Bug Summary

File:builds/wireshark/wireshark/epan/dissectors/packet-tls-utils.c
Warning:line 4909, column 17
Potential leak of memory pointed to by 'handshake_hashed_data.data'

Annotated Source Code

Press '?' to see keyboard shortcuts

clang -cc1 -cc1 -triple x86_64-pc-linux-gnu -analyze -disable-free -clear-ast-before-backend -disable-llvm-verifier -discard-value-names -main-file-name packet-tls-utils.c -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -mrelocation-model pic -pic-level 2 -fhalf-no-semantic-interposition -fno-delete-null-pointer-checks -mframe-pointer=all -relaxed-aliasing -fmath-errno -ffp-contract=on -fno-rounding-math -ffloat16-excess-precision=fast -fbfloat16-excess-precision=fast -mconstructor-aliases -funwind-tables=2 -target-cpu x86-64 -tune-cpu generic -debugger-tuning=gdb -fdebug-compilation-dir=/builds/wireshark/wireshark/build -fcoverage-compilation-dir=/builds/wireshark/wireshark/build -resource-dir /usr/lib/llvm-21/lib/clang/21 -isystem /usr/include/glib-2.0 -isystem /usr/lib/x86_64-linux-gnu/glib-2.0/include -isystem /builds/wireshark/wireshark/epan/dissectors -isystem /builds/wireshark/wireshark/build/epan/dissectors -isystem /usr/include/mit-krb5 -isystem /usr/include/libxml2 -isystem /builds/wireshark/wireshark/epan -D G_DISABLE_DEPRECATED -D G_DISABLE_SINGLE_INCLUDES -D WS_BUILD_DLL -D WS_DEBUG -D WS_DEBUG_UTF_8 -I /builds/wireshark/wireshark/build -I /builds/wireshark/wireshark -I /builds/wireshark/wireshark/include -D _GLIBCXX_ASSERTIONS -internal-isystem /usr/lib/llvm-21/lib/clang/21/include -internal-isystem /usr/local/include -internal-isystem /usr/lib/gcc/x86_64-linux-gnu/14/../../../../x86_64-linux-gnu/include -internal-externc-isystem /usr/include/x86_64-linux-gnu -internal-externc-isystem /include -internal-externc-isystem /usr/include -fmacro-prefix-map=/builds/wireshark/wireshark/= -fmacro-prefix-map=/builds/wireshark/wireshark/build/= -fmacro-prefix-map=../= -Wno-format-nonliteral -std=gnu17 -ferror-limit 19 -fvisibility=hidden -fwrapv -fwrapv-pointer -fstrict-flex-arrays=3 -stack-protector 2 -fstack-clash-protection -fcf-protection=full -fgnuc-version=4.2.1 -fskip-odr-check-in-gmf -fexceptions -fcolor-diagnostics -analyzer-output=html -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /builds/wireshark/wireshark/sbout/2026-05-17-100315-3642-1 -x c /builds/wireshark/wireshark/epan/dissectors/packet-tls-utils.c
1/* packet-tls-utils.c
2 * ssl manipulation functions
3 * By Paolo Abeni <paolo.abeni@email.com>
4 *
5 * Copyright (c) 2013, Hauke Mehrtens <hauke@hauke-m.de>
6 * Copyright (c) 2014, Peter Wu <peter@lekensteyn.nl>
7 *
8 * Wireshark - Network traffic analyzer
9 * By Gerald Combs <gerald@wireshark.org>
10 * Copyright 1998 Gerald Combs
11 *
12 * SPDX-License-Identifier: GPL-2.0-or-later
13 */
14
15#include "config.h"
16
17#include <stdlib.h>
18#include <errno(*__errno_location ()).h>
19
20#include <epan/packet.h>
21#include <epan/strutil.h>
22#include <epan/addr_resolv.h>
23#include <epan/expert.h>
24#include <epan/asn1.h>
25#include <epan/proto_data.h>
26#include <epan/oids.h>
27#include <epan/secrets.h>
28
29#include <wsutil/inet_cidr.h>
30#include <wsutil/filesystem.h>
31#include <wsutil/file_util.h>
32#include <wsutil/str_util.h>
33#include <wsutil/report_message.h>
34#include <wsutil/pint.h>
35#include <wsutil/strtoi.h>
36#include <wsutil/wsgcrypt.h>
37#include <wsutil/rsa.h>
38#include <wsutil/ws_assert.h>
39#include <wsutil/zlib_compat.h>
40#include "packet-ber.h"
41#include "packet-x509af.h"
42#include "packet-x509if.h"
43#include "packet-tls-utils.h"
44#include "packet-ocsp.h"
45#include "packet-tls.h"
46#include "packet-dtls.h"
47#include "packet-quic.h"
48#if defined(HAVE_LIBGNUTLS1)
49#include <gnutls/abstract.h>
50#include <gnutls/x509.h>
51#include <gnutls/pkcs12.h>
52#endif
53
54/* JA3/JA3S calculations must ignore GREASE values
55 * as described in RFC 8701.
56 */
57#define IS_GREASE_TLS(x)((((x) & 0x0f0f) == 0x0a0a) && (((x) & 0xff) ==
(((x)>>8) & 0xff))) ((((x) & 0x0f0f) == 0x0a0a) && \
58 (((x) & 0xff) == (((x)>>8) & 0xff)))
59
60/* Section 22.3 of RFC 9000 (QUIC) reserves values of this
61 * form for a similar purpose as GREASE.
62 */
63#define IS_GREASE_QUIC(x)((x) > 27 ? ((((x) - 27) % 31) == 0) : 0) ((x) > 27 ? ((((x) - 27) % 31) == 0) : 0)
64
65#define DTLS13_MAX_EPOCH10 10
66
67/* Lookup tables {{{ */
68const value_string ssl_version_short_names[] = {
69 { SSLV2_VERSION0x0002, "SSLv2" },
70 { SSLV3_VERSION0x300, "SSLv3" },
71 { TLSV1_VERSION0x301, "TLSv1" },
72 { TLCPV1_VERSION0x101, "TLCP" },
73 { TLSV1DOT1_VERSION0x302, "TLSv1.1" },
74 { TLSV1DOT2_VERSION0x303, "TLSv1.2" },
75 { TLSV1DOT3_VERSION0x304, "TLSv1.3" },
76 { DTLSV1DOT0_VERSION0xfeff, "DTLSv1.0" },
77 { DTLSV1DOT2_VERSION0xfefd, "DTLSv1.2" },
78 { DTLSV1DOT3_VERSION0xfefc, "DTLSv1.3" },
79 { DTLSV1DOT0_OPENSSL_VERSION0x100, "DTLS 1.0 (OpenSSL pre 0.9.8f)" },
80 { 0x00, NULL((void*)0) }
81};
82
83const value_string ssl_versions[] = {
84 { SSLV2_VERSION0x0002, "SSL 2.0" },
85 { SSLV3_VERSION0x300, "SSL 3.0" },
86 { TLSV1_VERSION0x301, "TLS 1.0" },
87 { TLCPV1_VERSION0x101, "TLCP" },
88 { TLSV1DOT1_VERSION0x302, "TLS 1.1" },
89 { TLSV1DOT2_VERSION0x303, "TLS 1.2" },
90 { TLSV1DOT3_VERSION0x304, "TLS 1.3" },
91 { 0x7F0E, "TLS 1.3 (draft 14)" },
92 { 0x7F0F, "TLS 1.3 (draft 15)" },
93 { 0x7F10, "TLS 1.3 (draft 16)" },
94 { 0x7F11, "TLS 1.3 (draft 17)" },
95 { 0x7F12, "TLS 1.3 (draft 18)" },
96 { 0x7F13, "TLS 1.3 (draft 19)" },
97 { 0x7F14, "TLS 1.3 (draft 20)" },
98 { 0x7F15, "TLS 1.3 (draft 21)" },
99 { 0x7F16, "TLS 1.3 (draft 22)" },
100 { 0x7F17, "TLS 1.3 (draft 23)" },
101 { 0x7F18, "TLS 1.3 (draft 24)" },
102 { 0x7F19, "TLS 1.3 (draft 25)" },
103 { 0x7F1A, "TLS 1.3 (draft 26)" },
104 { 0x7F1B, "TLS 1.3 (draft 27)" },
105 { 0x7F1C, "TLS 1.3 (draft 28)" },
106 { 0xFB17, "TLS 1.3 (Facebook draft 23)" },
107 { 0xFB1A, "TLS 1.3 (Facebook draft 26)" },
108 { DTLSV1DOT0_OPENSSL_VERSION0x100, "DTLS 1.0 (OpenSSL pre 0.9.8f)" },
109 { DTLSV1DOT0_VERSION0xfeff, "DTLS 1.0" },
110 { DTLSV1DOT2_VERSION0xfefd, "DTLS 1.2" },
111 { DTLSV1DOT3_VERSION0xfefc, "DTLS 1.3" },
112 { 0x0A0A, "Reserved (GREASE)" }, /* RFC 8701 */
113 { 0x1A1A, "Reserved (GREASE)" }, /* RFC 8701 */
114 { 0x2A2A, "Reserved (GREASE)" }, /* RFC 8701 */
115 { 0x3A3A, "Reserved (GREASE)" }, /* RFC 8701 */
116 { 0x4A4A, "Reserved (GREASE)" }, /* RFC 8701 */
117 { 0x5A5A, "Reserved (GREASE)" }, /* RFC 8701 */
118 { 0x6A6A, "Reserved (GREASE)" }, /* RFC 8701 */
119 { 0x7A7A, "Reserved (GREASE)" }, /* RFC 8701 */
120 { 0x8A8A, "Reserved (GREASE)" }, /* RFC 8701 */
121 { 0x9A9A, "Reserved (GREASE)" }, /* RFC 8701 */
122 { 0xAAAA, "Reserved (GREASE)" }, /* RFC 8701 */
123 { 0xBABA, "Reserved (GREASE)" }, /* RFC 8701 */
124 { 0xCACA, "Reserved (GREASE)" }, /* RFC 8701 */
125 { 0xDADA, "Reserved (GREASE)" }, /* RFC 8701 */
126 { 0xEAEA, "Reserved (GREASE)" }, /* RFC 8701 */
127 { 0xFAFA, "Reserved (GREASE)" }, /* RFC 8701 */
128 { 0x00, NULL((void*)0) }
129};
130
131static const value_string ssl_version_ja4_names[] = {
132 { 0x0100, "s1" },
133 { SSLV2_VERSION0x0002, "s2" },
134 { SSLV3_VERSION0x300, "s3" },
135 { TLSV1_VERSION0x301, "10" },
136 { TLSV1DOT1_VERSION0x302, "11" },
137 { TLSV1DOT2_VERSION0x303, "12" },
138 { TLSV1DOT3_VERSION0x304, "13" },
139 { DTLSV1DOT0_VERSION0xfeff, "d1" },
140 { DTLSV1DOT2_VERSION0xfefd, "d2" },
141 { DTLSV1DOT3_VERSION0xfefc, "d3" },
142 { 0x00, NULL((void*)0) }
143};
144
145const value_string ssl_20_msg_types[] = {
146 { SSL2_HND_ERROR0x00, "Error" },
147 { SSL2_HND_CLIENT_HELLO0x01, "Client Hello" },
148 { SSL2_HND_CLIENT_MASTER_KEY0x02, "Client Master Key" },
149 { SSL2_HND_CLIENT_FINISHED0x03, "Client Finished" },
150 { SSL2_HND_SERVER_HELLO0x04, "Server Hello" },
151 { SSL2_HND_SERVER_VERIFY0x05, "Server Verify" },
152 { SSL2_HND_SERVER_FINISHED0x06, "Server Finished" },
153 { SSL2_HND_REQUEST_CERTIFICATE0x07, "Request Certificate" },
154 { SSL2_HND_CLIENT_CERTIFICATE0x08, "Client Certificate" },
155 { 0x00, NULL((void*)0) }
156};
157/* http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml */
158/* Note: sorted by ascending value so value_string-ext can do a binary search */
159static const value_string ssl_20_cipher_suites[] = {
160 { 0x000000, "TLS_NULL_WITH_NULL_NULL" },
161 { 0x000001, "TLS_RSA_WITH_NULL_MD5" },
162 { 0x000002, "TLS_RSA_WITH_NULL_SHA" },
163 { 0x000003, "TLS_RSA_EXPORT_WITH_RC4_40_MD5" },
164 { 0x000004, "TLS_RSA_WITH_RC4_128_MD5" },
165 { 0x000005, "TLS_RSA_WITH_RC4_128_SHA" },
166 { 0x000006, "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5" },
167 { 0x000007, "TLS_RSA_WITH_IDEA_CBC_SHA" },
168 { 0x000008, "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA" },
169 { 0x000009, "TLS_RSA_WITH_DES_CBC_SHA" },
170 { 0x00000a, "TLS_RSA_WITH_3DES_EDE_CBC_SHA" },
171 { 0x00000b, "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA" },
172 { 0x00000c, "TLS_DH_DSS_WITH_DES_CBC_SHA" },
173 { 0x00000d, "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA" },
174 { 0x00000e, "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA" },
175 { 0x00000f, "TLS_DH_RSA_WITH_DES_CBC_SHA" },
176 { 0x000010, "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA" },
177 { 0x000011, "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA" },
178 { 0x000012, "TLS_DHE_DSS_WITH_DES_CBC_SHA" },
179 { 0x000013, "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA" },
180 { 0x000014, "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA" },
181 { 0x000015, "TLS_DHE_RSA_WITH_DES_CBC_SHA" },
182 { 0x000016, "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA" },
183 { 0x000017, "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5" },
184 { 0x000018, "TLS_DH_anon_WITH_RC4_128_MD5" },
185 { 0x000019, "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA" },
186 { 0x00001a, "TLS_DH_anon_WITH_DES_CBC_SHA" },
187 { 0x00001b, "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA" },
188 { 0x00001c, "SSL_FORTEZZA_KEA_WITH_NULL_SHA" },
189 { 0x00001d, "SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA" },
190#if 0
191 { 0x00001e, "SSL_FORTEZZA_KEA_WITH_RC4_128_SHA" },
192#endif
193 /* RFC 2712 */
194 { 0x00001E, "TLS_KRB5_WITH_DES_CBC_SHA" },
195 { 0x00001F, "TLS_KRB5_WITH_3DES_EDE_CBC_SHA" },
196 { 0x000020, "TLS_KRB5_WITH_RC4_128_SHA" },
197 { 0x000021, "TLS_KRB5_WITH_IDEA_CBC_SHA" },
198 { 0x000022, "TLS_KRB5_WITH_DES_CBC_MD5" },
199 { 0x000023, "TLS_KRB5_WITH_3DES_EDE_CBC_MD5" },
200 { 0x000024, "TLS_KRB5_WITH_RC4_128_MD5" },
201 { 0x000025, "TLS_KRB5_WITH_IDEA_CBC_MD5" },
202 { 0x000026, "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA" },
203 { 0x000027, "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA" },
204 { 0x000028, "TLS_KRB5_EXPORT_WITH_RC4_40_SHA" },
205 { 0x000029, "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5" },
206 { 0x00002A, "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5" },
207 { 0x00002B, "TLS_KRB5_EXPORT_WITH_RC4_40_MD5" },
208 /* RFC 4785 */
209 { 0x00002C, "TLS_PSK_WITH_NULL_SHA" },
210 { 0x00002D, "TLS_DHE_PSK_WITH_NULL_SHA" },
211 { 0x00002E, "TLS_RSA_PSK_WITH_NULL_SHA" },
212 /* RFC 5246 */
213 { 0x00002f, "TLS_RSA_WITH_AES_128_CBC_SHA" },
214 { 0x000030, "TLS_DH_DSS_WITH_AES_128_CBC_SHA" },
215 { 0x000031, "TLS_DH_RSA_WITH_AES_128_CBC_SHA" },
216 { 0x000032, "TLS_DHE_DSS_WITH_AES_128_CBC_SHA" },
217 { 0x000033, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA" },
218 { 0x000034, "TLS_DH_anon_WITH_AES_128_CBC_SHA" },
219 { 0x000035, "TLS_RSA_WITH_AES_256_CBC_SHA" },
220 { 0x000036, "TLS_DH_DSS_WITH_AES_256_CBC_SHA" },
221 { 0x000037, "TLS_DH_RSA_WITH_AES_256_CBC_SHA" },
222 { 0x000038, "TLS_DHE_DSS_WITH_AES_256_CBC_SHA" },
223 { 0x000039, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA" },
224 { 0x00003A, "TLS_DH_anon_WITH_AES_256_CBC_SHA" },
225 { 0x00003B, "TLS_RSA_WITH_NULL_SHA256" },
226 { 0x00003C, "TLS_RSA_WITH_AES_128_CBC_SHA256" },
227 { 0x00003D, "TLS_RSA_WITH_AES_256_CBC_SHA256" },
228 { 0x00003E, "TLS_DH_DSS_WITH_AES_128_CBC_SHA256" },
229 { 0x00003F, "TLS_DH_RSA_WITH_AES_128_CBC_SHA256" },
230 { 0x000040, "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256" },
231 { 0x000041, "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA" },
232 { 0x000042, "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA" },
233 { 0x000043, "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA" },
234 { 0x000044, "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA" },
235 { 0x000045, "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA" },
236 { 0x000046, "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA" },
237 { 0x000047, "TLS_ECDH_ECDSA_WITH_NULL_SHA" },
238 { 0x000048, "TLS_ECDH_ECDSA_WITH_RC4_128_SHA" },
239 { 0x000049, "TLS_ECDH_ECDSA_WITH_DES_CBC_SHA" },
240 { 0x00004A, "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA" },
241 { 0x00004B, "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA" },
242 { 0x00004C, "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" },
243 { 0x000060, "TLS_RSA_EXPORT1024_WITH_RC4_56_MD5" },
244 { 0x000061, "TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5" },
245 { 0x000062, "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA" },
246 { 0x000063, "TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA" },
247 { 0x000064, "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA" },
248 { 0x000065, "TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA" },
249 { 0x000066, "TLS_DHE_DSS_WITH_RC4_128_SHA" },
250 { 0x000067, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256" },
251 { 0x000068, "TLS_DH_DSS_WITH_AES_256_CBC_SHA256" },
252 { 0x000069, "TLS_DH_RSA_WITH_AES_256_CBC_SHA256" },
253 { 0x00006A, "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256" },
254 { 0x00006B, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256" },
255 { 0x00006C, "TLS_DH_anon_WITH_AES_128_CBC_SHA256" },
256 { 0x00006D, "TLS_DH_anon_WITH_AES_256_CBC_SHA256" },
257 /* 0x00,0x6E-83 Unassigned */
258 { 0x000084, "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA" },
259 { 0x000085, "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA" },
260 { 0x000086, "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA" },
261 { 0x000087, "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA" },
262 { 0x000088, "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA" },
263 { 0x000089, "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA" },
264 /* RFC 4279 */
265 { 0x00008A, "TLS_PSK_WITH_RC4_128_SHA" },
266 { 0x00008B, "TLS_PSK_WITH_3DES_EDE_CBC_SHA" },
267 { 0x00008C, "TLS_PSK_WITH_AES_128_CBC_SHA" },
268 { 0x00008D, "TLS_PSK_WITH_AES_256_CBC_SHA" },
269 { 0x00008E, "TLS_DHE_PSK_WITH_RC4_128_SHA" },
270 { 0x00008F, "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA" },
271 { 0x000090, "TLS_DHE_PSK_WITH_AES_128_CBC_SHA" },
272 { 0x000091, "TLS_DHE_PSK_WITH_AES_256_CBC_SHA" },
273 { 0x000092, "TLS_RSA_PSK_WITH_RC4_128_SHA" },
274 { 0x000093, "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA" },
275 { 0x000094, "TLS_RSA_PSK_WITH_AES_128_CBC_SHA" },
276 { 0x000095, "TLS_RSA_PSK_WITH_AES_256_CBC_SHA" },
277 /* RFC 4162 */
278 { 0x000096, "TLS_RSA_WITH_SEED_CBC_SHA" },
279 { 0x000097, "TLS_DH_DSS_WITH_SEED_CBC_SHA" },
280 { 0x000098, "TLS_DH_RSA_WITH_SEED_CBC_SHA" },
281 { 0x000099, "TLS_DHE_DSS_WITH_SEED_CBC_SHA" },
282 { 0x00009A, "TLS_DHE_RSA_WITH_SEED_CBC_SHA" },
283 { 0x00009B, "TLS_DH_anon_WITH_SEED_CBC_SHA" },
284 /* RFC 5288 */
285 { 0x00009C, "TLS_RSA_WITH_AES_128_GCM_SHA256" },
286 { 0x00009D, "TLS_RSA_WITH_AES_256_GCM_SHA384" },
287 { 0x00009E, "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256" },
288 { 0x00009F, "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384" },
289 { 0x0000A0, "TLS_DH_RSA_WITH_AES_128_GCM_SHA256" },
290 { 0x0000A1, "TLS_DH_RSA_WITH_AES_256_GCM_SHA384" },
291 { 0x0000A2, "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256" },
292 { 0x0000A3, "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384" },
293 { 0x0000A4, "TLS_DH_DSS_WITH_AES_128_GCM_SHA256" },
294 { 0x0000A5, "TLS_DH_DSS_WITH_AES_256_GCM_SHA384" },
295 { 0x0000A6, "TLS_DH_anon_WITH_AES_128_GCM_SHA256" },
296 { 0x0000A7, "TLS_DH_anon_WITH_AES_256_GCM_SHA384" },
297 /* RFC 5487 */
298 { 0x0000A8, "TLS_PSK_WITH_AES_128_GCM_SHA256" },
299 { 0x0000A9, "TLS_PSK_WITH_AES_256_GCM_SHA384" },
300 { 0x0000AA, "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256" },
301 { 0x0000AB, "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384" },
302 { 0x0000AC, "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256" },
303 { 0x0000AD, "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384" },
304 { 0x0000AE, "TLS_PSK_WITH_AES_128_CBC_SHA256" },
305 { 0x0000AF, "TLS_PSK_WITH_AES_256_CBC_SHA384" },
306 { 0x0000B0, "TLS_PSK_WITH_NULL_SHA256" },
307 { 0x0000B1, "TLS_PSK_WITH_NULL_SHA384" },
308 { 0x0000B2, "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256" },
309 { 0x0000B3, "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384" },
310 { 0x0000B4, "TLS_DHE_PSK_WITH_NULL_SHA256" },
311 { 0x0000B5, "TLS_DHE_PSK_WITH_NULL_SHA384" },
312 { 0x0000B6, "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256" },
313 { 0x0000B7, "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384" },
314 { 0x0000B8, "TLS_RSA_PSK_WITH_NULL_SHA256" },
315 { 0x0000B9, "TLS_RSA_PSK_WITH_NULL_SHA384" },
316 /* From RFC 5932 */
317 { 0x0000BA, "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
318 { 0x0000BB, "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256" },
319 { 0x0000BC, "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
320 { 0x0000BD, "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256" },
321 { 0x0000BE, "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
322 { 0x0000BF, "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256" },
323 { 0x0000C0, "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
324 { 0x0000C1, "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256" },
325 { 0x0000C2, "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
326 { 0x0000C3, "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256" },
327 { 0x0000C4, "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
328 { 0x0000C5, "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256" },
329 /* 0x00,0xC6-FE Unassigned */
330 { 0x0000FF, "TLS_EMPTY_RENEGOTIATION_INFO_SCSV" },
331 /* 0x01-BF,* Unassigned */
332 /* From RFC 4492 */
333 { 0x00c001, "TLS_ECDH_ECDSA_WITH_NULL_SHA" },
334 { 0x00c002, "TLS_ECDH_ECDSA_WITH_RC4_128_SHA" },
335 { 0x00c003, "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA" },
336 { 0x00c004, "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA" },
337 { 0x00c005, "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" },
338 { 0x00c006, "TLS_ECDHE_ECDSA_WITH_NULL_SHA" },
339 { 0x00c007, "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA" },
340 { 0x00c008, "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA" },
341 { 0x00c009, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA" },
342 { 0x00c00a, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" },
343 { 0x00c00b, "TLS_ECDH_RSA_WITH_NULL_SHA" },
344 { 0x00c00c, "TLS_ECDH_RSA_WITH_RC4_128_SHA" },
345 { 0x00c00d, "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA" },
346 { 0x00c00e, "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA" },
347 { 0x00c00f, "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA" },
348 { 0x00c010, "TLS_ECDHE_RSA_WITH_NULL_SHA" },
349 { 0x00c011, "TLS_ECDHE_RSA_WITH_RC4_128_SHA" },
350 { 0x00c012, "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA" },
351 { 0x00c013, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA" },
352 { 0x00c014, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA" },
353 { 0x00c015, "TLS_ECDH_anon_WITH_NULL_SHA" },
354 { 0x00c016, "TLS_ECDH_anon_WITH_RC4_128_SHA" },
355 { 0x00c017, "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA" },
356 { 0x00c018, "TLS_ECDH_anon_WITH_AES_128_CBC_SHA" },
357 { 0x00c019, "TLS_ECDH_anon_WITH_AES_256_CBC_SHA" },
358 /* RFC 5054 */
359 { 0x00C01A, "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA" },
360 { 0x00C01B, "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA" },
361 { 0x00C01C, "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA" },
362 { 0x00C01D, "TLS_SRP_SHA_WITH_AES_128_CBC_SHA" },
363 { 0x00C01E, "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA" },
364 { 0x00C01F, "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA" },
365 { 0x00C020, "TLS_SRP_SHA_WITH_AES_256_CBC_SHA" },
366 { 0x00C021, "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA" },
367 { 0x00C022, "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA" },
368 /* RFC 5589 */
369 { 0x00C023, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256" },
370 { 0x00C024, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384" },
371 { 0x00C025, "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256" },
372 { 0x00C026, "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384" },
373 { 0x00C027, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" },
374 { 0x00C028, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" },
375 { 0x00C029, "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256" },
376 { 0x00C02A, "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384" },
377 { 0x00C02B, "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" },
378 { 0x00C02C, "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" },
379 { 0x00C02D, "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256" },
380 { 0x00C02E, "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384" },
381 { 0x00C02F, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" },
382 { 0x00C030, "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" },
383 { 0x00C031, "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" },
384 { 0x00C032, "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384" },
385 /* RFC 5489 */
386 { 0x00C033, "TLS_ECDHE_PSK_WITH_RC4_128_SHA" },
387 { 0x00C034, "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA" },
388 { 0x00C035, "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA" },
389 { 0x00C036, "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA" },
390 { 0x00C037, "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256" },
391 { 0x00C038, "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384" },
392 { 0x00C039, "TLS_ECDHE_PSK_WITH_NULL_SHA" },
393 { 0x00C03A, "TLS_ECDHE_PSK_WITH_NULL_SHA256" },
394 { 0x00C03B, "TLS_ECDHE_PSK_WITH_NULL_SHA384" },
395 /* 0xC0,0x3C-FF Unassigned
396 0xC1-FD,* Unassigned
397 0xFE,0x00-FD Unassigned
398 0xFE,0xFE-FF Reserved to avoid conflicts with widely deployed implementations [Pasi_Eronen]
399 0xFF,0x00-FF Reserved for Private Use [RFC5246]
400 */
401
402 /* old numbers used in the beginning
403 * https://tools.ietf.org/html/draft-agl-tls-chacha20poly1305 */
404 { 0x00CC13, "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
405 { 0x00CC14, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" },
406 { 0x00CC15, "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
407
408 /* https://tools.ietf.org/html/rfc7905 */
409 { 0x00CCA8, "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
410 { 0x00CCA9, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" },
411 { 0x00CCAA, "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
412 { 0x00CCAB, "TLS_PSK_WITH_CHACHA20_POLY1305_SHA256" },
413 { 0x00CCAC, "TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256" },
414 { 0x00CCAD, "TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256" },
415 { 0x00CCAE, "TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256" },
416
417 /* GM/T 0024-2014 */
418 { 0x00e001, "ECDHE_SM1_SM3"},
419 { 0x00e003, "ECC_SM1_SM3"},
420 { 0x00e005, "IBSDH_SM1_SM3"},
421 { 0x00e007, "IBC_SM1_SM3"},
422 { 0x00e009, "RSA_SM1_SM3"},
423 { 0x00e00a, "RSA_SM1_SHA1"},
424 { 0x00e011, "ECDHE_SM4_CBC_SM3"},
425 { 0x00e013, "ECC_SM4_CBC_SM3"},
426 { 0x00e015, "IBSDH_SM4_CBC_SM3"},
427 { 0x00e017, "IBC_SM4_CBC_SM3"},
428 { 0x00e019, "RSA_SM4_CBC_SM3"},
429 { 0x00e01a, "RSA_SM4_CBC_SHA1"},
430 { 0x00e01c, "RSA_SM4_CBC_SHA256"},
431 { 0x00e051, "ECDHE_SM4_GCM_SM3"},
432 { 0x00e053, "ECC_SM4_GCM_SM3"},
433 { 0x00e055, "IBSDH_SM4_GCM_SM3"},
434 { 0x00e057, "IBC_SM4_GCM_SM3"},
435 { 0x00e059, "RSA_SM4_GCM_SM3"},
436 { 0x00e05a, "RSA_SM4_GCM_SHA256"},
437
438 /* https://tools.ietf.org/html/draft-josefsson-salsa20-tls */
439 { 0x00E410, "TLS_RSA_WITH_ESTREAM_SALSA20_SHA1" },
440 { 0x00E411, "TLS_RSA_WITH_SALSA20_SHA1" },
441 { 0x00E412, "TLS_ECDHE_RSA_WITH_ESTREAM_SALSA20_SHA1" },
442 { 0x00E413, "TLS_ECDHE_RSA_WITH_SALSA20_SHA1" },
443 { 0x00E414, "TLS_ECDHE_ECDSA_WITH_ESTREAM_SALSA20_SHA1" },
444 { 0x00E415, "TLS_ECDHE_ECDSA_WITH_SALSA20_SHA1" },
445 { 0x00E416, "TLS_PSK_WITH_ESTREAM_SALSA20_SHA1" },
446 { 0x00E417, "TLS_PSK_WITH_SALSA20_SHA1" },
447 { 0x00E418, "TLS_ECDHE_PSK_WITH_ESTREAM_SALSA20_SHA1" },
448 { 0x00E419, "TLS_ECDHE_PSK_WITH_SALSA20_SHA1" },
449 { 0x00E41A, "TLS_RSA_PSK_WITH_ESTREAM_SALSA20_SHA1" },
450 { 0x00E41B, "TLS_RSA_PSK_WITH_SALSA20_SHA1" },
451 { 0x00E41C, "TLS_DHE_PSK_WITH_ESTREAM_SALSA20_SHA1" },
452 { 0x00E41D, "TLS_DHE_PSK_WITH_SALSA20_SHA1" },
453 { 0x00E41E, "TLS_DHE_RSA_WITH_ESTREAM_SALSA20_SHA1" },
454 { 0x00E41F, "TLS_DHE_RSA_WITH_SALSA20_SHA1" },
455
456 /* these from http://www.mozilla.org/projects/
457 security/pki/nss/ssl/fips-ssl-ciphersuites.html */
458 { 0x00fefe, "SSL_RSA_FIPS_WITH_DES_CBC_SHA"},
459 { 0x00feff, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA" },
460 { 0x00ffe0, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA" },
461 { 0x00ffe1, "SSL_RSA_FIPS_WITH_DES_CBC_SHA"},
462 /* note that ciphersuites of {0x00????} are TLS cipher suites in
463 * a sslv2 client hello message; the ???? above is the two-byte
464 * tls cipher suite id
465 */
466
467 { 0x010080, "SSL2_RC4_128_WITH_MD5" },
468 { 0x020080, "SSL2_RC4_128_EXPORT40_WITH_MD5" },
469 { 0x030080, "SSL2_RC2_128_CBC_WITH_MD5" },
470 { 0x040080, "SSL2_RC2_128_CBC_EXPORT40_WITH_MD5" },
471 { 0x050080, "SSL2_IDEA_128_CBC_WITH_MD5" },
472 { 0x060040, "SSL2_DES_64_CBC_WITH_MD5" },
473 { 0x0700c0, "SSL2_DES_192_EDE3_CBC_WITH_MD5" },
474 { 0x080080, "SSL2_RC4_64_WITH_MD5" },
475
476 { 0x00, NULL((void*)0) }
477};
478
479value_string_ext ssl_20_cipher_suites_ext = VALUE_STRING_EXT_INIT(ssl_20_cipher_suites){ _try_val_to_str_ext_init, 0, (sizeof (ssl_20_cipher_suites)
/ sizeof ((ssl_20_cipher_suites)[0]))-1, ssl_20_cipher_suites
, "ssl_20_cipher_suites", ((void*)0) };
480
481
482/*
483 * Supported Groups (formerly named "EC Named Curve").
484 * https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8
485 */
486const value_string ssl_extension_curves[] = {
487 { 1, "sect163k1" },
488 { 2, "sect163r1" },
489 { 3, "sect163r2" },
490 { 4, "sect193r1" },
491 { 5, "sect193r2" },
492 { 6, "sect233k1" },
493 { 7, "sect233r1" },
494 { 8, "sect239k1" },
495 { 9, "sect283k1" },
496 { 10, "sect283r1" },
497 { 11, "sect409k1" },
498 { 12, "sect409r1" },
499 { 13, "sect571k1" },
500 { 14, "sect571r1" },
501 { 15, "secp160k1" },
502 { 16, "secp160r1" },
503 { 17, "secp160r2" },
504 { 18, "secp192k1" },
505 { 19, "secp192r1" },
506 { 20, "secp224k1" },
507 { 21, "secp224r1" },
508 { 22, "secp256k1" },
509 { 23, "secp256r1" },
510 { 24, "secp384r1" },
511 { 25, "secp521r1" },
512 { 26, "brainpoolP256r1" }, /* RFC 7027 */
513 { 27, "brainpoolP384r1" }, /* RFC 7027 */
514 { 28, "brainpoolP512r1" }, /* RFC 7027 */
515 { 29, "x25519" }, /* RFC 8446 / RFC 8422 */
516 { 30, "x448" }, /* RFC 8446 / RFC 8422 */
517 { 31, "brainpoolP256r1tls13" }, /* RFC8734 */
518 { 32, "brainpoolP384r1tls13" }, /* RFC8734 */
519 { 33, "brainpoolP512r1tls13" }, /* RFC8734 */
520 { 34, "GC256A" }, /* RFC9189 */
521 { 35, "GC256B" }, /* RFC9189 */
522 { 36, "GC256C" }, /* RFC9189 */
523 { 37, "GC256D" }, /* RFC9189 */
524 { 38, "GC512A" }, /* RFC9189 */
525 { 39, "GC512B" }, /* RFC9189 */
526 { 40, "GC512C" }, /* RFC9189 */
527 { 41, "curveSM2" }, /* RFC 8998 */
528 { 256, "ffdhe2048" }, /* RFC 7919 */
529 { 257, "ffdhe3072" }, /* RFC 7919 */
530 { 258, "ffdhe4096" }, /* RFC 7919 */
531 { 259, "ffdhe6144" }, /* RFC 7919 */
532 { 260, "ffdhe8192" }, /* RFC 7919 */
533 { 512, "MLKEM512"}, /* draft-connolly-tls-mlkem-key-agreement-03 */
534 { 513, "MLKEM768"}, /* draft-connolly-tls-mlkem-key-agreement-03 */
535 { 514, "MLKEM1024"}, /* draft-connolly-tls-mlkem-key-agreement-03 */
536 { 2570, "Reserved (GREASE)" }, /* RFC 8701 */
537 { 4587, "SecP256r1MLKEM768" }, /* draft-kwiatkowski-tls-ecdhe-mlkem-02 */
538 { 4588, "X25519MLKEM768" }, /* draft-kwiatkowski-tls-ecdhe-mlkem-03 */
539 { 4589, "SecP384r1MLKEM1024" }, /* draft-kwiatkowski-tls-ecdhe-mlkem-03 */
540 { 6682, "Reserved (GREASE)" }, /* RFC 8701 */
541 { 10794, "Reserved (GREASE)" }, /* RFC 8701 */
542 { 14906, "Reserved (GREASE)" }, /* RFC 8701 */
543 { 19018, "Reserved (GREASE)" }, /* RFC 8701 */
544 { 23130, "Reserved (GREASE)" }, /* RFC 8701 */
545 { 25497, "X25519Kyber768Draft00 (OBSOLETE)" }, /* draft-tls-westerbaan-xyber768d00-02 */
546 { 25498, "SecP256r1Kyber768Draft00 (OBSOLETE)" }, /* draft-kwiatkowski-tls-ecdhe-kyber-01 */
547 { 27242, "Reserved (GREASE)" }, /* RFC 8701 */
548 { 31354, "Reserved (GREASE)" }, /* RFC 8701 */
549 { 35466, "Reserved (GREASE)" }, /* RFC 8701 */
550 { 39578, "Reserved (GREASE)" }, /* RFC 8701 */
551 { 43690, "Reserved (GREASE)" }, /* RFC 8701 */
552 { 47802, "Reserved (GREASE)" }, /* RFC 8701 */
553 { 51914, "Reserved (GREASE)" }, /* RFC 8701 */
554 { 56026, "Reserved (GREASE)" }, /* RFC 8701 */
555 { 60138, "Reserved (GREASE)" }, /* RFC 8701 */
556 { 64250, "Reserved (GREASE)" }, /* RFC 8701 */
557 { 0xFF01, "arbitrary_explicit_prime_curves" },
558 { 0xFF02, "arbitrary_explicit_char2_curves" },
559 /* Below are various unofficial values that have been used for testing. */
560 /* PQC key exchange algorithms from OQS-OpenSSL,
561 see https://github.com/open-quantum-safe/oqs-provider/blob/main/oqs-template/oqs-kem-info.md
562 These use IANA unassigned values and this list may be incomplete.
563 */
564 { 0x2F00, "p256_frodo640aes" },
565 { 0x2F01, "p256_frodo640shake" },
566 { 0x2F02, "p384_frodo976aes" },
567 { 0x0203, "frodo976shake" },
568 { 0x2F03, "p384_frodo976shake" },
569 { 0x0204, "frodo1344aes" },
570 { 0x2F04, "p521_frodo1344aes" },
571 { 0x0205, "frodo1344shake" },
572 { 0x2F05, "p521_frodo1344shake" },
573 { 0x023A, "kyber512" },
574 { 0x2F3A, "p256_kyber512" },
575 { 0x023C, "kyber768" },
576 { 0x2F3C, "p384_kyber768" },
577 { 0x023D, "kyber1024" },
578 { 0x2F3D, "p521_kyber1024" },
579 { 0x0214, "ntru_hps2048509" },
580 { 0x2F14, "p256_ntru_hps2048509" },
581 { 0x0215, "ntru_hps2048677" },
582 { 0x2F15, "p384_ntru_hps2048677" },
583 { 0x0216, "ntru_hps4096821" },
584 { 0x2F16, "p521_ntru_hps4096821" },
585 { 0x0245, "ntru_hps40961229" },
586 { 0x2F45, "p521_ntru_hps40961229" },
587 { 0x0217, "ntru_hrss701" },
588 { 0x2F17, "p384_ntru_hrss701" },
589 { 0x0246, "ntru_hrss1373" },
590 { 0x2F46, "p521_ntru_hrss1373" },
591 { 0x0218, "lightsaber" },
592 { 0x2F18, "p256_lightsaber" },
593 { 0x0219, "saber" },
594 { 0x2F19, "p384_saber" },
595 { 0x021A, "firesaber" },
596 { 0x2F1A, "p521_firesaber" },
597 { 0x021B, "sidhp434" },
598 { 0x2F1B, "p256_sidhp434" },
599 { 0x021C, "sidhp503" },
600 { 0x2F1C, "p256_sidhp503" },
601 { 0x021D, "sidhp610" },
602 { 0x2F1D, "p384_sidhp610" },
603 { 0x021E, "sidhp751" },
604 { 0x2F1E, "p521_sidhp751" },
605 { 0x021F, "sikep434" },
606 { 0x2F1F, "p256_sikep434" },
607 { 0x0220, "sikep503" },
608 { 0x2F20, "p256_sikep503" },
609 { 0x0221, "sikep610" },
610 { 0x2F21, "p384_sikep610" },
611 { 0x0222, "sikep751" },
612 { 0x2F22, "p521_sikep751" },
613 { 0x0238, "bikel1" },
614 { 0x2F38, "p256_bikel1" },
615 { 0x023B, "bikel3" },
616 { 0x2F3B, "p384_bikel3" },
617 { 0x023E, "kyber90s512" },
618 { 0x2F3E, "p256_kyber90s512" },
619 { 0x023F, "kyber90s768" },
620 { 0x2F3F, "p384_kyber90s768" },
621 { 0x0240, "kyber90s1024" },
622 { 0x2F40, "p521_kyber90s1024" },
623 { 0x022C, "hqc128" },
624 { 0x2F2C, "p256_hqc128" },
625 { 0x022D, "hqc192" },
626 { 0x2F2D, "p384_hqc192" },
627 { 0x022E, "hqc256" },
628 { 0x2F2E, "p521_hqc256" },
629 { 0x022F, "ntrulpr653" },
630 { 0x2F2F, "p256_ntrulpr653" },
631 { 0x0230, "ntrulpr761" },
632 { 0x2F43, "p256_ntrulpr761" },
633 { 0x0231, "ntrulpr857" },
634 { 0x2F31, "p384_ntrulpr857" },
635 { 0x0241, "ntrulpr1277" },
636 { 0x2F41, "p521_ntrulpr1277" },
637 { 0x0232, "sntrup653" },
638 { 0x2F32, "p256_sntrup653" },
639 { 0x0233, "sntrup761" },
640 { 0x2F44, "p256_sntrup761" },
641 { 0x0234, "sntrup857" },
642 { 0x2F34, "p384_sntrup857" },
643 { 0x0242, "sntrup1277" },
644 { 0x2F42, "p521_sntrup1277" },
645 /* Other PQ key exchange algorithms, using Reserved for Private Use values
646 https://blog.cloudflare.com/post-quantum-for-all
647 https://www.ietf.org/archive/id/draft-tls-westerbaan-xyber768d00-02.txt */
648 { 0xFE30, "X25519Kyber512Draft00 (OBSOLETE)" },
649 { 0xFE31, "X25519Kyber768Draft00 (OBSOLETE)" },
650 { 0x00, NULL((void*)0) }
651};
652
653const value_string ssl_curve_types[] = {
654 { 1, "explicit_prime" },
655 { 2, "explicit_char2" },
656 { 3, "named_curve" },
657 { 0x00, NULL((void*)0) }
658};
659
660const value_string ssl_extension_ec_point_formats[] = {
661 { 0, "uncompressed" },
662 { 1, "ansiX962_compressed_prime" },
663 { 2, "ansiX962_compressed_char2" },
664 { 0x00, NULL((void*)0) }
665};
666
667const value_string ssl_20_certificate_type[] = {
668 { 0x00, "N/A" },
669 { 0x01, "X.509 Certificate" },
670 { 0x00, NULL((void*)0) }
671};
672
673const value_string ssl_31_content_type[] = {
674 { 20, "Change Cipher Spec" },
675 { 21, "Alert" },
676 { 22, "Handshake" },
677 { 23, "Application Data" },
678 { 24, "Heartbeat" },
679 { 25, "Connection ID" },
680 { 0x00, NULL((void*)0) }
681};
682
683#if 0
684/* XXX - would be used if we dissected the body of a Change Cipher Spec
685 message. */
686const value_string ssl_31_change_cipher_spec[] = {
687 { 1, "Change Cipher Spec" },
688 { 0x00, NULL((void*)0) }
689};
690#endif
691
692const value_string ssl_31_alert_level[] = {
693 { 1, "Warning" },
694 { 2, "Fatal" },
695 { 0x00, NULL((void*)0) }
696};
697
698const value_string ssl_31_alert_description[] = {
699 { 0, "Close Notify" },
700 { 1, "End of Early Data" },
701 { 10, "Unexpected Message" },
702 { 20, "Bad Record MAC" },
703 { 21, "Decryption Failed" },
704 { 22, "Record Overflow" },
705 { 30, "Decompression Failure" },
706 { 40, "Handshake Failure" },
707 { 41, "No Certificate" },
708 { 42, "Bad Certificate" },
709 { 43, "Unsupported Certificate" },
710 { 44, "Certificate Revoked" },
711 { 45, "Certificate Expired" },
712 { 46, "Certificate Unknown" },
713 { 47, "Illegal Parameter" },
714 { 48, "Unknown CA" },
715 { 49, "Access Denied" },
716 { 50, "Decode Error" },
717 { 51, "Decrypt Error" },
718 { 60, "Export Restriction" },
719 { 70, "Protocol Version" },
720 { 71, "Insufficient Security" },
721 { 80, "Internal Error" },
722 { 86, "Inappropriate Fallback" },
723 { 90, "User Canceled" },
724 { 100, "No Renegotiation" },
725 { 109, "Missing Extension" },
726 { 110, "Unsupported Extension" },
727 { 111, "Certificate Unobtainable" },
728 { 112, "Unrecognized Name" },
729 { 113, "Bad Certificate Status Response" },
730 { 114, "Bad Certificate Hash Value" },
731 { 115, "Unknown PSK Identity" },
732 { 116, "Certificate Required" },
733 { 120, "No application Protocol" },
734 { 121, "ECH Required" },
735 { 0x00, NULL((void*)0) }
736};
737
738const value_string ssl_31_handshake_type[] = {
739 { SSL_HND_HELLO_REQUEST, "Hello Request" },
740 { SSL_HND_CLIENT_HELLO, "Client Hello" },
741 { SSL_HND_SERVER_HELLO, "Server Hello" },
742 { SSL_HND_HELLO_VERIFY_REQUEST, "Hello Verify Request"},
743 { SSL_HND_NEWSESSION_TICKET, "New Session Ticket" },
744 { SSL_HND_END_OF_EARLY_DATA, "End of Early Data" },
745 { SSL_HND_HELLO_RETRY_REQUEST, "Hello Retry Request" },
746 { SSL_HND_ENCRYPTED_EXTENSIONS, "Encrypted Extensions" },
747 { SSL_HND_CERTIFICATE, "Certificate" },
748 { SSL_HND_SERVER_KEY_EXCHG, "Server Key Exchange" },
749 { SSL_HND_CERT_REQUEST, "Certificate Request" },
750 { SSL_HND_SVR_HELLO_DONE, "Server Hello Done" },
751 { SSL_HND_CERT_VERIFY, "Certificate Verify" },
752 { SSL_HND_CLIENT_KEY_EXCHG, "Client Key Exchange" },
753 { SSL_HND_FINISHED, "Finished" },
754 { SSL_HND_CERT_URL, "Client Certificate URL" },
755 { SSL_HND_CERT_STATUS, "Certificate Status" },
756 { SSL_HND_SUPPLEMENTAL_DATA, "Supplemental Data" },
757 { SSL_HND_KEY_UPDATE, "Key Update" },
758 { SSL_HND_COMPRESSED_CERTIFICATE, "Compressed Certificate" },
759 { SSL_HND_ENCRYPTED_EXTS, "Encrypted Extensions" },
760 { 0x00, NULL((void*)0) }
761};
762
763const value_string tls_heartbeat_type[] = {
764 { 1, "Request" },
765 { 2, "Response" },
766 { 0x00, NULL((void*)0) }
767};
768
769const value_string tls_heartbeat_mode[] = {
770 { 1, "Peer allowed to send requests" },
771 { 2, "Peer not allowed to send requests" },
772 { 0x00, NULL((void*)0) }
773};
774
775const value_string ssl_31_compression_method[] = {
776 { 0, "null" },
777 { 1, "DEFLATE" },
778 { 64, "LZS" },
779 { 0x00, NULL((void*)0) }
780};
781
782#if 0
783/* XXX - would be used if we dissected a Signature, as would be
784 seen in a server key exchange or certificate verify message. */
785const value_string ssl_31_key_exchange_algorithm[] = {
786 { 0, "RSA" },
787 { 1, "Diffie Hellman" },
788 { 0x00, NULL((void*)0) }
789};
790
791const value_string ssl_31_signature_algorithm[] = {
792 { 0, "Anonymous" },
793 { 1, "RSA" },
794 { 2, "DSA" },
795 { 0x00, NULL((void*)0) }
796};
797#endif
798
799const value_string ssl_31_client_certificate_type[] = {
800 { 1, "RSA Sign" },
801 { 2, "DSS Sign" },
802 { 3, "RSA Fixed DH" },
803 { 4, "DSS Fixed DH" },
804 /* GOST certificate types */
805 /* Section 3.5 of draft-chudov-cryptopro-cptls-04 */
806 { 21, "GOST R 34.10-94" },
807 { 22, "GOST R 34.10-2001" },
808 /* END GOST certificate types */
809 { 64, "ECDSA Sign" },
810 { 65, "RSA Fixed ECDH" },
811 { 66, "ECDSA Fixed ECDH" },
812 { 80, "IBC Params" },
813 { 0x00, NULL((void*)0) }
814};
815
816#if 0
817/* XXX - would be used if we dissected exchange keys, as would be
818 seen in a client key exchange message. */
819const value_string ssl_31_public_value_encoding[] = {
820 { 0, "Implicit" },
821 { 1, "Explicit" },
822 { 0x00, NULL((void*)0) }
823};
824#endif
825
826/* http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml */
827/* Note: sorted by ascending value so value_string_ext fcns can do a binary search */
828static const value_string ssl_31_ciphersuite[] = {
829 /* RFC 2246, RFC 4346, RFC 5246 */
830 { 0x0000, "TLS_NULL_WITH_NULL_NULL" },
831 { 0x0001, "TLS_RSA_WITH_NULL_MD5" },
832 { 0x0002, "TLS_RSA_WITH_NULL_SHA" },
833 { 0x0003, "TLS_RSA_EXPORT_WITH_RC4_40_MD5" },
834 { 0x0004, "TLS_RSA_WITH_RC4_128_MD5" },
835 { 0x0005, "TLS_RSA_WITH_RC4_128_SHA" },
836 { 0x0006, "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5" },
837 { 0x0007, "TLS_RSA_WITH_IDEA_CBC_SHA" },
838 { 0x0008, "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA" },
839 { 0x0009, "TLS_RSA_WITH_DES_CBC_SHA" },
840 { 0x000a, "TLS_RSA_WITH_3DES_EDE_CBC_SHA" },
841 { 0x000b, "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA" },
842 { 0x000c, "TLS_DH_DSS_WITH_DES_CBC_SHA" },
843 { 0x000d, "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA" },
844 { 0x000e, "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA" },
845 { 0x000f, "TLS_DH_RSA_WITH_DES_CBC_SHA" },
846 { 0x0010, "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA" },
847 { 0x0011, "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA" },
848 { 0x0012, "TLS_DHE_DSS_WITH_DES_CBC_SHA" },
849 { 0x0013, "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA" },
850 { 0x0014, "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA" },
851 { 0x0015, "TLS_DHE_RSA_WITH_DES_CBC_SHA" },
852 { 0x0016, "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA" },
853 { 0x0017, "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5" },
854 { 0x0018, "TLS_DH_anon_WITH_RC4_128_MD5" },
855 { 0x0019, "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA" },
856 { 0x001a, "TLS_DH_anon_WITH_DES_CBC_SHA" },
857 { 0x001b, "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA" },
858
859 { 0x001c, "SSL_FORTEZZA_KEA_WITH_NULL_SHA" },
860 { 0x001d, "SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA" },
861#if 0 /* Because it clashes with KRB5, is never used any more, and is safe
862 to remove according to David Hopwood <david.hopwood@zetnet.co.uk>
863 of the ietf-tls list */
864 { 0x001e, "SSL_FORTEZZA_KEA_WITH_RC4_128_SHA" },
865#endif
866 /* RFC 2712 */
867 { 0x001E, "TLS_KRB5_WITH_DES_CBC_SHA" },
868 { 0x001F, "TLS_KRB5_WITH_3DES_EDE_CBC_SHA" },
869 { 0x0020, "TLS_KRB5_WITH_RC4_128_SHA" },
870 { 0x0021, "TLS_KRB5_WITH_IDEA_CBC_SHA" },
871 { 0x0022, "TLS_KRB5_WITH_DES_CBC_MD5" },
872 { 0x0023, "TLS_KRB5_WITH_3DES_EDE_CBC_MD5" },
873 { 0x0024, "TLS_KRB5_WITH_RC4_128_MD5" },
874 { 0x0025, "TLS_KRB5_WITH_IDEA_CBC_MD5" },
875 { 0x0026, "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA" },
876 { 0x0027, "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA" },
877 { 0x0028, "TLS_KRB5_EXPORT_WITH_RC4_40_SHA" },
878 { 0x0029, "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5" },
879 { 0x002A, "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5" },
880 { 0x002B, "TLS_KRB5_EXPORT_WITH_RC4_40_MD5" },
881 /* RFC 4785 */
882 { 0x002C, "TLS_PSK_WITH_NULL_SHA" },
883 { 0x002D, "TLS_DHE_PSK_WITH_NULL_SHA" },
884 { 0x002E, "TLS_RSA_PSK_WITH_NULL_SHA" },
885 /* RFC 5246 */
886 { 0x002F, "TLS_RSA_WITH_AES_128_CBC_SHA" },
887 { 0x0030, "TLS_DH_DSS_WITH_AES_128_CBC_SHA" },
888 { 0x0031, "TLS_DH_RSA_WITH_AES_128_CBC_SHA" },
889 { 0x0032, "TLS_DHE_DSS_WITH_AES_128_CBC_SHA" },
890 { 0x0033, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA" },
891 { 0x0034, "TLS_DH_anon_WITH_AES_128_CBC_SHA" },
892 { 0x0035, "TLS_RSA_WITH_AES_256_CBC_SHA" },
893 { 0x0036, "TLS_DH_DSS_WITH_AES_256_CBC_SHA" },
894 { 0x0037, "TLS_DH_RSA_WITH_AES_256_CBC_SHA" },
895 { 0x0038, "TLS_DHE_DSS_WITH_AES_256_CBC_SHA" },
896 { 0x0039, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA" },
897 { 0x003A, "TLS_DH_anon_WITH_AES_256_CBC_SHA" },
898 { 0x003B, "TLS_RSA_WITH_NULL_SHA256" },
899 { 0x003C, "TLS_RSA_WITH_AES_128_CBC_SHA256" },
900 { 0x003D, "TLS_RSA_WITH_AES_256_CBC_SHA256" },
901 { 0x003E, "TLS_DH_DSS_WITH_AES_128_CBC_SHA256" },
902 { 0x003F, "TLS_DH_RSA_WITH_AES_128_CBC_SHA256" },
903 { 0x0040, "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256" },
904 /* RFC 4132 */
905 { 0x0041, "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA" },
906 { 0x0042, "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA" },
907 { 0x0043, "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA" },
908 { 0x0044, "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA" },
909 { 0x0045, "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA" },
910 { 0x0046, "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA" },
911 /* 0x00,0x60-66 Reserved to avoid conflicts with widely deployed implementations */
912 /* --- ??? --- */
913 { 0x0060, "TLS_RSA_EXPORT1024_WITH_RC4_56_MD5" },
914 { 0x0061, "TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5" },
915 /* draft-ietf-tls-56-bit-ciphersuites-01.txt */
916 { 0x0062, "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA" },
917 { 0x0063, "TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA" },
918 { 0x0064, "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA" },
919 { 0x0065, "TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA" },
920 { 0x0066, "TLS_DHE_DSS_WITH_RC4_128_SHA" },
921 /* --- ??? ---*/
922 { 0x0067, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256" },
923 { 0x0068, "TLS_DH_DSS_WITH_AES_256_CBC_SHA256" },
924 { 0x0069, "TLS_DH_RSA_WITH_AES_256_CBC_SHA256" },
925 { 0x006A, "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256" },
926 { 0x006B, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256" },
927 { 0x006C, "TLS_DH_anon_WITH_AES_128_CBC_SHA256" },
928 { 0x006D, "TLS_DH_anon_WITH_AES_256_CBC_SHA256" },
929 /* draft-chudov-cryptopro-cptls-04.txt */
930 { 0x0080, "TLS_GOSTR341094_WITH_28147_CNT_IMIT" },
931 { 0x0081, "TLS_GOSTR341001_WITH_28147_CNT_IMIT" },
932 { 0x0082, "TLS_GOSTR341094_WITH_NULL_GOSTR3411" },
933 { 0x0083, "TLS_GOSTR341001_WITH_NULL_GOSTR3411" },
934 /* RFC 4132 */
935 { 0x0084, "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA" },
936 { 0x0085, "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA" },
937 { 0x0086, "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA" },
938 { 0x0087, "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA" },
939 { 0x0088, "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA" },
940 { 0x0089, "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA" },
941 /* RFC 4279 */
942 { 0x008A, "TLS_PSK_WITH_RC4_128_SHA" },
943 { 0x008B, "TLS_PSK_WITH_3DES_EDE_CBC_SHA" },
944 { 0x008C, "TLS_PSK_WITH_AES_128_CBC_SHA" },
945 { 0x008D, "TLS_PSK_WITH_AES_256_CBC_SHA" },
946 { 0x008E, "TLS_DHE_PSK_WITH_RC4_128_SHA" },
947 { 0x008F, "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA" },
948 { 0x0090, "TLS_DHE_PSK_WITH_AES_128_CBC_SHA" },
949 { 0x0091, "TLS_DHE_PSK_WITH_AES_256_CBC_SHA" },
950 { 0x0092, "TLS_RSA_PSK_WITH_RC4_128_SHA" },
951 { 0x0093, "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA" },
952 { 0x0094, "TLS_RSA_PSK_WITH_AES_128_CBC_SHA" },
953 { 0x0095, "TLS_RSA_PSK_WITH_AES_256_CBC_SHA" },
954 /* RFC 4162 */
955 { 0x0096, "TLS_RSA_WITH_SEED_CBC_SHA" },
956 { 0x0097, "TLS_DH_DSS_WITH_SEED_CBC_SHA" },
957 { 0x0098, "TLS_DH_RSA_WITH_SEED_CBC_SHA" },
958 { 0x0099, "TLS_DHE_DSS_WITH_SEED_CBC_SHA" },
959 { 0x009A, "TLS_DHE_RSA_WITH_SEED_CBC_SHA" },
960 { 0x009B, "TLS_DH_anon_WITH_SEED_CBC_SHA" },
961 /* RFC 5288 */
962 { 0x009C, "TLS_RSA_WITH_AES_128_GCM_SHA256" },
963 { 0x009D, "TLS_RSA_WITH_AES_256_GCM_SHA384" },
964 { 0x009E, "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256" },
965 { 0x009F, "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384" },
966 { 0x00A0, "TLS_DH_RSA_WITH_AES_128_GCM_SHA256" },
967 { 0x00A1, "TLS_DH_RSA_WITH_AES_256_GCM_SHA384" },
968 { 0x00A2, "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256" },
969 { 0x00A3, "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384" },
970 { 0x00A4, "TLS_DH_DSS_WITH_AES_128_GCM_SHA256" },
971 { 0x00A5, "TLS_DH_DSS_WITH_AES_256_GCM_SHA384" },
972 { 0x00A6, "TLS_DH_anon_WITH_AES_128_GCM_SHA256" },
973 { 0x00A7, "TLS_DH_anon_WITH_AES_256_GCM_SHA384" },
974 /* RFC 5487 */
975 { 0x00A8, "TLS_PSK_WITH_AES_128_GCM_SHA256" },
976 { 0x00A9, "TLS_PSK_WITH_AES_256_GCM_SHA384" },
977 { 0x00AA, "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256" },
978 { 0x00AB, "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384" },
979 { 0x00AC, "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256" },
980 { 0x00AD, "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384" },
981 { 0x00AE, "TLS_PSK_WITH_AES_128_CBC_SHA256" },
982 { 0x00AF, "TLS_PSK_WITH_AES_256_CBC_SHA384" },
983 { 0x00B0, "TLS_PSK_WITH_NULL_SHA256" },
984 { 0x00B1, "TLS_PSK_WITH_NULL_SHA384" },
985 { 0x00B2, "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256" },
986 { 0x00B3, "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384" },
987 { 0x00B4, "TLS_DHE_PSK_WITH_NULL_SHA256" },
988 { 0x00B5, "TLS_DHE_PSK_WITH_NULL_SHA384" },
989 { 0x00B6, "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256" },
990 { 0x00B7, "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384" },
991 { 0x00B8, "TLS_RSA_PSK_WITH_NULL_SHA256" },
992 { 0x00B9, "TLS_RSA_PSK_WITH_NULL_SHA384" },
993 /* From RFC 5932 */
994 { 0x00BA, "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
995 { 0x00BB, "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256" },
996 { 0x00BC, "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
997 { 0x00BD, "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256" },
998 { 0x00BE, "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
999 { 0x00BF, "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256" },
1000 { 0x00C0, "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
1001 { 0x00C1, "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256" },
1002 { 0x00C2, "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
1003 { 0x00C3, "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256" },
1004 { 0x00C4, "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
1005 { 0x00C5, "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256" },
1006 /* RFC 8998 */
1007 { 0x00C6, "TLS_SM4_GCM_SM3" },
1008 { 0x00C7, "TLS_SM4_CCM_SM3" },
1009 /* 0x00,0xC8-FE Unassigned */
1010 /* From RFC 5746 */
1011 { 0x00FF, "TLS_EMPTY_RENEGOTIATION_INFO_SCSV" },
1012 /* RFC 8701 */
1013 { 0x0A0A, "Reserved (GREASE)" },
1014 /* RFC 8446 */
1015 { 0x1301, "TLS_AES_128_GCM_SHA256" },
1016 { 0x1302, "TLS_AES_256_GCM_SHA384" },
1017 { 0x1303, "TLS_CHACHA20_POLY1305_SHA256" },
1018 { 0x1304, "TLS_AES_128_CCM_SHA256" },
1019 { 0x1305, "TLS_AES_128_CCM_8_SHA256" },
1020 /* RFC 8701 */
1021 { 0x1A1A, "Reserved (GREASE)" },
1022 { 0x2A2A, "Reserved (GREASE)" },
1023 { 0x3A3A, "Reserved (GREASE)" },
1024 { 0x4A4A, "Reserved (GREASE)" },
1025 /* From RFC 7507 */
1026 { 0x5600, "TLS_FALLBACK_SCSV" },
1027 /* RFC 8701 */
1028 { 0x5A5A, "Reserved (GREASE)" },
1029 { 0x6A6A, "Reserved (GREASE)" },
1030 { 0x7A7A, "Reserved (GREASE)" },
1031 { 0x8A8A, "Reserved (GREASE)" },
1032 { 0x9A9A, "Reserved (GREASE)" },
1033 { 0xAAAA, "Reserved (GREASE)" },
1034 { 0xBABA, "Reserved (GREASE)" },
1035 /* From RFC 4492 */
1036 { 0xc001, "TLS_ECDH_ECDSA_WITH_NULL_SHA" },
1037 { 0xc002, "TLS_ECDH_ECDSA_WITH_RC4_128_SHA" },
1038 { 0xc003, "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA" },
1039 { 0xc004, "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA" },
1040 { 0xc005, "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" },
1041 { 0xc006, "TLS_ECDHE_ECDSA_WITH_NULL_SHA" },
1042 { 0xc007, "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA" },
1043 { 0xc008, "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA" },
1044 { 0xc009, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA" },
1045 { 0xc00a, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" },
1046 { 0xc00b, "TLS_ECDH_RSA_WITH_NULL_SHA" },
1047 { 0xc00c, "TLS_ECDH_RSA_WITH_RC4_128_SHA" },
1048 { 0xc00d, "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA" },
1049 { 0xc00e, "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA" },
1050 { 0xc00f, "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA" },
1051 { 0xc010, "TLS_ECDHE_RSA_WITH_NULL_SHA" },
1052 { 0xc011, "TLS_ECDHE_RSA_WITH_RC4_128_SHA" },
1053 { 0xc012, "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA" },
1054 { 0xc013, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA" },
1055 { 0xc014, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA" },
1056 { 0xc015, "TLS_ECDH_anon_WITH_NULL_SHA" },
1057 { 0xc016, "TLS_ECDH_anon_WITH_RC4_128_SHA" },
1058 { 0xc017, "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA" },
1059 { 0xc018, "TLS_ECDH_anon_WITH_AES_128_CBC_SHA" },
1060 { 0xc019, "TLS_ECDH_anon_WITH_AES_256_CBC_SHA" },
1061 /* RFC 5054 */
1062 { 0xC01A, "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA" },
1063 { 0xC01B, "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA" },
1064 { 0xC01C, "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA" },
1065 { 0xC01D, "TLS_SRP_SHA_WITH_AES_128_CBC_SHA" },
1066 { 0xC01E, "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA" },
1067 { 0xC01F, "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA" },
1068 { 0xC020, "TLS_SRP_SHA_WITH_AES_256_CBC_SHA" },
1069 { 0xC021, "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA" },
1070 { 0xC022, "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA" },
1071 /* RFC 5589 */
1072 { 0xC023, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256" },
1073 { 0xC024, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384" },
1074 { 0xC025, "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256" },
1075 { 0xC026, "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384" },
1076 { 0xC027, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" },
1077 { 0xC028, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" },
1078 { 0xC029, "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256" },
1079 { 0xC02A, "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384" },
1080 { 0xC02B, "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" },
1081 { 0xC02C, "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" },
1082 { 0xC02D, "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256" },
1083 { 0xC02E, "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384" },
1084 { 0xC02F, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" },
1085 { 0xC030, "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" },
1086 { 0xC031, "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" },
1087 { 0xC032, "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384" },
1088 /* RFC 5489 */
1089 { 0xC033, "TLS_ECDHE_PSK_WITH_RC4_128_SHA" },
1090 { 0xC034, "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA" },
1091 { 0xC035, "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA" },
1092 { 0xC036, "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA" },
1093 { 0xC037, "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256" },
1094 { 0xC038, "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384" },
1095 { 0xC039, "TLS_ECDHE_PSK_WITH_NULL_SHA" },
1096 { 0xC03A, "TLS_ECDHE_PSK_WITH_NULL_SHA256" },
1097 { 0xC03B, "TLS_ECDHE_PSK_WITH_NULL_SHA384" },
1098 /* RFC 6209 */
1099 { 0xC03C, "TLS_RSA_WITH_ARIA_128_CBC_SHA256" },
1100 { 0xC03D, "TLS_RSA_WITH_ARIA_256_CBC_SHA384" },
1101 { 0xC03E, "TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256" },
1102 { 0xC03F, "TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384" },
1103 { 0xC040, "TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256" },
1104 { 0xC041, "TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384" },
1105 { 0xC042, "TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256" },
1106 { 0xC043, "TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384" },
1107 { 0xC044, "TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256" },
1108 { 0xC045, "TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384" },
1109 { 0xC046, "TLS_DH_anon_WITH_ARIA_128_CBC_SHA256" },
1110 { 0xC047, "TLS_DH_anon_WITH_ARIA_256_CBC_SHA384" },
1111 { 0xC048, "TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256" },
1112 { 0xC049, "TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384" },
1113 { 0xC04A, "TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256" },
1114 { 0xC04B, "TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384" },
1115 { 0xC04C, "TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256" },
1116 { 0xC04D, "TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384" },
1117 { 0xC04E, "TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256" },
1118 { 0xC04F, "TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384" },
1119 { 0xC050, "TLS_RSA_WITH_ARIA_128_GCM_SHA256" },
1120 { 0xC051, "TLS_RSA_WITH_ARIA_256_GCM_SHA384" },
1121 { 0xC052, "TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256" },
1122 { 0xC053, "TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384" },
1123 { 0xC054, "TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256" },
1124 { 0xC055, "TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384" },
1125 { 0xC056, "TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256" },
1126 { 0xC057, "TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384" },
1127 { 0xC058, "TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256" },
1128 { 0xC059, "TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384" },
1129 { 0xC05A, "TLS_DH_anon_WITH_ARIA_128_GCM_SHA256" },
1130 { 0xC05B, "TLS_DH_anon_WITH_ARIA_256_GCM_SHA384" },
1131 { 0xC05C, "TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256" },
1132 { 0xC05D, "TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384" },
1133 { 0xC05E, "TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256" },
1134 { 0xC05F, "TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384" },
1135 { 0xC060, "TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256" },
1136 { 0xC061, "TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384" },
1137 { 0xC062, "TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256" },
1138 { 0xC063, "TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384" },
1139 { 0xC064, "TLS_PSK_WITH_ARIA_128_CBC_SHA256" },
1140 { 0xC065, "TLS_PSK_WITH_ARIA_256_CBC_SHA384" },
1141 { 0xC066, "TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256" },
1142 { 0xC067, "TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384" },
1143 { 0xC068, "TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256" },
1144 { 0xC069, "TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384" },
1145 { 0xC06A, "TLS_PSK_WITH_ARIA_128_GCM_SHA256" },
1146 { 0xC06B, "TLS_PSK_WITH_ARIA_256_GCM_SHA384" },
1147 { 0xC06C, "TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256" },
1148 { 0xC06D, "TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384" },
1149 { 0xC06E, "TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256" },
1150 { 0xC06F, "TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384" },
1151 { 0xC070, "TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256" },
1152 { 0xC071, "TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384" },
1153 /* RFC 6367 */
1154 { 0xC072, "TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256" },
1155 { 0xC073, "TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384" },
1156 { 0xC074, "TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256" },
1157 { 0xC075, "TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384" },
1158 { 0xC076, "TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
1159 { 0xC077, "TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384" },
1160 { 0xC078, "TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
1161 { 0xC079, "TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384" },
1162 { 0xC07A, "TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256" },
1163 { 0xC07B, "TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384" },
1164 { 0xC07C, "TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256" },
1165 { 0xC07D, "TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384" },
1166 { 0xC07E, "TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256" },
1167 { 0xC07F, "TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384" },
1168 { 0xC080, "TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256" },
1169 { 0xC081, "TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384" },
1170 { 0xC082, "TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256" },
1171 { 0xC083, "TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384" },
1172 { 0xC084, "TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256" },
1173 { 0xC085, "TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384" },
1174 { 0xC086, "TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256" },
1175 { 0xC087, "TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384" },
1176 { 0xC088, "TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256" },
1177 { 0xC089, "TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384" },
1178 { 0xC08A, "TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256" },
1179 { 0xC08B, "TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384" },
1180 { 0xC08C, "TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256" },
1181 { 0xC08D, "TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384" },
1182 { 0xC08E, "TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256" },
1183 { 0xC08F, "TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384" },
1184 { 0xC090, "TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256" },
1185 { 0xC091, "TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384" },
1186 { 0xC092, "TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256" },
1187 { 0xC093, "TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384" },
1188 { 0xC094, "TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256" },
1189 { 0xC095, "TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384" },
1190 { 0xC096, "TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256" },
1191 { 0xC097, "TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384" },
1192 { 0xC098, "TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256" },
1193 { 0xC099, "TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384" },
1194 { 0xC09A, "TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256" },
1195 { 0xC09B, "TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384" },
1196 /* RFC 6655 */
1197 { 0xC09C, "TLS_RSA_WITH_AES_128_CCM" },
1198 { 0xC09D, "TLS_RSA_WITH_AES_256_CCM" },
1199 { 0xC09E, "TLS_DHE_RSA_WITH_AES_128_CCM" },
1200 { 0xC09F, "TLS_DHE_RSA_WITH_AES_256_CCM" },
1201 { 0xC0A0, "TLS_RSA_WITH_AES_128_CCM_8" },
1202 { 0xC0A1, "TLS_RSA_WITH_AES_256_CCM_8" },
1203 { 0xC0A2, "TLS_DHE_RSA_WITH_AES_128_CCM_8" },
1204 { 0xC0A3, "TLS_DHE_RSA_WITH_AES_256_CCM_8" },
1205 { 0xC0A4, "TLS_PSK_WITH_AES_128_CCM" },
1206 { 0xC0A5, "TLS_PSK_WITH_AES_256_CCM" },
1207 { 0xC0A6, "TLS_DHE_PSK_WITH_AES_128_CCM" },
1208 { 0xC0A7, "TLS_DHE_PSK_WITH_AES_256_CCM" },
1209 { 0xC0A8, "TLS_PSK_WITH_AES_128_CCM_8" },
1210 { 0xC0A9, "TLS_PSK_WITH_AES_256_CCM_8" },
1211 { 0xC0AA, "TLS_PSK_DHE_WITH_AES_128_CCM_8" },
1212 { 0xC0AB, "TLS_PSK_DHE_WITH_AES_256_CCM_8" },
1213 /* RFC 7251 */
1214 { 0xC0AC, "TLS_ECDHE_ECDSA_WITH_AES_128_CCM" },
1215 { 0xC0AD, "TLS_ECDHE_ECDSA_WITH_AES_256_CCM" },
1216 { 0xC0AE, "TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8" },
1217 { 0xC0AF, "TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8" },
1218 /* RFC 8492 */
1219 { 0xC0B0, "TLS_ECCPWD_WITH_AES_128_GCM_SHA256" },
1220 { 0xC0B1, "TLS_ECCPWD_WITH_AES_256_GCM_SHA384" },
1221 { 0xC0B2, "TLS_ECCPWD_WITH_AES_128_CCM_SHA256" },
1222 { 0xC0B3, "TLS_ECCPWD_WITH_AES_256_CCM_SHA384" },
1223 /* draft-camwinget-tls-ts13-macciphersuites */
1224 { 0xC0B4, "TLS_SHA256_SHA256" },
1225 { 0xC0B5, "TLS_SHA384_SHA384" },
1226 /* https://www.ietf.org/archive/id/draft-cragie-tls-ecjpake-01.txt */
1227 { 0xC0FF, "TLS_ECJPAKE_WITH_AES_128_CCM_8" },
1228 /* draft-smyshlyaev-tls12-gost-suites */
1229 { 0xC100, "TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC" },
1230 { 0xC101, "TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC" },
1231 { 0xC102, "TLS_GOSTR341112_256_WITH_28147_CNT_IMIT" },
1232 /* draft-smyshlyaev-tls13-gost-suites */
1233 { 0xC103, "TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_L" },
1234 { 0xC104, "TLS_GOSTR341112_256_WITH_MAGMA_MGM_L" },
1235 { 0xC105, "TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_S" },
1236 { 0xC106, "TLS_GOSTR341112_256_WITH_MAGMA_MGM_S" },
1237 /* RFC 8701 */
1238 { 0xCACA, "Reserved (GREASE)" },
1239/*
12400xC0,0xAB-FF Unassigned
12410xC1,0x03-FD,* Unassigned
12420xFE,0x00-FD Unassigned
12430xFE,0xFE-FF Reserved to avoid conflicts with widely deployed implementations [Pasi_Eronen]
12440xFF,0x00-FF Reserved for Private Use [RFC5246]
1245*/
1246 /* old numbers used in the beginning
1247 * https://tools.ietf.org/html/draft-agl-tls-chacha20poly1305 */
1248 { 0xCC13, "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
1249 { 0xCC14, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" },
1250 { 0xCC15, "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
1251 /* RFC 7905 */
1252 { 0xCCA8, "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
1253 { 0xCCA9, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" },
1254 { 0xCCAA, "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
1255 { 0xCCAB, "TLS_PSK_WITH_CHACHA20_POLY1305_SHA256" },
1256 { 0xCCAC, "TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256" },
1257 { 0xCCAD, "TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256" },
1258 { 0xCCAE, "TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256" },
1259 /* RFC 8442 */
1260 { 0xD001, "TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256" },
1261 { 0xD002, "TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384" },
1262 { 0xD003, "TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256" },
1263 { 0xD005, "TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256" },
1264 /* RFC 8701 */
1265 { 0xDADA, "Reserved (GREASE)" },
1266 /* GM/T 0024-2014 */
1267 { 0xe001, "ECDHE_SM1_SM3"},
1268 { 0xe003, "ECC_SM1_SM3"},
1269 { 0xe005, "IBSDH_SM1_SM3"},
1270 { 0xe007, "IBC_SM1_SM3"},
1271 { 0xe009, "RSA_SM1_SM3"},
1272 { 0xe00a, "RSA_SM1_SHA1"},
1273 { 0xe011, "ECDHE_SM4_CBC_SM3"},
1274 { 0xe013, "ECC_SM4_CBC_SM3"},
1275 { 0xe015, "IBSDH_SM4_CBC_SM3"},
1276 { 0xe017, "IBC_SM4_CBC_SM3"},
1277 { 0xe019, "RSA_SM4_CBC_SM3"},
1278 { 0xe01a, "RSA_SM4_CBC_SHA1"},
1279 { 0xe01c, "RSA_SM4_CBC_SHA256"},
1280 { 0xe051, "ECDHE_SM4_GCM_SM3"},
1281 { 0xe053, "ECC_SM4_GCM_SM3"},
1282 { 0xe055, "IBSDH_SM4_GCM_SM3"},
1283 { 0xe057, "IBC_SM4_GCM_SM3"},
1284 { 0xe059, "RSA_SM4_GCM_SM3"},
1285 { 0xe05a, "RSA_SM4_GCM_SHA256"},
1286 /* https://tools.ietf.org/html/draft-josefsson-salsa20-tls */
1287 { 0xE410, "TLS_RSA_WITH_ESTREAM_SALSA20_SHA1" },
1288 { 0xE411, "TLS_RSA_WITH_SALSA20_SHA1" },
1289 { 0xE412, "TLS_ECDHE_RSA_WITH_ESTREAM_SALSA20_SHA1" },
1290 { 0xE413, "TLS_ECDHE_RSA_WITH_SALSA20_SHA1" },
1291 { 0xE414, "TLS_ECDHE_ECDSA_WITH_ESTREAM_SALSA20_SHA1" },
1292 { 0xE415, "TLS_ECDHE_ECDSA_WITH_SALSA20_SHA1" },
1293 { 0xE416, "TLS_PSK_WITH_ESTREAM_SALSA20_SHA1" },
1294 { 0xE417, "TLS_PSK_WITH_SALSA20_SHA1" },
1295 { 0xE418, "TLS_ECDHE_PSK_WITH_ESTREAM_SALSA20_SHA1" },
1296 { 0xE419, "TLS_ECDHE_PSK_WITH_SALSA20_SHA1" },
1297 { 0xE41A, "TLS_RSA_PSK_WITH_ESTREAM_SALSA20_SHA1" },
1298 { 0xE41B, "TLS_RSA_PSK_WITH_SALSA20_SHA1" },
1299 { 0xE41C, "TLS_DHE_PSK_WITH_ESTREAM_SALSA20_SHA1" },
1300 { 0xE41D, "TLS_DHE_PSK_WITH_SALSA20_SHA1" },
1301 { 0xE41E, "TLS_DHE_RSA_WITH_ESTREAM_SALSA20_SHA1" },
1302 { 0xE41F, "TLS_DHE_RSA_WITH_SALSA20_SHA1" },
1303 /* RFC 8701 */
1304 { 0xEAEA, "Reserved (GREASE)" },
1305 { 0xFAFA, "Reserved (GREASE)" },
1306 /* these from http://www.mozilla.org/projects/
1307 security/pki/nss/ssl/fips-ssl-ciphersuites.html */
1308 { 0xfefe, "SSL_RSA_FIPS_WITH_DES_CBC_SHA"},
1309 { 0xfeff, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA" },
1310 /* https://datatracker.ietf.org/doc/html/rfc9189 */
1311 { 0xff85, "TLS_GOSTR341112_256_WITH_28147_CNT_IMIT"},
1312 { 0xffe0, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA" },
1313 { 0xffe1, "SSL_RSA_FIPS_WITH_DES_CBC_SHA" },
1314 /* note that ciphersuites 0xff00 - 0xffff are private */
1315 { 0x00, NULL((void*)0) }
1316};
1317
1318value_string_ext ssl_31_ciphersuite_ext = VALUE_STRING_EXT_INIT(ssl_31_ciphersuite){ _try_val_to_str_ext_init, 0, (sizeof (ssl_31_ciphersuite) /
sizeof ((ssl_31_ciphersuite)[0]))-1, ssl_31_ciphersuite, "ssl_31_ciphersuite"
, ((void*)0) };
1319
1320/* http://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#tls-extensiontype-values-1 */
1321const value_string tls_hello_extension_types[] = {
1322 { SSL_HND_HELLO_EXT_SERVER_NAME0, "server_name" }, /* RFC 6066 */
1323 { SSL_HND_HELLO_EXT_MAX_FRAGMENT_LENGTH1, "max_fragment_length" },/* RFC 6066 */
1324 { SSL_HND_HELLO_EXT_CLIENT_CERTIFICATE_URL2, "client_certificate_url" }, /* RFC 6066 */
1325 { SSL_HND_HELLO_EXT_TRUSTED_CA_KEYS3, "trusted_ca_keys" }, /* RFC 6066 */
1326 { SSL_HND_HELLO_EXT_TRUNCATED_HMAC4, "truncated_hmac" }, /* RFC 6066 */
1327 { SSL_HND_HELLO_EXT_STATUS_REQUEST5, "status_request" }, /* RFC 6066 */
1328 { SSL_HND_HELLO_EXT_USER_MAPPING6, "user_mapping" }, /* RFC 4681 */
1329 { SSL_HND_HELLO_EXT_CLIENT_AUTHZ7, "client_authz" }, /* RFC 5878 */
1330 { SSL_HND_HELLO_EXT_SERVER_AUTHZ8, "server_authz" }, /* RFC 5878 */
1331 { SSL_HND_HELLO_EXT_CERT_TYPE9, "cert_type" }, /* RFC 6091 */
1332 { SSL_HND_HELLO_EXT_SUPPORTED_GROUPS10, "supported_groups" }, /* RFC 4492, RFC 7919 */
1333 { SSL_HND_HELLO_EXT_EC_POINT_FORMATS11, "ec_point_formats" }, /* RFC 4492 */
1334 { SSL_HND_HELLO_EXT_SRP12, "srp" }, /* RFC 5054 */
1335 { SSL_HND_HELLO_EXT_SIGNATURE_ALGORITHMS13, "signature_algorithms" }, /* RFC 5246 */
1336 { SSL_HND_HELLO_EXT_USE_SRTP14, "use_srtp" }, /* RFC 5764 */
1337 { SSL_HND_HELLO_EXT_HEARTBEAT15, "heartbeat" }, /* RFC 6520 */
1338 { SSL_HND_HELLO_EXT_ALPN16, "application_layer_protocol_negotiation" }, /* RFC 7301 */
1339 { SSL_HND_HELLO_EXT_STATUS_REQUEST_V217, "status_request_v2" }, /* RFC 6961 */
1340 { SSL_HND_HELLO_EXT_SIGNED_CERTIFICATE_TIMESTAMP18, "signed_certificate_timestamp" }, /* RFC 6962 */
1341 { SSL_HND_HELLO_EXT_CLIENT_CERT_TYPE19, "client_certificate_type" }, /* RFC 7250 */
1342 { SSL_HND_HELLO_EXT_SERVER_CERT_TYPE20, "server_certificate_type" }, /* RFC 7250 */
1343 { SSL_HND_HELLO_EXT_PADDING21, "padding" }, /* RFC 7685 */
1344 { SSL_HND_HELLO_EXT_ENCRYPT_THEN_MAC22, "encrypt_then_mac" }, /* RFC 7366 */
1345 { SSL_HND_HELLO_EXT_EXTENDED_MASTER_SECRET23, "extended_master_secret" }, /* RFC 7627 */
1346 { SSL_HND_HELLO_EXT_TOKEN_BINDING24, "token_binding" }, /* https://tools.ietf.org/html/draft-ietf-tokbind-negotiation */
1347 { SSL_HND_HELLO_EXT_CACHED_INFO25, "cached_info" }, /* RFC 7924 */
1348 { SSL_HND_HELLO_EXT_COMPRESS_CERTIFICATE27, "compress_certificate" }, /* https://tools.ietf.org/html/draft-ietf-tls-certificate-compression-03 */
1349 { SSL_HND_HELLO_EXT_RECORD_SIZE_LIMIT28, "record_size_limit" }, /* RFC 8449 */
1350 { SSL_HND_HELLO_EXT_DELEGATED_CREDENTIALS34, "delegated_credentials" }, /* draft-ietf-tls-subcerts-10.txt */
1351 { SSL_HND_HELLO_EXT_SESSION_TICKET_TLS35, "session_ticket" }, /* RFC 5077 / RFC 8447 */
1352 { SSL_HND_HELLO_EXT_KEY_SHARE_OLD40, "Reserved (key_share)" }, /* https://tools.ietf.org/html/draft-ietf-tls-tls13-22 (removed in -23) */
1353 { SSL_HND_HELLO_EXT_PRE_SHARED_KEY41, "pre_shared_key" }, /* RFC 8446 */
1354 { SSL_HND_HELLO_EXT_EARLY_DATA42, "early_data" }, /* RFC 8446 */
1355 { SSL_HND_HELLO_EXT_SUPPORTED_VERSIONS43, "supported_versions" }, /* RFC 8446 */
1356 { SSL_HND_HELLO_EXT_COOKIE44, "cookie" }, /* RFC 8446 */
1357 { SSL_HND_HELLO_EXT_PSK_KEY_EXCHANGE_MODES45, "psk_key_exchange_modes" }, /* RFC 8446 */
1358 { SSL_HND_HELLO_EXT_TICKET_EARLY_DATA_INFO46, "Reserved (ticket_early_data_info)" }, /* draft-ietf-tls-tls13-18 (removed in -19) */
1359 { SSL_HND_HELLO_EXT_CERTIFICATE_AUTHORITIES47, "certificate_authorities" }, /* RFC 8446 */
1360 { SSL_HND_HELLO_EXT_OID_FILTERS48, "oid_filters" }, /* RFC 8446 */
1361 { SSL_HND_HELLO_EXT_POST_HANDSHAKE_AUTH49, "post_handshake_auth" }, /* RFC 8446 */
1362 { SSL_HND_HELLO_EXT_SIGNATURE_ALGORITHMS_CERT50, "signature_algorithms_cert" }, /* RFC 8446 */
1363 { SSL_HND_HELLO_EXT_KEY_SHARE51, "key_share" }, /* RFC 8446 */
1364 { SSL_HND_HELLO_EXT_TRANSPARENCY_INFO52, "transparency_info" }, /* draft-ietf-trans-rfc6962-bis-41 */
1365 { SSL_HND_HELLO_EXT_CONNECTION_ID_DEPRECATED53, "connection_id (deprecated)" }, /* draft-ietf-tls-dtls-connection-id-07 */
1366 { SSL_HND_HELLO_EXT_CONNECTION_ID54, "connection_id" }, /* RFC 9146 */
1367 { SSL_HND_HELLO_EXT_EXTERNAL_ID_HASH55, "external_id_hash" }, /* RFC 8844 */
1368 { SSL_HND_HELLO_EXT_EXTERNAL_SESSION_ID56, "external_session_id" }, /* RFC 8844 */
1369 { SSL_HND_HELLO_EXT_QUIC_TRANSPORT_PARAMETERS_V157, "quic_transport_parameters" }, /* draft-ietf-quic-tls-33 */
1370 { SSL_HND_HELLO_EXT_TICKET_REQUEST58, "ticket_request" }, /* draft-ietf-tls-ticketrequests-07 */
1371 { SSL_HND_HELLO_EXT_DNSSEC_CHAIN59, "dnssec_chain" }, /* RFC 9102 */
1372 { SSL_HND_HELLO_EXT_GREASE_0A0A2570, "Reserved (GREASE)" }, /* RFC 8701 */
1373 { SSL_HND_HELLO_EXT_GREASE_1A1A6682, "Reserved (GREASE)" }, /* RFC 8701 */
1374 { SSL_HND_HELLO_EXT_GREASE_2A2A10794, "Reserved (GREASE)" }, /* RFC 8701 */
1375 { SSL_HND_HELLO_EXT_NPN13172, "next_protocol_negotiation"}, /* https://datatracker.ietf.org/doc/html/draft-agl-tls-nextprotoneg-03 */
1376 { SSL_HND_HELLO_EXT_GREASE_3A3A14906, "Reserved (GREASE)" }, /* RFC 8701 */
1377 { SSL_HND_HELLO_EXT_ALPS_OLD17513, "application_settings_old" }, /* draft-vvv-tls-alps-01 */
1378 { SSL_HND_HELLO_EXT_ALPS17613, "application_settings" }, /* draft-vvv-tls-alps-01 */ /* https://chromestatus.com/feature/5149147365900288 */
1379 { SSL_HND_HELLO_EXT_GREASE_4A4A19018, "Reserved (GREASE)" }, /* RFC 8701 */
1380 { SSL_HND_HELLO_EXT_GREASE_5A5A23130, "Reserved (GREASE)" }, /* RFC 8701 */
1381 { SSL_HND_HELLO_EXT_GREASE_6A6A27242, "Reserved (GREASE)" }, /* RFC 8701 */
1382 { SSL_HND_HELLO_EXT_CHANNEL_ID_OLD30031, "channel_id_old" }, /* https://tools.ietf.org/html/draft-balfanz-tls-channelid-00
1383 https://twitter.com/ericlaw/status/274237352531083264 */
1384 { SSL_HND_HELLO_EXT_CHANNEL_ID30032, "channel_id" }, /* https://tools.ietf.org/html/draft-balfanz-tls-channelid-01
1385 https://code.google.com/p/chromium/codesearch#chromium/src/net/third_party/nss/ssl/sslt.h&l=209 */
1386 { SSL_HND_HELLO_EXT_RENEGOTIATION_INFO65281, "renegotiation_info" }, /* RFC 5746 */
1387 { SSL_HND_HELLO_EXT_GREASE_7A7A31354, "Reserved (GREASE)" }, /* RFC 8701 */
1388 { SSL_HND_HELLO_EXT_GREASE_8A8A35466, "Reserved (GREASE)" }, /* RFC 8701 */
1389 { SSL_HND_HELLO_EXT_GREASE_9A9A39578, "Reserved (GREASE)" }, /* RFC 8701 */
1390 { SSL_HND_HELLO_EXT_GREASE_AAAA43690, "Reserved (GREASE)" }, /* RFC 8701 */
1391 { SSL_HND_HELLO_EXT_GREASE_BABA47802, "Reserved (GREASE)" }, /* RFC 8701 */
1392 { SSL_HND_HELLO_EXT_GREASE_CACA51914, "Reserved (GREASE)" }, /* RFC 8701 */
1393 { SSL_HND_HELLO_EXT_GREASE_DADA56026, "Reserved (GREASE)" }, /* RFC 8701 */
1394 { SSL_HND_HELLO_EXT_GREASE_EAEA60138, "Reserved (GREASE)" }, /* RFC 8701 */
1395 { SSL_HND_HELLO_EXT_GREASE_FAFA64250, "Reserved (GREASE)" }, /* RFC 8701 */
1396 { SSL_HND_HELLO_EXT_QUIC_TRANSPORT_PARAMETERS65445, "quic_transport_parameters (drafts version)" }, /* https://tools.ietf.org/html/draft-ietf-quic-tls */
1397 { SSL_HND_HELLO_EXT_ENCRYPTED_SERVER_NAME65486, "encrypted_server_name" }, /* https://tools.ietf.org/html/draft-ietf-tls-esni-01 */
1398 { SSL_HND_HELLO_EXT_ENCRYPTED_CLIENT_HELLO65037, "encrypted_client_hello" }, /* https://datatracker.ietf.org/doc/draft-ietf-tls-esni/17/ */
1399 { SSL_HND_HELLO_EXT_ECH_OUTER_EXTENSIONS64768, "ech_outer_extensions" }, /* https://datatracker.ietf.org/doc/draft-ietf-tls-esni/17/ */
1400 { 0, NULL((void*)0) }
1401};
1402
1403const value_string tls_hello_ext_server_name_type_vs[] = {
1404 { 0, "host_name" },
1405 { 0, NULL((void*)0) }
1406};
1407
1408/* RFC 6066 Section 4 */
1409const value_string tls_hello_ext_max_fragment_length[] = {
1410 { 1, "512" }, // 2^9
1411 { 2, "1024" }, // 2^10
1412 { 3, "2048" }, // 2^11
1413 { 4, "4096" }, // 2^12
1414 { 0, NULL((void*)0) }
1415};
1416
1417/* RFC 8446 Section 4.2.9 */
1418const value_string tls_hello_ext_psk_ke_mode[] = {
1419 { 0, "PSK-only key establishment (psk_ke)" },
1420 { 1, "PSK with (EC)DHE key establishment (psk_dhe_ke)" },
1421 { 0, NULL((void*)0) }
1422};
1423
1424/* RFC 6066 Section 6 */
1425const value_string tls_hello_ext_trusted_ca_key_type[] = {
1426 {0, "pre_agreed"},
1427 {1, "key_sha1_hash"},
1428 {2, "x509_name"},
1429 {3, "cert_sha1_hash"},
1430 {0, NULL((void*)0)}
1431};
1432
1433const value_string tls13_key_update_request[] = {
1434 { 0, "update_not_requested" },
1435 { 1, "update_requested" },
1436 { 0, NULL((void*)0) }
1437};
1438
1439/* RFC 5246 7.4.1.4.1 */
1440/* https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml */
1441/* Note that the TLS 1.3 SignatureScheme registry reserves all values
1442 * with first octet 0x00-0x06 and all values with second octet 0x00-0x03
1443 * for backwards compatibility with TLS 1.2 SignatureAndHashAlgorithm.
1444 *
1445 * RFC 8422 and RFC 9189 add official support in TLS 1.2 for some algorithms
1446 * originally defined for TLS 1.3, and extend the TLS SignatureAlgorithm
1447 * and TLS HashAlgorithm registries, but the new values are not compatible
1448 * with all of the TLS 1.3-only SignatureSchemes. Adding those values could
1449 * cause confusion if used to interpret one of those schemes in a
1450 * signature_algorithms extension offered in a TLS 1.3 ClientHello.
1451 */
1452const value_string tls_hash_algorithm[] = {
1453 { 0, "None" },
1454 { 1, "MD5" },
1455 { 2, "SHA1" },
1456 { 3, "SHA224" },
1457 { 4, "SHA256" },
1458 { 5, "SHA384" },
1459 { 6, "SHA512" },
1460#if 0
1461 /* RFC 8422 adds this to the HashAlgorithm registry, but it really
1462 * only applies to 0x0807 and 0x0808, not for other TLS 1.3
1463 * SignatureSchemes with 0x08 in the octet used for Hash in TLS 1.2.
1464 * E.g., we don't want to display this for 0x0806 rsa_pss_rsae_sha512.
1465 */
1466 { 8, "Intrinsic" },
1467#endif
1468 { 0, NULL((void*)0) }
1469};
1470
1471const value_string tls_signature_algorithm[] = {
1472 { 0, "Anonymous" },
1473 { 1, "RSA" },
1474 { 2, "DSA" },
1475 { 3, "ECDSA" },
1476#if 0
1477 /* As above. */
1478 { 7, "ED25519" },
1479 { 8, "ED448" },
1480 { 64, "GOSTR34102012_256" },
1481 { 65, "GOSTR34102012_512" },
1482#endif
1483 { 0, NULL((void*)0) }
1484};
1485
1486/* RFC 8446 Section 4.2.3 */
1487const value_string tls13_signature_algorithm[] = {
1488 { 0x0201, "rsa_pkcs1_sha1" },
1489 { 0x0203, "ecdsa_sha1" },
1490 { 0x0401, "rsa_pkcs1_sha256" },
1491 { 0x0403, "ecdsa_secp256r1_sha256" },
1492 { 0x0420, "rsa_pkcs1_sha256_legacy" }, /* draft-davidben-tls13-pkcs1-01 */
1493 { 0x0501, "rsa_pkcs1_sha384" },
1494 { 0x0503, "ecdsa_secp384r1_sha384" },
1495 { 0x0520, "rsa_pkcs1_sha384_legacy" }, /* draft-davidben-tls13-pkcs1-01 */
1496 { 0x0601, "rsa_pkcs1_sha512" },
1497 { 0x0603, "ecdsa_secp521r1_sha512" },
1498 { 0x0620, "rsa_pkcs1_sha512_legacy" }, /* draft-davidben-tls13-pkcs1-01 */
1499 { 0x0704, "eccsi_sha256" }, /* draft-wang-tls-raw-public-key-with-ibc-02 */
1500 { 0x0705, "iso_ibs1" }, /* draft-wang-tls-raw-public-key-with-ibc-02 */
1501 { 0x0706, "iso_ibs2" }, /* draft-wang-tls-raw-public-key-with-ibc-02 */
1502 { 0x0707, "iso_chinese_ibs" }, /* draft-wang-tls-raw-public-key-with-ibc-02 */
1503 { 0x0708, "sm2sig_sm3" },
1504 { 0x0709, "gostr34102012_256a" }, /* RFC9367 */
1505 { 0x070a, "gostr34102012_256b" }, /* RFC9367 */
1506 { 0x070b, "gostr34102012_256c" }, /* RFC9367 */
1507 { 0x070c, "gostr34102012_256d" }, /* RFC9367 */
1508 { 0x070d, "gostr34102012_512a" }, /* RFC9367 */
1509 { 0x070e, "gostr34102012_512b" }, /* RFC9367 */
1510 { 0x070f, "gostr34102012_512c" }, /* RFC9367 */
1511 { 0x0804, "rsa_pss_rsae_sha256" },
1512 { 0x0805, "rsa_pss_rsae_sha384" },
1513 { 0x0806, "rsa_pss_rsae_sha512" },
1514 { 0x0807, "ed25519" },
1515 { 0x0808, "ed448" },
1516 { 0x0809, "rsa_pss_pss_sha256" },
1517 { 0x080a, "rsa_pss_pss_sha384" },
1518 { 0x080b, "rsa_pss_pss_sha512" },
1519 { 0x081a, "ecdsa_brainpoolP256r1tls13_sha256" }, /* RFC8734 */
1520 { 0x081b, "ecdsa_brainpoolP384r1tls13_sha384" }, /* RFC8734 */
1521 { 0x081c, "ecdsa_brainpoolP512r1tls13_sha512" }, /* RFC8734 */
1522 { 0x0904, "mldsa44" }, /* draft-ietf-tls-mldsa-00 */
1523 { 0x0905, "mldsa65" }, /* draft-ietf-tls-mldsa-00 */
1524 { 0x0906, "mldsa87" }, /* draft-ietf-tls-mldsa-00 */
1525 { 0x0911, "slhdsa_sha2_128s" }, /* draft-reddy-tls-slhdsa-01 */
1526 { 0x0912, "slhdsa_sha2_128f" }, /* draft-reddy-tls-slhdsa-01 */
1527 { 0x0913, "slhdsa_sha2_192s" }, /* draft-reddy-tls-slhdsa-01 */
1528 { 0x0914, "slhdsa_sha2_192f" }, /* draft-reddy-tls-slhdsa-01 */
1529 { 0x0915, "slhdsa_sha2_256s" }, /* draft-reddy-tls-slhdsa-01 */
1530 { 0x0916, "slhdsa_sha2_256f" }, /* draft-reddy-tls-slhdsa-01 */
1531 { 0x0917, "slhdsa_shake_128s" }, /* draft-reddy-tls-slhdsa-01 */
1532 { 0x0918, "slhdsa_shake_128f" }, /* draft-reddy-tls-slhdsa-01 */
1533 { 0x0919, "slhdsa_shake_192s" }, /* draft-reddy-tls-slhdsa-01 */
1534 { 0x091a, "slhdsa_shake_192f" }, /* draft-reddy-tls-slhdsa-01 */
1535 { 0x091b, "slhdsa_shake_256s" }, /* draft-reddy-tls-slhdsa-01 */
1536 { 0x091c, "slhdsa_shake_256f" }, /* draft-reddy-tls-slhdsa-01 */
1537 /* PQC digital signature algorithms from OQS-OpenSSL,
1538 see https://github.com/open-quantum-safe/oqs-provider/blob/main/oqs-template/oqs-sig-info.md */
1539 { 0xfea0, "dilithium2" },
1540 { 0xfea1, "p256_dilithium2" },
1541 { 0xfea2, "rsa3072_dilithium2" },
1542 { 0xfea3, "dilithium3" },
1543 { 0xfea4, "p384_dilithium3" },
1544 { 0xfea5, "dilithium5" },
1545 { 0xfea6, "p521_dilithium5" },
1546 { 0xfea7, "dilithium2_aes" },
1547 { 0xfea8, "p256_dilithium2_aes" },
1548 { 0xfea9, "rsa3072_dilithium2_aes" },
1549 { 0xfeaa, "dilithium3_aes" },
1550 { 0xfeab, "p384_dilithium3_aes" },
1551 { 0xfeac, "dilithium5_aes" },
1552 { 0xfead, "p521_dilithium5_aes" },
1553 { 0xfe0b, "falcon512" },
1554 { 0xfe0c, "p256_falcon512" },
1555 { 0xfe0d, "rsa3072_falcon512" },
1556 { 0xfe0e, "falcon1024" },
1557 { 0xfe0f, "p521_falcon1024" },
1558 { 0xfe96, "picnicl1full" },
1559 { 0xfe97, "p256_picnicl1full" },
1560 { 0xfe98, "rsa3072_picnicl1full" },
1561 { 0xfe1b, "picnic3l1" },
1562 { 0xfe1c, "p256_picnic3l1" },
1563 { 0xfe1d, "rsa3072_picnic3l1" },
1564 { 0xfe27, "rainbowIclassic" },
1565 { 0xfe28, "p256_rainbowIclassic" },
1566 { 0xfe29, "rsa3072_rainbowIclassic" },
1567 { 0xfe3c, "rainbowVclassic" },
1568 { 0xfe3d, "p521_rainbowVclassic" },
1569 { 0xfe42, "sphincsharaka128frobust" },
1570 { 0xfe43, "p256_sphincsharaka128frobust" },
1571 { 0xfe44, "rsa3072_sphincsharaka128frobust" },
1572 { 0xfe5e, "sphincssha256128frobust" },
1573 { 0xfe5f, "p256_sphincssha256128frobust" },
1574 { 0xfe60, "rsa3072_sphincssha256128frobust" },
1575 { 0xfe7a, "sphincsshake256128frobust" },
1576 { 0xfe7b, "p256_sphincsshake256128frobust" },
1577 { 0xfe7c, "rsa3072_sphincsshake256128frobust" },
1578 { 0, NULL((void*)0) }
1579};
1580
1581/* RFC 6091 3.1 */
1582const value_string tls_certificate_type[] = {
1583 { 0, "X.509" },
1584 { 1, "OpenPGP" },
1585 { SSL_HND_CERT_TYPE_RAW_PUBLIC_KEY2, "Raw Public Key" }, /* RFC 7250 */
1586 { 0, NULL((void*)0) }
1587};
1588
1589const value_string tls_cert_chain_type[] = {
1590 { SSL_HND_CERT_URL_TYPE_INDIVIDUAL_CERT1, "Individual Certificates" },
1591 { SSL_HND_CERT_URL_TYPE_PKIPATH2, "PKI Path" },
1592 { 0, NULL((void*)0) }
1593};
1594
1595const value_string tls_cert_status_type[] = {
1596 { SSL_HND_CERT_STATUS_TYPE_OCSP1, "OCSP" },
1597 { SSL_HND_CERT_STATUS_TYPE_OCSP_MULTI2, "OCSP Multi" },
1598 { 0, NULL((void*)0) }
1599};
1600
1601/* Generated by tools/make-tls-ct-logids.py
1602 * Last-Modified Sat, 15 Nov 2025 14:27:28 GMT, 187 entries. */
1603static const bytes_string ct_logids[] = {
1604 { (const uint8_t[]){
1605 0xb2, 0x1e, 0x05, 0xcc, 0x8b, 0xa2, 0xcd, 0x8a, 0x20, 0x4e, 0x87,
1606 0x66, 0xf9, 0x2b, 0xb9, 0x8a, 0x25, 0x20, 0x67, 0x6b, 0xda, 0xfa,
1607 0x70, 0xe7, 0xb2, 0x49, 0x53, 0x2d, 0xef, 0x8b, 0x90, 0x5e,
1608 },
1609 32, "Google 'Argon2020' log" },
1610 { (const uint8_t[]){
1611 0xf6, 0x5c, 0x94, 0x2f, 0xd1, 0x77, 0x30, 0x22, 0x14, 0x54, 0x18,
1612 0x08, 0x30, 0x94, 0x56, 0x8e, 0xe3, 0x4d, 0x13, 0x19, 0x33, 0xbf,
1613 0xdf, 0x0c, 0x2f, 0x20, 0x0b, 0xcc, 0x4e, 0xf1, 0x64, 0xe3,
1614 },
1615 32, "Google 'Argon2021' log" },
1616 { (const uint8_t[]){
1617 0x29, 0x79, 0xbe, 0xf0, 0x9e, 0x39, 0x39, 0x21, 0xf0, 0x56, 0x73,
1618 0x9f, 0x63, 0xa5, 0x77, 0xe5, 0xbe, 0x57, 0x7d, 0x9c, 0x60, 0x0a,
1619 0xf8, 0xf9, 0x4d, 0x5d, 0x26, 0x5c, 0x25, 0x5d, 0xc7, 0x84,
1620 },
1621 32, "Google 'Argon2022' log" },
1622 { (const uint8_t[]){
1623 0xe8, 0x3e, 0xd0, 0xda, 0x3e, 0xf5, 0x06, 0x35, 0x32, 0xe7, 0x57,
1624 0x28, 0xbc, 0x89, 0x6b, 0xc9, 0x03, 0xd3, 0xcb, 0xd1, 0x11, 0x6b,
1625 0xec, 0xeb, 0x69, 0xe1, 0x77, 0x7d, 0x6d, 0x06, 0xbd, 0x6e,
1626 },
1627 32, "Google 'Argon2023' log" },
1628 { (const uint8_t[]){
1629 0xee, 0xcd, 0xd0, 0x64, 0xd5, 0xdb, 0x1a, 0xce, 0xc5, 0x5c, 0xb7,
1630 0x9d, 0xb4, 0xcd, 0x13, 0xa2, 0x32, 0x87, 0x46, 0x7c, 0xbc, 0xec,
1631 0xde, 0xc3, 0x51, 0x48, 0x59, 0x46, 0x71, 0x1f, 0xb5, 0x9b,
1632 },
1633 32, "Google 'Argon2024' log" },
1634 { (const uint8_t[]){
1635 0x4e, 0x75, 0xa3, 0x27, 0x5c, 0x9a, 0x10, 0xc3, 0x38, 0x5b, 0x6c,
1636 0xd4, 0xdf, 0x3f, 0x52, 0xeb, 0x1d, 0xf0, 0xe0, 0x8e, 0x1b, 0x8d,
1637 0x69, 0xc0, 0xb1, 0xfa, 0x64, 0xb1, 0x62, 0x9a, 0x39, 0xdf,
1638 },
1639 32, "Google 'Argon2025h1' log" },
1640 { (const uint8_t[]){
1641 0x12, 0xf1, 0x4e, 0x34, 0xbd, 0x53, 0x72, 0x4c, 0x84, 0x06, 0x19,
1642 0xc3, 0x8f, 0x3f, 0x7a, 0x13, 0xf8, 0xe7, 0xb5, 0x62, 0x87, 0x88,
1643 0x9c, 0x6d, 0x30, 0x05, 0x84, 0xeb, 0xe5, 0x86, 0x26, 0x3a,
1644 },
1645 32, "Google 'Argon2025h2' log" },
1646 { (const uint8_t[]){
1647 0x0e, 0x57, 0x94, 0xbc, 0xf3, 0xae, 0xa9, 0x3e, 0x33, 0x1b, 0x2c,
1648 0x99, 0x07, 0xb3, 0xf7, 0x90, 0xdf, 0x9b, 0xc2, 0x3d, 0x71, 0x32,
1649 0x25, 0xdd, 0x21, 0xa9, 0x25, 0xac, 0x61, 0xc5, 0x4e, 0x21,
1650 },
1651 32, "Google 'Argon2026h1' log" },
1652 { (const uint8_t[]){
1653 0xd7, 0x6d, 0x7d, 0x10, 0xd1, 0xa7, 0xf5, 0x77, 0xc2, 0xc7, 0xe9,
1654 0x5f, 0xd7, 0x00, 0xbf, 0xf9, 0x82, 0xc9, 0x33, 0x5a, 0x65, 0xe1,
1655 0xd0, 0xb3, 0x01, 0x73, 0x17, 0xc0, 0xc8, 0xc5, 0x69, 0x77,
1656 },
1657 32, "Google 'Argon2026h2' log" },
1658 { (const uint8_t[]){
1659 0xd6, 0xd5, 0x8d, 0xa9, 0xd0, 0x17, 0x53, 0xf3, 0x6a, 0x4a, 0xa0,
1660 0xc7, 0x57, 0x49, 0x02, 0xaf, 0xeb, 0xc7, 0xdc, 0x2c, 0xd3, 0x8c,
1661 0xd9, 0xf7, 0x64, 0xc8, 0x0c, 0x89, 0x19, 0x1e, 0x9f, 0x02,
1662 },
1663 32, "Google 'Argon2027h1'" },
1664 { (const uint8_t[]){
1665 0x07, 0xb7, 0x5c, 0x1b, 0xe5, 0x7d, 0x68, 0xff, 0xf1, 0xb0, 0xc6,
1666 0x1d, 0x23, 0x15, 0xc7, 0xba, 0xe6, 0x57, 0x7c, 0x57, 0x94, 0xb7,
1667 0x6a, 0xee, 0xbc, 0x61, 0x3a, 0x1a, 0x69, 0xd3, 0xa2, 0x1c,
1668 },
1669 32, "Google 'Xenon2020' log" },
1670 { (const uint8_t[]){
1671 0x7d, 0x3e, 0xf2, 0xf8, 0x8f, 0xff, 0x88, 0x55, 0x68, 0x24, 0xc2,
1672 0xc0, 0xca, 0x9e, 0x52, 0x89, 0x79, 0x2b, 0xc5, 0x0e, 0x78, 0x09,
1673 0x7f, 0x2e, 0x6a, 0x97, 0x68, 0x99, 0x7e, 0x22, 0xf0, 0xd7,
1674 },
1675 32, "Google 'Xenon2021' log" },
1676 { (const uint8_t[]){
1677 0x46, 0xa5, 0x55, 0xeb, 0x75, 0xfa, 0x91, 0x20, 0x30, 0xb5, 0xa2,
1678 0x89, 0x69, 0xf4, 0xf3, 0x7d, 0x11, 0x2c, 0x41, 0x74, 0xbe, 0xfd,
1679 0x49, 0xb8, 0x85, 0xab, 0xf2, 0xfc, 0x70, 0xfe, 0x6d, 0x47,
1680 },
1681 32, "Google 'Xenon2022' log" },
1682 { (const uint8_t[]){
1683 0xad, 0xf7, 0xbe, 0xfa, 0x7c, 0xff, 0x10, 0xc8, 0x8b, 0x9d, 0x3d,
1684 0x9c, 0x1e, 0x3e, 0x18, 0x6a, 0xb4, 0x67, 0x29, 0x5d, 0xcf, 0xb1,
1685 0x0c, 0x24, 0xca, 0x85, 0x86, 0x34, 0xeb, 0xdc, 0x82, 0x8a,
1686 },
1687 32, "Google 'Xenon2023' log" },
1688 { (const uint8_t[]){
1689 0x76, 0xff, 0x88, 0x3f, 0x0a, 0xb6, 0xfb, 0x95, 0x51, 0xc2, 0x61,
1690 0xcc, 0xf5, 0x87, 0xba, 0x34, 0xb4, 0xa4, 0xcd, 0xbb, 0x29, 0xdc,
1691 0x68, 0x42, 0x0a, 0x9f, 0xe6, 0x67, 0x4c, 0x5a, 0x3a, 0x74,
1692 },
1693 32, "Google 'Xenon2024' log" },
1694 { (const uint8_t[]){
1695 0xcf, 0x11, 0x56, 0xee, 0xd5, 0x2e, 0x7c, 0xaf, 0xf3, 0x87, 0x5b,
1696 0xd9, 0x69, 0x2e, 0x9b, 0xe9, 0x1a, 0x71, 0x67, 0x4a, 0xb0, 0x17,
1697 0xec, 0xac, 0x01, 0xd2, 0x5b, 0x77, 0xce, 0xcc, 0x3b, 0x08,
1698 },
1699 32, "Google 'Xenon2025h1' log" },
1700 { (const uint8_t[]){
1701 0xdd, 0xdc, 0xca, 0x34, 0x95, 0xd7, 0xe1, 0x16, 0x05, 0xe7, 0x95,
1702 0x32, 0xfa, 0xc7, 0x9f, 0xf8, 0x3d, 0x1c, 0x50, 0xdf, 0xdb, 0x00,
1703 0x3a, 0x14, 0x12, 0x76, 0x0a, 0x2c, 0xac, 0xbb, 0xc8, 0x2a,
1704 },
1705 32, "Google 'Xenon2025h2' log" },
1706 { (const uint8_t[]){
1707 0x96, 0x97, 0x64, 0xbf, 0x55, 0x58, 0x97, 0xad, 0xf7, 0x43, 0x87,
1708 0x68, 0x37, 0x08, 0x42, 0x77, 0xe9, 0xf0, 0x3a, 0xd5, 0xf6, 0xa4,
1709 0xf3, 0x36, 0x6e, 0x46, 0xa4, 0x3f, 0x0f, 0xca, 0xa9, 0xc6,
1710 },
1711 32, "Google 'Xenon2026h1' log" },
1712 { (const uint8_t[]){
1713 0xd8, 0x09, 0x55, 0x3b, 0x94, 0x4f, 0x7a, 0xff, 0xc8, 0x16, 0x19,
1714 0x6f, 0x94, 0x4f, 0x85, 0xab, 0xb0, 0xf8, 0xfc, 0x5e, 0x87, 0x55,
1715 0x26, 0x0f, 0x15, 0xd1, 0x2e, 0x72, 0xbb, 0x45, 0x4b, 0x14,
1716 },
1717 32, "Google 'Xenon2026h2' log" },
1718 { (const uint8_t[]){
1719 0x44, 0xc2, 0xbd, 0x0c, 0xe9, 0x14, 0x0e, 0x64, 0xa5, 0xc9, 0x4a,
1720 0x01, 0x93, 0x0a, 0x5a, 0xa1, 0xbb, 0x35, 0x97, 0x0e, 0x00, 0xee,
1721 0x11, 0x16, 0x89, 0x68, 0x2a, 0x1c, 0x44, 0xd7, 0xb5, 0x66,
1722 },
1723 32, "Google 'Xenon2027h1'" },
1724 { (const uint8_t[]){
1725 0x68, 0xf6, 0x98, 0xf8, 0x1f, 0x64, 0x82, 0xbe, 0x3a, 0x8c, 0xee,
1726 0xb9, 0x28, 0x1d, 0x4c, 0xfc, 0x71, 0x51, 0x5d, 0x67, 0x93, 0xd4,
1727 0x44, 0xd1, 0x0a, 0x67, 0xac, 0xbb, 0x4f, 0x4f, 0xfb, 0xc4,
1728 },
1729 32, "Google 'Aviator' log" },
1730 { (const uint8_t[]){
1731 0x29, 0x3c, 0x51, 0x96, 0x54, 0xc8, 0x39, 0x65, 0xba, 0xaa, 0x50,
1732 0xfc, 0x58, 0x07, 0xd4, 0xb7, 0x6f, 0xbf, 0x58, 0x7a, 0x29, 0x72,
1733 0xdc, 0xa4, 0xc3, 0x0c, 0xf4, 0xe5, 0x45, 0x47, 0xf4, 0x78,
1734 },
1735 32, "Google 'Icarus' log" },
1736 { (const uint8_t[]){
1737 0xa4, 0xb9, 0x09, 0x90, 0xb4, 0x18, 0x58, 0x14, 0x87, 0xbb, 0x13,
1738 0xa2, 0xcc, 0x67, 0x70, 0x0a, 0x3c, 0x35, 0x98, 0x04, 0xf9, 0x1b,
1739 0xdf, 0xb8, 0xe3, 0x77, 0xcd, 0x0e, 0xc8, 0x0d, 0xdc, 0x10,
1740 },
1741 32, "Google 'Pilot' log" },
1742 { (const uint8_t[]){
1743 0xee, 0x4b, 0xbd, 0xb7, 0x75, 0xce, 0x60, 0xba, 0xe1, 0x42, 0x69,
1744 0x1f, 0xab, 0xe1, 0x9e, 0x66, 0xa3, 0x0f, 0x7e, 0x5f, 0xb0, 0x72,
1745 0xd8, 0x83, 0x00, 0xc4, 0x7b, 0x89, 0x7a, 0xa8, 0xfd, 0xcb,
1746 },
1747 32, "Google 'Rocketeer' log" },
1748 { (const uint8_t[]){
1749 0xbb, 0xd9, 0xdf, 0xbc, 0x1f, 0x8a, 0x71, 0xb5, 0x93, 0x94, 0x23,
1750 0x97, 0xaa, 0x92, 0x7b, 0x47, 0x38, 0x57, 0x95, 0x0a, 0xab, 0x52,
1751 0xe8, 0x1a, 0x90, 0x96, 0x64, 0x36, 0x8e, 0x1e, 0xd1, 0x85,
1752 },
1753 32, "Google 'Skydiver' log" },
1754 { (const uint8_t[]){
1755 0xfa, 0xd4, 0xc9, 0x7c, 0xc4, 0x9e, 0xe2, 0xf8, 0xac, 0x85, 0xc5,
1756 0xea, 0x5c, 0xea, 0x09, 0xd0, 0x22, 0x0d, 0xbb, 0xf4, 0xe4, 0x9c,
1757 0x6b, 0x50, 0x66, 0x2f, 0xf8, 0x68, 0xf8, 0x6b, 0x8c, 0x28,
1758 },
1759 32, "Google 'Argon2017' log" },
1760 { (const uint8_t[]){
1761 0xa4, 0x50, 0x12, 0x69, 0x05, 0x5a, 0x15, 0x54, 0x5e, 0x62, 0x11,
1762 0xab, 0x37, 0xbc, 0x10, 0x3f, 0x62, 0xae, 0x55, 0x76, 0xa4, 0x5e,
1763 0x4b, 0x17, 0x14, 0x45, 0x3e, 0x1b, 0x22, 0x10, 0x6a, 0x25,
1764 },
1765 32, "Google 'Argon2018' log" },
1766 { (const uint8_t[]){
1767 0x63, 0xf2, 0xdb, 0xcd, 0xe8, 0x3b, 0xcc, 0x2c, 0xcf, 0x0b, 0x72,
1768 0x84, 0x27, 0x57, 0x6b, 0x33, 0xa4, 0x8d, 0x61, 0x77, 0x8f, 0xbd,
1769 0x75, 0xa6, 0x38, 0xb1, 0xc7, 0x68, 0x54, 0x4b, 0xd8, 0x8d,
1770 },
1771 32, "Google 'Argon2019' log" },
1772 { (const uint8_t[]){
1773 0xb1, 0x0c, 0xd5, 0x59, 0xa6, 0xd6, 0x78, 0x46, 0x81, 0x1f, 0x7d,
1774 0xf9, 0xa5, 0x15, 0x32, 0x73, 0x9a, 0xc4, 0x8d, 0x70, 0x3b, 0xea,
1775 0x03, 0x23, 0xda, 0x5d, 0x38, 0x75, 0x5b, 0xc0, 0xad, 0x4e,
1776 },
1777 32, "Google 'Xenon2018' log" },
1778 { (const uint8_t[]){
1779 0x08, 0x41, 0x14, 0x98, 0x00, 0x71, 0x53, 0x2c, 0x16, 0x19, 0x04,
1780 0x60, 0xbc, 0xfc, 0x47, 0xfd, 0xc2, 0x65, 0x3a, 0xfa, 0x29, 0x2c,
1781 0x72, 0xb3, 0x7f, 0xf8, 0x63, 0xae, 0x29, 0xcc, 0xc9, 0xf0,
1782 },
1783 32, "Google 'Xenon2019' log" },
1784 { (const uint8_t[]){
1785 0xa8, 0x99, 0xd8, 0x78, 0x0c, 0x92, 0x90, 0xaa, 0xf4, 0x62, 0xf3,
1786 0x18, 0x80, 0xcc, 0xfb, 0xd5, 0x24, 0x51, 0xe9, 0x70, 0xd0, 0xfb,
1787 0xf5, 0x91, 0xef, 0x75, 0xb0, 0xd9, 0x9b, 0x64, 0x56, 0x81,
1788 },
1789 32, "Google 'Submariner' log" },
1790 { (const uint8_t[]){
1791 0x1d, 0x02, 0x4b, 0x8e, 0xb1, 0x49, 0x8b, 0x34, 0x4d, 0xfd, 0x87,
1792 0xea, 0x3e, 0xfc, 0x09, 0x96, 0xf7, 0x50, 0x6f, 0x23, 0x5d, 0x1d,
1793 0x49, 0x70, 0x61, 0xa4, 0x77, 0x3c, 0x43, 0x9c, 0x25, 0xfb,
1794 },
1795 32, "Google 'Daedalus' log" },
1796 { (const uint8_t[]){
1797 0xb0, 0xcc, 0x83, 0xe5, 0xa5, 0xf9, 0x7d, 0x6b, 0xaf, 0x7c, 0x09,
1798 0xcc, 0x28, 0x49, 0x04, 0x87, 0x2a, 0xc7, 0xe8, 0x8b, 0x13, 0x2c,
1799 0x63, 0x50, 0xb7, 0xc6, 0xfd, 0x26, 0xe1, 0x6c, 0x6c, 0x77,
1800 },
1801 32, "Google 'Testtube' log" },
1802 { (const uint8_t[]){
1803 0xc3, 0xbf, 0x03, 0xa7, 0xe1, 0xca, 0x88, 0x41, 0xc6, 0x07, 0xba,
1804 0xe3, 0xff, 0x42, 0x70, 0xfc, 0xa5, 0xec, 0x45, 0xb1, 0x86, 0xeb,
1805 0xbe, 0x4e, 0x2c, 0xf3, 0xfc, 0x77, 0x86, 0x30, 0xf5, 0xf6,
1806 },
1807 32, "Google 'Crucible' log" },
1808 { (const uint8_t[]){
1809 0x52, 0xeb, 0x4b, 0x22, 0x5e, 0xc8, 0x96, 0x97, 0x48, 0x50, 0x67,
1810 0x5f, 0x23, 0xe4, 0x3b, 0xc1, 0xd0, 0x21, 0xe3, 0x21, 0x4c, 0xe5,
1811 0x2e, 0xcd, 0x5f, 0xa8, 0x7c, 0x20, 0x3c, 0xdf, 0xca, 0x03,
1812 },
1813 32, "Google 'Solera2018' log" },
1814 { (const uint8_t[]){
1815 0x0b, 0x76, 0x0e, 0x9a, 0x8b, 0x9a, 0x68, 0x2f, 0x88, 0x98, 0x5b,
1816 0x15, 0xe9, 0x47, 0x50, 0x1a, 0x56, 0x44, 0x6b, 0xba, 0x88, 0x30,
1817 0x78, 0x5c, 0x38, 0x42, 0x99, 0x43, 0x86, 0x45, 0x0c, 0x00,
1818 },
1819 32, "Google 'Solera2019' log" },
1820 { (const uint8_t[]){
1821 0x1f, 0xc7, 0x2c, 0xe5, 0xa1, 0xb7, 0x99, 0xf4, 0x00, 0xc3, 0x59,
1822 0xbf, 0xf9, 0x6c, 0xa3, 0x91, 0x35, 0x48, 0xe8, 0x64, 0x42, 0x20,
1823 0x61, 0x09, 0x52, 0xe9, 0xba, 0x17, 0x74, 0xf7, 0xba, 0xc7,
1824 },
1825 32, "Google 'Solera2020' log" },
1826 { (const uint8_t[]){
1827 0xa3, 0xc9, 0x98, 0x45, 0xe8, 0x0a, 0xb7, 0xce, 0x00, 0x15, 0x7b,
1828 0x37, 0x42, 0xdf, 0x02, 0x07, 0xdd, 0x27, 0x2b, 0x2b, 0x60, 0x2e,
1829 0xcf, 0x98, 0xee, 0x2c, 0x12, 0xdb, 0x9c, 0x5a, 0xe7, 0xe7,
1830 },
1831 32, "Google 'Solera2021' log" },
1832 { (const uint8_t[]){
1833 0x69, 0x7a, 0xaf, 0xca, 0x1a, 0x6b, 0x53, 0x6f, 0xae, 0x21, 0x20,
1834 0x50, 0x46, 0xde, 0xba, 0xd7, 0xe0, 0xea, 0xea, 0x13, 0xd2, 0x43,
1835 0x2e, 0x6e, 0x9d, 0x8f, 0xb3, 0x79, 0xf2, 0xb9, 0xaa, 0xf3,
1836 },
1837 32, "Google 'Solera2022' log" },
1838 { (const uint8_t[]){
1839 0xf9, 0x7e, 0x97, 0xb8, 0xd3, 0x3e, 0xf7, 0xa1, 0x59, 0x02, 0xa5,
1840 0x3a, 0x19, 0xe1, 0x79, 0x90, 0xe5, 0xdc, 0x40, 0x6a, 0x03, 0x18,
1841 0x25, 0xba, 0xad, 0x93, 0xe9, 0x8f, 0x9b, 0x9c, 0x69, 0xcb,
1842 },
1843 32, "Google 'Solera2023' log" },
1844 { (const uint8_t[]){
1845 0x30, 0x24, 0xce, 0x7e, 0xeb, 0x16, 0x88, 0x62, 0x72, 0x4b, 0xea,
1846 0x70, 0x2e, 0xff, 0xf9, 0x92, 0xcf, 0xe4, 0x56, 0x43, 0x41, 0x91,
1847 0xaa, 0x59, 0x5b, 0x25, 0xf8, 0x02, 0x26, 0xc8, 0x00, 0x17,
1848 },
1849 32, "Google 'Solera2024' log" },
1850 { (const uint8_t[]){
1851 0x3f, 0xe1, 0xcb, 0x46, 0xed, 0x47, 0x35, 0x79, 0xaf, 0x01, 0x41,
1852 0xf9, 0x72, 0x4d, 0x9d, 0xc4, 0x43, 0x47, 0x2d, 0x75, 0x6e, 0x85,
1853 0xe7, 0x71, 0x9c, 0x55, 0x82, 0x48, 0x5d, 0xd4, 0xe1, 0xe4,
1854 },
1855 32, "Google 'Solera2025h1' log" },
1856 { (const uint8_t[]){
1857 0x26, 0x02, 0x39, 0x48, 0x87, 0x4c, 0xf7, 0xfc, 0xd0, 0xfb, 0x64,
1858 0x71, 0xa4, 0x3e, 0x84, 0x7e, 0xbb, 0x20, 0x0a, 0xe6, 0xe2, 0xfa,
1859 0x24, 0x23, 0x6d, 0xf6, 0xd1, 0xa6, 0x06, 0x63, 0x0f, 0xb1,
1860 },
1861 32, "Google 'Solera2025h2' log" },
1862 { (const uint8_t[]){
1863 0xc8, 0x4b, 0x90, 0x7a, 0x07, 0xbe, 0xaa, 0x29, 0xa6, 0x14, 0xc2,
1864 0x45, 0x84, 0xb7, 0xa3, 0xf6, 0x62, 0x43, 0x94, 0x68, 0x7b, 0x25,
1865 0xfe, 0x62, 0x83, 0x8b, 0x71, 0xec, 0x42, 0x2a, 0xd2, 0xf9,
1866 },
1867 32, "Google 'Solera2026h1' log" },
1868 { (const uint8_t[]){
1869 0x62, 0xe9, 0x00, 0x60, 0x04, 0xa3, 0x07, 0x95, 0x5a, 0x75, 0x44,
1870 0xb4, 0xd5, 0x84, 0xa9, 0x62, 0x68, 0xca, 0x1d, 0x6e, 0x45, 0x85,
1871 0xad, 0xf0, 0x91, 0x6d, 0xfe, 0x5f, 0xdc, 0x1f, 0x04, 0xdb,
1872 },
1873 32, "Google 'Solera2026h2' log" },
1874 { (const uint8_t[]){
1875 0x3d, 0xe4, 0x92, 0xa8, 0x98, 0x93, 0xad, 0x70, 0x5e, 0x78, 0x46,
1876 0xed, 0x21, 0xd4, 0x8d, 0xca, 0xfb, 0xad, 0x13, 0x9e, 0xa6, 0x4e,
1877 0xd1, 0xe3, 0x49, 0xf9, 0x00, 0xb0, 0xa2, 0xcd, 0xa5, 0xe2,
1878 },
1879 32, "Google 'Solera2027h1' log" },
1880 { (const uint8_t[]){
1881 0x5e, 0xa7, 0x73, 0xf9, 0xdf, 0x56, 0xc0, 0xe7, 0xb5, 0x36, 0x48,
1882 0x7d, 0xd0, 0x49, 0xe0, 0x32, 0x7a, 0x91, 0x9a, 0x0c, 0x84, 0xa1,
1883 0x12, 0x12, 0x84, 0x18, 0x75, 0x96, 0x81, 0x71, 0x45, 0x58,
1884 },
1885 32, "Cloudflare 'Nimbus2020' Log" },
1886 { (const uint8_t[]){
1887 0x44, 0x94, 0x65, 0x2e, 0xb0, 0xee, 0xce, 0xaf, 0xc4, 0x40, 0x07,
1888 0xd8, 0xa8, 0xfe, 0x28, 0xc0, 0xda, 0xe6, 0x82, 0xbe, 0xd8, 0xcb,
1889 0x31, 0xb5, 0x3f, 0xd3, 0x33, 0x96, 0xb5, 0xb6, 0x81, 0xa8,
1890 },
1891 32, "Cloudflare 'Nimbus2021' Log" },
1892 { (const uint8_t[]){
1893 0x41, 0xc8, 0xca, 0xb1, 0xdf, 0x22, 0x46, 0x4a, 0x10, 0xc6, 0xa1,
1894 0x3a, 0x09, 0x42, 0x87, 0x5e, 0x4e, 0x31, 0x8b, 0x1b, 0x03, 0xeb,
1895 0xeb, 0x4b, 0xc7, 0x68, 0xf0, 0x90, 0x62, 0x96, 0x06, 0xf6,
1896 },
1897 32, "Cloudflare 'Nimbus2022' Log" },
1898 { (const uint8_t[]){
1899 0x7a, 0x32, 0x8c, 0x54, 0xd8, 0xb7, 0x2d, 0xb6, 0x20, 0xea, 0x38,
1900 0xe0, 0x52, 0x1e, 0xe9, 0x84, 0x16, 0x70, 0x32, 0x13, 0x85, 0x4d,
1901 0x3b, 0xd2, 0x2b, 0xc1, 0x3a, 0x57, 0xa3, 0x52, 0xeb, 0x52,
1902 },
1903 32, "Cloudflare 'Nimbus2023' Log" },
1904 { (const uint8_t[]){
1905 0xda, 0xb6, 0xbf, 0x6b, 0x3f, 0xb5, 0xb6, 0x22, 0x9f, 0x9b, 0xc2,
1906 0xbb, 0x5c, 0x6b, 0xe8, 0x70, 0x91, 0x71, 0x6c, 0xbb, 0x51, 0x84,
1907 0x85, 0x34, 0xbd, 0xa4, 0x3d, 0x30, 0x48, 0xd7, 0xfb, 0xab,
1908 },
1909 32, "Cloudflare 'Nimbus2024' Log" },
1910 { (const uint8_t[]){
1911 0xcc, 0xfb, 0x0f, 0x6a, 0x85, 0x71, 0x09, 0x65, 0xfe, 0x95, 0x9b,
1912 0x53, 0xce, 0xe9, 0xb2, 0x7c, 0x22, 0xe9, 0x85, 0x5c, 0x0d, 0x97,
1913 0x8d, 0xb6, 0xa9, 0x7e, 0x54, 0xc0, 0xfe, 0x4c, 0x0d, 0xb0,
1914 },
1915 32, "Cloudflare 'Nimbus2025'" },
1916 { (const uint8_t[]){
1917 0xcb, 0x38, 0xf7, 0x15, 0x89, 0x7c, 0x84, 0xa1, 0x44, 0x5f, 0x5b,
1918 0xc1, 0xdd, 0xfb, 0xc9, 0x6e, 0xf2, 0x9a, 0x59, 0xcd, 0x47, 0x0a,
1919 0x69, 0x05, 0x85, 0xb0, 0xcb, 0x14, 0xc3, 0x14, 0x58, 0xe7,
1920 },
1921 32, "Cloudflare 'Nimbus2026'" },
1922 { (const uint8_t[]){
1923 0x4c, 0x63, 0xdc, 0x98, 0xe5, 0x9c, 0x1d, 0xab, 0x88, 0xf6, 0x1e,
1924 0x8a, 0x3d, 0xde, 0xae, 0x8f, 0xab, 0x44, 0xa3, 0x37, 0x7b, 0x5f,
1925 0x9b, 0x94, 0xc3, 0xfb, 0xa1, 0x9c, 0xfc, 0xc1, 0xbe, 0x26,
1926 },
1927 32, "Cloudflare 'Nimbus2027'" },
1928 { (const uint8_t[]){
1929 0x1f, 0xbc, 0x36, 0xe0, 0x02, 0xed, 0xe9, 0x7f, 0x40, 0x19, 0x9e,
1930 0x86, 0xb3, 0x57, 0x3b, 0x8a, 0x42, 0x17, 0xd8, 0x01, 0x87, 0x74,
1931 0x6a, 0xd0, 0xda, 0x03, 0xa0, 0x60, 0x54, 0xd2, 0x0d, 0xf4,
1932 },
1933 32, "Cloudflare 'Nimbus2017' Log" },
1934 { (const uint8_t[]){
1935 0xdb, 0x74, 0xaf, 0xee, 0xcb, 0x29, 0xec, 0xb1, 0xfe, 0xca, 0x3e,
1936 0x71, 0x6d, 0x2c, 0xe5, 0xb9, 0xaa, 0xbb, 0x36, 0xf7, 0x84, 0x71,
1937 0x83, 0xc7, 0x5d, 0x9d, 0x4f, 0x37, 0xb6, 0x1f, 0xbf, 0x64,
1938 },
1939 32, "Cloudflare 'Nimbus2018' Log" },
1940 { (const uint8_t[]){
1941 0x74, 0x7e, 0xda, 0x83, 0x31, 0xad, 0x33, 0x10, 0x91, 0x21, 0x9c,
1942 0xce, 0x25, 0x4f, 0x42, 0x70, 0xc2, 0xbf, 0xfd, 0x5e, 0x42, 0x20,
1943 0x08, 0xc6, 0x37, 0x35, 0x79, 0xe6, 0x10, 0x7b, 0xcc, 0x56,
1944 },
1945 32, "Cloudflare 'Nimbus2019' Log" },
1946 { (const uint8_t[]){
1947 0x56, 0x14, 0x06, 0x9a, 0x2f, 0xd7, 0xc2, 0xec, 0xd3, 0xf5, 0xe1,
1948 0xbd, 0x44, 0xb2, 0x3e, 0xc7, 0x46, 0x76, 0xb9, 0xbc, 0x99, 0x11,
1949 0x5c, 0xc0, 0xef, 0x94, 0x98, 0x55, 0xd6, 0x89, 0xd0, 0xdd,
1950 },
1951 32, "DigiCert Log Server" },
1952 { (const uint8_t[]){
1953 0x87, 0x75, 0xbf, 0xe7, 0x59, 0x7c, 0xf8, 0x8c, 0x43, 0x99, 0x5f,
1954 0xbd, 0xf3, 0x6e, 0xff, 0x56, 0x8d, 0x47, 0x56, 0x36, 0xff, 0x4a,
1955 0xb5, 0x60, 0xc1, 0xb4, 0xea, 0xff, 0x5e, 0xa0, 0x83, 0x0f,
1956 },
1957 32, "DigiCert Log Server 2" },
1958 { (const uint8_t[]){
1959 0xf0, 0x95, 0xa4, 0x59, 0xf2, 0x00, 0xd1, 0x82, 0x40, 0x10, 0x2d,
1960 0x2f, 0x93, 0x88, 0x8e, 0xad, 0x4b, 0xfe, 0x1d, 0x47, 0xe3, 0x99,
1961 0xe1, 0xd0, 0x34, 0xa6, 0xb0, 0xa8, 0xaa, 0x8e, 0xb2, 0x73,
1962 },
1963 32, "DigiCert Yeti2020 Log" },
1964 { (const uint8_t[]){
1965 0x5c, 0xdc, 0x43, 0x92, 0xfe, 0xe6, 0xab, 0x45, 0x44, 0xb1, 0x5e,
1966 0x9a, 0xd4, 0x56, 0xe6, 0x10, 0x37, 0xfb, 0xd5, 0xfa, 0x47, 0xdc,
1967 0xa1, 0x73, 0x94, 0xb2, 0x5e, 0xe6, 0xf6, 0xc7, 0x0e, 0xca,
1968 },
1969 32, "DigiCert Yeti2021 Log" },
1970 { (const uint8_t[]){
1971 0x22, 0x45, 0x45, 0x07, 0x59, 0x55, 0x24, 0x56, 0x96, 0x3f, 0xa1,
1972 0x2f, 0xf1, 0xf7, 0x6d, 0x86, 0xe0, 0x23, 0x26, 0x63, 0xad, 0xc0,
1973 0x4b, 0x7f, 0x5d, 0xc6, 0x83, 0x5c, 0x6e, 0xe2, 0x0f, 0x02,
1974 },
1975 32, "DigiCert Yeti2022 Log" },
1976 { (const uint8_t[]){
1977 0x35, 0xcf, 0x19, 0x1b, 0xbf, 0xb1, 0x6c, 0x57, 0xbf, 0x0f, 0xad,
1978 0x4c, 0x6d, 0x42, 0xcb, 0xbb, 0xb6, 0x27, 0x20, 0x26, 0x51, 0xea,
1979 0x3f, 0xe1, 0x2a, 0xef, 0xa8, 0x03, 0xc3, 0x3b, 0xd6, 0x4c,
1980 },
1981 32, "DigiCert Yeti2023 Log" },
1982 { (const uint8_t[]){
1983 0x48, 0xb0, 0xe3, 0x6b, 0xda, 0xa6, 0x47, 0x34, 0x0f, 0xe5, 0x6a,
1984 0x02, 0xfa, 0x9d, 0x30, 0xeb, 0x1c, 0x52, 0x01, 0xcb, 0x56, 0xdd,
1985 0x2c, 0x81, 0xd9, 0xbb, 0xbf, 0xab, 0x39, 0xd8, 0x84, 0x73,
1986 },
1987 32, "DigiCert Yeti2024 Log" },
1988 { (const uint8_t[]){
1989 0x7d, 0x59, 0x1e, 0x12, 0xe1, 0x78, 0x2a, 0x7b, 0x1c, 0x61, 0x67,
1990 0x7c, 0x5e, 0xfd, 0xf8, 0xd0, 0x87, 0x5c, 0x14, 0xa0, 0x4e, 0x95,
1991 0x9e, 0xb9, 0x03, 0x2f, 0xd9, 0x0e, 0x8c, 0x2e, 0x79, 0xb8,
1992 },
1993 32, "DigiCert Yeti2025 Log" },
1994 { (const uint8_t[]){
1995 0xc6, 0x52, 0xa0, 0xec, 0x48, 0xce, 0xb3, 0xfc, 0xab, 0x17, 0x09,
1996 0x92, 0xc4, 0x3a, 0x87, 0x41, 0x33, 0x09, 0xe8, 0x00, 0x65, 0xa2,
1997 0x62, 0x52, 0x40, 0x1b, 0xa3, 0x36, 0x2a, 0x17, 0xc5, 0x65,
1998 },
1999 32, "DigiCert Nessie2020 Log" },
2000 { (const uint8_t[]){
2001 0xee, 0xc0, 0x95, 0xee, 0x8d, 0x72, 0x64, 0x0f, 0x92, 0xe3, 0xc3,
2002 0xb9, 0x1b, 0xc7, 0x12, 0xa3, 0x69, 0x6a, 0x09, 0x7b, 0x4b, 0x6a,
2003 0x1a, 0x14, 0x38, 0xe6, 0x47, 0xb2, 0xcb, 0xed, 0xc5, 0xf9,
2004 },
2005 32, "DigiCert Nessie2021 Log" },
2006 { (const uint8_t[]){
2007 0x51, 0xa3, 0xb0, 0xf5, 0xfd, 0x01, 0x79, 0x9c, 0x56, 0x6d, 0xb8,
2008 0x37, 0x78, 0x8f, 0x0c, 0xa4, 0x7a, 0xcc, 0x1b, 0x27, 0xcb, 0xf7,
2009 0x9e, 0x88, 0x42, 0x9a, 0x0d, 0xfe, 0xd4, 0x8b, 0x05, 0xe5,
2010 },
2011 32, "DigiCert Nessie2022 Log" },
2012 { (const uint8_t[]){
2013 0xb3, 0x73, 0x77, 0x07, 0xe1, 0x84, 0x50, 0xf8, 0x63, 0x86, 0xd6,
2014 0x05, 0xa9, 0xdc, 0x11, 0x09, 0x4a, 0x79, 0x2d, 0xb1, 0x67, 0x0c,
2015 0x0b, 0x87, 0xdc, 0xf0, 0x03, 0x0e, 0x79, 0x36, 0xa5, 0x9a,
2016 },
2017 32, "DigiCert Nessie2023 Log" },
2018 { (const uint8_t[]){
2019 0x73, 0xd9, 0x9e, 0x89, 0x1b, 0x4c, 0x96, 0x78, 0xa0, 0x20, 0x7d,
2020 0x47, 0x9d, 0xe6, 0xb2, 0xc6, 0x1c, 0xd0, 0x51, 0x5e, 0x71, 0x19,
2021 0x2a, 0x8c, 0x6b, 0x80, 0x10, 0x7a, 0xc1, 0x77, 0x72, 0xb5,
2022 },
2023 32, "DigiCert Nessie2024 Log" },
2024 { (const uint8_t[]){
2025 0xe6, 0xd2, 0x31, 0x63, 0x40, 0x77, 0x8c, 0xc1, 0x10, 0x41, 0x06,
2026 0xd7, 0x71, 0xb9, 0xce, 0xc1, 0xd2, 0x40, 0xf6, 0x96, 0x84, 0x86,
2027 0xfb, 0xba, 0x87, 0x32, 0x1d, 0xfd, 0x1e, 0x37, 0x8e, 0x50,
2028 },
2029 32, "DigiCert Nessie2025 Log" },
2030 { (const uint8_t[]){
2031 0xb6, 0x9d, 0xdc, 0xbc, 0x3c, 0x1a, 0xbd, 0xef, 0x6f, 0x9f, 0xd6,
2032 0x0c, 0x88, 0xb1, 0x06, 0x7b, 0x77, 0xf0, 0x82, 0x68, 0x8b, 0x2d,
2033 0x78, 0x65, 0xd0, 0x4b, 0x39, 0xab, 0xe9, 0x27, 0xa5, 0x75,
2034 },
2035 32, "DigiCert 'Wyvern2024h1' Log" },
2036 { (const uint8_t[]){
2037 0x0c, 0x2a, 0xef, 0x2c, 0x4a, 0x5b, 0x98, 0x83, 0xd4, 0xdd, 0xa3,
2038 0x82, 0xfe, 0x50, 0xfb, 0x51, 0x88, 0xb3, 0xe9, 0x73, 0x33, 0xa1,
2039 0xec, 0x53, 0xa0, 0x9d, 0xc9, 0xa7, 0x9d, 0x0d, 0x08, 0x20,
2040 },
2041 32, "DigiCert 'Wyvern2024h2' Log" },
2042 { (const uint8_t[]){
2043 0x73, 0x20, 0x22, 0x0f, 0x08, 0x16, 0x8a, 0xf9, 0xf3, 0xc4, 0xa6,
2044 0x8b, 0x0a, 0xb2, 0x6a, 0x9a, 0x4a, 0x00, 0xee, 0xf5, 0x77, 0x85,
2045 0x8a, 0x08, 0x4d, 0x05, 0x00, 0xd4, 0xa5, 0x42, 0x44, 0x59,
2046 },
2047 32, "DigiCert 'Wyvern2025h1' Log" },
2048 { (const uint8_t[]){
2049 0xed, 0x3c, 0x4b, 0xd6, 0xe8, 0x06, 0xc2, 0xa4, 0xa2, 0x00, 0x57,
2050 0xdb, 0xcb, 0x24, 0xe2, 0x38, 0x01, 0xdf, 0x51, 0x2f, 0xed, 0xc4,
2051 0x86, 0xc5, 0x70, 0x0f, 0x20, 0xdd, 0xb7, 0x3e, 0x3f, 0xe0,
2052 },
2053 32, "DigiCert 'Wyvern2025h2' Log" },
2054 { (const uint8_t[]){
2055 0x64, 0x11, 0xc4, 0x6c, 0xa4, 0x12, 0xec, 0xa7, 0x89, 0x1c, 0xa2,
2056 0x02, 0x2e, 0x00, 0xbc, 0xab, 0x4f, 0x28, 0x07, 0xd4, 0x1e, 0x35,
2057 0x27, 0xab, 0xea, 0xfe, 0xd5, 0x03, 0xc9, 0x7d, 0xcd, 0xf0,
2058 },
2059 32, "DigiCert 'Wyvern2026h1'" },
2060 { (const uint8_t[]){
2061 0xc2, 0x31, 0x7e, 0x57, 0x45, 0x19, 0xa3, 0x45, 0xee, 0x7f, 0x38,
2062 0xde, 0xb2, 0x90, 0x41, 0xeb, 0xc7, 0xc2, 0x21, 0x5a, 0x22, 0xbf,
2063 0x7f, 0xd5, 0xb5, 0xad, 0x76, 0x9a, 0xd9, 0x0e, 0x52, 0xcd,
2064 },
2065 32, "DigiCert 'Wyvern2026h2'" },
2066 { (const uint8_t[]){
2067 0x00, 0x1a, 0x5d, 0x1a, 0x1c, 0x2d, 0x93, 0x75, 0xb6, 0x48, 0x55,
2068 0x78, 0xf8, 0x2f, 0x71, 0xa1, 0xae, 0x6e, 0xef, 0x39, 0x7d, 0x29,
2069 0x7c, 0x8a, 0xe3, 0x15, 0x7b, 0xca, 0xde, 0xe1, 0xa0, 0x1e,
2070 },
2071 32, "DigiCert 'Wyvern2027h1'" },
2072 { (const uint8_t[]){
2073 0x37, 0xaa, 0x07, 0xcc, 0x21, 0x6f, 0x2e, 0x6d, 0x91, 0x9c, 0x70,
2074 0x9d, 0x24, 0xd8, 0xf7, 0x31, 0xb0, 0x0f, 0x2b, 0x14, 0x7c, 0x62,
2075 0x1c, 0xc0, 0x91, 0xa5, 0xfa, 0x1a, 0x84, 0xd8, 0x16, 0xdd,
2076 },
2077 32, "DigiCert 'Wyvern2027h2'" },
2078 { (const uint8_t[]){
2079 0xdb, 0x07, 0x6c, 0xde, 0x6a, 0x8b, 0x78, 0xec, 0x58, 0xd6, 0x05,
2080 0x64, 0x96, 0xeb, 0x6a, 0x26, 0xa8, 0xc5, 0x9e, 0x72, 0x12, 0x93,
2081 0xe8, 0xac, 0x03, 0x27, 0xdd, 0xde, 0x89, 0xdb, 0x5a, 0x2a,
2082 },
2083 32, "DigiCert 'Sphinx2024h1' Log" },
2084 { (const uint8_t[]){
2085 0xdc, 0xc9, 0x5e, 0x6f, 0xa2, 0x99, 0xb9, 0xb0, 0xfd, 0xbd, 0x6c,
2086 0xa6, 0xa3, 0x6e, 0x1d, 0x72, 0xc4, 0x21, 0x2f, 0xdd, 0x1e, 0x0f,
2087 0x47, 0x55, 0x3a, 0x36, 0xd6, 0xcf, 0x1a, 0xd1, 0x1d, 0x8d,
2088 },
2089 32, "DigiCert 'Sphinx2024h2' Log" },
2090 { (const uint8_t[]){
2091 0xde, 0x85, 0x81, 0xd7, 0x50, 0x24, 0x7c, 0x6b, 0xcd, 0xcb, 0xaf,
2092 0x56, 0x37, 0xc5, 0xe7, 0x81, 0xc6, 0x4c, 0xe4, 0x6e, 0xd6, 0x17,
2093 0x63, 0x9f, 0x8f, 0x34, 0xa7, 0x26, 0xc9, 0xe2, 0xbd, 0x37,
2094 },
2095 32, "DigiCert 'Sphinx2025h1' Log" },
2096 { (const uint8_t[]){
2097 0xa4, 0x42, 0xc5, 0x06, 0x49, 0x60, 0x61, 0x54, 0x8f, 0x0f, 0xd4,
2098 0xea, 0x9c, 0xfb, 0x7a, 0x2d, 0x26, 0x45, 0x4d, 0x87, 0xa9, 0x7f,
2099 0x2f, 0xdf, 0x45, 0x59, 0xf6, 0x27, 0x4f, 0x3a, 0x84, 0x54,
2100 },
2101 32, "DigiCert 'Sphinx2025h2' Log" },
2102 { (const uint8_t[]){
2103 0x49, 0x9c, 0x9b, 0x69, 0xde, 0x1d, 0x7c, 0xec, 0xfc, 0x36, 0xde,
2104 0xcd, 0x87, 0x64, 0xa6, 0xb8, 0x5b, 0xaf, 0x0a, 0x87, 0x80, 0x19,
2105 0xd1, 0x55, 0x52, 0xfb, 0xe9, 0xeb, 0x29, 0xdd, 0xf8, 0xc3,
2106 },
2107 32, "DigiCert 'Sphinx2026h1'" },
2108 { (const uint8_t[]){
2109 0x94, 0x4e, 0x43, 0x87, 0xfa, 0xec, 0xc1, 0xef, 0x81, 0xf3, 0x19,
2110 0x24, 0x26, 0xa8, 0x18, 0x65, 0x01, 0xc7, 0xd3, 0x5f, 0x38, 0x02,
2111 0x01, 0x3f, 0x72, 0x67, 0x7d, 0x55, 0x37, 0x2e, 0x19, 0xd8,
2112 },
2113 32, "DigiCert 'Sphinx2026h2'" },
2114 { (const uint8_t[]){
2115 0x46, 0xa2, 0x39, 0x67, 0xc6, 0x0d, 0xb6, 0x46, 0x87, 0xc6, 0x6f,
2116 0x3d, 0xf9, 0x99, 0x94, 0x76, 0x93, 0xa6, 0xa6, 0x11, 0x20, 0x84,
2117 0x57, 0xd5, 0x55, 0xe7, 0xe3, 0xd0, 0xa1, 0xd9, 0xb6, 0x46,
2118 },
2119 32, "DigiCert 'sphinx2027h1'" },
2120 { (const uint8_t[]){
2121 0x1f, 0xb0, 0xf8, 0xa9, 0x2d, 0x8a, 0xdd, 0xa1, 0x21, 0x77, 0x6c,
2122 0x05, 0xe2, 0xaa, 0x2e, 0x15, 0xba, 0xcb, 0xc6, 0x2b, 0x65, 0x39,
2123 0x36, 0x95, 0x57, 0x6a, 0xaa, 0xb5, 0x2e, 0x11, 0xd1, 0x1d,
2124 },
2125 32, "DigiCert 'sphinx2027h2'" },
2126 { (const uint8_t[]){
2127 0xdd, 0xeb, 0x1d, 0x2b, 0x7a, 0x0d, 0x4f, 0xa6, 0x20, 0x8b, 0x81,
2128 0xad, 0x81, 0x68, 0x70, 0x7e, 0x2e, 0x8e, 0x9d, 0x01, 0xd5, 0x5c,
2129 0x88, 0x8d, 0x3d, 0x11, 0xc4, 0xcd, 0xb6, 0xec, 0xbe, 0xcc,
2130 },
2131 32, "Symantec log" },
2132 { (const uint8_t[]){
2133 0xbc, 0x78, 0xe1, 0xdf, 0xc5, 0xf6, 0x3c, 0x68, 0x46, 0x49, 0x33,
2134 0x4d, 0xa1, 0x0f, 0xa1, 0x5f, 0x09, 0x79, 0x69, 0x20, 0x09, 0xc0,
2135 0x81, 0xb4, 0xf3, 0xf6, 0x91, 0x7f, 0x3e, 0xd9, 0xb8, 0xa5,
2136 },
2137 32, "Symantec 'Vega' log" },
2138 { (const uint8_t[]){
2139 0x15, 0x97, 0x04, 0x88, 0xd7, 0xb9, 0x97, 0xa0, 0x5b, 0xeb, 0x52,
2140 0x51, 0x2a, 0xde, 0xe8, 0xd2, 0xe8, 0xb4, 0xa3, 0x16, 0x52, 0x64,
2141 0x12, 0x1a, 0x9f, 0xab, 0xfb, 0xd5, 0xf8, 0x5a, 0xd9, 0x3f,
2142 },
2143 32, "Symantec 'Sirius' log" },
2144 { (const uint8_t[]){
2145 0x05, 0x9c, 0x01, 0xd3, 0x20, 0xe0, 0x07, 0x84, 0x13, 0x95, 0x80,
2146 0x49, 0x8d, 0x11, 0x7c, 0x90, 0x32, 0x66, 0xaf, 0xaf, 0x72, 0x50,
2147 0xb5, 0xaf, 0x3b, 0x46, 0xa4, 0x3e, 0x11, 0x84, 0x0d, 0x4a,
2148 },
2149 32, "DigiCert Yeti2022-2 Log" },
2150 { (const uint8_t[]){
2151 0xc1, 0x16, 0x4a, 0xe0, 0xa7, 0x72, 0xd2, 0xd4, 0x39, 0x2d, 0xc8,
2152 0x0a, 0xc1, 0x07, 0x70, 0xd4, 0xf0, 0xc4, 0x9b, 0xde, 0x99, 0x1a,
2153 0x48, 0x40, 0xc1, 0xfa, 0x07, 0x51, 0x64, 0xf6, 0x33, 0x60,
2154 },
2155 32, "DigiCert Yeti2018 Log" },
2156 { (const uint8_t[]){
2157 0xe2, 0x69, 0x4b, 0xae, 0x26, 0xe8, 0xe9, 0x40, 0x09, 0xe8, 0x86,
2158 0x1b, 0xb6, 0x3b, 0x83, 0xd4, 0x3e, 0xe7, 0xfe, 0x74, 0x88, 0xfb,
2159 0xa4, 0x8f, 0x28, 0x93, 0x01, 0x9d, 0xdd, 0xf1, 0xdb, 0xfe,
2160 },
2161 32, "DigiCert Yeti2019 Log" },
2162 { (const uint8_t[]){
2163 0x6f, 0xf1, 0x41, 0xb5, 0x64, 0x7e, 0x42, 0x22, 0xf7, 0xef, 0x05,
2164 0x2c, 0xef, 0xae, 0x7c, 0x21, 0xfd, 0x60, 0x8e, 0x27, 0xd2, 0xaf,
2165 0x5a, 0x6e, 0x9f, 0x4b, 0x8a, 0x37, 0xd6, 0x63, 0x3e, 0xe5,
2166 },
2167 32, "DigiCert Nessie2018 Log" },
2168 { (const uint8_t[]){
2169 0xfe, 0x44, 0x61, 0x08, 0xb1, 0xd0, 0x1a, 0xb7, 0x8a, 0x62, 0xcc,
2170 0xfe, 0xab, 0x6a, 0xb2, 0xb2, 0xba, 0xbf, 0xf3, 0xab, 0xda, 0xd8,
2171 0x0a, 0x4d, 0x8b, 0x30, 0xdf, 0x2d, 0x00, 0x08, 0x83, 0x0c,
2172 },
2173 32, "DigiCert Nessie2019 Log" },
2174 { (const uint8_t[]){
2175 0xa7, 0xce, 0x4a, 0x4e, 0x62, 0x07, 0xe0, 0xad, 0xde, 0xe5, 0xfd,
2176 0xaa, 0x4b, 0x1f, 0x86, 0x76, 0x87, 0x67, 0xb5, 0xd0, 0x02, 0xa5,
2177 0x5d, 0x47, 0x31, 0x0e, 0x7e, 0x67, 0x0a, 0x95, 0xea, 0xb2,
2178 },
2179 32, "Symantec Deneb" },
2180 { (const uint8_t[]){
2181 0xcd, 0xb5, 0x17, 0x9b, 0x7f, 0xc1, 0xc0, 0x46, 0xfe, 0xea, 0x31,
2182 0x13, 0x6a, 0x3f, 0x8f, 0x00, 0x2e, 0x61, 0x82, 0xfa, 0xf8, 0x89,
2183 0x6f, 0xec, 0xc8, 0xb2, 0xf5, 0xb5, 0xab, 0x60, 0x49, 0x00,
2184 },
2185 32, "Certly.IO log" },
2186 { (const uint8_t[]){
2187 0x74, 0x61, 0xb4, 0xa0, 0x9c, 0xfb, 0x3d, 0x41, 0xd7, 0x51, 0x59,
2188 0x57, 0x5b, 0x2e, 0x76, 0x49, 0xa4, 0x45, 0xa8, 0xd2, 0x77, 0x09,
2189 0xb0, 0xcc, 0x56, 0x4a, 0x64, 0x82, 0xb7, 0xeb, 0x41, 0xa3,
2190 },
2191 32, "Izenpe log" },
2192 { (const uint8_t[]){
2193 0x89, 0x41, 0x44, 0x9c, 0x70, 0x74, 0x2e, 0x06, 0xb9, 0xfc, 0x9c,
2194 0xe7, 0xb1, 0x16, 0xba, 0x00, 0x24, 0xaa, 0x36, 0xd5, 0x9a, 0xf4,
2195 0x4f, 0x02, 0x04, 0x40, 0x4f, 0x00, 0xf7, 0xea, 0x85, 0x66,
2196 },
2197 32, "Izenpe 'Argi' log" },
2198 { (const uint8_t[]){
2199 0x41, 0xb2, 0xdc, 0x2e, 0x89, 0xe6, 0x3c, 0xe4, 0xaf, 0x1b, 0xa7,
2200 0xbb, 0x29, 0xbf, 0x68, 0xc6, 0xde, 0xe6, 0xf9, 0xf1, 0xcc, 0x04,
2201 0x7e, 0x30, 0xdf, 0xfa, 0xe3, 0xb3, 0xba, 0x25, 0x92, 0x63,
2202 },
2203 32, "WoSign log" },
2204 { (const uint8_t[]){
2205 0x9e, 0x4f, 0xf7, 0x3d, 0xc3, 0xce, 0x22, 0x0b, 0x69, 0x21, 0x7c,
2206 0x89, 0x9e, 0x46, 0x80, 0x76, 0xab, 0xf8, 0xd7, 0x86, 0x36, 0xd5,
2207 0xcc, 0xfc, 0x85, 0xa3, 0x1a, 0x75, 0x62, 0x8b, 0xa8, 0x8b,
2208 },
2209 32, "WoSign CT log #1" },
2210 { (const uint8_t[]){
2211 0x63, 0xd0, 0x00, 0x60, 0x26, 0xdd, 0xe1, 0x0b, 0xb0, 0x60, 0x1f,
2212 0x45, 0x24, 0x46, 0x96, 0x5e, 0xe2, 0xb6, 0xea, 0x2c, 0xd4, 0xfb,
2213 0xc9, 0x5a, 0xc8, 0x66, 0xa5, 0x50, 0xaf, 0x90, 0x75, 0xb7,
2214 },
2215 32, "WoSign log 2" },
2216 { (const uint8_t[]){
2217 0xac, 0x3b, 0x9a, 0xed, 0x7f, 0xa9, 0x67, 0x47, 0x57, 0x15, 0x9e,
2218 0x6d, 0x7d, 0x57, 0x56, 0x72, 0xf9, 0xd9, 0x81, 0x00, 0x94, 0x1e,
2219 0x9b, 0xde, 0xff, 0xec, 0xa1, 0x31, 0x3b, 0x75, 0x78, 0x2d,
2220 },
2221 32, "Venafi log" },
2222 { (const uint8_t[]){
2223 0x03, 0x01, 0x9d, 0xf3, 0xfd, 0x85, 0xa6, 0x9a, 0x8e, 0xbd, 0x1f,
2224 0xac, 0xc6, 0xda, 0x9b, 0xa7, 0x3e, 0x46, 0x97, 0x74, 0xfe, 0x77,
2225 0xf5, 0x79, 0xfc, 0x5a, 0x08, 0xb8, 0x32, 0x8c, 0x1d, 0x6b,
2226 },
2227 32, "Venafi Gen2 CT log" },
2228 { (const uint8_t[]){
2229 0xa5, 0x77, 0xac, 0x9c, 0xed, 0x75, 0x48, 0xdd, 0x8f, 0x02, 0x5b,
2230 0x67, 0xa2, 0x41, 0x08, 0x9d, 0xf8, 0x6e, 0x0f, 0x47, 0x6e, 0xc2,
2231 0x03, 0xc2, 0xec, 0xbe, 0xdb, 0x18, 0x5f, 0x28, 0x26, 0x38,
2232 },
2233 32, "CNNIC CT log" },
2234 { (const uint8_t[]){
2235 0x34, 0xbb, 0x6a, 0xd6, 0xc3, 0xdf, 0x9c, 0x03, 0xee, 0xa8, 0xa4,
2236 0x99, 0xff, 0x78, 0x91, 0x48, 0x6c, 0x9d, 0x5e, 0x5c, 0xac, 0x92,
2237 0xd0, 0x1f, 0x7b, 0xfd, 0x1b, 0xce, 0x19, 0xdb, 0x48, 0xef,
2238 },
2239 32, "StartCom log" },
2240 { (const uint8_t[]){
2241 0x55, 0x81, 0xd4, 0xc2, 0x16, 0x90, 0x36, 0x01, 0x4a, 0xea, 0x0b,
2242 0x9b, 0x57, 0x3c, 0x53, 0xf0, 0xc0, 0xe4, 0x38, 0x78, 0x70, 0x25,
2243 0x08, 0x17, 0x2f, 0xa3, 0xaa, 0x1d, 0x07, 0x13, 0xd3, 0x0c,
2244 },
2245 32, "Sectigo 'Sabre' CT log" },
2246 { (const uint8_t[]){
2247 0xa2, 0xe2, 0xbf, 0xd6, 0x1e, 0xde, 0x2f, 0x2f, 0x07, 0xa0, 0xd6,
2248 0x4e, 0x6d, 0x37, 0xa7, 0xdc, 0x65, 0x43, 0xb0, 0xc6, 0xb5, 0x2e,
2249 0xa2, 0xda, 0xb7, 0x8a, 0xf8, 0x9a, 0x6d, 0xf5, 0x17, 0xd8,
2250 },
2251 32, "Sectigo 'Sabre2024h1'" },
2252 { (const uint8_t[]){
2253 0x19, 0x98, 0x10, 0x71, 0x09, 0xf0, 0xd6, 0x52, 0x2e, 0x30, 0x80,
2254 0xd2, 0x9e, 0x3f, 0x64, 0xbb, 0x83, 0x6e, 0x28, 0xcc, 0xf9, 0x0f,
2255 0x52, 0x8e, 0xee, 0xdf, 0xce, 0x4a, 0x3f, 0x16, 0xb4, 0xca,
2256 },
2257 32, "Sectigo 'Sabre2024h2'" },
2258 { (const uint8_t[]){
2259 0xe0, 0x92, 0xb3, 0xfc, 0x0c, 0x1d, 0xc8, 0xe7, 0x68, 0x36, 0x1f,
2260 0xde, 0x61, 0xb9, 0x96, 0x4d, 0x0a, 0x52, 0x78, 0x19, 0x8a, 0x72,
2261 0xd6, 0x72, 0xc4, 0xb0, 0x4d, 0xa5, 0x6d, 0x6f, 0x54, 0x04,
2262 },
2263 32, "Sectigo 'Sabre2025h1'" },
2264 { (const uint8_t[]){
2265 0x1a, 0x04, 0xff, 0x49, 0xd0, 0x54, 0x1d, 0x40, 0xaf, 0xf6, 0xa0,
2266 0xc3, 0xbf, 0xf1, 0xd8, 0xc4, 0x67, 0x2f, 0x4e, 0xec, 0xee, 0x23,
2267 0x40, 0x68, 0x98, 0x6b, 0x17, 0x40, 0x2e, 0xdc, 0x89, 0x7d,
2268 },
2269 32, "Sectigo 'Sabre2025h2'" },
2270 { (const uint8_t[]){
2271 0x6f, 0x53, 0x76, 0xac, 0x31, 0xf0, 0x31, 0x19, 0xd8, 0x99, 0x00,
2272 0xa4, 0x51, 0x15, 0xff, 0x77, 0x15, 0x1c, 0x11, 0xd9, 0x02, 0xc1,
2273 0x00, 0x29, 0x06, 0x8d, 0xb2, 0x08, 0x9a, 0x37, 0xd9, 0x13,
2274 },
2275 32, "Sectigo 'Mammoth' CT log" },
2276 { (const uint8_t[]){
2277 0x29, 0xd0, 0x3a, 0x1b, 0xb6, 0x74, 0xaa, 0x71, 0x1c, 0xd3, 0x03,
2278 0x5b, 0x65, 0x57, 0xc1, 0x4f, 0x8a, 0xa7, 0x8b, 0x4f, 0xe8, 0x38,
2279 0x94, 0x49, 0xec, 0xa4, 0x53, 0xf9, 0x44, 0xbd, 0x24, 0x68,
2280 },
2281 32, "Sectigo 'Mammoth2024h1'" },
2282 { (const uint8_t[]){
2283 0x50, 0x85, 0x01, 0x58, 0xdc, 0xb6, 0x05, 0x95, 0xc0, 0x0e, 0x92,
2284 0xa8, 0x11, 0x02, 0xec, 0xcd, 0xfe, 0x3f, 0x6b, 0x78, 0x58, 0x42,
2285 0x9f, 0x57, 0x98, 0x35, 0x38, 0xc9, 0xda, 0x52, 0x50, 0x63,
2286 },
2287 32, "Sectigo 'Mammoth2024h1b'" },
2288 { (const uint8_t[]){
2289 0xdf, 0xe1, 0x56, 0xeb, 0xaa, 0x05, 0xaf, 0xb5, 0x9c, 0x0f, 0x86,
2290 0x71, 0x8d, 0xa8, 0xc0, 0x32, 0x4e, 0xae, 0x56, 0xd9, 0x6e, 0xa7,
2291 0xf5, 0xa5, 0x6a, 0x01, 0xd1, 0xc1, 0x3b, 0xbe, 0x52, 0x5c,
2292 },
2293 32, "Sectigo 'Mammoth2024h2'" },
2294 { (const uint8_t[]){
2295 0x13, 0x4a, 0xdf, 0x1a, 0xb5, 0x98, 0x42, 0x09, 0x78, 0x0c, 0x6f,
2296 0xef, 0x4c, 0x7a, 0x91, 0xa4, 0x16, 0xb7, 0x23, 0x49, 0xce, 0x58,
2297 0x57, 0x6a, 0xdf, 0xae, 0xda, 0xa7, 0xc2, 0xab, 0xe0, 0x22,
2298 },
2299 32, "Sectigo 'Mammoth2025h1'" },
2300 { (const uint8_t[]){
2301 0xaf, 0x18, 0x1a, 0x28, 0xd6, 0x8c, 0xa3, 0xe0, 0xa9, 0x8a, 0x4c,
2302 0x9c, 0x67, 0xab, 0x09, 0xf8, 0xbb, 0xbc, 0x22, 0xba, 0xae, 0xbc,
2303 0xb1, 0x38, 0xa3, 0xa1, 0x9d, 0xd3, 0xf9, 0xb6, 0x03, 0x0d,
2304 },
2305 32, "Sectigo 'Mammoth2025h2'" },
2306 { (const uint8_t[]){
2307 0x25, 0x2f, 0x94, 0xc2, 0x2b, 0x29, 0xe9, 0x6e, 0x9f, 0x41, 0x1a,
2308 0x72, 0x07, 0x2b, 0x69, 0x5c, 0x5b, 0x52, 0xff, 0x97, 0xa9, 0x0d,
2309 0x25, 0x40, 0xbb, 0xfc, 0xdc, 0x51, 0xec, 0x4d, 0xee, 0x0b,
2310 },
2311 32, "Sectigo 'Mammoth2026h1'" },
2312 { (const uint8_t[]){
2313 0x94, 0xb1, 0xc1, 0x8a, 0xb0, 0xd0, 0x57, 0xc4, 0x7b, 0xe0, 0xac,
2314 0x04, 0x0e, 0x1f, 0x2c, 0xbc, 0x8d, 0xc3, 0x75, 0x72, 0x7b, 0xc9,
2315 0x51, 0xf2, 0x0a, 0x52, 0x61, 0x26, 0x86, 0x3b, 0xa7, 0x3c,
2316 },
2317 32, "Sectigo 'Mammoth2026h2'" },
2318 { (const uint8_t[]){
2319 0x56, 0x6c, 0xd5, 0xa3, 0x76, 0xbe, 0x83, 0xdf, 0xe3, 0x42, 0xb6,
2320 0x75, 0xc4, 0x9c, 0x23, 0x24, 0x98, 0xa7, 0x69, 0xba, 0xc3, 0x82,
2321 0xcb, 0xab, 0x49, 0xa3, 0x87, 0x7d, 0x9a, 0xb3, 0x2d, 0x01,
2322 },
2323 32, "Sectigo 'Sabre2026h1'" },
2324 { (const uint8_t[]){
2325 0x1f, 0x56, 0xd1, 0xab, 0x94, 0x70, 0x4a, 0x41, 0xdd, 0x3f, 0xea,
2326 0xfd, 0xf4, 0x69, 0x93, 0x55, 0x30, 0x2c, 0x14, 0x31, 0xbf, 0xe6,
2327 0x13, 0x46, 0x08, 0x9f, 0xff, 0xae, 0x79, 0x5d, 0xcc, 0x2f,
2328 },
2329 32, "Sectigo 'Sabre2026h2'" },
2330 { (const uint8_t[]){
2331 0x0d, 0x1d, 0xbc, 0x89, 0x44, 0xe9, 0xf5, 0x00, 0x55, 0x42, 0xd7,
2332 0x2d, 0x3e, 0x14, 0x4c, 0xcc, 0x43, 0x08, 0x2a, 0xb6, 0xea, 0x1e,
2333 0x94, 0xdf, 0xd7, 0x06, 0x65, 0x7d, 0x2e, 0x86, 0xf3, 0x01,
2334 },
2335 32, "Sectigo 'Elephant2025h2'" },
2336 { (const uint8_t[]){
2337 0xd1, 0x6e, 0xa9, 0xa5, 0x68, 0x07, 0x7e, 0x66, 0x35, 0xa0, 0x3f,
2338 0x37, 0xa5, 0xdd, 0xbc, 0x03, 0xa5, 0x3c, 0x41, 0x12, 0x14, 0xd4,
2339 0x88, 0x18, 0xf5, 0xe9, 0x31, 0xb3, 0x23, 0xcb, 0x95, 0x04,
2340 },
2341 32, "Sectigo 'Elephant2026h1'" },
2342 { (const uint8_t[]){
2343 0xaf, 0x67, 0x88, 0x3b, 0x57, 0xb0, 0x4e, 0xdd, 0x8f, 0xa6, 0xd9,
2344 0x7e, 0xf6, 0x2e, 0xa8, 0xeb, 0x81, 0x0a, 0xc7, 0x71, 0x60, 0xf0,
2345 0x24, 0x5e, 0x55, 0xd6, 0x0c, 0x2f, 0xe7, 0x85, 0x87, 0x3a,
2346 },
2347 32, "Sectigo 'Elephant2026h2'" },
2348 { (const uint8_t[]){
2349 0x60, 0x4c, 0x9a, 0xaf, 0x7a, 0x7f, 0x77, 0x5f, 0x01, 0xd4, 0x06,
2350 0xfc, 0x92, 0x0d, 0xc8, 0x99, 0xeb, 0x0b, 0x1c, 0x7d, 0xf8, 0xc9,
2351 0x52, 0x1b, 0xfa, 0xfa, 0x17, 0x77, 0x3b, 0x97, 0x8b, 0xc9,
2352 },
2353 32, "Sectigo 'Elephant2027h1'" },
2354 { (const uint8_t[]){
2355 0xa2, 0x49, 0x0c, 0xdc, 0xdb, 0x8e, 0x33, 0xa4, 0x00, 0x32, 0x17,
2356 0x60, 0xd6, 0xd4, 0xd5, 0x1a, 0x20, 0x36, 0x19, 0x1e, 0xa7, 0x7d,
2357 0x96, 0x8b, 0xe2, 0x6a, 0x8a, 0x00, 0xf6, 0xff, 0xff, 0xf7,
2358 },
2359 32, "Sectigo 'Elephant2027h2'" },
2360 { (const uint8_t[]){
2361 0x5c, 0xa5, 0x77, 0xd2, 0x9b, 0x7f, 0x8b, 0xaf, 0x41, 0x9e, 0xd8,
2362 0xec, 0xab, 0xfb, 0x6d, 0xcb, 0xae, 0xc3, 0x85, 0x37, 0x02, 0xd5,
2363 0x74, 0x6f, 0x17, 0x4d, 0xad, 0x3c, 0x93, 0x4a, 0xa9, 0x6a,
2364 },
2365 32, "Sectigo 'Tiger2025h2'" },
2366 { (const uint8_t[]){
2367 0x16, 0x83, 0x2d, 0xab, 0xf0, 0xa9, 0x25, 0x0f, 0x0f, 0xf0, 0x3a,
2368 0xa5, 0x45, 0xff, 0xc8, 0xbf, 0xc8, 0x23, 0xd0, 0x87, 0x4b, 0xf6,
2369 0x04, 0x29, 0x27, 0xf8, 0xe7, 0x1f, 0x33, 0x13, 0xf5, 0xfa,
2370 },
2371 32, "Sectigo 'Tiger2026h1'" },
2372 { (const uint8_t[]){
2373 0xc8, 0xa3, 0xc4, 0x7f, 0xc7, 0xb3, 0xad, 0xb9, 0x35, 0x6b, 0x01,
2374 0x3f, 0x6a, 0x7a, 0x12, 0x6d, 0xe3, 0x3a, 0x4e, 0x43, 0xa5, 0xc6,
2375 0x46, 0xf9, 0x97, 0xad, 0x39, 0x75, 0x99, 0x1d, 0xcf, 0x9a,
2376 },
2377 32, "Sectigo 'Tiger2026h2'" },
2378 { (const uint8_t[]){
2379 0x1c, 0x9f, 0x68, 0x2c, 0xe9, 0xfa, 0xf0, 0x45, 0x69, 0x50, 0xf8,
2380 0x1b, 0x96, 0x8a, 0x87, 0xdd, 0xdb, 0x32, 0x10, 0xd8, 0x4c, 0xe6,
2381 0xc8, 0xb2, 0xe3, 0x82, 0x52, 0x4a, 0xc4, 0xcf, 0x59, 0x9f,
2382 },
2383 32, "Sectigo 'Tiger2027h1'" },
2384 { (const uint8_t[]){
2385 0x03, 0x80, 0x2a, 0xc2, 0x62, 0xf6, 0xe0, 0x5e, 0x03, 0xf8, 0xbc,
2386 0x6f, 0x7b, 0x98, 0x51, 0x32, 0x4f, 0xd7, 0x6a, 0x3d, 0xf5, 0xb7,
2387 0x59, 0x51, 0x75, 0xe2, 0x22, 0xfb, 0x8e, 0x9b, 0xd5, 0xf6,
2388 },
2389 32, "Sectigo 'Tiger2027h2'" },
2390 { (const uint8_t[]){
2391 0xdb, 0x76, 0xfd, 0xad, 0xac, 0x65, 0xe7, 0xd0, 0x95, 0x08, 0x88,
2392 0x6e, 0x21, 0x59, 0xbd, 0x8b, 0x90, 0x35, 0x2f, 0x5f, 0xea, 0xd3,
2393 0xe3, 0xdc, 0x5e, 0x22, 0xeb, 0x35, 0x0a, 0xcc, 0x7b, 0x98,
2394 },
2395 32, "Sectigo 'Dodo' CT log" },
2396 { (const uint8_t[]){
2397 0xe7, 0x12, 0xf2, 0xb0, 0x37, 0x7e, 0x1a, 0x62, 0xfb, 0x8e, 0xc9,
2398 0x0c, 0x61, 0x84, 0xf1, 0xea, 0x7b, 0x37, 0xcb, 0x56, 0x1d, 0x11,
2399 0x26, 0x5b, 0xf3, 0xe0, 0xf3, 0x4b, 0xf2, 0x41, 0x54, 0x6e,
2400 },
2401 32, "Let's Encrypt 'Oak2020' log" },
2402 { (const uint8_t[]){
2403 0x94, 0x20, 0xbc, 0x1e, 0x8e, 0xd5, 0x8d, 0x6c, 0x88, 0x73, 0x1f,
2404 0x82, 0x8b, 0x22, 0x2c, 0x0d, 0xd1, 0xda, 0x4d, 0x5e, 0x6c, 0x4f,
2405 0x94, 0x3d, 0x61, 0xdb, 0x4e, 0x2f, 0x58, 0x4d, 0xa2, 0xc2,
2406 },
2407 32, "Let's Encrypt 'Oak2021' log" },
2408 { (const uint8_t[]){
2409 0xdf, 0xa5, 0x5e, 0xab, 0x68, 0x82, 0x4f, 0x1f, 0x6c, 0xad, 0xee,
2410 0xb8, 0x5f, 0x4e, 0x3e, 0x5a, 0xea, 0xcd, 0xa2, 0x12, 0xa4, 0x6a,
2411 0x5e, 0x8e, 0x3b, 0x12, 0xc0, 0x20, 0x44, 0x5c, 0x2a, 0x73,
2412 },
2413 32, "Let's Encrypt 'Oak2022' log" },
2414 { (const uint8_t[]){
2415 0xb7, 0x3e, 0xfb, 0x24, 0xdf, 0x9c, 0x4d, 0xba, 0x75, 0xf2, 0x39,
2416 0xc5, 0xba, 0x58, 0xf4, 0x6c, 0x5d, 0xfc, 0x42, 0xcf, 0x7a, 0x9f,
2417 0x35, 0xc4, 0x9e, 0x1d, 0x09, 0x81, 0x25, 0xed, 0xb4, 0x99,
2418 },
2419 32, "Let's Encrypt 'Oak2023' log" },
2420 { (const uint8_t[]){
2421 0x3b, 0x53, 0x77, 0x75, 0x3e, 0x2d, 0xb9, 0x80, 0x4e, 0x8b, 0x30,
2422 0x5b, 0x06, 0xfe, 0x40, 0x3b, 0x67, 0xd8, 0x4f, 0xc3, 0xf4, 0xc7,
2423 0xbd, 0x00, 0x0d, 0x2d, 0x72, 0x6f, 0xe1, 0xfa, 0xd4, 0x17,
2424 },
2425 32, "Let's Encrypt 'Oak2024H1' log" },
2426 { (const uint8_t[]){
2427 0x3f, 0x17, 0x4b, 0x4f, 0xd7, 0x22, 0x47, 0x58, 0x94, 0x1d, 0x65,
2428 0x1c, 0x84, 0xbe, 0x0d, 0x12, 0xed, 0x90, 0x37, 0x7f, 0x1f, 0x85,
2429 0x6a, 0xeb, 0xc1, 0xbf, 0x28, 0x85, 0xec, 0xf8, 0x64, 0x6e,
2430 },
2431 32, "Let's Encrypt 'Oak2024H2' log" },
2432 { (const uint8_t[]){
2433 0xa2, 0xe3, 0x0a, 0xe4, 0x45, 0xef, 0xbd, 0xad, 0x9b, 0x7e, 0x38,
2434 0xed, 0x47, 0x67, 0x77, 0x53, 0xd7, 0x82, 0x5b, 0x84, 0x94, 0xd7,
2435 0x2b, 0x5e, 0x1b, 0x2c, 0xc4, 0xb9, 0x50, 0xa4, 0x47, 0xe7,
2436 },
2437 32, "Let's Encrypt 'Oak2025h1'" },
2438 { (const uint8_t[]){
2439 0x0d, 0xe1, 0xf2, 0x30, 0x2b, 0xd3, 0x0d, 0xc1, 0x40, 0x62, 0x12,
2440 0x09, 0xea, 0x55, 0x2e, 0xfc, 0x47, 0x74, 0x7c, 0xb1, 0xd7, 0xe9,
2441 0x30, 0xef, 0x0e, 0x42, 0x1e, 0xb4, 0x7e, 0x4e, 0xaa, 0x34,
2442 },
2443 32, "Let's Encrypt 'Oak2025h2'" },
2444 { (const uint8_t[]){
2445 0x19, 0x86, 0xd4, 0xc7, 0x28, 0xaa, 0x6f, 0xfe, 0xba, 0x03, 0x6f,
2446 0x78, 0x2a, 0x4d, 0x01, 0x91, 0xaa, 0xce, 0x2d, 0x72, 0x31, 0x0f,
2447 0xae, 0xce, 0x5d, 0x70, 0x41, 0x2d, 0x25, 0x4c, 0xc7, 0xd4,
2448 },
2449 32, "Let's Encrypt 'Oak2026h1'" },
2450 { (const uint8_t[]){
2451 0xac, 0xab, 0x30, 0x70, 0x6c, 0xeb, 0xec, 0x84, 0x31, 0xf4, 0x13,
2452 0xd2, 0xf4, 0x91, 0x5f, 0x11, 0x1e, 0x42, 0x24, 0x43, 0xb1, 0xf2,
2453 0xa6, 0x8c, 0x4f, 0x3c, 0x2b, 0x3b, 0xa7, 0x1e, 0x02, 0xc3,
2454 },
2455 32, "Let's Encrypt 'Oak2026h2'" },
2456 { (const uint8_t[]){
2457 0x65, 0x9b, 0x33, 0x50, 0xf4, 0x3b, 0x12, 0xcc, 0x5e, 0xa5, 0xab,
2458 0x4e, 0xc7, 0x65, 0xd3, 0xfd, 0xe6, 0xc8, 0x82, 0x43, 0x77, 0x77,
2459 0x78, 0xe7, 0x20, 0x03, 0xf9, 0xeb, 0x2b, 0x8c, 0x31, 0x29,
2460 },
2461 32, "Let's Encrypt 'Oak2019' log" },
2462 { (const uint8_t[]){
2463 0x84, 0x9f, 0x5f, 0x7f, 0x58, 0xd2, 0xbf, 0x7b, 0x54, 0xec, 0xbd,
2464 0x74, 0x61, 0x1c, 0xea, 0x45, 0xc4, 0x9c, 0x98, 0xf1, 0xd6, 0x48,
2465 0x1b, 0xc6, 0xf6, 0x9e, 0x8c, 0x17, 0x4f, 0x24, 0xf3, 0xcf,
2466 },
2467 32, "Let's Encrypt 'Testflume2019' log" },
2468 { (const uint8_t[]){
2469 0x23, 0x2d, 0x41, 0xa4, 0xcd, 0xac, 0x87, 0xce, 0xd9, 0xf9, 0x43,
2470 0xf4, 0x68, 0xc2, 0x82, 0x09, 0x5a, 0xe0, 0x9d, 0x30, 0xd6, 0x2e,
2471 0x2f, 0xa6, 0x5d, 0xdc, 0x3b, 0x91, 0x9c, 0x2e, 0x46, 0x8f,
2472 },
2473 32, "Let's Encrypt 'Sapling 2022h2' log" },
2474 { (const uint8_t[]){
2475 0xc1, 0x83, 0x24, 0x0b, 0xf1, 0xa4, 0x50, 0xc7, 0x6f, 0xbb, 0x00,
2476 0x72, 0x69, 0xdc, 0xac, 0x3b, 0xe2, 0x2a, 0x48, 0x05, 0xd4, 0xdb,
2477 0xe0, 0x49, 0x66, 0xc3, 0xc8, 0xab, 0xc4, 0x47, 0xb0, 0x0c,
2478 },
2479 32, "Let's Encrypt 'Sapling 2023h1' log" },
2480 { (const uint8_t[]){
2481 0xc6, 0x3f, 0x22, 0x18, 0xc3, 0x7d, 0x56, 0xa6, 0xaa, 0x06, 0xb5,
2482 0x96, 0xda, 0x8e, 0x53, 0xd4, 0xd7, 0x15, 0x6d, 0x1e, 0x9b, 0xac,
2483 0x8e, 0x44, 0xd2, 0x20, 0x2d, 0xe6, 0x4d, 0x69, 0xd9, 0xdc,
2484 },
2485 32, "Let's Encrypt 'Testflume2020' log" },
2486 { (const uint8_t[]){
2487 0x03, 0xed, 0xf1, 0xda, 0x97, 0x76, 0xb6, 0xf3, 0x8c, 0x34, 0x1e,
2488 0x39, 0xed, 0x9d, 0x70, 0x7a, 0x75, 0x70, 0x36, 0x9c, 0xf9, 0x84,
2489 0x4f, 0x32, 0x7f, 0xe9, 0xe1, 0x41, 0x38, 0x36, 0x1b, 0x60,
2490 },
2491 32, "Let's Encrypt 'Testflume2021' log" },
2492 { (const uint8_t[]){
2493 0x23, 0x27, 0xef, 0xda, 0x35, 0x25, 0x10, 0xdb, 0xc0, 0x19, 0xef,
2494 0x49, 0x1a, 0xe3, 0xff, 0x1c, 0xc5, 0xa4, 0x79, 0xbc, 0xe3, 0x78,
2495 0x78, 0x36, 0x0e, 0xe3, 0x18, 0xcf, 0xfb, 0x64, 0xf8, 0xc8,
2496 },
2497 32, "Let's Encrypt 'Testflume2022' log" },
2498 { (const uint8_t[]){
2499 0x55, 0x34, 0xb7, 0xab, 0x5a, 0x6a, 0xc3, 0xa7, 0xcb, 0xeb, 0xa6,
2500 0x54, 0x87, 0xb2, 0xa2, 0xd7, 0x1b, 0x48, 0xf6, 0x50, 0xfa, 0x17,
2501 0xc5, 0x19, 0x7c, 0x97, 0xa0, 0xcb, 0x20, 0x76, 0xf3, 0xc6,
2502 },
2503 32, "Let's Encrypt 'Testflume2023' log" },
2504 { (const uint8_t[]){
2505 0x29, 0x6a, 0xfa, 0x2d, 0x56, 0x8b, 0xca, 0x0d, 0x2e, 0xa8, 0x44,
2506 0x95, 0x6a, 0xe9, 0x72, 0x1f, 0xc3, 0x5f, 0xa3, 0x55, 0xec, 0xda,
2507 0x99, 0x69, 0x3a, 0xaf, 0xd4, 0x58, 0xa7, 0x1a, 0xef, 0xdd,
2508 },
2509 32, "Let's Encrypt 'Clicky' log" },
2510 { (const uint8_t[]){
2511 0xa5, 0x95, 0x94, 0x3b, 0x53, 0x70, 0xbe, 0xe9, 0x06, 0xe0, 0x05,
2512 0x0d, 0x1f, 0xb5, 0xbb, 0xc6, 0xa4, 0x0e, 0x65, 0xf2, 0x65, 0xae,
2513 0x85, 0x2c, 0x76, 0x36, 0x3f, 0xad, 0xb2, 0x33, 0x36, 0xed,
2514 },
2515 32, "Trust Asia Log2020" },
2516 { (const uint8_t[]){
2517 0xa8, 0xdc, 0x52, 0xf6, 0x3d, 0x6b, 0x24, 0x25, 0xe5, 0x31, 0xe3,
2518 0x7c, 0xf4, 0xe4, 0x4a, 0x71, 0x4f, 0x14, 0x2a, 0x20, 0x80, 0x3b,
2519 0x0d, 0x04, 0xd2, 0xe2, 0xee, 0x06, 0x64, 0x79, 0x4a, 0x23,
2520 },
2521 32, "Trust Asia CT2021" },
2522 { (const uint8_t[]){
2523 0x67, 0x8d, 0xb6, 0x5b, 0x3e, 0x74, 0x43, 0xb6, 0xf3, 0xa3, 0x70,
2524 0xd5, 0xe1, 0x3a, 0xb1, 0xb4, 0x3b, 0xe0, 0xa0, 0xd3, 0x51, 0xf7,
2525 0xca, 0x74, 0x22, 0x50, 0xc7, 0xc6, 0xfa, 0x51, 0xa8, 0x8a,
2526 },
2527 32, "Trust Asia Log2021" },
2528 { (const uint8_t[]){
2529 0xc3, 0x65, 0xf9, 0xb3, 0x65, 0x4f, 0x32, 0x83, 0xc7, 0x9d, 0xa9,
2530 0x8e, 0x93, 0xd7, 0x41, 0x8f, 0x5b, 0xab, 0x7b, 0xe3, 0x25, 0x2c,
2531 0x98, 0xe1, 0xd2, 0xf0, 0x4b, 0xb9, 0xeb, 0x42, 0x7d, 0x23,
2532 },
2533 32, "Trust Asia Log2022" },
2534 { (const uint8_t[]){
2535 0xe8, 0x7e, 0xa7, 0x66, 0x0b, 0xc2, 0x6c, 0xf6, 0x00, 0x2e, 0xf5,
2536 0x72, 0x5d, 0x3f, 0xe0, 0xe3, 0x31, 0xb9, 0x39, 0x3b, 0xb9, 0x2f,
2537 0xbf, 0x58, 0xeb, 0x3b, 0x90, 0x49, 0xda, 0xf5, 0x43, 0x5a,
2538 },
2539 32, "Trust Asia Log2023" },
2540 { (const uint8_t[]){
2541 0x30, 0x6d, 0x29, 0x57, 0x6a, 0xd2, 0x1a, 0x9d, 0x4a, 0xe1, 0x2a,
2542 0xca, 0xd8, 0xaa, 0x8a, 0x78, 0x3a, 0xa6, 0x5a, 0x32, 0x11, 0x60,
2543 0xac, 0xff, 0x5b, 0x0e, 0xee, 0x4c, 0xa3, 0x20, 0x1d, 0x05,
2544 },
2545 32, "Trust Asia Log2024" },
2546 { (const uint8_t[]){
2547 0x87, 0x4f, 0xb5, 0x0d, 0xc0, 0x29, 0xd9, 0x93, 0x1d, 0xe5, 0x73,
2548 0xe9, 0xf2, 0x89, 0x9e, 0x8e, 0x45, 0x33, 0xb3, 0x92, 0xd3, 0x8b,
2549 0x0a, 0x46, 0x25, 0x74, 0xbf, 0x0f, 0xee, 0xb2, 0xfc, 0x1e,
2550 },
2551 32, "Trust Asia Log2024-2" },
2552 { (const uint8_t[]){
2553 0x28, 0xe2, 0x81, 0x38, 0xfd, 0x83, 0x21, 0x45, 0xe9, 0xa9, 0xd6,
2554 0xaa, 0x75, 0x37, 0x6d, 0x83, 0x77, 0xa8, 0x85, 0x12, 0xb3, 0xc0,
2555 0x7f, 0x72, 0x41, 0x48, 0x21, 0xdc, 0xbd, 0xe9, 0x8c, 0x66,
2556 },
2557 32, "TrustAsia Log2025a" },
2558 { (const uint8_t[]){
2559 0x28, 0x2c, 0x8b, 0xdd, 0x81, 0x0f, 0xf9, 0x09, 0x12, 0x0a, 0xce,
2560 0x16, 0xd6, 0xe0, 0xec, 0x20, 0x1b, 0xea, 0x82, 0xa3, 0xa4, 0xaf,
2561 0x19, 0xd9, 0xef, 0xfb, 0x59, 0xe8, 0x3f, 0xdc, 0x42, 0x68,
2562 },
2563 32, "TrustAsia Log2025b" },
2564 { (const uint8_t[]){
2565 0x74, 0xdb, 0x9d, 0x58, 0xf7, 0xd4, 0x7e, 0x9d, 0xfd, 0x78, 0x7a,
2566 0x16, 0x2a, 0x99, 0x1c, 0x18, 0xcf, 0x69, 0x8d, 0xa7, 0xc7, 0x29,
2567 0x91, 0x8c, 0x9a, 0x18, 0xb0, 0x45, 0x0d, 0xba, 0x44, 0xbc,
2568 },
2569 32, "TrustAsia 'log2026a'" },
2570 { (const uint8_t[]){
2571 0x25, 0xb7, 0xef, 0xde, 0xa1, 0x13, 0x01, 0x93, 0xed, 0x93, 0x07,
2572 0x97, 0x70, 0xaa, 0x32, 0x2a, 0x26, 0x62, 0x0d, 0xe3, 0x5a, 0xc8,
2573 0xaa, 0x7c, 0x75, 0x19, 0x7d, 0xe0, 0xb1, 0xa9, 0xe0, 0x65,
2574 },
2575 32, "TrustAsia 'log2026b'" },
2576 { (const uint8_t[]){
2577 0xed, 0xda, 0xeb, 0x81, 0x5c, 0x63, 0x21, 0x34, 0x49, 0xb4, 0x7b,
2578 0xe5, 0x07, 0x79, 0x05, 0xab, 0xd0, 0xd9, 0x31, 0x47, 0xc2, 0x7a,
2579 0xc5, 0x14, 0x6b, 0x3b, 0xc5, 0x8e, 0x43, 0xe9, 0xb6, 0xc7,
2580 },
2581 32, "TrustAsia 'HETU2027'" },
2582 { (const uint8_t[]){
2583 0x45, 0x35, 0x94, 0x98, 0xd9, 0x3a, 0x89, 0xe0, 0x28, 0x03, 0x08,
2584 0xd3, 0x7d, 0x62, 0x6d, 0xc4, 0x23, 0x75, 0x47, 0x58, 0xdc, 0xe0,
2585 0x37, 0x00, 0x36, 0xfb, 0xab, 0x0e, 0xdf, 0x8a, 0x6b, 0xcf,
2586 },
2587 32, "Trust Asia Log1" },
2588 { (const uint8_t[]){
2589 0xc9, 0xcf, 0x89, 0x0a, 0x21, 0x10, 0x9c, 0x66, 0x6c, 0xc1, 0x7a,
2590 0x3e, 0xd0, 0x65, 0xc9, 0x30, 0xd0, 0xe0, 0x13, 0x5a, 0x9f, 0xeb,
2591 0xa8, 0x5a, 0xf1, 0x42, 0x10, 0xb8, 0x07, 0x24, 0x21, 0xaa,
2592 },
2593 32, "GDCA CT log #1" },
2594 { (const uint8_t[]){
2595 0x92, 0x4a, 0x30, 0xf9, 0x09, 0x33, 0x6f, 0xf4, 0x35, 0xd6, 0x99,
2596 0x3a, 0x10, 0xac, 0x75, 0xa2, 0xc6, 0x41, 0x72, 0x8e, 0x7f, 0xc2,
2597 0xd6, 0x59, 0xae, 0x61, 0x88, 0xff, 0xad, 0x40, 0xce, 0x01,
2598 },
2599 32, "GDCA CT log #2" },
2600 { (const uint8_t[]){
2601 0x71, 0x7e, 0xa7, 0x42, 0x09, 0x75, 0xbe, 0x84, 0xa2, 0x72, 0x35,
2602 0x53, 0xf1, 0x77, 0x7c, 0x26, 0xdd, 0x51, 0xaf, 0x4e, 0x10, 0x21,
2603 0x44, 0x09, 0x4d, 0x90, 0x19, 0xb4, 0x62, 0xfb, 0x66, 0x68,
2604 },
2605 32, "GDCA Log 1" },
2606 { (const uint8_t[]){
2607 0x14, 0x30, 0x8d, 0x90, 0xcc, 0xd0, 0x30, 0x13, 0x50, 0x05, 0xc0,
2608 0x1c, 0xa5, 0x26, 0xd8, 0x1e, 0x84, 0xe8, 0x76, 0x24, 0xe3, 0x9b,
2609 0x62, 0x48, 0xe0, 0x8f, 0x72, 0x4a, 0xea, 0x3b, 0xb4, 0x2a,
2610 },
2611 32, "GDCA Log 2" },
2612 { (const uint8_t[]){
2613 0xe0, 0x12, 0x76, 0x29, 0xe9, 0x04, 0x96, 0x56, 0x4e, 0x3d, 0x01,
2614 0x47, 0x98, 0x44, 0x98, 0xaa, 0x48, 0xf8, 0xad, 0xb1, 0x66, 0x00,
2615 0xeb, 0x79, 0x02, 0xa1, 0xef, 0x99, 0x09, 0x90, 0x62, 0x73,
2616 },
2617 32, "PuChuangSiDa CT log" },
2618 { (const uint8_t[]){
2619 0x53, 0x7b, 0x69, 0xa3, 0x56, 0x43, 0x35, 0xa9, 0xc0, 0x49, 0x04,
2620 0xe3, 0x95, 0x93, 0xb2, 0xc2, 0x98, 0xeb, 0x8d, 0x7a, 0x6e, 0x83,
2621 0x02, 0x36, 0x35, 0xc6, 0x27, 0x24, 0x8c, 0xd6, 0xb4, 0x40,
2622 },
2623 32, "Nordu 'flimsy' log" },
2624 { (const uint8_t[]){
2625 0xaa, 0xe7, 0x0b, 0x7f, 0x3c, 0xb8, 0xd5, 0x66, 0xc8, 0x6c, 0x2f,
2626 0x16, 0x97, 0x9c, 0x9f, 0x44, 0x5f, 0x69, 0xab, 0x0e, 0xb4, 0x53,
2627 0x55, 0x89, 0xb2, 0xf7, 0x7a, 0x03, 0x01, 0x04, 0xf3, 0xcd,
2628 },
2629 32, "Nordu 'plausible' log" },
2630 { (const uint8_t[]){
2631 0xcf, 0x55, 0xe2, 0x89, 0x23, 0x49, 0x7c, 0x34, 0x0d, 0x52, 0x06,
2632 0xd0, 0x53, 0x53, 0xae, 0xb2, 0x58, 0x34, 0xb5, 0x2f, 0x1f, 0x8d,
2633 0xc9, 0x52, 0x68, 0x09, 0xf2, 0x12, 0xef, 0xdd, 0x7c, 0xa6,
2634 },
2635 32, "SHECA CT log 1" },
2636 { (const uint8_t[]){
2637 0x32, 0xdc, 0x59, 0xc2, 0xd4, 0xc4, 0x19, 0x68, 0xd5, 0x6e, 0x14,
2638 0xbc, 0x61, 0xac, 0x8f, 0x0e, 0x45, 0xdb, 0x39, 0xfa, 0xf3, 0xc1,
2639 0x55, 0xaa, 0x42, 0x52, 0xf5, 0x00, 0x1f, 0xa0, 0xc6, 0x23,
2640 },
2641 32, "SHECA CT log 2" },
2642 { (const uint8_t[]){
2643 0x96, 0x06, 0xc0, 0x2c, 0x69, 0x00, 0x33, 0xaa, 0x1d, 0x14, 0x5f,
2644 0x59, 0xc6, 0xe2, 0x64, 0x8d, 0x05, 0x49, 0xf0, 0xdf, 0x96, 0xaa,
2645 0xb8, 0xdb, 0x91, 0x5a, 0x70, 0xd8, 0xec, 0xf3, 0x90, 0xa5,
2646 },
2647 32, "Akamai CT Log" },
2648 { (const uint8_t[]){
2649 0x39, 0x37, 0x6f, 0x54, 0x5f, 0x7b, 0x46, 0x07, 0xf5, 0x97, 0x42,
2650 0xd7, 0x68, 0xcd, 0x5d, 0x24, 0x37, 0xbf, 0x34, 0x73, 0xb6, 0x53,
2651 0x4a, 0x48, 0x34, 0xbc, 0xf7, 0x2e, 0x68, 0x1c, 0x83, 0xc9,
2652 },
2653 32, "Alpha CT Log" },
2654 { (const uint8_t[]){
2655 0xb0, 0xb7, 0x84, 0xbc, 0x81, 0xc0, 0xdd, 0xc4, 0x75, 0x44, 0xe8,
2656 0x83, 0xf0, 0x59, 0x85, 0xbb, 0x90, 0x77, 0xd1, 0x34, 0xd8, 0xab,
2657 0x88, 0xb2, 0xb2, 0xe5, 0x33, 0x98, 0x0b, 0x8e, 0x50, 0x8b,
2658 },
2659 32, "Up In The Air 'Behind the Sofa' log" },
2660 { (const uint8_t[]){
2661 0x47, 0x44, 0x47, 0x7c, 0x75, 0xde, 0x42, 0x6d, 0x5c, 0x44, 0xef,
2662 0xd4, 0xa9, 0x2c, 0x96, 0x77, 0x59, 0x7f, 0x65, 0x7a, 0x8f, 0xe0,
2663 0xca, 0xdb, 0xc6, 0xd6, 0x16, 0xed, 0xa4, 0x97, 0xc4, 0x25,
2664 },
2665 32, "Qihoo 360 2020" },
2666 { (const uint8_t[]){
2667 0xc6, 0xd7, 0xed, 0x9e, 0xdb, 0x8e, 0x74, 0xf0, 0xa7, 0x1b, 0x4d,
2668 0x4a, 0x98, 0x4b, 0xcb, 0xeb, 0xab, 0xbd, 0x28, 0xcc, 0x1f, 0xd7,
2669 0x63, 0x29, 0xe8, 0x87, 0x26, 0xcd, 0x4c, 0x25, 0x46, 0x63,
2670 },
2671 32, "Qihoo 360 2021" },
2672 { (const uint8_t[]){
2673 0x66, 0x3c, 0xb0, 0x9c, 0x1f, 0xcd, 0x9b, 0xaa, 0x62, 0x76, 0x3c,
2674 0xcb, 0x53, 0x4e, 0xec, 0x80, 0x58, 0x12, 0x28, 0x05, 0x07, 0xac,
2675 0x69, 0xa4, 0x5f, 0xcd, 0x38, 0xcf, 0x4c, 0xc7, 0x4c, 0xf1,
2676 },
2677 32, "Qihoo 360 2022" },
2678 { (const uint8_t[]){
2679 0xe2, 0x64, 0x7f, 0x6e, 0xda, 0x34, 0x05, 0x03, 0xc6, 0x4d, 0x4e,
2680 0x10, 0xa8, 0x69, 0x68, 0x1f, 0xde, 0x9c, 0x5a, 0x2c, 0xf3, 0xb3,
2681 0x2d, 0x5f, 0x20, 0x0b, 0x96, 0x36, 0x05, 0x90, 0x88, 0x23,
2682 },
2683 32, "Qihoo 360 2023" },
2684 { (const uint8_t[]){
2685 0xc5, 0xcf, 0xe5, 0x4b, 0x61, 0x51, 0xb4, 0x9b, 0x14, 0x2e, 0xd2,
2686 0x63, 0xbd, 0xe7, 0x32, 0x93, 0x36, 0x37, 0x99, 0x79, 0x95, 0x50,
2687 0xae, 0x44, 0x35, 0xcd, 0x1a, 0x69, 0x97, 0xc9, 0xc3, 0xc3,
2688 },
2689 32, "Qihoo 360 v1 2020" },
2690 { (const uint8_t[]){
2691 0x48, 0x14, 0x58, 0x7c, 0xf2, 0x8b, 0x08, 0xfe, 0x68, 0x3f, 0xd2,
2692 0xbc, 0xd9, 0x45, 0x99, 0x4c, 0x2e, 0xb7, 0x4c, 0x8a, 0xe8, 0xc8,
2693 0x7f, 0xce, 0x42, 0x9b, 0x7c, 0xd3, 0x1d, 0x51, 0xbd, 0xc4,
2694 },
2695 32, "Qihoo 360 v1 2021" },
2696 { (const uint8_t[]){
2697 0x49, 0x11, 0xb8, 0xd6, 0x14, 0xcf, 0xd3, 0xd9, 0x9f, 0x16, 0xd3,
2698 0x76, 0x54, 0x5e, 0xe1, 0xb8, 0xcc, 0xfc, 0x51, 0x1f, 0x50, 0x9f,
2699 0x08, 0x0b, 0xa0, 0xa0, 0x87, 0xd9, 0x1d, 0xfa, 0xee, 0xa9,
2700 },
2701 32, "Qihoo 360 v1 2022" },
2702 { (const uint8_t[]){
2703 0xb6, 0x74, 0x0b, 0x12, 0x00, 0x2e, 0x03, 0x3f, 0xd0, 0xe7, 0xe9,
2704 0x41, 0xf4, 0xba, 0x3e, 0xe1, 0xbf, 0xc1, 0x49, 0xb5, 0x24, 0xb4,
2705 0xcf, 0x62, 0x8d, 0x53, 0xef, 0xea, 0x1f, 0x40, 0x3a, 0x8d,
2706 },
2707 32, "Qihoo 360 v1 2023" },
2708 { (const uint8_t[]){
2709 0x2e, 0xd6, 0xa4, 0x4d, 0xeb, 0x8f, 0x0c, 0x86, 0x46, 0x67, 0x76,
2710 0x9c, 0x4e, 0xdd, 0x04, 0x1f, 0x84, 0x23, 0x67, 0x55, 0xfa, 0x3a,
2711 0xac, 0xa6, 0x34, 0xd0, 0x93, 0x5d, 0xfc, 0xd5, 0x9a, 0x70,
2712 },
2713 32, "Bogus placeholder log to unbreak misbehaving CT libraries" },
2714 { (const uint8_t[]){
2715 0x39, 0xb9, 0x87, 0x88, 0x28, 0x19, 0x5f, 0x3b, 0x2d, 0x0d, 0x1b,
2716 0x48, 0x14, 0xa3, 0xae, 0x8c, 0x0d, 0x01, 0xfe, 0x48, 0x62, 0x21,
2717 0xdd, 0x69, 0x39, 0x7d, 0x76, 0xf7, 0x85, 0x74, 0x11, 0xc3,
2718 },
2719 32, "Merklemap 'CompactLog' log" },
2720 { (const uint8_t[]){
2721 0xd2, 0xfc, 0x65, 0x2f, 0xa5, 0xf9, 0xb7, 0x38, 0xb8, 0x37, 0x55,
2722 0xfa, 0x5e, 0xb1, 0x5f, 0x0b, 0x45, 0x25, 0x3f, 0x4e, 0x8f, 0xa3,
2723 0xb9, 0xb6, 0x4f, 0xd4, 0xde, 0x56, 0x62, 0xd1, 0x87, 0x08,
2724 },
2725 32, "Bogus RFC6962 log to avoid breaking misbehaving CT libraries" },
2726 { NULL((void*)0), 0, NULL((void*)0) }
2727};
2728
2729/*
2730 * Application-Layer Protocol Negotiation (ALPN) dissector tables.
2731 */
2732static dissector_table_t ssl_alpn_dissector_table;
2733static dissector_table_t dtls_alpn_dissector_table;
2734
2735/*
2736 * Special cases for prefix matching of the ALPN, if the ALPN includes
2737 * a version number for a draft or protocol revision.
2738 */
2739typedef struct ssl_alpn_prefix_match_protocol {
2740 const char *proto_prefix;
2741 const char *dissector_name;
2742} ssl_alpn_prefix_match_protocol_t;
2743
2744static const ssl_alpn_prefix_match_protocol_t ssl_alpn_prefix_match_protocols[] = {
2745 /* SPDY moves so fast, just 1, 2 and 3 are registered with IANA but there
2746 * already exists 3.1 as of this writing... match the prefix. */
2747 { "spdy/", "spdy" },
2748 /* draft-ietf-httpbis-http2-16 */
2749 { "h2-", "http2" }, /* draft versions */
2750};
2751
2752const value_string compress_certificate_algorithm_vals[] = {
2753 { 1, "zlib" },
2754 { 2, "brotli" },
2755 { 3, "zstd" },
2756 { 0, NULL((void*)0) }
2757};
2758
2759
2760const val64_string quic_transport_parameter_id[] = {
2761 { SSL_HND_QUIC_TP_ORIGINAL_DESTINATION_CONNECTION_ID0x00, "original_destination_connection_id" },
2762 { SSL_HND_QUIC_TP_MAX_IDLE_TIMEOUT0x01, "max_idle_timeout" },
2763 { SSL_HND_QUIC_TP_STATELESS_RESET_TOKEN0x02, "stateless_reset_token" },
2764 { SSL_HND_QUIC_TP_MAX_UDP_PAYLOAD_SIZE0x03, "max_udp_payload_size" },
2765 { SSL_HND_QUIC_TP_INITIAL_MAX_DATA0x04, "initial_max_data" },
2766 { SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_BIDI_LOCAL0x05, "initial_max_stream_data_bidi_local" },
2767 { SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_BIDI_REMOTE0x06, "initial_max_stream_data_bidi_remote" },
2768 { SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_UNI0x07, "initial_max_stream_data_uni" },
2769 { SSL_HND_QUIC_TP_INITIAL_MAX_STREAMS_UNI0x09, "initial_max_streams_uni" },
2770 { SSL_HND_QUIC_TP_INITIAL_MAX_STREAMS_BIDI0x08, "initial_max_streams_bidi" },
2771 { SSL_HND_QUIC_TP_ACK_DELAY_EXPONENT0x0a, "ack_delay_exponent" },
2772 { SSL_HND_QUIC_TP_MAX_ACK_DELAY0x0b, "max_ack_delay" },
2773 { SSL_HND_QUIC_TP_DISABLE_ACTIVE_MIGRATION0x0c, "disable_active_migration" },
2774 { SSL_HND_QUIC_TP_PREFERRED_ADDRESS0x0d, "preferred_address" },
2775 { SSL_HND_QUIC_TP_ACTIVE_CONNECTION_ID_LIMIT0x0e, "active_connection_id_limit" },
2776 { SSL_HND_QUIC_TP_INITIAL_SOURCE_CONNECTION_ID0x0f, "initial_source_connection_id" },
2777 { SSL_HND_QUIC_TP_RETRY_SOURCE_CONNECTION_ID0x10, "retry_source_connection_id" },
2778 { SSL_HND_QUIC_TP_MAX_DATAGRAM_FRAME_SIZE0x20, "max_datagram_frame_size" },
2779 { SSL_HND_QUIC_TP_CIBIR_ENCODING0x1000, "cibir_encoding" },
2780 { SSL_HND_QUIC_TP_LOSS_BITS0x1057, "loss_bits" },
2781 { SSL_HND_QUIC_TP_GREASE_QUIC_BIT0x2ab2, "grease_quic_bit" },
2782 { SSL_HND_QUIC_TP_ENABLE_TIME_STAMP0x7157, "enable_time_stamp" },
2783 { SSL_HND_QUIC_TP_ENABLE_TIME_STAMP_V20x7158, "enable_time_stamp_v2" },
2784 { SSL_HND_QUIC_TP_VERSION_INFORMATION0x11, "version_information" },
2785 { SSL_HND_QUIC_TP_VERSION_INFORMATION_DRAFT0xff73db, "version_information_draft" },
2786 { SSL_HND_QUIC_TP_MIN_ACK_DELAY_OLD0xde1a, "min_ack_delay" },
2787 { SSL_HND_QUIC_TP_GOOGLE_USER_AGENT0x3129, "google_user_agent" },
2788 { SSL_HND_QUIC_TP_GOOGLE_KEY_UPDATE_NOT_YET_SUPPORTED0x312B, "google_key_update_not_yet_supported" },
2789 { SSL_HND_QUIC_TP_GOOGLE_QUIC_VERSION0x4752, "google_quic_version" },
2790 { SSL_HND_QUIC_TP_GOOGLE_INITIAL_RTT0x3127, "google_initial_rtt" },
2791 { SSL_HND_QUIC_TP_GOOGLE_SUPPORT_HANDSHAKE_DONE0x312A, "google_support_handshake_done" },
2792 { SSL_HND_QUIC_TP_GOOGLE_QUIC_PARAMS0x4751, "google_quic_params" },
2793 { SSL_HND_QUIC_TP_GOOGLE_CONNECTION_OPTIONS0x3128, "google_connection_options" },
2794 { SSL_HND_QUIC_TP_FACEBOOK_PARTIAL_RELIABILITY0xFF00, "facebook_partial_reliability" },
2795 { SSL_HND_QUIC_TP_ADDRESS_DISCOVERY0x9f81a176, "address_discovery" },
2796 { SSL_HND_QUIC_TP_MIN_ACK_DELAY_DRAFT_V10xFF03DE1A, "min_ack_delay (draft-01)" },
2797 { SSL_HND_QUIC_TP_MIN_ACK_DELAY_DRAFT050xff04de1a, "min_ack_delay (draft-05)" },
2798 { SSL_HND_QUIC_TP_MIN_ACK_DELAY0xff04de1b, "min_ack_delay" },
2799 { SSL_HND_QUIC_TP_ENABLE_MULTIPATH_DRAFT040x0f739bbc1b666d04, "enable_multipath (draft-04)" },
2800 { SSL_HND_QUIC_TP_ENABLE_MULTIPATH_DRAFT050x0f739bbc1b666d05, "enable_multipath (draft-05)" },
2801 { SSL_HND_QUIC_TP_ENABLE_MULTIPATH0x0f739bbc1b666d06, "enable_multipath (draft-06)" },
2802 { SSL_HND_QUIC_TP_INITIAL_MAX_PATHS0x0f739bbc1b666d07, "initial_max_paths (draft-07/08)" },
2803 { SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT090x0f739bbc1b666d09, "initial_max_path_id (draft-09/10)" },
2804 { SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT110x0f739bbc1b666d11, "initial_max_path_id (draft-11)" },
2805 { SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT120x0f739bbc1b666d0c, "initial_max_path_id (draft-12)" },
2806 { SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT130x0f739bbc1b666d0d, "initial_max_path_id (draft-13)" },
2807 { SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID0x3e, "initial_max_path_id" },
2808 { 0, NULL((void*)0) }
2809};
2810
2811/* https://tools.ietf.org/html/draft-ietf-quic-address-discovery-00 */
2812const val64_string quic_address_discovery_vals[] = {
2813 { 0, "The node is willing to provide address observations to its peer, but is not interested in receiving address observations itself" },
2814 { 1, "The node is interested in receiving address observations, but it is not willing to provide address observations" },
2815 { 2, "The node is interested in receiving address observations, and it is willing to provide address observations" },
2816 { 0, NULL((void*)0) }
2817};
2818
2819/* https://tools.ietf.org/html/draft-huitema-quic-ts-03 */
2820const val64_string quic_enable_time_stamp_v2_vals[] = {
2821 { 1, "I would like to receive TIME_STAMP frames" },
2822 { 2, "I am able to generate TIME_STAMP frames" },
2823 { 3, "I am able to generate TIME_STAMP frames and I would like to receive them" },
2824 { 0, NULL((void*)0) }
2825};
2826
2827/* https://datatracker.ietf.org/doc/draft-ietf-quic-multipath/04/ */
2828const val64_string quic_enable_multipath_vals[] = {
2829 { 0, "don't support multipath" },
2830 { 1, "support multipath as defined in this document" },
2831 { 0, NULL((void*)0) }
2832};
2833
2834/* https://www.ietf.org/archive/id/draft-ietf-tls-esni-16.txt */
2835const value_string tls_hello_ext_ech_clienthello_types[] = {
2836 { 0, "Outer Client Hello" },
2837 { 1, "Inner Client Hello" },
2838 { 0, NULL((void*)0) }
2839};
2840
2841/* RFC 9180 */
2842const value_string kem_id_type_vals[] = {
2843 { 0x0000, "Reserved" },
2844 { 0x0010, "DHKEM(P-256, HKDF-SHA256)" },
2845 { 0x0011, "DHKEM(P-384, HKDF-SHA384)" },
2846 { 0x0012, "DHKEM(P-521, HKDF-SHA512)" },
2847 { 0x0020, "DHKEM(X25519, HKDF-SHA256)" },
2848 { 0x0021, "DHKEM(X448, HKDF-SHA512)" },
2849 { 0, NULL((void*)0) }
2850};
2851const value_string kdf_id_type_vals[] = {
2852 { 0x0000, "Reserved" },
2853 { 0x0001, "HKDF-SHA256" },
2854 { 0x0002, "HKDF-SHA384" },
2855 { 0x0003, "HKDF-SHA512" },
2856 { 0, NULL((void*)0) }
2857};
2858const value_string aead_id_type_vals[] = {
2859 { 0x0000, "Reserved" },
2860 { 0x0001, "AES-128-GCM" },
2861 { 0x0002, "AES-256-GCM" },
2862 { 0x0003, "ChaCha20Poly1305" },
2863 { 0xFFFF, "Export-only" },
2864 { 0, NULL((void*)0) }
2865};
2866
2867const value_string token_binding_key_parameter_vals[] = {
2868 { 0, "rsa2048_pkcs1.5" },
2869 { 1, "rsa2048_pss" },
2870 { 2, "ecdsap256" },
2871 { 0, NULL((void*)0) }
2872};
2873
2874/* Lookup tables }}} */
2875
2876void
2877quic_transport_parameter_id_base_custom(char *result, uint64_t parameter_id)
2878{
2879 const char *label;
2880 if (IS_GREASE_QUIC(parameter_id)((parameter_id) > 27 ? ((((parameter_id) - 27) % 31) == 0)
: 0)) {
2881 label = "GREASE";
2882 } else {
2883 label = val64_to_str_const(parameter_id, quic_transport_parameter_id, "Unknown");
2884 }
2885 snprintf(result, ITEM_LABEL_LENGTH240, "%s (0x%02" PRIx64"l" "x" ")", label, parameter_id);
2886}
2887
2888/* we keep this internal to packet-tls-utils, as there should be
2889 no need to access it any other way.
2890
2891 This also allows us to hide the dependency on zlib.
2892*/
2893struct _SslDecompress {
2894 int compression;
2895#ifdef USE_ZLIB_OR_ZLIBNG
2896 zlib_stream istream;
2897#endif
2898};
2899
2900/* To assist in parsing client/server key exchange messages
2901 0 indicates unknown */
2902int ssl_get_keyex_alg(int cipher)
2903{
2904 /* Map Cipher suite number to Key Exchange algorithm {{{ */
2905 switch(cipher) {
2906 case 0x0017:
2907 case 0x0018:
2908 case 0x0019:
2909 case 0x001a:
2910 case 0x001b:
2911 case 0x0034:
2912 case 0x003a:
2913 case 0x0046:
2914 case 0x006c:
2915 case 0x006d:
2916 case 0x0089:
2917 case 0x009b:
2918 case 0x00a6:
2919 case 0x00a7:
2920 case 0x00bf:
2921 case 0x00c5:
2922 case 0xc084:
2923 case 0xc085:
2924 return KEX_DH_ANON0x13;
2925 case 0x000b:
2926 case 0x000c:
2927 case 0x000d:
2928 case 0x0030:
2929 case 0x0036:
2930 case 0x003e:
2931 case 0x0042:
2932 case 0x0068:
2933 case 0x0085:
2934 case 0x0097:
2935 case 0x00a4:
2936 case 0x00a5:
2937 case 0x00bb:
2938 case 0x00c1:
2939 case 0xc082:
2940 case 0xc083:
2941 return KEX_DH_DSS0x14;
2942 case 0x000e:
2943 case 0x000f:
2944 case 0x0010:
2945 case 0x0031:
2946 case 0x0037:
2947 case 0x003f:
2948 case 0x0043:
2949 case 0x0069:
2950 case 0x0086:
2951 case 0x0098:
2952 case 0x00a0:
2953 case 0x00a1:
2954 case 0x00bc:
2955 case 0x00c2:
2956 case 0xc07e:
2957 case 0xc07f:
2958 return KEX_DH_RSA0x15;
2959 case 0x0011:
2960 case 0x0012:
2961 case 0x0013:
2962 case 0x0032:
2963 case 0x0038:
2964 case 0x0040:
2965 case 0x0044:
2966 case 0x0063:
2967 case 0x0065:
2968 case 0x0066:
2969 case 0x006a:
2970 case 0x0087:
2971 case 0x0099:
2972 case 0x00a2:
2973 case 0x00a3:
2974 case 0x00bd:
2975 case 0x00c3:
2976 case 0xc080:
2977 case 0xc081:
2978 return KEX_DHE_DSS0x10;
2979 case 0x002d:
2980 case 0x008e:
2981 case 0x008f:
2982 case 0x0090:
2983 case 0x0091:
2984 case 0x00aa:
2985 case 0x00ab:
2986 case 0x00b2:
2987 case 0x00b3:
2988 case 0x00b4:
2989 case 0x00b5:
2990 case 0xc090:
2991 case 0xc091:
2992 case 0xc096:
2993 case 0xc097:
2994 case 0xc0a6:
2995 case 0xc0a7:
2996 case 0xc0aa:
2997 case 0xc0ab:
2998 case 0xccad:
2999 case 0xe41c:
3000 case 0xe41d:
3001 return KEX_DHE_PSK0x11;
3002 case 0x0014:
3003 case 0x0015:
3004 case 0x0016:
3005 case 0x0033:
3006 case 0x0039:
3007 case 0x0045:
3008 case 0x0067:
3009 case 0x006b:
3010 case 0x0088:
3011 case 0x009a:
3012 case 0x009e:
3013 case 0x009f:
3014 case 0x00be:
3015 case 0x00c4:
3016 case 0xc07c:
3017 case 0xc07d:
3018 case 0xc09e:
3019 case 0xc09f:
3020 case 0xc0a2:
3021 case 0xc0a3:
3022 case 0xccaa:
3023 case 0xe41e:
3024 case 0xe41f:
3025 return KEX_DHE_RSA0x12;
3026 case 0xc015:
3027 case 0xc016:
3028 case 0xc017:
3029 case 0xc018:
3030 case 0xc019:
3031 return KEX_ECDH_ANON0x19;
3032 case 0xc001:
3033 case 0xc002:
3034 case 0xc003:
3035 case 0xc004:
3036 case 0xc005:
3037 case 0xc025:
3038 case 0xc026:
3039 case 0xc02d:
3040 case 0xc02e:
3041 case 0xc074:
3042 case 0xc075:
3043 case 0xc088:
3044 case 0xc089:
3045 return KEX_ECDH_ECDSA0x1a;
3046 case 0xc00b:
3047 case 0xc00c:
3048 case 0xc00d:
3049 case 0xc00e:
3050 case 0xc00f:
3051 case 0xc029:
3052 case 0xc02a:
3053 case 0xc031:
3054 case 0xc032:
3055 case 0xc078:
3056 case 0xc079:
3057 case 0xc08c:
3058 case 0xc08d:
3059 return KEX_ECDH_RSA0x1b;
3060 case 0xc006:
3061 case 0xc007:
3062 case 0xc008:
3063 case 0xc009:
3064 case 0xc00a:
3065 case 0xc023:
3066 case 0xc024:
3067 case 0xc02b:
3068 case 0xc02c:
3069 case 0xc072:
3070 case 0xc073:
3071 case 0xc086:
3072 case 0xc087:
3073 case 0xc0ac:
3074 case 0xc0ad:
3075 case 0xc0ae:
3076 case 0xc0af:
3077 case 0xcca9:
3078 case 0xe414:
3079 case 0xe415:
3080 return KEX_ECDHE_ECDSA0x16;
3081 case 0xc033:
3082 case 0xc034:
3083 case 0xc035:
3084 case 0xc036:
3085 case 0xc037:
3086 case 0xc038:
3087 case 0xc039:
3088 case 0xc03a:
3089 case 0xc03b:
3090 case 0xc09a:
3091 case 0xc09b:
3092 case 0xccac:
3093 case 0xe418:
3094 case 0xe419:
3095 case 0xd001:
3096 case 0xd002:
3097 case 0xd003:
3098 case 0xd005:
3099 return KEX_ECDHE_PSK0x17;
3100 case 0xc010:
3101 case 0xc011:
3102 case 0xc012:
3103 case 0xc013:
3104 case 0xc014:
3105 case 0xc027:
3106 case 0xc028:
3107 case 0xc02f:
3108 case 0xc030:
3109 case 0xc076:
3110 case 0xc077:
3111 case 0xc08a:
3112 case 0xc08b:
3113 case 0xcca8:
3114 case 0xe412:
3115 case 0xe413:
3116 return KEX_ECDHE_RSA0x18;
3117 case 0x001e:
3118 case 0x001f:
3119 case 0x0020:
3120 case 0x0021:
3121 case 0x0022:
3122 case 0x0023:
3123 case 0x0024:
3124 case 0x0025:
3125 case 0x0026:
3126 case 0x0027:
3127 case 0x0028:
3128 case 0x0029:
3129 case 0x002a:
3130 case 0x002b:
3131 return KEX_KRB50x1c;
3132 case 0x002c:
3133 case 0x008a:
3134 case 0x008b:
3135 case 0x008c:
3136 case 0x008d:
3137 case 0x00a8:
3138 case 0x00a9:
3139 case 0x00ae:
3140 case 0x00af:
3141 case 0x00b0:
3142 case 0x00b1:
3143 case 0xc064:
3144 case 0xc065:
3145 case 0xc08e:
3146 case 0xc08f:
3147 case 0xc094:
3148 case 0xc095:
3149 case 0xc0a4:
3150 case 0xc0a5:
3151 case 0xc0a8:
3152 case 0xc0a9:
3153 case 0xccab:
3154 case 0xe416:
3155 case 0xe417:
3156 return KEX_PSK0x1d;
3157 case 0x0001:
3158 case 0x0002:
3159 case 0x0003:
3160 case 0x0004:
3161 case 0x0005:
3162 case 0x0006:
3163 case 0x0007:
3164 case 0x0008:
3165 case 0x0009:
3166 case 0x000a:
3167 case 0x002f:
3168 case 0x0035:
3169 case 0x003b:
3170 case 0x003c:
3171 case 0x003d:
3172 case 0x0041:
3173 case 0x0060:
3174 case 0x0061:
3175 case 0x0062:
3176 case 0x0064:
3177 case 0x0084:
3178 case 0x0096:
3179 case 0x009c:
3180 case 0x009d:
3181 case 0x00ba:
3182 case 0x00c0:
3183 case 0xc07a:
3184 case 0xc07b:
3185 case 0xc09c:
3186 case 0xc09d:
3187 case 0xc0a0:
3188 case 0xc0a1:
3189 case 0xe410:
3190 case 0xe411:
3191 case 0xfefe:
3192 case 0xfeff:
3193 case 0xffe0:
3194 case 0xffe1:
3195 return KEX_RSA0x1e;
3196 case 0x002e:
3197 case 0x0092:
3198 case 0x0093:
3199 case 0x0094:
3200 case 0x0095:
3201 case 0x00ac:
3202 case 0x00ad:
3203 case 0x00b6:
3204 case 0x00b7:
3205 case 0x00b8:
3206 case 0x00b9:
3207 case 0xc092:
3208 case 0xc093:
3209 case 0xc098:
3210 case 0xc099:
3211 case 0xccae:
3212 case 0xe41a:
3213 case 0xe41b:
3214 return KEX_RSA_PSK0x1f;
3215 case 0xc01a:
3216 case 0xc01d:
3217 case 0xc020:
3218 return KEX_SRP_SHA0x20;
3219 case 0xc01c:
3220 case 0xc01f:
3221 case 0xc022:
3222 return KEX_SRP_SHA_DSS0x21;
3223 case 0xc01b:
3224 case 0xc01e:
3225 case 0xc021:
3226 return KEX_SRP_SHA_RSA0x22;
3227 case 0xc0ff:
3228 return KEX_ECJPAKE0x24;
3229 case 0xe003:
3230 case 0xe013:
3231 case 0xe053:
3232 return KEX_ECC_SM20x26;
3233 default:
3234 break;
3235 }
3236
3237 return 0;
3238 /* }}} */
3239}
3240
3241static wmem_list_t *connection_id_session_list;
3242
3243void
3244ssl_init_cid_list(void) {
3245 connection_id_session_list = wmem_list_new(wmem_file_scope());
3246}
3247
3248void
3249ssl_cleanup_cid_list(void) {
3250 wmem_destroy_list(connection_id_session_list);
3251}
3252
3253void
3254ssl_add_session_by_cid(SslDecryptSession *session)
3255{
3256 wmem_list_append(connection_id_session_list, session);
3257}
3258
3259SslDecryptSession *
3260ssl_get_session_by_cid(tvbuff_t *tvb, uint32_t offset)
3261{
3262 SslDecryptSession * ssl_cid = NULL((void*)0);
3263 wmem_list_frame_t *it = wmem_list_head(connection_id_session_list);
3264
3265 while (it != NULL((void*)0) && ssl_cid == NULL((void*)0)) {
3266 SslDecryptSession * ssl = (SslDecryptSession *)wmem_list_frame_data(it);
3267 DISSECTOR_ASSERT(ssl != NULL)((void) ((ssl != ((void*)0)) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 3267, "ssl != ((void*)0)"))));
3268 SslSession *session = &ssl->session;
3269
3270 if (session->client_cid_len > 0 && tvb_bytes_exist(tvb, offset, session->client_cid_len)) {
3271 if (tvb_memeql(tvb, offset, session->client_cid, session->client_cid_len) == 0) {
3272 ssl_cid = ssl;
3273 }
3274 }
3275
3276 if (session->server_cid_len > 0) {
3277 if (tvb_memeql(tvb, offset, session->server_cid, session->server_cid_len) == 0) {
3278 ssl_cid = ssl;
3279 }
3280 }
3281
3282 it = wmem_list_frame_next(it);
3283 }
3284
3285 return ssl_cid;
3286}
3287
3288/* StringInfo structure (len + data) functions {{{ */
3289
3290int
3291ssl_data_alloc(StringInfo* str, size_t len)
3292{
3293 str->data = (unsigned char *)g_malloc(len);
22
Memory is allocated
3294 /* the allocator can return a null pointer for a size equal to 0,
3295 * and that must be allowed */
3296 if (len
22.1
'len' is > 0
 > 0 && !str->data)
23
Assuming field 'data' is non-null
24
Taking false branch
3297 return -1;
3298 str->data_len = (unsigned) len;
3299 return 0;
3300}
3301
3302void
3303ssl_data_set(StringInfo* str, const unsigned char* data, unsigned len)
3304{
3305 DISSECTOR_ASSERT(data)((void) ((data) ? (void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\""
, "epan/dissectors/packet-tls-utils.c", 3305, "data"))));
3306 memcpy(str->data, data, len);
3307 str->data_len = len;
3308}
3309
3310static int
3311ssl_data_realloc(StringInfo* str, unsigned len)
3312{
3313 str->data = (unsigned char *)g_realloc(str->data, len);
3314 if (!str->data)
3315 return -1;
3316 str->data_len = len;
3317 return 0;
3318}
3319
3320static StringInfo *
3321ssl_data_clone(StringInfo *str)
3322{
3323 StringInfo *cloned_str;
3324 cloned_str = (StringInfo *) wmem_alloc0(wmem_file_scope(),
3325 sizeof(StringInfo) + str->data_len);
3326 cloned_str->data = (unsigned char *) (cloned_str + 1);
3327 ssl_data_set(cloned_str, str->data, str->data_len);
3328 return cloned_str;
3329}
3330
3331static int
3332ssl_data_copy(StringInfo* dst, StringInfo* src)
3333{
3334 if (dst->data_len < src->data_len) {
3335 if (ssl_data_realloc(dst, src->data_len))
3336 return -1;
3337 }
3338 memcpy(dst->data, src->data, src->data_len);
3339 dst->data_len = src->data_len;
3340 return 0;
3341}
3342
3343/* from_hex converts |hex_len| bytes of hex data from |in| and sets |*out| to
3344 * the result. |out->data| will be allocated using wmem_file_scope. Returns true on
3345 * success. */
3346static bool_Bool from_hex(StringInfo* out, const char* in, size_t hex_len) {
3347 size_t i;
3348
3349 if (hex_len & 1)
3350 return false0;
3351
3352 out->data = (unsigned char *)wmem_alloc(wmem_file_scope(), hex_len / 2);
3353 for (i = 0; i < hex_len / 2; i++) {
3354 int a = ws_xton(in[i*2]);
3355 int b = ws_xton(in[i*2 + 1]);
3356 if (a == -1 || b == -1)
3357 return false0;
3358 out->data[i] = a << 4 | b;
3359 }
3360 out->data_len = (unsigned)hex_len / 2;
3361 return true1;
3362}
3363/* StringInfo structure (len + data) functions }}} */
3364
3365
3366/* libgcrypt wrappers for HMAC/message digest operations {{{ */
3367/* hmac abstraction layer */
3368#define SSL_HMACgcry_md_hd_t gcry_md_hd_t
3369
3370static inline int
3371ssl_hmac_init(SSL_HMACgcry_md_hd_t* md, int algo)
3372{
3373 gcry_error_t err;
3374 const char *err_str, *err_src;
3375
3376 err = gcry_md_open(md,algo, GCRY_MD_FLAG_HMAC);
3377 if (err != 0) {
3378 err_str = gcry_strerror(err);
3379 err_src = gcry_strsource(err);
3380 ssl_debug_printf("ssl_hmac_init(): gcry_md_open failed %s/%s", err_str, err_src);
3381 return -1;
3382 }
3383 return 0;
3384}
3385
3386static inline int
3387ssl_hmac_setkey(SSL_HMACgcry_md_hd_t* md, const void * key, int len)
3388{
3389 gcry_error_t err;
3390 const char *err_str, *err_src;
3391
3392 err = gcry_md_setkey (*(md), key, len);
3393 if (err != 0) {
3394 err_str = gcry_strerror(err);
3395 err_src = gcry_strsource(err);
3396 ssl_debug_printf("ssl_hmac_setkey(): gcry_md_setkey failed %s/%s", err_str, err_src);
3397 return -1;
3398 }
3399 return 0;
3400}
3401
3402static inline int
3403ssl_hmac_reset(SSL_HMACgcry_md_hd_t* md)
3404{
3405 gcry_md_reset(*md);
3406 return 0;
3407}
3408
3409static inline void
3410ssl_hmac_update(SSL_HMACgcry_md_hd_t* md, const void* data, int len)
3411{
3412 gcry_md_write(*(md), data, len);
3413}
3414static inline void
3415ssl_hmac_final(SSL_HMACgcry_md_hd_t* md, unsigned char* data, unsigned* datalen)
3416{
3417 int algo;
3418 unsigned len;
3419
3420 algo = gcry_md_get_algo (*(md));
3421 len = gcry_md_get_algo_dlen(algo);
3422 DISSECTOR_ASSERT(len <= *datalen)((void) ((len <= *datalen) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 3422, "len <= *datalen"))));
3423 memcpy(data, gcry_md_read(*(md), algo), len);
3424 *datalen = len;
3425}
3426static inline void
3427ssl_hmac_cleanup(SSL_HMACgcry_md_hd_t* md)
3428{
3429 gcry_md_close(*(md));
3430}
3431
3432/* message digest abstraction layer*/
3433#define SSL_MDgcry_md_hd_t gcry_md_hd_t
3434
3435static inline int
3436ssl_md_init(SSL_MDgcry_md_hd_t* md, int algo)
3437{
3438 gcry_error_t err;
3439 const char *err_str, *err_src;
3440 err = gcry_md_open(md,algo, 0);
3441 if (err != 0) {
3442 err_str = gcry_strerror(err);
3443 err_src = gcry_strsource(err);
3444 ssl_debug_printf("ssl_md_init(): gcry_md_open failed %s/%s", err_str, err_src);
3445 return -1;
3446 }
3447 return 0;
3448}
3449static inline void
3450ssl_md_update(SSL_MDgcry_md_hd_t* md, const unsigned char* data, int len)
3451{
3452 gcry_md_write(*(md), data, len);
3453}
3454static inline void
3455ssl_md_final(SSL_MDgcry_md_hd_t* md, unsigned char* data, unsigned* datalen)
3456{
3457 int algo;
3458 int len;
3459 algo = gcry_md_get_algo (*(md));
3460 len = gcry_md_get_algo_dlen (algo);
3461 memcpy(data, gcry_md_read(*(md), algo), len);
3462 *datalen = len;
3463}
3464static inline void
3465ssl_md_cleanup(SSL_MDgcry_md_hd_t* md)
3466{
3467 gcry_md_close(*(md));
3468}
3469
3470static inline void
3471ssl_md_reset(SSL_MDgcry_md_hd_t* md)
3472{
3473 gcry_md_reset(*md);
3474}
3475
3476/* md5 /sha abstraction layer */
3477#define SSL_SHA_CTXgcry_md_hd_t gcry_md_hd_t
3478#define SSL_MD5_CTXgcry_md_hd_t gcry_md_hd_t
3479
3480static inline int
3481ssl_sha_init(SSL_SHA_CTXgcry_md_hd_t* md)
3482{
3483 gcry_error_t err;
3484 const char *err_str, *err_src;
3485 err = gcry_md_open(md, GCRY_MD_SHA1, 0);
3486 if (err != 0) {
3487 err_str = gcry_strerror(err);
3488 err_src = gcry_strsource(err);
3489 ssl_debug_printf("ssl_sha_init(): gcry_md_open failed %s/%s", err_str, err_src);
3490 return -1;
3491 }
3492 return 0;
3493}
3494static inline void
3495ssl_sha_update(SSL_SHA_CTXgcry_md_hd_t* md, unsigned char* data, int len)
3496{
3497 gcry_md_write(*(md), data, len);
3498}
3499static inline void
3500ssl_sha_final(unsigned char* buf, SSL_SHA_CTXgcry_md_hd_t* md)
3501{
3502 memcpy(buf, gcry_md_read(*(md), GCRY_MD_SHA1),
3503 gcry_md_get_algo_dlen(GCRY_MD_SHA1));
3504}
3505
3506static inline void
3507ssl_sha_reset(SSL_SHA_CTXgcry_md_hd_t* md)
3508{
3509 gcry_md_reset(*md);
3510}
3511
3512static inline void
3513ssl_sha_cleanup(SSL_SHA_CTXgcry_md_hd_t* md)
3514{
3515 gcry_md_close(*(md));
3516}
3517
3518static inline int
3519ssl_md5_init(SSL_MD5_CTXgcry_md_hd_t* md)
3520{
3521 gcry_error_t err;
3522 const char *err_str, *err_src;
3523 err = gcry_md_open(md,GCRY_MD_MD5, 0);
3524 if (err != 0) {
3525 err_str = gcry_strerror(err);
3526 err_src = gcry_strsource(err);
3527 ssl_debug_printf("ssl_md5_init(): gcry_md_open failed %s/%s", err_str, err_src);
3528 return -1;
3529 }
3530 return 0;
3531}
3532static inline void
3533ssl_md5_update(SSL_MD5_CTXgcry_md_hd_t* md, unsigned char* data, int len)
3534{
3535 gcry_md_write(*(md), data, len);
3536}
3537static inline void
3538ssl_md5_final(unsigned char* buf, SSL_MD5_CTXgcry_md_hd_t* md)
3539{
3540 memcpy(buf, gcry_md_read(*(md), GCRY_MD_MD5),
3541 gcry_md_get_algo_dlen(GCRY_MD_MD5));
3542}
3543
3544static inline void
3545ssl_md5_reset(SSL_MD5_CTXgcry_md_hd_t* md)
3546{
3547 gcry_md_reset(*md);
3548}
3549
3550static inline void
3551ssl_md5_cleanup(SSL_MD5_CTXgcry_md_hd_t* md)
3552{
3553 gcry_md_close(*(md));
3554}
3555/* libgcrypt wrappers for HMAC/message digest operations }}} */
3556
3557/* libgcrypt wrappers for Cipher state manipulation {{{ */
3558int
3559ssl_cipher_setiv(SSL_CIPHER_CTXgcry_cipher_hd_t *cipher, unsigned char* iv, int iv_len)
3560{
3561 int ret;
3562#if 0
3563 unsigned char *ivp;
3564 int i;
3565 gcry_cipher_hd_t c;
3566 c=(gcry_cipher_hd_t)*cipher;
3567#endif
3568 ssl_debug_printf("--------------------------------------------------------------------");
3569#if 0
3570 for(ivp=c->iv,i=0; i < iv_len; i++ )
3571 {
3572 ssl_debug_printf("%d ",ivp[i]);
3573 i++;
3574 }
3575#endif
3576 ssl_debug_printf("--------------------------------------------------------------------");
3577 ret = gcry_cipher_setiv(*(cipher), iv, iv_len);
3578#if 0
3579 for(ivp=c->iv,i=0; i < iv_len; i++ )
3580 {
3581 ssl_debug_printf("%d ",ivp[i]);
3582 i++;
3583 }
3584#endif
3585 ssl_debug_printf("--------------------------------------------------------------------");
3586 return ret;
3587}
3588/* stream cipher abstraction layer*/
3589static int
3590ssl_cipher_init(gcry_cipher_hd_t *cipher, int algo, unsigned char* sk,
3591 unsigned char* iv, int mode)
3592{
3593 int gcry_modes[] = {
3594 GCRY_CIPHER_MODE_STREAM,
3595 GCRY_CIPHER_MODE_CBC,
3596 GCRY_CIPHER_MODE_GCM,
3597 GCRY_CIPHER_MODE_CCM,
3598 GCRY_CIPHER_MODE_CCM,
3599 GCRY_CIPHER_MODE_POLY1305,
3600 GCRY_CIPHER_MODE_ECB, /* used for DTLSv1.3 seq number encryption */
3601 };
3602 int err;
3603 if (algo == -1) {
3604 /* NULL mode */
3605 *(cipher) = (gcry_cipher_hd_t)-1;
3606 return 0;
3607 }
3608 err = gcry_cipher_open(cipher, algo, gcry_modes[mode], 0);
3609 if (err !=0)
3610 return -1;
3611 err = gcry_cipher_setkey(*(cipher), sk, gcry_cipher_get_algo_keylen (algo));
3612 if (err != 0)
3613 return -1;
3614 /* AEAD cipher suites will set the nonce later. */
3615 if (mode == MODE_CBC) {
3616 err = gcry_cipher_setiv(*(cipher), iv, gcry_cipher_get_algo_blklen(algo));
3617 if (err != 0)
3618 return -1;
3619 }
3620 return 0;
3621}
3622static inline int
3623ssl_cipher_decrypt(gcry_cipher_hd_t *cipher, unsigned char * out, int outl,
3624 const unsigned char * in, int inl)
3625{
3626 if ((*cipher) == (gcry_cipher_hd_t)-1)
3627 {
3628 if (in && inl)
3629 memcpy(out, in, outl < inl ? outl : inl);
3630 return 0;
3631 }
3632 return gcry_cipher_decrypt ( *(cipher), out, outl, in, inl);
3633}
3634static inline int
3635ssl_get_digest_by_name(const char*name)
3636{
3637 return gcry_md_map_name(name);
3638}
3639static inline int
3640ssl_get_cipher_by_name(const char* name)
3641{
3642 return gcry_cipher_map_name(name);
3643}
3644
3645static inline void
3646ssl_cipher_cleanup(gcry_cipher_hd_t *cipher)
3647{
3648 if ((*cipher) != (gcry_cipher_hd_t)-1)
3649 gcry_cipher_close(*cipher);
3650 *cipher = NULL((void*)0);
3651}
3652/* }}} */
3653
3654/* Digests, Ciphers and Cipher Suites registry {{{ */
3655static const SslDigestAlgo digests[]={
3656 {"MD5", 16},
3657 {"SHA1", 20},
3658 {"SHA256", 32},
3659 {"SHA384", 48},
3660 {"SM3", 32},
3661 {"Not Applicable", 0},
3662};
3663
3664#define DIGEST_MAX_SIZE48 48
3665
3666/* get index digest index */
3667static const SslDigestAlgo *
3668ssl_cipher_suite_dig(const SslCipherSuite *cs) {
3669 if (!cs || cs->dig < DIG_MD50x40 || cs->dig > DIG_NA0x45) {
3670 return &digests[DIG_NA0x45 - DIG_MD50x40];
3671 }
3672 return &digests[cs->dig - DIG_MD50x40];
3673}
3674
3675static const char *ciphers[]={
3676 "DES",
3677 "3DES",
3678 "ARCFOUR", /* libgcrypt does not support rc4, but this should be 100% compatible*/
3679 "RFC2268_128", /* libgcrypt name for RC2 with a 128-bit key */
3680 "IDEA",
3681 "AES",
3682 "AES256",
3683 "CAMELLIA128",
3684 "CAMELLIA256",
3685 "SEED",
3686 "CHACHA20", /* since Libgcrypt 1.7.0 */
3687 "SM1",
3688 "SM4",
3689 "*UNKNOWN*"
3690};
3691
3692static const SslCipherSuite cipher_suites[]={
3693 {0x0001,KEX_RSA0x1e, ENC_NULL0x3D, DIG_MD50x40, MODE_STREAM}, /* TLS_RSA_WITH_NULL_MD5 */
3694 {0x0002,KEX_RSA0x1e, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_RSA_WITH_NULL_SHA */
3695 {0x0003,KEX_RSA0x1e, ENC_RC40x32, DIG_MD50x40, MODE_STREAM}, /* TLS_RSA_EXPORT_WITH_RC4_40_MD5 */
3696 {0x0004,KEX_RSA0x1e, ENC_RC40x32, DIG_MD50x40, MODE_STREAM}, /* TLS_RSA_WITH_RC4_128_MD5 */
3697 {0x0005,KEX_RSA0x1e, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_RSA_WITH_RC4_128_SHA */
3698 {0x0006,KEX_RSA0x1e, ENC_RC20x33, DIG_MD50x40, MODE_CBC }, /* TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 */
3699 {0x0007,KEX_RSA0x1e, ENC_IDEA0x34, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_IDEA_CBC_SHA */
3700 {0x0008,KEX_RSA0x1e, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_EXPORT_WITH_DES40_CBC_SHA */
3701 {0x0009,KEX_RSA0x1e, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_DES_CBC_SHA */
3702 {0x000A,KEX_RSA0x1e, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_3DES_EDE_CBC_SHA */
3703 {0x000B,KEX_DH_DSS0x14, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA */
3704 {0x000C,KEX_DH_DSS0x14, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_DES_CBC_SHA */
3705 {0x000D,KEX_DH_DSS0x14, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA */
3706 {0x000E,KEX_DH_RSA0x15, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA */
3707 {0x000F,KEX_DH_RSA0x15, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_DES_CBC_SHA */
3708 {0x0010,KEX_DH_RSA0x15, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA */
3709 {0x0011,KEX_DHE_DSS0x10, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA */
3710 {0x0012,KEX_DHE_DSS0x10, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_DES_CBC_SHA */
3711 {0x0013,KEX_DHE_DSS0x10, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA */
3712 {0x0014,KEX_DHE_RSA0x12, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA */
3713 {0x0015,KEX_DHE_RSA0x12, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_DES_CBC_SHA */
3714 {0x0016,KEX_DHE_RSA0x12, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA */
3715 {0x0017,KEX_DH_ANON0x13, ENC_RC40x32, DIG_MD50x40, MODE_STREAM}, /* TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 */
3716 {0x0018,KEX_DH_ANON0x13, ENC_RC40x32, DIG_MD50x40, MODE_STREAM}, /* TLS_DH_anon_WITH_RC4_128_MD5 */
3717 {0x0019,KEX_DH_ANON0x13, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA */
3718 {0x001A,KEX_DH_ANON0x13, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_DES_CBC_SHA */
3719 {0x001B,KEX_DH_ANON0x13, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_3DES_EDE_CBC_SHA */
3720 {0x002C,KEX_PSK0x1d, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_PSK_WITH_NULL_SHA */
3721 {0x002D,KEX_DHE_PSK0x11, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_DHE_PSK_WITH_NULL_SHA */
3722 {0x002E,KEX_RSA_PSK0x1f, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_RSA_PSK_WITH_NULL_SHA */
3723 {0x002F,KEX_RSA0x1e, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_AES_128_CBC_SHA */
3724 {0x0030,KEX_DH_DSS0x14, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_AES_128_CBC_SHA */
3725 {0x0031,KEX_DH_RSA0x15, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_AES_128_CBC_SHA */
3726 {0x0032,KEX_DHE_DSS0x10, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_AES_128_CBC_SHA */
3727 {0x0033,KEX_DHE_RSA0x12, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_AES_128_CBC_SHA */
3728 {0x0034,KEX_DH_ANON0x13, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_AES_128_CBC_SHA */
3729 {0x0035,KEX_RSA0x1e, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_AES_256_CBC_SHA */
3730 {0x0036,KEX_DH_DSS0x14, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_AES_256_CBC_SHA */
3731 {0x0037,KEX_DH_RSA0x15, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_AES_256_CBC_SHA */
3732 {0x0038,KEX_DHE_DSS0x10, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_AES_256_CBC_SHA */
3733 {0x0039,KEX_DHE_RSA0x12, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_AES_256_CBC_SHA */
3734 {0x003A,KEX_DH_ANON0x13, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_AES_256_CBC_SHA */
3735 {0x003B,KEX_RSA0x1e, ENC_NULL0x3D, DIG_SHA2560x42, MODE_STREAM}, /* TLS_RSA_WITH_NULL_SHA256 */
3736 {0x003C,KEX_RSA0x1e, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_RSA_WITH_AES_128_CBC_SHA256 */
3737 {0x003D,KEX_RSA0x1e, ENC_AES2560x36, DIG_SHA2560x42, MODE_CBC }, /* TLS_RSA_WITH_AES_256_CBC_SHA256 */
3738 {0x003E,KEX_DH_DSS0x14, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_DSS_WITH_AES_128_CBC_SHA256 */
3739 {0x003F,KEX_DH_RSA0x15, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_RSA_WITH_AES_128_CBC_SHA256 */
3740 {0x0040,KEX_DHE_DSS0x10, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 */
3741 {0x0041,KEX_RSA0x1e, ENC_CAMELLIA1280x37,DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_CAMELLIA_128_CBC_SHA */
3742 {0x0042,KEX_DH_DSS0x14, ENC_CAMELLIA1280x37,DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA */
3743 {0x0043,KEX_DH_RSA0x15, ENC_CAMELLIA1280x37,DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA */
3744 {0x0044,KEX_DHE_DSS0x10, ENC_CAMELLIA1280x37,DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA */
3745 {0x0045,KEX_DHE_RSA0x12, ENC_CAMELLIA1280x37,DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA */
3746 {0x0046,KEX_DH_ANON0x13, ENC_CAMELLIA1280x37,DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA */
3747 {0x0060,KEX_RSA0x1e, ENC_RC40x32, DIG_MD50x40, MODE_STREAM}, /* TLS_RSA_EXPORT1024_WITH_RC4_56_MD5 */
3748 {0x0061,KEX_RSA0x1e, ENC_RC20x33, DIG_MD50x40, MODE_STREAM}, /* TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 */
3749 {0x0062,KEX_RSA0x1e, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA */
3750 {0x0063,KEX_DHE_DSS0x10, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA */
3751 {0x0064,KEX_RSA0x1e, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_RSA_EXPORT1024_WITH_RC4_56_SHA */
3752 {0x0065,KEX_DHE_DSS0x10, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA */
3753 {0x0066,KEX_DHE_DSS0x10, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_DHE_DSS_WITH_RC4_128_SHA */
3754 {0x0067,KEX_DHE_RSA0x12, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 */
3755 {0x0068,KEX_DH_DSS0x14, ENC_AES2560x36, DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_DSS_WITH_AES_256_CBC_SHA256 */
3756 {0x0069,KEX_DH_RSA0x15, ENC_AES2560x36, DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_RSA_WITH_AES_256_CBC_SHA256 */
3757 {0x006A,KEX_DHE_DSS0x10, ENC_AES2560x36, DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 */
3758 {0x006B,KEX_DHE_RSA0x12, ENC_AES2560x36, DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 */
3759 {0x006C,KEX_DH_ANON0x13, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_anon_WITH_AES_128_CBC_SHA256 */
3760 {0x006D,KEX_DH_ANON0x13, ENC_AES2560x36, DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_anon_WITH_AES_256_CBC_SHA256 */
3761 {0x0084,KEX_RSA0x1e, ENC_CAMELLIA2560x38,DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_CAMELLIA_256_CBC_SHA */
3762 {0x0085,KEX_DH_DSS0x14, ENC_CAMELLIA2560x38,DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA */
3763 {0x0086,KEX_DH_RSA0x15, ENC_CAMELLIA2560x38,DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA */
3764 {0x0087,KEX_DHE_DSS0x10, ENC_CAMELLIA2560x38,DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA */
3765 {0x0088,KEX_DHE_RSA0x12, ENC_CAMELLIA2560x38,DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA */
3766 {0x0089,KEX_DH_ANON0x13, ENC_CAMELLIA2560x38,DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA */
3767 {0x008A,KEX_PSK0x1d, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_PSK_WITH_RC4_128_SHA */
3768 {0x008B,KEX_PSK0x1d, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_PSK_WITH_3DES_EDE_CBC_SHA */
3769 {0x008C,KEX_PSK0x1d, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_PSK_WITH_AES_128_CBC_SHA */
3770 {0x008D,KEX_PSK0x1d, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_PSK_WITH_AES_256_CBC_SHA */
3771 {0x008E,KEX_DHE_PSK0x11, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_DHE_PSK_WITH_RC4_128_SHA */
3772 {0x008F,KEX_DHE_PSK0x11, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA */
3773 {0x0090,KEX_DHE_PSK0x11, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_PSK_WITH_AES_128_CBC_SHA */
3774 {0x0091,KEX_DHE_PSK0x11, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_PSK_WITH_AES_256_CBC_SHA */
3775 {0x0092,KEX_RSA_PSK0x1f, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_RSA_PSK_WITH_RC4_128_SHA */
3776 {0x0093,KEX_RSA_PSK0x1f, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA */
3777 {0x0094,KEX_RSA_PSK0x1f, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_PSK_WITH_AES_128_CBC_SHA */
3778 {0x0095,KEX_RSA_PSK0x1f, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_PSK_WITH_AES_256_CBC_SHA */
3779 {0x0096,KEX_RSA0x1e, ENC_SEED0x39, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_SEED_CBC_SHA */
3780 {0x0097,KEX_DH_DSS0x14, ENC_SEED0x39, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_SEED_CBC_SHA */
3781 {0x0098,KEX_DH_RSA0x15, ENC_SEED0x39, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_SEED_CBC_SHA */
3782 {0x0099,KEX_DHE_DSS0x10, ENC_SEED0x39, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_SEED_CBC_SHA */
3783 {0x009A,KEX_DHE_RSA0x12, ENC_SEED0x39, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_SEED_CBC_SHA */
3784 {0x009B,KEX_DH_ANON0x13, ENC_SEED0x39, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_SEED_CBC_SHA */
3785 {0x009C,KEX_RSA0x1e, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_RSA_WITH_AES_128_GCM_SHA256 */
3786 {0x009D,KEX_RSA0x1e, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_RSA_WITH_AES_256_GCM_SHA384 */
3787 {0x009E,KEX_DHE_RSA0x12, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 */
3788 {0x009F,KEX_DHE_RSA0x12, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 */
3789 {0x00A0,KEX_DH_RSA0x15, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_DH_RSA_WITH_AES_128_GCM_SHA256 */
3790 {0x00A1,KEX_DH_RSA0x15, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_DH_RSA_WITH_AES_256_GCM_SHA384 */
3791 {0x00A2,KEX_DHE_DSS0x10, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 */
3792 {0x00A3,KEX_DHE_DSS0x10, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 */
3793 {0x00A4,KEX_DH_DSS0x14, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_DH_DSS_WITH_AES_128_GCM_SHA256 */
3794 {0x00A5,KEX_DH_DSS0x14, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_DH_DSS_WITH_AES_256_GCM_SHA384 */
3795 {0x00A6,KEX_DH_ANON0x13, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_DH_anon_WITH_AES_128_GCM_SHA256 */
3796 {0x00A7,KEX_DH_ANON0x13, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_DH_anon_WITH_AES_256_GCM_SHA384 */
3797 {0x00A8,KEX_PSK0x1d, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_PSK_WITH_AES_128_GCM_SHA256 */
3798 {0x00A9,KEX_PSK0x1d, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_PSK_WITH_AES_256_GCM_SHA384 */
3799 {0x00AA,KEX_DHE_PSK0x11, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 */
3800 {0x00AB,KEX_DHE_PSK0x11, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 */
3801 {0x00AC,KEX_RSA_PSK0x1f, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 */
3802 {0x00AD,KEX_RSA_PSK0x1f, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 */
3803 {0x00AE,KEX_PSK0x1d, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_PSK_WITH_AES_128_CBC_SHA256 */
3804 {0x00AF,KEX_PSK0x1d, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_PSK_WITH_AES_256_CBC_SHA384 */
3805 {0x00B0,KEX_PSK0x1d, ENC_NULL0x3D, DIG_SHA2560x42, MODE_STREAM}, /* TLS_PSK_WITH_NULL_SHA256 */
3806 {0x00B1,KEX_PSK0x1d, ENC_NULL0x3D, DIG_SHA3840x43, MODE_STREAM}, /* TLS_PSK_WITH_NULL_SHA384 */
3807 {0x00B2,KEX_DHE_PSK0x11, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 */
3808 {0x00B3,KEX_DHE_PSK0x11, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 */
3809 {0x00B4,KEX_DHE_PSK0x11, ENC_NULL0x3D, DIG_SHA2560x42, MODE_STREAM}, /* TLS_DHE_PSK_WITH_NULL_SHA256 */
3810 {0x00B5,KEX_DHE_PSK0x11, ENC_NULL0x3D, DIG_SHA3840x43, MODE_STREAM}, /* TLS_DHE_PSK_WITH_NULL_SHA384 */
3811 {0x00B6,KEX_RSA_PSK0x1f, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 */
3812 {0x00B7,KEX_RSA_PSK0x1f, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 */
3813 {0x00B8,KEX_RSA_PSK0x1f, ENC_NULL0x3D, DIG_SHA2560x42, MODE_STREAM}, /* TLS_RSA_PSK_WITH_NULL_SHA256 */
3814 {0x00B9,KEX_RSA_PSK0x1f, ENC_NULL0x3D, DIG_SHA3840x43, MODE_STREAM}, /* TLS_RSA_PSK_WITH_NULL_SHA384 */
3815 {0x00BA,KEX_RSA0x1e, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 */
3816 {0x00BB,KEX_DH_DSS0x14, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256 */
3817 {0x00BC,KEX_DH_RSA0x15, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256 */
3818 {0x00BD,KEX_DHE_DSS0x10, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256 */
3819 {0x00BE,KEX_DHE_RSA0x12, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 */
3820 {0x00BF,KEX_DH_ANON0x13, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256 */
3821 {0x00C0,KEX_RSA0x1e, ENC_CAMELLIA2560x38,DIG_SHA2560x42, MODE_CBC }, /* TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 */
3822 {0x00C1,KEX_DH_DSS0x14, ENC_CAMELLIA2560x38,DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256 */
3823 {0x00C2,KEX_DH_RSA0x15, ENC_CAMELLIA2560x38,DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256 */
3824 {0x00C3,KEX_DHE_DSS0x10, ENC_CAMELLIA2560x38,DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256 */
3825 {0x00C4,KEX_DHE_RSA0x12, ENC_CAMELLIA2560x38,DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 */
3826 {0x00C5,KEX_DH_ANON0x13, ENC_CAMELLIA2560x38,DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256 */
3827
3828 /* NOTE: TLS 1.3 cipher suites are incompatible with TLS 1.2. */
3829 {0x1301,KEX_TLS130x23, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_AES_128_GCM_SHA256 */
3830 {0x1302,KEX_TLS130x23, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_AES_256_GCM_SHA384 */
3831 {0x1303,KEX_TLS130x23, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_CHACHA20_POLY1305_SHA256 */
3832 {0x1304,KEX_TLS130x23, ENC_AES0x35, DIG_SHA2560x42, MODE_CCM }, /* TLS_AES_128_CCM_SHA256 */
3833 {0x1305,KEX_TLS130x23, ENC_AES0x35, DIG_SHA2560x42, MODE_CCM_8 }, /* TLS_AES_128_CCM_8_SHA256 */
3834 {0x00C6,KEX_TLS130x23, ENC_SM40x3C, DIG_SM30x44, MODE_GCM }, /* TLS_SM4_GCM_SM3 */
3835
3836 {0xC001,KEX_ECDH_ECDSA0x1a, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDH_ECDSA_WITH_NULL_SHA */
3837 {0xC002,KEX_ECDH_ECDSA0x1a, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDH_ECDSA_WITH_RC4_128_SHA */
3838 {0xC003,KEX_ECDH_ECDSA0x1a, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA */
3839 {0xC004,KEX_ECDH_ECDSA0x1a, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA */
3840 {0xC005,KEX_ECDH_ECDSA0x1a, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA */
3841 {0xC006,KEX_ECDHE_ECDSA0x16, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDHE_ECDSA_WITH_NULL_SHA */
3842 {0xC007,KEX_ECDHE_ECDSA0x16, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDHE_ECDSA_WITH_RC4_128_SHA */
3843 {0xC008,KEX_ECDHE_ECDSA0x16, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA */
3844 {0xC009,KEX_ECDHE_ECDSA0x16, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA */
3845 {0xC00A,KEX_ECDHE_ECDSA0x16, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA */
3846 {0xC00B,KEX_ECDH_RSA0x1b, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDH_RSA_WITH_NULL_SHA */
3847 {0xC00C,KEX_ECDH_RSA0x1b, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDH_RSA_WITH_RC4_128_SHA */
3848 {0xC00D,KEX_ECDH_RSA0x1b, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA */
3849 {0xC00E,KEX_ECDH_RSA0x1b, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_RSA_WITH_AES_128_CBC_SHA */
3850 {0xC00F,KEX_ECDH_RSA0x1b, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_RSA_WITH_AES_256_CBC_SHA */
3851 {0xC0FF,KEX_ECJPAKE0x24, ENC_AES0x35, DIG_NA0x45, MODE_CCM_8 }, /* TLS_ECJPAKE_WITH_AES_128_CCM_8 */
3852 {0xC010,KEX_ECDHE_RSA0x18, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDHE_RSA_WITH_NULL_SHA */
3853 {0xC011,KEX_ECDHE_RSA0x18, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDHE_RSA_WITH_RC4_128_SHA */
3854 {0xC012,KEX_ECDHE_RSA0x18, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA */
3855 {0xC013,KEX_ECDHE_RSA0x18, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA */
3856 {0xC014,KEX_ECDHE_RSA0x18, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA */
3857 {0xC015,KEX_ECDH_ANON0x19, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDH_anon_WITH_NULL_SHA */
3858 {0xC016,KEX_ECDH_ANON0x19, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDH_anon_WITH_RC4_128_SHA */
3859 {0xC017,KEX_ECDH_ANON0x19, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA */
3860 {0xC018,KEX_ECDH_ANON0x19, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_anon_WITH_AES_128_CBC_SHA */
3861 {0xC019,KEX_ECDH_ANON0x19, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_anon_WITH_AES_256_CBC_SHA */
3862 {0xC01A,KEX_SRP_SHA0x20, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA */
3863 {0xC01B,KEX_SRP_SHA_RSA0x22, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA */
3864 {0xC01C,KEX_SRP_SHA_DSS0x21, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA */
3865 {0xC01D,KEX_SRP_SHA0x20, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_WITH_AES_128_CBC_SHA */
3866 {0xC01E,KEX_SRP_SHA_RSA0x22, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA */
3867 {0xC01F,KEX_SRP_SHA_DSS0x21, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA */
3868 {0xC020,KEX_SRP_SHA0x20, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_WITH_AES_256_CBC_SHA */
3869 {0xC021,KEX_SRP_SHA_RSA0x22, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA */
3870 {0xC022,KEX_SRP_SHA_DSS0x21, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA */
3871 {0xC023,KEX_ECDHE_ECDSA0x16, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 */
3872 {0xC024,KEX_ECDHE_ECDSA0x16, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 */
3873 {0xC025,KEX_ECDH_ECDSA0x1a, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 */
3874 {0xC026,KEX_ECDH_ECDSA0x1a, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 */
3875 {0xC027,KEX_ECDHE_RSA0x18, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 */
3876 {0xC028,KEX_ECDHE_RSA0x18, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 */
3877 {0xC029,KEX_ECDH_RSA0x1b, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 */
3878 {0xC02A,KEX_ECDH_RSA0x1b, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 */
3879 {0xC02B,KEX_ECDHE_ECDSA0x16, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 */
3880 {0xC02C,KEX_ECDHE_ECDSA0x16, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 */
3881 {0xC02D,KEX_ECDH_ECDSA0x1a, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 */
3882 {0xC02E,KEX_ECDH_ECDSA0x1a, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 */
3883 {0xC02F,KEX_ECDHE_RSA0x18, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 */
3884 {0xC030,KEX_ECDHE_RSA0x18, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 */
3885 {0xC031,KEX_ECDH_RSA0x1b, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 */
3886 {0xC032,KEX_ECDH_RSA0x1b, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 */
3887 {0xC033,KEX_ECDHE_PSK0x17, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDHE_PSK_WITH_RC4_128_SHA */
3888 {0xC034,KEX_ECDHE_PSK0x17, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA */
3889 {0xC035,KEX_ECDHE_PSK0x17, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA */
3890 {0xC036,KEX_ECDHE_PSK0x17, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA */
3891 {0xC037,KEX_ECDHE_PSK0x17, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 */
3892 {0xC038,KEX_ECDHE_PSK0x17, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 */
3893 {0xC039,KEX_ECDHE_PSK0x17, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDHE_PSK_WITH_NULL_SHA */
3894 {0xC03A,KEX_ECDHE_PSK0x17, ENC_NULL0x3D, DIG_SHA2560x42, MODE_STREAM}, /* TLS_ECDHE_PSK_WITH_NULL_SHA256 */
3895 {0xC03B,KEX_ECDHE_PSK0x17, ENC_NULL0x3D, DIG_SHA3840x43, MODE_STREAM}, /* TLS_ECDHE_PSK_WITH_NULL_SHA384 */
3896 {0xC072,KEX_ECDHE_ECDSA0x16, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 */
3897 {0xC073,KEX_ECDHE_ECDSA0x16, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 */
3898 {0xC074,KEX_ECDH_ECDSA0x1a, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 */
3899 {0xC075,KEX_ECDH_ECDSA0x1a, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 */
3900 {0xC076,KEX_ECDHE_RSA0x18, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 */
3901 {0xC077,KEX_ECDHE_RSA0x18, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 */
3902 {0xC078,KEX_ECDH_RSA0x1b, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256 */
3903 {0xC079,KEX_ECDH_RSA0x1b, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384 */
3904 {0xC07A,KEX_RSA0x1e, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256 */
3905 {0xC07B,KEX_RSA0x1e, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384 */
3906 {0xC07C,KEX_DHE_RSA0x12, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 */
3907 {0xC07D,KEX_DHE_RSA0x12, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 */
3908 {0xC07E,KEX_DH_RSA0x15, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256 */
3909 {0xC07F,KEX_DH_RSA0x15, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384 */
3910 {0xC080,KEX_DHE_DSS0x10, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256 */
3911 {0xC081,KEX_DHE_DSS0x10, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384 */
3912 {0xC082,KEX_DH_DSS0x14, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256 */
3913 {0xC083,KEX_DH_DSS0x14, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384 */
3914 {0xC084,KEX_DH_ANON0x13, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256 */
3915 {0xC085,KEX_DH_ANON0x13, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384 */
3916 {0xC086,KEX_ECDHE_ECDSA0x16, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 */
3917 {0xC087,KEX_ECDHE_ECDSA0x16, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 */
3918 {0xC088,KEX_ECDH_ECDSA0x1a, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 */
3919 {0xC089,KEX_ECDH_ECDSA0x1a, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 */
3920 {0xC08A,KEX_ECDHE_RSA0x18, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 */
3921 {0xC08B,KEX_ECDHE_RSA0x18, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 */
3922 {0xC08C,KEX_ECDH_RSA0x1b, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256 */
3923 {0xC08D,KEX_ECDH_RSA0x1b, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384 */
3924 {0xC08E,KEX_PSK0x1d, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 */
3925 {0xC08F,KEX_PSK0x1d, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384 */
3926 {0xC090,KEX_DHE_PSK0x11, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256 */
3927 {0xC091,KEX_DHE_PSK0x11, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384 */
3928 {0xC092,KEX_RSA_PSK0x1f, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256 */
3929 {0xC093,KEX_RSA_PSK0x1f, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384 */
3930 {0xC094,KEX_PSK0x1d, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 */
3931 {0xC095,KEX_PSK0x1d, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384 */
3932 {0xC096,KEX_DHE_PSK0x11, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 */
3933 {0xC097,KEX_DHE_PSK0x11, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 */
3934 {0xC098,KEX_RSA_PSK0x1f, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256 */
3935 {0xC099,KEX_RSA_PSK0x1f, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384 */
3936 {0xC09A,KEX_ECDHE_PSK0x17, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 */
3937 {0xC09B,KEX_ECDHE_PSK0x17, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 */
3938 {0xC09C,KEX_RSA0x1e, ENC_AES0x35, DIG_NA0x45, MODE_CCM }, /* TLS_RSA_WITH_AES_128_CCM */
3939 {0xC09D,KEX_RSA0x1e, ENC_AES2560x36, DIG_NA0x45, MODE_CCM }, /* TLS_RSA_WITH_AES_256_CCM */
3940 {0xC09E,KEX_DHE_RSA0x12, ENC_AES0x35, DIG_NA0x45, MODE_CCM }, /* TLS_DHE_RSA_WITH_AES_128_CCM */
3941 {0xC09F,KEX_DHE_RSA0x12, ENC_AES2560x36, DIG_NA0x45, MODE_CCM }, /* TLS_DHE_RSA_WITH_AES_256_CCM */
3942 {0xC0A0,KEX_RSA0x1e, ENC_AES0x35, DIG_NA0x45, MODE_CCM_8 }, /* TLS_RSA_WITH_AES_128_CCM_8 */
3943 {0xC0A1,KEX_RSA0x1e, ENC_AES2560x36, DIG_NA0x45, MODE_CCM_8 }, /* TLS_RSA_WITH_AES_256_CCM_8 */
3944 {0xC0A2,KEX_DHE_RSA0x12, ENC_AES0x35, DIG_NA0x45, MODE_CCM_8 }, /* TLS_DHE_RSA_WITH_AES_128_CCM_8 */
3945 {0xC0A3,KEX_DHE_RSA0x12, ENC_AES2560x36, DIG_NA0x45, MODE_CCM_8 }, /* TLS_DHE_RSA_WITH_AES_256_CCM_8 */
3946 {0xC0A4,KEX_PSK0x1d, ENC_AES0x35, DIG_NA0x45, MODE_CCM }, /* TLS_PSK_WITH_AES_128_CCM */
3947 {0xC0A5,KEX_PSK0x1d, ENC_AES2560x36, DIG_NA0x45, MODE_CCM }, /* TLS_PSK_WITH_AES_256_CCM */
3948 {0xC0A6,KEX_DHE_PSK0x11, ENC_AES0x35, DIG_NA0x45, MODE_CCM }, /* TLS_DHE_PSK_WITH_AES_128_CCM */
3949 {0xC0A7,KEX_DHE_PSK0x11, ENC_AES2560x36, DIG_NA0x45, MODE_CCM }, /* TLS_DHE_PSK_WITH_AES_256_CCM */
3950 {0xC0A8,KEX_PSK0x1d, ENC_AES0x35, DIG_NA0x45, MODE_CCM_8 }, /* TLS_PSK_WITH_AES_128_CCM_8 */
3951 {0xC0A9,KEX_PSK0x1d, ENC_AES2560x36, DIG_NA0x45, MODE_CCM_8 }, /* TLS_PSK_WITH_AES_256_CCM_8 */
3952 {0xC0AA,KEX_DHE_PSK0x11, ENC_AES0x35, DIG_NA0x45, MODE_CCM_8 }, /* TLS_PSK_DHE_WITH_AES_128_CCM_8 */
3953 {0xC0AB,KEX_DHE_PSK0x11, ENC_AES2560x36, DIG_NA0x45, MODE_CCM_8 }, /* TLS_PSK_DHE_WITH_AES_256_CCM_8 */
3954 {0xC0AC,KEX_ECDHE_ECDSA0x16, ENC_AES0x35, DIG_NA0x45, MODE_CCM }, /* TLS_ECDHE_ECDSA_WITH_AES_128_CCM */
3955 {0xC0AD,KEX_ECDHE_ECDSA0x16, ENC_AES2560x36, DIG_NA0x45, MODE_CCM }, /* TLS_ECDHE_ECDSA_WITH_AES_256_CCM */
3956 {0xC0AE,KEX_ECDHE_ECDSA0x16, ENC_AES0x35, DIG_NA0x45, MODE_CCM_8 }, /* TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 */
3957 {0xC0AF,KEX_ECDHE_ECDSA0x16, ENC_AES2560x36, DIG_NA0x45, MODE_CCM_8 }, /* TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 */
3958 {0xCCA8,KEX_ECDHE_RSA0x18, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 */
3959 {0xCCA9,KEX_ECDHE_ECDSA0x16, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 */
3960 {0xCCAA,KEX_DHE_RSA0x12, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 */
3961 {0xCCAB,KEX_PSK0x1d, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_PSK_WITH_CHACHA20_POLY1305_SHA256 */
3962 {0xCCAC,KEX_ECDHE_PSK0x17, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 */
3963 {0xCCAD,KEX_DHE_PSK0x11, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 */
3964 {0xCCAE,KEX_RSA_PSK0x1f, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256 */
3965 {0xD001,KEX_ECDHE_PSK0x17, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM}, /* TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 */
3966 {0xD002,KEX_ECDHE_PSK0x17, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM}, /* TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384 */
3967 {0xD003,KEX_ECDHE_PSK0x17, ENC_AES0x35, DIG_SHA2560x42, MODE_CCM_8}, /* TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256 */
3968 {0xD005,KEX_ECDHE_PSK0x17, ENC_AES0x35, DIG_SHA2560x42, MODE_CCM}, /* TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256 */
3969 /* GM */
3970 {0xe001,KEX_ECDHE_SM20x25, ENC_SM10x3B, DIG_SM30x44, MODE_CBC}, /* ECDHE_SM1_SM3 */
3971 {0xe003,KEX_ECC_SM20x26, ENC_SM10x3B, DIG_SM30x44, MODE_CBC}, /* ECC_SM1_SM3 */
3972 {0xe005,KEX_IBSDH_SM90x27, ENC_SM10x3B, DIG_SM30x44, MODE_CBC}, /* IBSDH_SM1_SM3 */
3973 {0xe007,KEX_IBC_SM90x28, ENC_SM10x3B, DIG_SM30x44, MODE_CBC}, /* IBC_SM1_SM3 */
3974 {0xe009,KEX_RSA0x1e, ENC_SM10x3B, DIG_SM30x44, MODE_CBC}, /* RSA_SM1_SM3 */
3975 {0xe00a,KEX_RSA0x1e, ENC_SM10x3B, DIG_SHA0x41, MODE_CBC}, /* RSA_SM1_SHA1 */
3976 {0xe011,KEX_ECDHE_SM20x25, ENC_SM40x3C, DIG_SM30x44, MODE_CBC}, /* ECDHE_SM4_CBC_SM3 */
3977 {0xe013,KEX_ECC_SM20x26, ENC_SM40x3C, DIG_SM30x44, MODE_CBC}, /* ECC_SM4_CBC_SM3 */
3978 {0xe015,KEX_IBSDH_SM90x27, ENC_SM40x3C, DIG_SM30x44, MODE_CBC}, /* IBSDH_SM4_CBC_SM3 */
3979 {0xe017,KEX_IBC_SM90x28, ENC_SM40x3C, DIG_SM30x44, MODE_CBC}, /* IBC_SM4_CBC_SM3 */
3980 {0xe019,KEX_RSA0x1e, ENC_SM40x3C, DIG_SM30x44, MODE_CBC}, /* RSA_SM4_CBC_SM3 */
3981 {0xe01a,KEX_RSA0x1e, ENC_SM40x3C, DIG_SHA0x41, MODE_CBC}, /* RSA_SM4_CBC_SHA1 */
3982 {0xe01c,KEX_RSA0x1e, ENC_SM40x3C, DIG_SHA2560x42, MODE_CBC}, /* RSA_SM4_CBC_SHA256 */
3983 {0xe051,KEX_ECDHE_SM20x25, ENC_SM40x3C, DIG_SM30x44, MODE_GCM}, /* ECDHE_SM4_GCM_SM3 */
3984 {0xe053,KEX_ECC_SM20x26, ENC_SM40x3C, DIG_SM30x44, MODE_GCM}, /* ECC_SM4_GCM_SM3 */
3985 {0xe055,KEX_IBSDH_SM90x27, ENC_SM40x3C, DIG_SM30x44, MODE_GCM}, /* IBSDH_SM4_GCM_SM3 */
3986 {0xe057,KEX_IBC_SM90x28, ENC_SM40x3C, DIG_SM30x44, MODE_GCM}, /* IBC_SM4_GCM_SM3 */
3987 {0xe059,KEX_RSA0x1e, ENC_SM40x3C, DIG_SM30x44, MODE_GCM}, /* RSA_SM4_GCM_SM3 */
3988 {0xe05a,KEX_RSA0x1e, ENC_SM40x3C, DIG_SHA2560x42, MODE_GCM}, /* RSA_SM4_GCM_SHA256 */
3989 {-1, 0, 0, 0, MODE_STREAM}
3990};
3991
3992#define MAX_BLOCK_SIZE16 16
3993#define MAX_KEY_SIZE32 32
3994
3995const SslCipherSuite *
3996ssl_find_cipher(int num)
3997{
3998 const SslCipherSuite *c;
3999 for(c=cipher_suites;c->number!=-1;c++){
4000 if(c->number==num){
4001 return c;
4002 }
4003 }
4004
4005 return NULL((void*)0);
4006}
4007
4008int
4009ssl_get_cipher_algo(const SslCipherSuite *cipher_suite)
4010{
4011 return gcry_cipher_map_name(ciphers[cipher_suite->enc - ENC_START0x30]);
4012}
4013
4014unsigned
4015ssl_get_cipher_blocksize(const SslCipherSuite *cipher_suite)
4016{
4017 int cipher_algo;
4018 if (cipher_suite->mode != MODE_CBC) return 0;
4019 cipher_algo = ssl_get_cipher_by_name(ciphers[cipher_suite->enc - ENC_START0x30]);
4020 return (unsigned)gcry_cipher_get_algo_blklen(cipher_algo);
4021}
4022
4023static unsigned
4024ssl_get_cipher_export_keymat_size(int cipher_suite_num)
4025{
4026 switch (cipher_suite_num) {
4027 /* See RFC 6101 (SSL 3.0), Table 2, column Key Material. */
4028 case 0x0003: /* TLS_RSA_EXPORT_WITH_RC4_40_MD5 */
4029 case 0x0006: /* TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 */
4030 case 0x0008: /* TLS_RSA_EXPORT_WITH_DES40_CBC_SHA */
4031 case 0x000B: /* TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA */
4032 case 0x000E: /* TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA */
4033 case 0x0011: /* TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA */
4034 case 0x0014: /* TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA */
4035 case 0x0017: /* TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 */
4036 case 0x0019: /* TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA */
4037 return 5;
4038
4039 /* not defined in below draft, but "implemented by several vendors",
4040 * https://www.ietf.org/mail-archive/web/tls/current/msg00036.html */
4041 case 0x0060: /* TLS_RSA_EXPORT1024_WITH_RC4_56_MD5 */
4042 case 0x0061: /* TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 */
4043 return 7;
4044
4045 /* Note: the draft states that DES_CBC needs 8 bytes, but Wireshark always
4046 * used 7. Until a pcap proves 8, let's use the old value. Link:
4047 * https://tools.ietf.org/html/draft-ietf-tls-56-bit-ciphersuites-01 */
4048 case 0x0062: /* TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA */
4049 case 0x0063: /* TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA */
4050 case 0x0064: /* TLS_RSA_EXPORT1024_WITH_RC4_56_SHA */
4051 case 0x0065: /* TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA */
4052 return 7;
4053
4054 default:
4055 return 0;
4056 }
4057}
4058
4059/* Digests, Ciphers and Cipher Suites registry }}} */
4060
4061
4062/* HMAC and the Pseudorandom function {{{ */
4063static int
4064tls_hash(StringInfo *secret, StringInfo *seed, int md,
4065 StringInfo *out, unsigned out_len)
4066{
4067 /* RFC 2246 5. HMAC and the pseudorandom function
4068 * '+' denotes concatenation.
4069 * P_hash(secret, seed) = HMAC_hash(secret, A(1) + seed) +
4070 * HMAC_hash(secret, A(2) + seed) + ...
4071 * A(0) = seed
4072 * A(i) = HMAC_hash(secret, A(i - 1))
4073 */
4074 uint8_t *ptr;
4075 unsigned left, tocpy;
4076 uint8_t *A;
4077 uint8_t _A[DIGEST_MAX_SIZE48], tmp[DIGEST_MAX_SIZE48];
4078 unsigned A_l, tmp_l;
4079 SSL_HMACgcry_md_hd_t hm;
4080
4081 ptr = out->data;
4082 left = out_len;
4083
4084 ssl_print_string("tls_hash: hash secret", secret);
4085 ssl_print_string("tls_hash: hash seed", seed);
4086 /* A(0) = seed */
4087 A = seed->data;
4088 A_l = seed->data_len;
4089
4090 if (ssl_hmac_init(&hm, md) != 0) {
4091 return -1;
4092 }
4093 while (left) {
4094 /* A(i) = HMAC_hash(secret, A(i-1)) */
4095 ssl_hmac_setkey(&hm, secret->data, secret->data_len);
4096 ssl_hmac_update(&hm, A, A_l);
4097 A_l = sizeof(_A); /* upper bound len for hash output */
4098 ssl_hmac_final(&hm, _A, &A_l);
4099 A = _A;
4100
4101 /* HMAC_hash(secret, A(i) + seed) */
4102 ssl_hmac_reset(&hm);
4103 ssl_hmac_setkey(&hm, secret->data, secret->data_len);
4104 ssl_hmac_update(&hm, A, A_l);
4105 ssl_hmac_update(&hm, seed->data, seed->data_len);
4106 tmp_l = sizeof(tmp); /* upper bound len for hash output */
4107 ssl_hmac_final(&hm, tmp, &tmp_l);
4108 ssl_hmac_reset(&hm);
4109
4110 /* ssl_hmac_final puts the actual digest output size in tmp_l */
4111 tocpy = MIN(left, tmp_l)(((left) < (tmp_l)) ? (left) : (tmp_l));
4112 memcpy(ptr, tmp, tocpy);
4113 ptr += tocpy;
4114 left -= tocpy;
4115 }
4116 ssl_hmac_cleanup(&hm);
4117 out->data_len = out_len;
4118
4119 ssl_print_string("hash out", out);
4120 return 0;
4121}
4122
4123static bool_Bool
4124tls_prf(StringInfo* secret, const char *usage,
4125 StringInfo* rnd1, StringInfo* rnd2, StringInfo* out, unsigned out_len)
4126{
4127 StringInfo seed, sha_out, md5_out;
4128 uint8_t *ptr;
4129 StringInfo s1, s2;
4130 unsigned i,s_l;
4131 size_t usage_len, rnd2_len;
4132 bool_Bool success = false0;
4133 usage_len = strlen(usage);
4134 rnd2_len = rnd2 ? rnd2->data_len : 0;
4135
4136 /* initialize buffer for sha, md5 random seed*/
4137 if (ssl_data_alloc(&sha_out, MAX(out_len, 20)(((out_len) > (20)) ? (out_len) : (20))) < 0) {
4138 ssl_debug_printf("tls_prf: can't allocate sha out\n");
4139 return false0;
4140 }
4141 if (ssl_data_alloc(&md5_out, MAX(out_len, 16)(((out_len) > (16)) ? (out_len) : (16))) < 0) {
4142 ssl_debug_printf("tls_prf: can't allocate md5 out\n");
4143 goto free_sha;
4144 }
4145 if (ssl_data_alloc(&seed, usage_len+rnd1->data_len+rnd2_len) < 0) {
4146 ssl_debug_printf("tls_prf: can't allocate rnd %d\n",
4147 (int) (usage_len+rnd1->data_len+rnd2_len));
4148 goto free_md5;
4149 }
4150
4151 ptr=seed.data;
4152 memcpy(ptr,usage,usage_len);
4153 ptr+=usage_len;
4154 memcpy(ptr,rnd1->data,rnd1->data_len);
4155 if (rnd2_len > 0) {
4156 ptr+=rnd1->data_len;
4157 memcpy(ptr,rnd2->data,rnd2->data_len);
4158 /*ptr+=rnd2->data_len;*/
4159 }
4160
4161 /* initialize buffer for client/server seeds*/
4162 s_l=secret->data_len/2 + secret->data_len%2;
4163 if (ssl_data_alloc(&s1, s_l) < 0) {
4164 ssl_debug_printf("tls_prf: can't allocate secret %d\n", s_l);
4165 goto free_seed;
4166 }
4167 if (ssl_data_alloc(&s2, s_l) < 0) {
4168 ssl_debug_printf("tls_prf: can't allocate secret(2) %d\n", s_l);
4169 goto free_s1;
4170 }
4171
4172 memcpy(s1.data,secret->data,s_l);
4173 memcpy(s2.data,secret->data + (secret->data_len - s_l),s_l);
4174
4175 ssl_debug_printf("tls_prf: tls_hash(md5 secret_len %d seed_len %d )\n", s1.data_len, seed.data_len);
4176 if(tls_hash(&s1, &seed, ssl_get_digest_by_name("MD5"), &md5_out, out_len) != 0)
4177 goto free_s2;
4178 ssl_debug_printf("tls_prf: tls_hash(sha)\n");
4179 if(tls_hash(&s2, &seed, ssl_get_digest_by_name("SHA1"), &sha_out, out_len) != 0)
4180 goto free_s2;
4181
4182 for (i = 0; i < out_len; i++)
4183 out->data[i] = md5_out.data[i] ^ sha_out.data[i];
4184 /* success, now store the new meaningful data length */
4185 out->data_len = out_len;
4186 success = true1;
4187
4188 ssl_print_string("PRF out",out);
4189free_s2:
4190 g_free(s2.data);
4191free_s1:
4192 g_free(s1.data);
4193free_seed:
4194 g_free(seed.data);
4195free_md5:
4196 g_free(md5_out.data);
4197free_sha:
4198 g_free(sha_out.data);
4199 return success;
4200}
4201
4202static bool_Bool
4203tls12_prf(int md, StringInfo* secret, const char* usage,
4204 StringInfo* rnd1, StringInfo* rnd2, StringInfo* out, unsigned out_len)
4205{
4206 StringInfo label_seed;
4207 int success;
4208 size_t usage_len, rnd2_len;
4209 rnd2_len = rnd2 ? rnd2->data_len : 0;
4210
4211 usage_len = strlen(usage);
4212 if (ssl_data_alloc(&label_seed, usage_len+rnd1->data_len+rnd2_len) < 0) {
4213 ssl_debug_printf("tls12_prf: can't allocate label_seed\n");
4214 return false0;
4215 }
4216 memcpy(label_seed.data, usage, usage_len);
4217 memcpy(label_seed.data+usage_len, rnd1->data, rnd1->data_len);
4218 if (rnd2_len > 0)
4219 memcpy(label_seed.data+usage_len+rnd1->data_len, rnd2->data, rnd2->data_len);
4220
4221 ssl_debug_printf("tls12_prf: tls_hash(hash_alg %s secret_len %d seed_len %d )\n", gcry_md_algo_name(md), secret->data_len, label_seed.data_len);
4222 success = tls_hash(secret, &label_seed, md, out, out_len);
4223 g_free(label_seed.data);
4224 if(success != -1){
4225 ssl_print_string("PRF out", out);
4226 return true1;
4227 }
4228 return false0;
4229}
4230
4231static bool_Bool
4232ssl3_generate_export_iv(StringInfo *r1, StringInfo *r2,
4233 StringInfo *out, unsigned out_len)
4234{
4235 SSL_MD5_CTXgcry_md_hd_t md5;
4236 uint8_t tmp[16];
4237
4238 if (ssl_md5_init(&md5) != 0) {
4239 return false0;
4240 }
4241 ssl_md5_update(&md5,r1->data,r1->data_len);
4242 ssl_md5_update(&md5,r2->data,r2->data_len);
4243 ssl_md5_final(tmp,&md5);
4244 ssl_md5_cleanup(&md5);
4245
4246 DISSECTOR_ASSERT(out_len <= sizeof(tmp))((void) ((out_len <= sizeof(tmp)) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 4246, "out_len <= sizeof(tmp)"))));
4247 ssl_data_set(out, tmp, out_len);
4248 ssl_print_string("export iv", out);
4249 return true1;
4250}
4251
4252static bool_Bool
4253ssl3_prf(StringInfo* secret, const char* usage,
4254 StringInfo* rnd1, StringInfo* rnd2, StringInfo* out, unsigned out_len)
4255{
4256 SSL_MD5_CTXgcry_md_hd_t md5;
4257 SSL_SHA_CTXgcry_md_hd_t sha;
4258 unsigned off;
4259 int i = 0,j;
4260 uint8_t buf[20];
4261
4262 if (ssl_sha_init(&sha) != 0) {
4263 return false0;
4264 }
4265 if (ssl_md5_init(&md5) != 0) {
4266 ssl_sha_cleanup(&sha);
4267 return false0;
4268 }
4269 for (off = 0; off < out_len; off += 16) {
4270 unsigned char outbuf[16];
4271 i++;
4272
4273 ssl_debug_printf("ssl3_prf: sha1_hash(%d)\n",i);
4274 /* A, BB, CCC, ... */
4275 for(j=0;j<i;j++){
4276 buf[j]=64+i;
4277 }
4278
4279 ssl_sha_update(&sha,buf,i);
4280 ssl_sha_update(&sha,secret->data,secret->data_len);
4281
4282 if(!strcmp(usage,"client write key") || !strcmp(usage,"server write key")){
4283 if (rnd2)
4284 ssl_sha_update(&sha,rnd2->data,rnd2->data_len);
4285 ssl_sha_update(&sha,rnd1->data,rnd1->data_len);
4286 }
4287 else{
4288 ssl_sha_update(&sha,rnd1->data,rnd1->data_len);
4289 if (rnd2)
4290 ssl_sha_update(&sha,rnd2->data,rnd2->data_len);
4291 }
4292
4293 ssl_sha_final(buf,&sha);
4294 ssl_sha_reset(&sha);
4295
4296 ssl_debug_printf("ssl3_prf: md5_hash(%d) datalen %d\n",i,
4297 secret->data_len);
4298 ssl_md5_update(&md5,secret->data,secret->data_len);
4299 ssl_md5_update(&md5,buf,20);
4300 ssl_md5_final(outbuf,&md5);
4301 ssl_md5_reset(&md5);
4302
4303 memcpy(out->data + off, outbuf, MIN(out_len - off, 16)(((out_len - off) < (16)) ? (out_len - off) : (16)));
4304 }
4305 ssl_sha_cleanup(&sha);
4306 ssl_md5_cleanup(&md5);
4307 out->data_len = out_len;
4308
4309 return true1;
4310}
4311
4312/* out_len is the wanted output length for the pseudorandom function.
4313 * Ensure that ssl->cipher_suite is set. */
4314static bool_Bool
4315prf(SslDecryptSession *ssl, StringInfo *secret, const char *usage,
4316 StringInfo *rnd1, StringInfo *rnd2, StringInfo *out, unsigned out_len)
4317{
4318 switch (ssl->session.version) {
4319 case SSLV3_VERSION0x300:
4320 return ssl3_prf(secret, usage, rnd1, rnd2, out, out_len);
4321
4322 case TLSV1_VERSION0x301:
4323 case TLSV1DOT1_VERSION0x302:
4324 case DTLSV1DOT0_VERSION0xfeff:
4325 case DTLSV1DOT0_OPENSSL_VERSION0x100:
4326 return tls_prf(secret, usage, rnd1, rnd2, out, out_len);
4327
4328 default: /* TLSv1.2 */
4329 switch (ssl->cipher_suite->dig) {
4330 case DIG_SM30x44:
4331#if GCRYPT_VERSION_NUMBER0x010a03 >= 0x010900
4332 return tls12_prf(GCRY_MD_SM3, secret, usage, rnd1, rnd2,
4333 out, out_len);
4334#else
4335 return false0;
4336#endif
4337 case DIG_SHA3840x43:
4338 return tls12_prf(GCRY_MD_SHA384, secret, usage, rnd1, rnd2,
4339 out, out_len);
4340 default:
4341 return tls12_prf(GCRY_MD_SHA256, secret, usage, rnd1, rnd2,
4342 out, out_len);
4343 }
4344 }
4345}
4346
4347static int tls_handshake_hash(SslDecryptSession* ssl, StringInfo* out)
4348{
4349 SSL_MD5_CTXgcry_md_hd_t md5;
4350 SSL_SHA_CTXgcry_md_hd_t sha;
4351
4352 if (ssl_data_alloc(out, 36) < 0)
21
Calling 'ssl_data_alloc'
25
Returned allocated memory
26
Taking false branch
4353 return -1;
4354
4355 if (ssl_md5_init(&md5) != 0)
27
Taking true branch
4356 return -1;
4357 ssl_md5_update(&md5,ssl->handshake_data.data,ssl->handshake_data.data_len);
4358 ssl_md5_final(out->data,&md5);
4359 ssl_md5_cleanup(&md5);
4360
4361 if (ssl_sha_init(&sha) != 0)
4362 return -1;
4363 ssl_sha_update(&sha,ssl->handshake_data.data,ssl->handshake_data.data_len);
4364 ssl_sha_final(out->data+16,&sha);
4365 ssl_sha_cleanup(&sha);
4366 return 0;
4367}
4368
4369static int tls12_handshake_hash(SslDecryptSession* ssl, int md, StringInfo* out)
4370{
4371 SSL_MDgcry_md_hd_t mc;
4372 uint8_t tmp[48];
4373 unsigned len;
4374
4375 if (ssl_md_init(&mc, md) != 0)
4376 return -1;
4377 ssl_md_update(&mc,ssl->handshake_data.data,ssl->handshake_data.data_len);
4378 ssl_md_final(&mc, tmp, &len);
4379 ssl_md_cleanup(&mc);
4380
4381 if (ssl_data_alloc(out, len) < 0)
4382 return -1;
4383 memcpy(out->data, tmp, len);
4384 return 0;
4385}
4386
4387/**
4388 * Obtains the label prefix used in HKDF-Expand-Label. This function can be
4389 * inlined and removed once support for draft 19 and before is dropped.
4390 */
4391static inline const char *
4392tls13_hkdf_label_prefix(SslDecryptSession *ssl_session)
4393{
4394 if (ssl_session->session.tls13_draft_version && ssl_session->session.tls13_draft_version < 20) {
4395 return "TLS 1.3, ";
4396 } else if (ssl_session->session.version == DTLSV1DOT3_VERSION0xfefc) {
4397 return "dtls13";
4398 } else {
4399 return "tls13 ";
4400 }
4401}
4402
4403/*
4404 * Computes HKDF-Expand-Label(Secret, Label, Hash(context_value), Length) with a
4405 * custom label prefix. If "context_hash" is NULL, then an empty context is
4406 * used. Otherwise it must have the same length as the hash algorithm output.
4407 */
4408bool_Bool
4409tls13_hkdf_expand_label_context(int md, const StringInfo *secret,
4410 const char *label_prefix, const char *label,
4411 const uint8_t *context_hash, uint8_t context_length,
4412 uint16_t out_len, unsigned char **out)
4413{
4414 /* RFC 8446 Section 7.1:
4415 * HKDF-Expand-Label(Secret, Label, Context, Length) =
4416 * HKDF-Expand(Secret, HkdfLabel, Length)
4417 * struct {
4418 * uint16 length = Length;
4419 * opaque label<7..255> = "tls13 " + Label; // "tls13 " is label prefix.
4420 * opaque context<0..255> = Context;
4421 * } HkdfLabel;
4422 *
4423 * RFC 5869 HMAC-based Extract-and-Expand Key Derivation Function (HKDF):
4424 * HKDF-Expand(PRK, info, L) -> OKM
4425 */
4426 gcry_error_t err;
4427 const unsigned label_prefix_length = (unsigned) strlen(label_prefix);
4428 const unsigned label_length = (unsigned) strlen(label);
4429
4430 /* Some sanity checks */
4431 DISSECTOR_ASSERT(label_length > 0 && label_prefix_length + label_length <= 255)((void) ((label_length > 0 && label_prefix_length +
label_length <= 255) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 4431, "label_length > 0 && label_prefix_length + label_length <= 255"
))));
4432
4433 /* info = HkdfLabel { length, label, context } */
4434 GByteArray *info = g_byte_array_new();
4435 const uint16_t length = g_htons(out_len)(((((guint16) ( (guint16) ((guint16) (out_len) >> 8) | (
guint16) ((guint16) (out_len) << 8))))));
4436 g_byte_array_append(info, (const uint8_t *)&length, sizeof(length));
4437
4438 const uint8_t label_vector_length = label_prefix_length + label_length;
4439 g_byte_array_append(info, &label_vector_length, 1);
4440 g_byte_array_append(info, (const uint8_t *)label_prefix, label_prefix_length);
4441 g_byte_array_append(info, (const uint8_t*)label, label_length);
4442
4443 g_byte_array_append(info, &context_length, 1);
4444 if (context_length) {
4445 g_byte_array_append(info, context_hash, context_length);
4446 }
4447
4448 *out = (unsigned char *)wmem_alloc(NULL((void*)0), out_len);
4449 err = hkdf_expand(md, secret->data, secret->data_len, info->data, info->len, *out, out_len);
4450 g_byte_array_free(info, true1);
4451
4452 if (err) {
4453 ssl_debug_printf("%s failed %d: %s\n", G_STRFUNC((const char*) (__func__)), md, gcry_strerror(err));
4454 wmem_free(NULL((void*)0), *out);
4455 *out = NULL((void*)0);
4456 return false0;
4457 }
4458
4459 return true1;
4460}
4461
4462bool_Bool
4463tls13_hkdf_expand_label(int md, const StringInfo *secret,
4464 const char *label_prefix, const char *label,
4465 uint16_t out_len, unsigned char **out)
4466{
4467 return tls13_hkdf_expand_label_context(md, secret, label_prefix, label, NULL((void*)0), 0, out_len, out);
4468}
4469/* HMAC and the Pseudorandom function }}} */
4470
4471/* Record Decompression (after decryption) {{{ */
4472#ifdef USE_ZLIB_OR_ZLIBNG
4473/* memory allocation functions for zlib initialization */
4474static void* ssl_zalloc(void* opaque _U___attribute__((unused)), unsigned int no, unsigned int size)
4475{
4476 return g_malloc0(no*size);
4477}
4478static void ssl_zfree(void* opaque _U___attribute__((unused)), void* addr)
4479{
4480 g_free(addr);
4481}
4482#endif /* USE_ZLIB_OR_ZLIBNG */
4483
4484static SslDecompress*
4485ssl_create_decompressor(int compression)
4486{
4487 SslDecompress *decomp;
4488#ifdef USE_ZLIB_OR_ZLIBNG
4489 int err;
4490#endif
4491
4492 if (compression == 0) return NULL((void*)0);
4493 ssl_debug_printf("ssl_create_decompressor: compression method %d\n", compression);
4494 decomp = wmem_new(wmem_file_scope(), SslDecompress)((SslDecompress*)wmem_alloc((wmem_file_scope()), sizeof(SslDecompress
)));
4495 decomp->compression = compression;
4496 switch (decomp->compression) {
4497#ifdef USE_ZLIB_OR_ZLIBNG
4498 case 1: /* DEFLATE */
4499 decomp->istream.zalloc = ssl_zalloc;
4500 decomp->istream.zfree = ssl_zfree;
4501 decomp->istream.opaque = Z_NULL0;
4502 decomp->istream.next_in = Z_NULL0;
4503 decomp->istream.next_out = Z_NULL0;
4504 decomp->istream.avail_in = 0;
4505 decomp->istream.avail_out = 0;
4506 err = ZLIB_PREFIX(inflateInit)(&decomp->istream)inflateInit_((&decomp->istream), "1.3", (int)sizeof(z_stream
));
4507 if (err != Z_OK0) {
4508 ssl_debug_printf("ssl_create_decompressor: inflateInit_() failed - %d\n", err);
4509 return NULL((void*)0);
4510 }
4511 break;
4512#endif /* USE_ZLIB_OR_ZLIBNG */
4513 default:
4514 ssl_debug_printf("ssl_create_decompressor: unsupported compression method %d\n", decomp->compression);
4515 return NULL((void*)0);
4516 }
4517 return decomp;
4518}
4519
4520#ifdef USE_ZLIB_OR_ZLIBNG
4521static int
4522ssl_decompress_record(SslDecompress* decomp, const unsigned char* in, unsigned inl, StringInfo* out_str, unsigned* outl)
4523{
4524 int err;
4525
4526 switch (decomp->compression) {
4527 case 1: /* DEFLATE */
4528 err = Z_OK0;
4529 if (out_str->data_len < 16384) { /* maximal plain length */
4530 ssl_data_realloc(out_str, 16384);
4531 }
4532#ifdef z_constconst
4533 decomp->istream.next_in = in;
4534#else
4535DIAG_OFF(cast-qual)clang diagnostic push clang diagnostic ignored "-Wcast-qual"
4536 decomp->istream.next_in = (Bytef *)in;
4537DIAG_ON(cast-qual)clang diagnostic pop
4538#endif
4539 decomp->istream.avail_in = inl;
4540 decomp->istream.next_out = out_str->data;
4541 decomp->istream.avail_out = out_str->data_len;
4542 if (inl > 0)
4543 err = ZLIB_PREFIX(inflate)inflate(&decomp->istream, Z_SYNC_FLUSH2);
4544 if (err != Z_OK0) {
4545 ssl_debug_printf("ssl_decompress_record: inflate() failed - %d\n", err);
4546 return -1;
4547 }
4548 *outl = out_str->data_len - decomp->istream.avail_out;
4549 break;
4550 default:
4551 ssl_debug_printf("ssl_decompress_record: unsupported compression method %d\n", decomp->compression);
4552 return -1;
4553 }
4554 return 0;
4555}
4556#else /* USE_ZLIB_OR_ZLIBNG */
4557int
4558ssl_decompress_record(SslDecompress* decomp _U___attribute__((unused)), const unsigned char* in _U___attribute__((unused)), unsigned inl _U___attribute__((unused)), StringInfo* out_str _U___attribute__((unused)), unsigned* outl _U___attribute__((unused)))
4559{
4560 ssl_debug_printf("ssl_decompress_record: unsupported compression method %d\n", decomp->compression);
4561 return -1;
4562}
4563#endif /* USE_ZLIB_OR_ZLIBNG */
4564/* Record Decompression (after decryption) }}} */
4565
4566/* Create a new structure to store decrypted chunks. {{{ */
4567static SslFlow*
4568ssl_create_flow(void)
4569{
4570 SslFlow *flow;
4571
4572 flow = wmem_new(wmem_file_scope(), SslFlow)((SslFlow*)wmem_alloc((wmem_file_scope()), sizeof(SslFlow)));
4573 flow->byte_seq = 0;
4574 flow->flags = 0;
4575 flow->multisegment_pdus = wmem_tree_new(wmem_file_scope());
4576 return flow;
4577}
4578/* }}} */
4579
4580/* Use the negotiated security parameters for decryption. {{{ */
4581void
4582ssl_change_cipher(SslDecryptSession *ssl_session, bool_Bool server)
4583{
4584 SslDecoder **new_decoder = server ? &ssl_session->server_new : &ssl_session->client_new;
4585 SslDecoder **dest = server ? &ssl_session->server : &ssl_session->client;
4586 ssl_debug_printf("ssl_change_cipher %s%s\n", server ? "SERVER" : "CLIENT",
4587 *new_decoder ? "" : " (No decoder found - retransmission?)");
4588 if (*new_decoder) {
4589 *dest = *new_decoder;
4590 *new_decoder = NULL((void*)0);
4591 }
4592}
4593/* }}} */
4594
4595/* Init cipher state given some security parameters. {{{ */
4596static bool_Bool
4597ssl_decoder_destroy_cb(wmem_allocator_t *, wmem_cb_event_t, void *);
4598
4599static SslDecoder*
4600ssl_create_decoder(const SslCipherSuite *cipher_suite, int cipher_algo,
4601 int compression, uint8_t *mk, uint8_t *sk, uint8_t *sn_key, uint8_t *iv, unsigned iv_length)
4602{
4603 SslDecoder *dec;
4604 ssl_cipher_mode_t mode = cipher_suite->mode;
4605
4606 dec = wmem_new0(wmem_file_scope(), SslDecoder)((SslDecoder*)wmem_alloc0((wmem_file_scope()), sizeof(SslDecoder
)));
4607 /* init mac buffer: mac storage is embedded into decoder struct to save a
4608 memory allocation and waste samo more memory*/
4609 dec->cipher_suite=cipher_suite;
4610 dec->compression = compression;
4611 if ((mode == MODE_STREAM && mk != NULL((void*)0)) || mode == MODE_CBC) {
4612 // AEAD ciphers use no MAC key, but stream and block ciphers do. Note
4613 // the special case for NULL ciphers, even if there is insufficiency
4614 // keying material (including MAC key), we will can still create
4615 // decoders since "decryption" is easy for such ciphers.
4616 dec->mac_key.data = dec->_mac_key_or_write_iv;
4617 ssl_data_set(&dec->mac_key, mk, ssl_cipher_suite_dig(cipher_suite)->len);
4618 } else if (mode == MODE_GCM || mode == MODE_CCM || mode == MODE_CCM_8 || mode == MODE_POLY1305) {
4619 // Input for the nonce, to be used with AEAD ciphers.
4620 DISSECTOR_ASSERT(iv_length <= sizeof(dec->_mac_key_or_write_iv))((void) ((iv_length <= sizeof(dec->_mac_key_or_write_iv
)) ? (void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\""
, "epan/dissectors/packet-tls-utils.c", 4620, "iv_length <= sizeof(dec->_mac_key_or_write_iv)"
))));
4621 dec->write_iv.data = dec->_mac_key_or_write_iv;
4622 ssl_data_set(&dec->write_iv, iv, iv_length);
4623 }
4624 dec->seq = 0;
4625 dec->decomp = ssl_create_decompressor(compression);
4626 wmem_register_callback(wmem_file_scope(), ssl_decoder_destroy_cb, dec);
4627
4628 if (ssl_cipher_init(&dec->evp,cipher_algo,sk,iv,cipher_suite->mode) < 0) {
4629 ssl_debug_printf("%s: can't create cipher id:%d mode:%d\n", G_STRFUNC((const char*) (__func__)),
4630 cipher_algo, cipher_suite->mode);
4631 return NULL((void*)0);
4632 }
4633
4634 if (cipher_suite->enc != ENC_NULL0x3D && sn_key != NULL((void*)0)) {
4635 if (cipher_suite->enc == ENC_AES0x35 || cipher_suite->enc == ENC_AES2560x36) {
4636 mode = MODE_ECB;
4637 } else if (cipher_suite->enc == ENC_CHACHA200x3A) {
4638 mode = MODE_STREAM;
4639 } else {
4640 ssl_debug_printf("not supported encryption algorithm for DTLSv1.3\n");
4641 return NULL((void*)0);
4642 }
4643
4644 if (ssl_cipher_init(&dec->sn_evp, cipher_algo, sn_key, NULL((void*)0), mode) < 0) {
4645 ssl_debug_printf("%s: can't create cipher id:%d mode:%d for seq number decryption\n", G_STRFUNC((const char*) (__func__)),
4646 cipher_algo, MODE_ECB);
4647 ssl_cipher_cleanup(&dec->evp);
4648 dec->evp = NULL((void*)0);
4649 return NULL((void*)0);
4650 }
4651 } else {
4652 dec->sn_evp = NULL((void*)0);
4653 }
4654
4655 dec->dtls13_aad.data = NULL((void*)0);
4656 dec->dtls13_aad.data_len = 0;
4657 ssl_debug_printf("decoder initialized (digest len %d)\n", ssl_cipher_suite_dig(cipher_suite)->len);
4658 return dec;
4659}
4660
4661static bool_Bool
4662ssl_decoder_destroy_cb(wmem_allocator_t *allocator _U___attribute__((unused)), wmem_cb_event_t event _U___attribute__((unused)), void *user_data)
4663{
4664 SslDecoder *dec = (SslDecoder *) user_data;
4665
4666 if (dec->evp)
4667 ssl_cipher_cleanup(&dec->evp);
4668 if (dec->sn_evp)
4669 ssl_cipher_cleanup(&dec->sn_evp);
4670
4671#ifdef USE_ZLIB_OR_ZLIBNG
4672 if (dec->decomp != NULL((void*)0) && dec->decomp->compression == 1 /* DEFLATE */)
4673 ZLIB_PREFIX(inflateEnd)inflateEnd(&dec->decomp->istream);
4674#endif
4675
4676 return false0;
4677}
4678/* }}} */
4679
4680/* (Pre-)master secrets calculations {{{ */
4681#ifdef HAVE_LIBGNUTLS1
4682static bool_Bool
4683ssl_decrypt_pre_master_secret(SslDecryptSession *ssl_session,
4684 StringInfo *encrypted_pre_master,
4685 GHashTable *key_hash);
4686#endif /* HAVE_LIBGNUTLS */
4687
4688static bool_Bool
4689ssl_restore_master_key(SslDecryptSession *ssl, const char *label,
4690 bool_Bool is_pre_master, GHashTable *ht, StringInfo *key);
4691
4692bool_Bool
4693ssl_generate_pre_master_secret(SslDecryptSession *ssl_session,
4694 uint32_t length, tvbuff_t *tvb, uint32_t offset,
4695 const char *ssl_psk, packet_info *pinfo,
4696#ifdef HAVE_LIBGNUTLS1
4697 GHashTable *key_hash,
4698#endif
4699 const ssl_master_key_map_t *mk_map)
4700{
4701 /* check for required session data */
4702 ssl_debug_printf("%s: found SSL_HND_CLIENT_KEY_EXCHG, state %X\n",
4703 G_STRFUNC((const char*) (__func__)), ssl_session->state);
4704 if ((ssl_session->state & (SSL_CIPHER(1<<2)|SSL_CLIENT_RANDOM(1<<0)|SSL_SERVER_RANDOM(1<<1)|SSL_VERSION(1<<4))) !=
4705 (SSL_CIPHER(1<<2)|SSL_CLIENT_RANDOM(1<<0)|SSL_SERVER_RANDOM(1<<1)|SSL_VERSION(1<<4))) {
4706 ssl_debug_printf("%s: not enough data to generate key (required state %X)\n", G_STRFUNC((const char*) (__func__)),
4707 (SSL_CIPHER(1<<2)|SSL_CLIENT_RANDOM(1<<0)|SSL_SERVER_RANDOM(1<<1)|SSL_VERSION(1<<4)));
4708 return false0;
4709 }
4710
4711 if (ssl_session->session.version == TLSV1DOT3_VERSION0x304) {
4712 ssl_debug_printf("%s: detected TLS 1.3 which has no pre-master secrets\n", G_STRFUNC((const char*) (__func__)));
4713 return false0;
4714 }
4715
4716 /* check to see if the PMS was provided to us*/
4717 if (ssl_restore_master_key(ssl_session, "Unencrypted pre-master secret", true1,
4718 mk_map->pms, &ssl_session->client_random)) {
4719 return true1;
4720 }
4721
4722 if (ssl_session->cipher_suite->kex == KEX_PSK0x1d)
4723 {
4724 /* calculate pre master secret*/
4725 StringInfo pre_master_secret;
4726 unsigned psk_len, pre_master_len;
4727
4728 if (!ssl_psk || (ssl_psk[0] == 0)) {
4729 ssl_debug_printf("%s: can't find pre-shared key\n", G_STRFUNC((const char*) (__func__)));
4730 return false0;
4731 }
4732
4733 /* convert hex string into char*/
4734 if (!from_hex(&ssl_session->psk, ssl_psk, strlen(ssl_psk))) {
4735 ssl_debug_printf("%s: ssl.psk/dtls.psk contains invalid hex\n",
4736 G_STRFUNC((const char*) (__func__)));
4737 return false0;
4738 }
4739
4740 psk_len = ssl_session->psk.data_len;
4741 if (psk_len >= (2 << 15)) {
4742 ssl_debug_printf("%s: ssl.psk/dtls.psk must not be larger than 2^15 - 1\n",
4743 G_STRFUNC((const char*) (__func__)));
4744 return false0;
4745 }
4746
4747
4748 pre_master_len = psk_len * 2 + 4;
4749
4750 pre_master_secret.data = (unsigned char *)wmem_alloc(wmem_file_scope(), pre_master_len);
4751 pre_master_secret.data_len = pre_master_len;
4752 /* 2 bytes psk_len*/
4753 pre_master_secret.data[0] = psk_len >> 8;
4754 pre_master_secret.data[1] = psk_len & 0xFF;
4755 /* psk_len bytes times 0*/
4756 memset(&pre_master_secret.data[2], 0, psk_len);
4757 /* 2 bytes psk_len*/
4758 pre_master_secret.data[psk_len + 2] = psk_len >> 8;
4759 pre_master_secret.data[psk_len + 3] = psk_len & 0xFF;
4760 /* psk*/
4761 memcpy(&pre_master_secret.data[psk_len + 4], ssl_session->psk.data, psk_len);
4762
4763 ssl_session->pre_master_secret.data = pre_master_secret.data;
4764 ssl_session->pre_master_secret.data_len = pre_master_len;
4765 /*ssl_debug_printf("pre master secret",&ssl->pre_master_secret);*/
4766
4767 /* Remove the master secret if it was there.
4768 This forces keying material regeneration in
4769 case we're renegotiating */
4770 ssl_session->state &= ~(SSL_MASTER_SECRET(1<<5)|SSL_HAVE_SESSION_KEY(1<<3));
4771 ssl_session->state |= SSL_PRE_MASTER_SECRET(1<<6);
4772 return true1;
4773 }
4774 else
4775 {
4776 unsigned encrlen, skip;
4777 encrlen = length;
4778 skip = 0;
4779
4780 /* get encrypted data, on tls1 we have to skip two bytes
4781 * (it's the encrypted len and should be equal to record len - 2)
4782 * in case of rsa1024 that would be 128 + 2 = 130; for psk not necessary
4783 */
4784 if (ssl_session->cipher_suite->kex == KEX_RSA0x1e &&
4785 (ssl_session->session.version == TLSV1_VERSION0x301 ||
4786 ssl_session->session.version == TLSV1DOT1_VERSION0x302 ||
4787 ssl_session->session.version == TLSV1DOT2_VERSION0x303 ||
4788 ssl_session->session.version == DTLSV1DOT0_VERSION0xfeff ||
4789 ssl_session->session.version == DTLSV1DOT2_VERSION0xfefd ||
4790 ssl_session->session.version == TLCPV1_VERSION0x101 ))
4791 {
4792 encrlen = tvb_get_ntohs(tvb, offset);
4793 skip = 2;
4794 if (encrlen > length - 2)
4795 {
4796 ssl_debug_printf("%s: wrong encrypted length (%d max %d)\n",
4797 G_STRFUNC((const char*) (__func__)), encrlen, length);
4798 return false0;
4799 }
4800 }
4801 /* the valid lower bound is higher than 8, but it is sufficient for the
4802 * ssl keylog file below */
4803 if (encrlen < 8) {
4804 ssl_debug_printf("%s: invalid encrypted pre-master key length %d\n",
4805 G_STRFUNC((const char*) (__func__)), encrlen);
4806 return false0;
4807 }
4808
4809 StringInfo encrypted_pre_master = {
4810 .data = (unsigned char *)tvb_memdup(pinfo->pool, tvb, offset + skip, encrlen),
4811 .data_len = encrlen,
4812 };
4813
4814#ifdef HAVE_LIBGNUTLS1
4815 /* Try to lookup an appropriate RSA private key to decrypt the Encrypted Pre-Master Secret. */
4816 if (ssl_session->cert_key_id) {
4817 if (ssl_decrypt_pre_master_secret(ssl_session, &encrypted_pre_master, key_hash))
4818 return true1;
4819
4820 ssl_debug_printf("%s: can't decrypt pre-master secret\n",
4821 G_STRFUNC((const char*) (__func__)));
4822 }
4823#endif /* HAVE_LIBGNUTLS */
4824
4825 /* try to find the pre-master secret from the encrypted one. The
4826 * ssl key logfile stores only the first 8 bytes, so truncate it */
4827 encrypted_pre_master.data_len = 8;
4828 if (ssl_restore_master_key(ssl_session, "Encrypted pre-master secret",
4829 true1, mk_map->pre_master, &encrypted_pre_master))
4830 return true1;
4831 }
4832 return false0;
4833}
4834
4835/* Used for (D)TLS 1.2 and earlier versions (not with TLS 1.3). */
4836int
4837ssl_generate_keyring_material(SslDecryptSession*ssl_session)
4838{
4839 StringInfo key_block = { NULL((void*)0), 0 };
4840 uint8_t _iv_c[MAX_BLOCK_SIZE16],_iv_s[MAX_BLOCK_SIZE16];
4841 uint8_t _key_c[MAX_KEY_SIZE32],_key_s[MAX_KEY_SIZE32];
4842 int needed;
4843 int cipher_algo = -1; /* special value (-1) for NULL encryption */
4844 unsigned encr_key_len, write_iv_len = 0;
4845 bool_Bool is_export_cipher;
4846 uint8_t *ptr, *c_iv = NULL((void*)0), *s_iv = NULL((void*)0);
4847 uint8_t *c_wk = NULL((void*)0), *s_wk = NULL((void*)0), *c_mk = NULL((void*)0), *s_mk = NULL((void*)0);
4848 const SslCipherSuite *cipher_suite = ssl_session->cipher_suite;
4849
4850 /* (D)TLS 1.3 is handled directly in tls13_change_key. */
4851 if (ssl_session->session.version
7.1
Field 'version' is not equal to TLSV1DOT3_VERSION
 == TLSV1DOT3_VERSION0x304 || ssl_session->session.version == DTLSV1DOT3_VERSION0xfefc) {
8
Assuming field 'version' is not equal to DTLSV1DOT3_VERSION
9
Taking false branch
4852 ssl_debug_printf("%s: detected TLS 1.3. Should not have been called!\n", G_STRFUNC((const char*) (__func__)));
4853 return -1;
4854 }
4855
4856 /* check for enough info to proceed */
4857 unsigned need_all = SSL_CIPHER(1<<2)|SSL_CLIENT_RANDOM(1<<0)|SSL_SERVER_RANDOM(1<<1)|SSL_VERSION(1<<4);
4858 unsigned need_any = SSL_MASTER_SECRET(1<<5) | SSL_PRE_MASTER_SECRET(1<<6);
4859 if (((ssl_session->state & need_all) != need_all) || ((ssl_session->state & need_any) == 0)) {
10
Assuming the condition is false
11
Assuming the condition is false
12
Taking false branch
4860 ssl_debug_printf("ssl_generate_keyring_material not enough data to generate key "
4861 "(0x%02X required 0x%02X or 0x%02X)\n", ssl_session->state,
4862 need_all|SSL_MASTER_SECRET(1<<5), need_all|SSL_PRE_MASTER_SECRET(1<<6));
4863 /* Special case: for NULL encryption, allow dissection of data even if
4864 * the Client Hello is missing (MAC keys are now skipped though). */
4865 need_all = SSL_CIPHER(1<<2)|SSL_VERSION(1<<4);
4866 if ((ssl_session->state & need_all) == need_all &&
4867 cipher_suite->enc == ENC_NULL0x3D) {
4868 ssl_debug_printf("%s NULL cipher found, will create a decoder but "
4869 "skip MAC validation as keys are missing.\n", G_STRFUNC((const char*) (__func__)));
4870 goto create_decoders;
4871 }
4872
4873 return -1;
4874 }
4875
4876 /* if master key is not available, generate is from the pre-master secret */
4877 if (!(ssl_session->state & SSL_MASTER_SECRET(1<<5))) {
13
Assuming the condition is true
14
Taking true branch
4878 if ((ssl_session->state & SSL_EXTENDED_MASTER_SECRET_MASK((1<<7)|(1<<8))) == SSL_EXTENDED_MASTER_SECRET_MASK((1<<7)|(1<<8))) {
15
Assuming the condition is true
16
Taking true branch
4879 StringInfo handshake_hashed_data;
4880 int ret;
4881
4882 handshake_hashed_data.data = NULL((void*)0);
4883 handshake_hashed_data.data_len = 0;
4884
4885 ssl_debug_printf("%s:PRF(pre_master_secret_extended)\n", G_STRFUNC((const char*) (__func__)));
4886 ssl_print_string("pre master secret",&ssl_session->pre_master_secret);
4887 DISSECTOR_ASSERT(ssl_session->handshake_data.data_len > 0)((void) ((ssl_session->handshake_data.data_len > 0) ? (
void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\""
, "epan/dissectors/packet-tls-utils.c", 4887, "ssl_session->handshake_data.data_len > 0"
))));
17
Assuming field 'data_len' is > 0
18
'?' condition is true
4888
4889 switch(ssl_session->session.version) {
19
Control jumps to 'case 257:' at line 4894
4890 case TLSV1_VERSION0x301:
4891 case TLSV1DOT1_VERSION0x302:
4892 case DTLSV1DOT0_VERSION0xfeff:
4893 case DTLSV1DOT0_OPENSSL_VERSION0x100:
4894 case TLCPV1_VERSION0x101:
4895 ret = tls_handshake_hash(ssl_session, &handshake_hashed_data);
20
Calling 'tls_handshake_hash'
28
Returned allocated memory
4896 break;
4897 default:
4898 switch (cipher_suite->dig) {
4899 case DIG_SHA3840x43:
4900 ret = tls12_handshake_hash(ssl_session, GCRY_MD_SHA384, &handshake_hashed_data);
4901 break;
4902 default:
4903 ret = tls12_handshake_hash(ssl_session, GCRY_MD_SHA256, &handshake_hashed_data);
4904 break;
4905 }
4906 break;
4907 }
4908 if (ret
29.1
'ret' is -1
) {
29
 Execution continues on line 4908
30
Taking true branch
4909 ssl_debug_printf("%s can't generate handshake hash\n", G_STRFUNC((const char*) (__func__)));
31
Potential leak of memory pointed to by 'handshake_hashed_data.data'
4910 return -1;
4911 }
4912
4913 wmem_free(wmem_file_scope(), ssl_session->handshake_data.data);
4914 ssl_session->handshake_data.data = NULL((void*)0);
4915 ssl_session->handshake_data.data_len = 0;
4916
4917 if (!prf(ssl_session, &ssl_session->pre_master_secret, "extended master secret",
4918 &handshake_hashed_data,
4919 NULL((void*)0), &ssl_session->master_secret,
4920 SSL_MASTER_SECRET_LENGTH48)) {
4921 ssl_debug_printf("%s can't generate master_secret\n", G_STRFUNC((const char*) (__func__)));
4922 g_free(handshake_hashed_data.data);
4923 return -1;
4924 }
4925 g_free(handshake_hashed_data.data);
4926 } else {
4927 ssl_debug_printf("%s:PRF(pre_master_secret)\n", G_STRFUNC((const char*) (__func__)));
4928 ssl_print_string("pre master secret",&ssl_session->pre_master_secret);
4929 ssl_print_string("client random",&ssl_session->client_random);
4930 ssl_print_string("server random",&ssl_session->server_random);
4931 if (!prf(ssl_session, &ssl_session->pre_master_secret, "master secret",
4932 &ssl_session->client_random,
4933 &ssl_session->server_random, &ssl_session->master_secret,
4934 SSL_MASTER_SECRET_LENGTH48)) {
4935 ssl_debug_printf("%s can't generate master_secret\n", G_STRFUNC((const char*) (__func__)));
4936 return -1;
4937 }
4938 }
4939 ssl_print_string("master secret",&ssl_session->master_secret);
4940
4941 /* the pre-master secret has been 'consumed' so we must clear it now */
4942 ssl_session->state &= ~SSL_PRE_MASTER_SECRET(1<<6);
4943 ssl_session->state |= SSL_MASTER_SECRET(1<<5);
4944 }
4945
4946 /* Find the Libgcrypt cipher algorithm for the given SSL cipher suite ID */
4947 if (cipher_suite->enc != ENC_NULL0x3D) {
4948 const char *cipher_name = ciphers[cipher_suite->enc-ENC_START0x30];
4949 ssl_debug_printf("%s CIPHER: %s\n", G_STRFUNC((const char*) (__func__)), cipher_name);
4950 cipher_algo = ssl_get_cipher_by_name(cipher_name);
4951 if (cipher_algo == 0) {
4952 ssl_debug_printf("%s can't find cipher %s\n", G_STRFUNC((const char*) (__func__)), cipher_name);
4953 return -1;
4954 }
4955 }
4956
4957 /* Export ciphers consume less material from the key block. */
4958 encr_key_len = ssl_get_cipher_export_keymat_size(cipher_suite->number);
4959 is_export_cipher = encr_key_len > 0;
4960 if (!is_export_cipher && cipher_suite->enc != ENC_NULL0x3D) {
4961 encr_key_len = (unsigned)gcry_cipher_get_algo_keylen(cipher_algo);
4962 }
4963
4964 if (cipher_suite->mode == MODE_CBC) {
4965 write_iv_len = (unsigned)gcry_cipher_get_algo_blklen(cipher_algo);
4966 } else if (cipher_suite->mode == MODE_GCM || cipher_suite->mode == MODE_CCM || cipher_suite->mode == MODE_CCM_8) {
4967 /* account for a four-byte salt for client and server side (from
4968 * client_write_IV and server_write_IV), see GCMNonce (RFC 5288) */
4969 write_iv_len = 4;
4970 } else if (cipher_suite->mode == MODE_POLY1305) {
4971 /* RFC 7905: SecurityParameters.fixed_iv_length is twelve bytes */
4972 write_iv_len = 12;
4973 }
4974
4975 /* Compute the key block. First figure out how much data we need */
4976 needed = ssl_cipher_suite_dig(cipher_suite)->len*2; /* MAC key */
4977 needed += 2 * encr_key_len; /* encryption key */
4978 needed += 2 * write_iv_len; /* write IV */
4979
4980 key_block.data = (unsigned char *)g_malloc(needed);
4981 ssl_debug_printf("%s sess key generation\n", G_STRFUNC((const char*) (__func__)));
4982 if (!prf(ssl_session, &ssl_session->master_secret, "key expansion",
4983 &ssl_session->server_random,&ssl_session->client_random,
4984 &key_block, needed)) {
4985 ssl_debug_printf("%s can't generate key_block\n", G_STRFUNC((const char*) (__func__)));
4986 goto fail;
4987 }
4988 ssl_print_string("key expansion", &key_block);
4989
4990 ptr=key_block.data;
4991 /* client/server write MAC key (for non-AEAD ciphers) */
4992 if (cipher_suite->mode == MODE_STREAM || cipher_suite->mode == MODE_CBC) {
4993 c_mk=ptr; ptr+=ssl_cipher_suite_dig(cipher_suite)->len;
4994 s_mk=ptr; ptr+=ssl_cipher_suite_dig(cipher_suite)->len;
4995 }
4996 /* client/server write encryption key */
4997 c_wk=ptr; ptr += encr_key_len;
4998 s_wk=ptr; ptr += encr_key_len;
4999 /* client/server write IV (used as IV (for CBC) or salt (for AEAD)) */
5000 if (write_iv_len > 0) {
5001 c_iv=ptr; ptr += write_iv_len;
5002 s_iv=ptr; /* ptr += write_iv_len; */
5003 }
5004
5005 /* export ciphers work with a smaller key length */
5006 if (is_export_cipher) {
5007 if (cipher_suite->mode == MODE_CBC) {
5008
5009 /* We only have room for MAX_BLOCK_SIZE bytes IVs, but that's
5010 all we should need. This is a sanity check */
5011 if (write_iv_len > MAX_BLOCK_SIZE16) {
5012 ssl_debug_printf("%s cipher suite block must be at most %d nut is %d\n",
5013 G_STRFUNC((const char*) (__func__)), MAX_BLOCK_SIZE16, write_iv_len);
5014 goto fail;
5015 }
5016
5017 if(ssl_session->session.version==SSLV3_VERSION0x300){
5018 /* The length of these fields are ignored by this caller */
5019 StringInfo iv_c, iv_s;
5020 iv_c.data = _iv_c;
5021 iv_s.data = _iv_s;
5022
5023 ssl_debug_printf("%s ssl3_generate_export_iv\n", G_STRFUNC((const char*) (__func__)));
5024 if (!ssl3_generate_export_iv(&ssl_session->client_random,
5025 &ssl_session->server_random, &iv_c, write_iv_len)) {
5026 goto fail;
5027 }
5028 ssl_debug_printf("%s ssl3_generate_export_iv(2)\n", G_STRFUNC((const char*) (__func__)));
5029 if (!ssl3_generate_export_iv(&ssl_session->server_random,
5030 &ssl_session->client_random, &iv_s, write_iv_len)) {
5031 goto fail;
5032 }
5033 }
5034 else{
5035 uint8_t _iv_block[MAX_BLOCK_SIZE16 * 2];
5036 StringInfo iv_block;
5037 StringInfo key_null;
5038 uint8_t _key_null;
5039
5040 key_null.data = &_key_null;
5041 key_null.data_len = 0;
5042
5043 iv_block.data = _iv_block;
5044
5045 ssl_debug_printf("%s prf(iv_block)\n", G_STRFUNC((const char*) (__func__)));
5046 if (!prf(ssl_session, &key_null, "IV block",
5047 &ssl_session->client_random,
5048 &ssl_session->server_random, &iv_block,
5049 write_iv_len * 2)) {
5050 ssl_debug_printf("%s can't generate tls31 iv block\n", G_STRFUNC((const char*) (__func__)));
5051 goto fail;
5052 }
5053
5054 memcpy(_iv_c, iv_block.data, write_iv_len);
5055 memcpy(_iv_s, iv_block.data + write_iv_len, write_iv_len);
5056 }
5057
5058 c_iv=_iv_c;
5059 s_iv=_iv_s;
5060 }
5061
5062 if (ssl_session->session.version==SSLV3_VERSION0x300){
5063
5064 SSL_MD5_CTXgcry_md_hd_t md5;
5065 ssl_debug_printf("%s MD5(client_random)\n", G_STRFUNC((const char*) (__func__)));
5066
5067 if (ssl_md5_init(&md5) != 0)
5068 goto fail;
5069 ssl_md5_update(&md5,c_wk,encr_key_len);
5070 ssl_md5_update(&md5,ssl_session->client_random.data,
5071 ssl_session->client_random.data_len);
5072 ssl_md5_update(&md5,ssl_session->server_random.data,
5073 ssl_session->server_random.data_len);
5074 ssl_md5_final(_key_c,&md5);
5075 ssl_md5_cleanup(&md5);
5076 c_wk=_key_c;
5077
5078 if (ssl_md5_init(&md5) != 0)
5079 goto fail;
5080 ssl_debug_printf("%s MD5(server_random)\n", G_STRFUNC((const char*) (__func__)));
5081 ssl_md5_update(&md5,s_wk,encr_key_len);
5082 ssl_md5_update(&md5,ssl_session->server_random.data,
5083 ssl_session->server_random.data_len);
5084 ssl_md5_update(&md5,ssl_session->client_random.data,
5085 ssl_session->client_random.data_len);
5086 ssl_md5_final(_key_s,&md5);
5087 ssl_md5_cleanup(&md5);
5088 s_wk=_key_s;
5089 }
5090 else{
5091 StringInfo key_c, key_s, k;
5092 key_c.data = _key_c;
5093 key_s.data = _key_s;
5094
5095 k.data = c_wk;
5096 k.data_len = encr_key_len;
5097 ssl_debug_printf("%s PRF(key_c)\n", G_STRFUNC((const char*) (__func__)));
5098 if (!prf(ssl_session, &k, "client write key",
5099 &ssl_session->client_random,
5100 &ssl_session->server_random, &key_c, sizeof(_key_c))) {
5101 ssl_debug_printf("%s can't generate tll31 server key \n", G_STRFUNC((const char*) (__func__)));
5102 goto fail;
5103 }
5104 c_wk=_key_c;
5105
5106 k.data = s_wk;
5107 k.data_len = encr_key_len;
5108 ssl_debug_printf("%s PRF(key_s)\n", G_STRFUNC((const char*) (__func__)));
5109 if (!prf(ssl_session, &k, "server write key",
5110 &ssl_session->client_random,
5111 &ssl_session->server_random, &key_s, sizeof(_key_s))) {
5112 ssl_debug_printf("%s can't generate tll31 client key \n", G_STRFUNC((const char*) (__func__)));
5113 goto fail;
5114 }
5115 s_wk=_key_s;
5116 }
5117 }
5118
5119 /* show key material info */
5120 if (c_mk != NULL((void*)0)) {
5121 ssl_print_data("Client MAC key",c_mk,ssl_cipher_suite_dig(cipher_suite)->len);
5122 ssl_print_data("Server MAC key",s_mk,ssl_cipher_suite_dig(cipher_suite)->len);
5123 }
5124 ssl_print_data("Client Write key", c_wk, encr_key_len);
5125 ssl_print_data("Server Write key", s_wk, encr_key_len);
5126 /* used as IV for CBC mode and the AEAD implicit nonce (salt) */
5127 if (write_iv_len > 0) {
5128 ssl_print_data("Client Write IV", c_iv, write_iv_len);
5129 ssl_print_data("Server Write IV", s_iv, write_iv_len);
5130 }
5131
5132create_decoders:
5133 /* create both client and server ciphers*/
5134 ssl_debug_printf("%s ssl_create_decoder(client)\n", G_STRFUNC((const char*) (__func__)));
5135 ssl_session->client_new = ssl_create_decoder(cipher_suite, cipher_algo, ssl_session->session.compression, c_mk, c_wk, NULL((void*)0), c_iv, write_iv_len);
5136 if (!ssl_session->client_new) {
5137 ssl_debug_printf("%s can't init client decoder\n", G_STRFUNC((const char*) (__func__)));
5138 goto fail;
5139 }
5140 ssl_debug_printf("%s ssl_create_decoder(server)\n", G_STRFUNC((const char*) (__func__)));
5141 ssl_session->server_new = ssl_create_decoder(cipher_suite, cipher_algo, ssl_session->session.compression, s_mk, s_wk, NULL((void*)0), s_iv, write_iv_len);
5142 if (!ssl_session->server_new) {
5143 ssl_debug_printf("%s can't init server decoder\n", G_STRFUNC((const char*) (__func__)));
5144 goto fail;
5145 }
5146
5147 /* Continue the SSL stream after renegotiation with new keys. */
5148 ssl_session->client_new->flow = ssl_session->client ? ssl_session->client->flow : ssl_create_flow();
5149 ssl_session->server_new->flow = ssl_session->server ? ssl_session->server->flow : ssl_create_flow();
5150
5151 ssl_debug_printf("%s: client seq %" PRIu64"l" "u" ", server seq %" PRIu64"l" "u" "\n",
5152 G_STRFUNC((const char*) (__func__)), ssl_session->client_new->seq, ssl_session->server_new->seq);
5153 g_free(key_block.data);
5154 ssl_session->state |= SSL_HAVE_SESSION_KEY(1<<3);
5155 return 0;
5156
5157fail:
5158 g_free(key_block.data);
5159 return -1;
5160}
5161
5162/* Generated the key material based on the given secret. */
5163bool_Bool
5164tls13_generate_keys(SslDecryptSession *ssl_session, const StringInfo *secret, bool_Bool is_from_server)
5165{
5166 bool_Bool success = false0;
5167 unsigned char *write_key = NULL((void*)0), *write_iv = NULL((void*)0);
5168 unsigned char *sn_key = NULL((void*)0);
5169 SslDecoder *decoder;
5170 unsigned key_length, iv_length;
5171 int hash_algo;
5172 const SslCipherSuite *cipher_suite = ssl_session->cipher_suite;
5173 int cipher_algo;
5174
5175 if ((ssl_session->session.version != TLSV1DOT3_VERSION0x304) && (ssl_session->session.version != DTLSV1DOT3_VERSION0xfefc)) {
5176 ssl_debug_printf("%s only usable for TLS 1.3, not %#x!\n", G_STRFUNC((const char*) (__func__)),
5177 ssl_session->session.version);
5178 return false0;
5179 }
5180
5181 if (cipher_suite == NULL((void*)0)) {
5182 ssl_debug_printf("%s Unknown cipher\n", G_STRFUNC((const char*) (__func__)));
5183 return false0;
5184 }
5185
5186 if (cipher_suite->kex != KEX_TLS130x23) {
5187 ssl_debug_printf("%s Invalid cipher suite 0x%04x spotted!\n", G_STRFUNC((const char*) (__func__)), cipher_suite->number);
5188 return false0;
5189 }
5190
5191 /* Find the Libgcrypt cipher algorithm for the given SSL cipher suite ID */
5192 const char *cipher_name = ciphers[cipher_suite->enc-ENC_START0x30];
5193 ssl_debug_printf("%s CIPHER: %s\n", G_STRFUNC((const char*) (__func__)), cipher_name);
5194 cipher_algo = ssl_get_cipher_by_name(cipher_name);
5195 if (cipher_algo == 0) {
5196 ssl_debug_printf("%s can't find cipher %s\n", G_STRFUNC((const char*) (__func__)), cipher_name);
5197 return false0;
5198 }
5199
5200 const char *hash_name = ssl_cipher_suite_dig(cipher_suite)->name;
5201 hash_algo = ssl_get_digest_by_name(hash_name);
5202 if (!hash_algo) {
5203 ssl_debug_printf("%s can't find hash function %s\n", G_STRFUNC((const char*) (__func__)), hash_name);
5204 return false0;
5205 }
5206
5207 key_length = (unsigned) gcry_cipher_get_algo_keylen(cipher_algo);
5208 /* AES-GCM/AES-CCM/Poly1305-ChaCha20 all have N_MIN=N_MAX = 12. */
5209 iv_length = 12;
5210 ssl_debug_printf("%s key_length %u iv_length %u\n", G_STRFUNC((const char*) (__func__)), key_length, iv_length);
5211
5212 const char *label_prefix = tls13_hkdf_label_prefix(ssl_session);
5213 if (!tls13_hkdf_expand_label(hash_algo, secret, label_prefix, "key", key_length, &write_key)) {
5214 ssl_debug_printf("%s write_key expansion failed\n", G_STRFUNC((const char*) (__func__)));
5215 return false0;
5216 }
5217 if (!tls13_hkdf_expand_label(hash_algo, secret, label_prefix, "iv", iv_length, &write_iv)) {
5218 ssl_debug_printf("%s write_iv expansion failed\n", G_STRFUNC((const char*) (__func__)));
5219 goto end;
5220 }
5221
5222 if (ssl_session->session.version == DTLSV1DOT3_VERSION0xfefc) {
5223 if (!tls13_hkdf_expand_label(hash_algo, secret, label_prefix, "sn", key_length, &sn_key)) {
5224 ssl_debug_printf("%s sn_key expansion failed\n", G_STRFUNC((const char*) (__func__)));
5225 goto end;
5226 }
5227 }
5228
5229 ssl_print_data(is_from_server ? "Server Write Key" : "Client Write Key", write_key, key_length);
5230 ssl_print_data(is_from_server ? "Server Write IV" : "Client Write IV", write_iv, iv_length);
5231 if (ssl_session->session.version == DTLSV1DOT3_VERSION0xfefc) {
5232 ssl_print_data(is_from_server ? "Server Write SN" : "Client Write SN", sn_key, key_length);
5233 }
5234
5235 ssl_debug_printf("%s ssl_create_decoder(%s)\n", G_STRFUNC((const char*) (__func__)), is_from_server ? "server" : "client");
5236 decoder = ssl_create_decoder(cipher_suite, cipher_algo, 0, NULL((void*)0), write_key, sn_key, write_iv, iv_length);
5237 if (!decoder) {
5238 ssl_debug_printf("%s can't init %s decoder\n", G_STRFUNC((const char*) (__func__)), is_from_server ? "server" : "client");
5239 goto end;
5240 }
5241
5242 /* Continue the TLS session with new keys, but reuse old flow to keep things
5243 * like "Follow TLS" working (by linking application data records). */
5244 if (is_from_server) {
5245 decoder->flow = ssl_session->server ? ssl_session->server->flow : ssl_create_flow();
5246 ssl_session->server = decoder;
5247 } else {
5248 decoder->flow = ssl_session->client ? ssl_session->client->flow : ssl_create_flow();
5249 ssl_session->client = decoder;
5250 }
5251 ssl_debug_printf("%s %s ready using cipher suite 0x%04x (cipher %s hash %s)\n", G_STRFUNC((const char*) (__func__)),
5252 is_from_server ? "Server" : "Client", cipher_suite->number, cipher_name, hash_name);
5253 success = true1;
5254
5255end:
5256 wmem_free(NULL((void*)0), write_key);
5257 wmem_free(NULL((void*)0), write_iv);
5258 if (sn_key)
5259 wmem_free(NULL((void*)0), sn_key);
5260 return success;
5261}
5262/* (Pre-)master secrets calculations }}} */
5263
5264#ifdef HAVE_LIBGNUTLS1
5265/* Decrypt RSA pre-master secret using RSA private key. {{{ */
5266static bool_Bool
5267ssl_decrypt_pre_master_secret(SslDecryptSession *ssl_session,
5268 StringInfo *encrypted_pre_master, GHashTable *key_hash)
5269{
5270 int ret;
5271
5272 if (!encrypted_pre_master)
5273 return false0;
5274
5275 if (KEX_IS_DH(ssl_session->cipher_suite->kex)((ssl_session->cipher_suite->kex) >= 0x10 &&
(ssl_session->cipher_suite->kex) <= 0x1b)) {
5276 ssl_debug_printf("%s: session uses Diffie-Hellman key exchange "
5277 "(cipher suite 0x%04X %s) and cannot be decrypted "
5278 "using a RSA private key file.\n",
5279 G_STRFUNC((const char*) (__func__)), ssl_session->session.cipher,
5280 val_to_str_ext_const(ssl_session->session.cipher,
5281 &ssl_31_ciphersuite_ext, "unknown"));
5282 return false0;
5283 } else if (ssl_session->cipher_suite->kex != KEX_RSA0x1e) {
5284 ssl_debug_printf("%s key exchange %d different from KEX_RSA (%d)\n",
5285 G_STRFUNC((const char*) (__func__)), ssl_session->cipher_suite->kex, KEX_RSA0x1e);
5286 return false0;
5287 }
5288
5289 gnutls_privkey_t pk = (gnutls_privkey_t)g_hash_table_lookup(key_hash, ssl_session->cert_key_id);
5290
5291 ssl_print_string("pre master encrypted", encrypted_pre_master);
5292 ssl_debug_printf("%s: RSA_private_decrypt\n", G_STRFUNC((const char*) (__func__)));
5293 const gnutls_datum_t epms = { encrypted_pre_master->data, encrypted_pre_master->data_len };
5294 gnutls_datum_t pms = { 0 };
5295 if (pk) {
5296 // Try to decrypt using the RSA keys table from (D)TLS preferences.
5297 char *err = NULL((void*)0);
5298 gcry_sexp_t private_key = rsa_abstract_privkey_to_sexp(pk, &err);
5299 if (!private_key) {
5300 ssl_debug_printf("%s: decryption failed: Can't export private key: %s", G_STRFUNC((const char*) (__func__)), err);
5301 g_free(err);
5302 return false0;
5303 }
5304
5305 pms.size = (int)rsa_decrypt(encrypted_pre_master->data_len, encrypted_pre_master->data, &pms.data, private_key, "pkcs1", &err);
5306 rsa_private_key_free(private_key);
5307 if (pms.size == 0) {
5308 ssl_debug_printf("%s: decryption failed: %s\n", G_STRFUNC((const char*) (__func__)), err);
5309 g_free(err);
5310 return false0;
5311 }
5312 } else {
5313 // Try to decrypt using a hardware token.
5314 ret = secrets_rsa_decrypt(ssl_session->cert_key_id, epms.data, epms.size, &pms.data, &pms.size);
5315 if (ret < 0) {
5316 ssl_debug_printf("%s: decryption failed: %d (%s)\n", G_STRFUNC((const char*) (__func__)), ret, gnutls_strerror(ret));
5317 return false0;
5318 }
5319 }
5320
5321 if (pms.size != 48) {
5322 ssl_debug_printf("%s wrong pre_master_secret length (%d, expected %d)\n",
5323 G_STRFUNC((const char*) (__func__)), pms.size, 48);
5324 g_free(pms.data);
5325 return false0;
5326 }
5327
5328 ssl_session->pre_master_secret.data = (uint8_t *)wmem_memdup(wmem_file_scope(), pms.data, 48);
5329 ssl_session->pre_master_secret.data_len = 48;
5330 g_free(pms.data);
5331 ssl_print_string("pre master secret", &ssl_session->pre_master_secret);
5332
5333 /* Remove the master secret if it was there.
5334 This forces keying material regeneration in
5335 case we're renegotiating */
5336 ssl_session->state &= ~(SSL_MASTER_SECRET(1<<5)|SSL_HAVE_SESSION_KEY(1<<3));
5337 ssl_session->state |= SSL_PRE_MASTER_SECRET(1<<6);
5338 return true1;
5339} /* }}} */
5340#endif /* HAVE_LIBGNUTLS */
5341
5342/* Decryption integrity check {{{ */
5343
5344static int
5345tls_check_mac(SslDecoder*decoder, int ct, int ver, uint8_t* data,
5346 uint32_t datalen, uint8_t* mac)
5347{
5348 SSL_HMACgcry_md_hd_t hm;
5349 int md;
5350 uint32_t len;
5351 uint8_t buf[DIGEST_MAX_SIZE48];
5352 int16_t temp;
5353
5354 md=ssl_get_digest_by_name(ssl_cipher_suite_dig(decoder->cipher_suite)->name);
5355 ssl_debug_printf("tls_check_mac mac type:%s md %d\n",
5356 ssl_cipher_suite_dig(decoder->cipher_suite)->name, md);
5357
5358 if (ssl_hmac_init(&hm,md) != 0)
5359 return -1;
5360 if (ssl_hmac_setkey(&hm,decoder->mac_key.data,decoder->mac_key.data_len) != 0)
5361 return -1;
5362
5363 /* hash sequence number */
5364 phtonu64(buf, decoder->seq);
5365
5366 decoder->seq++;
5367
5368 ssl_hmac_update(&hm,buf,8);
5369
5370 /* hash content type */
5371 buf[0]=ct;
5372 ssl_hmac_update(&hm,buf,1);
5373
5374 /* hash version,data length and data*/
5375 /* *((int16_t*)buf) = g_htons(ver); */
5376 temp = g_htons(ver)(((((guint16) ( (guint16) ((guint16) (ver) >> 8) | (guint16
) ((guint16) (ver) << 8))))));
5377 memcpy(buf, &temp, 2);
5378 ssl_hmac_update(&hm,buf,2);
5379
5380 /* *((int16_t*)buf) = g_htons(datalen); */
5381 temp = g_htons(datalen)(((((guint16) ( (guint16) ((guint16) (datalen) >> 8) | (
guint16) ((guint16) (datalen) << 8))))));
5382 memcpy(buf, &temp, 2);
5383 ssl_hmac_update(&hm,buf,2);
5384 ssl_hmac_update(&hm,data,datalen);
5385
5386 /* get digest and digest len*/
5387 len = sizeof(buf);
5388 ssl_hmac_final(&hm,buf,&len);
5389 ssl_hmac_cleanup(&hm);
5390 ssl_print_data("Mac", buf, len);
5391 if(memcmp(mac,buf,len))
5392 return -1;
5393
5394 return 0;
5395}
5396
5397static int
5398ssl3_check_mac(SslDecoder*decoder,int ct,uint8_t* data,
5399 uint32_t datalen, uint8_t* mac)
5400{
5401 SSL_MDgcry_md_hd_t mc;
5402 int md;
5403 uint32_t len;
5404 uint8_t buf[64],dgst[20];
5405 int pad_ct;
5406 int16_t temp;
5407
5408 pad_ct=(decoder->cipher_suite->dig==DIG_SHA0x41)?40:48;
5409
5410 /* get cipher used for digest computation */
5411 md=ssl_get_digest_by_name(ssl_cipher_suite_dig(decoder->cipher_suite)->name);
5412 if (ssl_md_init(&mc,md) !=0)
5413 return -1;
5414
5415 /* do hash computation on data && padding */
5416 ssl_md_update(&mc,decoder->mac_key.data,decoder->mac_key.data_len);
5417
5418 /* hash padding*/
5419 memset(buf,0x36,pad_ct);
5420 ssl_md_update(&mc,buf,pad_ct);
5421
5422 /* hash sequence number */
5423 phtonu64(buf, decoder->seq);
5424 decoder->seq++;
5425 ssl_md_update(&mc,buf,8);
5426
5427 /* hash content type */
5428 buf[0]=ct;
5429 ssl_md_update(&mc,buf,1);
5430
5431 /* hash data length in network byte order and data*/
5432 /* *((int16_t* )buf) = g_htons(datalen); */
5433 temp = g_htons(datalen)(((((guint16) ( (guint16) ((guint16) (datalen) >> 8) | (
guint16) ((guint16) (datalen) << 8))))));
5434 memcpy(buf, &temp, 2);
5435 ssl_md_update(&mc,buf,2);
5436 ssl_md_update(&mc,data,datalen);
5437
5438 /* get partial digest */
5439 ssl_md_final(&mc,dgst,&len);
5440 ssl_md_reset(&mc);
5441
5442 /* hash mac key */
5443 ssl_md_update(&mc,decoder->mac_key.data,decoder->mac_key.data_len);
5444
5445 /* hash padding and partial digest*/
5446 memset(buf,0x5c,pad_ct);
5447 ssl_md_update(&mc,buf,pad_ct);
5448 ssl_md_update(&mc,dgst,len);
5449
5450 ssl_md_final(&mc,dgst,&len);
5451 ssl_md_cleanup(&mc);
5452
5453 if(memcmp(mac,dgst,len))
5454 return -1;
5455
5456 return 0;
5457}
5458
5459static int
5460dtls_check_mac(SslDecryptSession *ssl, SslDecoder*decoder, int ct, uint8_t* data,
5461 uint32_t datalen, uint8_t* mac, const unsigned char *cid, uint8_t cidl)
5462{
5463 SSL_HMACgcry_md_hd_t hm;
5464 int md;
5465 uint32_t len;
5466 uint8_t buf[DIGEST_MAX_SIZE48];
5467 int16_t temp;
5468
5469 int ver = ssl->session.version;
5470 bool_Bool is_cid = ((ct == SSL_ID_TLS12_CID) && (ver == DTLSV1DOT2_VERSION0xfefd));
5471
5472 md=ssl_get_digest_by_name(ssl_cipher_suite_dig(decoder->cipher_suite)->name);
5473 ssl_debug_printf("dtls_check_mac mac type:%s md %d\n",
5474 ssl_cipher_suite_dig(decoder->cipher_suite)->name, md);
5475
5476 if (ssl_hmac_init(&hm,md) != 0)
5477 return -1;
5478 if (ssl_hmac_setkey(&hm,decoder->mac_key.data,decoder->mac_key.data_len) != 0)
5479 return -1;
5480
5481 ssl_debug_printf("dtls_check_mac seq: %" PRIu64"l" "u" " epoch: %d\n",decoder->seq,decoder->epoch);
5482
5483 if (is_cid && !ssl->session.deprecated_cid) {
5484 /* hash seq num placeholder */
5485 memset(buf,0xFF,8);
5486 ssl_hmac_update(&hm,buf,8);
5487
5488 /* hash content type + cid length + content type */
5489 buf[0]=ct;
5490 buf[1]=cidl;
5491 buf[2]=ct;
5492 ssl_hmac_update(&hm,buf,3);
5493
5494 /* hash version */
5495 temp = g_htons(ver)(((((guint16) ( (guint16) ((guint16) (ver) >> 8) | (guint16
) ((guint16) (ver) << 8))))));
5496 memcpy(buf, &temp, 2);
5497 ssl_hmac_update(&hm,buf,2);
5498
5499 /* hash sequence number */
5500 phtonu64(buf, decoder->seq);
5501 buf[0]=decoder->epoch>>8;
5502 buf[1]=(uint8_t)decoder->epoch;
5503 ssl_hmac_update(&hm,buf,8);
5504
5505 /* hash cid */
5506 ssl_hmac_update(&hm,cid,cidl);
5507 } else {
5508 /* hash sequence number */
5509 phtonu64(buf, decoder->seq);
5510 buf[0]=decoder->epoch>>8;
5511 buf[1]=(uint8_t)decoder->epoch;
5512 ssl_hmac_update(&hm,buf,8);
5513
5514 /* hash content type */
5515 buf[0]=ct;
5516 ssl_hmac_update(&hm,buf,1);
5517
5518 /* hash version */
5519 temp = g_htons(ver)(((((guint16) ( (guint16) ((guint16) (ver) >> 8) | (guint16
) ((guint16) (ver) << 8))))));
5520 memcpy(buf, &temp, 2);
5521 ssl_hmac_update(&hm,buf,2);
5522
5523 if (is_cid && ssl->session.deprecated_cid) {
5524 /* hash cid */
5525 ssl_hmac_update(&hm,cid,cidl);
5526
5527 /* hash cid length */
5528 buf[0] = cidl;
5529 ssl_hmac_update(&hm,buf,1);
5530 }
5531 }
5532
5533 /* data length and data */
5534 temp = g_htons(datalen)(((((guint16) ( (guint16) ((guint16) (datalen) >> 8) | (
guint16) ((guint16) (datalen) << 8))))));
5535 memcpy(buf, &temp, 2);
5536 ssl_hmac_update(&hm,buf,2);
5537 ssl_hmac_update(&hm,data,datalen);
5538
5539 /* get digest and digest len */
5540 len = sizeof(buf);
5541 ssl_hmac_final(&hm,buf,&len);
5542 ssl_hmac_cleanup(&hm);
5543 ssl_print_data("Mac", buf, len);
5544 if(memcmp(mac,buf,len))
5545 return -1;
5546
5547 return 0;
5548}
5549/* Decryption integrity check }}} */
5550
5551
5552static bool_Bool
5553tls_decrypt_aead_record(wmem_allocator_t* allocator, SslDecryptSession *ssl, SslDecoder *decoder,
5554 uint8_t ct, uint16_t record_version,
5555 bool_Bool ignore_mac_failed,
5556 const unsigned char *in, uint16_t inl,
5557 const unsigned char *cid, uint8_t cidl,
5558 StringInfo *out_str, unsigned *outl)
5559{
5560 /* RFC 5246 (TLS 1.2) 6.2.3.3 defines the TLSCipherText.fragment as:
5561 * GenericAEADCipher: { nonce_explicit, [content] }
5562 * In TLS 1.3 this explicit nonce is gone.
5563 * With AES GCM/CCM, "[content]" is actually the concatenation of the
5564 * ciphertext and authentication tag.
5565 */
5566 const uint16_t version = ssl->session.version;
5567 const bool_Bool is_v12 = version == TLSV1DOT2_VERSION0x303 || version == DTLSV1DOT2_VERSION0xfefd || version == TLCPV1_VERSION0x101;
5568 gcry_error_t err;
5569 const unsigned char *explicit_nonce = NULL((void*)0), *ciphertext;
5570 unsigned ciphertext_len, auth_tag_len;
5571 unsigned char nonce[12];
5572 const ssl_cipher_mode_t cipher_mode = decoder->cipher_suite->mode;
5573 const bool_Bool is_cid = ct == SSL_ID_TLS12_CID && version == DTLSV1DOT2_VERSION0xfefd;
5574 const uint8_t draft_version = ssl->session.tls13_draft_version;
5575 const unsigned char *auth_tag_wire;
5576 unsigned char auth_tag_calc[16];
5577 unsigned char *aad = NULL((void*)0);
5578 unsigned aad_len = 0;
5579
5580 switch (cipher_mode) {
5581 case MODE_GCM:
5582 case MODE_CCM:
5583 case MODE_POLY1305:
5584 auth_tag_len = 16;
5585 break;
5586 case MODE_CCM_8:
5587 auth_tag_len = 8;
5588 break;
5589 default:
5590 ssl_debug_printf("%s unsupported cipher!\n", G_STRFUNC((const char*) (__func__)));
5591 return false0;
5592 }
5593
5594 /* Parse input into explicit nonce (TLS 1.2 only), ciphertext and tag. */
5595 if (is_v12 && cipher_mode != MODE_POLY1305) {
5596 if (inl < EXPLICIT_NONCE_LEN8 + auth_tag_len) {
5597 ssl_debug_printf("%s input %d is too small for explicit nonce %d and auth tag %d\n",
5598 G_STRFUNC((const char*) (__func__)), inl, EXPLICIT_NONCE_LEN8, auth_tag_len);
5599 return false0;
5600 }
5601 explicit_nonce = in;
5602 ciphertext = explicit_nonce + EXPLICIT_NONCE_LEN8;
5603 ciphertext_len = inl - EXPLICIT_NONCE_LEN8 - auth_tag_len;
5604 } else if (version == TLSV1DOT3_VERSION0x304 || version == DTLSV1DOT3_VERSION0xfefc || cipher_mode == MODE_POLY1305) {
5605 if (inl < auth_tag_len) {
5606 ssl_debug_printf("%s input %d has no space for auth tag %d\n", G_STRFUNC((const char*) (__func__)), inl, auth_tag_len);
5607 return false0;
5608 }
5609 ciphertext = in;
5610 ciphertext_len = inl - auth_tag_len;
5611 } else {
5612 ssl_debug_printf("%s Unexpected TLS version %#x\n", G_STRFUNC((const char*) (__func__)), version);
5613 return false0;
5614 }
5615 auth_tag_wire = ciphertext + ciphertext_len;
5616
5617 /*
5618 * Nonce construction is version-specific. Note that AEAD_CHACHA20_POLY1305
5619 * (RFC 7905) uses a nonce construction similar to TLS 1.3.
5620 */
5621 if (is_v12 && cipher_mode != MODE_POLY1305) {
5622 DISSECTOR_ASSERT(decoder->write_iv.data_len == IMPLICIT_NONCE_LEN)((void) ((decoder->write_iv.data_len == 4) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 5622, "decoder->write_iv.data_len == 4"))));
5623 /* Implicit (4) and explicit (8) part of nonce. */
5624 memcpy(nonce, decoder->write_iv.data, IMPLICIT_NONCE_LEN4);
5625 memcpy(nonce + IMPLICIT_NONCE_LEN4, explicit_nonce, EXPLICIT_NONCE_LEN8);
5626
5627 } else if (version == TLSV1DOT3_VERSION0x304 || version == DTLSV1DOT3_VERSION0xfefc || cipher_mode == MODE_POLY1305) {
5628 /*
5629 * Technically the nonce length must be at least 8 bytes, but for
5630 * AES-GCM, AES-CCM and Poly1305-ChaCha20 the nonce length is exact 12.
5631 */
5632 const unsigned nonce_len = 12;
5633 DISSECTOR_ASSERT(decoder->write_iv.data_len == nonce_len)((void) ((decoder->write_iv.data_len == nonce_len) ? (void
)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\""
, "epan/dissectors/packet-tls-utils.c", 5633, "decoder->write_iv.data_len == nonce_len"
))));
5634 memcpy(nonce, decoder->write_iv.data, decoder->write_iv.data_len);
5635 /* Sequence number is left-padded with zeroes and XORed with write_iv */
5636 phtonu64(nonce + nonce_len - 8, pntohu64(nonce + nonce_len - 8) ^ decoder->seq);
5637 ssl_debug_printf("%s seq %" PRIu64"l" "u" "\n", G_STRFUNC((const char*) (__func__)), decoder->seq);
5638 }
5639
5640 /* Set nonce and additional authentication data */
5641 gcry_cipher_reset(decoder->evp)gcry_cipher_ctl ((decoder->evp), GCRYCTL_RESET, ((void*)0)
, 0);
5642 ssl_print_data("nonce", nonce, 12);
5643 err = gcry_cipher_setiv(decoder->evp, nonce, 12);
5644 if (err) {
5645 ssl_debug_printf("%s failed to set nonce: %s\n", G_STRFUNC((const char*) (__func__)), gcry_strerror(err));
5646 return false0;
5647 }
5648
5649 /* (D)TLS 1.2 needs specific AAD, TLS 1.3 (before -25) uses empty AAD. */
5650 if (is_cid) { /* if connection ID */
5651 if (ssl->session.deprecated_cid) {
5652 aad_len = 14 + cidl;
5653 aad = wmem_alloc(allocator, aad_len);
5654 phtonu64(aad, decoder->seq); /* record sequence number */
5655 phtonu16(aad, decoder->epoch); /* DTLS 1.2 includes epoch. */
5656 aad[8] = ct; /* TLSCompressed.type */
5657 phtonu16(aad + 9, record_version); /* TLSCompressed.version */
5658 memcpy(aad + 11, cid, cidl); /* cid */
5659 aad[11 + cidl] = cidl; /* cid_length */
5660 phtonu16(aad + 12 + cidl, ciphertext_len); /* TLSCompressed.length */
5661 } else {
5662 aad_len = 23 + cidl;
5663 aad = wmem_alloc(allocator, aad_len);
5664 memset(aad, 0xFF, 8); /* seq_num_placeholder */
5665 aad[8] = ct; /* TLSCompressed.type */
5666 aad[9] = cidl; /* cid_length */
5667 aad[10] = ct; /* TLSCompressed.type */
5668 phtonu16(aad + 11, record_version); /* TLSCompressed.version */
5669 phtonu64(aad + 13, decoder->seq); /* record sequence number */
5670 phtonu16(aad + 13, decoder->epoch); /* DTLS 1.2 includes epoch. */
5671 memcpy(aad + 21, cid, cidl); /* cid */
5672 phtonu16(aad + 21 + cidl, ciphertext_len); /* TLSCompressed.length */
5673 }
5674 } else if (is_v12) {
5675 aad_len = 13;
5676 aad = wmem_alloc(allocator, aad_len);
5677 phtonu64(aad, decoder->seq); /* record sequence number */
5678 if (version == DTLSV1DOT2_VERSION0xfefd) {
5679 phtonu16(aad, decoder->epoch); /* DTLS 1.2 includes epoch. */
5680 }
5681 aad[8] = ct; /* TLSCompressed.type */
5682 phtonu16(aad + 9, record_version); /* TLSCompressed.version */
5683 phtonu16(aad + 11, ciphertext_len); /* TLSCompressed.length */
5684 } else if (version == DTLSV1DOT3_VERSION0xfefc) {
5685 aad_len = decoder->dtls13_aad.data_len;
5686 aad = decoder->dtls13_aad.data;
5687 } else if (draft_version >= 25 || draft_version == 0) {
5688 aad_len = 5;
5689 aad = wmem_alloc(allocator, aad_len);
5690 aad[0] = ct; /* TLSCiphertext.opaque_type (23) */
5691 phtonu16(aad + 1, record_version); /* TLSCiphertext.legacy_record_version (0x0303) */
5692 phtonu16(aad + 3, inl); /* TLSCiphertext.length */
5693 }
5694
5695 if (decoder->cipher_suite->mode == MODE_CCM || decoder->cipher_suite->mode == MODE_CCM_8) {
5696 /* size of plaintext, additional authenticated data and auth tag. */
5697 uint64_t lengths[3] = { ciphertext_len, aad_len, auth_tag_len };
5698
5699 gcry_cipher_ctl(decoder->evp, GCRYCTL_SET_CCM_LENGTHS, lengths, sizeof(lengths));
5700 }
5701
5702 if (aad && aad_len > 0) {
5703 ssl_print_data("AAD", aad, aad_len);
5704 err = gcry_cipher_authenticate(decoder->evp, aad, aad_len);
5705 if (err) {
5706 ssl_debug_printf("%s failed to set AAD: %s\n", G_STRFUNC((const char*) (__func__)), gcry_strerror(err));
5707 return false0;
5708 }
5709 }
5710
5711 /* Decrypt now that nonce and AAD are set. */
5712 err = gcry_cipher_decrypt(decoder->evp, out_str->data, out_str->data_len, ciphertext, ciphertext_len);
5713 if (err) {
5714 ssl_debug_printf("%s decrypt failed: %s\n", G_STRFUNC((const char*) (__func__)), gcry_strerror(err));
5715 return false0;
5716 }
5717
5718 /* Check authentication tag for authenticity (replaces MAC) */
5719 err = gcry_cipher_gettag(decoder->evp, auth_tag_calc, auth_tag_len);
5720 if (err == 0 && !memcmp(auth_tag_calc, auth_tag_wire, auth_tag_len)) {
5721 ssl_print_data("auth_tag(OK)", auth_tag_calc, auth_tag_len);
5722 } else {
5723 if (err) {
5724 ssl_debug_printf("%s cannot obtain tag: %s\n", G_STRFUNC((const char*) (__func__)), gcry_strerror(err));
5725 } else {
5726 ssl_debug_printf("%s auth tag mismatch\n", G_STRFUNC((const char*) (__func__)));
5727 ssl_print_data("auth_tag(expect)", auth_tag_calc, auth_tag_len);
5728 ssl_print_data("auth_tag(actual)", auth_tag_wire, auth_tag_len);
5729 }
5730 if (ignore_mac_failed) {
5731 ssl_debug_printf("%s: auth check failed, but ignored for troubleshooting ;-)\n", G_STRFUNC((const char*) (__func__)));
5732 } else {
5733 return false0;
5734 }
5735 }
5736
5737 /*
5738 * Increment the (implicit) sequence number for TLS 1.2/1.3 and TLCP 1.1. This is done
5739 * after successful authentication to ensure that early data is skipped when
5740 * CLIENT_EARLY_TRAFFIC_SECRET keys are unavailable.
5741 */
5742 if (version == TLSV1DOT2_VERSION0x303 || version == TLSV1DOT3_VERSION0x304 || version == TLCPV1_VERSION0x101) {
5743 decoder->seq++;
5744 }
5745
5746 ssl_print_data("Plaintext", out_str->data, ciphertext_len);
5747 *outl = ciphertext_len;
5748 return true1;
5749}
5750
5751/* Record decryption glue based on security parameters {{{ */
5752/* Assume that we are called only for a non-NULL decoder which also means that
5753 * we have a non-NULL decoder->cipher_suite. */
5754int
5755ssl_decrypt_record(wmem_allocator_t* allocator, SslDecryptSession *ssl, SslDecoder *decoder, uint8_t ct, uint16_t record_version,
5756 bool_Bool ignore_mac_failed,
5757 const unsigned char *in, uint16_t inl, const unsigned char *cid, uint8_t cidl,
5758 StringInfo *comp_str, StringInfo *out_str, unsigned *outl)
5759{
5760 unsigned pad, worklen, uncomplen, maclen, mac_fraglen = 0;
5761 uint8_t *mac = NULL((void*)0), *mac_frag = NULL((void*)0);
5762
5763 ssl_debug_printf("ssl_decrypt_record ciphertext len %d\n", inl);
5764 ssl_print_data("Ciphertext",in, inl);
5765
5766 if (((ssl->session.version == TLSV1DOT3_VERSION0x304 || ssl->session.version == DTLSV1DOT3_VERSION0xfefc))
5767 != (decoder->cipher_suite->kex == KEX_TLS130x23)) {
5768 ssl_debug_printf("%s Invalid cipher suite for the protocol version!\n", G_STRFUNC((const char*) (__func__)));
5769 return -1;
5770 }
5771
5772 /* ensure we have enough storage space for decrypted data */
5773 if (inl > out_str->data_len)
5774 {
5775 ssl_debug_printf("ssl_decrypt_record: allocating %d bytes for decrypt data (old len %d)\n",
5776 inl + 32, out_str->data_len);
5777 ssl_data_realloc(out_str, inl + 32);
5778 }
5779
5780 /* AEAD ciphers (GenericAEADCipher in TLS 1.2; TLS 1.3) have no padding nor
5781 * a separate MAC, so use a different routine for simplicity. */
5782 if (decoder->cipher_suite->mode == MODE_GCM ||
5783 decoder->cipher_suite->mode == MODE_CCM ||
5784 decoder->cipher_suite->mode == MODE_CCM_8 ||
5785 decoder->cipher_suite->mode == MODE_POLY1305 ||
5786 ssl->session.version == TLSV1DOT3_VERSION0x304 ||
5787 ssl->session.version == DTLSV1DOT3_VERSION0xfefc) {
5788
5789 if (!tls_decrypt_aead_record(allocator, ssl, decoder, ct, record_version, ignore_mac_failed, in, inl, cid, cidl, out_str, &worklen)) {
5790 /* decryption failed */
5791 return -1;
5792 }
5793
5794 goto skip_mac;
5795 }
5796
5797 /* RFC 6101/2246: SSLCipherText/TLSCipherText has two structures for types:
5798 * (notation: { unencrypted, [ encrypted ] })
5799 * GenericStreamCipher: { [content, mac] }
5800 * GenericBlockCipher: { IV (TLS 1.1+), [content, mac, padding, padding_len] }
5801 * RFC 5426 (TLS 1.2): TLSCipherText has additionally:
5802 * GenericAEADCipher: { nonce_explicit, [content] }
5803 * RFC 4347 (DTLS): based on TLS 1.1, only GenericBlockCipher is supported.
5804 * RFC 6347 (DTLS 1.2): based on TLS 1.2, includes GenericAEADCipher too.
5805 */
5806
5807 maclen = ssl_cipher_suite_dig(decoder->cipher_suite)->len;
5808
5809 /* (TLS 1.1 and later, DTLS) Extract explicit IV for GenericBlockCipher */
5810 if (decoder->cipher_suite->mode == MODE_CBC) {
5811 unsigned blocksize = 0;
5812
5813 switch (ssl->session.version) {
5814 case TLSV1DOT1_VERSION0x302:
5815 case TLSV1DOT2_VERSION0x303:
5816 case DTLSV1DOT0_VERSION0xfeff:
5817 case DTLSV1DOT2_VERSION0xfefd:
5818 case DTLSV1DOT3_VERSION0xfefc:
5819 case DTLSV1DOT0_OPENSSL_VERSION0x100:
5820 case TLCPV1_VERSION0x101:
5821 blocksize = ssl_get_cipher_blocksize(decoder->cipher_suite);
5822 if (inl < blocksize) {
5823 ssl_debug_printf("ssl_decrypt_record failed: input %d has no space for IV %d\n",
5824 inl, blocksize);
5825 return -1;
5826 }
5827 pad = gcry_cipher_setiv(decoder->evp, in, blocksize);
5828 if (pad != 0) {
5829 ssl_debug_printf("ssl_decrypt_record failed: failed to set IV: %s %s\n",
5830 gcry_strsource (pad), gcry_strerror (pad));
5831 }
5832
5833 inl -= blocksize;
5834 in += blocksize;
5835 break;
5836 }
5837
5838 /* Encrypt-then-MAC for (D)TLS (RFC 7366) */
5839 if (ssl->state & SSL_ENCRYPT_THEN_MAC(1<<11)) {
5840 /*
5841 * MAC is calculated over (IV + ) ENCRYPTED contents:
5842 *
5843 * MAC(MAC_write_key, ... +
5844 * IV + // for TLS 1.1 or greater
5845 * TLSCiphertext.enc_content);
5846 */
5847 if (inl < maclen) {
5848 ssl_debug_printf("%s failed: input %d has no space for MAC %d\n",
5849 G_STRFUNC((const char*) (__func__)), inl, maclen);
5850 return -1;
5851 }
5852 inl -= maclen;
5853 mac = (uint8_t *)in + inl;
5854 mac_frag = (uint8_t *)in - blocksize;
5855 mac_fraglen = blocksize + inl;
5856 }
5857 }
5858
5859 /* First decrypt*/
5860 if ((pad = ssl_cipher_decrypt(&decoder->evp, out_str->data, out_str->data_len, in, inl)) != 0) {
5861 ssl_debug_printf("ssl_decrypt_record failed: ssl_cipher_decrypt: %s %s\n", gcry_strsource (pad),
5862 gcry_strerror (pad));
5863 return -1;
5864 }
5865
5866 ssl_print_data("Plaintext", out_str->data, inl);
5867 worklen=inl;
5868
5869
5870 /* strip padding for GenericBlockCipher */
5871 if (decoder->cipher_suite->mode == MODE_CBC) {
5872 if (inl < 1) { /* Should this check happen earlier? */
5873 ssl_debug_printf("ssl_decrypt_record failed: input length %d too small\n", inl);
5874 return -1;
5875 }
5876 pad=out_str->data[inl-1];
5877 if (worklen <= pad) {
5878 ssl_debug_printf("ssl_decrypt_record failed: padding %d too large for work %d\n",
5879 pad, worklen);
5880 return -1;
5881 }
5882 worklen-=(pad+1);
5883 ssl_debug_printf("ssl_decrypt_record found padding %d final len %d\n",
5884 pad, worklen);
5885 }
5886
5887 /* MAC for GenericStreamCipher and GenericBlockCipher.
5888 * (normal case without Encrypt-then-MAC (RFC 7366) extension. */
5889 if (!mac) {
5890 /*
5891 * MAC is calculated over the DECRYPTED contents:
5892 *
5893 * MAC(MAC_write_key, ... + TLSCompressed.fragment);
5894 */
5895 if (worklen < maclen) {
5896 ssl_debug_printf("%s wrong record len/padding outlen %d\n work %d\n", G_STRFUNC((const char*) (__func__)), *outl, worklen);
5897 return -1;
5898 }
5899 worklen -= maclen;
5900 mac = out_str->data + worklen;
5901 mac_frag = out_str->data;
5902 mac_fraglen = worklen;
5903 }
5904
5905 /* If NULL encryption active and no keys are available, do not bother
5906 * checking the MAC. We do not have keys for that. */
5907 if (decoder->cipher_suite->mode == MODE_STREAM &&
5908 decoder->cipher_suite->enc == ENC_NULL0x3D &&
5909 !(ssl->state & SSL_MASTER_SECRET(1<<5))) {
5910 ssl_debug_printf("MAC check skipped due to missing keys\n");
5911 decoder->seq++; // Increment this for display
5912 goto skip_mac;
5913 }
5914
5915 /* Now check the MAC */
5916 ssl_debug_printf("checking mac (len %d, version %X, ct %d seq %" PRIu64"l" "u" ")\n",
5917 worklen, ssl->session.version, ct, decoder->seq);
5918 if(ssl->session.version==SSLV3_VERSION0x300){
5919 if(ssl3_check_mac(decoder,ct,mac_frag,mac_fraglen,mac) < 0) {
5920 if(ignore_mac_failed) {
5921 ssl_debug_printf("ssl_decrypt_record: mac failed, but ignored for troubleshooting ;-)\n");
5922 }
5923 else{
5924 ssl_debug_printf("ssl_decrypt_record: mac failed\n");
5925 return -1;
5926 }
5927 }
5928 else{
5929 ssl_debug_printf("ssl_decrypt_record: mac ok\n");
5930 }
5931 }
5932 else if(ssl->session.version==TLSV1_VERSION0x301 || ssl->session.version==TLSV1DOT1_VERSION0x302 || ssl->session.version==TLSV1DOT2_VERSION0x303 || ssl->session.version==TLCPV1_VERSION0x101){
5933 if(tls_check_mac(decoder,ct,ssl->session.version,mac_frag,mac_fraglen,mac)< 0) {
5934 if(ignore_mac_failed) {
5935 ssl_debug_printf("ssl_decrypt_record: mac failed, but ignored for troubleshooting ;-)\n");
5936 }
5937 else{
5938 ssl_debug_printf("ssl_decrypt_record: mac failed\n");
5939 return -1;
5940 }
5941 }
5942 else{
5943 ssl_debug_printf("ssl_decrypt_record: mac ok\n");
5944 }
5945 }
5946 else if(ssl->session.version==DTLSV1DOT0_VERSION0xfeff ||
5947 ssl->session.version==DTLSV1DOT2_VERSION0xfefd ||
5948 ssl->session.version==DTLSV1DOT0_OPENSSL_VERSION0x100){
5949 /* Try rfc-compliant mac first, and if failed, try old openssl's non-rfc-compliant mac */
5950 if(dtls_check_mac(ssl,decoder,ct,mac_frag,mac_fraglen,mac,cid,cidl)>= 0) {
5951 ssl_debug_printf("ssl_decrypt_record: mac ok\n");
5952 }
5953 else if(tls_check_mac(decoder,ct,TLSV1_VERSION0x301,mac_frag,mac_fraglen,mac)>= 0) {
5954 ssl_debug_printf("ssl_decrypt_record: dtls rfc-compliant mac failed, but old openssl's non-rfc-compliant mac ok\n");
5955 }
5956 else if(ignore_mac_failed) {
5957 ssl_debug_printf("ssl_decrypt_record: mac failed, but ignored for troubleshooting ;-)\n");
5958 }
5959 else{
5960 ssl_debug_printf("ssl_decrypt_record: mac failed\n");
5961 return -1;
5962 }
5963 }
5964skip_mac:
5965
5966 *outl = worklen;
5967
5968 if (decoder->compression > 0) {
5969 ssl_debug_printf("ssl_decrypt_record: compression method %d\n", decoder->compression);
5970 ssl_data_copy(comp_str, out_str);
5971 ssl_print_data("Plaintext compressed", comp_str->data, worklen);
5972 if (!decoder->decomp) {
5973 ssl_debug_printf("decrypt_ssl3_record: no decoder available\n");
5974 return -1;
5975 }
5976 if (ssl_decompress_record(decoder->decomp, comp_str->data, worklen, out_str, &uncomplen) < 0) return -1;
5977 ssl_print_data("Plaintext uncompressed", out_str->data, uncomplen);
5978 *outl = uncomplen;
5979 }
5980
5981 return 0;
5982}
5983/* Record decryption glue based on security parameters }}} */
5984
5985
5986
5987#ifdef HAVE_LIBGNUTLS1
5988
5989/* RSA private key file processing {{{ */
5990static void
5991ssl_find_private_key_by_pubkey(SslDecryptSession *ssl,
5992 const gnutls_datum_t *subjectPublicKeyInfo)
5993{
5994 gnutls_pubkey_t pubkey = NULL((void*)0);
5995 cert_key_id_t key_id;
5996 size_t key_id_len = sizeof(key_id);
5997 int r;
5998
5999 if (!subjectPublicKeyInfo->size) {
6000 ssl_debug_printf("%s: could not find SubjectPublicKeyInfo\n", G_STRFUNC((const char*) (__func__)));
6001 return;
6002 }
6003
6004 r = gnutls_pubkey_init(&pubkey);
6005 if (r < 0) {
6006 ssl_debug_printf("%s: failed to init pubkey: %s\n",
6007 G_STRFUNC((const char*) (__func__)), gnutls_strerror(r));
6008 return;
6009 }
6010
6011 r = gnutls_pubkey_import(pubkey, subjectPublicKeyInfo, GNUTLS_X509_FMT_DER);
6012 if (r < 0) {
6013 ssl_debug_printf("%s: failed to import pubkey from handshake: %s\n",
6014 G_STRFUNC((const char*) (__func__)), gnutls_strerror(r));
6015 goto end;
6016 }
6017
6018 if (gnutls_pubkey_get_pk_algorithm(pubkey, NULL((void*)0)) != GNUTLS_PK_RSA) {
6019 ssl_debug_printf("%s: Not a RSA public key - ignoring.\n", G_STRFUNC((const char*) (__func__)));
6020 goto end;
6021 }
6022
6023 /* Generate a 20-byte SHA-1 hash. */
6024 r = gnutls_pubkey_get_key_id(pubkey, 0, key_id.key_id, &key_id_len);
6025 if (r < 0) {
6026 ssl_debug_printf("%s: failed to extract key id from pubkey: %s\n",
6027 G_STRFUNC((const char*) (__func__)), gnutls_strerror(r));
6028 goto end;
6029 }
6030
6031 if (key_id_len != sizeof(key_id)) {
6032 ssl_debug_printf("%s: expected Key ID size %zu, got %zu\n",
6033 G_STRFUNC((const char*) (__func__)), sizeof(key_id), key_id_len);
6034 goto end;
6035 }
6036
6037 ssl_print_data("Certificate.KeyID", key_id.key_id, key_id_len);
6038 ssl->cert_key_id = wmem_new(wmem_file_scope(), cert_key_id_t)((cert_key_id_t*)wmem_alloc((wmem_file_scope()), sizeof(cert_key_id_t
)));
6039 *ssl->cert_key_id = key_id;
6040
6041end:
6042 gnutls_pubkey_deinit(pubkey);
6043}
6044
6045/* RSA private key file processing }}} */
6046#endif /* HAVE_LIBGNUTLS */
6047
6048/*--- Start of dissector-related code below ---*/
6049
6050/* This is not a "protocol" but ensures that this gets called during
6051 * the handoff stage. */
6052void proto_reg_handoff_tls_utils(void);
6053
6054static dissector_handle_t base_tls_handle;
6055static dissector_handle_t dtls_handle;
6056
6057void
6058proto_reg_handoff_tls_utils(void)
6059{
6060 base_tls_handle = find_dissector("tls");
6061 dtls_handle = find_dissector("dtls");
6062}
6063
6064/* Look up an existing SslDecryptSession without creating one. Returns NULL if
6065 * no session exists. */
6066SslDecryptSession *
6067tls_get_session(conversation_t *conversation, int proto_ssl, uint8_t curr_layer_num)
6068{
6069 void *conv_data;
6070 wmem_map_t *session_map;
6071
6072 if (!conversation)
6073 return NULL((void*)0);
6074
6075 conv_data = conversation_get_proto_data(conversation, proto_ssl);
6076 if (conv_data == NULL((void*)0))
6077 return NULL((void*)0);
6078
6079 session_map = (wmem_map_t *)conv_data;
6080
6081 return (SslDecryptSession *)wmem_map_lookup(session_map,
6082 GUINT_TO_POINTER((unsigned)curr_layer_num)((gpointer) (gulong) ((unsigned)curr_layer_num)));
6083
6084}
6085
6086/* get ssl data for this session. if no ssl data is found allocate a new one*/
6087SslDecryptSession *
6088ssl_get_session(conversation_t *conversation, dissector_handle_t tls_handle, uint8_t curr_layer_num)
6089{
6090 void *conv_data;
6091 SslDecryptSession *ssl_session;
6092 int proto_ssl;
6093 wmem_map_t *session_map;
6094
6095 /* Note proto_ssl is tls for either the main tls_handle or the
6096 * tls13_handshake handle used by QUIC. */
6097 proto_ssl = dissector_handle_get_protocol_index(tls_handle);
6098 conv_data = conversation_get_proto_data(conversation, proto_ssl);
6099
6100 /* For nested TLS support, we store a wmem map of sessions indexed by layer number.
6101 * Using wmem_file_scope ensures the map is freed when the capture file is closed,
6102 * preventing memory leaks on capture reload. */
6103 if (conv_data != NULL((void*)0)) {
6104 session_map = (wmem_map_t *)conv_data;
6105 ssl_session = (SslDecryptSession *)wmem_map_lookup(session_map, GUINT_TO_POINTER((unsigned)curr_layer_num)((gpointer) (gulong) ((unsigned)curr_layer_num)));
6106 if (ssl_session != NULL((void*)0)) {
6107 return ssl_session;
6108 }
6109 } else {
6110 /* Create a new wmem map to store sessions by layer number */
6111 session_map = wmem_map_new(wmem_file_scope(), g_direct_hash, g_direct_equal);
6112 conversation_add_proto_data(conversation, proto_ssl, session_map);
6113 }
6114
6115 /* no previous SSL conversation info for this layer, initialize it. */
6116 ssl_session = wmem_new0(wmem_file_scope(), SslDecryptSession)((SslDecryptSession*)wmem_alloc0((wmem_file_scope()), sizeof(
SslDecryptSession)));
6117
6118 /* data_len is the part that is meaningful, not the allocated length */
6119 ssl_session->master_secret.data_len = 0;
6120 ssl_session->master_secret.data = ssl_session->_master_secret;
6121 ssl_session->session_id.data_len = 0;
6122 ssl_session->session_id.data = ssl_session->_session_id;
6123 ssl_session->client_random.data_len = 0;
6124 ssl_session->client_random.data = ssl_session->_client_random;
6125 ssl_session->server_random.data_len = 0;
6126 ssl_session->server_random.data = ssl_session->_server_random;
6127 ssl_session->session_ticket.data_len = 0;
6128 ssl_session->session_ticket.data = NULL((void*)0); /* will be re-alloced as needed */
6129 ssl_session->server_data_for_iv.data_len = 0;
6130 ssl_session->server_data_for_iv.data = ssl_session->_server_data_for_iv;
6131 ssl_session->client_data_for_iv.data_len = 0;
6132 ssl_session->client_data_for_iv.data = ssl_session->_client_data_for_iv;
6133 ssl_session->app_data_segment.data = NULL((void*)0);
6134 ssl_session->app_data_segment.data_len = 0;
6135 ssl_session->handshake_data.data=NULL((void*)0);
6136 ssl_session->handshake_data.data_len=0;
6137 ssl_session->ech_transcript.data=NULL((void*)0);
6138 ssl_session->ech_transcript.data_len=0;
6139
6140 /* Initialize parameters which are not necessary specific to decryption. */
6141 ssl_session->session.version = SSL_VER_UNKNOWN0;
6142 clear_address(&ssl_session->session.srv_addr);
6143 ssl_session->session.srv_ptype = PT_NONE;
6144 ssl_session->session.srv_port = 0;
6145 ssl_session->session.dtls13_current_epoch[0] = ssl_session->session.dtls13_current_epoch[1] = 0;
6146 ssl_session->session.dtls13_next_seq_num[0] = ssl_session->session.dtls13_next_seq_num[1] = 0;
6147 ssl_session->session.client_random.data_len = 0;
6148 ssl_session->session.client_random.data = ssl_session->session._client_random;
6149 memset(ssl_session->session.ech_confirmation, 0, sizeof(ssl_session->session.ech_confirmation));
6150 memset(ssl_session->session.hrr_ech_confirmation, 0, sizeof(ssl_session->session.hrr_ech_confirmation));
6151 memset(ssl_session->session.first_ech_auth_tag, 0, sizeof(ssl_session->session.first_ech_auth_tag));
6152 ssl_session->session.ech = false0;
6153 ssl_session->session.hrr_ech_declined = false0;
6154 ssl_session->session.first_ch_ech_frame = 0;
6155
6156 /* We want to increment the stream count for the normal tls handle and
6157 * dtls handle, but presumably not for the tls13_handshake handle used
6158 * by QUIC (it has its own Follow Stream handling, and the QUIC stream
6159 * doesn't get sent to the TLS follow tap.)
6160 */
6161 if (tls_handle == base_tls_handle) {
6162 ssl_session->session.stream = tls_increment_stream_count();
6163 } else if (tls_handle == dtls_handle) {
6164 ssl_session->session.stream = dtls_increment_stream_count();
6165 }
6166
6167 /* Store the session in the wmem map indexed by layer number */
6168 wmem_map_insert(session_map, GUINT_TO_POINTER((unsigned)curr_layer_num)((gpointer) (gulong) ((unsigned)curr_layer_num)), ssl_session);
6169
6170 return ssl_session;
6171}
6172
6173void ssl_reset_session(SslSession *session, SslDecryptSession *ssl, bool_Bool is_client)
6174{
6175 if (ssl) {
6176 /* Ensure that secrets are not restored using stale identifiers. Split
6177 * between client and server in case the packets somehow got out of order. */
6178 int clear_flags = SSL_HAVE_SESSION_KEY(1<<3) | SSL_MASTER_SECRET(1<<5) | SSL_PRE_MASTER_SECRET(1<<6);
6179
6180 if (is_client) {
6181 clear_flags |= SSL_CLIENT_EXTENDED_MASTER_SECRET(1<<7);
6182 ssl->session_id.data_len = 0;
6183 ssl->session_ticket.data_len = 0;
6184 ssl->master_secret.data_len = 0;
6185 ssl->client_random.data_len = 0;
6186 ssl->has_early_data = false0;
6187 if (ssl->handshake_data.data_len > 0) {
6188 // The EMS handshake hash starts with at the Client Hello,
6189 // ensure that any messages before it are forgotten.
6190 wmem_free(wmem_file_scope(), ssl->handshake_data.data);
6191 ssl->handshake_data.data = NULL((void*)0);
6192 ssl->handshake_data.data_len = 0;
6193 }
6194 } else {
6195 clear_flags |= SSL_SERVER_EXTENDED_MASTER_SECRET(1<<8) | SSL_NEW_SESSION_TICKET(1<<10);
6196 ssl->server_random.data_len = 0;
6197 ssl->pre_master_secret.data_len = 0;
6198#ifdef HAVE_LIBGNUTLS1
6199 ssl->cert_key_id = NULL((void*)0);
6200#endif
6201 ssl->psk.data_len = 0;
6202 }
6203
6204 if (ssl->state & clear_flags) {
6205 ssl_debug_printf("%s detected renegotiation, clearing 0x%02x (%s side)\n",
6206 G_STRFUNC((const char*) (__func__)), ssl->state & clear_flags, is_client ? "client" : "server");
6207 ssl->state &= ~clear_flags;
6208 }
6209 }
6210
6211 /* These flags might be used for non-decryption purposes and may affect the
6212 * dissection, so reset them as well. */
6213 if (is_client) {
6214 session->client_cert_type = 0;
6215 } else {
6216 session->compression = 0;
6217 session->server_cert_type = 0;
6218 /* session->is_session_resumed is already handled in the ServerHello dissection. */
6219 }
6220 session->dtls13_next_seq_num[0] = session->dtls13_next_seq_num[1] = 0;
6221 session->dtls13_current_epoch[0] = session->dtls13_current_epoch[1] = 0;
6222}
6223
6224void
6225tls_set_appdata_dissector(dissector_handle_t tls_handle, packet_info *pinfo,
6226 dissector_handle_t app_handle)
6227{
6228 conversation_t *conversation;
6229 SslSession *session;
6230
6231 /* Ignore if the TLS or other dissector is disabled. */
6232 if (!tls_handle || !app_handle)
6233 return;
6234
6235 conversation = find_or_create_conversation(pinfo);
6236 session = &ssl_get_session(conversation, tls_handle, pinfo->curr_proto_layer_num)->session;
6237 session->app_handle = app_handle;
6238}
6239
6240static uint32_t
6241ssl_starttls(dissector_handle_t tls_handle, packet_info *pinfo,
6242 dissector_handle_t app_handle, uint32_t last_nontls_frame)
6243{
6244 conversation_t *conversation;
6245 SslSession *session;
6246
6247 /* Ignore if the TLS dissector is disabled. */
6248 if (!tls_handle)
6249 return 0;
6250 /* The caller should always pass a valid handle to its own dissector. */
6251 DISSECTOR_ASSERT(app_handle)((void) ((app_handle) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 6251, "app_handle"))));
6252
6253 conversation = find_or_create_conversation(pinfo);
6254 session = &ssl_get_session(conversation, tls_handle, pinfo->curr_proto_layer_num)->session;
6255
6256 ssl_debug_printf("%s: old frame %d, app_handle=%p (%s)\n", G_STRFUNC((const char*) (__func__)),
6257 session->last_nontls_frame,
6258 (void *)session->app_handle,
6259 dissector_handle_get_dissector_name(session->app_handle));
6260 ssl_debug_printf("%s: current frame %d, app_handle=%p (%s)\n", G_STRFUNC((const char*) (__func__)),
6261 pinfo->num, (void *)app_handle,
6262 dissector_handle_get_dissector_name(app_handle));
6263
6264 /* Do not switch again if a dissector did it before. */
6265 if (session->last_nontls_frame) {
6266 ssl_debug_printf("%s: not overriding previous app handle!\n", G_STRFUNC((const char*) (__func__)));
6267 return session->last_nontls_frame;
6268 }
6269
6270 session->app_handle = app_handle;
6271 /* The TLS dissector should be called first for this conversation. */
6272 conversation_set_dissector(conversation, tls_handle);
6273 /* TLS starts after this frame. */
6274 session->last_nontls_frame = last_nontls_frame;
6275 return 0;
6276}
6277
6278/* ssl_starttls_ack: mark future frames as encrypted. */
6279uint32_t
6280ssl_starttls_ack(dissector_handle_t tls_handle, packet_info *pinfo,
6281 dissector_handle_t app_handle)
6282{
6283 return ssl_starttls(tls_handle, pinfo, app_handle, pinfo->num);
6284}
6285
6286uint32_t
6287ssl_starttls_post_ack(dissector_handle_t tls_handle, packet_info *pinfo,
6288 dissector_handle_t app_handle)
6289{
6290 return ssl_starttls(tls_handle, pinfo, app_handle, pinfo->num - 1);
6291}
6292
6293dissector_handle_t
6294ssl_find_appdata_dissector(const char *name)
6295{
6296 /* Accept 'http' for backwards compatibility and sanity. */
6297 if (!strcmp(name, "http"))
6298 name = "http-over-tls";
6299 /* XXX - Should this check to see if the dissector is actually added for
6300 * Decode As in the appropriate table?
6301 */
6302 return find_dissector(name);
6303}
6304
6305/* Functions for TLS/DTLS sessions and RSA private keys hashtables. {{{ */
6306static int
6307ssl_equal (const void *v, const void *v2)
6308{
6309 const StringInfo *val1;
6310 const StringInfo *val2;
6311 val1 = (const StringInfo *)v;
6312 val2 = (const StringInfo *)v2;
6313
6314 if (val1->data_len == val2->data_len &&
6315 !memcmp(val1->data, val2->data, val2->data_len)) {
6316 return 1;
6317 }
6318 return 0;
6319}
6320
6321static unsigned
6322ssl_hash (const void *v)
6323{
6324 unsigned l,hash;
6325 const StringInfo* id;
6326 const unsigned* cur;
6327 hash = 0;
6328 id = (const StringInfo*) v;
6329
6330 /* id and id->data are mallocated in ssl_save_master_key(). As such 'data'
6331 * should be aligned for any kind of access (for example as a unsigned as
6332 * is done below). The intermediate void* cast is to prevent "cast
6333 * increases required alignment of target type" warnings on CPUs (such
6334 * as SPARCs) that do not allow misaligned memory accesses.
6335 */
6336 cur = (const unsigned*)(void*) id->data;
6337
6338 for (l=4; (l < id->data_len); l+=4, cur++)
6339 hash = hash ^ (*cur);
6340
6341 return hash;
6342}
6343/* Functions for TLS/DTLS sessions and RSA private keys hashtables. }}} */
6344
6345/* Handling of association between tls/dtls ports and clear text protocol. {{{ */
6346void
6347ssl_association_add(const char* dissector_table_name, dissector_handle_t main_handle, dissector_handle_t subdissector_handle, unsigned port, bool_Bool tcp)
6348{
6349 DISSECTOR_ASSERT(main_handle)((void) ((main_handle) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 6349, "main_handle"))));
6350 DISSECTOR_ASSERT(subdissector_handle)((void) ((subdissector_handle) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 6350, "subdissector_handle"))));
6351 /* Registration is required for Export PDU feature to work properly. */
6352 DISSECTOR_ASSERT_HINT(dissector_handle_get_dissector_name(subdissector_handle),((void) ((dissector_handle_get_dissector_name(subdissector_handle
)) ? (void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\" (%s)"
, "epan/dissectors/packet-tls-utils.c", 6353, "dissector_handle_get_dissector_name(subdissector_handle)"
, "SSL appdata dissectors must register with register_dissector()!"
))))
6353 "SSL appdata dissectors must register with register_dissector()!")((void) ((dissector_handle_get_dissector_name(subdissector_handle
)) ? (void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\" (%s)"
, "epan/dissectors/packet-tls-utils.c", 6353, "dissector_handle_get_dissector_name(subdissector_handle)"
, "SSL appdata dissectors must register with register_dissector()!"
))));
6354 ssl_debug_printf("association_add %s port %d handle %p\n", dissector_table_name, port, (void *)subdissector_handle);
6355
6356 if (port) {
6357 dissector_add_uint(dissector_table_name, port, subdissector_handle);
6358 if (tcp)
6359 dissector_add_uint("tcp.port", port, main_handle);
6360 else
6361 dissector_add_uint("udp.port", port, main_handle);
6362 dissector_add_uint("sctp.port", port, main_handle);
6363 } else {
6364 dissector_add_for_decode_as(dissector_table_name, subdissector_handle);
6365 }
6366}
6367
6368void
6369ssl_association_remove(const char* dissector_table_name, dissector_handle_t main_handle, dissector_handle_t subdissector_handle, unsigned port, bool_Bool tcp)
6370{
6371 ssl_debug_printf("ssl_association_remove removing %s %u - handle %p\n",
6372 tcp?"TCP":"UDP", port, (void *)subdissector_handle);
6373 if (main_handle) {
6374 dissector_delete_uint(tcp?"tcp.port":"udp.port", port, main_handle);
6375 dissector_delete_uint("sctp.port", port, main_handle);
6376 }
6377
6378 if (port) {
6379 dissector_delete_uint(dissector_table_name, port, subdissector_handle);
6380 }
6381}
6382
6383void
6384ssl_set_server(SslSession *session, address *addr, port_type ptype, uint32_t port)
6385{
6386 copy_address_wmem(wmem_file_scope(), &session->srv_addr, addr);
6387 session->srv_ptype = ptype;
6388 session->srv_port = port;
6389}
6390
6391int
6392ssl_packet_from_server(SslSession *session, dissector_table_t table, const packet_info *pinfo)
6393{
6394 int ret;
6395 if (session && session->srv_addr.type != AT_NONE) {
6396 ret = (session->srv_ptype == pinfo->ptype) &&
6397 (session->srv_port == pinfo->srcport) &&
6398 addresses_equal(&session->srv_addr, &pinfo->src);
6399 } else {
6400 ret = (dissector_get_uint_handle(table, pinfo->srcport) != 0);
6401 }
6402
6403 ssl_debug_printf("packet_from_server: is from server - %s\n", (ret)?"TRUE":"FALSE");
6404 return ret;
6405}
6406/* Handling of association between tls/dtls ports and clear text protocol. }}} */
6407
6408
6409/* Links SSL records with the real packet data. {{{ */
6410SslPacketInfo *
6411tls_add_packet_info(int proto, packet_info *pinfo, uint8_t curr_layer_num_ssl)
6412{
6413 SslPacketInfo *pi = (SslPacketInfo *)p_get_proto_data(wmem_file_scope(), pinfo, proto, curr_layer_num_ssl);
6414 if (!pi) {
6415 pi = wmem_new0(wmem_file_scope(), SslPacketInfo)((SslPacketInfo*)wmem_alloc0((wmem_file_scope()), sizeof(SslPacketInfo
)));
6416 pi->srcport = pinfo->srcport;
6417 pi->destport = pinfo->destport;
6418 conversation_t *conv = find_or_create_conversation_strat(pinfo);
6419 SslDecryptSession *ssl_session = tls_get_session(conv, proto, curr_layer_num_ssl);
6420 if (ssl_session) {
6421 /* This can also be called by the QUIC TLS1.3 handshake only
6422 * dissector. That is not associated with a session, or a stream,
6423 * and doesn't need the information for Follow or Decode As. */
6424 pi->stream = ssl_session->session.stream;
6425 }
6426 p_add_proto_data(wmem_file_scope(), pinfo, proto, curr_layer_num_ssl, pi);
6427 }
6428
6429 return pi;
6430}
6431
6432/**
6433 * Remembers the decrypted TLS record fragment (TLSInnerPlaintext in TLS 1.3) to
6434 * avoid the need for a decoder in the second pass. Additionally, it remembers
6435 * sequence numbers (for reassembly and Follow TLS Stream).
6436 *
6437 * @param proto The protocol identifier (proto_ssl or proto_dtls).
6438 * @param pinfo The packet where the record originates from.
6439 * @param plain_data Decrypted plaintext to store in the record.
6440 * @param plain_data_len Total length of the plaintext.
6441 * @param content_len Length of the plaintext section corresponding to the record content.
6442 * @param record_id The identifier for this record within the current packet.
6443 * @param flow Information about sequence numbers, etc.
6444 * @param type TLS Content Type (such as handshake or application_data).
6445 * @param curr_layer_num_ssl The layer identifier for this TLS session.
6446 */
6447void
6448ssl_add_record_info(int proto, packet_info *pinfo,
6449 const unsigned char *plain_data, int plain_data_len, int content_len,
6450 int record_id, SslFlow *flow, ContentType type, uint8_t curr_layer_num_ssl,
6451 uint64_t record_seq)
6452{
6453 SslRecordInfo* rec, **prec;
6454 SslPacketInfo *pi = tls_add_packet_info(proto, pinfo, curr_layer_num_ssl);
6455
6456 ws_assert(content_len <= plain_data_len)do { if ((1) && !(content_len <= plain_data_len)) ws_log_fatal_full
("", LOG_LEVEL_ERROR, "epan/dissectors/packet-tls-utils.c", 6456
, __func__, "assertion failed: %s", "content_len <= plain_data_len"
); } while (0);
6457
6458 rec = wmem_new(wmem_file_scope(), SslRecordInfo)((SslRecordInfo*)wmem_alloc((wmem_file_scope()), sizeof(SslRecordInfo
)));
6459 rec->plain_data = (unsigned char *)wmem_memdup(wmem_file_scope(), plain_data, plain_data_len);
6460 rec->plain_data_len = plain_data_len;
6461 rec->content_len = content_len;
6462 rec->id = record_id;
6463 rec->type = type;
6464 rec->next = NULL((void*)0);
6465 rec->record_seq = record_seq;
6466
6467 if (flow && type == SSL_ID_APP_DATA) {
6468 rec->seq = flow->byte_seq;
6469 rec->flow = flow;
6470 flow->byte_seq += content_len;
6471 ssl_debug_printf("%s stored decrypted record seq=%d nxtseq=%d flow=%p\n",
6472 G_STRFUNC((const char*) (__func__)), rec->seq, rec->seq + content_len, (void*)flow);
6473 }
6474
6475 /* Remember decrypted records. */
6476 prec = &pi->records;
6477 while (*prec) prec = &(*prec)->next;
6478 *prec = rec;
6479}
6480
6481/* search in packet data for the specified id; return a newly created tvb for the associated data */
6482tvbuff_t*
6483ssl_get_record_info(tvbuff_t *parent_tvb, int proto, packet_info *pinfo, int record_id, uint8_t curr_layer_num_ssl, SslRecordInfo **matched_record)
6484{
6485 SslRecordInfo* rec;
6486 SslPacketInfo* pi;
6487 pi = (SslPacketInfo *)p_get_proto_data(wmem_file_scope(), pinfo, proto, curr_layer_num_ssl);
6488
6489 if (!pi)
6490 return NULL((void*)0);
6491
6492 for (rec = pi->records; rec; rec = rec->next)
6493 if (rec->id == record_id) {
6494 *matched_record = rec;
6495 /* link new real_data_tvb with a parent tvb so it is freed when frame dissection is complete */
6496 return tvb_new_child_real_data(parent_tvb, rec->plain_data, rec->plain_data_len, rec->plain_data_len);
6497 }
6498
6499 return NULL((void*)0);
6500}
6501/* Links SSL records with the real packet data. }}} */
6502
6503/* initialize/reset per capture state data (ssl sessions cache). {{{ */
6504void
6505ssl_common_init(ssl_master_key_map_t *mk_map,
6506 StringInfo *decrypted_data, StringInfo *compressed_data)
6507{
6508 mk_map->session = g_hash_table_new(ssl_hash, ssl_equal);
6509 mk_map->tickets = g_hash_table_new(ssl_hash, ssl_equal);
6510 mk_map->crandom = g_hash_table_new(ssl_hash, ssl_equal);
6511 mk_map->pre_master = g_hash_table_new(ssl_hash, ssl_equal);
6512 mk_map->pms = g_hash_table_new(ssl_hash, ssl_equal);
6513 mk_map->tls13_client_early = g_hash_table_new(ssl_hash, ssl_equal);
6514 mk_map->tls13_client_handshake = g_hash_table_new(ssl_hash, ssl_equal);
6515 mk_map->tls13_server_handshake = g_hash_table_new(ssl_hash, ssl_equal);
6516 mk_map->tls13_client_appdata = g_hash_table_new(ssl_hash, ssl_equal);
6517 mk_map->tls13_server_appdata = g_hash_table_new(ssl_hash, ssl_equal);
6518 mk_map->tls13_early_exporter = g_hash_table_new(ssl_hash, ssl_equal);
6519 mk_map->tls13_exporter = g_hash_table_new(ssl_hash, ssl_equal);
6520
6521 mk_map->ech_secret = g_hash_table_new(ssl_hash, ssl_equal);
6522 mk_map->ech_config = g_hash_table_new(ssl_hash, ssl_equal);
6523
6524 mk_map->used_crandom = g_hash_table_new(ssl_hash, ssl_equal);
6525
6526 ssl_data_alloc(decrypted_data, 32);
6527 ssl_data_alloc(compressed_data, 32);
6528}
6529
6530void
6531ssl_common_cleanup(ssl_master_key_map_t *mk_map, FILE **ssl_keylog_file,
6532 StringInfo *decrypted_data, StringInfo *compressed_data)
6533{
6534 g_hash_table_destroy(mk_map->session);
6535 g_hash_table_destroy(mk_map->tickets);
6536 g_hash_table_destroy(mk_map->crandom);
6537 g_hash_table_destroy(mk_map->pre_master);
6538 g_hash_table_destroy(mk_map->pms);
6539 g_hash_table_destroy(mk_map->tls13_client_early);
6540 g_hash_table_destroy(mk_map->tls13_client_handshake);
6541 g_hash_table_destroy(mk_map->tls13_server_handshake);
6542 g_hash_table_destroy(mk_map->tls13_client_appdata);
6543 g_hash_table_destroy(mk_map->tls13_server_appdata);
6544 g_hash_table_destroy(mk_map->tls13_early_exporter);
6545 g_hash_table_destroy(mk_map->tls13_exporter);
6546
6547 g_hash_table_destroy(mk_map->ech_secret);
6548 g_hash_table_destroy(mk_map->ech_config);
6549
6550 g_hash_table_destroy(mk_map->used_crandom);
6551
6552 g_free(decrypted_data->data);
6553 g_free(compressed_data->data);
6554
6555 /* close the previous keylog file now that the cache are cleared, this
6556 * allows the cache to be filled with the full keylog file contents. */
6557 if (*ssl_keylog_file) {
6558 fclose(*ssl_keylog_file);
6559 *ssl_keylog_file = NULL((void*)0);
6560 }
6561}
6562/* }}} */
6563
6564/* parse ssl related preferences (private keys and ports association strings) */
6565#if defined(HAVE_LIBGNUTLS1)
6566/* Load a single RSA key file item from preferences. {{{ */
6567void
6568ssl_parse_key_list(const ssldecrypt_assoc_t *uats, GHashTable *key_hash, const char* dissector_table_name, dissector_handle_t main_handle, bool_Bool tcp)
6569{
6570 gnutls_x509_privkey_t x509_priv_key;
6571 gnutls_privkey_t priv_key = NULL((void*)0);
6572 FILE* fp = NULL((void*)0);
6573 int ret;
6574 size_t key_id_len = 20;
6575 unsigned char *key_id = NULL((void*)0);
6576 char *err = NULL((void*)0);
6577 dissector_handle_t handle;
6578 /* try to load keys file first */
6579 fp = ws_fopenfopen(uats->keyfile, "rb");
6580 if (!fp) {
6581 report_open_failure(uats->keyfile, errno(*__errno_location ()), false0);
6582 return;
6583 }
6584
6585 if ((int)strlen(uats->password) == 0) {
6586 x509_priv_key = rsa_load_pem_key(fp, &err);
6587 } else {
6588 x509_priv_key = rsa_load_pkcs12(fp, uats->password, &err);
6589 }
6590 fclose(fp);
6591
6592 if (!x509_priv_key) {
6593 if (err) {
6594 report_failure("Can't load private key from %s: %s",
6595 uats->keyfile, err);
6596 g_free(err);
6597 } else
6598 report_failure("Can't load private key from %s: unknown error",
6599 uats->keyfile);
6600 return;
6601 }
6602 if (err) {
6603 report_failure("Load of private key from %s \"succeeded\" with error %s",
6604 uats->keyfile, err);
6605 g_free(err);
6606 }
6607
6608 gnutls_privkey_init(&priv_key);
6609 ret = gnutls_privkey_import_x509(priv_key, x509_priv_key,
6610 GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE|GNUTLS_PRIVKEY_IMPORT_COPY);
6611 if (ret < 0) {
6612 report_failure("Can't convert private key %s: %s",
6613 uats->keyfile, gnutls_strerror(ret));
6614 goto end;
6615 }
6616
6617 key_id = (unsigned char *) g_malloc0(key_id_len);
6618 ret = gnutls_x509_privkey_get_key_id(x509_priv_key, 0, key_id, &key_id_len);
6619 if (ret < 0) {
6620 report_failure("Can't calculate public key ID for %s: %s",
6621 uats->keyfile, gnutls_strerror(ret));
6622 goto end;
6623 }
6624 ssl_print_data("KeyID", key_id, key_id_len);
6625 if (key_id_len != 20) {
6626 report_failure("Expected Key ID size %u for %s, got %zu", 20,
6627 uats->keyfile, key_id_len);
6628 goto end;
6629 }
6630
6631 g_hash_table_replace(key_hash, key_id, priv_key);
6632 key_id = NULL((void*)0); /* used in key_hash, do not free. */
6633 priv_key = NULL((void*)0);
6634 ssl_debug_printf("ssl_init private key file %s successfully loaded.\n", uats->keyfile);
6635
6636 handle = ssl_find_appdata_dissector(uats->protocol);
6637 if (handle) {
6638 /* Port to subprotocol mapping */
6639 uint16_t port = 0;
6640 if (ws_strtou16(uats->port, NULL((void*)0), &port)) {
6641 if (port > 0) {
6642 ssl_debug_printf("ssl_init port '%d' filename '%s' password(only for p12 file) '%s'\n",
6643 port, uats->keyfile, uats->password);
6644
6645 ssl_association_add(dissector_table_name, main_handle, handle, port, tcp);
6646 }
6647 } else {
6648 if (strcmp(uats->port, "start_tls"))
6649 ssl_debug_printf("invalid ssl_init_port: %s\n", uats->port);
6650 }
6651 }
6652
6653end:
6654 gnutls_x509_privkey_deinit(x509_priv_key);
6655 gnutls_privkey_deinit(priv_key);
6656 g_free(key_id);
6657}
6658/* }}} */
6659#endif
6660
6661
6662/* Store/load a known (pre-)master secret from/for this SSL session. {{{ */
6663/** store a known (pre-)master secret into cache */
6664static void
6665ssl_save_master_key(const char *label, GHashTable *ht, StringInfo *key,
6666 StringInfo *mk)
6667{
6668 StringInfo *ht_key, *master_secret;
6669
6670 if (key->data_len == 0) {
6671 ssl_debug_printf("%s: not saving empty %s!\n", G_STRFUNC((const char*) (__func__)), label);
6672 return;
6673 }
6674
6675 if (mk->data_len == 0) {
6676 ssl_debug_printf("%s not saving empty (pre-)master secret for %s!\n",
6677 G_STRFUNC((const char*) (__func__)), label);
6678 return;
6679 }
6680
6681 /* ssl_hash() depends on session_ticket->data being aligned for unsigned access
6682 * so be careful in changing how it is allocated. */
6683 ht_key = ssl_data_clone(key);
6684 master_secret = ssl_data_clone(mk);
6685 g_hash_table_insert(ht, ht_key, master_secret);
6686
6687 ssl_debug_printf("%s inserted (pre-)master secret for %s\n", G_STRFUNC((const char*) (__func__)), label);
6688 ssl_print_string("stored key", ht_key);
6689 ssl_print_string("stored (pre-)master secret", master_secret);
6690}
6691
6692/** restore a (pre-)master secret given some key in the cache */
6693static bool_Bool
6694ssl_restore_master_key(SslDecryptSession *ssl, const char *label,
6695 bool_Bool is_pre_master, GHashTable *ht, StringInfo *key)
6696{
6697 StringInfo *ms;
6698
6699 if (key->data_len == 0) {
6700 ssl_debug_printf("%s can't restore %smaster secret using an empty %s\n",
6701 G_STRFUNC((const char*) (__func__)), is_pre_master ? "pre-" : "", label);
6702 return false0;
6703 }
6704
6705 ms = (StringInfo *)g_hash_table_lookup(ht, key);
6706 if (!ms) {
6707 ssl_debug_printf("%s can't find %smaster secret by %s\n", G_STRFUNC((const char*) (__func__)),
6708 is_pre_master ? "pre-" : "", label);
6709 return false0;
6710 }
6711
6712 /* (pre)master secret found, clear knowledge of other keys and set it in the
6713 * current conversation */
6714 ssl->state &= ~(SSL_MASTER_SECRET(1<<5) | SSL_PRE_MASTER_SECRET(1<<6) |
6715 SSL_HAVE_SESSION_KEY(1<<3));
6716 if (is_pre_master) {
6717 /* unlike master secret, pre-master secret has a variable size (48 for
6718 * RSA, varying for PSK) and is therefore not statically allocated */
6719 ssl->pre_master_secret.data = (unsigned char *) wmem_alloc(wmem_file_scope(),
6720 ms->data_len);
6721 ssl_data_set(&ssl->pre_master_secret, ms->data, ms->data_len);
6722 ssl->state |= SSL_PRE_MASTER_SECRET(1<<6);
6723 } else {
6724 ssl_data_set(&ssl->master_secret, ms->data, ms->data_len);
6725 ssl->state |= SSL_MASTER_SECRET(1<<5);
6726 }
6727 ssl_debug_printf("%s %smaster secret retrieved using %s\n", G_STRFUNC((const char*) (__func__)),
6728 is_pre_master ? "pre-" : "", label);
6729 ssl_print_string(label, key);
6730 ssl_print_string("(pre-)master secret", ms);
6731 return true1;
6732}
6733/* Store/load a known (pre-)master secret from/for this SSL session. }}} */
6734
6735/* Should be called when all parameters are ready (after ChangeCipherSpec), and
6736 * the decoder should be attempted to be initialized. {{{*/
6737void
6738ssl_finalize_decryption(SslDecryptSession *ssl, ssl_master_key_map_t *mk_map)
6739{
6740 if (ssl->session.version == TLSV1DOT3_VERSION0x304) {
1
Assuming field 'version' is not equal to TLSV1DOT3_VERSION
2
Taking false branch
6741 /* TLS 1.3 implementations only provide secrets derived from the master
6742 * secret which are loaded in tls13_change_key. No master secrets can be
6743 * loaded here, so just return. */
6744 return;
6745 }
6746 ssl_debug_printf("%s state = 0x%02X\n", G_STRFUNC((const char*) (__func__)), ssl->state);
6747 if (ssl->state & SSL_HAVE_SESSION_KEY(1<<3)) {
3
Assuming the condition is false
4
Taking false branch
6748 ssl_debug_printf(" session key already available, nothing to do.\n");
6749 return;
6750 }
6751 if (!(ssl->state & SSL_CIPHER(1<<2))) {
5
Assuming the condition is false
6752 ssl_debug_printf(" Cipher suite (Server Hello) is missing!\n");
6753 return;
6754 }
6755
6756 /* for decryption, there needs to be a master secret (which can be derived
6757 * from pre-master secret). If missing, try to pick a master key from cache
6758 * (an earlier packet in the capture or key logfile). */
6759 if (!(ssl->state & (SSL_MASTER_SECRET(1<<5) | SSL_PRE_MASTER_SECRET(1<<6))) &&
6
Assuming the condition is false
6760 !ssl_restore_master_key(ssl, "Session ID", false0,
6761 mk_map->session, &ssl->session_id) &&
6762 (!ssl->session.is_session_resumed ||
6763 !ssl_restore_master_key(ssl, "Session Ticket", false0,
6764 mk_map->tickets, &ssl->session_ticket)) &&
6765 !ssl_restore_master_key(ssl, "Client Random", false0,
6766 mk_map->crandom, &ssl->client_random)) {
6767 if (ssl->cipher_suite->enc != ENC_NULL0x3D) {
6768 /* how unfortunate, the master secret could not be found */
6769 ssl_debug_printf(" Cannot find master secret\n");
6770 return;
6771 } else {
6772 ssl_debug_printf(" Cannot find master secret, continuing anyway "
6773 "because of a NULL cipher\n");
6774 }
6775 }
6776
6777 if (ssl_generate_keyring_material(ssl) < 0) {
7
Calling 'ssl_generate_keyring_material'
6778 ssl_debug_printf("%s can't generate keyring material\n", G_STRFUNC((const char*) (__func__)));
6779 return;
6780 }
6781 /* Save Client Random/ Session ID for "SSL Export Session keys" */
6782 ssl_save_master_key("Client Random", mk_map->crandom,
6783 &ssl->client_random, &ssl->master_secret);
6784 ssl_save_master_key("Session ID", mk_map->session,
6785 &ssl->session_id, &ssl->master_secret);
6786 /* Only save the new secrets if the server sent the ticket. The client
6787 * ticket might have become stale. */
6788 if (ssl->state & SSL_NEW_SESSION_TICKET(1<<10)) {
6789 ssl_save_master_key("Session Ticket", mk_map->tickets,
6790 &ssl->session_ticket, &ssl->master_secret);
6791 }
6792} /* }}} */
6793
6794/* Load the traffic key secret from the keylog file. */
6795StringInfo *
6796tls13_load_secret(SslDecryptSession *ssl, ssl_master_key_map_t *mk_map,
6797 bool_Bool is_from_server, TLSRecordType type)
6798{
6799 GHashTable *key_map;
6800 const char *label;
6801
6802 if (ssl->session.version != TLSV1DOT3_VERSION0x304 && ssl->session.version != DTLSV1DOT3_VERSION0xfefc) {
6803 ssl_debug_printf("%s TLS version %#x is not 1.3\n", G_STRFUNC((const char*) (__func__)), ssl->session.version);
6804 return NULL((void*)0);
6805 }
6806
6807 if (ssl->client_random.data_len == 0) {
6808 /* May happen if Hello message is missing and Finished is found. */
6809 ssl_debug_printf("%s missing Client Random\n", G_STRFUNC((const char*) (__func__)));
6810 return NULL((void*)0);
6811 }
6812
6813 switch (type) {
6814 case TLS_SECRET_0RTT_APP:
6815 DISSECTOR_ASSERT(!is_from_server)((void) ((!is_from_server) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 6815, "!is_from_server"))));
6816 label = "CLIENT_EARLY_TRAFFIC_SECRET";
6817 key_map = mk_map->tls13_client_early;
6818 break;
6819 case TLS_SECRET_HANDSHAKE:
6820 if (is_from_server) {
6821 label = "SERVER_HANDSHAKE_TRAFFIC_SECRET";
6822 key_map = mk_map->tls13_server_handshake;
6823 } else {
6824 label = "CLIENT_HANDSHAKE_TRAFFIC_SECRET";
6825 key_map = mk_map->tls13_client_handshake;
6826 }
6827 break;
6828 case TLS_SECRET_APP:
6829 if (is_from_server) {
6830 label = "SERVER_TRAFFIC_SECRET_0";
6831 key_map = mk_map->tls13_server_appdata;
6832 } else {
6833 label = "CLIENT_TRAFFIC_SECRET_0";
6834 key_map = mk_map->tls13_client_appdata;
6835 }
6836 break;
6837 default:
6838 ws_assert_not_reached()ws_log_fatal_full("", LOG_LEVEL_ERROR, "epan/dissectors/packet-tls-utils.c"
, 6838, __func__, "assertion \"not reached\" failed");
6839 }
6840
6841 /* Transitioning to new keys, mark old ones as unusable. */
6842 ssl_debug_printf("%s transitioning to new key, old state 0x%02x\n", G_STRFUNC((const char*) (__func__)), ssl->state);
6843 ssl->state &= ~(SSL_MASTER_SECRET(1<<5) | SSL_PRE_MASTER_SECRET(1<<6) | SSL_HAVE_SESSION_KEY(1<<3));
6844
6845 StringInfo *secret = (StringInfo *)g_hash_table_lookup(key_map, &ssl->client_random);
6846 if (!secret) {
6847 ssl_debug_printf("%s Cannot find %s, decryption impossible\n", G_STRFUNC((const char*) (__func__)), label);
6848 /* Disable decryption, the keys are invalid. */
6849 if (is_from_server) {
6850 ssl->server = NULL((void*)0);
6851 } else {
6852 ssl->client = NULL((void*)0);
6853 }
6854 return NULL((void*)0);
6855 }
6856
6857 /* TLS 1.3 secret found, set new keys. */
6858 ssl_debug_printf("%s Retrieved TLS 1.3 traffic secret.\n", G_STRFUNC((const char*) (__func__)));
6859 ssl_print_string("Client Random", &ssl->client_random);
6860 ssl_print_string(label, secret);
6861 return secret;
6862}
6863
6864/* Load the new key. */
6865void
6866tls13_change_key(SslDecryptSession *ssl, ssl_master_key_map_t *mk_map,
6867 bool_Bool is_from_server, TLSRecordType type)
6868{
6869 if (ssl->state & SSL_QUIC_RECORD_LAYER(1<<13)) {
6870 /*
6871 * QUIC does not use the TLS record layer for message protection.
6872 * The required keys will be extracted later by QUIC.
6873 */
6874 return;
6875 }
6876
6877 StringInfo *secret = tls13_load_secret(ssl, mk_map, is_from_server, type);
6878 if (!secret) {
6879 if (type != TLS_SECRET_HANDSHAKE) {
6880 return;
6881 }
6882 /*
6883 * Workaround for when for some reason we don't have the handshake
6884 * secret but do have the application traffic secret. (#20240)
6885 * If we can't find the handshake secret, we'll never decrypt the
6886 * Finished message, so we won't know when to change to the app
6887 * traffic key, so we do so now.
6888 */
6889 type = TLS_SECRET_APP;
6890 secret = tls13_load_secret(ssl, mk_map, is_from_server, type);
6891 if (!secret) {
6892 return;
6893 }
6894 }
6895
6896 if (tls13_generate_keys(ssl, secret, is_from_server)) {
6897 /*
6898 * Remember the application traffic secret to support Key Update. The
6899 * other secrets cannot be used for this purpose, so free them.
6900 */
6901 SslDecoder *decoder = is_from_server ? ssl->server : ssl->client;
6902 StringInfo *app_secret = &decoder->app_traffic_secret;
6903 if (type == TLS_SECRET_APP) {
6904 app_secret->data = (unsigned char *) wmem_realloc(wmem_file_scope(),
6905 app_secret->data,
6906 secret->data_len);
6907 ssl_data_set(app_secret, secret->data, secret->data_len);
6908 } else {
6909 wmem_free(wmem_file_scope(), app_secret->data);
6910 app_secret->data = NULL((void*)0);
6911 app_secret->data_len = 0;
6912 }
6913 }
6914}
6915
6916/**
6917 * Update to next application data traffic secret for TLS 1.3. The previous
6918 * secret should have been set by tls13_change_key.
6919 */
6920void
6921tls13_key_update(SslDecryptSession *ssl, bool_Bool is_from_server)
6922{
6923 /* RFC 8446 Section 7.2:
6924 * application_traffic_secret_N+1 =
6925 * HKDF-Expand-Label(application_traffic_secret_N,
6926 * "traffic upd", "", Hash.length)
6927 *
6928 * Both application_traffic_secret_N are of the same length (Hash.length).
6929 */
6930 const SslCipherSuite *cipher_suite = ssl->cipher_suite;
6931 SslDecoder *decoder = is_from_server ? ssl->server : ssl->client;
6932 StringInfo *app_secret = decoder ? &decoder->app_traffic_secret : NULL((void*)0);
6933 uint8_t tls13_draft_version = ssl->session.tls13_draft_version;
6934
6935 if (!cipher_suite || !app_secret || app_secret->data_len == 0) {
6936 ssl_debug_printf("%s Cannot perform Key Update due to missing info\n", G_STRFUNC((const char*) (__func__)));
6937 return;
6938 }
6939
6940 /*
6941 * Previous traffic secret is available, so find the hash function,
6942 * expand the new traffic secret and generate new keys.
6943 */
6944 const char *hash_name = ssl_cipher_suite_dig(cipher_suite)->name;
6945 int hash_algo = ssl_get_digest_by_name(hash_name);
6946 const unsigned hash_len = app_secret->data_len;
6947 unsigned char *new_secret;
6948 const char *label = "traffic upd";
6949 if (tls13_draft_version && tls13_draft_version < 20) {
6950 label = "application traffic secret";
6951 }
6952 if (!tls13_hkdf_expand_label(hash_algo, app_secret,
6953 tls13_hkdf_label_prefix(ssl),
6954 label, hash_len, &new_secret)) {
6955 ssl_debug_printf("%s traffic_secret_N+1 expansion failed\n", G_STRFUNC((const char*) (__func__)));
6956 return;
6957 }
6958 ssl_data_set(app_secret, new_secret, hash_len);
6959 if (tls13_generate_keys(ssl, app_secret, is_from_server)) {
6960 /*
6961 * Remember the application traffic secret on the new decoder to
6962 * support another Key Update.
6963 */
6964 decoder = is_from_server ? ssl->server : ssl->client;
6965 app_secret = &decoder->app_traffic_secret;
6966 app_secret->data = (unsigned char *) wmem_realloc(wmem_file_scope(),
6967 app_secret->data,
6968 hash_len);
6969 ssl_data_set(app_secret, new_secret, hash_len);
6970 }
6971 wmem_free(NULL((void*)0), new_secret);
6972}
6973
6974void
6975tls_save_crandom(SslDecryptSession *ssl, ssl_master_key_map_t *mk_map)
6976{
6977 if (ssl && (ssl->state & SSL_CLIENT_RANDOM(1<<0))) {
6978 g_hash_table_add(mk_map->used_crandom, ssl_data_clone(&ssl->client_random));
6979 }
6980}
6981
6982/** SSL keylog file handling. {{{ */
6983
6984static GRegex *
6985ssl_compile_keyfile_regex(void)
6986{
6987#define OCTET "(?:[[:xdigit:]]{2})"
6988 const char *pattern =
6989 "(?:"
6990 /* Matches Client Hellos having this Client Random */
6991 "PMS_CLIENT_RANDOM (?<client_random_pms>" OCTET "{32}) "
6992 /* Matches first part of encrypted RSA pre-master secret */
6993 "|RSA (?<encrypted_pmk>" OCTET "{8}) "
6994 /* Pre-Master-Secret is given, it is 48 bytes for RSA,
6995 but it can be of any length for DHE */
6996 ")(?<pms>" OCTET "+)"
6997 "|(?:"
6998 /* Matches Server Hellos having a Session ID */
6999 "RSA Session-ID:(?<session_id>" OCTET "+) Master-Key:"
7000 /* Matches Client Hellos having this Client Random */
7001 "|CLIENT_RANDOM (?<client_random>" OCTET "{32}) "
7002 /* Master-Secret is given, its length is fixed */
7003 ")(?<master_secret>" OCTET "{" G_STRINGIFY(SSL_MASTER_SECRET_LENGTH)"48" "})"
7004 "|(?"
7005 /* TLS 1.3 Client Random to Derived Secrets mapping. */
7006 ":CLIENT_EARLY_TRAFFIC_SECRET (?<client_early>" OCTET "{32})"
7007 "|CLIENT_HANDSHAKE_TRAFFIC_SECRET (?<client_handshake>" OCTET "{32})"
7008 "|SERVER_HANDSHAKE_TRAFFIC_SECRET (?<server_handshake>" OCTET "{32})"
7009 "|CLIENT_TRAFFIC_SECRET_0 (?<client_appdata>" OCTET "{32})"
7010 "|SERVER_TRAFFIC_SECRET_0 (?<server_appdata>" OCTET "{32})"
7011 "|EARLY_EXPORTER_SECRET (?<early_exporter>" OCTET "{32})"
7012 "|EXPORTER_SECRET (?<exporter>" OCTET "{32})"
7013 /* ECH. Secret length is defined by HPKE KEM Nsecret and can vary between 32 and 64 bytes */
7014 /* These labels and their notation are specified in draft-ietf-tls-ech-keylogfile-01 */
7015 "|ECH_SECRET (?<ech_secret>" OCTET "{32,64})"
7016 "|ECH_CONFIG (?<ech_config>" OCTET "{22,})"
7017 ") (?<derived_secret>" OCTET "+)";
7018#undef OCTET
7019 static GRegex *regex = NULL((void*)0);
7020 GError *gerr = NULL((void*)0);
7021
7022 if (!regex) {
7023 regex = g_regex_new(pattern,
7024 (GRegexCompileFlags)(G_REGEX_OPTIMIZE | G_REGEX_ANCHORED | G_REGEX_RAW),
7025 G_REGEX_MATCH_ANCHORED, &gerr);
7026 if (gerr) {
7027 ssl_debug_printf("%s failed to compile regex: %s\n", G_STRFUNC((const char*) (__func__)),
7028 gerr->message);
7029 g_error_free(gerr);
7030 regex = NULL((void*)0);
7031 }
7032 }
7033
7034 return regex;
7035}
7036
7037typedef struct ssl_master_key_match_group {
7038 const char *re_group_name;
7039 GHashTable *master_key_ht;
7040} ssl_master_key_match_group_t;
7041
7042void
7043tls_keylog_process_lines(const ssl_master_key_map_t *mk_map, const uint8_t *data, unsigned datalen)
7044{
7045 ssl_master_key_match_group_t mk_groups[] = {
7046 { "encrypted_pmk", mk_map->pre_master },
7047 { "session_id", mk_map->session },
7048 { "client_random", mk_map->crandom },
7049 { "client_random_pms", mk_map->pms },
7050 /* TLS 1.3 map from Client Random to derived secret. */
7051 { "client_early", mk_map->tls13_client_early },
7052 { "client_handshake", mk_map->tls13_client_handshake },
7053 { "server_handshake", mk_map->tls13_server_handshake },
7054 { "client_appdata", mk_map->tls13_client_appdata },
7055 { "server_appdata", mk_map->tls13_server_appdata },
7056 { "early_exporter", mk_map->tls13_early_exporter },
7057 { "exporter", mk_map->tls13_exporter },
7058 { "ech_secret", mk_map->ech_secret },
7059 { "ech_config", mk_map->ech_config },
7060 };
7061
7062 /* The format of the file is a series of records with one of the following formats:
7063 * - "RSA xxxx yyyy"
7064 * Where xxxx are the first 8 bytes of the encrypted pre-master secret (hex-encoded)
7065 * Where yyyy is the cleartext pre-master secret (hex-encoded)
7066 * (this is the original format introduced with bug 4349)
7067 *
7068 * - "RSA Session-ID:xxxx Master-Key:yyyy"
7069 * Where xxxx is the SSL session ID (hex-encoded)
7070 * Where yyyy is the cleartext master secret (hex-encoded)
7071 * (added to support openssl s_client Master-Key output)
7072 * This is somewhat is a misnomer because there's nothing RSA specific
7073 * about this.
7074 *
7075 * - "PMS_CLIENT_RANDOM xxxx yyyy"
7076 * Where xxxx is the client_random from the ClientHello (hex-encoded)
7077 * Where yyyy is the cleartext pre-master secret (hex-encoded)
7078 * (This format allows SSL connections to be decrypted, if a user can
7079 * capture the PMS but could not recover the MS for a specific session
7080 * with a SSL Server.)
7081 *
7082 * - "CLIENT_RANDOM xxxx yyyy"
7083 * Where xxxx is the client_random from the ClientHello (hex-encoded)
7084 * Where yyyy is the cleartext master secret (hex-encoded)
7085 * (This format allows non-RSA SSL connections to be decrypted, i.e.
7086 * ECDHE-RSA.)
7087 *
7088 * - "CLIENT_EARLY_TRAFFIC_SECRET xxxx yyyy"
7089 * - "CLIENT_HANDSHAKE_TRAFFIC_SECRET xxxx yyyy"
7090 * - "SERVER_HANDSHAKE_TRAFFIC_SECRET xxxx yyyy"
7091 * - "CLIENT_TRAFFIC_SECRET_0 xxxx yyyy"
7092 * - "SERVER_TRAFFIC_SECRET_0 xxxx yyyy"
7093 * - "EARLY_EXPORTER_SECRET xxxx yyyy"
7094 * - "EXPORTER_SECRET xxxx yyyy"
7095 * Where xxxx is the client_random from the ClientHello (hex-encoded)
7096 * Where yyyy is the secret (hex-encoded) derived from the early,
7097 * handshake or master secrets. (This format is introduced with TLS 1.3
7098 * and supported by BoringSSL, OpenSSL, etc. See bug 12779.)
7099 */
7100 GRegex *regex = ssl_compile_keyfile_regex();
7101 if (!regex)
7102 return;
7103
7104 const char *next_line = (const char *)data;
7105 const char *line_end = next_line + datalen;
7106 while (next_line && next_line < line_end) {
7107 const char *line = next_line;
7108 next_line = (const char *)memchr(line, '\n', line_end - line);
7109 ssize_t linelen;
7110
7111 if (next_line) {
7112 linelen = next_line - line;
7113 next_line++; /* drop LF */
7114 } else {
7115 linelen = (ssize_t)(line_end - line);
7116 }
7117 if (linelen > 0 && line[linelen - 1] == '\r') {
7118 linelen--; /* drop CR */
7119 }
7120
7121 ssl_debug_printf(" checking keylog line: %.*s\n", (int)linelen, line);
7122 GMatchInfo *mi;
7123 if (g_regex_match_full(regex, line, linelen, 0, G_REGEX_MATCH_ANCHORED, &mi, NULL((void*)0))) {
7124 char *hex_key, *hex_pre_ms_or_ms;
7125 StringInfo *key = wmem_new(wmem_file_scope(), StringInfo)((StringInfo*)wmem_alloc((wmem_file_scope()), sizeof(StringInfo
)));
7126 StringInfo *pre_ms_or_ms = NULL((void*)0);
7127 GHashTable *ht = NULL((void*)0);
7128
7129 /* Is the PMS being supplied with the PMS_CLIENT_RANDOM
7130 * otherwise we will use the Master Secret
7131 */
7132 hex_pre_ms_or_ms = g_match_info_fetch_named(mi, "master_secret");
7133 if (hex_pre_ms_or_ms == NULL((void*)0) || !*hex_pre_ms_or_ms) {
7134 g_free(hex_pre_ms_or_ms);
7135 hex_pre_ms_or_ms = g_match_info_fetch_named(mi, "pms");
7136 }
7137 if (hex_pre_ms_or_ms == NULL((void*)0) || !*hex_pre_ms_or_ms) {
7138 g_free(hex_pre_ms_or_ms);
7139 hex_pre_ms_or_ms = g_match_info_fetch_named(mi, "derived_secret");
7140 }
7141 /* There is always a match, otherwise the regex is wrong. */
7142 DISSECTOR_ASSERT(hex_pre_ms_or_ms && strlen(hex_pre_ms_or_ms))((void) ((hex_pre_ms_or_ms && strlen(hex_pre_ms_or_ms
)) ? (void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\""
, "epan/dissectors/packet-tls-utils.c", 7142, "hex_pre_ms_or_ms && strlen(hex_pre_ms_or_ms)"
))));
7143
7144 /* convert from hex to bytes and save to hashtable */
7145 pre_ms_or_ms = wmem_new(wmem_file_scope(), StringInfo)((StringInfo*)wmem_alloc((wmem_file_scope()), sizeof(StringInfo
)));
7146 from_hex(pre_ms_or_ms, hex_pre_ms_or_ms, strlen(hex_pre_ms_or_ms));
7147 g_free(hex_pre_ms_or_ms);
7148
7149 /* Find a master key from any format (CLIENT_RANDOM, SID, ...) */
7150 for (unsigned i = 0; i < G_N_ELEMENTS(mk_groups)(sizeof (mk_groups) / sizeof ((mk_groups)[0])); i++) {
7151 ssl_master_key_match_group_t *g = &mk_groups[i];
7152 hex_key = g_match_info_fetch_named(mi, g->re_group_name);
7153 if (hex_key && *hex_key) {
7154 ssl_debug_printf(" matched %s\n", g->re_group_name);
7155 ht = g->master_key_ht;
7156 from_hex(key, hex_key, strlen(hex_key));
7157 g_free(hex_key);
7158 break;
7159 }
7160 g_free(hex_key);
7161 }
7162 DISSECTOR_ASSERT(ht)((void) ((ht) ? (void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\""
, "epan/dissectors/packet-tls-utils.c", 7162, "ht")))); /* Cannot be reached, or regex is wrong. */
7163
7164 g_hash_table_insert(ht, key, pre_ms_or_ms);
7165
7166 } else if (linelen > 0 && line[0] != '#') {
7167 ssl_debug_printf(" unrecognized line\n");
7168 }
7169 /* always free match info even if there is no match. */
7170 g_match_info_free(mi);
7171 }
7172}
7173
7174void
7175ssl_load_keyfile(const char *tls_keylog_filename, FILE **keylog_file,
7176 const ssl_master_key_map_t *mk_map)
7177{
7178 /* no need to try if no key log file is configured. */
7179 if (!tls_keylog_filename || !*tls_keylog_filename) {
7180 ssl_debug_printf("%s dtls/tls.keylog_file is not configured!\n",
7181 G_STRFUNC((const char*) (__func__)));
7182 return;
7183 }
7184
7185 /* Validate regexes before even trying to use it. */
7186 if (!ssl_compile_keyfile_regex()) {
7187 return;
7188 }
7189
7190 ssl_debug_printf("trying to use TLS keylog in %s\n", tls_keylog_filename);
7191
7192 /* if the keylog file was deleted/overwritten, re-open it */
7193 if (*keylog_file && file_needs_reopen(ws_filenofileno(*keylog_file), tls_keylog_filename)) {
7194 ssl_debug_printf("%s file got deleted, trying to re-open\n", G_STRFUNC((const char*) (__func__)));
7195 fclose(*keylog_file);
7196 *keylog_file = NULL((void*)0);
7197 }
7198
7199 if (*keylog_file == NULL((void*)0)) {
7200 *keylog_file = ws_fopenfopen(tls_keylog_filename, "r");
7201 if (!*keylog_file) {
7202 ssl_debug_printf("%s failed to open SSL keylog\n", G_STRFUNC((const char*) (__func__)));
7203 return;
7204 }
7205 }
7206
7207 for (;;) {
7208 char buf[1110], *line;
7209 line = fgets(buf, sizeof(buf), *keylog_file);
7210 if (!line) {
7211 if (feof(*keylog_file)) {
7212 /* Ensure that newly appended keys can be read in the future. */
7213 clearerr(*keylog_file);
7214 } else if (ferror(*keylog_file)) {
7215 ssl_debug_printf("%s Error while reading key log file, closing it!\n", G_STRFUNC((const char*) (__func__)));
7216 fclose(*keylog_file);
7217 *keylog_file = NULL((void*)0);
7218 }
7219 break;
7220 }
7221 tls_keylog_process_lines(mk_map, (uint8_t *)line, (int)strlen(line));
7222 }
7223}
7224/** SSL keylog file handling. }}} */
7225
7226#ifdef SSL_DECRYPT_DEBUG /* {{{ */
7227
7228static FILE* ssl_debug_file;
7229
7230void
7231ssl_set_debug(const char* name)
7232{
7233 static int debug_file_must_be_closed;
7234 int use_stderr;
7235
7236 use_stderr = name?(strcmp(name, SSL_DEBUG_USE_STDERR"-") == 0):0;
7237
7238 if (debug_file_must_be_closed)
7239 fclose(ssl_debug_file);
7240
7241 if (use_stderr)
7242 ssl_debug_file = stderrstderr;
7243 else if (!name || (strcmp(name, "") ==0))
7244 ssl_debug_file = NULL((void*)0);
7245 else
7246 ssl_debug_file = ws_fopenfopen(name, "w");
7247
7248 if (!use_stderr && ssl_debug_file)
7249 debug_file_must_be_closed = 1;
7250 else
7251 debug_file_must_be_closed = 0;
7252
7253 ssl_debug_printf("Wireshark SSL debug log \n\n");
7254#ifdef HAVE_LIBGNUTLS1
7255 ssl_debug_printf("GnuTLS version: %s\n", gnutls_check_version(NULL((void*)0)));
7256#endif
7257 ssl_debug_printf("Libgcrypt version: %s\n", gcry_check_version(NULL((void*)0)));
7258 ssl_debug_printf("\n");
7259}
7260
7261void
7262ssl_debug_flush(void)
7263{
7264 if (ssl_debug_file)
7265 fflush(ssl_debug_file);
7266}
7267
7268void
7269ssl_debug_printf(const char* fmt, ...)
7270{
7271 va_list ap;
7272
7273 if (!ssl_debug_file)
7274 return;
7275
7276 va_start(ap, fmt)__builtin_va_start(ap, fmt);
7277 vfprintf(ssl_debug_file, fmt, ap);
7278 va_end(ap)__builtin_va_end(ap);
7279}
7280
7281void
7282ssl_print_data(const char* name, const unsigned char* data, size_t len)
7283{
7284 size_t i, j, k;
7285 if (!ssl_debug_file)
7286 return;
7287 fprintf(ssl_debug_file,"%s[%d]:\n",name, (int) len);
7288 for (i=0; i<len; i+=16) {
7289 fprintf(ssl_debug_file,"| ");
7290 for (j=i, k=0; k<16 && j<len; ++j, ++k)
7291 fprintf(ssl_debug_file,"%.2x ",data[j]);
7292 for (; k<16; ++k)
7293 fprintf(ssl_debug_file," ");
7294 fputc('|', ssl_debug_file);
7295 for (j=i, k=0; k<16 && j<len; ++j, ++k) {
7296 unsigned char c = data[j];
7297 if (!g_ascii_isprint(c)((g_ascii_table[(guchar) (c)] & G_ASCII_PRINT) != 0) || (c=='\t')) c = '.';
7298 fputc(c, ssl_debug_file);
7299 }
7300 for (; k<16; ++k)
7301 fputc(' ', ssl_debug_file);
7302 fprintf(ssl_debug_file,"|\n");
7303 }
7304}
7305
7306void
7307ssl_print_string(const char* name, const StringInfo* data)
7308{
7309 ssl_print_data(name, data->data, data->data_len);
7310}
7311#endif /* SSL_DECRYPT_DEBUG }}} */
7312
7313/* UAT preferences callbacks. {{{ */
7314/* checks for SSL and DTLS UAT key list fields */
7315
7316bool_Bool
7317ssldecrypt_uat_fld_ip_chk_cb(void* r _U___attribute__((unused)), const char* p _U___attribute__((unused)), unsigned len _U___attribute__((unused)), const void* u1 _U___attribute__((unused)), const void* u2 _U___attribute__((unused)), char** err)
7318{
7319 // This should be removed in favor of Decode As. Make it optional.
7320 *err = NULL((void*)0);
7321 return true1;
7322}
7323
7324bool_Bool
7325ssldecrypt_uat_fld_port_chk_cb(void* r _U___attribute__((unused)), const char* p, unsigned len _U___attribute__((unused)), const void* u1 _U___attribute__((unused)), const void* u2 _U___attribute__((unused)), char** err)
7326{
7327 if (!p || strlen(p) == 0u) {
7328 // This should be removed in favor of Decode As. Make it optional.
7329 *err = NULL((void*)0);
7330 return true1;
7331 }
7332
7333 if (strcmp(p, "start_tls") != 0){
7334 uint16_t port;
7335 if (!ws_strtou16(p, NULL((void*)0), &port)) {
7336 *err = g_strdup("Invalid port given.")g_strdup_inline ("Invalid port given.");
7337 return false0;
7338 }
7339 }
7340
7341 *err = NULL((void*)0);
7342 return true1;
7343}
7344
7345bool_Bool
7346ssldecrypt_uat_fld_fileopen_chk_cb(void* r _U___attribute__((unused)), const char* p, unsigned len _U___attribute__((unused)), const void* u1 _U___attribute__((unused)), const void* u2 _U___attribute__((unused)), char** err)
7347{
7348 ws_statb64struct stat st;
7349
7350 if (!p || strlen(p) == 0u) {
7351 *err = g_strdup("No filename given.")g_strdup_inline ("No filename given.");
7352 return false0;
7353 } else {
7354 if (ws_stat64stat(p, &st) != 0) {
7355 *err = ws_strdup_printf("File '%s' does not exist or access is denied.", p)wmem_strdup_printf(((void*)0), "File '%s' does not exist or access is denied."
, p);
7356 return false0;
7357 }
7358 }
7359
7360 *err = NULL((void*)0);
7361 return true1;
7362}
7363
7364bool_Bool
7365ssldecrypt_uat_fld_password_chk_cb(void *r _U___attribute__((unused)), const char *p _U___attribute__((unused)), unsigned len _U___attribute__((unused)), const void *u1 _U___attribute__((unused)), const void *u2 _U___attribute__((unused)), char **err)
7366{
7367#if defined(HAVE_LIBGNUTLS1)
7368 ssldecrypt_assoc_t* f = (ssldecrypt_assoc_t *)r;
7369 FILE *fp = NULL((void*)0);
7370
7371 if (p && (strlen(p) > 0u)) {
7372 fp = ws_fopenfopen(f->keyfile, "rb");
7373 if (fp) {
7374 char *msg = NULL((void*)0);
7375 gnutls_x509_privkey_t priv_key = rsa_load_pkcs12(fp, p, &msg);
7376 if (!priv_key) {
7377 fclose(fp);
7378 *err = ws_strdup_printf("Could not load PKCS#12 key file: %s", msg)wmem_strdup_printf(((void*)0), "Could not load PKCS#12 key file: %s"
, msg);
7379 g_free(msg);
7380 return false0;
7381 }
7382 g_free(msg);
7383 gnutls_x509_privkey_deinit(priv_key);
7384 fclose(fp);
7385 } else {
7386 *err = ws_strdup_printf("Leave this field blank if the keyfile is not PKCS#12.")wmem_strdup_printf(((void*)0), "Leave this field blank if the keyfile is not PKCS#12."
);
7387 return false0;
7388 }
7389 }
7390
7391 *err = NULL((void*)0);
7392 return true1;
7393#else
7394 *err = g_strdup("Cannot load key files, support is not compiled in.")g_strdup_inline ("Cannot load key files, support is not compiled in."
);
7395 return false0;
7396#endif
7397}
7398/* UAT preferences callbacks. }}} */
7399
7400/** maximum size of ssl_association_info() string */
7401#define SSL_ASSOC_MAX_LEN8192 8192
7402
7403typedef struct ssl_association_info_callback_data
7404{
7405 char *str;
7406 const char *table_protocol;
7407} ssl_association_info_callback_data_t;
7408
7409/**
7410 * callback function used by ssl_association_info() to traverse the SSL associations.
7411 */
7412static void
7413ssl_association_info_(const char *table _U___attribute__((unused)), void *handle, void *user_data)
7414{
7415 ssl_association_info_callback_data_t* data = (ssl_association_info_callback_data_t*)user_data;
7416 const int l = (const int)strlen(data->str);
7417 snprintf(data->str+l, SSL_ASSOC_MAX_LEN8192-l, "'%s' (%s)\n", dissector_handle_get_dissector_name((dissector_handle_t)handle), dissector_handle_get_description((dissector_handle_t)handle));
7418}
7419
7420/**
7421 * @return an information string on the SSL protocol associations. The string must be freed.
7422 */
7423char*
7424ssl_association_info(const char* dissector_table_name, const char* table_protocol)
7425{
7426 ssl_association_info_callback_data_t data;
7427
7428 data.str = (char *)g_malloc0(SSL_ASSOC_MAX_LEN8192);
7429 data.table_protocol = table_protocol;
7430 dissector_table_foreach_handle(dissector_table_name, ssl_association_info_, &data);
7431 return data.str;
7432}
7433
7434
7435/** Begin of code related to dissection of wire data. */
7436
7437/* Helpers for dissecting Variable-Length Vectors. {{{ */
7438bool_Bool
7439ssl_add_vector(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
7440 unsigned offset, unsigned offset_end, uint32_t *ret_length,
7441 int hf_length, uint32_t min_value, uint32_t max_value)
7442{
7443 unsigned veclen_size;
7444 uint32_t veclen_value;
7445 proto_item *pi;
7446
7447 DISSECTOR_ASSERT_CMPUINT(min_value, <=, max_value)((void) ((min_value <= max_value) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion " "min_value" " " "<=" " " "max_value"
" (" "%" "l" "u" " " "<=" " " "%" "l" "u" ")", "epan/dissectors/packet-tls-utils.c"
, 7447, (uint64_t)min_value, (uint64_t)max_value))));
7448 if (offset > offset_end) {
7449 expert_add_info_format(pinfo, tree, &hf->ei.malformed_buffer_too_small,
7450 "Vector offset is past buffer end offset (%u > %u)",
7451 offset, offset_end);
7452 *ret_length = 0;
7453 return false0; /* Cannot read length. */
7454 }
7455
7456 if (max_value > 0xffffff) {
7457 veclen_size = 4;
7458 } else if (max_value > 0xffff) {
7459 veclen_size = 3;
7460 } else if (max_value > 0xff) {
7461 veclen_size = 2;
7462 } else {
7463 veclen_size = 1;
7464 }
7465
7466 if (offset_end - offset < veclen_size) {
7467 proto_tree_add_expert_format(tree, pinfo, &hf->ei.malformed_buffer_too_small,
7468 tvb, offset, offset_end - offset,
7469 "No more room for vector of length %u",
7470 veclen_size);
7471 *ret_length = 0;
7472 return false0; /* Cannot read length. */
7473 }
7474
7475 pi = proto_tree_add_item_ret_uint(tree, hf_length, tvb, offset, veclen_size, ENC_BIG_ENDIAN0x00000000, &veclen_value);
7476 offset += veclen_size;
7477
7478 if (veclen_value < min_value) {
7479 expert_add_info_format(pinfo, pi, &hf->ei.malformed_vector_length,
7480 "Vector length %u is smaller than minimum %u",
7481 veclen_value, min_value);
7482 } else if (veclen_value > max_value) {
7483 expert_add_info_format(pinfo, pi, &hf->ei.malformed_vector_length,
7484 "Vector length %u is larger than maximum %u",
7485 veclen_value, max_value);
7486 }
7487
7488 if (offset_end - offset < veclen_value) {
7489 expert_add_info_format(pinfo, pi, &hf->ei.malformed_buffer_too_small,
7490 "Vector length %u is too large, truncating it to %u",
7491 veclen_value, offset_end - offset);
7492 *ret_length = offset_end - offset;
7493 return false0; /* Length is truncated to avoid overflow. */
7494 }
7495
7496 *ret_length = veclen_value;
7497 return true1; /* Length is OK. */
7498}
7499
7500bool_Bool
7501ssl_end_vector(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
7502 unsigned offset, unsigned offset_end)
7503{
7504 if (offset < offset_end) {
7505 unsigned trailing = offset_end - offset;
7506 proto_tree_add_expert_format(tree, pinfo, &hf->ei.malformed_trailing_data,
7507 tvb, offset, trailing,
7508 "%u trailing byte%s unprocessed",
7509 trailing, plurality(trailing, " was", "s were")((trailing) == 1 ? (" was") : ("s were")));
7510 return false0; /* unprocessed data warning */
7511 } else if (offset > offset_end) {
7512 /*
7513 * Returned offset runs past the end. This should not happen and is
7514 * possibly a dissector bug.
7515 */
7516 unsigned excess = offset - offset_end;
7517 proto_tree_add_expert_format(tree, pinfo, &hf->ei.malformed_buffer_too_small,
7518 tvb, offset_end, excess,
7519 "Dissector processed too much data (%u byte%s)",
7520 excess, plurality(excess, "", "s")((excess) == 1 ? ("") : ("s")));
7521 return false0; /* overflow error */
7522 }
7523
7524 return true1; /* OK, offset matches. */
7525}
7526/** }}} */
7527
7528
7529static uint32_t
7530ssl_dissect_digitally_signed(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
7531 proto_tree *tree, uint32_t offset, uint32_t offset_end,
7532 uint16_t version, int hf_sig_len, int hf_sig);
7533
7534/* change_cipher_spec(20) dissection */
7535void
7536ssl_dissect_change_cipher_spec(ssl_common_dissect_t *hf, tvbuff_t *tvb,
7537 packet_info *pinfo, proto_tree *tree,
7538 uint32_t offset, SslSession *session,
7539 bool_Bool is_from_server,
7540 const SslDecryptSession *ssl)
7541{
7542 /*
7543 * struct {
7544 * enum { change_cipher_spec(1), (255) } type;
7545 * } ChangeCipherSpec;
7546 */
7547 proto_item *ti;
7548 proto_item_set_text(tree,
7549 "%s Record Layer: %s Protocol: Change Cipher Spec",
7550 val_to_str_const(session->version, ssl_version_short_names, "SSL"),
7551 val_to_str_const(SSL_ID_CHG_CIPHER_SPEC, ssl_31_content_type, "unknown"));
7552 ti = proto_tree_add_item(tree, hf->hf.change_cipher_spec, tvb, offset, 1, ENC_NA0x00000000);
7553
7554 if (session->version == TLSV1DOT3_VERSION0x304) {
7555 /* CCS is a dummy message in TLS 1.3, do not parse it further. */
7556 return;
7557 }
7558
7559 /* Remember frame number of first CCS */
7560 uint32_t *ccs_frame = is_from_server ? &session->server_ccs_frame : &session->client_ccs_frame;
7561 if (*ccs_frame == 0)
7562 *ccs_frame = pinfo->num;
7563
7564 /* Use heuristics to detect an abbreviated handshake, assume that missing
7565 * ServerHelloDone implies reusing previously negotiating keys. Then when
7566 * a Session ID or ticket is present, it must be a resumed session.
7567 * Normally this should be done at the Finished message, but that may be
7568 * encrypted so we do it here, at the last cleartext message. */
7569 if (is_from_server && ssl) {
7570 if (session->is_session_resumed) {
7571 const char *resumed = NULL((void*)0);
7572 if (ssl->session_ticket.data_len) {
7573 resumed = "Session Ticket";
7574 } else if (ssl->session_id.data_len) {
7575 resumed = "Session ID";
7576 }
7577 if (resumed) {
7578 ssl_debug_printf("%s Session resumption using %s\n", G_STRFUNC((const char*) (__func__)), resumed);
7579 } else {
7580 /* Can happen if the capture somehow starts in the middle */
7581 ssl_debug_printf("%s No Session resumption, missing packets?\n", G_STRFUNC((const char*) (__func__)));
7582 }
7583 } else {
7584 ssl_debug_printf("%s Not using Session resumption\n", G_STRFUNC((const char*) (__func__)));
7585 }
7586 }
7587 if (is_from_server && session->is_session_resumed)
7588 expert_add_info(pinfo, ti, &hf->ei.resumed);
7589}
7590
7591/** Begin of handshake(22) record dissections */
7592
7593/* Dissects a SignatureScheme (TLS 1.3) or SignatureAndHashAlgorithm (TLS 1.2).
7594 * {{{ */
7595static void
7596tls_dissect_signature_algorithm(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree, uint32_t offset, ja4_data_t *ja4_data)
7597{
7598 uint32_t sighash, hashalg, sigalg;
7599 proto_item *ti_sigalg;
7600 proto_tree *sigalg_tree;
7601
7602 ti_sigalg = proto_tree_add_item_ret_uint(tree, hf->hf.hs_sig_hash_alg, tvb,
7603 offset, 2, ENC_BIG_ENDIAN0x00000000, &sighash);
7604 if (ja4_data) {
7605 wmem_list_append(ja4_data->sighash_list, GUINT_TO_POINTER(sighash)((gpointer) (gulong) (sighash)));
7606 }
7607
7608 sigalg_tree = proto_item_add_subtree(ti_sigalg, hf->ett.hs_sig_hash_alg);
7609
7610 /* TLS 1.2: SignatureAndHashAlgorithm { hash, signature } */
7611 proto_tree_add_item_ret_uint(sigalg_tree, hf->hf.hs_sig_hash_hash, tvb,
7612 offset, 1, ENC_BIG_ENDIAN0x00000000, &hashalg);
7613 proto_tree_add_item_ret_uint(sigalg_tree, hf->hf.hs_sig_hash_sig, tvb,
7614 offset + 1, 1, ENC_BIG_ENDIAN0x00000000, &sigalg);
7615
7616 /* No TLS 1.3 SignatureScheme? Fallback to TLS 1.2 interpretation. */
7617 if (!try_val_to_str(sighash, tls13_signature_algorithm)) {
7618 proto_item_set_text(ti_sigalg, "Signature Algorithm: %s %s (0x%04x)",
7619 val_to_str_const(hashalg, tls_hash_algorithm, "Unknown"),
7620 val_to_str_const(sigalg, tls_signature_algorithm, "Unknown"),
7621 sighash);
7622 }
7623} /* }}} */
7624
7625/* dissect a list of hash algorithms, return the number of bytes dissected
7626 this is used for the signature algorithms extension and for the
7627 TLS1.2 certificate request. {{{ */
7628static int
7629ssl_dissect_hash_alg_list(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree,
7630 packet_info* pinfo, uint32_t offset, uint32_t offset_end, ja4_data_t *ja4_data)
7631{
7632 /* https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1
7633 * struct {
7634 * HashAlgorithm hash;
7635 * SignatureAlgorithm signature;
7636 * } SignatureAndHashAlgorithm;
7637 * SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2>;
7638 */
7639 proto_tree *subtree;
7640 proto_item *ti;
7641 unsigned sh_alg_length;
7642 uint32_t next_offset;
7643
7644 /* SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2> */
7645 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &sh_alg_length,
7646 hf->hf.hs_sig_hash_alg_len, 2, UINT16_MAX(65535) - 1)) {
7647 return offset_end;
7648 }
7649 offset += 2;
7650 next_offset = offset + sh_alg_length;
7651
7652 ti = proto_tree_add_none_format(tree, hf->hf.hs_sig_hash_algs, tvb, offset, sh_alg_length,
7653 "Signature Hash Algorithms (%u algorithm%s)",
7654 sh_alg_length / 2, plurality(sh_alg_length / 2, "", "s")((sh_alg_length / 2) == 1 ? ("") : ("s")));
7655 subtree = proto_item_add_subtree(ti, hf->ett.hs_sig_hash_algs);
7656
7657 while (offset + 2 <= next_offset) {
7658 tls_dissect_signature_algorithm(hf, tvb, subtree, offset, ja4_data);
7659 offset += 2;
7660 }
7661
7662 if (!ssl_end_vector(hf, tvb, pinfo, subtree, offset, next_offset)) {
7663 offset = next_offset;
7664 }
7665
7666 return offset;
7667} /* }}} */
7668
7669/* Dissection of DistinguishedName (for CertificateRequest and
7670 * certificate_authorities extension). {{{ */
7671static uint32_t
7672tls_dissect_certificate_authorities(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
7673 proto_tree *tree, uint32_t offset, uint32_t offset_end)
7674{
7675 proto_item *ti;
7676 proto_tree *subtree;
7677 uint32_t dnames_length, next_offset;
7678 asn1_ctx_t asn1_ctx;
7679 int dnames_count = 100; /* the maximum number of DNs to add to the tree */
7680
7681 /* Note: minimum length is 0 for TLS 1.1/1.2 and 3 for earlier/later */
7682 /* DistinguishedName certificate_authorities<0..2^16-1> */
7683 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &dnames_length,
7684 hf->hf.hs_dnames_len, 0, UINT16_MAX(65535))) {
7685 return offset_end;
7686 }
7687 offset += 2;
7688 next_offset = offset + dnames_length;
7689
7690 if (dnames_length > 0) {
7691 ti = proto_tree_add_none_format(tree,
7692 hf->hf.hs_dnames,
7693 tvb, offset, dnames_length,
7694 "Distinguished Names (%d byte%s)",
7695 dnames_length,
7696 plurality(dnames_length, "", "s")((dnames_length) == 1 ? ("") : ("s")));
7697 subtree = proto_item_add_subtree(ti, hf->ett.dnames);
7698
7699 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true1, pinfo);
7700
7701 while (offset < next_offset) {
7702 /* get the length of the current certificate */
7703 uint32_t name_length;
7704
7705 if (dnames_count-- == 0) {
7706 /* stop adding to tree when the list is considered too large
7707 * https://gitlab.com/wireshark/wireshark/-/issues/16202
7708 Note: dnames_count must be set low enough not to hit the
7709 limit set by PINFO_LAYER_MAX_RECURSION_DEPTH in packet.c
7710 */
7711 ti = proto_tree_add_item(subtree, hf->hf.hs_dnames_truncated,
7712 tvb, offset, next_offset - offset, ENC_NA0x00000000);
7713 proto_item_set_generated(ti);
7714 return next_offset;
7715 }
7716
7717 /* opaque DistinguishedName<1..2^16-1> */
7718 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, next_offset, &name_length,
7719 hf->hf.hs_dname_len, 1, UINT16_MAX(65535))) {
7720 return next_offset;
7721 }
7722 offset += 2;
7723
7724 dissect_x509if_DistinguishedName(false0, tvb, offset, &asn1_ctx,
7725 subtree, hf->hf.hs_dname);
7726 offset += name_length;
7727 }
7728 }
7729 return offset;
7730} /* }}} */
7731
7732
7733/** TLS Extensions (in Client Hello and Server Hello). {{{ */
7734static int
7735ssl_dissect_hnd_hello_ext_sig_hash_algs(ssl_common_dissect_t *hf, tvbuff_t *tvb,
7736 proto_tree *tree, packet_info* pinfo, uint32_t offset, uint32_t offset_end, ja4_data_t *ja4_data)
7737{
7738 return ssl_dissect_hash_alg_list(hf, tvb, tree, pinfo, offset, offset_end, ja4_data);
7739}
7740
7741static int
7742ssl_dissect_hnd_ext_delegated_credentials(ssl_common_dissect_t *hf, tvbuff_t *tvb,
7743 proto_tree *tree, packet_info* pinfo, uint32_t offset, uint32_t offset_end, uint8_t hnd_type)
7744{
7745 if (hnd_type == SSL_HND_CLIENT_HELLO ||
7746 hnd_type == SSL_HND_CERT_REQUEST) {
7747 /*
7748 * struct {
7749 * SignatureScheme supported_signature_algorithm<2..2^16-2>;
7750 * } SignatureSchemeList;
7751 */
7752
7753 return ssl_dissect_hash_alg_list(hf, tvb, tree, pinfo, offset, offset_end, NULL((void*)0));
7754 } else {
7755 asn1_ctx_t asn1_ctx;
7756 unsigned pubkey_length, sign_length;
7757
7758 /*
7759 * struct {
7760 * uint32 valid_time;
7761 * SignatureScheme expected_cert_verify_algorithm;
7762 * opaque ASN1_subjectPublicKeyInfo<1..2^24-1>;
7763 * } Credential;
7764 *
7765 * struct {
7766 * Credential cred;
7767 * SignatureScheme algorithm;
7768 * opaque signature<0..2^16-1>;
7769 * } DelegatedCredential;
7770 */
7771
7772 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true1, pinfo);
7773
7774 proto_tree_add_item(tree, hf->hf.hs_cred_valid_time, tvb, offset, 4, ENC_BIG_ENDIAN0x00000000);
7775 offset += 4;
7776
7777 tls_dissect_signature_algorithm(hf, tvb, tree, offset, NULL((void*)0));
7778 offset += 2;
7779
7780 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &pubkey_length,
7781 hf->hf.hs_cred_pubkey_len, 1, G_MAXUINT24((1U << 24) - 1))) {
7782 return offset_end;
7783 }
7784 offset += 3;
7785 dissect_x509af_SubjectPublicKeyInfo(false0, tvb, offset, &asn1_ctx, tree, hf->hf.hs_cred_pubkey);
7786 offset += pubkey_length;
7787
7788 tls_dissect_signature_algorithm(hf, tvb, tree, offset, NULL((void*)0));
7789 offset += 2;
7790
7791 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &sign_length,
7792 hf->hf.hs_cred_signature_len, 1, UINT16_MAX(65535))) {
7793 return offset_end;
7794 }
7795 offset += 2;
7796 proto_tree_add_item(tree, hf->hf.hs_cred_signature,
7797 tvb, offset, sign_length, ENC_ASCII0x00000000|ENC_NA0x00000000);
7798 offset += sign_length;
7799
7800 return offset;
7801 }
7802}
7803
7804static int
7805ssl_dissect_hnd_hello_ext_alps(ssl_common_dissect_t *hf, tvbuff_t *tvb,
7806 packet_info *pinfo, proto_tree *tree,
7807 uint32_t offset, uint32_t offset_end,
7808 uint8_t hnd_type)
7809{
7810
7811 /* https://datatracker.ietf.org/doc/html/draft-vvv-tls-alps-01#section-4 */
7812
7813 switch (hnd_type) {
7814 case SSL_HND_CLIENT_HELLO: {
7815 proto_tree *alps_tree;
7816 proto_item *ti;
7817 uint32_t next_offset, alps_length, name_length;
7818
7819 /*
7820 * opaque ProtocolName<1..2^8-1>;
7821 * struct {
7822 * ProtocolName supported_protocols<2..2^16-1>
7823 * } ApplicationSettingsSupport;
7824 */
7825
7826 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &alps_length,
7827 hf->hf.hs_ext_alps_len, 2, UINT16_MAX(65535))) {
7828 return offset_end;
7829 }
7830 offset += 2;
7831 next_offset = offset + alps_length;
7832
7833 ti = proto_tree_add_item(tree, hf->hf.hs_ext_alps_alpn_list,
7834 tvb, offset, alps_length, ENC_NA0x00000000);
7835 alps_tree = proto_item_add_subtree(ti, hf->ett.hs_ext_alps);
7836
7837 /* Parse list (note missing check for end of vector, ssl_add_vector below
7838 * ensures that data is always available.) */
7839 while (offset < next_offset) {
7840 if (!ssl_add_vector(hf, tvb, pinfo, alps_tree, offset, next_offset, &name_length,
7841 hf->hf.hs_ext_alps_alpn_str_len, 1, UINT8_MAX(255))) {
7842 return next_offset;
7843 }
7844 offset++;
7845
7846 proto_tree_add_item(alps_tree, hf->hf.hs_ext_alps_alpn_str,
7847 tvb, offset, name_length, ENC_ASCII0x00000000|ENC_NA0x00000000);
7848 offset += name_length;
7849 }
7850
7851 return offset;
7852 }
7853 case SSL_HND_ENCRYPTED_EXTS:
7854 /* Opaque blob */
7855 proto_tree_add_item(tree, hf->hf.hs_ext_alps_settings,
7856 tvb, offset, offset_end - offset, ENC_ASCII0x00000000|ENC_NA0x00000000);
7857 break;
7858 }
7859
7860 return offset_end;
7861}
7862
7863static int
7864ssl_dissect_hnd_hello_ext_alpn(ssl_common_dissect_t *hf, tvbuff_t *tvb,
7865 packet_info *pinfo, proto_tree *tree,
7866 uint32_t offset, uint32_t offset_end,
7867 uint8_t hnd_type, SslSession *session,
7868 bool_Bool is_dtls, ja4_data_t *ja4_data)
7869{
7870
7871 /* https://tools.ietf.org/html/rfc7301#section-3.1
7872 * opaque ProtocolName<1..2^8-1>;
7873 * struct {
7874 * ProtocolName protocol_name_list<2..2^16-1>
7875 * } ProtocolNameList;
7876 */
7877 proto_tree *alpn_tree;
7878 proto_item *ti;
7879 uint32_t next_offset, alpn_length, name_length;
7880 const char *proto_name = NULL((void*)0), *client_proto_name = NULL((void*)0);
7881
7882 /* ProtocolName protocol_name_list<2..2^16-1> */
7883 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &alpn_length,
7884 hf->hf.hs_ext_alpn_len, 2, UINT16_MAX(65535))) {
7885 return offset_end;
7886 }
7887 offset += 2;
7888 next_offset = offset + alpn_length;
7889
7890 ti = proto_tree_add_item(tree, hf->hf.hs_ext_alpn_list,
7891 tvb, offset, alpn_length, ENC_NA0x00000000);
7892 alpn_tree = proto_item_add_subtree(ti, hf->ett.hs_ext_alpn);
7893
7894 /* Parse list (note missing check for end of vector, ssl_add_vector below
7895 * ensures that data is always available.) */
7896 while (offset < next_offset) {
7897 /* opaque ProtocolName<1..2^8-1> */
7898 if (!ssl_add_vector(hf, tvb, pinfo, alpn_tree, offset, next_offset, &name_length,
7899 hf->hf.hs_ext_alpn_str_len, 1, UINT8_MAX(255))) {
7900 return next_offset;
7901 }
7902 offset++;
7903
7904 proto_tree_add_item(alpn_tree, hf->hf.hs_ext_alpn_str,
7905 tvb, offset, name_length, ENC_ASCII0x00000000|ENC_NA0x00000000);
7906 if (ja4_data && wmem_strbuf_get_len(ja4_data->alpn) == 0) {
7907 const char alpn_first_char = (char)tvb_get_uint8(tvb,offset);
7908 const char alpn_last_char = (char)tvb_get_uint8(tvb,offset + name_length - 1);
7909 if ((g_ascii_isalnum(alpn_first_char)((g_ascii_table[(guchar) (alpn_first_char)] & G_ASCII_ALNUM
) != 0)) && g_ascii_isalnum(alpn_last_char)((g_ascii_table[(guchar) (alpn_last_char)] & G_ASCII_ALNUM
) != 0)) {
7910 wmem_strbuf_append_printf(ja4_data->alpn, "%c%c", alpn_first_char, alpn_last_char);
7911 }
7912 else {
7913 wmem_strbuf_append_printf(ja4_data->alpn, "%x%x",(alpn_first_char >> 4) & 0x0F,
7914 alpn_last_char & 0x0F);
7915 }
7916 }
7917 /* Remember first ALPN ProtocolName entry for server. */
7918 if (hnd_type == SSL_HND_SERVER_HELLO || hnd_type == SSL_HND_ENCRYPTED_EXTENSIONS) {
7919 /* '\0'-terminated string for dissector table match and prefix
7920 * comparison purposes. */
7921 proto_name = (char*)tvb_get_string_enc(pinfo->pool, tvb, offset,
7922 name_length, ENC_ASCII0x00000000);
7923 } else if (hnd_type == SSL_HND_CLIENT_HELLO) {
7924 client_proto_name = (char*)tvb_get_string_enc(pinfo->pool, tvb, offset,
7925 name_length, ENC_ASCII0x00000000);
7926 }
7927 offset += name_length;
7928 }
7929
7930 /* If ALPN is given in ServerHello, then ProtocolNameList MUST contain
7931 * exactly one "ProtocolName". */
7932 if (proto_name) {
7933 dissector_handle_t handle;
7934
7935 session->alpn_name = wmem_strdup(wmem_file_scope(), proto_name);
7936
7937 if (is_dtls) {
7938 handle = dissector_get_string_handle(dtls_alpn_dissector_table,
7939 proto_name);
7940 } else {
7941 handle = dissector_get_string_handle(ssl_alpn_dissector_table,
7942 proto_name);
7943 if (handle == NULL((void*)0)) {
7944 /* Try prefix matching */
7945 for (size_t i = 0; i < G_N_ELEMENTS(ssl_alpn_prefix_match_protocols)(sizeof (ssl_alpn_prefix_match_protocols) / sizeof ((ssl_alpn_prefix_match_protocols
)[0])); i++) {
7946 const ssl_alpn_prefix_match_protocol_t *alpn_proto = &ssl_alpn_prefix_match_protocols[i];
7947
7948 /* string_string is inappropriate as it compares strings
7949 * while "byte strings MUST NOT be truncated" (RFC 7301) */
7950 if (g_str_has_prefix(proto_name, alpn_proto->proto_prefix)(__builtin_constant_p (alpn_proto->proto_prefix)? __extension__
({ const char * const __str = (proto_name); const char * const
__prefix = (alpn_proto->proto_prefix); gboolean __result =
(0); if (__str == ((void*)0) || __prefix == ((void*)0)) __result
= (g_str_has_prefix) (__str, __prefix); else { const size_t __str_len
= strlen (((__str) + !(__str))); const size_t __prefix_len =
strlen (((__prefix) + !(__prefix))); if (__str_len >= __prefix_len
) __result = memcmp (((__str) + !(__str)), ((__prefix) + !(__prefix
)), __prefix_len) == 0; } __result; }) : (g_str_has_prefix) (
proto_name, alpn_proto->proto_prefix) )) {
7951 handle = find_dissector(alpn_proto->dissector_name);
7952 break;
7953 }
7954 }
7955 }
7956 }
7957 if (handle != NULL((void*)0)) {
7958 /* ProtocolName match, so set the App data dissector handle.
7959 * This may override protocols given via the UAT dialog, but
7960 * since the ALPN hint is precise, do it anyway. */
7961 ssl_debug_printf("%s: changing handle %p to %p (%s)", G_STRFUNC((const char*) (__func__)),
7962 (void *)session->app_handle,
7963 (void *)handle,
7964 dissector_handle_get_dissector_name(handle));
7965 session->app_handle = handle;
7966 }
7967 } else if (client_proto_name) {
7968 // No current use for looking up the handle as the only consumer of this API is currently the QUIC dissector
7969 // and it just needs the string since there are/were various HTTP/3 ALPNs to check for.
7970 session->client_alpn_name = wmem_strdup(wmem_file_scope(), client_proto_name);
7971 }
7972
7973 return offset;
7974}
7975
7976static int
7977ssl_dissect_hnd_hello_ext_npn(ssl_common_dissect_t *hf, tvbuff_t *tvb,
7978 packet_info *pinfo, proto_tree *tree,
7979 uint32_t offset, uint32_t offset_end)
7980{
7981 /* https://tools.ietf.org/html/draft-agl-tls-nextprotoneg-04#page-3
7982 * The "extension_data" field of a "next_protocol_negotiation" extension
7983 * in a "ServerHello" contains an optional list of protocols advertised
7984 * by the server. Protocols are named by opaque, non-empty byte strings
7985 * and the list of protocols is serialized as a concatenation of 8-bit,
7986 * length prefixed byte strings. Implementations MUST ensure that the
7987 * empty string is not included and that no byte strings are truncated.
7988 */
7989 uint32_t npn_length;
7990 proto_tree *npn_tree;
7991
7992 /* List is optional, do not add tree if there are no entries. */
7993 if (offset == offset_end) {
7994 return offset;
7995 }
7996
7997 npn_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset, hf->ett.hs_ext_npn, NULL((void*)0), "Next Protocol Negotiation");
7998
7999 while (offset < offset_end) {
8000 /* non-empty, 8-bit length prefixed strings means range 1..255 */
8001 if (!ssl_add_vector(hf, tvb, pinfo, npn_tree, offset, offset_end, &npn_length,
8002 hf->hf.hs_ext_npn_str_len, 1, UINT8_MAX(255))) {
8003 return offset_end;
8004 }
8005 offset++;
8006
8007 proto_tree_add_item(npn_tree, hf->hf.hs_ext_npn_str,
8008 tvb, offset, npn_length, ENC_ASCII0x00000000|ENC_NA0x00000000);
8009 offset += npn_length;
8010 }
8011
8012 return offset;
8013}
8014
8015static int
8016ssl_dissect_hnd_hello_ext_reneg_info(ssl_common_dissect_t *hf, tvbuff_t *tvb,
8017 packet_info *pinfo, proto_tree *tree,
8018 uint32_t offset, uint32_t offset_end)
8019{
8020 /* https://tools.ietf.org/html/rfc5746#section-3.2
8021 * struct {
8022 * opaque renegotiated_connection<0..255>;
8023 * } RenegotiationInfo;
8024 *
8025 */
8026 proto_tree *reneg_info_tree;
8027 uint32_t reneg_info_length;
8028
8029 reneg_info_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset, hf->ett.hs_ext_reneg_info, NULL((void*)0), "Renegotiation Info extension");
8030
8031 /* opaque renegotiated_connection<0..255> */
8032 if (!ssl_add_vector(hf, tvb, pinfo, reneg_info_tree, offset, offset_end, &reneg_info_length,
8033 hf->hf.hs_ext_reneg_info_len, 0, 255)) {
8034 return offset_end;
8035 }
8036 offset++;
8037
8038 if (reneg_info_length > 0) {
8039 proto_tree_add_item(reneg_info_tree, hf->hf.hs_ext_reneg_info, tvb, offset, reneg_info_length, ENC_NA0x00000000);
8040 offset += reneg_info_length;
8041 }
8042
8043 return offset;
8044}
8045
8046static int
8047ssl_dissect_hnd_hello_ext_key_share_entry(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8048 proto_tree *tree, uint32_t offset, uint32_t offset_end,
8049 const char **group_name_out)
8050{
8051 /* RFC 8446 Section 4.2.8
8052 * struct {
8053 * NamedGroup group;
8054 * opaque key_exchange<1..2^16-1>;
8055 * } KeyShareEntry;
8056 */
8057 uint32_t key_exchange_length, group;
8058 proto_tree *ks_tree;
8059
8060 ks_tree = proto_tree_add_subtree(tree, tvb, offset, 4, hf->ett.hs_ext_key_share_ks, NULL((void*)0), "Key Share Entry");
8061
8062 proto_tree_add_item_ret_uint(ks_tree, hf->hf.hs_ext_key_share_group, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &group);
8063 offset += 2;
8064 const char *group_name = val_to_str(pinfo->pool, group, ssl_extension_curves, "Unknown (%u)");
8065 proto_item_append_text(ks_tree, ": Group: %s", group_name);
8066 if (group_name_out) {
8067 *group_name_out = !IS_GREASE_TLS(group)((((group) & 0x0f0f) == 0x0a0a) && (((group) &
0xff) == (((group)>>8) & 0xff))) ? group_name : NULL((void*)0);
8068 }
8069
8070 /* opaque key_exchange<1..2^16-1> */
8071 if (!ssl_add_vector(hf, tvb, pinfo, ks_tree, offset, offset_end, &key_exchange_length,
8072 hf->hf.hs_ext_key_share_key_exchange_length, 1, UINT16_MAX(65535))) {
8073 return offset_end; /* Bad (possible truncated) length, skip to end of KeyShare extension. */
8074 }
8075 offset += 2;
8076 proto_item_set_len(ks_tree, 2 + 2 + key_exchange_length);
8077 proto_item_append_text(ks_tree, ", Key Exchange length: %u", key_exchange_length);
8078
8079 proto_tree_add_item(ks_tree, hf->hf.hs_ext_key_share_key_exchange, tvb, offset, key_exchange_length, ENC_NA0x00000000);
8080 offset += key_exchange_length;
8081
8082 return offset;
8083}
8084
8085static int
8086ssl_dissect_hnd_hello_ext_key_share(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8087 proto_tree *tree, uint32_t offset, uint32_t offset_end,
8088 uint8_t hnd_type)
8089{
8090 proto_tree *key_share_tree;
8091 uint32_t next_offset;
8092 uint32_t client_shares_length;
8093 uint32_t group;
8094 const char *group_name = NULL((void*)0);
8095
8096 if (offset_end <= offset) { /* Check if ext_len == 0 and "overflow" (offset + ext_len) > uint32_t) */
8097 return offset;
8098 }
8099
8100 key_share_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset, hf->ett.hs_ext_key_share, NULL((void*)0), "Key Share extension");
8101
8102 switch(hnd_type){
8103 case SSL_HND_CLIENT_HELLO:
8104 /* KeyShareEntry client_shares<0..2^16-1> */
8105 if (!ssl_add_vector(hf, tvb, pinfo, key_share_tree, offset, offset_end, &client_shares_length,
8106 hf->hf.hs_ext_key_share_client_length, 0, UINT16_MAX(65535))) {
8107 return offset_end;
8108 }
8109 offset += 2;
8110 next_offset = offset + client_shares_length;
8111 const char *sep = " ";
8112 while (offset + 4 <= next_offset) { /* (NamedGroup (2 bytes), key_exchange (1 byte for length, 1 byte minimum data) */
8113 offset = ssl_dissect_hnd_hello_ext_key_share_entry(hf, tvb, pinfo, key_share_tree, offset, next_offset, &group_name);
8114 if (group_name) {
8115 proto_item_append_text(tree, "%s%s", sep, group_name);
8116 sep = ", ";
8117 }
8118 }
8119 if (!ssl_end_vector(hf, tvb, pinfo, key_share_tree, offset, next_offset)) {
8120 return next_offset;
8121 }
8122 break;
8123 case SSL_HND_SERVER_HELLO:
8124 offset = ssl_dissect_hnd_hello_ext_key_share_entry(hf, tvb, pinfo, key_share_tree, offset, offset_end, &group_name);
8125 if (group_name) {
8126 proto_item_append_text(tree, " %s", group_name);
8127 }
8128 break;
8129 case SSL_HND_HELLO_RETRY_REQUEST:
8130 proto_tree_add_item_ret_uint(key_share_tree, hf->hf.hs_ext_key_share_selected_group, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &group);
8131 offset += 2;
8132 group_name = val_to_str(pinfo->pool, group, ssl_extension_curves, "Unknown (%u)");
8133 proto_item_append_text(tree, " %s", group_name);
8134 break;
8135 default: /* no default */
8136 break;
8137 }
8138
8139 return offset;
8140}
8141
8142static int
8143ssl_dissect_hnd_hello_ext_pre_shared_key(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8144 proto_tree *tree, uint32_t offset, uint32_t offset_end,
8145 uint8_t hnd_type)
8146{
8147 /* RFC 8446 Section 4.2.11
8148 * struct {
8149 * opaque identity<1..2^16-1>;
8150 * uint32 obfuscated_ticket_age;
8151 * } PskIdentity;
8152 * opaque PskBinderEntry<32..255>;
8153 * struct {
8154 * select (Handshake.msg_type) {
8155 * case client_hello:
8156 * PskIdentity identities<7..2^16-1>;
8157 * PskBinderEntry binders<33..2^16-1>;
8158 * case server_hello:
8159 * uint16 selected_identity;
8160 * };
8161 * } PreSharedKeyExtension;
8162 */
8163
8164 proto_tree *psk_tree;
8165
8166 psk_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset, hf->ett.hs_ext_pre_shared_key, NULL((void*)0), "Pre-Shared Key extension");
8167
8168 switch (hnd_type){
8169 case SSL_HND_CLIENT_HELLO: {
8170 uint32_t identities_length, identities_end, binders_length;
8171
8172 /* PskIdentity identities<7..2^16-1> */
8173 if (!ssl_add_vector(hf, tvb, pinfo, psk_tree, offset, offset_end, &identities_length,
8174 hf->hf.hs_ext_psk_identities_length, 7, UINT16_MAX(65535))) {
8175 return offset_end;
8176 }
8177 offset += 2;
8178 identities_end = offset + identities_length;
8179
8180 while (offset < identities_end) {
8181 uint32_t identity_length;
8182 proto_tree *identity_tree;
8183
8184 identity_tree = proto_tree_add_subtree(psk_tree, tvb, offset, 4, hf->ett.hs_ext_psk_identity, NULL((void*)0), "PSK Identity (");
8185
8186 /* opaque identity<1..2^16-1> */
8187 if (!ssl_add_vector(hf, tvb, pinfo, identity_tree, offset, identities_end, &identity_length,
8188 hf->hf.hs_ext_psk_identity_identity_length, 1, UINT16_MAX(65535))) {
8189 return identities_end;
8190 }
8191 offset += 2;
8192 proto_item_append_text(identity_tree, "length: %u)", identity_length);
8193
8194 proto_tree_add_item(identity_tree, hf->hf.hs_ext_psk_identity_identity, tvb, offset, identity_length, ENC_BIG_ENDIAN0x00000000);
8195 offset += identity_length;
8196
8197 proto_tree_add_item(identity_tree, hf->hf.hs_ext_psk_identity_obfuscated_ticket_age, tvb, offset, 4, ENC_BIG_ENDIAN0x00000000);
8198 offset += 4;
8199
8200 proto_item_set_len(identity_tree, 2 + identity_length + 4);
8201 }
8202 if (!ssl_end_vector(hf, tvb, pinfo, psk_tree, offset, identities_end)) {
8203 offset = identities_end;
8204 }
8205
8206 /* PskBinderEntry binders<33..2^16-1> */
8207 if (!ssl_add_vector(hf, tvb, pinfo, psk_tree, offset, offset_end, &binders_length,
8208 hf->hf.hs_ext_psk_binders_length, 33, UINT16_MAX(65535))) {
8209 return offset_end;
8210 }
8211 offset += 2;
8212
8213 proto_item *binders_item;
8214 proto_tree *binders_tree;
8215 binders_item = proto_tree_add_item(psk_tree, hf->hf.hs_ext_psk_binders, tvb, offset, binders_length, ENC_NA0x00000000);
8216 binders_tree = proto_item_add_subtree(binders_item, hf->ett.hs_ext_psk_binders);
8217 uint32_t binders_end = offset + binders_length;
8218 while (offset < binders_end) {
8219 uint32_t binder_length;
8220 proto_item *binder_item;
8221 proto_tree *binder_tree;
8222
8223 binder_item = proto_tree_add_item(binders_tree, hf->hf.hs_ext_psk_binder, tvb, offset, 1, ENC_NA0x00000000);
8224 binder_tree = proto_item_add_subtree(binder_item, hf->ett.hs_ext_psk_binder);
8225
8226 /* opaque PskBinderEntry<32..255>; */
8227 if (!ssl_add_vector(hf, tvb, pinfo, binder_tree, offset, binders_end, &binder_length,
8228 hf->hf.hs_ext_psk_binder_binder_length, 32, 255)) {
8229 return binders_end;
8230 }
8231 offset += 1;
8232 proto_item_append_text(binder_tree, " (length: %u)", binder_length);
8233
8234 proto_tree_add_item(binder_tree, hf->hf.hs_ext_psk_binder_binder, tvb, offset, binder_length, ENC_BIG_ENDIAN0x00000000);
8235 offset += binder_length;
8236
8237 proto_item_set_end(binder_item, tvb, offset);
8238 }
8239 }
8240 break;
8241 case SSL_HND_SERVER_HELLO: {
8242 proto_tree_add_item(psk_tree, hf->hf.hs_ext_psk_identity_selected, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
8243 offset += 2;
8244 }
8245 break;
8246 default:
8247 break;
8248 }
8249
8250 return offset;
8251}
8252
8253static uint32_t
8254ssl_dissect_hnd_hello_ext_early_data(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo _U___attribute__((unused)),
8255 proto_tree *tree, uint32_t offset, uint32_t offset_end _U___attribute__((unused)),
8256 uint8_t hnd_type, SslDecryptSession *ssl)
8257{
8258 /* RFC 8446 Section 4.2.10
8259 * struct {} Empty;
8260 * struct {
8261 * select (Handshake.msg_type) {
8262 * case new_session_ticket: uint32 max_early_data_size;
8263 * case client_hello: Empty;
8264 * case encrypted_extensions: Empty;
8265 * };
8266 * } EarlyDataIndication;
8267 */
8268 switch (hnd_type) {
8269 case SSL_HND_CLIENT_HELLO:
8270 /* Remember that early_data will follow the handshake. */
8271 if (ssl) {
8272 ssl_debug_printf("%s found early_data extension\n", G_STRFUNC((const char*) (__func__)));
8273 ssl->has_early_data = true1;
8274 }
8275 break;
8276 case SSL_HND_NEWSESSION_TICKET:
8277 proto_tree_add_item(tree, hf->hf.hs_ext_max_early_data_size, tvb, offset, 4, ENC_BIG_ENDIAN0x00000000);
8278 offset += 4;
8279 break;
8280 default:
8281 break;
8282 }
8283 return offset;
8284}
8285
8286static uint16_t
8287tls_try_get_version(bool_Bool is_dtls, uint16_t version, uint8_t *draft_version)
8288{
8289 if (draft_version) {
8290 *draft_version = 0;
8291 }
8292 if (!is_dtls) {
8293 uint8_t tls13_draft = extract_tls13_draft_version(version);
8294 if (tls13_draft != 0) {
8295 /* This is TLS 1.3 (a draft version). */
8296 if (draft_version) {
8297 *draft_version = tls13_draft;
8298 }
8299 version = TLSV1DOT3_VERSION0x304;
8300 }
8301 if (version == 0xfb17 || version == 0xfb1a) {
8302 /* Unofficial TLS 1.3 draft version for Facebook fizz. */
8303 tls13_draft = (uint8_t)version;
8304 if (draft_version) {
8305 *draft_version = tls13_draft;
8306 }
8307 version = TLSV1DOT3_VERSION0x304;
8308 }
8309 }
8310
8311 switch (version) {
8312 case SSLV3_VERSION0x300:
8313 case TLSV1_VERSION0x301:
8314 case TLSV1DOT1_VERSION0x302:
8315 case TLSV1DOT2_VERSION0x303:
8316 case TLSV1DOT3_VERSION0x304:
8317 case TLCPV1_VERSION0x101:
8318 if (is_dtls)
8319 return SSL_VER_UNKNOWN0;
8320 break;
8321
8322 case DTLSV1DOT0_VERSION0xfeff:
8323 case DTLSV1DOT0_OPENSSL_VERSION0x100:
8324 case DTLSV1DOT2_VERSION0xfefd:
8325 case DTLSV1DOT3_VERSION0xfefc:
8326 if (!is_dtls)
8327 return SSL_VER_UNKNOWN0;
8328 break;
8329
8330 default: /* invalid version number */
8331 return SSL_VER_UNKNOWN0;
8332 }
8333
8334 return version;
8335}
8336
8337static int
8338ssl_dissect_hnd_hello_ext_supported_versions(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8339 proto_tree *tree, uint32_t offset, uint32_t offset_end,
8340 SslSession *session, bool_Bool is_dtls, ja4_data_t *ja4_data)
8341{
8342
8343 /* RFC 8446 Section 4.2.1
8344 * struct {
8345 * ProtocolVersion versions<2..254>; // ClientHello
8346 * } SupportedVersions;
8347 * Note that ServerHello and HelloRetryRequest are handled by the caller.
8348 */
8349 uint32_t versions_length, next_offset;
8350 /* ProtocolVersion versions<2..254> */
8351 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &versions_length,
8352 hf->hf.hs_ext_supported_versions_len, 2, 254)) {
8353 return offset_end;
8354 }
8355 offset++;
8356 next_offset = offset + versions_length;
8357
8358 unsigned version;
8359 unsigned current_version, lowest_version = SSL_VER_UNKNOWN0;
8360 uint8_t draft_version, max_draft_version = 0;
8361 const char *sep = " ";
8362 while (offset + 2 <= next_offset) {
8363 proto_tree_add_item_ret_uint(tree, hf->hf.hs_ext_supported_version, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &version);
8364 offset += 2;
8365
8366 if (!IS_GREASE_TLS(version)((((version) & 0x0f0f) == 0x0a0a) && (((version) &
0xff) == (((version)>>8) & 0xff)))) {
8367 proto_item_append_text(tree, "%s%s", sep, val_to_str(pinfo->pool, version, ssl_versions, "Unknown (0x%04x)"));
8368 sep = ", ";
8369 }
8370
8371 current_version = tls_try_get_version(is_dtls, version, &draft_version);
8372 if (session->version == SSL_VER_UNKNOWN0) {
8373 if (lowest_version == SSL_VER_UNKNOWN0) {
8374 lowest_version = current_version;
8375 } else if (current_version != SSL_VER_UNKNOWN0) {
8376 if (!is_dtls) {
8377 lowest_version = MIN(lowest_version, current_version)(((lowest_version) < (current_version)) ? (lowest_version)
: (current_version));
8378 } else {
8379 lowest_version = MAX(lowest_version, current_version)(((lowest_version) > (current_version)) ? (lowest_version)
: (current_version));
8380 }
8381 }
8382 }
8383 max_draft_version = MAX(draft_version, max_draft_version)(((draft_version) > (max_draft_version)) ? (draft_version)
: (max_draft_version));
8384 if (ja4_data && !IS_GREASE_TLS(version)((((version) & 0x0f0f) == 0x0a0a) && (((version) &
0xff) == (((version)>>8) & 0xff)))) {
8385 /* The DTLS version numbers get mapped to "00" for unknown per
8386 * JA4 spec, but if JA4 ever does support DTLS we'll probably
8387 * need to take the MIN instead of MAX here for DTLS.
8388 */
8389 ja4_data->max_version = MAX(version, ja4_data->max_version)(((version) > (ja4_data->max_version)) ? (version) : (ja4_data
->max_version));
8390 }
8391 }
8392 if (session->version == SSL_VER_UNKNOWN0 && lowest_version != SSL_VER_UNKNOWN0) {
8393 col_set_str(pinfo->cinfo, COL_PROTOCOL,
8394 val_to_str_const(version, ssl_version_short_names, is_dtls ? "DTLS" : "TLS"));
8395 }
8396 if (!ssl_end_vector(hf, tvb, pinfo, tree, offset, next_offset)) {
8397 offset = next_offset;
8398 }
8399
8400 /* XXX remove this when draft 19 support is dropped,
8401 * this is only required for early data decryption. */
8402 if (max_draft_version) {
8403 session->tls13_draft_version = max_draft_version;
8404 }
8405
8406 return offset;
8407}
8408
8409static int
8410ssl_dissect_hnd_hello_ext_cookie(ssl_common_dissect_t *hf, tvbuff_t *tvb,
8411 packet_info *pinfo, proto_tree *tree,
8412 uint32_t offset, uint32_t offset_end)
8413{
8414 /* RFC 8446 Section 4.2.2
8415 * struct {
8416 * opaque cookie<1..2^16-1>;
8417 * } Cookie;
8418 */
8419 uint32_t cookie_length;
8420 /* opaque cookie<1..2^16-1> */
8421 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &cookie_length,
8422 hf->hf.hs_ext_cookie_len, 1, UINT16_MAX(65535))) {
8423 return offset_end;
8424 }
8425 offset += 2;
8426
8427 proto_tree_add_item(tree, hf->hf.hs_ext_cookie, tvb, offset, cookie_length, ENC_NA0x00000000);
8428 offset += cookie_length;
8429
8430 return offset;
8431}
8432
8433static int
8434ssl_dissect_hnd_hello_ext_psk_key_exchange_modes(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8435 proto_tree *tree, uint32_t offset, uint32_t offset_end)
8436{
8437 /* RFC 8446 Section 4.2.9
8438 * enum { psk_ke(0), psk_dhe_ke(1), (255) } PskKeyExchangeMode;
8439 *
8440 * struct {
8441 * PskKeyExchangeMode ke_modes<1..255>;
8442 * } PskKeyExchangeModes;
8443 */
8444 uint32_t ke_modes_length, next_offset;
8445
8446 /* PskKeyExchangeMode ke_modes<1..255> */
8447 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &ke_modes_length,
8448 hf->hf.hs_ext_psk_ke_modes_length, 1, 255)) {
8449 return offset_end;
8450 }
8451 offset++;
8452 next_offset = offset + ke_modes_length;
8453
8454 while (offset < next_offset) {
8455 proto_tree_add_item(tree, hf->hf.hs_ext_psk_ke_mode, tvb, offset, 1, ENC_NA0x00000000);
8456 offset++;
8457 }
8458
8459 return offset;
8460}
8461
8462static uint32_t
8463ssl_dissect_hnd_hello_ext_certificate_authorities(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8464 proto_tree *tree, uint32_t offset, uint32_t offset_end)
8465{
8466 /* RFC 8446 Section 4.2.4
8467 * opaque DistinguishedName<1..2^16-1>;
8468 * struct {
8469 * DistinguishedName authorities<3..2^16-1>;
8470 * } CertificateAuthoritiesExtension;
8471 */
8472 return tls_dissect_certificate_authorities(hf, tvb, pinfo, tree, offset, offset_end);
8473}
8474
8475static int
8476ssl_dissect_hnd_hello_ext_oid_filters(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8477 proto_tree *tree, uint32_t offset, uint32_t offset_end)
8478{
8479 /* RFC 8446 Section 4.2.5
8480 * struct {
8481 * opaque certificate_extension_oid<1..2^8-1>;
8482 * opaque certificate_extension_values<0..2^16-1>;
8483 * } OIDFilter;
8484 * struct {
8485 * OIDFilter filters<0..2^16-1>;
8486 * } OIDFilterExtension;
8487 */
8488 proto_tree *subtree;
8489 uint32_t filters_length, oid_length, values_length, value_offset;
8490 asn1_ctx_t asn1_ctx;
8491 const char *oid, *name;
8492
8493 /* OIDFilter filters<0..2^16-1> */
8494 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &filters_length,
8495 hf->hf.hs_ext_psk_ke_modes_length, 0, UINT16_MAX(65535))) {
8496 return offset_end;
8497 }
8498 offset += 2;
8499 offset_end = offset + filters_length;
8500
8501 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true1, pinfo);
8502
8503 while (offset < offset_end) {
8504 subtree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
8505 hf->ett.hs_ext_oid_filter, NULL((void*)0), "OID Filter");
8506
8507 /* opaque certificate_extension_oid<1..2^8-1> */
8508 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, offset_end, &oid_length,
8509 hf->hf.hs_ext_oid_filters_oid_length, 1, UINT8_MAX(255))) {
8510 return offset_end;
8511 }
8512 offset++;
8513 dissect_ber_object_identifier_str(false0, &asn1_ctx, subtree, tvb, offset,
8514 hf->hf.hs_ext_oid_filters_oid, &oid);
8515 offset += oid_length;
8516
8517 /* Append OID to tree label */
8518 name = oid_resolved_from_string(pinfo->pool, oid);
8519 proto_item_append_text(subtree, " (%s)", name ? name : oid);
8520
8521 /* opaque certificate_extension_values<0..2^16-1> */
8522 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, offset_end, &values_length,
8523 hf->hf.hs_ext_oid_filters_values_length, 0, UINT16_MAX(65535))) {
8524 return offset_end;
8525 }
8526 offset += 2;
8527 proto_item_set_len(subtree, 1 + oid_length + 2 + values_length);
8528 if (values_length > 0) {
8529 value_offset = offset;
8530 value_offset = dissect_ber_identifier(pinfo, subtree, tvb, value_offset, NULL((void*)0), NULL((void*)0), NULL((void*)0));
8531 value_offset = dissect_ber_length(pinfo, subtree, tvb, value_offset, NULL((void*)0), NULL((void*)0));
8532 call_ber_oid_callback(oid, tvb, value_offset, pinfo, subtree, NULL((void*)0));
8533 }
8534 offset += values_length;
8535 }
8536
8537 return offset;
8538}
8539
8540static int
8541ssl_dissect_hnd_hello_ext_server_name(ssl_common_dissect_t *hf, tvbuff_t *tvb,
8542 packet_info *pinfo, proto_tree *tree,
8543 uint32_t offset, uint32_t offset_end)
8544{
8545 /* https://tools.ietf.org/html/rfc6066#section-3
8546 *
8547 * struct {
8548 * NameType name_type;
8549 * select (name_type) {
8550 * case host_name: HostName;
8551 * } name;
8552 * } ServerName;
8553 *
8554 * enum {
8555 * host_name(0), (255)
8556 * } NameType;
8557 *
8558 * opaque HostName<1..2^16-1>;
8559 *
8560 * struct {
8561 * ServerName server_name_list<1..2^16-1>
8562 * } ServerNameList;
8563 */
8564 proto_tree *server_name_tree;
8565 uint32_t list_length, server_name_length, next_offset;
8566
8567 /* The server SHALL include "server_name" extension with empty data. */
8568 if (offset == offset_end) {
8569 return offset;
8570 }
8571
8572 server_name_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset, hf->ett.hs_ext_server_name, NULL((void*)0), "Server Name Indication extension");
8573
8574 /* ServerName server_name_list<1..2^16-1> */
8575 if (!ssl_add_vector(hf, tvb, pinfo, server_name_tree, offset, offset_end, &list_length,
8576 hf->hf.hs_ext_server_name_list_len, 1, UINT16_MAX(65535))) {
8577 return offset_end;
8578 }
8579 offset += 2;
8580 next_offset = offset + list_length;
8581
8582 while (offset < next_offset) {
8583 uint32_t name_type;
8584 const char *server_name = NULL((void*)0);
8585 proto_tree_add_item_ret_uint(server_name_tree, hf->hf.hs_ext_server_name_type,
8586 tvb, offset, 1, ENC_NA0x00000000, &name_type);
8587 offset++;
8588
8589 /* opaque HostName<1..2^16-1> */
8590 if (!ssl_add_vector(hf, tvb, pinfo, server_name_tree, offset, next_offset, &server_name_length,
8591 hf->hf.hs_ext_server_name_len, 1, UINT16_MAX(65535))) {
8592 return next_offset;
8593 }
8594 offset += 2;
8595
8596 proto_tree_add_item_ret_string(server_name_tree, hf->hf.hs_ext_server_name,
8597 tvb, offset, server_name_length, ENC_ASCII0x00000000|ENC_NA0x00000000,
8598 pinfo->pool, (const uint8_t**)&server_name);
8599 offset += server_name_length;
8600 // Each type must only occur once, so we don't check for duplicates.
8601 if (name_type == 0) {
8602 proto_item_append_text(tree, " name=%s", server_name);
8603 col_append_fstr(pinfo->cinfo, COL_INFO, " (SNI=%s)", server_name);
8604
8605 if (gbl_resolv_flags.handshake_sni_addr_resolution) {
8606 // Client Hello: Client (Src) -> Server (Dst)
8607 switch (pinfo->dst.type) {
8608 case AT_IPv4:
8609 if (pinfo->dst.len == sizeof(uint32_t)) {
8610 add_ipv4_name(*(uint32_t *)pinfo->dst.data, server_name, false0);
8611 }
8612 break;
8613 case AT_IPv6:
8614 if (pinfo->dst.len == sizeof(ws_in6_addr)) {
8615 add_ipv6_name(pinfo->dst.data, server_name, false0);
8616 }
8617 break;
8618 }
8619 }
8620 }
8621 }
8622 return offset;
8623}
8624
8625static int
8626ssl_dissect_hnd_hello_ext_session_ticket(ssl_common_dissect_t *hf, tvbuff_t *tvb,
8627 proto_tree *tree, uint32_t offset, uint32_t offset_end, uint8_t hnd_type, SslDecryptSession *ssl)
8628{
8629 unsigned ext_len = offset_end - offset;
8630 if (hnd_type == SSL_HND_CLIENT_HELLO && ssl && ext_len != 0) {
8631 tvb_ensure_bytes_exist(tvb, offset, ext_len);
8632 /* Save the Session Ticket such that it can be used as identifier for
8633 * restoring a previous Master Secret (in ChangeCipherSpec) */
8634 ssl->session_ticket.data = (unsigned char*)wmem_realloc(wmem_file_scope(),
8635 ssl->session_ticket.data, ext_len);
8636 ssl->session_ticket.data_len = ext_len;
8637 tvb_memcpy(tvb,ssl->session_ticket.data, offset, ext_len);
8638 }
8639 proto_tree_add_item(tree, hf->hf.hs_ext_session_ticket,
8640 tvb, offset, ext_len, ENC_NA0x00000000);
8641 return offset + ext_len;
8642}
8643
8644static int
8645ssl_dissect_hnd_hello_ext_cert_type(ssl_common_dissect_t *hf, tvbuff_t *tvb,
8646 proto_tree *tree, uint32_t offset, uint32_t offset_end,
8647 uint8_t hnd_type, uint16_t ext_type, SslSession *session)
8648{
8649 uint8_t cert_list_length;
8650 uint8_t cert_type;
8651 proto_tree *cert_list_tree;
8652 proto_item *ti;
8653
8654 switch(hnd_type){
8655 case SSL_HND_CLIENT_HELLO:
8656 cert_list_length = tvb_get_uint8(tvb, offset);
8657 proto_tree_add_item(tree, hf->hf.hs_ext_cert_types_len,
8658 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
8659 offset += 1;
8660 if (offset_end - offset != (uint32_t)cert_list_length)
8661 return offset;
8662
8663 ti = proto_tree_add_item(tree, hf->hf.hs_ext_cert_types, tvb, offset,
8664 cert_list_length, cert_list_length);
8665 proto_item_append_text(ti, " (%d)", cert_list_length);
8666
8667 /* make this a subtree */
8668 cert_list_tree = proto_item_add_subtree(ti, hf->ett.hs_ext_cert_types);
8669
8670 /* loop over all point formats */
8671 while (cert_list_length > 0)
8672 {
8673 proto_tree_add_item(cert_list_tree, hf->hf.hs_ext_cert_type, tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
8674 offset++;
8675 cert_list_length--;
8676 }
8677 break;
8678 case SSL_HND_SERVER_HELLO:
8679 case SSL_HND_ENCRYPTED_EXTENSIONS:
8680 case SSL_HND_CERTIFICATE:
8681 cert_type = tvb_get_uint8(tvb, offset);
8682 proto_tree_add_item(tree, hf->hf.hs_ext_cert_type, tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
8683 offset += 1;
8684 if (ext_type == SSL_HND_HELLO_EXT_CERT_TYPE9 || ext_type == SSL_HND_HELLO_EXT_CLIENT_CERT_TYPE19) {
8685 session->client_cert_type = cert_type;
8686 }
8687 if (ext_type == SSL_HND_HELLO_EXT_CERT_TYPE9 || ext_type == SSL_HND_HELLO_EXT_SERVER_CERT_TYPE20) {
8688 session->server_cert_type = cert_type;
8689 }
8690 break;
8691 default: /* no default */
8692 break;
8693 }
8694
8695 return offset;
8696}
8697
8698static uint32_t
8699ssl_dissect_hnd_hello_ext_compress_certificate(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8700 proto_tree *tree, uint32_t offset, uint32_t offset_end,
8701 uint8_t hnd_type, SslDecryptSession *ssl _U___attribute__((unused)))
8702{
8703 uint32_t compress_certificate_algorithms_length, next_offset;
8704
8705 /* https://tools.ietf.org/html/draft-ietf-tls-certificate-compression-03#section-3.0
8706 * enum {
8707 * zlib(1),
8708 * brotli(2),
8709 * (65535)
8710 * } CertificateCompressionAlgorithm;
8711 *
8712 * struct {
8713 * CertificateCompressionAlgorithm algorithms<1..2^8-1>;
8714 * } CertificateCompressionAlgorithms;
8715 */
8716 switch (hnd_type) {
8717 case SSL_HND_CLIENT_HELLO:
8718 case SSL_HND_CERT_REQUEST:
8719 /* CertificateCompressionAlgorithm algorithms<1..2^8-1>;*/
8720 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &compress_certificate_algorithms_length,
8721 hf->hf.hs_ext_compress_certificate_algorithms_length, 1, UINT8_MAX(255)-1)) {
8722 return offset_end;
8723 }
8724 offset += 1;
8725 next_offset = offset + compress_certificate_algorithms_length;
8726
8727 while (offset < next_offset) {
8728 proto_tree_add_item(tree, hf->hf.hs_ext_compress_certificate_algorithm,
8729 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
8730 offset += 2;
8731 }
8732 break;
8733 default:
8734 break;
8735 }
8736
8737 return offset;
8738}
8739
8740static uint32_t
8741ssl_dissect_hnd_hello_ext_token_binding(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8742 proto_tree *tree, uint32_t offset, uint32_t offset_end,
8743 uint8_t hnd_type, SslDecryptSession *ssl _U___attribute__((unused)))
8744{
8745 uint32_t key_parameters_length, next_offset;
8746 proto_item *p_ti;
8747 proto_tree *p_tree;
8748
8749 /* RFC 8472
8750 *
8751 * struct {
8752 * uint8 major;
8753 * uint8 minor;
8754 * } TB_ProtocolVersion;
8755 *
8756 * enum {
8757 * rsa2048_pkcs1.5(0), rsa2048_pss(1), ecdsap256(2), (255)
8758 * } TokenBindingKeyParameters;
8759 *
8760 * struct {
8761 * TB_ProtocolVersion token_binding_version;
8762 * TokenBindingKeyParameters key_parameters_list<1..2^8-1>
8763 * } TokenBindingParameters;
8764 */
8765
8766 switch (hnd_type) {
8767 case SSL_HND_CLIENT_HELLO:
8768 case SSL_HND_SERVER_HELLO:
8769 proto_tree_add_item(tree, hf->hf.hs_ext_token_binding_version_major, tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
8770 offset += 1;
8771 proto_tree_add_item(tree, hf->hf.hs_ext_token_binding_version_minor, tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
8772 offset += 1;
8773
8774 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &key_parameters_length,
8775 hf->hf.hs_ext_token_binding_key_parameters_length, 1, UINT8_MAX(255))) {
8776 return offset_end;
8777 }
8778 offset += 1;
8779 next_offset = offset + key_parameters_length;
8780
8781 p_ti = proto_tree_add_none_format(tree,
8782 hf->hf.hs_ext_token_binding_key_parameters,
8783 tvb, offset, key_parameters_length,
8784 "Key parameters identifiers (%d identifier%s)",
8785 key_parameters_length,
8786 plurality(key_parameters_length, "", "s")((key_parameters_length) == 1 ? ("") : ("s")));
8787 p_tree = proto_item_add_subtree(p_ti, hf->ett.hs_ext_token_binding_key_parameters);
8788
8789 while (offset < next_offset) {
8790 proto_tree_add_item(p_tree, hf->hf.hs_ext_token_binding_key_parameter,
8791 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
8792 offset += 1;
8793 }
8794
8795 if (!ssl_end_vector(hf, tvb, pinfo, p_tree, offset, next_offset)) {
8796 offset = next_offset;
8797 }
8798
8799 break;
8800 default:
8801 break;
8802 }
8803
8804 return offset;
8805}
8806
8807static uint32_t
8808ssl_dissect_hnd_hello_ext_quic_transport_parameters(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8809 proto_tree *tree, uint32_t offset, uint32_t offset_end,
8810 uint8_t hnd_type, SslDecryptSession *ssl _U___attribute__((unused)))
8811{
8812 bool_Bool use_varint_encoding = true1; // Whether this is draft -27 or newer.
8813 uint32_t next_offset;
8814
8815 /* https://tools.ietf.org/html/draft-ietf-quic-transport-25#section-18
8816 *
8817 * Note: the following structures are not literally defined in the spec,
8818 * they instead use an ASCII diagram.
8819 *
8820 * struct {
8821 * uint16 id;
8822 * opaque value<0..2^16-1>;
8823 * } TransportParameter; // before draft -27
8824 * TransportParameter TransportParameters<0..2^16-1>; // before draft -27
8825 *
8826 * struct {
8827 * opaque ipv4Address[4];
8828 * uint16 ipv4Port;
8829 * opaque ipv6Address[16];
8830 * uint16 ipv6Port;
8831 * opaque connectionId<0..18>;
8832 * opaque statelessResetToken[16];
8833 * } PreferredAddress;
8834 */
8835
8836 if (offset_end - offset >= 6 &&
8837 2 + (unsigned)tvb_get_ntohs(tvb, offset) == offset_end - offset &&
8838 6 + (unsigned)tvb_get_ntohs(tvb, offset + 4) <= offset_end - offset) {
8839 // Assume encoding of Transport Parameters draft -26 or older with at
8840 // least one transport parameter that has a valid length.
8841 use_varint_encoding = false0;
8842 }
8843
8844 if (use_varint_encoding) {
8845 next_offset = offset_end;
8846 } else {
8847 uint32_t quic_length;
8848 // Assume draft -26 or earlier.
8849 /* TransportParameter TransportParameters<0..2^16-1>; */
8850 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &quic_length,
8851 hf->hf.hs_ext_quictp_len, 0, UINT16_MAX(65535))) {
8852 return offset_end;
8853 }
8854 offset += 2;
8855 next_offset = offset + quic_length;
8856 }
8857
8858 while (offset < next_offset) {
8859 uint64_t parameter_type; /* 62-bit space */
8860 uint32_t parameter_length;
8861 proto_tree *parameter_tree;
8862 uint32_t parameter_end_offset;
8863 uint64_t value;
8864 uint32_t i;
8865 int len = 0;
8866
8867 parameter_tree = proto_tree_add_subtree(tree, tvb, offset, 2, hf->ett.hs_ext_quictp_parameter,
8868 NULL((void*)0), "Parameter");
8869 /* TransportParameter ID and Length. */
8870 if (use_varint_encoding) {
8871 uint64_t parameter_length64;
8872 int type_len = 0;
8873
8874 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_type,
8875 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &parameter_type, &type_len);
8876 offset += type_len;
8877
8878 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_len,
8879 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &parameter_length64, &len);
8880 parameter_length = (uint32_t)parameter_length64;
8881 offset += len;
8882
8883 proto_item_set_len(parameter_tree, type_len + len + parameter_length);
8884 } else {
8885 parameter_type = tvb_get_ntohs(tvb, offset);
8886 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_type,
8887 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
8888 offset += 2;
8889
8890 /* opaque value<0..2^16-1> */
8891 if (!ssl_add_vector(hf, tvb, pinfo, parameter_tree, offset, next_offset, &parameter_length,
8892 hf->hf.hs_ext_quictp_parameter_len_old, 0, UINT16_MAX(65535))) {
8893 return next_offset;
8894 }
8895 offset += 2;
8896
8897 proto_item_set_len(parameter_tree, 4 + parameter_length);
8898 }
8899
8900 if (IS_GREASE_QUIC(parameter_type)((parameter_type) > 27 ? ((((parameter_type) - 27) % 31) ==
0) : 0)) {
8901 proto_item_append_text(parameter_tree, ": GREASE");
8902 } else {
8903 proto_item_append_text(parameter_tree, ": %s", val64_to_str_wmem(pinfo->pool, parameter_type, quic_transport_parameter_id, "Unknown 0x%04x"));
8904 }
8905
8906 proto_item_append_text(parameter_tree, " (len=%u)", parameter_length);
8907 parameter_end_offset = offset + parameter_length;
8908
8909 /* Omit the value field if the parameter's length is 0. */
8910 if (parameter_length != 0) {
8911 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_value,
8912 tvb, offset, parameter_length, ENC_NA0x00000000);
8913 }
8914
8915 switch (parameter_type) {
8916 case SSL_HND_QUIC_TP_ORIGINAL_DESTINATION_CONNECTION_ID0x00:
8917 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_original_destination_connection_id,
8918 tvb, offset, parameter_length, ENC_NA0x00000000);
8919 offset += parameter_length;
8920 break;
8921 case SSL_HND_QUIC_TP_MAX_IDLE_TIMEOUT0x01:
8922 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_max_idle_timeout,
8923 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8924 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u" " ms", value);
8925 offset += len;
8926 break;
8927 case SSL_HND_QUIC_TP_STATELESS_RESET_TOKEN0x02:
8928 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_stateless_reset_token,
8929 tvb, offset, 16, ENC_BIG_ENDIAN0x00000000);
8930 quic_add_stateless_reset_token(pinfo, tvb, offset, NULL((void*)0));
8931 offset += 16;
8932 break;
8933 case SSL_HND_QUIC_TP_MAX_UDP_PAYLOAD_SIZE0x03:
8934 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_max_udp_payload_size,
8935 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8936 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8937 /*TODO display expert info about invalid value (< 1252 or >65527) ? */
8938 offset += len;
8939 break;
8940 case SSL_HND_QUIC_TP_INITIAL_MAX_DATA0x04:
8941 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_data,
8942 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8943 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8944 offset += len;
8945 break;
8946 case SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_BIDI_LOCAL0x05:
8947 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_stream_data_bidi_local,
8948 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8949 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8950 offset += len;
8951 break;
8952 case SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_BIDI_REMOTE0x06:
8953 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_stream_data_bidi_remote,
8954 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8955 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8956 offset += len;
8957 break;
8958 case SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_UNI0x07:
8959 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_stream_data_uni,
8960 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8961 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8962 offset += len;
8963 break;
8964 case SSL_HND_QUIC_TP_INITIAL_MAX_STREAMS_UNI0x09:
8965 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_streams_uni,
8966 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8967 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8968 offset += len;
8969 break;
8970 case SSL_HND_QUIC_TP_INITIAL_MAX_STREAMS_BIDI0x08:
8971 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_streams_bidi,
8972 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8973 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8974 offset += len;
8975 break;
8976 case SSL_HND_QUIC_TP_ACK_DELAY_EXPONENT0x0a:
8977 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_ack_delay_exponent,
8978 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, NULL((void*)0), &len);
8979 /*TODO display multiplier (x8) and expert info about invalid value (> 20) ? */
8980 offset += len;
8981 break;
8982 case SSL_HND_QUIC_TP_MAX_ACK_DELAY0x0b:
8983 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_max_ack_delay,
8984 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8985 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8986 offset += len;
8987 break;
8988 case SSL_HND_QUIC_TP_DISABLE_ACTIVE_MIGRATION0x0c:
8989 /* No Payload */
8990 break;
8991 case SSL_HND_QUIC_TP_PREFERRED_ADDRESS0x0d: {
8992 uint32_t connectionid_length;
8993 quic_cid_t cid;
8994
8995 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_ipv4address,
8996 tvb, offset, 4, ENC_BIG_ENDIAN0x00000000);
8997 offset += 4;
8998 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_ipv4port,
8999 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
9000 offset += 2;
9001 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_ipv6address,
9002 tvb, offset, 16, ENC_NA0x00000000);
9003 offset += 16;
9004 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_ipv6port,
9005 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
9006 offset += 2;
9007 /* XXX - Should we add these addresses and ports as addresses that the client
9008 * is allowed / expected to migrate the server address to? Right now we don't
9009 * enforce that (see RFC 9000 Section 9, which implies that while the client
9010 * can migrate to whatever address it wants, it can only migrate the server
9011 * address to the Server's Preferred Address as in 9.6. Also Issue #20165.)
9012 */
9013
9014 if (!ssl_add_vector(hf, tvb, pinfo, parameter_tree, offset, offset_end, &connectionid_length,
9015 hf->hf.hs_ext_quictp_parameter_pa_connectionid_length, 0, 20)) {
9016 break;
9017 }
9018 offset += 1;
9019
9020 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_connectionid,
9021 tvb, offset, connectionid_length, ENC_NA0x00000000);
9022 if (connectionid_length >= 1 && connectionid_length <= QUIC_MAX_CID_LENGTH20) {
9023 cid.len = connectionid_length;
9024 // RFC 9000 5.1.1 "If the preferred_address transport
9025 // parameter is sent, the sequence number of the supplied
9026 // connection ID is 1."
9027 cid.seq_num = 1;
9028 // Multipath draft-07 "Also, the Path Identifier for the
9029 // connection ID specified in the "preferred address"
9030 // transport parameter is 0."
9031 cid.path_id = 0;
9032 tvb_memcpy(tvb, cid.cid, offset, connectionid_length);
9033 quic_add_connection(pinfo, &cid);
9034 }
9035 offset += connectionid_length;
9036
9037 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_statelessresettoken,
9038 tvb, offset, 16, ENC_NA0x00000000);
9039 if (connectionid_length >= 1 && connectionid_length <= QUIC_MAX_CID_LENGTH20) {
9040 quic_add_stateless_reset_token(pinfo, tvb, offset, &cid);
9041 }
9042 offset += 16;
9043 }
9044 break;
9045 case SSL_HND_QUIC_TP_ACTIVE_CONNECTION_ID_LIMIT0x0e:
9046 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_active_connection_id_limit,
9047 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9048 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
9049 offset += len;
9050 break;
9051 case SSL_HND_QUIC_TP_INITIAL_SOURCE_CONNECTION_ID0x0f:
9052 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_source_connection_id,
9053 tvb, offset, parameter_length, ENC_NA0x00000000);
9054 offset += parameter_length;
9055 break;
9056 case SSL_HND_QUIC_TP_RETRY_SOURCE_CONNECTION_ID0x10:
9057 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_retry_source_connection_id,
9058 tvb, offset, parameter_length, ENC_NA0x00000000);
9059 offset += parameter_length;
9060 break;
9061 case SSL_HND_QUIC_TP_MAX_DATAGRAM_FRAME_SIZE0x20:
9062 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_max_datagram_frame_size,
9063 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9064 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
9065 offset += len;
9066 break;
9067 case SSL_HND_QUIC_TP_CIBIR_ENCODING0x1000:
9068 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_cibir_encoding_length,
9069 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9070 proto_item_append_text(parameter_tree, " Length: %" PRIu64"l" "u", value);
9071 offset += len;
9072 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_cibir_encoding_offset,
9073 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9074 proto_item_append_text(parameter_tree, ", Offset: %" PRIu64"l" "u", value);
9075 offset += len;
9076 break;
9077 case SSL_HND_QUIC_TP_LOSS_BITS0x1057:
9078 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_loss_bits,
9079 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9080 if (len > 0) {
9081 quic_add_loss_bits(pinfo, value);
9082 }
9083 offset += 1;
9084 break;
9085 case SSL_HND_QUIC_TP_ADDRESS_DISCOVERY0x9f81a176:
9086 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_address_discovery,
9087 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, NULL((void*)0), &len);
9088 offset += len;
9089 break;
9090 case SSL_HND_QUIC_TP_MIN_ACK_DELAY_OLD0xde1a:
9091 case SSL_HND_QUIC_TP_MIN_ACK_DELAY_DRAFT_V10xFF03DE1A:
9092 case SSL_HND_QUIC_TP_MIN_ACK_DELAY_DRAFT050xff04de1a:
9093 case SSL_HND_QUIC_TP_MIN_ACK_DELAY0xff04de1b:
9094 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_min_ack_delay,
9095 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9096 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
9097 offset += len;
9098 break;
9099 case SSL_HND_QUIC_TP_GOOGLE_USER_AGENT0x3129:
9100 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_user_agent_id,
9101 tvb, offset, parameter_length, ENC_ASCII0x00000000|ENC_NA0x00000000);
9102 offset += parameter_length;
9103 break;
9104 case SSL_HND_QUIC_TP_GOOGLE_KEY_UPDATE_NOT_YET_SUPPORTED0x312B:
9105 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_key_update_not_yet_supported,
9106 tvb, offset, parameter_length, ENC_NA0x00000000);
9107 offset += parameter_length;
9108 break;
9109 case SSL_HND_QUIC_TP_GOOGLE_QUIC_VERSION0x4752:
9110 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_quic_version,
9111 tvb, offset, 4, ENC_BIG_ENDIAN0x00000000);
9112 offset += 4;
9113 if (hnd_type == SSL_HND_ENCRYPTED_EXTENSIONS) { /* From server */
9114 uint32_t versions_length;
9115
9116 proto_tree_add_item_ret_uint(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_supported_versions_length,
9117 tvb, offset, 1, ENC_NA0x00000000, &versions_length);
9118 offset += 1;
9119 for (i = 0; i < versions_length / 4; i++) {
9120 quic_proto_tree_add_version(tvb, parameter_tree,
9121 hf->hf.hs_ext_quictp_parameter_google_supported_version, offset);
9122 offset += 4;
9123 }
9124 }
9125 break;
9126 case SSL_HND_QUIC_TP_GOOGLE_INITIAL_RTT0x3127:
9127 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_initial_rtt,
9128 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9129 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u" " us", value);
9130 offset += len;
9131 break;
9132 case SSL_HND_QUIC_TP_GOOGLE_SUPPORT_HANDSHAKE_DONE0x312A:
9133 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_support_handshake_done,
9134 tvb, offset, parameter_length, ENC_NA0x00000000);
9135 offset += parameter_length;
9136 break;
9137 case SSL_HND_QUIC_TP_GOOGLE_QUIC_PARAMS0x4751:
9138 /* This field was used for non-standard Google-specific parameters encoded as a
9139 * Google QUIC_CRYPTO CHLO and it has been replaced (version >= T051) by individual
9140 * parameters. Report it as a bytes blob... */
9141 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_quic_params,
9142 tvb, offset, parameter_length, ENC_NA0x00000000);
9143 /* ... and try decoding it: not sure what the first 4 bytes are (but they seems to be always 0) */
9144 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_quic_params_unknown_field,
9145 tvb, offset, 4, ENC_NA0x00000000);
9146 dissect_gquic_tags(tvb, pinfo, parameter_tree, offset + 4);
9147 offset += parameter_length;
9148 break;
9149 case SSL_HND_QUIC_TP_GOOGLE_CONNECTION_OPTIONS0x3128:
9150 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_connection_options,
9151 tvb, offset, parameter_length, ENC_NA0x00000000);
9152 offset += parameter_length;
9153 break;
9154 case SSL_HND_QUIC_TP_ENABLE_TIME_STAMP0x7157:
9155 /* No Payload */
9156 break;
9157 case SSL_HND_QUIC_TP_ENABLE_TIME_STAMP_V20x7158:
9158 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_enable_time_stamp_v2,
9159 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9160 offset += parameter_length;
9161 break;
9162 case SSL_HND_QUIC_TP_VERSION_INFORMATION_DRAFT0xff73db:
9163 case SSL_HND_QUIC_TP_VERSION_INFORMATION0x11:
9164 quic_proto_tree_add_version(tvb, parameter_tree,
9165 hf->hf.hs_ext_quictp_parameter_chosen_version, offset);
9166 offset += 4;
9167 for (i = 4; i < parameter_length; i += 4) {
9168 quic_proto_tree_add_version(tvb, parameter_tree,
9169 hf->hf.hs_ext_quictp_parameter_other_version, offset);
9170 offset += 4;
9171 }
9172 break;
9173 case SSL_HND_QUIC_TP_GREASE_QUIC_BIT0x2ab2:
9174 /* No Payload */
9175 quic_add_grease_quic_bit(pinfo);
9176 break;
9177 case SSL_HND_QUIC_TP_FACEBOOK_PARTIAL_RELIABILITY0xFF00:
9178 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_facebook_partial_reliability,
9179 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9180 offset += parameter_length;
9181 break;
9182 case SSL_HND_QUIC_TP_ENABLE_MULTIPATH_DRAFT040x0f739bbc1b666d04:
9183 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_enable_multipath,
9184 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9185 if (value == 1) {
9186 quic_add_multipath(pinfo, QUIC_MP_NO_PATH_ID1);
9187 }
9188 offset += parameter_length;
9189 break;
9190 case SSL_HND_QUIC_TP_ENABLE_MULTIPATH_DRAFT050x0f739bbc1b666d05:
9191 case SSL_HND_QUIC_TP_ENABLE_MULTIPATH0x0f739bbc1b666d06:
9192 /* No Payload */
9193 quic_add_multipath(pinfo, QUIC_MP_NO_PATH_ID1);
9194 break;
9195 case SSL_HND_QUIC_TP_INITIAL_MAX_PATHS0x0f739bbc1b666d07:
9196 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_paths,
9197 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9198 if (value > 1) {
9199 quic_add_multipath(pinfo, QUIC_MP_PATH_ID2);
9200 }
9201 /* multipath draft-07: "The value of the initial_max_paths
9202 * parameter MUST be at least 2." TODO: Expert Info? */
9203 offset += parameter_length;
9204 break;
9205 case SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT090x0f739bbc1b666d09:
9206 case SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT110x0f739bbc1b666d11:
9207 case SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT120x0f739bbc1b666d0c:
9208 case SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT130x0f739bbc1b666d0d:
9209 case SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID0x3e:
9210 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_path_id,
9211 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9212 /* multipath draft-09 and later: "If an endpoint receives an
9213 * initial_max_path_id transport parameter with value 0, the
9214 * peer aims to enable the multipath extension without allowing
9215 * extra paths immediately."
9216 */
9217 quic_add_multipath(pinfo, QUIC_MP_PATH_ID2);
9218 offset += parameter_length;
9219 break;
9220 default:
9221 offset += parameter_length;
9222 /*TODO display expert info about unknown ? */
9223 break;
9224 }
9225
9226 if (!ssl_end_vector(hf, tvb, pinfo, parameter_tree, offset, parameter_end_offset)) {
9227 /* Dissection did not end at expected location, fix it. */
9228 offset = parameter_end_offset;
9229 }
9230 }
9231
9232 return offset;
9233}
9234
9235static int
9236ssl_dissect_hnd_hello_common(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9237 proto_tree *tree, uint32_t offset,
9238 SslSession *session, SslDecryptSession *ssl,
9239 bool_Bool from_server, bool_Bool is_hrr)
9240{
9241 uint8_t sessid_length;
9242 proto_item *ti;
9243 proto_tree *rnd_tree;
9244 proto_tree *ti_rnd;
9245 proto_tree *ech_confirm_tree;
9246 uint8_t draft_version = session->tls13_draft_version;
9247
9248 if (ssl) {
9249 StringInfo *rnd;
9250 if (from_server)
9251 rnd = &ssl->server_random;
9252 else
9253 rnd = &ssl->client_random;
9254
9255 /* save provided random for later keyring generation */
9256 tvb_memcpy(tvb, rnd->data, offset, 32);
9257 rnd->data_len = 32;
9258 if (from_server)
9259 ssl->state |= SSL_SERVER_RANDOM(1<<1);
9260 else
9261 ssl->state |= SSL_CLIENT_RANDOM(1<<0);
9262 ssl_debug_printf("%s found %s RANDOM -> state 0x%02X\n", G_STRFUNC((const char*) (__func__)),
9263 from_server ? "SERVER" : "CLIENT", ssl->state);
9264 }
9265
9266 if (!from_server && session->client_random.data_len == 0) {
9267 session->client_random.data_len = 32;
9268 tvb_memcpy(tvb, session->client_random.data, offset, 32);
9269 }
9270
9271 ti_rnd = proto_tree_add_item(tree, hf->hf.hs_random, tvb, offset, 32, ENC_NA0x00000000);
9272
9273 if ((session->version != TLSV1DOT3_VERSION0x304) && (session->version != DTLSV1DOT3_VERSION0xfefc)) { /* No time on first bytes random with TLS 1.3 */
9274
9275 rnd_tree = proto_item_add_subtree(ti_rnd, hf->ett.hs_random);
9276 /* show the time */
9277 proto_tree_add_item(rnd_tree, hf->hf.hs_random_time,
9278 tvb, offset, 4, ENC_TIME_SECS0x00000012|ENC_BIG_ENDIAN0x00000000);
9279 offset += 4;
9280
9281 /* show the random bytes */
9282 proto_tree_add_item(rnd_tree, hf->hf.hs_random_bytes,
9283 tvb, offset, 28, ENC_NA0x00000000);
9284 offset += 28;
9285 } else {
9286 if (is_hrr) {
9287 proto_item_append_text(ti_rnd, " (HelloRetryRequest magic)");
9288 } else if (from_server && session->ech) {
9289 ech_confirm_tree = proto_item_add_subtree(ti_rnd, hf->ett.hs_random);
9290 proto_tree_add_item(ech_confirm_tree, hf->hf.hs_ech_confirm, tvb, offset + 24, 8, ENC_NA0x00000000);
9291 ti = proto_tree_add_bytes_with_length(ech_confirm_tree, hf->hf.hs_ech_confirm_compute, tvb, offset + 24, 0,
9292 session->ech_confirmation, 8);
9293 proto_item_set_generated(ti);
9294 if (memcmp(session->ech_confirmation, tvb_get_ptr(tvb, offset+24, 8), 8)) {
9295 expert_add_info(pinfo, ti, &hf->ei.ech_rejected);
9296 } else {
9297 expert_add_info(pinfo, ti, &hf->ei.ech_accepted);
9298 }
9299 }
9300
9301 offset += 32;
9302 }
9303
9304 /* No Session ID with TLS 1.3 on Server Hello before draft -22 */
9305 if (from_server == 0 || !(session->version == TLSV1DOT3_VERSION0x304 && draft_version > 0 && draft_version < 22)) {
9306 /* show the session id (length followed by actual Session ID) */
9307 sessid_length = tvb_get_uint8(tvb, offset);
9308 proto_tree_add_item(tree, hf->hf.hs_session_id_len,
9309 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
9310 offset++;
9311
9312 if (ssl) {
9313 /* save the authoritative SID for later use in ChangeCipherSpec.
9314 * (D)TLS restricts the SID to 32 chars, it does not make sense to
9315 * save more, so ignore larger ones. To support ECH, also save
9316 * the SID from the ClientHelloOuter. */
9317 if (sessid_length <= 32 && (from_server || sessid_length > 0)) {
9318 tvb_memcpy(tvb, ssl->session_id.data, offset, sessid_length);
9319 ssl->session_id.data_len = sessid_length;
9320 }
9321 }
9322 if (sessid_length > 0) {
9323 proto_tree_add_item(tree, hf->hf.hs_session_id,
9324 tvb, offset, sessid_length, ENC_NA0x00000000);
9325 offset += sessid_length;
9326 }
9327 }
9328
9329 return offset;
9330}
9331
9332static int
9333ssl_dissect_hnd_hello_ext_status_request(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9334 proto_tree *tree, uint32_t offset, uint32_t offset_end,
9335 bool_Bool has_length)
9336{
9337 /* TLS 1.2/1.3 status_request Client Hello Extension.
9338 * TLS 1.2 status_request_v2 CertificateStatusRequestItemV2 type.
9339 * https://tools.ietf.org/html/rfc6066#section-8 (status_request)
9340 * https://tools.ietf.org/html/rfc6961#section-2.2 (status_request_v2)
9341 * struct {
9342 * CertificateStatusType status_type;
9343 * uint16 request_length; // for status_request_v2
9344 * select (status_type) {
9345 * case ocsp: OCSPStatusRequest;
9346 * case ocsp_multi: OCSPStatusRequest;
9347 * } request;
9348 * } CertificateStatusRequest; // CertificateStatusRequestItemV2
9349 *
9350 * enum { ocsp(1), ocsp_multi(2), (255) } CertificateStatusType;
9351 * struct {
9352 * ResponderID responder_id_list<0..2^16-1>;
9353 * Extensions request_extensions;
9354 * } OCSPStatusRequest;
9355 * opaque ResponderID<1..2^16-1>;
9356 * opaque Extensions<0..2^16-1>;
9357 */
9358 unsigned cert_status_type;
9359
9360 cert_status_type = tvb_get_uint8(tvb, offset);
9361 proto_tree_add_item(tree, hf->hf.hs_ext_cert_status_type,
9362 tvb, offset, 1, ENC_NA0x00000000);
9363 offset++;
9364
9365 if (has_length) {
9366 proto_tree_add_item(tree, hf->hf.hs_ext_cert_status_request_len,
9367 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
9368 offset += 2;
9369 }
9370
9371 switch (cert_status_type) {
9372 case SSL_HND_CERT_STATUS_TYPE_OCSP1:
9373 case SSL_HND_CERT_STATUS_TYPE_OCSP_MULTI2:
9374 {
9375 uint32_t responder_id_list_len;
9376 uint32_t request_extensions_len;
9377
9378 /* ResponderID responder_id_list<0..2^16-1> */
9379 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &responder_id_list_len,
9380 hf->hf.hs_ext_cert_status_responder_id_list_len, 0, UINT16_MAX(65535))) {
9381 return offset_end;
9382 }
9383 offset += 2;
9384 if (responder_id_list_len != 0) {
9385 proto_tree_add_expert_format(tree, pinfo, &hf->ei.hs_ext_cert_status_undecoded,
9386 tvb, offset, responder_id_list_len,
9387 "Responder ID list is not implemented, contact Wireshark"
9388 " developers if you want this to be supported");
9389 }
9390 offset += responder_id_list_len;
9391
9392 /* opaque Extensions<0..2^16-1> */
9393 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &request_extensions_len,
9394 hf->hf.hs_ext_cert_status_request_extensions_len, 0, UINT16_MAX(65535))) {
9395 return offset_end;
9396 }
9397 offset += 2;
9398 if (request_extensions_len != 0) {
9399 proto_tree_add_expert_format(tree, pinfo, &hf->ei.hs_ext_cert_status_undecoded,
9400 tvb, offset, request_extensions_len,
9401 "Request Extensions are not implemented, contact"
9402 " Wireshark developers if you want this to be supported");
9403 }
9404 offset += request_extensions_len;
9405 break;
9406 }
9407 }
9408
9409 return offset;
9410}
9411
9412static unsigned
9413ssl_dissect_hnd_hello_ext_status_request_v2(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9414 proto_tree *tree, uint32_t offset, uint32_t offset_end)
9415{
9416 /* https://tools.ietf.org/html/rfc6961#section-2.2
9417 * struct {
9418 * CertificateStatusRequestItemV2 certificate_status_req_list<1..2^16-1>;
9419 * } CertificateStatusRequestListV2;
9420 */
9421 uint32_t req_list_length, next_offset;
9422
9423 /* CertificateStatusRequestItemV2 certificate_status_req_list<1..2^16-1> */
9424 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &req_list_length,
9425 hf->hf.hs_ext_cert_status_request_list_len, 1, UINT16_MAX(65535))) {
9426 return offset_end;
9427 }
9428 offset += 2;
9429 next_offset = offset + req_list_length;
9430
9431 while (offset < next_offset) {
9432 offset = ssl_dissect_hnd_hello_ext_status_request(hf, tvb, pinfo, tree, offset, next_offset, true1);
9433 }
9434
9435 return offset;
9436}
9437
9438static uint32_t
9439tls_dissect_ocsp_response(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
9440 uint32_t offset, uint32_t offset_end)
9441{
9442 uint32_t response_length;
9443 proto_item *ocsp_resp;
9444 proto_tree *ocsp_resp_tree;
9445 asn1_ctx_t asn1_ctx;
9446
9447 /* opaque OCSPResponse<1..2^24-1>; */
9448 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &response_length,
9449 hf->hf.hs_ocsp_response_len, 1, G_MAXUINT24((1U << 24) - 1))) {
9450 return offset_end;
9451 }
9452 offset += 3;
9453
9454 ocsp_resp = proto_tree_add_item(tree, proto_ocsp, tvb, offset,
9455 response_length, ENC_BIG_ENDIAN0x00000000);
9456 proto_item_set_text(ocsp_resp, "OCSP Response");
9457 ocsp_resp_tree = proto_item_add_subtree(ocsp_resp, hf->ett.ocsp_response);
9458 if (proto_is_protocol_enabled(find_protocol_by_id(proto_ocsp))) {
9459 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true1, pinfo);
9460 dissect_ocsp_OCSPResponse(false0, tvb, offset, &asn1_ctx, ocsp_resp_tree, -1);
9461 }
9462 offset += response_length;
9463
9464 return offset;
9465}
9466
9467uint32_t
9468tls_dissect_hnd_certificate_status(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9469 proto_tree *tree, uint32_t offset, uint32_t offset_end)
9470{
9471 /* TLS 1.2 "CertificateStatus" handshake message.
9472 * TLS 1.3 "status_request" Certificate extension.
9473 * struct {
9474 * CertificateStatusType status_type;
9475 * select (status_type) {
9476 * case ocsp: OCSPResponse;
9477 * case ocsp_multi: OCSPResponseList; // status_request_v2
9478 * } response;
9479 * } CertificateStatus;
9480 * opaque OCSPResponse<1..2^24-1>;
9481 * struct {
9482 * OCSPResponse ocsp_response_list<1..2^24-1>;
9483 * } OCSPResponseList; // status_request_v2
9484 */
9485 uint32_t status_type, resp_list_length, next_offset;
9486
9487 proto_tree_add_item_ret_uint(tree, hf->hf.hs_ext_cert_status_type,
9488 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000, &status_type);
9489 offset += 1;
9490
9491 switch (status_type) {
9492 case SSL_HND_CERT_STATUS_TYPE_OCSP1:
9493 offset = tls_dissect_ocsp_response(hf, tvb, pinfo, tree, offset, offset_end);
9494 break;
9495
9496 case SSL_HND_CERT_STATUS_TYPE_OCSP_MULTI2:
9497 /* OCSPResponse ocsp_response_list<1..2^24-1> */
9498 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &resp_list_length,
9499 hf->hf.hs_ocsp_response_list_len, 1, G_MAXUINT24((1U << 24) - 1))) {
9500 return offset_end;
9501 }
9502 offset += 3;
9503 next_offset = offset + resp_list_length;
9504
9505 while (offset < next_offset) {
9506 offset = tls_dissect_ocsp_response(hf, tvb, pinfo, tree, offset, next_offset);
9507 }
9508 break;
9509 }
9510
9511 return offset;
9512}
9513
9514static unsigned
9515ssl_dissect_hnd_hello_ext_supported_groups(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9516 proto_tree *tree, uint32_t offset, uint32_t offset_end,
9517 wmem_strbuf_t *ja3)
9518{
9519 /* RFC 8446 Section 4.2.7
9520 * enum { ..., (0xFFFF) } NamedGroup;
9521 * struct {
9522 * NamedGroup named_group_list<2..2^16-1>
9523 * } NamedGroupList;
9524 *
9525 * NOTE: "NamedCurve" (RFC 4492) is renamed to "NamedGroup" (RFC 7919) and
9526 * the extension itself from "elliptic_curves" to "supported_groups".
9527 */
9528 uint32_t groups_length, next_offset;
9529 proto_tree *groups_tree;
9530 proto_item *ti;
9531 char *ja3_dash = "";
9532
9533 /* NamedGroup named_group_list<2..2^16-1> */
9534 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &groups_length,
9535 hf->hf.hs_ext_supported_groups_len, 2, UINT16_MAX(65535))) {
9536 return offset_end;
9537 }
9538 offset += 2;
9539 next_offset = offset + groups_length;
9540
9541 ti = proto_tree_add_none_format(tree,
9542 hf->hf.hs_ext_supported_groups,
9543 tvb, offset, groups_length,
9544 "Supported Groups (%d group%s)",
9545 groups_length / 2,
9546 plurality(groups_length/2, "", "s")((groups_length/2) == 1 ? ("") : ("s")));
9547
9548 /* make this a subtree */
9549 groups_tree = proto_item_add_subtree(ti, hf->ett.hs_ext_groups);
9550
9551 if (ja3) {
9552 wmem_strbuf_append_c(ja3, ',');
9553 }
9554 /* loop over all groups */
9555 while (offset + 2 <= offset_end) {
9556 uint32_t ext_supported_group;
9557
9558 proto_tree_add_item_ret_uint(groups_tree, hf->hf.hs_ext_supported_group, tvb, offset, 2,
9559 ENC_BIG_ENDIAN0x00000000, &ext_supported_group);
9560 offset += 2;
9561 if (ja3 && !IS_GREASE_TLS(ext_supported_group)((((ext_supported_group) & 0x0f0f) == 0x0a0a) && (
((ext_supported_group) & 0xff) == (((ext_supported_group)
>>8) & 0xff)))) {
9562 wmem_strbuf_append_printf(ja3, "%s%i",ja3_dash, ext_supported_group);
9563 ja3_dash = "-";
9564 }
9565 }
9566 if (!ssl_end_vector(hf, tvb, pinfo, groups_tree, offset, next_offset)) {
9567 offset = next_offset;
9568 }
9569
9570 return offset;
9571}
9572
9573static int
9574ssl_dissect_hnd_hello_ext_ec_point_formats(ssl_common_dissect_t *hf, tvbuff_t *tvb,
9575 proto_tree *tree, uint32_t offset, wmem_strbuf_t *ja3)
9576{
9577 uint8_t ecpf_length;
9578 proto_tree *ecpf_tree;
9579 proto_item *ti;
9580
9581 ecpf_length = tvb_get_uint8(tvb, offset);
9582 proto_tree_add_item(tree, hf->hf.hs_ext_ec_point_formats_len,
9583 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
9584
9585 offset += 1;
9586 ti = proto_tree_add_none_format(tree,
9587 hf->hf.hs_ext_ec_point_formats,
9588 tvb, offset, ecpf_length,
9589 "Elliptic curves point formats (%d)",
9590 ecpf_length);
9591
9592 /* make this a subtree */
9593 ecpf_tree = proto_item_add_subtree(ti, hf->ett.hs_ext_curves_point_formats);
9594
9595 if (ja3) {
9596 wmem_strbuf_append_c(ja3, ',');
9597 }
9598
9599 /* loop over all point formats */
9600 while (ecpf_length > 0)
9601 {
9602 uint32_t ext_ec_point_format;
9603
9604 proto_tree_add_item_ret_uint(ecpf_tree, hf->hf.hs_ext_ec_point_format, tvb, offset, 1,
9605 ENC_BIG_ENDIAN0x00000000, &ext_ec_point_format);
9606 offset++;
9607 ecpf_length--;
9608 if (ja3) {
9609 wmem_strbuf_append_printf(ja3, "%i", ext_ec_point_format);
9610 if (ecpf_length > 0) {
9611 wmem_strbuf_append_c(ja3, '-');
9612 }
9613 }
9614 }
9615
9616 return offset;
9617}
9618
9619static int
9620ssl_dissect_hnd_hello_ext_srp(ssl_common_dissect_t *hf, tvbuff_t *tvb,
9621 packet_info *pinfo, proto_tree *tree,
9622 uint32_t offset, uint32_t next_offset)
9623{
9624 /* https://tools.ietf.org/html/rfc5054#section-2.8.1
9625 * opaque srp_I<1..2^8-1>;
9626 */
9627 uint32_t username_len;
9628
9629 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, next_offset, &username_len,
9630 hf->hf.hs_ext_srp_len, 1, UINT8_MAX(255))) {
9631 return next_offset;
9632 }
9633 offset++;
9634
9635 proto_tree_add_item(tree, hf->hf.hs_ext_srp_username,
9636 tvb, offset, username_len, ENC_UTF_80x00000002|ENC_NA0x00000000);
9637 offset += username_len;
9638
9639 return offset;
9640}
9641
9642static uint32_t
9643tls_dissect_sct(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
9644 uint32_t offset, uint32_t offset_end, uint16_t version)
9645{
9646 /* https://tools.ietf.org/html/rfc6962#section-3.2
9647 * enum { v1(0), (255) } Version;
9648 * struct {
9649 * opaque key_id[32];
9650 * } LogID;
9651 * opaque CtExtensions<0..2^16-1>;
9652 * struct {
9653 * Version sct_version;
9654 * LogID id;
9655 * uint64 timestamp;
9656 * CtExtensions extensions;
9657 * digitally-signed struct { ... };
9658 * } SignedCertificateTimestamp;
9659 */
9660 uint32_t sct_version;
9661 uint64_t sct_timestamp_ms;
9662 nstime_t sct_timestamp;
9663 uint32_t exts_len;
9664 const char *log_name;
9665
9666 proto_tree_add_item_ret_uint(tree, hf->hf.sct_sct_version, tvb, offset, 1, ENC_NA0x00000000, &sct_version);
9667 offset++;
9668 if (sct_version != 0) {
9669 // TODO expert info about unknown SCT version?
9670 return offset;
9671 }
9672 proto_tree_add_item(tree, hf->hf.sct_sct_logid, tvb, offset, 32, ENC_BIG_ENDIAN0x00000000);
9673 log_name = bytesval_to_str_wmem(pinfo->pool, tvb_get_ptr(tvb, offset, 32), 32, ct_logids, "Unknown Log");
9674 proto_item_append_text(tree, " (%s)", log_name);
9675 offset += 32;
9676 sct_timestamp_ms = tvb_get_ntoh64(tvb, offset);
9677 sct_timestamp.secs = (time_t)(sct_timestamp_ms / 1000);
9678 sct_timestamp.nsecs = (int)((sct_timestamp_ms % 1000) * 1000000);
9679 proto_tree_add_time(tree, hf->hf.sct_sct_timestamp, tvb, offset, 8, &sct_timestamp);
9680 offset += 8;
9681 /* opaque CtExtensions<0..2^16-1> */
9682 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &exts_len,
9683 hf->hf.sct_sct_extensions_length, 0, UINT16_MAX(65535))) {
9684 return offset_end;
9685 }
9686 offset += 2;
9687 if (exts_len > 0) {
9688 proto_tree_add_item(tree, hf->hf.sct_sct_extensions, tvb, offset, exts_len, ENC_BIG_ENDIAN0x00000000);
9689 offset += exts_len;
9690 }
9691 offset = ssl_dissect_digitally_signed(hf, tvb, pinfo, tree, offset, offset_end, version,
9692 hf->hf.sct_sct_signature_length,
9693 hf->hf.sct_sct_signature);
9694 return offset;
9695}
9696
9697uint32_t
9698tls_dissect_sct_list(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
9699 uint32_t offset, uint32_t offset_end, uint16_t version)
9700{
9701 /* https://tools.ietf.org/html/rfc6962#section-3.3
9702 * opaque SerializedSCT<1..2^16-1>;
9703 * struct {
9704 * SerializedSCT sct_list <1..2^16-1>;
9705 * } SignedCertificateTimestampList;
9706 */
9707 uint32_t list_length, sct_length, next_offset;
9708 proto_tree *subtree;
9709
9710 /* SerializedSCT sct_list <1..2^16-1> */
9711 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &list_length,
9712 hf->hf.sct_scts_length, 1, UINT16_MAX(65535))) {
9713 return offset_end;
9714 }
9715 offset += 2;
9716
9717 while (offset < offset_end) {
9718 subtree = proto_tree_add_subtree(tree, tvb, offset, 2, hf->ett.sct, NULL((void*)0), "Signed Certificate Timestamp");
9719
9720 /* opaque SerializedSCT<1..2^16-1> */
9721 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, offset_end, &sct_length,
9722 hf->hf.sct_sct_length, 1, UINT16_MAX(65535))) {
9723 return offset_end;
9724 }
9725 offset += 2;
9726 next_offset = offset + sct_length;
9727 proto_item_set_len(subtree, 2 + sct_length);
9728 offset = tls_dissect_sct(hf, tvb, pinfo, subtree, offset, next_offset, version);
9729 if (!ssl_end_vector(hf, tvb, pinfo, subtree, offset, next_offset)) {
9730 offset = next_offset;
9731 }
9732 }
9733
9734 return offset;
9735}
9736
9737static int
9738dissect_ech_hpke_cipher_suite(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo _U___attribute__((unused)),
9739 proto_tree *tree, uint32_t offset)
9740{
9741 uint32_t kdf_id, aead_id;
9742 proto_item *cs_ti;
9743 proto_tree *cs_tree;
9744
9745 cs_ti = proto_tree_add_item(tree, hf->hf.ech_hpke_keyconfig_cipher_suite,
9746 tvb, offset, 4, ENC_NA0x00000000);
9747 cs_tree = proto_item_add_subtree(cs_ti, hf->ett.ech_hpke_cipher_suite);
9748
9749 proto_tree_add_item_ret_uint(cs_tree, hf->hf.ech_hpke_keyconfig_cipher_suite_kdf_id,
9750 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &kdf_id);
9751 offset += 2;
9752 proto_tree_add_item_ret_uint(cs_tree, hf->hf.ech_hpke_keyconfig_cipher_suite_aead_id,
9753 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &aead_id);
9754 offset += 2;
9755
9756 proto_item_append_text(cs_ti, ": %s/%s",
9757 val_to_str_const(kdf_id, kdf_id_type_vals, "Unknown"),
9758 val_to_str_const(aead_id, aead_id_type_vals, "Unknown"));
9759 return offset;
9760}
9761
9762static int
9763dissect_ech_hpke_key_config(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9764 proto_tree *tree, uint32_t offset, uint32_t offset_end,
9765 uint32_t *config_id)
9766{
9767 uint32_t length, cipher_suite_length;
9768 proto_item *kc_ti, *css_ti;
9769 proto_tree *kc_tree, *css_tree;
9770 uint32_t original_offset = offset, next_offset;
9771
9772 kc_ti = proto_tree_add_item(tree, hf->hf.ech_hpke_keyconfig,
9773 tvb, offset, -1, ENC_NA0x00000000);
9774 kc_tree = proto_item_add_subtree(kc_ti, hf->ett.ech_hpke_keyconfig);
9775
9776 proto_tree_add_item_ret_uint(kc_tree, hf->hf.ech_hpke_keyconfig_config_id,
9777 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000, config_id);
9778 offset += 1;
9779 proto_tree_add_item(kc_tree, hf->hf.ech_hpke_keyconfig_kem_id,
9780 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
9781 offset += 2;
9782 proto_tree_add_item_ret_uint(kc_tree, hf->hf.ech_hpke_keyconfig_public_key_length,
9783 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &length);
9784 offset += 2;
9785 proto_tree_add_item(kc_tree, hf->hf.ech_hpke_keyconfig_public_key,
9786 tvb, offset, length, ENC_NA0x00000000);
9787 offset += length;
9788
9789 /* HpkeSymmetricCipherSuite cipher_suites<4..2^16-4> */
9790 if (!ssl_add_vector(hf, tvb, pinfo, kc_tree, offset, offset_end, &cipher_suite_length,
9791 hf->hf.ech_hpke_keyconfig_cipher_suites_length, 4, UINT16_MAX(65535) - 3)) {
9792 return offset_end;
9793 }
9794 offset += 2;
9795 next_offset = offset + cipher_suite_length;
9796
9797 css_ti = proto_tree_add_none_format(kc_tree,
9798 hf->hf.ech_hpke_keyconfig_cipher_suites,
9799 tvb, offset, cipher_suite_length,
9800 "Cipher Suites (%d suite%s)",
9801 cipher_suite_length / 4,
9802 plurality(cipher_suite_length / 4, "", "s")((cipher_suite_length / 4) == 1 ? ("") : ("s")));
9803 css_tree = proto_item_add_subtree(css_ti, hf->ett.ech_hpke_cipher_suites);
9804
9805
9806 while (offset + 4 <= next_offset) {
9807 offset = dissect_ech_hpke_cipher_suite(hf, tvb, pinfo, css_tree, offset);
9808 }
9809
9810 if (!ssl_end_vector(hf, tvb, pinfo, css_tree, offset, next_offset)) {
9811 offset = next_offset;
9812 }
9813
9814 proto_item_set_len(kc_ti, offset - original_offset);
9815
9816 return offset;
9817}
9818
9819static int
9820dissect_ech_echconfig_contents(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9821 proto_tree *tree, uint32_t offset, uint32_t offset_end,
9822 const uint8_t **public_name, uint32_t *config_id)
9823{
9824 uint32_t public_name_length, extensions_length, next_offset;
9825
9826 offset = dissect_ech_hpke_key_config(hf, tvb, pinfo, tree, offset, offset_end, config_id);
9827 proto_tree_add_item(tree, hf->hf.ech_echconfigcontents_maximum_name_length,
9828 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
9829 offset += 1;
9830 proto_tree_add_item_ret_uint(tree, hf->hf.ech_echconfigcontents_public_name_length,
9831 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000, &public_name_length);
9832 offset += 1;
9833 proto_tree_add_item_ret_string(tree, hf->hf.ech_echconfigcontents_public_name,
9834 tvb, offset, public_name_length, ENC_ASCII0x00000000, pinfo->pool, public_name);
9835 offset += public_name_length;
9836
9837 /* Extension extensions<0..2^16-1>; */
9838 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &extensions_length,
9839 hf->hf.ech_echconfigcontents_extensions_length, 0, UINT16_MAX(65535))) {
9840 return offset_end;
9841 }
9842 offset += 2;
9843 next_offset = offset + extensions_length;
9844
9845 if (extensions_length > 0) {
9846 proto_tree_add_item(tree, hf->hf.ech_echconfigcontents_extensions,
9847 tvb, offset, extensions_length, ENC_NA0x00000000);
9848 }
9849 offset += extensions_length;
9850
9851 if (!ssl_end_vector(hf, tvb, pinfo, tree, offset, next_offset)) {
9852 offset = next_offset;
9853 }
9854
9855 return offset;
9856}
9857
9858static int
9859dissect_ech_echconfig(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9860 proto_tree *tree, uint32_t offset, uint32_t offset_end)
9861{
9862 uint32_t version, length;
9863 proto_item *ech_ti;
9864 proto_tree *ech_tree;
9865 const uint8_t *public_name = NULL((void*)0);
9866 uint32_t config_id = 0;
9867
9868 ech_ti = proto_tree_add_item(tree, hf->hf.ech_echconfig, tvb, offset, -1, ENC_NA0x00000000);
9869 ech_tree = proto_item_add_subtree(ech_ti, hf->ett.ech_echconfig);
9870
9871 proto_tree_add_item_ret_uint(ech_tree, hf->hf.ech_echconfig_version,
9872 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &version);
9873 offset += 2;
9874 proto_tree_add_item_ret_uint(ech_tree, hf->hf.ech_echconfig_length,
9875 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &length);
9876 offset += 2;
9877
9878 proto_item_set_len(ech_ti, 4 + length);
9879
9880 switch(version) {
9881 case 0xfe0d:
9882 dissect_ech_echconfig_contents(hf, tvb, pinfo, ech_tree, offset, offset_end, &public_name, &config_id);
9883 proto_item_append_text(ech_ti, ": id=%d %s", config_id, public_name);
9884 break;
9885
9886 default:
9887 expert_add_info_format(pinfo, ech_ti, &hf->ei.ech_echconfig_invalid_version, "Unsupported/unknown ECHConfig version 0x%x", version);
9888 }
9889
9890 return 4 + length;
9891}
9892
9893uint32_t
9894ssl_dissect_ext_ech_echconfiglist(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9895 proto_tree *tree, uint32_t offset, uint32_t offset_end)
9896{
9897 uint32_t echconfiglist_length, next_offset;
9898
9899 /* ECHConfig ECHConfigList<1..2^16-1>; */
9900 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &echconfiglist_length,
9901 hf->hf.ech_echconfiglist_length, 1, UINT16_MAX(65535))) {
9902 return offset_end;
9903 }
9904 offset += 2;
9905 next_offset = offset + echconfiglist_length;
9906
9907 while (offset < next_offset) {
9908 offset += dissect_ech_echconfig(hf, tvb, pinfo, tree, offset, offset_end);
9909 }
9910
9911 if (!ssl_end_vector(hf, tvb, pinfo, tree, offset, next_offset)) {
9912 offset = next_offset;
9913 }
9914
9915 return offset;
9916}
9917
9918static uint32_t
9919ssl_dissect_hnd_ech_outer_ext(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
9920 uint32_t offset, uint32_t offset_end)
9921{
9922 uint32_t ext_length, next_offset;
9923 proto_tree *ext_tree;
9924 proto_item *ti;
9925
9926 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &ext_length,
9927 hf->hf.hs_ext_ech_outer_ext_len, 2, UINT8_MAX(255))) {
9928 return offset_end;
9929 }
9930 offset += 1;
9931 next_offset = offset + ext_length;
9932
9933 ti = proto_tree_add_none_format(tree,
9934 hf->hf.hs_ext_ech_outer_ext,
9935 tvb, offset, ext_length,
9936 "Outer Extensions (%d extension%s)",
9937 ext_length / 2,
9938 plurality(ext_length/2, "", "s")((ext_length/2) == 1 ? ("") : ("s")));
9939
9940 ext_tree = proto_item_add_subtree(ti, hf->ett.hs_ext);
9941
9942 while (offset + 2 <= offset_end) {
9943 proto_tree_add_item(ext_tree, hf->hf.hs_ext_type, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
9944 offset += 2;
9945 }
9946
9947 if (!ssl_end_vector(hf, tvb, pinfo, ext_tree, offset, next_offset)) {
9948 offset = next_offset;
9949 }
9950
9951 return offset;
9952}
9953
9954static uint32_t
9955// NOLINTNEXTLINE(misc-no-recursion)
9956ssl_dissect_hnd_hello_ext_ech(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9957 proto_tree *tree, uint32_t offset, uint32_t offset_end,
9958 uint8_t hnd_type, SslSession *session, SslDecryptSession *ssl, ssl_master_key_map_t *mk_map)
9959{
9960 uint32_t ch_type, length;
9961 proto_item *ti, *payload_ti;
9962 proto_tree *retry_tree, *payload_tree;
9963 uint32_t hello_length = tvb_reported_length(tvb);
9964
9965 switch (hnd_type) {
9966 case SSL_HND_CLIENT_HELLO:
9967 /*
9968 * enum { outer(0), inner(1) } ECHClientHelloType;
9969 *
9970 * struct {
9971 * ECHClientHelloType type;
9972 * select (ECHClientHello.type) {
9973 * case outer:
9974 * HpkeSymmetricCipherSuite cipher_suite;
9975 * uint8 config_id;
9976 * opaque enc<0..2^16-1>;
9977 * opaque payload<1..2^16-1>;
9978 * case inner:
9979 * Empty;
9980 * };
9981 * } ECHClientHello;
9982 */
9983
9984 proto_tree_add_item_ret_uint(tree, hf->hf.ech_clienthello_type, tvb, offset, 1, ENC_BIG_ENDIAN0x00000000, &ch_type);
9985 offset += 1;
9986 switch (ch_type) {
9987 case 0: /* outer */
9988 if (ssl && session->first_ch_ech_frame == 0) {
9989 session->first_ch_ech_frame = pinfo->num;
9990 }
9991 offset = dissect_ech_hpke_cipher_suite(hf, tvb, pinfo, tree, offset);
9992 uint16_t kdf_id = tvb_get_ntohs(tvb, offset - 4);
9993 uint16_t aead_id = tvb_get_ntohs(tvb, offset - 2);
9994
9995 proto_tree_add_item(tree, hf->hf.ech_config_id, tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
9996 uint8_t config_id = tvb_get_uint8(tvb, offset);
9997 offset += 1;
9998 proto_tree_add_item_ret_uint(tree, hf->hf.ech_enc_length, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &length);
9999 offset += 2;
10000 proto_tree_add_item(tree, hf->hf.ech_enc, tvb, offset, length, ENC_NA0x00000000);
10001 offset += length;
10002 proto_tree_add_item_ret_uint(tree, hf->hf.ech_payload_length, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &length);
10003 offset += 2;
10004 payload_ti = proto_tree_add_item(tree, hf->hf.ech_payload, tvb, offset, length, ENC_NA0x00000000);
10005 offset += length;
10006
10007 if (!mk_map) {
10008 break;
10009 }
10010 if (session->client_random.data_len == 0) {
10011 ssl_debug_printf("%s missing Client Random\n", G_STRFUNC((const char*) (__func__)));
10012 break;
10013 }
10014 StringInfo *ech_secret = (StringInfo *)g_hash_table_lookup(mk_map->ech_secret, &session->client_random);
10015 StringInfo *ech_config = (StringInfo *)g_hash_table_lookup(mk_map->ech_config, &session->client_random);
10016 if (!ech_secret || !ech_config) {
10017 ssl_debug_printf("%s Cannot find ECH_SECRET or ECH_CONFIG, Encrypted Client Hello decryption impossible\n",
10018 G_STRFUNC((const char*) (__func__)));
10019 break;
10020 }
10021
10022 if (hpke_hkdf_len(kdf_id) == 0) {
10023 ssl_debug_printf("Unsupported KDF\n");
10024 break;
10025 }
10026
10027 if (hpke_aead_key_len(aead_id) == 0) {
10028 ssl_debug_printf("Unsupported AEAD\n");
10029 break;
10030 }
10031
10032 size_t aead_nonce_len = hpke_aead_nonce_len(aead_id);
10033
10034 unsigned aead_auth_tag_len = hpke_aead_auth_tag_len(aead_id);
10035 if (length < aead_auth_tag_len) {
10036 ssl_debug_printf("Encrypted payload length %u < Cipher suite authentication tag length %u.\n", length, aead_auth_tag_len);
10037 break;
10038 }
10039 unsigned decrypted_len = length - aead_auth_tag_len;
10040
10041 uint16_t version = GUINT16_FROM_BE(*(uint16_t *)ech_config->data)(((((guint16) ( (guint16) ((guint16) (*(uint16_t *)ech_config
->data) >> 8) | (guint16) ((guint16) (*(uint16_t *)ech_config
->data) << 8))))));
10042 if (version != SSL_HND_HELLO_EXT_ENCRYPTED_CLIENT_HELLO65037) {
10043 ssl_debug_printf("Unexpected version in ECH Config\n");
10044 break;
10045 }
10046 uint32_t ech_config_offset = 2;
10047 if (GUINT16_FROM_BE(*(uint16_t *)(ech_config->data + ech_config_offset))(((((guint16) ( (guint16) ((guint16) (*(uint16_t *)(ech_config
->data + ech_config_offset)) >> 8) | (guint16) ((guint16
) (*(uint16_t *)(ech_config->data + ech_config_offset)) <<
8)))))) != ech_config->data_len - 4) {
10048 ssl_debug_printf("Malformed ECH Config, invalid length\n");
10049 break;
10050 }
10051 ech_config_offset += 2;
10052 if (*(ech_config->data + ech_config_offset) != config_id) {
10053 ssl_debug_printf("ECH Config version mismatch\n");
10054 break;
10055 }
10056 ech_config_offset += 1;
10057 uint16_t kem_id_be = *(uint16_t *)(ech_config->data + ech_config_offset);
10058 uint16_t kem_id = GUINT16_FROM_BE(kem_id_be)(((((guint16) ( (guint16) ((guint16) (kem_id_be) >> 8) |
(guint16) ((guint16) (kem_id_be) << 8))))));
10059 uint8_t suite_id[HPKE_SUIT_ID_LEN10];
10060 hpke_suite_id(kem_id, kdf_id, aead_id, suite_id);
10061 GByteArray *info = g_byte_array_new();
10062 g_byte_array_append(info, (const uint8_t*)"tls ech", 8);
10063 g_byte_array_append(info, ech_config->data, ech_config->data_len);
10064 uint8_t key[AEAD_MAX_KEY_LENGTH32];
10065 uint8_t base_nonce[HPKE_AEAD_NONCE_LENGTH12];
10066 if (hpke_key_schedule(kdf_id, aead_id, ech_secret->data, ech_secret->data_len, suite_id, info->data, info->len, HPKE_MODE_BASE0,
10067 key, base_nonce)) {
10068 g_byte_array_free(info, TRUE(!(0)));
10069 break;
10070 }
10071 g_byte_array_free(info, TRUE(!(0)));
10072 gcry_cipher_hd_t cipher;
10073 if (hpke_setup_aead(&cipher, aead_id, key) ||
10074 hpke_set_nonce(cipher, !session->hrr_ech_declined && pinfo->num > session->first_ch_ech_frame, base_nonce, aead_nonce_len)) {
10075 gcry_cipher_close(cipher);
10076 break;
10077 }
10078 const uint8_t *payload = tvb_get_ptr(tvb, offset - length, length);
10079 uint8_t *ech_aad = (uint8_t *)wmem_alloc(NULL((void*)0), hello_length);
10080 tvb_memcpy(tvb, ech_aad, 0, hello_length);
10081 memset(ech_aad + offset - length, 0, length);
10082 if (gcry_cipher_authenticate(cipher, ech_aad, hello_length)) {
10083 gcry_cipher_close(cipher);
10084 wmem_free(NULL((void*)0), ech_aad);
10085 break;
10086 }
10087 wmem_free(NULL((void*)0), ech_aad);
10088 uint8_t *ech_decrypted_data = (uint8_t *)wmem_alloc(pinfo->pool, decrypted_len);
10089 if (gcry_cipher_decrypt(cipher, ech_decrypted_data, decrypted_len, payload, decrypted_len)) {
10090 gcry_cipher_close(cipher);
10091 break;
10092 }
10093 unsigned char *ech_auth_tag_calc = wmem_alloc0(pinfo->pool, aead_auth_tag_len);
10094 if (gcry_cipher_gettag(cipher, ech_auth_tag_calc, aead_auth_tag_len)) {
10095 gcry_cipher_close(cipher);
10096 break;
10097 }
10098 if (ssl && !session->hrr_ech_declined && session->first_ch_ech_frame == pinfo->num)
10099 memcpy(session->first_ech_auth_tag, ech_auth_tag_calc, aead_auth_tag_len);
10100 gcry_cipher_close(cipher);
10101 if (memcmp(pinfo->num > session->first_ch_ech_frame ? ech_auth_tag_calc : session->first_ech_auth_tag,
10102 payload + decrypted_len, aead_auth_tag_len)) {
10103 ssl_debug_printf("%s ECH auth tag mismatch\n", G_STRFUNC((const char*) (__func__)));
10104 } else {
10105 payload_tree = proto_item_add_subtree(payload_ti, hf->ett.ech_decrypt);
10106 tvbuff_t *ech_tvb = tvb_new_child_real_data(tvb, ech_decrypted_data, decrypted_len, decrypted_len);
10107 add_new_data_source(pinfo, ech_tvb, "Client Hello Inner");
10108 if (ssl) {
10109 tvb_memcpy(ech_tvb, ssl->client_random.data, 2, 32);
10110 uint32_t len_offset = ssl->ech_transcript.data_len;
10111 if (ssl->ech_transcript.data_len > 0)
10112 ssl->ech_transcript.data = (unsigned char*)wmem_realloc(wmem_file_scope(), ssl->ech_transcript.data,
10113 ssl->ech_transcript.data_len + hello_length + 4);
10114 else
10115 ssl->ech_transcript.data = (unsigned char*)wmem_alloc(wmem_file_scope(), hello_length + 4);
10116 ssl->ech_transcript.data[ssl->ech_transcript.data_len] = SSL_HND_CLIENT_HELLO;
10117 ssl->ech_transcript.data[ssl->ech_transcript.data_len + 1] = 0;
10118 /* Copy ClientHelloInner up to the legacy_session_id field. */
10119 tvb_memcpy(ech_tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len + 4, 0, 34);
10120 ssl->ech_transcript.data_len += 38;
10121 /* Now copy the legacy_session_id field from ClientHelloOuter. */
10122 ssl->ech_transcript.data[ssl->ech_transcript.data_len] = ssl->session_id.data_len;
10123 ssl->ech_transcript.data_len++;
10124 memcpy(&ssl->ech_transcript.data[ssl->ech_transcript.data_len], ssl->session_id.data, ssl->session_id.data_len);
10125 ssl->ech_transcript.data_len += ssl->session_id.data_len;
10126 /* Skip past the legacy_session_id field in ClientHelloInner
10127 * (which should be the empty string, i.e. just a 0 size.) */
10128 uint32_t ech_offset = 35 + tvb_get_uint8(ech_tvb, 34);
10129 /* Copy the Cipher Suites from ClientHelloInner. */
10130 tvb_memcpy(ech_tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len, ech_offset,
10131 2 + tvb_get_ntohs(ech_tvb, ech_offset));
10132 ssl->ech_transcript.data_len += 2 + tvb_get_ntohs(ech_tvb, ech_offset);
10133 ech_offset += 2 + tvb_get_ntohs(ech_tvb, ech_offset);
10134 /* Copy the Compression Methods */
10135 tvb_memcpy(ech_tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len, ech_offset,
10136 1 + tvb_get_uint8(ech_tvb, ech_offset));
10137 ssl->ech_transcript.data_len += 1 + tvb_get_uint8(ech_tvb, ech_offset);
10138 ech_offset += 1 + tvb_get_uint8(ech_tvb, ech_offset);
10139 /* Now replace extensions in ech_outer_extensions with the
10140 * data from ClientHelloOuter. */
10141 uint32_t ech_extensions_len_offset = ssl->ech_transcript.data_len;
10142 ssl->ech_transcript.data_len += 2;
10143 uint32_t extensions_end = ech_offset + tvb_get_ntohs(ech_tvb, ech_offset) + 2;
10144 ech_offset += 2;
10145 while (extensions_end - ech_offset >= 4) {
10146 uint16_t ext_type = tvb_get_ntohs(ech_tvb, ech_offset);
10147 ech_offset += 2;
10148 uint16_t ext_len = tvb_get_ntohs(ech_tvb, ech_offset);
10149 ech_offset += 2;
10150 if (ext_type != SSL_HND_HELLO_EXT_ECH_OUTER_EXTENSIONS64768) {
10151 /* Copy this extension directly */
10152 tvb_memcpy(ech_tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len,
10153 ech_offset - 4, 4 + ext_len);
10154 ssl->ech_transcript.data_len += 4 + ext_len;
10155 ech_offset += ext_len;
10156 } else if (ext_len > 0) {
10157 unsigned num_ech_outer_extensions = tvb_get_uint8(ech_tvb, ech_offset);
10158 ech_offset += 1;
10159 uint32_t ech_outer_extensions_end = ech_offset + num_ech_outer_extensions;
10160 /* In ClientHelloOuter, skip past the legacy_session_id */
10161 uint32_t outer_offset = 35 + tvb_get_uint8(tvb, 34);
10162 /* Skip past Cipher Suites */
10163 outer_offset += tvb_get_ntohs(tvb, outer_offset) + 2;
10164 /* Skip past Compression Methods */
10165 outer_offset += tvb_get_uint8(tvb, outer_offset) + 3;
10166 /* Now at the start of ClientHelloOuter's extensions */
10167 while (ech_outer_extensions_end - ech_offset >= 2) {
10168 ext_type = tvb_get_ntohs(ech_tvb, ech_offset);
10169 if (ext_type == SSL_HND_HELLO_EXT_ENCRYPTED_CLIENT_HELLO65037) {
10170 ssl_debug_printf("Illegal parameter; encrypted_client_hello cannot appear within ech_outer_extensions\n");
10171 /* This could lead to a buffer overflow by
10172 * making the post-copying ClientHelloInner
10173 * longer than ClientHelloOuter and is
10174 * illegal, so don't copy. */
10175 break;
10176 }
10177 bool_Bool found = false0;
10178 while (tvb_reported_length_remaining(tvb, outer_offset) >= 4) {
10179 uint16_t outer_ext_type = tvb_get_ntohs(tvb, outer_offset);
10180 uint16_t outer_ext_len = tvb_get_ntohs(tvb, outer_offset + 2);
10181 if (ext_type == outer_ext_type) {
10182 tvb_memcpy(tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len, outer_offset,
10183 4 + outer_ext_len);
10184 ssl->ech_transcript.data_len += 4 + outer_ext_len;
10185 outer_offset += 4 + outer_ext_len;
10186 found = true1;
10187 break;
10188 } else {
10189 outer_offset += 4 + outer_ext_len;
10190 }
10191 }
10192 if (!found) {
10193 ssl_debug_printf("Extension %s was not found in ClientHelloOuter (possibly out of order or referenced more than once)\n", val_to_str(pinfo->pool, ext_type, tls_hello_extension_types, "unknown (0x%02x)"));
10194 }
10195 ech_offset += 2;
10196 }
10197 }
10198 }
10199 uint16_t ech_extensions_len_be = GUINT16_TO_BE(ssl->ech_transcript.data_len - ech_extensions_len_offset - 2)((((guint16) ( (guint16) ((guint16) (ssl->ech_transcript.data_len
- ech_extensions_len_offset - 2) >> 8) | (guint16) ((guint16
) (ssl->ech_transcript.data_len - ech_extensions_len_offset
- 2) << 8)))));
10200 *(ssl->ech_transcript.data + ech_extensions_len_offset) = ech_extensions_len_be & 0xff;
10201 *(ssl->ech_transcript.data + ech_extensions_len_offset + 1) = (ech_extensions_len_be >> 8);
10202 *(ssl->ech_transcript.data + len_offset + 2) = ((ssl->ech_transcript.data_len - len_offset - 4) >> 8);
10203 *(ssl->ech_transcript.data + len_offset + 3) = (ssl->ech_transcript.data_len - len_offset - 4) & 0xff;
10204 }
10205 uint32_t ech_padding_begin = (uint32_t)ssl_dissect_hnd_cli_hello(hf, ech_tvb, pinfo, payload_tree, 0, decrypted_len, session,
10206 ssl, NULL((void*)0), mk_map);
10207 if (ech_padding_begin < decrypted_len) {
10208 proto_tree_add_item(payload_tree, hf->hf.ech_padding_data, ech_tvb, ech_padding_begin, decrypted_len - ech_padding_begin,
10209 ENC_NA0x00000000);
10210 }
10211 }
10212
10213 break;
10214 case 1: /* inner */
10215 break;
10216 }
10217 break;
10218
10219 case SSL_HND_ENCRYPTED_EXTENSIONS:
10220 /*
10221 * struct {
10222 * ECHConfigList retry_configs;
10223 * } ECHEncryptedExtensions;
10224 */
10225
10226 ti = proto_tree_add_item(tree, hf->hf.ech_retry_configs, tvb, offset, offset_end - offset, ENC_NA0x00000000);
10227 retry_tree = proto_item_add_subtree(ti, hf->ett.ech_retry_configs);
10228 offset = ssl_dissect_ext_ech_echconfiglist(hf, tvb, pinfo, retry_tree, offset, offset_end);
10229 break;
10230
10231 case SSL_HND_HELLO_RETRY_REQUEST:
10232 /*
10233 * struct {
10234 * opaque confirmation[8];
10235 * } ECHHelloRetryRequest;
10236 */
10237
10238 proto_tree_add_item(tree, hf->hf.ech_confirmation, tvb, offset, 8, ENC_NA0x00000000);
10239 if (session->ech) {
10240 ti = proto_tree_add_bytes_with_length(tree, hf->hf.hs_ech_confirm_compute, tvb, offset, 0, session->hrr_ech_confirmation, 8);
10241 proto_item_set_generated(ti);
10242 if (memcmp(session->hrr_ech_confirmation, tvb_get_ptr(tvb, offset, 8), 8)) {
10243 expert_add_info(pinfo, ti, &hf->ei.ech_rejected);
10244 } else {
10245 expert_add_info(pinfo, ti, &hf->ei.ech_accepted);
10246 }
10247 }
10248 offset += 8;
10249 break;
10250 }
10251
10252 return offset;
10253}
10254
10255static uint32_t
10256ssl_dissect_hnd_hello_ext_esni(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
10257 proto_tree *tree, uint32_t offset, uint32_t offset_end,
10258 uint8_t hnd_type, SslDecryptSession *ssl _U___attribute__((unused)))
10259{
10260 uint32_t record_digest_length, encrypted_sni_length;
10261
10262 switch (hnd_type) {
10263 case SSL_HND_CLIENT_HELLO:
10264 /*
10265 * struct {
10266 * CipherSuite suite;
10267 * KeyShareEntry key_share;
10268 * opaque record_digest<0..2^16-1>;
10269 * opaque encrypted_sni<0..2^16-1>;
10270 * } ClientEncryptedSNI;
10271 */
10272 proto_tree_add_item(tree, hf->hf.esni_suite, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
10273 offset += 2;
10274 offset = ssl_dissect_hnd_hello_ext_key_share_entry(hf, tvb, pinfo, tree, offset, offset_end, NULL((void*)0));
10275
10276 /* opaque record_digest<0..2^16-1> */
10277 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &record_digest_length,
10278 hf->hf.esni_record_digest_length, 0, UINT16_MAX(65535))) {
10279 return offset_end;
10280 }
10281 offset += 2;
10282 if (record_digest_length > 0) {
10283 proto_tree_add_item(tree, hf->hf.esni_record_digest, tvb, offset, record_digest_length, ENC_NA0x00000000);
10284 offset += record_digest_length;
10285 }
10286
10287 /* opaque encrypted_sni<0..2^16-1> */
10288 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &encrypted_sni_length,
10289 hf->hf.esni_encrypted_sni_length, 0, UINT16_MAX(65535))) {
10290 return offset_end;
10291 }
10292 offset += 2;
10293 if (encrypted_sni_length > 0) {
10294 proto_tree_add_item(tree, hf->hf.esni_encrypted_sni, tvb, offset, encrypted_sni_length, ENC_NA0x00000000);
10295 offset += encrypted_sni_length;
10296 }
10297 break;
10298
10299 case SSL_HND_ENCRYPTED_EXTENSIONS:
10300 proto_tree_add_item(tree, hf->hf.esni_nonce, tvb, offset, 16, ENC_NA0x00000000);
10301 offset += 16;
10302 break;
10303 }
10304
10305 return offset;
10306}
10307/** TLS Extensions (in Client Hello and Server Hello). }}} */
10308
10309/* Connection ID dissection. {{{ */
10310static uint32_t
10311ssl_dissect_ext_connection_id(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
10312 proto_tree *tree, uint32_t offset, SslDecryptSession *ssl,
10313 uint8_t cidl, uint8_t **session_cid, uint8_t *session_cidl)
10314{
10315 /* keep track of the decrypt session only for the first pass */
10316 if (cidl > 0 && !PINFO_FD_VISITED(pinfo)((pinfo)->fd->visited)) {
10317 tvb_ensure_bytes_exist(tvb, offset + 1, cidl);
10318 *session_cidl = cidl;
10319 *session_cid = (uint8_t*)wmem_alloc0(wmem_file_scope(), cidl);
10320 tvb_memcpy(tvb, *session_cid, offset + 1, cidl);
10321 if (ssl) {
10322 ssl_add_session_by_cid(ssl);
10323 }
10324 }
10325
10326 proto_tree_add_item(tree, hf->hf.hs_ext_connection_id_length,
10327 tvb, offset, 1, ENC_NA0x00000000);
10328 offset++;
10329
10330 if (cidl > 0) {
10331 proto_tree_add_item(tree, hf->hf.hs_ext_connection_id,
10332 tvb, offset, cidl, ENC_NA0x00000000);
10333 offset += cidl;
10334 }
10335
10336 return offset;
10337}
10338
10339static uint32_t
10340ssl_dissect_hnd_hello_ext_connection_id(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
10341 proto_tree *tree, uint32_t offset, uint8_t hnd_type,
10342 SslSession *session, SslDecryptSession *ssl)
10343{
10344 uint8_t cidl = tvb_get_uint8(tvb, offset);
10345
10346 switch (hnd_type) {
10347 case SSL_HND_CLIENT_HELLO:
10348 session->client_cid_len_present = true1;
10349 return ssl_dissect_ext_connection_id(hf, tvb, pinfo, tree, offset, ssl,
10350 cidl, &session->client_cid, &session->client_cid_len);
10351 case SSL_HND_SERVER_HELLO:
10352 session->server_cid_len_present = true1;
10353 return ssl_dissect_ext_connection_id(hf, tvb, pinfo, tree, offset, ssl,
10354 cidl, &session->server_cid, &session->server_cid_len);
10355 default:
10356 return offset;
10357 }
10358} /* }}} */
10359
10360/* Trusted CA dissection. {{{ */
10361static uint32_t
10362ssl_dissect_hnd_hello_ext_trusted_ca_keys(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
10363 uint32_t offset, uint32_t offset_end)
10364{
10365 proto_item *ti;
10366 proto_tree *subtree;
10367 uint32_t keys_length, next_offset;
10368
10369 /*
10370 * struct {
10371 * TrustedAuthority trusted_authorities_list<0..2^16-1>;
10372 * } TrustedAuthorities;
10373 *
10374 * struct {
10375 * IdentifierType identifier_type;
10376 * select (identifier_type) {
10377 * case pre_agreed: struct {};
10378 * case key_sha1_hash: SHA1Hash;
10379 * case x509_name: DistinguishedName;
10380 * case cert_sha1_hash: SHA1Hash;
10381 * } identifier;
10382 * } TrustedAuthority;
10383 *
10384 * enum {
10385 * pre_agreed(0), key_sha1_hash(1), x509_name(2),
10386 * cert_sha1_hash(3), (255)
10387 * } IdentifierType;
10388 *
10389 * opaque DistinguishedName<1..2^16-1>;
10390 *
10391 */
10392
10393
10394 /* TrustedAuthority trusted_authorities_list<0..2^16-1> */
10395 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &keys_length, hf->hf.hs_ext_trusted_ca_keys_len,
10396 0, UINT16_MAX(65535)))
10397 {
10398 return offset_end;
10399 }
10400 offset += 2;
10401 next_offset = offset + keys_length;
10402
10403 if (keys_length > 0)
10404 {
10405 ti = proto_tree_add_none_format(tree, hf->hf.hs_ext_trusted_ca_keys_list, tvb, offset, keys_length,
10406 "Trusted CA keys (%d byte%s)", keys_length, plurality(keys_length, "", "s")((keys_length) == 1 ? ("") : ("s")));
10407 subtree = proto_item_add_subtree(ti, hf->ett.hs_ext_trusted_ca_keys);
10408
10409 while (offset < next_offset)
10410 {
10411 uint32_t identifier_type;
10412 proto_tree *trusted_key_tree;
10413 proto_item *trusted_key_item;
10414 asn1_ctx_t asn1_ctx;
10415 uint32_t key_len = 0;
10416
10417 identifier_type = tvb_get_uint8(tvb, offset);
10418
10419 // Use 0 as length for now as we'll only know the size when we decode the identifier
10420 trusted_key_item = proto_tree_add_none_format(subtree, hf->hf.hs_ext_trusted_ca_key, tvb,
10421 offset, 0, "Trusted CA Key");
10422 trusted_key_tree = proto_item_add_subtree(trusted_key_item, hf->ett.hs_ext_trusted_ca_key);
10423
10424 proto_tree_add_uint(trusted_key_tree, hf->hf.hs_ext_trusted_ca_key_type, tvb,
10425 offset, 1, identifier_type);
10426 offset++;
10427
10428 /*
10429 * enum {
10430 * pre_agreed(0), key_sha1_hash(1), x509_name(2),
10431 * cert_sha1_hash(3), (255)
10432 * } IdentifierType;
10433 */
10434 switch (identifier_type)
10435 {
10436 case 0:
10437 key_len = 0;
10438 break;
10439 case 2:
10440 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true1, pinfo);
10441
10442 uint32_t name_length;
10443 /* opaque DistinguishedName<1..2^16-1> */
10444 if (!ssl_add_vector(hf, tvb, pinfo, trusted_key_tree, offset, next_offset, &name_length,
10445 hf->hf.hs_ext_trusted_ca_key_dname_len, 1, UINT16_MAX(65535))) {
10446 return next_offset;
10447 }
10448 offset += 2;
10449
10450 dissect_x509if_DistinguishedName(false0, tvb, offset, &asn1_ctx,
10451 trusted_key_tree, hf->hf.hs_ext_trusted_ca_key_dname);
10452 offset += name_length;
10453 break;
10454 case 1:
10455 case 3:
10456 key_len = 20;
10457 /* opaque SHA1Hash[20]; */
10458 proto_tree_add_item(trusted_key_tree, hf->hf.hs_ext_trusted_ca_key_hash, tvb,
10459 offset, 20, ENC_NA0x00000000);
10460 break;
10461
10462 default:
10463 key_len = 0;
10464 /*TODO display expert info about unknown ? */
10465 break;
10466 }
10467 proto_item_set_len(trusted_key_item, 1 + key_len);
10468 offset += key_len;
10469 }
10470 }
10471
10472 if (!ssl_end_vector(hf, tvb, pinfo, tree, offset, next_offset))
10473 {
10474 offset = next_offset;
10475 }
10476
10477 return offset;
10478} /* }}} */
10479
10480
10481/* Whether the Content and Handshake Types are valid; handle Protocol Version. {{{ */
10482bool_Bool
10483ssl_is_valid_content_type(uint8_t type)
10484{
10485 switch ((ContentType) type) {
10486 case SSL_ID_CHG_CIPHER_SPEC:
10487 case SSL_ID_ALERT:
10488 case SSL_ID_HANDSHAKE:
10489 case SSL_ID_APP_DATA:
10490 case SSL_ID_HEARTBEAT:
10491 case SSL_ID_TLS12_CID:
10492 case SSL_ID_DTLS13_ACK:
10493 return true1;
10494 }
10495 return false0;
10496}
10497
10498bool_Bool
10499ssl_is_valid_handshake_type(uint8_t hs_type, bool_Bool is_dtls)
10500{
10501 switch ((HandshakeType) hs_type) {
10502 case SSL_HND_HELLO_VERIFY_REQUEST:
10503 /* hello_verify_request is DTLS-only */
10504 return is_dtls;
10505
10506 case SSL_HND_HELLO_REQUEST:
10507 case SSL_HND_CLIENT_HELLO:
10508 case SSL_HND_SERVER_HELLO:
10509 case SSL_HND_NEWSESSION_TICKET:
10510 case SSL_HND_END_OF_EARLY_DATA:
10511 case SSL_HND_HELLO_RETRY_REQUEST:
10512 case SSL_HND_ENCRYPTED_EXTENSIONS:
10513 case SSL_HND_CERTIFICATE:
10514 case SSL_HND_SERVER_KEY_EXCHG:
10515 case SSL_HND_CERT_REQUEST:
10516 case SSL_HND_SVR_HELLO_DONE:
10517 case SSL_HND_CERT_VERIFY:
10518 case SSL_HND_CLIENT_KEY_EXCHG:
10519 case SSL_HND_FINISHED:
10520 case SSL_HND_CERT_URL:
10521 case SSL_HND_CERT_STATUS:
10522 case SSL_HND_SUPPLEMENTAL_DATA:
10523 case SSL_HND_KEY_UPDATE:
10524 case SSL_HND_COMPRESSED_CERTIFICATE:
10525 case SSL_HND_ENCRYPTED_EXTS:
10526 return true1;
10527 case SSL_HND_MESSAGE_HASH:
10528 return false0;
10529 }
10530 return false0;
10531}
10532
10533static bool_Bool
10534ssl_is_authoritative_version_message(uint8_t content_type, uint8_t handshake_type,
10535 bool_Bool is_dtls)
10536{
10537 /* Consider all valid Handshake messages (except for Client Hello) and
10538 * all other valid record types (other than Handshake) */
10539 return (content_type == SSL_ID_HANDSHAKE &&
10540 ssl_is_valid_handshake_type(handshake_type, is_dtls) &&
10541 handshake_type != SSL_HND_CLIENT_HELLO) ||
10542 (content_type != SSL_ID_HANDSHAKE &&
10543 ssl_is_valid_content_type(content_type));
10544}
10545
10546/**
10547 * Scan a Server Hello handshake message for the negotiated version. For TLS 1.3
10548 * draft 22 and newer, it also checks whether it is a HelloRetryRequest.
10549 * Returns true if the supported_versions extension was found, false if not.
10550 */
10551bool_Bool
10552tls_scan_server_hello(tvbuff_t *tvb, uint32_t offset, uint32_t offset_end,
10553 uint16_t *server_version, bool_Bool *is_hrr)
10554{
10555 /* SHA256("HelloRetryRequest") */
10556 static const uint8_t tls13_hrr_random_magic[] = {
10557 0xcf, 0x21, 0xad, 0x74, 0xe5, 0x9a, 0x61, 0x11, 0xbe, 0x1d, 0x8c, 0x02, 0x1e, 0x65, 0xb8, 0x91,
10558 0xc2, 0xa2, 0x11, 0x16, 0x7a, 0xbb, 0x8c, 0x5e, 0x07, 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c
10559 };
10560 uint8_t session_id_length;
10561
10562 *server_version = tvb_get_ntohs(tvb, offset);
10563
10564 /*
10565 * Try to look for supported_versions extension. Minimum length:
10566 * 2 + 32 + 1 = 35 (version, random, session id length)
10567 * 2 + 1 + 2 = 5 (cipher suite, compression method, extensions length)
10568 * 2 + 2 + 2 = 6 (ext type, ext len, version)
10569 *
10570 * We only check for the [legacy_]version field to be [D]TLS 1.2; if it's 1.3,
10571 * there's a separate expert info warning for that.
10572 */
10573 if ((*server_version == TLSV1DOT2_VERSION0x303 || *server_version == DTLSV1DOT2_VERSION0xfefd) && offset_end - offset >= 46) {
10574 offset += 2;
10575 if (is_hrr) {
10576 *is_hrr = tvb_memeql(tvb, offset, tls13_hrr_random_magic, sizeof(tls13_hrr_random_magic)) == 0;
10577 }
10578 offset += 32;
10579 session_id_length = tvb_get_uint8(tvb, offset);
10580 offset++;
10581 if (offset_end - offset < session_id_length + 5u) {
10582 return false0;
10583 }
10584 offset += session_id_length + 5;
10585
10586 while (offset_end - offset >= 6) {
10587 uint16_t ext_type = tvb_get_ntohs(tvb, offset);
10588 uint16_t ext_len = tvb_get_ntohs(tvb, offset + 2);
10589 if (offset_end - offset < 4u + ext_len) {
10590 break; /* not enough data for type, length and data */
10591 }
10592 if (ext_type == SSL_HND_HELLO_EXT_SUPPORTED_VERSIONS43) {
10593 if (ext_len == 2) {
10594 *server_version = tvb_get_ntohs(tvb, offset + 4);
10595 }
10596 return true1;
10597 }
10598 offset += 4 + ext_len;
10599 }
10600 } else {
10601 if (is_hrr) {
10602 *is_hrr = false0;
10603 }
10604 }
10605 return false0;
10606}
10607
10608/**
10609 * Scan a Client Hello handshake message to see if the supported_versions
10610 * extension is found, in which case the version field is legacy_version.
10611 */
10612static bool_Bool
10613tls_scan_client_hello(tvbuff_t *tvb, uint32_t offset, uint32_t offset_end)
10614{
10615 uint8_t session_id_length;
10616
10617 uint16_t client_version = tvb_get_ntohs(tvb, offset);
10618
10619 /*
10620 * Try to look for supported_versions extension. Minimum length:
10621 * 2 + 32 + 1 = 35 (version, random, session id length)
10622 * 2 + 2 + 1 + 2 = 5 (cipher suite, compression method, extensions length)
10623 * 2 + 2 + 2 = 6 (ext type, ext len, version)
10624 *
10625 * We only check for the [legacy_]version field to be [D]TLS 1.2; if it's 1.3,
10626 * there's a separate expert info warning for that.
10627 */
10628 if ((client_version == TLSV1DOT2_VERSION0x303 || client_version == DTLSV1DOT2_VERSION0xfefd) && offset_end - offset >= 46) {
10629 offset += 2;
10630 offset += 32;
10631 session_id_length = tvb_get_uint8(tvb, offset);
10632 offset++;
10633 if (offset_end - offset < session_id_length + 2u) {
10634 return false0;
10635 }
10636 offset += session_id_length;
10637 if (client_version == DTLSV1DOT2_VERSION0xfefd) {
10638 uint8_t cookie_length = tvb_get_uint8(tvb, offset);
10639 offset++;
10640 if (offset_end - offset < cookie_length + 2u) {
10641 return false0;
10642 }
10643 }
10644 uint16_t cipher_suites_length = tvb_get_ntohs(tvb, offset);
10645 offset += 2;
10646 if (offset_end - offset < cipher_suites_length + 1u) {
10647 return false0;
10648 }
10649 offset += cipher_suites_length;
10650 uint8_t compression_methods_length = tvb_get_uint8(tvb, offset);
10651 offset++;
10652 if (offset_end - offset < compression_methods_length + 2u) {
10653 return false0;
10654 }
10655 offset += compression_methods_length + 2;
10656
10657 while (offset_end - offset >= 6) {
10658 uint16_t ext_type = tvb_get_ntohs(tvb, offset);
10659 uint16_t ext_len = tvb_get_ntohs(tvb, offset + 2);
10660 if (offset_end - offset < 4u + ext_len) {
10661 break; /* not enough data for type, length and data */
10662 }
10663 if (ext_type == SSL_HND_HELLO_EXT_SUPPORTED_VERSIONS43) {
10664 return true1;
10665 }
10666 offset += 4 + ext_len;
10667 }
10668 }
10669 return false0;
10670}
10671void
10672ssl_try_set_version(SslSession *session, SslDecryptSession *ssl,
10673 uint8_t content_type, uint8_t handshake_type,
10674 bool_Bool is_dtls, uint16_t version)
10675{
10676 uint8_t tls13_draft = 0;
10677
10678 if (!ssl_is_authoritative_version_message(content_type, handshake_type,
10679 is_dtls))
10680 return;
10681
10682 version = tls_try_get_version(is_dtls, version, &tls13_draft);
10683 if (version == SSL_VER_UNKNOWN0) {
10684 return;
10685 }
10686
10687 session->tls13_draft_version = tls13_draft;
10688 session->version = version;
10689 if (ssl) {
10690 ssl->state |= SSL_VERSION(1<<4);
10691 ssl_debug_printf("%s found version 0x%04X -> state 0x%02X\n", G_STRFUNC((const char*) (__func__)), version, ssl->state);
10692 }
10693}
10694
10695void
10696ssl_check_record_length(ssl_common_dissect_t *hf, packet_info *pinfo,
10697 ContentType content_type,
10698 unsigned record_length, proto_item *length_pi,
10699 uint16_t version, tvbuff_t *decrypted_tvb)
10700{
10701 unsigned max_expansion;
10702 if (version == TLSV1DOT3_VERSION0x304) {
10703 /* TLS 1.3: Max length is 2^14 + 256 */
10704 max_expansion = 256;
10705 } else {
10706 /* RFC 5246, Section 6.2.3: TLSCiphertext.fragment length MUST NOT exceed 2^14 + 2048 */
10707 max_expansion = 2048;
10708 }
10709 /*
10710 * RFC 5246 (TLS 1.2), Section 6.2.1 forbids zero-length Handshake, Alert
10711 * and ChangeCipherSpec.
10712 * RFC 6520 (Heartbeats) does not mention zero-length Heartbeat fragments,
10713 * so assume it is permitted.
10714 * RFC 6347 (DTLS 1.2) does not mention zero-length fragments either, so
10715 * assume TLS 1.2 requirements.
10716 */
10717 if (record_length == 0 &&
10718 (content_type == SSL_ID_CHG_CIPHER_SPEC ||
10719 content_type == SSL_ID_ALERT ||
10720 content_type == SSL_ID_HANDSHAKE)) {
10721 expert_add_info_format(pinfo, length_pi, &hf->ei.record_length_invalid,
10722 "Zero-length %s fragments are not allowed",
10723 val_to_str_const(content_type, ssl_31_content_type, "unknown"));
10724 }
10725 if (record_length > TLS_MAX_RECORD_LENGTH0x4000 + max_expansion) {
10726 expert_add_info_format(pinfo, length_pi, &hf->ei.record_length_invalid,
10727 "TLSCiphertext length MUST NOT exceed 2^14 + %u", max_expansion);
10728 }
10729 if (decrypted_tvb && tvb_captured_length(decrypted_tvb) > TLS_MAX_RECORD_LENGTH0x4000) {
10730 expert_add_info_format(pinfo, length_pi, &hf->ei.record_length_invalid,
10731 "TLSPlaintext length MUST NOT exceed 2^14");
10732 }
10733}
10734
10735static void
10736ssl_set_cipher(SslDecryptSession *ssl, uint16_t cipher)
10737{
10738 /* store selected cipher suite for decryption */
10739 ssl->session.cipher = cipher;
10740
10741 const SslCipherSuite *cs = ssl_find_cipher(cipher);
10742 if (!cs) {
10743 ssl->cipher_suite = NULL((void*)0);
10744 ssl->state &= ~SSL_CIPHER(1<<2);
10745 ssl_debug_printf("%s can't find cipher suite 0x%04X\n", G_STRFUNC((const char*) (__func__)), cipher);
10746 } else if (ssl->session.version == SSLV3_VERSION0x300 && !(cs->dig == DIG_MD50x40 || cs->dig == DIG_SHA0x41)) {
10747 /* A malicious packet capture contains a SSL 3.0 session using a TLS 1.2
10748 * cipher suite that uses for example MACAlgorithm SHA256. Reject that
10749 * to avoid a potential buffer overflow in ssl3_check_mac. */
10750 ssl->cipher_suite = NULL((void*)0);
10751 ssl->state &= ~SSL_CIPHER(1<<2);
10752 ssl_debug_printf("%s invalid SSL 3.0 cipher suite 0x%04X\n", G_STRFUNC((const char*) (__func__)), cipher);
10753 } else {
10754 /* Cipher found, save this for the delayed decoder init */
10755 ssl->cipher_suite = cs;
10756 ssl->state |= SSL_CIPHER(1<<2);
10757 ssl_debug_printf("%s found CIPHER 0x%04X %s -> state 0x%02X\n", G_STRFUNC((const char*) (__func__)), cipher,
10758 val_to_str_ext_const(cipher, &ssl_31_ciphersuite_ext, "unknown"),
10759 ssl->state);
10760 }
10761}
10762/* }}} */
10763
10764
10765/* Client Hello and Server Hello dissections. {{{ */
10766static int
10767ssl_dissect_hnd_extension(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree,
10768 packet_info* pinfo, uint32_t offset, uint32_t offset_end, uint8_t hnd_type,
10769 SslSession *session, SslDecryptSession *ssl,
10770 bool_Bool is_dtls, wmem_strbuf_t *ja3, ja4_data_t *ja4_data,
10771 ssl_master_key_map_t *mk_map);
10772int
10773// NOLINTNEXTLINE(misc-no-recursion)
10774ssl_dissect_hnd_cli_hello(ssl_common_dissect_t *hf, tvbuff_t *tvb,
10775 packet_info *pinfo, proto_tree *tree, uint32_t offset,
10776 uint32_t offset_end, SslSession *session,
10777 SslDecryptSession *ssl, dtls_hfs_t *dtls_hfs, ssl_master_key_map_t *mk_map)
10778{
10779 /* struct {
10780 * ProtocolVersion client_version;
10781 * Random random;
10782 * SessionID session_id;
10783 * opaque cookie<0..32>; //new field for DTLS
10784 * CipherSuite cipher_suites<2..2^16-1>;
10785 * CompressionMethod compression_methods<1..2^8-1>;
10786 * Extension client_hello_extension_list<0..2^16-1>;
10787 * } ClientHello;
10788 */
10789 proto_item *ti;
10790 proto_tree *cs_tree;
10791 uint32_t client_version;
10792 uint32_t cipher_suite_length;
10793 uint32_t compression_methods_length;
10794 uint8_t compression_method;
10795 uint32_t next_offset;
10796 uint32_t initial_offset = offset;
10797 wmem_strbuf_t *ja3 = wmem_strbuf_new(pinfo->pool, "");
10798 char *ja3_hash;
10799 char *ja3_dash = "";
10800 char *ja4, *ja4_r, *ja4_hash, *ja4_b, *ja4_c;
10801 ja4_data_t ja4_data;
10802 wmem_strbuf_t *ja4_a = wmem_strbuf_new(pinfo->pool, "");
10803 wmem_strbuf_t *ja4_br = wmem_strbuf_new(pinfo->pool, "");
10804 wmem_strbuf_t *ja4_cr = wmem_strbuf_new(pinfo->pool, "");
10805 wmem_list_frame_t *curr_entry;
10806
10807 DISSECTOR_ASSERT_CMPINT(initial_offset, <=, offset_end)((void) ((initial_offset <= offset_end) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion " "initial_offset" " " "<=" " " "offset_end"
" (" "%" "l" "d" " " "<=" " " "%" "l" "d" ")", "epan/dissectors/packet-tls-utils.c"
, 10807, (int64_t)initial_offset, (int64_t)offset_end))));
10808 tvbuff_t *hello_tvb = tvb_new_subset_length(tvb, initial_offset, offset_end - initial_offset);
10809 offset = 0;
10810 offset_end = tvb_reported_length(hello_tvb);
10811
10812 ja4_data.max_version = 0;
10813 ja4_data.server_name_present = false0;
10814 ja4_data.num_cipher_suites = 0;
10815 ja4_data.num_extensions = 0;
10816 ja4_data.alpn = wmem_strbuf_new(pinfo->pool, "");
10817 ja4_data.cipher_list = wmem_list_new(pinfo->pool);
10818 ja4_data.extension_list = wmem_list_new(pinfo->pool);
10819 ja4_data.sighash_list = wmem_list_new(pinfo->pool);
10820
10821 /* show the client version */
10822 ti = proto_tree_add_item_ret_uint(tree, hf->hf.hs_client_version, hello_tvb,
10823 offset, 2, ENC_BIG_ENDIAN0x00000000,
10824 &client_version);
10825 if (tls_scan_client_hello(hello_tvb, offset, offset_end)) {
10826 expert_add_info(pinfo, ti, &hf->ei.legacy_version);
10827 }
10828 offset += 2;
10829 wmem_strbuf_append_printf(ja3, "%i,", client_version);
10830
10831 /*
10832 * Is it version 1.3?
10833 * If so, that's an error; TLS and DTLS 1.3 Client Hellos claim
10834 * to be TLS 1.2, and mention 1.3 in an extension. See RFC 8446
10835 * section 4.1.2 "Client Hello" and RFC 9147 Section 5.3 "Client
10836 * Hello".
10837 */
10838 if (dtls_hfs != NULL((void*)0)) {
10839 if (client_version == DTLSV1DOT3_VERSION0xfefc) {
10840 /* Don't do that. */
10841 expert_add_info(pinfo, ti, &hf->ei.client_version_error);
10842 }
10843 } else {
10844 if (client_version == TLSV1DOT3_VERSION0x304) {
10845 /* Don't do that. */
10846 expert_add_info(pinfo, ti, &hf->ei.client_version_error);
10847 }
10848 }
10849
10850 /* dissect fields that are present in both ClientHello and ServerHello */
10851 offset = ssl_dissect_hnd_hello_common(hf, hello_tvb, pinfo, tree, offset, session, ssl, false0, false0);
10852
10853 /* fields specific for DTLS (cookie_len, cookie) */
10854 if (dtls_hfs != NULL((void*)0)) {
10855 uint32_t cookie_length;
10856 /* opaque cookie<0..32> (for DTLS only) */
10857 if (!ssl_add_vector(hf, hello_tvb, pinfo, tree, offset, offset_end, &cookie_length,
10858 dtls_hfs->hf_dtls_handshake_cookie_len, 0, 32)) {
10859 return offset;
10860 }
10861 offset++;
10862 if (cookie_length > 0) {
10863 proto_tree_add_item(tree, dtls_hfs->hf_dtls_handshake_cookie,
10864 hello_tvb, offset, cookie_length, ENC_NA0x00000000);
10865 offset += cookie_length;
10866 }
10867 }
10868
10869 /* CipherSuite cipher_suites<2..2^16-1> */
10870 if (!ssl_add_vector(hf, hello_tvb, pinfo, tree, offset, offset_end, &cipher_suite_length,
10871 hf->hf.hs_cipher_suites_len, 2, UINT16_MAX(65535))) {
10872 return offset;
10873 }
10874 offset += 2;
10875 next_offset = offset + cipher_suite_length;
10876 ti = proto_tree_add_none_format(tree,
10877 hf->hf.hs_cipher_suites,
10878 hello_tvb, offset, cipher_suite_length,
10879 "Cipher Suites (%d suite%s)",
10880 cipher_suite_length / 2,
10881 plurality(cipher_suite_length/2, "", "s")((cipher_suite_length/2) == 1 ? ("") : ("s")));
10882 cs_tree = proto_item_add_subtree(ti, hf->ett.cipher_suites);
10883 while (offset + 2 <= next_offset) {
10884 uint32_t cipher_suite;
10885
10886 proto_tree_add_item_ret_uint(cs_tree, hf->hf.hs_cipher_suite, hello_tvb, offset, 2,
10887 ENC_BIG_ENDIAN0x00000000, &cipher_suite);
10888 offset += 2;
10889 if (!IS_GREASE_TLS(cipher_suite)((((cipher_suite) & 0x0f0f) == 0x0a0a) && (((cipher_suite
) & 0xff) == (((cipher_suite)>>8) & 0xff)))) {
10890 wmem_strbuf_append_printf(ja3, "%s%i",ja3_dash, cipher_suite);
10891 ja3_dash = "-";
10892 ja4_data.num_cipher_suites += 1;
10893 wmem_list_insert_sorted(ja4_data.cipher_list, GUINT_TO_POINTER(cipher_suite)((gpointer) (gulong) (cipher_suite)), wmem_compare_uint);
10894 }
10895 }
10896 wmem_strbuf_append_c(ja3, ',');
10897 if (!ssl_end_vector(hf, hello_tvb, pinfo, cs_tree, offset, next_offset)) {
10898 offset = next_offset;
10899 }
10900
10901 /* CompressionMethod compression_methods<1..2^8-1> */
10902 if (!ssl_add_vector(hf, hello_tvb, pinfo, tree, offset, offset_end, &compression_methods_length,
10903 hf->hf.hs_comp_methods_len, 1, UINT8_MAX(255))) {
10904 return offset;
10905 }
10906 offset++;
10907 next_offset = offset + compression_methods_length;
10908 ti = proto_tree_add_none_format(tree,
10909 hf->hf.hs_comp_methods,
10910 hello_tvb, offset, compression_methods_length,
10911 "Compression Methods (%u method%s)",
10912 compression_methods_length,
10913 plurality(compression_methods_length,((compression_methods_length) == 1 ? ("") : ("s"))
10914 "", "s")((compression_methods_length) == 1 ? ("") : ("s")));
10915 cs_tree = proto_item_add_subtree(ti, hf->ett.comp_methods);
10916 while (offset < next_offset) {
10917 compression_method = tvb_get_uint8(hello_tvb, offset);
10918 /* TODO: make reserved/private comp meth. fields selectable */
10919 if (compression_method < 64)
10920 proto_tree_add_uint(cs_tree, hf->hf.hs_comp_method,
10921 hello_tvb, offset, 1, compression_method);
10922 else if (compression_method > 63 && compression_method < 193)
10923 proto_tree_add_uint_format_value(cs_tree, hf->hf.hs_comp_method, hello_tvb, offset, 1,
10924 compression_method, "Reserved - to be assigned by IANA (%u)",
10925 compression_method);
10926 else
10927 proto_tree_add_uint_format_value(cs_tree, hf->hf.hs_comp_method, hello_tvb, offset, 1,
10928 compression_method, "Private use range (%u)",
10929 compression_method);
10930 offset++;
10931 }
10932
10933 /* SSL v3.0 has no extensions, so length field can indeed be missing. */
10934 if (offset < offset_end) {
10935 offset = ssl_dissect_hnd_extension(hf, hello_tvb, tree, pinfo, offset,
10936 offset_end, SSL_HND_CLIENT_HELLO,
10937 session, ssl, dtls_hfs != NULL((void*)0), ja3, &ja4_data, mk_map);
10938 if (ja4_data.max_version > 0) {
10939 client_version = ja4_data.max_version;
10940 }
10941 } else {
10942 wmem_strbuf_append_printf(ja3, ",,");
10943 }
10944
10945 if (proto_is_frame_protocol(pinfo->layers,"tcp")) {
10946 wmem_strbuf_append(ja4_a, "t");
10947 } else if (proto_is_frame_protocol(pinfo->layers,"quic")) {
10948 wmem_strbuf_append(ja4_a, "q");
10949 } else if (proto_is_frame_protocol(pinfo->layers,"dtls")) {
10950 wmem_strbuf_append(ja4_a, "d");
10951 }
10952 wmem_strbuf_append_printf(ja4_a, "%s", val_to_str_const(client_version, ssl_version_ja4_names, "00"));
10953 wmem_strbuf_append_printf(ja4_a, "%s", ja4_data.server_name_present ? "d" : "i");
10954 if (ja4_data.num_cipher_suites > 99) {
10955 wmem_strbuf_append(ja4_a, "99");
10956 } else {
10957 wmem_strbuf_append_printf(ja4_a, "%02d", ja4_data.num_cipher_suites);
10958 }
10959 if (ja4_data.num_extensions > 99) {
10960 wmem_strbuf_append(ja4_a, "99");
10961 } else {
10962 wmem_strbuf_append_printf(ja4_a, "%02d", ja4_data.num_extensions);
10963 }
10964 if (wmem_strbuf_get_len(ja4_data.alpn) > 0 ) {
10965 wmem_strbuf_append_printf(ja4_a, "%s", wmem_strbuf_get_str(ja4_data.alpn));
10966 } else {
10967 wmem_strbuf_append(ja4_a, "00");
10968 }
10969
10970 curr_entry = wmem_list_head(ja4_data.cipher_list);
10971 for (unsigned i = 0; i < wmem_list_count(ja4_data.cipher_list); i++) {
10972 wmem_strbuf_append_printf(ja4_br, "%04x", GPOINTER_TO_UINT(wmem_list_frame_data(curr_entry))((guint) (gulong) (wmem_list_frame_data(curr_entry))));
10973 if (i < wmem_list_count(ja4_data.cipher_list) - 1) {
10974 wmem_strbuf_append(ja4_br, ",");
10975 }
10976 curr_entry = wmem_list_frame_next(curr_entry);
10977 }
10978
10979 curr_entry = wmem_list_head(ja4_data.extension_list);
10980 for (unsigned i = 0; i < wmem_list_count(ja4_data.extension_list); i++) {
10981 wmem_strbuf_append_printf(ja4_cr, "%04x", GPOINTER_TO_UINT(wmem_list_frame_data(curr_entry))((guint) (gulong) (wmem_list_frame_data(curr_entry))));
10982 if (i < wmem_list_count(ja4_data.extension_list) - 1) {
10983 wmem_strbuf_append(ja4_cr, ",");
10984 }
10985 curr_entry = wmem_list_frame_next(curr_entry);
10986 }
10987
10988 if (wmem_list_count(ja4_data.sighash_list) > 0) {
10989 wmem_strbuf_append(ja4_cr, "_");
10990 curr_entry = wmem_list_head(ja4_data.sighash_list);
10991 for (unsigned i = 0; i < wmem_list_count(ja4_data.sighash_list); i++) {
10992 wmem_strbuf_append_printf(ja4_cr, "%04x", GPOINTER_TO_UINT(wmem_list_frame_data(curr_entry))((guint) (gulong) (wmem_list_frame_data(curr_entry))));
10993 if (i < wmem_list_count(ja4_data.sighash_list) - 1) {
10994 wmem_strbuf_append(ja4_cr, ",");
10995 }
10996 curr_entry = wmem_list_frame_next(curr_entry);
10997 }
10998 }
10999 if ( wmem_strbuf_get_len(ja4_br) == 0 ) {
11000 ja4_hash = g_strdup("000000000000")g_strdup_inline ("000000000000");
11001 } else {
11002 ja4_hash = g_compute_checksum_for_string(G_CHECKSUM_SHA256, wmem_strbuf_get_str(ja4_br),-1);
11003 }
11004 ja4_b = wmem_strndup(pinfo->pool, ja4_hash, 12);
11005
11006 g_free(ja4_hash);
11007 if ( wmem_strbuf_get_len(ja4_cr) == 0 ) {
11008 ja4_hash = g_strdup("000000000000")g_strdup_inline ("000000000000");
11009 } else {
11010 ja4_hash = g_compute_checksum_for_string(G_CHECKSUM_SHA256, wmem_strbuf_get_str(ja4_cr),-1);
11011 }
11012 ja4_c = wmem_strndup(pinfo->pool, ja4_hash, 12);
11013 g_free(ja4_hash);
11014
11015 ja4 = wmem_strdup_printf(pinfo->pool, "%s_%s_%s", wmem_strbuf_get_str(ja4_a), ja4_b, ja4_c);
11016 ja4_r = wmem_strdup_printf(pinfo->pool, "%s_%s_%s", wmem_strbuf_get_str(ja4_a), wmem_strbuf_get_str(ja4_br), wmem_strbuf_get_str(ja4_cr));
11017
11018 ti = proto_tree_add_string(tree, hf->hf.hs_ja4, hello_tvb, offset, 0, ja4);
11019 proto_item_set_generated(ti);
11020 ti = proto_tree_add_string(tree, hf->hf.hs_ja4_r, hello_tvb, offset, 0, ja4_r);
11021 proto_item_set_generated(ti);
11022
11023 ja3_hash = g_compute_checksum_for_string(G_CHECKSUM_MD5, wmem_strbuf_get_str(ja3),
11024 wmem_strbuf_get_len(ja3));
11025 ti = proto_tree_add_string(tree, hf->hf.hs_ja3_full, hello_tvb, offset, 0, wmem_strbuf_get_str(ja3));
11026 proto_item_set_generated(ti);
11027 ti = proto_tree_add_string(tree, hf->hf.hs_ja3_hash, hello_tvb, offset, 0, ja3_hash);
11028 proto_item_set_generated(ti);
11029 g_free(ja3_hash);
11030 return initial_offset + offset;
11031}
11032
11033void
11034ssl_dissect_hnd_srv_hello(ssl_common_dissect_t *hf, tvbuff_t *tvb,
11035 packet_info* pinfo, proto_tree *tree, uint32_t offset, uint32_t offset_end,
11036 SslSession *session, SslDecryptSession *ssl,
11037 bool_Bool is_dtls, bool_Bool is_hrr)
11038{
11039 /* struct {
11040 * ProtocolVersion server_version;
11041 * Random random;
11042 * SessionID session_id; // TLS 1.2 and before
11043 * CipherSuite cipher_suite;
11044 * CompressionMethod compression_method; // TLS 1.2 and before
11045 * Extension server_hello_extension_list<0..2^16-1>;
11046 * } ServerHello;
11047 */
11048 uint8_t draft_version = session->tls13_draft_version;
11049 proto_item *ti;
11050 uint32_t server_version;
11051 uint32_t cipher_suite;
11052 uint32_t initial_offset = offset;
11053 wmem_strbuf_t *ja3 = wmem_strbuf_new(pinfo->pool, "");
11054 char *ja3_hash;
11055
11056 col_set_str(pinfo->cinfo, COL_PROTOCOL,
11057 val_to_str_const(session->version, ssl_version_short_names, "SSL"));
11058
11059 /* Initially assume that the session is resumed. If this is not the case, a
11060 * ServerHelloDone will be observed before the ChangeCipherSpec message
11061 * which will reset this flag. */
11062 session->is_session_resumed = true1;
11063
11064 /* show the server version */
11065 ti = proto_tree_add_item_ret_uint(tree, hf->hf.hs_server_version, tvb,
11066 offset, 2, ENC_BIG_ENDIAN0x00000000, &server_version);
11067
11068 uint16_t supported_server_version;
11069 if (tls_scan_server_hello(tvb, offset, offset_end, &supported_server_version, NULL((void*)0))) {
11070 expert_add_info(pinfo, ti, &hf->ei.legacy_version);
11071 }
11072 /*
11073 * Is it version 1.3?
11074 * If so, that's an error; TLS and DTLS 1.3 Server Hellos claim
11075 * to be TLS 1.2, and mention 1.3 in an extension. See RFC 8446
11076 * section 4.1.3 "Server Hello" and RFC 9147 Section 5.4 "Server
11077 * Hello".
11078 */
11079 if (is_dtls) {
11080 if (server_version == DTLSV1DOT3_VERSION0xfefc) {
11081 /* Don't do that. */
11082 expert_add_info(pinfo, ti, &hf->ei.server_version_error);
11083 }
11084 } else {
11085 if (server_version == TLSV1DOT3_VERSION0x304) {
11086 /* Don't do that. */
11087 expert_add_info(pinfo, ti, &hf->ei.server_version_error);
11088 }
11089 }
11090
11091 offset += 2;
11092 wmem_strbuf_append_printf(ja3, "%i", server_version);
11093
11094 /* dissect fields that are present in both ClientHello and ServerHello */
11095 offset = ssl_dissect_hnd_hello_common(hf, tvb, pinfo, tree, offset, session, ssl, true1, is_hrr);
11096
11097 if (ssl) {
11098 /* store selected cipher suite for decryption */
11099 ssl_set_cipher(ssl, tvb_get_ntohs(tvb, offset));
11100 }
11101
11102 /* now the server-selected cipher suite */
11103 proto_tree_add_item_ret_uint(tree, hf->hf.hs_cipher_suite,
11104 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &cipher_suite);
11105 offset += 2;
11106 wmem_strbuf_append_printf(ja3, ",%i,", cipher_suite);
11107
11108 /* No compression with TLS 1.3 before draft -22 */
11109 if (!(session->version == TLSV1DOT3_VERSION0x304 && draft_version > 0 && draft_version < 22)) {
11110 if (ssl) {
11111 /* store selected compression method for decryption */
11112 ssl->session.compression = tvb_get_uint8(tvb, offset);
11113 }
11114 /* and the server-selected compression method */
11115 proto_tree_add_item(tree, hf->hf.hs_comp_method,
11116 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
11117 offset++;
11118 }
11119
11120 /* SSL v3.0 has no extensions, so length field can indeed be missing. */
11121 if (offset < offset_end) {
11122 offset = ssl_dissect_hnd_extension(hf, tvb, tree, pinfo, offset,
11123 offset_end,
11124 is_hrr ? SSL_HND_HELLO_RETRY_REQUEST : SSL_HND_SERVER_HELLO,
11125 session, ssl, is_dtls, ja3, NULL((void*)0), NULL((void*)0));
11126 }
11127
11128 if (ssl && ssl->ech_transcript.data_len > 0 && (ssl->state & SSL_CIPHER(1<<2)) && ssl->client_random.data_len > 0) {
11129 int hash_algo = ssl_get_digest_by_name(ssl_cipher_suite_dig(ssl->cipher_suite)->name);
11130 if (hash_algo) {
11131 SSL_MDgcry_md_hd_t mc;
11132 unsigned char transcript_hash[DIGEST_MAX_SIZE48];
11133 unsigned char prk[DIGEST_MAX_SIZE48];
11134 unsigned char *ech_verify_out = NULL((void*)0);
11135 unsigned int len;
11136 ssl_md_init(&mc, hash_algo);
11137 ssl_md_update(&mc, ssl->ech_transcript.data, ssl->ech_transcript.data_len);
11138 if (is_hrr) {
11139 ssl_md_final(&mc, transcript_hash, &len);
11140 ssl_md_cleanup(&mc);
11141 wmem_free(wmem_file_scope(), ssl->ech_transcript.data);
11142 ssl->ech_transcript.data_len = 4 + len;
11143 ssl->ech_transcript.data = (unsigned char*)wmem_alloc(wmem_file_scope(), 4 + len + 4 + offset_end - initial_offset);
11144 ssl->ech_transcript.data[0] = SSL_HND_MESSAGE_HASH;
11145 ssl->ech_transcript.data[1] = 0;
11146 ssl->ech_transcript.data[2] = 0;
11147 ssl->ech_transcript.data[3] = len;
11148 memcpy(ssl->ech_transcript.data + 4, transcript_hash, len);
11149 ssl_md_init(&mc, hash_algo);
11150 ssl_md_update(&mc, ssl->ech_transcript.data, 4 + len);
11151 } else {
11152 ssl->ech_transcript.data = wmem_realloc(wmem_file_scope(), ssl->ech_transcript.data,
11153 ssl->ech_transcript.data_len + 4 + offset_end - initial_offset);
11154 }
11155 if (initial_offset > 4) {
11156 tvb_memcpy(tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len, initial_offset - 4,
11157 4 + offset_end - initial_offset);
11158 if (is_hrr)
11159 ssl_md_update(&mc, tvb_get_ptr(tvb, initial_offset-4, 38), 38);
11160 else
11161 ssl_md_update(&mc, tvb_get_ptr(tvb, initial_offset-4, 30), 30);
11162 } else {
11163 uint8_t prefix[4] = {SSL_HND_SERVER_HELLO, 0x00, 0x00, 0x00};
11164 prefix[2] = ((offset - initial_offset) >> 8);
11165 prefix[3] = (offset - initial_offset) & 0xff;
11166 memcpy(ssl->ech_transcript.data + ssl->ech_transcript.data_len, prefix, 4);
11167 tvb_memcpy(tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len + 4, initial_offset,
11168 offset_end - initial_offset);
11169 ssl_md_update(&mc, prefix, 4);
11170 if (is_hrr)
11171 ssl_md_update(&mc, tvb_get_ptr(tvb, initial_offset, 34), 34);
11172 else
11173 ssl_md_update(&mc, tvb_get_ptr(tvb, initial_offset, 26), 26);
11174 }
11175 ssl->ech_transcript.data_len += 4 + offset_end - initial_offset;
11176 uint8_t zeros[8] = { 0 };
11177 uint32_t confirmation_offset = initial_offset + 26;
11178 if (is_hrr) {
11179 uint32_t hrr_offset = initial_offset + 34;
11180 ssl_md_update(&mc, tvb_get_ptr(tvb, hrr_offset,
11181 tvb_get_uint8(tvb, hrr_offset) + 1), tvb_get_uint8(tvb, hrr_offset) + 1);
11182 hrr_offset += tvb_get_uint8(tvb, hrr_offset) + 1;
11183 ssl_md_update(&mc, tvb_get_ptr(tvb, hrr_offset, 3), 3);
11184 hrr_offset += 3;
11185 uint32_t extensions_end = hrr_offset + tvb_get_ntohs(tvb, hrr_offset) + 2;
11186 ssl_md_update(&mc, tvb_get_ptr(tvb, hrr_offset, 2), 2);
11187 hrr_offset += 2;
11188 while (extensions_end - hrr_offset >= 4) {
11189 if (tvb_get_ntohs(tvb, hrr_offset) == SSL_HND_HELLO_EXT_ENCRYPTED_CLIENT_HELLO65037 &&
11190 tvb_get_ntohs(tvb, hrr_offset + 2) == 8) {
11191 confirmation_offset = hrr_offset + 4;
11192 ssl_md_update(&mc, tvb_get_ptr(tvb, hrr_offset, 4), 4);
11193 ssl_md_update(&mc, zeros, 8);
11194 hrr_offset += 12;
11195 } else {
11196 ssl_md_update(&mc, tvb_get_ptr(tvb, hrr_offset, tvb_get_ntohs(tvb, hrr_offset + 2) + 4),
11197 tvb_get_ntohs(tvb, hrr_offset + 2) + 4);
11198 hrr_offset += tvb_get_ntohs(tvb, hrr_offset + 2) + 4;
11199 }
11200 }
11201 } else {
11202 ssl_md_update(&mc, zeros, 8);
11203 ssl_md_update(&mc, tvb_get_ptr(tvb, initial_offset + 34, offset - initial_offset - 34),
11204 offset - initial_offset - 34);
11205 }
11206 ssl_md_final(&mc, transcript_hash, &len);
11207 ssl_md_cleanup(&mc);
11208 hkdf_extract(hash_algo, NULL((void*)0), 0, ssl->client_random.data, 32, prk);
11209 StringInfo prk_string = {prk, len};
11210 if (tls13_hkdf_expand_label_context(hash_algo, &prk_string, tls13_hkdf_label_prefix(ssl),
11211 is_hrr ? "hrr ech accept confirmation" : "ech accept confirmation",
11212 transcript_hash, len, 8, &ech_verify_out)) {
11213 memcpy(is_hrr ? ssl->session.hrr_ech_confirmation : ssl->session.ech_confirmation, ech_verify_out, 8);
11214 if (tvb_memeql(tvb, confirmation_offset, ech_verify_out, 8) == -1) {
11215 if (is_hrr) {
11216 ssl->session.hrr_ech_declined = true1;
11217 ssl->session.first_ch_ech_frame = 0;
11218 }
11219 memcpy(ssl->client_random.data, ssl->session.client_random.data, ssl->session.client_random.data_len);
11220 ssl_print_data("Updated Client Random", ssl->client_random.data, 32);
11221 }
11222 wmem_free(NULL((void*)0), ech_verify_out);
11223 }
11224 ssl->session.ech = true1;
11225 }
11226 }
11227
11228 ja3_hash = g_compute_checksum_for_string(G_CHECKSUM_MD5, wmem_strbuf_get_str(ja3),
11229 wmem_strbuf_get_len(ja3));
11230 ti = proto_tree_add_string(tree, hf->hf.hs_ja3s_full, tvb, offset, 0, wmem_strbuf_get_str(ja3));
11231 proto_item_set_generated(ti);
11232 ti = proto_tree_add_string(tree, hf->hf.hs_ja3s_hash, tvb, offset, 0, ja3_hash);
11233 proto_item_set_generated(ti);
11234 g_free(ja3_hash);
11235}
11236/* Client Hello and Server Hello dissections. }}} */
11237
11238/* New Session Ticket dissection. {{{ */
11239void
11240ssl_dissect_hnd_new_ses_ticket(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
11241 proto_tree *tree, uint32_t offset, uint32_t offset_end,
11242 SslSession *session, SslDecryptSession *ssl,
11243 bool_Bool is_dtls, GHashTable *session_hash)
11244{
11245 /* https://tools.ietf.org/html/rfc5077#section-3.3 (TLS >= 1.0):
11246 * struct {
11247 * uint32 ticket_lifetime_hint;
11248 * opaque ticket<0..2^16-1>;
11249 * } NewSessionTicket;
11250 *
11251 * RFC 8446 Section 4.6.1 (TLS 1.3):
11252 * struct {
11253 * uint32 ticket_lifetime;
11254 * uint32 ticket_age_add;
11255 * opaque ticket_nonce<0..255>; // new in draft -21, updated in -22
11256 * opaque ticket<1..2^16-1>;
11257 * Extension extensions<0..2^16-2>;
11258 * } NewSessionTicket;
11259 */
11260 proto_tree *subtree;
11261 proto_item *subitem;
11262 uint32_t ticket_len;
11263 bool_Bool is_tls13 = session->version == TLSV1DOT3_VERSION0x304 || session->version == DTLSV1DOT3_VERSION0xfefc;
11264 unsigned char draft_version = session->tls13_draft_version;
11265 uint32_t lifetime_hint;
11266
11267 subtree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
11268 hf->ett.session_ticket, NULL((void*)0),
11269 "TLS Session Ticket");
11270
11271 /* ticket lifetime hint */
11272 subitem = proto_tree_add_item_ret_uint(subtree, hf->hf.hs_session_ticket_lifetime_hint,
11273 tvb, offset, 4, ENC_BIG_ENDIAN0x00000000, &lifetime_hint);
11274 offset += 4;
11275
11276 if (lifetime_hint >= 60) {
11277 char *time_str = unsigned_time_secs_to_str(pinfo->pool, lifetime_hint);
11278 proto_item_append_text(subitem, " (%s)", time_str);
11279 }
11280
11281 if (is_tls13) {
11282
11283 /* for TLS 1.3: ticket_age_add */
11284 proto_tree_add_item(subtree, hf->hf.hs_session_ticket_age_add,
11285 tvb, offset, 4, ENC_BIG_ENDIAN0x00000000);
11286 offset += 4;
11287
11288 /* for TLS 1.3: ticket_nonce (coming with Draft 21)*/
11289 if (draft_version == 0 || draft_version >= 21) {
11290 uint32_t ticket_nonce_len;
11291
11292 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, offset_end, &ticket_nonce_len,
11293 hf->hf.hs_session_ticket_nonce_len, 0, 255)) {
11294 return;
11295 }
11296 offset++;
11297
11298 proto_tree_add_item(subtree, hf->hf.hs_session_ticket_nonce, tvb, offset, ticket_nonce_len, ENC_NA0x00000000);
11299 offset += ticket_nonce_len;
11300 }
11301
11302 }
11303
11304 /* opaque ticket<0..2^16-1> (with TLS 1.3 the minimum is 1) */
11305 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, offset_end, &ticket_len,
11306 hf->hf.hs_session_ticket_len, is_tls13 ? 1 : 0, UINT16_MAX(65535))) {
11307 return;
11308 }
11309 offset += 2;
11310
11311 /* Content depends on implementation, so just show data! */
11312 proto_tree_add_item(subtree, hf->hf.hs_session_ticket,
11313 tvb, offset, ticket_len, ENC_NA0x00000000);
11314 /* save the session ticket to cache for ssl_finalize_decryption */
11315 if (ssl && !is_tls13) {
11316 if (ssl->session.is_session_resumed) {
11317 /* NewSessionTicket is received in ServerHello before ChangeCipherSpec
11318 * (Abbreviated Handshake Using New Session Ticket).
11319 * Restore the master key for this session ticket before saving
11320 * it to the new session ticket. */
11321 ssl_restore_master_key(ssl, "Session Ticket", false0,
11322 session_hash, &ssl->session_ticket);
11323 }
11324 tvb_ensure_bytes_exist(tvb, offset, ticket_len);
11325 ssl->session_ticket.data = (unsigned char*)wmem_realloc(wmem_file_scope(),
11326 ssl->session_ticket.data, ticket_len);
11327 ssl->session_ticket.data_len = ticket_len;
11328 tvb_memcpy(tvb, ssl->session_ticket.data, offset, ticket_len);
11329 /* NewSessionTicket is received after the first (client)
11330 * ChangeCipherSpec, and before the second (server) ChangeCipherSpec.
11331 * Since the second CCS has already the session key available it will
11332 * just return. To ensure that the session ticket is mapped to a
11333 * master key (from the first CCS), save the ticket here too. */
11334 ssl_save_master_key("Session Ticket", session_hash,
11335 &ssl->session_ticket, &ssl->master_secret);
11336 ssl->state |= SSL_NEW_SESSION_TICKET(1<<10);
11337 }
11338 offset += ticket_len;
11339
11340 if (is_tls13) {
11341 ssl_dissect_hnd_extension(hf, tvb, subtree, pinfo, offset,
11342 offset_end, SSL_HND_NEWSESSION_TICKET,
11343 session, ssl, is_dtls, NULL((void*)0), NULL((void*)0), NULL((void*)0));
11344 }
11345} /* }}} */
11346
11347void
11348ssl_dissect_hnd_hello_retry_request(ssl_common_dissect_t *hf, tvbuff_t *tvb,
11349 packet_info* pinfo, proto_tree *tree, uint32_t offset, uint32_t offset_end,
11350 SslSession *session, SslDecryptSession *ssl,
11351 bool_Bool is_dtls)
11352{
11353 /* https://tools.ietf.org/html/draft-ietf-tls-tls13-19#section-4.1.4
11354 * struct {
11355 * ProtocolVersion server_version;
11356 * CipherSuite cipher_suite; // not before draft -19
11357 * Extension extensions<2..2^16-1>;
11358 * } HelloRetryRequest;
11359 * Note: no longer used since draft -22
11360 */
11361 uint32_t version;
11362 uint8_t draft_version;
11363
11364 proto_tree_add_item_ret_uint(tree, hf->hf.hs_server_version, tvb,
11365 offset, 2, ENC_BIG_ENDIAN0x00000000, &version);
11366 draft_version = extract_tls13_draft_version(version);
11367 offset += 2;
11368
11369 if (draft_version == 0 || draft_version >= 19) {
11370 proto_tree_add_item(tree, hf->hf.hs_cipher_suite,
11371 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
11372 offset += 2;
11373 }
11374
11375 ssl_dissect_hnd_extension(hf, tvb, tree, pinfo, offset,
11376 offset_end, SSL_HND_HELLO_RETRY_REQUEST,
11377 session, ssl, is_dtls, NULL((void*)0), NULL((void*)0), NULL((void*)0));
11378}
11379
11380void
11381ssl_dissect_hnd_encrypted_extensions(ssl_common_dissect_t *hf, tvbuff_t *tvb,
11382 packet_info* pinfo, proto_tree *tree, uint32_t offset, uint32_t offset_end,
11383 SslSession *session, SslDecryptSession *ssl,
11384 bool_Bool is_dtls)
11385{
11386 /* RFC 8446 Section 4.3.1
11387 * struct {
11388 * Extension extensions<0..2^16-1>;
11389 * } EncryptedExtensions;
11390 */
11391 ssl_dissect_hnd_extension(hf, tvb, tree, pinfo, offset,
11392 offset_end, SSL_HND_ENCRYPTED_EXTENSIONS,
11393 session, ssl, is_dtls, NULL((void*)0), NULL((void*)0), NULL((void*)0));
11394}
11395
11396/* Certificate and Certificate Request dissections. {{{ */
11397void
11398ssl_dissect_hnd_cert(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree,
11399 uint32_t offset, uint32_t offset_end, packet_info *pinfo,
11400 SslSession *session, SslDecryptSession *ssl _U___attribute__((unused)),
11401 bool_Bool is_from_server, bool_Bool is_dtls)
11402{
11403 /* opaque ASN.1Cert<1..2^24-1>;
11404 *
11405 * Before RFC 8446 (TLS <= 1.2):
11406 * struct {
11407 * select(certificate_type) {
11408 *
11409 * // certificate type defined in RFC 7250
11410 * case RawPublicKey:
11411 * opaque ASN.1_subjectPublicKeyInfo<1..2^24-1>;
11412 *
11413 * // X.509 certificate defined in RFC 5246
11414 * case X.509:
11415 * ASN.1Cert certificate_list<0..2^24-1>;
11416 * };
11417 * } Certificate;
11418 *
11419 * RFC 8446 (since draft -20):
11420 * struct {
11421 * select(certificate_type){
11422 * case RawPublicKey:
11423 * // From RFC 7250 ASN.1_subjectPublicKeyInfo
11424 * opaque ASN1_subjectPublicKeyInfo<1..2^24-1>;
11425 *
11426 * case X.509:
11427 * opaque cert_data<1..2^24-1>;
11428 * }
11429 * Extension extensions<0..2^16-1>;
11430 * } CertificateEntry;
11431 * struct {
11432 * opaque certificate_request_context<0..2^8-1>;
11433 * CertificateEntry certificate_list<0..2^24-1>;
11434 * } Certificate;
11435 */
11436 enum { CERT_X509, CERT_RPK } cert_type;
11437 asn1_ctx_t asn1_ctx;
11438#if defined(HAVE_LIBGNUTLS1)
11439 gnutls_datum_t subjectPublicKeyInfo = { NULL((void*)0), 0 };
11440 unsigned certificate_index = 0;
11441#endif
11442 uint32_t next_offset, certificate_list_length, cert_length;
11443 proto_tree *subtree = tree;
11444
11445 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true1, pinfo);
11446
11447 if ((is_from_server && session->server_cert_type == SSL_HND_CERT_TYPE_RAW_PUBLIC_KEY2) ||
11448 (!is_from_server && session->client_cert_type == SSL_HND_CERT_TYPE_RAW_PUBLIC_KEY2)) {
11449 cert_type = CERT_RPK;
11450 } else {
11451 cert_type = CERT_X509;
11452 }
11453
11454#if defined(HAVE_LIBGNUTLS1)
11455 /* Ask the pkcs1 dissector to return the public key details */
11456 if (ssl)
11457 asn1_ctx.private_data = &subjectPublicKeyInfo;
11458#endif
11459
11460 /* TLS 1.3: opaque certificate_request_context<0..2^8-1> */
11461 if (session->version == TLSV1DOT3_VERSION0x304 || session->version == DTLSV1DOT3_VERSION0xfefc) {
11462 uint32_t context_length;
11463 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &context_length,
11464 hf->hf.hs_certificate_request_context_length, 0, UINT8_MAX(255))) {
11465 return;
11466 }
11467 offset++;
11468 if (context_length > 0) {
11469 proto_tree_add_item(tree, hf->hf.hs_certificate_request_context,
11470 tvb, offset, context_length, ENC_NA0x00000000);
11471 offset += context_length;
11472 }
11473 }
11474
11475 if ((session->version != TLSV1DOT3_VERSION0x304 && session->version != DTLSV1DOT3_VERSION0xfefc) && cert_type == CERT_RPK) {
11476 /* For RPK before TLS 1.3, the single RPK is stored directly without
11477 * another "certificate_list" field. */
11478 certificate_list_length = offset_end - offset;
11479 next_offset = offset_end;
11480 } else {
11481 /* CertificateEntry certificate_list<0..2^24-1> */
11482 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &certificate_list_length,
11483 hf->hf.hs_certificates_len, 0, G_MAXUINT24((1U << 24) - 1))) {
11484 return;
11485 }
11486 offset += 3; /* 24-bit length value */
11487 next_offset = offset + certificate_list_length;
11488 }
11489
11490 /* RawPublicKey must have one cert, but X.509 can have multiple. */
11491 if (certificate_list_length > 0 && cert_type == CERT_X509) {
11492 proto_item *ti;
11493
11494 ti = proto_tree_add_none_format(tree,
11495 hf->hf.hs_certificates,
11496 tvb, offset, certificate_list_length,
11497 "Certificates (%u bytes)",
11498 certificate_list_length);
11499
11500 /* make it a subtree */
11501 subtree = proto_item_add_subtree(ti, hf->ett.certificates);
11502 }
11503
11504 while (offset < next_offset) {
11505 switch (cert_type) {
11506 case CERT_RPK:
11507 /* TODO add expert info if there is more than one RPK entry (certificate_index > 0) */
11508 /* opaque ASN.1_subjectPublicKeyInfo<1..2^24-1> */
11509 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, next_offset, &cert_length,
11510 hf->hf.hs_certificate_len, 1, G_MAXUINT24((1U << 24) - 1))) {
11511 return;
11512 }
11513 offset += 3;
11514
11515 dissect_x509af_SubjectPublicKeyInfo(false0, tvb, offset, &asn1_ctx, subtree, hf->hf.hs_certificate);
11516 offset += cert_length;
11517 break;
11518 case CERT_X509:
11519 /* opaque ASN1Cert<1..2^24-1> */
11520 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, next_offset, &cert_length,
11521 hf->hf.hs_certificate_len, 1, G_MAXUINT24((1U << 24) - 1))) {
11522 return;
11523 }
11524 offset += 3;
11525
11526 dissect_x509af_Certificate(false0, tvb, offset, &asn1_ctx, subtree, hf->hf.hs_certificate);
11527#if defined(HAVE_LIBGNUTLS1)
11528 if (is_from_server && ssl && certificate_index == 0) {
11529 ssl_find_private_key_by_pubkey(ssl, &subjectPublicKeyInfo);
11530 /* Only attempt to get the RSA modulus for the first cert. */
11531 asn1_ctx.private_data = NULL((void*)0);
11532 }
11533#endif
11534 offset += cert_length;
11535 break;
11536 }
11537
11538 /* TLS 1.3: Extension extensions<0..2^16-1> */
11539 if ((session->version == TLSV1DOT3_VERSION0x304 || session->version == DTLSV1DOT3_VERSION0xfefc)) {
11540 offset = ssl_dissect_hnd_extension(hf, tvb, subtree, pinfo, offset,
11541 next_offset, SSL_HND_CERTIFICATE,
11542 session, ssl, is_dtls, NULL((void*)0), NULL((void*)0), NULL((void*)0));
11543 }
11544
11545#if defined(HAVE_LIBGNUTLS1)
11546 certificate_index++;
11547#endif
11548 }
11549}
11550
11551void
11552ssl_dissect_hnd_cert_req(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
11553 proto_tree *tree, uint32_t offset, uint32_t offset_end,
11554 SslSession *session, bool_Bool is_dtls)
11555{
11556 /* From SSL 3.0 and up (note that since TLS 1.1 certificate_authorities can be empty):
11557 * enum {
11558 * rsa_sign(1), dss_sign(2), rsa_fixed_dh(3), dss_fixed_dh(4),
11559 * (255)
11560 * } ClientCertificateType;
11561 *
11562 * opaque DistinguishedName<1..2^16-1>;
11563 *
11564 * struct {
11565 * ClientCertificateType certificate_types<1..2^8-1>;
11566 * DistinguishedName certificate_authorities<3..2^16-1>;
11567 * } CertificateRequest;
11568 *
11569 *
11570 * As per TLSv1.2 (RFC 5246) the format has changed to:
11571 *
11572 * enum {
11573 * rsa_sign(1), dss_sign(2), rsa_fixed_dh(3), dss_fixed_dh(4),
11574 * rsa_ephemeral_dh_RESERVED(5), dss_ephemeral_dh_RESERVED(6),
11575 * fortezza_dms_RESERVED(20), (255)
11576 * } ClientCertificateType;
11577 *
11578 * enum {
11579 * none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5),
11580 * sha512(6), (255)
11581 * } HashAlgorithm;
11582 *
11583 * enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) }
11584 * SignatureAlgorithm;
11585 *
11586 * struct {
11587 * HashAlgorithm hash;
11588 * SignatureAlgorithm signature;
11589 * } SignatureAndHashAlgorithm;
11590 *
11591 * SignatureAndHashAlgorithm
11592 * supported_signature_algorithms<2..2^16-2>;
11593 *
11594 * opaque DistinguishedName<1..2^16-1>;
11595 *
11596 * struct {
11597 * ClientCertificateType certificate_types<1..2^8-1>;
11598 * SignatureAndHashAlgorithm supported_signature_algorithms<2^16-1>;
11599 * DistinguishedName certificate_authorities<0..2^16-1>;
11600 * } CertificateRequest;
11601 *
11602 * draft-ietf-tls-tls13-18:
11603 * struct {
11604 * opaque certificate_request_context<0..2^8-1>;
11605 * SignatureScheme
11606 * supported_signature_algorithms<2..2^16-2>;
11607 * DistinguishedName certificate_authorities<0..2^16-1>;
11608 * CertificateExtension certificate_extensions<0..2^16-1>;
11609 * } CertificateRequest;
11610 *
11611 * RFC 8446 (since draft-ietf-tls-tls13-19):
11612 *
11613 * struct {
11614 * opaque certificate_request_context<0..2^8-1>;
11615 * Extension extensions<2..2^16-1>;
11616 * } CertificateRequest;
11617 */
11618 proto_item *ti;
11619 proto_tree *subtree;
11620 uint32_t next_offset;
11621 asn1_ctx_t asn1_ctx;
11622 bool_Bool is_tls13 = (session->version == TLSV1DOT3_VERSION0x304 || session->version == DTLSV1DOT3_VERSION0xfefc);
11623 unsigned char draft_version = session->tls13_draft_version;
11624
11625 if (!tree)
11626 return;
11627
11628 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true1, pinfo);
11629
11630 if (is_tls13) {
11631 uint32_t context_length;
11632 /* opaque certificate_request_context<0..2^8-1> */
11633 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &context_length,
11634 hf->hf.hs_certificate_request_context_length, 0, UINT8_MAX(255))) {
11635 return;
11636 }
11637 offset++;
11638 if (context_length > 0) {
11639 proto_tree_add_item(tree, hf->hf.hs_certificate_request_context,
11640 tvb, offset, context_length, ENC_NA0x00000000);
11641 offset += context_length;
11642 }
11643 } else {
11644 uint32_t cert_types_count;
11645 /* ClientCertificateType certificate_types<1..2^8-1> */
11646 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &cert_types_count,
11647 hf->hf.hs_cert_types_count, 1, UINT8_MAX(255))) {
11648 return;
11649 }
11650 offset++;
11651 next_offset = offset + cert_types_count;
11652
11653 ti = proto_tree_add_none_format(tree,
11654 hf->hf.hs_cert_types,
11655 tvb, offset, cert_types_count,
11656 "Certificate types (%u type%s)",
11657 cert_types_count,
11658 plurality(cert_types_count, "", "s")((cert_types_count) == 1 ? ("") : ("s")));
11659 subtree = proto_item_add_subtree(ti, hf->ett.cert_types);
11660
11661 while (offset < next_offset) {
11662 proto_tree_add_item(subtree, hf->hf.hs_cert_type, tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
11663 offset++;
11664 }
11665 }
11666
11667 if (session->version == TLSV1DOT2_VERSION0x303 || session->version == DTLSV1DOT2_VERSION0xfefd ||
11668 (is_tls13 && (draft_version > 0 && draft_version < 19))) {
11669 offset = ssl_dissect_hash_alg_list(hf, tvb, tree, pinfo, offset, offset_end, NULL((void*)0));
11670 }
11671
11672 if (is_tls13 && (draft_version == 0 || draft_version >= 19)) {
11673 /*
11674 * TLS 1.3 draft 19 and newer: Extensions.
11675 * SslDecryptSession pointer is NULL because Certificate Extensions
11676 * should not influence decryption state.
11677 */
11678 ssl_dissect_hnd_extension(hf, tvb, tree, pinfo, offset,
11679 offset_end, SSL_HND_CERT_REQUEST,
11680 session, NULL((void*)0), is_dtls, NULL((void*)0), NULL((void*)0), NULL((void*)0));
11681 } else if (is_tls13 && draft_version <= 18) {
11682 /*
11683 * TLS 1.3 draft 18 and older: certificate_authorities and
11684 * certificate_extensions (a vector of OID mappings).
11685 */
11686 offset = tls_dissect_certificate_authorities(hf, tvb, pinfo, tree, offset, offset_end);
11687 ssl_dissect_hnd_hello_ext_oid_filters(hf, tvb, pinfo, tree, offset, offset_end);
11688 } else {
11689 /* for TLS 1.2 and older, the certificate_authorities field. */
11690 tls_dissect_certificate_authorities(hf, tvb, pinfo, tree, offset, offset_end);
11691 }
11692}
11693/* Certificate and Certificate Request dissections. }}} */
11694
11695void
11696ssl_dissect_hnd_cli_cert_verify(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
11697 proto_tree *tree, uint32_t offset, uint32_t offset_end, uint16_t version)
11698{
11699 ssl_dissect_digitally_signed(hf, tvb, pinfo, tree, offset, offset_end, version,
11700 hf->hf.hs_client_cert_vrfy_sig_len,
11701 hf->hf.hs_client_cert_vrfy_sig);
11702}
11703
11704/* Finished dissection. {{{ */
11705void
11706ssl_dissect_hnd_finished(ssl_common_dissect_t *hf, tvbuff_t *tvb,
11707 proto_tree *tree, uint32_t offset, uint32_t offset_end,
11708 const SslSession *session, ssl_hfs_t *ssl_hfs)
11709{
11710 /* For SSLv3:
11711 * struct {
11712 * opaque md5_hash[16];
11713 * opaque sha_hash[20];
11714 * } Finished;
11715 *
11716 * For (D)TLS:
11717 * struct {
11718 * opaque verify_data[12];
11719 * } Finished;
11720 *
11721 * For TLS 1.3:
11722 * struct {
11723 * opaque verify_data[Hash.length];
11724 * }
11725 */
11726 if (!tree)
11727 return;
11728
11729 if (session->version == SSLV3_VERSION0x300) {
11730 if (ssl_hfs != NULL((void*)0)) {
11731 proto_tree_add_item(tree, ssl_hfs->hs_md5_hash,
11732 tvb, offset, 16, ENC_NA0x00000000);
11733 proto_tree_add_item(tree, ssl_hfs->hs_sha_hash,
11734 tvb, offset + 16, 20, ENC_NA0x00000000);
11735 }
11736 } else {
11737 /* Length should be 12 for TLS before 1.3, assume this is the case. */
11738 proto_tree_add_item(tree, hf->hf.hs_finished,
11739 tvb, offset, offset_end - offset, ENC_NA0x00000000);
11740 }
11741} /* }}} */
11742
11743/* RFC 6066 Certificate URL handshake message dissection. {{{ */
11744void
11745ssl_dissect_hnd_cert_url(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree, uint32_t offset)
11746{
11747 uint16_t url_hash_len;
11748
11749 /* enum {
11750 * individual_certs(0), pkipath(1), (255)
11751 * } CertChainType;
11752 *
11753 * struct {
11754 * CertChainType type;
11755 * URLAndHash url_and_hash_list<1..2^16-1>;
11756 * } CertificateURL;
11757 *
11758 * struct {
11759 * opaque url<1..2^16-1>;
11760 * uint8 padding;
11761 * opaque SHA1Hash[20];
11762 * } URLAndHash;
11763 */
11764
11765 proto_tree_add_item(tree, hf->hf.hs_ext_cert_url_type,
11766 tvb, offset, 1, ENC_NA0x00000000);
11767 offset++;
11768
11769 url_hash_len = tvb_get_ntohs(tvb, offset);
11770 proto_tree_add_item(tree, hf->hf.hs_ext_cert_url_url_hash_list_len,
11771 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
11772 offset += 2;
11773 while (url_hash_len-- > 0) {
11774 proto_item *urlhash_item;
11775 proto_tree *urlhash_tree;
11776 uint16_t url_len;
11777
11778 urlhash_item = proto_tree_add_item(tree, hf->hf.hs_ext_cert_url_item,
11779 tvb, offset, -1, ENC_NA0x00000000);
11780 urlhash_tree = proto_item_add_subtree(urlhash_item, hf->ett.urlhash);
11781
11782 url_len = tvb_get_ntohs(tvb, offset);
11783 proto_tree_add_item(urlhash_tree, hf->hf.hs_ext_cert_url_url_len,
11784 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
11785 offset += 2;
11786
11787 proto_tree_add_item(urlhash_tree, hf->hf.hs_ext_cert_url_url,
11788 tvb, offset, url_len, ENC_ASCII0x00000000|ENC_NA0x00000000);
11789 offset += url_len;
11790
11791 proto_tree_add_item(urlhash_tree, hf->hf.hs_ext_cert_url_padding,
11792 tvb, offset, 1, ENC_NA0x00000000);
11793 offset++;
11794 /* Note: RFC 6066 says that padding must be 0x01 */
11795
11796 proto_tree_add_item(urlhash_tree, hf->hf.hs_ext_cert_url_sha1,
11797 tvb, offset, 20, ENC_NA0x00000000);
11798 offset += 20;
11799 }
11800} /* }}} */
11801
11802void
11803ssl_dissect_hnd_compress_certificate(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree,
11804 uint32_t offset, uint32_t offset_end, packet_info *pinfo,
11805 SslSession *session, SslDecryptSession *ssl,
11806 bool_Bool is_from_server, bool_Bool is_dtls)
11807{
11808 uint32_t algorithm, uncompressed_length;
11809 uint32_t compressed_certificate_message_length;
11810 tvbuff_t *uncompressed_tvb = NULL((void*)0);
11811 proto_item *ti;
11812 /*
11813 * enum {
11814 * zlib(1),
11815 * brotli(2),
11816 * zstd(3),
11817 * (65535)
11818 * } CertificateCompressionAlgorithm;
11819 *
11820 * struct {
11821 * CertificateCompressionAlgorithm algorithm;
11822 * uint24 uncompressed_length;
11823 * opaque compressed_certificate_message<1..2^24-1>;
11824 * } CompressedCertificate;
11825 */
11826
11827 proto_tree_add_item_ret_uint(tree, hf->hf.hs_ext_compress_certificate_algorithm,
11828 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &algorithm);
11829 offset += 2;
11830
11831 proto_tree_add_item_ret_uint(tree, hf->hf.hs_ext_compress_certificate_uncompressed_length,
11832 tvb, offset, 3, ENC_BIG_ENDIAN0x00000000, &uncompressed_length);
11833 offset += 3;
11834
11835 /* opaque compressed_certificate_message<1..2^24-1>; */
11836 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &compressed_certificate_message_length,
11837 hf->hf.hs_ext_compress_certificate_compressed_certificate_message_length, 1, G_MAXUINT24((1U << 24) - 1))) {
11838 return;
11839 }
11840 offset += 3;
11841
11842 ti = proto_tree_add_item(tree, hf->hf.hs_ext_compress_certificate_compressed_certificate_message,
11843 tvb, offset, compressed_certificate_message_length, ENC_NA0x00000000);
11844
11845 /* Certificate decompression following algorithm */
11846 switch (algorithm) {
11847 case 1: /* zlib */
11848 uncompressed_tvb = tvb_child_uncompress_zlib(tvb, tvb, offset, compressed_certificate_message_length);
11849 break;
11850 case 2: /* brotli */
11851 uncompressed_tvb = tvb_child_uncompress_brotli(tvb, tvb, offset, compressed_certificate_message_length);
11852 break;
11853 case 3: /* zstd */
11854 uncompressed_tvb = tvb_child_uncompress_zstd(tvb, tvb, offset, compressed_certificate_message_length);
11855 break;
11856 }
11857
11858 if (uncompressed_tvb) {
11859 proto_tree *uncompressed_tree;
11860
11861 if (uncompressed_length != tvb_captured_length(uncompressed_tvb)) {
11862 proto_tree_add_expert_format(tree, pinfo, &hf->ei.decompression_error,
11863 tvb, offset, offset_end - offset,
11864 "Invalid uncompressed length %u (expected %u)",
11865 tvb_captured_length(uncompressed_tvb),
11866 uncompressed_length);
11867 } else {
11868 uncompressed_tree = proto_item_add_subtree(ti, hf->ett.uncompressed_certificates);
11869 ssl_dissect_hnd_cert(hf, uncompressed_tvb, uncompressed_tree,
11870 0, uncompressed_length, pinfo, session, ssl, is_from_server, is_dtls);
11871 add_new_data_source(pinfo, uncompressed_tvb, "Uncompressed certificate(s)");
11872 }
11873 }
11874}
11875
11876/* Dissection of TLS Extensions in Client Hello, Server Hello, etc. {{{ */
11877static int
11878// NOLINTNEXTLINE(misc-no-recursion)
11879ssl_dissect_hnd_extension(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree,
11880 packet_info* pinfo, uint32_t offset, uint32_t offset_end, uint8_t hnd_type,
11881 SslSession *session, SslDecryptSession *ssl,
11882 bool_Bool is_dtls, wmem_strbuf_t *ja3, ja4_data_t *ja4_data,
11883 ssl_master_key_map_t *mk_map)
11884{
11885 uint32_t exts_len;
11886 uint16_t ext_type;
11887 uint32_t ext_len;
11888 uint32_t next_offset;
11889 proto_item *ext_item;
11890 proto_tree *ext_tree;
11891 bool_Bool is_tls13 = session->version == TLSV1DOT3_VERSION0x304;
11892 wmem_strbuf_t *ja3_sg = wmem_strbuf_new(pinfo->pool, "");
11893 wmem_strbuf_t *ja3_ecpf = wmem_strbuf_new(pinfo->pool, "");
11894 char *ja3_dash = "";
11895 unsigned supported_version;
11896
11897 /* Extension extensions<0..2^16-2> (for TLS 1.3 HRR/CR min-length is 2) */
11898 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &exts_len,
11899 hf->hf.hs_exts_len, 0, UINT16_MAX(65535))) {
11900 return offset_end;
11901 }
11902 offset += 2;
11903 offset_end = offset + exts_len;
11904
11905 if (ja4_data) {
11906 ja4_data->num_extensions = 0;
11907 }
11908 while (offset_end - offset >= 4)
11909 {
11910 ext_type = tvb_get_ntohs(tvb, offset);
11911 ext_len = tvb_get_ntohs(tvb, offset + 2);
11912
11913 if (ja4_data && !IS_GREASE_TLS(ext_type)((((ext_type) & 0x0f0f) == 0x0a0a) && (((ext_type
) & 0xff) == (((ext_type)>>8) & 0xff)))) {
11914 ja4_data->num_extensions += 1;
11915 if (ext_type != SSL_HND_HELLO_EXT_SERVER_NAME0 &&
11916 ext_type != SSL_HND_HELLO_EXT_ALPN16) {
11917 wmem_list_insert_sorted(ja4_data->extension_list, GUINT_TO_POINTER(ext_type)((gpointer) (gulong) (ext_type)), wmem_compare_uint);
11918 }
11919 }
11920
11921 ext_item = proto_tree_add_none_format(tree, hf->hf.hs_ext, tvb, offset, 4 + ext_len,
11922 "Extension: %s (len=%u)", val_to_str(pinfo->pool, ext_type,
11923 tls_hello_extension_types,
11924 "Unknown type %u"), ext_len);
11925 ext_tree = proto_item_add_subtree(ext_item, hf->ett.hs_ext);
11926
11927 proto_tree_add_uint(ext_tree, hf->hf.hs_ext_type,
11928 tvb, offset, 2, ext_type);
11929 offset += 2;
11930 if (ja3 && !IS_GREASE_TLS(ext_type)((((ext_type) & 0x0f0f) == 0x0a0a) && (((ext_type
) & 0xff) == (((ext_type)>>8) & 0xff)))) {
11931 wmem_strbuf_append_printf(ja3, "%s%i",ja3_dash, ext_type);
11932 ja3_dash = "-";
11933 }
11934
11935 /* opaque extension_data<0..2^16-1> */
11936 if (!ssl_add_vector(hf, tvb, pinfo, ext_tree, offset, offset_end, &ext_len,
11937 hf->hf.hs_ext_len, 0, UINT16_MAX(65535))) {
11938 return offset_end;
11939 }
11940 offset += 2;
11941 next_offset = offset + ext_len;
11942
11943 switch (ext_type) {
11944 case SSL_HND_HELLO_EXT_SERVER_NAME0:
11945 if (hnd_type == SSL_HND_CLIENT_HELLO) {
11946 offset = ssl_dissect_hnd_hello_ext_server_name(hf, tvb, pinfo, ext_tree, offset, next_offset);
11947 if (ja4_data) {
11948 ja4_data->server_name_present = true1;
11949 }
11950 }
11951 break;
11952 case SSL_HND_HELLO_EXT_MAX_FRAGMENT_LENGTH1:
11953 proto_tree_add_item(ext_tree, hf->hf.hs_ext_max_fragment_length, tvb, offset, 1, ENC_NA0x00000000);
11954 offset += 1;
11955 break;
11956 case SSL_HND_HELLO_EXT_STATUS_REQUEST5:
11957 if (hnd_type == SSL_HND_CLIENT_HELLO) {
11958 offset = ssl_dissect_hnd_hello_ext_status_request(hf, tvb, pinfo, ext_tree, offset, next_offset, false0);
11959 } else if (is_tls13 && hnd_type == SSL_HND_CERTIFICATE) {
11960 offset = tls_dissect_hnd_certificate_status(hf, tvb, pinfo, ext_tree, offset, next_offset);
11961 }
11962 break;
11963 case SSL_HND_HELLO_EXT_CERT_TYPE9:
11964 offset = ssl_dissect_hnd_hello_ext_cert_type(hf, tvb, ext_tree,
11965 offset, next_offset,
11966 hnd_type, ext_type,
11967 session);
11968 break;
11969 case SSL_HND_HELLO_EXT_SUPPORTED_GROUPS10:
11970 if (hnd_type == SSL_HND_CLIENT_HELLO) {
11971 offset = ssl_dissect_hnd_hello_ext_supported_groups(hf, tvb, pinfo, ext_tree, offset,
11972 next_offset, ja3_sg);
11973 } else {
11974 offset = ssl_dissect_hnd_hello_ext_supported_groups(hf, tvb, pinfo, ext_tree, offset,
11975 next_offset, NULL((void*)0));
11976 }
11977 break;
11978 case SSL_HND_HELLO_EXT_EC_POINT_FORMATS11:
11979 if (hnd_type == SSL_HND_CLIENT_HELLO) {
11980 offset = ssl_dissect_hnd_hello_ext_ec_point_formats(hf, tvb, ext_tree, offset, ja3_ecpf);
11981 } else {
11982 offset = ssl_dissect_hnd_hello_ext_ec_point_formats(hf, tvb, ext_tree, offset, NULL((void*)0));
11983 }
11984 break;
11985 break;
11986 case SSL_HND_HELLO_EXT_SRP12:
11987 offset = ssl_dissect_hnd_hello_ext_srp(hf, tvb, pinfo, ext_tree, offset, next_offset);
11988 break;
11989 case SSL_HND_HELLO_EXT_SIGNATURE_ALGORITHMS13:
11990 offset = ssl_dissect_hnd_hello_ext_sig_hash_algs(hf, tvb, ext_tree, pinfo, offset, next_offset, ja4_data);
11991 break;
11992 case SSL_HND_HELLO_EXT_SIGNATURE_ALGORITHMS_CERT50: /* since TLS 1.3 draft -23 */
11993 offset = ssl_dissect_hnd_hello_ext_sig_hash_algs(hf, tvb, ext_tree, pinfo, offset, next_offset, NULL((void*)0));
11994 break;
11995 case SSL_HND_HELLO_EXT_DELEGATED_CREDENTIALS34:
11996 offset = ssl_dissect_hnd_ext_delegated_credentials(hf, tvb, ext_tree, pinfo, offset, next_offset, hnd_type);
11997 break;
11998 case SSL_HND_HELLO_EXT_USE_SRTP14:
11999 if (is_dtls) {
12000 if (hnd_type == SSL_HND_CLIENT_HELLO) {
12001 offset = dtls_dissect_hnd_hello_ext_use_srtp(pinfo, tvb, ext_tree, offset, next_offset, false0);
12002 } else if (hnd_type == SSL_HND_SERVER_HELLO) {
12003 offset = dtls_dissect_hnd_hello_ext_use_srtp(pinfo, tvb, ext_tree, offset, next_offset, true1);
12004 }
12005 } else {
12006 // XXX expert info: This extension MUST only be used with DTLS, and not with TLS.
12007 }
12008 break;
12009 case SSL_HND_HELLO_EXT_ECH_OUTER_EXTENSIONS64768:
12010 offset = ssl_dissect_hnd_ech_outer_ext(hf, tvb, pinfo, ext_tree, offset, next_offset);
12011 break;
12012 case SSL_HND_HELLO_EXT_ENCRYPTED_CLIENT_HELLO65037:
12013 offset = ssl_dissect_hnd_hello_ext_ech(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, session, ssl, mk_map);
12014 break;
12015 case SSL_HND_HELLO_EXT_HEARTBEAT15:
12016 proto_tree_add_item(ext_tree, hf->hf.hs_ext_heartbeat_mode,
12017 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
12018 offset++;
12019 break;
12020 case SSL_HND_HELLO_EXT_ALPN16:
12021 offset = ssl_dissect_hnd_hello_ext_alpn(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, session, is_dtls, ja4_data);
12022 break;
12023 case SSL_HND_HELLO_EXT_STATUS_REQUEST_V217:
12024 if (hnd_type == SSL_HND_CLIENT_HELLO)
12025 offset = ssl_dissect_hnd_hello_ext_status_request_v2(hf, tvb, pinfo, ext_tree, offset, next_offset);
12026 break;
12027 case SSL_HND_HELLO_EXT_SIGNED_CERTIFICATE_TIMESTAMP18:
12028 // TLS 1.3 note: SCT only appears in EE in draft -16 and before.
12029 if (hnd_type == SSL_HND_SERVER_HELLO || hnd_type == SSL_HND_ENCRYPTED_EXTENSIONS || hnd_type == SSL_HND_CERTIFICATE)
12030 offset = tls_dissect_sct_list(hf, tvb, pinfo, ext_tree, offset, next_offset, session->version);
12031 break;
12032 case SSL_HND_HELLO_EXT_CLIENT_CERT_TYPE19:
12033 case SSL_HND_HELLO_EXT_SERVER_CERT_TYPE20:
12034 offset = ssl_dissect_hnd_hello_ext_cert_type(hf, tvb, ext_tree,
12035 offset, next_offset,
12036 hnd_type, ext_type,
12037 session);
12038 break;
12039 case SSL_HND_HELLO_EXT_PADDING21:
12040 proto_tree_add_item(ext_tree, hf->hf.hs_ext_padding_data, tvb, offset, ext_len, ENC_NA0x00000000);
12041 offset += ext_len;
12042 break;
12043 case SSL_HND_HELLO_EXT_ENCRYPT_THEN_MAC22:
12044 if (ssl && hnd_type == SSL_HND_SERVER_HELLO) {
12045 ssl_debug_printf("%s enabling Encrypt-then-MAC\n", G_STRFUNC((const char*) (__func__)));
12046 ssl->state |= SSL_ENCRYPT_THEN_MAC(1<<11);
12047 }
12048 break;
12049 case SSL_HND_HELLO_EXT_EXTENDED_MASTER_SECRET23:
12050 if (ssl) {
12051 switch (hnd_type) {
12052 case SSL_HND_CLIENT_HELLO:
12053 ssl->state |= SSL_CLIENT_EXTENDED_MASTER_SECRET(1<<7);
12054 break;
12055 case SSL_HND_SERVER_HELLO:
12056 ssl->state |= SSL_SERVER_EXTENDED_MASTER_SECRET(1<<8);
12057 break;
12058 default: /* no default */
12059 break;
12060 }
12061 }
12062 break;
12063 case SSL_HND_HELLO_EXT_COMPRESS_CERTIFICATE27:
12064 offset = ssl_dissect_hnd_hello_ext_compress_certificate(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, ssl);
12065 break;
12066 case SSL_HND_HELLO_EXT_TOKEN_BINDING24:
12067 offset = ssl_dissect_hnd_hello_ext_token_binding(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, ssl);
12068 break;
12069 case SSL_HND_HELLO_EXT_RECORD_SIZE_LIMIT28:
12070 proto_tree_add_item(ext_tree, hf->hf.hs_ext_record_size_limit,
12071 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
12072 offset += 2;
12073 break;
12074 case SSL_HND_HELLO_EXT_QUIC_TRANSPORT_PARAMETERS65445:
12075 case SSL_HND_HELLO_EXT_QUIC_TRANSPORT_PARAMETERS_V157:
12076 offset = ssl_dissect_hnd_hello_ext_quic_transport_parameters(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, ssl);
12077 break;
12078 case SSL_HND_HELLO_EXT_SESSION_TICKET_TLS35:
12079 offset = ssl_dissect_hnd_hello_ext_session_ticket(hf, tvb, ext_tree, offset, next_offset, hnd_type, ssl);
12080 break;
12081 case SSL_HND_HELLO_EXT_KEY_SHARE_OLD40: /* used before TLS 1.3 draft -23 */
12082 case SSL_HND_HELLO_EXT_KEY_SHARE51:
12083 offset = ssl_dissect_hnd_hello_ext_key_share(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type);
12084 break;
12085 case SSL_HND_HELLO_EXT_PRE_SHARED_KEY41:
12086 offset = ssl_dissect_hnd_hello_ext_pre_shared_key(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type);
12087 break;
12088 case SSL_HND_HELLO_EXT_EARLY_DATA42:
12089 case SSL_HND_HELLO_EXT_TICKET_EARLY_DATA_INFO46:
12090 offset = ssl_dissect_hnd_hello_ext_early_data(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, ssl);
12091 break;
12092 case SSL_HND_HELLO_EXT_SUPPORTED_VERSIONS43:
12093 switch (hnd_type) {
12094 case SSL_HND_CLIENT_HELLO:
12095 offset = ssl_dissect_hnd_hello_ext_supported_versions(hf, tvb, pinfo, ext_tree, offset, next_offset, session, is_dtls, ja4_data);
12096 break;
12097 case SSL_HND_SERVER_HELLO:
12098 case SSL_HND_HELLO_RETRY_REQUEST:
12099 proto_tree_add_item_ret_uint(ext_tree, hf->hf.hs_ext_supported_version, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &supported_version);
12100 offset += 2;
12101 proto_item_append_text(ext_tree, " %s", val_to_str(pinfo->pool, supported_version, ssl_versions, "Unknown (0x%04x)"));
12102 break;
12103 }
12104 break;
12105 case SSL_HND_HELLO_EXT_COOKIE44:
12106 offset = ssl_dissect_hnd_hello_ext_cookie(hf, tvb, pinfo, ext_tree, offset, next_offset);
12107 break;
12108 case SSL_HND_HELLO_EXT_PSK_KEY_EXCHANGE_MODES45:
12109 offset = ssl_dissect_hnd_hello_ext_psk_key_exchange_modes(hf, tvb, pinfo, ext_tree, offset, next_offset);
12110 break;
12111 case SSL_HND_HELLO_EXT_CERTIFICATE_AUTHORITIES47:
12112 offset = ssl_dissect_hnd_hello_ext_certificate_authorities(hf, tvb, pinfo, ext_tree, offset, next_offset);
12113 break;
12114 case SSL_HND_HELLO_EXT_OID_FILTERS48:
12115 offset = ssl_dissect_hnd_hello_ext_oid_filters(hf, tvb, pinfo, ext_tree, offset, next_offset);
12116 break;
12117 case SSL_HND_HELLO_EXT_POST_HANDSHAKE_AUTH49:
12118 break;
12119 case SSL_HND_HELLO_EXT_NPN13172:
12120 offset = ssl_dissect_hnd_hello_ext_npn(hf, tvb, pinfo, ext_tree, offset, next_offset);
12121 break;
12122 case SSL_HND_HELLO_EXT_ALPS_OLD17513:
12123 offset = ssl_dissect_hnd_hello_ext_alps(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type);
12124 break;
12125 case SSL_HND_HELLO_EXT_ALPS17613:
12126 offset = ssl_dissect_hnd_hello_ext_alps(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type);
12127 break;
12128 case SSL_HND_HELLO_EXT_RENEGOTIATION_INFO65281:
12129 offset = ssl_dissect_hnd_hello_ext_reneg_info(hf, tvb, pinfo, ext_tree, offset, next_offset);
12130 break;
12131 case SSL_HND_HELLO_EXT_ENCRYPTED_SERVER_NAME65486:
12132 offset = ssl_dissect_hnd_hello_ext_esni(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, ssl);
12133 break;
12134 case SSL_HND_HELLO_EXT_CONNECTION_ID_DEPRECATED53:
12135 session->deprecated_cid = true1;
12136 /* FALLTHRU */
12137 case SSL_HND_HELLO_EXT_CONNECTION_ID54:
12138 offset = ssl_dissect_hnd_hello_ext_connection_id(hf, tvb, pinfo, ext_tree, offset, hnd_type, session, ssl);
12139 break;
12140 case SSL_HND_HELLO_EXT_TRUSTED_CA_KEYS3:
12141 offset = ssl_dissect_hnd_hello_ext_trusted_ca_keys(hf, tvb, pinfo, ext_tree, offset, next_offset);
12142 break;
12143 default:
12144 proto_tree_add_item(ext_tree, hf->hf.hs_ext_data,
12145 tvb, offset, ext_len, ENC_NA0x00000000);
12146 offset += ext_len;
12147 break;
12148 }
12149
12150 if (!ssl_end_vector(hf, tvb, pinfo, ext_tree, offset, next_offset)) {
12151 /* Dissection did not end at expected location, fix it. */
12152 offset = next_offset;
12153 }
12154 }
12155
12156 if (ja3) {
12157 if (hnd_type == SSL_HND_CLIENT_HELLO) {
12158 if(wmem_strbuf_get_len(ja3_sg) > 0) {
12159 wmem_strbuf_append_printf(ja3, "%s", wmem_strbuf_get_str(ja3_sg));
12160 } else {
12161 wmem_strbuf_append_c(ja3, ',');
12162 }
12163 if(wmem_strbuf_get_len(ja3_ecpf) > 0) {
12164 wmem_strbuf_append_printf(ja3, "%s", wmem_strbuf_get_str(ja3_ecpf));
12165 } else {
12166 wmem_strbuf_append_c(ja3, ',');
12167 }
12168 }
12169 }
12170
12171 /* Check if Extensions vector is correctly terminated. */
12172 if (!ssl_end_vector(hf, tvb, pinfo, tree, offset, offset_end)) {
12173 offset = offset_end;
12174 }
12175
12176 return offset;
12177} /* }}} */
12178
12179
12180/* ClientKeyExchange algo-specific dissectors. {{{ */
12181
12182static void
12183dissect_ssl3_hnd_cli_keyex_ecdh(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12184 proto_tree *tree, uint32_t offset,
12185 uint32_t length)
12186{
12187 int point_len;
12188 proto_tree *ssl_ecdh_tree;
12189
12190 ssl_ecdh_tree = proto_tree_add_subtree(tree, tvb, offset, length,
12191 hf->ett.keyex_params, NULL((void*)0), "EC Diffie-Hellman Client Params");
12192
12193 /* point */
12194 point_len = tvb_get_uint8(tvb, offset);
12195 proto_tree_add_item(ssl_ecdh_tree, hf->hf.hs_client_keyex_point_len, tvb,
12196 offset, 1, ENC_BIG_ENDIAN0x00000000);
12197 proto_tree_add_item(ssl_ecdh_tree, hf->hf.hs_client_keyex_point, tvb,
12198 offset + 1, point_len, ENC_NA0x00000000);
12199}
12200
12201static void
12202dissect_ssl3_hnd_cli_keyex_dhe(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12203 proto_tree *tree, uint32_t offset, uint32_t length)
12204{
12205 int yc_len;
12206 proto_tree *ssl_dh_tree;
12207
12208 ssl_dh_tree = proto_tree_add_subtree(tree, tvb, offset, length,
12209 hf->ett.keyex_params, NULL((void*)0), "Diffie-Hellman Client Params");
12210
12211 /* ClientDiffieHellmanPublic.dh_public (explicit) */
12212 yc_len = tvb_get_ntohs(tvb, offset);
12213 proto_tree_add_item(ssl_dh_tree, hf->hf.hs_client_keyex_yc_len, tvb,
12214 offset, 2, ENC_BIG_ENDIAN0x00000000);
12215 proto_tree_add_item(ssl_dh_tree, hf->hf.hs_client_keyex_yc, tvb,
12216 offset + 2, yc_len, ENC_NA0x00000000);
12217}
12218
12219static void
12220dissect_ssl3_hnd_cli_keyex_rsa(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12221 proto_tree *tree, uint32_t offset,
12222 uint32_t length, const SslSession *session)
12223{
12224 int epms_len;
12225 proto_tree *ssl_rsa_tree;
12226
12227 ssl_rsa_tree = proto_tree_add_subtree(tree, tvb, offset, length,
12228 hf->ett.keyex_params, NULL((void*)0), "RSA Encrypted PreMaster Secret");
12229
12230 /* EncryptedPreMasterSecret.pre_master_secret */
12231 switch (session->version) {
12232 case SSLV2_VERSION0x0002:
12233 case SSLV3_VERSION0x300:
12234 case DTLSV1DOT0_OPENSSL_VERSION0x100:
12235 /* OpenSSL pre-0.9.8f DTLS and pre-TLS quirk: 2-octet length vector is
12236 * not present. The handshake contents represents the EPMS, see:
12237 * https://gitlab.com/wireshark/wireshark/-/issues/10222 */
12238 epms_len = length;
12239 break;
12240
12241 default:
12242 /* TLS and DTLS include vector length before EPMS */
12243 epms_len = tvb_get_ntohs(tvb, offset);
12244 proto_tree_add_item(ssl_rsa_tree, hf->hf.hs_client_keyex_epms_len, tvb,
12245 offset, 2, ENC_BIG_ENDIAN0x00000000);
12246 offset += 2;
12247 break;
12248 }
12249 proto_tree_add_item(ssl_rsa_tree, hf->hf.hs_client_keyex_epms, tvb,
12250 offset, epms_len, ENC_NA0x00000000);
12251}
12252
12253/* Used in PSK cipher suites */
12254static uint32_t
12255dissect_ssl3_hnd_cli_keyex_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12256 proto_tree *tree, uint32_t offset)
12257{
12258 unsigned identity_len;
12259 proto_tree *ssl_psk_tree;
12260
12261 ssl_psk_tree = proto_tree_add_subtree(tree, tvb, offset, -1,
12262 hf->ett.keyex_params, NULL((void*)0), "PSK Client Params");
12263 /* identity */
12264 identity_len = tvb_get_ntohs(tvb, offset);
12265 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_client_keyex_identity_len, tvb,
12266 offset, 2, ENC_BIG_ENDIAN0x00000000);
12267 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_client_keyex_identity, tvb,
12268 offset + 2, identity_len, ENC_NA0x00000000);
12269
12270 proto_item_set_len(ssl_psk_tree, 2 + identity_len);
12271 return 2 + identity_len;
12272}
12273
12274/* Used in RSA PSK cipher suites */
12275static void
12276dissect_ssl3_hnd_cli_keyex_rsa_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12277 proto_tree *tree, uint32_t offset,
12278 uint32_t length)
12279{
12280 int identity_len, epms_len;
12281 proto_tree *ssl_psk_tree;
12282
12283 ssl_psk_tree = proto_tree_add_subtree(tree, tvb, offset, length,
12284 hf->ett.keyex_params, NULL((void*)0), "RSA PSK Client Params");
12285
12286 /* identity */
12287 identity_len = tvb_get_ntohs(tvb, offset);
12288 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_client_keyex_identity_len,
12289 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
12290 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_client_keyex_identity,
12291 tvb, offset + 2, identity_len, ENC_NA0x00000000);
12292 offset += 2 + identity_len;
12293
12294 /* Yc */
12295 epms_len = tvb_get_ntohs(tvb, offset);
12296 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_client_keyex_epms_len, tvb,
12297 offset, 2, ENC_BIG_ENDIAN0x00000000);
12298 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_client_keyex_epms, tvb,
12299 offset + 2, epms_len, ENC_NA0x00000000);
12300}
12301
12302/* Used in Diffie-Hellman PSK cipher suites */
12303static void
12304dissect_ssl3_hnd_cli_keyex_dhe_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12305 proto_tree *tree, uint32_t offset, uint32_t length)
12306{
12307 /*
12308 * struct {
12309 * select (KeyExchangeAlgorithm) {
12310 * case diffie_hellman_psk:
12311 * opaque psk_identity<0..2^16-1>;
12312 * ClientDiffieHellmanPublic public;
12313 * } exchange_keys;
12314 * } ClientKeyExchange;
12315 */
12316
12317 uint32_t psk_len = dissect_ssl3_hnd_cli_keyex_psk(hf, tvb, tree, offset);
12318 dissect_ssl3_hnd_cli_keyex_dhe(hf, tvb, tree, offset + psk_len, length - psk_len);
12319}
12320
12321/* Used in EC Diffie-Hellman PSK cipher suites */
12322static void
12323dissect_ssl3_hnd_cli_keyex_ecdh_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12324 proto_tree *tree, uint32_t offset, uint32_t length)
12325{
12326 /*
12327 * struct {
12328 * select (KeyExchangeAlgorithm) {
12329 * case ec_diffie_hellman_psk:
12330 * opaque psk_identity<0..2^16-1>;
12331 * ClientECDiffieHellmanPublic public;
12332 * } exchange_keys;
12333 * } ClientKeyExchange;
12334 */
12335
12336 uint32_t psk_len = dissect_ssl3_hnd_cli_keyex_psk(hf, tvb, tree, offset);
12337 dissect_ssl3_hnd_cli_keyex_ecdh(hf, tvb, tree, offset + psk_len, length - psk_len);
12338}
12339
12340/* Used in EC J-PAKE cipher suites */
12341static void
12342dissect_ssl3_hnd_cli_keyex_ecjpake(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12343 proto_tree *tree, uint32_t offset,
12344 uint32_t length)
12345{
12346 /*
12347 * struct {
12348 * ECPoint V;
12349 * opaque r<1..2^8-1>;
12350 * } ECSchnorrZKP;
12351 *
12352 * struct {
12353 * ECPoint X;
12354 * ECSchnorrZKP zkp;
12355 * } ECJPAKEKeyKP;
12356 *
12357 * struct {
12358 * ECJPAKEKeyKP ecjpake_key_kp;
12359 * } ClientECJPAKEParams;
12360 *
12361 * select (KeyExchangeAlgorithm) {
12362 * case ecjpake:
12363 * ClientECJPAKEParams params;
12364 * } ClientKeyExchange;
12365 */
12366
12367 int point_len;
12368 proto_tree *ssl_ecjpake_tree;
12369
12370 ssl_ecjpake_tree = proto_tree_add_subtree(tree, tvb, offset, length,
12371 hf->ett.keyex_params, NULL((void*)0),
12372 "EC J-PAKE Client Params");
12373
12374 /* ECJPAKEKeyKP.X */
12375 point_len = tvb_get_uint8(tvb, offset);
12376 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_client_keyex_xc_len, tvb,
12377 offset, 1, ENC_BIG_ENDIAN0x00000000);
12378 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_client_keyex_xc, tvb,
12379 offset + 1, point_len, ENC_NA0x00000000);
12380 offset += 1 + point_len;
12381
12382 /* ECJPAKEKeyKP.zkp.V */
12383 point_len = tvb_get_uint8(tvb, offset);
12384 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_client_keyex_vc_len, tvb,
12385 offset, 1, ENC_BIG_ENDIAN0x00000000);
12386 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_client_keyex_vc, tvb,
12387 offset + 1, point_len, ENC_NA0x00000000);
12388 offset += 1 + point_len;
12389
12390 /* ECJPAKEKeyKP.zkp.r */
12391 point_len = tvb_get_uint8(tvb, offset);
12392 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_client_keyex_rc_len, tvb,
12393 offset, 1, ENC_BIG_ENDIAN0x00000000);
12394 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_client_keyex_rc, tvb,
12395 offset + 1, point_len, ENC_NA0x00000000);
12396}
12397
12398static void
12399dissect_ssl3_hnd_cli_keyex_ecc_sm2(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12400 proto_tree *tree, uint32_t offset,
12401 uint32_t length)
12402{
12403 int epms_len;
12404 proto_tree *ssl_ecc_sm2_tree;
12405
12406 ssl_ecc_sm2_tree = proto_tree_add_subtree(tree, tvb, offset, length,
12407 hf->ett.keyex_params, NULL((void*)0),
12408 "ECC-SM2 Encrypted PreMaster Secret");
12409
12410 epms_len = tvb_get_ntohs(tvb, offset);
12411 proto_tree_add_item(ssl_ecc_sm2_tree, hf->hf.hs_client_keyex_epms_len, tvb,
12412 offset, 2, ENC_BIG_ENDIAN0x00000000);
12413 offset += 2;
12414 proto_tree_add_item(ssl_ecc_sm2_tree, hf->hf.hs_client_keyex_epms, tvb,
12415 offset, epms_len, ENC_NA0x00000000);
12416}
12417/* ClientKeyExchange algo-specific dissectors. }}} */
12418
12419
12420/* Dissects DigitallySigned (see RFC 5246 4.7 Cryptographic Attributes). {{{ */
12421static uint32_t
12422ssl_dissect_digitally_signed(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12423 proto_tree *tree, uint32_t offset, uint32_t offset_end,
12424 uint16_t version, int hf_sig_len, int hf_sig)
12425{
12426 uint32_t sig_len;
12427
12428 switch (version) {
12429 case TLSV1DOT2_VERSION0x303:
12430 case DTLSV1DOT2_VERSION0xfefd:
12431 case TLSV1DOT3_VERSION0x304:
12432 case DTLSV1DOT3_VERSION0xfefc:
12433 tls_dissect_signature_algorithm(hf, tvb, tree, offset, NULL((void*)0));
12434 offset += 2;
12435 break;
12436
12437 default:
12438 break;
12439 }
12440
12441 /* Sig */
12442 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &sig_len,
12443 hf_sig_len, 0, UINT16_MAX(65535))) {
12444 return offset_end;
12445 }
12446 offset += 2;
12447 proto_tree_add_item(tree, hf_sig, tvb, offset, sig_len, ENC_NA0x00000000);
12448 offset += sig_len;
12449 return offset;
12450} /* }}} */
12451
12452/* ServerKeyExchange algo-specific dissectors. {{{ */
12453
12454/* dissects signed_params inside a ServerKeyExchange for some keyex algos */
12455static void
12456dissect_ssl3_hnd_srv_keyex_sig(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12457 proto_tree *tree, uint32_t offset, uint32_t offset_end,
12458 uint16_t version)
12459{
12460 /*
12461 * TLSv1.2 (RFC 5246 sec 7.4.8)
12462 * struct {
12463 * digitally-signed struct {
12464 * opaque handshake_messages[handshake_messages_length];
12465 * }
12466 * } CertificateVerify;
12467 *
12468 * TLSv1.0/TLSv1.1 (RFC 5436 sec 7.4.8 and 7.4.3) works essentially the same
12469 * as TLSv1.2, but the hash algorithms are not explicit in digitally-signed.
12470 *
12471 * SSLv3 (RFC 6101 sec 5.6.8) essentially works the same as TLSv1.0 but it
12472 * does more hashing including the master secret and padding.
12473 */
12474 ssl_dissect_digitally_signed(hf, tvb, pinfo, tree, offset, offset_end, version,
12475 hf->hf.hs_server_keyex_sig_len,
12476 hf->hf.hs_server_keyex_sig);
12477}
12478
12479static uint32_t
12480dissect_tls_ecparameters(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree, uint32_t offset, uint32_t offset_end)
12481{
12482 /*
12483 * RFC 4492 ECC cipher suites for TLS
12484 *
12485 * struct {
12486 * ECCurveType curve_type;
12487 * select (curve_type) {
12488 * case explicit_prime:
12489 * ...
12490 * case explicit_char2:
12491 * ...
12492 * case named_curve:
12493 * NamedCurve namedcurve;
12494 * };
12495 * } ECParameters;
12496 */
12497
12498 int curve_type;
12499
12500 /* ECParameters.curve_type */
12501 curve_type = tvb_get_uint8(tvb, offset);
12502 proto_tree_add_item(tree, hf->hf.hs_server_keyex_curve_type, tvb,
12503 offset, 1, ENC_BIG_ENDIAN0x00000000);
12504 offset++;
12505
12506 if (curve_type != 3)
12507 return offset_end; /* only named_curves are supported */
12508
12509 /* case curve_type == named_curve; ECParameters.namedcurve */
12510 proto_tree_add_item(tree, hf->hf.hs_server_keyex_named_curve, tvb,
12511 offset, 2, ENC_BIG_ENDIAN0x00000000);
12512 offset += 2;
12513
12514 return offset;
12515}
12516
12517static void
12518dissect_ssl3_hnd_srv_keyex_ecdh(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12519 proto_tree *tree, uint32_t offset, uint32_t offset_end,
12520 uint16_t version, bool_Bool anon)
12521{
12522 /*
12523 * RFC 4492 ECC cipher suites for TLS
12524 *
12525 * struct {
12526 * opaque point <1..2^8-1>;
12527 * } ECPoint;
12528 *
12529 * struct {
12530 * ECParameters curve_params;
12531 * ECPoint public;
12532 * } ServerECDHParams;
12533 *
12534 * select (KeyExchangeAlgorithm) {
12535 * case ec_diffie_hellman:
12536 * ServerECDHParams params;
12537 * Signature signed_params;
12538 * } ServerKeyExchange;
12539 */
12540
12541 int point_len;
12542 proto_tree *ssl_ecdh_tree;
12543
12544 ssl_ecdh_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
12545 hf->ett.keyex_params, NULL((void*)0), "EC Diffie-Hellman Server Params");
12546
12547 offset = dissect_tls_ecparameters(hf, tvb, ssl_ecdh_tree, offset, offset_end);
12548 if (offset >= offset_end)
12549 return; /* only named_curves are supported */
12550
12551 /* ECPoint.point */
12552 point_len = tvb_get_uint8(tvb, offset);
12553 proto_tree_add_item(ssl_ecdh_tree, hf->hf.hs_server_keyex_point_len, tvb,
12554 offset, 1, ENC_BIG_ENDIAN0x00000000);
12555 proto_tree_add_item(ssl_ecdh_tree, hf->hf.hs_server_keyex_point, tvb,
12556 offset + 1, point_len, ENC_NA0x00000000);
12557 offset += 1 + point_len;
12558
12559 /* Signature (if non-anonymous KEX) */
12560 if (!anon) {
12561 dissect_ssl3_hnd_srv_keyex_sig(hf, tvb, pinfo, ssl_ecdh_tree, offset, offset_end, version);
12562 }
12563}
12564
12565static void
12566dissect_ssl3_hnd_srv_keyex_dhe(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12567 proto_tree *tree, uint32_t offset, uint32_t offset_end,
12568 uint16_t version, bool_Bool anon)
12569{
12570 int p_len, g_len, ys_len;
12571 proto_tree *ssl_dh_tree;
12572
12573 ssl_dh_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
12574 hf->ett.keyex_params, NULL((void*)0), "Diffie-Hellman Server Params");
12575
12576 /* p */
12577 p_len = tvb_get_ntohs(tvb, offset);
12578 proto_tree_add_item(ssl_dh_tree, hf->hf.hs_server_keyex_p_len, tvb,
12579 offset, 2, ENC_BIG_ENDIAN0x00000000);
12580 proto_tree_add_item(ssl_dh_tree, hf->hf.hs_server_keyex_p, tvb,
12581 offset + 2, p_len, ENC_NA0x00000000);
12582 offset += 2 + p_len;
12583
12584 /* g */
12585 g_len = tvb_get_ntohs(tvb, offset);
12586 proto_tree_add_item(ssl_dh_tree, hf->hf.hs_server_keyex_g_len, tvb,
12587 offset, 2, ENC_BIG_ENDIAN0x00000000);
12588 proto_tree_add_item(ssl_dh_tree, hf->hf.hs_server_keyex_g, tvb,
12589 offset + 2, g_len, ENC_NA0x00000000);
12590 offset += 2 + g_len;
12591
12592 /* Ys */
12593 ys_len = tvb_get_ntohs(tvb, offset);
12594 proto_tree_add_uint(ssl_dh_tree, hf->hf.hs_server_keyex_ys_len, tvb,
12595 offset, 2, ys_len);
12596 proto_tree_add_item(ssl_dh_tree, hf->hf.hs_server_keyex_ys, tvb,
12597 offset + 2, ys_len, ENC_NA0x00000000);
12598 offset += 2 + ys_len;
12599
12600 /* Signature (if non-anonymous KEX) */
12601 if (!anon) {
12602 dissect_ssl3_hnd_srv_keyex_sig(hf, tvb, pinfo, ssl_dh_tree, offset, offset_end, version);
12603 }
12604}
12605
12606/* Only used in RSA-EXPORT cipher suites */
12607static void
12608dissect_ssl3_hnd_srv_keyex_rsa(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12609 proto_tree *tree, uint32_t offset, uint32_t offset_end,
12610 uint16_t version)
12611{
12612 int modulus_len, exponent_len;
12613 proto_tree *ssl_rsa_tree;
12614
12615 ssl_rsa_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
12616 hf->ett.keyex_params, NULL((void*)0), "RSA-EXPORT Server Params");
12617
12618 /* modulus */
12619 modulus_len = tvb_get_ntohs(tvb, offset);
12620 proto_tree_add_item(ssl_rsa_tree, hf->hf.hs_server_keyex_modulus_len, tvb,
12621 offset, 2, ENC_BIG_ENDIAN0x00000000);
12622 proto_tree_add_item(ssl_rsa_tree, hf->hf.hs_server_keyex_modulus, tvb,
12623 offset + 2, modulus_len, ENC_NA0x00000000);
12624 offset += 2 + modulus_len;
12625
12626 /* exponent */
12627 exponent_len = tvb_get_ntohs(tvb, offset);
12628 proto_tree_add_item(ssl_rsa_tree, hf->hf.hs_server_keyex_exponent_len,
12629 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
12630 proto_tree_add_item(ssl_rsa_tree, hf->hf.hs_server_keyex_exponent,
12631 tvb, offset + 2, exponent_len, ENC_NA0x00000000);
12632 offset += 2 + exponent_len;
12633
12634 /* Signature */
12635 dissect_ssl3_hnd_srv_keyex_sig(hf, tvb, pinfo, ssl_rsa_tree, offset, offset_end, version);
12636}
12637
12638/* Used in RSA PSK and PSK cipher suites */
12639static uint32_t
12640dissect_ssl3_hnd_srv_keyex_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12641 proto_tree *tree, uint32_t offset)
12642{
12643 unsigned hint_len;
12644 proto_tree *ssl_psk_tree;
12645
12646 ssl_psk_tree = proto_tree_add_subtree(tree, tvb, offset, -1,
12647 hf->ett.keyex_params, NULL((void*)0), "PSK Server Params");
12648
12649 /* hint */
12650 hint_len = tvb_get_ntohs(tvb, offset);
12651 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_server_keyex_hint_len, tvb,
12652 offset, 2, ENC_BIG_ENDIAN0x00000000);
12653 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_server_keyex_hint, tvb,
12654 offset + 2, hint_len, ENC_NA0x00000000);
12655
12656 proto_item_set_len(ssl_psk_tree, 2 + hint_len);
12657 return 2 + hint_len;
12658}
12659
12660/* Used in Diffie-Hellman PSK cipher suites */
12661static void
12662dissect_ssl3_hnd_srv_keyex_dhe_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12663 proto_tree *tree, uint32_t offset, uint32_t offset_end)
12664{
12665 /*
12666 * struct {
12667 * select (KeyExchangeAlgorithm) {
12668 * case diffie_hellman_psk:
12669 * opaque psk_identity_hint<0..2^16-1>;
12670 * ServerDHParams params;
12671 * };
12672 * } ServerKeyExchange;
12673 */
12674
12675 uint32_t psk_len = dissect_ssl3_hnd_srv_keyex_psk(hf, tvb, tree, offset);
12676 dissect_ssl3_hnd_srv_keyex_dhe(hf, tvb, pinfo, tree, offset + psk_len, offset_end, 0, true1);
12677}
12678
12679/* Used in EC Diffie-Hellman PSK cipher suites */
12680static void
12681dissect_ssl3_hnd_srv_keyex_ecdh_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12682 proto_tree *tree, uint32_t offset, uint32_t offset_end)
12683{
12684 /*
12685 * struct {
12686 * select (KeyExchangeAlgorithm) {
12687 * case ec_diffie_hellman_psk:
12688 * opaque psk_identity_hint<0..2^16-1>;
12689 * ServerECDHParams params;
12690 * };
12691 * } ServerKeyExchange;
12692 */
12693
12694 uint32_t psk_len = dissect_ssl3_hnd_srv_keyex_psk(hf, tvb, tree, offset);
12695 dissect_ssl3_hnd_srv_keyex_ecdh(hf, tvb, pinfo, tree, offset + psk_len, offset_end, 0, true1);
12696}
12697
12698/* Used in EC J-PAKE cipher suites */
12699static void
12700dissect_ssl3_hnd_srv_keyex_ecjpake(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12701 proto_tree *tree, uint32_t offset, uint32_t offset_end)
12702{
12703 /*
12704 * struct {
12705 * ECPoint V;
12706 * opaque r<1..2^8-1>;
12707 * } ECSchnorrZKP;
12708 *
12709 * struct {
12710 * ECPoint X;
12711 * ECSchnorrZKP zkp;
12712 * } ECJPAKEKeyKP;
12713 *
12714 * struct {
12715 * ECParameters curve_params;
12716 * ECJPAKEKeyKP ecjpake_key_kp;
12717 * } ServerECJPAKEParams;
12718 *
12719 * select (KeyExchangeAlgorithm) {
12720 * case ecjpake:
12721 * ServerECJPAKEParams params;
12722 * } ServerKeyExchange;
12723 */
12724
12725 int point_len;
12726 proto_tree *ssl_ecjpake_tree;
12727
12728 ssl_ecjpake_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
12729 hf->ett.keyex_params, NULL((void*)0),
12730 "EC J-PAKE Server Params");
12731
12732 offset = dissect_tls_ecparameters(hf, tvb, ssl_ecjpake_tree, offset, offset_end);
12733 if (offset >= offset_end)
12734 return; /* only named_curves are supported */
12735
12736 /* ECJPAKEKeyKP.X */
12737 point_len = tvb_get_uint8(tvb, offset);
12738 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_server_keyex_xs_len, tvb,
12739 offset, 1, ENC_BIG_ENDIAN0x00000000);
12740 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_server_keyex_xs, tvb,
12741 offset + 1, point_len, ENC_NA0x00000000);
12742 offset += 1 + point_len;
12743
12744 /* ECJPAKEKeyKP.zkp.V */
12745 point_len = tvb_get_uint8(tvb, offset);
12746 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_server_keyex_vs_len, tvb,
12747 offset, 1, ENC_BIG_ENDIAN0x00000000);
12748 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_server_keyex_vs, tvb,
12749 offset + 1, point_len, ENC_NA0x00000000);
12750 offset += 1 + point_len;
12751
12752 /* ECJPAKEKeyKP.zkp.r */
12753 point_len = tvb_get_uint8(tvb, offset);
12754 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_server_keyex_rs_len, tvb,
12755 offset, 1, ENC_BIG_ENDIAN0x00000000);
12756 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_server_keyex_rs, tvb,
12757 offset + 1, point_len, ENC_NA0x00000000);
12758}
12759
12760/* Only used in ECC-SM2-EXPORT cipher suites */
12761static void
12762dissect_ssl3_hnd_srv_keyex_ecc_sm2(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12763 proto_tree *tree, uint32_t offset, uint32_t offset_end,
12764 uint16_t version)
12765{
12766 proto_tree *ssl_ecc_sm2_tree;
12767
12768 ssl_ecc_sm2_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
12769 hf->ett.keyex_params, NULL((void*)0), "ECC-SM2-EXPORT Server Params");
12770
12771 /* Signature */
12772 dissect_ssl3_hnd_srv_keyex_sig(hf, tvb, pinfo, ssl_ecc_sm2_tree, offset, offset_end, version);
12773}
12774/* ServerKeyExchange algo-specific dissectors. }}} */
12775
12776/* Client Key Exchange and Server Key Exchange handshake dissections. {{{ */
12777void
12778ssl_dissect_hnd_cli_keyex(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12779 proto_tree *tree, uint32_t offset, uint32_t length,
12780 const SslSession *session)
12781{
12782 switch (ssl_get_keyex_alg(session->cipher)) {
12783 case KEX_DH_ANON0x13: /* RFC 5246; DHE_DSS, DHE_RSA, DH_DSS, DH_RSA, DH_ANON: ClientDiffieHellmanPublic */
12784 case KEX_DH_DSS0x14:
12785 case KEX_DH_RSA0x15:
12786 case KEX_DHE_DSS0x10:
12787 case KEX_DHE_RSA0x12:
12788 dissect_ssl3_hnd_cli_keyex_dhe(hf, tvb, tree, offset, length);
12789 break;
12790 case KEX_DHE_PSK0x11: /* RFC 4279; diffie_hellman_psk: psk_identity, ClientDiffieHellmanPublic */
12791 dissect_ssl3_hnd_cli_keyex_dhe_psk(hf, tvb, tree, offset, length);
12792 break;
12793 case KEX_ECDH_ANON0x19: /* RFC 4492; ec_diffie_hellman: ClientECDiffieHellmanPublic */
12794 case KEX_ECDH_ECDSA0x1a:
12795 case KEX_ECDH_RSA0x1b:
12796 case KEX_ECDHE_ECDSA0x16:
12797 case KEX_ECDHE_RSA0x18:
12798 dissect_ssl3_hnd_cli_keyex_ecdh(hf, tvb, tree, offset, length);
12799 break;
12800 case KEX_ECDHE_PSK0x17: /* RFC 5489; ec_diffie_hellman_psk: psk_identity, ClientECDiffieHellmanPublic */
12801 dissect_ssl3_hnd_cli_keyex_ecdh_psk(hf, tvb, tree, offset, length);
12802 break;
12803 case KEX_KRB50x1c: /* RFC 2712; krb5: KerberosWrapper */
12804 /* XXX: implement support for KRB5 */
12805 proto_tree_add_expert_format(tree, NULL((void*)0), &hf->ei.hs_ciphersuite_undecoded,
12806 tvb, offset, length,
12807 "Kerberos ciphersuites (RFC 2712) are not implemented, contact Wireshark"
12808 " developers if you want them to be supported");
12809 break;
12810 case KEX_PSK0x1d: /* RFC 4279; psk: psk_identity */
12811 dissect_ssl3_hnd_cli_keyex_psk(hf, tvb, tree, offset);
12812 break;
12813 case KEX_RSA0x1e: /* RFC 5246; rsa: EncryptedPreMasterSecret */
12814 dissect_ssl3_hnd_cli_keyex_rsa(hf, tvb, tree, offset, length, session);
12815 break;
12816 case KEX_RSA_PSK0x1f: /* RFC 4279; rsa_psk: psk_identity, EncryptedPreMasterSecret */
12817 dissect_ssl3_hnd_cli_keyex_rsa_psk(hf, tvb, tree, offset, length);
12818 break;
12819 case KEX_SRP_SHA0x20: /* RFC 5054; srp: ClientSRPPublic */
12820 case KEX_SRP_SHA_DSS0x21:
12821 case KEX_SRP_SHA_RSA0x22:
12822 /* XXX: implement support for SRP_SHA* */
12823 proto_tree_add_expert_format(tree, NULL((void*)0), &hf->ei.hs_ciphersuite_undecoded,
12824 tvb, offset, length,
12825 "SRP_SHA ciphersuites (RFC 5054) are not implemented, contact Wireshark"
12826 " developers if you want them to be supported");
12827 break;
12828 case KEX_ECJPAKE0x24: /* https://tools.ietf.org/html/draft-cragie-tls-ecjpake-01 used in Thread Commissioning */
12829 dissect_ssl3_hnd_cli_keyex_ecjpake(hf, tvb, tree, offset, length);
12830 break;
12831 case KEX_ECC_SM20x26: /* GB/T 38636 */
12832 dissect_ssl3_hnd_cli_keyex_ecc_sm2(hf, tvb, tree, offset, length);
12833 break;
12834 default:
12835 if (session->cipher == 0) {
12836 proto_tree_add_expert_format(tree, NULL((void*)0), &hf->ei.hs_ciphersuite_undecoded,
12837 tvb, offset, length,
12838 "Cipher Suite not found");
12839 } else {
12840 proto_tree_add_expert_format(tree, NULL((void*)0), &hf->ei.hs_ciphersuite_undecoded,
12841 tvb, offset, length,
12842 "Cipher Suite 0x%04x is not implemented, "
12843 "contact Wireshark developers if you want this to be supported",
12844 session->cipher);
12845 }
12846 break;
12847 }
12848}
12849
12850void
12851ssl_dissect_hnd_srv_keyex(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12852 proto_tree *tree, uint32_t offset, uint32_t offset_end,
12853 const SslSession *session)
12854{
12855 switch (ssl_get_keyex_alg(session->cipher)) {
12856 case KEX_DH_ANON0x13: /* RFC 5246; ServerDHParams */
12857 dissect_ssl3_hnd_srv_keyex_dhe(hf, tvb, pinfo, tree, offset, offset_end, session->version, true1);
12858 break;
12859 case KEX_DH_DSS0x14: /* RFC 5246; not allowed */
12860 case KEX_DH_RSA0x15:
12861 proto_tree_add_expert(tree, NULL((void*)0), &hf->ei.hs_srv_keyex_illegal,
12862 tvb, offset, offset_end - offset);
12863 break;
12864 case KEX_DHE_DSS0x10: /* RFC 5246; dhe_dss, dhe_rsa: ServerDHParams, Signature */
12865 case KEX_DHE_RSA0x12:
12866 dissect_ssl3_hnd_srv_keyex_dhe(hf, tvb, pinfo, tree, offset, offset_end, session->version, false0);
12867 break;
12868 case KEX_DHE_PSK0x11: /* RFC 4279; diffie_hellman_psk: psk_identity_hint, ServerDHParams */
12869 dissect_ssl3_hnd_srv_keyex_dhe_psk(hf, tvb, pinfo, tree, offset, offset_end);
12870 break;
12871 case KEX_ECDH_ANON0x19: /* RFC 4492; ec_diffie_hellman: ServerECDHParams (without signature for anon) */
12872 dissect_ssl3_hnd_srv_keyex_ecdh(hf, tvb, pinfo, tree, offset, offset_end, session->version, true1);
12873 break;
12874 case KEX_ECDHE_PSK0x17: /* RFC 5489; psk_identity_hint, ServerECDHParams */
12875 dissect_ssl3_hnd_srv_keyex_ecdh_psk(hf, tvb, pinfo, tree, offset, offset_end);
12876 break;
12877 case KEX_ECDH_ECDSA0x1a: /* RFC 4492; ec_diffie_hellman: ServerECDHParams, Signature */
12878 case KEX_ECDH_RSA0x1b:
12879 case KEX_ECDHE_ECDSA0x16:
12880 case KEX_ECDHE_RSA0x18:
12881 dissect_ssl3_hnd_srv_keyex_ecdh(hf, tvb, pinfo, tree, offset, offset_end, session->version, false0);
12882 break;
12883 case KEX_KRB50x1c: /* RFC 2712; not allowed */
12884 proto_tree_add_expert(tree, NULL((void*)0), &hf->ei.hs_srv_keyex_illegal,
12885 tvb, offset, offset_end - offset);
12886 break;
12887 case KEX_PSK0x1d: /* RFC 4279; psk, rsa: psk_identity */
12888 case KEX_RSA_PSK0x1f:
12889 dissect_ssl3_hnd_srv_keyex_psk(hf, tvb, tree, offset);
12890 break;
12891 case KEX_RSA0x1e: /* only allowed if the public key in the server certificate is longer than 512 bits */
12892 dissect_ssl3_hnd_srv_keyex_rsa(hf, tvb, pinfo, tree, offset, offset_end, session->version);
12893 break;
12894 case KEX_ECC_SM20x26: /* GB/T 38636 */
12895 dissect_ssl3_hnd_srv_keyex_ecc_sm2(hf, tvb, pinfo, tree, offset, offset_end, session->version);
12896 break;
12897 case KEX_SRP_SHA0x20: /* RFC 5054; srp: ServerSRPParams, Signature */
12898 case KEX_SRP_SHA_DSS0x21:
12899 case KEX_SRP_SHA_RSA0x22:
12900 /* XXX: implement support for SRP_SHA* */
12901 proto_tree_add_expert_format(tree, NULL((void*)0), &hf->ei.hs_ciphersuite_undecoded,
12902 tvb, offset, offset_end - offset,
12903 "SRP_SHA ciphersuites (RFC 5054) are not implemented, contact Wireshark"
12904 " developers if you want them to be supported");
12905 break;
12906 case KEX_ECJPAKE0x24: /* https://tools.ietf.org/html/draft-cragie-tls-ecjpake-01 used in Thread Commissioning */
12907 dissect_ssl3_hnd_srv_keyex_ecjpake(hf, tvb, tree, offset, offset_end);
12908 break;
12909 default:
12910 if (session->cipher == 0) {
12911 proto_tree_add_expert_format(tree, NULL((void*)0), &hf->ei.hs_ciphersuite_undecoded,
12912 tvb, offset, offset_end - offset,
12913 "Cipher Suite not found");
12914 } else {
12915 proto_tree_add_expert_format(tree, NULL((void*)0), &hf->ei.hs_ciphersuite_undecoded,
12916 tvb, offset, offset_end - offset,
12917 "Cipher Suite 0x%04x is not implemented, "
12918 "contact Wireshark developers if you want this to be supported",
12919 session->cipher);
12920 }
12921 break;
12922 }
12923}
12924/* Client Key Exchange and Server Key Exchange handshake dissections. }}} */
12925
12926void
12927tls13_dissect_hnd_key_update(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12928 proto_tree *tree, uint32_t offset)
12929{
12930 /* RFC 8446 Section 4.6.3
12931 * enum {
12932 * update_not_requested(0), update_requested(1), (255)
12933 * } KeyUpdateRequest;
12934 *
12935 * struct {
12936 * KeyUpdateRequest request_update;
12937 * } KeyUpdate;
12938 */
12939 proto_tree_add_item(tree, hf->hf.hs_key_update_request_update, tvb, offset, 1, ENC_NA0x00000000);
12940}
12941
12942void
12943ssl_common_register_ssl_alpn_dissector_table(const char *name,
12944 const char *ui_name, const int proto)
12945{
12946 ssl_alpn_dissector_table = register_dissector_table(name, ui_name,
12947 proto, FT_STRING, STRING_CASE_SENSITIVE0);
12948 register_dissector_table_alias(ssl_alpn_dissector_table, "ssl.handshake.extensions_alpn_str");
12949}
12950
12951void
12952ssl_common_register_dtls_alpn_dissector_table(const char *name,
12953 const char *ui_name, const int proto)
12954{
12955 dtls_alpn_dissector_table = register_dissector_table(name, ui_name,
12956 proto, FT_STRING, STRING_CASE_SENSITIVE0);
12957 register_dissector_table_alias(ssl_alpn_dissector_table, "dtls.handshake.extensions_alpn_str");
12958}
12959
12960void
12961ssl_common_register_options(module_t *module, ssl_common_options_t *options, bool_Bool is_dtls)
12962{
12963 prefs_register_string_preference(module, "psk", "Pre-Shared Key",
12964 "Pre-Shared Key as HEX string. Should be 0 to 16 bytes.",
12965 &(options->psk));
12966
12967 if (is_dtls) {
12968 prefs_register_obsolete_preference(module, "keylog_file");
12969 prefs_register_static_text_preference(module, "keylog_file_removed",
12970 "The (Pre)-Master-Secret log filename preference can be configured in the TLS protocol preferences.",
12971 "Use the TLS protocol preference to configure the keylog file for both DTLS and TLS.");
12972 return;
12973 }
12974
12975 prefs_register_filename_preference(module, "keylog_file", "(Pre)-Master-Secret log filename",
12976 "The name of a file which contains a list of \n"
12977 "(pre-)master secrets in one of the following formats:\n"
12978 "\n"
12979 "RSA <EPMS> <PMS>\n"
12980 "RSA Session-ID:<SSLID> Master-Key:<MS>\n"
12981 "CLIENT_RANDOM <CRAND> <MS>\n"
12982 "PMS_CLIENT_RANDOM <CRAND> <PMS>\n"
12983 "\n"
12984 "Where:\n"
12985 "<EPMS> = First 8 bytes of the Encrypted PMS\n"
12986 "<PMS> = The Pre-Master-Secret (PMS) used to derive the MS\n"
12987 "<SSLID> = The SSL Session ID\n"
12988 "<MS> = The Master-Secret (MS)\n"
12989 "<CRAND> = The Client's random number from the ClientHello message\n"
12990 "\n"
12991 "(All fields are in hex notation)",
12992 &(options->keylog_filename), false0);
12993}
12994
12995void
12996ssl_calculate_handshake_hash(SslDecryptSession *ssl_session, tvbuff_t *tvb, uint32_t offset, uint32_t length)
12997{
12998 if (ssl_session && ssl_session->session.version != TLSV1DOT3_VERSION0x304 && !(ssl_session->state & SSL_MASTER_SECRET(1<<5))) {
12999 uint32_t old_length = ssl_session->handshake_data.data_len;
13000 ssl_debug_printf("Calculating hash with offset %d %d\n", offset, length);
13001 if (tvb) {
13002 if (tvb_bytes_exist(tvb, offset, length)) {
13003 ssl_session->handshake_data.data = (unsigned char *)wmem_realloc(wmem_file_scope(), ssl_session->handshake_data.data, old_length + length);
13004 tvb_memcpy(tvb, ssl_session->handshake_data.data + old_length, offset, length);
13005 ssl_session->handshake_data.data_len += length;
13006 }
13007 } else {
13008 /* DTLS calculates the hash as if each handshake message had been
13009 * sent as a single fragment (RFC 6347, section 4.2.6) and passes
13010 * in a null tvbuff to add 3 bytes for a zero fragment offset.
13011 */
13012 DISSECTOR_ASSERT_CMPINT(length, <, 4)((void) ((length < 4) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion " "length" " " "<" " " "4" " (" "%"
"l" "d" " " "<" " " "%" "l" "d" ")", "epan/dissectors/packet-tls-utils.c"
, 13012, (int64_t)length, (int64_t)4))));
13013 ssl_session->handshake_data.data = (unsigned char *)wmem_realloc(wmem_file_scope(), ssl_session->handshake_data.data, old_length + length);
13014 memset(ssl_session->handshake_data.data + old_length, 0, length);
13015 ssl_session->handshake_data.data_len += length;
13016 }
13017 }
13018}
13019
13020
13021/*
13022 * Editor modelines - https://www.wireshark.org/tools/modelines.html
13023 *
13024 * Local variables:
13025 * c-basic-offset: 4
13026 * tab-width: 8
13027 * indent-tabs-mode: nil
13028 * End:
13029 *
13030 * vi: set shiftwidth=4 tabstop=8 expandtab:
13031 * :indentSize=4:tabSize=8:noTabs=true:
13032 */