Bug Summary

File:builds/wireshark/wireshark/epan/dissectors/packet-tls-utils.c
Warning:line 4908, column 17
Potential leak of memory pointed to by 'handshake_hashed_data.data'

Annotated Source Code

Press '?' to see keyboard shortcuts

clang -cc1 -cc1 -triple x86_64-pc-linux-gnu -analyze -disable-free -clear-ast-before-backend -disable-llvm-verifier -discard-value-names -main-file-name packet-tls-utils.c -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -mrelocation-model pic -pic-level 2 -fhalf-no-semantic-interposition -fno-delete-null-pointer-checks -mframe-pointer=all -relaxed-aliasing -fmath-errno -ffp-contract=on -fno-rounding-math -ffloat16-excess-precision=fast -fbfloat16-excess-precision=fast -mconstructor-aliases -funwind-tables=2 -target-cpu x86-64 -tune-cpu generic -debugger-tuning=gdb -fdebug-compilation-dir=/builds/wireshark/wireshark/build -fcoverage-compilation-dir=/builds/wireshark/wireshark/build -resource-dir /usr/lib/llvm-21/lib/clang/21 -isystem /usr/include/glib-2.0 -isystem /usr/lib/x86_64-linux-gnu/glib-2.0/include -isystem /builds/wireshark/wireshark/epan/dissectors -isystem /builds/wireshark/wireshark/build/epan/dissectors -isystem /usr/include/mit-krb5 -isystem /usr/include/libxml2 -isystem /builds/wireshark/wireshark/epan -D G_DISABLE_DEPRECATED -D G_DISABLE_SINGLE_INCLUDES -D WS_BUILD_DLL -D WS_DEBUG -D WS_DEBUG_UTF_8 -I /builds/wireshark/wireshark/build -I /builds/wireshark/wireshark -I /builds/wireshark/wireshark/include -D _GLIBCXX_ASSERTIONS -internal-isystem /usr/lib/llvm-21/lib/clang/21/include -internal-isystem /usr/local/include -internal-isystem /usr/lib/gcc/x86_64-linux-gnu/14/../../../../x86_64-linux-gnu/include -internal-externc-isystem /usr/include/x86_64-linux-gnu -internal-externc-isystem /include -internal-externc-isystem /usr/include -fmacro-prefix-map=/builds/wireshark/wireshark/= -fmacro-prefix-map=/builds/wireshark/wireshark/build/= -fmacro-prefix-map=../= -Wno-format-nonliteral -std=gnu11 -ferror-limit 19 -fvisibility=hidden -fwrapv -fwrapv-pointer -fstrict-flex-arrays=3 -stack-protector 2 -fstack-clash-protection -fcf-protection=full -fgnuc-version=4.2.1 -fskip-odr-check-in-gmf -fexceptions -fcolor-diagnostics -analyzer-output=html -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /builds/wireshark/wireshark/sbout/2026-02-11-100348-3624-1 -x c /builds/wireshark/wireshark/epan/dissectors/packet-tls-utils.c
1/* packet-tls-utils.c
2 * ssl manipulation functions
3 * By Paolo Abeni <paolo.abeni@email.com>
4 *
5 * Copyright (c) 2013, Hauke Mehrtens <hauke@hauke-m.de>
6 * Copyright (c) 2014, Peter Wu <peter@lekensteyn.nl>
7 *
8 * Wireshark - Network traffic analyzer
9 * By Gerald Combs <gerald@wireshark.org>
10 * Copyright 1998 Gerald Combs
11 *
12 * SPDX-License-Identifier: GPL-2.0-or-later
13 */
14
15#include "config.h"
16
17#include <stdlib.h>
18#include <errno(*__errno_location ()).h>
19
20#include <epan/packet.h>
21#include <epan/strutil.h>
22#include <epan/addr_resolv.h>
23#include <epan/expert.h>
24#include <epan/asn1.h>
25#include <epan/proto_data.h>
26#include <epan/oids.h>
27#include <epan/secrets.h>
28
29#include <wsutil/inet_cidr.h>
30#include <wsutil/filesystem.h>
31#include <wsutil/file_util.h>
32#include <wsutil/str_util.h>
33#include <wsutil/report_message.h>
34#include <wsutil/pint.h>
35#include <wsutil/strtoi.h>
36#include <wsutil/wsgcrypt.h>
37#include <wsutil/rsa.h>
38#include <wsutil/ws_assert.h>
39#include <wsutil/zlib_compat.h>
40#include "packet-ber.h"
41#include "packet-x509af.h"
42#include "packet-x509if.h"
43#include "packet-tls-utils.h"
44#include "packet-ocsp.h"
45#include "packet-tls.h"
46#include "packet-dtls.h"
47#include "packet-quic.h"
48#if defined(HAVE_LIBGNUTLS1)
49#include <gnutls/abstract.h>
50#include <gnutls/x509.h>
51#include <gnutls/pkcs12.h>
52#endif
53
54/* JA3/JA3S calculations must ignore GREASE values
55 * as described in RFC 8701.
56 */
57#define IS_GREASE_TLS(x)((((x) & 0x0f0f) == 0x0a0a) && (((x) & 0xff) ==
(((x)>>8) & 0xff))) ((((x) & 0x0f0f) == 0x0a0a) && \
58 (((x) & 0xff) == (((x)>>8) & 0xff)))
59
60/* Section 22.3 of RFC 9000 (QUIC) reserves values of this
61 * form for a similar purpose as GREASE.
62 */
63#define IS_GREASE_QUIC(x)((x) > 27 ? ((((x) - 27) % 31) == 0) : 0) ((x) > 27 ? ((((x) - 27) % 31) == 0) : 0)
64
65#define DTLS13_MAX_EPOCH10 10
66
67/* Lookup tables {{{ */
68const value_string ssl_version_short_names[] = {
69 { SSLV2_VERSION0x0002, "SSLv2" },
70 { SSLV3_VERSION0x300, "SSLv3" },
71 { TLSV1_VERSION0x301, "TLSv1" },
72 { TLCPV1_VERSION0x101, "TLCP" },
73 { TLSV1DOT1_VERSION0x302, "TLSv1.1" },
74 { TLSV1DOT2_VERSION0x303, "TLSv1.2" },
75 { TLSV1DOT3_VERSION0x304, "TLSv1.3" },
76 { DTLSV1DOT0_VERSION0xfeff, "DTLSv1.0" },
77 { DTLSV1DOT2_VERSION0xfefd, "DTLSv1.2" },
78 { DTLSV1DOT3_VERSION0xfefc, "DTLSv1.3" },
79 { DTLSV1DOT0_OPENSSL_VERSION0x100, "DTLS 1.0 (OpenSSL pre 0.9.8f)" },
80 { 0x00, NULL((void*)0) }
81};
82
83const value_string ssl_versions[] = {
84 { SSLV2_VERSION0x0002, "SSL 2.0" },
85 { SSLV3_VERSION0x300, "SSL 3.0" },
86 { TLSV1_VERSION0x301, "TLS 1.0" },
87 { TLCPV1_VERSION0x101, "TLCP" },
88 { TLSV1DOT1_VERSION0x302, "TLS 1.1" },
89 { TLSV1DOT2_VERSION0x303, "TLS 1.2" },
90 { TLSV1DOT3_VERSION0x304, "TLS 1.3" },
91 { 0x7F0E, "TLS 1.3 (draft 14)" },
92 { 0x7F0F, "TLS 1.3 (draft 15)" },
93 { 0x7F10, "TLS 1.3 (draft 16)" },
94 { 0x7F11, "TLS 1.3 (draft 17)" },
95 { 0x7F12, "TLS 1.3 (draft 18)" },
96 { 0x7F13, "TLS 1.3 (draft 19)" },
97 { 0x7F14, "TLS 1.3 (draft 20)" },
98 { 0x7F15, "TLS 1.3 (draft 21)" },
99 { 0x7F16, "TLS 1.3 (draft 22)" },
100 { 0x7F17, "TLS 1.3 (draft 23)" },
101 { 0x7F18, "TLS 1.3 (draft 24)" },
102 { 0x7F19, "TLS 1.3 (draft 25)" },
103 { 0x7F1A, "TLS 1.3 (draft 26)" },
104 { 0x7F1B, "TLS 1.3 (draft 27)" },
105 { 0x7F1C, "TLS 1.3 (draft 28)" },
106 { 0xFB17, "TLS 1.3 (Facebook draft 23)" },
107 { 0xFB1A, "TLS 1.3 (Facebook draft 26)" },
108 { DTLSV1DOT0_OPENSSL_VERSION0x100, "DTLS 1.0 (OpenSSL pre 0.9.8f)" },
109 { DTLSV1DOT0_VERSION0xfeff, "DTLS 1.0" },
110 { DTLSV1DOT2_VERSION0xfefd, "DTLS 1.2" },
111 { DTLSV1DOT3_VERSION0xfefc, "DTLS 1.3" },
112 { 0x0A0A, "Reserved (GREASE)" }, /* RFC 8701 */
113 { 0x1A1A, "Reserved (GREASE)" }, /* RFC 8701 */
114 { 0x2A2A, "Reserved (GREASE)" }, /* RFC 8701 */
115 { 0x3A3A, "Reserved (GREASE)" }, /* RFC 8701 */
116 { 0x4A4A, "Reserved (GREASE)" }, /* RFC 8701 */
117 { 0x5A5A, "Reserved (GREASE)" }, /* RFC 8701 */
118 { 0x6A6A, "Reserved (GREASE)" }, /* RFC 8701 */
119 { 0x7A7A, "Reserved (GREASE)" }, /* RFC 8701 */
120 { 0x8A8A, "Reserved (GREASE)" }, /* RFC 8701 */
121 { 0x9A9A, "Reserved (GREASE)" }, /* RFC 8701 */
122 { 0xAAAA, "Reserved (GREASE)" }, /* RFC 8701 */
123 { 0xBABA, "Reserved (GREASE)" }, /* RFC 8701 */
124 { 0xCACA, "Reserved (GREASE)" }, /* RFC 8701 */
125 { 0xDADA, "Reserved (GREASE)" }, /* RFC 8701 */
126 { 0xEAEA, "Reserved (GREASE)" }, /* RFC 8701 */
127 { 0xFAFA, "Reserved (GREASE)" }, /* RFC 8701 */
128 { 0x00, NULL((void*)0) }
129};
130
131static const value_string ssl_version_ja4_names[] = {
132 { 0x0100, "s1" },
133 { SSLV2_VERSION0x0002, "s2" },
134 { SSLV3_VERSION0x300, "s3" },
135 { TLSV1_VERSION0x301, "10" },
136 { TLSV1DOT1_VERSION0x302, "11" },
137 { TLSV1DOT2_VERSION0x303, "12" },
138 { TLSV1DOT3_VERSION0x304, "13" },
139 { DTLSV1DOT0_VERSION0xfeff, "d1" },
140 { DTLSV1DOT2_VERSION0xfefd, "d2" },
141 { DTLSV1DOT3_VERSION0xfefc, "d3" },
142 { 0x00, NULL((void*)0) }
143};
144
145const value_string ssl_20_msg_types[] = {
146 { SSL2_HND_ERROR0x00, "Error" },
147 { SSL2_HND_CLIENT_HELLO0x01, "Client Hello" },
148 { SSL2_HND_CLIENT_MASTER_KEY0x02, "Client Master Key" },
149 { SSL2_HND_CLIENT_FINISHED0x03, "Client Finished" },
150 { SSL2_HND_SERVER_HELLO0x04, "Server Hello" },
151 { SSL2_HND_SERVER_VERIFY0x05, "Server Verify" },
152 { SSL2_HND_SERVER_FINISHED0x06, "Server Finished" },
153 { SSL2_HND_REQUEST_CERTIFICATE0x07, "Request Certificate" },
154 { SSL2_HND_CLIENT_CERTIFICATE0x08, "Client Certificate" },
155 { 0x00, NULL((void*)0) }
156};
157/* http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml */
158/* Note: sorted by ascending value so value_string-ext can do a binary search */
159static const value_string ssl_20_cipher_suites[] = {
160 { 0x000000, "TLS_NULL_WITH_NULL_NULL" },
161 { 0x000001, "TLS_RSA_WITH_NULL_MD5" },
162 { 0x000002, "TLS_RSA_WITH_NULL_SHA" },
163 { 0x000003, "TLS_RSA_EXPORT_WITH_RC4_40_MD5" },
164 { 0x000004, "TLS_RSA_WITH_RC4_128_MD5" },
165 { 0x000005, "TLS_RSA_WITH_RC4_128_SHA" },
166 { 0x000006, "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5" },
167 { 0x000007, "TLS_RSA_WITH_IDEA_CBC_SHA" },
168 { 0x000008, "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA" },
169 { 0x000009, "TLS_RSA_WITH_DES_CBC_SHA" },
170 { 0x00000a, "TLS_RSA_WITH_3DES_EDE_CBC_SHA" },
171 { 0x00000b, "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA" },
172 { 0x00000c, "TLS_DH_DSS_WITH_DES_CBC_SHA" },
173 { 0x00000d, "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA" },
174 { 0x00000e, "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA" },
175 { 0x00000f, "TLS_DH_RSA_WITH_DES_CBC_SHA" },
176 { 0x000010, "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA" },
177 { 0x000011, "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA" },
178 { 0x000012, "TLS_DHE_DSS_WITH_DES_CBC_SHA" },
179 { 0x000013, "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA" },
180 { 0x000014, "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA" },
181 { 0x000015, "TLS_DHE_RSA_WITH_DES_CBC_SHA" },
182 { 0x000016, "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA" },
183 { 0x000017, "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5" },
184 { 0x000018, "TLS_DH_anon_WITH_RC4_128_MD5" },
185 { 0x000019, "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA" },
186 { 0x00001a, "TLS_DH_anon_WITH_DES_CBC_SHA" },
187 { 0x00001b, "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA" },
188 { 0x00001c, "SSL_FORTEZZA_KEA_WITH_NULL_SHA" },
189 { 0x00001d, "SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA" },
190#if 0
191 { 0x00001e, "SSL_FORTEZZA_KEA_WITH_RC4_128_SHA" },
192#endif
193 /* RFC 2712 */
194 { 0x00001E, "TLS_KRB5_WITH_DES_CBC_SHA" },
195 { 0x00001F, "TLS_KRB5_WITH_3DES_EDE_CBC_SHA" },
196 { 0x000020, "TLS_KRB5_WITH_RC4_128_SHA" },
197 { 0x000021, "TLS_KRB5_WITH_IDEA_CBC_SHA" },
198 { 0x000022, "TLS_KRB5_WITH_DES_CBC_MD5" },
199 { 0x000023, "TLS_KRB5_WITH_3DES_EDE_CBC_MD5" },
200 { 0x000024, "TLS_KRB5_WITH_RC4_128_MD5" },
201 { 0x000025, "TLS_KRB5_WITH_IDEA_CBC_MD5" },
202 { 0x000026, "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA" },
203 { 0x000027, "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA" },
204 { 0x000028, "TLS_KRB5_EXPORT_WITH_RC4_40_SHA" },
205 { 0x000029, "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5" },
206 { 0x00002A, "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5" },
207 { 0x00002B, "TLS_KRB5_EXPORT_WITH_RC4_40_MD5" },
208 /* RFC 4785 */
209 { 0x00002C, "TLS_PSK_WITH_NULL_SHA" },
210 { 0x00002D, "TLS_DHE_PSK_WITH_NULL_SHA" },
211 { 0x00002E, "TLS_RSA_PSK_WITH_NULL_SHA" },
212 /* RFC 5246 */
213 { 0x00002f, "TLS_RSA_WITH_AES_128_CBC_SHA" },
214 { 0x000030, "TLS_DH_DSS_WITH_AES_128_CBC_SHA" },
215 { 0x000031, "TLS_DH_RSA_WITH_AES_128_CBC_SHA" },
216 { 0x000032, "TLS_DHE_DSS_WITH_AES_128_CBC_SHA" },
217 { 0x000033, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA" },
218 { 0x000034, "TLS_DH_anon_WITH_AES_128_CBC_SHA" },
219 { 0x000035, "TLS_RSA_WITH_AES_256_CBC_SHA" },
220 { 0x000036, "TLS_DH_DSS_WITH_AES_256_CBC_SHA" },
221 { 0x000037, "TLS_DH_RSA_WITH_AES_256_CBC_SHA" },
222 { 0x000038, "TLS_DHE_DSS_WITH_AES_256_CBC_SHA" },
223 { 0x000039, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA" },
224 { 0x00003A, "TLS_DH_anon_WITH_AES_256_CBC_SHA" },
225 { 0x00003B, "TLS_RSA_WITH_NULL_SHA256" },
226 { 0x00003C, "TLS_RSA_WITH_AES_128_CBC_SHA256" },
227 { 0x00003D, "TLS_RSA_WITH_AES_256_CBC_SHA256" },
228 { 0x00003E, "TLS_DH_DSS_WITH_AES_128_CBC_SHA256" },
229 { 0x00003F, "TLS_DH_RSA_WITH_AES_128_CBC_SHA256" },
230 { 0x000040, "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256" },
231 { 0x000041, "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA" },
232 { 0x000042, "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA" },
233 { 0x000043, "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA" },
234 { 0x000044, "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA" },
235 { 0x000045, "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA" },
236 { 0x000046, "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA" },
237 { 0x000047, "TLS_ECDH_ECDSA_WITH_NULL_SHA" },
238 { 0x000048, "TLS_ECDH_ECDSA_WITH_RC4_128_SHA" },
239 { 0x000049, "TLS_ECDH_ECDSA_WITH_DES_CBC_SHA" },
240 { 0x00004A, "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA" },
241 { 0x00004B, "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA" },
242 { 0x00004C, "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" },
243 { 0x000060, "TLS_RSA_EXPORT1024_WITH_RC4_56_MD5" },
244 { 0x000061, "TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5" },
245 { 0x000062, "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA" },
246 { 0x000063, "TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA" },
247 { 0x000064, "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA" },
248 { 0x000065, "TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA" },
249 { 0x000066, "TLS_DHE_DSS_WITH_RC4_128_SHA" },
250 { 0x000067, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256" },
251 { 0x000068, "TLS_DH_DSS_WITH_AES_256_CBC_SHA256" },
252 { 0x000069, "TLS_DH_RSA_WITH_AES_256_CBC_SHA256" },
253 { 0x00006A, "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256" },
254 { 0x00006B, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256" },
255 { 0x00006C, "TLS_DH_anon_WITH_AES_128_CBC_SHA256" },
256 { 0x00006D, "TLS_DH_anon_WITH_AES_256_CBC_SHA256" },
257 /* 0x00,0x6E-83 Unassigned */
258 { 0x000084, "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA" },
259 { 0x000085, "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA" },
260 { 0x000086, "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA" },
261 { 0x000087, "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA" },
262 { 0x000088, "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA" },
263 { 0x000089, "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA" },
264 /* RFC 4279 */
265 { 0x00008A, "TLS_PSK_WITH_RC4_128_SHA" },
266 { 0x00008B, "TLS_PSK_WITH_3DES_EDE_CBC_SHA" },
267 { 0x00008C, "TLS_PSK_WITH_AES_128_CBC_SHA" },
268 { 0x00008D, "TLS_PSK_WITH_AES_256_CBC_SHA" },
269 { 0x00008E, "TLS_DHE_PSK_WITH_RC4_128_SHA" },
270 { 0x00008F, "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA" },
271 { 0x000090, "TLS_DHE_PSK_WITH_AES_128_CBC_SHA" },
272 { 0x000091, "TLS_DHE_PSK_WITH_AES_256_CBC_SHA" },
273 { 0x000092, "TLS_RSA_PSK_WITH_RC4_128_SHA" },
274 { 0x000093, "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA" },
275 { 0x000094, "TLS_RSA_PSK_WITH_AES_128_CBC_SHA" },
276 { 0x000095, "TLS_RSA_PSK_WITH_AES_256_CBC_SHA" },
277 /* RFC 4162 */
278 { 0x000096, "TLS_RSA_WITH_SEED_CBC_SHA" },
279 { 0x000097, "TLS_DH_DSS_WITH_SEED_CBC_SHA" },
280 { 0x000098, "TLS_DH_RSA_WITH_SEED_CBC_SHA" },
281 { 0x000099, "TLS_DHE_DSS_WITH_SEED_CBC_SHA" },
282 { 0x00009A, "TLS_DHE_RSA_WITH_SEED_CBC_SHA" },
283 { 0x00009B, "TLS_DH_anon_WITH_SEED_CBC_SHA" },
284 /* RFC 5288 */
285 { 0x00009C, "TLS_RSA_WITH_AES_128_GCM_SHA256" },
286 { 0x00009D, "TLS_RSA_WITH_AES_256_GCM_SHA384" },
287 { 0x00009E, "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256" },
288 { 0x00009F, "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384" },
289 { 0x0000A0, "TLS_DH_RSA_WITH_AES_128_GCM_SHA256" },
290 { 0x0000A1, "TLS_DH_RSA_WITH_AES_256_GCM_SHA384" },
291 { 0x0000A2, "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256" },
292 { 0x0000A3, "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384" },
293 { 0x0000A4, "TLS_DH_DSS_WITH_AES_128_GCM_SHA256" },
294 { 0x0000A5, "TLS_DH_DSS_WITH_AES_256_GCM_SHA384" },
295 { 0x0000A6, "TLS_DH_anon_WITH_AES_128_GCM_SHA256" },
296 { 0x0000A7, "TLS_DH_anon_WITH_AES_256_GCM_SHA384" },
297 /* RFC 5487 */
298 { 0x0000A8, "TLS_PSK_WITH_AES_128_GCM_SHA256" },
299 { 0x0000A9, "TLS_PSK_WITH_AES_256_GCM_SHA384" },
300 { 0x0000AA, "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256" },
301 { 0x0000AB, "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384" },
302 { 0x0000AC, "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256" },
303 { 0x0000AD, "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384" },
304 { 0x0000AE, "TLS_PSK_WITH_AES_128_CBC_SHA256" },
305 { 0x0000AF, "TLS_PSK_WITH_AES_256_CBC_SHA384" },
306 { 0x0000B0, "TLS_PSK_WITH_NULL_SHA256" },
307 { 0x0000B1, "TLS_PSK_WITH_NULL_SHA384" },
308 { 0x0000B2, "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256" },
309 { 0x0000B3, "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384" },
310 { 0x0000B4, "TLS_DHE_PSK_WITH_NULL_SHA256" },
311 { 0x0000B5, "TLS_DHE_PSK_WITH_NULL_SHA384" },
312 { 0x0000B6, "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256" },
313 { 0x0000B7, "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384" },
314 { 0x0000B8, "TLS_RSA_PSK_WITH_NULL_SHA256" },
315 { 0x0000B9, "TLS_RSA_PSK_WITH_NULL_SHA384" },
316 /* From RFC 5932 */
317 { 0x0000BA, "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
318 { 0x0000BB, "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256" },
319 { 0x0000BC, "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
320 { 0x0000BD, "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256" },
321 { 0x0000BE, "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
322 { 0x0000BF, "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256" },
323 { 0x0000C0, "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
324 { 0x0000C1, "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256" },
325 { 0x0000C2, "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
326 { 0x0000C3, "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256" },
327 { 0x0000C4, "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
328 { 0x0000C5, "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256" },
329 /* 0x00,0xC6-FE Unassigned */
330 { 0x0000FF, "TLS_EMPTY_RENEGOTIATION_INFO_SCSV" },
331 /* 0x01-BF,* Unassigned */
332 /* From RFC 4492 */
333 { 0x00c001, "TLS_ECDH_ECDSA_WITH_NULL_SHA" },
334 { 0x00c002, "TLS_ECDH_ECDSA_WITH_RC4_128_SHA" },
335 { 0x00c003, "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA" },
336 { 0x00c004, "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA" },
337 { 0x00c005, "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" },
338 { 0x00c006, "TLS_ECDHE_ECDSA_WITH_NULL_SHA" },
339 { 0x00c007, "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA" },
340 { 0x00c008, "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA" },
341 { 0x00c009, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA" },
342 { 0x00c00a, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" },
343 { 0x00c00b, "TLS_ECDH_RSA_WITH_NULL_SHA" },
344 { 0x00c00c, "TLS_ECDH_RSA_WITH_RC4_128_SHA" },
345 { 0x00c00d, "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA" },
346 { 0x00c00e, "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA" },
347 { 0x00c00f, "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA" },
348 { 0x00c010, "TLS_ECDHE_RSA_WITH_NULL_SHA" },
349 { 0x00c011, "TLS_ECDHE_RSA_WITH_RC4_128_SHA" },
350 { 0x00c012, "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA" },
351 { 0x00c013, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA" },
352 { 0x00c014, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA" },
353 { 0x00c015, "TLS_ECDH_anon_WITH_NULL_SHA" },
354 { 0x00c016, "TLS_ECDH_anon_WITH_RC4_128_SHA" },
355 { 0x00c017, "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA" },
356 { 0x00c018, "TLS_ECDH_anon_WITH_AES_128_CBC_SHA" },
357 { 0x00c019, "TLS_ECDH_anon_WITH_AES_256_CBC_SHA" },
358 /* RFC 5054 */
359 { 0x00C01A, "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA" },
360 { 0x00C01B, "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA" },
361 { 0x00C01C, "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA" },
362 { 0x00C01D, "TLS_SRP_SHA_WITH_AES_128_CBC_SHA" },
363 { 0x00C01E, "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA" },
364 { 0x00C01F, "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA" },
365 { 0x00C020, "TLS_SRP_SHA_WITH_AES_256_CBC_SHA" },
366 { 0x00C021, "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA" },
367 { 0x00C022, "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA" },
368 /* RFC 5589 */
369 { 0x00C023, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256" },
370 { 0x00C024, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384" },
371 { 0x00C025, "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256" },
372 { 0x00C026, "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384" },
373 { 0x00C027, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" },
374 { 0x00C028, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" },
375 { 0x00C029, "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256" },
376 { 0x00C02A, "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384" },
377 { 0x00C02B, "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" },
378 { 0x00C02C, "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" },
379 { 0x00C02D, "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256" },
380 { 0x00C02E, "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384" },
381 { 0x00C02F, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" },
382 { 0x00C030, "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" },
383 { 0x00C031, "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" },
384 { 0x00C032, "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384" },
385 /* RFC 5489 */
386 { 0x00C033, "TLS_ECDHE_PSK_WITH_RC4_128_SHA" },
387 { 0x00C034, "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA" },
388 { 0x00C035, "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA" },
389 { 0x00C036, "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA" },
390 { 0x00C037, "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256" },
391 { 0x00C038, "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384" },
392 { 0x00C039, "TLS_ECDHE_PSK_WITH_NULL_SHA" },
393 { 0x00C03A, "TLS_ECDHE_PSK_WITH_NULL_SHA256" },
394 { 0x00C03B, "TLS_ECDHE_PSK_WITH_NULL_SHA384" },
395 /* 0xC0,0x3C-FF Unassigned
396 0xC1-FD,* Unassigned
397 0xFE,0x00-FD Unassigned
398 0xFE,0xFE-FF Reserved to avoid conflicts with widely deployed implementations [Pasi_Eronen]
399 0xFF,0x00-FF Reserved for Private Use [RFC5246]
400 */
401
402 /* old numbers used in the beginning
403 * https://tools.ietf.org/html/draft-agl-tls-chacha20poly1305 */
404 { 0x00CC13, "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
405 { 0x00CC14, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" },
406 { 0x00CC15, "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
407
408 /* https://tools.ietf.org/html/rfc7905 */
409 { 0x00CCA8, "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
410 { 0x00CCA9, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" },
411 { 0x00CCAA, "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
412 { 0x00CCAB, "TLS_PSK_WITH_CHACHA20_POLY1305_SHA256" },
413 { 0x00CCAC, "TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256" },
414 { 0x00CCAD, "TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256" },
415 { 0x00CCAE, "TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256" },
416
417 /* GM/T 0024-2014 */
418 { 0x00e001, "ECDHE_SM1_SM3"},
419 { 0x00e003, "ECC_SM1_SM3"},
420 { 0x00e005, "IBSDH_SM1_SM3"},
421 { 0x00e007, "IBC_SM1_SM3"},
422 { 0x00e009, "RSA_SM1_SM3"},
423 { 0x00e00a, "RSA_SM1_SHA1"},
424 { 0x00e011, "ECDHE_SM4_CBC_SM3"},
425 { 0x00e013, "ECC_SM4_CBC_SM3"},
426 { 0x00e015, "IBSDH_SM4_CBC_SM3"},
427 { 0x00e017, "IBC_SM4_CBC_SM3"},
428 { 0x00e019, "RSA_SM4_CBC_SM3"},
429 { 0x00e01a, "RSA_SM4_CBC_SHA1"},
430 { 0x00e01c, "RSA_SM4_CBC_SHA256"},
431 { 0x00e051, "ECDHE_SM4_GCM_SM3"},
432 { 0x00e053, "ECC_SM4_GCM_SM3"},
433 { 0x00e055, "IBSDH_SM4_GCM_SM3"},
434 { 0x00e057, "IBC_SM4_GCM_SM3"},
435 { 0x00e059, "RSA_SM4_GCM_SM3"},
436 { 0x00e05a, "RSA_SM4_GCM_SHA256"},
437
438 /* https://tools.ietf.org/html/draft-josefsson-salsa20-tls */
439 { 0x00E410, "TLS_RSA_WITH_ESTREAM_SALSA20_SHA1" },
440 { 0x00E411, "TLS_RSA_WITH_SALSA20_SHA1" },
441 { 0x00E412, "TLS_ECDHE_RSA_WITH_ESTREAM_SALSA20_SHA1" },
442 { 0x00E413, "TLS_ECDHE_RSA_WITH_SALSA20_SHA1" },
443 { 0x00E414, "TLS_ECDHE_ECDSA_WITH_ESTREAM_SALSA20_SHA1" },
444 { 0x00E415, "TLS_ECDHE_ECDSA_WITH_SALSA20_SHA1" },
445 { 0x00E416, "TLS_PSK_WITH_ESTREAM_SALSA20_SHA1" },
446 { 0x00E417, "TLS_PSK_WITH_SALSA20_SHA1" },
447 { 0x00E418, "TLS_ECDHE_PSK_WITH_ESTREAM_SALSA20_SHA1" },
448 { 0x00E419, "TLS_ECDHE_PSK_WITH_SALSA20_SHA1" },
449 { 0x00E41A, "TLS_RSA_PSK_WITH_ESTREAM_SALSA20_SHA1" },
450 { 0x00E41B, "TLS_RSA_PSK_WITH_SALSA20_SHA1" },
451 { 0x00E41C, "TLS_DHE_PSK_WITH_ESTREAM_SALSA20_SHA1" },
452 { 0x00E41D, "TLS_DHE_PSK_WITH_SALSA20_SHA1" },
453 { 0x00E41E, "TLS_DHE_RSA_WITH_ESTREAM_SALSA20_SHA1" },
454 { 0x00E41F, "TLS_DHE_RSA_WITH_SALSA20_SHA1" },
455
456 /* these from http://www.mozilla.org/projects/
457 security/pki/nss/ssl/fips-ssl-ciphersuites.html */
458 { 0x00fefe, "SSL_RSA_FIPS_WITH_DES_CBC_SHA"},
459 { 0x00feff, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA" },
460 { 0x00ffe0, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA" },
461 { 0x00ffe1, "SSL_RSA_FIPS_WITH_DES_CBC_SHA"},
462 /* note that ciphersuites of {0x00????} are TLS cipher suites in
463 * a sslv2 client hello message; the ???? above is the two-byte
464 * tls cipher suite id
465 */
466
467 { 0x010080, "SSL2_RC4_128_WITH_MD5" },
468 { 0x020080, "SSL2_RC4_128_EXPORT40_WITH_MD5" },
469 { 0x030080, "SSL2_RC2_128_CBC_WITH_MD5" },
470 { 0x040080, "SSL2_RC2_128_CBC_EXPORT40_WITH_MD5" },
471 { 0x050080, "SSL2_IDEA_128_CBC_WITH_MD5" },
472 { 0x060040, "SSL2_DES_64_CBC_WITH_MD5" },
473 { 0x0700c0, "SSL2_DES_192_EDE3_CBC_WITH_MD5" },
474 { 0x080080, "SSL2_RC4_64_WITH_MD5" },
475
476 { 0x00, NULL((void*)0) }
477};
478
479value_string_ext ssl_20_cipher_suites_ext = VALUE_STRING_EXT_INIT(ssl_20_cipher_suites){ _try_val_to_str_ext_init, 0, (sizeof (ssl_20_cipher_suites)
/ sizeof ((ssl_20_cipher_suites)[0]))-1, ssl_20_cipher_suites
, "ssl_20_cipher_suites", ((void*)0) };
480
481
482/*
483 * Supported Groups (formerly named "EC Named Curve").
484 * https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8
485 */
486const value_string ssl_extension_curves[] = {
487 { 1, "sect163k1" },
488 { 2, "sect163r1" },
489 { 3, "sect163r2" },
490 { 4, "sect193r1" },
491 { 5, "sect193r2" },
492 { 6, "sect233k1" },
493 { 7, "sect233r1" },
494 { 8, "sect239k1" },
495 { 9, "sect283k1" },
496 { 10, "sect283r1" },
497 { 11, "sect409k1" },
498 { 12, "sect409r1" },
499 { 13, "sect571k1" },
500 { 14, "sect571r1" },
501 { 15, "secp160k1" },
502 { 16, "secp160r1" },
503 { 17, "secp160r2" },
504 { 18, "secp192k1" },
505 { 19, "secp192r1" },
506 { 20, "secp224k1" },
507 { 21, "secp224r1" },
508 { 22, "secp256k1" },
509 { 23, "secp256r1" },
510 { 24, "secp384r1" },
511 { 25, "secp521r1" },
512 { 26, "brainpoolP256r1" }, /* RFC 7027 */
513 { 27, "brainpoolP384r1" }, /* RFC 7027 */
514 { 28, "brainpoolP512r1" }, /* RFC 7027 */
515 { 29, "x25519" }, /* RFC 8446 / RFC 8422 */
516 { 30, "x448" }, /* RFC 8446 / RFC 8422 */
517 { 31, "brainpoolP256r1tls13" }, /* RFC8734 */
518 { 32, "brainpoolP384r1tls13" }, /* RFC8734 */
519 { 33, "brainpoolP512r1tls13" }, /* RFC8734 */
520 { 34, "GC256A" }, /* RFC9189 */
521 { 35, "GC256B" }, /* RFC9189 */
522 { 36, "GC256C" }, /* RFC9189 */
523 { 37, "GC256D" }, /* RFC9189 */
524 { 38, "GC512A" }, /* RFC9189 */
525 { 39, "GC512B" }, /* RFC9189 */
526 { 40, "GC512C" }, /* RFC9189 */
527 { 41, "curveSM2" }, /* RFC 8998 */
528 { 256, "ffdhe2048" }, /* RFC 7919 */
529 { 257, "ffdhe3072" }, /* RFC 7919 */
530 { 258, "ffdhe4096" }, /* RFC 7919 */
531 { 259, "ffdhe6144" }, /* RFC 7919 */
532 { 260, "ffdhe8192" }, /* RFC 7919 */
533 { 512, "MLKEM512"}, /* draft-connolly-tls-mlkem-key-agreement-03 */
534 { 513, "MLKEM768"}, /* draft-connolly-tls-mlkem-key-agreement-03 */
535 { 514, "MLKEM1024"}, /* draft-connolly-tls-mlkem-key-agreement-03 */
536 { 2570, "Reserved (GREASE)" }, /* RFC 8701 */
537 { 4587, "SecP256r1MLKEM768" }, /* draft-kwiatkowski-tls-ecdhe-mlkem-02 */
538 { 4588, "X25519MLKEM768" }, /* draft-kwiatkowski-tls-ecdhe-mlkem-03 */
539 { 4589, "SecP384r1MLKEM1024" }, /* draft-kwiatkowski-tls-ecdhe-mlkem-03 */
540 { 6682, "Reserved (GREASE)" }, /* RFC 8701 */
541 { 10794, "Reserved (GREASE)" }, /* RFC 8701 */
542 { 14906, "Reserved (GREASE)" }, /* RFC 8701 */
543 { 19018, "Reserved (GREASE)" }, /* RFC 8701 */
544 { 23130, "Reserved (GREASE)" }, /* RFC 8701 */
545 { 25497, "X25519Kyber768Draft00 (OBSOLETE)" }, /* draft-tls-westerbaan-xyber768d00-02 */
546 { 25498, "SecP256r1Kyber768Draft00 (OBSOLETE)" }, /* draft-kwiatkowski-tls-ecdhe-kyber-01 */
547 { 27242, "Reserved (GREASE)" }, /* RFC 8701 */
548 { 31354, "Reserved (GREASE)" }, /* RFC 8701 */
549 { 35466, "Reserved (GREASE)" }, /* RFC 8701 */
550 { 39578, "Reserved (GREASE)" }, /* RFC 8701 */
551 { 43690, "Reserved (GREASE)" }, /* RFC 8701 */
552 { 47802, "Reserved (GREASE)" }, /* RFC 8701 */
553 { 51914, "Reserved (GREASE)" }, /* RFC 8701 */
554 { 56026, "Reserved (GREASE)" }, /* RFC 8701 */
555 { 60138, "Reserved (GREASE)" }, /* RFC 8701 */
556 { 64250, "Reserved (GREASE)" }, /* RFC 8701 */
557 { 0xFF01, "arbitrary_explicit_prime_curves" },
558 { 0xFF02, "arbitrary_explicit_char2_curves" },
559 /* Below are various unofficial values that have been used for testing. */
560 /* PQC key exchange algorithms from OQS-OpenSSL,
561 see https://github.com/open-quantum-safe/oqs-provider/blob/main/oqs-template/oqs-kem-info.md
562 These use IANA unassigned values and this list may be incomplete.
563 */
564 { 0x2F00, "p256_frodo640aes" },
565 { 0x2F01, "p256_frodo640shake" },
566 { 0x2F02, "p384_frodo976aes" },
567 { 0x0203, "frodo976shake" },
568 { 0x2F03, "p384_frodo976shake" },
569 { 0x0204, "frodo1344aes" },
570 { 0x2F04, "p521_frodo1344aes" },
571 { 0x0205, "frodo1344shake" },
572 { 0x2F05, "p521_frodo1344shake" },
573 { 0x023A, "kyber512" },
574 { 0x2F3A, "p256_kyber512" },
575 { 0x023C, "kyber768" },
576 { 0x2F3C, "p384_kyber768" },
577 { 0x023D, "kyber1024" },
578 { 0x2F3D, "p521_kyber1024" },
579 { 0x0214, "ntru_hps2048509" },
580 { 0x2F14, "p256_ntru_hps2048509" },
581 { 0x0215, "ntru_hps2048677" },
582 { 0x2F15, "p384_ntru_hps2048677" },
583 { 0x0216, "ntru_hps4096821" },
584 { 0x2F16, "p521_ntru_hps4096821" },
585 { 0x0245, "ntru_hps40961229" },
586 { 0x2F45, "p521_ntru_hps40961229" },
587 { 0x0217, "ntru_hrss701" },
588 { 0x2F17, "p384_ntru_hrss701" },
589 { 0x0246, "ntru_hrss1373" },
590 { 0x2F46, "p521_ntru_hrss1373" },
591 { 0x0218, "lightsaber" },
592 { 0x2F18, "p256_lightsaber" },
593 { 0x0219, "saber" },
594 { 0x2F19, "p384_saber" },
595 { 0x021A, "firesaber" },
596 { 0x2F1A, "p521_firesaber" },
597 { 0x021B, "sidhp434" },
598 { 0x2F1B, "p256_sidhp434" },
599 { 0x021C, "sidhp503" },
600 { 0x2F1C, "p256_sidhp503" },
601 { 0x021D, "sidhp610" },
602 { 0x2F1D, "p384_sidhp610" },
603 { 0x021E, "sidhp751" },
604 { 0x2F1E, "p521_sidhp751" },
605 { 0x021F, "sikep434" },
606 { 0x2F1F, "p256_sikep434" },
607 { 0x0220, "sikep503" },
608 { 0x2F20, "p256_sikep503" },
609 { 0x0221, "sikep610" },
610 { 0x2F21, "p384_sikep610" },
611 { 0x0222, "sikep751" },
612 { 0x2F22, "p521_sikep751" },
613 { 0x0238, "bikel1" },
614 { 0x2F38, "p256_bikel1" },
615 { 0x023B, "bikel3" },
616 { 0x2F3B, "p384_bikel3" },
617 { 0x023E, "kyber90s512" },
618 { 0x2F3E, "p256_kyber90s512" },
619 { 0x023F, "kyber90s768" },
620 { 0x2F3F, "p384_kyber90s768" },
621 { 0x0240, "kyber90s1024" },
622 { 0x2F40, "p521_kyber90s1024" },
623 { 0x022C, "hqc128" },
624 { 0x2F2C, "p256_hqc128" },
625 { 0x022D, "hqc192" },
626 { 0x2F2D, "p384_hqc192" },
627 { 0x022E, "hqc256" },
628 { 0x2F2E, "p521_hqc256" },
629 { 0x022F, "ntrulpr653" },
630 { 0x2F2F, "p256_ntrulpr653" },
631 { 0x0230, "ntrulpr761" },
632 { 0x2F43, "p256_ntrulpr761" },
633 { 0x0231, "ntrulpr857" },
634 { 0x2F31, "p384_ntrulpr857" },
635 { 0x0241, "ntrulpr1277" },
636 { 0x2F41, "p521_ntrulpr1277" },
637 { 0x0232, "sntrup653" },
638 { 0x2F32, "p256_sntrup653" },
639 { 0x0233, "sntrup761" },
640 { 0x2F44, "p256_sntrup761" },
641 { 0x0234, "sntrup857" },
642 { 0x2F34, "p384_sntrup857" },
643 { 0x0242, "sntrup1277" },
644 { 0x2F42, "p521_sntrup1277" },
645 /* Other PQ key exchange algorithms, using Reserved for Private Use values
646 https://blog.cloudflare.com/post-quantum-for-all
647 https://www.ietf.org/archive/id/draft-tls-westerbaan-xyber768d00-02.txt */
648 { 0xFE30, "X25519Kyber512Draft00 (OBSOLETE)" },
649 { 0xFE31, "X25519Kyber768Draft00 (OBSOLETE)" },
650 { 0x00, NULL((void*)0) }
651};
652
653const value_string ssl_curve_types[] = {
654 { 1, "explicit_prime" },
655 { 2, "explicit_char2" },
656 { 3, "named_curve" },
657 { 0x00, NULL((void*)0) }
658};
659
660const value_string ssl_extension_ec_point_formats[] = {
661 { 0, "uncompressed" },
662 { 1, "ansiX962_compressed_prime" },
663 { 2, "ansiX962_compressed_char2" },
664 { 0x00, NULL((void*)0) }
665};
666
667const value_string ssl_20_certificate_type[] = {
668 { 0x00, "N/A" },
669 { 0x01, "X.509 Certificate" },
670 { 0x00, NULL((void*)0) }
671};
672
673const value_string ssl_31_content_type[] = {
674 { 20, "Change Cipher Spec" },
675 { 21, "Alert" },
676 { 22, "Handshake" },
677 { 23, "Application Data" },
678 { 24, "Heartbeat" },
679 { 25, "Connection ID" },
680 { 0x00, NULL((void*)0) }
681};
682
683#if 0
684/* XXX - would be used if we dissected the body of a Change Cipher Spec
685 message. */
686const value_string ssl_31_change_cipher_spec[] = {
687 { 1, "Change Cipher Spec" },
688 { 0x00, NULL((void*)0) }
689};
690#endif
691
692const value_string ssl_31_alert_level[] = {
693 { 1, "Warning" },
694 { 2, "Fatal" },
695 { 0x00, NULL((void*)0) }
696};
697
698const value_string ssl_31_alert_description[] = {
699 { 0, "Close Notify" },
700 { 1, "End of Early Data" },
701 { 10, "Unexpected Message" },
702 { 20, "Bad Record MAC" },
703 { 21, "Decryption Failed" },
704 { 22, "Record Overflow" },
705 { 30, "Decompression Failure" },
706 { 40, "Handshake Failure" },
707 { 41, "No Certificate" },
708 { 42, "Bad Certificate" },
709 { 43, "Unsupported Certificate" },
710 { 44, "Certificate Revoked" },
711 { 45, "Certificate Expired" },
712 { 46, "Certificate Unknown" },
713 { 47, "Illegal Parameter" },
714 { 48, "Unknown CA" },
715 { 49, "Access Denied" },
716 { 50, "Decode Error" },
717 { 51, "Decrypt Error" },
718 { 60, "Export Restriction" },
719 { 70, "Protocol Version" },
720 { 71, "Insufficient Security" },
721 { 80, "Internal Error" },
722 { 86, "Inappropriate Fallback" },
723 { 90, "User Canceled" },
724 { 100, "No Renegotiation" },
725 { 109, "Missing Extension" },
726 { 110, "Unsupported Extension" },
727 { 111, "Certificate Unobtainable" },
728 { 112, "Unrecognized Name" },
729 { 113, "Bad Certificate Status Response" },
730 { 114, "Bad Certificate Hash Value" },
731 { 115, "Unknown PSK Identity" },
732 { 116, "Certificate Required" },
733 { 120, "No application Protocol" },
734 { 121, "ECH Required" },
735 { 0x00, NULL((void*)0) }
736};
737
738const value_string ssl_31_handshake_type[] = {
739 { SSL_HND_HELLO_REQUEST, "Hello Request" },
740 { SSL_HND_CLIENT_HELLO, "Client Hello" },
741 { SSL_HND_SERVER_HELLO, "Server Hello" },
742 { SSL_HND_HELLO_VERIFY_REQUEST, "Hello Verify Request"},
743 { SSL_HND_NEWSESSION_TICKET, "New Session Ticket" },
744 { SSL_HND_END_OF_EARLY_DATA, "End of Early Data" },
745 { SSL_HND_HELLO_RETRY_REQUEST, "Hello Retry Request" },
746 { SSL_HND_ENCRYPTED_EXTENSIONS, "Encrypted Extensions" },
747 { SSL_HND_CERTIFICATE, "Certificate" },
748 { SSL_HND_SERVER_KEY_EXCHG, "Server Key Exchange" },
749 { SSL_HND_CERT_REQUEST, "Certificate Request" },
750 { SSL_HND_SVR_HELLO_DONE, "Server Hello Done" },
751 { SSL_HND_CERT_VERIFY, "Certificate Verify" },
752 { SSL_HND_CLIENT_KEY_EXCHG, "Client Key Exchange" },
753 { SSL_HND_FINISHED, "Finished" },
754 { SSL_HND_CERT_URL, "Client Certificate URL" },
755 { SSL_HND_CERT_STATUS, "Certificate Status" },
756 { SSL_HND_SUPPLEMENTAL_DATA, "Supplemental Data" },
757 { SSL_HND_KEY_UPDATE, "Key Update" },
758 { SSL_HND_COMPRESSED_CERTIFICATE, "Compressed Certificate" },
759 { SSL_HND_ENCRYPTED_EXTS, "Encrypted Extensions" },
760 { 0x00, NULL((void*)0) }
761};
762
763const value_string tls_heartbeat_type[] = {
764 { 1, "Request" },
765 { 2, "Response" },
766 { 0x00, NULL((void*)0) }
767};
768
769const value_string tls_heartbeat_mode[] = {
770 { 1, "Peer allowed to send requests" },
771 { 2, "Peer not allowed to send requests" },
772 { 0x00, NULL((void*)0) }
773};
774
775const value_string ssl_31_compression_method[] = {
776 { 0, "null" },
777 { 1, "DEFLATE" },
778 { 64, "LZS" },
779 { 0x00, NULL((void*)0) }
780};
781
782#if 0
783/* XXX - would be used if we dissected a Signature, as would be
784 seen in a server key exchange or certificate verify message. */
785const value_string ssl_31_key_exchange_algorithm[] = {
786 { 0, "RSA" },
787 { 1, "Diffie Hellman" },
788 { 0x00, NULL((void*)0) }
789};
790
791const value_string ssl_31_signature_algorithm[] = {
792 { 0, "Anonymous" },
793 { 1, "RSA" },
794 { 2, "DSA" },
795 { 0x00, NULL((void*)0) }
796};
797#endif
798
799const value_string ssl_31_client_certificate_type[] = {
800 { 1, "RSA Sign" },
801 { 2, "DSS Sign" },
802 { 3, "RSA Fixed DH" },
803 { 4, "DSS Fixed DH" },
804 /* GOST certificate types */
805 /* Section 3.5 of draft-chudov-cryptopro-cptls-04 */
806 { 21, "GOST R 34.10-94" },
807 { 22, "GOST R 34.10-2001" },
808 /* END GOST certificate types */
809 { 64, "ECDSA Sign" },
810 { 65, "RSA Fixed ECDH" },
811 { 66, "ECDSA Fixed ECDH" },
812 { 80, "IBC Params" },
813 { 0x00, NULL((void*)0) }
814};
815
816#if 0
817/* XXX - would be used if we dissected exchange keys, as would be
818 seen in a client key exchange message. */
819const value_string ssl_31_public_value_encoding[] = {
820 { 0, "Implicit" },
821 { 1, "Explicit" },
822 { 0x00, NULL((void*)0) }
823};
824#endif
825
826/* http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml */
827/* Note: sorted by ascending value so value_string_ext fcns can do a binary search */
828static const value_string ssl_31_ciphersuite[] = {
829 /* RFC 2246, RFC 4346, RFC 5246 */
830 { 0x0000, "TLS_NULL_WITH_NULL_NULL" },
831 { 0x0001, "TLS_RSA_WITH_NULL_MD5" },
832 { 0x0002, "TLS_RSA_WITH_NULL_SHA" },
833 { 0x0003, "TLS_RSA_EXPORT_WITH_RC4_40_MD5" },
834 { 0x0004, "TLS_RSA_WITH_RC4_128_MD5" },
835 { 0x0005, "TLS_RSA_WITH_RC4_128_SHA" },
836 { 0x0006, "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5" },
837 { 0x0007, "TLS_RSA_WITH_IDEA_CBC_SHA" },
838 { 0x0008, "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA" },
839 { 0x0009, "TLS_RSA_WITH_DES_CBC_SHA" },
840 { 0x000a, "TLS_RSA_WITH_3DES_EDE_CBC_SHA" },
841 { 0x000b, "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA" },
842 { 0x000c, "TLS_DH_DSS_WITH_DES_CBC_SHA" },
843 { 0x000d, "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA" },
844 { 0x000e, "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA" },
845 { 0x000f, "TLS_DH_RSA_WITH_DES_CBC_SHA" },
846 { 0x0010, "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA" },
847 { 0x0011, "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA" },
848 { 0x0012, "TLS_DHE_DSS_WITH_DES_CBC_SHA" },
849 { 0x0013, "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA" },
850 { 0x0014, "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA" },
851 { 0x0015, "TLS_DHE_RSA_WITH_DES_CBC_SHA" },
852 { 0x0016, "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA" },
853 { 0x0017, "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5" },
854 { 0x0018, "TLS_DH_anon_WITH_RC4_128_MD5" },
855 { 0x0019, "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA" },
856 { 0x001a, "TLS_DH_anon_WITH_DES_CBC_SHA" },
857 { 0x001b, "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA" },
858
859 { 0x001c, "SSL_FORTEZZA_KEA_WITH_NULL_SHA" },
860 { 0x001d, "SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA" },
861#if 0 /* Because it clashes with KRB5, is never used any more, and is safe
862 to remove according to David Hopwood <david.hopwood@zetnet.co.uk>
863 of the ietf-tls list */
864 { 0x001e, "SSL_FORTEZZA_KEA_WITH_RC4_128_SHA" },
865#endif
866 /* RFC 2712 */
867 { 0x001E, "TLS_KRB5_WITH_DES_CBC_SHA" },
868 { 0x001F, "TLS_KRB5_WITH_3DES_EDE_CBC_SHA" },
869 { 0x0020, "TLS_KRB5_WITH_RC4_128_SHA" },
870 { 0x0021, "TLS_KRB5_WITH_IDEA_CBC_SHA" },
871 { 0x0022, "TLS_KRB5_WITH_DES_CBC_MD5" },
872 { 0x0023, "TLS_KRB5_WITH_3DES_EDE_CBC_MD5" },
873 { 0x0024, "TLS_KRB5_WITH_RC4_128_MD5" },
874 { 0x0025, "TLS_KRB5_WITH_IDEA_CBC_MD5" },
875 { 0x0026, "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA" },
876 { 0x0027, "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA" },
877 { 0x0028, "TLS_KRB5_EXPORT_WITH_RC4_40_SHA" },
878 { 0x0029, "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5" },
879 { 0x002A, "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5" },
880 { 0x002B, "TLS_KRB5_EXPORT_WITH_RC4_40_MD5" },
881 /* RFC 4785 */
882 { 0x002C, "TLS_PSK_WITH_NULL_SHA" },
883 { 0x002D, "TLS_DHE_PSK_WITH_NULL_SHA" },
884 { 0x002E, "TLS_RSA_PSK_WITH_NULL_SHA" },
885 /* RFC 5246 */
886 { 0x002F, "TLS_RSA_WITH_AES_128_CBC_SHA" },
887 { 0x0030, "TLS_DH_DSS_WITH_AES_128_CBC_SHA" },
888 { 0x0031, "TLS_DH_RSA_WITH_AES_128_CBC_SHA" },
889 { 0x0032, "TLS_DHE_DSS_WITH_AES_128_CBC_SHA" },
890 { 0x0033, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA" },
891 { 0x0034, "TLS_DH_anon_WITH_AES_128_CBC_SHA" },
892 { 0x0035, "TLS_RSA_WITH_AES_256_CBC_SHA" },
893 { 0x0036, "TLS_DH_DSS_WITH_AES_256_CBC_SHA" },
894 { 0x0037, "TLS_DH_RSA_WITH_AES_256_CBC_SHA" },
895 { 0x0038, "TLS_DHE_DSS_WITH_AES_256_CBC_SHA" },
896 { 0x0039, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA" },
897 { 0x003A, "TLS_DH_anon_WITH_AES_256_CBC_SHA" },
898 { 0x003B, "TLS_RSA_WITH_NULL_SHA256" },
899 { 0x003C, "TLS_RSA_WITH_AES_128_CBC_SHA256" },
900 { 0x003D, "TLS_RSA_WITH_AES_256_CBC_SHA256" },
901 { 0x003E, "TLS_DH_DSS_WITH_AES_128_CBC_SHA256" },
902 { 0x003F, "TLS_DH_RSA_WITH_AES_128_CBC_SHA256" },
903 { 0x0040, "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256" },
904 /* RFC 4132 */
905 { 0x0041, "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA" },
906 { 0x0042, "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA" },
907 { 0x0043, "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA" },
908 { 0x0044, "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA" },
909 { 0x0045, "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA" },
910 { 0x0046, "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA" },
911 /* 0x00,0x60-66 Reserved to avoid conflicts with widely deployed implementations */
912 /* --- ??? --- */
913 { 0x0060, "TLS_RSA_EXPORT1024_WITH_RC4_56_MD5" },
914 { 0x0061, "TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5" },
915 /* draft-ietf-tls-56-bit-ciphersuites-01.txt */
916 { 0x0062, "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA" },
917 { 0x0063, "TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA" },
918 { 0x0064, "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA" },
919 { 0x0065, "TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA" },
920 { 0x0066, "TLS_DHE_DSS_WITH_RC4_128_SHA" },
921 /* --- ??? ---*/
922 { 0x0067, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256" },
923 { 0x0068, "TLS_DH_DSS_WITH_AES_256_CBC_SHA256" },
924 { 0x0069, "TLS_DH_RSA_WITH_AES_256_CBC_SHA256" },
925 { 0x006A, "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256" },
926 { 0x006B, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256" },
927 { 0x006C, "TLS_DH_anon_WITH_AES_128_CBC_SHA256" },
928 { 0x006D, "TLS_DH_anon_WITH_AES_256_CBC_SHA256" },
929 /* draft-chudov-cryptopro-cptls-04.txt */
930 { 0x0080, "TLS_GOSTR341094_WITH_28147_CNT_IMIT" },
931 { 0x0081, "TLS_GOSTR341001_WITH_28147_CNT_IMIT" },
932 { 0x0082, "TLS_GOSTR341094_WITH_NULL_GOSTR3411" },
933 { 0x0083, "TLS_GOSTR341001_WITH_NULL_GOSTR3411" },
934 /* RFC 4132 */
935 { 0x0084, "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA" },
936 { 0x0085, "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA" },
937 { 0x0086, "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA" },
938 { 0x0087, "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA" },
939 { 0x0088, "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA" },
940 { 0x0089, "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA" },
941 /* RFC 4279 */
942 { 0x008A, "TLS_PSK_WITH_RC4_128_SHA" },
943 { 0x008B, "TLS_PSK_WITH_3DES_EDE_CBC_SHA" },
944 { 0x008C, "TLS_PSK_WITH_AES_128_CBC_SHA" },
945 { 0x008D, "TLS_PSK_WITH_AES_256_CBC_SHA" },
946 { 0x008E, "TLS_DHE_PSK_WITH_RC4_128_SHA" },
947 { 0x008F, "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA" },
948 { 0x0090, "TLS_DHE_PSK_WITH_AES_128_CBC_SHA" },
949 { 0x0091, "TLS_DHE_PSK_WITH_AES_256_CBC_SHA" },
950 { 0x0092, "TLS_RSA_PSK_WITH_RC4_128_SHA" },
951 { 0x0093, "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA" },
952 { 0x0094, "TLS_RSA_PSK_WITH_AES_128_CBC_SHA" },
953 { 0x0095, "TLS_RSA_PSK_WITH_AES_256_CBC_SHA" },
954 /* RFC 4162 */
955 { 0x0096, "TLS_RSA_WITH_SEED_CBC_SHA" },
956 { 0x0097, "TLS_DH_DSS_WITH_SEED_CBC_SHA" },
957 { 0x0098, "TLS_DH_RSA_WITH_SEED_CBC_SHA" },
958 { 0x0099, "TLS_DHE_DSS_WITH_SEED_CBC_SHA" },
959 { 0x009A, "TLS_DHE_RSA_WITH_SEED_CBC_SHA" },
960 { 0x009B, "TLS_DH_anon_WITH_SEED_CBC_SHA" },
961 /* RFC 5288 */
962 { 0x009C, "TLS_RSA_WITH_AES_128_GCM_SHA256" },
963 { 0x009D, "TLS_RSA_WITH_AES_256_GCM_SHA384" },
964 { 0x009E, "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256" },
965 { 0x009F, "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384" },
966 { 0x00A0, "TLS_DH_RSA_WITH_AES_128_GCM_SHA256" },
967 { 0x00A1, "TLS_DH_RSA_WITH_AES_256_GCM_SHA384" },
968 { 0x00A2, "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256" },
969 { 0x00A3, "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384" },
970 { 0x00A4, "TLS_DH_DSS_WITH_AES_128_GCM_SHA256" },
971 { 0x00A5, "TLS_DH_DSS_WITH_AES_256_GCM_SHA384" },
972 { 0x00A6, "TLS_DH_anon_WITH_AES_128_GCM_SHA256" },
973 { 0x00A7, "TLS_DH_anon_WITH_AES_256_GCM_SHA384" },
974 /* RFC 5487 */
975 { 0x00A8, "TLS_PSK_WITH_AES_128_GCM_SHA256" },
976 { 0x00A9, "TLS_PSK_WITH_AES_256_GCM_SHA384" },
977 { 0x00AA, "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256" },
978 { 0x00AB, "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384" },
979 { 0x00AC, "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256" },
980 { 0x00AD, "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384" },
981 { 0x00AE, "TLS_PSK_WITH_AES_128_CBC_SHA256" },
982 { 0x00AF, "TLS_PSK_WITH_AES_256_CBC_SHA384" },
983 { 0x00B0, "TLS_PSK_WITH_NULL_SHA256" },
984 { 0x00B1, "TLS_PSK_WITH_NULL_SHA384" },
985 { 0x00B2, "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256" },
986 { 0x00B3, "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384" },
987 { 0x00B4, "TLS_DHE_PSK_WITH_NULL_SHA256" },
988 { 0x00B5, "TLS_DHE_PSK_WITH_NULL_SHA384" },
989 { 0x00B6, "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256" },
990 { 0x00B7, "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384" },
991 { 0x00B8, "TLS_RSA_PSK_WITH_NULL_SHA256" },
992 { 0x00B9, "TLS_RSA_PSK_WITH_NULL_SHA384" },
993 /* From RFC 5932 */
994 { 0x00BA, "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
995 { 0x00BB, "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256" },
996 { 0x00BC, "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
997 { 0x00BD, "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256" },
998 { 0x00BE, "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
999 { 0x00BF, "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256" },
1000 { 0x00C0, "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
1001 { 0x00C1, "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256" },
1002 { 0x00C2, "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
1003 { 0x00C3, "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256" },
1004 { 0x00C4, "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
1005 { 0x00C5, "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256" },
1006 /* RFC 8998 */
1007 { 0x00C6, "TLS_SM4_GCM_SM3" },
1008 { 0x00C7, "TLS_SM4_CCM_SM3" },
1009 /* 0x00,0xC8-FE Unassigned */
1010 /* From RFC 5746 */
1011 { 0x00FF, "TLS_EMPTY_RENEGOTIATION_INFO_SCSV" },
1012 /* RFC 8701 */
1013 { 0x0A0A, "Reserved (GREASE)" },
1014 /* RFC 8446 */
1015 { 0x1301, "TLS_AES_128_GCM_SHA256" },
1016 { 0x1302, "TLS_AES_256_GCM_SHA384" },
1017 { 0x1303, "TLS_CHACHA20_POLY1305_SHA256" },
1018 { 0x1304, "TLS_AES_128_CCM_SHA256" },
1019 { 0x1305, "TLS_AES_128_CCM_8_SHA256" },
1020 /* RFC 8701 */
1021 { 0x1A1A, "Reserved (GREASE)" },
1022 { 0x2A2A, "Reserved (GREASE)" },
1023 { 0x3A3A, "Reserved (GREASE)" },
1024 { 0x4A4A, "Reserved (GREASE)" },
1025 /* From RFC 7507 */
1026 { 0x5600, "TLS_FALLBACK_SCSV" },
1027 /* RFC 8701 */
1028 { 0x5A5A, "Reserved (GREASE)" },
1029 { 0x6A6A, "Reserved (GREASE)" },
1030 { 0x7A7A, "Reserved (GREASE)" },
1031 { 0x8A8A, "Reserved (GREASE)" },
1032 { 0x9A9A, "Reserved (GREASE)" },
1033 { 0xAAAA, "Reserved (GREASE)" },
1034 { 0xBABA, "Reserved (GREASE)" },
1035 /* From RFC 4492 */
1036 { 0xc001, "TLS_ECDH_ECDSA_WITH_NULL_SHA" },
1037 { 0xc002, "TLS_ECDH_ECDSA_WITH_RC4_128_SHA" },
1038 { 0xc003, "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA" },
1039 { 0xc004, "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA" },
1040 { 0xc005, "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" },
1041 { 0xc006, "TLS_ECDHE_ECDSA_WITH_NULL_SHA" },
1042 { 0xc007, "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA" },
1043 { 0xc008, "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA" },
1044 { 0xc009, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA" },
1045 { 0xc00a, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" },
1046 { 0xc00b, "TLS_ECDH_RSA_WITH_NULL_SHA" },
1047 { 0xc00c, "TLS_ECDH_RSA_WITH_RC4_128_SHA" },
1048 { 0xc00d, "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA" },
1049 { 0xc00e, "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA" },
1050 { 0xc00f, "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA" },
1051 { 0xc010, "TLS_ECDHE_RSA_WITH_NULL_SHA" },
1052 { 0xc011, "TLS_ECDHE_RSA_WITH_RC4_128_SHA" },
1053 { 0xc012, "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA" },
1054 { 0xc013, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA" },
1055 { 0xc014, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA" },
1056 { 0xc015, "TLS_ECDH_anon_WITH_NULL_SHA" },
1057 { 0xc016, "TLS_ECDH_anon_WITH_RC4_128_SHA" },
1058 { 0xc017, "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA" },
1059 { 0xc018, "TLS_ECDH_anon_WITH_AES_128_CBC_SHA" },
1060 { 0xc019, "TLS_ECDH_anon_WITH_AES_256_CBC_SHA" },
1061 /* RFC 5054 */
1062 { 0xC01A, "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA" },
1063 { 0xC01B, "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA" },
1064 { 0xC01C, "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA" },
1065 { 0xC01D, "TLS_SRP_SHA_WITH_AES_128_CBC_SHA" },
1066 { 0xC01E, "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA" },
1067 { 0xC01F, "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA" },
1068 { 0xC020, "TLS_SRP_SHA_WITH_AES_256_CBC_SHA" },
1069 { 0xC021, "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA" },
1070 { 0xC022, "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA" },
1071 /* RFC 5589 */
1072 { 0xC023, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256" },
1073 { 0xC024, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384" },
1074 { 0xC025, "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256" },
1075 { 0xC026, "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384" },
1076 { 0xC027, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" },
1077 { 0xC028, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" },
1078 { 0xC029, "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256" },
1079 { 0xC02A, "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384" },
1080 { 0xC02B, "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" },
1081 { 0xC02C, "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" },
1082 { 0xC02D, "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256" },
1083 { 0xC02E, "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384" },
1084 { 0xC02F, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" },
1085 { 0xC030, "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" },
1086 { 0xC031, "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" },
1087 { 0xC032, "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384" },
1088 /* RFC 5489 */
1089 { 0xC033, "TLS_ECDHE_PSK_WITH_RC4_128_SHA" },
1090 { 0xC034, "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA" },
1091 { 0xC035, "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA" },
1092 { 0xC036, "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA" },
1093 { 0xC037, "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256" },
1094 { 0xC038, "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384" },
1095 { 0xC039, "TLS_ECDHE_PSK_WITH_NULL_SHA" },
1096 { 0xC03A, "TLS_ECDHE_PSK_WITH_NULL_SHA256" },
1097 { 0xC03B, "TLS_ECDHE_PSK_WITH_NULL_SHA384" },
1098 /* RFC 6209 */
1099 { 0xC03C, "TLS_RSA_WITH_ARIA_128_CBC_SHA256" },
1100 { 0xC03D, "TLS_RSA_WITH_ARIA_256_CBC_SHA384" },
1101 { 0xC03E, "TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256" },
1102 { 0xC03F, "TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384" },
1103 { 0xC040, "TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256" },
1104 { 0xC041, "TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384" },
1105 { 0xC042, "TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256" },
1106 { 0xC043, "TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384" },
1107 { 0xC044, "TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256" },
1108 { 0xC045, "TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384" },
1109 { 0xC046, "TLS_DH_anon_WITH_ARIA_128_CBC_SHA256" },
1110 { 0xC047, "TLS_DH_anon_WITH_ARIA_256_CBC_SHA384" },
1111 { 0xC048, "TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256" },
1112 { 0xC049, "TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384" },
1113 { 0xC04A, "TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256" },
1114 { 0xC04B, "TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384" },
1115 { 0xC04C, "TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256" },
1116 { 0xC04D, "TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384" },
1117 { 0xC04E, "TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256" },
1118 { 0xC04F, "TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384" },
1119 { 0xC050, "TLS_RSA_WITH_ARIA_128_GCM_SHA256" },
1120 { 0xC051, "TLS_RSA_WITH_ARIA_256_GCM_SHA384" },
1121 { 0xC052, "TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256" },
1122 { 0xC053, "TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384" },
1123 { 0xC054, "TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256" },
1124 { 0xC055, "TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384" },
1125 { 0xC056, "TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256" },
1126 { 0xC057, "TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384" },
1127 { 0xC058, "TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256" },
1128 { 0xC059, "TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384" },
1129 { 0xC05A, "TLS_DH_anon_WITH_ARIA_128_GCM_SHA256" },
1130 { 0xC05B, "TLS_DH_anon_WITH_ARIA_256_GCM_SHA384" },
1131 { 0xC05C, "TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256" },
1132 { 0xC05D, "TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384" },
1133 { 0xC05E, "TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256" },
1134 { 0xC05F, "TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384" },
1135 { 0xC060, "TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256" },
1136 { 0xC061, "TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384" },
1137 { 0xC062, "TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256" },
1138 { 0xC063, "TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384" },
1139 { 0xC064, "TLS_PSK_WITH_ARIA_128_CBC_SHA256" },
1140 { 0xC065, "TLS_PSK_WITH_ARIA_256_CBC_SHA384" },
1141 { 0xC066, "TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256" },
1142 { 0xC067, "TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384" },
1143 { 0xC068, "TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256" },
1144 { 0xC069, "TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384" },
1145 { 0xC06A, "TLS_PSK_WITH_ARIA_128_GCM_SHA256" },
1146 { 0xC06B, "TLS_PSK_WITH_ARIA_256_GCM_SHA384" },
1147 { 0xC06C, "TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256" },
1148 { 0xC06D, "TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384" },
1149 { 0xC06E, "TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256" },
1150 { 0xC06F, "TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384" },
1151 { 0xC070, "TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256" },
1152 { 0xC071, "TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384" },
1153 /* RFC 6367 */
1154 { 0xC072, "TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256" },
1155 { 0xC073, "TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384" },
1156 { 0xC074, "TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256" },
1157 { 0xC075, "TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384" },
1158 { 0xC076, "TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
1159 { 0xC077, "TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384" },
1160 { 0xC078, "TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
1161 { 0xC079, "TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384" },
1162 { 0xC07A, "TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256" },
1163 { 0xC07B, "TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384" },
1164 { 0xC07C, "TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256" },
1165 { 0xC07D, "TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384" },
1166 { 0xC07E, "TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256" },
1167 { 0xC07F, "TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384" },
1168 { 0xC080, "TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256" },
1169 { 0xC081, "TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384" },
1170 { 0xC082, "TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256" },
1171 { 0xC083, "TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384" },
1172 { 0xC084, "TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256" },
1173 { 0xC085, "TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384" },
1174 { 0xC086, "TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256" },
1175 { 0xC087, "TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384" },
1176 { 0xC088, "TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256" },
1177 { 0xC089, "TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384" },
1178 { 0xC08A, "TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256" },
1179 { 0xC08B, "TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384" },
1180 { 0xC08C, "TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256" },
1181 { 0xC08D, "TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384" },
1182 { 0xC08E, "TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256" },
1183 { 0xC08F, "TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384" },
1184 { 0xC090, "TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256" },
1185 { 0xC091, "TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384" },
1186 { 0xC092, "TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256" },
1187 { 0xC093, "TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384" },
1188 { 0xC094, "TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256" },
1189 { 0xC095, "TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384" },
1190 { 0xC096, "TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256" },
1191 { 0xC097, "TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384" },
1192 { 0xC098, "TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256" },
1193 { 0xC099, "TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384" },
1194 { 0xC09A, "TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256" },
1195 { 0xC09B, "TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384" },
1196 /* RFC 6655 */
1197 { 0xC09C, "TLS_RSA_WITH_AES_128_CCM" },
1198 { 0xC09D, "TLS_RSA_WITH_AES_256_CCM" },
1199 { 0xC09E, "TLS_DHE_RSA_WITH_AES_128_CCM" },
1200 { 0xC09F, "TLS_DHE_RSA_WITH_AES_256_CCM" },
1201 { 0xC0A0, "TLS_RSA_WITH_AES_128_CCM_8" },
1202 { 0xC0A1, "TLS_RSA_WITH_AES_256_CCM_8" },
1203 { 0xC0A2, "TLS_DHE_RSA_WITH_AES_128_CCM_8" },
1204 { 0xC0A3, "TLS_DHE_RSA_WITH_AES_256_CCM_8" },
1205 { 0xC0A4, "TLS_PSK_WITH_AES_128_CCM" },
1206 { 0xC0A5, "TLS_PSK_WITH_AES_256_CCM" },
1207 { 0xC0A6, "TLS_DHE_PSK_WITH_AES_128_CCM" },
1208 { 0xC0A7, "TLS_DHE_PSK_WITH_AES_256_CCM" },
1209 { 0xC0A8, "TLS_PSK_WITH_AES_128_CCM_8" },
1210 { 0xC0A9, "TLS_PSK_WITH_AES_256_CCM_8" },
1211 { 0xC0AA, "TLS_PSK_DHE_WITH_AES_128_CCM_8" },
1212 { 0xC0AB, "TLS_PSK_DHE_WITH_AES_256_CCM_8" },
1213 /* RFC 7251 */
1214 { 0xC0AC, "TLS_ECDHE_ECDSA_WITH_AES_128_CCM" },
1215 { 0xC0AD, "TLS_ECDHE_ECDSA_WITH_AES_256_CCM" },
1216 { 0xC0AE, "TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8" },
1217 { 0xC0AF, "TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8" },
1218 /* RFC 8492 */
1219 { 0xC0B0, "TLS_ECCPWD_WITH_AES_128_GCM_SHA256" },
1220 { 0xC0B1, "TLS_ECCPWD_WITH_AES_256_GCM_SHA384" },
1221 { 0xC0B2, "TLS_ECCPWD_WITH_AES_128_CCM_SHA256" },
1222 { 0xC0B3, "TLS_ECCPWD_WITH_AES_256_CCM_SHA384" },
1223 /* draft-camwinget-tls-ts13-macciphersuites */
1224 { 0xC0B4, "TLS_SHA256_SHA256" },
1225 { 0xC0B5, "TLS_SHA384_SHA384" },
1226 /* https://www.ietf.org/archive/id/draft-cragie-tls-ecjpake-01.txt */
1227 { 0xC0FF, "TLS_ECJPAKE_WITH_AES_128_CCM_8" },
1228 /* draft-smyshlyaev-tls12-gost-suites */
1229 { 0xC100, "TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC" },
1230 { 0xC101, "TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC" },
1231 { 0xC102, "TLS_GOSTR341112_256_WITH_28147_CNT_IMIT" },
1232 /* draft-smyshlyaev-tls13-gost-suites */
1233 { 0xC103, "TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_L" },
1234 { 0xC104, "TLS_GOSTR341112_256_WITH_MAGMA_MGM_L" },
1235 { 0xC105, "TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_S" },
1236 { 0xC106, "TLS_GOSTR341112_256_WITH_MAGMA_MGM_S" },
1237 /* RFC 8701 */
1238 { 0xCACA, "Reserved (GREASE)" },
1239/*
12400xC0,0xAB-FF Unassigned
12410xC1,0x03-FD,* Unassigned
12420xFE,0x00-FD Unassigned
12430xFE,0xFE-FF Reserved to avoid conflicts with widely deployed implementations [Pasi_Eronen]
12440xFF,0x00-FF Reserved for Private Use [RFC5246]
1245*/
1246 /* old numbers used in the beginning
1247 * https://tools.ietf.org/html/draft-agl-tls-chacha20poly1305 */
1248 { 0xCC13, "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
1249 { 0xCC14, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" },
1250 { 0xCC15, "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
1251 /* RFC 7905 */
1252 { 0xCCA8, "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
1253 { 0xCCA9, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" },
1254 { 0xCCAA, "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
1255 { 0xCCAB, "TLS_PSK_WITH_CHACHA20_POLY1305_SHA256" },
1256 { 0xCCAC, "TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256" },
1257 { 0xCCAD, "TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256" },
1258 { 0xCCAE, "TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256" },
1259 /* RFC 8442 */
1260 { 0xD001, "TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256" },
1261 { 0xD002, "TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384" },
1262 { 0xD003, "TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256" },
1263 { 0xD005, "TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256" },
1264 /* RFC 8701 */
1265 { 0xDADA, "Reserved (GREASE)" },
1266 /* GM/T 0024-2014 */
1267 { 0xe001, "ECDHE_SM1_SM3"},
1268 { 0xe003, "ECC_SM1_SM3"},
1269 { 0xe005, "IBSDH_SM1_SM3"},
1270 { 0xe007, "IBC_SM1_SM3"},
1271 { 0xe009, "RSA_SM1_SM3"},
1272 { 0xe00a, "RSA_SM1_SHA1"},
1273 { 0xe011, "ECDHE_SM4_CBC_SM3"},
1274 { 0xe013, "ECC_SM4_CBC_SM3"},
1275 { 0xe015, "IBSDH_SM4_CBC_SM3"},
1276 { 0xe017, "IBC_SM4_CBC_SM3"},
1277 { 0xe019, "RSA_SM4_CBC_SM3"},
1278 { 0xe01a, "RSA_SM4_CBC_SHA1"},
1279 { 0xe01c, "RSA_SM4_CBC_SHA256"},
1280 { 0xe051, "ECDHE_SM4_GCM_SM3"},
1281 { 0xe053, "ECC_SM4_GCM_SM3"},
1282 { 0xe055, "IBSDH_SM4_GCM_SM3"},
1283 { 0xe057, "IBC_SM4_GCM_SM3"},
1284 { 0xe059, "RSA_SM4_GCM_SM3"},
1285 { 0xe05a, "RSA_SM4_GCM_SHA256"},
1286 /* https://tools.ietf.org/html/draft-josefsson-salsa20-tls */
1287 { 0xE410, "TLS_RSA_WITH_ESTREAM_SALSA20_SHA1" },
1288 { 0xE411, "TLS_RSA_WITH_SALSA20_SHA1" },
1289 { 0xE412, "TLS_ECDHE_RSA_WITH_ESTREAM_SALSA20_SHA1" },
1290 { 0xE413, "TLS_ECDHE_RSA_WITH_SALSA20_SHA1" },
1291 { 0xE414, "TLS_ECDHE_ECDSA_WITH_ESTREAM_SALSA20_SHA1" },
1292 { 0xE415, "TLS_ECDHE_ECDSA_WITH_SALSA20_SHA1" },
1293 { 0xE416, "TLS_PSK_WITH_ESTREAM_SALSA20_SHA1" },
1294 { 0xE417, "TLS_PSK_WITH_SALSA20_SHA1" },
1295 { 0xE418, "TLS_ECDHE_PSK_WITH_ESTREAM_SALSA20_SHA1" },
1296 { 0xE419, "TLS_ECDHE_PSK_WITH_SALSA20_SHA1" },
1297 { 0xE41A, "TLS_RSA_PSK_WITH_ESTREAM_SALSA20_SHA1" },
1298 { 0xE41B, "TLS_RSA_PSK_WITH_SALSA20_SHA1" },
1299 { 0xE41C, "TLS_DHE_PSK_WITH_ESTREAM_SALSA20_SHA1" },
1300 { 0xE41D, "TLS_DHE_PSK_WITH_SALSA20_SHA1" },
1301 { 0xE41E, "TLS_DHE_RSA_WITH_ESTREAM_SALSA20_SHA1" },
1302 { 0xE41F, "TLS_DHE_RSA_WITH_SALSA20_SHA1" },
1303 /* RFC 8701 */
1304 { 0xEAEA, "Reserved (GREASE)" },
1305 { 0xFAFA, "Reserved (GREASE)" },
1306 /* these from http://www.mozilla.org/projects/
1307 security/pki/nss/ssl/fips-ssl-ciphersuites.html */
1308 { 0xfefe, "SSL_RSA_FIPS_WITH_DES_CBC_SHA"},
1309 { 0xfeff, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA" },
1310 /* https://datatracker.ietf.org/doc/html/rfc9189 */
1311 { 0xff85, "TLS_GOSTR341112_256_WITH_28147_CNT_IMIT"},
1312 { 0xffe0, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA" },
1313 { 0xffe1, "SSL_RSA_FIPS_WITH_DES_CBC_SHA" },
1314 /* note that ciphersuites 0xff00 - 0xffff are private */
1315 { 0x00, NULL((void*)0) }
1316};
1317
1318value_string_ext ssl_31_ciphersuite_ext = VALUE_STRING_EXT_INIT(ssl_31_ciphersuite){ _try_val_to_str_ext_init, 0, (sizeof (ssl_31_ciphersuite) /
sizeof ((ssl_31_ciphersuite)[0]))-1, ssl_31_ciphersuite, "ssl_31_ciphersuite"
, ((void*)0) };
1319
1320/* http://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#tls-extensiontype-values-1 */
1321const value_string tls_hello_extension_types[] = {
1322 { SSL_HND_HELLO_EXT_SERVER_NAME0, "server_name" }, /* RFC 6066 */
1323 { SSL_HND_HELLO_EXT_MAX_FRAGMENT_LENGTH1, "max_fragment_length" },/* RFC 6066 */
1324 { SSL_HND_HELLO_EXT_CLIENT_CERTIFICATE_URL2, "client_certificate_url" }, /* RFC 6066 */
1325 { SSL_HND_HELLO_EXT_TRUSTED_CA_KEYS3, "trusted_ca_keys" }, /* RFC 6066 */
1326 { SSL_HND_HELLO_EXT_TRUNCATED_HMAC4, "truncated_hmac" }, /* RFC 6066 */
1327 { SSL_HND_HELLO_EXT_STATUS_REQUEST5, "status_request" }, /* RFC 6066 */
1328 { SSL_HND_HELLO_EXT_USER_MAPPING6, "user_mapping" }, /* RFC 4681 */
1329 { SSL_HND_HELLO_EXT_CLIENT_AUTHZ7, "client_authz" }, /* RFC 5878 */
1330 { SSL_HND_HELLO_EXT_SERVER_AUTHZ8, "server_authz" }, /* RFC 5878 */
1331 { SSL_HND_HELLO_EXT_CERT_TYPE9, "cert_type" }, /* RFC 6091 */
1332 { SSL_HND_HELLO_EXT_SUPPORTED_GROUPS10, "supported_groups" }, /* RFC 4492, RFC 7919 */
1333 { SSL_HND_HELLO_EXT_EC_POINT_FORMATS11, "ec_point_formats" }, /* RFC 4492 */
1334 { SSL_HND_HELLO_EXT_SRP12, "srp" }, /* RFC 5054 */
1335 { SSL_HND_HELLO_EXT_SIGNATURE_ALGORITHMS13, "signature_algorithms" }, /* RFC 5246 */
1336 { SSL_HND_HELLO_EXT_USE_SRTP14, "use_srtp" }, /* RFC 5764 */
1337 { SSL_HND_HELLO_EXT_HEARTBEAT15, "heartbeat" }, /* RFC 6520 */
1338 { SSL_HND_HELLO_EXT_ALPN16, "application_layer_protocol_negotiation" }, /* RFC 7301 */
1339 { SSL_HND_HELLO_EXT_STATUS_REQUEST_V217, "status_request_v2" }, /* RFC 6961 */
1340 { SSL_HND_HELLO_EXT_SIGNED_CERTIFICATE_TIMESTAMP18, "signed_certificate_timestamp" }, /* RFC 6962 */
1341 { SSL_HND_HELLO_EXT_CLIENT_CERT_TYPE19, "client_certificate_type" }, /* RFC 7250 */
1342 { SSL_HND_HELLO_EXT_SERVER_CERT_TYPE20, "server_certificate_type" }, /* RFC 7250 */
1343 { SSL_HND_HELLO_EXT_PADDING21, "padding" }, /* RFC 7685 */
1344 { SSL_HND_HELLO_EXT_ENCRYPT_THEN_MAC22, "encrypt_then_mac" }, /* RFC 7366 */
1345 { SSL_HND_HELLO_EXT_EXTENDED_MASTER_SECRET23, "extended_master_secret" }, /* RFC 7627 */
1346 { SSL_HND_HELLO_EXT_TOKEN_BINDING24, "token_binding" }, /* https://tools.ietf.org/html/draft-ietf-tokbind-negotiation */
1347 { SSL_HND_HELLO_EXT_CACHED_INFO25, "cached_info" }, /* RFC 7924 */
1348 { SSL_HND_HELLO_EXT_COMPRESS_CERTIFICATE27, "compress_certificate" }, /* https://tools.ietf.org/html/draft-ietf-tls-certificate-compression-03 */
1349 { SSL_HND_HELLO_EXT_RECORD_SIZE_LIMIT28, "record_size_limit" }, /* RFC 8449 */
1350 { SSL_HND_HELLO_EXT_DELEGATED_CREDENTIALS34, "delegated_credentials" }, /* draft-ietf-tls-subcerts-10.txt */
1351 { SSL_HND_HELLO_EXT_SESSION_TICKET_TLS35, "session_ticket" }, /* RFC 5077 / RFC 8447 */
1352 { SSL_HND_HELLO_EXT_KEY_SHARE_OLD40, "Reserved (key_share)" }, /* https://tools.ietf.org/html/draft-ietf-tls-tls13-22 (removed in -23) */
1353 { SSL_HND_HELLO_EXT_PRE_SHARED_KEY41, "pre_shared_key" }, /* RFC 8446 */
1354 { SSL_HND_HELLO_EXT_EARLY_DATA42, "early_data" }, /* RFC 8446 */
1355 { SSL_HND_HELLO_EXT_SUPPORTED_VERSIONS43, "supported_versions" }, /* RFC 8446 */
1356 { SSL_HND_HELLO_EXT_COOKIE44, "cookie" }, /* RFC 8446 */
1357 { SSL_HND_HELLO_EXT_PSK_KEY_EXCHANGE_MODES45, "psk_key_exchange_modes" }, /* RFC 8446 */
1358 { SSL_HND_HELLO_EXT_TICKET_EARLY_DATA_INFO46, "Reserved (ticket_early_data_info)" }, /* draft-ietf-tls-tls13-18 (removed in -19) */
1359 { SSL_HND_HELLO_EXT_CERTIFICATE_AUTHORITIES47, "certificate_authorities" }, /* RFC 8446 */
1360 { SSL_HND_HELLO_EXT_OID_FILTERS48, "oid_filters" }, /* RFC 8446 */
1361 { SSL_HND_HELLO_EXT_POST_HANDSHAKE_AUTH49, "post_handshake_auth" }, /* RFC 8446 */
1362 { SSL_HND_HELLO_EXT_SIGNATURE_ALGORITHMS_CERT50, "signature_algorithms_cert" }, /* RFC 8446 */
1363 { SSL_HND_HELLO_EXT_KEY_SHARE51, "key_share" }, /* RFC 8446 */
1364 { SSL_HND_HELLO_EXT_TRANSPARENCY_INFO52, "transparency_info" }, /* draft-ietf-trans-rfc6962-bis-41 */
1365 { SSL_HND_HELLO_EXT_CONNECTION_ID_DEPRECATED53, "connection_id (deprecated)" }, /* draft-ietf-tls-dtls-connection-id-07 */
1366 { SSL_HND_HELLO_EXT_CONNECTION_ID54, "connection_id" }, /* RFC 9146 */
1367 { SSL_HND_HELLO_EXT_EXTERNAL_ID_HASH55, "external_id_hash" }, /* RFC 8844 */
1368 { SSL_HND_HELLO_EXT_EXTERNAL_SESSION_ID56, "external_session_id" }, /* RFC 8844 */
1369 { SSL_HND_HELLO_EXT_QUIC_TRANSPORT_PARAMETERS_V157, "quic_transport_parameters" }, /* draft-ietf-quic-tls-33 */
1370 { SSL_HND_HELLO_EXT_TICKET_REQUEST58, "ticket_request" }, /* draft-ietf-tls-ticketrequests-07 */
1371 { SSL_HND_HELLO_EXT_DNSSEC_CHAIN59, "dnssec_chain" }, /* RFC 9102 */
1372 { SSL_HND_HELLO_EXT_GREASE_0A0A2570, "Reserved (GREASE)" }, /* RFC 8701 */
1373 { SSL_HND_HELLO_EXT_GREASE_1A1A6682, "Reserved (GREASE)" }, /* RFC 8701 */
1374 { SSL_HND_HELLO_EXT_GREASE_2A2A10794, "Reserved (GREASE)" }, /* RFC 8701 */
1375 { SSL_HND_HELLO_EXT_NPN13172, "next_protocol_negotiation"}, /* https://datatracker.ietf.org/doc/html/draft-agl-tls-nextprotoneg-03 */
1376 { SSL_HND_HELLO_EXT_GREASE_3A3A14906, "Reserved (GREASE)" }, /* RFC 8701 */
1377 { SSL_HND_HELLO_EXT_ALPS_OLD17513, "application_settings_old" }, /* draft-vvv-tls-alps-01 */
1378 { SSL_HND_HELLO_EXT_ALPS17613, "application_settings" }, /* draft-vvv-tls-alps-01 */ /* https://chromestatus.com/feature/5149147365900288 */
1379 { SSL_HND_HELLO_EXT_GREASE_4A4A19018, "Reserved (GREASE)" }, /* RFC 8701 */
1380 { SSL_HND_HELLO_EXT_GREASE_5A5A23130, "Reserved (GREASE)" }, /* RFC 8701 */
1381 { SSL_HND_HELLO_EXT_GREASE_6A6A27242, "Reserved (GREASE)" }, /* RFC 8701 */
1382 { SSL_HND_HELLO_EXT_CHANNEL_ID_OLD30031, "channel_id_old" }, /* https://tools.ietf.org/html/draft-balfanz-tls-channelid-00
1383 https://twitter.com/ericlaw/status/274237352531083264 */
1384 { SSL_HND_HELLO_EXT_CHANNEL_ID30032, "channel_id" }, /* https://tools.ietf.org/html/draft-balfanz-tls-channelid-01
1385 https://code.google.com/p/chromium/codesearch#chromium/src/net/third_party/nss/ssl/sslt.h&l=209 */
1386 { SSL_HND_HELLO_EXT_RENEGOTIATION_INFO65281, "renegotiation_info" }, /* RFC 5746 */
1387 { SSL_HND_HELLO_EXT_GREASE_7A7A31354, "Reserved (GREASE)" }, /* RFC 8701 */
1388 { SSL_HND_HELLO_EXT_GREASE_8A8A35466, "Reserved (GREASE)" }, /* RFC 8701 */
1389 { SSL_HND_HELLO_EXT_GREASE_9A9A39578, "Reserved (GREASE)" }, /* RFC 8701 */
1390 { SSL_HND_HELLO_EXT_GREASE_AAAA43690, "Reserved (GREASE)" }, /* RFC 8701 */
1391 { SSL_HND_HELLO_EXT_GREASE_BABA47802, "Reserved (GREASE)" }, /* RFC 8701 */
1392 { SSL_HND_HELLO_EXT_GREASE_CACA51914, "Reserved (GREASE)" }, /* RFC 8701 */
1393 { SSL_HND_HELLO_EXT_GREASE_DADA56026, "Reserved (GREASE)" }, /* RFC 8701 */
1394 { SSL_HND_HELLO_EXT_GREASE_EAEA60138, "Reserved (GREASE)" }, /* RFC 8701 */
1395 { SSL_HND_HELLO_EXT_GREASE_FAFA64250, "Reserved (GREASE)" }, /* RFC 8701 */
1396 { SSL_HND_HELLO_EXT_QUIC_TRANSPORT_PARAMETERS65445, "quic_transport_parameters (drafts version)" }, /* https://tools.ietf.org/html/draft-ietf-quic-tls */
1397 { SSL_HND_HELLO_EXT_ENCRYPTED_SERVER_NAME65486, "encrypted_server_name" }, /* https://tools.ietf.org/html/draft-ietf-tls-esni-01 */
1398 { SSL_HND_HELLO_EXT_ENCRYPTED_CLIENT_HELLO65037, "encrypted_client_hello" }, /* https://datatracker.ietf.org/doc/draft-ietf-tls-esni/17/ */
1399 { SSL_HND_HELLO_EXT_ECH_OUTER_EXTENSIONS64768, "ech_outer_extensions" }, /* https://datatracker.ietf.org/doc/draft-ietf-tls-esni/17/ */
1400 { 0, NULL((void*)0) }
1401};
1402
1403const value_string tls_hello_ext_server_name_type_vs[] = {
1404 { 0, "host_name" },
1405 { 0, NULL((void*)0) }
1406};
1407
1408/* RFC 6066 Section 4 */
1409const value_string tls_hello_ext_max_fragment_length[] = {
1410 { 1, "512" }, // 2^9
1411 { 2, "1024" }, // 2^10
1412 { 3, "2048" }, // 2^11
1413 { 4, "4096" }, // 2^12
1414 { 0, NULL((void*)0) }
1415};
1416
1417/* RFC 8446 Section 4.2.9 */
1418const value_string tls_hello_ext_psk_ke_mode[] = {
1419 { 0, "PSK-only key establishment (psk_ke)" },
1420 { 1, "PSK with (EC)DHE key establishment (psk_dhe_ke)" },
1421 { 0, NULL((void*)0) }
1422};
1423
1424/* RFC 6066 Section 6 */
1425const value_string tls_hello_ext_trusted_ca_key_type[] = {
1426 {0, "pre_agreed"},
1427 {1, "key_sha1_hash"},
1428 {2, "x509_name"},
1429 {3, "cert_sha1_hash"},
1430 {0, NULL((void*)0)}
1431};
1432
1433const value_string tls13_key_update_request[] = {
1434 { 0, "update_not_requested" },
1435 { 1, "update_requested" },
1436 { 0, NULL((void*)0) }
1437};
1438
1439/* RFC 5246 7.4.1.4.1 */
1440/* https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml */
1441/* Note that the TLS 1.3 SignatureScheme registry reserves all values
1442 * with first octet 0x00-0x06 and all values with second octet 0x00-0x03
1443 * for backwards compatibility with TLS 1.2 SignatureAndHashAlgorithm.
1444 *
1445 * RFC 8422 and RFC 9189 add official support in TLS 1.2 for some algorithms
1446 * originally defined for TLS 1.3, and extend the TLS SignatureAlgorithm
1447 * and TLS HashAlgorithm registries, but the new values are not compatible
1448 * with all of the TLS 1.3-only SignatureSchemes. Adding those values could
1449 * cause confusion if used to interpret one of those schemes in a
1450 * signature_algorithms extension offered in a TLS 1.3 ClientHello.
1451 */
1452const value_string tls_hash_algorithm[] = {
1453 { 0, "None" },
1454 { 1, "MD5" },
1455 { 2, "SHA1" },
1456 { 3, "SHA224" },
1457 { 4, "SHA256" },
1458 { 5, "SHA384" },
1459 { 6, "SHA512" },
1460#if 0
1461 /* RFC 8422 adds this to the HashAlgorithm registry, but it really
1462 * only applies to 0x0807 and 0x0808, not for other TLS 1.3
1463 * SignatureSchemes with 0x08 in the octet used for Hash in TLS 1.2.
1464 * E.g., we don't want to display this for 0x0806 rsa_pss_rsae_sha512.
1465 */
1466 { 8, "Intrinsic" },
1467#endif
1468 { 0, NULL((void*)0) }
1469};
1470
1471const value_string tls_signature_algorithm[] = {
1472 { 0, "Anonymous" },
1473 { 1, "RSA" },
1474 { 2, "DSA" },
1475 { 3, "ECDSA" },
1476#if 0
1477 /* As above. */
1478 { 7, "ED25519" },
1479 { 8, "ED448" },
1480 { 64, "GOSTR34102012_256" },
1481 { 65, "GOSTR34102012_512" },
1482#endif
1483 { 0, NULL((void*)0) }
1484};
1485
1486/* RFC 8446 Section 4.2.3 */
1487const value_string tls13_signature_algorithm[] = {
1488 { 0x0201, "rsa_pkcs1_sha1" },
1489 { 0x0203, "ecdsa_sha1" },
1490 { 0x0401, "rsa_pkcs1_sha256" },
1491 { 0x0403, "ecdsa_secp256r1_sha256" },
1492 { 0x0420, "rsa_pkcs1_sha256_legacy" }, /* draft-davidben-tls13-pkcs1-01 */
1493 { 0x0501, "rsa_pkcs1_sha384" },
1494 { 0x0503, "ecdsa_secp384r1_sha384" },
1495 { 0x0520, "rsa_pkcs1_sha384_legacy" }, /* draft-davidben-tls13-pkcs1-01 */
1496 { 0x0601, "rsa_pkcs1_sha512" },
1497 { 0x0603, "ecdsa_secp521r1_sha512" },
1498 { 0x0620, "rsa_pkcs1_sha512_legacy" }, /* draft-davidben-tls13-pkcs1-01 */
1499 { 0x0704, "eccsi_sha256" }, /* draft-wang-tls-raw-public-key-with-ibc-02 */
1500 { 0x0705, "iso_ibs1" }, /* draft-wang-tls-raw-public-key-with-ibc-02 */
1501 { 0x0706, "iso_ibs2" }, /* draft-wang-tls-raw-public-key-with-ibc-02 */
1502 { 0x0707, "iso_chinese_ibs" }, /* draft-wang-tls-raw-public-key-with-ibc-02 */
1503 { 0x0708, "sm2sig_sm3" },
1504 { 0x0709, "gostr34102012_256a" }, /* RFC9367 */
1505 { 0x070a, "gostr34102012_256b" }, /* RFC9367 */
1506 { 0x070b, "gostr34102012_256c" }, /* RFC9367 */
1507 { 0x070c, "gostr34102012_256d" }, /* RFC9367 */
1508 { 0x070d, "gostr34102012_512a" }, /* RFC9367 */
1509 { 0x070e, "gostr34102012_512b" }, /* RFC9367 */
1510 { 0x070f, "gostr34102012_512c" }, /* RFC9367 */
1511 { 0x0804, "rsa_pss_rsae_sha256" },
1512 { 0x0805, "rsa_pss_rsae_sha384" },
1513 { 0x0806, "rsa_pss_rsae_sha512" },
1514 { 0x0807, "ed25519" },
1515 { 0x0808, "ed448" },
1516 { 0x0809, "rsa_pss_pss_sha256" },
1517 { 0x080a, "rsa_pss_pss_sha384" },
1518 { 0x080b, "rsa_pss_pss_sha512" },
1519 { 0x081a, "ecdsa_brainpoolP256r1tls13_sha256" }, /* RFC8734 */
1520 { 0x081b, "ecdsa_brainpoolP384r1tls13_sha384" }, /* RFC8734 */
1521 { 0x081c, "ecdsa_brainpoolP512r1tls13_sha512" }, /* RFC8734 */
1522 { 0x0904, "mldsa44" }, /* draft-ietf-tls-mldsa-00 */
1523 { 0x0905, "mldsa65" }, /* draft-ietf-tls-mldsa-00 */
1524 { 0x0906, "mldsa87" }, /* draft-ietf-tls-mldsa-00 */
1525 { 0x0911, "slhdsa_sha2_128s" }, /* draft-reddy-tls-slhdsa-01 */
1526 { 0x0912, "slhdsa_sha2_128f" }, /* draft-reddy-tls-slhdsa-01 */
1527 { 0x0913, "slhdsa_sha2_192s" }, /* draft-reddy-tls-slhdsa-01 */
1528 { 0x0914, "slhdsa_sha2_192f" }, /* draft-reddy-tls-slhdsa-01 */
1529 { 0x0915, "slhdsa_sha2_256s" }, /* draft-reddy-tls-slhdsa-01 */
1530 { 0x0916, "slhdsa_sha2_256f" }, /* draft-reddy-tls-slhdsa-01 */
1531 { 0x0917, "slhdsa_shake_128s" }, /* draft-reddy-tls-slhdsa-01 */
1532 { 0x0918, "slhdsa_shake_128f" }, /* draft-reddy-tls-slhdsa-01 */
1533 { 0x0919, "slhdsa_shake_192s" }, /* draft-reddy-tls-slhdsa-01 */
1534 { 0x091a, "slhdsa_shake_192f" }, /* draft-reddy-tls-slhdsa-01 */
1535 { 0x091b, "slhdsa_shake_256s" }, /* draft-reddy-tls-slhdsa-01 */
1536 { 0x091c, "slhdsa_shake_256f" }, /* draft-reddy-tls-slhdsa-01 */
1537 /* PQC digital signature algorithms from OQS-OpenSSL,
1538 see https://github.com/open-quantum-safe/oqs-provider/blob/main/oqs-template/oqs-sig-info.md */
1539 { 0xfea0, "dilithium2" },
1540 { 0xfea1, "p256_dilithium2" },
1541 { 0xfea2, "rsa3072_dilithium2" },
1542 { 0xfea3, "dilithium3" },
1543 { 0xfea4, "p384_dilithium3" },
1544 { 0xfea5, "dilithium5" },
1545 { 0xfea6, "p521_dilithium5" },
1546 { 0xfea7, "dilithium2_aes" },
1547 { 0xfea8, "p256_dilithium2_aes" },
1548 { 0xfea9, "rsa3072_dilithium2_aes" },
1549 { 0xfeaa, "dilithium3_aes" },
1550 { 0xfeab, "p384_dilithium3_aes" },
1551 { 0xfeac, "dilithium5_aes" },
1552 { 0xfead, "p521_dilithium5_aes" },
1553 { 0xfe0b, "falcon512" },
1554 { 0xfe0c, "p256_falcon512" },
1555 { 0xfe0d, "rsa3072_falcon512" },
1556 { 0xfe0e, "falcon1024" },
1557 { 0xfe0f, "p521_falcon1024" },
1558 { 0xfe96, "picnicl1full" },
1559 { 0xfe97, "p256_picnicl1full" },
1560 { 0xfe98, "rsa3072_picnicl1full" },
1561 { 0xfe1b, "picnic3l1" },
1562 { 0xfe1c, "p256_picnic3l1" },
1563 { 0xfe1d, "rsa3072_picnic3l1" },
1564 { 0xfe27, "rainbowIclassic" },
1565 { 0xfe28, "p256_rainbowIclassic" },
1566 { 0xfe29, "rsa3072_rainbowIclassic" },
1567 { 0xfe3c, "rainbowVclassic" },
1568 { 0xfe3d, "p521_rainbowVclassic" },
1569 { 0xfe42, "sphincsharaka128frobust" },
1570 { 0xfe43, "p256_sphincsharaka128frobust" },
1571 { 0xfe44, "rsa3072_sphincsharaka128frobust" },
1572 { 0xfe5e, "sphincssha256128frobust" },
1573 { 0xfe5f, "p256_sphincssha256128frobust" },
1574 { 0xfe60, "rsa3072_sphincssha256128frobust" },
1575 { 0xfe7a, "sphincsshake256128frobust" },
1576 { 0xfe7b, "p256_sphincsshake256128frobust" },
1577 { 0xfe7c, "rsa3072_sphincsshake256128frobust" },
1578 { 0, NULL((void*)0) }
1579};
1580
1581/* RFC 6091 3.1 */
1582const value_string tls_certificate_type[] = {
1583 { 0, "X.509" },
1584 { 1, "OpenPGP" },
1585 { SSL_HND_CERT_TYPE_RAW_PUBLIC_KEY2, "Raw Public Key" }, /* RFC 7250 */
1586 { 0, NULL((void*)0) }
1587};
1588
1589const value_string tls_cert_chain_type[] = {
1590 { SSL_HND_CERT_URL_TYPE_INDIVIDUAL_CERT1, "Individual Certificates" },
1591 { SSL_HND_CERT_URL_TYPE_PKIPATH2, "PKI Path" },
1592 { 0, NULL((void*)0) }
1593};
1594
1595const value_string tls_cert_status_type[] = {
1596 { SSL_HND_CERT_STATUS_TYPE_OCSP1, "OCSP" },
1597 { SSL_HND_CERT_STATUS_TYPE_OCSP_MULTI2, "OCSP Multi" },
1598 { 0, NULL((void*)0) }
1599};
1600
1601/* Generated by tools/make-tls-ct-logids.py
1602 * Last-Modified Sat, 15 Nov 2025 14:27:28 GMT, 187 entries. */
1603static const bytes_string ct_logids[] = {
1604 { (const uint8_t[]){
1605 0xb2, 0x1e, 0x05, 0xcc, 0x8b, 0xa2, 0xcd, 0x8a, 0x20, 0x4e, 0x87,
1606 0x66, 0xf9, 0x2b, 0xb9, 0x8a, 0x25, 0x20, 0x67, 0x6b, 0xda, 0xfa,
1607 0x70, 0xe7, 0xb2, 0x49, 0x53, 0x2d, 0xef, 0x8b, 0x90, 0x5e,
1608 },
1609 32, "Google 'Argon2020' log" },
1610 { (const uint8_t[]){
1611 0xf6, 0x5c, 0x94, 0x2f, 0xd1, 0x77, 0x30, 0x22, 0x14, 0x54, 0x18,
1612 0x08, 0x30, 0x94, 0x56, 0x8e, 0xe3, 0x4d, 0x13, 0x19, 0x33, 0xbf,
1613 0xdf, 0x0c, 0x2f, 0x20, 0x0b, 0xcc, 0x4e, 0xf1, 0x64, 0xe3,
1614 },
1615 32, "Google 'Argon2021' log" },
1616 { (const uint8_t[]){
1617 0x29, 0x79, 0xbe, 0xf0, 0x9e, 0x39, 0x39, 0x21, 0xf0, 0x56, 0x73,
1618 0x9f, 0x63, 0xa5, 0x77, 0xe5, 0xbe, 0x57, 0x7d, 0x9c, 0x60, 0x0a,
1619 0xf8, 0xf9, 0x4d, 0x5d, 0x26, 0x5c, 0x25, 0x5d, 0xc7, 0x84,
1620 },
1621 32, "Google 'Argon2022' log" },
1622 { (const uint8_t[]){
1623 0xe8, 0x3e, 0xd0, 0xda, 0x3e, 0xf5, 0x06, 0x35, 0x32, 0xe7, 0x57,
1624 0x28, 0xbc, 0x89, 0x6b, 0xc9, 0x03, 0xd3, 0xcb, 0xd1, 0x11, 0x6b,
1625 0xec, 0xeb, 0x69, 0xe1, 0x77, 0x7d, 0x6d, 0x06, 0xbd, 0x6e,
1626 },
1627 32, "Google 'Argon2023' log" },
1628 { (const uint8_t[]){
1629 0xee, 0xcd, 0xd0, 0x64, 0xd5, 0xdb, 0x1a, 0xce, 0xc5, 0x5c, 0xb7,
1630 0x9d, 0xb4, 0xcd, 0x13, 0xa2, 0x32, 0x87, 0x46, 0x7c, 0xbc, 0xec,
1631 0xde, 0xc3, 0x51, 0x48, 0x59, 0x46, 0x71, 0x1f, 0xb5, 0x9b,
1632 },
1633 32, "Google 'Argon2024' log" },
1634 { (const uint8_t[]){
1635 0x4e, 0x75, 0xa3, 0x27, 0x5c, 0x9a, 0x10, 0xc3, 0x38, 0x5b, 0x6c,
1636 0xd4, 0xdf, 0x3f, 0x52, 0xeb, 0x1d, 0xf0, 0xe0, 0x8e, 0x1b, 0x8d,
1637 0x69, 0xc0, 0xb1, 0xfa, 0x64, 0xb1, 0x62, 0x9a, 0x39, 0xdf,
1638 },
1639 32, "Google 'Argon2025h1' log" },
1640 { (const uint8_t[]){
1641 0x12, 0xf1, 0x4e, 0x34, 0xbd, 0x53, 0x72, 0x4c, 0x84, 0x06, 0x19,
1642 0xc3, 0x8f, 0x3f, 0x7a, 0x13, 0xf8, 0xe7, 0xb5, 0x62, 0x87, 0x88,
1643 0x9c, 0x6d, 0x30, 0x05, 0x84, 0xeb, 0xe5, 0x86, 0x26, 0x3a,
1644 },
1645 32, "Google 'Argon2025h2' log" },
1646 { (const uint8_t[]){
1647 0x0e, 0x57, 0x94, 0xbc, 0xf3, 0xae, 0xa9, 0x3e, 0x33, 0x1b, 0x2c,
1648 0x99, 0x07, 0xb3, 0xf7, 0x90, 0xdf, 0x9b, 0xc2, 0x3d, 0x71, 0x32,
1649 0x25, 0xdd, 0x21, 0xa9, 0x25, 0xac, 0x61, 0xc5, 0x4e, 0x21,
1650 },
1651 32, "Google 'Argon2026h1' log" },
1652 { (const uint8_t[]){
1653 0xd7, 0x6d, 0x7d, 0x10, 0xd1, 0xa7, 0xf5, 0x77, 0xc2, 0xc7, 0xe9,
1654 0x5f, 0xd7, 0x00, 0xbf, 0xf9, 0x82, 0xc9, 0x33, 0x5a, 0x65, 0xe1,
1655 0xd0, 0xb3, 0x01, 0x73, 0x17, 0xc0, 0xc8, 0xc5, 0x69, 0x77,
1656 },
1657 32, "Google 'Argon2026h2' log" },
1658 { (const uint8_t[]){
1659 0xd6, 0xd5, 0x8d, 0xa9, 0xd0, 0x17, 0x53, 0xf3, 0x6a, 0x4a, 0xa0,
1660 0xc7, 0x57, 0x49, 0x02, 0xaf, 0xeb, 0xc7, 0xdc, 0x2c, 0xd3, 0x8c,
1661 0xd9, 0xf7, 0x64, 0xc8, 0x0c, 0x89, 0x19, 0x1e, 0x9f, 0x02,
1662 },
1663 32, "Google 'Argon2027h1'" },
1664 { (const uint8_t[]){
1665 0x07, 0xb7, 0x5c, 0x1b, 0xe5, 0x7d, 0x68, 0xff, 0xf1, 0xb0, 0xc6,
1666 0x1d, 0x23, 0x15, 0xc7, 0xba, 0xe6, 0x57, 0x7c, 0x57, 0x94, 0xb7,
1667 0x6a, 0xee, 0xbc, 0x61, 0x3a, 0x1a, 0x69, 0xd3, 0xa2, 0x1c,
1668 },
1669 32, "Google 'Xenon2020' log" },
1670 { (const uint8_t[]){
1671 0x7d, 0x3e, 0xf2, 0xf8, 0x8f, 0xff, 0x88, 0x55, 0x68, 0x24, 0xc2,
1672 0xc0, 0xca, 0x9e, 0x52, 0x89, 0x79, 0x2b, 0xc5, 0x0e, 0x78, 0x09,
1673 0x7f, 0x2e, 0x6a, 0x97, 0x68, 0x99, 0x7e, 0x22, 0xf0, 0xd7,
1674 },
1675 32, "Google 'Xenon2021' log" },
1676 { (const uint8_t[]){
1677 0x46, 0xa5, 0x55, 0xeb, 0x75, 0xfa, 0x91, 0x20, 0x30, 0xb5, 0xa2,
1678 0x89, 0x69, 0xf4, 0xf3, 0x7d, 0x11, 0x2c, 0x41, 0x74, 0xbe, 0xfd,
1679 0x49, 0xb8, 0x85, 0xab, 0xf2, 0xfc, 0x70, 0xfe, 0x6d, 0x47,
1680 },
1681 32, "Google 'Xenon2022' log" },
1682 { (const uint8_t[]){
1683 0xad, 0xf7, 0xbe, 0xfa, 0x7c, 0xff, 0x10, 0xc8, 0x8b, 0x9d, 0x3d,
1684 0x9c, 0x1e, 0x3e, 0x18, 0x6a, 0xb4, 0x67, 0x29, 0x5d, 0xcf, 0xb1,
1685 0x0c, 0x24, 0xca, 0x85, 0x86, 0x34, 0xeb, 0xdc, 0x82, 0x8a,
1686 },
1687 32, "Google 'Xenon2023' log" },
1688 { (const uint8_t[]){
1689 0x76, 0xff, 0x88, 0x3f, 0x0a, 0xb6, 0xfb, 0x95, 0x51, 0xc2, 0x61,
1690 0xcc, 0xf5, 0x87, 0xba, 0x34, 0xb4, 0xa4, 0xcd, 0xbb, 0x29, 0xdc,
1691 0x68, 0x42, 0x0a, 0x9f, 0xe6, 0x67, 0x4c, 0x5a, 0x3a, 0x74,
1692 },
1693 32, "Google 'Xenon2024' log" },
1694 { (const uint8_t[]){
1695 0xcf, 0x11, 0x56, 0xee, 0xd5, 0x2e, 0x7c, 0xaf, 0xf3, 0x87, 0x5b,
1696 0xd9, 0x69, 0x2e, 0x9b, 0xe9, 0x1a, 0x71, 0x67, 0x4a, 0xb0, 0x17,
1697 0xec, 0xac, 0x01, 0xd2, 0x5b, 0x77, 0xce, 0xcc, 0x3b, 0x08,
1698 },
1699 32, "Google 'Xenon2025h1' log" },
1700 { (const uint8_t[]){
1701 0xdd, 0xdc, 0xca, 0x34, 0x95, 0xd7, 0xe1, 0x16, 0x05, 0xe7, 0x95,
1702 0x32, 0xfa, 0xc7, 0x9f, 0xf8, 0x3d, 0x1c, 0x50, 0xdf, 0xdb, 0x00,
1703 0x3a, 0x14, 0x12, 0x76, 0x0a, 0x2c, 0xac, 0xbb, 0xc8, 0x2a,
1704 },
1705 32, "Google 'Xenon2025h2' log" },
1706 { (const uint8_t[]){
1707 0x96, 0x97, 0x64, 0xbf, 0x55, 0x58, 0x97, 0xad, 0xf7, 0x43, 0x87,
1708 0x68, 0x37, 0x08, 0x42, 0x77, 0xe9, 0xf0, 0x3a, 0xd5, 0xf6, 0xa4,
1709 0xf3, 0x36, 0x6e, 0x46, 0xa4, 0x3f, 0x0f, 0xca, 0xa9, 0xc6,
1710 },
1711 32, "Google 'Xenon2026h1' log" },
1712 { (const uint8_t[]){
1713 0xd8, 0x09, 0x55, 0x3b, 0x94, 0x4f, 0x7a, 0xff, 0xc8, 0x16, 0x19,
1714 0x6f, 0x94, 0x4f, 0x85, 0xab, 0xb0, 0xf8, 0xfc, 0x5e, 0x87, 0x55,
1715 0x26, 0x0f, 0x15, 0xd1, 0x2e, 0x72, 0xbb, 0x45, 0x4b, 0x14,
1716 },
1717 32, "Google 'Xenon2026h2' log" },
1718 { (const uint8_t[]){
1719 0x44, 0xc2, 0xbd, 0x0c, 0xe9, 0x14, 0x0e, 0x64, 0xa5, 0xc9, 0x4a,
1720 0x01, 0x93, 0x0a, 0x5a, 0xa1, 0xbb, 0x35, 0x97, 0x0e, 0x00, 0xee,
1721 0x11, 0x16, 0x89, 0x68, 0x2a, 0x1c, 0x44, 0xd7, 0xb5, 0x66,
1722 },
1723 32, "Google 'Xenon2027h1'" },
1724 { (const uint8_t[]){
1725 0x68, 0xf6, 0x98, 0xf8, 0x1f, 0x64, 0x82, 0xbe, 0x3a, 0x8c, 0xee,
1726 0xb9, 0x28, 0x1d, 0x4c, 0xfc, 0x71, 0x51, 0x5d, 0x67, 0x93, 0xd4,
1727 0x44, 0xd1, 0x0a, 0x67, 0xac, 0xbb, 0x4f, 0x4f, 0xfb, 0xc4,
1728 },
1729 32, "Google 'Aviator' log" },
1730 { (const uint8_t[]){
1731 0x29, 0x3c, 0x51, 0x96, 0x54, 0xc8, 0x39, 0x65, 0xba, 0xaa, 0x50,
1732 0xfc, 0x58, 0x07, 0xd4, 0xb7, 0x6f, 0xbf, 0x58, 0x7a, 0x29, 0x72,
1733 0xdc, 0xa4, 0xc3, 0x0c, 0xf4, 0xe5, 0x45, 0x47, 0xf4, 0x78,
1734 },
1735 32, "Google 'Icarus' log" },
1736 { (const uint8_t[]){
1737 0xa4, 0xb9, 0x09, 0x90, 0xb4, 0x18, 0x58, 0x14, 0x87, 0xbb, 0x13,
1738 0xa2, 0xcc, 0x67, 0x70, 0x0a, 0x3c, 0x35, 0x98, 0x04, 0xf9, 0x1b,
1739 0xdf, 0xb8, 0xe3, 0x77, 0xcd, 0x0e, 0xc8, 0x0d, 0xdc, 0x10,
1740 },
1741 32, "Google 'Pilot' log" },
1742 { (const uint8_t[]){
1743 0xee, 0x4b, 0xbd, 0xb7, 0x75, 0xce, 0x60, 0xba, 0xe1, 0x42, 0x69,
1744 0x1f, 0xab, 0xe1, 0x9e, 0x66, 0xa3, 0x0f, 0x7e, 0x5f, 0xb0, 0x72,
1745 0xd8, 0x83, 0x00, 0xc4, 0x7b, 0x89, 0x7a, 0xa8, 0xfd, 0xcb,
1746 },
1747 32, "Google 'Rocketeer' log" },
1748 { (const uint8_t[]){
1749 0xbb, 0xd9, 0xdf, 0xbc, 0x1f, 0x8a, 0x71, 0xb5, 0x93, 0x94, 0x23,
1750 0x97, 0xaa, 0x92, 0x7b, 0x47, 0x38, 0x57, 0x95, 0x0a, 0xab, 0x52,
1751 0xe8, 0x1a, 0x90, 0x96, 0x64, 0x36, 0x8e, 0x1e, 0xd1, 0x85,
1752 },
1753 32, "Google 'Skydiver' log" },
1754 { (const uint8_t[]){
1755 0xfa, 0xd4, 0xc9, 0x7c, 0xc4, 0x9e, 0xe2, 0xf8, 0xac, 0x85, 0xc5,
1756 0xea, 0x5c, 0xea, 0x09, 0xd0, 0x22, 0x0d, 0xbb, 0xf4, 0xe4, 0x9c,
1757 0x6b, 0x50, 0x66, 0x2f, 0xf8, 0x68, 0xf8, 0x6b, 0x8c, 0x28,
1758 },
1759 32, "Google 'Argon2017' log" },
1760 { (const uint8_t[]){
1761 0xa4, 0x50, 0x12, 0x69, 0x05, 0x5a, 0x15, 0x54, 0x5e, 0x62, 0x11,
1762 0xab, 0x37, 0xbc, 0x10, 0x3f, 0x62, 0xae, 0x55, 0x76, 0xa4, 0x5e,
1763 0x4b, 0x17, 0x14, 0x45, 0x3e, 0x1b, 0x22, 0x10, 0x6a, 0x25,
1764 },
1765 32, "Google 'Argon2018' log" },
1766 { (const uint8_t[]){
1767 0x63, 0xf2, 0xdb, 0xcd, 0xe8, 0x3b, 0xcc, 0x2c, 0xcf, 0x0b, 0x72,
1768 0x84, 0x27, 0x57, 0x6b, 0x33, 0xa4, 0x8d, 0x61, 0x77, 0x8f, 0xbd,
1769 0x75, 0xa6, 0x38, 0xb1, 0xc7, 0x68, 0x54, 0x4b, 0xd8, 0x8d,
1770 },
1771 32, "Google 'Argon2019' log" },
1772 { (const uint8_t[]){
1773 0xb1, 0x0c, 0xd5, 0x59, 0xa6, 0xd6, 0x78, 0x46, 0x81, 0x1f, 0x7d,
1774 0xf9, 0xa5, 0x15, 0x32, 0x73, 0x9a, 0xc4, 0x8d, 0x70, 0x3b, 0xea,
1775 0x03, 0x23, 0xda, 0x5d, 0x38, 0x75, 0x5b, 0xc0, 0xad, 0x4e,
1776 },
1777 32, "Google 'Xenon2018' log" },
1778 { (const uint8_t[]){
1779 0x08, 0x41, 0x14, 0x98, 0x00, 0x71, 0x53, 0x2c, 0x16, 0x19, 0x04,
1780 0x60, 0xbc, 0xfc, 0x47, 0xfd, 0xc2, 0x65, 0x3a, 0xfa, 0x29, 0x2c,
1781 0x72, 0xb3, 0x7f, 0xf8, 0x63, 0xae, 0x29, 0xcc, 0xc9, 0xf0,
1782 },
1783 32, "Google 'Xenon2019' log" },
1784 { (const uint8_t[]){
1785 0xa8, 0x99, 0xd8, 0x78, 0x0c, 0x92, 0x90, 0xaa, 0xf4, 0x62, 0xf3,
1786 0x18, 0x80, 0xcc, 0xfb, 0xd5, 0x24, 0x51, 0xe9, 0x70, 0xd0, 0xfb,
1787 0xf5, 0x91, 0xef, 0x75, 0xb0, 0xd9, 0x9b, 0x64, 0x56, 0x81,
1788 },
1789 32, "Google 'Submariner' log" },
1790 { (const uint8_t[]){
1791 0x1d, 0x02, 0x4b, 0x8e, 0xb1, 0x49, 0x8b, 0x34, 0x4d, 0xfd, 0x87,
1792 0xea, 0x3e, 0xfc, 0x09, 0x96, 0xf7, 0x50, 0x6f, 0x23, 0x5d, 0x1d,
1793 0x49, 0x70, 0x61, 0xa4, 0x77, 0x3c, 0x43, 0x9c, 0x25, 0xfb,
1794 },
1795 32, "Google 'Daedalus' log" },
1796 { (const uint8_t[]){
1797 0xb0, 0xcc, 0x83, 0xe5, 0xa5, 0xf9, 0x7d, 0x6b, 0xaf, 0x7c, 0x09,
1798 0xcc, 0x28, 0x49, 0x04, 0x87, 0x2a, 0xc7, 0xe8, 0x8b, 0x13, 0x2c,
1799 0x63, 0x50, 0xb7, 0xc6, 0xfd, 0x26, 0xe1, 0x6c, 0x6c, 0x77,
1800 },
1801 32, "Google 'Testtube' log" },
1802 { (const uint8_t[]){
1803 0xc3, 0xbf, 0x03, 0xa7, 0xe1, 0xca, 0x88, 0x41, 0xc6, 0x07, 0xba,
1804 0xe3, 0xff, 0x42, 0x70, 0xfc, 0xa5, 0xec, 0x45, 0xb1, 0x86, 0xeb,
1805 0xbe, 0x4e, 0x2c, 0xf3, 0xfc, 0x77, 0x86, 0x30, 0xf5, 0xf6,
1806 },
1807 32, "Google 'Crucible' log" },
1808 { (const uint8_t[]){
1809 0x52, 0xeb, 0x4b, 0x22, 0x5e, 0xc8, 0x96, 0x97, 0x48, 0x50, 0x67,
1810 0x5f, 0x23, 0xe4, 0x3b, 0xc1, 0xd0, 0x21, 0xe3, 0x21, 0x4c, 0xe5,
1811 0x2e, 0xcd, 0x5f, 0xa8, 0x7c, 0x20, 0x3c, 0xdf, 0xca, 0x03,
1812 },
1813 32, "Google 'Solera2018' log" },
1814 { (const uint8_t[]){
1815 0x0b, 0x76, 0x0e, 0x9a, 0x8b, 0x9a, 0x68, 0x2f, 0x88, 0x98, 0x5b,
1816 0x15, 0xe9, 0x47, 0x50, 0x1a, 0x56, 0x44, 0x6b, 0xba, 0x88, 0x30,
1817 0x78, 0x5c, 0x38, 0x42, 0x99, 0x43, 0x86, 0x45, 0x0c, 0x00,
1818 },
1819 32, "Google 'Solera2019' log" },
1820 { (const uint8_t[]){
1821 0x1f, 0xc7, 0x2c, 0xe5, 0xa1, 0xb7, 0x99, 0xf4, 0x00, 0xc3, 0x59,
1822 0xbf, 0xf9, 0x6c, 0xa3, 0x91, 0x35, 0x48, 0xe8, 0x64, 0x42, 0x20,
1823 0x61, 0x09, 0x52, 0xe9, 0xba, 0x17, 0x74, 0xf7, 0xba, 0xc7,
1824 },
1825 32, "Google 'Solera2020' log" },
1826 { (const uint8_t[]){
1827 0xa3, 0xc9, 0x98, 0x45, 0xe8, 0x0a, 0xb7, 0xce, 0x00, 0x15, 0x7b,
1828 0x37, 0x42, 0xdf, 0x02, 0x07, 0xdd, 0x27, 0x2b, 0x2b, 0x60, 0x2e,
1829 0xcf, 0x98, 0xee, 0x2c, 0x12, 0xdb, 0x9c, 0x5a, 0xe7, 0xe7,
1830 },
1831 32, "Google 'Solera2021' log" },
1832 { (const uint8_t[]){
1833 0x69, 0x7a, 0xaf, 0xca, 0x1a, 0x6b, 0x53, 0x6f, 0xae, 0x21, 0x20,
1834 0x50, 0x46, 0xde, 0xba, 0xd7, 0xe0, 0xea, 0xea, 0x13, 0xd2, 0x43,
1835 0x2e, 0x6e, 0x9d, 0x8f, 0xb3, 0x79, 0xf2, 0xb9, 0xaa, 0xf3,
1836 },
1837 32, "Google 'Solera2022' log" },
1838 { (const uint8_t[]){
1839 0xf9, 0x7e, 0x97, 0xb8, 0xd3, 0x3e, 0xf7, 0xa1, 0x59, 0x02, 0xa5,
1840 0x3a, 0x19, 0xe1, 0x79, 0x90, 0xe5, 0xdc, 0x40, 0x6a, 0x03, 0x18,
1841 0x25, 0xba, 0xad, 0x93, 0xe9, 0x8f, 0x9b, 0x9c, 0x69, 0xcb,
1842 },
1843 32, "Google 'Solera2023' log" },
1844 { (const uint8_t[]){
1845 0x30, 0x24, 0xce, 0x7e, 0xeb, 0x16, 0x88, 0x62, 0x72, 0x4b, 0xea,
1846 0x70, 0x2e, 0xff, 0xf9, 0x92, 0xcf, 0xe4, 0x56, 0x43, 0x41, 0x91,
1847 0xaa, 0x59, 0x5b, 0x25, 0xf8, 0x02, 0x26, 0xc8, 0x00, 0x17,
1848 },
1849 32, "Google 'Solera2024' log" },
1850 { (const uint8_t[]){
1851 0x3f, 0xe1, 0xcb, 0x46, 0xed, 0x47, 0x35, 0x79, 0xaf, 0x01, 0x41,
1852 0xf9, 0x72, 0x4d, 0x9d, 0xc4, 0x43, 0x47, 0x2d, 0x75, 0x6e, 0x85,
1853 0xe7, 0x71, 0x9c, 0x55, 0x82, 0x48, 0x5d, 0xd4, 0xe1, 0xe4,
1854 },
1855 32, "Google 'Solera2025h1' log" },
1856 { (const uint8_t[]){
1857 0x26, 0x02, 0x39, 0x48, 0x87, 0x4c, 0xf7, 0xfc, 0xd0, 0xfb, 0x64,
1858 0x71, 0xa4, 0x3e, 0x84, 0x7e, 0xbb, 0x20, 0x0a, 0xe6, 0xe2, 0xfa,
1859 0x24, 0x23, 0x6d, 0xf6, 0xd1, 0xa6, 0x06, 0x63, 0x0f, 0xb1,
1860 },
1861 32, "Google 'Solera2025h2' log" },
1862 { (const uint8_t[]){
1863 0xc8, 0x4b, 0x90, 0x7a, 0x07, 0xbe, 0xaa, 0x29, 0xa6, 0x14, 0xc2,
1864 0x45, 0x84, 0xb7, 0xa3, 0xf6, 0x62, 0x43, 0x94, 0x68, 0x7b, 0x25,
1865 0xfe, 0x62, 0x83, 0x8b, 0x71, 0xec, 0x42, 0x2a, 0xd2, 0xf9,
1866 },
1867 32, "Google 'Solera2026h1' log" },
1868 { (const uint8_t[]){
1869 0x62, 0xe9, 0x00, 0x60, 0x04, 0xa3, 0x07, 0x95, 0x5a, 0x75, 0x44,
1870 0xb4, 0xd5, 0x84, 0xa9, 0x62, 0x68, 0xca, 0x1d, 0x6e, 0x45, 0x85,
1871 0xad, 0xf0, 0x91, 0x6d, 0xfe, 0x5f, 0xdc, 0x1f, 0x04, 0xdb,
1872 },
1873 32, "Google 'Solera2026h2' log" },
1874 { (const uint8_t[]){
1875 0x3d, 0xe4, 0x92, 0xa8, 0x98, 0x93, 0xad, 0x70, 0x5e, 0x78, 0x46,
1876 0xed, 0x21, 0xd4, 0x8d, 0xca, 0xfb, 0xad, 0x13, 0x9e, 0xa6, 0x4e,
1877 0xd1, 0xe3, 0x49, 0xf9, 0x00, 0xb0, 0xa2, 0xcd, 0xa5, 0xe2,
1878 },
1879 32, "Google 'Solera2027h1' log" },
1880 { (const uint8_t[]){
1881 0x5e, 0xa7, 0x73, 0xf9, 0xdf, 0x56, 0xc0, 0xe7, 0xb5, 0x36, 0x48,
1882 0x7d, 0xd0, 0x49, 0xe0, 0x32, 0x7a, 0x91, 0x9a, 0x0c, 0x84, 0xa1,
1883 0x12, 0x12, 0x84, 0x18, 0x75, 0x96, 0x81, 0x71, 0x45, 0x58,
1884 },
1885 32, "Cloudflare 'Nimbus2020' Log" },
1886 { (const uint8_t[]){
1887 0x44, 0x94, 0x65, 0x2e, 0xb0, 0xee, 0xce, 0xaf, 0xc4, 0x40, 0x07,
1888 0xd8, 0xa8, 0xfe, 0x28, 0xc0, 0xda, 0xe6, 0x82, 0xbe, 0xd8, 0xcb,
1889 0x31, 0xb5, 0x3f, 0xd3, 0x33, 0x96, 0xb5, 0xb6, 0x81, 0xa8,
1890 },
1891 32, "Cloudflare 'Nimbus2021' Log" },
1892 { (const uint8_t[]){
1893 0x41, 0xc8, 0xca, 0xb1, 0xdf, 0x22, 0x46, 0x4a, 0x10, 0xc6, 0xa1,
1894 0x3a, 0x09, 0x42, 0x87, 0x5e, 0x4e, 0x31, 0x8b, 0x1b, 0x03, 0xeb,
1895 0xeb, 0x4b, 0xc7, 0x68, 0xf0, 0x90, 0x62, 0x96, 0x06, 0xf6,
1896 },
1897 32, "Cloudflare 'Nimbus2022' Log" },
1898 { (const uint8_t[]){
1899 0x7a, 0x32, 0x8c, 0x54, 0xd8, 0xb7, 0x2d, 0xb6, 0x20, 0xea, 0x38,
1900 0xe0, 0x52, 0x1e, 0xe9, 0x84, 0x16, 0x70, 0x32, 0x13, 0x85, 0x4d,
1901 0x3b, 0xd2, 0x2b, 0xc1, 0x3a, 0x57, 0xa3, 0x52, 0xeb, 0x52,
1902 },
1903 32, "Cloudflare 'Nimbus2023' Log" },
1904 { (const uint8_t[]){
1905 0xda, 0xb6, 0xbf, 0x6b, 0x3f, 0xb5, 0xb6, 0x22, 0x9f, 0x9b, 0xc2,
1906 0xbb, 0x5c, 0x6b, 0xe8, 0x70, 0x91, 0x71, 0x6c, 0xbb, 0x51, 0x84,
1907 0x85, 0x34, 0xbd, 0xa4, 0x3d, 0x30, 0x48, 0xd7, 0xfb, 0xab,
1908 },
1909 32, "Cloudflare 'Nimbus2024' Log" },
1910 { (const uint8_t[]){
1911 0xcc, 0xfb, 0x0f, 0x6a, 0x85, 0x71, 0x09, 0x65, 0xfe, 0x95, 0x9b,
1912 0x53, 0xce, 0xe9, 0xb2, 0x7c, 0x22, 0xe9, 0x85, 0x5c, 0x0d, 0x97,
1913 0x8d, 0xb6, 0xa9, 0x7e, 0x54, 0xc0, 0xfe, 0x4c, 0x0d, 0xb0,
1914 },
1915 32, "Cloudflare 'Nimbus2025'" },
1916 { (const uint8_t[]){
1917 0xcb, 0x38, 0xf7, 0x15, 0x89, 0x7c, 0x84, 0xa1, 0x44, 0x5f, 0x5b,
1918 0xc1, 0xdd, 0xfb, 0xc9, 0x6e, 0xf2, 0x9a, 0x59, 0xcd, 0x47, 0x0a,
1919 0x69, 0x05, 0x85, 0xb0, 0xcb, 0x14, 0xc3, 0x14, 0x58, 0xe7,
1920 },
1921 32, "Cloudflare 'Nimbus2026'" },
1922 { (const uint8_t[]){
1923 0x4c, 0x63, 0xdc, 0x98, 0xe5, 0x9c, 0x1d, 0xab, 0x88, 0xf6, 0x1e,
1924 0x8a, 0x3d, 0xde, 0xae, 0x8f, 0xab, 0x44, 0xa3, 0x37, 0x7b, 0x5f,
1925 0x9b, 0x94, 0xc3, 0xfb, 0xa1, 0x9c, 0xfc, 0xc1, 0xbe, 0x26,
1926 },
1927 32, "Cloudflare 'Nimbus2027'" },
1928 { (const uint8_t[]){
1929 0x1f, 0xbc, 0x36, 0xe0, 0x02, 0xed, 0xe9, 0x7f, 0x40, 0x19, 0x9e,
1930 0x86, 0xb3, 0x57, 0x3b, 0x8a, 0x42, 0x17, 0xd8, 0x01, 0x87, 0x74,
1931 0x6a, 0xd0, 0xda, 0x03, 0xa0, 0x60, 0x54, 0xd2, 0x0d, 0xf4,
1932 },
1933 32, "Cloudflare 'Nimbus2017' Log" },
1934 { (const uint8_t[]){
1935 0xdb, 0x74, 0xaf, 0xee, 0xcb, 0x29, 0xec, 0xb1, 0xfe, 0xca, 0x3e,
1936 0x71, 0x6d, 0x2c, 0xe5, 0xb9, 0xaa, 0xbb, 0x36, 0xf7, 0x84, 0x71,
1937 0x83, 0xc7, 0x5d, 0x9d, 0x4f, 0x37, 0xb6, 0x1f, 0xbf, 0x64,
1938 },
1939 32, "Cloudflare 'Nimbus2018' Log" },
1940 { (const uint8_t[]){
1941 0x74, 0x7e, 0xda, 0x83, 0x31, 0xad, 0x33, 0x10, 0x91, 0x21, 0x9c,
1942 0xce, 0x25, 0x4f, 0x42, 0x70, 0xc2, 0xbf, 0xfd, 0x5e, 0x42, 0x20,
1943 0x08, 0xc6, 0x37, 0x35, 0x79, 0xe6, 0x10, 0x7b, 0xcc, 0x56,
1944 },
1945 32, "Cloudflare 'Nimbus2019' Log" },
1946 { (const uint8_t[]){
1947 0x56, 0x14, 0x06, 0x9a, 0x2f, 0xd7, 0xc2, 0xec, 0xd3, 0xf5, 0xe1,
1948 0xbd, 0x44, 0xb2, 0x3e, 0xc7, 0x46, 0x76, 0xb9, 0xbc, 0x99, 0x11,
1949 0x5c, 0xc0, 0xef, 0x94, 0x98, 0x55, 0xd6, 0x89, 0xd0, 0xdd,
1950 },
1951 32, "DigiCert Log Server" },
1952 { (const uint8_t[]){
1953 0x87, 0x75, 0xbf, 0xe7, 0x59, 0x7c, 0xf8, 0x8c, 0x43, 0x99, 0x5f,
1954 0xbd, 0xf3, 0x6e, 0xff, 0x56, 0x8d, 0x47, 0x56, 0x36, 0xff, 0x4a,
1955 0xb5, 0x60, 0xc1, 0xb4, 0xea, 0xff, 0x5e, 0xa0, 0x83, 0x0f,
1956 },
1957 32, "DigiCert Log Server 2" },
1958 { (const uint8_t[]){
1959 0xf0, 0x95, 0xa4, 0x59, 0xf2, 0x00, 0xd1, 0x82, 0x40, 0x10, 0x2d,
1960 0x2f, 0x93, 0x88, 0x8e, 0xad, 0x4b, 0xfe, 0x1d, 0x47, 0xe3, 0x99,
1961 0xe1, 0xd0, 0x34, 0xa6, 0xb0, 0xa8, 0xaa, 0x8e, 0xb2, 0x73,
1962 },
1963 32, "DigiCert Yeti2020 Log" },
1964 { (const uint8_t[]){
1965 0x5c, 0xdc, 0x43, 0x92, 0xfe, 0xe6, 0xab, 0x45, 0x44, 0xb1, 0x5e,
1966 0x9a, 0xd4, 0x56, 0xe6, 0x10, 0x37, 0xfb, 0xd5, 0xfa, 0x47, 0xdc,
1967 0xa1, 0x73, 0x94, 0xb2, 0x5e, 0xe6, 0xf6, 0xc7, 0x0e, 0xca,
1968 },
1969 32, "DigiCert Yeti2021 Log" },
1970 { (const uint8_t[]){
1971 0x22, 0x45, 0x45, 0x07, 0x59, 0x55, 0x24, 0x56, 0x96, 0x3f, 0xa1,
1972 0x2f, 0xf1, 0xf7, 0x6d, 0x86, 0xe0, 0x23, 0x26, 0x63, 0xad, 0xc0,
1973 0x4b, 0x7f, 0x5d, 0xc6, 0x83, 0x5c, 0x6e, 0xe2, 0x0f, 0x02,
1974 },
1975 32, "DigiCert Yeti2022 Log" },
1976 { (const uint8_t[]){
1977 0x35, 0xcf, 0x19, 0x1b, 0xbf, 0xb1, 0x6c, 0x57, 0xbf, 0x0f, 0xad,
1978 0x4c, 0x6d, 0x42, 0xcb, 0xbb, 0xb6, 0x27, 0x20, 0x26, 0x51, 0xea,
1979 0x3f, 0xe1, 0x2a, 0xef, 0xa8, 0x03, 0xc3, 0x3b, 0xd6, 0x4c,
1980 },
1981 32, "DigiCert Yeti2023 Log" },
1982 { (const uint8_t[]){
1983 0x48, 0xb0, 0xe3, 0x6b, 0xda, 0xa6, 0x47, 0x34, 0x0f, 0xe5, 0x6a,
1984 0x02, 0xfa, 0x9d, 0x30, 0xeb, 0x1c, 0x52, 0x01, 0xcb, 0x56, 0xdd,
1985 0x2c, 0x81, 0xd9, 0xbb, 0xbf, 0xab, 0x39, 0xd8, 0x84, 0x73,
1986 },
1987 32, "DigiCert Yeti2024 Log" },
1988 { (const uint8_t[]){
1989 0x7d, 0x59, 0x1e, 0x12, 0xe1, 0x78, 0x2a, 0x7b, 0x1c, 0x61, 0x67,
1990 0x7c, 0x5e, 0xfd, 0xf8, 0xd0, 0x87, 0x5c, 0x14, 0xa0, 0x4e, 0x95,
1991 0x9e, 0xb9, 0x03, 0x2f, 0xd9, 0x0e, 0x8c, 0x2e, 0x79, 0xb8,
1992 },
1993 32, "DigiCert Yeti2025 Log" },
1994 { (const uint8_t[]){
1995 0xc6, 0x52, 0xa0, 0xec, 0x48, 0xce, 0xb3, 0xfc, 0xab, 0x17, 0x09,
1996 0x92, 0xc4, 0x3a, 0x87, 0x41, 0x33, 0x09, 0xe8, 0x00, 0x65, 0xa2,
1997 0x62, 0x52, 0x40, 0x1b, 0xa3, 0x36, 0x2a, 0x17, 0xc5, 0x65,
1998 },
1999 32, "DigiCert Nessie2020 Log" },
2000 { (const uint8_t[]){
2001 0xee, 0xc0, 0x95, 0xee, 0x8d, 0x72, 0x64, 0x0f, 0x92, 0xe3, 0xc3,
2002 0xb9, 0x1b, 0xc7, 0x12, 0xa3, 0x69, 0x6a, 0x09, 0x7b, 0x4b, 0x6a,
2003 0x1a, 0x14, 0x38, 0xe6, 0x47, 0xb2, 0xcb, 0xed, 0xc5, 0xf9,
2004 },
2005 32, "DigiCert Nessie2021 Log" },
2006 { (const uint8_t[]){
2007 0x51, 0xa3, 0xb0, 0xf5, 0xfd, 0x01, 0x79, 0x9c, 0x56, 0x6d, 0xb8,
2008 0x37, 0x78, 0x8f, 0x0c, 0xa4, 0x7a, 0xcc, 0x1b, 0x27, 0xcb, 0xf7,
2009 0x9e, 0x88, 0x42, 0x9a, 0x0d, 0xfe, 0xd4, 0x8b, 0x05, 0xe5,
2010 },
2011 32, "DigiCert Nessie2022 Log" },
2012 { (const uint8_t[]){
2013 0xb3, 0x73, 0x77, 0x07, 0xe1, 0x84, 0x50, 0xf8, 0x63, 0x86, 0xd6,
2014 0x05, 0xa9, 0xdc, 0x11, 0x09, 0x4a, 0x79, 0x2d, 0xb1, 0x67, 0x0c,
2015 0x0b, 0x87, 0xdc, 0xf0, 0x03, 0x0e, 0x79, 0x36, 0xa5, 0x9a,
2016 },
2017 32, "DigiCert Nessie2023 Log" },
2018 { (const uint8_t[]){
2019 0x73, 0xd9, 0x9e, 0x89, 0x1b, 0x4c, 0x96, 0x78, 0xa0, 0x20, 0x7d,
2020 0x47, 0x9d, 0xe6, 0xb2, 0xc6, 0x1c, 0xd0, 0x51, 0x5e, 0x71, 0x19,
2021 0x2a, 0x8c, 0x6b, 0x80, 0x10, 0x7a, 0xc1, 0x77, 0x72, 0xb5,
2022 },
2023 32, "DigiCert Nessie2024 Log" },
2024 { (const uint8_t[]){
2025 0xe6, 0xd2, 0x31, 0x63, 0x40, 0x77, 0x8c, 0xc1, 0x10, 0x41, 0x06,
2026 0xd7, 0x71, 0xb9, 0xce, 0xc1, 0xd2, 0x40, 0xf6, 0x96, 0x84, 0x86,
2027 0xfb, 0xba, 0x87, 0x32, 0x1d, 0xfd, 0x1e, 0x37, 0x8e, 0x50,
2028 },
2029 32, "DigiCert Nessie2025 Log" },
2030 { (const uint8_t[]){
2031 0xb6, 0x9d, 0xdc, 0xbc, 0x3c, 0x1a, 0xbd, 0xef, 0x6f, 0x9f, 0xd6,
2032 0x0c, 0x88, 0xb1, 0x06, 0x7b, 0x77, 0xf0, 0x82, 0x68, 0x8b, 0x2d,
2033 0x78, 0x65, 0xd0, 0x4b, 0x39, 0xab, 0xe9, 0x27, 0xa5, 0x75,
2034 },
2035 32, "DigiCert 'Wyvern2024h1' Log" },
2036 { (const uint8_t[]){
2037 0x0c, 0x2a, 0xef, 0x2c, 0x4a, 0x5b, 0x98, 0x83, 0xd4, 0xdd, 0xa3,
2038 0x82, 0xfe, 0x50, 0xfb, 0x51, 0x88, 0xb3, 0xe9, 0x73, 0x33, 0xa1,
2039 0xec, 0x53, 0xa0, 0x9d, 0xc9, 0xa7, 0x9d, 0x0d, 0x08, 0x20,
2040 },
2041 32, "DigiCert 'Wyvern2024h2' Log" },
2042 { (const uint8_t[]){
2043 0x73, 0x20, 0x22, 0x0f, 0x08, 0x16, 0x8a, 0xf9, 0xf3, 0xc4, 0xa6,
2044 0x8b, 0x0a, 0xb2, 0x6a, 0x9a, 0x4a, 0x00, 0xee, 0xf5, 0x77, 0x85,
2045 0x8a, 0x08, 0x4d, 0x05, 0x00, 0xd4, 0xa5, 0x42, 0x44, 0x59,
2046 },
2047 32, "DigiCert 'Wyvern2025h1' Log" },
2048 { (const uint8_t[]){
2049 0xed, 0x3c, 0x4b, 0xd6, 0xe8, 0x06, 0xc2, 0xa4, 0xa2, 0x00, 0x57,
2050 0xdb, 0xcb, 0x24, 0xe2, 0x38, 0x01, 0xdf, 0x51, 0x2f, 0xed, 0xc4,
2051 0x86, 0xc5, 0x70, 0x0f, 0x20, 0xdd, 0xb7, 0x3e, 0x3f, 0xe0,
2052 },
2053 32, "DigiCert 'Wyvern2025h2' Log" },
2054 { (const uint8_t[]){
2055 0x64, 0x11, 0xc4, 0x6c, 0xa4, 0x12, 0xec, 0xa7, 0x89, 0x1c, 0xa2,
2056 0x02, 0x2e, 0x00, 0xbc, 0xab, 0x4f, 0x28, 0x07, 0xd4, 0x1e, 0x35,
2057 0x27, 0xab, 0xea, 0xfe, 0xd5, 0x03, 0xc9, 0x7d, 0xcd, 0xf0,
2058 },
2059 32, "DigiCert 'Wyvern2026h1'" },
2060 { (const uint8_t[]){
2061 0xc2, 0x31, 0x7e, 0x57, 0x45, 0x19, 0xa3, 0x45, 0xee, 0x7f, 0x38,
2062 0xde, 0xb2, 0x90, 0x41, 0xeb, 0xc7, 0xc2, 0x21, 0x5a, 0x22, 0xbf,
2063 0x7f, 0xd5, 0xb5, 0xad, 0x76, 0x9a, 0xd9, 0x0e, 0x52, 0xcd,
2064 },
2065 32, "DigiCert 'Wyvern2026h2'" },
2066 { (const uint8_t[]){
2067 0x00, 0x1a, 0x5d, 0x1a, 0x1c, 0x2d, 0x93, 0x75, 0xb6, 0x48, 0x55,
2068 0x78, 0xf8, 0x2f, 0x71, 0xa1, 0xae, 0x6e, 0xef, 0x39, 0x7d, 0x29,
2069 0x7c, 0x8a, 0xe3, 0x15, 0x7b, 0xca, 0xde, 0xe1, 0xa0, 0x1e,
2070 },
2071 32, "DigiCert 'Wyvern2027h1'" },
2072 { (const uint8_t[]){
2073 0x37, 0xaa, 0x07, 0xcc, 0x21, 0x6f, 0x2e, 0x6d, 0x91, 0x9c, 0x70,
2074 0x9d, 0x24, 0xd8, 0xf7, 0x31, 0xb0, 0x0f, 0x2b, 0x14, 0x7c, 0x62,
2075 0x1c, 0xc0, 0x91, 0xa5, 0xfa, 0x1a, 0x84, 0xd8, 0x16, 0xdd,
2076 },
2077 32, "DigiCert 'Wyvern2027h2'" },
2078 { (const uint8_t[]){
2079 0xdb, 0x07, 0x6c, 0xde, 0x6a, 0x8b, 0x78, 0xec, 0x58, 0xd6, 0x05,
2080 0x64, 0x96, 0xeb, 0x6a, 0x26, 0xa8, 0xc5, 0x9e, 0x72, 0x12, 0x93,
2081 0xe8, 0xac, 0x03, 0x27, 0xdd, 0xde, 0x89, 0xdb, 0x5a, 0x2a,
2082 },
2083 32, "DigiCert 'Sphinx2024h1' Log" },
2084 { (const uint8_t[]){
2085 0xdc, 0xc9, 0x5e, 0x6f, 0xa2, 0x99, 0xb9, 0xb0, 0xfd, 0xbd, 0x6c,
2086 0xa6, 0xa3, 0x6e, 0x1d, 0x72, 0xc4, 0x21, 0x2f, 0xdd, 0x1e, 0x0f,
2087 0x47, 0x55, 0x3a, 0x36, 0xd6, 0xcf, 0x1a, 0xd1, 0x1d, 0x8d,
2088 },
2089 32, "DigiCert 'Sphinx2024h2' Log" },
2090 { (const uint8_t[]){
2091 0xde, 0x85, 0x81, 0xd7, 0x50, 0x24, 0x7c, 0x6b, 0xcd, 0xcb, 0xaf,
2092 0x56, 0x37, 0xc5, 0xe7, 0x81, 0xc6, 0x4c, 0xe4, 0x6e, 0xd6, 0x17,
2093 0x63, 0x9f, 0x8f, 0x34, 0xa7, 0x26, 0xc9, 0xe2, 0xbd, 0x37,
2094 },
2095 32, "DigiCert 'Sphinx2025h1' Log" },
2096 { (const uint8_t[]){
2097 0xa4, 0x42, 0xc5, 0x06, 0x49, 0x60, 0x61, 0x54, 0x8f, 0x0f, 0xd4,
2098 0xea, 0x9c, 0xfb, 0x7a, 0x2d, 0x26, 0x45, 0x4d, 0x87, 0xa9, 0x7f,
2099 0x2f, 0xdf, 0x45, 0x59, 0xf6, 0x27, 0x4f, 0x3a, 0x84, 0x54,
2100 },
2101 32, "DigiCert 'Sphinx2025h2' Log" },
2102 { (const uint8_t[]){
2103 0x49, 0x9c, 0x9b, 0x69, 0xde, 0x1d, 0x7c, 0xec, 0xfc, 0x36, 0xde,
2104 0xcd, 0x87, 0x64, 0xa6, 0xb8, 0x5b, 0xaf, 0x0a, 0x87, 0x80, 0x19,
2105 0xd1, 0x55, 0x52, 0xfb, 0xe9, 0xeb, 0x29, 0xdd, 0xf8, 0xc3,
2106 },
2107 32, "DigiCert 'Sphinx2026h1'" },
2108 { (const uint8_t[]){
2109 0x94, 0x4e, 0x43, 0x87, 0xfa, 0xec, 0xc1, 0xef, 0x81, 0xf3, 0x19,
2110 0x24, 0x26, 0xa8, 0x18, 0x65, 0x01, 0xc7, 0xd3, 0x5f, 0x38, 0x02,
2111 0x01, 0x3f, 0x72, 0x67, 0x7d, 0x55, 0x37, 0x2e, 0x19, 0xd8,
2112 },
2113 32, "DigiCert 'Sphinx2026h2'" },
2114 { (const uint8_t[]){
2115 0x46, 0xa2, 0x39, 0x67, 0xc6, 0x0d, 0xb6, 0x46, 0x87, 0xc6, 0x6f,
2116 0x3d, 0xf9, 0x99, 0x94, 0x76, 0x93, 0xa6, 0xa6, 0x11, 0x20, 0x84,
2117 0x57, 0xd5, 0x55, 0xe7, 0xe3, 0xd0, 0xa1, 0xd9, 0xb6, 0x46,
2118 },
2119 32, "DigiCert 'sphinx2027h1'" },
2120 { (const uint8_t[]){
2121 0x1f, 0xb0, 0xf8, 0xa9, 0x2d, 0x8a, 0xdd, 0xa1, 0x21, 0x77, 0x6c,
2122 0x05, 0xe2, 0xaa, 0x2e, 0x15, 0xba, 0xcb, 0xc6, 0x2b, 0x65, 0x39,
2123 0x36, 0x95, 0x57, 0x6a, 0xaa, 0xb5, 0x2e, 0x11, 0xd1, 0x1d,
2124 },
2125 32, "DigiCert 'sphinx2027h2'" },
2126 { (const uint8_t[]){
2127 0xdd, 0xeb, 0x1d, 0x2b, 0x7a, 0x0d, 0x4f, 0xa6, 0x20, 0x8b, 0x81,
2128 0xad, 0x81, 0x68, 0x70, 0x7e, 0x2e, 0x8e, 0x9d, 0x01, 0xd5, 0x5c,
2129 0x88, 0x8d, 0x3d, 0x11, 0xc4, 0xcd, 0xb6, 0xec, 0xbe, 0xcc,
2130 },
2131 32, "Symantec log" },
2132 { (const uint8_t[]){
2133 0xbc, 0x78, 0xe1, 0xdf, 0xc5, 0xf6, 0x3c, 0x68, 0x46, 0x49, 0x33,
2134 0x4d, 0xa1, 0x0f, 0xa1, 0x5f, 0x09, 0x79, 0x69, 0x20, 0x09, 0xc0,
2135 0x81, 0xb4, 0xf3, 0xf6, 0x91, 0x7f, 0x3e, 0xd9, 0xb8, 0xa5,
2136 },
2137 32, "Symantec 'Vega' log" },
2138 { (const uint8_t[]){
2139 0x15, 0x97, 0x04, 0x88, 0xd7, 0xb9, 0x97, 0xa0, 0x5b, 0xeb, 0x52,
2140 0x51, 0x2a, 0xde, 0xe8, 0xd2, 0xe8, 0xb4, 0xa3, 0x16, 0x52, 0x64,
2141 0x12, 0x1a, 0x9f, 0xab, 0xfb, 0xd5, 0xf8, 0x5a, 0xd9, 0x3f,
2142 },
2143 32, "Symantec 'Sirius' log" },
2144 { (const uint8_t[]){
2145 0x05, 0x9c, 0x01, 0xd3, 0x20, 0xe0, 0x07, 0x84, 0x13, 0x95, 0x80,
2146 0x49, 0x8d, 0x11, 0x7c, 0x90, 0x32, 0x66, 0xaf, 0xaf, 0x72, 0x50,
2147 0xb5, 0xaf, 0x3b, 0x46, 0xa4, 0x3e, 0x11, 0x84, 0x0d, 0x4a,
2148 },
2149 32, "DigiCert Yeti2022-2 Log" },
2150 { (const uint8_t[]){
2151 0xc1, 0x16, 0x4a, 0xe0, 0xa7, 0x72, 0xd2, 0xd4, 0x39, 0x2d, 0xc8,
2152 0x0a, 0xc1, 0x07, 0x70, 0xd4, 0xf0, 0xc4, 0x9b, 0xde, 0x99, 0x1a,
2153 0x48, 0x40, 0xc1, 0xfa, 0x07, 0x51, 0x64, 0xf6, 0x33, 0x60,
2154 },
2155 32, "DigiCert Yeti2018 Log" },
2156 { (const uint8_t[]){
2157 0xe2, 0x69, 0x4b, 0xae, 0x26, 0xe8, 0xe9, 0x40, 0x09, 0xe8, 0x86,
2158 0x1b, 0xb6, 0x3b, 0x83, 0xd4, 0x3e, 0xe7, 0xfe, 0x74, 0x88, 0xfb,
2159 0xa4, 0x8f, 0x28, 0x93, 0x01, 0x9d, 0xdd, 0xf1, 0xdb, 0xfe,
2160 },
2161 32, "DigiCert Yeti2019 Log" },
2162 { (const uint8_t[]){
2163 0x6f, 0xf1, 0x41, 0xb5, 0x64, 0x7e, 0x42, 0x22, 0xf7, 0xef, 0x05,
2164 0x2c, 0xef, 0xae, 0x7c, 0x21, 0xfd, 0x60, 0x8e, 0x27, 0xd2, 0xaf,
2165 0x5a, 0x6e, 0x9f, 0x4b, 0x8a, 0x37, 0xd6, 0x63, 0x3e, 0xe5,
2166 },
2167 32, "DigiCert Nessie2018 Log" },
2168 { (const uint8_t[]){
2169 0xfe, 0x44, 0x61, 0x08, 0xb1, 0xd0, 0x1a, 0xb7, 0x8a, 0x62, 0xcc,
2170 0xfe, 0xab, 0x6a, 0xb2, 0xb2, 0xba, 0xbf, 0xf3, 0xab, 0xda, 0xd8,
2171 0x0a, 0x4d, 0x8b, 0x30, 0xdf, 0x2d, 0x00, 0x08, 0x83, 0x0c,
2172 },
2173 32, "DigiCert Nessie2019 Log" },
2174 { (const uint8_t[]){
2175 0xa7, 0xce, 0x4a, 0x4e, 0x62, 0x07, 0xe0, 0xad, 0xde, 0xe5, 0xfd,
2176 0xaa, 0x4b, 0x1f, 0x86, 0x76, 0x87, 0x67, 0xb5, 0xd0, 0x02, 0xa5,
2177 0x5d, 0x47, 0x31, 0x0e, 0x7e, 0x67, 0x0a, 0x95, 0xea, 0xb2,
2178 },
2179 32, "Symantec Deneb" },
2180 { (const uint8_t[]){
2181 0xcd, 0xb5, 0x17, 0x9b, 0x7f, 0xc1, 0xc0, 0x46, 0xfe, 0xea, 0x31,
2182 0x13, 0x6a, 0x3f, 0x8f, 0x00, 0x2e, 0x61, 0x82, 0xfa, 0xf8, 0x89,
2183 0x6f, 0xec, 0xc8, 0xb2, 0xf5, 0xb5, 0xab, 0x60, 0x49, 0x00,
2184 },
2185 32, "Certly.IO log" },
2186 { (const uint8_t[]){
2187 0x74, 0x61, 0xb4, 0xa0, 0x9c, 0xfb, 0x3d, 0x41, 0xd7, 0x51, 0x59,
2188 0x57, 0x5b, 0x2e, 0x76, 0x49, 0xa4, 0x45, 0xa8, 0xd2, 0x77, 0x09,
2189 0xb0, 0xcc, 0x56, 0x4a, 0x64, 0x82, 0xb7, 0xeb, 0x41, 0xa3,
2190 },
2191 32, "Izenpe log" },
2192 { (const uint8_t[]){
2193 0x89, 0x41, 0x44, 0x9c, 0x70, 0x74, 0x2e, 0x06, 0xb9, 0xfc, 0x9c,
2194 0xe7, 0xb1, 0x16, 0xba, 0x00, 0x24, 0xaa, 0x36, 0xd5, 0x9a, 0xf4,
2195 0x4f, 0x02, 0x04, 0x40, 0x4f, 0x00, 0xf7, 0xea, 0x85, 0x66,
2196 },
2197 32, "Izenpe 'Argi' log" },
2198 { (const uint8_t[]){
2199 0x41, 0xb2, 0xdc, 0x2e, 0x89, 0xe6, 0x3c, 0xe4, 0xaf, 0x1b, 0xa7,
2200 0xbb, 0x29, 0xbf, 0x68, 0xc6, 0xde, 0xe6, 0xf9, 0xf1, 0xcc, 0x04,
2201 0x7e, 0x30, 0xdf, 0xfa, 0xe3, 0xb3, 0xba, 0x25, 0x92, 0x63,
2202 },
2203 32, "WoSign log" },
2204 { (const uint8_t[]){
2205 0x9e, 0x4f, 0xf7, 0x3d, 0xc3, 0xce, 0x22, 0x0b, 0x69, 0x21, 0x7c,
2206 0x89, 0x9e, 0x46, 0x80, 0x76, 0xab, 0xf8, 0xd7, 0x86, 0x36, 0xd5,
2207 0xcc, 0xfc, 0x85, 0xa3, 0x1a, 0x75, 0x62, 0x8b, 0xa8, 0x8b,
2208 },
2209 32, "WoSign CT log #1" },
2210 { (const uint8_t[]){
2211 0x63, 0xd0, 0x00, 0x60, 0x26, 0xdd, 0xe1, 0x0b, 0xb0, 0x60, 0x1f,
2212 0x45, 0x24, 0x46, 0x96, 0x5e, 0xe2, 0xb6, 0xea, 0x2c, 0xd4, 0xfb,
2213 0xc9, 0x5a, 0xc8, 0x66, 0xa5, 0x50, 0xaf, 0x90, 0x75, 0xb7,
2214 },
2215 32, "WoSign log 2" },
2216 { (const uint8_t[]){
2217 0xac, 0x3b, 0x9a, 0xed, 0x7f, 0xa9, 0x67, 0x47, 0x57, 0x15, 0x9e,
2218 0x6d, 0x7d, 0x57, 0x56, 0x72, 0xf9, 0xd9, 0x81, 0x00, 0x94, 0x1e,
2219 0x9b, 0xde, 0xff, 0xec, 0xa1, 0x31, 0x3b, 0x75, 0x78, 0x2d,
2220 },
2221 32, "Venafi log" },
2222 { (const uint8_t[]){
2223 0x03, 0x01, 0x9d, 0xf3, 0xfd, 0x85, 0xa6, 0x9a, 0x8e, 0xbd, 0x1f,
2224 0xac, 0xc6, 0xda, 0x9b, 0xa7, 0x3e, 0x46, 0x97, 0x74, 0xfe, 0x77,
2225 0xf5, 0x79, 0xfc, 0x5a, 0x08, 0xb8, 0x32, 0x8c, 0x1d, 0x6b,
2226 },
2227 32, "Venafi Gen2 CT log" },
2228 { (const uint8_t[]){
2229 0xa5, 0x77, 0xac, 0x9c, 0xed, 0x75, 0x48, 0xdd, 0x8f, 0x02, 0x5b,
2230 0x67, 0xa2, 0x41, 0x08, 0x9d, 0xf8, 0x6e, 0x0f, 0x47, 0x6e, 0xc2,
2231 0x03, 0xc2, 0xec, 0xbe, 0xdb, 0x18, 0x5f, 0x28, 0x26, 0x38,
2232 },
2233 32, "CNNIC CT log" },
2234 { (const uint8_t[]){
2235 0x34, 0xbb, 0x6a, 0xd6, 0xc3, 0xdf, 0x9c, 0x03, 0xee, 0xa8, 0xa4,
2236 0x99, 0xff, 0x78, 0x91, 0x48, 0x6c, 0x9d, 0x5e, 0x5c, 0xac, 0x92,
2237 0xd0, 0x1f, 0x7b, 0xfd, 0x1b, 0xce, 0x19, 0xdb, 0x48, 0xef,
2238 },
2239 32, "StartCom log" },
2240 { (const uint8_t[]){
2241 0x55, 0x81, 0xd4, 0xc2, 0x16, 0x90, 0x36, 0x01, 0x4a, 0xea, 0x0b,
2242 0x9b, 0x57, 0x3c, 0x53, 0xf0, 0xc0, 0xe4, 0x38, 0x78, 0x70, 0x25,
2243 0x08, 0x17, 0x2f, 0xa3, 0xaa, 0x1d, 0x07, 0x13, 0xd3, 0x0c,
2244 },
2245 32, "Sectigo 'Sabre' CT log" },
2246 { (const uint8_t[]){
2247 0xa2, 0xe2, 0xbf, 0xd6, 0x1e, 0xde, 0x2f, 0x2f, 0x07, 0xa0, 0xd6,
2248 0x4e, 0x6d, 0x37, 0xa7, 0xdc, 0x65, 0x43, 0xb0, 0xc6, 0xb5, 0x2e,
2249 0xa2, 0xda, 0xb7, 0x8a, 0xf8, 0x9a, 0x6d, 0xf5, 0x17, 0xd8,
2250 },
2251 32, "Sectigo 'Sabre2024h1'" },
2252 { (const uint8_t[]){
2253 0x19, 0x98, 0x10, 0x71, 0x09, 0xf0, 0xd6, 0x52, 0x2e, 0x30, 0x80,
2254 0xd2, 0x9e, 0x3f, 0x64, 0xbb, 0x83, 0x6e, 0x28, 0xcc, 0xf9, 0x0f,
2255 0x52, 0x8e, 0xee, 0xdf, 0xce, 0x4a, 0x3f, 0x16, 0xb4, 0xca,
2256 },
2257 32, "Sectigo 'Sabre2024h2'" },
2258 { (const uint8_t[]){
2259 0xe0, 0x92, 0xb3, 0xfc, 0x0c, 0x1d, 0xc8, 0xe7, 0x68, 0x36, 0x1f,
2260 0xde, 0x61, 0xb9, 0x96, 0x4d, 0x0a, 0x52, 0x78, 0x19, 0x8a, 0x72,
2261 0xd6, 0x72, 0xc4, 0xb0, 0x4d, 0xa5, 0x6d, 0x6f, 0x54, 0x04,
2262 },
2263 32, "Sectigo 'Sabre2025h1'" },
2264 { (const uint8_t[]){
2265 0x1a, 0x04, 0xff, 0x49, 0xd0, 0x54, 0x1d, 0x40, 0xaf, 0xf6, 0xa0,
2266 0xc3, 0xbf, 0xf1, 0xd8, 0xc4, 0x67, 0x2f, 0x4e, 0xec, 0xee, 0x23,
2267 0x40, 0x68, 0x98, 0x6b, 0x17, 0x40, 0x2e, 0xdc, 0x89, 0x7d,
2268 },
2269 32, "Sectigo 'Sabre2025h2'" },
2270 { (const uint8_t[]){
2271 0x6f, 0x53, 0x76, 0xac, 0x31, 0xf0, 0x31, 0x19, 0xd8, 0x99, 0x00,
2272 0xa4, 0x51, 0x15, 0xff, 0x77, 0x15, 0x1c, 0x11, 0xd9, 0x02, 0xc1,
2273 0x00, 0x29, 0x06, 0x8d, 0xb2, 0x08, 0x9a, 0x37, 0xd9, 0x13,
2274 },
2275 32, "Sectigo 'Mammoth' CT log" },
2276 { (const uint8_t[]){
2277 0x29, 0xd0, 0x3a, 0x1b, 0xb6, 0x74, 0xaa, 0x71, 0x1c, 0xd3, 0x03,
2278 0x5b, 0x65, 0x57, 0xc1, 0x4f, 0x8a, 0xa7, 0x8b, 0x4f, 0xe8, 0x38,
2279 0x94, 0x49, 0xec, 0xa4, 0x53, 0xf9, 0x44, 0xbd, 0x24, 0x68,
2280 },
2281 32, "Sectigo 'Mammoth2024h1'" },
2282 { (const uint8_t[]){
2283 0x50, 0x85, 0x01, 0x58, 0xdc, 0xb6, 0x05, 0x95, 0xc0, 0x0e, 0x92,
2284 0xa8, 0x11, 0x02, 0xec, 0xcd, 0xfe, 0x3f, 0x6b, 0x78, 0x58, 0x42,
2285 0x9f, 0x57, 0x98, 0x35, 0x38, 0xc9, 0xda, 0x52, 0x50, 0x63,
2286 },
2287 32, "Sectigo 'Mammoth2024h1b'" },
2288 { (const uint8_t[]){
2289 0xdf, 0xe1, 0x56, 0xeb, 0xaa, 0x05, 0xaf, 0xb5, 0x9c, 0x0f, 0x86,
2290 0x71, 0x8d, 0xa8, 0xc0, 0x32, 0x4e, 0xae, 0x56, 0xd9, 0x6e, 0xa7,
2291 0xf5, 0xa5, 0x6a, 0x01, 0xd1, 0xc1, 0x3b, 0xbe, 0x52, 0x5c,
2292 },
2293 32, "Sectigo 'Mammoth2024h2'" },
2294 { (const uint8_t[]){
2295 0x13, 0x4a, 0xdf, 0x1a, 0xb5, 0x98, 0x42, 0x09, 0x78, 0x0c, 0x6f,
2296 0xef, 0x4c, 0x7a, 0x91, 0xa4, 0x16, 0xb7, 0x23, 0x49, 0xce, 0x58,
2297 0x57, 0x6a, 0xdf, 0xae, 0xda, 0xa7, 0xc2, 0xab, 0xe0, 0x22,
2298 },
2299 32, "Sectigo 'Mammoth2025h1'" },
2300 { (const uint8_t[]){
2301 0xaf, 0x18, 0x1a, 0x28, 0xd6, 0x8c, 0xa3, 0xe0, 0xa9, 0x8a, 0x4c,
2302 0x9c, 0x67, 0xab, 0x09, 0xf8, 0xbb, 0xbc, 0x22, 0xba, 0xae, 0xbc,
2303 0xb1, 0x38, 0xa3, 0xa1, 0x9d, 0xd3, 0xf9, 0xb6, 0x03, 0x0d,
2304 },
2305 32, "Sectigo 'Mammoth2025h2'" },
2306 { (const uint8_t[]){
2307 0x25, 0x2f, 0x94, 0xc2, 0x2b, 0x29, 0xe9, 0x6e, 0x9f, 0x41, 0x1a,
2308 0x72, 0x07, 0x2b, 0x69, 0x5c, 0x5b, 0x52, 0xff, 0x97, 0xa9, 0x0d,
2309 0x25, 0x40, 0xbb, 0xfc, 0xdc, 0x51, 0xec, 0x4d, 0xee, 0x0b,
2310 },
2311 32, "Sectigo 'Mammoth2026h1'" },
2312 { (const uint8_t[]){
2313 0x94, 0xb1, 0xc1, 0x8a, 0xb0, 0xd0, 0x57, 0xc4, 0x7b, 0xe0, 0xac,
2314 0x04, 0x0e, 0x1f, 0x2c, 0xbc, 0x8d, 0xc3, 0x75, 0x72, 0x7b, 0xc9,
2315 0x51, 0xf2, 0x0a, 0x52, 0x61, 0x26, 0x86, 0x3b, 0xa7, 0x3c,
2316 },
2317 32, "Sectigo 'Mammoth2026h2'" },
2318 { (const uint8_t[]){
2319 0x56, 0x6c, 0xd5, 0xa3, 0x76, 0xbe, 0x83, 0xdf, 0xe3, 0x42, 0xb6,
2320 0x75, 0xc4, 0x9c, 0x23, 0x24, 0x98, 0xa7, 0x69, 0xba, 0xc3, 0x82,
2321 0xcb, 0xab, 0x49, 0xa3, 0x87, 0x7d, 0x9a, 0xb3, 0x2d, 0x01,
2322 },
2323 32, "Sectigo 'Sabre2026h1'" },
2324 { (const uint8_t[]){
2325 0x1f, 0x56, 0xd1, 0xab, 0x94, 0x70, 0x4a, 0x41, 0xdd, 0x3f, 0xea,
2326 0xfd, 0xf4, 0x69, 0x93, 0x55, 0x30, 0x2c, 0x14, 0x31, 0xbf, 0xe6,
2327 0x13, 0x46, 0x08, 0x9f, 0xff, 0xae, 0x79, 0x5d, 0xcc, 0x2f,
2328 },
2329 32, "Sectigo 'Sabre2026h2'" },
2330 { (const uint8_t[]){
2331 0x0d, 0x1d, 0xbc, 0x89, 0x44, 0xe9, 0xf5, 0x00, 0x55, 0x42, 0xd7,
2332 0x2d, 0x3e, 0x14, 0x4c, 0xcc, 0x43, 0x08, 0x2a, 0xb6, 0xea, 0x1e,
2333 0x94, 0xdf, 0xd7, 0x06, 0x65, 0x7d, 0x2e, 0x86, 0xf3, 0x01,
2334 },
2335 32, "Sectigo 'Elephant2025h2'" },
2336 { (const uint8_t[]){
2337 0xd1, 0x6e, 0xa9, 0xa5, 0x68, 0x07, 0x7e, 0x66, 0x35, 0xa0, 0x3f,
2338 0x37, 0xa5, 0xdd, 0xbc, 0x03, 0xa5, 0x3c, 0x41, 0x12, 0x14, 0xd4,
2339 0x88, 0x18, 0xf5, 0xe9, 0x31, 0xb3, 0x23, 0xcb, 0x95, 0x04,
2340 },
2341 32, "Sectigo 'Elephant2026h1'" },
2342 { (const uint8_t[]){
2343 0xaf, 0x67, 0x88, 0x3b, 0x57, 0xb0, 0x4e, 0xdd, 0x8f, 0xa6, 0xd9,
2344 0x7e, 0xf6, 0x2e, 0xa8, 0xeb, 0x81, 0x0a, 0xc7, 0x71, 0x60, 0xf0,
2345 0x24, 0x5e, 0x55, 0xd6, 0x0c, 0x2f, 0xe7, 0x85, 0x87, 0x3a,
2346 },
2347 32, "Sectigo 'Elephant2026h2'" },
2348 { (const uint8_t[]){
2349 0x60, 0x4c, 0x9a, 0xaf, 0x7a, 0x7f, 0x77, 0x5f, 0x01, 0xd4, 0x06,
2350 0xfc, 0x92, 0x0d, 0xc8, 0x99, 0xeb, 0x0b, 0x1c, 0x7d, 0xf8, 0xc9,
2351 0x52, 0x1b, 0xfa, 0xfa, 0x17, 0x77, 0x3b, 0x97, 0x8b, 0xc9,
2352 },
2353 32, "Sectigo 'Elephant2027h1'" },
2354 { (const uint8_t[]){
2355 0xa2, 0x49, 0x0c, 0xdc, 0xdb, 0x8e, 0x33, 0xa4, 0x00, 0x32, 0x17,
2356 0x60, 0xd6, 0xd4, 0xd5, 0x1a, 0x20, 0x36, 0x19, 0x1e, 0xa7, 0x7d,
2357 0x96, 0x8b, 0xe2, 0x6a, 0x8a, 0x00, 0xf6, 0xff, 0xff, 0xf7,
2358 },
2359 32, "Sectigo 'Elephant2027h2'" },
2360 { (const uint8_t[]){
2361 0x5c, 0xa5, 0x77, 0xd2, 0x9b, 0x7f, 0x8b, 0xaf, 0x41, 0x9e, 0xd8,
2362 0xec, 0xab, 0xfb, 0x6d, 0xcb, 0xae, 0xc3, 0x85, 0x37, 0x02, 0xd5,
2363 0x74, 0x6f, 0x17, 0x4d, 0xad, 0x3c, 0x93, 0x4a, 0xa9, 0x6a,
2364 },
2365 32, "Sectigo 'Tiger2025h2'" },
2366 { (const uint8_t[]){
2367 0x16, 0x83, 0x2d, 0xab, 0xf0, 0xa9, 0x25, 0x0f, 0x0f, 0xf0, 0x3a,
2368 0xa5, 0x45, 0xff, 0xc8, 0xbf, 0xc8, 0x23, 0xd0, 0x87, 0x4b, 0xf6,
2369 0x04, 0x29, 0x27, 0xf8, 0xe7, 0x1f, 0x33, 0x13, 0xf5, 0xfa,
2370 },
2371 32, "Sectigo 'Tiger2026h1'" },
2372 { (const uint8_t[]){
2373 0xc8, 0xa3, 0xc4, 0x7f, 0xc7, 0xb3, 0xad, 0xb9, 0x35, 0x6b, 0x01,
2374 0x3f, 0x6a, 0x7a, 0x12, 0x6d, 0xe3, 0x3a, 0x4e, 0x43, 0xa5, 0xc6,
2375 0x46, 0xf9, 0x97, 0xad, 0x39, 0x75, 0x99, 0x1d, 0xcf, 0x9a,
2376 },
2377 32, "Sectigo 'Tiger2026h2'" },
2378 { (const uint8_t[]){
2379 0x1c, 0x9f, 0x68, 0x2c, 0xe9, 0xfa, 0xf0, 0x45, 0x69, 0x50, 0xf8,
2380 0x1b, 0x96, 0x8a, 0x87, 0xdd, 0xdb, 0x32, 0x10, 0xd8, 0x4c, 0xe6,
2381 0xc8, 0xb2, 0xe3, 0x82, 0x52, 0x4a, 0xc4, 0xcf, 0x59, 0x9f,
2382 },
2383 32, "Sectigo 'Tiger2027h1'" },
2384 { (const uint8_t[]){
2385 0x03, 0x80, 0x2a, 0xc2, 0x62, 0xf6, 0xe0, 0x5e, 0x03, 0xf8, 0xbc,
2386 0x6f, 0x7b, 0x98, 0x51, 0x32, 0x4f, 0xd7, 0x6a, 0x3d, 0xf5, 0xb7,
2387 0x59, 0x51, 0x75, 0xe2, 0x22, 0xfb, 0x8e, 0x9b, 0xd5, 0xf6,
2388 },
2389 32, "Sectigo 'Tiger2027h2'" },
2390 { (const uint8_t[]){
2391 0xdb, 0x76, 0xfd, 0xad, 0xac, 0x65, 0xe7, 0xd0, 0x95, 0x08, 0x88,
2392 0x6e, 0x21, 0x59, 0xbd, 0x8b, 0x90, 0x35, 0x2f, 0x5f, 0xea, 0xd3,
2393 0xe3, 0xdc, 0x5e, 0x22, 0xeb, 0x35, 0x0a, 0xcc, 0x7b, 0x98,
2394 },
2395 32, "Sectigo 'Dodo' CT log" },
2396 { (const uint8_t[]){
2397 0xe7, 0x12, 0xf2, 0xb0, 0x37, 0x7e, 0x1a, 0x62, 0xfb, 0x8e, 0xc9,
2398 0x0c, 0x61, 0x84, 0xf1, 0xea, 0x7b, 0x37, 0xcb, 0x56, 0x1d, 0x11,
2399 0x26, 0x5b, 0xf3, 0xe0, 0xf3, 0x4b, 0xf2, 0x41, 0x54, 0x6e,
2400 },
2401 32, "Let's Encrypt 'Oak2020' log" },
2402 { (const uint8_t[]){
2403 0x94, 0x20, 0xbc, 0x1e, 0x8e, 0xd5, 0x8d, 0x6c, 0x88, 0x73, 0x1f,
2404 0x82, 0x8b, 0x22, 0x2c, 0x0d, 0xd1, 0xda, 0x4d, 0x5e, 0x6c, 0x4f,
2405 0x94, 0x3d, 0x61, 0xdb, 0x4e, 0x2f, 0x58, 0x4d, 0xa2, 0xc2,
2406 },
2407 32, "Let's Encrypt 'Oak2021' log" },
2408 { (const uint8_t[]){
2409 0xdf, 0xa5, 0x5e, 0xab, 0x68, 0x82, 0x4f, 0x1f, 0x6c, 0xad, 0xee,
2410 0xb8, 0x5f, 0x4e, 0x3e, 0x5a, 0xea, 0xcd, 0xa2, 0x12, 0xa4, 0x6a,
2411 0x5e, 0x8e, 0x3b, 0x12, 0xc0, 0x20, 0x44, 0x5c, 0x2a, 0x73,
2412 },
2413 32, "Let's Encrypt 'Oak2022' log" },
2414 { (const uint8_t[]){
2415 0xb7, 0x3e, 0xfb, 0x24, 0xdf, 0x9c, 0x4d, 0xba, 0x75, 0xf2, 0x39,
2416 0xc5, 0xba, 0x58, 0xf4, 0x6c, 0x5d, 0xfc, 0x42, 0xcf, 0x7a, 0x9f,
2417 0x35, 0xc4, 0x9e, 0x1d, 0x09, 0x81, 0x25, 0xed, 0xb4, 0x99,
2418 },
2419 32, "Let's Encrypt 'Oak2023' log" },
2420 { (const uint8_t[]){
2421 0x3b, 0x53, 0x77, 0x75, 0x3e, 0x2d, 0xb9, 0x80, 0x4e, 0x8b, 0x30,
2422 0x5b, 0x06, 0xfe, 0x40, 0x3b, 0x67, 0xd8, 0x4f, 0xc3, 0xf4, 0xc7,
2423 0xbd, 0x00, 0x0d, 0x2d, 0x72, 0x6f, 0xe1, 0xfa, 0xd4, 0x17,
2424 },
2425 32, "Let's Encrypt 'Oak2024H1' log" },
2426 { (const uint8_t[]){
2427 0x3f, 0x17, 0x4b, 0x4f, 0xd7, 0x22, 0x47, 0x58, 0x94, 0x1d, 0x65,
2428 0x1c, 0x84, 0xbe, 0x0d, 0x12, 0xed, 0x90, 0x37, 0x7f, 0x1f, 0x85,
2429 0x6a, 0xeb, 0xc1, 0xbf, 0x28, 0x85, 0xec, 0xf8, 0x64, 0x6e,
2430 },
2431 32, "Let's Encrypt 'Oak2024H2' log" },
2432 { (const uint8_t[]){
2433 0xa2, 0xe3, 0x0a, 0xe4, 0x45, 0xef, 0xbd, 0xad, 0x9b, 0x7e, 0x38,
2434 0xed, 0x47, 0x67, 0x77, 0x53, 0xd7, 0x82, 0x5b, 0x84, 0x94, 0xd7,
2435 0x2b, 0x5e, 0x1b, 0x2c, 0xc4, 0xb9, 0x50, 0xa4, 0x47, 0xe7,
2436 },
2437 32, "Let's Encrypt 'Oak2025h1'" },
2438 { (const uint8_t[]){
2439 0x0d, 0xe1, 0xf2, 0x30, 0x2b, 0xd3, 0x0d, 0xc1, 0x40, 0x62, 0x12,
2440 0x09, 0xea, 0x55, 0x2e, 0xfc, 0x47, 0x74, 0x7c, 0xb1, 0xd7, 0xe9,
2441 0x30, 0xef, 0x0e, 0x42, 0x1e, 0xb4, 0x7e, 0x4e, 0xaa, 0x34,
2442 },
2443 32, "Let's Encrypt 'Oak2025h2'" },
2444 { (const uint8_t[]){
2445 0x19, 0x86, 0xd4, 0xc7, 0x28, 0xaa, 0x6f, 0xfe, 0xba, 0x03, 0x6f,
2446 0x78, 0x2a, 0x4d, 0x01, 0x91, 0xaa, 0xce, 0x2d, 0x72, 0x31, 0x0f,
2447 0xae, 0xce, 0x5d, 0x70, 0x41, 0x2d, 0x25, 0x4c, 0xc7, 0xd4,
2448 },
2449 32, "Let's Encrypt 'Oak2026h1'" },
2450 { (const uint8_t[]){
2451 0xac, 0xab, 0x30, 0x70, 0x6c, 0xeb, 0xec, 0x84, 0x31, 0xf4, 0x13,
2452 0xd2, 0xf4, 0x91, 0x5f, 0x11, 0x1e, 0x42, 0x24, 0x43, 0xb1, 0xf2,
2453 0xa6, 0x8c, 0x4f, 0x3c, 0x2b, 0x3b, 0xa7, 0x1e, 0x02, 0xc3,
2454 },
2455 32, "Let's Encrypt 'Oak2026h2'" },
2456 { (const uint8_t[]){
2457 0x65, 0x9b, 0x33, 0x50, 0xf4, 0x3b, 0x12, 0xcc, 0x5e, 0xa5, 0xab,
2458 0x4e, 0xc7, 0x65, 0xd3, 0xfd, 0xe6, 0xc8, 0x82, 0x43, 0x77, 0x77,
2459 0x78, 0xe7, 0x20, 0x03, 0xf9, 0xeb, 0x2b, 0x8c, 0x31, 0x29,
2460 },
2461 32, "Let's Encrypt 'Oak2019' log" },
2462 { (const uint8_t[]){
2463 0x84, 0x9f, 0x5f, 0x7f, 0x58, 0xd2, 0xbf, 0x7b, 0x54, 0xec, 0xbd,
2464 0x74, 0x61, 0x1c, 0xea, 0x45, 0xc4, 0x9c, 0x98, 0xf1, 0xd6, 0x48,
2465 0x1b, 0xc6, 0xf6, 0x9e, 0x8c, 0x17, 0x4f, 0x24, 0xf3, 0xcf,
2466 },
2467 32, "Let's Encrypt 'Testflume2019' log" },
2468 { (const uint8_t[]){
2469 0x23, 0x2d, 0x41, 0xa4, 0xcd, 0xac, 0x87, 0xce, 0xd9, 0xf9, 0x43,
2470 0xf4, 0x68, 0xc2, 0x82, 0x09, 0x5a, 0xe0, 0x9d, 0x30, 0xd6, 0x2e,
2471 0x2f, 0xa6, 0x5d, 0xdc, 0x3b, 0x91, 0x9c, 0x2e, 0x46, 0x8f,
2472 },
2473 32, "Let's Encrypt 'Sapling 2022h2' log" },
2474 { (const uint8_t[]){
2475 0xc1, 0x83, 0x24, 0x0b, 0xf1, 0xa4, 0x50, 0xc7, 0x6f, 0xbb, 0x00,
2476 0x72, 0x69, 0xdc, 0xac, 0x3b, 0xe2, 0x2a, 0x48, 0x05, 0xd4, 0xdb,
2477 0xe0, 0x49, 0x66, 0xc3, 0xc8, 0xab, 0xc4, 0x47, 0xb0, 0x0c,
2478 },
2479 32, "Let's Encrypt 'Sapling 2023h1' log" },
2480 { (const uint8_t[]){
2481 0xc6, 0x3f, 0x22, 0x18, 0xc3, 0x7d, 0x56, 0xa6, 0xaa, 0x06, 0xb5,
2482 0x96, 0xda, 0x8e, 0x53, 0xd4, 0xd7, 0x15, 0x6d, 0x1e, 0x9b, 0xac,
2483 0x8e, 0x44, 0xd2, 0x20, 0x2d, 0xe6, 0x4d, 0x69, 0xd9, 0xdc,
2484 },
2485 32, "Let's Encrypt 'Testflume2020' log" },
2486 { (const uint8_t[]){
2487 0x03, 0xed, 0xf1, 0xda, 0x97, 0x76, 0xb6, 0xf3, 0x8c, 0x34, 0x1e,
2488 0x39, 0xed, 0x9d, 0x70, 0x7a, 0x75, 0x70, 0x36, 0x9c, 0xf9, 0x84,
2489 0x4f, 0x32, 0x7f, 0xe9, 0xe1, 0x41, 0x38, 0x36, 0x1b, 0x60,
2490 },
2491 32, "Let's Encrypt 'Testflume2021' log" },
2492 { (const uint8_t[]){
2493 0x23, 0x27, 0xef, 0xda, 0x35, 0x25, 0x10, 0xdb, 0xc0, 0x19, 0xef,
2494 0x49, 0x1a, 0xe3, 0xff, 0x1c, 0xc5, 0xa4, 0x79, 0xbc, 0xe3, 0x78,
2495 0x78, 0x36, 0x0e, 0xe3, 0x18, 0xcf, 0xfb, 0x64, 0xf8, 0xc8,
2496 },
2497 32, "Let's Encrypt 'Testflume2022' log" },
2498 { (const uint8_t[]){
2499 0x55, 0x34, 0xb7, 0xab, 0x5a, 0x6a, 0xc3, 0xa7, 0xcb, 0xeb, 0xa6,
2500 0x54, 0x87, 0xb2, 0xa2, 0xd7, 0x1b, 0x48, 0xf6, 0x50, 0xfa, 0x17,
2501 0xc5, 0x19, 0x7c, 0x97, 0xa0, 0xcb, 0x20, 0x76, 0xf3, 0xc6,
2502 },
2503 32, "Let's Encrypt 'Testflume2023' log" },
2504 { (const uint8_t[]){
2505 0x29, 0x6a, 0xfa, 0x2d, 0x56, 0x8b, 0xca, 0x0d, 0x2e, 0xa8, 0x44,
2506 0x95, 0x6a, 0xe9, 0x72, 0x1f, 0xc3, 0x5f, 0xa3, 0x55, 0xec, 0xda,
2507 0x99, 0x69, 0x3a, 0xaf, 0xd4, 0x58, 0xa7, 0x1a, 0xef, 0xdd,
2508 },
2509 32, "Let's Encrypt 'Clicky' log" },
2510 { (const uint8_t[]){
2511 0xa5, 0x95, 0x94, 0x3b, 0x53, 0x70, 0xbe, 0xe9, 0x06, 0xe0, 0x05,
2512 0x0d, 0x1f, 0xb5, 0xbb, 0xc6, 0xa4, 0x0e, 0x65, 0xf2, 0x65, 0xae,
2513 0x85, 0x2c, 0x76, 0x36, 0x3f, 0xad, 0xb2, 0x33, 0x36, 0xed,
2514 },
2515 32, "Trust Asia Log2020" },
2516 { (const uint8_t[]){
2517 0xa8, 0xdc, 0x52, 0xf6, 0x3d, 0x6b, 0x24, 0x25, 0xe5, 0x31, 0xe3,
2518 0x7c, 0xf4, 0xe4, 0x4a, 0x71, 0x4f, 0x14, 0x2a, 0x20, 0x80, 0x3b,
2519 0x0d, 0x04, 0xd2, 0xe2, 0xee, 0x06, 0x64, 0x79, 0x4a, 0x23,
2520 },
2521 32, "Trust Asia CT2021" },
2522 { (const uint8_t[]){
2523 0x67, 0x8d, 0xb6, 0x5b, 0x3e, 0x74, 0x43, 0xb6, 0xf3, 0xa3, 0x70,
2524 0xd5, 0xe1, 0x3a, 0xb1, 0xb4, 0x3b, 0xe0, 0xa0, 0xd3, 0x51, 0xf7,
2525 0xca, 0x74, 0x22, 0x50, 0xc7, 0xc6, 0xfa, 0x51, 0xa8, 0x8a,
2526 },
2527 32, "Trust Asia Log2021" },
2528 { (const uint8_t[]){
2529 0xc3, 0x65, 0xf9, 0xb3, 0x65, 0x4f, 0x32, 0x83, 0xc7, 0x9d, 0xa9,
2530 0x8e, 0x93, 0xd7, 0x41, 0x8f, 0x5b, 0xab, 0x7b, 0xe3, 0x25, 0x2c,
2531 0x98, 0xe1, 0xd2, 0xf0, 0x4b, 0xb9, 0xeb, 0x42, 0x7d, 0x23,
2532 },
2533 32, "Trust Asia Log2022" },
2534 { (const uint8_t[]){
2535 0xe8, 0x7e, 0xa7, 0x66, 0x0b, 0xc2, 0x6c, 0xf6, 0x00, 0x2e, 0xf5,
2536 0x72, 0x5d, 0x3f, 0xe0, 0xe3, 0x31, 0xb9, 0x39, 0x3b, 0xb9, 0x2f,
2537 0xbf, 0x58, 0xeb, 0x3b, 0x90, 0x49, 0xda, 0xf5, 0x43, 0x5a,
2538 },
2539 32, "Trust Asia Log2023" },
2540 { (const uint8_t[]){
2541 0x30, 0x6d, 0x29, 0x57, 0x6a, 0xd2, 0x1a, 0x9d, 0x4a, 0xe1, 0x2a,
2542 0xca, 0xd8, 0xaa, 0x8a, 0x78, 0x3a, 0xa6, 0x5a, 0x32, 0x11, 0x60,
2543 0xac, 0xff, 0x5b, 0x0e, 0xee, 0x4c, 0xa3, 0x20, 0x1d, 0x05,
2544 },
2545 32, "Trust Asia Log2024" },
2546 { (const uint8_t[]){
2547 0x87, 0x4f, 0xb5, 0x0d, 0xc0, 0x29, 0xd9, 0x93, 0x1d, 0xe5, 0x73,
2548 0xe9, 0xf2, 0x89, 0x9e, 0x8e, 0x45, 0x33, 0xb3, 0x92, 0xd3, 0x8b,
2549 0x0a, 0x46, 0x25, 0x74, 0xbf, 0x0f, 0xee, 0xb2, 0xfc, 0x1e,
2550 },
2551 32, "Trust Asia Log2024-2" },
2552 { (const uint8_t[]){
2553 0x28, 0xe2, 0x81, 0x38, 0xfd, 0x83, 0x21, 0x45, 0xe9, 0xa9, 0xd6,
2554 0xaa, 0x75, 0x37, 0x6d, 0x83, 0x77, 0xa8, 0x85, 0x12, 0xb3, 0xc0,
2555 0x7f, 0x72, 0x41, 0x48, 0x21, 0xdc, 0xbd, 0xe9, 0x8c, 0x66,
2556 },
2557 32, "TrustAsia Log2025a" },
2558 { (const uint8_t[]){
2559 0x28, 0x2c, 0x8b, 0xdd, 0x81, 0x0f, 0xf9, 0x09, 0x12, 0x0a, 0xce,
2560 0x16, 0xd6, 0xe0, 0xec, 0x20, 0x1b, 0xea, 0x82, 0xa3, 0xa4, 0xaf,
2561 0x19, 0xd9, 0xef, 0xfb, 0x59, 0xe8, 0x3f, 0xdc, 0x42, 0x68,
2562 },
2563 32, "TrustAsia Log2025b" },
2564 { (const uint8_t[]){
2565 0x74, 0xdb, 0x9d, 0x58, 0xf7, 0xd4, 0x7e, 0x9d, 0xfd, 0x78, 0x7a,
2566 0x16, 0x2a, 0x99, 0x1c, 0x18, 0xcf, 0x69, 0x8d, 0xa7, 0xc7, 0x29,
2567 0x91, 0x8c, 0x9a, 0x18, 0xb0, 0x45, 0x0d, 0xba, 0x44, 0xbc,
2568 },
2569 32, "TrustAsia 'log2026a'" },
2570 { (const uint8_t[]){
2571 0x25, 0xb7, 0xef, 0xde, 0xa1, 0x13, 0x01, 0x93, 0xed, 0x93, 0x07,
2572 0x97, 0x70, 0xaa, 0x32, 0x2a, 0x26, 0x62, 0x0d, 0xe3, 0x5a, 0xc8,
2573 0xaa, 0x7c, 0x75, 0x19, 0x7d, 0xe0, 0xb1, 0xa9, 0xe0, 0x65,
2574 },
2575 32, "TrustAsia 'log2026b'" },
2576 { (const uint8_t[]){
2577 0xed, 0xda, 0xeb, 0x81, 0x5c, 0x63, 0x21, 0x34, 0x49, 0xb4, 0x7b,
2578 0xe5, 0x07, 0x79, 0x05, 0xab, 0xd0, 0xd9, 0x31, 0x47, 0xc2, 0x7a,
2579 0xc5, 0x14, 0x6b, 0x3b, 0xc5, 0x8e, 0x43, 0xe9, 0xb6, 0xc7,
2580 },
2581 32, "TrustAsia 'HETU2027'" },
2582 { (const uint8_t[]){
2583 0x45, 0x35, 0x94, 0x98, 0xd9, 0x3a, 0x89, 0xe0, 0x28, 0x03, 0x08,
2584 0xd3, 0x7d, 0x62, 0x6d, 0xc4, 0x23, 0x75, 0x47, 0x58, 0xdc, 0xe0,
2585 0x37, 0x00, 0x36, 0xfb, 0xab, 0x0e, 0xdf, 0x8a, 0x6b, 0xcf,
2586 },
2587 32, "Trust Asia Log1" },
2588 { (const uint8_t[]){
2589 0xc9, 0xcf, 0x89, 0x0a, 0x21, 0x10, 0x9c, 0x66, 0x6c, 0xc1, 0x7a,
2590 0x3e, 0xd0, 0x65, 0xc9, 0x30, 0xd0, 0xe0, 0x13, 0x5a, 0x9f, 0xeb,
2591 0xa8, 0x5a, 0xf1, 0x42, 0x10, 0xb8, 0x07, 0x24, 0x21, 0xaa,
2592 },
2593 32, "GDCA CT log #1" },
2594 { (const uint8_t[]){
2595 0x92, 0x4a, 0x30, 0xf9, 0x09, 0x33, 0x6f, 0xf4, 0x35, 0xd6, 0x99,
2596 0x3a, 0x10, 0xac, 0x75, 0xa2, 0xc6, 0x41, 0x72, 0x8e, 0x7f, 0xc2,
2597 0xd6, 0x59, 0xae, 0x61, 0x88, 0xff, 0xad, 0x40, 0xce, 0x01,
2598 },
2599 32, "GDCA CT log #2" },
2600 { (const uint8_t[]){
2601 0x71, 0x7e, 0xa7, 0x42, 0x09, 0x75, 0xbe, 0x84, 0xa2, 0x72, 0x35,
2602 0x53, 0xf1, 0x77, 0x7c, 0x26, 0xdd, 0x51, 0xaf, 0x4e, 0x10, 0x21,
2603 0x44, 0x09, 0x4d, 0x90, 0x19, 0xb4, 0x62, 0xfb, 0x66, 0x68,
2604 },
2605 32, "GDCA Log 1" },
2606 { (const uint8_t[]){
2607 0x14, 0x30, 0x8d, 0x90, 0xcc, 0xd0, 0x30, 0x13, 0x50, 0x05, 0xc0,
2608 0x1c, 0xa5, 0x26, 0xd8, 0x1e, 0x84, 0xe8, 0x76, 0x24, 0xe3, 0x9b,
2609 0x62, 0x48, 0xe0, 0x8f, 0x72, 0x4a, 0xea, 0x3b, 0xb4, 0x2a,
2610 },
2611 32, "GDCA Log 2" },
2612 { (const uint8_t[]){
2613 0xe0, 0x12, 0x76, 0x29, 0xe9, 0x04, 0x96, 0x56, 0x4e, 0x3d, 0x01,
2614 0x47, 0x98, 0x44, 0x98, 0xaa, 0x48, 0xf8, 0xad, 0xb1, 0x66, 0x00,
2615 0xeb, 0x79, 0x02, 0xa1, 0xef, 0x99, 0x09, 0x90, 0x62, 0x73,
2616 },
2617 32, "PuChuangSiDa CT log" },
2618 { (const uint8_t[]){
2619 0x53, 0x7b, 0x69, 0xa3, 0x56, 0x43, 0x35, 0xa9, 0xc0, 0x49, 0x04,
2620 0xe3, 0x95, 0x93, 0xb2, 0xc2, 0x98, 0xeb, 0x8d, 0x7a, 0x6e, 0x83,
2621 0x02, 0x36, 0x35, 0xc6, 0x27, 0x24, 0x8c, 0xd6, 0xb4, 0x40,
2622 },
2623 32, "Nordu 'flimsy' log" },
2624 { (const uint8_t[]){
2625 0xaa, 0xe7, 0x0b, 0x7f, 0x3c, 0xb8, 0xd5, 0x66, 0xc8, 0x6c, 0x2f,
2626 0x16, 0x97, 0x9c, 0x9f, 0x44, 0x5f, 0x69, 0xab, 0x0e, 0xb4, 0x53,
2627 0x55, 0x89, 0xb2, 0xf7, 0x7a, 0x03, 0x01, 0x04, 0xf3, 0xcd,
2628 },
2629 32, "Nordu 'plausible' log" },
2630 { (const uint8_t[]){
2631 0xcf, 0x55, 0xe2, 0x89, 0x23, 0x49, 0x7c, 0x34, 0x0d, 0x52, 0x06,
2632 0xd0, 0x53, 0x53, 0xae, 0xb2, 0x58, 0x34, 0xb5, 0x2f, 0x1f, 0x8d,
2633 0xc9, 0x52, 0x68, 0x09, 0xf2, 0x12, 0xef, 0xdd, 0x7c, 0xa6,
2634 },
2635 32, "SHECA CT log 1" },
2636 { (const uint8_t[]){
2637 0x32, 0xdc, 0x59, 0xc2, 0xd4, 0xc4, 0x19, 0x68, 0xd5, 0x6e, 0x14,
2638 0xbc, 0x61, 0xac, 0x8f, 0x0e, 0x45, 0xdb, 0x39, 0xfa, 0xf3, 0xc1,
2639 0x55, 0xaa, 0x42, 0x52, 0xf5, 0x00, 0x1f, 0xa0, 0xc6, 0x23,
2640 },
2641 32, "SHECA CT log 2" },
2642 { (const uint8_t[]){
2643 0x96, 0x06, 0xc0, 0x2c, 0x69, 0x00, 0x33, 0xaa, 0x1d, 0x14, 0x5f,
2644 0x59, 0xc6, 0xe2, 0x64, 0x8d, 0x05, 0x49, 0xf0, 0xdf, 0x96, 0xaa,
2645 0xb8, 0xdb, 0x91, 0x5a, 0x70, 0xd8, 0xec, 0xf3, 0x90, 0xa5,
2646 },
2647 32, "Akamai CT Log" },
2648 { (const uint8_t[]){
2649 0x39, 0x37, 0x6f, 0x54, 0x5f, 0x7b, 0x46, 0x07, 0xf5, 0x97, 0x42,
2650 0xd7, 0x68, 0xcd, 0x5d, 0x24, 0x37, 0xbf, 0x34, 0x73, 0xb6, 0x53,
2651 0x4a, 0x48, 0x34, 0xbc, 0xf7, 0x2e, 0x68, 0x1c, 0x83, 0xc9,
2652 },
2653 32, "Alpha CT Log" },
2654 { (const uint8_t[]){
2655 0xb0, 0xb7, 0x84, 0xbc, 0x81, 0xc0, 0xdd, 0xc4, 0x75, 0x44, 0xe8,
2656 0x83, 0xf0, 0x59, 0x85, 0xbb, 0x90, 0x77, 0xd1, 0x34, 0xd8, 0xab,
2657 0x88, 0xb2, 0xb2, 0xe5, 0x33, 0x98, 0x0b, 0x8e, 0x50, 0x8b,
2658 },
2659 32, "Up In The Air 'Behind the Sofa' log" },
2660 { (const uint8_t[]){
2661 0x47, 0x44, 0x47, 0x7c, 0x75, 0xde, 0x42, 0x6d, 0x5c, 0x44, 0xef,
2662 0xd4, 0xa9, 0x2c, 0x96, 0x77, 0x59, 0x7f, 0x65, 0x7a, 0x8f, 0xe0,
2663 0xca, 0xdb, 0xc6, 0xd6, 0x16, 0xed, 0xa4, 0x97, 0xc4, 0x25,
2664 },
2665 32, "Qihoo 360 2020" },
2666 { (const uint8_t[]){
2667 0xc6, 0xd7, 0xed, 0x9e, 0xdb, 0x8e, 0x74, 0xf0, 0xa7, 0x1b, 0x4d,
2668 0x4a, 0x98, 0x4b, 0xcb, 0xeb, 0xab, 0xbd, 0x28, 0xcc, 0x1f, 0xd7,
2669 0x63, 0x29, 0xe8, 0x87, 0x26, 0xcd, 0x4c, 0x25, 0x46, 0x63,
2670 },
2671 32, "Qihoo 360 2021" },
2672 { (const uint8_t[]){
2673 0x66, 0x3c, 0xb0, 0x9c, 0x1f, 0xcd, 0x9b, 0xaa, 0x62, 0x76, 0x3c,
2674 0xcb, 0x53, 0x4e, 0xec, 0x80, 0x58, 0x12, 0x28, 0x05, 0x07, 0xac,
2675 0x69, 0xa4, 0x5f, 0xcd, 0x38, 0xcf, 0x4c, 0xc7, 0x4c, 0xf1,
2676 },
2677 32, "Qihoo 360 2022" },
2678 { (const uint8_t[]){
2679 0xe2, 0x64, 0x7f, 0x6e, 0xda, 0x34, 0x05, 0x03, 0xc6, 0x4d, 0x4e,
2680 0x10, 0xa8, 0x69, 0x68, 0x1f, 0xde, 0x9c, 0x5a, 0x2c, 0xf3, 0xb3,
2681 0x2d, 0x5f, 0x20, 0x0b, 0x96, 0x36, 0x05, 0x90, 0x88, 0x23,
2682 },
2683 32, "Qihoo 360 2023" },
2684 { (const uint8_t[]){
2685 0xc5, 0xcf, 0xe5, 0x4b, 0x61, 0x51, 0xb4, 0x9b, 0x14, 0x2e, 0xd2,
2686 0x63, 0xbd, 0xe7, 0x32, 0x93, 0x36, 0x37, 0x99, 0x79, 0x95, 0x50,
2687 0xae, 0x44, 0x35, 0xcd, 0x1a, 0x69, 0x97, 0xc9, 0xc3, 0xc3,
2688 },
2689 32, "Qihoo 360 v1 2020" },
2690 { (const uint8_t[]){
2691 0x48, 0x14, 0x58, 0x7c, 0xf2, 0x8b, 0x08, 0xfe, 0x68, 0x3f, 0xd2,
2692 0xbc, 0xd9, 0x45, 0x99, 0x4c, 0x2e, 0xb7, 0x4c, 0x8a, 0xe8, 0xc8,
2693 0x7f, 0xce, 0x42, 0x9b, 0x7c, 0xd3, 0x1d, 0x51, 0xbd, 0xc4,
2694 },
2695 32, "Qihoo 360 v1 2021" },
2696 { (const uint8_t[]){
2697 0x49, 0x11, 0xb8, 0xd6, 0x14, 0xcf, 0xd3, 0xd9, 0x9f, 0x16, 0xd3,
2698 0x76, 0x54, 0x5e, 0xe1, 0xb8, 0xcc, 0xfc, 0x51, 0x1f, 0x50, 0x9f,
2699 0x08, 0x0b, 0xa0, 0xa0, 0x87, 0xd9, 0x1d, 0xfa, 0xee, 0xa9,
2700 },
2701 32, "Qihoo 360 v1 2022" },
2702 { (const uint8_t[]){
2703 0xb6, 0x74, 0x0b, 0x12, 0x00, 0x2e, 0x03, 0x3f, 0xd0, 0xe7, 0xe9,
2704 0x41, 0xf4, 0xba, 0x3e, 0xe1, 0xbf, 0xc1, 0x49, 0xb5, 0x24, 0xb4,
2705 0xcf, 0x62, 0x8d, 0x53, 0xef, 0xea, 0x1f, 0x40, 0x3a, 0x8d,
2706 },
2707 32, "Qihoo 360 v1 2023" },
2708 { (const uint8_t[]){
2709 0x2e, 0xd6, 0xa4, 0x4d, 0xeb, 0x8f, 0x0c, 0x86, 0x46, 0x67, 0x76,
2710 0x9c, 0x4e, 0xdd, 0x04, 0x1f, 0x84, 0x23, 0x67, 0x55, 0xfa, 0x3a,
2711 0xac, 0xa6, 0x34, 0xd0, 0x93, 0x5d, 0xfc, 0xd5, 0x9a, 0x70,
2712 },
2713 32, "Bogus placeholder log to unbreak misbehaving CT libraries" },
2714 { (const uint8_t[]){
2715 0x39, 0xb9, 0x87, 0x88, 0x28, 0x19, 0x5f, 0x3b, 0x2d, 0x0d, 0x1b,
2716 0x48, 0x14, 0xa3, 0xae, 0x8c, 0x0d, 0x01, 0xfe, 0x48, 0x62, 0x21,
2717 0xdd, 0x69, 0x39, 0x7d, 0x76, 0xf7, 0x85, 0x74, 0x11, 0xc3,
2718 },
2719 32, "Merklemap 'CompactLog' log" },
2720 { (const uint8_t[]){
2721 0xd2, 0xfc, 0x65, 0x2f, 0xa5, 0xf9, 0xb7, 0x38, 0xb8, 0x37, 0x55,
2722 0xfa, 0x5e, 0xb1, 0x5f, 0x0b, 0x45, 0x25, 0x3f, 0x4e, 0x8f, 0xa3,
2723 0xb9, 0xb6, 0x4f, 0xd4, 0xde, 0x56, 0x62, 0xd1, 0x87, 0x08,
2724 },
2725 32, "Bogus RFC6962 log to avoid breaking misbehaving CT libraries" },
2726 { NULL((void*)0), 0, NULL((void*)0) }
2727};
2728
2729/*
2730 * Application-Layer Protocol Negotiation (ALPN) dissector tables.
2731 */
2732static dissector_table_t ssl_alpn_dissector_table;
2733static dissector_table_t dtls_alpn_dissector_table;
2734
2735/*
2736 * Special cases for prefix matching of the ALPN, if the ALPN includes
2737 * a version number for a draft or protocol revision.
2738 */
2739typedef struct ssl_alpn_prefix_match_protocol {
2740 const char *proto_prefix;
2741 const char *dissector_name;
2742} ssl_alpn_prefix_match_protocol_t;
2743
2744static const ssl_alpn_prefix_match_protocol_t ssl_alpn_prefix_match_protocols[] = {
2745 /* SPDY moves so fast, just 1, 2 and 3 are registered with IANA but there
2746 * already exists 3.1 as of this writing... match the prefix. */
2747 { "spdy/", "spdy" },
2748 /* draft-ietf-httpbis-http2-16 */
2749 { "h2-", "http2" }, /* draft versions */
2750};
2751
2752const value_string compress_certificate_algorithm_vals[] = {
2753 { 1, "zlib" },
2754 { 2, "brotli" },
2755 { 3, "zstd" },
2756 { 0, NULL((void*)0) }
2757};
2758
2759
2760const val64_string quic_transport_parameter_id[] = {
2761 { SSL_HND_QUIC_TP_ORIGINAL_DESTINATION_CONNECTION_ID0x00, "original_destination_connection_id" },
2762 { SSL_HND_QUIC_TP_MAX_IDLE_TIMEOUT0x01, "max_idle_timeout" },
2763 { SSL_HND_QUIC_TP_STATELESS_RESET_TOKEN0x02, "stateless_reset_token" },
2764 { SSL_HND_QUIC_TP_MAX_UDP_PAYLOAD_SIZE0x03, "max_udp_payload_size" },
2765 { SSL_HND_QUIC_TP_INITIAL_MAX_DATA0x04, "initial_max_data" },
2766 { SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_BIDI_LOCAL0x05, "initial_max_stream_data_bidi_local" },
2767 { SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_BIDI_REMOTE0x06, "initial_max_stream_data_bidi_remote" },
2768 { SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_UNI0x07, "initial_max_stream_data_uni" },
2769 { SSL_HND_QUIC_TP_INITIAL_MAX_STREAMS_UNI0x09, "initial_max_streams_uni" },
2770 { SSL_HND_QUIC_TP_INITIAL_MAX_STREAMS_BIDI0x08, "initial_max_streams_bidi" },
2771 { SSL_HND_QUIC_TP_ACK_DELAY_EXPONENT0x0a, "ack_delay_exponent" },
2772 { SSL_HND_QUIC_TP_MAX_ACK_DELAY0x0b, "max_ack_delay" },
2773 { SSL_HND_QUIC_TP_DISABLE_ACTIVE_MIGRATION0x0c, "disable_active_migration" },
2774 { SSL_HND_QUIC_TP_PREFERRED_ADDRESS0x0d, "preferred_address" },
2775 { SSL_HND_QUIC_TP_ACTIVE_CONNECTION_ID_LIMIT0x0e, "active_connection_id_limit" },
2776 { SSL_HND_QUIC_TP_INITIAL_SOURCE_CONNECTION_ID0x0f, "initial_source_connection_id" },
2777 { SSL_HND_QUIC_TP_RETRY_SOURCE_CONNECTION_ID0x10, "retry_source_connection_id" },
2778 { SSL_HND_QUIC_TP_MAX_DATAGRAM_FRAME_SIZE0x20, "max_datagram_frame_size" },
2779 { SSL_HND_QUIC_TP_CIBIR_ENCODING0x1000, "cibir_encoding" },
2780 { SSL_HND_QUIC_TP_LOSS_BITS0x1057, "loss_bits" },
2781 { SSL_HND_QUIC_TP_GREASE_QUIC_BIT0x2ab2, "grease_quic_bit" },
2782 { SSL_HND_QUIC_TP_ENABLE_TIME_STAMP0x7157, "enable_time_stamp" },
2783 { SSL_HND_QUIC_TP_ENABLE_TIME_STAMP_V20x7158, "enable_time_stamp_v2" },
2784 { SSL_HND_QUIC_TP_VERSION_INFORMATION0x11, "version_information" },
2785 { SSL_HND_QUIC_TP_VERSION_INFORMATION_DRAFT0xff73db, "version_information_draft" },
2786 { SSL_HND_QUIC_TP_MIN_ACK_DELAY_OLD0xde1a, "min_ack_delay" },
2787 { SSL_HND_QUIC_TP_GOOGLE_USER_AGENT0x3129, "google_user_agent" },
2788 { SSL_HND_QUIC_TP_GOOGLE_KEY_UPDATE_NOT_YET_SUPPORTED0x312B, "google_key_update_not_yet_supported" },
2789 { SSL_HND_QUIC_TP_GOOGLE_QUIC_VERSION0x4752, "google_quic_version" },
2790 { SSL_HND_QUIC_TP_GOOGLE_INITIAL_RTT0x3127, "google_initial_rtt" },
2791 { SSL_HND_QUIC_TP_GOOGLE_SUPPORT_HANDSHAKE_DONE0x312A, "google_support_handshake_done" },
2792 { SSL_HND_QUIC_TP_GOOGLE_QUIC_PARAMS0x4751, "google_quic_params" },
2793 { SSL_HND_QUIC_TP_GOOGLE_CONNECTION_OPTIONS0x3128, "google_connection_options" },
2794 { SSL_HND_QUIC_TP_FACEBOOK_PARTIAL_RELIABILITY0xFF00, "facebook_partial_reliability" },
2795 { SSL_HND_QUIC_TP_ADDRESS_DISCOVERY0x9f81a176, "address_discovery" },
2796 { SSL_HND_QUIC_TP_MIN_ACK_DELAY_DRAFT_V10xFF03DE1A, "min_ack_delay (draft-01)" },
2797 { SSL_HND_QUIC_TP_MIN_ACK_DELAY_DRAFT050xff04de1a, "min_ack_delay (draft-05)" },
2798 { SSL_HND_QUIC_TP_MIN_ACK_DELAY0xff04de1b, "min_ack_delay" },
2799 { SSL_HND_QUIC_TP_ENABLE_MULTIPATH_DRAFT040x0f739bbc1b666d04, "enable_multipath (draft-04)" },
2800 { SSL_HND_QUIC_TP_ENABLE_MULTIPATH_DRAFT050x0f739bbc1b666d05, "enable_multipath (draft-05)" },
2801 { SSL_HND_QUIC_TP_ENABLE_MULTIPATH0x0f739bbc1b666d06, "enable_multipath (draft-06)" },
2802 { SSL_HND_QUIC_TP_INITIAL_MAX_PATHS0x0f739bbc1b666d07, "initial_max_paths (draft-07/08)" },
2803 { SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT090x0f739bbc1b666d09, "initial_max_path_id (draft-09/10)" },
2804 { SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT110x0f739bbc1b666d11, "initial_max_path_id (draft-11)" },
2805 { SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT120x0f739bbc1b666d0c, "initial_max_path_id (draft-12)" },
2806 { SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID0x0f739bbc1b666d0d, "initial_max_path_id" },
2807 { 0, NULL((void*)0) }
2808};
2809
2810/* https://tools.ietf.org/html/draft-ietf-quic-address-discovery-00 */
2811const val64_string quic_address_discovery_vals[] = {
2812 { 0, "The node is willing to provide address observations to its peer, but is not interested in receiving address observations itself" },
2813 { 1, "The node is interested in receiving address observations, but it is not willing to provide address observations" },
2814 { 2, "The node is interested in receiving address observations, and it is willing to provide address observations" },
2815 { 0, NULL((void*)0) }
2816};
2817
2818/* https://tools.ietf.org/html/draft-huitema-quic-ts-03 */
2819const val64_string quic_enable_time_stamp_v2_vals[] = {
2820 { 1, "I would like to receive TIME_STAMP frames" },
2821 { 2, "I am able to generate TIME_STAMP frames" },
2822 { 3, "I am able to generate TIME_STAMP frames and I would like to receive them" },
2823 { 0, NULL((void*)0) }
2824};
2825
2826/* https://datatracker.ietf.org/doc/draft-ietf-quic-multipath/04/ */
2827const val64_string quic_enable_multipath_vals[] = {
2828 { 0, "don't support multipath" },
2829 { 1, "support multipath as defined in this document" },
2830 { 0, NULL((void*)0) }
2831};
2832
2833/* https://www.ietf.org/archive/id/draft-ietf-tls-esni-16.txt */
2834const value_string tls_hello_ext_ech_clienthello_types[] = {
2835 { 0, "Outer Client Hello" },
2836 { 1, "Inner Client Hello" },
2837 { 0, NULL((void*)0) }
2838};
2839
2840/* RFC 9180 */
2841const value_string kem_id_type_vals[] = {
2842 { 0x0000, "Reserved" },
2843 { 0x0010, "DHKEM(P-256, HKDF-SHA256)" },
2844 { 0x0011, "DHKEM(P-384, HKDF-SHA384)" },
2845 { 0x0012, "DHKEM(P-521, HKDF-SHA512)" },
2846 { 0x0020, "DHKEM(X25519, HKDF-SHA256)" },
2847 { 0x0021, "DHKEM(X448, HKDF-SHA512)" },
2848 { 0, NULL((void*)0) }
2849};
2850const value_string kdf_id_type_vals[] = {
2851 { 0x0000, "Reserved" },
2852 { 0x0001, "HKDF-SHA256" },
2853 { 0x0002, "HKDF-SHA384" },
2854 { 0x0003, "HKDF-SHA512" },
2855 { 0, NULL((void*)0) }
2856};
2857const value_string aead_id_type_vals[] = {
2858 { 0x0000, "Reserved" },
2859 { 0x0001, "AES-128-GCM" },
2860 { 0x0002, "AES-256-GCM" },
2861 { 0x0003, "ChaCha20Poly1305" },
2862 { 0xFFFF, "Export-only" },
2863 { 0, NULL((void*)0) }
2864};
2865
2866const value_string token_binding_key_parameter_vals[] = {
2867 { 0, "rsa2048_pkcs1.5" },
2868 { 1, "rsa2048_pss" },
2869 { 2, "ecdsap256" },
2870 { 0, NULL((void*)0) }
2871};
2872
2873/* Lookup tables }}} */
2874
2875void
2876quic_transport_parameter_id_base_custom(char *result, uint64_t parameter_id)
2877{
2878 const char *label;
2879 if (IS_GREASE_QUIC(parameter_id)((parameter_id) > 27 ? ((((parameter_id) - 27) % 31) == 0)
: 0)) {
2880 label = "GREASE";
2881 } else {
2882 label = val64_to_str_const(parameter_id, quic_transport_parameter_id, "Unknown");
2883 }
2884 snprintf(result, ITEM_LABEL_LENGTH240, "%s (0x%02" PRIx64"l" "x" ")", label, parameter_id);
2885}
2886
2887/* we keep this internal to packet-tls-utils, as there should be
2888 no need to access it any other way.
2889
2890 This also allows us to hide the dependency on zlib.
2891*/
2892struct _SslDecompress {
2893 int compression;
2894#ifdef USE_ZLIB_OR_ZLIBNG
2895 zlib_stream istream;
2896#endif
2897};
2898
2899/* To assist in parsing client/server key exchange messages
2900 0 indicates unknown */
2901int ssl_get_keyex_alg(int cipher)
2902{
2903 /* Map Cipher suite number to Key Exchange algorithm {{{ */
2904 switch(cipher) {
2905 case 0x0017:
2906 case 0x0018:
2907 case 0x0019:
2908 case 0x001a:
2909 case 0x001b:
2910 case 0x0034:
2911 case 0x003a:
2912 case 0x0046:
2913 case 0x006c:
2914 case 0x006d:
2915 case 0x0089:
2916 case 0x009b:
2917 case 0x00a6:
2918 case 0x00a7:
2919 case 0x00bf:
2920 case 0x00c5:
2921 case 0xc084:
2922 case 0xc085:
2923 return KEX_DH_ANON0x13;
2924 case 0x000b:
2925 case 0x000c:
2926 case 0x000d:
2927 case 0x0030:
2928 case 0x0036:
2929 case 0x003e:
2930 case 0x0042:
2931 case 0x0068:
2932 case 0x0085:
2933 case 0x0097:
2934 case 0x00a4:
2935 case 0x00a5:
2936 case 0x00bb:
2937 case 0x00c1:
2938 case 0xc082:
2939 case 0xc083:
2940 return KEX_DH_DSS0x14;
2941 case 0x000e:
2942 case 0x000f:
2943 case 0x0010:
2944 case 0x0031:
2945 case 0x0037:
2946 case 0x003f:
2947 case 0x0043:
2948 case 0x0069:
2949 case 0x0086:
2950 case 0x0098:
2951 case 0x00a0:
2952 case 0x00a1:
2953 case 0x00bc:
2954 case 0x00c2:
2955 case 0xc07e:
2956 case 0xc07f:
2957 return KEX_DH_RSA0x15;
2958 case 0x0011:
2959 case 0x0012:
2960 case 0x0013:
2961 case 0x0032:
2962 case 0x0038:
2963 case 0x0040:
2964 case 0x0044:
2965 case 0x0063:
2966 case 0x0065:
2967 case 0x0066:
2968 case 0x006a:
2969 case 0x0087:
2970 case 0x0099:
2971 case 0x00a2:
2972 case 0x00a3:
2973 case 0x00bd:
2974 case 0x00c3:
2975 case 0xc080:
2976 case 0xc081:
2977 return KEX_DHE_DSS0x10;
2978 case 0x002d:
2979 case 0x008e:
2980 case 0x008f:
2981 case 0x0090:
2982 case 0x0091:
2983 case 0x00aa:
2984 case 0x00ab:
2985 case 0x00b2:
2986 case 0x00b3:
2987 case 0x00b4:
2988 case 0x00b5:
2989 case 0xc090:
2990 case 0xc091:
2991 case 0xc096:
2992 case 0xc097:
2993 case 0xc0a6:
2994 case 0xc0a7:
2995 case 0xc0aa:
2996 case 0xc0ab:
2997 case 0xccad:
2998 case 0xe41c:
2999 case 0xe41d:
3000 return KEX_DHE_PSK0x11;
3001 case 0x0014:
3002 case 0x0015:
3003 case 0x0016:
3004 case 0x0033:
3005 case 0x0039:
3006 case 0x0045:
3007 case 0x0067:
3008 case 0x006b:
3009 case 0x0088:
3010 case 0x009a:
3011 case 0x009e:
3012 case 0x009f:
3013 case 0x00be:
3014 case 0x00c4:
3015 case 0xc07c:
3016 case 0xc07d:
3017 case 0xc09e:
3018 case 0xc09f:
3019 case 0xc0a2:
3020 case 0xc0a3:
3021 case 0xccaa:
3022 case 0xe41e:
3023 case 0xe41f:
3024 return KEX_DHE_RSA0x12;
3025 case 0xc015:
3026 case 0xc016:
3027 case 0xc017:
3028 case 0xc018:
3029 case 0xc019:
3030 return KEX_ECDH_ANON0x19;
3031 case 0xc001:
3032 case 0xc002:
3033 case 0xc003:
3034 case 0xc004:
3035 case 0xc005:
3036 case 0xc025:
3037 case 0xc026:
3038 case 0xc02d:
3039 case 0xc02e:
3040 case 0xc074:
3041 case 0xc075:
3042 case 0xc088:
3043 case 0xc089:
3044 return KEX_ECDH_ECDSA0x1a;
3045 case 0xc00b:
3046 case 0xc00c:
3047 case 0xc00d:
3048 case 0xc00e:
3049 case 0xc00f:
3050 case 0xc029:
3051 case 0xc02a:
3052 case 0xc031:
3053 case 0xc032:
3054 case 0xc078:
3055 case 0xc079:
3056 case 0xc08c:
3057 case 0xc08d:
3058 return KEX_ECDH_RSA0x1b;
3059 case 0xc006:
3060 case 0xc007:
3061 case 0xc008:
3062 case 0xc009:
3063 case 0xc00a:
3064 case 0xc023:
3065 case 0xc024:
3066 case 0xc02b:
3067 case 0xc02c:
3068 case 0xc072:
3069 case 0xc073:
3070 case 0xc086:
3071 case 0xc087:
3072 case 0xc0ac:
3073 case 0xc0ad:
3074 case 0xc0ae:
3075 case 0xc0af:
3076 case 0xcca9:
3077 case 0xe414:
3078 case 0xe415:
3079 return KEX_ECDHE_ECDSA0x16;
3080 case 0xc033:
3081 case 0xc034:
3082 case 0xc035:
3083 case 0xc036:
3084 case 0xc037:
3085 case 0xc038:
3086 case 0xc039:
3087 case 0xc03a:
3088 case 0xc03b:
3089 case 0xc09a:
3090 case 0xc09b:
3091 case 0xccac:
3092 case 0xe418:
3093 case 0xe419:
3094 case 0xd001:
3095 case 0xd002:
3096 case 0xd003:
3097 case 0xd005:
3098 return KEX_ECDHE_PSK0x17;
3099 case 0xc010:
3100 case 0xc011:
3101 case 0xc012:
3102 case 0xc013:
3103 case 0xc014:
3104 case 0xc027:
3105 case 0xc028:
3106 case 0xc02f:
3107 case 0xc030:
3108 case 0xc076:
3109 case 0xc077:
3110 case 0xc08a:
3111 case 0xc08b:
3112 case 0xcca8:
3113 case 0xe412:
3114 case 0xe413:
3115 return KEX_ECDHE_RSA0x18;
3116 case 0x001e:
3117 case 0x001f:
3118 case 0x0020:
3119 case 0x0021:
3120 case 0x0022:
3121 case 0x0023:
3122 case 0x0024:
3123 case 0x0025:
3124 case 0x0026:
3125 case 0x0027:
3126 case 0x0028:
3127 case 0x0029:
3128 case 0x002a:
3129 case 0x002b:
3130 return KEX_KRB50x1c;
3131 case 0x002c:
3132 case 0x008a:
3133 case 0x008b:
3134 case 0x008c:
3135 case 0x008d:
3136 case 0x00a8:
3137 case 0x00a9:
3138 case 0x00ae:
3139 case 0x00af:
3140 case 0x00b0:
3141 case 0x00b1:
3142 case 0xc064:
3143 case 0xc065:
3144 case 0xc08e:
3145 case 0xc08f:
3146 case 0xc094:
3147 case 0xc095:
3148 case 0xc0a4:
3149 case 0xc0a5:
3150 case 0xc0a8:
3151 case 0xc0a9:
3152 case 0xccab:
3153 case 0xe416:
3154 case 0xe417:
3155 return KEX_PSK0x1d;
3156 case 0x0001:
3157 case 0x0002:
3158 case 0x0003:
3159 case 0x0004:
3160 case 0x0005:
3161 case 0x0006:
3162 case 0x0007:
3163 case 0x0008:
3164 case 0x0009:
3165 case 0x000a:
3166 case 0x002f:
3167 case 0x0035:
3168 case 0x003b:
3169 case 0x003c:
3170 case 0x003d:
3171 case 0x0041:
3172 case 0x0060:
3173 case 0x0061:
3174 case 0x0062:
3175 case 0x0064:
3176 case 0x0084:
3177 case 0x0096:
3178 case 0x009c:
3179 case 0x009d:
3180 case 0x00ba:
3181 case 0x00c0:
3182 case 0xc07a:
3183 case 0xc07b:
3184 case 0xc09c:
3185 case 0xc09d:
3186 case 0xc0a0:
3187 case 0xc0a1:
3188 case 0xe410:
3189 case 0xe411:
3190 case 0xfefe:
3191 case 0xfeff:
3192 case 0xffe0:
3193 case 0xffe1:
3194 return KEX_RSA0x1e;
3195 case 0x002e:
3196 case 0x0092:
3197 case 0x0093:
3198 case 0x0094:
3199 case 0x0095:
3200 case 0x00ac:
3201 case 0x00ad:
3202 case 0x00b6:
3203 case 0x00b7:
3204 case 0x00b8:
3205 case 0x00b9:
3206 case 0xc092:
3207 case 0xc093:
3208 case 0xc098:
3209 case 0xc099:
3210 case 0xccae:
3211 case 0xe41a:
3212 case 0xe41b:
3213 return KEX_RSA_PSK0x1f;
3214 case 0xc01a:
3215 case 0xc01d:
3216 case 0xc020:
3217 return KEX_SRP_SHA0x20;
3218 case 0xc01c:
3219 case 0xc01f:
3220 case 0xc022:
3221 return KEX_SRP_SHA_DSS0x21;
3222 case 0xc01b:
3223 case 0xc01e:
3224 case 0xc021:
3225 return KEX_SRP_SHA_RSA0x22;
3226 case 0xc0ff:
3227 return KEX_ECJPAKE0x24;
3228 case 0xe003:
3229 case 0xe013:
3230 case 0xe053:
3231 return KEX_ECC_SM20x26;
3232 default:
3233 break;
3234 }
3235
3236 return 0;
3237 /* }}} */
3238}
3239
3240static wmem_list_t *connection_id_session_list;
3241
3242void
3243ssl_init_cid_list(void) {
3244 connection_id_session_list = wmem_list_new(wmem_file_scope());
3245}
3246
3247void
3248ssl_cleanup_cid_list(void) {
3249 wmem_destroy_list(connection_id_session_list);
3250}
3251
3252void
3253ssl_add_session_by_cid(SslDecryptSession *session)
3254{
3255 wmem_list_append(connection_id_session_list, session);
3256}
3257
3258SslDecryptSession *
3259ssl_get_session_by_cid(tvbuff_t *tvb, uint32_t offset)
3260{
3261 SslDecryptSession * ssl_cid = NULL((void*)0);
3262 wmem_list_frame_t *it = wmem_list_head(connection_id_session_list);
3263
3264 while (it != NULL((void*)0) && ssl_cid == NULL((void*)0)) {
3265 SslDecryptSession * ssl = (SslDecryptSession *)wmem_list_frame_data(it);
3266 DISSECTOR_ASSERT(ssl != NULL)((void) ((ssl != ((void*)0)) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 3266, "ssl != ((void*)0)"))));
3267 SslSession *session = &ssl->session;
3268
3269 if (session->client_cid_len > 0 && tvb_bytes_exist(tvb, offset, session->client_cid_len)) {
3270 if (tvb_memeql(tvb, offset, session->client_cid, session->client_cid_len) == 0) {
3271 ssl_cid = ssl;
3272 }
3273 }
3274
3275 if (session->server_cid_len > 0) {
3276 if (tvb_memeql(tvb, offset, session->server_cid, session->server_cid_len) == 0) {
3277 ssl_cid = ssl;
3278 }
3279 }
3280
3281 it = wmem_list_frame_next(it);
3282 }
3283
3284 return ssl_cid;
3285}
3286
3287/* StringInfo structure (len + data) functions {{{ */
3288
3289int
3290ssl_data_alloc(StringInfo* str, size_t len)
3291{
3292 str->data = (unsigned char *)g_malloc(len);
22
Memory is allocated
3293 /* the allocator can return a null pointer for a size equal to 0,
3294 * and that must be allowed */
3295 if (len
22.1
'len' is > 0
 > 0 && !str->data)
23
Assuming field 'data' is non-null
24
Taking false branch
3296 return -1;
3297 str->data_len = (unsigned) len;
3298 return 0;
3299}
3300
3301void
3302ssl_data_set(StringInfo* str, const unsigned char* data, unsigned len)
3303{
3304 DISSECTOR_ASSERT(data)((void) ((data) ? (void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\""
, "epan/dissectors/packet-tls-utils.c", 3304, "data"))));
3305 memcpy(str->data, data, len);
3306 str->data_len = len;
3307}
3308
3309static int
3310ssl_data_realloc(StringInfo* str, unsigned len)
3311{
3312 str->data = (unsigned char *)g_realloc(str->data, len);
3313 if (!str->data)
3314 return -1;
3315 str->data_len = len;
3316 return 0;
3317}
3318
3319static StringInfo *
3320ssl_data_clone(StringInfo *str)
3321{
3322 StringInfo *cloned_str;
3323 cloned_str = (StringInfo *) wmem_alloc0(wmem_file_scope(),
3324 sizeof(StringInfo) + str->data_len);
3325 cloned_str->data = (unsigned char *) (cloned_str + 1);
3326 ssl_data_set(cloned_str, str->data, str->data_len);
3327 return cloned_str;
3328}
3329
3330static int
3331ssl_data_copy(StringInfo* dst, StringInfo* src)
3332{
3333 if (dst->data_len < src->data_len) {
3334 if (ssl_data_realloc(dst, src->data_len))
3335 return -1;
3336 }
3337 memcpy(dst->data, src->data, src->data_len);
3338 dst->data_len = src->data_len;
3339 return 0;
3340}
3341
3342/* from_hex converts |hex_len| bytes of hex data from |in| and sets |*out| to
3343 * the result. |out->data| will be allocated using wmem_file_scope. Returns true on
3344 * success. */
3345static bool_Bool from_hex(StringInfo* out, const char* in, size_t hex_len) {
3346 size_t i;
3347
3348 if (hex_len & 1)
3349 return false0;
3350
3351 out->data = (unsigned char *)wmem_alloc(wmem_file_scope(), hex_len / 2);
3352 for (i = 0; i < hex_len / 2; i++) {
3353 int a = ws_xton(in[i*2]);
3354 int b = ws_xton(in[i*2 + 1]);
3355 if (a == -1 || b == -1)
3356 return false0;
3357 out->data[i] = a << 4 | b;
3358 }
3359 out->data_len = (unsigned)hex_len / 2;
3360 return true1;
3361}
3362/* StringInfo structure (len + data) functions }}} */
3363
3364
3365/* libgcrypt wrappers for HMAC/message digest operations {{{ */
3366/* hmac abstraction layer */
3367#define SSL_HMACgcry_md_hd_t gcry_md_hd_t
3368
3369static inline int
3370ssl_hmac_init(SSL_HMACgcry_md_hd_t* md, int algo)
3371{
3372 gcry_error_t err;
3373 const char *err_str, *err_src;
3374
3375 err = gcry_md_open(md,algo, GCRY_MD_FLAG_HMAC);
3376 if (err != 0) {
3377 err_str = gcry_strerror(err);
3378 err_src = gcry_strsource(err);
3379 ssl_debug_printf("ssl_hmac_init(): gcry_md_open failed %s/%s", err_str, err_src);
3380 return -1;
3381 }
3382 return 0;
3383}
3384
3385static inline int
3386ssl_hmac_setkey(SSL_HMACgcry_md_hd_t* md, const void * key, int len)
3387{
3388 gcry_error_t err;
3389 const char *err_str, *err_src;
3390
3391 err = gcry_md_setkey (*(md), key, len);
3392 if (err != 0) {
3393 err_str = gcry_strerror(err);
3394 err_src = gcry_strsource(err);
3395 ssl_debug_printf("ssl_hmac_setkey(): gcry_md_setkey failed %s/%s", err_str, err_src);
3396 return -1;
3397 }
3398 return 0;
3399}
3400
3401static inline int
3402ssl_hmac_reset(SSL_HMACgcry_md_hd_t* md)
3403{
3404 gcry_md_reset(*md);
3405 return 0;
3406}
3407
3408static inline void
3409ssl_hmac_update(SSL_HMACgcry_md_hd_t* md, const void* data, int len)
3410{
3411 gcry_md_write(*(md), data, len);
3412}
3413static inline void
3414ssl_hmac_final(SSL_HMACgcry_md_hd_t* md, unsigned char* data, unsigned* datalen)
3415{
3416 int algo;
3417 unsigned len;
3418
3419 algo = gcry_md_get_algo (*(md));
3420 len = gcry_md_get_algo_dlen(algo);
3421 DISSECTOR_ASSERT(len <= *datalen)((void) ((len <= *datalen) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 3421, "len <= *datalen"))));
3422 memcpy(data, gcry_md_read(*(md), algo), len);
3423 *datalen = len;
3424}
3425static inline void
3426ssl_hmac_cleanup(SSL_HMACgcry_md_hd_t* md)
3427{
3428 gcry_md_close(*(md));
3429}
3430
3431/* message digest abstraction layer*/
3432#define SSL_MDgcry_md_hd_t gcry_md_hd_t
3433
3434static inline int
3435ssl_md_init(SSL_MDgcry_md_hd_t* md, int algo)
3436{
3437 gcry_error_t err;
3438 const char *err_str, *err_src;
3439 err = gcry_md_open(md,algo, 0);
3440 if (err != 0) {
3441 err_str = gcry_strerror(err);
3442 err_src = gcry_strsource(err);
3443 ssl_debug_printf("ssl_md_init(): gcry_md_open failed %s/%s", err_str, err_src);
3444 return -1;
3445 }
3446 return 0;
3447}
3448static inline void
3449ssl_md_update(SSL_MDgcry_md_hd_t* md, const unsigned char* data, int len)
3450{
3451 gcry_md_write(*(md), data, len);
3452}
3453static inline void
3454ssl_md_final(SSL_MDgcry_md_hd_t* md, unsigned char* data, unsigned* datalen)
3455{
3456 int algo;
3457 int len;
3458 algo = gcry_md_get_algo (*(md));
3459 len = gcry_md_get_algo_dlen (algo);
3460 memcpy(data, gcry_md_read(*(md), algo), len);
3461 *datalen = len;
3462}
3463static inline void
3464ssl_md_cleanup(SSL_MDgcry_md_hd_t* md)
3465{
3466 gcry_md_close(*(md));
3467}
3468
3469static inline void
3470ssl_md_reset(SSL_MDgcry_md_hd_t* md)
3471{
3472 gcry_md_reset(*md);
3473}
3474
3475/* md5 /sha abstraction layer */
3476#define SSL_SHA_CTXgcry_md_hd_t gcry_md_hd_t
3477#define SSL_MD5_CTXgcry_md_hd_t gcry_md_hd_t
3478
3479static inline int
3480ssl_sha_init(SSL_SHA_CTXgcry_md_hd_t* md)
3481{
3482 gcry_error_t err;
3483 const char *err_str, *err_src;
3484 err = gcry_md_open(md, GCRY_MD_SHA1, 0);
3485 if (err != 0) {
3486 err_str = gcry_strerror(err);
3487 err_src = gcry_strsource(err);
3488 ssl_debug_printf("ssl_sha_init(): gcry_md_open failed %s/%s", err_str, err_src);
3489 return -1;
3490 }
3491 return 0;
3492}
3493static inline void
3494ssl_sha_update(SSL_SHA_CTXgcry_md_hd_t* md, unsigned char* data, int len)
3495{
3496 gcry_md_write(*(md), data, len);
3497}
3498static inline void
3499ssl_sha_final(unsigned char* buf, SSL_SHA_CTXgcry_md_hd_t* md)
3500{
3501 memcpy(buf, gcry_md_read(*(md), GCRY_MD_SHA1),
3502 gcry_md_get_algo_dlen(GCRY_MD_SHA1));
3503}
3504
3505static inline void
3506ssl_sha_reset(SSL_SHA_CTXgcry_md_hd_t* md)
3507{
3508 gcry_md_reset(*md);
3509}
3510
3511static inline void
3512ssl_sha_cleanup(SSL_SHA_CTXgcry_md_hd_t* md)
3513{
3514 gcry_md_close(*(md));
3515}
3516
3517static inline int
3518ssl_md5_init(SSL_MD5_CTXgcry_md_hd_t* md)
3519{
3520 gcry_error_t err;
3521 const char *err_str, *err_src;
3522 err = gcry_md_open(md,GCRY_MD_MD5, 0);
3523 if (err != 0) {
3524 err_str = gcry_strerror(err);
3525 err_src = gcry_strsource(err);
3526 ssl_debug_printf("ssl_md5_init(): gcry_md_open failed %s/%s", err_str, err_src);
3527 return -1;
3528 }
3529 return 0;
3530}
3531static inline void
3532ssl_md5_update(SSL_MD5_CTXgcry_md_hd_t* md, unsigned char* data, int len)
3533{
3534 gcry_md_write(*(md), data, len);
3535}
3536static inline void
3537ssl_md5_final(unsigned char* buf, SSL_MD5_CTXgcry_md_hd_t* md)
3538{
3539 memcpy(buf, gcry_md_read(*(md), GCRY_MD_MD5),
3540 gcry_md_get_algo_dlen(GCRY_MD_MD5));
3541}
3542
3543static inline void
3544ssl_md5_reset(SSL_MD5_CTXgcry_md_hd_t* md)
3545{
3546 gcry_md_reset(*md);
3547}
3548
3549static inline void
3550ssl_md5_cleanup(SSL_MD5_CTXgcry_md_hd_t* md)
3551{
3552 gcry_md_close(*(md));
3553}
3554/* libgcrypt wrappers for HMAC/message digest operations }}} */
3555
3556/* libgcrypt wrappers for Cipher state manipulation {{{ */
3557int
3558ssl_cipher_setiv(SSL_CIPHER_CTXgcry_cipher_hd_t *cipher, unsigned char* iv, int iv_len)
3559{
3560 int ret;
3561#if 0
3562 unsigned char *ivp;
3563 int i;
3564 gcry_cipher_hd_t c;
3565 c=(gcry_cipher_hd_t)*cipher;
3566#endif
3567 ssl_debug_printf("--------------------------------------------------------------------");
3568#if 0
3569 for(ivp=c->iv,i=0; i < iv_len; i++ )
3570 {
3571 ssl_debug_printf("%d ",ivp[i]);
3572 i++;
3573 }
3574#endif
3575 ssl_debug_printf("--------------------------------------------------------------------");
3576 ret = gcry_cipher_setiv(*(cipher), iv, iv_len);
3577#if 0
3578 for(ivp=c->iv,i=0; i < iv_len; i++ )
3579 {
3580 ssl_debug_printf("%d ",ivp[i]);
3581 i++;
3582 }
3583#endif
3584 ssl_debug_printf("--------------------------------------------------------------------");
3585 return ret;
3586}
3587/* stream cipher abstraction layer*/
3588static int
3589ssl_cipher_init(gcry_cipher_hd_t *cipher, int algo, unsigned char* sk,
3590 unsigned char* iv, int mode)
3591{
3592 int gcry_modes[] = {
3593 GCRY_CIPHER_MODE_STREAM,
3594 GCRY_CIPHER_MODE_CBC,
3595 GCRY_CIPHER_MODE_GCM,
3596 GCRY_CIPHER_MODE_CCM,
3597 GCRY_CIPHER_MODE_CCM,
3598 GCRY_CIPHER_MODE_POLY1305,
3599 GCRY_CIPHER_MODE_ECB, /* used for DTLSv1.3 seq number encryption */
3600 };
3601 int err;
3602 if (algo == -1) {
3603 /* NULL mode */
3604 *(cipher) = (gcry_cipher_hd_t)-1;
3605 return 0;
3606 }
3607 err = gcry_cipher_open(cipher, algo, gcry_modes[mode], 0);
3608 if (err !=0)
3609 return -1;
3610 err = gcry_cipher_setkey(*(cipher), sk, gcry_cipher_get_algo_keylen (algo));
3611 if (err != 0)
3612 return -1;
3613 /* AEAD cipher suites will set the nonce later. */
3614 if (mode == MODE_CBC) {
3615 err = gcry_cipher_setiv(*(cipher), iv, gcry_cipher_get_algo_blklen(algo));
3616 if (err != 0)
3617 return -1;
3618 }
3619 return 0;
3620}
3621static inline int
3622ssl_cipher_decrypt(gcry_cipher_hd_t *cipher, unsigned char * out, int outl,
3623 const unsigned char * in, int inl)
3624{
3625 if ((*cipher) == (gcry_cipher_hd_t)-1)
3626 {
3627 if (in && inl)
3628 memcpy(out, in, outl < inl ? outl : inl);
3629 return 0;
3630 }
3631 return gcry_cipher_decrypt ( *(cipher), out, outl, in, inl);
3632}
3633static inline int
3634ssl_get_digest_by_name(const char*name)
3635{
3636 return gcry_md_map_name(name);
3637}
3638static inline int
3639ssl_get_cipher_by_name(const char* name)
3640{
3641 return gcry_cipher_map_name(name);
3642}
3643
3644static inline void
3645ssl_cipher_cleanup(gcry_cipher_hd_t *cipher)
3646{
3647 if ((*cipher) != (gcry_cipher_hd_t)-1)
3648 gcry_cipher_close(*cipher);
3649 *cipher = NULL((void*)0);
3650}
3651/* }}} */
3652
3653/* Digests, Ciphers and Cipher Suites registry {{{ */
3654static const SslDigestAlgo digests[]={
3655 {"MD5", 16},
3656 {"SHA1", 20},
3657 {"SHA256", 32},
3658 {"SHA384", 48},
3659 {"SM3", 32},
3660 {"Not Applicable", 0},
3661};
3662
3663#define DIGEST_MAX_SIZE48 48
3664
3665/* get index digest index */
3666static const SslDigestAlgo *
3667ssl_cipher_suite_dig(const SslCipherSuite *cs) {
3668 if (!cs || cs->dig < DIG_MD50x40 || cs->dig > DIG_NA0x45) {
3669 return &digests[DIG_NA0x45 - DIG_MD50x40];
3670 }
3671 return &digests[cs->dig - DIG_MD50x40];
3672}
3673
3674static const char *ciphers[]={
3675 "DES",
3676 "3DES",
3677 "ARCFOUR", /* libgcrypt does not support rc4, but this should be 100% compatible*/
3678 "RFC2268_128", /* libgcrypt name for RC2 with a 128-bit key */
3679 "IDEA",
3680 "AES",
3681 "AES256",
3682 "CAMELLIA128",
3683 "CAMELLIA256",
3684 "SEED",
3685 "CHACHA20", /* since Libgcrypt 1.7.0 */
3686 "SM1",
3687 "SM4",
3688 "*UNKNOWN*"
3689};
3690
3691static const SslCipherSuite cipher_suites[]={
3692 {0x0001,KEX_RSA0x1e, ENC_NULL0x3D, DIG_MD50x40, MODE_STREAM}, /* TLS_RSA_WITH_NULL_MD5 */
3693 {0x0002,KEX_RSA0x1e, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_RSA_WITH_NULL_SHA */
3694 {0x0003,KEX_RSA0x1e, ENC_RC40x32, DIG_MD50x40, MODE_STREAM}, /* TLS_RSA_EXPORT_WITH_RC4_40_MD5 */
3695 {0x0004,KEX_RSA0x1e, ENC_RC40x32, DIG_MD50x40, MODE_STREAM}, /* TLS_RSA_WITH_RC4_128_MD5 */
3696 {0x0005,KEX_RSA0x1e, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_RSA_WITH_RC4_128_SHA */
3697 {0x0006,KEX_RSA0x1e, ENC_RC20x33, DIG_MD50x40, MODE_CBC }, /* TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 */
3698 {0x0007,KEX_RSA0x1e, ENC_IDEA0x34, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_IDEA_CBC_SHA */
3699 {0x0008,KEX_RSA0x1e, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_EXPORT_WITH_DES40_CBC_SHA */
3700 {0x0009,KEX_RSA0x1e, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_DES_CBC_SHA */
3701 {0x000A,KEX_RSA0x1e, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_3DES_EDE_CBC_SHA */
3702 {0x000B,KEX_DH_DSS0x14, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA */
3703 {0x000C,KEX_DH_DSS0x14, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_DES_CBC_SHA */
3704 {0x000D,KEX_DH_DSS0x14, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA */
3705 {0x000E,KEX_DH_RSA0x15, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA */
3706 {0x000F,KEX_DH_RSA0x15, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_DES_CBC_SHA */
3707 {0x0010,KEX_DH_RSA0x15, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA */
3708 {0x0011,KEX_DHE_DSS0x10, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA */
3709 {0x0012,KEX_DHE_DSS0x10, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_DES_CBC_SHA */
3710 {0x0013,KEX_DHE_DSS0x10, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA */
3711 {0x0014,KEX_DHE_RSA0x12, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA */
3712 {0x0015,KEX_DHE_RSA0x12, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_DES_CBC_SHA */
3713 {0x0016,KEX_DHE_RSA0x12, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA */
3714 {0x0017,KEX_DH_ANON0x13, ENC_RC40x32, DIG_MD50x40, MODE_STREAM}, /* TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 */
3715 {0x0018,KEX_DH_ANON0x13, ENC_RC40x32, DIG_MD50x40, MODE_STREAM}, /* TLS_DH_anon_WITH_RC4_128_MD5 */
3716 {0x0019,KEX_DH_ANON0x13, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA */
3717 {0x001A,KEX_DH_ANON0x13, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_DES_CBC_SHA */
3718 {0x001B,KEX_DH_ANON0x13, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_3DES_EDE_CBC_SHA */
3719 {0x002C,KEX_PSK0x1d, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_PSK_WITH_NULL_SHA */
3720 {0x002D,KEX_DHE_PSK0x11, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_DHE_PSK_WITH_NULL_SHA */
3721 {0x002E,KEX_RSA_PSK0x1f, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_RSA_PSK_WITH_NULL_SHA */
3722 {0x002F,KEX_RSA0x1e, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_AES_128_CBC_SHA */
3723 {0x0030,KEX_DH_DSS0x14, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_AES_128_CBC_SHA */
3724 {0x0031,KEX_DH_RSA0x15, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_AES_128_CBC_SHA */
3725 {0x0032,KEX_DHE_DSS0x10, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_AES_128_CBC_SHA */
3726 {0x0033,KEX_DHE_RSA0x12, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_AES_128_CBC_SHA */
3727 {0x0034,KEX_DH_ANON0x13, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_AES_128_CBC_SHA */
3728 {0x0035,KEX_RSA0x1e, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_AES_256_CBC_SHA */
3729 {0x0036,KEX_DH_DSS0x14, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_AES_256_CBC_SHA */
3730 {0x0037,KEX_DH_RSA0x15, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_AES_256_CBC_SHA */
3731 {0x0038,KEX_DHE_DSS0x10, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_AES_256_CBC_SHA */
3732 {0x0039,KEX_DHE_RSA0x12, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_AES_256_CBC_SHA */
3733 {0x003A,KEX_DH_ANON0x13, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_AES_256_CBC_SHA */
3734 {0x003B,KEX_RSA0x1e, ENC_NULL0x3D, DIG_SHA2560x42, MODE_STREAM}, /* TLS_RSA_WITH_NULL_SHA256 */
3735 {0x003C,KEX_RSA0x1e, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_RSA_WITH_AES_128_CBC_SHA256 */
3736 {0x003D,KEX_RSA0x1e, ENC_AES2560x36, DIG_SHA2560x42, MODE_CBC }, /* TLS_RSA_WITH_AES_256_CBC_SHA256 */
3737 {0x003E,KEX_DH_DSS0x14, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_DSS_WITH_AES_128_CBC_SHA256 */
3738 {0x003F,KEX_DH_RSA0x15, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_RSA_WITH_AES_128_CBC_SHA256 */
3739 {0x0040,KEX_DHE_DSS0x10, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 */
3740 {0x0041,KEX_RSA0x1e, ENC_CAMELLIA1280x37,DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_CAMELLIA_128_CBC_SHA */
3741 {0x0042,KEX_DH_DSS0x14, ENC_CAMELLIA1280x37,DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA */
3742 {0x0043,KEX_DH_RSA0x15, ENC_CAMELLIA1280x37,DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA */
3743 {0x0044,KEX_DHE_DSS0x10, ENC_CAMELLIA1280x37,DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA */
3744 {0x0045,KEX_DHE_RSA0x12, ENC_CAMELLIA1280x37,DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA */
3745 {0x0046,KEX_DH_ANON0x13, ENC_CAMELLIA1280x37,DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA */
3746 {0x0060,KEX_RSA0x1e, ENC_RC40x32, DIG_MD50x40, MODE_STREAM}, /* TLS_RSA_EXPORT1024_WITH_RC4_56_MD5 */
3747 {0x0061,KEX_RSA0x1e, ENC_RC20x33, DIG_MD50x40, MODE_STREAM}, /* TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 */
3748 {0x0062,KEX_RSA0x1e, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA */
3749 {0x0063,KEX_DHE_DSS0x10, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA */
3750 {0x0064,KEX_RSA0x1e, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_RSA_EXPORT1024_WITH_RC4_56_SHA */
3751 {0x0065,KEX_DHE_DSS0x10, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA */
3752 {0x0066,KEX_DHE_DSS0x10, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_DHE_DSS_WITH_RC4_128_SHA */
3753 {0x0067,KEX_DHE_RSA0x12, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 */
3754 {0x0068,KEX_DH_DSS0x14, ENC_AES2560x36, DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_DSS_WITH_AES_256_CBC_SHA256 */
3755 {0x0069,KEX_DH_RSA0x15, ENC_AES2560x36, DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_RSA_WITH_AES_256_CBC_SHA256 */
3756 {0x006A,KEX_DHE_DSS0x10, ENC_AES2560x36, DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 */
3757 {0x006B,KEX_DHE_RSA0x12, ENC_AES2560x36, DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 */
3758 {0x006C,KEX_DH_ANON0x13, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_anon_WITH_AES_128_CBC_SHA256 */
3759 {0x006D,KEX_DH_ANON0x13, ENC_AES2560x36, DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_anon_WITH_AES_256_CBC_SHA256 */
3760 {0x0084,KEX_RSA0x1e, ENC_CAMELLIA2560x38,DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_CAMELLIA_256_CBC_SHA */
3761 {0x0085,KEX_DH_DSS0x14, ENC_CAMELLIA2560x38,DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA */
3762 {0x0086,KEX_DH_RSA0x15, ENC_CAMELLIA2560x38,DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA */
3763 {0x0087,KEX_DHE_DSS0x10, ENC_CAMELLIA2560x38,DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA */
3764 {0x0088,KEX_DHE_RSA0x12, ENC_CAMELLIA2560x38,DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA */
3765 {0x0089,KEX_DH_ANON0x13, ENC_CAMELLIA2560x38,DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA */
3766 {0x008A,KEX_PSK0x1d, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_PSK_WITH_RC4_128_SHA */
3767 {0x008B,KEX_PSK0x1d, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_PSK_WITH_3DES_EDE_CBC_SHA */
3768 {0x008C,KEX_PSK0x1d, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_PSK_WITH_AES_128_CBC_SHA */
3769 {0x008D,KEX_PSK0x1d, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_PSK_WITH_AES_256_CBC_SHA */
3770 {0x008E,KEX_DHE_PSK0x11, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_DHE_PSK_WITH_RC4_128_SHA */
3771 {0x008F,KEX_DHE_PSK0x11, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA */
3772 {0x0090,KEX_DHE_PSK0x11, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_PSK_WITH_AES_128_CBC_SHA */
3773 {0x0091,KEX_DHE_PSK0x11, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_PSK_WITH_AES_256_CBC_SHA */
3774 {0x0092,KEX_RSA_PSK0x1f, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_RSA_PSK_WITH_RC4_128_SHA */
3775 {0x0093,KEX_RSA_PSK0x1f, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA */
3776 {0x0094,KEX_RSA_PSK0x1f, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_PSK_WITH_AES_128_CBC_SHA */
3777 {0x0095,KEX_RSA_PSK0x1f, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_PSK_WITH_AES_256_CBC_SHA */
3778 {0x0096,KEX_RSA0x1e, ENC_SEED0x39, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_SEED_CBC_SHA */
3779 {0x0097,KEX_DH_DSS0x14, ENC_SEED0x39, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_SEED_CBC_SHA */
3780 {0x0098,KEX_DH_RSA0x15, ENC_SEED0x39, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_SEED_CBC_SHA */
3781 {0x0099,KEX_DHE_DSS0x10, ENC_SEED0x39, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_SEED_CBC_SHA */
3782 {0x009A,KEX_DHE_RSA0x12, ENC_SEED0x39, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_SEED_CBC_SHA */
3783 {0x009B,KEX_DH_ANON0x13, ENC_SEED0x39, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_SEED_CBC_SHA */
3784 {0x009C,KEX_RSA0x1e, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_RSA_WITH_AES_128_GCM_SHA256 */
3785 {0x009D,KEX_RSA0x1e, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_RSA_WITH_AES_256_GCM_SHA384 */
3786 {0x009E,KEX_DHE_RSA0x12, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 */
3787 {0x009F,KEX_DHE_RSA0x12, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 */
3788 {0x00A0,KEX_DH_RSA0x15, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_DH_RSA_WITH_AES_128_GCM_SHA256 */
3789 {0x00A1,KEX_DH_RSA0x15, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_DH_RSA_WITH_AES_256_GCM_SHA384 */
3790 {0x00A2,KEX_DHE_DSS0x10, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 */
3791 {0x00A3,KEX_DHE_DSS0x10, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 */
3792 {0x00A4,KEX_DH_DSS0x14, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_DH_DSS_WITH_AES_128_GCM_SHA256 */
3793 {0x00A5,KEX_DH_DSS0x14, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_DH_DSS_WITH_AES_256_GCM_SHA384 */
3794 {0x00A6,KEX_DH_ANON0x13, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_DH_anon_WITH_AES_128_GCM_SHA256 */
3795 {0x00A7,KEX_DH_ANON0x13, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_DH_anon_WITH_AES_256_GCM_SHA384 */
3796 {0x00A8,KEX_PSK0x1d, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_PSK_WITH_AES_128_GCM_SHA256 */
3797 {0x00A9,KEX_PSK0x1d, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_PSK_WITH_AES_256_GCM_SHA384 */
3798 {0x00AA,KEX_DHE_PSK0x11, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 */
3799 {0x00AB,KEX_DHE_PSK0x11, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 */
3800 {0x00AC,KEX_RSA_PSK0x1f, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 */
3801 {0x00AD,KEX_RSA_PSK0x1f, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 */
3802 {0x00AE,KEX_PSK0x1d, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_PSK_WITH_AES_128_CBC_SHA256 */
3803 {0x00AF,KEX_PSK0x1d, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_PSK_WITH_AES_256_CBC_SHA384 */
3804 {0x00B0,KEX_PSK0x1d, ENC_NULL0x3D, DIG_SHA2560x42, MODE_STREAM}, /* TLS_PSK_WITH_NULL_SHA256 */
3805 {0x00B1,KEX_PSK0x1d, ENC_NULL0x3D, DIG_SHA3840x43, MODE_STREAM}, /* TLS_PSK_WITH_NULL_SHA384 */
3806 {0x00B2,KEX_DHE_PSK0x11, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 */
3807 {0x00B3,KEX_DHE_PSK0x11, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 */
3808 {0x00B4,KEX_DHE_PSK0x11, ENC_NULL0x3D, DIG_SHA2560x42, MODE_STREAM}, /* TLS_DHE_PSK_WITH_NULL_SHA256 */
3809 {0x00B5,KEX_DHE_PSK0x11, ENC_NULL0x3D, DIG_SHA3840x43, MODE_STREAM}, /* TLS_DHE_PSK_WITH_NULL_SHA384 */
3810 {0x00B6,KEX_RSA_PSK0x1f, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 */
3811 {0x00B7,KEX_RSA_PSK0x1f, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 */
3812 {0x00B8,KEX_RSA_PSK0x1f, ENC_NULL0x3D, DIG_SHA2560x42, MODE_STREAM}, /* TLS_RSA_PSK_WITH_NULL_SHA256 */
3813 {0x00B9,KEX_RSA_PSK0x1f, ENC_NULL0x3D, DIG_SHA3840x43, MODE_STREAM}, /* TLS_RSA_PSK_WITH_NULL_SHA384 */
3814 {0x00BA,KEX_RSA0x1e, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 */
3815 {0x00BB,KEX_DH_DSS0x14, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256 */
3816 {0x00BC,KEX_DH_RSA0x15, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256 */
3817 {0x00BD,KEX_DHE_DSS0x10, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256 */
3818 {0x00BE,KEX_DHE_RSA0x12, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 */
3819 {0x00BF,KEX_DH_ANON0x13, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256 */
3820 {0x00C0,KEX_RSA0x1e, ENC_CAMELLIA2560x38,DIG_SHA2560x42, MODE_CBC }, /* TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 */
3821 {0x00C1,KEX_DH_DSS0x14, ENC_CAMELLIA2560x38,DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256 */
3822 {0x00C2,KEX_DH_RSA0x15, ENC_CAMELLIA2560x38,DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256 */
3823 {0x00C3,KEX_DHE_DSS0x10, ENC_CAMELLIA2560x38,DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256 */
3824 {0x00C4,KEX_DHE_RSA0x12, ENC_CAMELLIA2560x38,DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 */
3825 {0x00C5,KEX_DH_ANON0x13, ENC_CAMELLIA2560x38,DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256 */
3826
3827 /* NOTE: TLS 1.3 cipher suites are incompatible with TLS 1.2. */
3828 {0x1301,KEX_TLS130x23, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_AES_128_GCM_SHA256 */
3829 {0x1302,KEX_TLS130x23, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_AES_256_GCM_SHA384 */
3830 {0x1303,KEX_TLS130x23, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_CHACHA20_POLY1305_SHA256 */
3831 {0x1304,KEX_TLS130x23, ENC_AES0x35, DIG_SHA2560x42, MODE_CCM }, /* TLS_AES_128_CCM_SHA256 */
3832 {0x1305,KEX_TLS130x23, ENC_AES0x35, DIG_SHA2560x42, MODE_CCM_8 }, /* TLS_AES_128_CCM_8_SHA256 */
3833 {0x00C6,KEX_TLS130x23, ENC_SM40x3C, DIG_SM30x44, MODE_GCM }, /* TLS_SM4_GCM_SM3 */
3834
3835 {0xC001,KEX_ECDH_ECDSA0x1a, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDH_ECDSA_WITH_NULL_SHA */
3836 {0xC002,KEX_ECDH_ECDSA0x1a, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDH_ECDSA_WITH_RC4_128_SHA */
3837 {0xC003,KEX_ECDH_ECDSA0x1a, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA */
3838 {0xC004,KEX_ECDH_ECDSA0x1a, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA */
3839 {0xC005,KEX_ECDH_ECDSA0x1a, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA */
3840 {0xC006,KEX_ECDHE_ECDSA0x16, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDHE_ECDSA_WITH_NULL_SHA */
3841 {0xC007,KEX_ECDHE_ECDSA0x16, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDHE_ECDSA_WITH_RC4_128_SHA */
3842 {0xC008,KEX_ECDHE_ECDSA0x16, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA */
3843 {0xC009,KEX_ECDHE_ECDSA0x16, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA */
3844 {0xC00A,KEX_ECDHE_ECDSA0x16, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA */
3845 {0xC00B,KEX_ECDH_RSA0x1b, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDH_RSA_WITH_NULL_SHA */
3846 {0xC00C,KEX_ECDH_RSA0x1b, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDH_RSA_WITH_RC4_128_SHA */
3847 {0xC00D,KEX_ECDH_RSA0x1b, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA */
3848 {0xC00E,KEX_ECDH_RSA0x1b, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_RSA_WITH_AES_128_CBC_SHA */
3849 {0xC00F,KEX_ECDH_RSA0x1b, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_RSA_WITH_AES_256_CBC_SHA */
3850 {0xC0FF,KEX_ECJPAKE0x24, ENC_AES0x35, DIG_NA0x45, MODE_CCM_8 }, /* TLS_ECJPAKE_WITH_AES_128_CCM_8 */
3851 {0xC010,KEX_ECDHE_RSA0x18, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDHE_RSA_WITH_NULL_SHA */
3852 {0xC011,KEX_ECDHE_RSA0x18, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDHE_RSA_WITH_RC4_128_SHA */
3853 {0xC012,KEX_ECDHE_RSA0x18, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA */
3854 {0xC013,KEX_ECDHE_RSA0x18, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA */
3855 {0xC014,KEX_ECDHE_RSA0x18, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA */
3856 {0xC015,KEX_ECDH_ANON0x19, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDH_anon_WITH_NULL_SHA */
3857 {0xC016,KEX_ECDH_ANON0x19, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDH_anon_WITH_RC4_128_SHA */
3858 {0xC017,KEX_ECDH_ANON0x19, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA */
3859 {0xC018,KEX_ECDH_ANON0x19, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_anon_WITH_AES_128_CBC_SHA */
3860 {0xC019,KEX_ECDH_ANON0x19, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_anon_WITH_AES_256_CBC_SHA */
3861 {0xC01A,KEX_SRP_SHA0x20, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA */
3862 {0xC01B,KEX_SRP_SHA_RSA0x22, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA */
3863 {0xC01C,KEX_SRP_SHA_DSS0x21, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA */
3864 {0xC01D,KEX_SRP_SHA0x20, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_WITH_AES_128_CBC_SHA */
3865 {0xC01E,KEX_SRP_SHA_RSA0x22, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA */
3866 {0xC01F,KEX_SRP_SHA_DSS0x21, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA */
3867 {0xC020,KEX_SRP_SHA0x20, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_WITH_AES_256_CBC_SHA */
3868 {0xC021,KEX_SRP_SHA_RSA0x22, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA */
3869 {0xC022,KEX_SRP_SHA_DSS0x21, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA */
3870 {0xC023,KEX_ECDHE_ECDSA0x16, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 */
3871 {0xC024,KEX_ECDHE_ECDSA0x16, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 */
3872 {0xC025,KEX_ECDH_ECDSA0x1a, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 */
3873 {0xC026,KEX_ECDH_ECDSA0x1a, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 */
3874 {0xC027,KEX_ECDHE_RSA0x18, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 */
3875 {0xC028,KEX_ECDHE_RSA0x18, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 */
3876 {0xC029,KEX_ECDH_RSA0x1b, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 */
3877 {0xC02A,KEX_ECDH_RSA0x1b, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 */
3878 {0xC02B,KEX_ECDHE_ECDSA0x16, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 */
3879 {0xC02C,KEX_ECDHE_ECDSA0x16, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 */
3880 {0xC02D,KEX_ECDH_ECDSA0x1a, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 */
3881 {0xC02E,KEX_ECDH_ECDSA0x1a, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 */
3882 {0xC02F,KEX_ECDHE_RSA0x18, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 */
3883 {0xC030,KEX_ECDHE_RSA0x18, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 */
3884 {0xC031,KEX_ECDH_RSA0x1b, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 */
3885 {0xC032,KEX_ECDH_RSA0x1b, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 */
3886 {0xC033,KEX_ECDHE_PSK0x17, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDHE_PSK_WITH_RC4_128_SHA */
3887 {0xC034,KEX_ECDHE_PSK0x17, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA */
3888 {0xC035,KEX_ECDHE_PSK0x17, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA */
3889 {0xC036,KEX_ECDHE_PSK0x17, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA */
3890 {0xC037,KEX_ECDHE_PSK0x17, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 */
3891 {0xC038,KEX_ECDHE_PSK0x17, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 */
3892 {0xC039,KEX_ECDHE_PSK0x17, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDHE_PSK_WITH_NULL_SHA */
3893 {0xC03A,KEX_ECDHE_PSK0x17, ENC_NULL0x3D, DIG_SHA2560x42, MODE_STREAM}, /* TLS_ECDHE_PSK_WITH_NULL_SHA256 */
3894 {0xC03B,KEX_ECDHE_PSK0x17, ENC_NULL0x3D, DIG_SHA3840x43, MODE_STREAM}, /* TLS_ECDHE_PSK_WITH_NULL_SHA384 */
3895 {0xC072,KEX_ECDHE_ECDSA0x16, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 */
3896 {0xC073,KEX_ECDHE_ECDSA0x16, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 */
3897 {0xC074,KEX_ECDH_ECDSA0x1a, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 */
3898 {0xC075,KEX_ECDH_ECDSA0x1a, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 */
3899 {0xC076,KEX_ECDHE_RSA0x18, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 */
3900 {0xC077,KEX_ECDHE_RSA0x18, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 */
3901 {0xC078,KEX_ECDH_RSA0x1b, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256 */
3902 {0xC079,KEX_ECDH_RSA0x1b, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384 */
3903 {0xC07A,KEX_RSA0x1e, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256 */
3904 {0xC07B,KEX_RSA0x1e, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384 */
3905 {0xC07C,KEX_DHE_RSA0x12, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 */
3906 {0xC07D,KEX_DHE_RSA0x12, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 */
3907 {0xC07E,KEX_DH_RSA0x15, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256 */
3908 {0xC07F,KEX_DH_RSA0x15, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384 */
3909 {0xC080,KEX_DHE_DSS0x10, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256 */
3910 {0xC081,KEX_DHE_DSS0x10, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384 */
3911 {0xC082,KEX_DH_DSS0x14, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256 */
3912 {0xC083,KEX_DH_DSS0x14, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384 */
3913 {0xC084,KEX_DH_ANON0x13, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256 */
3914 {0xC085,KEX_DH_ANON0x13, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384 */
3915 {0xC086,KEX_ECDHE_ECDSA0x16, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 */
3916 {0xC087,KEX_ECDHE_ECDSA0x16, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 */
3917 {0xC088,KEX_ECDH_ECDSA0x1a, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 */
3918 {0xC089,KEX_ECDH_ECDSA0x1a, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 */
3919 {0xC08A,KEX_ECDHE_RSA0x18, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 */
3920 {0xC08B,KEX_ECDHE_RSA0x18, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 */
3921 {0xC08C,KEX_ECDH_RSA0x1b, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256 */
3922 {0xC08D,KEX_ECDH_RSA0x1b, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384 */
3923 {0xC08E,KEX_PSK0x1d, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 */
3924 {0xC08F,KEX_PSK0x1d, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384 */
3925 {0xC090,KEX_DHE_PSK0x11, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256 */
3926 {0xC091,KEX_DHE_PSK0x11, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384 */
3927 {0xC092,KEX_RSA_PSK0x1f, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256 */
3928 {0xC093,KEX_RSA_PSK0x1f, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384 */
3929 {0xC094,KEX_PSK0x1d, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 */
3930 {0xC095,KEX_PSK0x1d, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384 */
3931 {0xC096,KEX_DHE_PSK0x11, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 */
3932 {0xC097,KEX_DHE_PSK0x11, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 */
3933 {0xC098,KEX_RSA_PSK0x1f, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256 */
3934 {0xC099,KEX_RSA_PSK0x1f, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384 */
3935 {0xC09A,KEX_ECDHE_PSK0x17, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 */
3936 {0xC09B,KEX_ECDHE_PSK0x17, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 */
3937 {0xC09C,KEX_RSA0x1e, ENC_AES0x35, DIG_NA0x45, MODE_CCM }, /* TLS_RSA_WITH_AES_128_CCM */
3938 {0xC09D,KEX_RSA0x1e, ENC_AES2560x36, DIG_NA0x45, MODE_CCM }, /* TLS_RSA_WITH_AES_256_CCM */
3939 {0xC09E,KEX_DHE_RSA0x12, ENC_AES0x35, DIG_NA0x45, MODE_CCM }, /* TLS_DHE_RSA_WITH_AES_128_CCM */
3940 {0xC09F,KEX_DHE_RSA0x12, ENC_AES2560x36, DIG_NA0x45, MODE_CCM }, /* TLS_DHE_RSA_WITH_AES_256_CCM */
3941 {0xC0A0,KEX_RSA0x1e, ENC_AES0x35, DIG_NA0x45, MODE_CCM_8 }, /* TLS_RSA_WITH_AES_128_CCM_8 */
3942 {0xC0A1,KEX_RSA0x1e, ENC_AES2560x36, DIG_NA0x45, MODE_CCM_8 }, /* TLS_RSA_WITH_AES_256_CCM_8 */
3943 {0xC0A2,KEX_DHE_RSA0x12, ENC_AES0x35, DIG_NA0x45, MODE_CCM_8 }, /* TLS_DHE_RSA_WITH_AES_128_CCM_8 */
3944 {0xC0A3,KEX_DHE_RSA0x12, ENC_AES2560x36, DIG_NA0x45, MODE_CCM_8 }, /* TLS_DHE_RSA_WITH_AES_256_CCM_8 */
3945 {0xC0A4,KEX_PSK0x1d, ENC_AES0x35, DIG_NA0x45, MODE_CCM }, /* TLS_PSK_WITH_AES_128_CCM */
3946 {0xC0A5,KEX_PSK0x1d, ENC_AES2560x36, DIG_NA0x45, MODE_CCM }, /* TLS_PSK_WITH_AES_256_CCM */
3947 {0xC0A6,KEX_DHE_PSK0x11, ENC_AES0x35, DIG_NA0x45, MODE_CCM }, /* TLS_DHE_PSK_WITH_AES_128_CCM */
3948 {0xC0A7,KEX_DHE_PSK0x11, ENC_AES2560x36, DIG_NA0x45, MODE_CCM }, /* TLS_DHE_PSK_WITH_AES_256_CCM */
3949 {0xC0A8,KEX_PSK0x1d, ENC_AES0x35, DIG_NA0x45, MODE_CCM_8 }, /* TLS_PSK_WITH_AES_128_CCM_8 */
3950 {0xC0A9,KEX_PSK0x1d, ENC_AES2560x36, DIG_NA0x45, MODE_CCM_8 }, /* TLS_PSK_WITH_AES_256_CCM_8 */
3951 {0xC0AA,KEX_DHE_PSK0x11, ENC_AES0x35, DIG_NA0x45, MODE_CCM_8 }, /* TLS_PSK_DHE_WITH_AES_128_CCM_8 */
3952 {0xC0AB,KEX_DHE_PSK0x11, ENC_AES2560x36, DIG_NA0x45, MODE_CCM_8 }, /* TLS_PSK_DHE_WITH_AES_256_CCM_8 */
3953 {0xC0AC,KEX_ECDHE_ECDSA0x16, ENC_AES0x35, DIG_NA0x45, MODE_CCM }, /* TLS_ECDHE_ECDSA_WITH_AES_128_CCM */
3954 {0xC0AD,KEX_ECDHE_ECDSA0x16, ENC_AES2560x36, DIG_NA0x45, MODE_CCM }, /* TLS_ECDHE_ECDSA_WITH_AES_256_CCM */
3955 {0xC0AE,KEX_ECDHE_ECDSA0x16, ENC_AES0x35, DIG_NA0x45, MODE_CCM_8 }, /* TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 */
3956 {0xC0AF,KEX_ECDHE_ECDSA0x16, ENC_AES2560x36, DIG_NA0x45, MODE_CCM_8 }, /* TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 */
3957 {0xCCA8,KEX_ECDHE_RSA0x18, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 */
3958 {0xCCA9,KEX_ECDHE_ECDSA0x16, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 */
3959 {0xCCAA,KEX_DHE_RSA0x12, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 */
3960 {0xCCAB,KEX_PSK0x1d, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_PSK_WITH_CHACHA20_POLY1305_SHA256 */
3961 {0xCCAC,KEX_ECDHE_PSK0x17, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 */
3962 {0xCCAD,KEX_DHE_PSK0x11, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 */
3963 {0xCCAE,KEX_RSA_PSK0x1f, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256 */
3964 {0xD001,KEX_ECDHE_PSK0x17, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM}, /* TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 */
3965 {0xD002,KEX_ECDHE_PSK0x17, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM}, /* TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384 */
3966 {0xD003,KEX_ECDHE_PSK0x17, ENC_AES0x35, DIG_SHA2560x42, MODE_CCM_8}, /* TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256 */
3967 {0xD005,KEX_ECDHE_PSK0x17, ENC_AES0x35, DIG_SHA2560x42, MODE_CCM}, /* TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256 */
3968 /* GM */
3969 {0xe001,KEX_ECDHE_SM20x25, ENC_SM10x3B, DIG_SM30x44, MODE_CBC}, /* ECDHE_SM1_SM3 */
3970 {0xe003,KEX_ECC_SM20x26, ENC_SM10x3B, DIG_SM30x44, MODE_CBC}, /* ECC_SM1_SM3 */
3971 {0xe005,KEX_IBSDH_SM90x27, ENC_SM10x3B, DIG_SM30x44, MODE_CBC}, /* IBSDH_SM1_SM3 */
3972 {0xe007,KEX_IBC_SM90x28, ENC_SM10x3B, DIG_SM30x44, MODE_CBC}, /* IBC_SM1_SM3 */
3973 {0xe009,KEX_RSA0x1e, ENC_SM10x3B, DIG_SM30x44, MODE_CBC}, /* RSA_SM1_SM3 */
3974 {0xe00a,KEX_RSA0x1e, ENC_SM10x3B, DIG_SHA0x41, MODE_CBC}, /* RSA_SM1_SHA1 */
3975 {0xe011,KEX_ECDHE_SM20x25, ENC_SM40x3C, DIG_SM30x44, MODE_CBC}, /* ECDHE_SM4_CBC_SM3 */
3976 {0xe013,KEX_ECC_SM20x26, ENC_SM40x3C, DIG_SM30x44, MODE_CBC}, /* ECC_SM4_CBC_SM3 */
3977 {0xe015,KEX_IBSDH_SM90x27, ENC_SM40x3C, DIG_SM30x44, MODE_CBC}, /* IBSDH_SM4_CBC_SM3 */
3978 {0xe017,KEX_IBC_SM90x28, ENC_SM40x3C, DIG_SM30x44, MODE_CBC}, /* IBC_SM4_CBC_SM3 */
3979 {0xe019,KEX_RSA0x1e, ENC_SM40x3C, DIG_SM30x44, MODE_CBC}, /* RSA_SM4_CBC_SM3 */
3980 {0xe01a,KEX_RSA0x1e, ENC_SM40x3C, DIG_SHA0x41, MODE_CBC}, /* RSA_SM4_CBC_SHA1 */
3981 {0xe01c,KEX_RSA0x1e, ENC_SM40x3C, DIG_SHA2560x42, MODE_CBC}, /* RSA_SM4_CBC_SHA256 */
3982 {0xe051,KEX_ECDHE_SM20x25, ENC_SM40x3C, DIG_SM30x44, MODE_GCM}, /* ECDHE_SM4_GCM_SM3 */
3983 {0xe053,KEX_ECC_SM20x26, ENC_SM40x3C, DIG_SM30x44, MODE_GCM}, /* ECC_SM4_GCM_SM3 */
3984 {0xe055,KEX_IBSDH_SM90x27, ENC_SM40x3C, DIG_SM30x44, MODE_GCM}, /* IBSDH_SM4_GCM_SM3 */
3985 {0xe057,KEX_IBC_SM90x28, ENC_SM40x3C, DIG_SM30x44, MODE_GCM}, /* IBC_SM4_GCM_SM3 */
3986 {0xe059,KEX_RSA0x1e, ENC_SM40x3C, DIG_SM30x44, MODE_GCM}, /* RSA_SM4_GCM_SM3 */
3987 {0xe05a,KEX_RSA0x1e, ENC_SM40x3C, DIG_SHA2560x42, MODE_GCM}, /* RSA_SM4_GCM_SHA256 */
3988 {-1, 0, 0, 0, MODE_STREAM}
3989};
3990
3991#define MAX_BLOCK_SIZE16 16
3992#define MAX_KEY_SIZE32 32
3993
3994const SslCipherSuite *
3995ssl_find_cipher(int num)
3996{
3997 const SslCipherSuite *c;
3998 for(c=cipher_suites;c->number!=-1;c++){
3999 if(c->number==num){
4000 return c;
4001 }
4002 }
4003
4004 return NULL((void*)0);
4005}
4006
4007int
4008ssl_get_cipher_algo(const SslCipherSuite *cipher_suite)
4009{
4010 return gcry_cipher_map_name(ciphers[cipher_suite->enc - ENC_START0x30]);
4011}
4012
4013unsigned
4014ssl_get_cipher_blocksize(const SslCipherSuite *cipher_suite)
4015{
4016 int cipher_algo;
4017 if (cipher_suite->mode != MODE_CBC) return 0;
4018 cipher_algo = ssl_get_cipher_by_name(ciphers[cipher_suite->enc - ENC_START0x30]);
4019 return (unsigned)gcry_cipher_get_algo_blklen(cipher_algo);
4020}
4021
4022static unsigned
4023ssl_get_cipher_export_keymat_size(int cipher_suite_num)
4024{
4025 switch (cipher_suite_num) {
4026 /* See RFC 6101 (SSL 3.0), Table 2, column Key Material. */
4027 case 0x0003: /* TLS_RSA_EXPORT_WITH_RC4_40_MD5 */
4028 case 0x0006: /* TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 */
4029 case 0x0008: /* TLS_RSA_EXPORT_WITH_DES40_CBC_SHA */
4030 case 0x000B: /* TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA */
4031 case 0x000E: /* TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA */
4032 case 0x0011: /* TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA */
4033 case 0x0014: /* TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA */
4034 case 0x0017: /* TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 */
4035 case 0x0019: /* TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA */
4036 return 5;
4037
4038 /* not defined in below draft, but "implemented by several vendors",
4039 * https://www.ietf.org/mail-archive/web/tls/current/msg00036.html */
4040 case 0x0060: /* TLS_RSA_EXPORT1024_WITH_RC4_56_MD5 */
4041 case 0x0061: /* TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 */
4042 return 7;
4043
4044 /* Note: the draft states that DES_CBC needs 8 bytes, but Wireshark always
4045 * used 7. Until a pcap proves 8, let's use the old value. Link:
4046 * https://tools.ietf.org/html/draft-ietf-tls-56-bit-ciphersuites-01 */
4047 case 0x0062: /* TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA */
4048 case 0x0063: /* TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA */
4049 case 0x0064: /* TLS_RSA_EXPORT1024_WITH_RC4_56_SHA */
4050 case 0x0065: /* TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA */
4051 return 7;
4052
4053 default:
4054 return 0;
4055 }
4056}
4057
4058/* Digests, Ciphers and Cipher Suites registry }}} */
4059
4060
4061/* HMAC and the Pseudorandom function {{{ */
4062static int
4063tls_hash(StringInfo *secret, StringInfo *seed, int md,
4064 StringInfo *out, unsigned out_len)
4065{
4066 /* RFC 2246 5. HMAC and the pseudorandom function
4067 * '+' denotes concatenation.
4068 * P_hash(secret, seed) = HMAC_hash(secret, A(1) + seed) +
4069 * HMAC_hash(secret, A(2) + seed) + ...
4070 * A(0) = seed
4071 * A(i) = HMAC_hash(secret, A(i - 1))
4072 */
4073 uint8_t *ptr;
4074 unsigned left, tocpy;
4075 uint8_t *A;
4076 uint8_t _A[DIGEST_MAX_SIZE48], tmp[DIGEST_MAX_SIZE48];
4077 unsigned A_l, tmp_l;
4078 SSL_HMACgcry_md_hd_t hm;
4079
4080 ptr = out->data;
4081 left = out_len;
4082
4083 ssl_print_string("tls_hash: hash secret", secret);
4084 ssl_print_string("tls_hash: hash seed", seed);
4085 /* A(0) = seed */
4086 A = seed->data;
4087 A_l = seed->data_len;
4088
4089 if (ssl_hmac_init(&hm, md) != 0) {
4090 return -1;
4091 }
4092 while (left) {
4093 /* A(i) = HMAC_hash(secret, A(i-1)) */
4094 ssl_hmac_setkey(&hm, secret->data, secret->data_len);
4095 ssl_hmac_update(&hm, A, A_l);
4096 A_l = sizeof(_A); /* upper bound len for hash output */
4097 ssl_hmac_final(&hm, _A, &A_l);
4098 A = _A;
4099
4100 /* HMAC_hash(secret, A(i) + seed) */
4101 ssl_hmac_reset(&hm);
4102 ssl_hmac_setkey(&hm, secret->data, secret->data_len);
4103 ssl_hmac_update(&hm, A, A_l);
4104 ssl_hmac_update(&hm, seed->data, seed->data_len);
4105 tmp_l = sizeof(tmp); /* upper bound len for hash output */
4106 ssl_hmac_final(&hm, tmp, &tmp_l);
4107 ssl_hmac_reset(&hm);
4108
4109 /* ssl_hmac_final puts the actual digest output size in tmp_l */
4110 tocpy = MIN(left, tmp_l)(((left) < (tmp_l)) ? (left) : (tmp_l));
4111 memcpy(ptr, tmp, tocpy);
4112 ptr += tocpy;
4113 left -= tocpy;
4114 }
4115 ssl_hmac_cleanup(&hm);
4116 out->data_len = out_len;
4117
4118 ssl_print_string("hash out", out);
4119 return 0;
4120}
4121
4122static bool_Bool
4123tls_prf(StringInfo* secret, const char *usage,
4124 StringInfo* rnd1, StringInfo* rnd2, StringInfo* out, unsigned out_len)
4125{
4126 StringInfo seed, sha_out, md5_out;
4127 uint8_t *ptr;
4128 StringInfo s1, s2;
4129 unsigned i,s_l;
4130 size_t usage_len, rnd2_len;
4131 bool_Bool success = false0;
4132 usage_len = strlen(usage);
4133 rnd2_len = rnd2 ? rnd2->data_len : 0;
4134
4135 /* initialize buffer for sha, md5 random seed*/
4136 if (ssl_data_alloc(&sha_out, MAX(out_len, 20)(((out_len) > (20)) ? (out_len) : (20))) < 0) {
4137 ssl_debug_printf("tls_prf: can't allocate sha out\n");
4138 return false0;
4139 }
4140 if (ssl_data_alloc(&md5_out, MAX(out_len, 16)(((out_len) > (16)) ? (out_len) : (16))) < 0) {
4141 ssl_debug_printf("tls_prf: can't allocate md5 out\n");
4142 goto free_sha;
4143 }
4144 if (ssl_data_alloc(&seed, usage_len+rnd1->data_len+rnd2_len) < 0) {
4145 ssl_debug_printf("tls_prf: can't allocate rnd %d\n",
4146 (int) (usage_len+rnd1->data_len+rnd2_len));
4147 goto free_md5;
4148 }
4149
4150 ptr=seed.data;
4151 memcpy(ptr,usage,usage_len);
4152 ptr+=usage_len;
4153 memcpy(ptr,rnd1->data,rnd1->data_len);
4154 if (rnd2_len > 0) {
4155 ptr+=rnd1->data_len;
4156 memcpy(ptr,rnd2->data,rnd2->data_len);
4157 /*ptr+=rnd2->data_len;*/
4158 }
4159
4160 /* initialize buffer for client/server seeds*/
4161 s_l=secret->data_len/2 + secret->data_len%2;
4162 if (ssl_data_alloc(&s1, s_l) < 0) {
4163 ssl_debug_printf("tls_prf: can't allocate secret %d\n", s_l);
4164 goto free_seed;
4165 }
4166 if (ssl_data_alloc(&s2, s_l) < 0) {
4167 ssl_debug_printf("tls_prf: can't allocate secret(2) %d\n", s_l);
4168 goto free_s1;
4169 }
4170
4171 memcpy(s1.data,secret->data,s_l);
4172 memcpy(s2.data,secret->data + (secret->data_len - s_l),s_l);
4173
4174 ssl_debug_printf("tls_prf: tls_hash(md5 secret_len %d seed_len %d )\n", s1.data_len, seed.data_len);
4175 if(tls_hash(&s1, &seed, ssl_get_digest_by_name("MD5"), &md5_out, out_len) != 0)
4176 goto free_s2;
4177 ssl_debug_printf("tls_prf: tls_hash(sha)\n");
4178 if(tls_hash(&s2, &seed, ssl_get_digest_by_name("SHA1"), &sha_out, out_len) != 0)
4179 goto free_s2;
4180
4181 for (i = 0; i < out_len; i++)
4182 out->data[i] = md5_out.data[i] ^ sha_out.data[i];
4183 /* success, now store the new meaningful data length */
4184 out->data_len = out_len;
4185 success = true1;
4186
4187 ssl_print_string("PRF out",out);
4188free_s2:
4189 g_free(s2.data);
4190free_s1:
4191 g_free(s1.data);
4192free_seed:
4193 g_free(seed.data);
4194free_md5:
4195 g_free(md5_out.data);
4196free_sha:
4197 g_free(sha_out.data);
4198 return success;
4199}
4200
4201static bool_Bool
4202tls12_prf(int md, StringInfo* secret, const char* usage,
4203 StringInfo* rnd1, StringInfo* rnd2, StringInfo* out, unsigned out_len)
4204{
4205 StringInfo label_seed;
4206 int success;
4207 size_t usage_len, rnd2_len;
4208 rnd2_len = rnd2 ? rnd2->data_len : 0;
4209
4210 usage_len = strlen(usage);
4211 if (ssl_data_alloc(&label_seed, usage_len+rnd1->data_len+rnd2_len) < 0) {
4212 ssl_debug_printf("tls12_prf: can't allocate label_seed\n");
4213 return false0;
4214 }
4215 memcpy(label_seed.data, usage, usage_len);
4216 memcpy(label_seed.data+usage_len, rnd1->data, rnd1->data_len);
4217 if (rnd2_len > 0)
4218 memcpy(label_seed.data+usage_len+rnd1->data_len, rnd2->data, rnd2->data_len);
4219
4220 ssl_debug_printf("tls12_prf: tls_hash(hash_alg %s secret_len %d seed_len %d )\n", gcry_md_algo_name(md), secret->data_len, label_seed.data_len);
4221 success = tls_hash(secret, &label_seed, md, out, out_len);
4222 g_free(label_seed.data);
4223 if(success != -1){
4224 ssl_print_string("PRF out", out);
4225 return true1;
4226 }
4227 return false0;
4228}
4229
4230static bool_Bool
4231ssl3_generate_export_iv(StringInfo *r1, StringInfo *r2,
4232 StringInfo *out, unsigned out_len)
4233{
4234 SSL_MD5_CTXgcry_md_hd_t md5;
4235 uint8_t tmp[16];
4236
4237 if (ssl_md5_init(&md5) != 0) {
4238 return false0;
4239 }
4240 ssl_md5_update(&md5,r1->data,r1->data_len);
4241 ssl_md5_update(&md5,r2->data,r2->data_len);
4242 ssl_md5_final(tmp,&md5);
4243 ssl_md5_cleanup(&md5);
4244
4245 DISSECTOR_ASSERT(out_len <= sizeof(tmp))((void) ((out_len <= sizeof(tmp)) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 4245, "out_len <= sizeof(tmp)"))));
4246 ssl_data_set(out, tmp, out_len);
4247 ssl_print_string("export iv", out);
4248 return true1;
4249}
4250
4251static bool_Bool
4252ssl3_prf(StringInfo* secret, const char* usage,
4253 StringInfo* rnd1, StringInfo* rnd2, StringInfo* out, unsigned out_len)
4254{
4255 SSL_MD5_CTXgcry_md_hd_t md5;
4256 SSL_SHA_CTXgcry_md_hd_t sha;
4257 unsigned off;
4258 int i = 0,j;
4259 uint8_t buf[20];
4260
4261 if (ssl_sha_init(&sha) != 0) {
4262 return false0;
4263 }
4264 if (ssl_md5_init(&md5) != 0) {
4265 ssl_sha_cleanup(&sha);
4266 return false0;
4267 }
4268 for (off = 0; off < out_len; off += 16) {
4269 unsigned char outbuf[16];
4270 i++;
4271
4272 ssl_debug_printf("ssl3_prf: sha1_hash(%d)\n",i);
4273 /* A, BB, CCC, ... */
4274 for(j=0;j<i;j++){
4275 buf[j]=64+i;
4276 }
4277
4278 ssl_sha_update(&sha,buf,i);
4279 ssl_sha_update(&sha,secret->data,secret->data_len);
4280
4281 if(!strcmp(usage,"client write key") || !strcmp(usage,"server write key")){
4282 if (rnd2)
4283 ssl_sha_update(&sha,rnd2->data,rnd2->data_len);
4284 ssl_sha_update(&sha,rnd1->data,rnd1->data_len);
4285 }
4286 else{
4287 ssl_sha_update(&sha,rnd1->data,rnd1->data_len);
4288 if (rnd2)
4289 ssl_sha_update(&sha,rnd2->data,rnd2->data_len);
4290 }
4291
4292 ssl_sha_final(buf,&sha);
4293 ssl_sha_reset(&sha);
4294
4295 ssl_debug_printf("ssl3_prf: md5_hash(%d) datalen %d\n",i,
4296 secret->data_len);
4297 ssl_md5_update(&md5,secret->data,secret->data_len);
4298 ssl_md5_update(&md5,buf,20);
4299 ssl_md5_final(outbuf,&md5);
4300 ssl_md5_reset(&md5);
4301
4302 memcpy(out->data + off, outbuf, MIN(out_len - off, 16)(((out_len - off) < (16)) ? (out_len - off) : (16)));
4303 }
4304 ssl_sha_cleanup(&sha);
4305 ssl_md5_cleanup(&md5);
4306 out->data_len = out_len;
4307
4308 return true1;
4309}
4310
4311/* out_len is the wanted output length for the pseudorandom function.
4312 * Ensure that ssl->cipher_suite is set. */
4313static bool_Bool
4314prf(SslDecryptSession *ssl, StringInfo *secret, const char *usage,
4315 StringInfo *rnd1, StringInfo *rnd2, StringInfo *out, unsigned out_len)
4316{
4317 switch (ssl->session.version) {
4318 case SSLV3_VERSION0x300:
4319 return ssl3_prf(secret, usage, rnd1, rnd2, out, out_len);
4320
4321 case TLSV1_VERSION0x301:
4322 case TLSV1DOT1_VERSION0x302:
4323 case DTLSV1DOT0_VERSION0xfeff:
4324 case DTLSV1DOT0_OPENSSL_VERSION0x100:
4325 return tls_prf(secret, usage, rnd1, rnd2, out, out_len);
4326
4327 default: /* TLSv1.2 */
4328 switch (ssl->cipher_suite->dig) {
4329 case DIG_SM30x44:
4330#if GCRYPT_VERSION_NUMBER0x010a03 >= 0x010900
4331 return tls12_prf(GCRY_MD_SM3, secret, usage, rnd1, rnd2,
4332 out, out_len);
4333#else
4334 return false0;
4335#endif
4336 case DIG_SHA3840x43:
4337 return tls12_prf(GCRY_MD_SHA384, secret, usage, rnd1, rnd2,
4338 out, out_len);
4339 default:
4340 return tls12_prf(GCRY_MD_SHA256, secret, usage, rnd1, rnd2,
4341 out, out_len);
4342 }
4343 }
4344}
4345
4346static int tls_handshake_hash(SslDecryptSession* ssl, StringInfo* out)
4347{
4348 SSL_MD5_CTXgcry_md_hd_t md5;
4349 SSL_SHA_CTXgcry_md_hd_t sha;
4350
4351 if (ssl_data_alloc(out, 36) < 0)
21
Calling 'ssl_data_alloc'
25
Returned allocated memory
26
Taking false branch
4352 return -1;
4353
4354 if (ssl_md5_init(&md5) != 0)
27
Taking true branch
4355 return -1;
4356 ssl_md5_update(&md5,ssl->handshake_data.data,ssl->handshake_data.data_len);
4357 ssl_md5_final(out->data,&md5);
4358 ssl_md5_cleanup(&md5);
4359
4360 if (ssl_sha_init(&sha) != 0)
4361 return -1;
4362 ssl_sha_update(&sha,ssl->handshake_data.data,ssl->handshake_data.data_len);
4363 ssl_sha_final(out->data+16,&sha);
4364 ssl_sha_cleanup(&sha);
4365 return 0;
4366}
4367
4368static int tls12_handshake_hash(SslDecryptSession* ssl, int md, StringInfo* out)
4369{
4370 SSL_MDgcry_md_hd_t mc;
4371 uint8_t tmp[48];
4372 unsigned len;
4373
4374 if (ssl_md_init(&mc, md) != 0)
4375 return -1;
4376 ssl_md_update(&mc,ssl->handshake_data.data,ssl->handshake_data.data_len);
4377 ssl_md_final(&mc, tmp, &len);
4378 ssl_md_cleanup(&mc);
4379
4380 if (ssl_data_alloc(out, len) < 0)
4381 return -1;
4382 memcpy(out->data, tmp, len);
4383 return 0;
4384}
4385
4386/**
4387 * Obtains the label prefix used in HKDF-Expand-Label. This function can be
4388 * inlined and removed once support for draft 19 and before is dropped.
4389 */
4390static inline const char *
4391tls13_hkdf_label_prefix(SslDecryptSession *ssl_session)
4392{
4393 if (ssl_session->session.tls13_draft_version && ssl_session->session.tls13_draft_version < 20) {
4394 return "TLS 1.3, ";
4395 } else if (ssl_session->session.version == DTLSV1DOT3_VERSION0xfefc) {
4396 return "dtls13";
4397 } else {
4398 return "tls13 ";
4399 }
4400}
4401
4402/*
4403 * Computes HKDF-Expand-Label(Secret, Label, Hash(context_value), Length) with a
4404 * custom label prefix. If "context_hash" is NULL, then an empty context is
4405 * used. Otherwise it must have the same length as the hash algorithm output.
4406 */
4407bool_Bool
4408tls13_hkdf_expand_label_context(int md, const StringInfo *secret,
4409 const char *label_prefix, const char *label,
4410 const uint8_t *context_hash, uint8_t context_length,
4411 uint16_t out_len, unsigned char **out)
4412{
4413 /* RFC 8446 Section 7.1:
4414 * HKDF-Expand-Label(Secret, Label, Context, Length) =
4415 * HKDF-Expand(Secret, HkdfLabel, Length)
4416 * struct {
4417 * uint16 length = Length;
4418 * opaque label<7..255> = "tls13 " + Label; // "tls13 " is label prefix.
4419 * opaque context<0..255> = Context;
4420 * } HkdfLabel;
4421 *
4422 * RFC 5869 HMAC-based Extract-and-Expand Key Derivation Function (HKDF):
4423 * HKDF-Expand(PRK, info, L) -> OKM
4424 */
4425 gcry_error_t err;
4426 const unsigned label_prefix_length = (unsigned) strlen(label_prefix);
4427 const unsigned label_length = (unsigned) strlen(label);
4428
4429 /* Some sanity checks */
4430 DISSECTOR_ASSERT(label_length > 0 && label_prefix_length + label_length <= 255)((void) ((label_length > 0 && label_prefix_length +
label_length <= 255) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 4430, "label_length > 0 && label_prefix_length + label_length <= 255"
))));
4431
4432 /* info = HkdfLabel { length, label, context } */
4433 GByteArray *info = g_byte_array_new();
4434 const uint16_t length = g_htons(out_len)(((((guint16) ( (guint16) ((guint16) (out_len) >> 8) | (
guint16) ((guint16) (out_len) << 8))))));
4435 g_byte_array_append(info, (const uint8_t *)&length, sizeof(length));
4436
4437 const uint8_t label_vector_length = label_prefix_length + label_length;
4438 g_byte_array_append(info, &label_vector_length, 1);
4439 g_byte_array_append(info, (const uint8_t *)label_prefix, label_prefix_length);
4440 g_byte_array_append(info, (const uint8_t*)label, label_length);
4441
4442 g_byte_array_append(info, &context_length, 1);
4443 if (context_length) {
4444 g_byte_array_append(info, context_hash, context_length);
4445 }
4446
4447 *out = (unsigned char *)wmem_alloc(NULL((void*)0), out_len);
4448 err = hkdf_expand(md, secret->data, secret->data_len, info->data, info->len, *out, out_len);
4449 g_byte_array_free(info, true1);
4450
4451 if (err) {
4452 ssl_debug_printf("%s failed %d: %s\n", G_STRFUNC((const char*) (__func__)), md, gcry_strerror(err));
4453 wmem_free(NULL((void*)0), *out);
4454 *out = NULL((void*)0);
4455 return false0;
4456 }
4457
4458 return true1;
4459}
4460
4461bool_Bool
4462tls13_hkdf_expand_label(int md, const StringInfo *secret,
4463 const char *label_prefix, const char *label,
4464 uint16_t out_len, unsigned char **out)
4465{
4466 return tls13_hkdf_expand_label_context(md, secret, label_prefix, label, NULL((void*)0), 0, out_len, out);
4467}
4468/* HMAC and the Pseudorandom function }}} */
4469
4470/* Record Decompression (after decryption) {{{ */
4471#ifdef USE_ZLIB_OR_ZLIBNG
4472/* memory allocation functions for zlib initialization */
4473static void* ssl_zalloc(void* opaque _U___attribute__((unused)), unsigned int no, unsigned int size)
4474{
4475 return g_malloc0(no*size);
4476}
4477static void ssl_zfree(void* opaque _U___attribute__((unused)), void* addr)
4478{
4479 g_free(addr);
4480}
4481#endif /* USE_ZLIB_OR_ZLIBNG */
4482
4483static SslDecompress*
4484ssl_create_decompressor(int compression)
4485{
4486 SslDecompress *decomp;
4487#ifdef USE_ZLIB_OR_ZLIBNG
4488 int err;
4489#endif
4490
4491 if (compression == 0) return NULL((void*)0);
4492 ssl_debug_printf("ssl_create_decompressor: compression method %d\n", compression);
4493 decomp = wmem_new(wmem_file_scope(), SslDecompress)((SslDecompress*)wmem_alloc((wmem_file_scope()), sizeof(SslDecompress
)));
4494 decomp->compression = compression;
4495 switch (decomp->compression) {
4496#ifdef USE_ZLIB_OR_ZLIBNG
4497 case 1: /* DEFLATE */
4498 decomp->istream.zalloc = ssl_zalloc;
4499 decomp->istream.zfree = ssl_zfree;
4500 decomp->istream.opaque = Z_NULL0;
4501 decomp->istream.next_in = Z_NULL0;
4502 decomp->istream.next_out = Z_NULL0;
4503 decomp->istream.avail_in = 0;
4504 decomp->istream.avail_out = 0;
4505 err = ZLIB_PREFIX(inflateInit)(&decomp->istream)inflateInit_((&decomp->istream), "1.3", (int)sizeof(z_stream
));
4506 if (err != Z_OK0) {
4507 ssl_debug_printf("ssl_create_decompressor: inflateInit_() failed - %d\n", err);
4508 return NULL((void*)0);
4509 }
4510 break;
4511#endif /* USE_ZLIB_OR_ZLIBNG */
4512 default:
4513 ssl_debug_printf("ssl_create_decompressor: unsupported compression method %d\n", decomp->compression);
4514 return NULL((void*)0);
4515 }
4516 return decomp;
4517}
4518
4519#ifdef USE_ZLIB_OR_ZLIBNG
4520static int
4521ssl_decompress_record(SslDecompress* decomp, const unsigned char* in, unsigned inl, StringInfo* out_str, unsigned* outl)
4522{
4523 int err;
4524
4525 switch (decomp->compression) {
4526 case 1: /* DEFLATE */
4527 err = Z_OK0;
4528 if (out_str->data_len < 16384) { /* maximal plain length */
4529 ssl_data_realloc(out_str, 16384);
4530 }
4531#ifdef z_constconst
4532 decomp->istream.next_in = in;
4533#else
4534DIAG_OFF(cast-qual)clang diagnostic push clang diagnostic ignored "-Wcast-qual"
4535 decomp->istream.next_in = (Bytef *)in;
4536DIAG_ON(cast-qual)clang diagnostic pop
4537#endif
4538 decomp->istream.avail_in = inl;
4539 decomp->istream.next_out = out_str->data;
4540 decomp->istream.avail_out = out_str->data_len;
4541 if (inl > 0)
4542 err = ZLIB_PREFIX(inflate)inflate(&decomp->istream, Z_SYNC_FLUSH2);
4543 if (err != Z_OK0) {
4544 ssl_debug_printf("ssl_decompress_record: inflate() failed - %d\n", err);
4545 return -1;
4546 }
4547 *outl = out_str->data_len - decomp->istream.avail_out;
4548 break;
4549 default:
4550 ssl_debug_printf("ssl_decompress_record: unsupported compression method %d\n", decomp->compression);
4551 return -1;
4552 }
4553 return 0;
4554}
4555#else /* USE_ZLIB_OR_ZLIBNG */
4556int
4557ssl_decompress_record(SslDecompress* decomp _U___attribute__((unused)), const unsigned char* in _U___attribute__((unused)), unsigned inl _U___attribute__((unused)), StringInfo* out_str _U___attribute__((unused)), unsigned* outl _U___attribute__((unused)))
4558{
4559 ssl_debug_printf("ssl_decompress_record: unsupported compression method %d\n", decomp->compression);
4560 return -1;
4561}
4562#endif /* USE_ZLIB_OR_ZLIBNG */
4563/* Record Decompression (after decryption) }}} */
4564
4565/* Create a new structure to store decrypted chunks. {{{ */
4566static SslFlow*
4567ssl_create_flow(void)
4568{
4569 SslFlow *flow;
4570
4571 flow = wmem_new(wmem_file_scope(), SslFlow)((SslFlow*)wmem_alloc((wmem_file_scope()), sizeof(SslFlow)));
4572 flow->byte_seq = 0;
4573 flow->flags = 0;
4574 flow->multisegment_pdus = wmem_tree_new(wmem_file_scope());
4575 return flow;
4576}
4577/* }}} */
4578
4579/* Use the negotiated security parameters for decryption. {{{ */
4580void
4581ssl_change_cipher(SslDecryptSession *ssl_session, bool_Bool server)
4582{
4583 SslDecoder **new_decoder = server ? &ssl_session->server_new : &ssl_session->client_new;
4584 SslDecoder **dest = server ? &ssl_session->server : &ssl_session->client;
4585 ssl_debug_printf("ssl_change_cipher %s%s\n", server ? "SERVER" : "CLIENT",
4586 *new_decoder ? "" : " (No decoder found - retransmission?)");
4587 if (*new_decoder) {
4588 *dest = *new_decoder;
4589 *new_decoder = NULL((void*)0);
4590 }
4591}
4592/* }}} */
4593
4594/* Init cipher state given some security parameters. {{{ */
4595static bool_Bool
4596ssl_decoder_destroy_cb(wmem_allocator_t *, wmem_cb_event_t, void *);
4597
4598static SslDecoder*
4599ssl_create_decoder(const SslCipherSuite *cipher_suite, int cipher_algo,
4600 int compression, uint8_t *mk, uint8_t *sk, uint8_t *sn_key, uint8_t *iv, unsigned iv_length)
4601{
4602 SslDecoder *dec;
4603 ssl_cipher_mode_t mode = cipher_suite->mode;
4604
4605 dec = wmem_new0(wmem_file_scope(), SslDecoder)((SslDecoder*)wmem_alloc0((wmem_file_scope()), sizeof(SslDecoder
)));
4606 /* init mac buffer: mac storage is embedded into decoder struct to save a
4607 memory allocation and waste samo more memory*/
4608 dec->cipher_suite=cipher_suite;
4609 dec->compression = compression;
4610 if ((mode == MODE_STREAM && mk != NULL((void*)0)) || mode == MODE_CBC) {
4611 // AEAD ciphers use no MAC key, but stream and block ciphers do. Note
4612 // the special case for NULL ciphers, even if there is insufficiency
4613 // keying material (including MAC key), we will can still create
4614 // decoders since "decryption" is easy for such ciphers.
4615 dec->mac_key.data = dec->_mac_key_or_write_iv;
4616 ssl_data_set(&dec->mac_key, mk, ssl_cipher_suite_dig(cipher_suite)->len);
4617 } else if (mode == MODE_GCM || mode == MODE_CCM || mode == MODE_CCM_8 || mode == MODE_POLY1305) {
4618 // Input for the nonce, to be used with AEAD ciphers.
4619 DISSECTOR_ASSERT(iv_length <= sizeof(dec->_mac_key_or_write_iv))((void) ((iv_length <= sizeof(dec->_mac_key_or_write_iv
)) ? (void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\""
, "epan/dissectors/packet-tls-utils.c", 4619, "iv_length <= sizeof(dec->_mac_key_or_write_iv)"
))));
4620 dec->write_iv.data = dec->_mac_key_or_write_iv;
4621 ssl_data_set(&dec->write_iv, iv, iv_length);
4622 }
4623 dec->seq = 0;
4624 dec->decomp = ssl_create_decompressor(compression);
4625 wmem_register_callback(wmem_file_scope(), ssl_decoder_destroy_cb, dec);
4626
4627 if (ssl_cipher_init(&dec->evp,cipher_algo,sk,iv,cipher_suite->mode) < 0) {
4628 ssl_debug_printf("%s: can't create cipher id:%d mode:%d\n", G_STRFUNC((const char*) (__func__)),
4629 cipher_algo, cipher_suite->mode);
4630 return NULL((void*)0);
4631 }
4632
4633 if (cipher_suite->enc != ENC_NULL0x3D && sn_key != NULL((void*)0)) {
4634 if (cipher_suite->enc == ENC_AES0x35 || cipher_suite->enc == ENC_AES2560x36) {
4635 mode = MODE_ECB;
4636 } else if (cipher_suite->enc == ENC_CHACHA200x3A) {
4637 mode = MODE_STREAM;
4638 } else {
4639 ssl_debug_printf("not supported encryption algorithm for DTLSv1.3\n");
4640 return NULL((void*)0);
4641 }
4642
4643 if (ssl_cipher_init(&dec->sn_evp, cipher_algo, sn_key, NULL((void*)0), mode) < 0) {
4644 ssl_debug_printf("%s: can't create cipher id:%d mode:%d for seq number decryption\n", G_STRFUNC((const char*) (__func__)),
4645 cipher_algo, MODE_ECB);
4646 ssl_cipher_cleanup(&dec->evp);
4647 dec->evp = NULL((void*)0);
4648 return NULL((void*)0);
4649 }
4650 } else {
4651 dec->sn_evp = NULL((void*)0);
4652 }
4653
4654 dec->dtls13_aad.data = NULL((void*)0);
4655 dec->dtls13_aad.data_len = 0;
4656 ssl_debug_printf("decoder initialized (digest len %d)\n", ssl_cipher_suite_dig(cipher_suite)->len);
4657 return dec;
4658}
4659
4660static bool_Bool
4661ssl_decoder_destroy_cb(wmem_allocator_t *allocator _U___attribute__((unused)), wmem_cb_event_t event _U___attribute__((unused)), void *user_data)
4662{
4663 SslDecoder *dec = (SslDecoder *) user_data;
4664
4665 if (dec->evp)
4666 ssl_cipher_cleanup(&dec->evp);
4667 if (dec->sn_evp)
4668 ssl_cipher_cleanup(&dec->sn_evp);
4669
4670#ifdef USE_ZLIB_OR_ZLIBNG
4671 if (dec->decomp != NULL((void*)0) && dec->decomp->compression == 1 /* DEFLATE */)
4672 ZLIB_PREFIX(inflateEnd)inflateEnd(&dec->decomp->istream);
4673#endif
4674
4675 return false0;
4676}
4677/* }}} */
4678
4679/* (Pre-)master secrets calculations {{{ */
4680#ifdef HAVE_LIBGNUTLS1
4681static bool_Bool
4682ssl_decrypt_pre_master_secret(SslDecryptSession *ssl_session,
4683 StringInfo *encrypted_pre_master,
4684 GHashTable *key_hash);
4685#endif /* HAVE_LIBGNUTLS */
4686
4687static bool_Bool
4688ssl_restore_master_key(SslDecryptSession *ssl, const char *label,
4689 bool_Bool is_pre_master, GHashTable *ht, StringInfo *key);
4690
4691bool_Bool
4692ssl_generate_pre_master_secret(SslDecryptSession *ssl_session,
4693 uint32_t length, tvbuff_t *tvb, uint32_t offset,
4694 const char *ssl_psk, packet_info *pinfo,
4695#ifdef HAVE_LIBGNUTLS1
4696 GHashTable *key_hash,
4697#endif
4698 const ssl_master_key_map_t *mk_map)
4699{
4700 /* check for required session data */
4701 ssl_debug_printf("%s: found SSL_HND_CLIENT_KEY_EXCHG, state %X\n",
4702 G_STRFUNC((const char*) (__func__)), ssl_session->state);
4703 if ((ssl_session->state & (SSL_CIPHER(1<<2)|SSL_CLIENT_RANDOM(1<<0)|SSL_SERVER_RANDOM(1<<1)|SSL_VERSION(1<<4))) !=
4704 (SSL_CIPHER(1<<2)|SSL_CLIENT_RANDOM(1<<0)|SSL_SERVER_RANDOM(1<<1)|SSL_VERSION(1<<4))) {
4705 ssl_debug_printf("%s: not enough data to generate key (required state %X)\n", G_STRFUNC((const char*) (__func__)),
4706 (SSL_CIPHER(1<<2)|SSL_CLIENT_RANDOM(1<<0)|SSL_SERVER_RANDOM(1<<1)|SSL_VERSION(1<<4)));
4707 return false0;
4708 }
4709
4710 if (ssl_session->session.version == TLSV1DOT3_VERSION0x304) {
4711 ssl_debug_printf("%s: detected TLS 1.3 which has no pre-master secrets\n", G_STRFUNC((const char*) (__func__)));
4712 return false0;
4713 }
4714
4715 /* check to see if the PMS was provided to us*/
4716 if (ssl_restore_master_key(ssl_session, "Unencrypted pre-master secret", true1,
4717 mk_map->pms, &ssl_session->client_random)) {
4718 return true1;
4719 }
4720
4721 if (ssl_session->cipher_suite->kex == KEX_PSK0x1d)
4722 {
4723 /* calculate pre master secret*/
4724 StringInfo pre_master_secret;
4725 unsigned psk_len, pre_master_len;
4726
4727 if (!ssl_psk || (ssl_psk[0] == 0)) {
4728 ssl_debug_printf("%s: can't find pre-shared key\n", G_STRFUNC((const char*) (__func__)));
4729 return false0;
4730 }
4731
4732 /* convert hex string into char*/
4733 if (!from_hex(&ssl_session->psk, ssl_psk, strlen(ssl_psk))) {
4734 ssl_debug_printf("%s: ssl.psk/dtls.psk contains invalid hex\n",
4735 G_STRFUNC((const char*) (__func__)));
4736 return false0;
4737 }
4738
4739 psk_len = ssl_session->psk.data_len;
4740 if (psk_len >= (2 << 15)) {
4741 ssl_debug_printf("%s: ssl.psk/dtls.psk must not be larger than 2^15 - 1\n",
4742 G_STRFUNC((const char*) (__func__)));
4743 return false0;
4744 }
4745
4746
4747 pre_master_len = psk_len * 2 + 4;
4748
4749 pre_master_secret.data = (unsigned char *)wmem_alloc(wmem_file_scope(), pre_master_len);
4750 pre_master_secret.data_len = pre_master_len;
4751 /* 2 bytes psk_len*/
4752 pre_master_secret.data[0] = psk_len >> 8;
4753 pre_master_secret.data[1] = psk_len & 0xFF;
4754 /* psk_len bytes times 0*/
4755 memset(&pre_master_secret.data[2], 0, psk_len);
4756 /* 2 bytes psk_len*/
4757 pre_master_secret.data[psk_len + 2] = psk_len >> 8;
4758 pre_master_secret.data[psk_len + 3] = psk_len & 0xFF;
4759 /* psk*/
4760 memcpy(&pre_master_secret.data[psk_len + 4], ssl_session->psk.data, psk_len);
4761
4762 ssl_session->pre_master_secret.data = pre_master_secret.data;
4763 ssl_session->pre_master_secret.data_len = pre_master_len;
4764 /*ssl_debug_printf("pre master secret",&ssl->pre_master_secret);*/
4765
4766 /* Remove the master secret if it was there.
4767 This forces keying material regeneration in
4768 case we're renegotiating */
4769 ssl_session->state &= ~(SSL_MASTER_SECRET(1<<5)|SSL_HAVE_SESSION_KEY(1<<3));
4770 ssl_session->state |= SSL_PRE_MASTER_SECRET(1<<6);
4771 return true1;
4772 }
4773 else
4774 {
4775 unsigned encrlen, skip;
4776 encrlen = length;
4777 skip = 0;
4778
4779 /* get encrypted data, on tls1 we have to skip two bytes
4780 * (it's the encrypted len and should be equal to record len - 2)
4781 * in case of rsa1024 that would be 128 + 2 = 130; for psk not necessary
4782 */
4783 if (ssl_session->cipher_suite->kex == KEX_RSA0x1e &&
4784 (ssl_session->session.version == TLSV1_VERSION0x301 ||
4785 ssl_session->session.version == TLSV1DOT1_VERSION0x302 ||
4786 ssl_session->session.version == TLSV1DOT2_VERSION0x303 ||
4787 ssl_session->session.version == DTLSV1DOT0_VERSION0xfeff ||
4788 ssl_session->session.version == DTLSV1DOT2_VERSION0xfefd ||
4789 ssl_session->session.version == TLCPV1_VERSION0x101 ))
4790 {
4791 encrlen = tvb_get_ntohs(tvb, offset);
4792 skip = 2;
4793 if (encrlen > length - 2)
4794 {
4795 ssl_debug_printf("%s: wrong encrypted length (%d max %d)\n",
4796 G_STRFUNC((const char*) (__func__)), encrlen, length);
4797 return false0;
4798 }
4799 }
4800 /* the valid lower bound is higher than 8, but it is sufficient for the
4801 * ssl keylog file below */
4802 if (encrlen < 8) {
4803 ssl_debug_printf("%s: invalid encrypted pre-master key length %d\n",
4804 G_STRFUNC((const char*) (__func__)), encrlen);
4805 return false0;
4806 }
4807
4808 StringInfo encrypted_pre_master = {
4809 .data = (unsigned char *)tvb_memdup(pinfo->pool, tvb, offset + skip, encrlen),
4810 .data_len = encrlen,
4811 };
4812
4813#ifdef HAVE_LIBGNUTLS1
4814 /* Try to lookup an appropriate RSA private key to decrypt the Encrypted Pre-Master Secret. */
4815 if (ssl_session->cert_key_id) {
4816 if (ssl_decrypt_pre_master_secret(ssl_session, &encrypted_pre_master, key_hash))
4817 return true1;
4818
4819 ssl_debug_printf("%s: can't decrypt pre-master secret\n",
4820 G_STRFUNC((const char*) (__func__)));
4821 }
4822#endif /* HAVE_LIBGNUTLS */
4823
4824 /* try to find the pre-master secret from the encrypted one. The
4825 * ssl key logfile stores only the first 8 bytes, so truncate it */
4826 encrypted_pre_master.data_len = 8;
4827 if (ssl_restore_master_key(ssl_session, "Encrypted pre-master secret",
4828 true1, mk_map->pre_master, &encrypted_pre_master))
4829 return true1;
4830 }
4831 return false0;
4832}
4833
4834/* Used for (D)TLS 1.2 and earlier versions (not with TLS 1.3). */
4835int
4836ssl_generate_keyring_material(SslDecryptSession*ssl_session)
4837{
4838 StringInfo key_block = { NULL((void*)0), 0 };
4839 uint8_t _iv_c[MAX_BLOCK_SIZE16],_iv_s[MAX_BLOCK_SIZE16];
4840 uint8_t _key_c[MAX_KEY_SIZE32],_key_s[MAX_KEY_SIZE32];
4841 int needed;
4842 int cipher_algo = -1; /* special value (-1) for NULL encryption */
4843 unsigned encr_key_len, write_iv_len = 0;
4844 bool_Bool is_export_cipher;
4845 uint8_t *ptr, *c_iv = NULL((void*)0), *s_iv = NULL((void*)0);
4846 uint8_t *c_wk = NULL((void*)0), *s_wk = NULL((void*)0), *c_mk = NULL((void*)0), *s_mk = NULL((void*)0);
4847 const SslCipherSuite *cipher_suite = ssl_session->cipher_suite;
4848
4849 /* (D)TLS 1.3 is handled directly in tls13_change_key. */
4850 if (ssl_session->session.version
7.1
Field 'version' is not equal to TLSV1DOT3_VERSION
 == TLSV1DOT3_VERSION0x304 || ssl_session->session.version == DTLSV1DOT3_VERSION0xfefc) {
8
Assuming field 'version' is not equal to DTLSV1DOT3_VERSION
9
Taking false branch
4851 ssl_debug_printf("%s: detected TLS 1.3. Should not have been called!\n", G_STRFUNC((const char*) (__func__)));
4852 return -1;
4853 }
4854
4855 /* check for enough info to proceed */
4856 unsigned need_all = SSL_CIPHER(1<<2)|SSL_CLIENT_RANDOM(1<<0)|SSL_SERVER_RANDOM(1<<1)|SSL_VERSION(1<<4);
4857 unsigned need_any = SSL_MASTER_SECRET(1<<5) | SSL_PRE_MASTER_SECRET(1<<6);
4858 if (((ssl_session->state & need_all) != need_all) || ((ssl_session->state & need_any) == 0)) {
10
Assuming the condition is false
11
Assuming the condition is false
12
Taking false branch
4859 ssl_debug_printf("ssl_generate_keyring_material not enough data to generate key "
4860 "(0x%02X required 0x%02X or 0x%02X)\n", ssl_session->state,
4861 need_all|SSL_MASTER_SECRET(1<<5), need_all|SSL_PRE_MASTER_SECRET(1<<6));
4862 /* Special case: for NULL encryption, allow dissection of data even if
4863 * the Client Hello is missing (MAC keys are now skipped though). */
4864 need_all = SSL_CIPHER(1<<2)|SSL_VERSION(1<<4);
4865 if ((ssl_session->state & need_all) == need_all &&
4866 cipher_suite->enc == ENC_NULL0x3D) {
4867 ssl_debug_printf("%s NULL cipher found, will create a decoder but "
4868 "skip MAC validation as keys are missing.\n", G_STRFUNC((const char*) (__func__)));
4869 goto create_decoders;
4870 }
4871
4872 return -1;
4873 }
4874
4875 /* if master key is not available, generate is from the pre-master secret */
4876 if (!(ssl_session->state & SSL_MASTER_SECRET(1<<5))) {
13
Assuming the condition is true
14
Taking true branch
4877 if ((ssl_session->state & SSL_EXTENDED_MASTER_SECRET_MASK((1<<7)|(1<<8))) == SSL_EXTENDED_MASTER_SECRET_MASK((1<<7)|(1<<8))) {
15
Assuming the condition is true
16
Taking true branch
4878 StringInfo handshake_hashed_data;
4879 int ret;
4880
4881 handshake_hashed_data.data = NULL((void*)0);
4882 handshake_hashed_data.data_len = 0;
4883
4884 ssl_debug_printf("%s:PRF(pre_master_secret_extended)\n", G_STRFUNC((const char*) (__func__)));
4885 ssl_print_string("pre master secret",&ssl_session->pre_master_secret);
4886 DISSECTOR_ASSERT(ssl_session->handshake_data.data_len > 0)((void) ((ssl_session->handshake_data.data_len > 0) ? (
void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\""
, "epan/dissectors/packet-tls-utils.c", 4886, "ssl_session->handshake_data.data_len > 0"
))));
17
Assuming field 'data_len' is > 0
18
'?' condition is true
4887
4888 switch(ssl_session->session.version) {
19
Control jumps to 'case 257:' at line 4893
4889 case TLSV1_VERSION0x301:
4890 case TLSV1DOT1_VERSION0x302:
4891 case DTLSV1DOT0_VERSION0xfeff:
4892 case DTLSV1DOT0_OPENSSL_VERSION0x100:
4893 case TLCPV1_VERSION0x101:
4894 ret = tls_handshake_hash(ssl_session, &handshake_hashed_data);
20
Calling 'tls_handshake_hash'
28
Returned allocated memory
4895 break;
4896 default:
4897 switch (cipher_suite->dig) {
4898 case DIG_SHA3840x43:
4899 ret = tls12_handshake_hash(ssl_session, GCRY_MD_SHA384, &handshake_hashed_data);
4900 break;
4901 default:
4902 ret = tls12_handshake_hash(ssl_session, GCRY_MD_SHA256, &handshake_hashed_data);
4903 break;
4904 }
4905 break;
4906 }
4907 if (ret
29.1
'ret' is -1
) {
29
 Execution continues on line 4907
30
Taking true branch
4908 ssl_debug_printf("%s can't generate handshake hash\n", G_STRFUNC((const char*) (__func__)));
31
Potential leak of memory pointed to by 'handshake_hashed_data.data'
4909 return -1;
4910 }
4911
4912 wmem_free(wmem_file_scope(), ssl_session->handshake_data.data);
4913 ssl_session->handshake_data.data = NULL((void*)0);
4914 ssl_session->handshake_data.data_len = 0;
4915
4916 if (!prf(ssl_session, &ssl_session->pre_master_secret, "extended master secret",
4917 &handshake_hashed_data,
4918 NULL((void*)0), &ssl_session->master_secret,
4919 SSL_MASTER_SECRET_LENGTH48)) {
4920 ssl_debug_printf("%s can't generate master_secret\n", G_STRFUNC((const char*) (__func__)));
4921 g_free(handshake_hashed_data.data);
4922 return -1;
4923 }
4924 g_free(handshake_hashed_data.data);
4925 } else {
4926 ssl_debug_printf("%s:PRF(pre_master_secret)\n", G_STRFUNC((const char*) (__func__)));
4927 ssl_print_string("pre master secret",&ssl_session->pre_master_secret);
4928 ssl_print_string("client random",&ssl_session->client_random);
4929 ssl_print_string("server random",&ssl_session->server_random);
4930 if (!prf(ssl_session, &ssl_session->pre_master_secret, "master secret",
4931 &ssl_session->client_random,
4932 &ssl_session->server_random, &ssl_session->master_secret,
4933 SSL_MASTER_SECRET_LENGTH48)) {
4934 ssl_debug_printf("%s can't generate master_secret\n", G_STRFUNC((const char*) (__func__)));
4935 return -1;
4936 }
4937 }
4938 ssl_print_string("master secret",&ssl_session->master_secret);
4939
4940 /* the pre-master secret has been 'consumed' so we must clear it now */
4941 ssl_session->state &= ~SSL_PRE_MASTER_SECRET(1<<6);
4942 ssl_session->state |= SSL_MASTER_SECRET(1<<5);
4943 }
4944
4945 /* Find the Libgcrypt cipher algorithm for the given SSL cipher suite ID */
4946 if (cipher_suite->enc != ENC_NULL0x3D) {
4947 const char *cipher_name = ciphers[cipher_suite->enc-ENC_START0x30];
4948 ssl_debug_printf("%s CIPHER: %s\n", G_STRFUNC((const char*) (__func__)), cipher_name);
4949 cipher_algo = ssl_get_cipher_by_name(cipher_name);
4950 if (cipher_algo == 0) {
4951 ssl_debug_printf("%s can't find cipher %s\n", G_STRFUNC((const char*) (__func__)), cipher_name);
4952 return -1;
4953 }
4954 }
4955
4956 /* Export ciphers consume less material from the key block. */
4957 encr_key_len = ssl_get_cipher_export_keymat_size(cipher_suite->number);
4958 is_export_cipher = encr_key_len > 0;
4959 if (!is_export_cipher && cipher_suite->enc != ENC_NULL0x3D) {
4960 encr_key_len = (unsigned)gcry_cipher_get_algo_keylen(cipher_algo);
4961 }
4962
4963 if (cipher_suite->mode == MODE_CBC) {
4964 write_iv_len = (unsigned)gcry_cipher_get_algo_blklen(cipher_algo);
4965 } else if (cipher_suite->mode == MODE_GCM || cipher_suite->mode == MODE_CCM || cipher_suite->mode == MODE_CCM_8) {
4966 /* account for a four-byte salt for client and server side (from
4967 * client_write_IV and server_write_IV), see GCMNonce (RFC 5288) */
4968 write_iv_len = 4;
4969 } else if (cipher_suite->mode == MODE_POLY1305) {
4970 /* RFC 7905: SecurityParameters.fixed_iv_length is twelve bytes */
4971 write_iv_len = 12;
4972 }
4973
4974 /* Compute the key block. First figure out how much data we need */
4975 needed = ssl_cipher_suite_dig(cipher_suite)->len*2; /* MAC key */
4976 needed += 2 * encr_key_len; /* encryption key */
4977 needed += 2 * write_iv_len; /* write IV */
4978
4979 key_block.data = (unsigned char *)g_malloc(needed);
4980 ssl_debug_printf("%s sess key generation\n", G_STRFUNC((const char*) (__func__)));
4981 if (!prf(ssl_session, &ssl_session->master_secret, "key expansion",
4982 &ssl_session->server_random,&ssl_session->client_random,
4983 &key_block, needed)) {
4984 ssl_debug_printf("%s can't generate key_block\n", G_STRFUNC((const char*) (__func__)));
4985 goto fail;
4986 }
4987 ssl_print_string("key expansion", &key_block);
4988
4989 ptr=key_block.data;
4990 /* client/server write MAC key (for non-AEAD ciphers) */
4991 if (cipher_suite->mode == MODE_STREAM || cipher_suite->mode == MODE_CBC) {
4992 c_mk=ptr; ptr+=ssl_cipher_suite_dig(cipher_suite)->len;
4993 s_mk=ptr; ptr+=ssl_cipher_suite_dig(cipher_suite)->len;
4994 }
4995 /* client/server write encryption key */
4996 c_wk=ptr; ptr += encr_key_len;
4997 s_wk=ptr; ptr += encr_key_len;
4998 /* client/server write IV (used as IV (for CBC) or salt (for AEAD)) */
4999 if (write_iv_len > 0) {
5000 c_iv=ptr; ptr += write_iv_len;
5001 s_iv=ptr; /* ptr += write_iv_len; */
5002 }
5003
5004 /* export ciphers work with a smaller key length */
5005 if (is_export_cipher) {
5006 if (cipher_suite->mode == MODE_CBC) {
5007
5008 /* We only have room for MAX_BLOCK_SIZE bytes IVs, but that's
5009 all we should need. This is a sanity check */
5010 if (write_iv_len > MAX_BLOCK_SIZE16) {
5011 ssl_debug_printf("%s cipher suite block must be at most %d nut is %d\n",
5012 G_STRFUNC((const char*) (__func__)), MAX_BLOCK_SIZE16, write_iv_len);
5013 goto fail;
5014 }
5015
5016 if(ssl_session->session.version==SSLV3_VERSION0x300){
5017 /* The length of these fields are ignored by this caller */
5018 StringInfo iv_c, iv_s;
5019 iv_c.data = _iv_c;
5020 iv_s.data = _iv_s;
5021
5022 ssl_debug_printf("%s ssl3_generate_export_iv\n", G_STRFUNC((const char*) (__func__)));
5023 if (!ssl3_generate_export_iv(&ssl_session->client_random,
5024 &ssl_session->server_random, &iv_c, write_iv_len)) {
5025 goto fail;
5026 }
5027 ssl_debug_printf("%s ssl3_generate_export_iv(2)\n", G_STRFUNC((const char*) (__func__)));
5028 if (!ssl3_generate_export_iv(&ssl_session->server_random,
5029 &ssl_session->client_random, &iv_s, write_iv_len)) {
5030 goto fail;
5031 }
5032 }
5033 else{
5034 uint8_t _iv_block[MAX_BLOCK_SIZE16 * 2];
5035 StringInfo iv_block;
5036 StringInfo key_null;
5037 uint8_t _key_null;
5038
5039 key_null.data = &_key_null;
5040 key_null.data_len = 0;
5041
5042 iv_block.data = _iv_block;
5043
5044 ssl_debug_printf("%s prf(iv_block)\n", G_STRFUNC((const char*) (__func__)));
5045 if (!prf(ssl_session, &key_null, "IV block",
5046 &ssl_session->client_random,
5047 &ssl_session->server_random, &iv_block,
5048 write_iv_len * 2)) {
5049 ssl_debug_printf("%s can't generate tls31 iv block\n", G_STRFUNC((const char*) (__func__)));
5050 goto fail;
5051 }
5052
5053 memcpy(_iv_c, iv_block.data, write_iv_len);
5054 memcpy(_iv_s, iv_block.data + write_iv_len, write_iv_len);
5055 }
5056
5057 c_iv=_iv_c;
5058 s_iv=_iv_s;
5059 }
5060
5061 if (ssl_session->session.version==SSLV3_VERSION0x300){
5062
5063 SSL_MD5_CTXgcry_md_hd_t md5;
5064 ssl_debug_printf("%s MD5(client_random)\n", G_STRFUNC((const char*) (__func__)));
5065
5066 if (ssl_md5_init(&md5) != 0)
5067 goto fail;
5068 ssl_md5_update(&md5,c_wk,encr_key_len);
5069 ssl_md5_update(&md5,ssl_session->client_random.data,
5070 ssl_session->client_random.data_len);
5071 ssl_md5_update(&md5,ssl_session->server_random.data,
5072 ssl_session->server_random.data_len);
5073 ssl_md5_final(_key_c,&md5);
5074 ssl_md5_cleanup(&md5);
5075 c_wk=_key_c;
5076
5077 if (ssl_md5_init(&md5) != 0)
5078 goto fail;
5079 ssl_debug_printf("%s MD5(server_random)\n", G_STRFUNC((const char*) (__func__)));
5080 ssl_md5_update(&md5,s_wk,encr_key_len);
5081 ssl_md5_update(&md5,ssl_session->server_random.data,
5082 ssl_session->server_random.data_len);
5083 ssl_md5_update(&md5,ssl_session->client_random.data,
5084 ssl_session->client_random.data_len);
5085 ssl_md5_final(_key_s,&md5);
5086 ssl_md5_cleanup(&md5);
5087 s_wk=_key_s;
5088 }
5089 else{
5090 StringInfo key_c, key_s, k;
5091 key_c.data = _key_c;
5092 key_s.data = _key_s;
5093
5094 k.data = c_wk;
5095 k.data_len = encr_key_len;
5096 ssl_debug_printf("%s PRF(key_c)\n", G_STRFUNC((const char*) (__func__)));
5097 if (!prf(ssl_session, &k, "client write key",
5098 &ssl_session->client_random,
5099 &ssl_session->server_random, &key_c, sizeof(_key_c))) {
5100 ssl_debug_printf("%s can't generate tll31 server key \n", G_STRFUNC((const char*) (__func__)));
5101 goto fail;
5102 }
5103 c_wk=_key_c;
5104
5105 k.data = s_wk;
5106 k.data_len = encr_key_len;
5107 ssl_debug_printf("%s PRF(key_s)\n", G_STRFUNC((const char*) (__func__)));
5108 if (!prf(ssl_session, &k, "server write key",
5109 &ssl_session->client_random,
5110 &ssl_session->server_random, &key_s, sizeof(_key_s))) {
5111 ssl_debug_printf("%s can't generate tll31 client key \n", G_STRFUNC((const char*) (__func__)));
5112 goto fail;
5113 }
5114 s_wk=_key_s;
5115 }
5116 }
5117
5118 /* show key material info */
5119 if (c_mk != NULL((void*)0)) {
5120 ssl_print_data("Client MAC key",c_mk,ssl_cipher_suite_dig(cipher_suite)->len);
5121 ssl_print_data("Server MAC key",s_mk,ssl_cipher_suite_dig(cipher_suite)->len);
5122 }
5123 ssl_print_data("Client Write key", c_wk, encr_key_len);
5124 ssl_print_data("Server Write key", s_wk, encr_key_len);
5125 /* used as IV for CBC mode and the AEAD implicit nonce (salt) */
5126 if (write_iv_len > 0) {
5127 ssl_print_data("Client Write IV", c_iv, write_iv_len);
5128 ssl_print_data("Server Write IV", s_iv, write_iv_len);
5129 }
5130
5131create_decoders:
5132 /* create both client and server ciphers*/
5133 ssl_debug_printf("%s ssl_create_decoder(client)\n", G_STRFUNC((const char*) (__func__)));
5134 ssl_session->client_new = ssl_create_decoder(cipher_suite, cipher_algo, ssl_session->session.compression, c_mk, c_wk, NULL((void*)0), c_iv, write_iv_len);
5135 if (!ssl_session->client_new) {
5136 ssl_debug_printf("%s can't init client decoder\n", G_STRFUNC((const char*) (__func__)));
5137 goto fail;
5138 }
5139 ssl_debug_printf("%s ssl_create_decoder(server)\n", G_STRFUNC((const char*) (__func__)));
5140 ssl_session->server_new = ssl_create_decoder(cipher_suite, cipher_algo, ssl_session->session.compression, s_mk, s_wk, NULL((void*)0), s_iv, write_iv_len);
5141 if (!ssl_session->server_new) {
5142 ssl_debug_printf("%s can't init server decoder\n", G_STRFUNC((const char*) (__func__)));
5143 goto fail;
5144 }
5145
5146 /* Continue the SSL stream after renegotiation with new keys. */
5147 ssl_session->client_new->flow = ssl_session->client ? ssl_session->client->flow : ssl_create_flow();
5148 ssl_session->server_new->flow = ssl_session->server ? ssl_session->server->flow : ssl_create_flow();
5149
5150 ssl_debug_printf("%s: client seq %" PRIu64"l" "u" ", server seq %" PRIu64"l" "u" "\n",
5151 G_STRFUNC((const char*) (__func__)), ssl_session->client_new->seq, ssl_session->server_new->seq);
5152 g_free(key_block.data);
5153 ssl_session->state |= SSL_HAVE_SESSION_KEY(1<<3);
5154 return 0;
5155
5156fail:
5157 g_free(key_block.data);
5158 return -1;
5159}
5160
5161/* Generated the key material based on the given secret. */
5162bool_Bool
5163tls13_generate_keys(SslDecryptSession *ssl_session, const StringInfo *secret, bool_Bool is_from_server)
5164{
5165 bool_Bool success = false0;
5166 unsigned char *write_key = NULL((void*)0), *write_iv = NULL((void*)0);
5167 unsigned char *sn_key = NULL((void*)0);
5168 SslDecoder *decoder;
5169 unsigned key_length, iv_length;
5170 int hash_algo;
5171 const SslCipherSuite *cipher_suite = ssl_session->cipher_suite;
5172 int cipher_algo;
5173
5174 if ((ssl_session->session.version != TLSV1DOT3_VERSION0x304) && (ssl_session->session.version != DTLSV1DOT3_VERSION0xfefc)) {
5175 ssl_debug_printf("%s only usable for TLS 1.3, not %#x!\n", G_STRFUNC((const char*) (__func__)),
5176 ssl_session->session.version);
5177 return false0;
5178 }
5179
5180 if (cipher_suite == NULL((void*)0)) {
5181 ssl_debug_printf("%s Unknown cipher\n", G_STRFUNC((const char*) (__func__)));
5182 return false0;
5183 }
5184
5185 if (cipher_suite->kex != KEX_TLS130x23) {
5186 ssl_debug_printf("%s Invalid cipher suite 0x%04x spotted!\n", G_STRFUNC((const char*) (__func__)), cipher_suite->number);
5187 return false0;
5188 }
5189
5190 /* Find the Libgcrypt cipher algorithm for the given SSL cipher suite ID */
5191 const char *cipher_name = ciphers[cipher_suite->enc-ENC_START0x30];
5192 ssl_debug_printf("%s CIPHER: %s\n", G_STRFUNC((const char*) (__func__)), cipher_name);
5193 cipher_algo = ssl_get_cipher_by_name(cipher_name);
5194 if (cipher_algo == 0) {
5195 ssl_debug_printf("%s can't find cipher %s\n", G_STRFUNC((const char*) (__func__)), cipher_name);
5196 return false0;
5197 }
5198
5199 const char *hash_name = ssl_cipher_suite_dig(cipher_suite)->name;
5200 hash_algo = ssl_get_digest_by_name(hash_name);
5201 if (!hash_algo) {
5202 ssl_debug_printf("%s can't find hash function %s\n", G_STRFUNC((const char*) (__func__)), hash_name);
5203 return false0;
5204 }
5205
5206 key_length = (unsigned) gcry_cipher_get_algo_keylen(cipher_algo);
5207 /* AES-GCM/AES-CCM/Poly1305-ChaCha20 all have N_MIN=N_MAX = 12. */
5208 iv_length = 12;
5209 ssl_debug_printf("%s key_length %u iv_length %u\n", G_STRFUNC((const char*) (__func__)), key_length, iv_length);
5210
5211 const char *label_prefix = tls13_hkdf_label_prefix(ssl_session);
5212 if (!tls13_hkdf_expand_label(hash_algo, secret, label_prefix, "key", key_length, &write_key)) {
5213 ssl_debug_printf("%s write_key expansion failed\n", G_STRFUNC((const char*) (__func__)));
5214 return false0;
5215 }
5216 if (!tls13_hkdf_expand_label(hash_algo, secret, label_prefix, "iv", iv_length, &write_iv)) {
5217 ssl_debug_printf("%s write_iv expansion failed\n", G_STRFUNC((const char*) (__func__)));
5218 goto end;
5219 }
5220
5221 if (ssl_session->session.version == DTLSV1DOT3_VERSION0xfefc) {
5222 if (!tls13_hkdf_expand_label(hash_algo, secret, label_prefix, "sn", key_length, &sn_key)) {
5223 ssl_debug_printf("%s sn_key expansion failed\n", G_STRFUNC((const char*) (__func__)));
5224 goto end;
5225 }
5226 }
5227
5228 ssl_print_data(is_from_server ? "Server Write Key" : "Client Write Key", write_key, key_length);
5229 ssl_print_data(is_from_server ? "Server Write IV" : "Client Write IV", write_iv, iv_length);
5230 if (ssl_session->session.version == DTLSV1DOT3_VERSION0xfefc) {
5231 ssl_print_data(is_from_server ? "Server Write SN" : "Client Write SN", sn_key, key_length);
5232 }
5233
5234 ssl_debug_printf("%s ssl_create_decoder(%s)\n", G_STRFUNC((const char*) (__func__)), is_from_server ? "server" : "client");
5235 decoder = ssl_create_decoder(cipher_suite, cipher_algo, 0, NULL((void*)0), write_key, sn_key, write_iv, iv_length);
5236 if (!decoder) {
5237 ssl_debug_printf("%s can't init %s decoder\n", G_STRFUNC((const char*) (__func__)), is_from_server ? "server" : "client");
5238 goto end;
5239 }
5240
5241 /* Continue the TLS session with new keys, but reuse old flow to keep things
5242 * like "Follow TLS" working (by linking application data records). */
5243 if (is_from_server) {
5244 decoder->flow = ssl_session->server ? ssl_session->server->flow : ssl_create_flow();
5245 ssl_session->server = decoder;
5246 } else {
5247 decoder->flow = ssl_session->client ? ssl_session->client->flow : ssl_create_flow();
5248 ssl_session->client = decoder;
5249 }
5250 ssl_debug_printf("%s %s ready using cipher suite 0x%04x (cipher %s hash %s)\n", G_STRFUNC((const char*) (__func__)),
5251 is_from_server ? "Server" : "Client", cipher_suite->number, cipher_name, hash_name);
5252 success = true1;
5253
5254end:
5255 wmem_free(NULL((void*)0), write_key);
5256 wmem_free(NULL((void*)0), write_iv);
5257 if (sn_key)
5258 wmem_free(NULL((void*)0), sn_key);
5259 return success;
5260}
5261/* (Pre-)master secrets calculations }}} */
5262
5263#ifdef HAVE_LIBGNUTLS1
5264/* Decrypt RSA pre-master secret using RSA private key. {{{ */
5265static bool_Bool
5266ssl_decrypt_pre_master_secret(SslDecryptSession *ssl_session,
5267 StringInfo *encrypted_pre_master, GHashTable *key_hash)
5268{
5269 int ret;
5270
5271 if (!encrypted_pre_master)
5272 return false0;
5273
5274 if (KEX_IS_DH(ssl_session->cipher_suite->kex)((ssl_session->cipher_suite->kex) >= 0x10 &&
(ssl_session->cipher_suite->kex) <= 0x1b)) {
5275 ssl_debug_printf("%s: session uses Diffie-Hellman key exchange "
5276 "(cipher suite 0x%04X %s) and cannot be decrypted "
5277 "using a RSA private key file.\n",
5278 G_STRFUNC((const char*) (__func__)), ssl_session->session.cipher,
5279 val_to_str_ext_const(ssl_session->session.cipher,
5280 &ssl_31_ciphersuite_ext, "unknown"));
5281 return false0;
5282 } else if (ssl_session->cipher_suite->kex != KEX_RSA0x1e) {
5283 ssl_debug_printf("%s key exchange %d different from KEX_RSA (%d)\n",
5284 G_STRFUNC((const char*) (__func__)), ssl_session->cipher_suite->kex, KEX_RSA0x1e);
5285 return false0;
5286 }
5287
5288 gnutls_privkey_t pk = (gnutls_privkey_t)g_hash_table_lookup(key_hash, ssl_session->cert_key_id);
5289
5290 ssl_print_string("pre master encrypted", encrypted_pre_master);
5291 ssl_debug_printf("%s: RSA_private_decrypt\n", G_STRFUNC((const char*) (__func__)));
5292 const gnutls_datum_t epms = { encrypted_pre_master->data, encrypted_pre_master->data_len };
5293 gnutls_datum_t pms = { 0 };
5294 if (pk) {
5295 // Try to decrypt using the RSA keys table from (D)TLS preferences.
5296 char *err = NULL((void*)0);
5297 gcry_sexp_t private_key = rsa_abstract_privkey_to_sexp(pk, &err);
5298 if (!private_key) {
5299 ssl_debug_printf("%s: decryption failed: Can't export private key: %s", G_STRFUNC((const char*) (__func__)), err);
5300 g_free(err);
5301 return false0;
5302 }
5303
5304 pms.size = (int)rsa_decrypt(encrypted_pre_master->data_len, encrypted_pre_master->data, &pms.data, private_key, "pkcs1", &err);
5305 rsa_private_key_free(private_key);
5306 if (pms.size == 0) {
5307 ssl_debug_printf("%s: decryption failed: %s\n", G_STRFUNC((const char*) (__func__)), err);
5308 g_free(err);
5309 return false0;
5310 }
5311 } else {
5312 // Try to decrypt using a hardware token.
5313 ret = secrets_rsa_decrypt(ssl_session->cert_key_id, epms.data, epms.size, &pms.data, &pms.size);
5314 if (ret < 0) {
5315 ssl_debug_printf("%s: decryption failed: %d (%s)\n", G_STRFUNC((const char*) (__func__)), ret, gnutls_strerror(ret));
5316 return false0;
5317 }
5318 }
5319
5320 if (pms.size != 48) {
5321 ssl_debug_printf("%s wrong pre_master_secret length (%d, expected %d)\n",
5322 G_STRFUNC((const char*) (__func__)), pms.size, 48);
5323 g_free(pms.data);
5324 return false0;
5325 }
5326
5327 ssl_session->pre_master_secret.data = (uint8_t *)wmem_memdup(wmem_file_scope(), pms.data, 48);
5328 ssl_session->pre_master_secret.data_len = 48;
5329 g_free(pms.data);
5330 ssl_print_string("pre master secret", &ssl_session->pre_master_secret);
5331
5332 /* Remove the master secret if it was there.
5333 This forces keying material regeneration in
5334 case we're renegotiating */
5335 ssl_session->state &= ~(SSL_MASTER_SECRET(1<<5)|SSL_HAVE_SESSION_KEY(1<<3));
5336 ssl_session->state |= SSL_PRE_MASTER_SECRET(1<<6);
5337 return true1;
5338} /* }}} */
5339#endif /* HAVE_LIBGNUTLS */
5340
5341/* Decryption integrity check {{{ */
5342
5343static int
5344tls_check_mac(SslDecoder*decoder, int ct, int ver, uint8_t* data,
5345 uint32_t datalen, uint8_t* mac)
5346{
5347 SSL_HMACgcry_md_hd_t hm;
5348 int md;
5349 uint32_t len;
5350 uint8_t buf[DIGEST_MAX_SIZE48];
5351 int16_t temp;
5352
5353 md=ssl_get_digest_by_name(ssl_cipher_suite_dig(decoder->cipher_suite)->name);
5354 ssl_debug_printf("tls_check_mac mac type:%s md %d\n",
5355 ssl_cipher_suite_dig(decoder->cipher_suite)->name, md);
5356
5357 if (ssl_hmac_init(&hm,md) != 0)
5358 return -1;
5359 if (ssl_hmac_setkey(&hm,decoder->mac_key.data,decoder->mac_key.data_len) != 0)
5360 return -1;
5361
5362 /* hash sequence number */
5363 phtonu64(buf, decoder->seq);
5364
5365 decoder->seq++;
5366
5367 ssl_hmac_update(&hm,buf,8);
5368
5369 /* hash content type */
5370 buf[0]=ct;
5371 ssl_hmac_update(&hm,buf,1);
5372
5373 /* hash version,data length and data*/
5374 /* *((int16_t*)buf) = g_htons(ver); */
5375 temp = g_htons(ver)(((((guint16) ( (guint16) ((guint16) (ver) >> 8) | (guint16
) ((guint16) (ver) << 8))))));
5376 memcpy(buf, &temp, 2);
5377 ssl_hmac_update(&hm,buf,2);
5378
5379 /* *((int16_t*)buf) = g_htons(datalen); */
5380 temp = g_htons(datalen)(((((guint16) ( (guint16) ((guint16) (datalen) >> 8) | (
guint16) ((guint16) (datalen) << 8))))));
5381 memcpy(buf, &temp, 2);
5382 ssl_hmac_update(&hm,buf,2);
5383 ssl_hmac_update(&hm,data,datalen);
5384
5385 /* get digest and digest len*/
5386 len = sizeof(buf);
5387 ssl_hmac_final(&hm,buf,&len);
5388 ssl_hmac_cleanup(&hm);
5389 ssl_print_data("Mac", buf, len);
5390 if(memcmp(mac,buf,len))
5391 return -1;
5392
5393 return 0;
5394}
5395
5396static int
5397ssl3_check_mac(SslDecoder*decoder,int ct,uint8_t* data,
5398 uint32_t datalen, uint8_t* mac)
5399{
5400 SSL_MDgcry_md_hd_t mc;
5401 int md;
5402 uint32_t len;
5403 uint8_t buf[64],dgst[20];
5404 int pad_ct;
5405 int16_t temp;
5406
5407 pad_ct=(decoder->cipher_suite->dig==DIG_SHA0x41)?40:48;
5408
5409 /* get cipher used for digest computation */
5410 md=ssl_get_digest_by_name(ssl_cipher_suite_dig(decoder->cipher_suite)->name);
5411 if (ssl_md_init(&mc,md) !=0)
5412 return -1;
5413
5414 /* do hash computation on data && padding */
5415 ssl_md_update(&mc,decoder->mac_key.data,decoder->mac_key.data_len);
5416
5417 /* hash padding*/
5418 memset(buf,0x36,pad_ct);
5419 ssl_md_update(&mc,buf,pad_ct);
5420
5421 /* hash sequence number */
5422 phtonu64(buf, decoder->seq);
5423 decoder->seq++;
5424 ssl_md_update(&mc,buf,8);
5425
5426 /* hash content type */
5427 buf[0]=ct;
5428 ssl_md_update(&mc,buf,1);
5429
5430 /* hash data length in network byte order and data*/
5431 /* *((int16_t* )buf) = g_htons(datalen); */
5432 temp = g_htons(datalen)(((((guint16) ( (guint16) ((guint16) (datalen) >> 8) | (
guint16) ((guint16) (datalen) << 8))))));
5433 memcpy(buf, &temp, 2);
5434 ssl_md_update(&mc,buf,2);
5435 ssl_md_update(&mc,data,datalen);
5436
5437 /* get partial digest */
5438 ssl_md_final(&mc,dgst,&len);
5439 ssl_md_reset(&mc);
5440
5441 /* hash mac key */
5442 ssl_md_update(&mc,decoder->mac_key.data,decoder->mac_key.data_len);
5443
5444 /* hash padding and partial digest*/
5445 memset(buf,0x5c,pad_ct);
5446 ssl_md_update(&mc,buf,pad_ct);
5447 ssl_md_update(&mc,dgst,len);
5448
5449 ssl_md_final(&mc,dgst,&len);
5450 ssl_md_cleanup(&mc);
5451
5452 if(memcmp(mac,dgst,len))
5453 return -1;
5454
5455 return 0;
5456}
5457
5458static int
5459dtls_check_mac(SslDecryptSession *ssl, SslDecoder*decoder, int ct, uint8_t* data,
5460 uint32_t datalen, uint8_t* mac, const unsigned char *cid, uint8_t cidl)
5461{
5462 SSL_HMACgcry_md_hd_t hm;
5463 int md;
5464 uint32_t len;
5465 uint8_t buf[DIGEST_MAX_SIZE48];
5466 int16_t temp;
5467
5468 int ver = ssl->session.version;
5469 bool_Bool is_cid = ((ct == SSL_ID_TLS12_CID) && (ver == DTLSV1DOT2_VERSION0xfefd));
5470
5471 md=ssl_get_digest_by_name(ssl_cipher_suite_dig(decoder->cipher_suite)->name);
5472 ssl_debug_printf("dtls_check_mac mac type:%s md %d\n",
5473 ssl_cipher_suite_dig(decoder->cipher_suite)->name, md);
5474
5475 if (ssl_hmac_init(&hm,md) != 0)
5476 return -1;
5477 if (ssl_hmac_setkey(&hm,decoder->mac_key.data,decoder->mac_key.data_len) != 0)
5478 return -1;
5479
5480 ssl_debug_printf("dtls_check_mac seq: %" PRIu64"l" "u" " epoch: %d\n",decoder->seq,decoder->epoch);
5481
5482 if (is_cid && !ssl->session.deprecated_cid) {
5483 /* hash seq num placeholder */
5484 memset(buf,0xFF,8);
5485 ssl_hmac_update(&hm,buf,8);
5486
5487 /* hash content type + cid length + content type */
5488 buf[0]=ct;
5489 buf[1]=cidl;
5490 buf[2]=ct;
5491 ssl_hmac_update(&hm,buf,3);
5492
5493 /* hash version */
5494 temp = g_htons(ver)(((((guint16) ( (guint16) ((guint16) (ver) >> 8) | (guint16
) ((guint16) (ver) << 8))))));
5495 memcpy(buf, &temp, 2);
5496 ssl_hmac_update(&hm,buf,2);
5497
5498 /* hash sequence number */
5499 phtonu64(buf, decoder->seq);
5500 buf[0]=decoder->epoch>>8;
5501 buf[1]=(uint8_t)decoder->epoch;
5502 ssl_hmac_update(&hm,buf,8);
5503
5504 /* hash cid */
5505 ssl_hmac_update(&hm,cid,cidl);
5506 } else {
5507 /* hash sequence number */
5508 phtonu64(buf, decoder->seq);
5509 buf[0]=decoder->epoch>>8;
5510 buf[1]=(uint8_t)decoder->epoch;
5511 ssl_hmac_update(&hm,buf,8);
5512
5513 /* hash content type */
5514 buf[0]=ct;
5515 ssl_hmac_update(&hm,buf,1);
5516
5517 /* hash version */
5518 temp = g_htons(ver)(((((guint16) ( (guint16) ((guint16) (ver) >> 8) | (guint16
) ((guint16) (ver) << 8))))));
5519 memcpy(buf, &temp, 2);
5520 ssl_hmac_update(&hm,buf,2);
5521
5522 if (is_cid && ssl->session.deprecated_cid) {
5523 /* hash cid */
5524 ssl_hmac_update(&hm,cid,cidl);
5525
5526 /* hash cid length */
5527 buf[0] = cidl;
5528 ssl_hmac_update(&hm,buf,1);
5529 }
5530 }
5531
5532 /* data length and data */
5533 temp = g_htons(datalen)(((((guint16) ( (guint16) ((guint16) (datalen) >> 8) | (
guint16) ((guint16) (datalen) << 8))))));
5534 memcpy(buf, &temp, 2);
5535 ssl_hmac_update(&hm,buf,2);
5536 ssl_hmac_update(&hm,data,datalen);
5537
5538 /* get digest and digest len */
5539 len = sizeof(buf);
5540 ssl_hmac_final(&hm,buf,&len);
5541 ssl_hmac_cleanup(&hm);
5542 ssl_print_data("Mac", buf, len);
5543 if(memcmp(mac,buf,len))
5544 return -1;
5545
5546 return 0;
5547}
5548/* Decryption integrity check }}} */
5549
5550
5551static bool_Bool
5552tls_decrypt_aead_record(wmem_allocator_t* allocator, SslDecryptSession *ssl, SslDecoder *decoder,
5553 uint8_t ct, uint16_t record_version,
5554 bool_Bool ignore_mac_failed,
5555 const unsigned char *in, uint16_t inl,
5556 const unsigned char *cid, uint8_t cidl,
5557 StringInfo *out_str, unsigned *outl)
5558{
5559 /* RFC 5246 (TLS 1.2) 6.2.3.3 defines the TLSCipherText.fragment as:
5560 * GenericAEADCipher: { nonce_explicit, [content] }
5561 * In TLS 1.3 this explicit nonce is gone.
5562 * With AES GCM/CCM, "[content]" is actually the concatenation of the
5563 * ciphertext and authentication tag.
5564 */
5565 const uint16_t version = ssl->session.version;
5566 const bool_Bool is_v12 = version == TLSV1DOT2_VERSION0x303 || version == DTLSV1DOT2_VERSION0xfefd || version == TLCPV1_VERSION0x101;
5567 gcry_error_t err;
5568 const unsigned char *explicit_nonce = NULL((void*)0), *ciphertext;
5569 unsigned ciphertext_len, auth_tag_len;
5570 unsigned char nonce[12];
5571 const ssl_cipher_mode_t cipher_mode = decoder->cipher_suite->mode;
5572 const bool_Bool is_cid = ct == SSL_ID_TLS12_CID && version == DTLSV1DOT2_VERSION0xfefd;
5573 const uint8_t draft_version = ssl->session.tls13_draft_version;
5574 const unsigned char *auth_tag_wire;
5575 unsigned char auth_tag_calc[16];
5576 unsigned char *aad = NULL((void*)0);
5577 unsigned aad_len = 0;
5578
5579 switch (cipher_mode) {
5580 case MODE_GCM:
5581 case MODE_CCM:
5582 case MODE_POLY1305:
5583 auth_tag_len = 16;
5584 break;
5585 case MODE_CCM_8:
5586 auth_tag_len = 8;
5587 break;
5588 default:
5589 ssl_debug_printf("%s unsupported cipher!\n", G_STRFUNC((const char*) (__func__)));
5590 return false0;
5591 }
5592
5593 /* Parse input into explicit nonce (TLS 1.2 only), ciphertext and tag. */
5594 if (is_v12 && cipher_mode != MODE_POLY1305) {
5595 if (inl < EXPLICIT_NONCE_LEN8 + auth_tag_len) {
5596 ssl_debug_printf("%s input %d is too small for explicit nonce %d and auth tag %d\n",
5597 G_STRFUNC((const char*) (__func__)), inl, EXPLICIT_NONCE_LEN8, auth_tag_len);
5598 return false0;
5599 }
5600 explicit_nonce = in;
5601 ciphertext = explicit_nonce + EXPLICIT_NONCE_LEN8;
5602 ciphertext_len = inl - EXPLICIT_NONCE_LEN8 - auth_tag_len;
5603 } else if (version == TLSV1DOT3_VERSION0x304 || version == DTLSV1DOT3_VERSION0xfefc || cipher_mode == MODE_POLY1305) {
5604 if (inl < auth_tag_len) {
5605 ssl_debug_printf("%s input %d has no space for auth tag %d\n", G_STRFUNC((const char*) (__func__)), inl, auth_tag_len);
5606 return false0;
5607 }
5608 ciphertext = in;
5609 ciphertext_len = inl - auth_tag_len;
5610 } else {
5611 ssl_debug_printf("%s Unexpected TLS version %#x\n", G_STRFUNC((const char*) (__func__)), version);
5612 return false0;
5613 }
5614 auth_tag_wire = ciphertext + ciphertext_len;
5615
5616 /*
5617 * Nonce construction is version-specific. Note that AEAD_CHACHA20_POLY1305
5618 * (RFC 7905) uses a nonce construction similar to TLS 1.3.
5619 */
5620 if (is_v12 && cipher_mode != MODE_POLY1305) {
5621 DISSECTOR_ASSERT(decoder->write_iv.data_len == IMPLICIT_NONCE_LEN)((void) ((decoder->write_iv.data_len == 4) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 5621, "decoder->write_iv.data_len == 4"))));
5622 /* Implicit (4) and explicit (8) part of nonce. */
5623 memcpy(nonce, decoder->write_iv.data, IMPLICIT_NONCE_LEN4);
5624 memcpy(nonce + IMPLICIT_NONCE_LEN4, explicit_nonce, EXPLICIT_NONCE_LEN8);
5625
5626 } else if (version == TLSV1DOT3_VERSION0x304 || version == DTLSV1DOT3_VERSION0xfefc || cipher_mode == MODE_POLY1305) {
5627 /*
5628 * Technically the nonce length must be at least 8 bytes, but for
5629 * AES-GCM, AES-CCM and Poly1305-ChaCha20 the nonce length is exact 12.
5630 */
5631 const unsigned nonce_len = 12;
5632 DISSECTOR_ASSERT(decoder->write_iv.data_len == nonce_len)((void) ((decoder->write_iv.data_len == nonce_len) ? (void
)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\""
, "epan/dissectors/packet-tls-utils.c", 5632, "decoder->write_iv.data_len == nonce_len"
))));
5633 memcpy(nonce, decoder->write_iv.data, decoder->write_iv.data_len);
5634 /* Sequence number is left-padded with zeroes and XORed with write_iv */
5635 phtonu64(nonce + nonce_len - 8, pntohu64(nonce + nonce_len - 8) ^ decoder->seq);
5636 ssl_debug_printf("%s seq %" PRIu64"l" "u" "\n", G_STRFUNC((const char*) (__func__)), decoder->seq);
5637 }
5638
5639 /* Set nonce and additional authentication data */
5640 gcry_cipher_reset(decoder->evp)gcry_cipher_ctl ((decoder->evp), GCRYCTL_RESET, ((void*)0)
, 0);
5641 ssl_print_data("nonce", nonce, 12);
5642 err = gcry_cipher_setiv(decoder->evp, nonce, 12);
5643 if (err) {
5644 ssl_debug_printf("%s failed to set nonce: %s\n", G_STRFUNC((const char*) (__func__)), gcry_strerror(err));
5645 return false0;
5646 }
5647
5648 /* (D)TLS 1.2 needs specific AAD, TLS 1.3 (before -25) uses empty AAD. */
5649 if (is_cid) { /* if connection ID */
5650 if (ssl->session.deprecated_cid) {
5651 aad_len = 14 + cidl;
5652 aad = wmem_alloc(allocator, aad_len);
5653 phtonu64(aad, decoder->seq); /* record sequence number */
5654 phtonu16(aad, decoder->epoch); /* DTLS 1.2 includes epoch. */
5655 aad[8] = ct; /* TLSCompressed.type */
5656 phtonu16(aad + 9, record_version); /* TLSCompressed.version */
5657 memcpy(aad + 11, cid, cidl); /* cid */
5658 aad[11 + cidl] = cidl; /* cid_length */
5659 phtonu16(aad + 12 + cidl, ciphertext_len); /* TLSCompressed.length */
5660 } else {
5661 aad_len = 23 + cidl;
5662 aad = wmem_alloc(allocator, aad_len);
5663 memset(aad, 0xFF, 8); /* seq_num_placeholder */
5664 aad[8] = ct; /* TLSCompressed.type */
5665 aad[9] = cidl; /* cid_length */
5666 aad[10] = ct; /* TLSCompressed.type */
5667 phtonu16(aad + 11, record_version); /* TLSCompressed.version */
5668 phtonu64(aad + 13, decoder->seq); /* record sequence number */
5669 phtonu16(aad + 13, decoder->epoch); /* DTLS 1.2 includes epoch. */
5670 memcpy(aad + 21, cid, cidl); /* cid */
5671 phtonu16(aad + 21 + cidl, ciphertext_len); /* TLSCompressed.length */
5672 }
5673 } else if (is_v12) {
5674 aad_len = 13;
5675 aad = wmem_alloc(allocator, aad_len);
5676 phtonu64(aad, decoder->seq); /* record sequence number */
5677 if (version == DTLSV1DOT2_VERSION0xfefd) {
5678 phtonu16(aad, decoder->epoch); /* DTLS 1.2 includes epoch. */
5679 }
5680 aad[8] = ct; /* TLSCompressed.type */
5681 phtonu16(aad + 9, record_version); /* TLSCompressed.version */
5682 phtonu16(aad + 11, ciphertext_len); /* TLSCompressed.length */
5683 } else if (version == DTLSV1DOT3_VERSION0xfefc) {
5684 aad_len = decoder->dtls13_aad.data_len;
5685 aad = decoder->dtls13_aad.data;
5686 } else if (draft_version >= 25 || draft_version == 0) {
5687 aad_len = 5;
5688 aad = wmem_alloc(allocator, aad_len);
5689 aad[0] = ct; /* TLSCiphertext.opaque_type (23) */
5690 phtonu16(aad + 1, record_version); /* TLSCiphertext.legacy_record_version (0x0303) */
5691 phtonu16(aad + 3, inl); /* TLSCiphertext.length */
5692 }
5693
5694 if (decoder->cipher_suite->mode == MODE_CCM || decoder->cipher_suite->mode == MODE_CCM_8) {
5695 /* size of plaintext, additional authenticated data and auth tag. */
5696 uint64_t lengths[3] = { ciphertext_len, aad_len, auth_tag_len };
5697
5698 gcry_cipher_ctl(decoder->evp, GCRYCTL_SET_CCM_LENGTHS, lengths, sizeof(lengths));
5699 }
5700
5701 if (aad && aad_len > 0) {
5702 ssl_print_data("AAD", aad, aad_len);
5703 err = gcry_cipher_authenticate(decoder->evp, aad, aad_len);
5704 if (err) {
5705 ssl_debug_printf("%s failed to set AAD: %s\n", G_STRFUNC((const char*) (__func__)), gcry_strerror(err));
5706 return false0;
5707 }
5708 }
5709
5710 /* Decrypt now that nonce and AAD are set. */
5711 err = gcry_cipher_decrypt(decoder->evp, out_str->data, out_str->data_len, ciphertext, ciphertext_len);
5712 if (err) {
5713 ssl_debug_printf("%s decrypt failed: %s\n", G_STRFUNC((const char*) (__func__)), gcry_strerror(err));
5714 return false0;
5715 }
5716
5717 /* Check authentication tag for authenticity (replaces MAC) */
5718 err = gcry_cipher_gettag(decoder->evp, auth_tag_calc, auth_tag_len);
5719 if (err == 0 && !memcmp(auth_tag_calc, auth_tag_wire, auth_tag_len)) {
5720 ssl_print_data("auth_tag(OK)", auth_tag_calc, auth_tag_len);
5721 } else {
5722 if (err) {
5723 ssl_debug_printf("%s cannot obtain tag: %s\n", G_STRFUNC((const char*) (__func__)), gcry_strerror(err));
5724 } else {
5725 ssl_debug_printf("%s auth tag mismatch\n", G_STRFUNC((const char*) (__func__)));
5726 ssl_print_data("auth_tag(expect)", auth_tag_calc, auth_tag_len);
5727 ssl_print_data("auth_tag(actual)", auth_tag_wire, auth_tag_len);
5728 }
5729 if (ignore_mac_failed) {
5730 ssl_debug_printf("%s: auth check failed, but ignored for troubleshooting ;-)\n", G_STRFUNC((const char*) (__func__)));
5731 } else {
5732 return false0;
5733 }
5734 }
5735
5736 /*
5737 * Increment the (implicit) sequence number for TLS 1.2/1.3 and TLCP 1.1. This is done
5738 * after successful authentication to ensure that early data is skipped when
5739 * CLIENT_EARLY_TRAFFIC_SECRET keys are unavailable.
5740 */
5741 if (version == TLSV1DOT2_VERSION0x303 || version == TLSV1DOT3_VERSION0x304 || version == TLCPV1_VERSION0x101) {
5742 decoder->seq++;
5743 }
5744
5745 ssl_print_data("Plaintext", out_str->data, ciphertext_len);
5746 *outl = ciphertext_len;
5747 return true1;
5748}
5749
5750/* Record decryption glue based on security parameters {{{ */
5751/* Assume that we are called only for a non-NULL decoder which also means that
5752 * we have a non-NULL decoder->cipher_suite. */
5753int
5754ssl_decrypt_record(wmem_allocator_t* allocator, SslDecryptSession *ssl, SslDecoder *decoder, uint8_t ct, uint16_t record_version,
5755 bool_Bool ignore_mac_failed,
5756 const unsigned char *in, uint16_t inl, const unsigned char *cid, uint8_t cidl,
5757 StringInfo *comp_str, StringInfo *out_str, unsigned *outl)
5758{
5759 unsigned pad, worklen, uncomplen, maclen, mac_fraglen = 0;
5760 uint8_t *mac = NULL((void*)0), *mac_frag = NULL((void*)0);
5761
5762 ssl_debug_printf("ssl_decrypt_record ciphertext len %d\n", inl);
5763 ssl_print_data("Ciphertext",in, inl);
5764
5765 if (((ssl->session.version == TLSV1DOT3_VERSION0x304 || ssl->session.version == DTLSV1DOT3_VERSION0xfefc))
5766 != (decoder->cipher_suite->kex == KEX_TLS130x23)) {
5767 ssl_debug_printf("%s Invalid cipher suite for the protocol version!\n", G_STRFUNC((const char*) (__func__)));
5768 return -1;
5769 }
5770
5771 /* ensure we have enough storage space for decrypted data */
5772 if (inl > out_str->data_len)
5773 {
5774 ssl_debug_printf("ssl_decrypt_record: allocating %d bytes for decrypt data (old len %d)\n",
5775 inl + 32, out_str->data_len);
5776 ssl_data_realloc(out_str, inl + 32);
5777 }
5778
5779 /* AEAD ciphers (GenericAEADCipher in TLS 1.2; TLS 1.3) have no padding nor
5780 * a separate MAC, so use a different routine for simplicity. */
5781 if (decoder->cipher_suite->mode == MODE_GCM ||
5782 decoder->cipher_suite->mode == MODE_CCM ||
5783 decoder->cipher_suite->mode == MODE_CCM_8 ||
5784 decoder->cipher_suite->mode == MODE_POLY1305 ||
5785 ssl->session.version == TLSV1DOT3_VERSION0x304 ||
5786 ssl->session.version == DTLSV1DOT3_VERSION0xfefc) {
5787
5788 if (!tls_decrypt_aead_record(allocator, ssl, decoder, ct, record_version, ignore_mac_failed, in, inl, cid, cidl, out_str, &worklen)) {
5789 /* decryption failed */
5790 return -1;
5791 }
5792
5793 goto skip_mac;
5794 }
5795
5796 /* RFC 6101/2246: SSLCipherText/TLSCipherText has two structures for types:
5797 * (notation: { unencrypted, [ encrypted ] })
5798 * GenericStreamCipher: { [content, mac] }
5799 * GenericBlockCipher: { IV (TLS 1.1+), [content, mac, padding, padding_len] }
5800 * RFC 5426 (TLS 1.2): TLSCipherText has additionally:
5801 * GenericAEADCipher: { nonce_explicit, [content] }
5802 * RFC 4347 (DTLS): based on TLS 1.1, only GenericBlockCipher is supported.
5803 * RFC 6347 (DTLS 1.2): based on TLS 1.2, includes GenericAEADCipher too.
5804 */
5805
5806 maclen = ssl_cipher_suite_dig(decoder->cipher_suite)->len;
5807
5808 /* (TLS 1.1 and later, DTLS) Extract explicit IV for GenericBlockCipher */
5809 if (decoder->cipher_suite->mode == MODE_CBC) {
5810 unsigned blocksize = 0;
5811
5812 switch (ssl->session.version) {
5813 case TLSV1DOT1_VERSION0x302:
5814 case TLSV1DOT2_VERSION0x303:
5815 case DTLSV1DOT0_VERSION0xfeff:
5816 case DTLSV1DOT2_VERSION0xfefd:
5817 case DTLSV1DOT3_VERSION0xfefc:
5818 case DTLSV1DOT0_OPENSSL_VERSION0x100:
5819 case TLCPV1_VERSION0x101:
5820 blocksize = ssl_get_cipher_blocksize(decoder->cipher_suite);
5821 if (inl < blocksize) {
5822 ssl_debug_printf("ssl_decrypt_record failed: input %d has no space for IV %d\n",
5823 inl, blocksize);
5824 return -1;
5825 }
5826 pad = gcry_cipher_setiv(decoder->evp, in, blocksize);
5827 if (pad != 0) {
5828 ssl_debug_printf("ssl_decrypt_record failed: failed to set IV: %s %s\n",
5829 gcry_strsource (pad), gcry_strerror (pad));
5830 }
5831
5832 inl -= blocksize;
5833 in += blocksize;
5834 break;
5835 }
5836
5837 /* Encrypt-then-MAC for (D)TLS (RFC 7366) */
5838 if (ssl->state & SSL_ENCRYPT_THEN_MAC(1<<11)) {
5839 /*
5840 * MAC is calculated over (IV + ) ENCRYPTED contents:
5841 *
5842 * MAC(MAC_write_key, ... +
5843 * IV + // for TLS 1.1 or greater
5844 * TLSCiphertext.enc_content);
5845 */
5846 if (inl < maclen) {
5847 ssl_debug_printf("%s failed: input %d has no space for MAC %d\n",
5848 G_STRFUNC((const char*) (__func__)), inl, maclen);
5849 return -1;
5850 }
5851 inl -= maclen;
5852 mac = (uint8_t *)in + inl;
5853 mac_frag = (uint8_t *)in - blocksize;
5854 mac_fraglen = blocksize + inl;
5855 }
5856 }
5857
5858 /* First decrypt*/
5859 if ((pad = ssl_cipher_decrypt(&decoder->evp, out_str->data, out_str->data_len, in, inl)) != 0) {
5860 ssl_debug_printf("ssl_decrypt_record failed: ssl_cipher_decrypt: %s %s\n", gcry_strsource (pad),
5861 gcry_strerror (pad));
5862 return -1;
5863 }
5864
5865 ssl_print_data("Plaintext", out_str->data, inl);
5866 worklen=inl;
5867
5868
5869 /* strip padding for GenericBlockCipher */
5870 if (decoder->cipher_suite->mode == MODE_CBC) {
5871 if (inl < 1) { /* Should this check happen earlier? */
5872 ssl_debug_printf("ssl_decrypt_record failed: input length %d too small\n", inl);
5873 return -1;
5874 }
5875 pad=out_str->data[inl-1];
5876 if (worklen <= pad) {
5877 ssl_debug_printf("ssl_decrypt_record failed: padding %d too large for work %d\n",
5878 pad, worklen);
5879 return -1;
5880 }
5881 worklen-=(pad+1);
5882 ssl_debug_printf("ssl_decrypt_record found padding %d final len %d\n",
5883 pad, worklen);
5884 }
5885
5886 /* MAC for GenericStreamCipher and GenericBlockCipher.
5887 * (normal case without Encrypt-then-MAC (RFC 7366) extension. */
5888 if (!mac) {
5889 /*
5890 * MAC is calculated over the DECRYPTED contents:
5891 *
5892 * MAC(MAC_write_key, ... + TLSCompressed.fragment);
5893 */
5894 if (worklen < maclen) {
5895 ssl_debug_printf("%s wrong record len/padding outlen %d\n work %d\n", G_STRFUNC((const char*) (__func__)), *outl, worklen);
5896 return -1;
5897 }
5898 worklen -= maclen;
5899 mac = out_str->data + worklen;
5900 mac_frag = out_str->data;
5901 mac_fraglen = worklen;
5902 }
5903
5904 /* If NULL encryption active and no keys are available, do not bother
5905 * checking the MAC. We do not have keys for that. */
5906 if (decoder->cipher_suite->mode == MODE_STREAM &&
5907 decoder->cipher_suite->enc == ENC_NULL0x3D &&
5908 !(ssl->state & SSL_MASTER_SECRET(1<<5))) {
5909 ssl_debug_printf("MAC check skipped due to missing keys\n");
5910 decoder->seq++; // Increment this for display
5911 goto skip_mac;
5912 }
5913
5914 /* Now check the MAC */
5915 ssl_debug_printf("checking mac (len %d, version %X, ct %d seq %" PRIu64"l" "u" ")\n",
5916 worklen, ssl->session.version, ct, decoder->seq);
5917 if(ssl->session.version==SSLV3_VERSION0x300){
5918 if(ssl3_check_mac(decoder,ct,mac_frag,mac_fraglen,mac) < 0) {
5919 if(ignore_mac_failed) {
5920 ssl_debug_printf("ssl_decrypt_record: mac failed, but ignored for troubleshooting ;-)\n");
5921 }
5922 else{
5923 ssl_debug_printf("ssl_decrypt_record: mac failed\n");
5924 return -1;
5925 }
5926 }
5927 else{
5928 ssl_debug_printf("ssl_decrypt_record: mac ok\n");
5929 }
5930 }
5931 else if(ssl->session.version==TLSV1_VERSION0x301 || ssl->session.version==TLSV1DOT1_VERSION0x302 || ssl->session.version==TLSV1DOT2_VERSION0x303 || ssl->session.version==TLCPV1_VERSION0x101){
5932 if(tls_check_mac(decoder,ct,ssl->session.version,mac_frag,mac_fraglen,mac)< 0) {
5933 if(ignore_mac_failed) {
5934 ssl_debug_printf("ssl_decrypt_record: mac failed, but ignored for troubleshooting ;-)\n");
5935 }
5936 else{
5937 ssl_debug_printf("ssl_decrypt_record: mac failed\n");
5938 return -1;
5939 }
5940 }
5941 else{
5942 ssl_debug_printf("ssl_decrypt_record: mac ok\n");
5943 }
5944 }
5945 else if(ssl->session.version==DTLSV1DOT0_VERSION0xfeff ||
5946 ssl->session.version==DTLSV1DOT2_VERSION0xfefd ||
5947 ssl->session.version==DTLSV1DOT0_OPENSSL_VERSION0x100){
5948 /* Try rfc-compliant mac first, and if failed, try old openssl's non-rfc-compliant mac */
5949 if(dtls_check_mac(ssl,decoder,ct,mac_frag,mac_fraglen,mac,cid,cidl)>= 0) {
5950 ssl_debug_printf("ssl_decrypt_record: mac ok\n");
5951 }
5952 else if(tls_check_mac(decoder,ct,TLSV1_VERSION0x301,mac_frag,mac_fraglen,mac)>= 0) {
5953 ssl_debug_printf("ssl_decrypt_record: dtls rfc-compliant mac failed, but old openssl's non-rfc-compliant mac ok\n");
5954 }
5955 else if(ignore_mac_failed) {
5956 ssl_debug_printf("ssl_decrypt_record: mac failed, but ignored for troubleshooting ;-)\n");
5957 }
5958 else{
5959 ssl_debug_printf("ssl_decrypt_record: mac failed\n");
5960 return -1;
5961 }
5962 }
5963skip_mac:
5964
5965 *outl = worklen;
5966
5967 if (decoder->compression > 0) {
5968 ssl_debug_printf("ssl_decrypt_record: compression method %d\n", decoder->compression);
5969 ssl_data_copy(comp_str, out_str);
5970 ssl_print_data("Plaintext compressed", comp_str->data, worklen);
5971 if (!decoder->decomp) {
5972 ssl_debug_printf("decrypt_ssl3_record: no decoder available\n");
5973 return -1;
5974 }
5975 if (ssl_decompress_record(decoder->decomp, comp_str->data, worklen, out_str, &uncomplen) < 0) return -1;
5976 ssl_print_data("Plaintext uncompressed", out_str->data, uncomplen);
5977 *outl = uncomplen;
5978 }
5979
5980 return 0;
5981}
5982/* Record decryption glue based on security parameters }}} */
5983
5984
5985
5986#ifdef HAVE_LIBGNUTLS1
5987
5988/* RSA private key file processing {{{ */
5989static void
5990ssl_find_private_key_by_pubkey(SslDecryptSession *ssl,
5991 const gnutls_datum_t *subjectPublicKeyInfo)
5992{
5993 gnutls_pubkey_t pubkey = NULL((void*)0);
5994 cert_key_id_t key_id;
5995 size_t key_id_len = sizeof(key_id);
5996 int r;
5997
5998 if (!subjectPublicKeyInfo->size) {
5999 ssl_debug_printf("%s: could not find SubjectPublicKeyInfo\n", G_STRFUNC((const char*) (__func__)));
6000 return;
6001 }
6002
6003 r = gnutls_pubkey_init(&pubkey);
6004 if (r < 0) {
6005 ssl_debug_printf("%s: failed to init pubkey: %s\n",
6006 G_STRFUNC((const char*) (__func__)), gnutls_strerror(r));
6007 return;
6008 }
6009
6010 r = gnutls_pubkey_import(pubkey, subjectPublicKeyInfo, GNUTLS_X509_FMT_DER);
6011 if (r < 0) {
6012 ssl_debug_printf("%s: failed to import pubkey from handshake: %s\n",
6013 G_STRFUNC((const char*) (__func__)), gnutls_strerror(r));
6014 goto end;
6015 }
6016
6017 if (gnutls_pubkey_get_pk_algorithm(pubkey, NULL((void*)0)) != GNUTLS_PK_RSA) {
6018 ssl_debug_printf("%s: Not a RSA public key - ignoring.\n", G_STRFUNC((const char*) (__func__)));
6019 goto end;
6020 }
6021
6022 /* Generate a 20-byte SHA-1 hash. */
6023 r = gnutls_pubkey_get_key_id(pubkey, 0, key_id.key_id, &key_id_len);
6024 if (r < 0) {
6025 ssl_debug_printf("%s: failed to extract key id from pubkey: %s\n",
6026 G_STRFUNC((const char*) (__func__)), gnutls_strerror(r));
6027 goto end;
6028 }
6029
6030 if (key_id_len != sizeof(key_id)) {
6031 ssl_debug_printf("%s: expected Key ID size %zu, got %zu\n",
6032 G_STRFUNC((const char*) (__func__)), sizeof(key_id), key_id_len);
6033 goto end;
6034 }
6035
6036 ssl_print_data("Certificate.KeyID", key_id.key_id, key_id_len);
6037 ssl->cert_key_id = wmem_new(wmem_file_scope(), cert_key_id_t)((cert_key_id_t*)wmem_alloc((wmem_file_scope()), sizeof(cert_key_id_t
)));
6038 *ssl->cert_key_id = key_id;
6039
6040end:
6041 gnutls_pubkey_deinit(pubkey);
6042}
6043
6044/* RSA private key file processing }}} */
6045#endif /* HAVE_LIBGNUTLS */
6046
6047/*--- Start of dissector-related code below ---*/
6048
6049/* This is not a "protocol" but ensures that this gets called during
6050 * the handoff stage. */
6051void proto_reg_handoff_tls_utils(void);
6052
6053static dissector_handle_t base_tls_handle;
6054static dissector_handle_t dtls_handle;
6055
6056void
6057proto_reg_handoff_tls_utils(void)
6058{
6059 base_tls_handle = find_dissector("tls");
6060 dtls_handle = find_dissector("dtls");
6061}
6062
6063/* get ssl data for this session. if no ssl data is found allocate a new one*/
6064SslDecryptSession *
6065ssl_get_session(conversation_t *conversation, dissector_handle_t tls_handle)
6066{
6067 void *conv_data;
6068 SslDecryptSession *ssl_session;
6069 int proto_ssl;
6070
6071 /* Note proto_ssl is tls for either the main tls_handle or the
6072 * tls13_handshake handle used by QUIC. */
6073 proto_ssl = dissector_handle_get_protocol_index(tls_handle);
6074 conv_data = conversation_get_proto_data(conversation, proto_ssl);
6075 if (conv_data != NULL((void*)0))
6076 return (SslDecryptSession *)conv_data;
6077
6078 /* no previous SSL conversation info, initialize it. */
6079 ssl_session = wmem_new0(wmem_file_scope(), SslDecryptSession)((SslDecryptSession*)wmem_alloc0((wmem_file_scope()), sizeof(
SslDecryptSession)));
6080
6081 /* data_len is the part that is meaningful, not the allocated length */
6082 ssl_session->master_secret.data_len = 0;
6083 ssl_session->master_secret.data = ssl_session->_master_secret;
6084 ssl_session->session_id.data_len = 0;
6085 ssl_session->session_id.data = ssl_session->_session_id;
6086 ssl_session->client_random.data_len = 0;
6087 ssl_session->client_random.data = ssl_session->_client_random;
6088 ssl_session->server_random.data_len = 0;
6089 ssl_session->server_random.data = ssl_session->_server_random;
6090 ssl_session->session_ticket.data_len = 0;
6091 ssl_session->session_ticket.data = NULL((void*)0); /* will be re-alloced as needed */
6092 ssl_session->server_data_for_iv.data_len = 0;
6093 ssl_session->server_data_for_iv.data = ssl_session->_server_data_for_iv;
6094 ssl_session->client_data_for_iv.data_len = 0;
6095 ssl_session->client_data_for_iv.data = ssl_session->_client_data_for_iv;
6096 ssl_session->app_data_segment.data = NULL((void*)0);
6097 ssl_session->app_data_segment.data_len = 0;
6098 ssl_session->handshake_data.data=NULL((void*)0);
6099 ssl_session->handshake_data.data_len=0;
6100 ssl_session->ech_transcript.data=NULL((void*)0);
6101 ssl_session->ech_transcript.data_len=0;
6102
6103 /* Initialize parameters which are not necessary specific to decryption. */
6104 ssl_session->session.version = SSL_VER_UNKNOWN0;
6105 clear_address(&ssl_session->session.srv_addr);
6106 ssl_session->session.srv_ptype = PT_NONE;
6107 ssl_session->session.srv_port = 0;
6108 ssl_session->session.dtls13_current_epoch[0] = ssl_session->session.dtls13_current_epoch[1] = 0;
6109 ssl_session->session.dtls13_next_seq_num[0] = ssl_session->session.dtls13_next_seq_num[1] = 0;
6110 ssl_session->session.client_random.data_len = 0;
6111 ssl_session->session.client_random.data = ssl_session->session._client_random;
6112 memset(ssl_session->session.ech_confirmation, 0, sizeof(ssl_session->session.ech_confirmation));
6113 memset(ssl_session->session.hrr_ech_confirmation, 0, sizeof(ssl_session->session.hrr_ech_confirmation));
6114 memset(ssl_session->session.first_ech_auth_tag, 0, sizeof(ssl_session->session.first_ech_auth_tag));
6115 ssl_session->session.ech = false0;
6116 ssl_session->session.hrr_ech_declined = false0;
6117 ssl_session->session.first_ch_ech_frame = 0;
6118
6119 /* We want to increment the stream count for the normal tls handle and
6120 * dtls handle, but presumably not for the tls13_handshake handle used
6121 * by QUIC (it has its own Follow Stream handling, and the QUIC stream
6122 * doesn't get sent to the TLS follow tap.)
6123 */
6124 if (tls_handle == base_tls_handle) {
6125 ssl_session->session.stream = tls_increment_stream_count();
6126 } else if (tls_handle == dtls_handle) {
6127 ssl_session->session.stream = dtls_increment_stream_count();
6128 }
6129
6130 conversation_add_proto_data(conversation, proto_ssl, ssl_session);
6131 return ssl_session;
6132}
6133
6134void ssl_reset_session(SslSession *session, SslDecryptSession *ssl, bool_Bool is_client)
6135{
6136 if (ssl) {
6137 /* Ensure that secrets are not restored using stale identifiers. Split
6138 * between client and server in case the packets somehow got out of order. */
6139 int clear_flags = SSL_HAVE_SESSION_KEY(1<<3) | SSL_MASTER_SECRET(1<<5) | SSL_PRE_MASTER_SECRET(1<<6);
6140
6141 if (is_client) {
6142 clear_flags |= SSL_CLIENT_EXTENDED_MASTER_SECRET(1<<7);
6143 ssl->session_id.data_len = 0;
6144 ssl->session_ticket.data_len = 0;
6145 ssl->master_secret.data_len = 0;
6146 ssl->client_random.data_len = 0;
6147 ssl->has_early_data = false0;
6148 if (ssl->handshake_data.data_len > 0) {
6149 // The EMS handshake hash starts with at the Client Hello,
6150 // ensure that any messages before it are forgotten.
6151 wmem_free(wmem_file_scope(), ssl->handshake_data.data);
6152 ssl->handshake_data.data = NULL((void*)0);
6153 ssl->handshake_data.data_len = 0;
6154 }
6155 } else {
6156 clear_flags |= SSL_SERVER_EXTENDED_MASTER_SECRET(1<<8) | SSL_NEW_SESSION_TICKET(1<<10);
6157 ssl->server_random.data_len = 0;
6158 ssl->pre_master_secret.data_len = 0;
6159#ifdef HAVE_LIBGNUTLS1
6160 ssl->cert_key_id = NULL((void*)0);
6161#endif
6162 ssl->psk.data_len = 0;
6163 }
6164
6165 if (ssl->state & clear_flags) {
6166 ssl_debug_printf("%s detected renegotiation, clearing 0x%02x (%s side)\n",
6167 G_STRFUNC((const char*) (__func__)), ssl->state & clear_flags, is_client ? "client" : "server");
6168 ssl->state &= ~clear_flags;
6169 }
6170 }
6171
6172 /* These flags might be used for non-decryption purposes and may affect the
6173 * dissection, so reset them as well. */
6174 if (is_client) {
6175 session->client_cert_type = 0;
6176 } else {
6177 session->compression = 0;
6178 session->server_cert_type = 0;
6179 /* session->is_session_resumed is already handled in the ServerHello dissection. */
6180 }
6181 session->dtls13_next_seq_num[0] = session->dtls13_next_seq_num[1] = 0;
6182 session->dtls13_current_epoch[0] = session->dtls13_current_epoch[1] = 0;
6183}
6184
6185void
6186tls_set_appdata_dissector(dissector_handle_t tls_handle, packet_info *pinfo,
6187 dissector_handle_t app_handle)
6188{
6189 conversation_t *conversation;
6190 SslSession *session;
6191
6192 /* Ignore if the TLS or other dissector is disabled. */
6193 if (!tls_handle || !app_handle)
6194 return;
6195
6196 conversation = find_or_create_conversation(pinfo);
6197 session = &ssl_get_session(conversation, tls_handle)->session;
6198 session->app_handle = app_handle;
6199}
6200
6201static uint32_t
6202ssl_starttls(dissector_handle_t tls_handle, packet_info *pinfo,
6203 dissector_handle_t app_handle, uint32_t last_nontls_frame)
6204{
6205 conversation_t *conversation;
6206 SslSession *session;
6207
6208 /* Ignore if the TLS dissector is disabled. */
6209 if (!tls_handle)
6210 return 0;
6211 /* The caller should always pass a valid handle to its own dissector. */
6212 DISSECTOR_ASSERT(app_handle)((void) ((app_handle) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 6212, "app_handle"))));
6213
6214 conversation = find_or_create_conversation(pinfo);
6215 session = &ssl_get_session(conversation, tls_handle)->session;
6216
6217 ssl_debug_printf("%s: old frame %d, app_handle=%p (%s)\n", G_STRFUNC((const char*) (__func__)),
6218 session->last_nontls_frame,
6219 (void *)session->app_handle,
6220 dissector_handle_get_dissector_name(session->app_handle));
6221 ssl_debug_printf("%s: current frame %d, app_handle=%p (%s)\n", G_STRFUNC((const char*) (__func__)),
6222 pinfo->num, (void *)app_handle,
6223 dissector_handle_get_dissector_name(app_handle));
6224
6225 /* Do not switch again if a dissector did it before. */
6226 if (session->last_nontls_frame) {
6227 ssl_debug_printf("%s: not overriding previous app handle!\n", G_STRFUNC((const char*) (__func__)));
6228 return session->last_nontls_frame;
6229 }
6230
6231 session->app_handle = app_handle;
6232 /* The TLS dissector should be called first for this conversation. */
6233 conversation_set_dissector(conversation, tls_handle);
6234 /* TLS starts after this frame. */
6235 session->last_nontls_frame = last_nontls_frame;
6236 return 0;
6237}
6238
6239/* ssl_starttls_ack: mark future frames as encrypted. */
6240uint32_t
6241ssl_starttls_ack(dissector_handle_t tls_handle, packet_info *pinfo,
6242 dissector_handle_t app_handle)
6243{
6244 return ssl_starttls(tls_handle, pinfo, app_handle, pinfo->num);
6245}
6246
6247uint32_t
6248ssl_starttls_post_ack(dissector_handle_t tls_handle, packet_info *pinfo,
6249 dissector_handle_t app_handle)
6250{
6251 return ssl_starttls(tls_handle, pinfo, app_handle, pinfo->num - 1);
6252}
6253
6254dissector_handle_t
6255ssl_find_appdata_dissector(const char *name)
6256{
6257 /* Accept 'http' for backwards compatibility and sanity. */
6258 if (!strcmp(name, "http"))
6259 name = "http-over-tls";
6260 /* XXX - Should this check to see if the dissector is actually added for
6261 * Decode As in the appropriate table?
6262 */
6263 return find_dissector(name);
6264}
6265
6266/* Functions for TLS/DTLS sessions and RSA private keys hashtables. {{{ */
6267static int
6268ssl_equal (const void *v, const void *v2)
6269{
6270 const StringInfo *val1;
6271 const StringInfo *val2;
6272 val1 = (const StringInfo *)v;
6273 val2 = (const StringInfo *)v2;
6274
6275 if (val1->data_len == val2->data_len &&
6276 !memcmp(val1->data, val2->data, val2->data_len)) {
6277 return 1;
6278 }
6279 return 0;
6280}
6281
6282static unsigned
6283ssl_hash (const void *v)
6284{
6285 unsigned l,hash;
6286 const StringInfo* id;
6287 const unsigned* cur;
6288 hash = 0;
6289 id = (const StringInfo*) v;
6290
6291 /* id and id->data are mallocated in ssl_save_master_key(). As such 'data'
6292 * should be aligned for any kind of access (for example as a unsigned as
6293 * is done below). The intermediate void* cast is to prevent "cast
6294 * increases required alignment of target type" warnings on CPUs (such
6295 * as SPARCs) that do not allow misaligned memory accesses.
6296 */
6297 cur = (const unsigned*)(void*) id->data;
6298
6299 for (l=4; (l < id->data_len); l+=4, cur++)
6300 hash = hash ^ (*cur);
6301
6302 return hash;
6303}
6304/* Functions for TLS/DTLS sessions and RSA private keys hashtables. }}} */
6305
6306/* Handling of association between tls/dtls ports and clear text protocol. {{{ */
6307void
6308ssl_association_add(const char* dissector_table_name, dissector_handle_t main_handle, dissector_handle_t subdissector_handle, unsigned port, bool_Bool tcp)
6309{
6310 DISSECTOR_ASSERT(main_handle)((void) ((main_handle) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 6310, "main_handle"))));
6311 DISSECTOR_ASSERT(subdissector_handle)((void) ((subdissector_handle) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 6311, "subdissector_handle"))));
6312 /* Registration is required for Export PDU feature to work properly. */
6313 DISSECTOR_ASSERT_HINT(dissector_handle_get_dissector_name(subdissector_handle),((void) ((dissector_handle_get_dissector_name(subdissector_handle
)) ? (void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\" (%s)"
, "epan/dissectors/packet-tls-utils.c", 6314, "dissector_handle_get_dissector_name(subdissector_handle)"
, "SSL appdata dissectors must register with register_dissector()!"
))))
6314 "SSL appdata dissectors must register with register_dissector()!")((void) ((dissector_handle_get_dissector_name(subdissector_handle
)) ? (void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\" (%s)"
, "epan/dissectors/packet-tls-utils.c", 6314, "dissector_handle_get_dissector_name(subdissector_handle)"
, "SSL appdata dissectors must register with register_dissector()!"
))));
6315 ssl_debug_printf("association_add %s port %d handle %p\n", dissector_table_name, port, (void *)subdissector_handle);
6316
6317 if (port) {
6318 dissector_add_uint(dissector_table_name, port, subdissector_handle);
6319 if (tcp)
6320 dissector_add_uint("tcp.port", port, main_handle);
6321 else
6322 dissector_add_uint("udp.port", port, main_handle);
6323 dissector_add_uint("sctp.port", port, main_handle);
6324 } else {
6325 dissector_add_for_decode_as(dissector_table_name, subdissector_handle);
6326 }
6327}
6328
6329void
6330ssl_association_remove(const char* dissector_table_name, dissector_handle_t main_handle, dissector_handle_t subdissector_handle, unsigned port, bool_Bool tcp)
6331{
6332 ssl_debug_printf("ssl_association_remove removing %s %u - handle %p\n",
6333 tcp?"TCP":"UDP", port, (void *)subdissector_handle);
6334 if (main_handle) {
6335 dissector_delete_uint(tcp?"tcp.port":"udp.port", port, main_handle);
6336 dissector_delete_uint("sctp.port", port, main_handle);
6337 }
6338
6339 if (port) {
6340 dissector_delete_uint(dissector_table_name, port, subdissector_handle);
6341 }
6342}
6343
6344void
6345ssl_set_server(SslSession *session, address *addr, port_type ptype, uint32_t port)
6346{
6347 copy_address_wmem(wmem_file_scope(), &session->srv_addr, addr);
6348 session->srv_ptype = ptype;
6349 session->srv_port = port;
6350}
6351
6352int
6353ssl_packet_from_server(SslSession *session, dissector_table_t table, const packet_info *pinfo)
6354{
6355 int ret;
6356 if (session && session->srv_addr.type != AT_NONE) {
6357 ret = (session->srv_ptype == pinfo->ptype) &&
6358 (session->srv_port == pinfo->srcport) &&
6359 addresses_equal(&session->srv_addr, &pinfo->src);
6360 } else {
6361 ret = (dissector_get_uint_handle(table, pinfo->srcport) != 0);
6362 }
6363
6364 ssl_debug_printf("packet_from_server: is from server - %s\n", (ret)?"TRUE":"FALSE");
6365 return ret;
6366}
6367/* Handling of association between tls/dtls ports and clear text protocol. }}} */
6368
6369
6370/* Links SSL records with the real packet data. {{{ */
6371SslPacketInfo *
6372tls_add_packet_info(int proto, packet_info *pinfo, uint8_t curr_layer_num_ssl)
6373{
6374 SslPacketInfo *pi = (SslPacketInfo *)p_get_proto_data(wmem_file_scope(), pinfo, proto, curr_layer_num_ssl);
6375 if (!pi) {
6376 pi = wmem_new0(wmem_file_scope(), SslPacketInfo)((SslPacketInfo*)wmem_alloc0((wmem_file_scope()), sizeof(SslPacketInfo
)));
6377 pi->srcport = pinfo->srcport;
6378 pi->destport = pinfo->destport;
6379 p_add_proto_data(wmem_file_scope(), pinfo, proto, curr_layer_num_ssl, pi);
6380 }
6381
6382 return pi;
6383}
6384
6385/**
6386 * Remembers the decrypted TLS record fragment (TLSInnerPlaintext in TLS 1.3) to
6387 * avoid the need for a decoder in the second pass. Additionally, it remembers
6388 * sequence numbers (for reassembly and Follow TLS Stream).
6389 *
6390 * @param proto The protocol identifier (proto_ssl or proto_dtls).
6391 * @param pinfo The packet where the record originates from.
6392 * @param plain_data Decrypted plaintext to store in the record.
6393 * @param plain_data_len Total length of the plaintext.
6394 * @param content_len Length of the plaintext section corresponding to the record content.
6395 * @param record_id The identifier for this record within the current packet.
6396 * @param flow Information about sequence numbers, etc.
6397 * @param type TLS Content Type (such as handshake or application_data).
6398 * @param curr_layer_num_ssl The layer identifier for this TLS session.
6399 */
6400void
6401ssl_add_record_info(int proto, packet_info *pinfo,
6402 const unsigned char *plain_data, int plain_data_len, int content_len,
6403 int record_id, SslFlow *flow, ContentType type, uint8_t curr_layer_num_ssl,
6404 uint64_t record_seq)
6405{
6406 SslRecordInfo* rec, **prec;
6407 SslPacketInfo *pi = tls_add_packet_info(proto, pinfo, curr_layer_num_ssl);
6408
6409 ws_assert(content_len <= plain_data_len)do { if ((1) && !(content_len <= plain_data_len)) ws_log_fatal_full
("", LOG_LEVEL_ERROR, "epan/dissectors/packet-tls-utils.c", 6409
, __func__, "assertion failed: %s", "content_len <= plain_data_len"
); } while (0);
6410
6411 rec = wmem_new(wmem_file_scope(), SslRecordInfo)((SslRecordInfo*)wmem_alloc((wmem_file_scope()), sizeof(SslRecordInfo
)));
6412 rec->plain_data = (unsigned char *)wmem_memdup(wmem_file_scope(), plain_data, plain_data_len);
6413 rec->plain_data_len = plain_data_len;
6414 rec->content_len = content_len;
6415 rec->id = record_id;
6416 rec->type = type;
6417 rec->next = NULL((void*)0);
6418 rec->record_seq = record_seq;
6419
6420 if (flow && type == SSL_ID_APP_DATA) {
6421 rec->seq = flow->byte_seq;
6422 rec->flow = flow;
6423 flow->byte_seq += content_len;
6424 ssl_debug_printf("%s stored decrypted record seq=%d nxtseq=%d flow=%p\n",
6425 G_STRFUNC((const char*) (__func__)), rec->seq, rec->seq + content_len, (void*)flow);
6426 }
6427
6428 /* Remember decrypted records. */
6429 prec = &pi->records;
6430 while (*prec) prec = &(*prec)->next;
6431 *prec = rec;
6432}
6433
6434/* search in packet data for the specified id; return a newly created tvb for the associated data */
6435tvbuff_t*
6436ssl_get_record_info(tvbuff_t *parent_tvb, int proto, packet_info *pinfo, int record_id, uint8_t curr_layer_num_ssl, SslRecordInfo **matched_record)
6437{
6438 SslRecordInfo* rec;
6439 SslPacketInfo* pi;
6440 pi = (SslPacketInfo *)p_get_proto_data(wmem_file_scope(), pinfo, proto, curr_layer_num_ssl);
6441
6442 if (!pi)
6443 return NULL((void*)0);
6444
6445 for (rec = pi->records; rec; rec = rec->next)
6446 if (rec->id == record_id) {
6447 *matched_record = rec;
6448 /* link new real_data_tvb with a parent tvb so it is freed when frame dissection is complete */
6449 return tvb_new_child_real_data(parent_tvb, rec->plain_data, rec->plain_data_len, rec->plain_data_len);
6450 }
6451
6452 return NULL((void*)0);
6453}
6454/* Links SSL records with the real packet data. }}} */
6455
6456/* initialize/reset per capture state data (ssl sessions cache). {{{ */
6457void
6458ssl_common_init(ssl_master_key_map_t *mk_map,
6459 StringInfo *decrypted_data, StringInfo *compressed_data)
6460{
6461 mk_map->session = g_hash_table_new(ssl_hash, ssl_equal);
6462 mk_map->tickets = g_hash_table_new(ssl_hash, ssl_equal);
6463 mk_map->crandom = g_hash_table_new(ssl_hash, ssl_equal);
6464 mk_map->pre_master = g_hash_table_new(ssl_hash, ssl_equal);
6465 mk_map->pms = g_hash_table_new(ssl_hash, ssl_equal);
6466 mk_map->tls13_client_early = g_hash_table_new(ssl_hash, ssl_equal);
6467 mk_map->tls13_client_handshake = g_hash_table_new(ssl_hash, ssl_equal);
6468 mk_map->tls13_server_handshake = g_hash_table_new(ssl_hash, ssl_equal);
6469 mk_map->tls13_client_appdata = g_hash_table_new(ssl_hash, ssl_equal);
6470 mk_map->tls13_server_appdata = g_hash_table_new(ssl_hash, ssl_equal);
6471 mk_map->tls13_early_exporter = g_hash_table_new(ssl_hash, ssl_equal);
6472 mk_map->tls13_exporter = g_hash_table_new(ssl_hash, ssl_equal);
6473
6474 mk_map->ech_secret = g_hash_table_new(ssl_hash, ssl_equal);
6475 mk_map->ech_config = g_hash_table_new(ssl_hash, ssl_equal);
6476
6477 mk_map->used_crandom = g_hash_table_new(ssl_hash, ssl_equal);
6478
6479 ssl_data_alloc(decrypted_data, 32);
6480 ssl_data_alloc(compressed_data, 32);
6481}
6482
6483void
6484ssl_common_cleanup(ssl_master_key_map_t *mk_map, FILE **ssl_keylog_file,
6485 StringInfo *decrypted_data, StringInfo *compressed_data)
6486{
6487 g_hash_table_destroy(mk_map->session);
6488 g_hash_table_destroy(mk_map->tickets);
6489 g_hash_table_destroy(mk_map->crandom);
6490 g_hash_table_destroy(mk_map->pre_master);
6491 g_hash_table_destroy(mk_map->pms);
6492 g_hash_table_destroy(mk_map->tls13_client_early);
6493 g_hash_table_destroy(mk_map->tls13_client_handshake);
6494 g_hash_table_destroy(mk_map->tls13_server_handshake);
6495 g_hash_table_destroy(mk_map->tls13_client_appdata);
6496 g_hash_table_destroy(mk_map->tls13_server_appdata);
6497 g_hash_table_destroy(mk_map->tls13_early_exporter);
6498 g_hash_table_destroy(mk_map->tls13_exporter);
6499
6500 g_hash_table_destroy(mk_map->ech_secret);
6501 g_hash_table_destroy(mk_map->ech_config);
6502
6503 g_hash_table_destroy(mk_map->used_crandom);
6504
6505 g_free(decrypted_data->data);
6506 g_free(compressed_data->data);
6507
6508 /* close the previous keylog file now that the cache are cleared, this
6509 * allows the cache to be filled with the full keylog file contents. */
6510 if (*ssl_keylog_file) {
6511 fclose(*ssl_keylog_file);
6512 *ssl_keylog_file = NULL((void*)0);
6513 }
6514}
6515/* }}} */
6516
6517/* parse ssl related preferences (private keys and ports association strings) */
6518#if defined(HAVE_LIBGNUTLS1)
6519/* Load a single RSA key file item from preferences. {{{ */
6520void
6521ssl_parse_key_list(const ssldecrypt_assoc_t *uats, GHashTable *key_hash, const char* dissector_table_name, dissector_handle_t main_handle, bool_Bool tcp)
6522{
6523 gnutls_x509_privkey_t x509_priv_key;
6524 gnutls_privkey_t priv_key = NULL((void*)0);
6525 FILE* fp = NULL((void*)0);
6526 int ret;
6527 size_t key_id_len = 20;
6528 unsigned char *key_id = NULL((void*)0);
6529 char *err = NULL((void*)0);
6530 dissector_handle_t handle;
6531 /* try to load keys file first */
6532 fp = ws_fopenfopen(uats->keyfile, "rb");
6533 if (!fp) {
6534 report_open_failure(uats->keyfile, errno(*__errno_location ()), false0);
6535 return;
6536 }
6537
6538 if ((int)strlen(uats->password) == 0) {
6539 x509_priv_key = rsa_load_pem_key(fp, &err);
6540 } else {
6541 x509_priv_key = rsa_load_pkcs12(fp, uats->password, &err);
6542 }
6543 fclose(fp);
6544
6545 if (!x509_priv_key) {
6546 if (err) {
6547 report_failure("Can't load private key from %s: %s",
6548 uats->keyfile, err);
6549 g_free(err);
6550 } else
6551 report_failure("Can't load private key from %s: unknown error",
6552 uats->keyfile);
6553 return;
6554 }
6555 if (err) {
6556 report_failure("Load of private key from %s \"succeeded\" with error %s",
6557 uats->keyfile, err);
6558 g_free(err);
6559 }
6560
6561 gnutls_privkey_init(&priv_key);
6562 ret = gnutls_privkey_import_x509(priv_key, x509_priv_key,
6563 GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE|GNUTLS_PRIVKEY_IMPORT_COPY);
6564 if (ret < 0) {
6565 report_failure("Can't convert private key %s: %s",
6566 uats->keyfile, gnutls_strerror(ret));
6567 goto end;
6568 }
6569
6570 key_id = (unsigned char *) g_malloc0(key_id_len);
6571 ret = gnutls_x509_privkey_get_key_id(x509_priv_key, 0, key_id, &key_id_len);
6572 if (ret < 0) {
6573 report_failure("Can't calculate public key ID for %s: %s",
6574 uats->keyfile, gnutls_strerror(ret));
6575 goto end;
6576 }
6577 ssl_print_data("KeyID", key_id, key_id_len);
6578 if (key_id_len != 20) {
6579 report_failure("Expected Key ID size %u for %s, got %zu", 20,
6580 uats->keyfile, key_id_len);
6581 goto end;
6582 }
6583
6584 g_hash_table_replace(key_hash, key_id, priv_key);
6585 key_id = NULL((void*)0); /* used in key_hash, do not free. */
6586 priv_key = NULL((void*)0);
6587 ssl_debug_printf("ssl_init private key file %s successfully loaded.\n", uats->keyfile);
6588
6589 handle = ssl_find_appdata_dissector(uats->protocol);
6590 if (handle) {
6591 /* Port to subprotocol mapping */
6592 uint16_t port = 0;
6593 if (ws_strtou16(uats->port, NULL((void*)0), &port)) {
6594 if (port > 0) {
6595 ssl_debug_printf("ssl_init port '%d' filename '%s' password(only for p12 file) '%s'\n",
6596 port, uats->keyfile, uats->password);
6597
6598 ssl_association_add(dissector_table_name, main_handle, handle, port, tcp);
6599 }
6600 } else {
6601 if (strcmp(uats->port, "start_tls"))
6602 ssl_debug_printf("invalid ssl_init_port: %s\n", uats->port);
6603 }
6604 }
6605
6606end:
6607 gnutls_x509_privkey_deinit(x509_priv_key);
6608 gnutls_privkey_deinit(priv_key);
6609 g_free(key_id);
6610}
6611/* }}} */
6612#endif
6613
6614
6615/* Store/load a known (pre-)master secret from/for this SSL session. {{{ */
6616/** store a known (pre-)master secret into cache */
6617static void
6618ssl_save_master_key(const char *label, GHashTable *ht, StringInfo *key,
6619 StringInfo *mk)
6620{
6621 StringInfo *ht_key, *master_secret;
6622
6623 if (key->data_len == 0) {
6624 ssl_debug_printf("%s: not saving empty %s!\n", G_STRFUNC((const char*) (__func__)), label);
6625 return;
6626 }
6627
6628 if (mk->data_len == 0) {
6629 ssl_debug_printf("%s not saving empty (pre-)master secret for %s!\n",
6630 G_STRFUNC((const char*) (__func__)), label);
6631 return;
6632 }
6633
6634 /* ssl_hash() depends on session_ticket->data being aligned for unsigned access
6635 * so be careful in changing how it is allocated. */
6636 ht_key = ssl_data_clone(key);
6637 master_secret = ssl_data_clone(mk);
6638 g_hash_table_insert(ht, ht_key, master_secret);
6639
6640 ssl_debug_printf("%s inserted (pre-)master secret for %s\n", G_STRFUNC((const char*) (__func__)), label);
6641 ssl_print_string("stored key", ht_key);
6642 ssl_print_string("stored (pre-)master secret", master_secret);
6643}
6644
6645/** restore a (pre-)master secret given some key in the cache */
6646static bool_Bool
6647ssl_restore_master_key(SslDecryptSession *ssl, const char *label,
6648 bool_Bool is_pre_master, GHashTable *ht, StringInfo *key)
6649{
6650 StringInfo *ms;
6651
6652 if (key->data_len == 0) {
6653 ssl_debug_printf("%s can't restore %smaster secret using an empty %s\n",
6654 G_STRFUNC((const char*) (__func__)), is_pre_master ? "pre-" : "", label);
6655 return false0;
6656 }
6657
6658 ms = (StringInfo *)g_hash_table_lookup(ht, key);
6659 if (!ms) {
6660 ssl_debug_printf("%s can't find %smaster secret by %s\n", G_STRFUNC((const char*) (__func__)),
6661 is_pre_master ? "pre-" : "", label);
6662 return false0;
6663 }
6664
6665 /* (pre)master secret found, clear knowledge of other keys and set it in the
6666 * current conversation */
6667 ssl->state &= ~(SSL_MASTER_SECRET(1<<5) | SSL_PRE_MASTER_SECRET(1<<6) |
6668 SSL_HAVE_SESSION_KEY(1<<3));
6669 if (is_pre_master) {
6670 /* unlike master secret, pre-master secret has a variable size (48 for
6671 * RSA, varying for PSK) and is therefore not statically allocated */
6672 ssl->pre_master_secret.data = (unsigned char *) wmem_alloc(wmem_file_scope(),
6673 ms->data_len);
6674 ssl_data_set(&ssl->pre_master_secret, ms->data, ms->data_len);
6675 ssl->state |= SSL_PRE_MASTER_SECRET(1<<6);
6676 } else {
6677 ssl_data_set(&ssl->master_secret, ms->data, ms->data_len);
6678 ssl->state |= SSL_MASTER_SECRET(1<<5);
6679 }
6680 ssl_debug_printf("%s %smaster secret retrieved using %s\n", G_STRFUNC((const char*) (__func__)),
6681 is_pre_master ? "pre-" : "", label);
6682 ssl_print_string(label, key);
6683 ssl_print_string("(pre-)master secret", ms);
6684 return true1;
6685}
6686/* Store/load a known (pre-)master secret from/for this SSL session. }}} */
6687
6688/* Should be called when all parameters are ready (after ChangeCipherSpec), and
6689 * the decoder should be attempted to be initialized. {{{*/
6690void
6691ssl_finalize_decryption(SslDecryptSession *ssl, ssl_master_key_map_t *mk_map)
6692{
6693 if (ssl->session.version == TLSV1DOT3_VERSION0x304) {
1
Assuming field 'version' is not equal to TLSV1DOT3_VERSION
2
Taking false branch
6694 /* TLS 1.3 implementations only provide secrets derived from the master
6695 * secret which are loaded in tls13_change_key. No master secrets can be
6696 * loaded here, so just return. */
6697 return;
6698 }
6699 ssl_debug_printf("%s state = 0x%02X\n", G_STRFUNC((const char*) (__func__)), ssl->state);
6700 if (ssl->state & SSL_HAVE_SESSION_KEY(1<<3)) {
3
Assuming the condition is false
4
Taking false branch
6701 ssl_debug_printf(" session key already available, nothing to do.\n");
6702 return;
6703 }
6704 if (!(ssl->state & SSL_CIPHER(1<<2))) {
5
Assuming the condition is false
6705 ssl_debug_printf(" Cipher suite (Server Hello) is missing!\n");
6706 return;
6707 }
6708
6709 /* for decryption, there needs to be a master secret (which can be derived
6710 * from pre-master secret). If missing, try to pick a master key from cache
6711 * (an earlier packet in the capture or key logfile). */
6712 if (!(ssl->state & (SSL_MASTER_SECRET(1<<5) | SSL_PRE_MASTER_SECRET(1<<6))) &&
6
Assuming the condition is false
6713 !ssl_restore_master_key(ssl, "Session ID", false0,
6714 mk_map->session, &ssl->session_id) &&
6715 (!ssl->session.is_session_resumed ||
6716 !ssl_restore_master_key(ssl, "Session Ticket", false0,
6717 mk_map->tickets, &ssl->session_ticket)) &&
6718 !ssl_restore_master_key(ssl, "Client Random", false0,
6719 mk_map->crandom, &ssl->client_random)) {
6720 if (ssl->cipher_suite->enc != ENC_NULL0x3D) {
6721 /* how unfortunate, the master secret could not be found */
6722 ssl_debug_printf(" Cannot find master secret\n");
6723 return;
6724 } else {
6725 ssl_debug_printf(" Cannot find master secret, continuing anyway "
6726 "because of a NULL cipher\n");
6727 }
6728 }
6729
6730 if (ssl_generate_keyring_material(ssl) < 0) {
7
Calling 'ssl_generate_keyring_material'
6731 ssl_debug_printf("%s can't generate keyring material\n", G_STRFUNC((const char*) (__func__)));
6732 return;
6733 }
6734 /* Save Client Random/ Session ID for "SSL Export Session keys" */
6735 ssl_save_master_key("Client Random", mk_map->crandom,
6736 &ssl->client_random, &ssl->master_secret);
6737 ssl_save_master_key("Session ID", mk_map->session,
6738 &ssl->session_id, &ssl->master_secret);
6739 /* Only save the new secrets if the server sent the ticket. The client
6740 * ticket might have become stale. */
6741 if (ssl->state & SSL_NEW_SESSION_TICKET(1<<10)) {
6742 ssl_save_master_key("Session Ticket", mk_map->tickets,
6743 &ssl->session_ticket, &ssl->master_secret);
6744 }
6745} /* }}} */
6746
6747/* Load the traffic key secret from the keylog file. */
6748StringInfo *
6749tls13_load_secret(SslDecryptSession *ssl, ssl_master_key_map_t *mk_map,
6750 bool_Bool is_from_server, TLSRecordType type)
6751{
6752 GHashTable *key_map;
6753 const char *label;
6754
6755 if (ssl->session.version != TLSV1DOT3_VERSION0x304 && ssl->session.version != DTLSV1DOT3_VERSION0xfefc) {
6756 ssl_debug_printf("%s TLS version %#x is not 1.3\n", G_STRFUNC((const char*) (__func__)), ssl->session.version);
6757 return NULL((void*)0);
6758 }
6759
6760 if (ssl->client_random.data_len == 0) {
6761 /* May happen if Hello message is missing and Finished is found. */
6762 ssl_debug_printf("%s missing Client Random\n", G_STRFUNC((const char*) (__func__)));
6763 return NULL((void*)0);
6764 }
6765
6766 switch (type) {
6767 case TLS_SECRET_0RTT_APP:
6768 DISSECTOR_ASSERT(!is_from_server)((void) ((!is_from_server) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 6768, "!is_from_server"))));
6769 label = "CLIENT_EARLY_TRAFFIC_SECRET";
6770 key_map = mk_map->tls13_client_early;
6771 break;
6772 case TLS_SECRET_HANDSHAKE:
6773 if (is_from_server) {
6774 label = "SERVER_HANDSHAKE_TRAFFIC_SECRET";
6775 key_map = mk_map->tls13_server_handshake;
6776 } else {
6777 label = "CLIENT_HANDSHAKE_TRAFFIC_SECRET";
6778 key_map = mk_map->tls13_client_handshake;
6779 }
6780 break;
6781 case TLS_SECRET_APP:
6782 if (is_from_server) {
6783 label = "SERVER_TRAFFIC_SECRET_0";
6784 key_map = mk_map->tls13_server_appdata;
6785 } else {
6786 label = "CLIENT_TRAFFIC_SECRET_0";
6787 key_map = mk_map->tls13_client_appdata;
6788 }
6789 break;
6790 default:
6791 ws_assert_not_reached()ws_log_fatal_full("", LOG_LEVEL_ERROR, "epan/dissectors/packet-tls-utils.c"
, 6791, __func__, "assertion \"not reached\" failed");
6792 }
6793
6794 /* Transitioning to new keys, mark old ones as unusable. */
6795 ssl_debug_printf("%s transitioning to new key, old state 0x%02x\n", G_STRFUNC((const char*) (__func__)), ssl->state);
6796 ssl->state &= ~(SSL_MASTER_SECRET(1<<5) | SSL_PRE_MASTER_SECRET(1<<6) | SSL_HAVE_SESSION_KEY(1<<3));
6797
6798 StringInfo *secret = (StringInfo *)g_hash_table_lookup(key_map, &ssl->client_random);
6799 if (!secret) {
6800 ssl_debug_printf("%s Cannot find %s, decryption impossible\n", G_STRFUNC((const char*) (__func__)), label);
6801 /* Disable decryption, the keys are invalid. */
6802 if (is_from_server) {
6803 ssl->server = NULL((void*)0);
6804 } else {
6805 ssl->client = NULL((void*)0);
6806 }
6807 return NULL((void*)0);
6808 }
6809
6810 /* TLS 1.3 secret found, set new keys. */
6811 ssl_debug_printf("%s Retrieved TLS 1.3 traffic secret.\n", G_STRFUNC((const char*) (__func__)));
6812 ssl_print_string("Client Random", &ssl->client_random);
6813 ssl_print_string(label, secret);
6814 return secret;
6815}
6816
6817/* Load the new key. */
6818void
6819tls13_change_key(SslDecryptSession *ssl, ssl_master_key_map_t *mk_map,
6820 bool_Bool is_from_server, TLSRecordType type)
6821{
6822 if (ssl->state & SSL_QUIC_RECORD_LAYER(1<<13)) {
6823 /*
6824 * QUIC does not use the TLS record layer for message protection.
6825 * The required keys will be extracted later by QUIC.
6826 */
6827 return;
6828 }
6829
6830 StringInfo *secret = tls13_load_secret(ssl, mk_map, is_from_server, type);
6831 if (!secret) {
6832 if (type != TLS_SECRET_HANDSHAKE) {
6833 return;
6834 }
6835 /*
6836 * Workaround for when for some reason we don't have the handshake
6837 * secret but do have the application traffic secret. (#20240)
6838 * If we can't find the handshake secret, we'll never decrypt the
6839 * Finished message, so we won't know when to change to the app
6840 * traffic key, so we do so now.
6841 */
6842 type = TLS_SECRET_APP;
6843 secret = tls13_load_secret(ssl, mk_map, is_from_server, type);
6844 if (!secret) {
6845 return;
6846 }
6847 }
6848
6849 if (tls13_generate_keys(ssl, secret, is_from_server)) {
6850 /*
6851 * Remember the application traffic secret to support Key Update. The
6852 * other secrets cannot be used for this purpose, so free them.
6853 */
6854 SslDecoder *decoder = is_from_server ? ssl->server : ssl->client;
6855 StringInfo *app_secret = &decoder->app_traffic_secret;
6856 if (type == TLS_SECRET_APP) {
6857 app_secret->data = (unsigned char *) wmem_realloc(wmem_file_scope(),
6858 app_secret->data,
6859 secret->data_len);
6860 ssl_data_set(app_secret, secret->data, secret->data_len);
6861 } else {
6862 wmem_free(wmem_file_scope(), app_secret->data);
6863 app_secret->data = NULL((void*)0);
6864 app_secret->data_len = 0;
6865 }
6866 }
6867}
6868
6869/**
6870 * Update to next application data traffic secret for TLS 1.3. The previous
6871 * secret should have been set by tls13_change_key.
6872 */
6873void
6874tls13_key_update(SslDecryptSession *ssl, bool_Bool is_from_server)
6875{
6876 /* RFC 8446 Section 7.2:
6877 * application_traffic_secret_N+1 =
6878 * HKDF-Expand-Label(application_traffic_secret_N,
6879 * "traffic upd", "", Hash.length)
6880 *
6881 * Both application_traffic_secret_N are of the same length (Hash.length).
6882 */
6883 const SslCipherSuite *cipher_suite = ssl->cipher_suite;
6884 SslDecoder *decoder = is_from_server ? ssl->server : ssl->client;
6885 StringInfo *app_secret = decoder ? &decoder->app_traffic_secret : NULL((void*)0);
6886 uint8_t tls13_draft_version = ssl->session.tls13_draft_version;
6887
6888 if (!cipher_suite || !app_secret || app_secret->data_len == 0) {
6889 ssl_debug_printf("%s Cannot perform Key Update due to missing info\n", G_STRFUNC((const char*) (__func__)));
6890 return;
6891 }
6892
6893 /*
6894 * Previous traffic secret is available, so find the hash function,
6895 * expand the new traffic secret and generate new keys.
6896 */
6897 const char *hash_name = ssl_cipher_suite_dig(cipher_suite)->name;
6898 int hash_algo = ssl_get_digest_by_name(hash_name);
6899 const unsigned hash_len = app_secret->data_len;
6900 unsigned char *new_secret;
6901 const char *label = "traffic upd";
6902 if (tls13_draft_version && tls13_draft_version < 20) {
6903 label = "application traffic secret";
6904 }
6905 if (!tls13_hkdf_expand_label(hash_algo, app_secret,
6906 tls13_hkdf_label_prefix(ssl),
6907 label, hash_len, &new_secret)) {
6908 ssl_debug_printf("%s traffic_secret_N+1 expansion failed\n", G_STRFUNC((const char*) (__func__)));
6909 return;
6910 }
6911 ssl_data_set(app_secret, new_secret, hash_len);
6912 if (tls13_generate_keys(ssl, app_secret, is_from_server)) {
6913 /*
6914 * Remember the application traffic secret on the new decoder to
6915 * support another Key Update.
6916 */
6917 decoder = is_from_server ? ssl->server : ssl->client;
6918 app_secret = &decoder->app_traffic_secret;
6919 app_secret->data = (unsigned char *) wmem_realloc(wmem_file_scope(),
6920 app_secret->data,
6921 hash_len);
6922 ssl_data_set(app_secret, new_secret, hash_len);
6923 }
6924 wmem_free(NULL((void*)0), new_secret);
6925}
6926
6927void
6928tls_save_crandom(SslDecryptSession *ssl, ssl_master_key_map_t *mk_map)
6929{
6930 if (ssl && (ssl->state & SSL_CLIENT_RANDOM(1<<0))) {
6931 g_hash_table_add(mk_map->used_crandom, ssl_data_clone(&ssl->client_random));
6932 }
6933}
6934
6935/** SSL keylog file handling. {{{ */
6936
6937static GRegex *
6938ssl_compile_keyfile_regex(void)
6939{
6940#define OCTET "(?:[[:xdigit:]]{2})"
6941 const char *pattern =
6942 "(?:"
6943 /* Matches Client Hellos having this Client Random */
6944 "PMS_CLIENT_RANDOM (?<client_random_pms>" OCTET "{32}) "
6945 /* Matches first part of encrypted RSA pre-master secret */
6946 "|RSA (?<encrypted_pmk>" OCTET "{8}) "
6947 /* Pre-Master-Secret is given, it is 48 bytes for RSA,
6948 but it can be of any length for DHE */
6949 ")(?<pms>" OCTET "+)"
6950 "|(?:"
6951 /* Matches Server Hellos having a Session ID */
6952 "RSA Session-ID:(?<session_id>" OCTET "+) Master-Key:"
6953 /* Matches Client Hellos having this Client Random */
6954 "|CLIENT_RANDOM (?<client_random>" OCTET "{32}) "
6955 /* Master-Secret is given, its length is fixed */
6956 ")(?<master_secret>" OCTET "{" G_STRINGIFY(SSL_MASTER_SECRET_LENGTH)"48" "})"
6957 "|(?"
6958 /* TLS 1.3 Client Random to Derived Secrets mapping. */
6959 ":CLIENT_EARLY_TRAFFIC_SECRET (?<client_early>" OCTET "{32})"
6960 "|CLIENT_HANDSHAKE_TRAFFIC_SECRET (?<client_handshake>" OCTET "{32})"
6961 "|SERVER_HANDSHAKE_TRAFFIC_SECRET (?<server_handshake>" OCTET "{32})"
6962 "|CLIENT_TRAFFIC_SECRET_0 (?<client_appdata>" OCTET "{32})"
6963 "|SERVER_TRAFFIC_SECRET_0 (?<server_appdata>" OCTET "{32})"
6964 "|EARLY_EXPORTER_SECRET (?<early_exporter>" OCTET "{32})"
6965 "|EXPORTER_SECRET (?<exporter>" OCTET "{32})"
6966 /* ECH. Secret length is defined by HPKE KEM Nsecret and can vary between 32 and 64 bytes */
6967 /* These labels and their notation are specified in draft-ietf-tls-ech-keylogfile-01 */
6968 "|ECH_SECRET (?<ech_secret>" OCTET "{32,64})"
6969 "|ECH_CONFIG (?<ech_config>" OCTET "{22,})"
6970 ") (?<derived_secret>" OCTET "+)";
6971#undef OCTET
6972 static GRegex *regex = NULL((void*)0);
6973 GError *gerr = NULL((void*)0);
6974
6975 if (!regex) {
6976 regex = g_regex_new(pattern,
6977 (GRegexCompileFlags)(G_REGEX_OPTIMIZE | G_REGEX_ANCHORED | G_REGEX_RAW),
6978 G_REGEX_MATCH_ANCHORED, &gerr);
6979 if (gerr) {
6980 ssl_debug_printf("%s failed to compile regex: %s\n", G_STRFUNC((const char*) (__func__)),
6981 gerr->message);
6982 g_error_free(gerr);
6983 regex = NULL((void*)0);
6984 }
6985 }
6986
6987 return regex;
6988}
6989
6990typedef struct ssl_master_key_match_group {
6991 const char *re_group_name;
6992 GHashTable *master_key_ht;
6993} ssl_master_key_match_group_t;
6994
6995void
6996tls_keylog_process_lines(const ssl_master_key_map_t *mk_map, const uint8_t *data, unsigned datalen)
6997{
6998 ssl_master_key_match_group_t mk_groups[] = {
6999 { "encrypted_pmk", mk_map->pre_master },
7000 { "session_id", mk_map->session },
7001 { "client_random", mk_map->crandom },
7002 { "client_random_pms", mk_map->pms },
7003 /* TLS 1.3 map from Client Random to derived secret. */
7004 { "client_early", mk_map->tls13_client_early },
7005 { "client_handshake", mk_map->tls13_client_handshake },
7006 { "server_handshake", mk_map->tls13_server_handshake },
7007 { "client_appdata", mk_map->tls13_client_appdata },
7008 { "server_appdata", mk_map->tls13_server_appdata },
7009 { "early_exporter", mk_map->tls13_early_exporter },
7010 { "exporter", mk_map->tls13_exporter },
7011 { "ech_secret", mk_map->ech_secret },
7012 { "ech_config", mk_map->ech_config },
7013 };
7014
7015 /* The format of the file is a series of records with one of the following formats:
7016 * - "RSA xxxx yyyy"
7017 * Where xxxx are the first 8 bytes of the encrypted pre-master secret (hex-encoded)
7018 * Where yyyy is the cleartext pre-master secret (hex-encoded)
7019 * (this is the original format introduced with bug 4349)
7020 *
7021 * - "RSA Session-ID:xxxx Master-Key:yyyy"
7022 * Where xxxx is the SSL session ID (hex-encoded)
7023 * Where yyyy is the cleartext master secret (hex-encoded)
7024 * (added to support openssl s_client Master-Key output)
7025 * This is somewhat is a misnomer because there's nothing RSA specific
7026 * about this.
7027 *
7028 * - "PMS_CLIENT_RANDOM xxxx yyyy"
7029 * Where xxxx is the client_random from the ClientHello (hex-encoded)
7030 * Where yyyy is the cleartext pre-master secret (hex-encoded)
7031 * (This format allows SSL connections to be decrypted, if a user can
7032 * capture the PMS but could not recover the MS for a specific session
7033 * with a SSL Server.)
7034 *
7035 * - "CLIENT_RANDOM xxxx yyyy"
7036 * Where xxxx is the client_random from the ClientHello (hex-encoded)
7037 * Where yyyy is the cleartext master secret (hex-encoded)
7038 * (This format allows non-RSA SSL connections to be decrypted, i.e.
7039 * ECDHE-RSA.)
7040 *
7041 * - "CLIENT_EARLY_TRAFFIC_SECRET xxxx yyyy"
7042 * - "CLIENT_HANDSHAKE_TRAFFIC_SECRET xxxx yyyy"
7043 * - "SERVER_HANDSHAKE_TRAFFIC_SECRET xxxx yyyy"
7044 * - "CLIENT_TRAFFIC_SECRET_0 xxxx yyyy"
7045 * - "SERVER_TRAFFIC_SECRET_0 xxxx yyyy"
7046 * - "EARLY_EXPORTER_SECRET xxxx yyyy"
7047 * - "EXPORTER_SECRET xxxx yyyy"
7048 * Where xxxx is the client_random from the ClientHello (hex-encoded)
7049 * Where yyyy is the secret (hex-encoded) derived from the early,
7050 * handshake or master secrets. (This format is introduced with TLS 1.3
7051 * and supported by BoringSSL, OpenSSL, etc. See bug 12779.)
7052 */
7053 GRegex *regex = ssl_compile_keyfile_regex();
7054 if (!regex)
7055 return;
7056
7057 const char *next_line = (const char *)data;
7058 const char *line_end = next_line + datalen;
7059 while (next_line && next_line < line_end) {
7060 const char *line = next_line;
7061 next_line = (const char *)memchr(line, '\n', line_end - line);
7062 ssize_t linelen;
7063
7064 if (next_line) {
7065 linelen = next_line - line;
7066 next_line++; /* drop LF */
7067 } else {
7068 linelen = (ssize_t)(line_end - line);
7069 }
7070 if (linelen > 0 && line[linelen - 1] == '\r') {
7071 linelen--; /* drop CR */
7072 }
7073
7074 ssl_debug_printf(" checking keylog line: %.*s\n", (int)linelen, line);
7075 GMatchInfo *mi;
7076 if (g_regex_match_full(regex, line, linelen, 0, G_REGEX_MATCH_ANCHORED, &mi, NULL((void*)0))) {
7077 char *hex_key, *hex_pre_ms_or_ms;
7078 StringInfo *key = wmem_new(wmem_file_scope(), StringInfo)((StringInfo*)wmem_alloc((wmem_file_scope()), sizeof(StringInfo
)));
7079 StringInfo *pre_ms_or_ms = NULL((void*)0);
7080 GHashTable *ht = NULL((void*)0);
7081
7082 /* Is the PMS being supplied with the PMS_CLIENT_RANDOM
7083 * otherwise we will use the Master Secret
7084 */
7085 hex_pre_ms_or_ms = g_match_info_fetch_named(mi, "master_secret");
7086 if (hex_pre_ms_or_ms == NULL((void*)0) || !*hex_pre_ms_or_ms) {
7087 g_free(hex_pre_ms_or_ms);
7088 hex_pre_ms_or_ms = g_match_info_fetch_named(mi, "pms");
7089 }
7090 if (hex_pre_ms_or_ms == NULL((void*)0) || !*hex_pre_ms_or_ms) {
7091 g_free(hex_pre_ms_or_ms);
7092 hex_pre_ms_or_ms = g_match_info_fetch_named(mi, "derived_secret");
7093 }
7094 /* There is always a match, otherwise the regex is wrong. */
7095 DISSECTOR_ASSERT(hex_pre_ms_or_ms && strlen(hex_pre_ms_or_ms))((void) ((hex_pre_ms_or_ms && strlen(hex_pre_ms_or_ms
)) ? (void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\""
, "epan/dissectors/packet-tls-utils.c", 7095, "hex_pre_ms_or_ms && strlen(hex_pre_ms_or_ms)"
))));
7096
7097 /* convert from hex to bytes and save to hashtable */
7098 pre_ms_or_ms = wmem_new(wmem_file_scope(), StringInfo)((StringInfo*)wmem_alloc((wmem_file_scope()), sizeof(StringInfo
)));
7099 from_hex(pre_ms_or_ms, hex_pre_ms_or_ms, strlen(hex_pre_ms_or_ms));
7100 g_free(hex_pre_ms_or_ms);
7101
7102 /* Find a master key from any format (CLIENT_RANDOM, SID, ...) */
7103 for (unsigned i = 0; i < G_N_ELEMENTS(mk_groups)(sizeof (mk_groups) / sizeof ((mk_groups)[0])); i++) {
7104 ssl_master_key_match_group_t *g = &mk_groups[i];
7105 hex_key = g_match_info_fetch_named(mi, g->re_group_name);
7106 if (hex_key && *hex_key) {
7107 ssl_debug_printf(" matched %s\n", g->re_group_name);
7108 ht = g->master_key_ht;
7109 from_hex(key, hex_key, strlen(hex_key));
7110 g_free(hex_key);
7111 break;
7112 }
7113 g_free(hex_key);
7114 }
7115 DISSECTOR_ASSERT(ht)((void) ((ht) ? (void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\""
, "epan/dissectors/packet-tls-utils.c", 7115, "ht")))); /* Cannot be reached, or regex is wrong. */
7116
7117 g_hash_table_insert(ht, key, pre_ms_or_ms);
7118
7119 } else if (linelen > 0 && line[0] != '#') {
7120 ssl_debug_printf(" unrecognized line\n");
7121 }
7122 /* always free match info even if there is no match. */
7123 g_match_info_free(mi);
7124 }
7125}
7126
7127void
7128ssl_load_keyfile(const char *tls_keylog_filename, FILE **keylog_file,
7129 const ssl_master_key_map_t *mk_map)
7130{
7131 /* no need to try if no key log file is configured. */
7132 if (!tls_keylog_filename || !*tls_keylog_filename) {
7133 ssl_debug_printf("%s dtls/tls.keylog_file is not configured!\n",
7134 G_STRFUNC((const char*) (__func__)));
7135 return;
7136 }
7137
7138 /* Validate regexes before even trying to use it. */
7139 if (!ssl_compile_keyfile_regex()) {
7140 return;
7141 }
7142
7143 ssl_debug_printf("trying to use TLS keylog in %s\n", tls_keylog_filename);
7144
7145 /* if the keylog file was deleted/overwritten, re-open it */
7146 if (*keylog_file && file_needs_reopen(ws_filenofileno(*keylog_file), tls_keylog_filename)) {
7147 ssl_debug_printf("%s file got deleted, trying to re-open\n", G_STRFUNC((const char*) (__func__)));
7148 fclose(*keylog_file);
7149 *keylog_file = NULL((void*)0);
7150 }
7151
7152 if (*keylog_file == NULL((void*)0)) {
7153 *keylog_file = ws_fopenfopen(tls_keylog_filename, "r");
7154 if (!*keylog_file) {
7155 ssl_debug_printf("%s failed to open SSL keylog\n", G_STRFUNC((const char*) (__func__)));
7156 return;
7157 }
7158 }
7159
7160 for (;;) {
7161 char buf[1110], *line;
7162 line = fgets(buf, sizeof(buf), *keylog_file);
7163 if (!line) {
7164 if (feof(*keylog_file)) {
7165 /* Ensure that newly appended keys can be read in the future. */
7166 clearerr(*keylog_file);
7167 } else if (ferror(*keylog_file)) {
7168 ssl_debug_printf("%s Error while reading key log file, closing it!\n", G_STRFUNC((const char*) (__func__)));
7169 fclose(*keylog_file);
7170 *keylog_file = NULL((void*)0);
7171 }
7172 break;
7173 }
7174 tls_keylog_process_lines(mk_map, (uint8_t *)line, (int)strlen(line));
7175 }
7176}
7177/** SSL keylog file handling. }}} */
7178
7179#ifdef SSL_DECRYPT_DEBUG /* {{{ */
7180
7181static FILE* ssl_debug_file;
7182
7183void
7184ssl_set_debug(const char* name)
7185{
7186 static int debug_file_must_be_closed;
7187 int use_stderr;
7188
7189 use_stderr = name?(strcmp(name, SSL_DEBUG_USE_STDERR"-") == 0):0;
7190
7191 if (debug_file_must_be_closed)
7192 fclose(ssl_debug_file);
7193
7194 if (use_stderr)
7195 ssl_debug_file = stderrstderr;
7196 else if (!name || (strcmp(name, "") ==0))
7197 ssl_debug_file = NULL((void*)0);
7198 else
7199 ssl_debug_file = ws_fopenfopen(name, "w");
7200
7201 if (!use_stderr && ssl_debug_file)
7202 debug_file_must_be_closed = 1;
7203 else
7204 debug_file_must_be_closed = 0;
7205
7206 ssl_debug_printf("Wireshark SSL debug log \n\n");
7207#ifdef HAVE_LIBGNUTLS1
7208 ssl_debug_printf("GnuTLS version: %s\n", gnutls_check_version(NULL((void*)0)));
7209#endif
7210 ssl_debug_printf("Libgcrypt version: %s\n", gcry_check_version(NULL((void*)0)));
7211 ssl_debug_printf("\n");
7212}
7213
7214void
7215ssl_debug_flush(void)
7216{
7217 if (ssl_debug_file)
7218 fflush(ssl_debug_file);
7219}
7220
7221void
7222ssl_debug_printf(const char* fmt, ...)
7223{
7224 va_list ap;
7225
7226 if (!ssl_debug_file)
7227 return;
7228
7229 va_start(ap, fmt)__builtin_va_start(ap, fmt);
7230 vfprintf(ssl_debug_file, fmt, ap);
7231 va_end(ap)__builtin_va_end(ap);
7232}
7233
7234void
7235ssl_print_data(const char* name, const unsigned char* data, size_t len)
7236{
7237 size_t i, j, k;
7238 if (!ssl_debug_file)
7239 return;
7240 fprintf(ssl_debug_file,"%s[%d]:\n",name, (int) len);
7241 for (i=0; i<len; i+=16) {
7242 fprintf(ssl_debug_file,"| ");
7243 for (j=i, k=0; k<16 && j<len; ++j, ++k)
7244 fprintf(ssl_debug_file,"%.2x ",data[j]);
7245 for (; k<16; ++k)
7246 fprintf(ssl_debug_file," ");
7247 fputc('|', ssl_debug_file);
7248 for (j=i, k=0; k<16 && j<len; ++j, ++k) {
7249 unsigned char c = data[j];
7250 if (!g_ascii_isprint(c)((g_ascii_table[(guchar) (c)] & G_ASCII_PRINT) != 0) || (c=='\t')) c = '.';
7251 fputc(c, ssl_debug_file);
7252 }
7253 for (; k<16; ++k)
7254 fputc(' ', ssl_debug_file);
7255 fprintf(ssl_debug_file,"|\n");
7256 }
7257}
7258
7259void
7260ssl_print_string(const char* name, const StringInfo* data)
7261{
7262 ssl_print_data(name, data->data, data->data_len);
7263}
7264#endif /* SSL_DECRYPT_DEBUG }}} */
7265
7266/* UAT preferences callbacks. {{{ */
7267/* checks for SSL and DTLS UAT key list fields */
7268
7269bool_Bool
7270ssldecrypt_uat_fld_ip_chk_cb(void* r _U___attribute__((unused)), const char* p _U___attribute__((unused)), unsigned len _U___attribute__((unused)), const void* u1 _U___attribute__((unused)), const void* u2 _U___attribute__((unused)), char** err)
7271{
7272 // This should be removed in favor of Decode As. Make it optional.
7273 *err = NULL((void*)0);
7274 return true1;
7275}
7276
7277bool_Bool
7278ssldecrypt_uat_fld_port_chk_cb(void* r _U___attribute__((unused)), const char* p, unsigned len _U___attribute__((unused)), const void* u1 _U___attribute__((unused)), const void* u2 _U___attribute__((unused)), char** err)
7279{
7280 if (!p || strlen(p) == 0u) {
7281 // This should be removed in favor of Decode As. Make it optional.
7282 *err = NULL((void*)0);
7283 return true1;
7284 }
7285
7286 if (strcmp(p, "start_tls") != 0){
7287 uint16_t port;
7288 if (!ws_strtou16(p, NULL((void*)0), &port)) {
7289 *err = g_strdup("Invalid port given.")g_strdup_inline ("Invalid port given.");
7290 return false0;
7291 }
7292 }
7293
7294 *err = NULL((void*)0);
7295 return true1;
7296}
7297
7298bool_Bool
7299ssldecrypt_uat_fld_fileopen_chk_cb(void* r _U___attribute__((unused)), const char* p, unsigned len _U___attribute__((unused)), const void* u1 _U___attribute__((unused)), const void* u2 _U___attribute__((unused)), char** err)
7300{
7301 ws_statb64struct stat st;
7302
7303 if (!p || strlen(p) == 0u) {
7304 *err = g_strdup("No filename given.")g_strdup_inline ("No filename given.");
7305 return false0;
7306 } else {
7307 if (ws_stat64stat(p, &st) != 0) {
7308 *err = ws_strdup_printf("File '%s' does not exist or access is denied.", p)wmem_strdup_printf(((void*)0), "File '%s' does not exist or access is denied."
, p);
7309 return false0;
7310 }
7311 }
7312
7313 *err = NULL((void*)0);
7314 return true1;
7315}
7316
7317bool_Bool
7318ssldecrypt_uat_fld_password_chk_cb(void *r _U___attribute__((unused)), const char *p _U___attribute__((unused)), unsigned len _U___attribute__((unused)), const void *u1 _U___attribute__((unused)), const void *u2 _U___attribute__((unused)), char **err)
7319{
7320#if defined(HAVE_LIBGNUTLS1)
7321 ssldecrypt_assoc_t* f = (ssldecrypt_assoc_t *)r;
7322 FILE *fp = NULL((void*)0);
7323
7324 if (p && (strlen(p) > 0u)) {
7325 fp = ws_fopenfopen(f->keyfile, "rb");
7326 if (fp) {
7327 char *msg = NULL((void*)0);
7328 gnutls_x509_privkey_t priv_key = rsa_load_pkcs12(fp, p, &msg);
7329 if (!priv_key) {
7330 fclose(fp);
7331 *err = ws_strdup_printf("Could not load PKCS#12 key file: %s", msg)wmem_strdup_printf(((void*)0), "Could not load PKCS#12 key file: %s"
, msg);
7332 g_free(msg);
7333 return false0;
7334 }
7335 g_free(msg);
7336 gnutls_x509_privkey_deinit(priv_key);
7337 fclose(fp);
7338 } else {
7339 *err = ws_strdup_printf("Leave this field blank if the keyfile is not PKCS#12.")wmem_strdup_printf(((void*)0), "Leave this field blank if the keyfile is not PKCS#12."
);
7340 return false0;
7341 }
7342 }
7343
7344 *err = NULL((void*)0);
7345 return true1;
7346#else
7347 *err = g_strdup("Cannot load key files, support is not compiled in.")g_strdup_inline ("Cannot load key files, support is not compiled in."
);
7348 return false0;
7349#endif
7350}
7351/* UAT preferences callbacks. }}} */
7352
7353/** maximum size of ssl_association_info() string */
7354#define SSL_ASSOC_MAX_LEN8192 8192
7355
7356typedef struct ssl_association_info_callback_data
7357{
7358 char *str;
7359 const char *table_protocol;
7360} ssl_association_info_callback_data_t;
7361
7362/**
7363 * callback function used by ssl_association_info() to traverse the SSL associations.
7364 */
7365static void
7366ssl_association_info_(const char *table _U___attribute__((unused)), void *handle, void *user_data)
7367{
7368 ssl_association_info_callback_data_t* data = (ssl_association_info_callback_data_t*)user_data;
7369 const int l = (const int)strlen(data->str);
7370 snprintf(data->str+l, SSL_ASSOC_MAX_LEN8192-l, "'%s' (%s)\n", dissector_handle_get_dissector_name((dissector_handle_t)handle), dissector_handle_get_description((dissector_handle_t)handle));
7371}
7372
7373/**
7374 * @return an information string on the SSL protocol associations. The string must be freed.
7375 */
7376char*
7377ssl_association_info(const char* dissector_table_name, const char* table_protocol)
7378{
7379 ssl_association_info_callback_data_t data;
7380
7381 data.str = (char *)g_malloc0(SSL_ASSOC_MAX_LEN8192);
7382 data.table_protocol = table_protocol;
7383 dissector_table_foreach_handle(dissector_table_name, ssl_association_info_, &data);
7384 return data.str;
7385}
7386
7387
7388/** Begin of code related to dissection of wire data. */
7389
7390/* Helpers for dissecting Variable-Length Vectors. {{{ */
7391bool_Bool
7392ssl_add_vector(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
7393 unsigned offset, unsigned offset_end, uint32_t *ret_length,
7394 int hf_length, uint32_t min_value, uint32_t max_value)
7395{
7396 unsigned veclen_size;
7397 uint32_t veclen_value;
7398 proto_item *pi;
7399
7400 DISSECTOR_ASSERT_CMPUINT(min_value, <=, max_value)((void) ((min_value <= max_value) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion " "min_value" " " "<=" " " "max_value"
" (" "%" "l" "u" " " "<=" " " "%" "l" "u" ")", "epan/dissectors/packet-tls-utils.c"
, 7400, (uint64_t)min_value, (uint64_t)max_value))));
7401 if (offset > offset_end) {
7402 expert_add_info_format(pinfo, tree, &hf->ei.malformed_buffer_too_small,
7403 "Vector offset is past buffer end offset (%u > %u)",
7404 offset, offset_end);
7405 *ret_length = 0;
7406 return false0; /* Cannot read length. */
7407 }
7408
7409 if (max_value > 0xffffff) {
7410 veclen_size = 4;
7411 } else if (max_value > 0xffff) {
7412 veclen_size = 3;
7413 } else if (max_value > 0xff) {
7414 veclen_size = 2;
7415 } else {
7416 veclen_size = 1;
7417 }
7418
7419 if (offset_end - offset < veclen_size) {
7420 proto_tree_add_expert_format(tree, pinfo, &hf->ei.malformed_buffer_too_small,
7421 tvb, offset, offset_end - offset,
7422 "No more room for vector of length %u",
7423 veclen_size);
7424 *ret_length = 0;
7425 return false0; /* Cannot read length. */
7426 }
7427
7428 pi = proto_tree_add_item_ret_uint(tree, hf_length, tvb, offset, veclen_size, ENC_BIG_ENDIAN0x00000000, &veclen_value);
7429 offset += veclen_size;
7430
7431 if (veclen_value < min_value) {
7432 expert_add_info_format(pinfo, pi, &hf->ei.malformed_vector_length,
7433 "Vector length %u is smaller than minimum %u",
7434 veclen_value, min_value);
7435 } else if (veclen_value > max_value) {
7436 expert_add_info_format(pinfo, pi, &hf->ei.malformed_vector_length,
7437 "Vector length %u is larger than maximum %u",
7438 veclen_value, max_value);
7439 }
7440
7441 if (offset_end - offset < veclen_value) {
7442 expert_add_info_format(pinfo, pi, &hf->ei.malformed_buffer_too_small,
7443 "Vector length %u is too large, truncating it to %u",
7444 veclen_value, offset_end - offset);
7445 *ret_length = offset_end - offset;
7446 return false0; /* Length is truncated to avoid overflow. */
7447 }
7448
7449 *ret_length = veclen_value;
7450 return true1; /* Length is OK. */
7451}
7452
7453bool_Bool
7454ssl_end_vector(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
7455 unsigned offset, unsigned offset_end)
7456{
7457 if (offset < offset_end) {
7458 unsigned trailing = offset_end - offset;
7459 proto_tree_add_expert_format(tree, pinfo, &hf->ei.malformed_trailing_data,
7460 tvb, offset, trailing,
7461 "%u trailing byte%s unprocessed",
7462 trailing, plurality(trailing, " was", "s were")((trailing) == 1 ? (" was") : ("s were")));
7463 return false0; /* unprocessed data warning */
7464 } else if (offset > offset_end) {
7465 /*
7466 * Returned offset runs past the end. This should not happen and is
7467 * possibly a dissector bug.
7468 */
7469 unsigned excess = offset - offset_end;
7470 proto_tree_add_expert_format(tree, pinfo, &hf->ei.malformed_buffer_too_small,
7471 tvb, offset_end, excess,
7472 "Dissector processed too much data (%u byte%s)",
7473 excess, plurality(excess, "", "s")((excess) == 1 ? ("") : ("s")));
7474 return false0; /* overflow error */
7475 }
7476
7477 return true1; /* OK, offset matches. */
7478}
7479/** }}} */
7480
7481
7482static uint32_t
7483ssl_dissect_digitally_signed(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
7484 proto_tree *tree, uint32_t offset, uint32_t offset_end,
7485 uint16_t version, int hf_sig_len, int hf_sig);
7486
7487/* change_cipher_spec(20) dissection */
7488void
7489ssl_dissect_change_cipher_spec(ssl_common_dissect_t *hf, tvbuff_t *tvb,
7490 packet_info *pinfo, proto_tree *tree,
7491 uint32_t offset, SslSession *session,
7492 bool_Bool is_from_server,
7493 const SslDecryptSession *ssl)
7494{
7495 /*
7496 * struct {
7497 * enum { change_cipher_spec(1), (255) } type;
7498 * } ChangeCipherSpec;
7499 */
7500 proto_item *ti;
7501 proto_item_set_text(tree,
7502 "%s Record Layer: %s Protocol: Change Cipher Spec",
7503 val_to_str_const(session->version, ssl_version_short_names, "SSL"),
7504 val_to_str_const(SSL_ID_CHG_CIPHER_SPEC, ssl_31_content_type, "unknown"));
7505 ti = proto_tree_add_item(tree, hf->hf.change_cipher_spec, tvb, offset, 1, ENC_NA0x00000000);
7506
7507 if (session->version == TLSV1DOT3_VERSION0x304) {
7508 /* CCS is a dummy message in TLS 1.3, do not parse it further. */
7509 return;
7510 }
7511
7512 /* Remember frame number of first CCS */
7513 uint32_t *ccs_frame = is_from_server ? &session->server_ccs_frame : &session->client_ccs_frame;
7514 if (*ccs_frame == 0)
7515 *ccs_frame = pinfo->num;
7516
7517 /* Use heuristics to detect an abbreviated handshake, assume that missing
7518 * ServerHelloDone implies reusing previously negotiating keys. Then when
7519 * a Session ID or ticket is present, it must be a resumed session.
7520 * Normally this should be done at the Finished message, but that may be
7521 * encrypted so we do it here, at the last cleartext message. */
7522 if (is_from_server && ssl) {
7523 if (session->is_session_resumed) {
7524 const char *resumed = NULL((void*)0);
7525 if (ssl->session_ticket.data_len) {
7526 resumed = "Session Ticket";
7527 } else if (ssl->session_id.data_len) {
7528 resumed = "Session ID";
7529 }
7530 if (resumed) {
7531 ssl_debug_printf("%s Session resumption using %s\n", G_STRFUNC((const char*) (__func__)), resumed);
7532 } else {
7533 /* Can happen if the capture somehow starts in the middle */
7534 ssl_debug_printf("%s No Session resumption, missing packets?\n", G_STRFUNC((const char*) (__func__)));
7535 }
7536 } else {
7537 ssl_debug_printf("%s Not using Session resumption\n", G_STRFUNC((const char*) (__func__)));
7538 }
7539 }
7540 if (is_from_server && session->is_session_resumed)
7541 expert_add_info(pinfo, ti, &hf->ei.resumed);
7542}
7543
7544/** Begin of handshake(22) record dissections */
7545
7546/* Dissects a SignatureScheme (TLS 1.3) or SignatureAndHashAlgorithm (TLS 1.2).
7547 * {{{ */
7548static void
7549tls_dissect_signature_algorithm(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree, uint32_t offset, ja4_data_t *ja4_data)
7550{
7551 uint32_t sighash, hashalg, sigalg;
7552 proto_item *ti_sigalg;
7553 proto_tree *sigalg_tree;
7554
7555 ti_sigalg = proto_tree_add_item_ret_uint(tree, hf->hf.hs_sig_hash_alg, tvb,
7556 offset, 2, ENC_BIG_ENDIAN0x00000000, &sighash);
7557 if (ja4_data) {
7558 wmem_list_append(ja4_data->sighash_list, GUINT_TO_POINTER(sighash)((gpointer) (gulong) (sighash)));
7559 }
7560
7561 sigalg_tree = proto_item_add_subtree(ti_sigalg, hf->ett.hs_sig_hash_alg);
7562
7563 /* TLS 1.2: SignatureAndHashAlgorithm { hash, signature } */
7564 proto_tree_add_item_ret_uint(sigalg_tree, hf->hf.hs_sig_hash_hash, tvb,
7565 offset, 1, ENC_BIG_ENDIAN0x00000000, &hashalg);
7566 proto_tree_add_item_ret_uint(sigalg_tree, hf->hf.hs_sig_hash_sig, tvb,
7567 offset + 1, 1, ENC_BIG_ENDIAN0x00000000, &sigalg);
7568
7569 /* No TLS 1.3 SignatureScheme? Fallback to TLS 1.2 interpretation. */
7570 if (!try_val_to_str(sighash, tls13_signature_algorithm)) {
7571 proto_item_set_text(ti_sigalg, "Signature Algorithm: %s %s (0x%04x)",
7572 val_to_str_const(hashalg, tls_hash_algorithm, "Unknown"),
7573 val_to_str_const(sigalg, tls_signature_algorithm, "Unknown"),
7574 sighash);
7575 }
7576} /* }}} */
7577
7578/* dissect a list of hash algorithms, return the number of bytes dissected
7579 this is used for the signature algorithms extension and for the
7580 TLS1.2 certificate request. {{{ */
7581static int
7582ssl_dissect_hash_alg_list(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree,
7583 packet_info* pinfo, uint32_t offset, uint32_t offset_end, ja4_data_t *ja4_data)
7584{
7585 /* https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1
7586 * struct {
7587 * HashAlgorithm hash;
7588 * SignatureAlgorithm signature;
7589 * } SignatureAndHashAlgorithm;
7590 * SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2>;
7591 */
7592 proto_tree *subtree;
7593 proto_item *ti;
7594 unsigned sh_alg_length;
7595 uint32_t next_offset;
7596
7597 /* SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2> */
7598 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &sh_alg_length,
7599 hf->hf.hs_sig_hash_alg_len, 2, UINT16_MAX(65535) - 1)) {
7600 return offset_end;
7601 }
7602 offset += 2;
7603 next_offset = offset + sh_alg_length;
7604
7605 ti = proto_tree_add_none_format(tree, hf->hf.hs_sig_hash_algs, tvb, offset, sh_alg_length,
7606 "Signature Hash Algorithms (%u algorithm%s)",
7607 sh_alg_length / 2, plurality(sh_alg_length / 2, "", "s")((sh_alg_length / 2) == 1 ? ("") : ("s")));
7608 subtree = proto_item_add_subtree(ti, hf->ett.hs_sig_hash_algs);
7609
7610 while (offset + 2 <= next_offset) {
7611 tls_dissect_signature_algorithm(hf, tvb, subtree, offset, ja4_data);
7612 offset += 2;
7613 }
7614
7615 if (!ssl_end_vector(hf, tvb, pinfo, subtree, offset, next_offset)) {
7616 offset = next_offset;
7617 }
7618
7619 return offset;
7620} /* }}} */
7621
7622/* Dissection of DistinguishedName (for CertificateRequest and
7623 * certificate_authorities extension). {{{ */
7624static uint32_t
7625tls_dissect_certificate_authorities(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
7626 proto_tree *tree, uint32_t offset, uint32_t offset_end)
7627{
7628 proto_item *ti;
7629 proto_tree *subtree;
7630 uint32_t dnames_length, next_offset;
7631 asn1_ctx_t asn1_ctx;
7632 int dnames_count = 100; /* the maximum number of DNs to add to the tree */
7633
7634 /* Note: minimum length is 0 for TLS 1.1/1.2 and 3 for earlier/later */
7635 /* DistinguishedName certificate_authorities<0..2^16-1> */
7636 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &dnames_length,
7637 hf->hf.hs_dnames_len, 0, UINT16_MAX(65535))) {
7638 return offset_end;
7639 }
7640 offset += 2;
7641 next_offset = offset + dnames_length;
7642
7643 if (dnames_length > 0) {
7644 ti = proto_tree_add_none_format(tree,
7645 hf->hf.hs_dnames,
7646 tvb, offset, dnames_length,
7647 "Distinguished Names (%d byte%s)",
7648 dnames_length,
7649 plurality(dnames_length, "", "s")((dnames_length) == 1 ? ("") : ("s")));
7650 subtree = proto_item_add_subtree(ti, hf->ett.dnames);
7651
7652 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true1, pinfo);
7653
7654 while (offset < next_offset) {
7655 /* get the length of the current certificate */
7656 uint32_t name_length;
7657
7658 if (dnames_count-- == 0) {
7659 /* stop adding to tree when the list is considered too large
7660 * https://gitlab.com/wireshark/wireshark/-/issues/16202
7661 Note: dnames_count must be set low enough not to hit the
7662 limit set by PINFO_LAYER_MAX_RECURSION_DEPTH in packet.c
7663 */
7664 ti = proto_tree_add_item(subtree, hf->hf.hs_dnames_truncated,
7665 tvb, offset, next_offset - offset, ENC_NA0x00000000);
7666 proto_item_set_generated(ti);
7667 return next_offset;
7668 }
7669
7670 /* opaque DistinguishedName<1..2^16-1> */
7671 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, next_offset, &name_length,
7672 hf->hf.hs_dname_len, 1, UINT16_MAX(65535))) {
7673 return next_offset;
7674 }
7675 offset += 2;
7676
7677 dissect_x509if_DistinguishedName(false0, tvb, offset, &asn1_ctx,
7678 subtree, hf->hf.hs_dname);
7679 offset += name_length;
7680 }
7681 }
7682 return offset;
7683} /* }}} */
7684
7685
7686/** TLS Extensions (in Client Hello and Server Hello). {{{ */
7687static int
7688ssl_dissect_hnd_hello_ext_sig_hash_algs(ssl_common_dissect_t *hf, tvbuff_t *tvb,
7689 proto_tree *tree, packet_info* pinfo, uint32_t offset, uint32_t offset_end, ja4_data_t *ja4_data)
7690{
7691 return ssl_dissect_hash_alg_list(hf, tvb, tree, pinfo, offset, offset_end, ja4_data);
7692}
7693
7694static int
7695ssl_dissect_hnd_ext_delegated_credentials(ssl_common_dissect_t *hf, tvbuff_t *tvb,
7696 proto_tree *tree, packet_info* pinfo, uint32_t offset, uint32_t offset_end, uint8_t hnd_type)
7697{
7698 if (hnd_type == SSL_HND_CLIENT_HELLO ||
7699 hnd_type == SSL_HND_CERT_REQUEST) {
7700 /*
7701 * struct {
7702 * SignatureScheme supported_signature_algorithm<2..2^16-2>;
7703 * } SignatureSchemeList;
7704 */
7705
7706 return ssl_dissect_hash_alg_list(hf, tvb, tree, pinfo, offset, offset_end, NULL((void*)0));
7707 } else {
7708 asn1_ctx_t asn1_ctx;
7709 unsigned pubkey_length, sign_length;
7710
7711 /*
7712 * struct {
7713 * uint32 valid_time;
7714 * SignatureScheme expected_cert_verify_algorithm;
7715 * opaque ASN1_subjectPublicKeyInfo<1..2^24-1>;
7716 * } Credential;
7717 *
7718 * struct {
7719 * Credential cred;
7720 * SignatureScheme algorithm;
7721 * opaque signature<0..2^16-1>;
7722 * } DelegatedCredential;
7723 */
7724
7725 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true1, pinfo);
7726
7727 proto_tree_add_item(tree, hf->hf.hs_cred_valid_time, tvb, offset, 4, ENC_BIG_ENDIAN0x00000000);
7728 offset += 4;
7729
7730 tls_dissect_signature_algorithm(hf, tvb, tree, offset, NULL((void*)0));
7731 offset += 2;
7732
7733 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &pubkey_length,
7734 hf->hf.hs_cred_pubkey_len, 1, G_MAXUINT24((1U << 24) - 1))) {
7735 return offset_end;
7736 }
7737 offset += 3;
7738 dissect_x509af_SubjectPublicKeyInfo(false0, tvb, offset, &asn1_ctx, tree, hf->hf.hs_cred_pubkey);
7739 offset += pubkey_length;
7740
7741 tls_dissect_signature_algorithm(hf, tvb, tree, offset, NULL((void*)0));
7742 offset += 2;
7743
7744 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &sign_length,
7745 hf->hf.hs_cred_signature_len, 1, UINT16_MAX(65535))) {
7746 return offset_end;
7747 }
7748 offset += 2;
7749 proto_tree_add_item(tree, hf->hf.hs_cred_signature,
7750 tvb, offset, sign_length, ENC_ASCII0x00000000|ENC_NA0x00000000);
7751 offset += sign_length;
7752
7753 return offset;
7754 }
7755}
7756
7757static int
7758ssl_dissect_hnd_hello_ext_alps(ssl_common_dissect_t *hf, tvbuff_t *tvb,
7759 packet_info *pinfo, proto_tree *tree,
7760 uint32_t offset, uint32_t offset_end,
7761 uint8_t hnd_type)
7762{
7763
7764 /* https://datatracker.ietf.org/doc/html/draft-vvv-tls-alps-01#section-4 */
7765
7766 switch (hnd_type) {
7767 case SSL_HND_CLIENT_HELLO: {
7768 proto_tree *alps_tree;
7769 proto_item *ti;
7770 uint32_t next_offset, alps_length, name_length;
7771
7772 /*
7773 * opaque ProtocolName<1..2^8-1>;
7774 * struct {
7775 * ProtocolName supported_protocols<2..2^16-1>
7776 * } ApplicationSettingsSupport;
7777 */
7778
7779 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &alps_length,
7780 hf->hf.hs_ext_alps_len, 2, UINT16_MAX(65535))) {
7781 return offset_end;
7782 }
7783 offset += 2;
7784 next_offset = offset + alps_length;
7785
7786 ti = proto_tree_add_item(tree, hf->hf.hs_ext_alps_alpn_list,
7787 tvb, offset, alps_length, ENC_NA0x00000000);
7788 alps_tree = proto_item_add_subtree(ti, hf->ett.hs_ext_alps);
7789
7790 /* Parse list (note missing check for end of vector, ssl_add_vector below
7791 * ensures that data is always available.) */
7792 while (offset < next_offset) {
7793 if (!ssl_add_vector(hf, tvb, pinfo, alps_tree, offset, next_offset, &name_length,
7794 hf->hf.hs_ext_alps_alpn_str_len, 1, UINT8_MAX(255))) {
7795 return next_offset;
7796 }
7797 offset++;
7798
7799 proto_tree_add_item(alps_tree, hf->hf.hs_ext_alps_alpn_str,
7800 tvb, offset, name_length, ENC_ASCII0x00000000|ENC_NA0x00000000);
7801 offset += name_length;
7802 }
7803
7804 return offset;
7805 }
7806 case SSL_HND_ENCRYPTED_EXTS:
7807 /* Opaque blob */
7808 proto_tree_add_item(tree, hf->hf.hs_ext_alps_settings,
7809 tvb, offset, offset_end - offset, ENC_ASCII0x00000000|ENC_NA0x00000000);
7810 break;
7811 }
7812
7813 return offset_end;
7814}
7815
7816static int
7817ssl_dissect_hnd_hello_ext_alpn(ssl_common_dissect_t *hf, tvbuff_t *tvb,
7818 packet_info *pinfo, proto_tree *tree,
7819 uint32_t offset, uint32_t offset_end,
7820 uint8_t hnd_type, SslSession *session,
7821 bool_Bool is_dtls, ja4_data_t *ja4_data)
7822{
7823
7824 /* https://tools.ietf.org/html/rfc7301#section-3.1
7825 * opaque ProtocolName<1..2^8-1>;
7826 * struct {
7827 * ProtocolName protocol_name_list<2..2^16-1>
7828 * } ProtocolNameList;
7829 */
7830 proto_tree *alpn_tree;
7831 proto_item *ti;
7832 uint32_t next_offset, alpn_length, name_length;
7833 const char *proto_name = NULL((void*)0), *client_proto_name = NULL((void*)0);
7834
7835 /* ProtocolName protocol_name_list<2..2^16-1> */
7836 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &alpn_length,
7837 hf->hf.hs_ext_alpn_len, 2, UINT16_MAX(65535))) {
7838 return offset_end;
7839 }
7840 offset += 2;
7841 next_offset = offset + alpn_length;
7842
7843 ti = proto_tree_add_item(tree, hf->hf.hs_ext_alpn_list,
7844 tvb, offset, alpn_length, ENC_NA0x00000000);
7845 alpn_tree = proto_item_add_subtree(ti, hf->ett.hs_ext_alpn);
7846
7847 /* Parse list (note missing check for end of vector, ssl_add_vector below
7848 * ensures that data is always available.) */
7849 while (offset < next_offset) {
7850 /* opaque ProtocolName<1..2^8-1> */
7851 if (!ssl_add_vector(hf, tvb, pinfo, alpn_tree, offset, next_offset, &name_length,
7852 hf->hf.hs_ext_alpn_str_len, 1, UINT8_MAX(255))) {
7853 return next_offset;
7854 }
7855 offset++;
7856
7857 proto_tree_add_item(alpn_tree, hf->hf.hs_ext_alpn_str,
7858 tvb, offset, name_length, ENC_ASCII0x00000000|ENC_NA0x00000000);
7859 if (ja4_data && wmem_strbuf_get_len(ja4_data->alpn) == 0) {
7860 const char alpn_first_char = (char)tvb_get_uint8(tvb,offset);
7861 const char alpn_last_char = (char)tvb_get_uint8(tvb,offset + name_length - 1);
7862 if ((g_ascii_isalnum(alpn_first_char)((g_ascii_table[(guchar) (alpn_first_char)] & G_ASCII_ALNUM
) != 0)) && g_ascii_isalnum(alpn_last_char)((g_ascii_table[(guchar) (alpn_last_char)] & G_ASCII_ALNUM
) != 0)) {
7863 wmem_strbuf_append_printf(ja4_data->alpn, "%c%c", alpn_first_char, alpn_last_char);
7864 }
7865 else {
7866 wmem_strbuf_append_printf(ja4_data->alpn, "%x%x",(alpn_first_char >> 4) & 0x0F,
7867 alpn_last_char & 0x0F);
7868 }
7869 }
7870 /* Remember first ALPN ProtocolName entry for server. */
7871 if (hnd_type == SSL_HND_SERVER_HELLO || hnd_type == SSL_HND_ENCRYPTED_EXTENSIONS) {
7872 /* '\0'-terminated string for dissector table match and prefix
7873 * comparison purposes. */
7874 proto_name = (char*)tvb_get_string_enc(pinfo->pool, tvb, offset,
7875 name_length, ENC_ASCII0x00000000);
7876 } else if (hnd_type == SSL_HND_CLIENT_HELLO) {
7877 client_proto_name = (char*)tvb_get_string_enc(pinfo->pool, tvb, offset,
7878 name_length, ENC_ASCII0x00000000);
7879 }
7880 offset += name_length;
7881 }
7882
7883 /* If ALPN is given in ServerHello, then ProtocolNameList MUST contain
7884 * exactly one "ProtocolName". */
7885 if (proto_name) {
7886 dissector_handle_t handle;
7887
7888 session->alpn_name = wmem_strdup(wmem_file_scope(), proto_name);
7889
7890 if (is_dtls) {
7891 handle = dissector_get_string_handle(dtls_alpn_dissector_table,
7892 proto_name);
7893 } else {
7894 handle = dissector_get_string_handle(ssl_alpn_dissector_table,
7895 proto_name);
7896 if (handle == NULL((void*)0)) {
7897 /* Try prefix matching */
7898 for (size_t i = 0; i < G_N_ELEMENTS(ssl_alpn_prefix_match_protocols)(sizeof (ssl_alpn_prefix_match_protocols) / sizeof ((ssl_alpn_prefix_match_protocols
)[0])); i++) {
7899 const ssl_alpn_prefix_match_protocol_t *alpn_proto = &ssl_alpn_prefix_match_protocols[i];
7900
7901 /* string_string is inappropriate as it compares strings
7902 * while "byte strings MUST NOT be truncated" (RFC 7301) */
7903 if (g_str_has_prefix(proto_name, alpn_proto->proto_prefix)(__builtin_constant_p (alpn_proto->proto_prefix)? __extension__
({ const char * const __str = (proto_name); const char * const
__prefix = (alpn_proto->proto_prefix); gboolean __result =
(0); if (__str == ((void*)0) || __prefix == ((void*)0)) __result
= (g_str_has_prefix) (__str, __prefix); else { const size_t __str_len
= strlen (((__str) + !(__str))); const size_t __prefix_len =
strlen (((__prefix) + !(__prefix))); if (__str_len >= __prefix_len
) __result = memcmp (((__str) + !(__str)), ((__prefix) + !(__prefix
)), __prefix_len) == 0; } __result; }) : (g_str_has_prefix) (
proto_name, alpn_proto->proto_prefix) )) {
7904 handle = find_dissector(alpn_proto->dissector_name);
7905 break;
7906 }
7907 }
7908 }
7909 }
7910 if (handle != NULL((void*)0)) {
7911 /* ProtocolName match, so set the App data dissector handle.
7912 * This may override protocols given via the UAT dialog, but
7913 * since the ALPN hint is precise, do it anyway. */
7914 ssl_debug_printf("%s: changing handle %p to %p (%s)", G_STRFUNC((const char*) (__func__)),
7915 (void *)session->app_handle,
7916 (void *)handle,
7917 dissector_handle_get_dissector_name(handle));
7918 session->app_handle = handle;
7919 }
7920 } else if (client_proto_name) {
7921 // No current use for looking up the handle as the only consumer of this API is currently the QUIC dissector
7922 // and it just needs the string since there are/were various HTTP/3 ALPNs to check for.
7923 session->client_alpn_name = wmem_strdup(wmem_file_scope(), client_proto_name);
7924 }
7925
7926 return offset;
7927}
7928
7929static int
7930ssl_dissect_hnd_hello_ext_npn(ssl_common_dissect_t *hf, tvbuff_t *tvb,
7931 packet_info *pinfo, proto_tree *tree,
7932 uint32_t offset, uint32_t offset_end)
7933{
7934 /* https://tools.ietf.org/html/draft-agl-tls-nextprotoneg-04#page-3
7935 * The "extension_data" field of a "next_protocol_negotiation" extension
7936 * in a "ServerHello" contains an optional list of protocols advertised
7937 * by the server. Protocols are named by opaque, non-empty byte strings
7938 * and the list of protocols is serialized as a concatenation of 8-bit,
7939 * length prefixed byte strings. Implementations MUST ensure that the
7940 * empty string is not included and that no byte strings are truncated.
7941 */
7942 uint32_t npn_length;
7943 proto_tree *npn_tree;
7944
7945 /* List is optional, do not add tree if there are no entries. */
7946 if (offset == offset_end) {
7947 return offset;
7948 }
7949
7950 npn_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset, hf->ett.hs_ext_npn, NULL((void*)0), "Next Protocol Negotiation");
7951
7952 while (offset < offset_end) {
7953 /* non-empty, 8-bit length prefixed strings means range 1..255 */
7954 if (!ssl_add_vector(hf, tvb, pinfo, npn_tree, offset, offset_end, &npn_length,
7955 hf->hf.hs_ext_npn_str_len, 1, UINT8_MAX(255))) {
7956 return offset_end;
7957 }
7958 offset++;
7959
7960 proto_tree_add_item(npn_tree, hf->hf.hs_ext_npn_str,
7961 tvb, offset, npn_length, ENC_ASCII0x00000000|ENC_NA0x00000000);
7962 offset += npn_length;
7963 }
7964
7965 return offset;
7966}
7967
7968static int
7969ssl_dissect_hnd_hello_ext_reneg_info(ssl_common_dissect_t *hf, tvbuff_t *tvb,
7970 packet_info *pinfo, proto_tree *tree,
7971 uint32_t offset, uint32_t offset_end)
7972{
7973 /* https://tools.ietf.org/html/rfc5746#section-3.2
7974 * struct {
7975 * opaque renegotiated_connection<0..255>;
7976 * } RenegotiationInfo;
7977 *
7978 */
7979 proto_tree *reneg_info_tree;
7980 uint32_t reneg_info_length;
7981
7982 reneg_info_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset, hf->ett.hs_ext_reneg_info, NULL((void*)0), "Renegotiation Info extension");
7983
7984 /* opaque renegotiated_connection<0..255> */
7985 if (!ssl_add_vector(hf, tvb, pinfo, reneg_info_tree, offset, offset_end, &reneg_info_length,
7986 hf->hf.hs_ext_reneg_info_len, 0, 255)) {
7987 return offset_end;
7988 }
7989 offset++;
7990
7991 if (reneg_info_length > 0) {
7992 proto_tree_add_item(reneg_info_tree, hf->hf.hs_ext_reneg_info, tvb, offset, reneg_info_length, ENC_NA0x00000000);
7993 offset += reneg_info_length;
7994 }
7995
7996 return offset;
7997}
7998
7999static int
8000ssl_dissect_hnd_hello_ext_key_share_entry(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8001 proto_tree *tree, uint32_t offset, uint32_t offset_end,
8002 const char **group_name_out)
8003{
8004 /* RFC 8446 Section 4.2.8
8005 * struct {
8006 * NamedGroup group;
8007 * opaque key_exchange<1..2^16-1>;
8008 * } KeyShareEntry;
8009 */
8010 uint32_t key_exchange_length, group;
8011 proto_tree *ks_tree;
8012
8013 ks_tree = proto_tree_add_subtree(tree, tvb, offset, 4, hf->ett.hs_ext_key_share_ks, NULL((void*)0), "Key Share Entry");
8014
8015 proto_tree_add_item_ret_uint(ks_tree, hf->hf.hs_ext_key_share_group, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &group);
8016 offset += 2;
8017 const char *group_name = val_to_str(pinfo->pool, group, ssl_extension_curves, "Unknown (%u)");
8018 proto_item_append_text(ks_tree, ": Group: %s", group_name);
8019 if (group_name_out) {
8020 *group_name_out = !IS_GREASE_TLS(group)((((group) & 0x0f0f) == 0x0a0a) && (((group) &
0xff) == (((group)>>8) & 0xff))) ? group_name : NULL((void*)0);
8021 }
8022
8023 /* opaque key_exchange<1..2^16-1> */
8024 if (!ssl_add_vector(hf, tvb, pinfo, ks_tree, offset, offset_end, &key_exchange_length,
8025 hf->hf.hs_ext_key_share_key_exchange_length, 1, UINT16_MAX(65535))) {
8026 return offset_end; /* Bad (possible truncated) length, skip to end of KeyShare extension. */
8027 }
8028 offset += 2;
8029 proto_item_set_len(ks_tree, 2 + 2 + key_exchange_length);
8030 proto_item_append_text(ks_tree, ", Key Exchange length: %u", key_exchange_length);
8031
8032 proto_tree_add_item(ks_tree, hf->hf.hs_ext_key_share_key_exchange, tvb, offset, key_exchange_length, ENC_NA0x00000000);
8033 offset += key_exchange_length;
8034
8035 return offset;
8036}
8037
8038static int
8039ssl_dissect_hnd_hello_ext_key_share(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8040 proto_tree *tree, uint32_t offset, uint32_t offset_end,
8041 uint8_t hnd_type)
8042{
8043 proto_tree *key_share_tree;
8044 uint32_t next_offset;
8045 uint32_t client_shares_length;
8046 uint32_t group;
8047 const char *group_name = NULL((void*)0);
8048
8049 if (offset_end <= offset) { /* Check if ext_len == 0 and "overflow" (offset + ext_len) > uint32_t) */
8050 return offset;
8051 }
8052
8053 key_share_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset, hf->ett.hs_ext_key_share, NULL((void*)0), "Key Share extension");
8054
8055 switch(hnd_type){
8056 case SSL_HND_CLIENT_HELLO:
8057 /* KeyShareEntry client_shares<0..2^16-1> */
8058 if (!ssl_add_vector(hf, tvb, pinfo, key_share_tree, offset, offset_end, &client_shares_length,
8059 hf->hf.hs_ext_key_share_client_length, 0, UINT16_MAX(65535))) {
8060 return offset_end;
8061 }
8062 offset += 2;
8063 next_offset = offset + client_shares_length;
8064 const char *sep = " ";
8065 while (offset + 4 <= next_offset) { /* (NamedGroup (2 bytes), key_exchange (1 byte for length, 1 byte minimum data) */
8066 offset = ssl_dissect_hnd_hello_ext_key_share_entry(hf, tvb, pinfo, key_share_tree, offset, next_offset, &group_name);
8067 if (group_name) {
8068 proto_item_append_text(tree, "%s%s", sep, group_name);
8069 sep = ", ";
8070 }
8071 }
8072 if (!ssl_end_vector(hf, tvb, pinfo, key_share_tree, offset, next_offset)) {
8073 return next_offset;
8074 }
8075 break;
8076 case SSL_HND_SERVER_HELLO:
8077 offset = ssl_dissect_hnd_hello_ext_key_share_entry(hf, tvb, pinfo, key_share_tree, offset, offset_end, &group_name);
8078 if (group_name) {
8079 proto_item_append_text(tree, " %s", group_name);
8080 }
8081 break;
8082 case SSL_HND_HELLO_RETRY_REQUEST:
8083 proto_tree_add_item_ret_uint(key_share_tree, hf->hf.hs_ext_key_share_selected_group, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &group);
8084 offset += 2;
8085 group_name = val_to_str(pinfo->pool, group, ssl_extension_curves, "Unknown (%u)");
8086 proto_item_append_text(tree, " %s", group_name);
8087 break;
8088 default: /* no default */
8089 break;
8090 }
8091
8092 return offset;
8093}
8094
8095static int
8096ssl_dissect_hnd_hello_ext_pre_shared_key(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8097 proto_tree *tree, uint32_t offset, uint32_t offset_end,
8098 uint8_t hnd_type)
8099{
8100 /* RFC 8446 Section 4.2.11
8101 * struct {
8102 * opaque identity<1..2^16-1>;
8103 * uint32 obfuscated_ticket_age;
8104 * } PskIdentity;
8105 * opaque PskBinderEntry<32..255>;
8106 * struct {
8107 * select (Handshake.msg_type) {
8108 * case client_hello:
8109 * PskIdentity identities<7..2^16-1>;
8110 * PskBinderEntry binders<33..2^16-1>;
8111 * case server_hello:
8112 * uint16 selected_identity;
8113 * };
8114 * } PreSharedKeyExtension;
8115 */
8116
8117 proto_tree *psk_tree;
8118
8119 psk_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset, hf->ett.hs_ext_pre_shared_key, NULL((void*)0), "Pre-Shared Key extension");
8120
8121 switch (hnd_type){
8122 case SSL_HND_CLIENT_HELLO: {
8123 uint32_t identities_length, identities_end, binders_length;
8124
8125 /* PskIdentity identities<7..2^16-1> */
8126 if (!ssl_add_vector(hf, tvb, pinfo, psk_tree, offset, offset_end, &identities_length,
8127 hf->hf.hs_ext_psk_identities_length, 7, UINT16_MAX(65535))) {
8128 return offset_end;
8129 }
8130 offset += 2;
8131 identities_end = offset + identities_length;
8132
8133 while (offset < identities_end) {
8134 uint32_t identity_length;
8135 proto_tree *identity_tree;
8136
8137 identity_tree = proto_tree_add_subtree(psk_tree, tvb, offset, 4, hf->ett.hs_ext_psk_identity, NULL((void*)0), "PSK Identity (");
8138
8139 /* opaque identity<1..2^16-1> */
8140 if (!ssl_add_vector(hf, tvb, pinfo, identity_tree, offset, identities_end, &identity_length,
8141 hf->hf.hs_ext_psk_identity_identity_length, 1, UINT16_MAX(65535))) {
8142 return identities_end;
8143 }
8144 offset += 2;
8145 proto_item_append_text(identity_tree, "length: %u)", identity_length);
8146
8147 proto_tree_add_item(identity_tree, hf->hf.hs_ext_psk_identity_identity, tvb, offset, identity_length, ENC_BIG_ENDIAN0x00000000);
8148 offset += identity_length;
8149
8150 proto_tree_add_item(identity_tree, hf->hf.hs_ext_psk_identity_obfuscated_ticket_age, tvb, offset, 4, ENC_BIG_ENDIAN0x00000000);
8151 offset += 4;
8152
8153 proto_item_set_len(identity_tree, 2 + identity_length + 4);
8154 }
8155 if (!ssl_end_vector(hf, tvb, pinfo, psk_tree, offset, identities_end)) {
8156 offset = identities_end;
8157 }
8158
8159 /* PskBinderEntry binders<33..2^16-1> */
8160 if (!ssl_add_vector(hf, tvb, pinfo, psk_tree, offset, offset_end, &binders_length,
8161 hf->hf.hs_ext_psk_binders_length, 33, UINT16_MAX(65535))) {
8162 return offset_end;
8163 }
8164 offset += 2;
8165
8166 proto_item *binders_item;
8167 proto_tree *binders_tree;
8168 binders_item = proto_tree_add_item(psk_tree, hf->hf.hs_ext_psk_binders, tvb, offset, binders_length, ENC_NA0x00000000);
8169 binders_tree = proto_item_add_subtree(binders_item, hf->ett.hs_ext_psk_binders);
8170 uint32_t binders_end = offset + binders_length;
8171 while (offset < binders_end) {
8172 uint32_t binder_length;
8173 proto_item *binder_item;
8174 proto_tree *binder_tree;
8175
8176 binder_item = proto_tree_add_item(binders_tree, hf->hf.hs_ext_psk_binder, tvb, offset, 1, ENC_NA0x00000000);
8177 binder_tree = proto_item_add_subtree(binder_item, hf->ett.hs_ext_psk_binder);
8178
8179 /* opaque PskBinderEntry<32..255>; */
8180 if (!ssl_add_vector(hf, tvb, pinfo, binder_tree, offset, binders_end, &binder_length,
8181 hf->hf.hs_ext_psk_binder_binder_length, 32, 255)) {
8182 return binders_end;
8183 }
8184 offset += 1;
8185 proto_item_append_text(binder_tree, " (length: %u)", binder_length);
8186
8187 proto_tree_add_item(binder_tree, hf->hf.hs_ext_psk_binder_binder, tvb, offset, binder_length, ENC_BIG_ENDIAN0x00000000);
8188 offset += binder_length;
8189
8190 proto_item_set_end(binder_item, tvb, offset);
8191 }
8192 }
8193 break;
8194 case SSL_HND_SERVER_HELLO: {
8195 proto_tree_add_item(psk_tree, hf->hf.hs_ext_psk_identity_selected, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
8196 offset += 2;
8197 }
8198 break;
8199 default:
8200 break;
8201 }
8202
8203 return offset;
8204}
8205
8206static uint32_t
8207ssl_dissect_hnd_hello_ext_early_data(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo _U___attribute__((unused)),
8208 proto_tree *tree, uint32_t offset, uint32_t offset_end _U___attribute__((unused)),
8209 uint8_t hnd_type, SslDecryptSession *ssl)
8210{
8211 /* RFC 8446 Section 4.2.10
8212 * struct {} Empty;
8213 * struct {
8214 * select (Handshake.msg_type) {
8215 * case new_session_ticket: uint32 max_early_data_size;
8216 * case client_hello: Empty;
8217 * case encrypted_extensions: Empty;
8218 * };
8219 * } EarlyDataIndication;
8220 */
8221 switch (hnd_type) {
8222 case SSL_HND_CLIENT_HELLO:
8223 /* Remember that early_data will follow the handshake. */
8224 if (ssl) {
8225 ssl_debug_printf("%s found early_data extension\n", G_STRFUNC((const char*) (__func__)));
8226 ssl->has_early_data = true1;
8227 }
8228 break;
8229 case SSL_HND_NEWSESSION_TICKET:
8230 proto_tree_add_item(tree, hf->hf.hs_ext_max_early_data_size, tvb, offset, 4, ENC_BIG_ENDIAN0x00000000);
8231 offset += 4;
8232 break;
8233 default:
8234 break;
8235 }
8236 return offset;
8237}
8238
8239static uint16_t
8240tls_try_get_version(bool_Bool is_dtls, uint16_t version, uint8_t *draft_version)
8241{
8242 if (draft_version) {
8243 *draft_version = 0;
8244 }
8245 if (!is_dtls) {
8246 uint8_t tls13_draft = extract_tls13_draft_version(version);
8247 if (tls13_draft != 0) {
8248 /* This is TLS 1.3 (a draft version). */
8249 if (draft_version) {
8250 *draft_version = tls13_draft;
8251 }
8252 version = TLSV1DOT3_VERSION0x304;
8253 }
8254 if (version == 0xfb17 || version == 0xfb1a) {
8255 /* Unofficial TLS 1.3 draft version for Facebook fizz. */
8256 tls13_draft = (uint8_t)version;
8257 if (draft_version) {
8258 *draft_version = tls13_draft;
8259 }
8260 version = TLSV1DOT3_VERSION0x304;
8261 }
8262 }
8263
8264 switch (version) {
8265 case SSLV3_VERSION0x300:
8266 case TLSV1_VERSION0x301:
8267 case TLSV1DOT1_VERSION0x302:
8268 case TLSV1DOT2_VERSION0x303:
8269 case TLSV1DOT3_VERSION0x304:
8270 case TLCPV1_VERSION0x101:
8271 if (is_dtls)
8272 return SSL_VER_UNKNOWN0;
8273 break;
8274
8275 case DTLSV1DOT0_VERSION0xfeff:
8276 case DTLSV1DOT0_OPENSSL_VERSION0x100:
8277 case DTLSV1DOT2_VERSION0xfefd:
8278 case DTLSV1DOT3_VERSION0xfefc:
8279 if (!is_dtls)
8280 return SSL_VER_UNKNOWN0;
8281 break;
8282
8283 default: /* invalid version number */
8284 return SSL_VER_UNKNOWN0;
8285 }
8286
8287 return version;
8288}
8289
8290static int
8291ssl_dissect_hnd_hello_ext_supported_versions(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8292 proto_tree *tree, uint32_t offset, uint32_t offset_end,
8293 SslSession *session, bool_Bool is_dtls, ja4_data_t *ja4_data)
8294{
8295
8296 /* RFC 8446 Section 4.2.1
8297 * struct {
8298 * ProtocolVersion versions<2..254>; // ClientHello
8299 * } SupportedVersions;
8300 * Note that ServerHello and HelloRetryRequest are handled by the caller.
8301 */
8302 uint32_t versions_length, next_offset;
8303 /* ProtocolVersion versions<2..254> */
8304 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &versions_length,
8305 hf->hf.hs_ext_supported_versions_len, 2, 254)) {
8306 return offset_end;
8307 }
8308 offset++;
8309 next_offset = offset + versions_length;
8310
8311 unsigned version;
8312 unsigned current_version, lowest_version = SSL_VER_UNKNOWN0;
8313 uint8_t draft_version, max_draft_version = 0;
8314 const char *sep = " ";
8315 while (offset + 2 <= next_offset) {
8316 proto_tree_add_item_ret_uint(tree, hf->hf.hs_ext_supported_version, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &version);
8317 offset += 2;
8318
8319 if (!IS_GREASE_TLS(version)((((version) & 0x0f0f) == 0x0a0a) && (((version) &
0xff) == (((version)>>8) & 0xff)))) {
8320 proto_item_append_text(tree, "%s%s", sep, val_to_str(pinfo->pool, version, ssl_versions, "Unknown (0x%04x)"));
8321 sep = ", ";
8322 }
8323
8324 current_version = tls_try_get_version(is_dtls, version, &draft_version);
8325 if (session->version == SSL_VER_UNKNOWN0) {
8326 if (lowest_version == SSL_VER_UNKNOWN0) {
8327 lowest_version = current_version;
8328 } else if (current_version != SSL_VER_UNKNOWN0) {
8329 if (!is_dtls) {
8330 lowest_version = MIN(lowest_version, current_version)(((lowest_version) < (current_version)) ? (lowest_version)
: (current_version));
8331 } else {
8332 lowest_version = MAX(lowest_version, current_version)(((lowest_version) > (current_version)) ? (lowest_version)
: (current_version));
8333 }
8334 }
8335 }
8336 max_draft_version = MAX(draft_version, max_draft_version)(((draft_version) > (max_draft_version)) ? (draft_version)
: (max_draft_version));
8337 if (ja4_data && !IS_GREASE_TLS(version)((((version) & 0x0f0f) == 0x0a0a) && (((version) &
0xff) == (((version)>>8) & 0xff)))) {
8338 /* The DTLS version numbers get mapped to "00" for unknown per
8339 * JA4 spec, but if JA4 ever does support DTLS we'll probably
8340 * need to take the MIN instead of MAX here for DTLS.
8341 */
8342 ja4_data->max_version = MAX(version, ja4_data->max_version)(((version) > (ja4_data->max_version)) ? (version) : (ja4_data
->max_version));
8343 }
8344 }
8345 if (session->version == SSL_VER_UNKNOWN0 && lowest_version != SSL_VER_UNKNOWN0) {
8346 col_set_str(pinfo->cinfo, COL_PROTOCOL,
8347 val_to_str_const(version, ssl_version_short_names, is_dtls ? "DTLS" : "TLS"));
8348 }
8349 if (!ssl_end_vector(hf, tvb, pinfo, tree, offset, next_offset)) {
8350 offset = next_offset;
8351 }
8352
8353 /* XXX remove this when draft 19 support is dropped,
8354 * this is only required for early data decryption. */
8355 if (max_draft_version) {
8356 session->tls13_draft_version = max_draft_version;
8357 }
8358
8359 return offset;
8360}
8361
8362static int
8363ssl_dissect_hnd_hello_ext_cookie(ssl_common_dissect_t *hf, tvbuff_t *tvb,
8364 packet_info *pinfo, proto_tree *tree,
8365 uint32_t offset, uint32_t offset_end)
8366{
8367 /* RFC 8446 Section 4.2.2
8368 * struct {
8369 * opaque cookie<1..2^16-1>;
8370 * } Cookie;
8371 */
8372 uint32_t cookie_length;
8373 /* opaque cookie<1..2^16-1> */
8374 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &cookie_length,
8375 hf->hf.hs_ext_cookie_len, 1, UINT16_MAX(65535))) {
8376 return offset_end;
8377 }
8378 offset += 2;
8379
8380 proto_tree_add_item(tree, hf->hf.hs_ext_cookie, tvb, offset, cookie_length, ENC_NA0x00000000);
8381 offset += cookie_length;
8382
8383 return offset;
8384}
8385
8386static int
8387ssl_dissect_hnd_hello_ext_psk_key_exchange_modes(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8388 proto_tree *tree, uint32_t offset, uint32_t offset_end)
8389{
8390 /* RFC 8446 Section 4.2.9
8391 * enum { psk_ke(0), psk_dhe_ke(1), (255) } PskKeyExchangeMode;
8392 *
8393 * struct {
8394 * PskKeyExchangeMode ke_modes<1..255>;
8395 * } PskKeyExchangeModes;
8396 */
8397 uint32_t ke_modes_length, next_offset;
8398
8399 /* PskKeyExchangeMode ke_modes<1..255> */
8400 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &ke_modes_length,
8401 hf->hf.hs_ext_psk_ke_modes_length, 1, 255)) {
8402 return offset_end;
8403 }
8404 offset++;
8405 next_offset = offset + ke_modes_length;
8406
8407 while (offset < next_offset) {
8408 proto_tree_add_item(tree, hf->hf.hs_ext_psk_ke_mode, tvb, offset, 1, ENC_NA0x00000000);
8409 offset++;
8410 }
8411
8412 return offset;
8413}
8414
8415static uint32_t
8416ssl_dissect_hnd_hello_ext_certificate_authorities(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8417 proto_tree *tree, uint32_t offset, uint32_t offset_end)
8418{
8419 /* RFC 8446 Section 4.2.4
8420 * opaque DistinguishedName<1..2^16-1>;
8421 * struct {
8422 * DistinguishedName authorities<3..2^16-1>;
8423 * } CertificateAuthoritiesExtension;
8424 */
8425 return tls_dissect_certificate_authorities(hf, tvb, pinfo, tree, offset, offset_end);
8426}
8427
8428static int
8429ssl_dissect_hnd_hello_ext_oid_filters(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8430 proto_tree *tree, uint32_t offset, uint32_t offset_end)
8431{
8432 /* RFC 8446 Section 4.2.5
8433 * struct {
8434 * opaque certificate_extension_oid<1..2^8-1>;
8435 * opaque certificate_extension_values<0..2^16-1>;
8436 * } OIDFilter;
8437 * struct {
8438 * OIDFilter filters<0..2^16-1>;
8439 * } OIDFilterExtension;
8440 */
8441 proto_tree *subtree;
8442 uint32_t filters_length, oid_length, values_length, value_offset;
8443 asn1_ctx_t asn1_ctx;
8444 const char *oid, *name;
8445
8446 /* OIDFilter filters<0..2^16-1> */
8447 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &filters_length,
8448 hf->hf.hs_ext_psk_ke_modes_length, 0, UINT16_MAX(65535))) {
8449 return offset_end;
8450 }
8451 offset += 2;
8452 offset_end = offset + filters_length;
8453
8454 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true1, pinfo);
8455
8456 while (offset < offset_end) {
8457 subtree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
8458 hf->ett.hs_ext_oid_filter, NULL((void*)0), "OID Filter");
8459
8460 /* opaque certificate_extension_oid<1..2^8-1> */
8461 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, offset_end, &oid_length,
8462 hf->hf.hs_ext_oid_filters_oid_length, 1, UINT8_MAX(255))) {
8463 return offset_end;
8464 }
8465 offset++;
8466 dissect_ber_object_identifier_str(false0, &asn1_ctx, subtree, tvb, offset,
8467 hf->hf.hs_ext_oid_filters_oid, &oid);
8468 offset += oid_length;
8469
8470 /* Append OID to tree label */
8471 name = oid_resolved_from_string(pinfo->pool, oid);
8472 proto_item_append_text(subtree, " (%s)", name ? name : oid);
8473
8474 /* opaque certificate_extension_values<0..2^16-1> */
8475 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, offset_end, &values_length,
8476 hf->hf.hs_ext_oid_filters_values_length, 0, UINT16_MAX(65535))) {
8477 return offset_end;
8478 }
8479 offset += 2;
8480 proto_item_set_len(subtree, 1 + oid_length + 2 + values_length);
8481 if (values_length > 0) {
8482 value_offset = offset;
8483 value_offset = dissect_ber_identifier(pinfo, subtree, tvb, value_offset, NULL((void*)0), NULL((void*)0), NULL((void*)0));
8484 value_offset = dissect_ber_length(pinfo, subtree, tvb, value_offset, NULL((void*)0), NULL((void*)0));
8485 call_ber_oid_callback(oid, tvb, value_offset, pinfo, subtree, NULL((void*)0));
8486 }
8487 offset += values_length;
8488 }
8489
8490 return offset;
8491}
8492
8493static int
8494ssl_dissect_hnd_hello_ext_server_name(ssl_common_dissect_t *hf, tvbuff_t *tvb,
8495 packet_info *pinfo, proto_tree *tree,
8496 uint32_t offset, uint32_t offset_end)
8497{
8498 /* https://tools.ietf.org/html/rfc6066#section-3
8499 *
8500 * struct {
8501 * NameType name_type;
8502 * select (name_type) {
8503 * case host_name: HostName;
8504 * } name;
8505 * } ServerName;
8506 *
8507 * enum {
8508 * host_name(0), (255)
8509 * } NameType;
8510 *
8511 * opaque HostName<1..2^16-1>;
8512 *
8513 * struct {
8514 * ServerName server_name_list<1..2^16-1>
8515 * } ServerNameList;
8516 */
8517 proto_tree *server_name_tree;
8518 uint32_t list_length, server_name_length, next_offset;
8519
8520 /* The server SHALL include "server_name" extension with empty data. */
8521 if (offset == offset_end) {
8522 return offset;
8523 }
8524
8525 server_name_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset, hf->ett.hs_ext_server_name, NULL((void*)0), "Server Name Indication extension");
8526
8527 /* ServerName server_name_list<1..2^16-1> */
8528 if (!ssl_add_vector(hf, tvb, pinfo, server_name_tree, offset, offset_end, &list_length,
8529 hf->hf.hs_ext_server_name_list_len, 1, UINT16_MAX(65535))) {
8530 return offset_end;
8531 }
8532 offset += 2;
8533 next_offset = offset + list_length;
8534
8535 while (offset < next_offset) {
8536 uint32_t name_type;
8537 const char *server_name = NULL((void*)0);
8538 proto_tree_add_item_ret_uint(server_name_tree, hf->hf.hs_ext_server_name_type,
8539 tvb, offset, 1, ENC_NA0x00000000, &name_type);
8540 offset++;
8541
8542 /* opaque HostName<1..2^16-1> */
8543 if (!ssl_add_vector(hf, tvb, pinfo, server_name_tree, offset, next_offset, &server_name_length,
8544 hf->hf.hs_ext_server_name_len, 1, UINT16_MAX(65535))) {
8545 return next_offset;
8546 }
8547 offset += 2;
8548
8549 proto_tree_add_item_ret_string(server_name_tree, hf->hf.hs_ext_server_name,
8550 tvb, offset, server_name_length, ENC_ASCII0x00000000|ENC_NA0x00000000,
8551 pinfo->pool, (const uint8_t**)&server_name);
8552 offset += server_name_length;
8553 // Each type must only occur once, so we don't check for duplicates.
8554 if (name_type == 0) {
8555 proto_item_append_text(tree, " name=%s", server_name);
8556 col_append_fstr(pinfo->cinfo, COL_INFO, " (SNI=%s)", server_name);
8557
8558 if (gbl_resolv_flags.handshake_sni_addr_resolution) {
8559 // Client Hello: Client (Src) -> Server (Dst)
8560 switch (pinfo->dst.type) {
8561 case AT_IPv4:
8562 if (pinfo->dst.len == sizeof(uint32_t)) {
8563 add_ipv4_name(*(uint32_t *)pinfo->dst.data, server_name, false0);
8564 }
8565 break;
8566 case AT_IPv6:
8567 if (pinfo->dst.len == sizeof(ws_in6_addr)) {
8568 add_ipv6_name(pinfo->dst.data, server_name, false0);
8569 }
8570 break;
8571 }
8572 }
8573 }
8574 }
8575 return offset;
8576}
8577
8578static int
8579ssl_dissect_hnd_hello_ext_session_ticket(ssl_common_dissect_t *hf, tvbuff_t *tvb,
8580 proto_tree *tree, uint32_t offset, uint32_t offset_end, uint8_t hnd_type, SslDecryptSession *ssl)
8581{
8582 unsigned ext_len = offset_end - offset;
8583 if (hnd_type == SSL_HND_CLIENT_HELLO && ssl && ext_len != 0) {
8584 tvb_ensure_bytes_exist(tvb, offset, ext_len);
8585 /* Save the Session Ticket such that it can be used as identifier for
8586 * restoring a previous Master Secret (in ChangeCipherSpec) */
8587 ssl->session_ticket.data = (unsigned char*)wmem_realloc(wmem_file_scope(),
8588 ssl->session_ticket.data, ext_len);
8589 ssl->session_ticket.data_len = ext_len;
8590 tvb_memcpy(tvb,ssl->session_ticket.data, offset, ext_len);
8591 }
8592 proto_tree_add_item(tree, hf->hf.hs_ext_session_ticket,
8593 tvb, offset, ext_len, ENC_NA0x00000000);
8594 return offset + ext_len;
8595}
8596
8597static int
8598ssl_dissect_hnd_hello_ext_cert_type(ssl_common_dissect_t *hf, tvbuff_t *tvb,
8599 proto_tree *tree, uint32_t offset, uint32_t offset_end,
8600 uint8_t hnd_type, uint16_t ext_type, SslSession *session)
8601{
8602 uint8_t cert_list_length;
8603 uint8_t cert_type;
8604 proto_tree *cert_list_tree;
8605 proto_item *ti;
8606
8607 switch(hnd_type){
8608 case SSL_HND_CLIENT_HELLO:
8609 cert_list_length = tvb_get_uint8(tvb, offset);
8610 proto_tree_add_item(tree, hf->hf.hs_ext_cert_types_len,
8611 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
8612 offset += 1;
8613 if (offset_end - offset != (uint32_t)cert_list_length)
8614 return offset;
8615
8616 ti = proto_tree_add_item(tree, hf->hf.hs_ext_cert_types, tvb, offset,
8617 cert_list_length, cert_list_length);
8618 proto_item_append_text(ti, " (%d)", cert_list_length);
8619
8620 /* make this a subtree */
8621 cert_list_tree = proto_item_add_subtree(ti, hf->ett.hs_ext_cert_types);
8622
8623 /* loop over all point formats */
8624 while (cert_list_length > 0)
8625 {
8626 proto_tree_add_item(cert_list_tree, hf->hf.hs_ext_cert_type, tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
8627 offset++;
8628 cert_list_length--;
8629 }
8630 break;
8631 case SSL_HND_SERVER_HELLO:
8632 case SSL_HND_ENCRYPTED_EXTENSIONS:
8633 case SSL_HND_CERTIFICATE:
8634 cert_type = tvb_get_uint8(tvb, offset);
8635 proto_tree_add_item(tree, hf->hf.hs_ext_cert_type, tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
8636 offset += 1;
8637 if (ext_type == SSL_HND_HELLO_EXT_CERT_TYPE9 || ext_type == SSL_HND_HELLO_EXT_CLIENT_CERT_TYPE19) {
8638 session->client_cert_type = cert_type;
8639 }
8640 if (ext_type == SSL_HND_HELLO_EXT_CERT_TYPE9 || ext_type == SSL_HND_HELLO_EXT_SERVER_CERT_TYPE20) {
8641 session->server_cert_type = cert_type;
8642 }
8643 break;
8644 default: /* no default */
8645 break;
8646 }
8647
8648 return offset;
8649}
8650
8651static uint32_t
8652ssl_dissect_hnd_hello_ext_compress_certificate(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8653 proto_tree *tree, uint32_t offset, uint32_t offset_end,
8654 uint8_t hnd_type, SslDecryptSession *ssl _U___attribute__((unused)))
8655{
8656 uint32_t compress_certificate_algorithms_length, next_offset;
8657
8658 /* https://tools.ietf.org/html/draft-ietf-tls-certificate-compression-03#section-3.0
8659 * enum {
8660 * zlib(1),
8661 * brotli(2),
8662 * (65535)
8663 * } CertificateCompressionAlgorithm;
8664 *
8665 * struct {
8666 * CertificateCompressionAlgorithm algorithms<1..2^8-1>;
8667 * } CertificateCompressionAlgorithms;
8668 */
8669 switch (hnd_type) {
8670 case SSL_HND_CLIENT_HELLO:
8671 case SSL_HND_CERT_REQUEST:
8672 /* CertificateCompressionAlgorithm algorithms<1..2^8-1>;*/
8673 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &compress_certificate_algorithms_length,
8674 hf->hf.hs_ext_compress_certificate_algorithms_length, 1, UINT8_MAX(255)-1)) {
8675 return offset_end;
8676 }
8677 offset += 1;
8678 next_offset = offset + compress_certificate_algorithms_length;
8679
8680 while (offset < next_offset) {
8681 proto_tree_add_item(tree, hf->hf.hs_ext_compress_certificate_algorithm,
8682 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
8683 offset += 2;
8684 }
8685 break;
8686 default:
8687 break;
8688 }
8689
8690 return offset;
8691}
8692
8693static uint32_t
8694ssl_dissect_hnd_hello_ext_token_binding(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8695 proto_tree *tree, uint32_t offset, uint32_t offset_end,
8696 uint8_t hnd_type, SslDecryptSession *ssl _U___attribute__((unused)))
8697{
8698 uint32_t key_parameters_length, next_offset;
8699 proto_item *p_ti;
8700 proto_tree *p_tree;
8701
8702 /* RFC 8472
8703 *
8704 * struct {
8705 * uint8 major;
8706 * uint8 minor;
8707 * } TB_ProtocolVersion;
8708 *
8709 * enum {
8710 * rsa2048_pkcs1.5(0), rsa2048_pss(1), ecdsap256(2), (255)
8711 * } TokenBindingKeyParameters;
8712 *
8713 * struct {
8714 * TB_ProtocolVersion token_binding_version;
8715 * TokenBindingKeyParameters key_parameters_list<1..2^8-1>
8716 * } TokenBindingParameters;
8717 */
8718
8719 switch (hnd_type) {
8720 case SSL_HND_CLIENT_HELLO:
8721 case SSL_HND_SERVER_HELLO:
8722 proto_tree_add_item(tree, hf->hf.hs_ext_token_binding_version_major, tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
8723 offset += 1;
8724 proto_tree_add_item(tree, hf->hf.hs_ext_token_binding_version_minor, tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
8725 offset += 1;
8726
8727 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &key_parameters_length,
8728 hf->hf.hs_ext_token_binding_key_parameters_length, 1, UINT8_MAX(255))) {
8729 return offset_end;
8730 }
8731 offset += 1;
8732 next_offset = offset + key_parameters_length;
8733
8734 p_ti = proto_tree_add_none_format(tree,
8735 hf->hf.hs_ext_token_binding_key_parameters,
8736 tvb, offset, key_parameters_length,
8737 "Key parameters identifiers (%d identifier%s)",
8738 key_parameters_length,
8739 plurality(key_parameters_length, "", "s")((key_parameters_length) == 1 ? ("") : ("s")));
8740 p_tree = proto_item_add_subtree(p_ti, hf->ett.hs_ext_token_binding_key_parameters);
8741
8742 while (offset < next_offset) {
8743 proto_tree_add_item(p_tree, hf->hf.hs_ext_token_binding_key_parameter,
8744 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
8745 offset += 1;
8746 }
8747
8748 if (!ssl_end_vector(hf, tvb, pinfo, p_tree, offset, next_offset)) {
8749 offset = next_offset;
8750 }
8751
8752 break;
8753 default:
8754 break;
8755 }
8756
8757 return offset;
8758}
8759
8760static uint32_t
8761ssl_dissect_hnd_hello_ext_quic_transport_parameters(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8762 proto_tree *tree, uint32_t offset, uint32_t offset_end,
8763 uint8_t hnd_type, SslDecryptSession *ssl _U___attribute__((unused)))
8764{
8765 bool_Bool use_varint_encoding = true1; // Whether this is draft -27 or newer.
8766 uint32_t next_offset;
8767
8768 /* https://tools.ietf.org/html/draft-ietf-quic-transport-25#section-18
8769 *
8770 * Note: the following structures are not literally defined in the spec,
8771 * they instead use an ASCII diagram.
8772 *
8773 * struct {
8774 * uint16 id;
8775 * opaque value<0..2^16-1>;
8776 * } TransportParameter; // before draft -27
8777 * TransportParameter TransportParameters<0..2^16-1>; // before draft -27
8778 *
8779 * struct {
8780 * opaque ipv4Address[4];
8781 * uint16 ipv4Port;
8782 * opaque ipv6Address[16];
8783 * uint16 ipv6Port;
8784 * opaque connectionId<0..18>;
8785 * opaque statelessResetToken[16];
8786 * } PreferredAddress;
8787 */
8788
8789 if (offset_end - offset >= 6 &&
8790 2 + (unsigned)tvb_get_ntohs(tvb, offset) == offset_end - offset &&
8791 6 + (unsigned)tvb_get_ntohs(tvb, offset + 4) <= offset_end - offset) {
8792 // Assume encoding of Transport Parameters draft -26 or older with at
8793 // least one transport parameter that has a valid length.
8794 use_varint_encoding = false0;
8795 }
8796
8797 if (use_varint_encoding) {
8798 next_offset = offset_end;
8799 } else {
8800 uint32_t quic_length;
8801 // Assume draft -26 or earlier.
8802 /* TransportParameter TransportParameters<0..2^16-1>; */
8803 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &quic_length,
8804 hf->hf.hs_ext_quictp_len, 0, UINT16_MAX(65535))) {
8805 return offset_end;
8806 }
8807 offset += 2;
8808 next_offset = offset + quic_length;
8809 }
8810
8811 while (offset < next_offset) {
8812 uint64_t parameter_type; /* 62-bit space */
8813 uint32_t parameter_length;
8814 proto_tree *parameter_tree;
8815 uint32_t parameter_end_offset;
8816 uint64_t value;
8817 uint32_t i;
8818 int len = 0;
8819
8820 parameter_tree = proto_tree_add_subtree(tree, tvb, offset, 2, hf->ett.hs_ext_quictp_parameter,
8821 NULL((void*)0), "Parameter");
8822 /* TransportParameter ID and Length. */
8823 if (use_varint_encoding) {
8824 uint64_t parameter_length64;
8825 int type_len = 0;
8826
8827 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_type,
8828 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &parameter_type, &type_len);
8829 offset += type_len;
8830
8831 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_len,
8832 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &parameter_length64, &len);
8833 parameter_length = (uint32_t)parameter_length64;
8834 offset += len;
8835
8836 proto_item_set_len(parameter_tree, type_len + len + parameter_length);
8837 } else {
8838 parameter_type = tvb_get_ntohs(tvb, offset);
8839 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_type,
8840 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
8841 offset += 2;
8842
8843 /* opaque value<0..2^16-1> */
8844 if (!ssl_add_vector(hf, tvb, pinfo, parameter_tree, offset, next_offset, &parameter_length,
8845 hf->hf.hs_ext_quictp_parameter_len_old, 0, UINT16_MAX(65535))) {
8846 return next_offset;
8847 }
8848 offset += 2;
8849
8850 proto_item_set_len(parameter_tree, 4 + parameter_length);
8851 }
8852
8853 if (IS_GREASE_QUIC(parameter_type)((parameter_type) > 27 ? ((((parameter_type) - 27) % 31) ==
0) : 0)) {
8854 proto_item_append_text(parameter_tree, ": GREASE");
8855 } else {
8856 proto_item_append_text(parameter_tree, ": %s", val64_to_str_wmem(pinfo->pool, parameter_type, quic_transport_parameter_id, "Unknown 0x%04x"));
8857 }
8858
8859 proto_item_append_text(parameter_tree, " (len=%u)", parameter_length);
8860 parameter_end_offset = offset + parameter_length;
8861
8862 /* Omit the value field if the parameter's length is 0. */
8863 if (parameter_length != 0) {
8864 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_value,
8865 tvb, offset, parameter_length, ENC_NA0x00000000);
8866 }
8867
8868 switch (parameter_type) {
8869 case SSL_HND_QUIC_TP_ORIGINAL_DESTINATION_CONNECTION_ID0x00:
8870 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_original_destination_connection_id,
8871 tvb, offset, parameter_length, ENC_NA0x00000000);
8872 offset += parameter_length;
8873 break;
8874 case SSL_HND_QUIC_TP_MAX_IDLE_TIMEOUT0x01:
8875 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_max_idle_timeout,
8876 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8877 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u" " ms", value);
8878 offset += len;
8879 break;
8880 case SSL_HND_QUIC_TP_STATELESS_RESET_TOKEN0x02:
8881 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_stateless_reset_token,
8882 tvb, offset, 16, ENC_BIG_ENDIAN0x00000000);
8883 quic_add_stateless_reset_token(pinfo, tvb, offset, NULL((void*)0));
8884 offset += 16;
8885 break;
8886 case SSL_HND_QUIC_TP_MAX_UDP_PAYLOAD_SIZE0x03:
8887 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_max_udp_payload_size,
8888 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8889 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8890 /*TODO display expert info about invalid value (< 1252 or >65527) ? */
8891 offset += len;
8892 break;
8893 case SSL_HND_QUIC_TP_INITIAL_MAX_DATA0x04:
8894 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_data,
8895 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8896 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8897 offset += len;
8898 break;
8899 case SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_BIDI_LOCAL0x05:
8900 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_stream_data_bidi_local,
8901 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8902 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8903 offset += len;
8904 break;
8905 case SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_BIDI_REMOTE0x06:
8906 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_stream_data_bidi_remote,
8907 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8908 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8909 offset += len;
8910 break;
8911 case SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_UNI0x07:
8912 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_stream_data_uni,
8913 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8914 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8915 offset += len;
8916 break;
8917 case SSL_HND_QUIC_TP_INITIAL_MAX_STREAMS_UNI0x09:
8918 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_streams_uni,
8919 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8920 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8921 offset += len;
8922 break;
8923 case SSL_HND_QUIC_TP_INITIAL_MAX_STREAMS_BIDI0x08:
8924 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_streams_bidi,
8925 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8926 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8927 offset += len;
8928 break;
8929 case SSL_HND_QUIC_TP_ACK_DELAY_EXPONENT0x0a:
8930 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_ack_delay_exponent,
8931 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, NULL((void*)0), &len);
8932 /*TODO display multiplier (x8) and expert info about invalid value (> 20) ? */
8933 offset += len;
8934 break;
8935 case SSL_HND_QUIC_TP_MAX_ACK_DELAY0x0b:
8936 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_max_ack_delay,
8937 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8938 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8939 offset += len;
8940 break;
8941 case SSL_HND_QUIC_TP_DISABLE_ACTIVE_MIGRATION0x0c:
8942 /* No Payload */
8943 break;
8944 case SSL_HND_QUIC_TP_PREFERRED_ADDRESS0x0d: {
8945 uint32_t connectionid_length;
8946 quic_cid_t cid;
8947
8948 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_ipv4address,
8949 tvb, offset, 4, ENC_BIG_ENDIAN0x00000000);
8950 offset += 4;
8951 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_ipv4port,
8952 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
8953 offset += 2;
8954 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_ipv6address,
8955 tvb, offset, 16, ENC_NA0x00000000);
8956 offset += 16;
8957 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_ipv6port,
8958 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
8959 offset += 2;
8960 /* XXX - Should we add these addresses and ports as addresses that the client
8961 * is allowed / expected to migrate the server address to? Right now we don't
8962 * enforce that (see RFC 9000 Section 9, which implies that while the client
8963 * can migrate to whatever address it wants, it can only migrate the server
8964 * address to the Server's Preferred Address as in 9.6. Also Issue #20165.)
8965 */
8966
8967 if (!ssl_add_vector(hf, tvb, pinfo, parameter_tree, offset, offset_end, &connectionid_length,
8968 hf->hf.hs_ext_quictp_parameter_pa_connectionid_length, 0, 20)) {
8969 break;
8970 }
8971 offset += 1;
8972
8973 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_connectionid,
8974 tvb, offset, connectionid_length, ENC_NA0x00000000);
8975 if (connectionid_length >= 1 && connectionid_length <= QUIC_MAX_CID_LENGTH20) {
8976 cid.len = connectionid_length;
8977 // RFC 9000 5.1.1 "If the preferred_address transport
8978 // parameter is sent, the sequence number of the supplied
8979 // connection ID is 1."
8980 cid.seq_num = 1;
8981 // Multipath draft-07 "Also, the Path Identifier for the
8982 // connection ID specified in the "preferred address"
8983 // transport parameter is 0."
8984 cid.path_id = 0;
8985 tvb_memcpy(tvb, cid.cid, offset, connectionid_length);
8986 quic_add_connection(pinfo, &cid);
8987 }
8988 offset += connectionid_length;
8989
8990 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_statelessresettoken,
8991 tvb, offset, 16, ENC_NA0x00000000);
8992 if (connectionid_length >= 1 && connectionid_length <= QUIC_MAX_CID_LENGTH20) {
8993 quic_add_stateless_reset_token(pinfo, tvb, offset, &cid);
8994 }
8995 offset += 16;
8996 }
8997 break;
8998 case SSL_HND_QUIC_TP_ACTIVE_CONNECTION_ID_LIMIT0x0e:
8999 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_active_connection_id_limit,
9000 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9001 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
9002 offset += len;
9003 break;
9004 case SSL_HND_QUIC_TP_INITIAL_SOURCE_CONNECTION_ID0x0f:
9005 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_source_connection_id,
9006 tvb, offset, parameter_length, ENC_NA0x00000000);
9007 offset += parameter_length;
9008 break;
9009 case SSL_HND_QUIC_TP_RETRY_SOURCE_CONNECTION_ID0x10:
9010 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_retry_source_connection_id,
9011 tvb, offset, parameter_length, ENC_NA0x00000000);
9012 offset += parameter_length;
9013 break;
9014 case SSL_HND_QUIC_TP_MAX_DATAGRAM_FRAME_SIZE0x20:
9015 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_max_datagram_frame_size,
9016 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9017 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
9018 offset += len;
9019 break;
9020 case SSL_HND_QUIC_TP_CIBIR_ENCODING0x1000:
9021 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_cibir_encoding_length,
9022 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9023 proto_item_append_text(parameter_tree, " Length: %" PRIu64"l" "u", value);
9024 offset += len;
9025 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_cibir_encoding_offset,
9026 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9027 proto_item_append_text(parameter_tree, ", Offset: %" PRIu64"l" "u", value);
9028 offset += len;
9029 break;
9030 case SSL_HND_QUIC_TP_LOSS_BITS0x1057:
9031 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_loss_bits,
9032 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9033 if (len > 0) {
9034 quic_add_loss_bits(pinfo, value);
9035 }
9036 offset += 1;
9037 break;
9038 case SSL_HND_QUIC_TP_ADDRESS_DISCOVERY0x9f81a176:
9039 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_address_discovery,
9040 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, NULL((void*)0), &len);
9041 offset += len;
9042 break;
9043 case SSL_HND_QUIC_TP_MIN_ACK_DELAY_OLD0xde1a:
9044 case SSL_HND_QUIC_TP_MIN_ACK_DELAY_DRAFT_V10xFF03DE1A:
9045 case SSL_HND_QUIC_TP_MIN_ACK_DELAY_DRAFT050xff04de1a:
9046 case SSL_HND_QUIC_TP_MIN_ACK_DELAY0xff04de1b:
9047 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_min_ack_delay,
9048 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9049 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
9050 offset += len;
9051 break;
9052 case SSL_HND_QUIC_TP_GOOGLE_USER_AGENT0x3129:
9053 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_user_agent_id,
9054 tvb, offset, parameter_length, ENC_ASCII0x00000000|ENC_NA0x00000000);
9055 offset += parameter_length;
9056 break;
9057 case SSL_HND_QUIC_TP_GOOGLE_KEY_UPDATE_NOT_YET_SUPPORTED0x312B:
9058 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_key_update_not_yet_supported,
9059 tvb, offset, parameter_length, ENC_NA0x00000000);
9060 offset += parameter_length;
9061 break;
9062 case SSL_HND_QUIC_TP_GOOGLE_QUIC_VERSION0x4752:
9063 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_quic_version,
9064 tvb, offset, 4, ENC_BIG_ENDIAN0x00000000);
9065 offset += 4;
9066 if (hnd_type == SSL_HND_ENCRYPTED_EXTENSIONS) { /* From server */
9067 uint32_t versions_length;
9068
9069 proto_tree_add_item_ret_uint(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_supported_versions_length,
9070 tvb, offset, 1, ENC_NA0x00000000, &versions_length);
9071 offset += 1;
9072 for (i = 0; i < versions_length / 4; i++) {
9073 quic_proto_tree_add_version(tvb, parameter_tree,
9074 hf->hf.hs_ext_quictp_parameter_google_supported_version, offset);
9075 offset += 4;
9076 }
9077 }
9078 break;
9079 case SSL_HND_QUIC_TP_GOOGLE_INITIAL_RTT0x3127:
9080 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_initial_rtt,
9081 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9082 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u" " us", value);
9083 offset += len;
9084 break;
9085 case SSL_HND_QUIC_TP_GOOGLE_SUPPORT_HANDSHAKE_DONE0x312A:
9086 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_support_handshake_done,
9087 tvb, offset, parameter_length, ENC_NA0x00000000);
9088 offset += parameter_length;
9089 break;
9090 case SSL_HND_QUIC_TP_GOOGLE_QUIC_PARAMS0x4751:
9091 /* This field was used for non-standard Google-specific parameters encoded as a
9092 * Google QUIC_CRYPTO CHLO and it has been replaced (version >= T051) by individual
9093 * parameters. Report it as a bytes blob... */
9094 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_quic_params,
9095 tvb, offset, parameter_length, ENC_NA0x00000000);
9096 /* ... and try decoding it: not sure what the first 4 bytes are (but they seems to be always 0) */
9097 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_quic_params_unknown_field,
9098 tvb, offset, 4, ENC_NA0x00000000);
9099 dissect_gquic_tags(tvb, pinfo, parameter_tree, offset + 4);
9100 offset += parameter_length;
9101 break;
9102 case SSL_HND_QUIC_TP_GOOGLE_CONNECTION_OPTIONS0x3128:
9103 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_connection_options,
9104 tvb, offset, parameter_length, ENC_NA0x00000000);
9105 offset += parameter_length;
9106 break;
9107 case SSL_HND_QUIC_TP_ENABLE_TIME_STAMP0x7157:
9108 /* No Payload */
9109 break;
9110 case SSL_HND_QUIC_TP_ENABLE_TIME_STAMP_V20x7158:
9111 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_enable_time_stamp_v2,
9112 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9113 offset += parameter_length;
9114 break;
9115 case SSL_HND_QUIC_TP_VERSION_INFORMATION_DRAFT0xff73db:
9116 case SSL_HND_QUIC_TP_VERSION_INFORMATION0x11:
9117 quic_proto_tree_add_version(tvb, parameter_tree,
9118 hf->hf.hs_ext_quictp_parameter_chosen_version, offset);
9119 offset += 4;
9120 for (i = 4; i < parameter_length; i += 4) {
9121 quic_proto_tree_add_version(tvb, parameter_tree,
9122 hf->hf.hs_ext_quictp_parameter_other_version, offset);
9123 offset += 4;
9124 }
9125 break;
9126 case SSL_HND_QUIC_TP_GREASE_QUIC_BIT0x2ab2:
9127 /* No Payload */
9128 quic_add_grease_quic_bit(pinfo);
9129 break;
9130 case SSL_HND_QUIC_TP_FACEBOOK_PARTIAL_RELIABILITY0xFF00:
9131 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_facebook_partial_reliability,
9132 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9133 offset += parameter_length;
9134 break;
9135 case SSL_HND_QUIC_TP_ENABLE_MULTIPATH_DRAFT040x0f739bbc1b666d04:
9136 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_enable_multipath,
9137 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9138 if (value == 1) {
9139 quic_add_multipath(pinfo, QUIC_MP_NO_PATH_ID1);
9140 }
9141 offset += parameter_length;
9142 break;
9143 case SSL_HND_QUIC_TP_ENABLE_MULTIPATH_DRAFT050x0f739bbc1b666d05:
9144 case SSL_HND_QUIC_TP_ENABLE_MULTIPATH0x0f739bbc1b666d06:
9145 /* No Payload */
9146 quic_add_multipath(pinfo, QUIC_MP_NO_PATH_ID1);
9147 break;
9148 case SSL_HND_QUIC_TP_INITIAL_MAX_PATHS0x0f739bbc1b666d07:
9149 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_paths,
9150 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9151 if (value > 1) {
9152 quic_add_multipath(pinfo, QUIC_MP_PATH_ID2);
9153 }
9154 /* multipath draft-07: "The value of the initial_max_paths
9155 * parameter MUST be at least 2." TODO: Expert Info? */
9156 offset += parameter_length;
9157 break;
9158 case SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT090x0f739bbc1b666d09:
9159 case SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT110x0f739bbc1b666d11:
9160 case SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT120x0f739bbc1b666d0c:
9161 case SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID0x0f739bbc1b666d0d:
9162 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_path_id,
9163 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9164 /* multipath draft-09 and later: "If an endpoint receives an
9165 * initial_max_path_id transport parameter with value 0, the
9166 * peer aims to enable the multipath extension without allowing
9167 * extra paths immediately."
9168 */
9169 quic_add_multipath(pinfo, QUIC_MP_PATH_ID2);
9170 offset += parameter_length;
9171 break;
9172 default:
9173 offset += parameter_length;
9174 /*TODO display expert info about unknown ? */
9175 break;
9176 }
9177
9178 if (!ssl_end_vector(hf, tvb, pinfo, parameter_tree, offset, parameter_end_offset)) {
9179 /* Dissection did not end at expected location, fix it. */
9180 offset = parameter_end_offset;
9181 }
9182 }
9183
9184 return offset;
9185}
9186
9187static int
9188ssl_dissect_hnd_hello_common(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9189 proto_tree *tree, uint32_t offset,
9190 SslSession *session, SslDecryptSession *ssl,
9191 bool_Bool from_server, bool_Bool is_hrr)
9192{
9193 uint8_t sessid_length;
9194 proto_item *ti;
9195 proto_tree *rnd_tree;
9196 proto_tree *ti_rnd;
9197 proto_tree *ech_confirm_tree;
9198 uint8_t draft_version = session->tls13_draft_version;
9199
9200 if (ssl) {
9201 StringInfo *rnd;
9202 if (from_server)
9203 rnd = &ssl->server_random;
9204 else
9205 rnd = &ssl->client_random;
9206
9207 /* save provided random for later keyring generation */
9208 tvb_memcpy(tvb, rnd->data, offset, 32);
9209 rnd->data_len = 32;
9210 if (from_server)
9211 ssl->state |= SSL_SERVER_RANDOM(1<<1);
9212 else
9213 ssl->state |= SSL_CLIENT_RANDOM(1<<0);
9214 ssl_debug_printf("%s found %s RANDOM -> state 0x%02X\n", G_STRFUNC((const char*) (__func__)),
9215 from_server ? "SERVER" : "CLIENT", ssl->state);
9216 }
9217
9218 if (!from_server && session->client_random.data_len == 0) {
9219 session->client_random.data_len = 32;
9220 tvb_memcpy(tvb, session->client_random.data, offset, 32);
9221 }
9222
9223 ti_rnd = proto_tree_add_item(tree, hf->hf.hs_random, tvb, offset, 32, ENC_NA0x00000000);
9224
9225 if ((session->version != TLSV1DOT3_VERSION0x304) && (session->version != DTLSV1DOT3_VERSION0xfefc)) { /* No time on first bytes random with TLS 1.3 */
9226
9227 rnd_tree = proto_item_add_subtree(ti_rnd, hf->ett.hs_random);
9228 /* show the time */
9229 proto_tree_add_item(rnd_tree, hf->hf.hs_random_time,
9230 tvb, offset, 4, ENC_TIME_SECS0x00000012|ENC_BIG_ENDIAN0x00000000);
9231 offset += 4;
9232
9233 /* show the random bytes */
9234 proto_tree_add_item(rnd_tree, hf->hf.hs_random_bytes,
9235 tvb, offset, 28, ENC_NA0x00000000);
9236 offset += 28;
9237 } else {
9238 if (is_hrr) {
9239 proto_item_append_text(ti_rnd, " (HelloRetryRequest magic)");
9240 } else if (from_server && session->ech) {
9241 ech_confirm_tree = proto_item_add_subtree(ti_rnd, hf->ett.hs_random);
9242 proto_tree_add_item(ech_confirm_tree, hf->hf.hs_ech_confirm, tvb, offset + 24, 8, ENC_NA0x00000000);
9243 ti = proto_tree_add_bytes_with_length(ech_confirm_tree, hf->hf.hs_ech_confirm_compute, tvb, offset + 24, 0,
9244 session->ech_confirmation, 8);
9245 proto_item_set_generated(ti);
9246 if (memcmp(session->ech_confirmation, tvb_get_ptr(tvb, offset+24, 8), 8)) {
9247 expert_add_info(pinfo, ti, &hf->ei.ech_rejected);
9248 } else {
9249 expert_add_info(pinfo, ti, &hf->ei.ech_accepted);
9250 }
9251 }
9252
9253 offset += 32;
9254 }
9255
9256 /* No Session ID with TLS 1.3 on Server Hello before draft -22 */
9257 if (from_server == 0 || !(session->version == TLSV1DOT3_VERSION0x304 && draft_version > 0 && draft_version < 22)) {
9258 /* show the session id (length followed by actual Session ID) */
9259 sessid_length = tvb_get_uint8(tvb, offset);
9260 proto_tree_add_item(tree, hf->hf.hs_session_id_len,
9261 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
9262 offset++;
9263
9264 if (ssl) {
9265 /* save the authoritative SID for later use in ChangeCipherSpec.
9266 * (D)TLS restricts the SID to 32 chars, it does not make sense to
9267 * save more, so ignore larger ones. */
9268 if (from_server && sessid_length <= 32) {
9269 tvb_memcpy(tvb, ssl->session_id.data, offset, sessid_length);
9270 ssl->session_id.data_len = sessid_length;
9271 }
9272 }
9273 if (sessid_length > 0) {
9274 proto_tree_add_item(tree, hf->hf.hs_session_id,
9275 tvb, offset, sessid_length, ENC_NA0x00000000);
9276 offset += sessid_length;
9277 }
9278 }
9279
9280 return offset;
9281}
9282
9283static int
9284ssl_dissect_hnd_hello_ext_status_request(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9285 proto_tree *tree, uint32_t offset, uint32_t offset_end,
9286 bool_Bool has_length)
9287{
9288 /* TLS 1.2/1.3 status_request Client Hello Extension.
9289 * TLS 1.2 status_request_v2 CertificateStatusRequestItemV2 type.
9290 * https://tools.ietf.org/html/rfc6066#section-8 (status_request)
9291 * https://tools.ietf.org/html/rfc6961#section-2.2 (status_request_v2)
9292 * struct {
9293 * CertificateStatusType status_type;
9294 * uint16 request_length; // for status_request_v2
9295 * select (status_type) {
9296 * case ocsp: OCSPStatusRequest;
9297 * case ocsp_multi: OCSPStatusRequest;
9298 * } request;
9299 * } CertificateStatusRequest; // CertificateStatusRequestItemV2
9300 *
9301 * enum { ocsp(1), ocsp_multi(2), (255) } CertificateStatusType;
9302 * struct {
9303 * ResponderID responder_id_list<0..2^16-1>;
9304 * Extensions request_extensions;
9305 * } OCSPStatusRequest;
9306 * opaque ResponderID<1..2^16-1>;
9307 * opaque Extensions<0..2^16-1>;
9308 */
9309 unsigned cert_status_type;
9310
9311 cert_status_type = tvb_get_uint8(tvb, offset);
9312 proto_tree_add_item(tree, hf->hf.hs_ext_cert_status_type,
9313 tvb, offset, 1, ENC_NA0x00000000);
9314 offset++;
9315
9316 if (has_length) {
9317 proto_tree_add_item(tree, hf->hf.hs_ext_cert_status_request_len,
9318 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
9319 offset += 2;
9320 }
9321
9322 switch (cert_status_type) {
9323 case SSL_HND_CERT_STATUS_TYPE_OCSP1:
9324 case SSL_HND_CERT_STATUS_TYPE_OCSP_MULTI2:
9325 {
9326 uint32_t responder_id_list_len;
9327 uint32_t request_extensions_len;
9328
9329 /* ResponderID responder_id_list<0..2^16-1> */
9330 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &responder_id_list_len,
9331 hf->hf.hs_ext_cert_status_responder_id_list_len, 0, UINT16_MAX(65535))) {
9332 return offset_end;
9333 }
9334 offset += 2;
9335 if (responder_id_list_len != 0) {
9336 proto_tree_add_expert_format(tree, pinfo, &hf->ei.hs_ext_cert_status_undecoded,
9337 tvb, offset, responder_id_list_len,
9338 "Responder ID list is not implemented, contact Wireshark"
9339 " developers if you want this to be supported");
9340 }
9341 offset += responder_id_list_len;
9342
9343 /* opaque Extensions<0..2^16-1> */
9344 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &request_extensions_len,
9345 hf->hf.hs_ext_cert_status_request_extensions_len, 0, UINT16_MAX(65535))) {
9346 return offset_end;
9347 }
9348 offset += 2;
9349 if (request_extensions_len != 0) {
9350 proto_tree_add_expert_format(tree, pinfo, &hf->ei.hs_ext_cert_status_undecoded,
9351 tvb, offset, request_extensions_len,
9352 "Request Extensions are not implemented, contact"
9353 " Wireshark developers if you want this to be supported");
9354 }
9355 offset += request_extensions_len;
9356 break;
9357 }
9358 }
9359
9360 return offset;
9361}
9362
9363static unsigned
9364ssl_dissect_hnd_hello_ext_status_request_v2(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9365 proto_tree *tree, uint32_t offset, uint32_t offset_end)
9366{
9367 /* https://tools.ietf.org/html/rfc6961#section-2.2
9368 * struct {
9369 * CertificateStatusRequestItemV2 certificate_status_req_list<1..2^16-1>;
9370 * } CertificateStatusRequestListV2;
9371 */
9372 uint32_t req_list_length, next_offset;
9373
9374 /* CertificateStatusRequestItemV2 certificate_status_req_list<1..2^16-1> */
9375 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &req_list_length,
9376 hf->hf.hs_ext_cert_status_request_list_len, 1, UINT16_MAX(65535))) {
9377 return offset_end;
9378 }
9379 offset += 2;
9380 next_offset = offset + req_list_length;
9381
9382 while (offset < next_offset) {
9383 offset = ssl_dissect_hnd_hello_ext_status_request(hf, tvb, pinfo, tree, offset, next_offset, true1);
9384 }
9385
9386 return offset;
9387}
9388
9389static uint32_t
9390tls_dissect_ocsp_response(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
9391 uint32_t offset, uint32_t offset_end)
9392{
9393 uint32_t response_length;
9394 proto_item *ocsp_resp;
9395 proto_tree *ocsp_resp_tree;
9396 asn1_ctx_t asn1_ctx;
9397
9398 /* opaque OCSPResponse<1..2^24-1>; */
9399 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &response_length,
9400 hf->hf.hs_ocsp_response_len, 1, G_MAXUINT24((1U << 24) - 1))) {
9401 return offset_end;
9402 }
9403 offset += 3;
9404
9405 ocsp_resp = proto_tree_add_item(tree, proto_ocsp, tvb, offset,
9406 response_length, ENC_BIG_ENDIAN0x00000000);
9407 proto_item_set_text(ocsp_resp, "OCSP Response");
9408 ocsp_resp_tree = proto_item_add_subtree(ocsp_resp, hf->ett.ocsp_response);
9409 if (proto_is_protocol_enabled(find_protocol_by_id(proto_ocsp))) {
9410 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true1, pinfo);
9411 dissect_ocsp_OCSPResponse(false0, tvb, offset, &asn1_ctx, ocsp_resp_tree, -1);
9412 }
9413 offset += response_length;
9414
9415 return offset;
9416}
9417
9418uint32_t
9419tls_dissect_hnd_certificate_status(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9420 proto_tree *tree, uint32_t offset, uint32_t offset_end)
9421{
9422 /* TLS 1.2 "CertificateStatus" handshake message.
9423 * TLS 1.3 "status_request" Certificate extension.
9424 * struct {
9425 * CertificateStatusType status_type;
9426 * select (status_type) {
9427 * case ocsp: OCSPResponse;
9428 * case ocsp_multi: OCSPResponseList; // status_request_v2
9429 * } response;
9430 * } CertificateStatus;
9431 * opaque OCSPResponse<1..2^24-1>;
9432 * struct {
9433 * OCSPResponse ocsp_response_list<1..2^24-1>;
9434 * } OCSPResponseList; // status_request_v2
9435 */
9436 uint32_t status_type, resp_list_length, next_offset;
9437
9438 proto_tree_add_item_ret_uint(tree, hf->hf.hs_ext_cert_status_type,
9439 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000, &status_type);
9440 offset += 1;
9441
9442 switch (status_type) {
9443 case SSL_HND_CERT_STATUS_TYPE_OCSP1:
9444 offset = tls_dissect_ocsp_response(hf, tvb, pinfo, tree, offset, offset_end);
9445 break;
9446
9447 case SSL_HND_CERT_STATUS_TYPE_OCSP_MULTI2:
9448 /* OCSPResponse ocsp_response_list<1..2^24-1> */
9449 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &resp_list_length,
9450 hf->hf.hs_ocsp_response_list_len, 1, G_MAXUINT24((1U << 24) - 1))) {
9451 return offset_end;
9452 }
9453 offset += 3;
9454 next_offset = offset + resp_list_length;
9455
9456 while (offset < next_offset) {
9457 offset = tls_dissect_ocsp_response(hf, tvb, pinfo, tree, offset, next_offset);
9458 }
9459 break;
9460 }
9461
9462 return offset;
9463}
9464
9465static unsigned
9466ssl_dissect_hnd_hello_ext_supported_groups(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9467 proto_tree *tree, uint32_t offset, uint32_t offset_end,
9468 wmem_strbuf_t *ja3)
9469{
9470 /* RFC 8446 Section 4.2.7
9471 * enum { ..., (0xFFFF) } NamedGroup;
9472 * struct {
9473 * NamedGroup named_group_list<2..2^16-1>
9474 * } NamedGroupList;
9475 *
9476 * NOTE: "NamedCurve" (RFC 4492) is renamed to "NamedGroup" (RFC 7919) and
9477 * the extension itself from "elliptic_curves" to "supported_groups".
9478 */
9479 uint32_t groups_length, next_offset;
9480 proto_tree *groups_tree;
9481 proto_item *ti;
9482 char *ja3_dash = "";
9483
9484 /* NamedGroup named_group_list<2..2^16-1> */
9485 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &groups_length,
9486 hf->hf.hs_ext_supported_groups_len, 2, UINT16_MAX(65535))) {
9487 return offset_end;
9488 }
9489 offset += 2;
9490 next_offset = offset + groups_length;
9491
9492 ti = proto_tree_add_none_format(tree,
9493 hf->hf.hs_ext_supported_groups,
9494 tvb, offset, groups_length,
9495 "Supported Groups (%d group%s)",
9496 groups_length / 2,
9497 plurality(groups_length/2, "", "s")((groups_length/2) == 1 ? ("") : ("s")));
9498
9499 /* make this a subtree */
9500 groups_tree = proto_item_add_subtree(ti, hf->ett.hs_ext_groups);
9501
9502 if (ja3) {
9503 wmem_strbuf_append_c(ja3, ',');
9504 }
9505 /* loop over all groups */
9506 while (offset + 2 <= offset_end) {
9507 uint32_t ext_supported_group;
9508
9509 proto_tree_add_item_ret_uint(groups_tree, hf->hf.hs_ext_supported_group, tvb, offset, 2,
9510 ENC_BIG_ENDIAN0x00000000, &ext_supported_group);
9511 offset += 2;
9512 if (ja3 && !IS_GREASE_TLS(ext_supported_group)((((ext_supported_group) & 0x0f0f) == 0x0a0a) && (
((ext_supported_group) & 0xff) == (((ext_supported_group)
>>8) & 0xff)))) {
9513 wmem_strbuf_append_printf(ja3, "%s%i",ja3_dash, ext_supported_group);
9514 ja3_dash = "-";
9515 }
9516 }
9517 if (!ssl_end_vector(hf, tvb, pinfo, groups_tree, offset, next_offset)) {
9518 offset = next_offset;
9519 }
9520
9521 return offset;
9522}
9523
9524static int
9525ssl_dissect_hnd_hello_ext_ec_point_formats(ssl_common_dissect_t *hf, tvbuff_t *tvb,
9526 proto_tree *tree, uint32_t offset, wmem_strbuf_t *ja3)
9527{
9528 uint8_t ecpf_length;
9529 proto_tree *ecpf_tree;
9530 proto_item *ti;
9531
9532 ecpf_length = tvb_get_uint8(tvb, offset);
9533 proto_tree_add_item(tree, hf->hf.hs_ext_ec_point_formats_len,
9534 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
9535
9536 offset += 1;
9537 ti = proto_tree_add_none_format(tree,
9538 hf->hf.hs_ext_ec_point_formats,
9539 tvb, offset, ecpf_length,
9540 "Elliptic curves point formats (%d)",
9541 ecpf_length);
9542
9543 /* make this a subtree */
9544 ecpf_tree = proto_item_add_subtree(ti, hf->ett.hs_ext_curves_point_formats);
9545
9546 if (ja3) {
9547 wmem_strbuf_append_c(ja3, ',');
9548 }
9549
9550 /* loop over all point formats */
9551 while (ecpf_length > 0)
9552 {
9553 uint32_t ext_ec_point_format;
9554
9555 proto_tree_add_item_ret_uint(ecpf_tree, hf->hf.hs_ext_ec_point_format, tvb, offset, 1,
9556 ENC_BIG_ENDIAN0x00000000, &ext_ec_point_format);
9557 offset++;
9558 ecpf_length--;
9559 if (ja3) {
9560 wmem_strbuf_append_printf(ja3, "%i", ext_ec_point_format);
9561 if (ecpf_length > 0) {
9562 wmem_strbuf_append_c(ja3, '-');
9563 }
9564 }
9565 }
9566
9567 return offset;
9568}
9569
9570static int
9571ssl_dissect_hnd_hello_ext_srp(ssl_common_dissect_t *hf, tvbuff_t *tvb,
9572 packet_info *pinfo, proto_tree *tree,
9573 uint32_t offset, uint32_t next_offset)
9574{
9575 /* https://tools.ietf.org/html/rfc5054#section-2.8.1
9576 * opaque srp_I<1..2^8-1>;
9577 */
9578 uint32_t username_len;
9579
9580 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, next_offset, &username_len,
9581 hf->hf.hs_ext_srp_len, 1, UINT8_MAX(255))) {
9582 return next_offset;
9583 }
9584 offset++;
9585
9586 proto_tree_add_item(tree, hf->hf.hs_ext_srp_username,
9587 tvb, offset, username_len, ENC_UTF_80x00000002|ENC_NA0x00000000);
9588 offset += username_len;
9589
9590 return offset;
9591}
9592
9593static uint32_t
9594tls_dissect_sct(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
9595 uint32_t offset, uint32_t offset_end, uint16_t version)
9596{
9597 /* https://tools.ietf.org/html/rfc6962#section-3.2
9598 * enum { v1(0), (255) } Version;
9599 * struct {
9600 * opaque key_id[32];
9601 * } LogID;
9602 * opaque CtExtensions<0..2^16-1>;
9603 * struct {
9604 * Version sct_version;
9605 * LogID id;
9606 * uint64 timestamp;
9607 * CtExtensions extensions;
9608 * digitally-signed struct { ... };
9609 * } SignedCertificateTimestamp;
9610 */
9611 uint32_t sct_version;
9612 uint64_t sct_timestamp_ms;
9613 nstime_t sct_timestamp;
9614 uint32_t exts_len;
9615 const char *log_name;
9616
9617 proto_tree_add_item_ret_uint(tree, hf->hf.sct_sct_version, tvb, offset, 1, ENC_NA0x00000000, &sct_version);
9618 offset++;
9619 if (sct_version != 0) {
9620 // TODO expert info about unknown SCT version?
9621 return offset;
9622 }
9623 proto_tree_add_item(tree, hf->hf.sct_sct_logid, tvb, offset, 32, ENC_BIG_ENDIAN0x00000000);
9624 log_name = bytesval_to_str_wmem(pinfo->pool, tvb_get_ptr(tvb, offset, 32), 32, ct_logids, "Unknown Log");
9625 proto_item_append_text(tree, " (%s)", log_name);
9626 offset += 32;
9627 sct_timestamp_ms = tvb_get_ntoh64(tvb, offset);
9628 sct_timestamp.secs = (time_t)(sct_timestamp_ms / 1000);
9629 sct_timestamp.nsecs = (int)((sct_timestamp_ms % 1000) * 1000000);
9630 proto_tree_add_time(tree, hf->hf.sct_sct_timestamp, tvb, offset, 8, &sct_timestamp);
9631 offset += 8;
9632 /* opaque CtExtensions<0..2^16-1> */
9633 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &exts_len,
9634 hf->hf.sct_sct_extensions_length, 0, UINT16_MAX(65535))) {
9635 return offset_end;
9636 }
9637 offset += 2;
9638 if (exts_len > 0) {
9639 proto_tree_add_item(tree, hf->hf.sct_sct_extensions, tvb, offset, exts_len, ENC_BIG_ENDIAN0x00000000);
9640 offset += exts_len;
9641 }
9642 offset = ssl_dissect_digitally_signed(hf, tvb, pinfo, tree, offset, offset_end, version,
9643 hf->hf.sct_sct_signature_length,
9644 hf->hf.sct_sct_signature);
9645 return offset;
9646}
9647
9648uint32_t
9649tls_dissect_sct_list(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
9650 uint32_t offset, uint32_t offset_end, uint16_t version)
9651{
9652 /* https://tools.ietf.org/html/rfc6962#section-3.3
9653 * opaque SerializedSCT<1..2^16-1>;
9654 * struct {
9655 * SerializedSCT sct_list <1..2^16-1>;
9656 * } SignedCertificateTimestampList;
9657 */
9658 uint32_t list_length, sct_length, next_offset;
9659 proto_tree *subtree;
9660
9661 /* SerializedSCT sct_list <1..2^16-1> */
9662 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &list_length,
9663 hf->hf.sct_scts_length, 1, UINT16_MAX(65535))) {
9664 return offset_end;
9665 }
9666 offset += 2;
9667
9668 while (offset < offset_end) {
9669 subtree = proto_tree_add_subtree(tree, tvb, offset, 2, hf->ett.sct, NULL((void*)0), "Signed Certificate Timestamp");
9670
9671 /* opaque SerializedSCT<1..2^16-1> */
9672 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, offset_end, &sct_length,
9673 hf->hf.sct_sct_length, 1, UINT16_MAX(65535))) {
9674 return offset_end;
9675 }
9676 offset += 2;
9677 next_offset = offset + sct_length;
9678 proto_item_set_len(subtree, 2 + sct_length);
9679 offset = tls_dissect_sct(hf, tvb, pinfo, subtree, offset, next_offset, version);
9680 if (!ssl_end_vector(hf, tvb, pinfo, subtree, offset, next_offset)) {
9681 offset = next_offset;
9682 }
9683 }
9684
9685 return offset;
9686}
9687
9688static int
9689dissect_ech_hpke_cipher_suite(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo _U___attribute__((unused)),
9690 proto_tree *tree, uint32_t offset)
9691{
9692 uint32_t kdf_id, aead_id;
9693 proto_item *cs_ti;
9694 proto_tree *cs_tree;
9695
9696 cs_ti = proto_tree_add_item(tree, hf->hf.ech_hpke_keyconfig_cipher_suite,
9697 tvb, offset, 4, ENC_NA0x00000000);
9698 cs_tree = proto_item_add_subtree(cs_ti, hf->ett.ech_hpke_cipher_suite);
9699
9700 proto_tree_add_item_ret_uint(cs_tree, hf->hf.ech_hpke_keyconfig_cipher_suite_kdf_id,
9701 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &kdf_id);
9702 offset += 2;
9703 proto_tree_add_item_ret_uint(cs_tree, hf->hf.ech_hpke_keyconfig_cipher_suite_aead_id,
9704 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &aead_id);
9705 offset += 2;
9706
9707 proto_item_append_text(cs_ti, ": %s/%s",
9708 val_to_str_const(kdf_id, kdf_id_type_vals, "Unknown"),
9709 val_to_str_const(aead_id, aead_id_type_vals, "Unknown"));
9710 return offset;
9711}
9712
9713static int
9714dissect_ech_hpke_key_config(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9715 proto_tree *tree, uint32_t offset, uint32_t offset_end,
9716 uint32_t *config_id)
9717{
9718 uint32_t length, cipher_suite_length;
9719 proto_item *kc_ti, *css_ti;
9720 proto_tree *kc_tree, *css_tree;
9721 uint32_t original_offset = offset, next_offset;
9722
9723 kc_ti = proto_tree_add_item(tree, hf->hf.ech_hpke_keyconfig,
9724 tvb, offset, -1, ENC_NA0x00000000);
9725 kc_tree = proto_item_add_subtree(kc_ti, hf->ett.ech_hpke_keyconfig);
9726
9727 proto_tree_add_item_ret_uint(kc_tree, hf->hf.ech_hpke_keyconfig_config_id,
9728 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000, config_id);
9729 offset += 1;
9730 proto_tree_add_item(kc_tree, hf->hf.ech_hpke_keyconfig_kem_id,
9731 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
9732 offset += 2;
9733 proto_tree_add_item_ret_uint(kc_tree, hf->hf.ech_hpke_keyconfig_public_key_length,
9734 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &length);
9735 offset += 2;
9736 proto_tree_add_item(kc_tree, hf->hf.ech_hpke_keyconfig_public_key,
9737 tvb, offset, length, ENC_NA0x00000000);
9738 offset += length;
9739
9740 /* HpkeSymmetricCipherSuite cipher_suites<4..2^16-4> */
9741 if (!ssl_add_vector(hf, tvb, pinfo, kc_tree, offset, offset_end, &cipher_suite_length,
9742 hf->hf.ech_hpke_keyconfig_cipher_suites_length, 4, UINT16_MAX(65535) - 3)) {
9743 return offset_end;
9744 }
9745 offset += 2;
9746 next_offset = offset + cipher_suite_length;
9747
9748 css_ti = proto_tree_add_none_format(kc_tree,
9749 hf->hf.ech_hpke_keyconfig_cipher_suites,
9750 tvb, offset, cipher_suite_length,
9751 "Cipher Suites (%d suite%s)",
9752 cipher_suite_length / 4,
9753 plurality(cipher_suite_length / 4, "", "s")((cipher_suite_length / 4) == 1 ? ("") : ("s")));
9754 css_tree = proto_item_add_subtree(css_ti, hf->ett.ech_hpke_cipher_suites);
9755
9756
9757 while (offset + 4 <= next_offset) {
9758 offset = dissect_ech_hpke_cipher_suite(hf, tvb, pinfo, css_tree, offset);
9759 }
9760
9761 if (!ssl_end_vector(hf, tvb, pinfo, css_tree, offset, next_offset)) {
9762 offset = next_offset;
9763 }
9764
9765 proto_item_set_len(kc_ti, offset - original_offset);
9766
9767 return offset;
9768}
9769
9770static int
9771dissect_ech_echconfig_contents(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9772 proto_tree *tree, uint32_t offset, uint32_t offset_end,
9773 const uint8_t **public_name, uint32_t *config_id)
9774{
9775 uint32_t public_name_length, extensions_length, next_offset;
9776
9777 offset = dissect_ech_hpke_key_config(hf, tvb, pinfo, tree, offset, offset_end, config_id);
9778 proto_tree_add_item(tree, hf->hf.ech_echconfigcontents_maximum_name_length,
9779 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
9780 offset += 1;
9781 proto_tree_add_item_ret_uint(tree, hf->hf.ech_echconfigcontents_public_name_length,
9782 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000, &public_name_length);
9783 offset += 1;
9784 proto_tree_add_item_ret_string(tree, hf->hf.ech_echconfigcontents_public_name,
9785 tvb, offset, public_name_length, ENC_ASCII0x00000000, pinfo->pool, public_name);
9786 offset += public_name_length;
9787
9788 /* Extension extensions<0..2^16-1>; */
9789 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &extensions_length,
9790 hf->hf.ech_echconfigcontents_extensions_length, 0, UINT16_MAX(65535))) {
9791 return offset_end;
9792 }
9793 offset += 2;
9794 next_offset = offset + extensions_length;
9795
9796 if (extensions_length > 0) {
9797 proto_tree_add_item(tree, hf->hf.ech_echconfigcontents_extensions,
9798 tvb, offset, extensions_length, ENC_NA0x00000000);
9799 }
9800 offset += extensions_length;
9801
9802 if (!ssl_end_vector(hf, tvb, pinfo, tree, offset, next_offset)) {
9803 offset = next_offset;
9804 }
9805
9806 return offset;
9807}
9808
9809static int
9810dissect_ech_echconfig(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9811 proto_tree *tree, uint32_t offset, uint32_t offset_end)
9812{
9813 uint32_t version, length;
9814 proto_item *ech_ti;
9815 proto_tree *ech_tree;
9816 const uint8_t *public_name = NULL((void*)0);
9817 uint32_t config_id = 0;
9818
9819 ech_ti = proto_tree_add_item(tree, hf->hf.ech_echconfig, tvb, offset, -1, ENC_NA0x00000000);
9820 ech_tree = proto_item_add_subtree(ech_ti, hf->ett.ech_echconfig);
9821
9822 proto_tree_add_item_ret_uint(ech_tree, hf->hf.ech_echconfig_version,
9823 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &version);
9824 offset += 2;
9825 proto_tree_add_item_ret_uint(ech_tree, hf->hf.ech_echconfig_length,
9826 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &length);
9827 offset += 2;
9828
9829 proto_item_set_len(ech_ti, 4 + length);
9830
9831 switch(version) {
9832 case 0xfe0d:
9833 dissect_ech_echconfig_contents(hf, tvb, pinfo, ech_tree, offset, offset_end, &public_name, &config_id);
9834 proto_item_append_text(ech_ti, ": id=%d %s", config_id, public_name);
9835 break;
9836
9837 default:
9838 expert_add_info_format(pinfo, ech_ti, &hf->ei.ech_echconfig_invalid_version, "Unsupported/unknown ECHConfig version 0x%x", version);
9839 }
9840
9841 return 4 + length;
9842}
9843
9844uint32_t
9845ssl_dissect_ext_ech_echconfiglist(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9846 proto_tree *tree, uint32_t offset, uint32_t offset_end)
9847{
9848 uint32_t echconfiglist_length, next_offset;
9849
9850 /* ECHConfig ECHConfigList<1..2^16-1>; */
9851 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &echconfiglist_length,
9852 hf->hf.ech_echconfiglist_length, 1, UINT16_MAX(65535))) {
9853 return offset_end;
9854 }
9855 offset += 2;
9856 next_offset = offset + echconfiglist_length;
9857
9858 while (offset < next_offset) {
9859 offset += dissect_ech_echconfig(hf, tvb, pinfo, tree, offset, offset_end);
9860 }
9861
9862 if (!ssl_end_vector(hf, tvb, pinfo, tree, offset, next_offset)) {
9863 offset = next_offset;
9864 }
9865
9866 return offset;
9867}
9868
9869static uint32_t
9870ssl_dissect_hnd_ech_outer_ext(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
9871 uint32_t offset, uint32_t offset_end)
9872{
9873 uint32_t ext_length, next_offset;
9874 proto_tree *ext_tree;
9875 proto_item *ti;
9876
9877 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &ext_length,
9878 hf->hf.hs_ext_ech_outer_ext_len, 2, UINT8_MAX(255))) {
9879 return offset_end;
9880 }
9881 offset += 1;
9882 next_offset = offset + ext_length;
9883
9884 ti = proto_tree_add_none_format(tree,
9885 hf->hf.hs_ext_ech_outer_ext,
9886 tvb, offset, ext_length,
9887 "Outer Extensions (%d extension%s)",
9888 ext_length / 2,
9889 plurality(ext_length/2, "", "s")((ext_length/2) == 1 ? ("") : ("s")));
9890
9891 ext_tree = proto_item_add_subtree(ti, hf->ett.hs_ext);
9892
9893 while (offset + 2 <= offset_end) {
9894 proto_tree_add_item(ext_tree, hf->hf.hs_ext_type, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
9895 offset += 2;
9896 }
9897
9898 if (!ssl_end_vector(hf, tvb, pinfo, ext_tree, offset, next_offset)) {
9899 offset = next_offset;
9900 }
9901
9902 return offset;
9903}
9904
9905static uint32_t
9906// NOLINTNEXTLINE(misc-no-recursion)
9907ssl_dissect_hnd_hello_ext_ech(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9908 proto_tree *tree, uint32_t offset, uint32_t offset_end,
9909 uint8_t hnd_type, SslSession *session, SslDecryptSession *ssl, ssl_master_key_map_t *mk_map,
9910 uint32_t initial_offset, uint32_t hello_length)
9911{
9912 uint32_t ch_type, length;
9913 proto_item *ti, *payload_ti;
9914 proto_tree *retry_tree, *payload_tree;
9915
9916 switch (hnd_type) {
9917 case SSL_HND_CLIENT_HELLO:
9918 /*
9919 * enum { outer(0), inner(1) } ECHClientHelloType;
9920 *
9921 * struct {
9922 * ECHClientHelloType type;
9923 * select (ECHClientHello.type) {
9924 * case outer:
9925 * HpkeSymmetricCipherSuite cipher_suite;
9926 * uint8 config_id;
9927 * opaque enc<0..2^16-1>;
9928 * opaque payload<1..2^16-1>;
9929 * case inner:
9930 * Empty;
9931 * };
9932 * } ECHClientHello;
9933 */
9934
9935 proto_tree_add_item_ret_uint(tree, hf->hf.ech_clienthello_type, tvb, offset, 1, ENC_BIG_ENDIAN0x00000000, &ch_type);
9936 offset += 1;
9937 switch (ch_type) {
9938 case 0: /* outer */
9939 if (ssl && session->first_ch_ech_frame == 0) {
9940 session->first_ch_ech_frame = pinfo->num;
9941 }
9942 offset = dissect_ech_hpke_cipher_suite(hf, tvb, pinfo, tree, offset);
9943 uint16_t kdf_id = tvb_get_ntohs(tvb, offset - 4);
9944 uint16_t aead_id = tvb_get_ntohs(tvb, offset - 2);
9945
9946 proto_tree_add_item(tree, hf->hf.ech_config_id, tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
9947 uint8_t config_id = tvb_get_uint8(tvb, offset);
9948 offset += 1;
9949 proto_tree_add_item_ret_uint(tree, hf->hf.ech_enc_length, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &length);
9950 offset += 2;
9951 proto_tree_add_item(tree, hf->hf.ech_enc, tvb, offset, length, ENC_NA0x00000000);
9952 offset += length;
9953 proto_tree_add_item_ret_uint(tree, hf->hf.ech_payload_length, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &length);
9954 offset += 2;
9955 payload_ti = proto_tree_add_item(tree, hf->hf.ech_payload, tvb, offset, length, ENC_NA0x00000000);
9956 offset += length;
9957
9958 if (!mk_map) {
9959 break;
9960 }
9961 if (session->client_random.data_len == 0) {
9962 ssl_debug_printf("%s missing Client Random\n", G_STRFUNC((const char*) (__func__)));
9963 break;
9964 }
9965 StringInfo *ech_secret = (StringInfo *)g_hash_table_lookup(mk_map->ech_secret, &session->client_random);
9966 StringInfo *ech_config = (StringInfo *)g_hash_table_lookup(mk_map->ech_config, &session->client_random);
9967 if (!ech_secret || !ech_config) {
9968 ssl_debug_printf("%s Cannot find ECH_SECRET or ECH_CONFIG, Encrypted Client Hello decryption impossible\n",
9969 G_STRFUNC((const char*) (__func__)));
9970 break;
9971 }
9972
9973 if (hpke_hkdf_len(kdf_id) == 0) {
9974 ssl_debug_printf("Unsupported KDF\n");
9975 break;
9976 }
9977
9978 if (hpke_aead_key_len(aead_id) == 0) {
9979 ssl_debug_printf("Unsupported AEAD\n");
9980 break;
9981 }
9982
9983 size_t aead_nonce_len = hpke_aead_nonce_len(aead_id);
9984
9985 uint16_t version = GUINT16_FROM_BE(*(uint16_t *)ech_config->data)(((((guint16) ( (guint16) ((guint16) (*(uint16_t *)ech_config
->data) >> 8) | (guint16) ((guint16) (*(uint16_t *)ech_config
->data) << 8))))));
9986 if (version != SSL_HND_HELLO_EXT_ENCRYPTED_CLIENT_HELLO65037) {
9987 ssl_debug_printf("Unexpected version in ECH Config\n");
9988 break;
9989 }
9990 uint32_t ech_config_offset = 2;
9991 if (GUINT16_FROM_BE(*(uint16_t *)(ech_config->data + ech_config_offset))(((((guint16) ( (guint16) ((guint16) (*(uint16_t *)(ech_config
->data + ech_config_offset)) >> 8) | (guint16) ((guint16
) (*(uint16_t *)(ech_config->data + ech_config_offset)) <<
8)))))) != ech_config->data_len - 4) {
9992 ssl_debug_printf("Malformed ECH Config, invalid length\n");
9993 break;
9994 }
9995 ech_config_offset += 2;
9996 if (*(ech_config->data + ech_config_offset) != config_id) {
9997 ssl_debug_printf("ECH Config version mismatch\n");
9998 break;
9999 }
10000 ech_config_offset += 1;
10001 uint16_t kem_id_be = *(uint16_t *)(ech_config->data + ech_config_offset);
10002 uint16_t kem_id = GUINT16_FROM_BE(kem_id_be)(((((guint16) ( (guint16) ((guint16) (kem_id_be) >> 8) |
(guint16) ((guint16) (kem_id_be) << 8))))));
10003 uint8_t suite_id[HPKE_SUIT_ID_LEN10];
10004 hpke_suite_id(kem_id, kdf_id, aead_id, suite_id);
10005 GByteArray *info = g_byte_array_new();
10006 g_byte_array_append(info, (const uint8_t*)"tls ech", 8);
10007 g_byte_array_append(info, ech_config->data, ech_config->data_len);
10008 uint8_t key[AEAD_MAX_KEY_LENGTH32];
10009 uint8_t base_nonce[HPKE_AEAD_NONCE_LENGTH12];
10010 if (hpke_key_schedule(kdf_id, aead_id, ech_secret->data, ech_secret->data_len, suite_id, info->data, info->len, HPKE_MODE_BASE0,
10011 key, base_nonce)) {
10012 g_byte_array_free(info, TRUE(!(0)));
10013 break;
10014 }
10015 g_byte_array_free(info, TRUE(!(0)));
10016 gcry_cipher_hd_t cipher;
10017 if (hpke_setup_aead(&cipher, aead_id, key) ||
10018 hpke_set_nonce(cipher, !session->hrr_ech_declined && pinfo->num > session->first_ch_ech_frame, base_nonce, aead_nonce_len)) {
10019 gcry_cipher_close(cipher);
10020 break;
10021 }
10022 const uint8_t *payload = tvb_get_ptr(tvb, offset - length, length);
10023 uint8_t *ech_aad = (uint8_t *)wmem_alloc(NULL((void*)0), hello_length);
10024 tvb_memcpy(tvb, ech_aad, initial_offset, hello_length);
10025 memset(ech_aad + offset - length - initial_offset, 0, length);
10026 if (gcry_cipher_authenticate(cipher, ech_aad, hello_length)) {
10027 gcry_cipher_close(cipher);
10028 wmem_free(NULL((void*)0), ech_aad);
10029 break;
10030 }
10031 wmem_free(NULL((void*)0), ech_aad);
10032 uint8_t *ech_decrypted_data = (uint8_t *)wmem_alloc(pinfo->pool, length - 16);
10033 if (gcry_cipher_decrypt(cipher, ech_decrypted_data, length - 16, payload, length - 16)) {
10034 gcry_cipher_close(cipher);
10035 break;
10036 }
10037 unsigned char ech_auth_tag_calc[16];
10038 if (gcry_cipher_gettag(cipher, ech_auth_tag_calc, 16)) {
10039 gcry_cipher_close(cipher);
10040 break;
10041 }
10042 if (ssl && !session->hrr_ech_declined && session->first_ch_ech_frame == pinfo->num)
10043 memcpy(session->first_ech_auth_tag, ech_auth_tag_calc, 16);
10044 gcry_cipher_close(cipher);
10045 if (memcmp(pinfo->num > session->first_ch_ech_frame ? ech_auth_tag_calc : session->first_ech_auth_tag,
10046 payload + length - 16, 16)) {
10047 ssl_debug_printf("%s ECH auth tag mismatch\n", G_STRFUNC((const char*) (__func__)));
10048 } else {
10049 payload_tree = proto_item_add_subtree(payload_ti, hf->ett.ech_decrypt);
10050 tvbuff_t *ech_tvb = tvb_new_child_real_data(tvb, ech_decrypted_data, length - 16, length - 16);
10051 add_new_data_source(pinfo, ech_tvb, "Client Hello Inner");
10052 if (ssl) {
10053 tvb_memcpy(ech_tvb, ssl->client_random.data, 2, 32);
10054 uint32_t len_offset = ssl->ech_transcript.data_len;
10055 if (ssl->ech_transcript.data_len > 0)
10056 ssl->ech_transcript.data = (unsigned char*)wmem_realloc(wmem_file_scope(), ssl->ech_transcript.data,
10057 ssl->ech_transcript.data_len + hello_length + 4);
10058 else
10059 ssl->ech_transcript.data = (unsigned char*)wmem_alloc(wmem_file_scope(), hello_length + 4);
10060 ssl->ech_transcript.data[ssl->ech_transcript.data_len] = SSL_HND_CLIENT_HELLO;
10061 ssl->ech_transcript.data[ssl->ech_transcript.data_len + 1] = 0;
10062 tvb_memcpy(ech_tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len + 4, 0, 34);
10063 ssl->ech_transcript.data_len += 38;
10064 tvb_memcpy(tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len, initial_offset + 34,
10065 tvb_get_uint8(tvb, initial_offset + 34) + 1);
10066 ssl->ech_transcript.data_len += tvb_get_uint8(tvb, initial_offset + 34) + 1;
10067 uint32_t ech_offset = 35 + tvb_get_uint8(ech_tvb, 34);
10068 tvb_memcpy(ech_tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len, ech_offset,
10069 2 + tvb_get_ntohs(ech_tvb, ech_offset));
10070 ssl->ech_transcript.data_len += 2 + tvb_get_ntohs(ech_tvb, ech_offset);
10071 ech_offset += 2 + tvb_get_ntohs(ech_tvb, ech_offset);
10072 tvb_memcpy(ech_tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len, ech_offset,
10073 1 + tvb_get_uint8(ech_tvb, ech_offset));
10074 ssl->ech_transcript.data_len += 1 + tvb_get_uint8(ech_tvb, ech_offset);
10075 ech_offset += 1 + tvb_get_uint8(ech_tvb, ech_offset);
10076 uint32_t ech_extensions_len_offset = ssl->ech_transcript.data_len;
10077 ssl->ech_transcript.data_len += 2;
10078 uint16_t extensions_end = ech_offset + tvb_get_ntohs(ech_tvb, ech_offset) + 2;
10079 ech_offset += 2;
10080 while (extensions_end - ech_offset >= 4) {
10081 if (tvb_get_ntohs(ech_tvb, ech_offset) != SSL_HND_HELLO_EXT_ECH_OUTER_EXTENSIONS64768) {
10082 tvb_memcpy(ech_tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len, ech_offset,
10083 4 + tvb_get_ntohs(ech_tvb, ech_offset + 2));
10084 ssl->ech_transcript.data_len += 4 + tvb_get_ntohs(ech_tvb, ech_offset + 2);
10085 ech_offset += 4 + tvb_get_ntohs(ech_tvb, ech_offset + 2);
10086 } else if (tvb_get_ntohs(ech_tvb, ech_offset + 2) > 0) {
10087 uint8_t outer_extensions_end = tvb_get_uint8(ech_tvb, ech_offset + 4) + ech_offset + 5;
10088 ech_offset += 5;
10089 uint16_t outer_offset = initial_offset + 35 + tvb_get_uint8(tvb, initial_offset + 34);
10090 outer_offset += tvb_get_ntohs(tvb, outer_offset) + 2;
10091 outer_offset += tvb_get_uint8(tvb, outer_offset) + 3;
10092 while (outer_extensions_end - ech_offset >= 2) {
10093 while (hello_length - outer_offset >= 4) {
10094 if (tvb_get_ntohs(tvb, outer_offset) == tvb_get_ntohs(ech_tvb, ech_offset)) {
10095 tvb_memcpy(tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len, outer_offset,
10096 4 + tvb_get_ntohs(tvb, outer_offset + 2));
10097 ssl->ech_transcript.data_len += 4 + tvb_get_ntohs(tvb, outer_offset + 2);
10098 outer_offset += 4 + tvb_get_ntohs(tvb, outer_offset + 2);
10099 break;
10100 } else {
10101 outer_offset += 4 + tvb_get_ntohs(tvb, outer_offset + 2);
10102 }
10103 }
10104 ech_offset += 2;
10105 }
10106 }
10107 }
10108 uint16_t ech_extensions_len_be = GUINT16_TO_BE(ssl->ech_transcript.data_len - ech_extensions_len_offset - 2)((((guint16) ( (guint16) ((guint16) (ssl->ech_transcript.data_len
- ech_extensions_len_offset - 2) >> 8) | (guint16) ((guint16
) (ssl->ech_transcript.data_len - ech_extensions_len_offset
- 2) << 8)))));
10109 *(ssl->ech_transcript.data + ech_extensions_len_offset) = ech_extensions_len_be & 0xff;
10110 *(ssl->ech_transcript.data + ech_extensions_len_offset + 1) = (ech_extensions_len_be >> 8);
10111 *(ssl->ech_transcript.data + len_offset + 2) = ((ssl->ech_transcript.data_len - len_offset - 4) >> 8);
10112 *(ssl->ech_transcript.data + len_offset + 3) = (ssl->ech_transcript.data_len - len_offset - 4) & 0xff;
10113 }
10114 uint32_t ech_padding_begin = (uint32_t)ssl_dissect_hnd_cli_hello(hf, ech_tvb, pinfo, payload_tree, 0, length - 16, session,
10115 ssl, NULL((void*)0), mk_map);
10116 if (ech_padding_begin < length - 16) {
10117 proto_tree_add_item(payload_tree, hf->hf.ech_padding_data, ech_tvb, ech_padding_begin, length - 16 - ech_padding_begin,
10118 ENC_NA0x00000000);
10119 }
10120 }
10121
10122 break;
10123 case 1: /* inner */
10124 break;
10125 }
10126 break;
10127
10128 case SSL_HND_ENCRYPTED_EXTENSIONS:
10129 /*
10130 * struct {
10131 * ECHConfigList retry_configs;
10132 * } ECHEncryptedExtensions;
10133 */
10134
10135 ti = proto_tree_add_item(tree, hf->hf.ech_retry_configs, tvb, offset, offset_end - offset, ENC_NA0x00000000);
10136 retry_tree = proto_item_add_subtree(ti, hf->ett.ech_retry_configs);
10137 offset = ssl_dissect_ext_ech_echconfiglist(hf, tvb, pinfo, retry_tree, offset, offset_end);
10138 break;
10139
10140 case SSL_HND_HELLO_RETRY_REQUEST:
10141 /*
10142 * struct {
10143 * opaque confirmation[8];
10144 * } ECHHelloRetryRequest;
10145 */
10146
10147 proto_tree_add_item(tree, hf->hf.ech_confirmation, tvb, offset, 8, ENC_NA0x00000000);
10148 if (session->ech) {
10149 ti = proto_tree_add_bytes_with_length(tree, hf->hf.hs_ech_confirm_compute, tvb, offset, 0, session->hrr_ech_confirmation, 8);
10150 proto_item_set_generated(ti);
10151 if (memcmp(session->hrr_ech_confirmation, tvb_get_ptr(tvb, offset, 8), 8)) {
10152 expert_add_info(pinfo, ti, &hf->ei.ech_rejected);
10153 } else {
10154 expert_add_info(pinfo, ti, &hf->ei.ech_accepted);
10155 }
10156 }
10157 offset += 8;
10158 break;
10159 }
10160
10161 return offset;
10162}
10163
10164static uint32_t
10165ssl_dissect_hnd_hello_ext_esni(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
10166 proto_tree *tree, uint32_t offset, uint32_t offset_end,
10167 uint8_t hnd_type, SslDecryptSession *ssl _U___attribute__((unused)))
10168{
10169 uint32_t record_digest_length, encrypted_sni_length;
10170
10171 switch (hnd_type) {
10172 case SSL_HND_CLIENT_HELLO:
10173 /*
10174 * struct {
10175 * CipherSuite suite;
10176 * KeyShareEntry key_share;
10177 * opaque record_digest<0..2^16-1>;
10178 * opaque encrypted_sni<0..2^16-1>;
10179 * } ClientEncryptedSNI;
10180 */
10181 proto_tree_add_item(tree, hf->hf.esni_suite, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
10182 offset += 2;
10183 offset = ssl_dissect_hnd_hello_ext_key_share_entry(hf, tvb, pinfo, tree, offset, offset_end, NULL((void*)0));
10184
10185 /* opaque record_digest<0..2^16-1> */
10186 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &record_digest_length,
10187 hf->hf.esni_record_digest_length, 0, UINT16_MAX(65535))) {
10188 return offset_end;
10189 }
10190 offset += 2;
10191 if (record_digest_length > 0) {
10192 proto_tree_add_item(tree, hf->hf.esni_record_digest, tvb, offset, record_digest_length, ENC_NA0x00000000);
10193 offset += record_digest_length;
10194 }
10195
10196 /* opaque encrypted_sni<0..2^16-1> */
10197 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &encrypted_sni_length,
10198 hf->hf.esni_encrypted_sni_length, 0, UINT16_MAX(65535))) {
10199 return offset_end;
10200 }
10201 offset += 2;
10202 if (encrypted_sni_length > 0) {
10203 proto_tree_add_item(tree, hf->hf.esni_encrypted_sni, tvb, offset, encrypted_sni_length, ENC_NA0x00000000);
10204 offset += encrypted_sni_length;
10205 }
10206 break;
10207
10208 case SSL_HND_ENCRYPTED_EXTENSIONS:
10209 proto_tree_add_item(tree, hf->hf.esni_nonce, tvb, offset, 16, ENC_NA0x00000000);
10210 offset += 16;
10211 break;
10212 }
10213
10214 return offset;
10215}
10216/** TLS Extensions (in Client Hello and Server Hello). }}} */
10217
10218/* Connection ID dissection. {{{ */
10219static uint32_t
10220ssl_dissect_ext_connection_id(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
10221 proto_tree *tree, uint32_t offset, SslDecryptSession *ssl,
10222 uint8_t cidl, uint8_t **session_cid, uint8_t *session_cidl)
10223{
10224 /* keep track of the decrypt session only for the first pass */
10225 if (cidl > 0 && !PINFO_FD_VISITED(pinfo)((pinfo)->fd->visited)) {
10226 tvb_ensure_bytes_exist(tvb, offset + 1, cidl);
10227 *session_cidl = cidl;
10228 *session_cid = (uint8_t*)wmem_alloc0(wmem_file_scope(), cidl);
10229 tvb_memcpy(tvb, *session_cid, offset + 1, cidl);
10230 if (ssl) {
10231 ssl_add_session_by_cid(ssl);
10232 }
10233 }
10234
10235 proto_tree_add_item(tree, hf->hf.hs_ext_connection_id_length,
10236 tvb, offset, 1, ENC_NA0x00000000);
10237 offset++;
10238
10239 if (cidl > 0) {
10240 proto_tree_add_item(tree, hf->hf.hs_ext_connection_id,
10241 tvb, offset, cidl, ENC_NA0x00000000);
10242 offset += cidl;
10243 }
10244
10245 return offset;
10246}
10247
10248static uint32_t
10249ssl_dissect_hnd_hello_ext_connection_id(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
10250 proto_tree *tree, uint32_t offset, uint8_t hnd_type,
10251 SslSession *session, SslDecryptSession *ssl)
10252{
10253 uint8_t cidl = tvb_get_uint8(tvb, offset);
10254
10255 switch (hnd_type) {
10256 case SSL_HND_CLIENT_HELLO:
10257 session->client_cid_len_present = true1;
10258 return ssl_dissect_ext_connection_id(hf, tvb, pinfo, tree, offset, ssl,
10259 cidl, &session->client_cid, &session->client_cid_len);
10260 case SSL_HND_SERVER_HELLO:
10261 session->server_cid_len_present = true1;
10262 return ssl_dissect_ext_connection_id(hf, tvb, pinfo, tree, offset, ssl,
10263 cidl, &session->server_cid, &session->server_cid_len);
10264 default:
10265 return offset;
10266 }
10267} /* }}} */
10268
10269/* Trusted CA dissection. {{{ */
10270static uint32_t
10271ssl_dissect_hnd_hello_ext_trusted_ca_keys(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
10272 uint32_t offset, uint32_t offset_end)
10273{
10274 proto_item *ti;
10275 proto_tree *subtree;
10276 uint32_t keys_length, next_offset;
10277
10278 /*
10279 * struct {
10280 * TrustedAuthority trusted_authorities_list<0..2^16-1>;
10281 * } TrustedAuthorities;
10282 *
10283 * struct {
10284 * IdentifierType identifier_type;
10285 * select (identifier_type) {
10286 * case pre_agreed: struct {};
10287 * case key_sha1_hash: SHA1Hash;
10288 * case x509_name: DistinguishedName;
10289 * case cert_sha1_hash: SHA1Hash;
10290 * } identifier;
10291 * } TrustedAuthority;
10292 *
10293 * enum {
10294 * pre_agreed(0), key_sha1_hash(1), x509_name(2),
10295 * cert_sha1_hash(3), (255)
10296 * } IdentifierType;
10297 *
10298 * opaque DistinguishedName<1..2^16-1>;
10299 *
10300 */
10301
10302
10303 /* TrustedAuthority trusted_authorities_list<0..2^16-1> */
10304 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &keys_length, hf->hf.hs_ext_trusted_ca_keys_len,
10305 0, UINT16_MAX(65535)))
10306 {
10307 return offset_end;
10308 }
10309 offset += 2;
10310 next_offset = offset + keys_length;
10311
10312 if (keys_length > 0)
10313 {
10314 ti = proto_tree_add_none_format(tree, hf->hf.hs_ext_trusted_ca_keys_list, tvb, offset, keys_length,
10315 "Trusted CA keys (%d byte%s)", keys_length, plurality(keys_length, "", "s")((keys_length) == 1 ? ("") : ("s")));
10316 subtree = proto_item_add_subtree(ti, hf->ett.hs_ext_trusted_ca_keys);
10317
10318 while (offset < next_offset)
10319 {
10320 uint32_t identifier_type;
10321 proto_tree *trusted_key_tree;
10322 proto_item *trusted_key_item;
10323 asn1_ctx_t asn1_ctx;
10324 uint32_t key_len = 0;
10325
10326 identifier_type = tvb_get_uint8(tvb, offset);
10327
10328 // Use 0 as length for now as we'll only know the size when we decode the identifier
10329 trusted_key_item = proto_tree_add_none_format(subtree, hf->hf.hs_ext_trusted_ca_key, tvb,
10330 offset, 0, "Trusted CA Key");
10331 trusted_key_tree = proto_item_add_subtree(trusted_key_item, hf->ett.hs_ext_trusted_ca_key);
10332
10333 proto_tree_add_uint(trusted_key_tree, hf->hf.hs_ext_trusted_ca_key_type, tvb,
10334 offset, 1, identifier_type);
10335 offset++;
10336
10337 /*
10338 * enum {
10339 * pre_agreed(0), key_sha1_hash(1), x509_name(2),
10340 * cert_sha1_hash(3), (255)
10341 * } IdentifierType;
10342 */
10343 switch (identifier_type)
10344 {
10345 case 0:
10346 key_len = 0;
10347 break;
10348 case 2:
10349 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true1, pinfo);
10350
10351 uint32_t name_length;
10352 /* opaque DistinguishedName<1..2^16-1> */
10353 if (!ssl_add_vector(hf, tvb, pinfo, trusted_key_tree, offset, next_offset, &name_length,
10354 hf->hf.hs_ext_trusted_ca_key_dname_len, 1, UINT16_MAX(65535))) {
10355 return next_offset;
10356 }
10357 offset += 2;
10358
10359 dissect_x509if_DistinguishedName(false0, tvb, offset, &asn1_ctx,
10360 trusted_key_tree, hf->hf.hs_ext_trusted_ca_key_dname);
10361 offset += name_length;
10362 break;
10363 case 1:
10364 case 3:
10365 key_len = 20;
10366 /* opaque SHA1Hash[20]; */
10367 proto_tree_add_item(trusted_key_tree, hf->hf.hs_ext_trusted_ca_key_hash, tvb,
10368 offset, 20, ENC_NA0x00000000);
10369 break;
10370
10371 default:
10372 key_len = 0;
10373 /*TODO display expert info about unknown ? */
10374 break;
10375 }
10376 proto_item_set_len(trusted_key_item, 1 + key_len);
10377 offset += key_len;
10378 }
10379 }
10380
10381 if (!ssl_end_vector(hf, tvb, pinfo, tree, offset, next_offset))
10382 {
10383 offset = next_offset;
10384 }
10385
10386 return offset;
10387} /* }}} */
10388
10389
10390/* Whether the Content and Handshake Types are valid; handle Protocol Version. {{{ */
10391bool_Bool
10392ssl_is_valid_content_type(uint8_t type)
10393{
10394 switch ((ContentType) type) {
10395 case SSL_ID_CHG_CIPHER_SPEC:
10396 case SSL_ID_ALERT:
10397 case SSL_ID_HANDSHAKE:
10398 case SSL_ID_APP_DATA:
10399 case SSL_ID_HEARTBEAT:
10400 case SSL_ID_TLS12_CID:
10401 case SSL_ID_DTLS13_ACK:
10402 return true1;
10403 }
10404 return false0;
10405}
10406
10407bool_Bool
10408ssl_is_valid_handshake_type(uint8_t hs_type, bool_Bool is_dtls)
10409{
10410 switch ((HandshakeType) hs_type) {
10411 case SSL_HND_HELLO_VERIFY_REQUEST:
10412 /* hello_verify_request is DTLS-only */
10413 return is_dtls;
10414
10415 case SSL_HND_HELLO_REQUEST:
10416 case SSL_HND_CLIENT_HELLO:
10417 case SSL_HND_SERVER_HELLO:
10418 case SSL_HND_NEWSESSION_TICKET:
10419 case SSL_HND_END_OF_EARLY_DATA:
10420 case SSL_HND_HELLO_RETRY_REQUEST:
10421 case SSL_HND_ENCRYPTED_EXTENSIONS:
10422 case SSL_HND_CERTIFICATE:
10423 case SSL_HND_SERVER_KEY_EXCHG:
10424 case SSL_HND_CERT_REQUEST:
10425 case SSL_HND_SVR_HELLO_DONE:
10426 case SSL_HND_CERT_VERIFY:
10427 case SSL_HND_CLIENT_KEY_EXCHG:
10428 case SSL_HND_FINISHED:
10429 case SSL_HND_CERT_URL:
10430 case SSL_HND_CERT_STATUS:
10431 case SSL_HND_SUPPLEMENTAL_DATA:
10432 case SSL_HND_KEY_UPDATE:
10433 case SSL_HND_COMPRESSED_CERTIFICATE:
10434 case SSL_HND_ENCRYPTED_EXTS:
10435 return true1;
10436 case SSL_HND_MESSAGE_HASH:
10437 return false0;
10438 }
10439 return false0;
10440}
10441
10442static bool_Bool
10443ssl_is_authoritative_version_message(uint8_t content_type, uint8_t handshake_type,
10444 bool_Bool is_dtls)
10445{
10446 /* Consider all valid Handshake messages (except for Client Hello) and
10447 * all other valid record types (other than Handshake) */
10448 return (content_type == SSL_ID_HANDSHAKE &&
10449 ssl_is_valid_handshake_type(handshake_type, is_dtls) &&
10450 handshake_type != SSL_HND_CLIENT_HELLO) ||
10451 (content_type != SSL_ID_HANDSHAKE &&
10452 ssl_is_valid_content_type(content_type));
10453}
10454
10455/**
10456 * Scan a Server Hello handshake message for the negotiated version. For TLS 1.3
10457 * draft 22 and newer, it also checks whether it is a HelloRetryRequest.
10458 * Returns true if the supported_versions extension was found, false if not.
10459 */
10460bool_Bool
10461tls_scan_server_hello(tvbuff_t *tvb, uint32_t offset, uint32_t offset_end,
10462 uint16_t *server_version, bool_Bool *is_hrr)
10463{
10464 /* SHA256("HelloRetryRequest") */
10465 static const uint8_t tls13_hrr_random_magic[] = {
10466 0xcf, 0x21, 0xad, 0x74, 0xe5, 0x9a, 0x61, 0x11, 0xbe, 0x1d, 0x8c, 0x02, 0x1e, 0x65, 0xb8, 0x91,
10467 0xc2, 0xa2, 0x11, 0x16, 0x7a, 0xbb, 0x8c, 0x5e, 0x07, 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c
10468 };
10469 uint8_t session_id_length;
10470
10471 *server_version = tvb_get_ntohs(tvb, offset);
10472
10473 /*
10474 * Try to look for supported_versions extension. Minimum length:
10475 * 2 + 32 + 1 = 35 (version, random, session id length)
10476 * 2 + 1 + 2 = 5 (cipher suite, compression method, extensions length)
10477 * 2 + 2 + 2 = 6 (ext type, ext len, version)
10478 *
10479 * We only check for the [legacy_]version field to be [D]TLS 1.2; if it's 1.3,
10480 * there's a separate expert info warning for that.
10481 */
10482 if ((*server_version == TLSV1DOT2_VERSION0x303 || *server_version == DTLSV1DOT2_VERSION0xfefd) && offset_end - offset >= 46) {
10483 offset += 2;
10484 if (is_hrr) {
10485 *is_hrr = tvb_memeql(tvb, offset, tls13_hrr_random_magic, sizeof(tls13_hrr_random_magic)) == 0;
10486 }
10487 offset += 32;
10488 session_id_length = tvb_get_uint8(tvb, offset);
10489 offset++;
10490 if (offset_end - offset < session_id_length + 5u) {
10491 return false0;
10492 }
10493 offset += session_id_length + 5;
10494
10495 while (offset_end - offset >= 6) {
10496 uint16_t ext_type = tvb_get_ntohs(tvb, offset);
10497 uint16_t ext_len = tvb_get_ntohs(tvb, offset + 2);
10498 if (offset_end - offset < 4u + ext_len) {
10499 break; /* not enough data for type, length and data */
10500 }
10501 if (ext_type == SSL_HND_HELLO_EXT_SUPPORTED_VERSIONS43) {
10502 if (ext_len == 2) {
10503 *server_version = tvb_get_ntohs(tvb, offset + 4);
10504 }
10505 return true1;
10506 }
10507 offset += 4 + ext_len;
10508 }
10509 } else {
10510 if (is_hrr) {
10511 *is_hrr = false0;
10512 }
10513 }
10514 return false0;
10515}
10516
10517/**
10518 * Scan a Client Hello handshake message to see if the supported_versions
10519 * extension is found, in which case the version field is legacy_version.
10520 */
10521static bool_Bool
10522tls_scan_client_hello(tvbuff_t *tvb, uint32_t offset, uint32_t offset_end)
10523{
10524 uint8_t session_id_length;
10525
10526 uint16_t client_version = tvb_get_ntohs(tvb, offset);
10527
10528 /*
10529 * Try to look for supported_versions extension. Minimum length:
10530 * 2 + 32 + 1 = 35 (version, random, session id length)
10531 * 2 + 2 + 1 + 2 = 5 (cipher suite, compression method, extensions length)
10532 * 2 + 2 + 2 = 6 (ext type, ext len, version)
10533 *
10534 * We only check for the [legacy_]version field to be [D]TLS 1.2; if it's 1.3,
10535 * there's a separate expert info warning for that.
10536 */
10537 if ((client_version == TLSV1DOT2_VERSION0x303 || client_version == DTLSV1DOT2_VERSION0xfefd) && offset_end - offset >= 46) {
10538 offset += 2;
10539 offset += 32;
10540 session_id_length = tvb_get_uint8(tvb, offset);
10541 offset++;
10542 if (offset_end - offset < session_id_length + 2u) {
10543 return false0;
10544 }
10545 offset += session_id_length;
10546 if (client_version == DTLSV1DOT2_VERSION0xfefd) {
10547 uint8_t cookie_length = tvb_get_uint8(tvb, offset);
10548 offset++;
10549 if (offset_end - offset < cookie_length + 2u) {
10550 return false0;
10551 }
10552 }
10553 uint16_t cipher_suites_length = tvb_get_ntohs(tvb, offset);
10554 offset += 2;
10555 if (offset_end - offset < cipher_suites_length + 1u) {
10556 return false0;
10557 }
10558 offset += cipher_suites_length;
10559 uint8_t compression_methods_length = tvb_get_uint8(tvb, offset);
10560 offset++;
10561 if (offset_end - offset < compression_methods_length + 2u) {
10562 return false0;
10563 }
10564 offset += compression_methods_length + 2;
10565
10566 while (offset_end - offset >= 6) {
10567 uint16_t ext_type = tvb_get_ntohs(tvb, offset);
10568 uint16_t ext_len = tvb_get_ntohs(tvb, offset + 2);
10569 if (offset_end - offset < 4u + ext_len) {
10570 break; /* not enough data for type, length and data */
10571 }
10572 if (ext_type == SSL_HND_HELLO_EXT_SUPPORTED_VERSIONS43) {
10573 return true1;
10574 }
10575 offset += 4 + ext_len;
10576 }
10577 }
10578 return false0;
10579}
10580void
10581ssl_try_set_version(SslSession *session, SslDecryptSession *ssl,
10582 uint8_t content_type, uint8_t handshake_type,
10583 bool_Bool is_dtls, uint16_t version)
10584{
10585 uint8_t tls13_draft = 0;
10586
10587 if (!ssl_is_authoritative_version_message(content_type, handshake_type,
10588 is_dtls))
10589 return;
10590
10591 version = tls_try_get_version(is_dtls, version, &tls13_draft);
10592 if (version == SSL_VER_UNKNOWN0) {
10593 return;
10594 }
10595
10596 session->tls13_draft_version = tls13_draft;
10597 session->version = version;
10598 if (ssl) {
10599 ssl->state |= SSL_VERSION(1<<4);
10600 ssl_debug_printf("%s found version 0x%04X -> state 0x%02X\n", G_STRFUNC((const char*) (__func__)), version, ssl->state);
10601 }
10602}
10603
10604void
10605ssl_check_record_length(ssl_common_dissect_t *hf, packet_info *pinfo,
10606 ContentType content_type,
10607 unsigned record_length, proto_item *length_pi,
10608 uint16_t version, tvbuff_t *decrypted_tvb)
10609{
10610 unsigned max_expansion;
10611 if (version == TLSV1DOT3_VERSION0x304) {
10612 /* TLS 1.3: Max length is 2^14 + 256 */
10613 max_expansion = 256;
10614 } else {
10615 /* RFC 5246, Section 6.2.3: TLSCiphertext.fragment length MUST NOT exceed 2^14 + 2048 */
10616 max_expansion = 2048;
10617 }
10618 /*
10619 * RFC 5246 (TLS 1.2), Section 6.2.1 forbids zero-length Handshake, Alert
10620 * and ChangeCipherSpec.
10621 * RFC 6520 (Heartbeats) does not mention zero-length Heartbeat fragments,
10622 * so assume it is permitted.
10623 * RFC 6347 (DTLS 1.2) does not mention zero-length fragments either, so
10624 * assume TLS 1.2 requirements.
10625 */
10626 if (record_length == 0 &&
10627 (content_type == SSL_ID_CHG_CIPHER_SPEC ||
10628 content_type == SSL_ID_ALERT ||
10629 content_type == SSL_ID_HANDSHAKE)) {
10630 expert_add_info_format(pinfo, length_pi, &hf->ei.record_length_invalid,
10631 "Zero-length %s fragments are not allowed",
10632 val_to_str_const(content_type, ssl_31_content_type, "unknown"));
10633 }
10634 if (record_length > TLS_MAX_RECORD_LENGTH0x4000 + max_expansion) {
10635 expert_add_info_format(pinfo, length_pi, &hf->ei.record_length_invalid,
10636 "TLSCiphertext length MUST NOT exceed 2^14 + %u", max_expansion);
10637 }
10638 if (decrypted_tvb && tvb_captured_length(decrypted_tvb) > TLS_MAX_RECORD_LENGTH0x4000) {
10639 expert_add_info_format(pinfo, length_pi, &hf->ei.record_length_invalid,
10640 "TLSPlaintext length MUST NOT exceed 2^14");
10641 }
10642}
10643
10644static void
10645ssl_set_cipher(SslDecryptSession *ssl, uint16_t cipher)
10646{
10647 /* store selected cipher suite for decryption */
10648 ssl->session.cipher = cipher;
10649
10650 const SslCipherSuite *cs = ssl_find_cipher(cipher);
10651 if (!cs) {
10652 ssl->cipher_suite = NULL((void*)0);
10653 ssl->state &= ~SSL_CIPHER(1<<2);
10654 ssl_debug_printf("%s can't find cipher suite 0x%04X\n", G_STRFUNC((const char*) (__func__)), cipher);
10655 } else if (ssl->session.version == SSLV3_VERSION0x300 && !(cs->dig == DIG_MD50x40 || cs->dig == DIG_SHA0x41)) {
10656 /* A malicious packet capture contains a SSL 3.0 session using a TLS 1.2
10657 * cipher suite that uses for example MACAlgorithm SHA256. Reject that
10658 * to avoid a potential buffer overflow in ssl3_check_mac. */
10659 ssl->cipher_suite = NULL((void*)0);
10660 ssl->state &= ~SSL_CIPHER(1<<2);
10661 ssl_debug_printf("%s invalid SSL 3.0 cipher suite 0x%04X\n", G_STRFUNC((const char*) (__func__)), cipher);
10662 } else {
10663 /* Cipher found, save this for the delayed decoder init */
10664 ssl->cipher_suite = cs;
10665 ssl->state |= SSL_CIPHER(1<<2);
10666 ssl_debug_printf("%s found CIPHER 0x%04X %s -> state 0x%02X\n", G_STRFUNC((const char*) (__func__)), cipher,
10667 val_to_str_ext_const(cipher, &ssl_31_ciphersuite_ext, "unknown"),
10668 ssl->state);
10669 }
10670}
10671/* }}} */
10672
10673
10674/* Client Hello and Server Hello dissections. {{{ */
10675static int
10676ssl_dissect_hnd_extension(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree,
10677 packet_info* pinfo, uint32_t offset, uint32_t offset_end, uint8_t hnd_type,
10678 SslSession *session, SslDecryptSession *ssl,
10679 bool_Bool is_dtls, wmem_strbuf_t *ja3, ja4_data_t *ja4_data,
10680 ssl_master_key_map_t *mk_map, uint32_t initial_offset, uint32_t hello_length);
10681int
10682// NOLINTNEXTLINE(misc-no-recursion)
10683ssl_dissect_hnd_cli_hello(ssl_common_dissect_t *hf, tvbuff_t *tvb,
10684 packet_info *pinfo, proto_tree *tree, uint32_t offset,
10685 uint32_t offset_end, SslSession *session,
10686 SslDecryptSession *ssl, dtls_hfs_t *dtls_hfs, ssl_master_key_map_t *mk_map)
10687{
10688 /* struct {
10689 * ProtocolVersion client_version;
10690 * Random random;
10691 * SessionID session_id;
10692 * opaque cookie<0..32>; //new field for DTLS
10693 * CipherSuite cipher_suites<2..2^16-1>;
10694 * CompressionMethod compression_methods<1..2^8-1>;
10695 * Extension client_hello_extension_list<0..2^16-1>;
10696 * } ClientHello;
10697 */
10698 proto_item *ti;
10699 proto_tree *cs_tree;
10700 uint32_t client_version;
10701 uint32_t cipher_suite_length;
10702 uint32_t compression_methods_length;
10703 uint8_t compression_method;
10704 uint32_t next_offset;
10705 uint32_t initial_offset = offset;
10706 uint32_t hello_length = offset_end - initial_offset;
10707 wmem_strbuf_t *ja3 = wmem_strbuf_new(pinfo->pool, "");
10708 char *ja3_hash;
10709 char *ja3_dash = "";
10710 char *ja4, *ja4_r, *ja4_hash, *ja4_b, *ja4_c;
10711 ja4_data_t ja4_data;
10712 wmem_strbuf_t *ja4_a = wmem_strbuf_new(pinfo->pool, "");
10713 wmem_strbuf_t *ja4_br = wmem_strbuf_new(pinfo->pool, "");
10714 wmem_strbuf_t *ja4_cr = wmem_strbuf_new(pinfo->pool, "");
10715 wmem_list_frame_t *curr_entry;
10716
10717 ja4_data.max_version = 0;
10718 ja4_data.server_name_present = false0;
10719 ja4_data.num_cipher_suites = 0;
10720 ja4_data.num_extensions = 0;
10721 ja4_data.alpn = wmem_strbuf_new(pinfo->pool, "");
10722 ja4_data.cipher_list = wmem_list_new(pinfo->pool);
10723 ja4_data.extension_list = wmem_list_new(pinfo->pool);
10724 ja4_data.sighash_list = wmem_list_new(pinfo->pool);
10725
10726 /* show the client version */
10727 ti = proto_tree_add_item_ret_uint(tree, hf->hf.hs_client_version, tvb,
10728 offset, 2, ENC_BIG_ENDIAN0x00000000,
10729 &client_version);
10730 if (tls_scan_client_hello(tvb, offset, offset_end)) {
10731 expert_add_info(pinfo, ti, &hf->ei.legacy_version);
10732 }
10733 offset += 2;
10734 wmem_strbuf_append_printf(ja3, "%i,", client_version);
10735
10736 /*
10737 * Is it version 1.3?
10738 * If so, that's an error; TLS and DTLS 1.3 Client Hellos claim
10739 * to be TLS 1.2, and mention 1.3 in an extension. See RFC 8446
10740 * section 4.1.2 "Client Hello" and RFC 9147 Section 5.3 "Client
10741 * Hello".
10742 */
10743 if (dtls_hfs != NULL((void*)0)) {
10744 if (client_version == DTLSV1DOT3_VERSION0xfefc) {
10745 /* Don't do that. */
10746 expert_add_info(pinfo, ti, &hf->ei.client_version_error);
10747 }
10748 } else {
10749 if (client_version == TLSV1DOT3_VERSION0x304) {
10750 /* Don't do that. */
10751 expert_add_info(pinfo, ti, &hf->ei.client_version_error);
10752 }
10753 }
10754
10755 /* dissect fields that are present in both ClientHello and ServerHello */
10756 offset = ssl_dissect_hnd_hello_common(hf, tvb, pinfo, tree, offset, session, ssl, false0, false0);
10757
10758 /* fields specific for DTLS (cookie_len, cookie) */
10759 if (dtls_hfs != NULL((void*)0)) {
10760 uint32_t cookie_length;
10761 /* opaque cookie<0..32> (for DTLS only) */
10762 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &cookie_length,
10763 dtls_hfs->hf_dtls_handshake_cookie_len, 0, 32)) {
10764 return offset;
10765 }
10766 offset++;
10767 if (cookie_length > 0) {
10768 proto_tree_add_item(tree, dtls_hfs->hf_dtls_handshake_cookie,
10769 tvb, offset, cookie_length, ENC_NA0x00000000);
10770 offset += cookie_length;
10771 }
10772 }
10773
10774 /* CipherSuite cipher_suites<2..2^16-1> */
10775 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &cipher_suite_length,
10776 hf->hf.hs_cipher_suites_len, 2, UINT16_MAX(65535))) {
10777 return offset;
10778 }
10779 offset += 2;
10780 next_offset = offset + cipher_suite_length;
10781 ti = proto_tree_add_none_format(tree,
10782 hf->hf.hs_cipher_suites,
10783 tvb, offset, cipher_suite_length,
10784 "Cipher Suites (%d suite%s)",
10785 cipher_suite_length / 2,
10786 plurality(cipher_suite_length/2, "", "s")((cipher_suite_length/2) == 1 ? ("") : ("s")));
10787 cs_tree = proto_item_add_subtree(ti, hf->ett.cipher_suites);
10788 while (offset + 2 <= next_offset) {
10789 uint32_t cipher_suite;
10790
10791 proto_tree_add_item_ret_uint(cs_tree, hf->hf.hs_cipher_suite, tvb, offset, 2,
10792 ENC_BIG_ENDIAN0x00000000, &cipher_suite);
10793 offset += 2;
10794 if (!IS_GREASE_TLS(cipher_suite)((((cipher_suite) & 0x0f0f) == 0x0a0a) && (((cipher_suite
) & 0xff) == (((cipher_suite)>>8) & 0xff)))) {
10795 wmem_strbuf_append_printf(ja3, "%s%i",ja3_dash, cipher_suite);
10796 ja3_dash = "-";
10797 ja4_data.num_cipher_suites += 1;
10798 wmem_list_insert_sorted(ja4_data.cipher_list, GUINT_TO_POINTER(cipher_suite)((gpointer) (gulong) (cipher_suite)), wmem_compare_uint);
10799 }
10800 }
10801 wmem_strbuf_append_c(ja3, ',');
10802 if (!ssl_end_vector(hf, tvb, pinfo, cs_tree, offset, next_offset)) {
10803 offset = next_offset;
10804 }
10805
10806 /* CompressionMethod compression_methods<1..2^8-1> */
10807 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &compression_methods_length,
10808 hf->hf.hs_comp_methods_len, 1, UINT8_MAX(255))) {
10809 return offset;
10810 }
10811 offset++;
10812 next_offset = offset + compression_methods_length;
10813 ti = proto_tree_add_none_format(tree,
10814 hf->hf.hs_comp_methods,
10815 tvb, offset, compression_methods_length,
10816 "Compression Methods (%u method%s)",
10817 compression_methods_length,
10818 plurality(compression_methods_length,((compression_methods_length) == 1 ? ("") : ("s"))
10819 "", "s")((compression_methods_length) == 1 ? ("") : ("s")));
10820 cs_tree = proto_item_add_subtree(ti, hf->ett.comp_methods);
10821 while (offset < next_offset) {
10822 compression_method = tvb_get_uint8(tvb, offset);
10823 /* TODO: make reserved/private comp meth. fields selectable */
10824 if (compression_method < 64)
10825 proto_tree_add_uint(cs_tree, hf->hf.hs_comp_method,
10826 tvb, offset, 1, compression_method);
10827 else if (compression_method > 63 && compression_method < 193)
10828 proto_tree_add_uint_format_value(cs_tree, hf->hf.hs_comp_method, tvb, offset, 1,
10829 compression_method, "Reserved - to be assigned by IANA (%u)",
10830 compression_method);
10831 else
10832 proto_tree_add_uint_format_value(cs_tree, hf->hf.hs_comp_method, tvb, offset, 1,
10833 compression_method, "Private use range (%u)",
10834 compression_method);
10835 offset++;
10836 }
10837
10838 /* SSL v3.0 has no extensions, so length field can indeed be missing. */
10839 if (offset < offset_end) {
10840 offset = ssl_dissect_hnd_extension(hf, tvb, tree, pinfo, offset,
10841 offset_end, SSL_HND_CLIENT_HELLO,
10842 session, ssl, dtls_hfs != NULL((void*)0), ja3, &ja4_data, mk_map, initial_offset, hello_length);
10843 if (ja4_data.max_version > 0) {
10844 client_version = ja4_data.max_version;
10845 }
10846 } else {
10847 wmem_strbuf_append_printf(ja3, ",,");
10848 }
10849
10850 if (proto_is_frame_protocol(pinfo->layers,"tcp")) {
10851 wmem_strbuf_append(ja4_a, "t");
10852 } else if (proto_is_frame_protocol(pinfo->layers,"quic")) {
10853 wmem_strbuf_append(ja4_a, "q");
10854 } else if (proto_is_frame_protocol(pinfo->layers,"dtls")) {
10855 wmem_strbuf_append(ja4_a, "d");
10856 }
10857 wmem_strbuf_append_printf(ja4_a, "%s", val_to_str_const(client_version, ssl_version_ja4_names, "00"));
10858 wmem_strbuf_append_printf(ja4_a, "%s", ja4_data.server_name_present ? "d" : "i");
10859 if (ja4_data.num_cipher_suites > 99) {
10860 wmem_strbuf_append(ja4_a, "99");
10861 } else {
10862 wmem_strbuf_append_printf(ja4_a, "%02d", ja4_data.num_cipher_suites);
10863 }
10864 if (ja4_data.num_extensions > 99) {
10865 wmem_strbuf_append(ja4_a, "99");
10866 } else {
10867 wmem_strbuf_append_printf(ja4_a, "%02d", ja4_data.num_extensions);
10868 }
10869 if (wmem_strbuf_get_len(ja4_data.alpn) > 0 ) {
10870 wmem_strbuf_append_printf(ja4_a, "%s", wmem_strbuf_get_str(ja4_data.alpn));
10871 } else {
10872 wmem_strbuf_append(ja4_a, "00");
10873 }
10874
10875 curr_entry = wmem_list_head(ja4_data.cipher_list);
10876 for (unsigned i = 0; i < wmem_list_count(ja4_data.cipher_list); i++) {
10877 wmem_strbuf_append_printf(ja4_br, "%04x", GPOINTER_TO_UINT(wmem_list_frame_data(curr_entry))((guint) (gulong) (wmem_list_frame_data(curr_entry))));
10878 if (i < wmem_list_count(ja4_data.cipher_list) - 1) {
10879 wmem_strbuf_append(ja4_br, ",");
10880 }
10881 curr_entry = wmem_list_frame_next(curr_entry);
10882 }
10883
10884 curr_entry = wmem_list_head(ja4_data.extension_list);
10885 for (unsigned i = 0; i < wmem_list_count(ja4_data.extension_list); i++) {
10886 wmem_strbuf_append_printf(ja4_cr, "%04x", GPOINTER_TO_UINT(wmem_list_frame_data(curr_entry))((guint) (gulong) (wmem_list_frame_data(curr_entry))));
10887 if (i < wmem_list_count(ja4_data.extension_list) - 1) {
10888 wmem_strbuf_append(ja4_cr, ",");
10889 }
10890 curr_entry = wmem_list_frame_next(curr_entry);
10891 }
10892
10893 if (wmem_list_count(ja4_data.sighash_list) > 0) {
10894 wmem_strbuf_append(ja4_cr, "_");
10895 curr_entry = wmem_list_head(ja4_data.sighash_list);
10896 for (unsigned i = 0; i < wmem_list_count(ja4_data.sighash_list); i++) {
10897 wmem_strbuf_append_printf(ja4_cr, "%04x", GPOINTER_TO_UINT(wmem_list_frame_data(curr_entry))((guint) (gulong) (wmem_list_frame_data(curr_entry))));
10898 if (i < wmem_list_count(ja4_data.sighash_list) - 1) {
10899 wmem_strbuf_append(ja4_cr, ",");
10900 }
10901 curr_entry = wmem_list_frame_next(curr_entry);
10902 }
10903 }
10904 if ( wmem_strbuf_get_len(ja4_br) == 0 ) {
10905 ja4_hash = g_strdup("000000000000")g_strdup_inline ("000000000000");
10906 } else {
10907 ja4_hash = g_compute_checksum_for_string(G_CHECKSUM_SHA256, wmem_strbuf_get_str(ja4_br),-1);
10908 }
10909 ja4_b = wmem_strndup(pinfo->pool, ja4_hash, 12);
10910
10911 g_free(ja4_hash);
10912 if ( wmem_strbuf_get_len(ja4_cr) == 0 ) {
10913 ja4_hash = g_strdup("000000000000")g_strdup_inline ("000000000000");
10914 } else {
10915 ja4_hash = g_compute_checksum_for_string(G_CHECKSUM_SHA256, wmem_strbuf_get_str(ja4_cr),-1);
10916 }
10917 ja4_c = wmem_strndup(pinfo->pool, ja4_hash, 12);
10918 g_free(ja4_hash);
10919
10920 ja4 = wmem_strdup_printf(pinfo->pool, "%s_%s_%s", wmem_strbuf_get_str(ja4_a), ja4_b, ja4_c);
10921 ja4_r = wmem_strdup_printf(pinfo->pool, "%s_%s_%s", wmem_strbuf_get_str(ja4_a), wmem_strbuf_get_str(ja4_br), wmem_strbuf_get_str(ja4_cr));
10922
10923 ti = proto_tree_add_string(tree, hf->hf.hs_ja4, tvb, offset, 0, ja4);
10924 proto_item_set_generated(ti);
10925 ti = proto_tree_add_string(tree, hf->hf.hs_ja4_r, tvb, offset, 0, ja4_r);
10926 proto_item_set_generated(ti);
10927
10928 ja3_hash = g_compute_checksum_for_string(G_CHECKSUM_MD5, wmem_strbuf_get_str(ja3),
10929 wmem_strbuf_get_len(ja3));
10930 ti = proto_tree_add_string(tree, hf->hf.hs_ja3_full, tvb, offset, 0, wmem_strbuf_get_str(ja3));
10931 proto_item_set_generated(ti);
10932 ti = proto_tree_add_string(tree, hf->hf.hs_ja3_hash, tvb, offset, 0, ja3_hash);
10933 proto_item_set_generated(ti);
10934 g_free(ja3_hash);
10935 return offset;
10936}
10937
10938void
10939ssl_dissect_hnd_srv_hello(ssl_common_dissect_t *hf, tvbuff_t *tvb,
10940 packet_info* pinfo, proto_tree *tree, uint32_t offset, uint32_t offset_end,
10941 SslSession *session, SslDecryptSession *ssl,
10942 bool_Bool is_dtls, bool_Bool is_hrr)
10943{
10944 /* struct {
10945 * ProtocolVersion server_version;
10946 * Random random;
10947 * SessionID session_id; // TLS 1.2 and before
10948 * CipherSuite cipher_suite;
10949 * CompressionMethod compression_method; // TLS 1.2 and before
10950 * Extension server_hello_extension_list<0..2^16-1>;
10951 * } ServerHello;
10952 */
10953 uint8_t draft_version = session->tls13_draft_version;
10954 proto_item *ti;
10955 uint32_t server_version;
10956 uint32_t cipher_suite;
10957 uint32_t initial_offset = offset;
10958 wmem_strbuf_t *ja3 = wmem_strbuf_new(pinfo->pool, "");
10959 char *ja3_hash;
10960
10961 col_set_str(pinfo->cinfo, COL_PROTOCOL,
10962 val_to_str_const(session->version, ssl_version_short_names, "SSL"));
10963
10964 /* Initially assume that the session is resumed. If this is not the case, a
10965 * ServerHelloDone will be observed before the ChangeCipherSpec message
10966 * which will reset this flag. */
10967 session->is_session_resumed = true1;
10968
10969 /* show the server version */
10970 ti = proto_tree_add_item_ret_uint(tree, hf->hf.hs_server_version, tvb,
10971 offset, 2, ENC_BIG_ENDIAN0x00000000, &server_version);
10972
10973 uint16_t supported_server_version;
10974 if (tls_scan_server_hello(tvb, offset, offset_end, &supported_server_version, NULL((void*)0))) {
10975 expert_add_info(pinfo, ti, &hf->ei.legacy_version);
10976 }
10977 /*
10978 * Is it version 1.3?
10979 * If so, that's an error; TLS and DTLS 1.3 Server Hellos claim
10980 * to be TLS 1.2, and mention 1.3 in an extension. See RFC 8446
10981 * section 4.1.3 "Server Hello" and RFC 9147 Section 5.4 "Server
10982 * Hello".
10983 */
10984 if (is_dtls) {
10985 if (server_version == DTLSV1DOT3_VERSION0xfefc) {
10986 /* Don't do that. */
10987 expert_add_info(pinfo, ti, &hf->ei.server_version_error);
10988 }
10989 } else {
10990 if (server_version == TLSV1DOT3_VERSION0x304) {
10991 /* Don't do that. */
10992 expert_add_info(pinfo, ti, &hf->ei.server_version_error);
10993 }
10994 }
10995
10996 offset += 2;
10997 wmem_strbuf_append_printf(ja3, "%i", server_version);
10998
10999 /* dissect fields that are present in both ClientHello and ServerHello */
11000 offset = ssl_dissect_hnd_hello_common(hf, tvb, pinfo, tree, offset, session, ssl, true1, is_hrr);
11001
11002 if (ssl) {
11003 /* store selected cipher suite for decryption */
11004 ssl_set_cipher(ssl, tvb_get_ntohs(tvb, offset));
11005 }
11006
11007 /* now the server-selected cipher suite */
11008 proto_tree_add_item_ret_uint(tree, hf->hf.hs_cipher_suite,
11009 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &cipher_suite);
11010 offset += 2;
11011 wmem_strbuf_append_printf(ja3, ",%i,", cipher_suite);
11012
11013 /* No compression with TLS 1.3 before draft -22 */
11014 if (!(session->version == TLSV1DOT3_VERSION0x304 && draft_version > 0 && draft_version < 22)) {
11015 if (ssl) {
11016 /* store selected compression method for decryption */
11017 ssl->session.compression = tvb_get_uint8(tvb, offset);
11018 }
11019 /* and the server-selected compression method */
11020 proto_tree_add_item(tree, hf->hf.hs_comp_method,
11021 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
11022 offset++;
11023 }
11024
11025 /* SSL v3.0 has no extensions, so length field can indeed be missing. */
11026 if (offset < offset_end) {
11027 offset = ssl_dissect_hnd_extension(hf, tvb, tree, pinfo, offset,
11028 offset_end,
11029 is_hrr ? SSL_HND_HELLO_RETRY_REQUEST : SSL_HND_SERVER_HELLO,
11030 session, ssl, is_dtls, ja3, NULL((void*)0), NULL((void*)0), 0, 0);
11031 }
11032
11033 if (ssl && ssl->ech_transcript.data_len > 0 && (ssl->state & SSL_CIPHER(1<<2)) && ssl->client_random.data_len > 0) {
11034 int hash_algo = ssl_get_digest_by_name(ssl_cipher_suite_dig(ssl->cipher_suite)->name);
11035 if (hash_algo) {
11036 SSL_MDgcry_md_hd_t mc;
11037 unsigned char transcript_hash[DIGEST_MAX_SIZE48];
11038 unsigned char prk[DIGEST_MAX_SIZE48];
11039 unsigned char *ech_verify_out = NULL((void*)0);
11040 unsigned int len;
11041 ssl_md_init(&mc, hash_algo);
11042 ssl_md_update(&mc, ssl->ech_transcript.data, ssl->ech_transcript.data_len);
11043 if (is_hrr) {
11044 ssl_md_final(&mc, transcript_hash, &len);
11045 ssl_md_cleanup(&mc);
11046 wmem_free(wmem_file_scope(), ssl->ech_transcript.data);
11047 ssl->ech_transcript.data_len = 4 + len;
11048 ssl->ech_transcript.data = (unsigned char*)wmem_alloc(wmem_file_scope(), 4 + len + 4 + offset_end - initial_offset);
11049 ssl->ech_transcript.data[0] = SSL_HND_MESSAGE_HASH;
11050 ssl->ech_transcript.data[1] = 0;
11051 ssl->ech_transcript.data[2] = 0;
11052 ssl->ech_transcript.data[3] = len;
11053 memcpy(ssl->ech_transcript.data + 4, transcript_hash, len);
11054 ssl_md_init(&mc, hash_algo);
11055 ssl_md_update(&mc, ssl->ech_transcript.data, 4 + len);
11056 } else {
11057 ssl->ech_transcript.data = wmem_realloc(wmem_file_scope(), ssl->ech_transcript.data,
11058 ssl->ech_transcript.data_len + 4 + offset_end - initial_offset);
11059 }
11060 if (initial_offset > 4) {
11061 tvb_memcpy(tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len, initial_offset - 4,
11062 4 + offset_end - initial_offset);
11063 if (is_hrr)
11064 ssl_md_update(&mc, tvb_get_ptr(tvb, initial_offset-4, 38), 38);
11065 else
11066 ssl_md_update(&mc, tvb_get_ptr(tvb, initial_offset-4, 30), 30);
11067 } else {
11068 uint8_t prefix[4] = {SSL_HND_SERVER_HELLO, 0x00, 0x00, 0x00};
11069 prefix[2] = ((offset - initial_offset) >> 8);
11070 prefix[3] = (offset - initial_offset) & 0xff;
11071 memcpy(ssl->ech_transcript.data + ssl->ech_transcript.data_len, prefix, 4);
11072 tvb_memcpy(tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len + 4, initial_offset,
11073 offset_end - initial_offset);
11074 ssl_md_update(&mc, prefix, 4);
11075 if (is_hrr)
11076 ssl_md_update(&mc, tvb_get_ptr(tvb, initial_offset, 34), 34);
11077 else
11078 ssl_md_update(&mc, tvb_get_ptr(tvb, initial_offset, 26), 26);
11079 }
11080 ssl->ech_transcript.data_len += 4 + offset_end - initial_offset;
11081 uint8_t zeros[8] = { 0 };
11082 uint32_t confirmation_offset = initial_offset + 26;
11083 if (is_hrr) {
11084 uint32_t hrr_offset = initial_offset + 34;
11085 ssl_md_update(&mc, tvb_get_ptr(tvb, hrr_offset,
11086 tvb_get_uint8(tvb, hrr_offset) + 1), tvb_get_uint8(tvb, hrr_offset) + 1);
11087 hrr_offset += tvb_get_uint8(tvb, hrr_offset) + 1;
11088 ssl_md_update(&mc, tvb_get_ptr(tvb, hrr_offset, 3), 3);
11089 hrr_offset += 3;
11090 uint16_t extensions_end = hrr_offset + tvb_get_ntohs(tvb, hrr_offset) + 2;
11091 ssl_md_update(&mc, tvb_get_ptr(tvb, hrr_offset, 2), 2);
11092 hrr_offset += 2;
11093 while (extensions_end - hrr_offset >= 4) {
11094 if (tvb_get_ntohs(tvb, hrr_offset) == SSL_HND_HELLO_EXT_ENCRYPTED_CLIENT_HELLO65037 &&
11095 tvb_get_ntohs(tvb, hrr_offset + 2) == 8) {
11096 confirmation_offset = hrr_offset + 4;
11097 ssl_md_update(&mc, tvb_get_ptr(tvb, hrr_offset, 4), 4);
11098 ssl_md_update(&mc, zeros, 8);
11099 hrr_offset += 12;
11100 } else {
11101 ssl_md_update(&mc, tvb_get_ptr(tvb, hrr_offset, tvb_get_ntohs(tvb, hrr_offset + 2) + 4),
11102 tvb_get_ntohs(tvb, hrr_offset + 2) + 4);
11103 hrr_offset += tvb_get_ntohs(tvb, hrr_offset + 2) + 4;
11104 }
11105 }
11106 } else {
11107 ssl_md_update(&mc, zeros, 8);
11108 ssl_md_update(&mc, tvb_get_ptr(tvb, initial_offset + 34, offset - initial_offset - 34),
11109 offset - initial_offset - 34);
11110 }
11111 ssl_md_final(&mc, transcript_hash, &len);
11112 ssl_md_cleanup(&mc);
11113 hkdf_extract(hash_algo, NULL((void*)0), 0, ssl->client_random.data, 32, prk);
11114 StringInfo prk_string = {prk, len};
11115 if (tls13_hkdf_expand_label_context(hash_algo, &prk_string, tls13_hkdf_label_prefix(ssl),
11116 is_hrr ? "hrr ech accept confirmation" : "ech accept confirmation",
11117 transcript_hash, len, 8, &ech_verify_out)) {
11118 memcpy(is_hrr ? ssl->session.hrr_ech_confirmation : ssl->session.ech_confirmation, ech_verify_out, 8);
11119 if (tvb_memeql(tvb, confirmation_offset, ech_verify_out, 8) == -1) {
11120 if (is_hrr) {
11121 ssl->session.hrr_ech_declined = true1;
11122 ssl->session.first_ch_ech_frame = 0;
11123 }
11124 memcpy(ssl->client_random.data, ssl->session.client_random.data, ssl->session.client_random.data_len);
11125 ssl_print_data("Updated Client Random", ssl->client_random.data, 32);
11126 }
11127 wmem_free(NULL((void*)0), ech_verify_out);
11128 }
11129 ssl->session.ech = true1;
11130 }
11131 }
11132
11133 ja3_hash = g_compute_checksum_for_string(G_CHECKSUM_MD5, wmem_strbuf_get_str(ja3),
11134 wmem_strbuf_get_len(ja3));
11135 ti = proto_tree_add_string(tree, hf->hf.hs_ja3s_full, tvb, offset, 0, wmem_strbuf_get_str(ja3));
11136 proto_item_set_generated(ti);
11137 ti = proto_tree_add_string(tree, hf->hf.hs_ja3s_hash, tvb, offset, 0, ja3_hash);
11138 proto_item_set_generated(ti);
11139 g_free(ja3_hash);
11140}
11141/* Client Hello and Server Hello dissections. }}} */
11142
11143/* New Session Ticket dissection. {{{ */
11144void
11145ssl_dissect_hnd_new_ses_ticket(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
11146 proto_tree *tree, uint32_t offset, uint32_t offset_end,
11147 SslSession *session, SslDecryptSession *ssl,
11148 bool_Bool is_dtls, GHashTable *session_hash)
11149{
11150 /* https://tools.ietf.org/html/rfc5077#section-3.3 (TLS >= 1.0):
11151 * struct {
11152 * uint32 ticket_lifetime_hint;
11153 * opaque ticket<0..2^16-1>;
11154 * } NewSessionTicket;
11155 *
11156 * RFC 8446 Section 4.6.1 (TLS 1.3):
11157 * struct {
11158 * uint32 ticket_lifetime;
11159 * uint32 ticket_age_add;
11160 * opaque ticket_nonce<0..255>; // new in draft -21, updated in -22
11161 * opaque ticket<1..2^16-1>;
11162 * Extension extensions<0..2^16-2>;
11163 * } NewSessionTicket;
11164 */
11165 proto_tree *subtree;
11166 proto_item *subitem;
11167 uint32_t ticket_len;
11168 bool_Bool is_tls13 = session->version == TLSV1DOT3_VERSION0x304 || session->version == DTLSV1DOT3_VERSION0xfefc;
11169 unsigned char draft_version = session->tls13_draft_version;
11170 uint32_t lifetime_hint;
11171
11172 subtree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
11173 hf->ett.session_ticket, NULL((void*)0),
11174 "TLS Session Ticket");
11175
11176 /* ticket lifetime hint */
11177 subitem = proto_tree_add_item_ret_uint(subtree, hf->hf.hs_session_ticket_lifetime_hint,
11178 tvb, offset, 4, ENC_BIG_ENDIAN0x00000000, &lifetime_hint);
11179 offset += 4;
11180
11181 if (lifetime_hint >= 60) {
11182 char *time_str = unsigned_time_secs_to_str(pinfo->pool, lifetime_hint);
11183 proto_item_append_text(subitem, " (%s)", time_str);
11184 }
11185
11186 if (is_tls13) {
11187
11188 /* for TLS 1.3: ticket_age_add */
11189 proto_tree_add_item(subtree, hf->hf.hs_session_ticket_age_add,
11190 tvb, offset, 4, ENC_BIG_ENDIAN0x00000000);
11191 offset += 4;
11192
11193 /* for TLS 1.3: ticket_nonce (coming with Draft 21)*/
11194 if (draft_version == 0 || draft_version >= 21) {
11195 uint32_t ticket_nonce_len;
11196
11197 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, offset_end, &ticket_nonce_len,
11198 hf->hf.hs_session_ticket_nonce_len, 0, 255)) {
11199 return;
11200 }
11201 offset++;
11202
11203 proto_tree_add_item(subtree, hf->hf.hs_session_ticket_nonce, tvb, offset, ticket_nonce_len, ENC_NA0x00000000);
11204 offset += ticket_nonce_len;
11205 }
11206
11207 }
11208
11209 /* opaque ticket<0..2^16-1> (with TLS 1.3 the minimum is 1) */
11210 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, offset_end, &ticket_len,
11211 hf->hf.hs_session_ticket_len, is_tls13 ? 1 : 0, UINT16_MAX(65535))) {
11212 return;
11213 }
11214 offset += 2;
11215
11216 /* Content depends on implementation, so just show data! */
11217 proto_tree_add_item(subtree, hf->hf.hs_session_ticket,
11218 tvb, offset, ticket_len, ENC_NA0x00000000);
11219 /* save the session ticket to cache for ssl_finalize_decryption */
11220 if (ssl && !is_tls13) {
11221 if (ssl->session.is_session_resumed) {
11222 /* NewSessionTicket is received in ServerHello before ChangeCipherSpec
11223 * (Abbreviated Handshake Using New Session Ticket).
11224 * Restore the master key for this session ticket before saving
11225 * it to the new session ticket. */
11226 ssl_restore_master_key(ssl, "Session Ticket", false0,
11227 session_hash, &ssl->session_ticket);
11228 }
11229 tvb_ensure_bytes_exist(tvb, offset, ticket_len);
11230 ssl->session_ticket.data = (unsigned char*)wmem_realloc(wmem_file_scope(),
11231 ssl->session_ticket.data, ticket_len);
11232 ssl->session_ticket.data_len = ticket_len;
11233 tvb_memcpy(tvb, ssl->session_ticket.data, offset, ticket_len);
11234 /* NewSessionTicket is received after the first (client)
11235 * ChangeCipherSpec, and before the second (server) ChangeCipherSpec.
11236 * Since the second CCS has already the session key available it will
11237 * just return. To ensure that the session ticket is mapped to a
11238 * master key (from the first CCS), save the ticket here too. */
11239 ssl_save_master_key("Session Ticket", session_hash,
11240 &ssl->session_ticket, &ssl->master_secret);
11241 ssl->state |= SSL_NEW_SESSION_TICKET(1<<10);
11242 }
11243 offset += ticket_len;
11244
11245 if (is_tls13) {
11246 ssl_dissect_hnd_extension(hf, tvb, subtree, pinfo, offset,
11247 offset_end, SSL_HND_NEWSESSION_TICKET,
11248 session, ssl, is_dtls, NULL((void*)0), NULL((void*)0), NULL((void*)0), 0, 0);
11249 }
11250} /* }}} */
11251
11252void
11253ssl_dissect_hnd_hello_retry_request(ssl_common_dissect_t *hf, tvbuff_t *tvb,
11254 packet_info* pinfo, proto_tree *tree, uint32_t offset, uint32_t offset_end,
11255 SslSession *session, SslDecryptSession *ssl,
11256 bool_Bool is_dtls)
11257{
11258 /* https://tools.ietf.org/html/draft-ietf-tls-tls13-19#section-4.1.4
11259 * struct {
11260 * ProtocolVersion server_version;
11261 * CipherSuite cipher_suite; // not before draft -19
11262 * Extension extensions<2..2^16-1>;
11263 * } HelloRetryRequest;
11264 * Note: no longer used since draft -22
11265 */
11266 uint32_t version;
11267 uint8_t draft_version;
11268
11269 proto_tree_add_item_ret_uint(tree, hf->hf.hs_server_version, tvb,
11270 offset, 2, ENC_BIG_ENDIAN0x00000000, &version);
11271 draft_version = extract_tls13_draft_version(version);
11272 offset += 2;
11273
11274 if (draft_version == 0 || draft_version >= 19) {
11275 proto_tree_add_item(tree, hf->hf.hs_cipher_suite,
11276 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
11277 offset += 2;
11278 }
11279
11280 ssl_dissect_hnd_extension(hf, tvb, tree, pinfo, offset,
11281 offset_end, SSL_HND_HELLO_RETRY_REQUEST,
11282 session, ssl, is_dtls, NULL((void*)0), NULL((void*)0), NULL((void*)0), 0, 0);
11283}
11284
11285void
11286ssl_dissect_hnd_encrypted_extensions(ssl_common_dissect_t *hf, tvbuff_t *tvb,
11287 packet_info* pinfo, proto_tree *tree, uint32_t offset, uint32_t offset_end,
11288 SslSession *session, SslDecryptSession *ssl,
11289 bool_Bool is_dtls)
11290{
11291 /* RFC 8446 Section 4.3.1
11292 * struct {
11293 * Extension extensions<0..2^16-1>;
11294 * } EncryptedExtensions;
11295 */
11296 ssl_dissect_hnd_extension(hf, tvb, tree, pinfo, offset,
11297 offset_end, SSL_HND_ENCRYPTED_EXTENSIONS,
11298 session, ssl, is_dtls, NULL((void*)0), NULL((void*)0), NULL((void*)0), 0, 0);
11299}
11300
11301/* Certificate and Certificate Request dissections. {{{ */
11302void
11303ssl_dissect_hnd_cert(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree,
11304 uint32_t offset, uint32_t offset_end, packet_info *pinfo,
11305 SslSession *session, SslDecryptSession *ssl _U___attribute__((unused)),
11306 bool_Bool is_from_server, bool_Bool is_dtls)
11307{
11308 /* opaque ASN.1Cert<1..2^24-1>;
11309 *
11310 * Before RFC 8446 (TLS <= 1.2):
11311 * struct {
11312 * select(certificate_type) {
11313 *
11314 * // certificate type defined in RFC 7250
11315 * case RawPublicKey:
11316 * opaque ASN.1_subjectPublicKeyInfo<1..2^24-1>;
11317 *
11318 * // X.509 certificate defined in RFC 5246
11319 * case X.509:
11320 * ASN.1Cert certificate_list<0..2^24-1>;
11321 * };
11322 * } Certificate;
11323 *
11324 * RFC 8446 (since draft -20):
11325 * struct {
11326 * select(certificate_type){
11327 * case RawPublicKey:
11328 * // From RFC 7250 ASN.1_subjectPublicKeyInfo
11329 * opaque ASN1_subjectPublicKeyInfo<1..2^24-1>;
11330 *
11331 * case X.509:
11332 * opaque cert_data<1..2^24-1>;
11333 * }
11334 * Extension extensions<0..2^16-1>;
11335 * } CertificateEntry;
11336 * struct {
11337 * opaque certificate_request_context<0..2^8-1>;
11338 * CertificateEntry certificate_list<0..2^24-1>;
11339 * } Certificate;
11340 */
11341 enum { CERT_X509, CERT_RPK } cert_type;
11342 asn1_ctx_t asn1_ctx;
11343#if defined(HAVE_LIBGNUTLS1)
11344 gnutls_datum_t subjectPublicKeyInfo = { NULL((void*)0), 0 };
11345 unsigned certificate_index = 0;
11346#endif
11347 uint32_t next_offset, certificate_list_length, cert_length;
11348 proto_tree *subtree = tree;
11349
11350 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true1, pinfo);
11351
11352 if ((is_from_server && session->server_cert_type == SSL_HND_CERT_TYPE_RAW_PUBLIC_KEY2) ||
11353 (!is_from_server && session->client_cert_type == SSL_HND_CERT_TYPE_RAW_PUBLIC_KEY2)) {
11354 cert_type = CERT_RPK;
11355 } else {
11356 cert_type = CERT_X509;
11357 }
11358
11359#if defined(HAVE_LIBGNUTLS1)
11360 /* Ask the pkcs1 dissector to return the public key details */
11361 if (ssl)
11362 asn1_ctx.private_data = &subjectPublicKeyInfo;
11363#endif
11364
11365 /* TLS 1.3: opaque certificate_request_context<0..2^8-1> */
11366 if (session->version == TLSV1DOT3_VERSION0x304 || session->version == DTLSV1DOT3_VERSION0xfefc) {
11367 uint32_t context_length;
11368 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &context_length,
11369 hf->hf.hs_certificate_request_context_length, 0, UINT8_MAX(255))) {
11370 return;
11371 }
11372 offset++;
11373 if (context_length > 0) {
11374 proto_tree_add_item(tree, hf->hf.hs_certificate_request_context,
11375 tvb, offset, context_length, ENC_NA0x00000000);
11376 offset += context_length;
11377 }
11378 }
11379
11380 if ((session->version != TLSV1DOT3_VERSION0x304 && session->version != DTLSV1DOT3_VERSION0xfefc) && cert_type == CERT_RPK) {
11381 /* For RPK before TLS 1.3, the single RPK is stored directly without
11382 * another "certificate_list" field. */
11383 certificate_list_length = offset_end - offset;
11384 next_offset = offset_end;
11385 } else {
11386 /* CertificateEntry certificate_list<0..2^24-1> */
11387 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &certificate_list_length,
11388 hf->hf.hs_certificates_len, 0, G_MAXUINT24((1U << 24) - 1))) {
11389 return;
11390 }
11391 offset += 3; /* 24-bit length value */
11392 next_offset = offset + certificate_list_length;
11393 }
11394
11395 /* RawPublicKey must have one cert, but X.509 can have multiple. */
11396 if (certificate_list_length > 0 && cert_type == CERT_X509) {
11397 proto_item *ti;
11398
11399 ti = proto_tree_add_none_format(tree,
11400 hf->hf.hs_certificates,
11401 tvb, offset, certificate_list_length,
11402 "Certificates (%u bytes)",
11403 certificate_list_length);
11404
11405 /* make it a subtree */
11406 subtree = proto_item_add_subtree(ti, hf->ett.certificates);
11407 }
11408
11409 while (offset < next_offset) {
11410 switch (cert_type) {
11411 case CERT_RPK:
11412 /* TODO add expert info if there is more than one RPK entry (certificate_index > 0) */
11413 /* opaque ASN.1_subjectPublicKeyInfo<1..2^24-1> */
11414 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, next_offset, &cert_length,
11415 hf->hf.hs_certificate_len, 1, G_MAXUINT24((1U << 24) - 1))) {
11416 return;
11417 }
11418 offset += 3;
11419
11420 dissect_x509af_SubjectPublicKeyInfo(false0, tvb, offset, &asn1_ctx, subtree, hf->hf.hs_certificate);
11421 offset += cert_length;
11422 break;
11423 case CERT_X509:
11424 /* opaque ASN1Cert<1..2^24-1> */
11425 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, next_offset, &cert_length,
11426 hf->hf.hs_certificate_len, 1, G_MAXUINT24((1U << 24) - 1))) {
11427 return;
11428 }
11429 offset += 3;
11430
11431 dissect_x509af_Certificate(false0, tvb, offset, &asn1_ctx, subtree, hf->hf.hs_certificate);
11432#if defined(HAVE_LIBGNUTLS1)
11433 if (is_from_server && ssl && certificate_index == 0) {
11434 ssl_find_private_key_by_pubkey(ssl, &subjectPublicKeyInfo);
11435 /* Only attempt to get the RSA modulus for the first cert. */
11436 asn1_ctx.private_data = NULL((void*)0);
11437 }
11438#endif
11439 offset += cert_length;
11440 break;
11441 }
11442
11443 /* TLS 1.3: Extension extensions<0..2^16-1> */
11444 if ((session->version == TLSV1DOT3_VERSION0x304 || session->version == DTLSV1DOT3_VERSION0xfefc)) {
11445 offset = ssl_dissect_hnd_extension(hf, tvb, subtree, pinfo, offset,
11446 next_offset, SSL_HND_CERTIFICATE,
11447 session, ssl, is_dtls, NULL((void*)0), NULL((void*)0), NULL((void*)0), 0, 0);
11448 }
11449
11450#if defined(HAVE_LIBGNUTLS1)
11451 certificate_index++;
11452#endif
11453 }
11454}
11455
11456void
11457ssl_dissect_hnd_cert_req(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
11458 proto_tree *tree, uint32_t offset, uint32_t offset_end,
11459 SslSession *session, bool_Bool is_dtls)
11460{
11461 /* From SSL 3.0 and up (note that since TLS 1.1 certificate_authorities can be empty):
11462 * enum {
11463 * rsa_sign(1), dss_sign(2), rsa_fixed_dh(3), dss_fixed_dh(4),
11464 * (255)
11465 * } ClientCertificateType;
11466 *
11467 * opaque DistinguishedName<1..2^16-1>;
11468 *
11469 * struct {
11470 * ClientCertificateType certificate_types<1..2^8-1>;
11471 * DistinguishedName certificate_authorities<3..2^16-1>;
11472 * } CertificateRequest;
11473 *
11474 *
11475 * As per TLSv1.2 (RFC 5246) the format has changed to:
11476 *
11477 * enum {
11478 * rsa_sign(1), dss_sign(2), rsa_fixed_dh(3), dss_fixed_dh(4),
11479 * rsa_ephemeral_dh_RESERVED(5), dss_ephemeral_dh_RESERVED(6),
11480 * fortezza_dms_RESERVED(20), (255)
11481 * } ClientCertificateType;
11482 *
11483 * enum {
11484 * none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5),
11485 * sha512(6), (255)
11486 * } HashAlgorithm;
11487 *
11488 * enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) }
11489 * SignatureAlgorithm;
11490 *
11491 * struct {
11492 * HashAlgorithm hash;
11493 * SignatureAlgorithm signature;
11494 * } SignatureAndHashAlgorithm;
11495 *
11496 * SignatureAndHashAlgorithm
11497 * supported_signature_algorithms<2..2^16-2>;
11498 *
11499 * opaque DistinguishedName<1..2^16-1>;
11500 *
11501 * struct {
11502 * ClientCertificateType certificate_types<1..2^8-1>;
11503 * SignatureAndHashAlgorithm supported_signature_algorithms<2^16-1>;
11504 * DistinguishedName certificate_authorities<0..2^16-1>;
11505 * } CertificateRequest;
11506 *
11507 * draft-ietf-tls-tls13-18:
11508 * struct {
11509 * opaque certificate_request_context<0..2^8-1>;
11510 * SignatureScheme
11511 * supported_signature_algorithms<2..2^16-2>;
11512 * DistinguishedName certificate_authorities<0..2^16-1>;
11513 * CertificateExtension certificate_extensions<0..2^16-1>;
11514 * } CertificateRequest;
11515 *
11516 * RFC 8446 (since draft-ietf-tls-tls13-19):
11517 *
11518 * struct {
11519 * opaque certificate_request_context<0..2^8-1>;
11520 * Extension extensions<2..2^16-1>;
11521 * } CertificateRequest;
11522 */
11523 proto_item *ti;
11524 proto_tree *subtree;
11525 uint32_t next_offset;
11526 asn1_ctx_t asn1_ctx;
11527 bool_Bool is_tls13 = (session->version == TLSV1DOT3_VERSION0x304 || session->version == DTLSV1DOT3_VERSION0xfefc);
11528 unsigned char draft_version = session->tls13_draft_version;
11529
11530 if (!tree)
11531 return;
11532
11533 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true1, pinfo);
11534
11535 if (is_tls13) {
11536 uint32_t context_length;
11537 /* opaque certificate_request_context<0..2^8-1> */
11538 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &context_length,
11539 hf->hf.hs_certificate_request_context_length, 0, UINT8_MAX(255))) {
11540 return;
11541 }
11542 offset++;
11543 if (context_length > 0) {
11544 proto_tree_add_item(tree, hf->hf.hs_certificate_request_context,
11545 tvb, offset, context_length, ENC_NA0x00000000);
11546 offset += context_length;
11547 }
11548 } else {
11549 uint32_t cert_types_count;
11550 /* ClientCertificateType certificate_types<1..2^8-1> */
11551 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &cert_types_count,
11552 hf->hf.hs_cert_types_count, 1, UINT8_MAX(255))) {
11553 return;
11554 }
11555 offset++;
11556 next_offset = offset + cert_types_count;
11557
11558 ti = proto_tree_add_none_format(tree,
11559 hf->hf.hs_cert_types,
11560 tvb, offset, cert_types_count,
11561 "Certificate types (%u type%s)",
11562 cert_types_count,
11563 plurality(cert_types_count, "", "s")((cert_types_count) == 1 ? ("") : ("s")));
11564 subtree = proto_item_add_subtree(ti, hf->ett.cert_types);
11565
11566 while (offset < next_offset) {
11567 proto_tree_add_item(subtree, hf->hf.hs_cert_type, tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
11568 offset++;
11569 }
11570 }
11571
11572 if (session->version == TLSV1DOT2_VERSION0x303 || session->version == DTLSV1DOT2_VERSION0xfefd ||
11573 (is_tls13 && (draft_version > 0 && draft_version < 19))) {
11574 offset = ssl_dissect_hash_alg_list(hf, tvb, tree, pinfo, offset, offset_end, NULL((void*)0));
11575 }
11576
11577 if (is_tls13 && (draft_version == 0 || draft_version >= 19)) {
11578 /*
11579 * TLS 1.3 draft 19 and newer: Extensions.
11580 * SslDecryptSession pointer is NULL because Certificate Extensions
11581 * should not influence decryption state.
11582 */
11583 ssl_dissect_hnd_extension(hf, tvb, tree, pinfo, offset,
11584 offset_end, SSL_HND_CERT_REQUEST,
11585 session, NULL((void*)0), is_dtls, NULL((void*)0), NULL((void*)0), NULL((void*)0), 0, 0);
11586 } else if (is_tls13 && draft_version <= 18) {
11587 /*
11588 * TLS 1.3 draft 18 and older: certificate_authorities and
11589 * certificate_extensions (a vector of OID mappings).
11590 */
11591 offset = tls_dissect_certificate_authorities(hf, tvb, pinfo, tree, offset, offset_end);
11592 ssl_dissect_hnd_hello_ext_oid_filters(hf, tvb, pinfo, tree, offset, offset_end);
11593 } else {
11594 /* for TLS 1.2 and older, the certificate_authorities field. */
11595 tls_dissect_certificate_authorities(hf, tvb, pinfo, tree, offset, offset_end);
11596 }
11597}
11598/* Certificate and Certificate Request dissections. }}} */
11599
11600void
11601ssl_dissect_hnd_cli_cert_verify(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
11602 proto_tree *tree, uint32_t offset, uint32_t offset_end, uint16_t version)
11603{
11604 ssl_dissect_digitally_signed(hf, tvb, pinfo, tree, offset, offset_end, version,
11605 hf->hf.hs_client_cert_vrfy_sig_len,
11606 hf->hf.hs_client_cert_vrfy_sig);
11607}
11608
11609/* Finished dissection. {{{ */
11610void
11611ssl_dissect_hnd_finished(ssl_common_dissect_t *hf, tvbuff_t *tvb,
11612 proto_tree *tree, uint32_t offset, uint32_t offset_end,
11613 const SslSession *session, ssl_hfs_t *ssl_hfs)
11614{
11615 /* For SSLv3:
11616 * struct {
11617 * opaque md5_hash[16];
11618 * opaque sha_hash[20];
11619 * } Finished;
11620 *
11621 * For (D)TLS:
11622 * struct {
11623 * opaque verify_data[12];
11624 * } Finished;
11625 *
11626 * For TLS 1.3:
11627 * struct {
11628 * opaque verify_data[Hash.length];
11629 * }
11630 */
11631 if (!tree)
11632 return;
11633
11634 if (session->version == SSLV3_VERSION0x300) {
11635 if (ssl_hfs != NULL((void*)0)) {
11636 proto_tree_add_item(tree, ssl_hfs->hs_md5_hash,
11637 tvb, offset, 16, ENC_NA0x00000000);
11638 proto_tree_add_item(tree, ssl_hfs->hs_sha_hash,
11639 tvb, offset + 16, 20, ENC_NA0x00000000);
11640 }
11641 } else {
11642 /* Length should be 12 for TLS before 1.3, assume this is the case. */
11643 proto_tree_add_item(tree, hf->hf.hs_finished,
11644 tvb, offset, offset_end - offset, ENC_NA0x00000000);
11645 }
11646} /* }}} */
11647
11648/* RFC 6066 Certificate URL handshake message dissection. {{{ */
11649void
11650ssl_dissect_hnd_cert_url(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree, uint32_t offset)
11651{
11652 uint16_t url_hash_len;
11653
11654 /* enum {
11655 * individual_certs(0), pkipath(1), (255)
11656 * } CertChainType;
11657 *
11658 * struct {
11659 * CertChainType type;
11660 * URLAndHash url_and_hash_list<1..2^16-1>;
11661 * } CertificateURL;
11662 *
11663 * struct {
11664 * opaque url<1..2^16-1>;
11665 * uint8 padding;
11666 * opaque SHA1Hash[20];
11667 * } URLAndHash;
11668 */
11669
11670 proto_tree_add_item(tree, hf->hf.hs_ext_cert_url_type,
11671 tvb, offset, 1, ENC_NA0x00000000);
11672 offset++;
11673
11674 url_hash_len = tvb_get_ntohs(tvb, offset);
11675 proto_tree_add_item(tree, hf->hf.hs_ext_cert_url_url_hash_list_len,
11676 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
11677 offset += 2;
11678 while (url_hash_len-- > 0) {
11679 proto_item *urlhash_item;
11680 proto_tree *urlhash_tree;
11681 uint16_t url_len;
11682
11683 urlhash_item = proto_tree_add_item(tree, hf->hf.hs_ext_cert_url_item,
11684 tvb, offset, -1, ENC_NA0x00000000);
11685 urlhash_tree = proto_item_add_subtree(urlhash_item, hf->ett.urlhash);
11686
11687 url_len = tvb_get_ntohs(tvb, offset);
11688 proto_tree_add_item(urlhash_tree, hf->hf.hs_ext_cert_url_url_len,
11689 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
11690 offset += 2;
11691
11692 proto_tree_add_item(urlhash_tree, hf->hf.hs_ext_cert_url_url,
11693 tvb, offset, url_len, ENC_ASCII0x00000000|ENC_NA0x00000000);
11694 offset += url_len;
11695
11696 proto_tree_add_item(urlhash_tree, hf->hf.hs_ext_cert_url_padding,
11697 tvb, offset, 1, ENC_NA0x00000000);
11698 offset++;
11699 /* Note: RFC 6066 says that padding must be 0x01 */
11700
11701 proto_tree_add_item(urlhash_tree, hf->hf.hs_ext_cert_url_sha1,
11702 tvb, offset, 20, ENC_NA0x00000000);
11703 offset += 20;
11704 }
11705} /* }}} */
11706
11707void
11708ssl_dissect_hnd_compress_certificate(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree,
11709 uint32_t offset, uint32_t offset_end, packet_info *pinfo,
11710 SslSession *session, SslDecryptSession *ssl,
11711 bool_Bool is_from_server, bool_Bool is_dtls)
11712{
11713 uint32_t algorithm, uncompressed_length;
11714 uint32_t compressed_certificate_message_length;
11715 tvbuff_t *uncompressed_tvb = NULL((void*)0);
11716 proto_item *ti;
11717 /*
11718 * enum {
11719 * zlib(1),
11720 * brotli(2),
11721 * zstd(3),
11722 * (65535)
11723 * } CertificateCompressionAlgorithm;
11724 *
11725 * struct {
11726 * CertificateCompressionAlgorithm algorithm;
11727 * uint24 uncompressed_length;
11728 * opaque compressed_certificate_message<1..2^24-1>;
11729 * } CompressedCertificate;
11730 */
11731
11732 proto_tree_add_item_ret_uint(tree, hf->hf.hs_ext_compress_certificate_algorithm,
11733 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &algorithm);
11734 offset += 2;
11735
11736 proto_tree_add_item_ret_uint(tree, hf->hf.hs_ext_compress_certificate_uncompressed_length,
11737 tvb, offset, 3, ENC_BIG_ENDIAN0x00000000, &uncompressed_length);
11738 offset += 3;
11739
11740 /* opaque compressed_certificate_message<1..2^24-1>; */
11741 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &compressed_certificate_message_length,
11742 hf->hf.hs_ext_compress_certificate_compressed_certificate_message_length, 1, G_MAXUINT24((1U << 24) - 1))) {
11743 return;
11744 }
11745 offset += 3;
11746
11747 ti = proto_tree_add_item(tree, hf->hf.hs_ext_compress_certificate_compressed_certificate_message,
11748 tvb, offset, compressed_certificate_message_length, ENC_NA0x00000000);
11749
11750 /* Certificate decompression following algorithm */
11751 switch (algorithm) {
11752 case 1: /* zlib */
11753 uncompressed_tvb = tvb_child_uncompress_zlib(tvb, tvb, offset, compressed_certificate_message_length);
11754 break;
11755 case 2: /* brotli */
11756 uncompressed_tvb = tvb_child_uncompress_brotli(tvb, tvb, offset, compressed_certificate_message_length);
11757 break;
11758 case 3: /* zstd */
11759 uncompressed_tvb = tvb_child_uncompress_zstd(tvb, tvb, offset, compressed_certificate_message_length);
11760 break;
11761 }
11762
11763 if (uncompressed_tvb) {
11764 proto_tree *uncompressed_tree;
11765
11766 if (uncompressed_length != tvb_captured_length(uncompressed_tvb)) {
11767 proto_tree_add_expert_format(tree, pinfo, &hf->ei.decompression_error,
11768 tvb, offset, offset_end - offset,
11769 "Invalid uncompressed length %u (expected %u)",
11770 tvb_captured_length(uncompressed_tvb),
11771 uncompressed_length);
11772 } else {
11773 uncompressed_tree = proto_item_add_subtree(ti, hf->ett.uncompressed_certificates);
11774 ssl_dissect_hnd_cert(hf, uncompressed_tvb, uncompressed_tree,
11775 0, uncompressed_length, pinfo, session, ssl, is_from_server, is_dtls);
11776 add_new_data_source(pinfo, uncompressed_tvb, "Uncompressed certificate(s)");
11777 }
11778 }
11779}
11780
11781/* Dissection of TLS Extensions in Client Hello, Server Hello, etc. {{{ */
11782static int
11783// NOLINTNEXTLINE(misc-no-recursion)
11784ssl_dissect_hnd_extension(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree,
11785 packet_info* pinfo, uint32_t offset, uint32_t offset_end, uint8_t hnd_type,
11786 SslSession *session, SslDecryptSession *ssl,
11787 bool_Bool is_dtls, wmem_strbuf_t *ja3, ja4_data_t *ja4_data,
11788 ssl_master_key_map_t *mk_map, uint32_t initial_offset, uint32_t hello_length)
11789{
11790 uint32_t exts_len;
11791 uint16_t ext_type;
11792 uint32_t ext_len;
11793 uint32_t next_offset;
11794 proto_item *ext_item;
11795 proto_tree *ext_tree;
11796 bool_Bool is_tls13 = session->version == TLSV1DOT3_VERSION0x304;
11797 wmem_strbuf_t *ja3_sg = wmem_strbuf_new(pinfo->pool, "");
11798 wmem_strbuf_t *ja3_ecpf = wmem_strbuf_new(pinfo->pool, "");
11799 char *ja3_dash = "";
11800 unsigned supported_version;
11801
11802 /* Extension extensions<0..2^16-2> (for TLS 1.3 HRR/CR min-length is 2) */
11803 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &exts_len,
11804 hf->hf.hs_exts_len, 0, UINT16_MAX(65535))) {
11805 return offset_end;
11806 }
11807 offset += 2;
11808 offset_end = offset + exts_len;
11809
11810 if (ja4_data) {
11811 ja4_data->num_extensions = 0;
11812 }
11813 while (offset_end - offset >= 4)
11814 {
11815 ext_type = tvb_get_ntohs(tvb, offset);
11816 ext_len = tvb_get_ntohs(tvb, offset + 2);
11817
11818 if (ja4_data && !IS_GREASE_TLS(ext_type)((((ext_type) & 0x0f0f) == 0x0a0a) && (((ext_type
) & 0xff) == (((ext_type)>>8) & 0xff)))) {
11819 ja4_data->num_extensions += 1;
11820 if (ext_type != SSL_HND_HELLO_EXT_SERVER_NAME0 &&
11821 ext_type != SSL_HND_HELLO_EXT_ALPN16) {
11822 wmem_list_insert_sorted(ja4_data->extension_list, GUINT_TO_POINTER(ext_type)((gpointer) (gulong) (ext_type)), wmem_compare_uint);
11823 }
11824 }
11825
11826 ext_item = proto_tree_add_none_format(tree, hf->hf.hs_ext, tvb, offset, 4 + ext_len,
11827 "Extension: %s (len=%u)", val_to_str(pinfo->pool, ext_type,
11828 tls_hello_extension_types,
11829 "Unknown type %u"), ext_len);
11830 ext_tree = proto_item_add_subtree(ext_item, hf->ett.hs_ext);
11831
11832 proto_tree_add_uint(ext_tree, hf->hf.hs_ext_type,
11833 tvb, offset, 2, ext_type);
11834 offset += 2;
11835 if (ja3 && !IS_GREASE_TLS(ext_type)((((ext_type) & 0x0f0f) == 0x0a0a) && (((ext_type
) & 0xff) == (((ext_type)>>8) & 0xff)))) {
11836 wmem_strbuf_append_printf(ja3, "%s%i",ja3_dash, ext_type);
11837 ja3_dash = "-";
11838 }
11839
11840 /* opaque extension_data<0..2^16-1> */
11841 if (!ssl_add_vector(hf, tvb, pinfo, ext_tree, offset, offset_end, &ext_len,
11842 hf->hf.hs_ext_len, 0, UINT16_MAX(65535))) {
11843 return offset_end;
11844 }
11845 offset += 2;
11846 next_offset = offset + ext_len;
11847
11848 switch (ext_type) {
11849 case SSL_HND_HELLO_EXT_SERVER_NAME0:
11850 if (hnd_type == SSL_HND_CLIENT_HELLO) {
11851 offset = ssl_dissect_hnd_hello_ext_server_name(hf, tvb, pinfo, ext_tree, offset, next_offset);
11852 if (ja4_data) {
11853 ja4_data->server_name_present = true1;
11854 }
11855 }
11856 break;
11857 case SSL_HND_HELLO_EXT_MAX_FRAGMENT_LENGTH1:
11858 proto_tree_add_item(ext_tree, hf->hf.hs_ext_max_fragment_length, tvb, offset, 1, ENC_NA0x00000000);
11859 offset += 1;
11860 break;
11861 case SSL_HND_HELLO_EXT_STATUS_REQUEST5:
11862 if (hnd_type == SSL_HND_CLIENT_HELLO) {
11863 offset = ssl_dissect_hnd_hello_ext_status_request(hf, tvb, pinfo, ext_tree, offset, next_offset, false0);
11864 } else if (is_tls13 && hnd_type == SSL_HND_CERTIFICATE) {
11865 offset = tls_dissect_hnd_certificate_status(hf, tvb, pinfo, ext_tree, offset, next_offset);
11866 }
11867 break;
11868 case SSL_HND_HELLO_EXT_CERT_TYPE9:
11869 offset = ssl_dissect_hnd_hello_ext_cert_type(hf, tvb, ext_tree,
11870 offset, next_offset,
11871 hnd_type, ext_type,
11872 session);
11873 break;
11874 case SSL_HND_HELLO_EXT_SUPPORTED_GROUPS10:
11875 if (hnd_type == SSL_HND_CLIENT_HELLO) {
11876 offset = ssl_dissect_hnd_hello_ext_supported_groups(hf, tvb, pinfo, ext_tree, offset,
11877 next_offset, ja3_sg);
11878 } else {
11879 offset = ssl_dissect_hnd_hello_ext_supported_groups(hf, tvb, pinfo, ext_tree, offset,
11880 next_offset, NULL((void*)0));
11881 }
11882 break;
11883 case SSL_HND_HELLO_EXT_EC_POINT_FORMATS11:
11884 if (hnd_type == SSL_HND_CLIENT_HELLO) {
11885 offset = ssl_dissect_hnd_hello_ext_ec_point_formats(hf, tvb, ext_tree, offset, ja3_ecpf);
11886 } else {
11887 offset = ssl_dissect_hnd_hello_ext_ec_point_formats(hf, tvb, ext_tree, offset, NULL((void*)0));
11888 }
11889 break;
11890 break;
11891 case SSL_HND_HELLO_EXT_SRP12:
11892 offset = ssl_dissect_hnd_hello_ext_srp(hf, tvb, pinfo, ext_tree, offset, next_offset);
11893 break;
11894 case SSL_HND_HELLO_EXT_SIGNATURE_ALGORITHMS13:
11895 offset = ssl_dissect_hnd_hello_ext_sig_hash_algs(hf, tvb, ext_tree, pinfo, offset, next_offset, ja4_data);
11896 break;
11897 case SSL_HND_HELLO_EXT_SIGNATURE_ALGORITHMS_CERT50: /* since TLS 1.3 draft -23 */
11898 offset = ssl_dissect_hnd_hello_ext_sig_hash_algs(hf, tvb, ext_tree, pinfo, offset, next_offset, NULL((void*)0));
11899 break;
11900 case SSL_HND_HELLO_EXT_DELEGATED_CREDENTIALS34:
11901 offset = ssl_dissect_hnd_ext_delegated_credentials(hf, tvb, ext_tree, pinfo, offset, next_offset, hnd_type);
11902 break;
11903 case SSL_HND_HELLO_EXT_USE_SRTP14:
11904 if (is_dtls) {
11905 if (hnd_type == SSL_HND_CLIENT_HELLO) {
11906 offset = dtls_dissect_hnd_hello_ext_use_srtp(pinfo, tvb, ext_tree, offset, next_offset, false0);
11907 } else if (hnd_type == SSL_HND_SERVER_HELLO) {
11908 offset = dtls_dissect_hnd_hello_ext_use_srtp(pinfo, tvb, ext_tree, offset, next_offset, true1);
11909 }
11910 } else {
11911 // XXX expert info: This extension MUST only be used with DTLS, and not with TLS.
11912 }
11913 break;
11914 case SSL_HND_HELLO_EXT_ECH_OUTER_EXTENSIONS64768:
11915 offset = ssl_dissect_hnd_ech_outer_ext(hf, tvb, pinfo, ext_tree, offset, next_offset);
11916 break;
11917 case SSL_HND_HELLO_EXT_ENCRYPTED_CLIENT_HELLO65037:
11918 offset = ssl_dissect_hnd_hello_ext_ech(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, session, ssl, mk_map, initial_offset, hello_length);
11919 break;
11920 case SSL_HND_HELLO_EXT_HEARTBEAT15:
11921 proto_tree_add_item(ext_tree, hf->hf.hs_ext_heartbeat_mode,
11922 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
11923 offset++;
11924 break;
11925 case SSL_HND_HELLO_EXT_ALPN16:
11926 offset = ssl_dissect_hnd_hello_ext_alpn(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, session, is_dtls, ja4_data);
11927 break;
11928 case SSL_HND_HELLO_EXT_STATUS_REQUEST_V217:
11929 if (hnd_type == SSL_HND_CLIENT_HELLO)
11930 offset = ssl_dissect_hnd_hello_ext_status_request_v2(hf, tvb, pinfo, ext_tree, offset, next_offset);
11931 break;
11932 case SSL_HND_HELLO_EXT_SIGNED_CERTIFICATE_TIMESTAMP18:
11933 // TLS 1.3 note: SCT only appears in EE in draft -16 and before.
11934 if (hnd_type == SSL_HND_SERVER_HELLO || hnd_type == SSL_HND_ENCRYPTED_EXTENSIONS || hnd_type == SSL_HND_CERTIFICATE)
11935 offset = tls_dissect_sct_list(hf, tvb, pinfo, ext_tree, offset, next_offset, session->version);
11936 break;
11937 case SSL_HND_HELLO_EXT_CLIENT_CERT_TYPE19:
11938 case SSL_HND_HELLO_EXT_SERVER_CERT_TYPE20:
11939 offset = ssl_dissect_hnd_hello_ext_cert_type(hf, tvb, ext_tree,
11940 offset, next_offset,
11941 hnd_type, ext_type,
11942 session);
11943 break;
11944 case SSL_HND_HELLO_EXT_PADDING21:
11945 proto_tree_add_item(ext_tree, hf->hf.hs_ext_padding_data, tvb, offset, ext_len, ENC_NA0x00000000);
11946 offset += ext_len;
11947 break;
11948 case SSL_HND_HELLO_EXT_ENCRYPT_THEN_MAC22:
11949 if (ssl && hnd_type == SSL_HND_SERVER_HELLO) {
11950 ssl_debug_printf("%s enabling Encrypt-then-MAC\n", G_STRFUNC((const char*) (__func__)));
11951 ssl->state |= SSL_ENCRYPT_THEN_MAC(1<<11);
11952 }
11953 break;
11954 case SSL_HND_HELLO_EXT_EXTENDED_MASTER_SECRET23:
11955 if (ssl) {
11956 switch (hnd_type) {
11957 case SSL_HND_CLIENT_HELLO:
11958 ssl->state |= SSL_CLIENT_EXTENDED_MASTER_SECRET(1<<7);
11959 break;
11960 case SSL_HND_SERVER_HELLO:
11961 ssl->state |= SSL_SERVER_EXTENDED_MASTER_SECRET(1<<8);
11962 break;
11963 default: /* no default */
11964 break;
11965 }
11966 }
11967 break;
11968 case SSL_HND_HELLO_EXT_COMPRESS_CERTIFICATE27:
11969 offset = ssl_dissect_hnd_hello_ext_compress_certificate(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, ssl);
11970 break;
11971 case SSL_HND_HELLO_EXT_TOKEN_BINDING24:
11972 offset = ssl_dissect_hnd_hello_ext_token_binding(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, ssl);
11973 break;
11974 case SSL_HND_HELLO_EXT_RECORD_SIZE_LIMIT28:
11975 proto_tree_add_item(ext_tree, hf->hf.hs_ext_record_size_limit,
11976 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
11977 offset += 2;
11978 break;
11979 case SSL_HND_HELLO_EXT_QUIC_TRANSPORT_PARAMETERS65445:
11980 case SSL_HND_HELLO_EXT_QUIC_TRANSPORT_PARAMETERS_V157:
11981 offset = ssl_dissect_hnd_hello_ext_quic_transport_parameters(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, ssl);
11982 break;
11983 case SSL_HND_HELLO_EXT_SESSION_TICKET_TLS35:
11984 offset = ssl_dissect_hnd_hello_ext_session_ticket(hf, tvb, ext_tree, offset, next_offset, hnd_type, ssl);
11985 break;
11986 case SSL_HND_HELLO_EXT_KEY_SHARE_OLD40: /* used before TLS 1.3 draft -23 */
11987 case SSL_HND_HELLO_EXT_KEY_SHARE51:
11988 offset = ssl_dissect_hnd_hello_ext_key_share(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type);
11989 break;
11990 case SSL_HND_HELLO_EXT_PRE_SHARED_KEY41:
11991 offset = ssl_dissect_hnd_hello_ext_pre_shared_key(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type);
11992 break;
11993 case SSL_HND_HELLO_EXT_EARLY_DATA42:
11994 case SSL_HND_HELLO_EXT_TICKET_EARLY_DATA_INFO46:
11995 offset = ssl_dissect_hnd_hello_ext_early_data(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, ssl);
11996 break;
11997 case SSL_HND_HELLO_EXT_SUPPORTED_VERSIONS43:
11998 switch (hnd_type) {
11999 case SSL_HND_CLIENT_HELLO:
12000 offset = ssl_dissect_hnd_hello_ext_supported_versions(hf, tvb, pinfo, ext_tree, offset, next_offset, session, is_dtls, ja4_data);
12001 break;
12002 case SSL_HND_SERVER_HELLO:
12003 case SSL_HND_HELLO_RETRY_REQUEST:
12004 proto_tree_add_item_ret_uint(ext_tree, hf->hf.hs_ext_supported_version, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &supported_version);
12005 offset += 2;
12006 proto_item_append_text(ext_tree, " %s", val_to_str(pinfo->pool, supported_version, ssl_versions, "Unknown (0x%04x)"));
12007 break;
12008 }
12009 break;
12010 case SSL_HND_HELLO_EXT_COOKIE44:
12011 offset = ssl_dissect_hnd_hello_ext_cookie(hf, tvb, pinfo, ext_tree, offset, next_offset);
12012 break;
12013 case SSL_HND_HELLO_EXT_PSK_KEY_EXCHANGE_MODES45:
12014 offset = ssl_dissect_hnd_hello_ext_psk_key_exchange_modes(hf, tvb, pinfo, ext_tree, offset, next_offset);
12015 break;
12016 case SSL_HND_HELLO_EXT_CERTIFICATE_AUTHORITIES47:
12017 offset = ssl_dissect_hnd_hello_ext_certificate_authorities(hf, tvb, pinfo, ext_tree, offset, next_offset);
12018 break;
12019 case SSL_HND_HELLO_EXT_OID_FILTERS48:
12020 offset = ssl_dissect_hnd_hello_ext_oid_filters(hf, tvb, pinfo, ext_tree, offset, next_offset);
12021 break;
12022 case SSL_HND_HELLO_EXT_POST_HANDSHAKE_AUTH49:
12023 break;
12024 case SSL_HND_HELLO_EXT_NPN13172:
12025 offset = ssl_dissect_hnd_hello_ext_npn(hf, tvb, pinfo, ext_tree, offset, next_offset);
12026 break;
12027 case SSL_HND_HELLO_EXT_ALPS_OLD17513:
12028 offset = ssl_dissect_hnd_hello_ext_alps(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type);
12029 break;
12030 case SSL_HND_HELLO_EXT_ALPS17613:
12031 offset = ssl_dissect_hnd_hello_ext_alps(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type);
12032 break;
12033 case SSL_HND_HELLO_EXT_RENEGOTIATION_INFO65281:
12034 offset = ssl_dissect_hnd_hello_ext_reneg_info(hf, tvb, pinfo, ext_tree, offset, next_offset);
12035 break;
12036 case SSL_HND_HELLO_EXT_ENCRYPTED_SERVER_NAME65486:
12037 offset = ssl_dissect_hnd_hello_ext_esni(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, ssl);
12038 break;
12039 case SSL_HND_HELLO_EXT_CONNECTION_ID_DEPRECATED53:
12040 session->deprecated_cid = true1;
12041 /* FALLTHRU */
12042 case SSL_HND_HELLO_EXT_CONNECTION_ID54:
12043 offset = ssl_dissect_hnd_hello_ext_connection_id(hf, tvb, pinfo, ext_tree, offset, hnd_type, session, ssl);
12044 break;
12045 case SSL_HND_HELLO_EXT_TRUSTED_CA_KEYS3:
12046 offset = ssl_dissect_hnd_hello_ext_trusted_ca_keys(hf, tvb, pinfo, ext_tree, offset, next_offset);
12047 break;
12048 default:
12049 proto_tree_add_item(ext_tree, hf->hf.hs_ext_data,
12050 tvb, offset, ext_len, ENC_NA0x00000000);
12051 offset += ext_len;
12052 break;
12053 }
12054
12055 if (!ssl_end_vector(hf, tvb, pinfo, ext_tree, offset, next_offset)) {
12056 /* Dissection did not end at expected location, fix it. */
12057 offset = next_offset;
12058 }
12059 }
12060
12061 if (ja3) {
12062 if (hnd_type == SSL_HND_CLIENT_HELLO) {
12063 if(wmem_strbuf_get_len(ja3_sg) > 0) {
12064 wmem_strbuf_append_printf(ja3, "%s", wmem_strbuf_get_str(ja3_sg));
12065 } else {
12066 wmem_strbuf_append_c(ja3, ',');
12067 }
12068 if(wmem_strbuf_get_len(ja3_ecpf) > 0) {
12069 wmem_strbuf_append_printf(ja3, "%s", wmem_strbuf_get_str(ja3_ecpf));
12070 } else {
12071 wmem_strbuf_append_c(ja3, ',');
12072 }
12073 }
12074 }
12075
12076 /* Check if Extensions vector is correctly terminated. */
12077 if (!ssl_end_vector(hf, tvb, pinfo, tree, offset, offset_end)) {
12078 offset = offset_end;
12079 }
12080
12081 return offset;
12082} /* }}} */
12083
12084
12085/* ClientKeyExchange algo-specific dissectors. {{{ */
12086
12087static void
12088dissect_ssl3_hnd_cli_keyex_ecdh(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12089 proto_tree *tree, uint32_t offset,
12090 uint32_t length)
12091{
12092 int point_len;
12093 proto_tree *ssl_ecdh_tree;
12094
12095 ssl_ecdh_tree = proto_tree_add_subtree(tree, tvb, offset, length,
12096 hf->ett.keyex_params, NULL((void*)0), "EC Diffie-Hellman Client Params");
12097
12098 /* point */
12099 point_len = tvb_get_uint8(tvb, offset);
12100 proto_tree_add_item(ssl_ecdh_tree, hf->hf.hs_client_keyex_point_len, tvb,
12101 offset, 1, ENC_BIG_ENDIAN0x00000000);
12102 proto_tree_add_item(ssl_ecdh_tree, hf->hf.hs_client_keyex_point, tvb,
12103 offset + 1, point_len, ENC_NA0x00000000);
12104}
12105
12106static void
12107dissect_ssl3_hnd_cli_keyex_dhe(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12108 proto_tree *tree, uint32_t offset, uint32_t length)
12109{
12110 int yc_len;
12111 proto_tree *ssl_dh_tree;
12112
12113 ssl_dh_tree = proto_tree_add_subtree(tree, tvb, offset, length,
12114 hf->ett.keyex_params, NULL((void*)0), "Diffie-Hellman Client Params");
12115
12116 /* ClientDiffieHellmanPublic.dh_public (explicit) */
12117 yc_len = tvb_get_ntohs(tvb, offset);
12118 proto_tree_add_item(ssl_dh_tree, hf->hf.hs_client_keyex_yc_len, tvb,
12119 offset, 2, ENC_BIG_ENDIAN0x00000000);
12120 proto_tree_add_item(ssl_dh_tree, hf->hf.hs_client_keyex_yc, tvb,
12121 offset + 2, yc_len, ENC_NA0x00000000);
12122}
12123
12124static void
12125dissect_ssl3_hnd_cli_keyex_rsa(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12126 proto_tree *tree, uint32_t offset,
12127 uint32_t length, const SslSession *session)
12128{
12129 int epms_len;
12130 proto_tree *ssl_rsa_tree;
12131
12132 ssl_rsa_tree = proto_tree_add_subtree(tree, tvb, offset, length,
12133 hf->ett.keyex_params, NULL((void*)0), "RSA Encrypted PreMaster Secret");
12134
12135 /* EncryptedPreMasterSecret.pre_master_secret */
12136 switch (session->version) {
12137 case SSLV2_VERSION0x0002:
12138 case SSLV3_VERSION0x300:
12139 case DTLSV1DOT0_OPENSSL_VERSION0x100:
12140 /* OpenSSL pre-0.9.8f DTLS and pre-TLS quirk: 2-octet length vector is
12141 * not present. The handshake contents represents the EPMS, see:
12142 * https://gitlab.com/wireshark/wireshark/-/issues/10222 */
12143 epms_len = length;
12144 break;
12145
12146 default:
12147 /* TLS and DTLS include vector length before EPMS */
12148 epms_len = tvb_get_ntohs(tvb, offset);
12149 proto_tree_add_item(ssl_rsa_tree, hf->hf.hs_client_keyex_epms_len, tvb,
12150 offset, 2, ENC_BIG_ENDIAN0x00000000);
12151 offset += 2;
12152 break;
12153 }
12154 proto_tree_add_item(ssl_rsa_tree, hf->hf.hs_client_keyex_epms, tvb,
12155 offset, epms_len, ENC_NA0x00000000);
12156}
12157
12158/* Used in PSK cipher suites */
12159static uint32_t
12160dissect_ssl3_hnd_cli_keyex_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12161 proto_tree *tree, uint32_t offset)
12162{
12163 unsigned identity_len;
12164 proto_tree *ssl_psk_tree;
12165
12166 ssl_psk_tree = proto_tree_add_subtree(tree, tvb, offset, -1,
12167 hf->ett.keyex_params, NULL((void*)0), "PSK Client Params");
12168 /* identity */
12169 identity_len = tvb_get_ntohs(tvb, offset);
12170 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_client_keyex_identity_len, tvb,
12171 offset, 2, ENC_BIG_ENDIAN0x00000000);
12172 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_client_keyex_identity, tvb,
12173 offset + 2, identity_len, ENC_NA0x00000000);
12174
12175 proto_item_set_len(ssl_psk_tree, 2 + identity_len);
12176 return 2 + identity_len;
12177}
12178
12179/* Used in RSA PSK cipher suites */
12180static void
12181dissect_ssl3_hnd_cli_keyex_rsa_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12182 proto_tree *tree, uint32_t offset,
12183 uint32_t length)
12184{
12185 int identity_len, epms_len;
12186 proto_tree *ssl_psk_tree;
12187
12188 ssl_psk_tree = proto_tree_add_subtree(tree, tvb, offset, length,
12189 hf->ett.keyex_params, NULL((void*)0), "RSA PSK Client Params");
12190
12191 /* identity */
12192 identity_len = tvb_get_ntohs(tvb, offset);
12193 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_client_keyex_identity_len,
12194 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
12195 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_client_keyex_identity,
12196 tvb, offset + 2, identity_len, ENC_NA0x00000000);
12197 offset += 2 + identity_len;
12198
12199 /* Yc */
12200 epms_len = tvb_get_ntohs(tvb, offset);
12201 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_client_keyex_epms_len, tvb,
12202 offset, 2, ENC_BIG_ENDIAN0x00000000);
12203 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_client_keyex_epms, tvb,
12204 offset + 2, epms_len, ENC_NA0x00000000);
12205}
12206
12207/* Used in Diffie-Hellman PSK cipher suites */
12208static void
12209dissect_ssl3_hnd_cli_keyex_dhe_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12210 proto_tree *tree, uint32_t offset, uint32_t length)
12211{
12212 /*
12213 * struct {
12214 * select (KeyExchangeAlgorithm) {
12215 * case diffie_hellman_psk:
12216 * opaque psk_identity<0..2^16-1>;
12217 * ClientDiffieHellmanPublic public;
12218 * } exchange_keys;
12219 * } ClientKeyExchange;
12220 */
12221
12222 uint32_t psk_len = dissect_ssl3_hnd_cli_keyex_psk(hf, tvb, tree, offset);
12223 dissect_ssl3_hnd_cli_keyex_dhe(hf, tvb, tree, offset + psk_len, length - psk_len);
12224}
12225
12226/* Used in EC Diffie-Hellman PSK cipher suites */
12227static void
12228dissect_ssl3_hnd_cli_keyex_ecdh_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12229 proto_tree *tree, uint32_t offset, uint32_t length)
12230{
12231 /*
12232 * struct {
12233 * select (KeyExchangeAlgorithm) {
12234 * case ec_diffie_hellman_psk:
12235 * opaque psk_identity<0..2^16-1>;
12236 * ClientECDiffieHellmanPublic public;
12237 * } exchange_keys;
12238 * } ClientKeyExchange;
12239 */
12240
12241 uint32_t psk_len = dissect_ssl3_hnd_cli_keyex_psk(hf, tvb, tree, offset);
12242 dissect_ssl3_hnd_cli_keyex_ecdh(hf, tvb, tree, offset + psk_len, length - psk_len);
12243}
12244
12245/* Used in EC J-PAKE cipher suites */
12246static void
12247dissect_ssl3_hnd_cli_keyex_ecjpake(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12248 proto_tree *tree, uint32_t offset,
12249 uint32_t length)
12250{
12251 /*
12252 * struct {
12253 * ECPoint V;
12254 * opaque r<1..2^8-1>;
12255 * } ECSchnorrZKP;
12256 *
12257 * struct {
12258 * ECPoint X;
12259 * ECSchnorrZKP zkp;
12260 * } ECJPAKEKeyKP;
12261 *
12262 * struct {
12263 * ECJPAKEKeyKP ecjpake_key_kp;
12264 * } ClientECJPAKEParams;
12265 *
12266 * select (KeyExchangeAlgorithm) {
12267 * case ecjpake:
12268 * ClientECJPAKEParams params;
12269 * } ClientKeyExchange;
12270 */
12271
12272 int point_len;
12273 proto_tree *ssl_ecjpake_tree;
12274
12275 ssl_ecjpake_tree = proto_tree_add_subtree(tree, tvb, offset, length,
12276 hf->ett.keyex_params, NULL((void*)0),
12277 "EC J-PAKE Client Params");
12278
12279 /* ECJPAKEKeyKP.X */
12280 point_len = tvb_get_uint8(tvb, offset);
12281 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_client_keyex_xc_len, tvb,
12282 offset, 1, ENC_BIG_ENDIAN0x00000000);
12283 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_client_keyex_xc, tvb,
12284 offset + 1, point_len, ENC_NA0x00000000);
12285 offset += 1 + point_len;
12286
12287 /* ECJPAKEKeyKP.zkp.V */
12288 point_len = tvb_get_uint8(tvb, offset);
12289 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_client_keyex_vc_len, tvb,
12290 offset, 1, ENC_BIG_ENDIAN0x00000000);
12291 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_client_keyex_vc, tvb,
12292 offset + 1, point_len, ENC_NA0x00000000);
12293 offset += 1 + point_len;
12294
12295 /* ECJPAKEKeyKP.zkp.r */
12296 point_len = tvb_get_uint8(tvb, offset);
12297 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_client_keyex_rc_len, tvb,
12298 offset, 1, ENC_BIG_ENDIAN0x00000000);
12299 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_client_keyex_rc, tvb,
12300 offset + 1, point_len, ENC_NA0x00000000);
12301}
12302
12303static void
12304dissect_ssl3_hnd_cli_keyex_ecc_sm2(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12305 proto_tree *tree, uint32_t offset,
12306 uint32_t length)
12307{
12308 int epms_len;
12309 proto_tree *ssl_ecc_sm2_tree;
12310
12311 ssl_ecc_sm2_tree = proto_tree_add_subtree(tree, tvb, offset, length,
12312 hf->ett.keyex_params, NULL((void*)0),
12313 "ECC-SM2 Encrypted PreMaster Secret");
12314
12315 epms_len = tvb_get_ntohs(tvb, offset);
12316 proto_tree_add_item(ssl_ecc_sm2_tree, hf->hf.hs_client_keyex_epms_len, tvb,
12317 offset, 2, ENC_BIG_ENDIAN0x00000000);
12318 offset += 2;
12319 proto_tree_add_item(ssl_ecc_sm2_tree, hf->hf.hs_client_keyex_epms, tvb,
12320 offset, epms_len, ENC_NA0x00000000);
12321}
12322/* ClientKeyExchange algo-specific dissectors. }}} */
12323
12324
12325/* Dissects DigitallySigned (see RFC 5246 4.7 Cryptographic Attributes). {{{ */
12326static uint32_t
12327ssl_dissect_digitally_signed(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12328 proto_tree *tree, uint32_t offset, uint32_t offset_end,
12329 uint16_t version, int hf_sig_len, int hf_sig)
12330{
12331 uint32_t sig_len;
12332
12333 switch (version) {
12334 case TLSV1DOT2_VERSION0x303:
12335 case DTLSV1DOT2_VERSION0xfefd:
12336 case TLSV1DOT3_VERSION0x304:
12337 case DTLSV1DOT3_VERSION0xfefc:
12338 tls_dissect_signature_algorithm(hf, tvb, tree, offset, NULL((void*)0));
12339 offset += 2;
12340 break;
12341
12342 default:
12343 break;
12344 }
12345
12346 /* Sig */
12347 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &sig_len,
12348 hf_sig_len, 0, UINT16_MAX(65535))) {
12349 return offset_end;
12350 }
12351 offset += 2;
12352 proto_tree_add_item(tree, hf_sig, tvb, offset, sig_len, ENC_NA0x00000000);
12353 offset += sig_len;
12354 return offset;
12355} /* }}} */
12356
12357/* ServerKeyExchange algo-specific dissectors. {{{ */
12358
12359/* dissects signed_params inside a ServerKeyExchange for some keyex algos */
12360static void
12361dissect_ssl3_hnd_srv_keyex_sig(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12362 proto_tree *tree, uint32_t offset, uint32_t offset_end,
12363 uint16_t version)
12364{
12365 /*
12366 * TLSv1.2 (RFC 5246 sec 7.4.8)
12367 * struct {
12368 * digitally-signed struct {
12369 * opaque handshake_messages[handshake_messages_length];
12370 * }
12371 * } CertificateVerify;
12372 *
12373 * TLSv1.0/TLSv1.1 (RFC 5436 sec 7.4.8 and 7.4.3) works essentially the same
12374 * as TLSv1.2, but the hash algorithms are not explicit in digitally-signed.
12375 *
12376 * SSLv3 (RFC 6101 sec 5.6.8) essentially works the same as TLSv1.0 but it
12377 * does more hashing including the master secret and padding.
12378 */
12379 ssl_dissect_digitally_signed(hf, tvb, pinfo, tree, offset, offset_end, version,
12380 hf->hf.hs_server_keyex_sig_len,
12381 hf->hf.hs_server_keyex_sig);
12382}
12383
12384static uint32_t
12385dissect_tls_ecparameters(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree, uint32_t offset, uint32_t offset_end)
12386{
12387 /*
12388 * RFC 4492 ECC cipher suites for TLS
12389 *
12390 * struct {
12391 * ECCurveType curve_type;
12392 * select (curve_type) {
12393 * case explicit_prime:
12394 * ...
12395 * case explicit_char2:
12396 * ...
12397 * case named_curve:
12398 * NamedCurve namedcurve;
12399 * };
12400 * } ECParameters;
12401 */
12402
12403 int curve_type;
12404
12405 /* ECParameters.curve_type */
12406 curve_type = tvb_get_uint8(tvb, offset);
12407 proto_tree_add_item(tree, hf->hf.hs_server_keyex_curve_type, tvb,
12408 offset, 1, ENC_BIG_ENDIAN0x00000000);
12409 offset++;
12410
12411 if (curve_type != 3)
12412 return offset_end; /* only named_curves are supported */
12413
12414 /* case curve_type == named_curve; ECParameters.namedcurve */
12415 proto_tree_add_item(tree, hf->hf.hs_server_keyex_named_curve, tvb,
12416 offset, 2, ENC_BIG_ENDIAN0x00000000);
12417 offset += 2;
12418
12419 return offset;
12420}
12421
12422static void
12423dissect_ssl3_hnd_srv_keyex_ecdh(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12424 proto_tree *tree, uint32_t offset, uint32_t offset_end,
12425 uint16_t version, bool_Bool anon)
12426{
12427 /*
12428 * RFC 4492 ECC cipher suites for TLS
12429 *
12430 * struct {
12431 * opaque point <1..2^8-1>;
12432 * } ECPoint;
12433 *
12434 * struct {
12435 * ECParameters curve_params;
12436 * ECPoint public;
12437 * } ServerECDHParams;
12438 *
12439 * select (KeyExchangeAlgorithm) {
12440 * case ec_diffie_hellman:
12441 * ServerECDHParams params;
12442 * Signature signed_params;
12443 * } ServerKeyExchange;
12444 */
12445
12446 int point_len;
12447 proto_tree *ssl_ecdh_tree;
12448
12449 ssl_ecdh_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
12450 hf->ett.keyex_params, NULL((void*)0), "EC Diffie-Hellman Server Params");
12451
12452 offset = dissect_tls_ecparameters(hf, tvb, ssl_ecdh_tree, offset, offset_end);
12453 if (offset >= offset_end)
12454 return; /* only named_curves are supported */
12455
12456 /* ECPoint.point */
12457 point_len = tvb_get_uint8(tvb, offset);
12458 proto_tree_add_item(ssl_ecdh_tree, hf->hf.hs_server_keyex_point_len, tvb,
12459 offset, 1, ENC_BIG_ENDIAN0x00000000);
12460 proto_tree_add_item(ssl_ecdh_tree, hf->hf.hs_server_keyex_point, tvb,
12461 offset + 1, point_len, ENC_NA0x00000000);
12462 offset += 1 + point_len;
12463
12464 /* Signature (if non-anonymous KEX) */
12465 if (!anon) {
12466 dissect_ssl3_hnd_srv_keyex_sig(hf, tvb, pinfo, ssl_ecdh_tree, offset, offset_end, version);
12467 }
12468}
12469
12470static void
12471dissect_ssl3_hnd_srv_keyex_dhe(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12472 proto_tree *tree, uint32_t offset, uint32_t offset_end,
12473 uint16_t version, bool_Bool anon)
12474{
12475 int p_len, g_len, ys_len;
12476 proto_tree *ssl_dh_tree;
12477
12478 ssl_dh_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
12479 hf->ett.keyex_params, NULL((void*)0), "Diffie-Hellman Server Params");
12480
12481 /* p */
12482 p_len = tvb_get_ntohs(tvb, offset);
12483 proto_tree_add_item(ssl_dh_tree, hf->hf.hs_server_keyex_p_len, tvb,
12484 offset, 2, ENC_BIG_ENDIAN0x00000000);
12485 proto_tree_add_item(ssl_dh_tree, hf->hf.hs_server_keyex_p, tvb,
12486 offset + 2, p_len, ENC_NA0x00000000);
12487 offset += 2 + p_len;
12488
12489 /* g */
12490 g_len = tvb_get_ntohs(tvb, offset);
12491 proto_tree_add_item(ssl_dh_tree, hf->hf.hs_server_keyex_g_len, tvb,
12492 offset, 2, ENC_BIG_ENDIAN0x00000000);
12493 proto_tree_add_item(ssl_dh_tree, hf->hf.hs_server_keyex_g, tvb,
12494 offset + 2, g_len, ENC_NA0x00000000);
12495 offset += 2 + g_len;
12496
12497 /* Ys */
12498 ys_len = tvb_get_ntohs(tvb, offset);
12499 proto_tree_add_uint(ssl_dh_tree, hf->hf.hs_server_keyex_ys_len, tvb,
12500 offset, 2, ys_len);
12501 proto_tree_add_item(ssl_dh_tree, hf->hf.hs_server_keyex_ys, tvb,
12502 offset + 2, ys_len, ENC_NA0x00000000);
12503 offset += 2 + ys_len;
12504
12505 /* Signature (if non-anonymous KEX) */
12506 if (!anon) {
12507 dissect_ssl3_hnd_srv_keyex_sig(hf, tvb, pinfo, ssl_dh_tree, offset, offset_end, version);
12508 }
12509}
12510
12511/* Only used in RSA-EXPORT cipher suites */
12512static void
12513dissect_ssl3_hnd_srv_keyex_rsa(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12514 proto_tree *tree, uint32_t offset, uint32_t offset_end,
12515 uint16_t version)
12516{
12517 int modulus_len, exponent_len;
12518 proto_tree *ssl_rsa_tree;
12519
12520 ssl_rsa_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
12521 hf->ett.keyex_params, NULL((void*)0), "RSA-EXPORT Server Params");
12522
12523 /* modulus */
12524 modulus_len = tvb_get_ntohs(tvb, offset);
12525 proto_tree_add_item(ssl_rsa_tree, hf->hf.hs_server_keyex_modulus_len, tvb,
12526 offset, 2, ENC_BIG_ENDIAN0x00000000);
12527 proto_tree_add_item(ssl_rsa_tree, hf->hf.hs_server_keyex_modulus, tvb,
12528 offset + 2, modulus_len, ENC_NA0x00000000);
12529 offset += 2 + modulus_len;
12530
12531 /* exponent */
12532 exponent_len = tvb_get_ntohs(tvb, offset);
12533 proto_tree_add_item(ssl_rsa_tree, hf->hf.hs_server_keyex_exponent_len,
12534 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
12535 proto_tree_add_item(ssl_rsa_tree, hf->hf.hs_server_keyex_exponent,
12536 tvb, offset + 2, exponent_len, ENC_NA0x00000000);
12537 offset += 2 + exponent_len;
12538
12539 /* Signature */
12540 dissect_ssl3_hnd_srv_keyex_sig(hf, tvb, pinfo, ssl_rsa_tree, offset, offset_end, version);
12541}
12542
12543/* Used in RSA PSK and PSK cipher suites */
12544static uint32_t
12545dissect_ssl3_hnd_srv_keyex_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12546 proto_tree *tree, uint32_t offset)
12547{
12548 unsigned hint_len;
12549 proto_tree *ssl_psk_tree;
12550
12551 ssl_psk_tree = proto_tree_add_subtree(tree, tvb, offset, -1,
12552 hf->ett.keyex_params, NULL((void*)0), "PSK Server Params");
12553
12554 /* hint */
12555 hint_len = tvb_get_ntohs(tvb, offset);
12556 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_server_keyex_hint_len, tvb,
12557 offset, 2, ENC_BIG_ENDIAN0x00000000);
12558 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_server_keyex_hint, tvb,
12559 offset + 2, hint_len, ENC_NA0x00000000);
12560
12561 proto_item_set_len(ssl_psk_tree, 2 + hint_len);
12562 return 2 + hint_len;
12563}
12564
12565/* Used in Diffie-Hellman PSK cipher suites */
12566static void
12567dissect_ssl3_hnd_srv_keyex_dhe_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12568 proto_tree *tree, uint32_t offset, uint32_t offset_end)
12569{
12570 /*
12571 * struct {
12572 * select (KeyExchangeAlgorithm) {
12573 * case diffie_hellman_psk:
12574 * opaque psk_identity_hint<0..2^16-1>;
12575 * ServerDHParams params;
12576 * };
12577 * } ServerKeyExchange;
12578 */
12579
12580 uint32_t psk_len = dissect_ssl3_hnd_srv_keyex_psk(hf, tvb, tree, offset);
12581 dissect_ssl3_hnd_srv_keyex_dhe(hf, tvb, pinfo, tree, offset + psk_len, offset_end, 0, true1);
12582}
12583
12584/* Used in EC Diffie-Hellman PSK cipher suites */
12585static void
12586dissect_ssl3_hnd_srv_keyex_ecdh_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12587 proto_tree *tree, uint32_t offset, uint32_t offset_end)
12588{
12589 /*
12590 * struct {
12591 * select (KeyExchangeAlgorithm) {
12592 * case ec_diffie_hellman_psk:
12593 * opaque psk_identity_hint<0..2^16-1>;
12594 * ServerECDHParams params;
12595 * };
12596 * } ServerKeyExchange;
12597 */
12598
12599 uint32_t psk_len = dissect_ssl3_hnd_srv_keyex_psk(hf, tvb, tree, offset);
12600 dissect_ssl3_hnd_srv_keyex_ecdh(hf, tvb, pinfo, tree, offset + psk_len, offset_end, 0, true1);
12601}
12602
12603/* Used in EC J-PAKE cipher suites */
12604static void
12605dissect_ssl3_hnd_srv_keyex_ecjpake(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12606 proto_tree *tree, uint32_t offset, uint32_t offset_end)
12607{
12608 /*
12609 * struct {
12610 * ECPoint V;
12611 * opaque r<1..2^8-1>;
12612 * } ECSchnorrZKP;
12613 *
12614 * struct {
12615 * ECPoint X;
12616 * ECSchnorrZKP zkp;
12617 * } ECJPAKEKeyKP;
12618 *
12619 * struct {
12620 * ECParameters curve_params;
12621 * ECJPAKEKeyKP ecjpake_key_kp;
12622 * } ServerECJPAKEParams;
12623 *
12624 * select (KeyExchangeAlgorithm) {
12625 * case ecjpake:
12626 * ServerECJPAKEParams params;
12627 * } ServerKeyExchange;
12628 */
12629
12630 int point_len;
12631 proto_tree *ssl_ecjpake_tree;
12632
12633 ssl_ecjpake_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
12634 hf->ett.keyex_params, NULL((void*)0),
12635 "EC J-PAKE Server Params");
12636
12637 offset = dissect_tls_ecparameters(hf, tvb, ssl_ecjpake_tree, offset, offset_end);
12638 if (offset >= offset_end)
12639 return; /* only named_curves are supported */
12640
12641 /* ECJPAKEKeyKP.X */
12642 point_len = tvb_get_uint8(tvb, offset);
12643 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_server_keyex_xs_len, tvb,
12644 offset, 1, ENC_BIG_ENDIAN0x00000000);
12645 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_server_keyex_xs, tvb,
12646 offset + 1, point_len, ENC_NA0x00000000);
12647 offset += 1 + point_len;
12648
12649 /* ECJPAKEKeyKP.zkp.V */
12650 point_len = tvb_get_uint8(tvb, offset);
12651 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_server_keyex_vs_len, tvb,
12652 offset, 1, ENC_BIG_ENDIAN0x00000000);
12653 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_server_keyex_vs, tvb,
12654 offset + 1, point_len, ENC_NA0x00000000);
12655 offset += 1 + point_len;
12656
12657 /* ECJPAKEKeyKP.zkp.r */
12658 point_len = tvb_get_uint8(tvb, offset);
12659 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_server_keyex_rs_len, tvb,
12660 offset, 1, ENC_BIG_ENDIAN0x00000000);
12661 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_server_keyex_rs, tvb,
12662 offset + 1, point_len, ENC_NA0x00000000);
12663}
12664
12665/* Only used in ECC-SM2-EXPORT cipher suites */
12666static void
12667dissect_ssl3_hnd_srv_keyex_ecc_sm2(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12668 proto_tree *tree, uint32_t offset, uint32_t offset_end,
12669 uint16_t version)
12670{
12671 proto_tree *ssl_ecc_sm2_tree;
12672
12673 ssl_ecc_sm2_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
12674 hf->ett.keyex_params, NULL((void*)0), "ECC-SM2-EXPORT Server Params");
12675
12676 /* Signature */
12677 dissect_ssl3_hnd_srv_keyex_sig(hf, tvb, pinfo, ssl_ecc_sm2_tree, offset, offset_end, version);
12678}
12679/* ServerKeyExchange algo-specific dissectors. }}} */
12680
12681/* Client Key Exchange and Server Key Exchange handshake dissections. {{{ */
12682void
12683ssl_dissect_hnd_cli_keyex(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12684 proto_tree *tree, uint32_t offset, uint32_t length,
12685 const SslSession *session)
12686{
12687 switch (ssl_get_keyex_alg(session->cipher)) {
12688 case KEX_DH_ANON0x13: /* RFC 5246; DHE_DSS, DHE_RSA, DH_DSS, DH_RSA, DH_ANON: ClientDiffieHellmanPublic */
12689 case KEX_DH_DSS0x14:
12690 case KEX_DH_RSA0x15:
12691 case KEX_DHE_DSS0x10:
12692 case KEX_DHE_RSA0x12:
12693 dissect_ssl3_hnd_cli_keyex_dhe(hf, tvb, tree, offset, length);
12694 break;
12695 case KEX_DHE_PSK0x11: /* RFC 4279; diffie_hellman_psk: psk_identity, ClientDiffieHellmanPublic */
12696 dissect_ssl3_hnd_cli_keyex_dhe_psk(hf, tvb, tree, offset, length);
12697 break;
12698 case KEX_ECDH_ANON0x19: /* RFC 4492; ec_diffie_hellman: ClientECDiffieHellmanPublic */
12699 case KEX_ECDH_ECDSA0x1a:
12700 case KEX_ECDH_RSA0x1b:
12701 case KEX_ECDHE_ECDSA0x16:
12702 case KEX_ECDHE_RSA0x18:
12703 dissect_ssl3_hnd_cli_keyex_ecdh(hf, tvb, tree, offset, length);
12704 break;
12705 case KEX_ECDHE_PSK0x17: /* RFC 5489; ec_diffie_hellman_psk: psk_identity, ClientECDiffieHellmanPublic */
12706 dissect_ssl3_hnd_cli_keyex_ecdh_psk(hf, tvb, tree, offset, length);
12707 break;
12708 case KEX_KRB50x1c: /* RFC 2712; krb5: KerberosWrapper */
12709 /* XXX: implement support for KRB5 */
12710 proto_tree_add_expert_format(tree, NULL((void*)0), &hf->ei.hs_ciphersuite_undecoded,
12711 tvb, offset, length,
12712 "Kerberos ciphersuites (RFC 2712) are not implemented, contact Wireshark"
12713 " developers if you want them to be supported");
12714 break;
12715 case KEX_PSK0x1d: /* RFC 4279; psk: psk_identity */
12716 dissect_ssl3_hnd_cli_keyex_psk(hf, tvb, tree, offset);
12717 break;
12718 case KEX_RSA0x1e: /* RFC 5246; rsa: EncryptedPreMasterSecret */
12719 dissect_ssl3_hnd_cli_keyex_rsa(hf, tvb, tree, offset, length, session);
12720 break;
12721 case KEX_RSA_PSK0x1f: /* RFC 4279; rsa_psk: psk_identity, EncryptedPreMasterSecret */
12722 dissect_ssl3_hnd_cli_keyex_rsa_psk(hf, tvb, tree, offset, length);
12723 break;
12724 case KEX_SRP_SHA0x20: /* RFC 5054; srp: ClientSRPPublic */
12725 case KEX_SRP_SHA_DSS0x21:
12726 case KEX_SRP_SHA_RSA0x22:
12727 /* XXX: implement support for SRP_SHA* */
12728 proto_tree_add_expert_format(tree, NULL((void*)0), &hf->ei.hs_ciphersuite_undecoded,
12729 tvb, offset, length,
12730 "SRP_SHA ciphersuites (RFC 5054) are not implemented, contact Wireshark"
12731 " developers if you want them to be supported");
12732 break;
12733 case KEX_ECJPAKE0x24: /* https://tools.ietf.org/html/draft-cragie-tls-ecjpake-01 used in Thread Commissioning */
12734 dissect_ssl3_hnd_cli_keyex_ecjpake(hf, tvb, tree, offset, length);
12735 break;
12736 case KEX_ECC_SM20x26: /* GB/T 38636 */
12737 dissect_ssl3_hnd_cli_keyex_ecc_sm2(hf, tvb, tree, offset, length);
12738 break;
12739 default:
12740 if (session->cipher == 0) {
12741 proto_tree_add_expert_format(tree, NULL((void*)0), &hf->ei.hs_ciphersuite_undecoded,
12742 tvb, offset, length,
12743 "Cipher Suite not found");
12744 } else {
12745 proto_tree_add_expert_format(tree, NULL((void*)0), &hf->ei.hs_ciphersuite_undecoded,
12746 tvb, offset, length,
12747 "Cipher Suite 0x%04x is not implemented, "
12748 "contact Wireshark developers if you want this to be supported",
12749 session->cipher);
12750 }
12751 break;
12752 }
12753}
12754
12755void
12756ssl_dissect_hnd_srv_keyex(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12757 proto_tree *tree, uint32_t offset, uint32_t offset_end,
12758 const SslSession *session)
12759{
12760 switch (ssl_get_keyex_alg(session->cipher)) {
12761 case KEX_DH_ANON0x13: /* RFC 5246; ServerDHParams */
12762 dissect_ssl3_hnd_srv_keyex_dhe(hf, tvb, pinfo, tree, offset, offset_end, session->version, true1);
12763 break;
12764 case KEX_DH_DSS0x14: /* RFC 5246; not allowed */
12765 case KEX_DH_RSA0x15:
12766 proto_tree_add_expert(tree, NULL((void*)0), &hf->ei.hs_srv_keyex_illegal,
12767 tvb, offset, offset_end - offset);
12768 break;
12769 case KEX_DHE_DSS0x10: /* RFC 5246; dhe_dss, dhe_rsa: ServerDHParams, Signature */
12770 case KEX_DHE_RSA0x12:
12771 dissect_ssl3_hnd_srv_keyex_dhe(hf, tvb, pinfo, tree, offset, offset_end, session->version, false0);
12772 break;
12773 case KEX_DHE_PSK0x11: /* RFC 4279; diffie_hellman_psk: psk_identity_hint, ServerDHParams */
12774 dissect_ssl3_hnd_srv_keyex_dhe_psk(hf, tvb, pinfo, tree, offset, offset_end);
12775 break;
12776 case KEX_ECDH_ANON0x19: /* RFC 4492; ec_diffie_hellman: ServerECDHParams (without signature for anon) */
12777 dissect_ssl3_hnd_srv_keyex_ecdh(hf, tvb, pinfo, tree, offset, offset_end, session->version, true1);
12778 break;
12779 case KEX_ECDHE_PSK0x17: /* RFC 5489; psk_identity_hint, ServerECDHParams */
12780 dissect_ssl3_hnd_srv_keyex_ecdh_psk(hf, tvb, pinfo, tree, offset, offset_end);
12781 break;
12782 case KEX_ECDH_ECDSA0x1a: /* RFC 4492; ec_diffie_hellman: ServerECDHParams, Signature */
12783 case KEX_ECDH_RSA0x1b:
12784 case KEX_ECDHE_ECDSA0x16:
12785 case KEX_ECDHE_RSA0x18:
12786 dissect_ssl3_hnd_srv_keyex_ecdh(hf, tvb, pinfo, tree, offset, offset_end, session->version, false0);
12787 break;
12788 case KEX_KRB50x1c: /* RFC 2712; not allowed */
12789 proto_tree_add_expert(tree, NULL((void*)0), &hf->ei.hs_srv_keyex_illegal,
12790 tvb, offset, offset_end - offset);
12791 break;
12792 case KEX_PSK0x1d: /* RFC 4279; psk, rsa: psk_identity */
12793 case KEX_RSA_PSK0x1f:
12794 dissect_ssl3_hnd_srv_keyex_psk(hf, tvb, tree, offset);
12795 break;
12796 case KEX_RSA0x1e: /* only allowed if the public key in the server certificate is longer than 512 bits */
12797 dissect_ssl3_hnd_srv_keyex_rsa(hf, tvb, pinfo, tree, offset, offset_end, session->version);
12798 break;
12799 case KEX_ECC_SM20x26: /* GB/T 38636 */
12800 dissect_ssl3_hnd_srv_keyex_ecc_sm2(hf, tvb, pinfo, tree, offset, offset_end, session->version);
12801 break;
12802 case KEX_SRP_SHA0x20: /* RFC 5054; srp: ServerSRPParams, Signature */
12803 case KEX_SRP_SHA_DSS0x21:
12804 case KEX_SRP_SHA_RSA0x22:
12805 /* XXX: implement support for SRP_SHA* */
12806 proto_tree_add_expert_format(tree, NULL((void*)0), &hf->ei.hs_ciphersuite_undecoded,
12807 tvb, offset, offset_end - offset,
12808 "SRP_SHA ciphersuites (RFC 5054) are not implemented, contact Wireshark"
12809 " developers if you want them to be supported");
12810 break;
12811 case KEX_ECJPAKE0x24: /* https://tools.ietf.org/html/draft-cragie-tls-ecjpake-01 used in Thread Commissioning */
12812 dissect_ssl3_hnd_srv_keyex_ecjpake(hf, tvb, tree, offset, offset_end);
12813 break;
12814 default:
12815 if (session->cipher == 0) {
12816 proto_tree_add_expert_format(tree, NULL((void*)0), &hf->ei.hs_ciphersuite_undecoded,
12817 tvb, offset, offset_end - offset,
12818 "Cipher Suite not found");
12819 } else {
12820 proto_tree_add_expert_format(tree, NULL((void*)0), &hf->ei.hs_ciphersuite_undecoded,
12821 tvb, offset, offset_end - offset,
12822 "Cipher Suite 0x%04x is not implemented, "
12823 "contact Wireshark developers if you want this to be supported",
12824 session->cipher);
12825 }
12826 break;
12827 }
12828}
12829/* Client Key Exchange and Server Key Exchange handshake dissections. }}} */
12830
12831void
12832tls13_dissect_hnd_key_update(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12833 proto_tree *tree, uint32_t offset)
12834{
12835 /* RFC 8446 Section 4.6.3
12836 * enum {
12837 * update_not_requested(0), update_requested(1), (255)
12838 * } KeyUpdateRequest;
12839 *
12840 * struct {
12841 * KeyUpdateRequest request_update;
12842 * } KeyUpdate;
12843 */
12844 proto_tree_add_item(tree, hf->hf.hs_key_update_request_update, tvb, offset, 1, ENC_NA0x00000000);
12845}
12846
12847void
12848ssl_common_register_ssl_alpn_dissector_table(const char *name,
12849 const char *ui_name, const int proto)
12850{
12851 ssl_alpn_dissector_table = register_dissector_table(name, ui_name,
12852 proto, FT_STRING, STRING_CASE_SENSITIVE0);
12853 register_dissector_table_alias(ssl_alpn_dissector_table, "ssl.handshake.extensions_alpn_str");
12854}
12855
12856void
12857ssl_common_register_dtls_alpn_dissector_table(const char *name,
12858 const char *ui_name, const int proto)
12859{
12860 dtls_alpn_dissector_table = register_dissector_table(name, ui_name,
12861 proto, FT_STRING, STRING_CASE_SENSITIVE0);
12862 register_dissector_table_alias(ssl_alpn_dissector_table, "dtls.handshake.extensions_alpn_str");
12863}
12864
12865void
12866ssl_common_register_options(module_t *module, ssl_common_options_t *options, bool_Bool is_dtls)
12867{
12868 prefs_register_string_preference(module, "psk", "Pre-Shared Key",
12869 "Pre-Shared Key as HEX string. Should be 0 to 16 bytes.",
12870 &(options->psk));
12871
12872 if (is_dtls) {
12873 prefs_register_obsolete_preference(module, "keylog_file");
12874 prefs_register_static_text_preference(module, "keylog_file_removed",
12875 "The (Pre)-Master-Secret log filename preference can be configured in the TLS protocol preferences.",
12876 "Use the TLS protocol preference to configure the keylog file for both DTLS and TLS.");
12877 return;
12878 }
12879
12880 prefs_register_filename_preference(module, "keylog_file", "(Pre)-Master-Secret log filename",
12881 "The name of a file which contains a list of \n"
12882 "(pre-)master secrets in one of the following formats:\n"
12883 "\n"
12884 "RSA <EPMS> <PMS>\n"
12885 "RSA Session-ID:<SSLID> Master-Key:<MS>\n"
12886 "CLIENT_RANDOM <CRAND> <MS>\n"
12887 "PMS_CLIENT_RANDOM <CRAND> <PMS>\n"
12888 "\n"
12889 "Where:\n"
12890 "<EPMS> = First 8 bytes of the Encrypted PMS\n"
12891 "<PMS> = The Pre-Master-Secret (PMS) used to derive the MS\n"
12892 "<SSLID> = The SSL Session ID\n"
12893 "<MS> = The Master-Secret (MS)\n"
12894 "<CRAND> = The Client's random number from the ClientHello message\n"
12895 "\n"
12896 "(All fields are in hex notation)",
12897 &(options->keylog_filename), false0);
12898}
12899
12900void
12901ssl_calculate_handshake_hash(SslDecryptSession *ssl_session, tvbuff_t *tvb, uint32_t offset, uint32_t length)
12902{
12903 if (ssl_session && ssl_session->session.version != TLSV1DOT3_VERSION0x304 && !(ssl_session->state & SSL_MASTER_SECRET(1<<5))) {
12904 uint32_t old_length = ssl_session->handshake_data.data_len;
12905 ssl_debug_printf("Calculating hash with offset %d %d\n", offset, length);
12906 if (tvb) {
12907 if (tvb_bytes_exist(tvb, offset, length)) {
12908 ssl_session->handshake_data.data = (unsigned char *)wmem_realloc(wmem_file_scope(), ssl_session->handshake_data.data, old_length + length);
12909 tvb_memcpy(tvb, ssl_session->handshake_data.data + old_length, offset, length);
12910 ssl_session->handshake_data.data_len += length;
12911 }
12912 } else {
12913 /* DTLS calculates the hash as if each handshake message had been
12914 * sent as a single fragment (RFC 6347, section 4.2.6) and passes
12915 * in a null tvbuff to add 3 bytes for a zero fragment offset.
12916 */
12917 DISSECTOR_ASSERT_CMPINT(length, <, 4)((void) ((length < 4) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion " "length" " " "<" " " "4" " (" "%"
"l" "d" " " "<" " " "%" "l" "d" ")", "epan/dissectors/packet-tls-utils.c"
, 12917, (int64_t)length, (int64_t)4))));
12918 ssl_session->handshake_data.data = (unsigned char *)wmem_realloc(wmem_file_scope(), ssl_session->handshake_data.data, old_length + length);
12919 memset(ssl_session->handshake_data.data + old_length, 0, length);
12920 ssl_session->handshake_data.data_len += length;
12921 }
12922 }
12923}
12924
12925
12926/*
12927 * Editor modelines - https://www.wireshark.org/tools/modelines.html
12928 *
12929 * Local variables:
12930 * c-basic-offset: 4
12931 * tab-width: 8
12932 * indent-tabs-mode: nil
12933 * End:
12934 *
12935 * vi: set shiftwidth=4 tabstop=8 expandtab:
12936 * :indentSize=4:tabSize=8:noTabs=true:
12937 */