
8899 case SSL_HND_QUIC_TP_DISABLE_ACTIVE_MIGRATION0x0c:
8900 /* No Payload */
8901 break;
8902 case SSL_HND_QUIC_TP_PREFERRED_ADDRESS0x0d: {
8903 uint32_t connectionid_length;
8904 quic_cid_t cid;
8905
8906 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_ipv4address,
8907 tvb, offset, 4, ENC_BIG_ENDIAN0x00000000);
8908 offset += 4;
8909 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_ipv4port,
8910 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
8911 offset += 2;
8912 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_ipv6address,
8913 tvb, offset, 16, ENC_NA0x00000000);
8914 offset += 16;
8915 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_ipv6port,
8916 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
8917 offset += 2;
8918 /* XXX - Should we add these addresses and ports as addresses that the client
8919 * is allowed / expected to migrate the server address to? Right now we don't
8920 * enforce that (see RFC 9000 Section 9, which implies that while the client
8921 * can migrate to whatever address it wants, it can only migrate the server
8922 * address to the Server's Preferred Address as in 9.6. Also Issue #20165.)
8923 */
8924
8925 if (!ssl_add_vector(hf, tvb, pinfo, parameter_tree, offset, offset_end, &connectionid_length,
8926 hf->hf.hs_ext_quictp_parameter_pa_connectionid_length, 0, 20)) {
8927 break;
8928 }
8929 offset += 1;
8930
8931 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_connectionid,
8932 tvb, offset, connectionid_length, ENC_NA0x00000000);
8933 if (connectionid_length >= 1 && connectionid_length <= QUIC_MAX_CID_LENGTH20) {
8934 cid.len = connectionid_length;
8935 // RFC 9000 5.1.1 "If the preferred_address transport
8936 // parameter is sent, the sequence number of the supplied
8937 // connection ID is 1."
8938 cid.seq_num = 1;
8939 // Multipath draft-07 "Also, the Path Identifier for the
8940 // connection ID specified in the "preferred address"
8941 // transport parameter is 0."
8942 cid.path_id = 0;
8943 tvb_memcpy(tvb, cid.cid, offset, connectionid_length);
8944 quic_add_connection(pinfo, &cid);
8945 }
8946 offset += connectionid_length;
8947
8948 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_statelessresettoken,
8949 tvb, offset, 16, ENC_NA0x00000000);
8950 if (connectionid_length >= 1 && connectionid_length <= QUIC_MAX_CID_LENGTH20) {
8951 quic_add_stateless_reset_token(pinfo, tvb, offset, &cid);
8952 }
8953 offset += 16;
8954 }
8955 break;
8956 case SSL_HND_QUIC_TP_ACTIVE_CONNECTION_ID_LIMIT0x0e:
8957 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_active_connection_id_limit,
8958 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8959 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8960 offset += len;
8961 break;
8962 case SSL_HND_QUIC_TP_INITIAL_SOURCE_CONNECTION_ID0x0f:
8963 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_source_connection_id,
8964 tvb, offset, parameter_length, ENC_NA0x00000000);
8965 offset += parameter_length;
8966 break;
8967 case SSL_HND_QUIC_TP_RETRY_SOURCE_CONNECTION_ID0x10:
8968 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_retry_source_connection_id,
8969 tvb, offset, parameter_length, ENC_NA0x00000000);
8970 offset += parameter_length;
8971 break;
8972 case SSL_HND_QUIC_TP_MAX_DATAGRAM_FRAME_SIZE0x20:
8973 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_max_datagram_frame_size,
8974 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8975 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8976 offset += len;
8977 break;
8978 case SSL_HND_QUIC_TP_CIBIR_ENCODING0x1000:
8979 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_cibir_encoding_length,
8980 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8981 proto_item_append_text(parameter_tree, " Length: %" PRIu64"l" "u", value);
8982 offset += len;
8983 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_cibir_encoding_offset,
8984 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8985 proto_item_append_text(parameter_tree, ", Offset: %" PRIu64"l" "u", value);
8986 offset += len;
8987 break;
8988 case SSL_HND_QUIC_TP_LOSS_BITS0x1057:
8989 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_loss_bits,
8990 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8991 if (len > 0) {
8992 quic_add_loss_bits(pinfo, value);
8993 }
8994 offset += 1;
8995 break;
8996 case SSL_HND_QUIC_TP_ADDRESS_DISCOVERY0x9f81a176:
8997 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_address_discovery,
8998 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, NULL((void*)0), &len);
8999 offset += len;
9000 break;
9001 case SSL_HND_QUIC_TP_MIN_ACK_DELAY_OLD0xde1a:
9002 case SSL_HND_QUIC_TP_MIN_ACK_DELAY_DRAFT_V10xFF03DE1A:
9003 case SSL_HND_QUIC_TP_MIN_ACK_DELAY_DRAFT050xff04de1a:
9004 case SSL_HND_QUIC_TP_MIN_ACK_DELAY0xff04de1b:
9005 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_min_ack_delay,
9006 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9007 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
9008 offset += len;
9009 break;
9010 case SSL_HND_QUIC_TP_GOOGLE_USER_AGENT0x3129:
9011 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_user_agent_id,
9012 tvb, offset, parameter_length, ENC_ASCII0x00000000|ENC_NA0x00000000);
9013 offset += parameter_length;
9014 break;
9015 case SSL_HND_QUIC_TP_GOOGLE_KEY_UPDATE_NOT_YET_SUPPORTED0x312B:
9016 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_key_update_not_yet_supported,
9017 tvb, offset, parameter_length, ENC_NA0x00000000);
9018 offset += parameter_length;
9019 break;
9020 case SSL_HND_QUIC_TP_GOOGLE_QUIC_VERSION0x4752:
9021 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_quic_version,
9022 tvb, offset, 4, ENC_BIG_ENDIAN0x00000000);
9023 offset += 4;
9024 if (hnd_type == SSL_HND_ENCRYPTED_EXTENSIONS) { /* From server */
9025 uint32_t versions_length;
9026
9027 proto_tree_add_item_ret_uint(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_supported_versions_length,
9028 tvb, offset, 1, ENC_NA0x00000000, &versions_length);
9029 offset += 1;
9030 for (i = 0; i < versions_length / 4; i++) {
9031 quic_proto_tree_add_version(tvb, parameter_tree,
9032 hf->hf.hs_ext_quictp_parameter_google_supported_version, offset);
9033 offset += 4;
9034 }
9035 }
9036 break;
9037 case SSL_HND_QUIC_TP_GOOGLE_INITIAL_RTT0x3127:
9038 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_initial_rtt,
9039 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9040 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u" " us", value);
9041 offset += len;
9042 break;
9043 case SSL_HND_QUIC_TP_GOOGLE_SUPPORT_HANDSHAKE_DONE0x312A:
9044 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_support_handshake_done,
9045 tvb, offset, parameter_length, ENC_NA0x00000000);
9046 offset += parameter_length;
9047 break;
9048 case SSL_HND_QUIC_TP_GOOGLE_QUIC_PARAMS0x4751:
9049 /* This field was used for non-standard Google-specific parameters encoded as a
9050 * Google QUIC_CRYPTO CHLO and it has been replaced (version >= T051) by individual
9051 * parameters. Report it as a bytes blob... */
9052 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_quic_params,
9053 tvb, offset, parameter_length, ENC_NA0x00000000);
9054 /* ... and try decoding it: not sure what the first 4 bytes are (but they seems to be always 0) */
9055 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_quic_params_unknown_field,
9056 tvb, offset, 4, ENC_NA0x00000000);
9057 dissect_gquic_tags(tvb, pinfo, parameter_tree, offset + 4);
9058 offset += parameter_length;
9059 break;
9060 case SSL_HND_QUIC_TP_GOOGLE_CONNECTION_OPTIONS0x3128:
9061 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_connection_options,
9062 tvb, offset, parameter_length, ENC_NA0x00000000);
9063 offset += parameter_length;
9064 break;
9065 case SSL_HND_QUIC_TP_ENABLE_TIME_STAMP0x7157:
9066 /* No Payload */
9067 break;
9068 case SSL_HND_QUIC_TP_ENABLE_TIME_STAMP_V20x7158:
9069 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_enable_time_stamp_v2,
9070 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9071 offset += parameter_length;
9072 break;
9073 case SSL_HND_QUIC_TP_VERSION_INFORMATION_DRAFT0xff73db:
9074 case SSL_HND_QUIC_TP_VERSION_INFORMATION0x11:
9075 quic_proto_tree_add_version(tvb, parameter_tree,
9076 hf->hf.hs_ext_quictp_parameter_chosen_version, offset);
9077 offset += 4;
9078 for (i = 4; i < parameter_length; i += 4) {
9079 quic_proto_tree_add_version(tvb, parameter_tree,
9080 hf->hf.hs_ext_quictp_parameter_other_version, offset);
9081 offset += 4;
9082 }
9083 break;
9084 case SSL_HND_QUIC_TP_GREASE_QUIC_BIT0x2ab2:
9085 /* No Payload */
9086 quic_add_grease_quic_bit(pinfo);
9087 break;
9088 case SSL_HND_QUIC_TP_FACEBOOK_PARTIAL_RELIABILITY0xFF00:
9089 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_facebook_partial_reliability,
9090 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9091 offset += parameter_length;
9092 break;
9093 case SSL_HND_QUIC_TP_ENABLE_MULTIPATH_DRAFT040x0f739bbc1b666d04:
9094 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_enable_multipath,
9095 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9096 if (value == 1) {
9097 quic_add_multipath(pinfo, QUIC_MP_NO_PATH_ID1);
9098 }
9099 offset += parameter_length;
9100 break;
9101 case SSL_HND_QUIC_TP_ENABLE_MULTIPATH_DRAFT050x0f739bbc1b666d05:
9102 case SSL_HND_QUIC_TP_ENABLE_MULTIPATH0x0f739bbc1b666d06:
9103 /* No Payload */
9104 quic_add_multipath(pinfo, QUIC_MP_NO_PATH_ID1);
9105 break;
9106 case SSL_HND_QUIC_TP_INITIAL_MAX_PATHS0x0f739bbc1b666d07:
9107 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_paths,
9108 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9109 if (value > 1) {
9110 quic_add_multipath(pinfo, QUIC_MP_PATH_ID2);
9111 }
9112 /* multipath draft-07: "The value of the initial_max_paths
9113 * parameter MUST be at least 2." TODO: Expert Info? */
9114 offset += parameter_length;
9115 break;
9116 case SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT090x0f739bbc1b666d09:
9117 case SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT110x0f739bbc1b666d11:
9118 case SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT120x0f739bbc1b666d0c:
9119 case SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID0x0f739bbc1b666d0d:
9120 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_path_id,
9121 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9122 /* multipath draft-09 and later: "If an endpoint receives an
9123 * initial_max_path_id transport parameter with value 0, the
9124 * peer aims to enable the multipath extension without allowing
9125 * extra paths immediately."
9126 */
9127 quic_add_multipath(pinfo, QUIC_MP_PATH_ID2);
9128 offset += parameter_length;
9129 break;
9130 default:
9131 offset += parameter_length;
9132 /*TODO display expert info about unknown ? */
9133 break;
9134 }
9135
9136 if (!ssl_end_vector(hf, tvb, pinfo, parameter_tree, offset, parameter_end_offset)) {
9137 /* Dissection did not end at expected location, fix it. */
9138 offset = parameter_end_offset;
9139 }
9140 }
9141
9142 return offset;
9143}
9144
9145static int
9146ssl_dissect_hnd_hello_common(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9147 proto_tree *tree, uint32_t offset,
9148 SslSession *session, SslDecryptSession *ssl,
9149 bool_Bool from_server, bool_Bool is_hrr)
9150{
9151 uint8_t sessid_length;
9152 proto_item *ti;
9153 proto_tree *rnd_tree;
9154 proto_tree *ti_rnd;
9155 proto_tree *ech_confirm_tree;
9156 uint8_t draft_version = session->tls13_draft_version;
9157
9158 if (ssl) {
9159 StringInfo *rnd;
9160 if (from_server)
9161 rnd = &ssl->server_random;
9162 else
9163 rnd = &ssl->client_random;
9164
9165 /* save provided random for later keyring generation */
9166 tvb_memcpy(tvb, rnd->data, offset, 32);
9167 rnd->data_len = 32;
9168 if (from_server)
9169 ssl->state |= SSL_SERVER_RANDOM(1<<1);
9170 else
9171 ssl->state |= SSL_CLIENT_RANDOM(1<<0);
9172 ssl_debug_printf("%s found %s RANDOM -> state 0x%02X\n", G_STRFUNC((const char*) (__func__)),
9173 from_server ? "SERVER" : "CLIENT", ssl->state);
9174 }
9175
9176 if (!from_server && session->client_random.data_len == 0) {
9177 session->client_random.data_len = 32;
9178 tvb_memcpy(tvb, session->client_random.data, offset, 32);
9179 }
9180
9181 ti_rnd = proto_tree_add_item(tree, hf->hf.hs_random, tvb, offset, 32, ENC_NA0x00000000);
9182
9183 if ((session->version != TLSV1DOT3_VERSION0x304) && (session->version != DTLSV1DOT3_VERSION0xfefc)) { /* No time on first bytes random with TLS 1.3 */
9184
9185 rnd_tree = proto_item_add_subtree(ti_rnd, hf->ett.hs_random);
9186 /* show the time */
9187 proto_tree_add_item(rnd_tree, hf->hf.hs_random_time,
9188 tvb, offset, 4, ENC_TIME_SECS0x00000012|ENC_BIG_ENDIAN0x00000000);
9189 offset += 4;
9190
9191 /* show the random bytes */
9192 proto_tree_add_item(rnd_tree, hf->hf.hs_random_bytes,
9193 tvb, offset, 28, ENC_NA0x00000000);
9194 offset += 28;
9195 } else {
9196 if (is_hrr) {
9197 proto_item_append_text(ti_rnd, " (HelloRetryRequest magic)");
9198 } else if (from_server && session->ech) {
9199 ech_confirm_tree = proto_item_add_subtree(ti_rnd, hf->ett.hs_random);
9200 proto_tree_add_item(ech_confirm_tree, hf->hf.hs_ech_confirm, tvb, offset + 24, 8, ENC_NA0x00000000);
9201 ti = proto_tree_add_bytes_with_length(ech_confirm_tree, hf->hf.hs_ech_confirm_compute, tvb, offset + 24, 0,
9202 session->ech_confirmation, 8);
9203 proto_item_set_generated(ti);
9204 if (memcmp(session->ech_confirmation, tvb_get_ptr(tvb, offset+24, 8), 8)) {
9205 expert_add_info(pinfo, ti, &hf->ei.ech_rejected);
9206 } else {
9207 expert_add_info(pinfo, ti, &hf->ei.ech_accepted);
9208 }
9209 }
9210
9211 offset += 32;
9212 }
9213
9214 /* No Session ID with TLS 1.3 on Server Hello before draft -22 */
9215 if (from_server == 0 || !(session->version == TLSV1DOT3_VERSION0x304 && draft_version > 0 && draft_version < 22)) {
9216 /* show the session id (length followed by actual Session ID) */
9217 sessid_length = tvb_get_uint8(tvb, offset);
9218 proto_tree_add_item(tree, hf->hf.hs_session_id_len,
9219 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
9220 offset++;
9221
9222 if (ssl) {
9223 /* save the authoritative SID for later use in ChangeCipherSpec.
9224 * (D)TLS restricts the SID to 32 chars, it does not make sense to
9225 * save more, so ignore larger ones. */
9226 if (from_server && sessid_length <= 32) {
9227 tvb_memcpy(tvb, ssl->session_id.data, offset, sessid_length);
9228 ssl->session_id.data_len = sessid_length;
9229 }
9230 }
9231 if (sessid_length > 0) {
9232 proto_tree_add_item(tree, hf->hf.hs_session_id,
9233 tvb, offset, sessid_length, ENC_NA0x00000000);
9234 offset += sessid_length;
9235 }
9236 }
9237
9238 return offset;
9239}
9240
9241static int
9242ssl_dissect_hnd_hello_ext_status_request(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9243 proto_tree *tree, uint32_t offset, uint32_t offset_end,
9244 bool_Bool has_length)
9245{
9246 /* TLS 1.2/1.3 status_request Client Hello Extension.
9247 * TLS 1.2 status_request_v2 CertificateStatusRequestItemV2 type.
9248 * https://tools.ietf.org/html/rfc6066#section-8 (status_request)
9249 * https://tools.ietf.org/html/rfc6961#section-2.2 (status_request_v2)
9250 * struct {
9251 * CertificateStatusType status_type;
9252 * uint16 request_length; // for status_request_v2
9253 * select (status_type) {
9254 * case ocsp: OCSPStatusRequest;
9255 * case ocsp_multi: OCSPStatusRequest;
9256 * } request;
9257 * } CertificateStatusRequest; // CertificateStatusRequestItemV2
9258 *
9259 * enum { ocsp(1), ocsp_multi(2), (255) } CertificateStatusType;
9260 * struct {
9261 * ResponderID responder_id_list<0..2^16-1>;
9262 * Extensions request_extensions;
9263 * } OCSPStatusRequest;
9264 * opaque ResponderID<1..2^16-1>;
9265 * opaque Extensions<0..2^16-1>;
9266 */
9267 unsigned cert_status_type;
9268
9269 cert_status_type = tvb_get_uint8(tvb, offset);
9270 proto_tree_add_item(tree, hf->hf.hs_ext_cert_status_type,
9271 tvb, offset, 1, ENC_NA0x00000000);
9272 offset++;
9273
9274 if (has_length) {
9275 proto_tree_add_item(tree, hf->hf.hs_ext_cert_status_request_len,
9276 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
9277 offset += 2;
9278 }
9279
9280 switch (cert_status_type) {
9281 case SSL_HND_CERT_STATUS_TYPE_OCSP1:
9282 case SSL_HND_CERT_STATUS_TYPE_OCSP_MULTI2:
9283 {
9284 uint32_t responder_id_list_len;
9285 uint32_t request_extensions_len;
9286
9287 /* ResponderID responder_id_list<0..2^16-1> */
9288 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &responder_id_list_len,
9289 hf->hf.hs_ext_cert_status_responder_id_list_len, 0, UINT16_MAX(65535))) {
9290 return offset_end;
9291 }
9292 offset += 2;
9293 if (responder_id_list_len != 0) {
9294 proto_tree_add_expert_format(tree, pinfo, &hf->ei.hs_ext_cert_status_undecoded,
9295 tvb, offset, responder_id_list_len,
9296 "Responder ID list is not implemented, contact Wireshark"
9297 " developers if you want this to be supported");
9298 }
9299 offset += responder_id_list_len;
9300
9301 /* opaque Extensions<0..2^16-1> */
9302 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &request_extensions_len,
9303 hf->hf.hs_ext_cert_status_request_extensions_len, 0, UINT16_MAX(65535))) {
9304 return offset_end;
9305 }
9306 offset += 2;
9307 if (request_extensions_len != 0) {
9308 proto_tree_add_expert_format(tree, pinfo, &hf->ei.hs_ext_cert_status_undecoded,
9309 tvb, offset, request_extensions_len,
9310 "Request Extensions are not implemented, contact"
9311 " Wireshark developers if you want this to be supported");
9312 }
9313 offset += request_extensions_len;
9314 break;
9315 }
9316 }
9317
9318 return offset;
9319}
9320
9321static unsigned
9322ssl_dissect_hnd_hello_ext_status_request_v2(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9323 proto_tree *tree, uint32_t offset, uint32_t offset_end)
9324{
9325 /* https://tools.ietf.org/html/rfc6961#section-2.2
9326 * struct {
9327 * CertificateStatusRequestItemV2 certificate_status_req_list<1..2^16-1>;
9328 * } CertificateStatusRequestListV2;
9329 */
9330 uint32_t req_list_length, next_offset;
9331
9332 /* CertificateStatusRequestItemV2 certificate_status_req_list<1..2^16-1> */
9333 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &req_list_length,
9334 hf->hf.hs_ext_cert_status_request_list_len, 1, UINT16_MAX(65535))) {
9335 return offset_end;
9336 }
9337 offset += 2;
9338 next_offset = offset + req_list_length;
9339
9340 while (offset < next_offset) {
9341 offset = ssl_dissect_hnd_hello_ext_status_request(hf, tvb, pinfo, tree, offset, next_offset, true1);
9342 }
9343
9344 return offset;
9345}
9346
9347static uint32_t
9348tls_dissect_ocsp_response(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
9349 uint32_t offset, uint32_t offset_end)
9350{
9351 uint32_t response_length;
9352 proto_item *ocsp_resp;
9353 proto_tree *ocsp_resp_tree;
9354 asn1_ctx_t asn1_ctx;
9355
9356 /* opaque OCSPResponse<1..2^24-1>; */
9357 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &response_length,
9358 hf->hf.hs_ocsp_response_len, 1, G_MAXUINT24((1U << 24) - 1))) {
9359 return offset_end;
9360 }
9361 offset += 3;
9362
9363 ocsp_resp = proto_tree_add_item(tree, proto_ocsp, tvb, offset,
9364 response_length, ENC_BIG_ENDIAN0x00000000);
9365 proto_item_set_text(ocsp_resp, "OCSP Response");
9366 ocsp_resp_tree = proto_item_add_subtree(ocsp_resp, hf->ett.ocsp_response);
9367 if (proto_is_protocol_enabled(find_protocol_by_id(proto_ocsp))) {
9368 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true1, pinfo);
9369 dissect_ocsp_OCSPResponse(false0, tvb, offset, &asn1_ctx, ocsp_resp_tree, -1);
9370 }
9371 offset += response_length;
9372
9373 return offset;
9374}
9375
9376uint32_t
9377tls_dissect_hnd_certificate_status(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9378 proto_tree *tree, uint32_t offset, uint32_t offset_end)
9379{
9380 /* TLS 1.2 "CertificateStatus" handshake message.
9381 * TLS 1.3 "status_request" Certificate extension.
9382 * struct {
9383 * CertificateStatusType status_type;
9384 * select (status_type) {
9385 * case ocsp: OCSPResponse;
9386 * case ocsp_multi: OCSPResponseList; // status_request_v2
9387 * } response;
9388 * } CertificateStatus;
9389 * opaque OCSPResponse<1..2^24-1>;
9390 * struct {
9391 * OCSPResponse ocsp_response_list<1..2^24-1>;
9392 * } OCSPResponseList; // status_request_v2
9393 */
9394 uint32_t status_type, resp_list_length, next_offset;
9395
9396 proto_tree_add_item_ret_uint(tree, hf->hf.hs_ext_cert_status_type,
9397 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000, &status_type);
9398 offset += 1;
9399
9400 switch (status_type) {
9401 case SSL_HND_CERT_STATUS_TYPE_OCSP1:
9402 offset = tls_dissect_ocsp_response(hf, tvb, pinfo, tree, offset, offset_end);
9403 break;
9404
9405 case SSL_HND_CERT_STATUS_TYPE_OCSP_MULTI2:
9406 /* OCSPResponse ocsp_response_list<1..2^24-1> */
9407 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &resp_list_length,
9408 hf->hf.hs_ocsp_response_list_len, 1, G_MAXUINT24((1U << 24) - 1))) {
9409 return offset_end;
9410 }
9411 offset += 3;
9412 next_offset = offset + resp_list_length;
9413
9414 while (offset < next_offset) {
9415 offset = tls_dissect_ocsp_response(hf, tvb, pinfo, tree, offset, next_offset);
9416 }
9417 break;
9418 }
9419
9420 return offset;
9421}
9422
9423static unsigned
9424ssl_dissect_hnd_hello_ext_supported_groups(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9425 proto_tree *tree, uint32_t offset, uint32_t offset_end,
9426 wmem_strbuf_t *ja3)
9427{
9428 /* RFC 8446 Section 4.2.7
9429 * enum { ..., (0xFFFF) } NamedGroup;
9430 * struct {
9431 * NamedGroup named_group_list<2..2^16-1>
9432 * } NamedGroupList;
9433 *
9434 * NOTE: "NamedCurve" (RFC 4492) is renamed to "NamedGroup" (RFC 7919) and
9435 * the extension itself from "elliptic_curves" to "supported_groups".
9436 */
9437 uint32_t groups_length, next_offset;
9438 proto_tree *groups_tree;
9439 proto_item *ti;
9440 char *ja3_dash = "";
9441
9442 /* NamedGroup named_group_list<2..2^16-1> */
9443 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &groups_length,
9444 hf->hf.hs_ext_supported_groups_len, 2, UINT16_MAX(65535))) {
9445 return offset_end;
9446 }
9447 offset += 2;
9448 next_offset = offset + groups_length;
9449
9450 ti = proto_tree_add_none_format(tree,
9451 hf->hf.hs_ext_supported_groups,
9452 tvb, offset, groups_length,
9453 "Supported Groups (%d group%s)",
9454 groups_length / 2,
9455 plurality(groups_length/2, "", "s")((groups_length/2) == 1 ? ("") : ("s")));
9456
9457 /* make this a subtree */
9458 groups_tree = proto_item_add_subtree(ti, hf->ett.hs_ext_groups);
9459
9460 if (ja3) {
9461 wmem_strbuf_append_c(ja3, ',');
9462 }
9463 /* loop over all groups */
9464 while (offset + 2 <= offset_end) {
9465 uint32_t ext_supported_group;
9466
9467 proto_tree_add_item_ret_uint(groups_tree, hf->hf.hs_ext_supported_group, tvb, offset, 2,
9468 ENC_BIG_ENDIAN0x00000000, &ext_supported_group);
9469 offset += 2;
9470 if (ja3 && !IS_GREASE_TLS(ext_supported_group)((((ext_supported_group) & 0x0f0f) == 0x0a0a) && (
((ext_supported_group) & 0xff) == (((ext_supported_group)
>>8) & 0xff)))) {
9471 wmem_strbuf_append_printf(ja3, "%s%i",ja3_dash, ext_supported_group);
9472 ja3_dash = "-";
9473 }
9474 }
9475 if (!ssl_end_vector(hf, tvb, pinfo, groups_tree, offset, next_offset)) {
9476 offset = next_offset;
9477 }
9478
9479 return offset;
9480}
9481
9482static int
9483ssl_dissect_hnd_hello_ext_ec_point_formats(ssl_common_dissect_t *hf, tvbuff_t *tvb,
9484 proto_tree *tree, uint32_t offset, wmem_strbuf_t *ja3)
9485{
9486 uint8_t ecpf_length;
9487 proto_tree *ecpf_tree;
9488 proto_item *ti;
9489
9490 ecpf_length = tvb_get_uint8(tvb, offset);
9491 proto_tree_add_item(tree, hf->hf.hs_ext_ec_point_formats_len,
9492 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
9493
9494 offset += 1;
9495 ti = proto_tree_add_none_format(tree,
9496 hf->hf.hs_ext_ec_point_formats,
9497 tvb, offset, ecpf_length,
9498 "Elliptic curves point formats (%d)",
9499 ecpf_length);
9500
9501 /* make this a subtree */
9502 ecpf_tree = proto_item_add_subtree(ti, hf->ett.hs_ext_curves_point_formats);
9503
9504 if (ja3) {
9505 wmem_strbuf_append_c(ja3, ',');
9506 }
9507
9508 /* loop over all point formats */
9509 while (ecpf_length > 0)
9510 {
9511 uint32_t ext_ec_point_format;
9512
9513 proto_tree_add_item_ret_uint(ecpf_tree, hf->hf.hs_ext_ec_point_format, tvb, offset, 1,
9514 ENC_BIG_ENDIAN0x00000000, &ext_ec_point_format);
9515 offset++;
9516 ecpf_length--;
9517 if (ja3) {
9518 wmem_strbuf_append_printf(ja3, "%i", ext_ec_point_format);
9519 if (ecpf_length > 0) {
9520 wmem_strbuf_append_c(ja3, '-');
9521 }
9522 }
9523 }
9524
9525 return offset;
9526}
9527
9528static int
9529ssl_dissect_hnd_hello_ext_srp(ssl_common_dissect_t *hf, tvbuff_t *tvb,
9530 packet_info *pinfo, proto_tree *tree,
9531 uint32_t offset, uint32_t next_offset)
9532{
9533 /* https://tools.ietf.org/html/rfc5054#section-2.8.1
9534 * opaque srp_I<1..2^8-1>;
9535 */
9536 uint32_t username_len;
9537
9538 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, next_offset, &username_len,
9539 hf->hf.hs_ext_srp_len, 1, UINT8_MAX(255))) {
9540 return next_offset;
9541 }
9542 offset++;
9543
9544 proto_tree_add_item(tree, hf->hf.hs_ext_srp_username,
9545 tvb, offset, username_len, ENC_UTF_80x00000002|ENC_NA0x00000000);
9546 offset += username_len;
9547
9548 return offset;
9549}
9550
9551static uint32_t
9552tls_dissect_sct(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
9553 uint32_t offset, uint32_t offset_end, uint16_t version)
9554{
9555 /* https://tools.ietf.org/html/rfc6962#section-3.2
9556 * enum { v1(0), (255) } Version;
9557 * struct {
9558 * opaque key_id[32];
9559 * } LogID;
9560 * opaque CtExtensions<0..2^16-1>;
9561 * struct {
9562 * Version sct_version;
9563 * LogID id;
9564 * uint64 timestamp;
9565 * CtExtensions extensions;
9566 * digitally-signed struct { ... };
9567 * } SignedCertificateTimestamp;
9568 */
9569 uint32_t sct_version;
9570 uint64_t sct_timestamp_ms;
9571 nstime_t sct_timestamp;
9572 uint32_t exts_len;
9573 const char *log_name;
9574
9575 proto_tree_add_item_ret_uint(tree, hf->hf.sct_sct_version, tvb, offset, 1, ENC_NA0x00000000, &sct_version);
9576 offset++;
9577 if (sct_version != 0) {
9578 // TODO expert info about unknown SCT version?
9579 return offset;
9580 }
9581 proto_tree_add_item(tree, hf->hf.sct_sct_logid, tvb, offset, 32, ENC_BIG_ENDIAN0x00000000);
9582 log_name = bytesval_to_str_wmem(pinfo->pool, tvb_get_ptr(tvb, offset, 32), 32, ct_logids, "Unknown Log");
9583 proto_item_append_text(tree, " (%s)", log_name);
9584 offset += 32;
9585 sct_timestamp_ms = tvb_get_ntoh64(tvb, offset);
9586 sct_timestamp.secs = (time_t)(sct_timestamp_ms / 1000);
9587 sct_timestamp.nsecs = (int)((sct_timestamp_ms % 1000) * 1000000);
9588 proto_tree_add_time(tree, hf->hf.sct_sct_timestamp, tvb, offset, 8, &sct_timestamp);
9589 offset += 8;
9590 /* opaque CtExtensions<0..2^16-1> */
9591 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &exts_len,
9592 hf->hf.sct_sct_extensions_length, 0, UINT16_MAX(65535))) {
9593 return offset_end;
9594 }
9595 offset += 2;
9596 if (exts_len > 0) {
9597 proto_tree_add_item(tree, hf->hf.sct_sct_extensions, tvb, offset, exts_len, ENC_BIG_ENDIAN0x00000000);
9598 offset += exts_len;
9599 }
9600 offset = ssl_dissect_digitally_signed(hf, tvb, pinfo, tree, offset, offset_end, version,
9601 hf->hf.sct_sct_signature_length,
9602 hf->hf.sct_sct_signature);
9603 return offset;
9604}
9605
9606uint32_t
9607tls_dissect_sct_list(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
9608 uint32_t offset, uint32_t offset_end, uint16_t version)
9609{
9610 /* https://tools.ietf.org/html/rfc6962#section-3.3
9611 * opaque SerializedSCT<1..2^16-1>;
9612 * struct {
9613 * SerializedSCT sct_list <1..2^16-1>;
9614 * } SignedCertificateTimestampList;
9615 */
9616 uint32_t list_length, sct_length, next_offset;
9617 proto_tree *subtree;
9618
9619 /* SerializedSCT sct_list <1..2^16-1> */
9620 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &list_length,
9621 hf->hf.sct_scts_length, 1, UINT16_MAX(65535))) {
9622 return offset_end;
9623 }
9624 offset += 2;
9625
9626 while (offset < offset_end) {
9627 subtree = proto_tree_add_subtree(tree, tvb, offset, 2, hf->ett.sct, NULL((void*)0), "Signed Certificate Timestamp");
9628
9629 /* opaque SerializedSCT<1..2^16-1> */
9630 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, offset_end, &sct_length,
9631 hf->hf.sct_sct_length, 1, UINT16_MAX(65535))) {
9632 return offset_end;
9633 }
9634 offset += 2;
9635 next_offset = offset + sct_length;
9636 proto_item_set_len(subtree, 2 + sct_length);
9637 offset = tls_dissect_sct(hf, tvb, pinfo, subtree, offset, next_offset, version);
9638 if (!ssl_end_vector(hf, tvb, pinfo, subtree, offset, next_offset)) {
9639 offset = next_offset;
9640 }
9641 }
9642
9643 return offset;
9644}
9645
9646static int
9647dissect_ech_hpke_cipher_suite(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo _U___attribute__((unused)),
9648 proto_tree *tree, uint32_t offset)
9649{
9650 uint32_t kdf_id, aead_id;
9651 proto_item *cs_ti;
9652 proto_tree *cs_tree;
9653
9654 cs_ti = proto_tree_add_item(tree, hf->hf.ech_hpke_keyconfig_cipher_suite,
9655 tvb, offset, 4, ENC_NA0x00000000);
9656 cs_tree = proto_item_add_subtree(cs_ti, hf->ett.ech_hpke_cipher_suite);
9657
9658 proto_tree_add_item_ret_uint(cs_tree, hf->hf.ech_hpke_keyconfig_cipher_suite_kdf_id,
9659 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &kdf_id);
9660 offset += 2;
9661 proto_tree_add_item_ret_uint(cs_tree, hf->hf.ech_hpke_keyconfig_cipher_suite_aead_id,
9662 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &aead_id);
9663 offset += 2;
9664
9665 proto_item_append_text(cs_ti, ": %s/%s",
9666 val_to_str_const(kdf_id, kdf_id_type_vals, "Unknown"),
9667 val_to_str_const(aead_id, aead_id_type_vals, "Unknown"));
9668 return offset;
9669}
9670
9671static int
9672dissect_ech_hpke_key_config(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9673 proto_tree *tree, uint32_t offset, uint32_t offset_end,
9674 uint32_t *config_id)
9675{
9676 uint32_t length, cipher_suite_length;
9677 proto_item *kc_ti, *css_ti;
9678 proto_tree *kc_tree, *css_tree;
9679 uint32_t original_offset = offset, next_offset;
9680
9681 kc_ti = proto_tree_add_item(tree, hf->hf.ech_hpke_keyconfig,
9682 tvb, offset, -1, ENC_NA0x00000000);
9683 kc_tree = proto_item_add_subtree(kc_ti, hf->ett.ech_hpke_keyconfig);
9684
9685 proto_tree_add_item_ret_uint(kc_tree, hf->hf.ech_hpke_keyconfig_config_id,
9686 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000, config_id);
9687 offset += 1;
9688 proto_tree_add_item(kc_tree, hf->hf.ech_hpke_keyconfig_kem_id,
9689 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
9690 offset += 2;
9691 proto_tree_add_item_ret_uint(kc_tree, hf->hf.ech_hpke_keyconfig_public_key_length,
9692 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &length);
9693 offset += 2;
9694 proto_tree_add_item(kc_tree, hf->hf.ech_hpke_keyconfig_public_key,
9695 tvb, offset, length, ENC_NA0x00000000);
9696 offset += length;
9697
9698 /* HpkeSymmetricCipherSuite cipher_suites<4..2^16-4> */
9699 if (!ssl_add_vector(hf, tvb, pinfo, kc_tree, offset, offset_end, &cipher_suite_length,
9700 hf->hf.ech_hpke_keyconfig_cipher_suites_length, 4, UINT16_MAX(65535) - 3)) {
9701 return offset_end;
9702 }
9703 offset += 2;
9704 next_offset = offset + cipher_suite_length;
9705
9706 css_ti = proto_tree_add_none_format(kc_tree,
9707 hf->hf.ech_hpke_keyconfig_cipher_suites,
9708 tvb, offset, cipher_suite_length,
9709 "Cipher Suites (%d suite%s)",
9710 cipher_suite_length / 4,
9711 plurality(cipher_suite_length / 4, "", "s")((cipher_suite_length / 4) == 1 ? ("") : ("s")));
9712 css_tree = proto_item_add_subtree(css_ti, hf->ett.ech_hpke_cipher_suites);
9713
9714
9715 while (offset + 4 <= next_offset) {
9716 offset = dissect_ech_hpke_cipher_suite(hf, tvb, pinfo, css_tree, offset);
9717 }
9718
9719 if (!ssl_end_vector(hf, tvb, pinfo, css_tree, offset, next_offset)) {
9720 offset = next_offset;
9721 }
9722
9723 proto_item_set_len(kc_ti, offset - original_offset);
9724
9725 return offset;
9726}
9727
9728static int
9729dissect_ech_echconfig_contents(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9730 proto_tree *tree, uint32_t offset, uint32_t offset_end,
9731 const uint8_t **public_name, uint32_t *config_id)
9732{
9733 uint32_t public_name_length, extensions_length, next_offset;
9734
9735 offset = dissect_ech_hpke_key_config(hf, tvb, pinfo, tree, offset, offset_end, config_id);
9736 proto_tree_add_item(tree, hf->hf.ech_echconfigcontents_maximum_name_length,
9737 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
9738 offset += 1;
9739 proto_tree_add_item_ret_uint(tree, hf->hf.ech_echconfigcontents_public_name_length,
9740 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000, &public_name_length);
9741 offset += 1;
9742 proto_tree_add_item_ret_string(tree, hf->hf.ech_echconfigcontents_public_name,
9743 tvb, offset, public_name_length, ENC_ASCII0x00000000, pinfo->pool, public_name);
9744 offset += public_name_length;
9745
9746 /* Extension extensions<0..2^16-1>; */
9747 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &extensions_length,
9748 hf->hf.ech_echconfigcontents_extensions_length, 0, UINT16_MAX(65535))) {
9749 return offset_end;
9750 }
9751 offset += 2;
9752 next_offset = offset + extensions_length;
9753
9754 if (extensions_length > 0) {
9755 proto_tree_add_item(tree, hf->hf.ech_echconfigcontents_extensions,
9756 tvb, offset, extensions_length, ENC_NA0x00000000);
9757 }
9758 offset += extensions_length;
9759
9760 if (!ssl_end_vector(hf, tvb, pinfo, tree, offset, next_offset)) {
9761 offset = next_offset;
9762 }
9763
9764 return offset;
9765}
9766
9767static int
9768dissect_ech_echconfig(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9769 proto_tree *tree, uint32_t offset, uint32_t offset_end)
9770{
9771 uint32_t version, length;
9772 proto_item *ech_ti;
9773 proto_tree *ech_tree;
9774 const uint8_t *public_name = NULL((void*)0);
9775 uint32_t config_id = 0;
9776
9777 ech_ti = proto_tree_add_item(tree, hf->hf.ech_echconfig, tvb, offset, -1, ENC_NA0x00000000);
9778 ech_tree = proto_item_add_subtree(ech_ti, hf->ett.ech_echconfig);
9779
9780 proto_tree_add_item_ret_uint(ech_tree, hf->hf.ech_echconfig_version,
9781 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &version);
9782 offset += 2;
9783 proto_tree_add_item_ret_uint(ech_tree, hf->hf.ech_echconfig_length,
9784 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &length);
9785 offset += 2;
9786
9787 proto_item_set_len(ech_ti, 4 + length);
9788
9789 switch(version) {
9790 case 0xfe0d:
9791 dissect_ech_echconfig_contents(hf, tvb, pinfo, ech_tree, offset, offset_end, &public_name, &config_id);
9792 proto_item_append_text(ech_ti, ": id=%d %s", config_id, public_name);
9793 break;
9794
9795 default:
9796 expert_add_info_format(pinfo, ech_ti, &hf->ei.ech_echconfig_invalid_version, "Unsupported/unknown ECHConfig version 0x%x", version);
9797 }
9798
9799 return 4 + length;
9800}
9801
9802uint32_t
9803ssl_dissect_ext_ech_echconfiglist(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9804 proto_tree *tree, uint32_t offset, uint32_t offset_end)
9805{
9806 uint32_t echconfiglist_length, next_offset;
9807
9808 /* ECHConfig ECHConfigList<1..2^16-1>; */
9809 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &echconfiglist_length,
9810 hf->hf.ech_echconfiglist_length, 1, UINT16_MAX(65535))) {
9811 return offset_end;
9812 }
9813 offset += 2;
9814 next_offset = offset + echconfiglist_length;
9815
9816 while (offset < next_offset) {
9817 offset += dissect_ech_echconfig(hf, tvb, pinfo, tree, offset, offset_end);
9818 }
9819
9820 if (!ssl_end_vector(hf, tvb, pinfo, tree, offset, next_offset)) {
9821 offset = next_offset;
9822 }
9823
9824 return offset;
9825}
9826
9827static uint32_t
9828ssl_dissect_hnd_ech_outer_ext(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
9829 uint32_t offset, uint32_t offset_end)
9830{
9831 uint32_t ext_length, next_offset;
9832 proto_tree *ext_tree;
9833 proto_item *ti;
9834
9835 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &ext_length,
9836 hf->hf.hs_ext_ech_outer_ext_len, 2, UINT8_MAX(255))) {
9837 return offset_end;
9838 }
9839 offset += 1;
9840 next_offset = offset + ext_length;
9841
9842 ti = proto_tree_add_none_format(tree,
9843 hf->hf.hs_ext_ech_outer_ext,
9844 tvb, offset, ext_length,
9845 "Outer Extensions (%d extension%s)",
9846 ext_length / 2,
9847 plurality(ext_length/2, "", "s")((ext_length/2) == 1 ? ("") : ("s")));
9848
9849 ext_tree = proto_item_add_subtree(ti, hf->ett.hs_ext);
9850
9851 while (offset + 2 <= offset_end) {
9852 proto_tree_add_item(ext_tree, hf->hf.hs_ext_type, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
9853 offset += 2;
9854 }
9855
9856 if (!ssl_end_vector(hf, tvb, pinfo, ext_tree, offset, next_offset)) {
9857 offset = next_offset;
9858 }
9859
9860 return offset;
9861}
9862
9863static uint32_t
9864// NOLINTNEXTLINE(misc-no-recursion)
9865ssl_dissect_hnd_hello_ext_ech(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9866 proto_tree *tree, uint32_t offset, uint32_t offset_end,
9867 uint8_t hnd_type, SslSession *session, SslDecryptSession *ssl, ssl_master_key_map_t *mk_map,
9868 uint32_t initial_offset, uint32_t hello_length)
9869{
9870 uint32_t ch_type, length;
9871 proto_item *ti, *payload_ti;
9872 proto_tree *retry_tree, *payload_tree;
9873
9874 switch (hnd_type) {
9875 case SSL_HND_CLIENT_HELLO:
9876 /*
9877 * enum { outer(0), inner(1) } ECHClientHelloType;
9878 *
9879 * struct {
9880 * ECHClientHelloType type;
9881 * select (ECHClientHello.type) {
9882 * case outer:
9883 * HpkeSymmetricCipherSuite cipher_suite;
9884 * uint8 config_id;
9885 * opaque enc<0..2^16-1>;
9886 * opaque payload<1..2^16-1>;
9887 * case inner:
9888 * Empty;
9889 * };
9890 * } ECHClientHello;
9891 */
9892
9893 proto_tree_add_item_ret_uint(tree, hf->hf.ech_clienthello_type, tvb, offset, 1, ENC_BIG_ENDIAN0x00000000, &ch_type);
9894 offset += 1;
9895 switch (ch_type) {
9896 case 0: /* outer */
9897 if (ssl && session->first_ch_ech_frame == 0) {
9898 session->first_ch_ech_frame = pinfo->num;
9899 }
9900 offset = dissect_ech_hpke_cipher_suite(hf, tvb, pinfo, tree, offset);
9901 uint16_t kdf_id = tvb_get_ntohs(tvb, offset - 4);
9902 uint16_t aead_id = tvb_get_ntohs(tvb, offset - 2);
9903
9904 proto_tree_add_item(tree, hf->hf.ech_config_id, tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
9905 uint8_t config_id = tvb_get_uint8(tvb, offset);
9906 offset += 1;
9907 proto_tree_add_item_ret_uint(tree, hf->hf.ech_enc_length, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &length);
9908 offset += 2;
9909 proto_tree_add_item(tree, hf->hf.ech_enc, tvb, offset, length, ENC_NA0x00000000);
9910 offset += length;
9911 proto_tree_add_item_ret_uint(tree, hf->hf.ech_payload_length, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &length);
9912 offset += 2;
9913 payload_ti = proto_tree_add_item(tree, hf->hf.ech_payload, tvb, offset, length, ENC_NA0x00000000);
9914 offset += length;
9915
9916 if (!mk_map) {
9917 break;
9918 }
9919 if (session->client_random.data_len == 0) {
9920 ssl_debug_printf("%s missing Client Random\n", G_STRFUNC((const char*) (__func__)));
9921 break;
9922 }
9923 StringInfo *ech_secret = (StringInfo *)g_hash_table_lookup(mk_map->ech_secret, &session->client_random);
9924 StringInfo *ech_config = (StringInfo *)g_hash_table_lookup(mk_map->ech_config, &session->client_random);
9925 if (!ech_secret || !ech_config) {
9926 ssl_debug_printf("%s Cannot find ECH_SECRET or ECH_CONFIG, Encrypted Client Hello decryption impossible\n",
9927 G_STRFUNC((const char*) (__func__)));
9928 break;
9929 }
9930
9931 if (hpke_hkdf_len(kdf_id) == 0) {
9932 ssl_debug_printf("Unsupported KDF\n");
9933 break;
9934 }
9935
9936 if (hpke_aead_key_len(aead_id) == 0) {
9937 ssl_debug_printf("Unsupported AEAD\n");
9938 break;
9939 }
9940
9941 size_t aead_nonce_len = hpke_aead_nonce_len(aead_id);
9942
9943 uint16_t version = GUINT16_FROM_BE(*(uint16_t *)ech_config->data)(((((guint16) ( (guint16) ((guint16) (*(uint16_t *)ech_config
->data) >> 8) | (guint16) ((guint16) (*(uint16_t *)ech_config
->data) << 8))))));
9944 if (version != SSL_HND_HELLO_EXT_ENCRYPTED_CLIENT_HELLO65037) {
9945 ssl_debug_printf("Unexpected version in ECH Config\n");
9946 break;
9947 }
9948 uint32_t ech_config_offset = 2;
9949 if (GUINT16_FROM_BE(*(uint16_t *)(ech_config->data + ech_config_offset))(((((guint16) ( (guint16) ((guint16) (*(uint16_t *)(ech_config
->data + ech_config_offset)) >> 8) | (guint16) ((guint16
) (*(uint16_t *)(ech_config->data + ech_config_offset)) <<
8)))))) != ech_config->data_len - 4) {
9950 ssl_debug_printf("Malformed ECH Config, invalid length\n");
9951 break;
9952 }
9953 ech_config_offset += 2;
9954 if (*(ech_config->data + ech_config_offset) != config_id) {
9955 ssl_debug_printf("ECH Config version mismatch\n");
9956 break;
9957 }
9958 ech_config_offset += 1;
9959 uint16_t kem_id_be = *(uint16_t *)(ech_config->data + ech_config_offset);
9960 uint16_t kem_id = GUINT16_FROM_BE(kem_id_be)(((((guint16) ( (guint16) ((guint16) (kem_id_be) >> 8) |
(guint16) ((guint16) (kem_id_be) << 8))))));
9961 uint8_t suite_id[HPKE_SUIT_ID_LEN10];
9962 hpke_suite_id(kem_id, kdf_id, aead_id, suite_id);
9963 GByteArray *info = g_byte_array_new();
9964 g_byte_array_append(info, "tls ech", 8);
9965 g_byte_array_append(info, ech_config->data, ech_config->data_len);
9966 uint8_t key[AEAD_MAX_KEY_LENGTH32];
9967 uint8_t base_nonce[HPKE_AEAD_NONCE_LENGTH12];
9968 if (hpke_key_schedule(kdf_id, aead_id, ech_secret->data, ech_secret->data_len, suite_id, info->data, info->len, HPKE_MODE_BASE0,
9969 key, base_nonce)) {
9970 g_byte_array_free(info, TRUE(!(0)));
9971 break;
9972 }
9973 g_byte_array_free(info, TRUE(!(0)));
9974 gcry_cipher_hd_t cipher;
9975 if (hpke_setup_aead(&cipher, aead_id, key) ||
9976 hpke_set_nonce(cipher, !session->hrr_ech_declined && pinfo->num > session->first_ch_ech_frame, base_nonce, aead_nonce_len)) {
9977 gcry_cipher_close(cipher);
9978 break;
9979 }
9980 const uint8_t *payload = tvb_get_ptr(tvb, offset - length, length);
9981 uint8_t *ech_aad = (uint8_t *)wmem_alloc(NULL((void*)0), hello_length);
9982 tvb_memcpy(tvb, ech_aad, initial_offset, hello_length);
9983 memset(ech_aad + offset - length - initial_offset, 0, length);
9984 if (gcry_cipher_authenticate(cipher, ech_aad, hello_length)) {
9985 gcry_cipher_close(cipher);
9986 wmem_free(NULL((void*)0), ech_aad);
9987 break;
9988 }
9989 wmem_free(NULL((void*)0), ech_aad);
9990 uint8_t *ech_decrypted_data = (uint8_t *)wmem_alloc(pinfo->pool, length - 16);
9991 if (gcry_cipher_decrypt(cipher, ech_decrypted_data, length - 16, payload, length - 16)) {
9992 gcry_cipher_close(cipher);
9993 break;
9994 }
9995 unsigned char ech_auth_tag_calc[16];
9996 if (gcry_cipher_gettag(cipher, ech_auth_tag_calc, 16)) {
9997 gcry_cipher_close(cipher);
9998 break;
9999 }
10000 if (ssl && !session->hrr_ech_declined && session->first_ch_ech_frame == pinfo->num)
10001 memcpy(session->first_ech_auth_tag, ech_auth_tag_calc, 16);
10002 gcry_cipher_close(cipher);
10003 if (memcmp(pinfo->num > session->first_ch_ech_frame ? ech_auth_tag_calc : session->first_ech_auth_tag,
10004 payload + length - 16, 16)) {
10005 ssl_debug_printf("%s ECH auth tag mismatch\n", G_STRFUNC((const char*) (__func__)));
10006 } else {
10007 payload_tree = proto_item_add_subtree(payload_ti, hf->ett.ech_decrypt);
10008 tvbuff_t *ech_tvb = tvb_new_child_real_data(tvb, ech_decrypted_data, length - 16, length - 16);
10009 add_new_data_source(pinfo, ech_tvb, "Client Hello Inner");
10010 if (ssl) {
10011 tvb_memcpy(ech_tvb, ssl->client_random.data, 2, 32);
10012 uint32_t len_offset = ssl->ech_transcript.data_len;
10013 if (ssl->ech_transcript.data_len > 0)
10014 ssl->ech_transcript.data = (unsigned char*)wmem_realloc(wmem_file_scope(), ssl->ech_transcript.data,
10015 ssl->ech_transcript.data_len + hello_length + 4);
10016 else
10017 ssl->ech_transcript.data = (unsigned char*)wmem_alloc(wmem_file_scope(), hello_length + 4);
10018 ssl->ech_transcript.data[ssl->ech_transcript.data_len] = SSL_HND_CLIENT_HELLO;
10019 ssl->ech_transcript.data[ssl->ech_transcript.data_len + 1] = 0;
10020 tvb_memcpy(ech_tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len + 4, 0, 34);
10021 ssl->ech_transcript.data_len += 38;
10022 tvb_memcpy(tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len, initial_offset + 34,
10023 tvb_get_uint8(tvb, initial_offset + 34) + 1);
10024 ssl->ech_transcript.data_len += tvb_get_uint8(tvb, initial_offset + 34) + 1;
10025 uint32_t ech_offset = 35 + tvb_get_uint8(ech_tvb, 34);
10026 tvb_memcpy(ech_tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len, ech_offset,
10027 2 + tvb_get_ntohs(ech_tvb, ech_offset));
10028 ssl->ech_transcript.data_len += 2 + tvb_get_ntohs(ech_tvb, ech_offset);
10029 ech_offset += 2 + tvb_get_ntohs(ech_tvb, ech_offset);
10030 tvb_memcpy(ech_tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len, ech_offset,
10031 1 + tvb_get_uint8(ech_tvb, ech_offset));
10032 ssl->ech_transcript.data_len += 1 + tvb_get_uint8(ech_tvb, ech_offset);
10033 ech_offset += 1 + tvb_get_uint8(ech_tvb, ech_offset);
10034 uint32_t ech_extensions_len_offset = ssl->ech_transcript.data_len;
10035 ssl->ech_transcript.data_len += 2;
10036 uint16_t extensions_end = ech_offset + tvb_get_ntohs(ech_tvb, ech_offset) + 2;
10037 ech_offset += 2;
10038 while (extensions_end - ech_offset >= 4) {
10039 if (tvb_get_ntohs(ech_tvb, ech_offset) != SSL_HND_HELLO_EXT_ECH_OUTER_EXTENSIONS64768) {
10040 tvb_memcpy(ech_tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len, ech_offset,
10041 4 + tvb_get_ntohs(ech_tvb, ech_offset + 2));
10042 ssl->ech_transcript.data_len += 4 + tvb_get_ntohs(ech_tvb, ech_offset + 2);
10043 ech_offset += 4 + tvb_get_ntohs(ech_tvb, ech_offset + 2);
10044 } else if (tvb_get_ntohs(ech_tvb, ech_offset + 2) > 0) {
10045 uint8_t outer_extensions_end = tvb_get_uint8(ech_tvb, ech_offset + 4) + ech_offset + 5;
10046 ech_offset += 5;
10047 uint16_t outer_offset = initial_offset + 35 + tvb_get_uint8(tvb, initial_offset + 34);
10048 outer_offset += tvb_get_ntohs(tvb, outer_offset) + 2;
10049 outer_offset += tvb_get_uint8(tvb, outer_offset) + 3;
10050 while (outer_extensions_end - ech_offset >= 2) {
10051 while (hello_length - outer_offset >= 4) {
10052 if (tvb_get_ntohs(tvb, outer_offset) == tvb_get_ntohs(ech_tvb, ech_offset)) {
10053 tvb_memcpy(tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len, outer_offset,
10054 4 + tvb_get_ntohs(tvb, outer_offset + 2));
10055 ssl->ech_transcript.data_len += 4 + tvb_get_ntohs(tvb, outer_offset + 2);
10056 outer_offset += 4 + tvb_get_ntohs(tvb, outer_offset + 2);
10057 break;
10058 } else {
10059 outer_offset += 4 + tvb_get_ntohs(tvb, outer_offset + 2);
10060 }
10061 }
10062 ech_offset += 2;
10063 }
10064 }
10065 }
10066 uint16_t ech_extensions_len_be = GUINT16_TO_BE(ssl->ech_transcript.data_len - ech_extensions_len_offset - 2)((((guint16) ( (guint16) ((guint16) (ssl->ech_transcript.data_len
- ech_extensions_len_offset - 2) >> 8) | (guint16) ((guint16
) (ssl->ech_transcript.data_len - ech_extensions_len_offset
- 2) << 8)))));
10067 *(ssl->ech_transcript.data + ech_extensions_len_offset) = ech_extensions_len_be & 0xff;
10068 *(ssl->ech_transcript.data + ech_extensions_len_offset + 1) = (ech_extensions_len_be >> 8);
10069 *(ssl->ech_transcript.data + len_offset + 2) = ((ssl->ech_transcript.data_len - len_offset - 4) >> 8);
10070 *(ssl->ech_transcript.data + len_offset + 3) = (ssl->ech_transcript.data_len - len_offset - 4) & 0xff;
10071 }
10072 uint32_t ech_padding_begin = (uint32_t)ssl_dissect_hnd_cli_hello(hf, ech_tvb, pinfo, payload_tree, 0, length - 16, session,
10073 ssl, NULL((void*)0), mk_map);
10074 if (ech_padding_begin < length - 16) {
10075 proto_tree_add_item(payload_tree, hf->hf.ech_padding_data, ech_tvb, ech_padding_begin, length - 16 - ech_padding_begin,
10076 ENC_NA0x00000000);
10077 }
10078 }
10079
10080 break;
10081 case 1: /* inner */
10082 break;
10083 }
10084 break;
10085
10086 case SSL_HND_ENCRYPTED_EXTENSIONS:
10087 /*
10088 * struct {
10089 * ECHConfigList retry_configs;
10090 * } ECHEncryptedExtensions;
10091 */
10092
10093 ti = proto_tree_add_item(tree, hf->hf.ech_retry_configs, tvb, offset, offset_end - offset, ENC_NA0x00000000);
10094 retry_tree = proto_item_add_subtree(ti, hf->ett.ech_retry_configs);
10095 offset = ssl_dissect_ext_ech_echconfiglist(hf, tvb, pinfo, retry_tree, offset, offset_end);
10096 break;
10097
10098 case SSL_HND_HELLO_RETRY_REQUEST:
10099 /*
10100 * struct {
10101 * opaque confirmation[8];
10102 * } ECHHelloRetryRequest;
10103 */
10104
10105 proto_tree_add_item(tree, hf->hf.ech_confirmation, tvb, offset, 8, ENC_NA0x00000000);
10106 if (session->ech) {
10107 ti = proto_tree_add_bytes_with_length(tree, hf->hf.hs_ech_confirm_compute, tvb, offset, 0, session->hrr_ech_confirmation, 8);
10108 proto_item_set_generated(ti);
10109 if (memcmp(session->hrr_ech_confirmation, tvb_get_ptr(tvb, offset, 8), 8)) {
10110 expert_add_info(pinfo, ti, &hf->ei.ech_rejected);
10111 } else {
10112 expert_add_info(pinfo, ti, &hf->ei.ech_accepted);
10113 }
10114 }
10115 offset += 8;
10116 break;
10117 }
10118
10119 return offset;
10120}
10121
10122static uint32_t
10123ssl_dissect_hnd_hello_ext_esni(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
10124 proto_tree *tree, uint32_t offset, uint32_t offset_end,
10125 uint8_t hnd_type, SslDecryptSession *ssl _U___attribute__((unused)))
10126{
10127 uint32_t record_digest_length, encrypted_sni_length;
10128
10129 switch (hnd_type) {
10130 case SSL_HND_CLIENT_HELLO:
10131 /*
10132 * struct {
10133 * CipherSuite suite;
10134 * KeyShareEntry key_share;
10135 * opaque record_digest<0..2^16-1>;
10136 * opaque encrypted_sni<0..2^16-1>;
10137 * } ClientEncryptedSNI;
10138 */
10139 proto_tree_add_item(tree, hf->hf.esni_suite, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
10140 offset += 2;
10141 offset = ssl_dissect_hnd_hello_ext_key_share_entry(hf, tvb, pinfo, tree, offset, offset_end, NULL((void*)0));
10142
10143 /* opaque record_digest<0..2^16-1> */
10144 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &record_digest_length,
10145 hf->hf.esni_record_digest_length, 0, UINT16_MAX(65535))) {
10146 return offset_end;
10147 }
10148 offset += 2;
10149 if (record_digest_length > 0) {
10150 proto_tree_add_item(tree, hf->hf.esni_record_digest, tvb, offset, record_digest_length, ENC_NA0x00000000);
10151 offset += record_digest_length;
10152 }
10153
10154 /* opaque encrypted_sni<0..2^16-1> */
10155 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &encrypted_sni_length,
10156 hf->hf.esni_encrypted_sni_length, 0, UINT16_MAX(65535))) {
10157 return offset_end;
10158 }
10159 offset += 2;
10160 if (encrypted_sni_length > 0) {
10161 proto_tree_add_item(tree, hf->hf.esni_encrypted_sni, tvb, offset, encrypted_sni_length, ENC_NA0x00000000);
10162 offset += encrypted_sni_length;
10163 }
10164 break;
10165
10166 case SSL_HND_ENCRYPTED_EXTENSIONS:
10167 proto_tree_add_item(tree, hf->hf.esni_nonce, tvb, offset, 16, ENC_NA0x00000000);
10168 offset += 16;
10169 break;
10170 }
10171
10172 return offset;
10173}
10174/** TLS Extensions (in Client Hello and Server Hello). }}} */
10175
10176/* Connection ID dissection. {{{ */
10177static uint32_t
10178ssl_dissect_ext_connection_id(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
10179 proto_tree *tree, uint32_t offset, SslDecryptSession *ssl,
10180 uint8_t cidl, uint8_t **session_cid, uint8_t *session_cidl)
10181{
10182 /* keep track of the decrypt session only for the first pass */
10183 if (cidl > 0 && !PINFO_FD_VISITED(pinfo)((pinfo)->fd->visited)) {
10184 tvb_ensure_bytes_exist(tvb, offset + 1, cidl);
10185 *session_cidl = cidl;
10186 *session_cid = (uint8_t*)wmem_alloc0(wmem_file_scope(), cidl);
10187 tvb_memcpy(tvb, *session_cid, offset + 1, cidl);
10188 if (ssl) {
10189 ssl_add_session_by_cid(ssl);
10190 }
10191 }
10192
10193 proto_tree_add_item(tree, hf->hf.hs_ext_connection_id_length,
10194 tvb, offset, 1, ENC_NA0x00000000);
10195 offset++;
10196
10197 if (cidl > 0) {
10198 proto_tree_add_item(tree, hf->hf.hs_ext_connection_id,
10199 tvb, offset, cidl, ENC_NA0x00000000);
10200 offset += cidl;
10201 }
10202
10203 return offset;
10204}
10205
10206static uint32_t
10207ssl_dissect_hnd_hello_ext_connection_id(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
10208 proto_tree *tree, uint32_t offset, uint8_t hnd_type,
10209 SslSession *session, SslDecryptSession *ssl)
10210{
10211 uint8_t cidl = tvb_get_uint8(tvb, offset);
10212
10213 switch (hnd_type) {
10214 case SSL_HND_CLIENT_HELLO:
10215 session->client_cid_len_present = true1;
10216 return ssl_dissect_ext_connection_id(hf, tvb, pinfo, tree, offset, ssl,
10217 cidl, &session->client_cid, &session->client_cid_len);
10218 case SSL_HND_SERVER_HELLO:
10219 session->server_cid_len_present = true1;
10220 return ssl_dissect_ext_connection_id(hf, tvb, pinfo, tree, offset, ssl,
10221 cidl, &session->server_cid, &session->server_cid_len);
10222 default:
10223 return offset;
10224 }
10225} /* }}} */
10226
10227/* Trusted CA dissection. {{{ */
10228static uint32_t
10229ssl_dissect_hnd_hello_ext_trusted_ca_keys(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
10230 uint32_t offset, uint32_t offset_end)
10231{
10232 proto_item *ti;
10233 proto_tree *subtree;
10234 uint32_t keys_length, next_offset;
10235
10236 /*
10237 * struct {
10238 * TrustedAuthority trusted_authorities_list<0..2^16-1>;
10239 * } TrustedAuthorities;
10240 *
10241 * struct {
10242 * IdentifierType identifier_type;
10243 * select (identifier_type) {
10244 * case pre_agreed: struct {};
10245 * case key_sha1_hash: SHA1Hash;
10246 * case x509_name: DistinguishedName;
10247 * case cert_sha1_hash: SHA1Hash;
10248 * } identifier;
10249 * } TrustedAuthority;
10250 *
10251 * enum {
10252 * pre_agreed(0), key_sha1_hash(1), x509_name(2),
10253 * cert_sha1_hash(3), (255)
10254 * } IdentifierType;
10255 *
10256 * opaque DistinguishedName<1..2^16-1>;
10257 *
10258 */
10259
10260
10261 /* TrustedAuthority trusted_authorities_list<0..2^16-1> */
10262 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &keys_length, hf->hf.hs_ext_trusted_ca_keys_len,
10263 0, UINT16_MAX(65535)))
10264 {
10265 return offset_end;
10266 }
10267 offset += 2;
10268 next_offset = offset + keys_length;
10269
10270 if (keys_length > 0)
10271 {
10272 ti = proto_tree_add_none_format(tree, hf->hf.hs_ext_trusted_ca_keys_list, tvb, offset, keys_length,
10273 "Trusted CA keys (%d byte%s)", keys_length, plurality(keys_length, "", "s")((keys_length) == 1 ? ("") : ("s")));
10274 subtree = proto_item_add_subtree(ti, hf->ett.hs_ext_trusted_ca_keys);
10275
10276 while (offset < next_offset)
10277 {
10278 uint32_t identifier_type;
10279 proto_tree *trusted_key_tree;
10280 proto_item *trusted_key_item;
10281 asn1_ctx_t asn1_ctx;
10282 uint32_t key_len = 0;
10283
10284 identifier_type = tvb_get_uint8(tvb, offset);
10285
10286 // Use 0 as length for now as we'll only know the size when we decode the identifier
10287 trusted_key_item = proto_tree_add_none_format(subtree, hf->hf.hs_ext_trusted_ca_key, tvb,
10288 offset, 0, "Trusted CA Key");
10289 trusted_key_tree = proto_item_add_subtree(trusted_key_item, hf->ett.hs_ext_trusted_ca_key);
10290
10291 proto_tree_add_uint(trusted_key_tree, hf->hf.hs_ext_trusted_ca_key_type, tvb,
10292 offset, 1, identifier_type);
10293 offset++;
10294
10295 /*
10296 * enum {
10297 * pre_agreed(0), key_sha1_hash(1), x509_name(2),
10298 * cert_sha1_hash(3), (255)
10299 * } IdentifierType;
10300 */
10301 switch (identifier_type)
10302 {
10303 case 0:
10304 key_len = 0;
10305 break;
10306 case 2:
10307 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true1, pinfo);
10308
10309 uint32_t name_length;
10310 /* opaque DistinguishedName<1..2^16-1> */
10311 if (!ssl_add_vector(hf, tvb, pinfo, trusted_key_tree, offset, next_offset, &name_length,
10312 hf->hf.hs_ext_trusted_ca_key_dname_len, 1, UINT16_MAX(65535))) {
10313 return next_offset;
10314 }
10315 offset += 2;
10316
10317 dissect_x509if_DistinguishedName(false0, tvb, offset, &asn1_ctx,
10318 trusted_key_tree, hf->hf.hs_ext_trusted_ca_key_dname);
10319 offset += name_length;
10320 break;
10321 case 1:
10322 case 3:
10323 key_len = 20;
10324 /* opaque SHA1Hash[20]; */
10325 proto_tree_add_item(trusted_key_tree, hf->hf.hs_ext_trusted_ca_key_hash, tvb,
10326 offset, 20, ENC_NA0x00000000);
10327 break;
10328
10329 default:
10330 key_len = 0;
10331 /*TODO display expert info about unknown ? */
10332 break;
10333 }
10334 proto_item_set_len(trusted_key_item, 1 + key_len);
10335 offset += key_len;
10336 }
10337 }
10338
10339 if (!ssl_end_vector(hf, tvb, pinfo, tree, offset, next_offset))
10340 {
10341 offset = next_offset;
10342 }
10343
10344 return offset;
10345} /* }}} */
10346
10347
10348/* Whether the Content and Handshake Types are valid; handle Protocol Version. {{{ */
10349bool_Bool
10350ssl_is_valid_content_type(uint8_t type)
10351{
10352 switch ((ContentType) type) {
10353 case SSL_ID_CHG_CIPHER_SPEC:
10354 case SSL_ID_ALERT:
10355 case SSL_ID_HANDSHAKE:
10356 case SSL_ID_APP_DATA:
10357 case SSL_ID_HEARTBEAT:
10358 case SSL_ID_TLS12_CID:
10359 case SSL_ID_DTLS13_ACK:
10360 return true1;
10361 }
10362 return false0;
10363}
10364
10365bool_Bool
10366ssl_is_valid_handshake_type(uint8_t hs_type, bool_Bool is_dtls)
10367{
10368 switch ((HandshakeType) hs_type) {
10369 case SSL_HND_HELLO_VERIFY_REQUEST:
10370 /* hello_verify_request is DTLS-only */
10371 return is_dtls;
10372
10373 case SSL_HND_HELLO_REQUEST:
10374 case SSL_HND_CLIENT_HELLO:
10375 case SSL_HND_SERVER_HELLO:
10376 case SSL_HND_NEWSESSION_TICKET:
10377 case SSL_HND_END_OF_EARLY_DATA:
10378 case SSL_HND_HELLO_RETRY_REQUEST:
10379 case SSL_HND_ENCRYPTED_EXTENSIONS:
10380 case SSL_HND_CERTIFICATE:
10381 case SSL_HND_SERVER_KEY_EXCHG:
10382 case SSL_HND_CERT_REQUEST:
10383 case SSL_HND_SVR_HELLO_DONE:
10384 case SSL_HND_CERT_VERIFY:
10385 case SSL_HND_CLIENT_KEY_EXCHG:
10386 case SSL_HND_FINISHED:
10387 case SSL_HND_CERT_URL:
10388 case SSL_HND_CERT_STATUS:
10389 case SSL_HND_SUPPLEMENTAL_DATA:
10390 case SSL_HND_KEY_UPDATE:
10391 case SSL_HND_COMPRESSED_CERTIFICATE:
10392 case SSL_HND_ENCRYPTED_EXTS:
10393 return true1;
10394 case SSL_HND_MESSAGE_HASH:
10395 return false0;
10396 }
10397 return false0;
10398}
10399
10400static bool_Bool
10401ssl_is_authoritative_version_message(uint8_t content_type, uint8_t handshake_type,
10402 bool_Bool is_dtls)
10403{
10404 /* Consider all valid Handshake messages (except for Client Hello) and
10405 * all other valid record types (other than Handshake) */
10406 return (content_type == SSL_ID_HANDSHAKE &&
10407 ssl_is_valid_handshake_type(handshake_type, is_dtls) &&
10408 handshake_type != SSL_HND_CLIENT_HELLO) ||
10409 (content_type != SSL_ID_HANDSHAKE &&
10410 ssl_is_valid_content_type(content_type));
10411}
10412
10413/**
10414 * Scan a Server Hello handshake message for the negotiated version. For TLS 1.3
10415 * draft 22 and newer, it also checks whether it is a HelloRetryRequest.
10416 * Returns true if the supported_versions extension was found, false if not.
10417 */
10418bool_Bool
10419tls_scan_server_hello(tvbuff_t *tvb, uint32_t offset, uint32_t offset_end,
10420 uint16_t *server_version, bool_Bool *is_hrr)
10421{
10422 /* SHA256("HelloRetryRequest") */
10423 static const uint8_t tls13_hrr_random_magic[] = {
10424 0xcf, 0x21, 0xad, 0x74, 0xe5, 0x9a, 0x61, 0x11, 0xbe, 0x1d, 0x8c, 0x02, 0x1e, 0x65, 0xb8, 0x91,
10425 0xc2, 0xa2, 0x11, 0x16, 0x7a, 0xbb, 0x8c, 0x5e, 0x07, 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c
10426 };
10427 uint8_t session_id_length;
10428
10429 *server_version = tvb_get_ntohs(tvb, offset);
10430
10431 /*
10432 * Try to look for supported_versions extension. Minimum length:
10433 * 2 + 32 + 1 = 35 (version, random, session id length)
10434 * 2 + 1 + 2 = 5 (cipher suite, compression method, extensions length)
10435 * 2 + 2 + 2 = 6 (ext type, ext len, version)
10436 *
10437 * We only check for the [legacy_]version field to be [D]TLS 1.2; if it's 1.3,
10438 * there's a separate expert info warning for that.
10439 */
10440 if ((*server_version == TLSV1DOT2_VERSION0x303 || *server_version == DTLSV1DOT2_VERSION0xfefd) && offset_end - offset >= 46) {
10441 offset += 2;
10442 if (is_hrr) {
10443 *is_hrr = tvb_memeql(tvb, offset, tls13_hrr_random_magic, sizeof(tls13_hrr_random_magic)) == 0;
10444 }
10445 offset += 32;
10446 session_id_length = tvb_get_uint8(tvb, offset);
10447 offset++;
10448 if (offset_end - offset < session_id_length + 5u) {
10449 return false0;
10450 }
10451 offset += session_id_length + 5;
10452
10453 while (offset_end - offset >= 6) {
10454 uint16_t ext_type = tvb_get_ntohs(tvb, offset);
10455 uint16_t ext_len = tvb_get_ntohs(tvb, offset + 2);
10456 if (offset_end - offset < 4u + ext_len) {
10457 break; /* not enough data for type, length and data */
10458 }
10459 if (ext_type == SSL_HND_HELLO_EXT_SUPPORTED_VERSIONS43) {
10460 if (ext_len == 2) {
10461 *server_version = tvb_get_ntohs(tvb, offset + 4);
10462 }
10463 return true1;
10464 }
10465 offset += 4 + ext_len;
10466 }
10467 } else {
10468 if (is_hrr) {
10469 *is_hrr = false0;
10470 }
10471 }
10472 return false0;
10473}
10474
10475/**
10476 * Scan a Client Hello handshake message to see if the supported_versions
10477 * extension is found, in which case the version field is legacy_version.
10478 */
10479static bool_Bool
10480tls_scan_client_hello(tvbuff_t *tvb, uint32_t offset, uint32_t offset_end)
10481{
10482 uint8_t session_id_length;
10483
10484 uint16_t client_version = tvb_get_ntohs(tvb, offset);
10485
10486 /*
10487 * Try to look for supported_versions extension. Minimum length:
10488 * 2 + 32 + 1 = 35 (version, random, session id length)
10489 * 2 + 2 + 1 + 2 = 5 (cipher suite, compression method, extensions length)
10490 * 2 + 2 + 2 = 6 (ext type, ext len, version)
10491 *
10492 * We only check for the [legacy_]version field to be [D]TLS 1.2; if it's 1.3,
10493 * there's a separate expert info warning for that.
10494 */
10495 if ((client_version == TLSV1DOT2_VERSION0x303 || client_version == DTLSV1DOT2_VERSION0xfefd) && offset_end - offset >= 46) {
10496 offset += 2;
10497 offset += 32;
10498 session_id_length = tvb_get_uint8(tvb, offset);
10499 offset++;
10500 if (offset_end - offset < session_id_length + 2u) {
10501 return false0;
10502 }
10503 offset += session_id_length;
10504 if (client_version == DTLSV1DOT2_VERSION0xfefd) {
10505 uint8_t cookie_length = tvb_get_uint8(tvb, offset);
10506 offset++;
10507 if (offset_end - offset < cookie_length + 2u) {
10508 return false0;
10509 }
10510 }
10511 uint16_t cipher_suites_length = tvb_get_ntohs(tvb, offset);
10512 offset += 2;
10513 if (offset_end - offset < cipher_suites_length + 1u) {
10514 return false0;
10515 }
10516 offset += cipher_suites_length;
10517 uint8_t compression_methods_length = tvb_get_uint8(tvb, offset);
10518 offset++;
10519 if (offset_end - offset < compression_methods_length + 2u) {
10520 return false0;
10521 }
10522 offset += compression_methods_length + 2;
10523
10524 while (offset_end - offset >= 6) {
10525 uint16_t ext_type = tvb_get_ntohs(tvb, offset);
10526 uint16_t ext_len = tvb_get_ntohs(tvb, offset + 2);
10527 if (offset_end - offset < 4u + ext_len) {
10528 break; /* not enough data for type, length and data */
10529 }
10530 if (ext_type == SSL_HND_HELLO_EXT_SUPPORTED_VERSIONS43) {
10531 return true1;
10532 }
10533 offset += 4 + ext_len;
10534 }
10535 }
10536 return false0;
10537}
10538void
10539ssl_try_set_version(SslSession *session, SslDecryptSession *ssl,
10540 uint8_t content_type, uint8_t handshake_type,
10541 bool_Bool is_dtls, uint16_t version)
10542{
10543 uint8_t tls13_draft = 0;
10544
10545 if (!ssl_is_authoritative_version_message(content_type, handshake_type,
10546 is_dtls))
10547 return;
10548
10549 version = tls_try_get_version(is_dtls, version, &tls13_draft);
10550 if (version == SSL_VER_UNKNOWN0) {
10551 return;
10552 }
10553
10554 session->tls13_draft_version = tls13_draft;
10555 session->version = version;
10556 if (ssl) {
10557 ssl->state |= SSL_VERSION(1<<4);
10558 ssl_debug_printf("%s found version 0x%04X -> state 0x%02X\n", G_STRFUNC((const char*) (__func__)), version, ssl->state);
10559 }
10560}
10561
10562void
10563ssl_check_record_length(ssl_common_dissect_t *hf, packet_info *pinfo,
10564 ContentType content_type,
10565 unsigned record_length, proto_item *length_pi,
10566 uint16_t version, tvbuff_t *decrypted_tvb)
10567{
10568 unsigned max_expansion;
10569 if (version == TLSV1DOT3_VERSION0x304) {
10570 /* TLS 1.3: Max length is 2^14 + 256 */
10571 max_expansion = 256;
10572 } else {
10573 /* RFC 5246, Section 6.2.3: TLSCiphertext.fragment length MUST NOT exceed 2^14 + 2048 */
10574 max_expansion = 2048;
10575 }
10576 /*
10577 * RFC 5246 (TLS 1.2), Section 6.2.1 forbids zero-length Handshake, Alert
10578 * and ChangeCipherSpec.
10579 * RFC 6520 (Heartbeats) does not mention zero-length Heartbeat fragments,
10580 * so assume it is permitted.
10581 * RFC 6347 (DTLS 1.2) does not mention zero-length fragments either, so
10582 * assume TLS 1.2 requirements.
10583 */
10584 if (record_length == 0 &&
10585 (content_type == SSL_ID_CHG_CIPHER_SPEC ||
10586 content_type == SSL_ID_ALERT ||
10587 content_type == SSL_ID_HANDSHAKE)) {
10588 expert_add_info_format(pinfo, length_pi, &hf->ei.record_length_invalid,
10589 "Zero-length %s fragments are not allowed",
10590 val_to_str_const(content_type, ssl_31_content_type, "unknown"));
10591 }
10592 if (record_length > TLS_MAX_RECORD_LENGTH0x4000 + max_expansion) {
10593 expert_add_info_format(pinfo, length_pi, &hf->ei.record_length_invalid,
10594 "TLSCiphertext length MUST NOT exceed 2^14 + %u", max_expansion);
10595 }
10596 if (decrypted_tvb && tvb_captured_length(decrypted_tvb) > TLS_MAX_RECORD_LENGTH0x4000) {
10597 expert_add_info_format(pinfo, length_pi, &hf->ei.record_length_invalid,
10598 "TLSPlaintext length MUST NOT exceed 2^14");
10599 }
10600}
10601
10602static void
10603ssl_set_cipher(SslDecryptSession *ssl, uint16_t cipher)
10604{
10605 /* store selected cipher suite for decryption */
10606 ssl->session.cipher = cipher;
10607
10608 const SslCipherSuite *cs = ssl_find_cipher(cipher);
10609 if (!cs) {
10610 ssl->cipher_suite = NULL((void*)0);
10611 ssl->state &= ~SSL_CIPHER(1<<2);
10612 ssl_debug_printf("%s can't find cipher suite 0x%04X\n", G_STRFUNC((const char*) (__func__)), cipher);
10613 } else if (ssl->session.version == SSLV3_VERSION0x300 && !(cs->dig == DIG_MD50x40 || cs->dig == DIG_SHA0x41)) {
10614 /* A malicious packet capture contains a SSL 3.0 session using a TLS 1.2
10615 * cipher suite that uses for example MACAlgorithm SHA256. Reject that
10616 * to avoid a potential buffer overflow in ssl3_check_mac. */
10617 ssl->cipher_suite = NULL((void*)0);
10618 ssl->state &= ~SSL_CIPHER(1<<2);
10619 ssl_debug_printf("%s invalid SSL 3.0 cipher suite 0x%04X\n", G_STRFUNC((const char*) (__func__)), cipher);
10620 } else {
10621 /* Cipher found, save this for the delayed decoder init */
10622 ssl->cipher_suite = cs;
10623 ssl->state |= SSL_CIPHER(1<<2);
10624 ssl_debug_printf("%s found CIPHER 0x%04X %s -> state 0x%02X\n", G_STRFUNC((const char*) (__func__)), cipher,
10625 val_to_str_ext_const(cipher, &ssl_31_ciphersuite_ext, "unknown"),
10626 ssl->state);
10627 }
10628}
10629/* }}} */
10630
10631
10632/* Client Hello and Server Hello dissections. {{{ */
10633static int
10634ssl_dissect_hnd_extension(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree,
10635 packet_info* pinfo, uint32_t offset, uint32_t offset_end, uint8_t hnd_type,
10636 SslSession *session, SslDecryptSession *ssl,
10637 bool_Bool is_dtls, wmem_strbuf_t *ja3, ja4_data_t *ja4_data,
10638 ssl_master_key_map_t *mk_map, uint32_t initial_offset, uint32_t hello_length);
10639int
10640// NOLINTNEXTLINE(misc-no-recursion)
10641ssl_dissect_hnd_cli_hello(ssl_common_dissect_t *hf, tvbuff_t *tvb,
10642 packet_info *pinfo, proto_tree *tree, uint32_t offset,
10643 uint32_t offset_end, SslSession *session,
10644 SslDecryptSession *ssl, dtls_hfs_t *dtls_hfs, ssl_master_key_map_t *mk_map)
10645{
10646 /* struct {
10647 * ProtocolVersion client_version;
10648 * Random random;
10649 * SessionID session_id;
10650 * opaque cookie<0..32>; //new field for DTLS
10651 * CipherSuite cipher_suites<2..2^16-1>;
10652 * CompressionMethod compression_methods<1..2^8-1>;
10653 * Extension client_hello_extension_list<0..2^16-1>;
10654 * } ClientHello;
10655 */
10656 proto_item *ti;
10657 proto_tree *cs_tree;
10658 uint32_t client_version;
10659 uint32_t cipher_suite_length;
10660 uint32_t compression_methods_length;
10661 uint8_t compression_method;
10662 uint32_t next_offset;
10663 uint32_t initial_offset = offset;
10664 uint32_t hello_length = offset_end - initial_offset;
10665 wmem_strbuf_t *ja3 = wmem_strbuf_new(pinfo->pool, "");
10666 char *ja3_hash;
10667 char *ja3_dash = "";
10668 char *ja4, *ja4_r, *ja4_hash, *ja4_b, *ja4_c;
10669 ja4_data_t ja4_data;
10670 wmem_strbuf_t *ja4_a = wmem_strbuf_new(pinfo->pool, "");
10671 wmem_strbuf_t *ja4_br = wmem_strbuf_new(pinfo->pool, "");
10672 wmem_strbuf_t *ja4_cr = wmem_strbuf_new(pinfo->pool, "");
10673 wmem_list_frame_t *curr_entry;
10674
10675 ja4_data.max_version = 0;
10676 ja4_data.server_name_present = false0;
10677 ja4_data.num_cipher_suites = 0;
10678 ja4_data.num_extensions = 0;
10679 ja4_data.alpn = wmem_strbuf_new(pinfo->pool, "");
10680 ja4_data.cipher_list = wmem_list_new(pinfo->pool);
10681 ja4_data.extension_list = wmem_list_new(pinfo->pool);
10682 ja4_data.sighash_list = wmem_list_new(pinfo->pool);
10683
10684 /* show the client version */
10685 ti = proto_tree_add_item_ret_uint(tree, hf->hf.hs_client_version, tvb,
10686 offset, 2, ENC_BIG_ENDIAN0x00000000,
10687 &client_version);
10688 if (tls_scan_client_hello(tvb, offset, offset_end)) {
10689 expert_add_info(pinfo, ti, &hf->ei.legacy_version);
10690 }
10691 offset += 2;
10692 wmem_strbuf_append_printf(ja3, "%i,", client_version);
10693
10694 /*
10695 * Is it version 1.3?
10696 * If so, that's an error; TLS and DTLS 1.3 Client Hellos claim
10697 * to be TLS 1.2, and mention 1.3 in an extension. See RFC 8446
10698 * section 4.1.2 "Client Hello" and RFC 9147 Section 5.3 "Client
10699 * Hello".
10700 */
10701 if (dtls_hfs != NULL((void*)0)) {
10702 if (client_version == DTLSV1DOT3_VERSION0xfefc) {
10703 /* Don't do that. */
10704 expert_add_info(pinfo, ti, &hf->ei.client_version_error);
10705 }
10706 } else {
10707 if (client_version == TLSV1DOT3_VERSION0x304) {
10708 /* Don't do that. */
10709 expert_add_info(pinfo, ti, &hf->ei.client_version_error);
10710 }
10711 }
10712
10713 /* dissect fields that are present in both ClientHello and ServerHello */
10714 offset = ssl_dissect_hnd_hello_common(hf, tvb, pinfo, tree, offset, session, ssl, false0, false0);
10715
10716 /* fields specific for DTLS (cookie_len, cookie) */
10717 if (dtls_hfs != NULL((void*)0)) {
10718 uint32_t cookie_length;
10719 /* opaque cookie<0..32> (for DTLS only) */
10720 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &cookie_length,
10721 dtls_hfs->hf_dtls_handshake_cookie_len, 0, 32)) {
10722 return offset;
10723 }
10724 offset++;
10725 if (cookie_length > 0) {
10726 proto_tree_add_item(tree, dtls_hfs->hf_dtls_handshake_cookie,
10727 tvb, offset, cookie_length, ENC_NA0x00000000);
10728 offset += cookie_length;
10729 }
10730 }
10731
10732 /* CipherSuite cipher_suites<2..2^16-1> */
10733 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &cipher_suite_length,
10734 hf->hf.hs_cipher_suites_len, 2, UINT16_MAX(65535))) {
10735 return offset;
10736 }
10737 offset += 2;
10738 next_offset = offset + cipher_suite_length;
10739 ti = proto_tree_add_none_format(tree,
10740 hf->hf.hs_cipher_suites,
10741 tvb, offset, cipher_suite_length,
10742 "Cipher Suites (%d suite%s)",
10743 cipher_suite_length / 2,
10744 plurality(cipher_suite_length/2, "", "s")((cipher_suite_length/2) == 1 ? ("") : ("s")));
10745 cs_tree = proto_item_add_subtree(ti, hf->ett.cipher_suites);
10746 while (offset + 2 <= next_offset) {
10747 uint32_t cipher_suite;
10748
10749 proto_tree_add_item_ret_uint(cs_tree, hf->hf.hs_cipher_suite, tvb, offset, 2,
10750 ENC_BIG_ENDIAN0x00000000, &cipher_suite);
10751 offset += 2;
10752 if (!IS_GREASE_TLS(cipher_suite)((((cipher_suite) & 0x0f0f) == 0x0a0a) && (((cipher_suite
) & 0xff) == (((cipher_suite)>>8) & 0xff)))) {
10753 wmem_strbuf_append_printf(ja3, "%s%i",ja3_dash, cipher_suite);
10754 ja3_dash = "-";
10755 ja4_data.num_cipher_suites += 1;
10756 wmem_list_insert_sorted(ja4_data.cipher_list, GUINT_TO_POINTER(cipher_suite)((gpointer) (gulong) (cipher_suite)), wmem_compare_uint);
10757 }
10758 }
10759 wmem_strbuf_append_c(ja3, ',');
10760 if (!ssl_end_vector(hf, tvb, pinfo, cs_tree, offset, next_offset)) {
10761 offset = next_offset;
10762 }
10763
10764 /* CompressionMethod compression_methods<1..2^8-1> */
10765 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &compression_methods_length,
10766 hf->hf.hs_comp_methods_len, 1, UINT8_MAX(255))) {
10767 return offset;
10768 }
10769 offset++;
10770 next_offset = offset + compression_methods_length;
10771 ti = proto_tree_add_none_format(tree,
10772 hf->hf.hs_comp_methods,
10773 tvb, offset, compression_methods_length,
10774 "Compression Methods (%u method%s)",
10775 compression_methods_length,
10776 plurality(compression_methods_length,((compression_methods_length) == 1 ? ("") : ("s"))
10777 "", "s")((compression_methods_length) == 1 ? ("") : ("s")));
10778 cs_tree = proto_item_add_subtree(ti, hf->ett.comp_methods);
10779 while (offset < next_offset) {
10780 compression_method = tvb_get_uint8(tvb, offset);
10781 /* TODO: make reserved/private comp meth. fields selectable */
10782 if (compression_method < 64)
10783 proto_tree_add_uint(cs_tree, hf->hf.hs_comp_method,
10784 tvb, offset, 1, compression_method);
10785 else if (compression_method > 63 && compression_method < 193)
10786 proto_tree_add_uint_format_value(cs_tree, hf->hf.hs_comp_method, tvb, offset, 1,
10787 compression_method, "Reserved - to be assigned by IANA (%u)",
10788 compression_method);
10789 else
10790 proto_tree_add_uint_format_value(cs_tree, hf->hf.hs_comp_method, tvb, offset, 1,
10791 compression_method, "Private use range (%u)",
10792 compression_method);
10793 offset++;
10794 }
10795
10796 /* SSL v3.0 has no extensions, so length field can indeed be missing. */
10797 if (offset < offset_end) {
10798 offset = ssl_dissect_hnd_extension(hf, tvb, tree, pinfo, offset,
10799 offset_end, SSL_HND_CLIENT_HELLO,
10800 session, ssl, dtls_hfs != NULL((void*)0), ja3, &ja4_data, mk_map, initial_offset, hello_length);
10801 if (ja4_data.max_version > 0) {
10802 client_version = ja4_data.max_version;
10803 }
10804 } else {
10805 wmem_strbuf_append_printf(ja3, ",,");
10806 }
10807
10808 if (proto_is_frame_protocol(pinfo->layers,"tcp")) {
10809 wmem_strbuf_append(ja4_a, "t");
10810 } else if (proto_is_frame_protocol(pinfo->layers,"quic")) {
10811 wmem_strbuf_append(ja4_a, "q");
10812 } else if (proto_is_frame_protocol(pinfo->layers,"dtls")) {
10813 wmem_strbuf_append(ja4_a, "d");
10814 }
10815 wmem_strbuf_append_printf(ja4_a, "%s", val_to_str_const(client_version, ssl_version_ja4_names, "00"));
10816 wmem_strbuf_append_printf(ja4_a, "%s", ja4_data.server_name_present ? "d" : "i");
10817 if (ja4_data.num_cipher_suites > 99) {
10818 wmem_strbuf_append(ja4_a, "99");
10819 } else {
10820 wmem_strbuf_append_printf(ja4_a, "%02d", ja4_data.num_cipher_suites);
10821 }
10822 if (ja4_data.num_extensions > 99) {
10823 wmem_strbuf_append(ja4_a, "99");
10824 } else {
10825 wmem_strbuf_append_printf(ja4_a, "%02d", ja4_data.num_extensions);
10826 }
10827 if (wmem_strbuf_get_len(ja4_data.alpn) > 0 ) {
10828 wmem_strbuf_append_printf(ja4_a, "%s", wmem_strbuf_get_str(ja4_data.alpn));
10829 } else {
10830 wmem_strbuf_append(ja4_a, "00");
10831 }
10832
10833 curr_entry = wmem_list_head(ja4_data.cipher_list);
10834 for (unsigned i = 0; i < wmem_list_count(ja4_data.cipher_list); i++) {
10835 wmem_strbuf_append_printf(ja4_br, "%04x", GPOINTER_TO_UINT(wmem_list_frame_data(curr_entry))((guint) (gulong) (wmem_list_frame_data(curr_entry))));
10836 if (i < wmem_list_count(ja4_data.cipher_list) - 1) {
10837 wmem_strbuf_append(ja4_br, ",");
10838 }
10839 curr_entry = wmem_list_frame_next(curr_entry);
10840 }
10841
10842 curr_entry = wmem_list_head(ja4_data.extension_list);
10843 for (unsigned i = 0; i < wmem_list_count(ja4_data.extension_list); i++) {
10844 wmem_strbuf_append_printf(ja4_cr, "%04x", GPOINTER_TO_UINT(wmem_list_frame_data(curr_entry))((guint) (gulong) (wmem_list_frame_data(curr_entry))));
10845 if (i < wmem_list_count(ja4_data.extension_list) - 1) {
10846 wmem_strbuf_append(ja4_cr, ",");
10847 }
10848 curr_entry = wmem_list_frame_next(curr_entry);
10849 }
10850
10851 if (wmem_list_count(ja4_data.sighash_list) > 0) {
10852 wmem_strbuf_append(ja4_cr, "_");
10853 curr_entry = wmem_list_head(ja4_data.sighash_list);
10854 for (unsigned i = 0; i < wmem_list_count(ja4_data.sighash_list); i++) {
10855 wmem_strbuf_append_printf(ja4_cr, "%04x", GPOINTER_TO_UINT(wmem_list_frame_data(curr_entry))((guint) (gulong) (wmem_list_frame_data(curr_entry))));
10856 if (i < wmem_list_count(ja4_data.sighash_list) - 1) {
10857 wmem_strbuf_append(ja4_cr, ",");
10858 }
10859 curr_entry = wmem_list_frame_next(curr_entry);
10860 }
10861 }
10862 if ( wmem_strbuf_get_len(ja4_br) == 0 ) {
10863 ja4_hash = g_strdup("000000000000")g_strdup_inline ("000000000000");
10864 } else {
10865 ja4_hash = g_compute_checksum_for_string(G_CHECKSUM_SHA256, wmem_strbuf_get_str(ja4_br),-1);
10866 }
10867 ja4_b = wmem_strndup(pinfo->pool, ja4_hash, 12);
10868
10869 g_free(ja4_hash);
10870 if ( wmem_strbuf_get_len(ja4_cr) == 0 ) {
10871 ja4_hash = g_strdup("000000000000")g_strdup_inline ("000000000000");
10872 } else {
10873 ja4_hash = g_compute_checksum_for_string(G_CHECKSUM_SHA256, wmem_strbuf_get_str(ja4_cr),-1);
10874 }
10875 ja4_c = wmem_strndup(pinfo->pool, ja4_hash, 12);
10876 g_free(ja4_hash);
10877
10878 ja4 = wmem_strdup_printf(pinfo->pool, "%s_%s_%s", wmem_strbuf_get_str(ja4_a), ja4_b, ja4_c);
10879 ja4_r = wmem_strdup_printf(pinfo->pool, "%s_%s_%s", wmem_strbuf_get_str(ja4_a), wmem_strbuf_get_str(ja4_br), wmem_strbuf_get_str(ja4_cr));
10880
10881 ti = proto_tree_add_string(tree, hf->hf.hs_ja4, tvb, offset, 0, ja4);
10882 proto_item_set_generated(ti);
10883 ti = proto_tree_add_string(tree, hf->hf.hs_ja4_r, tvb, offset, 0, ja4_r);
10884 proto_item_set_generated(ti);
10885
10886 ja3_hash = g_compute_checksum_for_string(G_CHECKSUM_MD5, wmem_strbuf_get_str(ja3),
10887 wmem_strbuf_get_len(ja3));
10888 ti = proto_tree_add_string(tree, hf->hf.hs_ja3_full, tvb, offset, 0, wmem_strbuf_get_str(ja3));
10889 proto_item_set_generated(ti);
10890 ti = proto_tree_add_string(tree, hf->hf.hs_ja3_hash, tvb, offset, 0, ja3_hash);
10891 proto_item_set_generated(ti);
10892 g_free(ja3_hash);
10893 return offset;
10894}
10895
10896void
10897ssl_dissect_hnd_srv_hello(ssl_common_dissect_t *hf, tvbuff_t *tvb,
10898 packet_info* pinfo, proto_tree *tree, uint32_t offset, uint32_t offset_end,
10899 SslSession *session, SslDecryptSession *ssl,
10900 bool_Bool is_dtls, bool_Bool is_hrr)
10901{
10902 /* struct {
10903 * ProtocolVersion server_version;
10904 * Random random;
10905 * SessionID session_id; // TLS 1.2 and before
10906 * CipherSuite cipher_suite;
10907 * CompressionMethod compression_method; // TLS 1.2 and before
10908 * Extension server_hello_extension_list<0..2^16-1>;
10909 * } ServerHello;
10910 */
10911 uint8_t draft_version = session->tls13_draft_version;
10912 proto_item *ti;
10913 uint32_t server_version;
10914 uint32_t cipher_suite;
10915 uint32_t initial_offset = offset;
10916 wmem_strbuf_t *ja3 = wmem_strbuf_new(pinfo->pool, "");
10917 char *ja3_hash;
10918
10919 col_set_str(pinfo->cinfo, COL_PROTOCOL,
10920 val_to_str_const(session->version, ssl_version_short_names, "SSL"));
10921
10922 /* Initially assume that the session is resumed. If this is not the case, a
10923 * ServerHelloDone will be observed before the ChangeCipherSpec message
10924 * which will reset this flag. */
10925 session->is_session_resumed = true1;
10926
10927 /* show the server version */
10928 ti = proto_tree_add_item_ret_uint(tree, hf->hf.hs_server_version, tvb,
10929 offset, 2, ENC_BIG_ENDIAN0x00000000, &server_version);
10930
10931 uint16_t supported_server_version;
10932 if (tls_scan_server_hello(tvb, offset, offset_end, &supported_server_version, NULL((void*)0))) {
10933 expert_add_info(pinfo, ti, &hf->ei.legacy_version);
10934 }
10935 /*
10936 * Is it version 1.3?
10937 * If so, that's an error; TLS and DTLS 1.3 Server Hellos claim
10938 * to be TLS 1.2, and mention 1.3 in an extension. See RFC 8446
10939 * section 4.1.3 "Server Hello" and RFC 9147 Section 5.4 "Server
10940 * Hello".
10941 */
10942 if (is_dtls) {
10943 if (server_version == DTLSV1DOT3_VERSION0xfefc) {
10944 /* Don't do that. */
10945 expert_add_info(pinfo, ti, &hf->ei.server_version_error);
10946 }
10947 } else {
10948 if (server_version == TLSV1DOT3_VERSION0x304) {
10949 /* Don't do that. */
10950 expert_add_info(pinfo, ti, &hf->ei.server_version_error);
10951 }
10952 }
10953
10954 offset += 2;
10955 wmem_strbuf_append_printf(ja3, "%i", server_version);
10956
10957 /* dissect fields that are present in both ClientHello and ServerHello */
10958 offset = ssl_dissect_hnd_hello_common(hf, tvb, pinfo, tree, offset, session, ssl, true1, is_hrr);
10959
10960 if (ssl) {
10961 /* store selected cipher suite for decryption */
10962 ssl_set_cipher(ssl, tvb_get_ntohs(tvb, offset));
10963 }
10964
10965 /* now the server-selected cipher suite */
10966 proto_tree_add_item_ret_uint(tree, hf->hf.hs_cipher_suite,
10967 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &cipher_suite);
10968 offset += 2;
10969 wmem_strbuf_append_printf(ja3, ",%i,", cipher_suite);
10970
10971 /* No compression with TLS 1.3 before draft -22 */
10972 if (!(session->version == TLSV1DOT3_VERSION0x304 && draft_version > 0 && draft_version < 22)) {
10973 if (ssl) {
10974 /* store selected compression method for decryption */
10975 ssl->session.compression = tvb_get_uint8(tvb, offset);
10976 }
10977 /* and the server-selected compression method */
10978 proto_tree_add_item(tree, hf->hf.hs_comp_method,
10979 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
10980 offset++;
10981 }
10982
10983 /* SSL v3.0 has no extensions, so length field can indeed be missing. */
10984 if (offset < offset_end) {
10985 offset = ssl_dissect_hnd_extension(hf, tvb, tree, pinfo, offset,
10986 offset_end,
10987 is_hrr ? SSL_HND_HELLO_RETRY_REQUEST : SSL_HND_SERVER_HELLO,
10988 session, ssl, is_dtls, ja3, NULL((void*)0), NULL((void*)0), 0, 0);
10989 }
10990
10991 if (ssl && ssl->ech_transcript.data_len > 0 && (ssl->state & SSL_CIPHER(1<<2)) && ssl->client_random.data_len > 0) {
10992 int hash_algo = ssl_get_digest_by_name(ssl_cipher_suite_dig(ssl->cipher_suite)->name);
10993 if (hash_algo) {
10994 SSL_MDgcry_md_hd_t mc;
10995 unsigned char transcript_hash[DIGEST_MAX_SIZE48];
10996 unsigned char prk[DIGEST_MAX_SIZE48];
10997 unsigned char *ech_verify_out = NULL((void*)0);
10998 unsigned int len;
10999 ssl_md_init(&mc, hash_algo);
11000 ssl_md_update(&mc, ssl->ech_transcript.data, ssl->ech_transcript.data_len);
11001 if (is_hrr) {
11002 ssl_md_final(&mc, transcript_hash, &len);
11003 ssl_md_cleanup(&mc);
11004 wmem_free(wmem_file_scope(), ssl->ech_transcript.data);
11005 ssl->ech_transcript.data_len = 4 + len;
11006 ssl->ech_transcript.data = (unsigned char*)wmem_alloc(wmem_file_scope(), 4 + len + 4 + offset_end - initial_offset);
11007 ssl->ech_transcript.data[0] = SSL_HND_MESSAGE_HASH;
11008 ssl->ech_transcript.data[1] = 0;
11009 ssl->ech_transcript.data[2] = 0;
11010 ssl->ech_transcript.data[3] = len;
11011 memcpy(ssl->ech_transcript.data + 4, transcript_hash, len);
11012 ssl_md_init(&mc, hash_algo);
11013 ssl_md_update(&mc, ssl->ech_transcript.data, 4 + len);
11014 } else {
11015 ssl->ech_transcript.data = wmem_realloc(wmem_file_scope(), ssl->ech_transcript.data,
11016 ssl->ech_transcript.data_len + 4 + offset_end - initial_offset);
11017 }
11018 if (initial_offset > 4) {
11019 tvb_memcpy(tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len, initial_offset - 4,
11020 4 + offset_end - initial_offset);
11021 if (is_hrr)
11022 ssl_md_update(&mc, (unsigned char *)tvb_get_ptr(tvb, initial_offset-4, 38), 38);
11023 else
11024 ssl_md_update(&mc, (unsigned char *)tvb_get_ptr(tvb, initial_offset-4, 30), 30);
11025 } else {
11026 uint8_t prefix[4] = {SSL_HND_SERVER_HELLO, 0x00, 0x00, 0x00};
11027 prefix[2] = ((offset - initial_offset) >> 8);
11028 prefix[3] = (offset - initial_offset) & 0xff;
11029 memcpy(ssl->ech_transcript.data + ssl->ech_transcript.data_len, prefix, 4);
11030 tvb_memcpy(tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len + 4, initial_offset,
11031 offset_end - initial_offset);
11032 ssl_md_update(&mc, prefix, 4);
11033 if (is_hrr)
11034 ssl_md_update(&mc, (unsigned char *)tvb_get_ptr(tvb, initial_offset, 34), 34);
11035 else
11036 ssl_md_update(&mc, (unsigned char *)tvb_get_ptr(tvb, initial_offset, 26), 26);
11037 }
11038 ssl->ech_transcript.data_len += 4 + offset_end - initial_offset;
11039 uint8_t zeros[8] = { 0 };
11040 uint32_t confirmation_offset = initial_offset + 26;
11041 if (is_hrr) {
11042 uint32_t hrr_offset = initial_offset + 34;
11043 ssl_md_update(&mc, (unsigned char *)tvb_get_ptr(tvb, hrr_offset,
11044 tvb_get_uint8(tvb, hrr_offset) + 1), tvb_get_uint8(tvb, hrr_offset) + 1);
11045 hrr_offset += tvb_get_uint8(tvb, hrr_offset) + 1;
11046 ssl_md_update(&mc, (unsigned char *)tvb_get_ptr(tvb, hrr_offset, 3), 3);
11047 hrr_offset += 3;
11048 uint16_t extensions_end = hrr_offset + tvb_get_ntohs(tvb, hrr_offset) + 2;
11049 ssl_md_update(&mc, (unsigned char *)tvb_get_ptr(tvb, hrr_offset, 2), 2);
11050 hrr_offset += 2;
11051 while (extensions_end - hrr_offset >= 4) {
11052 if (tvb_get_ntohs(tvb, hrr_offset) == SSL_HND_HELLO_EXT_ENCRYPTED_CLIENT_HELLO65037 &&
11053 tvb_get_ntohs(tvb, hrr_offset + 2) == 8) {
11054 confirmation_offset = hrr_offset + 4;
11055 ssl_md_update(&mc, (unsigned char *)tvb_get_ptr(tvb, hrr_offset, 4), 4);
11056 ssl_md_update(&mc, zeros, 8);
11057 hrr_offset += 12;
11058 } else {
11059 ssl_md_update(&mc, (unsigned char *)tvb_get_ptr(tvb, hrr_offset, tvb_get_ntohs(tvb, hrr_offset + 2) + 4),
11060 tvb_get_ntohs(tvb, hrr_offset + 2) + 4);
11061 hrr_offset += tvb_get_ntohs(tvb, hrr_offset + 2) + 4;
11062 }
11063 }
11064 } else {
11065 ssl_md_update(&mc, zeros, 8);
11066 ssl_md_update(&mc, (unsigned char *)tvb_get_ptr(tvb, initial_offset + 34, offset - initial_offset - 34),
11067 offset - initial_offset - 34);
11068 }
11069 ssl_md_final(&mc, transcript_hash, &len);
11070 ssl_md_cleanup(&mc);
11071 hkdf_extract(hash_algo, NULL((void*)0), 0, ssl->client_random.data, 32, prk);
11072 StringInfo prk_string = {prk, len};
11073 tls13_hkdf_expand_label_context(hash_algo, &prk_string, tls13_hkdf_label_prefix(ssl),
11074 is_hrr ? "hrr ech accept confirmation" : "ech accept confirmation",
11075 transcript_hash, len, 8, &ech_verify_out);
11076 memcpy(is_hrr ? ssl->session.hrr_ech_confirmation : ssl->session.ech_confirmation, ech_verify_out, 8);
11077 if (tvb_memeql(tvb, confirmation_offset, ech_verify_out, 8) == -1) {
11078 if (is_hrr) {
11079 ssl->session.hrr_ech_declined = true1;
11080 ssl->session.first_ch_ech_frame = 0;
11081 }
11082 memcpy(ssl->client_random.data, ssl->session.client_random.data, ssl->session.client_random.data_len);
11083 ssl_print_data("Updated Client Random", ssl->client_random.data, 32);
11084 }
11085 wmem_free(NULL((void*)0), ech_verify_out);
11086 ssl->session.ech = true1;
11087 }
11088 }
11089
11090 ja3_hash = g_compute_checksum_for_string(G_CHECKSUM_MD5, wmem_strbuf_get_str(ja3),
11091 wmem_strbuf_get_len(ja3));
11092 ti = proto_tree_add_string(tree, hf->hf.hs_ja3s_full, tvb, offset, 0, wmem_strbuf_get_str(ja3));
11093 proto_item_set_generated(ti);
11094 ti = proto_tree_add_string(tree, hf->hf.hs_ja3s_hash, tvb, offset, 0, ja3_hash);
11095 proto_item_set_generated(ti);
11096 g_free(ja3_hash);
11097}
11098/* Client Hello and Server Hello dissections. }}} */
11099
11100/* New Session Ticket dissection. {{{ */
11101void
11102ssl_dissect_hnd_new_ses_ticket(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
11103 proto_tree *tree, uint32_t offset, uint32_t offset_end,
11104 SslSession *session, SslDecryptSession *ssl,
11105 bool_Bool is_dtls, GHashTable *session_hash)
11106{
11107 /* https://tools.ietf.org/html/rfc5077#section-3.3 (TLS >= 1.0):
11108 * struct {
11109 * uint32 ticket_lifetime_hint;
11110 * opaque ticket<0..2^16-1>;
11111 * } NewSessionTicket;
11112 *
11113 * RFC 8446 Section 4.6.1 (TLS 1.3):
11114 * struct {
11115 * uint32 ticket_lifetime;
11116 * uint32 ticket_age_add;
11117 * opaque ticket_nonce<0..255>; // new in draft -21, updated in -22
11118 * opaque ticket<1..2^16-1>;
11119 * Extension extensions<0..2^16-2>;
11120 * } NewSessionTicket;
11121 */
11122 proto_tree *subtree;
11123 proto_item *subitem;
11124 uint32_t ticket_len;
11125 bool_Bool is_tls13 = session->version == TLSV1DOT3_VERSION0x304 || session->version == DTLSV1DOT3_VERSION0xfefc;
11126 unsigned char draft_version = session->tls13_draft_version;
11127 uint32_t lifetime_hint;
11128
11129 subtree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
11130 hf->ett.session_ticket, NULL((void*)0),
11131 "TLS Session Ticket");
11132
11133 /* ticket lifetime hint */
11134 subitem = proto_tree_add_item_ret_uint(subtree, hf->hf.hs_session_ticket_lifetime_hint,
11135 tvb, offset, 4, ENC_BIG_ENDIAN0x00000000, &lifetime_hint);
11136 offset += 4;
11137
11138 if (lifetime_hint >= 60) {
11139 char *time_str = unsigned_time_secs_to_str(pinfo->pool, lifetime_hint);
11140 proto_item_append_text(subitem, " (%s)", time_str);
11141 }
11142
11143 if (is_tls13) {
11144
11145 /* for TLS 1.3: ticket_age_add */
11146 proto_tree_add_item(subtree, hf->hf.hs_session_ticket_age_add,
11147 tvb, offset, 4, ENC_BIG_ENDIAN0x00000000);
11148 offset += 4;
11149
11150 /* for TLS 1.3: ticket_nonce (coming with Draft 21)*/
11151 if (draft_version == 0 || draft_version >= 21) {
11152 uint32_t ticket_nonce_len;
11153
11154 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, offset_end, &ticket_nonce_len,
11155 hf->hf.hs_session_ticket_nonce_len, 0, 255)) {
11156 return;
11157 }
11158 offset++;
11159
11160 proto_tree_add_item(subtree, hf->hf.hs_session_ticket_nonce, tvb, offset, ticket_nonce_len, ENC_NA0x00000000);
11161 offset += ticket_nonce_len;
11162 }
11163
11164 }
11165
11166 /* opaque ticket<0..2^16-1> (with TLS 1.3 the minimum is 1) */
11167 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, offset_end, &ticket_len,
11168 hf->hf.hs_session_ticket_len, is_tls13 ? 1 : 0, UINT16_MAX(65535))) {
11169 return;
11170 }
11171 offset += 2;
11172
11173 /* Content depends on implementation, so just show data! */
11174 proto_tree_add_item(subtree, hf->hf.hs_session_ticket,
11175 tvb, offset, ticket_len, ENC_NA0x00000000);
11176 /* save the session ticket to cache for ssl_finalize_decryption */
11177 if (ssl && !is_tls13) {
11178 tvb_ensure_bytes_exist(tvb, offset, ticket_len);
11179 ssl->session_ticket.data = (unsigned char*)wmem_realloc(wmem_file_scope(),
11180 ssl->session_ticket.data, ticket_len);
11181 ssl->session_ticket.data_len = ticket_len;
11182 tvb_memcpy(tvb, ssl->session_ticket.data, offset, ticket_len);
11183 /* NewSessionTicket is received after the first (client)
11184 * ChangeCipherSpec, and before the second (server) ChangeCipherSpec.
11185 * Since the second CCS has already the session key available it will
11186 * just return. To ensure that the session ticket is mapped to a
11187 * master key (from the first CCS), save the ticket here too. */
11188 ssl_save_master_key("Session Ticket", session_hash,
11189 &ssl->session_ticket, &ssl->master_secret);
11190 ssl->state |= SSL_NEW_SESSION_TICKET(1<<10);
11191 }
11192 offset += ticket_len;
11193
11194 if (is_tls13) {
11195 ssl_dissect_hnd_extension(hf, tvb, subtree, pinfo, offset,
11196 offset_end, SSL_HND_NEWSESSION_TICKET,
11197 session, ssl, is_dtls, NULL((void*)0), NULL((void*)0), NULL((void*)0), 0, 0);
11198 }
11199} /* }}} */
11200
11201void
11202ssl_dissect_hnd_hello_retry_request(ssl_common_dissect_t *hf, tvbuff_t *tvb,
11203 packet_info* pinfo, proto_tree *tree, uint32_t offset, uint32_t offset_end,
11204 SslSession *session, SslDecryptSession *ssl,
11205 bool_Bool is_dtls)
11206{
11207 /* https://tools.ietf.org/html/draft-ietf-tls-tls13-19#section-4.1.4
11208 * struct {
11209 * ProtocolVersion server_version;
11210 * CipherSuite cipher_suite; // not before draft -19
11211 * Extension extensions<2..2^16-1>;
11212 * } HelloRetryRequest;
11213 * Note: no longer used since draft -22
11214 */
11215 uint32_t version;
11216 uint8_t draft_version;
11217
11218 proto_tree_add_item_ret_uint(tree, hf->hf.hs_server_version, tvb,
11219 offset, 2, ENC_BIG_ENDIAN0x00000000, &version);
11220 draft_version = extract_tls13_draft_version(version);
11221 offset += 2;
11222
11223 if (draft_version == 0 || draft_version >= 19) {
11224 proto_tree_add_item(tree, hf->hf.hs_cipher_suite,
11225 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
11226 offset += 2;
11227 }
11228
11229 ssl_dissect_hnd_extension(hf, tvb, tree, pinfo, offset,
11230 offset_end, SSL_HND_HELLO_RETRY_REQUEST,
11231 session, ssl, is_dtls, NULL((void*)0), NULL((void*)0), NULL((void*)0), 0, 0);
11232}
11233
11234void
11235ssl_dissect_hnd_encrypted_extensions(ssl_common_dissect_t *hf, tvbuff_t *tvb,
11236 packet_info* pinfo, proto_tree *tree, uint32_t offset, uint32_t offset_end,
11237 SslSession *session, SslDecryptSession *ssl,
11238 bool_Bool is_dtls)
11239{
11240 /* RFC 8446 Section 4.3.1
11241 * struct {
11242 * Extension extensions<0..2^16-1>;
11243 * } EncryptedExtensions;
11244 */
11245 ssl_dissect_hnd_extension(hf, tvb, tree, pinfo, offset,
11246 offset_end, SSL_HND_ENCRYPTED_EXTENSIONS,
11247 session, ssl, is_dtls, NULL((void*)0), NULL((void*)0), NULL((void*)0), 0, 0);
11248}
11249
11250/* Certificate and Certificate Request dissections. {{{ */
11251void
11252ssl_dissect_hnd_cert(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree,
11253 uint32_t offset, uint32_t offset_end, packet_info *pinfo,
11254 SslSession *session, SslDecryptSession *ssl _U___attribute__((unused)),
11255 bool_Bool is_from_server, bool_Bool is_dtls)
11256{
11257 /* opaque ASN.1Cert<1..2^24-1>;
11258 *
11259 * Before RFC 8446 (TLS <= 1.2):
11260 * struct {
11261 * select(certificate_type) {
11262 *
11263 * // certificate type defined in RFC 7250
11264 * case RawPublicKey:
11265 * opaque ASN.1_subjectPublicKeyInfo<1..2^24-1>;
11266 *
11267 * // X.509 certificate defined in RFC 5246
11268 * case X.509:
11269 * ASN.1Cert certificate_list<0..2^24-1>;
11270 * };
11271 * } Certificate;
11272 *
11273 * RFC 8446 (since draft -20):
11274 * struct {
11275 * select(certificate_type){
11276 * case RawPublicKey:
11277 * // From RFC 7250 ASN.1_subjectPublicKeyInfo
11278 * opaque ASN1_subjectPublicKeyInfo<1..2^24-1>;
11279 *
11280 * case X.509:
11281 * opaque cert_data<1..2^24-1>;
11282 * }
11283 * Extension extensions<0..2^16-1>;
11284 * } CertificateEntry;
11285 * struct {
11286 * opaque certificate_request_context<0..2^8-1>;
11287 * CertificateEntry certificate_list<0..2^24-1>;
11288 * } Certificate;
11289 */
11290 enum { CERT_X509, CERT_RPK } cert_type;
11291 asn1_ctx_t asn1_ctx;
11292#if defined(HAVE_LIBGNUTLS1)
11293 gnutls_datum_t subjectPublicKeyInfo = { NULL((void*)0), 0 };
11294 unsigned certificate_index = 0;
11295#endif
11296 uint32_t next_offset, certificate_list_length, cert_length;
11297 proto_tree *subtree = tree;
11298
11299 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true1, pinfo);
11300
11301 if ((is_from_server && session->server_cert_type == SSL_HND_CERT_TYPE_RAW_PUBLIC_KEY2) ||
11302 (!is_from_server && session->client_cert_type == SSL_HND_CERT_TYPE_RAW_PUBLIC_KEY2)) {
11303 cert_type = CERT_RPK;
11304 } else {
11305 cert_type = CERT_X509;
11306 }
11307
11308#if defined(HAVE_LIBGNUTLS1)
11309 /* Ask the pkcs1 dissector to return the public key details */
11310 if (ssl)
11311 asn1_ctx.private_data = &subjectPublicKeyInfo;
11312#endif
11313
11314 /* TLS 1.3: opaque certificate_request_context<0..2^8-1> */
11315 if (session->version == TLSV1DOT3_VERSION0x304 || session->version == DTLSV1DOT3_VERSION0xfefc) {
11316 uint32_t context_length;
11317 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &context_length,
11318 hf->hf.hs_certificate_request_context_length, 0, UINT8_MAX(255))) {
11319 return;
11320 }
11321 offset++;
11322 if (context_length > 0) {
11323 proto_tree_add_item(tree, hf->hf.hs_certificate_request_context,
11324 tvb, offset, context_length, ENC_NA0x00000000);
11325 offset += context_length;
11326 }
11327 }
11328
11329 if ((session->version != TLSV1DOT3_VERSION0x304 && session->version != DTLSV1DOT3_VERSION0xfefc) && cert_type == CERT_RPK) {
11330 /* For RPK before TLS 1.3, the single RPK is stored directly without
11331 * another "certificate_list" field. */
11332 certificate_list_length = offset_end - offset;
11333 next_offset = offset_end;
11334 } else {
11335 /* CertificateEntry certificate_list<0..2^24-1> */
11336 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &certificate_list_length,
11337 hf->hf.hs_certificates_len, 0, G_MAXUINT24((1U << 24) - 1))) {
11338 return;
11339 }
11340 offset += 3; /* 24-bit length value */
11341 next_offset = offset + certificate_list_length;
11342 }
11343
11344 /* RawPublicKey must have one cert, but X.509 can have multiple. */
11345 if (certificate_list_length > 0 && cert_type == CERT_X509) {
11346 proto_item *ti;
11347
11348 ti = proto_tree_add_none_format(tree,
11349 hf->hf.hs_certificates,
11350 tvb, offset, certificate_list_length,
11351 "Certificates (%u bytes)",
11352 certificate_list_length);
11353
11354 /* make it a subtree */
11355 subtree = proto_item_add_subtree(ti, hf->ett.certificates);
11356 }
11357
11358 while (offset < next_offset) {
11359 switch (cert_type) {
11360 case CERT_RPK:
11361 /* TODO add expert info if there is more than one RPK entry (certificate_index > 0) */
11362 /* opaque ASN.1_subjectPublicKeyInfo<1..2^24-1> */
11363 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, next_offset, &cert_length,
11364 hf->hf.hs_certificate_len, 1, G_MAXUINT24((1U << 24) - 1))) {
11365 return;
11366 }
11367 offset += 3;
11368
11369 dissect_x509af_SubjectPublicKeyInfo(false0, tvb, offset, &asn1_ctx, subtree, hf->hf.hs_certificate);
11370 offset += cert_length;
11371 break;
11372 case CERT_X509:
11373 /* opaque ASN1Cert<1..2^24-1> */
11374 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, next_offset, &cert_length,
11375 hf->hf.hs_certificate_len, 1, G_MAXUINT24((1U << 24) - 1))) {
11376 return;
11377 }
11378 offset += 3;
11379
11380 dissect_x509af_Certificate(false0, tvb, offset, &asn1_ctx, subtree, hf->hf.hs_certificate);
11381#if defined(HAVE_LIBGNUTLS1)
11382 if (is_from_server && ssl && certificate_index == 0) {
11383 ssl_find_private_key_by_pubkey(ssl, &subjectPublicKeyInfo);
11384 /* Only attempt to get the RSA modulus for the first cert. */
11385 asn1_ctx.private_data = NULL((void*)0);
11386 }
11387#endif
11388 offset += cert_length;
11389 break;
11390 }
11391
11392 /* TLS 1.3: Extension extensions<0..2^16-1> */
11393 if ((session->version == TLSV1DOT3_VERSION0x304 || session->version == DTLSV1DOT3_VERSION0xfefc)) {
11394 offset = ssl_dissect_hnd_extension(hf, tvb, subtree, pinfo, offset,
11395 next_offset, SSL_HND_CERTIFICATE,
11396 session, ssl, is_dtls, NULL((void*)0), NULL((void*)0), NULL((void*)0), 0, 0);
11397 }
11398
11399#if defined(HAVE_LIBGNUTLS1)
11400 certificate_index++;
11401#endif
11402 }
11403}
11404
11405void
11406ssl_dissect_hnd_cert_req(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
11407 proto_tree *tree, uint32_t offset, uint32_t offset_end,
11408 SslSession *session, bool_Bool is_dtls)
11409{
11410 /* From SSL 3.0 and up (note that since TLS 1.1 certificate_authorities can be empty):
11411 * enum {
11412 * rsa_sign(1), dss_sign(2), rsa_fixed_dh(3), dss_fixed_dh(4),
11413 * (255)
11414 * } ClientCertificateType;
11415 *
11416 * opaque DistinguishedName<1..2^16-1>;
11417 *
11418 * struct {
11419 * ClientCertificateType certificate_types<1..2^8-1>;
11420 * DistinguishedName certificate_authorities<3..2^16-1>;
11421 * } CertificateRequest;
11422 *
11423 *
11424 * As per TLSv1.2 (RFC 5246) the format has changed to:
11425 *
11426 * enum {
11427 * rsa_sign(1), dss_sign(2), rsa_fixed_dh(3), dss_fixed_dh(4),
11428 * rsa_ephemeral_dh_RESERVED(5), dss_ephemeral_dh_RESERVED(6),
11429 * fortezza_dms_RESERVED(20), (255)
11430 * } ClientCertificateType;
11431 *
11432 * enum {
11433 * none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5),
11434 * sha512(6), (255)
11435 * } HashAlgorithm;
11436 *
11437 * enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) }
11438 * SignatureAlgorithm;
11439 *
11440 * struct {
11441 * HashAlgorithm hash;
11442 * SignatureAlgorithm signature;
11443 * } SignatureAndHashAlgorithm;
11444 *
11445 * SignatureAndHashAlgorithm
11446 * supported_signature_algorithms<2..2^16-2>;
11447 *
11448 * opaque DistinguishedName<1..2^16-1>;
11449 *
11450 * struct {
11451 * ClientCertificateType certificate_types<1..2^8-1>;
11452 * SignatureAndHashAlgorithm supported_signature_algorithms<2^16-1>;
11453 * DistinguishedName certificate_authorities<0..2^16-1>;
11454 * } CertificateRequest;
11455 *
11456 * draft-ietf-tls-tls13-18:
11457 * struct {
11458 * opaque certificate_request_context<0..2^8-1>;
11459 * SignatureScheme
11460 * supported_signature_algorithms<2..2^16-2>;
11461 * DistinguishedName certificate_authorities<0..2^16-1>;
11462 * CertificateExtension certificate_extensions<0..2^16-1>;
11463 * } CertificateRequest;
11464 *
11465 * RFC 8446 (since draft-ietf-tls-tls13-19):
11466 *
11467 * struct {
11468 * opaque certificate_request_context<0..2^8-1>;
11469 * Extension extensions<2..2^16-1>;
11470 * } CertificateRequest;
11471 */
11472 proto_item *ti;
11473 proto_tree *subtree;
11474 uint32_t next_offset;
11475 asn1_ctx_t asn1_ctx;
11476 bool_Bool is_tls13 = (session->version == TLSV1DOT3_VERSION0x304 || session->version == DTLSV1DOT3_VERSION0xfefc);
11477 unsigned char draft_version = session->tls13_draft_version;
11478
11479 if (!tree)
11480 return;
11481
11482 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true1, pinfo);
11483
11484 if (is_tls13) {
11485 uint32_t context_length;
11486 /* opaque certificate_request_context<0..2^8-1> */
11487 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &context_length,
11488 hf->hf.hs_certificate_request_context_length, 0, UINT8_MAX(255))) {
11489 return;
11490 }
11491 offset++;
11492 if (context_length > 0) {
11493 proto_tree_add_item(tree, hf->hf.hs_certificate_request_context,
11494 tvb, offset, context_length, ENC_NA0x00000000);
11495 offset += context_length;
11496 }
11497 } else {
11498 uint32_t cert_types_count;
11499 /* ClientCertificateType certificate_types<1..2^8-1> */
11500 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &cert_types_count,
11501 hf->hf.hs_cert_types_count, 1, UINT8_MAX(255))) {
11502 return;
11503 }
11504 offset++;
11505 next_offset = offset + cert_types_count;
11506
11507 ti = proto_tree_add_none_format(tree,
11508 hf->hf.hs_cert_types,
11509 tvb, offset, cert_types_count,
11510 "Certificate types (%u type%s)",
11511 cert_types_count,
11512 plurality(cert_types_count, "", "s")((cert_types_count) == 1 ? ("") : ("s")));
11513 subtree = proto_item_add_subtree(ti, hf->ett.cert_types);
11514
11515 while (offset < next_offset) {
11516 proto_tree_add_item(subtree, hf->hf.hs_cert_type, tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
11517 offset++;
11518 }
11519 }
11520
11521 if (session->version == TLSV1DOT2_VERSION0x303 || session->version == DTLSV1DOT2_VERSION0xfefd ||
11522 (is_tls13 && (draft_version > 0 && draft_version < 19))) {
11523 offset = ssl_dissect_hash_alg_list(hf, tvb, tree, pinfo, offset, offset_end, NULL((void*)0));
11524 }
11525
11526 if (is_tls13 && (draft_version == 0 || draft_version >= 19)) {
11527 /*
11528 * TLS 1.3 draft 19 and newer: Extensions.
11529 * SslDecryptSession pointer is NULL because Certificate Extensions
11530 * should not influence decryption state.
11531 */
11532 ssl_dissect_hnd_extension(hf, tvb, tree, pinfo, offset,
11533 offset_end, SSL_HND_CERT_REQUEST,
11534 session, NULL((void*)0), is_dtls, NULL((void*)0), NULL((void*)0), NULL((void*)0), 0, 0);
11535 } else if (is_tls13 && draft_version <= 18) {
11536 /*
11537 * TLS 1.3 draft 18 and older: certificate_authorities and
11538 * certificate_extensions (a vector of OID mappings).
11539 */
11540 offset = tls_dissect_certificate_authorities(hf, tvb, pinfo, tree, offset, offset_end);
11541 ssl_dissect_hnd_hello_ext_oid_filters(hf, tvb, pinfo, tree, offset, offset_end);
11542 } else {
11543 /* for TLS 1.2 and older, the certificate_authorities field. */
11544 tls_dissect_certificate_authorities(hf, tvb, pinfo, tree, offset, offset_end);
11545 }
11546}
11547/* Certificate and Certificate Request dissections. }}} */
11548
11549void
11550ssl_dissect_hnd_cli_cert_verify(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
11551 proto_tree *tree, uint32_t offset, uint32_t offset_end, uint16_t version)
11552{
11553 ssl_dissect_digitally_signed(hf, tvb, pinfo, tree, offset, offset_end, version,
11554 hf->hf.hs_client_cert_vrfy_sig_len,
11555 hf->hf.hs_client_cert_vrfy_sig);
11556}
11557
11558/* Finished dissection. {{{ */
11559void
11560ssl_dissect_hnd_finished(ssl_common_dissect_t *hf, tvbuff_t *tvb,
11561 proto_tree *tree, uint32_t offset, uint32_t offset_end,
11562 const SslSession *session, ssl_hfs_t *ssl_hfs)
11563{
11564 /* For SSLv3:
11565 * struct {
11566 * opaque md5_hash[16];
11567 * opaque sha_hash[20];
11568 * } Finished;
11569 *
11570 * For (D)TLS:
11571 * struct {
11572 * opaque verify_data[12];
11573 * } Finished;
11574 *
11575 * For TLS 1.3:
11576 * struct {
11577 * opaque verify_data[Hash.length];
11578 * }
11579 */
11580 if (!tree)
11581 return;
11582
11583 if (session->version == SSLV3_VERSION0x300) {
11584 if (ssl_hfs != NULL((void*)0)) {
11585 proto_tree_add_item(tree, ssl_hfs->hs_md5_hash,
11586 tvb, offset, 16, ENC_NA0x00000000);
11587 proto_tree_add_item(tree, ssl_hfs->hs_sha_hash,
11588 tvb, offset + 16, 20, ENC_NA0x00000000);
11589 }
11590 } else {
11591 /* Length should be 12 for TLS before 1.3, assume this is the case. */
11592 proto_tree_add_item(tree, hf->hf.hs_finished,
11593 tvb, offset, offset_end - offset, ENC_NA0x00000000);
11594 }
11595} /* }}} */
11596
11597/* RFC 6066 Certificate URL handshake message dissection. {{{ */
11598void
11599ssl_dissect_hnd_cert_url(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree, uint32_t offset)
11600{
11601 uint16_t url_hash_len;
11602
11603 /* enum {
11604 * individual_certs(0), pkipath(1), (255)
11605 * } CertChainType;
11606 *
11607 * struct {
11608 * CertChainType type;
11609 * URLAndHash url_and_hash_list<1..2^16-1>;
11610 * } CertificateURL;
11611 *
11612 * struct {
11613 * opaque url<1..2^16-1>;
11614 * unint8 padding;
11615 * opaque SHA1Hash[20];
11616 * } URLAndHash;
11617 */
11618
11619 proto_tree_add_item(tree, hf->hf.hs_ext_cert_url_type,
11620 tvb, offset, 1, ENC_NA0x00000000);
11621 offset++;
11622
11623 url_hash_len = tvb_get_ntohs(tvb, offset);
11624 proto_tree_add_item(tree, hf->hf.hs_ext_cert_url_url_hash_list_len,
11625 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
11626 offset += 2;
11627 while (url_hash_len-- > 0) {
11628 proto_item *urlhash_item;
11629 proto_tree *urlhash_tree;
11630 uint16_t url_len;
11631
11632 urlhash_item = proto_tree_add_item(tree, hf->hf.hs_ext_cert_url_item,
11633 tvb, offset, -1, ENC_NA0x00000000);
11634 urlhash_tree = proto_item_add_subtree(urlhash_item, hf->ett.urlhash);
11635
11636 url_len = tvb_get_ntohs(tvb, offset);
11637 proto_tree_add_item(urlhash_tree, hf->hf.hs_ext_cert_url_url_len,
11638 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
11639 offset += 2;
11640
11641 proto_tree_add_item(urlhash_tree, hf->hf.hs_ext_cert_url_url,
11642 tvb, offset, url_len, ENC_ASCII0x00000000|ENC_NA0x00000000);
11643 offset += url_len;
11644
11645 proto_tree_add_item(urlhash_tree, hf->hf.hs_ext_cert_url_padding,
11646 tvb, offset, 1, ENC_NA0x00000000);
11647 offset++;
11648 /* Note: RFC 6066 says that padding must be 0x01 */
11649
11650 proto_tree_add_item(urlhash_tree, hf->hf.hs_ext_cert_url_sha1,
11651 tvb, offset, 20, ENC_NA0x00000000);
11652 offset += 20;
11653 }
11654} /* }}} */
11655
11656void
11657ssl_dissect_hnd_compress_certificate(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree,
11658 uint32_t offset, uint32_t offset_end, packet_info *pinfo,
11659 SslSession *session, SslDecryptSession *ssl,
11660 bool_Bool is_from_server, bool_Bool is_dtls)
11661{
11662 uint32_t algorithm, uncompressed_length;
11663 uint32_t compressed_certificate_message_length;
11664 tvbuff_t *uncompressed_tvb = NULL((void*)0);
11665 proto_item *ti;
11666 /*
11667 * enum {
11668 * zlib(1),
11669 * brotli(2),
11670 * zstd(3),
11671 * (65535)
11672 * } CertificateCompressionAlgorithm;
11673 *
11674 * struct {
11675 * CertificateCompressionAlgorithm algorithm;
11676 * uint24 uncompressed_length;
11677 * opaque compressed_certificate_message<1..2^24-1>;
11678 * } CompressedCertificate;
11679 */
11680
11681 proto_tree_add_item_ret_uint(tree, hf->hf.hs_ext_compress_certificate_algorithm,
11682 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &algorithm);
11683 offset += 2;
11684
11685 proto_tree_add_item_ret_uint(tree, hf->hf.hs_ext_compress_certificate_uncompressed_length,
11686 tvb, offset, 3, ENC_BIG_ENDIAN0x00000000, &uncompressed_length);
11687 offset += 3;
11688
11689 /* opaque compressed_certificate_message<1..2^24-1>; */
11690 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &compressed_certificate_message_length,
11691 hf->hf.hs_ext_compress_certificate_compressed_certificate_message_length, 1, G_MAXUINT24((1U << 24) - 1))) {
11692 return;
11693 }
11694 offset += 3;
11695
11696 ti = proto_tree_add_item(tree, hf->hf.hs_ext_compress_certificate_compressed_certificate_message,
11697 tvb, offset, compressed_certificate_message_length, ENC_NA0x00000000);
11698
11699 /* Certificate decompression following algorithm */
11700 switch (algorithm) {
11701 case 1: /* zlib */
11702 uncompressed_tvb = tvb_child_uncompress_zlib(tvb, tvb, offset, compressed_certificate_message_length);
11703 break;
11704 case 2: /* brotli */
11705 uncompressed_tvb = tvb_child_uncompress_brotli(tvb, tvb, offset, compressed_certificate_message_length);
11706 break;
11707 case 3: /* zstd */
11708 uncompressed_tvb = tvb_child_uncompress_zstd(tvb, tvb, offset, compressed_certificate_message_length);
11709 break;
11710 }
11711
11712 if (uncompressed_tvb) {
11713 proto_tree *uncompressed_tree;
11714
11715 if (uncompressed_length != tvb_captured_length(uncompressed_tvb)) {
11716 proto_tree_add_expert_format(tree, pinfo, &hf->ei.decompression_error,
11717 tvb, offset, offset_end - offset,
11718 "Invalid uncompressed length %u (expected %u)",
11719 tvb_captured_length(uncompressed_tvb),
11720 uncompressed_length);
11721 } else {
11722 uncompressed_tree = proto_item_add_subtree(ti, hf->ett.uncompressed_certificates);
11723 ssl_dissect_hnd_cert(hf, uncompressed_tvb, uncompressed_tree,
11724 0, uncompressed_length, pinfo, session, ssl, is_from_server, is_dtls);
11725 add_new_data_source(pinfo, uncompressed_tvb, "Uncompressed certificate(s)");
11726 }
11727 }
11728}
11729
11730/* Dissection of TLS Extensions in Client Hello, Server Hello, etc. {{{ */
11731static int
11732// NOLINTNEXTLINE(misc-no-recursion)
11733ssl_dissect_hnd_extension(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree,
11734 packet_info* pinfo, uint32_t offset, uint32_t offset_end, uint8_t hnd_type,
11735 SslSession *session, SslDecryptSession *ssl,
11736 bool_Bool is_dtls, wmem_strbuf_t *ja3, ja4_data_t *ja4_data,
11737 ssl_master_key_map_t *mk_map, uint32_t initial_offset, uint32_t hello_length)
11738{
11739 uint32_t exts_len;
11740 uint16_t ext_type;
11741 uint32_t ext_len;
11742 uint32_t next_offset;
11743 proto_item *ext_item;
11744 proto_tree *ext_tree;
11745 bool_Bool is_tls13 = session->version == TLSV1DOT3_VERSION0x304;
11746 wmem_strbuf_t *ja3_sg = wmem_strbuf_new(pinfo->pool, "");
11747 wmem_strbuf_t *ja3_ecpf = wmem_strbuf_new(pinfo->pool, "");
11748 char *ja3_dash = "";
11749 unsigned supported_version;
11750
11751 /* Extension extensions<0..2^16-2> (for TLS 1.3 HRR/CR min-length is 2) */
11752 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &exts_len,
11753 hf->hf.hs_exts_len, 0, UINT16_MAX(65535))) {
11754 return offset_end;
11755 }
11756 offset += 2;
11757 offset_end = offset + exts_len;
11758
11759 if (ja4_data) {
11760 ja4_data->num_extensions = 0;
11761 }
11762 while (offset_end - offset >= 4)
11763 {
11764 ext_type = tvb_get_ntohs(tvb, offset);
11765 ext_len = tvb_get_ntohs(tvb, offset + 2);
11766
11767 if (ja4_data && !IS_GREASE_TLS(ext_type)((((ext_type) & 0x0f0f) == 0x0a0a) && (((ext_type
) & 0xff) == (((ext_type)>>8) & 0xff)))) {
11768 ja4_data->num_extensions += 1;
11769 if (ext_type != SSL_HND_HELLO_EXT_SERVER_NAME0 &&
11770 ext_type != SSL_HND_HELLO_EXT_ALPN16) {
11771 wmem_list_insert_sorted(ja4_data->extension_list, GUINT_TO_POINTER(ext_type)((gpointer) (gulong) (ext_type)), wmem_compare_uint);
11772 }
11773 }
11774
11775 ext_item = proto_tree_add_none_format(tree, hf->hf.hs_ext, tvb, offset, 4 + ext_len,
11776 "Extension: %s (len=%u)", val_to_str(pinfo->pool, ext_type,
11777 tls_hello_extension_types,
11778 "Unknown type %u"), ext_len);
11779 ext_tree = proto_item_add_subtree(ext_item, hf->ett.hs_ext);
11780
11781 proto_tree_add_uint(ext_tree, hf->hf.hs_ext_type,
11782 tvb, offset, 2, ext_type);
11783 offset += 2;
11784 if (ja3 && !IS_GREASE_TLS(ext_type)((((ext_type) & 0x0f0f) == 0x0a0a) && (((ext_type
) & 0xff) == (((ext_type)>>8) & 0xff)))) {
11785 wmem_strbuf_append_printf(ja3, "%s%i",ja3_dash, ext_type);
11786 ja3_dash = "-";
11787 }
11788
11789 /* opaque extension_data<0..2^16-1> */
11790 if (!ssl_add_vector(hf, tvb, pinfo, ext_tree, offset, offset_end, &ext_len,
11791 hf->hf.hs_ext_len, 0, UINT16_MAX(65535))) {
11792 return offset_end;
11793 }
11794 offset += 2;
11795 next_offset = offset + ext_len;
11796
11797 switch (ext_type) {
11798 case SSL_HND_HELLO_EXT_SERVER_NAME0:
11799 if (hnd_type == SSL_HND_CLIENT_HELLO) {
11800 offset = ssl_dissect_hnd_hello_ext_server_name(hf, tvb, pinfo, ext_tree, offset, next_offset);
11801 if (ja4_data) {
11802 ja4_data->server_name_present = true1;
11803 }
11804 }
11805 break;
11806 case SSL_HND_HELLO_EXT_MAX_FRAGMENT_LENGTH1:
11807 proto_tree_add_item(ext_tree, hf->hf.hs_ext_max_fragment_length, tvb, offset, 1, ENC_NA0x00000000);
11808 offset += 1;
11809 break;
11810 case SSL_HND_HELLO_EXT_STATUS_REQUEST5:
11811 if (hnd_type == SSL_HND_CLIENT_HELLO) {
11812 offset = ssl_dissect_hnd_hello_ext_status_request(hf, tvb, pinfo, ext_tree, offset, next_offset, false0);
11813 } else if (is_tls13 && hnd_type == SSL_HND_CERTIFICATE) {
11814 offset = tls_dissect_hnd_certificate_status(hf, tvb, pinfo, ext_tree, offset, next_offset);
11815 }
11816 break;
11817 case SSL_HND_HELLO_EXT_CERT_TYPE9:
11818 offset = ssl_dissect_hnd_hello_ext_cert_type(hf, tvb, ext_tree,
11819 offset, next_offset,
11820 hnd_type, ext_type,
11821 session);
11822 break;
11823 case SSL_HND_HELLO_EXT_SUPPORTED_GROUPS10:
11824 if (hnd_type == SSL_HND_CLIENT_HELLO) {
11825 offset = ssl_dissect_hnd_hello_ext_supported_groups(hf, tvb, pinfo, ext_tree, offset,
11826 next_offset, ja3_sg);
11827 } else {
11828 offset = ssl_dissect_hnd_hello_ext_supported_groups(hf, tvb, pinfo, ext_tree, offset,
11829 next_offset, NULL((void*)0));
11830 }
11831 break;
11832 case SSL_HND_HELLO_EXT_EC_POINT_FORMATS11:
11833 if (hnd_type == SSL_HND_CLIENT_HELLO) {
11834 offset = ssl_dissect_hnd_hello_ext_ec_point_formats(hf, tvb, ext_tree, offset, ja3_ecpf);
11835 } else {
11836 offset = ssl_dissect_hnd_hello_ext_ec_point_formats(hf, tvb, ext_tree, offset, NULL((void*)0));
11837 }
11838 break;
11839 break;
11840 case SSL_HND_HELLO_EXT_SRP12:
11841 offset = ssl_dissect_hnd_hello_ext_srp(hf, tvb, pinfo, ext_tree, offset, next_offset);
11842 break;
11843 case SSL_HND_HELLO_EXT_SIGNATURE_ALGORITHMS13:
11844 offset = ssl_dissect_hnd_hello_ext_sig_hash_algs(hf, tvb, ext_tree, pinfo, offset, next_offset, ja4_data);
11845 break;
11846 case SSL_HND_HELLO_EXT_SIGNATURE_ALGORITHMS_CERT50: /* since TLS 1.3 draft -23 */
11847 offset = ssl_dissect_hnd_hello_ext_sig_hash_algs(hf, tvb, ext_tree, pinfo, offset, next_offset, NULL((void*)0));
11848 break;
11849 case SSL_HND_HELLO_EXT_DELEGATED_CREDENTIALS34:
11850 offset = ssl_dissect_hnd_ext_delegated_credentials(hf, tvb, ext_tree, pinfo, offset, next_offset, hnd_type);
11851 break;
11852 case SSL_HND_HELLO_EXT_USE_SRTP14:
11853 if (is_dtls) {
11854 if (hnd_type == SSL_HND_CLIENT_HELLO) {
11855 offset = dtls_dissect_hnd_hello_ext_use_srtp(pinfo, tvb, ext_tree, offset, next_offset, false0);
11856 } else if (hnd_type == SSL_HND_SERVER_HELLO) {
11857 offset = dtls_dissect_hnd_hello_ext_use_srtp(pinfo, tvb, ext_tree, offset, next_offset, true1);
11858 }
11859 } else {
11860 // XXX expert info: This extension MUST only be used with DTLS, and not with TLS.
11861 }
11862 break;
11863 case SSL_HND_HELLO_EXT_ECH_OUTER_EXTENSIONS64768:
11864 offset = ssl_dissect_hnd_ech_outer_ext(hf, tvb, pinfo, ext_tree, offset, next_offset);
11865 break;
11866 case SSL_HND_HELLO_EXT_ENCRYPTED_CLIENT_HELLO65037:
11867 offset = ssl_dissect_hnd_hello_ext_ech(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, session, ssl, mk_map, initial_offset, hello_length);
11868 break;
11869 case SSL_HND_HELLO_EXT_HEARTBEAT15:
11870 proto_tree_add_item(ext_tree, hf->hf.hs_ext_heartbeat_mode,
11871 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
11872 offset++;
11873 break;
11874 case SSL_HND_HELLO_EXT_ALPN16:
11875 offset = ssl_dissect_hnd_hello_ext_alpn(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, session, is_dtls, ja4_data);
11876 break;
11877 case SSL_HND_HELLO_EXT_STATUS_REQUEST_V217:
11878 if (hnd_type == SSL_HND_CLIENT_HELLO)
11879 offset = ssl_dissect_hnd_hello_ext_status_request_v2(hf, tvb, pinfo, ext_tree, offset, next_offset);
11880 break;
11881 case SSL_HND_HELLO_EXT_SIGNED_CERTIFICATE_TIMESTAMP18:
11882 // TLS 1.3 note: SCT only appears in EE in draft -16 and before.
11883 if (hnd_type == SSL_HND_SERVER_HELLO || hnd_type == SSL_HND_ENCRYPTED_EXTENSIONS || hnd_type == SSL_HND_CERTIFICATE)
11884 offset = tls_dissect_sct_list(hf, tvb, pinfo, ext_tree, offset, next_offset, session->version);
11885 break;
11886 case SSL_HND_HELLO_EXT_CLIENT_CERT_TYPE19:
11887 case SSL_HND_HELLO_EXT_SERVER_CERT_TYPE20:
11888 offset = ssl_dissect_hnd_hello_ext_cert_type(hf, tvb, ext_tree,
11889 offset, next_offset,
11890 hnd_type, ext_type,
11891 session);
11892 break;
11893 case SSL_HND_HELLO_EXT_PADDING21:
11894 proto_tree_add_item(ext_tree, hf->hf.hs_ext_padding_data, tvb, offset, ext_len, ENC_NA0x00000000);
11895 offset += ext_len;
11896 break;
11897 case SSL_HND_HELLO_EXT_ENCRYPT_THEN_MAC22:
11898 if (ssl && hnd_type == SSL_HND_SERVER_HELLO) {
11899 ssl_debug_printf("%s enabling Encrypt-then-MAC\n", G_STRFUNC((const char*) (__func__)));
11900 ssl->state |= SSL_ENCRYPT_THEN_MAC(1<<11);
11901 }
11902 break;
11903 case SSL_HND_HELLO_EXT_EXTENDED_MASTER_SECRET23:
11904 if (ssl) {
11905 switch (hnd_type) {
11906 case SSL_HND_CLIENT_HELLO:
11907 ssl->state |= SSL_CLIENT_EXTENDED_MASTER_SECRET(1<<7);
11908 break;
11909 case SSL_HND_SERVER_HELLO:
11910 ssl->state |= SSL_SERVER_EXTENDED_MASTER_SECRET(1<<8);
11911 break;
11912 default: /* no default */
11913 break;
11914 }
11915 }
11916 break;
11917 case SSL_HND_HELLO_EXT_COMPRESS_CERTIFICATE27:
11918 offset = ssl_dissect_hnd_hello_ext_compress_certificate(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, ssl);
11919 break;
11920 case SSL_HND_HELLO_EXT_TOKEN_BINDING24:
11921 offset = ssl_dissect_hnd_hello_ext_token_binding(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, ssl);
11922 break;
11923 case SSL_HND_HELLO_EXT_RECORD_SIZE_LIMIT28:
11924 proto_tree_add_item(ext_tree, hf->hf.hs_ext_record_size_limit,
11925 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
11926 offset += 2;
11927 break;
11928 case SSL_HND_HELLO_EXT_QUIC_TRANSPORT_PARAMETERS65445:
11929 case SSL_HND_HELLO_EXT_QUIC_TRANSPORT_PARAMETERS_V157:
11930 offset = ssl_dissect_hnd_hello_ext_quic_transport_parameters(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, ssl);
11931 break;
11932 case SSL_HND_HELLO_EXT_SESSION_TICKET_TLS35:
11933 offset = ssl_dissect_hnd_hello_ext_session_ticket(hf, tvb, ext_tree, offset, next_offset, hnd_type, ssl);
11934 break;
11935 case SSL_HND_HELLO_EXT_KEY_SHARE_OLD40: /* used before TLS 1.3 draft -23 */
11936 case SSL_HND_HELLO_EXT_KEY_SHARE51:
11937 offset = ssl_dissect_hnd_hello_ext_key_share(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type);
11938 break;
11939 case SSL_HND_HELLO_EXT_PRE_SHARED_KEY41:
11940 offset = ssl_dissect_hnd_hello_ext_pre_shared_key(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type);
11941 break;
11942 case SSL_HND_HELLO_EXT_EARLY_DATA42:
11943 case SSL_HND_HELLO_EXT_TICKET_EARLY_DATA_INFO46:
11944 offset = ssl_dissect_hnd_hello_ext_early_data(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, ssl);
11945 break;
11946 case SSL_HND_HELLO_EXT_SUPPORTED_VERSIONS43:
11947 switch (hnd_type) {
11948 case SSL_HND_CLIENT_HELLO:
11949 offset = ssl_dissect_hnd_hello_ext_supported_versions(hf, tvb, pinfo, ext_tree, offset, next_offset, session, is_dtls, ja4_data);
11950 break;
11951 case SSL_HND_SERVER_HELLO:
11952 case SSL_HND_HELLO_RETRY_REQUEST:
11953 proto_tree_add_item_ret_uint(ext_tree, hf->hf.hs_ext_supported_version, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &supported_version);
11954 offset += 2;
11955 proto_item_append_text(ext_tree, " %s", val_to_str(pinfo->pool, supported_version, ssl_versions, "Unknown (0x%04x)"));
11956 break;
11957 }
11958 break;
11959 case SSL_HND_HELLO_EXT_COOKIE44:
11960 offset = ssl_dissect_hnd_hello_ext_cookie(hf, tvb, pinfo, ext_tree, offset, next_offset);
11961 break;
11962 case SSL_HND_HELLO_EXT_PSK_KEY_EXCHANGE_MODES45:
11963 offset = ssl_dissect_hnd_hello_ext_psk_key_exchange_modes(hf, tvb, pinfo, ext_tree, offset, next_offset);
11964 break;
11965 case SSL_HND_HELLO_EXT_CERTIFICATE_AUTHORITIES47:
11966 offset = ssl_dissect_hnd_hello_ext_certificate_authorities(hf, tvb, pinfo, ext_tree, offset, next_offset);
11967 break;
11968 case SSL_HND_HELLO_EXT_OID_FILTERS48:
11969 offset = ssl_dissect_hnd_hello_ext_oid_filters(hf, tvb, pinfo, ext_tree, offset, next_offset);
11970 break;
11971 case SSL_HND_HELLO_EXT_POST_HANDSHAKE_AUTH49:
11972 break;
11973 case SSL_HND_HELLO_EXT_NPN13172:
11974 offset = ssl_dissect_hnd_hello_ext_npn(hf, tvb, pinfo, ext_tree, offset, next_offset);
11975 break;
11976 case SSL_HND_HELLO_EXT_ALPS_OLD17513:
11977 offset = ssl_dissect_hnd_hello_ext_alps(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type);
11978 break;
11979 case SSL_HND_HELLO_EXT_ALPS17613:
11980 offset = ssl_dissect_hnd_hello_ext_alps(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type);
11981 break;
11982 case SSL_HND_HELLO_EXT_RENEGOTIATION_INFO65281:
11983 offset = ssl_dissect_hnd_hello_ext_reneg_info(hf, tvb, pinfo, ext_tree, offset, next_offset);
11984 break;
11985 case SSL_HND_HELLO_EXT_ENCRYPTED_SERVER_NAME65486:
11986 offset = ssl_dissect_hnd_hello_ext_esni(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, ssl);
11987 break;
11988 case SSL_HND_HELLO_EXT_CONNECTION_ID_DEPRECATED53:
11989 session->deprecated_cid = true1;
11990 /* FALLTHRU */
11991 case SSL_HND_HELLO_EXT_CONNECTION_ID54:
11992 offset = ssl_dissect_hnd_hello_ext_connection_id(hf, tvb, pinfo, ext_tree, offset, hnd_type, session, ssl);
11993 break;
11994 case SSL_HND_HELLO_EXT_TRUSTED_CA_KEYS3:
11995 offset = ssl_dissect_hnd_hello_ext_trusted_ca_keys(hf, tvb, pinfo, ext_tree, offset, next_offset);
11996 break;
11997 default:
11998 proto_tree_add_item(ext_tree, hf->hf.hs_ext_data,
11999 tvb, offset, ext_len, ENC_NA0x00000000);
12000 offset += ext_len;
12001 break;
12002 }
12003
12004 if (!ssl_end_vector(hf, tvb, pinfo, ext_tree, offset, next_offset)) {
12005 /* Dissection did not end at expected location, fix it. */
12006 offset = next_offset;
12007 }
12008 }
12009
12010 if (ja3) {
12011 if (hnd_type == SSL_HND_CLIENT_HELLO) {
12012 if(wmem_strbuf_get_len(ja3_sg) > 0) {
12013 wmem_strbuf_append_printf(ja3, "%s", wmem_strbuf_get_str(ja3_sg));
12014 } else {
12015 wmem_strbuf_append_c(ja3, ',');
12016 }
12017 if(wmem_strbuf_get_len(ja3_ecpf) > 0) {
12018 wmem_strbuf_append_printf(ja3, "%s", wmem_strbuf_get_str(ja3_ecpf));
12019 } else {
12020 wmem_strbuf_append_c(ja3, ',');
12021 }
12022 }
12023 }
12024
12025 /* Check if Extensions vector is correctly terminated. */
12026 if (!ssl_end_vector(hf, tvb, pinfo, tree, offset, offset_end)) {
12027 offset = offset_end;
12028 }
12029
12030 return offset;
12031} /* }}} */
12032
12033
12034/* ClientKeyExchange algo-specific dissectors. {{{ */
12035
12036static void
12037dissect_ssl3_hnd_cli_keyex_ecdh(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12038 proto_tree *tree, uint32_t offset,
12039 uint32_t length)
12040{
12041 int point_len;
12042 proto_tree *ssl_ecdh_tree;
12043
12044 ssl_ecdh_tree = proto_tree_add_subtree(tree, tvb, offset, length,
12045 hf->ett.keyex_params, NULL((void*)0), "EC Diffie-Hellman Client Params");
12046
12047 /* point */
12048 point_len = tvb_get_uint8(tvb, offset);
12049 proto_tree_add_item(ssl_ecdh_tree, hf->hf.hs_client_keyex_point_len, tvb,
12050 offset, 1, ENC_BIG_ENDIAN0x00000000);
12051 proto_tree_add_item(ssl_ecdh_tree, hf->hf.hs_client_keyex_point, tvb,
12052 offset + 1, point_len, ENC_NA0x00000000);
12053}
12054
12055static void
12056dissect_ssl3_hnd_cli_keyex_dhe(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12057 proto_tree *tree, uint32_t offset, uint32_t length)
12058{
12059 int yc_len;
12060 proto_tree *ssl_dh_tree;
12061
12062 ssl_dh_tree = proto_tree_add_subtree(tree, tvb, offset, length,
12063 hf->ett.keyex_params, NULL((void*)0), "Diffie-Hellman Client Params");
12064
12065 /* ClientDiffieHellmanPublic.dh_public (explicit) */
12066 yc_len = tvb_get_ntohs(tvb, offset);
12067 proto_tree_add_item(ssl_dh_tree, hf->hf.hs_client_keyex_yc_len, tvb,
12068 offset, 2, ENC_BIG_ENDIAN0x00000000);
12069 proto_tree_add_item(ssl_dh_tree, hf->hf.hs_client_keyex_yc, tvb,
12070 offset + 2, yc_len, ENC_NA0x00000000);
12071}
12072
12073static void
12074dissect_ssl3_hnd_cli_keyex_rsa(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12075 proto_tree *tree, uint32_t offset,
12076 uint32_t length, const SslSession *session)
12077{
12078 int epms_len;
12079 proto_tree *ssl_rsa_tree;
12080
12081 ssl_rsa_tree = proto_tree_add_subtree(tree, tvb, offset, length,
12082 hf->ett.keyex_params, NULL((void*)0), "RSA Encrypted PreMaster Secret");
12083
12084 /* EncryptedPreMasterSecret.pre_master_secret */
12085 switch (session->version) {
12086 case SSLV2_VERSION0x0002:
12087 case SSLV3_VERSION0x300:
12088 case DTLSV1DOT0_OPENSSL_VERSION0x100:
12089 /* OpenSSL pre-0.9.8f DTLS and pre-TLS quirk: 2-octet length vector is
12090 * not present. The handshake contents represents the EPMS, see:
12091 * https://gitlab.com/wireshark/wireshark/-/issues/10222 */
12092 epms_len = length;
12093 break;
12094
12095 default:
12096 /* TLS and DTLS include vector length before EPMS */
12097 epms_len = tvb_get_ntohs(tvb, offset);
12098 proto_tree_add_item(ssl_rsa_tree, hf->hf.hs_client_keyex_epms_len, tvb,
12099 offset, 2, ENC_BIG_ENDIAN0x00000000);
12100 offset += 2;
12101 break;
12102 }
12103 proto_tree_add_item(ssl_rsa_tree, hf->hf.hs_client_keyex_epms, tvb,
12104 offset, epms_len, ENC_NA0x00000000);
12105}
12106
12107/* Used in PSK cipher suites */
12108static uint32_t
12109dissect_ssl3_hnd_cli_keyex_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12110 proto_tree *tree, uint32_t offset)
12111{
12112 unsigned identity_len;
12113 proto_tree *ssl_psk_tree;
12114
12115 ssl_psk_tree = proto_tree_add_subtree(tree, tvb, offset, -1,
12116 hf->ett.keyex_params, NULL((void*)0), "PSK Client Params");
12117 /* identity */
12118 identity_len = tvb_get_ntohs(tvb, offset);
12119 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_client_keyex_identity_len, tvb,
12120 offset, 2, ENC_BIG_ENDIAN0x00000000);
12121 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_client_keyex_identity, tvb,
12122 offset + 2, identity_len, ENC_NA0x00000000);
12123
12124 proto_item_set_len(ssl_psk_tree, 2 + identity_len);
12125 return 2 + identity_len;
12126}
12127
12128/* Used in RSA PSK cipher suites */
12129static void
12130dissect_ssl3_hnd_cli_keyex_rsa_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12131 proto_tree *tree, uint32_t offset,
12132 uint32_t length)
12133{
12134 int identity_len, epms_len;
12135 proto_tree *ssl_psk_tree;
12136
12137 ssl_psk_tree = proto_tree_add_subtree(tree, tvb, offset, length,
12138 hf->ett.keyex_params, NULL((void*)0), "RSA PSK Client Params");
12139
12140 /* identity */
12141 identity_len = tvb_get_ntohs(tvb, offset);
12142 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_client_keyex_identity_len,
12143 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
12144 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_client_keyex_identity,
12145 tvb, offset + 2, identity_len, ENC_NA0x00000000);
12146 offset += 2 + identity_len;
12147
12148 /* Yc */
12149 epms_len = tvb_get_ntohs(tvb, offset);
12150 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_client_keyex_epms_len, tvb,
12151 offset, 2, ENC_BIG_ENDIAN0x00000000);
12152 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_client_keyex_epms, tvb,
12153 offset + 2, epms_len, ENC_NA0x00000000);
12154}
12155
12156/* Used in Diffie-Hellman PSK cipher suites */
12157static void
12158dissect_ssl3_hnd_cli_keyex_dhe_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12159 proto_tree *tree, uint32_t offset, uint32_t length)
12160{
12161 /*
12162 * struct {
12163 * select (KeyExchangeAlgorithm) {
12164 * case diffie_hellman_psk:
12165 * opaque psk_identity<0..2^16-1>;
12166 * ClientDiffieHellmanPublic public;
12167 * } exchange_keys;
12168 * } ClientKeyExchange;
12169 */
12170
12171 uint32_t psk_len = dissect_ssl3_hnd_cli_keyex_psk(hf, tvb, tree, offset);
12172 dissect_ssl3_hnd_cli_keyex_dhe(hf, tvb, tree, offset + psk_len, length - psk_len);
12173}
12174
12175/* Used in EC Diffie-Hellman PSK cipher suites */
12176static void
12177dissect_ssl3_hnd_cli_keyex_ecdh_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12178 proto_tree *tree, uint32_t offset, uint32_t length)
12179{
12180 /*
12181 * struct {
12182 * select (KeyExchangeAlgorithm) {
12183 * case ec_diffie_hellman_psk:
12184 * opaque psk_identity<0..2^16-1>;
12185 * ClientECDiffieHellmanPublic public;
12186 * } exchange_keys;
12187 * } ClientKeyExchange;
12188 */
12189
12190 uint32_t psk_len = dissect_ssl3_hnd_cli_keyex_psk(hf, tvb, tree, offset);
12191 dissect_ssl3_hnd_cli_keyex_ecdh(hf, tvb, tree, offset + psk_len, length - psk_len);
12192}
12193
12194/* Used in EC J-PAKE cipher suites */
12195static void
12196dissect_ssl3_hnd_cli_keyex_ecjpake(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12197 proto_tree *tree, uint32_t offset,
12198 uint32_t length)
12199{
12200 /*
12201 * struct {
12202 * ECPoint V;
12203 * opaque r<1..2^8-1>;
12204 * } ECSchnorrZKP;
12205 *
12206 * struct {
12207 * ECPoint X;
12208 * ECSchnorrZKP zkp;
12209 * } ECJPAKEKeyKP;
12210 *
12211 * struct {
12212 * ECJPAKEKeyKP ecjpake_key_kp;
12213 * } ClientECJPAKEParams;
12214 *
12215 * select (KeyExchangeAlgorithm) {
12216 * case ecjpake:
12217 * ClientECJPAKEParams params;
12218 * } ClientKeyExchange;
12219 */
12220
12221 int point_len;
12222 proto_tree *ssl_ecjpake_tree;
12223
12224 ssl_ecjpake_tree = proto_tree_add_subtree(tree, tvb, offset, length,
12225 hf->ett.keyex_params, NULL((void*)0),
12226 "EC J-PAKE Client Params");
12227
12228 /* ECJPAKEKeyKP.X */
12229 point_len = tvb_get_uint8(tvb, offset);
12230 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_client_keyex_xc_len, tvb,
12231 offset, 1, ENC_BIG_ENDIAN0x00000000);
12232 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_client_keyex_xc, tvb,
12233 offset + 1, point_len, ENC_NA0x00000000);
12234 offset += 1 + point_len;
12235
12236 /* ECJPAKEKeyKP.zkp.V */
12237 point_len = tvb_get_uint8(tvb, offset);
12238 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_client_keyex_vc_len, tvb,
12239 offset, 1, ENC_BIG_ENDIAN0x00000000);
12240 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_client_keyex_vc, tvb,
12241 offset + 1, point_len, ENC_NA0x00000000);
12242 offset += 1 + point_len;
12243
12244 /* ECJPAKEKeyKP.zkp.r */
12245 point_len = tvb_get_uint8(tvb, offset);
12246 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_client_keyex_rc_len, tvb,
12247 offset, 1, ENC_BIG_ENDIAN0x00000000);
12248 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_client_keyex_rc, tvb,
12249 offset + 1, point_len, ENC_NA0x00000000);
12250}
12251
12252static void
12253dissect_ssl3_hnd_cli_keyex_ecc_sm2(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12254 proto_tree *tree, uint32_t offset,
12255 uint32_t length)
12256{
12257 int epms_len;
12258 proto_tree *ssl_ecc_sm2_tree;
12259
12260 ssl_ecc_sm2_tree = proto_tree_add_subtree(tree, tvb, offset, length,
12261 hf->ett.keyex_params, NULL((void*)0),
12262 "ECC-SM2 Encrypted PreMaster Secret");
12263
12264 epms_len = tvb_get_ntohs(tvb, offset);
12265 proto_tree_add_item(ssl_ecc_sm2_tree, hf->hf.hs_client_keyex_epms_len, tvb,
12266 offset, 2, ENC_BIG_ENDIAN0x00000000);
12267 offset += 2;
12268 proto_tree_add_item(ssl_ecc_sm2_tree, hf->hf.hs_client_keyex_epms, tvb,
12269 offset, epms_len, ENC_NA0x00000000);
12270}
12271/* ClientKeyExchange algo-specific dissectors. }}} */
12272
12273
12274/* Dissects DigitallySigned (see RFC 5246 4.7 Cryptographic Attributes). {{{ */
12275static uint32_t
12276ssl_dissect_digitally_signed(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12277 proto_tree *tree, uint32_t offset, uint32_t offset_end,
12278 uint16_t version, int hf_sig_len, int hf_sig)
12279{
12280 uint32_t sig_len;
12281
12282 switch (version) {
12283 case TLSV1DOT2_VERSION0x303:
12284 case DTLSV1DOT2_VERSION0xfefd:
12285 case TLSV1DOT3_VERSION0x304:
12286 case DTLSV1DOT3_VERSION0xfefc:
12287 tls_dissect_signature_algorithm(hf, tvb, tree, offset, NULL((void*)0));
12288 offset += 2;
12289 break;
12290
12291 default:
12292 break;
12293 }
12294
12295 /* Sig */
12296 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &sig_len,
12297 hf_sig_len, 0, UINT16_MAX(65535))) {
12298 return offset_end;
12299 }
12300 offset += 2;
12301 proto_tree_add_item(tree, hf_sig, tvb, offset, sig_len, ENC_NA0x00000000);
12302 offset += sig_len;
12303 return offset;
12304} /* }}} */
12305
12306/* ServerKeyExchange algo-specific dissectors. {{{ */
12307
12308/* dissects signed_params inside a ServerKeyExchange for some keyex algos */
12309static void
12310dissect_ssl3_hnd_srv_keyex_sig(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12311 proto_tree *tree, uint32_t offset, uint32_t offset_end,
12312 uint16_t version)
12313{
12314 /*
12315 * TLSv1.2 (RFC 5246 sec 7.4.8)
12316 * struct {
12317 * digitally-signed struct {
12318 * opaque handshake_messages[handshake_messages_length];
12319 * }
12320 * } CertificateVerify;
12321 *
12322 * TLSv1.0/TLSv1.1 (RFC 5436 sec 7.4.8 and 7.4.3) works essentially the same
12323 * as TLSv1.2, but the hash algorithms are not explicit in digitally-signed.
12324 *
12325 * SSLv3 (RFC 6101 sec 5.6.8) essentially works the same as TLSv1.0 but it
12326 * does more hashing including the master secret and padding.
12327 */
12328 ssl_dissect_digitally_signed(hf, tvb, pinfo, tree, offset, offset_end, version,
12329 hf->hf.hs_server_keyex_sig_len,
12330 hf->hf.hs_server_keyex_sig);
12331}
12332
12333static uint32_t
12334dissect_tls_ecparameters(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree, uint32_t offset, uint32_t offset_end)
12335{
12336 /*
12337 * RFC 4492 ECC cipher suites for TLS
12338 *
12339 * struct {
12340 * ECCurveType curve_type;
12341 * select (curve_type) {
12342 * case explicit_prime:
12343 * ...
12344 * case explicit_char2:
12345 * ...
12346 * case named_curve:
12347 * NamedCurve namedcurve;
12348 * };
12349 * } ECParameters;
12350 */
12351
12352 int curve_type;
12353
12354 /* ECParameters.curve_type */
12355 curve_type = tvb_get_uint8(tvb, offset);
12356 proto_tree_add_item(tree, hf->hf.hs_server_keyex_curve_type, tvb,
12357 offset, 1, ENC_BIG_ENDIAN0x00000000);
12358 offset++;
12359
12360 if (curve_type != 3)
12361 return offset_end; /* only named_curves are supported */
12362
12363 /* case curve_type == named_curve; ECParameters.namedcurve */
12364 proto_tree_add_item(tree, hf->hf.hs_server_keyex_named_curve, tvb,
12365 offset, 2, ENC_BIG_ENDIAN0x00000000);
12366 offset += 2;
12367
12368 return offset;
12369}
12370
12371static void
12372dissect_ssl3_hnd_srv_keyex_ecdh(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12373 proto_tree *tree, uint32_t offset, uint32_t offset_end,
12374 uint16_t version, bool_Bool anon)
12375{
12376 /*
12377 * RFC 4492 ECC cipher suites for TLS
12378 *
12379 * struct {
12380 * opaque point <1..2^8-1>;
12381 * } ECPoint;
12382 *
12383 * struct {
12384 * ECParameters curve_params;
12385 * ECPoint public;
12386 * } ServerECDHParams;
12387 *
12388 * select (KeyExchangeAlgorithm) {
12389 * case ec_diffie_hellman:
12390 * ServerECDHParams params;
12391 * Signature signed_params;
12392 * } ServerKeyExchange;
12393 */
12394
12395 int point_len;
12396 proto_tree *ssl_ecdh_tree;
12397
12398 ssl_ecdh_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
12399 hf->ett.keyex_params, NULL((void*)0), "EC Diffie-Hellman Server Params");
12400
12401 offset = dissect_tls_ecparameters(hf, tvb, ssl_ecdh_tree, offset, offset_end);
12402 if (offset >= offset_end)
12403 return; /* only named_curves are supported */
12404
12405 /* ECPoint.point */
12406 point_len = tvb_get_uint8(tvb, offset);
12407 proto_tree_add_item(ssl_ecdh_tree, hf->hf.hs_server_keyex_point_len, tvb,
12408 offset, 1, ENC_BIG_ENDIAN0x00000000);
12409 proto_tree_add_item(ssl_ecdh_tree, hf->hf.hs_server_keyex_point, tvb,
12410 offset + 1, point_len, ENC_NA0x00000000);
12411 offset += 1 + point_len;
12412
12413 /* Signature (if non-anonymous KEX) */
12414 if (!anon) {
12415 dissect_ssl3_hnd_srv_keyex_sig(hf, tvb, pinfo, ssl_ecdh_tree, offset, offset_end, version);
12416 }
12417}
12418
12419static void
12420dissect_ssl3_hnd_srv_keyex_dhe(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12421 proto_tree *tree, uint32_t offset, uint32_t offset_end,
12422 uint16_t version, bool_Bool anon)
12423{
12424 int p_len, g_len, ys_len;
12425 proto_tree *ssl_dh_tree;
12426
12427 ssl_dh_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
12428 hf->ett.keyex_params, NULL((void*)0), "Diffie-Hellman Server Params");
12429
12430 /* p */
12431 p_len = tvb_get_ntohs(tvb, offset);
12432 proto_tree_add_item(ssl_dh_tree, hf->hf.hs_server_keyex_p_len, tvb,
12433 offset, 2, ENC_BIG_ENDIAN0x00000000);
12434 proto_tree_add_item(ssl_dh_tree, hf->hf.hs_server_keyex_p, tvb,
12435 offset + 2, p_len, ENC_NA0x00000000);
12436 offset += 2 + p_len;
12437
12438 /* g */
12439 g_len = tvb_get_ntohs(tvb, offset);
12440 proto_tree_add_item(ssl_dh_tree, hf->hf.hs_server_keyex_g_len, tvb,
12441 offset, 2, ENC_BIG_ENDIAN0x00000000);
12442 proto_tree_add_item(ssl_dh_tree, hf->hf.hs_server_keyex_g, tvb,
12443 offset + 2, g_len, ENC_NA0x00000000);
12444 offset += 2 + g_len;
12445
12446 /* Ys */
12447 ys_len = tvb_get_ntohs(tvb, offset);
12448 proto_tree_add_uint(ssl_dh_tree, hf->hf.hs_server_keyex_ys_len, tvb,
12449 offset, 2, ys_len);
12450 proto_tree_add_item(ssl_dh_tree, hf->hf.hs_server_keyex_ys, tvb,
12451 offset + 2, ys_len, ENC_NA0x00000000);
12452 offset += 2 + ys_len;
12453
12454 /* Signature (if non-anonymous KEX) */
12455 if (!anon) {
12456 dissect_ssl3_hnd_srv_keyex_sig(hf, tvb, pinfo, ssl_dh_tree, offset, offset_end, version);
12457 }
12458}
12459
12460/* Only used in RSA-EXPORT cipher suites */
12461static void
12462dissect_ssl3_hnd_srv_keyex_rsa(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12463 proto_tree *tree, uint32_t offset, uint32_t offset_end,
12464 uint16_t version)
12465{
12466 int modulus_len, exponent_len;
12467 proto_tree *ssl_rsa_tree;
12468
12469 ssl_rsa_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
12470 hf->ett.keyex_params, NULL((void*)0), "RSA-EXPORT Server Params");
12471
12472 /* modulus */
12473 modulus_len = tvb_get_ntohs(tvb, offset);
12474 proto_tree_add_item(ssl_rsa_tree, hf->hf.hs_server_keyex_modulus_len, tvb,
12475 offset, 2, ENC_BIG_ENDIAN0x00000000);
12476 proto_tree_add_item(ssl_rsa_tree, hf->hf.hs_server_keyex_modulus, tvb,
12477 offset + 2, modulus_len, ENC_NA0x00000000);
12478 offset += 2 + modulus_len;
12479
12480 /* exponent */
12481 exponent_len = tvb_get_ntohs(tvb, offset);
12482 proto_tree_add_item(ssl_rsa_tree, hf->hf.hs_server_keyex_exponent_len,
12483 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
12484 proto_tree_add_item(ssl_rsa_tree, hf->hf.hs_server_keyex_exponent,
12485 tvb, offset + 2, exponent_len, ENC_NA0x00000000);
12486 offset += 2 + exponent_len;
12487
12488 /* Signature */
12489 dissect_ssl3_hnd_srv_keyex_sig(hf, tvb, pinfo, ssl_rsa_tree, offset, offset_end, version);
12490}
12491
12492/* Used in RSA PSK and PSK cipher suites */
12493static uint32_t
12494dissect_ssl3_hnd_srv_keyex_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12495 proto_tree *tree, uint32_t offset)
12496{
12497 unsigned hint_len;
12498 proto_tree *ssl_psk_tree;
12499
12500 ssl_psk_tree = proto_tree_add_subtree(tree, tvb, offset, -1,
12501 hf->ett.keyex_params, NULL((void*)0), "PSK Server Params");
12502
12503 /* hint */
12504 hint_len = tvb_get_ntohs(tvb, offset);
12505 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_server_keyex_hint_len, tvb,
12506 offset, 2, ENC_BIG_ENDIAN0x00000000);
12507 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_server_keyex_hint, tvb,
12508 offset + 2, hint_len, ENC_NA0x00000000);
12509
12510 proto_item_set_len(ssl_psk_tree, 2 + hint_len);
12511 return 2 + hint_len;
12512}
12513
12514/* Used in Diffie-Hellman PSK cipher suites */
12515static void
12516dissect_ssl3_hnd_srv_keyex_dhe_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12517 proto_tree *tree, uint32_t offset, uint32_t offset_end)
12518{
12519 /*
12520 * struct {
12521 * select (KeyExchangeAlgorithm) {
12522 * case diffie_hellman_psk:
12523 * opaque psk_identity_hint<0..2^16-1>;
12524 * ServerDHParams params;
12525 * };
12526 * } ServerKeyExchange;
12527 */
12528
12529 uint32_t psk_len = dissect_ssl3_hnd_srv_keyex_psk(hf, tvb, tree, offset);
12530 dissect_ssl3_hnd_srv_keyex_dhe(hf, tvb, pinfo, tree, offset + psk_len, offset_end, 0, true1);
12531}
12532
12533/* Used in EC Diffie-Hellman PSK cipher suites */
12534static void
12535dissect_ssl3_hnd_srv_keyex_ecdh_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12536 proto_tree *tree, uint32_t offset, uint32_t offset_end)
12537{
12538 /*
12539 * struct {
12540 * select (KeyExchangeAlgorithm) {
12541 * case ec_diffie_hellman_psk:
12542 * opaque psk_identity_hint<0..2^16-1>;
12543 * ServerECDHParams params;
12544 * };
12545 * } ServerKeyExchange;
12546 */
12547
12548 uint32_t psk_len = dissect_ssl3_hnd_srv_keyex_psk(hf, tvb, tree, offset);
12549 dissect_ssl3_hnd_srv_keyex_ecdh(hf, tvb, pinfo, tree, offset + psk_len, offset_end, 0, true1);
12550}
12551
12552/* Used in EC J-PAKE cipher suites */
12553static void
12554dissect_ssl3_hnd_srv_keyex_ecjpake(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12555 proto_tree *tree, uint32_t offset, uint32_t offset_end)
12556{
12557 /*
12558 * struct {
12559 * ECPoint V;
12560 * opaque r<1..2^8-1>;
12561 * } ECSchnorrZKP;
12562 *
12563 * struct {
12564 * ECPoint X;
12565 * ECSchnorrZKP zkp;
12566 * } ECJPAKEKeyKP;
12567 *
12568 * struct {
12569 * ECParameters curve_params;
12570 * ECJPAKEKeyKP ecjpake_key_kp;
12571 * } ServerECJPAKEParams;
12572 *
12573 * select (KeyExchangeAlgorithm) {
12574 * case ecjpake:
12575 * ServerECJPAKEParams params;
12576 * } ServerKeyExchange;
12577 */
12578
12579 int point_len;
12580 proto_tree *ssl_ecjpake_tree;
12581
12582 ssl_ecjpake_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
12583 hf->ett.keyex_params, NULL((void*)0),
12584 "EC J-PAKE Server Params");
12585
12586 offset = dissect_tls_ecparameters(hf, tvb, ssl_ecjpake_tree, offset, offset_end);
12587 if (offset >= offset_end)
12588 return; /* only named_curves are supported */
12589
12590 /* ECJPAKEKeyKP.X */
12591 point_len = tvb_get_uint8(tvb, offset);
12592 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_server_keyex_xs_len, tvb,
12593 offset, 1, ENC_BIG_ENDIAN0x00000000);
12594 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_server_keyex_xs, tvb,
12595 offset + 1, point_len, ENC_NA0x00000000);
12596 offset += 1 + point_len;
12597
12598 /* ECJPAKEKeyKP.zkp.V */
12599 point_len = tvb_get_uint8(tvb, offset);
12600 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_server_keyex_vs_len, tvb,
12601 offset, 1, ENC_BIG_ENDIAN0x00000000);
12602 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_server_keyex_vs, tvb,
12603 offset + 1, point_len, ENC_NA0x00000000);
12604 offset += 1 + point_len;
12605
12606 /* ECJPAKEKeyKP.zkp.r */
12607 point_len = tvb_get_uint8(tvb, offset);
12608 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_server_keyex_rs_len, tvb,
12609 offset, 1, ENC_BIG_ENDIAN0x00000000);
12610 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_server_keyex_rs, tvb,
12611 offset + 1, point_len, ENC_NA0x00000000);
12612}
12613
12614/* Only used in ECC-SM2-EXPORT cipher suites */
12615static void
12616dissect_ssl3_hnd_srv_keyex_ecc_sm2(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12617 proto_tree *tree, uint32_t offset, uint32_t offset_end,
12618 uint16_t version)
12619{
12620 proto_tree *ssl_ecc_sm2_tree;
12621
12622 ssl_ecc_sm2_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
12623 hf->ett.keyex_params, NULL((void*)0), "ECC-SM2-EXPORT Server Params");
12624
12625 /* Signature */
12626 dissect_ssl3_hnd_srv_keyex_sig(hf, tvb, pinfo, ssl_ecc_sm2_tree, offset, offset_end, version);
12627}
12628/* ServerKeyExchange algo-specific dissectors. }}} */
12629
12630/* Client Key Exchange and Server Key Exchange handshake dissections. {{{ */
12631void
12632ssl_dissect_hnd_cli_keyex(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12633 proto_tree *tree, uint32_t offset, uint32_t length,
12634 const SslSession *session)
12635{
12636 switch (ssl_get_keyex_alg(session->cipher)) {
12637 case KEX_DH_ANON0x13: /* RFC 5246; DHE_DSS, DHE_RSA, DH_DSS, DH_RSA, DH_ANON: ClientDiffieHellmanPublic */
12638 case KEX_DH_DSS0x14:
12639 case KEX_DH_RSA0x15:
12640 case KEX_DHE_DSS0x10:
12641 case KEX_DHE_RSA0x12:
12642 dissect_ssl3_hnd_cli_keyex_dhe(hf, tvb, tree, offset, length);
12643 break;
12644 case KEX_DHE_PSK0x11: /* RFC 4279; diffie_hellman_psk: psk_identity, ClientDiffieHellmanPublic */
12645 dissect_ssl3_hnd_cli_keyex_dhe_psk(hf, tvb, tree, offset, length);
12646 break;
12647 case KEX_ECDH_ANON0x19: /* RFC 4492; ec_diffie_hellman: ClientECDiffieHellmanPublic */
12648 case KEX_ECDH_ECDSA0x1a:
12649 case KEX_ECDH_RSA0x1b:
12650 case KEX_ECDHE_ECDSA0x16:
12651 case KEX_ECDHE_RSA0x18:
12652 dissect_ssl3_hnd_cli_keyex_ecdh(hf, tvb, tree, offset, length);
12653 break;
12654 case KEX_ECDHE_PSK0x17: /* RFC 5489; ec_diffie_hellman_psk: psk_identity, ClientECDiffieHellmanPublic */
12655 dissect_ssl3_hnd_cli_keyex_ecdh_psk(hf, tvb, tree, offset, length);
12656 break;
12657 case KEX_KRB50x1c: /* RFC 2712; krb5: KerberosWrapper */
12658 /* XXX: implement support for KRB5 */
12659 proto_tree_add_expert_format(tree, NULL((void*)0), &hf->ei.hs_ciphersuite_undecoded,
12660 tvb, offset, length,
12661 "Kerberos ciphersuites (RFC 2712) are not implemented, contact Wireshark"
12662 " developers if you want them to be supported");
12663 break;
12664 case KEX_PSK0x1d: /* RFC 4279; psk: psk_identity */
12665 dissect_ssl3_hnd_cli_keyex_psk(hf, tvb, tree, offset);
12666 break;
12667 case KEX_RSA0x1e: /* RFC 5246; rsa: EncryptedPreMasterSecret */
12668 dissect_ssl3_hnd_cli_keyex_rsa(hf, tvb, tree, offset, length, session);
12669 break;
12670 case KEX_RSA_PSK0x1f: /* RFC 4279; rsa_psk: psk_identity, EncryptedPreMasterSecret */
12671 dissect_ssl3_hnd_cli_keyex_rsa_psk(hf, tvb, tree, offset, length);
12672 break;
12673 case KEX_SRP_SHA0x20: /* RFC 5054; srp: ClientSRPPublic */
12674 case KEX_SRP_SHA_DSS0x21:
12675 case KEX_SRP_SHA_RSA0x22:
12676 /* XXX: implement support for SRP_SHA* */
12677 proto_tree_add_expert_format(tree, NULL((void*)0), &hf->ei.hs_ciphersuite_undecoded,
12678 tvb, offset, length,
12679 "SRP_SHA ciphersuites (RFC 5054) are not implemented, contact Wireshark"
12680 " developers if you want them to be supported");
12681 break;
12682 case KEX_ECJPAKE0x24: /* https://tools.ietf.org/html/draft-cragie-tls-ecjpake-01 used in Thread Commissioning */
12683 dissect_ssl3_hnd_cli_keyex_ecjpake(hf, tvb, tree, offset, length);
12684 break;
12685 case KEX_ECC_SM20x26: /* GB/T 38636 */
12686 dissect_ssl3_hnd_cli_keyex_ecc_sm2(hf, tvb, tree, offset, length);
12687 break;
12688 default:
12689 proto_tree_add_expert(tree, NULL((void*)0), &hf->ei.hs_ciphersuite_undecoded,
12690 tvb, offset, length);
12691 break;
12692 }
12693}
12694
12695void
12696ssl_dissect_hnd_srv_keyex(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12697 proto_tree *tree, uint32_t offset, uint32_t offset_end,
12698 const SslSession *session)
12699{
12700 switch (ssl_get_keyex_alg(session->cipher)) {
12701 case KEX_DH_ANON0x13: /* RFC 5246; ServerDHParams */
12702 dissect_ssl3_hnd_srv_keyex_dhe(hf, tvb, pinfo, tree, offset, offset_end, session->version, true1);
12703 break;
12704 case KEX_DH_DSS0x14: /* RFC 5246; not allowed */
12705 case KEX_DH_RSA0x15:
12706 proto_tree_add_expert(tree, NULL((void*)0), &hf->ei.hs_srv_keyex_illegal,
12707 tvb, offset, offset_end - offset);
12708 break;
12709 case KEX_DHE_DSS0x10: /* RFC 5246; dhe_dss, dhe_rsa: ServerDHParams, Signature */
12710 case KEX_DHE_RSA0x12:
12711 dissect_ssl3_hnd_srv_keyex_dhe(hf, tvb, pinfo, tree, offset, offset_end, session->version, false0);
12712 break;
12713 case KEX_DHE_PSK0x11: /* RFC 4279; diffie_hellman_psk: psk_identity_hint, ServerDHParams */
12714 dissect_ssl3_hnd_srv_keyex_dhe_psk(hf, tvb, pinfo, tree, offset, offset_end);
12715 break;
12716 case KEX_ECDH_ANON0x19: /* RFC 4492; ec_diffie_hellman: ServerECDHParams (without signature for anon) */
12717 dissect_ssl3_hnd_srv_keyex_ecdh(hf, tvb, pinfo, tree, offset, offset_end, session->version, true1);
12718 break;
12719 case KEX_ECDHE_PSK0x17: /* RFC 5489; psk_identity_hint, ServerECDHParams */
12720 dissect_ssl3_hnd_srv_keyex_ecdh_psk(hf, tvb, pinfo, tree, offset, offset_end);
12721 break;
12722 case KEX_ECDH_ECDSA0x1a: /* RFC 4492; ec_diffie_hellman: ServerECDHParams, Signature */
12723 case KEX_ECDH_RSA0x1b:
12724 case KEX_ECDHE_ECDSA0x16:
12725 case KEX_ECDHE_RSA0x18:
12726 dissect_ssl3_hnd_srv_keyex_ecdh(hf, tvb, pinfo, tree, offset, offset_end, session->version, false0);
12727 break;
12728 case KEX_KRB50x1c: /* RFC 2712; not allowed */
12729 proto_tree_add_expert(tree, NULL((void*)0), &hf->ei.hs_srv_keyex_illegal,
12730 tvb, offset, offset_end - offset);
12731 break;
12732 case KEX_PSK0x1d: /* RFC 4279; psk, rsa: psk_identity */
12733 case KEX_RSA_PSK0x1f:
12734 dissect_ssl3_hnd_srv_keyex_psk(hf, tvb, tree, offset);
12735 break;
12736 case KEX_RSA0x1e: /* only allowed if the public key in the server certificate is longer than 512 bits */
12737 dissect_ssl3_hnd_srv_keyex_rsa(hf, tvb, pinfo, tree, offset, offset_end, session->version);
12738 break;
12739 case KEX_ECC_SM20x26: /* GB/T 38636 */
12740 dissect_ssl3_hnd_srv_keyex_ecc_sm2(hf, tvb, pinfo, tree, offset, offset_end, session->version);
12741 break;
12742 case KEX_SRP_SHA0x20: /* RFC 5054; srp: ServerSRPParams, Signature */
12743 case KEX_SRP_SHA_DSS0x21:
12744 case KEX_SRP_SHA_RSA0x22:
12745 /* XXX: implement support for SRP_SHA* */
12746 proto_tree_add_expert_format(tree, NULL((void*)0), &hf->ei.hs_ciphersuite_undecoded,
12747 tvb, offset, offset_end - offset,
12748 "SRP_SHA ciphersuites (RFC 5054) are not implemented, contact Wireshark"
12749 " developers if you want them to be supported");
12750 break;
12751 case KEX_ECJPAKE0x24: /* https://tools.ietf.org/html/draft-cragie-tls-ecjpake-01 used in Thread Commissioning */
12752 dissect_ssl3_hnd_srv_keyex_ecjpake(hf, tvb, tree, offset, offset_end);
12753 break;
12754 default:
12755 proto_tree_add_expert(tree, NULL((void*)0), &hf->ei.hs_ciphersuite_undecoded,
12756 tvb, offset, offset_end - offset);
12757 break;
12758 }
12759}
12760/* Client Key Exchange and Server Key Exchange handshake dissections. }}} */
12761
12762void
12763tls13_dissect_hnd_key_update(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12764 proto_tree *tree, uint32_t offset)
12765{
12766 /* RFC 8446 Section 4.6.3
12767 * enum {
12768 * update_not_requested(0), update_requested(1), (255)
12769 * } KeyUpdateRequest;
12770 *
12771 * struct {
12772 * KeyUpdateRequest request_update;
12773 * } KeyUpdate;
12774 */
12775 proto_tree_add_item(tree, hf->hf.hs_key_update_request_update, tvb, offset, 1, ENC_NA0x00000000);
12776}
12777
12778void
12779ssl_common_register_ssl_alpn_dissector_table(const char *name,
12780 const char *ui_name, const int proto)
12781{
12782 ssl_alpn_dissector_table = register_dissector_table(name, ui_name,
12783 proto, FT_STRING, STRING_CASE_SENSITIVE0);
12784 register_dissector_table_alias(ssl_alpn_dissector_table, "ssl.handshake.extensions_alpn_str");
12785}
12786
12787void
12788ssl_common_register_dtls_alpn_dissector_table(const char *name,
12789 const char *ui_name, const int proto)
12790{
12791 dtls_alpn_dissector_table = register_dissector_table(name, ui_name,
12792 proto, FT_STRING, STRING_CASE_SENSITIVE0);
12793 register_dissector_table_alias(ssl_alpn_dissector_table, "dtls.handshake.extensions_alpn_str");
12794}
12795
12796void
12797ssl_common_register_options(module_t *module, ssl_common_options_t *options, bool_Bool is_dtls)
12798{
12799 prefs_register_string_preference(module, "psk", "Pre-Shared Key",
12800 "Pre-Shared Key as HEX string. Should be 0 to 16 bytes.",
12801 &(options->psk));
12802
12803 if (is_dtls) {
12804 prefs_register_obsolete_preference(module, "keylog_file");
12805 prefs_register_static_text_preference(module, "keylog_file_removed",
12806 "The (Pre)-Master-Secret log filename preference can be configured in the TLS protocol preferences.",
12807 "Use the TLS protocol preference to configure the keylog file for both DTLS and TLS.");
12808 return;
12809 }
12810
12811 prefs_register_filename_preference(module, "keylog_file", "(Pre)-Master-Secret log filename",
12812 "The name of a file which contains a list of \n"
12813 "(pre-)master secrets in one of the following formats:\n"
12814 "\n"
12815 "RSA <EPMS> <PMS>\n"
12816 "RSA Session-ID:<SSLID> Master-Key:<MS>\n"
12817 "CLIENT_RANDOM <CRAND> <MS>\n"
12818 "PMS_CLIENT_RANDOM <CRAND> <PMS>\n"
12819 "\n"
12820 "Where:\n"
12821 "<EPMS> = First 8 bytes of the Encrypted PMS\n"
12822 "<PMS> = The Pre-Master-Secret (PMS) used to derive the MS\n"
12823 "<SSLID> = The SSL Session ID\n"
12824 "<MS> = The Master-Secret (MS)\n"
12825 "<CRAND> = The Client's random number from the ClientHello message\n"
12826 "\n"
12827 "(All fields are in hex notation)",
12828 &(options->keylog_filename), false0);
12829}
12830
12831void
12832ssl_calculate_handshake_hash(SslDecryptSession *ssl_session, tvbuff_t *tvb, uint32_t offset, uint32_t length)
12833{
12834 if (ssl_session && ssl_session->session.version != TLSV1DOT3_VERSION0x304 && !(ssl_session->state & SSL_MASTER_SECRET(1<<5))) {
12835 uint32_t old_length = ssl_session->handshake_data.data_len;
12836 ssl_debug_printf("Calculating hash with offset %d %d\n", offset, length);
12837 if (tvb) {
12838 if (tvb_bytes_exist(tvb, offset, length)) {
12839 ssl_session->handshake_data.data = (unsigned char *)wmem_realloc(wmem_file_scope(), ssl_session->handshake_data.data, old_length + length);
12840 tvb_memcpy(tvb, ssl_session->handshake_data.data + old_length, offset, length);
12841 ssl_session->handshake_data.data_len += length;
12842 }
12843 } else {
12844 /* DTLS calculates the hash as if each handshake message had been
12845 * sent as a single fragment (RFC 6347, section 4.2.6) and passes
12846 * in a null tvbuff to add 3 bytes for a zero fragment offset.
12847 */
12848 DISSECTOR_ASSERT_CMPINT(length, <, 4)((void) ((length < 4) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion " "length" " " "<" " " "4" " (" "%"
"l" "d" " " "<" " " "%" "l" "d" ")", "epan/dissectors/packet-tls-utils.c"
, 12848, (int64_t)length, (int64_t)4))));
12849 ssl_session->handshake_data.data = (unsigned char *)wmem_realloc(wmem_file_scope(), ssl_session->handshake_data.data, old_length + length);
12850 memset(ssl_session->handshake_data.data + old_length, 0, length);
12851 ssl_session->handshake_data.data_len += length;
12852 }
12853 }
12854}
12855
12856
12857/*
12858 * Editor modelines - https://www.wireshark.org/tools/modelines.html
12859 *
12860 * Local variables:
12861 * c-basic-offset: 4
12862 * tab-width: 8
12863 * indent-tabs-mode: nil
12864 * End:
12865 *
12866 * vi: set shiftwidth=4 tabstop=8 expandtab:
12867 * :indentSize=4:tabSize=8:noTabs=true:
12868 */