Bug Summary

File:epan/dissectors/packet-tls-utils.c
Warning:line 4889, column 17
Potential leak of memory pointed to by 'handshake_hashed_data.data'

Annotated Source Code

Press '?' to see keyboard shortcuts

clang -cc1 -cc1 -triple x86_64-pc-linux-gnu -analyze -disable-free -clear-ast-before-backend -disable-llvm-verifier -discard-value-names -main-file-name packet-tls-utils.c -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -mrelocation-model pic -pic-level 2 -fhalf-no-semantic-interposition -fno-delete-null-pointer-checks -mframe-pointer=all -relaxed-aliasing -fmath-errno -ffp-contract=on -fno-rounding-math -ffloat16-excess-precision=fast -fbfloat16-excess-precision=fast -mconstructor-aliases -funwind-tables=2 -target-cpu x86-64 -tune-cpu generic -debugger-tuning=gdb -fdebug-compilation-dir=/builds/wireshark/wireshark/build -fcoverage-compilation-dir=/builds/wireshark/wireshark/build -resource-dir /usr/lib/llvm-21/lib/clang/21 -isystem /usr/include/glib-2.0 -isystem /usr/lib/x86_64-linux-gnu/glib-2.0/include -isystem /builds/wireshark/wireshark/epan/dissectors -isystem /builds/wireshark/wireshark/build/epan/dissectors -isystem /usr/include/mit-krb5 -isystem /usr/include/libxml2 -isystem /builds/wireshark/wireshark/epan -D G_DISABLE_DEPRECATED -D G_DISABLE_SINGLE_INCLUDES -D WS_BUILD_DLL -D WS_DEBUG -D WS_DEBUG_UTF_8 -I /builds/wireshark/wireshark/build -I /builds/wireshark/wireshark -I /builds/wireshark/wireshark/include -D _GLIBCXX_ASSERTIONS -internal-isystem /usr/lib/llvm-21/lib/clang/21/include -internal-isystem /usr/local/include -internal-isystem /usr/lib/gcc/x86_64-linux-gnu/14/../../../../x86_64-linux-gnu/include -internal-externc-isystem /usr/include/x86_64-linux-gnu -internal-externc-isystem /include -internal-externc-isystem /usr/include -fmacro-prefix-map=/builds/wireshark/wireshark/= -fmacro-prefix-map=/builds/wireshark/wireshark/build/= -fmacro-prefix-map=../= -Wno-format-nonliteral -Wno-pointer-sign -std=gnu11 -ferror-limit 19 -fvisibility=hidden -fwrapv -fwrapv-pointer -fstrict-flex-arrays=3 -stack-protector 2 -fstack-clash-protection -fcf-protection=full -fgnuc-version=4.2.1 -fskip-odr-check-in-gmf -fexceptions -fcolor-diagnostics -analyzer-output=html -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /builds/wireshark/wireshark/sbout/2025-11-18-100323-3583-1 -x c /builds/wireshark/wireshark/epan/dissectors/packet-tls-utils.c
1/* packet-tls-utils.c
2 * ssl manipulation functions
3 * By Paolo Abeni <paolo.abeni@email.com>
4 *
5 * Copyright (c) 2013, Hauke Mehrtens <hauke@hauke-m.de>
6 * Copyright (c) 2014, Peter Wu <peter@lekensteyn.nl>
7 *
8 * Wireshark - Network traffic analyzer
9 * By Gerald Combs <gerald@wireshark.org>
10 * Copyright 1998 Gerald Combs
11 *
12 * SPDX-License-Identifier: GPL-2.0-or-later
13 */
14
15#include "config.h"
16
17#include <stdlib.h>
18#include <errno(*__errno_location ()).h>
19
20#include <epan/packet.h>
21#include <epan/strutil.h>
22#include <epan/addr_resolv.h>
23#include <epan/expert.h>
24#include <epan/asn1.h>
25#include <epan/proto_data.h>
26#include <epan/oids.h>
27#include <epan/secrets.h>
28
29#include <wsutil/inet_cidr.h>
30#include <wsutil/filesystem.h>
31#include <wsutil/file_util.h>
32#include <wsutil/str_util.h>
33#include <wsutil/report_message.h>
34#include <wsutil/pint.h>
35#include <wsutil/strtoi.h>
36#include <wsutil/wsgcrypt.h>
37#include <wsutil/rsa.h>
38#include <wsutil/ws_assert.h>
39#include <wsutil/zlib_compat.h>
40#include "packet-ber.h"
41#include "packet-x509af.h"
42#include "packet-x509if.h"
43#include "packet-tls-utils.h"
44#include "packet-ocsp.h"
45#include "packet-tls.h"
46#include "packet-dtls.h"
47#include "packet-quic.h"
48#if defined(HAVE_LIBGNUTLS1)
49#include <gnutls/abstract.h>
50#include <gnutls/x509.h>
51#include <gnutls/pkcs12.h>
52#endif
53
54/* JA3/JA3S calculations must ignore GREASE values
55 * as described in RFC 8701.
56 */
57#define IS_GREASE_TLS(x)((((x) & 0x0f0f) == 0x0a0a) && (((x) & 0xff) ==
(((x)>>8) & 0xff))) ((((x) & 0x0f0f) == 0x0a0a) && \
58 (((x) & 0xff) == (((x)>>8) & 0xff)))
59
60/* Section 22.3 of RFC 9000 (QUIC) reserves values of this
61 * form for a similar purpose as GREASE.
62 */
63#define IS_GREASE_QUIC(x)((x) > 27 ? ((((x) - 27) % 31) == 0) : 0) ((x) > 27 ? ((((x) - 27) % 31) == 0) : 0)
64
65#define DTLS13_MAX_EPOCH10 10
66
67/* Lookup tables {{{ */
68const value_string ssl_version_short_names[] = {
69 { SSLV2_VERSION0x0002, "SSLv2" },
70 { SSLV3_VERSION0x300, "SSLv3" },
71 { TLSV1_VERSION0x301, "TLSv1" },
72 { TLCPV1_VERSION0x101, "TLCP" },
73 { TLSV1DOT1_VERSION0x302, "TLSv1.1" },
74 { TLSV1DOT2_VERSION0x303, "TLSv1.2" },
75 { TLSV1DOT3_VERSION0x304, "TLSv1.3" },
76 { DTLSV1DOT0_VERSION0xfeff, "DTLSv1.0" },
77 { DTLSV1DOT2_VERSION0xfefd, "DTLSv1.2" },
78 { DTLSV1DOT3_VERSION0xfefc, "DTLSv1.3" },
79 { DTLSV1DOT0_OPENSSL_VERSION0x100, "DTLS 1.0 (OpenSSL pre 0.9.8f)" },
80 { 0x00, NULL((void*)0) }
81};
82
83const value_string ssl_versions[] = {
84 { SSLV2_VERSION0x0002, "SSL 2.0" },
85 { SSLV3_VERSION0x300, "SSL 3.0" },
86 { TLSV1_VERSION0x301, "TLS 1.0" },
87 { TLCPV1_VERSION0x101, "TLCP" },
88 { TLSV1DOT1_VERSION0x302, "TLS 1.1" },
89 { TLSV1DOT2_VERSION0x303, "TLS 1.2" },
90 { TLSV1DOT3_VERSION0x304, "TLS 1.3" },
91 { 0x7F0E, "TLS 1.3 (draft 14)" },
92 { 0x7F0F, "TLS 1.3 (draft 15)" },
93 { 0x7F10, "TLS 1.3 (draft 16)" },
94 { 0x7F11, "TLS 1.3 (draft 17)" },
95 { 0x7F12, "TLS 1.3 (draft 18)" },
96 { 0x7F13, "TLS 1.3 (draft 19)" },
97 { 0x7F14, "TLS 1.3 (draft 20)" },
98 { 0x7F15, "TLS 1.3 (draft 21)" },
99 { 0x7F16, "TLS 1.3 (draft 22)" },
100 { 0x7F17, "TLS 1.3 (draft 23)" },
101 { 0x7F18, "TLS 1.3 (draft 24)" },
102 { 0x7F19, "TLS 1.3 (draft 25)" },
103 { 0x7F1A, "TLS 1.3 (draft 26)" },
104 { 0x7F1B, "TLS 1.3 (draft 27)" },
105 { 0x7F1C, "TLS 1.3 (draft 28)" },
106 { 0xFB17, "TLS 1.3 (Facebook draft 23)" },
107 { 0xFB1A, "TLS 1.3 (Facebook draft 26)" },
108 { DTLSV1DOT0_OPENSSL_VERSION0x100, "DTLS 1.0 (OpenSSL pre 0.9.8f)" },
109 { DTLSV1DOT0_VERSION0xfeff, "DTLS 1.0" },
110 { DTLSV1DOT2_VERSION0xfefd, "DTLS 1.2" },
111 { DTLSV1DOT3_VERSION0xfefc, "DTLS 1.3" },
112 { 0x0A0A, "Reserved (GREASE)" }, /* RFC 8701 */
113 { 0x1A1A, "Reserved (GREASE)" }, /* RFC 8701 */
114 { 0x2A2A, "Reserved (GREASE)" }, /* RFC 8701 */
115 { 0x3A3A, "Reserved (GREASE)" }, /* RFC 8701 */
116 { 0x4A4A, "Reserved (GREASE)" }, /* RFC 8701 */
117 { 0x5A5A, "Reserved (GREASE)" }, /* RFC 8701 */
118 { 0x6A6A, "Reserved (GREASE)" }, /* RFC 8701 */
119 { 0x7A7A, "Reserved (GREASE)" }, /* RFC 8701 */
120 { 0x8A8A, "Reserved (GREASE)" }, /* RFC 8701 */
121 { 0x9A9A, "Reserved (GREASE)" }, /* RFC 8701 */
122 { 0xAAAA, "Reserved (GREASE)" }, /* RFC 8701 */
123 { 0xBABA, "Reserved (GREASE)" }, /* RFC 8701 */
124 { 0xCACA, "Reserved (GREASE)" }, /* RFC 8701 */
125 { 0xDADA, "Reserved (GREASE)" }, /* RFC 8701 */
126 { 0xEAEA, "Reserved (GREASE)" }, /* RFC 8701 */
127 { 0xFAFA, "Reserved (GREASE)" }, /* RFC 8701 */
128 { 0x00, NULL((void*)0) }
129};
130
131static const value_string ssl_version_ja4_names[] = {
132 { 0x0100, "s1" },
133 { SSLV2_VERSION0x0002, "s2" },
134 { SSLV3_VERSION0x300, "s3" },
135 { TLSV1_VERSION0x301, "10" },
136 { TLSV1DOT1_VERSION0x302, "11" },
137 { TLSV1DOT2_VERSION0x303, "12" },
138 { TLSV1DOT3_VERSION0x304, "13" },
139 { DTLSV1DOT0_VERSION0xfeff, "d1" },
140 { DTLSV1DOT2_VERSION0xfefd, "d2" },
141 { DTLSV1DOT3_VERSION0xfefc, "d3" },
142 { 0x00, NULL((void*)0) }
143};
144
145const value_string ssl_20_msg_types[] = {
146 { SSL2_HND_ERROR0x00, "Error" },
147 { SSL2_HND_CLIENT_HELLO0x01, "Client Hello" },
148 { SSL2_HND_CLIENT_MASTER_KEY0x02, "Client Master Key" },
149 { SSL2_HND_CLIENT_FINISHED0x03, "Client Finished" },
150 { SSL2_HND_SERVER_HELLO0x04, "Server Hello" },
151 { SSL2_HND_SERVER_VERIFY0x05, "Server Verify" },
152 { SSL2_HND_SERVER_FINISHED0x06, "Server Finished" },
153 { SSL2_HND_REQUEST_CERTIFICATE0x07, "Request Certificate" },
154 { SSL2_HND_CLIENT_CERTIFICATE0x08, "Client Certificate" },
155 { 0x00, NULL((void*)0) }
156};
157/* http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml */
158/* Note: sorted by ascending value so value_string-ext can do a binary search */
159static const value_string ssl_20_cipher_suites[] = {
160 { 0x000000, "TLS_NULL_WITH_NULL_NULL" },
161 { 0x000001, "TLS_RSA_WITH_NULL_MD5" },
162 { 0x000002, "TLS_RSA_WITH_NULL_SHA" },
163 { 0x000003, "TLS_RSA_EXPORT_WITH_RC4_40_MD5" },
164 { 0x000004, "TLS_RSA_WITH_RC4_128_MD5" },
165 { 0x000005, "TLS_RSA_WITH_RC4_128_SHA" },
166 { 0x000006, "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5" },
167 { 0x000007, "TLS_RSA_WITH_IDEA_CBC_SHA" },
168 { 0x000008, "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA" },
169 { 0x000009, "TLS_RSA_WITH_DES_CBC_SHA" },
170 { 0x00000a, "TLS_RSA_WITH_3DES_EDE_CBC_SHA" },
171 { 0x00000b, "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA" },
172 { 0x00000c, "TLS_DH_DSS_WITH_DES_CBC_SHA" },
173 { 0x00000d, "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA" },
174 { 0x00000e, "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA" },
175 { 0x00000f, "TLS_DH_RSA_WITH_DES_CBC_SHA" },
176 { 0x000010, "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA" },
177 { 0x000011, "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA" },
178 { 0x000012, "TLS_DHE_DSS_WITH_DES_CBC_SHA" },
179 { 0x000013, "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA" },
180 { 0x000014, "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA" },
181 { 0x000015, "TLS_DHE_RSA_WITH_DES_CBC_SHA" },
182 { 0x000016, "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA" },
183 { 0x000017, "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5" },
184 { 0x000018, "TLS_DH_anon_WITH_RC4_128_MD5" },
185 { 0x000019, "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA" },
186 { 0x00001a, "TLS_DH_anon_WITH_DES_CBC_SHA" },
187 { 0x00001b, "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA" },
188 { 0x00001c, "SSL_FORTEZZA_KEA_WITH_NULL_SHA" },
189 { 0x00001d, "SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA" },
190#if 0
191 { 0x00001e, "SSL_FORTEZZA_KEA_WITH_RC4_128_SHA" },
192#endif
193 /* RFC 2712 */
194 { 0x00001E, "TLS_KRB5_WITH_DES_CBC_SHA" },
195 { 0x00001F, "TLS_KRB5_WITH_3DES_EDE_CBC_SHA" },
196 { 0x000020, "TLS_KRB5_WITH_RC4_128_SHA" },
197 { 0x000021, "TLS_KRB5_WITH_IDEA_CBC_SHA" },
198 { 0x000022, "TLS_KRB5_WITH_DES_CBC_MD5" },
199 { 0x000023, "TLS_KRB5_WITH_3DES_EDE_CBC_MD5" },
200 { 0x000024, "TLS_KRB5_WITH_RC4_128_MD5" },
201 { 0x000025, "TLS_KRB5_WITH_IDEA_CBC_MD5" },
202 { 0x000026, "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA" },
203 { 0x000027, "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA" },
204 { 0x000028, "TLS_KRB5_EXPORT_WITH_RC4_40_SHA" },
205 { 0x000029, "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5" },
206 { 0x00002A, "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5" },
207 { 0x00002B, "TLS_KRB5_EXPORT_WITH_RC4_40_MD5" },
208 /* RFC 4785 */
209 { 0x00002C, "TLS_PSK_WITH_NULL_SHA" },
210 { 0x00002D, "TLS_DHE_PSK_WITH_NULL_SHA" },
211 { 0x00002E, "TLS_RSA_PSK_WITH_NULL_SHA" },
212 /* RFC 5246 */
213 { 0x00002f, "TLS_RSA_WITH_AES_128_CBC_SHA" },
214 { 0x000030, "TLS_DH_DSS_WITH_AES_128_CBC_SHA" },
215 { 0x000031, "TLS_DH_RSA_WITH_AES_128_CBC_SHA" },
216 { 0x000032, "TLS_DHE_DSS_WITH_AES_128_CBC_SHA" },
217 { 0x000033, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA" },
218 { 0x000034, "TLS_DH_anon_WITH_AES_128_CBC_SHA" },
219 { 0x000035, "TLS_RSA_WITH_AES_256_CBC_SHA" },
220 { 0x000036, "TLS_DH_DSS_WITH_AES_256_CBC_SHA" },
221 { 0x000037, "TLS_DH_RSA_WITH_AES_256_CBC_SHA" },
222 { 0x000038, "TLS_DHE_DSS_WITH_AES_256_CBC_SHA" },
223 { 0x000039, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA" },
224 { 0x00003A, "TLS_DH_anon_WITH_AES_256_CBC_SHA" },
225 { 0x00003B, "TLS_RSA_WITH_NULL_SHA256" },
226 { 0x00003C, "TLS_RSA_WITH_AES_128_CBC_SHA256" },
227 { 0x00003D, "TLS_RSA_WITH_AES_256_CBC_SHA256" },
228 { 0x00003E, "TLS_DH_DSS_WITH_AES_128_CBC_SHA256" },
229 { 0x00003F, "TLS_DH_RSA_WITH_AES_128_CBC_SHA256" },
230 { 0x000040, "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256" },
231 { 0x000041, "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA" },
232 { 0x000042, "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA" },
233 { 0x000043, "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA" },
234 { 0x000044, "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA" },
235 { 0x000045, "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA" },
236 { 0x000046, "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA" },
237 { 0x000047, "TLS_ECDH_ECDSA_WITH_NULL_SHA" },
238 { 0x000048, "TLS_ECDH_ECDSA_WITH_RC4_128_SHA" },
239 { 0x000049, "TLS_ECDH_ECDSA_WITH_DES_CBC_SHA" },
240 { 0x00004A, "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA" },
241 { 0x00004B, "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA" },
242 { 0x00004C, "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" },
243 { 0x000060, "TLS_RSA_EXPORT1024_WITH_RC4_56_MD5" },
244 { 0x000061, "TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5" },
245 { 0x000062, "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA" },
246 { 0x000063, "TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA" },
247 { 0x000064, "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA" },
248 { 0x000065, "TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA" },
249 { 0x000066, "TLS_DHE_DSS_WITH_RC4_128_SHA" },
250 { 0x000067, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256" },
251 { 0x000068, "TLS_DH_DSS_WITH_AES_256_CBC_SHA256" },
252 { 0x000069, "TLS_DH_RSA_WITH_AES_256_CBC_SHA256" },
253 { 0x00006A, "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256" },
254 { 0x00006B, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256" },
255 { 0x00006C, "TLS_DH_anon_WITH_AES_128_CBC_SHA256" },
256 { 0x00006D, "TLS_DH_anon_WITH_AES_256_CBC_SHA256" },
257 /* 0x00,0x6E-83 Unassigned */
258 { 0x000084, "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA" },
259 { 0x000085, "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA" },
260 { 0x000086, "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA" },
261 { 0x000087, "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA" },
262 { 0x000088, "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA" },
263 { 0x000089, "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA" },
264 /* RFC 4279 */
265 { 0x00008A, "TLS_PSK_WITH_RC4_128_SHA" },
266 { 0x00008B, "TLS_PSK_WITH_3DES_EDE_CBC_SHA" },
267 { 0x00008C, "TLS_PSK_WITH_AES_128_CBC_SHA" },
268 { 0x00008D, "TLS_PSK_WITH_AES_256_CBC_SHA" },
269 { 0x00008E, "TLS_DHE_PSK_WITH_RC4_128_SHA" },
270 { 0x00008F, "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA" },
271 { 0x000090, "TLS_DHE_PSK_WITH_AES_128_CBC_SHA" },
272 { 0x000091, "TLS_DHE_PSK_WITH_AES_256_CBC_SHA" },
273 { 0x000092, "TLS_RSA_PSK_WITH_RC4_128_SHA" },
274 { 0x000093, "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA" },
275 { 0x000094, "TLS_RSA_PSK_WITH_AES_128_CBC_SHA" },
276 { 0x000095, "TLS_RSA_PSK_WITH_AES_256_CBC_SHA" },
277 /* RFC 4162 */
278 { 0x000096, "TLS_RSA_WITH_SEED_CBC_SHA" },
279 { 0x000097, "TLS_DH_DSS_WITH_SEED_CBC_SHA" },
280 { 0x000098, "TLS_DH_RSA_WITH_SEED_CBC_SHA" },
281 { 0x000099, "TLS_DHE_DSS_WITH_SEED_CBC_SHA" },
282 { 0x00009A, "TLS_DHE_RSA_WITH_SEED_CBC_SHA" },
283 { 0x00009B, "TLS_DH_anon_WITH_SEED_CBC_SHA" },
284 /* RFC 5288 */
285 { 0x00009C, "TLS_RSA_WITH_AES_128_GCM_SHA256" },
286 { 0x00009D, "TLS_RSA_WITH_AES_256_GCM_SHA384" },
287 { 0x00009E, "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256" },
288 { 0x00009F, "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384" },
289 { 0x0000A0, "TLS_DH_RSA_WITH_AES_128_GCM_SHA256" },
290 { 0x0000A1, "TLS_DH_RSA_WITH_AES_256_GCM_SHA384" },
291 { 0x0000A2, "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256" },
292 { 0x0000A3, "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384" },
293 { 0x0000A4, "TLS_DH_DSS_WITH_AES_128_GCM_SHA256" },
294 { 0x0000A5, "TLS_DH_DSS_WITH_AES_256_GCM_SHA384" },
295 { 0x0000A6, "TLS_DH_anon_WITH_AES_128_GCM_SHA256" },
296 { 0x0000A7, "TLS_DH_anon_WITH_AES_256_GCM_SHA384" },
297 /* RFC 5487 */
298 { 0x0000A8, "TLS_PSK_WITH_AES_128_GCM_SHA256" },
299 { 0x0000A9, "TLS_PSK_WITH_AES_256_GCM_SHA384" },
300 { 0x0000AA, "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256" },
301 { 0x0000AB, "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384" },
302 { 0x0000AC, "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256" },
303 { 0x0000AD, "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384" },
304 { 0x0000AE, "TLS_PSK_WITH_AES_128_CBC_SHA256" },
305 { 0x0000AF, "TLS_PSK_WITH_AES_256_CBC_SHA384" },
306 { 0x0000B0, "TLS_PSK_WITH_NULL_SHA256" },
307 { 0x0000B1, "TLS_PSK_WITH_NULL_SHA384" },
308 { 0x0000B2, "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256" },
309 { 0x0000B3, "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384" },
310 { 0x0000B4, "TLS_DHE_PSK_WITH_NULL_SHA256" },
311 { 0x0000B5, "TLS_DHE_PSK_WITH_NULL_SHA384" },
312 { 0x0000B6, "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256" },
313 { 0x0000B7, "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384" },
314 { 0x0000B8, "TLS_RSA_PSK_WITH_NULL_SHA256" },
315 { 0x0000B9, "TLS_RSA_PSK_WITH_NULL_SHA384" },
316 /* From RFC 5932 */
317 { 0x0000BA, "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
318 { 0x0000BB, "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256" },
319 { 0x0000BC, "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
320 { 0x0000BD, "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256" },
321 { 0x0000BE, "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
322 { 0x0000BF, "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256" },
323 { 0x0000C0, "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
324 { 0x0000C1, "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256" },
325 { 0x0000C2, "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
326 { 0x0000C3, "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256" },
327 { 0x0000C4, "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
328 { 0x0000C5, "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256" },
329 /* 0x00,0xC6-FE Unassigned */
330 { 0x0000FF, "TLS_EMPTY_RENEGOTIATION_INFO_SCSV" },
331 /* 0x01-BF,* Unassigned */
332 /* From RFC 4492 */
333 { 0x00c001, "TLS_ECDH_ECDSA_WITH_NULL_SHA" },
334 { 0x00c002, "TLS_ECDH_ECDSA_WITH_RC4_128_SHA" },
335 { 0x00c003, "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA" },
336 { 0x00c004, "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA" },
337 { 0x00c005, "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" },
338 { 0x00c006, "TLS_ECDHE_ECDSA_WITH_NULL_SHA" },
339 { 0x00c007, "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA" },
340 { 0x00c008, "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA" },
341 { 0x00c009, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA" },
342 { 0x00c00a, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" },
343 { 0x00c00b, "TLS_ECDH_RSA_WITH_NULL_SHA" },
344 { 0x00c00c, "TLS_ECDH_RSA_WITH_RC4_128_SHA" },
345 { 0x00c00d, "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA" },
346 { 0x00c00e, "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA" },
347 { 0x00c00f, "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA" },
348 { 0x00c010, "TLS_ECDHE_RSA_WITH_NULL_SHA" },
349 { 0x00c011, "TLS_ECDHE_RSA_WITH_RC4_128_SHA" },
350 { 0x00c012, "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA" },
351 { 0x00c013, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA" },
352 { 0x00c014, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA" },
353 { 0x00c015, "TLS_ECDH_anon_WITH_NULL_SHA" },
354 { 0x00c016, "TLS_ECDH_anon_WITH_RC4_128_SHA" },
355 { 0x00c017, "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA" },
356 { 0x00c018, "TLS_ECDH_anon_WITH_AES_128_CBC_SHA" },
357 { 0x00c019, "TLS_ECDH_anon_WITH_AES_256_CBC_SHA" },
358 /* RFC 5054 */
359 { 0x00C01A, "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA" },
360 { 0x00C01B, "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA" },
361 { 0x00C01C, "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA" },
362 { 0x00C01D, "TLS_SRP_SHA_WITH_AES_128_CBC_SHA" },
363 { 0x00C01E, "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA" },
364 { 0x00C01F, "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA" },
365 { 0x00C020, "TLS_SRP_SHA_WITH_AES_256_CBC_SHA" },
366 { 0x00C021, "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA" },
367 { 0x00C022, "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA" },
368 /* RFC 5589 */
369 { 0x00C023, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256" },
370 { 0x00C024, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384" },
371 { 0x00C025, "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256" },
372 { 0x00C026, "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384" },
373 { 0x00C027, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" },
374 { 0x00C028, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" },
375 { 0x00C029, "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256" },
376 { 0x00C02A, "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384" },
377 { 0x00C02B, "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" },
378 { 0x00C02C, "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" },
379 { 0x00C02D, "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256" },
380 { 0x00C02E, "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384" },
381 { 0x00C02F, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" },
382 { 0x00C030, "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" },
383 { 0x00C031, "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" },
384 { 0x00C032, "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384" },
385 /* RFC 5489 */
386 { 0x00C033, "TLS_ECDHE_PSK_WITH_RC4_128_SHA" },
387 { 0x00C034, "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA" },
388 { 0x00C035, "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA" },
389 { 0x00C036, "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA" },
390 { 0x00C037, "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256" },
391 { 0x00C038, "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384" },
392 { 0x00C039, "TLS_ECDHE_PSK_WITH_NULL_SHA" },
393 { 0x00C03A, "TLS_ECDHE_PSK_WITH_NULL_SHA256" },
394 { 0x00C03B, "TLS_ECDHE_PSK_WITH_NULL_SHA384" },
395 /* 0xC0,0x3C-FF Unassigned
396 0xC1-FD,* Unassigned
397 0xFE,0x00-FD Unassigned
398 0xFE,0xFE-FF Reserved to avoid conflicts with widely deployed implementations [Pasi_Eronen]
399 0xFF,0x00-FF Reserved for Private Use [RFC5246]
400 */
401
402 /* old numbers used in the beginning
403 * https://tools.ietf.org/html/draft-agl-tls-chacha20poly1305 */
404 { 0x00CC13, "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
405 { 0x00CC14, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" },
406 { 0x00CC15, "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
407
408 /* https://tools.ietf.org/html/rfc7905 */
409 { 0x00CCA8, "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
410 { 0x00CCA9, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" },
411 { 0x00CCAA, "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
412 { 0x00CCAB, "TLS_PSK_WITH_CHACHA20_POLY1305_SHA256" },
413 { 0x00CCAC, "TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256" },
414 { 0x00CCAD, "TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256" },
415 { 0x00CCAE, "TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256" },
416
417 /* GM/T 0024-2014 */
418 { 0x00e001, "ECDHE_SM1_SM3"},
419 { 0x00e003, "ECC_SM1_SM3"},
420 { 0x00e005, "IBSDH_SM1_SM3"},
421 { 0x00e007, "IBC_SM1_SM3"},
422 { 0x00e009, "RSA_SM1_SM3"},
423 { 0x00e00a, "RSA_SM1_SHA1"},
424 { 0x00e011, "ECDHE_SM4_CBC_SM3"},
425 { 0x00e013, "ECC_SM4_CBC_SM3"},
426 { 0x00e015, "IBSDH_SM4_CBC_SM3"},
427 { 0x00e017, "IBC_SM4_CBC_SM3"},
428 { 0x00e019, "RSA_SM4_CBC_SM3"},
429 { 0x00e01a, "RSA_SM4_CBC_SHA1"},
430 { 0x00e01c, "RSA_SM4_CBC_SHA256"},
431 { 0x00e051, "ECDHE_SM4_GCM_SM3"},
432 { 0x00e053, "ECC_SM4_GCM_SM3"},
433 { 0x00e055, "IBSDH_SM4_GCM_SM3"},
434 { 0x00e057, "IBC_SM4_GCM_SM3"},
435 { 0x00e059, "RSA_SM4_GCM_SM3"},
436 { 0x00e05a, "RSA_SM4_GCM_SHA256"},
437
438 /* https://tools.ietf.org/html/draft-josefsson-salsa20-tls */
439 { 0x00E410, "TLS_RSA_WITH_ESTREAM_SALSA20_SHA1" },
440 { 0x00E411, "TLS_RSA_WITH_SALSA20_SHA1" },
441 { 0x00E412, "TLS_ECDHE_RSA_WITH_ESTREAM_SALSA20_SHA1" },
442 { 0x00E413, "TLS_ECDHE_RSA_WITH_SALSA20_SHA1" },
443 { 0x00E414, "TLS_ECDHE_ECDSA_WITH_ESTREAM_SALSA20_SHA1" },
444 { 0x00E415, "TLS_ECDHE_ECDSA_WITH_SALSA20_SHA1" },
445 { 0x00E416, "TLS_PSK_WITH_ESTREAM_SALSA20_SHA1" },
446 { 0x00E417, "TLS_PSK_WITH_SALSA20_SHA1" },
447 { 0x00E418, "TLS_ECDHE_PSK_WITH_ESTREAM_SALSA20_SHA1" },
448 { 0x00E419, "TLS_ECDHE_PSK_WITH_SALSA20_SHA1" },
449 { 0x00E41A, "TLS_RSA_PSK_WITH_ESTREAM_SALSA20_SHA1" },
450 { 0x00E41B, "TLS_RSA_PSK_WITH_SALSA20_SHA1" },
451 { 0x00E41C, "TLS_DHE_PSK_WITH_ESTREAM_SALSA20_SHA1" },
452 { 0x00E41D, "TLS_DHE_PSK_WITH_SALSA20_SHA1" },
453 { 0x00E41E, "TLS_DHE_RSA_WITH_ESTREAM_SALSA20_SHA1" },
454 { 0x00E41F, "TLS_DHE_RSA_WITH_SALSA20_SHA1" },
455
456 /* these from http://www.mozilla.org/projects/
457 security/pki/nss/ssl/fips-ssl-ciphersuites.html */
458 { 0x00fefe, "SSL_RSA_FIPS_WITH_DES_CBC_SHA"},
459 { 0x00feff, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA" },
460 { 0x00ffe0, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA" },
461 { 0x00ffe1, "SSL_RSA_FIPS_WITH_DES_CBC_SHA"},
462 /* note that ciphersuites of {0x00????} are TLS cipher suites in
463 * a sslv2 client hello message; the ???? above is the two-byte
464 * tls cipher suite id
465 */
466
467 { 0x010080, "SSL2_RC4_128_WITH_MD5" },
468 { 0x020080, "SSL2_RC4_128_EXPORT40_WITH_MD5" },
469 { 0x030080, "SSL2_RC2_128_CBC_WITH_MD5" },
470 { 0x040080, "SSL2_RC2_128_CBC_EXPORT40_WITH_MD5" },
471 { 0x050080, "SSL2_IDEA_128_CBC_WITH_MD5" },
472 { 0x060040, "SSL2_DES_64_CBC_WITH_MD5" },
473 { 0x0700c0, "SSL2_DES_192_EDE3_CBC_WITH_MD5" },
474 { 0x080080, "SSL2_RC4_64_WITH_MD5" },
475
476 { 0x00, NULL((void*)0) }
477};
478
479value_string_ext ssl_20_cipher_suites_ext = VALUE_STRING_EXT_INIT(ssl_20_cipher_suites){ _try_val_to_str_ext_init, 0, (sizeof (ssl_20_cipher_suites)
/ sizeof ((ssl_20_cipher_suites)[0]))-1, ssl_20_cipher_suites
, "ssl_20_cipher_suites", ((void*)0) };
480
481
482/*
483 * Supported Groups (formerly named "EC Named Curve").
484 * https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8
485 */
486const value_string ssl_extension_curves[] = {
487 { 1, "sect163k1" },
488 { 2, "sect163r1" },
489 { 3, "sect163r2" },
490 { 4, "sect193r1" },
491 { 5, "sect193r2" },
492 { 6, "sect233k1" },
493 { 7, "sect233r1" },
494 { 8, "sect239k1" },
495 { 9, "sect283k1" },
496 { 10, "sect283r1" },
497 { 11, "sect409k1" },
498 { 12, "sect409r1" },
499 { 13, "sect571k1" },
500 { 14, "sect571r1" },
501 { 15, "secp160k1" },
502 { 16, "secp160r1" },
503 { 17, "secp160r2" },
504 { 18, "secp192k1" },
505 { 19, "secp192r1" },
506 { 20, "secp224k1" },
507 { 21, "secp224r1" },
508 { 22, "secp256k1" },
509 { 23, "secp256r1" },
510 { 24, "secp384r1" },
511 { 25, "secp521r1" },
512 { 26, "brainpoolP256r1" }, /* RFC 7027 */
513 { 27, "brainpoolP384r1" }, /* RFC 7027 */
514 { 28, "brainpoolP512r1" }, /* RFC 7027 */
515 { 29, "x25519" }, /* RFC 8446 / RFC 8422 */
516 { 30, "x448" }, /* RFC 8446 / RFC 8422 */
517 { 31, "brainpoolP256r1tls13" }, /* RFC8734 */
518 { 32, "brainpoolP384r1tls13" }, /* RFC8734 */
519 { 33, "brainpoolP512r1tls13" }, /* RFC8734 */
520 { 34, "GC256A" }, /* RFC9189 */
521 { 35, "GC256B" }, /* RFC9189 */
522 { 36, "GC256C" }, /* RFC9189 */
523 { 37, "GC256D" }, /* RFC9189 */
524 { 38, "GC512A" }, /* RFC9189 */
525 { 39, "GC512B" }, /* RFC9189 */
526 { 40, "GC512C" }, /* RFC9189 */
527 { 41, "curveSM2" }, /* RFC 8998 */
528 { 256, "ffdhe2048" }, /* RFC 7919 */
529 { 257, "ffdhe3072" }, /* RFC 7919 */
530 { 258, "ffdhe4096" }, /* RFC 7919 */
531 { 259, "ffdhe6144" }, /* RFC 7919 */
532 { 260, "ffdhe8192" }, /* RFC 7919 */
533 { 512, "MLKEM512"}, /* draft-connolly-tls-mlkem-key-agreement-03 */
534 { 513, "MLKEM768"}, /* draft-connolly-tls-mlkem-key-agreement-03 */
535 { 514, "MLKEM1024"}, /* draft-connolly-tls-mlkem-key-agreement-03 */
536 { 2570, "Reserved (GREASE)" }, /* RFC 8701 */
537 { 4587, "SecP256r1MLKEM768" }, /* draft-kwiatkowski-tls-ecdhe-mlkem-02 */
538 { 4588, "X25519MLKEM768" }, /* draft-kwiatkowski-tls-ecdhe-mlkem-03 */
539 { 4589, "SecP384r1MLKEM1024" }, /* draft-kwiatkowski-tls-ecdhe-mlkem-03 */
540 { 6682, "Reserved (GREASE)" }, /* RFC 8701 */
541 { 10794, "Reserved (GREASE)" }, /* RFC 8701 */
542 { 14906, "Reserved (GREASE)" }, /* RFC 8701 */
543 { 19018, "Reserved (GREASE)" }, /* RFC 8701 */
544 { 23130, "Reserved (GREASE)" }, /* RFC 8701 */
545 { 25497, "X25519Kyber768Draft00 (OBSOLETE)" }, /* draft-tls-westerbaan-xyber768d00-02 */
546 { 25498, "SecP256r1Kyber768Draft00 (OBSOLETE)" }, /* draft-kwiatkowski-tls-ecdhe-kyber-01 */
547 { 27242, "Reserved (GREASE)" }, /* RFC 8701 */
548 { 31354, "Reserved (GREASE)" }, /* RFC 8701 */
549 { 35466, "Reserved (GREASE)" }, /* RFC 8701 */
550 { 39578, "Reserved (GREASE)" }, /* RFC 8701 */
551 { 43690, "Reserved (GREASE)" }, /* RFC 8701 */
552 { 47802, "Reserved (GREASE)" }, /* RFC 8701 */
553 { 51914, "Reserved (GREASE)" }, /* RFC 8701 */
554 { 56026, "Reserved (GREASE)" }, /* RFC 8701 */
555 { 60138, "Reserved (GREASE)" }, /* RFC 8701 */
556 { 64250, "Reserved (GREASE)" }, /* RFC 8701 */
557 { 0xFF01, "arbitrary_explicit_prime_curves" },
558 { 0xFF02, "arbitrary_explicit_char2_curves" },
559 /* Below are various unofficial values that have been used for testing. */
560 /* PQC key exchange algorithms from OQS-OpenSSL,
561 see https://github.com/open-quantum-safe/oqs-provider/blob/main/oqs-template/oqs-kem-info.md
562 These use IANA unassigned values and this list may be incomplete.
563 */
564 { 0x2F00, "p256_frodo640aes" },
565 { 0x2F01, "p256_frodo640shake" },
566 { 0x2F02, "p384_frodo976aes" },
567 { 0x0203, "frodo976shake" },
568 { 0x2F03, "p384_frodo976shake" },
569 { 0x0204, "frodo1344aes" },
570 { 0x2F04, "p521_frodo1344aes" },
571 { 0x0205, "frodo1344shake" },
572 { 0x2F05, "p521_frodo1344shake" },
573 { 0x023A, "kyber512" },
574 { 0x2F3A, "p256_kyber512" },
575 { 0x023C, "kyber768" },
576 { 0x2F3C, "p384_kyber768" },
577 { 0x023D, "kyber1024" },
578 { 0x2F3D, "p521_kyber1024" },
579 { 0x0214, "ntru_hps2048509" },
580 { 0x2F14, "p256_ntru_hps2048509" },
581 { 0x0215, "ntru_hps2048677" },
582 { 0x2F15, "p384_ntru_hps2048677" },
583 { 0x0216, "ntru_hps4096821" },
584 { 0x2F16, "p521_ntru_hps4096821" },
585 { 0x0245, "ntru_hps40961229" },
586 { 0x2F45, "p521_ntru_hps40961229" },
587 { 0x0217, "ntru_hrss701" },
588 { 0x2F17, "p384_ntru_hrss701" },
589 { 0x0246, "ntru_hrss1373" },
590 { 0x2F46, "p521_ntru_hrss1373" },
591 { 0x0218, "lightsaber" },
592 { 0x2F18, "p256_lightsaber" },
593 { 0x0219, "saber" },
594 { 0x2F19, "p384_saber" },
595 { 0x021A, "firesaber" },
596 { 0x2F1A, "p521_firesaber" },
597 { 0x021B, "sidhp434" },
598 { 0x2F1B, "p256_sidhp434" },
599 { 0x021C, "sidhp503" },
600 { 0x2F1C, "p256_sidhp503" },
601 { 0x021D, "sidhp610" },
602 { 0x2F1D, "p384_sidhp610" },
603 { 0x021E, "sidhp751" },
604 { 0x2F1E, "p521_sidhp751" },
605 { 0x021F, "sikep434" },
606 { 0x2F1F, "p256_sikep434" },
607 { 0x0220, "sikep503" },
608 { 0x2F20, "p256_sikep503" },
609 { 0x0221, "sikep610" },
610 { 0x2F21, "p384_sikep610" },
611 { 0x0222, "sikep751" },
612 { 0x2F22, "p521_sikep751" },
613 { 0x0238, "bikel1" },
614 { 0x2F38, "p256_bikel1" },
615 { 0x023B, "bikel3" },
616 { 0x2F3B, "p384_bikel3" },
617 { 0x023E, "kyber90s512" },
618 { 0x2F3E, "p256_kyber90s512" },
619 { 0x023F, "kyber90s768" },
620 { 0x2F3F, "p384_kyber90s768" },
621 { 0x0240, "kyber90s1024" },
622 { 0x2F40, "p521_kyber90s1024" },
623 { 0x022C, "hqc128" },
624 { 0x2F2C, "p256_hqc128" },
625 { 0x022D, "hqc192" },
626 { 0x2F2D, "p384_hqc192" },
627 { 0x022E, "hqc256" },
628 { 0x2F2E, "p521_hqc256" },
629 { 0x022F, "ntrulpr653" },
630 { 0x2F2F, "p256_ntrulpr653" },
631 { 0x0230, "ntrulpr761" },
632 { 0x2F43, "p256_ntrulpr761" },
633 { 0x0231, "ntrulpr857" },
634 { 0x2F31, "p384_ntrulpr857" },
635 { 0x0241, "ntrulpr1277" },
636 { 0x2F41, "p521_ntrulpr1277" },
637 { 0x0232, "sntrup653" },
638 { 0x2F32, "p256_sntrup653" },
639 { 0x0233, "sntrup761" },
640 { 0x2F44, "p256_sntrup761" },
641 { 0x0234, "sntrup857" },
642 { 0x2F34, "p384_sntrup857" },
643 { 0x0242, "sntrup1277" },
644 { 0x2F42, "p521_sntrup1277" },
645 /* Other PQ key exchange algorithms, using Reserved for Private Use values
646 https://blog.cloudflare.com/post-quantum-for-all
647 https://www.ietf.org/archive/id/draft-tls-westerbaan-xyber768d00-02.txt */
648 { 0xFE30, "X25519Kyber512Draft00 (OBSOLETE)" },
649 { 0xFE31, "X25519Kyber768Draft00 (OBSOLETE)" },
650 { 0x00, NULL((void*)0) }
651};
652
653const value_string ssl_curve_types[] = {
654 { 1, "explicit_prime" },
655 { 2, "explicit_char2" },
656 { 3, "named_curve" },
657 { 0x00, NULL((void*)0) }
658};
659
660const value_string ssl_extension_ec_point_formats[] = {
661 { 0, "uncompressed" },
662 { 1, "ansiX962_compressed_prime" },
663 { 2, "ansiX962_compressed_char2" },
664 { 0x00, NULL((void*)0) }
665};
666
667const value_string ssl_20_certificate_type[] = {
668 { 0x00, "N/A" },
669 { 0x01, "X.509 Certificate" },
670 { 0x00, NULL((void*)0) }
671};
672
673const value_string ssl_31_content_type[] = {
674 { 20, "Change Cipher Spec" },
675 { 21, "Alert" },
676 { 22, "Handshake" },
677 { 23, "Application Data" },
678 { 24, "Heartbeat" },
679 { 25, "Connection ID" },
680 { 0x00, NULL((void*)0) }
681};
682
683#if 0
684/* XXX - would be used if we dissected the body of a Change Cipher Spec
685 message. */
686const value_string ssl_31_change_cipher_spec[] = {
687 { 1, "Change Cipher Spec" },
688 { 0x00, NULL((void*)0) }
689};
690#endif
691
692const value_string ssl_31_alert_level[] = {
693 { 1, "Warning" },
694 { 2, "Fatal" },
695 { 0x00, NULL((void*)0) }
696};
697
698const value_string ssl_31_alert_description[] = {
699 { 0, "Close Notify" },
700 { 1, "End of Early Data" },
701 { 10, "Unexpected Message" },
702 { 20, "Bad Record MAC" },
703 { 21, "Decryption Failed" },
704 { 22, "Record Overflow" },
705 { 30, "Decompression Failure" },
706 { 40, "Handshake Failure" },
707 { 41, "No Certificate" },
708 { 42, "Bad Certificate" },
709 { 43, "Unsupported Certificate" },
710 { 44, "Certificate Revoked" },
711 { 45, "Certificate Expired" },
712 { 46, "Certificate Unknown" },
713 { 47, "Illegal Parameter" },
714 { 48, "Unknown CA" },
715 { 49, "Access Denied" },
716 { 50, "Decode Error" },
717 { 51, "Decrypt Error" },
718 { 60, "Export Restriction" },
719 { 70, "Protocol Version" },
720 { 71, "Insufficient Security" },
721 { 80, "Internal Error" },
722 { 86, "Inappropriate Fallback" },
723 { 90, "User Canceled" },
724 { 100, "No Renegotiation" },
725 { 109, "Missing Extension" },
726 { 110, "Unsupported Extension" },
727 { 111, "Certificate Unobtainable" },
728 { 112, "Unrecognized Name" },
729 { 113, "Bad Certificate Status Response" },
730 { 114, "Bad Certificate Hash Value" },
731 { 115, "Unknown PSK Identity" },
732 { 116, "Certificate Required" },
733 { 120, "No application Protocol" },
734 { 121, "ECH Required" },
735 { 0x00, NULL((void*)0) }
736};
737
738const value_string ssl_31_handshake_type[] = {
739 { SSL_HND_HELLO_REQUEST, "Hello Request" },
740 { SSL_HND_CLIENT_HELLO, "Client Hello" },
741 { SSL_HND_SERVER_HELLO, "Server Hello" },
742 { SSL_HND_HELLO_VERIFY_REQUEST, "Hello Verify Request"},
743 { SSL_HND_NEWSESSION_TICKET, "New Session Ticket" },
744 { SSL_HND_END_OF_EARLY_DATA, "End of Early Data" },
745 { SSL_HND_HELLO_RETRY_REQUEST, "Hello Retry Request" },
746 { SSL_HND_ENCRYPTED_EXTENSIONS, "Encrypted Extensions" },
747 { SSL_HND_CERTIFICATE, "Certificate" },
748 { SSL_HND_SERVER_KEY_EXCHG, "Server Key Exchange" },
749 { SSL_HND_CERT_REQUEST, "Certificate Request" },
750 { SSL_HND_SVR_HELLO_DONE, "Server Hello Done" },
751 { SSL_HND_CERT_VERIFY, "Certificate Verify" },
752 { SSL_HND_CLIENT_KEY_EXCHG, "Client Key Exchange" },
753 { SSL_HND_FINISHED, "Finished" },
754 { SSL_HND_CERT_URL, "Client Certificate URL" },
755 { SSL_HND_CERT_STATUS, "Certificate Status" },
756 { SSL_HND_SUPPLEMENTAL_DATA, "Supplemental Data" },
757 { SSL_HND_KEY_UPDATE, "Key Update" },
758 { SSL_HND_COMPRESSED_CERTIFICATE, "Compressed Certificate" },
759 { SSL_HND_ENCRYPTED_EXTS, "Encrypted Extensions" },
760 { 0x00, NULL((void*)0) }
761};
762
763const value_string tls_heartbeat_type[] = {
764 { 1, "Request" },
765 { 2, "Response" },
766 { 0x00, NULL((void*)0) }
767};
768
769const value_string tls_heartbeat_mode[] = {
770 { 1, "Peer allowed to send requests" },
771 { 2, "Peer not allowed to send requests" },
772 { 0x00, NULL((void*)0) }
773};
774
775const value_string ssl_31_compression_method[] = {
776 { 0, "null" },
777 { 1, "DEFLATE" },
778 { 64, "LZS" },
779 { 0x00, NULL((void*)0) }
780};
781
782#if 0
783/* XXX - would be used if we dissected a Signature, as would be
784 seen in a server key exchange or certificate verify message. */
785const value_string ssl_31_key_exchange_algorithm[] = {
786 { 0, "RSA" },
787 { 1, "Diffie Hellman" },
788 { 0x00, NULL((void*)0) }
789};
790
791const value_string ssl_31_signature_algorithm[] = {
792 { 0, "Anonymous" },
793 { 1, "RSA" },
794 { 2, "DSA" },
795 { 0x00, NULL((void*)0) }
796};
797#endif
798
799const value_string ssl_31_client_certificate_type[] = {
800 { 1, "RSA Sign" },
801 { 2, "DSS Sign" },
802 { 3, "RSA Fixed DH" },
803 { 4, "DSS Fixed DH" },
804 /* GOST certificate types */
805 /* Section 3.5 of draft-chudov-cryptopro-cptls-04 */
806 { 21, "GOST R 34.10-94" },
807 { 22, "GOST R 34.10-2001" },
808 /* END GOST certificate types */
809 { 64, "ECDSA Sign" },
810 { 65, "RSA Fixed ECDH" },
811 { 66, "ECDSA Fixed ECDH" },
812 { 80, "IBC Params" },
813 { 0x00, NULL((void*)0) }
814};
815
816#if 0
817/* XXX - would be used if we dissected exchange keys, as would be
818 seen in a client key exchange message. */
819const value_string ssl_31_public_value_encoding[] = {
820 { 0, "Implicit" },
821 { 1, "Explicit" },
822 { 0x00, NULL((void*)0) }
823};
824#endif
825
826/* http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml */
827/* Note: sorted by ascending value so value_string_ext fcns can do a binary search */
828static const value_string ssl_31_ciphersuite[] = {
829 /* RFC 2246, RFC 4346, RFC 5246 */
830 { 0x0000, "TLS_NULL_WITH_NULL_NULL" },
831 { 0x0001, "TLS_RSA_WITH_NULL_MD5" },
832 { 0x0002, "TLS_RSA_WITH_NULL_SHA" },
833 { 0x0003, "TLS_RSA_EXPORT_WITH_RC4_40_MD5" },
834 { 0x0004, "TLS_RSA_WITH_RC4_128_MD5" },
835 { 0x0005, "TLS_RSA_WITH_RC4_128_SHA" },
836 { 0x0006, "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5" },
837 { 0x0007, "TLS_RSA_WITH_IDEA_CBC_SHA" },
838 { 0x0008, "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA" },
839 { 0x0009, "TLS_RSA_WITH_DES_CBC_SHA" },
840 { 0x000a, "TLS_RSA_WITH_3DES_EDE_CBC_SHA" },
841 { 0x000b, "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA" },
842 { 0x000c, "TLS_DH_DSS_WITH_DES_CBC_SHA" },
843 { 0x000d, "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA" },
844 { 0x000e, "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA" },
845 { 0x000f, "TLS_DH_RSA_WITH_DES_CBC_SHA" },
846 { 0x0010, "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA" },
847 { 0x0011, "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA" },
848 { 0x0012, "TLS_DHE_DSS_WITH_DES_CBC_SHA" },
849 { 0x0013, "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA" },
850 { 0x0014, "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA" },
851 { 0x0015, "TLS_DHE_RSA_WITH_DES_CBC_SHA" },
852 { 0x0016, "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA" },
853 { 0x0017, "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5" },
854 { 0x0018, "TLS_DH_anon_WITH_RC4_128_MD5" },
855 { 0x0019, "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA" },
856 { 0x001a, "TLS_DH_anon_WITH_DES_CBC_SHA" },
857 { 0x001b, "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA" },
858
859 { 0x001c, "SSL_FORTEZZA_KEA_WITH_NULL_SHA" },
860 { 0x001d, "SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA" },
861#if 0 /* Because it clashes with KRB5, is never used any more, and is safe
862 to remove according to David Hopwood <david.hopwood@zetnet.co.uk>
863 of the ietf-tls list */
864 { 0x001e, "SSL_FORTEZZA_KEA_WITH_RC4_128_SHA" },
865#endif
866 /* RFC 2712 */
867 { 0x001E, "TLS_KRB5_WITH_DES_CBC_SHA" },
868 { 0x001F, "TLS_KRB5_WITH_3DES_EDE_CBC_SHA" },
869 { 0x0020, "TLS_KRB5_WITH_RC4_128_SHA" },
870 { 0x0021, "TLS_KRB5_WITH_IDEA_CBC_SHA" },
871 { 0x0022, "TLS_KRB5_WITH_DES_CBC_MD5" },
872 { 0x0023, "TLS_KRB5_WITH_3DES_EDE_CBC_MD5" },
873 { 0x0024, "TLS_KRB5_WITH_RC4_128_MD5" },
874 { 0x0025, "TLS_KRB5_WITH_IDEA_CBC_MD5" },
875 { 0x0026, "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA" },
876 { 0x0027, "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA" },
877 { 0x0028, "TLS_KRB5_EXPORT_WITH_RC4_40_SHA" },
878 { 0x0029, "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5" },
879 { 0x002A, "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5" },
880 { 0x002B, "TLS_KRB5_EXPORT_WITH_RC4_40_MD5" },
881 /* RFC 4785 */
882 { 0x002C, "TLS_PSK_WITH_NULL_SHA" },
883 { 0x002D, "TLS_DHE_PSK_WITH_NULL_SHA" },
884 { 0x002E, "TLS_RSA_PSK_WITH_NULL_SHA" },
885 /* RFC 5246 */
886 { 0x002F, "TLS_RSA_WITH_AES_128_CBC_SHA" },
887 { 0x0030, "TLS_DH_DSS_WITH_AES_128_CBC_SHA" },
888 { 0x0031, "TLS_DH_RSA_WITH_AES_128_CBC_SHA" },
889 { 0x0032, "TLS_DHE_DSS_WITH_AES_128_CBC_SHA" },
890 { 0x0033, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA" },
891 { 0x0034, "TLS_DH_anon_WITH_AES_128_CBC_SHA" },
892 { 0x0035, "TLS_RSA_WITH_AES_256_CBC_SHA" },
893 { 0x0036, "TLS_DH_DSS_WITH_AES_256_CBC_SHA" },
894 { 0x0037, "TLS_DH_RSA_WITH_AES_256_CBC_SHA" },
895 { 0x0038, "TLS_DHE_DSS_WITH_AES_256_CBC_SHA" },
896 { 0x0039, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA" },
897 { 0x003A, "TLS_DH_anon_WITH_AES_256_CBC_SHA" },
898 { 0x003B, "TLS_RSA_WITH_NULL_SHA256" },
899 { 0x003C, "TLS_RSA_WITH_AES_128_CBC_SHA256" },
900 { 0x003D, "TLS_RSA_WITH_AES_256_CBC_SHA256" },
901 { 0x003E, "TLS_DH_DSS_WITH_AES_128_CBC_SHA256" },
902 { 0x003F, "TLS_DH_RSA_WITH_AES_128_CBC_SHA256" },
903 { 0x0040, "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256" },
904 /* RFC 4132 */
905 { 0x0041, "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA" },
906 { 0x0042, "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA" },
907 { 0x0043, "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA" },
908 { 0x0044, "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA" },
909 { 0x0045, "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA" },
910 { 0x0046, "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA" },
911 /* 0x00,0x60-66 Reserved to avoid conflicts with widely deployed implementations */
912 /* --- ??? --- */
913 { 0x0060, "TLS_RSA_EXPORT1024_WITH_RC4_56_MD5" },
914 { 0x0061, "TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5" },
915 /* draft-ietf-tls-56-bit-ciphersuites-01.txt */
916 { 0x0062, "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA" },
917 { 0x0063, "TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA" },
918 { 0x0064, "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA" },
919 { 0x0065, "TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA" },
920 { 0x0066, "TLS_DHE_DSS_WITH_RC4_128_SHA" },
921 /* --- ??? ---*/
922 { 0x0067, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256" },
923 { 0x0068, "TLS_DH_DSS_WITH_AES_256_CBC_SHA256" },
924 { 0x0069, "TLS_DH_RSA_WITH_AES_256_CBC_SHA256" },
925 { 0x006A, "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256" },
926 { 0x006B, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256" },
927 { 0x006C, "TLS_DH_anon_WITH_AES_128_CBC_SHA256" },
928 { 0x006D, "TLS_DH_anon_WITH_AES_256_CBC_SHA256" },
929 /* draft-chudov-cryptopro-cptls-04.txt */
930 { 0x0080, "TLS_GOSTR341094_WITH_28147_CNT_IMIT" },
931 { 0x0081, "TLS_GOSTR341001_WITH_28147_CNT_IMIT" },
932 { 0x0082, "TLS_GOSTR341094_WITH_NULL_GOSTR3411" },
933 { 0x0083, "TLS_GOSTR341001_WITH_NULL_GOSTR3411" },
934 /* RFC 4132 */
935 { 0x0084, "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA" },
936 { 0x0085, "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA" },
937 { 0x0086, "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA" },
938 { 0x0087, "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA" },
939 { 0x0088, "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA" },
940 { 0x0089, "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA" },
941 /* RFC 4279 */
942 { 0x008A, "TLS_PSK_WITH_RC4_128_SHA" },
943 { 0x008B, "TLS_PSK_WITH_3DES_EDE_CBC_SHA" },
944 { 0x008C, "TLS_PSK_WITH_AES_128_CBC_SHA" },
945 { 0x008D, "TLS_PSK_WITH_AES_256_CBC_SHA" },
946 { 0x008E, "TLS_DHE_PSK_WITH_RC4_128_SHA" },
947 { 0x008F, "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA" },
948 { 0x0090, "TLS_DHE_PSK_WITH_AES_128_CBC_SHA" },
949 { 0x0091, "TLS_DHE_PSK_WITH_AES_256_CBC_SHA" },
950 { 0x0092, "TLS_RSA_PSK_WITH_RC4_128_SHA" },
951 { 0x0093, "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA" },
952 { 0x0094, "TLS_RSA_PSK_WITH_AES_128_CBC_SHA" },
953 { 0x0095, "TLS_RSA_PSK_WITH_AES_256_CBC_SHA" },
954 /* RFC 4162 */
955 { 0x0096, "TLS_RSA_WITH_SEED_CBC_SHA" },
956 { 0x0097, "TLS_DH_DSS_WITH_SEED_CBC_SHA" },
957 { 0x0098, "TLS_DH_RSA_WITH_SEED_CBC_SHA" },
958 { 0x0099, "TLS_DHE_DSS_WITH_SEED_CBC_SHA" },
959 { 0x009A, "TLS_DHE_RSA_WITH_SEED_CBC_SHA" },
960 { 0x009B, "TLS_DH_anon_WITH_SEED_CBC_SHA" },
961 /* RFC 5288 */
962 { 0x009C, "TLS_RSA_WITH_AES_128_GCM_SHA256" },
963 { 0x009D, "TLS_RSA_WITH_AES_256_GCM_SHA384" },
964 { 0x009E, "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256" },
965 { 0x009F, "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384" },
966 { 0x00A0, "TLS_DH_RSA_WITH_AES_128_GCM_SHA256" },
967 { 0x00A1, "TLS_DH_RSA_WITH_AES_256_GCM_SHA384" },
968 { 0x00A2, "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256" },
969 { 0x00A3, "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384" },
970 { 0x00A4, "TLS_DH_DSS_WITH_AES_128_GCM_SHA256" },
971 { 0x00A5, "TLS_DH_DSS_WITH_AES_256_GCM_SHA384" },
972 { 0x00A6, "TLS_DH_anon_WITH_AES_128_GCM_SHA256" },
973 { 0x00A7, "TLS_DH_anon_WITH_AES_256_GCM_SHA384" },
974 /* RFC 5487 */
975 { 0x00A8, "TLS_PSK_WITH_AES_128_GCM_SHA256" },
976 { 0x00A9, "TLS_PSK_WITH_AES_256_GCM_SHA384" },
977 { 0x00AA, "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256" },
978 { 0x00AB, "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384" },
979 { 0x00AC, "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256" },
980 { 0x00AD, "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384" },
981 { 0x00AE, "TLS_PSK_WITH_AES_128_CBC_SHA256" },
982 { 0x00AF, "TLS_PSK_WITH_AES_256_CBC_SHA384" },
983 { 0x00B0, "TLS_PSK_WITH_NULL_SHA256" },
984 { 0x00B1, "TLS_PSK_WITH_NULL_SHA384" },
985 { 0x00B2, "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256" },
986 { 0x00B3, "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384" },
987 { 0x00B4, "TLS_DHE_PSK_WITH_NULL_SHA256" },
988 { 0x00B5, "TLS_DHE_PSK_WITH_NULL_SHA384" },
989 { 0x00B6, "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256" },
990 { 0x00B7, "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384" },
991 { 0x00B8, "TLS_RSA_PSK_WITH_NULL_SHA256" },
992 { 0x00B9, "TLS_RSA_PSK_WITH_NULL_SHA384" },
993 /* From RFC 5932 */
994 { 0x00BA, "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
995 { 0x00BB, "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256" },
996 { 0x00BC, "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
997 { 0x00BD, "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256" },
998 { 0x00BE, "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
999 { 0x00BF, "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256" },
1000 { 0x00C0, "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
1001 { 0x00C1, "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256" },
1002 { 0x00C2, "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
1003 { 0x00C3, "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256" },
1004 { 0x00C4, "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
1005 { 0x00C5, "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256" },
1006 /* RFC 8998 */
1007 { 0x00C6, "TLS_SM4_GCM_SM3" },
1008 { 0x00C7, "TLS_SM4_CCM_SM3" },
1009 /* 0x00,0xC8-FE Unassigned */
1010 /* From RFC 5746 */
1011 { 0x00FF, "TLS_EMPTY_RENEGOTIATION_INFO_SCSV" },
1012 /* RFC 8701 */
1013 { 0x0A0A, "Reserved (GREASE)" },
1014 /* RFC 8446 */
1015 { 0x1301, "TLS_AES_128_GCM_SHA256" },
1016 { 0x1302, "TLS_AES_256_GCM_SHA384" },
1017 { 0x1303, "TLS_CHACHA20_POLY1305_SHA256" },
1018 { 0x1304, "TLS_AES_128_CCM_SHA256" },
1019 { 0x1305, "TLS_AES_128_CCM_8_SHA256" },
1020 /* RFC 8701 */
1021 { 0x1A1A, "Reserved (GREASE)" },
1022 { 0x2A2A, "Reserved (GREASE)" },
1023 { 0x3A3A, "Reserved (GREASE)" },
1024 { 0x4A4A, "Reserved (GREASE)" },
1025 /* From RFC 7507 */
1026 { 0x5600, "TLS_FALLBACK_SCSV" },
1027 /* RFC 8701 */
1028 { 0x5A5A, "Reserved (GREASE)" },
1029 { 0x6A6A, "Reserved (GREASE)" },
1030 { 0x7A7A, "Reserved (GREASE)" },
1031 { 0x8A8A, "Reserved (GREASE)" },
1032 { 0x9A9A, "Reserved (GREASE)" },
1033 { 0xAAAA, "Reserved (GREASE)" },
1034 { 0xBABA, "Reserved (GREASE)" },
1035 /* From RFC 4492 */
1036 { 0xc001, "TLS_ECDH_ECDSA_WITH_NULL_SHA" },
1037 { 0xc002, "TLS_ECDH_ECDSA_WITH_RC4_128_SHA" },
1038 { 0xc003, "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA" },
1039 { 0xc004, "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA" },
1040 { 0xc005, "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" },
1041 { 0xc006, "TLS_ECDHE_ECDSA_WITH_NULL_SHA" },
1042 { 0xc007, "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA" },
1043 { 0xc008, "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA" },
1044 { 0xc009, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA" },
1045 { 0xc00a, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" },
1046 { 0xc00b, "TLS_ECDH_RSA_WITH_NULL_SHA" },
1047 { 0xc00c, "TLS_ECDH_RSA_WITH_RC4_128_SHA" },
1048 { 0xc00d, "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA" },
1049 { 0xc00e, "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA" },
1050 { 0xc00f, "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA" },
1051 { 0xc010, "TLS_ECDHE_RSA_WITH_NULL_SHA" },
1052 { 0xc011, "TLS_ECDHE_RSA_WITH_RC4_128_SHA" },
1053 { 0xc012, "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA" },
1054 { 0xc013, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA" },
1055 { 0xc014, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA" },
1056 { 0xc015, "TLS_ECDH_anon_WITH_NULL_SHA" },
1057 { 0xc016, "TLS_ECDH_anon_WITH_RC4_128_SHA" },
1058 { 0xc017, "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA" },
1059 { 0xc018, "TLS_ECDH_anon_WITH_AES_128_CBC_SHA" },
1060 { 0xc019, "TLS_ECDH_anon_WITH_AES_256_CBC_SHA" },
1061 /* RFC 5054 */
1062 { 0xC01A, "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA" },
1063 { 0xC01B, "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA" },
1064 { 0xC01C, "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA" },
1065 { 0xC01D, "TLS_SRP_SHA_WITH_AES_128_CBC_SHA" },
1066 { 0xC01E, "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA" },
1067 { 0xC01F, "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA" },
1068 { 0xC020, "TLS_SRP_SHA_WITH_AES_256_CBC_SHA" },
1069 { 0xC021, "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA" },
1070 { 0xC022, "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA" },
1071 /* RFC 5589 */
1072 { 0xC023, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256" },
1073 { 0xC024, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384" },
1074 { 0xC025, "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256" },
1075 { 0xC026, "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384" },
1076 { 0xC027, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" },
1077 { 0xC028, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" },
1078 { 0xC029, "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256" },
1079 { 0xC02A, "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384" },
1080 { 0xC02B, "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" },
1081 { 0xC02C, "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" },
1082 { 0xC02D, "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256" },
1083 { 0xC02E, "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384" },
1084 { 0xC02F, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" },
1085 { 0xC030, "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" },
1086 { 0xC031, "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" },
1087 { 0xC032, "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384" },
1088 /* RFC 5489 */
1089 { 0xC033, "TLS_ECDHE_PSK_WITH_RC4_128_SHA" },
1090 { 0xC034, "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA" },
1091 { 0xC035, "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA" },
1092 { 0xC036, "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA" },
1093 { 0xC037, "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256" },
1094 { 0xC038, "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384" },
1095 { 0xC039, "TLS_ECDHE_PSK_WITH_NULL_SHA" },
1096 { 0xC03A, "TLS_ECDHE_PSK_WITH_NULL_SHA256" },
1097 { 0xC03B, "TLS_ECDHE_PSK_WITH_NULL_SHA384" },
1098 /* RFC 6209 */
1099 { 0xC03C, "TLS_RSA_WITH_ARIA_128_CBC_SHA256" },
1100 { 0xC03D, "TLS_RSA_WITH_ARIA_256_CBC_SHA384" },
1101 { 0xC03E, "TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256" },
1102 { 0xC03F, "TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384" },
1103 { 0xC040, "TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256" },
1104 { 0xC041, "TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384" },
1105 { 0xC042, "TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256" },
1106 { 0xC043, "TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384" },
1107 { 0xC044, "TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256" },
1108 { 0xC045, "TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384" },
1109 { 0xC046, "TLS_DH_anon_WITH_ARIA_128_CBC_SHA256" },
1110 { 0xC047, "TLS_DH_anon_WITH_ARIA_256_CBC_SHA384" },
1111 { 0xC048, "TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256" },
1112 { 0xC049, "TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384" },
1113 { 0xC04A, "TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256" },
1114 { 0xC04B, "TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384" },
1115 { 0xC04C, "TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256" },
1116 { 0xC04D, "TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384" },
1117 { 0xC04E, "TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256" },
1118 { 0xC04F, "TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384" },
1119 { 0xC050, "TLS_RSA_WITH_ARIA_128_GCM_SHA256" },
1120 { 0xC051, "TLS_RSA_WITH_ARIA_256_GCM_SHA384" },
1121 { 0xC052, "TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256" },
1122 { 0xC053, "TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384" },
1123 { 0xC054, "TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256" },
1124 { 0xC055, "TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384" },
1125 { 0xC056, "TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256" },
1126 { 0xC057, "TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384" },
1127 { 0xC058, "TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256" },
1128 { 0xC059, "TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384" },
1129 { 0xC05A, "TLS_DH_anon_WITH_ARIA_128_GCM_SHA256" },
1130 { 0xC05B, "TLS_DH_anon_WITH_ARIA_256_GCM_SHA384" },
1131 { 0xC05C, "TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256" },
1132 { 0xC05D, "TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384" },
1133 { 0xC05E, "TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256" },
1134 { 0xC05F, "TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384" },
1135 { 0xC060, "TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256" },
1136 { 0xC061, "TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384" },
1137 { 0xC062, "TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256" },
1138 { 0xC063, "TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384" },
1139 { 0xC064, "TLS_PSK_WITH_ARIA_128_CBC_SHA256" },
1140 { 0xC065, "TLS_PSK_WITH_ARIA_256_CBC_SHA384" },
1141 { 0xC066, "TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256" },
1142 { 0xC067, "TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384" },
1143 { 0xC068, "TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256" },
1144 { 0xC069, "TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384" },
1145 { 0xC06A, "TLS_PSK_WITH_ARIA_128_GCM_SHA256" },
1146 { 0xC06B, "TLS_PSK_WITH_ARIA_256_GCM_SHA384" },
1147 { 0xC06C, "TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256" },
1148 { 0xC06D, "TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384" },
1149 { 0xC06E, "TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256" },
1150 { 0xC06F, "TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384" },
1151 { 0xC070, "TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256" },
1152 { 0xC071, "TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384" },
1153 /* RFC 6367 */
1154 { 0xC072, "TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256" },
1155 { 0xC073, "TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384" },
1156 { 0xC074, "TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256" },
1157 { 0xC075, "TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384" },
1158 { 0xC076, "TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
1159 { 0xC077, "TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384" },
1160 { 0xC078, "TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
1161 { 0xC079, "TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384" },
1162 { 0xC07A, "TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256" },
1163 { 0xC07B, "TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384" },
1164 { 0xC07C, "TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256" },
1165 { 0xC07D, "TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384" },
1166 { 0xC07E, "TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256" },
1167 { 0xC07F, "TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384" },
1168 { 0xC080, "TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256" },
1169 { 0xC081, "TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384" },
1170 { 0xC082, "TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256" },
1171 { 0xC083, "TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384" },
1172 { 0xC084, "TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256" },
1173 { 0xC085, "TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384" },
1174 { 0xC086, "TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256" },
1175 { 0xC087, "TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384" },
1176 { 0xC088, "TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256" },
1177 { 0xC089, "TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384" },
1178 { 0xC08A, "TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256" },
1179 { 0xC08B, "TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384" },
1180 { 0xC08C, "TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256" },
1181 { 0xC08D, "TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384" },
1182 { 0xC08E, "TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256" },
1183 { 0xC08F, "TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384" },
1184 { 0xC090, "TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256" },
1185 { 0xC091, "TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384" },
1186 { 0xC092, "TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256" },
1187 { 0xC093, "TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384" },
1188 { 0xC094, "TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256" },
1189 { 0xC095, "TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384" },
1190 { 0xC096, "TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256" },
1191 { 0xC097, "TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384" },
1192 { 0xC098, "TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256" },
1193 { 0xC099, "TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384" },
1194 { 0xC09A, "TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256" },
1195 { 0xC09B, "TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384" },
1196 /* RFC 6655 */
1197 { 0xC09C, "TLS_RSA_WITH_AES_128_CCM" },
1198 { 0xC09D, "TLS_RSA_WITH_AES_256_CCM" },
1199 { 0xC09E, "TLS_DHE_RSA_WITH_AES_128_CCM" },
1200 { 0xC09F, "TLS_DHE_RSA_WITH_AES_256_CCM" },
1201 { 0xC0A0, "TLS_RSA_WITH_AES_128_CCM_8" },
1202 { 0xC0A1, "TLS_RSA_WITH_AES_256_CCM_8" },
1203 { 0xC0A2, "TLS_DHE_RSA_WITH_AES_128_CCM_8" },
1204 { 0xC0A3, "TLS_DHE_RSA_WITH_AES_256_CCM_8" },
1205 { 0xC0A4, "TLS_PSK_WITH_AES_128_CCM" },
1206 { 0xC0A5, "TLS_PSK_WITH_AES_256_CCM" },
1207 { 0xC0A6, "TLS_DHE_PSK_WITH_AES_128_CCM" },
1208 { 0xC0A7, "TLS_DHE_PSK_WITH_AES_256_CCM" },
1209 { 0xC0A8, "TLS_PSK_WITH_AES_128_CCM_8" },
1210 { 0xC0A9, "TLS_PSK_WITH_AES_256_CCM_8" },
1211 { 0xC0AA, "TLS_PSK_DHE_WITH_AES_128_CCM_8" },
1212 { 0xC0AB, "TLS_PSK_DHE_WITH_AES_256_CCM_8" },
1213 /* RFC 7251 */
1214 { 0xC0AC, "TLS_ECDHE_ECDSA_WITH_AES_128_CCM" },
1215 { 0xC0AD, "TLS_ECDHE_ECDSA_WITH_AES_256_CCM" },
1216 { 0xC0AE, "TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8" },
1217 { 0xC0AF, "TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8" },
1218 /* RFC 8492 */
1219 { 0xC0B0, "TLS_ECCPWD_WITH_AES_128_GCM_SHA256" },
1220 { 0xC0B1, "TLS_ECCPWD_WITH_AES_256_GCM_SHA384" },
1221 { 0xC0B2, "TLS_ECCPWD_WITH_AES_128_CCM_SHA256" },
1222 { 0xC0B3, "TLS_ECCPWD_WITH_AES_256_CCM_SHA384" },
1223 /* draft-camwinget-tls-ts13-macciphersuites */
1224 { 0xC0B4, "TLS_SHA256_SHA256" },
1225 { 0xC0B5, "TLS_SHA384_SHA384" },
1226 /* https://www.ietf.org/archive/id/draft-cragie-tls-ecjpake-01.txt */
1227 { 0xC0FF, "TLS_ECJPAKE_WITH_AES_128_CCM_8" },
1228 /* draft-smyshlyaev-tls12-gost-suites */
1229 { 0xC100, "TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC" },
1230 { 0xC101, "TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC" },
1231 { 0xC102, "TLS_GOSTR341112_256_WITH_28147_CNT_IMIT" },
1232 /* draft-smyshlyaev-tls13-gost-suites */
1233 { 0xC103, "TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_L" },
1234 { 0xC104, "TLS_GOSTR341112_256_WITH_MAGMA_MGM_L" },
1235 { 0xC105, "TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_S" },
1236 { 0xC106, "TLS_GOSTR341112_256_WITH_MAGMA_MGM_S" },
1237 /* RFC 8701 */
1238 { 0xCACA, "Reserved (GREASE)" },
1239/*
12400xC0,0xAB-FF Unassigned
12410xC1,0x03-FD,* Unassigned
12420xFE,0x00-FD Unassigned
12430xFE,0xFE-FF Reserved to avoid conflicts with widely deployed implementations [Pasi_Eronen]
12440xFF,0x00-FF Reserved for Private Use [RFC5246]
1245*/
1246 /* old numbers used in the beginning
1247 * https://tools.ietf.org/html/draft-agl-tls-chacha20poly1305 */
1248 { 0xCC13, "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
1249 { 0xCC14, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" },
1250 { 0xCC15, "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
1251 /* RFC 7905 */
1252 { 0xCCA8, "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
1253 { 0xCCA9, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" },
1254 { 0xCCAA, "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
1255 { 0xCCAB, "TLS_PSK_WITH_CHACHA20_POLY1305_SHA256" },
1256 { 0xCCAC, "TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256" },
1257 { 0xCCAD, "TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256" },
1258 { 0xCCAE, "TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256" },
1259 /* RFC 8442 */
1260 { 0xD001, "TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256" },
1261 { 0xD002, "TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384" },
1262 { 0xD003, "TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256" },
1263 { 0xD005, "TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256" },
1264 /* RFC 8701 */
1265 { 0xDADA, "Reserved (GREASE)" },
1266 /* GM/T 0024-2014 */
1267 { 0xe001, "ECDHE_SM1_SM3"},
1268 { 0xe003, "ECC_SM1_SM3"},
1269 { 0xe005, "IBSDH_SM1_SM3"},
1270 { 0xe007, "IBC_SM1_SM3"},
1271 { 0xe009, "RSA_SM1_SM3"},
1272 { 0xe00a, "RSA_SM1_SHA1"},
1273 { 0xe011, "ECDHE_SM4_CBC_SM3"},
1274 { 0xe013, "ECC_SM4_CBC_SM3"},
1275 { 0xe015, "IBSDH_SM4_CBC_SM3"},
1276 { 0xe017, "IBC_SM4_CBC_SM3"},
1277 { 0xe019, "RSA_SM4_CBC_SM3"},
1278 { 0xe01a, "RSA_SM4_CBC_SHA1"},
1279 { 0xe01c, "RSA_SM4_CBC_SHA256"},
1280 { 0xe051, "ECDHE_SM4_GCM_SM3"},
1281 { 0xe053, "ECC_SM4_GCM_SM3"},
1282 { 0xe055, "IBSDH_SM4_GCM_SM3"},
1283 { 0xe057, "IBC_SM4_GCM_SM3"},
1284 { 0xe059, "RSA_SM4_GCM_SM3"},
1285 { 0xe05a, "RSA_SM4_GCM_SHA256"},
1286 /* https://tools.ietf.org/html/draft-josefsson-salsa20-tls */
1287 { 0xE410, "TLS_RSA_WITH_ESTREAM_SALSA20_SHA1" },
1288 { 0xE411, "TLS_RSA_WITH_SALSA20_SHA1" },
1289 { 0xE412, "TLS_ECDHE_RSA_WITH_ESTREAM_SALSA20_SHA1" },
1290 { 0xE413, "TLS_ECDHE_RSA_WITH_SALSA20_SHA1" },
1291 { 0xE414, "TLS_ECDHE_ECDSA_WITH_ESTREAM_SALSA20_SHA1" },
1292 { 0xE415, "TLS_ECDHE_ECDSA_WITH_SALSA20_SHA1" },
1293 { 0xE416, "TLS_PSK_WITH_ESTREAM_SALSA20_SHA1" },
1294 { 0xE417, "TLS_PSK_WITH_SALSA20_SHA1" },
1295 { 0xE418, "TLS_ECDHE_PSK_WITH_ESTREAM_SALSA20_SHA1" },
1296 { 0xE419, "TLS_ECDHE_PSK_WITH_SALSA20_SHA1" },
1297 { 0xE41A, "TLS_RSA_PSK_WITH_ESTREAM_SALSA20_SHA1" },
1298 { 0xE41B, "TLS_RSA_PSK_WITH_SALSA20_SHA1" },
1299 { 0xE41C, "TLS_DHE_PSK_WITH_ESTREAM_SALSA20_SHA1" },
1300 { 0xE41D, "TLS_DHE_PSK_WITH_SALSA20_SHA1" },
1301 { 0xE41E, "TLS_DHE_RSA_WITH_ESTREAM_SALSA20_SHA1" },
1302 { 0xE41F, "TLS_DHE_RSA_WITH_SALSA20_SHA1" },
1303 /* RFC 8701 */
1304 { 0xEAEA, "Reserved (GREASE)" },
1305 { 0xFAFA, "Reserved (GREASE)" },
1306 /* these from http://www.mozilla.org/projects/
1307 security/pki/nss/ssl/fips-ssl-ciphersuites.html */
1308 { 0xfefe, "SSL_RSA_FIPS_WITH_DES_CBC_SHA"},
1309 { 0xfeff, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA" },
1310 /* https://datatracker.ietf.org/doc/html/rfc9189 */
1311 { 0xff85, "TLS_GOSTR341112_256_WITH_28147_CNT_IMIT"},
1312 { 0xffe0, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA" },
1313 { 0xffe1, "SSL_RSA_FIPS_WITH_DES_CBC_SHA" },
1314 /* note that ciphersuites 0xff00 - 0xffff are private */
1315 { 0x00, NULL((void*)0) }
1316};
1317
1318value_string_ext ssl_31_ciphersuite_ext = VALUE_STRING_EXT_INIT(ssl_31_ciphersuite){ _try_val_to_str_ext_init, 0, (sizeof (ssl_31_ciphersuite) /
sizeof ((ssl_31_ciphersuite)[0]))-1, ssl_31_ciphersuite, "ssl_31_ciphersuite"
, ((void*)0) };
1319
1320/* http://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#tls-extensiontype-values-1 */
1321const value_string tls_hello_extension_types[] = {
1322 { SSL_HND_HELLO_EXT_SERVER_NAME0, "server_name" }, /* RFC 6066 */
1323 { SSL_HND_HELLO_EXT_MAX_FRAGMENT_LENGTH1, "max_fragment_length" },/* RFC 6066 */
1324 { SSL_HND_HELLO_EXT_CLIENT_CERTIFICATE_URL2, "client_certificate_url" }, /* RFC 6066 */
1325 { SSL_HND_HELLO_EXT_TRUSTED_CA_KEYS3, "trusted_ca_keys" }, /* RFC 6066 */
1326 { SSL_HND_HELLO_EXT_TRUNCATED_HMAC4, "truncated_hmac" }, /* RFC 6066 */
1327 { SSL_HND_HELLO_EXT_STATUS_REQUEST5, "status_request" }, /* RFC 6066 */
1328 { SSL_HND_HELLO_EXT_USER_MAPPING6, "user_mapping" }, /* RFC 4681 */
1329 { SSL_HND_HELLO_EXT_CLIENT_AUTHZ7, "client_authz" }, /* RFC 5878 */
1330 { SSL_HND_HELLO_EXT_SERVER_AUTHZ8, "server_authz" }, /* RFC 5878 */
1331 { SSL_HND_HELLO_EXT_CERT_TYPE9, "cert_type" }, /* RFC 6091 */
1332 { SSL_HND_HELLO_EXT_SUPPORTED_GROUPS10, "supported_groups" }, /* RFC 4492, RFC 7919 */
1333 { SSL_HND_HELLO_EXT_EC_POINT_FORMATS11, "ec_point_formats" }, /* RFC 4492 */
1334 { SSL_HND_HELLO_EXT_SRP12, "srp" }, /* RFC 5054 */
1335 { SSL_HND_HELLO_EXT_SIGNATURE_ALGORITHMS13, "signature_algorithms" }, /* RFC 5246 */
1336 { SSL_HND_HELLO_EXT_USE_SRTP14, "use_srtp" }, /* RFC 5764 */
1337 { SSL_HND_HELLO_EXT_HEARTBEAT15, "heartbeat" }, /* RFC 6520 */
1338 { SSL_HND_HELLO_EXT_ALPN16, "application_layer_protocol_negotiation" }, /* RFC 7301 */
1339 { SSL_HND_HELLO_EXT_STATUS_REQUEST_V217, "status_request_v2" }, /* RFC 6961 */
1340 { SSL_HND_HELLO_EXT_SIGNED_CERTIFICATE_TIMESTAMP18, "signed_certificate_timestamp" }, /* RFC 6962 */
1341 { SSL_HND_HELLO_EXT_CLIENT_CERT_TYPE19, "client_certificate_type" }, /* RFC 7250 */
1342 { SSL_HND_HELLO_EXT_SERVER_CERT_TYPE20, "server_certificate_type" }, /* RFC 7250 */
1343 { SSL_HND_HELLO_EXT_PADDING21, "padding" }, /* RFC 7685 */
1344 { SSL_HND_HELLO_EXT_ENCRYPT_THEN_MAC22, "encrypt_then_mac" }, /* RFC 7366 */
1345 { SSL_HND_HELLO_EXT_EXTENDED_MASTER_SECRET23, "extended_master_secret" }, /* RFC 7627 */
1346 { SSL_HND_HELLO_EXT_TOKEN_BINDING24, "token_binding" }, /* https://tools.ietf.org/html/draft-ietf-tokbind-negotiation */
1347 { SSL_HND_HELLO_EXT_CACHED_INFO25, "cached_info" }, /* RFC 7924 */
1348 { SSL_HND_HELLO_EXT_COMPRESS_CERTIFICATE27, "compress_certificate" }, /* https://tools.ietf.org/html/draft-ietf-tls-certificate-compression-03 */
1349 { SSL_HND_HELLO_EXT_RECORD_SIZE_LIMIT28, "record_size_limit" }, /* RFC 8449 */
1350 { SSL_HND_HELLO_EXT_DELEGATED_CREDENTIALS34, "delegated_credentials" }, /* draft-ietf-tls-subcerts-10.txt */
1351 { SSL_HND_HELLO_EXT_SESSION_TICKET_TLS35, "session_ticket" }, /* RFC 5077 / RFC 8447 */
1352 { SSL_HND_HELLO_EXT_KEY_SHARE_OLD40, "Reserved (key_share)" }, /* https://tools.ietf.org/html/draft-ietf-tls-tls13-22 (removed in -23) */
1353 { SSL_HND_HELLO_EXT_PRE_SHARED_KEY41, "pre_shared_key" }, /* RFC 8446 */
1354 { SSL_HND_HELLO_EXT_EARLY_DATA42, "early_data" }, /* RFC 8446 */
1355 { SSL_HND_HELLO_EXT_SUPPORTED_VERSIONS43, "supported_versions" }, /* RFC 8446 */
1356 { SSL_HND_HELLO_EXT_COOKIE44, "cookie" }, /* RFC 8446 */
1357 { SSL_HND_HELLO_EXT_PSK_KEY_EXCHANGE_MODES45, "psk_key_exchange_modes" }, /* RFC 8446 */
1358 { SSL_HND_HELLO_EXT_TICKET_EARLY_DATA_INFO46, "Reserved (ticket_early_data_info)" }, /* draft-ietf-tls-tls13-18 (removed in -19) */
1359 { SSL_HND_HELLO_EXT_CERTIFICATE_AUTHORITIES47, "certificate_authorities" }, /* RFC 8446 */
1360 { SSL_HND_HELLO_EXT_OID_FILTERS48, "oid_filters" }, /* RFC 8446 */
1361 { SSL_HND_HELLO_EXT_POST_HANDSHAKE_AUTH49, "post_handshake_auth" }, /* RFC 8446 */
1362 { SSL_HND_HELLO_EXT_SIGNATURE_ALGORITHMS_CERT50, "signature_algorithms_cert" }, /* RFC 8446 */
1363 { SSL_HND_HELLO_EXT_KEY_SHARE51, "key_share" }, /* RFC 8446 */
1364 { SSL_HND_HELLO_EXT_TRANSPARENCY_INFO52, "transparency_info" }, /* draft-ietf-trans-rfc6962-bis-41 */
1365 { SSL_HND_HELLO_EXT_CONNECTION_ID_DEPRECATED53, "connection_id (deprecated)" }, /* draft-ietf-tls-dtls-connection-id-07 */
1366 { SSL_HND_HELLO_EXT_CONNECTION_ID54, "connection_id" }, /* RFC 9146 */
1367 { SSL_HND_HELLO_EXT_EXTERNAL_ID_HASH55, "external_id_hash" }, /* RFC 8844 */
1368 { SSL_HND_HELLO_EXT_EXTERNAL_SESSION_ID56, "external_session_id" }, /* RFC 8844 */
1369 { SSL_HND_HELLO_EXT_QUIC_TRANSPORT_PARAMETERS_V157, "quic_transport_parameters" }, /* draft-ietf-quic-tls-33 */
1370 { SSL_HND_HELLO_EXT_TICKET_REQUEST58, "ticket_request" }, /* draft-ietf-tls-ticketrequests-07 */
1371 { SSL_HND_HELLO_EXT_DNSSEC_CHAIN59, "dnssec_chain" }, /* RFC 9102 */
1372 { SSL_HND_HELLO_EXT_GREASE_0A0A2570, "Reserved (GREASE)" }, /* RFC 8701 */
1373 { SSL_HND_HELLO_EXT_GREASE_1A1A6682, "Reserved (GREASE)" }, /* RFC 8701 */
1374 { SSL_HND_HELLO_EXT_GREASE_2A2A10794, "Reserved (GREASE)" }, /* RFC 8701 */
1375 { SSL_HND_HELLO_EXT_NPN13172, "next_protocol_negotiation"}, /* https://datatracker.ietf.org/doc/html/draft-agl-tls-nextprotoneg-03 */
1376 { SSL_HND_HELLO_EXT_GREASE_3A3A14906, "Reserved (GREASE)" }, /* RFC 8701 */
1377 { SSL_HND_HELLO_EXT_ALPS_OLD17513, "application_settings_old" }, /* draft-vvv-tls-alps-01 */
1378 { SSL_HND_HELLO_EXT_ALPS17613, "application_settings" }, /* draft-vvv-tls-alps-01 */ /* https://chromestatus.com/feature/5149147365900288 */
1379 { SSL_HND_HELLO_EXT_GREASE_4A4A19018, "Reserved (GREASE)" }, /* RFC 8701 */
1380 { SSL_HND_HELLO_EXT_GREASE_5A5A23130, "Reserved (GREASE)" }, /* RFC 8701 */
1381 { SSL_HND_HELLO_EXT_GREASE_6A6A27242, "Reserved (GREASE)" }, /* RFC 8701 */
1382 { SSL_HND_HELLO_EXT_CHANNEL_ID_OLD30031, "channel_id_old" }, /* https://tools.ietf.org/html/draft-balfanz-tls-channelid-00
1383 https://twitter.com/ericlaw/status/274237352531083264 */
1384 { SSL_HND_HELLO_EXT_CHANNEL_ID30032, "channel_id" }, /* https://tools.ietf.org/html/draft-balfanz-tls-channelid-01
1385 https://code.google.com/p/chromium/codesearch#chromium/src/net/third_party/nss/ssl/sslt.h&l=209 */
1386 { SSL_HND_HELLO_EXT_RENEGOTIATION_INFO65281, "renegotiation_info" }, /* RFC 5746 */
1387 { SSL_HND_HELLO_EXT_GREASE_7A7A31354, "Reserved (GREASE)" }, /* RFC 8701 */
1388 { SSL_HND_HELLO_EXT_GREASE_8A8A35466, "Reserved (GREASE)" }, /* RFC 8701 */
1389 { SSL_HND_HELLO_EXT_GREASE_9A9A39578, "Reserved (GREASE)" }, /* RFC 8701 */
1390 { SSL_HND_HELLO_EXT_GREASE_AAAA43690, "Reserved (GREASE)" }, /* RFC 8701 */
1391 { SSL_HND_HELLO_EXT_GREASE_BABA47802, "Reserved (GREASE)" }, /* RFC 8701 */
1392 { SSL_HND_HELLO_EXT_GREASE_CACA51914, "Reserved (GREASE)" }, /* RFC 8701 */
1393 { SSL_HND_HELLO_EXT_GREASE_DADA56026, "Reserved (GREASE)" }, /* RFC 8701 */
1394 { SSL_HND_HELLO_EXT_GREASE_EAEA60138, "Reserved (GREASE)" }, /* RFC 8701 */
1395 { SSL_HND_HELLO_EXT_GREASE_FAFA64250, "Reserved (GREASE)" }, /* RFC 8701 */
1396 { SSL_HND_HELLO_EXT_QUIC_TRANSPORT_PARAMETERS65445, "quic_transport_parameters (drafts version)" }, /* https://tools.ietf.org/html/draft-ietf-quic-tls */
1397 { SSL_HND_HELLO_EXT_ENCRYPTED_SERVER_NAME65486, "encrypted_server_name" }, /* https://tools.ietf.org/html/draft-ietf-tls-esni-01 */
1398 { SSL_HND_HELLO_EXT_ENCRYPTED_CLIENT_HELLO65037, "encrypted_client_hello" }, /* https://datatracker.ietf.org/doc/draft-ietf-tls-esni/17/ */
1399 { SSL_HND_HELLO_EXT_ECH_OUTER_EXTENSIONS64768, "ech_outer_extensions" }, /* https://datatracker.ietf.org/doc/draft-ietf-tls-esni/17/ */
1400 { 0, NULL((void*)0) }
1401};
1402
1403const value_string tls_hello_ext_server_name_type_vs[] = {
1404 { 0, "host_name" },
1405 { 0, NULL((void*)0) }
1406};
1407
1408/* RFC 6066 Section 4 */
1409const value_string tls_hello_ext_max_fragment_length[] = {
1410 { 1, "512" }, // 2^9
1411 { 2, "1024" }, // 2^10
1412 { 3, "2048" }, // 2^11
1413 { 4, "4096" }, // 2^12
1414 { 0, NULL((void*)0) }
1415};
1416
1417/* RFC 8446 Section 4.2.9 */
1418const value_string tls_hello_ext_psk_ke_mode[] = {
1419 { 0, "PSK-only key establishment (psk_ke)" },
1420 { 1, "PSK with (EC)DHE key establishment (psk_dhe_ke)" },
1421 { 0, NULL((void*)0) }
1422};
1423
1424/* RFC 6066 Section 6 */
1425const value_string tls_hello_ext_trusted_ca_key_type[] = {
1426 {0, "pre_agreed"},
1427 {1, "key_sha1_hash"},
1428 {2, "x509_name"},
1429 {3, "cert_sha1_hash"},
1430 {0, NULL((void*)0)}
1431};
1432
1433const value_string tls13_key_update_request[] = {
1434 { 0, "update_not_requested" },
1435 { 1, "update_requested" },
1436 { 0, NULL((void*)0) }
1437};
1438
1439/* RFC 5246 7.4.1.4.1 */
1440/* https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml */
1441/* Note that the TLS 1.3 SignatureScheme registry reserves all values
1442 * with first octet 0x00-0x06 and all values with second octet 0x00-0x03
1443 * for backwards compatibility with TLS 1.2 SignatureAndHashAlgorithm.
1444 *
1445 * RFC 8422 and RFC 9189 add official support in TLS 1.2 for some algorithms
1446 * originally defined for TLS 1.3, and extend the TLS SignatureAlgorithm
1447 * and TLS HashAlgorithm registries, but the new values are not compatible
1448 * with all of the TLS 1.3-only SignatureSchemes. Adding those values could
1449 * cause confusion if used to interpret one of those schemes in a
1450 * signature_algorithms extension offered in a TLS 1.3 ClientHello.
1451 */
1452const value_string tls_hash_algorithm[] = {
1453 { 0, "None" },
1454 { 1, "MD5" },
1455 { 2, "SHA1" },
1456 { 3, "SHA224" },
1457 { 4, "SHA256" },
1458 { 5, "SHA384" },
1459 { 6, "SHA512" },
1460#if 0
1461 /* RFC 8422 adds this to the HashAlgorithm registry, but it really
1462 * only applies to 0x0807 and 0x0808, not for other TLS 1.3
1463 * SignatureSchemes with 0x08 in the octet used for Hash in TLS 1.2.
1464 * E.g., we don't want to display this for 0x0806 rsa_pss_rsae_sha512.
1465 */
1466 { 8, "Intrinsic" },
1467#endif
1468 { 0, NULL((void*)0) }
1469};
1470
1471const value_string tls_signature_algorithm[] = {
1472 { 0, "Anonymous" },
1473 { 1, "RSA" },
1474 { 2, "DSA" },
1475 { 3, "ECDSA" },
1476#if 0
1477 /* As above. */
1478 { 7, "ED25519" },
1479 { 8, "ED448" },
1480 { 64, "GOSTR34102012_256" },
1481 { 65, "GOSTR34102012_512" },
1482#endif
1483 { 0, NULL((void*)0) }
1484};
1485
1486/* RFC 8446 Section 4.2.3 */
1487const value_string tls13_signature_algorithm[] = {
1488 { 0x0201, "rsa_pkcs1_sha1" },
1489 { 0x0203, "ecdsa_sha1" },
1490 { 0x0401, "rsa_pkcs1_sha256" },
1491 { 0x0403, "ecdsa_secp256r1_sha256" },
1492 { 0x0420, "rsa_pkcs1_sha256_legacy" }, /* draft-davidben-tls13-pkcs1-01 */
1493 { 0x0501, "rsa_pkcs1_sha384" },
1494 { 0x0503, "ecdsa_secp384r1_sha384" },
1495 { 0x0520, "rsa_pkcs1_sha384_legacy" }, /* draft-davidben-tls13-pkcs1-01 */
1496 { 0x0601, "rsa_pkcs1_sha512" },
1497 { 0x0603, "ecdsa_secp521r1_sha512" },
1498 { 0x0620, "rsa_pkcs1_sha512_legacy" }, /* draft-davidben-tls13-pkcs1-01 */
1499 { 0x0708, "sm2sig_sm3" },
1500 { 0x0709, "gostr34102012_256a" }, /* RFC9367 */
1501 { 0x070a, "gostr34102012_256b" }, /* RFC9367 */
1502 { 0x070b, "gostr34102012_256c" }, /* RFC9367 */
1503 { 0x070c, "gostr34102012_256d" }, /* RFC9367 */
1504 { 0x070d, "gostr34102012_512a" }, /* RFC9367 */
1505 { 0x070e, "gostr34102012_512b" }, /* RFC9367 */
1506 { 0x070f, "gostr34102012_512c" }, /* RFC9367 */
1507 { 0x0804, "rsa_pss_rsae_sha256" },
1508 { 0x0805, "rsa_pss_rsae_sha384" },
1509 { 0x0806, "rsa_pss_rsae_sha512" },
1510 { 0x0807, "ed25519" },
1511 { 0x0808, "ed448" },
1512 { 0x0809, "rsa_pss_pss_sha256" },
1513 { 0x080a, "rsa_pss_pss_sha384" },
1514 { 0x080b, "rsa_pss_pss_sha512" },
1515 { 0x081a, "ecdsa_brainpoolP256r1tls13_sha256" }, /* RFC8734 */
1516 { 0x081b, "ecdsa_brainpoolP384r1tls13_sha384" }, /* RFC8734 */
1517 { 0x081c, "ecdsa_brainpoolP512r1tls13_sha512" }, /* RFC8734 */
1518 /* PQC digital signature algorithms from OQS-OpenSSL,
1519 see https://github.com/open-quantum-safe/openssl/blob/OQS-OpenSSL_1_1_1-stable/oqs-template/oqs-sig-info.md */
1520 { 0xfea0, "dilithium2" },
1521 { 0xfea1, "p256_dilithium2" },
1522 { 0xfea2, "rsa3072_dilithium2" },
1523 { 0xfea3, "dilithium3" },
1524 { 0xfea4, "p384_dilithium3" },
1525 { 0xfea5, "dilithium5" },
1526 { 0xfea6, "p521_dilithium5" },
1527 { 0xfea7, "dilithium2_aes" },
1528 { 0xfea8, "p256_dilithium2_aes" },
1529 { 0xfea9, "rsa3072_dilithium2_aes" },
1530 { 0xfeaa, "dilithium3_aes" },
1531 { 0xfeab, "p384_dilithium3_aes" },
1532 { 0xfeac, "dilithium5_aes" },
1533 { 0xfead, "p521_dilithium5_aes" },
1534 { 0xfe0b, "falcon512" },
1535 { 0xfe0c, "p256_falcon512" },
1536 { 0xfe0d, "rsa3072_falcon512" },
1537 { 0xfe0e, "falcon1024" },
1538 { 0xfe0f, "p521_falcon1024" },
1539 { 0xfe96, "picnicl1full" },
1540 { 0xfe97, "p256_picnicl1full" },
1541 { 0xfe98, "rsa3072_picnicl1full" },
1542 { 0xfe1b, "picnic3l1" },
1543 { 0xfe1c, "p256_picnic3l1" },
1544 { 0xfe1d, "rsa3072_picnic3l1" },
1545 { 0xfe27, "rainbowIclassic" },
1546 { 0xfe28, "p256_rainbowIclassic" },
1547 { 0xfe29, "rsa3072_rainbowIclassic" },
1548 { 0xfe3c, "rainbowVclassic" },
1549 { 0xfe3d, "p521_rainbowVclassic" },
1550 { 0xfe42, "sphincsharaka128frobust" },
1551 { 0xfe43, "p256_sphincsharaka128frobust" },
1552 { 0xfe44, "rsa3072_sphincsharaka128frobust" },
1553 { 0xfe5e, "sphincssha256128frobust" },
1554 { 0xfe5f, "p256_sphincssha256128frobust" },
1555 { 0xfe60, "rsa3072_sphincssha256128frobust" },
1556 { 0xfe7a, "sphincsshake256128frobust" },
1557 { 0xfe7b, "p256_sphincsshake256128frobust" },
1558 { 0xfe7c, "rsa3072_sphincsshake256128frobust" },
1559 { 0, NULL((void*)0) }
1560};
1561
1562/* RFC 6091 3.1 */
1563const value_string tls_certificate_type[] = {
1564 { 0, "X.509" },
1565 { 1, "OpenPGP" },
1566 { SSL_HND_CERT_TYPE_RAW_PUBLIC_KEY2, "Raw Public Key" }, /* RFC 7250 */
1567 { 0, NULL((void*)0) }
1568};
1569
1570const value_string tls_cert_chain_type[] = {
1571 { SSL_HND_CERT_URL_TYPE_INDIVIDUAL_CERT1, "Individual Certificates" },
1572 { SSL_HND_CERT_URL_TYPE_PKIPATH2, "PKI Path" },
1573 { 0, NULL((void*)0) }
1574};
1575
1576const value_string tls_cert_status_type[] = {
1577 { SSL_HND_CERT_STATUS_TYPE_OCSP1, "OCSP" },
1578 { SSL_HND_CERT_STATUS_TYPE_OCSP_MULTI2, "OCSP Multi" },
1579 { 0, NULL((void*)0) }
1580};
1581
1582/* Generated by tools/make-tls-ct-logids.py
1583 * Last-Modified Sat, 15 Nov 2025 14:27:28 GMT, 187 entries. */
1584static const bytes_string ct_logids[] = {
1585 { (const uint8_t[]){
1586 0xb2, 0x1e, 0x05, 0xcc, 0x8b, 0xa2, 0xcd, 0x8a, 0x20, 0x4e, 0x87,
1587 0x66, 0xf9, 0x2b, 0xb9, 0x8a, 0x25, 0x20, 0x67, 0x6b, 0xda, 0xfa,
1588 0x70, 0xe7, 0xb2, 0x49, 0x53, 0x2d, 0xef, 0x8b, 0x90, 0x5e,
1589 },
1590 32, "Google 'Argon2020' log" },
1591 { (const uint8_t[]){
1592 0xf6, 0x5c, 0x94, 0x2f, 0xd1, 0x77, 0x30, 0x22, 0x14, 0x54, 0x18,
1593 0x08, 0x30, 0x94, 0x56, 0x8e, 0xe3, 0x4d, 0x13, 0x19, 0x33, 0xbf,
1594 0xdf, 0x0c, 0x2f, 0x20, 0x0b, 0xcc, 0x4e, 0xf1, 0x64, 0xe3,
1595 },
1596 32, "Google 'Argon2021' log" },
1597 { (const uint8_t[]){
1598 0x29, 0x79, 0xbe, 0xf0, 0x9e, 0x39, 0x39, 0x21, 0xf0, 0x56, 0x73,
1599 0x9f, 0x63, 0xa5, 0x77, 0xe5, 0xbe, 0x57, 0x7d, 0x9c, 0x60, 0x0a,
1600 0xf8, 0xf9, 0x4d, 0x5d, 0x26, 0x5c, 0x25, 0x5d, 0xc7, 0x84,
1601 },
1602 32, "Google 'Argon2022' log" },
1603 { (const uint8_t[]){
1604 0xe8, 0x3e, 0xd0, 0xda, 0x3e, 0xf5, 0x06, 0x35, 0x32, 0xe7, 0x57,
1605 0x28, 0xbc, 0x89, 0x6b, 0xc9, 0x03, 0xd3, 0xcb, 0xd1, 0x11, 0x6b,
1606 0xec, 0xeb, 0x69, 0xe1, 0x77, 0x7d, 0x6d, 0x06, 0xbd, 0x6e,
1607 },
1608 32, "Google 'Argon2023' log" },
1609 { (const uint8_t[]){
1610 0xee, 0xcd, 0xd0, 0x64, 0xd5, 0xdb, 0x1a, 0xce, 0xc5, 0x5c, 0xb7,
1611 0x9d, 0xb4, 0xcd, 0x13, 0xa2, 0x32, 0x87, 0x46, 0x7c, 0xbc, 0xec,
1612 0xde, 0xc3, 0x51, 0x48, 0x59, 0x46, 0x71, 0x1f, 0xb5, 0x9b,
1613 },
1614 32, "Google 'Argon2024' log" },
1615 { (const uint8_t[]){
1616 0x4e, 0x75, 0xa3, 0x27, 0x5c, 0x9a, 0x10, 0xc3, 0x38, 0x5b, 0x6c,
1617 0xd4, 0xdf, 0x3f, 0x52, 0xeb, 0x1d, 0xf0, 0xe0, 0x8e, 0x1b, 0x8d,
1618 0x69, 0xc0, 0xb1, 0xfa, 0x64, 0xb1, 0x62, 0x9a, 0x39, 0xdf,
1619 },
1620 32, "Google 'Argon2025h1' log" },
1621 { (const uint8_t[]){
1622 0x12, 0xf1, 0x4e, 0x34, 0xbd, 0x53, 0x72, 0x4c, 0x84, 0x06, 0x19,
1623 0xc3, 0x8f, 0x3f, 0x7a, 0x13, 0xf8, 0xe7, 0xb5, 0x62, 0x87, 0x88,
1624 0x9c, 0x6d, 0x30, 0x05, 0x84, 0xeb, 0xe5, 0x86, 0x26, 0x3a,
1625 },
1626 32, "Google 'Argon2025h2' log" },
1627 { (const uint8_t[]){
1628 0x0e, 0x57, 0x94, 0xbc, 0xf3, 0xae, 0xa9, 0x3e, 0x33, 0x1b, 0x2c,
1629 0x99, 0x07, 0xb3, 0xf7, 0x90, 0xdf, 0x9b, 0xc2, 0x3d, 0x71, 0x32,
1630 0x25, 0xdd, 0x21, 0xa9, 0x25, 0xac, 0x61, 0xc5, 0x4e, 0x21,
1631 },
1632 32, "Google 'Argon2026h1' log" },
1633 { (const uint8_t[]){
1634 0xd7, 0x6d, 0x7d, 0x10, 0xd1, 0xa7, 0xf5, 0x77, 0xc2, 0xc7, 0xe9,
1635 0x5f, 0xd7, 0x00, 0xbf, 0xf9, 0x82, 0xc9, 0x33, 0x5a, 0x65, 0xe1,
1636 0xd0, 0xb3, 0x01, 0x73, 0x17, 0xc0, 0xc8, 0xc5, 0x69, 0x77,
1637 },
1638 32, "Google 'Argon2026h2' log" },
1639 { (const uint8_t[]){
1640 0xd6, 0xd5, 0x8d, 0xa9, 0xd0, 0x17, 0x53, 0xf3, 0x6a, 0x4a, 0xa0,
1641 0xc7, 0x57, 0x49, 0x02, 0xaf, 0xeb, 0xc7, 0xdc, 0x2c, 0xd3, 0x8c,
1642 0xd9, 0xf7, 0x64, 0xc8, 0x0c, 0x89, 0x19, 0x1e, 0x9f, 0x02,
1643 },
1644 32, "Google 'Argon2027h1'" },
1645 { (const uint8_t[]){
1646 0x07, 0xb7, 0x5c, 0x1b, 0xe5, 0x7d, 0x68, 0xff, 0xf1, 0xb0, 0xc6,
1647 0x1d, 0x23, 0x15, 0xc7, 0xba, 0xe6, 0x57, 0x7c, 0x57, 0x94, 0xb7,
1648 0x6a, 0xee, 0xbc, 0x61, 0x3a, 0x1a, 0x69, 0xd3, 0xa2, 0x1c,
1649 },
1650 32, "Google 'Xenon2020' log" },
1651 { (const uint8_t[]){
1652 0x7d, 0x3e, 0xf2, 0xf8, 0x8f, 0xff, 0x88, 0x55, 0x68, 0x24, 0xc2,
1653 0xc0, 0xca, 0x9e, 0x52, 0x89, 0x79, 0x2b, 0xc5, 0x0e, 0x78, 0x09,
1654 0x7f, 0x2e, 0x6a, 0x97, 0x68, 0x99, 0x7e, 0x22, 0xf0, 0xd7,
1655 },
1656 32, "Google 'Xenon2021' log" },
1657 { (const uint8_t[]){
1658 0x46, 0xa5, 0x55, 0xeb, 0x75, 0xfa, 0x91, 0x20, 0x30, 0xb5, 0xa2,
1659 0x89, 0x69, 0xf4, 0xf3, 0x7d, 0x11, 0x2c, 0x41, 0x74, 0xbe, 0xfd,
1660 0x49, 0xb8, 0x85, 0xab, 0xf2, 0xfc, 0x70, 0xfe, 0x6d, 0x47,
1661 },
1662 32, "Google 'Xenon2022' log" },
1663 { (const uint8_t[]){
1664 0xad, 0xf7, 0xbe, 0xfa, 0x7c, 0xff, 0x10, 0xc8, 0x8b, 0x9d, 0x3d,
1665 0x9c, 0x1e, 0x3e, 0x18, 0x6a, 0xb4, 0x67, 0x29, 0x5d, 0xcf, 0xb1,
1666 0x0c, 0x24, 0xca, 0x85, 0x86, 0x34, 0xeb, 0xdc, 0x82, 0x8a,
1667 },
1668 32, "Google 'Xenon2023' log" },
1669 { (const uint8_t[]){
1670 0x76, 0xff, 0x88, 0x3f, 0x0a, 0xb6, 0xfb, 0x95, 0x51, 0xc2, 0x61,
1671 0xcc, 0xf5, 0x87, 0xba, 0x34, 0xb4, 0xa4, 0xcd, 0xbb, 0x29, 0xdc,
1672 0x68, 0x42, 0x0a, 0x9f, 0xe6, 0x67, 0x4c, 0x5a, 0x3a, 0x74,
1673 },
1674 32, "Google 'Xenon2024' log" },
1675 { (const uint8_t[]){
1676 0xcf, 0x11, 0x56, 0xee, 0xd5, 0x2e, 0x7c, 0xaf, 0xf3, 0x87, 0x5b,
1677 0xd9, 0x69, 0x2e, 0x9b, 0xe9, 0x1a, 0x71, 0x67, 0x4a, 0xb0, 0x17,
1678 0xec, 0xac, 0x01, 0xd2, 0x5b, 0x77, 0xce, 0xcc, 0x3b, 0x08,
1679 },
1680 32, "Google 'Xenon2025h1' log" },
1681 { (const uint8_t[]){
1682 0xdd, 0xdc, 0xca, 0x34, 0x95, 0xd7, 0xe1, 0x16, 0x05, 0xe7, 0x95,
1683 0x32, 0xfa, 0xc7, 0x9f, 0xf8, 0x3d, 0x1c, 0x50, 0xdf, 0xdb, 0x00,
1684 0x3a, 0x14, 0x12, 0x76, 0x0a, 0x2c, 0xac, 0xbb, 0xc8, 0x2a,
1685 },
1686 32, "Google 'Xenon2025h2' log" },
1687 { (const uint8_t[]){
1688 0x96, 0x97, 0x64, 0xbf, 0x55, 0x58, 0x97, 0xad, 0xf7, 0x43, 0x87,
1689 0x68, 0x37, 0x08, 0x42, 0x77, 0xe9, 0xf0, 0x3a, 0xd5, 0xf6, 0xa4,
1690 0xf3, 0x36, 0x6e, 0x46, 0xa4, 0x3f, 0x0f, 0xca, 0xa9, 0xc6,
1691 },
1692 32, "Google 'Xenon2026h1' log" },
1693 { (const uint8_t[]){
1694 0xd8, 0x09, 0x55, 0x3b, 0x94, 0x4f, 0x7a, 0xff, 0xc8, 0x16, 0x19,
1695 0x6f, 0x94, 0x4f, 0x85, 0xab, 0xb0, 0xf8, 0xfc, 0x5e, 0x87, 0x55,
1696 0x26, 0x0f, 0x15, 0xd1, 0x2e, 0x72, 0xbb, 0x45, 0x4b, 0x14,
1697 },
1698 32, "Google 'Xenon2026h2' log" },
1699 { (const uint8_t[]){
1700 0x44, 0xc2, 0xbd, 0x0c, 0xe9, 0x14, 0x0e, 0x64, 0xa5, 0xc9, 0x4a,
1701 0x01, 0x93, 0x0a, 0x5a, 0xa1, 0xbb, 0x35, 0x97, 0x0e, 0x00, 0xee,
1702 0x11, 0x16, 0x89, 0x68, 0x2a, 0x1c, 0x44, 0xd7, 0xb5, 0x66,
1703 },
1704 32, "Google 'Xenon2027h1'" },
1705 { (const uint8_t[]){
1706 0x68, 0xf6, 0x98, 0xf8, 0x1f, 0x64, 0x82, 0xbe, 0x3a, 0x8c, 0xee,
1707 0xb9, 0x28, 0x1d, 0x4c, 0xfc, 0x71, 0x51, 0x5d, 0x67, 0x93, 0xd4,
1708 0x44, 0xd1, 0x0a, 0x67, 0xac, 0xbb, 0x4f, 0x4f, 0xfb, 0xc4,
1709 },
1710 32, "Google 'Aviator' log" },
1711 { (const uint8_t[]){
1712 0x29, 0x3c, 0x51, 0x96, 0x54, 0xc8, 0x39, 0x65, 0xba, 0xaa, 0x50,
1713 0xfc, 0x58, 0x07, 0xd4, 0xb7, 0x6f, 0xbf, 0x58, 0x7a, 0x29, 0x72,
1714 0xdc, 0xa4, 0xc3, 0x0c, 0xf4, 0xe5, 0x45, 0x47, 0xf4, 0x78,
1715 },
1716 32, "Google 'Icarus' log" },
1717 { (const uint8_t[]){
1718 0xa4, 0xb9, 0x09, 0x90, 0xb4, 0x18, 0x58, 0x14, 0x87, 0xbb, 0x13,
1719 0xa2, 0xcc, 0x67, 0x70, 0x0a, 0x3c, 0x35, 0x98, 0x04, 0xf9, 0x1b,
1720 0xdf, 0xb8, 0xe3, 0x77, 0xcd, 0x0e, 0xc8, 0x0d, 0xdc, 0x10,
1721 },
1722 32, "Google 'Pilot' log" },
1723 { (const uint8_t[]){
1724 0xee, 0x4b, 0xbd, 0xb7, 0x75, 0xce, 0x60, 0xba, 0xe1, 0x42, 0x69,
1725 0x1f, 0xab, 0xe1, 0x9e, 0x66, 0xa3, 0x0f, 0x7e, 0x5f, 0xb0, 0x72,
1726 0xd8, 0x83, 0x00, 0xc4, 0x7b, 0x89, 0x7a, 0xa8, 0xfd, 0xcb,
1727 },
1728 32, "Google 'Rocketeer' log" },
1729 { (const uint8_t[]){
1730 0xbb, 0xd9, 0xdf, 0xbc, 0x1f, 0x8a, 0x71, 0xb5, 0x93, 0x94, 0x23,
1731 0x97, 0xaa, 0x92, 0x7b, 0x47, 0x38, 0x57, 0x95, 0x0a, 0xab, 0x52,
1732 0xe8, 0x1a, 0x90, 0x96, 0x64, 0x36, 0x8e, 0x1e, 0xd1, 0x85,
1733 },
1734 32, "Google 'Skydiver' log" },
1735 { (const uint8_t[]){
1736 0xfa, 0xd4, 0xc9, 0x7c, 0xc4, 0x9e, 0xe2, 0xf8, 0xac, 0x85, 0xc5,
1737 0xea, 0x5c, 0xea, 0x09, 0xd0, 0x22, 0x0d, 0xbb, 0xf4, 0xe4, 0x9c,
1738 0x6b, 0x50, 0x66, 0x2f, 0xf8, 0x68, 0xf8, 0x6b, 0x8c, 0x28,
1739 },
1740 32, "Google 'Argon2017' log" },
1741 { (const uint8_t[]){
1742 0xa4, 0x50, 0x12, 0x69, 0x05, 0x5a, 0x15, 0x54, 0x5e, 0x62, 0x11,
1743 0xab, 0x37, 0xbc, 0x10, 0x3f, 0x62, 0xae, 0x55, 0x76, 0xa4, 0x5e,
1744 0x4b, 0x17, 0x14, 0x45, 0x3e, 0x1b, 0x22, 0x10, 0x6a, 0x25,
1745 },
1746 32, "Google 'Argon2018' log" },
1747 { (const uint8_t[]){
1748 0x63, 0xf2, 0xdb, 0xcd, 0xe8, 0x3b, 0xcc, 0x2c, 0xcf, 0x0b, 0x72,
1749 0x84, 0x27, 0x57, 0x6b, 0x33, 0xa4, 0x8d, 0x61, 0x77, 0x8f, 0xbd,
1750 0x75, 0xa6, 0x38, 0xb1, 0xc7, 0x68, 0x54, 0x4b, 0xd8, 0x8d,
1751 },
1752 32, "Google 'Argon2019' log" },
1753 { (const uint8_t[]){
1754 0xb1, 0x0c, 0xd5, 0x59, 0xa6, 0xd6, 0x78, 0x46, 0x81, 0x1f, 0x7d,
1755 0xf9, 0xa5, 0x15, 0x32, 0x73, 0x9a, 0xc4, 0x8d, 0x70, 0x3b, 0xea,
1756 0x03, 0x23, 0xda, 0x5d, 0x38, 0x75, 0x5b, 0xc0, 0xad, 0x4e,
1757 },
1758 32, "Google 'Xenon2018' log" },
1759 { (const uint8_t[]){
1760 0x08, 0x41, 0x14, 0x98, 0x00, 0x71, 0x53, 0x2c, 0x16, 0x19, 0x04,
1761 0x60, 0xbc, 0xfc, 0x47, 0xfd, 0xc2, 0x65, 0x3a, 0xfa, 0x29, 0x2c,
1762 0x72, 0xb3, 0x7f, 0xf8, 0x63, 0xae, 0x29, 0xcc, 0xc9, 0xf0,
1763 },
1764 32, "Google 'Xenon2019' log" },
1765 { (const uint8_t[]){
1766 0xa8, 0x99, 0xd8, 0x78, 0x0c, 0x92, 0x90, 0xaa, 0xf4, 0x62, 0xf3,
1767 0x18, 0x80, 0xcc, 0xfb, 0xd5, 0x24, 0x51, 0xe9, 0x70, 0xd0, 0xfb,
1768 0xf5, 0x91, 0xef, 0x75, 0xb0, 0xd9, 0x9b, 0x64, 0x56, 0x81,
1769 },
1770 32, "Google 'Submariner' log" },
1771 { (const uint8_t[]){
1772 0x1d, 0x02, 0x4b, 0x8e, 0xb1, 0x49, 0x8b, 0x34, 0x4d, 0xfd, 0x87,
1773 0xea, 0x3e, 0xfc, 0x09, 0x96, 0xf7, 0x50, 0x6f, 0x23, 0x5d, 0x1d,
1774 0x49, 0x70, 0x61, 0xa4, 0x77, 0x3c, 0x43, 0x9c, 0x25, 0xfb,
1775 },
1776 32, "Google 'Daedalus' log" },
1777 { (const uint8_t[]){
1778 0xb0, 0xcc, 0x83, 0xe5, 0xa5, 0xf9, 0x7d, 0x6b, 0xaf, 0x7c, 0x09,
1779 0xcc, 0x28, 0x49, 0x04, 0x87, 0x2a, 0xc7, 0xe8, 0x8b, 0x13, 0x2c,
1780 0x63, 0x50, 0xb7, 0xc6, 0xfd, 0x26, 0xe1, 0x6c, 0x6c, 0x77,
1781 },
1782 32, "Google 'Testtube' log" },
1783 { (const uint8_t[]){
1784 0xc3, 0xbf, 0x03, 0xa7, 0xe1, 0xca, 0x88, 0x41, 0xc6, 0x07, 0xba,
1785 0xe3, 0xff, 0x42, 0x70, 0xfc, 0xa5, 0xec, 0x45, 0xb1, 0x86, 0xeb,
1786 0xbe, 0x4e, 0x2c, 0xf3, 0xfc, 0x77, 0x86, 0x30, 0xf5, 0xf6,
1787 },
1788 32, "Google 'Crucible' log" },
1789 { (const uint8_t[]){
1790 0x52, 0xeb, 0x4b, 0x22, 0x5e, 0xc8, 0x96, 0x97, 0x48, 0x50, 0x67,
1791 0x5f, 0x23, 0xe4, 0x3b, 0xc1, 0xd0, 0x21, 0xe3, 0x21, 0x4c, 0xe5,
1792 0x2e, 0xcd, 0x5f, 0xa8, 0x7c, 0x20, 0x3c, 0xdf, 0xca, 0x03,
1793 },
1794 32, "Google 'Solera2018' log" },
1795 { (const uint8_t[]){
1796 0x0b, 0x76, 0x0e, 0x9a, 0x8b, 0x9a, 0x68, 0x2f, 0x88, 0x98, 0x5b,
1797 0x15, 0xe9, 0x47, 0x50, 0x1a, 0x56, 0x44, 0x6b, 0xba, 0x88, 0x30,
1798 0x78, 0x5c, 0x38, 0x42, 0x99, 0x43, 0x86, 0x45, 0x0c, 0x00,
1799 },
1800 32, "Google 'Solera2019' log" },
1801 { (const uint8_t[]){
1802 0x1f, 0xc7, 0x2c, 0xe5, 0xa1, 0xb7, 0x99, 0xf4, 0x00, 0xc3, 0x59,
1803 0xbf, 0xf9, 0x6c, 0xa3, 0x91, 0x35, 0x48, 0xe8, 0x64, 0x42, 0x20,
1804 0x61, 0x09, 0x52, 0xe9, 0xba, 0x17, 0x74, 0xf7, 0xba, 0xc7,
1805 },
1806 32, "Google 'Solera2020' log" },
1807 { (const uint8_t[]){
1808 0xa3, 0xc9, 0x98, 0x45, 0xe8, 0x0a, 0xb7, 0xce, 0x00, 0x15, 0x7b,
1809 0x37, 0x42, 0xdf, 0x02, 0x07, 0xdd, 0x27, 0x2b, 0x2b, 0x60, 0x2e,
1810 0xcf, 0x98, 0xee, 0x2c, 0x12, 0xdb, 0x9c, 0x5a, 0xe7, 0xe7,
1811 },
1812 32, "Google 'Solera2021' log" },
1813 { (const uint8_t[]){
1814 0x69, 0x7a, 0xaf, 0xca, 0x1a, 0x6b, 0x53, 0x6f, 0xae, 0x21, 0x20,
1815 0x50, 0x46, 0xde, 0xba, 0xd7, 0xe0, 0xea, 0xea, 0x13, 0xd2, 0x43,
1816 0x2e, 0x6e, 0x9d, 0x8f, 0xb3, 0x79, 0xf2, 0xb9, 0xaa, 0xf3,
1817 },
1818 32, "Google 'Solera2022' log" },
1819 { (const uint8_t[]){
1820 0xf9, 0x7e, 0x97, 0xb8, 0xd3, 0x3e, 0xf7, 0xa1, 0x59, 0x02, 0xa5,
1821 0x3a, 0x19, 0xe1, 0x79, 0x90, 0xe5, 0xdc, 0x40, 0x6a, 0x03, 0x18,
1822 0x25, 0xba, 0xad, 0x93, 0xe9, 0x8f, 0x9b, 0x9c, 0x69, 0xcb,
1823 },
1824 32, "Google 'Solera2023' log" },
1825 { (const uint8_t[]){
1826 0x30, 0x24, 0xce, 0x7e, 0xeb, 0x16, 0x88, 0x62, 0x72, 0x4b, 0xea,
1827 0x70, 0x2e, 0xff, 0xf9, 0x92, 0xcf, 0xe4, 0x56, 0x43, 0x41, 0x91,
1828 0xaa, 0x59, 0x5b, 0x25, 0xf8, 0x02, 0x26, 0xc8, 0x00, 0x17,
1829 },
1830 32, "Google 'Solera2024' log" },
1831 { (const uint8_t[]){
1832 0x3f, 0xe1, 0xcb, 0x46, 0xed, 0x47, 0x35, 0x79, 0xaf, 0x01, 0x41,
1833 0xf9, 0x72, 0x4d, 0x9d, 0xc4, 0x43, 0x47, 0x2d, 0x75, 0x6e, 0x85,
1834 0xe7, 0x71, 0x9c, 0x55, 0x82, 0x48, 0x5d, 0xd4, 0xe1, 0xe4,
1835 },
1836 32, "Google 'Solera2025h1' log" },
1837 { (const uint8_t[]){
1838 0x26, 0x02, 0x39, 0x48, 0x87, 0x4c, 0xf7, 0xfc, 0xd0, 0xfb, 0x64,
1839 0x71, 0xa4, 0x3e, 0x84, 0x7e, 0xbb, 0x20, 0x0a, 0xe6, 0xe2, 0xfa,
1840 0x24, 0x23, 0x6d, 0xf6, 0xd1, 0xa6, 0x06, 0x63, 0x0f, 0xb1,
1841 },
1842 32, "Google 'Solera2025h2' log" },
1843 { (const uint8_t[]){
1844 0xc8, 0x4b, 0x90, 0x7a, 0x07, 0xbe, 0xaa, 0x29, 0xa6, 0x14, 0xc2,
1845 0x45, 0x84, 0xb7, 0xa3, 0xf6, 0x62, 0x43, 0x94, 0x68, 0x7b, 0x25,
1846 0xfe, 0x62, 0x83, 0x8b, 0x71, 0xec, 0x42, 0x2a, 0xd2, 0xf9,
1847 },
1848 32, "Google 'Solera2026h1' log" },
1849 { (const uint8_t[]){
1850 0x62, 0xe9, 0x00, 0x60, 0x04, 0xa3, 0x07, 0x95, 0x5a, 0x75, 0x44,
1851 0xb4, 0xd5, 0x84, 0xa9, 0x62, 0x68, 0xca, 0x1d, 0x6e, 0x45, 0x85,
1852 0xad, 0xf0, 0x91, 0x6d, 0xfe, 0x5f, 0xdc, 0x1f, 0x04, 0xdb,
1853 },
1854 32, "Google 'Solera2026h2' log" },
1855 { (const uint8_t[]){
1856 0x3d, 0xe4, 0x92, 0xa8, 0x98, 0x93, 0xad, 0x70, 0x5e, 0x78, 0x46,
1857 0xed, 0x21, 0xd4, 0x8d, 0xca, 0xfb, 0xad, 0x13, 0x9e, 0xa6, 0x4e,
1858 0xd1, 0xe3, 0x49, 0xf9, 0x00, 0xb0, 0xa2, 0xcd, 0xa5, 0xe2,
1859 },
1860 32, "Google 'Solera2027h1' log" },
1861 { (const uint8_t[]){
1862 0x5e, 0xa7, 0x73, 0xf9, 0xdf, 0x56, 0xc0, 0xe7, 0xb5, 0x36, 0x48,
1863 0x7d, 0xd0, 0x49, 0xe0, 0x32, 0x7a, 0x91, 0x9a, 0x0c, 0x84, 0xa1,
1864 0x12, 0x12, 0x84, 0x18, 0x75, 0x96, 0x81, 0x71, 0x45, 0x58,
1865 },
1866 32, "Cloudflare 'Nimbus2020' Log" },
1867 { (const uint8_t[]){
1868 0x44, 0x94, 0x65, 0x2e, 0xb0, 0xee, 0xce, 0xaf, 0xc4, 0x40, 0x07,
1869 0xd8, 0xa8, 0xfe, 0x28, 0xc0, 0xda, 0xe6, 0x82, 0xbe, 0xd8, 0xcb,
1870 0x31, 0xb5, 0x3f, 0xd3, 0x33, 0x96, 0xb5, 0xb6, 0x81, 0xa8,
1871 },
1872 32, "Cloudflare 'Nimbus2021' Log" },
1873 { (const uint8_t[]){
1874 0x41, 0xc8, 0xca, 0xb1, 0xdf, 0x22, 0x46, 0x4a, 0x10, 0xc6, 0xa1,
1875 0x3a, 0x09, 0x42, 0x87, 0x5e, 0x4e, 0x31, 0x8b, 0x1b, 0x03, 0xeb,
1876 0xeb, 0x4b, 0xc7, 0x68, 0xf0, 0x90, 0x62, 0x96, 0x06, 0xf6,
1877 },
1878 32, "Cloudflare 'Nimbus2022' Log" },
1879 { (const uint8_t[]){
1880 0x7a, 0x32, 0x8c, 0x54, 0xd8, 0xb7, 0x2d, 0xb6, 0x20, 0xea, 0x38,
1881 0xe0, 0x52, 0x1e, 0xe9, 0x84, 0x16, 0x70, 0x32, 0x13, 0x85, 0x4d,
1882 0x3b, 0xd2, 0x2b, 0xc1, 0x3a, 0x57, 0xa3, 0x52, 0xeb, 0x52,
1883 },
1884 32, "Cloudflare 'Nimbus2023' Log" },
1885 { (const uint8_t[]){
1886 0xda, 0xb6, 0xbf, 0x6b, 0x3f, 0xb5, 0xb6, 0x22, 0x9f, 0x9b, 0xc2,
1887 0xbb, 0x5c, 0x6b, 0xe8, 0x70, 0x91, 0x71, 0x6c, 0xbb, 0x51, 0x84,
1888 0x85, 0x34, 0xbd, 0xa4, 0x3d, 0x30, 0x48, 0xd7, 0xfb, 0xab,
1889 },
1890 32, "Cloudflare 'Nimbus2024' Log" },
1891 { (const uint8_t[]){
1892 0xcc, 0xfb, 0x0f, 0x6a, 0x85, 0x71, 0x09, 0x65, 0xfe, 0x95, 0x9b,
1893 0x53, 0xce, 0xe9, 0xb2, 0x7c, 0x22, 0xe9, 0x85, 0x5c, 0x0d, 0x97,
1894 0x8d, 0xb6, 0xa9, 0x7e, 0x54, 0xc0, 0xfe, 0x4c, 0x0d, 0xb0,
1895 },
1896 32, "Cloudflare 'Nimbus2025'" },
1897 { (const uint8_t[]){
1898 0xcb, 0x38, 0xf7, 0x15, 0x89, 0x7c, 0x84, 0xa1, 0x44, 0x5f, 0x5b,
1899 0xc1, 0xdd, 0xfb, 0xc9, 0x6e, 0xf2, 0x9a, 0x59, 0xcd, 0x47, 0x0a,
1900 0x69, 0x05, 0x85, 0xb0, 0xcb, 0x14, 0xc3, 0x14, 0x58, 0xe7,
1901 },
1902 32, "Cloudflare 'Nimbus2026'" },
1903 { (const uint8_t[]){
1904 0x4c, 0x63, 0xdc, 0x98, 0xe5, 0x9c, 0x1d, 0xab, 0x88, 0xf6, 0x1e,
1905 0x8a, 0x3d, 0xde, 0xae, 0x8f, 0xab, 0x44, 0xa3, 0x37, 0x7b, 0x5f,
1906 0x9b, 0x94, 0xc3, 0xfb, 0xa1, 0x9c, 0xfc, 0xc1, 0xbe, 0x26,
1907 },
1908 32, "Cloudflare 'Nimbus2027'" },
1909 { (const uint8_t[]){
1910 0x1f, 0xbc, 0x36, 0xe0, 0x02, 0xed, 0xe9, 0x7f, 0x40, 0x19, 0x9e,
1911 0x86, 0xb3, 0x57, 0x3b, 0x8a, 0x42, 0x17, 0xd8, 0x01, 0x87, 0x74,
1912 0x6a, 0xd0, 0xda, 0x03, 0xa0, 0x60, 0x54, 0xd2, 0x0d, 0xf4,
1913 },
1914 32, "Cloudflare 'Nimbus2017' Log" },
1915 { (const uint8_t[]){
1916 0xdb, 0x74, 0xaf, 0xee, 0xcb, 0x29, 0xec, 0xb1, 0xfe, 0xca, 0x3e,
1917 0x71, 0x6d, 0x2c, 0xe5, 0xb9, 0xaa, 0xbb, 0x36, 0xf7, 0x84, 0x71,
1918 0x83, 0xc7, 0x5d, 0x9d, 0x4f, 0x37, 0xb6, 0x1f, 0xbf, 0x64,
1919 },
1920 32, "Cloudflare 'Nimbus2018' Log" },
1921 { (const uint8_t[]){
1922 0x74, 0x7e, 0xda, 0x83, 0x31, 0xad, 0x33, 0x10, 0x91, 0x21, 0x9c,
1923 0xce, 0x25, 0x4f, 0x42, 0x70, 0xc2, 0xbf, 0xfd, 0x5e, 0x42, 0x20,
1924 0x08, 0xc6, 0x37, 0x35, 0x79, 0xe6, 0x10, 0x7b, 0xcc, 0x56,
1925 },
1926 32, "Cloudflare 'Nimbus2019' Log" },
1927 { (const uint8_t[]){
1928 0x56, 0x14, 0x06, 0x9a, 0x2f, 0xd7, 0xc2, 0xec, 0xd3, 0xf5, 0xe1,
1929 0xbd, 0x44, 0xb2, 0x3e, 0xc7, 0x46, 0x76, 0xb9, 0xbc, 0x99, 0x11,
1930 0x5c, 0xc0, 0xef, 0x94, 0x98, 0x55, 0xd6, 0x89, 0xd0, 0xdd,
1931 },
1932 32, "DigiCert Log Server" },
1933 { (const uint8_t[]){
1934 0x87, 0x75, 0xbf, 0xe7, 0x59, 0x7c, 0xf8, 0x8c, 0x43, 0x99, 0x5f,
1935 0xbd, 0xf3, 0x6e, 0xff, 0x56, 0x8d, 0x47, 0x56, 0x36, 0xff, 0x4a,
1936 0xb5, 0x60, 0xc1, 0xb4, 0xea, 0xff, 0x5e, 0xa0, 0x83, 0x0f,
1937 },
1938 32, "DigiCert Log Server 2" },
1939 { (const uint8_t[]){
1940 0xf0, 0x95, 0xa4, 0x59, 0xf2, 0x00, 0xd1, 0x82, 0x40, 0x10, 0x2d,
1941 0x2f, 0x93, 0x88, 0x8e, 0xad, 0x4b, 0xfe, 0x1d, 0x47, 0xe3, 0x99,
1942 0xe1, 0xd0, 0x34, 0xa6, 0xb0, 0xa8, 0xaa, 0x8e, 0xb2, 0x73,
1943 },
1944 32, "DigiCert Yeti2020 Log" },
1945 { (const uint8_t[]){
1946 0x5c, 0xdc, 0x43, 0x92, 0xfe, 0xe6, 0xab, 0x45, 0x44, 0xb1, 0x5e,
1947 0x9a, 0xd4, 0x56, 0xe6, 0x10, 0x37, 0xfb, 0xd5, 0xfa, 0x47, 0xdc,
1948 0xa1, 0x73, 0x94, 0xb2, 0x5e, 0xe6, 0xf6, 0xc7, 0x0e, 0xca,
1949 },
1950 32, "DigiCert Yeti2021 Log" },
1951 { (const uint8_t[]){
1952 0x22, 0x45, 0x45, 0x07, 0x59, 0x55, 0x24, 0x56, 0x96, 0x3f, 0xa1,
1953 0x2f, 0xf1, 0xf7, 0x6d, 0x86, 0xe0, 0x23, 0x26, 0x63, 0xad, 0xc0,
1954 0x4b, 0x7f, 0x5d, 0xc6, 0x83, 0x5c, 0x6e, 0xe2, 0x0f, 0x02,
1955 },
1956 32, "DigiCert Yeti2022 Log" },
1957 { (const uint8_t[]){
1958 0x35, 0xcf, 0x19, 0x1b, 0xbf, 0xb1, 0x6c, 0x57, 0xbf, 0x0f, 0xad,
1959 0x4c, 0x6d, 0x42, 0xcb, 0xbb, 0xb6, 0x27, 0x20, 0x26, 0x51, 0xea,
1960 0x3f, 0xe1, 0x2a, 0xef, 0xa8, 0x03, 0xc3, 0x3b, 0xd6, 0x4c,
1961 },
1962 32, "DigiCert Yeti2023 Log" },
1963 { (const uint8_t[]){
1964 0x48, 0xb0, 0xe3, 0x6b, 0xda, 0xa6, 0x47, 0x34, 0x0f, 0xe5, 0x6a,
1965 0x02, 0xfa, 0x9d, 0x30, 0xeb, 0x1c, 0x52, 0x01, 0xcb, 0x56, 0xdd,
1966 0x2c, 0x81, 0xd9, 0xbb, 0xbf, 0xab, 0x39, 0xd8, 0x84, 0x73,
1967 },
1968 32, "DigiCert Yeti2024 Log" },
1969 { (const uint8_t[]){
1970 0x7d, 0x59, 0x1e, 0x12, 0xe1, 0x78, 0x2a, 0x7b, 0x1c, 0x61, 0x67,
1971 0x7c, 0x5e, 0xfd, 0xf8, 0xd0, 0x87, 0x5c, 0x14, 0xa0, 0x4e, 0x95,
1972 0x9e, 0xb9, 0x03, 0x2f, 0xd9, 0x0e, 0x8c, 0x2e, 0x79, 0xb8,
1973 },
1974 32, "DigiCert Yeti2025 Log" },
1975 { (const uint8_t[]){
1976 0xc6, 0x52, 0xa0, 0xec, 0x48, 0xce, 0xb3, 0xfc, 0xab, 0x17, 0x09,
1977 0x92, 0xc4, 0x3a, 0x87, 0x41, 0x33, 0x09, 0xe8, 0x00, 0x65, 0xa2,
1978 0x62, 0x52, 0x40, 0x1b, 0xa3, 0x36, 0x2a, 0x17, 0xc5, 0x65,
1979 },
1980 32, "DigiCert Nessie2020 Log" },
1981 { (const uint8_t[]){
1982 0xee, 0xc0, 0x95, 0xee, 0x8d, 0x72, 0x64, 0x0f, 0x92, 0xe3, 0xc3,
1983 0xb9, 0x1b, 0xc7, 0x12, 0xa3, 0x69, 0x6a, 0x09, 0x7b, 0x4b, 0x6a,
1984 0x1a, 0x14, 0x38, 0xe6, 0x47, 0xb2, 0xcb, 0xed, 0xc5, 0xf9,
1985 },
1986 32, "DigiCert Nessie2021 Log" },
1987 { (const uint8_t[]){
1988 0x51, 0xa3, 0xb0, 0xf5, 0xfd, 0x01, 0x79, 0x9c, 0x56, 0x6d, 0xb8,
1989 0x37, 0x78, 0x8f, 0x0c, 0xa4, 0x7a, 0xcc, 0x1b, 0x27, 0xcb, 0xf7,
1990 0x9e, 0x88, 0x42, 0x9a, 0x0d, 0xfe, 0xd4, 0x8b, 0x05, 0xe5,
1991 },
1992 32, "DigiCert Nessie2022 Log" },
1993 { (const uint8_t[]){
1994 0xb3, 0x73, 0x77, 0x07, 0xe1, 0x84, 0x50, 0xf8, 0x63, 0x86, 0xd6,
1995 0x05, 0xa9, 0xdc, 0x11, 0x09, 0x4a, 0x79, 0x2d, 0xb1, 0x67, 0x0c,
1996 0x0b, 0x87, 0xdc, 0xf0, 0x03, 0x0e, 0x79, 0x36, 0xa5, 0x9a,
1997 },
1998 32, "DigiCert Nessie2023 Log" },
1999 { (const uint8_t[]){
2000 0x73, 0xd9, 0x9e, 0x89, 0x1b, 0x4c, 0x96, 0x78, 0xa0, 0x20, 0x7d,
2001 0x47, 0x9d, 0xe6, 0xb2, 0xc6, 0x1c, 0xd0, 0x51, 0x5e, 0x71, 0x19,
2002 0x2a, 0x8c, 0x6b, 0x80, 0x10, 0x7a, 0xc1, 0x77, 0x72, 0xb5,
2003 },
2004 32, "DigiCert Nessie2024 Log" },
2005 { (const uint8_t[]){
2006 0xe6, 0xd2, 0x31, 0x63, 0x40, 0x77, 0x8c, 0xc1, 0x10, 0x41, 0x06,
2007 0xd7, 0x71, 0xb9, 0xce, 0xc1, 0xd2, 0x40, 0xf6, 0x96, 0x84, 0x86,
2008 0xfb, 0xba, 0x87, 0x32, 0x1d, 0xfd, 0x1e, 0x37, 0x8e, 0x50,
2009 },
2010 32, "DigiCert Nessie2025 Log" },
2011 { (const uint8_t[]){
2012 0xb6, 0x9d, 0xdc, 0xbc, 0x3c, 0x1a, 0xbd, 0xef, 0x6f, 0x9f, 0xd6,
2013 0x0c, 0x88, 0xb1, 0x06, 0x7b, 0x77, 0xf0, 0x82, 0x68, 0x8b, 0x2d,
2014 0x78, 0x65, 0xd0, 0x4b, 0x39, 0xab, 0xe9, 0x27, 0xa5, 0x75,
2015 },
2016 32, "DigiCert 'Wyvern2024h1' Log" },
2017 { (const uint8_t[]){
2018 0x0c, 0x2a, 0xef, 0x2c, 0x4a, 0x5b, 0x98, 0x83, 0xd4, 0xdd, 0xa3,
2019 0x82, 0xfe, 0x50, 0xfb, 0x51, 0x88, 0xb3, 0xe9, 0x73, 0x33, 0xa1,
2020 0xec, 0x53, 0xa0, 0x9d, 0xc9, 0xa7, 0x9d, 0x0d, 0x08, 0x20,
2021 },
2022 32, "DigiCert 'Wyvern2024h2' Log" },
2023 { (const uint8_t[]){
2024 0x73, 0x20, 0x22, 0x0f, 0x08, 0x16, 0x8a, 0xf9, 0xf3, 0xc4, 0xa6,
2025 0x8b, 0x0a, 0xb2, 0x6a, 0x9a, 0x4a, 0x00, 0xee, 0xf5, 0x77, 0x85,
2026 0x8a, 0x08, 0x4d, 0x05, 0x00, 0xd4, 0xa5, 0x42, 0x44, 0x59,
2027 },
2028 32, "DigiCert 'Wyvern2025h1' Log" },
2029 { (const uint8_t[]){
2030 0xed, 0x3c, 0x4b, 0xd6, 0xe8, 0x06, 0xc2, 0xa4, 0xa2, 0x00, 0x57,
2031 0xdb, 0xcb, 0x24, 0xe2, 0x38, 0x01, 0xdf, 0x51, 0x2f, 0xed, 0xc4,
2032 0x86, 0xc5, 0x70, 0x0f, 0x20, 0xdd, 0xb7, 0x3e, 0x3f, 0xe0,
2033 },
2034 32, "DigiCert 'Wyvern2025h2' Log" },
2035 { (const uint8_t[]){
2036 0x64, 0x11, 0xc4, 0x6c, 0xa4, 0x12, 0xec, 0xa7, 0x89, 0x1c, 0xa2,
2037 0x02, 0x2e, 0x00, 0xbc, 0xab, 0x4f, 0x28, 0x07, 0xd4, 0x1e, 0x35,
2038 0x27, 0xab, 0xea, 0xfe, 0xd5, 0x03, 0xc9, 0x7d, 0xcd, 0xf0,
2039 },
2040 32, "DigiCert 'Wyvern2026h1'" },
2041 { (const uint8_t[]){
2042 0xc2, 0x31, 0x7e, 0x57, 0x45, 0x19, 0xa3, 0x45, 0xee, 0x7f, 0x38,
2043 0xde, 0xb2, 0x90, 0x41, 0xeb, 0xc7, 0xc2, 0x21, 0x5a, 0x22, 0xbf,
2044 0x7f, 0xd5, 0xb5, 0xad, 0x76, 0x9a, 0xd9, 0x0e, 0x52, 0xcd,
2045 },
2046 32, "DigiCert 'Wyvern2026h2'" },
2047 { (const uint8_t[]){
2048 0x00, 0x1a, 0x5d, 0x1a, 0x1c, 0x2d, 0x93, 0x75, 0xb6, 0x48, 0x55,
2049 0x78, 0xf8, 0x2f, 0x71, 0xa1, 0xae, 0x6e, 0xef, 0x39, 0x7d, 0x29,
2050 0x7c, 0x8a, 0xe3, 0x15, 0x7b, 0xca, 0xde, 0xe1, 0xa0, 0x1e,
2051 },
2052 32, "DigiCert 'Wyvern2027h1'" },
2053 { (const uint8_t[]){
2054 0x37, 0xaa, 0x07, 0xcc, 0x21, 0x6f, 0x2e, 0x6d, 0x91, 0x9c, 0x70,
2055 0x9d, 0x24, 0xd8, 0xf7, 0x31, 0xb0, 0x0f, 0x2b, 0x14, 0x7c, 0x62,
2056 0x1c, 0xc0, 0x91, 0xa5, 0xfa, 0x1a, 0x84, 0xd8, 0x16, 0xdd,
2057 },
2058 32, "DigiCert 'Wyvern2027h2'" },
2059 { (const uint8_t[]){
2060 0xdb, 0x07, 0x6c, 0xde, 0x6a, 0x8b, 0x78, 0xec, 0x58, 0xd6, 0x05,
2061 0x64, 0x96, 0xeb, 0x6a, 0x26, 0xa8, 0xc5, 0x9e, 0x72, 0x12, 0x93,
2062 0xe8, 0xac, 0x03, 0x27, 0xdd, 0xde, 0x89, 0xdb, 0x5a, 0x2a,
2063 },
2064 32, "DigiCert 'Sphinx2024h1' Log" },
2065 { (const uint8_t[]){
2066 0xdc, 0xc9, 0x5e, 0x6f, 0xa2, 0x99, 0xb9, 0xb0, 0xfd, 0xbd, 0x6c,
2067 0xa6, 0xa3, 0x6e, 0x1d, 0x72, 0xc4, 0x21, 0x2f, 0xdd, 0x1e, 0x0f,
2068 0x47, 0x55, 0x3a, 0x36, 0xd6, 0xcf, 0x1a, 0xd1, 0x1d, 0x8d,
2069 },
2070 32, "DigiCert 'Sphinx2024h2' Log" },
2071 { (const uint8_t[]){
2072 0xde, 0x85, 0x81, 0xd7, 0x50, 0x24, 0x7c, 0x6b, 0xcd, 0xcb, 0xaf,
2073 0x56, 0x37, 0xc5, 0xe7, 0x81, 0xc6, 0x4c, 0xe4, 0x6e, 0xd6, 0x17,
2074 0x63, 0x9f, 0x8f, 0x34, 0xa7, 0x26, 0xc9, 0xe2, 0xbd, 0x37,
2075 },
2076 32, "DigiCert 'Sphinx2025h1' Log" },
2077 { (const uint8_t[]){
2078 0xa4, 0x42, 0xc5, 0x06, 0x49, 0x60, 0x61, 0x54, 0x8f, 0x0f, 0xd4,
2079 0xea, 0x9c, 0xfb, 0x7a, 0x2d, 0x26, 0x45, 0x4d, 0x87, 0xa9, 0x7f,
2080 0x2f, 0xdf, 0x45, 0x59, 0xf6, 0x27, 0x4f, 0x3a, 0x84, 0x54,
2081 },
2082 32, "DigiCert 'Sphinx2025h2' Log" },
2083 { (const uint8_t[]){
2084 0x49, 0x9c, 0x9b, 0x69, 0xde, 0x1d, 0x7c, 0xec, 0xfc, 0x36, 0xde,
2085 0xcd, 0x87, 0x64, 0xa6, 0xb8, 0x5b, 0xaf, 0x0a, 0x87, 0x80, 0x19,
2086 0xd1, 0x55, 0x52, 0xfb, 0xe9, 0xeb, 0x29, 0xdd, 0xf8, 0xc3,
2087 },
2088 32, "DigiCert 'Sphinx2026h1'" },
2089 { (const uint8_t[]){
2090 0x94, 0x4e, 0x43, 0x87, 0xfa, 0xec, 0xc1, 0xef, 0x81, 0xf3, 0x19,
2091 0x24, 0x26, 0xa8, 0x18, 0x65, 0x01, 0xc7, 0xd3, 0x5f, 0x38, 0x02,
2092 0x01, 0x3f, 0x72, 0x67, 0x7d, 0x55, 0x37, 0x2e, 0x19, 0xd8,
2093 },
2094 32, "DigiCert 'Sphinx2026h2'" },
2095 { (const uint8_t[]){
2096 0x46, 0xa2, 0x39, 0x67, 0xc6, 0x0d, 0xb6, 0x46, 0x87, 0xc6, 0x6f,
2097 0x3d, 0xf9, 0x99, 0x94, 0x76, 0x93, 0xa6, 0xa6, 0x11, 0x20, 0x84,
2098 0x57, 0xd5, 0x55, 0xe7, 0xe3, 0xd0, 0xa1, 0xd9, 0xb6, 0x46,
2099 },
2100 32, "DigiCert 'sphinx2027h1'" },
2101 { (const uint8_t[]){
2102 0x1f, 0xb0, 0xf8, 0xa9, 0x2d, 0x8a, 0xdd, 0xa1, 0x21, 0x77, 0x6c,
2103 0x05, 0xe2, 0xaa, 0x2e, 0x15, 0xba, 0xcb, 0xc6, 0x2b, 0x65, 0x39,
2104 0x36, 0x95, 0x57, 0x6a, 0xaa, 0xb5, 0x2e, 0x11, 0xd1, 0x1d,
2105 },
2106 32, "DigiCert 'sphinx2027h2'" },
2107 { (const uint8_t[]){
2108 0xdd, 0xeb, 0x1d, 0x2b, 0x7a, 0x0d, 0x4f, 0xa6, 0x20, 0x8b, 0x81,
2109 0xad, 0x81, 0x68, 0x70, 0x7e, 0x2e, 0x8e, 0x9d, 0x01, 0xd5, 0x5c,
2110 0x88, 0x8d, 0x3d, 0x11, 0xc4, 0xcd, 0xb6, 0xec, 0xbe, 0xcc,
2111 },
2112 32, "Symantec log" },
2113 { (const uint8_t[]){
2114 0xbc, 0x78, 0xe1, 0xdf, 0xc5, 0xf6, 0x3c, 0x68, 0x46, 0x49, 0x33,
2115 0x4d, 0xa1, 0x0f, 0xa1, 0x5f, 0x09, 0x79, 0x69, 0x20, 0x09, 0xc0,
2116 0x81, 0xb4, 0xf3, 0xf6, 0x91, 0x7f, 0x3e, 0xd9, 0xb8, 0xa5,
2117 },
2118 32, "Symantec 'Vega' log" },
2119 { (const uint8_t[]){
2120 0x15, 0x97, 0x04, 0x88, 0xd7, 0xb9, 0x97, 0xa0, 0x5b, 0xeb, 0x52,
2121 0x51, 0x2a, 0xde, 0xe8, 0xd2, 0xe8, 0xb4, 0xa3, 0x16, 0x52, 0x64,
2122 0x12, 0x1a, 0x9f, 0xab, 0xfb, 0xd5, 0xf8, 0x5a, 0xd9, 0x3f,
2123 },
2124 32, "Symantec 'Sirius' log" },
2125 { (const uint8_t[]){
2126 0x05, 0x9c, 0x01, 0xd3, 0x20, 0xe0, 0x07, 0x84, 0x13, 0x95, 0x80,
2127 0x49, 0x8d, 0x11, 0x7c, 0x90, 0x32, 0x66, 0xaf, 0xaf, 0x72, 0x50,
2128 0xb5, 0xaf, 0x3b, 0x46, 0xa4, 0x3e, 0x11, 0x84, 0x0d, 0x4a,
2129 },
2130 32, "DigiCert Yeti2022-2 Log" },
2131 { (const uint8_t[]){
2132 0xc1, 0x16, 0x4a, 0xe0, 0xa7, 0x72, 0xd2, 0xd4, 0x39, 0x2d, 0xc8,
2133 0x0a, 0xc1, 0x07, 0x70, 0xd4, 0xf0, 0xc4, 0x9b, 0xde, 0x99, 0x1a,
2134 0x48, 0x40, 0xc1, 0xfa, 0x07, 0x51, 0x64, 0xf6, 0x33, 0x60,
2135 },
2136 32, "DigiCert Yeti2018 Log" },
2137 { (const uint8_t[]){
2138 0xe2, 0x69, 0x4b, 0xae, 0x26, 0xe8, 0xe9, 0x40, 0x09, 0xe8, 0x86,
2139 0x1b, 0xb6, 0x3b, 0x83, 0xd4, 0x3e, 0xe7, 0xfe, 0x74, 0x88, 0xfb,
2140 0xa4, 0x8f, 0x28, 0x93, 0x01, 0x9d, 0xdd, 0xf1, 0xdb, 0xfe,
2141 },
2142 32, "DigiCert Yeti2019 Log" },
2143 { (const uint8_t[]){
2144 0x6f, 0xf1, 0x41, 0xb5, 0x64, 0x7e, 0x42, 0x22, 0xf7, 0xef, 0x05,
2145 0x2c, 0xef, 0xae, 0x7c, 0x21, 0xfd, 0x60, 0x8e, 0x27, 0xd2, 0xaf,
2146 0x5a, 0x6e, 0x9f, 0x4b, 0x8a, 0x37, 0xd6, 0x63, 0x3e, 0xe5,
2147 },
2148 32, "DigiCert Nessie2018 Log" },
2149 { (const uint8_t[]){
2150 0xfe, 0x44, 0x61, 0x08, 0xb1, 0xd0, 0x1a, 0xb7, 0x8a, 0x62, 0xcc,
2151 0xfe, 0xab, 0x6a, 0xb2, 0xb2, 0xba, 0xbf, 0xf3, 0xab, 0xda, 0xd8,
2152 0x0a, 0x4d, 0x8b, 0x30, 0xdf, 0x2d, 0x00, 0x08, 0x83, 0x0c,
2153 },
2154 32, "DigiCert Nessie2019 Log" },
2155 { (const uint8_t[]){
2156 0xa7, 0xce, 0x4a, 0x4e, 0x62, 0x07, 0xe0, 0xad, 0xde, 0xe5, 0xfd,
2157 0xaa, 0x4b, 0x1f, 0x86, 0x76, 0x87, 0x67, 0xb5, 0xd0, 0x02, 0xa5,
2158 0x5d, 0x47, 0x31, 0x0e, 0x7e, 0x67, 0x0a, 0x95, 0xea, 0xb2,
2159 },
2160 32, "Symantec Deneb" },
2161 { (const uint8_t[]){
2162 0xcd, 0xb5, 0x17, 0x9b, 0x7f, 0xc1, 0xc0, 0x46, 0xfe, 0xea, 0x31,
2163 0x13, 0x6a, 0x3f, 0x8f, 0x00, 0x2e, 0x61, 0x82, 0xfa, 0xf8, 0x89,
2164 0x6f, 0xec, 0xc8, 0xb2, 0xf5, 0xb5, 0xab, 0x60, 0x49, 0x00,
2165 },
2166 32, "Certly.IO log" },
2167 { (const uint8_t[]){
2168 0x74, 0x61, 0xb4, 0xa0, 0x9c, 0xfb, 0x3d, 0x41, 0xd7, 0x51, 0x59,
2169 0x57, 0x5b, 0x2e, 0x76, 0x49, 0xa4, 0x45, 0xa8, 0xd2, 0x77, 0x09,
2170 0xb0, 0xcc, 0x56, 0x4a, 0x64, 0x82, 0xb7, 0xeb, 0x41, 0xa3,
2171 },
2172 32, "Izenpe log" },
2173 { (const uint8_t[]){
2174 0x89, 0x41, 0x44, 0x9c, 0x70, 0x74, 0x2e, 0x06, 0xb9, 0xfc, 0x9c,
2175 0xe7, 0xb1, 0x16, 0xba, 0x00, 0x24, 0xaa, 0x36, 0xd5, 0x9a, 0xf4,
2176 0x4f, 0x02, 0x04, 0x40, 0x4f, 0x00, 0xf7, 0xea, 0x85, 0x66,
2177 },
2178 32, "Izenpe 'Argi' log" },
2179 { (const uint8_t[]){
2180 0x41, 0xb2, 0xdc, 0x2e, 0x89, 0xe6, 0x3c, 0xe4, 0xaf, 0x1b, 0xa7,
2181 0xbb, 0x29, 0xbf, 0x68, 0xc6, 0xde, 0xe6, 0xf9, 0xf1, 0xcc, 0x04,
2182 0x7e, 0x30, 0xdf, 0xfa, 0xe3, 0xb3, 0xba, 0x25, 0x92, 0x63,
2183 },
2184 32, "WoSign log" },
2185 { (const uint8_t[]){
2186 0x9e, 0x4f, 0xf7, 0x3d, 0xc3, 0xce, 0x22, 0x0b, 0x69, 0x21, 0x7c,
2187 0x89, 0x9e, 0x46, 0x80, 0x76, 0xab, 0xf8, 0xd7, 0x86, 0x36, 0xd5,
2188 0xcc, 0xfc, 0x85, 0xa3, 0x1a, 0x75, 0x62, 0x8b, 0xa8, 0x8b,
2189 },
2190 32, "WoSign CT log #1" },
2191 { (const uint8_t[]){
2192 0x63, 0xd0, 0x00, 0x60, 0x26, 0xdd, 0xe1, 0x0b, 0xb0, 0x60, 0x1f,
2193 0x45, 0x24, 0x46, 0x96, 0x5e, 0xe2, 0xb6, 0xea, 0x2c, 0xd4, 0xfb,
2194 0xc9, 0x5a, 0xc8, 0x66, 0xa5, 0x50, 0xaf, 0x90, 0x75, 0xb7,
2195 },
2196 32, "WoSign log 2" },
2197 { (const uint8_t[]){
2198 0xac, 0x3b, 0x9a, 0xed, 0x7f, 0xa9, 0x67, 0x47, 0x57, 0x15, 0x9e,
2199 0x6d, 0x7d, 0x57, 0x56, 0x72, 0xf9, 0xd9, 0x81, 0x00, 0x94, 0x1e,
2200 0x9b, 0xde, 0xff, 0xec, 0xa1, 0x31, 0x3b, 0x75, 0x78, 0x2d,
2201 },
2202 32, "Venafi log" },
2203 { (const uint8_t[]){
2204 0x03, 0x01, 0x9d, 0xf3, 0xfd, 0x85, 0xa6, 0x9a, 0x8e, 0xbd, 0x1f,
2205 0xac, 0xc6, 0xda, 0x9b, 0xa7, 0x3e, 0x46, 0x97, 0x74, 0xfe, 0x77,
2206 0xf5, 0x79, 0xfc, 0x5a, 0x08, 0xb8, 0x32, 0x8c, 0x1d, 0x6b,
2207 },
2208 32, "Venafi Gen2 CT log" },
2209 { (const uint8_t[]){
2210 0xa5, 0x77, 0xac, 0x9c, 0xed, 0x75, 0x48, 0xdd, 0x8f, 0x02, 0x5b,
2211 0x67, 0xa2, 0x41, 0x08, 0x9d, 0xf8, 0x6e, 0x0f, 0x47, 0x6e, 0xc2,
2212 0x03, 0xc2, 0xec, 0xbe, 0xdb, 0x18, 0x5f, 0x28, 0x26, 0x38,
2213 },
2214 32, "CNNIC CT log" },
2215 { (const uint8_t[]){
2216 0x34, 0xbb, 0x6a, 0xd6, 0xc3, 0xdf, 0x9c, 0x03, 0xee, 0xa8, 0xa4,
2217 0x99, 0xff, 0x78, 0x91, 0x48, 0x6c, 0x9d, 0x5e, 0x5c, 0xac, 0x92,
2218 0xd0, 0x1f, 0x7b, 0xfd, 0x1b, 0xce, 0x19, 0xdb, 0x48, 0xef,
2219 },
2220 32, "StartCom log" },
2221 { (const uint8_t[]){
2222 0x55, 0x81, 0xd4, 0xc2, 0x16, 0x90, 0x36, 0x01, 0x4a, 0xea, 0x0b,
2223 0x9b, 0x57, 0x3c, 0x53, 0xf0, 0xc0, 0xe4, 0x38, 0x78, 0x70, 0x25,
2224 0x08, 0x17, 0x2f, 0xa3, 0xaa, 0x1d, 0x07, 0x13, 0xd3, 0x0c,
2225 },
2226 32, "Sectigo 'Sabre' CT log" },
2227 { (const uint8_t[]){
2228 0xa2, 0xe2, 0xbf, 0xd6, 0x1e, 0xde, 0x2f, 0x2f, 0x07, 0xa0, 0xd6,
2229 0x4e, 0x6d, 0x37, 0xa7, 0xdc, 0x65, 0x43, 0xb0, 0xc6, 0xb5, 0x2e,
2230 0xa2, 0xda, 0xb7, 0x8a, 0xf8, 0x9a, 0x6d, 0xf5, 0x17, 0xd8,
2231 },
2232 32, "Sectigo 'Sabre2024h1'" },
2233 { (const uint8_t[]){
2234 0x19, 0x98, 0x10, 0x71, 0x09, 0xf0, 0xd6, 0x52, 0x2e, 0x30, 0x80,
2235 0xd2, 0x9e, 0x3f, 0x64, 0xbb, 0x83, 0x6e, 0x28, 0xcc, 0xf9, 0x0f,
2236 0x52, 0x8e, 0xee, 0xdf, 0xce, 0x4a, 0x3f, 0x16, 0xb4, 0xca,
2237 },
2238 32, "Sectigo 'Sabre2024h2'" },
2239 { (const uint8_t[]){
2240 0xe0, 0x92, 0xb3, 0xfc, 0x0c, 0x1d, 0xc8, 0xe7, 0x68, 0x36, 0x1f,
2241 0xde, 0x61, 0xb9, 0x96, 0x4d, 0x0a, 0x52, 0x78, 0x19, 0x8a, 0x72,
2242 0xd6, 0x72, 0xc4, 0xb0, 0x4d, 0xa5, 0x6d, 0x6f, 0x54, 0x04,
2243 },
2244 32, "Sectigo 'Sabre2025h1'" },
2245 { (const uint8_t[]){
2246 0x1a, 0x04, 0xff, 0x49, 0xd0, 0x54, 0x1d, 0x40, 0xaf, 0xf6, 0xa0,
2247 0xc3, 0xbf, 0xf1, 0xd8, 0xc4, 0x67, 0x2f, 0x4e, 0xec, 0xee, 0x23,
2248 0x40, 0x68, 0x98, 0x6b, 0x17, 0x40, 0x2e, 0xdc, 0x89, 0x7d,
2249 },
2250 32, "Sectigo 'Sabre2025h2'" },
2251 { (const uint8_t[]){
2252 0x6f, 0x53, 0x76, 0xac, 0x31, 0xf0, 0x31, 0x19, 0xd8, 0x99, 0x00,
2253 0xa4, 0x51, 0x15, 0xff, 0x77, 0x15, 0x1c, 0x11, 0xd9, 0x02, 0xc1,
2254 0x00, 0x29, 0x06, 0x8d, 0xb2, 0x08, 0x9a, 0x37, 0xd9, 0x13,
2255 },
2256 32, "Sectigo 'Mammoth' CT log" },
2257 { (const uint8_t[]){
2258 0x29, 0xd0, 0x3a, 0x1b, 0xb6, 0x74, 0xaa, 0x71, 0x1c, 0xd3, 0x03,
2259 0x5b, 0x65, 0x57, 0xc1, 0x4f, 0x8a, 0xa7, 0x8b, 0x4f, 0xe8, 0x38,
2260 0x94, 0x49, 0xec, 0xa4, 0x53, 0xf9, 0x44, 0xbd, 0x24, 0x68,
2261 },
2262 32, "Sectigo 'Mammoth2024h1'" },
2263 { (const uint8_t[]){
2264 0x50, 0x85, 0x01, 0x58, 0xdc, 0xb6, 0x05, 0x95, 0xc0, 0x0e, 0x92,
2265 0xa8, 0x11, 0x02, 0xec, 0xcd, 0xfe, 0x3f, 0x6b, 0x78, 0x58, 0x42,
2266 0x9f, 0x57, 0x98, 0x35, 0x38, 0xc9, 0xda, 0x52, 0x50, 0x63,
2267 },
2268 32, "Sectigo 'Mammoth2024h1b'" },
2269 { (const uint8_t[]){
2270 0xdf, 0xe1, 0x56, 0xeb, 0xaa, 0x05, 0xaf, 0xb5, 0x9c, 0x0f, 0x86,
2271 0x71, 0x8d, 0xa8, 0xc0, 0x32, 0x4e, 0xae, 0x56, 0xd9, 0x6e, 0xa7,
2272 0xf5, 0xa5, 0x6a, 0x01, 0xd1, 0xc1, 0x3b, 0xbe, 0x52, 0x5c,
2273 },
2274 32, "Sectigo 'Mammoth2024h2'" },
2275 { (const uint8_t[]){
2276 0x13, 0x4a, 0xdf, 0x1a, 0xb5, 0x98, 0x42, 0x09, 0x78, 0x0c, 0x6f,
2277 0xef, 0x4c, 0x7a, 0x91, 0xa4, 0x16, 0xb7, 0x23, 0x49, 0xce, 0x58,
2278 0x57, 0x6a, 0xdf, 0xae, 0xda, 0xa7, 0xc2, 0xab, 0xe0, 0x22,
2279 },
2280 32, "Sectigo 'Mammoth2025h1'" },
2281 { (const uint8_t[]){
2282 0xaf, 0x18, 0x1a, 0x28, 0xd6, 0x8c, 0xa3, 0xe0, 0xa9, 0x8a, 0x4c,
2283 0x9c, 0x67, 0xab, 0x09, 0xf8, 0xbb, 0xbc, 0x22, 0xba, 0xae, 0xbc,
2284 0xb1, 0x38, 0xa3, 0xa1, 0x9d, 0xd3, 0xf9, 0xb6, 0x03, 0x0d,
2285 },
2286 32, "Sectigo 'Mammoth2025h2'" },
2287 { (const uint8_t[]){
2288 0x25, 0x2f, 0x94, 0xc2, 0x2b, 0x29, 0xe9, 0x6e, 0x9f, 0x41, 0x1a,
2289 0x72, 0x07, 0x2b, 0x69, 0x5c, 0x5b, 0x52, 0xff, 0x97, 0xa9, 0x0d,
2290 0x25, 0x40, 0xbb, 0xfc, 0xdc, 0x51, 0xec, 0x4d, 0xee, 0x0b,
2291 },
2292 32, "Sectigo 'Mammoth2026h1'" },
2293 { (const uint8_t[]){
2294 0x94, 0xb1, 0xc1, 0x8a, 0xb0, 0xd0, 0x57, 0xc4, 0x7b, 0xe0, 0xac,
2295 0x04, 0x0e, 0x1f, 0x2c, 0xbc, 0x8d, 0xc3, 0x75, 0x72, 0x7b, 0xc9,
2296 0x51, 0xf2, 0x0a, 0x52, 0x61, 0x26, 0x86, 0x3b, 0xa7, 0x3c,
2297 },
2298 32, "Sectigo 'Mammoth2026h2'" },
2299 { (const uint8_t[]){
2300 0x56, 0x6c, 0xd5, 0xa3, 0x76, 0xbe, 0x83, 0xdf, 0xe3, 0x42, 0xb6,
2301 0x75, 0xc4, 0x9c, 0x23, 0x24, 0x98, 0xa7, 0x69, 0xba, 0xc3, 0x82,
2302 0xcb, 0xab, 0x49, 0xa3, 0x87, 0x7d, 0x9a, 0xb3, 0x2d, 0x01,
2303 },
2304 32, "Sectigo 'Sabre2026h1'" },
2305 { (const uint8_t[]){
2306 0x1f, 0x56, 0xd1, 0xab, 0x94, 0x70, 0x4a, 0x41, 0xdd, 0x3f, 0xea,
2307 0xfd, 0xf4, 0x69, 0x93, 0x55, 0x30, 0x2c, 0x14, 0x31, 0xbf, 0xe6,
2308 0x13, 0x46, 0x08, 0x9f, 0xff, 0xae, 0x79, 0x5d, 0xcc, 0x2f,
2309 },
2310 32, "Sectigo 'Sabre2026h2'" },
2311 { (const uint8_t[]){
2312 0x0d, 0x1d, 0xbc, 0x89, 0x44, 0xe9, 0xf5, 0x00, 0x55, 0x42, 0xd7,
2313 0x2d, 0x3e, 0x14, 0x4c, 0xcc, 0x43, 0x08, 0x2a, 0xb6, 0xea, 0x1e,
2314 0x94, 0xdf, 0xd7, 0x06, 0x65, 0x7d, 0x2e, 0x86, 0xf3, 0x01,
2315 },
2316 32, "Sectigo 'Elephant2025h2'" },
2317 { (const uint8_t[]){
2318 0xd1, 0x6e, 0xa9, 0xa5, 0x68, 0x07, 0x7e, 0x66, 0x35, 0xa0, 0x3f,
2319 0x37, 0xa5, 0xdd, 0xbc, 0x03, 0xa5, 0x3c, 0x41, 0x12, 0x14, 0xd4,
2320 0x88, 0x18, 0xf5, 0xe9, 0x31, 0xb3, 0x23, 0xcb, 0x95, 0x04,
2321 },
2322 32, "Sectigo 'Elephant2026h1'" },
2323 { (const uint8_t[]){
2324 0xaf, 0x67, 0x88, 0x3b, 0x57, 0xb0, 0x4e, 0xdd, 0x8f, 0xa6, 0xd9,
2325 0x7e, 0xf6, 0x2e, 0xa8, 0xeb, 0x81, 0x0a, 0xc7, 0x71, 0x60, 0xf0,
2326 0x24, 0x5e, 0x55, 0xd6, 0x0c, 0x2f, 0xe7, 0x85, 0x87, 0x3a,
2327 },
2328 32, "Sectigo 'Elephant2026h2'" },
2329 { (const uint8_t[]){
2330 0x60, 0x4c, 0x9a, 0xaf, 0x7a, 0x7f, 0x77, 0x5f, 0x01, 0xd4, 0x06,
2331 0xfc, 0x92, 0x0d, 0xc8, 0x99, 0xeb, 0x0b, 0x1c, 0x7d, 0xf8, 0xc9,
2332 0x52, 0x1b, 0xfa, 0xfa, 0x17, 0x77, 0x3b, 0x97, 0x8b, 0xc9,
2333 },
2334 32, "Sectigo 'Elephant2027h1'" },
2335 { (const uint8_t[]){
2336 0xa2, 0x49, 0x0c, 0xdc, 0xdb, 0x8e, 0x33, 0xa4, 0x00, 0x32, 0x17,
2337 0x60, 0xd6, 0xd4, 0xd5, 0x1a, 0x20, 0x36, 0x19, 0x1e, 0xa7, 0x7d,
2338 0x96, 0x8b, 0xe2, 0x6a, 0x8a, 0x00, 0xf6, 0xff, 0xff, 0xf7,
2339 },
2340 32, "Sectigo 'Elephant2027h2'" },
2341 { (const uint8_t[]){
2342 0x5c, 0xa5, 0x77, 0xd2, 0x9b, 0x7f, 0x8b, 0xaf, 0x41, 0x9e, 0xd8,
2343 0xec, 0xab, 0xfb, 0x6d, 0xcb, 0xae, 0xc3, 0x85, 0x37, 0x02, 0xd5,
2344 0x74, 0x6f, 0x17, 0x4d, 0xad, 0x3c, 0x93, 0x4a, 0xa9, 0x6a,
2345 },
2346 32, "Sectigo 'Tiger2025h2'" },
2347 { (const uint8_t[]){
2348 0x16, 0x83, 0x2d, 0xab, 0xf0, 0xa9, 0x25, 0x0f, 0x0f, 0xf0, 0x3a,
2349 0xa5, 0x45, 0xff, 0xc8, 0xbf, 0xc8, 0x23, 0xd0, 0x87, 0x4b, 0xf6,
2350 0x04, 0x29, 0x27, 0xf8, 0xe7, 0x1f, 0x33, 0x13, 0xf5, 0xfa,
2351 },
2352 32, "Sectigo 'Tiger2026h1'" },
2353 { (const uint8_t[]){
2354 0xc8, 0xa3, 0xc4, 0x7f, 0xc7, 0xb3, 0xad, 0xb9, 0x35, 0x6b, 0x01,
2355 0x3f, 0x6a, 0x7a, 0x12, 0x6d, 0xe3, 0x3a, 0x4e, 0x43, 0xa5, 0xc6,
2356 0x46, 0xf9, 0x97, 0xad, 0x39, 0x75, 0x99, 0x1d, 0xcf, 0x9a,
2357 },
2358 32, "Sectigo 'Tiger2026h2'" },
2359 { (const uint8_t[]){
2360 0x1c, 0x9f, 0x68, 0x2c, 0xe9, 0xfa, 0xf0, 0x45, 0x69, 0x50, 0xf8,
2361 0x1b, 0x96, 0x8a, 0x87, 0xdd, 0xdb, 0x32, 0x10, 0xd8, 0x4c, 0xe6,
2362 0xc8, 0xb2, 0xe3, 0x82, 0x52, 0x4a, 0xc4, 0xcf, 0x59, 0x9f,
2363 },
2364 32, "Sectigo 'Tiger2027h1'" },
2365 { (const uint8_t[]){
2366 0x03, 0x80, 0x2a, 0xc2, 0x62, 0xf6, 0xe0, 0x5e, 0x03, 0xf8, 0xbc,
2367 0x6f, 0x7b, 0x98, 0x51, 0x32, 0x4f, 0xd7, 0x6a, 0x3d, 0xf5, 0xb7,
2368 0x59, 0x51, 0x75, 0xe2, 0x22, 0xfb, 0x8e, 0x9b, 0xd5, 0xf6,
2369 },
2370 32, "Sectigo 'Tiger2027h2'" },
2371 { (const uint8_t[]){
2372 0xdb, 0x76, 0xfd, 0xad, 0xac, 0x65, 0xe7, 0xd0, 0x95, 0x08, 0x88,
2373 0x6e, 0x21, 0x59, 0xbd, 0x8b, 0x90, 0x35, 0x2f, 0x5f, 0xea, 0xd3,
2374 0xe3, 0xdc, 0x5e, 0x22, 0xeb, 0x35, 0x0a, 0xcc, 0x7b, 0x98,
2375 },
2376 32, "Sectigo 'Dodo' CT log" },
2377 { (const uint8_t[]){
2378 0xe7, 0x12, 0xf2, 0xb0, 0x37, 0x7e, 0x1a, 0x62, 0xfb, 0x8e, 0xc9,
2379 0x0c, 0x61, 0x84, 0xf1, 0xea, 0x7b, 0x37, 0xcb, 0x56, 0x1d, 0x11,
2380 0x26, 0x5b, 0xf3, 0xe0, 0xf3, 0x4b, 0xf2, 0x41, 0x54, 0x6e,
2381 },
2382 32, "Let's Encrypt 'Oak2020' log" },
2383 { (const uint8_t[]){
2384 0x94, 0x20, 0xbc, 0x1e, 0x8e, 0xd5, 0x8d, 0x6c, 0x88, 0x73, 0x1f,
2385 0x82, 0x8b, 0x22, 0x2c, 0x0d, 0xd1, 0xda, 0x4d, 0x5e, 0x6c, 0x4f,
2386 0x94, 0x3d, 0x61, 0xdb, 0x4e, 0x2f, 0x58, 0x4d, 0xa2, 0xc2,
2387 },
2388 32, "Let's Encrypt 'Oak2021' log" },
2389 { (const uint8_t[]){
2390 0xdf, 0xa5, 0x5e, 0xab, 0x68, 0x82, 0x4f, 0x1f, 0x6c, 0xad, 0xee,
2391 0xb8, 0x5f, 0x4e, 0x3e, 0x5a, 0xea, 0xcd, 0xa2, 0x12, 0xa4, 0x6a,
2392 0x5e, 0x8e, 0x3b, 0x12, 0xc0, 0x20, 0x44, 0x5c, 0x2a, 0x73,
2393 },
2394 32, "Let's Encrypt 'Oak2022' log" },
2395 { (const uint8_t[]){
2396 0xb7, 0x3e, 0xfb, 0x24, 0xdf, 0x9c, 0x4d, 0xba, 0x75, 0xf2, 0x39,
2397 0xc5, 0xba, 0x58, 0xf4, 0x6c, 0x5d, 0xfc, 0x42, 0xcf, 0x7a, 0x9f,
2398 0x35, 0xc4, 0x9e, 0x1d, 0x09, 0x81, 0x25, 0xed, 0xb4, 0x99,
2399 },
2400 32, "Let's Encrypt 'Oak2023' log" },
2401 { (const uint8_t[]){
2402 0x3b, 0x53, 0x77, 0x75, 0x3e, 0x2d, 0xb9, 0x80, 0x4e, 0x8b, 0x30,
2403 0x5b, 0x06, 0xfe, 0x40, 0x3b, 0x67, 0xd8, 0x4f, 0xc3, 0xf4, 0xc7,
2404 0xbd, 0x00, 0x0d, 0x2d, 0x72, 0x6f, 0xe1, 0xfa, 0xd4, 0x17,
2405 },
2406 32, "Let's Encrypt 'Oak2024H1' log" },
2407 { (const uint8_t[]){
2408 0x3f, 0x17, 0x4b, 0x4f, 0xd7, 0x22, 0x47, 0x58, 0x94, 0x1d, 0x65,
2409 0x1c, 0x84, 0xbe, 0x0d, 0x12, 0xed, 0x90, 0x37, 0x7f, 0x1f, 0x85,
2410 0x6a, 0xeb, 0xc1, 0xbf, 0x28, 0x85, 0xec, 0xf8, 0x64, 0x6e,
2411 },
2412 32, "Let's Encrypt 'Oak2024H2' log" },
2413 { (const uint8_t[]){
2414 0xa2, 0xe3, 0x0a, 0xe4, 0x45, 0xef, 0xbd, 0xad, 0x9b, 0x7e, 0x38,
2415 0xed, 0x47, 0x67, 0x77, 0x53, 0xd7, 0x82, 0x5b, 0x84, 0x94, 0xd7,
2416 0x2b, 0x5e, 0x1b, 0x2c, 0xc4, 0xb9, 0x50, 0xa4, 0x47, 0xe7,
2417 },
2418 32, "Let's Encrypt 'Oak2025h1'" },
2419 { (const uint8_t[]){
2420 0x0d, 0xe1, 0xf2, 0x30, 0x2b, 0xd3, 0x0d, 0xc1, 0x40, 0x62, 0x12,
2421 0x09, 0xea, 0x55, 0x2e, 0xfc, 0x47, 0x74, 0x7c, 0xb1, 0xd7, 0xe9,
2422 0x30, 0xef, 0x0e, 0x42, 0x1e, 0xb4, 0x7e, 0x4e, 0xaa, 0x34,
2423 },
2424 32, "Let's Encrypt 'Oak2025h2'" },
2425 { (const uint8_t[]){
2426 0x19, 0x86, 0xd4, 0xc7, 0x28, 0xaa, 0x6f, 0xfe, 0xba, 0x03, 0x6f,
2427 0x78, 0x2a, 0x4d, 0x01, 0x91, 0xaa, 0xce, 0x2d, 0x72, 0x31, 0x0f,
2428 0xae, 0xce, 0x5d, 0x70, 0x41, 0x2d, 0x25, 0x4c, 0xc7, 0xd4,
2429 },
2430 32, "Let's Encrypt 'Oak2026h1'" },
2431 { (const uint8_t[]){
2432 0xac, 0xab, 0x30, 0x70, 0x6c, 0xeb, 0xec, 0x84, 0x31, 0xf4, 0x13,
2433 0xd2, 0xf4, 0x91, 0x5f, 0x11, 0x1e, 0x42, 0x24, 0x43, 0xb1, 0xf2,
2434 0xa6, 0x8c, 0x4f, 0x3c, 0x2b, 0x3b, 0xa7, 0x1e, 0x02, 0xc3,
2435 },
2436 32, "Let's Encrypt 'Oak2026h2'" },
2437 { (const uint8_t[]){
2438 0x65, 0x9b, 0x33, 0x50, 0xf4, 0x3b, 0x12, 0xcc, 0x5e, 0xa5, 0xab,
2439 0x4e, 0xc7, 0x65, 0xd3, 0xfd, 0xe6, 0xc8, 0x82, 0x43, 0x77, 0x77,
2440 0x78, 0xe7, 0x20, 0x03, 0xf9, 0xeb, 0x2b, 0x8c, 0x31, 0x29,
2441 },
2442 32, "Let's Encrypt 'Oak2019' log" },
2443 { (const uint8_t[]){
2444 0x84, 0x9f, 0x5f, 0x7f, 0x58, 0xd2, 0xbf, 0x7b, 0x54, 0xec, 0xbd,
2445 0x74, 0x61, 0x1c, 0xea, 0x45, 0xc4, 0x9c, 0x98, 0xf1, 0xd6, 0x48,
2446 0x1b, 0xc6, 0xf6, 0x9e, 0x8c, 0x17, 0x4f, 0x24, 0xf3, 0xcf,
2447 },
2448 32, "Let's Encrypt 'Testflume2019' log" },
2449 { (const uint8_t[]){
2450 0x23, 0x2d, 0x41, 0xa4, 0xcd, 0xac, 0x87, 0xce, 0xd9, 0xf9, 0x43,
2451 0xf4, 0x68, 0xc2, 0x82, 0x09, 0x5a, 0xe0, 0x9d, 0x30, 0xd6, 0x2e,
2452 0x2f, 0xa6, 0x5d, 0xdc, 0x3b, 0x91, 0x9c, 0x2e, 0x46, 0x8f,
2453 },
2454 32, "Let's Encrypt 'Sapling 2022h2' log" },
2455 { (const uint8_t[]){
2456 0xc1, 0x83, 0x24, 0x0b, 0xf1, 0xa4, 0x50, 0xc7, 0x6f, 0xbb, 0x00,
2457 0x72, 0x69, 0xdc, 0xac, 0x3b, 0xe2, 0x2a, 0x48, 0x05, 0xd4, 0xdb,
2458 0xe0, 0x49, 0x66, 0xc3, 0xc8, 0xab, 0xc4, 0x47, 0xb0, 0x0c,
2459 },
2460 32, "Let's Encrypt 'Sapling 2023h1' log" },
2461 { (const uint8_t[]){
2462 0xc6, 0x3f, 0x22, 0x18, 0xc3, 0x7d, 0x56, 0xa6, 0xaa, 0x06, 0xb5,
2463 0x96, 0xda, 0x8e, 0x53, 0xd4, 0xd7, 0x15, 0x6d, 0x1e, 0x9b, 0xac,
2464 0x8e, 0x44, 0xd2, 0x20, 0x2d, 0xe6, 0x4d, 0x69, 0xd9, 0xdc,
2465 },
2466 32, "Let's Encrypt 'Testflume2020' log" },
2467 { (const uint8_t[]){
2468 0x03, 0xed, 0xf1, 0xda, 0x97, 0x76, 0xb6, 0xf3, 0x8c, 0x34, 0x1e,
2469 0x39, 0xed, 0x9d, 0x70, 0x7a, 0x75, 0x70, 0x36, 0x9c, 0xf9, 0x84,
2470 0x4f, 0x32, 0x7f, 0xe9, 0xe1, 0x41, 0x38, 0x36, 0x1b, 0x60,
2471 },
2472 32, "Let's Encrypt 'Testflume2021' log" },
2473 { (const uint8_t[]){
2474 0x23, 0x27, 0xef, 0xda, 0x35, 0x25, 0x10, 0xdb, 0xc0, 0x19, 0xef,
2475 0x49, 0x1a, 0xe3, 0xff, 0x1c, 0xc5, 0xa4, 0x79, 0xbc, 0xe3, 0x78,
2476 0x78, 0x36, 0x0e, 0xe3, 0x18, 0xcf, 0xfb, 0x64, 0xf8, 0xc8,
2477 },
2478 32, "Let's Encrypt 'Testflume2022' log" },
2479 { (const uint8_t[]){
2480 0x55, 0x34, 0xb7, 0xab, 0x5a, 0x6a, 0xc3, 0xa7, 0xcb, 0xeb, 0xa6,
2481 0x54, 0x87, 0xb2, 0xa2, 0xd7, 0x1b, 0x48, 0xf6, 0x50, 0xfa, 0x17,
2482 0xc5, 0x19, 0x7c, 0x97, 0xa0, 0xcb, 0x20, 0x76, 0xf3, 0xc6,
2483 },
2484 32, "Let's Encrypt 'Testflume2023' log" },
2485 { (const uint8_t[]){
2486 0x29, 0x6a, 0xfa, 0x2d, 0x56, 0x8b, 0xca, 0x0d, 0x2e, 0xa8, 0x44,
2487 0x95, 0x6a, 0xe9, 0x72, 0x1f, 0xc3, 0x5f, 0xa3, 0x55, 0xec, 0xda,
2488 0x99, 0x69, 0x3a, 0xaf, 0xd4, 0x58, 0xa7, 0x1a, 0xef, 0xdd,
2489 },
2490 32, "Let's Encrypt 'Clicky' log" },
2491 { (const uint8_t[]){
2492 0xa5, 0x95, 0x94, 0x3b, 0x53, 0x70, 0xbe, 0xe9, 0x06, 0xe0, 0x05,
2493 0x0d, 0x1f, 0xb5, 0xbb, 0xc6, 0xa4, 0x0e, 0x65, 0xf2, 0x65, 0xae,
2494 0x85, 0x2c, 0x76, 0x36, 0x3f, 0xad, 0xb2, 0x33, 0x36, 0xed,
2495 },
2496 32, "Trust Asia Log2020" },
2497 { (const uint8_t[]){
2498 0xa8, 0xdc, 0x52, 0xf6, 0x3d, 0x6b, 0x24, 0x25, 0xe5, 0x31, 0xe3,
2499 0x7c, 0xf4, 0xe4, 0x4a, 0x71, 0x4f, 0x14, 0x2a, 0x20, 0x80, 0x3b,
2500 0x0d, 0x04, 0xd2, 0xe2, 0xee, 0x06, 0x64, 0x79, 0x4a, 0x23,
2501 },
2502 32, "Trust Asia CT2021" },
2503 { (const uint8_t[]){
2504 0x67, 0x8d, 0xb6, 0x5b, 0x3e, 0x74, 0x43, 0xb6, 0xf3, 0xa3, 0x70,
2505 0xd5, 0xe1, 0x3a, 0xb1, 0xb4, 0x3b, 0xe0, 0xa0, 0xd3, 0x51, 0xf7,
2506 0xca, 0x74, 0x22, 0x50, 0xc7, 0xc6, 0xfa, 0x51, 0xa8, 0x8a,
2507 },
2508 32, "Trust Asia Log2021" },
2509 { (const uint8_t[]){
2510 0xc3, 0x65, 0xf9, 0xb3, 0x65, 0x4f, 0x32, 0x83, 0xc7, 0x9d, 0xa9,
2511 0x8e, 0x93, 0xd7, 0x41, 0x8f, 0x5b, 0xab, 0x7b, 0xe3, 0x25, 0x2c,
2512 0x98, 0xe1, 0xd2, 0xf0, 0x4b, 0xb9, 0xeb, 0x42, 0x7d, 0x23,
2513 },
2514 32, "Trust Asia Log2022" },
2515 { (const uint8_t[]){
2516 0xe8, 0x7e, 0xa7, 0x66, 0x0b, 0xc2, 0x6c, 0xf6, 0x00, 0x2e, 0xf5,
2517 0x72, 0x5d, 0x3f, 0xe0, 0xe3, 0x31, 0xb9, 0x39, 0x3b, 0xb9, 0x2f,
2518 0xbf, 0x58, 0xeb, 0x3b, 0x90, 0x49, 0xda, 0xf5, 0x43, 0x5a,
2519 },
2520 32, "Trust Asia Log2023" },
2521 { (const uint8_t[]){
2522 0x30, 0x6d, 0x29, 0x57, 0x6a, 0xd2, 0x1a, 0x9d, 0x4a, 0xe1, 0x2a,
2523 0xca, 0xd8, 0xaa, 0x8a, 0x78, 0x3a, 0xa6, 0x5a, 0x32, 0x11, 0x60,
2524 0xac, 0xff, 0x5b, 0x0e, 0xee, 0x4c, 0xa3, 0x20, 0x1d, 0x05,
2525 },
2526 32, "Trust Asia Log2024" },
2527 { (const uint8_t[]){
2528 0x87, 0x4f, 0xb5, 0x0d, 0xc0, 0x29, 0xd9, 0x93, 0x1d, 0xe5, 0x73,
2529 0xe9, 0xf2, 0x89, 0x9e, 0x8e, 0x45, 0x33, 0xb3, 0x92, 0xd3, 0x8b,
2530 0x0a, 0x46, 0x25, 0x74, 0xbf, 0x0f, 0xee, 0xb2, 0xfc, 0x1e,
2531 },
2532 32, "Trust Asia Log2024-2" },
2533 { (const uint8_t[]){
2534 0x28, 0xe2, 0x81, 0x38, 0xfd, 0x83, 0x21, 0x45, 0xe9, 0xa9, 0xd6,
2535 0xaa, 0x75, 0x37, 0x6d, 0x83, 0x77, 0xa8, 0x85, 0x12, 0xb3, 0xc0,
2536 0x7f, 0x72, 0x41, 0x48, 0x21, 0xdc, 0xbd, 0xe9, 0x8c, 0x66,
2537 },
2538 32, "TrustAsia Log2025a" },
2539 { (const uint8_t[]){
2540 0x28, 0x2c, 0x8b, 0xdd, 0x81, 0x0f, 0xf9, 0x09, 0x12, 0x0a, 0xce,
2541 0x16, 0xd6, 0xe0, 0xec, 0x20, 0x1b, 0xea, 0x82, 0xa3, 0xa4, 0xaf,
2542 0x19, 0xd9, 0xef, 0xfb, 0x59, 0xe8, 0x3f, 0xdc, 0x42, 0x68,
2543 },
2544 32, "TrustAsia Log2025b" },
2545 { (const uint8_t[]){
2546 0x74, 0xdb, 0x9d, 0x58, 0xf7, 0xd4, 0x7e, 0x9d, 0xfd, 0x78, 0x7a,
2547 0x16, 0x2a, 0x99, 0x1c, 0x18, 0xcf, 0x69, 0x8d, 0xa7, 0xc7, 0x29,
2548 0x91, 0x8c, 0x9a, 0x18, 0xb0, 0x45, 0x0d, 0xba, 0x44, 0xbc,
2549 },
2550 32, "TrustAsia 'log2026a'" },
2551 { (const uint8_t[]){
2552 0x25, 0xb7, 0xef, 0xde, 0xa1, 0x13, 0x01, 0x93, 0xed, 0x93, 0x07,
2553 0x97, 0x70, 0xaa, 0x32, 0x2a, 0x26, 0x62, 0x0d, 0xe3, 0x5a, 0xc8,
2554 0xaa, 0x7c, 0x75, 0x19, 0x7d, 0xe0, 0xb1, 0xa9, 0xe0, 0x65,
2555 },
2556 32, "TrustAsia 'log2026b'" },
2557 { (const uint8_t[]){
2558 0xed, 0xda, 0xeb, 0x81, 0x5c, 0x63, 0x21, 0x34, 0x49, 0xb4, 0x7b,
2559 0xe5, 0x07, 0x79, 0x05, 0xab, 0xd0, 0xd9, 0x31, 0x47, 0xc2, 0x7a,
2560 0xc5, 0x14, 0x6b, 0x3b, 0xc5, 0x8e, 0x43, 0xe9, 0xb6, 0xc7,
2561 },
2562 32, "TrustAsia 'HETU2027'" },
2563 { (const uint8_t[]){
2564 0x45, 0x35, 0x94, 0x98, 0xd9, 0x3a, 0x89, 0xe0, 0x28, 0x03, 0x08,
2565 0xd3, 0x7d, 0x62, 0x6d, 0xc4, 0x23, 0x75, 0x47, 0x58, 0xdc, 0xe0,
2566 0x37, 0x00, 0x36, 0xfb, 0xab, 0x0e, 0xdf, 0x8a, 0x6b, 0xcf,
2567 },
2568 32, "Trust Asia Log1" },
2569 { (const uint8_t[]){
2570 0xc9, 0xcf, 0x89, 0x0a, 0x21, 0x10, 0x9c, 0x66, 0x6c, 0xc1, 0x7a,
2571 0x3e, 0xd0, 0x65, 0xc9, 0x30, 0xd0, 0xe0, 0x13, 0x5a, 0x9f, 0xeb,
2572 0xa8, 0x5a, 0xf1, 0x42, 0x10, 0xb8, 0x07, 0x24, 0x21, 0xaa,
2573 },
2574 32, "GDCA CT log #1" },
2575 { (const uint8_t[]){
2576 0x92, 0x4a, 0x30, 0xf9, 0x09, 0x33, 0x6f, 0xf4, 0x35, 0xd6, 0x99,
2577 0x3a, 0x10, 0xac, 0x75, 0xa2, 0xc6, 0x41, 0x72, 0x8e, 0x7f, 0xc2,
2578 0xd6, 0x59, 0xae, 0x61, 0x88, 0xff, 0xad, 0x40, 0xce, 0x01,
2579 },
2580 32, "GDCA CT log #2" },
2581 { (const uint8_t[]){
2582 0x71, 0x7e, 0xa7, 0x42, 0x09, 0x75, 0xbe, 0x84, 0xa2, 0x72, 0x35,
2583 0x53, 0xf1, 0x77, 0x7c, 0x26, 0xdd, 0x51, 0xaf, 0x4e, 0x10, 0x21,
2584 0x44, 0x09, 0x4d, 0x90, 0x19, 0xb4, 0x62, 0xfb, 0x66, 0x68,
2585 },
2586 32, "GDCA Log 1" },
2587 { (const uint8_t[]){
2588 0x14, 0x30, 0x8d, 0x90, 0xcc, 0xd0, 0x30, 0x13, 0x50, 0x05, 0xc0,
2589 0x1c, 0xa5, 0x26, 0xd8, 0x1e, 0x84, 0xe8, 0x76, 0x24, 0xe3, 0x9b,
2590 0x62, 0x48, 0xe0, 0x8f, 0x72, 0x4a, 0xea, 0x3b, 0xb4, 0x2a,
2591 },
2592 32, "GDCA Log 2" },
2593 { (const uint8_t[]){
2594 0xe0, 0x12, 0x76, 0x29, 0xe9, 0x04, 0x96, 0x56, 0x4e, 0x3d, 0x01,
2595 0x47, 0x98, 0x44, 0x98, 0xaa, 0x48, 0xf8, 0xad, 0xb1, 0x66, 0x00,
2596 0xeb, 0x79, 0x02, 0xa1, 0xef, 0x99, 0x09, 0x90, 0x62, 0x73,
2597 },
2598 32, "PuChuangSiDa CT log" },
2599 { (const uint8_t[]){
2600 0x53, 0x7b, 0x69, 0xa3, 0x56, 0x43, 0x35, 0xa9, 0xc0, 0x49, 0x04,
2601 0xe3, 0x95, 0x93, 0xb2, 0xc2, 0x98, 0xeb, 0x8d, 0x7a, 0x6e, 0x83,
2602 0x02, 0x36, 0x35, 0xc6, 0x27, 0x24, 0x8c, 0xd6, 0xb4, 0x40,
2603 },
2604 32, "Nordu 'flimsy' log" },
2605 { (const uint8_t[]){
2606 0xaa, 0xe7, 0x0b, 0x7f, 0x3c, 0xb8, 0xd5, 0x66, 0xc8, 0x6c, 0x2f,
2607 0x16, 0x97, 0x9c, 0x9f, 0x44, 0x5f, 0x69, 0xab, 0x0e, 0xb4, 0x53,
2608 0x55, 0x89, 0xb2, 0xf7, 0x7a, 0x03, 0x01, 0x04, 0xf3, 0xcd,
2609 },
2610 32, "Nordu 'plausible' log" },
2611 { (const uint8_t[]){
2612 0xcf, 0x55, 0xe2, 0x89, 0x23, 0x49, 0x7c, 0x34, 0x0d, 0x52, 0x06,
2613 0xd0, 0x53, 0x53, 0xae, 0xb2, 0x58, 0x34, 0xb5, 0x2f, 0x1f, 0x8d,
2614 0xc9, 0x52, 0x68, 0x09, 0xf2, 0x12, 0xef, 0xdd, 0x7c, 0xa6,
2615 },
2616 32, "SHECA CT log 1" },
2617 { (const uint8_t[]){
2618 0x32, 0xdc, 0x59, 0xc2, 0xd4, 0xc4, 0x19, 0x68, 0xd5, 0x6e, 0x14,
2619 0xbc, 0x61, 0xac, 0x8f, 0x0e, 0x45, 0xdb, 0x39, 0xfa, 0xf3, 0xc1,
2620 0x55, 0xaa, 0x42, 0x52, 0xf5, 0x00, 0x1f, 0xa0, 0xc6, 0x23,
2621 },
2622 32, "SHECA CT log 2" },
2623 { (const uint8_t[]){
2624 0x96, 0x06, 0xc0, 0x2c, 0x69, 0x00, 0x33, 0xaa, 0x1d, 0x14, 0x5f,
2625 0x59, 0xc6, 0xe2, 0x64, 0x8d, 0x05, 0x49, 0xf0, 0xdf, 0x96, 0xaa,
2626 0xb8, 0xdb, 0x91, 0x5a, 0x70, 0xd8, 0xec, 0xf3, 0x90, 0xa5,
2627 },
2628 32, "Akamai CT Log" },
2629 { (const uint8_t[]){
2630 0x39, 0x37, 0x6f, 0x54, 0x5f, 0x7b, 0x46, 0x07, 0xf5, 0x97, 0x42,
2631 0xd7, 0x68, 0xcd, 0x5d, 0x24, 0x37, 0xbf, 0x34, 0x73, 0xb6, 0x53,
2632 0x4a, 0x48, 0x34, 0xbc, 0xf7, 0x2e, 0x68, 0x1c, 0x83, 0xc9,
2633 },
2634 32, "Alpha CT Log" },
2635 { (const uint8_t[]){
2636 0xb0, 0xb7, 0x84, 0xbc, 0x81, 0xc0, 0xdd, 0xc4, 0x75, 0x44, 0xe8,
2637 0x83, 0xf0, 0x59, 0x85, 0xbb, 0x90, 0x77, 0xd1, 0x34, 0xd8, 0xab,
2638 0x88, 0xb2, 0xb2, 0xe5, 0x33, 0x98, 0x0b, 0x8e, 0x50, 0x8b,
2639 },
2640 32, "Up In The Air 'Behind the Sofa' log" },
2641 { (const uint8_t[]){
2642 0x47, 0x44, 0x47, 0x7c, 0x75, 0xde, 0x42, 0x6d, 0x5c, 0x44, 0xef,
2643 0xd4, 0xa9, 0x2c, 0x96, 0x77, 0x59, 0x7f, 0x65, 0x7a, 0x8f, 0xe0,
2644 0xca, 0xdb, 0xc6, 0xd6, 0x16, 0xed, 0xa4, 0x97, 0xc4, 0x25,
2645 },
2646 32, "Qihoo 360 2020" },
2647 { (const uint8_t[]){
2648 0xc6, 0xd7, 0xed, 0x9e, 0xdb, 0x8e, 0x74, 0xf0, 0xa7, 0x1b, 0x4d,
2649 0x4a, 0x98, 0x4b, 0xcb, 0xeb, 0xab, 0xbd, 0x28, 0xcc, 0x1f, 0xd7,
2650 0x63, 0x29, 0xe8, 0x87, 0x26, 0xcd, 0x4c, 0x25, 0x46, 0x63,
2651 },
2652 32, "Qihoo 360 2021" },
2653 { (const uint8_t[]){
2654 0x66, 0x3c, 0xb0, 0x9c, 0x1f, 0xcd, 0x9b, 0xaa, 0x62, 0x76, 0x3c,
2655 0xcb, 0x53, 0x4e, 0xec, 0x80, 0x58, 0x12, 0x28, 0x05, 0x07, 0xac,
2656 0x69, 0xa4, 0x5f, 0xcd, 0x38, 0xcf, 0x4c, 0xc7, 0x4c, 0xf1,
2657 },
2658 32, "Qihoo 360 2022" },
2659 { (const uint8_t[]){
2660 0xe2, 0x64, 0x7f, 0x6e, 0xda, 0x34, 0x05, 0x03, 0xc6, 0x4d, 0x4e,
2661 0x10, 0xa8, 0x69, 0x68, 0x1f, 0xde, 0x9c, 0x5a, 0x2c, 0xf3, 0xb3,
2662 0x2d, 0x5f, 0x20, 0x0b, 0x96, 0x36, 0x05, 0x90, 0x88, 0x23,
2663 },
2664 32, "Qihoo 360 2023" },
2665 { (const uint8_t[]){
2666 0xc5, 0xcf, 0xe5, 0x4b, 0x61, 0x51, 0xb4, 0x9b, 0x14, 0x2e, 0xd2,
2667 0x63, 0xbd, 0xe7, 0x32, 0x93, 0x36, 0x37, 0x99, 0x79, 0x95, 0x50,
2668 0xae, 0x44, 0x35, 0xcd, 0x1a, 0x69, 0x97, 0xc9, 0xc3, 0xc3,
2669 },
2670 32, "Qihoo 360 v1 2020" },
2671 { (const uint8_t[]){
2672 0x48, 0x14, 0x58, 0x7c, 0xf2, 0x8b, 0x08, 0xfe, 0x68, 0x3f, 0xd2,
2673 0xbc, 0xd9, 0x45, 0x99, 0x4c, 0x2e, 0xb7, 0x4c, 0x8a, 0xe8, 0xc8,
2674 0x7f, 0xce, 0x42, 0x9b, 0x7c, 0xd3, 0x1d, 0x51, 0xbd, 0xc4,
2675 },
2676 32, "Qihoo 360 v1 2021" },
2677 { (const uint8_t[]){
2678 0x49, 0x11, 0xb8, 0xd6, 0x14, 0xcf, 0xd3, 0xd9, 0x9f, 0x16, 0xd3,
2679 0x76, 0x54, 0x5e, 0xe1, 0xb8, 0xcc, 0xfc, 0x51, 0x1f, 0x50, 0x9f,
2680 0x08, 0x0b, 0xa0, 0xa0, 0x87, 0xd9, 0x1d, 0xfa, 0xee, 0xa9,
2681 },
2682 32, "Qihoo 360 v1 2022" },
2683 { (const uint8_t[]){
2684 0xb6, 0x74, 0x0b, 0x12, 0x00, 0x2e, 0x03, 0x3f, 0xd0, 0xe7, 0xe9,
2685 0x41, 0xf4, 0xba, 0x3e, 0xe1, 0xbf, 0xc1, 0x49, 0xb5, 0x24, 0xb4,
2686 0xcf, 0x62, 0x8d, 0x53, 0xef, 0xea, 0x1f, 0x40, 0x3a, 0x8d,
2687 },
2688 32, "Qihoo 360 v1 2023" },
2689 { (const uint8_t[]){
2690 0x2e, 0xd6, 0xa4, 0x4d, 0xeb, 0x8f, 0x0c, 0x86, 0x46, 0x67, 0x76,
2691 0x9c, 0x4e, 0xdd, 0x04, 0x1f, 0x84, 0x23, 0x67, 0x55, 0xfa, 0x3a,
2692 0xac, 0xa6, 0x34, 0xd0, 0x93, 0x5d, 0xfc, 0xd5, 0x9a, 0x70,
2693 },
2694 32, "Bogus placeholder log to unbreak misbehaving CT libraries" },
2695 { (const uint8_t[]){
2696 0x39, 0xb9, 0x87, 0x88, 0x28, 0x19, 0x5f, 0x3b, 0x2d, 0x0d, 0x1b,
2697 0x48, 0x14, 0xa3, 0xae, 0x8c, 0x0d, 0x01, 0xfe, 0x48, 0x62, 0x21,
2698 0xdd, 0x69, 0x39, 0x7d, 0x76, 0xf7, 0x85, 0x74, 0x11, 0xc3,
2699 },
2700 32, "Merklemap 'CompactLog' log" },
2701 { (const uint8_t[]){
2702 0xd2, 0xfc, 0x65, 0x2f, 0xa5, 0xf9, 0xb7, 0x38, 0xb8, 0x37, 0x55,
2703 0xfa, 0x5e, 0xb1, 0x5f, 0x0b, 0x45, 0x25, 0x3f, 0x4e, 0x8f, 0xa3,
2704 0xb9, 0xb6, 0x4f, 0xd4, 0xde, 0x56, 0x62, 0xd1, 0x87, 0x08,
2705 },
2706 32, "Bogus RFC6962 log to avoid breaking misbehaving CT libraries" },
2707 { NULL((void*)0), 0, NULL((void*)0) }
2708};
2709
2710/*
2711 * Application-Layer Protocol Negotiation (ALPN) dissector tables.
2712 */
2713static dissector_table_t ssl_alpn_dissector_table;
2714static dissector_table_t dtls_alpn_dissector_table;
2715
2716/*
2717 * Special cases for prefix matching of the ALPN, if the ALPN includes
2718 * a version number for a draft or protocol revision.
2719 */
2720typedef struct ssl_alpn_prefix_match_protocol {
2721 const char *proto_prefix;
2722 const char *dissector_name;
2723} ssl_alpn_prefix_match_protocol_t;
2724
2725static const ssl_alpn_prefix_match_protocol_t ssl_alpn_prefix_match_protocols[] = {
2726 /* SPDY moves so fast, just 1, 2 and 3 are registered with IANA but there
2727 * already exists 3.1 as of this writing... match the prefix. */
2728 { "spdy/", "spdy" },
2729 /* draft-ietf-httpbis-http2-16 */
2730 { "h2-", "http2" }, /* draft versions */
2731};
2732
2733const value_string compress_certificate_algorithm_vals[] = {
2734 { 1, "zlib" },
2735 { 2, "brotli" },
2736 { 3, "zstd" },
2737 { 0, NULL((void*)0) }
2738};
2739
2740
2741const val64_string quic_transport_parameter_id[] = {
2742 { SSL_HND_QUIC_TP_ORIGINAL_DESTINATION_CONNECTION_ID0x00, "original_destination_connection_id" },
2743 { SSL_HND_QUIC_TP_MAX_IDLE_TIMEOUT0x01, "max_idle_timeout" },
2744 { SSL_HND_QUIC_TP_STATELESS_RESET_TOKEN0x02, "stateless_reset_token" },
2745 { SSL_HND_QUIC_TP_MAX_UDP_PAYLOAD_SIZE0x03, "max_udp_payload_size" },
2746 { SSL_HND_QUIC_TP_INITIAL_MAX_DATA0x04, "initial_max_data" },
2747 { SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_BIDI_LOCAL0x05, "initial_max_stream_data_bidi_local" },
2748 { SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_BIDI_REMOTE0x06, "initial_max_stream_data_bidi_remote" },
2749 { SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_UNI0x07, "initial_max_stream_data_uni" },
2750 { SSL_HND_QUIC_TP_INITIAL_MAX_STREAMS_UNI0x09, "initial_max_streams_uni" },
2751 { SSL_HND_QUIC_TP_INITIAL_MAX_STREAMS_BIDI0x08, "initial_max_streams_bidi" },
2752 { SSL_HND_QUIC_TP_ACK_DELAY_EXPONENT0x0a, "ack_delay_exponent" },
2753 { SSL_HND_QUIC_TP_MAX_ACK_DELAY0x0b, "max_ack_delay" },
2754 { SSL_HND_QUIC_TP_DISABLE_ACTIVE_MIGRATION0x0c, "disable_active_migration" },
2755 { SSL_HND_QUIC_TP_PREFERRED_ADDRESS0x0d, "preferred_address" },
2756 { SSL_HND_QUIC_TP_ACTIVE_CONNECTION_ID_LIMIT0x0e, "active_connection_id_limit" },
2757 { SSL_HND_QUIC_TP_INITIAL_SOURCE_CONNECTION_ID0x0f, "initial_source_connection_id" },
2758 { SSL_HND_QUIC_TP_RETRY_SOURCE_CONNECTION_ID0x10, "retry_source_connection_id" },
2759 { SSL_HND_QUIC_TP_MAX_DATAGRAM_FRAME_SIZE0x20, "max_datagram_frame_size" },
2760 { SSL_HND_QUIC_TP_CIBIR_ENCODING0x1000, "cibir_encoding" },
2761 { SSL_HND_QUIC_TP_LOSS_BITS0x1057, "loss_bits" },
2762 { SSL_HND_QUIC_TP_GREASE_QUIC_BIT0x2ab2, "grease_quic_bit" },
2763 { SSL_HND_QUIC_TP_ENABLE_TIME_STAMP0x7157, "enable_time_stamp" },
2764 { SSL_HND_QUIC_TP_ENABLE_TIME_STAMP_V20x7158, "enable_time_stamp_v2" },
2765 { SSL_HND_QUIC_TP_VERSION_INFORMATION0x11, "version_information" },
2766 { SSL_HND_QUIC_TP_VERSION_INFORMATION_DRAFT0xff73db, "version_information_draft" },
2767 { SSL_HND_QUIC_TP_MIN_ACK_DELAY_OLD0xde1a, "min_ack_delay" },
2768 { SSL_HND_QUIC_TP_GOOGLE_USER_AGENT0x3129, "google_user_agent" },
2769 { SSL_HND_QUIC_TP_GOOGLE_KEY_UPDATE_NOT_YET_SUPPORTED0x312B, "google_key_update_not_yet_supported" },
2770 { SSL_HND_QUIC_TP_GOOGLE_QUIC_VERSION0x4752, "google_quic_version" },
2771 { SSL_HND_QUIC_TP_GOOGLE_INITIAL_RTT0x3127, "google_initial_rtt" },
2772 { SSL_HND_QUIC_TP_GOOGLE_SUPPORT_HANDSHAKE_DONE0x312A, "google_support_handshake_done" },
2773 { SSL_HND_QUIC_TP_GOOGLE_QUIC_PARAMS0x4751, "google_quic_params" },
2774 { SSL_HND_QUIC_TP_GOOGLE_CONNECTION_OPTIONS0x3128, "google_connection_options" },
2775 { SSL_HND_QUIC_TP_FACEBOOK_PARTIAL_RELIABILITY0xFF00, "facebook_partial_reliability" },
2776 { SSL_HND_QUIC_TP_ADDRESS_DISCOVERY0x9f81a176, "address_discovery" },
2777 { SSL_HND_QUIC_TP_MIN_ACK_DELAY_DRAFT_V10xFF03DE1A, "min_ack_delay (draft-01)" },
2778 { SSL_HND_QUIC_TP_MIN_ACK_DELAY_DRAFT050xff04de1a, "min_ack_delay (draft-05)" },
2779 { SSL_HND_QUIC_TP_MIN_ACK_DELAY0xff04de1b, "min_ack_delay" },
2780 { SSL_HND_QUIC_TP_ENABLE_MULTIPATH_DRAFT040x0f739bbc1b666d04, "enable_multipath (draft-04)" },
2781 { SSL_HND_QUIC_TP_ENABLE_MULTIPATH_DRAFT050x0f739bbc1b666d05, "enable_multipath (draft-05)" },
2782 { SSL_HND_QUIC_TP_ENABLE_MULTIPATH0x0f739bbc1b666d06, "enable_multipath (draft-06)" },
2783 { SSL_HND_QUIC_TP_INITIAL_MAX_PATHS0x0f739bbc1b666d07, "initial_max_paths (draft-07/08)" },
2784 { SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT090x0f739bbc1b666d09, "initial_max_path_id (draft-09/10)" },
2785 { SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT110x0f739bbc1b666d11, "initial_max_path_id (draft-11)" },
2786 { SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT120x0f739bbc1b666d0c, "initial_max_path_id (draft-12)" },
2787 { SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID0x0f739bbc1b666d0d, "initial_max_path_id" },
2788 { 0, NULL((void*)0) }
2789};
2790
2791/* https://tools.ietf.org/html/draft-ietf-quic-address-discovery-00 */
2792const val64_string quic_address_discovery_vals[] = {
2793 { 0, "The node is willing to provide address observations to its peer, but is not interested in receiving address observations itself" },
2794 { 1, "The node is interested in receiving address observations, but it is not willing to provide address observations" },
2795 { 2, "The node is interested in receiving address observations, and it is willing to provide address observations" },
2796 { 0, NULL((void*)0) }
2797};
2798
2799/* https://tools.ietf.org/html/draft-huitema-quic-ts-03 */
2800const val64_string quic_enable_time_stamp_v2_vals[] = {
2801 { 1, "I would like to receive TIME_STAMP frames" },
2802 { 2, "I am able to generate TIME_STAMP frames" },
2803 { 3, "I am able to generate TIME_STAMP frames and I would like to receive them" },
2804 { 0, NULL((void*)0) }
2805};
2806
2807/* https://datatracker.ietf.org/doc/draft-ietf-quic-multipath/04/ */
2808const val64_string quic_enable_multipath_vals[] = {
2809 { 0, "don't support multipath" },
2810 { 1, "support multipath as defined in this document" },
2811 { 0, NULL((void*)0) }
2812};
2813
2814/* https://www.ietf.org/archive/id/draft-ietf-tls-esni-16.txt */
2815const value_string tls_hello_ext_ech_clienthello_types[] = {
2816 { 0, "Outer Client Hello" },
2817 { 1, "Inner Client Hello" },
2818 { 0, NULL((void*)0) }
2819};
2820
2821/* RFC 9180 */
2822const value_string kem_id_type_vals[] = {
2823 { 0x0000, "Reserved" },
2824 { 0x0010, "DHKEM(P-256, HKDF-SHA256)" },
2825 { 0x0011, "DHKEM(P-384, HKDF-SHA384)" },
2826 { 0x0012, "DHKEM(P-521, HKDF-SHA512)" },
2827 { 0x0020, "DHKEM(X25519, HKDF-SHA256)" },
2828 { 0x0021, "DHKEM(X448, HKDF-SHA512)" },
2829 { 0, NULL((void*)0) }
2830};
2831const value_string kdf_id_type_vals[] = {
2832 { 0x0000, "Reserved" },
2833 { 0x0001, "HKDF-SHA256" },
2834 { 0x0002, "HKDF-SHA384" },
2835 { 0x0003, "HKDF-SHA512" },
2836 { 0, NULL((void*)0) }
2837};
2838const value_string aead_id_type_vals[] = {
2839 { 0x0000, "Reserved" },
2840 { 0x0001, "AES-128-GCM" },
2841 { 0x0002, "AES-256-GCM" },
2842 { 0x0003, "ChaCha20Poly1305" },
2843 { 0xFFFF, "Export-only" },
2844 { 0, NULL((void*)0) }
2845};
2846
2847const value_string token_binding_key_parameter_vals[] = {
2848 { 0, "rsa2048_pkcs1.5" },
2849 { 1, "rsa2048_pss" },
2850 { 2, "ecdsap256" },
2851 { 0, NULL((void*)0) }
2852};
2853
2854/* Lookup tables }}} */
2855
2856void
2857quic_transport_parameter_id_base_custom(char *result, uint64_t parameter_id)
2858{
2859 const char *label;
2860 if (IS_GREASE_QUIC(parameter_id)((parameter_id) > 27 ? ((((parameter_id) - 27) % 31) == 0)
: 0)) {
2861 label = "GREASE";
2862 } else {
2863 label = val64_to_str_const(parameter_id, quic_transport_parameter_id, "Unknown");
2864 }
2865 snprintf(result, ITEM_LABEL_LENGTH240, "%s (0x%02" PRIx64"l" "x" ")", label, parameter_id);
2866}
2867
2868/* we keep this internal to packet-tls-utils, as there should be
2869 no need to access it any other way.
2870
2871 This also allows us to hide the dependency on zlib.
2872*/
2873struct _SslDecompress {
2874 int compression;
2875#ifdef USE_ZLIB_OR_ZLIBNG
2876 zlib_stream istream;
2877#endif
2878};
2879
2880/* To assist in parsing client/server key exchange messages
2881 0 indicates unknown */
2882int ssl_get_keyex_alg(int cipher)
2883{
2884 /* Map Cipher suite number to Key Exchange algorithm {{{ */
2885 switch(cipher) {
2886 case 0x0017:
2887 case 0x0018:
2888 case 0x0019:
2889 case 0x001a:
2890 case 0x001b:
2891 case 0x0034:
2892 case 0x003a:
2893 case 0x0046:
2894 case 0x006c:
2895 case 0x006d:
2896 case 0x0089:
2897 case 0x009b:
2898 case 0x00a6:
2899 case 0x00a7:
2900 case 0x00bf:
2901 case 0x00c5:
2902 case 0xc084:
2903 case 0xc085:
2904 return KEX_DH_ANON0x13;
2905 case 0x000b:
2906 case 0x000c:
2907 case 0x000d:
2908 case 0x0030:
2909 case 0x0036:
2910 case 0x003e:
2911 case 0x0042:
2912 case 0x0068:
2913 case 0x0085:
2914 case 0x0097:
2915 case 0x00a4:
2916 case 0x00a5:
2917 case 0x00bb:
2918 case 0x00c1:
2919 case 0xc082:
2920 case 0xc083:
2921 return KEX_DH_DSS0x14;
2922 case 0x000e:
2923 case 0x000f:
2924 case 0x0010:
2925 case 0x0031:
2926 case 0x0037:
2927 case 0x003f:
2928 case 0x0043:
2929 case 0x0069:
2930 case 0x0086:
2931 case 0x0098:
2932 case 0x00a0:
2933 case 0x00a1:
2934 case 0x00bc:
2935 case 0x00c2:
2936 case 0xc07e:
2937 case 0xc07f:
2938 return KEX_DH_RSA0x15;
2939 case 0x0011:
2940 case 0x0012:
2941 case 0x0013:
2942 case 0x0032:
2943 case 0x0038:
2944 case 0x0040:
2945 case 0x0044:
2946 case 0x0063:
2947 case 0x0065:
2948 case 0x0066:
2949 case 0x006a:
2950 case 0x0087:
2951 case 0x0099:
2952 case 0x00a2:
2953 case 0x00a3:
2954 case 0x00bd:
2955 case 0x00c3:
2956 case 0xc080:
2957 case 0xc081:
2958 return KEX_DHE_DSS0x10;
2959 case 0x002d:
2960 case 0x008e:
2961 case 0x008f:
2962 case 0x0090:
2963 case 0x0091:
2964 case 0x00aa:
2965 case 0x00ab:
2966 case 0x00b2:
2967 case 0x00b3:
2968 case 0x00b4:
2969 case 0x00b5:
2970 case 0xc090:
2971 case 0xc091:
2972 case 0xc096:
2973 case 0xc097:
2974 case 0xc0a6:
2975 case 0xc0a7:
2976 case 0xc0aa:
2977 case 0xc0ab:
2978 case 0xccad:
2979 case 0xe41c:
2980 case 0xe41d:
2981 return KEX_DHE_PSK0x11;
2982 case 0x0014:
2983 case 0x0015:
2984 case 0x0016:
2985 case 0x0033:
2986 case 0x0039:
2987 case 0x0045:
2988 case 0x0067:
2989 case 0x006b:
2990 case 0x0088:
2991 case 0x009a:
2992 case 0x009e:
2993 case 0x009f:
2994 case 0x00be:
2995 case 0x00c4:
2996 case 0xc07c:
2997 case 0xc07d:
2998 case 0xc09e:
2999 case 0xc09f:
3000 case 0xc0a2:
3001 case 0xc0a3:
3002 case 0xccaa:
3003 case 0xe41e:
3004 case 0xe41f:
3005 return KEX_DHE_RSA0x12;
3006 case 0xc015:
3007 case 0xc016:
3008 case 0xc017:
3009 case 0xc018:
3010 case 0xc019:
3011 return KEX_ECDH_ANON0x19;
3012 case 0xc001:
3013 case 0xc002:
3014 case 0xc003:
3015 case 0xc004:
3016 case 0xc005:
3017 case 0xc025:
3018 case 0xc026:
3019 case 0xc02d:
3020 case 0xc02e:
3021 case 0xc074:
3022 case 0xc075:
3023 case 0xc088:
3024 case 0xc089:
3025 return KEX_ECDH_ECDSA0x1a;
3026 case 0xc00b:
3027 case 0xc00c:
3028 case 0xc00d:
3029 case 0xc00e:
3030 case 0xc00f:
3031 case 0xc029:
3032 case 0xc02a:
3033 case 0xc031:
3034 case 0xc032:
3035 case 0xc078:
3036 case 0xc079:
3037 case 0xc08c:
3038 case 0xc08d:
3039 return KEX_ECDH_RSA0x1b;
3040 case 0xc006:
3041 case 0xc007:
3042 case 0xc008:
3043 case 0xc009:
3044 case 0xc00a:
3045 case 0xc023:
3046 case 0xc024:
3047 case 0xc02b:
3048 case 0xc02c:
3049 case 0xc072:
3050 case 0xc073:
3051 case 0xc086:
3052 case 0xc087:
3053 case 0xc0ac:
3054 case 0xc0ad:
3055 case 0xc0ae:
3056 case 0xc0af:
3057 case 0xcca9:
3058 case 0xe414:
3059 case 0xe415:
3060 return KEX_ECDHE_ECDSA0x16;
3061 case 0xc033:
3062 case 0xc034:
3063 case 0xc035:
3064 case 0xc036:
3065 case 0xc037:
3066 case 0xc038:
3067 case 0xc039:
3068 case 0xc03a:
3069 case 0xc03b:
3070 case 0xc09a:
3071 case 0xc09b:
3072 case 0xccac:
3073 case 0xe418:
3074 case 0xe419:
3075 case 0xd001:
3076 case 0xd002:
3077 case 0xd003:
3078 case 0xd005:
3079 return KEX_ECDHE_PSK0x17;
3080 case 0xc010:
3081 case 0xc011:
3082 case 0xc012:
3083 case 0xc013:
3084 case 0xc014:
3085 case 0xc027:
3086 case 0xc028:
3087 case 0xc02f:
3088 case 0xc030:
3089 case 0xc076:
3090 case 0xc077:
3091 case 0xc08a:
3092 case 0xc08b:
3093 case 0xcca8:
3094 case 0xe412:
3095 case 0xe413:
3096 return KEX_ECDHE_RSA0x18;
3097 case 0x001e:
3098 case 0x001f:
3099 case 0x0020:
3100 case 0x0021:
3101 case 0x0022:
3102 case 0x0023:
3103 case 0x0024:
3104 case 0x0025:
3105 case 0x0026:
3106 case 0x0027:
3107 case 0x0028:
3108 case 0x0029:
3109 case 0x002a:
3110 case 0x002b:
3111 return KEX_KRB50x1c;
3112 case 0x002c:
3113 case 0x008a:
3114 case 0x008b:
3115 case 0x008c:
3116 case 0x008d:
3117 case 0x00a8:
3118 case 0x00a9:
3119 case 0x00ae:
3120 case 0x00af:
3121 case 0x00b0:
3122 case 0x00b1:
3123 case 0xc064:
3124 case 0xc065:
3125 case 0xc08e:
3126 case 0xc08f:
3127 case 0xc094:
3128 case 0xc095:
3129 case 0xc0a4:
3130 case 0xc0a5:
3131 case 0xc0a8:
3132 case 0xc0a9:
3133 case 0xccab:
3134 case 0xe416:
3135 case 0xe417:
3136 return KEX_PSK0x1d;
3137 case 0x0001:
3138 case 0x0002:
3139 case 0x0003:
3140 case 0x0004:
3141 case 0x0005:
3142 case 0x0006:
3143 case 0x0007:
3144 case 0x0008:
3145 case 0x0009:
3146 case 0x000a:
3147 case 0x002f:
3148 case 0x0035:
3149 case 0x003b:
3150 case 0x003c:
3151 case 0x003d:
3152 case 0x0041:
3153 case 0x0060:
3154 case 0x0061:
3155 case 0x0062:
3156 case 0x0064:
3157 case 0x0084:
3158 case 0x0096:
3159 case 0x009c:
3160 case 0x009d:
3161 case 0x00ba:
3162 case 0x00c0:
3163 case 0xc07a:
3164 case 0xc07b:
3165 case 0xc09c:
3166 case 0xc09d:
3167 case 0xc0a0:
3168 case 0xc0a1:
3169 case 0xe410:
3170 case 0xe411:
3171 case 0xfefe:
3172 case 0xfeff:
3173 case 0xffe0:
3174 case 0xffe1:
3175 return KEX_RSA0x1e;
3176 case 0x002e:
3177 case 0x0092:
3178 case 0x0093:
3179 case 0x0094:
3180 case 0x0095:
3181 case 0x00ac:
3182 case 0x00ad:
3183 case 0x00b6:
3184 case 0x00b7:
3185 case 0x00b8:
3186 case 0x00b9:
3187 case 0xc092:
3188 case 0xc093:
3189 case 0xc098:
3190 case 0xc099:
3191 case 0xccae:
3192 case 0xe41a:
3193 case 0xe41b:
3194 return KEX_RSA_PSK0x1f;
3195 case 0xc01a:
3196 case 0xc01d:
3197 case 0xc020:
3198 return KEX_SRP_SHA0x20;
3199 case 0xc01c:
3200 case 0xc01f:
3201 case 0xc022:
3202 return KEX_SRP_SHA_DSS0x21;
3203 case 0xc01b:
3204 case 0xc01e:
3205 case 0xc021:
3206 return KEX_SRP_SHA_RSA0x22;
3207 case 0xc0ff:
3208 return KEX_ECJPAKE0x24;
3209 case 0xe003:
3210 case 0xe013:
3211 case 0xe053:
3212 return KEX_ECC_SM20x26;
3213 default:
3214 break;
3215 }
3216
3217 return 0;
3218 /* }}} */
3219}
3220
3221static wmem_list_t *connection_id_session_list;
3222
3223void
3224ssl_init_cid_list(void) {
3225 connection_id_session_list = wmem_list_new(wmem_file_scope());
3226}
3227
3228void
3229ssl_cleanup_cid_list(void) {
3230 wmem_destroy_list(connection_id_session_list);
3231}
3232
3233void
3234ssl_add_session_by_cid(SslDecryptSession *session)
3235{
3236 wmem_list_append(connection_id_session_list, session);
3237}
3238
3239SslDecryptSession *
3240ssl_get_session_by_cid(tvbuff_t *tvb, uint32_t offset)
3241{
3242 SslDecryptSession * ssl_cid = NULL((void*)0);
3243 wmem_list_frame_t *it = wmem_list_head(connection_id_session_list);
3244
3245 while (it != NULL((void*)0) && ssl_cid == NULL((void*)0)) {
3246 SslDecryptSession * ssl = (SslDecryptSession *)wmem_list_frame_data(it);
3247 DISSECTOR_ASSERT(ssl != NULL)((void) ((ssl != ((void*)0)) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 3247, "ssl != ((void*)0)"))));
3248 SslSession *session = &ssl->session;
3249
3250 if (session->client_cid_len > 0 && tvb_bytes_exist(tvb, offset, session->client_cid_len)) {
3251 if (tvb_memeql(tvb, offset, session->client_cid, session->client_cid_len) == 0) {
3252 ssl_cid = ssl;
3253 }
3254 }
3255
3256 if (session->server_cid_len > 0) {
3257 if (tvb_memeql(tvb, offset, session->server_cid, session->server_cid_len) == 0) {
3258 ssl_cid = ssl;
3259 }
3260 }
3261
3262 it = wmem_list_frame_next(it);
3263 }
3264
3265 return ssl_cid;
3266}
3267
3268/* StringInfo structure (len + data) functions {{{ */
3269
3270int
3271ssl_data_alloc(StringInfo* str, size_t len)
3272{
3273 str->data = (unsigned char *)g_malloc(len);
22
Memory is allocated
3274 /* the allocator can return a null pointer for a size equal to 0,
3275 * and that must be allowed */
3276 if (len
22.1
'len' is > 0
 > 0 && !str->data)
23
Assuming field 'data' is non-null
24
Taking false branch
3277 return -1;
3278 str->data_len = (unsigned) len;
3279 return 0;
3280}
3281
3282void
3283ssl_data_set(StringInfo* str, const unsigned char* data, unsigned len)
3284{
3285 DISSECTOR_ASSERT(data)((void) ((data) ? (void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\""
, "epan/dissectors/packet-tls-utils.c", 3285, "data"))));
3286 memcpy(str->data, data, len);
3287 str->data_len = len;
3288}
3289
3290static int
3291ssl_data_realloc(StringInfo* str, unsigned len)
3292{
3293 str->data = (unsigned char *)g_realloc(str->data, len);
3294 if (!str->data)
3295 return -1;
3296 str->data_len = len;
3297 return 0;
3298}
3299
3300static StringInfo *
3301ssl_data_clone(StringInfo *str)
3302{
3303 StringInfo *cloned_str;
3304 cloned_str = (StringInfo *) wmem_alloc0(wmem_file_scope(),
3305 sizeof(StringInfo) + str->data_len);
3306 cloned_str->data = (unsigned char *) (cloned_str + 1);
3307 ssl_data_set(cloned_str, str->data, str->data_len);
3308 return cloned_str;
3309}
3310
3311static int
3312ssl_data_copy(StringInfo* dst, StringInfo* src)
3313{
3314 if (dst->data_len < src->data_len) {
3315 if (ssl_data_realloc(dst, src->data_len))
3316 return -1;
3317 }
3318 memcpy(dst->data, src->data, src->data_len);
3319 dst->data_len = src->data_len;
3320 return 0;
3321}
3322
3323/* from_hex converts |hex_len| bytes of hex data from |in| and sets |*out| to
3324 * the result. |out->data| will be allocated using wmem_file_scope. Returns true on
3325 * success. */
3326static bool_Bool from_hex(StringInfo* out, const char* in, size_t hex_len) {
3327 size_t i;
3328
3329 if (hex_len & 1)
3330 return false0;
3331
3332 out->data = (unsigned char *)wmem_alloc(wmem_file_scope(), hex_len / 2);
3333 for (i = 0; i < hex_len / 2; i++) {
3334 int a = ws_xton(in[i*2]);
3335 int b = ws_xton(in[i*2 + 1]);
3336 if (a == -1 || b == -1)
3337 return false0;
3338 out->data[i] = a << 4 | b;
3339 }
3340 out->data_len = (unsigned)hex_len / 2;
3341 return true1;
3342}
3343/* StringInfo structure (len + data) functions }}} */
3344
3345
3346/* libgcrypt wrappers for HMAC/message digest operations {{{ */
3347/* hmac abstraction layer */
3348#define SSL_HMACgcry_md_hd_t gcry_md_hd_t
3349
3350static inline int
3351ssl_hmac_init(SSL_HMACgcry_md_hd_t* md, int algo)
3352{
3353 gcry_error_t err;
3354 const char *err_str, *err_src;
3355
3356 err = gcry_md_open(md,algo, GCRY_MD_FLAG_HMAC);
3357 if (err != 0) {
3358 err_str = gcry_strerror(err);
3359 err_src = gcry_strsource(err);
3360 ssl_debug_printf("ssl_hmac_init(): gcry_md_open failed %s/%s", err_str, err_src);
3361 return -1;
3362 }
3363 return 0;
3364}
3365
3366static inline int
3367ssl_hmac_setkey(SSL_HMACgcry_md_hd_t* md, const void * key, int len)
3368{
3369 gcry_error_t err;
3370 const char *err_str, *err_src;
3371
3372 err = gcry_md_setkey (*(md), key, len);
3373 if (err != 0) {
3374 err_str = gcry_strerror(err);
3375 err_src = gcry_strsource(err);
3376 ssl_debug_printf("ssl_hmac_setkey(): gcry_md_setkey failed %s/%s", err_str, err_src);
3377 return -1;
3378 }
3379 return 0;
3380}
3381
3382static inline int
3383ssl_hmac_reset(SSL_HMACgcry_md_hd_t* md)
3384{
3385 gcry_md_reset(*md);
3386 return 0;
3387}
3388
3389static inline void
3390ssl_hmac_update(SSL_HMACgcry_md_hd_t* md, const void* data, int len)
3391{
3392 gcry_md_write(*(md), data, len);
3393}
3394static inline void
3395ssl_hmac_final(SSL_HMACgcry_md_hd_t* md, unsigned char* data, unsigned* datalen)
3396{
3397 int algo;
3398 unsigned len;
3399
3400 algo = gcry_md_get_algo (*(md));
3401 len = gcry_md_get_algo_dlen(algo);
3402 DISSECTOR_ASSERT(len <= *datalen)((void) ((len <= *datalen) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 3402, "len <= *datalen"))));
3403 memcpy(data, gcry_md_read(*(md), algo), len);
3404 *datalen = len;
3405}
3406static inline void
3407ssl_hmac_cleanup(SSL_HMACgcry_md_hd_t* md)
3408{
3409 gcry_md_close(*(md));
3410}
3411
3412/* message digest abstraction layer*/
3413#define SSL_MDgcry_md_hd_t gcry_md_hd_t
3414
3415static inline int
3416ssl_md_init(SSL_MDgcry_md_hd_t* md, int algo)
3417{
3418 gcry_error_t err;
3419 const char *err_str, *err_src;
3420 err = gcry_md_open(md,algo, 0);
3421 if (err != 0) {
3422 err_str = gcry_strerror(err);
3423 err_src = gcry_strsource(err);
3424 ssl_debug_printf("ssl_md_init(): gcry_md_open failed %s/%s", err_str, err_src);
3425 return -1;
3426 }
3427 return 0;
3428}
3429static inline void
3430ssl_md_update(SSL_MDgcry_md_hd_t* md, unsigned char* data, int len)
3431{
3432 gcry_md_write(*(md), data, len);
3433}
3434static inline void
3435ssl_md_final(SSL_MDgcry_md_hd_t* md, unsigned char* data, unsigned* datalen)
3436{
3437 int algo;
3438 int len;
3439 algo = gcry_md_get_algo (*(md));
3440 len = gcry_md_get_algo_dlen (algo);
3441 memcpy(data, gcry_md_read(*(md), algo), len);
3442 *datalen = len;
3443}
3444static inline void
3445ssl_md_cleanup(SSL_MDgcry_md_hd_t* md)
3446{
3447 gcry_md_close(*(md));
3448}
3449
3450static inline void
3451ssl_md_reset(SSL_MDgcry_md_hd_t* md)
3452{
3453 gcry_md_reset(*md);
3454}
3455
3456/* md5 /sha abstraction layer */
3457#define SSL_SHA_CTXgcry_md_hd_t gcry_md_hd_t
3458#define SSL_MD5_CTXgcry_md_hd_t gcry_md_hd_t
3459
3460static inline int
3461ssl_sha_init(SSL_SHA_CTXgcry_md_hd_t* md)
3462{
3463 gcry_error_t err;
3464 const char *err_str, *err_src;
3465 err = gcry_md_open(md, GCRY_MD_SHA1, 0);
3466 if (err != 0) {
3467 err_str = gcry_strerror(err);
3468 err_src = gcry_strsource(err);
3469 ssl_debug_printf("ssl_sha_init(): gcry_md_open failed %s/%s", err_str, err_src);
3470 return -1;
3471 }
3472 return 0;
3473}
3474static inline void
3475ssl_sha_update(SSL_SHA_CTXgcry_md_hd_t* md, unsigned char* data, int len)
3476{
3477 gcry_md_write(*(md), data, len);
3478}
3479static inline void
3480ssl_sha_final(unsigned char* buf, SSL_SHA_CTXgcry_md_hd_t* md)
3481{
3482 memcpy(buf, gcry_md_read(*(md), GCRY_MD_SHA1),
3483 gcry_md_get_algo_dlen(GCRY_MD_SHA1));
3484}
3485
3486static inline void
3487ssl_sha_reset(SSL_SHA_CTXgcry_md_hd_t* md)
3488{
3489 gcry_md_reset(*md);
3490}
3491
3492static inline void
3493ssl_sha_cleanup(SSL_SHA_CTXgcry_md_hd_t* md)
3494{
3495 gcry_md_close(*(md));
3496}
3497
3498static inline int
3499ssl_md5_init(SSL_MD5_CTXgcry_md_hd_t* md)
3500{
3501 gcry_error_t err;
3502 const char *err_str, *err_src;
3503 err = gcry_md_open(md,GCRY_MD_MD5, 0);
3504 if (err != 0) {
3505 err_str = gcry_strerror(err);
3506 err_src = gcry_strsource(err);
3507 ssl_debug_printf("ssl_md5_init(): gcry_md_open failed %s/%s", err_str, err_src);
3508 return -1;
3509 }
3510 return 0;
3511}
3512static inline void
3513ssl_md5_update(SSL_MD5_CTXgcry_md_hd_t* md, unsigned char* data, int len)
3514{
3515 gcry_md_write(*(md), data, len);
3516}
3517static inline void
3518ssl_md5_final(unsigned char* buf, SSL_MD5_CTXgcry_md_hd_t* md)
3519{
3520 memcpy(buf, gcry_md_read(*(md), GCRY_MD_MD5),
3521 gcry_md_get_algo_dlen(GCRY_MD_MD5));
3522}
3523
3524static inline void
3525ssl_md5_reset(SSL_MD5_CTXgcry_md_hd_t* md)
3526{
3527 gcry_md_reset(*md);
3528}
3529
3530static inline void
3531ssl_md5_cleanup(SSL_MD5_CTXgcry_md_hd_t* md)
3532{
3533 gcry_md_close(*(md));
3534}
3535/* libgcrypt wrappers for HMAC/message digest operations }}} */
3536
3537/* libgcrypt wrappers for Cipher state manipulation {{{ */
3538int
3539ssl_cipher_setiv(SSL_CIPHER_CTXgcry_cipher_hd_t *cipher, unsigned char* iv, int iv_len)
3540{
3541 int ret;
3542#if 0
3543 unsigned char *ivp;
3544 int i;
3545 gcry_cipher_hd_t c;
3546 c=(gcry_cipher_hd_t)*cipher;
3547#endif
3548 ssl_debug_printf("--------------------------------------------------------------------");
3549#if 0
3550 for(ivp=c->iv,i=0; i < iv_len; i++ )
3551 {
3552 ssl_debug_printf("%d ",ivp[i]);
3553 i++;
3554 }
3555#endif
3556 ssl_debug_printf("--------------------------------------------------------------------");
3557 ret = gcry_cipher_setiv(*(cipher), iv, iv_len);
3558#if 0
3559 for(ivp=c->iv,i=0; i < iv_len; i++ )
3560 {
3561 ssl_debug_printf("%d ",ivp[i]);
3562 i++;
3563 }
3564#endif
3565 ssl_debug_printf("--------------------------------------------------------------------");
3566 return ret;
3567}
3568/* stream cipher abstraction layer*/
3569static int
3570ssl_cipher_init(gcry_cipher_hd_t *cipher, int algo, unsigned char* sk,
3571 unsigned char* iv, int mode)
3572{
3573 int gcry_modes[] = {
3574 GCRY_CIPHER_MODE_STREAM,
3575 GCRY_CIPHER_MODE_CBC,
3576 GCRY_CIPHER_MODE_GCM,
3577 GCRY_CIPHER_MODE_CCM,
3578 GCRY_CIPHER_MODE_CCM,
3579 GCRY_CIPHER_MODE_POLY1305,
3580 GCRY_CIPHER_MODE_ECB, /* used for DTLSv1.3 seq number encryption */
3581 };
3582 int err;
3583 if (algo == -1) {
3584 /* NULL mode */
3585 *(cipher) = (gcry_cipher_hd_t)-1;
3586 return 0;
3587 }
3588 err = gcry_cipher_open(cipher, algo, gcry_modes[mode], 0);
3589 if (err !=0)
3590 return -1;
3591 err = gcry_cipher_setkey(*(cipher), sk, gcry_cipher_get_algo_keylen (algo));
3592 if (err != 0)
3593 return -1;
3594 /* AEAD cipher suites will set the nonce later. */
3595 if (mode == MODE_CBC) {
3596 err = gcry_cipher_setiv(*(cipher), iv, gcry_cipher_get_algo_blklen(algo));
3597 if (err != 0)
3598 return -1;
3599 }
3600 return 0;
3601}
3602static inline int
3603ssl_cipher_decrypt(gcry_cipher_hd_t *cipher, unsigned char * out, int outl,
3604 const unsigned char * in, int inl)
3605{
3606 if ((*cipher) == (gcry_cipher_hd_t)-1)
3607 {
3608 if (in && inl)
3609 memcpy(out, in, outl < inl ? outl : inl);
3610 return 0;
3611 }
3612 return gcry_cipher_decrypt ( *(cipher), out, outl, in, inl);
3613}
3614static inline int
3615ssl_get_digest_by_name(const char*name)
3616{
3617 return gcry_md_map_name(name);
3618}
3619static inline int
3620ssl_get_cipher_by_name(const char* name)
3621{
3622 return gcry_cipher_map_name(name);
3623}
3624
3625static inline void
3626ssl_cipher_cleanup(gcry_cipher_hd_t *cipher)
3627{
3628 if ((*cipher) != (gcry_cipher_hd_t)-1)
3629 gcry_cipher_close(*cipher);
3630 *cipher = NULL((void*)0);
3631}
3632/* }}} */
3633
3634/* Digests, Ciphers and Cipher Suites registry {{{ */
3635static const SslDigestAlgo digests[]={
3636 {"MD5", 16},
3637 {"SHA1", 20},
3638 {"SHA256", 32},
3639 {"SHA384", 48},
3640 {"SM3", 32},
3641 {"Not Applicable", 0},
3642};
3643
3644#define DIGEST_MAX_SIZE48 48
3645
3646/* get index digest index */
3647static const SslDigestAlgo *
3648ssl_cipher_suite_dig(const SslCipherSuite *cs) {
3649 if (!cs || cs->dig < DIG_MD50x40 || cs->dig > DIG_NA0x45) {
3650 return &digests[DIG_NA0x45 - DIG_MD50x40];
3651 }
3652 return &digests[cs->dig - DIG_MD50x40];
3653}
3654
3655static const char *ciphers[]={
3656 "DES",
3657 "3DES",
3658 "ARCFOUR", /* libgcrypt does not support rc4, but this should be 100% compatible*/
3659 "RFC2268_128", /* libgcrypt name for RC2 with a 128-bit key */
3660 "IDEA",
3661 "AES",
3662 "AES256",
3663 "CAMELLIA128",
3664 "CAMELLIA256",
3665 "SEED",
3666 "CHACHA20", /* since Libgcrypt 1.7.0 */
3667 "SM1",
3668 "SM4",
3669 "*UNKNOWN*"
3670};
3671
3672static const SslCipherSuite cipher_suites[]={
3673 {0x0001,KEX_RSA0x1e, ENC_NULL0x3D, DIG_MD50x40, MODE_STREAM}, /* TLS_RSA_WITH_NULL_MD5 */
3674 {0x0002,KEX_RSA0x1e, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_RSA_WITH_NULL_SHA */
3675 {0x0003,KEX_RSA0x1e, ENC_RC40x32, DIG_MD50x40, MODE_STREAM}, /* TLS_RSA_EXPORT_WITH_RC4_40_MD5 */
3676 {0x0004,KEX_RSA0x1e, ENC_RC40x32, DIG_MD50x40, MODE_STREAM}, /* TLS_RSA_WITH_RC4_128_MD5 */
3677 {0x0005,KEX_RSA0x1e, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_RSA_WITH_RC4_128_SHA */
3678 {0x0006,KEX_RSA0x1e, ENC_RC20x33, DIG_MD50x40, MODE_CBC }, /* TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 */
3679 {0x0007,KEX_RSA0x1e, ENC_IDEA0x34, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_IDEA_CBC_SHA */
3680 {0x0008,KEX_RSA0x1e, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_EXPORT_WITH_DES40_CBC_SHA */
3681 {0x0009,KEX_RSA0x1e, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_DES_CBC_SHA */
3682 {0x000A,KEX_RSA0x1e, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_3DES_EDE_CBC_SHA */
3683 {0x000B,KEX_DH_DSS0x14, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA */
3684 {0x000C,KEX_DH_DSS0x14, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_DES_CBC_SHA */
3685 {0x000D,KEX_DH_DSS0x14, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA */
3686 {0x000E,KEX_DH_RSA0x15, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA */
3687 {0x000F,KEX_DH_RSA0x15, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_DES_CBC_SHA */
3688 {0x0010,KEX_DH_RSA0x15, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA */
3689 {0x0011,KEX_DHE_DSS0x10, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA */
3690 {0x0012,KEX_DHE_DSS0x10, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_DES_CBC_SHA */
3691 {0x0013,KEX_DHE_DSS0x10, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA */
3692 {0x0014,KEX_DHE_RSA0x12, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA */
3693 {0x0015,KEX_DHE_RSA0x12, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_DES_CBC_SHA */
3694 {0x0016,KEX_DHE_RSA0x12, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA */
3695 {0x0017,KEX_DH_ANON0x13, ENC_RC40x32, DIG_MD50x40, MODE_STREAM}, /* TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 */
3696 {0x0018,KEX_DH_ANON0x13, ENC_RC40x32, DIG_MD50x40, MODE_STREAM}, /* TLS_DH_anon_WITH_RC4_128_MD5 */
3697 {0x0019,KEX_DH_ANON0x13, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA */
3698 {0x001A,KEX_DH_ANON0x13, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_DES_CBC_SHA */
3699 {0x001B,KEX_DH_ANON0x13, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_3DES_EDE_CBC_SHA */
3700 {0x002C,KEX_PSK0x1d, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_PSK_WITH_NULL_SHA */
3701 {0x002D,KEX_DHE_PSK0x11, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_DHE_PSK_WITH_NULL_SHA */
3702 {0x002E,KEX_RSA_PSK0x1f, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_RSA_PSK_WITH_NULL_SHA */
3703 {0x002F,KEX_RSA0x1e, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_AES_128_CBC_SHA */
3704 {0x0030,KEX_DH_DSS0x14, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_AES_128_CBC_SHA */
3705 {0x0031,KEX_DH_RSA0x15, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_AES_128_CBC_SHA */
3706 {0x0032,KEX_DHE_DSS0x10, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_AES_128_CBC_SHA */
3707 {0x0033,KEX_DHE_RSA0x12, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_AES_128_CBC_SHA */
3708 {0x0034,KEX_DH_ANON0x13, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_AES_128_CBC_SHA */
3709 {0x0035,KEX_RSA0x1e, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_AES_256_CBC_SHA */
3710 {0x0036,KEX_DH_DSS0x14, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_AES_256_CBC_SHA */
3711 {0x0037,KEX_DH_RSA0x15, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_AES_256_CBC_SHA */
3712 {0x0038,KEX_DHE_DSS0x10, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_AES_256_CBC_SHA */
3713 {0x0039,KEX_DHE_RSA0x12, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_AES_256_CBC_SHA */
3714 {0x003A,KEX_DH_ANON0x13, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_AES_256_CBC_SHA */
3715 {0x003B,KEX_RSA0x1e, ENC_NULL0x3D, DIG_SHA2560x42, MODE_STREAM}, /* TLS_RSA_WITH_NULL_SHA256 */
3716 {0x003C,KEX_RSA0x1e, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_RSA_WITH_AES_128_CBC_SHA256 */
3717 {0x003D,KEX_RSA0x1e, ENC_AES2560x36, DIG_SHA2560x42, MODE_CBC }, /* TLS_RSA_WITH_AES_256_CBC_SHA256 */
3718 {0x003E,KEX_DH_DSS0x14, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_DSS_WITH_AES_128_CBC_SHA256 */
3719 {0x003F,KEX_DH_RSA0x15, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_RSA_WITH_AES_128_CBC_SHA256 */
3720 {0x0040,KEX_DHE_DSS0x10, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 */
3721 {0x0041,KEX_RSA0x1e, ENC_CAMELLIA1280x37,DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_CAMELLIA_128_CBC_SHA */
3722 {0x0042,KEX_DH_DSS0x14, ENC_CAMELLIA1280x37,DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA */
3723 {0x0043,KEX_DH_RSA0x15, ENC_CAMELLIA1280x37,DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA */
3724 {0x0044,KEX_DHE_DSS0x10, ENC_CAMELLIA1280x37,DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA */
3725 {0x0045,KEX_DHE_RSA0x12, ENC_CAMELLIA1280x37,DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA */
3726 {0x0046,KEX_DH_ANON0x13, ENC_CAMELLIA1280x37,DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA */
3727 {0x0060,KEX_RSA0x1e, ENC_RC40x32, DIG_MD50x40, MODE_STREAM}, /* TLS_RSA_EXPORT1024_WITH_RC4_56_MD5 */
3728 {0x0061,KEX_RSA0x1e, ENC_RC20x33, DIG_MD50x40, MODE_STREAM}, /* TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 */
3729 {0x0062,KEX_RSA0x1e, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA */
3730 {0x0063,KEX_DHE_DSS0x10, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA */
3731 {0x0064,KEX_RSA0x1e, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_RSA_EXPORT1024_WITH_RC4_56_SHA */
3732 {0x0065,KEX_DHE_DSS0x10, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA */
3733 {0x0066,KEX_DHE_DSS0x10, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_DHE_DSS_WITH_RC4_128_SHA */
3734 {0x0067,KEX_DHE_RSA0x12, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 */
3735 {0x0068,KEX_DH_DSS0x14, ENC_AES2560x36, DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_DSS_WITH_AES_256_CBC_SHA256 */
3736 {0x0069,KEX_DH_RSA0x15, ENC_AES2560x36, DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_RSA_WITH_AES_256_CBC_SHA256 */
3737 {0x006A,KEX_DHE_DSS0x10, ENC_AES2560x36, DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 */
3738 {0x006B,KEX_DHE_RSA0x12, ENC_AES2560x36, DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 */
3739 {0x006C,KEX_DH_ANON0x13, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_anon_WITH_AES_128_CBC_SHA256 */
3740 {0x006D,KEX_DH_ANON0x13, ENC_AES2560x36, DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_anon_WITH_AES_256_CBC_SHA256 */
3741 {0x0084,KEX_RSA0x1e, ENC_CAMELLIA2560x38,DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_CAMELLIA_256_CBC_SHA */
3742 {0x0085,KEX_DH_DSS0x14, ENC_CAMELLIA2560x38,DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA */
3743 {0x0086,KEX_DH_RSA0x15, ENC_CAMELLIA2560x38,DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA */
3744 {0x0087,KEX_DHE_DSS0x10, ENC_CAMELLIA2560x38,DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA */
3745 {0x0088,KEX_DHE_RSA0x12, ENC_CAMELLIA2560x38,DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA */
3746 {0x0089,KEX_DH_ANON0x13, ENC_CAMELLIA2560x38,DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA */
3747 {0x008A,KEX_PSK0x1d, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_PSK_WITH_RC4_128_SHA */
3748 {0x008B,KEX_PSK0x1d, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_PSK_WITH_3DES_EDE_CBC_SHA */
3749 {0x008C,KEX_PSK0x1d, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_PSK_WITH_AES_128_CBC_SHA */
3750 {0x008D,KEX_PSK0x1d, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_PSK_WITH_AES_256_CBC_SHA */
3751 {0x008E,KEX_DHE_PSK0x11, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_DHE_PSK_WITH_RC4_128_SHA */
3752 {0x008F,KEX_DHE_PSK0x11, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA */
3753 {0x0090,KEX_DHE_PSK0x11, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_PSK_WITH_AES_128_CBC_SHA */
3754 {0x0091,KEX_DHE_PSK0x11, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_PSK_WITH_AES_256_CBC_SHA */
3755 {0x0092,KEX_RSA_PSK0x1f, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_RSA_PSK_WITH_RC4_128_SHA */
3756 {0x0093,KEX_RSA_PSK0x1f, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA */
3757 {0x0094,KEX_RSA_PSK0x1f, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_PSK_WITH_AES_128_CBC_SHA */
3758 {0x0095,KEX_RSA_PSK0x1f, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_PSK_WITH_AES_256_CBC_SHA */
3759 {0x0096,KEX_RSA0x1e, ENC_SEED0x39, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_SEED_CBC_SHA */
3760 {0x0097,KEX_DH_DSS0x14, ENC_SEED0x39, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_SEED_CBC_SHA */
3761 {0x0098,KEX_DH_RSA0x15, ENC_SEED0x39, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_SEED_CBC_SHA */
3762 {0x0099,KEX_DHE_DSS0x10, ENC_SEED0x39, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_SEED_CBC_SHA */
3763 {0x009A,KEX_DHE_RSA0x12, ENC_SEED0x39, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_SEED_CBC_SHA */
3764 {0x009B,KEX_DH_ANON0x13, ENC_SEED0x39, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_SEED_CBC_SHA */
3765 {0x009C,KEX_RSA0x1e, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_RSA_WITH_AES_128_GCM_SHA256 */
3766 {0x009D,KEX_RSA0x1e, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_RSA_WITH_AES_256_GCM_SHA384 */
3767 {0x009E,KEX_DHE_RSA0x12, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 */
3768 {0x009F,KEX_DHE_RSA0x12, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 */
3769 {0x00A0,KEX_DH_RSA0x15, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_DH_RSA_WITH_AES_128_GCM_SHA256 */
3770 {0x00A1,KEX_DH_RSA0x15, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_DH_RSA_WITH_AES_256_GCM_SHA384 */
3771 {0x00A2,KEX_DHE_DSS0x10, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 */
3772 {0x00A3,KEX_DHE_DSS0x10, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 */
3773 {0x00A4,KEX_DH_DSS0x14, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_DH_DSS_WITH_AES_128_GCM_SHA256 */
3774 {0x00A5,KEX_DH_DSS0x14, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_DH_DSS_WITH_AES_256_GCM_SHA384 */
3775 {0x00A6,KEX_DH_ANON0x13, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_DH_anon_WITH_AES_128_GCM_SHA256 */
3776 {0x00A7,KEX_DH_ANON0x13, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_DH_anon_WITH_AES_256_GCM_SHA384 */
3777 {0x00A8,KEX_PSK0x1d, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_PSK_WITH_AES_128_GCM_SHA256 */
3778 {0x00A9,KEX_PSK0x1d, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_PSK_WITH_AES_256_GCM_SHA384 */
3779 {0x00AA,KEX_DHE_PSK0x11, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 */
3780 {0x00AB,KEX_DHE_PSK0x11, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 */
3781 {0x00AC,KEX_RSA_PSK0x1f, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 */
3782 {0x00AD,KEX_RSA_PSK0x1f, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 */
3783 {0x00AE,KEX_PSK0x1d, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_PSK_WITH_AES_128_CBC_SHA256 */
3784 {0x00AF,KEX_PSK0x1d, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_PSK_WITH_AES_256_CBC_SHA384 */
3785 {0x00B0,KEX_PSK0x1d, ENC_NULL0x3D, DIG_SHA2560x42, MODE_STREAM}, /* TLS_PSK_WITH_NULL_SHA256 */
3786 {0x00B1,KEX_PSK0x1d, ENC_NULL0x3D, DIG_SHA3840x43, MODE_STREAM}, /* TLS_PSK_WITH_NULL_SHA384 */
3787 {0x00B2,KEX_DHE_PSK0x11, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 */
3788 {0x00B3,KEX_DHE_PSK0x11, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 */
3789 {0x00B4,KEX_DHE_PSK0x11, ENC_NULL0x3D, DIG_SHA2560x42, MODE_STREAM}, /* TLS_DHE_PSK_WITH_NULL_SHA256 */
3790 {0x00B5,KEX_DHE_PSK0x11, ENC_NULL0x3D, DIG_SHA3840x43, MODE_STREAM}, /* TLS_DHE_PSK_WITH_NULL_SHA384 */
3791 {0x00B6,KEX_RSA_PSK0x1f, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 */
3792 {0x00B7,KEX_RSA_PSK0x1f, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 */
3793 {0x00B8,KEX_RSA_PSK0x1f, ENC_NULL0x3D, DIG_SHA2560x42, MODE_STREAM}, /* TLS_RSA_PSK_WITH_NULL_SHA256 */
3794 {0x00B9,KEX_RSA_PSK0x1f, ENC_NULL0x3D, DIG_SHA3840x43, MODE_STREAM}, /* TLS_RSA_PSK_WITH_NULL_SHA384 */
3795 {0x00BA,KEX_RSA0x1e, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 */
3796 {0x00BB,KEX_DH_DSS0x14, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256 */
3797 {0x00BC,KEX_DH_RSA0x15, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256 */
3798 {0x00BD,KEX_DHE_DSS0x10, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256 */
3799 {0x00BE,KEX_DHE_RSA0x12, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 */
3800 {0x00BF,KEX_DH_ANON0x13, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256 */
3801 {0x00C0,KEX_RSA0x1e, ENC_CAMELLIA2560x38,DIG_SHA2560x42, MODE_CBC }, /* TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 */
3802 {0x00C1,KEX_DH_DSS0x14, ENC_CAMELLIA2560x38,DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256 */
3803 {0x00C2,KEX_DH_RSA0x15, ENC_CAMELLIA2560x38,DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256 */
3804 {0x00C3,KEX_DHE_DSS0x10, ENC_CAMELLIA2560x38,DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256 */
3805 {0x00C4,KEX_DHE_RSA0x12, ENC_CAMELLIA2560x38,DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 */
3806 {0x00C5,KEX_DH_ANON0x13, ENC_CAMELLIA2560x38,DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256 */
3807
3808 /* NOTE: TLS 1.3 cipher suites are incompatible with TLS 1.2. */
3809 {0x1301,KEX_TLS130x23, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_AES_128_GCM_SHA256 */
3810 {0x1302,KEX_TLS130x23, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_AES_256_GCM_SHA384 */
3811 {0x1303,KEX_TLS130x23, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_CHACHA20_POLY1305_SHA256 */
3812 {0x1304,KEX_TLS130x23, ENC_AES0x35, DIG_SHA2560x42, MODE_CCM }, /* TLS_AES_128_CCM_SHA256 */
3813 {0x1305,KEX_TLS130x23, ENC_AES0x35, DIG_SHA2560x42, MODE_CCM_8 }, /* TLS_AES_128_CCM_8_SHA256 */
3814 {0x00C6,KEX_TLS130x23, ENC_SM40x3C, DIG_SM30x44, MODE_GCM }, /* TLS_SM4_GCM_SM3 */
3815
3816 {0xC001,KEX_ECDH_ECDSA0x1a, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDH_ECDSA_WITH_NULL_SHA */
3817 {0xC002,KEX_ECDH_ECDSA0x1a, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDH_ECDSA_WITH_RC4_128_SHA */
3818 {0xC003,KEX_ECDH_ECDSA0x1a, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA */
3819 {0xC004,KEX_ECDH_ECDSA0x1a, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA */
3820 {0xC005,KEX_ECDH_ECDSA0x1a, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA */
3821 {0xC006,KEX_ECDHE_ECDSA0x16, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDHE_ECDSA_WITH_NULL_SHA */
3822 {0xC007,KEX_ECDHE_ECDSA0x16, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDHE_ECDSA_WITH_RC4_128_SHA */
3823 {0xC008,KEX_ECDHE_ECDSA0x16, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA */
3824 {0xC009,KEX_ECDHE_ECDSA0x16, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA */
3825 {0xC00A,KEX_ECDHE_ECDSA0x16, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA */
3826 {0xC00B,KEX_ECDH_RSA0x1b, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDH_RSA_WITH_NULL_SHA */
3827 {0xC00C,KEX_ECDH_RSA0x1b, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDH_RSA_WITH_RC4_128_SHA */
3828 {0xC00D,KEX_ECDH_RSA0x1b, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA */
3829 {0xC00E,KEX_ECDH_RSA0x1b, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_RSA_WITH_AES_128_CBC_SHA */
3830 {0xC00F,KEX_ECDH_RSA0x1b, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_RSA_WITH_AES_256_CBC_SHA */
3831 {0xC0FF,KEX_ECJPAKE0x24, ENC_AES0x35, DIG_NA0x45, MODE_CCM_8 }, /* TLS_ECJPAKE_WITH_AES_128_CCM_8 */
3832 {0xC010,KEX_ECDHE_RSA0x18, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDHE_RSA_WITH_NULL_SHA */
3833 {0xC011,KEX_ECDHE_RSA0x18, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDHE_RSA_WITH_RC4_128_SHA */
3834 {0xC012,KEX_ECDHE_RSA0x18, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA */
3835 {0xC013,KEX_ECDHE_RSA0x18, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA */
3836 {0xC014,KEX_ECDHE_RSA0x18, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA */
3837 {0xC015,KEX_ECDH_ANON0x19, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDH_anon_WITH_NULL_SHA */
3838 {0xC016,KEX_ECDH_ANON0x19, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDH_anon_WITH_RC4_128_SHA */
3839 {0xC017,KEX_ECDH_ANON0x19, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA */
3840 {0xC018,KEX_ECDH_ANON0x19, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_anon_WITH_AES_128_CBC_SHA */
3841 {0xC019,KEX_ECDH_ANON0x19, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_anon_WITH_AES_256_CBC_SHA */
3842 {0xC01A,KEX_SRP_SHA0x20, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA */
3843 {0xC01B,KEX_SRP_SHA_RSA0x22, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA */
3844 {0xC01C,KEX_SRP_SHA_DSS0x21, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA */
3845 {0xC01D,KEX_SRP_SHA0x20, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_WITH_AES_128_CBC_SHA */
3846 {0xC01E,KEX_SRP_SHA_RSA0x22, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA */
3847 {0xC01F,KEX_SRP_SHA_DSS0x21, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA */
3848 {0xC020,KEX_SRP_SHA0x20, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_WITH_AES_256_CBC_SHA */
3849 {0xC021,KEX_SRP_SHA_RSA0x22, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA */
3850 {0xC022,KEX_SRP_SHA_DSS0x21, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA */
3851 {0xC023,KEX_ECDHE_ECDSA0x16, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 */
3852 {0xC024,KEX_ECDHE_ECDSA0x16, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 */
3853 {0xC025,KEX_ECDH_ECDSA0x1a, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 */
3854 {0xC026,KEX_ECDH_ECDSA0x1a, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 */
3855 {0xC027,KEX_ECDHE_RSA0x18, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 */
3856 {0xC028,KEX_ECDHE_RSA0x18, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 */
3857 {0xC029,KEX_ECDH_RSA0x1b, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 */
3858 {0xC02A,KEX_ECDH_RSA0x1b, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 */
3859 {0xC02B,KEX_ECDHE_ECDSA0x16, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 */
3860 {0xC02C,KEX_ECDHE_ECDSA0x16, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 */
3861 {0xC02D,KEX_ECDH_ECDSA0x1a, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 */
3862 {0xC02E,KEX_ECDH_ECDSA0x1a, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 */
3863 {0xC02F,KEX_ECDHE_RSA0x18, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 */
3864 {0xC030,KEX_ECDHE_RSA0x18, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 */
3865 {0xC031,KEX_ECDH_RSA0x1b, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 */
3866 {0xC032,KEX_ECDH_RSA0x1b, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 */
3867 {0xC033,KEX_ECDHE_PSK0x17, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDHE_PSK_WITH_RC4_128_SHA */
3868 {0xC034,KEX_ECDHE_PSK0x17, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA */
3869 {0xC035,KEX_ECDHE_PSK0x17, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA */
3870 {0xC036,KEX_ECDHE_PSK0x17, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA */
3871 {0xC037,KEX_ECDHE_PSK0x17, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 */
3872 {0xC038,KEX_ECDHE_PSK0x17, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 */
3873 {0xC039,KEX_ECDHE_PSK0x17, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDHE_PSK_WITH_NULL_SHA */
3874 {0xC03A,KEX_ECDHE_PSK0x17, ENC_NULL0x3D, DIG_SHA2560x42, MODE_STREAM}, /* TLS_ECDHE_PSK_WITH_NULL_SHA256 */
3875 {0xC03B,KEX_ECDHE_PSK0x17, ENC_NULL0x3D, DIG_SHA3840x43, MODE_STREAM}, /* TLS_ECDHE_PSK_WITH_NULL_SHA384 */
3876 {0xC072,KEX_ECDHE_ECDSA0x16, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 */
3877 {0xC073,KEX_ECDHE_ECDSA0x16, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 */
3878 {0xC074,KEX_ECDH_ECDSA0x1a, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 */
3879 {0xC075,KEX_ECDH_ECDSA0x1a, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 */
3880 {0xC076,KEX_ECDHE_RSA0x18, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 */
3881 {0xC077,KEX_ECDHE_RSA0x18, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 */
3882 {0xC078,KEX_ECDH_RSA0x1b, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256 */
3883 {0xC079,KEX_ECDH_RSA0x1b, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384 */
3884 {0xC07A,KEX_RSA0x1e, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256 */
3885 {0xC07B,KEX_RSA0x1e, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384 */
3886 {0xC07C,KEX_DHE_RSA0x12, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 */
3887 {0xC07D,KEX_DHE_RSA0x12, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 */
3888 {0xC07E,KEX_DH_RSA0x15, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256 */
3889 {0xC07F,KEX_DH_RSA0x15, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384 */
3890 {0xC080,KEX_DHE_DSS0x10, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256 */
3891 {0xC081,KEX_DHE_DSS0x10, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384 */
3892 {0xC082,KEX_DH_DSS0x14, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256 */
3893 {0xC083,KEX_DH_DSS0x14, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384 */
3894 {0xC084,KEX_DH_ANON0x13, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256 */
3895 {0xC085,KEX_DH_ANON0x13, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384 */
3896 {0xC086,KEX_ECDHE_ECDSA0x16, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 */
3897 {0xC087,KEX_ECDHE_ECDSA0x16, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 */
3898 {0xC088,KEX_ECDH_ECDSA0x1a, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 */
3899 {0xC089,KEX_ECDH_ECDSA0x1a, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 */
3900 {0xC08A,KEX_ECDHE_RSA0x18, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 */
3901 {0xC08B,KEX_ECDHE_RSA0x18, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 */
3902 {0xC08C,KEX_ECDH_RSA0x1b, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256 */
3903 {0xC08D,KEX_ECDH_RSA0x1b, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384 */
3904 {0xC08E,KEX_PSK0x1d, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 */
3905 {0xC08F,KEX_PSK0x1d, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384 */
3906 {0xC090,KEX_DHE_PSK0x11, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256 */
3907 {0xC091,KEX_DHE_PSK0x11, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384 */
3908 {0xC092,KEX_RSA_PSK0x1f, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256 */
3909 {0xC093,KEX_RSA_PSK0x1f, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384 */
3910 {0xC094,KEX_PSK0x1d, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 */
3911 {0xC095,KEX_PSK0x1d, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384 */
3912 {0xC096,KEX_DHE_PSK0x11, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 */
3913 {0xC097,KEX_DHE_PSK0x11, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 */
3914 {0xC098,KEX_RSA_PSK0x1f, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256 */
3915 {0xC099,KEX_RSA_PSK0x1f, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384 */
3916 {0xC09A,KEX_ECDHE_PSK0x17, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 */
3917 {0xC09B,KEX_ECDHE_PSK0x17, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 */
3918 {0xC09C,KEX_RSA0x1e, ENC_AES0x35, DIG_NA0x45, MODE_CCM }, /* TLS_RSA_WITH_AES_128_CCM */
3919 {0xC09D,KEX_RSA0x1e, ENC_AES2560x36, DIG_NA0x45, MODE_CCM }, /* TLS_RSA_WITH_AES_256_CCM */
3920 {0xC09E,KEX_DHE_RSA0x12, ENC_AES0x35, DIG_NA0x45, MODE_CCM }, /* TLS_DHE_RSA_WITH_AES_128_CCM */
3921 {0xC09F,KEX_DHE_RSA0x12, ENC_AES2560x36, DIG_NA0x45, MODE_CCM }, /* TLS_DHE_RSA_WITH_AES_256_CCM */
3922 {0xC0A0,KEX_RSA0x1e, ENC_AES0x35, DIG_NA0x45, MODE_CCM_8 }, /* TLS_RSA_WITH_AES_128_CCM_8 */
3923 {0xC0A1,KEX_RSA0x1e, ENC_AES2560x36, DIG_NA0x45, MODE_CCM_8 }, /* TLS_RSA_WITH_AES_256_CCM_8 */
3924 {0xC0A2,KEX_DHE_RSA0x12, ENC_AES0x35, DIG_NA0x45, MODE_CCM_8 }, /* TLS_DHE_RSA_WITH_AES_128_CCM_8 */
3925 {0xC0A3,KEX_DHE_RSA0x12, ENC_AES2560x36, DIG_NA0x45, MODE_CCM_8 }, /* TLS_DHE_RSA_WITH_AES_256_CCM_8 */
3926 {0xC0A4,KEX_PSK0x1d, ENC_AES0x35, DIG_NA0x45, MODE_CCM }, /* TLS_PSK_WITH_AES_128_CCM */
3927 {0xC0A5,KEX_PSK0x1d, ENC_AES2560x36, DIG_NA0x45, MODE_CCM }, /* TLS_PSK_WITH_AES_256_CCM */
3928 {0xC0A6,KEX_DHE_PSK0x11, ENC_AES0x35, DIG_NA0x45, MODE_CCM }, /* TLS_DHE_PSK_WITH_AES_128_CCM */
3929 {0xC0A7,KEX_DHE_PSK0x11, ENC_AES2560x36, DIG_NA0x45, MODE_CCM }, /* TLS_DHE_PSK_WITH_AES_256_CCM */
3930 {0xC0A8,KEX_PSK0x1d, ENC_AES0x35, DIG_NA0x45, MODE_CCM_8 }, /* TLS_PSK_WITH_AES_128_CCM_8 */
3931 {0xC0A9,KEX_PSK0x1d, ENC_AES2560x36, DIG_NA0x45, MODE_CCM_8 }, /* TLS_PSK_WITH_AES_256_CCM_8 */
3932 {0xC0AA,KEX_DHE_PSK0x11, ENC_AES0x35, DIG_NA0x45, MODE_CCM_8 }, /* TLS_PSK_DHE_WITH_AES_128_CCM_8 */
3933 {0xC0AB,KEX_DHE_PSK0x11, ENC_AES2560x36, DIG_NA0x45, MODE_CCM_8 }, /* TLS_PSK_DHE_WITH_AES_256_CCM_8 */
3934 {0xC0AC,KEX_ECDHE_ECDSA0x16, ENC_AES0x35, DIG_NA0x45, MODE_CCM }, /* TLS_ECDHE_ECDSA_WITH_AES_128_CCM */
3935 {0xC0AD,KEX_ECDHE_ECDSA0x16, ENC_AES2560x36, DIG_NA0x45, MODE_CCM }, /* TLS_ECDHE_ECDSA_WITH_AES_256_CCM */
3936 {0xC0AE,KEX_ECDHE_ECDSA0x16, ENC_AES0x35, DIG_NA0x45, MODE_CCM_8 }, /* TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 */
3937 {0xC0AF,KEX_ECDHE_ECDSA0x16, ENC_AES2560x36, DIG_NA0x45, MODE_CCM_8 }, /* TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 */
3938 {0xCCA8,KEX_ECDHE_RSA0x18, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 */
3939 {0xCCA9,KEX_ECDHE_ECDSA0x16, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 */
3940 {0xCCAA,KEX_DHE_RSA0x12, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 */
3941 {0xCCAB,KEX_PSK0x1d, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_PSK_WITH_CHACHA20_POLY1305_SHA256 */
3942 {0xCCAC,KEX_ECDHE_PSK0x17, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 */
3943 {0xCCAD,KEX_DHE_PSK0x11, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 */
3944 {0xCCAE,KEX_RSA_PSK0x1f, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256 */
3945 {0xD001,KEX_ECDHE_PSK0x17, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM}, /* TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 */
3946 {0xD002,KEX_ECDHE_PSK0x17, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM}, /* TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384 */
3947 {0xD003,KEX_ECDHE_PSK0x17, ENC_AES0x35, DIG_SHA2560x42, MODE_CCM_8}, /* TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256 */
3948 {0xD005,KEX_ECDHE_PSK0x17, ENC_AES0x35, DIG_SHA2560x42, MODE_CCM}, /* TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256 */
3949 /* GM */
3950 {0xe001,KEX_ECDHE_SM20x25, ENC_SM10x3B, DIG_SM30x44, MODE_CBC}, /* ECDHE_SM1_SM3 */
3951 {0xe003,KEX_ECC_SM20x26, ENC_SM10x3B, DIG_SM30x44, MODE_CBC}, /* ECC_SM1_SM3 */
3952 {0xe005,KEX_IBSDH_SM90x27, ENC_SM10x3B, DIG_SM30x44, MODE_CBC}, /* IBSDH_SM1_SM3 */
3953 {0xe007,KEX_IBC_SM90x28, ENC_SM10x3B, DIG_SM30x44, MODE_CBC}, /* IBC_SM1_SM3 */
3954 {0xe009,KEX_RSA0x1e, ENC_SM10x3B, DIG_SM30x44, MODE_CBC}, /* RSA_SM1_SM3 */
3955 {0xe00a,KEX_RSA0x1e, ENC_SM10x3B, DIG_SHA0x41, MODE_CBC}, /* RSA_SM1_SHA1 */
3956 {0xe011,KEX_ECDHE_SM20x25, ENC_SM40x3C, DIG_SM30x44, MODE_CBC}, /* ECDHE_SM4_CBC_SM3 */
3957 {0xe013,KEX_ECC_SM20x26, ENC_SM40x3C, DIG_SM30x44, MODE_CBC}, /* ECC_SM4_CBC_SM3 */
3958 {0xe015,KEX_IBSDH_SM90x27, ENC_SM40x3C, DIG_SM30x44, MODE_CBC}, /* IBSDH_SM4_CBC_SM3 */
3959 {0xe017,KEX_IBC_SM90x28, ENC_SM40x3C, DIG_SM30x44, MODE_CBC}, /* IBC_SM4_CBC_SM3 */
3960 {0xe019,KEX_RSA0x1e, ENC_SM40x3C, DIG_SM30x44, MODE_CBC}, /* RSA_SM4_CBC_SM3 */
3961 {0xe01a,KEX_RSA0x1e, ENC_SM40x3C, DIG_SHA0x41, MODE_CBC}, /* RSA_SM4_CBC_SHA1 */
3962 {0xe01c,KEX_RSA0x1e, ENC_SM40x3C, DIG_SHA2560x42, MODE_CBC}, /* RSA_SM4_CBC_SHA256 */
3963 {0xe051,KEX_ECDHE_SM20x25, ENC_SM40x3C, DIG_SM30x44, MODE_GCM}, /* ECDHE_SM4_GCM_SM3 */
3964 {0xe053,KEX_ECC_SM20x26, ENC_SM40x3C, DIG_SM30x44, MODE_GCM}, /* ECC_SM4_GCM_SM3 */
3965 {0xe055,KEX_IBSDH_SM90x27, ENC_SM40x3C, DIG_SM30x44, MODE_GCM}, /* IBSDH_SM4_GCM_SM3 */
3966 {0xe057,KEX_IBC_SM90x28, ENC_SM40x3C, DIG_SM30x44, MODE_GCM}, /* IBC_SM4_GCM_SM3 */
3967 {0xe059,KEX_RSA0x1e, ENC_SM40x3C, DIG_SM30x44, MODE_GCM}, /* RSA_SM4_GCM_SM3 */
3968 {0xe05a,KEX_RSA0x1e, ENC_SM40x3C, DIG_SHA2560x42, MODE_GCM}, /* RSA_SM4_GCM_SHA256 */
3969 {-1, 0, 0, 0, MODE_STREAM}
3970};
3971
3972#define MAX_BLOCK_SIZE16 16
3973#define MAX_KEY_SIZE32 32
3974
3975const SslCipherSuite *
3976ssl_find_cipher(int num)
3977{
3978 const SslCipherSuite *c;
3979 for(c=cipher_suites;c->number!=-1;c++){
3980 if(c->number==num){
3981 return c;
3982 }
3983 }
3984
3985 return NULL((void*)0);
3986}
3987
3988int
3989ssl_get_cipher_algo(const SslCipherSuite *cipher_suite)
3990{
3991 return gcry_cipher_map_name(ciphers[cipher_suite->enc - ENC_START0x30]);
3992}
3993
3994unsigned
3995ssl_get_cipher_blocksize(const SslCipherSuite *cipher_suite)
3996{
3997 int cipher_algo;
3998 if (cipher_suite->mode != MODE_CBC) return 0;
3999 cipher_algo = ssl_get_cipher_by_name(ciphers[cipher_suite->enc - ENC_START0x30]);
4000 return (unsigned)gcry_cipher_get_algo_blklen(cipher_algo);
4001}
4002
4003static unsigned
4004ssl_get_cipher_export_keymat_size(int cipher_suite_num)
4005{
4006 switch (cipher_suite_num) {
4007 /* See RFC 6101 (SSL 3.0), Table 2, column Key Material. */
4008 case 0x0003: /* TLS_RSA_EXPORT_WITH_RC4_40_MD5 */
4009 case 0x0006: /* TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 */
4010 case 0x0008: /* TLS_RSA_EXPORT_WITH_DES40_CBC_SHA */
4011 case 0x000B: /* TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA */
4012 case 0x000E: /* TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA */
4013 case 0x0011: /* TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA */
4014 case 0x0014: /* TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA */
4015 case 0x0017: /* TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 */
4016 case 0x0019: /* TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA */
4017 return 5;
4018
4019 /* not defined in below draft, but "implemented by several vendors",
4020 * https://www.ietf.org/mail-archive/web/tls/current/msg00036.html */
4021 case 0x0060: /* TLS_RSA_EXPORT1024_WITH_RC4_56_MD5 */
4022 case 0x0061: /* TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 */
4023 return 7;
4024
4025 /* Note: the draft states that DES_CBC needs 8 bytes, but Wireshark always
4026 * used 7. Until a pcap proves 8, let's use the old value. Link:
4027 * https://tools.ietf.org/html/draft-ietf-tls-56-bit-ciphersuites-01 */
4028 case 0x0062: /* TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA */
4029 case 0x0063: /* TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA */
4030 case 0x0064: /* TLS_RSA_EXPORT1024_WITH_RC4_56_SHA */
4031 case 0x0065: /* TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA */
4032 return 7;
4033
4034 default:
4035 return 0;
4036 }
4037}
4038
4039/* Digests, Ciphers and Cipher Suites registry }}} */
4040
4041
4042/* HMAC and the Pseudorandom function {{{ */
4043static int
4044tls_hash(StringInfo *secret, StringInfo *seed, int md,
4045 StringInfo *out, unsigned out_len)
4046{
4047 /* RFC 2246 5. HMAC and the pseudorandom function
4048 * '+' denotes concatenation.
4049 * P_hash(secret, seed) = HMAC_hash(secret, A(1) + seed) +
4050 * HMAC_hash(secret, A(2) + seed) + ...
4051 * A(0) = seed
4052 * A(i) = HMAC_hash(secret, A(i - 1))
4053 */
4054 uint8_t *ptr;
4055 unsigned left, tocpy;
4056 uint8_t *A;
4057 uint8_t _A[DIGEST_MAX_SIZE48], tmp[DIGEST_MAX_SIZE48];
4058 unsigned A_l, tmp_l;
4059 SSL_HMACgcry_md_hd_t hm;
4060
4061 ptr = out->data;
4062 left = out_len;
4063
4064 ssl_print_string("tls_hash: hash secret", secret);
4065 ssl_print_string("tls_hash: hash seed", seed);
4066 /* A(0) = seed */
4067 A = seed->data;
4068 A_l = seed->data_len;
4069
4070 if (ssl_hmac_init(&hm, md) != 0) {
4071 return -1;
4072 }
4073 while (left) {
4074 /* A(i) = HMAC_hash(secret, A(i-1)) */
4075 ssl_hmac_setkey(&hm, secret->data, secret->data_len);
4076 ssl_hmac_update(&hm, A, A_l);
4077 A_l = sizeof(_A); /* upper bound len for hash output */
4078 ssl_hmac_final(&hm, _A, &A_l);
4079 A = _A;
4080
4081 /* HMAC_hash(secret, A(i) + seed) */
4082 ssl_hmac_reset(&hm);
4083 ssl_hmac_setkey(&hm, secret->data, secret->data_len);
4084 ssl_hmac_update(&hm, A, A_l);
4085 ssl_hmac_update(&hm, seed->data, seed->data_len);
4086 tmp_l = sizeof(tmp); /* upper bound len for hash output */
4087 ssl_hmac_final(&hm, tmp, &tmp_l);
4088 ssl_hmac_reset(&hm);
4089
4090 /* ssl_hmac_final puts the actual digest output size in tmp_l */
4091 tocpy = MIN(left, tmp_l)(((left) < (tmp_l)) ? (left) : (tmp_l));
4092 memcpy(ptr, tmp, tocpy);
4093 ptr += tocpy;
4094 left -= tocpy;
4095 }
4096 ssl_hmac_cleanup(&hm);
4097 out->data_len = out_len;
4098
4099 ssl_print_string("hash out", out);
4100 return 0;
4101}
4102
4103static bool_Bool
4104tls_prf(StringInfo* secret, const char *usage,
4105 StringInfo* rnd1, StringInfo* rnd2, StringInfo* out, unsigned out_len)
4106{
4107 StringInfo seed, sha_out, md5_out;
4108 uint8_t *ptr;
4109 StringInfo s1, s2;
4110 unsigned i,s_l;
4111 size_t usage_len, rnd2_len;
4112 bool_Bool success = false0;
4113 usage_len = strlen(usage);
4114 rnd2_len = rnd2 ? rnd2->data_len : 0;
4115
4116 /* initialize buffer for sha, md5 random seed*/
4117 if (ssl_data_alloc(&sha_out, MAX(out_len, 20)(((out_len) > (20)) ? (out_len) : (20))) < 0) {
4118 ssl_debug_printf("tls_prf: can't allocate sha out\n");
4119 return false0;
4120 }
4121 if (ssl_data_alloc(&md5_out, MAX(out_len, 16)(((out_len) > (16)) ? (out_len) : (16))) < 0) {
4122 ssl_debug_printf("tls_prf: can't allocate md5 out\n");
4123 goto free_sha;
4124 }
4125 if (ssl_data_alloc(&seed, usage_len+rnd1->data_len+rnd2_len) < 0) {
4126 ssl_debug_printf("tls_prf: can't allocate rnd %d\n",
4127 (int) (usage_len+rnd1->data_len+rnd2_len));
4128 goto free_md5;
4129 }
4130
4131 ptr=seed.data;
4132 memcpy(ptr,usage,usage_len);
4133 ptr+=usage_len;
4134 memcpy(ptr,rnd1->data,rnd1->data_len);
4135 if (rnd2_len > 0) {
4136 ptr+=rnd1->data_len;
4137 memcpy(ptr,rnd2->data,rnd2->data_len);
4138 /*ptr+=rnd2->data_len;*/
4139 }
4140
4141 /* initialize buffer for client/server seeds*/
4142 s_l=secret->data_len/2 + secret->data_len%2;
4143 if (ssl_data_alloc(&s1, s_l) < 0) {
4144 ssl_debug_printf("tls_prf: can't allocate secret %d\n", s_l);
4145 goto free_seed;
4146 }
4147 if (ssl_data_alloc(&s2, s_l) < 0) {
4148 ssl_debug_printf("tls_prf: can't allocate secret(2) %d\n", s_l);
4149 goto free_s1;
4150 }
4151
4152 memcpy(s1.data,secret->data,s_l);
4153 memcpy(s2.data,secret->data + (secret->data_len - s_l),s_l);
4154
4155 ssl_debug_printf("tls_prf: tls_hash(md5 secret_len %d seed_len %d )\n", s1.data_len, seed.data_len);
4156 if(tls_hash(&s1, &seed, ssl_get_digest_by_name("MD5"), &md5_out, out_len) != 0)
4157 goto free_s2;
4158 ssl_debug_printf("tls_prf: tls_hash(sha)\n");
4159 if(tls_hash(&s2, &seed, ssl_get_digest_by_name("SHA1"), &sha_out, out_len) != 0)
4160 goto free_s2;
4161
4162 for (i = 0; i < out_len; i++)
4163 out->data[i] = md5_out.data[i] ^ sha_out.data[i];
4164 /* success, now store the new meaningful data length */
4165 out->data_len = out_len;
4166 success = true1;
4167
4168 ssl_print_string("PRF out",out);
4169free_s2:
4170 g_free(s2.data);
4171free_s1:
4172 g_free(s1.data);
4173free_seed:
4174 g_free(seed.data);
4175free_md5:
4176 g_free(md5_out.data);
4177free_sha:
4178 g_free(sha_out.data);
4179 return success;
4180}
4181
4182static bool_Bool
4183tls12_prf(int md, StringInfo* secret, const char* usage,
4184 StringInfo* rnd1, StringInfo* rnd2, StringInfo* out, unsigned out_len)
4185{
4186 StringInfo label_seed;
4187 int success;
4188 size_t usage_len, rnd2_len;
4189 rnd2_len = rnd2 ? rnd2->data_len : 0;
4190
4191 usage_len = strlen(usage);
4192 if (ssl_data_alloc(&label_seed, usage_len+rnd1->data_len+rnd2_len) < 0) {
4193 ssl_debug_printf("tls12_prf: can't allocate label_seed\n");
4194 return false0;
4195 }
4196 memcpy(label_seed.data, usage, usage_len);
4197 memcpy(label_seed.data+usage_len, rnd1->data, rnd1->data_len);
4198 if (rnd2_len > 0)
4199 memcpy(label_seed.data+usage_len+rnd1->data_len, rnd2->data, rnd2->data_len);
4200
4201 ssl_debug_printf("tls12_prf: tls_hash(hash_alg %s secret_len %d seed_len %d )\n", gcry_md_algo_name(md), secret->data_len, label_seed.data_len);
4202 success = tls_hash(secret, &label_seed, md, out, out_len);
4203 g_free(label_seed.data);
4204 if(success != -1){
4205 ssl_print_string("PRF out", out);
4206 return true1;
4207 }
4208 return false0;
4209}
4210
4211static bool_Bool
4212ssl3_generate_export_iv(StringInfo *r1, StringInfo *r2,
4213 StringInfo *out, unsigned out_len)
4214{
4215 SSL_MD5_CTXgcry_md_hd_t md5;
4216 uint8_t tmp[16];
4217
4218 if (ssl_md5_init(&md5) != 0) {
4219 return false0;
4220 }
4221 ssl_md5_update(&md5,r1->data,r1->data_len);
4222 ssl_md5_update(&md5,r2->data,r2->data_len);
4223 ssl_md5_final(tmp,&md5);
4224 ssl_md5_cleanup(&md5);
4225
4226 DISSECTOR_ASSERT(out_len <= sizeof(tmp))((void) ((out_len <= sizeof(tmp)) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 4226, "out_len <= sizeof(tmp)"))));
4227 ssl_data_set(out, tmp, out_len);
4228 ssl_print_string("export iv", out);
4229 return true1;
4230}
4231
4232static bool_Bool
4233ssl3_prf(StringInfo* secret, const char* usage,
4234 StringInfo* rnd1, StringInfo* rnd2, StringInfo* out, unsigned out_len)
4235{
4236 SSL_MD5_CTXgcry_md_hd_t md5;
4237 SSL_SHA_CTXgcry_md_hd_t sha;
4238 unsigned off;
4239 int i = 0,j;
4240 uint8_t buf[20];
4241
4242 if (ssl_sha_init(&sha) != 0) {
4243 return false0;
4244 }
4245 if (ssl_md5_init(&md5) != 0) {
4246 ssl_sha_cleanup(&sha);
4247 return false0;
4248 }
4249 for (off = 0; off < out_len; off += 16) {
4250 unsigned char outbuf[16];
4251 i++;
4252
4253 ssl_debug_printf("ssl3_prf: sha1_hash(%d)\n",i);
4254 /* A, BB, CCC, ... */
4255 for(j=0;j<i;j++){
4256 buf[j]=64+i;
4257 }
4258
4259 ssl_sha_update(&sha,buf,i);
4260 ssl_sha_update(&sha,secret->data,secret->data_len);
4261
4262 if(!strcmp(usage,"client write key") || !strcmp(usage,"server write key")){
4263 if (rnd2)
4264 ssl_sha_update(&sha,rnd2->data,rnd2->data_len);
4265 ssl_sha_update(&sha,rnd1->data,rnd1->data_len);
4266 }
4267 else{
4268 ssl_sha_update(&sha,rnd1->data,rnd1->data_len);
4269 if (rnd2)
4270 ssl_sha_update(&sha,rnd2->data,rnd2->data_len);
4271 }
4272
4273 ssl_sha_final(buf,&sha);
4274 ssl_sha_reset(&sha);
4275
4276 ssl_debug_printf("ssl3_prf: md5_hash(%d) datalen %d\n",i,
4277 secret->data_len);
4278 ssl_md5_update(&md5,secret->data,secret->data_len);
4279 ssl_md5_update(&md5,buf,20);
4280 ssl_md5_final(outbuf,&md5);
4281 ssl_md5_reset(&md5);
4282
4283 memcpy(out->data + off, outbuf, MIN(out_len - off, 16)(((out_len - off) < (16)) ? (out_len - off) : (16)));
4284 }
4285 ssl_sha_cleanup(&sha);
4286 ssl_md5_cleanup(&md5);
4287 out->data_len = out_len;
4288
4289 return true1;
4290}
4291
4292/* out_len is the wanted output length for the pseudorandom function.
4293 * Ensure that ssl->cipher_suite is set. */
4294static bool_Bool
4295prf(SslDecryptSession *ssl, StringInfo *secret, const char *usage,
4296 StringInfo *rnd1, StringInfo *rnd2, StringInfo *out, unsigned out_len)
4297{
4298 switch (ssl->session.version) {
4299 case SSLV3_VERSION0x300:
4300 return ssl3_prf(secret, usage, rnd1, rnd2, out, out_len);
4301
4302 case TLSV1_VERSION0x301:
4303 case TLSV1DOT1_VERSION0x302:
4304 case DTLSV1DOT0_VERSION0xfeff:
4305 case DTLSV1DOT0_OPENSSL_VERSION0x100:
4306 return tls_prf(secret, usage, rnd1, rnd2, out, out_len);
4307
4308 default: /* TLSv1.2 */
4309 switch (ssl->cipher_suite->dig) {
4310 case DIG_SM30x44:
4311#if GCRYPT_VERSION_NUMBER0x010a03 >= 0x010900
4312 return tls12_prf(GCRY_MD_SM3, secret, usage, rnd1, rnd2,
4313 out, out_len);
4314#else
4315 return false0;
4316#endif
4317 case DIG_SHA3840x43:
4318 return tls12_prf(GCRY_MD_SHA384, secret, usage, rnd1, rnd2,
4319 out, out_len);
4320 default:
4321 return tls12_prf(GCRY_MD_SHA256, secret, usage, rnd1, rnd2,
4322 out, out_len);
4323 }
4324 }
4325}
4326
4327static int tls_handshake_hash(SslDecryptSession* ssl, StringInfo* out)
4328{
4329 SSL_MD5_CTXgcry_md_hd_t md5;
4330 SSL_SHA_CTXgcry_md_hd_t sha;
4331
4332 if (ssl_data_alloc(out, 36) < 0)
21
Calling 'ssl_data_alloc'
25
Returned allocated memory
26
Taking false branch
4333 return -1;
4334
4335 if (ssl_md5_init(&md5) != 0)
27
Taking true branch
4336 return -1;
4337 ssl_md5_update(&md5,ssl->handshake_data.data,ssl->handshake_data.data_len);
4338 ssl_md5_final(out->data,&md5);
4339 ssl_md5_cleanup(&md5);
4340
4341 if (ssl_sha_init(&sha) != 0)
4342 return -1;
4343 ssl_sha_update(&sha,ssl->handshake_data.data,ssl->handshake_data.data_len);
4344 ssl_sha_final(out->data+16,&sha);
4345 ssl_sha_cleanup(&sha);
4346 return 0;
4347}
4348
4349static int tls12_handshake_hash(SslDecryptSession* ssl, int md, StringInfo* out)
4350{
4351 SSL_MDgcry_md_hd_t mc;
4352 uint8_t tmp[48];
4353 unsigned len;
4354
4355 if (ssl_md_init(&mc, md) != 0)
4356 return -1;
4357 ssl_md_update(&mc,ssl->handshake_data.data,ssl->handshake_data.data_len);
4358 ssl_md_final(&mc, tmp, &len);
4359 ssl_md_cleanup(&mc);
4360
4361 if (ssl_data_alloc(out, len) < 0)
4362 return -1;
4363 memcpy(out->data, tmp, len);
4364 return 0;
4365}
4366
4367/**
4368 * Obtains the label prefix used in HKDF-Expand-Label. This function can be
4369 * inlined and removed once support for draft 19 and before is dropped.
4370 */
4371static inline const char *
4372tls13_hkdf_label_prefix(SslDecryptSession *ssl_session)
4373{
4374 if (ssl_session->session.tls13_draft_version && ssl_session->session.tls13_draft_version < 20) {
4375 return "TLS 1.3, ";
4376 } else if (ssl_session->session.version == DTLSV1DOT3_VERSION0xfefc) {
4377 return "dtls13";
4378 } else {
4379 return "tls13 ";
4380 }
4381}
4382
4383/*
4384 * Computes HKDF-Expand-Label(Secret, Label, Hash(context_value), Length) with a
4385 * custom label prefix. If "context_hash" is NULL, then an empty context is
4386 * used. Otherwise it must have the same length as the hash algorithm output.
4387 */
4388bool_Bool
4389tls13_hkdf_expand_label_context(int md, const StringInfo *secret,
4390 const char *label_prefix, const char *label,
4391 const uint8_t *context_hash, uint8_t context_length,
4392 uint16_t out_len, unsigned char **out)
4393{
4394 /* RFC 8446 Section 7.1:
4395 * HKDF-Expand-Label(Secret, Label, Context, Length) =
4396 * HKDF-Expand(Secret, HkdfLabel, Length)
4397 * struct {
4398 * uint16 length = Length;
4399 * opaque label<7..255> = "tls13 " + Label; // "tls13 " is label prefix.
4400 * opaque context<0..255> = Context;
4401 * } HkdfLabel;
4402 *
4403 * RFC 5869 HMAC-based Extract-and-Expand Key Derivation Function (HKDF):
4404 * HKDF-Expand(PRK, info, L) -> OKM
4405 */
4406 gcry_error_t err;
4407 const unsigned label_prefix_length = (unsigned) strlen(label_prefix);
4408 const unsigned label_length = (unsigned) strlen(label);
4409
4410 /* Some sanity checks */
4411 DISSECTOR_ASSERT(label_length > 0 && label_prefix_length + label_length <= 255)((void) ((label_length > 0 && label_prefix_length +
label_length <= 255) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 4411, "label_length > 0 && label_prefix_length + label_length <= 255"
))));
4412
4413 /* info = HkdfLabel { length, label, context } */
4414 GByteArray *info = g_byte_array_new();
4415 const uint16_t length = g_htons(out_len)(((((guint16) ( (guint16) ((guint16) (out_len) >> 8) | (
guint16) ((guint16) (out_len) << 8))))));
4416 g_byte_array_append(info, (const uint8_t *)&length, sizeof(length));
4417
4418 const uint8_t label_vector_length = label_prefix_length + label_length;
4419 g_byte_array_append(info, &label_vector_length, 1);
4420 g_byte_array_append(info, (const uint8_t *)label_prefix, label_prefix_length);
4421 g_byte_array_append(info, (const uint8_t*)label, label_length);
4422
4423 g_byte_array_append(info, &context_length, 1);
4424 if (context_length) {
4425 g_byte_array_append(info, context_hash, context_length);
4426 }
4427
4428 *out = (unsigned char *)wmem_alloc(NULL((void*)0), out_len);
4429 err = hkdf_expand(md, secret->data, secret->data_len, info->data, info->len, *out, out_len);
4430 g_byte_array_free(info, true1);
4431
4432 if (err) {
4433 ssl_debug_printf("%s failed %d: %s\n", G_STRFUNC((const char*) (__func__)), md, gcry_strerror(err));
4434 wmem_free(NULL((void*)0), *out);
4435 *out = NULL((void*)0);
4436 return false0;
4437 }
4438
4439 return true1;
4440}
4441
4442bool_Bool
4443tls13_hkdf_expand_label(int md, const StringInfo *secret,
4444 const char *label_prefix, const char *label,
4445 uint16_t out_len, unsigned char **out)
4446{
4447 return tls13_hkdf_expand_label_context(md, secret, label_prefix, label, NULL((void*)0), 0, out_len, out);
4448}
4449/* HMAC and the Pseudorandom function }}} */
4450
4451/* Record Decompression (after decryption) {{{ */
4452#ifdef USE_ZLIB_OR_ZLIBNG
4453/* memory allocation functions for zlib initialization */
4454static void* ssl_zalloc(void* opaque _U___attribute__((unused)), unsigned int no, unsigned int size)
4455{
4456 return g_malloc0(no*size);
4457}
4458static void ssl_zfree(void* opaque _U___attribute__((unused)), void* addr)
4459{
4460 g_free(addr);
4461}
4462#endif /* USE_ZLIB_OR_ZLIBNG */
4463
4464static SslDecompress*
4465ssl_create_decompressor(int compression)
4466{
4467 SslDecompress *decomp;
4468#ifdef USE_ZLIB_OR_ZLIBNG
4469 int err;
4470#endif
4471
4472 if (compression == 0) return NULL((void*)0);
4473 ssl_debug_printf("ssl_create_decompressor: compression method %d\n", compression);
4474 decomp = wmem_new(wmem_file_scope(), SslDecompress)((SslDecompress*)wmem_alloc((wmem_file_scope()), sizeof(SslDecompress
)));
4475 decomp->compression = compression;
4476 switch (decomp->compression) {
4477#ifdef USE_ZLIB_OR_ZLIBNG
4478 case 1: /* DEFLATE */
4479 decomp->istream.zalloc = ssl_zalloc;
4480 decomp->istream.zfree = ssl_zfree;
4481 decomp->istream.opaque = Z_NULL0;
4482 decomp->istream.next_in = Z_NULL0;
4483 decomp->istream.next_out = Z_NULL0;
4484 decomp->istream.avail_in = 0;
4485 decomp->istream.avail_out = 0;
4486 err = ZLIB_PREFIX(inflateInit)(&decomp->istream)inflateInit_((&decomp->istream), "1.3", (int)sizeof(z_stream
));
4487 if (err != Z_OK0) {
4488 ssl_debug_printf("ssl_create_decompressor: inflateInit_() failed - %d\n", err);
4489 return NULL((void*)0);
4490 }
4491 break;
4492#endif /* USE_ZLIB_OR_ZLIBNG */
4493 default:
4494 ssl_debug_printf("ssl_create_decompressor: unsupported compression method %d\n", decomp->compression);
4495 return NULL((void*)0);
4496 }
4497 return decomp;
4498}
4499
4500#ifdef USE_ZLIB_OR_ZLIBNG
4501static int
4502ssl_decompress_record(SslDecompress* decomp, const unsigned char* in, unsigned inl, StringInfo* out_str, unsigned* outl)
4503{
4504 int err;
4505
4506 switch (decomp->compression) {
4507 case 1: /* DEFLATE */
4508 err = Z_OK0;
4509 if (out_str->data_len < 16384) { /* maximal plain length */
4510 ssl_data_realloc(out_str, 16384);
4511 }
4512#ifdef z_constconst
4513 decomp->istream.next_in = in;
4514#else
4515DIAG_OFF(cast-qual)clang diagnostic push clang diagnostic ignored "-Wcast-qual"
4516 decomp->istream.next_in = (Bytef *)in;
4517DIAG_ON(cast-qual)clang diagnostic pop
4518#endif
4519 decomp->istream.avail_in = inl;
4520 decomp->istream.next_out = out_str->data;
4521 decomp->istream.avail_out = out_str->data_len;
4522 if (inl > 0)
4523 err = ZLIB_PREFIX(inflate)inflate(&decomp->istream, Z_SYNC_FLUSH2);
4524 if (err != Z_OK0) {
4525 ssl_debug_printf("ssl_decompress_record: inflate() failed - %d\n", err);
4526 return -1;
4527 }
4528 *outl = out_str->data_len - decomp->istream.avail_out;
4529 break;
4530 default:
4531 ssl_debug_printf("ssl_decompress_record: unsupported compression method %d\n", decomp->compression);
4532 return -1;
4533 }
4534 return 0;
4535}
4536#else /* USE_ZLIB_OR_ZLIBNG */
4537int
4538ssl_decompress_record(SslDecompress* decomp _U___attribute__((unused)), const unsigned char* in _U___attribute__((unused)), unsigned inl _U___attribute__((unused)), StringInfo* out_str _U___attribute__((unused)), unsigned* outl _U___attribute__((unused)))
4539{
4540 ssl_debug_printf("ssl_decompress_record: unsupported compression method %d\n", decomp->compression);
4541 return -1;
4542}
4543#endif /* USE_ZLIB_OR_ZLIBNG */
4544/* Record Decompression (after decryption) }}} */
4545
4546/* Create a new structure to store decrypted chunks. {{{ */
4547static SslFlow*
4548ssl_create_flow(void)
4549{
4550 SslFlow *flow;
4551
4552 flow = wmem_new(wmem_file_scope(), SslFlow)((SslFlow*)wmem_alloc((wmem_file_scope()), sizeof(SslFlow)));
4553 flow->byte_seq = 0;
4554 flow->flags = 0;
4555 flow->multisegment_pdus = wmem_tree_new(wmem_file_scope());
4556 return flow;
4557}
4558/* }}} */
4559
4560/* Use the negotiated security parameters for decryption. {{{ */
4561void
4562ssl_change_cipher(SslDecryptSession *ssl_session, bool_Bool server)
4563{
4564 SslDecoder **new_decoder = server ? &ssl_session->server_new : &ssl_session->client_new;
4565 SslDecoder **dest = server ? &ssl_session->server : &ssl_session->client;
4566 ssl_debug_printf("ssl_change_cipher %s%s\n", server ? "SERVER" : "CLIENT",
4567 *new_decoder ? "" : " (No decoder found - retransmission?)");
4568 if (*new_decoder) {
4569 *dest = *new_decoder;
4570 *new_decoder = NULL((void*)0);
4571 }
4572}
4573/* }}} */
4574
4575/* Init cipher state given some security parameters. {{{ */
4576static bool_Bool
4577ssl_decoder_destroy_cb(wmem_allocator_t *, wmem_cb_event_t, void *);
4578
4579static SslDecoder*
4580ssl_create_decoder(const SslCipherSuite *cipher_suite, int cipher_algo,
4581 int compression, uint8_t *mk, uint8_t *sk, uint8_t *sn_key, uint8_t *iv, unsigned iv_length)
4582{
4583 SslDecoder *dec;
4584 ssl_cipher_mode_t mode = cipher_suite->mode;
4585
4586 dec = wmem_new0(wmem_file_scope(), SslDecoder)((SslDecoder*)wmem_alloc0((wmem_file_scope()), sizeof(SslDecoder
)));
4587 /* init mac buffer: mac storage is embedded into decoder struct to save a
4588 memory allocation and waste samo more memory*/
4589 dec->cipher_suite=cipher_suite;
4590 dec->compression = compression;
4591 if ((mode == MODE_STREAM && mk != NULL((void*)0)) || mode == MODE_CBC) {
4592 // AEAD ciphers use no MAC key, but stream and block ciphers do. Note
4593 // the special case for NULL ciphers, even if there is insufficiency
4594 // keying material (including MAC key), we will can still create
4595 // decoders since "decryption" is easy for such ciphers.
4596 dec->mac_key.data = dec->_mac_key_or_write_iv;
4597 ssl_data_set(&dec->mac_key, mk, ssl_cipher_suite_dig(cipher_suite)->len);
4598 } else if (mode == MODE_GCM || mode == MODE_CCM || mode == MODE_CCM_8 || mode == MODE_POLY1305) {
4599 // Input for the nonce, to be used with AEAD ciphers.
4600 DISSECTOR_ASSERT(iv_length <= sizeof(dec->_mac_key_or_write_iv))((void) ((iv_length <= sizeof(dec->_mac_key_or_write_iv
)) ? (void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\""
, "epan/dissectors/packet-tls-utils.c", 4600, "iv_length <= sizeof(dec->_mac_key_or_write_iv)"
))));
4601 dec->write_iv.data = dec->_mac_key_or_write_iv;
4602 ssl_data_set(&dec->write_iv, iv, iv_length);
4603 }
4604 dec->seq = 0;
4605 dec->decomp = ssl_create_decompressor(compression);
4606 wmem_register_callback(wmem_file_scope(), ssl_decoder_destroy_cb, dec);
4607
4608 if (ssl_cipher_init(&dec->evp,cipher_algo,sk,iv,cipher_suite->mode) < 0) {
4609 ssl_debug_printf("%s: can't create cipher id:%d mode:%d\n", G_STRFUNC((const char*) (__func__)),
4610 cipher_algo, cipher_suite->mode);
4611 return NULL((void*)0);
4612 }
4613
4614 if (cipher_suite->enc != ENC_NULL0x3D && sn_key != NULL((void*)0)) {
4615 if (cipher_suite->enc == ENC_AES0x35 || cipher_suite->enc == ENC_AES2560x36) {
4616 mode = MODE_ECB;
4617 } else if (cipher_suite->enc == ENC_CHACHA200x3A) {
4618 mode = MODE_STREAM;
4619 } else {
4620 ssl_debug_printf("not supported encryption algorithm for DTLSv1.3\n");
4621 return NULL((void*)0);
4622 }
4623
4624 if (ssl_cipher_init(&dec->sn_evp, cipher_algo, sn_key, NULL((void*)0), mode) < 0) {
4625 ssl_debug_printf("%s: can't create cipher id:%d mode:%d for seq number decryption\n", G_STRFUNC((const char*) (__func__)),
4626 cipher_algo, MODE_ECB);
4627 ssl_cipher_cleanup(&dec->evp);
4628 dec->evp = NULL((void*)0);
4629 return NULL((void*)0);
4630 }
4631 } else {
4632 dec->sn_evp = NULL((void*)0);
4633 }
4634
4635 dec->dtls13_aad.data = NULL((void*)0);
4636 dec->dtls13_aad.data_len = 0;
4637 ssl_debug_printf("decoder initialized (digest len %d)\n", ssl_cipher_suite_dig(cipher_suite)->len);
4638 return dec;
4639}
4640
4641static bool_Bool
4642ssl_decoder_destroy_cb(wmem_allocator_t *allocator _U___attribute__((unused)), wmem_cb_event_t event _U___attribute__((unused)), void *user_data)
4643{
4644 SslDecoder *dec = (SslDecoder *) user_data;
4645
4646 if (dec->evp)
4647 ssl_cipher_cleanup(&dec->evp);
4648 if (dec->sn_evp)
4649 ssl_cipher_cleanup(&dec->sn_evp);
4650
4651#ifdef USE_ZLIB_OR_ZLIBNG
4652 if (dec->decomp != NULL((void*)0) && dec->decomp->compression == 1 /* DEFLATE */)
4653 ZLIB_PREFIX(inflateEnd)inflateEnd(&dec->decomp->istream);
4654#endif
4655
4656 return false0;
4657}
4658/* }}} */
4659
4660/* (Pre-)master secrets calculations {{{ */
4661#ifdef HAVE_LIBGNUTLS1
4662static bool_Bool
4663ssl_decrypt_pre_master_secret(SslDecryptSession *ssl_session,
4664 StringInfo *encrypted_pre_master,
4665 GHashTable *key_hash);
4666#endif /* HAVE_LIBGNUTLS */
4667
4668static bool_Bool
4669ssl_restore_master_key(SslDecryptSession *ssl, const char *label,
4670 bool_Bool is_pre_master, GHashTable *ht, StringInfo *key);
4671
4672bool_Bool
4673ssl_generate_pre_master_secret(SslDecryptSession *ssl_session,
4674 uint32_t length, tvbuff_t *tvb, uint32_t offset,
4675 const char *ssl_psk, packet_info *pinfo,
4676#ifdef HAVE_LIBGNUTLS1
4677 GHashTable *key_hash,
4678#endif
4679 const ssl_master_key_map_t *mk_map)
4680{
4681 /* check for required session data */
4682 ssl_debug_printf("%s: found SSL_HND_CLIENT_KEY_EXCHG, state %X\n",
4683 G_STRFUNC((const char*) (__func__)), ssl_session->state);
4684 if ((ssl_session->state & (SSL_CIPHER(1<<2)|SSL_CLIENT_RANDOM(1<<0)|SSL_SERVER_RANDOM(1<<1)|SSL_VERSION(1<<4))) !=
4685 (SSL_CIPHER(1<<2)|SSL_CLIENT_RANDOM(1<<0)|SSL_SERVER_RANDOM(1<<1)|SSL_VERSION(1<<4))) {
4686 ssl_debug_printf("%s: not enough data to generate key (required state %X)\n", G_STRFUNC((const char*) (__func__)),
4687 (SSL_CIPHER(1<<2)|SSL_CLIENT_RANDOM(1<<0)|SSL_SERVER_RANDOM(1<<1)|SSL_VERSION(1<<4)));
4688 return false0;
4689 }
4690
4691 if (ssl_session->session.version == TLSV1DOT3_VERSION0x304) {
4692 ssl_debug_printf("%s: detected TLS 1.3 which has no pre-master secrets\n", G_STRFUNC((const char*) (__func__)));
4693 return false0;
4694 }
4695
4696 /* check to see if the PMS was provided to us*/
4697 if (ssl_restore_master_key(ssl_session, "Unencrypted pre-master secret", true1,
4698 mk_map->pms, &ssl_session->client_random)) {
4699 return true1;
4700 }
4701
4702 if (ssl_session->cipher_suite->kex == KEX_PSK0x1d)
4703 {
4704 /* calculate pre master secret*/
4705 StringInfo pre_master_secret;
4706 unsigned psk_len, pre_master_len;
4707
4708 if (!ssl_psk || (ssl_psk[0] == 0)) {
4709 ssl_debug_printf("%s: can't find pre-shared key\n", G_STRFUNC((const char*) (__func__)));
4710 return false0;
4711 }
4712
4713 /* convert hex string into char*/
4714 if (!from_hex(&ssl_session->psk, ssl_psk, strlen(ssl_psk))) {
4715 ssl_debug_printf("%s: ssl.psk/dtls.psk contains invalid hex\n",
4716 G_STRFUNC((const char*) (__func__)));
4717 return false0;
4718 }
4719
4720 psk_len = ssl_session->psk.data_len;
4721 if (psk_len >= (2 << 15)) {
4722 ssl_debug_printf("%s: ssl.psk/dtls.psk must not be larger than 2^15 - 1\n",
4723 G_STRFUNC((const char*) (__func__)));
4724 return false0;
4725 }
4726
4727
4728 pre_master_len = psk_len * 2 + 4;
4729
4730 pre_master_secret.data = (unsigned char *)wmem_alloc(wmem_file_scope(), pre_master_len);
4731 pre_master_secret.data_len = pre_master_len;
4732 /* 2 bytes psk_len*/
4733 pre_master_secret.data[0] = psk_len >> 8;
4734 pre_master_secret.data[1] = psk_len & 0xFF;
4735 /* psk_len bytes times 0*/
4736 memset(&pre_master_secret.data[2], 0, psk_len);
4737 /* 2 bytes psk_len*/
4738 pre_master_secret.data[psk_len + 2] = psk_len >> 8;
4739 pre_master_secret.data[psk_len + 3] = psk_len & 0xFF;
4740 /* psk*/
4741 memcpy(&pre_master_secret.data[psk_len + 4], ssl_session->psk.data, psk_len);
4742
4743 ssl_session->pre_master_secret.data = pre_master_secret.data;
4744 ssl_session->pre_master_secret.data_len = pre_master_len;
4745 /*ssl_debug_printf("pre master secret",&ssl->pre_master_secret);*/
4746
4747 /* Remove the master secret if it was there.
4748 This forces keying material regeneration in
4749 case we're renegotiating */
4750 ssl_session->state &= ~(SSL_MASTER_SECRET(1<<5)|SSL_HAVE_SESSION_KEY(1<<3));
4751 ssl_session->state |= SSL_PRE_MASTER_SECRET(1<<6);
4752 return true1;
4753 }
4754 else
4755 {
4756 unsigned encrlen, skip;
4757 encrlen = length;
4758 skip = 0;
4759
4760 /* get encrypted data, on tls1 we have to skip two bytes
4761 * (it's the encrypted len and should be equal to record len - 2)
4762 * in case of rsa1024 that would be 128 + 2 = 130; for psk not necessary
4763 */
4764 if (ssl_session->cipher_suite->kex == KEX_RSA0x1e &&
4765 (ssl_session->session.version == TLSV1_VERSION0x301 ||
4766 ssl_session->session.version == TLSV1DOT1_VERSION0x302 ||
4767 ssl_session->session.version == TLSV1DOT2_VERSION0x303 ||
4768 ssl_session->session.version == DTLSV1DOT0_VERSION0xfeff ||
4769 ssl_session->session.version == DTLSV1DOT2_VERSION0xfefd ||
4770 ssl_session->session.version == TLCPV1_VERSION0x101 ))
4771 {
4772 encrlen = tvb_get_ntohs(tvb, offset);
4773 skip = 2;
4774 if (encrlen > length - 2)
4775 {
4776 ssl_debug_printf("%s: wrong encrypted length (%d max %d)\n",
4777 G_STRFUNC((const char*) (__func__)), encrlen, length);
4778 return false0;
4779 }
4780 }
4781 /* the valid lower bound is higher than 8, but it is sufficient for the
4782 * ssl keylog file below */
4783 if (encrlen < 8) {
4784 ssl_debug_printf("%s: invalid encrypted pre-master key length %d\n",
4785 G_STRFUNC((const char*) (__func__)), encrlen);
4786 return false0;
4787 }
4788
4789 StringInfo encrypted_pre_master = {
4790 .data = (unsigned char *)tvb_memdup(pinfo->pool, tvb, offset + skip, encrlen),
4791 .data_len = encrlen,
4792 };
4793
4794#ifdef HAVE_LIBGNUTLS1
4795 /* Try to lookup an appropriate RSA private key to decrypt the Encrypted Pre-Master Secret. */
4796 if (ssl_session->cert_key_id) {
4797 if (ssl_decrypt_pre_master_secret(ssl_session, &encrypted_pre_master, key_hash))
4798 return true1;
4799
4800 ssl_debug_printf("%s: can't decrypt pre-master secret\n",
4801 G_STRFUNC((const char*) (__func__)));
4802 }
4803#endif /* HAVE_LIBGNUTLS */
4804
4805 /* try to find the pre-master secret from the encrypted one. The
4806 * ssl key logfile stores only the first 8 bytes, so truncate it */
4807 encrypted_pre_master.data_len = 8;
4808 if (ssl_restore_master_key(ssl_session, "Encrypted pre-master secret",
4809 true1, mk_map->pre_master, &encrypted_pre_master))
4810 return true1;
4811 }
4812 return false0;
4813}
4814
4815/* Used for (D)TLS 1.2 and earlier versions (not with TLS 1.3). */
4816int
4817ssl_generate_keyring_material(SslDecryptSession*ssl_session)
4818{
4819 StringInfo key_block = { NULL((void*)0), 0 };
4820 uint8_t _iv_c[MAX_BLOCK_SIZE16],_iv_s[MAX_BLOCK_SIZE16];
4821 uint8_t _key_c[MAX_KEY_SIZE32],_key_s[MAX_KEY_SIZE32];
4822 int needed;
4823 int cipher_algo = -1; /* special value (-1) for NULL encryption */
4824 unsigned encr_key_len, write_iv_len = 0;
4825 bool_Bool is_export_cipher;
4826 uint8_t *ptr, *c_iv = NULL((void*)0), *s_iv = NULL((void*)0);
4827 uint8_t *c_wk = NULL((void*)0), *s_wk = NULL((void*)0), *c_mk = NULL((void*)0), *s_mk = NULL((void*)0);
4828 const SslCipherSuite *cipher_suite = ssl_session->cipher_suite;
4829
4830 /* (D)TLS 1.3 is handled directly in tls13_change_key. */
4831 if (ssl_session->session.version
7.1
Field 'version' is not equal to TLSV1DOT3_VERSION
 == TLSV1DOT3_VERSION0x304 || ssl_session->session.version == DTLSV1DOT3_VERSION0xfefc) {
8
Assuming field 'version' is not equal to DTLSV1DOT3_VERSION
9
Taking false branch
4832 ssl_debug_printf("%s: detected TLS 1.3. Should not have been called!\n", G_STRFUNC((const char*) (__func__)));
4833 return -1;
4834 }
4835
4836 /* check for enough info to proceed */
4837 unsigned need_all = SSL_CIPHER(1<<2)|SSL_CLIENT_RANDOM(1<<0)|SSL_SERVER_RANDOM(1<<1)|SSL_VERSION(1<<4);
4838 unsigned need_any = SSL_MASTER_SECRET(1<<5) | SSL_PRE_MASTER_SECRET(1<<6);
4839 if (((ssl_session->state & need_all) != need_all) || ((ssl_session->state & need_any) == 0)) {
10
Assuming the condition is false
11
Assuming the condition is false
12
Taking false branch
4840 ssl_debug_printf("ssl_generate_keyring_material not enough data to generate key "
4841 "(0x%02X required 0x%02X or 0x%02X)\n", ssl_session->state,
4842 need_all|SSL_MASTER_SECRET(1<<5), need_all|SSL_PRE_MASTER_SECRET(1<<6));
4843 /* Special case: for NULL encryption, allow dissection of data even if
4844 * the Client Hello is missing (MAC keys are now skipped though). */
4845 need_all = SSL_CIPHER(1<<2)|SSL_VERSION(1<<4);
4846 if ((ssl_session->state & need_all) == need_all &&
4847 cipher_suite->enc == ENC_NULL0x3D) {
4848 ssl_debug_printf("%s NULL cipher found, will create a decoder but "
4849 "skip MAC validation as keys are missing.\n", G_STRFUNC((const char*) (__func__)));
4850 goto create_decoders;
4851 }
4852
4853 return -1;
4854 }
4855
4856 /* if master key is not available, generate is from the pre-master secret */
4857 if (!(ssl_session->state & SSL_MASTER_SECRET(1<<5))) {
13
Assuming the condition is true
14
Taking true branch
4858 if ((ssl_session->state & SSL_EXTENDED_MASTER_SECRET_MASK((1<<7)|(1<<8))) == SSL_EXTENDED_MASTER_SECRET_MASK((1<<7)|(1<<8))) {
15
Assuming the condition is true
16
Taking true branch
4859 StringInfo handshake_hashed_data;
4860 int ret;
4861
4862 handshake_hashed_data.data = NULL((void*)0);
4863 handshake_hashed_data.data_len = 0;
4864
4865 ssl_debug_printf("%s:PRF(pre_master_secret_extended)\n", G_STRFUNC((const char*) (__func__)));
4866 ssl_print_string("pre master secret",&ssl_session->pre_master_secret);
4867 DISSECTOR_ASSERT(ssl_session->handshake_data.data_len > 0)((void) ((ssl_session->handshake_data.data_len > 0) ? (
void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\""
, "epan/dissectors/packet-tls-utils.c", 4867, "ssl_session->handshake_data.data_len > 0"
))));
17
Assuming field 'data_len' is > 0
18
'?' condition is true
4868
4869 switch(ssl_session->session.version) {
19
Control jumps to 'case 257:' at line 4874
4870 case TLSV1_VERSION0x301:
4871 case TLSV1DOT1_VERSION0x302:
4872 case DTLSV1DOT0_VERSION0xfeff:
4873 case DTLSV1DOT0_OPENSSL_VERSION0x100:
4874 case TLCPV1_VERSION0x101:
4875 ret = tls_handshake_hash(ssl_session, &handshake_hashed_data);
20
Calling 'tls_handshake_hash'
28
Returned allocated memory
4876 break;
4877 default:
4878 switch (cipher_suite->dig) {
4879 case DIG_SHA3840x43:
4880 ret = tls12_handshake_hash(ssl_session, GCRY_MD_SHA384, &handshake_hashed_data);
4881 break;
4882 default:
4883 ret = tls12_handshake_hash(ssl_session, GCRY_MD_SHA256, &handshake_hashed_data);
4884 break;
4885 }
4886 break;
4887 }
4888 if (ret
29.1
'ret' is -1
) {
29
 Execution continues on line 4888
30
Taking true branch
4889 ssl_debug_printf("%s can't generate handshake hash\n", G_STRFUNC((const char*) (__func__)));
31
Potential leak of memory pointed to by 'handshake_hashed_data.data'
4890 return -1;
4891 }
4892
4893 wmem_free(wmem_file_scope(), ssl_session->handshake_data.data);
4894 ssl_session->handshake_data.data = NULL((void*)0);
4895 ssl_session->handshake_data.data_len = 0;
4896
4897 if (!prf(ssl_session, &ssl_session->pre_master_secret, "extended master secret",
4898 &handshake_hashed_data,
4899 NULL((void*)0), &ssl_session->master_secret,
4900 SSL_MASTER_SECRET_LENGTH48)) {
4901 ssl_debug_printf("%s can't generate master_secret\n", G_STRFUNC((const char*) (__func__)));
4902 g_free(handshake_hashed_data.data);
4903 return -1;
4904 }
4905 g_free(handshake_hashed_data.data);
4906 } else {
4907 ssl_debug_printf("%s:PRF(pre_master_secret)\n", G_STRFUNC((const char*) (__func__)));
4908 ssl_print_string("pre master secret",&ssl_session->pre_master_secret);
4909 ssl_print_string("client random",&ssl_session->client_random);
4910 ssl_print_string("server random",&ssl_session->server_random);
4911 if (!prf(ssl_session, &ssl_session->pre_master_secret, "master secret",
4912 &ssl_session->client_random,
4913 &ssl_session->server_random, &ssl_session->master_secret,
4914 SSL_MASTER_SECRET_LENGTH48)) {
4915 ssl_debug_printf("%s can't generate master_secret\n", G_STRFUNC((const char*) (__func__)));
4916 return -1;
4917 }
4918 }
4919 ssl_print_string("master secret",&ssl_session->master_secret);
4920
4921 /* the pre-master secret has been 'consumed' so we must clear it now */
4922 ssl_session->state &= ~SSL_PRE_MASTER_SECRET(1<<6);
4923 ssl_session->state |= SSL_MASTER_SECRET(1<<5);
4924 }
4925
4926 /* Find the Libgcrypt cipher algorithm for the given SSL cipher suite ID */
4927 if (cipher_suite->enc != ENC_NULL0x3D) {
4928 const char *cipher_name = ciphers[cipher_suite->enc-ENC_START0x30];
4929 ssl_debug_printf("%s CIPHER: %s\n", G_STRFUNC((const char*) (__func__)), cipher_name);
4930 cipher_algo = ssl_get_cipher_by_name(cipher_name);
4931 if (cipher_algo == 0) {
4932 ssl_debug_printf("%s can't find cipher %s\n", G_STRFUNC((const char*) (__func__)), cipher_name);
4933 return -1;
4934 }
4935 }
4936
4937 /* Export ciphers consume less material from the key block. */
4938 encr_key_len = ssl_get_cipher_export_keymat_size(cipher_suite->number);
4939 is_export_cipher = encr_key_len > 0;
4940 if (!is_export_cipher && cipher_suite->enc != ENC_NULL0x3D) {
4941 encr_key_len = (unsigned)gcry_cipher_get_algo_keylen(cipher_algo);
4942 }
4943
4944 if (cipher_suite->mode == MODE_CBC) {
4945 write_iv_len = (unsigned)gcry_cipher_get_algo_blklen(cipher_algo);
4946 } else if (cipher_suite->mode == MODE_GCM || cipher_suite->mode == MODE_CCM || cipher_suite->mode == MODE_CCM_8) {
4947 /* account for a four-byte salt for client and server side (from
4948 * client_write_IV and server_write_IV), see GCMNonce (RFC 5288) */
4949 write_iv_len = 4;
4950 } else if (cipher_suite->mode == MODE_POLY1305) {
4951 /* RFC 7905: SecurityParameters.fixed_iv_length is twelve bytes */
4952 write_iv_len = 12;
4953 }
4954
4955 /* Compute the key block. First figure out how much data we need */
4956 needed = ssl_cipher_suite_dig(cipher_suite)->len*2; /* MAC key */
4957 needed += 2 * encr_key_len; /* encryption key */
4958 needed += 2 * write_iv_len; /* write IV */
4959
4960 key_block.data = (unsigned char *)g_malloc(needed);
4961 ssl_debug_printf("%s sess key generation\n", G_STRFUNC((const char*) (__func__)));
4962 if (!prf(ssl_session, &ssl_session->master_secret, "key expansion",
4963 &ssl_session->server_random,&ssl_session->client_random,
4964 &key_block, needed)) {
4965 ssl_debug_printf("%s can't generate key_block\n", G_STRFUNC((const char*) (__func__)));
4966 goto fail;
4967 }
4968 ssl_print_string("key expansion", &key_block);
4969
4970 ptr=key_block.data;
4971 /* client/server write MAC key (for non-AEAD ciphers) */
4972 if (cipher_suite->mode == MODE_STREAM || cipher_suite->mode == MODE_CBC) {
4973 c_mk=ptr; ptr+=ssl_cipher_suite_dig(cipher_suite)->len;
4974 s_mk=ptr; ptr+=ssl_cipher_suite_dig(cipher_suite)->len;
4975 }
4976 /* client/server write encryption key */
4977 c_wk=ptr; ptr += encr_key_len;
4978 s_wk=ptr; ptr += encr_key_len;
4979 /* client/server write IV (used as IV (for CBC) or salt (for AEAD)) */
4980 if (write_iv_len > 0) {
4981 c_iv=ptr; ptr += write_iv_len;
4982 s_iv=ptr; /* ptr += write_iv_len; */
4983 }
4984
4985 /* export ciphers work with a smaller key length */
4986 if (is_export_cipher) {
4987 if (cipher_suite->mode == MODE_CBC) {
4988
4989 /* We only have room for MAX_BLOCK_SIZE bytes IVs, but that's
4990 all we should need. This is a sanity check */
4991 if (write_iv_len > MAX_BLOCK_SIZE16) {
4992 ssl_debug_printf("%s cipher suite block must be at most %d nut is %d\n",
4993 G_STRFUNC((const char*) (__func__)), MAX_BLOCK_SIZE16, write_iv_len);
4994 goto fail;
4995 }
4996
4997 if(ssl_session->session.version==SSLV3_VERSION0x300){
4998 /* The length of these fields are ignored by this caller */
4999 StringInfo iv_c, iv_s;
5000 iv_c.data = _iv_c;
5001 iv_s.data = _iv_s;
5002
5003 ssl_debug_printf("%s ssl3_generate_export_iv\n", G_STRFUNC((const char*) (__func__)));
5004 if (!ssl3_generate_export_iv(&ssl_session->client_random,
5005 &ssl_session->server_random, &iv_c, write_iv_len)) {
5006 goto fail;
5007 }
5008 ssl_debug_printf("%s ssl3_generate_export_iv(2)\n", G_STRFUNC((const char*) (__func__)));
5009 if (!ssl3_generate_export_iv(&ssl_session->server_random,
5010 &ssl_session->client_random, &iv_s, write_iv_len)) {
5011 goto fail;
5012 }
5013 }
5014 else{
5015 uint8_t _iv_block[MAX_BLOCK_SIZE16 * 2];
5016 StringInfo iv_block;
5017 StringInfo key_null;
5018 uint8_t _key_null;
5019
5020 key_null.data = &_key_null;
5021 key_null.data_len = 0;
5022
5023 iv_block.data = _iv_block;
5024
5025 ssl_debug_printf("%s prf(iv_block)\n", G_STRFUNC((const char*) (__func__)));
5026 if (!prf(ssl_session, &key_null, "IV block",
5027 &ssl_session->client_random,
5028 &ssl_session->server_random, &iv_block,
5029 write_iv_len * 2)) {
5030 ssl_debug_printf("%s can't generate tls31 iv block\n", G_STRFUNC((const char*) (__func__)));
5031 goto fail;
5032 }
5033
5034 memcpy(_iv_c, iv_block.data, write_iv_len);
5035 memcpy(_iv_s, iv_block.data + write_iv_len, write_iv_len);
5036 }
5037
5038 c_iv=_iv_c;
5039 s_iv=_iv_s;
5040 }
5041
5042 if (ssl_session->session.version==SSLV3_VERSION0x300){
5043
5044 SSL_MD5_CTXgcry_md_hd_t md5;
5045 ssl_debug_printf("%s MD5(client_random)\n", G_STRFUNC((const char*) (__func__)));
5046
5047 if (ssl_md5_init(&md5) != 0)
5048 goto fail;
5049 ssl_md5_update(&md5,c_wk,encr_key_len);
5050 ssl_md5_update(&md5,ssl_session->client_random.data,
5051 ssl_session->client_random.data_len);
5052 ssl_md5_update(&md5,ssl_session->server_random.data,
5053 ssl_session->server_random.data_len);
5054 ssl_md5_final(_key_c,&md5);
5055 ssl_md5_cleanup(&md5);
5056 c_wk=_key_c;
5057
5058 if (ssl_md5_init(&md5) != 0)
5059 goto fail;
5060 ssl_debug_printf("%s MD5(server_random)\n", G_STRFUNC((const char*) (__func__)));
5061 ssl_md5_update(&md5,s_wk,encr_key_len);
5062 ssl_md5_update(&md5,ssl_session->server_random.data,
5063 ssl_session->server_random.data_len);
5064 ssl_md5_update(&md5,ssl_session->client_random.data,
5065 ssl_session->client_random.data_len);
5066 ssl_md5_final(_key_s,&md5);
5067 ssl_md5_cleanup(&md5);
5068 s_wk=_key_s;
5069 }
5070 else{
5071 StringInfo key_c, key_s, k;
5072 key_c.data = _key_c;
5073 key_s.data = _key_s;
5074
5075 k.data = c_wk;
5076 k.data_len = encr_key_len;
5077 ssl_debug_printf("%s PRF(key_c)\n", G_STRFUNC((const char*) (__func__)));
5078 if (!prf(ssl_session, &k, "client write key",
5079 &ssl_session->client_random,
5080 &ssl_session->server_random, &key_c, sizeof(_key_c))) {
5081 ssl_debug_printf("%s can't generate tll31 server key \n", G_STRFUNC((const char*) (__func__)));
5082 goto fail;
5083 }
5084 c_wk=_key_c;
5085
5086 k.data = s_wk;
5087 k.data_len = encr_key_len;
5088 ssl_debug_printf("%s PRF(key_s)\n", G_STRFUNC((const char*) (__func__)));
5089 if (!prf(ssl_session, &k, "server write key",
5090 &ssl_session->client_random,
5091 &ssl_session->server_random, &key_s, sizeof(_key_s))) {
5092 ssl_debug_printf("%s can't generate tll31 client key \n", G_STRFUNC((const char*) (__func__)));
5093 goto fail;
5094 }
5095 s_wk=_key_s;
5096 }
5097 }
5098
5099 /* show key material info */
5100 if (c_mk != NULL((void*)0)) {
5101 ssl_print_data("Client MAC key",c_mk,ssl_cipher_suite_dig(cipher_suite)->len);
5102 ssl_print_data("Server MAC key",s_mk,ssl_cipher_suite_dig(cipher_suite)->len);
5103 }
5104 ssl_print_data("Client Write key", c_wk, encr_key_len);
5105 ssl_print_data("Server Write key", s_wk, encr_key_len);
5106 /* used as IV for CBC mode and the AEAD implicit nonce (salt) */
5107 if (write_iv_len > 0) {
5108 ssl_print_data("Client Write IV", c_iv, write_iv_len);
5109 ssl_print_data("Server Write IV", s_iv, write_iv_len);
5110 }
5111
5112create_decoders:
5113 /* create both client and server ciphers*/
5114 ssl_debug_printf("%s ssl_create_decoder(client)\n", G_STRFUNC((const char*) (__func__)));
5115 ssl_session->client_new = ssl_create_decoder(cipher_suite, cipher_algo, ssl_session->session.compression, c_mk, c_wk, NULL((void*)0), c_iv, write_iv_len);
5116 if (!ssl_session->client_new) {
5117 ssl_debug_printf("%s can't init client decoder\n", G_STRFUNC((const char*) (__func__)));
5118 goto fail;
5119 }
5120 ssl_debug_printf("%s ssl_create_decoder(server)\n", G_STRFUNC((const char*) (__func__)));
5121 ssl_session->server_new = ssl_create_decoder(cipher_suite, cipher_algo, ssl_session->session.compression, s_mk, s_wk, NULL((void*)0), s_iv, write_iv_len);
5122 if (!ssl_session->server_new) {
5123 ssl_debug_printf("%s can't init server decoder\n", G_STRFUNC((const char*) (__func__)));
5124 goto fail;
5125 }
5126
5127 /* Continue the SSL stream after renegotiation with new keys. */
5128 ssl_session->client_new->flow = ssl_session->client ? ssl_session->client->flow : ssl_create_flow();
5129 ssl_session->server_new->flow = ssl_session->server ? ssl_session->server->flow : ssl_create_flow();
5130
5131 ssl_debug_printf("%s: client seq %" PRIu64"l" "u" ", server seq %" PRIu64"l" "u" "\n",
5132 G_STRFUNC((const char*) (__func__)), ssl_session->client_new->seq, ssl_session->server_new->seq);
5133 g_free(key_block.data);
5134 ssl_session->state |= SSL_HAVE_SESSION_KEY(1<<3);
5135 return 0;
5136
5137fail:
5138 g_free(key_block.data);
5139 return -1;
5140}
5141
5142/* Generated the key material based on the given secret. */
5143bool_Bool
5144tls13_generate_keys(SslDecryptSession *ssl_session, const StringInfo *secret, bool_Bool is_from_server)
5145{
5146 bool_Bool success = false0;
5147 unsigned char *write_key = NULL((void*)0), *write_iv = NULL((void*)0);
5148 unsigned char *sn_key = NULL((void*)0);
5149 SslDecoder *decoder;
5150 unsigned key_length, iv_length;
5151 int hash_algo;
5152 const SslCipherSuite *cipher_suite = ssl_session->cipher_suite;
5153 int cipher_algo;
5154
5155 if ((ssl_session->session.version != TLSV1DOT3_VERSION0x304) && (ssl_session->session.version != DTLSV1DOT3_VERSION0xfefc)) {
5156 ssl_debug_printf("%s only usable for TLS 1.3, not %#x!\n", G_STRFUNC((const char*) (__func__)),
5157 ssl_session->session.version);
5158 return false0;
5159 }
5160
5161 if (cipher_suite == NULL((void*)0)) {
5162 ssl_debug_printf("%s Unknown cipher\n", G_STRFUNC((const char*) (__func__)));
5163 return false0;
5164 }
5165
5166 if (cipher_suite->kex != KEX_TLS130x23) {
5167 ssl_debug_printf("%s Invalid cipher suite 0x%04x spotted!\n", G_STRFUNC((const char*) (__func__)), cipher_suite->number);
5168 return false0;
5169 }
5170
5171 /* Find the Libgcrypt cipher algorithm for the given SSL cipher suite ID */
5172 const char *cipher_name = ciphers[cipher_suite->enc-ENC_START0x30];
5173 ssl_debug_printf("%s CIPHER: %s\n", G_STRFUNC((const char*) (__func__)), cipher_name);
5174 cipher_algo = ssl_get_cipher_by_name(cipher_name);
5175 if (cipher_algo == 0) {
5176 ssl_debug_printf("%s can't find cipher %s\n", G_STRFUNC((const char*) (__func__)), cipher_name);
5177 return false0;
5178 }
5179
5180 const char *hash_name = ssl_cipher_suite_dig(cipher_suite)->name;
5181 hash_algo = ssl_get_digest_by_name(hash_name);
5182 if (!hash_algo) {
5183 ssl_debug_printf("%s can't find hash function %s\n", G_STRFUNC((const char*) (__func__)), hash_name);
5184 return false0;
5185 }
5186
5187 key_length = (unsigned) gcry_cipher_get_algo_keylen(cipher_algo);
5188 /* AES-GCM/AES-CCM/Poly1305-ChaCha20 all have N_MIN=N_MAX = 12. */
5189 iv_length = 12;
5190 ssl_debug_printf("%s key_length %u iv_length %u\n", G_STRFUNC((const char*) (__func__)), key_length, iv_length);
5191
5192 const char *label_prefix = tls13_hkdf_label_prefix(ssl_session);
5193 if (!tls13_hkdf_expand_label(hash_algo, secret, label_prefix, "key", key_length, &write_key)) {
5194 ssl_debug_printf("%s write_key expansion failed\n", G_STRFUNC((const char*) (__func__)));
5195 return false0;
5196 }
5197 if (!tls13_hkdf_expand_label(hash_algo, secret, label_prefix, "iv", iv_length, &write_iv)) {
5198 ssl_debug_printf("%s write_iv expansion failed\n", G_STRFUNC((const char*) (__func__)));
5199 goto end;
5200 }
5201
5202 if (ssl_session->session.version == DTLSV1DOT3_VERSION0xfefc) {
5203 if (!tls13_hkdf_expand_label(hash_algo, secret, label_prefix, "sn", key_length, &sn_key)) {
5204 ssl_debug_printf("%s sn_key expansion failed\n", G_STRFUNC((const char*) (__func__)));
5205 goto end;
5206 }
5207 }
5208
5209 ssl_print_data(is_from_server ? "Server Write Key" : "Client Write Key", write_key, key_length);
5210 ssl_print_data(is_from_server ? "Server Write IV" : "Client Write IV", write_iv, iv_length);
5211 if (ssl_session->session.version == DTLSV1DOT3_VERSION0xfefc) {
5212 ssl_print_data(is_from_server ? "Server Write SN" : "Client Write SN", sn_key, key_length);
5213 }
5214
5215 ssl_debug_printf("%s ssl_create_decoder(%s)\n", G_STRFUNC((const char*) (__func__)), is_from_server ? "server" : "client");
5216 decoder = ssl_create_decoder(cipher_suite, cipher_algo, 0, NULL((void*)0), write_key, sn_key, write_iv, iv_length);
5217 if (!decoder) {
5218 ssl_debug_printf("%s can't init %s decoder\n", G_STRFUNC((const char*) (__func__)), is_from_server ? "server" : "client");
5219 goto end;
5220 }
5221
5222 /* Continue the TLS session with new keys, but reuse old flow to keep things
5223 * like "Follow TLS" working (by linking application data records). */
5224 if (is_from_server) {
5225 decoder->flow = ssl_session->server ? ssl_session->server->flow : ssl_create_flow();
5226 ssl_session->server = decoder;
5227 } else {
5228 decoder->flow = ssl_session->client ? ssl_session->client->flow : ssl_create_flow();
5229 ssl_session->client = decoder;
5230 }
5231 ssl_debug_printf("%s %s ready using cipher suite 0x%04x (cipher %s hash %s)\n", G_STRFUNC((const char*) (__func__)),
5232 is_from_server ? "Server" : "Client", cipher_suite->number, cipher_name, hash_name);
5233 success = true1;
5234
5235end:
5236 wmem_free(NULL((void*)0), write_key);
5237 wmem_free(NULL((void*)0), write_iv);
5238 if (sn_key)
5239 wmem_free(NULL((void*)0), sn_key);
5240 return success;
5241}
5242/* (Pre-)master secrets calculations }}} */
5243
5244#ifdef HAVE_LIBGNUTLS1
5245/* Decrypt RSA pre-master secret using RSA private key. {{{ */
5246static bool_Bool
5247ssl_decrypt_pre_master_secret(SslDecryptSession *ssl_session,
5248 StringInfo *encrypted_pre_master, GHashTable *key_hash)
5249{
5250 int ret;
5251
5252 if (!encrypted_pre_master)
5253 return false0;
5254
5255 if (KEX_IS_DH(ssl_session->cipher_suite->kex)((ssl_session->cipher_suite->kex) >= 0x10 &&
(ssl_session->cipher_suite->kex) <= 0x1b)) {
5256 ssl_debug_printf("%s: session uses Diffie-Hellman key exchange "
5257 "(cipher suite 0x%04X %s) and cannot be decrypted "
5258 "using a RSA private key file.\n",
5259 G_STRFUNC((const char*) (__func__)), ssl_session->session.cipher,
5260 val_to_str_ext_const(ssl_session->session.cipher,
5261 &ssl_31_ciphersuite_ext, "unknown"));
5262 return false0;
5263 } else if (ssl_session->cipher_suite->kex != KEX_RSA0x1e) {
5264 ssl_debug_printf("%s key exchange %d different from KEX_RSA (%d)\n",
5265 G_STRFUNC((const char*) (__func__)), ssl_session->cipher_suite->kex, KEX_RSA0x1e);
5266 return false0;
5267 }
5268
5269 gnutls_privkey_t pk = (gnutls_privkey_t)g_hash_table_lookup(key_hash, ssl_session->cert_key_id);
5270
5271 ssl_print_string("pre master encrypted", encrypted_pre_master);
5272 ssl_debug_printf("%s: RSA_private_decrypt\n", G_STRFUNC((const char*) (__func__)));
5273 const gnutls_datum_t epms = { encrypted_pre_master->data, encrypted_pre_master->data_len };
5274 gnutls_datum_t pms = { 0 };
5275 if (pk) {
5276 // Try to decrypt using the RSA keys table from (D)TLS preferences.
5277 ret = gnutls_privkey_decrypt_data(pk, 0, &epms, &pms);
5278 } else {
5279 // Try to decrypt using a hardware token.
5280 ret = secrets_rsa_decrypt(ssl_session->cert_key_id, epms.data, epms.size, &pms.data, &pms.size);
5281 }
5282 if (ret < 0) {
5283 ssl_debug_printf("%s: decryption failed: %d (%s)\n", G_STRFUNC((const char*) (__func__)), ret, gnutls_strerror(ret));
5284 return false0;
5285 }
5286
5287 if (pms.size != 48) {
5288 ssl_debug_printf("%s wrong pre_master_secret length (%d, expected %d)\n",
5289 G_STRFUNC((const char*) (__func__)), pms.size, 48);
5290 if (pk) {
5291 gnutls_free(pms.data);
5292 } else {
5293 g_free(pms.data);
5294 }
5295 return false0;
5296 }
5297
5298 ssl_session->pre_master_secret.data = (uint8_t *)wmem_memdup(wmem_file_scope(), pms.data, 48);
5299 ssl_session->pre_master_secret.data_len = 48;
5300 if (pk) {
5301 gnutls_free(pms.data);
5302 } else {
5303 g_free(pms.data);
5304 }
5305 ssl_print_string("pre master secret", &ssl_session->pre_master_secret);
5306
5307 /* Remove the master secret if it was there.
5308 This forces keying material regeneration in
5309 case we're renegotiating */
5310 ssl_session->state &= ~(SSL_MASTER_SECRET(1<<5)|SSL_HAVE_SESSION_KEY(1<<3));
5311 ssl_session->state |= SSL_PRE_MASTER_SECRET(1<<6);
5312 return true1;
5313} /* }}} */
5314#endif /* HAVE_LIBGNUTLS */
5315
5316/* Decryption integrity check {{{ */
5317
5318static int
5319tls_check_mac(SslDecoder*decoder, int ct, int ver, uint8_t* data,
5320 uint32_t datalen, uint8_t* mac)
5321{
5322 SSL_HMACgcry_md_hd_t hm;
5323 int md;
5324 uint32_t len;
5325 uint8_t buf[DIGEST_MAX_SIZE48];
5326 int16_t temp;
5327
5328 md=ssl_get_digest_by_name(ssl_cipher_suite_dig(decoder->cipher_suite)->name);
5329 ssl_debug_printf("tls_check_mac mac type:%s md %d\n",
5330 ssl_cipher_suite_dig(decoder->cipher_suite)->name, md);
5331
5332 if (ssl_hmac_init(&hm,md) != 0)
5333 return -1;
5334 if (ssl_hmac_setkey(&hm,decoder->mac_key.data,decoder->mac_key.data_len) != 0)
5335 return -1;
5336
5337 /* hash sequence number */
5338 phtonu64(buf, decoder->seq);
5339
5340 decoder->seq++;
5341
5342 ssl_hmac_update(&hm,buf,8);
5343
5344 /* hash content type */
5345 buf[0]=ct;
5346 ssl_hmac_update(&hm,buf,1);
5347
5348 /* hash version,data length and data*/
5349 /* *((int16_t*)buf) = g_htons(ver); */
5350 temp = g_htons(ver)(((((guint16) ( (guint16) ((guint16) (ver) >> 8) | (guint16
) ((guint16) (ver) << 8))))));
5351 memcpy(buf, &temp, 2);
5352 ssl_hmac_update(&hm,buf,2);
5353
5354 /* *((int16_t*)buf) = g_htons(datalen); */
5355 temp = g_htons(datalen)(((((guint16) ( (guint16) ((guint16) (datalen) >> 8) | (
guint16) ((guint16) (datalen) << 8))))));
5356 memcpy(buf, &temp, 2);
5357 ssl_hmac_update(&hm,buf,2);
5358 ssl_hmac_update(&hm,data,datalen);
5359
5360 /* get digest and digest len*/
5361 len = sizeof(buf);
5362 ssl_hmac_final(&hm,buf,&len);
5363 ssl_hmac_cleanup(&hm);
5364 ssl_print_data("Mac", buf, len);
5365 if(memcmp(mac,buf,len))
5366 return -1;
5367
5368 return 0;
5369}
5370
5371static int
5372ssl3_check_mac(SslDecoder*decoder,int ct,uint8_t* data,
5373 uint32_t datalen, uint8_t* mac)
5374{
5375 SSL_MDgcry_md_hd_t mc;
5376 int md;
5377 uint32_t len;
5378 uint8_t buf[64],dgst[20];
5379 int pad_ct;
5380 int16_t temp;
5381
5382 pad_ct=(decoder->cipher_suite->dig==DIG_SHA0x41)?40:48;
5383
5384 /* get cipher used for digest computation */
5385 md=ssl_get_digest_by_name(ssl_cipher_suite_dig(decoder->cipher_suite)->name);
5386 if (ssl_md_init(&mc,md) !=0)
5387 return -1;
5388
5389 /* do hash computation on data && padding */
5390 ssl_md_update(&mc,decoder->mac_key.data,decoder->mac_key.data_len);
5391
5392 /* hash padding*/
5393 memset(buf,0x36,pad_ct);
5394 ssl_md_update(&mc,buf,pad_ct);
5395
5396 /* hash sequence number */
5397 phtonu64(buf, decoder->seq);
5398 decoder->seq++;
5399 ssl_md_update(&mc,buf,8);
5400
5401 /* hash content type */
5402 buf[0]=ct;
5403 ssl_md_update(&mc,buf,1);
5404
5405 /* hash data length in network byte order and data*/
5406 /* *((int16_t* )buf) = g_htons(datalen); */
5407 temp = g_htons(datalen)(((((guint16) ( (guint16) ((guint16) (datalen) >> 8) | (
guint16) ((guint16) (datalen) << 8))))));
5408 memcpy(buf, &temp, 2);
5409 ssl_md_update(&mc,buf,2);
5410 ssl_md_update(&mc,data,datalen);
5411
5412 /* get partial digest */
5413 ssl_md_final(&mc,dgst,&len);
5414 ssl_md_reset(&mc);
5415
5416 /* hash mac key */
5417 ssl_md_update(&mc,decoder->mac_key.data,decoder->mac_key.data_len);
5418
5419 /* hash padding and partial digest*/
5420 memset(buf,0x5c,pad_ct);
5421 ssl_md_update(&mc,buf,pad_ct);
5422 ssl_md_update(&mc,dgst,len);
5423
5424 ssl_md_final(&mc,dgst,&len);
5425 ssl_md_cleanup(&mc);
5426
5427 if(memcmp(mac,dgst,len))
5428 return -1;
5429
5430 return 0;
5431}
5432
5433static int
5434dtls_check_mac(SslDecryptSession *ssl, SslDecoder*decoder, int ct, uint8_t* data,
5435 uint32_t datalen, uint8_t* mac, const unsigned char *cid, uint8_t cidl)
5436{
5437 SSL_HMACgcry_md_hd_t hm;
5438 int md;
5439 uint32_t len;
5440 uint8_t buf[DIGEST_MAX_SIZE48];
5441 int16_t temp;
5442
5443 int ver = ssl->session.version;
5444 bool_Bool is_cid = ((ct == SSL_ID_TLS12_CID) && (ver == DTLSV1DOT2_VERSION0xfefd));
5445
5446 md=ssl_get_digest_by_name(ssl_cipher_suite_dig(decoder->cipher_suite)->name);
5447 ssl_debug_printf("dtls_check_mac mac type:%s md %d\n",
5448 ssl_cipher_suite_dig(decoder->cipher_suite)->name, md);
5449
5450 if (ssl_hmac_init(&hm,md) != 0)
5451 return -1;
5452 if (ssl_hmac_setkey(&hm,decoder->mac_key.data,decoder->mac_key.data_len) != 0)
5453 return -1;
5454
5455 ssl_debug_printf("dtls_check_mac seq: %" PRIu64"l" "u" " epoch: %d\n",decoder->seq,decoder->epoch);
5456
5457 if (is_cid && !ssl->session.deprecated_cid) {
5458 /* hash seq num placeholder */
5459 memset(buf,0xFF,8);
5460 ssl_hmac_update(&hm,buf,8);
5461
5462 /* hash content type + cid length + content type */
5463 buf[0]=ct;
5464 buf[1]=cidl;
5465 buf[2]=ct;
5466 ssl_hmac_update(&hm,buf,3);
5467
5468 /* hash version */
5469 temp = g_htons(ver)(((((guint16) ( (guint16) ((guint16) (ver) >> 8) | (guint16
) ((guint16) (ver) << 8))))));
5470 memcpy(buf, &temp, 2);
5471 ssl_hmac_update(&hm,buf,2);
5472
5473 /* hash sequence number */
5474 phtonu64(buf, decoder->seq);
5475 buf[0]=decoder->epoch>>8;
5476 buf[1]=(uint8_t)decoder->epoch;
5477 ssl_hmac_update(&hm,buf,8);
5478
5479 /* hash cid */
5480 ssl_hmac_update(&hm,cid,cidl);
5481 } else {
5482 /* hash sequence number */
5483 phtonu64(buf, decoder->seq);
5484 buf[0]=decoder->epoch>>8;
5485 buf[1]=(uint8_t)decoder->epoch;
5486 ssl_hmac_update(&hm,buf,8);
5487
5488 /* hash content type */
5489 buf[0]=ct;
5490 ssl_hmac_update(&hm,buf,1);
5491
5492 /* hash version */
5493 temp = g_htons(ver)(((((guint16) ( (guint16) ((guint16) (ver) >> 8) | (guint16
) ((guint16) (ver) << 8))))));
5494 memcpy(buf, &temp, 2);
5495 ssl_hmac_update(&hm,buf,2);
5496
5497 if (is_cid && ssl->session.deprecated_cid) {
5498 /* hash cid */
5499 ssl_hmac_update(&hm,cid,cidl);
5500
5501 /* hash cid length */
5502 buf[0] = cidl;
5503 ssl_hmac_update(&hm,buf,1);
5504 }
5505 }
5506
5507 /* data length and data */
5508 temp = g_htons(datalen)(((((guint16) ( (guint16) ((guint16) (datalen) >> 8) | (
guint16) ((guint16) (datalen) << 8))))));
5509 memcpy(buf, &temp, 2);
5510 ssl_hmac_update(&hm,buf,2);
5511 ssl_hmac_update(&hm,data,datalen);
5512
5513 /* get digest and digest len */
5514 len = sizeof(buf);
5515 ssl_hmac_final(&hm,buf,&len);
5516 ssl_hmac_cleanup(&hm);
5517 ssl_print_data("Mac", buf, len);
5518 if(memcmp(mac,buf,len))
5519 return -1;
5520
5521 return 0;
5522}
5523/* Decryption integrity check }}} */
5524
5525
5526static bool_Bool
5527tls_decrypt_aead_record(wmem_allocator_t* allocator, SslDecryptSession *ssl, SslDecoder *decoder,
5528 uint8_t ct, uint16_t record_version,
5529 bool_Bool ignore_mac_failed,
5530 const unsigned char *in, uint16_t inl,
5531 const unsigned char *cid, uint8_t cidl,
5532 StringInfo *out_str, unsigned *outl)
5533{
5534 /* RFC 5246 (TLS 1.2) 6.2.3.3 defines the TLSCipherText.fragment as:
5535 * GenericAEADCipher: { nonce_explicit, [content] }
5536 * In TLS 1.3 this explicit nonce is gone.
5537 * With AES GCM/CCM, "[content]" is actually the concatenation of the
5538 * ciphertext and authentication tag.
5539 */
5540 const uint16_t version = ssl->session.version;
5541 const bool_Bool is_v12 = version == TLSV1DOT2_VERSION0x303 || version == DTLSV1DOT2_VERSION0xfefd || version == TLCPV1_VERSION0x101;
5542 gcry_error_t err;
5543 const unsigned char *explicit_nonce = NULL((void*)0), *ciphertext;
5544 unsigned ciphertext_len, auth_tag_len;
5545 unsigned char nonce[12];
5546 const ssl_cipher_mode_t cipher_mode = decoder->cipher_suite->mode;
5547 const bool_Bool is_cid = ct == SSL_ID_TLS12_CID && version == DTLSV1DOT2_VERSION0xfefd;
5548 const uint8_t draft_version = ssl->session.tls13_draft_version;
5549 const unsigned char *auth_tag_wire;
5550 unsigned char auth_tag_calc[16];
5551 unsigned char *aad = NULL((void*)0);
5552 unsigned aad_len = 0;
5553
5554 switch (cipher_mode) {
5555 case MODE_GCM:
5556 case MODE_CCM:
5557 case MODE_POLY1305:
5558 auth_tag_len = 16;
5559 break;
5560 case MODE_CCM_8:
5561 auth_tag_len = 8;
5562 break;
5563 default:
5564 ssl_debug_printf("%s unsupported cipher!\n", G_STRFUNC((const char*) (__func__)));
5565 return false0;
5566 }
5567
5568 /* Parse input into explicit nonce (TLS 1.2 only), ciphertext and tag. */
5569 if (is_v12 && cipher_mode != MODE_POLY1305) {
5570 if (inl < EXPLICIT_NONCE_LEN8 + auth_tag_len) {
5571 ssl_debug_printf("%s input %d is too small for explicit nonce %d and auth tag %d\n",
5572 G_STRFUNC((const char*) (__func__)), inl, EXPLICIT_NONCE_LEN8, auth_tag_len);
5573 return false0;
5574 }
5575 explicit_nonce = in;
5576 ciphertext = explicit_nonce + EXPLICIT_NONCE_LEN8;
5577 ciphertext_len = inl - EXPLICIT_NONCE_LEN8 - auth_tag_len;
5578 } else if (version == TLSV1DOT3_VERSION0x304 || version == DTLSV1DOT3_VERSION0xfefc || cipher_mode == MODE_POLY1305) {
5579 if (inl < auth_tag_len) {
5580 ssl_debug_printf("%s input %d has no space for auth tag %d\n", G_STRFUNC((const char*) (__func__)), inl, auth_tag_len);
5581 return false0;
5582 }
5583 ciphertext = in;
5584 ciphertext_len = inl - auth_tag_len;
5585 } else {
5586 ssl_debug_printf("%s Unexpected TLS version %#x\n", G_STRFUNC((const char*) (__func__)), version);
5587 return false0;
5588 }
5589 auth_tag_wire = ciphertext + ciphertext_len;
5590
5591 /*
5592 * Nonce construction is version-specific. Note that AEAD_CHACHA20_POLY1305
5593 * (RFC 7905) uses a nonce construction similar to TLS 1.3.
5594 */
5595 if (is_v12 && cipher_mode != MODE_POLY1305) {
5596 DISSECTOR_ASSERT(decoder->write_iv.data_len == IMPLICIT_NONCE_LEN)((void) ((decoder->write_iv.data_len == 4) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 5596, "decoder->write_iv.data_len == 4"))));
5597 /* Implicit (4) and explicit (8) part of nonce. */
5598 memcpy(nonce, decoder->write_iv.data, IMPLICIT_NONCE_LEN4);
5599 memcpy(nonce + IMPLICIT_NONCE_LEN4, explicit_nonce, EXPLICIT_NONCE_LEN8);
5600
5601 } else if (version == TLSV1DOT3_VERSION0x304 || version == DTLSV1DOT3_VERSION0xfefc || cipher_mode == MODE_POLY1305) {
5602 /*
5603 * Technically the nonce length must be at least 8 bytes, but for
5604 * AES-GCM, AES-CCM and Poly1305-ChaCha20 the nonce length is exact 12.
5605 */
5606 const unsigned nonce_len = 12;
5607 DISSECTOR_ASSERT(decoder->write_iv.data_len == nonce_len)((void) ((decoder->write_iv.data_len == nonce_len) ? (void
)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\""
, "epan/dissectors/packet-tls-utils.c", 5607, "decoder->write_iv.data_len == nonce_len"
))));
5608 memcpy(nonce, decoder->write_iv.data, decoder->write_iv.data_len);
5609 /* Sequence number is left-padded with zeroes and XORed with write_iv */
5610 phtonu64(nonce + nonce_len - 8, pntohu64(nonce + nonce_len - 8) ^ decoder->seq);
5611 ssl_debug_printf("%s seq %" PRIu64"l" "u" "\n", G_STRFUNC((const char*) (__func__)), decoder->seq);
5612 }
5613
5614 /* Set nonce and additional authentication data */
5615 gcry_cipher_reset(decoder->evp)gcry_cipher_ctl ((decoder->evp), GCRYCTL_RESET, ((void*)0)
, 0);
5616 ssl_print_data("nonce", nonce, 12);
5617 err = gcry_cipher_setiv(decoder->evp, nonce, 12);
5618 if (err) {
5619 ssl_debug_printf("%s failed to set nonce: %s\n", G_STRFUNC((const char*) (__func__)), gcry_strerror(err));
5620 return false0;
5621 }
5622
5623 /* (D)TLS 1.2 needs specific AAD, TLS 1.3 (before -25) uses empty AAD. */
5624 if (is_cid) { /* if connection ID */
5625 if (ssl->session.deprecated_cid) {
5626 aad_len = 14 + cidl;
5627 aad = wmem_alloc(allocator, aad_len);
5628 phtonu64(aad, decoder->seq); /* record sequence number */
5629 phtonu16(aad, decoder->epoch); /* DTLS 1.2 includes epoch. */
5630 aad[8] = ct; /* TLSCompressed.type */
5631 phtonu16(aad + 9, record_version); /* TLSCompressed.version */
5632 memcpy(aad + 11, cid, cidl); /* cid */
5633 aad[11 + cidl] = cidl; /* cid_length */
5634 phtonu16(aad + 12 + cidl, ciphertext_len); /* TLSCompressed.length */
5635 } else {
5636 aad_len = 23 + cidl;
5637 aad = wmem_alloc(allocator, aad_len);
5638 memset(aad, 0xFF, 8); /* seq_num_placeholder */
5639 aad[8] = ct; /* TLSCompressed.type */
5640 aad[9] = cidl; /* cid_length */
5641 aad[10] = ct; /* TLSCompressed.type */
5642 phtonu16(aad + 11, record_version); /* TLSCompressed.version */
5643 phtonu64(aad + 13, decoder->seq); /* record sequence number */
5644 phtonu16(aad + 13, decoder->epoch); /* DTLS 1.2 includes epoch. */
5645 memcpy(aad + 21, cid, cidl); /* cid */
5646 phtonu16(aad + 21 + cidl, ciphertext_len); /* TLSCompressed.length */
5647 }
5648 } else if (is_v12) {
5649 aad_len = 13;
5650 aad = wmem_alloc(allocator, aad_len);
5651 phtonu64(aad, decoder->seq); /* record sequence number */
5652 if (version == DTLSV1DOT2_VERSION0xfefd) {
5653 phtonu16(aad, decoder->epoch); /* DTLS 1.2 includes epoch. */
5654 }
5655 aad[8] = ct; /* TLSCompressed.type */
5656 phtonu16(aad + 9, record_version); /* TLSCompressed.version */
5657 phtonu16(aad + 11, ciphertext_len); /* TLSCompressed.length */
5658 } else if (version == DTLSV1DOT3_VERSION0xfefc) {
5659 aad_len = decoder->dtls13_aad.data_len;
5660 aad = decoder->dtls13_aad.data;
5661 } else if (draft_version >= 25 || draft_version == 0) {
5662 aad_len = 5;
5663 aad = wmem_alloc(allocator, aad_len);
5664 aad[0] = ct; /* TLSCiphertext.opaque_type (23) */
5665 phtonu16(aad + 1, record_version); /* TLSCiphertext.legacy_record_version (0x0303) */
5666 phtonu16(aad + 3, inl); /* TLSCiphertext.length */
5667 }
5668
5669 if (decoder->cipher_suite->mode == MODE_CCM || decoder->cipher_suite->mode == MODE_CCM_8) {
5670 /* size of plaintext, additional authenticated data and auth tag. */
5671 uint64_t lengths[3] = { ciphertext_len, aad_len, auth_tag_len };
5672
5673 gcry_cipher_ctl(decoder->evp, GCRYCTL_SET_CCM_LENGTHS, lengths, sizeof(lengths));
5674 }
5675
5676 if (aad && aad_len > 0) {
5677 ssl_print_data("AAD", aad, aad_len);
5678 err = gcry_cipher_authenticate(decoder->evp, aad, aad_len);
5679 if (err) {
5680 ssl_debug_printf("%s failed to set AAD: %s\n", G_STRFUNC((const char*) (__func__)), gcry_strerror(err));
5681 return false0;
5682 }
5683 }
5684
5685 /* Decrypt now that nonce and AAD are set. */
5686 err = gcry_cipher_decrypt(decoder->evp, out_str->data, out_str->data_len, ciphertext, ciphertext_len);
5687 if (err) {
5688 ssl_debug_printf("%s decrypt failed: %s\n", G_STRFUNC((const char*) (__func__)), gcry_strerror(err));
5689 return false0;
5690 }
5691
5692 /* Check authentication tag for authenticity (replaces MAC) */
5693 err = gcry_cipher_gettag(decoder->evp, auth_tag_calc, auth_tag_len);
5694 if (err == 0 && !memcmp(auth_tag_calc, auth_tag_wire, auth_tag_len)) {
5695 ssl_print_data("auth_tag(OK)", auth_tag_calc, auth_tag_len);
5696 } else {
5697 if (err) {
5698 ssl_debug_printf("%s cannot obtain tag: %s\n", G_STRFUNC((const char*) (__func__)), gcry_strerror(err));
5699 } else {
5700 ssl_debug_printf("%s auth tag mismatch\n", G_STRFUNC((const char*) (__func__)));
5701 ssl_print_data("auth_tag(expect)", auth_tag_calc, auth_tag_len);
5702 ssl_print_data("auth_tag(actual)", auth_tag_wire, auth_tag_len);
5703 }
5704 if (ignore_mac_failed) {
5705 ssl_debug_printf("%s: auth check failed, but ignored for troubleshooting ;-)\n", G_STRFUNC((const char*) (__func__)));
5706 } else {
5707 return false0;
5708 }
5709 }
5710
5711 /*
5712 * Increment the (implicit) sequence number for TLS 1.2/1.3 and TLCP 1.1. This is done
5713 * after successful authentication to ensure that early data is skipped when
5714 * CLIENT_EARLY_TRAFFIC_SECRET keys are unavailable.
5715 */
5716 if (version == TLSV1DOT2_VERSION0x303 || version == TLSV1DOT3_VERSION0x304 || version == TLCPV1_VERSION0x101) {
5717 decoder->seq++;
5718 }
5719
5720 ssl_print_data("Plaintext", out_str->data, ciphertext_len);
5721 *outl = ciphertext_len;
5722 return true1;
5723}
5724
5725/* Record decryption glue based on security parameters {{{ */
5726/* Assume that we are called only for a non-NULL decoder which also means that
5727 * we have a non-NULL decoder->cipher_suite. */
5728int
5729ssl_decrypt_record(wmem_allocator_t* allocator, SslDecryptSession *ssl, SslDecoder *decoder, uint8_t ct, uint16_t record_version,
5730 bool_Bool ignore_mac_failed,
5731 const unsigned char *in, uint16_t inl, const unsigned char *cid, uint8_t cidl,
5732 StringInfo *comp_str, StringInfo *out_str, unsigned *outl)
5733{
5734 unsigned pad, worklen, uncomplen, maclen, mac_fraglen = 0;
5735 uint8_t *mac = NULL((void*)0), *mac_frag = NULL((void*)0);
5736
5737 ssl_debug_printf("ssl_decrypt_record ciphertext len %d\n", inl);
5738 ssl_print_data("Ciphertext",in, inl);
5739
5740 if (((ssl->session.version == TLSV1DOT3_VERSION0x304 || ssl->session.version == DTLSV1DOT3_VERSION0xfefc))
5741 != (decoder->cipher_suite->kex == KEX_TLS130x23)) {
5742 ssl_debug_printf("%s Invalid cipher suite for the protocol version!\n", G_STRFUNC((const char*) (__func__)));
5743 return -1;
5744 }
5745
5746 /* ensure we have enough storage space for decrypted data */
5747 if (inl > out_str->data_len)
5748 {
5749 ssl_debug_printf("ssl_decrypt_record: allocating %d bytes for decrypt data (old len %d)\n",
5750 inl + 32, out_str->data_len);
5751 ssl_data_realloc(out_str, inl + 32);
5752 }
5753
5754 /* AEAD ciphers (GenericAEADCipher in TLS 1.2; TLS 1.3) have no padding nor
5755 * a separate MAC, so use a different routine for simplicity. */
5756 if (decoder->cipher_suite->mode == MODE_GCM ||
5757 decoder->cipher_suite->mode == MODE_CCM ||
5758 decoder->cipher_suite->mode == MODE_CCM_8 ||
5759 decoder->cipher_suite->mode == MODE_POLY1305 ||
5760 ssl->session.version == TLSV1DOT3_VERSION0x304 ||
5761 ssl->session.version == DTLSV1DOT3_VERSION0xfefc) {
5762
5763 if (!tls_decrypt_aead_record(allocator, ssl, decoder, ct, record_version, ignore_mac_failed, in, inl, cid, cidl, out_str, &worklen)) {
5764 /* decryption failed */
5765 return -1;
5766 }
5767
5768 goto skip_mac;
5769 }
5770
5771 /* RFC 6101/2246: SSLCipherText/TLSCipherText has two structures for types:
5772 * (notation: { unencrypted, [ encrypted ] })
5773 * GenericStreamCipher: { [content, mac] }
5774 * GenericBlockCipher: { IV (TLS 1.1+), [content, mac, padding, padding_len] }
5775 * RFC 5426 (TLS 1.2): TLSCipherText has additionally:
5776 * GenericAEADCipher: { nonce_explicit, [content] }
5777 * RFC 4347 (DTLS): based on TLS 1.1, only GenericBlockCipher is supported.
5778 * RFC 6347 (DTLS 1.2): based on TLS 1.2, includes GenericAEADCipher too.
5779 */
5780
5781 maclen = ssl_cipher_suite_dig(decoder->cipher_suite)->len;
5782
5783 /* (TLS 1.1 and later, DTLS) Extract explicit IV for GenericBlockCipher */
5784 if (decoder->cipher_suite->mode == MODE_CBC) {
5785 unsigned blocksize = 0;
5786
5787 switch (ssl->session.version) {
5788 case TLSV1DOT1_VERSION0x302:
5789 case TLSV1DOT2_VERSION0x303:
5790 case DTLSV1DOT0_VERSION0xfeff:
5791 case DTLSV1DOT2_VERSION0xfefd:
5792 case DTLSV1DOT3_VERSION0xfefc:
5793 case DTLSV1DOT0_OPENSSL_VERSION0x100:
5794 case TLCPV1_VERSION0x101:
5795 blocksize = ssl_get_cipher_blocksize(decoder->cipher_suite);
5796 if (inl < blocksize) {
5797 ssl_debug_printf("ssl_decrypt_record failed: input %d has no space for IV %d\n",
5798 inl, blocksize);
5799 return -1;
5800 }
5801 pad = gcry_cipher_setiv(decoder->evp, in, blocksize);
5802 if (pad != 0) {
5803 ssl_debug_printf("ssl_decrypt_record failed: failed to set IV: %s %s\n",
5804 gcry_strsource (pad), gcry_strerror (pad));
5805 }
5806
5807 inl -= blocksize;
5808 in += blocksize;
5809 break;
5810 }
5811
5812 /* Encrypt-then-MAC for (D)TLS (RFC 7366) */
5813 if (ssl->state & SSL_ENCRYPT_THEN_MAC(1<<11)) {
5814 /*
5815 * MAC is calculated over (IV + ) ENCRYPTED contents:
5816 *
5817 * MAC(MAC_write_key, ... +
5818 * IV + // for TLS 1.1 or greater
5819 * TLSCiphertext.enc_content);
5820 */
5821 if (inl < maclen) {
5822 ssl_debug_printf("%s failed: input %d has no space for MAC %d\n",
5823 G_STRFUNC((const char*) (__func__)), inl, maclen);
5824 return -1;
5825 }
5826 inl -= maclen;
5827 mac = (uint8_t *)in + inl;
5828 mac_frag = (uint8_t *)in - blocksize;
5829 mac_fraglen = blocksize + inl;
5830 }
5831 }
5832
5833 /* First decrypt*/
5834 if ((pad = ssl_cipher_decrypt(&decoder->evp, out_str->data, out_str->data_len, in, inl)) != 0) {
5835 ssl_debug_printf("ssl_decrypt_record failed: ssl_cipher_decrypt: %s %s\n", gcry_strsource (pad),
5836 gcry_strerror (pad));
5837 return -1;
5838 }
5839
5840 ssl_print_data("Plaintext", out_str->data, inl);
5841 worklen=inl;
5842
5843
5844 /* strip padding for GenericBlockCipher */
5845 if (decoder->cipher_suite->mode == MODE_CBC) {
5846 if (inl < 1) { /* Should this check happen earlier? */
5847 ssl_debug_printf("ssl_decrypt_record failed: input length %d too small\n", inl);
5848 return -1;
5849 }
5850 pad=out_str->data[inl-1];
5851 if (worklen <= pad) {
5852 ssl_debug_printf("ssl_decrypt_record failed: padding %d too large for work %d\n",
5853 pad, worklen);
5854 return -1;
5855 }
5856 worklen-=(pad+1);
5857 ssl_debug_printf("ssl_decrypt_record found padding %d final len %d\n",
5858 pad, worklen);
5859 }
5860
5861 /* MAC for GenericStreamCipher and GenericBlockCipher.
5862 * (normal case without Encrypt-then-MAC (RFC 7366) extension. */
5863 if (!mac) {
5864 /*
5865 * MAC is calculated over the DECRYPTED contents:
5866 *
5867 * MAC(MAC_write_key, ... + TLSCompressed.fragment);
5868 */
5869 if (worklen < maclen) {
5870 ssl_debug_printf("%s wrong record len/padding outlen %d\n work %d\n", G_STRFUNC((const char*) (__func__)), *outl, worklen);
5871 return -1;
5872 }
5873 worklen -= maclen;
5874 mac = out_str->data + worklen;
5875 mac_frag = out_str->data;
5876 mac_fraglen = worklen;
5877 }
5878
5879 /* If NULL encryption active and no keys are available, do not bother
5880 * checking the MAC. We do not have keys for that. */
5881 if (decoder->cipher_suite->mode == MODE_STREAM &&
5882 decoder->cipher_suite->enc == ENC_NULL0x3D &&
5883 !(ssl->state & SSL_MASTER_SECRET(1<<5))) {
5884 ssl_debug_printf("MAC check skipped due to missing keys\n");
5885 decoder->seq++; // Increment this for display
5886 goto skip_mac;
5887 }
5888
5889 /* Now check the MAC */
5890 ssl_debug_printf("checking mac (len %d, version %X, ct %d seq %" PRIu64"l" "u" ")\n",
5891 worklen, ssl->session.version, ct, decoder->seq);
5892 if(ssl->session.version==SSLV3_VERSION0x300){
5893 if(ssl3_check_mac(decoder,ct,mac_frag,mac_fraglen,mac) < 0) {
5894 if(ignore_mac_failed) {
5895 ssl_debug_printf("ssl_decrypt_record: mac failed, but ignored for troubleshooting ;-)\n");
5896 }
5897 else{
5898 ssl_debug_printf("ssl_decrypt_record: mac failed\n");
5899 return -1;
5900 }
5901 }
5902 else{
5903 ssl_debug_printf("ssl_decrypt_record: mac ok\n");
5904 }
5905 }
5906 else if(ssl->session.version==TLSV1_VERSION0x301 || ssl->session.version==TLSV1DOT1_VERSION0x302 || ssl->session.version==TLSV1DOT2_VERSION0x303 || ssl->session.version==TLCPV1_VERSION0x101){
5907 if(tls_check_mac(decoder,ct,ssl->session.version,mac_frag,mac_fraglen,mac)< 0) {
5908 if(ignore_mac_failed) {
5909 ssl_debug_printf("ssl_decrypt_record: mac failed, but ignored for troubleshooting ;-)\n");
5910 }
5911 else{
5912 ssl_debug_printf("ssl_decrypt_record: mac failed\n");
5913 return -1;
5914 }
5915 }
5916 else{
5917 ssl_debug_printf("ssl_decrypt_record: mac ok\n");
5918 }
5919 }
5920 else if(ssl->session.version==DTLSV1DOT0_VERSION0xfeff ||
5921 ssl->session.version==DTLSV1DOT2_VERSION0xfefd ||
5922 ssl->session.version==DTLSV1DOT0_OPENSSL_VERSION0x100){
5923 /* Try rfc-compliant mac first, and if failed, try old openssl's non-rfc-compliant mac */
5924 if(dtls_check_mac(ssl,decoder,ct,mac_frag,mac_fraglen,mac,cid,cidl)>= 0) {
5925 ssl_debug_printf("ssl_decrypt_record: mac ok\n");
5926 }
5927 else if(tls_check_mac(decoder,ct,TLSV1_VERSION0x301,mac_frag,mac_fraglen,mac)>= 0) {
5928 ssl_debug_printf("ssl_decrypt_record: dtls rfc-compliant mac failed, but old openssl's non-rfc-compliant mac ok\n");
5929 }
5930 else if(ignore_mac_failed) {
5931 ssl_debug_printf("ssl_decrypt_record: mac failed, but ignored for troubleshooting ;-)\n");
5932 }
5933 else{
5934 ssl_debug_printf("ssl_decrypt_record: mac failed\n");
5935 return -1;
5936 }
5937 }
5938skip_mac:
5939
5940 *outl = worklen;
5941
5942 if (decoder->compression > 0) {
5943 ssl_debug_printf("ssl_decrypt_record: compression method %d\n", decoder->compression);
5944 ssl_data_copy(comp_str, out_str);
5945 ssl_print_data("Plaintext compressed", comp_str->data, worklen);
5946 if (!decoder->decomp) {
5947 ssl_debug_printf("decrypt_ssl3_record: no decoder available\n");
5948 return -1;
5949 }
5950 if (ssl_decompress_record(decoder->decomp, comp_str->data, worklen, out_str, &uncomplen) < 0) return -1;
5951 ssl_print_data("Plaintext uncompressed", out_str->data, uncomplen);
5952 *outl = uncomplen;
5953 }
5954
5955 return 0;
5956}
5957/* Record decryption glue based on security parameters }}} */
5958
5959
5960
5961#ifdef HAVE_LIBGNUTLS1
5962
5963/* RSA private key file processing {{{ */
5964static void
5965ssl_find_private_key_by_pubkey(SslDecryptSession *ssl,
5966 gnutls_datum_t *subjectPublicKeyInfo)
5967{
5968 gnutls_pubkey_t pubkey = NULL((void*)0);
5969 cert_key_id_t key_id;
5970 size_t key_id_len = sizeof(key_id);
5971 int r;
5972
5973 if (!subjectPublicKeyInfo->size) {
5974 ssl_debug_printf("%s: could not find SubjectPublicKeyInfo\n", G_STRFUNC((const char*) (__func__)));
5975 return;
5976 }
5977
5978 r = gnutls_pubkey_init(&pubkey);
5979 if (r < 0) {
5980 ssl_debug_printf("%s: failed to init pubkey: %s\n",
5981 G_STRFUNC((const char*) (__func__)), gnutls_strerror(r));
5982 return;
5983 }
5984
5985 r = gnutls_pubkey_import(pubkey, subjectPublicKeyInfo, GNUTLS_X509_FMT_DER);
5986 if (r < 0) {
5987 ssl_debug_printf("%s: failed to import pubkey from handshake: %s\n",
5988 G_STRFUNC((const char*) (__func__)), gnutls_strerror(r));
5989 goto end;
5990 }
5991
5992 if (gnutls_pubkey_get_pk_algorithm(pubkey, NULL((void*)0)) != GNUTLS_PK_RSA) {
5993 ssl_debug_printf("%s: Not a RSA public key - ignoring.\n", G_STRFUNC((const char*) (__func__)));
5994 goto end;
5995 }
5996
5997 /* Generate a 20-byte SHA-1 hash. */
5998 r = gnutls_pubkey_get_key_id(pubkey, 0, key_id.key_id, &key_id_len);
5999 if (r < 0) {
6000 ssl_debug_printf("%s: failed to extract key id from pubkey: %s\n",
6001 G_STRFUNC((const char*) (__func__)), gnutls_strerror(r));
6002 goto end;
6003 }
6004
6005 if (key_id_len != sizeof(key_id)) {
6006 ssl_debug_printf("%s: expected Key ID size %zu, got %zu\n",
6007 G_STRFUNC((const char*) (__func__)), sizeof(key_id), key_id_len);
6008 goto end;
6009 }
6010
6011 ssl_print_data("Certificate.KeyID", key_id.key_id, key_id_len);
6012 ssl->cert_key_id = wmem_new(wmem_file_scope(), cert_key_id_t)((cert_key_id_t*)wmem_alloc((wmem_file_scope()), sizeof(cert_key_id_t
)));
6013 *ssl->cert_key_id = key_id;
6014
6015end:
6016 gnutls_pubkey_deinit(pubkey);
6017}
6018
6019/* RSA private key file processing }}} */
6020#endif /* HAVE_LIBGNUTLS */
6021
6022/*--- Start of dissector-related code below ---*/
6023
6024/* This is not a "protocol" but ensures that this gets called during
6025 * the handoff stage. */
6026void proto_reg_handoff_tls_utils(void);
6027
6028static dissector_handle_t base_tls_handle;
6029static dissector_handle_t dtls_handle;
6030
6031void
6032proto_reg_handoff_tls_utils(void)
6033{
6034 base_tls_handle = find_dissector("tls");
6035 dtls_handle = find_dissector("dtls");
6036}
6037
6038/* get ssl data for this session. if no ssl data is found allocate a new one*/
6039SslDecryptSession *
6040ssl_get_session(conversation_t *conversation, dissector_handle_t tls_handle)
6041{
6042 void *conv_data;
6043 SslDecryptSession *ssl_session;
6044 int proto_ssl;
6045
6046 /* Note proto_ssl is tls for either the main tls_handle or the
6047 * tls13_handshake handle used by QUIC. */
6048 proto_ssl = dissector_handle_get_protocol_index(tls_handle);
6049 conv_data = conversation_get_proto_data(conversation, proto_ssl);
6050 if (conv_data != NULL((void*)0))
6051 return (SslDecryptSession *)conv_data;
6052
6053 /* no previous SSL conversation info, initialize it. */
6054 ssl_session = wmem_new0(wmem_file_scope(), SslDecryptSession)((SslDecryptSession*)wmem_alloc0((wmem_file_scope()), sizeof(
SslDecryptSession)));
6055
6056 /* data_len is the part that is meaningful, not the allocated length */
6057 ssl_session->master_secret.data_len = 0;
6058 ssl_session->master_secret.data = ssl_session->_master_secret;
6059 ssl_session->session_id.data_len = 0;
6060 ssl_session->session_id.data = ssl_session->_session_id;
6061 ssl_session->client_random.data_len = 0;
6062 ssl_session->client_random.data = ssl_session->_client_random;
6063 ssl_session->server_random.data_len = 0;
6064 ssl_session->server_random.data = ssl_session->_server_random;
6065 ssl_session->session_ticket.data_len = 0;
6066 ssl_session->session_ticket.data = NULL((void*)0); /* will be re-alloced as needed */
6067 ssl_session->server_data_for_iv.data_len = 0;
6068 ssl_session->server_data_for_iv.data = ssl_session->_server_data_for_iv;
6069 ssl_session->client_data_for_iv.data_len = 0;
6070 ssl_session->client_data_for_iv.data = ssl_session->_client_data_for_iv;
6071 ssl_session->app_data_segment.data = NULL((void*)0);
6072 ssl_session->app_data_segment.data_len = 0;
6073 ssl_session->handshake_data.data=NULL((void*)0);
6074 ssl_session->handshake_data.data_len=0;
6075 ssl_session->ech_transcript.data=NULL((void*)0);
6076 ssl_session->ech_transcript.data_len=0;
6077
6078 /* Initialize parameters which are not necessary specific to decryption. */
6079 ssl_session->session.version = SSL_VER_UNKNOWN0;
6080 clear_address(&ssl_session->session.srv_addr);
6081 ssl_session->session.srv_ptype = PT_NONE;
6082 ssl_session->session.srv_port = 0;
6083 ssl_session->session.dtls13_current_epoch[0] = ssl_session->session.dtls13_current_epoch[1] = 0;
6084 ssl_session->session.dtls13_next_seq_num[0] = ssl_session->session.dtls13_next_seq_num[1] = 0;
6085 ssl_session->session.client_random.data_len = 0;
6086 ssl_session->session.client_random.data = ssl_session->session._client_random;
6087 memset(ssl_session->session.ech_confirmation, 0, sizeof(ssl_session->session.ech_confirmation));
6088 memset(ssl_session->session.hrr_ech_confirmation, 0, sizeof(ssl_session->session.hrr_ech_confirmation));
6089 memset(ssl_session->session.first_ech_auth_tag, 0, sizeof(ssl_session->session.first_ech_auth_tag));
6090 ssl_session->session.ech = false0;
6091 ssl_session->session.hrr_ech_declined = false0;
6092 ssl_session->session.first_ch_ech_frame = 0;
6093
6094 /* We want to increment the stream count for the normal tls handle and
6095 * dtls handle, but presumably not for the tls13_handshake handle used
6096 * by QUIC (it has its own Follow Stream handling, and the QUIC stream
6097 * doesn't get sent to the TLS follow tap.)
6098 */
6099 if (tls_handle == base_tls_handle) {
6100 ssl_session->session.stream = tls_increment_stream_count();
6101 } else if (tls_handle == dtls_handle) {
6102 ssl_session->session.stream = dtls_increment_stream_count();
6103 }
6104
6105 conversation_add_proto_data(conversation, proto_ssl, ssl_session);
6106 return ssl_session;
6107}
6108
6109void ssl_reset_session(SslSession *session, SslDecryptSession *ssl, bool_Bool is_client)
6110{
6111 if (ssl) {
6112 /* Ensure that secrets are not restored using stale identifiers. Split
6113 * between client and server in case the packets somehow got out of order. */
6114 int clear_flags = SSL_HAVE_SESSION_KEY(1<<3) | SSL_MASTER_SECRET(1<<5) | SSL_PRE_MASTER_SECRET(1<<6);
6115
6116 if (is_client) {
6117 clear_flags |= SSL_CLIENT_EXTENDED_MASTER_SECRET(1<<7);
6118 ssl->session_id.data_len = 0;
6119 ssl->session_ticket.data_len = 0;
6120 ssl->master_secret.data_len = 0;
6121 ssl->client_random.data_len = 0;
6122 ssl->has_early_data = false0;
6123 if (ssl->handshake_data.data_len > 0) {
6124 // The EMS handshake hash starts with at the Client Hello,
6125 // ensure that any messages before it are forgotten.
6126 wmem_free(wmem_file_scope(), ssl->handshake_data.data);
6127 ssl->handshake_data.data = NULL((void*)0);
6128 ssl->handshake_data.data_len = 0;
6129 }
6130 } else {
6131 clear_flags |= SSL_SERVER_EXTENDED_MASTER_SECRET(1<<8) | SSL_NEW_SESSION_TICKET(1<<10);
6132 ssl->server_random.data_len = 0;
6133 ssl->pre_master_secret.data_len = 0;
6134#ifdef HAVE_LIBGNUTLS1
6135 ssl->cert_key_id = NULL((void*)0);
6136#endif
6137 ssl->psk.data_len = 0;
6138 }
6139
6140 if (ssl->state & clear_flags) {
6141 ssl_debug_printf("%s detected renegotiation, clearing 0x%02x (%s side)\n",
6142 G_STRFUNC((const char*) (__func__)), ssl->state & clear_flags, is_client ? "client" : "server");
6143 ssl->state &= ~clear_flags;
6144 }
6145 }
6146
6147 /* These flags might be used for non-decryption purposes and may affect the
6148 * dissection, so reset them as well. */
6149 if (is_client) {
6150 session->client_cert_type = 0;
6151 } else {
6152 session->compression = 0;
6153 session->server_cert_type = 0;
6154 /* session->is_session_resumed is already handled in the ServerHello dissection. */
6155 }
6156 session->dtls13_next_seq_num[0] = session->dtls13_next_seq_num[1] = 0;
6157 session->dtls13_current_epoch[0] = session->dtls13_current_epoch[1] = 0;
6158}
6159
6160void
6161tls_set_appdata_dissector(dissector_handle_t tls_handle, packet_info *pinfo,
6162 dissector_handle_t app_handle)
6163{
6164 conversation_t *conversation;
6165 SslSession *session;
6166
6167 /* Ignore if the TLS or other dissector is disabled. */
6168 if (!tls_handle || !app_handle)
6169 return;
6170
6171 conversation = find_or_create_conversation(pinfo);
6172 session = &ssl_get_session(conversation, tls_handle)->session;
6173 session->app_handle = app_handle;
6174}
6175
6176static uint32_t
6177ssl_starttls(dissector_handle_t tls_handle, packet_info *pinfo,
6178 dissector_handle_t app_handle, uint32_t last_nontls_frame)
6179{
6180 conversation_t *conversation;
6181 SslSession *session;
6182
6183 /* Ignore if the TLS dissector is disabled. */
6184 if (!tls_handle)
6185 return 0;
6186 /* The caller should always pass a valid handle to its own dissector. */
6187 DISSECTOR_ASSERT(app_handle)((void) ((app_handle) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 6187, "app_handle"))));
6188
6189 conversation = find_or_create_conversation(pinfo);
6190 session = &ssl_get_session(conversation, tls_handle)->session;
6191
6192 ssl_debug_printf("%s: old frame %d, app_handle=%p (%s)\n", G_STRFUNC((const char*) (__func__)),
6193 session->last_nontls_frame,
6194 (void *)session->app_handle,
6195 dissector_handle_get_dissector_name(session->app_handle));
6196 ssl_debug_printf("%s: current frame %d, app_handle=%p (%s)\n", G_STRFUNC((const char*) (__func__)),
6197 pinfo->num, (void *)app_handle,
6198 dissector_handle_get_dissector_name(app_handle));
6199
6200 /* Do not switch again if a dissector did it before. */
6201 if (session->last_nontls_frame) {
6202 ssl_debug_printf("%s: not overriding previous app handle!\n", G_STRFUNC((const char*) (__func__)));
6203 return session->last_nontls_frame;
6204 }
6205
6206 session->app_handle = app_handle;
6207 /* The TLS dissector should be called first for this conversation. */
6208 conversation_set_dissector(conversation, tls_handle);
6209 /* TLS starts after this frame. */
6210 session->last_nontls_frame = last_nontls_frame;
6211 return 0;
6212}
6213
6214/* ssl_starttls_ack: mark future frames as encrypted. */
6215uint32_t
6216ssl_starttls_ack(dissector_handle_t tls_handle, packet_info *pinfo,
6217 dissector_handle_t app_handle)
6218{
6219 return ssl_starttls(tls_handle, pinfo, app_handle, pinfo->num);
6220}
6221
6222uint32_t
6223ssl_starttls_post_ack(dissector_handle_t tls_handle, packet_info *pinfo,
6224 dissector_handle_t app_handle)
6225{
6226 return ssl_starttls(tls_handle, pinfo, app_handle, pinfo->num - 1);
6227}
6228
6229dissector_handle_t
6230ssl_find_appdata_dissector(const char *name)
6231{
6232 /* Accept 'http' for backwards compatibility and sanity. */
6233 if (!strcmp(name, "http"))
6234 name = "http-over-tls";
6235 /* XXX - Should this check to see if the dissector is actually added for
6236 * Decode As in the appropriate table?
6237 */
6238 return find_dissector(name);
6239}
6240
6241/* Functions for TLS/DTLS sessions and RSA private keys hashtables. {{{ */
6242static int
6243ssl_equal (const void *v, const void *v2)
6244{
6245 const StringInfo *val1;
6246 const StringInfo *val2;
6247 val1 = (const StringInfo *)v;
6248 val2 = (const StringInfo *)v2;
6249
6250 if (val1->data_len == val2->data_len &&
6251 !memcmp(val1->data, val2->data, val2->data_len)) {
6252 return 1;
6253 }
6254 return 0;
6255}
6256
6257static unsigned
6258ssl_hash (const void *v)
6259{
6260 unsigned l,hash;
6261 const StringInfo* id;
6262 const unsigned* cur;
6263 hash = 0;
6264 id = (const StringInfo*) v;
6265
6266 /* id and id->data are mallocated in ssl_save_master_key(). As such 'data'
6267 * should be aligned for any kind of access (for example as a unsigned as
6268 * is done below). The intermediate void* cast is to prevent "cast
6269 * increases required alignment of target type" warnings on CPUs (such
6270 * as SPARCs) that do not allow misaligned memory accesses.
6271 */
6272 cur = (const unsigned*)(void*) id->data;
6273
6274 for (l=4; (l < id->data_len); l+=4, cur++)
6275 hash = hash ^ (*cur);
6276
6277 return hash;
6278}
6279/* Functions for TLS/DTLS sessions and RSA private keys hashtables. }}} */
6280
6281/* Handling of association between tls/dtls ports and clear text protocol. {{{ */
6282void
6283ssl_association_add(const char* dissector_table_name, dissector_handle_t main_handle, dissector_handle_t subdissector_handle, unsigned port, bool_Bool tcp)
6284{
6285 DISSECTOR_ASSERT(main_handle)((void) ((main_handle) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 6285, "main_handle"))));
6286 DISSECTOR_ASSERT(subdissector_handle)((void) ((subdissector_handle) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 6286, "subdissector_handle"))));
6287 /* Registration is required for Export PDU feature to work properly. */
6288 DISSECTOR_ASSERT_HINT(dissector_handle_get_dissector_name(subdissector_handle),((void) ((dissector_handle_get_dissector_name(subdissector_handle
)) ? (void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\" (%s)"
, "epan/dissectors/packet-tls-utils.c", 6289, "dissector_handle_get_dissector_name(subdissector_handle)"
, "SSL appdata dissectors must register with register_dissector()!"
))))
6289 "SSL appdata dissectors must register with register_dissector()!")((void) ((dissector_handle_get_dissector_name(subdissector_handle
)) ? (void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\" (%s)"
, "epan/dissectors/packet-tls-utils.c", 6289, "dissector_handle_get_dissector_name(subdissector_handle)"
, "SSL appdata dissectors must register with register_dissector()!"
))));
6290 ssl_debug_printf("association_add %s port %d handle %p\n", dissector_table_name, port, (void *)subdissector_handle);
6291
6292 if (port) {
6293 dissector_add_uint(dissector_table_name, port, subdissector_handle);
6294 if (tcp)
6295 dissector_add_uint("tcp.port", port, main_handle);
6296 else
6297 dissector_add_uint("udp.port", port, main_handle);
6298 dissector_add_uint("sctp.port", port, main_handle);
6299 } else {
6300 dissector_add_for_decode_as(dissector_table_name, subdissector_handle);
6301 }
6302}
6303
6304void
6305ssl_association_remove(const char* dissector_table_name, dissector_handle_t main_handle, dissector_handle_t subdissector_handle, unsigned port, bool_Bool tcp)
6306{
6307 ssl_debug_printf("ssl_association_remove removing %s %u - handle %p\n",
6308 tcp?"TCP":"UDP", port, (void *)subdissector_handle);
6309 if (main_handle) {
6310 dissector_delete_uint(tcp?"tcp.port":"udp.port", port, main_handle);
6311 dissector_delete_uint("sctp.port", port, main_handle);
6312 }
6313
6314 if (port) {
6315 dissector_delete_uint(dissector_table_name, port, subdissector_handle);
6316 }
6317}
6318
6319void
6320ssl_set_server(SslSession *session, address *addr, port_type ptype, uint32_t port)
6321{
6322 copy_address_wmem(wmem_file_scope(), &session->srv_addr, addr);
6323 session->srv_ptype = ptype;
6324 session->srv_port = port;
6325}
6326
6327int
6328ssl_packet_from_server(SslSession *session, dissector_table_t table, const packet_info *pinfo)
6329{
6330 int ret;
6331 if (session && session->srv_addr.type != AT_NONE) {
6332 ret = (session->srv_ptype == pinfo->ptype) &&
6333 (session->srv_port == pinfo->srcport) &&
6334 addresses_equal(&session->srv_addr, &pinfo->src);
6335 } else {
6336 ret = (dissector_get_uint_handle(table, pinfo->srcport) != 0);
6337 }
6338
6339 ssl_debug_printf("packet_from_server: is from server - %s\n", (ret)?"TRUE":"FALSE");
6340 return ret;
6341}
6342/* Handling of association between tls/dtls ports and clear text protocol. }}} */
6343
6344
6345/* Links SSL records with the real packet data. {{{ */
6346SslPacketInfo *
6347tls_add_packet_info(int proto, packet_info *pinfo, uint8_t curr_layer_num_ssl)
6348{
6349 SslPacketInfo *pi = (SslPacketInfo *)p_get_proto_data(wmem_file_scope(), pinfo, proto, curr_layer_num_ssl);
6350 if (!pi) {
6351 pi = wmem_new0(wmem_file_scope(), SslPacketInfo)((SslPacketInfo*)wmem_alloc0((wmem_file_scope()), sizeof(SslPacketInfo
)));
6352 pi->srcport = pinfo->srcport;
6353 pi->destport = pinfo->destport;
6354 p_add_proto_data(wmem_file_scope(), pinfo, proto, curr_layer_num_ssl, pi);
6355 }
6356
6357 return pi;
6358}
6359
6360/**
6361 * Remembers the decrypted TLS record fragment (TLSInnerPlaintext in TLS 1.3) to
6362 * avoid the need for a decoder in the second pass. Additionally, it remembers
6363 * sequence numbers (for reassembly and Follow TLS Stream).
6364 *
6365 * @param proto The protocol identifier (proto_ssl or proto_dtls).
6366 * @param pinfo The packet where the record originates from.
6367 * @param plain_data Decrypted plaintext to store in the record.
6368 * @param plain_data_len Total length of the plaintext.
6369 * @param content_len Length of the plaintext section corresponding to the record content.
6370 * @param record_id The identifier for this record within the current packet.
6371 * @param flow Information about sequence numbers, etc.
6372 * @param type TLS Content Type (such as handshake or application_data).
6373 * @param curr_layer_num_ssl The layer identifier for this TLS session.
6374 */
6375void
6376ssl_add_record_info(int proto, packet_info *pinfo,
6377 const unsigned char *plain_data, int plain_data_len, int content_len,
6378 int record_id, SslFlow *flow, ContentType type, uint8_t curr_layer_num_ssl,
6379 uint64_t record_seq)
6380{
6381 SslRecordInfo* rec, **prec;
6382 SslPacketInfo *pi = tls_add_packet_info(proto, pinfo, curr_layer_num_ssl);
6383
6384 ws_assert(content_len <= plain_data_len)do { if ((1) && !(content_len <= plain_data_len)) ws_log_fatal_full
("", LOG_LEVEL_ERROR, "epan/dissectors/packet-tls-utils.c", 6384
, __func__, "assertion failed: %s", "content_len <= plain_data_len"
); } while (0);
6385
6386 rec = wmem_new(wmem_file_scope(), SslRecordInfo)((SslRecordInfo*)wmem_alloc((wmem_file_scope()), sizeof(SslRecordInfo
)));
6387 rec->plain_data = (unsigned char *)wmem_memdup(wmem_file_scope(), plain_data, plain_data_len);
6388 rec->plain_data_len = plain_data_len;
6389 rec->content_len = content_len;
6390 rec->id = record_id;
6391 rec->type = type;
6392 rec->next = NULL((void*)0);
6393 rec->record_seq = record_seq;
6394
6395 if (flow && type == SSL_ID_APP_DATA) {
6396 rec->seq = flow->byte_seq;
6397 rec->flow = flow;
6398 flow->byte_seq += content_len;
6399 ssl_debug_printf("%s stored decrypted record seq=%d nxtseq=%d flow=%p\n",
6400 G_STRFUNC((const char*) (__func__)), rec->seq, rec->seq + content_len, (void*)flow);
6401 }
6402
6403 /* Remember decrypted records. */
6404 prec = &pi->records;
6405 while (*prec) prec = &(*prec)->next;
6406 *prec = rec;
6407}
6408
6409/* search in packet data for the specified id; return a newly created tvb for the associated data */
6410tvbuff_t*
6411ssl_get_record_info(tvbuff_t *parent_tvb, int proto, packet_info *pinfo, int record_id, uint8_t curr_layer_num_ssl, SslRecordInfo **matched_record)
6412{
6413 SslRecordInfo* rec;
6414 SslPacketInfo* pi;
6415 pi = (SslPacketInfo *)p_get_proto_data(wmem_file_scope(), pinfo, proto, curr_layer_num_ssl);
6416
6417 if (!pi)
6418 return NULL((void*)0);
6419
6420 for (rec = pi->records; rec; rec = rec->next)
6421 if (rec->id == record_id) {
6422 *matched_record = rec;
6423 /* link new real_data_tvb with a parent tvb so it is freed when frame dissection is complete */
6424 return tvb_new_child_real_data(parent_tvb, rec->plain_data, rec->plain_data_len, rec->plain_data_len);
6425 }
6426
6427 return NULL((void*)0);
6428}
6429/* Links SSL records with the real packet data. }}} */
6430
6431/* initialize/reset per capture state data (ssl sessions cache). {{{ */
6432void
6433ssl_common_init(ssl_master_key_map_t *mk_map,
6434 StringInfo *decrypted_data, StringInfo *compressed_data)
6435{
6436 mk_map->session = g_hash_table_new(ssl_hash, ssl_equal);
6437 mk_map->tickets = g_hash_table_new(ssl_hash, ssl_equal);
6438 mk_map->crandom = g_hash_table_new(ssl_hash, ssl_equal);
6439 mk_map->pre_master = g_hash_table_new(ssl_hash, ssl_equal);
6440 mk_map->pms = g_hash_table_new(ssl_hash, ssl_equal);
6441 mk_map->tls13_client_early = g_hash_table_new(ssl_hash, ssl_equal);
6442 mk_map->tls13_client_handshake = g_hash_table_new(ssl_hash, ssl_equal);
6443 mk_map->tls13_server_handshake = g_hash_table_new(ssl_hash, ssl_equal);
6444 mk_map->tls13_client_appdata = g_hash_table_new(ssl_hash, ssl_equal);
6445 mk_map->tls13_server_appdata = g_hash_table_new(ssl_hash, ssl_equal);
6446 mk_map->tls13_early_exporter = g_hash_table_new(ssl_hash, ssl_equal);
6447 mk_map->tls13_exporter = g_hash_table_new(ssl_hash, ssl_equal);
6448
6449 mk_map->ech_secret = g_hash_table_new(ssl_hash, ssl_equal);
6450 mk_map->ech_config = g_hash_table_new(ssl_hash, ssl_equal);
6451
6452 mk_map->used_crandom = g_hash_table_new(ssl_hash, ssl_equal);
6453
6454 ssl_data_alloc(decrypted_data, 32);
6455 ssl_data_alloc(compressed_data, 32);
6456}
6457
6458void
6459ssl_common_cleanup(ssl_master_key_map_t *mk_map, FILE **ssl_keylog_file,
6460 StringInfo *decrypted_data, StringInfo *compressed_data)
6461{
6462 g_hash_table_destroy(mk_map->session);
6463 g_hash_table_destroy(mk_map->tickets);
6464 g_hash_table_destroy(mk_map->crandom);
6465 g_hash_table_destroy(mk_map->pre_master);
6466 g_hash_table_destroy(mk_map->pms);
6467 g_hash_table_destroy(mk_map->tls13_client_early);
6468 g_hash_table_destroy(mk_map->tls13_client_handshake);
6469 g_hash_table_destroy(mk_map->tls13_server_handshake);
6470 g_hash_table_destroy(mk_map->tls13_client_appdata);
6471 g_hash_table_destroy(mk_map->tls13_server_appdata);
6472 g_hash_table_destroy(mk_map->tls13_early_exporter);
6473 g_hash_table_destroy(mk_map->tls13_exporter);
6474
6475 g_hash_table_destroy(mk_map->ech_secret);
6476 g_hash_table_destroy(mk_map->ech_config);
6477
6478 g_hash_table_destroy(mk_map->used_crandom);
6479
6480 g_free(decrypted_data->data);
6481 g_free(compressed_data->data);
6482
6483 /* close the previous keylog file now that the cache are cleared, this
6484 * allows the cache to be filled with the full keylog file contents. */
6485 if (*ssl_keylog_file) {
6486 fclose(*ssl_keylog_file);
6487 *ssl_keylog_file = NULL((void*)0);
6488 }
6489}
6490/* }}} */
6491
6492/* parse ssl related preferences (private keys and ports association strings) */
6493#if defined(HAVE_LIBGNUTLS1)
6494/* Load a single RSA key file item from preferences. {{{ */
6495void
6496ssl_parse_key_list(const ssldecrypt_assoc_t *uats, GHashTable *key_hash, const char* dissector_table_name, dissector_handle_t main_handle, bool_Bool tcp)
6497{
6498 gnutls_x509_privkey_t x509_priv_key;
6499 gnutls_privkey_t priv_key = NULL((void*)0);
6500 FILE* fp = NULL((void*)0);
6501 int ret;
6502 size_t key_id_len = 20;
6503 unsigned char *key_id = NULL((void*)0);
6504 char *err = NULL((void*)0);
6505 dissector_handle_t handle;
6506 /* try to load keys file first */
6507 fp = ws_fopenfopen(uats->keyfile, "rb");
6508 if (!fp) {
6509 report_open_failure(uats->keyfile, errno(*__errno_location ()), false0);
6510 return;
6511 }
6512
6513 if ((int)strlen(uats->password) == 0) {
6514 x509_priv_key = rsa_load_pem_key(fp, &err);
6515 } else {
6516 x509_priv_key = rsa_load_pkcs12(fp, uats->password, &err);
6517 }
6518 fclose(fp);
6519
6520 if (!x509_priv_key) {
6521 if (err) {
6522 report_failure("Can't load private key from %s: %s",
6523 uats->keyfile, err);
6524 g_free(err);
6525 } else
6526 report_failure("Can't load private key from %s: unknown error",
6527 uats->keyfile);
6528 return;
6529 }
6530 if (err) {
6531 report_failure("Load of private key from %s \"succeeded\" with error %s",
6532 uats->keyfile, err);
6533 g_free(err);
6534 }
6535
6536 gnutls_privkey_init(&priv_key);
6537 ret = gnutls_privkey_import_x509(priv_key, x509_priv_key,
6538 GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE|GNUTLS_PRIVKEY_IMPORT_COPY);
6539 if (ret < 0) {
6540 report_failure("Can't convert private key %s: %s",
6541 uats->keyfile, gnutls_strerror(ret));
6542 goto end;
6543 }
6544
6545 key_id = (unsigned char *) g_malloc0(key_id_len);
6546 ret = gnutls_x509_privkey_get_key_id(x509_priv_key, 0, key_id, &key_id_len);
6547 if (ret < 0) {
6548 report_failure("Can't calculate public key ID for %s: %s",
6549 uats->keyfile, gnutls_strerror(ret));
6550 goto end;
6551 }
6552 ssl_print_data("KeyID", key_id, key_id_len);
6553 if (key_id_len != 20) {
6554 report_failure("Expected Key ID size %u for %s, got %zu", 20,
6555 uats->keyfile, key_id_len);
6556 goto end;
6557 }
6558
6559 g_hash_table_replace(key_hash, key_id, priv_key);
6560 key_id = NULL((void*)0); /* used in key_hash, do not free. */
6561 priv_key = NULL((void*)0);
6562 ssl_debug_printf("ssl_init private key file %s successfully loaded.\n", uats->keyfile);
6563
6564 handle = ssl_find_appdata_dissector(uats->protocol);
6565 if (handle) {
6566 /* Port to subprotocol mapping */
6567 uint16_t port = 0;
6568 if (ws_strtou16(uats->port, NULL((void*)0), &port)) {
6569 if (port > 0) {
6570 ssl_debug_printf("ssl_init port '%d' filename '%s' password(only for p12 file) '%s'\n",
6571 port, uats->keyfile, uats->password);
6572
6573 ssl_association_add(dissector_table_name, main_handle, handle, port, tcp);
6574 }
6575 } else {
6576 if (strcmp(uats->port, "start_tls"))
6577 ssl_debug_printf("invalid ssl_init_port: %s\n", uats->port);
6578 }
6579 }
6580
6581end:
6582 gnutls_x509_privkey_deinit(x509_priv_key);
6583 gnutls_privkey_deinit(priv_key);
6584 g_free(key_id);
6585}
6586/* }}} */
6587#endif
6588
6589
6590/* Store/load a known (pre-)master secret from/for this SSL session. {{{ */
6591/** store a known (pre-)master secret into cache */
6592static void
6593ssl_save_master_key(const char *label, GHashTable *ht, StringInfo *key,
6594 StringInfo *mk)
6595{
6596 StringInfo *ht_key, *master_secret;
6597
6598 if (key->data_len == 0) {
6599 ssl_debug_printf("%s: not saving empty %s!\n", G_STRFUNC((const char*) (__func__)), label);
6600 return;
6601 }
6602
6603 if (mk->data_len == 0) {
6604 ssl_debug_printf("%s not saving empty (pre-)master secret for %s!\n",
6605 G_STRFUNC((const char*) (__func__)), label);
6606 return;
6607 }
6608
6609 /* ssl_hash() depends on session_ticket->data being aligned for unsigned access
6610 * so be careful in changing how it is allocated. */
6611 ht_key = ssl_data_clone(key);
6612 master_secret = ssl_data_clone(mk);
6613 g_hash_table_insert(ht, ht_key, master_secret);
6614
6615 ssl_debug_printf("%s inserted (pre-)master secret for %s\n", G_STRFUNC((const char*) (__func__)), label);
6616 ssl_print_string("stored key", ht_key);
6617 ssl_print_string("stored (pre-)master secret", master_secret);
6618}
6619
6620/** restore a (pre-)master secret given some key in the cache */
6621static bool_Bool
6622ssl_restore_master_key(SslDecryptSession *ssl, const char *label,
6623 bool_Bool is_pre_master, GHashTable *ht, StringInfo *key)
6624{
6625 StringInfo *ms;
6626
6627 if (key->data_len == 0) {
6628 ssl_debug_printf("%s can't restore %smaster secret using an empty %s\n",
6629 G_STRFUNC((const char*) (__func__)), is_pre_master ? "pre-" : "", label);
6630 return false0;
6631 }
6632
6633 ms = (StringInfo *)g_hash_table_lookup(ht, key);
6634 if (!ms) {
6635 ssl_debug_printf("%s can't find %smaster secret by %s\n", G_STRFUNC((const char*) (__func__)),
6636 is_pre_master ? "pre-" : "", label);
6637 return false0;
6638 }
6639
6640 /* (pre)master secret found, clear knowledge of other keys and set it in the
6641 * current conversation */
6642 ssl->state &= ~(SSL_MASTER_SECRET(1<<5) | SSL_PRE_MASTER_SECRET(1<<6) |
6643 SSL_HAVE_SESSION_KEY(1<<3));
6644 if (is_pre_master) {
6645 /* unlike master secret, pre-master secret has a variable size (48 for
6646 * RSA, varying for PSK) and is therefore not statically allocated */
6647 ssl->pre_master_secret.data = (unsigned char *) wmem_alloc(wmem_file_scope(),
6648 ms->data_len);
6649 ssl_data_set(&ssl->pre_master_secret, ms->data, ms->data_len);
6650 ssl->state |= SSL_PRE_MASTER_SECRET(1<<6);
6651 } else {
6652 ssl_data_set(&ssl->master_secret, ms->data, ms->data_len);
6653 ssl->state |= SSL_MASTER_SECRET(1<<5);
6654 }
6655 ssl_debug_printf("%s %smaster secret retrieved using %s\n", G_STRFUNC((const char*) (__func__)),
6656 is_pre_master ? "pre-" : "", label);
6657 ssl_print_string(label, key);
6658 ssl_print_string("(pre-)master secret", ms);
6659 return true1;
6660}
6661/* Store/load a known (pre-)master secret from/for this SSL session. }}} */
6662
6663/* Should be called when all parameters are ready (after ChangeCipherSpec), and
6664 * the decoder should be attempted to be initialized. {{{*/
6665void
6666ssl_finalize_decryption(SslDecryptSession *ssl, ssl_master_key_map_t *mk_map)
6667{
6668 if (ssl->session.version == TLSV1DOT3_VERSION0x304) {
1
Assuming field 'version' is not equal to TLSV1DOT3_VERSION
2
Taking false branch
6669 /* TLS 1.3 implementations only provide secrets derived from the master
6670 * secret which are loaded in tls13_change_key. No master secrets can be
6671 * loaded here, so just return. */
6672 return;
6673 }
6674 ssl_debug_printf("%s state = 0x%02X\n", G_STRFUNC((const char*) (__func__)), ssl->state);
6675 if (ssl->state & SSL_HAVE_SESSION_KEY(1<<3)) {
3
Assuming the condition is false
4
Taking false branch
6676 ssl_debug_printf(" session key already available, nothing to do.\n");
6677 return;
6678 }
6679 if (!(ssl->state & SSL_CIPHER(1<<2))) {
5
Assuming the condition is false
6680 ssl_debug_printf(" Cipher suite (Server Hello) is missing!\n");
6681 return;
6682 }
6683
6684 /* for decryption, there needs to be a master secret (which can be derived
6685 * from pre-master secret). If missing, try to pick a master key from cache
6686 * (an earlier packet in the capture or key logfile). */
6687 if (!(ssl->state & (SSL_MASTER_SECRET(1<<5) | SSL_PRE_MASTER_SECRET(1<<6))) &&
6
Assuming the condition is false
6688 !ssl_restore_master_key(ssl, "Session ID", false0,
6689 mk_map->session, &ssl->session_id) &&
6690 (!ssl->session.is_session_resumed ||
6691 !ssl_restore_master_key(ssl, "Session Ticket", false0,
6692 mk_map->tickets, &ssl->session_ticket)) &&
6693 !ssl_restore_master_key(ssl, "Client Random", false0,
6694 mk_map->crandom, &ssl->client_random)) {
6695 if (ssl->cipher_suite->enc != ENC_NULL0x3D) {
6696 /* how unfortunate, the master secret could not be found */
6697 ssl_debug_printf(" Cannot find master secret\n");
6698 return;
6699 } else {
6700 ssl_debug_printf(" Cannot find master secret, continuing anyway "
6701 "because of a NULL cipher\n");
6702 }
6703 }
6704
6705 if (ssl_generate_keyring_material(ssl) < 0) {
7
Calling 'ssl_generate_keyring_material'
6706 ssl_debug_printf("%s can't generate keyring material\n", G_STRFUNC((const char*) (__func__)));
6707 return;
6708 }
6709 /* Save Client Random/ Session ID for "SSL Export Session keys" */
6710 ssl_save_master_key("Client Random", mk_map->crandom,
6711 &ssl->client_random, &ssl->master_secret);
6712 ssl_save_master_key("Session ID", mk_map->session,
6713 &ssl->session_id, &ssl->master_secret);
6714 /* Only save the new secrets if the server sent the ticket. The client
6715 * ticket might have become stale. */
6716 if (ssl->state & SSL_NEW_SESSION_TICKET(1<<10)) {
6717 ssl_save_master_key("Session Ticket", mk_map->tickets,
6718 &ssl->session_ticket, &ssl->master_secret);
6719 }
6720} /* }}} */
6721
6722/* Load the traffic key secret from the keylog file. */
6723StringInfo *
6724tls13_load_secret(SslDecryptSession *ssl, ssl_master_key_map_t *mk_map,
6725 bool_Bool is_from_server, TLSRecordType type)
6726{
6727 GHashTable *key_map;
6728 const char *label;
6729
6730 if (ssl->session.version != TLSV1DOT3_VERSION0x304 && ssl->session.version != DTLSV1DOT3_VERSION0xfefc) {
6731 ssl_debug_printf("%s TLS version %#x is not 1.3\n", G_STRFUNC((const char*) (__func__)), ssl->session.version);
6732 return NULL((void*)0);
6733 }
6734
6735 if (ssl->client_random.data_len == 0) {
6736 /* May happen if Hello message is missing and Finished is found. */
6737 ssl_debug_printf("%s missing Client Random\n", G_STRFUNC((const char*) (__func__)));
6738 return NULL((void*)0);
6739 }
6740
6741 switch (type) {
6742 case TLS_SECRET_0RTT_APP:
6743 DISSECTOR_ASSERT(!is_from_server)((void) ((!is_from_server) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 6743, "!is_from_server"))));
6744 label = "CLIENT_EARLY_TRAFFIC_SECRET";
6745 key_map = mk_map->tls13_client_early;
6746 break;
6747 case TLS_SECRET_HANDSHAKE:
6748 if (is_from_server) {
6749 label = "SERVER_HANDSHAKE_TRAFFIC_SECRET";
6750 key_map = mk_map->tls13_server_handshake;
6751 } else {
6752 label = "CLIENT_HANDSHAKE_TRAFFIC_SECRET";
6753 key_map = mk_map->tls13_client_handshake;
6754 }
6755 break;
6756 case TLS_SECRET_APP:
6757 if (is_from_server) {
6758 label = "SERVER_TRAFFIC_SECRET_0";
6759 key_map = mk_map->tls13_server_appdata;
6760 } else {
6761 label = "CLIENT_TRAFFIC_SECRET_0";
6762 key_map = mk_map->tls13_client_appdata;
6763 }
6764 break;
6765 default:
6766 ws_assert_not_reached()ws_log_fatal_full("", LOG_LEVEL_ERROR, "epan/dissectors/packet-tls-utils.c"
, 6766, __func__, "assertion \"not reached\" failed");
6767 }
6768
6769 /* Transitioning to new keys, mark old ones as unusable. */
6770 ssl_debug_printf("%s transitioning to new key, old state 0x%02x\n", G_STRFUNC((const char*) (__func__)), ssl->state);
6771 ssl->state &= ~(SSL_MASTER_SECRET(1<<5) | SSL_PRE_MASTER_SECRET(1<<6) | SSL_HAVE_SESSION_KEY(1<<3));
6772
6773 StringInfo *secret = (StringInfo *)g_hash_table_lookup(key_map, &ssl->client_random);
6774 if (!secret) {
6775 ssl_debug_printf("%s Cannot find %s, decryption impossible\n", G_STRFUNC((const char*) (__func__)), label);
6776 /* Disable decryption, the keys are invalid. */
6777 if (is_from_server) {
6778 ssl->server = NULL((void*)0);
6779 } else {
6780 ssl->client = NULL((void*)0);
6781 }
6782 return NULL((void*)0);
6783 }
6784
6785 /* TLS 1.3 secret found, set new keys. */
6786 ssl_debug_printf("%s Retrieved TLS 1.3 traffic secret.\n", G_STRFUNC((const char*) (__func__)));
6787 ssl_print_string("Client Random", &ssl->client_random);
6788 ssl_print_string(label, secret);
6789 return secret;
6790}
6791
6792/* Load the new key. */
6793void
6794tls13_change_key(SslDecryptSession *ssl, ssl_master_key_map_t *mk_map,
6795 bool_Bool is_from_server, TLSRecordType type)
6796{
6797 if (ssl->state & SSL_QUIC_RECORD_LAYER(1<<13)) {
6798 /*
6799 * QUIC does not use the TLS record layer for message protection.
6800 * The required keys will be extracted later by QUIC.
6801 */
6802 return;
6803 }
6804
6805 StringInfo *secret = tls13_load_secret(ssl, mk_map, is_from_server, type);
6806 if (!secret) {
6807 if (type != TLS_SECRET_HANDSHAKE) {
6808 return;
6809 }
6810 /*
6811 * Workaround for when for some reason we don't have the handshake
6812 * secret but do have the application traffic secret. (#20240)
6813 * If we can't find the handshake secret, we'll never decrypt the
6814 * Finished message, so we won't know when to change to the app
6815 * traffic key, so we do so now.
6816 */
6817 type = TLS_SECRET_APP;
6818 secret = tls13_load_secret(ssl, mk_map, is_from_server, type);
6819 if (!secret) {
6820 return;
6821 }
6822 }
6823
6824 if (tls13_generate_keys(ssl, secret, is_from_server)) {
6825 /*
6826 * Remember the application traffic secret to support Key Update. The
6827 * other secrets cannot be used for this purpose, so free them.
6828 */
6829 SslDecoder *decoder = is_from_server ? ssl->server : ssl->client;
6830 StringInfo *app_secret = &decoder->app_traffic_secret;
6831 if (type == TLS_SECRET_APP) {
6832 app_secret->data = (unsigned char *) wmem_realloc(wmem_file_scope(),
6833 app_secret->data,
6834 secret->data_len);
6835 ssl_data_set(app_secret, secret->data, secret->data_len);
6836 } else {
6837 wmem_free(wmem_file_scope(), app_secret->data);
6838 app_secret->data = NULL((void*)0);
6839 app_secret->data_len = 0;
6840 }
6841 }
6842}
6843
6844/**
6845 * Update to next application data traffic secret for TLS 1.3. The previous
6846 * secret should have been set by tls13_change_key.
6847 */
6848void
6849tls13_key_update(SslDecryptSession *ssl, bool_Bool is_from_server)
6850{
6851 /* RFC 8446 Section 7.2:
6852 * application_traffic_secret_N+1 =
6853 * HKDF-Expand-Label(application_traffic_secret_N,
6854 * "traffic upd", "", Hash.length)
6855 *
6856 * Both application_traffic_secret_N are of the same length (Hash.length).
6857 */
6858 const SslCipherSuite *cipher_suite = ssl->cipher_suite;
6859 SslDecoder *decoder = is_from_server ? ssl->server : ssl->client;
6860 StringInfo *app_secret = decoder ? &decoder->app_traffic_secret : NULL((void*)0);
6861 uint8_t tls13_draft_version = ssl->session.tls13_draft_version;
6862
6863 if (!cipher_suite || !app_secret || app_secret->data_len == 0) {
6864 ssl_debug_printf("%s Cannot perform Key Update due to missing info\n", G_STRFUNC((const char*) (__func__)));
6865 return;
6866 }
6867
6868 /*
6869 * Previous traffic secret is available, so find the hash function,
6870 * expand the new traffic secret and generate new keys.
6871 */
6872 const char *hash_name = ssl_cipher_suite_dig(cipher_suite)->name;
6873 int hash_algo = ssl_get_digest_by_name(hash_name);
6874 const unsigned hash_len = app_secret->data_len;
6875 unsigned char *new_secret;
6876 const char *label = "traffic upd";
6877 if (tls13_draft_version && tls13_draft_version < 20) {
6878 label = "application traffic secret";
6879 }
6880 if (!tls13_hkdf_expand_label(hash_algo, app_secret,
6881 tls13_hkdf_label_prefix(ssl),
6882 label, hash_len, &new_secret)) {
6883 ssl_debug_printf("%s traffic_secret_N+1 expansion failed\n", G_STRFUNC((const char*) (__func__)));
6884 return;
6885 }
6886 ssl_data_set(app_secret, new_secret, hash_len);
6887 if (tls13_generate_keys(ssl, app_secret, is_from_server)) {
6888 /*
6889 * Remember the application traffic secret on the new decoder to
6890 * support another Key Update.
6891 */
6892 decoder = is_from_server ? ssl->server : ssl->client;
6893 app_secret = &decoder->app_traffic_secret;
6894 app_secret->data = (unsigned char *) wmem_realloc(wmem_file_scope(),
6895 app_secret->data,
6896 hash_len);
6897 ssl_data_set(app_secret, new_secret, hash_len);
6898 }
6899 wmem_free(NULL((void*)0), new_secret);
6900}
6901
6902void
6903tls_save_crandom(SslDecryptSession *ssl, ssl_master_key_map_t *mk_map)
6904{
6905 if (ssl && (ssl->state & SSL_CLIENT_RANDOM(1<<0))) {
6906 g_hash_table_add(mk_map->used_crandom, ssl_data_clone(&ssl->client_random));
6907 }
6908}
6909
6910/** SSL keylog file handling. {{{ */
6911
6912static GRegex *
6913ssl_compile_keyfile_regex(void)
6914{
6915#define OCTET "(?:[[:xdigit:]]{2})"
6916 const char *pattern =
6917 "(?:"
6918 /* Matches Client Hellos having this Client Random */
6919 "PMS_CLIENT_RANDOM (?<client_random_pms>" OCTET "{32}) "
6920 /* Matches first part of encrypted RSA pre-master secret */
6921 "|RSA (?<encrypted_pmk>" OCTET "{8}) "
6922 /* Pre-Master-Secret is given, it is 48 bytes for RSA,
6923 but it can be of any length for DHE */
6924 ")(?<pms>" OCTET "+)"
6925 "|(?:"
6926 /* Matches Server Hellos having a Session ID */
6927 "RSA Session-ID:(?<session_id>" OCTET "+) Master-Key:"
6928 /* Matches Client Hellos having this Client Random */
6929 "|CLIENT_RANDOM (?<client_random>" OCTET "{32}) "
6930 /* Master-Secret is given, its length is fixed */
6931 ")(?<master_secret>" OCTET "{" G_STRINGIFY(SSL_MASTER_SECRET_LENGTH)"48" "})"
6932 "|(?"
6933 /* TLS 1.3 Client Random to Derived Secrets mapping. */
6934 ":CLIENT_EARLY_TRAFFIC_SECRET (?<client_early>" OCTET "{32})"
6935 "|CLIENT_HANDSHAKE_TRAFFIC_SECRET (?<client_handshake>" OCTET "{32})"
6936 "|SERVER_HANDSHAKE_TRAFFIC_SECRET (?<server_handshake>" OCTET "{32})"
6937 "|CLIENT_TRAFFIC_SECRET_0 (?<client_appdata>" OCTET "{32})"
6938 "|SERVER_TRAFFIC_SECRET_0 (?<server_appdata>" OCTET "{32})"
6939 "|EARLY_EXPORTER_SECRET (?<early_exporter>" OCTET "{32})"
6940 "|EXPORTER_SECRET (?<exporter>" OCTET "{32})"
6941 /* ECH. Secret length is defined by HPKE KEM Nsecret and can vary between 32 and 64 bytes */
6942 /* These labels and their notation are specified in draft-ietf-tls-ech-keylogfile-01 */
6943 "|ECH_SECRET (?<ech_secret>" OCTET "{32,64})"
6944 "|ECH_CONFIG (?<ech_config>" OCTET "{22,})"
6945 ") (?<derived_secret>" OCTET "+)";
6946#undef OCTET
6947 static GRegex *regex = NULL((void*)0);
6948 GError *gerr = NULL((void*)0);
6949
6950 if (!regex) {
6951 regex = g_regex_new(pattern,
6952 (GRegexCompileFlags)(G_REGEX_OPTIMIZE | G_REGEX_ANCHORED | G_REGEX_RAW),
6953 G_REGEX_MATCH_ANCHORED, &gerr);
6954 if (gerr) {
6955 ssl_debug_printf("%s failed to compile regex: %s\n", G_STRFUNC((const char*) (__func__)),
6956 gerr->message);
6957 g_error_free(gerr);
6958 regex = NULL((void*)0);
6959 }
6960 }
6961
6962 return regex;
6963}
6964
6965typedef struct ssl_master_key_match_group {
6966 const char *re_group_name;
6967 GHashTable *master_key_ht;
6968} ssl_master_key_match_group_t;
6969
6970void
6971tls_keylog_process_lines(const ssl_master_key_map_t *mk_map, const uint8_t *data, unsigned datalen)
6972{
6973 ssl_master_key_match_group_t mk_groups[] = {
6974 { "encrypted_pmk", mk_map->pre_master },
6975 { "session_id", mk_map->session },
6976 { "client_random", mk_map->crandom },
6977 { "client_random_pms", mk_map->pms },
6978 /* TLS 1.3 map from Client Random to derived secret. */
6979 { "client_early", mk_map->tls13_client_early },
6980 { "client_handshake", mk_map->tls13_client_handshake },
6981 { "server_handshake", mk_map->tls13_server_handshake },
6982 { "client_appdata", mk_map->tls13_client_appdata },
6983 { "server_appdata", mk_map->tls13_server_appdata },
6984 { "early_exporter", mk_map->tls13_early_exporter },
6985 { "exporter", mk_map->tls13_exporter },
6986 { "ech_secret", mk_map->ech_secret },
6987 { "ech_config", mk_map->ech_config },
6988 };
6989
6990 /* The format of the file is a series of records with one of the following formats:
6991 * - "RSA xxxx yyyy"
6992 * Where xxxx are the first 8 bytes of the encrypted pre-master secret (hex-encoded)
6993 * Where yyyy is the cleartext pre-master secret (hex-encoded)
6994 * (this is the original format introduced with bug 4349)
6995 *
6996 * - "RSA Session-ID:xxxx Master-Key:yyyy"
6997 * Where xxxx is the SSL session ID (hex-encoded)
6998 * Where yyyy is the cleartext master secret (hex-encoded)
6999 * (added to support openssl s_client Master-Key output)
7000 * This is somewhat is a misnomer because there's nothing RSA specific
7001 * about this.
7002 *
7003 * - "PMS_CLIENT_RANDOM xxxx yyyy"
7004 * Where xxxx is the client_random from the ClientHello (hex-encoded)
7005 * Where yyyy is the cleartext pre-master secret (hex-encoded)
7006 * (This format allows SSL connections to be decrypted, if a user can
7007 * capture the PMS but could not recover the MS for a specific session
7008 * with a SSL Server.)
7009 *
7010 * - "CLIENT_RANDOM xxxx yyyy"
7011 * Where xxxx is the client_random from the ClientHello (hex-encoded)
7012 * Where yyyy is the cleartext master secret (hex-encoded)
7013 * (This format allows non-RSA SSL connections to be decrypted, i.e.
7014 * ECDHE-RSA.)
7015 *
7016 * - "CLIENT_EARLY_TRAFFIC_SECRET xxxx yyyy"
7017 * - "CLIENT_HANDSHAKE_TRAFFIC_SECRET xxxx yyyy"
7018 * - "SERVER_HANDSHAKE_TRAFFIC_SECRET xxxx yyyy"
7019 * - "CLIENT_TRAFFIC_SECRET_0 xxxx yyyy"
7020 * - "SERVER_TRAFFIC_SECRET_0 xxxx yyyy"
7021 * - "EARLY_EXPORTER_SECRET xxxx yyyy"
7022 * - "EXPORTER_SECRET xxxx yyyy"
7023 * Where xxxx is the client_random from the ClientHello (hex-encoded)
7024 * Where yyyy is the secret (hex-encoded) derived from the early,
7025 * handshake or master secrets. (This format is introduced with TLS 1.3
7026 * and supported by BoringSSL, OpenSSL, etc. See bug 12779.)
7027 */
7028 GRegex *regex = ssl_compile_keyfile_regex();
7029 if (!regex)
7030 return;
7031
7032 const char *next_line = (const char *)data;
7033 const char *line_end = next_line + datalen;
7034 while (next_line && next_line < line_end) {
7035 const char *line = next_line;
7036 next_line = (const char *)memchr(line, '\n', line_end - line);
7037 ssize_t linelen;
7038
7039 if (next_line) {
7040 linelen = next_line - line;
7041 next_line++; /* drop LF */
7042 } else {
7043 linelen = (ssize_t)(line_end - line);
7044 }
7045 if (linelen > 0 && line[linelen - 1] == '\r') {
7046 linelen--; /* drop CR */
7047 }
7048
7049 ssl_debug_printf(" checking keylog line: %.*s\n", (int)linelen, line);
7050 GMatchInfo *mi;
7051 if (g_regex_match_full(regex, line, linelen, 0, G_REGEX_MATCH_ANCHORED, &mi, NULL((void*)0))) {
7052 char *hex_key, *hex_pre_ms_or_ms;
7053 StringInfo *key = wmem_new(wmem_file_scope(), StringInfo)((StringInfo*)wmem_alloc((wmem_file_scope()), sizeof(StringInfo
)));
7054 StringInfo *pre_ms_or_ms = NULL((void*)0);
7055 GHashTable *ht = NULL((void*)0);
7056
7057 /* Is the PMS being supplied with the PMS_CLIENT_RANDOM
7058 * otherwise we will use the Master Secret
7059 */
7060 hex_pre_ms_or_ms = g_match_info_fetch_named(mi, "master_secret");
7061 if (hex_pre_ms_or_ms == NULL((void*)0) || !*hex_pre_ms_or_ms) {
7062 g_free(hex_pre_ms_or_ms);
7063 hex_pre_ms_or_ms = g_match_info_fetch_named(mi, "pms");
7064 }
7065 if (hex_pre_ms_or_ms == NULL((void*)0) || !*hex_pre_ms_or_ms) {
7066 g_free(hex_pre_ms_or_ms);
7067 hex_pre_ms_or_ms = g_match_info_fetch_named(mi, "derived_secret");
7068 }
7069 /* There is always a match, otherwise the regex is wrong. */
7070 DISSECTOR_ASSERT(hex_pre_ms_or_ms && strlen(hex_pre_ms_or_ms))((void) ((hex_pre_ms_or_ms && strlen(hex_pre_ms_or_ms
)) ? (void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\""
, "epan/dissectors/packet-tls-utils.c", 7070, "hex_pre_ms_or_ms && strlen(hex_pre_ms_or_ms)"
))));
7071
7072 /* convert from hex to bytes and save to hashtable */
7073 pre_ms_or_ms = wmem_new(wmem_file_scope(), StringInfo)((StringInfo*)wmem_alloc((wmem_file_scope()), sizeof(StringInfo
)));
7074 from_hex(pre_ms_or_ms, hex_pre_ms_or_ms, strlen(hex_pre_ms_or_ms));
7075 g_free(hex_pre_ms_or_ms);
7076
7077 /* Find a master key from any format (CLIENT_RANDOM, SID, ...) */
7078 for (unsigned i = 0; i < G_N_ELEMENTS(mk_groups)(sizeof (mk_groups) / sizeof ((mk_groups)[0])); i++) {
7079 ssl_master_key_match_group_t *g = &mk_groups[i];
7080 hex_key = g_match_info_fetch_named(mi, g->re_group_name);
7081 if (hex_key && *hex_key) {
7082 ssl_debug_printf(" matched %s\n", g->re_group_name);
7083 ht = g->master_key_ht;
7084 from_hex(key, hex_key, strlen(hex_key));
7085 g_free(hex_key);
7086 break;
7087 }
7088 g_free(hex_key);
7089 }
7090 DISSECTOR_ASSERT(ht)((void) ((ht) ? (void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\""
, "epan/dissectors/packet-tls-utils.c", 7090, "ht")))); /* Cannot be reached, or regex is wrong. */
7091
7092 g_hash_table_insert(ht, key, pre_ms_or_ms);
7093
7094 } else if (linelen > 0 && line[0] != '#') {
7095 ssl_debug_printf(" unrecognized line\n");
7096 }
7097 /* always free match info even if there is no match. */
7098 g_match_info_free(mi);
7099 }
7100}
7101
7102void
7103ssl_load_keyfile(const char *tls_keylog_filename, FILE **keylog_file,
7104 const ssl_master_key_map_t *mk_map)
7105{
7106 /* no need to try if no key log file is configured. */
7107 if (!tls_keylog_filename || !*tls_keylog_filename) {
7108 ssl_debug_printf("%s dtls/tls.keylog_file is not configured!\n",
7109 G_STRFUNC((const char*) (__func__)));
7110 return;
7111 }
7112
7113 /* Validate regexes before even trying to use it. */
7114 if (!ssl_compile_keyfile_regex()) {
7115 return;
7116 }
7117
7118 ssl_debug_printf("trying to use TLS keylog in %s\n", tls_keylog_filename);
7119
7120 /* if the keylog file was deleted/overwritten, re-open it */
7121 if (*keylog_file && file_needs_reopen(ws_filenofileno(*keylog_file), tls_keylog_filename)) {
7122 ssl_debug_printf("%s file got deleted, trying to re-open\n", G_STRFUNC((const char*) (__func__)));
7123 fclose(*keylog_file);
7124 *keylog_file = NULL((void*)0);
7125 }
7126
7127 if (*keylog_file == NULL((void*)0)) {
7128 *keylog_file = ws_fopenfopen(tls_keylog_filename, "r");
7129 if (!*keylog_file) {
7130 ssl_debug_printf("%s failed to open SSL keylog\n", G_STRFUNC((const char*) (__func__)));
7131 return;
7132 }
7133 }
7134
7135 for (;;) {
7136 char buf[1110], *line;
7137 line = fgets(buf, sizeof(buf), *keylog_file);
7138 if (!line) {
7139 if (feof(*keylog_file)) {
7140 /* Ensure that newly appended keys can be read in the future. */
7141 clearerr(*keylog_file);
7142 } else if (ferror(*keylog_file)) {
7143 ssl_debug_printf("%s Error while reading key log file, closing it!\n", G_STRFUNC((const char*) (__func__)));
7144 fclose(*keylog_file);
7145 *keylog_file = NULL((void*)0);
7146 }
7147 break;
7148 }
7149 tls_keylog_process_lines(mk_map, (uint8_t *)line, (int)strlen(line));
7150 }
7151}
7152/** SSL keylog file handling. }}} */
7153
7154#ifdef SSL_DECRYPT_DEBUG /* {{{ */
7155
7156static FILE* ssl_debug_file;
7157
7158void
7159ssl_set_debug(const char* name)
7160{
7161 static int debug_file_must_be_closed;
7162 int use_stderr;
7163
7164 use_stderr = name?(strcmp(name, SSL_DEBUG_USE_STDERR"-") == 0):0;
7165
7166 if (debug_file_must_be_closed)
7167 fclose(ssl_debug_file);
7168
7169 if (use_stderr)
7170 ssl_debug_file = stderrstderr;
7171 else if (!name || (strcmp(name, "") ==0))
7172 ssl_debug_file = NULL((void*)0);
7173 else
7174 ssl_debug_file = ws_fopenfopen(name, "w");
7175
7176 if (!use_stderr && ssl_debug_file)
7177 debug_file_must_be_closed = 1;
7178 else
7179 debug_file_must_be_closed = 0;
7180
7181 ssl_debug_printf("Wireshark SSL debug log \n\n");
7182#ifdef HAVE_LIBGNUTLS1
7183 ssl_debug_printf("GnuTLS version: %s\n", gnutls_check_version(NULL((void*)0)));
7184#endif
7185 ssl_debug_printf("Libgcrypt version: %s\n", gcry_check_version(NULL((void*)0)));
7186 ssl_debug_printf("\n");
7187}
7188
7189void
7190ssl_debug_flush(void)
7191{
7192 if (ssl_debug_file)
7193 fflush(ssl_debug_file);
7194}
7195
7196void
7197ssl_debug_printf(const char* fmt, ...)
7198{
7199 va_list ap;
7200
7201 if (!ssl_debug_file)
7202 return;
7203
7204 va_start(ap, fmt)__builtin_va_start(ap, fmt);
7205 vfprintf(ssl_debug_file, fmt, ap);
7206 va_end(ap)__builtin_va_end(ap);
7207}
7208
7209void
7210ssl_print_data(const char* name, const unsigned char* data, size_t len)
7211{
7212 size_t i, j, k;
7213 if (!ssl_debug_file)
7214 return;
7215 fprintf(ssl_debug_file,"%s[%d]:\n",name, (int) len);
7216 for (i=0; i<len; i+=16) {
7217 fprintf(ssl_debug_file,"| ");
7218 for (j=i, k=0; k<16 && j<len; ++j, ++k)
7219 fprintf(ssl_debug_file,"%.2x ",data[j]);
7220 for (; k<16; ++k)
7221 fprintf(ssl_debug_file," ");
7222 fputc('|', ssl_debug_file);
7223 for (j=i, k=0; k<16 && j<len; ++j, ++k) {
7224 unsigned char c = data[j];
7225 if (!g_ascii_isprint(c)((g_ascii_table[(guchar) (c)] & G_ASCII_PRINT) != 0) || (c=='\t')) c = '.';
7226 fputc(c, ssl_debug_file);
7227 }
7228 for (; k<16; ++k)
7229 fputc(' ', ssl_debug_file);
7230 fprintf(ssl_debug_file,"|\n");
7231 }
7232}
7233
7234void
7235ssl_print_string(const char* name, const StringInfo* data)
7236{
7237 ssl_print_data(name, data->data, data->data_len);
7238}
7239#endif /* SSL_DECRYPT_DEBUG }}} */
7240
7241/* UAT preferences callbacks. {{{ */
7242/* checks for SSL and DTLS UAT key list fields */
7243
7244bool_Bool
7245ssldecrypt_uat_fld_ip_chk_cb(void* r _U___attribute__((unused)), const char* p _U___attribute__((unused)), unsigned len _U___attribute__((unused)), const void* u1 _U___attribute__((unused)), const void* u2 _U___attribute__((unused)), char** err)
7246{
7247 // This should be removed in favor of Decode As. Make it optional.
7248 *err = NULL((void*)0);
7249 return true1;
7250}
7251
7252bool_Bool
7253ssldecrypt_uat_fld_port_chk_cb(void* r _U___attribute__((unused)), const char* p, unsigned len _U___attribute__((unused)), const void* u1 _U___attribute__((unused)), const void* u2 _U___attribute__((unused)), char** err)
7254{
7255 if (!p || strlen(p) == 0u) {
7256 // This should be removed in favor of Decode As. Make it optional.
7257 *err = NULL((void*)0);
7258 return true1;
7259 }
7260
7261 if (strcmp(p, "start_tls") != 0){
7262 uint16_t port;
7263 if (!ws_strtou16(p, NULL((void*)0), &port)) {
7264 *err = g_strdup("Invalid port given.")g_strdup_inline ("Invalid port given.");
7265 return false0;
7266 }
7267 }
7268
7269 *err = NULL((void*)0);
7270 return true1;
7271}
7272
7273bool_Bool
7274ssldecrypt_uat_fld_fileopen_chk_cb(void* r _U___attribute__((unused)), const char* p, unsigned len _U___attribute__((unused)), const void* u1 _U___attribute__((unused)), const void* u2 _U___attribute__((unused)), char** err)
7275{
7276 ws_statb64struct stat st;
7277
7278 if (!p || strlen(p) == 0u) {
7279 *err = g_strdup("No filename given.")g_strdup_inline ("No filename given.");
7280 return false0;
7281 } else {
7282 if (ws_stat64stat(p, &st) != 0) {
7283 *err = ws_strdup_printf("File '%s' does not exist or access is denied.", p)wmem_strdup_printf(((void*)0), "File '%s' does not exist or access is denied."
, p);
7284 return false0;
7285 }
7286 }
7287
7288 *err = NULL((void*)0);
7289 return true1;
7290}
7291
7292bool_Bool
7293ssldecrypt_uat_fld_password_chk_cb(void *r _U___attribute__((unused)), const char *p _U___attribute__((unused)), unsigned len _U___attribute__((unused)), const void *u1 _U___attribute__((unused)), const void *u2 _U___attribute__((unused)), char **err)
7294{
7295#if defined(HAVE_LIBGNUTLS1)
7296 ssldecrypt_assoc_t* f = (ssldecrypt_assoc_t *)r;
7297 FILE *fp = NULL((void*)0);
7298
7299 if (p && (strlen(p) > 0u)) {
7300 fp = ws_fopenfopen(f->keyfile, "rb");
7301 if (fp) {
7302 char *msg = NULL((void*)0);
7303 gnutls_x509_privkey_t priv_key = rsa_load_pkcs12(fp, p, &msg);
7304 if (!priv_key) {
7305 fclose(fp);
7306 *err = ws_strdup_printf("Could not load PKCS#12 key file: %s", msg)wmem_strdup_printf(((void*)0), "Could not load PKCS#12 key file: %s"
, msg);
7307 g_free(msg);
7308 return false0;
7309 }
7310 g_free(msg);
7311 gnutls_x509_privkey_deinit(priv_key);
7312 fclose(fp);
7313 } else {
7314 *err = ws_strdup_printf("Leave this field blank if the keyfile is not PKCS#12.")wmem_strdup_printf(((void*)0), "Leave this field blank if the keyfile is not PKCS#12."
);
7315 return false0;
7316 }
7317 }
7318
7319 *err = NULL((void*)0);
7320 return true1;
7321#else
7322 *err = g_strdup("Cannot load key files, support is not compiled in.")g_strdup_inline ("Cannot load key files, support is not compiled in."
);
7323 return false0;
7324#endif
7325}
7326/* UAT preferences callbacks. }}} */
7327
7328/** maximum size of ssl_association_info() string */
7329#define SSL_ASSOC_MAX_LEN8192 8192
7330
7331typedef struct ssl_association_info_callback_data
7332{
7333 char *str;
7334 const char *table_protocol;
7335} ssl_association_info_callback_data_t;
7336
7337/**
7338 * callback function used by ssl_association_info() to traverse the SSL associations.
7339 */
7340static void
7341ssl_association_info_(const char *table _U___attribute__((unused)), void *handle, void *user_data)
7342{
7343 ssl_association_info_callback_data_t* data = (ssl_association_info_callback_data_t*)user_data;
7344 const int l = (const int)strlen(data->str);
7345 snprintf(data->str+l, SSL_ASSOC_MAX_LEN8192-l, "'%s' (%s)\n", dissector_handle_get_dissector_name((dissector_handle_t)handle), dissector_handle_get_description((dissector_handle_t)handle));
7346}
7347
7348/**
7349 * @return an information string on the SSL protocol associations. The string must be freed.
7350 */
7351char*
7352ssl_association_info(const char* dissector_table_name, const char* table_protocol)
7353{
7354 ssl_association_info_callback_data_t data;
7355
7356 data.str = (char *)g_malloc0(SSL_ASSOC_MAX_LEN8192);
7357 data.table_protocol = table_protocol;
7358 dissector_table_foreach_handle(dissector_table_name, ssl_association_info_, &data);
7359 return data.str;
7360}
7361
7362
7363/** Begin of code related to dissection of wire data. */
7364
7365/* Helpers for dissecting Variable-Length Vectors. {{{ */
7366bool_Bool
7367ssl_add_vector(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
7368 unsigned offset, unsigned offset_end, uint32_t *ret_length,
7369 int hf_length, uint32_t min_value, uint32_t max_value)
7370{
7371 unsigned veclen_size;
7372 uint32_t veclen_value;
7373 proto_item *pi;
7374
7375 DISSECTOR_ASSERT_CMPUINT(min_value, <=, max_value)((void) ((min_value <= max_value) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion " "min_value" " " "<=" " " "max_value"
" (" "%" "l" "u" " " "<=" " " "%" "l" "u" ")", "epan/dissectors/packet-tls-utils.c"
, 7375, (uint64_t)min_value, (uint64_t)max_value))));
7376 if (offset > offset_end) {
7377 expert_add_info_format(pinfo, tree, &hf->ei.malformed_buffer_too_small,
7378 "Vector offset is past buffer end offset (%u > %u)",
7379 offset, offset_end);
7380 *ret_length = 0;
7381 return false0; /* Cannot read length. */
7382 }
7383
7384 if (max_value > 0xffffff) {
7385 veclen_size = 4;
7386 } else if (max_value > 0xffff) {
7387 veclen_size = 3;
7388 } else if (max_value > 0xff) {
7389 veclen_size = 2;
7390 } else {
7391 veclen_size = 1;
7392 }
7393
7394 if (offset_end - offset < veclen_size) {
7395 proto_tree_add_expert_format(tree, pinfo, &hf->ei.malformed_buffer_too_small,
7396 tvb, offset, offset_end - offset,
7397 "No more room for vector of length %u",
7398 veclen_size);
7399 *ret_length = 0;
7400 return false0; /* Cannot read length. */
7401 }
7402
7403 pi = proto_tree_add_item_ret_uint(tree, hf_length, tvb, offset, veclen_size, ENC_BIG_ENDIAN0x00000000, &veclen_value);
7404 offset += veclen_size;
7405
7406 if (veclen_value < min_value) {
7407 expert_add_info_format(pinfo, pi, &hf->ei.malformed_vector_length,
7408 "Vector length %u is smaller than minimum %u",
7409 veclen_value, min_value);
7410 } else if (veclen_value > max_value) {
7411 expert_add_info_format(pinfo, pi, &hf->ei.malformed_vector_length,
7412 "Vector length %u is larger than maximum %u",
7413 veclen_value, max_value);
7414 }
7415
7416 if (offset_end - offset < veclen_value) {
7417 expert_add_info_format(pinfo, pi, &hf->ei.malformed_buffer_too_small,
7418 "Vector length %u is too large, truncating it to %u",
7419 veclen_value, offset_end - offset);
7420 *ret_length = offset_end - offset;
7421 return false0; /* Length is truncated to avoid overflow. */
7422 }
7423
7424 *ret_length = veclen_value;
7425 return true1; /* Length is OK. */
7426}
7427
7428bool_Bool
7429ssl_end_vector(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
7430 unsigned offset, unsigned offset_end)
7431{
7432 if (offset < offset_end) {
7433 unsigned trailing = offset_end - offset;
7434 proto_tree_add_expert_format(tree, pinfo, &hf->ei.malformed_trailing_data,
7435 tvb, offset, trailing,
7436 "%u trailing byte%s unprocessed",
7437 trailing, plurality(trailing, " was", "s were")((trailing) == 1 ? (" was") : ("s were")));
7438 return false0; /* unprocessed data warning */
7439 } else if (offset > offset_end) {
7440 /*
7441 * Returned offset runs past the end. This should not happen and is
7442 * possibly a dissector bug.
7443 */
7444 unsigned excess = offset - offset_end;
7445 proto_tree_add_expert_format(tree, pinfo, &hf->ei.malformed_buffer_too_small,
7446 tvb, offset_end, excess,
7447 "Dissector processed too much data (%u byte%s)",
7448 excess, plurality(excess, "", "s")((excess) == 1 ? ("") : ("s")));
7449 return false0; /* overflow error */
7450 }
7451
7452 return true1; /* OK, offset matches. */
7453}
7454/** }}} */
7455
7456
7457static uint32_t
7458ssl_dissect_digitally_signed(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
7459 proto_tree *tree, uint32_t offset, uint32_t offset_end,
7460 uint16_t version, int hf_sig_len, int hf_sig);
7461
7462/* change_cipher_spec(20) dissection */
7463void
7464ssl_dissect_change_cipher_spec(ssl_common_dissect_t *hf, tvbuff_t *tvb,
7465 packet_info *pinfo, proto_tree *tree,
7466 uint32_t offset, SslSession *session,
7467 bool_Bool is_from_server,
7468 const SslDecryptSession *ssl)
7469{
7470 /*
7471 * struct {
7472 * enum { change_cipher_spec(1), (255) } type;
7473 * } ChangeCipherSpec;
7474 */
7475 proto_item *ti;
7476 proto_item_set_text(tree,
7477 "%s Record Layer: %s Protocol: Change Cipher Spec",
7478 val_to_str_const(session->version, ssl_version_short_names, "SSL"),
7479 val_to_str_const(SSL_ID_CHG_CIPHER_SPEC, ssl_31_content_type, "unknown"));
7480 ti = proto_tree_add_item(tree, hf->hf.change_cipher_spec, tvb, offset, 1, ENC_NA0x00000000);
7481
7482 if (session->version == TLSV1DOT3_VERSION0x304) {
7483 /* CCS is a dummy message in TLS 1.3, do not parse it further. */
7484 return;
7485 }
7486
7487 /* Remember frame number of first CCS */
7488 uint32_t *ccs_frame = is_from_server ? &session->server_ccs_frame : &session->client_ccs_frame;
7489 if (*ccs_frame == 0)
7490 *ccs_frame = pinfo->num;
7491
7492 /* Use heuristics to detect an abbreviated handshake, assume that missing
7493 * ServerHelloDone implies reusing previously negotiating keys. Then when
7494 * a Session ID or ticket is present, it must be a resumed session.
7495 * Normally this should be done at the Finished message, but that may be
7496 * encrypted so we do it here, at the last cleartext message. */
7497 if (is_from_server && ssl) {
7498 if (session->is_session_resumed) {
7499 const char *resumed = NULL((void*)0);
7500 if (ssl->session_ticket.data_len) {
7501 resumed = "Session Ticket";
7502 } else if (ssl->session_id.data_len) {
7503 resumed = "Session ID";
7504 }
7505 if (resumed) {
7506 ssl_debug_printf("%s Session resumption using %s\n", G_STRFUNC((const char*) (__func__)), resumed);
7507 } else {
7508 /* Can happen if the capture somehow starts in the middle */
7509 ssl_debug_printf("%s No Session resumption, missing packets?\n", G_STRFUNC((const char*) (__func__)));
7510 }
7511 } else {
7512 ssl_debug_printf("%s Not using Session resumption\n", G_STRFUNC((const char*) (__func__)));
7513 }
7514 }
7515 if (is_from_server && session->is_session_resumed)
7516 expert_add_info(pinfo, ti, &hf->ei.resumed);
7517}
7518
7519/** Begin of handshake(22) record dissections */
7520
7521/* Dissects a SignatureScheme (TLS 1.3) or SignatureAndHashAlgorithm (TLS 1.2).
7522 * {{{ */
7523static void
7524tls_dissect_signature_algorithm(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree, uint32_t offset, ja4_data_t *ja4_data)
7525{
7526 uint32_t sighash, hashalg, sigalg;
7527 proto_item *ti_sigalg;
7528 proto_tree *sigalg_tree;
7529
7530 ti_sigalg = proto_tree_add_item_ret_uint(tree, hf->hf.hs_sig_hash_alg, tvb,
7531 offset, 2, ENC_BIG_ENDIAN0x00000000, &sighash);
7532 if (ja4_data) {
7533 wmem_list_append(ja4_data->sighash_list, GUINT_TO_POINTER(sighash)((gpointer) (gulong) (sighash)));
7534 }
7535
7536 sigalg_tree = proto_item_add_subtree(ti_sigalg, hf->ett.hs_sig_hash_alg);
7537
7538 /* TLS 1.2: SignatureAndHashAlgorithm { hash, signature } */
7539 proto_tree_add_item_ret_uint(sigalg_tree, hf->hf.hs_sig_hash_hash, tvb,
7540 offset, 1, ENC_BIG_ENDIAN0x00000000, &hashalg);
7541 proto_tree_add_item_ret_uint(sigalg_tree, hf->hf.hs_sig_hash_sig, tvb,
7542 offset + 1, 1, ENC_BIG_ENDIAN0x00000000, &sigalg);
7543
7544 /* No TLS 1.3 SignatureScheme? Fallback to TLS 1.2 interpretation. */
7545 if (!try_val_to_str(sighash, tls13_signature_algorithm)) {
7546 proto_item_set_text(ti_sigalg, "Signature Algorithm: %s %s (0x%04x)",
7547 val_to_str_const(hashalg, tls_hash_algorithm, "Unknown"),
7548 val_to_str_const(sigalg, tls_signature_algorithm, "Unknown"),
7549 sighash);
7550 }
7551} /* }}} */
7552
7553/* dissect a list of hash algorithms, return the number of bytes dissected
7554 this is used for the signature algorithms extension and for the
7555 TLS1.2 certificate request. {{{ */
7556static int
7557ssl_dissect_hash_alg_list(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree,
7558 packet_info* pinfo, uint32_t offset, uint32_t offset_end, ja4_data_t *ja4_data)
7559{
7560 /* https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1
7561 * struct {
7562 * HashAlgorithm hash;
7563 * SignatureAlgorithm signature;
7564 * } SignatureAndHashAlgorithm;
7565 * SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2>;
7566 */
7567 proto_tree *subtree;
7568 proto_item *ti;
7569 unsigned sh_alg_length;
7570 uint32_t next_offset;
7571
7572 /* SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2> */
7573 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &sh_alg_length,
7574 hf->hf.hs_sig_hash_alg_len, 2, UINT16_MAX(65535) - 1)) {
7575 return offset_end;
7576 }
7577 offset += 2;
7578 next_offset = offset + sh_alg_length;
7579
7580 ti = proto_tree_add_none_format(tree, hf->hf.hs_sig_hash_algs, tvb, offset, sh_alg_length,
7581 "Signature Hash Algorithms (%u algorithm%s)",
7582 sh_alg_length / 2, plurality(sh_alg_length / 2, "", "s")((sh_alg_length / 2) == 1 ? ("") : ("s")));
7583 subtree = proto_item_add_subtree(ti, hf->ett.hs_sig_hash_algs);
7584
7585 while (offset + 2 <= next_offset) {
7586 tls_dissect_signature_algorithm(hf, tvb, subtree, offset, ja4_data);
7587 offset += 2;
7588 }
7589
7590 if (!ssl_end_vector(hf, tvb, pinfo, subtree, offset, next_offset)) {
7591 offset = next_offset;
7592 }
7593
7594 return offset;
7595} /* }}} */
7596
7597/* Dissection of DistinguishedName (for CertificateRequest and
7598 * certificate_authorities extension). {{{ */
7599static uint32_t
7600tls_dissect_certificate_authorities(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
7601 proto_tree *tree, uint32_t offset, uint32_t offset_end)
7602{
7603 proto_item *ti;
7604 proto_tree *subtree;
7605 uint32_t dnames_length, next_offset;
7606 asn1_ctx_t asn1_ctx;
7607 int dnames_count = 100; /* the maximum number of DNs to add to the tree */
7608
7609 /* Note: minimum length is 0 for TLS 1.1/1.2 and 3 for earlier/later */
7610 /* DistinguishedName certificate_authorities<0..2^16-1> */
7611 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &dnames_length,
7612 hf->hf.hs_dnames_len, 0, UINT16_MAX(65535))) {
7613 return offset_end;
7614 }
7615 offset += 2;
7616 next_offset = offset + dnames_length;
7617
7618 if (dnames_length > 0) {
7619 ti = proto_tree_add_none_format(tree,
7620 hf->hf.hs_dnames,
7621 tvb, offset, dnames_length,
7622 "Distinguished Names (%d byte%s)",
7623 dnames_length,
7624 plurality(dnames_length, "", "s")((dnames_length) == 1 ? ("") : ("s")));
7625 subtree = proto_item_add_subtree(ti, hf->ett.dnames);
7626
7627 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true1, pinfo);
7628
7629 while (offset < next_offset) {
7630 /* get the length of the current certificate */
7631 uint32_t name_length;
7632
7633 if (dnames_count-- == 0) {
7634 /* stop adding to tree when the list is considered too large
7635 * https://gitlab.com/wireshark/wireshark/-/issues/16202
7636 Note: dnames_count must be set low enough not to hit the
7637 limit set by PINFO_LAYER_MAX_RECURSION_DEPTH in packet.c
7638 */
7639 ti = proto_tree_add_item(subtree, hf->hf.hs_dnames_truncated,
7640 tvb, offset, next_offset - offset, ENC_NA0x00000000);
7641 proto_item_set_generated(ti);
7642 return next_offset;
7643 }
7644
7645 /* opaque DistinguishedName<1..2^16-1> */
7646 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, next_offset, &name_length,
7647 hf->hf.hs_dname_len, 1, UINT16_MAX(65535))) {
7648 return next_offset;
7649 }
7650 offset += 2;
7651
7652 dissect_x509if_DistinguishedName(false0, tvb, offset, &asn1_ctx,
7653 subtree, hf->hf.hs_dname);
7654 offset += name_length;
7655 }
7656 }
7657 return offset;
7658} /* }}} */
7659
7660
7661/** TLS Extensions (in Client Hello and Server Hello). {{{ */
7662static int
7663ssl_dissect_hnd_hello_ext_sig_hash_algs(ssl_common_dissect_t *hf, tvbuff_t *tvb,
7664 proto_tree *tree, packet_info* pinfo, uint32_t offset, uint32_t offset_end, ja4_data_t *ja4_data)
7665{
7666 return ssl_dissect_hash_alg_list(hf, tvb, tree, pinfo, offset, offset_end, ja4_data);
7667}
7668
7669static int
7670ssl_dissect_hnd_ext_delegated_credentials(ssl_common_dissect_t *hf, tvbuff_t *tvb,
7671 proto_tree *tree, packet_info* pinfo, uint32_t offset, uint32_t offset_end, uint8_t hnd_type)
7672{
7673 if (hnd_type == SSL_HND_CLIENT_HELLO ||
7674 hnd_type == SSL_HND_CERT_REQUEST) {
7675 /*
7676 * struct {
7677 * SignatureScheme supported_signature_algorithm<2..2^16-2>;
7678 * } SignatureSchemeList;
7679 */
7680
7681 return ssl_dissect_hash_alg_list(hf, tvb, tree, pinfo, offset, offset_end, NULL((void*)0));
7682 } else {
7683 asn1_ctx_t asn1_ctx;
7684 unsigned pubkey_length, sign_length;
7685
7686 /*
7687 * struct {
7688 * uint32 valid_time;
7689 * SignatureScheme expected_cert_verify_algorithm;
7690 * opaque ASN1_subjectPublicKeyInfo<1..2^24-1>;
7691 * } Credential;
7692 *
7693 * struct {
7694 * Credential cred;
7695 * SignatureScheme algorithm;
7696 * opaque signature<0..2^16-1>;
7697 * } DelegatedCredential;
7698 */
7699
7700 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true1, pinfo);
7701
7702 proto_tree_add_item(tree, hf->hf.hs_cred_valid_time, tvb, offset, 4, ENC_BIG_ENDIAN0x00000000);
7703 offset += 4;
7704
7705 tls_dissect_signature_algorithm(hf, tvb, tree, offset, NULL((void*)0));
7706 offset += 2;
7707
7708 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &pubkey_length,
7709 hf->hf.hs_cred_pubkey_len, 1, G_MAXUINT24((1U << 24) - 1))) {
7710 return offset_end;
7711 }
7712 offset += 3;
7713 dissect_x509af_SubjectPublicKeyInfo(false0, tvb, offset, &asn1_ctx, tree, hf->hf.hs_cred_pubkey);
7714 offset += pubkey_length;
7715
7716 tls_dissect_signature_algorithm(hf, tvb, tree, offset, NULL((void*)0));
7717 offset += 2;
7718
7719 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &sign_length,
7720 hf->hf.hs_cred_signature_len, 1, UINT16_MAX(65535))) {
7721 return offset_end;
7722 }
7723 offset += 2;
7724 proto_tree_add_item(tree, hf->hf.hs_cred_signature,
7725 tvb, offset, sign_length, ENC_ASCII0x00000000|ENC_NA0x00000000);
7726 offset += sign_length;
7727
7728 return offset;
7729 }
7730}
7731
7732static int
7733ssl_dissect_hnd_hello_ext_alps(ssl_common_dissect_t *hf, tvbuff_t *tvb,
7734 packet_info *pinfo, proto_tree *tree,
7735 uint32_t offset, uint32_t offset_end,
7736 uint8_t hnd_type)
7737{
7738
7739 /* https://datatracker.ietf.org/doc/html/draft-vvv-tls-alps-01#section-4 */
7740
7741 switch (hnd_type) {
7742 case SSL_HND_CLIENT_HELLO: {
7743 proto_tree *alps_tree;
7744 proto_item *ti;
7745 uint32_t next_offset, alps_length, name_length;
7746
7747 /*
7748 * opaque ProtocolName<1..2^8-1>;
7749 * struct {
7750 * ProtocolName supported_protocols<2..2^16-1>
7751 * } ApplicationSettingsSupport;
7752 */
7753
7754 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &alps_length,
7755 hf->hf.hs_ext_alps_len, 2, UINT16_MAX(65535))) {
7756 return offset_end;
7757 }
7758 offset += 2;
7759 next_offset = offset + alps_length;
7760
7761 ti = proto_tree_add_item(tree, hf->hf.hs_ext_alps_alpn_list,
7762 tvb, offset, alps_length, ENC_NA0x00000000);
7763 alps_tree = proto_item_add_subtree(ti, hf->ett.hs_ext_alps);
7764
7765 /* Parse list (note missing check for end of vector, ssl_add_vector below
7766 * ensures that data is always available.) */
7767 while (offset < next_offset) {
7768 if (!ssl_add_vector(hf, tvb, pinfo, alps_tree, offset, next_offset, &name_length,
7769 hf->hf.hs_ext_alps_alpn_str_len, 1, UINT8_MAX(255))) {
7770 return next_offset;
7771 }
7772 offset++;
7773
7774 proto_tree_add_item(alps_tree, hf->hf.hs_ext_alps_alpn_str,
7775 tvb, offset, name_length, ENC_ASCII0x00000000|ENC_NA0x00000000);
7776 offset += name_length;
7777 }
7778
7779 return offset;
7780 }
7781 case SSL_HND_ENCRYPTED_EXTS:
7782 /* Opaque blob */
7783 proto_tree_add_item(tree, hf->hf.hs_ext_alps_settings,
7784 tvb, offset, offset_end - offset, ENC_ASCII0x00000000|ENC_NA0x00000000);
7785 break;
7786 }
7787
7788 return offset_end;
7789}
7790
7791static int
7792ssl_dissect_hnd_hello_ext_alpn(ssl_common_dissect_t *hf, tvbuff_t *tvb,
7793 packet_info *pinfo, proto_tree *tree,
7794 uint32_t offset, uint32_t offset_end,
7795 uint8_t hnd_type, SslSession *session,
7796 bool_Bool is_dtls, ja4_data_t *ja4_data)
7797{
7798
7799 /* https://tools.ietf.org/html/rfc7301#section-3.1
7800 * opaque ProtocolName<1..2^8-1>;
7801 * struct {
7802 * ProtocolName protocol_name_list<2..2^16-1>
7803 * } ProtocolNameList;
7804 */
7805 proto_tree *alpn_tree;
7806 proto_item *ti;
7807 uint32_t next_offset, alpn_length, name_length;
7808 uint8_t *proto_name = NULL((void*)0), *client_proto_name = NULL((void*)0);
7809
7810 /* ProtocolName protocol_name_list<2..2^16-1> */
7811 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &alpn_length,
7812 hf->hf.hs_ext_alpn_len, 2, UINT16_MAX(65535))) {
7813 return offset_end;
7814 }
7815 offset += 2;
7816 next_offset = offset + alpn_length;
7817
7818 ti = proto_tree_add_item(tree, hf->hf.hs_ext_alpn_list,
7819 tvb, offset, alpn_length, ENC_NA0x00000000);
7820 alpn_tree = proto_item_add_subtree(ti, hf->ett.hs_ext_alpn);
7821
7822 /* Parse list (note missing check for end of vector, ssl_add_vector below
7823 * ensures that data is always available.) */
7824 while (offset < next_offset) {
7825 /* opaque ProtocolName<1..2^8-1> */
7826 if (!ssl_add_vector(hf, tvb, pinfo, alpn_tree, offset, next_offset, &name_length,
7827 hf->hf.hs_ext_alpn_str_len, 1, UINT8_MAX(255))) {
7828 return next_offset;
7829 }
7830 offset++;
7831
7832 proto_tree_add_item(alpn_tree, hf->hf.hs_ext_alpn_str,
7833 tvb, offset, name_length, ENC_ASCII0x00000000|ENC_NA0x00000000);
7834 if (ja4_data && wmem_strbuf_get_len(ja4_data->alpn) == 0) {
7835 const char alpn_first_char = (char)tvb_get_uint8(tvb,offset);
7836 const char alpn_last_char = (char)tvb_get_uint8(tvb,offset + name_length - 1);
7837 if ((g_ascii_isprint(alpn_first_char)((g_ascii_table[(guchar) (alpn_first_char)] & G_ASCII_PRINT
) != 0)) && g_ascii_isprint(alpn_last_char)((g_ascii_table[(guchar) (alpn_last_char)] & G_ASCII_PRINT
) != 0)) {
7838 wmem_strbuf_append_printf(ja4_data->alpn, "%c%c", alpn_first_char, alpn_last_char);
7839 }
7840 else {
7841 wmem_strbuf_append_printf(ja4_data->alpn, "%x%x",(alpn_first_char >> 4) & 0x0F,
7842 alpn_last_char & 0x0F);
7843 }
7844 }
7845 /* Remember first ALPN ProtocolName entry for server. */
7846 if (hnd_type == SSL_HND_SERVER_HELLO || hnd_type == SSL_HND_ENCRYPTED_EXTENSIONS) {
7847 /* '\0'-terminated string for dissector table match and prefix
7848 * comparison purposes. */
7849 proto_name = tvb_get_string_enc(pinfo->pool, tvb, offset,
7850 name_length, ENC_ASCII0x00000000);
7851 } else if (hnd_type == SSL_HND_CLIENT_HELLO) {
7852 client_proto_name = tvb_get_string_enc(pinfo->pool, tvb, offset,
7853 name_length, ENC_ASCII0x00000000);
7854 }
7855 offset += name_length;
7856 }
7857
7858 /* If ALPN is given in ServerHello, then ProtocolNameList MUST contain
7859 * exactly one "ProtocolName". */
7860 if (proto_name) {
7861 dissector_handle_t handle;
7862
7863 session->alpn_name = wmem_strdup(wmem_file_scope(), proto_name);
7864
7865 if (is_dtls) {
7866 handle = dissector_get_string_handle(dtls_alpn_dissector_table,
7867 proto_name);
7868 } else {
7869 handle = dissector_get_string_handle(ssl_alpn_dissector_table,
7870 proto_name);
7871 if (handle == NULL((void*)0)) {
7872 /* Try prefix matching */
7873 for (size_t i = 0; i < G_N_ELEMENTS(ssl_alpn_prefix_match_protocols)(sizeof (ssl_alpn_prefix_match_protocols) / sizeof ((ssl_alpn_prefix_match_protocols
)[0])); i++) {
7874 const ssl_alpn_prefix_match_protocol_t *alpn_proto = &ssl_alpn_prefix_match_protocols[i];
7875
7876 /* string_string is inappropriate as it compares strings
7877 * while "byte strings MUST NOT be truncated" (RFC 7301) */
7878 if (g_str_has_prefix(proto_name, alpn_proto->proto_prefix)(__builtin_constant_p (alpn_proto->proto_prefix)? __extension__
({ const char * const __str = (proto_name); const char * const
__prefix = (alpn_proto->proto_prefix); gboolean __result =
(0); if (__str == ((void*)0) || __prefix == ((void*)0)) __result
= (g_str_has_prefix) (__str, __prefix); else { const size_t __str_len
= strlen (((__str) + !(__str))); const size_t __prefix_len =
strlen (((__prefix) + !(__prefix))); if (__str_len >= __prefix_len
) __result = memcmp (((__str) + !(__str)), ((__prefix) + !(__prefix
)), __prefix_len) == 0; } __result; }) : (g_str_has_prefix) (
proto_name, alpn_proto->proto_prefix) )) {
7879 handle = find_dissector(alpn_proto->dissector_name);
7880 break;
7881 }
7882 }
7883 }
7884 }
7885 if (handle != NULL((void*)0)) {
7886 /* ProtocolName match, so set the App data dissector handle.
7887 * This may override protocols given via the UAT dialog, but
7888 * since the ALPN hint is precise, do it anyway. */
7889 ssl_debug_printf("%s: changing handle %p to %p (%s)", G_STRFUNC((const char*) (__func__)),
7890 (void *)session->app_handle,
7891 (void *)handle,
7892 dissector_handle_get_dissector_name(handle));
7893 session->app_handle = handle;
7894 }
7895 } else if (client_proto_name) {
7896 // No current use for looking up the handle as the only consumer of this API is currently the QUIC dissector
7897 // and it just needs the string since there are/were various HTTP/3 ALPNs to check for.
7898 session->client_alpn_name = wmem_strdup(wmem_file_scope(), client_proto_name);
7899 }
7900
7901 return offset;
7902}
7903
7904static int
7905ssl_dissect_hnd_hello_ext_npn(ssl_common_dissect_t *hf, tvbuff_t *tvb,
7906 packet_info *pinfo, proto_tree *tree,
7907 uint32_t offset, uint32_t offset_end)
7908{
7909 /* https://tools.ietf.org/html/draft-agl-tls-nextprotoneg-04#page-3
7910 * The "extension_data" field of a "next_protocol_negotiation" extension
7911 * in a "ServerHello" contains an optional list of protocols advertised
7912 * by the server. Protocols are named by opaque, non-empty byte strings
7913 * and the list of protocols is serialized as a concatenation of 8-bit,
7914 * length prefixed byte strings. Implementations MUST ensure that the
7915 * empty string is not included and that no byte strings are truncated.
7916 */
7917 uint32_t npn_length;
7918 proto_tree *npn_tree;
7919
7920 /* List is optional, do not add tree if there are no entries. */
7921 if (offset == offset_end) {
7922 return offset;
7923 }
7924
7925 npn_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset, hf->ett.hs_ext_npn, NULL((void*)0), "Next Protocol Negotiation");
7926
7927 while (offset < offset_end) {
7928 /* non-empty, 8-bit length prefixed strings means range 1..255 */
7929 if (!ssl_add_vector(hf, tvb, pinfo, npn_tree, offset, offset_end, &npn_length,
7930 hf->hf.hs_ext_npn_str_len, 1, UINT8_MAX(255))) {
7931 return offset_end;
7932 }
7933 offset++;
7934
7935 proto_tree_add_item(npn_tree, hf->hf.hs_ext_npn_str,
7936 tvb, offset, npn_length, ENC_ASCII0x00000000|ENC_NA0x00000000);
7937 offset += npn_length;
7938 }
7939
7940 return offset;
7941}
7942
7943static int
7944ssl_dissect_hnd_hello_ext_reneg_info(ssl_common_dissect_t *hf, tvbuff_t *tvb,
7945 packet_info *pinfo, proto_tree *tree,
7946 uint32_t offset, uint32_t offset_end)
7947{
7948 /* https://tools.ietf.org/html/rfc5746#section-3.2
7949 * struct {
7950 * opaque renegotiated_connection<0..255>;
7951 * } RenegotiationInfo;
7952 *
7953 */
7954 proto_tree *reneg_info_tree;
7955 uint32_t reneg_info_length;
7956
7957 reneg_info_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset, hf->ett.hs_ext_reneg_info, NULL((void*)0), "Renegotiation Info extension");
7958
7959 /* opaque renegotiated_connection<0..255> */
7960 if (!ssl_add_vector(hf, tvb, pinfo, reneg_info_tree, offset, offset_end, &reneg_info_length,
7961 hf->hf.hs_ext_reneg_info_len, 0, 255)) {
7962 return offset_end;
7963 }
7964 offset++;
7965
7966 if (reneg_info_length > 0) {
7967 proto_tree_add_item(reneg_info_tree, hf->hf.hs_ext_reneg_info, tvb, offset, reneg_info_length, ENC_NA0x00000000);
7968 offset += reneg_info_length;
7969 }
7970
7971 return offset;
7972}
7973
7974static int
7975ssl_dissect_hnd_hello_ext_key_share_entry(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
7976 proto_tree *tree, uint32_t offset, uint32_t offset_end,
7977 const char **group_name_out)
7978{
7979 /* RFC 8446 Section 4.2.8
7980 * struct {
7981 * NamedGroup group;
7982 * opaque key_exchange<1..2^16-1>;
7983 * } KeyShareEntry;
7984 */
7985 uint32_t key_exchange_length, group;
7986 proto_tree *ks_tree;
7987
7988 ks_tree = proto_tree_add_subtree(tree, tvb, offset, 4, hf->ett.hs_ext_key_share_ks, NULL((void*)0), "Key Share Entry");
7989
7990 proto_tree_add_item_ret_uint(ks_tree, hf->hf.hs_ext_key_share_group, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &group);
7991 offset += 2;
7992 const char *group_name = val_to_str(pinfo->pool, group, ssl_extension_curves, "Unknown (%u)");
7993 proto_item_append_text(ks_tree, ": Group: %s", group_name);
7994 if (group_name_out) {
7995 *group_name_out = !IS_GREASE_TLS(group)((((group) & 0x0f0f) == 0x0a0a) && (((group) &
0xff) == (((group)>>8) & 0xff))) ? group_name : NULL((void*)0);
7996 }
7997
7998 /* opaque key_exchange<1..2^16-1> */
7999 if (!ssl_add_vector(hf, tvb, pinfo, ks_tree, offset, offset_end, &key_exchange_length,
8000 hf->hf.hs_ext_key_share_key_exchange_length, 1, UINT16_MAX(65535))) {
8001 return offset_end; /* Bad (possible truncated) length, skip to end of KeyShare extension. */
8002 }
8003 offset += 2;
8004 proto_item_set_len(ks_tree, 2 + 2 + key_exchange_length);
8005 proto_item_append_text(ks_tree, ", Key Exchange length: %u", key_exchange_length);
8006
8007 proto_tree_add_item(ks_tree, hf->hf.hs_ext_key_share_key_exchange, tvb, offset, key_exchange_length, ENC_NA0x00000000);
8008 offset += key_exchange_length;
8009
8010 return offset;
8011}
8012
8013static int
8014ssl_dissect_hnd_hello_ext_key_share(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8015 proto_tree *tree, uint32_t offset, uint32_t offset_end,
8016 uint8_t hnd_type)
8017{
8018 proto_tree *key_share_tree;
8019 uint32_t next_offset;
8020 uint32_t client_shares_length;
8021 uint32_t group;
8022 const char *group_name = NULL((void*)0);
8023
8024 if (offset_end <= offset) { /* Check if ext_len == 0 and "overflow" (offset + ext_len) > uint32_t) */
8025 return offset;
8026 }
8027
8028 key_share_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset, hf->ett.hs_ext_key_share, NULL((void*)0), "Key Share extension");
8029
8030 switch(hnd_type){
8031 case SSL_HND_CLIENT_HELLO:
8032 /* KeyShareEntry client_shares<0..2^16-1> */
8033 if (!ssl_add_vector(hf, tvb, pinfo, key_share_tree, offset, offset_end, &client_shares_length,
8034 hf->hf.hs_ext_key_share_client_length, 0, UINT16_MAX(65535))) {
8035 return offset_end;
8036 }
8037 offset += 2;
8038 next_offset = offset + client_shares_length;
8039 const char *sep = " ";
8040 while (offset + 4 <= next_offset) { /* (NamedGroup (2 bytes), key_exchange (1 byte for length, 1 byte minimum data) */
8041 offset = ssl_dissect_hnd_hello_ext_key_share_entry(hf, tvb, pinfo, key_share_tree, offset, next_offset, &group_name);
8042 if (group_name) {
8043 proto_item_append_text(tree, "%s%s", sep, group_name);
8044 sep = ", ";
8045 }
8046 }
8047 if (!ssl_end_vector(hf, tvb, pinfo, key_share_tree, offset, next_offset)) {
8048 return next_offset;
8049 }
8050 break;
8051 case SSL_HND_SERVER_HELLO:
8052 offset = ssl_dissect_hnd_hello_ext_key_share_entry(hf, tvb, pinfo, key_share_tree, offset, offset_end, &group_name);
8053 if (group_name) {
8054 proto_item_append_text(tree, " %s", group_name);
8055 }
8056 break;
8057 case SSL_HND_HELLO_RETRY_REQUEST:
8058 proto_tree_add_item_ret_uint(key_share_tree, hf->hf.hs_ext_key_share_selected_group, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &group);
8059 offset += 2;
8060 group_name = val_to_str(pinfo->pool, group, ssl_extension_curves, "Unknown (%u)");
8061 proto_item_append_text(tree, " %s", group_name);
8062 break;
8063 default: /* no default */
8064 break;
8065 }
8066
8067 return offset;
8068}
8069
8070static int
8071ssl_dissect_hnd_hello_ext_pre_shared_key(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8072 proto_tree *tree, uint32_t offset, uint32_t offset_end,
8073 uint8_t hnd_type)
8074{
8075 /* RFC 8446 Section 4.2.11
8076 * struct {
8077 * opaque identity<1..2^16-1>;
8078 * uint32 obfuscated_ticket_age;
8079 * } PskIdentity;
8080 * opaque PskBinderEntry<32..255>;
8081 * struct {
8082 * select (Handshake.msg_type) {
8083 * case client_hello:
8084 * PskIdentity identities<7..2^16-1>;
8085 * PskBinderEntry binders<33..2^16-1>;
8086 * case server_hello:
8087 * uint16 selected_identity;
8088 * };
8089 * } PreSharedKeyExtension;
8090 */
8091
8092 proto_tree *psk_tree;
8093
8094 psk_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset, hf->ett.hs_ext_pre_shared_key, NULL((void*)0), "Pre-Shared Key extension");
8095
8096 switch (hnd_type){
8097 case SSL_HND_CLIENT_HELLO: {
8098 uint32_t identities_length, identities_end, binders_length;
8099
8100 /* PskIdentity identities<7..2^16-1> */
8101 if (!ssl_add_vector(hf, tvb, pinfo, psk_tree, offset, offset_end, &identities_length,
8102 hf->hf.hs_ext_psk_identities_length, 7, UINT16_MAX(65535))) {
8103 return offset_end;
8104 }
8105 offset += 2;
8106 identities_end = offset + identities_length;
8107
8108 while (offset < identities_end) {
8109 uint32_t identity_length;
8110 proto_tree *identity_tree;
8111
8112 identity_tree = proto_tree_add_subtree(psk_tree, tvb, offset, 4, hf->ett.hs_ext_psk_identity, NULL((void*)0), "PSK Identity (");
8113
8114 /* opaque identity<1..2^16-1> */
8115 if (!ssl_add_vector(hf, tvb, pinfo, identity_tree, offset, identities_end, &identity_length,
8116 hf->hf.hs_ext_psk_identity_identity_length, 1, UINT16_MAX(65535))) {
8117 return identities_end;
8118 }
8119 offset += 2;
8120 proto_item_append_text(identity_tree, "length: %u)", identity_length);
8121
8122 proto_tree_add_item(identity_tree, hf->hf.hs_ext_psk_identity_identity, tvb, offset, identity_length, ENC_BIG_ENDIAN0x00000000);
8123 offset += identity_length;
8124
8125 proto_tree_add_item(identity_tree, hf->hf.hs_ext_psk_identity_obfuscated_ticket_age, tvb, offset, 4, ENC_BIG_ENDIAN0x00000000);
8126 offset += 4;
8127
8128 proto_item_set_len(identity_tree, 2 + identity_length + 4);
8129 }
8130 if (!ssl_end_vector(hf, tvb, pinfo, psk_tree, offset, identities_end)) {
8131 offset = identities_end;
8132 }
8133
8134 /* PskBinderEntry binders<33..2^16-1> */
8135 if (!ssl_add_vector(hf, tvb, pinfo, psk_tree, offset, offset_end, &binders_length,
8136 hf->hf.hs_ext_psk_binders_length, 33, UINT16_MAX(65535))) {
8137 return offset_end;
8138 }
8139 offset += 2;
8140
8141 proto_item *binders_item;
8142 proto_tree *binders_tree;
8143 binders_item = proto_tree_add_item(psk_tree, hf->hf.hs_ext_psk_binders, tvb, offset, binders_length, ENC_NA0x00000000);
8144 binders_tree = proto_item_add_subtree(binders_item, hf->ett.hs_ext_psk_binders);
8145 uint32_t binders_end = offset + binders_length;
8146 while (offset < binders_end) {
8147 uint32_t binder_length;
8148 proto_item *binder_item;
8149 proto_tree *binder_tree;
8150
8151 binder_item = proto_tree_add_item(binders_tree, hf->hf.hs_ext_psk_binder, tvb, offset, 1, ENC_NA0x00000000);
8152 binder_tree = proto_item_add_subtree(binder_item, hf->ett.hs_ext_psk_binder);
8153
8154 /* opaque PskBinderEntry<32..255>; */
8155 if (!ssl_add_vector(hf, tvb, pinfo, binder_tree, offset, binders_end, &binder_length,
8156 hf->hf.hs_ext_psk_binder_binder_length, 32, 255)) {
8157 return binders_end;
8158 }
8159 offset += 1;
8160 proto_item_append_text(binder_tree, " (length: %u)", binder_length);
8161
8162 proto_tree_add_item(binder_tree, hf->hf.hs_ext_psk_binder_binder, tvb, offset, binder_length, ENC_BIG_ENDIAN0x00000000);
8163 offset += binder_length;
8164
8165 proto_item_set_end(binder_item, tvb, offset);
8166 }
8167 }
8168 break;
8169 case SSL_HND_SERVER_HELLO: {
8170 proto_tree_add_item(psk_tree, hf->hf.hs_ext_psk_identity_selected, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
8171 offset += 2;
8172 }
8173 break;
8174 default:
8175 break;
8176 }
8177
8178 return offset;
8179}
8180
8181static uint32_t
8182ssl_dissect_hnd_hello_ext_early_data(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo _U___attribute__((unused)),
8183 proto_tree *tree, uint32_t offset, uint32_t offset_end _U___attribute__((unused)),
8184 uint8_t hnd_type, SslDecryptSession *ssl)
8185{
8186 /* RFC 8446 Section 4.2.10
8187 * struct {} Empty;
8188 * struct {
8189 * select (Handshake.msg_type) {
8190 * case new_session_ticket: uint32 max_early_data_size;
8191 * case client_hello: Empty;
8192 * case encrypted_extensions: Empty;
8193 * };
8194 * } EarlyDataIndication;
8195 */
8196 switch (hnd_type) {
8197 case SSL_HND_CLIENT_HELLO:
8198 /* Remember that early_data will follow the handshake. */
8199 if (ssl) {
8200 ssl_debug_printf("%s found early_data extension\n", G_STRFUNC((const char*) (__func__)));
8201 ssl->has_early_data = true1;
8202 }
8203 break;
8204 case SSL_HND_NEWSESSION_TICKET:
8205 proto_tree_add_item(tree, hf->hf.hs_ext_max_early_data_size, tvb, offset, 4, ENC_BIG_ENDIAN0x00000000);
8206 offset += 4;
8207 break;
8208 default:
8209 break;
8210 }
8211 return offset;
8212}
8213
8214static uint16_t
8215tls_try_get_version(bool_Bool is_dtls, uint16_t version, uint8_t *draft_version)
8216{
8217 if (draft_version) {
8218 *draft_version = 0;
8219 }
8220 if (!is_dtls) {
8221 uint8_t tls13_draft = extract_tls13_draft_version(version);
8222 if (tls13_draft != 0) {
8223 /* This is TLS 1.3 (a draft version). */
8224 if (draft_version) {
8225 *draft_version = tls13_draft;
8226 }
8227 version = TLSV1DOT3_VERSION0x304;
8228 }
8229 if (version == 0xfb17 || version == 0xfb1a) {
8230 /* Unofficial TLS 1.3 draft version for Facebook fizz. */
8231 tls13_draft = (uint8_t)version;
8232 if (draft_version) {
8233 *draft_version = tls13_draft;
8234 }
8235 version = TLSV1DOT3_VERSION0x304;
8236 }
8237 }
8238
8239 switch (version) {
8240 case SSLV3_VERSION0x300:
8241 case TLSV1_VERSION0x301:
8242 case TLSV1DOT1_VERSION0x302:
8243 case TLSV1DOT2_VERSION0x303:
8244 case TLSV1DOT3_VERSION0x304:
8245 case TLCPV1_VERSION0x101:
8246 if (is_dtls)
8247 return SSL_VER_UNKNOWN0;
8248 break;
8249
8250 case DTLSV1DOT0_VERSION0xfeff:
8251 case DTLSV1DOT0_OPENSSL_VERSION0x100:
8252 case DTLSV1DOT2_VERSION0xfefd:
8253 case DTLSV1DOT3_VERSION0xfefc:
8254 if (!is_dtls)
8255 return SSL_VER_UNKNOWN0;
8256 break;
8257
8258 default: /* invalid version number */
8259 return SSL_VER_UNKNOWN0;
8260 }
8261
8262 return version;
8263}
8264
8265static int
8266ssl_dissect_hnd_hello_ext_supported_versions(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8267 proto_tree *tree, uint32_t offset, uint32_t offset_end,
8268 SslSession *session, bool_Bool is_dtls, ja4_data_t *ja4_data)
8269{
8270
8271 /* RFC 8446 Section 4.2.1
8272 * struct {
8273 * ProtocolVersion versions<2..254>; // ClientHello
8274 * } SupportedVersions;
8275 * Note that ServerHello and HelloRetryRequest are handled by the caller.
8276 */
8277 uint32_t versions_length, next_offset;
8278 /* ProtocolVersion versions<2..254> */
8279 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &versions_length,
8280 hf->hf.hs_ext_supported_versions_len, 2, 254)) {
8281 return offset_end;
8282 }
8283 offset++;
8284 next_offset = offset + versions_length;
8285
8286 unsigned version;
8287 unsigned current_version, lowest_version = SSL_VER_UNKNOWN0;
8288 uint8_t draft_version, max_draft_version = 0;
8289 const char *sep = " ";
8290 while (offset + 2 <= next_offset) {
8291 proto_tree_add_item_ret_uint(tree, hf->hf.hs_ext_supported_version, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &version);
8292 offset += 2;
8293
8294 if (!IS_GREASE_TLS(version)((((version) & 0x0f0f) == 0x0a0a) && (((version) &
0xff) == (((version)>>8) & 0xff)))) {
8295 proto_item_append_text(tree, "%s%s", sep, val_to_str(pinfo->pool, version, ssl_versions, "Unknown (0x%04x)"));
8296 sep = ", ";
8297 }
8298
8299 current_version = tls_try_get_version(is_dtls, version, &draft_version);
8300 if (session->version == SSL_VER_UNKNOWN0) {
8301 if (lowest_version == SSL_VER_UNKNOWN0) {
8302 lowest_version = current_version;
8303 } else if (current_version != SSL_VER_UNKNOWN0) {
8304 if (!is_dtls) {
8305 lowest_version = MIN(lowest_version, current_version)(((lowest_version) < (current_version)) ? (lowest_version)
: (current_version));
8306 } else {
8307 lowest_version = MAX(lowest_version, current_version)(((lowest_version) > (current_version)) ? (lowest_version)
: (current_version));
8308 }
8309 }
8310 }
8311 max_draft_version = MAX(draft_version, max_draft_version)(((draft_version) > (max_draft_version)) ? (draft_version)
: (max_draft_version));
8312 if (ja4_data && !IS_GREASE_TLS(version)((((version) & 0x0f0f) == 0x0a0a) && (((version) &
0xff) == (((version)>>8) & 0xff)))) {
8313 /* The DTLS version numbers get mapped to "00" for unknown per
8314 * JA4 spec, but if JA4 ever does support DTLS we'll probably
8315 * need to take the MIN instead of MAX here for DTLS.
8316 */
8317 ja4_data->max_version = MAX(version, ja4_data->max_version)(((version) > (ja4_data->max_version)) ? (version) : (ja4_data
->max_version));
8318 }
8319 }
8320 if (session->version == SSL_VER_UNKNOWN0 && lowest_version != SSL_VER_UNKNOWN0) {
8321 col_set_str(pinfo->cinfo, COL_PROTOCOL,
8322 val_to_str_const(version, ssl_version_short_names, is_dtls ? "DTLS" : "TLS"));
8323 }
8324 if (!ssl_end_vector(hf, tvb, pinfo, tree, offset, next_offset)) {
8325 offset = next_offset;
8326 }
8327
8328 /* XXX remove this when draft 19 support is dropped,
8329 * this is only required for early data decryption. */
8330 if (max_draft_version) {
8331 session->tls13_draft_version = max_draft_version;
8332 }
8333
8334 return offset;
8335}
8336
8337static int
8338ssl_dissect_hnd_hello_ext_cookie(ssl_common_dissect_t *hf, tvbuff_t *tvb,
8339 packet_info *pinfo, proto_tree *tree,
8340 uint32_t offset, uint32_t offset_end)
8341{
8342 /* RFC 8446 Section 4.2.2
8343 * struct {
8344 * opaque cookie<1..2^16-1>;
8345 * } Cookie;
8346 */
8347 uint32_t cookie_length;
8348 /* opaque cookie<1..2^16-1> */
8349 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &cookie_length,
8350 hf->hf.hs_ext_cookie_len, 1, UINT16_MAX(65535))) {
8351 return offset_end;
8352 }
8353 offset += 2;
8354
8355 proto_tree_add_item(tree, hf->hf.hs_ext_cookie, tvb, offset, cookie_length, ENC_NA0x00000000);
8356 offset += cookie_length;
8357
8358 return offset;
8359}
8360
8361static int
8362ssl_dissect_hnd_hello_ext_psk_key_exchange_modes(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8363 proto_tree *tree, uint32_t offset, uint32_t offset_end)
8364{
8365 /* RFC 8446 Section 4.2.9
8366 * enum { psk_ke(0), psk_dhe_ke(1), (255) } PskKeyExchangeMode;
8367 *
8368 * struct {
8369 * PskKeyExchangeMode ke_modes<1..255>;
8370 * } PskKeyExchangeModes;
8371 */
8372 uint32_t ke_modes_length, next_offset;
8373
8374 /* PskKeyExchangeMode ke_modes<1..255> */
8375 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &ke_modes_length,
8376 hf->hf.hs_ext_psk_ke_modes_length, 1, 255)) {
8377 return offset_end;
8378 }
8379 offset++;
8380 next_offset = offset + ke_modes_length;
8381
8382 while (offset < next_offset) {
8383 proto_tree_add_item(tree, hf->hf.hs_ext_psk_ke_mode, tvb, offset, 1, ENC_NA0x00000000);
8384 offset++;
8385 }
8386
8387 return offset;
8388}
8389
8390static uint32_t
8391ssl_dissect_hnd_hello_ext_certificate_authorities(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8392 proto_tree *tree, uint32_t offset, uint32_t offset_end)
8393{
8394 /* RFC 8446 Section 4.2.4
8395 * opaque DistinguishedName<1..2^16-1>;
8396 * struct {
8397 * DistinguishedName authorities<3..2^16-1>;
8398 * } CertificateAuthoritiesExtension;
8399 */
8400 return tls_dissect_certificate_authorities(hf, tvb, pinfo, tree, offset, offset_end);
8401}
8402
8403static int
8404ssl_dissect_hnd_hello_ext_oid_filters(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8405 proto_tree *tree, uint32_t offset, uint32_t offset_end)
8406{
8407 /* RFC 8446 Section 4.2.5
8408 * struct {
8409 * opaque certificate_extension_oid<1..2^8-1>;
8410 * opaque certificate_extension_values<0..2^16-1>;
8411 * } OIDFilter;
8412 * struct {
8413 * OIDFilter filters<0..2^16-1>;
8414 * } OIDFilterExtension;
8415 */
8416 proto_tree *subtree;
8417 uint32_t filters_length, oid_length, values_length, value_offset;
8418 asn1_ctx_t asn1_ctx;
8419 const char *oid, *name;
8420
8421 /* OIDFilter filters<0..2^16-1> */
8422 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &filters_length,
8423 hf->hf.hs_ext_psk_ke_modes_length, 0, UINT16_MAX(65535))) {
8424 return offset_end;
8425 }
8426 offset += 2;
8427 offset_end = offset + filters_length;
8428
8429 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true1, pinfo);
8430
8431 while (offset < offset_end) {
8432 subtree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
8433 hf->ett.hs_ext_oid_filter, NULL((void*)0), "OID Filter");
8434
8435 /* opaque certificate_extension_oid<1..2^8-1> */
8436 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, offset_end, &oid_length,
8437 hf->hf.hs_ext_oid_filters_oid_length, 1, UINT8_MAX(255))) {
8438 return offset_end;
8439 }
8440 offset++;
8441 dissect_ber_object_identifier_str(false0, &asn1_ctx, subtree, tvb, offset,
8442 hf->hf.hs_ext_oid_filters_oid, &oid);
8443 offset += oid_length;
8444
8445 /* Append OID to tree label */
8446 name = oid_resolved_from_string(pinfo->pool, oid);
8447 proto_item_append_text(subtree, " (%s)", name ? name : oid);
8448
8449 /* opaque certificate_extension_values<0..2^16-1> */
8450 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, offset_end, &values_length,
8451 hf->hf.hs_ext_oid_filters_values_length, 0, UINT16_MAX(65535))) {
8452 return offset_end;
8453 }
8454 offset += 2;
8455 proto_item_set_len(subtree, 1 + oid_length + 2 + values_length);
8456 if (values_length > 0) {
8457 value_offset = offset;
8458 value_offset = dissect_ber_identifier(pinfo, subtree, tvb, value_offset, NULL((void*)0), NULL((void*)0), NULL((void*)0));
8459 value_offset = dissect_ber_length(pinfo, subtree, tvb, value_offset, NULL((void*)0), NULL((void*)0));
8460 call_ber_oid_callback(oid, tvb, value_offset, pinfo, subtree, NULL((void*)0));
8461 }
8462 offset += values_length;
8463 }
8464
8465 return offset;
8466}
8467
8468static int
8469ssl_dissect_hnd_hello_ext_server_name(ssl_common_dissect_t *hf, tvbuff_t *tvb,
8470 packet_info *pinfo, proto_tree *tree,
8471 uint32_t offset, uint32_t offset_end)
8472{
8473 /* https://tools.ietf.org/html/rfc6066#section-3
8474 *
8475 * struct {
8476 * NameType name_type;
8477 * select (name_type) {
8478 * case host_name: HostName;
8479 * } name;
8480 * } ServerName;
8481 *
8482 * enum {
8483 * host_name(0), (255)
8484 * } NameType;
8485 *
8486 * opaque HostName<1..2^16-1>;
8487 *
8488 * struct {
8489 * ServerName server_name_list<1..2^16-1>
8490 * } ServerNameList;
8491 */
8492 proto_tree *server_name_tree;
8493 uint32_t list_length, server_name_length, next_offset;
8494
8495 /* The server SHALL include "server_name" extension with empty data. */
8496 if (offset == offset_end) {
8497 return offset;
8498 }
8499
8500 server_name_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset, hf->ett.hs_ext_server_name, NULL((void*)0), "Server Name Indication extension");
8501
8502 /* ServerName server_name_list<1..2^16-1> */
8503 if (!ssl_add_vector(hf, tvb, pinfo, server_name_tree, offset, offset_end, &list_length,
8504 hf->hf.hs_ext_server_name_list_len, 1, UINT16_MAX(65535))) {
8505 return offset_end;
8506 }
8507 offset += 2;
8508 next_offset = offset + list_length;
8509
8510 while (offset < next_offset) {
8511 uint32_t name_type;
8512 const uint8_t *server_name = NULL((void*)0);
8513 proto_tree_add_item_ret_uint(server_name_tree, hf->hf.hs_ext_server_name_type,
8514 tvb, offset, 1, ENC_NA0x00000000, &name_type);
8515 offset++;
8516
8517 /* opaque HostName<1..2^16-1> */
8518 if (!ssl_add_vector(hf, tvb, pinfo, server_name_tree, offset, next_offset, &server_name_length,
8519 hf->hf.hs_ext_server_name_len, 1, UINT16_MAX(65535))) {
8520 return next_offset;
8521 }
8522 offset += 2;
8523
8524 proto_tree_add_item_ret_string(server_name_tree, hf->hf.hs_ext_server_name,
8525 tvb, offset, server_name_length, ENC_ASCII0x00000000|ENC_NA0x00000000,
8526 pinfo->pool, &server_name);
8527 offset += server_name_length;
8528 // Each type must only occur once, so we don't check for duplicates.
8529 if (name_type == 0) {
8530 proto_item_append_text(tree, " name=%s", server_name);
8531 col_append_fstr(pinfo->cinfo, COL_INFO, " (SNI=%s)", server_name);
8532
8533 if (gbl_resolv_flags.handshake_sni_addr_resolution) {
8534 // Client Hello: Client (Src) -> Server (Dst)
8535 switch (pinfo->dst.type) {
8536 case AT_IPv4:
8537 if (pinfo->dst.len == sizeof(uint32_t)) {
8538 add_ipv4_name(*(uint32_t *)pinfo->dst.data, server_name, false0);
8539 }
8540 break;
8541 case AT_IPv6:
8542 if (pinfo->dst.len == sizeof(ws_in6_addr)) {
8543 add_ipv6_name(pinfo->dst.data, server_name, false0);
8544 }
8545 break;
8546 }
8547 }
8548 }
8549 }
8550 return offset;
8551}
8552
8553static int
8554ssl_dissect_hnd_hello_ext_session_ticket(ssl_common_dissect_t *hf, tvbuff_t *tvb,
8555 proto_tree *tree, uint32_t offset, uint32_t offset_end, uint8_t hnd_type, SslDecryptSession *ssl)
8556{
8557 unsigned ext_len = offset_end - offset;
8558 if (hnd_type == SSL_HND_CLIENT_HELLO && ssl && ext_len != 0) {
8559 tvb_ensure_bytes_exist(tvb, offset, ext_len);
8560 /* Save the Session Ticket such that it can be used as identifier for
8561 * restoring a previous Master Secret (in ChangeCipherSpec) */
8562 ssl->session_ticket.data = (unsigned char*)wmem_realloc(wmem_file_scope(),
8563 ssl->session_ticket.data, ext_len);
8564 ssl->session_ticket.data_len = ext_len;
8565 tvb_memcpy(tvb,ssl->session_ticket.data, offset, ext_len);
8566 }
8567 proto_tree_add_item(tree, hf->hf.hs_ext_session_ticket,
8568 tvb, offset, ext_len, ENC_NA0x00000000);
8569 return offset + ext_len;
8570}
8571
8572static int
8573ssl_dissect_hnd_hello_ext_cert_type(ssl_common_dissect_t *hf, tvbuff_t *tvb,
8574 proto_tree *tree, uint32_t offset, uint32_t offset_end,
8575 uint8_t hnd_type, uint16_t ext_type, SslSession *session)
8576{
8577 uint8_t cert_list_length;
8578 uint8_t cert_type;
8579 proto_tree *cert_list_tree;
8580 proto_item *ti;
8581
8582 switch(hnd_type){
8583 case SSL_HND_CLIENT_HELLO:
8584 cert_list_length = tvb_get_uint8(tvb, offset);
8585 proto_tree_add_item(tree, hf->hf.hs_ext_cert_types_len,
8586 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
8587 offset += 1;
8588 if (offset_end - offset != (uint32_t)cert_list_length)
8589 return offset;
8590
8591 ti = proto_tree_add_item(tree, hf->hf.hs_ext_cert_types, tvb, offset,
8592 cert_list_length, cert_list_length);
8593 proto_item_append_text(ti, " (%d)", cert_list_length);
8594
8595 /* make this a subtree */
8596 cert_list_tree = proto_item_add_subtree(ti, hf->ett.hs_ext_cert_types);
8597
8598 /* loop over all point formats */
8599 while (cert_list_length > 0)
8600 {
8601 proto_tree_add_item(cert_list_tree, hf->hf.hs_ext_cert_type, tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
8602 offset++;
8603 cert_list_length--;
8604 }
8605 break;
8606 case SSL_HND_SERVER_HELLO:
8607 case SSL_HND_ENCRYPTED_EXTENSIONS:
8608 case SSL_HND_CERTIFICATE:
8609 cert_type = tvb_get_uint8(tvb, offset);
8610 proto_tree_add_item(tree, hf->hf.hs_ext_cert_type, tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
8611 offset += 1;
8612 if (ext_type == SSL_HND_HELLO_EXT_CERT_TYPE9 || ext_type == SSL_HND_HELLO_EXT_CLIENT_CERT_TYPE19) {
8613 session->client_cert_type = cert_type;
8614 }
8615 if (ext_type == SSL_HND_HELLO_EXT_CERT_TYPE9 || ext_type == SSL_HND_HELLO_EXT_SERVER_CERT_TYPE20) {
8616 session->server_cert_type = cert_type;
8617 }
8618 break;
8619 default: /* no default */
8620 break;
8621 }
8622
8623 return offset;
8624}
8625
8626static uint32_t
8627ssl_dissect_hnd_hello_ext_compress_certificate(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8628 proto_tree *tree, uint32_t offset, uint32_t offset_end,
8629 uint8_t hnd_type, SslDecryptSession *ssl _U___attribute__((unused)))
8630{
8631 uint32_t compress_certificate_algorithms_length, next_offset;
8632
8633 /* https://tools.ietf.org/html/draft-ietf-tls-certificate-compression-03#section-3.0
8634 * enum {
8635 * zlib(1),
8636 * brotli(2),
8637 * (65535)
8638 * } CertificateCompressionAlgorithm;
8639 *
8640 * struct {
8641 * CertificateCompressionAlgorithm algorithms<1..2^8-1>;
8642 * } CertificateCompressionAlgorithms;
8643 */
8644 switch (hnd_type) {
8645 case SSL_HND_CLIENT_HELLO:
8646 case SSL_HND_CERT_REQUEST:
8647 /* CertificateCompressionAlgorithm algorithms<1..2^8-1>;*/
8648 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &compress_certificate_algorithms_length,
8649 hf->hf.hs_ext_compress_certificate_algorithms_length, 1, UINT8_MAX(255)-1)) {
8650 return offset_end;
8651 }
8652 offset += 1;
8653 next_offset = offset + compress_certificate_algorithms_length;
8654
8655 while (offset < next_offset) {
8656 proto_tree_add_item(tree, hf->hf.hs_ext_compress_certificate_algorithm,
8657 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
8658 offset += 2;
8659 }
8660 break;
8661 default:
8662 break;
8663 }
8664
8665 return offset;
8666}
8667
8668static uint32_t
8669ssl_dissect_hnd_hello_ext_token_binding(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8670 proto_tree *tree, uint32_t offset, uint32_t offset_end,
8671 uint8_t hnd_type, SslDecryptSession *ssl _U___attribute__((unused)))
8672{
8673 uint32_t key_parameters_length, next_offset;
8674 proto_item *p_ti;
8675 proto_tree *p_tree;
8676
8677 /* RFC 8472
8678 *
8679 * struct {
8680 * uint8 major;
8681 * uint8 minor;
8682 * } TB_ProtocolVersion;
8683 *
8684 * enum {
8685 * rsa2048_pkcs1.5(0), rsa2048_pss(1), ecdsap256(2), (255)
8686 * } TokenBindingKeyParameters;
8687 *
8688 * struct {
8689 * TB_ProtocolVersion token_binding_version;
8690 * TokenBindingKeyParameters key_parameters_list<1..2^8-1>
8691 * } TokenBindingParameters;
8692 */
8693
8694 switch (hnd_type) {
8695 case SSL_HND_CLIENT_HELLO:
8696 case SSL_HND_SERVER_HELLO:
8697 proto_tree_add_item(tree, hf->hf.hs_ext_token_binding_version_major, tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
8698 offset += 1;
8699 proto_tree_add_item(tree, hf->hf.hs_ext_token_binding_version_minor, tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
8700 offset += 1;
8701
8702 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &key_parameters_length,
8703 hf->hf.hs_ext_token_binding_key_parameters_length, 1, UINT8_MAX(255))) {
8704 return offset_end;
8705 }
8706 offset += 1;
8707 next_offset = offset + key_parameters_length;
8708
8709 p_ti = proto_tree_add_none_format(tree,
8710 hf->hf.hs_ext_token_binding_key_parameters,
8711 tvb, offset, key_parameters_length,
8712 "Key parameters identifiers (%d identifier%s)",
8713 key_parameters_length,
8714 plurality(key_parameters_length, "", "s")((key_parameters_length) == 1 ? ("") : ("s")));
8715 p_tree = proto_item_add_subtree(p_ti, hf->ett.hs_ext_token_binding_key_parameters);
8716
8717 while (offset < next_offset) {
8718 proto_tree_add_item(p_tree, hf->hf.hs_ext_token_binding_key_parameter,
8719 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
8720 offset += 1;
8721 }
8722
8723 if (!ssl_end_vector(hf, tvb, pinfo, p_tree, offset, next_offset)) {
8724 offset = next_offset;
8725 }
8726
8727 break;
8728 default:
8729 break;
8730 }
8731
8732 return offset;
8733}
8734
8735static uint32_t
8736ssl_dissect_hnd_hello_ext_quic_transport_parameters(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8737 proto_tree *tree, uint32_t offset, uint32_t offset_end,
8738 uint8_t hnd_type, SslDecryptSession *ssl _U___attribute__((unused)))
8739{
8740 bool_Bool use_varint_encoding = true1; // Whether this is draft -27 or newer.
8741 uint32_t next_offset;
8742
8743 /* https://tools.ietf.org/html/draft-ietf-quic-transport-25#section-18
8744 *
8745 * Note: the following structures are not literally defined in the spec,
8746 * they instead use an ASCII diagram.
8747 *
8748 * struct {
8749 * uint16 id;
8750 * opaque value<0..2^16-1>;
8751 * } TransportParameter; // before draft -27
8752 * TransportParameter TransportParameters<0..2^16-1>; // before draft -27
8753 *
8754 * struct {
8755 * opaque ipv4Address[4];
8756 * uint16 ipv4Port;
8757 * opaque ipv6Address[16];
8758 * uint16 ipv6Port;
8759 * opaque connectionId<0..18>;
8760 * opaque statelessResetToken[16];
8761 * } PreferredAddress;
8762 */
8763
8764 if (offset_end - offset >= 6 &&
8765 2 + (unsigned)tvb_get_ntohs(tvb, offset) == offset_end - offset &&
8766 6 + (unsigned)tvb_get_ntohs(tvb, offset + 4) <= offset_end - offset) {
8767 // Assume encoding of Transport Parameters draft -26 or older with at
8768 // least one transport parameter that has a valid length.
8769 use_varint_encoding = false0;
8770 }
8771
8772 if (use_varint_encoding) {
8773 next_offset = offset_end;
8774 } else {
8775 uint32_t quic_length;
8776 // Assume draft -26 or earlier.
8777 /* TransportParameter TransportParameters<0..2^16-1>; */
8778 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &quic_length,
8779 hf->hf.hs_ext_quictp_len, 0, UINT16_MAX(65535))) {
8780 return offset_end;
8781 }
8782 offset += 2;
8783 next_offset = offset + quic_length;
8784 }
8785
8786 while (offset < next_offset) {
8787 uint64_t parameter_type; /* 62-bit space */
8788 uint32_t parameter_length;
8789 proto_tree *parameter_tree;
8790 uint32_t parameter_end_offset;
8791 uint64_t value;
8792 uint32_t len = 0, i;
8793
8794 parameter_tree = proto_tree_add_subtree(tree, tvb, offset, 2, hf->ett.hs_ext_quictp_parameter,
8795 NULL((void*)0), "Parameter");
8796 /* TransportParameter ID and Length. */
8797 if (use_varint_encoding) {
8798 uint64_t parameter_length64;
8799 uint32_t type_len = 0;
8800
8801 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_type,
8802 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &parameter_type, &type_len);
8803 offset += type_len;
8804
8805 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_len,
8806 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &parameter_length64, &len);
8807 parameter_length = (uint32_t)parameter_length64;
8808 offset += len;
8809
8810 proto_item_set_len(parameter_tree, type_len + len + parameter_length);
8811 } else {
8812 parameter_type = tvb_get_ntohs(tvb, offset);
8813 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_type,
8814 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
8815 offset += 2;
8816
8817 /* opaque value<0..2^16-1> */
8818 if (!ssl_add_vector(hf, tvb, pinfo, parameter_tree, offset, next_offset, &parameter_length,
8819 hf->hf.hs_ext_quictp_parameter_len_old, 0, UINT16_MAX(65535))) {
8820 return next_offset;
8821 }
8822 offset += 2;
8823
8824 proto_item_set_len(parameter_tree, 4 + parameter_length);
8825 }
8826
8827 if (IS_GREASE_QUIC(parameter_type)((parameter_type) > 27 ? ((((parameter_type) - 27) % 31) ==
0) : 0)) {
8828 proto_item_append_text(parameter_tree, ": GREASE");
8829 } else {
8830 proto_item_append_text(parameter_tree, ": %s", val64_to_str_wmem(pinfo->pool, parameter_type, quic_transport_parameter_id, "Unknown 0x%04x"));
8831 }
8832
8833 proto_item_append_text(parameter_tree, " (len=%u)", parameter_length);
8834 parameter_end_offset = offset + parameter_length;
8835
8836 /* Omit the value field if the parameter's length is 0. */
8837 if (parameter_length != 0) {
8838 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_value,
8839 tvb, offset, parameter_length, ENC_NA0x00000000);
8840 }
8841
8842 switch (parameter_type) {
8843 case SSL_HND_QUIC_TP_ORIGINAL_DESTINATION_CONNECTION_ID0x00:
8844 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_original_destination_connection_id,
8845 tvb, offset, parameter_length, ENC_NA0x00000000);
8846 offset += parameter_length;
8847 break;
8848 case SSL_HND_QUIC_TP_MAX_IDLE_TIMEOUT0x01:
8849 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_max_idle_timeout,
8850 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8851 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u" " ms", value);
8852 offset += len;
8853 break;
8854 case SSL_HND_QUIC_TP_STATELESS_RESET_TOKEN0x02:
8855 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_stateless_reset_token,
8856 tvb, offset, 16, ENC_BIG_ENDIAN0x00000000);
8857 quic_add_stateless_reset_token(pinfo, tvb, offset, NULL((void*)0));
8858 offset += 16;
8859 break;
8860 case SSL_HND_QUIC_TP_MAX_UDP_PAYLOAD_SIZE0x03:
8861 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_max_udp_payload_size,
8862 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8863 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8864 /*TODO display expert info about invalid value (< 1252 or >65527) ? */
8865 offset += len;
8866 break;
8867 case SSL_HND_QUIC_TP_INITIAL_MAX_DATA0x04:
8868 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_data,
8869 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8870 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8871 offset += len;
8872 break;
8873 case SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_BIDI_LOCAL0x05:
8874 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_stream_data_bidi_local,
8875 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8876 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8877 offset += len;
8878 break;
8879 case SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_BIDI_REMOTE0x06:
8880 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_stream_data_bidi_remote,
8881 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8882 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8883 offset += len;
8884 break;
8885 case SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_UNI0x07:
8886 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_stream_data_uni,
8887 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8888 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8889 offset += len;
8890 break;
8891 case SSL_HND_QUIC_TP_INITIAL_MAX_STREAMS_UNI0x09:
8892 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_streams_uni,
8893 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8894 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8895 offset += len;
8896 break;
8897 case SSL_HND_QUIC_TP_INITIAL_MAX_STREAMS_BIDI0x08:
8898 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_streams_bidi,
8899 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8900 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8901 offset += len;
8902 break;
8903 case SSL_HND_QUIC_TP_ACK_DELAY_EXPONENT0x0a:
8904 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_ack_delay_exponent,
8905 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, NULL((void*)0), &len);
8906 /*TODO display multiplier (x8) and expert info about invalid value (> 20) ? */
8907 offset += len;
8908 break;
8909 case SSL_HND_QUIC_TP_MAX_ACK_DELAY0x0b:
8910 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_max_ack_delay,
8911 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8912 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8913 offset += len;
8914 break;
8915 case SSL_HND_QUIC_TP_DISABLE_ACTIVE_MIGRATION0x0c:
8916 /* No Payload */
8917 break;
8918 case SSL_HND_QUIC_TP_PREFERRED_ADDRESS0x0d: {
8919 uint32_t connectionid_length;
8920 quic_cid_t cid;
8921
8922 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_ipv4address,
8923 tvb, offset, 4, ENC_BIG_ENDIAN0x00000000);
8924 offset += 4;
8925 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_ipv4port,
8926 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
8927 offset += 2;
8928 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_ipv6address,
8929 tvb, offset, 16, ENC_NA0x00000000);
8930 offset += 16;
8931 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_ipv6port,
8932 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
8933 offset += 2;
8934 /* XXX - Should we add these addresses and ports as addresses that the client
8935 * is allowed / expected to migrate the server address to? Right now we don't
8936 * enforce that (see RFC 9000 Section 9, which implies that while the client
8937 * can migrate to whatever address it wants, it can only migrate the server
8938 * address to the Server's Preferred Address as in 9.6. Also Issue #20165.)
8939 */
8940
8941 if (!ssl_add_vector(hf, tvb, pinfo, parameter_tree, offset, offset_end, &connectionid_length,
8942 hf->hf.hs_ext_quictp_parameter_pa_connectionid_length, 0, 20)) {
8943 break;
8944 }
8945 offset += 1;
8946
8947 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_connectionid,
8948 tvb, offset, connectionid_length, ENC_NA0x00000000);
8949 if (connectionid_length >= 1 && connectionid_length <= QUIC_MAX_CID_LENGTH20) {
8950 cid.len = connectionid_length;
8951 // RFC 9000 5.1.1 "If the preferred_address transport
8952 // parameter is sent, the sequence number of the supplied
8953 // connection ID is 1."
8954 cid.seq_num = 1;
8955 // Multipath draft-07 "Also, the Path Identifier for the
8956 // connection ID specified in the "preferred address"
8957 // transport parameter is 0."
8958 cid.path_id = 0;
8959 tvb_memcpy(tvb, cid.cid, offset, connectionid_length);
8960 quic_add_connection(pinfo, &cid);
8961 }
8962 offset += connectionid_length;
8963
8964 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_statelessresettoken,
8965 tvb, offset, 16, ENC_NA0x00000000);
8966 if (connectionid_length >= 1 && connectionid_length <= QUIC_MAX_CID_LENGTH20) {
8967 quic_add_stateless_reset_token(pinfo, tvb, offset, &cid);
8968 }
8969 offset += 16;
8970 }
8971 break;
8972 case SSL_HND_QUIC_TP_ACTIVE_CONNECTION_ID_LIMIT0x0e:
8973 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_active_connection_id_limit,
8974 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8975 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8976 offset += len;
8977 break;
8978 case SSL_HND_QUIC_TP_INITIAL_SOURCE_CONNECTION_ID0x0f:
8979 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_source_connection_id,
8980 tvb, offset, parameter_length, ENC_NA0x00000000);
8981 offset += parameter_length;
8982 break;
8983 case SSL_HND_QUIC_TP_RETRY_SOURCE_CONNECTION_ID0x10:
8984 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_retry_source_connection_id,
8985 tvb, offset, parameter_length, ENC_NA0x00000000);
8986 offset += parameter_length;
8987 break;
8988 case SSL_HND_QUIC_TP_MAX_DATAGRAM_FRAME_SIZE0x20:
8989 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_max_datagram_frame_size,
8990 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8991 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8992 offset += len;
8993 break;
8994 case SSL_HND_QUIC_TP_CIBIR_ENCODING0x1000:
8995 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_cibir_encoding_length,
8996 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8997 proto_item_append_text(parameter_tree, " Length: %" PRIu64"l" "u", value);
8998 offset += len;
8999 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_cibir_encoding_offset,
9000 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9001 proto_item_append_text(parameter_tree, ", Offset: %" PRIu64"l" "u", value);
9002 offset += len;
9003 break;
9004 case SSL_HND_QUIC_TP_LOSS_BITS0x1057:
9005 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_loss_bits,
9006 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9007 if (len > 0) {
9008 quic_add_loss_bits(pinfo, value);
9009 }
9010 offset += 1;
9011 break;
9012 case SSL_HND_QUIC_TP_ADDRESS_DISCOVERY0x9f81a176:
9013 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_address_discovery,
9014 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, NULL((void*)0), &len);
9015 offset += len;
9016 break;
9017 case SSL_HND_QUIC_TP_MIN_ACK_DELAY_OLD0xde1a:
9018 case SSL_HND_QUIC_TP_MIN_ACK_DELAY_DRAFT_V10xFF03DE1A:
9019 case SSL_HND_QUIC_TP_MIN_ACK_DELAY_DRAFT050xff04de1a:
9020 case SSL_HND_QUIC_TP_MIN_ACK_DELAY0xff04de1b:
9021 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_min_ack_delay,
9022 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9023 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
9024 offset += len;
9025 break;
9026 case SSL_HND_QUIC_TP_GOOGLE_USER_AGENT0x3129:
9027 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_user_agent_id,
9028 tvb, offset, parameter_length, ENC_ASCII0x00000000|ENC_NA0x00000000);
9029 offset += parameter_length;
9030 break;
9031 case SSL_HND_QUIC_TP_GOOGLE_KEY_UPDATE_NOT_YET_SUPPORTED0x312B:
9032 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_key_update_not_yet_supported,
9033 tvb, offset, parameter_length, ENC_NA0x00000000);
9034 offset += parameter_length;
9035 break;
9036 case SSL_HND_QUIC_TP_GOOGLE_QUIC_VERSION0x4752:
9037 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_quic_version,
9038 tvb, offset, 4, ENC_BIG_ENDIAN0x00000000);
9039 offset += 4;
9040 if (hnd_type == SSL_HND_ENCRYPTED_EXTENSIONS) { /* From server */
9041 uint32_t versions_length;
9042
9043 proto_tree_add_item_ret_uint(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_supported_versions_length,
9044 tvb, offset, 1, ENC_NA0x00000000, &versions_length);
9045 offset += 1;
9046 for (i = 0; i < versions_length / 4; i++) {
9047 quic_proto_tree_add_version(tvb, parameter_tree,
9048 hf->hf.hs_ext_quictp_parameter_google_supported_version, offset);
9049 offset += 4;
9050 }
9051 }
9052 break;
9053 case SSL_HND_QUIC_TP_GOOGLE_INITIAL_RTT0x3127:
9054 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_initial_rtt,
9055 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9056 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u" " us", value);
9057 offset += len;
9058 break;
9059 case SSL_HND_QUIC_TP_GOOGLE_SUPPORT_HANDSHAKE_DONE0x312A:
9060 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_support_handshake_done,
9061 tvb, offset, parameter_length, ENC_NA0x00000000);
9062 offset += parameter_length;
9063 break;
9064 case SSL_HND_QUIC_TP_GOOGLE_QUIC_PARAMS0x4751:
9065 /* This field was used for non-standard Google-specific parameters encoded as a
9066 * Google QUIC_CRYPTO CHLO and it has been replaced (version >= T051) by individual
9067 * parameters. Report it as a bytes blob... */
9068 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_quic_params,
9069 tvb, offset, parameter_length, ENC_NA0x00000000);
9070 /* ... and try decoding it: not sure what the first 4 bytes are (but they seems to be always 0) */
9071 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_quic_params_unknown_field,
9072 tvb, offset, 4, ENC_NA0x00000000);
9073 dissect_gquic_tags(tvb, pinfo, parameter_tree, offset + 4);
9074 offset += parameter_length;
9075 break;
9076 case SSL_HND_QUIC_TP_GOOGLE_CONNECTION_OPTIONS0x3128:
9077 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_connection_options,
9078 tvb, offset, parameter_length, ENC_NA0x00000000);
9079 offset += parameter_length;
9080 break;
9081 case SSL_HND_QUIC_TP_ENABLE_TIME_STAMP0x7157:
9082 /* No Payload */
9083 break;
9084 case SSL_HND_QUIC_TP_ENABLE_TIME_STAMP_V20x7158:
9085 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_enable_time_stamp_v2,
9086 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9087 offset += parameter_length;
9088 break;
9089 case SSL_HND_QUIC_TP_VERSION_INFORMATION_DRAFT0xff73db:
9090 case SSL_HND_QUIC_TP_VERSION_INFORMATION0x11:
9091 quic_proto_tree_add_version(tvb, parameter_tree,
9092 hf->hf.hs_ext_quictp_parameter_chosen_version, offset);
9093 offset += 4;
9094 for (i = 4; i < parameter_length; i += 4) {
9095 quic_proto_tree_add_version(tvb, parameter_tree,
9096 hf->hf.hs_ext_quictp_parameter_other_version, offset);
9097 offset += 4;
9098 }
9099 break;
9100 case SSL_HND_QUIC_TP_GREASE_QUIC_BIT0x2ab2:
9101 /* No Payload */
9102 quic_add_grease_quic_bit(pinfo);
9103 break;
9104 case SSL_HND_QUIC_TP_FACEBOOK_PARTIAL_RELIABILITY0xFF00:
9105 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_facebook_partial_reliability,
9106 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9107 offset += parameter_length;
9108 break;
9109 case SSL_HND_QUIC_TP_ENABLE_MULTIPATH_DRAFT040x0f739bbc1b666d04:
9110 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_enable_multipath,
9111 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9112 if (value == 1) {
9113 quic_add_multipath(pinfo, QUIC_MP_NO_PATH_ID1);
9114 }
9115 offset += parameter_length;
9116 break;
9117 case SSL_HND_QUIC_TP_ENABLE_MULTIPATH_DRAFT050x0f739bbc1b666d05:
9118 case SSL_HND_QUIC_TP_ENABLE_MULTIPATH0x0f739bbc1b666d06:
9119 /* No Payload */
9120 quic_add_multipath(pinfo, QUIC_MP_NO_PATH_ID1);
9121 break;
9122 case SSL_HND_QUIC_TP_INITIAL_MAX_PATHS0x0f739bbc1b666d07:
9123 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_paths,
9124 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9125 if (value > 1) {
9126 quic_add_multipath(pinfo, QUIC_MP_PATH_ID2);
9127 }
9128 /* multipath draft-07: "The value of the initial_max_paths
9129 * parameter MUST be at least 2." TODO: Expert Info? */
9130 offset += parameter_length;
9131 break;
9132 case SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT090x0f739bbc1b666d09:
9133 case SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT110x0f739bbc1b666d11:
9134 case SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT120x0f739bbc1b666d0c:
9135 case SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID0x0f739bbc1b666d0d:
9136 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_path_id,
9137 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9138 /* multipath draft-09 and later: "If an endpoint receives an
9139 * initial_max_path_id transport parameter with value 0, the
9140 * peer aims to enable the multipath extension without allowing
9141 * extra paths immediately."
9142 */
9143 quic_add_multipath(pinfo, QUIC_MP_PATH_ID2);
9144 offset += parameter_length;
9145 break;
9146 default:
9147 offset += parameter_length;
9148 /*TODO display expert info about unknown ? */
9149 break;
9150 }
9151
9152 if (!ssl_end_vector(hf, tvb, pinfo, parameter_tree, offset, parameter_end_offset)) {
9153 /* Dissection did not end at expected location, fix it. */
9154 offset = parameter_end_offset;
9155 }
9156 }
9157
9158 return offset;
9159}
9160
9161static int
9162ssl_dissect_hnd_hello_common(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9163 proto_tree *tree, uint32_t offset,
9164 SslSession *session, SslDecryptSession *ssl,
9165 bool_Bool from_server, bool_Bool is_hrr)
9166{
9167 uint8_t sessid_length;
9168 proto_item *ti;
9169 proto_tree *rnd_tree;
9170 proto_tree *ti_rnd;
9171 proto_tree *ech_confirm_tree;
9172 uint8_t draft_version = session->tls13_draft_version;
9173
9174 if (ssl) {
9175 StringInfo *rnd;
9176 if (from_server)
9177 rnd = &ssl->server_random;
9178 else
9179 rnd = &ssl->client_random;
9180
9181 /* save provided random for later keyring generation */
9182 tvb_memcpy(tvb, rnd->data, offset, 32);
9183 rnd->data_len = 32;
9184 if (from_server)
9185 ssl->state |= SSL_SERVER_RANDOM(1<<1);
9186 else
9187 ssl->state |= SSL_CLIENT_RANDOM(1<<0);
9188 ssl_debug_printf("%s found %s RANDOM -> state 0x%02X\n", G_STRFUNC((const char*) (__func__)),
9189 from_server ? "SERVER" : "CLIENT", ssl->state);
9190 }
9191
9192 if (!from_server && session->client_random.data_len == 0) {
9193 session->client_random.data_len = 32;
9194 tvb_memcpy(tvb, session->client_random.data, offset, 32);
9195 }
9196
9197 ti_rnd = proto_tree_add_item(tree, hf->hf.hs_random, tvb, offset, 32, ENC_NA0x00000000);
9198
9199 if ((session->version != TLSV1DOT3_VERSION0x304) && (session->version != DTLSV1DOT3_VERSION0xfefc)) { /* No time on first bytes random with TLS 1.3 */
9200
9201 rnd_tree = proto_item_add_subtree(ti_rnd, hf->ett.hs_random);
9202 /* show the time */
9203 proto_tree_add_item(rnd_tree, hf->hf.hs_random_time,
9204 tvb, offset, 4, ENC_TIME_SECS0x00000012|ENC_BIG_ENDIAN0x00000000);
9205 offset += 4;
9206
9207 /* show the random bytes */
9208 proto_tree_add_item(rnd_tree, hf->hf.hs_random_bytes,
9209 tvb, offset, 28, ENC_NA0x00000000);
9210 offset += 28;
9211 } else {
9212 if (is_hrr) {
9213 proto_item_append_text(ti_rnd, " (HelloRetryRequest magic)");
9214 } else if (from_server && session->ech) {
9215 ech_confirm_tree = proto_item_add_subtree(ti_rnd, hf->ett.hs_random);
9216 proto_tree_add_item(ech_confirm_tree, hf->hf.hs_ech_confirm, tvb, offset + 24, 8, ENC_NA0x00000000);
9217 ti = proto_tree_add_bytes_with_length(ech_confirm_tree, hf->hf.hs_ech_confirm_compute, tvb, offset + 24, 0,
9218 session->ech_confirmation, 8);
9219 proto_item_set_generated(ti);
9220 if (memcmp(session->ech_confirmation, tvb_get_ptr(tvb, offset+24, 8), 8)) {
9221 expert_add_info(pinfo, ti, &hf->ei.ech_rejected);
9222 } else {
9223 expert_add_info(pinfo, ti, &hf->ei.ech_accepted);
9224 }
9225 }
9226
9227 offset += 32;
9228 }
9229
9230 /* No Session ID with TLS 1.3 on Server Hello before draft -22 */
9231 if (from_server == 0 || !(session->version == TLSV1DOT3_VERSION0x304 && draft_version > 0 && draft_version < 22)) {
9232 /* show the session id (length followed by actual Session ID) */
9233 sessid_length = tvb_get_uint8(tvb, offset);
9234 proto_tree_add_item(tree, hf->hf.hs_session_id_len,
9235 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
9236 offset++;
9237
9238 if (ssl) {
9239 /* save the authoritative SID for later use in ChangeCipherSpec.
9240 * (D)TLS restricts the SID to 32 chars, it does not make sense to
9241 * save more, so ignore larger ones. */
9242 if (from_server && sessid_length <= 32) {
9243 tvb_memcpy(tvb, ssl->session_id.data, offset, sessid_length);
9244 ssl->session_id.data_len = sessid_length;
9245 }
9246 }
9247 if (sessid_length > 0) {
9248 proto_tree_add_item(tree, hf->hf.hs_session_id,
9249 tvb, offset, sessid_length, ENC_NA0x00000000);
9250 offset += sessid_length;
9251 }
9252 }
9253
9254 return offset;
9255}
9256
9257static int
9258ssl_dissect_hnd_hello_ext_status_request(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9259 proto_tree *tree, uint32_t offset, uint32_t offset_end,
9260 bool_Bool has_length)
9261{
9262 /* TLS 1.2/1.3 status_request Client Hello Extension.
9263 * TLS 1.2 status_request_v2 CertificateStatusRequestItemV2 type.
9264 * https://tools.ietf.org/html/rfc6066#section-8 (status_request)
9265 * https://tools.ietf.org/html/rfc6961#section-2.2 (status_request_v2)
9266 * struct {
9267 * CertificateStatusType status_type;
9268 * uint16 request_length; // for status_request_v2
9269 * select (status_type) {
9270 * case ocsp: OCSPStatusRequest;
9271 * case ocsp_multi: OCSPStatusRequest;
9272 * } request;
9273 * } CertificateStatusRequest; // CertificateStatusRequestItemV2
9274 *
9275 * enum { ocsp(1), ocsp_multi(2), (255) } CertificateStatusType;
9276 * struct {
9277 * ResponderID responder_id_list<0..2^16-1>;
9278 * Extensions request_extensions;
9279 * } OCSPStatusRequest;
9280 * opaque ResponderID<1..2^16-1>;
9281 * opaque Extensions<0..2^16-1>;
9282 */
9283 unsigned cert_status_type;
9284
9285 cert_status_type = tvb_get_uint8(tvb, offset);
9286 proto_tree_add_item(tree, hf->hf.hs_ext_cert_status_type,
9287 tvb, offset, 1, ENC_NA0x00000000);
9288 offset++;
9289
9290 if (has_length) {
9291 proto_tree_add_item(tree, hf->hf.hs_ext_cert_status_request_len,
9292 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
9293 offset += 2;
9294 }
9295
9296 switch (cert_status_type) {
9297 case SSL_HND_CERT_STATUS_TYPE_OCSP1:
9298 case SSL_HND_CERT_STATUS_TYPE_OCSP_MULTI2:
9299 {
9300 uint32_t responder_id_list_len;
9301 uint32_t request_extensions_len;
9302
9303 /* ResponderID responder_id_list<0..2^16-1> */
9304 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &responder_id_list_len,
9305 hf->hf.hs_ext_cert_status_responder_id_list_len, 0, UINT16_MAX(65535))) {
9306 return offset_end;
9307 }
9308 offset += 2;
9309 if (responder_id_list_len != 0) {
9310 proto_tree_add_expert_format(tree, pinfo, &hf->ei.hs_ext_cert_status_undecoded,
9311 tvb, offset, responder_id_list_len,
9312 "Responder ID list is not implemented, contact Wireshark"
9313 " developers if you want this to be supported");
9314 }
9315 offset += responder_id_list_len;
9316
9317 /* opaque Extensions<0..2^16-1> */
9318 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &request_extensions_len,
9319 hf->hf.hs_ext_cert_status_request_extensions_len, 0, UINT16_MAX(65535))) {
9320 return offset_end;
9321 }
9322 offset += 2;
9323 if (request_extensions_len != 0) {
9324 proto_tree_add_expert_format(tree, pinfo, &hf->ei.hs_ext_cert_status_undecoded,
9325 tvb, offset, request_extensions_len,
9326 "Request Extensions are not implemented, contact"
9327 " Wireshark developers if you want this to be supported");
9328 }
9329 offset += request_extensions_len;
9330 break;
9331 }
9332 }
9333
9334 return offset;
9335}
9336
9337static unsigned
9338ssl_dissect_hnd_hello_ext_status_request_v2(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9339 proto_tree *tree, uint32_t offset, uint32_t offset_end)
9340{
9341 /* https://tools.ietf.org/html/rfc6961#section-2.2
9342 * struct {
9343 * CertificateStatusRequestItemV2 certificate_status_req_list<1..2^16-1>;
9344 * } CertificateStatusRequestListV2;
9345 */
9346 uint32_t req_list_length, next_offset;
9347
9348 /* CertificateStatusRequestItemV2 certificate_status_req_list<1..2^16-1> */
9349 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &req_list_length,
9350 hf->hf.hs_ext_cert_status_request_list_len, 1, UINT16_MAX(65535))) {
9351 return offset_end;
9352 }
9353 offset += 2;
9354 next_offset = offset + req_list_length;
9355
9356 while (offset < next_offset) {
9357 offset = ssl_dissect_hnd_hello_ext_status_request(hf, tvb, pinfo, tree, offset, next_offset, true1);
9358 }
9359
9360 return offset;
9361}
9362
9363static uint32_t
9364tls_dissect_ocsp_response(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
9365 uint32_t offset, uint32_t offset_end)
9366{
9367 uint32_t response_length;
9368 proto_item *ocsp_resp;
9369 proto_tree *ocsp_resp_tree;
9370 asn1_ctx_t asn1_ctx;
9371
9372 /* opaque OCSPResponse<1..2^24-1>; */
9373 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &response_length,
9374 hf->hf.hs_ocsp_response_len, 1, G_MAXUINT24((1U << 24) - 1))) {
9375 return offset_end;
9376 }
9377 offset += 3;
9378
9379 ocsp_resp = proto_tree_add_item(tree, proto_ocsp, tvb, offset,
9380 response_length, ENC_BIG_ENDIAN0x00000000);
9381 proto_item_set_text(ocsp_resp, "OCSP Response");
9382 ocsp_resp_tree = proto_item_add_subtree(ocsp_resp, hf->ett.ocsp_response);
9383 if (proto_is_protocol_enabled(find_protocol_by_id(proto_ocsp))) {
9384 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true1, pinfo);
9385 dissect_ocsp_OCSPResponse(false0, tvb, offset, &asn1_ctx, ocsp_resp_tree, -1);
9386 }
9387 offset += response_length;
9388
9389 return offset;
9390}
9391
9392uint32_t
9393tls_dissect_hnd_certificate_status(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9394 proto_tree *tree, uint32_t offset, uint32_t offset_end)
9395{
9396 /* TLS 1.2 "CertificateStatus" handshake message.
9397 * TLS 1.3 "status_request" Certificate extension.
9398 * struct {
9399 * CertificateStatusType status_type;
9400 * select (status_type) {
9401 * case ocsp: OCSPResponse;
9402 * case ocsp_multi: OCSPResponseList; // status_request_v2
9403 * } response;
9404 * } CertificateStatus;
9405 * opaque OCSPResponse<1..2^24-1>;
9406 * struct {
9407 * OCSPResponse ocsp_response_list<1..2^24-1>;
9408 * } OCSPResponseList; // status_request_v2
9409 */
9410 uint32_t status_type, resp_list_length, next_offset;
9411
9412 proto_tree_add_item_ret_uint(tree, hf->hf.hs_ext_cert_status_type,
9413 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000, &status_type);
9414 offset += 1;
9415
9416 switch (status_type) {
9417 case SSL_HND_CERT_STATUS_TYPE_OCSP1:
9418 offset = tls_dissect_ocsp_response(hf, tvb, pinfo, tree, offset, offset_end);
9419 break;
9420
9421 case SSL_HND_CERT_STATUS_TYPE_OCSP_MULTI2:
9422 /* OCSPResponse ocsp_response_list<1..2^24-1> */
9423 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &resp_list_length,
9424 hf->hf.hs_ocsp_response_list_len, 1, G_MAXUINT24((1U << 24) - 1))) {
9425 return offset_end;
9426 }
9427 offset += 3;
9428 next_offset = offset + resp_list_length;
9429
9430 while (offset < next_offset) {
9431 offset = tls_dissect_ocsp_response(hf, tvb, pinfo, tree, offset, next_offset);
9432 }
9433 break;
9434 }
9435
9436 return offset;
9437}
9438
9439static unsigned
9440ssl_dissect_hnd_hello_ext_supported_groups(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9441 proto_tree *tree, uint32_t offset, uint32_t offset_end,
9442 wmem_strbuf_t *ja3)
9443{
9444 /* RFC 8446 Section 4.2.7
9445 * enum { ..., (0xFFFF) } NamedGroup;
9446 * struct {
9447 * NamedGroup named_group_list<2..2^16-1>
9448 * } NamedGroupList;
9449 *
9450 * NOTE: "NamedCurve" (RFC 4492) is renamed to "NamedGroup" (RFC 7919) and
9451 * the extension itself from "elliptic_curves" to "supported_groups".
9452 */
9453 uint32_t groups_length, next_offset;
9454 proto_tree *groups_tree;
9455 proto_item *ti;
9456 char *ja3_dash = "";
9457
9458 /* NamedGroup named_group_list<2..2^16-1> */
9459 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &groups_length,
9460 hf->hf.hs_ext_supported_groups_len, 2, UINT16_MAX(65535))) {
9461 return offset_end;
9462 }
9463 offset += 2;
9464 next_offset = offset + groups_length;
9465
9466 ti = proto_tree_add_none_format(tree,
9467 hf->hf.hs_ext_supported_groups,
9468 tvb, offset, groups_length,
9469 "Supported Groups (%d group%s)",
9470 groups_length / 2,
9471 plurality(groups_length/2, "", "s")((groups_length/2) == 1 ? ("") : ("s")));
9472
9473 /* make this a subtree */
9474 groups_tree = proto_item_add_subtree(ti, hf->ett.hs_ext_groups);
9475
9476 if (ja3) {
9477 wmem_strbuf_append_c(ja3, ',');
9478 }
9479 /* loop over all groups */
9480 while (offset + 2 <= offset_end) {
9481 uint32_t ext_supported_group;
9482
9483 proto_tree_add_item_ret_uint(groups_tree, hf->hf.hs_ext_supported_group, tvb, offset, 2,
9484 ENC_BIG_ENDIAN0x00000000, &ext_supported_group);
9485 offset += 2;
9486 if (ja3 && !IS_GREASE_TLS(ext_supported_group)((((ext_supported_group) & 0x0f0f) == 0x0a0a) && (
((ext_supported_group) & 0xff) == (((ext_supported_group)
>>8) & 0xff)))) {
9487 wmem_strbuf_append_printf(ja3, "%s%i",ja3_dash, ext_supported_group);
9488 ja3_dash = "-";
9489 }
9490 }
9491 if (!ssl_end_vector(hf, tvb, pinfo, groups_tree, offset, next_offset)) {
9492 offset = next_offset;
9493 }
9494
9495 return offset;
9496}
9497
9498static int
9499ssl_dissect_hnd_hello_ext_ec_point_formats(ssl_common_dissect_t *hf, tvbuff_t *tvb,
9500 proto_tree *tree, uint32_t offset, wmem_strbuf_t *ja3)
9501{
9502 uint8_t ecpf_length;
9503 proto_tree *ecpf_tree;
9504 proto_item *ti;
9505
9506 ecpf_length = tvb_get_uint8(tvb, offset);
9507 proto_tree_add_item(tree, hf->hf.hs_ext_ec_point_formats_len,
9508 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
9509
9510 offset += 1;
9511 ti = proto_tree_add_none_format(tree,
9512 hf->hf.hs_ext_ec_point_formats,
9513 tvb, offset, ecpf_length,
9514 "Elliptic curves point formats (%d)",
9515 ecpf_length);
9516
9517 /* make this a subtree */
9518 ecpf_tree = proto_item_add_subtree(ti, hf->ett.hs_ext_curves_point_formats);
9519
9520 if (ja3) {
9521 wmem_strbuf_append_c(ja3, ',');
9522 }
9523
9524 /* loop over all point formats */
9525 while (ecpf_length > 0)
9526 {
9527 uint32_t ext_ec_point_format;
9528
9529 proto_tree_add_item_ret_uint(ecpf_tree, hf->hf.hs_ext_ec_point_format, tvb, offset, 1,
9530 ENC_BIG_ENDIAN0x00000000, &ext_ec_point_format);
9531 offset++;
9532 ecpf_length--;
9533 if (ja3) {
9534 wmem_strbuf_append_printf(ja3, "%i", ext_ec_point_format);
9535 if (ecpf_length > 0) {
9536 wmem_strbuf_append_c(ja3, '-');
9537 }
9538 }
9539 }
9540
9541 return offset;
9542}
9543
9544static int
9545ssl_dissect_hnd_hello_ext_srp(ssl_common_dissect_t *hf, tvbuff_t *tvb,
9546 packet_info *pinfo, proto_tree *tree,
9547 uint32_t offset, uint32_t next_offset)
9548{
9549 /* https://tools.ietf.org/html/rfc5054#section-2.8.1
9550 * opaque srp_I<1..2^8-1>;
9551 */
9552 uint32_t username_len;
9553
9554 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, next_offset, &username_len,
9555 hf->hf.hs_ext_srp_len, 1, UINT8_MAX(255))) {
9556 return next_offset;
9557 }
9558 offset++;
9559
9560 proto_tree_add_item(tree, hf->hf.hs_ext_srp_username,
9561 tvb, offset, username_len, ENC_UTF_80x00000002|ENC_NA0x00000000);
9562 offset += username_len;
9563
9564 return offset;
9565}
9566
9567static uint32_t
9568tls_dissect_sct(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
9569 uint32_t offset, uint32_t offset_end, uint16_t version)
9570{
9571 /* https://tools.ietf.org/html/rfc6962#section-3.2
9572 * enum { v1(0), (255) } Version;
9573 * struct {
9574 * opaque key_id[32];
9575 * } LogID;
9576 * opaque CtExtensions<0..2^16-1>;
9577 * struct {
9578 * Version sct_version;
9579 * LogID id;
9580 * uint64 timestamp;
9581 * CtExtensions extensions;
9582 * digitally-signed struct { ... };
9583 * } SignedCertificateTimestamp;
9584 */
9585 uint32_t sct_version;
9586 uint64_t sct_timestamp_ms;
9587 nstime_t sct_timestamp;
9588 uint32_t exts_len;
9589 const char *log_name;
9590
9591 proto_tree_add_item_ret_uint(tree, hf->hf.sct_sct_version, tvb, offset, 1, ENC_NA0x00000000, &sct_version);
9592 offset++;
9593 if (sct_version != 0) {
9594 // TODO expert info about unknown SCT version?
9595 return offset;
9596 }
9597 proto_tree_add_item(tree, hf->hf.sct_sct_logid, tvb, offset, 32, ENC_BIG_ENDIAN0x00000000);
9598 log_name = bytesval_to_str_wmem(pinfo->pool, tvb_get_ptr(tvb, offset, 32), 32, ct_logids, "Unknown Log");
9599 proto_item_append_text(tree, " (%s)", log_name);
9600 offset += 32;
9601 sct_timestamp_ms = tvb_get_ntoh64(tvb, offset);
9602 sct_timestamp.secs = (time_t)(sct_timestamp_ms / 1000);
9603 sct_timestamp.nsecs = (int)((sct_timestamp_ms % 1000) * 1000000);
9604 proto_tree_add_time(tree, hf->hf.sct_sct_timestamp, tvb, offset, 8, &sct_timestamp);
9605 offset += 8;
9606 /* opaque CtExtensions<0..2^16-1> */
9607 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &exts_len,
9608 hf->hf.sct_sct_extensions_length, 0, UINT16_MAX(65535))) {
9609 return offset_end;
9610 }
9611 offset += 2;
9612 if (exts_len > 0) {
9613 proto_tree_add_item(tree, hf->hf.sct_sct_extensions, tvb, offset, exts_len, ENC_BIG_ENDIAN0x00000000);
9614 offset += exts_len;
9615 }
9616 offset = ssl_dissect_digitally_signed(hf, tvb, pinfo, tree, offset, offset_end, version,
9617 hf->hf.sct_sct_signature_length,
9618 hf->hf.sct_sct_signature);
9619 return offset;
9620}
9621
9622uint32_t
9623tls_dissect_sct_list(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
9624 uint32_t offset, uint32_t offset_end, uint16_t version)
9625{
9626 /* https://tools.ietf.org/html/rfc6962#section-3.3
9627 * opaque SerializedSCT<1..2^16-1>;
9628 * struct {
9629 * SerializedSCT sct_list <1..2^16-1>;
9630 * } SignedCertificateTimestampList;
9631 */
9632 uint32_t list_length, sct_length, next_offset;
9633 proto_tree *subtree;
9634
9635 /* SerializedSCT sct_list <1..2^16-1> */
9636 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &list_length,
9637 hf->hf.sct_scts_length, 1, UINT16_MAX(65535))) {
9638 return offset_end;
9639 }
9640 offset += 2;
9641
9642 while (offset < offset_end) {
9643 subtree = proto_tree_add_subtree(tree, tvb, offset, 2, hf->ett.sct, NULL((void*)0), "Signed Certificate Timestamp");
9644
9645 /* opaque SerializedSCT<1..2^16-1> */
9646 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, offset_end, &sct_length,
9647 hf->hf.sct_sct_length, 1, UINT16_MAX(65535))) {
9648 return offset_end;
9649 }
9650 offset += 2;
9651 next_offset = offset + sct_length;
9652 proto_item_set_len(subtree, 2 + sct_length);
9653 offset = tls_dissect_sct(hf, tvb, pinfo, subtree, offset, next_offset, version);
9654 if (!ssl_end_vector(hf, tvb, pinfo, subtree, offset, next_offset)) {
9655 offset = next_offset;
9656 }
9657 }
9658
9659 return offset;
9660}
9661
9662static int
9663dissect_ech_hpke_cipher_suite(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo _U___attribute__((unused)),
9664 proto_tree *tree, uint32_t offset)
9665{
9666 uint32_t kdf_id, aead_id;
9667 proto_item *cs_ti;
9668 proto_tree *cs_tree;
9669
9670 cs_ti = proto_tree_add_item(tree, hf->hf.ech_hpke_keyconfig_cipher_suite,
9671 tvb, offset, 4, ENC_NA0x00000000);
9672 cs_tree = proto_item_add_subtree(cs_ti, hf->ett.ech_hpke_cipher_suite);
9673
9674 proto_tree_add_item_ret_uint(cs_tree, hf->hf.ech_hpke_keyconfig_cipher_suite_kdf_id,
9675 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &kdf_id);
9676 offset += 2;
9677 proto_tree_add_item_ret_uint(cs_tree, hf->hf.ech_hpke_keyconfig_cipher_suite_aead_id,
9678 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &aead_id);
9679 offset += 2;
9680
9681 proto_item_append_text(cs_ti, ": %s/%s",
9682 val_to_str_const(kdf_id, kdf_id_type_vals, "Unknown"),
9683 val_to_str_const(aead_id, aead_id_type_vals, "Unknown"));
9684 return offset;
9685}
9686
9687static int
9688dissect_ech_hpke_key_config(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9689 proto_tree *tree, uint32_t offset, uint32_t offset_end,
9690 uint32_t *config_id)
9691{
9692 uint32_t length, cipher_suite_length;
9693 proto_item *kc_ti, *css_ti;
9694 proto_tree *kc_tree, *css_tree;
9695 uint32_t original_offset = offset, next_offset;
9696
9697 kc_ti = proto_tree_add_item(tree, hf->hf.ech_hpke_keyconfig,
9698 tvb, offset, -1, ENC_NA0x00000000);
9699 kc_tree = proto_item_add_subtree(kc_ti, hf->ett.ech_hpke_keyconfig);
9700
9701 proto_tree_add_item_ret_uint(kc_tree, hf->hf.ech_hpke_keyconfig_config_id,
9702 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000, config_id);
9703 offset += 1;
9704 proto_tree_add_item(kc_tree, hf->hf.ech_hpke_keyconfig_kem_id,
9705 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
9706 offset += 2;
9707 proto_tree_add_item_ret_uint(kc_tree, hf->hf.ech_hpke_keyconfig_public_key_length,
9708 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &length);
9709 offset += 2;
9710 proto_tree_add_item(kc_tree, hf->hf.ech_hpke_keyconfig_public_key,
9711 tvb, offset, length, ENC_NA0x00000000);
9712 offset += length;
9713
9714 /* HpkeSymmetricCipherSuite cipher_suites<4..2^16-4> */
9715 if (!ssl_add_vector(hf, tvb, pinfo, kc_tree, offset, offset_end, &cipher_suite_length,
9716 hf->hf.ech_hpke_keyconfig_cipher_suites_length, 4, UINT16_MAX(65535) - 3)) {
9717 return offset_end;
9718 }
9719 offset += 2;
9720 next_offset = offset + cipher_suite_length;
9721
9722 css_ti = proto_tree_add_none_format(kc_tree,
9723 hf->hf.ech_hpke_keyconfig_cipher_suites,
9724 tvb, offset, cipher_suite_length,
9725 "Cipher Suites (%d suite%s)",
9726 cipher_suite_length / 4,
9727 plurality(cipher_suite_length / 4, "", "s")((cipher_suite_length / 4) == 1 ? ("") : ("s")));
9728 css_tree = proto_item_add_subtree(css_ti, hf->ett.ech_hpke_cipher_suites);
9729
9730
9731 while (offset + 4 <= next_offset) {
9732 offset = dissect_ech_hpke_cipher_suite(hf, tvb, pinfo, css_tree, offset);
9733 }
9734
9735 if (!ssl_end_vector(hf, tvb, pinfo, css_tree, offset, next_offset)) {
9736 offset = next_offset;
9737 }
9738
9739 proto_item_set_len(kc_ti, offset - original_offset);
9740
9741 return offset;
9742}
9743
9744static int
9745dissect_ech_echconfig_contents(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9746 proto_tree *tree, uint32_t offset, uint32_t offset_end,
9747 const uint8_t **public_name, uint32_t *config_id)
9748{
9749 uint32_t public_name_length, extensions_length, next_offset;
9750
9751 offset = dissect_ech_hpke_key_config(hf, tvb, pinfo, tree, offset, offset_end, config_id);
9752 proto_tree_add_item(tree, hf->hf.ech_echconfigcontents_maximum_name_length,
9753 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
9754 offset += 1;
9755 proto_tree_add_item_ret_uint(tree, hf->hf.ech_echconfigcontents_public_name_length,
9756 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000, &public_name_length);
9757 offset += 1;
9758 proto_tree_add_item_ret_string(tree, hf->hf.ech_echconfigcontents_public_name,
9759 tvb, offset, public_name_length, ENC_ASCII0x00000000, pinfo->pool, public_name);
9760 offset += public_name_length;
9761
9762 /* Extension extensions<0..2^16-1>; */
9763 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &extensions_length,
9764 hf->hf.ech_echconfigcontents_extensions_length, 0, UINT16_MAX(65535))) {
9765 return offset_end;
9766 }
9767 offset += 2;
9768 next_offset = offset + extensions_length;
9769
9770 if (extensions_length > 0) {
9771 proto_tree_add_item(tree, hf->hf.ech_echconfigcontents_extensions,
9772 tvb, offset, extensions_length, ENC_NA0x00000000);
9773 }
9774 offset += extensions_length;
9775
9776 if (!ssl_end_vector(hf, tvb, pinfo, tree, offset, next_offset)) {
9777 offset = next_offset;
9778 }
9779
9780 return offset;
9781}
9782
9783static int
9784dissect_ech_echconfig(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9785 proto_tree *tree, uint32_t offset, uint32_t offset_end)
9786{
9787 uint32_t version, length;
9788 proto_item *ech_ti;
9789 proto_tree *ech_tree;
9790 const uint8_t *public_name = NULL((void*)0);
9791 uint32_t config_id = 0;
9792
9793 ech_ti = proto_tree_add_item(tree, hf->hf.ech_echconfig, tvb, offset, -1, ENC_NA0x00000000);
9794 ech_tree = proto_item_add_subtree(ech_ti, hf->ett.ech_echconfig);
9795
9796 proto_tree_add_item_ret_uint(ech_tree, hf->hf.ech_echconfig_version,
9797 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &version);
9798 offset += 2;
9799 proto_tree_add_item_ret_uint(ech_tree, hf->hf.ech_echconfig_length,
9800 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &length);
9801 offset += 2;
9802
9803 proto_item_set_len(ech_ti, 4 + length);
9804
9805 switch(version) {
9806 case 0xfe0d:
9807 dissect_ech_echconfig_contents(hf, tvb, pinfo, ech_tree, offset, offset_end, &public_name, &config_id);
9808 proto_item_append_text(ech_ti, ": id=%d %s", config_id, public_name);
9809 break;
9810
9811 default:
9812 expert_add_info_format(pinfo, ech_ti, &hf->ei.ech_echconfig_invalid_version, "Unsupported/unknown ECHConfig version 0x%x", version);
9813 }
9814
9815 return 4 + length;
9816}
9817
9818uint32_t
9819ssl_dissect_ext_ech_echconfiglist(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9820 proto_tree *tree, uint32_t offset, uint32_t offset_end)
9821{
9822 uint32_t echconfiglist_length, next_offset;
9823
9824 /* ECHConfig ECHConfigList<1..2^16-1>; */
9825 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &echconfiglist_length,
9826 hf->hf.ech_echconfiglist_length, 1, UINT16_MAX(65535))) {
9827 return offset_end;
9828 }
9829 offset += 2;
9830 next_offset = offset + echconfiglist_length;
9831
9832 while (offset < next_offset) {
9833 offset += dissect_ech_echconfig(hf, tvb, pinfo, tree, offset, offset_end);
9834 }
9835
9836 if (!ssl_end_vector(hf, tvb, pinfo, tree, offset, next_offset)) {
9837 offset = next_offset;
9838 }
9839
9840 return offset;
9841}
9842
9843static uint32_t
9844ssl_dissect_hnd_ech_outer_ext(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
9845 uint32_t offset, uint32_t offset_end)
9846{
9847 uint32_t ext_length, next_offset;
9848 proto_tree *ext_tree;
9849 proto_item *ti;
9850
9851 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &ext_length,
9852 hf->hf.hs_ext_ech_outer_ext_len, 2, UINT8_MAX(255))) {
9853 return offset_end;
9854 }
9855 offset += 1;
9856 next_offset = offset + ext_length;
9857
9858 ti = proto_tree_add_none_format(tree,
9859 hf->hf.hs_ext_ech_outer_ext,
9860 tvb, offset, ext_length,
9861 "Outer Extensions (%d extension%s)",
9862 ext_length / 2,
9863 plurality(ext_length/2, "", "s")((ext_length/2) == 1 ? ("") : ("s")));
9864
9865 ext_tree = proto_item_add_subtree(ti, hf->ett.hs_ext);
9866
9867 while (offset + 2 <= offset_end) {
9868 proto_tree_add_item(ext_tree, hf->hf.hs_ext_type, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
9869 offset += 2;
9870 }
9871
9872 if (!ssl_end_vector(hf, tvb, pinfo, ext_tree, offset, next_offset)) {
9873 offset = next_offset;
9874 }
9875
9876 return offset;
9877}
9878
9879static uint32_t
9880// NOLINTNEXTLINE(misc-no-recursion)
9881ssl_dissect_hnd_hello_ext_ech(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9882 proto_tree *tree, uint32_t offset, uint32_t offset_end,
9883 uint8_t hnd_type, SslSession *session, SslDecryptSession *ssl, ssl_master_key_map_t *mk_map,
9884 uint32_t initial_offset, uint32_t hello_length)
9885{
9886 uint32_t ch_type, length;
9887 proto_item *ti, *payload_ti;
9888 proto_tree *retry_tree, *payload_tree;
9889
9890 switch (hnd_type) {
9891 case SSL_HND_CLIENT_HELLO:
9892 /*
9893 * enum { outer(0), inner(1) } ECHClientHelloType;
9894 *
9895 * struct {
9896 * ECHClientHelloType type;
9897 * select (ECHClientHello.type) {
9898 * case outer:
9899 * HpkeSymmetricCipherSuite cipher_suite;
9900 * uint8 config_id;
9901 * opaque enc<0..2^16-1>;
9902 * opaque payload<1..2^16-1>;
9903 * case inner:
9904 * Empty;
9905 * };
9906 * } ECHClientHello;
9907 */
9908
9909 proto_tree_add_item_ret_uint(tree, hf->hf.ech_clienthello_type, tvb, offset, 1, ENC_BIG_ENDIAN0x00000000, &ch_type);
9910 offset += 1;
9911 switch (ch_type) {
9912 case 0: /* outer */
9913 if (ssl && session->first_ch_ech_frame == 0) {
9914 session->first_ch_ech_frame = pinfo->num;
9915 }
9916 offset = dissect_ech_hpke_cipher_suite(hf, tvb, pinfo, tree, offset);
9917 uint16_t kdf_id = tvb_get_ntohs(tvb, offset - 4);
9918 uint16_t aead_id = tvb_get_ntohs(tvb, offset - 2);
9919
9920 proto_tree_add_item(tree, hf->hf.ech_config_id, tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
9921 uint8_t config_id = tvb_get_uint8(tvb, offset);
9922 offset += 1;
9923 proto_tree_add_item_ret_uint(tree, hf->hf.ech_enc_length, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &length);
9924 offset += 2;
9925 proto_tree_add_item(tree, hf->hf.ech_enc, tvb, offset, length, ENC_NA0x00000000);
9926 offset += length;
9927 proto_tree_add_item_ret_uint(tree, hf->hf.ech_payload_length, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &length);
9928 offset += 2;
9929 payload_ti = proto_tree_add_item(tree, hf->hf.ech_payload, tvb, offset, length, ENC_NA0x00000000);
9930 offset += length;
9931
9932 if (!mk_map) {
9933 break;
9934 }
9935 if (session->client_random.data_len == 0) {
9936 ssl_debug_printf("%s missing Client Random\n", G_STRFUNC((const char*) (__func__)));
9937 break;
9938 }
9939 StringInfo *ech_secret = (StringInfo *)g_hash_table_lookup(mk_map->ech_secret, &session->client_random);
9940 StringInfo *ech_config = (StringInfo *)g_hash_table_lookup(mk_map->ech_config, &session->client_random);
9941 if (!ech_secret || !ech_config) {
9942 ssl_debug_printf("%s Cannot find ECH_SECRET or ECH_CONFIG, Encrypted Client Hello decryption impossible\n",
9943 G_STRFUNC((const char*) (__func__)));
9944 break;
9945 }
9946
9947 if (hpke_hkdf_len(kdf_id) == 0) {
9948 ssl_debug_printf("Unsupported KDF\n");
9949 break;
9950 }
9951
9952 if (hpke_aead_key_len(aead_id) == 0) {
9953 ssl_debug_printf("Unsupported AEAD\n");
9954 break;
9955 }
9956
9957 size_t aead_nonce_len = hpke_aead_nonce_len(aead_id);
9958
9959 uint16_t version = GUINT16_FROM_BE(*(uint16_t *)ech_config->data)(((((guint16) ( (guint16) ((guint16) (*(uint16_t *)ech_config
->data) >> 8) | (guint16) ((guint16) (*(uint16_t *)ech_config
->data) << 8))))));
9960 if (version != SSL_HND_HELLO_EXT_ENCRYPTED_CLIENT_HELLO65037) {
9961 ssl_debug_printf("Unexpected version in ECH Config\n");
9962 break;
9963 }
9964 uint32_t ech_config_offset = 2;
9965 if (GUINT16_FROM_BE(*(uint16_t *)(ech_config->data + ech_config_offset))(((((guint16) ( (guint16) ((guint16) (*(uint16_t *)(ech_config
->data + ech_config_offset)) >> 8) | (guint16) ((guint16
) (*(uint16_t *)(ech_config->data + ech_config_offset)) <<
8)))))) != ech_config->data_len - 4) {
9966 ssl_debug_printf("Malformed ECH Config, invalid length\n");
9967 break;
9968 }
9969 ech_config_offset += 2;
9970 if (*(ech_config->data + ech_config_offset) != config_id) {
9971 ssl_debug_printf("ECH Config version mismatch\n");
9972 break;
9973 }
9974 ech_config_offset += 1;
9975 uint16_t kem_id_be = *(uint16_t *)(ech_config->data + ech_config_offset);
9976 uint16_t kem_id = GUINT16_FROM_BE(kem_id_be)(((((guint16) ( (guint16) ((guint16) (kem_id_be) >> 8) |
(guint16) ((guint16) (kem_id_be) << 8))))));
9977 uint8_t suite_id[HPKE_SUIT_ID_LEN10];
9978 hpke_suite_id(kem_id, kdf_id, aead_id, suite_id);
9979 GByteArray *info = g_byte_array_new();
9980 g_byte_array_append(info, "tls ech", 8);
9981 g_byte_array_append(info, ech_config->data, ech_config->data_len);
9982 uint8_t key[AEAD_MAX_KEY_LENGTH32];
9983 uint8_t base_nonce[HPKE_AEAD_NONCE_LENGTH12];
9984 if (hpke_key_schedule(kdf_id, aead_id, ech_secret->data, ech_secret->data_len, suite_id, info->data, info->len, HPKE_MODE_BASE0,
9985 key, base_nonce)) {
9986 g_byte_array_free(info, TRUE(!(0)));
9987 break;
9988 }
9989 g_byte_array_free(info, TRUE(!(0)));
9990 gcry_cipher_hd_t cipher;
9991 if (hpke_setup_aead(&cipher, aead_id, key) ||
9992 hpke_set_nonce(cipher, !session->hrr_ech_declined && pinfo->num > session->first_ch_ech_frame, base_nonce, aead_nonce_len)) {
9993 gcry_cipher_close(cipher);
9994 break;
9995 }
9996 const uint8_t *payload = tvb_get_ptr(tvb, offset - length, length);
9997 uint8_t *ech_aad = (uint8_t *)wmem_alloc(NULL((void*)0), hello_length);
9998 tvb_memcpy(tvb, ech_aad, initial_offset, hello_length);
9999 memset(ech_aad + offset - length - initial_offset, 0, length);
10000 if (gcry_cipher_authenticate(cipher, ech_aad, hello_length)) {
10001 gcry_cipher_close(cipher);
10002 wmem_free(NULL((void*)0), ech_aad);
10003 break;
10004 }
10005 wmem_free(NULL((void*)0), ech_aad);
10006 uint8_t *ech_decrypted_data = (uint8_t *)wmem_alloc(pinfo->pool, length - 16);
10007 if (gcry_cipher_decrypt(cipher, ech_decrypted_data, length - 16, payload, length - 16)) {
10008 gcry_cipher_close(cipher);
10009 break;
10010 }
10011 unsigned char ech_auth_tag_calc[16];
10012 if (gcry_cipher_gettag(cipher, ech_auth_tag_calc, 16)) {
10013 gcry_cipher_close(cipher);
10014 break;
10015 }
10016 if (ssl && !session->hrr_ech_declined && session->first_ch_ech_frame == pinfo->num)
10017 memcpy(session->first_ech_auth_tag, ech_auth_tag_calc, 16);
10018 gcry_cipher_close(cipher);
10019 if (memcmp(pinfo->num > session->first_ch_ech_frame ? ech_auth_tag_calc : session->first_ech_auth_tag,
10020 payload + length - 16, 16)) {
10021 ssl_debug_printf("%s ECH auth tag mismatch\n", G_STRFUNC((const char*) (__func__)));
10022 } else {
10023 payload_tree = proto_item_add_subtree(payload_ti, hf->ett.ech_decrypt);
10024 tvbuff_t *ech_tvb = tvb_new_child_real_data(tvb, ech_decrypted_data, length - 16, length - 16);
10025 add_new_data_source(pinfo, ech_tvb, "Client Hello Inner");
10026 if (ssl) {
10027 tvb_memcpy(ech_tvb, ssl->client_random.data, 2, 32);
10028 uint32_t len_offset = ssl->ech_transcript.data_len;
10029 if (ssl->ech_transcript.data_len > 0)
10030 ssl->ech_transcript.data = (unsigned char*)wmem_realloc(wmem_file_scope(), ssl->ech_transcript.data,
10031 ssl->ech_transcript.data_len + hello_length + 4);
10032 else
10033 ssl->ech_transcript.data = (unsigned char*)wmem_alloc(wmem_file_scope(), hello_length + 4);
10034 ssl->ech_transcript.data[ssl->ech_transcript.data_len] = SSL_HND_CLIENT_HELLO;
10035 ssl->ech_transcript.data[ssl->ech_transcript.data_len + 1] = 0;
10036 tvb_memcpy(ech_tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len + 4, 0, 34);
10037 ssl->ech_transcript.data_len += 38;
10038 tvb_memcpy(tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len, initial_offset + 34,
10039 tvb_get_uint8(tvb, initial_offset + 34) + 1);
10040 ssl->ech_transcript.data_len += tvb_get_uint8(tvb, initial_offset + 34) + 1;
10041 uint32_t ech_offset = 35 + tvb_get_uint8(ech_tvb, 34);
10042 tvb_memcpy(ech_tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len, ech_offset,
10043 2 + tvb_get_ntohs(ech_tvb, ech_offset));
10044 ssl->ech_transcript.data_len += 2 + tvb_get_ntohs(ech_tvb, ech_offset);
10045 ech_offset += 2 + tvb_get_ntohs(ech_tvb, ech_offset);
10046 tvb_memcpy(ech_tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len, ech_offset,
10047 1 + tvb_get_uint8(ech_tvb, ech_offset));
10048 ssl->ech_transcript.data_len += 1 + tvb_get_uint8(ech_tvb, ech_offset);
10049 ech_offset += 1 + tvb_get_uint8(ech_tvb, ech_offset);
10050 uint32_t ech_extensions_len_offset = ssl->ech_transcript.data_len;
10051 ssl->ech_transcript.data_len += 2;
10052 uint16_t extensions_end = ech_offset + tvb_get_ntohs(ech_tvb, ech_offset) + 2;
10053 ech_offset += 2;
10054 while (extensions_end - ech_offset >= 4) {
10055 if (tvb_get_ntohs(ech_tvb, ech_offset) != SSL_HND_HELLO_EXT_ECH_OUTER_EXTENSIONS64768) {
10056 tvb_memcpy(ech_tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len, ech_offset,
10057 4 + tvb_get_ntohs(ech_tvb, ech_offset + 2));
10058 ssl->ech_transcript.data_len += 4 + tvb_get_ntohs(ech_tvb, ech_offset + 2);
10059 ech_offset += 4 + tvb_get_ntohs(ech_tvb, ech_offset + 2);
10060 } else if (tvb_get_ntohs(ech_tvb, ech_offset + 2) > 0) {
10061 uint8_t outer_extensions_end = tvb_get_uint8(ech_tvb, ech_offset + 4) + ech_offset + 5;
10062 ech_offset += 5;
10063 uint16_t outer_offset = initial_offset + 35 + tvb_get_uint8(tvb, initial_offset + 34);
10064 outer_offset += tvb_get_ntohs(tvb, outer_offset) + 2;
10065 outer_offset += tvb_get_uint8(tvb, outer_offset) + 3;
10066 while (outer_extensions_end - ech_offset >= 2) {
10067 while (hello_length - outer_offset >= 4) {
10068 if (tvb_get_ntohs(tvb, outer_offset) == tvb_get_ntohs(ech_tvb, ech_offset)) {
10069 tvb_memcpy(tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len, outer_offset,
10070 4 + tvb_get_ntohs(tvb, outer_offset + 2));
10071 ssl->ech_transcript.data_len += 4 + tvb_get_ntohs(tvb, outer_offset + 2);
10072 outer_offset += 4 + tvb_get_ntohs(tvb, outer_offset + 2);
10073 break;
10074 } else {
10075 outer_offset += 4 + tvb_get_ntohs(tvb, outer_offset + 2);
10076 }
10077 }
10078 ech_offset += 2;
10079 }
10080 }
10081 }
10082 uint16_t ech_extensions_len_be = GUINT16_TO_BE(ssl->ech_transcript.data_len - ech_extensions_len_offset - 2)((((guint16) ( (guint16) ((guint16) (ssl->ech_transcript.data_len
- ech_extensions_len_offset - 2) >> 8) | (guint16) ((guint16
) (ssl->ech_transcript.data_len - ech_extensions_len_offset
- 2) << 8)))));
10083 *(ssl->ech_transcript.data + ech_extensions_len_offset) = ech_extensions_len_be & 0xff;
10084 *(ssl->ech_transcript.data + ech_extensions_len_offset + 1) = (ech_extensions_len_be >> 8);
10085 *(ssl->ech_transcript.data + len_offset + 2) = ((ssl->ech_transcript.data_len - len_offset - 4) >> 8);
10086 *(ssl->ech_transcript.data + len_offset + 3) = (ssl->ech_transcript.data_len - len_offset - 4) & 0xff;
10087 }
10088 uint32_t ech_padding_begin = (uint32_t)ssl_dissect_hnd_cli_hello(hf, ech_tvb, pinfo, payload_tree, 0, length - 16, session,
10089 ssl, NULL((void*)0), mk_map);
10090 if (ech_padding_begin < length - 16) {
10091 proto_tree_add_item(payload_tree, hf->hf.ech_padding_data, ech_tvb, ech_padding_begin, length - 16 - ech_padding_begin,
10092 ENC_NA0x00000000);
10093 }
10094 }
10095
10096 break;
10097 case 1: /* inner */
10098 break;
10099 }
10100 break;
10101
10102 case SSL_HND_ENCRYPTED_EXTENSIONS:
10103 /*
10104 * struct {
10105 * ECHConfigList retry_configs;
10106 * } ECHEncryptedExtensions;
10107 */
10108
10109 ti = proto_tree_add_item(tree, hf->hf.ech_retry_configs, tvb, offset, offset_end - offset, ENC_NA0x00000000);
10110 retry_tree = proto_item_add_subtree(ti, hf->ett.ech_retry_configs);
10111 offset = ssl_dissect_ext_ech_echconfiglist(hf, tvb, pinfo, retry_tree, offset, offset_end);
10112 break;
10113
10114 case SSL_HND_HELLO_RETRY_REQUEST:
10115 /*
10116 * struct {
10117 * opaque confirmation[8];
10118 * } ECHHelloRetryRequest;
10119 */
10120
10121 proto_tree_add_item(tree, hf->hf.ech_confirmation, tvb, offset, 8, ENC_NA0x00000000);
10122 if (session->ech) {
10123 ti = proto_tree_add_bytes_with_length(tree, hf->hf.hs_ech_confirm_compute, tvb, offset, 0, session->hrr_ech_confirmation, 8);
10124 proto_item_set_generated(ti);
10125 if (memcmp(session->hrr_ech_confirmation, tvb_get_ptr(tvb, offset, 8), 8)) {
10126 expert_add_info(pinfo, ti, &hf->ei.ech_rejected);
10127 } else {
10128 expert_add_info(pinfo, ti, &hf->ei.ech_accepted);
10129 }
10130 }
10131 offset += 8;
10132 break;
10133 }
10134
10135 return offset;
10136}
10137
10138static uint32_t
10139ssl_dissect_hnd_hello_ext_esni(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
10140 proto_tree *tree, uint32_t offset, uint32_t offset_end,
10141 uint8_t hnd_type, SslDecryptSession *ssl _U___attribute__((unused)))
10142{
10143 uint32_t record_digest_length, encrypted_sni_length;
10144
10145 switch (hnd_type) {
10146 case SSL_HND_CLIENT_HELLO:
10147 /*
10148 * struct {
10149 * CipherSuite suite;
10150 * KeyShareEntry key_share;
10151 * opaque record_digest<0..2^16-1>;
10152 * opaque encrypted_sni<0..2^16-1>;
10153 * } ClientEncryptedSNI;
10154 */
10155 proto_tree_add_item(tree, hf->hf.esni_suite, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
10156 offset += 2;
10157 offset = ssl_dissect_hnd_hello_ext_key_share_entry(hf, tvb, pinfo, tree, offset, offset_end, NULL((void*)0));
10158
10159 /* opaque record_digest<0..2^16-1> */
10160 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &record_digest_length,
10161 hf->hf.esni_record_digest_length, 0, UINT16_MAX(65535))) {
10162 return offset_end;
10163 }
10164 offset += 2;
10165 if (record_digest_length > 0) {
10166 proto_tree_add_item(tree, hf->hf.esni_record_digest, tvb, offset, record_digest_length, ENC_NA0x00000000);
10167 offset += record_digest_length;
10168 }
10169
10170 /* opaque encrypted_sni<0..2^16-1> */
10171 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &encrypted_sni_length,
10172 hf->hf.esni_encrypted_sni_length, 0, UINT16_MAX(65535))) {
10173 return offset_end;
10174 }
10175 offset += 2;
10176 if (encrypted_sni_length > 0) {
10177 proto_tree_add_item(tree, hf->hf.esni_encrypted_sni, tvb, offset, encrypted_sni_length, ENC_NA0x00000000);
10178 offset += encrypted_sni_length;
10179 }
10180 break;
10181
10182 case SSL_HND_ENCRYPTED_EXTENSIONS:
10183 proto_tree_add_item(tree, hf->hf.esni_nonce, tvb, offset, 16, ENC_NA0x00000000);
10184 offset += 16;
10185 break;
10186 }
10187
10188 return offset;
10189}
10190/** TLS Extensions (in Client Hello and Server Hello). }}} */
10191
10192/* Connection ID dissection. {{{ */
10193static uint32_t
10194ssl_dissect_ext_connection_id(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
10195 proto_tree *tree, uint32_t offset, SslDecryptSession *ssl,
10196 uint8_t cidl, uint8_t **session_cid, uint8_t *session_cidl)
10197{
10198 /* keep track of the decrypt session only for the first pass */
10199 if (cidl > 0 && !PINFO_FD_VISITED(pinfo)((pinfo)->fd->visited)) {
10200 tvb_ensure_bytes_exist(tvb, offset + 1, cidl);
10201 *session_cidl = cidl;
10202 *session_cid = (uint8_t*)wmem_alloc0(wmem_file_scope(), cidl);
10203 tvb_memcpy(tvb, *session_cid, offset + 1, cidl);
10204 if (ssl) {
10205 ssl_add_session_by_cid(ssl);
10206 }
10207 }
10208
10209 proto_tree_add_item(tree, hf->hf.hs_ext_connection_id_length,
10210 tvb, offset, 1, ENC_NA0x00000000);
10211 offset++;
10212
10213 if (cidl > 0) {
10214 proto_tree_add_item(tree, hf->hf.hs_ext_connection_id,
10215 tvb, offset, cidl, ENC_NA0x00000000);
10216 offset += cidl;
10217 }
10218
10219 return offset;
10220}
10221
10222static uint32_t
10223ssl_dissect_hnd_hello_ext_connection_id(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
10224 proto_tree *tree, uint32_t offset, uint8_t hnd_type,
10225 SslSession *session, SslDecryptSession *ssl)
10226{
10227 uint8_t cidl = tvb_get_uint8(tvb, offset);
10228
10229 switch (hnd_type) {
10230 case SSL_HND_CLIENT_HELLO:
10231 session->client_cid_len_present = true1;
10232 return ssl_dissect_ext_connection_id(hf, tvb, pinfo, tree, offset, ssl,
10233 cidl, &session->client_cid, &session->client_cid_len);
10234 case SSL_HND_SERVER_HELLO:
10235 session->server_cid_len_present = true1;
10236 return ssl_dissect_ext_connection_id(hf, tvb, pinfo, tree, offset, ssl,
10237 cidl, &session->server_cid, &session->server_cid_len);
10238 default:
10239 return offset;
10240 }
10241} /* }}} */
10242
10243/* Trusted CA dissection. {{{ */
10244static uint32_t
10245ssl_dissect_hnd_hello_ext_trusted_ca_keys(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
10246 uint32_t offset, uint32_t offset_end)
10247{
10248 proto_item *ti;
10249 proto_tree *subtree;
10250 uint32_t keys_length, next_offset;
10251
10252 /*
10253 * struct {
10254 * TrustedAuthority trusted_authorities_list<0..2^16-1>;
10255 * } TrustedAuthorities;
10256 *
10257 * struct {
10258 * IdentifierType identifier_type;
10259 * select (identifier_type) {
10260 * case pre_agreed: struct {};
10261 * case key_sha1_hash: SHA1Hash;
10262 * case x509_name: DistinguishedName;
10263 * case cert_sha1_hash: SHA1Hash;
10264 * } identifier;
10265 * } TrustedAuthority;
10266 *
10267 * enum {
10268 * pre_agreed(0), key_sha1_hash(1), x509_name(2),
10269 * cert_sha1_hash(3), (255)
10270 * } IdentifierType;
10271 *
10272 * opaque DistinguishedName<1..2^16-1>;
10273 *
10274 */
10275
10276
10277 /* TrustedAuthority trusted_authorities_list<0..2^16-1> */
10278 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &keys_length, hf->hf.hs_ext_trusted_ca_keys_len,
10279 0, UINT16_MAX(65535)))
10280 {
10281 return offset_end;
10282 }
10283 offset += 2;
10284 next_offset = offset + keys_length;
10285
10286 if (keys_length > 0)
10287 {
10288 ti = proto_tree_add_none_format(tree, hf->hf.hs_ext_trusted_ca_keys_list, tvb, offset, keys_length,
10289 "Trusted CA keys (%d byte%s)", keys_length, plurality(keys_length, "", "s")((keys_length) == 1 ? ("") : ("s")));
10290 subtree = proto_item_add_subtree(ti, hf->ett.hs_ext_trusted_ca_keys);
10291
10292 while (offset < next_offset)
10293 {
10294 uint32_t identifier_type;
10295 proto_tree *trusted_key_tree;
10296 proto_item *trusted_key_item;
10297 asn1_ctx_t asn1_ctx;
10298 uint32_t key_len = 0;
10299
10300 identifier_type = tvb_get_uint8(tvb, offset);
10301
10302 // Use 0 as length for now as we'll only know the size when we decode the identifier
10303 trusted_key_item = proto_tree_add_none_format(subtree, hf->hf.hs_ext_trusted_ca_key, tvb,
10304 offset, 0, "Trusted CA Key");
10305 trusted_key_tree = proto_item_add_subtree(trusted_key_item, hf->ett.hs_ext_trusted_ca_key);
10306
10307 proto_tree_add_uint(trusted_key_tree, hf->hf.hs_ext_trusted_ca_key_type, tvb,
10308 offset, 1, identifier_type);
10309 offset++;
10310
10311 /*
10312 * enum {
10313 * pre_agreed(0), key_sha1_hash(1), x509_name(2),
10314 * cert_sha1_hash(3), (255)
10315 * } IdentifierType;
10316 */
10317 switch (identifier_type)
10318 {
10319 case 0:
10320 key_len = 0;
10321 break;
10322 case 2:
10323 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true1, pinfo);
10324
10325 uint32_t name_length;
10326 /* opaque DistinguishedName<1..2^16-1> */
10327 if (!ssl_add_vector(hf, tvb, pinfo, trusted_key_tree, offset, next_offset, &name_length,
10328 hf->hf.hs_ext_trusted_ca_key_dname_len, 1, UINT16_MAX(65535))) {
10329 return next_offset;
10330 }
10331 offset += 2;
10332
10333 dissect_x509if_DistinguishedName(false0, tvb, offset, &asn1_ctx,
10334 trusted_key_tree, hf->hf.hs_ext_trusted_ca_key_dname);
10335 offset += name_length;
10336 break;
10337 case 1:
10338 case 3:
10339 key_len = 20;
10340 /* opaque SHA1Hash[20]; */
10341 proto_tree_add_item(trusted_key_tree, hf->hf.hs_ext_trusted_ca_key_hash, tvb,
10342 offset, 20, ENC_NA0x00000000);
10343 break;
10344
10345 default:
10346 key_len = 0;
10347 /*TODO display expert info about unknown ? */
10348 break;
10349 }
10350 proto_item_set_len(trusted_key_item, 1 + key_len);
10351 offset += key_len;
10352 }
10353 }
10354
10355 if (!ssl_end_vector(hf, tvb, pinfo, tree, offset, next_offset))
10356 {
10357 offset = next_offset;
10358 }
10359
10360 return offset;
10361} /* }}} */
10362
10363
10364/* Whether the Content and Handshake Types are valid; handle Protocol Version. {{{ */
10365bool_Bool
10366ssl_is_valid_content_type(uint8_t type)
10367{
10368 switch ((ContentType) type) {
10369 case SSL_ID_CHG_CIPHER_SPEC:
10370 case SSL_ID_ALERT:
10371 case SSL_ID_HANDSHAKE:
10372 case SSL_ID_APP_DATA:
10373 case SSL_ID_HEARTBEAT:
10374 case SSL_ID_TLS12_CID:
10375 case SSL_ID_DTLS13_ACK:
10376 return true1;
10377 }
10378 return false0;
10379}
10380
10381bool_Bool
10382ssl_is_valid_handshake_type(uint8_t hs_type, bool_Bool is_dtls)
10383{
10384 switch ((HandshakeType) hs_type) {
10385 case SSL_HND_HELLO_VERIFY_REQUEST:
10386 /* hello_verify_request is DTLS-only */
10387 return is_dtls;
10388
10389 case SSL_HND_HELLO_REQUEST:
10390 case SSL_HND_CLIENT_HELLO:
10391 case SSL_HND_SERVER_HELLO:
10392 case SSL_HND_NEWSESSION_TICKET:
10393 case SSL_HND_END_OF_EARLY_DATA:
10394 case SSL_HND_HELLO_RETRY_REQUEST:
10395 case SSL_HND_ENCRYPTED_EXTENSIONS:
10396 case SSL_HND_CERTIFICATE:
10397 case SSL_HND_SERVER_KEY_EXCHG:
10398 case SSL_HND_CERT_REQUEST:
10399 case SSL_HND_SVR_HELLO_DONE:
10400 case SSL_HND_CERT_VERIFY:
10401 case SSL_HND_CLIENT_KEY_EXCHG:
10402 case SSL_HND_FINISHED:
10403 case SSL_HND_CERT_URL:
10404 case SSL_HND_CERT_STATUS:
10405 case SSL_HND_SUPPLEMENTAL_DATA:
10406 case SSL_HND_KEY_UPDATE:
10407 case SSL_HND_COMPRESSED_CERTIFICATE:
10408 case SSL_HND_ENCRYPTED_EXTS:
10409 return true1;
10410 case SSL_HND_MESSAGE_HASH:
10411 return false0;
10412 }
10413 return false0;
10414}
10415
10416static bool_Bool
10417ssl_is_authoritative_version_message(uint8_t content_type, uint8_t handshake_type,
10418 bool_Bool is_dtls)
10419{
10420 /* Consider all valid Handshake messages (except for Client Hello) and
10421 * all other valid record types (other than Handshake) */
10422 return (content_type == SSL_ID_HANDSHAKE &&
10423 ssl_is_valid_handshake_type(handshake_type, is_dtls) &&
10424 handshake_type != SSL_HND_CLIENT_HELLO) ||
10425 (content_type != SSL_ID_HANDSHAKE &&
10426 ssl_is_valid_content_type(content_type));
10427}
10428
10429/**
10430 * Scan a Server Hello handshake message for the negotiated version. For TLS 1.3
10431 * draft 22 and newer, it also checks whether it is a HelloRetryRequest.
10432 * Returns true if the supported_versions extension was found, false if not.
10433 */
10434bool_Bool
10435tls_scan_server_hello(tvbuff_t *tvb, uint32_t offset, uint32_t offset_end,
10436 uint16_t *server_version, bool_Bool *is_hrr)
10437{
10438 /* SHA256("HelloRetryRequest") */
10439 static const uint8_t tls13_hrr_random_magic[] = {
10440 0xcf, 0x21, 0xad, 0x74, 0xe5, 0x9a, 0x61, 0x11, 0xbe, 0x1d, 0x8c, 0x02, 0x1e, 0x65, 0xb8, 0x91,
10441 0xc2, 0xa2, 0x11, 0x16, 0x7a, 0xbb, 0x8c, 0x5e, 0x07, 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c
10442 };
10443 uint8_t session_id_length;
10444
10445 *server_version = tvb_get_ntohs(tvb, offset);
10446
10447 /*
10448 * Try to look for supported_versions extension. Minimum length:
10449 * 2 + 32 + 1 = 35 (version, random, session id length)
10450 * 2 + 1 + 2 = 5 (cipher suite, compression method, extensions length)
10451 * 2 + 2 + 2 = 6 (ext type, ext len, version)
10452 *
10453 * We only check for the [legacy_]version field to be [D]TLS 1.2; if it's 1.3,
10454 * there's a separate expert info warning for that.
10455 */
10456 if ((*server_version == TLSV1DOT2_VERSION0x303 || *server_version == DTLSV1DOT2_VERSION0xfefd) && offset_end - offset >= 46) {
10457 offset += 2;
10458 if (is_hrr) {
10459 *is_hrr = tvb_memeql(tvb, offset, tls13_hrr_random_magic, sizeof(tls13_hrr_random_magic)) == 0;
10460 }
10461 offset += 32;
10462 session_id_length = tvb_get_uint8(tvb, offset);
10463 offset++;
10464 if (offset_end - offset < session_id_length + 5u) {
10465 return false0;
10466 }
10467 offset += session_id_length + 5;
10468
10469 while (offset_end - offset >= 6) {
10470 uint16_t ext_type = tvb_get_ntohs(tvb, offset);
10471 uint16_t ext_len = tvb_get_ntohs(tvb, offset + 2);
10472 if (offset_end - offset < 4u + ext_len) {
10473 break; /* not enough data for type, length and data */
10474 }
10475 if (ext_type == SSL_HND_HELLO_EXT_SUPPORTED_VERSIONS43) {
10476 if (ext_len == 2) {
10477 *server_version = tvb_get_ntohs(tvb, offset + 4);
10478 }
10479 return true1;
10480 }
10481 offset += 4 + ext_len;
10482 }
10483 } else {
10484 if (is_hrr) {
10485 *is_hrr = false0;
10486 }
10487 }
10488 return false0;
10489}
10490
10491/**
10492 * Scan a Client Hello handshake message to see if the supported_versions
10493 * extension is found, in which case the version field is legacy_version.
10494 */
10495static bool_Bool
10496tls_scan_client_hello(tvbuff_t *tvb, uint32_t offset, uint32_t offset_end)
10497{
10498 uint8_t session_id_length;
10499
10500 uint16_t client_version = tvb_get_ntohs(tvb, offset);
10501
10502 /*
10503 * Try to look for supported_versions extension. Minimum length:
10504 * 2 + 32 + 1 = 35 (version, random, session id length)
10505 * 2 + 2 + 1 + 2 = 5 (cipher suite, compression method, extensions length)
10506 * 2 + 2 + 2 = 6 (ext type, ext len, version)
10507 *
10508 * We only check for the [legacy_]version field to be [D]TLS 1.2; if it's 1.3,
10509 * there's a separate expert info warning for that.
10510 */
10511 if ((client_version == TLSV1DOT2_VERSION0x303 || client_version == DTLSV1DOT2_VERSION0xfefd) && offset_end - offset >= 46) {
10512 offset += 2;
10513 offset += 32;
10514 session_id_length = tvb_get_uint8(tvb, offset);
10515 offset++;
10516 if (offset_end - offset < session_id_length + 2u) {
10517 return false0;
10518 }
10519 offset += session_id_length;
10520 if (client_version == DTLSV1DOT2_VERSION0xfefd) {
10521 uint8_t cookie_length = tvb_get_uint8(tvb, offset);
10522 offset++;
10523 if (offset_end - offset < cookie_length + 2u) {
10524 return false0;
10525 }
10526 }
10527 uint16_t cipher_suites_length = tvb_get_ntohs(tvb, offset);
10528 offset += 2;
10529 if (offset_end - offset < cipher_suites_length + 1u) {
10530 return false0;
10531 }
10532 offset += cipher_suites_length;
10533 uint8_t compression_methods_length = tvb_get_uint8(tvb, offset);
10534 offset++;
10535 if (offset_end - offset < compression_methods_length + 2u) {
10536 return false0;
10537 }
10538 offset += compression_methods_length + 2;
10539
10540 while (offset_end - offset >= 6) {
10541 uint16_t ext_type = tvb_get_ntohs(tvb, offset);
10542 uint16_t ext_len = tvb_get_ntohs(tvb, offset + 2);
10543 if (offset_end - offset < 4u + ext_len) {
10544 break; /* not enough data for type, length and data */
10545 }
10546 if (ext_type == SSL_HND_HELLO_EXT_SUPPORTED_VERSIONS43) {
10547 return true1;
10548 }
10549 offset += 4 + ext_len;
10550 }
10551 }
10552 return false0;
10553}
10554void
10555ssl_try_set_version(SslSession *session, SslDecryptSession *ssl,
10556 uint8_t content_type, uint8_t handshake_type,
10557 bool_Bool is_dtls, uint16_t version)
10558{
10559 uint8_t tls13_draft = 0;
10560
10561 if (!ssl_is_authoritative_version_message(content_type, handshake_type,
10562 is_dtls))
10563 return;
10564
10565 version = tls_try_get_version(is_dtls, version, &tls13_draft);
10566 if (version == SSL_VER_UNKNOWN0) {
10567 return;
10568 }
10569
10570 session->tls13_draft_version = tls13_draft;
10571 session->version = version;
10572 if (ssl) {
10573 ssl->state |= SSL_VERSION(1<<4);
10574 ssl_debug_printf("%s found version 0x%04X -> state 0x%02X\n", G_STRFUNC((const char*) (__func__)), version, ssl->state);
10575 }
10576}
10577
10578void
10579ssl_check_record_length(ssl_common_dissect_t *hf, packet_info *pinfo,
10580 ContentType content_type,
10581 unsigned record_length, proto_item *length_pi,
10582 uint16_t version, tvbuff_t *decrypted_tvb)
10583{
10584 unsigned max_expansion;
10585 if (version == TLSV1DOT3_VERSION0x304) {
10586 /* TLS 1.3: Max length is 2^14 + 256 */
10587 max_expansion = 256;
10588 } else {
10589 /* RFC 5246, Section 6.2.3: TLSCiphertext.fragment length MUST NOT exceed 2^14 + 2048 */
10590 max_expansion = 2048;
10591 }
10592 /*
10593 * RFC 5246 (TLS 1.2), Section 6.2.1 forbids zero-length Handshake, Alert
10594 * and ChangeCipherSpec.
10595 * RFC 6520 (Heartbeats) does not mention zero-length Heartbeat fragments,
10596 * so assume it is permitted.
10597 * RFC 6347 (DTLS 1.2) does not mention zero-length fragments either, so
10598 * assume TLS 1.2 requirements.
10599 */
10600 if (record_length == 0 &&
10601 (content_type == SSL_ID_CHG_CIPHER_SPEC ||
10602 content_type == SSL_ID_ALERT ||
10603 content_type == SSL_ID_HANDSHAKE)) {
10604 expert_add_info_format(pinfo, length_pi, &hf->ei.record_length_invalid,
10605 "Zero-length %s fragments are not allowed",
10606 val_to_str_const(content_type, ssl_31_content_type, "unknown"));
10607 }
10608 if (record_length > TLS_MAX_RECORD_LENGTH0x4000 + max_expansion) {
10609 expert_add_info_format(pinfo, length_pi, &hf->ei.record_length_invalid,
10610 "TLSCiphertext length MUST NOT exceed 2^14 + %u", max_expansion);
10611 }
10612 if (decrypted_tvb && tvb_captured_length(decrypted_tvb) > TLS_MAX_RECORD_LENGTH0x4000) {
10613 expert_add_info_format(pinfo, length_pi, &hf->ei.record_length_invalid,
10614 "TLSPlaintext length MUST NOT exceed 2^14");
10615 }
10616}
10617
10618static void
10619ssl_set_cipher(SslDecryptSession *ssl, uint16_t cipher)
10620{
10621 /* store selected cipher suite for decryption */
10622 ssl->session.cipher = cipher;
10623
10624 const SslCipherSuite *cs = ssl_find_cipher(cipher);
10625 if (!cs) {
10626 ssl->cipher_suite = NULL((void*)0);
10627 ssl->state &= ~SSL_CIPHER(1<<2);
10628 ssl_debug_printf("%s can't find cipher suite 0x%04X\n", G_STRFUNC((const char*) (__func__)), cipher);
10629 } else if (ssl->session.version == SSLV3_VERSION0x300 && !(cs->dig == DIG_MD50x40 || cs->dig == DIG_SHA0x41)) {
10630 /* A malicious packet capture contains a SSL 3.0 session using a TLS 1.2
10631 * cipher suite that uses for example MACAlgorithm SHA256. Reject that
10632 * to avoid a potential buffer overflow in ssl3_check_mac. */
10633 ssl->cipher_suite = NULL((void*)0);
10634 ssl->state &= ~SSL_CIPHER(1<<2);
10635 ssl_debug_printf("%s invalid SSL 3.0 cipher suite 0x%04X\n", G_STRFUNC((const char*) (__func__)), cipher);
10636 } else {
10637 /* Cipher found, save this for the delayed decoder init */
10638 ssl->cipher_suite = cs;
10639 ssl->state |= SSL_CIPHER(1<<2);
10640 ssl_debug_printf("%s found CIPHER 0x%04X %s -> state 0x%02X\n", G_STRFUNC((const char*) (__func__)), cipher,
10641 val_to_str_ext_const(cipher, &ssl_31_ciphersuite_ext, "unknown"),
10642 ssl->state);
10643 }
10644}
10645/* }}} */
10646
10647
10648/* Client Hello and Server Hello dissections. {{{ */
10649static int
10650ssl_dissect_hnd_extension(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree,
10651 packet_info* pinfo, uint32_t offset, uint32_t offset_end, uint8_t hnd_type,
10652 SslSession *session, SslDecryptSession *ssl,
10653 bool_Bool is_dtls, wmem_strbuf_t *ja3, ja4_data_t *ja4_data,
10654 ssl_master_key_map_t *mk_map, uint32_t initial_offset, uint32_t hello_length);
10655int
10656// NOLINTNEXTLINE(misc-no-recursion)
10657ssl_dissect_hnd_cli_hello(ssl_common_dissect_t *hf, tvbuff_t *tvb,
10658 packet_info *pinfo, proto_tree *tree, uint32_t offset,
10659 uint32_t offset_end, SslSession *session,
10660 SslDecryptSession *ssl, dtls_hfs_t *dtls_hfs, ssl_master_key_map_t *mk_map)
10661{
10662 /* struct {
10663 * ProtocolVersion client_version;
10664 * Random random;
10665 * SessionID session_id;
10666 * opaque cookie<0..32>; //new field for DTLS
10667 * CipherSuite cipher_suites<2..2^16-1>;
10668 * CompressionMethod compression_methods<1..2^8-1>;
10669 * Extension client_hello_extension_list<0..2^16-1>;
10670 * } ClientHello;
10671 */
10672 proto_item *ti;
10673 proto_tree *cs_tree;
10674 uint32_t client_version;
10675 uint32_t cipher_suite_length;
10676 uint32_t compression_methods_length;
10677 uint8_t compression_method;
10678 uint32_t next_offset;
10679 uint32_t initial_offset = offset;
10680 uint32_t hello_length = offset_end - initial_offset;
10681 wmem_strbuf_t *ja3 = wmem_strbuf_new(pinfo->pool, "");
10682 char *ja3_hash;
10683 char *ja3_dash = "";
10684 char *ja4, *ja4_r, *ja4_hash, *ja4_b, *ja4_c;
10685 ja4_data_t ja4_data;
10686 wmem_strbuf_t *ja4_a = wmem_strbuf_new(pinfo->pool, "");
10687 wmem_strbuf_t *ja4_br = wmem_strbuf_new(pinfo->pool, "");
10688 wmem_strbuf_t *ja4_cr = wmem_strbuf_new(pinfo->pool, "");
10689 wmem_list_frame_t *curr_entry;
10690
10691 ja4_data.max_version = 0;
10692 ja4_data.server_name_present = false0;
10693 ja4_data.num_cipher_suites = 0;
10694 ja4_data.num_extensions = 0;
10695 ja4_data.alpn = wmem_strbuf_new(pinfo->pool, "");
10696 ja4_data.cipher_list = wmem_list_new(pinfo->pool);
10697 ja4_data.extension_list = wmem_list_new(pinfo->pool);
10698 ja4_data.sighash_list = wmem_list_new(pinfo->pool);
10699
10700 /* show the client version */
10701 ti = proto_tree_add_item_ret_uint(tree, hf->hf.hs_client_version, tvb,
10702 offset, 2, ENC_BIG_ENDIAN0x00000000,
10703 &client_version);
10704 if (tls_scan_client_hello(tvb, offset, offset_end)) {
10705 expert_add_info(pinfo, ti, &hf->ei.legacy_version);
10706 }
10707 offset += 2;
10708 wmem_strbuf_append_printf(ja3, "%i,", client_version);
10709
10710 /*
10711 * Is it version 1.3?
10712 * If so, that's an error; TLS and DTLS 1.3 Client Hellos claim
10713 * to be TLS 1.2, and mention 1.3 in an extension. See RFC 8446
10714 * section 4.1.2 "Client Hello" and RFC 9147 Section 5.3 "Client
10715 * Hello".
10716 */
10717 if (dtls_hfs != NULL((void*)0)) {
10718 if (client_version == DTLSV1DOT3_VERSION0xfefc) {
10719 /* Don't do that. */
10720 expert_add_info(pinfo, ti, &hf->ei.client_version_error);
10721 }
10722 } else {
10723 if (client_version == TLSV1DOT3_VERSION0x304) {
10724 /* Don't do that. */
10725 expert_add_info(pinfo, ti, &hf->ei.client_version_error);
10726 }
10727 }
10728
10729 /* dissect fields that are present in both ClientHello and ServerHello */
10730 offset = ssl_dissect_hnd_hello_common(hf, tvb, pinfo, tree, offset, session, ssl, false0, false0);
10731
10732 /* fields specific for DTLS (cookie_len, cookie) */
10733 if (dtls_hfs != NULL((void*)0)) {
10734 uint32_t cookie_length;
10735 /* opaque cookie<0..32> (for DTLS only) */
10736 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &cookie_length,
10737 dtls_hfs->hf_dtls_handshake_cookie_len, 0, 32)) {
10738 return offset;
10739 }
10740 offset++;
10741 if (cookie_length > 0) {
10742 proto_tree_add_item(tree, dtls_hfs->hf_dtls_handshake_cookie,
10743 tvb, offset, cookie_length, ENC_NA0x00000000);
10744 offset += cookie_length;
10745 }
10746 }
10747
10748 /* CipherSuite cipher_suites<2..2^16-1> */
10749 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &cipher_suite_length,
10750 hf->hf.hs_cipher_suites_len, 2, UINT16_MAX(65535))) {
10751 return offset;
10752 }
10753 offset += 2;
10754 next_offset = offset + cipher_suite_length;
10755 ti = proto_tree_add_none_format(tree,
10756 hf->hf.hs_cipher_suites,
10757 tvb, offset, cipher_suite_length,
10758 "Cipher Suites (%d suite%s)",
10759 cipher_suite_length / 2,
10760 plurality(cipher_suite_length/2, "", "s")((cipher_suite_length/2) == 1 ? ("") : ("s")));
10761 cs_tree = proto_item_add_subtree(ti, hf->ett.cipher_suites);
10762 while (offset + 2 <= next_offset) {
10763 uint32_t cipher_suite;
10764
10765 proto_tree_add_item_ret_uint(cs_tree, hf->hf.hs_cipher_suite, tvb, offset, 2,
10766 ENC_BIG_ENDIAN0x00000000, &cipher_suite);
10767 offset += 2;
10768 if (!IS_GREASE_TLS(cipher_suite)((((cipher_suite) & 0x0f0f) == 0x0a0a) && (((cipher_suite
) & 0xff) == (((cipher_suite)>>8) & 0xff)))) {
10769 wmem_strbuf_append_printf(ja3, "%s%i",ja3_dash, cipher_suite);
10770 ja3_dash = "-";
10771 ja4_data.num_cipher_suites += 1;
10772 wmem_list_insert_sorted(ja4_data.cipher_list, GUINT_TO_POINTER(cipher_suite)((gpointer) (gulong) (cipher_suite)), wmem_compare_uint);
10773 }
10774 }
10775 wmem_strbuf_append_c(ja3, ',');
10776 if (!ssl_end_vector(hf, tvb, pinfo, cs_tree, offset, next_offset)) {
10777 offset = next_offset;
10778 }
10779
10780 /* CompressionMethod compression_methods<1..2^8-1> */
10781 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &compression_methods_length,
10782 hf->hf.hs_comp_methods_len, 1, UINT8_MAX(255))) {
10783 return offset;
10784 }
10785 offset++;
10786 next_offset = offset + compression_methods_length;
10787 ti = proto_tree_add_none_format(tree,
10788 hf->hf.hs_comp_methods,
10789 tvb, offset, compression_methods_length,
10790 "Compression Methods (%u method%s)",
10791 compression_methods_length,
10792 plurality(compression_methods_length,((compression_methods_length) == 1 ? ("") : ("s"))
10793 "", "s")((compression_methods_length) == 1 ? ("") : ("s")));
10794 cs_tree = proto_item_add_subtree(ti, hf->ett.comp_methods);
10795 while (offset < next_offset) {
10796 compression_method = tvb_get_uint8(tvb, offset);
10797 /* TODO: make reserved/private comp meth. fields selectable */
10798 if (compression_method < 64)
10799 proto_tree_add_uint(cs_tree, hf->hf.hs_comp_method,
10800 tvb, offset, 1, compression_method);
10801 else if (compression_method > 63 && compression_method < 193)
10802 proto_tree_add_uint_format_value(cs_tree, hf->hf.hs_comp_method, tvb, offset, 1,
10803 compression_method, "Reserved - to be assigned by IANA (%u)",
10804 compression_method);
10805 else
10806 proto_tree_add_uint_format_value(cs_tree, hf->hf.hs_comp_method, tvb, offset, 1,
10807 compression_method, "Private use range (%u)",
10808 compression_method);
10809 offset++;
10810 }
10811
10812 /* SSL v3.0 has no extensions, so length field can indeed be missing. */
10813 if (offset < offset_end) {
10814 offset = ssl_dissect_hnd_extension(hf, tvb, tree, pinfo, offset,
10815 offset_end, SSL_HND_CLIENT_HELLO,
10816 session, ssl, dtls_hfs != NULL((void*)0), ja3, &ja4_data, mk_map, initial_offset, hello_length);
10817 if (ja4_data.max_version > 0) {
10818 client_version = ja4_data.max_version;
10819 }
10820 } else {
10821 wmem_strbuf_append_printf(ja3, ",,");
10822 }
10823
10824 if (proto_is_frame_protocol(pinfo->layers,"tcp")) {
10825 wmem_strbuf_append(ja4_a, "t");
10826 } else if (proto_is_frame_protocol(pinfo->layers,"quic")) {
10827 wmem_strbuf_append(ja4_a, "q");
10828 } else if (proto_is_frame_protocol(pinfo->layers,"dtls")) {
10829 wmem_strbuf_append(ja4_a, "d");
10830 }
10831 wmem_strbuf_append_printf(ja4_a, "%s", val_to_str_const(client_version, ssl_version_ja4_names, "00"));
10832 wmem_strbuf_append_printf(ja4_a, "%s", ja4_data.server_name_present ? "d" : "i");
10833 if (ja4_data.num_cipher_suites > 99) {
10834 wmem_strbuf_append(ja4_a, "99");
10835 } else {
10836 wmem_strbuf_append_printf(ja4_a, "%02d", ja4_data.num_cipher_suites);
10837 }
10838 if (ja4_data.num_extensions > 99) {
10839 wmem_strbuf_append(ja4_a, "99");
10840 } else {
10841 wmem_strbuf_append_printf(ja4_a, "%02d", ja4_data.num_extensions);
10842 }
10843 if (wmem_strbuf_get_len(ja4_data.alpn) > 0 ) {
10844 wmem_strbuf_append_printf(ja4_a, "%s", wmem_strbuf_get_str(ja4_data.alpn));
10845 } else {
10846 wmem_strbuf_append(ja4_a, "00");
10847 }
10848
10849 curr_entry = wmem_list_head(ja4_data.cipher_list);
10850 for (unsigned i = 0; i < wmem_list_count(ja4_data.cipher_list); i++) {
10851 wmem_strbuf_append_printf(ja4_br, "%04x", GPOINTER_TO_UINT(wmem_list_frame_data(curr_entry))((guint) (gulong) (wmem_list_frame_data(curr_entry))));
10852 if (i < wmem_list_count(ja4_data.cipher_list) - 1) {
10853 wmem_strbuf_append(ja4_br, ",");
10854 }
10855 curr_entry = wmem_list_frame_next(curr_entry);
10856 }
10857
10858 curr_entry = wmem_list_head(ja4_data.extension_list);
10859 for (unsigned i = 0; i < wmem_list_count(ja4_data.extension_list); i++) {
10860 wmem_strbuf_append_printf(ja4_cr, "%04x", GPOINTER_TO_UINT(wmem_list_frame_data(curr_entry))((guint) (gulong) (wmem_list_frame_data(curr_entry))));
10861 if (i < wmem_list_count(ja4_data.extension_list) - 1) {
10862 wmem_strbuf_append(ja4_cr, ",");
10863 }
10864 curr_entry = wmem_list_frame_next(curr_entry);
10865 }
10866
10867 if (wmem_list_count(ja4_data.sighash_list) > 0) {
10868 wmem_strbuf_append(ja4_cr, "_");
10869 curr_entry = wmem_list_head(ja4_data.sighash_list);
10870 for (unsigned i = 0; i < wmem_list_count(ja4_data.sighash_list); i++) {
10871 wmem_strbuf_append_printf(ja4_cr, "%04x", GPOINTER_TO_UINT(wmem_list_frame_data(curr_entry))((guint) (gulong) (wmem_list_frame_data(curr_entry))));
10872 if (i < wmem_list_count(ja4_data.sighash_list) - 1) {
10873 wmem_strbuf_append(ja4_cr, ",");
10874 }
10875 curr_entry = wmem_list_frame_next(curr_entry);
10876 }
10877 }
10878 if ( wmem_strbuf_get_len(ja4_br) == 0 ) {
10879 ja4_hash = g_strdup("000000000000")g_strdup_inline ("000000000000");
10880 } else {
10881 ja4_hash = g_compute_checksum_for_string(G_CHECKSUM_SHA256, wmem_strbuf_get_str(ja4_br),-1);
10882 }
10883 ja4_b = wmem_strndup(pinfo->pool, ja4_hash, 12);
10884
10885 g_free(ja4_hash);
10886 if ( wmem_strbuf_get_len(ja4_cr) == 0 ) {
10887 ja4_hash = g_strdup("000000000000")g_strdup_inline ("000000000000");
10888 } else {
10889 ja4_hash = g_compute_checksum_for_string(G_CHECKSUM_SHA256, wmem_strbuf_get_str(ja4_cr),-1);
10890 }
10891 ja4_c = wmem_strndup(pinfo->pool, ja4_hash, 12);
10892 g_free(ja4_hash);
10893
10894 ja4 = wmem_strdup_printf(pinfo->pool, "%s_%s_%s", wmem_strbuf_get_str(ja4_a), ja4_b, ja4_c);
10895 ja4_r = wmem_strdup_printf(pinfo->pool, "%s_%s_%s", wmem_strbuf_get_str(ja4_a), wmem_strbuf_get_str(ja4_br), wmem_strbuf_get_str(ja4_cr));
10896
10897 ti = proto_tree_add_string(tree, hf->hf.hs_ja4, tvb, offset, 0, ja4);
10898 proto_item_set_generated(ti);
10899 ti = proto_tree_add_string(tree, hf->hf.hs_ja4_r, tvb, offset, 0, ja4_r);
10900 proto_item_set_generated(ti);
10901
10902 ja3_hash = g_compute_checksum_for_string(G_CHECKSUM_MD5, wmem_strbuf_get_str(ja3),
10903 wmem_strbuf_get_len(ja3));
10904 ti = proto_tree_add_string(tree, hf->hf.hs_ja3_full, tvb, offset, 0, wmem_strbuf_get_str(ja3));
10905 proto_item_set_generated(ti);
10906 ti = proto_tree_add_string(tree, hf->hf.hs_ja3_hash, tvb, offset, 0, ja3_hash);
10907 proto_item_set_generated(ti);
10908 g_free(ja3_hash);
10909 return offset;
10910}
10911
10912void
10913ssl_dissect_hnd_srv_hello(ssl_common_dissect_t *hf, tvbuff_t *tvb,
10914 packet_info* pinfo, proto_tree *tree, uint32_t offset, uint32_t offset_end,
10915 SslSession *session, SslDecryptSession *ssl,
10916 bool_Bool is_dtls, bool_Bool is_hrr)
10917{
10918 /* struct {
10919 * ProtocolVersion server_version;
10920 * Random random;
10921 * SessionID session_id; // TLS 1.2 and before
10922 * CipherSuite cipher_suite;
10923 * CompressionMethod compression_method; // TLS 1.2 and before
10924 * Extension server_hello_extension_list<0..2^16-1>;
10925 * } ServerHello;
10926 */
10927 uint8_t draft_version = session->tls13_draft_version;
10928 proto_item *ti;
10929 uint32_t server_version;
10930 uint32_t cipher_suite;
10931 uint32_t initial_offset = offset;
10932 wmem_strbuf_t *ja3 = wmem_strbuf_new(pinfo->pool, "");
10933 char *ja3_hash;
10934
10935 col_set_str(pinfo->cinfo, COL_PROTOCOL,
10936 val_to_str_const(session->version, ssl_version_short_names, "SSL"));
10937
10938 /* Initially assume that the session is resumed. If this is not the case, a
10939 * ServerHelloDone will be observed before the ChangeCipherSpec message
10940 * which will reset this flag. */
10941 session->is_session_resumed = true1;
10942
10943 /* show the server version */
10944 ti = proto_tree_add_item_ret_uint(tree, hf->hf.hs_server_version, tvb,
10945 offset, 2, ENC_BIG_ENDIAN0x00000000, &server_version);
10946
10947 uint16_t supported_server_version;
10948 if (tls_scan_server_hello(tvb, offset, offset_end, &supported_server_version, NULL((void*)0))) {
10949 expert_add_info(pinfo, ti, &hf->ei.legacy_version);
10950 }
10951 /*
10952 * Is it version 1.3?
10953 * If so, that's an error; TLS and DTLS 1.3 Server Hellos claim
10954 * to be TLS 1.2, and mention 1.3 in an extension. See RFC 8446
10955 * section 4.1.3 "Server Hello" and RFC 9147 Section 5.4 "Server
10956 * Hello".
10957 */
10958 if (is_dtls) {
10959 if (server_version == DTLSV1DOT3_VERSION0xfefc) {
10960 /* Don't do that. */
10961 expert_add_info(pinfo, ti, &hf->ei.server_version_error);
10962 }
10963 } else {
10964 if (server_version == TLSV1DOT3_VERSION0x304) {
10965 /* Don't do that. */
10966 expert_add_info(pinfo, ti, &hf->ei.server_version_error);
10967 }
10968 }
10969
10970 offset += 2;
10971 wmem_strbuf_append_printf(ja3, "%i", server_version);
10972
10973 /* dissect fields that are present in both ClientHello and ServerHello */
10974 offset = ssl_dissect_hnd_hello_common(hf, tvb, pinfo, tree, offset, session, ssl, true1, is_hrr);
10975
10976 if (ssl) {
10977 /* store selected cipher suite for decryption */
10978 ssl_set_cipher(ssl, tvb_get_ntohs(tvb, offset));
10979 }
10980
10981 /* now the server-selected cipher suite */
10982 proto_tree_add_item_ret_uint(tree, hf->hf.hs_cipher_suite,
10983 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &cipher_suite);
10984 offset += 2;
10985 wmem_strbuf_append_printf(ja3, ",%i,", cipher_suite);
10986
10987 /* No compression with TLS 1.3 before draft -22 */
10988 if (!(session->version == TLSV1DOT3_VERSION0x304 && draft_version > 0 && draft_version < 22)) {
10989 if (ssl) {
10990 /* store selected compression method for decryption */
10991 ssl->session.compression = tvb_get_uint8(tvb, offset);
10992 }
10993 /* and the server-selected compression method */
10994 proto_tree_add_item(tree, hf->hf.hs_comp_method,
10995 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
10996 offset++;
10997 }
10998
10999 /* SSL v3.0 has no extensions, so length field can indeed be missing. */
11000 if (offset < offset_end) {
11001 offset = ssl_dissect_hnd_extension(hf, tvb, tree, pinfo, offset,
11002 offset_end,
11003 is_hrr ? SSL_HND_HELLO_RETRY_REQUEST : SSL_HND_SERVER_HELLO,
11004 session, ssl, is_dtls, ja3, NULL((void*)0), NULL((void*)0), 0, 0);
11005 }
11006
11007 if (ssl && ssl->ech_transcript.data_len > 0 && (ssl->state & SSL_CIPHER(1<<2)) && ssl->client_random.data_len > 0) {
11008 int hash_algo = ssl_get_digest_by_name(ssl_cipher_suite_dig(ssl->cipher_suite)->name);
11009 if (hash_algo) {
11010 SSL_MDgcry_md_hd_t mc;
11011 unsigned char transcript_hash[DIGEST_MAX_SIZE48];
11012 unsigned char prk[DIGEST_MAX_SIZE48];
11013 unsigned char *ech_verify_out = NULL((void*)0);
11014 unsigned int len;
11015 ssl_md_init(&mc, hash_algo);
11016 ssl_md_update(&mc, ssl->ech_transcript.data, ssl->ech_transcript.data_len);
11017 if (is_hrr) {
11018 ssl_md_final(&mc, transcript_hash, &len);
11019 ssl_md_cleanup(&mc);
11020 wmem_free(wmem_file_scope(), ssl->ech_transcript.data);
11021 ssl->ech_transcript.data_len = 4 + len;
11022 ssl->ech_transcript.data = (unsigned char*)wmem_alloc(wmem_file_scope(), 4 + len + 4 + offset_end - initial_offset);
11023 ssl->ech_transcript.data[0] = SSL_HND_MESSAGE_HASH;
11024 ssl->ech_transcript.data[1] = 0;
11025 ssl->ech_transcript.data[2] = 0;
11026 ssl->ech_transcript.data[3] = len;
11027 memcpy(ssl->ech_transcript.data + 4, transcript_hash, len);
11028 ssl_md_init(&mc, hash_algo);
11029 ssl_md_update(&mc, ssl->ech_transcript.data, 4 + len);
11030 } else {
11031 ssl->ech_transcript.data = wmem_realloc(wmem_file_scope(), ssl->ech_transcript.data,
11032 ssl->ech_transcript.data_len + 4 + offset_end - initial_offset);
11033 }
11034 if (initial_offset > 4) {
11035 tvb_memcpy(tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len, initial_offset - 4,
11036 4 + offset_end - initial_offset);
11037 if (is_hrr)
11038 ssl_md_update(&mc, (unsigned char *)tvb_get_ptr(tvb, initial_offset-4, 38), 38);
11039 else
11040 ssl_md_update(&mc, (unsigned char *)tvb_get_ptr(tvb, initial_offset-4, 30), 30);
11041 } else {
11042 uint8_t prefix[4] = {SSL_HND_SERVER_HELLO, 0x00, 0x00, 0x00};
11043 prefix[2] = ((offset - initial_offset) >> 8);
11044 prefix[3] = (offset - initial_offset) & 0xff;
11045 memcpy(ssl->ech_transcript.data + ssl->ech_transcript.data_len, prefix, 4);
11046 tvb_memcpy(tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len + 4, initial_offset,
11047 offset_end - initial_offset);
11048 ssl_md_update(&mc, prefix, 4);
11049 if (is_hrr)
11050 ssl_md_update(&mc, (unsigned char *)tvb_get_ptr(tvb, initial_offset, 34), 34);
11051 else
11052 ssl_md_update(&mc, (unsigned char *)tvb_get_ptr(tvb, initial_offset, 26), 26);
11053 }
11054 ssl->ech_transcript.data_len += 4 + offset_end - initial_offset;
11055 uint8_t zeros[8] = { 0 };
11056 uint32_t confirmation_offset = initial_offset + 26;
11057 if (is_hrr) {
11058 uint32_t hrr_offset = initial_offset + 34;
11059 ssl_md_update(&mc, (unsigned char *)tvb_get_ptr(tvb, hrr_offset,
11060 tvb_get_uint8(tvb, hrr_offset) + 1), tvb_get_uint8(tvb, hrr_offset) + 1);
11061 hrr_offset += tvb_get_uint8(tvb, hrr_offset) + 1;
11062 ssl_md_update(&mc, (unsigned char *)tvb_get_ptr(tvb, hrr_offset, 3), 3);
11063 hrr_offset += 3;
11064 uint16_t extensions_end = hrr_offset + tvb_get_ntohs(tvb, hrr_offset) + 2;
11065 ssl_md_update(&mc, (unsigned char *)tvb_get_ptr(tvb, hrr_offset, 2), 2);
11066 hrr_offset += 2;
11067 while (extensions_end - hrr_offset >= 4) {
11068 if (tvb_get_ntohs(tvb, hrr_offset) == SSL_HND_HELLO_EXT_ENCRYPTED_CLIENT_HELLO65037 &&
11069 tvb_get_ntohs(tvb, hrr_offset + 2) == 8) {
11070 confirmation_offset = hrr_offset + 4;
11071 ssl_md_update(&mc, (unsigned char *)tvb_get_ptr(tvb, hrr_offset, 4), 4);
11072 ssl_md_update(&mc, zeros, 8);
11073 hrr_offset += 12;
11074 } else {
11075 ssl_md_update(&mc, (unsigned char *)tvb_get_ptr(tvb, hrr_offset, tvb_get_ntohs(tvb, hrr_offset + 2) + 4),
11076 tvb_get_ntohs(tvb, hrr_offset + 2) + 4);
11077 hrr_offset += tvb_get_ntohs(tvb, hrr_offset + 2) + 4;
11078 }
11079 }
11080 } else {
11081 ssl_md_update(&mc, zeros, 8);
11082 ssl_md_update(&mc, (unsigned char *)tvb_get_ptr(tvb, initial_offset + 34, offset - initial_offset - 34),
11083 offset - initial_offset - 34);
11084 }
11085 ssl_md_final(&mc, transcript_hash, &len);
11086 ssl_md_cleanup(&mc);
11087 hkdf_extract(hash_algo, NULL((void*)0), 0, ssl->client_random.data, 32, prk);
11088 StringInfo prk_string = {prk, len};
11089 if (tls13_hkdf_expand_label_context(hash_algo, &prk_string, tls13_hkdf_label_prefix(ssl),
11090 is_hrr ? "hrr ech accept confirmation" : "ech accept confirmation",
11091 transcript_hash, len, 8, &ech_verify_out)) {
11092 memcpy(is_hrr ? ssl->session.hrr_ech_confirmation : ssl->session.ech_confirmation, ech_verify_out, 8);
11093 if (tvb_memeql(tvb, confirmation_offset, ech_verify_out, 8) == -1) {
11094 if (is_hrr) {
11095 ssl->session.hrr_ech_declined = true1;
11096 ssl->session.first_ch_ech_frame = 0;
11097 }
11098 memcpy(ssl->client_random.data, ssl->session.client_random.data, ssl->session.client_random.data_len);
11099 ssl_print_data("Updated Client Random", ssl->client_random.data, 32);
11100 }
11101 wmem_free(NULL((void*)0), ech_verify_out);
11102 }
11103 ssl->session.ech = true1;
11104 }
11105 }
11106
11107 ja3_hash = g_compute_checksum_for_string(G_CHECKSUM_MD5, wmem_strbuf_get_str(ja3),
11108 wmem_strbuf_get_len(ja3));
11109 ti = proto_tree_add_string(tree, hf->hf.hs_ja3s_full, tvb, offset, 0, wmem_strbuf_get_str(ja3));
11110 proto_item_set_generated(ti);
11111 ti = proto_tree_add_string(tree, hf->hf.hs_ja3s_hash, tvb, offset, 0, ja3_hash);
11112 proto_item_set_generated(ti);
11113 g_free(ja3_hash);
11114}
11115/* Client Hello and Server Hello dissections. }}} */
11116
11117/* New Session Ticket dissection. {{{ */
11118void
11119ssl_dissect_hnd_new_ses_ticket(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
11120 proto_tree *tree, uint32_t offset, uint32_t offset_end,
11121 SslSession *session, SslDecryptSession *ssl,
11122 bool_Bool is_dtls, GHashTable *session_hash)
11123{
11124 /* https://tools.ietf.org/html/rfc5077#section-3.3 (TLS >= 1.0):
11125 * struct {
11126 * uint32 ticket_lifetime_hint;
11127 * opaque ticket<0..2^16-1>;
11128 * } NewSessionTicket;
11129 *
11130 * RFC 8446 Section 4.6.1 (TLS 1.3):
11131 * struct {
11132 * uint32 ticket_lifetime;
11133 * uint32 ticket_age_add;
11134 * opaque ticket_nonce<0..255>; // new in draft -21, updated in -22
11135 * opaque ticket<1..2^16-1>;
11136 * Extension extensions<0..2^16-2>;
11137 * } NewSessionTicket;
11138 */
11139 proto_tree *subtree;
11140 proto_item *subitem;
11141 uint32_t ticket_len;
11142 bool_Bool is_tls13 = session->version == TLSV1DOT3_VERSION0x304 || session->version == DTLSV1DOT3_VERSION0xfefc;
11143 unsigned char draft_version = session->tls13_draft_version;
11144 uint32_t lifetime_hint;
11145
11146 subtree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
11147 hf->ett.session_ticket, NULL((void*)0),
11148 "TLS Session Ticket");
11149
11150 /* ticket lifetime hint */
11151 subitem = proto_tree_add_item_ret_uint(subtree, hf->hf.hs_session_ticket_lifetime_hint,
11152 tvb, offset, 4, ENC_BIG_ENDIAN0x00000000, &lifetime_hint);
11153 offset += 4;
11154
11155 if (lifetime_hint >= 60) {
11156 char *time_str = unsigned_time_secs_to_str(pinfo->pool, lifetime_hint);
11157 proto_item_append_text(subitem, " (%s)", time_str);
11158 }
11159
11160 if (is_tls13) {
11161
11162 /* for TLS 1.3: ticket_age_add */
11163 proto_tree_add_item(subtree, hf->hf.hs_session_ticket_age_add,
11164 tvb, offset, 4, ENC_BIG_ENDIAN0x00000000);
11165 offset += 4;
11166
11167 /* for TLS 1.3: ticket_nonce (coming with Draft 21)*/
11168 if (draft_version == 0 || draft_version >= 21) {
11169 uint32_t ticket_nonce_len;
11170
11171 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, offset_end, &ticket_nonce_len,
11172 hf->hf.hs_session_ticket_nonce_len, 0, 255)) {
11173 return;
11174 }
11175 offset++;
11176
11177 proto_tree_add_item(subtree, hf->hf.hs_session_ticket_nonce, tvb, offset, ticket_nonce_len, ENC_NA0x00000000);
11178 offset += ticket_nonce_len;
11179 }
11180
11181 }
11182
11183 /* opaque ticket<0..2^16-1> (with TLS 1.3 the minimum is 1) */
11184 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, offset_end, &ticket_len,
11185 hf->hf.hs_session_ticket_len, is_tls13 ? 1 : 0, UINT16_MAX(65535))) {
11186 return;
11187 }
11188 offset += 2;
11189
11190 /* Content depends on implementation, so just show data! */
11191 proto_tree_add_item(subtree, hf->hf.hs_session_ticket,
11192 tvb, offset, ticket_len, ENC_NA0x00000000);
11193 /* save the session ticket to cache for ssl_finalize_decryption */
11194 if (ssl && !is_tls13) {
11195 if (ssl->session.is_session_resumed) {
11196 /* NewSessionTicket is received in ServerHello before ChangeCipherSpec
11197 * (Abbreviated Handshake Using New Session Ticket).
11198 * Restore the master key for this session ticket before saving
11199 * it to the new session ticket. */
11200 ssl_restore_master_key(ssl, "Session Ticket", false0,
11201 session_hash, &ssl->session_ticket);
11202 }
11203 tvb_ensure_bytes_exist(tvb, offset, ticket_len);
11204 ssl->session_ticket.data = (unsigned char*)wmem_realloc(wmem_file_scope(),
11205 ssl->session_ticket.data, ticket_len);
11206 ssl->session_ticket.data_len = ticket_len;
11207 tvb_memcpy(tvb, ssl->session_ticket.data, offset, ticket_len);
11208 /* NewSessionTicket is received after the first (client)
11209 * ChangeCipherSpec, and before the second (server) ChangeCipherSpec.
11210 * Since the second CCS has already the session key available it will
11211 * just return. To ensure that the session ticket is mapped to a
11212 * master key (from the first CCS), save the ticket here too. */
11213 ssl_save_master_key("Session Ticket", session_hash,
11214 &ssl->session_ticket, &ssl->master_secret);
11215 ssl->state |= SSL_NEW_SESSION_TICKET(1<<10);
11216 }
11217 offset += ticket_len;
11218
11219 if (is_tls13) {
11220 ssl_dissect_hnd_extension(hf, tvb, subtree, pinfo, offset,
11221 offset_end, SSL_HND_NEWSESSION_TICKET,
11222 session, ssl, is_dtls, NULL((void*)0), NULL((void*)0), NULL((void*)0), 0, 0);
11223 }
11224} /* }}} */
11225
11226void
11227ssl_dissect_hnd_hello_retry_request(ssl_common_dissect_t *hf, tvbuff_t *tvb,
11228 packet_info* pinfo, proto_tree *tree, uint32_t offset, uint32_t offset_end,
11229 SslSession *session, SslDecryptSession *ssl,
11230 bool_Bool is_dtls)
11231{
11232 /* https://tools.ietf.org/html/draft-ietf-tls-tls13-19#section-4.1.4
11233 * struct {
11234 * ProtocolVersion server_version;
11235 * CipherSuite cipher_suite; // not before draft -19
11236 * Extension extensions<2..2^16-1>;
11237 * } HelloRetryRequest;
11238 * Note: no longer used since draft -22
11239 */
11240 uint32_t version;
11241 uint8_t draft_version;
11242
11243 proto_tree_add_item_ret_uint(tree, hf->hf.hs_server_version, tvb,
11244 offset, 2, ENC_BIG_ENDIAN0x00000000, &version);
11245 draft_version = extract_tls13_draft_version(version);
11246 offset += 2;
11247
11248 if (draft_version == 0 || draft_version >= 19) {
11249 proto_tree_add_item(tree, hf->hf.hs_cipher_suite,
11250 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
11251 offset += 2;
11252 }
11253
11254 ssl_dissect_hnd_extension(hf, tvb, tree, pinfo, offset,
11255 offset_end, SSL_HND_HELLO_RETRY_REQUEST,
11256 session, ssl, is_dtls, NULL((void*)0), NULL((void*)0), NULL((void*)0), 0, 0);
11257}
11258
11259void
11260ssl_dissect_hnd_encrypted_extensions(ssl_common_dissect_t *hf, tvbuff_t *tvb,
11261 packet_info* pinfo, proto_tree *tree, uint32_t offset, uint32_t offset_end,
11262 SslSession *session, SslDecryptSession *ssl,
11263 bool_Bool is_dtls)
11264{
11265 /* RFC 8446 Section 4.3.1
11266 * struct {
11267 * Extension extensions<0..2^16-1>;
11268 * } EncryptedExtensions;
11269 */
11270 ssl_dissect_hnd_extension(hf, tvb, tree, pinfo, offset,
11271 offset_end, SSL_HND_ENCRYPTED_EXTENSIONS,
11272 session, ssl, is_dtls, NULL((void*)0), NULL((void*)0), NULL((void*)0), 0, 0);
11273}
11274
11275/* Certificate and Certificate Request dissections. {{{ */
11276void
11277ssl_dissect_hnd_cert(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree,
11278 uint32_t offset, uint32_t offset_end, packet_info *pinfo,
11279 SslSession *session, SslDecryptSession *ssl _U___attribute__((unused)),
11280 bool_Bool is_from_server, bool_Bool is_dtls)
11281{
11282 /* opaque ASN.1Cert<1..2^24-1>;
11283 *
11284 * Before RFC 8446 (TLS <= 1.2):
11285 * struct {
11286 * select(certificate_type) {
11287 *
11288 * // certificate type defined in RFC 7250
11289 * case RawPublicKey:
11290 * opaque ASN.1_subjectPublicKeyInfo<1..2^24-1>;
11291 *
11292 * // X.509 certificate defined in RFC 5246
11293 * case X.509:
11294 * ASN.1Cert certificate_list<0..2^24-1>;
11295 * };
11296 * } Certificate;
11297 *
11298 * RFC 8446 (since draft -20):
11299 * struct {
11300 * select(certificate_type){
11301 * case RawPublicKey:
11302 * // From RFC 7250 ASN.1_subjectPublicKeyInfo
11303 * opaque ASN1_subjectPublicKeyInfo<1..2^24-1>;
11304 *
11305 * case X.509:
11306 * opaque cert_data<1..2^24-1>;
11307 * }
11308 * Extension extensions<0..2^16-1>;
11309 * } CertificateEntry;
11310 * struct {
11311 * opaque certificate_request_context<0..2^8-1>;
11312 * CertificateEntry certificate_list<0..2^24-1>;
11313 * } Certificate;
11314 */
11315 enum { CERT_X509, CERT_RPK } cert_type;
11316 asn1_ctx_t asn1_ctx;
11317#if defined(HAVE_LIBGNUTLS1)
11318 gnutls_datum_t subjectPublicKeyInfo = { NULL((void*)0), 0 };
11319 unsigned certificate_index = 0;
11320#endif
11321 uint32_t next_offset, certificate_list_length, cert_length;
11322 proto_tree *subtree = tree;
11323
11324 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true1, pinfo);
11325
11326 if ((is_from_server && session->server_cert_type == SSL_HND_CERT_TYPE_RAW_PUBLIC_KEY2) ||
11327 (!is_from_server && session->client_cert_type == SSL_HND_CERT_TYPE_RAW_PUBLIC_KEY2)) {
11328 cert_type = CERT_RPK;
11329 } else {
11330 cert_type = CERT_X509;
11331 }
11332
11333#if defined(HAVE_LIBGNUTLS1)
11334 /* Ask the pkcs1 dissector to return the public key details */
11335 if (ssl)
11336 asn1_ctx.private_data = &subjectPublicKeyInfo;
11337#endif
11338
11339 /* TLS 1.3: opaque certificate_request_context<0..2^8-1> */
11340 if (session->version == TLSV1DOT3_VERSION0x304 || session->version == DTLSV1DOT3_VERSION0xfefc) {
11341 uint32_t context_length;
11342 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &context_length,
11343 hf->hf.hs_certificate_request_context_length, 0, UINT8_MAX(255))) {
11344 return;
11345 }
11346 offset++;
11347 if (context_length > 0) {
11348 proto_tree_add_item(tree, hf->hf.hs_certificate_request_context,
11349 tvb, offset, context_length, ENC_NA0x00000000);
11350 offset += context_length;
11351 }
11352 }
11353
11354 if ((session->version != TLSV1DOT3_VERSION0x304 && session->version != DTLSV1DOT3_VERSION0xfefc) && cert_type == CERT_RPK) {
11355 /* For RPK before TLS 1.3, the single RPK is stored directly without
11356 * another "certificate_list" field. */
11357 certificate_list_length = offset_end - offset;
11358 next_offset = offset_end;
11359 } else {
11360 /* CertificateEntry certificate_list<0..2^24-1> */
11361 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &certificate_list_length,
11362 hf->hf.hs_certificates_len, 0, G_MAXUINT24((1U << 24) - 1))) {
11363 return;
11364 }
11365 offset += 3; /* 24-bit length value */
11366 next_offset = offset + certificate_list_length;
11367 }
11368
11369 /* RawPublicKey must have one cert, but X.509 can have multiple. */
11370 if (certificate_list_length > 0 && cert_type == CERT_X509) {
11371 proto_item *ti;
11372
11373 ti = proto_tree_add_none_format(tree,
11374 hf->hf.hs_certificates,
11375 tvb, offset, certificate_list_length,
11376 "Certificates (%u bytes)",
11377 certificate_list_length);
11378
11379 /* make it a subtree */
11380 subtree = proto_item_add_subtree(ti, hf->ett.certificates);
11381 }
11382
11383 while (offset < next_offset) {
11384 switch (cert_type) {
11385 case CERT_RPK:
11386 /* TODO add expert info if there is more than one RPK entry (certificate_index > 0) */
11387 /* opaque ASN.1_subjectPublicKeyInfo<1..2^24-1> */
11388 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, next_offset, &cert_length,
11389 hf->hf.hs_certificate_len, 1, G_MAXUINT24((1U << 24) - 1))) {
11390 return;
11391 }
11392 offset += 3;
11393
11394 dissect_x509af_SubjectPublicKeyInfo(false0, tvb, offset, &asn1_ctx, subtree, hf->hf.hs_certificate);
11395 offset += cert_length;
11396 break;
11397 case CERT_X509:
11398 /* opaque ASN1Cert<1..2^24-1> */
11399 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, next_offset, &cert_length,
11400 hf->hf.hs_certificate_len, 1, G_MAXUINT24((1U << 24) - 1))) {
11401 return;
11402 }
11403 offset += 3;
11404
11405 dissect_x509af_Certificate(false0, tvb, offset, &asn1_ctx, subtree, hf->hf.hs_certificate);
11406#if defined(HAVE_LIBGNUTLS1)
11407 if (is_from_server && ssl && certificate_index == 0) {
11408 ssl_find_private_key_by_pubkey(ssl, &subjectPublicKeyInfo);
11409 /* Only attempt to get the RSA modulus for the first cert. */
11410 asn1_ctx.private_data = NULL((void*)0);
11411 }
11412#endif
11413 offset += cert_length;
11414 break;
11415 }
11416
11417 /* TLS 1.3: Extension extensions<0..2^16-1> */
11418 if ((session->version == TLSV1DOT3_VERSION0x304 || session->version == DTLSV1DOT3_VERSION0xfefc)) {
11419 offset = ssl_dissect_hnd_extension(hf, tvb, subtree, pinfo, offset,
11420 next_offset, SSL_HND_CERTIFICATE,
11421 session, ssl, is_dtls, NULL((void*)0), NULL((void*)0), NULL((void*)0), 0, 0);
11422 }
11423
11424#if defined(HAVE_LIBGNUTLS1)
11425 certificate_index++;
11426#endif
11427 }
11428}
11429
11430void
11431ssl_dissect_hnd_cert_req(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
11432 proto_tree *tree, uint32_t offset, uint32_t offset_end,
11433 SslSession *session, bool_Bool is_dtls)
11434{
11435 /* From SSL 3.0 and up (note that since TLS 1.1 certificate_authorities can be empty):
11436 * enum {
11437 * rsa_sign(1), dss_sign(2), rsa_fixed_dh(3), dss_fixed_dh(4),
11438 * (255)
11439 * } ClientCertificateType;
11440 *
11441 * opaque DistinguishedName<1..2^16-1>;
11442 *
11443 * struct {
11444 * ClientCertificateType certificate_types<1..2^8-1>;
11445 * DistinguishedName certificate_authorities<3..2^16-1>;
11446 * } CertificateRequest;
11447 *
11448 *
11449 * As per TLSv1.2 (RFC 5246) the format has changed to:
11450 *
11451 * enum {
11452 * rsa_sign(1), dss_sign(2), rsa_fixed_dh(3), dss_fixed_dh(4),
11453 * rsa_ephemeral_dh_RESERVED(5), dss_ephemeral_dh_RESERVED(6),
11454 * fortezza_dms_RESERVED(20), (255)
11455 * } ClientCertificateType;
11456 *
11457 * enum {
11458 * none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5),
11459 * sha512(6), (255)
11460 * } HashAlgorithm;
11461 *
11462 * enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) }
11463 * SignatureAlgorithm;
11464 *
11465 * struct {
11466 * HashAlgorithm hash;
11467 * SignatureAlgorithm signature;
11468 * } SignatureAndHashAlgorithm;
11469 *
11470 * SignatureAndHashAlgorithm
11471 * supported_signature_algorithms<2..2^16-2>;
11472 *
11473 * opaque DistinguishedName<1..2^16-1>;
11474 *
11475 * struct {
11476 * ClientCertificateType certificate_types<1..2^8-1>;
11477 * SignatureAndHashAlgorithm supported_signature_algorithms<2^16-1>;
11478 * DistinguishedName certificate_authorities<0..2^16-1>;
11479 * } CertificateRequest;
11480 *
11481 * draft-ietf-tls-tls13-18:
11482 * struct {
11483 * opaque certificate_request_context<0..2^8-1>;
11484 * SignatureScheme
11485 * supported_signature_algorithms<2..2^16-2>;
11486 * DistinguishedName certificate_authorities<0..2^16-1>;
11487 * CertificateExtension certificate_extensions<0..2^16-1>;
11488 * } CertificateRequest;
11489 *
11490 * RFC 8446 (since draft-ietf-tls-tls13-19):
11491 *
11492 * struct {
11493 * opaque certificate_request_context<0..2^8-1>;
11494 * Extension extensions<2..2^16-1>;
11495 * } CertificateRequest;
11496 */
11497 proto_item *ti;
11498 proto_tree *subtree;
11499 uint32_t next_offset;
11500 asn1_ctx_t asn1_ctx;
11501 bool_Bool is_tls13 = (session->version == TLSV1DOT3_VERSION0x304 || session->version == DTLSV1DOT3_VERSION0xfefc);
11502 unsigned char draft_version = session->tls13_draft_version;
11503
11504 if (!tree)
11505 return;
11506
11507 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true1, pinfo);
11508
11509 if (is_tls13) {
11510 uint32_t context_length;
11511 /* opaque certificate_request_context<0..2^8-1> */
11512 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &context_length,
11513 hf->hf.hs_certificate_request_context_length, 0, UINT8_MAX(255))) {
11514 return;
11515 }
11516 offset++;
11517 if (context_length > 0) {
11518 proto_tree_add_item(tree, hf->hf.hs_certificate_request_context,
11519 tvb, offset, context_length, ENC_NA0x00000000);
11520 offset += context_length;
11521 }
11522 } else {
11523 uint32_t cert_types_count;
11524 /* ClientCertificateType certificate_types<1..2^8-1> */
11525 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &cert_types_count,
11526 hf->hf.hs_cert_types_count, 1, UINT8_MAX(255))) {
11527 return;
11528 }
11529 offset++;
11530 next_offset = offset + cert_types_count;
11531
11532 ti = proto_tree_add_none_format(tree,
11533 hf->hf.hs_cert_types,
11534 tvb, offset, cert_types_count,
11535 "Certificate types (%u type%s)",
11536 cert_types_count,
11537 plurality(cert_types_count, "", "s")((cert_types_count) == 1 ? ("") : ("s")));
11538 subtree = proto_item_add_subtree(ti, hf->ett.cert_types);
11539
11540 while (offset < next_offset) {
11541 proto_tree_add_item(subtree, hf->hf.hs_cert_type, tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
11542 offset++;
11543 }
11544 }
11545
11546 if (session->version == TLSV1DOT2_VERSION0x303 || session->version == DTLSV1DOT2_VERSION0xfefd ||
11547 (is_tls13 && (draft_version > 0 && draft_version < 19))) {
11548 offset = ssl_dissect_hash_alg_list(hf, tvb, tree, pinfo, offset, offset_end, NULL((void*)0));
11549 }
11550
11551 if (is_tls13 && (draft_version == 0 || draft_version >= 19)) {
11552 /*
11553 * TLS 1.3 draft 19 and newer: Extensions.
11554 * SslDecryptSession pointer is NULL because Certificate Extensions
11555 * should not influence decryption state.
11556 */
11557 ssl_dissect_hnd_extension(hf, tvb, tree, pinfo, offset,
11558 offset_end, SSL_HND_CERT_REQUEST,
11559 session, NULL((void*)0), is_dtls, NULL((void*)0), NULL((void*)0), NULL((void*)0), 0, 0);
11560 } else if (is_tls13 && draft_version <= 18) {
11561 /*
11562 * TLS 1.3 draft 18 and older: certificate_authorities and
11563 * certificate_extensions (a vector of OID mappings).
11564 */
11565 offset = tls_dissect_certificate_authorities(hf, tvb, pinfo, tree, offset, offset_end);
11566 ssl_dissect_hnd_hello_ext_oid_filters(hf, tvb, pinfo, tree, offset, offset_end);
11567 } else {
11568 /* for TLS 1.2 and older, the certificate_authorities field. */
11569 tls_dissect_certificate_authorities(hf, tvb, pinfo, tree, offset, offset_end);
11570 }
11571}
11572/* Certificate and Certificate Request dissections. }}} */
11573
11574void
11575ssl_dissect_hnd_cli_cert_verify(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
11576 proto_tree *tree, uint32_t offset, uint32_t offset_end, uint16_t version)
11577{
11578 ssl_dissect_digitally_signed(hf, tvb, pinfo, tree, offset, offset_end, version,
11579 hf->hf.hs_client_cert_vrfy_sig_len,
11580 hf->hf.hs_client_cert_vrfy_sig);
11581}
11582
11583/* Finished dissection. {{{ */
11584void
11585ssl_dissect_hnd_finished(ssl_common_dissect_t *hf, tvbuff_t *tvb,
11586 proto_tree *tree, uint32_t offset, uint32_t offset_end,
11587 const SslSession *session, ssl_hfs_t *ssl_hfs)
11588{
11589 /* For SSLv3:
11590 * struct {
11591 * opaque md5_hash[16];
11592 * opaque sha_hash[20];
11593 * } Finished;
11594 *
11595 * For (D)TLS:
11596 * struct {
11597 * opaque verify_data[12];
11598 * } Finished;
11599 *
11600 * For TLS 1.3:
11601 * struct {
11602 * opaque verify_data[Hash.length];
11603 * }
11604 */
11605 if (!tree)
11606 return;
11607
11608 if (session->version == SSLV3_VERSION0x300) {
11609 if (ssl_hfs != NULL((void*)0)) {
11610 proto_tree_add_item(tree, ssl_hfs->hs_md5_hash,
11611 tvb, offset, 16, ENC_NA0x00000000);
11612 proto_tree_add_item(tree, ssl_hfs->hs_sha_hash,
11613 tvb, offset + 16, 20, ENC_NA0x00000000);
11614 }
11615 } else {
11616 /* Length should be 12 for TLS before 1.3, assume this is the case. */
11617 proto_tree_add_item(tree, hf->hf.hs_finished,
11618 tvb, offset, offset_end - offset, ENC_NA0x00000000);
11619 }
11620} /* }}} */
11621
11622/* RFC 6066 Certificate URL handshake message dissection. {{{ */
11623void
11624ssl_dissect_hnd_cert_url(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree, uint32_t offset)
11625{
11626 uint16_t url_hash_len;
11627
11628 /* enum {
11629 * individual_certs(0), pkipath(1), (255)
11630 * } CertChainType;
11631 *
11632 * struct {
11633 * CertChainType type;
11634 * URLAndHash url_and_hash_list<1..2^16-1>;
11635 * } CertificateURL;
11636 *
11637 * struct {
11638 * opaque url<1..2^16-1>;
11639 * uint8 padding;
11640 * opaque SHA1Hash[20];
11641 * } URLAndHash;
11642 */
11643
11644 proto_tree_add_item(tree, hf->hf.hs_ext_cert_url_type,
11645 tvb, offset, 1, ENC_NA0x00000000);
11646 offset++;
11647
11648 url_hash_len = tvb_get_ntohs(tvb, offset);
11649 proto_tree_add_item(tree, hf->hf.hs_ext_cert_url_url_hash_list_len,
11650 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
11651 offset += 2;
11652 while (url_hash_len-- > 0) {
11653 proto_item *urlhash_item;
11654 proto_tree *urlhash_tree;
11655 uint16_t url_len;
11656
11657 urlhash_item = proto_tree_add_item(tree, hf->hf.hs_ext_cert_url_item,
11658 tvb, offset, -1, ENC_NA0x00000000);
11659 urlhash_tree = proto_item_add_subtree(urlhash_item, hf->ett.urlhash);
11660
11661 url_len = tvb_get_ntohs(tvb, offset);
11662 proto_tree_add_item(urlhash_tree, hf->hf.hs_ext_cert_url_url_len,
11663 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
11664 offset += 2;
11665
11666 proto_tree_add_item(urlhash_tree, hf->hf.hs_ext_cert_url_url,
11667 tvb, offset, url_len, ENC_ASCII0x00000000|ENC_NA0x00000000);
11668 offset += url_len;
11669
11670 proto_tree_add_item(urlhash_tree, hf->hf.hs_ext_cert_url_padding,
11671 tvb, offset, 1, ENC_NA0x00000000);
11672 offset++;
11673 /* Note: RFC 6066 says that padding must be 0x01 */
11674
11675 proto_tree_add_item(urlhash_tree, hf->hf.hs_ext_cert_url_sha1,
11676 tvb, offset, 20, ENC_NA0x00000000);
11677 offset += 20;
11678 }
11679} /* }}} */
11680
11681void
11682ssl_dissect_hnd_compress_certificate(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree,
11683 uint32_t offset, uint32_t offset_end, packet_info *pinfo,
11684 SslSession *session, SslDecryptSession *ssl,
11685 bool_Bool is_from_server, bool_Bool is_dtls)
11686{
11687 uint32_t algorithm, uncompressed_length;
11688 uint32_t compressed_certificate_message_length;
11689 tvbuff_t *uncompressed_tvb = NULL((void*)0);
11690 proto_item *ti;
11691 /*
11692 * enum {
11693 * zlib(1),
11694 * brotli(2),
11695 * zstd(3),
11696 * (65535)
11697 * } CertificateCompressionAlgorithm;
11698 *
11699 * struct {
11700 * CertificateCompressionAlgorithm algorithm;
11701 * uint24 uncompressed_length;
11702 * opaque compressed_certificate_message<1..2^24-1>;
11703 * } CompressedCertificate;
11704 */
11705
11706 proto_tree_add_item_ret_uint(tree, hf->hf.hs_ext_compress_certificate_algorithm,
11707 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &algorithm);
11708 offset += 2;
11709
11710 proto_tree_add_item_ret_uint(tree, hf->hf.hs_ext_compress_certificate_uncompressed_length,
11711 tvb, offset, 3, ENC_BIG_ENDIAN0x00000000, &uncompressed_length);
11712 offset += 3;
11713
11714 /* opaque compressed_certificate_message<1..2^24-1>; */
11715 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &compressed_certificate_message_length,
11716 hf->hf.hs_ext_compress_certificate_compressed_certificate_message_length, 1, G_MAXUINT24((1U << 24) - 1))) {
11717 return;
11718 }
11719 offset += 3;
11720
11721 ti = proto_tree_add_item(tree, hf->hf.hs_ext_compress_certificate_compressed_certificate_message,
11722 tvb, offset, compressed_certificate_message_length, ENC_NA0x00000000);
11723
11724 /* Certificate decompression following algorithm */
11725 switch (algorithm) {
11726 case 1: /* zlib */
11727 uncompressed_tvb = tvb_child_uncompress_zlib(tvb, tvb, offset, compressed_certificate_message_length);
11728 break;
11729 case 2: /* brotli */
11730 uncompressed_tvb = tvb_child_uncompress_brotli(tvb, tvb, offset, compressed_certificate_message_length);
11731 break;
11732 case 3: /* zstd */
11733 uncompressed_tvb = tvb_child_uncompress_zstd(tvb, tvb, offset, compressed_certificate_message_length);
11734 break;
11735 }
11736
11737 if (uncompressed_tvb) {
11738 proto_tree *uncompressed_tree;
11739
11740 if (uncompressed_length != tvb_captured_length(uncompressed_tvb)) {
11741 proto_tree_add_expert_format(tree, pinfo, &hf->ei.decompression_error,
11742 tvb, offset, offset_end - offset,
11743 "Invalid uncompressed length %u (expected %u)",
11744 tvb_captured_length(uncompressed_tvb),
11745 uncompressed_length);
11746 } else {
11747 uncompressed_tree = proto_item_add_subtree(ti, hf->ett.uncompressed_certificates);
11748 ssl_dissect_hnd_cert(hf, uncompressed_tvb, uncompressed_tree,
11749 0, uncompressed_length, pinfo, session, ssl, is_from_server, is_dtls);
11750 add_new_data_source(pinfo, uncompressed_tvb, "Uncompressed certificate(s)");
11751 }
11752 }
11753}
11754
11755/* Dissection of TLS Extensions in Client Hello, Server Hello, etc. {{{ */
11756static int
11757// NOLINTNEXTLINE(misc-no-recursion)
11758ssl_dissect_hnd_extension(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree,
11759 packet_info* pinfo, uint32_t offset, uint32_t offset_end, uint8_t hnd_type,
11760 SslSession *session, SslDecryptSession *ssl,
11761 bool_Bool is_dtls, wmem_strbuf_t *ja3, ja4_data_t *ja4_data,
11762 ssl_master_key_map_t *mk_map, uint32_t initial_offset, uint32_t hello_length)
11763{
11764 uint32_t exts_len;
11765 uint16_t ext_type;
11766 uint32_t ext_len;
11767 uint32_t next_offset;
11768 proto_item *ext_item;
11769 proto_tree *ext_tree;
11770 bool_Bool is_tls13 = session->version == TLSV1DOT3_VERSION0x304;
11771 wmem_strbuf_t *ja3_sg = wmem_strbuf_new(pinfo->pool, "");
11772 wmem_strbuf_t *ja3_ecpf = wmem_strbuf_new(pinfo->pool, "");
11773 char *ja3_dash = "";
11774 unsigned supported_version;
11775
11776 /* Extension extensions<0..2^16-2> (for TLS 1.3 HRR/CR min-length is 2) */
11777 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &exts_len,
11778 hf->hf.hs_exts_len, 0, UINT16_MAX(65535))) {
11779 return offset_end;
11780 }
11781 offset += 2;
11782 offset_end = offset + exts_len;
11783
11784 if (ja4_data) {
11785 ja4_data->num_extensions = 0;
11786 }
11787 while (offset_end - offset >= 4)
11788 {
11789 ext_type = tvb_get_ntohs(tvb, offset);
11790 ext_len = tvb_get_ntohs(tvb, offset + 2);
11791
11792 if (ja4_data && !IS_GREASE_TLS(ext_type)((((ext_type) & 0x0f0f) == 0x0a0a) && (((ext_type
) & 0xff) == (((ext_type)>>8) & 0xff)))) {
11793 ja4_data->num_extensions += 1;
11794 if (ext_type != SSL_HND_HELLO_EXT_SERVER_NAME0 &&
11795 ext_type != SSL_HND_HELLO_EXT_ALPN16) {
11796 wmem_list_insert_sorted(ja4_data->extension_list, GUINT_TO_POINTER(ext_type)((gpointer) (gulong) (ext_type)), wmem_compare_uint);
11797 }
11798 }
11799
11800 ext_item = proto_tree_add_none_format(tree, hf->hf.hs_ext, tvb, offset, 4 + ext_len,
11801 "Extension: %s (len=%u)", val_to_str(pinfo->pool, ext_type,
11802 tls_hello_extension_types,
11803 "Unknown type %u"), ext_len);
11804 ext_tree = proto_item_add_subtree(ext_item, hf->ett.hs_ext);
11805
11806 proto_tree_add_uint(ext_tree, hf->hf.hs_ext_type,
11807 tvb, offset, 2, ext_type);
11808 offset += 2;
11809 if (ja3 && !IS_GREASE_TLS(ext_type)((((ext_type) & 0x0f0f) == 0x0a0a) && (((ext_type
) & 0xff) == (((ext_type)>>8) & 0xff)))) {
11810 wmem_strbuf_append_printf(ja3, "%s%i",ja3_dash, ext_type);
11811 ja3_dash = "-";
11812 }
11813
11814 /* opaque extension_data<0..2^16-1> */
11815 if (!ssl_add_vector(hf, tvb, pinfo, ext_tree, offset, offset_end, &ext_len,
11816 hf->hf.hs_ext_len, 0, UINT16_MAX(65535))) {
11817 return offset_end;
11818 }
11819 offset += 2;
11820 next_offset = offset + ext_len;
11821
11822 switch (ext_type) {
11823 case SSL_HND_HELLO_EXT_SERVER_NAME0:
11824 if (hnd_type == SSL_HND_CLIENT_HELLO) {
11825 offset = ssl_dissect_hnd_hello_ext_server_name(hf, tvb, pinfo, ext_tree, offset, next_offset);
11826 if (ja4_data) {
11827 ja4_data->server_name_present = true1;
11828 }
11829 }
11830 break;
11831 case SSL_HND_HELLO_EXT_MAX_FRAGMENT_LENGTH1:
11832 proto_tree_add_item(ext_tree, hf->hf.hs_ext_max_fragment_length, tvb, offset, 1, ENC_NA0x00000000);
11833 offset += 1;
11834 break;
11835 case SSL_HND_HELLO_EXT_STATUS_REQUEST5:
11836 if (hnd_type == SSL_HND_CLIENT_HELLO) {
11837 offset = ssl_dissect_hnd_hello_ext_status_request(hf, tvb, pinfo, ext_tree, offset, next_offset, false0);
11838 } else if (is_tls13 && hnd_type == SSL_HND_CERTIFICATE) {
11839 offset = tls_dissect_hnd_certificate_status(hf, tvb, pinfo, ext_tree, offset, next_offset);
11840 }
11841 break;
11842 case SSL_HND_HELLO_EXT_CERT_TYPE9:
11843 offset = ssl_dissect_hnd_hello_ext_cert_type(hf, tvb, ext_tree,
11844 offset, next_offset,
11845 hnd_type, ext_type,
11846 session);
11847 break;
11848 case SSL_HND_HELLO_EXT_SUPPORTED_GROUPS10:
11849 if (hnd_type == SSL_HND_CLIENT_HELLO) {
11850 offset = ssl_dissect_hnd_hello_ext_supported_groups(hf, tvb, pinfo, ext_tree, offset,
11851 next_offset, ja3_sg);
11852 } else {
11853 offset = ssl_dissect_hnd_hello_ext_supported_groups(hf, tvb, pinfo, ext_tree, offset,
11854 next_offset, NULL((void*)0));
11855 }
11856 break;
11857 case SSL_HND_HELLO_EXT_EC_POINT_FORMATS11:
11858 if (hnd_type == SSL_HND_CLIENT_HELLO) {
11859 offset = ssl_dissect_hnd_hello_ext_ec_point_formats(hf, tvb, ext_tree, offset, ja3_ecpf);
11860 } else {
11861 offset = ssl_dissect_hnd_hello_ext_ec_point_formats(hf, tvb, ext_tree, offset, NULL((void*)0));
11862 }
11863 break;
11864 break;
11865 case SSL_HND_HELLO_EXT_SRP12:
11866 offset = ssl_dissect_hnd_hello_ext_srp(hf, tvb, pinfo, ext_tree, offset, next_offset);
11867 break;
11868 case SSL_HND_HELLO_EXT_SIGNATURE_ALGORITHMS13:
11869 offset = ssl_dissect_hnd_hello_ext_sig_hash_algs(hf, tvb, ext_tree, pinfo, offset, next_offset, ja4_data);
11870 break;
11871 case SSL_HND_HELLO_EXT_SIGNATURE_ALGORITHMS_CERT50: /* since TLS 1.3 draft -23 */
11872 offset = ssl_dissect_hnd_hello_ext_sig_hash_algs(hf, tvb, ext_tree, pinfo, offset, next_offset, NULL((void*)0));
11873 break;
11874 case SSL_HND_HELLO_EXT_DELEGATED_CREDENTIALS34:
11875 offset = ssl_dissect_hnd_ext_delegated_credentials(hf, tvb, ext_tree, pinfo, offset, next_offset, hnd_type);
11876 break;
11877 case SSL_HND_HELLO_EXT_USE_SRTP14:
11878 if (is_dtls) {
11879 if (hnd_type == SSL_HND_CLIENT_HELLO) {
11880 offset = dtls_dissect_hnd_hello_ext_use_srtp(pinfo, tvb, ext_tree, offset, next_offset, false0);
11881 } else if (hnd_type == SSL_HND_SERVER_HELLO) {
11882 offset = dtls_dissect_hnd_hello_ext_use_srtp(pinfo, tvb, ext_tree, offset, next_offset, true1);
11883 }
11884 } else {
11885 // XXX expert info: This extension MUST only be used with DTLS, and not with TLS.
11886 }
11887 break;
11888 case SSL_HND_HELLO_EXT_ECH_OUTER_EXTENSIONS64768:
11889 offset = ssl_dissect_hnd_ech_outer_ext(hf, tvb, pinfo, ext_tree, offset, next_offset);
11890 break;
11891 case SSL_HND_HELLO_EXT_ENCRYPTED_CLIENT_HELLO65037:
11892 offset = ssl_dissect_hnd_hello_ext_ech(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, session, ssl, mk_map, initial_offset, hello_length);
11893 break;
11894 case SSL_HND_HELLO_EXT_HEARTBEAT15:
11895 proto_tree_add_item(ext_tree, hf->hf.hs_ext_heartbeat_mode,
11896 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
11897 offset++;
11898 break;
11899 case SSL_HND_HELLO_EXT_ALPN16:
11900 offset = ssl_dissect_hnd_hello_ext_alpn(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, session, is_dtls, ja4_data);
11901 break;
11902 case SSL_HND_HELLO_EXT_STATUS_REQUEST_V217:
11903 if (hnd_type == SSL_HND_CLIENT_HELLO)
11904 offset = ssl_dissect_hnd_hello_ext_status_request_v2(hf, tvb, pinfo, ext_tree, offset, next_offset);
11905 break;
11906 case SSL_HND_HELLO_EXT_SIGNED_CERTIFICATE_TIMESTAMP18:
11907 // TLS 1.3 note: SCT only appears in EE in draft -16 and before.
11908 if (hnd_type == SSL_HND_SERVER_HELLO || hnd_type == SSL_HND_ENCRYPTED_EXTENSIONS || hnd_type == SSL_HND_CERTIFICATE)
11909 offset = tls_dissect_sct_list(hf, tvb, pinfo, ext_tree, offset, next_offset, session->version);
11910 break;
11911 case SSL_HND_HELLO_EXT_CLIENT_CERT_TYPE19:
11912 case SSL_HND_HELLO_EXT_SERVER_CERT_TYPE20:
11913 offset = ssl_dissect_hnd_hello_ext_cert_type(hf, tvb, ext_tree,
11914 offset, next_offset,
11915 hnd_type, ext_type,
11916 session);
11917 break;
11918 case SSL_HND_HELLO_EXT_PADDING21:
11919 proto_tree_add_item(ext_tree, hf->hf.hs_ext_padding_data, tvb, offset, ext_len, ENC_NA0x00000000);
11920 offset += ext_len;
11921 break;
11922 case SSL_HND_HELLO_EXT_ENCRYPT_THEN_MAC22:
11923 if (ssl && hnd_type == SSL_HND_SERVER_HELLO) {
11924 ssl_debug_printf("%s enabling Encrypt-then-MAC\n", G_STRFUNC((const char*) (__func__)));
11925 ssl->state |= SSL_ENCRYPT_THEN_MAC(1<<11);
11926 }
11927 break;
11928 case SSL_HND_HELLO_EXT_EXTENDED_MASTER_SECRET23:
11929 if (ssl) {
11930 switch (hnd_type) {
11931 case SSL_HND_CLIENT_HELLO:
11932 ssl->state |= SSL_CLIENT_EXTENDED_MASTER_SECRET(1<<7);
11933 break;
11934 case SSL_HND_SERVER_HELLO:
11935 ssl->state |= SSL_SERVER_EXTENDED_MASTER_SECRET(1<<8);
11936 break;
11937 default: /* no default */
11938 break;
11939 }
11940 }
11941 break;
11942 case SSL_HND_HELLO_EXT_COMPRESS_CERTIFICATE27:
11943 offset = ssl_dissect_hnd_hello_ext_compress_certificate(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, ssl);
11944 break;
11945 case SSL_HND_HELLO_EXT_TOKEN_BINDING24:
11946 offset = ssl_dissect_hnd_hello_ext_token_binding(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, ssl);
11947 break;
11948 case SSL_HND_HELLO_EXT_RECORD_SIZE_LIMIT28:
11949 proto_tree_add_item(ext_tree, hf->hf.hs_ext_record_size_limit,
11950 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
11951 offset += 2;
11952 break;
11953 case SSL_HND_HELLO_EXT_QUIC_TRANSPORT_PARAMETERS65445:
11954 case SSL_HND_HELLO_EXT_QUIC_TRANSPORT_PARAMETERS_V157:
11955 offset = ssl_dissect_hnd_hello_ext_quic_transport_parameters(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, ssl);
11956 break;
11957 case SSL_HND_HELLO_EXT_SESSION_TICKET_TLS35:
11958 offset = ssl_dissect_hnd_hello_ext_session_ticket(hf, tvb, ext_tree, offset, next_offset, hnd_type, ssl);
11959 break;
11960 case SSL_HND_HELLO_EXT_KEY_SHARE_OLD40: /* used before TLS 1.3 draft -23 */
11961 case SSL_HND_HELLO_EXT_KEY_SHARE51:
11962 offset = ssl_dissect_hnd_hello_ext_key_share(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type);
11963 break;
11964 case SSL_HND_HELLO_EXT_PRE_SHARED_KEY41:
11965 offset = ssl_dissect_hnd_hello_ext_pre_shared_key(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type);
11966 break;
11967 case SSL_HND_HELLO_EXT_EARLY_DATA42:
11968 case SSL_HND_HELLO_EXT_TICKET_EARLY_DATA_INFO46:
11969 offset = ssl_dissect_hnd_hello_ext_early_data(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, ssl);
11970 break;
11971 case SSL_HND_HELLO_EXT_SUPPORTED_VERSIONS43:
11972 switch (hnd_type) {
11973 case SSL_HND_CLIENT_HELLO:
11974 offset = ssl_dissect_hnd_hello_ext_supported_versions(hf, tvb, pinfo, ext_tree, offset, next_offset, session, is_dtls, ja4_data);
11975 break;
11976 case SSL_HND_SERVER_HELLO:
11977 case SSL_HND_HELLO_RETRY_REQUEST:
11978 proto_tree_add_item_ret_uint(ext_tree, hf->hf.hs_ext_supported_version, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &supported_version);
11979 offset += 2;
11980 proto_item_append_text(ext_tree, " %s", val_to_str(pinfo->pool, supported_version, ssl_versions, "Unknown (0x%04x)"));
11981 break;
11982 }
11983 break;
11984 case SSL_HND_HELLO_EXT_COOKIE44:
11985 offset = ssl_dissect_hnd_hello_ext_cookie(hf, tvb, pinfo, ext_tree, offset, next_offset);
11986 break;
11987 case SSL_HND_HELLO_EXT_PSK_KEY_EXCHANGE_MODES45:
11988 offset = ssl_dissect_hnd_hello_ext_psk_key_exchange_modes(hf, tvb, pinfo, ext_tree, offset, next_offset);
11989 break;
11990 case SSL_HND_HELLO_EXT_CERTIFICATE_AUTHORITIES47:
11991 offset = ssl_dissect_hnd_hello_ext_certificate_authorities(hf, tvb, pinfo, ext_tree, offset, next_offset);
11992 break;
11993 case SSL_HND_HELLO_EXT_OID_FILTERS48:
11994 offset = ssl_dissect_hnd_hello_ext_oid_filters(hf, tvb, pinfo, ext_tree, offset, next_offset);
11995 break;
11996 case SSL_HND_HELLO_EXT_POST_HANDSHAKE_AUTH49:
11997 break;
11998 case SSL_HND_HELLO_EXT_NPN13172:
11999 offset = ssl_dissect_hnd_hello_ext_npn(hf, tvb, pinfo, ext_tree, offset, next_offset);
12000 break;
12001 case SSL_HND_HELLO_EXT_ALPS_OLD17513:
12002 offset = ssl_dissect_hnd_hello_ext_alps(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type);
12003 break;
12004 case SSL_HND_HELLO_EXT_ALPS17613:
12005 offset = ssl_dissect_hnd_hello_ext_alps(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type);
12006 break;
12007 case SSL_HND_HELLO_EXT_RENEGOTIATION_INFO65281:
12008 offset = ssl_dissect_hnd_hello_ext_reneg_info(hf, tvb, pinfo, ext_tree, offset, next_offset);
12009 break;
12010 case SSL_HND_HELLO_EXT_ENCRYPTED_SERVER_NAME65486:
12011 offset = ssl_dissect_hnd_hello_ext_esni(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, ssl);
12012 break;
12013 case SSL_HND_HELLO_EXT_CONNECTION_ID_DEPRECATED53:
12014 session->deprecated_cid = true1;
12015 /* FALLTHRU */
12016 case SSL_HND_HELLO_EXT_CONNECTION_ID54:
12017 offset = ssl_dissect_hnd_hello_ext_connection_id(hf, tvb, pinfo, ext_tree, offset, hnd_type, session, ssl);
12018 break;
12019 case SSL_HND_HELLO_EXT_TRUSTED_CA_KEYS3:
12020 offset = ssl_dissect_hnd_hello_ext_trusted_ca_keys(hf, tvb, pinfo, ext_tree, offset, next_offset);
12021 break;
12022 default:
12023 proto_tree_add_item(ext_tree, hf->hf.hs_ext_data,
12024 tvb, offset, ext_len, ENC_NA0x00000000);
12025 offset += ext_len;
12026 break;
12027 }
12028
12029 if (!ssl_end_vector(hf, tvb, pinfo, ext_tree, offset, next_offset)) {
12030 /* Dissection did not end at expected location, fix it. */
12031 offset = next_offset;
12032 }
12033 }
12034
12035 if (ja3) {
12036 if (hnd_type == SSL_HND_CLIENT_HELLO) {
12037 if(wmem_strbuf_get_len(ja3_sg) > 0) {
12038 wmem_strbuf_append_printf(ja3, "%s", wmem_strbuf_get_str(ja3_sg));
12039 } else {
12040 wmem_strbuf_append_c(ja3, ',');
12041 }
12042 if(wmem_strbuf_get_len(ja3_ecpf) > 0) {
12043 wmem_strbuf_append_printf(ja3, "%s", wmem_strbuf_get_str(ja3_ecpf));
12044 } else {
12045 wmem_strbuf_append_c(ja3, ',');
12046 }
12047 }
12048 }
12049
12050 /* Check if Extensions vector is correctly terminated. */
12051 if (!ssl_end_vector(hf, tvb, pinfo, tree, offset, offset_end)) {
12052 offset = offset_end;
12053 }
12054
12055 return offset;
12056} /* }}} */
12057
12058
12059/* ClientKeyExchange algo-specific dissectors. {{{ */
12060
12061static void
12062dissect_ssl3_hnd_cli_keyex_ecdh(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12063 proto_tree *tree, uint32_t offset,
12064 uint32_t length)
12065{
12066 int point_len;
12067 proto_tree *ssl_ecdh_tree;
12068
12069 ssl_ecdh_tree = proto_tree_add_subtree(tree, tvb, offset, length,
12070 hf->ett.keyex_params, NULL((void*)0), "EC Diffie-Hellman Client Params");
12071
12072 /* point */
12073 point_len = tvb_get_uint8(tvb, offset);
12074 proto_tree_add_item(ssl_ecdh_tree, hf->hf.hs_client_keyex_point_len, tvb,
12075 offset, 1, ENC_BIG_ENDIAN0x00000000);
12076 proto_tree_add_item(ssl_ecdh_tree, hf->hf.hs_client_keyex_point, tvb,
12077 offset + 1, point_len, ENC_NA0x00000000);
12078}
12079
12080static void
12081dissect_ssl3_hnd_cli_keyex_dhe(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12082 proto_tree *tree, uint32_t offset, uint32_t length)
12083{
12084 int yc_len;
12085 proto_tree *ssl_dh_tree;
12086
12087 ssl_dh_tree = proto_tree_add_subtree(tree, tvb, offset, length,
12088 hf->ett.keyex_params, NULL((void*)0), "Diffie-Hellman Client Params");
12089
12090 /* ClientDiffieHellmanPublic.dh_public (explicit) */
12091 yc_len = tvb_get_ntohs(tvb, offset);
12092 proto_tree_add_item(ssl_dh_tree, hf->hf.hs_client_keyex_yc_len, tvb,
12093 offset, 2, ENC_BIG_ENDIAN0x00000000);
12094 proto_tree_add_item(ssl_dh_tree, hf->hf.hs_client_keyex_yc, tvb,
12095 offset + 2, yc_len, ENC_NA0x00000000);
12096}
12097
12098static void
12099dissect_ssl3_hnd_cli_keyex_rsa(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12100 proto_tree *tree, uint32_t offset,
12101 uint32_t length, const SslSession *session)
12102{
12103 int epms_len;
12104 proto_tree *ssl_rsa_tree;
12105
12106 ssl_rsa_tree = proto_tree_add_subtree(tree, tvb, offset, length,
12107 hf->ett.keyex_params, NULL((void*)0), "RSA Encrypted PreMaster Secret");
12108
12109 /* EncryptedPreMasterSecret.pre_master_secret */
12110 switch (session->version) {
12111 case SSLV2_VERSION0x0002:
12112 case SSLV3_VERSION0x300:
12113 case DTLSV1DOT0_OPENSSL_VERSION0x100:
12114 /* OpenSSL pre-0.9.8f DTLS and pre-TLS quirk: 2-octet length vector is
12115 * not present. The handshake contents represents the EPMS, see:
12116 * https://gitlab.com/wireshark/wireshark/-/issues/10222 */
12117 epms_len = length;
12118 break;
12119
12120 default:
12121 /* TLS and DTLS include vector length before EPMS */
12122 epms_len = tvb_get_ntohs(tvb, offset);
12123 proto_tree_add_item(ssl_rsa_tree, hf->hf.hs_client_keyex_epms_len, tvb,
12124 offset, 2, ENC_BIG_ENDIAN0x00000000);
12125 offset += 2;
12126 break;
12127 }
12128 proto_tree_add_item(ssl_rsa_tree, hf->hf.hs_client_keyex_epms, tvb,
12129 offset, epms_len, ENC_NA0x00000000);
12130}
12131
12132/* Used in PSK cipher suites */
12133static uint32_t
12134dissect_ssl3_hnd_cli_keyex_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12135 proto_tree *tree, uint32_t offset)
12136{
12137 unsigned identity_len;
12138 proto_tree *ssl_psk_tree;
12139
12140 ssl_psk_tree = proto_tree_add_subtree(tree, tvb, offset, -1,
12141 hf->ett.keyex_params, NULL((void*)0), "PSK Client Params");
12142 /* identity */
12143 identity_len = tvb_get_ntohs(tvb, offset);
12144 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_client_keyex_identity_len, tvb,
12145 offset, 2, ENC_BIG_ENDIAN0x00000000);
12146 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_client_keyex_identity, tvb,
12147 offset + 2, identity_len, ENC_NA0x00000000);
12148
12149 proto_item_set_len(ssl_psk_tree, 2 + identity_len);
12150 return 2 + identity_len;
12151}
12152
12153/* Used in RSA PSK cipher suites */
12154static void
12155dissect_ssl3_hnd_cli_keyex_rsa_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12156 proto_tree *tree, uint32_t offset,
12157 uint32_t length)
12158{
12159 int identity_len, epms_len;
12160 proto_tree *ssl_psk_tree;
12161
12162 ssl_psk_tree = proto_tree_add_subtree(tree, tvb, offset, length,
12163 hf->ett.keyex_params, NULL((void*)0), "RSA PSK Client Params");
12164
12165 /* identity */
12166 identity_len = tvb_get_ntohs(tvb, offset);
12167 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_client_keyex_identity_len,
12168 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
12169 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_client_keyex_identity,
12170 tvb, offset + 2, identity_len, ENC_NA0x00000000);
12171 offset += 2 + identity_len;
12172
12173 /* Yc */
12174 epms_len = tvb_get_ntohs(tvb, offset);
12175 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_client_keyex_epms_len, tvb,
12176 offset, 2, ENC_BIG_ENDIAN0x00000000);
12177 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_client_keyex_epms, tvb,
12178 offset + 2, epms_len, ENC_NA0x00000000);
12179}
12180
12181/* Used in Diffie-Hellman PSK cipher suites */
12182static void
12183dissect_ssl3_hnd_cli_keyex_dhe_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12184 proto_tree *tree, uint32_t offset, uint32_t length)
12185{
12186 /*
12187 * struct {
12188 * select (KeyExchangeAlgorithm) {
12189 * case diffie_hellman_psk:
12190 * opaque psk_identity<0..2^16-1>;
12191 * ClientDiffieHellmanPublic public;
12192 * } exchange_keys;
12193 * } ClientKeyExchange;
12194 */
12195
12196 uint32_t psk_len = dissect_ssl3_hnd_cli_keyex_psk(hf, tvb, tree, offset);
12197 dissect_ssl3_hnd_cli_keyex_dhe(hf, tvb, tree, offset + psk_len, length - psk_len);
12198}
12199
12200/* Used in EC Diffie-Hellman PSK cipher suites */
12201static void
12202dissect_ssl3_hnd_cli_keyex_ecdh_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12203 proto_tree *tree, uint32_t offset, uint32_t length)
12204{
12205 /*
12206 * struct {
12207 * select (KeyExchangeAlgorithm) {
12208 * case ec_diffie_hellman_psk:
12209 * opaque psk_identity<0..2^16-1>;
12210 * ClientECDiffieHellmanPublic public;
12211 * } exchange_keys;
12212 * } ClientKeyExchange;
12213 */
12214
12215 uint32_t psk_len = dissect_ssl3_hnd_cli_keyex_psk(hf, tvb, tree, offset);
12216 dissect_ssl3_hnd_cli_keyex_ecdh(hf, tvb, tree, offset + psk_len, length - psk_len);
12217}
12218
12219/* Used in EC J-PAKE cipher suites */
12220static void
12221dissect_ssl3_hnd_cli_keyex_ecjpake(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12222 proto_tree *tree, uint32_t offset,
12223 uint32_t length)
12224{
12225 /*
12226 * struct {
12227 * ECPoint V;
12228 * opaque r<1..2^8-1>;
12229 * } ECSchnorrZKP;
12230 *
12231 * struct {
12232 * ECPoint X;
12233 * ECSchnorrZKP zkp;
12234 * } ECJPAKEKeyKP;
12235 *
12236 * struct {
12237 * ECJPAKEKeyKP ecjpake_key_kp;
12238 * } ClientECJPAKEParams;
12239 *
12240 * select (KeyExchangeAlgorithm) {
12241 * case ecjpake:
12242 * ClientECJPAKEParams params;
12243 * } ClientKeyExchange;
12244 */
12245
12246 int point_len;
12247 proto_tree *ssl_ecjpake_tree;
12248
12249 ssl_ecjpake_tree = proto_tree_add_subtree(tree, tvb, offset, length,
12250 hf->ett.keyex_params, NULL((void*)0),
12251 "EC J-PAKE Client Params");
12252
12253 /* ECJPAKEKeyKP.X */
12254 point_len = tvb_get_uint8(tvb, offset);
12255 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_client_keyex_xc_len, tvb,
12256 offset, 1, ENC_BIG_ENDIAN0x00000000);
12257 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_client_keyex_xc, tvb,
12258 offset + 1, point_len, ENC_NA0x00000000);
12259 offset += 1 + point_len;
12260
12261 /* ECJPAKEKeyKP.zkp.V */
12262 point_len = tvb_get_uint8(tvb, offset);
12263 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_client_keyex_vc_len, tvb,
12264 offset, 1, ENC_BIG_ENDIAN0x00000000);
12265 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_client_keyex_vc, tvb,
12266 offset + 1, point_len, ENC_NA0x00000000);
12267 offset += 1 + point_len;
12268
12269 /* ECJPAKEKeyKP.zkp.r */
12270 point_len = tvb_get_uint8(tvb, offset);
12271 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_client_keyex_rc_len, tvb,
12272 offset, 1, ENC_BIG_ENDIAN0x00000000);
12273 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_client_keyex_rc, tvb,
12274 offset + 1, point_len, ENC_NA0x00000000);
12275}
12276
12277static void
12278dissect_ssl3_hnd_cli_keyex_ecc_sm2(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12279 proto_tree *tree, uint32_t offset,
12280 uint32_t length)
12281{
12282 int epms_len;
12283 proto_tree *ssl_ecc_sm2_tree;
12284
12285 ssl_ecc_sm2_tree = proto_tree_add_subtree(tree, tvb, offset, length,
12286 hf->ett.keyex_params, NULL((void*)0),
12287 "ECC-SM2 Encrypted PreMaster Secret");
12288
12289 epms_len = tvb_get_ntohs(tvb, offset);
12290 proto_tree_add_item(ssl_ecc_sm2_tree, hf->hf.hs_client_keyex_epms_len, tvb,
12291 offset, 2, ENC_BIG_ENDIAN0x00000000);
12292 offset += 2;
12293 proto_tree_add_item(ssl_ecc_sm2_tree, hf->hf.hs_client_keyex_epms, tvb,
12294 offset, epms_len, ENC_NA0x00000000);
12295}
12296/* ClientKeyExchange algo-specific dissectors. }}} */
12297
12298
12299/* Dissects DigitallySigned (see RFC 5246 4.7 Cryptographic Attributes). {{{ */
12300static uint32_t
12301ssl_dissect_digitally_signed(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12302 proto_tree *tree, uint32_t offset, uint32_t offset_end,
12303 uint16_t version, int hf_sig_len, int hf_sig)
12304{
12305 uint32_t sig_len;
12306
12307 switch (version) {
12308 case TLSV1DOT2_VERSION0x303:
12309 case DTLSV1DOT2_VERSION0xfefd:
12310 case TLSV1DOT3_VERSION0x304:
12311 case DTLSV1DOT3_VERSION0xfefc:
12312 tls_dissect_signature_algorithm(hf, tvb, tree, offset, NULL((void*)0));
12313 offset += 2;
12314 break;
12315
12316 default:
12317 break;
12318 }
12319
12320 /* Sig */
12321 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &sig_len,
12322 hf_sig_len, 0, UINT16_MAX(65535))) {
12323 return offset_end;
12324 }
12325 offset += 2;
12326 proto_tree_add_item(tree, hf_sig, tvb, offset, sig_len, ENC_NA0x00000000);
12327 offset += sig_len;
12328 return offset;
12329} /* }}} */
12330
12331/* ServerKeyExchange algo-specific dissectors. {{{ */
12332
12333/* dissects signed_params inside a ServerKeyExchange for some keyex algos */
12334static void
12335dissect_ssl3_hnd_srv_keyex_sig(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12336 proto_tree *tree, uint32_t offset, uint32_t offset_end,
12337 uint16_t version)
12338{
12339 /*
12340 * TLSv1.2 (RFC 5246 sec 7.4.8)
12341 * struct {
12342 * digitally-signed struct {
12343 * opaque handshake_messages[handshake_messages_length];
12344 * }
12345 * } CertificateVerify;
12346 *
12347 * TLSv1.0/TLSv1.1 (RFC 5436 sec 7.4.8 and 7.4.3) works essentially the same
12348 * as TLSv1.2, but the hash algorithms are not explicit in digitally-signed.
12349 *
12350 * SSLv3 (RFC 6101 sec 5.6.8) essentially works the same as TLSv1.0 but it
12351 * does more hashing including the master secret and padding.
12352 */
12353 ssl_dissect_digitally_signed(hf, tvb, pinfo, tree, offset, offset_end, version,
12354 hf->hf.hs_server_keyex_sig_len,
12355 hf->hf.hs_server_keyex_sig);
12356}
12357
12358static uint32_t
12359dissect_tls_ecparameters(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree, uint32_t offset, uint32_t offset_end)
12360{
12361 /*
12362 * RFC 4492 ECC cipher suites for TLS
12363 *
12364 * struct {
12365 * ECCurveType curve_type;
12366 * select (curve_type) {
12367 * case explicit_prime:
12368 * ...
12369 * case explicit_char2:
12370 * ...
12371 * case named_curve:
12372 * NamedCurve namedcurve;
12373 * };
12374 * } ECParameters;
12375 */
12376
12377 int curve_type;
12378
12379 /* ECParameters.curve_type */
12380 curve_type = tvb_get_uint8(tvb, offset);
12381 proto_tree_add_item(tree, hf->hf.hs_server_keyex_curve_type, tvb,
12382 offset, 1, ENC_BIG_ENDIAN0x00000000);
12383 offset++;
12384
12385 if (curve_type != 3)
12386 return offset_end; /* only named_curves are supported */
12387
12388 /* case curve_type == named_curve; ECParameters.namedcurve */
12389 proto_tree_add_item(tree, hf->hf.hs_server_keyex_named_curve, tvb,
12390 offset, 2, ENC_BIG_ENDIAN0x00000000);
12391 offset += 2;
12392
12393 return offset;
12394}
12395
12396static void
12397dissect_ssl3_hnd_srv_keyex_ecdh(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12398 proto_tree *tree, uint32_t offset, uint32_t offset_end,
12399 uint16_t version, bool_Bool anon)
12400{
12401 /*
12402 * RFC 4492 ECC cipher suites for TLS
12403 *
12404 * struct {
12405 * opaque point <1..2^8-1>;
12406 * } ECPoint;
12407 *
12408 * struct {
12409 * ECParameters curve_params;
12410 * ECPoint public;
12411 * } ServerECDHParams;
12412 *
12413 * select (KeyExchangeAlgorithm) {
12414 * case ec_diffie_hellman:
12415 * ServerECDHParams params;
12416 * Signature signed_params;
12417 * } ServerKeyExchange;
12418 */
12419
12420 int point_len;
12421 proto_tree *ssl_ecdh_tree;
12422
12423 ssl_ecdh_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
12424 hf->ett.keyex_params, NULL((void*)0), "EC Diffie-Hellman Server Params");
12425
12426 offset = dissect_tls_ecparameters(hf, tvb, ssl_ecdh_tree, offset, offset_end);
12427 if (offset >= offset_end)
12428 return; /* only named_curves are supported */
12429
12430 /* ECPoint.point */
12431 point_len = tvb_get_uint8(tvb, offset);
12432 proto_tree_add_item(ssl_ecdh_tree, hf->hf.hs_server_keyex_point_len, tvb,
12433 offset, 1, ENC_BIG_ENDIAN0x00000000);
12434 proto_tree_add_item(ssl_ecdh_tree, hf->hf.hs_server_keyex_point, tvb,
12435 offset + 1, point_len, ENC_NA0x00000000);
12436 offset += 1 + point_len;
12437
12438 /* Signature (if non-anonymous KEX) */
12439 if (!anon) {
12440 dissect_ssl3_hnd_srv_keyex_sig(hf, tvb, pinfo, ssl_ecdh_tree, offset, offset_end, version);
12441 }
12442}
12443
12444static void
12445dissect_ssl3_hnd_srv_keyex_dhe(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12446 proto_tree *tree, uint32_t offset, uint32_t offset_end,
12447 uint16_t version, bool_Bool anon)
12448{
12449 int p_len, g_len, ys_len;
12450 proto_tree *ssl_dh_tree;
12451
12452 ssl_dh_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
12453 hf->ett.keyex_params, NULL((void*)0), "Diffie-Hellman Server Params");
12454
12455 /* p */
12456 p_len = tvb_get_ntohs(tvb, offset);
12457 proto_tree_add_item(ssl_dh_tree, hf->hf.hs_server_keyex_p_len, tvb,
12458 offset, 2, ENC_BIG_ENDIAN0x00000000);
12459 proto_tree_add_item(ssl_dh_tree, hf->hf.hs_server_keyex_p, tvb,
12460 offset + 2, p_len, ENC_NA0x00000000);
12461 offset += 2 + p_len;
12462
12463 /* g */
12464 g_len = tvb_get_ntohs(tvb, offset);
12465 proto_tree_add_item(ssl_dh_tree, hf->hf.hs_server_keyex_g_len, tvb,
12466 offset, 2, ENC_BIG_ENDIAN0x00000000);
12467 proto_tree_add_item(ssl_dh_tree, hf->hf.hs_server_keyex_g, tvb,
12468 offset + 2, g_len, ENC_NA0x00000000);
12469 offset += 2 + g_len;
12470
12471 /* Ys */
12472 ys_len = tvb_get_ntohs(tvb, offset);
12473 proto_tree_add_uint(ssl_dh_tree, hf->hf.hs_server_keyex_ys_len, tvb,
12474 offset, 2, ys_len);
12475 proto_tree_add_item(ssl_dh_tree, hf->hf.hs_server_keyex_ys, tvb,
12476 offset + 2, ys_len, ENC_NA0x00000000);
12477 offset += 2 + ys_len;
12478
12479 /* Signature (if non-anonymous KEX) */
12480 if (!anon) {
12481 dissect_ssl3_hnd_srv_keyex_sig(hf, tvb, pinfo, ssl_dh_tree, offset, offset_end, version);
12482 }
12483}
12484
12485/* Only used in RSA-EXPORT cipher suites */
12486static void
12487dissect_ssl3_hnd_srv_keyex_rsa(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12488 proto_tree *tree, uint32_t offset, uint32_t offset_end,
12489 uint16_t version)
12490{
12491 int modulus_len, exponent_len;
12492 proto_tree *ssl_rsa_tree;
12493
12494 ssl_rsa_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
12495 hf->ett.keyex_params, NULL((void*)0), "RSA-EXPORT Server Params");
12496
12497 /* modulus */
12498 modulus_len = tvb_get_ntohs(tvb, offset);
12499 proto_tree_add_item(ssl_rsa_tree, hf->hf.hs_server_keyex_modulus_len, tvb,
12500 offset, 2, ENC_BIG_ENDIAN0x00000000);
12501 proto_tree_add_item(ssl_rsa_tree, hf->hf.hs_server_keyex_modulus, tvb,
12502 offset + 2, modulus_len, ENC_NA0x00000000);
12503 offset += 2 + modulus_len;
12504
12505 /* exponent */
12506 exponent_len = tvb_get_ntohs(tvb, offset);
12507 proto_tree_add_item(ssl_rsa_tree, hf->hf.hs_server_keyex_exponent_len,
12508 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
12509 proto_tree_add_item(ssl_rsa_tree, hf->hf.hs_server_keyex_exponent,
12510 tvb, offset + 2, exponent_len, ENC_NA0x00000000);
12511 offset += 2 + exponent_len;
12512
12513 /* Signature */
12514 dissect_ssl3_hnd_srv_keyex_sig(hf, tvb, pinfo, ssl_rsa_tree, offset, offset_end, version);
12515}
12516
12517/* Used in RSA PSK and PSK cipher suites */
12518static uint32_t
12519dissect_ssl3_hnd_srv_keyex_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12520 proto_tree *tree, uint32_t offset)
12521{
12522 unsigned hint_len;
12523 proto_tree *ssl_psk_tree;
12524
12525 ssl_psk_tree = proto_tree_add_subtree(tree, tvb, offset, -1,
12526 hf->ett.keyex_params, NULL((void*)0), "PSK Server Params");
12527
12528 /* hint */
12529 hint_len = tvb_get_ntohs(tvb, offset);
12530 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_server_keyex_hint_len, tvb,
12531 offset, 2, ENC_BIG_ENDIAN0x00000000);
12532 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_server_keyex_hint, tvb,
12533 offset + 2, hint_len, ENC_NA0x00000000);
12534
12535 proto_item_set_len(ssl_psk_tree, 2 + hint_len);
12536 return 2 + hint_len;
12537}
12538
12539/* Used in Diffie-Hellman PSK cipher suites */
12540static void
12541dissect_ssl3_hnd_srv_keyex_dhe_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12542 proto_tree *tree, uint32_t offset, uint32_t offset_end)
12543{
12544 /*
12545 * struct {
12546 * select (KeyExchangeAlgorithm) {
12547 * case diffie_hellman_psk:
12548 * opaque psk_identity_hint<0..2^16-1>;
12549 * ServerDHParams params;
12550 * };
12551 * } ServerKeyExchange;
12552 */
12553
12554 uint32_t psk_len = dissect_ssl3_hnd_srv_keyex_psk(hf, tvb, tree, offset);
12555 dissect_ssl3_hnd_srv_keyex_dhe(hf, tvb, pinfo, tree, offset + psk_len, offset_end, 0, true1);
12556}
12557
12558/* Used in EC Diffie-Hellman PSK cipher suites */
12559static void
12560dissect_ssl3_hnd_srv_keyex_ecdh_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12561 proto_tree *tree, uint32_t offset, uint32_t offset_end)
12562{
12563 /*
12564 * struct {
12565 * select (KeyExchangeAlgorithm) {
12566 * case ec_diffie_hellman_psk:
12567 * opaque psk_identity_hint<0..2^16-1>;
12568 * ServerECDHParams params;
12569 * };
12570 * } ServerKeyExchange;
12571 */
12572
12573 uint32_t psk_len = dissect_ssl3_hnd_srv_keyex_psk(hf, tvb, tree, offset);
12574 dissect_ssl3_hnd_srv_keyex_ecdh(hf, tvb, pinfo, tree, offset + psk_len, offset_end, 0, true1);
12575}
12576
12577/* Used in EC J-PAKE cipher suites */
12578static void
12579dissect_ssl3_hnd_srv_keyex_ecjpake(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12580 proto_tree *tree, uint32_t offset, uint32_t offset_end)
12581{
12582 /*
12583 * struct {
12584 * ECPoint V;
12585 * opaque r<1..2^8-1>;
12586 * } ECSchnorrZKP;
12587 *
12588 * struct {
12589 * ECPoint X;
12590 * ECSchnorrZKP zkp;
12591 * } ECJPAKEKeyKP;
12592 *
12593 * struct {
12594 * ECParameters curve_params;
12595 * ECJPAKEKeyKP ecjpake_key_kp;
12596 * } ServerECJPAKEParams;
12597 *
12598 * select (KeyExchangeAlgorithm) {
12599 * case ecjpake:
12600 * ServerECJPAKEParams params;
12601 * } ServerKeyExchange;
12602 */
12603
12604 int point_len;
12605 proto_tree *ssl_ecjpake_tree;
12606
12607 ssl_ecjpake_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
12608 hf->ett.keyex_params, NULL((void*)0),
12609 "EC J-PAKE Server Params");
12610
12611 offset = dissect_tls_ecparameters(hf, tvb, ssl_ecjpake_tree, offset, offset_end);
12612 if (offset >= offset_end)
12613 return; /* only named_curves are supported */
12614
12615 /* ECJPAKEKeyKP.X */
12616 point_len = tvb_get_uint8(tvb, offset);
12617 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_server_keyex_xs_len, tvb,
12618 offset, 1, ENC_BIG_ENDIAN0x00000000);
12619 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_server_keyex_xs, tvb,
12620 offset + 1, point_len, ENC_NA0x00000000);
12621 offset += 1 + point_len;
12622
12623 /* ECJPAKEKeyKP.zkp.V */
12624 point_len = tvb_get_uint8(tvb, offset);
12625 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_server_keyex_vs_len, tvb,
12626 offset, 1, ENC_BIG_ENDIAN0x00000000);
12627 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_server_keyex_vs, tvb,
12628 offset + 1, point_len, ENC_NA0x00000000);
12629 offset += 1 + point_len;
12630
12631 /* ECJPAKEKeyKP.zkp.r */
12632 point_len = tvb_get_uint8(tvb, offset);
12633 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_server_keyex_rs_len, tvb,
12634 offset, 1, ENC_BIG_ENDIAN0x00000000);
12635 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_server_keyex_rs, tvb,
12636 offset + 1, point_len, ENC_NA0x00000000);
12637}
12638
12639/* Only used in ECC-SM2-EXPORT cipher suites */
12640static void
12641dissect_ssl3_hnd_srv_keyex_ecc_sm2(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12642 proto_tree *tree, uint32_t offset, uint32_t offset_end,
12643 uint16_t version)
12644{
12645 proto_tree *ssl_ecc_sm2_tree;
12646
12647 ssl_ecc_sm2_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
12648 hf->ett.keyex_params, NULL((void*)0), "ECC-SM2-EXPORT Server Params");
12649
12650 /* Signature */
12651 dissect_ssl3_hnd_srv_keyex_sig(hf, tvb, pinfo, ssl_ecc_sm2_tree, offset, offset_end, version);
12652}
12653/* ServerKeyExchange algo-specific dissectors. }}} */
12654
12655/* Client Key Exchange and Server Key Exchange handshake dissections. {{{ */
12656void
12657ssl_dissect_hnd_cli_keyex(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12658 proto_tree *tree, uint32_t offset, uint32_t length,
12659 const SslSession *session)
12660{
12661 switch (ssl_get_keyex_alg(session->cipher)) {
12662 case KEX_DH_ANON0x13: /* RFC 5246; DHE_DSS, DHE_RSA, DH_DSS, DH_RSA, DH_ANON: ClientDiffieHellmanPublic */
12663 case KEX_DH_DSS0x14:
12664 case KEX_DH_RSA0x15:
12665 case KEX_DHE_DSS0x10:
12666 case KEX_DHE_RSA0x12:
12667 dissect_ssl3_hnd_cli_keyex_dhe(hf, tvb, tree, offset, length);
12668 break;
12669 case KEX_DHE_PSK0x11: /* RFC 4279; diffie_hellman_psk: psk_identity, ClientDiffieHellmanPublic */
12670 dissect_ssl3_hnd_cli_keyex_dhe_psk(hf, tvb, tree, offset, length);
12671 break;
12672 case KEX_ECDH_ANON0x19: /* RFC 4492; ec_diffie_hellman: ClientECDiffieHellmanPublic */
12673 case KEX_ECDH_ECDSA0x1a:
12674 case KEX_ECDH_RSA0x1b:
12675 case KEX_ECDHE_ECDSA0x16:
12676 case KEX_ECDHE_RSA0x18:
12677 dissect_ssl3_hnd_cli_keyex_ecdh(hf, tvb, tree, offset, length);
12678 break;
12679 case KEX_ECDHE_PSK0x17: /* RFC 5489; ec_diffie_hellman_psk: psk_identity, ClientECDiffieHellmanPublic */
12680 dissect_ssl3_hnd_cli_keyex_ecdh_psk(hf, tvb, tree, offset, length);
12681 break;
12682 case KEX_KRB50x1c: /* RFC 2712; krb5: KerberosWrapper */
12683 /* XXX: implement support for KRB5 */
12684 proto_tree_add_expert_format(tree, NULL((void*)0), &hf->ei.hs_ciphersuite_undecoded,
12685 tvb, offset, length,
12686 "Kerberos ciphersuites (RFC 2712) are not implemented, contact Wireshark"
12687 " developers if you want them to be supported");
12688 break;
12689 case KEX_PSK0x1d: /* RFC 4279; psk: psk_identity */
12690 dissect_ssl3_hnd_cli_keyex_psk(hf, tvb, tree, offset);
12691 break;
12692 case KEX_RSA0x1e: /* RFC 5246; rsa: EncryptedPreMasterSecret */
12693 dissect_ssl3_hnd_cli_keyex_rsa(hf, tvb, tree, offset, length, session);
12694 break;
12695 case KEX_RSA_PSK0x1f: /* RFC 4279; rsa_psk: psk_identity, EncryptedPreMasterSecret */
12696 dissect_ssl3_hnd_cli_keyex_rsa_psk(hf, tvb, tree, offset, length);
12697 break;
12698 case KEX_SRP_SHA0x20: /* RFC 5054; srp: ClientSRPPublic */
12699 case KEX_SRP_SHA_DSS0x21:
12700 case KEX_SRP_SHA_RSA0x22:
12701 /* XXX: implement support for SRP_SHA* */
12702 proto_tree_add_expert_format(tree, NULL((void*)0), &hf->ei.hs_ciphersuite_undecoded,
12703 tvb, offset, length,
12704 "SRP_SHA ciphersuites (RFC 5054) are not implemented, contact Wireshark"
12705 " developers if you want them to be supported");
12706 break;
12707 case KEX_ECJPAKE0x24: /* https://tools.ietf.org/html/draft-cragie-tls-ecjpake-01 used in Thread Commissioning */
12708 dissect_ssl3_hnd_cli_keyex_ecjpake(hf, tvb, tree, offset, length);
12709 break;
12710 case KEX_ECC_SM20x26: /* GB/T 38636 */
12711 dissect_ssl3_hnd_cli_keyex_ecc_sm2(hf, tvb, tree, offset, length);
12712 break;
12713 default:
12714 if (session->cipher == 0) {
12715 proto_tree_add_expert_format(tree, NULL((void*)0), &hf->ei.hs_ciphersuite_undecoded,
12716 tvb, offset, length,
12717 "Cipher Suite not found");
12718 } else {
12719 proto_tree_add_expert_format(tree, NULL((void*)0), &hf->ei.hs_ciphersuite_undecoded,
12720 tvb, offset, length,
12721 "Cipher Suite 0x%04x is not implemented, "
12722 "contact Wireshark developers if you want this to be supported",
12723 session->cipher);
12724 }
12725 break;
12726 }
12727}
12728
12729void
12730ssl_dissect_hnd_srv_keyex(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12731 proto_tree *tree, uint32_t offset, uint32_t offset_end,
12732 const SslSession *session)
12733{
12734 switch (ssl_get_keyex_alg(session->cipher)) {
12735 case KEX_DH_ANON0x13: /* RFC 5246; ServerDHParams */
12736 dissect_ssl3_hnd_srv_keyex_dhe(hf, tvb, pinfo, tree, offset, offset_end, session->version, true1);
12737 break;
12738 case KEX_DH_DSS0x14: /* RFC 5246; not allowed */
12739 case KEX_DH_RSA0x15:
12740 proto_tree_add_expert(tree, NULL((void*)0), &hf->ei.hs_srv_keyex_illegal,
12741 tvb, offset, offset_end - offset);
12742 break;
12743 case KEX_DHE_DSS0x10: /* RFC 5246; dhe_dss, dhe_rsa: ServerDHParams, Signature */
12744 case KEX_DHE_RSA0x12:
12745 dissect_ssl3_hnd_srv_keyex_dhe(hf, tvb, pinfo, tree, offset, offset_end, session->version, false0);
12746 break;
12747 case KEX_DHE_PSK0x11: /* RFC 4279; diffie_hellman_psk: psk_identity_hint, ServerDHParams */
12748 dissect_ssl3_hnd_srv_keyex_dhe_psk(hf, tvb, pinfo, tree, offset, offset_end);
12749 break;
12750 case KEX_ECDH_ANON0x19: /* RFC 4492; ec_diffie_hellman: ServerECDHParams (without signature for anon) */
12751 dissect_ssl3_hnd_srv_keyex_ecdh(hf, tvb, pinfo, tree, offset, offset_end, session->version, true1);
12752 break;
12753 case KEX_ECDHE_PSK0x17: /* RFC 5489; psk_identity_hint, ServerECDHParams */
12754 dissect_ssl3_hnd_srv_keyex_ecdh_psk(hf, tvb, pinfo, tree, offset, offset_end);
12755 break;
12756 case KEX_ECDH_ECDSA0x1a: /* RFC 4492; ec_diffie_hellman: ServerECDHParams, Signature */
12757 case KEX_ECDH_RSA0x1b:
12758 case KEX_ECDHE_ECDSA0x16:
12759 case KEX_ECDHE_RSA0x18:
12760 dissect_ssl3_hnd_srv_keyex_ecdh(hf, tvb, pinfo, tree, offset, offset_end, session->version, false0);
12761 break;
12762 case KEX_KRB50x1c: /* RFC 2712; not allowed */
12763 proto_tree_add_expert(tree, NULL((void*)0), &hf->ei.hs_srv_keyex_illegal,
12764 tvb, offset, offset_end - offset);
12765 break;
12766 case KEX_PSK0x1d: /* RFC 4279; psk, rsa: psk_identity */
12767 case KEX_RSA_PSK0x1f:
12768 dissect_ssl3_hnd_srv_keyex_psk(hf, tvb, tree, offset);
12769 break;
12770 case KEX_RSA0x1e: /* only allowed if the public key in the server certificate is longer than 512 bits */
12771 dissect_ssl3_hnd_srv_keyex_rsa(hf, tvb, pinfo, tree, offset, offset_end, session->version);
12772 break;
12773 case KEX_ECC_SM20x26: /* GB/T 38636 */
12774 dissect_ssl3_hnd_srv_keyex_ecc_sm2(hf, tvb, pinfo, tree, offset, offset_end, session->version);
12775 break;
12776 case KEX_SRP_SHA0x20: /* RFC 5054; srp: ServerSRPParams, Signature */
12777 case KEX_SRP_SHA_DSS0x21:
12778 case KEX_SRP_SHA_RSA0x22:
12779 /* XXX: implement support for SRP_SHA* */
12780 proto_tree_add_expert_format(tree, NULL((void*)0), &hf->ei.hs_ciphersuite_undecoded,
12781 tvb, offset, offset_end - offset,
12782 "SRP_SHA ciphersuites (RFC 5054) are not implemented, contact Wireshark"
12783 " developers if you want them to be supported");
12784 break;
12785 case KEX_ECJPAKE0x24: /* https://tools.ietf.org/html/draft-cragie-tls-ecjpake-01 used in Thread Commissioning */
12786 dissect_ssl3_hnd_srv_keyex_ecjpake(hf, tvb, tree, offset, offset_end);
12787 break;
12788 default:
12789 if (session->cipher == 0) {
12790 proto_tree_add_expert_format(tree, NULL((void*)0), &hf->ei.hs_ciphersuite_undecoded,
12791 tvb, offset, offset_end - offset,
12792 "Cipher Suite not found");
12793 } else {
12794 proto_tree_add_expert_format(tree, NULL((void*)0), &hf->ei.hs_ciphersuite_undecoded,
12795 tvb, offset, offset_end - offset,
12796 "Cipher Suite 0x%04x is not implemented, "
12797 "contact Wireshark developers if you want this to be supported",
12798 session->cipher);
12799 }
12800 break;
12801 }
12802}
12803/* Client Key Exchange and Server Key Exchange handshake dissections. }}} */
12804
12805void
12806tls13_dissect_hnd_key_update(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12807 proto_tree *tree, uint32_t offset)
12808{
12809 /* RFC 8446 Section 4.6.3
12810 * enum {
12811 * update_not_requested(0), update_requested(1), (255)
12812 * } KeyUpdateRequest;
12813 *
12814 * struct {
12815 * KeyUpdateRequest request_update;
12816 * } KeyUpdate;
12817 */
12818 proto_tree_add_item(tree, hf->hf.hs_key_update_request_update, tvb, offset, 1, ENC_NA0x00000000);
12819}
12820
12821void
12822ssl_common_register_ssl_alpn_dissector_table(const char *name,
12823 const char *ui_name, const int proto)
12824{
12825 ssl_alpn_dissector_table = register_dissector_table(name, ui_name,
12826 proto, FT_STRING, STRING_CASE_SENSITIVE0);
12827 register_dissector_table_alias(ssl_alpn_dissector_table, "ssl.handshake.extensions_alpn_str");
12828}
12829
12830void
12831ssl_common_register_dtls_alpn_dissector_table(const char *name,
12832 const char *ui_name, const int proto)
12833{
12834 dtls_alpn_dissector_table = register_dissector_table(name, ui_name,
12835 proto, FT_STRING, STRING_CASE_SENSITIVE0);
12836 register_dissector_table_alias(ssl_alpn_dissector_table, "dtls.handshake.extensions_alpn_str");
12837}
12838
12839void
12840ssl_common_register_options(module_t *module, ssl_common_options_t *options, bool_Bool is_dtls)
12841{
12842 prefs_register_string_preference(module, "psk", "Pre-Shared Key",
12843 "Pre-Shared Key as HEX string. Should be 0 to 16 bytes.",
12844 &(options->psk));
12845
12846 if (is_dtls) {
12847 prefs_register_obsolete_preference(module, "keylog_file");
12848 prefs_register_static_text_preference(module, "keylog_file_removed",
12849 "The (Pre)-Master-Secret log filename preference can be configured in the TLS protocol preferences.",
12850 "Use the TLS protocol preference to configure the keylog file for both DTLS and TLS.");
12851 return;
12852 }
12853
12854 prefs_register_filename_preference(module, "keylog_file", "(Pre)-Master-Secret log filename",
12855 "The name of a file which contains a list of \n"
12856 "(pre-)master secrets in one of the following formats:\n"
12857 "\n"
12858 "RSA <EPMS> <PMS>\n"
12859 "RSA Session-ID:<SSLID> Master-Key:<MS>\n"
12860 "CLIENT_RANDOM <CRAND> <MS>\n"
12861 "PMS_CLIENT_RANDOM <CRAND> <PMS>\n"
12862 "\n"
12863 "Where:\n"
12864 "<EPMS> = First 8 bytes of the Encrypted PMS\n"
12865 "<PMS> = The Pre-Master-Secret (PMS) used to derive the MS\n"
12866 "<SSLID> = The SSL Session ID\n"
12867 "<MS> = The Master-Secret (MS)\n"
12868 "<CRAND> = The Client's random number from the ClientHello message\n"
12869 "\n"
12870 "(All fields are in hex notation)",
12871 &(options->keylog_filename), false0);
12872}
12873
12874void
12875ssl_calculate_handshake_hash(SslDecryptSession *ssl_session, tvbuff_t *tvb, uint32_t offset, uint32_t length)
12876{
12877 if (ssl_session && ssl_session->session.version != TLSV1DOT3_VERSION0x304 && !(ssl_session->state & SSL_MASTER_SECRET(1<<5))) {
12878 uint32_t old_length = ssl_session->handshake_data.data_len;
12879 ssl_debug_printf("Calculating hash with offset %d %d\n", offset, length);
12880 if (tvb) {
12881 if (tvb_bytes_exist(tvb, offset, length)) {
12882 ssl_session->handshake_data.data = (unsigned char *)wmem_realloc(wmem_file_scope(), ssl_session->handshake_data.data, old_length + length);
12883 tvb_memcpy(tvb, ssl_session->handshake_data.data + old_length, offset, length);
12884 ssl_session->handshake_data.data_len += length;
12885 }
12886 } else {
12887 /* DTLS calculates the hash as if each handshake message had been
12888 * sent as a single fragment (RFC 6347, section 4.2.6) and passes
12889 * in a null tvbuff to add 3 bytes for a zero fragment offset.
12890 */
12891 DISSECTOR_ASSERT_CMPINT(length, <, 4)((void) ((length < 4) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion " "length" " " "<" " " "4" " (" "%"
"l" "d" " " "<" " " "%" "l" "d" ")", "epan/dissectors/packet-tls-utils.c"
, 12891, (int64_t)length, (int64_t)4))));
12892 ssl_session->handshake_data.data = (unsigned char *)wmem_realloc(wmem_file_scope(), ssl_session->handshake_data.data, old_length + length);
12893 memset(ssl_session->handshake_data.data + old_length, 0, length);
12894 ssl_session->handshake_data.data_len += length;
12895 }
12896 }
12897}
12898
12899
12900/*
12901 * Editor modelines - https://www.wireshark.org/tools/modelines.html
12902 *
12903 * Local variables:
12904 * c-basic-offset: 4
12905 * tab-width: 8
12906 * indent-tabs-mode: nil
12907 * End:
12908 *
12909 * vi: set shiftwidth=4 tabstop=8 expandtab:
12910 * :indentSize=4:tabSize=8:noTabs=true:
12911 */