Bug Summary

File:builds/wireshark/wireshark/epan/dissectors/packet-tls-utils.c
Warning:line 4909, column 17
Potential leak of memory pointed to by 'handshake_hashed_data.data'

Annotated Source Code

Press '?' to see keyboard shortcuts

clang -cc1 -cc1 -triple x86_64-pc-linux-gnu -analyze -disable-free -clear-ast-before-backend -disable-llvm-verifier -discard-value-names -main-file-name packet-tls-utils.c -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -mrelocation-model pic -pic-level 2 -fhalf-no-semantic-interposition -fno-delete-null-pointer-checks -mframe-pointer=all -relaxed-aliasing -fmath-errno -ffp-contract=on -fno-rounding-math -ffloat16-excess-precision=fast -fbfloat16-excess-precision=fast -mconstructor-aliases -funwind-tables=2 -target-cpu x86-64 -tune-cpu generic -debugger-tuning=gdb -fdebug-compilation-dir=/builds/wireshark/wireshark/build -fcoverage-compilation-dir=/builds/wireshark/wireshark/build -resource-dir /usr/lib/llvm-21/lib/clang/21 -isystem /usr/include/glib-2.0 -isystem /usr/lib/x86_64-linux-gnu/glib-2.0/include -isystem /builds/wireshark/wireshark/epan/dissectors -isystem /builds/wireshark/wireshark/build/epan/dissectors -isystem /usr/include/mit-krb5 -isystem /usr/include/libxml2 -isystem /builds/wireshark/wireshark/epan -D G_DISABLE_DEPRECATED -D G_DISABLE_SINGLE_INCLUDES -D WS_BUILD_DLL -D WS_DEBUG -D WS_DEBUG_UTF_8 -I /builds/wireshark/wireshark/build -I /builds/wireshark/wireshark -I /builds/wireshark/wireshark/include -D _GLIBCXX_ASSERTIONS -internal-isystem /usr/lib/llvm-21/lib/clang/21/include -internal-isystem /usr/local/include -internal-isystem /usr/lib/gcc/x86_64-linux-gnu/14/../../../../x86_64-linux-gnu/include -internal-externc-isystem /usr/include/x86_64-linux-gnu -internal-externc-isystem /include -internal-externc-isystem /usr/include -fmacro-prefix-map=/builds/wireshark/wireshark/= -fmacro-prefix-map=/builds/wireshark/wireshark/build/= -fmacro-prefix-map=../= -Wno-format-nonliteral -std=gnu17 -ferror-limit 19 -fvisibility=hidden -fwrapv -fwrapv-pointer -fstrict-flex-arrays=3 -stack-protector 2 -fstack-clash-protection -fcf-protection=full -fgnuc-version=4.2.1 -fskip-odr-check-in-gmf -fexceptions -fcolor-diagnostics -analyzer-output=html -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /builds/wireshark/wireshark/sbout/2026-05-19-100354-3659-1 -x c /builds/wireshark/wireshark/epan/dissectors/packet-tls-utils.c
1/* packet-tls-utils.c
2 * ssl manipulation functions
3 * By Paolo Abeni <paolo.abeni@email.com>
4 *
5 * Copyright (c) 2013, Hauke Mehrtens <hauke@hauke-m.de>
6 * Copyright (c) 2014, Peter Wu <peter@lekensteyn.nl>
7 *
8 * Wireshark - Network traffic analyzer
9 * By Gerald Combs <gerald@wireshark.org>
10 * Copyright 1998 Gerald Combs
11 *
12 * SPDX-License-Identifier: GPL-2.0-or-later
13 */
14
15#include "config.h"
16
17#include <stdlib.h>
18#include <errno(*__errno_location ()).h>
19
20#include <epan/packet.h>
21#include <epan/strutil.h>
22#include <epan/addr_resolv.h>
23#include <epan/expert.h>
24#include <epan/asn1.h>
25#include <epan/proto_data.h>
26#include <epan/oids.h>
27#include <epan/secrets.h>
28
29#include <wsutil/inet_cidr.h>
30#include <wsutil/filesystem.h>
31#include <wsutil/file_util.h>
32#include <wsutil/str_util.h>
33#include <wsutil/report_message.h>
34#include <wsutil/pint.h>
35#include <wsutil/strtoi.h>
36#include <wsutil/wsgcrypt.h>
37#include <wsutil/rsa.h>
38#include <wsutil/ws_assert.h>
39#include <wsutil/zlib_compat.h>
40#include "packet-ber.h"
41#include "packet-x509af.h"
42#include "packet-x509if.h"
43#include "packet-tls-utils.h"
44#include "packet-ocsp.h"
45#include "packet-tls.h"
46#include "packet-dtls.h"
47#include "packet-quic.h"
48#if defined(HAVE_LIBGNUTLS1)
49#include <gnutls/abstract.h>
50#include <gnutls/x509.h>
51#include <gnutls/pkcs12.h>
52#endif
53
54/* JA3/JA3S calculations must ignore GREASE values
55 * as described in RFC 8701.
56 */
57#define IS_GREASE_TLS(x)((((x) & 0x0f0f) == 0x0a0a) && (((x) & 0xff) ==
(((x)>>8) & 0xff))) ((((x) & 0x0f0f) == 0x0a0a) && \
58 (((x) & 0xff) == (((x)>>8) & 0xff)))
59
60/* Section 22.3 of RFC 9000 (QUIC) reserves values of this
61 * form for a similar purpose as GREASE.
62 */
63#define IS_GREASE_QUIC(x)((x) > 27 ? ((((x) - 27) % 31) == 0) : 0) ((x) > 27 ? ((((x) - 27) % 31) == 0) : 0)
64
65#define DTLS13_MAX_EPOCH10 10
66
67/* Lookup tables {{{ */
68const value_string ssl_version_short_names[] = {
69 { SSLV2_VERSION0x0002, "SSLv2" },
70 { SSLV3_VERSION0x300, "SSLv3" },
71 { TLSV1_VERSION0x301, "TLSv1" },
72 { TLCPV1_VERSION0x101, "TLCP" },
73 { TLSV1DOT1_VERSION0x302, "TLSv1.1" },
74 { TLSV1DOT2_VERSION0x303, "TLSv1.2" },
75 { TLSV1DOT3_VERSION0x304, "TLSv1.3" },
76 { DTLSV1DOT0_VERSION0xfeff, "DTLSv1.0" },
77 { DTLSV1DOT2_VERSION0xfefd, "DTLSv1.2" },
78 { DTLSV1DOT3_VERSION0xfefc, "DTLSv1.3" },
79 { DTLSV1DOT0_OPENSSL_VERSION0x100, "DTLS 1.0 (OpenSSL pre 0.9.8f)" },
80 { 0x00, NULL((void*)0) }
81};
82
83const value_string ssl_versions[] = {
84 { SSLV2_VERSION0x0002, "SSL 2.0" },
85 { SSLV3_VERSION0x300, "SSL 3.0" },
86 { TLSV1_VERSION0x301, "TLS 1.0" },
87 { TLCPV1_VERSION0x101, "TLCP" },
88 { TLSV1DOT1_VERSION0x302, "TLS 1.1" },
89 { TLSV1DOT2_VERSION0x303, "TLS 1.2" },
90 { TLSV1DOT3_VERSION0x304, "TLS 1.3" },
91 { 0x7F0E, "TLS 1.3 (draft 14)" },
92 { 0x7F0F, "TLS 1.3 (draft 15)" },
93 { 0x7F10, "TLS 1.3 (draft 16)" },
94 { 0x7F11, "TLS 1.3 (draft 17)" },
95 { 0x7F12, "TLS 1.3 (draft 18)" },
96 { 0x7F13, "TLS 1.3 (draft 19)" },
97 { 0x7F14, "TLS 1.3 (draft 20)" },
98 { 0x7F15, "TLS 1.3 (draft 21)" },
99 { 0x7F16, "TLS 1.3 (draft 22)" },
100 { 0x7F17, "TLS 1.3 (draft 23)" },
101 { 0x7F18, "TLS 1.3 (draft 24)" },
102 { 0x7F19, "TLS 1.3 (draft 25)" },
103 { 0x7F1A, "TLS 1.3 (draft 26)" },
104 { 0x7F1B, "TLS 1.3 (draft 27)" },
105 { 0x7F1C, "TLS 1.3 (draft 28)" },
106 { 0xFB17, "TLS 1.3 (Facebook draft 23)" },
107 { 0xFB1A, "TLS 1.3 (Facebook draft 26)" },
108 { DTLSV1DOT0_OPENSSL_VERSION0x100, "DTLS 1.0 (OpenSSL pre 0.9.8f)" },
109 { DTLSV1DOT0_VERSION0xfeff, "DTLS 1.0" },
110 { DTLSV1DOT2_VERSION0xfefd, "DTLS 1.2" },
111 { DTLSV1DOT3_VERSION0xfefc, "DTLS 1.3" },
112 { 0x0A0A, "Reserved (GREASE)" }, /* RFC 8701 */
113 { 0x1A1A, "Reserved (GREASE)" }, /* RFC 8701 */
114 { 0x2A2A, "Reserved (GREASE)" }, /* RFC 8701 */
115 { 0x3A3A, "Reserved (GREASE)" }, /* RFC 8701 */
116 { 0x4A4A, "Reserved (GREASE)" }, /* RFC 8701 */
117 { 0x5A5A, "Reserved (GREASE)" }, /* RFC 8701 */
118 { 0x6A6A, "Reserved (GREASE)" }, /* RFC 8701 */
119 { 0x7A7A, "Reserved (GREASE)" }, /* RFC 8701 */
120 { 0x8A8A, "Reserved (GREASE)" }, /* RFC 8701 */
121 { 0x9A9A, "Reserved (GREASE)" }, /* RFC 8701 */
122 { 0xAAAA, "Reserved (GREASE)" }, /* RFC 8701 */
123 { 0xBABA, "Reserved (GREASE)" }, /* RFC 8701 */
124 { 0xCACA, "Reserved (GREASE)" }, /* RFC 8701 */
125 { 0xDADA, "Reserved (GREASE)" }, /* RFC 8701 */
126 { 0xEAEA, "Reserved (GREASE)" }, /* RFC 8701 */
127 { 0xFAFA, "Reserved (GREASE)" }, /* RFC 8701 */
128 { 0x00, NULL((void*)0) }
129};
130
131static const value_string ssl_version_ja4_names[] = {
132 { 0x0100, "s1" },
133 { SSLV2_VERSION0x0002, "s2" },
134 { SSLV3_VERSION0x300, "s3" },
135 { TLSV1_VERSION0x301, "10" },
136 { TLSV1DOT1_VERSION0x302, "11" },
137 { TLSV1DOT2_VERSION0x303, "12" },
138 { TLSV1DOT3_VERSION0x304, "13" },
139 { DTLSV1DOT0_VERSION0xfeff, "d1" },
140 { DTLSV1DOT2_VERSION0xfefd, "d2" },
141 { DTLSV1DOT3_VERSION0xfefc, "d3" },
142 { 0x00, NULL((void*)0) }
143};
144
145const value_string ssl_20_msg_types[] = {
146 { SSL2_HND_ERROR0x00, "Error" },
147 { SSL2_HND_CLIENT_HELLO0x01, "Client Hello" },
148 { SSL2_HND_CLIENT_MASTER_KEY0x02, "Client Master Key" },
149 { SSL2_HND_CLIENT_FINISHED0x03, "Client Finished" },
150 { SSL2_HND_SERVER_HELLO0x04, "Server Hello" },
151 { SSL2_HND_SERVER_VERIFY0x05, "Server Verify" },
152 { SSL2_HND_SERVER_FINISHED0x06, "Server Finished" },
153 { SSL2_HND_REQUEST_CERTIFICATE0x07, "Request Certificate" },
154 { SSL2_HND_CLIENT_CERTIFICATE0x08, "Client Certificate" },
155 { 0x00, NULL((void*)0) }
156};
157/* http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml */
158/* Note: sorted by ascending value so value_string-ext can do a binary search */
159static const value_string ssl_20_cipher_suites[] = {
160 { 0x000000, "TLS_NULL_WITH_NULL_NULL" },
161 { 0x000001, "TLS_RSA_WITH_NULL_MD5" },
162 { 0x000002, "TLS_RSA_WITH_NULL_SHA" },
163 { 0x000003, "TLS_RSA_EXPORT_WITH_RC4_40_MD5" },
164 { 0x000004, "TLS_RSA_WITH_RC4_128_MD5" },
165 { 0x000005, "TLS_RSA_WITH_RC4_128_SHA" },
166 { 0x000006, "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5" },
167 { 0x000007, "TLS_RSA_WITH_IDEA_CBC_SHA" },
168 { 0x000008, "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA" },
169 { 0x000009, "TLS_RSA_WITH_DES_CBC_SHA" },
170 { 0x00000a, "TLS_RSA_WITH_3DES_EDE_CBC_SHA" },
171 { 0x00000b, "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA" },
172 { 0x00000c, "TLS_DH_DSS_WITH_DES_CBC_SHA" },
173 { 0x00000d, "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA" },
174 { 0x00000e, "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA" },
175 { 0x00000f, "TLS_DH_RSA_WITH_DES_CBC_SHA" },
176 { 0x000010, "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA" },
177 { 0x000011, "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA" },
178 { 0x000012, "TLS_DHE_DSS_WITH_DES_CBC_SHA" },
179 { 0x000013, "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA" },
180 { 0x000014, "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA" },
181 { 0x000015, "TLS_DHE_RSA_WITH_DES_CBC_SHA" },
182 { 0x000016, "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA" },
183 { 0x000017, "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5" },
184 { 0x000018, "TLS_DH_anon_WITH_RC4_128_MD5" },
185 { 0x000019, "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA" },
186 { 0x00001a, "TLS_DH_anon_WITH_DES_CBC_SHA" },
187 { 0x00001b, "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA" },
188 { 0x00001c, "SSL_FORTEZZA_KEA_WITH_NULL_SHA" },
189 { 0x00001d, "SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA" },
190#if 0
191 { 0x00001e, "SSL_FORTEZZA_KEA_WITH_RC4_128_SHA" },
192#endif
193 /* RFC 2712 */
194 { 0x00001E, "TLS_KRB5_WITH_DES_CBC_SHA" },
195 { 0x00001F, "TLS_KRB5_WITH_3DES_EDE_CBC_SHA" },
196 { 0x000020, "TLS_KRB5_WITH_RC4_128_SHA" },
197 { 0x000021, "TLS_KRB5_WITH_IDEA_CBC_SHA" },
198 { 0x000022, "TLS_KRB5_WITH_DES_CBC_MD5" },
199 { 0x000023, "TLS_KRB5_WITH_3DES_EDE_CBC_MD5" },
200 { 0x000024, "TLS_KRB5_WITH_RC4_128_MD5" },
201 { 0x000025, "TLS_KRB5_WITH_IDEA_CBC_MD5" },
202 { 0x000026, "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA" },
203 { 0x000027, "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA" },
204 { 0x000028, "TLS_KRB5_EXPORT_WITH_RC4_40_SHA" },
205 { 0x000029, "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5" },
206 { 0x00002A, "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5" },
207 { 0x00002B, "TLS_KRB5_EXPORT_WITH_RC4_40_MD5" },
208 /* RFC 4785 */
209 { 0x00002C, "TLS_PSK_WITH_NULL_SHA" },
210 { 0x00002D, "TLS_DHE_PSK_WITH_NULL_SHA" },
211 { 0x00002E, "TLS_RSA_PSK_WITH_NULL_SHA" },
212 /* RFC 5246 */
213 { 0x00002f, "TLS_RSA_WITH_AES_128_CBC_SHA" },
214 { 0x000030, "TLS_DH_DSS_WITH_AES_128_CBC_SHA" },
215 { 0x000031, "TLS_DH_RSA_WITH_AES_128_CBC_SHA" },
216 { 0x000032, "TLS_DHE_DSS_WITH_AES_128_CBC_SHA" },
217 { 0x000033, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA" },
218 { 0x000034, "TLS_DH_anon_WITH_AES_128_CBC_SHA" },
219 { 0x000035, "TLS_RSA_WITH_AES_256_CBC_SHA" },
220 { 0x000036, "TLS_DH_DSS_WITH_AES_256_CBC_SHA" },
221 { 0x000037, "TLS_DH_RSA_WITH_AES_256_CBC_SHA" },
222 { 0x000038, "TLS_DHE_DSS_WITH_AES_256_CBC_SHA" },
223 { 0x000039, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA" },
224 { 0x00003A, "TLS_DH_anon_WITH_AES_256_CBC_SHA" },
225 { 0x00003B, "TLS_RSA_WITH_NULL_SHA256" },
226 { 0x00003C, "TLS_RSA_WITH_AES_128_CBC_SHA256" },
227 { 0x00003D, "TLS_RSA_WITH_AES_256_CBC_SHA256" },
228 { 0x00003E, "TLS_DH_DSS_WITH_AES_128_CBC_SHA256" },
229 { 0x00003F, "TLS_DH_RSA_WITH_AES_128_CBC_SHA256" },
230 { 0x000040, "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256" },
231 { 0x000041, "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA" },
232 { 0x000042, "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA" },
233 { 0x000043, "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA" },
234 { 0x000044, "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA" },
235 { 0x000045, "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA" },
236 { 0x000046, "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA" },
237 { 0x000047, "TLS_ECDH_ECDSA_WITH_NULL_SHA" },
238 { 0x000048, "TLS_ECDH_ECDSA_WITH_RC4_128_SHA" },
239 { 0x000049, "TLS_ECDH_ECDSA_WITH_DES_CBC_SHA" },
240 { 0x00004A, "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA" },
241 { 0x00004B, "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA" },
242 { 0x00004C, "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" },
243 { 0x000060, "TLS_RSA_EXPORT1024_WITH_RC4_56_MD5" },
244 { 0x000061, "TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5" },
245 { 0x000062, "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA" },
246 { 0x000063, "TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA" },
247 { 0x000064, "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA" },
248 { 0x000065, "TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA" },
249 { 0x000066, "TLS_DHE_DSS_WITH_RC4_128_SHA" },
250 { 0x000067, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256" },
251 { 0x000068, "TLS_DH_DSS_WITH_AES_256_CBC_SHA256" },
252 { 0x000069, "TLS_DH_RSA_WITH_AES_256_CBC_SHA256" },
253 { 0x00006A, "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256" },
254 { 0x00006B, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256" },
255 { 0x00006C, "TLS_DH_anon_WITH_AES_128_CBC_SHA256" },
256 { 0x00006D, "TLS_DH_anon_WITH_AES_256_CBC_SHA256" },
257 /* 0x00,0x6E-83 Unassigned */
258 { 0x000084, "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA" },
259 { 0x000085, "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA" },
260 { 0x000086, "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA" },
261 { 0x000087, "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA" },
262 { 0x000088, "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA" },
263 { 0x000089, "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA" },
264 /* RFC 4279 */
265 { 0x00008A, "TLS_PSK_WITH_RC4_128_SHA" },
266 { 0x00008B, "TLS_PSK_WITH_3DES_EDE_CBC_SHA" },
267 { 0x00008C, "TLS_PSK_WITH_AES_128_CBC_SHA" },
268 { 0x00008D, "TLS_PSK_WITH_AES_256_CBC_SHA" },
269 { 0x00008E, "TLS_DHE_PSK_WITH_RC4_128_SHA" },
270 { 0x00008F, "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA" },
271 { 0x000090, "TLS_DHE_PSK_WITH_AES_128_CBC_SHA" },
272 { 0x000091, "TLS_DHE_PSK_WITH_AES_256_CBC_SHA" },
273 { 0x000092, "TLS_RSA_PSK_WITH_RC4_128_SHA" },
274 { 0x000093, "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA" },
275 { 0x000094, "TLS_RSA_PSK_WITH_AES_128_CBC_SHA" },
276 { 0x000095, "TLS_RSA_PSK_WITH_AES_256_CBC_SHA" },
277 /* RFC 4162 */
278 { 0x000096, "TLS_RSA_WITH_SEED_CBC_SHA" },
279 { 0x000097, "TLS_DH_DSS_WITH_SEED_CBC_SHA" },
280 { 0x000098, "TLS_DH_RSA_WITH_SEED_CBC_SHA" },
281 { 0x000099, "TLS_DHE_DSS_WITH_SEED_CBC_SHA" },
282 { 0x00009A, "TLS_DHE_RSA_WITH_SEED_CBC_SHA" },
283 { 0x00009B, "TLS_DH_anon_WITH_SEED_CBC_SHA" },
284 /* RFC 5288 */
285 { 0x00009C, "TLS_RSA_WITH_AES_128_GCM_SHA256" },
286 { 0x00009D, "TLS_RSA_WITH_AES_256_GCM_SHA384" },
287 { 0x00009E, "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256" },
288 { 0x00009F, "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384" },
289 { 0x0000A0, "TLS_DH_RSA_WITH_AES_128_GCM_SHA256" },
290 { 0x0000A1, "TLS_DH_RSA_WITH_AES_256_GCM_SHA384" },
291 { 0x0000A2, "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256" },
292 { 0x0000A3, "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384" },
293 { 0x0000A4, "TLS_DH_DSS_WITH_AES_128_GCM_SHA256" },
294 { 0x0000A5, "TLS_DH_DSS_WITH_AES_256_GCM_SHA384" },
295 { 0x0000A6, "TLS_DH_anon_WITH_AES_128_GCM_SHA256" },
296 { 0x0000A7, "TLS_DH_anon_WITH_AES_256_GCM_SHA384" },
297 /* RFC 5487 */
298 { 0x0000A8, "TLS_PSK_WITH_AES_128_GCM_SHA256" },
299 { 0x0000A9, "TLS_PSK_WITH_AES_256_GCM_SHA384" },
300 { 0x0000AA, "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256" },
301 { 0x0000AB, "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384" },
302 { 0x0000AC, "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256" },
303 { 0x0000AD, "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384" },
304 { 0x0000AE, "TLS_PSK_WITH_AES_128_CBC_SHA256" },
305 { 0x0000AF, "TLS_PSK_WITH_AES_256_CBC_SHA384" },
306 { 0x0000B0, "TLS_PSK_WITH_NULL_SHA256" },
307 { 0x0000B1, "TLS_PSK_WITH_NULL_SHA384" },
308 { 0x0000B2, "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256" },
309 { 0x0000B3, "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384" },
310 { 0x0000B4, "TLS_DHE_PSK_WITH_NULL_SHA256" },
311 { 0x0000B5, "TLS_DHE_PSK_WITH_NULL_SHA384" },
312 { 0x0000B6, "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256" },
313 { 0x0000B7, "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384" },
314 { 0x0000B8, "TLS_RSA_PSK_WITH_NULL_SHA256" },
315 { 0x0000B9, "TLS_RSA_PSK_WITH_NULL_SHA384" },
316 /* From RFC 5932 */
317 { 0x0000BA, "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
318 { 0x0000BB, "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256" },
319 { 0x0000BC, "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
320 { 0x0000BD, "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256" },
321 { 0x0000BE, "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
322 { 0x0000BF, "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256" },
323 { 0x0000C0, "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
324 { 0x0000C1, "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256" },
325 { 0x0000C2, "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
326 { 0x0000C3, "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256" },
327 { 0x0000C4, "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
328 { 0x0000C5, "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256" },
329 /* 0x00,0xC6-FE Unassigned */
330 { 0x0000FF, "TLS_EMPTY_RENEGOTIATION_INFO_SCSV" },
331 /* 0x01-BF,* Unassigned */
332 /* From RFC 4492 */
333 { 0x00c001, "TLS_ECDH_ECDSA_WITH_NULL_SHA" },
334 { 0x00c002, "TLS_ECDH_ECDSA_WITH_RC4_128_SHA" },
335 { 0x00c003, "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA" },
336 { 0x00c004, "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA" },
337 { 0x00c005, "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" },
338 { 0x00c006, "TLS_ECDHE_ECDSA_WITH_NULL_SHA" },
339 { 0x00c007, "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA" },
340 { 0x00c008, "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA" },
341 { 0x00c009, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA" },
342 { 0x00c00a, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" },
343 { 0x00c00b, "TLS_ECDH_RSA_WITH_NULL_SHA" },
344 { 0x00c00c, "TLS_ECDH_RSA_WITH_RC4_128_SHA" },
345 { 0x00c00d, "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA" },
346 { 0x00c00e, "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA" },
347 { 0x00c00f, "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA" },
348 { 0x00c010, "TLS_ECDHE_RSA_WITH_NULL_SHA" },
349 { 0x00c011, "TLS_ECDHE_RSA_WITH_RC4_128_SHA" },
350 { 0x00c012, "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA" },
351 { 0x00c013, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA" },
352 { 0x00c014, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA" },
353 { 0x00c015, "TLS_ECDH_anon_WITH_NULL_SHA" },
354 { 0x00c016, "TLS_ECDH_anon_WITH_RC4_128_SHA" },
355 { 0x00c017, "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA" },
356 { 0x00c018, "TLS_ECDH_anon_WITH_AES_128_CBC_SHA" },
357 { 0x00c019, "TLS_ECDH_anon_WITH_AES_256_CBC_SHA" },
358 /* RFC 5054 */
359 { 0x00C01A, "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA" },
360 { 0x00C01B, "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA" },
361 { 0x00C01C, "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA" },
362 { 0x00C01D, "TLS_SRP_SHA_WITH_AES_128_CBC_SHA" },
363 { 0x00C01E, "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA" },
364 { 0x00C01F, "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA" },
365 { 0x00C020, "TLS_SRP_SHA_WITH_AES_256_CBC_SHA" },
366 { 0x00C021, "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA" },
367 { 0x00C022, "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA" },
368 /* RFC 5589 */
369 { 0x00C023, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256" },
370 { 0x00C024, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384" },
371 { 0x00C025, "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256" },
372 { 0x00C026, "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384" },
373 { 0x00C027, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" },
374 { 0x00C028, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" },
375 { 0x00C029, "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256" },
376 { 0x00C02A, "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384" },
377 { 0x00C02B, "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" },
378 { 0x00C02C, "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" },
379 { 0x00C02D, "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256" },
380 { 0x00C02E, "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384" },
381 { 0x00C02F, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" },
382 { 0x00C030, "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" },
383 { 0x00C031, "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" },
384 { 0x00C032, "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384" },
385 /* RFC 5489 */
386 { 0x00C033, "TLS_ECDHE_PSK_WITH_RC4_128_SHA" },
387 { 0x00C034, "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA" },
388 { 0x00C035, "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA" },
389 { 0x00C036, "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA" },
390 { 0x00C037, "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256" },
391 { 0x00C038, "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384" },
392 { 0x00C039, "TLS_ECDHE_PSK_WITH_NULL_SHA" },
393 { 0x00C03A, "TLS_ECDHE_PSK_WITH_NULL_SHA256" },
394 { 0x00C03B, "TLS_ECDHE_PSK_WITH_NULL_SHA384" },
395 /* 0xC0,0x3C-FF Unassigned
396 0xC1-FD,* Unassigned
397 0xFE,0x00-FD Unassigned
398 0xFE,0xFE-FF Reserved to avoid conflicts with widely deployed implementations [Pasi_Eronen]
399 0xFF,0x00-FF Reserved for Private Use [RFC5246]
400 */
401
402 /* old numbers used in the beginning
403 * https://tools.ietf.org/html/draft-agl-tls-chacha20poly1305 */
404 { 0x00CC13, "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
405 { 0x00CC14, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" },
406 { 0x00CC15, "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
407
408 /* https://tools.ietf.org/html/rfc7905 */
409 { 0x00CCA8, "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
410 { 0x00CCA9, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" },
411 { 0x00CCAA, "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
412 { 0x00CCAB, "TLS_PSK_WITH_CHACHA20_POLY1305_SHA256" },
413 { 0x00CCAC, "TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256" },
414 { 0x00CCAD, "TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256" },
415 { 0x00CCAE, "TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256" },
416
417 /* GM/T 0024-2014 */
418 { 0x00e001, "ECDHE_SM1_SM3"},
419 { 0x00e003, "ECC_SM1_SM3"},
420 { 0x00e005, "IBSDH_SM1_SM3"},
421 { 0x00e007, "IBC_SM1_SM3"},
422 { 0x00e009, "RSA_SM1_SM3"},
423 { 0x00e00a, "RSA_SM1_SHA1"},
424 { 0x00e011, "ECDHE_SM4_CBC_SM3"},
425 { 0x00e013, "ECC_SM4_CBC_SM3"},
426 { 0x00e015, "IBSDH_SM4_CBC_SM3"},
427 { 0x00e017, "IBC_SM4_CBC_SM3"},
428 { 0x00e019, "RSA_SM4_CBC_SM3"},
429 { 0x00e01a, "RSA_SM4_CBC_SHA1"},
430 { 0x00e01c, "RSA_SM4_CBC_SHA256"},
431 { 0x00e051, "ECDHE_SM4_GCM_SM3"},
432 { 0x00e053, "ECC_SM4_GCM_SM3"},
433 { 0x00e055, "IBSDH_SM4_GCM_SM3"},
434 { 0x00e057, "IBC_SM4_GCM_SM3"},
435 { 0x00e059, "RSA_SM4_GCM_SM3"},
436 { 0x00e05a, "RSA_SM4_GCM_SHA256"},
437
438 /* https://tools.ietf.org/html/draft-josefsson-salsa20-tls */
439 { 0x00E410, "TLS_RSA_WITH_ESTREAM_SALSA20_SHA1" },
440 { 0x00E411, "TLS_RSA_WITH_SALSA20_SHA1" },
441 { 0x00E412, "TLS_ECDHE_RSA_WITH_ESTREAM_SALSA20_SHA1" },
442 { 0x00E413, "TLS_ECDHE_RSA_WITH_SALSA20_SHA1" },
443 { 0x00E414, "TLS_ECDHE_ECDSA_WITH_ESTREAM_SALSA20_SHA1" },
444 { 0x00E415, "TLS_ECDHE_ECDSA_WITH_SALSA20_SHA1" },
445 { 0x00E416, "TLS_PSK_WITH_ESTREAM_SALSA20_SHA1" },
446 { 0x00E417, "TLS_PSK_WITH_SALSA20_SHA1" },
447 { 0x00E418, "TLS_ECDHE_PSK_WITH_ESTREAM_SALSA20_SHA1" },
448 { 0x00E419, "TLS_ECDHE_PSK_WITH_SALSA20_SHA1" },
449 { 0x00E41A, "TLS_RSA_PSK_WITH_ESTREAM_SALSA20_SHA1" },
450 { 0x00E41B, "TLS_RSA_PSK_WITH_SALSA20_SHA1" },
451 { 0x00E41C, "TLS_DHE_PSK_WITH_ESTREAM_SALSA20_SHA1" },
452 { 0x00E41D, "TLS_DHE_PSK_WITH_SALSA20_SHA1" },
453 { 0x00E41E, "TLS_DHE_RSA_WITH_ESTREAM_SALSA20_SHA1" },
454 { 0x00E41F, "TLS_DHE_RSA_WITH_SALSA20_SHA1" },
455
456 /* these from http://www.mozilla.org/projects/
457 security/pki/nss/ssl/fips-ssl-ciphersuites.html */
458 { 0x00fefe, "SSL_RSA_FIPS_WITH_DES_CBC_SHA"},
459 { 0x00feff, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA" },
460 { 0x00ffe0, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA" },
461 { 0x00ffe1, "SSL_RSA_FIPS_WITH_DES_CBC_SHA"},
462 /* note that ciphersuites of {0x00????} are TLS cipher suites in
463 * a sslv2 client hello message; the ???? above is the two-byte
464 * tls cipher suite id
465 */
466
467 { 0x010080, "SSL2_RC4_128_WITH_MD5" },
468 { 0x020080, "SSL2_RC4_128_EXPORT40_WITH_MD5" },
469 { 0x030080, "SSL2_RC2_128_CBC_WITH_MD5" },
470 { 0x040080, "SSL2_RC2_128_CBC_EXPORT40_WITH_MD5" },
471 { 0x050080, "SSL2_IDEA_128_CBC_WITH_MD5" },
472 { 0x060040, "SSL2_DES_64_CBC_WITH_MD5" },
473 { 0x0700c0, "SSL2_DES_192_EDE3_CBC_WITH_MD5" },
474 { 0x080080, "SSL2_RC4_64_WITH_MD5" },
475
476 { 0x00, NULL((void*)0) }
477};
478
479value_string_ext ssl_20_cipher_suites_ext = VALUE_STRING_EXT_INIT(ssl_20_cipher_suites){ _try_val_to_str_ext_init, 0, (sizeof (ssl_20_cipher_suites)
/ sizeof ((ssl_20_cipher_suites)[0]))-1, ssl_20_cipher_suites
, "ssl_20_cipher_suites", ((void*)0) };
480
481
482/*
483 * Supported Groups (formerly named "EC Named Curve").
484 * https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8
485 */
486const value_string ssl_extension_curves[] = {
487 { 1, "sect163k1" },
488 { 2, "sect163r1" },
489 { 3, "sect163r2" },
490 { 4, "sect193r1" },
491 { 5, "sect193r2" },
492 { 6, "sect233k1" },
493 { 7, "sect233r1" },
494 { 8, "sect239k1" },
495 { 9, "sect283k1" },
496 { 10, "sect283r1" },
497 { 11, "sect409k1" },
498 { 12, "sect409r1" },
499 { 13, "sect571k1" },
500 { 14, "sect571r1" },
501 { 15, "secp160k1" },
502 { 16, "secp160r1" },
503 { 17, "secp160r2" },
504 { 18, "secp192k1" },
505 { 19, "secp192r1" },
506 { 20, "secp224k1" },
507 { 21, "secp224r1" },
508 { 22, "secp256k1" },
509 { 23, "secp256r1" },
510 { 24, "secp384r1" },
511 { 25, "secp521r1" },
512 { 26, "brainpoolP256r1" }, /* RFC 7027 */
513 { 27, "brainpoolP384r1" }, /* RFC 7027 */
514 { 28, "brainpoolP512r1" }, /* RFC 7027 */
515 { 29, "x25519" }, /* RFC 8446 / RFC 8422 */
516 { 30, "x448" }, /* RFC 8446 / RFC 8422 */
517 { 31, "brainpoolP256r1tls13" }, /* RFC8734 */
518 { 32, "brainpoolP384r1tls13" }, /* RFC8734 */
519 { 33, "brainpoolP512r1tls13" }, /* RFC8734 */
520 { 34, "GC256A" }, /* RFC9189 */
521 { 35, "GC256B" }, /* RFC9189 */
522 { 36, "GC256C" }, /* RFC9189 */
523 { 37, "GC256D" }, /* RFC9189 */
524 { 38, "GC512A" }, /* RFC9189 */
525 { 39, "GC512B" }, /* RFC9189 */
526 { 40, "GC512C" }, /* RFC9189 */
527 { 41, "curveSM2" }, /* RFC 8998 */
528 { 256, "ffdhe2048" }, /* RFC 7919 */
529 { 257, "ffdhe3072" }, /* RFC 7919 */
530 { 258, "ffdhe4096" }, /* RFC 7919 */
531 { 259, "ffdhe6144" }, /* RFC 7919 */
532 { 260, "ffdhe8192" }, /* RFC 7919 */
533 { 512, "MLKEM512"}, /* draft-connolly-tls-mlkem-key-agreement-03 */
534 { 513, "MLKEM768"}, /* draft-connolly-tls-mlkem-key-agreement-03 */
535 { 514, "MLKEM1024"}, /* draft-connolly-tls-mlkem-key-agreement-03 */
536 { 2570, "Reserved (GREASE)" }, /* RFC 8701 */
537 { 4587, "SecP256r1MLKEM768" }, /* draft-kwiatkowski-tls-ecdhe-mlkem-02 */
538 { 4588, "X25519MLKEM768" }, /* draft-kwiatkowski-tls-ecdhe-mlkem-03 */
539 { 4589, "SecP384r1MLKEM1024" }, /* draft-kwiatkowski-tls-ecdhe-mlkem-03 */
540 { 6682, "Reserved (GREASE)" }, /* RFC 8701 */
541 { 10794, "Reserved (GREASE)" }, /* RFC 8701 */
542 { 14906, "Reserved (GREASE)" }, /* RFC 8701 */
543 { 19018, "Reserved (GREASE)" }, /* RFC 8701 */
544 { 23130, "Reserved (GREASE)" }, /* RFC 8701 */
545 { 25497, "X25519Kyber768Draft00 (OBSOLETE)" }, /* draft-tls-westerbaan-xyber768d00-02 */
546 { 25498, "SecP256r1Kyber768Draft00 (OBSOLETE)" }, /* draft-kwiatkowski-tls-ecdhe-kyber-01 */
547 { 27242, "Reserved (GREASE)" }, /* RFC 8701 */
548 { 31354, "Reserved (GREASE)" }, /* RFC 8701 */
549 { 35466, "Reserved (GREASE)" }, /* RFC 8701 */
550 { 39578, "Reserved (GREASE)" }, /* RFC 8701 */
551 { 43690, "Reserved (GREASE)" }, /* RFC 8701 */
552 { 47802, "Reserved (GREASE)" }, /* RFC 8701 */
553 { 51914, "Reserved (GREASE)" }, /* RFC 8701 */
554 { 56026, "Reserved (GREASE)" }, /* RFC 8701 */
555 { 60138, "Reserved (GREASE)" }, /* RFC 8701 */
556 { 64250, "Reserved (GREASE)" }, /* RFC 8701 */
557 { 0xFF01, "arbitrary_explicit_prime_curves" },
558 { 0xFF02, "arbitrary_explicit_char2_curves" },
559 /* Below are various unofficial values that have been used for testing. */
560 /* PQC key exchange algorithms from OQS-OpenSSL,
561 see https://github.com/open-quantum-safe/oqs-provider/blob/main/oqs-template/oqs-kem-info.md
562 These use IANA unassigned values and this list may be incomplete.
563 */
564 { 0x2F00, "p256_frodo640aes" },
565 { 0x2F01, "p256_frodo640shake" },
566 { 0x2F02, "p384_frodo976aes" },
567 { 0x0203, "frodo976shake" },
568 { 0x2F03, "p384_frodo976shake" },
569 { 0x0204, "frodo1344aes" },
570 { 0x2F04, "p521_frodo1344aes" },
571 { 0x0205, "frodo1344shake" },
572 { 0x2F05, "p521_frodo1344shake" },
573 { 0x023A, "kyber512" },
574 { 0x2F3A, "p256_kyber512" },
575 { 0x023C, "kyber768" },
576 { 0x2F3C, "p384_kyber768" },
577 { 0x023D, "kyber1024" },
578 { 0x2F3D, "p521_kyber1024" },
579 { 0x0214, "ntru_hps2048509" },
580 { 0x2F14, "p256_ntru_hps2048509" },
581 { 0x0215, "ntru_hps2048677" },
582 { 0x2F15, "p384_ntru_hps2048677" },
583 { 0x0216, "ntru_hps4096821" },
584 { 0x2F16, "p521_ntru_hps4096821" },
585 { 0x0245, "ntru_hps40961229" },
586 { 0x2F45, "p521_ntru_hps40961229" },
587 { 0x0217, "ntru_hrss701" },
588 { 0x2F17, "p384_ntru_hrss701" },
589 { 0x0246, "ntru_hrss1373" },
590 { 0x2F46, "p521_ntru_hrss1373" },
591 { 0x0218, "lightsaber" },
592 { 0x2F18, "p256_lightsaber" },
593 { 0x0219, "saber" },
594 { 0x2F19, "p384_saber" },
595 { 0x021A, "firesaber" },
596 { 0x2F1A, "p521_firesaber" },
597 { 0x021B, "sidhp434" },
598 { 0x2F1B, "p256_sidhp434" },
599 { 0x021C, "sidhp503" },
600 { 0x2F1C, "p256_sidhp503" },
601 { 0x021D, "sidhp610" },
602 { 0x2F1D, "p384_sidhp610" },
603 { 0x021E, "sidhp751" },
604 { 0x2F1E, "p521_sidhp751" },
605 { 0x021F, "sikep434" },
606 { 0x2F1F, "p256_sikep434" },
607 { 0x0220, "sikep503" },
608 { 0x2F20, "p256_sikep503" },
609 { 0x0221, "sikep610" },
610 { 0x2F21, "p384_sikep610" },
611 { 0x0222, "sikep751" },
612 { 0x2F22, "p521_sikep751" },
613 { 0x0238, "bikel1" },
614 { 0x2F38, "p256_bikel1" },
615 { 0x023B, "bikel3" },
616 { 0x2F3B, "p384_bikel3" },
617 { 0x023E, "kyber90s512" },
618 { 0x2F3E, "p256_kyber90s512" },
619 { 0x023F, "kyber90s768" },
620 { 0x2F3F, "p384_kyber90s768" },
621 { 0x0240, "kyber90s1024" },
622 { 0x2F40, "p521_kyber90s1024" },
623 { 0x022C, "hqc128" },
624 { 0x2F2C, "p256_hqc128" },
625 { 0x022D, "hqc192" },
626 { 0x2F2D, "p384_hqc192" },
627 { 0x022E, "hqc256" },
628 { 0x2F2E, "p521_hqc256" },
629 { 0x022F, "ntrulpr653" },
630 { 0x2F2F, "p256_ntrulpr653" },
631 { 0x0230, "ntrulpr761" },
632 { 0x2F43, "p256_ntrulpr761" },
633 { 0x0231, "ntrulpr857" },
634 { 0x2F31, "p384_ntrulpr857" },
635 { 0x0241, "ntrulpr1277" },
636 { 0x2F41, "p521_ntrulpr1277" },
637 { 0x0232, "sntrup653" },
638 { 0x2F32, "p256_sntrup653" },
639 { 0x0233, "sntrup761" },
640 { 0x2F44, "p256_sntrup761" },
641 { 0x0234, "sntrup857" },
642 { 0x2F34, "p384_sntrup857" },
643 { 0x0242, "sntrup1277" },
644 { 0x2F42, "p521_sntrup1277" },
645 /* Other PQ key exchange algorithms, using Reserved for Private Use values
646 https://blog.cloudflare.com/post-quantum-for-all
647 https://www.ietf.org/archive/id/draft-tls-westerbaan-xyber768d00-02.txt */
648 { 0xFE30, "X25519Kyber512Draft00 (OBSOLETE)" },
649 { 0xFE31, "X25519Kyber768Draft00 (OBSOLETE)" },
650 { 0x00, NULL((void*)0) }
651};
652
653const value_string ssl_curve_types[] = {
654 { 1, "explicit_prime" },
655 { 2, "explicit_char2" },
656 { 3, "named_curve" },
657 { 0x00, NULL((void*)0) }
658};
659
660const value_string ssl_extension_ec_point_formats[] = {
661 { 0, "uncompressed" },
662 { 1, "ansiX962_compressed_prime" },
663 { 2, "ansiX962_compressed_char2" },
664 { 0x00, NULL((void*)0) }
665};
666
667const value_string ssl_20_certificate_type[] = {
668 { 0x00, "N/A" },
669 { 0x01, "X.509 Certificate" },
670 { 0x00, NULL((void*)0) }
671};
672
673const value_string ssl_31_content_type[] = {
674 { 20, "Change Cipher Spec" },
675 { 21, "Alert" },
676 { 22, "Handshake" },
677 { 23, "Application Data" },
678 { 24, "Heartbeat" },
679 { 25, "Connection ID" },
680 { 0x00, NULL((void*)0) }
681};
682
683#if 0
684/* XXX - would be used if we dissected the body of a Change Cipher Spec
685 message. */
686const value_string ssl_31_change_cipher_spec[] = {
687 { 1, "Change Cipher Spec" },
688 { 0x00, NULL((void*)0) }
689};
690#endif
691
692const value_string ssl_31_alert_level[] = {
693 { 1, "Warning" },
694 { 2, "Fatal" },
695 { 0x00, NULL((void*)0) }
696};
697
698const value_string ssl_31_alert_description[] = {
699 { 0, "Close Notify" },
700 { 1, "End of Early Data" },
701 { 10, "Unexpected Message" },
702 { 20, "Bad Record MAC" },
703 { 21, "Decryption Failed" },
704 { 22, "Record Overflow" },
705 { 30, "Decompression Failure" },
706 { 40, "Handshake Failure" },
707 { 41, "No Certificate" },
708 { 42, "Bad Certificate" },
709 { 43, "Unsupported Certificate" },
710 { 44, "Certificate Revoked" },
711 { 45, "Certificate Expired" },
712 { 46, "Certificate Unknown" },
713 { 47, "Illegal Parameter" },
714 { 48, "Unknown CA" },
715 { 49, "Access Denied" },
716 { 50, "Decode Error" },
717 { 51, "Decrypt Error" },
718 { 60, "Export Restriction" },
719 { 70, "Protocol Version" },
720 { 71, "Insufficient Security" },
721 { 80, "Internal Error" },
722 { 86, "Inappropriate Fallback" },
723 { 90, "User Canceled" },
724 { 100, "No Renegotiation" },
725 { 109, "Missing Extension" },
726 { 110, "Unsupported Extension" },
727 { 111, "Certificate Unobtainable" },
728 { 112, "Unrecognized Name" },
729 { 113, "Bad Certificate Status Response" },
730 { 114, "Bad Certificate Hash Value" },
731 { 115, "Unknown PSK Identity" },
732 { 116, "Certificate Required" },
733 { 120, "No application Protocol" },
734 { 121, "ECH Required" },
735 { 0x00, NULL((void*)0) }
736};
737
738const value_string ssl_31_handshake_type[] = {
739 { SSL_HND_HELLO_REQUEST, "Hello Request" },
740 { SSL_HND_CLIENT_HELLO, "Client Hello" },
741 { SSL_HND_SERVER_HELLO, "Server Hello" },
742 { SSL_HND_HELLO_VERIFY_REQUEST, "Hello Verify Request"},
743 { SSL_HND_NEWSESSION_TICKET, "New Session Ticket" },
744 { SSL_HND_END_OF_EARLY_DATA, "End of Early Data" },
745 { SSL_HND_HELLO_RETRY_REQUEST, "Hello Retry Request" },
746 { SSL_HND_ENCRYPTED_EXTENSIONS, "Encrypted Extensions" },
747 { SSL_HND_CERTIFICATE, "Certificate" },
748 { SSL_HND_SERVER_KEY_EXCHG, "Server Key Exchange" },
749 { SSL_HND_CERT_REQUEST, "Certificate Request" },
750 { SSL_HND_SVR_HELLO_DONE, "Server Hello Done" },
751 { SSL_HND_CERT_VERIFY, "Certificate Verify" },
752 { SSL_HND_CLIENT_KEY_EXCHG, "Client Key Exchange" },
753 { SSL_HND_FINISHED, "Finished" },
754 { SSL_HND_CERT_URL, "Client Certificate URL" },
755 { SSL_HND_CERT_STATUS, "Certificate Status" },
756 { SSL_HND_SUPPLEMENTAL_DATA, "Supplemental Data" },
757 { SSL_HND_KEY_UPDATE, "Key Update" },
758 { SSL_HND_COMPRESSED_CERTIFICATE, "Compressed Certificate" },
759 { SSL_HND_ENCRYPTED_EXTS, "Encrypted Extensions" },
760 { 0x00, NULL((void*)0) }
761};
762
763const value_string tls_heartbeat_type[] = {
764 { 1, "Request" },
765 { 2, "Response" },
766 { 0x00, NULL((void*)0) }
767};
768
769const value_string tls_heartbeat_mode[] = {
770 { 1, "Peer allowed to send requests" },
771 { 2, "Peer not allowed to send requests" },
772 { 0x00, NULL((void*)0) }
773};
774
775const value_string ssl_31_compression_method[] = {
776 { 0, "null" },
777 { 1, "DEFLATE" },
778 { 64, "LZS" },
779 { 0x00, NULL((void*)0) }
780};
781
782#if 0
783/* XXX - would be used if we dissected a Signature, as would be
784 seen in a server key exchange or certificate verify message. */
785const value_string ssl_31_key_exchange_algorithm[] = {
786 { 0, "RSA" },
787 { 1, "Diffie Hellman" },
788 { 0x00, NULL((void*)0) }
789};
790
791const value_string ssl_31_signature_algorithm[] = {
792 { 0, "Anonymous" },
793 { 1, "RSA" },
794 { 2, "DSA" },
795 { 0x00, NULL((void*)0) }
796};
797#endif
798
799const value_string ssl_31_client_certificate_type[] = {
800 { 1, "RSA Sign" },
801 { 2, "DSS Sign" },
802 { 3, "RSA Fixed DH" },
803 { 4, "DSS Fixed DH" },
804 /* GOST certificate types */
805 /* Section 3.5 of draft-chudov-cryptopro-cptls-04 */
806 { 21, "GOST R 34.10-94" },
807 { 22, "GOST R 34.10-2001" },
808 /* END GOST certificate types */
809 { 64, "ECDSA Sign" },
810 { 65, "RSA Fixed ECDH" },
811 { 66, "ECDSA Fixed ECDH" },
812 { 80, "IBC Params" },
813 { 0x00, NULL((void*)0) }
814};
815
816#if 0
817/* XXX - would be used if we dissected exchange keys, as would be
818 seen in a client key exchange message. */
819const value_string ssl_31_public_value_encoding[] = {
820 { 0, "Implicit" },
821 { 1, "Explicit" },
822 { 0x00, NULL((void*)0) }
823};
824#endif
825
826/* http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml */
827/* Note: sorted by ascending value so value_string_ext fcns can do a binary search */
828static const value_string ssl_31_ciphersuite[] = {
829 /* RFC 2246, RFC 4346, RFC 5246 */
830 { 0x0000, "TLS_NULL_WITH_NULL_NULL" },
831 { 0x0001, "TLS_RSA_WITH_NULL_MD5" },
832 { 0x0002, "TLS_RSA_WITH_NULL_SHA" },
833 { 0x0003, "TLS_RSA_EXPORT_WITH_RC4_40_MD5" },
834 { 0x0004, "TLS_RSA_WITH_RC4_128_MD5" },
835 { 0x0005, "TLS_RSA_WITH_RC4_128_SHA" },
836 { 0x0006, "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5" },
837 { 0x0007, "TLS_RSA_WITH_IDEA_CBC_SHA" },
838 { 0x0008, "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA" },
839 { 0x0009, "TLS_RSA_WITH_DES_CBC_SHA" },
840 { 0x000a, "TLS_RSA_WITH_3DES_EDE_CBC_SHA" },
841 { 0x000b, "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA" },
842 { 0x000c, "TLS_DH_DSS_WITH_DES_CBC_SHA" },
843 { 0x000d, "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA" },
844 { 0x000e, "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA" },
845 { 0x000f, "TLS_DH_RSA_WITH_DES_CBC_SHA" },
846 { 0x0010, "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA" },
847 { 0x0011, "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA" },
848 { 0x0012, "TLS_DHE_DSS_WITH_DES_CBC_SHA" },
849 { 0x0013, "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA" },
850 { 0x0014, "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA" },
851 { 0x0015, "TLS_DHE_RSA_WITH_DES_CBC_SHA" },
852 { 0x0016, "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA" },
853 { 0x0017, "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5" },
854 { 0x0018, "TLS_DH_anon_WITH_RC4_128_MD5" },
855 { 0x0019, "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA" },
856 { 0x001a, "TLS_DH_anon_WITH_DES_CBC_SHA" },
857 { 0x001b, "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA" },
858
859 { 0x001c, "SSL_FORTEZZA_KEA_WITH_NULL_SHA" },
860 { 0x001d, "SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA" },
861#if 0 /* Because it clashes with KRB5, is never used any more, and is safe
862 to remove according to David Hopwood <david.hopwood@zetnet.co.uk>
863 of the ietf-tls list */
864 { 0x001e, "SSL_FORTEZZA_KEA_WITH_RC4_128_SHA" },
865#endif
866 /* RFC 2712 */
867 { 0x001E, "TLS_KRB5_WITH_DES_CBC_SHA" },
868 { 0x001F, "TLS_KRB5_WITH_3DES_EDE_CBC_SHA" },
869 { 0x0020, "TLS_KRB5_WITH_RC4_128_SHA" },
870 { 0x0021, "TLS_KRB5_WITH_IDEA_CBC_SHA" },
871 { 0x0022, "TLS_KRB5_WITH_DES_CBC_MD5" },
872 { 0x0023, "TLS_KRB5_WITH_3DES_EDE_CBC_MD5" },
873 { 0x0024, "TLS_KRB5_WITH_RC4_128_MD5" },
874 { 0x0025, "TLS_KRB5_WITH_IDEA_CBC_MD5" },
875 { 0x0026, "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA" },
876 { 0x0027, "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA" },
877 { 0x0028, "TLS_KRB5_EXPORT_WITH_RC4_40_SHA" },
878 { 0x0029, "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5" },
879 { 0x002A, "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5" },
880 { 0x002B, "TLS_KRB5_EXPORT_WITH_RC4_40_MD5" },
881 /* RFC 4785 */
882 { 0x002C, "TLS_PSK_WITH_NULL_SHA" },
883 { 0x002D, "TLS_DHE_PSK_WITH_NULL_SHA" },
884 { 0x002E, "TLS_RSA_PSK_WITH_NULL_SHA" },
885 /* RFC 5246 */
886 { 0x002F, "TLS_RSA_WITH_AES_128_CBC_SHA" },
887 { 0x0030, "TLS_DH_DSS_WITH_AES_128_CBC_SHA" },
888 { 0x0031, "TLS_DH_RSA_WITH_AES_128_CBC_SHA" },
889 { 0x0032, "TLS_DHE_DSS_WITH_AES_128_CBC_SHA" },
890 { 0x0033, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA" },
891 { 0x0034, "TLS_DH_anon_WITH_AES_128_CBC_SHA" },
892 { 0x0035, "TLS_RSA_WITH_AES_256_CBC_SHA" },
893 { 0x0036, "TLS_DH_DSS_WITH_AES_256_CBC_SHA" },
894 { 0x0037, "TLS_DH_RSA_WITH_AES_256_CBC_SHA" },
895 { 0x0038, "TLS_DHE_DSS_WITH_AES_256_CBC_SHA" },
896 { 0x0039, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA" },
897 { 0x003A, "TLS_DH_anon_WITH_AES_256_CBC_SHA" },
898 { 0x003B, "TLS_RSA_WITH_NULL_SHA256" },
899 { 0x003C, "TLS_RSA_WITH_AES_128_CBC_SHA256" },
900 { 0x003D, "TLS_RSA_WITH_AES_256_CBC_SHA256" },
901 { 0x003E, "TLS_DH_DSS_WITH_AES_128_CBC_SHA256" },
902 { 0x003F, "TLS_DH_RSA_WITH_AES_128_CBC_SHA256" },
903 { 0x0040, "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256" },
904 /* RFC 4132 */
905 { 0x0041, "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA" },
906 { 0x0042, "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA" },
907 { 0x0043, "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA" },
908 { 0x0044, "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA" },
909 { 0x0045, "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA" },
910 { 0x0046, "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA" },
911 /* 0x00,0x60-66 Reserved to avoid conflicts with widely deployed implementations */
912 /* --- ??? --- */
913 { 0x0060, "TLS_RSA_EXPORT1024_WITH_RC4_56_MD5" },
914 { 0x0061, "TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5" },
915 /* draft-ietf-tls-56-bit-ciphersuites-01.txt */
916 { 0x0062, "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA" },
917 { 0x0063, "TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA" },
918 { 0x0064, "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA" },
919 { 0x0065, "TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA" },
920 { 0x0066, "TLS_DHE_DSS_WITH_RC4_128_SHA" },
921 /* --- ??? ---*/
922 { 0x0067, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256" },
923 { 0x0068, "TLS_DH_DSS_WITH_AES_256_CBC_SHA256" },
924 { 0x0069, "TLS_DH_RSA_WITH_AES_256_CBC_SHA256" },
925 { 0x006A, "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256" },
926 { 0x006B, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256" },
927 { 0x006C, "TLS_DH_anon_WITH_AES_128_CBC_SHA256" },
928 { 0x006D, "TLS_DH_anon_WITH_AES_256_CBC_SHA256" },
929 /* draft-chudov-cryptopro-cptls-04.txt */
930 { 0x0080, "TLS_GOSTR341094_WITH_28147_CNT_IMIT" },
931 { 0x0081, "TLS_GOSTR341001_WITH_28147_CNT_IMIT" },
932 { 0x0082, "TLS_GOSTR341094_WITH_NULL_GOSTR3411" },
933 { 0x0083, "TLS_GOSTR341001_WITH_NULL_GOSTR3411" },
934 /* RFC 4132 */
935 { 0x0084, "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA" },
936 { 0x0085, "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA" },
937 { 0x0086, "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA" },
938 { 0x0087, "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA" },
939 { 0x0088, "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA" },
940 { 0x0089, "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA" },
941 /* RFC 4279 */
942 { 0x008A, "TLS_PSK_WITH_RC4_128_SHA" },
943 { 0x008B, "TLS_PSK_WITH_3DES_EDE_CBC_SHA" },
944 { 0x008C, "TLS_PSK_WITH_AES_128_CBC_SHA" },
945 { 0x008D, "TLS_PSK_WITH_AES_256_CBC_SHA" },
946 { 0x008E, "TLS_DHE_PSK_WITH_RC4_128_SHA" },
947 { 0x008F, "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA" },
948 { 0x0090, "TLS_DHE_PSK_WITH_AES_128_CBC_SHA" },
949 { 0x0091, "TLS_DHE_PSK_WITH_AES_256_CBC_SHA" },
950 { 0x0092, "TLS_RSA_PSK_WITH_RC4_128_SHA" },
951 { 0x0093, "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA" },
952 { 0x0094, "TLS_RSA_PSK_WITH_AES_128_CBC_SHA" },
953 { 0x0095, "TLS_RSA_PSK_WITH_AES_256_CBC_SHA" },
954 /* RFC 4162 */
955 { 0x0096, "TLS_RSA_WITH_SEED_CBC_SHA" },
956 { 0x0097, "TLS_DH_DSS_WITH_SEED_CBC_SHA" },
957 { 0x0098, "TLS_DH_RSA_WITH_SEED_CBC_SHA" },
958 { 0x0099, "TLS_DHE_DSS_WITH_SEED_CBC_SHA" },
959 { 0x009A, "TLS_DHE_RSA_WITH_SEED_CBC_SHA" },
960 { 0x009B, "TLS_DH_anon_WITH_SEED_CBC_SHA" },
961 /* RFC 5288 */
962 { 0x009C, "TLS_RSA_WITH_AES_128_GCM_SHA256" },
963 { 0x009D, "TLS_RSA_WITH_AES_256_GCM_SHA384" },
964 { 0x009E, "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256" },
965 { 0x009F, "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384" },
966 { 0x00A0, "TLS_DH_RSA_WITH_AES_128_GCM_SHA256" },
967 { 0x00A1, "TLS_DH_RSA_WITH_AES_256_GCM_SHA384" },
968 { 0x00A2, "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256" },
969 { 0x00A3, "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384" },
970 { 0x00A4, "TLS_DH_DSS_WITH_AES_128_GCM_SHA256" },
971 { 0x00A5, "TLS_DH_DSS_WITH_AES_256_GCM_SHA384" },
972 { 0x00A6, "TLS_DH_anon_WITH_AES_128_GCM_SHA256" },
973 { 0x00A7, "TLS_DH_anon_WITH_AES_256_GCM_SHA384" },
974 /* RFC 5487 */
975 { 0x00A8, "TLS_PSK_WITH_AES_128_GCM_SHA256" },
976 { 0x00A9, "TLS_PSK_WITH_AES_256_GCM_SHA384" },
977 { 0x00AA, "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256" },
978 { 0x00AB, "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384" },
979 { 0x00AC, "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256" },
980 { 0x00AD, "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384" },
981 { 0x00AE, "TLS_PSK_WITH_AES_128_CBC_SHA256" },
982 { 0x00AF, "TLS_PSK_WITH_AES_256_CBC_SHA384" },
983 { 0x00B0, "TLS_PSK_WITH_NULL_SHA256" },
984 { 0x00B1, "TLS_PSK_WITH_NULL_SHA384" },
985 { 0x00B2, "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256" },
986 { 0x00B3, "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384" },
987 { 0x00B4, "TLS_DHE_PSK_WITH_NULL_SHA256" },
988 { 0x00B5, "TLS_DHE_PSK_WITH_NULL_SHA384" },
989 { 0x00B6, "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256" },
990 { 0x00B7, "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384" },
991 { 0x00B8, "TLS_RSA_PSK_WITH_NULL_SHA256" },
992 { 0x00B9, "TLS_RSA_PSK_WITH_NULL_SHA384" },
993 /* From RFC 5932 */
994 { 0x00BA, "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
995 { 0x00BB, "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256" },
996 { 0x00BC, "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
997 { 0x00BD, "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256" },
998 { 0x00BE, "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
999 { 0x00BF, "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256" },
1000 { 0x00C0, "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
1001 { 0x00C1, "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256" },
1002 { 0x00C2, "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
1003 { 0x00C3, "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256" },
1004 { 0x00C4, "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
1005 { 0x00C5, "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256" },
1006 /* RFC 8998 */
1007 { 0x00C6, "TLS_SM4_GCM_SM3" },
1008 { 0x00C7, "TLS_SM4_CCM_SM3" },
1009 /* 0x00,0xC8-FE Unassigned */
1010 /* From RFC 5746 */
1011 { 0x00FF, "TLS_EMPTY_RENEGOTIATION_INFO_SCSV" },
1012 /* RFC 8701 */
1013 { 0x0A0A, "Reserved (GREASE)" },
1014 /* RFC 8446 */
1015 { 0x1301, "TLS_AES_128_GCM_SHA256" },
1016 { 0x1302, "TLS_AES_256_GCM_SHA384" },
1017 { 0x1303, "TLS_CHACHA20_POLY1305_SHA256" },
1018 { 0x1304, "TLS_AES_128_CCM_SHA256" },
1019 { 0x1305, "TLS_AES_128_CCM_8_SHA256" },
1020 /* RFC 8701 */
1021 { 0x1A1A, "Reserved (GREASE)" },
1022 { 0x2A2A, "Reserved (GREASE)" },
1023 { 0x3A3A, "Reserved (GREASE)" },
1024 { 0x4A4A, "Reserved (GREASE)" },
1025 /* From RFC 7507 */
1026 { 0x5600, "TLS_FALLBACK_SCSV" },
1027 /* RFC 8701 */
1028 { 0x5A5A, "Reserved (GREASE)" },
1029 { 0x6A6A, "Reserved (GREASE)" },
1030 { 0x7A7A, "Reserved (GREASE)" },
1031 { 0x8A8A, "Reserved (GREASE)" },
1032 { 0x9A9A, "Reserved (GREASE)" },
1033 { 0xAAAA, "Reserved (GREASE)" },
1034 { 0xBABA, "Reserved (GREASE)" },
1035 /* From RFC 4492 */
1036 { 0xc001, "TLS_ECDH_ECDSA_WITH_NULL_SHA" },
1037 { 0xc002, "TLS_ECDH_ECDSA_WITH_RC4_128_SHA" },
1038 { 0xc003, "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA" },
1039 { 0xc004, "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA" },
1040 { 0xc005, "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" },
1041 { 0xc006, "TLS_ECDHE_ECDSA_WITH_NULL_SHA" },
1042 { 0xc007, "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA" },
1043 { 0xc008, "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA" },
1044 { 0xc009, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA" },
1045 { 0xc00a, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" },
1046 { 0xc00b, "TLS_ECDH_RSA_WITH_NULL_SHA" },
1047 { 0xc00c, "TLS_ECDH_RSA_WITH_RC4_128_SHA" },
1048 { 0xc00d, "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA" },
1049 { 0xc00e, "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA" },
1050 { 0xc00f, "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA" },
1051 { 0xc010, "TLS_ECDHE_RSA_WITH_NULL_SHA" },
1052 { 0xc011, "TLS_ECDHE_RSA_WITH_RC4_128_SHA" },
1053 { 0xc012, "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA" },
1054 { 0xc013, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA" },
1055 { 0xc014, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA" },
1056 { 0xc015, "TLS_ECDH_anon_WITH_NULL_SHA" },
1057 { 0xc016, "TLS_ECDH_anon_WITH_RC4_128_SHA" },
1058 { 0xc017, "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA" },
1059 { 0xc018, "TLS_ECDH_anon_WITH_AES_128_CBC_SHA" },
1060 { 0xc019, "TLS_ECDH_anon_WITH_AES_256_CBC_SHA" },
1061 /* RFC 5054 */
1062 { 0xC01A, "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA" },
1063 { 0xC01B, "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA" },
1064 { 0xC01C, "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA" },
1065 { 0xC01D, "TLS_SRP_SHA_WITH_AES_128_CBC_SHA" },
1066 { 0xC01E, "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA" },
1067 { 0xC01F, "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA" },
1068 { 0xC020, "TLS_SRP_SHA_WITH_AES_256_CBC_SHA" },
1069 { 0xC021, "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA" },
1070 { 0xC022, "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA" },
1071 /* RFC 5589 */
1072 { 0xC023, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256" },
1073 { 0xC024, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384" },
1074 { 0xC025, "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256" },
1075 { 0xC026, "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384" },
1076 { 0xC027, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" },
1077 { 0xC028, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" },
1078 { 0xC029, "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256" },
1079 { 0xC02A, "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384" },
1080 { 0xC02B, "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" },
1081 { 0xC02C, "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" },
1082 { 0xC02D, "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256" },
1083 { 0xC02E, "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384" },
1084 { 0xC02F, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" },
1085 { 0xC030, "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" },
1086 { 0xC031, "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" },
1087 { 0xC032, "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384" },
1088 /* RFC 5489 */
1089 { 0xC033, "TLS_ECDHE_PSK_WITH_RC4_128_SHA" },
1090 { 0xC034, "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA" },
1091 { 0xC035, "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA" },
1092 { 0xC036, "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA" },
1093 { 0xC037, "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256" },
1094 { 0xC038, "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384" },
1095 { 0xC039, "TLS_ECDHE_PSK_WITH_NULL_SHA" },
1096 { 0xC03A, "TLS_ECDHE_PSK_WITH_NULL_SHA256" },
1097 { 0xC03B, "TLS_ECDHE_PSK_WITH_NULL_SHA384" },
1098 /* RFC 6209 */
1099 { 0xC03C, "TLS_RSA_WITH_ARIA_128_CBC_SHA256" },
1100 { 0xC03D, "TLS_RSA_WITH_ARIA_256_CBC_SHA384" },
1101 { 0xC03E, "TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256" },
1102 { 0xC03F, "TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384" },
1103 { 0xC040, "TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256" },
1104 { 0xC041, "TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384" },
1105 { 0xC042, "TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256" },
1106 { 0xC043, "TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384" },
1107 { 0xC044, "TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256" },
1108 { 0xC045, "TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384" },
1109 { 0xC046, "TLS_DH_anon_WITH_ARIA_128_CBC_SHA256" },
1110 { 0xC047, "TLS_DH_anon_WITH_ARIA_256_CBC_SHA384" },
1111 { 0xC048, "TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256" },
1112 { 0xC049, "TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384" },
1113 { 0xC04A, "TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256" },
1114 { 0xC04B, "TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384" },
1115 { 0xC04C, "TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256" },
1116 { 0xC04D, "TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384" },
1117 { 0xC04E, "TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256" },
1118 { 0xC04F, "TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384" },
1119 { 0xC050, "TLS_RSA_WITH_ARIA_128_GCM_SHA256" },
1120 { 0xC051, "TLS_RSA_WITH_ARIA_256_GCM_SHA384" },
1121 { 0xC052, "TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256" },
1122 { 0xC053, "TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384" },
1123 { 0xC054, "TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256" },
1124 { 0xC055, "TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384" },
1125 { 0xC056, "TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256" },
1126 { 0xC057, "TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384" },
1127 { 0xC058, "TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256" },
1128 { 0xC059, "TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384" },
1129 { 0xC05A, "TLS_DH_anon_WITH_ARIA_128_GCM_SHA256" },
1130 { 0xC05B, "TLS_DH_anon_WITH_ARIA_256_GCM_SHA384" },
1131 { 0xC05C, "TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256" },
1132 { 0xC05D, "TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384" },
1133 { 0xC05E, "TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256" },
1134 { 0xC05F, "TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384" },
1135 { 0xC060, "TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256" },
1136 { 0xC061, "TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384" },
1137 { 0xC062, "TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256" },
1138 { 0xC063, "TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384" },
1139 { 0xC064, "TLS_PSK_WITH_ARIA_128_CBC_SHA256" },
1140 { 0xC065, "TLS_PSK_WITH_ARIA_256_CBC_SHA384" },
1141 { 0xC066, "TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256" },
1142 { 0xC067, "TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384" },
1143 { 0xC068, "TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256" },
1144 { 0xC069, "TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384" },
1145 { 0xC06A, "TLS_PSK_WITH_ARIA_128_GCM_SHA256" },
1146 { 0xC06B, "TLS_PSK_WITH_ARIA_256_GCM_SHA384" },
1147 { 0xC06C, "TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256" },
1148 { 0xC06D, "TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384" },
1149 { 0xC06E, "TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256" },
1150 { 0xC06F, "TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384" },
1151 { 0xC070, "TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256" },
1152 { 0xC071, "TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384" },
1153 /* RFC 6367 */
1154 { 0xC072, "TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256" },
1155 { 0xC073, "TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384" },
1156 { 0xC074, "TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256" },
1157 { 0xC075, "TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384" },
1158 { 0xC076, "TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
1159 { 0xC077, "TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384" },
1160 { 0xC078, "TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
1161 { 0xC079, "TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384" },
1162 { 0xC07A, "TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256" },
1163 { 0xC07B, "TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384" },
1164 { 0xC07C, "TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256" },
1165 { 0xC07D, "TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384" },
1166 { 0xC07E, "TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256" },
1167 { 0xC07F, "TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384" },
1168 { 0xC080, "TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256" },
1169 { 0xC081, "TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384" },
1170 { 0xC082, "TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256" },
1171 { 0xC083, "TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384" },
1172 { 0xC084, "TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256" },
1173 { 0xC085, "TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384" },
1174 { 0xC086, "TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256" },
1175 { 0xC087, "TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384" },
1176 { 0xC088, "TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256" },
1177 { 0xC089, "TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384" },
1178 { 0xC08A, "TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256" },
1179 { 0xC08B, "TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384" },
1180 { 0xC08C, "TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256" },
1181 { 0xC08D, "TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384" },
1182 { 0xC08E, "TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256" },
1183 { 0xC08F, "TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384" },
1184 { 0xC090, "TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256" },
1185 { 0xC091, "TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384" },
1186 { 0xC092, "TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256" },
1187 { 0xC093, "TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384" },
1188 { 0xC094, "TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256" },
1189 { 0xC095, "TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384" },
1190 { 0xC096, "TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256" },
1191 { 0xC097, "TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384" },
1192 { 0xC098, "TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256" },
1193 { 0xC099, "TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384" },
1194 { 0xC09A, "TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256" },
1195 { 0xC09B, "TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384" },
1196 /* RFC 6655 */
1197 { 0xC09C, "TLS_RSA_WITH_AES_128_CCM" },
1198 { 0xC09D, "TLS_RSA_WITH_AES_256_CCM" },
1199 { 0xC09E, "TLS_DHE_RSA_WITH_AES_128_CCM" },
1200 { 0xC09F, "TLS_DHE_RSA_WITH_AES_256_CCM" },
1201 { 0xC0A0, "TLS_RSA_WITH_AES_128_CCM_8" },
1202 { 0xC0A1, "TLS_RSA_WITH_AES_256_CCM_8" },
1203 { 0xC0A2, "TLS_DHE_RSA_WITH_AES_128_CCM_8" },
1204 { 0xC0A3, "TLS_DHE_RSA_WITH_AES_256_CCM_8" },
1205 { 0xC0A4, "TLS_PSK_WITH_AES_128_CCM" },
1206 { 0xC0A5, "TLS_PSK_WITH_AES_256_CCM" },
1207 { 0xC0A6, "TLS_DHE_PSK_WITH_AES_128_CCM" },
1208 { 0xC0A7, "TLS_DHE_PSK_WITH_AES_256_CCM" },
1209 { 0xC0A8, "TLS_PSK_WITH_AES_128_CCM_8" },
1210 { 0xC0A9, "TLS_PSK_WITH_AES_256_CCM_8" },
1211 { 0xC0AA, "TLS_PSK_DHE_WITH_AES_128_CCM_8" },
1212 { 0xC0AB, "TLS_PSK_DHE_WITH_AES_256_CCM_8" },
1213 /* RFC 7251 */
1214 { 0xC0AC, "TLS_ECDHE_ECDSA_WITH_AES_128_CCM" },
1215 { 0xC0AD, "TLS_ECDHE_ECDSA_WITH_AES_256_CCM" },
1216 { 0xC0AE, "TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8" },
1217 { 0xC0AF, "TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8" },
1218 /* RFC 8492 */
1219 { 0xC0B0, "TLS_ECCPWD_WITH_AES_128_GCM_SHA256" },
1220 { 0xC0B1, "TLS_ECCPWD_WITH_AES_256_GCM_SHA384" },
1221 { 0xC0B2, "TLS_ECCPWD_WITH_AES_128_CCM_SHA256" },
1222 { 0xC0B3, "TLS_ECCPWD_WITH_AES_256_CCM_SHA384" },
1223 /* draft-camwinget-tls-ts13-macciphersuites */
1224 { 0xC0B4, "TLS_SHA256_SHA256" },
1225 { 0xC0B5, "TLS_SHA384_SHA384" },
1226 /* https://www.ietf.org/archive/id/draft-cragie-tls-ecjpake-01.txt */
1227 { 0xC0FF, "TLS_ECJPAKE_WITH_AES_128_CCM_8" },
1228 /* draft-smyshlyaev-tls12-gost-suites */
1229 { 0xC100, "TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC" },
1230 { 0xC101, "TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC" },
1231 { 0xC102, "TLS_GOSTR341112_256_WITH_28147_CNT_IMIT" },
1232 /* draft-smyshlyaev-tls13-gost-suites */
1233 { 0xC103, "TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_L" },
1234 { 0xC104, "TLS_GOSTR341112_256_WITH_MAGMA_MGM_L" },
1235 { 0xC105, "TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_S" },
1236 { 0xC106, "TLS_GOSTR341112_256_WITH_MAGMA_MGM_S" },
1237 /* RFC 8701 */
1238 { 0xCACA, "Reserved (GREASE)" },
1239/*
12400xC0,0xAB-FF Unassigned
12410xC1,0x03-FD,* Unassigned
12420xFE,0x00-FD Unassigned
12430xFE,0xFE-FF Reserved to avoid conflicts with widely deployed implementations [Pasi_Eronen]
12440xFF,0x00-FF Reserved for Private Use [RFC5246]
1245*/
1246 /* old numbers used in the beginning
1247 * https://tools.ietf.org/html/draft-agl-tls-chacha20poly1305 */
1248 { 0xCC13, "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
1249 { 0xCC14, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" },
1250 { 0xCC15, "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
1251 /* RFC 7905 */
1252 { 0xCCA8, "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
1253 { 0xCCA9, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" },
1254 { 0xCCAA, "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
1255 { 0xCCAB, "TLS_PSK_WITH_CHACHA20_POLY1305_SHA256" },
1256 { 0xCCAC, "TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256" },
1257 { 0xCCAD, "TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256" },
1258 { 0xCCAE, "TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256" },
1259 /* RFC 8442 */
1260 { 0xD001, "TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256" },
1261 { 0xD002, "TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384" },
1262 { 0xD003, "TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256" },
1263 { 0xD005, "TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256" },
1264 /* RFC 8701 */
1265 { 0xDADA, "Reserved (GREASE)" },
1266 /* GM/T 0024-2014 */
1267 { 0xe001, "ECDHE_SM1_SM3"},
1268 { 0xe003, "ECC_SM1_SM3"},
1269 { 0xe005, "IBSDH_SM1_SM3"},
1270 { 0xe007, "IBC_SM1_SM3"},
1271 { 0xe009, "RSA_SM1_SM3"},
1272 { 0xe00a, "RSA_SM1_SHA1"},
1273 { 0xe011, "ECDHE_SM4_CBC_SM3"},
1274 { 0xe013, "ECC_SM4_CBC_SM3"},
1275 { 0xe015, "IBSDH_SM4_CBC_SM3"},
1276 { 0xe017, "IBC_SM4_CBC_SM3"},
1277 { 0xe019, "RSA_SM4_CBC_SM3"},
1278 { 0xe01a, "RSA_SM4_CBC_SHA1"},
1279 { 0xe01c, "RSA_SM4_CBC_SHA256"},
1280 { 0xe051, "ECDHE_SM4_GCM_SM3"},
1281 { 0xe053, "ECC_SM4_GCM_SM3"},
1282 { 0xe055, "IBSDH_SM4_GCM_SM3"},
1283 { 0xe057, "IBC_SM4_GCM_SM3"},
1284 { 0xe059, "RSA_SM4_GCM_SM3"},
1285 { 0xe05a, "RSA_SM4_GCM_SHA256"},
1286 /* https://tools.ietf.org/html/draft-josefsson-salsa20-tls */
1287 { 0xE410, "TLS_RSA_WITH_ESTREAM_SALSA20_SHA1" },
1288 { 0xE411, "TLS_RSA_WITH_SALSA20_SHA1" },
1289 { 0xE412, "TLS_ECDHE_RSA_WITH_ESTREAM_SALSA20_SHA1" },
1290 { 0xE413, "TLS_ECDHE_RSA_WITH_SALSA20_SHA1" },
1291 { 0xE414, "TLS_ECDHE_ECDSA_WITH_ESTREAM_SALSA20_SHA1" },
1292 { 0xE415, "TLS_ECDHE_ECDSA_WITH_SALSA20_SHA1" },
1293 { 0xE416, "TLS_PSK_WITH_ESTREAM_SALSA20_SHA1" },
1294 { 0xE417, "TLS_PSK_WITH_SALSA20_SHA1" },
1295 { 0xE418, "TLS_ECDHE_PSK_WITH_ESTREAM_SALSA20_SHA1" },
1296 { 0xE419, "TLS_ECDHE_PSK_WITH_SALSA20_SHA1" },
1297 { 0xE41A, "TLS_RSA_PSK_WITH_ESTREAM_SALSA20_SHA1" },
1298 { 0xE41B, "TLS_RSA_PSK_WITH_SALSA20_SHA1" },
1299 { 0xE41C, "TLS_DHE_PSK_WITH_ESTREAM_SALSA20_SHA1" },
1300 { 0xE41D, "TLS_DHE_PSK_WITH_SALSA20_SHA1" },
1301 { 0xE41E, "TLS_DHE_RSA_WITH_ESTREAM_SALSA20_SHA1" },
1302 { 0xE41F, "TLS_DHE_RSA_WITH_SALSA20_SHA1" },
1303 /* RFC 8701 */
1304 { 0xEAEA, "Reserved (GREASE)" },
1305 { 0xFAFA, "Reserved (GREASE)" },
1306 /* these from http://www.mozilla.org/projects/
1307 security/pki/nss/ssl/fips-ssl-ciphersuites.html */
1308 { 0xfefe, "SSL_RSA_FIPS_WITH_DES_CBC_SHA"},
1309 { 0xfeff, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA" },
1310 /* https://datatracker.ietf.org/doc/html/rfc9189 */
1311 { 0xff85, "TLS_GOSTR341112_256_WITH_28147_CNT_IMIT"},
1312 { 0xffe0, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA" },
1313 { 0xffe1, "SSL_RSA_FIPS_WITH_DES_CBC_SHA" },
1314 /* note that ciphersuites 0xff00 - 0xffff are private */
1315 { 0x00, NULL((void*)0) }
1316};
1317
1318value_string_ext ssl_31_ciphersuite_ext = VALUE_STRING_EXT_INIT(ssl_31_ciphersuite){ _try_val_to_str_ext_init, 0, (sizeof (ssl_31_ciphersuite) /
sizeof ((ssl_31_ciphersuite)[0]))-1, ssl_31_ciphersuite, "ssl_31_ciphersuite"
, ((void*)0) };
1319
1320/* http://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#tls-extensiontype-values-1 */
1321const value_string tls_hello_extension_types[] = {
1322 { SSL_HND_HELLO_EXT_SERVER_NAME0, "server_name" }, /* RFC 6066 */
1323 { SSL_HND_HELLO_EXT_MAX_FRAGMENT_LENGTH1, "max_fragment_length" },/* RFC 6066 */
1324 { SSL_HND_HELLO_EXT_CLIENT_CERTIFICATE_URL2, "client_certificate_url" }, /* RFC 6066 */
1325 { SSL_HND_HELLO_EXT_TRUSTED_CA_KEYS3, "trusted_ca_keys" }, /* RFC 6066 */
1326 { SSL_HND_HELLO_EXT_TRUNCATED_HMAC4, "truncated_hmac" }, /* RFC 6066 */
1327 { SSL_HND_HELLO_EXT_STATUS_REQUEST5, "status_request" }, /* RFC 6066 */
1328 { SSL_HND_HELLO_EXT_USER_MAPPING6, "user_mapping" }, /* RFC 4681 */
1329 { SSL_HND_HELLO_EXT_CLIENT_AUTHZ7, "client_authz" }, /* RFC 5878 */
1330 { SSL_HND_HELLO_EXT_SERVER_AUTHZ8, "server_authz" }, /* RFC 5878 */
1331 { SSL_HND_HELLO_EXT_CERT_TYPE9, "cert_type" }, /* RFC 6091 */
1332 { SSL_HND_HELLO_EXT_SUPPORTED_GROUPS10, "supported_groups" }, /* RFC 4492, RFC 7919 */
1333 { SSL_HND_HELLO_EXT_EC_POINT_FORMATS11, "ec_point_formats" }, /* RFC 4492 */
1334 { SSL_HND_HELLO_EXT_SRP12, "srp" }, /* RFC 5054 */
1335 { SSL_HND_HELLO_EXT_SIGNATURE_ALGORITHMS13, "signature_algorithms" }, /* RFC 5246 */
1336 { SSL_HND_HELLO_EXT_USE_SRTP14, "use_srtp" }, /* RFC 5764 */
1337 { SSL_HND_HELLO_EXT_HEARTBEAT15, "heartbeat" }, /* RFC 6520 */
1338 { SSL_HND_HELLO_EXT_ALPN16, "application_layer_protocol_negotiation" }, /* RFC 7301 */
1339 { SSL_HND_HELLO_EXT_STATUS_REQUEST_V217, "status_request_v2" }, /* RFC 6961 */
1340 { SSL_HND_HELLO_EXT_SIGNED_CERTIFICATE_TIMESTAMP18, "signed_certificate_timestamp" }, /* RFC 6962 */
1341 { SSL_HND_HELLO_EXT_CLIENT_CERT_TYPE19, "client_certificate_type" }, /* RFC 7250 */
1342 { SSL_HND_HELLO_EXT_SERVER_CERT_TYPE20, "server_certificate_type" }, /* RFC 7250 */
1343 { SSL_HND_HELLO_EXT_PADDING21, "padding" }, /* RFC 7685 */
1344 { SSL_HND_HELLO_EXT_ENCRYPT_THEN_MAC22, "encrypt_then_mac" }, /* RFC 7366 */
1345 { SSL_HND_HELLO_EXT_EXTENDED_MASTER_SECRET23, "extended_master_secret" }, /* RFC 7627 */
1346 { SSL_HND_HELLO_EXT_TOKEN_BINDING24, "token_binding" }, /* https://tools.ietf.org/html/draft-ietf-tokbind-negotiation */
1347 { SSL_HND_HELLO_EXT_CACHED_INFO25, "cached_info" }, /* RFC 7924 */
1348 { SSL_HND_HELLO_EXT_COMPRESS_CERTIFICATE27, "compress_certificate" }, /* https://tools.ietf.org/html/draft-ietf-tls-certificate-compression-03 */
1349 { SSL_HND_HELLO_EXT_RECORD_SIZE_LIMIT28, "record_size_limit" }, /* RFC 8449 */
1350 { SSL_HND_HELLO_EXT_DELEGATED_CREDENTIALS34, "delegated_credentials" }, /* draft-ietf-tls-subcerts-10.txt */
1351 { SSL_HND_HELLO_EXT_SESSION_TICKET_TLS35, "session_ticket" }, /* RFC 5077 / RFC 8447 */
1352 { SSL_HND_HELLO_EXT_KEY_SHARE_OLD40, "Reserved (key_share)" }, /* https://tools.ietf.org/html/draft-ietf-tls-tls13-22 (removed in -23) */
1353 { SSL_HND_HELLO_EXT_PRE_SHARED_KEY41, "pre_shared_key" }, /* RFC 8446 */
1354 { SSL_HND_HELLO_EXT_EARLY_DATA42, "early_data" }, /* RFC 8446 */
1355 { SSL_HND_HELLO_EXT_SUPPORTED_VERSIONS43, "supported_versions" }, /* RFC 8446 */
1356 { SSL_HND_HELLO_EXT_COOKIE44, "cookie" }, /* RFC 8446 */
1357 { SSL_HND_HELLO_EXT_PSK_KEY_EXCHANGE_MODES45, "psk_key_exchange_modes" }, /* RFC 8446 */
1358 { SSL_HND_HELLO_EXT_TICKET_EARLY_DATA_INFO46, "Reserved (ticket_early_data_info)" }, /* draft-ietf-tls-tls13-18 (removed in -19) */
1359 { SSL_HND_HELLO_EXT_CERTIFICATE_AUTHORITIES47, "certificate_authorities" }, /* RFC 8446 */
1360 { SSL_HND_HELLO_EXT_OID_FILTERS48, "oid_filters" }, /* RFC 8446 */
1361 { SSL_HND_HELLO_EXT_POST_HANDSHAKE_AUTH49, "post_handshake_auth" }, /* RFC 8446 */
1362 { SSL_HND_HELLO_EXT_SIGNATURE_ALGORITHMS_CERT50, "signature_algorithms_cert" }, /* RFC 8446 */
1363 { SSL_HND_HELLO_EXT_KEY_SHARE51, "key_share" }, /* RFC 8446 */
1364 { SSL_HND_HELLO_EXT_TRANSPARENCY_INFO52, "transparency_info" }, /* draft-ietf-trans-rfc6962-bis-41 */
1365 { SSL_HND_HELLO_EXT_CONNECTION_ID_DEPRECATED53, "connection_id (deprecated)" }, /* draft-ietf-tls-dtls-connection-id-07 */
1366 { SSL_HND_HELLO_EXT_CONNECTION_ID54, "connection_id" }, /* RFC 9146 */
1367 { SSL_HND_HELLO_EXT_EXTERNAL_ID_HASH55, "external_id_hash" }, /* RFC 8844 */
1368 { SSL_HND_HELLO_EXT_EXTERNAL_SESSION_ID56, "external_session_id" }, /* RFC 8844 */
1369 { SSL_HND_HELLO_EXT_QUIC_TRANSPORT_PARAMETERS_V157, "quic_transport_parameters" }, /* draft-ietf-quic-tls-33 */
1370 { SSL_HND_HELLO_EXT_TICKET_REQUEST58, "ticket_request" }, /* draft-ietf-tls-ticketrequests-07 */
1371 { SSL_HND_HELLO_EXT_DNSSEC_CHAIN59, "dnssec_chain" }, /* RFC 9102 */
1372 { SSL_HND_HELLO_EXT_GREASE_0A0A2570, "Reserved (GREASE)" }, /* RFC 8701 */
1373 { SSL_HND_HELLO_EXT_GREASE_1A1A6682, "Reserved (GREASE)" }, /* RFC 8701 */
1374 { SSL_HND_HELLO_EXT_GREASE_2A2A10794, "Reserved (GREASE)" }, /* RFC 8701 */
1375 { SSL_HND_HELLO_EXT_NPN13172, "next_protocol_negotiation"}, /* https://datatracker.ietf.org/doc/html/draft-agl-tls-nextprotoneg-03 */
1376 { SSL_HND_HELLO_EXT_GREASE_3A3A14906, "Reserved (GREASE)" }, /* RFC 8701 */
1377 { SSL_HND_HELLO_EXT_ALPS_OLD17513, "application_settings_old" }, /* draft-vvv-tls-alps-01 */
1378 { SSL_HND_HELLO_EXT_ALPS17613, "application_settings" }, /* draft-vvv-tls-alps-01 */ /* https://chromestatus.com/feature/5149147365900288 */
1379 { SSL_HND_HELLO_EXT_GREASE_4A4A19018, "Reserved (GREASE)" }, /* RFC 8701 */
1380 { SSL_HND_HELLO_EXT_GREASE_5A5A23130, "Reserved (GREASE)" }, /* RFC 8701 */
1381 { SSL_HND_HELLO_EXT_GREASE_6A6A27242, "Reserved (GREASE)" }, /* RFC 8701 */
1382 { SSL_HND_HELLO_EXT_CHANNEL_ID_OLD30031, "channel_id_old" }, /* https://tools.ietf.org/html/draft-balfanz-tls-channelid-00
1383 https://twitter.com/ericlaw/status/274237352531083264 */
1384 { SSL_HND_HELLO_EXT_CHANNEL_ID30032, "channel_id" }, /* https://tools.ietf.org/html/draft-balfanz-tls-channelid-01
1385 https://code.google.com/p/chromium/codesearch#chromium/src/net/third_party/nss/ssl/sslt.h&l=209 */
1386 { SSL_HND_HELLO_EXT_RENEGOTIATION_INFO65281, "renegotiation_info" }, /* RFC 5746 */
1387 { SSL_HND_HELLO_EXT_GREASE_7A7A31354, "Reserved (GREASE)" }, /* RFC 8701 */
1388 { SSL_HND_HELLO_EXT_GREASE_8A8A35466, "Reserved (GREASE)" }, /* RFC 8701 */
1389 { SSL_HND_HELLO_EXT_GREASE_9A9A39578, "Reserved (GREASE)" }, /* RFC 8701 */
1390 { SSL_HND_HELLO_EXT_GREASE_AAAA43690, "Reserved (GREASE)" }, /* RFC 8701 */
1391 { SSL_HND_HELLO_EXT_GREASE_BABA47802, "Reserved (GREASE)" }, /* RFC 8701 */
1392 { SSL_HND_HELLO_EXT_GREASE_CACA51914, "Reserved (GREASE)" }, /* RFC 8701 */
1393 { SSL_HND_HELLO_EXT_GREASE_DADA56026, "Reserved (GREASE)" }, /* RFC 8701 */
1394 { SSL_HND_HELLO_EXT_GREASE_EAEA60138, "Reserved (GREASE)" }, /* RFC 8701 */
1395 { SSL_HND_HELLO_EXT_GREASE_FAFA64250, "Reserved (GREASE)" }, /* RFC 8701 */
1396 { SSL_HND_HELLO_EXT_QUIC_TRANSPORT_PARAMETERS65445, "quic_transport_parameters (drafts version)" }, /* https://tools.ietf.org/html/draft-ietf-quic-tls */
1397 { SSL_HND_HELLO_EXT_ENCRYPTED_SERVER_NAME65486, "encrypted_server_name" }, /* https://tools.ietf.org/html/draft-ietf-tls-esni-01 */
1398 { SSL_HND_HELLO_EXT_ENCRYPTED_CLIENT_HELLO65037, "encrypted_client_hello" }, /* https://datatracker.ietf.org/doc/draft-ietf-tls-esni/17/ */
1399 { SSL_HND_HELLO_EXT_ECH_OUTER_EXTENSIONS64768, "ech_outer_extensions" }, /* https://datatracker.ietf.org/doc/draft-ietf-tls-esni/17/ */
1400 { 0, NULL((void*)0) }
1401};
1402
1403const value_string tls_hello_ext_server_name_type_vs[] = {
1404 { 0, "host_name" },
1405 { 0, NULL((void*)0) }
1406};
1407
1408/* RFC 6066 Section 4 */
1409const value_string tls_hello_ext_max_fragment_length[] = {
1410 { 1, "512" }, // 2^9
1411 { 2, "1024" }, // 2^10
1412 { 3, "2048" }, // 2^11
1413 { 4, "4096" }, // 2^12
1414 { 0, NULL((void*)0) }
1415};
1416
1417/* RFC 8446 Section 4.2.9 */
1418const value_string tls_hello_ext_psk_ke_mode[] = {
1419 { 0, "PSK-only key establishment (psk_ke)" },
1420 { 1, "PSK with (EC)DHE key establishment (psk_dhe_ke)" },
1421 { 0, NULL((void*)0) }
1422};
1423
1424/* RFC 6066 Section 6 */
1425const value_string tls_hello_ext_trusted_ca_key_type[] = {
1426 {0, "pre_agreed"},
1427 {1, "key_sha1_hash"},
1428 {2, "x509_name"},
1429 {3, "cert_sha1_hash"},
1430 {0, NULL((void*)0)}
1431};
1432
1433const value_string tls13_key_update_request[] = {
1434 { 0, "update_not_requested" },
1435 { 1, "update_requested" },
1436 { 0, NULL((void*)0) }
1437};
1438
1439/* RFC 5246 7.4.1.4.1 */
1440/* https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml */
1441/* Note that the TLS 1.3 SignatureScheme registry reserves all values
1442 * with first octet 0x00-0x06 and all values with second octet 0x00-0x03
1443 * for backwards compatibility with TLS 1.2 SignatureAndHashAlgorithm.
1444 *
1445 * RFC 8422 and RFC 9189 add official support in TLS 1.2 for some algorithms
1446 * originally defined for TLS 1.3, and extend the TLS SignatureAlgorithm
1447 * and TLS HashAlgorithm registries, but the new values are not compatible
1448 * with all of the TLS 1.3-only SignatureSchemes. Adding those values could
1449 * cause confusion if used to interpret one of those schemes in a
1450 * signature_algorithms extension offered in a TLS 1.3 ClientHello.
1451 */
1452const value_string tls_hash_algorithm[] = {
1453 { 0, "None" },
1454 { 1, "MD5" },
1455 { 2, "SHA1" },
1456 { 3, "SHA224" },
1457 { 4, "SHA256" },
1458 { 5, "SHA384" },
1459 { 6, "SHA512" },
1460#if 0
1461 /* RFC 8422 adds this to the HashAlgorithm registry, but it really
1462 * only applies to 0x0807 and 0x0808, not for other TLS 1.3
1463 * SignatureSchemes with 0x08 in the octet used for Hash in TLS 1.2.
1464 * E.g., we don't want to display this for 0x0806 rsa_pss_rsae_sha512.
1465 */
1466 { 8, "Intrinsic" },
1467#endif
1468 { 0, NULL((void*)0) }
1469};
1470
1471const value_string tls_signature_algorithm[] = {
1472 { 0, "Anonymous" },
1473 { 1, "RSA" },
1474 { 2, "DSA" },
1475 { 3, "ECDSA" },
1476#if 0
1477 /* As above. */
1478 { 7, "ED25519" },
1479 { 8, "ED448" },
1480 { 64, "GOSTR34102012_256" },
1481 { 65, "GOSTR34102012_512" },
1482#endif
1483 { 0, NULL((void*)0) }
1484};
1485
1486/* RFC 8446 Section 4.2.3 */
1487const value_string tls13_signature_algorithm[] = {
1488 { 0x0201, "rsa_pkcs1_sha1" },
1489 { 0x0203, "ecdsa_sha1" },
1490 { 0x0401, "rsa_pkcs1_sha256" },
1491 { 0x0403, "ecdsa_secp256r1_sha256" },
1492 { 0x0420, "rsa_pkcs1_sha256_legacy" }, /* draft-davidben-tls13-pkcs1-01 */
1493 { 0x0501, "rsa_pkcs1_sha384" },
1494 { 0x0503, "ecdsa_secp384r1_sha384" },
1495 { 0x0520, "rsa_pkcs1_sha384_legacy" }, /* draft-davidben-tls13-pkcs1-01 */
1496 { 0x0601, "rsa_pkcs1_sha512" },
1497 { 0x0603, "ecdsa_secp521r1_sha512" },
1498 { 0x0620, "rsa_pkcs1_sha512_legacy" }, /* draft-davidben-tls13-pkcs1-01 */
1499 { 0x0704, "eccsi_sha256" }, /* draft-wang-tls-raw-public-key-with-ibc-02 */
1500 { 0x0705, "iso_ibs1" }, /* draft-wang-tls-raw-public-key-with-ibc-02 */
1501 { 0x0706, "iso_ibs2" }, /* draft-wang-tls-raw-public-key-with-ibc-02 */
1502 { 0x0707, "iso_chinese_ibs" }, /* draft-wang-tls-raw-public-key-with-ibc-02 */
1503 { 0x0708, "sm2sig_sm3" },
1504 { 0x0709, "gostr34102012_256a" }, /* RFC9367 */
1505 { 0x070a, "gostr34102012_256b" }, /* RFC9367 */
1506 { 0x070b, "gostr34102012_256c" }, /* RFC9367 */
1507 { 0x070c, "gostr34102012_256d" }, /* RFC9367 */
1508 { 0x070d, "gostr34102012_512a" }, /* RFC9367 */
1509 { 0x070e, "gostr34102012_512b" }, /* RFC9367 */
1510 { 0x070f, "gostr34102012_512c" }, /* RFC9367 */
1511 { 0x0804, "rsa_pss_rsae_sha256" },
1512 { 0x0805, "rsa_pss_rsae_sha384" },
1513 { 0x0806, "rsa_pss_rsae_sha512" },
1514 { 0x0807, "ed25519" },
1515 { 0x0808, "ed448" },
1516 { 0x0809, "rsa_pss_pss_sha256" },
1517 { 0x080a, "rsa_pss_pss_sha384" },
1518 { 0x080b, "rsa_pss_pss_sha512" },
1519 { 0x081a, "ecdsa_brainpoolP256r1tls13_sha256" }, /* RFC8734 */
1520 { 0x081b, "ecdsa_brainpoolP384r1tls13_sha384" }, /* RFC8734 */
1521 { 0x081c, "ecdsa_brainpoolP512r1tls13_sha512" }, /* RFC8734 */
1522 { 0x0904, "mldsa44" }, /* draft-ietf-tls-mldsa-00 */
1523 { 0x0905, "mldsa65" }, /* draft-ietf-tls-mldsa-00 */
1524 { 0x0906, "mldsa87" }, /* draft-ietf-tls-mldsa-00 */
1525 { 0x0911, "slhdsa_sha2_128s" }, /* draft-reddy-tls-slhdsa-01 */
1526 { 0x0912, "slhdsa_sha2_128f" }, /* draft-reddy-tls-slhdsa-01 */
1527 { 0x0913, "slhdsa_sha2_192s" }, /* draft-reddy-tls-slhdsa-01 */
1528 { 0x0914, "slhdsa_sha2_192f" }, /* draft-reddy-tls-slhdsa-01 */
1529 { 0x0915, "slhdsa_sha2_256s" }, /* draft-reddy-tls-slhdsa-01 */
1530 { 0x0916, "slhdsa_sha2_256f" }, /* draft-reddy-tls-slhdsa-01 */
1531 { 0x0917, "slhdsa_shake_128s" }, /* draft-reddy-tls-slhdsa-01 */
1532 { 0x0918, "slhdsa_shake_128f" }, /* draft-reddy-tls-slhdsa-01 */
1533 { 0x0919, "slhdsa_shake_192s" }, /* draft-reddy-tls-slhdsa-01 */
1534 { 0x091a, "slhdsa_shake_192f" }, /* draft-reddy-tls-slhdsa-01 */
1535 { 0x091b, "slhdsa_shake_256s" }, /* draft-reddy-tls-slhdsa-01 */
1536 { 0x091c, "slhdsa_shake_256f" }, /* draft-reddy-tls-slhdsa-01 */
1537 /* PQC digital signature algorithms from OQS-OpenSSL,
1538 see https://github.com/open-quantum-safe/oqs-provider/blob/main/oqs-template/oqs-sig-info.md */
1539 { 0xfea0, "dilithium2" },
1540 { 0xfea1, "p256_dilithium2" },
1541 { 0xfea2, "rsa3072_dilithium2" },
1542 { 0xfea3, "dilithium3" },
1543 { 0xfea4, "p384_dilithium3" },
1544 { 0xfea5, "dilithium5" },
1545 { 0xfea6, "p521_dilithium5" },
1546 { 0xfea7, "dilithium2_aes" },
1547 { 0xfea8, "p256_dilithium2_aes" },
1548 { 0xfea9, "rsa3072_dilithium2_aes" },
1549 { 0xfeaa, "dilithium3_aes" },
1550 { 0xfeab, "p384_dilithium3_aes" },
1551 { 0xfeac, "dilithium5_aes" },
1552 { 0xfead, "p521_dilithium5_aes" },
1553 { 0xfe0b, "falcon512" },
1554 { 0xfe0c, "p256_falcon512" },
1555 { 0xfe0d, "rsa3072_falcon512" },
1556 { 0xfe0e, "falcon1024" },
1557 { 0xfe0f, "p521_falcon1024" },
1558 { 0xfe96, "picnicl1full" },
1559 { 0xfe97, "p256_picnicl1full" },
1560 { 0xfe98, "rsa3072_picnicl1full" },
1561 { 0xfe1b, "picnic3l1" },
1562 { 0xfe1c, "p256_picnic3l1" },
1563 { 0xfe1d, "rsa3072_picnic3l1" },
1564 { 0xfe27, "rainbowIclassic" },
1565 { 0xfe28, "p256_rainbowIclassic" },
1566 { 0xfe29, "rsa3072_rainbowIclassic" },
1567 { 0xfe3c, "rainbowVclassic" },
1568 { 0xfe3d, "p521_rainbowVclassic" },
1569 { 0xfe42, "sphincsharaka128frobust" },
1570 { 0xfe43, "p256_sphincsharaka128frobust" },
1571 { 0xfe44, "rsa3072_sphincsharaka128frobust" },
1572 { 0xfe5e, "sphincssha256128frobust" },
1573 { 0xfe5f, "p256_sphincssha256128frobust" },
1574 { 0xfe60, "rsa3072_sphincssha256128frobust" },
1575 { 0xfe7a, "sphincsshake256128frobust" },
1576 { 0xfe7b, "p256_sphincsshake256128frobust" },
1577 { 0xfe7c, "rsa3072_sphincsshake256128frobust" },
1578 { 0, NULL((void*)0) }
1579};
1580
1581/* RFC 6091 3.1 */
1582const value_string tls_certificate_type[] = {
1583 { 0, "X.509" },
1584 { 1, "OpenPGP" },
1585 { SSL_HND_CERT_TYPE_RAW_PUBLIC_KEY2, "Raw Public Key" }, /* RFC 7250 */
1586 { 0, NULL((void*)0) }
1587};
1588
1589const value_string tls_cert_chain_type[] = {
1590 { SSL_HND_CERT_URL_TYPE_INDIVIDUAL_CERT1, "Individual Certificates" },
1591 { SSL_HND_CERT_URL_TYPE_PKIPATH2, "PKI Path" },
1592 { 0, NULL((void*)0) }
1593};
1594
1595const value_string tls_cert_status_type[] = {
1596 { SSL_HND_CERT_STATUS_TYPE_OCSP1, "OCSP" },
1597 { SSL_HND_CERT_STATUS_TYPE_OCSP_MULTI2, "OCSP Multi" },
1598 { 0, NULL((void*)0) }
1599};
1600
1601/* Generated by tools/make-tls-ct-logids.py
1602 * Last-Modified Sat, 15 Nov 2025 14:27:28 GMT, 187 entries. */
1603static const bytes_string ct_logids[] = {
1604 { (const uint8_t[]){
1605 0xb2, 0x1e, 0x05, 0xcc, 0x8b, 0xa2, 0xcd, 0x8a, 0x20, 0x4e, 0x87,
1606 0x66, 0xf9, 0x2b, 0xb9, 0x8a, 0x25, 0x20, 0x67, 0x6b, 0xda, 0xfa,
1607 0x70, 0xe7, 0xb2, 0x49, 0x53, 0x2d, 0xef, 0x8b, 0x90, 0x5e,
1608 },
1609 32, "Google 'Argon2020' log" },
1610 { (const uint8_t[]){
1611 0xf6, 0x5c, 0x94, 0x2f, 0xd1, 0x77, 0x30, 0x22, 0x14, 0x54, 0x18,
1612 0x08, 0x30, 0x94, 0x56, 0x8e, 0xe3, 0x4d, 0x13, 0x19, 0x33, 0xbf,
1613 0xdf, 0x0c, 0x2f, 0x20, 0x0b, 0xcc, 0x4e, 0xf1, 0x64, 0xe3,
1614 },
1615 32, "Google 'Argon2021' log" },
1616 { (const uint8_t[]){
1617 0x29, 0x79, 0xbe, 0xf0, 0x9e, 0x39, 0x39, 0x21, 0xf0, 0x56, 0x73,
1618 0x9f, 0x63, 0xa5, 0x77, 0xe5, 0xbe, 0x57, 0x7d, 0x9c, 0x60, 0x0a,
1619 0xf8, 0xf9, 0x4d, 0x5d, 0x26, 0x5c, 0x25, 0x5d, 0xc7, 0x84,
1620 },
1621 32, "Google 'Argon2022' log" },
1622 { (const uint8_t[]){
1623 0xe8, 0x3e, 0xd0, 0xda, 0x3e, 0xf5, 0x06, 0x35, 0x32, 0xe7, 0x57,
1624 0x28, 0xbc, 0x89, 0x6b, 0xc9, 0x03, 0xd3, 0xcb, 0xd1, 0x11, 0x6b,
1625 0xec, 0xeb, 0x69, 0xe1, 0x77, 0x7d, 0x6d, 0x06, 0xbd, 0x6e,
1626 },
1627 32, "Google 'Argon2023' log" },
1628 { (const uint8_t[]){
1629 0xee, 0xcd, 0xd0, 0x64, 0xd5, 0xdb, 0x1a, 0xce, 0xc5, 0x5c, 0xb7,
1630 0x9d, 0xb4, 0xcd, 0x13, 0xa2, 0x32, 0x87, 0x46, 0x7c, 0xbc, 0xec,
1631 0xde, 0xc3, 0x51, 0x48, 0x59, 0x46, 0x71, 0x1f, 0xb5, 0x9b,
1632 },
1633 32, "Google 'Argon2024' log" },
1634 { (const uint8_t[]){
1635 0x4e, 0x75, 0xa3, 0x27, 0x5c, 0x9a, 0x10, 0xc3, 0x38, 0x5b, 0x6c,
1636 0xd4, 0xdf, 0x3f, 0x52, 0xeb, 0x1d, 0xf0, 0xe0, 0x8e, 0x1b, 0x8d,
1637 0x69, 0xc0, 0xb1, 0xfa, 0x64, 0xb1, 0x62, 0x9a, 0x39, 0xdf,
1638 },
1639 32, "Google 'Argon2025h1' log" },
1640 { (const uint8_t[]){
1641 0x12, 0xf1, 0x4e, 0x34, 0xbd, 0x53, 0x72, 0x4c, 0x84, 0x06, 0x19,
1642 0xc3, 0x8f, 0x3f, 0x7a, 0x13, 0xf8, 0xe7, 0xb5, 0x62, 0x87, 0x88,
1643 0x9c, 0x6d, 0x30, 0x05, 0x84, 0xeb, 0xe5, 0x86, 0x26, 0x3a,
1644 },
1645 32, "Google 'Argon2025h2' log" },
1646 { (const uint8_t[]){
1647 0x0e, 0x57, 0x94, 0xbc, 0xf3, 0xae, 0xa9, 0x3e, 0x33, 0x1b, 0x2c,
1648 0x99, 0x07, 0xb3, 0xf7, 0x90, 0xdf, 0x9b, 0xc2, 0x3d, 0x71, 0x32,
1649 0x25, 0xdd, 0x21, 0xa9, 0x25, 0xac, 0x61, 0xc5, 0x4e, 0x21,
1650 },
1651 32, "Google 'Argon2026h1' log" },
1652 { (const uint8_t[]){
1653 0xd7, 0x6d, 0x7d, 0x10, 0xd1, 0xa7, 0xf5, 0x77, 0xc2, 0xc7, 0xe9,
1654 0x5f, 0xd7, 0x00, 0xbf, 0xf9, 0x82, 0xc9, 0x33, 0x5a, 0x65, 0xe1,
1655 0xd0, 0xb3, 0x01, 0x73, 0x17, 0xc0, 0xc8, 0xc5, 0x69, 0x77,
1656 },
1657 32, "Google 'Argon2026h2' log" },
1658 { (const uint8_t[]){
1659 0xd6, 0xd5, 0x8d, 0xa9, 0xd0, 0x17, 0x53, 0xf3, 0x6a, 0x4a, 0xa0,
1660 0xc7, 0x57, 0x49, 0x02, 0xaf, 0xeb, 0xc7, 0xdc, 0x2c, 0xd3, 0x8c,
1661 0xd9, 0xf7, 0x64, 0xc8, 0x0c, 0x89, 0x19, 0x1e, 0x9f, 0x02,
1662 },
1663 32, "Google 'Argon2027h1'" },
1664 { (const uint8_t[]){
1665 0x07, 0xb7, 0x5c, 0x1b, 0xe5, 0x7d, 0x68, 0xff, 0xf1, 0xb0, 0xc6,
1666 0x1d, 0x23, 0x15, 0xc7, 0xba, 0xe6, 0x57, 0x7c, 0x57, 0x94, 0xb7,
1667 0x6a, 0xee, 0xbc, 0x61, 0x3a, 0x1a, 0x69, 0xd3, 0xa2, 0x1c,
1668 },
1669 32, "Google 'Xenon2020' log" },
1670 { (const uint8_t[]){
1671 0x7d, 0x3e, 0xf2, 0xf8, 0x8f, 0xff, 0x88, 0x55, 0x68, 0x24, 0xc2,
1672 0xc0, 0xca, 0x9e, 0x52, 0x89, 0x79, 0x2b, 0xc5, 0x0e, 0x78, 0x09,
1673 0x7f, 0x2e, 0x6a, 0x97, 0x68, 0x99, 0x7e, 0x22, 0xf0, 0xd7,
1674 },
1675 32, "Google 'Xenon2021' log" },
1676 { (const uint8_t[]){
1677 0x46, 0xa5, 0x55, 0xeb, 0x75, 0xfa, 0x91, 0x20, 0x30, 0xb5, 0xa2,
1678 0x89, 0x69, 0xf4, 0xf3, 0x7d, 0x11, 0x2c, 0x41, 0x74, 0xbe, 0xfd,
1679 0x49, 0xb8, 0x85, 0xab, 0xf2, 0xfc, 0x70, 0xfe, 0x6d, 0x47,
1680 },
1681 32, "Google 'Xenon2022' log" },
1682 { (const uint8_t[]){
1683 0xad, 0xf7, 0xbe, 0xfa, 0x7c, 0xff, 0x10, 0xc8, 0x8b, 0x9d, 0x3d,
1684 0x9c, 0x1e, 0x3e, 0x18, 0x6a, 0xb4, 0x67, 0x29, 0x5d, 0xcf, 0xb1,
1685 0x0c, 0x24, 0xca, 0x85, 0x86, 0x34, 0xeb, 0xdc, 0x82, 0x8a,
1686 },
1687 32, "Google 'Xenon2023' log" },
1688 { (const uint8_t[]){
1689 0x76, 0xff, 0x88, 0x3f, 0x0a, 0xb6, 0xfb, 0x95, 0x51, 0xc2, 0x61,
1690 0xcc, 0xf5, 0x87, 0xba, 0x34, 0xb4, 0xa4, 0xcd, 0xbb, 0x29, 0xdc,
1691 0x68, 0x42, 0x0a, 0x9f, 0xe6, 0x67, 0x4c, 0x5a, 0x3a, 0x74,
1692 },
1693 32, "Google 'Xenon2024' log" },
1694 { (const uint8_t[]){
1695 0xcf, 0x11, 0x56, 0xee, 0xd5, 0x2e, 0x7c, 0xaf, 0xf3, 0x87, 0x5b,
1696 0xd9, 0x69, 0x2e, 0x9b, 0xe9, 0x1a, 0x71, 0x67, 0x4a, 0xb0, 0x17,
1697 0xec, 0xac, 0x01, 0xd2, 0x5b, 0x77, 0xce, 0xcc, 0x3b, 0x08,
1698 },
1699 32, "Google 'Xenon2025h1' log" },
1700 { (const uint8_t[]){
1701 0xdd, 0xdc, 0xca, 0x34, 0x95, 0xd7, 0xe1, 0x16, 0x05, 0xe7, 0x95,
1702 0x32, 0xfa, 0xc7, 0x9f, 0xf8, 0x3d, 0x1c, 0x50, 0xdf, 0xdb, 0x00,
1703 0x3a, 0x14, 0x12, 0x76, 0x0a, 0x2c, 0xac, 0xbb, 0xc8, 0x2a,
1704 },
1705 32, "Google 'Xenon2025h2' log" },
1706 { (const uint8_t[]){
1707 0x96, 0x97, 0x64, 0xbf, 0x55, 0x58, 0x97, 0xad, 0xf7, 0x43, 0x87,
1708 0x68, 0x37, 0x08, 0x42, 0x77, 0xe9, 0xf0, 0x3a, 0xd5, 0xf6, 0xa4,
1709 0xf3, 0x36, 0x6e, 0x46, 0xa4, 0x3f, 0x0f, 0xca, 0xa9, 0xc6,
1710 },
1711 32, "Google 'Xenon2026h1' log" },
1712 { (const uint8_t[]){
1713 0xd8, 0x09, 0x55, 0x3b, 0x94, 0x4f, 0x7a, 0xff, 0xc8, 0x16, 0x19,
1714 0x6f, 0x94, 0x4f, 0x85, 0xab, 0xb0, 0xf8, 0xfc, 0x5e, 0x87, 0x55,
1715 0x26, 0x0f, 0x15, 0xd1, 0x2e, 0x72, 0xbb, 0x45, 0x4b, 0x14,
1716 },
1717 32, "Google 'Xenon2026h2' log" },
1718 { (const uint8_t[]){
1719 0x44, 0xc2, 0xbd, 0x0c, 0xe9, 0x14, 0x0e, 0x64, 0xa5, 0xc9, 0x4a,
1720 0x01, 0x93, 0x0a, 0x5a, 0xa1, 0xbb, 0x35, 0x97, 0x0e, 0x00, 0xee,
1721 0x11, 0x16, 0x89, 0x68, 0x2a, 0x1c, 0x44, 0xd7, 0xb5, 0x66,
1722 },
1723 32, "Google 'Xenon2027h1'" },
1724 { (const uint8_t[]){
1725 0x68, 0xf6, 0x98, 0xf8, 0x1f, 0x64, 0x82, 0xbe, 0x3a, 0x8c, 0xee,
1726 0xb9, 0x28, 0x1d, 0x4c, 0xfc, 0x71, 0x51, 0x5d, 0x67, 0x93, 0xd4,
1727 0x44, 0xd1, 0x0a, 0x67, 0xac, 0xbb, 0x4f, 0x4f, 0xfb, 0xc4,
1728 },
1729 32, "Google 'Aviator' log" },
1730 { (const uint8_t[]){
1731 0x29, 0x3c, 0x51, 0x96, 0x54, 0xc8, 0x39, 0x65, 0xba, 0xaa, 0x50,
1732 0xfc, 0x58, 0x07, 0xd4, 0xb7, 0x6f, 0xbf, 0x58, 0x7a, 0x29, 0x72,
1733 0xdc, 0xa4, 0xc3, 0x0c, 0xf4, 0xe5, 0x45, 0x47, 0xf4, 0x78,
1734 },
1735 32, "Google 'Icarus' log" },
1736 { (const uint8_t[]){
1737 0xa4, 0xb9, 0x09, 0x90, 0xb4, 0x18, 0x58, 0x14, 0x87, 0xbb, 0x13,
1738 0xa2, 0xcc, 0x67, 0x70, 0x0a, 0x3c, 0x35, 0x98, 0x04, 0xf9, 0x1b,
1739 0xdf, 0xb8, 0xe3, 0x77, 0xcd, 0x0e, 0xc8, 0x0d, 0xdc, 0x10,
1740 },
1741 32, "Google 'Pilot' log" },
1742 { (const uint8_t[]){
1743 0xee, 0x4b, 0xbd, 0xb7, 0x75, 0xce, 0x60, 0xba, 0xe1, 0x42, 0x69,
1744 0x1f, 0xab, 0xe1, 0x9e, 0x66, 0xa3, 0x0f, 0x7e, 0x5f, 0xb0, 0x72,
1745 0xd8, 0x83, 0x00, 0xc4, 0x7b, 0x89, 0x7a, 0xa8, 0xfd, 0xcb,
1746 },
1747 32, "Google 'Rocketeer' log" },
1748 { (const uint8_t[]){
1749 0xbb, 0xd9, 0xdf, 0xbc, 0x1f, 0x8a, 0x71, 0xb5, 0x93, 0x94, 0x23,
1750 0x97, 0xaa, 0x92, 0x7b, 0x47, 0x38, 0x57, 0x95, 0x0a, 0xab, 0x52,
1751 0xe8, 0x1a, 0x90, 0x96, 0x64, 0x36, 0x8e, 0x1e, 0xd1, 0x85,
1752 },
1753 32, "Google 'Skydiver' log" },
1754 { (const uint8_t[]){
1755 0xfa, 0xd4, 0xc9, 0x7c, 0xc4, 0x9e, 0xe2, 0xf8, 0xac, 0x85, 0xc5,
1756 0xea, 0x5c, 0xea, 0x09, 0xd0, 0x22, 0x0d, 0xbb, 0xf4, 0xe4, 0x9c,
1757 0x6b, 0x50, 0x66, 0x2f, 0xf8, 0x68, 0xf8, 0x6b, 0x8c, 0x28,
1758 },
1759 32, "Google 'Argon2017' log" },
1760 { (const uint8_t[]){
1761 0xa4, 0x50, 0x12, 0x69, 0x05, 0x5a, 0x15, 0x54, 0x5e, 0x62, 0x11,
1762 0xab, 0x37, 0xbc, 0x10, 0x3f, 0x62, 0xae, 0x55, 0x76, 0xa4, 0x5e,
1763 0x4b, 0x17, 0x14, 0x45, 0x3e, 0x1b, 0x22, 0x10, 0x6a, 0x25,
1764 },
1765 32, "Google 'Argon2018' log" },
1766 { (const uint8_t[]){
1767 0x63, 0xf2, 0xdb, 0xcd, 0xe8, 0x3b, 0xcc, 0x2c, 0xcf, 0x0b, 0x72,
1768 0x84, 0x27, 0x57, 0x6b, 0x33, 0xa4, 0x8d, 0x61, 0x77, 0x8f, 0xbd,
1769 0x75, 0xa6, 0x38, 0xb1, 0xc7, 0x68, 0x54, 0x4b, 0xd8, 0x8d,
1770 },
1771 32, "Google 'Argon2019' log" },
1772 { (const uint8_t[]){
1773 0xb1, 0x0c, 0xd5, 0x59, 0xa6, 0xd6, 0x78, 0x46, 0x81, 0x1f, 0x7d,
1774 0xf9, 0xa5, 0x15, 0x32, 0x73, 0x9a, 0xc4, 0x8d, 0x70, 0x3b, 0xea,
1775 0x03, 0x23, 0xda, 0x5d, 0x38, 0x75, 0x5b, 0xc0, 0xad, 0x4e,
1776 },
1777 32, "Google 'Xenon2018' log" },
1778 { (const uint8_t[]){
1779 0x08, 0x41, 0x14, 0x98, 0x00, 0x71, 0x53, 0x2c, 0x16, 0x19, 0x04,
1780 0x60, 0xbc, 0xfc, 0x47, 0xfd, 0xc2, 0x65, 0x3a, 0xfa, 0x29, 0x2c,
1781 0x72, 0xb3, 0x7f, 0xf8, 0x63, 0xae, 0x29, 0xcc, 0xc9, 0xf0,
1782 },
1783 32, "Google 'Xenon2019' log" },
1784 { (const uint8_t[]){
1785 0xa8, 0x99, 0xd8, 0x78, 0x0c, 0x92, 0x90, 0xaa, 0xf4, 0x62, 0xf3,
1786 0x18, 0x80, 0xcc, 0xfb, 0xd5, 0x24, 0x51, 0xe9, 0x70, 0xd0, 0xfb,
1787 0xf5, 0x91, 0xef, 0x75, 0xb0, 0xd9, 0x9b, 0x64, 0x56, 0x81,
1788 },
1789 32, "Google 'Submariner' log" },
1790 { (const uint8_t[]){
1791 0x1d, 0x02, 0x4b, 0x8e, 0xb1, 0x49, 0x8b, 0x34, 0x4d, 0xfd, 0x87,
1792 0xea, 0x3e, 0xfc, 0x09, 0x96, 0xf7, 0x50, 0x6f, 0x23, 0x5d, 0x1d,
1793 0x49, 0x70, 0x61, 0xa4, 0x77, 0x3c, 0x43, 0x9c, 0x25, 0xfb,
1794 },
1795 32, "Google 'Daedalus' log" },
1796 { (const uint8_t[]){
1797 0xb0, 0xcc, 0x83, 0xe5, 0xa5, 0xf9, 0x7d, 0x6b, 0xaf, 0x7c, 0x09,
1798 0xcc, 0x28, 0x49, 0x04, 0x87, 0x2a, 0xc7, 0xe8, 0x8b, 0x13, 0x2c,
1799 0x63, 0x50, 0xb7, 0xc6, 0xfd, 0x26, 0xe1, 0x6c, 0x6c, 0x77,
1800 },
1801 32, "Google 'Testtube' log" },
1802 { (const uint8_t[]){
1803 0xc3, 0xbf, 0x03, 0xa7, 0xe1, 0xca, 0x88, 0x41, 0xc6, 0x07, 0xba,
1804 0xe3, 0xff, 0x42, 0x70, 0xfc, 0xa5, 0xec, 0x45, 0xb1, 0x86, 0xeb,
1805 0xbe, 0x4e, 0x2c, 0xf3, 0xfc, 0x77, 0x86, 0x30, 0xf5, 0xf6,
1806 },
1807 32, "Google 'Crucible' log" },
1808 { (const uint8_t[]){
1809 0x52, 0xeb, 0x4b, 0x22, 0x5e, 0xc8, 0x96, 0x97, 0x48, 0x50, 0x67,
1810 0x5f, 0x23, 0xe4, 0x3b, 0xc1, 0xd0, 0x21, 0xe3, 0x21, 0x4c, 0xe5,
1811 0x2e, 0xcd, 0x5f, 0xa8, 0x7c, 0x20, 0x3c, 0xdf, 0xca, 0x03,
1812 },
1813 32, "Google 'Solera2018' log" },
1814 { (const uint8_t[]){
1815 0x0b, 0x76, 0x0e, 0x9a, 0x8b, 0x9a, 0x68, 0x2f, 0x88, 0x98, 0x5b,
1816 0x15, 0xe9, 0x47, 0x50, 0x1a, 0x56, 0x44, 0x6b, 0xba, 0x88, 0x30,
1817 0x78, 0x5c, 0x38, 0x42, 0x99, 0x43, 0x86, 0x45, 0x0c, 0x00,
1818 },
1819 32, "Google 'Solera2019' log" },
1820 { (const uint8_t[]){
1821 0x1f, 0xc7, 0x2c, 0xe5, 0xa1, 0xb7, 0x99, 0xf4, 0x00, 0xc3, 0x59,
1822 0xbf, 0xf9, 0x6c, 0xa3, 0x91, 0x35, 0x48, 0xe8, 0x64, 0x42, 0x20,
1823 0x61, 0x09, 0x52, 0xe9, 0xba, 0x17, 0x74, 0xf7, 0xba, 0xc7,
1824 },
1825 32, "Google 'Solera2020' log" },
1826 { (const uint8_t[]){
1827 0xa3, 0xc9, 0x98, 0x45, 0xe8, 0x0a, 0xb7, 0xce, 0x00, 0x15, 0x7b,
1828 0x37, 0x42, 0xdf, 0x02, 0x07, 0xdd, 0x27, 0x2b, 0x2b, 0x60, 0x2e,
1829 0xcf, 0x98, 0xee, 0x2c, 0x12, 0xdb, 0x9c, 0x5a, 0xe7, 0xe7,
1830 },
1831 32, "Google 'Solera2021' log" },
1832 { (const uint8_t[]){
1833 0x69, 0x7a, 0xaf, 0xca, 0x1a, 0x6b, 0x53, 0x6f, 0xae, 0x21, 0x20,
1834 0x50, 0x46, 0xde, 0xba, 0xd7, 0xe0, 0xea, 0xea, 0x13, 0xd2, 0x43,
1835 0x2e, 0x6e, 0x9d, 0x8f, 0xb3, 0x79, 0xf2, 0xb9, 0xaa, 0xf3,
1836 },
1837 32, "Google 'Solera2022' log" },
1838 { (const uint8_t[]){
1839 0xf9, 0x7e, 0x97, 0xb8, 0xd3, 0x3e, 0xf7, 0xa1, 0x59, 0x02, 0xa5,
1840 0x3a, 0x19, 0xe1, 0x79, 0x90, 0xe5, 0xdc, 0x40, 0x6a, 0x03, 0x18,
1841 0x25, 0xba, 0xad, 0x93, 0xe9, 0x8f, 0x9b, 0x9c, 0x69, 0xcb,
1842 },
1843 32, "Google 'Solera2023' log" },
1844 { (const uint8_t[]){
1845 0x30, 0x24, 0xce, 0x7e, 0xeb, 0x16, 0x88, 0x62, 0x72, 0x4b, 0xea,
1846 0x70, 0x2e, 0xff, 0xf9, 0x92, 0xcf, 0xe4, 0x56, 0x43, 0x41, 0x91,
1847 0xaa, 0x59, 0x5b, 0x25, 0xf8, 0x02, 0x26, 0xc8, 0x00, 0x17,
1848 },
1849 32, "Google 'Solera2024' log" },
1850 { (const uint8_t[]){
1851 0x3f, 0xe1, 0xcb, 0x46, 0xed, 0x47, 0x35, 0x79, 0xaf, 0x01, 0x41,
1852 0xf9, 0x72, 0x4d, 0x9d, 0xc4, 0x43, 0x47, 0x2d, 0x75, 0x6e, 0x85,
1853 0xe7, 0x71, 0x9c, 0x55, 0x82, 0x48, 0x5d, 0xd4, 0xe1, 0xe4,
1854 },
1855 32, "Google 'Solera2025h1' log" },
1856 { (const uint8_t[]){
1857 0x26, 0x02, 0x39, 0x48, 0x87, 0x4c, 0xf7, 0xfc, 0xd0, 0xfb, 0x64,
1858 0x71, 0xa4, 0x3e, 0x84, 0x7e, 0xbb, 0x20, 0x0a, 0xe6, 0xe2, 0xfa,
1859 0x24, 0x23, 0x6d, 0xf6, 0xd1, 0xa6, 0x06, 0x63, 0x0f, 0xb1,
1860 },
1861 32, "Google 'Solera2025h2' log" },
1862 { (const uint8_t[]){
1863 0xc8, 0x4b, 0x90, 0x7a, 0x07, 0xbe, 0xaa, 0x29, 0xa6, 0x14, 0xc2,
1864 0x45, 0x84, 0xb7, 0xa3, 0xf6, 0x62, 0x43, 0x94, 0x68, 0x7b, 0x25,
1865 0xfe, 0x62, 0x83, 0x8b, 0x71, 0xec, 0x42, 0x2a, 0xd2, 0xf9,
1866 },
1867 32, "Google 'Solera2026h1' log" },
1868 { (const uint8_t[]){
1869 0x62, 0xe9, 0x00, 0x60, 0x04, 0xa3, 0x07, 0x95, 0x5a, 0x75, 0x44,
1870 0xb4, 0xd5, 0x84, 0xa9, 0x62, 0x68, 0xca, 0x1d, 0x6e, 0x45, 0x85,
1871 0xad, 0xf0, 0x91, 0x6d, 0xfe, 0x5f, 0xdc, 0x1f, 0x04, 0xdb,
1872 },
1873 32, "Google 'Solera2026h2' log" },
1874 { (const uint8_t[]){
1875 0x3d, 0xe4, 0x92, 0xa8, 0x98, 0x93, 0xad, 0x70, 0x5e, 0x78, 0x46,
1876 0xed, 0x21, 0xd4, 0x8d, 0xca, 0xfb, 0xad, 0x13, 0x9e, 0xa6, 0x4e,
1877 0xd1, 0xe3, 0x49, 0xf9, 0x00, 0xb0, 0xa2, 0xcd, 0xa5, 0xe2,
1878 },
1879 32, "Google 'Solera2027h1' log" },
1880 { (const uint8_t[]){
1881 0x5e, 0xa7, 0x73, 0xf9, 0xdf, 0x56, 0xc0, 0xe7, 0xb5, 0x36, 0x48,
1882 0x7d, 0xd0, 0x49, 0xe0, 0x32, 0x7a, 0x91, 0x9a, 0x0c, 0x84, 0xa1,
1883 0x12, 0x12, 0x84, 0x18, 0x75, 0x96, 0x81, 0x71, 0x45, 0x58,
1884 },
1885 32, "Cloudflare 'Nimbus2020' Log" },
1886 { (const uint8_t[]){
1887 0x44, 0x94, 0x65, 0x2e, 0xb0, 0xee, 0xce, 0xaf, 0xc4, 0x40, 0x07,
1888 0xd8, 0xa8, 0xfe, 0x28, 0xc0, 0xda, 0xe6, 0x82, 0xbe, 0xd8, 0xcb,
1889 0x31, 0xb5, 0x3f, 0xd3, 0x33, 0x96, 0xb5, 0xb6, 0x81, 0xa8,
1890 },
1891 32, "Cloudflare 'Nimbus2021' Log" },
1892 { (const uint8_t[]){
1893 0x41, 0xc8, 0xca, 0xb1, 0xdf, 0x22, 0x46, 0x4a, 0x10, 0xc6, 0xa1,
1894 0x3a, 0x09, 0x42, 0x87, 0x5e, 0x4e, 0x31, 0x8b, 0x1b, 0x03, 0xeb,
1895 0xeb, 0x4b, 0xc7, 0x68, 0xf0, 0x90, 0x62, 0x96, 0x06, 0xf6,
1896 },
1897 32, "Cloudflare 'Nimbus2022' Log" },
1898 { (const uint8_t[]){
1899 0x7a, 0x32, 0x8c, 0x54, 0xd8, 0xb7, 0x2d, 0xb6, 0x20, 0xea, 0x38,
1900 0xe0, 0x52, 0x1e, 0xe9, 0x84, 0x16, 0x70, 0x32, 0x13, 0x85, 0x4d,
1901 0x3b, 0xd2, 0x2b, 0xc1, 0x3a, 0x57, 0xa3, 0x52, 0xeb, 0x52,
1902 },
1903 32, "Cloudflare 'Nimbus2023' Log" },
1904 { (const uint8_t[]){
1905 0xda, 0xb6, 0xbf, 0x6b, 0x3f, 0xb5, 0xb6, 0x22, 0x9f, 0x9b, 0xc2,
1906 0xbb, 0x5c, 0x6b, 0xe8, 0x70, 0x91, 0x71, 0x6c, 0xbb, 0x51, 0x84,
1907 0x85, 0x34, 0xbd, 0xa4, 0x3d, 0x30, 0x48, 0xd7, 0xfb, 0xab,
1908 },
1909 32, "Cloudflare 'Nimbus2024' Log" },
1910 { (const uint8_t[]){
1911 0xcc, 0xfb, 0x0f, 0x6a, 0x85, 0x71, 0x09, 0x65, 0xfe, 0x95, 0x9b,
1912 0x53, 0xce, 0xe9, 0xb2, 0x7c, 0x22, 0xe9, 0x85, 0x5c, 0x0d, 0x97,
1913 0x8d, 0xb6, 0xa9, 0x7e, 0x54, 0xc0, 0xfe, 0x4c, 0x0d, 0xb0,
1914 },
1915 32, "Cloudflare 'Nimbus2025'" },
1916 { (const uint8_t[]){
1917 0xcb, 0x38, 0xf7, 0x15, 0x89, 0x7c, 0x84, 0xa1, 0x44, 0x5f, 0x5b,
1918 0xc1, 0xdd, 0xfb, 0xc9, 0x6e, 0xf2, 0x9a, 0x59, 0xcd, 0x47, 0x0a,
1919 0x69, 0x05, 0x85, 0xb0, 0xcb, 0x14, 0xc3, 0x14, 0x58, 0xe7,
1920 },
1921 32, "Cloudflare 'Nimbus2026'" },
1922 { (const uint8_t[]){
1923 0x4c, 0x63, 0xdc, 0x98, 0xe5, 0x9c, 0x1d, 0xab, 0x88, 0xf6, 0x1e,
1924 0x8a, 0x3d, 0xde, 0xae, 0x8f, 0xab, 0x44, 0xa3, 0x37, 0x7b, 0x5f,
1925 0x9b, 0x94, 0xc3, 0xfb, 0xa1, 0x9c, 0xfc, 0xc1, 0xbe, 0x26,
1926 },
1927 32, "Cloudflare 'Nimbus2027'" },
1928 { (const uint8_t[]){
1929 0x1f, 0xbc, 0x36, 0xe0, 0x02, 0xed, 0xe9, 0x7f, 0x40, 0x19, 0x9e,
1930 0x86, 0xb3, 0x57, 0x3b, 0x8a, 0x42, 0x17, 0xd8, 0x01, 0x87, 0x74,
1931 0x6a, 0xd0, 0xda, 0x03, 0xa0, 0x60, 0x54, 0xd2, 0x0d, 0xf4,
1932 },
1933 32, "Cloudflare 'Nimbus2017' Log" },
1934 { (const uint8_t[]){
1935 0xdb, 0x74, 0xaf, 0xee, 0xcb, 0x29, 0xec, 0xb1, 0xfe, 0xca, 0x3e,
1936 0x71, 0x6d, 0x2c, 0xe5, 0xb9, 0xaa, 0xbb, 0x36, 0xf7, 0x84, 0x71,
1937 0x83, 0xc7, 0x5d, 0x9d, 0x4f, 0x37, 0xb6, 0x1f, 0xbf, 0x64,
1938 },
1939 32, "Cloudflare 'Nimbus2018' Log" },
1940 { (const uint8_t[]){
1941 0x74, 0x7e, 0xda, 0x83, 0x31, 0xad, 0x33, 0x10, 0x91, 0x21, 0x9c,
1942 0xce, 0x25, 0x4f, 0x42, 0x70, 0xc2, 0xbf, 0xfd, 0x5e, 0x42, 0x20,
1943 0x08, 0xc6, 0x37, 0x35, 0x79, 0xe6, 0x10, 0x7b, 0xcc, 0x56,
1944 },
1945 32, "Cloudflare 'Nimbus2019' Log" },
1946 { (const uint8_t[]){
1947 0x56, 0x14, 0x06, 0x9a, 0x2f, 0xd7, 0xc2, 0xec, 0xd3, 0xf5, 0xe1,
1948 0xbd, 0x44, 0xb2, 0x3e, 0xc7, 0x46, 0x76, 0xb9, 0xbc, 0x99, 0x11,
1949 0x5c, 0xc0, 0xef, 0x94, 0x98, 0x55, 0xd6, 0x89, 0xd0, 0xdd,
1950 },
1951 32, "DigiCert Log Server" },
1952 { (const uint8_t[]){
1953 0x87, 0x75, 0xbf, 0xe7, 0x59, 0x7c, 0xf8, 0x8c, 0x43, 0x99, 0x5f,
1954 0xbd, 0xf3, 0x6e, 0xff, 0x56, 0x8d, 0x47, 0x56, 0x36, 0xff, 0x4a,
1955 0xb5, 0x60, 0xc1, 0xb4, 0xea, 0xff, 0x5e, 0xa0, 0x83, 0x0f,
1956 },
1957 32, "DigiCert Log Server 2" },
1958 { (const uint8_t[]){
1959 0xf0, 0x95, 0xa4, 0x59, 0xf2, 0x00, 0xd1, 0x82, 0x40, 0x10, 0x2d,
1960 0x2f, 0x93, 0x88, 0x8e, 0xad, 0x4b, 0xfe, 0x1d, 0x47, 0xe3, 0x99,
1961 0xe1, 0xd0, 0x34, 0xa6, 0xb0, 0xa8, 0xaa, 0x8e, 0xb2, 0x73,
1962 },
1963 32, "DigiCert Yeti2020 Log" },
1964 { (const uint8_t[]){
1965 0x5c, 0xdc, 0x43, 0x92, 0xfe, 0xe6, 0xab, 0x45, 0x44, 0xb1, 0x5e,
1966 0x9a, 0xd4, 0x56, 0xe6, 0x10, 0x37, 0xfb, 0xd5, 0xfa, 0x47, 0xdc,
1967 0xa1, 0x73, 0x94, 0xb2, 0x5e, 0xe6, 0xf6, 0xc7, 0x0e, 0xca,
1968 },
1969 32, "DigiCert Yeti2021 Log" },
1970 { (const uint8_t[]){
1971 0x22, 0x45, 0x45, 0x07, 0x59, 0x55, 0x24, 0x56, 0x96, 0x3f, 0xa1,
1972 0x2f, 0xf1, 0xf7, 0x6d, 0x86, 0xe0, 0x23, 0x26, 0x63, 0xad, 0xc0,
1973 0x4b, 0x7f, 0x5d, 0xc6, 0x83, 0x5c, 0x6e, 0xe2, 0x0f, 0x02,
1974 },
1975 32, "DigiCert Yeti2022 Log" },
1976 { (const uint8_t[]){
1977 0x35, 0xcf, 0x19, 0x1b, 0xbf, 0xb1, 0x6c, 0x57, 0xbf, 0x0f, 0xad,
1978 0x4c, 0x6d, 0x42, 0xcb, 0xbb, 0xb6, 0x27, 0x20, 0x26, 0x51, 0xea,
1979 0x3f, 0xe1, 0x2a, 0xef, 0xa8, 0x03, 0xc3, 0x3b, 0xd6, 0x4c,
1980 },
1981 32, "DigiCert Yeti2023 Log" },
1982 { (const uint8_t[]){
1983 0x48, 0xb0, 0xe3, 0x6b, 0xda, 0xa6, 0x47, 0x34, 0x0f, 0xe5, 0x6a,
1984 0x02, 0xfa, 0x9d, 0x30, 0xeb, 0x1c, 0x52, 0x01, 0xcb, 0x56, 0xdd,
1985 0x2c, 0x81, 0xd9, 0xbb, 0xbf, 0xab, 0x39, 0xd8, 0x84, 0x73,
1986 },
1987 32, "DigiCert Yeti2024 Log" },
1988 { (const uint8_t[]){
1989 0x7d, 0x59, 0x1e, 0x12, 0xe1, 0x78, 0x2a, 0x7b, 0x1c, 0x61, 0x67,
1990 0x7c, 0x5e, 0xfd, 0xf8, 0xd0, 0x87, 0x5c, 0x14, 0xa0, 0x4e, 0x95,
1991 0x9e, 0xb9, 0x03, 0x2f, 0xd9, 0x0e, 0x8c, 0x2e, 0x79, 0xb8,
1992 },
1993 32, "DigiCert Yeti2025 Log" },
1994 { (const uint8_t[]){
1995 0xc6, 0x52, 0xa0, 0xec, 0x48, 0xce, 0xb3, 0xfc, 0xab, 0x17, 0x09,
1996 0x92, 0xc4, 0x3a, 0x87, 0x41, 0x33, 0x09, 0xe8, 0x00, 0x65, 0xa2,
1997 0x62, 0x52, 0x40, 0x1b, 0xa3, 0x36, 0x2a, 0x17, 0xc5, 0x65,
1998 },
1999 32, "DigiCert Nessie2020 Log" },
2000 { (const uint8_t[]){
2001 0xee, 0xc0, 0x95, 0xee, 0x8d, 0x72, 0x64, 0x0f, 0x92, 0xe3, 0xc3,
2002 0xb9, 0x1b, 0xc7, 0x12, 0xa3, 0x69, 0x6a, 0x09, 0x7b, 0x4b, 0x6a,
2003 0x1a, 0x14, 0x38, 0xe6, 0x47, 0xb2, 0xcb, 0xed, 0xc5, 0xf9,
2004 },
2005 32, "DigiCert Nessie2021 Log" },
2006 { (const uint8_t[]){
2007 0x51, 0xa3, 0xb0, 0xf5, 0xfd, 0x01, 0x79, 0x9c, 0x56, 0x6d, 0xb8,
2008 0x37, 0x78, 0x8f, 0x0c, 0xa4, 0x7a, 0xcc, 0x1b, 0x27, 0xcb, 0xf7,
2009 0x9e, 0x88, 0x42, 0x9a, 0x0d, 0xfe, 0xd4, 0x8b, 0x05, 0xe5,
2010 },
2011 32, "DigiCert Nessie2022 Log" },
2012 { (const uint8_t[]){
2013 0xb3, 0x73, 0x77, 0x07, 0xe1, 0x84, 0x50, 0xf8, 0x63, 0x86, 0xd6,
2014 0x05, 0xa9, 0xdc, 0x11, 0x09, 0x4a, 0x79, 0x2d, 0xb1, 0x67, 0x0c,
2015 0x0b, 0x87, 0xdc, 0xf0, 0x03, 0x0e, 0x79, 0x36, 0xa5, 0x9a,
2016 },
2017 32, "DigiCert Nessie2023 Log" },
2018 { (const uint8_t[]){
2019 0x73, 0xd9, 0x9e, 0x89, 0x1b, 0x4c, 0x96, 0x78, 0xa0, 0x20, 0x7d,
2020 0x47, 0x9d, 0xe6, 0xb2, 0xc6, 0x1c, 0xd0, 0x51, 0x5e, 0x71, 0x19,
2021 0x2a, 0x8c, 0x6b, 0x80, 0x10, 0x7a, 0xc1, 0x77, 0x72, 0xb5,
2022 },
2023 32, "DigiCert Nessie2024 Log" },
2024 { (const uint8_t[]){
2025 0xe6, 0xd2, 0x31, 0x63, 0x40, 0x77, 0x8c, 0xc1, 0x10, 0x41, 0x06,
2026 0xd7, 0x71, 0xb9, 0xce, 0xc1, 0xd2, 0x40, 0xf6, 0x96, 0x84, 0x86,
2027 0xfb, 0xba, 0x87, 0x32, 0x1d, 0xfd, 0x1e, 0x37, 0x8e, 0x50,
2028 },
2029 32, "DigiCert Nessie2025 Log" },
2030 { (const uint8_t[]){
2031 0xb6, 0x9d, 0xdc, 0xbc, 0x3c, 0x1a, 0xbd, 0xef, 0x6f, 0x9f, 0xd6,
2032 0x0c, 0x88, 0xb1, 0x06, 0x7b, 0x77, 0xf0, 0x82, 0x68, 0x8b, 0x2d,
2033 0x78, 0x65, 0xd0, 0x4b, 0x39, 0xab, 0xe9, 0x27, 0xa5, 0x75,
2034 },
2035 32, "DigiCert 'Wyvern2024h1' Log" },
2036 { (const uint8_t[]){
2037 0x0c, 0x2a, 0xef, 0x2c, 0x4a, 0x5b, 0x98, 0x83, 0xd4, 0xdd, 0xa3,
2038 0x82, 0xfe, 0x50, 0xfb, 0x51, 0x88, 0xb3, 0xe9, 0x73, 0x33, 0xa1,
2039 0xec, 0x53, 0xa0, 0x9d, 0xc9, 0xa7, 0x9d, 0x0d, 0x08, 0x20,
2040 },
2041 32, "DigiCert 'Wyvern2024h2' Log" },
2042 { (const uint8_t[]){
2043 0x73, 0x20, 0x22, 0x0f, 0x08, 0x16, 0x8a, 0xf9, 0xf3, 0xc4, 0xa6,
2044 0x8b, 0x0a, 0xb2, 0x6a, 0x9a, 0x4a, 0x00, 0xee, 0xf5, 0x77, 0x85,
2045 0x8a, 0x08, 0x4d, 0x05, 0x00, 0xd4, 0xa5, 0x42, 0x44, 0x59,
2046 },
2047 32, "DigiCert 'Wyvern2025h1' Log" },
2048 { (const uint8_t[]){
2049 0xed, 0x3c, 0x4b, 0xd6, 0xe8, 0x06, 0xc2, 0xa4, 0xa2, 0x00, 0x57,
2050 0xdb, 0xcb, 0x24, 0xe2, 0x38, 0x01, 0xdf, 0x51, 0x2f, 0xed, 0xc4,
2051 0x86, 0xc5, 0x70, 0x0f, 0x20, 0xdd, 0xb7, 0x3e, 0x3f, 0xe0,
2052 },
2053 32, "DigiCert 'Wyvern2025h2' Log" },
2054 { (const uint8_t[]){
2055 0x64, 0x11, 0xc4, 0x6c, 0xa4, 0x12, 0xec, 0xa7, 0x89, 0x1c, 0xa2,
2056 0x02, 0x2e, 0x00, 0xbc, 0xab, 0x4f, 0x28, 0x07, 0xd4, 0x1e, 0x35,
2057 0x27, 0xab, 0xea, 0xfe, 0xd5, 0x03, 0xc9, 0x7d, 0xcd, 0xf0,
2058 },
2059 32, "DigiCert 'Wyvern2026h1'" },
2060 { (const uint8_t[]){
2061 0xc2, 0x31, 0x7e, 0x57, 0x45, 0x19, 0xa3, 0x45, 0xee, 0x7f, 0x38,
2062 0xde, 0xb2, 0x90, 0x41, 0xeb, 0xc7, 0xc2, 0x21, 0x5a, 0x22, 0xbf,
2063 0x7f, 0xd5, 0xb5, 0xad, 0x76, 0x9a, 0xd9, 0x0e, 0x52, 0xcd,
2064 },
2065 32, "DigiCert 'Wyvern2026h2'" },
2066 { (const uint8_t[]){
2067 0x00, 0x1a, 0x5d, 0x1a, 0x1c, 0x2d, 0x93, 0x75, 0xb6, 0x48, 0x55,
2068 0x78, 0xf8, 0x2f, 0x71, 0xa1, 0xae, 0x6e, 0xef, 0x39, 0x7d, 0x29,
2069 0x7c, 0x8a, 0xe3, 0x15, 0x7b, 0xca, 0xde, 0xe1, 0xa0, 0x1e,
2070 },
2071 32, "DigiCert 'Wyvern2027h1'" },
2072 { (const uint8_t[]){
2073 0x37, 0xaa, 0x07, 0xcc, 0x21, 0x6f, 0x2e, 0x6d, 0x91, 0x9c, 0x70,
2074 0x9d, 0x24, 0xd8, 0xf7, 0x31, 0xb0, 0x0f, 0x2b, 0x14, 0x7c, 0x62,
2075 0x1c, 0xc0, 0x91, 0xa5, 0xfa, 0x1a, 0x84, 0xd8, 0x16, 0xdd,
2076 },
2077 32, "DigiCert 'Wyvern2027h2'" },
2078 { (const uint8_t[]){
2079 0xdb, 0x07, 0x6c, 0xde, 0x6a, 0x8b, 0x78, 0xec, 0x58, 0xd6, 0x05,
2080 0x64, 0x96, 0xeb, 0x6a, 0x26, 0xa8, 0xc5, 0x9e, 0x72, 0x12, 0x93,
2081 0xe8, 0xac, 0x03, 0x27, 0xdd, 0xde, 0x89, 0xdb, 0x5a, 0x2a,
2082 },
2083 32, "DigiCert 'Sphinx2024h1' Log" },
2084 { (const uint8_t[]){
2085 0xdc, 0xc9, 0x5e, 0x6f, 0xa2, 0x99, 0xb9, 0xb0, 0xfd, 0xbd, 0x6c,
2086 0xa6, 0xa3, 0x6e, 0x1d, 0x72, 0xc4, 0x21, 0x2f, 0xdd, 0x1e, 0x0f,
2087 0x47, 0x55, 0x3a, 0x36, 0xd6, 0xcf, 0x1a, 0xd1, 0x1d, 0x8d,
2088 },
2089 32, "DigiCert 'Sphinx2024h2' Log" },
2090 { (const uint8_t[]){
2091 0xde, 0x85, 0x81, 0xd7, 0x50, 0x24, 0x7c, 0x6b, 0xcd, 0xcb, 0xaf,
2092 0x56, 0x37, 0xc5, 0xe7, 0x81, 0xc6, 0x4c, 0xe4, 0x6e, 0xd6, 0x17,
2093 0x63, 0x9f, 0x8f, 0x34, 0xa7, 0x26, 0xc9, 0xe2, 0xbd, 0x37,
2094 },
2095 32, "DigiCert 'Sphinx2025h1' Log" },
2096 { (const uint8_t[]){
2097 0xa4, 0x42, 0xc5, 0x06, 0x49, 0x60, 0x61, 0x54, 0x8f, 0x0f, 0xd4,
2098 0xea, 0x9c, 0xfb, 0x7a, 0x2d, 0x26, 0x45, 0x4d, 0x87, 0xa9, 0x7f,
2099 0x2f, 0xdf, 0x45, 0x59, 0xf6, 0x27, 0x4f, 0x3a, 0x84, 0x54,
2100 },
2101 32, "DigiCert 'Sphinx2025h2' Log" },
2102 { (const uint8_t[]){
2103 0x49, 0x9c, 0x9b, 0x69, 0xde, 0x1d, 0x7c, 0xec, 0xfc, 0x36, 0xde,
2104 0xcd, 0x87, 0x64, 0xa6, 0xb8, 0x5b, 0xaf, 0x0a, 0x87, 0x80, 0x19,
2105 0xd1, 0x55, 0x52, 0xfb, 0xe9, 0xeb, 0x29, 0xdd, 0xf8, 0xc3,
2106 },
2107 32, "DigiCert 'Sphinx2026h1'" },
2108 { (const uint8_t[]){
2109 0x94, 0x4e, 0x43, 0x87, 0xfa, 0xec, 0xc1, 0xef, 0x81, 0xf3, 0x19,
2110 0x24, 0x26, 0xa8, 0x18, 0x65, 0x01, 0xc7, 0xd3, 0x5f, 0x38, 0x02,
2111 0x01, 0x3f, 0x72, 0x67, 0x7d, 0x55, 0x37, 0x2e, 0x19, 0xd8,
2112 },
2113 32, "DigiCert 'Sphinx2026h2'" },
2114 { (const uint8_t[]){
2115 0x46, 0xa2, 0x39, 0x67, 0xc6, 0x0d, 0xb6, 0x46, 0x87, 0xc6, 0x6f,
2116 0x3d, 0xf9, 0x99, 0x94, 0x76, 0x93, 0xa6, 0xa6, 0x11, 0x20, 0x84,
2117 0x57, 0xd5, 0x55, 0xe7, 0xe3, 0xd0, 0xa1, 0xd9, 0xb6, 0x46,
2118 },
2119 32, "DigiCert 'sphinx2027h1'" },
2120 { (const uint8_t[]){
2121 0x1f, 0xb0, 0xf8, 0xa9, 0x2d, 0x8a, 0xdd, 0xa1, 0x21, 0x77, 0x6c,
2122 0x05, 0xe2, 0xaa, 0x2e, 0x15, 0xba, 0xcb, 0xc6, 0x2b, 0x65, 0x39,
2123 0x36, 0x95, 0x57, 0x6a, 0xaa, 0xb5, 0x2e, 0x11, 0xd1, 0x1d,
2124 },
2125 32, "DigiCert 'sphinx2027h2'" },
2126 { (const uint8_t[]){
2127 0xdd, 0xeb, 0x1d, 0x2b, 0x7a, 0x0d, 0x4f, 0xa6, 0x20, 0x8b, 0x81,
2128 0xad, 0x81, 0x68, 0x70, 0x7e, 0x2e, 0x8e, 0x9d, 0x01, 0xd5, 0x5c,
2129 0x88, 0x8d, 0x3d, 0x11, 0xc4, 0xcd, 0xb6, 0xec, 0xbe, 0xcc,
2130 },
2131 32, "Symantec log" },
2132 { (const uint8_t[]){
2133 0xbc, 0x78, 0xe1, 0xdf, 0xc5, 0xf6, 0x3c, 0x68, 0x46, 0x49, 0x33,
2134 0x4d, 0xa1, 0x0f, 0xa1, 0x5f, 0x09, 0x79, 0x69, 0x20, 0x09, 0xc0,
2135 0x81, 0xb4, 0xf3, 0xf6, 0x91, 0x7f, 0x3e, 0xd9, 0xb8, 0xa5,
2136 },
2137 32, "Symantec 'Vega' log" },
2138 { (const uint8_t[]){
2139 0x15, 0x97, 0x04, 0x88, 0xd7, 0xb9, 0x97, 0xa0, 0x5b, 0xeb, 0x52,
2140 0x51, 0x2a, 0xde, 0xe8, 0xd2, 0xe8, 0xb4, 0xa3, 0x16, 0x52, 0x64,
2141 0x12, 0x1a, 0x9f, 0xab, 0xfb, 0xd5, 0xf8, 0x5a, 0xd9, 0x3f,
2142 },
2143 32, "Symantec 'Sirius' log" },
2144 { (const uint8_t[]){
2145 0x05, 0x9c, 0x01, 0xd3, 0x20, 0xe0, 0x07, 0x84, 0x13, 0x95, 0x80,
2146 0x49, 0x8d, 0x11, 0x7c, 0x90, 0x32, 0x66, 0xaf, 0xaf, 0x72, 0x50,
2147 0xb5, 0xaf, 0x3b, 0x46, 0xa4, 0x3e, 0x11, 0x84, 0x0d, 0x4a,
2148 },
2149 32, "DigiCert Yeti2022-2 Log" },
2150 { (const uint8_t[]){
2151 0xc1, 0x16, 0x4a, 0xe0, 0xa7, 0x72, 0xd2, 0xd4, 0x39, 0x2d, 0xc8,
2152 0x0a, 0xc1, 0x07, 0x70, 0xd4, 0xf0, 0xc4, 0x9b, 0xde, 0x99, 0x1a,
2153 0x48, 0x40, 0xc1, 0xfa, 0x07, 0x51, 0x64, 0xf6, 0x33, 0x60,
2154 },
2155 32, "DigiCert Yeti2018 Log" },
2156 { (const uint8_t[]){
2157 0xe2, 0x69, 0x4b, 0xae, 0x26, 0xe8, 0xe9, 0x40, 0x09, 0xe8, 0x86,
2158 0x1b, 0xb6, 0x3b, 0x83, 0xd4, 0x3e, 0xe7, 0xfe, 0x74, 0x88, 0xfb,
2159 0xa4, 0x8f, 0x28, 0x93, 0x01, 0x9d, 0xdd, 0xf1, 0xdb, 0xfe,
2160 },
2161 32, "DigiCert Yeti2019 Log" },
2162 { (const uint8_t[]){
2163 0x6f, 0xf1, 0x41, 0xb5, 0x64, 0x7e, 0x42, 0x22, 0xf7, 0xef, 0x05,
2164 0x2c, 0xef, 0xae, 0x7c, 0x21, 0xfd, 0x60, 0x8e, 0x27, 0xd2, 0xaf,
2165 0x5a, 0x6e, 0x9f, 0x4b, 0x8a, 0x37, 0xd6, 0x63, 0x3e, 0xe5,
2166 },
2167 32, "DigiCert Nessie2018 Log" },
2168 { (const uint8_t[]){
2169 0xfe, 0x44, 0x61, 0x08, 0xb1, 0xd0, 0x1a, 0xb7, 0x8a, 0x62, 0xcc,
2170 0xfe, 0xab, 0x6a, 0xb2, 0xb2, 0xba, 0xbf, 0xf3, 0xab, 0xda, 0xd8,
2171 0x0a, 0x4d, 0x8b, 0x30, 0xdf, 0x2d, 0x00, 0x08, 0x83, 0x0c,
2172 },
2173 32, "DigiCert Nessie2019 Log" },
2174 { (const uint8_t[]){
2175 0xa7, 0xce, 0x4a, 0x4e, 0x62, 0x07, 0xe0, 0xad, 0xde, 0xe5, 0xfd,
2176 0xaa, 0x4b, 0x1f, 0x86, 0x76, 0x87, 0x67, 0xb5, 0xd0, 0x02, 0xa5,
2177 0x5d, 0x47, 0x31, 0x0e, 0x7e, 0x67, 0x0a, 0x95, 0xea, 0xb2,
2178 },
2179 32, "Symantec Deneb" },
2180 { (const uint8_t[]){
2181 0xcd, 0xb5, 0x17, 0x9b, 0x7f, 0xc1, 0xc0, 0x46, 0xfe, 0xea, 0x31,
2182 0x13, 0x6a, 0x3f, 0x8f, 0x00, 0x2e, 0x61, 0x82, 0xfa, 0xf8, 0x89,
2183 0x6f, 0xec, 0xc8, 0xb2, 0xf5, 0xb5, 0xab, 0x60, 0x49, 0x00,
2184 },
2185 32, "Certly.IO log" },
2186 { (const uint8_t[]){
2187 0x74, 0x61, 0xb4, 0xa0, 0x9c, 0xfb, 0x3d, 0x41, 0xd7, 0x51, 0x59,
2188 0x57, 0x5b, 0x2e, 0x76, 0x49, 0xa4, 0x45, 0xa8, 0xd2, 0x77, 0x09,
2189 0xb0, 0xcc, 0x56, 0x4a, 0x64, 0x82, 0xb7, 0xeb, 0x41, 0xa3,
2190 },
2191 32, "Izenpe log" },
2192 { (const uint8_t[]){
2193 0x89, 0x41, 0x44, 0x9c, 0x70, 0x74, 0x2e, 0x06, 0xb9, 0xfc, 0x9c,
2194 0xe7, 0xb1, 0x16, 0xba, 0x00, 0x24, 0xaa, 0x36, 0xd5, 0x9a, 0xf4,
2195 0x4f, 0x02, 0x04, 0x40, 0x4f, 0x00, 0xf7, 0xea, 0x85, 0x66,
2196 },
2197 32, "Izenpe 'Argi' log" },
2198 { (const uint8_t[]){
2199 0x41, 0xb2, 0xdc, 0x2e, 0x89, 0xe6, 0x3c, 0xe4, 0xaf, 0x1b, 0xa7,
2200 0xbb, 0x29, 0xbf, 0x68, 0xc6, 0xde, 0xe6, 0xf9, 0xf1, 0xcc, 0x04,
2201 0x7e, 0x30, 0xdf, 0xfa, 0xe3, 0xb3, 0xba, 0x25, 0x92, 0x63,
2202 },
2203 32, "WoSign log" },
2204 { (const uint8_t[]){
2205 0x9e, 0x4f, 0xf7, 0x3d, 0xc3, 0xce, 0x22, 0x0b, 0x69, 0x21, 0x7c,
2206 0x89, 0x9e, 0x46, 0x80, 0x76, 0xab, 0xf8, 0xd7, 0x86, 0x36, 0xd5,
2207 0xcc, 0xfc, 0x85, 0xa3, 0x1a, 0x75, 0x62, 0x8b, 0xa8, 0x8b,
2208 },
2209 32, "WoSign CT log #1" },
2210 { (const uint8_t[]){
2211 0x63, 0xd0, 0x00, 0x60, 0x26, 0xdd, 0xe1, 0x0b, 0xb0, 0x60, 0x1f,
2212 0x45, 0x24, 0x46, 0x96, 0x5e, 0xe2, 0xb6, 0xea, 0x2c, 0xd4, 0xfb,
2213 0xc9, 0x5a, 0xc8, 0x66, 0xa5, 0x50, 0xaf, 0x90, 0x75, 0xb7,
2214 },
2215 32, "WoSign log 2" },
2216 { (const uint8_t[]){
2217 0xac, 0x3b, 0x9a, 0xed, 0x7f, 0xa9, 0x67, 0x47, 0x57, 0x15, 0x9e,
2218 0x6d, 0x7d, 0x57, 0x56, 0x72, 0xf9, 0xd9, 0x81, 0x00, 0x94, 0x1e,
2219 0x9b, 0xde, 0xff, 0xec, 0xa1, 0x31, 0x3b, 0x75, 0x78, 0x2d,
2220 },
2221 32, "Venafi log" },
2222 { (const uint8_t[]){
2223 0x03, 0x01, 0x9d, 0xf3, 0xfd, 0x85, 0xa6, 0x9a, 0x8e, 0xbd, 0x1f,
2224 0xac, 0xc6, 0xda, 0x9b, 0xa7, 0x3e, 0x46, 0x97, 0x74, 0xfe, 0x77,
2225 0xf5, 0x79, 0xfc, 0x5a, 0x08, 0xb8, 0x32, 0x8c, 0x1d, 0x6b,
2226 },
2227 32, "Venafi Gen2 CT log" },
2228 { (const uint8_t[]){
2229 0xa5, 0x77, 0xac, 0x9c, 0xed, 0x75, 0x48, 0xdd, 0x8f, 0x02, 0x5b,
2230 0x67, 0xa2, 0x41, 0x08, 0x9d, 0xf8, 0x6e, 0x0f, 0x47, 0x6e, 0xc2,
2231 0x03, 0xc2, 0xec, 0xbe, 0xdb, 0x18, 0x5f, 0x28, 0x26, 0x38,
2232 },
2233 32, "CNNIC CT log" },
2234 { (const uint8_t[]){
2235 0x34, 0xbb, 0x6a, 0xd6, 0xc3, 0xdf, 0x9c, 0x03, 0xee, 0xa8, 0xa4,
2236 0x99, 0xff, 0x78, 0x91, 0x48, 0x6c, 0x9d, 0x5e, 0x5c, 0xac, 0x92,
2237 0xd0, 0x1f, 0x7b, 0xfd, 0x1b, 0xce, 0x19, 0xdb, 0x48, 0xef,
2238 },
2239 32, "StartCom log" },
2240 { (const uint8_t[]){
2241 0x55, 0x81, 0xd4, 0xc2, 0x16, 0x90, 0x36, 0x01, 0x4a, 0xea, 0x0b,
2242 0x9b, 0x57, 0x3c, 0x53, 0xf0, 0xc0, 0xe4, 0x38, 0x78, 0x70, 0x25,
2243 0x08, 0x17, 0x2f, 0xa3, 0xaa, 0x1d, 0x07, 0x13, 0xd3, 0x0c,
2244 },
2245 32, "Sectigo 'Sabre' CT log" },
2246 { (const uint8_t[]){
2247 0xa2, 0xe2, 0xbf, 0xd6, 0x1e, 0xde, 0x2f, 0x2f, 0x07, 0xa0, 0xd6,
2248 0x4e, 0x6d, 0x37, 0xa7, 0xdc, 0x65, 0x43, 0xb0, 0xc6, 0xb5, 0x2e,
2249 0xa2, 0xda, 0xb7, 0x8a, 0xf8, 0x9a, 0x6d, 0xf5, 0x17, 0xd8,
2250 },
2251 32, "Sectigo 'Sabre2024h1'" },
2252 { (const uint8_t[]){
2253 0x19, 0x98, 0x10, 0x71, 0x09, 0xf0, 0xd6, 0x52, 0x2e, 0x30, 0x80,
2254 0xd2, 0x9e, 0x3f, 0x64, 0xbb, 0x83, 0x6e, 0x28, 0xcc, 0xf9, 0x0f,
2255 0x52, 0x8e, 0xee, 0xdf, 0xce, 0x4a, 0x3f, 0x16, 0xb4, 0xca,
2256 },
2257 32, "Sectigo 'Sabre2024h2'" },
2258 { (const uint8_t[]){
2259 0xe0, 0x92, 0xb3, 0xfc, 0x0c, 0x1d, 0xc8, 0xe7, 0x68, 0x36, 0x1f,
2260 0xde, 0x61, 0xb9, 0x96, 0x4d, 0x0a, 0x52, 0x78, 0x19, 0x8a, 0x72,
2261 0xd6, 0x72, 0xc4, 0xb0, 0x4d, 0xa5, 0x6d, 0x6f, 0x54, 0x04,
2262 },
2263 32, "Sectigo 'Sabre2025h1'" },
2264 { (const uint8_t[]){
2265 0x1a, 0x04, 0xff, 0x49, 0xd0, 0x54, 0x1d, 0x40, 0xaf, 0xf6, 0xa0,
2266 0xc3, 0xbf, 0xf1, 0xd8, 0xc4, 0x67, 0x2f, 0x4e, 0xec, 0xee, 0x23,
2267 0x40, 0x68, 0x98, 0x6b, 0x17, 0x40, 0x2e, 0xdc, 0x89, 0x7d,
2268 },
2269 32, "Sectigo 'Sabre2025h2'" },
2270 { (const uint8_t[]){
2271 0x6f, 0x53, 0x76, 0xac, 0x31, 0xf0, 0x31, 0x19, 0xd8, 0x99, 0x00,
2272 0xa4, 0x51, 0x15, 0xff, 0x77, 0x15, 0x1c, 0x11, 0xd9, 0x02, 0xc1,
2273 0x00, 0x29, 0x06, 0x8d, 0xb2, 0x08, 0x9a, 0x37, 0xd9, 0x13,
2274 },
2275 32, "Sectigo 'Mammoth' CT log" },
2276 { (const uint8_t[]){
2277 0x29, 0xd0, 0x3a, 0x1b, 0xb6, 0x74, 0xaa, 0x71, 0x1c, 0xd3, 0x03,
2278 0x5b, 0x65, 0x57, 0xc1, 0x4f, 0x8a, 0xa7, 0x8b, 0x4f, 0xe8, 0x38,
2279 0x94, 0x49, 0xec, 0xa4, 0x53, 0xf9, 0x44, 0xbd, 0x24, 0x68,
2280 },
2281 32, "Sectigo 'Mammoth2024h1'" },
2282 { (const uint8_t[]){
2283 0x50, 0x85, 0x01, 0x58, 0xdc, 0xb6, 0x05, 0x95, 0xc0, 0x0e, 0x92,
2284 0xa8, 0x11, 0x02, 0xec, 0xcd, 0xfe, 0x3f, 0x6b, 0x78, 0x58, 0x42,
2285 0x9f, 0x57, 0x98, 0x35, 0x38, 0xc9, 0xda, 0x52, 0x50, 0x63,
2286 },
2287 32, "Sectigo 'Mammoth2024h1b'" },
2288 { (const uint8_t[]){
2289 0xdf, 0xe1, 0x56, 0xeb, 0xaa, 0x05, 0xaf, 0xb5, 0x9c, 0x0f, 0x86,
2290 0x71, 0x8d, 0xa8, 0xc0, 0x32, 0x4e, 0xae, 0x56, 0xd9, 0x6e, 0xa7,
2291 0xf5, 0xa5, 0x6a, 0x01, 0xd1, 0xc1, 0x3b, 0xbe, 0x52, 0x5c,
2292 },
2293 32, "Sectigo 'Mammoth2024h2'" },
2294 { (const uint8_t[]){
2295 0x13, 0x4a, 0xdf, 0x1a, 0xb5, 0x98, 0x42, 0x09, 0x78, 0x0c, 0x6f,
2296 0xef, 0x4c, 0x7a, 0x91, 0xa4, 0x16, 0xb7, 0x23, 0x49, 0xce, 0x58,
2297 0x57, 0x6a, 0xdf, 0xae, 0xda, 0xa7, 0xc2, 0xab, 0xe0, 0x22,
2298 },
2299 32, "Sectigo 'Mammoth2025h1'" },
2300 { (const uint8_t[]){
2301 0xaf, 0x18, 0x1a, 0x28, 0xd6, 0x8c, 0xa3, 0xe0, 0xa9, 0x8a, 0x4c,
2302 0x9c, 0x67, 0xab, 0x09, 0xf8, 0xbb, 0xbc, 0x22, 0xba, 0xae, 0xbc,
2303 0xb1, 0x38, 0xa3, 0xa1, 0x9d, 0xd3, 0xf9, 0xb6, 0x03, 0x0d,
2304 },
2305 32, "Sectigo 'Mammoth2025h2'" },
2306 { (const uint8_t[]){
2307 0x25, 0x2f, 0x94, 0xc2, 0x2b, 0x29, 0xe9, 0x6e, 0x9f, 0x41, 0x1a,
2308 0x72, 0x07, 0x2b, 0x69, 0x5c, 0x5b, 0x52, 0xff, 0x97, 0xa9, 0x0d,
2309 0x25, 0x40, 0xbb, 0xfc, 0xdc, 0x51, 0xec, 0x4d, 0xee, 0x0b,
2310 },
2311 32, "Sectigo 'Mammoth2026h1'" },
2312 { (const uint8_t[]){
2313 0x94, 0xb1, 0xc1, 0x8a, 0xb0, 0xd0, 0x57, 0xc4, 0x7b, 0xe0, 0xac,
2314 0x04, 0x0e, 0x1f, 0x2c, 0xbc, 0x8d, 0xc3, 0x75, 0x72, 0x7b, 0xc9,
2315 0x51, 0xf2, 0x0a, 0x52, 0x61, 0x26, 0x86, 0x3b, 0xa7, 0x3c,
2316 },
2317 32, "Sectigo 'Mammoth2026h2'" },
2318 { (const uint8_t[]){
2319 0x56, 0x6c, 0xd5, 0xa3, 0x76, 0xbe, 0x83, 0xdf, 0xe3, 0x42, 0xb6,
2320 0x75, 0xc4, 0x9c, 0x23, 0x24, 0x98, 0xa7, 0x69, 0xba, 0xc3, 0x82,
2321 0xcb, 0xab, 0x49, 0xa3, 0x87, 0x7d, 0x9a, 0xb3, 0x2d, 0x01,
2322 },
2323 32, "Sectigo 'Sabre2026h1'" },
2324 { (const uint8_t[]){
2325 0x1f, 0x56, 0xd1, 0xab, 0x94, 0x70, 0x4a, 0x41, 0xdd, 0x3f, 0xea,
2326 0xfd, 0xf4, 0x69, 0x93, 0x55, 0x30, 0x2c, 0x14, 0x31, 0xbf, 0xe6,
2327 0x13, 0x46, 0x08, 0x9f, 0xff, 0xae, 0x79, 0x5d, 0xcc, 0x2f,
2328 },
2329 32, "Sectigo 'Sabre2026h2'" },
2330 { (const uint8_t[]){
2331 0x0d, 0x1d, 0xbc, 0x89, 0x44, 0xe9, 0xf5, 0x00, 0x55, 0x42, 0xd7,
2332 0x2d, 0x3e, 0x14, 0x4c, 0xcc, 0x43, 0x08, 0x2a, 0xb6, 0xea, 0x1e,
2333 0x94, 0xdf, 0xd7, 0x06, 0x65, 0x7d, 0x2e, 0x86, 0xf3, 0x01,
2334 },
2335 32, "Sectigo 'Elephant2025h2'" },
2336 { (const uint8_t[]){
2337 0xd1, 0x6e, 0xa9, 0xa5, 0x68, 0x07, 0x7e, 0x66, 0x35, 0xa0, 0x3f,
2338 0x37, 0xa5, 0xdd, 0xbc, 0x03, 0xa5, 0x3c, 0x41, 0x12, 0x14, 0xd4,
2339 0x88, 0x18, 0xf5, 0xe9, 0x31, 0xb3, 0x23, 0xcb, 0x95, 0x04,
2340 },
2341 32, "Sectigo 'Elephant2026h1'" },
2342 { (const uint8_t[]){
2343 0xaf, 0x67, 0x88, 0x3b, 0x57, 0xb0, 0x4e, 0xdd, 0x8f, 0xa6, 0xd9,
2344 0x7e, 0xf6, 0x2e, 0xa8, 0xeb, 0x81, 0x0a, 0xc7, 0x71, 0x60, 0xf0,
2345 0x24, 0x5e, 0x55, 0xd6, 0x0c, 0x2f, 0xe7, 0x85, 0x87, 0x3a,
2346 },
2347 32, "Sectigo 'Elephant2026h2'" },
2348 { (const uint8_t[]){
2349 0x60, 0x4c, 0x9a, 0xaf, 0x7a, 0x7f, 0x77, 0x5f, 0x01, 0xd4, 0x06,
2350 0xfc, 0x92, 0x0d, 0xc8, 0x99, 0xeb, 0x0b, 0x1c, 0x7d, 0xf8, 0xc9,
2351 0x52, 0x1b, 0xfa, 0xfa, 0x17, 0x77, 0x3b, 0x97, 0x8b, 0xc9,
2352 },
2353 32, "Sectigo 'Elephant2027h1'" },
2354 { (const uint8_t[]){
2355 0xa2, 0x49, 0x0c, 0xdc, 0xdb, 0x8e, 0x33, 0xa4, 0x00, 0x32, 0x17,
2356 0x60, 0xd6, 0xd4, 0xd5, 0x1a, 0x20, 0x36, 0x19, 0x1e, 0xa7, 0x7d,
2357 0x96, 0x8b, 0xe2, 0x6a, 0x8a, 0x00, 0xf6, 0xff, 0xff, 0xf7,
2358 },
2359 32, "Sectigo 'Elephant2027h2'" },
2360 { (const uint8_t[]){
2361 0x5c, 0xa5, 0x77, 0xd2, 0x9b, 0x7f, 0x8b, 0xaf, 0x41, 0x9e, 0xd8,
2362 0xec, 0xab, 0xfb, 0x6d, 0xcb, 0xae, 0xc3, 0x85, 0x37, 0x02, 0xd5,
2363 0x74, 0x6f, 0x17, 0x4d, 0xad, 0x3c, 0x93, 0x4a, 0xa9, 0x6a,
2364 },
2365 32, "Sectigo 'Tiger2025h2'" },
2366 { (const uint8_t[]){
2367 0x16, 0x83, 0x2d, 0xab, 0xf0, 0xa9, 0x25, 0x0f, 0x0f, 0xf0, 0x3a,
2368 0xa5, 0x45, 0xff, 0xc8, 0xbf, 0xc8, 0x23, 0xd0, 0x87, 0x4b, 0xf6,
2369 0x04, 0x29, 0x27, 0xf8, 0xe7, 0x1f, 0x33, 0x13, 0xf5, 0xfa,
2370 },
2371 32, "Sectigo 'Tiger2026h1'" },
2372 { (const uint8_t[]){
2373 0xc8, 0xa3, 0xc4, 0x7f, 0xc7, 0xb3, 0xad, 0xb9, 0x35, 0x6b, 0x01,
2374 0x3f, 0x6a, 0x7a, 0x12, 0x6d, 0xe3, 0x3a, 0x4e, 0x43, 0xa5, 0xc6,
2375 0x46, 0xf9, 0x97, 0xad, 0x39, 0x75, 0x99, 0x1d, 0xcf, 0x9a,
2376 },
2377 32, "Sectigo 'Tiger2026h2'" },
2378 { (const uint8_t[]){
2379 0x1c, 0x9f, 0x68, 0x2c, 0xe9, 0xfa, 0xf0, 0x45, 0x69, 0x50, 0xf8,
2380 0x1b, 0x96, 0x8a, 0x87, 0xdd, 0xdb, 0x32, 0x10, 0xd8, 0x4c, 0xe6,
2381 0xc8, 0xb2, 0xe3, 0x82, 0x52, 0x4a, 0xc4, 0xcf, 0x59, 0x9f,
2382 },
2383 32, "Sectigo 'Tiger2027h1'" },
2384 { (const uint8_t[]){
2385 0x03, 0x80, 0x2a, 0xc2, 0x62, 0xf6, 0xe0, 0x5e, 0x03, 0xf8, 0xbc,
2386 0x6f, 0x7b, 0x98, 0x51, 0x32, 0x4f, 0xd7, 0x6a, 0x3d, 0xf5, 0xb7,
2387 0x59, 0x51, 0x75, 0xe2, 0x22, 0xfb, 0x8e, 0x9b, 0xd5, 0xf6,
2388 },
2389 32, "Sectigo 'Tiger2027h2'" },
2390 { (const uint8_t[]){
2391 0xdb, 0x76, 0xfd, 0xad, 0xac, 0x65, 0xe7, 0xd0, 0x95, 0x08, 0x88,
2392 0x6e, 0x21, 0x59, 0xbd, 0x8b, 0x90, 0x35, 0x2f, 0x5f, 0xea, 0xd3,
2393 0xe3, 0xdc, 0x5e, 0x22, 0xeb, 0x35, 0x0a, 0xcc, 0x7b, 0x98,
2394 },
2395 32, "Sectigo 'Dodo' CT log" },
2396 { (const uint8_t[]){
2397 0xe7, 0x12, 0xf2, 0xb0, 0x37, 0x7e, 0x1a, 0x62, 0xfb, 0x8e, 0xc9,
2398 0x0c, 0x61, 0x84, 0xf1, 0xea, 0x7b, 0x37, 0xcb, 0x56, 0x1d, 0x11,
2399 0x26, 0x5b, 0xf3, 0xe0, 0xf3, 0x4b, 0xf2, 0x41, 0x54, 0x6e,
2400 },
2401 32, "Let's Encrypt 'Oak2020' log" },
2402 { (const uint8_t[]){
2403 0x94, 0x20, 0xbc, 0x1e, 0x8e, 0xd5, 0x8d, 0x6c, 0x88, 0x73, 0x1f,
2404 0x82, 0x8b, 0x22, 0x2c, 0x0d, 0xd1, 0xda, 0x4d, 0x5e, 0x6c, 0x4f,
2405 0x94, 0x3d, 0x61, 0xdb, 0x4e, 0x2f, 0x58, 0x4d, 0xa2, 0xc2,
2406 },
2407 32, "Let's Encrypt 'Oak2021' log" },
2408 { (const uint8_t[]){
2409 0xdf, 0xa5, 0x5e, 0xab, 0x68, 0x82, 0x4f, 0x1f, 0x6c, 0xad, 0xee,
2410 0xb8, 0x5f, 0x4e, 0x3e, 0x5a, 0xea, 0xcd, 0xa2, 0x12, 0xa4, 0x6a,
2411 0x5e, 0x8e, 0x3b, 0x12, 0xc0, 0x20, 0x44, 0x5c, 0x2a, 0x73,
2412 },
2413 32, "Let's Encrypt 'Oak2022' log" },
2414 { (const uint8_t[]){
2415 0xb7, 0x3e, 0xfb, 0x24, 0xdf, 0x9c, 0x4d, 0xba, 0x75, 0xf2, 0x39,
2416 0xc5, 0xba, 0x58, 0xf4, 0x6c, 0x5d, 0xfc, 0x42, 0xcf, 0x7a, 0x9f,
2417 0x35, 0xc4, 0x9e, 0x1d, 0x09, 0x81, 0x25, 0xed, 0xb4, 0x99,
2418 },
2419 32, "Let's Encrypt 'Oak2023' log" },
2420 { (const uint8_t[]){
2421 0x3b, 0x53, 0x77, 0x75, 0x3e, 0x2d, 0xb9, 0x80, 0x4e, 0x8b, 0x30,
2422 0x5b, 0x06, 0xfe, 0x40, 0x3b, 0x67, 0xd8, 0x4f, 0xc3, 0xf4, 0xc7,
2423 0xbd, 0x00, 0x0d, 0x2d, 0x72, 0x6f, 0xe1, 0xfa, 0xd4, 0x17,
2424 },
2425 32, "Let's Encrypt 'Oak2024H1' log" },
2426 { (const uint8_t[]){
2427 0x3f, 0x17, 0x4b, 0x4f, 0xd7, 0x22, 0x47, 0x58, 0x94, 0x1d, 0x65,
2428 0x1c, 0x84, 0xbe, 0x0d, 0x12, 0xed, 0x90, 0x37, 0x7f, 0x1f, 0x85,
2429 0x6a, 0xeb, 0xc1, 0xbf, 0x28, 0x85, 0xec, 0xf8, 0x64, 0x6e,
2430 },
2431 32, "Let's Encrypt 'Oak2024H2' log" },
2432 { (const uint8_t[]){
2433 0xa2, 0xe3, 0x0a, 0xe4, 0x45, 0xef, 0xbd, 0xad, 0x9b, 0x7e, 0x38,
2434 0xed, 0x47, 0x67, 0x77, 0x53, 0xd7, 0x82, 0x5b, 0x84, 0x94, 0xd7,
2435 0x2b, 0x5e, 0x1b, 0x2c, 0xc4, 0xb9, 0x50, 0xa4, 0x47, 0xe7,
2436 },
2437 32, "Let's Encrypt 'Oak2025h1'" },
2438 { (const uint8_t[]){
2439 0x0d, 0xe1, 0xf2, 0x30, 0x2b, 0xd3, 0x0d, 0xc1, 0x40, 0x62, 0x12,
2440 0x09, 0xea, 0x55, 0x2e, 0xfc, 0x47, 0x74, 0x7c, 0xb1, 0xd7, 0xe9,
2441 0x30, 0xef, 0x0e, 0x42, 0x1e, 0xb4, 0x7e, 0x4e, 0xaa, 0x34,
2442 },
2443 32, "Let's Encrypt 'Oak2025h2'" },
2444 { (const uint8_t[]){
2445 0x19, 0x86, 0xd4, 0xc7, 0x28, 0xaa, 0x6f, 0xfe, 0xba, 0x03, 0x6f,
2446 0x78, 0x2a, 0x4d, 0x01, 0x91, 0xaa, 0xce, 0x2d, 0x72, 0x31, 0x0f,
2447 0xae, 0xce, 0x5d, 0x70, 0x41, 0x2d, 0x25, 0x4c, 0xc7, 0xd4,
2448 },
2449 32, "Let's Encrypt 'Oak2026h1'" },
2450 { (const uint8_t[]){
2451 0xac, 0xab, 0x30, 0x70, 0x6c, 0xeb, 0xec, 0x84, 0x31, 0xf4, 0x13,
2452 0xd2, 0xf4, 0x91, 0x5f, 0x11, 0x1e, 0x42, 0x24, 0x43, 0xb1, 0xf2,
2453 0xa6, 0x8c, 0x4f, 0x3c, 0x2b, 0x3b, 0xa7, 0x1e, 0x02, 0xc3,
2454 },
2455 32, "Let's Encrypt 'Oak2026h2'" },
2456 { (const uint8_t[]){
2457 0x65, 0x9b, 0x33, 0x50, 0xf4, 0x3b, 0x12, 0xcc, 0x5e, 0xa5, 0xab,
2458 0x4e, 0xc7, 0x65, 0xd3, 0xfd, 0xe6, 0xc8, 0x82, 0x43, 0x77, 0x77,
2459 0x78, 0xe7, 0x20, 0x03, 0xf9, 0xeb, 0x2b, 0x8c, 0x31, 0x29,
2460 },
2461 32, "Let's Encrypt 'Oak2019' log" },
2462 { (const uint8_t[]){
2463 0x84, 0x9f, 0x5f, 0x7f, 0x58, 0xd2, 0xbf, 0x7b, 0x54, 0xec, 0xbd,
2464 0x74, 0x61, 0x1c, 0xea, 0x45, 0xc4, 0x9c, 0x98, 0xf1, 0xd6, 0x48,
2465 0x1b, 0xc6, 0xf6, 0x9e, 0x8c, 0x17, 0x4f, 0x24, 0xf3, 0xcf,
2466 },
2467 32, "Let's Encrypt 'Testflume2019' log" },
2468 { (const uint8_t[]){
2469 0x23, 0x2d, 0x41, 0xa4, 0xcd, 0xac, 0x87, 0xce, 0xd9, 0xf9, 0x43,
2470 0xf4, 0x68, 0xc2, 0x82, 0x09, 0x5a, 0xe0, 0x9d, 0x30, 0xd6, 0x2e,
2471 0x2f, 0xa6, 0x5d, 0xdc, 0x3b, 0x91, 0x9c, 0x2e, 0x46, 0x8f,
2472 },
2473 32, "Let's Encrypt 'Sapling 2022h2' log" },
2474 { (const uint8_t[]){
2475 0xc1, 0x83, 0x24, 0x0b, 0xf1, 0xa4, 0x50, 0xc7, 0x6f, 0xbb, 0x00,
2476 0x72, 0x69, 0xdc, 0xac, 0x3b, 0xe2, 0x2a, 0x48, 0x05, 0xd4, 0xdb,
2477 0xe0, 0x49, 0x66, 0xc3, 0xc8, 0xab, 0xc4, 0x47, 0xb0, 0x0c,
2478 },
2479 32, "Let's Encrypt 'Sapling 2023h1' log" },
2480 { (const uint8_t[]){
2481 0xc6, 0x3f, 0x22, 0x18, 0xc3, 0x7d, 0x56, 0xa6, 0xaa, 0x06, 0xb5,
2482 0x96, 0xda, 0x8e, 0x53, 0xd4, 0xd7, 0x15, 0x6d, 0x1e, 0x9b, 0xac,
2483 0x8e, 0x44, 0xd2, 0x20, 0x2d, 0xe6, 0x4d, 0x69, 0xd9, 0xdc,
2484 },
2485 32, "Let's Encrypt 'Testflume2020' log" },
2486 { (const uint8_t[]){
2487 0x03, 0xed, 0xf1, 0xda, 0x97, 0x76, 0xb6, 0xf3, 0x8c, 0x34, 0x1e,
2488 0x39, 0xed, 0x9d, 0x70, 0x7a, 0x75, 0x70, 0x36, 0x9c, 0xf9, 0x84,
2489 0x4f, 0x32, 0x7f, 0xe9, 0xe1, 0x41, 0x38, 0x36, 0x1b, 0x60,
2490 },
2491 32, "Let's Encrypt 'Testflume2021' log" },
2492 { (const uint8_t[]){
2493 0x23, 0x27, 0xef, 0xda, 0x35, 0x25, 0x10, 0xdb, 0xc0, 0x19, 0xef,
2494 0x49, 0x1a, 0xe3, 0xff, 0x1c, 0xc5, 0xa4, 0x79, 0xbc, 0xe3, 0x78,
2495 0x78, 0x36, 0x0e, 0xe3, 0x18, 0xcf, 0xfb, 0x64, 0xf8, 0xc8,
2496 },
2497 32, "Let's Encrypt 'Testflume2022' log" },
2498 { (const uint8_t[]){
2499 0x55, 0x34, 0xb7, 0xab, 0x5a, 0x6a, 0xc3, 0xa7, 0xcb, 0xeb, 0xa6,
2500 0x54, 0x87, 0xb2, 0xa2, 0xd7, 0x1b, 0x48, 0xf6, 0x50, 0xfa, 0x17,
2501 0xc5, 0x19, 0x7c, 0x97, 0xa0, 0xcb, 0x20, 0x76, 0xf3, 0xc6,
2502 },
2503 32, "Let's Encrypt 'Testflume2023' log" },
2504 { (const uint8_t[]){
2505 0x29, 0x6a, 0xfa, 0x2d, 0x56, 0x8b, 0xca, 0x0d, 0x2e, 0xa8, 0x44,
2506 0x95, 0x6a, 0xe9, 0x72, 0x1f, 0xc3, 0x5f, 0xa3, 0x55, 0xec, 0xda,
2507 0x99, 0x69, 0x3a, 0xaf, 0xd4, 0x58, 0xa7, 0x1a, 0xef, 0xdd,
2508 },
2509 32, "Let's Encrypt 'Clicky' log" },
2510 { (const uint8_t[]){
2511 0xa5, 0x95, 0x94, 0x3b, 0x53, 0x70, 0xbe, 0xe9, 0x06, 0xe0, 0x05,
2512 0x0d, 0x1f, 0xb5, 0xbb, 0xc6, 0xa4, 0x0e, 0x65, 0xf2, 0x65, 0xae,
2513 0x85, 0x2c, 0x76, 0x36, 0x3f, 0xad, 0xb2, 0x33, 0x36, 0xed,
2514 },
2515 32, "Trust Asia Log2020" },
2516 { (const uint8_t[]){
2517 0xa8, 0xdc, 0x52, 0xf6, 0x3d, 0x6b, 0x24, 0x25, 0xe5, 0x31, 0xe3,
2518 0x7c, 0xf4, 0xe4, 0x4a, 0x71, 0x4f, 0x14, 0x2a, 0x20, 0x80, 0x3b,
2519 0x0d, 0x04, 0xd2, 0xe2, 0xee, 0x06, 0x64, 0x79, 0x4a, 0x23,
2520 },
2521 32, "Trust Asia CT2021" },
2522 { (const uint8_t[]){
2523 0x67, 0x8d, 0xb6, 0x5b, 0x3e, 0x74, 0x43, 0xb6, 0xf3, 0xa3, 0x70,
2524 0xd5, 0xe1, 0x3a, 0xb1, 0xb4, 0x3b, 0xe0, 0xa0, 0xd3, 0x51, 0xf7,
2525 0xca, 0x74, 0x22, 0x50, 0xc7, 0xc6, 0xfa, 0x51, 0xa8, 0x8a,
2526 },
2527 32, "Trust Asia Log2021" },
2528 { (const uint8_t[]){
2529 0xc3, 0x65, 0xf9, 0xb3, 0x65, 0x4f, 0x32, 0x83, 0xc7, 0x9d, 0xa9,
2530 0x8e, 0x93, 0xd7, 0x41, 0x8f, 0x5b, 0xab, 0x7b, 0xe3, 0x25, 0x2c,
2531 0x98, 0xe1, 0xd2, 0xf0, 0x4b, 0xb9, 0xeb, 0x42, 0x7d, 0x23,
2532 },
2533 32, "Trust Asia Log2022" },
2534 { (const uint8_t[]){
2535 0xe8, 0x7e, 0xa7, 0x66, 0x0b, 0xc2, 0x6c, 0xf6, 0x00, 0x2e, 0xf5,
2536 0x72, 0x5d, 0x3f, 0xe0, 0xe3, 0x31, 0xb9, 0x39, 0x3b, 0xb9, 0x2f,
2537 0xbf, 0x58, 0xeb, 0x3b, 0x90, 0x49, 0xda, 0xf5, 0x43, 0x5a,
2538 },
2539 32, "Trust Asia Log2023" },
2540 { (const uint8_t[]){
2541 0x30, 0x6d, 0x29, 0x57, 0x6a, 0xd2, 0x1a, 0x9d, 0x4a, 0xe1, 0x2a,
2542 0xca, 0xd8, 0xaa, 0x8a, 0x78, 0x3a, 0xa6, 0x5a, 0x32, 0x11, 0x60,
2543 0xac, 0xff, 0x5b, 0x0e, 0xee, 0x4c, 0xa3, 0x20, 0x1d, 0x05,
2544 },
2545 32, "Trust Asia Log2024" },
2546 { (const uint8_t[]){
2547 0x87, 0x4f, 0xb5, 0x0d, 0xc0, 0x29, 0xd9, 0x93, 0x1d, 0xe5, 0x73,
2548 0xe9, 0xf2, 0x89, 0x9e, 0x8e, 0x45, 0x33, 0xb3, 0x92, 0xd3, 0x8b,
2549 0x0a, 0x46, 0x25, 0x74, 0xbf, 0x0f, 0xee, 0xb2, 0xfc, 0x1e,
2550 },
2551 32, "Trust Asia Log2024-2" },
2552 { (const uint8_t[]){
2553 0x28, 0xe2, 0x81, 0x38, 0xfd, 0x83, 0x21, 0x45, 0xe9, 0xa9, 0xd6,
2554 0xaa, 0x75, 0x37, 0x6d, 0x83, 0x77, 0xa8, 0x85, 0x12, 0xb3, 0xc0,
2555 0x7f, 0x72, 0x41, 0x48, 0x21, 0xdc, 0xbd, 0xe9, 0x8c, 0x66,
2556 },
2557 32, "TrustAsia Log2025a" },
2558 { (const uint8_t[]){
2559 0x28, 0x2c, 0x8b, 0xdd, 0x81, 0x0f, 0xf9, 0x09, 0x12, 0x0a, 0xce,
2560 0x16, 0xd6, 0xe0, 0xec, 0x20, 0x1b, 0xea, 0x82, 0xa3, 0xa4, 0xaf,
2561 0x19, 0xd9, 0xef, 0xfb, 0x59, 0xe8, 0x3f, 0xdc, 0x42, 0x68,
2562 },
2563 32, "TrustAsia Log2025b" },
2564 { (const uint8_t[]){
2565 0x74, 0xdb, 0x9d, 0x58, 0xf7, 0xd4, 0x7e, 0x9d, 0xfd, 0x78, 0x7a,
2566 0x16, 0x2a, 0x99, 0x1c, 0x18, 0xcf, 0x69, 0x8d, 0xa7, 0xc7, 0x29,
2567 0x91, 0x8c, 0x9a, 0x18, 0xb0, 0x45, 0x0d, 0xba, 0x44, 0xbc,
2568 },
2569 32, "TrustAsia 'log2026a'" },
2570 { (const uint8_t[]){
2571 0x25, 0xb7, 0xef, 0xde, 0xa1, 0x13, 0x01, 0x93, 0xed, 0x93, 0x07,
2572 0x97, 0x70, 0xaa, 0x32, 0x2a, 0x26, 0x62, 0x0d, 0xe3, 0x5a, 0xc8,
2573 0xaa, 0x7c, 0x75, 0x19, 0x7d, 0xe0, 0xb1, 0xa9, 0xe0, 0x65,
2574 },
2575 32, "TrustAsia 'log2026b'" },
2576 { (const uint8_t[]){
2577 0xed, 0xda, 0xeb, 0x81, 0x5c, 0x63, 0x21, 0x34, 0x49, 0xb4, 0x7b,
2578 0xe5, 0x07, 0x79, 0x05, 0xab, 0xd0, 0xd9, 0x31, 0x47, 0xc2, 0x7a,
2579 0xc5, 0x14, 0x6b, 0x3b, 0xc5, 0x8e, 0x43, 0xe9, 0xb6, 0xc7,
2580 },
2581 32, "TrustAsia 'HETU2027'" },
2582 { (const uint8_t[]){
2583 0x45, 0x35, 0x94, 0x98, 0xd9, 0x3a, 0x89, 0xe0, 0x28, 0x03, 0x08,
2584 0xd3, 0x7d, 0x62, 0x6d, 0xc4, 0x23, 0x75, 0x47, 0x58, 0xdc, 0xe0,
2585 0x37, 0x00, 0x36, 0xfb, 0xab, 0x0e, 0xdf, 0x8a, 0x6b, 0xcf,
2586 },
2587 32, "Trust Asia Log1" },
2588 { (const uint8_t[]){
2589 0xc9, 0xcf, 0x89, 0x0a, 0x21, 0x10, 0x9c, 0x66, 0x6c, 0xc1, 0x7a,
2590 0x3e, 0xd0, 0x65, 0xc9, 0x30, 0xd0, 0xe0, 0x13, 0x5a, 0x9f, 0xeb,
2591 0xa8, 0x5a, 0xf1, 0x42, 0x10, 0xb8, 0x07, 0x24, 0x21, 0xaa,
2592 },
2593 32, "GDCA CT log #1" },
2594 { (const uint8_t[]){
2595 0x92, 0x4a, 0x30, 0xf9, 0x09, 0x33, 0x6f, 0xf4, 0x35, 0xd6, 0x99,
2596 0x3a, 0x10, 0xac, 0x75, 0xa2, 0xc6, 0x41, 0x72, 0x8e, 0x7f, 0xc2,
2597 0xd6, 0x59, 0xae, 0x61, 0x88, 0xff, 0xad, 0x40, 0xce, 0x01,
2598 },
2599 32, "GDCA CT log #2" },
2600 { (const uint8_t[]){
2601 0x71, 0x7e, 0xa7, 0x42, 0x09, 0x75, 0xbe, 0x84, 0xa2, 0x72, 0x35,
2602 0x53, 0xf1, 0x77, 0x7c, 0x26, 0xdd, 0x51, 0xaf, 0x4e, 0x10, 0x21,
2603 0x44, 0x09, 0x4d, 0x90, 0x19, 0xb4, 0x62, 0xfb, 0x66, 0x68,
2604 },
2605 32, "GDCA Log 1" },
2606 { (const uint8_t[]){
2607 0x14, 0x30, 0x8d, 0x90, 0xcc, 0xd0, 0x30, 0x13, 0x50, 0x05, 0xc0,
2608 0x1c, 0xa5, 0x26, 0xd8, 0x1e, 0x84, 0xe8, 0x76, 0x24, 0xe3, 0x9b,
2609 0x62, 0x48, 0xe0, 0x8f, 0x72, 0x4a, 0xea, 0x3b, 0xb4, 0x2a,
2610 },
2611 32, "GDCA Log 2" },
2612 { (const uint8_t[]){
2613 0xe0, 0x12, 0x76, 0x29, 0xe9, 0x04, 0x96, 0x56, 0x4e, 0x3d, 0x01,
2614 0x47, 0x98, 0x44, 0x98, 0xaa, 0x48, 0xf8, 0xad, 0xb1, 0x66, 0x00,
2615 0xeb, 0x79, 0x02, 0xa1, 0xef, 0x99, 0x09, 0x90, 0x62, 0x73,
2616 },
2617 32, "PuChuangSiDa CT log" },
2618 { (const uint8_t[]){
2619 0x53, 0x7b, 0x69, 0xa3, 0x56, 0x43, 0x35, 0xa9, 0xc0, 0x49, 0x04,
2620 0xe3, 0x95, 0x93, 0xb2, 0xc2, 0x98, 0xeb, 0x8d, 0x7a, 0x6e, 0x83,
2621 0x02, 0x36, 0x35, 0xc6, 0x27, 0x24, 0x8c, 0xd6, 0xb4, 0x40,
2622 },
2623 32, "Nordu 'flimsy' log" },
2624 { (const uint8_t[]){
2625 0xaa, 0xe7, 0x0b, 0x7f, 0x3c, 0xb8, 0xd5, 0x66, 0xc8, 0x6c, 0x2f,
2626 0x16, 0x97, 0x9c, 0x9f, 0x44, 0x5f, 0x69, 0xab, 0x0e, 0xb4, 0x53,
2627 0x55, 0x89, 0xb2, 0xf7, 0x7a, 0x03, 0x01, 0x04, 0xf3, 0xcd,
2628 },
2629 32, "Nordu 'plausible' log" },
2630 { (const uint8_t[]){
2631 0xcf, 0x55, 0xe2, 0x89, 0x23, 0x49, 0x7c, 0x34, 0x0d, 0x52, 0x06,
2632 0xd0, 0x53, 0x53, 0xae, 0xb2, 0x58, 0x34, 0xb5, 0x2f, 0x1f, 0x8d,
2633 0xc9, 0x52, 0x68, 0x09, 0xf2, 0x12, 0xef, 0xdd, 0x7c, 0xa6,
2634 },
2635 32, "SHECA CT log 1" },
2636 { (const uint8_t[]){
2637 0x32, 0xdc, 0x59, 0xc2, 0xd4, 0xc4, 0x19, 0x68, 0xd5, 0x6e, 0x14,
2638 0xbc, 0x61, 0xac, 0x8f, 0x0e, 0x45, 0xdb, 0x39, 0xfa, 0xf3, 0xc1,
2639 0x55, 0xaa, 0x42, 0x52, 0xf5, 0x00, 0x1f, 0xa0, 0xc6, 0x23,
2640 },
2641 32, "SHECA CT log 2" },
2642 { (const uint8_t[]){
2643 0x96, 0x06, 0xc0, 0x2c, 0x69, 0x00, 0x33, 0xaa, 0x1d, 0x14, 0x5f,
2644 0x59, 0xc6, 0xe2, 0x64, 0x8d, 0x05, 0x49, 0xf0, 0xdf, 0x96, 0xaa,
2645 0xb8, 0xdb, 0x91, 0x5a, 0x70, 0xd8, 0xec, 0xf3, 0x90, 0xa5,
2646 },
2647 32, "Akamai CT Log" },
2648 { (const uint8_t[]){
2649 0x39, 0x37, 0x6f, 0x54, 0x5f, 0x7b, 0x46, 0x07, 0xf5, 0x97, 0x42,
2650 0xd7, 0x68, 0xcd, 0x5d, 0x24, 0x37, 0xbf, 0x34, 0x73, 0xb6, 0x53,
2651 0x4a, 0x48, 0x34, 0xbc, 0xf7, 0x2e, 0x68, 0x1c, 0x83, 0xc9,
2652 },
2653 32, "Alpha CT Log" },
2654 { (const uint8_t[]){
2655 0xb0, 0xb7, 0x84, 0xbc, 0x81, 0xc0, 0xdd, 0xc4, 0x75, 0x44, 0xe8,
2656 0x83, 0xf0, 0x59, 0x85, 0xbb, 0x90, 0x77, 0xd1, 0x34, 0xd8, 0xab,
2657 0x88, 0xb2, 0xb2, 0xe5, 0x33, 0x98, 0x0b, 0x8e, 0x50, 0x8b,
2658 },
2659 32, "Up In The Air 'Behind the Sofa' log" },
2660 { (const uint8_t[]){
2661 0x47, 0x44, 0x47, 0x7c, 0x75, 0xde, 0x42, 0x6d, 0x5c, 0x44, 0xef,
2662 0xd4, 0xa9, 0x2c, 0x96, 0x77, 0x59, 0x7f, 0x65, 0x7a, 0x8f, 0xe0,
2663 0xca, 0xdb, 0xc6, 0xd6, 0x16, 0xed, 0xa4, 0x97, 0xc4, 0x25,
2664 },
2665 32, "Qihoo 360 2020" },
2666 { (const uint8_t[]){
2667 0xc6, 0xd7, 0xed, 0x9e, 0xdb, 0x8e, 0x74, 0xf0, 0xa7, 0x1b, 0x4d,
2668 0x4a, 0x98, 0x4b, 0xcb, 0xeb, 0xab, 0xbd, 0x28, 0xcc, 0x1f, 0xd7,
2669 0x63, 0x29, 0xe8, 0x87, 0x26, 0xcd, 0x4c, 0x25, 0x46, 0x63,
2670 },
2671 32, "Qihoo 360 2021" },
2672 { (const uint8_t[]){
2673 0x66, 0x3c, 0xb0, 0x9c, 0x1f, 0xcd, 0x9b, 0xaa, 0x62, 0x76, 0x3c,
2674 0xcb, 0x53, 0x4e, 0xec, 0x80, 0x58, 0x12, 0x28, 0x05, 0x07, 0xac,
2675 0x69, 0xa4, 0x5f, 0xcd, 0x38, 0xcf, 0x4c, 0xc7, 0x4c, 0xf1,
2676 },
2677 32, "Qihoo 360 2022" },
2678 { (const uint8_t[]){
2679 0xe2, 0x64, 0x7f, 0x6e, 0xda, 0x34, 0x05, 0x03, 0xc6, 0x4d, 0x4e,
2680 0x10, 0xa8, 0x69, 0x68, 0x1f, 0xde, 0x9c, 0x5a, 0x2c, 0xf3, 0xb3,
2681 0x2d, 0x5f, 0x20, 0x0b, 0x96, 0x36, 0x05, 0x90, 0x88, 0x23,
2682 },
2683 32, "Qihoo 360 2023" },
2684 { (const uint8_t[]){
2685 0xc5, 0xcf, 0xe5, 0x4b, 0x61, 0x51, 0xb4, 0x9b, 0x14, 0x2e, 0xd2,
2686 0x63, 0xbd, 0xe7, 0x32, 0x93, 0x36, 0x37, 0x99, 0x79, 0x95, 0x50,
2687 0xae, 0x44, 0x35, 0xcd, 0x1a, 0x69, 0x97, 0xc9, 0xc3, 0xc3,
2688 },
2689 32, "Qihoo 360 v1 2020" },
2690 { (const uint8_t[]){
2691 0x48, 0x14, 0x58, 0x7c, 0xf2, 0x8b, 0x08, 0xfe, 0x68, 0x3f, 0xd2,
2692 0xbc, 0xd9, 0x45, 0x99, 0x4c, 0x2e, 0xb7, 0x4c, 0x8a, 0xe8, 0xc8,
2693 0x7f, 0xce, 0x42, 0x9b, 0x7c, 0xd3, 0x1d, 0x51, 0xbd, 0xc4,
2694 },
2695 32, "Qihoo 360 v1 2021" },
2696 { (const uint8_t[]){
2697 0x49, 0x11, 0xb8, 0xd6, 0x14, 0xcf, 0xd3, 0xd9, 0x9f, 0x16, 0xd3,
2698 0x76, 0x54, 0x5e, 0xe1, 0xb8, 0xcc, 0xfc, 0x51, 0x1f, 0x50, 0x9f,
2699 0x08, 0x0b, 0xa0, 0xa0, 0x87, 0xd9, 0x1d, 0xfa, 0xee, 0xa9,
2700 },
2701 32, "Qihoo 360 v1 2022" },
2702 { (const uint8_t[]){
2703 0xb6, 0x74, 0x0b, 0x12, 0x00, 0x2e, 0x03, 0x3f, 0xd0, 0xe7, 0xe9,
2704 0x41, 0xf4, 0xba, 0x3e, 0xe1, 0xbf, 0xc1, 0x49, 0xb5, 0x24, 0xb4,
2705 0xcf, 0x62, 0x8d, 0x53, 0xef, 0xea, 0x1f, 0x40, 0x3a, 0x8d,
2706 },
2707 32, "Qihoo 360 v1 2023" },
2708 { (const uint8_t[]){
2709 0x2e, 0xd6, 0xa4, 0x4d, 0xeb, 0x8f, 0x0c, 0x86, 0x46, 0x67, 0x76,
2710 0x9c, 0x4e, 0xdd, 0x04, 0x1f, 0x84, 0x23, 0x67, 0x55, 0xfa, 0x3a,
2711 0xac, 0xa6, 0x34, 0xd0, 0x93, 0x5d, 0xfc, 0xd5, 0x9a, 0x70,
2712 },
2713 32, "Bogus placeholder log to unbreak misbehaving CT libraries" },
2714 { (const uint8_t[]){
2715 0x39, 0xb9, 0x87, 0x88, 0x28, 0x19, 0x5f, 0x3b, 0x2d, 0x0d, 0x1b,
2716 0x48, 0x14, 0xa3, 0xae, 0x8c, 0x0d, 0x01, 0xfe, 0x48, 0x62, 0x21,
2717 0xdd, 0x69, 0x39, 0x7d, 0x76, 0xf7, 0x85, 0x74, 0x11, 0xc3,
2718 },
2719 32, "Merklemap 'CompactLog' log" },
2720 { (const uint8_t[]){
2721 0xd2, 0xfc, 0x65, 0x2f, 0xa5, 0xf9, 0xb7, 0x38, 0xb8, 0x37, 0x55,
2722 0xfa, 0x5e, 0xb1, 0x5f, 0x0b, 0x45, 0x25, 0x3f, 0x4e, 0x8f, 0xa3,
2723 0xb9, 0xb6, 0x4f, 0xd4, 0xde, 0x56, 0x62, 0xd1, 0x87, 0x08,
2724 },
2725 32, "Bogus RFC6962 log to avoid breaking misbehaving CT libraries" },
2726 { NULL((void*)0), 0, NULL((void*)0) }
2727};
2728
2729/*
2730 * Application-Layer Protocol Negotiation (ALPN) dissector tables.
2731 */
2732static dissector_table_t ssl_alpn_dissector_table;
2733static dissector_table_t dtls_alpn_dissector_table;
2734
2735/*
2736 * Special cases for prefix matching of the ALPN, if the ALPN includes
2737 * a version number for a draft or protocol revision.
2738 */
2739typedef struct ssl_alpn_prefix_match_protocol {
2740 const char *proto_prefix;
2741 const char *dissector_name;
2742} ssl_alpn_prefix_match_protocol_t;
2743
2744static const ssl_alpn_prefix_match_protocol_t ssl_alpn_prefix_match_protocols[] = {
2745 /* SPDY moves so fast, just 1, 2 and 3 are registered with IANA but there
2746 * already exists 3.1 as of this writing... match the prefix. */
2747 { "spdy/", "spdy" },
2748 /* draft-ietf-httpbis-http2-16 */
2749 { "h2-", "http2" }, /* draft versions */
2750};
2751
2752const value_string compress_certificate_algorithm_vals[] = {
2753 { 1, "zlib" },
2754 { 2, "brotli" },
2755 { 3, "zstd" },
2756 { 0, NULL((void*)0) }
2757};
2758
2759
2760const val64_string quic_transport_parameter_id[] = {
2761 { SSL_HND_QUIC_TP_ORIGINAL_DESTINATION_CONNECTION_ID0x00, "original_destination_connection_id" },
2762 { SSL_HND_QUIC_TP_MAX_IDLE_TIMEOUT0x01, "max_idle_timeout" },
2763 { SSL_HND_QUIC_TP_STATELESS_RESET_TOKEN0x02, "stateless_reset_token" },
2764 { SSL_HND_QUIC_TP_MAX_UDP_PAYLOAD_SIZE0x03, "max_udp_payload_size" },
2765 { SSL_HND_QUIC_TP_INITIAL_MAX_DATA0x04, "initial_max_data" },
2766 { SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_BIDI_LOCAL0x05, "initial_max_stream_data_bidi_local" },
2767 { SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_BIDI_REMOTE0x06, "initial_max_stream_data_bidi_remote" },
2768 { SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_UNI0x07, "initial_max_stream_data_uni" },
2769 { SSL_HND_QUIC_TP_INITIAL_MAX_STREAMS_UNI0x09, "initial_max_streams_uni" },
2770 { SSL_HND_QUIC_TP_INITIAL_MAX_STREAMS_BIDI0x08, "initial_max_streams_bidi" },
2771 { SSL_HND_QUIC_TP_ACK_DELAY_EXPONENT0x0a, "ack_delay_exponent" },
2772 { SSL_HND_QUIC_TP_MAX_ACK_DELAY0x0b, "max_ack_delay" },
2773 { SSL_HND_QUIC_TP_DISABLE_ACTIVE_MIGRATION0x0c, "disable_active_migration" },
2774 { SSL_HND_QUIC_TP_PREFERRED_ADDRESS0x0d, "preferred_address" },
2775 { SSL_HND_QUIC_TP_ACTIVE_CONNECTION_ID_LIMIT0x0e, "active_connection_id_limit" },
2776 { SSL_HND_QUIC_TP_INITIAL_SOURCE_CONNECTION_ID0x0f, "initial_source_connection_id" },
2777 { SSL_HND_QUIC_TP_RETRY_SOURCE_CONNECTION_ID0x10, "retry_source_connection_id" },
2778 { SSL_HND_QUIC_TP_MAX_DATAGRAM_FRAME_SIZE0x20, "max_datagram_frame_size" },
2779 { SSL_HND_QUIC_TP_CIBIR_ENCODING0x1000, "cibir_encoding" },
2780 { SSL_HND_QUIC_TP_LOSS_BITS0x1057, "loss_bits" },
2781 { SSL_HND_QUIC_TP_GREASE_QUIC_BIT0x2ab2, "grease_quic_bit" },
2782 { SSL_HND_QUIC_TP_ENABLE_TIME_STAMP0x7157, "enable_time_stamp" },
2783 { SSL_HND_QUIC_TP_ENABLE_TIME_STAMP_V20x7158, "enable_time_stamp_v2" },
2784 { SSL_HND_QUIC_TP_VERSION_INFORMATION0x11, "version_information" },
2785 { SSL_HND_QUIC_TP_VERSION_INFORMATION_DRAFT0xff73db, "version_information_draft" },
2786 { SSL_HND_QUIC_TP_MIN_ACK_DELAY_OLD0xde1a, "min_ack_delay" },
2787 { SSL_HND_QUIC_TP_GOOGLE_USER_AGENT0x3129, "google_user_agent" },
2788 { SSL_HND_QUIC_TP_GOOGLE_KEY_UPDATE_NOT_YET_SUPPORTED0x312B, "google_key_update_not_yet_supported" },
2789 { SSL_HND_QUIC_TP_GOOGLE_QUIC_VERSION0x4752, "google_quic_version" },
2790 { SSL_HND_QUIC_TP_GOOGLE_INITIAL_RTT0x3127, "google_initial_rtt" },
2791 { SSL_HND_QUIC_TP_GOOGLE_SUPPORT_HANDSHAKE_DONE0x312A, "google_support_handshake_done" },
2792 { SSL_HND_QUIC_TP_GOOGLE_QUIC_PARAMS0x4751, "google_quic_params" },
2793 { SSL_HND_QUIC_TP_GOOGLE_CONNECTION_OPTIONS0x3128, "google_connection_options" },
2794 { SSL_HND_QUIC_TP_FACEBOOK_PARTIAL_RELIABILITY0xFF00, "facebook_partial_reliability" },
2795 { SSL_HND_QUIC_TP_ADDRESS_DISCOVERY0x9f81a176, "address_discovery" },
2796 { SSL_HND_QUIC_TP_MIN_ACK_DELAY_DRAFT_V10xFF03DE1A, "min_ack_delay (draft-01)" },
2797 { SSL_HND_QUIC_TP_MIN_ACK_DELAY_DRAFT050xff04de1a, "min_ack_delay (draft-05)" },
2798 { SSL_HND_QUIC_TP_MIN_ACK_DELAY0xff04de1b, "min_ack_delay" },
2799 { SSL_HND_QUIC_TP_ENABLE_MULTIPATH_DRAFT040x0f739bbc1b666d04, "enable_multipath (draft-04)" },
2800 { SSL_HND_QUIC_TP_ENABLE_MULTIPATH_DRAFT050x0f739bbc1b666d05, "enable_multipath (draft-05)" },
2801 { SSL_HND_QUIC_TP_ENABLE_MULTIPATH0x0f739bbc1b666d06, "enable_multipath (draft-06)" },
2802 { SSL_HND_QUIC_TP_INITIAL_MAX_PATHS0x0f739bbc1b666d07, "initial_max_paths (draft-07/08)" },
2803 { SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT090x0f739bbc1b666d09, "initial_max_path_id (draft-09/10)" },
2804 { SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT110x0f739bbc1b666d11, "initial_max_path_id (draft-11)" },
2805 { SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT120x0f739bbc1b666d0c, "initial_max_path_id (draft-12)" },
2806 { SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT130x0f739bbc1b666d0d, "initial_max_path_id (draft-13)" },
2807 { SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID0x3e, "initial_max_path_id" },
2808 { 0, NULL((void*)0) }
2809};
2810
2811/* https://tools.ietf.org/html/draft-ietf-quic-address-discovery-00 */
2812const val64_string quic_address_discovery_vals[] = {
2813 { 0, "The node is willing to provide address observations to its peer, but is not interested in receiving address observations itself" },
2814 { 1, "The node is interested in receiving address observations, but it is not willing to provide address observations" },
2815 { 2, "The node is interested in receiving address observations, and it is willing to provide address observations" },
2816 { 0, NULL((void*)0) }
2817};
2818
2819/* https://tools.ietf.org/html/draft-huitema-quic-ts-03 */
2820const val64_string quic_enable_time_stamp_v2_vals[] = {
2821 { 1, "I would like to receive TIME_STAMP frames" },
2822 { 2, "I am able to generate TIME_STAMP frames" },
2823 { 3, "I am able to generate TIME_STAMP frames and I would like to receive them" },
2824 { 0, NULL((void*)0) }
2825};
2826
2827/* https://datatracker.ietf.org/doc/draft-ietf-quic-multipath/04/ */
2828const val64_string quic_enable_multipath_vals[] = {
2829 { 0, "don't support multipath" },
2830 { 1, "support multipath as defined in this document" },
2831 { 0, NULL((void*)0) }
2832};
2833
2834/* https://www.ietf.org/archive/id/draft-ietf-tls-esni-16.txt */
2835const value_string tls_hello_ext_ech_clienthello_types[] = {
2836 { 0, "Outer Client Hello" },
2837 { 1, "Inner Client Hello" },
2838 { 0, NULL((void*)0) }
2839};
2840
2841/* RFC 9180 */
2842const value_string kem_id_type_vals[] = {
2843 { 0x0000, "Reserved" },
2844 { 0x0010, "DHKEM(P-256, HKDF-SHA256)" },
2845 { 0x0011, "DHKEM(P-384, HKDF-SHA384)" },
2846 { 0x0012, "DHKEM(P-521, HKDF-SHA512)" },
2847 { 0x0020, "DHKEM(X25519, HKDF-SHA256)" },
2848 { 0x0021, "DHKEM(X448, HKDF-SHA512)" },
2849 { 0, NULL((void*)0) }
2850};
2851const value_string kdf_id_type_vals[] = {
2852 { 0x0000, "Reserved" },
2853 { 0x0001, "HKDF-SHA256" },
2854 { 0x0002, "HKDF-SHA384" },
2855 { 0x0003, "HKDF-SHA512" },
2856 { 0, NULL((void*)0) }
2857};
2858const value_string aead_id_type_vals[] = {
2859 { 0x0000, "Reserved" },
2860 { 0x0001, "AES-128-GCM" },
2861 { 0x0002, "AES-256-GCM" },
2862 { 0x0003, "ChaCha20Poly1305" },
2863 { 0xFFFF, "Export-only" },
2864 { 0, NULL((void*)0) }
2865};
2866
2867const value_string token_binding_key_parameter_vals[] = {
2868 { 0, "rsa2048_pkcs1.5" },
2869 { 1, "rsa2048_pss" },
2870 { 2, "ecdsap256" },
2871 { 0, NULL((void*)0) }
2872};
2873
2874/* Lookup tables }}} */
2875
2876void
2877quic_transport_parameter_id_base_custom(char *result, uint64_t parameter_id)
2878{
2879 const char *label;
2880 if (IS_GREASE_QUIC(parameter_id)((parameter_id) > 27 ? ((((parameter_id) - 27) % 31) == 0)
: 0)) {
2881 label = "GREASE";
2882 } else {
2883 label = val64_to_str_const(parameter_id, quic_transport_parameter_id, "Unknown");
2884 }
2885 snprintf(result, ITEM_LABEL_LENGTH240, "%s (0x%02" PRIx64"l" "x" ")", label, parameter_id);
2886}
2887
2888/* we keep this internal to packet-tls-utils, as there should be
2889 no need to access it any other way.
2890
2891 This also allows us to hide the dependency on zlib.
2892*/
2893struct _SslDecompress {
2894 int compression;
2895#ifdef USE_ZLIB_OR_ZLIBNG
2896 zlib_stream istream;
2897#endif
2898};
2899
2900/* To assist in parsing client/server key exchange messages
2901 0 indicates unknown */
2902int ssl_get_keyex_alg(int cipher)
2903{
2904 /* Map Cipher suite number to Key Exchange algorithm {{{ */
2905 switch(cipher) {
2906 case 0x0017:
2907 case 0x0018:
2908 case 0x0019:
2909 case 0x001a:
2910 case 0x001b:
2911 case 0x0034:
2912 case 0x003a:
2913 case 0x0046:
2914 case 0x006c:
2915 case 0x006d:
2916 case 0x0089:
2917 case 0x009b:
2918 case 0x00a6:
2919 case 0x00a7:
2920 case 0x00bf:
2921 case 0x00c5:
2922 case 0xc084:
2923 case 0xc085:
2924 return KEX_DH_ANON0x13;
2925 case 0x000b:
2926 case 0x000c:
2927 case 0x000d:
2928 case 0x0030:
2929 case 0x0036:
2930 case 0x003e:
2931 case 0x0042:
2932 case 0x0068:
2933 case 0x0085:
2934 case 0x0097:
2935 case 0x00a4:
2936 case 0x00a5:
2937 case 0x00bb:
2938 case 0x00c1:
2939 case 0xc082:
2940 case 0xc083:
2941 return KEX_DH_DSS0x14;
2942 case 0x000e:
2943 case 0x000f:
2944 case 0x0010:
2945 case 0x0031:
2946 case 0x0037:
2947 case 0x003f:
2948 case 0x0043:
2949 case 0x0069:
2950 case 0x0086:
2951 case 0x0098:
2952 case 0x00a0:
2953 case 0x00a1:
2954 case 0x00bc:
2955 case 0x00c2:
2956 case 0xc07e:
2957 case 0xc07f:
2958 return KEX_DH_RSA0x15;
2959 case 0x0011:
2960 case 0x0012:
2961 case 0x0013:
2962 case 0x0032:
2963 case 0x0038:
2964 case 0x0040:
2965 case 0x0044:
2966 case 0x0063:
2967 case 0x0065:
2968 case 0x0066:
2969 case 0x006a:
2970 case 0x0087:
2971 case 0x0099:
2972 case 0x00a2:
2973 case 0x00a3:
2974 case 0x00bd:
2975 case 0x00c3:
2976 case 0xc080:
2977 case 0xc081:
2978 return KEX_DHE_DSS0x10;
2979 case 0x002d:
2980 case 0x008e:
2981 case 0x008f:
2982 case 0x0090:
2983 case 0x0091:
2984 case 0x00aa:
2985 case 0x00ab:
2986 case 0x00b2:
2987 case 0x00b3:
2988 case 0x00b4:
2989 case 0x00b5:
2990 case 0xc090:
2991 case 0xc091:
2992 case 0xc096:
2993 case 0xc097:
2994 case 0xc0a6:
2995 case 0xc0a7:
2996 case 0xc0aa:
2997 case 0xc0ab:
2998 case 0xccad:
2999 case 0xe41c:
3000 case 0xe41d:
3001 return KEX_DHE_PSK0x11;
3002 case 0x0014:
3003 case 0x0015:
3004 case 0x0016:
3005 case 0x0033:
3006 case 0x0039:
3007 case 0x0045:
3008 case 0x0067:
3009 case 0x006b:
3010 case 0x0088:
3011 case 0x009a:
3012 case 0x009e:
3013 case 0x009f:
3014 case 0x00be:
3015 case 0x00c4:
3016 case 0xc07c:
3017 case 0xc07d:
3018 case 0xc09e:
3019 case 0xc09f:
3020 case 0xc0a2:
3021 case 0xc0a3:
3022 case 0xccaa:
3023 case 0xe41e:
3024 case 0xe41f:
3025 return KEX_DHE_RSA0x12;
3026 case 0xc015:
3027 case 0xc016:
3028 case 0xc017:
3029 case 0xc018:
3030 case 0xc019:
3031 return KEX_ECDH_ANON0x19;
3032 case 0xc001:
3033 case 0xc002:
3034 case 0xc003:
3035 case 0xc004:
3036 case 0xc005:
3037 case 0xc025:
3038 case 0xc026:
3039 case 0xc02d:
3040 case 0xc02e:
3041 case 0xc074:
3042 case 0xc075:
3043 case 0xc088:
3044 case 0xc089:
3045 return KEX_ECDH_ECDSA0x1a;
3046 case 0xc00b:
3047 case 0xc00c:
3048 case 0xc00d:
3049 case 0xc00e:
3050 case 0xc00f:
3051 case 0xc029:
3052 case 0xc02a:
3053 case 0xc031:
3054 case 0xc032:
3055 case 0xc078:
3056 case 0xc079:
3057 case 0xc08c:
3058 case 0xc08d:
3059 return KEX_ECDH_RSA0x1b;
3060 case 0xc006:
3061 case 0xc007:
3062 case 0xc008:
3063 case 0xc009:
3064 case 0xc00a:
3065 case 0xc023:
3066 case 0xc024:
3067 case 0xc02b:
3068 case 0xc02c:
3069 case 0xc072:
3070 case 0xc073:
3071 case 0xc086:
3072 case 0xc087:
3073 case 0xc0ac:
3074 case 0xc0ad:
3075 case 0xc0ae:
3076 case 0xc0af:
3077 case 0xcca9:
3078 case 0xe414:
3079 case 0xe415:
3080 return KEX_ECDHE_ECDSA0x16;
3081 case 0xc033:
3082 case 0xc034:
3083 case 0xc035:
3084 case 0xc036:
3085 case 0xc037:
3086 case 0xc038:
3087 case 0xc039:
3088 case 0xc03a:
3089 case 0xc03b:
3090 case 0xc09a:
3091 case 0xc09b:
3092 case 0xccac:
3093 case 0xe418:
3094 case 0xe419:
3095 case 0xd001:
3096 case 0xd002:
3097 case 0xd003:
3098 case 0xd005:
3099 return KEX_ECDHE_PSK0x17;
3100 case 0xc010:
3101 case 0xc011:
3102 case 0xc012:
3103 case 0xc013:
3104 case 0xc014:
3105 case 0xc027:
3106 case 0xc028:
3107 case 0xc02f:
3108 case 0xc030:
3109 case 0xc076:
3110 case 0xc077:
3111 case 0xc08a:
3112 case 0xc08b:
3113 case 0xcca8:
3114 case 0xe412:
3115 case 0xe413:
3116 return KEX_ECDHE_RSA0x18;
3117 case 0x001e:
3118 case 0x001f:
3119 case 0x0020:
3120 case 0x0021:
3121 case 0x0022:
3122 case 0x0023:
3123 case 0x0024:
3124 case 0x0025:
3125 case 0x0026:
3126 case 0x0027:
3127 case 0x0028:
3128 case 0x0029:
3129 case 0x002a:
3130 case 0x002b:
3131 return KEX_KRB50x1c;
3132 case 0x002c:
3133 case 0x008a:
3134 case 0x008b:
3135 case 0x008c:
3136 case 0x008d:
3137 case 0x00a8:
3138 case 0x00a9:
3139 case 0x00ae:
3140 case 0x00af:
3141 case 0x00b0:
3142 case 0x00b1:
3143 case 0xc064:
3144 case 0xc065:
3145 case 0xc08e:
3146 case 0xc08f:
3147 case 0xc094:
3148 case 0xc095:
3149 case 0xc0a4:
3150 case 0xc0a5:
3151 case 0xc0a8:
3152 case 0xc0a9:
3153 case 0xccab:
3154 case 0xe416:
3155 case 0xe417:
3156 return KEX_PSK0x1d;
3157 case 0x0001:
3158 case 0x0002:
3159 case 0x0003:
3160 case 0x0004:
3161 case 0x0005:
3162 case 0x0006:
3163 case 0x0007:
3164 case 0x0008:
3165 case 0x0009:
3166 case 0x000a:
3167 case 0x002f:
3168 case 0x0035:
3169 case 0x003b:
3170 case 0x003c:
3171 case 0x003d:
3172 case 0x0041:
3173 case 0x0060:
3174 case 0x0061:
3175 case 0x0062:
3176 case 0x0064:
3177 case 0x0084:
3178 case 0x0096:
3179 case 0x009c:
3180 case 0x009d:
3181 case 0x00ba:
3182 case 0x00c0:
3183 case 0xc07a:
3184 case 0xc07b:
3185 case 0xc09c:
3186 case 0xc09d:
3187 case 0xc0a0:
3188 case 0xc0a1:
3189 case 0xe410:
3190 case 0xe411:
3191 case 0xfefe:
3192 case 0xfeff:
3193 case 0xffe0:
3194 case 0xffe1:
3195 return KEX_RSA0x1e;
3196 case 0x002e:
3197 case 0x0092:
3198 case 0x0093:
3199 case 0x0094:
3200 case 0x0095:
3201 case 0x00ac:
3202 case 0x00ad:
3203 case 0x00b6:
3204 case 0x00b7:
3205 case 0x00b8:
3206 case 0x00b9:
3207 case 0xc092:
3208 case 0xc093:
3209 case 0xc098:
3210 case 0xc099:
3211 case 0xccae:
3212 case 0xe41a:
3213 case 0xe41b:
3214 return KEX_RSA_PSK0x1f;
3215 case 0xc01a:
3216 case 0xc01d:
3217 case 0xc020:
3218 return KEX_SRP_SHA0x20;
3219 case 0xc01c:
3220 case 0xc01f:
3221 case 0xc022:
3222 return KEX_SRP_SHA_DSS0x21;
3223 case 0xc01b:
3224 case 0xc01e:
3225 case 0xc021:
3226 return KEX_SRP_SHA_RSA0x22;
3227 case 0xc0ff:
3228 return KEX_ECJPAKE0x24;
3229 case 0xe003:
3230 case 0xe013:
3231 case 0xe053:
3232 return KEX_ECC_SM20x26;
3233 default:
3234 break;
3235 }
3236
3237 return 0;
3238 /* }}} */
3239}
3240
3241static wmem_list_t *connection_id_session_list;
3242
3243void
3244ssl_init_cid_list(void) {
3245 connection_id_session_list = wmem_list_new(wmem_file_scope());
3246}
3247
3248void
3249ssl_cleanup_cid_list(void) {
3250 wmem_destroy_list(connection_id_session_list);
3251}
3252
3253void
3254ssl_add_session_by_cid(SslDecryptSession *session)
3255{
3256 wmem_list_append(connection_id_session_list, session);
3257}
3258
3259SslDecryptSession *
3260ssl_get_session_by_cid(tvbuff_t *tvb, uint32_t offset)
3261{
3262 SslDecryptSession * ssl_cid = NULL((void*)0);
3263 wmem_list_frame_t *it = wmem_list_head(connection_id_session_list);
3264
3265 while (it != NULL((void*)0) && ssl_cid == NULL((void*)0)) {
3266 SslDecryptSession * ssl = (SslDecryptSession *)wmem_list_frame_data(it);
3267 DISSECTOR_ASSERT(ssl != NULL)((void) ((ssl != ((void*)0)) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 3267, "ssl != ((void*)0)"))));
3268 SslSession *session = &ssl->session;
3269
3270 if (session->client_cid_len > 0 && tvb_bytes_exist(tvb, offset, session->client_cid_len)) {
3271 if (tvb_memeql(tvb, offset, session->client_cid, session->client_cid_len) == 0) {
3272 ssl_cid = ssl;
3273 }
3274 }
3275
3276 if (session->server_cid_len > 0) {
3277 if (tvb_memeql(tvb, offset, session->server_cid, session->server_cid_len) == 0) {
3278 ssl_cid = ssl;
3279 }
3280 }
3281
3282 it = wmem_list_frame_next(it);
3283 }
3284
3285 return ssl_cid;
3286}
3287
3288/* StringInfo structure (len + data) functions {{{ */
3289
3290int
3291ssl_data_alloc(StringInfo* str, size_t len)
3292{
3293 str->data = (unsigned char *)g_malloc(len);
22
Memory is allocated
3294 /* the allocator can return a null pointer for a size equal to 0,
3295 * and that must be allowed */
3296 if (len
22.1
'len' is > 0
 > 0 && !str->data)
23
Assuming field 'data' is non-null
24
Taking false branch
3297 return -1;
3298 str->data_len = (unsigned) len;
3299 return 0;
3300}
3301
3302void
3303ssl_data_set(StringInfo* str, const unsigned char* data, unsigned len)
3304{
3305 DISSECTOR_ASSERT(data)((void) ((data) ? (void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\""
, "epan/dissectors/packet-tls-utils.c", 3305, "data"))));
3306 memcpy(str->data, data, len);
3307 str->data_len = len;
3308}
3309
3310static int
3311ssl_data_realloc(StringInfo* str, unsigned len)
3312{
3313 str->data = (unsigned char *)g_realloc(str->data, len);
3314 if (!str->data)
3315 return -1;
3316 str->data_len = len;
3317 return 0;
3318}
3319
3320static StringInfo *
3321ssl_data_clone(StringInfo *str)
3322{
3323 StringInfo *cloned_str;
3324 cloned_str = (StringInfo *) wmem_alloc0(wmem_file_scope(),
3325 sizeof(StringInfo) + str->data_len);
3326 cloned_str->data = (unsigned char *) (cloned_str + 1);
3327 ssl_data_set(cloned_str, str->data, str->data_len);
3328 return cloned_str;
3329}
3330
3331static int
3332ssl_data_copy(StringInfo* dst, StringInfo* src)
3333{
3334 if (dst->data_len < src->data_len) {
3335 if (ssl_data_realloc(dst, src->data_len))
3336 return -1;
3337 }
3338 memcpy(dst->data, src->data, src->data_len);
3339 dst->data_len = src->data_len;
3340 return 0;
3341}
3342
3343/* from_hex converts |hex_len| bytes of hex data from |in| and sets |*out| to
3344 * the result. |out->data| will be allocated using wmem_file_scope. Returns true on
3345 * success. */
3346static bool_Bool from_hex(StringInfo* out, const char* in, size_t hex_len) {
3347 size_t i;
3348
3349 if (hex_len & 1)
3350 return false0;
3351
3352 out->data = (unsigned char *)wmem_alloc(wmem_file_scope(), hex_len / 2);
3353 for (i = 0; i < hex_len / 2; i++) {
3354 int a = ws_xton(in[i*2]);
3355 int b = ws_xton(in[i*2 + 1]);
3356 if (a == -1 || b == -1)
3357 return false0;
3358 out->data[i] = a << 4 | b;
3359 }
3360 out->data_len = (unsigned)hex_len / 2;
3361 return true1;
3362}
3363/* StringInfo structure (len + data) functions }}} */
3364
3365
3366/* libgcrypt wrappers for HMAC/message digest operations {{{ */
3367/* hmac abstraction layer */
3368#define SSL_HMACgcry_md_hd_t gcry_md_hd_t
3369
3370static inline int
3371ssl_hmac_init(SSL_HMACgcry_md_hd_t* md, int algo)
3372{
3373 gcry_error_t err;
3374 const char *err_str, *err_src;
3375
3376 err = gcry_md_open(md,algo, GCRY_MD_FLAG_HMAC);
3377 if (err != 0) {
3378 err_str = gcry_strerror(err);
3379 err_src = gcry_strsource(err);
3380 ssl_debug_printf("ssl_hmac_init(): gcry_md_open failed %s/%s", err_str, err_src);
3381 return -1;
3382 }
3383 return 0;
3384}
3385
3386static inline int
3387ssl_hmac_setkey(SSL_HMACgcry_md_hd_t* md, const void * key, int len)
3388{
3389 gcry_error_t err;
3390 const char *err_str, *err_src;
3391
3392 err = gcry_md_setkey (*(md), key, len);
3393 if (err != 0) {
3394 err_str = gcry_strerror(err);
3395 err_src = gcry_strsource(err);
3396 ssl_debug_printf("ssl_hmac_setkey(): gcry_md_setkey failed %s/%s", err_str, err_src);
3397 return -1;
3398 }
3399 return 0;
3400}
3401
3402static inline int
3403ssl_hmac_reset(SSL_HMACgcry_md_hd_t* md)
3404{
3405 gcry_md_reset(*md);
3406 return 0;
3407}
3408
3409static inline void
3410ssl_hmac_update(SSL_HMACgcry_md_hd_t* md, const void* data, int len)
3411{
3412 gcry_md_write(*(md), data, len);
3413}
3414static inline void
3415ssl_hmac_final(SSL_HMACgcry_md_hd_t* md, unsigned char* data, unsigned* datalen)
3416{
3417 int algo;
3418 unsigned len;
3419
3420 algo = gcry_md_get_algo (*(md));
3421 len = gcry_md_get_algo_dlen(algo);
3422 DISSECTOR_ASSERT(len <= *datalen)((void) ((len <= *datalen) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 3422, "len <= *datalen"))));
3423 memcpy(data, gcry_md_read(*(md), algo), len);
3424 *datalen = len;
3425}
3426static inline void
3427ssl_hmac_cleanup(SSL_HMACgcry_md_hd_t* md)
3428{
3429 gcry_md_close(*(md));
3430}
3431
3432/* message digest abstraction layer*/
3433#define SSL_MDgcry_md_hd_t gcry_md_hd_t
3434
3435static inline int
3436ssl_md_init(SSL_MDgcry_md_hd_t* md, int algo)
3437{
3438 gcry_error_t err;
3439 const char *err_str, *err_src;
3440 err = gcry_md_open(md,algo, 0);
3441 if (err != 0) {
3442 err_str = gcry_strerror(err);
3443 err_src = gcry_strsource(err);
3444 ssl_debug_printf("ssl_md_init(): gcry_md_open failed %s/%s", err_str, err_src);
3445 return -1;
3446 }
3447 return 0;
3448}
3449static inline void
3450ssl_md_update(SSL_MDgcry_md_hd_t* md, const unsigned char* data, int len)
3451{
3452 gcry_md_write(*(md), data, len);
3453}
3454static inline void
3455ssl_md_final(SSL_MDgcry_md_hd_t* md, unsigned char* data, unsigned* datalen)
3456{
3457 int algo;
3458 int len;
3459 algo = gcry_md_get_algo (*(md));
3460 len = gcry_md_get_algo_dlen (algo);
3461 memcpy(data, gcry_md_read(*(md), algo), len);
3462 *datalen = len;
3463}
3464static inline void
3465ssl_md_cleanup(SSL_MDgcry_md_hd_t* md)
3466{
3467 gcry_md_close(*(md));
3468}
3469
3470static inline void
3471ssl_md_reset(SSL_MDgcry_md_hd_t* md)
3472{
3473 gcry_md_reset(*md);
3474}
3475
3476/* md5 /sha abstraction layer */
3477#define SSL_SHA_CTXgcry_md_hd_t gcry_md_hd_t
3478#define SSL_MD5_CTXgcry_md_hd_t gcry_md_hd_t
3479
3480static inline int
3481ssl_sha_init(SSL_SHA_CTXgcry_md_hd_t* md)
3482{
3483 gcry_error_t err;
3484 const char *err_str, *err_src;
3485 err = gcry_md_open(md, GCRY_MD_SHA1, 0);
3486 if (err != 0) {
3487 err_str = gcry_strerror(err);
3488 err_src = gcry_strsource(err);
3489 ssl_debug_printf("ssl_sha_init(): gcry_md_open failed %s/%s", err_str, err_src);
3490 return -1;
3491 }
3492 return 0;
3493}
3494static inline void
3495ssl_sha_update(SSL_SHA_CTXgcry_md_hd_t* md, unsigned char* data, int len)
3496{
3497 gcry_md_write(*(md), data, len);
3498}
3499static inline void
3500ssl_sha_final(unsigned char* buf, SSL_SHA_CTXgcry_md_hd_t* md)
3501{
3502 memcpy(buf, gcry_md_read(*(md), GCRY_MD_SHA1),
3503 gcry_md_get_algo_dlen(GCRY_MD_SHA1));
3504}
3505
3506static inline void
3507ssl_sha_reset(SSL_SHA_CTXgcry_md_hd_t* md)
3508{
3509 gcry_md_reset(*md);
3510}
3511
3512static inline void
3513ssl_sha_cleanup(SSL_SHA_CTXgcry_md_hd_t* md)
3514{
3515 gcry_md_close(*(md));
3516}
3517
3518static inline int
3519ssl_md5_init(SSL_MD5_CTXgcry_md_hd_t* md)
3520{
3521 gcry_error_t err;
3522 const char *err_str, *err_src;
3523 err = gcry_md_open(md,GCRY_MD_MD5, 0);
3524 if (err != 0) {
3525 err_str = gcry_strerror(err);
3526 err_src = gcry_strsource(err);
3527 ssl_debug_printf("ssl_md5_init(): gcry_md_open failed %s/%s", err_str, err_src);
3528 return -1;
3529 }
3530 return 0;
3531}
3532static inline void
3533ssl_md5_update(SSL_MD5_CTXgcry_md_hd_t* md, unsigned char* data, int len)
3534{
3535 gcry_md_write(*(md), data, len);
3536}
3537static inline void
3538ssl_md5_final(unsigned char* buf, SSL_MD5_CTXgcry_md_hd_t* md)
3539{
3540 memcpy(buf, gcry_md_read(*(md), GCRY_MD_MD5),
3541 gcry_md_get_algo_dlen(GCRY_MD_MD5));
3542}
3543
3544static inline void
3545ssl_md5_reset(SSL_MD5_CTXgcry_md_hd_t* md)
3546{
3547 gcry_md_reset(*md);
3548}
3549
3550static inline void
3551ssl_md5_cleanup(SSL_MD5_CTXgcry_md_hd_t* md)
3552{
3553 gcry_md_close(*(md));
3554}
3555/* libgcrypt wrappers for HMAC/message digest operations }}} */
3556
3557/* libgcrypt wrappers for Cipher state manipulation {{{ */
3558int
3559ssl_cipher_setiv(SSL_CIPHER_CTXgcry_cipher_hd_t *cipher, unsigned char* iv, int iv_len)
3560{
3561 int ret;
3562#if 0
3563 unsigned char *ivp;
3564 int i;
3565 gcry_cipher_hd_t c;
3566 c=(gcry_cipher_hd_t)*cipher;
3567#endif
3568 ssl_debug_printf("--------------------------------------------------------------------");
3569#if 0
3570 for(ivp=c->iv,i=0; i < iv_len; i++ )
3571 {
3572 ssl_debug_printf("%d ",ivp[i]);
3573 i++;
3574 }
3575#endif
3576 ssl_debug_printf("--------------------------------------------------------------------");
3577 ret = gcry_cipher_setiv(*(cipher), iv, iv_len);
3578#if 0
3579 for(ivp=c->iv,i=0; i < iv_len; i++ )
3580 {
3581 ssl_debug_printf("%d ",ivp[i]);
3582 i++;
3583 }
3584#endif
3585 ssl_debug_printf("--------------------------------------------------------------------");
3586 return ret;
3587}
3588/* stream cipher abstraction layer*/
3589static int
3590ssl_cipher_init(gcry_cipher_hd_t *cipher, int algo, unsigned char* sk,
3591 unsigned char* iv, int mode)
3592{
3593 int gcry_modes[] = {
3594 GCRY_CIPHER_MODE_STREAM,
3595 GCRY_CIPHER_MODE_CBC,
3596 GCRY_CIPHER_MODE_GCM,
3597 GCRY_CIPHER_MODE_CCM,
3598 GCRY_CIPHER_MODE_CCM,
3599 GCRY_CIPHER_MODE_POLY1305,
3600 GCRY_CIPHER_MODE_ECB, /* used for DTLSv1.3 seq number encryption */
3601 };
3602 int err;
3603 if (algo == -1) {
3604 /* NULL mode */
3605 *(cipher) = (gcry_cipher_hd_t)-1;
3606 return 0;
3607 }
3608 err = gcry_cipher_open(cipher, algo, gcry_modes[mode], 0);
3609 if (err !=0)
3610 return -1;
3611 err = gcry_cipher_setkey(*(cipher), sk, gcry_cipher_get_algo_keylen (algo));
3612 if (err != 0)
3613 return -1;
3614 /* AEAD cipher suites will set the nonce later. */
3615 if (mode == MODE_CBC) {
3616 err = gcry_cipher_setiv(*(cipher), iv, gcry_cipher_get_algo_blklen(algo));
3617 if (err != 0)
3618 return -1;
3619 }
3620 return 0;
3621}
3622static inline int
3623ssl_cipher_decrypt(gcry_cipher_hd_t *cipher, unsigned char * out, int outl,
3624 const unsigned char * in, int inl)
3625{
3626 if ((*cipher) == (gcry_cipher_hd_t)-1)
3627 {
3628 if (in && inl)
3629 memcpy(out, in, outl < inl ? outl : inl);
3630 return 0;
3631 }
3632 return gcry_cipher_decrypt ( *(cipher), out, outl, in, inl);
3633}
3634static inline int
3635ssl_get_digest_by_name(const char*name)
3636{
3637 return gcry_md_map_name(name);
3638}
3639static inline int
3640ssl_get_cipher_by_name(const char* name)
3641{
3642 return gcry_cipher_map_name(name);
3643}
3644
3645static inline void
3646ssl_cipher_cleanup(gcry_cipher_hd_t *cipher)
3647{
3648 if ((*cipher) != (gcry_cipher_hd_t)-1)
3649 gcry_cipher_close(*cipher);
3650 *cipher = NULL((void*)0);
3651}
3652/* }}} */
3653
3654/* Digests, Ciphers and Cipher Suites registry {{{ */
3655static const SslDigestAlgo digests[]={
3656 {"MD5", 16},
3657 {"SHA1", 20},
3658 {"SHA256", 32},
3659 {"SHA384", 48},
3660 {"SM3", 32},
3661 {"Not Applicable", 0},
3662};
3663
3664#define DIGEST_MAX_SIZE48 48
3665
3666/* get index digest index */
3667static const SslDigestAlgo *
3668ssl_cipher_suite_dig(const SslCipherSuite *cs) {
3669 if (!cs || cs->dig < DIG_MD50x40 || cs->dig > DIG_NA0x45) {
3670 return &digests[DIG_NA0x45 - DIG_MD50x40];
3671 }
3672 return &digests[cs->dig - DIG_MD50x40];
3673}
3674
3675static const char *ciphers[]={
3676 "DES",
3677 "3DES",
3678 "ARCFOUR", /* libgcrypt does not support rc4, but this should be 100% compatible*/
3679 "RFC2268_128", /* libgcrypt name for RC2 with a 128-bit key */
3680 "IDEA",
3681 "AES",
3682 "AES256",
3683 "CAMELLIA128",
3684 "CAMELLIA256",
3685 "SEED",
3686 "CHACHA20", /* since Libgcrypt 1.7.0 */
3687 "SM1",
3688 "SM4",
3689 "*UNKNOWN*"
3690};
3691
3692static const SslCipherSuite cipher_suites[]={
3693 {0x0001,KEX_RSA0x1e, ENC_NULL0x3D, DIG_MD50x40, MODE_STREAM}, /* TLS_RSA_WITH_NULL_MD5 */
3694 {0x0002,KEX_RSA0x1e, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_RSA_WITH_NULL_SHA */
3695 {0x0003,KEX_RSA0x1e, ENC_RC40x32, DIG_MD50x40, MODE_STREAM}, /* TLS_RSA_EXPORT_WITH_RC4_40_MD5 */
3696 {0x0004,KEX_RSA0x1e, ENC_RC40x32, DIG_MD50x40, MODE_STREAM}, /* TLS_RSA_WITH_RC4_128_MD5 */
3697 {0x0005,KEX_RSA0x1e, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_RSA_WITH_RC4_128_SHA */
3698 {0x0006,KEX_RSA0x1e, ENC_RC20x33, DIG_MD50x40, MODE_CBC }, /* TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 */
3699 {0x0007,KEX_RSA0x1e, ENC_IDEA0x34, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_IDEA_CBC_SHA */
3700 {0x0008,KEX_RSA0x1e, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_EXPORT_WITH_DES40_CBC_SHA */
3701 {0x0009,KEX_RSA0x1e, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_DES_CBC_SHA */
3702 {0x000A,KEX_RSA0x1e, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_3DES_EDE_CBC_SHA */
3703 {0x000B,KEX_DH_DSS0x14, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA */
3704 {0x000C,KEX_DH_DSS0x14, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_DES_CBC_SHA */
3705 {0x000D,KEX_DH_DSS0x14, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA */
3706 {0x000E,KEX_DH_RSA0x15, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA */
3707 {0x000F,KEX_DH_RSA0x15, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_DES_CBC_SHA */
3708 {0x0010,KEX_DH_RSA0x15, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA */
3709 {0x0011,KEX_DHE_DSS0x10, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA */
3710 {0x0012,KEX_DHE_DSS0x10, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_DES_CBC_SHA */
3711 {0x0013,KEX_DHE_DSS0x10, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA */
3712 {0x0014,KEX_DHE_RSA0x12, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA */
3713 {0x0015,KEX_DHE_RSA0x12, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_DES_CBC_SHA */
3714 {0x0016,KEX_DHE_RSA0x12, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA */
3715 {0x0017,KEX_DH_ANON0x13, ENC_RC40x32, DIG_MD50x40, MODE_STREAM}, /* TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 */
3716 {0x0018,KEX_DH_ANON0x13, ENC_RC40x32, DIG_MD50x40, MODE_STREAM}, /* TLS_DH_anon_WITH_RC4_128_MD5 */
3717 {0x0019,KEX_DH_ANON0x13, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA */
3718 {0x001A,KEX_DH_ANON0x13, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_DES_CBC_SHA */
3719 {0x001B,KEX_DH_ANON0x13, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_3DES_EDE_CBC_SHA */
3720 {0x002C,KEX_PSK0x1d, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_PSK_WITH_NULL_SHA */
3721 {0x002D,KEX_DHE_PSK0x11, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_DHE_PSK_WITH_NULL_SHA */
3722 {0x002E,KEX_RSA_PSK0x1f, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_RSA_PSK_WITH_NULL_SHA */
3723 {0x002F,KEX_RSA0x1e, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_AES_128_CBC_SHA */
3724 {0x0030,KEX_DH_DSS0x14, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_AES_128_CBC_SHA */
3725 {0x0031,KEX_DH_RSA0x15, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_AES_128_CBC_SHA */
3726 {0x0032,KEX_DHE_DSS0x10, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_AES_128_CBC_SHA */
3727 {0x0033,KEX_DHE_RSA0x12, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_AES_128_CBC_SHA */
3728 {0x0034,KEX_DH_ANON0x13, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_AES_128_CBC_SHA */
3729 {0x0035,KEX_RSA0x1e, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_AES_256_CBC_SHA */
3730 {0x0036,KEX_DH_DSS0x14, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_AES_256_CBC_SHA */
3731 {0x0037,KEX_DH_RSA0x15, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_AES_256_CBC_SHA */
3732 {0x0038,KEX_DHE_DSS0x10, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_AES_256_CBC_SHA */
3733 {0x0039,KEX_DHE_RSA0x12, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_AES_256_CBC_SHA */
3734 {0x003A,KEX_DH_ANON0x13, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_AES_256_CBC_SHA */
3735 {0x003B,KEX_RSA0x1e, ENC_NULL0x3D, DIG_SHA2560x42, MODE_STREAM}, /* TLS_RSA_WITH_NULL_SHA256 */
3736 {0x003C,KEX_RSA0x1e, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_RSA_WITH_AES_128_CBC_SHA256 */
3737 {0x003D,KEX_RSA0x1e, ENC_AES2560x36, DIG_SHA2560x42, MODE_CBC }, /* TLS_RSA_WITH_AES_256_CBC_SHA256 */
3738 {0x003E,KEX_DH_DSS0x14, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_DSS_WITH_AES_128_CBC_SHA256 */
3739 {0x003F,KEX_DH_RSA0x15, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_RSA_WITH_AES_128_CBC_SHA256 */
3740 {0x0040,KEX_DHE_DSS0x10, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 */
3741 {0x0041,KEX_RSA0x1e, ENC_CAMELLIA1280x37,DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_CAMELLIA_128_CBC_SHA */
3742 {0x0042,KEX_DH_DSS0x14, ENC_CAMELLIA1280x37,DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA */
3743 {0x0043,KEX_DH_RSA0x15, ENC_CAMELLIA1280x37,DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA */
3744 {0x0044,KEX_DHE_DSS0x10, ENC_CAMELLIA1280x37,DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA */
3745 {0x0045,KEX_DHE_RSA0x12, ENC_CAMELLIA1280x37,DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA */
3746 {0x0046,KEX_DH_ANON0x13, ENC_CAMELLIA1280x37,DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA */
3747 {0x0060,KEX_RSA0x1e, ENC_RC40x32, DIG_MD50x40, MODE_STREAM}, /* TLS_RSA_EXPORT1024_WITH_RC4_56_MD5 */
3748 {0x0061,KEX_RSA0x1e, ENC_RC20x33, DIG_MD50x40, MODE_STREAM}, /* TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 */
3749 {0x0062,KEX_RSA0x1e, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA */
3750 {0x0063,KEX_DHE_DSS0x10, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA */
3751 {0x0064,KEX_RSA0x1e, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_RSA_EXPORT1024_WITH_RC4_56_SHA */
3752 {0x0065,KEX_DHE_DSS0x10, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA */
3753 {0x0066,KEX_DHE_DSS0x10, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_DHE_DSS_WITH_RC4_128_SHA */
3754 {0x0067,KEX_DHE_RSA0x12, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 */
3755 {0x0068,KEX_DH_DSS0x14, ENC_AES2560x36, DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_DSS_WITH_AES_256_CBC_SHA256 */
3756 {0x0069,KEX_DH_RSA0x15, ENC_AES2560x36, DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_RSA_WITH_AES_256_CBC_SHA256 */
3757 {0x006A,KEX_DHE_DSS0x10, ENC_AES2560x36, DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 */
3758 {0x006B,KEX_DHE_RSA0x12, ENC_AES2560x36, DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 */
3759 {0x006C,KEX_DH_ANON0x13, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_anon_WITH_AES_128_CBC_SHA256 */
3760 {0x006D,KEX_DH_ANON0x13, ENC_AES2560x36, DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_anon_WITH_AES_256_CBC_SHA256 */
3761 {0x0084,KEX_RSA0x1e, ENC_CAMELLIA2560x38,DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_CAMELLIA_256_CBC_SHA */
3762 {0x0085,KEX_DH_DSS0x14, ENC_CAMELLIA2560x38,DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA */
3763 {0x0086,KEX_DH_RSA0x15, ENC_CAMELLIA2560x38,DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA */
3764 {0x0087,KEX_DHE_DSS0x10, ENC_CAMELLIA2560x38,DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA */
3765 {0x0088,KEX_DHE_RSA0x12, ENC_CAMELLIA2560x38,DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA */
3766 {0x0089,KEX_DH_ANON0x13, ENC_CAMELLIA2560x38,DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA */
3767 {0x008A,KEX_PSK0x1d, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_PSK_WITH_RC4_128_SHA */
3768 {0x008B,KEX_PSK0x1d, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_PSK_WITH_3DES_EDE_CBC_SHA */
3769 {0x008C,KEX_PSK0x1d, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_PSK_WITH_AES_128_CBC_SHA */
3770 {0x008D,KEX_PSK0x1d, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_PSK_WITH_AES_256_CBC_SHA */
3771 {0x008E,KEX_DHE_PSK0x11, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_DHE_PSK_WITH_RC4_128_SHA */
3772 {0x008F,KEX_DHE_PSK0x11, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA */
3773 {0x0090,KEX_DHE_PSK0x11, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_PSK_WITH_AES_128_CBC_SHA */
3774 {0x0091,KEX_DHE_PSK0x11, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_PSK_WITH_AES_256_CBC_SHA */
3775 {0x0092,KEX_RSA_PSK0x1f, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_RSA_PSK_WITH_RC4_128_SHA */
3776 {0x0093,KEX_RSA_PSK0x1f, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA */
3777 {0x0094,KEX_RSA_PSK0x1f, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_PSK_WITH_AES_128_CBC_SHA */
3778 {0x0095,KEX_RSA_PSK0x1f, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_PSK_WITH_AES_256_CBC_SHA */
3779 {0x0096,KEX_RSA0x1e, ENC_SEED0x39, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_SEED_CBC_SHA */
3780 {0x0097,KEX_DH_DSS0x14, ENC_SEED0x39, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_SEED_CBC_SHA */
3781 {0x0098,KEX_DH_RSA0x15, ENC_SEED0x39, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_SEED_CBC_SHA */
3782 {0x0099,KEX_DHE_DSS0x10, ENC_SEED0x39, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_SEED_CBC_SHA */
3783 {0x009A,KEX_DHE_RSA0x12, ENC_SEED0x39, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_SEED_CBC_SHA */
3784 {0x009B,KEX_DH_ANON0x13, ENC_SEED0x39, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_SEED_CBC_SHA */
3785 {0x009C,KEX_RSA0x1e, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_RSA_WITH_AES_128_GCM_SHA256 */
3786 {0x009D,KEX_RSA0x1e, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_RSA_WITH_AES_256_GCM_SHA384 */
3787 {0x009E,KEX_DHE_RSA0x12, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 */
3788 {0x009F,KEX_DHE_RSA0x12, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 */
3789 {0x00A0,KEX_DH_RSA0x15, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_DH_RSA_WITH_AES_128_GCM_SHA256 */
3790 {0x00A1,KEX_DH_RSA0x15, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_DH_RSA_WITH_AES_256_GCM_SHA384 */
3791 {0x00A2,KEX_DHE_DSS0x10, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 */
3792 {0x00A3,KEX_DHE_DSS0x10, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 */
3793 {0x00A4,KEX_DH_DSS0x14, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_DH_DSS_WITH_AES_128_GCM_SHA256 */
3794 {0x00A5,KEX_DH_DSS0x14, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_DH_DSS_WITH_AES_256_GCM_SHA384 */
3795 {0x00A6,KEX_DH_ANON0x13, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_DH_anon_WITH_AES_128_GCM_SHA256 */
3796 {0x00A7,KEX_DH_ANON0x13, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_DH_anon_WITH_AES_256_GCM_SHA384 */
3797 {0x00A8,KEX_PSK0x1d, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_PSK_WITH_AES_128_GCM_SHA256 */
3798 {0x00A9,KEX_PSK0x1d, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_PSK_WITH_AES_256_GCM_SHA384 */
3799 {0x00AA,KEX_DHE_PSK0x11, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 */
3800 {0x00AB,KEX_DHE_PSK0x11, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 */
3801 {0x00AC,KEX_RSA_PSK0x1f, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 */
3802 {0x00AD,KEX_RSA_PSK0x1f, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 */
3803 {0x00AE,KEX_PSK0x1d, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_PSK_WITH_AES_128_CBC_SHA256 */
3804 {0x00AF,KEX_PSK0x1d, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_PSK_WITH_AES_256_CBC_SHA384 */
3805 {0x00B0,KEX_PSK0x1d, ENC_NULL0x3D, DIG_SHA2560x42, MODE_STREAM}, /* TLS_PSK_WITH_NULL_SHA256 */
3806 {0x00B1,KEX_PSK0x1d, ENC_NULL0x3D, DIG_SHA3840x43, MODE_STREAM}, /* TLS_PSK_WITH_NULL_SHA384 */
3807 {0x00B2,KEX_DHE_PSK0x11, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 */
3808 {0x00B3,KEX_DHE_PSK0x11, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 */
3809 {0x00B4,KEX_DHE_PSK0x11, ENC_NULL0x3D, DIG_SHA2560x42, MODE_STREAM}, /* TLS_DHE_PSK_WITH_NULL_SHA256 */
3810 {0x00B5,KEX_DHE_PSK0x11, ENC_NULL0x3D, DIG_SHA3840x43, MODE_STREAM}, /* TLS_DHE_PSK_WITH_NULL_SHA384 */
3811 {0x00B6,KEX_RSA_PSK0x1f, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 */
3812 {0x00B7,KEX_RSA_PSK0x1f, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 */
3813 {0x00B8,KEX_RSA_PSK0x1f, ENC_NULL0x3D, DIG_SHA2560x42, MODE_STREAM}, /* TLS_RSA_PSK_WITH_NULL_SHA256 */
3814 {0x00B9,KEX_RSA_PSK0x1f, ENC_NULL0x3D, DIG_SHA3840x43, MODE_STREAM}, /* TLS_RSA_PSK_WITH_NULL_SHA384 */
3815 {0x00BA,KEX_RSA0x1e, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 */
3816 {0x00BB,KEX_DH_DSS0x14, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256 */
3817 {0x00BC,KEX_DH_RSA0x15, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256 */
3818 {0x00BD,KEX_DHE_DSS0x10, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256 */
3819 {0x00BE,KEX_DHE_RSA0x12, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 */
3820 {0x00BF,KEX_DH_ANON0x13, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256 */
3821 {0x00C0,KEX_RSA0x1e, ENC_CAMELLIA2560x38,DIG_SHA2560x42, MODE_CBC }, /* TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 */
3822 {0x00C1,KEX_DH_DSS0x14, ENC_CAMELLIA2560x38,DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256 */
3823 {0x00C2,KEX_DH_RSA0x15, ENC_CAMELLIA2560x38,DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256 */
3824 {0x00C3,KEX_DHE_DSS0x10, ENC_CAMELLIA2560x38,DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256 */
3825 {0x00C4,KEX_DHE_RSA0x12, ENC_CAMELLIA2560x38,DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 */
3826 {0x00C5,KEX_DH_ANON0x13, ENC_CAMELLIA2560x38,DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256 */
3827
3828 /* NOTE: TLS 1.3 cipher suites are incompatible with TLS 1.2. */
3829 {0x1301,KEX_TLS130x23, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_AES_128_GCM_SHA256 */
3830 {0x1302,KEX_TLS130x23, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_AES_256_GCM_SHA384 */
3831 {0x1303,KEX_TLS130x23, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_CHACHA20_POLY1305_SHA256 */
3832 {0x1304,KEX_TLS130x23, ENC_AES0x35, DIG_SHA2560x42, MODE_CCM }, /* TLS_AES_128_CCM_SHA256 */
3833 {0x1305,KEX_TLS130x23, ENC_AES0x35, DIG_SHA2560x42, MODE_CCM_8 }, /* TLS_AES_128_CCM_8_SHA256 */
3834 {0x00C6,KEX_TLS130x23, ENC_SM40x3C, DIG_SM30x44, MODE_GCM }, /* TLS_SM4_GCM_SM3 */
3835
3836 {0xC001,KEX_ECDH_ECDSA0x1a, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDH_ECDSA_WITH_NULL_SHA */
3837 {0xC002,KEX_ECDH_ECDSA0x1a, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDH_ECDSA_WITH_RC4_128_SHA */
3838 {0xC003,KEX_ECDH_ECDSA0x1a, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA */
3839 {0xC004,KEX_ECDH_ECDSA0x1a, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA */
3840 {0xC005,KEX_ECDH_ECDSA0x1a, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA */
3841 {0xC006,KEX_ECDHE_ECDSA0x16, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDHE_ECDSA_WITH_NULL_SHA */
3842 {0xC007,KEX_ECDHE_ECDSA0x16, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDHE_ECDSA_WITH_RC4_128_SHA */
3843 {0xC008,KEX_ECDHE_ECDSA0x16, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA */
3844 {0xC009,KEX_ECDHE_ECDSA0x16, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA */
3845 {0xC00A,KEX_ECDHE_ECDSA0x16, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA */
3846 {0xC00B,KEX_ECDH_RSA0x1b, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDH_RSA_WITH_NULL_SHA */
3847 {0xC00C,KEX_ECDH_RSA0x1b, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDH_RSA_WITH_RC4_128_SHA */
3848 {0xC00D,KEX_ECDH_RSA0x1b, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA */
3849 {0xC00E,KEX_ECDH_RSA0x1b, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_RSA_WITH_AES_128_CBC_SHA */
3850 {0xC00F,KEX_ECDH_RSA0x1b, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_RSA_WITH_AES_256_CBC_SHA */
3851 {0xC0FF,KEX_ECJPAKE0x24, ENC_AES0x35, DIG_NA0x45, MODE_CCM_8 }, /* TLS_ECJPAKE_WITH_AES_128_CCM_8 */
3852 {0xC010,KEX_ECDHE_RSA0x18, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDHE_RSA_WITH_NULL_SHA */
3853 {0xC011,KEX_ECDHE_RSA0x18, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDHE_RSA_WITH_RC4_128_SHA */
3854 {0xC012,KEX_ECDHE_RSA0x18, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA */
3855 {0xC013,KEX_ECDHE_RSA0x18, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA */
3856 {0xC014,KEX_ECDHE_RSA0x18, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA */
3857 {0xC015,KEX_ECDH_ANON0x19, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDH_anon_WITH_NULL_SHA */
3858 {0xC016,KEX_ECDH_ANON0x19, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDH_anon_WITH_RC4_128_SHA */
3859 {0xC017,KEX_ECDH_ANON0x19, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA */
3860 {0xC018,KEX_ECDH_ANON0x19, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_anon_WITH_AES_128_CBC_SHA */
3861 {0xC019,KEX_ECDH_ANON0x19, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_anon_WITH_AES_256_CBC_SHA */
3862 {0xC01A,KEX_SRP_SHA0x20, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA */
3863 {0xC01B,KEX_SRP_SHA_RSA0x22, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA */
3864 {0xC01C,KEX_SRP_SHA_DSS0x21, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA */
3865 {0xC01D,KEX_SRP_SHA0x20, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_WITH_AES_128_CBC_SHA */
3866 {0xC01E,KEX_SRP_SHA_RSA0x22, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA */
3867 {0xC01F,KEX_SRP_SHA_DSS0x21, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA */
3868 {0xC020,KEX_SRP_SHA0x20, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_WITH_AES_256_CBC_SHA */
3869 {0xC021,KEX_SRP_SHA_RSA0x22, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA */
3870 {0xC022,KEX_SRP_SHA_DSS0x21, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA */
3871 {0xC023,KEX_ECDHE_ECDSA0x16, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 */
3872 {0xC024,KEX_ECDHE_ECDSA0x16, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 */
3873 {0xC025,KEX_ECDH_ECDSA0x1a, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 */
3874 {0xC026,KEX_ECDH_ECDSA0x1a, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 */
3875 {0xC027,KEX_ECDHE_RSA0x18, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 */
3876 {0xC028,KEX_ECDHE_RSA0x18, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 */
3877 {0xC029,KEX_ECDH_RSA0x1b, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 */
3878 {0xC02A,KEX_ECDH_RSA0x1b, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 */
3879 {0xC02B,KEX_ECDHE_ECDSA0x16, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 */
3880 {0xC02C,KEX_ECDHE_ECDSA0x16, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 */
3881 {0xC02D,KEX_ECDH_ECDSA0x1a, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 */
3882 {0xC02E,KEX_ECDH_ECDSA0x1a, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 */
3883 {0xC02F,KEX_ECDHE_RSA0x18, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 */
3884 {0xC030,KEX_ECDHE_RSA0x18, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 */
3885 {0xC031,KEX_ECDH_RSA0x1b, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 */
3886 {0xC032,KEX_ECDH_RSA0x1b, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 */
3887 {0xC033,KEX_ECDHE_PSK0x17, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDHE_PSK_WITH_RC4_128_SHA */
3888 {0xC034,KEX_ECDHE_PSK0x17, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA */
3889 {0xC035,KEX_ECDHE_PSK0x17, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA */
3890 {0xC036,KEX_ECDHE_PSK0x17, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA */
3891 {0xC037,KEX_ECDHE_PSK0x17, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 */
3892 {0xC038,KEX_ECDHE_PSK0x17, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 */
3893 {0xC039,KEX_ECDHE_PSK0x17, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDHE_PSK_WITH_NULL_SHA */
3894 {0xC03A,KEX_ECDHE_PSK0x17, ENC_NULL0x3D, DIG_SHA2560x42, MODE_STREAM}, /* TLS_ECDHE_PSK_WITH_NULL_SHA256 */
3895 {0xC03B,KEX_ECDHE_PSK0x17, ENC_NULL0x3D, DIG_SHA3840x43, MODE_STREAM}, /* TLS_ECDHE_PSK_WITH_NULL_SHA384 */
3896 {0xC072,KEX_ECDHE_ECDSA0x16, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 */
3897 {0xC073,KEX_ECDHE_ECDSA0x16, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 */
3898 {0xC074,KEX_ECDH_ECDSA0x1a, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 */
3899 {0xC075,KEX_ECDH_ECDSA0x1a, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 */
3900 {0xC076,KEX_ECDHE_RSA0x18, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 */
3901 {0xC077,KEX_ECDHE_RSA0x18, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 */
3902 {0xC078,KEX_ECDH_RSA0x1b, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256 */
3903 {0xC079,KEX_ECDH_RSA0x1b, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384 */
3904 {0xC07A,KEX_RSA0x1e, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256 */
3905 {0xC07B,KEX_RSA0x1e, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384 */
3906 {0xC07C,KEX_DHE_RSA0x12, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 */
3907 {0xC07D,KEX_DHE_RSA0x12, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 */
3908 {0xC07E,KEX_DH_RSA0x15, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256 */
3909 {0xC07F,KEX_DH_RSA0x15, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384 */
3910 {0xC080,KEX_DHE_DSS0x10, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256 */
3911 {0xC081,KEX_DHE_DSS0x10, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384 */
3912 {0xC082,KEX_DH_DSS0x14, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256 */
3913 {0xC083,KEX_DH_DSS0x14, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384 */
3914 {0xC084,KEX_DH_ANON0x13, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256 */
3915 {0xC085,KEX_DH_ANON0x13, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384 */
3916 {0xC086,KEX_ECDHE_ECDSA0x16, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 */
3917 {0xC087,KEX_ECDHE_ECDSA0x16, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 */
3918 {0xC088,KEX_ECDH_ECDSA0x1a, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 */
3919 {0xC089,KEX_ECDH_ECDSA0x1a, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 */
3920 {0xC08A,KEX_ECDHE_RSA0x18, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 */
3921 {0xC08B,KEX_ECDHE_RSA0x18, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 */
3922 {0xC08C,KEX_ECDH_RSA0x1b, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256 */
3923 {0xC08D,KEX_ECDH_RSA0x1b, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384 */
3924 {0xC08E,KEX_PSK0x1d, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 */
3925 {0xC08F,KEX_PSK0x1d, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384 */
3926 {0xC090,KEX_DHE_PSK0x11, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256 */
3927 {0xC091,KEX_DHE_PSK0x11, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384 */
3928 {0xC092,KEX_RSA_PSK0x1f, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256 */
3929 {0xC093,KEX_RSA_PSK0x1f, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384 */
3930 {0xC094,KEX_PSK0x1d, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 */
3931 {0xC095,KEX_PSK0x1d, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384 */
3932 {0xC096,KEX_DHE_PSK0x11, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 */
3933 {0xC097,KEX_DHE_PSK0x11, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 */
3934 {0xC098,KEX_RSA_PSK0x1f, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256 */
3935 {0xC099,KEX_RSA_PSK0x1f, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384 */
3936 {0xC09A,KEX_ECDHE_PSK0x17, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 */
3937 {0xC09B,KEX_ECDHE_PSK0x17, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 */
3938 {0xC09C,KEX_RSA0x1e, ENC_AES0x35, DIG_NA0x45, MODE_CCM }, /* TLS_RSA_WITH_AES_128_CCM */
3939 {0xC09D,KEX_RSA0x1e, ENC_AES2560x36, DIG_NA0x45, MODE_CCM }, /* TLS_RSA_WITH_AES_256_CCM */
3940 {0xC09E,KEX_DHE_RSA0x12, ENC_AES0x35, DIG_NA0x45, MODE_CCM }, /* TLS_DHE_RSA_WITH_AES_128_CCM */
3941 {0xC09F,KEX_DHE_RSA0x12, ENC_AES2560x36, DIG_NA0x45, MODE_CCM }, /* TLS_DHE_RSA_WITH_AES_256_CCM */
3942 {0xC0A0,KEX_RSA0x1e, ENC_AES0x35, DIG_NA0x45, MODE_CCM_8 }, /* TLS_RSA_WITH_AES_128_CCM_8 */
3943 {0xC0A1,KEX_RSA0x1e, ENC_AES2560x36, DIG_NA0x45, MODE_CCM_8 }, /* TLS_RSA_WITH_AES_256_CCM_8 */
3944 {0xC0A2,KEX_DHE_RSA0x12, ENC_AES0x35, DIG_NA0x45, MODE_CCM_8 }, /* TLS_DHE_RSA_WITH_AES_128_CCM_8 */
3945 {0xC0A3,KEX_DHE_RSA0x12, ENC_AES2560x36, DIG_NA0x45, MODE_CCM_8 }, /* TLS_DHE_RSA_WITH_AES_256_CCM_8 */
3946 {0xC0A4,KEX_PSK0x1d, ENC_AES0x35, DIG_NA0x45, MODE_CCM }, /* TLS_PSK_WITH_AES_128_CCM */
3947 {0xC0A5,KEX_PSK0x1d, ENC_AES2560x36, DIG_NA0x45, MODE_CCM }, /* TLS_PSK_WITH_AES_256_CCM */
3948 {0xC0A6,KEX_DHE_PSK0x11, ENC_AES0x35, DIG_NA0x45, MODE_CCM }, /* TLS_DHE_PSK_WITH_AES_128_CCM */
3949 {0xC0A7,KEX_DHE_PSK0x11, ENC_AES2560x36, DIG_NA0x45, MODE_CCM }, /* TLS_DHE_PSK_WITH_AES_256_CCM */
3950 {0xC0A8,KEX_PSK0x1d, ENC_AES0x35, DIG_NA0x45, MODE_CCM_8 }, /* TLS_PSK_WITH_AES_128_CCM_8 */
3951 {0xC0A9,KEX_PSK0x1d, ENC_AES2560x36, DIG_NA0x45, MODE_CCM_8 }, /* TLS_PSK_WITH_AES_256_CCM_8 */
3952 {0xC0AA,KEX_DHE_PSK0x11, ENC_AES0x35, DIG_NA0x45, MODE_CCM_8 }, /* TLS_PSK_DHE_WITH_AES_128_CCM_8 */
3953 {0xC0AB,KEX_DHE_PSK0x11, ENC_AES2560x36, DIG_NA0x45, MODE_CCM_8 }, /* TLS_PSK_DHE_WITH_AES_256_CCM_8 */
3954 {0xC0AC,KEX_ECDHE_ECDSA0x16, ENC_AES0x35, DIG_NA0x45, MODE_CCM }, /* TLS_ECDHE_ECDSA_WITH_AES_128_CCM */
3955 {0xC0AD,KEX_ECDHE_ECDSA0x16, ENC_AES2560x36, DIG_NA0x45, MODE_CCM }, /* TLS_ECDHE_ECDSA_WITH_AES_256_CCM */
3956 {0xC0AE,KEX_ECDHE_ECDSA0x16, ENC_AES0x35, DIG_NA0x45, MODE_CCM_8 }, /* TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 */
3957 {0xC0AF,KEX_ECDHE_ECDSA0x16, ENC_AES2560x36, DIG_NA0x45, MODE_CCM_8 }, /* TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 */
3958 {0xCCA8,KEX_ECDHE_RSA0x18, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 */
3959 {0xCCA9,KEX_ECDHE_ECDSA0x16, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 */
3960 {0xCCAA,KEX_DHE_RSA0x12, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 */
3961 {0xCCAB,KEX_PSK0x1d, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_PSK_WITH_CHACHA20_POLY1305_SHA256 */
3962 {0xCCAC,KEX_ECDHE_PSK0x17, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 */
3963 {0xCCAD,KEX_DHE_PSK0x11, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 */
3964 {0xCCAE,KEX_RSA_PSK0x1f, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256 */
3965 {0xD001,KEX_ECDHE_PSK0x17, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM}, /* TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 */
3966 {0xD002,KEX_ECDHE_PSK0x17, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM}, /* TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384 */
3967 {0xD003,KEX_ECDHE_PSK0x17, ENC_AES0x35, DIG_SHA2560x42, MODE_CCM_8}, /* TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256 */
3968 {0xD005,KEX_ECDHE_PSK0x17, ENC_AES0x35, DIG_SHA2560x42, MODE_CCM}, /* TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256 */
3969 /* GM */
3970 {0xe001,KEX_ECDHE_SM20x25, ENC_SM10x3B, DIG_SM30x44, MODE_CBC}, /* ECDHE_SM1_SM3 */
3971 {0xe003,KEX_ECC_SM20x26, ENC_SM10x3B, DIG_SM30x44, MODE_CBC}, /* ECC_SM1_SM3 */
3972 {0xe005,KEX_IBSDH_SM90x27, ENC_SM10x3B, DIG_SM30x44, MODE_CBC}, /* IBSDH_SM1_SM3 */
3973 {0xe007,KEX_IBC_SM90x28, ENC_SM10x3B, DIG_SM30x44, MODE_CBC}, /* IBC_SM1_SM3 */
3974 {0xe009,KEX_RSA0x1e, ENC_SM10x3B, DIG_SM30x44, MODE_CBC}, /* RSA_SM1_SM3 */
3975 {0xe00a,KEX_RSA0x1e, ENC_SM10x3B, DIG_SHA0x41, MODE_CBC}, /* RSA_SM1_SHA1 */
3976 {0xe011,KEX_ECDHE_SM20x25, ENC_SM40x3C, DIG_SM30x44, MODE_CBC}, /* ECDHE_SM4_CBC_SM3 */
3977 {0xe013,KEX_ECC_SM20x26, ENC_SM40x3C, DIG_SM30x44, MODE_CBC}, /* ECC_SM4_CBC_SM3 */
3978 {0xe015,KEX_IBSDH_SM90x27, ENC_SM40x3C, DIG_SM30x44, MODE_CBC}, /* IBSDH_SM4_CBC_SM3 */
3979 {0xe017,KEX_IBC_SM90x28, ENC_SM40x3C, DIG_SM30x44, MODE_CBC}, /* IBC_SM4_CBC_SM3 */
3980 {0xe019,KEX_RSA0x1e, ENC_SM40x3C, DIG_SM30x44, MODE_CBC}, /* RSA_SM4_CBC_SM3 */
3981 {0xe01a,KEX_RSA0x1e, ENC_SM40x3C, DIG_SHA0x41, MODE_CBC}, /* RSA_SM4_CBC_SHA1 */
3982 {0xe01c,KEX_RSA0x1e, ENC_SM40x3C, DIG_SHA2560x42, MODE_CBC}, /* RSA_SM4_CBC_SHA256 */
3983 {0xe051,KEX_ECDHE_SM20x25, ENC_SM40x3C, DIG_SM30x44, MODE_GCM}, /* ECDHE_SM4_GCM_SM3 */
3984 {0xe053,KEX_ECC_SM20x26, ENC_SM40x3C, DIG_SM30x44, MODE_GCM}, /* ECC_SM4_GCM_SM3 */
3985 {0xe055,KEX_IBSDH_SM90x27, ENC_SM40x3C, DIG_SM30x44, MODE_GCM}, /* IBSDH_SM4_GCM_SM3 */
3986 {0xe057,KEX_IBC_SM90x28, ENC_SM40x3C, DIG_SM30x44, MODE_GCM}, /* IBC_SM4_GCM_SM3 */
3987 {0xe059,KEX_RSA0x1e, ENC_SM40x3C, DIG_SM30x44, MODE_GCM}, /* RSA_SM4_GCM_SM3 */
3988 {0xe05a,KEX_RSA0x1e, ENC_SM40x3C, DIG_SHA2560x42, MODE_GCM}, /* RSA_SM4_GCM_SHA256 */
3989 {-1, 0, 0, 0, MODE_STREAM}
3990};
3991
3992#define MAX_BLOCK_SIZE16 16
3993#define MAX_KEY_SIZE32 32
3994
3995const SslCipherSuite *
3996ssl_find_cipher(int num)
3997{
3998 const SslCipherSuite *c;
3999 for(c=cipher_suites;c->number!=-1;c++){
4000 if(c->number==num){
4001 return c;
4002 }
4003 }
4004
4005 return NULL((void*)0);
4006}
4007
4008int
4009ssl_get_cipher_algo(const SslCipherSuite *cipher_suite)
4010{
4011 return gcry_cipher_map_name(ciphers[cipher_suite->enc - ENC_START0x30]);
4012}
4013
4014unsigned
4015ssl_get_cipher_blocksize(const SslCipherSuite *cipher_suite)
4016{
4017 int cipher_algo;
4018 if (cipher_suite->mode != MODE_CBC) return 0;
4019 cipher_algo = ssl_get_cipher_by_name(ciphers[cipher_suite->enc - ENC_START0x30]);
4020 return (unsigned)gcry_cipher_get_algo_blklen(cipher_algo);
4021}
4022
4023static unsigned
4024ssl_get_cipher_export_keymat_size(int cipher_suite_num)
4025{
4026 switch (cipher_suite_num) {
4027 /* See RFC 6101 (SSL 3.0), Table 2, column Key Material. */
4028 case 0x0003: /* TLS_RSA_EXPORT_WITH_RC4_40_MD5 */
4029 case 0x0006: /* TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 */
4030 case 0x0008: /* TLS_RSA_EXPORT_WITH_DES40_CBC_SHA */
4031 case 0x000B: /* TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA */
4032 case 0x000E: /* TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA */
4033 case 0x0011: /* TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA */
4034 case 0x0014: /* TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA */
4035 case 0x0017: /* TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 */
4036 case 0x0019: /* TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA */
4037 return 5;
4038
4039 /* not defined in below draft, but "implemented by several vendors",
4040 * https://www.ietf.org/mail-archive/web/tls/current/msg00036.html */
4041 case 0x0060: /* TLS_RSA_EXPORT1024_WITH_RC4_56_MD5 */
4042 case 0x0061: /* TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 */
4043 return 7;
4044
4045 /* Note: the draft states that DES_CBC needs 8 bytes, but Wireshark always
4046 * used 7. Until a pcap proves 8, let's use the old value. Link:
4047 * https://tools.ietf.org/html/draft-ietf-tls-56-bit-ciphersuites-01 */
4048 case 0x0062: /* TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA */
4049 case 0x0063: /* TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA */
4050 case 0x0064: /* TLS_RSA_EXPORT1024_WITH_RC4_56_SHA */
4051 case 0x0065: /* TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA */
4052 return 7;
4053
4054 default:
4055 return 0;
4056 }
4057}
4058
4059/* Digests, Ciphers and Cipher Suites registry }}} */
4060
4061
4062/* HMAC and the Pseudorandom function {{{ */
4063static int
4064tls_hash(StringInfo *secret, StringInfo *seed, int md,
4065 StringInfo *out, unsigned out_len)
4066{
4067 /* RFC 2246 5. HMAC and the pseudorandom function
4068 * '+' denotes concatenation.
4069 * P_hash(secret, seed) = HMAC_hash(secret, A(1) + seed) +
4070 * HMAC_hash(secret, A(2) + seed) + ...
4071 * A(0) = seed
4072 * A(i) = HMAC_hash(secret, A(i - 1))
4073 */
4074 uint8_t *ptr;
4075 unsigned left, tocpy;
4076 uint8_t *A;
4077 uint8_t _A[DIGEST_MAX_SIZE48], tmp[DIGEST_MAX_SIZE48];
4078 unsigned A_l, tmp_l;
4079 SSL_HMACgcry_md_hd_t hm;
4080
4081 ptr = out->data;
4082 left = out_len;
4083
4084 ssl_print_string("tls_hash: hash secret", secret);
4085 ssl_print_string("tls_hash: hash seed", seed);
4086 /* A(0) = seed */
4087 A = seed->data;
4088 A_l = seed->data_len;
4089
4090 if (ssl_hmac_init(&hm, md) != 0) {
4091 return -1;
4092 }
4093 while (left) {
4094 /* A(i) = HMAC_hash(secret, A(i-1)) */
4095 ssl_hmac_setkey(&hm, secret->data, secret->data_len);
4096 ssl_hmac_update(&hm, A, A_l);
4097 A_l = sizeof(_A); /* upper bound len for hash output */
4098 ssl_hmac_final(&hm, _A, &A_l);
4099 A = _A;
4100
4101 /* HMAC_hash(secret, A(i) + seed) */
4102 ssl_hmac_reset(&hm);
4103 ssl_hmac_setkey(&hm, secret->data, secret->data_len);
4104 ssl_hmac_update(&hm, A, A_l);
4105 ssl_hmac_update(&hm, seed->data, seed->data_len);
4106 tmp_l = sizeof(tmp); /* upper bound len for hash output */
4107 ssl_hmac_final(&hm, tmp, &tmp_l);
4108 ssl_hmac_reset(&hm);
4109
4110 /* ssl_hmac_final puts the actual digest output size in tmp_l */
4111 tocpy = MIN(left, tmp_l)(((left) < (tmp_l)) ? (left) : (tmp_l));
4112 memcpy(ptr, tmp, tocpy);
4113 ptr += tocpy;
4114 left -= tocpy;
4115 }
4116 ssl_hmac_cleanup(&hm);
4117 out->data_len = out_len;
4118
4119 ssl_print_string("hash out", out);
4120 return 0;
4121}
4122
4123static bool_Bool
4124tls_prf(StringInfo* secret, const char *usage,
4125 StringInfo* rnd1, StringInfo* rnd2, StringInfo* out, unsigned out_len)
4126{
4127 StringInfo seed, sha_out, md5_out;
4128 uint8_t *ptr;
4129 StringInfo s1, s2;
4130 unsigned i,s_l;
4131 size_t usage_len, rnd2_len;
4132 bool_Bool success = false0;
4133 usage_len = strlen(usage);
4134 rnd2_len = rnd2 ? rnd2->data_len : 0;
4135
4136 /* initialize buffer for sha, md5 random seed*/
4137 if (ssl_data_alloc(&sha_out, MAX(out_len, 20)(((out_len) > (20)) ? (out_len) : (20))) < 0) {
4138 ssl_debug_printf("tls_prf: can't allocate sha out\n");
4139 return false0;
4140 }
4141 if (ssl_data_alloc(&md5_out, MAX(out_len, 16)(((out_len) > (16)) ? (out_len) : (16))) < 0) {
4142 ssl_debug_printf("tls_prf: can't allocate md5 out\n");
4143 goto free_sha;
4144 }
4145 if (ssl_data_alloc(&seed, usage_len+rnd1->data_len+rnd2_len) < 0) {
4146 ssl_debug_printf("tls_prf: can't allocate rnd %d\n",
4147 (int) (usage_len+rnd1->data_len+rnd2_len));
4148 goto free_md5;
4149 }
4150
4151 ptr=seed.data;
4152 memcpy(ptr,usage,usage_len);
4153 ptr+=usage_len;
4154 memcpy(ptr,rnd1->data,rnd1->data_len);
4155 if (rnd2_len > 0) {
4156 ptr+=rnd1->data_len;
4157 memcpy(ptr,rnd2->data,rnd2->data_len);
4158 /*ptr+=rnd2->data_len;*/
4159 }
4160
4161 /* initialize buffer for client/server seeds*/
4162 s_l=secret->data_len/2 + secret->data_len%2;
4163 if (ssl_data_alloc(&s1, s_l) < 0) {
4164 ssl_debug_printf("tls_prf: can't allocate secret %d\n", s_l);
4165 goto free_seed;
4166 }
4167 if (ssl_data_alloc(&s2, s_l) < 0) {
4168 ssl_debug_printf("tls_prf: can't allocate secret(2) %d\n", s_l);
4169 goto free_s1;
4170 }
4171
4172 memcpy(s1.data,secret->data,s_l);
4173 memcpy(s2.data,secret->data + (secret->data_len - s_l),s_l);
4174
4175 ssl_debug_printf("tls_prf: tls_hash(md5 secret_len %d seed_len %d )\n", s1.data_len, seed.data_len);
4176 if(tls_hash(&s1, &seed, ssl_get_digest_by_name("MD5"), &md5_out, out_len) != 0)
4177 goto free_s2;
4178 ssl_debug_printf("tls_prf: tls_hash(sha)\n");
4179 if(tls_hash(&s2, &seed, ssl_get_digest_by_name("SHA1"), &sha_out, out_len) != 0)
4180 goto free_s2;
4181
4182 for (i = 0; i < out_len; i++)
4183 out->data[i] = md5_out.data[i] ^ sha_out.data[i];
4184 /* success, now store the new meaningful data length */
4185 out->data_len = out_len;
4186 success = true1;
4187
4188 ssl_print_string("PRF out",out);
4189free_s2:
4190 g_free(s2.data);
4191free_s1:
4192 g_free(s1.data);
4193free_seed:
4194 g_free(seed.data);
4195free_md5:
4196 g_free(md5_out.data);
4197free_sha:
4198 g_free(sha_out.data);
4199 return success;
4200}
4201
4202static bool_Bool
4203tls12_prf(int md, StringInfo* secret, const char* usage,
4204 StringInfo* rnd1, StringInfo* rnd2, StringInfo* out, unsigned out_len)
4205{
4206 StringInfo label_seed;
4207 int success;
4208 size_t usage_len, rnd2_len;
4209 rnd2_len = rnd2 ? rnd2->data_len : 0;
4210
4211 usage_len = strlen(usage);
4212 if (ssl_data_alloc(&label_seed, usage_len+rnd1->data_len+rnd2_len) < 0) {
4213 ssl_debug_printf("tls12_prf: can't allocate label_seed\n");
4214 return false0;
4215 }
4216 memcpy(label_seed.data, usage, usage_len);
4217 memcpy(label_seed.data+usage_len, rnd1->data, rnd1->data_len);
4218 if (rnd2_len > 0)
4219 memcpy(label_seed.data+usage_len+rnd1->data_len, rnd2->data, rnd2->data_len);
4220
4221 ssl_debug_printf("tls12_prf: tls_hash(hash_alg %s secret_len %d seed_len %d )\n", gcry_md_algo_name(md), secret->data_len, label_seed.data_len);
4222 success = tls_hash(secret, &label_seed, md, out, out_len);
4223 g_free(label_seed.data);
4224 if(success != -1){
4225 ssl_print_string("PRF out", out);
4226 return true1;
4227 }
4228 return false0;
4229}
4230
4231static bool_Bool
4232ssl3_generate_export_iv(StringInfo *r1, StringInfo *r2,
4233 StringInfo *out, unsigned out_len)
4234{
4235 SSL_MD5_CTXgcry_md_hd_t md5;
4236 uint8_t tmp[16];
4237
4238 if (ssl_md5_init(&md5) != 0) {
4239 return false0;
4240 }
4241 ssl_md5_update(&md5,r1->data,r1->data_len);
4242 ssl_md5_update(&md5,r2->data,r2->data_len);
4243 ssl_md5_final(tmp,&md5);
4244 ssl_md5_cleanup(&md5);
4245
4246 DISSECTOR_ASSERT(out_len <= sizeof(tmp))((void) ((out_len <= sizeof(tmp)) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 4246, "out_len <= sizeof(tmp)"))));
4247 ssl_data_set(out, tmp, out_len);
4248 ssl_print_string("export iv", out);
4249 return true1;
4250}
4251
4252static bool_Bool
4253ssl3_prf(StringInfo* secret, const char* usage,
4254 StringInfo* rnd1, StringInfo* rnd2, StringInfo* out, unsigned out_len)
4255{
4256 SSL_MD5_CTXgcry_md_hd_t md5;
4257 SSL_SHA_CTXgcry_md_hd_t sha;
4258 unsigned off;
4259 int i = 0,j;
4260 uint8_t buf[20];
4261
4262 if (ssl_sha_init(&sha) != 0) {
4263 return false0;
4264 }
4265 if (ssl_md5_init(&md5) != 0) {
4266 ssl_sha_cleanup(&sha);
4267 return false0;
4268 }
4269 for (off = 0; off < out_len; off += 16) {
4270 unsigned char outbuf[16];
4271 i++;
4272
4273 ssl_debug_printf("ssl3_prf: sha1_hash(%d)\n",i);
4274 /* A, BB, CCC, ... */
4275 for(j=0;j<i;j++){
4276 buf[j]=64+i;
4277 }
4278
4279 ssl_sha_update(&sha,buf,i);
4280 ssl_sha_update(&sha,secret->data,secret->data_len);
4281
4282 if(!strcmp(usage,"client write key") || !strcmp(usage,"server write key")){
4283 if (rnd2)
4284 ssl_sha_update(&sha,rnd2->data,rnd2->data_len);
4285 ssl_sha_update(&sha,rnd1->data,rnd1->data_len);
4286 }
4287 else{
4288 ssl_sha_update(&sha,rnd1->data,rnd1->data_len);
4289 if (rnd2)
4290 ssl_sha_update(&sha,rnd2->data,rnd2->data_len);
4291 }
4292
4293 ssl_sha_final(buf,&sha);
4294 ssl_sha_reset(&sha);
4295
4296 ssl_debug_printf("ssl3_prf: md5_hash(%d) datalen %d\n",i,
4297 secret->data_len);
4298 ssl_md5_update(&md5,secret->data,secret->data_len);
4299 ssl_md5_update(&md5,buf,20);
4300 ssl_md5_final(outbuf,&md5);
4301 ssl_md5_reset(&md5);
4302
4303 memcpy(out->data + off, outbuf, MIN(out_len - off, 16)(((out_len - off) < (16)) ? (out_len - off) : (16)));
4304 }
4305 ssl_sha_cleanup(&sha);
4306 ssl_md5_cleanup(&md5);
4307 out->data_len = out_len;
4308
4309 return true1;
4310}
4311
4312/* out_len is the wanted output length for the pseudorandom function.
4313 * Ensure that ssl->cipher_suite is set. */
4314static bool_Bool
4315prf(SslDecryptSession *ssl, StringInfo *secret, const char *usage,
4316 StringInfo *rnd1, StringInfo *rnd2, StringInfo *out, unsigned out_len)
4317{
4318 switch (ssl->session.version) {
4319 case SSLV3_VERSION0x300:
4320 return ssl3_prf(secret, usage, rnd1, rnd2, out, out_len);
4321
4322 case TLSV1_VERSION0x301:
4323 case TLSV1DOT1_VERSION0x302:
4324 case DTLSV1DOT0_VERSION0xfeff:
4325 case DTLSV1DOT0_OPENSSL_VERSION0x100:
4326 return tls_prf(secret, usage, rnd1, rnd2, out, out_len);
4327
4328 default: /* TLSv1.2 */
4329 switch (ssl->cipher_suite->dig) {
4330 case DIG_SM30x44:
4331#if GCRYPT_VERSION_NUMBER0x010a03 >= 0x010900
4332 return tls12_prf(GCRY_MD_SM3, secret, usage, rnd1, rnd2,
4333 out, out_len);
4334#else
4335 return false0;
4336#endif
4337 case DIG_SHA3840x43:
4338 return tls12_prf(GCRY_MD_SHA384, secret, usage, rnd1, rnd2,
4339 out, out_len);
4340 default:
4341 return tls12_prf(GCRY_MD_SHA256, secret, usage, rnd1, rnd2,
4342 out, out_len);
4343 }
4344 }
4345}
4346
4347static int tls_handshake_hash(SslDecryptSession* ssl, StringInfo* out)
4348{
4349 SSL_MD5_CTXgcry_md_hd_t md5;
4350 SSL_SHA_CTXgcry_md_hd_t sha;
4351
4352 if (ssl_data_alloc(out, 36) < 0)
21
Calling 'ssl_data_alloc'
25
Returned allocated memory
26
Taking false branch
4353 return -1;
4354
4355 if (ssl_md5_init(&md5) != 0)
27
Taking true branch
4356 return -1;
4357 ssl_md5_update(&md5,ssl->handshake_data.data,ssl->handshake_data.data_len);
4358 ssl_md5_final(out->data,&md5);
4359 ssl_md5_cleanup(&md5);
4360
4361 if (ssl_sha_init(&sha) != 0)
4362 return -1;
4363 ssl_sha_update(&sha,ssl->handshake_data.data,ssl->handshake_data.data_len);
4364 ssl_sha_final(out->data+16,&sha);
4365 ssl_sha_cleanup(&sha);
4366 return 0;
4367}
4368
4369static int tls12_handshake_hash(SslDecryptSession* ssl, int md, StringInfo* out)
4370{
4371 SSL_MDgcry_md_hd_t mc;
4372 uint8_t tmp[48];
4373 unsigned len;
4374
4375 if (ssl_md_init(&mc, md) != 0)
4376 return -1;
4377 ssl_md_update(&mc,ssl->handshake_data.data,ssl->handshake_data.data_len);
4378 ssl_md_final(&mc, tmp, &len);
4379 ssl_md_cleanup(&mc);
4380
4381 if (ssl_data_alloc(out, len) < 0)
4382 return -1;
4383 memcpy(out->data, tmp, len);
4384 return 0;
4385}
4386
4387/**
4388 * Obtains the label prefix used in HKDF-Expand-Label. This function can be
4389 * inlined and removed once support for draft 19 and before is dropped.
4390 */
4391static inline const char *
4392tls13_hkdf_label_prefix(SslDecryptSession *ssl_session)
4393{
4394 if (ssl_session->session.tls13_draft_version && ssl_session->session.tls13_draft_version < 20) {
4395 return "TLS 1.3, ";
4396 } else if (ssl_session->session.version == DTLSV1DOT3_VERSION0xfefc) {
4397 return "dtls13";
4398 } else {
4399 return "tls13 ";
4400 }
4401}
4402
4403/*
4404 * Computes HKDF-Expand-Label(Secret, Label, Hash(context_value), Length) with a
4405 * custom label prefix. If "context_hash" is NULL, then an empty context is
4406 * used. Otherwise it must have the same length as the hash algorithm output.
4407 */
4408bool_Bool
4409tls13_hkdf_expand_label_context(int md, const StringInfo *secret,
4410 const char *label_prefix, const char *label,
4411 const uint8_t *context_hash, uint8_t context_length,
4412 uint16_t out_len, unsigned char **out)
4413{
4414 /* RFC 8446 Section 7.1:
4415 * HKDF-Expand-Label(Secret, Label, Context, Length) =
4416 * HKDF-Expand(Secret, HkdfLabel, Length)
4417 * struct {
4418 * uint16 length = Length;
4419 * opaque label<7..255> = "tls13 " + Label; // "tls13 " is label prefix.
4420 * opaque context<0..255> = Context;
4421 * } HkdfLabel;
4422 *
4423 * RFC 5869 HMAC-based Extract-and-Expand Key Derivation Function (HKDF):
4424 * HKDF-Expand(PRK, info, L) -> OKM
4425 */
4426 gcry_error_t err;
4427 const unsigned label_prefix_length = (unsigned) strlen(label_prefix);
4428 const unsigned label_length = (unsigned) strlen(label);
4429
4430 /* Some sanity checks */
4431 DISSECTOR_ASSERT(label_length > 0 && label_prefix_length + label_length <= 255)((void) ((label_length > 0 && label_prefix_length +
label_length <= 255) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 4431, "label_length > 0 && label_prefix_length + label_length <= 255"
))));
4432
4433 /* info = HkdfLabel { length, label, context } */
4434 GByteArray *info = g_byte_array_new();
4435 const uint16_t length = g_htons(out_len)(((((guint16) ( (guint16) ((guint16) (out_len) >> 8) | (
guint16) ((guint16) (out_len) << 8))))));
4436 g_byte_array_append(info, (const uint8_t *)&length, sizeof(length));
4437
4438 const uint8_t label_vector_length = label_prefix_length + label_length;
4439 g_byte_array_append(info, &label_vector_length, 1);
4440 g_byte_array_append(info, (const uint8_t *)label_prefix, label_prefix_length);
4441 g_byte_array_append(info, (const uint8_t*)label, label_length);
4442
4443 g_byte_array_append(info, &context_length, 1);
4444 if (context_length) {
4445 g_byte_array_append(info, context_hash, context_length);
4446 }
4447
4448 *out = (unsigned char *)wmem_alloc(NULL((void*)0), out_len);
4449 err = hkdf_expand(md, secret->data, secret->data_len, info->data, info->len, *out, out_len);
4450 g_byte_array_free(info, true1);
4451
4452 if (err) {
4453 ssl_debug_printf("%s failed %d: %s\n", G_STRFUNC((const char*) (__func__)), md, gcry_strerror(err));
4454 wmem_free(NULL((void*)0), *out);
4455 *out = NULL((void*)0);
4456 return false0;
4457 }
4458
4459 return true1;
4460}
4461
4462bool_Bool
4463tls13_hkdf_expand_label(int md, const StringInfo *secret,
4464 const char *label_prefix, const char *label,
4465 uint16_t out_len, unsigned char **out)
4466{
4467 return tls13_hkdf_expand_label_context(md, secret, label_prefix, label, NULL((void*)0), 0, out_len, out);
4468}
4469/* HMAC and the Pseudorandom function }}} */
4470
4471/* Record Decompression (after decryption) {{{ */
4472#ifdef USE_ZLIB_OR_ZLIBNG
4473/* memory allocation functions for zlib initialization */
4474static void* ssl_zalloc(void* opaque _U___attribute__((unused)), unsigned int no, unsigned int size)
4475{
4476 return g_malloc0(no*size);
4477}
4478static void ssl_zfree(void* opaque _U___attribute__((unused)), void* addr)
4479{
4480 g_free(addr);
4481}
4482#endif /* USE_ZLIB_OR_ZLIBNG */
4483
4484static SslDecompress*
4485ssl_create_decompressor(int compression)
4486{
4487 SslDecompress *decomp;
4488#ifdef USE_ZLIB_OR_ZLIBNG
4489 int err;
4490#endif
4491
4492 if (compression == 0) return NULL((void*)0);
4493 ssl_debug_printf("ssl_create_decompressor: compression method %d\n", compression);
4494 decomp = wmem_new(wmem_file_scope(), SslDecompress)((SslDecompress*)wmem_alloc((wmem_file_scope()), sizeof(SslDecompress
)));
4495 decomp->compression = compression;
4496 switch (decomp->compression) {
4497#ifdef USE_ZLIB_OR_ZLIBNG
4498 case 1: /* DEFLATE */
4499 decomp->istream.zalloc = ssl_zalloc;
4500 decomp->istream.zfree = ssl_zfree;
4501 decomp->istream.opaque = Z_NULL0;
4502 decomp->istream.next_in = Z_NULL0;
4503 decomp->istream.next_out = Z_NULL0;
4504 decomp->istream.avail_in = 0;
4505 decomp->istream.avail_out = 0;
4506 err = ZLIB_PREFIX(inflateInit)(&decomp->istream)inflateInit_((&decomp->istream), "1.3", (int)sizeof(z_stream
));
4507 if (err != Z_OK0) {
4508 ssl_debug_printf("ssl_create_decompressor: inflateInit_() failed - %d\n", err);
4509 return NULL((void*)0);
4510 }
4511 break;
4512#endif /* USE_ZLIB_OR_ZLIBNG */
4513 default:
4514 ssl_debug_printf("ssl_create_decompressor: unsupported compression method %d\n", decomp->compression);
4515 return NULL((void*)0);
4516 }
4517 return decomp;
4518}
4519
4520#ifdef USE_ZLIB_OR_ZLIBNG
4521static int
4522ssl_decompress_record(SslDecompress* decomp, const unsigned char* in, unsigned inl, StringInfo* out_str, unsigned* outl)
4523{
4524 int err;
4525
4526 switch (decomp->compression) {
4527 case 1: /* DEFLATE */
4528 err = Z_OK0;
4529 if (out_str->data_len < 16384) { /* maximal plain length */
4530 ssl_data_realloc(out_str, 16384);
4531 }
4532#ifdef z_constconst
4533 decomp->istream.next_in = in;
4534#else
4535DIAG_OFF(cast-qual)clang diagnostic push clang diagnostic ignored "-Wcast-qual"
4536 decomp->istream.next_in = (Bytef *)in;
4537DIAG_ON(cast-qual)clang diagnostic pop
4538#endif
4539 decomp->istream.avail_in = inl;
4540 decomp->istream.next_out = out_str->data;
4541 decomp->istream.avail_out = out_str->data_len;
4542 if (inl > 0)
4543 err = ZLIB_PREFIX(inflate)inflate(&decomp->istream, Z_SYNC_FLUSH2);
4544 if (err != Z_OK0) {
4545 ssl_debug_printf("ssl_decompress_record: inflate() failed - %d\n", err);
4546 return -1;
4547 }
4548 *outl = out_str->data_len - decomp->istream.avail_out;
4549 break;
4550 default:
4551 ssl_debug_printf("ssl_decompress_record: unsupported compression method %d\n", decomp->compression);
4552 return -1;
4553 }
4554 return 0;
4555}
4556#else /* USE_ZLIB_OR_ZLIBNG */
4557int
4558ssl_decompress_record(SslDecompress* decomp _U___attribute__((unused)), const unsigned char* in _U___attribute__((unused)), unsigned inl _U___attribute__((unused)), StringInfo* out_str _U___attribute__((unused)), unsigned* outl _U___attribute__((unused)))
4559{
4560 ssl_debug_printf("ssl_decompress_record: unsupported compression method %d\n", decomp->compression);
4561 return -1;
4562}
4563#endif /* USE_ZLIB_OR_ZLIBNG */
4564/* Record Decompression (after decryption) }}} */
4565
4566/* Create a new structure to store decrypted chunks. {{{ */
4567static SslFlow*
4568ssl_create_flow(void)
4569{
4570 SslFlow *flow;
4571
4572 flow = wmem_new(wmem_file_scope(), SslFlow)((SslFlow*)wmem_alloc((wmem_file_scope()), sizeof(SslFlow)));
4573 flow->byte_seq = 0;
4574 flow->flags = 0;
4575 flow->multisegment_pdus = wmem_tree_new(wmem_file_scope());
4576 return flow;
4577}
4578/* }}} */
4579
4580/* Use the negotiated security parameters for decryption. {{{ */
4581void
4582ssl_change_cipher(SslDecryptSession *ssl_session, bool_Bool server)
4583{
4584 SslDecoder **new_decoder = server ? &ssl_session->server_new : &ssl_session->client_new;
4585 SslDecoder **dest = server ? &ssl_session->server : &ssl_session->client;
4586 ssl_debug_printf("ssl_change_cipher %s%s\n", server ? "SERVER" : "CLIENT",
4587 *new_decoder ? "" : " (No decoder found - retransmission?)");
4588 if (*new_decoder) {
4589 *dest = *new_decoder;
4590 *new_decoder = NULL((void*)0);
4591 }
4592}
4593/* }}} */
4594
4595/* Init cipher state given some security parameters. {{{ */
4596static bool_Bool
4597ssl_decoder_destroy_cb(wmem_allocator_t *, wmem_cb_event_t, void *);
4598
4599static SslDecoder*
4600ssl_create_decoder(const SslCipherSuite *cipher_suite, int cipher_algo,
4601 int compression, uint8_t *mk, uint8_t *sk, uint8_t *sn_key, uint8_t *iv, unsigned iv_length)
4602{
4603 SslDecoder *dec;
4604 ssl_cipher_mode_t mode = cipher_suite->mode;
4605
4606 dec = wmem_new0(wmem_file_scope(), SslDecoder)((SslDecoder*)wmem_alloc0((wmem_file_scope()), sizeof(SslDecoder
)));
4607 /* init mac buffer: mac storage is embedded into decoder struct to save a
4608 memory allocation and waste samo more memory*/
4609 dec->cipher_suite=cipher_suite;
4610 dec->compression = compression;
4611 if ((mode == MODE_STREAM && mk != NULL((void*)0)) || mode == MODE_CBC) {
4612 // AEAD ciphers use no MAC key, but stream and block ciphers do. Note
4613 // the special case for NULL ciphers, even if there is insufficiency
4614 // keying material (including MAC key), we will can still create
4615 // decoders since "decryption" is easy for such ciphers.
4616 dec->mac_key.data = dec->_mac_key_or_write_iv;
4617 ssl_data_set(&dec->mac_key, mk, ssl_cipher_suite_dig(cipher_suite)->len);
4618 } else if (mode == MODE_GCM || mode == MODE_CCM || mode == MODE_CCM_8 || mode == MODE_POLY1305) {
4619 // Input for the nonce, to be used with AEAD ciphers.
4620 DISSECTOR_ASSERT(iv_length <= sizeof(dec->_mac_key_or_write_iv))((void) ((iv_length <= sizeof(dec->_mac_key_or_write_iv
)) ? (void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\""
, "epan/dissectors/packet-tls-utils.c", 4620, "iv_length <= sizeof(dec->_mac_key_or_write_iv)"
))));
4621 dec->write_iv.data = dec->_mac_key_or_write_iv;
4622 ssl_data_set(&dec->write_iv, iv, iv_length);
4623 }
4624 dec->seq = 0;
4625 dec->decomp = ssl_create_decompressor(compression);
4626 wmem_register_callback(wmem_file_scope(), ssl_decoder_destroy_cb, dec);
4627
4628 if (ssl_cipher_init(&dec->evp,cipher_algo,sk,iv,cipher_suite->mode) < 0) {
4629 ssl_debug_printf("%s: can't create cipher id:%d mode:%d\n", G_STRFUNC((const char*) (__func__)),
4630 cipher_algo, cipher_suite->mode);
4631 return NULL((void*)0);
4632 }
4633
4634 if (cipher_suite->enc != ENC_NULL0x3D && sn_key != NULL((void*)0)) {
4635 if (cipher_suite->enc == ENC_AES0x35 || cipher_suite->enc == ENC_AES2560x36) {
4636 mode = MODE_ECB;
4637 } else if (cipher_suite->enc == ENC_CHACHA200x3A) {
4638 mode = MODE_STREAM;
4639 } else {
4640 ssl_debug_printf("not supported encryption algorithm for DTLSv1.3\n");
4641 return NULL((void*)0);
4642 }
4643
4644 if (ssl_cipher_init(&dec->sn_evp, cipher_algo, sn_key, NULL((void*)0), mode) < 0) {
4645 ssl_debug_printf("%s: can't create cipher id:%d mode:%d for seq number decryption\n", G_STRFUNC((const char*) (__func__)),
4646 cipher_algo, MODE_ECB);
4647 ssl_cipher_cleanup(&dec->evp);
4648 dec->evp = NULL((void*)0);
4649 return NULL((void*)0);
4650 }
4651 } else {
4652 dec->sn_evp = NULL((void*)0);
4653 }
4654
4655 dec->dtls13_aad.data = NULL((void*)0);
4656 dec->dtls13_aad.data_len = 0;
4657 ssl_debug_printf("decoder initialized (digest len %d)\n", ssl_cipher_suite_dig(cipher_suite)->len);
4658 return dec;
4659}
4660
4661static bool_Bool
4662ssl_decoder_destroy_cb(wmem_allocator_t *allocator _U___attribute__((unused)), wmem_cb_event_t event _U___attribute__((unused)), void *user_data)
4663{
4664 SslDecoder *dec = (SslDecoder *) user_data;
4665
4666 if (dec->evp)
4667 ssl_cipher_cleanup(&dec->evp);
4668 if (dec->sn_evp)
4669 ssl_cipher_cleanup(&dec->sn_evp);
4670
4671#ifdef USE_ZLIB_OR_ZLIBNG
4672 if (dec->decomp != NULL((void*)0) && dec->decomp->compression == 1 /* DEFLATE */)
4673 ZLIB_PREFIX(inflateEnd)inflateEnd(&dec->decomp->istream);
4674#endif
4675
4676 return false0;
4677}
4678/* }}} */
4679
4680/* (Pre-)master secrets calculations {{{ */
4681#ifdef HAVE_LIBGNUTLS1
4682static bool_Bool
4683ssl_decrypt_pre_master_secret(SslDecryptSession *ssl_session,
4684 StringInfo *encrypted_pre_master,
4685 GHashTable *key_hash);
4686#endif /* HAVE_LIBGNUTLS */
4687
4688static bool_Bool
4689ssl_restore_master_key(SslDecryptSession *ssl, const char *label,
4690 bool_Bool is_pre_master, GHashTable *ht, StringInfo *key);
4691
4692bool_Bool
4693ssl_generate_pre_master_secret(SslDecryptSession *ssl_session,
4694 uint32_t length, tvbuff_t *tvb, uint32_t offset,
4695 const char *ssl_psk, packet_info *pinfo,
4696#ifdef HAVE_LIBGNUTLS1
4697 GHashTable *key_hash,
4698#endif
4699 const ssl_master_key_map_t *mk_map)
4700{
4701 /* check for required session data */
4702 ssl_debug_printf("%s: found SSL_HND_CLIENT_KEY_EXCHG, state %X\n",
4703 G_STRFUNC((const char*) (__func__)), ssl_session->state);
4704 if ((ssl_session->state & (SSL_CIPHER(1<<2)|SSL_CLIENT_RANDOM(1<<0)|SSL_SERVER_RANDOM(1<<1)|SSL_VERSION(1<<4))) !=
4705 (SSL_CIPHER(1<<2)|SSL_CLIENT_RANDOM(1<<0)|SSL_SERVER_RANDOM(1<<1)|SSL_VERSION(1<<4))) {
4706 ssl_debug_printf("%s: not enough data to generate key (required state %X)\n", G_STRFUNC((const char*) (__func__)),
4707 (SSL_CIPHER(1<<2)|SSL_CLIENT_RANDOM(1<<0)|SSL_SERVER_RANDOM(1<<1)|SSL_VERSION(1<<4)));
4708 return false0;
4709 }
4710
4711 if (ssl_session->session.version == TLSV1DOT3_VERSION0x304) {
4712 ssl_debug_printf("%s: detected TLS 1.3 which has no pre-master secrets\n", G_STRFUNC((const char*) (__func__)));
4713 return false0;
4714 }
4715
4716 /* check to see if the PMS was provided to us*/
4717 if (ssl_restore_master_key(ssl_session, "Unencrypted pre-master secret", true1,
4718 mk_map->pms, &ssl_session->client_random)) {
4719 return true1;
4720 }
4721
4722 if (ssl_session->cipher_suite->kex == KEX_PSK0x1d)
4723 {
4724 /* calculate pre master secret*/
4725 StringInfo pre_master_secret;
4726 unsigned psk_len, pre_master_len;
4727
4728 if (!ssl_psk || (ssl_psk[0] == 0)) {
4729 ssl_debug_printf("%s: can't find pre-shared key\n", G_STRFUNC((const char*) (__func__)));
4730 return false0;
4731 }
4732
4733 /* convert hex string into char*/
4734 if (!from_hex(&ssl_session->psk, ssl_psk, strlen(ssl_psk))) {
4735 ssl_debug_printf("%s: ssl.psk/dtls.psk contains invalid hex\n",
4736 G_STRFUNC((const char*) (__func__)));
4737 return false0;
4738 }
4739
4740 psk_len = ssl_session->psk.data_len;
4741 if (psk_len >= (2 << 15)) {
4742 ssl_debug_printf("%s: ssl.psk/dtls.psk must not be larger than 2^15 - 1\n",
4743 G_STRFUNC((const char*) (__func__)));
4744 return false0;
4745 }
4746
4747
4748 pre_master_len = psk_len * 2 + 4;
4749
4750 pre_master_secret.data = (unsigned char *)wmem_alloc(wmem_file_scope(), pre_master_len);
4751 pre_master_secret.data_len = pre_master_len;
4752 /* 2 bytes psk_len*/
4753 pre_master_secret.data[0] = psk_len >> 8;
4754 pre_master_secret.data[1] = psk_len & 0xFF;
4755 /* psk_len bytes times 0*/
4756 memset(&pre_master_secret.data[2], 0, psk_len);
4757 /* 2 bytes psk_len*/
4758 pre_master_secret.data[psk_len + 2] = psk_len >> 8;
4759 pre_master_secret.data[psk_len + 3] = psk_len & 0xFF;
4760 /* psk*/
4761 memcpy(&pre_master_secret.data[psk_len + 4], ssl_session->psk.data, psk_len);
4762
4763 ssl_session->pre_master_secret.data = pre_master_secret.data;
4764 ssl_session->pre_master_secret.data_len = pre_master_len;
4765 /*ssl_debug_printf("pre master secret",&ssl->pre_master_secret);*/
4766
4767 /* Remove the master secret if it was there.
4768 This forces keying material regeneration in
4769 case we're renegotiating */
4770 ssl_session->state &= ~(SSL_MASTER_SECRET(1<<5)|SSL_HAVE_SESSION_KEY(1<<3));
4771 ssl_session->state |= SSL_PRE_MASTER_SECRET(1<<6);
4772 return true1;
4773 }
4774 else
4775 {
4776 unsigned encrlen, skip;
4777 encrlen = length;
4778 skip = 0;
4779
4780 /* get encrypted data, on tls1 we have to skip two bytes
4781 * (it's the encrypted len and should be equal to record len - 2)
4782 * in case of rsa1024 that would be 128 + 2 = 130; for psk not necessary
4783 */
4784 if (ssl_session->cipher_suite->kex == KEX_RSA0x1e &&
4785 (ssl_session->session.version == TLSV1_VERSION0x301 ||
4786 ssl_session->session.version == TLSV1DOT1_VERSION0x302 ||
4787 ssl_session->session.version == TLSV1DOT2_VERSION0x303 ||
4788 ssl_session->session.version == DTLSV1DOT0_VERSION0xfeff ||
4789 ssl_session->session.version == DTLSV1DOT2_VERSION0xfefd ||
4790 ssl_session->session.version == TLCPV1_VERSION0x101 ))
4791 {
4792 encrlen = tvb_get_ntohs(tvb, offset);
4793 skip = 2;
4794 if (encrlen > length - 2)
4795 {
4796 ssl_debug_printf("%s: wrong encrypted length (%d max %d)\n",
4797 G_STRFUNC((const char*) (__func__)), encrlen, length);
4798 return false0;
4799 }
4800 }
4801 /* the valid lower bound is higher than 8, but it is sufficient for the
4802 * ssl keylog file below */
4803 if (encrlen < 8) {
4804 ssl_debug_printf("%s: invalid encrypted pre-master key length %d\n",
4805 G_STRFUNC((const char*) (__func__)), encrlen);
4806 return false0;
4807 }
4808
4809 StringInfo encrypted_pre_master = {
4810 .data = (unsigned char *)tvb_memdup(pinfo->pool, tvb, offset + skip, encrlen),
4811 .data_len = encrlen,
4812 };
4813
4814#ifdef HAVE_LIBGNUTLS1
4815 /* Try to lookup an appropriate RSA private key to decrypt the Encrypted Pre-Master Secret. */
4816 if (ssl_session->cert_key_id) {
4817 if (ssl_decrypt_pre_master_secret(ssl_session, &encrypted_pre_master, key_hash))
4818 return true1;
4819
4820 ssl_debug_printf("%s: can't decrypt pre-master secret\n",
4821 G_STRFUNC((const char*) (__func__)));
4822 }
4823#endif /* HAVE_LIBGNUTLS */
4824
4825 /* try to find the pre-master secret from the encrypted one. The
4826 * ssl key logfile stores only the first 8 bytes, so truncate it */
4827 encrypted_pre_master.data_len = 8;
4828 if (ssl_restore_master_key(ssl_session, "Encrypted pre-master secret",
4829 true1, mk_map->pre_master, &encrypted_pre_master))
4830 return true1;
4831 }
4832 return false0;
4833}
4834
4835/* Used for (D)TLS 1.2 and earlier versions (not with TLS 1.3). */
4836int
4837ssl_generate_keyring_material(SslDecryptSession*ssl_session)
4838{
4839 StringInfo key_block = { NULL((void*)0), 0 };
4840 uint8_t _iv_c[MAX_BLOCK_SIZE16],_iv_s[MAX_BLOCK_SIZE16];
4841 uint8_t _key_c[MAX_KEY_SIZE32],_key_s[MAX_KEY_SIZE32];
4842 int needed;
4843 int cipher_algo = -1; /* special value (-1) for NULL encryption */
4844 unsigned encr_key_len, write_iv_len = 0;
4845 bool_Bool is_export_cipher;
4846 uint8_t *ptr, *c_iv = NULL((void*)0), *s_iv = NULL((void*)0);
4847 uint8_t *c_wk = NULL((void*)0), *s_wk = NULL((void*)0), *c_mk = NULL((void*)0), *s_mk = NULL((void*)0);
4848 const SslCipherSuite *cipher_suite = ssl_session->cipher_suite;
4849
4850 /* (D)TLS 1.3 is handled directly in tls13_change_key. */
4851 if (ssl_session->session.version
7.1
Field 'version' is not equal to TLSV1DOT3_VERSION
 == TLSV1DOT3_VERSION0x304 || ssl_session->session.version == DTLSV1DOT3_VERSION0xfefc) {
8
Assuming field 'version' is not equal to DTLSV1DOT3_VERSION
9
Taking false branch
4852 ssl_debug_printf("%s: detected TLS 1.3. Should not have been called!\n", G_STRFUNC((const char*) (__func__)));
4853 return -1;
4854 }
4855
4856 /* check for enough info to proceed */
4857 unsigned need_all = SSL_CIPHER(1<<2)|SSL_CLIENT_RANDOM(1<<0)|SSL_SERVER_RANDOM(1<<1)|SSL_VERSION(1<<4);
4858 unsigned need_any = SSL_MASTER_SECRET(1<<5) | SSL_PRE_MASTER_SECRET(1<<6);
4859 if (((ssl_session->state & need_all) != need_all) || ((ssl_session->state & need_any) == 0)) {
10
Assuming the condition is false
11
Assuming the condition is false
12
Taking false branch
4860 ssl_debug_printf("ssl_generate_keyring_material not enough data to generate key "
4861 "(0x%02X required 0x%02X or 0x%02X)\n", ssl_session->state,
4862 need_all|SSL_MASTER_SECRET(1<<5), need_all|SSL_PRE_MASTER_SECRET(1<<6));
4863 /* Special case: for NULL encryption, allow dissection of data even if
4864 * the Client Hello is missing (MAC keys are now skipped though). */
4865 need_all = SSL_CIPHER(1<<2)|SSL_VERSION(1<<4);
4866 if ((ssl_session->state & need_all) == need_all &&
4867 cipher_suite->enc == ENC_NULL0x3D) {
4868 ssl_debug_printf("%s NULL cipher found, will create a decoder but "
4869 "skip MAC validation as keys are missing.\n", G_STRFUNC((const char*) (__func__)));
4870 goto create_decoders;
4871 }
4872
4873 return -1;
4874 }
4875
4876 /* if master key is not available, generate is from the pre-master secret */
4877 if (!(ssl_session->state & SSL_MASTER_SECRET(1<<5))) {
13
Assuming the condition is true
14
Taking true branch
4878 if ((ssl_session->state & SSL_EXTENDED_MASTER_SECRET_MASK((1<<7)|(1<<8))) == SSL_EXTENDED_MASTER_SECRET_MASK((1<<7)|(1<<8))) {
15
Assuming the condition is true
16
Taking true branch
4879 StringInfo handshake_hashed_data;
4880 int ret;
4881
4882 handshake_hashed_data.data = NULL((void*)0);
4883 handshake_hashed_data.data_len = 0;
4884
4885 ssl_debug_printf("%s:PRF(pre_master_secret_extended)\n", G_STRFUNC((const char*) (__func__)));
4886 ssl_print_string("pre master secret",&ssl_session->pre_master_secret);
4887 DISSECTOR_ASSERT(ssl_session->handshake_data.data_len > 0)((void) ((ssl_session->handshake_data.data_len > 0) ? (
void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\""
, "epan/dissectors/packet-tls-utils.c", 4887, "ssl_session->handshake_data.data_len > 0"
))));
17
Assuming field 'data_len' is > 0
18
'?' condition is true
4888
4889 switch(ssl_session->session.version) {
19
Control jumps to 'case 257:' at line 4894
4890 case TLSV1_VERSION0x301:
4891 case TLSV1DOT1_VERSION0x302:
4892 case DTLSV1DOT0_VERSION0xfeff:
4893 case DTLSV1DOT0_OPENSSL_VERSION0x100:
4894 case TLCPV1_VERSION0x101:
4895 ret = tls_handshake_hash(ssl_session, &handshake_hashed_data);
20
Calling 'tls_handshake_hash'
28
Returned allocated memory
4896 break;
4897 default:
4898 switch (cipher_suite->dig) {
4899 case DIG_SHA3840x43:
4900 ret = tls12_handshake_hash(ssl_session, GCRY_MD_SHA384, &handshake_hashed_data);
4901 break;
4902 default:
4903 ret = tls12_handshake_hash(ssl_session, GCRY_MD_SHA256, &handshake_hashed_data);
4904 break;
4905 }
4906 break;
4907 }
4908 if (ret
29.1
'ret' is -1
) {
29
 Execution continues on line 4908
30
Taking true branch
4909 ssl_debug_printf("%s can't generate handshake hash\n", G_STRFUNC((const char*) (__func__)));
31
Potential leak of memory pointed to by 'handshake_hashed_data.data'
4910 return -1;
4911 }
4912
4913 wmem_free(wmem_file_scope(), ssl_session->handshake_data.data);
4914 ssl_session->handshake_data.data = NULL((void*)0);
4915 ssl_session->handshake_data.data_len = 0;
4916
4917 if (!prf(ssl_session, &ssl_session->pre_master_secret, "extended master secret",
4918 &handshake_hashed_data,
4919 NULL((void*)0), &ssl_session->master_secret,
4920 SSL_MASTER_SECRET_LENGTH48)) {
4921 ssl_debug_printf("%s can't generate master_secret\n", G_STRFUNC((const char*) (__func__)));
4922 g_free(handshake_hashed_data.data);
4923 return -1;
4924 }
4925 g_free(handshake_hashed_data.data);
4926 } else {
4927 ssl_debug_printf("%s:PRF(pre_master_secret)\n", G_STRFUNC((const char*) (__func__)));
4928 ssl_print_string("pre master secret",&ssl_session->pre_master_secret);
4929 ssl_print_string("client random",&ssl_session->client_random);
4930 ssl_print_string("server random",&ssl_session->server_random);
4931 if (!prf(ssl_session, &ssl_session->pre_master_secret, "master secret",
4932 &ssl_session->client_random,
4933 &ssl_session->server_random, &ssl_session->master_secret,
4934 SSL_MASTER_SECRET_LENGTH48)) {
4935 ssl_debug_printf("%s can't generate master_secret\n", G_STRFUNC((const char*) (__func__)));
4936 return -1;
4937 }
4938 }
4939 ssl_print_string("master secret",&ssl_session->master_secret);
4940
4941 /* the pre-master secret has been 'consumed' so we must clear it now */
4942 ssl_session->state &= ~SSL_PRE_MASTER_SECRET(1<<6);
4943 ssl_session->state |= SSL_MASTER_SECRET(1<<5);
4944 }
4945
4946 /* Find the Libgcrypt cipher algorithm for the given SSL cipher suite ID */
4947 if (cipher_suite->enc != ENC_NULL0x3D) {
4948 const char *cipher_name = ciphers[cipher_suite->enc-ENC_START0x30];
4949 ssl_debug_printf("%s CIPHER: %s\n", G_STRFUNC((const char*) (__func__)), cipher_name);
4950 cipher_algo = ssl_get_cipher_by_name(cipher_name);
4951 if (cipher_algo == 0) {
4952 ssl_debug_printf("%s can't find cipher %s\n", G_STRFUNC((const char*) (__func__)), cipher_name);
4953 return -1;
4954 }
4955 }
4956
4957 /* Export ciphers consume less material from the key block. */
4958 encr_key_len = ssl_get_cipher_export_keymat_size(cipher_suite->number);
4959 is_export_cipher = encr_key_len > 0;
4960 if (!is_export_cipher && cipher_suite->enc != ENC_NULL0x3D) {
4961 encr_key_len = (unsigned)gcry_cipher_get_algo_keylen(cipher_algo);
4962 }
4963
4964 if (cipher_suite->mode == MODE_CBC) {
4965 write_iv_len = (unsigned)gcry_cipher_get_algo_blklen(cipher_algo);
4966 } else if (cipher_suite->mode == MODE_GCM || cipher_suite->mode == MODE_CCM || cipher_suite->mode == MODE_CCM_8) {
4967 /* account for a four-byte salt for client and server side (from
4968 * client_write_IV and server_write_IV), see GCMNonce (RFC 5288) */
4969 write_iv_len = 4;
4970 } else if (cipher_suite->mode == MODE_POLY1305) {
4971 /* RFC 7905: SecurityParameters.fixed_iv_length is twelve bytes */
4972 write_iv_len = 12;
4973 }
4974
4975 /* Compute the key block. First figure out how much data we need */
4976 needed = ssl_cipher_suite_dig(cipher_suite)->len*2; /* MAC key */
4977 needed += 2 * encr_key_len; /* encryption key */
4978 needed += 2 * write_iv_len; /* write IV */
4979
4980 key_block.data = (unsigned char *)g_malloc(needed);
4981 ssl_debug_printf("%s sess key generation\n", G_STRFUNC((const char*) (__func__)));
4982 if (!prf(ssl_session, &ssl_session->master_secret, "key expansion",
4983 &ssl_session->server_random,&ssl_session->client_random,
4984 &key_block, needed)) {
4985 ssl_debug_printf("%s can't generate key_block\n", G_STRFUNC((const char*) (__func__)));
4986 goto fail;
4987 }
4988 ssl_print_string("key expansion", &key_block);
4989
4990 ptr=key_block.data;
4991 /* client/server write MAC key (for non-AEAD ciphers) */
4992 if (cipher_suite->mode == MODE_STREAM || cipher_suite->mode == MODE_CBC) {
4993 c_mk=ptr; ptr+=ssl_cipher_suite_dig(cipher_suite)->len;
4994 s_mk=ptr; ptr+=ssl_cipher_suite_dig(cipher_suite)->len;
4995 }
4996 /* client/server write encryption key */
4997 c_wk=ptr; ptr += encr_key_len;
4998 s_wk=ptr; ptr += encr_key_len;
4999 /* client/server write IV (used as IV (for CBC) or salt (for AEAD)) */
5000 if (write_iv_len > 0) {
5001 c_iv=ptr; ptr += write_iv_len;
5002 s_iv=ptr; /* ptr += write_iv_len; */
5003 }
5004
5005 /* export ciphers work with a smaller key length */
5006 if (is_export_cipher) {
5007 if (cipher_suite->mode == MODE_CBC) {
5008
5009 /* We only have room for MAX_BLOCK_SIZE bytes IVs, but that's
5010 all we should need. This is a sanity check */
5011 if (write_iv_len > MAX_BLOCK_SIZE16) {
5012 ssl_debug_printf("%s cipher suite block must be at most %d nut is %d\n",
5013 G_STRFUNC((const char*) (__func__)), MAX_BLOCK_SIZE16, write_iv_len);
5014 goto fail;
5015 }
5016
5017 if(ssl_session->session.version==SSLV3_VERSION0x300){
5018 /* The length of these fields are ignored by this caller */
5019 StringInfo iv_c, iv_s;
5020 iv_c.data = _iv_c;
5021 iv_s.data = _iv_s;
5022
5023 ssl_debug_printf("%s ssl3_generate_export_iv\n", G_STRFUNC((const char*) (__func__)));
5024 if (!ssl3_generate_export_iv(&ssl_session->client_random,
5025 &ssl_session->server_random, &iv_c, write_iv_len)) {
5026 goto fail;
5027 }
5028 ssl_debug_printf("%s ssl3_generate_export_iv(2)\n", G_STRFUNC((const char*) (__func__)));
5029 if (!ssl3_generate_export_iv(&ssl_session->server_random,
5030 &ssl_session->client_random, &iv_s, write_iv_len)) {
5031 goto fail;
5032 }
5033 }
5034 else{
5035 uint8_t _iv_block[MAX_BLOCK_SIZE16 * 2];
5036 StringInfo iv_block;
5037 StringInfo key_null;
5038 uint8_t _key_null;
5039
5040 key_null.data = &_key_null;
5041 key_null.data_len = 0;
5042
5043 iv_block.data = _iv_block;
5044
5045 ssl_debug_printf("%s prf(iv_block)\n", G_STRFUNC((const char*) (__func__)));
5046 if (!prf(ssl_session, &key_null, "IV block",
5047 &ssl_session->client_random,
5048 &ssl_session->server_random, &iv_block,
5049 write_iv_len * 2)) {
5050 ssl_debug_printf("%s can't generate tls31 iv block\n", G_STRFUNC((const char*) (__func__)));
5051 goto fail;
5052 }
5053
5054 memcpy(_iv_c, iv_block.data, write_iv_len);
5055 memcpy(_iv_s, iv_block.data + write_iv_len, write_iv_len);
5056 }
5057
5058 c_iv=_iv_c;
5059 s_iv=_iv_s;
5060 }
5061
5062 if (ssl_session->session.version==SSLV3_VERSION0x300){
5063
5064 SSL_MD5_CTXgcry_md_hd_t md5;
5065 ssl_debug_printf("%s MD5(client_random)\n", G_STRFUNC((const char*) (__func__)));
5066
5067 if (ssl_md5_init(&md5) != 0)
5068 goto fail;
5069 ssl_md5_update(&md5,c_wk,encr_key_len);
5070 ssl_md5_update(&md5,ssl_session->client_random.data,
5071 ssl_session->client_random.data_len);
5072 ssl_md5_update(&md5,ssl_session->server_random.data,
5073 ssl_session->server_random.data_len);
5074 ssl_md5_final(_key_c,&md5);
5075 ssl_md5_cleanup(&md5);
5076 c_wk=_key_c;
5077
5078 if (ssl_md5_init(&md5) != 0)
5079 goto fail;
5080 ssl_debug_printf("%s MD5(server_random)\n", G_STRFUNC((const char*) (__func__)));
5081 ssl_md5_update(&md5,s_wk,encr_key_len);
5082 ssl_md5_update(&md5,ssl_session->server_random.data,
5083 ssl_session->server_random.data_len);
5084 ssl_md5_update(&md5,ssl_session->client_random.data,
5085 ssl_session->client_random.data_len);
5086 ssl_md5_final(_key_s,&md5);
5087 ssl_md5_cleanup(&md5);
5088 s_wk=_key_s;
5089 }
5090 else{
5091 StringInfo key_c, key_s, k;
5092 key_c.data = _key_c;
5093 key_s.data = _key_s;
5094
5095 k.data = c_wk;
5096 k.data_len = encr_key_len;
5097 ssl_debug_printf("%s PRF(key_c)\n", G_STRFUNC((const char*) (__func__)));
5098 if (!prf(ssl_session, &k, "client write key",
5099 &ssl_session->client_random,
5100 &ssl_session->server_random, &key_c, sizeof(_key_c))) {
5101 ssl_debug_printf("%s can't generate tll31 server key \n", G_STRFUNC((const char*) (__func__)));
5102 goto fail;
5103 }
5104 c_wk=_key_c;
5105
5106 k.data = s_wk;
5107 k.data_len = encr_key_len;
5108 ssl_debug_printf("%s PRF(key_s)\n", G_STRFUNC((const char*) (__func__)));
5109 if (!prf(ssl_session, &k, "server write key",
5110 &ssl_session->client_random,
5111 &ssl_session->server_random, &key_s, sizeof(_key_s))) {
5112 ssl_debug_printf("%s can't generate tll31 client key \n", G_STRFUNC((const char*) (__func__)));
5113 goto fail;
5114 }
5115 s_wk=_key_s;
5116 }
5117 }
5118
5119 /* show key material info */
5120 if (c_mk != NULL((void*)0)) {
5121 ssl_print_data("Client MAC key",c_mk,ssl_cipher_suite_dig(cipher_suite)->len);
5122 ssl_print_data("Server MAC key",s_mk,ssl_cipher_suite_dig(cipher_suite)->len);
5123 }
5124 ssl_print_data("Client Write key", c_wk, encr_key_len);
5125 ssl_print_data("Server Write key", s_wk, encr_key_len);
5126 /* used as IV for CBC mode and the AEAD implicit nonce (salt) */
5127 if (write_iv_len > 0) {
5128 ssl_print_data("Client Write IV", c_iv, write_iv_len);
5129 ssl_print_data("Server Write IV", s_iv, write_iv_len);
5130 }
5131
5132create_decoders:
5133 /* create both client and server ciphers*/
5134 ssl_debug_printf("%s ssl_create_decoder(client)\n", G_STRFUNC((const char*) (__func__)));
5135 ssl_session->client_new = ssl_create_decoder(cipher_suite, cipher_algo, ssl_session->session.compression, c_mk, c_wk, NULL((void*)0), c_iv, write_iv_len);
5136 if (!ssl_session->client_new) {
5137 ssl_debug_printf("%s can't init client decoder\n", G_STRFUNC((const char*) (__func__)));
5138 goto fail;
5139 }
5140 ssl_debug_printf("%s ssl_create_decoder(server)\n", G_STRFUNC((const char*) (__func__)));
5141 ssl_session->server_new = ssl_create_decoder(cipher_suite, cipher_algo, ssl_session->session.compression, s_mk, s_wk, NULL((void*)0), s_iv, write_iv_len);
5142 if (!ssl_session->server_new) {
5143 ssl_debug_printf("%s can't init server decoder\n", G_STRFUNC((const char*) (__func__)));
5144 goto fail;
5145 }
5146
5147 /* Continue the SSL stream after renegotiation with new keys. */
5148 ssl_session->client_new->flow = ssl_session->client ? ssl_session->client->flow : ssl_create_flow();
5149 ssl_session->server_new->flow = ssl_session->server ? ssl_session->server->flow : ssl_create_flow();
5150
5151 ssl_debug_printf("%s: client seq %" PRIu64"l" "u" ", server seq %" PRIu64"l" "u" "\n",
5152 G_STRFUNC((const char*) (__func__)), ssl_session->client_new->seq, ssl_session->server_new->seq);
5153 g_free(key_block.data);
5154 ssl_session->state |= SSL_HAVE_SESSION_KEY(1<<3);
5155 return 0;
5156
5157fail:
5158 g_free(key_block.data);
5159 return -1;
5160}
5161
5162/* Generated the key material based on the given secret. */
5163bool_Bool
5164tls13_generate_keys(SslDecryptSession *ssl_session, const StringInfo *secret, bool_Bool is_from_server)
5165{
5166 bool_Bool success = false0;
5167 unsigned char *write_key = NULL((void*)0), *write_iv = NULL((void*)0);
5168 unsigned char *sn_key = NULL((void*)0);
5169 SslDecoder *decoder;
5170 unsigned key_length, iv_length;
5171 int hash_algo;
5172 const SslCipherSuite *cipher_suite = ssl_session->cipher_suite;
5173 int cipher_algo;
5174
5175 if ((ssl_session->session.version != TLSV1DOT3_VERSION0x304) && (ssl_session->session.version != DTLSV1DOT3_VERSION0xfefc)) {
5176 ssl_debug_printf("%s only usable for TLS 1.3, not %#x!\n", G_STRFUNC((const char*) (__func__)),
5177 ssl_session->session.version);
5178 return false0;
5179 }
5180
5181 if (cipher_suite == NULL((void*)0)) {
5182 ssl_debug_printf("%s Unknown cipher\n", G_STRFUNC((const char*) (__func__)));
5183 return false0;
5184 }
5185
5186 if (cipher_suite->kex != KEX_TLS130x23) {
5187 ssl_debug_printf("%s Invalid cipher suite 0x%04x spotted!\n", G_STRFUNC((const char*) (__func__)), cipher_suite->number);
5188 return false0;
5189 }
5190
5191 /* Find the Libgcrypt cipher algorithm for the given SSL cipher suite ID */
5192 const char *cipher_name = ciphers[cipher_suite->enc-ENC_START0x30];
5193 ssl_debug_printf("%s CIPHER: %s\n", G_STRFUNC((const char*) (__func__)), cipher_name);
5194 cipher_algo = ssl_get_cipher_by_name(cipher_name);
5195 if (cipher_algo == 0) {
5196 ssl_debug_printf("%s can't find cipher %s\n", G_STRFUNC((const char*) (__func__)), cipher_name);
5197 return false0;
5198 }
5199
5200 const char *hash_name = ssl_cipher_suite_dig(cipher_suite)->name;
5201 hash_algo = ssl_get_digest_by_name(hash_name);
5202 if (!hash_algo) {
5203 ssl_debug_printf("%s can't find hash function %s\n", G_STRFUNC((const char*) (__func__)), hash_name);
5204 return false0;
5205 }
5206
5207 key_length = (unsigned) gcry_cipher_get_algo_keylen(cipher_algo);
5208 /* AES-GCM/AES-CCM/Poly1305-ChaCha20 all have N_MIN=N_MAX = 12. */
5209 iv_length = 12;
5210 ssl_debug_printf("%s key_length %u iv_length %u\n", G_STRFUNC((const char*) (__func__)), key_length, iv_length);
5211
5212 const char *label_prefix = tls13_hkdf_label_prefix(ssl_session);
5213 if (!tls13_hkdf_expand_label(hash_algo, secret, label_prefix, "key", key_length, &write_key)) {
5214 ssl_debug_printf("%s write_key expansion failed\n", G_STRFUNC((const char*) (__func__)));
5215 return false0;
5216 }
5217 if (!tls13_hkdf_expand_label(hash_algo, secret, label_prefix, "iv", iv_length, &write_iv)) {
5218 ssl_debug_printf("%s write_iv expansion failed\n", G_STRFUNC((const char*) (__func__)));
5219 goto end;
5220 }
5221
5222 if (ssl_session->session.version == DTLSV1DOT3_VERSION0xfefc) {
5223 if (!tls13_hkdf_expand_label(hash_algo, secret, label_prefix, "sn", key_length, &sn_key)) {
5224 ssl_debug_printf("%s sn_key expansion failed\n", G_STRFUNC((const char*) (__func__)));
5225 goto end;
5226 }
5227 }
5228
5229 ssl_print_data(is_from_server ? "Server Write Key" : "Client Write Key", write_key, key_length);
5230 ssl_print_data(is_from_server ? "Server Write IV" : "Client Write IV", write_iv, iv_length);
5231 if (ssl_session->session.version == DTLSV1DOT3_VERSION0xfefc) {
5232 ssl_print_data(is_from_server ? "Server Write SN" : "Client Write SN", sn_key, key_length);
5233 }
5234
5235 ssl_debug_printf("%s ssl_create_decoder(%s)\n", G_STRFUNC((const char*) (__func__)), is_from_server ? "server" : "client");
5236 decoder = ssl_create_decoder(cipher_suite, cipher_algo, 0, NULL((void*)0), write_key, sn_key, write_iv, iv_length);
5237 if (!decoder) {
5238 ssl_debug_printf("%s can't init %s decoder\n", G_STRFUNC((const char*) (__func__)), is_from_server ? "server" : "client");
5239 goto end;
5240 }
5241
5242 /* Continue the TLS session with new keys, but reuse old flow to keep things
5243 * like "Follow TLS" working (by linking application data records). */
5244 if (is_from_server) {
5245 decoder->flow = ssl_session->server ? ssl_session->server->flow : ssl_create_flow();
5246 ssl_session->server = decoder;
5247 } else {
5248 decoder->flow = ssl_session->client ? ssl_session->client->flow : ssl_create_flow();
5249 ssl_session->client = decoder;
5250 }
5251 ssl_debug_printf("%s %s ready using cipher suite 0x%04x (cipher %s hash %s)\n", G_STRFUNC((const char*) (__func__)),
5252 is_from_server ? "Server" : "Client", cipher_suite->number, cipher_name, hash_name);
5253 success = true1;
5254
5255end:
5256 wmem_free(NULL((void*)0), write_key);
5257 wmem_free(NULL((void*)0), write_iv);
5258 if (sn_key)
5259 wmem_free(NULL((void*)0), sn_key);
5260 return success;
5261}
5262/* (Pre-)master secrets calculations }}} */
5263
5264#ifdef HAVE_LIBGNUTLS1
5265/* Decrypt RSA pre-master secret using RSA private key. {{{ */
5266static bool_Bool
5267ssl_decrypt_pre_master_secret(SslDecryptSession *ssl_session,
5268 StringInfo *encrypted_pre_master, GHashTable *key_hash)
5269{
5270 int ret;
5271
5272 if (!encrypted_pre_master)
5273 return false0;
5274
5275 if (KEX_IS_DH(ssl_session->cipher_suite->kex)((ssl_session->cipher_suite->kex) >= 0x10 &&
(ssl_session->cipher_suite->kex) <= 0x1b)) {
5276 ssl_debug_printf("%s: session uses Diffie-Hellman key exchange "
5277 "(cipher suite 0x%04X %s) and cannot be decrypted "
5278 "using a RSA private key file.\n",
5279 G_STRFUNC((const char*) (__func__)), ssl_session->session.cipher,
5280 val_to_str_ext_const(ssl_session->session.cipher,
5281 &ssl_31_ciphersuite_ext, "unknown"));
5282 return false0;
5283 } else if (ssl_session->cipher_suite->kex != KEX_RSA0x1e) {
5284 ssl_debug_printf("%s key exchange %d different from KEX_RSA (%d)\n",
5285 G_STRFUNC((const char*) (__func__)), ssl_session->cipher_suite->kex, KEX_RSA0x1e);
5286 return false0;
5287 }
5288
5289 gnutls_privkey_t pk = (gnutls_privkey_t)g_hash_table_lookup(key_hash, ssl_session->cert_key_id);
5290
5291 ssl_print_string("pre master encrypted", encrypted_pre_master);
5292 ssl_debug_printf("%s: RSA_private_decrypt\n", G_STRFUNC((const char*) (__func__)));
5293 const gnutls_datum_t epms = { encrypted_pre_master->data, encrypted_pre_master->data_len };
5294 gnutls_datum_t pms = { 0 };
5295 if (pk) {
5296 // Try to decrypt using the RSA keys table from (D)TLS preferences.
5297 char *err = NULL((void*)0);
5298 gcry_sexp_t private_key = rsa_abstract_privkey_to_sexp(pk, &err);
5299 if (!private_key) {
5300 ssl_debug_printf("%s: decryption failed: Can't export private key: %s", G_STRFUNC((const char*) (__func__)), err);
5301 g_free(err);
5302 return false0;
5303 }
5304
5305 pms.size = (int)rsa_decrypt(encrypted_pre_master->data_len, encrypted_pre_master->data, &pms.data, private_key, "pkcs1", &err);
5306 rsa_private_key_free(private_key);
5307 if (pms.size == 0) {
5308 ssl_debug_printf("%s: decryption failed: %s\n", G_STRFUNC((const char*) (__func__)), err);
5309 g_free(err);
5310 return false0;
5311 }
5312 } else {
5313 // Try to decrypt using a hardware token.
5314 ret = secrets_rsa_decrypt(ssl_session->cert_key_id, epms.data, epms.size, &pms.data, &pms.size);
5315 if (ret < 0) {
5316 ssl_debug_printf("%s: decryption failed: %d (%s)\n", G_STRFUNC((const char*) (__func__)), ret, gnutls_strerror(ret));
5317 return false0;
5318 }
5319 }
5320
5321 if (pms.size != 48) {
5322 ssl_debug_printf("%s wrong pre_master_secret length (%d, expected %d)\n",
5323 G_STRFUNC((const char*) (__func__)), pms.size, 48);
5324 g_free(pms.data);
5325 return false0;
5326 }
5327
5328 ssl_session->pre_master_secret.data = (uint8_t *)wmem_memdup(wmem_file_scope(), pms.data, 48);
5329 ssl_session->pre_master_secret.data_len = 48;
5330 g_free(pms.data);
5331 ssl_print_string("pre master secret", &ssl_session->pre_master_secret);
5332
5333 /* Remove the master secret if it was there.
5334 This forces keying material regeneration in
5335 case we're renegotiating */
5336 ssl_session->state &= ~(SSL_MASTER_SECRET(1<<5)|SSL_HAVE_SESSION_KEY(1<<3));
5337 ssl_session->state |= SSL_PRE_MASTER_SECRET(1<<6);
5338 return true1;
5339} /* }}} */
5340#endif /* HAVE_LIBGNUTLS */
5341
5342/* Decryption integrity check {{{ */
5343
5344static int
5345tls_check_mac(SslDecoder*decoder, int ct, int ver, uint8_t* data,
5346 uint32_t datalen, uint8_t* mac)
5347{
5348 SSL_HMACgcry_md_hd_t hm;
5349 int md;
5350 uint32_t len;
5351 uint8_t buf[DIGEST_MAX_SIZE48];
5352 int16_t temp;
5353
5354 md=ssl_get_digest_by_name(ssl_cipher_suite_dig(decoder->cipher_suite)->name);
5355 ssl_debug_printf("tls_check_mac mac type:%s md %d\n",
5356 ssl_cipher_suite_dig(decoder->cipher_suite)->name, md);
5357
5358 if (ssl_hmac_init(&hm,md) != 0)
5359 return -1;
5360 if (ssl_hmac_setkey(&hm,decoder->mac_key.data,decoder->mac_key.data_len) != 0)
5361 return -1;
5362
5363 /* hash sequence number */
5364 phtonu64(buf, decoder->seq);
5365
5366 decoder->seq++;
5367
5368 ssl_hmac_update(&hm,buf,8);
5369
5370 /* hash content type */
5371 buf[0]=ct;
5372 ssl_hmac_update(&hm,buf,1);
5373
5374 /* hash version,data length and data*/
5375 /* *((int16_t*)buf) = g_htons(ver); */
5376 temp = g_htons(ver)(((((guint16) ( (guint16) ((guint16) (ver) >> 8) | (guint16
) ((guint16) (ver) << 8))))));
5377 memcpy(buf, &temp, 2);
5378 ssl_hmac_update(&hm,buf,2);
5379
5380 /* *((int16_t*)buf) = g_htons(datalen); */
5381 temp = g_htons(datalen)(((((guint16) ( (guint16) ((guint16) (datalen) >> 8) | (
guint16) ((guint16) (datalen) << 8))))));
5382 memcpy(buf, &temp, 2);
5383 ssl_hmac_update(&hm,buf,2);
5384 ssl_hmac_update(&hm,data,datalen);
5385
5386 /* get digest and digest len*/
5387 len = sizeof(buf);
5388 ssl_hmac_final(&hm,buf,&len);
5389 ssl_hmac_cleanup(&hm);
5390 ssl_print_data("Mac", buf, len);
5391 if(memcmp(mac,buf,len))
5392 return -1;
5393
5394 return 0;
5395}
5396
5397static int
5398ssl3_check_mac(SslDecoder*decoder,int ct,uint8_t* data,
5399 uint32_t datalen, uint8_t* mac)
5400{
5401 SSL_MDgcry_md_hd_t mc;
5402 int md;
5403 uint32_t len;
5404 uint8_t buf[64],dgst[20];
5405 int pad_ct;
5406 int16_t temp;
5407
5408 pad_ct=(decoder->cipher_suite->dig==DIG_SHA0x41)?40:48;
5409
5410 /* get cipher used for digest computation */
5411 md=ssl_get_digest_by_name(ssl_cipher_suite_dig(decoder->cipher_suite)->name);
5412 if (ssl_md_init(&mc,md) !=0)
5413 return -1;
5414
5415 /* do hash computation on data && padding */
5416 ssl_md_update(&mc,decoder->mac_key.data,decoder->mac_key.data_len);
5417
5418 /* hash padding*/
5419 memset(buf,0x36,pad_ct);
5420 ssl_md_update(&mc,buf,pad_ct);
5421
5422 /* hash sequence number */
5423 phtonu64(buf, decoder->seq);
5424 decoder->seq++;
5425 ssl_md_update(&mc,buf,8);
5426
5427 /* hash content type */
5428 buf[0]=ct;
5429 ssl_md_update(&mc,buf,1);
5430
5431 /* hash data length in network byte order and data*/
5432 /* *((int16_t* )buf) = g_htons(datalen); */
5433 temp = g_htons(datalen)(((((guint16) ( (guint16) ((guint16) (datalen) >> 8) | (
guint16) ((guint16) (datalen) << 8))))));
5434 memcpy(buf, &temp, 2);
5435 ssl_md_update(&mc,buf,2);
5436 ssl_md_update(&mc,data,datalen);
5437
5438 /* get partial digest */
5439 ssl_md_final(&mc,dgst,&len);
5440 ssl_md_reset(&mc);
5441
5442 /* hash mac key */
5443 ssl_md_update(&mc,decoder->mac_key.data,decoder->mac_key.data_len);
5444
5445 /* hash padding and partial digest*/
5446 memset(buf,0x5c,pad_ct);
5447 ssl_md_update(&mc,buf,pad_ct);
5448 ssl_md_update(&mc,dgst,len);
5449
5450 ssl_md_final(&mc,dgst,&len);
5451 ssl_md_cleanup(&mc);
5452
5453 if(memcmp(mac,dgst,len))
5454 return -1;
5455
5456 return 0;
5457}
5458
5459static int
5460dtls_check_mac(SslDecryptSession *ssl, SslDecoder*decoder, int ct, uint8_t* data,
5461 uint32_t datalen, uint8_t* mac, const unsigned char *cid, uint8_t cidl)
5462{
5463 SSL_HMACgcry_md_hd_t hm;
5464 int md;
5465 uint32_t len;
5466 uint8_t buf[DIGEST_MAX_SIZE48];
5467 int16_t temp;
5468
5469 int ver = ssl->session.version;
5470 bool_Bool is_cid = ((ct == SSL_ID_TLS12_CID) && (ver == DTLSV1DOT2_VERSION0xfefd));
5471
5472 md=ssl_get_digest_by_name(ssl_cipher_suite_dig(decoder->cipher_suite)->name);
5473 ssl_debug_printf("dtls_check_mac mac type:%s md %d\n",
5474 ssl_cipher_suite_dig(decoder->cipher_suite)->name, md);
5475
5476 if (ssl_hmac_init(&hm,md) != 0)
5477 return -1;
5478 if (ssl_hmac_setkey(&hm,decoder->mac_key.data,decoder->mac_key.data_len) != 0)
5479 return -1;
5480
5481 ssl_debug_printf("dtls_check_mac seq: %" PRIu64"l" "u" " epoch: %d\n",decoder->seq,decoder->epoch);
5482
5483 if (is_cid && !ssl->session.deprecated_cid) {
5484 /* hash seq num placeholder */
5485 memset(buf,0xFF,8);
5486 ssl_hmac_update(&hm,buf,8);
5487
5488 /* hash content type + cid length + content type */
5489 buf[0]=ct;
5490 buf[1]=cidl;
5491 buf[2]=ct;
5492 ssl_hmac_update(&hm,buf,3);
5493
5494 /* hash version */
5495 temp = g_htons(ver)(((((guint16) ( (guint16) ((guint16) (ver) >> 8) | (guint16
) ((guint16) (ver) << 8))))));
5496 memcpy(buf, &temp, 2);
5497 ssl_hmac_update(&hm,buf,2);
5498
5499 /* hash sequence number */
5500 phtonu64(buf, decoder->seq);
5501 buf[0]=decoder->epoch>>8;
5502 buf[1]=(uint8_t)decoder->epoch;
5503 ssl_hmac_update(&hm,buf,8);
5504
5505 /* hash cid */
5506 ssl_hmac_update(&hm,cid,cidl);
5507 } else {
5508 /* hash sequence number */
5509 phtonu64(buf, decoder->seq);
5510 buf[0]=decoder->epoch>>8;
5511 buf[1]=(uint8_t)decoder->epoch;
5512 ssl_hmac_update(&hm,buf,8);
5513
5514 /* hash content type */
5515 buf[0]=ct;
5516 ssl_hmac_update(&hm,buf,1);
5517
5518 /* hash version */
5519 temp = g_htons(ver)(((((guint16) ( (guint16) ((guint16) (ver) >> 8) | (guint16
) ((guint16) (ver) << 8))))));
5520 memcpy(buf, &temp, 2);
5521 ssl_hmac_update(&hm,buf,2);
5522
5523 if (is_cid && ssl->session.deprecated_cid) {
5524 /* hash cid */
5525 ssl_hmac_update(&hm,cid,cidl);
5526
5527 /* hash cid length */
5528 buf[0] = cidl;
5529 ssl_hmac_update(&hm,buf,1);
5530 }
5531 }
5532
5533 /* data length and data */
5534 temp = g_htons(datalen)(((((guint16) ( (guint16) ((guint16) (datalen) >> 8) | (
guint16) ((guint16) (datalen) << 8))))));
5535 memcpy(buf, &temp, 2);
5536 ssl_hmac_update(&hm,buf,2);
5537 ssl_hmac_update(&hm,data,datalen);
5538
5539 /* get digest and digest len */
5540 len = sizeof(buf);
5541 ssl_hmac_final(&hm,buf,&len);
5542 ssl_hmac_cleanup(&hm);
5543 ssl_print_data("Mac", buf, len);
5544 if(memcmp(mac,buf,len))
5545 return -1;
5546
5547 return 0;
5548}
5549/* Decryption integrity check }}} */
5550
5551
5552static bool_Bool
5553tls_decrypt_aead_record(wmem_allocator_t* allocator, SslDecryptSession *ssl, SslDecoder *decoder,
5554 uint8_t ct, uint16_t record_version,
5555 bool_Bool ignore_mac_failed,
5556 const unsigned char *in, uint16_t inl,
5557 const unsigned char *cid, uint8_t cidl,
5558 StringInfo *out_str, unsigned *outl)
5559{
5560 /* RFC 5246 (TLS 1.2) 6.2.3.3 defines the TLSCipherText.fragment as:
5561 * GenericAEADCipher: { nonce_explicit, [content] }
5562 * In TLS 1.3 this explicit nonce is gone.
5563 * With AES GCM/CCM, "[content]" is actually the concatenation of the
5564 * ciphertext and authentication tag.
5565 */
5566 const uint16_t version = ssl->session.version;
5567 const bool_Bool is_v12 = version == TLSV1DOT2_VERSION0x303 || version == DTLSV1DOT2_VERSION0xfefd || version == TLCPV1_VERSION0x101;
5568 gcry_error_t err;
5569 const unsigned char *explicit_nonce = NULL((void*)0), *ciphertext;
5570 unsigned ciphertext_len, auth_tag_len;
5571 unsigned char nonce[12];
5572 const ssl_cipher_mode_t cipher_mode = decoder->cipher_suite->mode;
5573 const bool_Bool is_cid = ct == SSL_ID_TLS12_CID && version == DTLSV1DOT2_VERSION0xfefd;
5574 const uint8_t draft_version = ssl->session.tls13_draft_version;
5575 const unsigned char *auth_tag_wire;
5576 unsigned char auth_tag_calc[16];
5577 unsigned char *aad = NULL((void*)0);
5578 unsigned aad_len = 0;
5579
5580 switch (cipher_mode) {
5581 case MODE_GCM:
5582 case MODE_CCM:
5583 case MODE_POLY1305:
5584 auth_tag_len = 16;
5585 break;
5586 case MODE_CCM_8:
5587 auth_tag_len = 8;
5588 break;
5589 default:
5590 ssl_debug_printf("%s unsupported cipher!\n", G_STRFUNC((const char*) (__func__)));
5591 return false0;
5592 }
5593
5594 /* Parse input into explicit nonce (TLS 1.2 only), ciphertext and tag. */
5595 if (is_v12 && cipher_mode != MODE_POLY1305) {
5596 if (inl < EXPLICIT_NONCE_LEN8 + auth_tag_len) {
5597 ssl_debug_printf("%s input %d is too small for explicit nonce %d and auth tag %d\n",
5598 G_STRFUNC((const char*) (__func__)), inl, EXPLICIT_NONCE_LEN8, auth_tag_len);
5599 return false0;
5600 }
5601 explicit_nonce = in;
5602 ciphertext = explicit_nonce + EXPLICIT_NONCE_LEN8;
5603 ciphertext_len = inl - EXPLICIT_NONCE_LEN8 - auth_tag_len;
5604 } else if (version == TLSV1DOT3_VERSION0x304 || version == DTLSV1DOT3_VERSION0xfefc || cipher_mode == MODE_POLY1305) {
5605 if (inl < auth_tag_len) {
5606 ssl_debug_printf("%s input %d has no space for auth tag %d\n", G_STRFUNC((const char*) (__func__)), inl, auth_tag_len);
5607 return false0;
5608 }
5609 ciphertext = in;
5610 ciphertext_len = inl - auth_tag_len;
5611 } else {
5612 ssl_debug_printf("%s Unexpected TLS version %#x\n", G_STRFUNC((const char*) (__func__)), version);
5613 return false0;
5614 }
5615 auth_tag_wire = ciphertext + ciphertext_len;
5616
5617 /*
5618 * Nonce construction is version-specific. Note that AEAD_CHACHA20_POLY1305
5619 * (RFC 7905) uses a nonce construction similar to TLS 1.3.
5620 */
5621 if (is_v12 && cipher_mode != MODE_POLY1305) {
5622 DISSECTOR_ASSERT(decoder->write_iv.data_len == IMPLICIT_NONCE_LEN)((void) ((decoder->write_iv.data_len == 4) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 5622, "decoder->write_iv.data_len == 4"))));
5623 /* Implicit (4) and explicit (8) part of nonce. */
5624 memcpy(nonce, decoder->write_iv.data, IMPLICIT_NONCE_LEN4);
5625 memcpy(nonce + IMPLICIT_NONCE_LEN4, explicit_nonce, EXPLICIT_NONCE_LEN8);
5626
5627 } else if (version == TLSV1DOT3_VERSION0x304 || version == DTLSV1DOT3_VERSION0xfefc || cipher_mode == MODE_POLY1305) {
5628 /*
5629 * Technically the nonce length must be at least 8 bytes, but for
5630 * AES-GCM, AES-CCM and Poly1305-ChaCha20 the nonce length is exact 12.
5631 */
5632 const unsigned nonce_len = 12;
5633 DISSECTOR_ASSERT(decoder->write_iv.data_len == nonce_len)((void) ((decoder->write_iv.data_len == nonce_len) ? (void
)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\""
, "epan/dissectors/packet-tls-utils.c", 5633, "decoder->write_iv.data_len == nonce_len"
))));
5634 memcpy(nonce, decoder->write_iv.data, decoder->write_iv.data_len);
5635 /* Sequence number is left-padded with zeroes and XORed with write_iv */
5636 phtonu64(nonce + nonce_len - 8, pntohu64(nonce + nonce_len - 8) ^ decoder->seq);
5637 ssl_debug_printf("%s seq %" PRIu64"l" "u" "\n", G_STRFUNC((const char*) (__func__)), decoder->seq);
5638 }
5639
5640 /* Set nonce and additional authentication data */
5641 gcry_cipher_reset(decoder->evp)gcry_cipher_ctl ((decoder->evp), GCRYCTL_RESET, ((void*)0)
, 0);
5642 ssl_print_data("nonce", nonce, 12);
5643 err = gcry_cipher_setiv(decoder->evp, nonce, 12);
5644 if (err) {
5645 ssl_debug_printf("%s failed to set nonce: %s\n", G_STRFUNC((const char*) (__func__)), gcry_strerror(err));
5646 return false0;
5647 }
5648
5649 /* (D)TLS 1.2 needs specific AAD, TLS 1.3 (before -25) uses empty AAD. */
5650 if (is_cid) { /* if connection ID */
5651 if (ssl->session.deprecated_cid) {
5652 aad_len = 14 + cidl;
5653 aad = wmem_alloc(allocator, aad_len);
5654 phtonu64(aad, decoder->seq); /* record sequence number */
5655 phtonu16(aad, decoder->epoch); /* DTLS 1.2 includes epoch. */
5656 aad[8] = ct; /* TLSCompressed.type */
5657 phtonu16(aad + 9, record_version); /* TLSCompressed.version */
5658 memcpy(aad + 11, cid, cidl); /* cid */
5659 aad[11 + cidl] = cidl; /* cid_length */
5660 phtonu16(aad + 12 + cidl, ciphertext_len); /* TLSCompressed.length */
5661 } else {
5662 aad_len = 23 + cidl;
5663 aad = wmem_alloc(allocator, aad_len);
5664 memset(aad, 0xFF, 8); /* seq_num_placeholder */
5665 aad[8] = ct; /* TLSCompressed.type */
5666 aad[9] = cidl; /* cid_length */
5667 aad[10] = ct; /* TLSCompressed.type */
5668 phtonu16(aad + 11, record_version); /* TLSCompressed.version */
5669 phtonu64(aad + 13, decoder->seq); /* record sequence number */
5670 phtonu16(aad + 13, decoder->epoch); /* DTLS 1.2 includes epoch. */
5671 memcpy(aad + 21, cid, cidl); /* cid */
5672 phtonu16(aad + 21 + cidl, ciphertext_len); /* TLSCompressed.length */
5673 }
5674 } else if (is_v12) {
5675 aad_len = 13;
5676 aad = wmem_alloc(allocator, aad_len);
5677 phtonu64(aad, decoder->seq); /* record sequence number */
5678 if (version == DTLSV1DOT2_VERSION0xfefd) {
5679 phtonu16(aad, decoder->epoch); /* DTLS 1.2 includes epoch. */
5680 }
5681 aad[8] = ct; /* TLSCompressed.type */
5682 phtonu16(aad + 9, record_version); /* TLSCompressed.version */
5683 phtonu16(aad + 11, ciphertext_len); /* TLSCompressed.length */
5684 } else if (version == DTLSV1DOT3_VERSION0xfefc) {
5685 aad_len = decoder->dtls13_aad.data_len;
5686 aad = decoder->dtls13_aad.data;
5687 } else if (draft_version >= 25 || draft_version == 0) {
5688 aad_len = 5;
5689 aad = wmem_alloc(allocator, aad_len);
5690 aad[0] = ct; /* TLSCiphertext.opaque_type (23) */
5691 phtonu16(aad + 1, record_version); /* TLSCiphertext.legacy_record_version (0x0303) */
5692 phtonu16(aad + 3, inl); /* TLSCiphertext.length */
5693 }
5694
5695 if (decoder->cipher_suite->mode == MODE_CCM || decoder->cipher_suite->mode == MODE_CCM_8) {
5696 /* size of plaintext, additional authenticated data and auth tag. */
5697 uint64_t lengths[3] = { ciphertext_len, aad_len, auth_tag_len };
5698
5699 gcry_cipher_ctl(decoder->evp, GCRYCTL_SET_CCM_LENGTHS, lengths, sizeof(lengths));
5700 }
5701
5702 if (aad && aad_len > 0) {
5703 ssl_print_data("AAD", aad, aad_len);
5704 err = gcry_cipher_authenticate(decoder->evp, aad, aad_len);
5705 if (err) {
5706 ssl_debug_printf("%s failed to set AAD: %s\n", G_STRFUNC((const char*) (__func__)), gcry_strerror(err));
5707 return false0;
5708 }
5709 }
5710
5711 /* Decrypt now that nonce and AAD are set. */
5712 err = gcry_cipher_decrypt(decoder->evp, out_str->data, out_str->data_len, ciphertext, ciphertext_len);
5713 if (err) {
5714 ssl_debug_printf("%s decrypt failed: %s\n", G_STRFUNC((const char*) (__func__)), gcry_strerror(err));
5715 return false0;
5716 }
5717
5718 /* Check authentication tag for authenticity (replaces MAC) */
5719 err = gcry_cipher_gettag(decoder->evp, auth_tag_calc, auth_tag_len);
5720 if (err == 0 && !memcmp(auth_tag_calc, auth_tag_wire, auth_tag_len)) {
5721 ssl_print_data("auth_tag(OK)", auth_tag_calc, auth_tag_len);
5722 } else {
5723 if (err) {
5724 ssl_debug_printf("%s cannot obtain tag: %s\n", G_STRFUNC((const char*) (__func__)), gcry_strerror(err));
5725 } else {
5726 ssl_debug_printf("%s auth tag mismatch\n", G_STRFUNC((const char*) (__func__)));
5727 ssl_print_data("auth_tag(expect)", auth_tag_calc, auth_tag_len);
5728 ssl_print_data("auth_tag(actual)", auth_tag_wire, auth_tag_len);
5729 }
5730 if (ignore_mac_failed) {
5731 ssl_debug_printf("%s: auth check failed, but ignored for troubleshooting ;-)\n", G_STRFUNC((const char*) (__func__)));
5732 } else {
5733 return false0;
5734 }
5735 }
5736
5737 /*
5738 * Increment the (implicit) sequence number for TLS 1.2/1.3 and TLCP 1.1. This is done
5739 * after successful authentication to ensure that early data is skipped when
5740 * CLIENT_EARLY_TRAFFIC_SECRET keys are unavailable.
5741 */
5742 if (version == TLSV1DOT2_VERSION0x303 || version == TLSV1DOT3_VERSION0x304 || version == TLCPV1_VERSION0x101) {
5743 decoder->seq++;
5744 }
5745
5746 ssl_print_data("Plaintext", out_str->data, ciphertext_len);
5747 *outl = ciphertext_len;
5748 return true1;
5749}
5750
5751/* Record decryption glue based on security parameters {{{ */
5752/* Assume that we are called only for a non-NULL decoder which also means that
5753 * we have a non-NULL decoder->cipher_suite. */
5754int
5755ssl_decrypt_record(wmem_allocator_t* allocator, SslDecryptSession *ssl, SslDecoder *decoder, uint8_t ct, uint16_t record_version,
5756 bool_Bool ignore_mac_failed,
5757 const unsigned char *in, uint16_t inl, const unsigned char *cid, uint8_t cidl,
5758 StringInfo *comp_str, StringInfo *out_str, unsigned *outl)
5759{
5760 unsigned pad, worklen, uncomplen, maclen, mac_fraglen = 0;
5761 uint8_t *mac = NULL((void*)0), *mac_frag = NULL((void*)0);
5762
5763 ssl_debug_printf("ssl_decrypt_record ciphertext len %d\n", inl);
5764 ssl_print_data("Ciphertext",in, inl);
5765
5766 if (((ssl->session.version == TLSV1DOT3_VERSION0x304 || ssl->session.version == DTLSV1DOT3_VERSION0xfefc))
5767 != (decoder->cipher_suite->kex == KEX_TLS130x23)) {
5768 ssl_debug_printf("%s Invalid cipher suite for the protocol version!\n", G_STRFUNC((const char*) (__func__)));
5769 return -1;
5770 }
5771
5772 /* ensure we have enough storage space for decrypted data */
5773 if (inl > out_str->data_len)
5774 {
5775 ssl_debug_printf("ssl_decrypt_record: allocating %d bytes for decrypt data (old len %d)\n",
5776 inl + 32, out_str->data_len);
5777 ssl_data_realloc(out_str, inl + 32);
5778 }
5779
5780 /* AEAD ciphers (GenericAEADCipher in TLS 1.2; TLS 1.3) have no padding nor
5781 * a separate MAC, so use a different routine for simplicity. */
5782 if (decoder->cipher_suite->mode == MODE_GCM ||
5783 decoder->cipher_suite->mode == MODE_CCM ||
5784 decoder->cipher_suite->mode == MODE_CCM_8 ||
5785 decoder->cipher_suite->mode == MODE_POLY1305 ||
5786 ssl->session.version == TLSV1DOT3_VERSION0x304 ||
5787 ssl->session.version == DTLSV1DOT3_VERSION0xfefc) {
5788
5789 if (!tls_decrypt_aead_record(allocator, ssl, decoder, ct, record_version, ignore_mac_failed, in, inl, cid, cidl, out_str, &worklen)) {
5790 /* decryption failed */
5791 return -1;
5792 }
5793
5794 goto skip_mac;
5795 }
5796
5797 /* RFC 6101/2246: SSLCipherText/TLSCipherText has two structures for types:
5798 * (notation: { unencrypted, [ encrypted ] })
5799 * GenericStreamCipher: { [content, mac] }
5800 * GenericBlockCipher: { IV (TLS 1.1+), [content, mac, padding, padding_len] }
5801 * RFC 5426 (TLS 1.2): TLSCipherText has additionally:
5802 * GenericAEADCipher: { nonce_explicit, [content] }
5803 * RFC 4347 (DTLS): based on TLS 1.1, only GenericBlockCipher is supported.
5804 * RFC 6347 (DTLS 1.2): based on TLS 1.2, includes GenericAEADCipher too.
5805 */
5806
5807 maclen = ssl_cipher_suite_dig(decoder->cipher_suite)->len;
5808
5809 /* (TLS 1.1 and later, DTLS) Extract explicit IV for GenericBlockCipher */
5810 if (decoder->cipher_suite->mode == MODE_CBC) {
5811 unsigned blocksize = 0;
5812
5813 switch (ssl->session.version) {
5814 case TLSV1DOT1_VERSION0x302:
5815 case TLSV1DOT2_VERSION0x303:
5816 case DTLSV1DOT0_VERSION0xfeff:
5817 case DTLSV1DOT2_VERSION0xfefd:
5818 case DTLSV1DOT3_VERSION0xfefc:
5819 case DTLSV1DOT0_OPENSSL_VERSION0x100:
5820 case TLCPV1_VERSION0x101:
5821 blocksize = ssl_get_cipher_blocksize(decoder->cipher_suite);
5822 if (inl < blocksize) {
5823 ssl_debug_printf("ssl_decrypt_record failed: input %d has no space for IV %d\n",
5824 inl, blocksize);
5825 return -1;
5826 }
5827 pad = gcry_cipher_setiv(decoder->evp, in, blocksize);
5828 if (pad != 0) {
5829 ssl_debug_printf("ssl_decrypt_record failed: failed to set IV: %s %s\n",
5830 gcry_strsource (pad), gcry_strerror (pad));
5831 }
5832
5833 inl -= blocksize;
5834 in += blocksize;
5835 break;
5836 }
5837
5838 /* Encrypt-then-MAC for (D)TLS (RFC 7366) */
5839 if (ssl->state & SSL_ENCRYPT_THEN_MAC(1<<11)) {
5840 /*
5841 * MAC is calculated over (IV + ) ENCRYPTED contents:
5842 *
5843 * MAC(MAC_write_key, ... +
5844 * IV + // for TLS 1.1 or greater
5845 * TLSCiphertext.enc_content);
5846 */
5847 if (inl < maclen) {
5848 ssl_debug_printf("%s failed: input %d has no space for MAC %d\n",
5849 G_STRFUNC((const char*) (__func__)), inl, maclen);
5850 return -1;
5851 }
5852 inl -= maclen;
5853 mac = (uint8_t *)in + inl;
5854 mac_frag = (uint8_t *)in - blocksize;
5855 mac_fraglen = blocksize + inl;
5856 }
5857 }
5858
5859 /* First decrypt*/
5860 if ((pad = ssl_cipher_decrypt(&decoder->evp, out_str->data, out_str->data_len, in, inl)) != 0) {
5861 ssl_debug_printf("ssl_decrypt_record failed: ssl_cipher_decrypt: %s %s\n", gcry_strsource (pad),
5862 gcry_strerror (pad));
5863 return -1;
5864 }
5865
5866 ssl_print_data("Plaintext", out_str->data, inl);
5867 worklen=inl;
5868
5869
5870 /* strip padding for GenericBlockCipher */
5871 if (decoder->cipher_suite->mode == MODE_CBC) {
5872 if (inl < 1) { /* Should this check happen earlier? */
5873 ssl_debug_printf("ssl_decrypt_record failed: input length %d too small\n", inl);
5874 return -1;
5875 }
5876 pad=out_str->data[inl-1];
5877 if (worklen <= pad) {
5878 ssl_debug_printf("ssl_decrypt_record failed: padding %d too large for work %d\n",
5879 pad, worklen);
5880 return -1;
5881 }
5882 worklen-=(pad+1);
5883 ssl_debug_printf("ssl_decrypt_record found padding %d final len %d\n",
5884 pad, worklen);
5885 }
5886
5887 /* MAC for GenericStreamCipher and GenericBlockCipher.
5888 * (normal case without Encrypt-then-MAC (RFC 7366) extension. */
5889 if (!mac) {
5890 /*
5891 * MAC is calculated over the DECRYPTED contents:
5892 *
5893 * MAC(MAC_write_key, ... + TLSCompressed.fragment);
5894 */
5895 if (worklen < maclen) {
5896 ssl_debug_printf("%s wrong record len/padding outlen %d\n work %d\n", G_STRFUNC((const char*) (__func__)), *outl, worklen);
5897 return -1;
5898 }
5899 worklen -= maclen;
5900 mac = out_str->data + worklen;
5901 mac_frag = out_str->data;
5902 mac_fraglen = worklen;
5903 }
5904
5905 /* If NULL encryption active and no keys are available, do not bother
5906 * checking the MAC. We do not have keys for that. */
5907 if (decoder->cipher_suite->mode == MODE_STREAM &&
5908 decoder->cipher_suite->enc == ENC_NULL0x3D &&
5909 !(ssl->state & SSL_MASTER_SECRET(1<<5))) {
5910 ssl_debug_printf("MAC check skipped due to missing keys\n");
5911 decoder->seq++; // Increment this for display
5912 goto skip_mac;
5913 }
5914
5915 /* Now check the MAC */
5916 ssl_debug_printf("checking mac (len %d, version %X, ct %d seq %" PRIu64"l" "u" ")\n",
5917 worklen, ssl->session.version, ct, decoder->seq);
5918 if(ssl->session.version==SSLV3_VERSION0x300){
5919 if(ssl3_check_mac(decoder,ct,mac_frag,mac_fraglen,mac) < 0) {
5920 if(ignore_mac_failed) {
5921 ssl_debug_printf("ssl_decrypt_record: mac failed, but ignored for troubleshooting ;-)\n");
5922 }
5923 else{
5924 ssl_debug_printf("ssl_decrypt_record: mac failed\n");
5925 return -1;
5926 }
5927 }
5928 else{
5929 ssl_debug_printf("ssl_decrypt_record: mac ok\n");
5930 }
5931 }
5932 else if(ssl->session.version==TLSV1_VERSION0x301 || ssl->session.version==TLSV1DOT1_VERSION0x302 || ssl->session.version==TLSV1DOT2_VERSION0x303 || ssl->session.version==TLCPV1_VERSION0x101){
5933 if(tls_check_mac(decoder,ct,ssl->session.version,mac_frag,mac_fraglen,mac)< 0) {
5934 if(ignore_mac_failed) {
5935 ssl_debug_printf("ssl_decrypt_record: mac failed, but ignored for troubleshooting ;-)\n");
5936 }
5937 else{
5938 ssl_debug_printf("ssl_decrypt_record: mac failed\n");
5939 return -1;
5940 }
5941 }
5942 else{
5943 ssl_debug_printf("ssl_decrypt_record: mac ok\n");
5944 }
5945 }
5946 else if(ssl->session.version==DTLSV1DOT0_VERSION0xfeff ||
5947 ssl->session.version==DTLSV1DOT2_VERSION0xfefd ||
5948 ssl->session.version==DTLSV1DOT0_OPENSSL_VERSION0x100){
5949 /* Try rfc-compliant mac first, and if failed, try old openssl's non-rfc-compliant mac */
5950 if(dtls_check_mac(ssl,decoder,ct,mac_frag,mac_fraglen,mac,cid,cidl)>= 0) {
5951 ssl_debug_printf("ssl_decrypt_record: mac ok\n");
5952 }
5953 else if(tls_check_mac(decoder,ct,TLSV1_VERSION0x301,mac_frag,mac_fraglen,mac)>= 0) {
5954 ssl_debug_printf("ssl_decrypt_record: dtls rfc-compliant mac failed, but old openssl's non-rfc-compliant mac ok\n");
5955 }
5956 else if(ignore_mac_failed) {
5957 ssl_debug_printf("ssl_decrypt_record: mac failed, but ignored for troubleshooting ;-)\n");
5958 }
5959 else{
5960 ssl_debug_printf("ssl_decrypt_record: mac failed\n");
5961 return -1;
5962 }
5963 }
5964skip_mac:
5965
5966 *outl = worklen;
5967
5968 if (decoder->compression > 0) {
5969 ssl_debug_printf("ssl_decrypt_record: compression method %d\n", decoder->compression);
5970 ssl_data_copy(comp_str, out_str);
5971 ssl_print_data("Plaintext compressed", comp_str->data, worklen);
5972 if (!decoder->decomp) {
5973 ssl_debug_printf("decrypt_ssl3_record: no decoder available\n");
5974 return -1;
5975 }
5976 if (ssl_decompress_record(decoder->decomp, comp_str->data, worklen, out_str, &uncomplen) < 0) return -1;
5977 ssl_print_data("Plaintext uncompressed", out_str->data, uncomplen);
5978 *outl = uncomplen;
5979 }
5980
5981 return 0;
5982}
5983/* Record decryption glue based on security parameters }}} */
5984
5985
5986
5987#ifdef HAVE_LIBGNUTLS1
5988
5989/* RSA private key file processing {{{ */
5990static void
5991ssl_find_private_key_by_pubkey(SslDecryptSession *ssl,
5992 const gnutls_datum_t *subjectPublicKeyInfo)
5993{
5994 gnutls_pubkey_t pubkey = NULL((void*)0);
5995 cert_key_id_t key_id;
5996 size_t key_id_len = sizeof(key_id);
5997 int r;
5998
5999 if (!subjectPublicKeyInfo->size) {
6000 ssl_debug_printf("%s: could not find SubjectPublicKeyInfo\n", G_STRFUNC((const char*) (__func__)));
6001 return;
6002 }
6003
6004 r = gnutls_pubkey_init(&pubkey);
6005 if (r < 0) {
6006 ssl_debug_printf("%s: failed to init pubkey: %s\n",
6007 G_STRFUNC((const char*) (__func__)), gnutls_strerror(r));
6008 return;
6009 }
6010
6011 r = gnutls_pubkey_import(pubkey, subjectPublicKeyInfo, GNUTLS_X509_FMT_DER);
6012 if (r < 0) {
6013 ssl_debug_printf("%s: failed to import pubkey from handshake: %s\n",
6014 G_STRFUNC((const char*) (__func__)), gnutls_strerror(r));
6015 goto end;
6016 }
6017
6018 if (gnutls_pubkey_get_pk_algorithm(pubkey, NULL((void*)0)) != GNUTLS_PK_RSA) {
6019 ssl_debug_printf("%s: Not a RSA public key - ignoring.\n", G_STRFUNC((const char*) (__func__)));
6020 goto end;
6021 }
6022
6023 /* Generate a 20-byte SHA-1 hash. */
6024 r = gnutls_pubkey_get_key_id(pubkey, 0, key_id.key_id, &key_id_len);
6025 if (r < 0) {
6026 ssl_debug_printf("%s: failed to extract key id from pubkey: %s\n",
6027 G_STRFUNC((const char*) (__func__)), gnutls_strerror(r));
6028 goto end;
6029 }
6030
6031 if (key_id_len != sizeof(key_id)) {
6032 ssl_debug_printf("%s: expected Key ID size %zu, got %zu\n",
6033 G_STRFUNC((const char*) (__func__)), sizeof(key_id), key_id_len);
6034 goto end;
6035 }
6036
6037 ssl_print_data("Certificate.KeyID", key_id.key_id, key_id_len);
6038 ssl->cert_key_id = wmem_new(wmem_file_scope(), cert_key_id_t)((cert_key_id_t*)wmem_alloc((wmem_file_scope()), sizeof(cert_key_id_t
)));
6039 *ssl->cert_key_id = key_id;
6040
6041end:
6042 gnutls_pubkey_deinit(pubkey);
6043}
6044
6045/* RSA private key file processing }}} */
6046#endif /* HAVE_LIBGNUTLS */
6047
6048/*--- Start of dissector-related code below ---*/
6049
6050/* This is not a "protocol" but ensures that this gets called during
6051 * the handoff stage. */
6052void proto_reg_handoff_tls_utils(void);
6053
6054static dissector_handle_t base_tls_handle;
6055static dissector_handle_t dtls_handle;
6056
6057void
6058proto_reg_handoff_tls_utils(void)
6059{
6060 base_tls_handle = find_dissector("tls");
6061 dtls_handle = find_dissector("dtls");
6062}
6063
6064/* Look up an existing SslDecryptSession without creating one. Returns NULL if
6065 * no session exists. */
6066SslDecryptSession *
6067tls_get_session(conversation_t *conversation, int proto_ssl, uint8_t curr_layer_num)
6068{
6069 void *conv_data;
6070 wmem_map_t *session_map;
6071
6072 if (!conversation)
6073 return NULL((void*)0);
6074
6075 conv_data = conversation_get_proto_data(conversation, proto_ssl);
6076 if (conv_data == NULL((void*)0))
6077 return NULL((void*)0);
6078
6079 session_map = (wmem_map_t *)conv_data;
6080
6081 return (SslDecryptSession *)wmem_map_lookup(session_map,
6082 GUINT_TO_POINTER((unsigned)curr_layer_num)((gpointer) (gulong) ((unsigned)curr_layer_num)));
6083
6084}
6085
6086/* get ssl data for this session. if no ssl data is found allocate a new one*/
6087SslDecryptSession *
6088ssl_get_session(conversation_t *conversation, dissector_handle_t tls_handle, uint8_t curr_layer_num)
6089{
6090 void *conv_data;
6091 SslDecryptSession *ssl_session;
6092 int proto_ssl;
6093 wmem_map_t *session_map;
6094
6095 /* Note proto_ssl is tls for either the main tls_handle or the
6096 * tls13_handshake handle used by QUIC. */
6097 proto_ssl = dissector_handle_get_protocol_index(tls_handle);
6098 conv_data = conversation_get_proto_data(conversation, proto_ssl);
6099
6100 /* For nested TLS support, we store a wmem map of sessions indexed by layer number.
6101 * Using wmem_file_scope ensures the map is freed when the capture file is closed,
6102 * preventing memory leaks on capture reload. */
6103 if (conv_data != NULL((void*)0)) {
6104 session_map = (wmem_map_t *)conv_data;
6105 ssl_session = (SslDecryptSession *)wmem_map_lookup(session_map, GUINT_TO_POINTER((unsigned)curr_layer_num)((gpointer) (gulong) ((unsigned)curr_layer_num)));
6106 if (ssl_session != NULL((void*)0)) {
6107 return ssl_session;
6108 }
6109 } else {
6110 /* Create a new wmem map to store sessions by layer number */
6111 session_map = wmem_map_new(wmem_file_scope(), g_direct_hash, g_direct_equal);
6112 conversation_add_proto_data(conversation, proto_ssl, session_map);
6113 }
6114
6115 /* no previous SSL conversation info for this layer, initialize it. */
6116 ssl_session = wmem_new0(wmem_file_scope(), SslDecryptSession)((SslDecryptSession*)wmem_alloc0((wmem_file_scope()), sizeof(
SslDecryptSession)));
6117
6118 /* data_len is the part that is meaningful, not the allocated length */
6119 ssl_session->master_secret.data_len = 0;
6120 ssl_session->master_secret.data = ssl_session->_master_secret;
6121 ssl_session->session_id.data_len = 0;
6122 ssl_session->session_id.data = ssl_session->_session_id;
6123 ssl_session->client_random.data_len = 0;
6124 ssl_session->client_random.data = ssl_session->_client_random;
6125 ssl_session->server_random.data_len = 0;
6126 ssl_session->server_random.data = ssl_session->_server_random;
6127 ssl_session->session_ticket.data_len = 0;
6128 ssl_session->session_ticket.data = NULL((void*)0); /* will be re-alloced as needed */
6129 ssl_session->server_data_for_iv.data_len = 0;
6130 ssl_session->server_data_for_iv.data = ssl_session->_server_data_for_iv;
6131 ssl_session->client_data_for_iv.data_len = 0;
6132 ssl_session->client_data_for_iv.data = ssl_session->_client_data_for_iv;
6133 ssl_session->app_data_segment.data = NULL((void*)0);
6134 ssl_session->app_data_segment.data_len = 0;
6135 ssl_session->handshake_data.data=NULL((void*)0);
6136 ssl_session->handshake_data.data_len=0;
6137 ssl_session->ech_transcript.data=NULL((void*)0);
6138 ssl_session->ech_transcript.data_len=0;
6139
6140 /* Initialize parameters which are not necessary specific to decryption. */
6141 ssl_session->session.version = SSL_VER_UNKNOWN0;
6142 clear_address(&ssl_session->session.srv_addr);
6143 ssl_session->session.srv_ptype = PT_NONE;
6144 ssl_session->session.srv_port = 0;
6145 ssl_session->session.dtls13_current_epoch[0] = ssl_session->session.dtls13_current_epoch[1] = 0;
6146 ssl_session->session.dtls13_next_seq_num[0] = ssl_session->session.dtls13_next_seq_num[1] = 0;
6147 ssl_session->session.client_random.data_len = 0;
6148 ssl_session->session.client_random.data = ssl_session->session._client_random;
6149 memset(ssl_session->session.ech_confirmation, 0, sizeof(ssl_session->session.ech_confirmation));
6150 memset(ssl_session->session.hrr_ech_confirmation, 0, sizeof(ssl_session->session.hrr_ech_confirmation));
6151 memset(ssl_session->session.first_ech_auth_tag, 0, sizeof(ssl_session->session.first_ech_auth_tag));
6152 ssl_session->session.ech = false0;
6153 ssl_session->session.hrr_ech_declined = false0;
6154 ssl_session->session.first_ch_ech_frame = 0;
6155
6156 /* We want to increment the stream count for the normal tls handle and
6157 * dtls handle, but presumably not for the tls13_handshake handle used
6158 * by QUIC (it has its own Follow Stream handling, and the QUIC stream
6159 * doesn't get sent to the TLS follow tap.)
6160 */
6161 if (tls_handle == base_tls_handle) {
6162 ssl_session->session.stream = tls_increment_stream_count();
6163 } else if (tls_handle == dtls_handle) {
6164 ssl_session->session.stream = dtls_increment_stream_count();
6165 }
6166
6167 /* Store the session in the wmem map indexed by layer number */
6168 wmem_map_insert(session_map, GUINT_TO_POINTER((unsigned)curr_layer_num)((gpointer) (gulong) ((unsigned)curr_layer_num)), ssl_session);
6169
6170 return ssl_session;
6171}
6172
6173void ssl_reset_session(SslSession *session, SslDecryptSession *ssl, bool_Bool is_client)
6174{
6175 if (ssl) {
6176 /* Ensure that secrets are not restored using stale identifiers. Split
6177 * between client and server in case the packets somehow got out of order. */
6178 int clear_flags = SSL_HAVE_SESSION_KEY(1<<3) | SSL_MASTER_SECRET(1<<5) | SSL_PRE_MASTER_SECRET(1<<6);
6179
6180 if (is_client) {
6181 clear_flags |= SSL_CLIENT_EXTENDED_MASTER_SECRET(1<<7);
6182 ssl->session_id.data_len = 0;
6183 ssl->session_ticket.data_len = 0;
6184 ssl->master_secret.data_len = 0;
6185 ssl->client_random.data_len = 0;
6186 ssl->has_early_data = false0;
6187 if (ssl->handshake_data.data_len > 0) {
6188 // The EMS handshake hash starts with at the Client Hello,
6189 // ensure that any messages before it are forgotten.
6190 wmem_free(wmem_file_scope(), ssl->handshake_data.data);
6191 ssl->handshake_data.data = NULL((void*)0);
6192 ssl->handshake_data.data_len = 0;
6193 }
6194 } else {
6195 clear_flags |= SSL_SERVER_EXTENDED_MASTER_SECRET(1<<8) | SSL_NEW_SESSION_TICKET(1<<10);
6196 ssl->server_random.data_len = 0;
6197 ssl->pre_master_secret.data_len = 0;
6198#ifdef HAVE_LIBGNUTLS1
6199 ssl->cert_key_id = NULL((void*)0);
6200#endif
6201 ssl->psk.data_len = 0;
6202 }
6203
6204 if (ssl->state & clear_flags) {
6205 ssl_debug_printf("%s detected renegotiation, clearing 0x%02x (%s side)\n",
6206 G_STRFUNC((const char*) (__func__)), ssl->state & clear_flags, is_client ? "client" : "server");
6207 ssl->state &= ~clear_flags;
6208 }
6209 }
6210
6211 /* These flags might be used for non-decryption purposes and may affect the
6212 * dissection, so reset them as well. */
6213 if (is_client) {
6214 session->client_cert_type = 0;
6215 } else {
6216 session->compression = 0;
6217 session->server_cert_type = 0;
6218 /* session->is_session_resumed is already handled in the ServerHello dissection. */
6219 }
6220 session->dtls13_next_seq_num[0] = session->dtls13_next_seq_num[1] = 0;
6221 session->dtls13_current_epoch[0] = session->dtls13_current_epoch[1] = 0;
6222}
6223
6224void
6225tls_set_appdata_dissector(dissector_handle_t tls_handle, packet_info *pinfo,
6226 dissector_handle_t app_handle)
6227{
6228 conversation_t *conversation;
6229 SslSession *session;
6230 int proto = dissector_handle_get_protocol_index(tls_handle);
6231 uint8_t curr_layer_num = p_get_proto_depth(pinfo, proto);
6232
6233 /* Ignore if the TLS or other dissector is disabled. */
6234 if (!tls_handle || !app_handle)
6235 return;
6236
6237 conversation = find_or_create_conversation(pinfo);
6238 session = &ssl_get_session(conversation, tls_handle, curr_layer_num)->session;
6239 session->app_handle = app_handle;
6240}
6241
6242static uint32_t
6243ssl_starttls(dissector_handle_t tls_handle, packet_info *pinfo,
6244 dissector_handle_t app_handle, uint32_t last_nontls_frame)
6245{
6246 conversation_t *conversation;
6247 SslSession *session;
6248 int proto = dissector_handle_get_protocol_index(tls_handle);
6249 uint8_t curr_layer_num = p_get_proto_depth(pinfo, proto);
6250
6251 /* Ignore if the TLS dissector is disabled. */
6252 if (!tls_handle)
6253 return 0;
6254 /* The caller should always pass a valid handle to its own dissector. */
6255 DISSECTOR_ASSERT(app_handle)((void) ((app_handle) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 6255, "app_handle"))));
6256
6257 conversation = find_or_create_conversation(pinfo);
6258 session = &ssl_get_session(conversation, tls_handle, curr_layer_num)->session;
6259
6260 ssl_debug_printf("%s: old frame %d, app_handle=%p (%s)\n", G_STRFUNC((const char*) (__func__)),
6261 session->last_nontls_frame,
6262 (void *)session->app_handle,
6263 dissector_handle_get_dissector_name(session->app_handle));
6264 ssl_debug_printf("%s: current frame %d, app_handle=%p (%s)\n", G_STRFUNC((const char*) (__func__)),
6265 pinfo->num, (void *)app_handle,
6266 dissector_handle_get_dissector_name(app_handle));
6267
6268 /* Do not switch again if a dissector did it before. */
6269 if (session->last_nontls_frame) {
6270 ssl_debug_printf("%s: not overriding previous app handle!\n", G_STRFUNC((const char*) (__func__)));
6271 return session->last_nontls_frame;
6272 }
6273
6274 session->app_handle = app_handle;
6275 /* The TLS dissector should be called first for this conversation. */
6276 conversation_set_dissector(conversation, tls_handle);
6277 /* TLS starts after this frame. */
6278 session->last_nontls_frame = last_nontls_frame;
6279 return 0;
6280}
6281
6282/* ssl_starttls_ack: mark future frames as encrypted. */
6283uint32_t
6284ssl_starttls_ack(dissector_handle_t tls_handle, packet_info *pinfo,
6285 dissector_handle_t app_handle)
6286{
6287 return ssl_starttls(tls_handle, pinfo, app_handle, pinfo->num);
6288}
6289
6290uint32_t
6291ssl_starttls_post_ack(dissector_handle_t tls_handle, packet_info *pinfo,
6292 dissector_handle_t app_handle)
6293{
6294 return ssl_starttls(tls_handle, pinfo, app_handle, pinfo->num - 1);
6295}
6296
6297dissector_handle_t
6298ssl_find_appdata_dissector(const char *name)
6299{
6300 /* Accept 'http' for backwards compatibility and sanity. */
6301 if (!strcmp(name, "http"))
6302 name = "http-over-tls";
6303 /* XXX - Should this check to see if the dissector is actually added for
6304 * Decode As in the appropriate table?
6305 */
6306 return find_dissector(name);
6307}
6308
6309/* Functions for TLS/DTLS sessions and RSA private keys hashtables. {{{ */
6310static int
6311ssl_equal (const void *v, const void *v2)
6312{
6313 const StringInfo *val1;
6314 const StringInfo *val2;
6315 val1 = (const StringInfo *)v;
6316 val2 = (const StringInfo *)v2;
6317
6318 if (val1->data_len == val2->data_len &&
6319 !memcmp(val1->data, val2->data, val2->data_len)) {
6320 return 1;
6321 }
6322 return 0;
6323}
6324
6325static unsigned
6326ssl_hash (const void *v)
6327{
6328 unsigned l,hash;
6329 const StringInfo* id;
6330 const unsigned* cur;
6331 hash = 0;
6332 id = (const StringInfo*) v;
6333
6334 /* id and id->data are mallocated in ssl_save_master_key(). As such 'data'
6335 * should be aligned for any kind of access (for example as a unsigned as
6336 * is done below). The intermediate void* cast is to prevent "cast
6337 * increases required alignment of target type" warnings on CPUs (such
6338 * as SPARCs) that do not allow misaligned memory accesses.
6339 */
6340 cur = (const unsigned*)(void*) id->data;
6341
6342 for (l=4; (l < id->data_len); l+=4, cur++)
6343 hash = hash ^ (*cur);
6344
6345 return hash;
6346}
6347/* Functions for TLS/DTLS sessions and RSA private keys hashtables. }}} */
6348
6349/* Handling of association between tls/dtls ports and clear text protocol. {{{ */
6350void
6351ssl_association_add(const char* dissector_table_name, dissector_handle_t main_handle, dissector_handle_t subdissector_handle, unsigned port, bool_Bool tcp)
6352{
6353 DISSECTOR_ASSERT(main_handle)((void) ((main_handle) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 6353, "main_handle"))));
6354 DISSECTOR_ASSERT(subdissector_handle)((void) ((subdissector_handle) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 6354, "subdissector_handle"))));
6355 /* Registration is required for Export PDU feature to work properly. */
6356 DISSECTOR_ASSERT_HINT(dissector_handle_get_dissector_name(subdissector_handle),((void) ((dissector_handle_get_dissector_name(subdissector_handle
)) ? (void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\" (%s)"
, "epan/dissectors/packet-tls-utils.c", 6357, "dissector_handle_get_dissector_name(subdissector_handle)"
, "SSL appdata dissectors must register with register_dissector()!"
))))
6357 "SSL appdata dissectors must register with register_dissector()!")((void) ((dissector_handle_get_dissector_name(subdissector_handle
)) ? (void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\" (%s)"
, "epan/dissectors/packet-tls-utils.c", 6357, "dissector_handle_get_dissector_name(subdissector_handle)"
, "SSL appdata dissectors must register with register_dissector()!"
))));
6358 ssl_debug_printf("association_add %s port %d handle %p\n", dissector_table_name, port, (void *)subdissector_handle);
6359
6360 if (port) {
6361 dissector_add_uint(dissector_table_name, port, subdissector_handle);
6362 if (tcp)
6363 dissector_add_uint("tcp.port", port, main_handle);
6364 else
6365 dissector_add_uint("udp.port", port, main_handle);
6366 dissector_add_uint("sctp.port", port, main_handle);
6367 } else {
6368 dissector_add_for_decode_as(dissector_table_name, subdissector_handle);
6369 }
6370}
6371
6372void
6373ssl_association_remove(const char* dissector_table_name, dissector_handle_t main_handle, dissector_handle_t subdissector_handle, unsigned port, bool_Bool tcp)
6374{
6375 ssl_debug_printf("ssl_association_remove removing %s %u - handle %p\n",
6376 tcp?"TCP":"UDP", port, (void *)subdissector_handle);
6377 if (main_handle) {
6378 dissector_delete_uint(tcp?"tcp.port":"udp.port", port, main_handle);
6379 dissector_delete_uint("sctp.port", port, main_handle);
6380 }
6381
6382 if (port) {
6383 dissector_delete_uint(dissector_table_name, port, subdissector_handle);
6384 }
6385}
6386
6387void
6388ssl_set_server(SslSession *session, address *addr, port_type ptype, uint32_t port)
6389{
6390 copy_address_wmem(wmem_file_scope(), &session->srv_addr, addr);
6391 session->srv_ptype = ptype;
6392 session->srv_port = port;
6393}
6394
6395int
6396ssl_packet_from_server(SslSession *session, dissector_table_t table, const packet_info *pinfo)
6397{
6398 int ret;
6399 if (session && session->srv_addr.type != AT_NONE) {
6400 ret = (session->srv_ptype == pinfo->ptype) &&
6401 (session->srv_port == pinfo->srcport) &&
6402 addresses_equal(&session->srv_addr, &pinfo->src);
6403 } else {
6404 ret = (dissector_get_uint_handle(table, pinfo->srcport) != 0);
6405 }
6406
6407 ssl_debug_printf("packet_from_server: is from server - %s\n", (ret)?"TRUE":"FALSE");
6408 return ret;
6409}
6410/* Handling of association between tls/dtls ports and clear text protocol. }}} */
6411
6412
6413/* Links SSL records with the real packet data. {{{ */
6414SslPacketInfo *
6415tls_add_packet_info(int proto, packet_info *pinfo, uint8_t curr_layer_num_ssl)
6416{
6417 SslPacketInfo *pi = (SslPacketInfo *)p_get_proto_data(wmem_file_scope(), pinfo, proto, curr_layer_num_ssl);
6418 if (!pi) {
6419 pi = wmem_new0(wmem_file_scope(), SslPacketInfo)((SslPacketInfo*)wmem_alloc0((wmem_file_scope()), sizeof(SslPacketInfo
)));
6420 pi->srcport = pinfo->srcport;
6421 pi->destport = pinfo->destport;
6422 conversation_t *conv = find_or_create_conversation_strat(pinfo);
6423 SslDecryptSession *ssl_session = tls_get_session(conv, proto, curr_layer_num_ssl);
6424 if (ssl_session) {
6425 /* This can also be called by the QUIC TLS1.3 handshake only
6426 * dissector. That is not associated with a session, or a stream,
6427 * and doesn't need the information for Follow or Decode As. */
6428 pi->stream = ssl_session->session.stream;
6429 }
6430 p_add_proto_data(wmem_file_scope(), pinfo, proto, curr_layer_num_ssl, pi);
6431 }
6432
6433 return pi;
6434}
6435
6436/**
6437 * Remembers the decrypted TLS record fragment (TLSInnerPlaintext in TLS 1.3) to
6438 * avoid the need for a decoder in the second pass. Additionally, it remembers
6439 * sequence numbers (for reassembly and Follow TLS Stream).
6440 *
6441 * @param proto The protocol identifier (proto_ssl or proto_dtls).
6442 * @param pinfo The packet where the record originates from.
6443 * @param plain_data Decrypted plaintext to store in the record.
6444 * @param plain_data_len Total length of the plaintext.
6445 * @param content_len Length of the plaintext section corresponding to the record content.
6446 * @param record_id The identifier for this record within the current packet.
6447 * @param flow Information about sequence numbers, etc.
6448 * @param type TLS Content Type (such as handshake or application_data).
6449 * @param curr_layer_num_ssl The layer identifier for this TLS session.
6450 */
6451void
6452ssl_add_record_info(int proto, packet_info *pinfo,
6453 const unsigned char *plain_data, int plain_data_len, int content_len,
6454 int record_id, SslFlow *flow, ContentType type, uint8_t curr_layer_num_ssl,
6455 uint64_t record_seq)
6456{
6457 SslRecordInfo* rec, **prec;
6458 SslPacketInfo *pi = tls_add_packet_info(proto, pinfo, curr_layer_num_ssl);
6459
6460 ws_assert(content_len <= plain_data_len)do { if ((1) && !(content_len <= plain_data_len)) ws_log_fatal_full
("", LOG_LEVEL_ERROR, "epan/dissectors/packet-tls-utils.c", 6460
, __func__, "assertion failed: %s", "content_len <= plain_data_len"
); } while (0);
6461
6462 rec = wmem_new(wmem_file_scope(), SslRecordInfo)((SslRecordInfo*)wmem_alloc((wmem_file_scope()), sizeof(SslRecordInfo
)));
6463 rec->plain_data = (unsigned char *)wmem_memdup(wmem_file_scope(), plain_data, plain_data_len);
6464 rec->plain_data_len = plain_data_len;
6465 rec->content_len = content_len;
6466 rec->id = record_id;
6467 rec->type = type;
6468 rec->next = NULL((void*)0);
6469 rec->record_seq = record_seq;
6470
6471 if (flow && type == SSL_ID_APP_DATA) {
6472 rec->seq = flow->byte_seq;
6473 rec->flow = flow;
6474 flow->byte_seq += content_len;
6475 ssl_debug_printf("%s stored decrypted record seq=%d nxtseq=%d flow=%p\n",
6476 G_STRFUNC((const char*) (__func__)), rec->seq, rec->seq + content_len, (void*)flow);
6477 }
6478
6479 /* Remember decrypted records. */
6480 prec = &pi->records;
6481 while (*prec) prec = &(*prec)->next;
6482 *prec = rec;
6483}
6484
6485/* search in packet data for the specified id; return a newly created tvb for the associated data */
6486tvbuff_t*
6487ssl_get_record_info(tvbuff_t *parent_tvb, int proto, packet_info *pinfo, int record_id, uint8_t curr_layer_num_ssl, SslRecordInfo **matched_record)
6488{
6489 SslRecordInfo* rec;
6490 SslPacketInfo* pi;
6491 pi = (SslPacketInfo *)p_get_proto_data(wmem_file_scope(), pinfo, proto, curr_layer_num_ssl);
6492
6493 if (!pi)
6494 return NULL((void*)0);
6495
6496 for (rec = pi->records; rec; rec = rec->next)
6497 if (rec->id == record_id) {
6498 *matched_record = rec;
6499 /* link new real_data_tvb with a parent tvb so it is freed when frame dissection is complete */
6500 return tvb_new_child_real_data(parent_tvb, rec->plain_data, rec->plain_data_len, rec->plain_data_len);
6501 }
6502
6503 return NULL((void*)0);
6504}
6505/* Links SSL records with the real packet data. }}} */
6506
6507/* initialize/reset per capture state data (ssl sessions cache). {{{ */
6508void
6509ssl_common_init(ssl_master_key_map_t *mk_map,
6510 StringInfo *decrypted_data, StringInfo *compressed_data)
6511{
6512 mk_map->session = g_hash_table_new(ssl_hash, ssl_equal);
6513 mk_map->tickets = g_hash_table_new(ssl_hash, ssl_equal);
6514 mk_map->crandom = g_hash_table_new(ssl_hash, ssl_equal);
6515 mk_map->pre_master = g_hash_table_new(ssl_hash, ssl_equal);
6516 mk_map->pms = g_hash_table_new(ssl_hash, ssl_equal);
6517 mk_map->tls13_client_early = g_hash_table_new(ssl_hash, ssl_equal);
6518 mk_map->tls13_client_handshake = g_hash_table_new(ssl_hash, ssl_equal);
6519 mk_map->tls13_server_handshake = g_hash_table_new(ssl_hash, ssl_equal);
6520 mk_map->tls13_client_appdata = g_hash_table_new(ssl_hash, ssl_equal);
6521 mk_map->tls13_server_appdata = g_hash_table_new(ssl_hash, ssl_equal);
6522 mk_map->tls13_early_exporter = g_hash_table_new(ssl_hash, ssl_equal);
6523 mk_map->tls13_exporter = g_hash_table_new(ssl_hash, ssl_equal);
6524
6525 mk_map->ech_secret = g_hash_table_new(ssl_hash, ssl_equal);
6526 mk_map->ech_config = g_hash_table_new(ssl_hash, ssl_equal);
6527
6528 mk_map->used_crandom = g_hash_table_new(ssl_hash, ssl_equal);
6529
6530 ssl_data_alloc(decrypted_data, 32);
6531 ssl_data_alloc(compressed_data, 32);
6532}
6533
6534void
6535ssl_common_cleanup(ssl_master_key_map_t *mk_map, FILE **ssl_keylog_file,
6536 StringInfo *decrypted_data, StringInfo *compressed_data)
6537{
6538 g_hash_table_destroy(mk_map->session);
6539 g_hash_table_destroy(mk_map->tickets);
6540 g_hash_table_destroy(mk_map->crandom);
6541 g_hash_table_destroy(mk_map->pre_master);
6542 g_hash_table_destroy(mk_map->pms);
6543 g_hash_table_destroy(mk_map->tls13_client_early);
6544 g_hash_table_destroy(mk_map->tls13_client_handshake);
6545 g_hash_table_destroy(mk_map->tls13_server_handshake);
6546 g_hash_table_destroy(mk_map->tls13_client_appdata);
6547 g_hash_table_destroy(mk_map->tls13_server_appdata);
6548 g_hash_table_destroy(mk_map->tls13_early_exporter);
6549 g_hash_table_destroy(mk_map->tls13_exporter);
6550
6551 g_hash_table_destroy(mk_map->ech_secret);
6552 g_hash_table_destroy(mk_map->ech_config);
6553
6554 g_hash_table_destroy(mk_map->used_crandom);
6555
6556 g_free(decrypted_data->data);
6557 g_free(compressed_data->data);
6558
6559 /* close the previous keylog file now that the cache are cleared, this
6560 * allows the cache to be filled with the full keylog file contents. */
6561 if (*ssl_keylog_file) {
6562 fclose(*ssl_keylog_file);
6563 *ssl_keylog_file = NULL((void*)0);
6564 }
6565}
6566/* }}} */
6567
6568/* parse ssl related preferences (private keys and ports association strings) */
6569#if defined(HAVE_LIBGNUTLS1)
6570/* Load a single RSA key file item from preferences. {{{ */
6571void
6572ssl_parse_key_list(const ssldecrypt_assoc_t *uats, GHashTable *key_hash, const char* dissector_table_name, dissector_handle_t main_handle, bool_Bool tcp)
6573{
6574 gnutls_x509_privkey_t x509_priv_key;
6575 gnutls_privkey_t priv_key = NULL((void*)0);
6576 FILE* fp = NULL((void*)0);
6577 int ret;
6578 size_t key_id_len = 20;
6579 unsigned char *key_id = NULL((void*)0);
6580 char *err = NULL((void*)0);
6581 dissector_handle_t handle;
6582 /* try to load keys file first */
6583 fp = ws_fopenfopen(uats->keyfile, "rb");
6584 if (!fp) {
6585 report_open_failure(uats->keyfile, errno(*__errno_location ()), false0);
6586 return;
6587 }
6588
6589 if ((int)strlen(uats->password) == 0) {
6590 x509_priv_key = rsa_load_pem_key(fp, &err);
6591 } else {
6592 x509_priv_key = rsa_load_pkcs12(fp, uats->password, &err);
6593 }
6594 fclose(fp);
6595
6596 if (!x509_priv_key) {
6597 if (err) {
6598 report_failure("Can't load private key from %s: %s",
6599 uats->keyfile, err);
6600 g_free(err);
6601 } else
6602 report_failure("Can't load private key from %s: unknown error",
6603 uats->keyfile);
6604 return;
6605 }
6606 if (err) {
6607 report_failure("Load of private key from %s \"succeeded\" with error %s",
6608 uats->keyfile, err);
6609 g_free(err);
6610 }
6611
6612 gnutls_privkey_init(&priv_key);
6613 ret = gnutls_privkey_import_x509(priv_key, x509_priv_key,
6614 GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE|GNUTLS_PRIVKEY_IMPORT_COPY);
6615 if (ret < 0) {
6616 report_failure("Can't convert private key %s: %s",
6617 uats->keyfile, gnutls_strerror(ret));
6618 goto end;
6619 }
6620
6621 key_id = (unsigned char *) g_malloc0(key_id_len);
6622 ret = gnutls_x509_privkey_get_key_id(x509_priv_key, 0, key_id, &key_id_len);
6623 if (ret < 0) {
6624 report_failure("Can't calculate public key ID for %s: %s",
6625 uats->keyfile, gnutls_strerror(ret));
6626 goto end;
6627 }
6628 ssl_print_data("KeyID", key_id, key_id_len);
6629 if (key_id_len != 20) {
6630 report_failure("Expected Key ID size %u for %s, got %zu", 20,
6631 uats->keyfile, key_id_len);
6632 goto end;
6633 }
6634
6635 g_hash_table_replace(key_hash, key_id, priv_key);
6636 key_id = NULL((void*)0); /* used in key_hash, do not free. */
6637 priv_key = NULL((void*)0);
6638 ssl_debug_printf("ssl_init private key file %s successfully loaded.\n", uats->keyfile);
6639
6640 handle = ssl_find_appdata_dissector(uats->protocol);
6641 if (handle) {
6642 /* Port to subprotocol mapping */
6643 uint16_t port = 0;
6644 if (ws_strtou16(uats->port, NULL((void*)0), &port)) {
6645 if (port > 0) {
6646 ssl_debug_printf("ssl_init port '%d' filename '%s' password(only for p12 file) '%s'\n",
6647 port, uats->keyfile, uats->password);
6648
6649 ssl_association_add(dissector_table_name, main_handle, handle, port, tcp);
6650 }
6651 } else {
6652 if (strcmp(uats->port, "start_tls"))
6653 ssl_debug_printf("invalid ssl_init_port: %s\n", uats->port);
6654 }
6655 }
6656
6657end:
6658 gnutls_x509_privkey_deinit(x509_priv_key);
6659 gnutls_privkey_deinit(priv_key);
6660 g_free(key_id);
6661}
6662/* }}} */
6663#endif
6664
6665
6666/* Store/load a known (pre-)master secret from/for this SSL session. {{{ */
6667/** store a known (pre-)master secret into cache */
6668static void
6669ssl_save_master_key(const char *label, GHashTable *ht, StringInfo *key,
6670 StringInfo *mk)
6671{
6672 StringInfo *ht_key, *master_secret;
6673
6674 if (key->data_len == 0) {
6675 ssl_debug_printf("%s: not saving empty %s!\n", G_STRFUNC((const char*) (__func__)), label);
6676 return;
6677 }
6678
6679 if (mk->data_len == 0) {
6680 ssl_debug_printf("%s not saving empty (pre-)master secret for %s!\n",
6681 G_STRFUNC((const char*) (__func__)), label);
6682 return;
6683 }
6684
6685 /* ssl_hash() depends on session_ticket->data being aligned for unsigned access
6686 * so be careful in changing how it is allocated. */
6687 ht_key = ssl_data_clone(key);
6688 master_secret = ssl_data_clone(mk);
6689 g_hash_table_insert(ht, ht_key, master_secret);
6690
6691 ssl_debug_printf("%s inserted (pre-)master secret for %s\n", G_STRFUNC((const char*) (__func__)), label);
6692 ssl_print_string("stored key", ht_key);
6693 ssl_print_string("stored (pre-)master secret", master_secret);
6694}
6695
6696/** restore a (pre-)master secret given some key in the cache */
6697static bool_Bool
6698ssl_restore_master_key(SslDecryptSession *ssl, const char *label,
6699 bool_Bool is_pre_master, GHashTable *ht, StringInfo *key)
6700{
6701 StringInfo *ms;
6702
6703 if (key->data_len == 0) {
6704 ssl_debug_printf("%s can't restore %smaster secret using an empty %s\n",
6705 G_STRFUNC((const char*) (__func__)), is_pre_master ? "pre-" : "", label);
6706 return false0;
6707 }
6708
6709 ms = (StringInfo *)g_hash_table_lookup(ht, key);
6710 if (!ms) {
6711 ssl_debug_printf("%s can't find %smaster secret by %s\n", G_STRFUNC((const char*) (__func__)),
6712 is_pre_master ? "pre-" : "", label);
6713 return false0;
6714 }
6715
6716 /* (pre)master secret found, clear knowledge of other keys and set it in the
6717 * current conversation */
6718 ssl->state &= ~(SSL_MASTER_SECRET(1<<5) | SSL_PRE_MASTER_SECRET(1<<6) |
6719 SSL_HAVE_SESSION_KEY(1<<3));
6720 if (is_pre_master) {
6721 /* unlike master secret, pre-master secret has a variable size (48 for
6722 * RSA, varying for PSK) and is therefore not statically allocated */
6723 ssl->pre_master_secret.data = (unsigned char *) wmem_alloc(wmem_file_scope(),
6724 ms->data_len);
6725 ssl_data_set(&ssl->pre_master_secret, ms->data, ms->data_len);
6726 ssl->state |= SSL_PRE_MASTER_SECRET(1<<6);
6727 } else {
6728 ssl_data_set(&ssl->master_secret, ms->data, ms->data_len);
6729 ssl->state |= SSL_MASTER_SECRET(1<<5);
6730 }
6731 ssl_debug_printf("%s %smaster secret retrieved using %s\n", G_STRFUNC((const char*) (__func__)),
6732 is_pre_master ? "pre-" : "", label);
6733 ssl_print_string(label, key);
6734 ssl_print_string("(pre-)master secret", ms);
6735 return true1;
6736}
6737/* Store/load a known (pre-)master secret from/for this SSL session. }}} */
6738
6739/* Should be called when all parameters are ready (after ChangeCipherSpec), and
6740 * the decoder should be attempted to be initialized. {{{*/
6741void
6742ssl_finalize_decryption(SslDecryptSession *ssl, ssl_master_key_map_t *mk_map)
6743{
6744 if (ssl->session.version == TLSV1DOT3_VERSION0x304) {
1
Assuming field 'version' is not equal to TLSV1DOT3_VERSION
2
Taking false branch
6745 /* TLS 1.3 implementations only provide secrets derived from the master
6746 * secret which are loaded in tls13_change_key. No master secrets can be
6747 * loaded here, so just return. */
6748 return;
6749 }
6750 ssl_debug_printf("%s state = 0x%02X\n", G_STRFUNC((const char*) (__func__)), ssl->state);
6751 if (ssl->state & SSL_HAVE_SESSION_KEY(1<<3)) {
3
Assuming the condition is false
4
Taking false branch
6752 ssl_debug_printf(" session key already available, nothing to do.\n");
6753 return;
6754 }
6755 if (!(ssl->state & SSL_CIPHER(1<<2))) {
5
Assuming the condition is false
6756 ssl_debug_printf(" Cipher suite (Server Hello) is missing!\n");
6757 return;
6758 }
6759
6760 /* for decryption, there needs to be a master secret (which can be derived
6761 * from pre-master secret). If missing, try to pick a master key from cache
6762 * (an earlier packet in the capture or key logfile). */
6763 if (!(ssl->state & (SSL_MASTER_SECRET(1<<5) | SSL_PRE_MASTER_SECRET(1<<6))) &&
6
Assuming the condition is false
6764 !ssl_restore_master_key(ssl, "Session ID", false0,
6765 mk_map->session, &ssl->session_id) &&
6766 (!ssl->session.is_session_resumed ||
6767 !ssl_restore_master_key(ssl, "Session Ticket", false0,
6768 mk_map->tickets, &ssl->session_ticket)) &&
6769 !ssl_restore_master_key(ssl, "Client Random", false0,
6770 mk_map->crandom, &ssl->client_random)) {
6771 if (ssl->cipher_suite->enc != ENC_NULL0x3D) {
6772 /* how unfortunate, the master secret could not be found */
6773 ssl_debug_printf(" Cannot find master secret\n");
6774 return;
6775 } else {
6776 ssl_debug_printf(" Cannot find master secret, continuing anyway "
6777 "because of a NULL cipher\n");
6778 }
6779 }
6780
6781 if (ssl_generate_keyring_material(ssl) < 0) {
7
Calling 'ssl_generate_keyring_material'
6782 ssl_debug_printf("%s can't generate keyring material\n", G_STRFUNC((const char*) (__func__)));
6783 return;
6784 }
6785 /* Save Client Random/ Session ID for "SSL Export Session keys" */
6786 ssl_save_master_key("Client Random", mk_map->crandom,
6787 &ssl->client_random, &ssl->master_secret);
6788 ssl_save_master_key("Session ID", mk_map->session,
6789 &ssl->session_id, &ssl->master_secret);
6790 /* Only save the new secrets if the server sent the ticket. The client
6791 * ticket might have become stale. */
6792 if (ssl->state & SSL_NEW_SESSION_TICKET(1<<10)) {
6793 ssl_save_master_key("Session Ticket", mk_map->tickets,
6794 &ssl->session_ticket, &ssl->master_secret);
6795 }
6796} /* }}} */
6797
6798/* Load the traffic key secret from the keylog file. */
6799StringInfo *
6800tls13_load_secret(SslDecryptSession *ssl, ssl_master_key_map_t *mk_map,
6801 bool_Bool is_from_server, TLSRecordType type)
6802{
6803 GHashTable *key_map;
6804 const char *label;
6805
6806 if (ssl->session.version != TLSV1DOT3_VERSION0x304 && ssl->session.version != DTLSV1DOT3_VERSION0xfefc) {
6807 ssl_debug_printf("%s TLS version %#x is not 1.3\n", G_STRFUNC((const char*) (__func__)), ssl->session.version);
6808 return NULL((void*)0);
6809 }
6810
6811 if (ssl->client_random.data_len == 0) {
6812 /* May happen if Hello message is missing and Finished is found. */
6813 ssl_debug_printf("%s missing Client Random\n", G_STRFUNC((const char*) (__func__)));
6814 return NULL((void*)0);
6815 }
6816
6817 switch (type) {
6818 case TLS_SECRET_0RTT_APP:
6819 DISSECTOR_ASSERT(!is_from_server)((void) ((!is_from_server) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 6819, "!is_from_server"))));
6820 label = "CLIENT_EARLY_TRAFFIC_SECRET";
6821 key_map = mk_map->tls13_client_early;
6822 break;
6823 case TLS_SECRET_HANDSHAKE:
6824 if (is_from_server) {
6825 label = "SERVER_HANDSHAKE_TRAFFIC_SECRET";
6826 key_map = mk_map->tls13_server_handshake;
6827 } else {
6828 label = "CLIENT_HANDSHAKE_TRAFFIC_SECRET";
6829 key_map = mk_map->tls13_client_handshake;
6830 }
6831 break;
6832 case TLS_SECRET_APP:
6833 if (is_from_server) {
6834 label = "SERVER_TRAFFIC_SECRET_0";
6835 key_map = mk_map->tls13_server_appdata;
6836 } else {
6837 label = "CLIENT_TRAFFIC_SECRET_0";
6838 key_map = mk_map->tls13_client_appdata;
6839 }
6840 break;
6841 default:
6842 ws_assert_not_reached()ws_log_fatal_full("", LOG_LEVEL_ERROR, "epan/dissectors/packet-tls-utils.c"
, 6842, __func__, "assertion \"not reached\" failed");
6843 }
6844
6845 /* Transitioning to new keys, mark old ones as unusable. */
6846 ssl_debug_printf("%s transitioning to new key, old state 0x%02x\n", G_STRFUNC((const char*) (__func__)), ssl->state);
6847 ssl->state &= ~(SSL_MASTER_SECRET(1<<5) | SSL_PRE_MASTER_SECRET(1<<6) | SSL_HAVE_SESSION_KEY(1<<3));
6848
6849 StringInfo *secret = (StringInfo *)g_hash_table_lookup(key_map, &ssl->client_random);
6850 if (!secret) {
6851 ssl_debug_printf("%s Cannot find %s, decryption impossible\n", G_STRFUNC((const char*) (__func__)), label);
6852 /* Disable decryption, the keys are invalid. */
6853 if (is_from_server) {
6854 ssl->server = NULL((void*)0);
6855 } else {
6856 ssl->client = NULL((void*)0);
6857 }
6858 return NULL((void*)0);
6859 }
6860
6861 /* TLS 1.3 secret found, set new keys. */
6862 ssl_debug_printf("%s Retrieved TLS 1.3 traffic secret.\n", G_STRFUNC((const char*) (__func__)));
6863 ssl_print_string("Client Random", &ssl->client_random);
6864 ssl_print_string(label, secret);
6865 return secret;
6866}
6867
6868/* Load the new key. */
6869void
6870tls13_change_key(SslDecryptSession *ssl, ssl_master_key_map_t *mk_map,
6871 bool_Bool is_from_server, TLSRecordType type)
6872{
6873 if (ssl->state & SSL_QUIC_RECORD_LAYER(1<<13)) {
6874 /*
6875 * QUIC does not use the TLS record layer for message protection.
6876 * The required keys will be extracted later by QUIC.
6877 */
6878 return;
6879 }
6880
6881 StringInfo *secret = tls13_load_secret(ssl, mk_map, is_from_server, type);
6882 if (!secret) {
6883 if (type != TLS_SECRET_HANDSHAKE) {
6884 return;
6885 }
6886 /*
6887 * Workaround for when for some reason we don't have the handshake
6888 * secret but do have the application traffic secret. (#20240)
6889 * If we can't find the handshake secret, we'll never decrypt the
6890 * Finished message, so we won't know when to change to the app
6891 * traffic key, so we do so now.
6892 */
6893 type = TLS_SECRET_APP;
6894 secret = tls13_load_secret(ssl, mk_map, is_from_server, type);
6895 if (!secret) {
6896 return;
6897 }
6898 }
6899
6900 if (tls13_generate_keys(ssl, secret, is_from_server)) {
6901 /*
6902 * Remember the application traffic secret to support Key Update. The
6903 * other secrets cannot be used for this purpose, so free them.
6904 */
6905 SslDecoder *decoder = is_from_server ? ssl->server : ssl->client;
6906 StringInfo *app_secret = &decoder->app_traffic_secret;
6907 if (type == TLS_SECRET_APP) {
6908 app_secret->data = (unsigned char *) wmem_realloc(wmem_file_scope(),
6909 app_secret->data,
6910 secret->data_len);
6911 ssl_data_set(app_secret, secret->data, secret->data_len);
6912 } else {
6913 wmem_free(wmem_file_scope(), app_secret->data);
6914 app_secret->data = NULL((void*)0);
6915 app_secret->data_len = 0;
6916 }
6917 }
6918}
6919
6920/**
6921 * Update to next application data traffic secret for TLS 1.3. The previous
6922 * secret should have been set by tls13_change_key.
6923 */
6924void
6925tls13_key_update(SslDecryptSession *ssl, bool_Bool is_from_server)
6926{
6927 /* RFC 8446 Section 7.2:
6928 * application_traffic_secret_N+1 =
6929 * HKDF-Expand-Label(application_traffic_secret_N,
6930 * "traffic upd", "", Hash.length)
6931 *
6932 * Both application_traffic_secret_N are of the same length (Hash.length).
6933 */
6934 const SslCipherSuite *cipher_suite = ssl->cipher_suite;
6935 SslDecoder *decoder = is_from_server ? ssl->server : ssl->client;
6936 StringInfo *app_secret = decoder ? &decoder->app_traffic_secret : NULL((void*)0);
6937 uint8_t tls13_draft_version = ssl->session.tls13_draft_version;
6938
6939 if (!cipher_suite || !app_secret || app_secret->data_len == 0) {
6940 ssl_debug_printf("%s Cannot perform Key Update due to missing info\n", G_STRFUNC((const char*) (__func__)));
6941 return;
6942 }
6943
6944 /*
6945 * Previous traffic secret is available, so find the hash function,
6946 * expand the new traffic secret and generate new keys.
6947 */
6948 const char *hash_name = ssl_cipher_suite_dig(cipher_suite)->name;
6949 int hash_algo = ssl_get_digest_by_name(hash_name);
6950 const unsigned hash_len = app_secret->data_len;
6951 unsigned char *new_secret;
6952 const char *label = "traffic upd";
6953 if (tls13_draft_version && tls13_draft_version < 20) {
6954 label = "application traffic secret";
6955 }
6956 if (!tls13_hkdf_expand_label(hash_algo, app_secret,
6957 tls13_hkdf_label_prefix(ssl),
6958 label, hash_len, &new_secret)) {
6959 ssl_debug_printf("%s traffic_secret_N+1 expansion failed\n", G_STRFUNC((const char*) (__func__)));
6960 return;
6961 }
6962 ssl_data_set(app_secret, new_secret, hash_len);
6963 if (tls13_generate_keys(ssl, app_secret, is_from_server)) {
6964 /*
6965 * Remember the application traffic secret on the new decoder to
6966 * support another Key Update.
6967 */
6968 decoder = is_from_server ? ssl->server : ssl->client;
6969 app_secret = &decoder->app_traffic_secret;
6970 app_secret->data = (unsigned char *) wmem_realloc(wmem_file_scope(),
6971 app_secret->data,
6972 hash_len);
6973 ssl_data_set(app_secret, new_secret, hash_len);
6974 }
6975 wmem_free(NULL((void*)0), new_secret);
6976}
6977
6978void
6979tls_save_crandom(SslDecryptSession *ssl, ssl_master_key_map_t *mk_map)
6980{
6981 if (ssl && (ssl->state & SSL_CLIENT_RANDOM(1<<0))) {
6982 g_hash_table_add(mk_map->used_crandom, ssl_data_clone(&ssl->client_random));
6983 }
6984}
6985
6986/** SSL keylog file handling. {{{ */
6987
6988static GRegex *
6989ssl_compile_keyfile_regex(void)
6990{
6991#define OCTET "(?:[[:xdigit:]]{2})"
6992 const char *pattern =
6993 "(?:"
6994 /* Matches Client Hellos having this Client Random */
6995 "PMS_CLIENT_RANDOM (?<client_random_pms>" OCTET "{32}) "
6996 /* Matches first part of encrypted RSA pre-master secret */
6997 "|RSA (?<encrypted_pmk>" OCTET "{8}) "
6998 /* Pre-Master-Secret is given, it is 48 bytes for RSA,
6999 but it can be of any length for DHE */
7000 ")(?<pms>" OCTET "+)"
7001 "|(?:"
7002 /* Matches Server Hellos having a Session ID */
7003 "RSA Session-ID:(?<session_id>" OCTET "+) Master-Key:"
7004 /* Matches Client Hellos having this Client Random */
7005 "|CLIENT_RANDOM (?<client_random>" OCTET "{32}) "
7006 /* Master-Secret is given, its length is fixed */
7007 ")(?<master_secret>" OCTET "{" G_STRINGIFY(SSL_MASTER_SECRET_LENGTH)"48" "})"
7008 "|(?"
7009 /* TLS 1.3 Client Random to Derived Secrets mapping. */
7010 ":CLIENT_EARLY_TRAFFIC_SECRET (?<client_early>" OCTET "{32})"
7011 "|CLIENT_HANDSHAKE_TRAFFIC_SECRET (?<client_handshake>" OCTET "{32})"
7012 "|SERVER_HANDSHAKE_TRAFFIC_SECRET (?<server_handshake>" OCTET "{32})"
7013 "|CLIENT_TRAFFIC_SECRET_0 (?<client_appdata>" OCTET "{32})"
7014 "|SERVER_TRAFFIC_SECRET_0 (?<server_appdata>" OCTET "{32})"
7015 "|EARLY_EXPORTER_SECRET (?<early_exporter>" OCTET "{32})"
7016 "|EXPORTER_SECRET (?<exporter>" OCTET "{32})"
7017 /* ECH. Secret length is defined by HPKE KEM Nsecret and can vary between 32 and 64 bytes */
7018 /* These labels and their notation are specified in draft-ietf-tls-ech-keylogfile-01 */
7019 "|ECH_SECRET (?<ech_secret>" OCTET "{32,64})"
7020 "|ECH_CONFIG (?<ech_config>" OCTET "{22,})"
7021 ") (?<derived_secret>" OCTET "+)";
7022#undef OCTET
7023 static GRegex *regex = NULL((void*)0);
7024 GError *gerr = NULL((void*)0);
7025
7026 if (!regex) {
7027 regex = g_regex_new(pattern,
7028 (GRegexCompileFlags)(G_REGEX_OPTIMIZE | G_REGEX_ANCHORED | G_REGEX_RAW),
7029 G_REGEX_MATCH_ANCHORED, &gerr);
7030 if (gerr) {
7031 ssl_debug_printf("%s failed to compile regex: %s\n", G_STRFUNC((const char*) (__func__)),
7032 gerr->message);
7033 g_error_free(gerr);
7034 regex = NULL((void*)0);
7035 }
7036 }
7037
7038 return regex;
7039}
7040
7041typedef struct ssl_master_key_match_group {
7042 const char *re_group_name;
7043 GHashTable *master_key_ht;
7044} ssl_master_key_match_group_t;
7045
7046void
7047tls_keylog_process_lines(const ssl_master_key_map_t *mk_map, const uint8_t *data, unsigned datalen)
7048{
7049 ssl_master_key_match_group_t mk_groups[] = {
7050 { "encrypted_pmk", mk_map->pre_master },
7051 { "session_id", mk_map->session },
7052 { "client_random", mk_map->crandom },
7053 { "client_random_pms", mk_map->pms },
7054 /* TLS 1.3 map from Client Random to derived secret. */
7055 { "client_early", mk_map->tls13_client_early },
7056 { "client_handshake", mk_map->tls13_client_handshake },
7057 { "server_handshake", mk_map->tls13_server_handshake },
7058 { "client_appdata", mk_map->tls13_client_appdata },
7059 { "server_appdata", mk_map->tls13_server_appdata },
7060 { "early_exporter", mk_map->tls13_early_exporter },
7061 { "exporter", mk_map->tls13_exporter },
7062 { "ech_secret", mk_map->ech_secret },
7063 { "ech_config", mk_map->ech_config },
7064 };
7065
7066 /* The format of the file is a series of records with one of the following formats:
7067 * - "RSA xxxx yyyy"
7068 * Where xxxx are the first 8 bytes of the encrypted pre-master secret (hex-encoded)
7069 * Where yyyy is the cleartext pre-master secret (hex-encoded)
7070 * (this is the original format introduced with bug 4349)
7071 *
7072 * - "RSA Session-ID:xxxx Master-Key:yyyy"
7073 * Where xxxx is the SSL session ID (hex-encoded)
7074 * Where yyyy is the cleartext master secret (hex-encoded)
7075 * (added to support openssl s_client Master-Key output)
7076 * This is somewhat is a misnomer because there's nothing RSA specific
7077 * about this.
7078 *
7079 * - "PMS_CLIENT_RANDOM xxxx yyyy"
7080 * Where xxxx is the client_random from the ClientHello (hex-encoded)
7081 * Where yyyy is the cleartext pre-master secret (hex-encoded)
7082 * (This format allows SSL connections to be decrypted, if a user can
7083 * capture the PMS but could not recover the MS for a specific session
7084 * with a SSL Server.)
7085 *
7086 * - "CLIENT_RANDOM xxxx yyyy"
7087 * Where xxxx is the client_random from the ClientHello (hex-encoded)
7088 * Where yyyy is the cleartext master secret (hex-encoded)
7089 * (This format allows non-RSA SSL connections to be decrypted, i.e.
7090 * ECDHE-RSA.)
7091 *
7092 * - "CLIENT_EARLY_TRAFFIC_SECRET xxxx yyyy"
7093 * - "CLIENT_HANDSHAKE_TRAFFIC_SECRET xxxx yyyy"
7094 * - "SERVER_HANDSHAKE_TRAFFIC_SECRET xxxx yyyy"
7095 * - "CLIENT_TRAFFIC_SECRET_0 xxxx yyyy"
7096 * - "SERVER_TRAFFIC_SECRET_0 xxxx yyyy"
7097 * - "EARLY_EXPORTER_SECRET xxxx yyyy"
7098 * - "EXPORTER_SECRET xxxx yyyy"
7099 * Where xxxx is the client_random from the ClientHello (hex-encoded)
7100 * Where yyyy is the secret (hex-encoded) derived from the early,
7101 * handshake or master secrets. (This format is introduced with TLS 1.3
7102 * and supported by BoringSSL, OpenSSL, etc. See bug 12779.)
7103 */
7104 GRegex *regex = ssl_compile_keyfile_regex();
7105 if (!regex)
7106 return;
7107
7108 const char *next_line = (const char *)data;
7109 const char *line_end = next_line + datalen;
7110 while (next_line && next_line < line_end) {
7111 const char *line = next_line;
7112 next_line = (const char *)memchr(line, '\n', line_end - line);
7113 ssize_t linelen;
7114
7115 if (next_line) {
7116 linelen = next_line - line;
7117 next_line++; /* drop LF */
7118 } else {
7119 linelen = (ssize_t)(line_end - line);
7120 }
7121 if (linelen > 0 && line[linelen - 1] == '\r') {
7122 linelen--; /* drop CR */
7123 }
7124
7125 ssl_debug_printf(" checking keylog line: %.*s\n", (int)linelen, line);
7126 GMatchInfo *mi;
7127 if (g_regex_match_full(regex, line, linelen, 0, G_REGEX_MATCH_ANCHORED, &mi, NULL((void*)0))) {
7128 char *hex_key, *hex_pre_ms_or_ms;
7129 StringInfo *key = wmem_new(wmem_file_scope(), StringInfo)((StringInfo*)wmem_alloc((wmem_file_scope()), sizeof(StringInfo
)));
7130 StringInfo *pre_ms_or_ms = NULL((void*)0);
7131 GHashTable *ht = NULL((void*)0);
7132
7133 /* Is the PMS being supplied with the PMS_CLIENT_RANDOM
7134 * otherwise we will use the Master Secret
7135 */
7136 hex_pre_ms_or_ms = g_match_info_fetch_named(mi, "master_secret");
7137 if (hex_pre_ms_or_ms == NULL((void*)0) || !*hex_pre_ms_or_ms) {
7138 g_free(hex_pre_ms_or_ms);
7139 hex_pre_ms_or_ms = g_match_info_fetch_named(mi, "pms");
7140 }
7141 if (hex_pre_ms_or_ms == NULL((void*)0) || !*hex_pre_ms_or_ms) {
7142 g_free(hex_pre_ms_or_ms);
7143 hex_pre_ms_or_ms = g_match_info_fetch_named(mi, "derived_secret");
7144 }
7145 /* There is always a match, otherwise the regex is wrong. */
7146 DISSECTOR_ASSERT(hex_pre_ms_or_ms && strlen(hex_pre_ms_or_ms))((void) ((hex_pre_ms_or_ms && strlen(hex_pre_ms_or_ms
)) ? (void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\""
, "epan/dissectors/packet-tls-utils.c", 7146, "hex_pre_ms_or_ms && strlen(hex_pre_ms_or_ms)"
))));
7147
7148 /* convert from hex to bytes and save to hashtable */
7149 pre_ms_or_ms = wmem_new(wmem_file_scope(), StringInfo)((StringInfo*)wmem_alloc((wmem_file_scope()), sizeof(StringInfo
)));
7150 from_hex(pre_ms_or_ms, hex_pre_ms_or_ms, strlen(hex_pre_ms_or_ms));
7151 g_free(hex_pre_ms_or_ms);
7152
7153 /* Find a master key from any format (CLIENT_RANDOM, SID, ...) */
7154 for (unsigned i = 0; i < G_N_ELEMENTS(mk_groups)(sizeof (mk_groups) / sizeof ((mk_groups)[0])); i++) {
7155 ssl_master_key_match_group_t *g = &mk_groups[i];
7156 hex_key = g_match_info_fetch_named(mi, g->re_group_name);
7157 if (hex_key && *hex_key) {
7158 ssl_debug_printf(" matched %s\n", g->re_group_name);
7159 ht = g->master_key_ht;
7160 from_hex(key, hex_key, strlen(hex_key));
7161 g_free(hex_key);
7162 break;
7163 }
7164 g_free(hex_key);
7165 }
7166 DISSECTOR_ASSERT(ht)((void) ((ht) ? (void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\""
, "epan/dissectors/packet-tls-utils.c", 7166, "ht")))); /* Cannot be reached, or regex is wrong. */
7167
7168 g_hash_table_insert(ht, key, pre_ms_or_ms);
7169
7170 } else if (linelen > 0 && line[0] != '#') {
7171 ssl_debug_printf(" unrecognized line\n");
7172 }
7173 /* always free match info even if there is no match. */
7174 g_match_info_free(mi);
7175 }
7176}
7177
7178void
7179ssl_load_keyfile(const char *tls_keylog_filename, FILE **keylog_file,
7180 const ssl_master_key_map_t *mk_map)
7181{
7182 /* no need to try if no key log file is configured. */
7183 if (!tls_keylog_filename || !*tls_keylog_filename) {
7184 ssl_debug_printf("%s dtls/tls.keylog_file is not configured!\n",
7185 G_STRFUNC((const char*) (__func__)));
7186 return;
7187 }
7188
7189 /* Validate regexes before even trying to use it. */
7190 if (!ssl_compile_keyfile_regex()) {
7191 return;
7192 }
7193
7194 ssl_debug_printf("trying to use TLS keylog in %s\n", tls_keylog_filename);
7195
7196 /* if the keylog file was deleted/overwritten, re-open it */
7197 if (*keylog_file && file_needs_reopen(ws_filenofileno(*keylog_file), tls_keylog_filename)) {
7198 ssl_debug_printf("%s file got deleted, trying to re-open\n", G_STRFUNC((const char*) (__func__)));
7199 fclose(*keylog_file);
7200 *keylog_file = NULL((void*)0);
7201 }
7202
7203 if (*keylog_file == NULL((void*)0)) {
7204 *keylog_file = ws_fopenfopen(tls_keylog_filename, "r");
7205 if (!*keylog_file) {
7206 ssl_debug_printf("%s failed to open SSL keylog\n", G_STRFUNC((const char*) (__func__)));
7207 return;
7208 }
7209 }
7210
7211 for (;;) {
7212 char buf[1110], *line;
7213 line = fgets(buf, sizeof(buf), *keylog_file);
7214 if (!line) {
7215 if (feof(*keylog_file)) {
7216 /* Ensure that newly appended keys can be read in the future. */
7217 clearerr(*keylog_file);
7218 } else if (ferror(*keylog_file)) {
7219 ssl_debug_printf("%s Error while reading key log file, closing it!\n", G_STRFUNC((const char*) (__func__)));
7220 fclose(*keylog_file);
7221 *keylog_file = NULL((void*)0);
7222 }
7223 break;
7224 }
7225 tls_keylog_process_lines(mk_map, (uint8_t *)line, (int)strlen(line));
7226 }
7227}
7228/** SSL keylog file handling. }}} */
7229
7230#ifdef SSL_DECRYPT_DEBUG /* {{{ */
7231
7232static FILE* ssl_debug_file;
7233
7234void
7235ssl_set_debug(const char* name)
7236{
7237 static int debug_file_must_be_closed;
7238 int use_stderr;
7239
7240 use_stderr = name?(strcmp(name, SSL_DEBUG_USE_STDERR"-") == 0):0;
7241
7242 if (debug_file_must_be_closed)
7243 fclose(ssl_debug_file);
7244
7245 if (use_stderr)
7246 ssl_debug_file = stderrstderr;
7247 else if (!name || (strcmp(name, "") ==0))
7248 ssl_debug_file = NULL((void*)0);
7249 else
7250 ssl_debug_file = ws_fopenfopen(name, "w");
7251
7252 if (!use_stderr && ssl_debug_file)
7253 debug_file_must_be_closed = 1;
7254 else
7255 debug_file_must_be_closed = 0;
7256
7257 ssl_debug_printf("Wireshark SSL debug log \n\n");
7258#ifdef HAVE_LIBGNUTLS1
7259 ssl_debug_printf("GnuTLS version: %s\n", gnutls_check_version(NULL((void*)0)));
7260#endif
7261 ssl_debug_printf("Libgcrypt version: %s\n", gcry_check_version(NULL((void*)0)));
7262 ssl_debug_printf("\n");
7263}
7264
7265void
7266ssl_debug_flush(void)
7267{
7268 if (ssl_debug_file)
7269 fflush(ssl_debug_file);
7270}
7271
7272void
7273ssl_debug_printf(const char* fmt, ...)
7274{
7275 va_list ap;
7276
7277 if (!ssl_debug_file)
7278 return;
7279
7280 va_start(ap, fmt)__builtin_va_start(ap, fmt);
7281 vfprintf(ssl_debug_file, fmt, ap);
7282 va_end(ap)__builtin_va_end(ap);
7283}
7284
7285void
7286ssl_print_data(const char* name, const unsigned char* data, size_t len)
7287{
7288 size_t i, j, k;
7289 if (!ssl_debug_file)
7290 return;
7291 fprintf(ssl_debug_file,"%s[%d]:\n",name, (int) len);
7292 for (i=0; i<len; i+=16) {
7293 fprintf(ssl_debug_file,"| ");
7294 for (j=i, k=0; k<16 && j<len; ++j, ++k)
7295 fprintf(ssl_debug_file,"%.2x ",data[j]);
7296 for (; k<16; ++k)
7297 fprintf(ssl_debug_file," ");
7298 fputc('|', ssl_debug_file);
7299 for (j=i, k=0; k<16 && j<len; ++j, ++k) {
7300 unsigned char c = data[j];
7301 if (!g_ascii_isprint(c)((g_ascii_table[(guchar) (c)] & G_ASCII_PRINT) != 0) || (c=='\t')) c = '.';
7302 fputc(c, ssl_debug_file);
7303 }
7304 for (; k<16; ++k)
7305 fputc(' ', ssl_debug_file);
7306 fprintf(ssl_debug_file,"|\n");
7307 }
7308}
7309
7310void
7311ssl_print_string(const char* name, const StringInfo* data)
7312{
7313 ssl_print_data(name, data->data, data->data_len);
7314}
7315#endif /* SSL_DECRYPT_DEBUG }}} */
7316
7317/* UAT preferences callbacks. {{{ */
7318/* checks for SSL and DTLS UAT key list fields */
7319
7320bool_Bool
7321ssldecrypt_uat_fld_ip_chk_cb(void* r _U___attribute__((unused)), const char* p _U___attribute__((unused)), unsigned len _U___attribute__((unused)), const void* u1 _U___attribute__((unused)), const void* u2 _U___attribute__((unused)), char** err)
7322{
7323 // This should be removed in favor of Decode As. Make it optional.
7324 *err = NULL((void*)0);
7325 return true1;
7326}
7327
7328bool_Bool
7329ssldecrypt_uat_fld_port_chk_cb(void* r _U___attribute__((unused)), const char* p, unsigned len _U___attribute__((unused)), const void* u1 _U___attribute__((unused)), const void* u2 _U___attribute__((unused)), char** err)
7330{
7331 if (!p || strlen(p) == 0u) {
7332 // This should be removed in favor of Decode As. Make it optional.
7333 *err = NULL((void*)0);
7334 return true1;
7335 }
7336
7337 if (strcmp(p, "start_tls") != 0){
7338 uint16_t port;
7339 if (!ws_strtou16(p, NULL((void*)0), &port)) {
7340 *err = g_strdup("Invalid port given.")g_strdup_inline ("Invalid port given.");
7341 return false0;
7342 }
7343 }
7344
7345 *err = NULL((void*)0);
7346 return true1;
7347}
7348
7349bool_Bool
7350ssldecrypt_uat_fld_fileopen_chk_cb(void* r _U___attribute__((unused)), const char* p, unsigned len _U___attribute__((unused)), const void* u1 _U___attribute__((unused)), const void* u2 _U___attribute__((unused)), char** err)
7351{
7352 ws_statb64struct stat st;
7353
7354 if (!p || strlen(p) == 0u) {
7355 *err = g_strdup("No filename given.")g_strdup_inline ("No filename given.");
7356 return false0;
7357 } else {
7358 if (ws_stat64stat(p, &st) != 0) {
7359 *err = ws_strdup_printf("File '%s' does not exist or access is denied.", p)wmem_strdup_printf(((void*)0), "File '%s' does not exist or access is denied."
, p);
7360 return false0;
7361 }
7362 }
7363
7364 *err = NULL((void*)0);
7365 return true1;
7366}
7367
7368bool_Bool
7369ssldecrypt_uat_fld_password_chk_cb(void *r _U___attribute__((unused)), const char *p _U___attribute__((unused)), unsigned len _U___attribute__((unused)), const void *u1 _U___attribute__((unused)), const void *u2 _U___attribute__((unused)), char **err)
7370{
7371#if defined(HAVE_LIBGNUTLS1)
7372 ssldecrypt_assoc_t* f = (ssldecrypt_assoc_t *)r;
7373 FILE *fp = NULL((void*)0);
7374
7375 if (p && (strlen(p) > 0u)) {
7376 fp = ws_fopenfopen(f->keyfile, "rb");
7377 if (fp) {
7378 char *msg = NULL((void*)0);
7379 gnutls_x509_privkey_t priv_key = rsa_load_pkcs12(fp, p, &msg);
7380 if (!priv_key) {
7381 fclose(fp);
7382 *err = ws_strdup_printf("Could not load PKCS#12 key file: %s", msg)wmem_strdup_printf(((void*)0), "Could not load PKCS#12 key file: %s"
, msg);
7383 g_free(msg);
7384 return false0;
7385 }
7386 g_free(msg);
7387 gnutls_x509_privkey_deinit(priv_key);
7388 fclose(fp);
7389 } else {
7390 *err = ws_strdup_printf("Leave this field blank if the keyfile is not PKCS#12.")wmem_strdup_printf(((void*)0), "Leave this field blank if the keyfile is not PKCS#12."
);
7391 return false0;
7392 }
7393 }
7394
7395 *err = NULL((void*)0);
7396 return true1;
7397#else
7398 *err = g_strdup("Cannot load key files, support is not compiled in.")g_strdup_inline ("Cannot load key files, support is not compiled in."
);
7399 return false0;
7400#endif
7401}
7402/* UAT preferences callbacks. }}} */
7403
7404/** maximum size of ssl_association_info() string */
7405#define SSL_ASSOC_MAX_LEN8192 8192
7406
7407typedef struct ssl_association_info_callback_data
7408{
7409 char *str;
7410 const char *table_protocol;
7411} ssl_association_info_callback_data_t;
7412
7413/**
7414 * callback function used by ssl_association_info() to traverse the SSL associations.
7415 */
7416static void
7417ssl_association_info_(const char *table _U___attribute__((unused)), void *handle, void *user_data)
7418{
7419 ssl_association_info_callback_data_t* data = (ssl_association_info_callback_data_t*)user_data;
7420 const int l = (const int)strlen(data->str);
7421 snprintf(data->str+l, SSL_ASSOC_MAX_LEN8192-l, "'%s' (%s)\n", dissector_handle_get_dissector_name((dissector_handle_t)handle), dissector_handle_get_description((dissector_handle_t)handle));
7422}
7423
7424/**
7425 * @return an information string on the SSL protocol associations. The string must be freed.
7426 */
7427char*
7428ssl_association_info(const char* dissector_table_name, const char* table_protocol)
7429{
7430 ssl_association_info_callback_data_t data;
7431
7432 data.str = (char *)g_malloc0(SSL_ASSOC_MAX_LEN8192);
7433 data.table_protocol = table_protocol;
7434 dissector_table_foreach_handle(dissector_table_name, ssl_association_info_, &data);
7435 return data.str;
7436}
7437
7438
7439/** Begin of code related to dissection of wire data. */
7440
7441/* Helpers for dissecting Variable-Length Vectors. {{{ */
7442bool_Bool
7443ssl_add_vector(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
7444 unsigned offset, unsigned offset_end, uint32_t *ret_length,
7445 int hf_length, uint32_t min_value, uint32_t max_value)
7446{
7447 unsigned veclen_size;
7448 uint32_t veclen_value;
7449 proto_item *pi;
7450
7451 DISSECTOR_ASSERT_CMPUINT(min_value, <=, max_value)((void) ((min_value <= max_value) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion " "min_value" " " "<=" " " "max_value"
" (" "%" "l" "u" " " "<=" " " "%" "l" "u" ")", "epan/dissectors/packet-tls-utils.c"
, 7451, (uint64_t)min_value, (uint64_t)max_value))));
7452 if (offset > offset_end) {
7453 expert_add_info_format(pinfo, tree, &hf->ei.malformed_buffer_too_small,
7454 "Vector offset is past buffer end offset (%u > %u)",
7455 offset, offset_end);
7456 *ret_length = 0;
7457 return false0; /* Cannot read length. */
7458 }
7459
7460 if (max_value > 0xffffff) {
7461 veclen_size = 4;
7462 } else if (max_value > 0xffff) {
7463 veclen_size = 3;
7464 } else if (max_value > 0xff) {
7465 veclen_size = 2;
7466 } else {
7467 veclen_size = 1;
7468 }
7469
7470 if (offset_end - offset < veclen_size) {
7471 proto_tree_add_expert_format(tree, pinfo, &hf->ei.malformed_buffer_too_small,
7472 tvb, offset, offset_end - offset,
7473 "No more room for vector of length %u",
7474 veclen_size);
7475 *ret_length = 0;
7476 return false0; /* Cannot read length. */
7477 }
7478
7479 pi = proto_tree_add_item_ret_uint(tree, hf_length, tvb, offset, veclen_size, ENC_BIG_ENDIAN0x00000000, &veclen_value);
7480 offset += veclen_size;
7481
7482 if (veclen_value < min_value) {
7483 expert_add_info_format(pinfo, pi, &hf->ei.malformed_vector_length,
7484 "Vector length %u is smaller than minimum %u",
7485 veclen_value, min_value);
7486 } else if (veclen_value > max_value) {
7487 expert_add_info_format(pinfo, pi, &hf->ei.malformed_vector_length,
7488 "Vector length %u is larger than maximum %u",
7489 veclen_value, max_value);
7490 }
7491
7492 if (offset_end - offset < veclen_value) {
7493 expert_add_info_format(pinfo, pi, &hf->ei.malformed_buffer_too_small,
7494 "Vector length %u is too large, truncating it to %u",
7495 veclen_value, offset_end - offset);
7496 *ret_length = offset_end - offset;
7497 return false0; /* Length is truncated to avoid overflow. */
7498 }
7499
7500 *ret_length = veclen_value;
7501 return true1; /* Length is OK. */
7502}
7503
7504bool_Bool
7505ssl_end_vector(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
7506 unsigned offset, unsigned offset_end)
7507{
7508 if (offset < offset_end) {
7509 unsigned trailing = offset_end - offset;
7510 proto_tree_add_expert_format(tree, pinfo, &hf->ei.malformed_trailing_data,
7511 tvb, offset, trailing,
7512 "%u trailing byte%s unprocessed",
7513 trailing, plurality(trailing, " was", "s were")((trailing) == 1 ? (" was") : ("s were")));
7514 return false0; /* unprocessed data warning */
7515 } else if (offset > offset_end) {
7516 /*
7517 * Returned offset runs past the end. This should not happen and is
7518 * possibly a dissector bug.
7519 */
7520 unsigned excess = offset - offset_end;
7521 proto_tree_add_expert_format(tree, pinfo, &hf->ei.malformed_buffer_too_small,
7522 tvb, offset_end, excess,
7523 "Dissector processed too much data (%u byte%s)",
7524 excess, plurality(excess, "", "s")((excess) == 1 ? ("") : ("s")));
7525 return false0; /* overflow error */
7526 }
7527
7528 return true1; /* OK, offset matches. */
7529}
7530/** }}} */
7531
7532
7533static uint32_t
7534ssl_dissect_digitally_signed(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
7535 proto_tree *tree, uint32_t offset, uint32_t offset_end,
7536 uint16_t version, int hf_sig_len, int hf_sig);
7537
7538/* change_cipher_spec(20) dissection */
7539void
7540ssl_dissect_change_cipher_spec(ssl_common_dissect_t *hf, tvbuff_t *tvb,
7541 packet_info *pinfo, proto_tree *tree,
7542 uint32_t offset, SslSession *session,
7543 bool_Bool is_from_server,
7544 const SslDecryptSession *ssl)
7545{
7546 /*
7547 * struct {
7548 * enum { change_cipher_spec(1), (255) } type;
7549 * } ChangeCipherSpec;
7550 */
7551 proto_item *ti;
7552 proto_item_set_text(tree,
7553 "%s Record Layer: %s Protocol: Change Cipher Spec",
7554 val_to_str_const(session->version, ssl_version_short_names, "SSL"),
7555 val_to_str_const(SSL_ID_CHG_CIPHER_SPEC, ssl_31_content_type, "unknown"));
7556 ti = proto_tree_add_item(tree, hf->hf.change_cipher_spec, tvb, offset, 1, ENC_NA0x00000000);
7557
7558 if (session->version == TLSV1DOT3_VERSION0x304) {
7559 /* CCS is a dummy message in TLS 1.3, do not parse it further. */
7560 return;
7561 }
7562
7563 /* Remember frame number of first CCS */
7564 uint32_t *ccs_frame = is_from_server ? &session->server_ccs_frame : &session->client_ccs_frame;
7565 if (*ccs_frame == 0)
7566 *ccs_frame = pinfo->num;
7567
7568 /* Use heuristics to detect an abbreviated handshake, assume that missing
7569 * ServerHelloDone implies reusing previously negotiating keys. Then when
7570 * a Session ID or ticket is present, it must be a resumed session.
7571 * Normally this should be done at the Finished message, but that may be
7572 * encrypted so we do it here, at the last cleartext message. */
7573 if (is_from_server && ssl) {
7574 if (session->is_session_resumed) {
7575 const char *resumed = NULL((void*)0);
7576 if (ssl->session_ticket.data_len) {
7577 resumed = "Session Ticket";
7578 } else if (ssl->session_id.data_len) {
7579 resumed = "Session ID";
7580 }
7581 if (resumed) {
7582 ssl_debug_printf("%s Session resumption using %s\n", G_STRFUNC((const char*) (__func__)), resumed);
7583 } else {
7584 /* Can happen if the capture somehow starts in the middle */
7585 ssl_debug_printf("%s No Session resumption, missing packets?\n", G_STRFUNC((const char*) (__func__)));
7586 }
7587 } else {
7588 ssl_debug_printf("%s Not using Session resumption\n", G_STRFUNC((const char*) (__func__)));
7589 }
7590 }
7591 if (is_from_server && session->is_session_resumed)
7592 expert_add_info(pinfo, ti, &hf->ei.resumed);
7593}
7594
7595/** Begin of handshake(22) record dissections */
7596
7597/* Dissects a SignatureScheme (TLS 1.3) or SignatureAndHashAlgorithm (TLS 1.2).
7598 * {{{ */
7599static void
7600tls_dissect_signature_algorithm(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree, uint32_t offset, ja4_data_t *ja4_data)
7601{
7602 uint32_t sighash, hashalg, sigalg;
7603 proto_item *ti_sigalg;
7604 proto_tree *sigalg_tree;
7605
7606 ti_sigalg = proto_tree_add_item_ret_uint(tree, hf->hf.hs_sig_hash_alg, tvb,
7607 offset, 2, ENC_BIG_ENDIAN0x00000000, &sighash);
7608 if (ja4_data) {
7609 wmem_list_append(ja4_data->sighash_list, GUINT_TO_POINTER(sighash)((gpointer) (gulong) (sighash)));
7610 }
7611
7612 sigalg_tree = proto_item_add_subtree(ti_sigalg, hf->ett.hs_sig_hash_alg);
7613
7614 /* TLS 1.2: SignatureAndHashAlgorithm { hash, signature } */
7615 proto_tree_add_item_ret_uint(sigalg_tree, hf->hf.hs_sig_hash_hash, tvb,
7616 offset, 1, ENC_BIG_ENDIAN0x00000000, &hashalg);
7617 proto_tree_add_item_ret_uint(sigalg_tree, hf->hf.hs_sig_hash_sig, tvb,
7618 offset + 1, 1, ENC_BIG_ENDIAN0x00000000, &sigalg);
7619
7620 /* No TLS 1.3 SignatureScheme? Fallback to TLS 1.2 interpretation. */
7621 if (!try_val_to_str(sighash, tls13_signature_algorithm)) {
7622 proto_item_set_text(ti_sigalg, "Signature Algorithm: %s %s (0x%04x)",
7623 val_to_str_const(hashalg, tls_hash_algorithm, "Unknown"),
7624 val_to_str_const(sigalg, tls_signature_algorithm, "Unknown"),
7625 sighash);
7626 }
7627} /* }}} */
7628
7629/* dissect a list of hash algorithms, return the number of bytes dissected
7630 this is used for the signature algorithms extension and for the
7631 TLS1.2 certificate request. {{{ */
7632static int
7633ssl_dissect_hash_alg_list(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree,
7634 packet_info* pinfo, uint32_t offset, uint32_t offset_end, ja4_data_t *ja4_data)
7635{
7636 /* https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1
7637 * struct {
7638 * HashAlgorithm hash;
7639 * SignatureAlgorithm signature;
7640 * } SignatureAndHashAlgorithm;
7641 * SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2>;
7642 */
7643 proto_tree *subtree;
7644 proto_item *ti;
7645 unsigned sh_alg_length;
7646 uint32_t next_offset;
7647
7648 /* SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2> */
7649 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &sh_alg_length,
7650 hf->hf.hs_sig_hash_alg_len, 2, UINT16_MAX(65535) - 1)) {
7651 return offset_end;
7652 }
7653 offset += 2;
7654 next_offset = offset + sh_alg_length;
7655
7656 ti = proto_tree_add_none_format(tree, hf->hf.hs_sig_hash_algs, tvb, offset, sh_alg_length,
7657 "Signature Hash Algorithms (%u algorithm%s)",
7658 sh_alg_length / 2, plurality(sh_alg_length / 2, "", "s")((sh_alg_length / 2) == 1 ? ("") : ("s")));
7659 subtree = proto_item_add_subtree(ti, hf->ett.hs_sig_hash_algs);
7660
7661 while (offset + 2 <= next_offset) {
7662 tls_dissect_signature_algorithm(hf, tvb, subtree, offset, ja4_data);
7663 offset += 2;
7664 }
7665
7666 if (!ssl_end_vector(hf, tvb, pinfo, subtree, offset, next_offset)) {
7667 offset = next_offset;
7668 }
7669
7670 return offset;
7671} /* }}} */
7672
7673/* Dissection of DistinguishedName (for CertificateRequest and
7674 * certificate_authorities extension). {{{ */
7675static uint32_t
7676tls_dissect_certificate_authorities(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
7677 proto_tree *tree, uint32_t offset, uint32_t offset_end)
7678{
7679 proto_item *ti;
7680 proto_tree *subtree;
7681 uint32_t dnames_length, next_offset;
7682 asn1_ctx_t asn1_ctx;
7683 int dnames_count = 100; /* the maximum number of DNs to add to the tree */
7684
7685 /* Note: minimum length is 0 for TLS 1.1/1.2 and 3 for earlier/later */
7686 /* DistinguishedName certificate_authorities<0..2^16-1> */
7687 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &dnames_length,
7688 hf->hf.hs_dnames_len, 0, UINT16_MAX(65535))) {
7689 return offset_end;
7690 }
7691 offset += 2;
7692 next_offset = offset + dnames_length;
7693
7694 if (dnames_length > 0) {
7695 ti = proto_tree_add_none_format(tree,
7696 hf->hf.hs_dnames,
7697 tvb, offset, dnames_length,
7698 "Distinguished Names (%d byte%s)",
7699 dnames_length,
7700 plurality(dnames_length, "", "s")((dnames_length) == 1 ? ("") : ("s")));
7701 subtree = proto_item_add_subtree(ti, hf->ett.dnames);
7702
7703 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true1, pinfo);
7704
7705 while (offset < next_offset) {
7706 /* get the length of the current certificate */
7707 uint32_t name_length;
7708
7709 if (dnames_count-- == 0) {
7710 /* stop adding to tree when the list is considered too large
7711 * https://gitlab.com/wireshark/wireshark/-/issues/16202
7712 Note: dnames_count must be set low enough not to hit the
7713 limit set by PINFO_LAYER_MAX_RECURSION_DEPTH in packet.c
7714 */
7715 ti = proto_tree_add_item(subtree, hf->hf.hs_dnames_truncated,
7716 tvb, offset, next_offset - offset, ENC_NA0x00000000);
7717 proto_item_set_generated(ti);
7718 return next_offset;
7719 }
7720
7721 /* opaque DistinguishedName<1..2^16-1> */
7722 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, next_offset, &name_length,
7723 hf->hf.hs_dname_len, 1, UINT16_MAX(65535))) {
7724 return next_offset;
7725 }
7726 offset += 2;
7727
7728 dissect_x509if_DistinguishedName(false0, tvb, offset, &asn1_ctx,
7729 subtree, hf->hf.hs_dname);
7730 offset += name_length;
7731 }
7732 }
7733 return offset;
7734} /* }}} */
7735
7736
7737/** TLS Extensions (in Client Hello and Server Hello). {{{ */
7738static int
7739ssl_dissect_hnd_hello_ext_sig_hash_algs(ssl_common_dissect_t *hf, tvbuff_t *tvb,
7740 proto_tree *tree, packet_info* pinfo, uint32_t offset, uint32_t offset_end, ja4_data_t *ja4_data)
7741{
7742 return ssl_dissect_hash_alg_list(hf, tvb, tree, pinfo, offset, offset_end, ja4_data);
7743}
7744
7745static int
7746ssl_dissect_hnd_ext_delegated_credentials(ssl_common_dissect_t *hf, tvbuff_t *tvb,
7747 proto_tree *tree, packet_info* pinfo, uint32_t offset, uint32_t offset_end, uint8_t hnd_type)
7748{
7749 if (hnd_type == SSL_HND_CLIENT_HELLO ||
7750 hnd_type == SSL_HND_CERT_REQUEST) {
7751 /*
7752 * struct {
7753 * SignatureScheme supported_signature_algorithm<2..2^16-2>;
7754 * } SignatureSchemeList;
7755 */
7756
7757 return ssl_dissect_hash_alg_list(hf, tvb, tree, pinfo, offset, offset_end, NULL((void*)0));
7758 } else {
7759 asn1_ctx_t asn1_ctx;
7760 unsigned pubkey_length, sign_length;
7761
7762 /*
7763 * struct {
7764 * uint32 valid_time;
7765 * SignatureScheme expected_cert_verify_algorithm;
7766 * opaque ASN1_subjectPublicKeyInfo<1..2^24-1>;
7767 * } Credential;
7768 *
7769 * struct {
7770 * Credential cred;
7771 * SignatureScheme algorithm;
7772 * opaque signature<0..2^16-1>;
7773 * } DelegatedCredential;
7774 */
7775
7776 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true1, pinfo);
7777
7778 proto_tree_add_item(tree, hf->hf.hs_cred_valid_time, tvb, offset, 4, ENC_BIG_ENDIAN0x00000000);
7779 offset += 4;
7780
7781 tls_dissect_signature_algorithm(hf, tvb, tree, offset, NULL((void*)0));
7782 offset += 2;
7783
7784 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &pubkey_length,
7785 hf->hf.hs_cred_pubkey_len, 1, G_MAXUINT24((1U << 24) - 1))) {
7786 return offset_end;
7787 }
7788 offset += 3;
7789 dissect_x509af_SubjectPublicKeyInfo(false0, tvb, offset, &asn1_ctx, tree, hf->hf.hs_cred_pubkey);
7790 offset += pubkey_length;
7791
7792 tls_dissect_signature_algorithm(hf, tvb, tree, offset, NULL((void*)0));
7793 offset += 2;
7794
7795 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &sign_length,
7796 hf->hf.hs_cred_signature_len, 1, UINT16_MAX(65535))) {
7797 return offset_end;
7798 }
7799 offset += 2;
7800 proto_tree_add_item(tree, hf->hf.hs_cred_signature,
7801 tvb, offset, sign_length, ENC_ASCII0x00000000|ENC_NA0x00000000);
7802 offset += sign_length;
7803
7804 return offset;
7805 }
7806}
7807
7808static int
7809ssl_dissect_hnd_hello_ext_alps(ssl_common_dissect_t *hf, tvbuff_t *tvb,
7810 packet_info *pinfo, proto_tree *tree,
7811 uint32_t offset, uint32_t offset_end,
7812 uint8_t hnd_type)
7813{
7814
7815 /* https://datatracker.ietf.org/doc/html/draft-vvv-tls-alps-01#section-4 */
7816
7817 switch (hnd_type) {
7818 case SSL_HND_CLIENT_HELLO: {
7819 proto_tree *alps_tree;
7820 proto_item *ti;
7821 uint32_t next_offset, alps_length, name_length;
7822
7823 /*
7824 * opaque ProtocolName<1..2^8-1>;
7825 * struct {
7826 * ProtocolName supported_protocols<2..2^16-1>
7827 * } ApplicationSettingsSupport;
7828 */
7829
7830 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &alps_length,
7831 hf->hf.hs_ext_alps_len, 2, UINT16_MAX(65535))) {
7832 return offset_end;
7833 }
7834 offset += 2;
7835 next_offset = offset + alps_length;
7836
7837 ti = proto_tree_add_item(tree, hf->hf.hs_ext_alps_alpn_list,
7838 tvb, offset, alps_length, ENC_NA0x00000000);
7839 alps_tree = proto_item_add_subtree(ti, hf->ett.hs_ext_alps);
7840
7841 /* Parse list (note missing check for end of vector, ssl_add_vector below
7842 * ensures that data is always available.) */
7843 while (offset < next_offset) {
7844 if (!ssl_add_vector(hf, tvb, pinfo, alps_tree, offset, next_offset, &name_length,
7845 hf->hf.hs_ext_alps_alpn_str_len, 1, UINT8_MAX(255))) {
7846 return next_offset;
7847 }
7848 offset++;
7849
7850 proto_tree_add_item(alps_tree, hf->hf.hs_ext_alps_alpn_str,
7851 tvb, offset, name_length, ENC_ASCII0x00000000|ENC_NA0x00000000);
7852 offset += name_length;
7853 }
7854
7855 return offset;
7856 }
7857 case SSL_HND_ENCRYPTED_EXTS:
7858 /* Opaque blob */
7859 proto_tree_add_item(tree, hf->hf.hs_ext_alps_settings,
7860 tvb, offset, offset_end - offset, ENC_ASCII0x00000000|ENC_NA0x00000000);
7861 break;
7862 }
7863
7864 return offset_end;
7865}
7866
7867static int
7868ssl_dissect_hnd_hello_ext_alpn(ssl_common_dissect_t *hf, tvbuff_t *tvb,
7869 packet_info *pinfo, proto_tree *tree,
7870 uint32_t offset, uint32_t offset_end,
7871 uint8_t hnd_type, SslSession *session,
7872 bool_Bool is_dtls, ja4_data_t *ja4_data)
7873{
7874
7875 /* https://tools.ietf.org/html/rfc7301#section-3.1
7876 * opaque ProtocolName<1..2^8-1>;
7877 * struct {
7878 * ProtocolName protocol_name_list<2..2^16-1>
7879 * } ProtocolNameList;
7880 */
7881 proto_tree *alpn_tree;
7882 proto_item *ti;
7883 uint32_t next_offset, alpn_length, name_length;
7884 const char *proto_name = NULL((void*)0), *client_proto_name = NULL((void*)0);
7885
7886 /* ProtocolName protocol_name_list<2..2^16-1> */
7887 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &alpn_length,
7888 hf->hf.hs_ext_alpn_len, 2, UINT16_MAX(65535))) {
7889 return offset_end;
7890 }
7891 offset += 2;
7892 next_offset = offset + alpn_length;
7893
7894 ti = proto_tree_add_item(tree, hf->hf.hs_ext_alpn_list,
7895 tvb, offset, alpn_length, ENC_NA0x00000000);
7896 alpn_tree = proto_item_add_subtree(ti, hf->ett.hs_ext_alpn);
7897
7898 /* Parse list (note missing check for end of vector, ssl_add_vector below
7899 * ensures that data is always available.) */
7900 while (offset < next_offset) {
7901 /* opaque ProtocolName<1..2^8-1> */
7902 if (!ssl_add_vector(hf, tvb, pinfo, alpn_tree, offset, next_offset, &name_length,
7903 hf->hf.hs_ext_alpn_str_len, 1, UINT8_MAX(255))) {
7904 return next_offset;
7905 }
7906 offset++;
7907
7908 proto_tree_add_item(alpn_tree, hf->hf.hs_ext_alpn_str,
7909 tvb, offset, name_length, ENC_ASCII0x00000000|ENC_NA0x00000000);
7910 if (ja4_data && wmem_strbuf_get_len(ja4_data->alpn) == 0) {
7911 const char alpn_first_char = (char)tvb_get_uint8(tvb,offset);
7912 const char alpn_last_char = (char)tvb_get_uint8(tvb,offset + name_length - 1);
7913 if ((g_ascii_isalnum(alpn_first_char)((g_ascii_table[(guchar) (alpn_first_char)] & G_ASCII_ALNUM
) != 0)) && g_ascii_isalnum(alpn_last_char)((g_ascii_table[(guchar) (alpn_last_char)] & G_ASCII_ALNUM
) != 0)) {
7914 wmem_strbuf_append_printf(ja4_data->alpn, "%c%c", alpn_first_char, alpn_last_char);
7915 }
7916 else {
7917 wmem_strbuf_append_printf(ja4_data->alpn, "%x%x",(alpn_first_char >> 4) & 0x0F,
7918 alpn_last_char & 0x0F);
7919 }
7920 }
7921 /* Remember first ALPN ProtocolName entry for server. */
7922 if (hnd_type == SSL_HND_SERVER_HELLO || hnd_type == SSL_HND_ENCRYPTED_EXTENSIONS) {
7923 /* '\0'-terminated string for dissector table match and prefix
7924 * comparison purposes. */
7925 proto_name = (char*)tvb_get_string_enc(pinfo->pool, tvb, offset,
7926 name_length, ENC_ASCII0x00000000);
7927 } else if (hnd_type == SSL_HND_CLIENT_HELLO) {
7928 client_proto_name = (char*)tvb_get_string_enc(pinfo->pool, tvb, offset,
7929 name_length, ENC_ASCII0x00000000);
7930 }
7931 offset += name_length;
7932 }
7933
7934 /* If ALPN is given in ServerHello, then ProtocolNameList MUST contain
7935 * exactly one "ProtocolName". */
7936 if (proto_name) {
7937 dissector_handle_t handle;
7938
7939 session->alpn_name = wmem_strdup(wmem_file_scope(), proto_name);
7940
7941 if (is_dtls) {
7942 handle = dissector_get_string_handle(dtls_alpn_dissector_table,
7943 proto_name);
7944 } else {
7945 handle = dissector_get_string_handle(ssl_alpn_dissector_table,
7946 proto_name);
7947 if (handle == NULL((void*)0)) {
7948 /* Try prefix matching */
7949 for (size_t i = 0; i < G_N_ELEMENTS(ssl_alpn_prefix_match_protocols)(sizeof (ssl_alpn_prefix_match_protocols) / sizeof ((ssl_alpn_prefix_match_protocols
)[0])); i++) {
7950 const ssl_alpn_prefix_match_protocol_t *alpn_proto = &ssl_alpn_prefix_match_protocols[i];
7951
7952 /* string_string is inappropriate as it compares strings
7953 * while "byte strings MUST NOT be truncated" (RFC 7301) */
7954 if (g_str_has_prefix(proto_name, alpn_proto->proto_prefix)(__builtin_constant_p (alpn_proto->proto_prefix)? __extension__
({ const char * const __str = (proto_name); const char * const
__prefix = (alpn_proto->proto_prefix); gboolean __result =
(0); if (__str == ((void*)0) || __prefix == ((void*)0)) __result
= (g_str_has_prefix) (__str, __prefix); else { const size_t __str_len
= strlen (((__str) + !(__str))); const size_t __prefix_len =
strlen (((__prefix) + !(__prefix))); if (__str_len >= __prefix_len
) __result = memcmp (((__str) + !(__str)), ((__prefix) + !(__prefix
)), __prefix_len) == 0; } __result; }) : (g_str_has_prefix) (
proto_name, alpn_proto->proto_prefix) )) {
7955 handle = find_dissector(alpn_proto->dissector_name);
7956 break;
7957 }
7958 }
7959 }
7960 }
7961 if (handle != NULL((void*)0)) {
7962 /* ProtocolName match, so set the App data dissector handle.
7963 * This may override protocols given via the UAT dialog, but
7964 * since the ALPN hint is precise, do it anyway. */
7965 ssl_debug_printf("%s: changing handle %p to %p (%s)", G_STRFUNC((const char*) (__func__)),
7966 (void *)session->app_handle,
7967 (void *)handle,
7968 dissector_handle_get_dissector_name(handle));
7969 session->app_handle = handle;
7970 }
7971 } else if (client_proto_name) {
7972 // No current use for looking up the handle as the only consumer of this API is currently the QUIC dissector
7973 // and it just needs the string since there are/were various HTTP/3 ALPNs to check for.
7974 session->client_alpn_name = wmem_strdup(wmem_file_scope(), client_proto_name);
7975 }
7976
7977 return offset;
7978}
7979
7980static int
7981ssl_dissect_hnd_hello_ext_npn(ssl_common_dissect_t *hf, tvbuff_t *tvb,
7982 packet_info *pinfo, proto_tree *tree,
7983 uint32_t offset, uint32_t offset_end)
7984{
7985 /* https://tools.ietf.org/html/draft-agl-tls-nextprotoneg-04#page-3
7986 * The "extension_data" field of a "next_protocol_negotiation" extension
7987 * in a "ServerHello" contains an optional list of protocols advertised
7988 * by the server. Protocols are named by opaque, non-empty byte strings
7989 * and the list of protocols is serialized as a concatenation of 8-bit,
7990 * length prefixed byte strings. Implementations MUST ensure that the
7991 * empty string is not included and that no byte strings are truncated.
7992 */
7993 uint32_t npn_length;
7994 proto_tree *npn_tree;
7995
7996 /* List is optional, do not add tree if there are no entries. */
7997 if (offset == offset_end) {
7998 return offset;
7999 }
8000
8001 npn_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset, hf->ett.hs_ext_npn, NULL((void*)0), "Next Protocol Negotiation");
8002
8003 while (offset < offset_end) {
8004 /* non-empty, 8-bit length prefixed strings means range 1..255 */
8005 if (!ssl_add_vector(hf, tvb, pinfo, npn_tree, offset, offset_end, &npn_length,
8006 hf->hf.hs_ext_npn_str_len, 1, UINT8_MAX(255))) {
8007 return offset_end;
8008 }
8009 offset++;
8010
8011 proto_tree_add_item(npn_tree, hf->hf.hs_ext_npn_str,
8012 tvb, offset, npn_length, ENC_ASCII0x00000000|ENC_NA0x00000000);
8013 offset += npn_length;
8014 }
8015
8016 return offset;
8017}
8018
8019static int
8020ssl_dissect_hnd_hello_ext_reneg_info(ssl_common_dissect_t *hf, tvbuff_t *tvb,
8021 packet_info *pinfo, proto_tree *tree,
8022 uint32_t offset, uint32_t offset_end)
8023{
8024 /* https://tools.ietf.org/html/rfc5746#section-3.2
8025 * struct {
8026 * opaque renegotiated_connection<0..255>;
8027 * } RenegotiationInfo;
8028 *
8029 */
8030 proto_tree *reneg_info_tree;
8031 uint32_t reneg_info_length;
8032
8033 reneg_info_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset, hf->ett.hs_ext_reneg_info, NULL((void*)0), "Renegotiation Info extension");
8034
8035 /* opaque renegotiated_connection<0..255> */
8036 if (!ssl_add_vector(hf, tvb, pinfo, reneg_info_tree, offset, offset_end, &reneg_info_length,
8037 hf->hf.hs_ext_reneg_info_len, 0, 255)) {
8038 return offset_end;
8039 }
8040 offset++;
8041
8042 if (reneg_info_length > 0) {
8043 proto_tree_add_item(reneg_info_tree, hf->hf.hs_ext_reneg_info, tvb, offset, reneg_info_length, ENC_NA0x00000000);
8044 offset += reneg_info_length;
8045 }
8046
8047 return offset;
8048}
8049
8050static int
8051ssl_dissect_hnd_hello_ext_key_share_entry(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8052 proto_tree *tree, uint32_t offset, uint32_t offset_end,
8053 const char **group_name_out)
8054{
8055 /* RFC 8446 Section 4.2.8
8056 * struct {
8057 * NamedGroup group;
8058 * opaque key_exchange<1..2^16-1>;
8059 * } KeyShareEntry;
8060 */
8061 uint32_t key_exchange_length, group;
8062 proto_tree *ks_tree;
8063
8064 ks_tree = proto_tree_add_subtree(tree, tvb, offset, 4, hf->ett.hs_ext_key_share_ks, NULL((void*)0), "Key Share Entry");
8065
8066 proto_tree_add_item_ret_uint(ks_tree, hf->hf.hs_ext_key_share_group, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &group);
8067 offset += 2;
8068 const char *group_name = val_to_str(pinfo->pool, group, ssl_extension_curves, "Unknown (%u)");
8069 proto_item_append_text(ks_tree, ": Group: %s", group_name);
8070 if (group_name_out) {
8071 *group_name_out = !IS_GREASE_TLS(group)((((group) & 0x0f0f) == 0x0a0a) && (((group) &
0xff) == (((group)>>8) & 0xff))) ? group_name : NULL((void*)0);
8072 }
8073
8074 /* opaque key_exchange<1..2^16-1> */
8075 if (!ssl_add_vector(hf, tvb, pinfo, ks_tree, offset, offset_end, &key_exchange_length,
8076 hf->hf.hs_ext_key_share_key_exchange_length, 1, UINT16_MAX(65535))) {
8077 return offset_end; /* Bad (possible truncated) length, skip to end of KeyShare extension. */
8078 }
8079 offset += 2;
8080 proto_item_set_len(ks_tree, 2 + 2 + key_exchange_length);
8081 proto_item_append_text(ks_tree, ", Key Exchange length: %u", key_exchange_length);
8082
8083 proto_tree_add_item(ks_tree, hf->hf.hs_ext_key_share_key_exchange, tvb, offset, key_exchange_length, ENC_NA0x00000000);
8084 offset += key_exchange_length;
8085
8086 return offset;
8087}
8088
8089static int
8090ssl_dissect_hnd_hello_ext_key_share(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8091 proto_tree *tree, uint32_t offset, uint32_t offset_end,
8092 uint8_t hnd_type)
8093{
8094 proto_tree *key_share_tree;
8095 uint32_t next_offset;
8096 uint32_t client_shares_length;
8097 uint32_t group;
8098 const char *group_name = NULL((void*)0);
8099
8100 if (offset_end <= offset) { /* Check if ext_len == 0 and "overflow" (offset + ext_len) > uint32_t) */
8101 return offset;
8102 }
8103
8104 key_share_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset, hf->ett.hs_ext_key_share, NULL((void*)0), "Key Share extension");
8105
8106 switch(hnd_type){
8107 case SSL_HND_CLIENT_HELLO:
8108 /* KeyShareEntry client_shares<0..2^16-1> */
8109 if (!ssl_add_vector(hf, tvb, pinfo, key_share_tree, offset, offset_end, &client_shares_length,
8110 hf->hf.hs_ext_key_share_client_length, 0, UINT16_MAX(65535))) {
8111 return offset_end;
8112 }
8113 offset += 2;
8114 next_offset = offset + client_shares_length;
8115 const char *sep = " ";
8116 while (offset + 4 <= next_offset) { /* (NamedGroup (2 bytes), key_exchange (1 byte for length, 1 byte minimum data) */
8117 offset = ssl_dissect_hnd_hello_ext_key_share_entry(hf, tvb, pinfo, key_share_tree, offset, next_offset, &group_name);
8118 if (group_name) {
8119 proto_item_append_text(tree, "%s%s", sep, group_name);
8120 sep = ", ";
8121 }
8122 }
8123 if (!ssl_end_vector(hf, tvb, pinfo, key_share_tree, offset, next_offset)) {
8124 return next_offset;
8125 }
8126 break;
8127 case SSL_HND_SERVER_HELLO:
8128 offset = ssl_dissect_hnd_hello_ext_key_share_entry(hf, tvb, pinfo, key_share_tree, offset, offset_end, &group_name);
8129 if (group_name) {
8130 proto_item_append_text(tree, " %s", group_name);
8131 }
8132 break;
8133 case SSL_HND_HELLO_RETRY_REQUEST:
8134 proto_tree_add_item_ret_uint(key_share_tree, hf->hf.hs_ext_key_share_selected_group, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &group);
8135 offset += 2;
8136 group_name = val_to_str(pinfo->pool, group, ssl_extension_curves, "Unknown (%u)");
8137 proto_item_append_text(tree, " %s", group_name);
8138 break;
8139 default: /* no default */
8140 break;
8141 }
8142
8143 return offset;
8144}
8145
8146static int
8147ssl_dissect_hnd_hello_ext_pre_shared_key(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8148 proto_tree *tree, uint32_t offset, uint32_t offset_end,
8149 uint8_t hnd_type)
8150{
8151 /* RFC 8446 Section 4.2.11
8152 * struct {
8153 * opaque identity<1..2^16-1>;
8154 * uint32 obfuscated_ticket_age;
8155 * } PskIdentity;
8156 * opaque PskBinderEntry<32..255>;
8157 * struct {
8158 * select (Handshake.msg_type) {
8159 * case client_hello:
8160 * PskIdentity identities<7..2^16-1>;
8161 * PskBinderEntry binders<33..2^16-1>;
8162 * case server_hello:
8163 * uint16 selected_identity;
8164 * };
8165 * } PreSharedKeyExtension;
8166 */
8167
8168 proto_tree *psk_tree;
8169
8170 psk_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset, hf->ett.hs_ext_pre_shared_key, NULL((void*)0), "Pre-Shared Key extension");
8171
8172 switch (hnd_type){
8173 case SSL_HND_CLIENT_HELLO: {
8174 uint32_t identities_length, identities_end, binders_length;
8175
8176 /* PskIdentity identities<7..2^16-1> */
8177 if (!ssl_add_vector(hf, tvb, pinfo, psk_tree, offset, offset_end, &identities_length,
8178 hf->hf.hs_ext_psk_identities_length, 7, UINT16_MAX(65535))) {
8179 return offset_end;
8180 }
8181 offset += 2;
8182 identities_end = offset + identities_length;
8183
8184 while (offset < identities_end) {
8185 uint32_t identity_length;
8186 proto_tree *identity_tree;
8187
8188 identity_tree = proto_tree_add_subtree(psk_tree, tvb, offset, 4, hf->ett.hs_ext_psk_identity, NULL((void*)0), "PSK Identity (");
8189
8190 /* opaque identity<1..2^16-1> */
8191 if (!ssl_add_vector(hf, tvb, pinfo, identity_tree, offset, identities_end, &identity_length,
8192 hf->hf.hs_ext_psk_identity_identity_length, 1, UINT16_MAX(65535))) {
8193 return identities_end;
8194 }
8195 offset += 2;
8196 proto_item_append_text(identity_tree, "length: %u)", identity_length);
8197
8198 proto_tree_add_item(identity_tree, hf->hf.hs_ext_psk_identity_identity, tvb, offset, identity_length, ENC_BIG_ENDIAN0x00000000);
8199 offset += identity_length;
8200
8201 proto_tree_add_item(identity_tree, hf->hf.hs_ext_psk_identity_obfuscated_ticket_age, tvb, offset, 4, ENC_BIG_ENDIAN0x00000000);
8202 offset += 4;
8203
8204 proto_item_set_len(identity_tree, 2 + identity_length + 4);
8205 }
8206 if (!ssl_end_vector(hf, tvb, pinfo, psk_tree, offset, identities_end)) {
8207 offset = identities_end;
8208 }
8209
8210 /* PskBinderEntry binders<33..2^16-1> */
8211 if (!ssl_add_vector(hf, tvb, pinfo, psk_tree, offset, offset_end, &binders_length,
8212 hf->hf.hs_ext_psk_binders_length, 33, UINT16_MAX(65535))) {
8213 return offset_end;
8214 }
8215 offset += 2;
8216
8217 proto_item *binders_item;
8218 proto_tree *binders_tree;
8219 binders_item = proto_tree_add_item(psk_tree, hf->hf.hs_ext_psk_binders, tvb, offset, binders_length, ENC_NA0x00000000);
8220 binders_tree = proto_item_add_subtree(binders_item, hf->ett.hs_ext_psk_binders);
8221 uint32_t binders_end = offset + binders_length;
8222 while (offset < binders_end) {
8223 uint32_t binder_length;
8224 proto_item *binder_item;
8225 proto_tree *binder_tree;
8226
8227 binder_item = proto_tree_add_item(binders_tree, hf->hf.hs_ext_psk_binder, tvb, offset, 1, ENC_NA0x00000000);
8228 binder_tree = proto_item_add_subtree(binder_item, hf->ett.hs_ext_psk_binder);
8229
8230 /* opaque PskBinderEntry<32..255>; */
8231 if (!ssl_add_vector(hf, tvb, pinfo, binder_tree, offset, binders_end, &binder_length,
8232 hf->hf.hs_ext_psk_binder_binder_length, 32, 255)) {
8233 return binders_end;
8234 }
8235 offset += 1;
8236 proto_item_append_text(binder_tree, " (length: %u)", binder_length);
8237
8238 proto_tree_add_item(binder_tree, hf->hf.hs_ext_psk_binder_binder, tvb, offset, binder_length, ENC_BIG_ENDIAN0x00000000);
8239 offset += binder_length;
8240
8241 proto_item_set_end(binder_item, tvb, offset);
8242 }
8243 }
8244 break;
8245 case SSL_HND_SERVER_HELLO: {
8246 proto_tree_add_item(psk_tree, hf->hf.hs_ext_psk_identity_selected, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
8247 offset += 2;
8248 }
8249 break;
8250 default:
8251 break;
8252 }
8253
8254 return offset;
8255}
8256
8257static uint32_t
8258ssl_dissect_hnd_hello_ext_early_data(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo _U___attribute__((unused)),
8259 proto_tree *tree, uint32_t offset, uint32_t offset_end _U___attribute__((unused)),
8260 uint8_t hnd_type, SslDecryptSession *ssl)
8261{
8262 /* RFC 8446 Section 4.2.10
8263 * struct {} Empty;
8264 * struct {
8265 * select (Handshake.msg_type) {
8266 * case new_session_ticket: uint32 max_early_data_size;
8267 * case client_hello: Empty;
8268 * case encrypted_extensions: Empty;
8269 * };
8270 * } EarlyDataIndication;
8271 */
8272 switch (hnd_type) {
8273 case SSL_HND_CLIENT_HELLO:
8274 /* Remember that early_data will follow the handshake. */
8275 if (ssl) {
8276 ssl_debug_printf("%s found early_data extension\n", G_STRFUNC((const char*) (__func__)));
8277 ssl->has_early_data = true1;
8278 }
8279 break;
8280 case SSL_HND_NEWSESSION_TICKET:
8281 proto_tree_add_item(tree, hf->hf.hs_ext_max_early_data_size, tvb, offset, 4, ENC_BIG_ENDIAN0x00000000);
8282 offset += 4;
8283 break;
8284 default:
8285 break;
8286 }
8287 return offset;
8288}
8289
8290static uint16_t
8291tls_try_get_version(bool_Bool is_dtls, uint16_t version, uint8_t *draft_version)
8292{
8293 if (draft_version) {
8294 *draft_version = 0;
8295 }
8296 if (!is_dtls) {
8297 uint8_t tls13_draft = extract_tls13_draft_version(version);
8298 if (tls13_draft != 0) {
8299 /* This is TLS 1.3 (a draft version). */
8300 if (draft_version) {
8301 *draft_version = tls13_draft;
8302 }
8303 version = TLSV1DOT3_VERSION0x304;
8304 }
8305 if (version == 0xfb17 || version == 0xfb1a) {
8306 /* Unofficial TLS 1.3 draft version for Facebook fizz. */
8307 tls13_draft = (uint8_t)version;
8308 if (draft_version) {
8309 *draft_version = tls13_draft;
8310 }
8311 version = TLSV1DOT3_VERSION0x304;
8312 }
8313 }
8314
8315 switch (version) {
8316 case SSLV3_VERSION0x300:
8317 case TLSV1_VERSION0x301:
8318 case TLSV1DOT1_VERSION0x302:
8319 case TLSV1DOT2_VERSION0x303:
8320 case TLSV1DOT3_VERSION0x304:
8321 case TLCPV1_VERSION0x101:
8322 if (is_dtls)
8323 return SSL_VER_UNKNOWN0;
8324 break;
8325
8326 case DTLSV1DOT0_VERSION0xfeff:
8327 case DTLSV1DOT0_OPENSSL_VERSION0x100:
8328 case DTLSV1DOT2_VERSION0xfefd:
8329 case DTLSV1DOT3_VERSION0xfefc:
8330 if (!is_dtls)
8331 return SSL_VER_UNKNOWN0;
8332 break;
8333
8334 default: /* invalid version number */
8335 return SSL_VER_UNKNOWN0;
8336 }
8337
8338 return version;
8339}
8340
8341static int
8342ssl_dissect_hnd_hello_ext_supported_versions(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8343 proto_tree *tree, uint32_t offset, uint32_t offset_end,
8344 SslSession *session, bool_Bool is_dtls, ja4_data_t *ja4_data)
8345{
8346
8347 /* RFC 8446 Section 4.2.1
8348 * struct {
8349 * ProtocolVersion versions<2..254>; // ClientHello
8350 * } SupportedVersions;
8351 * Note that ServerHello and HelloRetryRequest are handled by the caller.
8352 */
8353 uint32_t versions_length, next_offset;
8354 /* ProtocolVersion versions<2..254> */
8355 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &versions_length,
8356 hf->hf.hs_ext_supported_versions_len, 2, 254)) {
8357 return offset_end;
8358 }
8359 offset++;
8360 next_offset = offset + versions_length;
8361
8362 unsigned version;
8363 unsigned current_version, lowest_version = SSL_VER_UNKNOWN0;
8364 uint8_t draft_version, max_draft_version = 0;
8365 const char *sep = " ";
8366 while (offset + 2 <= next_offset) {
8367 proto_tree_add_item_ret_uint(tree, hf->hf.hs_ext_supported_version, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &version);
8368 offset += 2;
8369
8370 if (!IS_GREASE_TLS(version)((((version) & 0x0f0f) == 0x0a0a) && (((version) &
0xff) == (((version)>>8) & 0xff)))) {
8371 proto_item_append_text(tree, "%s%s", sep, val_to_str(pinfo->pool, version, ssl_versions, "Unknown (0x%04x)"));
8372 sep = ", ";
8373 }
8374
8375 current_version = tls_try_get_version(is_dtls, version, &draft_version);
8376 if (session->version == SSL_VER_UNKNOWN0) {
8377 if (lowest_version == SSL_VER_UNKNOWN0) {
8378 lowest_version = current_version;
8379 } else if (current_version != SSL_VER_UNKNOWN0) {
8380 if (!is_dtls) {
8381 lowest_version = MIN(lowest_version, current_version)(((lowest_version) < (current_version)) ? (lowest_version)
: (current_version));
8382 } else {
8383 lowest_version = MAX(lowest_version, current_version)(((lowest_version) > (current_version)) ? (lowest_version)
: (current_version));
8384 }
8385 }
8386 }
8387 max_draft_version = MAX(draft_version, max_draft_version)(((draft_version) > (max_draft_version)) ? (draft_version)
: (max_draft_version));
8388 if (ja4_data && !IS_GREASE_TLS(version)((((version) & 0x0f0f) == 0x0a0a) && (((version) &
0xff) == (((version)>>8) & 0xff)))) {
8389 /* The DTLS version numbers get mapped to "00" for unknown per
8390 * JA4 spec, but if JA4 ever does support DTLS we'll probably
8391 * need to take the MIN instead of MAX here for DTLS.
8392 */
8393 ja4_data->max_version = MAX(version, ja4_data->max_version)(((version) > (ja4_data->max_version)) ? (version) : (ja4_data
->max_version));
8394 }
8395 }
8396 if (session->version == SSL_VER_UNKNOWN0 && lowest_version != SSL_VER_UNKNOWN0) {
8397 col_set_str(pinfo->cinfo, COL_PROTOCOL,
8398 val_to_str_const(version, ssl_version_short_names, is_dtls ? "DTLS" : "TLS"));
8399 }
8400 if (!ssl_end_vector(hf, tvb, pinfo, tree, offset, next_offset)) {
8401 offset = next_offset;
8402 }
8403
8404 /* XXX remove this when draft 19 support is dropped,
8405 * this is only required for early data decryption. */
8406 if (max_draft_version) {
8407 session->tls13_draft_version = max_draft_version;
8408 }
8409
8410 return offset;
8411}
8412
8413static int
8414ssl_dissect_hnd_hello_ext_cookie(ssl_common_dissect_t *hf, tvbuff_t *tvb,
8415 packet_info *pinfo, proto_tree *tree,
8416 uint32_t offset, uint32_t offset_end)
8417{
8418 /* RFC 8446 Section 4.2.2
8419 * struct {
8420 * opaque cookie<1..2^16-1>;
8421 * } Cookie;
8422 */
8423 uint32_t cookie_length;
8424 /* opaque cookie<1..2^16-1> */
8425 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &cookie_length,
8426 hf->hf.hs_ext_cookie_len, 1, UINT16_MAX(65535))) {
8427 return offset_end;
8428 }
8429 offset += 2;
8430
8431 proto_tree_add_item(tree, hf->hf.hs_ext_cookie, tvb, offset, cookie_length, ENC_NA0x00000000);
8432 offset += cookie_length;
8433
8434 return offset;
8435}
8436
8437static int
8438ssl_dissect_hnd_hello_ext_psk_key_exchange_modes(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8439 proto_tree *tree, uint32_t offset, uint32_t offset_end)
8440{
8441 /* RFC 8446 Section 4.2.9
8442 * enum { psk_ke(0), psk_dhe_ke(1), (255) } PskKeyExchangeMode;
8443 *
8444 * struct {
8445 * PskKeyExchangeMode ke_modes<1..255>;
8446 * } PskKeyExchangeModes;
8447 */
8448 uint32_t ke_modes_length, next_offset;
8449
8450 /* PskKeyExchangeMode ke_modes<1..255> */
8451 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &ke_modes_length,
8452 hf->hf.hs_ext_psk_ke_modes_length, 1, 255)) {
8453 return offset_end;
8454 }
8455 offset++;
8456 next_offset = offset + ke_modes_length;
8457
8458 while (offset < next_offset) {
8459 proto_tree_add_item(tree, hf->hf.hs_ext_psk_ke_mode, tvb, offset, 1, ENC_NA0x00000000);
8460 offset++;
8461 }
8462
8463 return offset;
8464}
8465
8466static uint32_t
8467ssl_dissect_hnd_hello_ext_certificate_authorities(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8468 proto_tree *tree, uint32_t offset, uint32_t offset_end)
8469{
8470 /* RFC 8446 Section 4.2.4
8471 * opaque DistinguishedName<1..2^16-1>;
8472 * struct {
8473 * DistinguishedName authorities<3..2^16-1>;
8474 * } CertificateAuthoritiesExtension;
8475 */
8476 return tls_dissect_certificate_authorities(hf, tvb, pinfo, tree, offset, offset_end);
8477}
8478
8479static int
8480ssl_dissect_hnd_hello_ext_oid_filters(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8481 proto_tree *tree, uint32_t offset, uint32_t offset_end)
8482{
8483 /* RFC 8446 Section 4.2.5
8484 * struct {
8485 * opaque certificate_extension_oid<1..2^8-1>;
8486 * opaque certificate_extension_values<0..2^16-1>;
8487 * } OIDFilter;
8488 * struct {
8489 * OIDFilter filters<0..2^16-1>;
8490 * } OIDFilterExtension;
8491 */
8492 proto_tree *subtree;
8493 uint32_t filters_length, oid_length, values_length, value_offset;
8494 asn1_ctx_t asn1_ctx;
8495 const char *oid, *name;
8496
8497 /* OIDFilter filters<0..2^16-1> */
8498 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &filters_length,
8499 hf->hf.hs_ext_psk_ke_modes_length, 0, UINT16_MAX(65535))) {
8500 return offset_end;
8501 }
8502 offset += 2;
8503 offset_end = offset + filters_length;
8504
8505 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true1, pinfo);
8506
8507 while (offset < offset_end) {
8508 subtree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
8509 hf->ett.hs_ext_oid_filter, NULL((void*)0), "OID Filter");
8510
8511 /* opaque certificate_extension_oid<1..2^8-1> */
8512 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, offset_end, &oid_length,
8513 hf->hf.hs_ext_oid_filters_oid_length, 1, UINT8_MAX(255))) {
8514 return offset_end;
8515 }
8516 offset++;
8517 dissect_ber_object_identifier_str(false0, &asn1_ctx, subtree, tvb, offset,
8518 hf->hf.hs_ext_oid_filters_oid, &oid);
8519 offset += oid_length;
8520
8521 /* Append OID to tree label */
8522 name = oid_resolved_from_string(pinfo->pool, oid);
8523 proto_item_append_text(subtree, " (%s)", name ? name : oid);
8524
8525 /* opaque certificate_extension_values<0..2^16-1> */
8526 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, offset_end, &values_length,
8527 hf->hf.hs_ext_oid_filters_values_length, 0, UINT16_MAX(65535))) {
8528 return offset_end;
8529 }
8530 offset += 2;
8531 proto_item_set_len(subtree, 1 + oid_length + 2 + values_length);
8532 if (values_length > 0) {
8533 value_offset = offset;
8534 value_offset = dissect_ber_identifier(pinfo, subtree, tvb, value_offset, NULL((void*)0), NULL((void*)0), NULL((void*)0));
8535 value_offset = dissect_ber_length(pinfo, subtree, tvb, value_offset, NULL((void*)0), NULL((void*)0));
8536 call_ber_oid_callback(oid, tvb, value_offset, pinfo, subtree, NULL((void*)0));
8537 }
8538 offset += values_length;
8539 }
8540
8541 return offset;
8542}
8543
8544static int
8545ssl_dissect_hnd_hello_ext_server_name(ssl_common_dissect_t *hf, tvbuff_t *tvb,
8546 packet_info *pinfo, proto_tree *tree,
8547 uint32_t offset, uint32_t offset_end)
8548{
8549 /* https://tools.ietf.org/html/rfc6066#section-3
8550 *
8551 * struct {
8552 * NameType name_type;
8553 * select (name_type) {
8554 * case host_name: HostName;
8555 * } name;
8556 * } ServerName;
8557 *
8558 * enum {
8559 * host_name(0), (255)
8560 * } NameType;
8561 *
8562 * opaque HostName<1..2^16-1>;
8563 *
8564 * struct {
8565 * ServerName server_name_list<1..2^16-1>
8566 * } ServerNameList;
8567 */
8568 proto_tree *server_name_tree;
8569 uint32_t list_length, server_name_length, next_offset;
8570
8571 /* The server SHALL include "server_name" extension with empty data. */
8572 if (offset == offset_end) {
8573 return offset;
8574 }
8575
8576 server_name_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset, hf->ett.hs_ext_server_name, NULL((void*)0), "Server Name Indication extension");
8577
8578 /* ServerName server_name_list<1..2^16-1> */
8579 if (!ssl_add_vector(hf, tvb, pinfo, server_name_tree, offset, offset_end, &list_length,
8580 hf->hf.hs_ext_server_name_list_len, 1, UINT16_MAX(65535))) {
8581 return offset_end;
8582 }
8583 offset += 2;
8584 next_offset = offset + list_length;
8585
8586 while (offset < next_offset) {
8587 uint32_t name_type;
8588 const char *server_name = NULL((void*)0);
8589 proto_tree_add_item_ret_uint(server_name_tree, hf->hf.hs_ext_server_name_type,
8590 tvb, offset, 1, ENC_NA0x00000000, &name_type);
8591 offset++;
8592
8593 /* opaque HostName<1..2^16-1> */
8594 if (!ssl_add_vector(hf, tvb, pinfo, server_name_tree, offset, next_offset, &server_name_length,
8595 hf->hf.hs_ext_server_name_len, 1, UINT16_MAX(65535))) {
8596 return next_offset;
8597 }
8598 offset += 2;
8599
8600 proto_tree_add_item_ret_string(server_name_tree, hf->hf.hs_ext_server_name,
8601 tvb, offset, server_name_length, ENC_ASCII0x00000000|ENC_NA0x00000000,
8602 pinfo->pool, (const uint8_t**)&server_name);
8603 offset += server_name_length;
8604 // Each type must only occur once, so we don't check for duplicates.
8605 if (name_type == 0) {
8606 proto_item_append_text(tree, " name=%s", server_name);
8607 col_append_fstr(pinfo->cinfo, COL_INFO, " (SNI=%s)", server_name);
8608
8609 if (gbl_resolv_flags.handshake_sni_addr_resolution) {
8610 // Client Hello: Client (Src) -> Server (Dst)
8611 switch (pinfo->dst.type) {
8612 case AT_IPv4:
8613 if (pinfo->dst.len == sizeof(uint32_t)) {
8614 add_ipv4_name(*(uint32_t *)pinfo->dst.data, server_name, false0);
8615 }
8616 break;
8617 case AT_IPv6:
8618 if (pinfo->dst.len == sizeof(ws_in6_addr)) {
8619 add_ipv6_name(pinfo->dst.data, server_name, false0);
8620 }
8621 break;
8622 }
8623 }
8624 }
8625 }
8626 return offset;
8627}
8628
8629static int
8630ssl_dissect_hnd_hello_ext_session_ticket(ssl_common_dissect_t *hf, tvbuff_t *tvb,
8631 proto_tree *tree, uint32_t offset, uint32_t offset_end, uint8_t hnd_type, SslDecryptSession *ssl)
8632{
8633 unsigned ext_len = offset_end - offset;
8634 if (hnd_type == SSL_HND_CLIENT_HELLO && ssl && ext_len != 0) {
8635 tvb_ensure_bytes_exist(tvb, offset, ext_len);
8636 /* Save the Session Ticket such that it can be used as identifier for
8637 * restoring a previous Master Secret (in ChangeCipherSpec) */
8638 ssl->session_ticket.data = (unsigned char*)wmem_realloc(wmem_file_scope(),
8639 ssl->session_ticket.data, ext_len);
8640 ssl->session_ticket.data_len = ext_len;
8641 tvb_memcpy(tvb,ssl->session_ticket.data, offset, ext_len);
8642 }
8643 proto_tree_add_item(tree, hf->hf.hs_ext_session_ticket,
8644 tvb, offset, ext_len, ENC_NA0x00000000);
8645 return offset + ext_len;
8646}
8647
8648static int
8649ssl_dissect_hnd_hello_ext_cert_type(ssl_common_dissect_t *hf, tvbuff_t *tvb,
8650 proto_tree *tree, uint32_t offset, uint32_t offset_end,
8651 uint8_t hnd_type, uint16_t ext_type, SslSession *session)
8652{
8653 uint8_t cert_list_length;
8654 uint8_t cert_type;
8655 proto_tree *cert_list_tree;
8656 proto_item *ti;
8657
8658 switch(hnd_type){
8659 case SSL_HND_CLIENT_HELLO:
8660 cert_list_length = tvb_get_uint8(tvb, offset);
8661 proto_tree_add_item(tree, hf->hf.hs_ext_cert_types_len,
8662 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
8663 offset += 1;
8664 if (offset_end - offset != (uint32_t)cert_list_length)
8665 return offset;
8666
8667 ti = proto_tree_add_item(tree, hf->hf.hs_ext_cert_types, tvb, offset,
8668 cert_list_length, cert_list_length);
8669 proto_item_append_text(ti, " (%d)", cert_list_length);
8670
8671 /* make this a subtree */
8672 cert_list_tree = proto_item_add_subtree(ti, hf->ett.hs_ext_cert_types);
8673
8674 /* loop over all point formats */
8675 while (cert_list_length > 0)
8676 {
8677 proto_tree_add_item(cert_list_tree, hf->hf.hs_ext_cert_type, tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
8678 offset++;
8679 cert_list_length--;
8680 }
8681 break;
8682 case SSL_HND_SERVER_HELLO:
8683 case SSL_HND_ENCRYPTED_EXTENSIONS:
8684 case SSL_HND_CERTIFICATE:
8685 cert_type = tvb_get_uint8(tvb, offset);
8686 proto_tree_add_item(tree, hf->hf.hs_ext_cert_type, tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
8687 offset += 1;
8688 if (ext_type == SSL_HND_HELLO_EXT_CERT_TYPE9 || ext_type == SSL_HND_HELLO_EXT_CLIENT_CERT_TYPE19) {
8689 session->client_cert_type = cert_type;
8690 }
8691 if (ext_type == SSL_HND_HELLO_EXT_CERT_TYPE9 || ext_type == SSL_HND_HELLO_EXT_SERVER_CERT_TYPE20) {
8692 session->server_cert_type = cert_type;
8693 }
8694 break;
8695 default: /* no default */
8696 break;
8697 }
8698
8699 return offset;
8700}
8701
8702static uint32_t
8703ssl_dissect_hnd_hello_ext_compress_certificate(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8704 proto_tree *tree, uint32_t offset, uint32_t offset_end,
8705 uint8_t hnd_type, SslDecryptSession *ssl _U___attribute__((unused)))
8706{
8707 uint32_t compress_certificate_algorithms_length, next_offset;
8708
8709 /* https://tools.ietf.org/html/draft-ietf-tls-certificate-compression-03#section-3.0
8710 * enum {
8711 * zlib(1),
8712 * brotli(2),
8713 * (65535)
8714 * } CertificateCompressionAlgorithm;
8715 *
8716 * struct {
8717 * CertificateCompressionAlgorithm algorithms<1..2^8-1>;
8718 * } CertificateCompressionAlgorithms;
8719 */
8720 switch (hnd_type) {
8721 case SSL_HND_CLIENT_HELLO:
8722 case SSL_HND_CERT_REQUEST:
8723 /* CertificateCompressionAlgorithm algorithms<1..2^8-1>;*/
8724 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &compress_certificate_algorithms_length,
8725 hf->hf.hs_ext_compress_certificate_algorithms_length, 1, UINT8_MAX(255)-1)) {
8726 return offset_end;
8727 }
8728 offset += 1;
8729 next_offset = offset + compress_certificate_algorithms_length;
8730
8731 while (offset < next_offset) {
8732 proto_tree_add_item(tree, hf->hf.hs_ext_compress_certificate_algorithm,
8733 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
8734 offset += 2;
8735 }
8736 break;
8737 default:
8738 break;
8739 }
8740
8741 return offset;
8742}
8743
8744static uint32_t
8745ssl_dissect_hnd_hello_ext_token_binding(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8746 proto_tree *tree, uint32_t offset, uint32_t offset_end,
8747 uint8_t hnd_type, SslDecryptSession *ssl _U___attribute__((unused)))
8748{
8749 uint32_t key_parameters_length, next_offset;
8750 proto_item *p_ti;
8751 proto_tree *p_tree;
8752
8753 /* RFC 8472
8754 *
8755 * struct {
8756 * uint8 major;
8757 * uint8 minor;
8758 * } TB_ProtocolVersion;
8759 *
8760 * enum {
8761 * rsa2048_pkcs1.5(0), rsa2048_pss(1), ecdsap256(2), (255)
8762 * } TokenBindingKeyParameters;
8763 *
8764 * struct {
8765 * TB_ProtocolVersion token_binding_version;
8766 * TokenBindingKeyParameters key_parameters_list<1..2^8-1>
8767 * } TokenBindingParameters;
8768 */
8769
8770 switch (hnd_type) {
8771 case SSL_HND_CLIENT_HELLO:
8772 case SSL_HND_SERVER_HELLO:
8773 proto_tree_add_item(tree, hf->hf.hs_ext_token_binding_version_major, tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
8774 offset += 1;
8775 proto_tree_add_item(tree, hf->hf.hs_ext_token_binding_version_minor, tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
8776 offset += 1;
8777
8778 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &key_parameters_length,
8779 hf->hf.hs_ext_token_binding_key_parameters_length, 1, UINT8_MAX(255))) {
8780 return offset_end;
8781 }
8782 offset += 1;
8783 next_offset = offset + key_parameters_length;
8784
8785 p_ti = proto_tree_add_none_format(tree,
8786 hf->hf.hs_ext_token_binding_key_parameters,
8787 tvb, offset, key_parameters_length,
8788 "Key parameters identifiers (%d identifier%s)",
8789 key_parameters_length,
8790 plurality(key_parameters_length, "", "s")((key_parameters_length) == 1 ? ("") : ("s")));
8791 p_tree = proto_item_add_subtree(p_ti, hf->ett.hs_ext_token_binding_key_parameters);
8792
8793 while (offset < next_offset) {
8794 proto_tree_add_item(p_tree, hf->hf.hs_ext_token_binding_key_parameter,
8795 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
8796 offset += 1;
8797 }
8798
8799 if (!ssl_end_vector(hf, tvb, pinfo, p_tree, offset, next_offset)) {
8800 offset = next_offset;
8801 }
8802
8803 break;
8804 default:
8805 break;
8806 }
8807
8808 return offset;
8809}
8810
8811static uint32_t
8812ssl_dissect_hnd_hello_ext_quic_transport_parameters(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8813 proto_tree *tree, uint32_t offset, uint32_t offset_end,
8814 uint8_t hnd_type, SslDecryptSession *ssl _U___attribute__((unused)))
8815{
8816 bool_Bool use_varint_encoding = true1; // Whether this is draft -27 or newer.
8817 uint32_t next_offset;
8818
8819 /* https://tools.ietf.org/html/draft-ietf-quic-transport-25#section-18
8820 *
8821 * Note: the following structures are not literally defined in the spec,
8822 * they instead use an ASCII diagram.
8823 *
8824 * struct {
8825 * uint16 id;
8826 * opaque value<0..2^16-1>;
8827 * } TransportParameter; // before draft -27
8828 * TransportParameter TransportParameters<0..2^16-1>; // before draft -27
8829 *
8830 * struct {
8831 * opaque ipv4Address[4];
8832 * uint16 ipv4Port;
8833 * opaque ipv6Address[16];
8834 * uint16 ipv6Port;
8835 * opaque connectionId<0..18>;
8836 * opaque statelessResetToken[16];
8837 * } PreferredAddress;
8838 */
8839
8840 if (offset_end - offset >= 6 &&
8841 2 + (unsigned)tvb_get_ntohs(tvb, offset) == offset_end - offset &&
8842 6 + (unsigned)tvb_get_ntohs(tvb, offset + 4) <= offset_end - offset) {
8843 // Assume encoding of Transport Parameters draft -26 or older with at
8844 // least one transport parameter that has a valid length.
8845 use_varint_encoding = false0;
8846 }
8847
8848 if (use_varint_encoding) {
8849 next_offset = offset_end;
8850 } else {
8851 uint32_t quic_length;
8852 // Assume draft -26 or earlier.
8853 /* TransportParameter TransportParameters<0..2^16-1>; */
8854 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &quic_length,
8855 hf->hf.hs_ext_quictp_len, 0, UINT16_MAX(65535))) {
8856 return offset_end;
8857 }
8858 offset += 2;
8859 next_offset = offset + quic_length;
8860 }
8861
8862 while (offset < next_offset) {
8863 uint64_t parameter_type; /* 62-bit space */
8864 uint32_t parameter_length;
8865 proto_tree *parameter_tree;
8866 uint32_t parameter_end_offset;
8867 uint64_t value;
8868 uint32_t i;
8869 int len = 0;
8870
8871 parameter_tree = proto_tree_add_subtree(tree, tvb, offset, 2, hf->ett.hs_ext_quictp_parameter,
8872 NULL((void*)0), "Parameter");
8873 /* TransportParameter ID and Length. */
8874 if (use_varint_encoding) {
8875 uint64_t parameter_length64;
8876 int type_len = 0;
8877
8878 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_type,
8879 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &parameter_type, &type_len);
8880 offset += type_len;
8881
8882 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_len,
8883 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &parameter_length64, &len);
8884 parameter_length = (uint32_t)parameter_length64;
8885 offset += len;
8886
8887 proto_item_set_len(parameter_tree, type_len + len + parameter_length);
8888 } else {
8889 parameter_type = tvb_get_ntohs(tvb, offset);
8890 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_type,
8891 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
8892 offset += 2;
8893
8894 /* opaque value<0..2^16-1> */
8895 if (!ssl_add_vector(hf, tvb, pinfo, parameter_tree, offset, next_offset, &parameter_length,
8896 hf->hf.hs_ext_quictp_parameter_len_old, 0, UINT16_MAX(65535))) {
8897 return next_offset;
8898 }
8899 offset += 2;
8900
8901 proto_item_set_len(parameter_tree, 4 + parameter_length);
8902 }
8903
8904 if (IS_GREASE_QUIC(parameter_type)((parameter_type) > 27 ? ((((parameter_type) - 27) % 31) ==
0) : 0)) {
8905 proto_item_append_text(parameter_tree, ": GREASE");
8906 } else {
8907 proto_item_append_text(parameter_tree, ": %s", val64_to_str_wmem(pinfo->pool, parameter_type, quic_transport_parameter_id, "Unknown 0x%04x"));
8908 }
8909
8910 proto_item_append_text(parameter_tree, " (len=%u)", parameter_length);
8911 parameter_end_offset = offset + parameter_length;
8912
8913 /* Omit the value field if the parameter's length is 0. */
8914 if (parameter_length != 0) {
8915 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_value,
8916 tvb, offset, parameter_length, ENC_NA0x00000000);
8917 }
8918
8919 switch (parameter_type) {
8920 case SSL_HND_QUIC_TP_ORIGINAL_DESTINATION_CONNECTION_ID0x00:
8921 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_original_destination_connection_id,
8922 tvb, offset, parameter_length, ENC_NA0x00000000);
8923 offset += parameter_length;
8924 break;
8925 case SSL_HND_QUIC_TP_MAX_IDLE_TIMEOUT0x01:
8926 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_max_idle_timeout,
8927 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8928 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u" " ms", value);
8929 offset += len;
8930 break;
8931 case SSL_HND_QUIC_TP_STATELESS_RESET_TOKEN0x02:
8932 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_stateless_reset_token,
8933 tvb, offset, 16, ENC_BIG_ENDIAN0x00000000);
8934 quic_add_stateless_reset_token(pinfo, tvb, offset, NULL((void*)0));
8935 offset += 16;
8936 break;
8937 case SSL_HND_QUIC_TP_MAX_UDP_PAYLOAD_SIZE0x03:
8938 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_max_udp_payload_size,
8939 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8940 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8941 /*TODO display expert info about invalid value (< 1252 or >65527) ? */
8942 offset += len;
8943 break;
8944 case SSL_HND_QUIC_TP_INITIAL_MAX_DATA0x04:
8945 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_data,
8946 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8947 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8948 offset += len;
8949 break;
8950 case SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_BIDI_LOCAL0x05:
8951 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_stream_data_bidi_local,
8952 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8953 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8954 offset += len;
8955 break;
8956 case SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_BIDI_REMOTE0x06:
8957 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_stream_data_bidi_remote,
8958 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8959 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8960 offset += len;
8961 break;
8962 case SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_UNI0x07:
8963 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_stream_data_uni,
8964 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8965 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8966 offset += len;
8967 break;
8968 case SSL_HND_QUIC_TP_INITIAL_MAX_STREAMS_UNI0x09:
8969 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_streams_uni,
8970 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8971 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8972 offset += len;
8973 break;
8974 case SSL_HND_QUIC_TP_INITIAL_MAX_STREAMS_BIDI0x08:
8975 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_streams_bidi,
8976 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8977 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8978 offset += len;
8979 break;
8980 case SSL_HND_QUIC_TP_ACK_DELAY_EXPONENT0x0a:
8981 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_ack_delay_exponent,
8982 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, NULL((void*)0), &len);
8983 /*TODO display multiplier (x8) and expert info about invalid value (> 20) ? */
8984 offset += len;
8985 break;
8986 case SSL_HND_QUIC_TP_MAX_ACK_DELAY0x0b:
8987 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_max_ack_delay,
8988 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8989 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8990 offset += len;
8991 break;
8992 case SSL_HND_QUIC_TP_DISABLE_ACTIVE_MIGRATION0x0c:
8993 /* No Payload */
8994 break;
8995 case SSL_HND_QUIC_TP_PREFERRED_ADDRESS0x0d: {
8996 uint32_t connectionid_length;
8997 quic_cid_t cid;
8998
8999 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_ipv4address,
9000 tvb, offset, 4, ENC_BIG_ENDIAN0x00000000);
9001 offset += 4;
9002 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_ipv4port,
9003 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
9004 offset += 2;
9005 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_ipv6address,
9006 tvb, offset, 16, ENC_NA0x00000000);
9007 offset += 16;
9008 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_ipv6port,
9009 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
9010 offset += 2;
9011 /* XXX - Should we add these addresses and ports as addresses that the client
9012 * is allowed / expected to migrate the server address to? Right now we don't
9013 * enforce that (see RFC 9000 Section 9, which implies that while the client
9014 * can migrate to whatever address it wants, it can only migrate the server
9015 * address to the Server's Preferred Address as in 9.6. Also Issue #20165.)
9016 */
9017
9018 if (!ssl_add_vector(hf, tvb, pinfo, parameter_tree, offset, offset_end, &connectionid_length,
9019 hf->hf.hs_ext_quictp_parameter_pa_connectionid_length, 0, 20)) {
9020 break;
9021 }
9022 offset += 1;
9023
9024 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_connectionid,
9025 tvb, offset, connectionid_length, ENC_NA0x00000000);
9026 if (connectionid_length >= 1 && connectionid_length <= QUIC_MAX_CID_LENGTH20) {
9027 cid.len = connectionid_length;
9028 // RFC 9000 5.1.1 "If the preferred_address transport
9029 // parameter is sent, the sequence number of the supplied
9030 // connection ID is 1."
9031 cid.seq_num = 1;
9032 // Multipath draft-07 "Also, the Path Identifier for the
9033 // connection ID specified in the "preferred address"
9034 // transport parameter is 0."
9035 cid.path_id = 0;
9036 tvb_memcpy(tvb, cid.cid, offset, connectionid_length);
9037 quic_add_connection(pinfo, &cid);
9038 }
9039 offset += connectionid_length;
9040
9041 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_statelessresettoken,
9042 tvb, offset, 16, ENC_NA0x00000000);
9043 if (connectionid_length >= 1 && connectionid_length <= QUIC_MAX_CID_LENGTH20) {
9044 quic_add_stateless_reset_token(pinfo, tvb, offset, &cid);
9045 }
9046 offset += 16;
9047 }
9048 break;
9049 case SSL_HND_QUIC_TP_ACTIVE_CONNECTION_ID_LIMIT0x0e:
9050 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_active_connection_id_limit,
9051 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9052 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
9053 offset += len;
9054 break;
9055 case SSL_HND_QUIC_TP_INITIAL_SOURCE_CONNECTION_ID0x0f:
9056 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_source_connection_id,
9057 tvb, offset, parameter_length, ENC_NA0x00000000);
9058 offset += parameter_length;
9059 break;
9060 case SSL_HND_QUIC_TP_RETRY_SOURCE_CONNECTION_ID0x10:
9061 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_retry_source_connection_id,
9062 tvb, offset, parameter_length, ENC_NA0x00000000);
9063 offset += parameter_length;
9064 break;
9065 case SSL_HND_QUIC_TP_MAX_DATAGRAM_FRAME_SIZE0x20:
9066 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_max_datagram_frame_size,
9067 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9068 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
9069 offset += len;
9070 break;
9071 case SSL_HND_QUIC_TP_CIBIR_ENCODING0x1000:
9072 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_cibir_encoding_length,
9073 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9074 proto_item_append_text(parameter_tree, " Length: %" PRIu64"l" "u", value);
9075 offset += len;
9076 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_cibir_encoding_offset,
9077 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9078 proto_item_append_text(parameter_tree, ", Offset: %" PRIu64"l" "u", value);
9079 offset += len;
9080 break;
9081 case SSL_HND_QUIC_TP_LOSS_BITS0x1057:
9082 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_loss_bits,
9083 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9084 if (len > 0) {
9085 quic_add_loss_bits(pinfo, value);
9086 }
9087 offset += 1;
9088 break;
9089 case SSL_HND_QUIC_TP_ADDRESS_DISCOVERY0x9f81a176:
9090 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_address_discovery,
9091 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, NULL((void*)0), &len);
9092 offset += len;
9093 break;
9094 case SSL_HND_QUIC_TP_MIN_ACK_DELAY_OLD0xde1a:
9095 case SSL_HND_QUIC_TP_MIN_ACK_DELAY_DRAFT_V10xFF03DE1A:
9096 case SSL_HND_QUIC_TP_MIN_ACK_DELAY_DRAFT050xff04de1a:
9097 case SSL_HND_QUIC_TP_MIN_ACK_DELAY0xff04de1b:
9098 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_min_ack_delay,
9099 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9100 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
9101 offset += len;
9102 break;
9103 case SSL_HND_QUIC_TP_GOOGLE_USER_AGENT0x3129:
9104 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_user_agent_id,
9105 tvb, offset, parameter_length, ENC_ASCII0x00000000|ENC_NA0x00000000);
9106 offset += parameter_length;
9107 break;
9108 case SSL_HND_QUIC_TP_GOOGLE_KEY_UPDATE_NOT_YET_SUPPORTED0x312B:
9109 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_key_update_not_yet_supported,
9110 tvb, offset, parameter_length, ENC_NA0x00000000);
9111 offset += parameter_length;
9112 break;
9113 case SSL_HND_QUIC_TP_GOOGLE_QUIC_VERSION0x4752:
9114 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_quic_version,
9115 tvb, offset, 4, ENC_BIG_ENDIAN0x00000000);
9116 offset += 4;
9117 if (hnd_type == SSL_HND_ENCRYPTED_EXTENSIONS) { /* From server */
9118 uint32_t versions_length;
9119
9120 proto_tree_add_item_ret_uint(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_supported_versions_length,
9121 tvb, offset, 1, ENC_NA0x00000000, &versions_length);
9122 offset += 1;
9123 for (i = 0; i < versions_length / 4; i++) {
9124 quic_proto_tree_add_version(tvb, parameter_tree,
9125 hf->hf.hs_ext_quictp_parameter_google_supported_version, offset);
9126 offset += 4;
9127 }
9128 }
9129 break;
9130 case SSL_HND_QUIC_TP_GOOGLE_INITIAL_RTT0x3127:
9131 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_initial_rtt,
9132 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9133 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u" " us", value);
9134 offset += len;
9135 break;
9136 case SSL_HND_QUIC_TP_GOOGLE_SUPPORT_HANDSHAKE_DONE0x312A:
9137 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_support_handshake_done,
9138 tvb, offset, parameter_length, ENC_NA0x00000000);
9139 offset += parameter_length;
9140 break;
9141 case SSL_HND_QUIC_TP_GOOGLE_QUIC_PARAMS0x4751:
9142 /* This field was used for non-standard Google-specific parameters encoded as a
9143 * Google QUIC_CRYPTO CHLO and it has been replaced (version >= T051) by individual
9144 * parameters. Report it as a bytes blob... */
9145 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_quic_params,
9146 tvb, offset, parameter_length, ENC_NA0x00000000);
9147 /* ... and try decoding it: not sure what the first 4 bytes are (but they seems to be always 0) */
9148 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_quic_params_unknown_field,
9149 tvb, offset, 4, ENC_NA0x00000000);
9150 dissect_gquic_tags(tvb, pinfo, parameter_tree, offset + 4);
9151 offset += parameter_length;
9152 break;
9153 case SSL_HND_QUIC_TP_GOOGLE_CONNECTION_OPTIONS0x3128:
9154 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_connection_options,
9155 tvb, offset, parameter_length, ENC_NA0x00000000);
9156 offset += parameter_length;
9157 break;
9158 case SSL_HND_QUIC_TP_ENABLE_TIME_STAMP0x7157:
9159 /* No Payload */
9160 break;
9161 case SSL_HND_QUIC_TP_ENABLE_TIME_STAMP_V20x7158:
9162 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_enable_time_stamp_v2,
9163 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9164 offset += parameter_length;
9165 break;
9166 case SSL_HND_QUIC_TP_VERSION_INFORMATION_DRAFT0xff73db:
9167 case SSL_HND_QUIC_TP_VERSION_INFORMATION0x11:
9168 quic_proto_tree_add_version(tvb, parameter_tree,
9169 hf->hf.hs_ext_quictp_parameter_chosen_version, offset);
9170 offset += 4;
9171 for (i = 4; i < parameter_length; i += 4) {
9172 quic_proto_tree_add_version(tvb, parameter_tree,
9173 hf->hf.hs_ext_quictp_parameter_other_version, offset);
9174 offset += 4;
9175 }
9176 break;
9177 case SSL_HND_QUIC_TP_GREASE_QUIC_BIT0x2ab2:
9178 /* No Payload */
9179 quic_add_grease_quic_bit(pinfo);
9180 break;
9181 case SSL_HND_QUIC_TP_FACEBOOK_PARTIAL_RELIABILITY0xFF00:
9182 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_facebook_partial_reliability,
9183 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9184 offset += parameter_length;
9185 break;
9186 case SSL_HND_QUIC_TP_ENABLE_MULTIPATH_DRAFT040x0f739bbc1b666d04:
9187 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_enable_multipath,
9188 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9189 if (value == 1) {
9190 quic_add_multipath(pinfo, QUIC_MP_NO_PATH_ID1);
9191 }
9192 offset += parameter_length;
9193 break;
9194 case SSL_HND_QUIC_TP_ENABLE_MULTIPATH_DRAFT050x0f739bbc1b666d05:
9195 case SSL_HND_QUIC_TP_ENABLE_MULTIPATH0x0f739bbc1b666d06:
9196 /* No Payload */
9197 quic_add_multipath(pinfo, QUIC_MP_NO_PATH_ID1);
9198 break;
9199 case SSL_HND_QUIC_TP_INITIAL_MAX_PATHS0x0f739bbc1b666d07:
9200 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_paths,
9201 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9202 if (value > 1) {
9203 quic_add_multipath(pinfo, QUIC_MP_PATH_ID2);
9204 }
9205 /* multipath draft-07: "The value of the initial_max_paths
9206 * parameter MUST be at least 2." TODO: Expert Info? */
9207 offset += parameter_length;
9208 break;
9209 case SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT090x0f739bbc1b666d09:
9210 case SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT110x0f739bbc1b666d11:
9211 case SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT120x0f739bbc1b666d0c:
9212 case SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT130x0f739bbc1b666d0d:
9213 case SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID0x3e:
9214 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_path_id,
9215 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9216 /* multipath draft-09 and later: "If an endpoint receives an
9217 * initial_max_path_id transport parameter with value 0, the
9218 * peer aims to enable the multipath extension without allowing
9219 * extra paths immediately."
9220 */
9221 quic_add_multipath(pinfo, QUIC_MP_PATH_ID2);
9222 offset += parameter_length;
9223 break;
9224 default:
9225 offset += parameter_length;
9226 /*TODO display expert info about unknown ? */
9227 break;
9228 }
9229
9230 if (!ssl_end_vector(hf, tvb, pinfo, parameter_tree, offset, parameter_end_offset)) {
9231 /* Dissection did not end at expected location, fix it. */
9232 offset = parameter_end_offset;
9233 }
9234 }
9235
9236 return offset;
9237}
9238
9239static int
9240ssl_dissect_hnd_hello_common(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9241 proto_tree *tree, uint32_t offset,
9242 SslSession *session, SslDecryptSession *ssl,
9243 bool_Bool from_server, bool_Bool is_hrr)
9244{
9245 uint8_t sessid_length;
9246 proto_item *ti;
9247 proto_tree *rnd_tree;
9248 proto_tree *ti_rnd;
9249 proto_tree *ech_confirm_tree;
9250 uint8_t draft_version = session->tls13_draft_version;
9251
9252 if (ssl) {
9253 StringInfo *rnd;
9254 if (from_server)
9255 rnd = &ssl->server_random;
9256 else
9257 rnd = &ssl->client_random;
9258
9259 /* save provided random for later keyring generation */
9260 tvb_memcpy(tvb, rnd->data, offset, 32);
9261 rnd->data_len = 32;
9262 if (from_server)
9263 ssl->state |= SSL_SERVER_RANDOM(1<<1);
9264 else
9265 ssl->state |= SSL_CLIENT_RANDOM(1<<0);
9266 ssl_debug_printf("%s found %s RANDOM -> state 0x%02X\n", G_STRFUNC((const char*) (__func__)),
9267 from_server ? "SERVER" : "CLIENT", ssl->state);
9268 }
9269
9270 if (!from_server && session->client_random.data_len == 0) {
9271 session->client_random.data_len = 32;
9272 tvb_memcpy(tvb, session->client_random.data, offset, 32);
9273 }
9274
9275 ti_rnd = proto_tree_add_item(tree, hf->hf.hs_random, tvb, offset, 32, ENC_NA0x00000000);
9276
9277 if ((session->version != TLSV1DOT3_VERSION0x304) && (session->version != DTLSV1DOT3_VERSION0xfefc)) { /* No time on first bytes random with TLS 1.3 */
9278
9279 rnd_tree = proto_item_add_subtree(ti_rnd, hf->ett.hs_random);
9280 /* show the time */
9281 proto_tree_add_item(rnd_tree, hf->hf.hs_random_time,
9282 tvb, offset, 4, ENC_TIME_SECS0x00000012|ENC_BIG_ENDIAN0x00000000);
9283 offset += 4;
9284
9285 /* show the random bytes */
9286 proto_tree_add_item(rnd_tree, hf->hf.hs_random_bytes,
9287 tvb, offset, 28, ENC_NA0x00000000);
9288 offset += 28;
9289 } else {
9290 if (is_hrr) {
9291 proto_item_append_text(ti_rnd, " (HelloRetryRequest magic)");
9292 } else if (from_server && session->ech) {
9293 ech_confirm_tree = proto_item_add_subtree(ti_rnd, hf->ett.hs_random);
9294 proto_tree_add_item(ech_confirm_tree, hf->hf.hs_ech_confirm, tvb, offset + 24, 8, ENC_NA0x00000000);
9295 ti = proto_tree_add_bytes_with_length(ech_confirm_tree, hf->hf.hs_ech_confirm_compute, tvb, offset + 24, 0,
9296 session->ech_confirmation, 8);
9297 proto_item_set_generated(ti);
9298 if (memcmp(session->ech_confirmation, tvb_get_ptr(tvb, offset+24, 8), 8)) {
9299 expert_add_info(pinfo, ti, &hf->ei.ech_rejected);
9300 } else {
9301 expert_add_info(pinfo, ti, &hf->ei.ech_accepted);
9302 }
9303 }
9304
9305 offset += 32;
9306 }
9307
9308 /* No Session ID with TLS 1.3 on Server Hello before draft -22 */
9309 if (from_server == 0 || !(session->version == TLSV1DOT3_VERSION0x304 && draft_version > 0 && draft_version < 22)) {
9310 /* show the session id (length followed by actual Session ID) */
9311 sessid_length = tvb_get_uint8(tvb, offset);
9312 proto_tree_add_item(tree, hf->hf.hs_session_id_len,
9313 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
9314 offset++;
9315
9316 if (ssl) {
9317 /* save the authoritative SID for later use in ChangeCipherSpec.
9318 * (D)TLS restricts the SID to 32 chars, it does not make sense to
9319 * save more, so ignore larger ones. To support ECH, also save
9320 * the SID from the ClientHelloOuter. */
9321 if (sessid_length <= 32 && (from_server || sessid_length > 0)) {
9322 tvb_memcpy(tvb, ssl->session_id.data, offset, sessid_length);
9323 ssl->session_id.data_len = sessid_length;
9324 }
9325 }
9326 if (sessid_length > 0) {
9327 proto_tree_add_item(tree, hf->hf.hs_session_id,
9328 tvb, offset, sessid_length, ENC_NA0x00000000);
9329 offset += sessid_length;
9330 }
9331 }
9332
9333 return offset;
9334}
9335
9336static int
9337ssl_dissect_hnd_hello_ext_status_request(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9338 proto_tree *tree, uint32_t offset, uint32_t offset_end,
9339 bool_Bool has_length)
9340{
9341 /* TLS 1.2/1.3 status_request Client Hello Extension.
9342 * TLS 1.2 status_request_v2 CertificateStatusRequestItemV2 type.
9343 * https://tools.ietf.org/html/rfc6066#section-8 (status_request)
9344 * https://tools.ietf.org/html/rfc6961#section-2.2 (status_request_v2)
9345 * struct {
9346 * CertificateStatusType status_type;
9347 * uint16 request_length; // for status_request_v2
9348 * select (status_type) {
9349 * case ocsp: OCSPStatusRequest;
9350 * case ocsp_multi: OCSPStatusRequest;
9351 * } request;
9352 * } CertificateStatusRequest; // CertificateStatusRequestItemV2
9353 *
9354 * enum { ocsp(1), ocsp_multi(2), (255) } CertificateStatusType;
9355 * struct {
9356 * ResponderID responder_id_list<0..2^16-1>;
9357 * Extensions request_extensions;
9358 * } OCSPStatusRequest;
9359 * opaque ResponderID<1..2^16-1>;
9360 * opaque Extensions<0..2^16-1>;
9361 */
9362 unsigned cert_status_type;
9363
9364 cert_status_type = tvb_get_uint8(tvb, offset);
9365 proto_tree_add_item(tree, hf->hf.hs_ext_cert_status_type,
9366 tvb, offset, 1, ENC_NA0x00000000);
9367 offset++;
9368
9369 if (has_length) {
9370 proto_tree_add_item(tree, hf->hf.hs_ext_cert_status_request_len,
9371 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
9372 offset += 2;
9373 }
9374
9375 switch (cert_status_type) {
9376 case SSL_HND_CERT_STATUS_TYPE_OCSP1:
9377 case SSL_HND_CERT_STATUS_TYPE_OCSP_MULTI2:
9378 {
9379 uint32_t responder_id_list_len;
9380 uint32_t request_extensions_len;
9381
9382 /* ResponderID responder_id_list<0..2^16-1> */
9383 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &responder_id_list_len,
9384 hf->hf.hs_ext_cert_status_responder_id_list_len, 0, UINT16_MAX(65535))) {
9385 return offset_end;
9386 }
9387 offset += 2;
9388 if (responder_id_list_len != 0) {
9389 proto_tree_add_expert_format(tree, pinfo, &hf->ei.hs_ext_cert_status_undecoded,
9390 tvb, offset, responder_id_list_len,
9391 "Responder ID list is not implemented, contact Wireshark"
9392 " developers if you want this to be supported");
9393 }
9394 offset += responder_id_list_len;
9395
9396 /* opaque Extensions<0..2^16-1> */
9397 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &request_extensions_len,
9398 hf->hf.hs_ext_cert_status_request_extensions_len, 0, UINT16_MAX(65535))) {
9399 return offset_end;
9400 }
9401 offset += 2;
9402 if (request_extensions_len != 0) {
9403 proto_tree_add_expert_format(tree, pinfo, &hf->ei.hs_ext_cert_status_undecoded,
9404 tvb, offset, request_extensions_len,
9405 "Request Extensions are not implemented, contact"
9406 " Wireshark developers if you want this to be supported");
9407 }
9408 offset += request_extensions_len;
9409 break;
9410 }
9411 }
9412
9413 return offset;
9414}
9415
9416static unsigned
9417ssl_dissect_hnd_hello_ext_status_request_v2(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9418 proto_tree *tree, uint32_t offset, uint32_t offset_end)
9419{
9420 /* https://tools.ietf.org/html/rfc6961#section-2.2
9421 * struct {
9422 * CertificateStatusRequestItemV2 certificate_status_req_list<1..2^16-1>;
9423 * } CertificateStatusRequestListV2;
9424 */
9425 uint32_t req_list_length, next_offset;
9426
9427 /* CertificateStatusRequestItemV2 certificate_status_req_list<1..2^16-1> */
9428 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &req_list_length,
9429 hf->hf.hs_ext_cert_status_request_list_len, 1, UINT16_MAX(65535))) {
9430 return offset_end;
9431 }
9432 offset += 2;
9433 next_offset = offset + req_list_length;
9434
9435 while (offset < next_offset) {
9436 offset = ssl_dissect_hnd_hello_ext_status_request(hf, tvb, pinfo, tree, offset, next_offset, true1);
9437 }
9438
9439 return offset;
9440}
9441
9442static uint32_t
9443tls_dissect_ocsp_response(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
9444 uint32_t offset, uint32_t offset_end)
9445{
9446 uint32_t response_length;
9447 proto_item *ocsp_resp;
9448 proto_tree *ocsp_resp_tree;
9449 asn1_ctx_t asn1_ctx;
9450
9451 /* opaque OCSPResponse<1..2^24-1>; */
9452 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &response_length,
9453 hf->hf.hs_ocsp_response_len, 1, G_MAXUINT24((1U << 24) - 1))) {
9454 return offset_end;
9455 }
9456 offset += 3;
9457
9458 ocsp_resp = proto_tree_add_item(tree, proto_ocsp, tvb, offset,
9459 response_length, ENC_BIG_ENDIAN0x00000000);
9460 proto_item_set_text(ocsp_resp, "OCSP Response");
9461 ocsp_resp_tree = proto_item_add_subtree(ocsp_resp, hf->ett.ocsp_response);
9462 if (proto_is_protocol_enabled(find_protocol_by_id(proto_ocsp))) {
9463 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true1, pinfo);
9464 dissect_ocsp_OCSPResponse(false0, tvb, offset, &asn1_ctx, ocsp_resp_tree, -1);
9465 }
9466 offset += response_length;
9467
9468 return offset;
9469}
9470
9471uint32_t
9472tls_dissect_hnd_certificate_status(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9473 proto_tree *tree, uint32_t offset, uint32_t offset_end)
9474{
9475 /* TLS 1.2 "CertificateStatus" handshake message.
9476 * TLS 1.3 "status_request" Certificate extension.
9477 * struct {
9478 * CertificateStatusType status_type;
9479 * select (status_type) {
9480 * case ocsp: OCSPResponse;
9481 * case ocsp_multi: OCSPResponseList; // status_request_v2
9482 * } response;
9483 * } CertificateStatus;
9484 * opaque OCSPResponse<1..2^24-1>;
9485 * struct {
9486 * OCSPResponse ocsp_response_list<1..2^24-1>;
9487 * } OCSPResponseList; // status_request_v2
9488 */
9489 uint32_t status_type, resp_list_length, next_offset;
9490
9491 proto_tree_add_item_ret_uint(tree, hf->hf.hs_ext_cert_status_type,
9492 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000, &status_type);
9493 offset += 1;
9494
9495 switch (status_type) {
9496 case SSL_HND_CERT_STATUS_TYPE_OCSP1:
9497 offset = tls_dissect_ocsp_response(hf, tvb, pinfo, tree, offset, offset_end);
9498 break;
9499
9500 case SSL_HND_CERT_STATUS_TYPE_OCSP_MULTI2:
9501 /* OCSPResponse ocsp_response_list<1..2^24-1> */
9502 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &resp_list_length,
9503 hf->hf.hs_ocsp_response_list_len, 1, G_MAXUINT24((1U << 24) - 1))) {
9504 return offset_end;
9505 }
9506 offset += 3;
9507 next_offset = offset + resp_list_length;
9508
9509 while (offset < next_offset) {
9510 offset = tls_dissect_ocsp_response(hf, tvb, pinfo, tree, offset, next_offset);
9511 }
9512 break;
9513 }
9514
9515 return offset;
9516}
9517
9518static unsigned
9519ssl_dissect_hnd_hello_ext_supported_groups(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9520 proto_tree *tree, uint32_t offset, uint32_t offset_end,
9521 wmem_strbuf_t *ja3)
9522{
9523 /* RFC 8446 Section 4.2.7
9524 * enum { ..., (0xFFFF) } NamedGroup;
9525 * struct {
9526 * NamedGroup named_group_list<2..2^16-1>
9527 * } NamedGroupList;
9528 *
9529 * NOTE: "NamedCurve" (RFC 4492) is renamed to "NamedGroup" (RFC 7919) and
9530 * the extension itself from "elliptic_curves" to "supported_groups".
9531 */
9532 uint32_t groups_length, next_offset;
9533 proto_tree *groups_tree;
9534 proto_item *ti;
9535 char *ja3_dash = "";
9536
9537 /* NamedGroup named_group_list<2..2^16-1> */
9538 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &groups_length,
9539 hf->hf.hs_ext_supported_groups_len, 2, UINT16_MAX(65535))) {
9540 return offset_end;
9541 }
9542 offset += 2;
9543 next_offset = offset + groups_length;
9544
9545 ti = proto_tree_add_none_format(tree,
9546 hf->hf.hs_ext_supported_groups,
9547 tvb, offset, groups_length,
9548 "Supported Groups (%d group%s)",
9549 groups_length / 2,
9550 plurality(groups_length/2, "", "s")((groups_length/2) == 1 ? ("") : ("s")));
9551
9552 /* make this a subtree */
9553 groups_tree = proto_item_add_subtree(ti, hf->ett.hs_ext_groups);
9554
9555 if (ja3) {
9556 wmem_strbuf_append_c(ja3, ',');
9557 }
9558 /* loop over all groups */
9559 while (offset + 2 <= offset_end) {
9560 uint32_t ext_supported_group;
9561
9562 proto_tree_add_item_ret_uint(groups_tree, hf->hf.hs_ext_supported_group, tvb, offset, 2,
9563 ENC_BIG_ENDIAN0x00000000, &ext_supported_group);
9564 offset += 2;
9565 if (ja3 && !IS_GREASE_TLS(ext_supported_group)((((ext_supported_group) & 0x0f0f) == 0x0a0a) && (
((ext_supported_group) & 0xff) == (((ext_supported_group)
>>8) & 0xff)))) {
9566 wmem_strbuf_append_printf(ja3, "%s%i",ja3_dash, ext_supported_group);
9567 ja3_dash = "-";
9568 }
9569 }
9570 if (!ssl_end_vector(hf, tvb, pinfo, groups_tree, offset, next_offset)) {
9571 offset = next_offset;
9572 }
9573
9574 return offset;
9575}
9576
9577static int
9578ssl_dissect_hnd_hello_ext_ec_point_formats(ssl_common_dissect_t *hf, tvbuff_t *tvb,
9579 proto_tree *tree, uint32_t offset, wmem_strbuf_t *ja3)
9580{
9581 uint8_t ecpf_length;
9582 proto_tree *ecpf_tree;
9583 proto_item *ti;
9584
9585 ecpf_length = tvb_get_uint8(tvb, offset);
9586 proto_tree_add_item(tree, hf->hf.hs_ext_ec_point_formats_len,
9587 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
9588
9589 offset += 1;
9590 ti = proto_tree_add_none_format(tree,
9591 hf->hf.hs_ext_ec_point_formats,
9592 tvb, offset, ecpf_length,
9593 "Elliptic curves point formats (%d)",
9594 ecpf_length);
9595
9596 /* make this a subtree */
9597 ecpf_tree = proto_item_add_subtree(ti, hf->ett.hs_ext_curves_point_formats);
9598
9599 if (ja3) {
9600 wmem_strbuf_append_c(ja3, ',');
9601 }
9602
9603 /* loop over all point formats */
9604 while (ecpf_length > 0)
9605 {
9606 uint32_t ext_ec_point_format;
9607
9608 proto_tree_add_item_ret_uint(ecpf_tree, hf->hf.hs_ext_ec_point_format, tvb, offset, 1,
9609 ENC_BIG_ENDIAN0x00000000, &ext_ec_point_format);
9610 offset++;
9611 ecpf_length--;
9612 if (ja3) {
9613 wmem_strbuf_append_printf(ja3, "%i", ext_ec_point_format);
9614 if (ecpf_length > 0) {
9615 wmem_strbuf_append_c(ja3, '-');
9616 }
9617 }
9618 }
9619
9620 return offset;
9621}
9622
9623static int
9624ssl_dissect_hnd_hello_ext_srp(ssl_common_dissect_t *hf, tvbuff_t *tvb,
9625 packet_info *pinfo, proto_tree *tree,
9626 uint32_t offset, uint32_t next_offset)
9627{
9628 /* https://tools.ietf.org/html/rfc5054#section-2.8.1
9629 * opaque srp_I<1..2^8-1>;
9630 */
9631 uint32_t username_len;
9632
9633 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, next_offset, &username_len,
9634 hf->hf.hs_ext_srp_len, 1, UINT8_MAX(255))) {
9635 return next_offset;
9636 }
9637 offset++;
9638
9639 proto_tree_add_item(tree, hf->hf.hs_ext_srp_username,
9640 tvb, offset, username_len, ENC_UTF_80x00000002|ENC_NA0x00000000);
9641 offset += username_len;
9642
9643 return offset;
9644}
9645
9646static uint32_t
9647tls_dissect_sct(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
9648 uint32_t offset, uint32_t offset_end, uint16_t version)
9649{
9650 /* https://tools.ietf.org/html/rfc6962#section-3.2
9651 * enum { v1(0), (255) } Version;
9652 * struct {
9653 * opaque key_id[32];
9654 * } LogID;
9655 * opaque CtExtensions<0..2^16-1>;
9656 * struct {
9657 * Version sct_version;
9658 * LogID id;
9659 * uint64 timestamp;
9660 * CtExtensions extensions;
9661 * digitally-signed struct { ... };
9662 * } SignedCertificateTimestamp;
9663 */
9664 uint32_t sct_version;
9665 uint64_t sct_timestamp_ms;
9666 nstime_t sct_timestamp;
9667 uint32_t exts_len;
9668 const char *log_name;
9669
9670 proto_tree_add_item_ret_uint(tree, hf->hf.sct_sct_version, tvb, offset, 1, ENC_NA0x00000000, &sct_version);
9671 offset++;
9672 if (sct_version != 0) {
9673 // TODO expert info about unknown SCT version?
9674 return offset;
9675 }
9676 proto_tree_add_item(tree, hf->hf.sct_sct_logid, tvb, offset, 32, ENC_BIG_ENDIAN0x00000000);
9677 log_name = bytesval_to_str_wmem(pinfo->pool, tvb_get_ptr(tvb, offset, 32), 32, ct_logids, "Unknown Log");
9678 proto_item_append_text(tree, " (%s)", log_name);
9679 offset += 32;
9680 sct_timestamp_ms = tvb_get_ntoh64(tvb, offset);
9681 sct_timestamp.secs = (time_t)(sct_timestamp_ms / 1000);
9682 sct_timestamp.nsecs = (int)((sct_timestamp_ms % 1000) * 1000000);
9683 proto_tree_add_time(tree, hf->hf.sct_sct_timestamp, tvb, offset, 8, &sct_timestamp);
9684 offset += 8;
9685 /* opaque CtExtensions<0..2^16-1> */
9686 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &exts_len,
9687 hf->hf.sct_sct_extensions_length, 0, UINT16_MAX(65535))) {
9688 return offset_end;
9689 }
9690 offset += 2;
9691 if (exts_len > 0) {
9692 proto_tree_add_item(tree, hf->hf.sct_sct_extensions, tvb, offset, exts_len, ENC_BIG_ENDIAN0x00000000);
9693 offset += exts_len;
9694 }
9695 offset = ssl_dissect_digitally_signed(hf, tvb, pinfo, tree, offset, offset_end, version,
9696 hf->hf.sct_sct_signature_length,
9697 hf->hf.sct_sct_signature);
9698 return offset;
9699}
9700
9701uint32_t
9702tls_dissect_sct_list(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
9703 uint32_t offset, uint32_t offset_end, uint16_t version)
9704{
9705 /* https://tools.ietf.org/html/rfc6962#section-3.3
9706 * opaque SerializedSCT<1..2^16-1>;
9707 * struct {
9708 * SerializedSCT sct_list <1..2^16-1>;
9709 * } SignedCertificateTimestampList;
9710 */
9711 uint32_t list_length, sct_length, next_offset;
9712 proto_tree *subtree;
9713
9714 /* SerializedSCT sct_list <1..2^16-1> */
9715 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &list_length,
9716 hf->hf.sct_scts_length, 1, UINT16_MAX(65535))) {
9717 return offset_end;
9718 }
9719 offset += 2;
9720
9721 while (offset < offset_end) {
9722 subtree = proto_tree_add_subtree(tree, tvb, offset, 2, hf->ett.sct, NULL((void*)0), "Signed Certificate Timestamp");
9723
9724 /* opaque SerializedSCT<1..2^16-1> */
9725 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, offset_end, &sct_length,
9726 hf->hf.sct_sct_length, 1, UINT16_MAX(65535))) {
9727 return offset_end;
9728 }
9729 offset += 2;
9730 next_offset = offset + sct_length;
9731 proto_item_set_len(subtree, 2 + sct_length);
9732 offset = tls_dissect_sct(hf, tvb, pinfo, subtree, offset, next_offset, version);
9733 if (!ssl_end_vector(hf, tvb, pinfo, subtree, offset, next_offset)) {
9734 offset = next_offset;
9735 }
9736 }
9737
9738 return offset;
9739}
9740
9741static int
9742dissect_ech_hpke_cipher_suite(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo _U___attribute__((unused)),
9743 proto_tree *tree, uint32_t offset)
9744{
9745 uint32_t kdf_id, aead_id;
9746 proto_item *cs_ti;
9747 proto_tree *cs_tree;
9748
9749 cs_ti = proto_tree_add_item(tree, hf->hf.ech_hpke_keyconfig_cipher_suite,
9750 tvb, offset, 4, ENC_NA0x00000000);
9751 cs_tree = proto_item_add_subtree(cs_ti, hf->ett.ech_hpke_cipher_suite);
9752
9753 proto_tree_add_item_ret_uint(cs_tree, hf->hf.ech_hpke_keyconfig_cipher_suite_kdf_id,
9754 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &kdf_id);
9755 offset += 2;
9756 proto_tree_add_item_ret_uint(cs_tree, hf->hf.ech_hpke_keyconfig_cipher_suite_aead_id,
9757 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &aead_id);
9758 offset += 2;
9759
9760 proto_item_append_text(cs_ti, ": %s/%s",
9761 val_to_str_const(kdf_id, kdf_id_type_vals, "Unknown"),
9762 val_to_str_const(aead_id, aead_id_type_vals, "Unknown"));
9763 return offset;
9764}
9765
9766static int
9767dissect_ech_hpke_key_config(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9768 proto_tree *tree, uint32_t offset, uint32_t offset_end,
9769 uint32_t *config_id)
9770{
9771 uint32_t length, cipher_suite_length;
9772 proto_item *kc_ti, *css_ti;
9773 proto_tree *kc_tree, *css_tree;
9774 uint32_t original_offset = offset, next_offset;
9775
9776 kc_ti = proto_tree_add_item(tree, hf->hf.ech_hpke_keyconfig,
9777 tvb, offset, -1, ENC_NA0x00000000);
9778 kc_tree = proto_item_add_subtree(kc_ti, hf->ett.ech_hpke_keyconfig);
9779
9780 proto_tree_add_item_ret_uint(kc_tree, hf->hf.ech_hpke_keyconfig_config_id,
9781 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000, config_id);
9782 offset += 1;
9783 proto_tree_add_item(kc_tree, hf->hf.ech_hpke_keyconfig_kem_id,
9784 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
9785 offset += 2;
9786 proto_tree_add_item_ret_uint(kc_tree, hf->hf.ech_hpke_keyconfig_public_key_length,
9787 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &length);
9788 offset += 2;
9789 proto_tree_add_item(kc_tree, hf->hf.ech_hpke_keyconfig_public_key,
9790 tvb, offset, length, ENC_NA0x00000000);
9791 offset += length;
9792
9793 /* HpkeSymmetricCipherSuite cipher_suites<4..2^16-4> */
9794 if (!ssl_add_vector(hf, tvb, pinfo, kc_tree, offset, offset_end, &cipher_suite_length,
9795 hf->hf.ech_hpke_keyconfig_cipher_suites_length, 4, UINT16_MAX(65535) - 3)) {
9796 return offset_end;
9797 }
9798 offset += 2;
9799 next_offset = offset + cipher_suite_length;
9800
9801 css_ti = proto_tree_add_none_format(kc_tree,
9802 hf->hf.ech_hpke_keyconfig_cipher_suites,
9803 tvb, offset, cipher_suite_length,
9804 "Cipher Suites (%d suite%s)",
9805 cipher_suite_length / 4,
9806 plurality(cipher_suite_length / 4, "", "s")((cipher_suite_length / 4) == 1 ? ("") : ("s")));
9807 css_tree = proto_item_add_subtree(css_ti, hf->ett.ech_hpke_cipher_suites);
9808
9809
9810 while (offset + 4 <= next_offset) {
9811 offset = dissect_ech_hpke_cipher_suite(hf, tvb, pinfo, css_tree, offset);
9812 }
9813
9814 if (!ssl_end_vector(hf, tvb, pinfo, css_tree, offset, next_offset)) {
9815 offset = next_offset;
9816 }
9817
9818 proto_item_set_len(kc_ti, offset - original_offset);
9819
9820 return offset;
9821}
9822
9823static int
9824dissect_ech_echconfig_contents(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9825 proto_tree *tree, uint32_t offset, uint32_t offset_end,
9826 const uint8_t **public_name, uint32_t *config_id)
9827{
9828 uint32_t public_name_length, extensions_length, next_offset;
9829
9830 offset = dissect_ech_hpke_key_config(hf, tvb, pinfo, tree, offset, offset_end, config_id);
9831 proto_tree_add_item(tree, hf->hf.ech_echconfigcontents_maximum_name_length,
9832 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
9833 offset += 1;
9834 proto_tree_add_item_ret_uint(tree, hf->hf.ech_echconfigcontents_public_name_length,
9835 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000, &public_name_length);
9836 offset += 1;
9837 proto_tree_add_item_ret_string(tree, hf->hf.ech_echconfigcontents_public_name,
9838 tvb, offset, public_name_length, ENC_ASCII0x00000000, pinfo->pool, public_name);
9839 offset += public_name_length;
9840
9841 /* Extension extensions<0..2^16-1>; */
9842 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &extensions_length,
9843 hf->hf.ech_echconfigcontents_extensions_length, 0, UINT16_MAX(65535))) {
9844 return offset_end;
9845 }
9846 offset += 2;
9847 next_offset = offset + extensions_length;
9848
9849 if (extensions_length > 0) {
9850 proto_tree_add_item(tree, hf->hf.ech_echconfigcontents_extensions,
9851 tvb, offset, extensions_length, ENC_NA0x00000000);
9852 }
9853 offset += extensions_length;
9854
9855 if (!ssl_end_vector(hf, tvb, pinfo, tree, offset, next_offset)) {
9856 offset = next_offset;
9857 }
9858
9859 return offset;
9860}
9861
9862static int
9863dissect_ech_echconfig(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9864 proto_tree *tree, uint32_t offset, uint32_t offset_end)
9865{
9866 uint32_t version, length;
9867 proto_item *ech_ti;
9868 proto_tree *ech_tree;
9869 const uint8_t *public_name = NULL((void*)0);
9870 uint32_t config_id = 0;
9871
9872 ech_ti = proto_tree_add_item(tree, hf->hf.ech_echconfig, tvb, offset, -1, ENC_NA0x00000000);
9873 ech_tree = proto_item_add_subtree(ech_ti, hf->ett.ech_echconfig);
9874
9875 proto_tree_add_item_ret_uint(ech_tree, hf->hf.ech_echconfig_version,
9876 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &version);
9877 offset += 2;
9878 proto_tree_add_item_ret_uint(ech_tree, hf->hf.ech_echconfig_length,
9879 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &length);
9880 offset += 2;
9881
9882 proto_item_set_len(ech_ti, 4 + length);
9883
9884 switch(version) {
9885 case 0xfe0d:
9886 dissect_ech_echconfig_contents(hf, tvb, pinfo, ech_tree, offset, offset_end, &public_name, &config_id);
9887 proto_item_append_text(ech_ti, ": id=%d %s", config_id, public_name);
9888 break;
9889
9890 default:
9891 expert_add_info_format(pinfo, ech_ti, &hf->ei.ech_echconfig_invalid_version, "Unsupported/unknown ECHConfig version 0x%x", version);
9892 }
9893
9894 return 4 + length;
9895}
9896
9897uint32_t
9898ssl_dissect_ext_ech_echconfiglist(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9899 proto_tree *tree, uint32_t offset, uint32_t offset_end)
9900{
9901 uint32_t echconfiglist_length, next_offset;
9902
9903 /* ECHConfig ECHConfigList<1..2^16-1>; */
9904 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &echconfiglist_length,
9905 hf->hf.ech_echconfiglist_length, 1, UINT16_MAX(65535))) {
9906 return offset_end;
9907 }
9908 offset += 2;
9909 next_offset = offset + echconfiglist_length;
9910
9911 while (offset < next_offset) {
9912 offset += dissect_ech_echconfig(hf, tvb, pinfo, tree, offset, offset_end);
9913 }
9914
9915 if (!ssl_end_vector(hf, tvb, pinfo, tree, offset, next_offset)) {
9916 offset = next_offset;
9917 }
9918
9919 return offset;
9920}
9921
9922static uint32_t
9923ssl_dissect_hnd_ech_outer_ext(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
9924 uint32_t offset, uint32_t offset_end)
9925{
9926 uint32_t ext_length, next_offset;
9927 proto_tree *ext_tree;
9928 proto_item *ti;
9929
9930 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &ext_length,
9931 hf->hf.hs_ext_ech_outer_ext_len, 2, UINT8_MAX(255))) {
9932 return offset_end;
9933 }
9934 offset += 1;
9935 next_offset = offset + ext_length;
9936
9937 ti = proto_tree_add_none_format(tree,
9938 hf->hf.hs_ext_ech_outer_ext,
9939 tvb, offset, ext_length,
9940 "Outer Extensions (%d extension%s)",
9941 ext_length / 2,
9942 plurality(ext_length/2, "", "s")((ext_length/2) == 1 ? ("") : ("s")));
9943
9944 ext_tree = proto_item_add_subtree(ti, hf->ett.hs_ext);
9945
9946 while (offset + 2 <= offset_end) {
9947 proto_tree_add_item(ext_tree, hf->hf.hs_ext_type, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
9948 offset += 2;
9949 }
9950
9951 if (!ssl_end_vector(hf, tvb, pinfo, ext_tree, offset, next_offset)) {
9952 offset = next_offset;
9953 }
9954
9955 return offset;
9956}
9957
9958static uint32_t
9959// NOLINTNEXTLINE(misc-no-recursion)
9960ssl_dissect_hnd_hello_ext_ech(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9961 proto_tree *tree, uint32_t offset, uint32_t offset_end,
9962 uint8_t hnd_type, SslSession *session, SslDecryptSession *ssl, ssl_master_key_map_t *mk_map)
9963{
9964 uint32_t ch_type, length;
9965 proto_item *ti, *payload_ti;
9966 proto_tree *retry_tree, *payload_tree;
9967 uint32_t hello_length = tvb_reported_length(tvb);
9968
9969 switch (hnd_type) {
9970 case SSL_HND_CLIENT_HELLO:
9971 /*
9972 * enum { outer(0), inner(1) } ECHClientHelloType;
9973 *
9974 * struct {
9975 * ECHClientHelloType type;
9976 * select (ECHClientHello.type) {
9977 * case outer:
9978 * HpkeSymmetricCipherSuite cipher_suite;
9979 * uint8 config_id;
9980 * opaque enc<0..2^16-1>;
9981 * opaque payload<1..2^16-1>;
9982 * case inner:
9983 * Empty;
9984 * };
9985 * } ECHClientHello;
9986 */
9987
9988 proto_tree_add_item_ret_uint(tree, hf->hf.ech_clienthello_type, tvb, offset, 1, ENC_BIG_ENDIAN0x00000000, &ch_type);
9989 offset += 1;
9990 switch (ch_type) {
9991 case 0: /* outer */
9992 if (ssl && session->first_ch_ech_frame == 0) {
9993 session->first_ch_ech_frame = pinfo->num;
9994 }
9995 offset = dissect_ech_hpke_cipher_suite(hf, tvb, pinfo, tree, offset);
9996 uint16_t kdf_id = tvb_get_ntohs(tvb, offset - 4);
9997 uint16_t aead_id = tvb_get_ntohs(tvb, offset - 2);
9998
9999 proto_tree_add_item(tree, hf->hf.ech_config_id, tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
10000 uint8_t config_id = tvb_get_uint8(tvb, offset);
10001 offset += 1;
10002 proto_tree_add_item_ret_uint(tree, hf->hf.ech_enc_length, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &length);
10003 offset += 2;
10004 proto_tree_add_item(tree, hf->hf.ech_enc, tvb, offset, length, ENC_NA0x00000000);
10005 offset += length;
10006 proto_tree_add_item_ret_uint(tree, hf->hf.ech_payload_length, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &length);
10007 offset += 2;
10008 payload_ti = proto_tree_add_item(tree, hf->hf.ech_payload, tvb, offset, length, ENC_NA0x00000000);
10009 offset += length;
10010
10011 if (!mk_map) {
10012 break;
10013 }
10014 if (session->client_random.data_len == 0) {
10015 ssl_debug_printf("%s missing Client Random\n", G_STRFUNC((const char*) (__func__)));
10016 break;
10017 }
10018 StringInfo *ech_secret = (StringInfo *)g_hash_table_lookup(mk_map->ech_secret, &session->client_random);
10019 StringInfo *ech_config = (StringInfo *)g_hash_table_lookup(mk_map->ech_config, &session->client_random);
10020 if (!ech_secret || !ech_config) {
10021 ssl_debug_printf("%s Cannot find ECH_SECRET or ECH_CONFIG, Encrypted Client Hello decryption impossible\n",
10022 G_STRFUNC((const char*) (__func__)));
10023 break;
10024 }
10025
10026 if (hpke_hkdf_len(kdf_id) == 0) {
10027 ssl_debug_printf("Unsupported KDF\n");
10028 break;
10029 }
10030
10031 if (hpke_aead_key_len(aead_id) == 0) {
10032 ssl_debug_printf("Unsupported AEAD\n");
10033 break;
10034 }
10035
10036 size_t aead_nonce_len = hpke_aead_nonce_len(aead_id);
10037
10038 unsigned aead_auth_tag_len = hpke_aead_auth_tag_len(aead_id);
10039 if (length < aead_auth_tag_len) {
10040 ssl_debug_printf("Encrypted payload length %u < Cipher suite authentication tag length %u.\n", length, aead_auth_tag_len);
10041 break;
10042 }
10043 unsigned decrypted_len = length - aead_auth_tag_len;
10044
10045 uint16_t version = GUINT16_FROM_BE(*(uint16_t *)ech_config->data)(((((guint16) ( (guint16) ((guint16) (*(uint16_t *)ech_config
->data) >> 8) | (guint16) ((guint16) (*(uint16_t *)ech_config
->data) << 8))))));
10046 if (version != SSL_HND_HELLO_EXT_ENCRYPTED_CLIENT_HELLO65037) {
10047 ssl_debug_printf("Unexpected version in ECH Config\n");
10048 break;
10049 }
10050 uint32_t ech_config_offset = 2;
10051 if (GUINT16_FROM_BE(*(uint16_t *)(ech_config->data + ech_config_offset))(((((guint16) ( (guint16) ((guint16) (*(uint16_t *)(ech_config
->data + ech_config_offset)) >> 8) | (guint16) ((guint16
) (*(uint16_t *)(ech_config->data + ech_config_offset)) <<
8)))))) != ech_config->data_len - 4) {
10052 ssl_debug_printf("Malformed ECH Config, invalid length\n");
10053 break;
10054 }
10055 ech_config_offset += 2;
10056 if (*(ech_config->data + ech_config_offset) != config_id) {
10057 ssl_debug_printf("ECH Config version mismatch\n");
10058 break;
10059 }
10060 ech_config_offset += 1;
10061 uint16_t kem_id_be = *(uint16_t *)(ech_config->data + ech_config_offset);
10062 uint16_t kem_id = GUINT16_FROM_BE(kem_id_be)(((((guint16) ( (guint16) ((guint16) (kem_id_be) >> 8) |
(guint16) ((guint16) (kem_id_be) << 8))))));
10063 uint8_t suite_id[HPKE_SUIT_ID_LEN10];
10064 hpke_suite_id(kem_id, kdf_id, aead_id, suite_id);
10065 GByteArray *info = g_byte_array_new();
10066 g_byte_array_append(info, (const uint8_t*)"tls ech", 8);
10067 g_byte_array_append(info, ech_config->data, ech_config->data_len);
10068 uint8_t key[AEAD_MAX_KEY_LENGTH32];
10069 uint8_t base_nonce[HPKE_AEAD_NONCE_LENGTH12];
10070 if (hpke_key_schedule(kdf_id, aead_id, ech_secret->data, ech_secret->data_len, suite_id, info->data, info->len, HPKE_MODE_BASE0,
10071 key, base_nonce)) {
10072 g_byte_array_free(info, TRUE(!(0)));
10073 break;
10074 }
10075 g_byte_array_free(info, TRUE(!(0)));
10076 gcry_cipher_hd_t cipher;
10077 if (hpke_setup_aead(&cipher, aead_id, key) ||
10078 hpke_set_nonce(cipher, !session->hrr_ech_declined && pinfo->num > session->first_ch_ech_frame, base_nonce, aead_nonce_len)) {
10079 gcry_cipher_close(cipher);
10080 break;
10081 }
10082 const uint8_t *payload = tvb_get_ptr(tvb, offset - length, length);
10083 uint8_t *ech_aad = (uint8_t *)wmem_alloc(NULL((void*)0), hello_length);
10084 tvb_memcpy(tvb, ech_aad, 0, hello_length);
10085 memset(ech_aad + offset - length, 0, length);
10086 if (gcry_cipher_authenticate(cipher, ech_aad, hello_length)) {
10087 gcry_cipher_close(cipher);
10088 wmem_free(NULL((void*)0), ech_aad);
10089 break;
10090 }
10091 wmem_free(NULL((void*)0), ech_aad);
10092 uint8_t *ech_decrypted_data = (uint8_t *)wmem_alloc(pinfo->pool, decrypted_len);
10093 if (gcry_cipher_decrypt(cipher, ech_decrypted_data, decrypted_len, payload, decrypted_len)) {
10094 gcry_cipher_close(cipher);
10095 break;
10096 }
10097 unsigned char *ech_auth_tag_calc = wmem_alloc0(pinfo->pool, aead_auth_tag_len);
10098 if (gcry_cipher_gettag(cipher, ech_auth_tag_calc, aead_auth_tag_len)) {
10099 gcry_cipher_close(cipher);
10100 break;
10101 }
10102 if (ssl && !session->hrr_ech_declined && session->first_ch_ech_frame == pinfo->num)
10103 memcpy(session->first_ech_auth_tag, ech_auth_tag_calc, aead_auth_tag_len);
10104 gcry_cipher_close(cipher);
10105 if (memcmp(pinfo->num > session->first_ch_ech_frame ? ech_auth_tag_calc : session->first_ech_auth_tag,
10106 payload + decrypted_len, aead_auth_tag_len)) {
10107 ssl_debug_printf("%s ECH auth tag mismatch\n", G_STRFUNC((const char*) (__func__)));
10108 } else {
10109 payload_tree = proto_item_add_subtree(payload_ti, hf->ett.ech_decrypt);
10110 tvbuff_t *ech_tvb = tvb_new_child_real_data(tvb, ech_decrypted_data, decrypted_len, decrypted_len);
10111 add_new_data_source(pinfo, ech_tvb, "Client Hello Inner");
10112 if (ssl) {
10113 tvb_memcpy(ech_tvb, ssl->client_random.data, 2, 32);
10114 uint32_t len_offset = ssl->ech_transcript.data_len;
10115 if (ssl->ech_transcript.data_len > 0)
10116 ssl->ech_transcript.data = (unsigned char*)wmem_realloc(wmem_file_scope(), ssl->ech_transcript.data,
10117 ssl->ech_transcript.data_len + hello_length + 4);
10118 else
10119 ssl->ech_transcript.data = (unsigned char*)wmem_alloc(wmem_file_scope(), hello_length + 4);
10120 ssl->ech_transcript.data[ssl->ech_transcript.data_len] = SSL_HND_CLIENT_HELLO;
10121 ssl->ech_transcript.data[ssl->ech_transcript.data_len + 1] = 0;
10122 /* Copy ClientHelloInner up to the legacy_session_id field. */
10123 tvb_memcpy(ech_tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len + 4, 0, 34);
10124 ssl->ech_transcript.data_len += 38;
10125 /* Now copy the legacy_session_id field from ClientHelloOuter. */
10126 ssl->ech_transcript.data[ssl->ech_transcript.data_len] = ssl->session_id.data_len;
10127 ssl->ech_transcript.data_len++;
10128 memcpy(&ssl->ech_transcript.data[ssl->ech_transcript.data_len], ssl->session_id.data, ssl->session_id.data_len);
10129 ssl->ech_transcript.data_len += ssl->session_id.data_len;
10130 /* Skip past the legacy_session_id field in ClientHelloInner
10131 * (which should be the empty string, i.e. just a 0 size.) */
10132 uint32_t ech_offset = 35 + tvb_get_uint8(ech_tvb, 34);
10133 /* Copy the Cipher Suites from ClientHelloInner. */
10134 tvb_memcpy(ech_tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len, ech_offset,
10135 2 + tvb_get_ntohs(ech_tvb, ech_offset));
10136 ssl->ech_transcript.data_len += 2 + tvb_get_ntohs(ech_tvb, ech_offset);
10137 ech_offset += 2 + tvb_get_ntohs(ech_tvb, ech_offset);
10138 /* Copy the Compression Methods */
10139 tvb_memcpy(ech_tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len, ech_offset,
10140 1 + tvb_get_uint8(ech_tvb, ech_offset));
10141 ssl->ech_transcript.data_len += 1 + tvb_get_uint8(ech_tvb, ech_offset);
10142 ech_offset += 1 + tvb_get_uint8(ech_tvb, ech_offset);
10143 /* Now replace extensions in ech_outer_extensions with the
10144 * data from ClientHelloOuter. */
10145 uint32_t ech_extensions_len_offset = ssl->ech_transcript.data_len;
10146 ssl->ech_transcript.data_len += 2;
10147 uint32_t extensions_end = ech_offset + tvb_get_ntohs(ech_tvb, ech_offset) + 2;
10148 ech_offset += 2;
10149 while (extensions_end - ech_offset >= 4) {
10150 uint16_t ext_type = tvb_get_ntohs(ech_tvb, ech_offset);
10151 ech_offset += 2;
10152 uint16_t ext_len = tvb_get_ntohs(ech_tvb, ech_offset);
10153 ech_offset += 2;
10154 if (ext_type != SSL_HND_HELLO_EXT_ECH_OUTER_EXTENSIONS64768) {
10155 /* Copy this extension directly */
10156 tvb_memcpy(ech_tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len,
10157 ech_offset - 4, 4 + ext_len);
10158 ssl->ech_transcript.data_len += 4 + ext_len;
10159 ech_offset += ext_len;
10160 } else if (ext_len > 0) {
10161 unsigned num_ech_outer_extensions = tvb_get_uint8(ech_tvb, ech_offset);
10162 ech_offset += 1;
10163 uint32_t ech_outer_extensions_end = ech_offset + num_ech_outer_extensions;
10164 /* In ClientHelloOuter, skip past the legacy_session_id */
10165 uint32_t outer_offset = 35 + tvb_get_uint8(tvb, 34);
10166 /* Skip past Cipher Suites */
10167 outer_offset += tvb_get_ntohs(tvb, outer_offset) + 2;
10168 /* Skip past Compression Methods */
10169 outer_offset += tvb_get_uint8(tvb, outer_offset) + 3;
10170 /* Now at the start of ClientHelloOuter's extensions */
10171 while (ech_outer_extensions_end - ech_offset >= 2) {
10172 ext_type = tvb_get_ntohs(ech_tvb, ech_offset);
10173 if (ext_type == SSL_HND_HELLO_EXT_ENCRYPTED_CLIENT_HELLO65037) {
10174 ssl_debug_printf("Illegal parameter; encrypted_client_hello cannot appear within ech_outer_extensions\n");
10175 /* This could lead to a buffer overflow by
10176 * making the post-copying ClientHelloInner
10177 * longer than ClientHelloOuter and is
10178 * illegal, so don't copy. */
10179 break;
10180 }
10181 bool_Bool found = false0;
10182 while (tvb_reported_length_remaining(tvb, outer_offset) >= 4) {
10183 uint16_t outer_ext_type = tvb_get_ntohs(tvb, outer_offset);
10184 uint16_t outer_ext_len = tvb_get_ntohs(tvb, outer_offset + 2);
10185 if (ext_type == outer_ext_type) {
10186 tvb_memcpy(tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len, outer_offset,
10187 4 + outer_ext_len);
10188 ssl->ech_transcript.data_len += 4 + outer_ext_len;
10189 outer_offset += 4 + outer_ext_len;
10190 found = true1;
10191 break;
10192 } else {
10193 outer_offset += 4 + outer_ext_len;
10194 }
10195 }
10196 if (!found) {
10197 ssl_debug_printf("Extension %s was not found in ClientHelloOuter (possibly out of order or referenced more than once)\n", val_to_str(pinfo->pool, ext_type, tls_hello_extension_types, "unknown (0x%02x)"));
10198 }
10199 ech_offset += 2;
10200 }
10201 }
10202 }
10203 uint16_t ech_extensions_len_be = GUINT16_TO_BE(ssl->ech_transcript.data_len - ech_extensions_len_offset - 2)((((guint16) ( (guint16) ((guint16) (ssl->ech_transcript.data_len
- ech_extensions_len_offset - 2) >> 8) | (guint16) ((guint16
) (ssl->ech_transcript.data_len - ech_extensions_len_offset
- 2) << 8)))));
10204 *(ssl->ech_transcript.data + ech_extensions_len_offset) = ech_extensions_len_be & 0xff;
10205 *(ssl->ech_transcript.data + ech_extensions_len_offset + 1) = (ech_extensions_len_be >> 8);
10206 *(ssl->ech_transcript.data + len_offset + 2) = ((ssl->ech_transcript.data_len - len_offset - 4) >> 8);
10207 *(ssl->ech_transcript.data + len_offset + 3) = (ssl->ech_transcript.data_len - len_offset - 4) & 0xff;
10208 }
10209 uint32_t ech_padding_begin = (uint32_t)ssl_dissect_hnd_cli_hello(hf, ech_tvb, pinfo, payload_tree, 0, decrypted_len, session,
10210 ssl, NULL((void*)0), mk_map);
10211 if (ech_padding_begin < decrypted_len) {
10212 proto_tree_add_item(payload_tree, hf->hf.ech_padding_data, ech_tvb, ech_padding_begin, decrypted_len - ech_padding_begin,
10213 ENC_NA0x00000000);
10214 }
10215 }
10216
10217 break;
10218 case 1: /* inner */
10219 break;
10220 }
10221 break;
10222
10223 case SSL_HND_ENCRYPTED_EXTENSIONS:
10224 /*
10225 * struct {
10226 * ECHConfigList retry_configs;
10227 * } ECHEncryptedExtensions;
10228 */
10229
10230 ti = proto_tree_add_item(tree, hf->hf.ech_retry_configs, tvb, offset, offset_end - offset, ENC_NA0x00000000);
10231 retry_tree = proto_item_add_subtree(ti, hf->ett.ech_retry_configs);
10232 offset = ssl_dissect_ext_ech_echconfiglist(hf, tvb, pinfo, retry_tree, offset, offset_end);
10233 break;
10234
10235 case SSL_HND_HELLO_RETRY_REQUEST:
10236 /*
10237 * struct {
10238 * opaque confirmation[8];
10239 * } ECHHelloRetryRequest;
10240 */
10241
10242 proto_tree_add_item(tree, hf->hf.ech_confirmation, tvb, offset, 8, ENC_NA0x00000000);
10243 if (session->ech) {
10244 ti = proto_tree_add_bytes_with_length(tree, hf->hf.hs_ech_confirm_compute, tvb, offset, 0, session->hrr_ech_confirmation, 8);
10245 proto_item_set_generated(ti);
10246 if (memcmp(session->hrr_ech_confirmation, tvb_get_ptr(tvb, offset, 8), 8)) {
10247 expert_add_info(pinfo, ti, &hf->ei.ech_rejected);
10248 } else {
10249 expert_add_info(pinfo, ti, &hf->ei.ech_accepted);
10250 }
10251 }
10252 offset += 8;
10253 break;
10254 }
10255
10256 return offset;
10257}
10258
10259static uint32_t
10260ssl_dissect_hnd_hello_ext_esni(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
10261 proto_tree *tree, uint32_t offset, uint32_t offset_end,
10262 uint8_t hnd_type, SslDecryptSession *ssl _U___attribute__((unused)))
10263{
10264 uint32_t record_digest_length, encrypted_sni_length;
10265
10266 switch (hnd_type) {
10267 case SSL_HND_CLIENT_HELLO:
10268 /*
10269 * struct {
10270 * CipherSuite suite;
10271 * KeyShareEntry key_share;
10272 * opaque record_digest<0..2^16-1>;
10273 * opaque encrypted_sni<0..2^16-1>;
10274 * } ClientEncryptedSNI;
10275 */
10276 proto_tree_add_item(tree, hf->hf.esni_suite, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
10277 offset += 2;
10278 offset = ssl_dissect_hnd_hello_ext_key_share_entry(hf, tvb, pinfo, tree, offset, offset_end, NULL((void*)0));
10279
10280 /* opaque record_digest<0..2^16-1> */
10281 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &record_digest_length,
10282 hf->hf.esni_record_digest_length, 0, UINT16_MAX(65535))) {
10283 return offset_end;
10284 }
10285 offset += 2;
10286 if (record_digest_length > 0) {
10287 proto_tree_add_item(tree, hf->hf.esni_record_digest, tvb, offset, record_digest_length, ENC_NA0x00000000);
10288 offset += record_digest_length;
10289 }
10290
10291 /* opaque encrypted_sni<0..2^16-1> */
10292 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &encrypted_sni_length,
10293 hf->hf.esni_encrypted_sni_length, 0, UINT16_MAX(65535))) {
10294 return offset_end;
10295 }
10296 offset += 2;
10297 if (encrypted_sni_length > 0) {
10298 proto_tree_add_item(tree, hf->hf.esni_encrypted_sni, tvb, offset, encrypted_sni_length, ENC_NA0x00000000);
10299 offset += encrypted_sni_length;
10300 }
10301 break;
10302
10303 case SSL_HND_ENCRYPTED_EXTENSIONS:
10304 proto_tree_add_item(tree, hf->hf.esni_nonce, tvb, offset, 16, ENC_NA0x00000000);
10305 offset += 16;
10306 break;
10307 }
10308
10309 return offset;
10310}
10311/** TLS Extensions (in Client Hello and Server Hello). }}} */
10312
10313/* Connection ID dissection. {{{ */
10314static uint32_t
10315ssl_dissect_ext_connection_id(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
10316 proto_tree *tree, uint32_t offset, SslDecryptSession *ssl,
10317 uint8_t cidl, uint8_t **session_cid, uint8_t *session_cidl)
10318{
10319 /* keep track of the decrypt session only for the first pass */
10320 if (cidl > 0 && !PINFO_FD_VISITED(pinfo)((pinfo)->fd->visited)) {
10321 tvb_ensure_bytes_exist(tvb, offset + 1, cidl);
10322 *session_cidl = cidl;
10323 *session_cid = (uint8_t*)wmem_alloc0(wmem_file_scope(), cidl);
10324 tvb_memcpy(tvb, *session_cid, offset + 1, cidl);
10325 if (ssl) {
10326 ssl_add_session_by_cid(ssl);
10327 }
10328 }
10329
10330 proto_tree_add_item(tree, hf->hf.hs_ext_connection_id_length,
10331 tvb, offset, 1, ENC_NA0x00000000);
10332 offset++;
10333
10334 if (cidl > 0) {
10335 proto_tree_add_item(tree, hf->hf.hs_ext_connection_id,
10336 tvb, offset, cidl, ENC_NA0x00000000);
10337 offset += cidl;
10338 }
10339
10340 return offset;
10341}
10342
10343static uint32_t
10344ssl_dissect_hnd_hello_ext_connection_id(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
10345 proto_tree *tree, uint32_t offset, uint8_t hnd_type,
10346 SslSession *session, SslDecryptSession *ssl)
10347{
10348 uint8_t cidl = tvb_get_uint8(tvb, offset);
10349
10350 switch (hnd_type) {
10351 case SSL_HND_CLIENT_HELLO:
10352 session->client_cid_len_present = true1;
10353 return ssl_dissect_ext_connection_id(hf, tvb, pinfo, tree, offset, ssl,
10354 cidl, &session->client_cid, &session->client_cid_len);
10355 case SSL_HND_SERVER_HELLO:
10356 session->server_cid_len_present = true1;
10357 return ssl_dissect_ext_connection_id(hf, tvb, pinfo, tree, offset, ssl,
10358 cidl, &session->server_cid, &session->server_cid_len);
10359 default:
10360 return offset;
10361 }
10362} /* }}} */
10363
10364/* Trusted CA dissection. {{{ */
10365static uint32_t
10366ssl_dissect_hnd_hello_ext_trusted_ca_keys(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
10367 uint32_t offset, uint32_t offset_end)
10368{
10369 proto_item *ti;
10370 proto_tree *subtree;
10371 uint32_t keys_length, next_offset;
10372
10373 /*
10374 * struct {
10375 * TrustedAuthority trusted_authorities_list<0..2^16-1>;
10376 * } TrustedAuthorities;
10377 *
10378 * struct {
10379 * IdentifierType identifier_type;
10380 * select (identifier_type) {
10381 * case pre_agreed: struct {};
10382 * case key_sha1_hash: SHA1Hash;
10383 * case x509_name: DistinguishedName;
10384 * case cert_sha1_hash: SHA1Hash;
10385 * } identifier;
10386 * } TrustedAuthority;
10387 *
10388 * enum {
10389 * pre_agreed(0), key_sha1_hash(1), x509_name(2),
10390 * cert_sha1_hash(3), (255)
10391 * } IdentifierType;
10392 *
10393 * opaque DistinguishedName<1..2^16-1>;
10394 *
10395 */
10396
10397
10398 /* TrustedAuthority trusted_authorities_list<0..2^16-1> */
10399 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &keys_length, hf->hf.hs_ext_trusted_ca_keys_len,
10400 0, UINT16_MAX(65535)))
10401 {
10402 return offset_end;
10403 }
10404 offset += 2;
10405 next_offset = offset + keys_length;
10406
10407 if (keys_length > 0)
10408 {
10409 ti = proto_tree_add_none_format(tree, hf->hf.hs_ext_trusted_ca_keys_list, tvb, offset, keys_length,
10410 "Trusted CA keys (%d byte%s)", keys_length, plurality(keys_length, "", "s")((keys_length) == 1 ? ("") : ("s")));
10411 subtree = proto_item_add_subtree(ti, hf->ett.hs_ext_trusted_ca_keys);
10412
10413 while (offset < next_offset)
10414 {
10415 uint32_t identifier_type;
10416 proto_tree *trusted_key_tree;
10417 proto_item *trusted_key_item;
10418 asn1_ctx_t asn1_ctx;
10419 uint32_t key_len = 0;
10420
10421 identifier_type = tvb_get_uint8(tvb, offset);
10422
10423 // Use 0 as length for now as we'll only know the size when we decode the identifier
10424 trusted_key_item = proto_tree_add_none_format(subtree, hf->hf.hs_ext_trusted_ca_key, tvb,
10425 offset, 0, "Trusted CA Key");
10426 trusted_key_tree = proto_item_add_subtree(trusted_key_item, hf->ett.hs_ext_trusted_ca_key);
10427
10428 proto_tree_add_uint(trusted_key_tree, hf->hf.hs_ext_trusted_ca_key_type, tvb,
10429 offset, 1, identifier_type);
10430 offset++;
10431
10432 /*
10433 * enum {
10434 * pre_agreed(0), key_sha1_hash(1), x509_name(2),
10435 * cert_sha1_hash(3), (255)
10436 * } IdentifierType;
10437 */
10438 switch (identifier_type)
10439 {
10440 case 0:
10441 key_len = 0;
10442 break;
10443 case 2:
10444 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true1, pinfo);
10445
10446 uint32_t name_length;
10447 /* opaque DistinguishedName<1..2^16-1> */
10448 if (!ssl_add_vector(hf, tvb, pinfo, trusted_key_tree, offset, next_offset, &name_length,
10449 hf->hf.hs_ext_trusted_ca_key_dname_len, 1, UINT16_MAX(65535))) {
10450 return next_offset;
10451 }
10452 offset += 2;
10453
10454 dissect_x509if_DistinguishedName(false0, tvb, offset, &asn1_ctx,
10455 trusted_key_tree, hf->hf.hs_ext_trusted_ca_key_dname);
10456 offset += name_length;
10457 break;
10458 case 1:
10459 case 3:
10460 key_len = 20;
10461 /* opaque SHA1Hash[20]; */
10462 proto_tree_add_item(trusted_key_tree, hf->hf.hs_ext_trusted_ca_key_hash, tvb,
10463 offset, 20, ENC_NA0x00000000);
10464 break;
10465
10466 default:
10467 key_len = 0;
10468 /*TODO display expert info about unknown ? */
10469 break;
10470 }
10471 proto_item_set_len(trusted_key_item, 1 + key_len);
10472 offset += key_len;
10473 }
10474 }
10475
10476 if (!ssl_end_vector(hf, tvb, pinfo, tree, offset, next_offset))
10477 {
10478 offset = next_offset;
10479 }
10480
10481 return offset;
10482} /* }}} */
10483
10484
10485/* Whether the Content and Handshake Types are valid; handle Protocol Version. {{{ */
10486bool_Bool
10487ssl_is_valid_content_type(uint8_t type)
10488{
10489 switch ((ContentType) type) {
10490 case SSL_ID_CHG_CIPHER_SPEC:
10491 case SSL_ID_ALERT:
10492 case SSL_ID_HANDSHAKE:
10493 case SSL_ID_APP_DATA:
10494 case SSL_ID_HEARTBEAT:
10495 case SSL_ID_TLS12_CID:
10496 case SSL_ID_DTLS13_ACK:
10497 return true1;
10498 }
10499 return false0;
10500}
10501
10502bool_Bool
10503ssl_is_valid_handshake_type(uint8_t hs_type, bool_Bool is_dtls)
10504{
10505 switch ((HandshakeType) hs_type) {
10506 case SSL_HND_HELLO_VERIFY_REQUEST:
10507 /* hello_verify_request is DTLS-only */
10508 return is_dtls;
10509
10510 case SSL_HND_HELLO_REQUEST:
10511 case SSL_HND_CLIENT_HELLO:
10512 case SSL_HND_SERVER_HELLO:
10513 case SSL_HND_NEWSESSION_TICKET:
10514 case SSL_HND_END_OF_EARLY_DATA:
10515 case SSL_HND_HELLO_RETRY_REQUEST:
10516 case SSL_HND_ENCRYPTED_EXTENSIONS:
10517 case SSL_HND_CERTIFICATE:
10518 case SSL_HND_SERVER_KEY_EXCHG:
10519 case SSL_HND_CERT_REQUEST:
10520 case SSL_HND_SVR_HELLO_DONE:
10521 case SSL_HND_CERT_VERIFY:
10522 case SSL_HND_CLIENT_KEY_EXCHG:
10523 case SSL_HND_FINISHED:
10524 case SSL_HND_CERT_URL:
10525 case SSL_HND_CERT_STATUS:
10526 case SSL_HND_SUPPLEMENTAL_DATA:
10527 case SSL_HND_KEY_UPDATE:
10528 case SSL_HND_COMPRESSED_CERTIFICATE:
10529 case SSL_HND_ENCRYPTED_EXTS:
10530 return true1;
10531 case SSL_HND_MESSAGE_HASH:
10532 return false0;
10533 }
10534 return false0;
10535}
10536
10537static bool_Bool
10538ssl_is_authoritative_version_message(uint8_t content_type, uint8_t handshake_type,
10539 bool_Bool is_dtls)
10540{
10541 /* Consider all valid Handshake messages (except for Client Hello) and
10542 * all other valid record types (other than Handshake) */
10543 return (content_type == SSL_ID_HANDSHAKE &&
10544 ssl_is_valid_handshake_type(handshake_type, is_dtls) &&
10545 handshake_type != SSL_HND_CLIENT_HELLO) ||
10546 (content_type != SSL_ID_HANDSHAKE &&
10547 ssl_is_valid_content_type(content_type));
10548}
10549
10550/**
10551 * Scan a Server Hello handshake message for the negotiated version. For TLS 1.3
10552 * draft 22 and newer, it also checks whether it is a HelloRetryRequest.
10553 * Returns true if the supported_versions extension was found, false if not.
10554 */
10555bool_Bool
10556tls_scan_server_hello(tvbuff_t *tvb, uint32_t offset, uint32_t offset_end,
10557 uint16_t *server_version, bool_Bool *is_hrr)
10558{
10559 /* SHA256("HelloRetryRequest") */
10560 static const uint8_t tls13_hrr_random_magic[] = {
10561 0xcf, 0x21, 0xad, 0x74, 0xe5, 0x9a, 0x61, 0x11, 0xbe, 0x1d, 0x8c, 0x02, 0x1e, 0x65, 0xb8, 0x91,
10562 0xc2, 0xa2, 0x11, 0x16, 0x7a, 0xbb, 0x8c, 0x5e, 0x07, 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c
10563 };
10564 uint8_t session_id_length;
10565
10566 *server_version = tvb_get_ntohs(tvb, offset);
10567
10568 /*
10569 * Try to look for supported_versions extension. Minimum length:
10570 * 2 + 32 + 1 = 35 (version, random, session id length)
10571 * 2 + 1 + 2 = 5 (cipher suite, compression method, extensions length)
10572 * 2 + 2 + 2 = 6 (ext type, ext len, version)
10573 *
10574 * We only check for the [legacy_]version field to be [D]TLS 1.2; if it's 1.3,
10575 * there's a separate expert info warning for that.
10576 */
10577 if ((*server_version == TLSV1DOT2_VERSION0x303 || *server_version == DTLSV1DOT2_VERSION0xfefd) && offset_end - offset >= 46) {
10578 offset += 2;
10579 if (is_hrr) {
10580 *is_hrr = tvb_memeql(tvb, offset, tls13_hrr_random_magic, sizeof(tls13_hrr_random_magic)) == 0;
10581 }
10582 offset += 32;
10583 session_id_length = tvb_get_uint8(tvb, offset);
10584 offset++;
10585 if (offset_end - offset < session_id_length + 5u) {
10586 return false0;
10587 }
10588 offset += session_id_length + 5;
10589
10590 while (offset_end - offset >= 6) {
10591 uint16_t ext_type = tvb_get_ntohs(tvb, offset);
10592 uint16_t ext_len = tvb_get_ntohs(tvb, offset + 2);
10593 if (offset_end - offset < 4u + ext_len) {
10594 break; /* not enough data for type, length and data */
10595 }
10596 if (ext_type == SSL_HND_HELLO_EXT_SUPPORTED_VERSIONS43) {
10597 if (ext_len == 2) {
10598 *server_version = tvb_get_ntohs(tvb, offset + 4);
10599 }
10600 return true1;
10601 }
10602 offset += 4 + ext_len;
10603 }
10604 } else {
10605 if (is_hrr) {
10606 *is_hrr = false0;
10607 }
10608 }
10609 return false0;
10610}
10611
10612/**
10613 * Scan a Client Hello handshake message to see if the supported_versions
10614 * extension is found, in which case the version field is legacy_version.
10615 */
10616static bool_Bool
10617tls_scan_client_hello(tvbuff_t *tvb, uint32_t offset, uint32_t offset_end)
10618{
10619 uint8_t session_id_length;
10620
10621 uint16_t client_version = tvb_get_ntohs(tvb, offset);
10622
10623 /*
10624 * Try to look for supported_versions extension. Minimum length:
10625 * 2 + 32 + 1 = 35 (version, random, session id length)
10626 * 2 + 2 + 1 + 2 = 5 (cipher suite, compression method, extensions length)
10627 * 2 + 2 + 2 = 6 (ext type, ext len, version)
10628 *
10629 * We only check for the [legacy_]version field to be [D]TLS 1.2; if it's 1.3,
10630 * there's a separate expert info warning for that.
10631 */
10632 if ((client_version == TLSV1DOT2_VERSION0x303 || client_version == DTLSV1DOT2_VERSION0xfefd) && offset_end - offset >= 46) {
10633 offset += 2;
10634 offset += 32;
10635 session_id_length = tvb_get_uint8(tvb, offset);
10636 offset++;
10637 if (offset_end - offset < session_id_length + 2u) {
10638 return false0;
10639 }
10640 offset += session_id_length;
10641 if (client_version == DTLSV1DOT2_VERSION0xfefd) {
10642 uint8_t cookie_length = tvb_get_uint8(tvb, offset);
10643 offset++;
10644 if (offset_end - offset < cookie_length + 2u) {
10645 return false0;
10646 }
10647 }
10648 uint16_t cipher_suites_length = tvb_get_ntohs(tvb, offset);
10649 offset += 2;
10650 if (offset_end - offset < cipher_suites_length + 1u) {
10651 return false0;
10652 }
10653 offset += cipher_suites_length;
10654 uint8_t compression_methods_length = tvb_get_uint8(tvb, offset);
10655 offset++;
10656 if (offset_end - offset < compression_methods_length + 2u) {
10657 return false0;
10658 }
10659 offset += compression_methods_length + 2;
10660
10661 while (offset_end - offset >= 6) {
10662 uint16_t ext_type = tvb_get_ntohs(tvb, offset);
10663 uint16_t ext_len = tvb_get_ntohs(tvb, offset + 2);
10664 if (offset_end - offset < 4u + ext_len) {
10665 break; /* not enough data for type, length and data */
10666 }
10667 if (ext_type == SSL_HND_HELLO_EXT_SUPPORTED_VERSIONS43) {
10668 return true1;
10669 }
10670 offset += 4 + ext_len;
10671 }
10672 }
10673 return false0;
10674}
10675void
10676ssl_try_set_version(SslSession *session, SslDecryptSession *ssl,
10677 uint8_t content_type, uint8_t handshake_type,
10678 bool_Bool is_dtls, uint16_t version)
10679{
10680 uint8_t tls13_draft = 0;
10681
10682 if (!ssl_is_authoritative_version_message(content_type, handshake_type,
10683 is_dtls))
10684 return;
10685
10686 version = tls_try_get_version(is_dtls, version, &tls13_draft);
10687 if (version == SSL_VER_UNKNOWN0) {
10688 return;
10689 }
10690
10691 session->tls13_draft_version = tls13_draft;
10692 session->version = version;
10693 if (ssl) {
10694 ssl->state |= SSL_VERSION(1<<4);
10695 ssl_debug_printf("%s found version 0x%04X -> state 0x%02X\n", G_STRFUNC((const char*) (__func__)), version, ssl->state);
10696 }
10697}
10698
10699void
10700ssl_check_record_length(ssl_common_dissect_t *hf, packet_info *pinfo,
10701 ContentType content_type,
10702 unsigned record_length, proto_item *length_pi,
10703 uint16_t version, tvbuff_t *decrypted_tvb)
10704{
10705 unsigned max_expansion;
10706 if (version == TLSV1DOT3_VERSION0x304) {
10707 /* TLS 1.3: Max length is 2^14 + 256 */
10708 max_expansion = 256;
10709 } else {
10710 /* RFC 5246, Section 6.2.3: TLSCiphertext.fragment length MUST NOT exceed 2^14 + 2048 */
10711 max_expansion = 2048;
10712 }
10713 /*
10714 * RFC 5246 (TLS 1.2), Section 6.2.1 forbids zero-length Handshake, Alert
10715 * and ChangeCipherSpec.
10716 * RFC 6520 (Heartbeats) does not mention zero-length Heartbeat fragments,
10717 * so assume it is permitted.
10718 * RFC 6347 (DTLS 1.2) does not mention zero-length fragments either, so
10719 * assume TLS 1.2 requirements.
10720 */
10721 if (record_length == 0 &&
10722 (content_type == SSL_ID_CHG_CIPHER_SPEC ||
10723 content_type == SSL_ID_ALERT ||
10724 content_type == SSL_ID_HANDSHAKE)) {
10725 expert_add_info_format(pinfo, length_pi, &hf->ei.record_length_invalid,
10726 "Zero-length %s fragments are not allowed",
10727 val_to_str_const(content_type, ssl_31_content_type, "unknown"));
10728 }
10729 if (record_length > TLS_MAX_RECORD_LENGTH0x4000 + max_expansion) {
10730 expert_add_info_format(pinfo, length_pi, &hf->ei.record_length_invalid,
10731 "TLSCiphertext length MUST NOT exceed 2^14 + %u", max_expansion);
10732 }
10733 if (decrypted_tvb && tvb_captured_length(decrypted_tvb) > TLS_MAX_RECORD_LENGTH0x4000) {
10734 expert_add_info_format(pinfo, length_pi, &hf->ei.record_length_invalid,
10735 "TLSPlaintext length MUST NOT exceed 2^14");
10736 }
10737}
10738
10739static void
10740ssl_set_cipher(SslDecryptSession *ssl, uint16_t cipher)
10741{
10742 /* store selected cipher suite for decryption */
10743 ssl->session.cipher = cipher;
10744
10745 const SslCipherSuite *cs = ssl_find_cipher(cipher);
10746 if (!cs) {
10747 ssl->cipher_suite = NULL((void*)0);
10748 ssl->state &= ~SSL_CIPHER(1<<2);
10749 ssl_debug_printf("%s can't find cipher suite 0x%04X\n", G_STRFUNC((const char*) (__func__)), cipher);
10750 } else if (ssl->session.version == SSLV3_VERSION0x300 && !(cs->dig == DIG_MD50x40 || cs->dig == DIG_SHA0x41)) {
10751 /* A malicious packet capture contains a SSL 3.0 session using a TLS 1.2
10752 * cipher suite that uses for example MACAlgorithm SHA256. Reject that
10753 * to avoid a potential buffer overflow in ssl3_check_mac. */
10754 ssl->cipher_suite = NULL((void*)0);
10755 ssl->state &= ~SSL_CIPHER(1<<2);
10756 ssl_debug_printf("%s invalid SSL 3.0 cipher suite 0x%04X\n", G_STRFUNC((const char*) (__func__)), cipher);
10757 } else {
10758 /* Cipher found, save this for the delayed decoder init */
10759 ssl->cipher_suite = cs;
10760 ssl->state |= SSL_CIPHER(1<<2);
10761 ssl_debug_printf("%s found CIPHER 0x%04X %s -> state 0x%02X\n", G_STRFUNC((const char*) (__func__)), cipher,
10762 val_to_str_ext_const(cipher, &ssl_31_ciphersuite_ext, "unknown"),
10763 ssl->state);
10764 }
10765}
10766/* }}} */
10767
10768
10769/* Client Hello and Server Hello dissections. {{{ */
10770static int
10771ssl_dissect_hnd_extension(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree,
10772 packet_info* pinfo, uint32_t offset, uint32_t offset_end, uint8_t hnd_type,
10773 SslSession *session, SslDecryptSession *ssl,
10774 bool_Bool is_dtls, wmem_strbuf_t *ja3, ja4_data_t *ja4_data,
10775 ssl_master_key_map_t *mk_map);
10776int
10777// NOLINTNEXTLINE(misc-no-recursion)
10778ssl_dissect_hnd_cli_hello(ssl_common_dissect_t *hf, tvbuff_t *tvb,
10779 packet_info *pinfo, proto_tree *tree, uint32_t offset,
10780 uint32_t offset_end, SslSession *session,
10781 SslDecryptSession *ssl, dtls_hfs_t *dtls_hfs, ssl_master_key_map_t *mk_map)
10782{
10783 /* struct {
10784 * ProtocolVersion client_version;
10785 * Random random;
10786 * SessionID session_id;
10787 * opaque cookie<0..32>; //new field for DTLS
10788 * CipherSuite cipher_suites<2..2^16-1>;
10789 * CompressionMethod compression_methods<1..2^8-1>;
10790 * Extension client_hello_extension_list<0..2^16-1>;
10791 * } ClientHello;
10792 */
10793 proto_item *ti;
10794 proto_tree *cs_tree;
10795 uint32_t client_version;
10796 uint32_t cipher_suite_length;
10797 uint32_t compression_methods_length;
10798 uint8_t compression_method;
10799 uint32_t next_offset;
10800 uint32_t initial_offset = offset;
10801 wmem_strbuf_t *ja3 = wmem_strbuf_new(pinfo->pool, "");
10802 char *ja3_hash;
10803 char *ja3_dash = "";
10804 char *ja4, *ja4_r, *ja4_hash, *ja4_b, *ja4_c;
10805 ja4_data_t ja4_data;
10806 wmem_strbuf_t *ja4_a = wmem_strbuf_new(pinfo->pool, "");
10807 wmem_strbuf_t *ja4_br = wmem_strbuf_new(pinfo->pool, "");
10808 wmem_strbuf_t *ja4_cr = wmem_strbuf_new(pinfo->pool, "");
10809 wmem_list_frame_t *curr_entry;
10810
10811 DISSECTOR_ASSERT_CMPINT(initial_offset, <=, offset_end)((void) ((initial_offset <= offset_end) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion " "initial_offset" " " "<=" " " "offset_end"
" (" "%" "l" "d" " " "<=" " " "%" "l" "d" ")", "epan/dissectors/packet-tls-utils.c"
, 10811, (int64_t)initial_offset, (int64_t)offset_end))));
10812 tvbuff_t *hello_tvb = tvb_new_subset_length(tvb, initial_offset, offset_end - initial_offset);
10813 offset = 0;
10814 offset_end = tvb_reported_length(hello_tvb);
10815
10816 ja4_data.max_version = 0;
10817 ja4_data.server_name_present = false0;
10818 ja4_data.num_cipher_suites = 0;
10819 ja4_data.num_extensions = 0;
10820 ja4_data.alpn = wmem_strbuf_new(pinfo->pool, "");
10821 ja4_data.cipher_list = wmem_list_new(pinfo->pool);
10822 ja4_data.extension_list = wmem_list_new(pinfo->pool);
10823 ja4_data.sighash_list = wmem_list_new(pinfo->pool);
10824
10825 /* show the client version */
10826 ti = proto_tree_add_item_ret_uint(tree, hf->hf.hs_client_version, hello_tvb,
10827 offset, 2, ENC_BIG_ENDIAN0x00000000,
10828 &client_version);
10829 if (tls_scan_client_hello(hello_tvb, offset, offset_end)) {
10830 expert_add_info(pinfo, ti, &hf->ei.legacy_version);
10831 }
10832 offset += 2;
10833 wmem_strbuf_append_printf(ja3, "%i,", client_version);
10834
10835 /*
10836 * Is it version 1.3?
10837 * If so, that's an error; TLS and DTLS 1.3 Client Hellos claim
10838 * to be TLS 1.2, and mention 1.3 in an extension. See RFC 8446
10839 * section 4.1.2 "Client Hello" and RFC 9147 Section 5.3 "Client
10840 * Hello".
10841 */
10842 if (dtls_hfs != NULL((void*)0)) {
10843 if (client_version == DTLSV1DOT3_VERSION0xfefc) {
10844 /* Don't do that. */
10845 expert_add_info(pinfo, ti, &hf->ei.client_version_error);
10846 }
10847 } else {
10848 if (client_version == TLSV1DOT3_VERSION0x304) {
10849 /* Don't do that. */
10850 expert_add_info(pinfo, ti, &hf->ei.client_version_error);
10851 }
10852 }
10853
10854 /* dissect fields that are present in both ClientHello and ServerHello */
10855 offset = ssl_dissect_hnd_hello_common(hf, hello_tvb, pinfo, tree, offset, session, ssl, false0, false0);
10856
10857 /* fields specific for DTLS (cookie_len, cookie) */
10858 if (dtls_hfs != NULL((void*)0)) {
10859 uint32_t cookie_length;
10860 /* opaque cookie<0..32> (for DTLS only) */
10861 if (!ssl_add_vector(hf, hello_tvb, pinfo, tree, offset, offset_end, &cookie_length,
10862 dtls_hfs->hf_dtls_handshake_cookie_len, 0, 32)) {
10863 return offset;
10864 }
10865 offset++;
10866 if (cookie_length > 0) {
10867 proto_tree_add_item(tree, dtls_hfs->hf_dtls_handshake_cookie,
10868 hello_tvb, offset, cookie_length, ENC_NA0x00000000);
10869 offset += cookie_length;
10870 }
10871 }
10872
10873 /* CipherSuite cipher_suites<2..2^16-1> */
10874 if (!ssl_add_vector(hf, hello_tvb, pinfo, tree, offset, offset_end, &cipher_suite_length,
10875 hf->hf.hs_cipher_suites_len, 2, UINT16_MAX(65535))) {
10876 return offset;
10877 }
10878 offset += 2;
10879 next_offset = offset + cipher_suite_length;
10880 ti = proto_tree_add_none_format(tree,
10881 hf->hf.hs_cipher_suites,
10882 hello_tvb, offset, cipher_suite_length,
10883 "Cipher Suites (%d suite%s)",
10884 cipher_suite_length / 2,
10885 plurality(cipher_suite_length/2, "", "s")((cipher_suite_length/2) == 1 ? ("") : ("s")));
10886 cs_tree = proto_item_add_subtree(ti, hf->ett.cipher_suites);
10887 while (offset + 2 <= next_offset) {
10888 uint32_t cipher_suite;
10889
10890 proto_tree_add_item_ret_uint(cs_tree, hf->hf.hs_cipher_suite, hello_tvb, offset, 2,
10891 ENC_BIG_ENDIAN0x00000000, &cipher_suite);
10892 offset += 2;
10893 if (!IS_GREASE_TLS(cipher_suite)((((cipher_suite) & 0x0f0f) == 0x0a0a) && (((cipher_suite
) & 0xff) == (((cipher_suite)>>8) & 0xff)))) {
10894 wmem_strbuf_append_printf(ja3, "%s%i",ja3_dash, cipher_suite);
10895 ja3_dash = "-";
10896 ja4_data.num_cipher_suites += 1;
10897 wmem_list_insert_sorted(ja4_data.cipher_list, GUINT_TO_POINTER(cipher_suite)((gpointer) (gulong) (cipher_suite)), wmem_compare_uint);
10898 }
10899 }
10900 wmem_strbuf_append_c(ja3, ',');
10901 if (!ssl_end_vector(hf, hello_tvb, pinfo, cs_tree, offset, next_offset)) {
10902 offset = next_offset;
10903 }
10904
10905 /* CompressionMethod compression_methods<1..2^8-1> */
10906 if (!ssl_add_vector(hf, hello_tvb, pinfo, tree, offset, offset_end, &compression_methods_length,
10907 hf->hf.hs_comp_methods_len, 1, UINT8_MAX(255))) {
10908 return offset;
10909 }
10910 offset++;
10911 next_offset = offset + compression_methods_length;
10912 ti = proto_tree_add_none_format(tree,
10913 hf->hf.hs_comp_methods,
10914 hello_tvb, offset, compression_methods_length,
10915 "Compression Methods (%u method%s)",
10916 compression_methods_length,
10917 plurality(compression_methods_length,((compression_methods_length) == 1 ? ("") : ("s"))
10918 "", "s")((compression_methods_length) == 1 ? ("") : ("s")));
10919 cs_tree = proto_item_add_subtree(ti, hf->ett.comp_methods);
10920 while (offset < next_offset) {
10921 compression_method = tvb_get_uint8(hello_tvb, offset);
10922 /* TODO: make reserved/private comp meth. fields selectable */
10923 if (compression_method < 64)
10924 proto_tree_add_uint(cs_tree, hf->hf.hs_comp_method,
10925 hello_tvb, offset, 1, compression_method);
10926 else if (compression_method > 63 && compression_method < 193)
10927 proto_tree_add_uint_format_value(cs_tree, hf->hf.hs_comp_method, hello_tvb, offset, 1,
10928 compression_method, "Reserved - to be assigned by IANA (%u)",
10929 compression_method);
10930 else
10931 proto_tree_add_uint_format_value(cs_tree, hf->hf.hs_comp_method, hello_tvb, offset, 1,
10932 compression_method, "Private use range (%u)",
10933 compression_method);
10934 offset++;
10935 }
10936
10937 /* SSL v3.0 has no extensions, so length field can indeed be missing. */
10938 if (offset < offset_end) {
10939 offset = ssl_dissect_hnd_extension(hf, hello_tvb, tree, pinfo, offset,
10940 offset_end, SSL_HND_CLIENT_HELLO,
10941 session, ssl, dtls_hfs != NULL((void*)0), ja3, &ja4_data, mk_map);
10942 if (ja4_data.max_version > 0) {
10943 client_version = ja4_data.max_version;
10944 }
10945 } else {
10946 wmem_strbuf_append_printf(ja3, ",,");
10947 }
10948
10949 if (proto_is_frame_protocol(pinfo->layers,"tcp")) {
10950 wmem_strbuf_append(ja4_a, "t");
10951 } else if (proto_is_frame_protocol(pinfo->layers,"quic")) {
10952 wmem_strbuf_append(ja4_a, "q");
10953 } else if (proto_is_frame_protocol(pinfo->layers,"dtls")) {
10954 wmem_strbuf_append(ja4_a, "d");
10955 }
10956 wmem_strbuf_append_printf(ja4_a, "%s", val_to_str_const(client_version, ssl_version_ja4_names, "00"));
10957 wmem_strbuf_append_printf(ja4_a, "%s", ja4_data.server_name_present ? "d" : "i");
10958 if (ja4_data.num_cipher_suites > 99) {
10959 wmem_strbuf_append(ja4_a, "99");
10960 } else {
10961 wmem_strbuf_append_printf(ja4_a, "%02d", ja4_data.num_cipher_suites);
10962 }
10963 if (ja4_data.num_extensions > 99) {
10964 wmem_strbuf_append(ja4_a, "99");
10965 } else {
10966 wmem_strbuf_append_printf(ja4_a, "%02d", ja4_data.num_extensions);
10967 }
10968 if (wmem_strbuf_get_len(ja4_data.alpn) > 0 ) {
10969 wmem_strbuf_append_printf(ja4_a, "%s", wmem_strbuf_get_str(ja4_data.alpn));
10970 } else {
10971 wmem_strbuf_append(ja4_a, "00");
10972 }
10973
10974 curr_entry = wmem_list_head(ja4_data.cipher_list);
10975 for (unsigned i = 0; i < wmem_list_count(ja4_data.cipher_list); i++) {
10976 wmem_strbuf_append_printf(ja4_br, "%04x", GPOINTER_TO_UINT(wmem_list_frame_data(curr_entry))((guint) (gulong) (wmem_list_frame_data(curr_entry))));
10977 if (i < wmem_list_count(ja4_data.cipher_list) - 1) {
10978 wmem_strbuf_append(ja4_br, ",");
10979 }
10980 curr_entry = wmem_list_frame_next(curr_entry);
10981 }
10982
10983 curr_entry = wmem_list_head(ja4_data.extension_list);
10984 for (unsigned i = 0; i < wmem_list_count(ja4_data.extension_list); i++) {
10985 wmem_strbuf_append_printf(ja4_cr, "%04x", GPOINTER_TO_UINT(wmem_list_frame_data(curr_entry))((guint) (gulong) (wmem_list_frame_data(curr_entry))));
10986 if (i < wmem_list_count(ja4_data.extension_list) - 1) {
10987 wmem_strbuf_append(ja4_cr, ",");
10988 }
10989 curr_entry = wmem_list_frame_next(curr_entry);
10990 }
10991
10992 if (wmem_list_count(ja4_data.sighash_list) > 0) {
10993 wmem_strbuf_append(ja4_cr, "_");
10994 curr_entry = wmem_list_head(ja4_data.sighash_list);
10995 for (unsigned i = 0; i < wmem_list_count(ja4_data.sighash_list); i++) {
10996 wmem_strbuf_append_printf(ja4_cr, "%04x", GPOINTER_TO_UINT(wmem_list_frame_data(curr_entry))((guint) (gulong) (wmem_list_frame_data(curr_entry))));
10997 if (i < wmem_list_count(ja4_data.sighash_list) - 1) {
10998 wmem_strbuf_append(ja4_cr, ",");
10999 }
11000 curr_entry = wmem_list_frame_next(curr_entry);
11001 }
11002 }
11003 if ( wmem_strbuf_get_len(ja4_br) == 0 ) {
11004 ja4_hash = g_strdup("000000000000")g_strdup_inline ("000000000000");
11005 } else {
11006 ja4_hash = g_compute_checksum_for_string(G_CHECKSUM_SHA256, wmem_strbuf_get_str(ja4_br),-1);
11007 }
11008 ja4_b = wmem_strndup(pinfo->pool, ja4_hash, 12);
11009
11010 g_free(ja4_hash);
11011 if ( wmem_strbuf_get_len(ja4_cr) == 0 ) {
11012 ja4_hash = g_strdup("000000000000")g_strdup_inline ("000000000000");
11013 } else {
11014 ja4_hash = g_compute_checksum_for_string(G_CHECKSUM_SHA256, wmem_strbuf_get_str(ja4_cr),-1);
11015 }
11016 ja4_c = wmem_strndup(pinfo->pool, ja4_hash, 12);
11017 g_free(ja4_hash);
11018
11019 ja4 = wmem_strdup_printf(pinfo->pool, "%s_%s_%s", wmem_strbuf_get_str(ja4_a), ja4_b, ja4_c);
11020 ja4_r = wmem_strdup_printf(pinfo->pool, "%s_%s_%s", wmem_strbuf_get_str(ja4_a), wmem_strbuf_get_str(ja4_br), wmem_strbuf_get_str(ja4_cr));
11021
11022 ti = proto_tree_add_string(tree, hf->hf.hs_ja4, hello_tvb, offset, 0, ja4);
11023 proto_item_set_generated(ti);
11024 ti = proto_tree_add_string(tree, hf->hf.hs_ja4_r, hello_tvb, offset, 0, ja4_r);
11025 proto_item_set_generated(ti);
11026
11027 ja3_hash = g_compute_checksum_for_string(G_CHECKSUM_MD5, wmem_strbuf_get_str(ja3),
11028 wmem_strbuf_get_len(ja3));
11029 ti = proto_tree_add_string(tree, hf->hf.hs_ja3_full, hello_tvb, offset, 0, wmem_strbuf_get_str(ja3));
11030 proto_item_set_generated(ti);
11031 ti = proto_tree_add_string(tree, hf->hf.hs_ja3_hash, hello_tvb, offset, 0, ja3_hash);
11032 proto_item_set_generated(ti);
11033 g_free(ja3_hash);
11034 return initial_offset + offset;
11035}
11036
11037void
11038ssl_dissect_hnd_srv_hello(ssl_common_dissect_t *hf, tvbuff_t *tvb,
11039 packet_info* pinfo, proto_tree *tree, uint32_t offset, uint32_t offset_end,
11040 SslSession *session, SslDecryptSession *ssl,
11041 bool_Bool is_dtls, bool_Bool is_hrr)
11042{
11043 /* struct {
11044 * ProtocolVersion server_version;
11045 * Random random;
11046 * SessionID session_id; // TLS 1.2 and before
11047 * CipherSuite cipher_suite;
11048 * CompressionMethod compression_method; // TLS 1.2 and before
11049 * Extension server_hello_extension_list<0..2^16-1>;
11050 * } ServerHello;
11051 */
11052 uint8_t draft_version = session->tls13_draft_version;
11053 proto_item *ti;
11054 uint32_t server_version;
11055 uint32_t cipher_suite;
11056 uint32_t initial_offset = offset;
11057 wmem_strbuf_t *ja3 = wmem_strbuf_new(pinfo->pool, "");
11058 char *ja3_hash;
11059
11060 col_set_str(pinfo->cinfo, COL_PROTOCOL,
11061 val_to_str_const(session->version, ssl_version_short_names, "SSL"));
11062
11063 /* Initially assume that the session is resumed. If this is not the case, a
11064 * ServerHelloDone will be observed before the ChangeCipherSpec message
11065 * which will reset this flag. */
11066 session->is_session_resumed = true1;
11067
11068 /* show the server version */
11069 ti = proto_tree_add_item_ret_uint(tree, hf->hf.hs_server_version, tvb,
11070 offset, 2, ENC_BIG_ENDIAN0x00000000, &server_version);
11071
11072 uint16_t supported_server_version;
11073 if (tls_scan_server_hello(tvb, offset, offset_end, &supported_server_version, NULL((void*)0))) {
11074 expert_add_info(pinfo, ti, &hf->ei.legacy_version);
11075 }
11076 /*
11077 * Is it version 1.3?
11078 * If so, that's an error; TLS and DTLS 1.3 Server Hellos claim
11079 * to be TLS 1.2, and mention 1.3 in an extension. See RFC 8446
11080 * section 4.1.3 "Server Hello" and RFC 9147 Section 5.4 "Server
11081 * Hello".
11082 */
11083 if (is_dtls) {
11084 if (server_version == DTLSV1DOT3_VERSION0xfefc) {
11085 /* Don't do that. */
11086 expert_add_info(pinfo, ti, &hf->ei.server_version_error);
11087 }
11088 } else {
11089 if (server_version == TLSV1DOT3_VERSION0x304) {
11090 /* Don't do that. */
11091 expert_add_info(pinfo, ti, &hf->ei.server_version_error);
11092 }
11093 }
11094
11095 offset += 2;
11096 wmem_strbuf_append_printf(ja3, "%i", server_version);
11097
11098 /* dissect fields that are present in both ClientHello and ServerHello */
11099 offset = ssl_dissect_hnd_hello_common(hf, tvb, pinfo, tree, offset, session, ssl, true1, is_hrr);
11100
11101 if (ssl) {
11102 /* store selected cipher suite for decryption */
11103 ssl_set_cipher(ssl, tvb_get_ntohs(tvb, offset));
11104 }
11105
11106 /* now the server-selected cipher suite */
11107 proto_tree_add_item_ret_uint(tree, hf->hf.hs_cipher_suite,
11108 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &cipher_suite);
11109 offset += 2;
11110 wmem_strbuf_append_printf(ja3, ",%i,", cipher_suite);
11111
11112 /* No compression with TLS 1.3 before draft -22 */
11113 if (!(session->version == TLSV1DOT3_VERSION0x304 && draft_version > 0 && draft_version < 22)) {
11114 if (ssl) {
11115 /* store selected compression method for decryption */
11116 ssl->session.compression = tvb_get_uint8(tvb, offset);
11117 }
11118 /* and the server-selected compression method */
11119 proto_tree_add_item(tree, hf->hf.hs_comp_method,
11120 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
11121 offset++;
11122 }
11123
11124 /* SSL v3.0 has no extensions, so length field can indeed be missing. */
11125 if (offset < offset_end) {
11126 offset = ssl_dissect_hnd_extension(hf, tvb, tree, pinfo, offset,
11127 offset_end,
11128 is_hrr ? SSL_HND_HELLO_RETRY_REQUEST : SSL_HND_SERVER_HELLO,
11129 session, ssl, is_dtls, ja3, NULL((void*)0), NULL((void*)0));
11130 }
11131
11132 if (ssl && ssl->ech_transcript.data_len > 0 && (ssl->state & SSL_CIPHER(1<<2)) && ssl->client_random.data_len > 0) {
11133 int hash_algo = ssl_get_digest_by_name(ssl_cipher_suite_dig(ssl->cipher_suite)->name);
11134 if (hash_algo) {
11135 SSL_MDgcry_md_hd_t mc;
11136 unsigned char transcript_hash[DIGEST_MAX_SIZE48];
11137 unsigned char prk[DIGEST_MAX_SIZE48];
11138 unsigned char *ech_verify_out = NULL((void*)0);
11139 unsigned int len;
11140 ssl_md_init(&mc, hash_algo);
11141 ssl_md_update(&mc, ssl->ech_transcript.data, ssl->ech_transcript.data_len);
11142 if (is_hrr) {
11143 ssl_md_final(&mc, transcript_hash, &len);
11144 ssl_md_cleanup(&mc);
11145 wmem_free(wmem_file_scope(), ssl->ech_transcript.data);
11146 ssl->ech_transcript.data_len = 4 + len;
11147 ssl->ech_transcript.data = (unsigned char*)wmem_alloc(wmem_file_scope(), 4 + len + 4 + offset_end - initial_offset);
11148 ssl->ech_transcript.data[0] = SSL_HND_MESSAGE_HASH;
11149 ssl->ech_transcript.data[1] = 0;
11150 ssl->ech_transcript.data[2] = 0;
11151 ssl->ech_transcript.data[3] = len;
11152 memcpy(ssl->ech_transcript.data + 4, transcript_hash, len);
11153 ssl_md_init(&mc, hash_algo);
11154 ssl_md_update(&mc, ssl->ech_transcript.data, 4 + len);
11155 } else {
11156 ssl->ech_transcript.data = wmem_realloc(wmem_file_scope(), ssl->ech_transcript.data,
11157 ssl->ech_transcript.data_len + 4 + offset_end - initial_offset);
11158 }
11159 if (initial_offset > 4) {
11160 tvb_memcpy(tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len, initial_offset - 4,
11161 4 + offset_end - initial_offset);
11162 if (is_hrr)
11163 ssl_md_update(&mc, tvb_get_ptr(tvb, initial_offset-4, 38), 38);
11164 else
11165 ssl_md_update(&mc, tvb_get_ptr(tvb, initial_offset-4, 30), 30);
11166 } else {
11167 uint8_t prefix[4] = {SSL_HND_SERVER_HELLO, 0x00, 0x00, 0x00};
11168 prefix[2] = ((offset - initial_offset) >> 8);
11169 prefix[3] = (offset - initial_offset) & 0xff;
11170 memcpy(ssl->ech_transcript.data + ssl->ech_transcript.data_len, prefix, 4);
11171 tvb_memcpy(tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len + 4, initial_offset,
11172 offset_end - initial_offset);
11173 ssl_md_update(&mc, prefix, 4);
11174 if (is_hrr)
11175 ssl_md_update(&mc, tvb_get_ptr(tvb, initial_offset, 34), 34);
11176 else
11177 ssl_md_update(&mc, tvb_get_ptr(tvb, initial_offset, 26), 26);
11178 }
11179 ssl->ech_transcript.data_len += 4 + offset_end - initial_offset;
11180 uint8_t zeros[8] = { 0 };
11181 uint32_t confirmation_offset = initial_offset + 26;
11182 if (is_hrr) {
11183 uint32_t hrr_offset = initial_offset + 34;
11184 ssl_md_update(&mc, tvb_get_ptr(tvb, hrr_offset,
11185 tvb_get_uint8(tvb, hrr_offset) + 1), tvb_get_uint8(tvb, hrr_offset) + 1);
11186 hrr_offset += tvb_get_uint8(tvb, hrr_offset) + 1;
11187 ssl_md_update(&mc, tvb_get_ptr(tvb, hrr_offset, 3), 3);
11188 hrr_offset += 3;
11189 uint32_t extensions_end = hrr_offset + tvb_get_ntohs(tvb, hrr_offset) + 2;
11190 ssl_md_update(&mc, tvb_get_ptr(tvb, hrr_offset, 2), 2);
11191 hrr_offset += 2;
11192 while (extensions_end - hrr_offset >= 4) {
11193 if (tvb_get_ntohs(tvb, hrr_offset) == SSL_HND_HELLO_EXT_ENCRYPTED_CLIENT_HELLO65037 &&
11194 tvb_get_ntohs(tvb, hrr_offset + 2) == 8) {
11195 confirmation_offset = hrr_offset + 4;
11196 ssl_md_update(&mc, tvb_get_ptr(tvb, hrr_offset, 4), 4);
11197 ssl_md_update(&mc, zeros, 8);
11198 hrr_offset += 12;
11199 } else {
11200 ssl_md_update(&mc, tvb_get_ptr(tvb, hrr_offset, tvb_get_ntohs(tvb, hrr_offset + 2) + 4),
11201 tvb_get_ntohs(tvb, hrr_offset + 2) + 4);
11202 hrr_offset += tvb_get_ntohs(tvb, hrr_offset + 2) + 4;
11203 }
11204 }
11205 } else {
11206 ssl_md_update(&mc, zeros, 8);
11207 ssl_md_update(&mc, tvb_get_ptr(tvb, initial_offset + 34, offset - initial_offset - 34),
11208 offset - initial_offset - 34);
11209 }
11210 ssl_md_final(&mc, transcript_hash, &len);
11211 ssl_md_cleanup(&mc);
11212 hkdf_extract(hash_algo, NULL((void*)0), 0, ssl->client_random.data, 32, prk);
11213 StringInfo prk_string = {prk, len};
11214 if (tls13_hkdf_expand_label_context(hash_algo, &prk_string, tls13_hkdf_label_prefix(ssl),
11215 is_hrr ? "hrr ech accept confirmation" : "ech accept confirmation",
11216 transcript_hash, len, 8, &ech_verify_out)) {
11217 memcpy(is_hrr ? ssl->session.hrr_ech_confirmation : ssl->session.ech_confirmation, ech_verify_out, 8);
11218 if (tvb_memeql(tvb, confirmation_offset, ech_verify_out, 8) == -1) {
11219 if (is_hrr) {
11220 ssl->session.hrr_ech_declined = true1;
11221 ssl->session.first_ch_ech_frame = 0;
11222 }
11223 memcpy(ssl->client_random.data, ssl->session.client_random.data, ssl->session.client_random.data_len);
11224 ssl_print_data("Updated Client Random", ssl->client_random.data, 32);
11225 }
11226 wmem_free(NULL((void*)0), ech_verify_out);
11227 }
11228 ssl->session.ech = true1;
11229 }
11230 }
11231
11232 ja3_hash = g_compute_checksum_for_string(G_CHECKSUM_MD5, wmem_strbuf_get_str(ja3),
11233 wmem_strbuf_get_len(ja3));
11234 ti = proto_tree_add_string(tree, hf->hf.hs_ja3s_full, tvb, offset, 0, wmem_strbuf_get_str(ja3));
11235 proto_item_set_generated(ti);
11236 ti = proto_tree_add_string(tree, hf->hf.hs_ja3s_hash, tvb, offset, 0, ja3_hash);
11237 proto_item_set_generated(ti);
11238 g_free(ja3_hash);
11239}
11240/* Client Hello and Server Hello dissections. }}} */
11241
11242/* New Session Ticket dissection. {{{ */
11243void
11244ssl_dissect_hnd_new_ses_ticket(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
11245 proto_tree *tree, uint32_t offset, uint32_t offset_end,
11246 SslSession *session, SslDecryptSession *ssl,
11247 bool_Bool is_dtls, GHashTable *session_hash)
11248{
11249 /* https://tools.ietf.org/html/rfc5077#section-3.3 (TLS >= 1.0):
11250 * struct {
11251 * uint32 ticket_lifetime_hint;
11252 * opaque ticket<0..2^16-1>;
11253 * } NewSessionTicket;
11254 *
11255 * RFC 8446 Section 4.6.1 (TLS 1.3):
11256 * struct {
11257 * uint32 ticket_lifetime;
11258 * uint32 ticket_age_add;
11259 * opaque ticket_nonce<0..255>; // new in draft -21, updated in -22
11260 * opaque ticket<1..2^16-1>;
11261 * Extension extensions<0..2^16-2>;
11262 * } NewSessionTicket;
11263 */
11264 proto_tree *subtree;
11265 proto_item *subitem;
11266 uint32_t ticket_len;
11267 bool_Bool is_tls13 = session->version == TLSV1DOT3_VERSION0x304 || session->version == DTLSV1DOT3_VERSION0xfefc;
11268 unsigned char draft_version = session->tls13_draft_version;
11269 uint32_t lifetime_hint;
11270
11271 subtree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
11272 hf->ett.session_ticket, NULL((void*)0),
11273 "TLS Session Ticket");
11274
11275 /* ticket lifetime hint */
11276 subitem = proto_tree_add_item_ret_uint(subtree, hf->hf.hs_session_ticket_lifetime_hint,
11277 tvb, offset, 4, ENC_BIG_ENDIAN0x00000000, &lifetime_hint);
11278 offset += 4;
11279
11280 if (lifetime_hint >= 60) {
11281 char *time_str = unsigned_time_secs_to_str(pinfo->pool, lifetime_hint);
11282 proto_item_append_text(subitem, " (%s)", time_str);
11283 }
11284
11285 if (is_tls13) {
11286
11287 /* for TLS 1.3: ticket_age_add */
11288 proto_tree_add_item(subtree, hf->hf.hs_session_ticket_age_add,
11289 tvb, offset, 4, ENC_BIG_ENDIAN0x00000000);
11290 offset += 4;
11291
11292 /* for TLS 1.3: ticket_nonce (coming with Draft 21)*/
11293 if (draft_version == 0 || draft_version >= 21) {
11294 uint32_t ticket_nonce_len;
11295
11296 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, offset_end, &ticket_nonce_len,
11297 hf->hf.hs_session_ticket_nonce_len, 0, 255)) {
11298 return;
11299 }
11300 offset++;
11301
11302 proto_tree_add_item(subtree, hf->hf.hs_session_ticket_nonce, tvb, offset, ticket_nonce_len, ENC_NA0x00000000);
11303 offset += ticket_nonce_len;
11304 }
11305
11306 }
11307
11308 /* opaque ticket<0..2^16-1> (with TLS 1.3 the minimum is 1) */
11309 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, offset_end, &ticket_len,
11310 hf->hf.hs_session_ticket_len, is_tls13 ? 1 : 0, UINT16_MAX(65535))) {
11311 return;
11312 }
11313 offset += 2;
11314
11315 /* Content depends on implementation, so just show data! */
11316 proto_tree_add_item(subtree, hf->hf.hs_session_ticket,
11317 tvb, offset, ticket_len, ENC_NA0x00000000);
11318 /* save the session ticket to cache for ssl_finalize_decryption */
11319 if (ssl && !is_tls13) {
11320 if (ssl->session.is_session_resumed) {
11321 /* NewSessionTicket is received in ServerHello before ChangeCipherSpec
11322 * (Abbreviated Handshake Using New Session Ticket).
11323 * Restore the master key for this session ticket before saving
11324 * it to the new session ticket. */
11325 ssl_restore_master_key(ssl, "Session Ticket", false0,
11326 session_hash, &ssl->session_ticket);
11327 }
11328 tvb_ensure_bytes_exist(tvb, offset, ticket_len);
11329 ssl->session_ticket.data = (unsigned char*)wmem_realloc(wmem_file_scope(),
11330 ssl->session_ticket.data, ticket_len);
11331 ssl->session_ticket.data_len = ticket_len;
11332 tvb_memcpy(tvb, ssl->session_ticket.data, offset, ticket_len);
11333 /* NewSessionTicket is received after the first (client)
11334 * ChangeCipherSpec, and before the second (server) ChangeCipherSpec.
11335 * Since the second CCS has already the session key available it will
11336 * just return. To ensure that the session ticket is mapped to a
11337 * master key (from the first CCS), save the ticket here too. */
11338 ssl_save_master_key("Session Ticket", session_hash,
11339 &ssl->session_ticket, &ssl->master_secret);
11340 ssl->state |= SSL_NEW_SESSION_TICKET(1<<10);
11341 }
11342 offset += ticket_len;
11343
11344 if (is_tls13) {
11345 ssl_dissect_hnd_extension(hf, tvb, subtree, pinfo, offset,
11346 offset_end, SSL_HND_NEWSESSION_TICKET,
11347 session, ssl, is_dtls, NULL((void*)0), NULL((void*)0), NULL((void*)0));
11348 }
11349} /* }}} */
11350
11351void
11352ssl_dissect_hnd_hello_retry_request(ssl_common_dissect_t *hf, tvbuff_t *tvb,
11353 packet_info* pinfo, proto_tree *tree, uint32_t offset, uint32_t offset_end,
11354 SslSession *session, SslDecryptSession *ssl,
11355 bool_Bool is_dtls)
11356{
11357 /* https://tools.ietf.org/html/draft-ietf-tls-tls13-19#section-4.1.4
11358 * struct {
11359 * ProtocolVersion server_version;
11360 * CipherSuite cipher_suite; // not before draft -19
11361 * Extension extensions<2..2^16-1>;
11362 * } HelloRetryRequest;
11363 * Note: no longer used since draft -22
11364 */
11365 uint32_t version;
11366 uint8_t draft_version;
11367
11368 proto_tree_add_item_ret_uint(tree, hf->hf.hs_server_version, tvb,
11369 offset, 2, ENC_BIG_ENDIAN0x00000000, &version);
11370 draft_version = extract_tls13_draft_version(version);
11371 offset += 2;
11372
11373 if (draft_version == 0 || draft_version >= 19) {
11374 proto_tree_add_item(tree, hf->hf.hs_cipher_suite,
11375 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
11376 offset += 2;
11377 }
11378
11379 ssl_dissect_hnd_extension(hf, tvb, tree, pinfo, offset,
11380 offset_end, SSL_HND_HELLO_RETRY_REQUEST,
11381 session, ssl, is_dtls, NULL((void*)0), NULL((void*)0), NULL((void*)0));
11382}
11383
11384void
11385ssl_dissect_hnd_encrypted_extensions(ssl_common_dissect_t *hf, tvbuff_t *tvb,
11386 packet_info* pinfo, proto_tree *tree, uint32_t offset, uint32_t offset_end,
11387 SslSession *session, SslDecryptSession *ssl,
11388 bool_Bool is_dtls)
11389{
11390 /* RFC 8446 Section 4.3.1
11391 * struct {
11392 * Extension extensions<0..2^16-1>;
11393 * } EncryptedExtensions;
11394 */
11395 ssl_dissect_hnd_extension(hf, tvb, tree, pinfo, offset,
11396 offset_end, SSL_HND_ENCRYPTED_EXTENSIONS,
11397 session, ssl, is_dtls, NULL((void*)0), NULL((void*)0), NULL((void*)0));
11398}
11399
11400/* Certificate and Certificate Request dissections. {{{ */
11401void
11402ssl_dissect_hnd_cert(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree,
11403 uint32_t offset, uint32_t offset_end, packet_info *pinfo,
11404 SslSession *session, SslDecryptSession *ssl _U___attribute__((unused)),
11405 bool_Bool is_from_server, bool_Bool is_dtls)
11406{
11407 /* opaque ASN.1Cert<1..2^24-1>;
11408 *
11409 * Before RFC 8446 (TLS <= 1.2):
11410 * struct {
11411 * select(certificate_type) {
11412 *
11413 * // certificate type defined in RFC 7250
11414 * case RawPublicKey:
11415 * opaque ASN.1_subjectPublicKeyInfo<1..2^24-1>;
11416 *
11417 * // X.509 certificate defined in RFC 5246
11418 * case X.509:
11419 * ASN.1Cert certificate_list<0..2^24-1>;
11420 * };
11421 * } Certificate;
11422 *
11423 * RFC 8446 (since draft -20):
11424 * struct {
11425 * select(certificate_type){
11426 * case RawPublicKey:
11427 * // From RFC 7250 ASN.1_subjectPublicKeyInfo
11428 * opaque ASN1_subjectPublicKeyInfo<1..2^24-1>;
11429 *
11430 * case X.509:
11431 * opaque cert_data<1..2^24-1>;
11432 * }
11433 * Extension extensions<0..2^16-1>;
11434 * } CertificateEntry;
11435 * struct {
11436 * opaque certificate_request_context<0..2^8-1>;
11437 * CertificateEntry certificate_list<0..2^24-1>;
11438 * } Certificate;
11439 */
11440 enum { CERT_X509, CERT_RPK } cert_type;
11441 asn1_ctx_t asn1_ctx;
11442#if defined(HAVE_LIBGNUTLS1)
11443 gnutls_datum_t subjectPublicKeyInfo = { NULL((void*)0), 0 };
11444 unsigned certificate_index = 0;
11445#endif
11446 uint32_t next_offset, certificate_list_length, cert_length;
11447 proto_tree *subtree = tree;
11448
11449 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true1, pinfo);
11450
11451 if ((is_from_server && session->server_cert_type == SSL_HND_CERT_TYPE_RAW_PUBLIC_KEY2) ||
11452 (!is_from_server && session->client_cert_type == SSL_HND_CERT_TYPE_RAW_PUBLIC_KEY2)) {
11453 cert_type = CERT_RPK;
11454 } else {
11455 cert_type = CERT_X509;
11456 }
11457
11458#if defined(HAVE_LIBGNUTLS1)
11459 /* Ask the pkcs1 dissector to return the public key details */
11460 if (ssl)
11461 asn1_ctx.private_data = &subjectPublicKeyInfo;
11462#endif
11463
11464 /* TLS 1.3: opaque certificate_request_context<0..2^8-1> */
11465 if (session->version == TLSV1DOT3_VERSION0x304 || session->version == DTLSV1DOT3_VERSION0xfefc) {
11466 uint32_t context_length;
11467 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &context_length,
11468 hf->hf.hs_certificate_request_context_length, 0, UINT8_MAX(255))) {
11469 return;
11470 }
11471 offset++;
11472 if (context_length > 0) {
11473 proto_tree_add_item(tree, hf->hf.hs_certificate_request_context,
11474 tvb, offset, context_length, ENC_NA0x00000000);
11475 offset += context_length;
11476 }
11477 }
11478
11479 if ((session->version != TLSV1DOT3_VERSION0x304 && session->version != DTLSV1DOT3_VERSION0xfefc) && cert_type == CERT_RPK) {
11480 /* For RPK before TLS 1.3, the single RPK is stored directly without
11481 * another "certificate_list" field. */
11482 certificate_list_length = offset_end - offset;
11483 next_offset = offset_end;
11484 } else {
11485 /* CertificateEntry certificate_list<0..2^24-1> */
11486 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &certificate_list_length,
11487 hf->hf.hs_certificates_len, 0, G_MAXUINT24((1U << 24) - 1))) {
11488 return;
11489 }
11490 offset += 3; /* 24-bit length value */
11491 next_offset = offset + certificate_list_length;
11492 }
11493
11494 /* RawPublicKey must have one cert, but X.509 can have multiple. */
11495 if (certificate_list_length > 0 && cert_type == CERT_X509) {
11496 proto_item *ti;
11497
11498 ti = proto_tree_add_none_format(tree,
11499 hf->hf.hs_certificates,
11500 tvb, offset, certificate_list_length,
11501 "Certificates (%u bytes)",
11502 certificate_list_length);
11503
11504 /* make it a subtree */
11505 subtree = proto_item_add_subtree(ti, hf->ett.certificates);
11506 }
11507
11508 while (offset < next_offset) {
11509 switch (cert_type) {
11510 case CERT_RPK:
11511 /* TODO add expert info if there is more than one RPK entry (certificate_index > 0) */
11512 /* opaque ASN.1_subjectPublicKeyInfo<1..2^24-1> */
11513 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, next_offset, &cert_length,
11514 hf->hf.hs_certificate_len, 1, G_MAXUINT24((1U << 24) - 1))) {
11515 return;
11516 }
11517 offset += 3;
11518
11519 dissect_x509af_SubjectPublicKeyInfo(false0, tvb, offset, &asn1_ctx, subtree, hf->hf.hs_certificate);
11520 offset += cert_length;
11521 break;
11522 case CERT_X509:
11523 /* opaque ASN1Cert<1..2^24-1> */
11524 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, next_offset, &cert_length,
11525 hf->hf.hs_certificate_len, 1, G_MAXUINT24((1U << 24) - 1))) {
11526 return;
11527 }
11528 offset += 3;
11529
11530 dissect_x509af_Certificate(false0, tvb, offset, &asn1_ctx, subtree, hf->hf.hs_certificate);
11531#if defined(HAVE_LIBGNUTLS1)
11532 if (is_from_server && ssl && certificate_index == 0) {
11533 ssl_find_private_key_by_pubkey(ssl, &subjectPublicKeyInfo);
11534 /* Only attempt to get the RSA modulus for the first cert. */
11535 asn1_ctx.private_data = NULL((void*)0);
11536 }
11537#endif
11538 offset += cert_length;
11539 break;
11540 }
11541
11542 /* TLS 1.3: Extension extensions<0..2^16-1> */
11543 if ((session->version == TLSV1DOT3_VERSION0x304 || session->version == DTLSV1DOT3_VERSION0xfefc)) {
11544 offset = ssl_dissect_hnd_extension(hf, tvb, subtree, pinfo, offset,
11545 next_offset, SSL_HND_CERTIFICATE,
11546 session, ssl, is_dtls, NULL((void*)0), NULL((void*)0), NULL((void*)0));
11547 }
11548
11549#if defined(HAVE_LIBGNUTLS1)
11550 certificate_index++;
11551#endif
11552 }
11553}
11554
11555void
11556ssl_dissect_hnd_cert_req(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
11557 proto_tree *tree, uint32_t offset, uint32_t offset_end,
11558 SslSession *session, bool_Bool is_dtls)
11559{
11560 /* From SSL 3.0 and up (note that since TLS 1.1 certificate_authorities can be empty):
11561 * enum {
11562 * rsa_sign(1), dss_sign(2), rsa_fixed_dh(3), dss_fixed_dh(4),
11563 * (255)
11564 * } ClientCertificateType;
11565 *
11566 * opaque DistinguishedName<1..2^16-1>;
11567 *
11568 * struct {
11569 * ClientCertificateType certificate_types<1..2^8-1>;
11570 * DistinguishedName certificate_authorities<3..2^16-1>;
11571 * } CertificateRequest;
11572 *
11573 *
11574 * As per TLSv1.2 (RFC 5246) the format has changed to:
11575 *
11576 * enum {
11577 * rsa_sign(1), dss_sign(2), rsa_fixed_dh(3), dss_fixed_dh(4),
11578 * rsa_ephemeral_dh_RESERVED(5), dss_ephemeral_dh_RESERVED(6),
11579 * fortezza_dms_RESERVED(20), (255)
11580 * } ClientCertificateType;
11581 *
11582 * enum {
11583 * none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5),
11584 * sha512(6), (255)
11585 * } HashAlgorithm;
11586 *
11587 * enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) }
11588 * SignatureAlgorithm;
11589 *
11590 * struct {
11591 * HashAlgorithm hash;
11592 * SignatureAlgorithm signature;
11593 * } SignatureAndHashAlgorithm;
11594 *
11595 * SignatureAndHashAlgorithm
11596 * supported_signature_algorithms<2..2^16-2>;
11597 *
11598 * opaque DistinguishedName<1..2^16-1>;
11599 *
11600 * struct {
11601 * ClientCertificateType certificate_types<1..2^8-1>;
11602 * SignatureAndHashAlgorithm supported_signature_algorithms<2^16-1>;
11603 * DistinguishedName certificate_authorities<0..2^16-1>;
11604 * } CertificateRequest;
11605 *
11606 * draft-ietf-tls-tls13-18:
11607 * struct {
11608 * opaque certificate_request_context<0..2^8-1>;
11609 * SignatureScheme
11610 * supported_signature_algorithms<2..2^16-2>;
11611 * DistinguishedName certificate_authorities<0..2^16-1>;
11612 * CertificateExtension certificate_extensions<0..2^16-1>;
11613 * } CertificateRequest;
11614 *
11615 * RFC 8446 (since draft-ietf-tls-tls13-19):
11616 *
11617 * struct {
11618 * opaque certificate_request_context<0..2^8-1>;
11619 * Extension extensions<2..2^16-1>;
11620 * } CertificateRequest;
11621 */
11622 proto_item *ti;
11623 proto_tree *subtree;
11624 uint32_t next_offset;
11625 asn1_ctx_t asn1_ctx;
11626 bool_Bool is_tls13 = (session->version == TLSV1DOT3_VERSION0x304 || session->version == DTLSV1DOT3_VERSION0xfefc);
11627 unsigned char draft_version = session->tls13_draft_version;
11628
11629 if (!tree)
11630 return;
11631
11632 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true1, pinfo);
11633
11634 if (is_tls13) {
11635 uint32_t context_length;
11636 /* opaque certificate_request_context<0..2^8-1> */
11637 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &context_length,
11638 hf->hf.hs_certificate_request_context_length, 0, UINT8_MAX(255))) {
11639 return;
11640 }
11641 offset++;
11642 if (context_length > 0) {
11643 proto_tree_add_item(tree, hf->hf.hs_certificate_request_context,
11644 tvb, offset, context_length, ENC_NA0x00000000);
11645 offset += context_length;
11646 }
11647 } else {
11648 uint32_t cert_types_count;
11649 /* ClientCertificateType certificate_types<1..2^8-1> */
11650 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &cert_types_count,
11651 hf->hf.hs_cert_types_count, 1, UINT8_MAX(255))) {
11652 return;
11653 }
11654 offset++;
11655 next_offset = offset + cert_types_count;
11656
11657 ti = proto_tree_add_none_format(tree,
11658 hf->hf.hs_cert_types,
11659 tvb, offset, cert_types_count,
11660 "Certificate types (%u type%s)",
11661 cert_types_count,
11662 plurality(cert_types_count, "", "s")((cert_types_count) == 1 ? ("") : ("s")));
11663 subtree = proto_item_add_subtree(ti, hf->ett.cert_types);
11664
11665 while (offset < next_offset) {
11666 proto_tree_add_item(subtree, hf->hf.hs_cert_type, tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
11667 offset++;
11668 }
11669 }
11670
11671 if (session->version == TLSV1DOT2_VERSION0x303 || session->version == DTLSV1DOT2_VERSION0xfefd ||
11672 (is_tls13 && (draft_version > 0 && draft_version < 19))) {
11673 offset = ssl_dissect_hash_alg_list(hf, tvb, tree, pinfo, offset, offset_end, NULL((void*)0));
11674 }
11675
11676 if (is_tls13 && (draft_version == 0 || draft_version >= 19)) {
11677 /*
11678 * TLS 1.3 draft 19 and newer: Extensions.
11679 * SslDecryptSession pointer is NULL because Certificate Extensions
11680 * should not influence decryption state.
11681 */
11682 ssl_dissect_hnd_extension(hf, tvb, tree, pinfo, offset,
11683 offset_end, SSL_HND_CERT_REQUEST,
11684 session, NULL((void*)0), is_dtls, NULL((void*)0), NULL((void*)0), NULL((void*)0));
11685 } else if (is_tls13 && draft_version <= 18) {
11686 /*
11687 * TLS 1.3 draft 18 and older: certificate_authorities and
11688 * certificate_extensions (a vector of OID mappings).
11689 */
11690 offset = tls_dissect_certificate_authorities(hf, tvb, pinfo, tree, offset, offset_end);
11691 ssl_dissect_hnd_hello_ext_oid_filters(hf, tvb, pinfo, tree, offset, offset_end);
11692 } else {
11693 /* for TLS 1.2 and older, the certificate_authorities field. */
11694 tls_dissect_certificate_authorities(hf, tvb, pinfo, tree, offset, offset_end);
11695 }
11696}
11697/* Certificate and Certificate Request dissections. }}} */
11698
11699void
11700ssl_dissect_hnd_cli_cert_verify(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
11701 proto_tree *tree, uint32_t offset, uint32_t offset_end, uint16_t version)
11702{
11703 ssl_dissect_digitally_signed(hf, tvb, pinfo, tree, offset, offset_end, version,
11704 hf->hf.hs_client_cert_vrfy_sig_len,
11705 hf->hf.hs_client_cert_vrfy_sig);
11706}
11707
11708/* Finished dissection. {{{ */
11709void
11710ssl_dissect_hnd_finished(ssl_common_dissect_t *hf, tvbuff_t *tvb,
11711 proto_tree *tree, uint32_t offset, uint32_t offset_end,
11712 const SslSession *session, ssl_hfs_t *ssl_hfs)
11713{
11714 /* For SSLv3:
11715 * struct {
11716 * opaque md5_hash[16];
11717 * opaque sha_hash[20];
11718 * } Finished;
11719 *
11720 * For (D)TLS:
11721 * struct {
11722 * opaque verify_data[12];
11723 * } Finished;
11724 *
11725 * For TLS 1.3:
11726 * struct {
11727 * opaque verify_data[Hash.length];
11728 * }
11729 */
11730 if (!tree)
11731 return;
11732
11733 if (session->version == SSLV3_VERSION0x300) {
11734 if (ssl_hfs != NULL((void*)0)) {
11735 proto_tree_add_item(tree, ssl_hfs->hs_md5_hash,
11736 tvb, offset, 16, ENC_NA0x00000000);
11737 proto_tree_add_item(tree, ssl_hfs->hs_sha_hash,
11738 tvb, offset + 16, 20, ENC_NA0x00000000);
11739 }
11740 } else {
11741 /* Length should be 12 for TLS before 1.3, assume this is the case. */
11742 proto_tree_add_item(tree, hf->hf.hs_finished,
11743 tvb, offset, offset_end - offset, ENC_NA0x00000000);
11744 }
11745} /* }}} */
11746
11747/* RFC 6066 Certificate URL handshake message dissection. {{{ */
11748void
11749ssl_dissect_hnd_cert_url(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree, uint32_t offset)
11750{
11751 uint16_t url_hash_len;
11752
11753 /* enum {
11754 * individual_certs(0), pkipath(1), (255)
11755 * } CertChainType;
11756 *
11757 * struct {
11758 * CertChainType type;
11759 * URLAndHash url_and_hash_list<1..2^16-1>;
11760 * } CertificateURL;
11761 *
11762 * struct {
11763 * opaque url<1..2^16-1>;
11764 * uint8 padding;
11765 * opaque SHA1Hash[20];
11766 * } URLAndHash;
11767 */
11768
11769 proto_tree_add_item(tree, hf->hf.hs_ext_cert_url_type,
11770 tvb, offset, 1, ENC_NA0x00000000);
11771 offset++;
11772
11773 url_hash_len = tvb_get_ntohs(tvb, offset);
11774 proto_tree_add_item(tree, hf->hf.hs_ext_cert_url_url_hash_list_len,
11775 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
11776 offset += 2;
11777 while (url_hash_len-- > 0) {
11778 proto_item *urlhash_item;
11779 proto_tree *urlhash_tree;
11780 uint16_t url_len;
11781
11782 urlhash_item = proto_tree_add_item(tree, hf->hf.hs_ext_cert_url_item,
11783 tvb, offset, -1, ENC_NA0x00000000);
11784 urlhash_tree = proto_item_add_subtree(urlhash_item, hf->ett.urlhash);
11785
11786 url_len = tvb_get_ntohs(tvb, offset);
11787 proto_tree_add_item(urlhash_tree, hf->hf.hs_ext_cert_url_url_len,
11788 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
11789 offset += 2;
11790
11791 proto_tree_add_item(urlhash_tree, hf->hf.hs_ext_cert_url_url,
11792 tvb, offset, url_len, ENC_ASCII0x00000000|ENC_NA0x00000000);
11793 offset += url_len;
11794
11795 proto_tree_add_item(urlhash_tree, hf->hf.hs_ext_cert_url_padding,
11796 tvb, offset, 1, ENC_NA0x00000000);
11797 offset++;
11798 /* Note: RFC 6066 says that padding must be 0x01 */
11799
11800 proto_tree_add_item(urlhash_tree, hf->hf.hs_ext_cert_url_sha1,
11801 tvb, offset, 20, ENC_NA0x00000000);
11802 offset += 20;
11803 }
11804} /* }}} */
11805
11806void
11807ssl_dissect_hnd_compress_certificate(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree,
11808 uint32_t offset, uint32_t offset_end, packet_info *pinfo,
11809 SslSession *session, SslDecryptSession *ssl,
11810 bool_Bool is_from_server, bool_Bool is_dtls)
11811{
11812 uint32_t algorithm, uncompressed_length;
11813 uint32_t compressed_certificate_message_length;
11814 tvbuff_t *uncompressed_tvb = NULL((void*)0);
11815 proto_item *ti;
11816 /*
11817 * enum {
11818 * zlib(1),
11819 * brotli(2),
11820 * zstd(3),
11821 * (65535)
11822 * } CertificateCompressionAlgorithm;
11823 *
11824 * struct {
11825 * CertificateCompressionAlgorithm algorithm;
11826 * uint24 uncompressed_length;
11827 * opaque compressed_certificate_message<1..2^24-1>;
11828 * } CompressedCertificate;
11829 */
11830
11831 proto_tree_add_item_ret_uint(tree, hf->hf.hs_ext_compress_certificate_algorithm,
11832 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &algorithm);
11833 offset += 2;
11834
11835 proto_tree_add_item_ret_uint(tree, hf->hf.hs_ext_compress_certificate_uncompressed_length,
11836 tvb, offset, 3, ENC_BIG_ENDIAN0x00000000, &uncompressed_length);
11837 offset += 3;
11838
11839 /* opaque compressed_certificate_message<1..2^24-1>; */
11840 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &compressed_certificate_message_length,
11841 hf->hf.hs_ext_compress_certificate_compressed_certificate_message_length, 1, G_MAXUINT24((1U << 24) - 1))) {
11842 return;
11843 }
11844 offset += 3;
11845
11846 ti = proto_tree_add_item(tree, hf->hf.hs_ext_compress_certificate_compressed_certificate_message,
11847 tvb, offset, compressed_certificate_message_length, ENC_NA0x00000000);
11848
11849 /* Certificate decompression following algorithm */
11850 switch (algorithm) {
11851 case 1: /* zlib */
11852 uncompressed_tvb = tvb_child_uncompress_zlib(tvb, tvb, offset, compressed_certificate_message_length);
11853 break;
11854 case 2: /* brotli */
11855 uncompressed_tvb = tvb_child_uncompress_brotli(tvb, tvb, offset, compressed_certificate_message_length);
11856 break;
11857 case 3: /* zstd */
11858 uncompressed_tvb = tvb_child_uncompress_zstd(tvb, tvb, offset, compressed_certificate_message_length);
11859 break;
11860 }
11861
11862 if (uncompressed_tvb) {
11863 proto_tree *uncompressed_tree;
11864
11865 if (uncompressed_length != tvb_captured_length(uncompressed_tvb)) {
11866 proto_tree_add_expert_format(tree, pinfo, &hf->ei.decompression_error,
11867 tvb, offset, offset_end - offset,
11868 "Invalid uncompressed length %u (expected %u)",
11869 tvb_captured_length(uncompressed_tvb),
11870 uncompressed_length);
11871 } else {
11872 uncompressed_tree = proto_item_add_subtree(ti, hf->ett.uncompressed_certificates);
11873 ssl_dissect_hnd_cert(hf, uncompressed_tvb, uncompressed_tree,
11874 0, uncompressed_length, pinfo, session, ssl, is_from_server, is_dtls);
11875 add_new_data_source(pinfo, uncompressed_tvb, "Uncompressed certificate(s)");
11876 }
11877 }
11878}
11879
11880/* Dissection of TLS Extensions in Client Hello, Server Hello, etc. {{{ */
11881static int
11882// NOLINTNEXTLINE(misc-no-recursion)
11883ssl_dissect_hnd_extension(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree,
11884 packet_info* pinfo, uint32_t offset, uint32_t offset_end, uint8_t hnd_type,
11885 SslSession *session, SslDecryptSession *ssl,
11886 bool_Bool is_dtls, wmem_strbuf_t *ja3, ja4_data_t *ja4_data,
11887 ssl_master_key_map_t *mk_map)
11888{
11889 uint32_t exts_len;
11890 uint16_t ext_type;
11891 uint32_t ext_len;
11892 uint32_t next_offset;
11893 proto_item *ext_item;
11894 proto_tree *ext_tree;
11895 bool_Bool is_tls13 = session->version == TLSV1DOT3_VERSION0x304;
11896 wmem_strbuf_t *ja3_sg = wmem_strbuf_new(pinfo->pool, "");
11897 wmem_strbuf_t *ja3_ecpf = wmem_strbuf_new(pinfo->pool, "");
11898 char *ja3_dash = "";
11899 unsigned supported_version;
11900
11901 /* Extension extensions<0..2^16-2> (for TLS 1.3 HRR/CR min-length is 2) */
11902 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &exts_len,
11903 hf->hf.hs_exts_len, 0, UINT16_MAX(65535))) {
11904 return offset_end;
11905 }
11906 offset += 2;
11907 offset_end = offset + exts_len;
11908
11909 if (ja4_data) {
11910 ja4_data->num_extensions = 0;
11911 }
11912 while (offset_end - offset >= 4)
11913 {
11914 ext_type = tvb_get_ntohs(tvb, offset);
11915 ext_len = tvb_get_ntohs(tvb, offset + 2);
11916
11917 if (ja4_data && !IS_GREASE_TLS(ext_type)((((ext_type) & 0x0f0f) == 0x0a0a) && (((ext_type
) & 0xff) == (((ext_type)>>8) & 0xff)))) {
11918 ja4_data->num_extensions += 1;
11919 if (ext_type != SSL_HND_HELLO_EXT_SERVER_NAME0 &&
11920 ext_type != SSL_HND_HELLO_EXT_ALPN16) {
11921 wmem_list_insert_sorted(ja4_data->extension_list, GUINT_TO_POINTER(ext_type)((gpointer) (gulong) (ext_type)), wmem_compare_uint);
11922 }
11923 }
11924
11925 ext_item = proto_tree_add_none_format(tree, hf->hf.hs_ext, tvb, offset, 4 + ext_len,
11926 "Extension: %s (len=%u)", val_to_str(pinfo->pool, ext_type,
11927 tls_hello_extension_types,
11928 "Unknown type %u"), ext_len);
11929 ext_tree = proto_item_add_subtree(ext_item, hf->ett.hs_ext);
11930
11931 proto_tree_add_uint(ext_tree, hf->hf.hs_ext_type,
11932 tvb, offset, 2, ext_type);
11933 offset += 2;
11934 if (ja3 && !IS_GREASE_TLS(ext_type)((((ext_type) & 0x0f0f) == 0x0a0a) && (((ext_type
) & 0xff) == (((ext_type)>>8) & 0xff)))) {
11935 wmem_strbuf_append_printf(ja3, "%s%i",ja3_dash, ext_type);
11936 ja3_dash = "-";
11937 }
11938
11939 /* opaque extension_data<0..2^16-1> */
11940 if (!ssl_add_vector(hf, tvb, pinfo, ext_tree, offset, offset_end, &ext_len,
11941 hf->hf.hs_ext_len, 0, UINT16_MAX(65535))) {
11942 return offset_end;
11943 }
11944 offset += 2;
11945 next_offset = offset + ext_len;
11946
11947 switch (ext_type) {
11948 case SSL_HND_HELLO_EXT_SERVER_NAME0:
11949 if (hnd_type == SSL_HND_CLIENT_HELLO) {
11950 offset = ssl_dissect_hnd_hello_ext_server_name(hf, tvb, pinfo, ext_tree, offset, next_offset);
11951 if (ja4_data) {
11952 ja4_data->server_name_present = true1;
11953 }
11954 }
11955 break;
11956 case SSL_HND_HELLO_EXT_MAX_FRAGMENT_LENGTH1:
11957 proto_tree_add_item(ext_tree, hf->hf.hs_ext_max_fragment_length, tvb, offset, 1, ENC_NA0x00000000);
11958 offset += 1;
11959 break;
11960 case SSL_HND_HELLO_EXT_STATUS_REQUEST5:
11961 if (hnd_type == SSL_HND_CLIENT_HELLO) {
11962 offset = ssl_dissect_hnd_hello_ext_status_request(hf, tvb, pinfo, ext_tree, offset, next_offset, false0);
11963 } else if (is_tls13 && hnd_type == SSL_HND_CERTIFICATE) {
11964 offset = tls_dissect_hnd_certificate_status(hf, tvb, pinfo, ext_tree, offset, next_offset);
11965 }
11966 break;
11967 case SSL_HND_HELLO_EXT_CERT_TYPE9:
11968 offset = ssl_dissect_hnd_hello_ext_cert_type(hf, tvb, ext_tree,
11969 offset, next_offset,
11970 hnd_type, ext_type,
11971 session);
11972 break;
11973 case SSL_HND_HELLO_EXT_SUPPORTED_GROUPS10:
11974 if (hnd_type == SSL_HND_CLIENT_HELLO) {
11975 offset = ssl_dissect_hnd_hello_ext_supported_groups(hf, tvb, pinfo, ext_tree, offset,
11976 next_offset, ja3_sg);
11977 } else {
11978 offset = ssl_dissect_hnd_hello_ext_supported_groups(hf, tvb, pinfo, ext_tree, offset,
11979 next_offset, NULL((void*)0));
11980 }
11981 break;
11982 case SSL_HND_HELLO_EXT_EC_POINT_FORMATS11:
11983 if (hnd_type == SSL_HND_CLIENT_HELLO) {
11984 offset = ssl_dissect_hnd_hello_ext_ec_point_formats(hf, tvb, ext_tree, offset, ja3_ecpf);
11985 } else {
11986 offset = ssl_dissect_hnd_hello_ext_ec_point_formats(hf, tvb, ext_tree, offset, NULL((void*)0));
11987 }
11988 break;
11989 break;
11990 case SSL_HND_HELLO_EXT_SRP12:
11991 offset = ssl_dissect_hnd_hello_ext_srp(hf, tvb, pinfo, ext_tree, offset, next_offset);
11992 break;
11993 case SSL_HND_HELLO_EXT_SIGNATURE_ALGORITHMS13:
11994 offset = ssl_dissect_hnd_hello_ext_sig_hash_algs(hf, tvb, ext_tree, pinfo, offset, next_offset, ja4_data);
11995 break;
11996 case SSL_HND_HELLO_EXT_SIGNATURE_ALGORITHMS_CERT50: /* since TLS 1.3 draft -23 */
11997 offset = ssl_dissect_hnd_hello_ext_sig_hash_algs(hf, tvb, ext_tree, pinfo, offset, next_offset, NULL((void*)0));
11998 break;
11999 case SSL_HND_HELLO_EXT_DELEGATED_CREDENTIALS34:
12000 offset = ssl_dissect_hnd_ext_delegated_credentials(hf, tvb, ext_tree, pinfo, offset, next_offset, hnd_type);
12001 break;
12002 case SSL_HND_HELLO_EXT_USE_SRTP14:
12003 if (is_dtls) {
12004 if (hnd_type == SSL_HND_CLIENT_HELLO) {
12005 offset = dtls_dissect_hnd_hello_ext_use_srtp(pinfo, tvb, ext_tree, offset, next_offset, false0);
12006 } else if (hnd_type == SSL_HND_SERVER_HELLO) {
12007 offset = dtls_dissect_hnd_hello_ext_use_srtp(pinfo, tvb, ext_tree, offset, next_offset, true1);
12008 }
12009 } else {
12010 // XXX expert info: This extension MUST only be used with DTLS, and not with TLS.
12011 }
12012 break;
12013 case SSL_HND_HELLO_EXT_ECH_OUTER_EXTENSIONS64768:
12014 offset = ssl_dissect_hnd_ech_outer_ext(hf, tvb, pinfo, ext_tree, offset, next_offset);
12015 break;
12016 case SSL_HND_HELLO_EXT_ENCRYPTED_CLIENT_HELLO65037:
12017 offset = ssl_dissect_hnd_hello_ext_ech(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, session, ssl, mk_map);
12018 break;
12019 case SSL_HND_HELLO_EXT_HEARTBEAT15:
12020 proto_tree_add_item(ext_tree, hf->hf.hs_ext_heartbeat_mode,
12021 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
12022 offset++;
12023 break;
12024 case SSL_HND_HELLO_EXT_ALPN16:
12025 offset = ssl_dissect_hnd_hello_ext_alpn(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, session, is_dtls, ja4_data);
12026 break;
12027 case SSL_HND_HELLO_EXT_STATUS_REQUEST_V217:
12028 if (hnd_type == SSL_HND_CLIENT_HELLO)
12029 offset = ssl_dissect_hnd_hello_ext_status_request_v2(hf, tvb, pinfo, ext_tree, offset, next_offset);
12030 break;
12031 case SSL_HND_HELLO_EXT_SIGNED_CERTIFICATE_TIMESTAMP18:
12032 // TLS 1.3 note: SCT only appears in EE in draft -16 and before.
12033 if (hnd_type == SSL_HND_SERVER_HELLO || hnd_type == SSL_HND_ENCRYPTED_EXTENSIONS || hnd_type == SSL_HND_CERTIFICATE)
12034 offset = tls_dissect_sct_list(hf, tvb, pinfo, ext_tree, offset, next_offset, session->version);
12035 break;
12036 case SSL_HND_HELLO_EXT_CLIENT_CERT_TYPE19:
12037 case SSL_HND_HELLO_EXT_SERVER_CERT_TYPE20:
12038 offset = ssl_dissect_hnd_hello_ext_cert_type(hf, tvb, ext_tree,
12039 offset, next_offset,
12040 hnd_type, ext_type,
12041 session);
12042 break;
12043 case SSL_HND_HELLO_EXT_PADDING21:
12044 proto_tree_add_item(ext_tree, hf->hf.hs_ext_padding_data, tvb, offset, ext_len, ENC_NA0x00000000);
12045 offset += ext_len;
12046 break;
12047 case SSL_HND_HELLO_EXT_ENCRYPT_THEN_MAC22:
12048 if (ssl && hnd_type == SSL_HND_SERVER_HELLO) {
12049 ssl_debug_printf("%s enabling Encrypt-then-MAC\n", G_STRFUNC((const char*) (__func__)));
12050 ssl->state |= SSL_ENCRYPT_THEN_MAC(1<<11);
12051 }
12052 break;
12053 case SSL_HND_HELLO_EXT_EXTENDED_MASTER_SECRET23:
12054 if (ssl) {
12055 switch (hnd_type) {
12056 case SSL_HND_CLIENT_HELLO:
12057 ssl->state |= SSL_CLIENT_EXTENDED_MASTER_SECRET(1<<7);
12058 break;
12059 case SSL_HND_SERVER_HELLO:
12060 ssl->state |= SSL_SERVER_EXTENDED_MASTER_SECRET(1<<8);
12061 break;
12062 default: /* no default */
12063 break;
12064 }
12065 }
12066 break;
12067 case SSL_HND_HELLO_EXT_COMPRESS_CERTIFICATE27:
12068 offset = ssl_dissect_hnd_hello_ext_compress_certificate(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, ssl);
12069 break;
12070 case SSL_HND_HELLO_EXT_TOKEN_BINDING24:
12071 offset = ssl_dissect_hnd_hello_ext_token_binding(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, ssl);
12072 break;
12073 case SSL_HND_HELLO_EXT_RECORD_SIZE_LIMIT28:
12074 proto_tree_add_item(ext_tree, hf->hf.hs_ext_record_size_limit,
12075 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
12076 offset += 2;
12077 break;
12078 case SSL_HND_HELLO_EXT_QUIC_TRANSPORT_PARAMETERS65445:
12079 case SSL_HND_HELLO_EXT_QUIC_TRANSPORT_PARAMETERS_V157:
12080 offset = ssl_dissect_hnd_hello_ext_quic_transport_parameters(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, ssl);
12081 break;
12082 case SSL_HND_HELLO_EXT_SESSION_TICKET_TLS35:
12083 offset = ssl_dissect_hnd_hello_ext_session_ticket(hf, tvb, ext_tree, offset, next_offset, hnd_type, ssl);
12084 break;
12085 case SSL_HND_HELLO_EXT_KEY_SHARE_OLD40: /* used before TLS 1.3 draft -23 */
12086 case SSL_HND_HELLO_EXT_KEY_SHARE51:
12087 offset = ssl_dissect_hnd_hello_ext_key_share(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type);
12088 break;
12089 case SSL_HND_HELLO_EXT_PRE_SHARED_KEY41:
12090 offset = ssl_dissect_hnd_hello_ext_pre_shared_key(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type);
12091 break;
12092 case SSL_HND_HELLO_EXT_EARLY_DATA42:
12093 case SSL_HND_HELLO_EXT_TICKET_EARLY_DATA_INFO46:
12094 offset = ssl_dissect_hnd_hello_ext_early_data(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, ssl);
12095 break;
12096 case SSL_HND_HELLO_EXT_SUPPORTED_VERSIONS43:
12097 switch (hnd_type) {
12098 case SSL_HND_CLIENT_HELLO:
12099 offset = ssl_dissect_hnd_hello_ext_supported_versions(hf, tvb, pinfo, ext_tree, offset, next_offset, session, is_dtls, ja4_data);
12100 break;
12101 case SSL_HND_SERVER_HELLO:
12102 case SSL_HND_HELLO_RETRY_REQUEST:
12103 proto_tree_add_item_ret_uint(ext_tree, hf->hf.hs_ext_supported_version, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &supported_version);
12104 offset += 2;
12105 proto_item_append_text(ext_tree, " %s", val_to_str(pinfo->pool, supported_version, ssl_versions, "Unknown (0x%04x)"));
12106 break;
12107 }
12108 break;
12109 case SSL_HND_HELLO_EXT_COOKIE44:
12110 offset = ssl_dissect_hnd_hello_ext_cookie(hf, tvb, pinfo, ext_tree, offset, next_offset);
12111 break;
12112 case SSL_HND_HELLO_EXT_PSK_KEY_EXCHANGE_MODES45:
12113 offset = ssl_dissect_hnd_hello_ext_psk_key_exchange_modes(hf, tvb, pinfo, ext_tree, offset, next_offset);
12114 break;
12115 case SSL_HND_HELLO_EXT_CERTIFICATE_AUTHORITIES47:
12116 offset = ssl_dissect_hnd_hello_ext_certificate_authorities(hf, tvb, pinfo, ext_tree, offset, next_offset);
12117 break;
12118 case SSL_HND_HELLO_EXT_OID_FILTERS48:
12119 offset = ssl_dissect_hnd_hello_ext_oid_filters(hf, tvb, pinfo, ext_tree, offset, next_offset);
12120 break;
12121 case SSL_HND_HELLO_EXT_POST_HANDSHAKE_AUTH49:
12122 break;
12123 case SSL_HND_HELLO_EXT_NPN13172:
12124 offset = ssl_dissect_hnd_hello_ext_npn(hf, tvb, pinfo, ext_tree, offset, next_offset);
12125 break;
12126 case SSL_HND_HELLO_EXT_ALPS_OLD17513:
12127 offset = ssl_dissect_hnd_hello_ext_alps(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type);
12128 break;
12129 case SSL_HND_HELLO_EXT_ALPS17613:
12130 offset = ssl_dissect_hnd_hello_ext_alps(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type);
12131 break;
12132 case SSL_HND_HELLO_EXT_RENEGOTIATION_INFO65281:
12133 offset = ssl_dissect_hnd_hello_ext_reneg_info(hf, tvb, pinfo, ext_tree, offset, next_offset);
12134 break;
12135 case SSL_HND_HELLO_EXT_ENCRYPTED_SERVER_NAME65486:
12136 offset = ssl_dissect_hnd_hello_ext_esni(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, ssl);
12137 break;
12138 case SSL_HND_HELLO_EXT_CONNECTION_ID_DEPRECATED53:
12139 session->deprecated_cid = true1;
12140 /* FALLTHRU */
12141 case SSL_HND_HELLO_EXT_CONNECTION_ID54:
12142 offset = ssl_dissect_hnd_hello_ext_connection_id(hf, tvb, pinfo, ext_tree, offset, hnd_type, session, ssl);
12143 break;
12144 case SSL_HND_HELLO_EXT_TRUSTED_CA_KEYS3:
12145 offset = ssl_dissect_hnd_hello_ext_trusted_ca_keys(hf, tvb, pinfo, ext_tree, offset, next_offset);
12146 break;
12147 default:
12148 proto_tree_add_item(ext_tree, hf->hf.hs_ext_data,
12149 tvb, offset, ext_len, ENC_NA0x00000000);
12150 offset += ext_len;
12151 break;
12152 }
12153
12154 if (!ssl_end_vector(hf, tvb, pinfo, ext_tree, offset, next_offset)) {
12155 /* Dissection did not end at expected location, fix it. */
12156 offset = next_offset;
12157 }
12158 }
12159
12160 if (ja3) {
12161 if (hnd_type == SSL_HND_CLIENT_HELLO) {
12162 if(wmem_strbuf_get_len(ja3_sg) > 0) {
12163 wmem_strbuf_append_printf(ja3, "%s", wmem_strbuf_get_str(ja3_sg));
12164 } else {
12165 wmem_strbuf_append_c(ja3, ',');
12166 }
12167 if(wmem_strbuf_get_len(ja3_ecpf) > 0) {
12168 wmem_strbuf_append_printf(ja3, "%s", wmem_strbuf_get_str(ja3_ecpf));
12169 } else {
12170 wmem_strbuf_append_c(ja3, ',');
12171 }
12172 }
12173 }
12174
12175 /* Check if Extensions vector is correctly terminated. */
12176 if (!ssl_end_vector(hf, tvb, pinfo, tree, offset, offset_end)) {
12177 offset = offset_end;
12178 }
12179
12180 return offset;
12181} /* }}} */
12182
12183
12184/* ClientKeyExchange algo-specific dissectors. {{{ */
12185
12186static void
12187dissect_ssl3_hnd_cli_keyex_ecdh(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12188 proto_tree *tree, uint32_t offset,
12189 uint32_t length)
12190{
12191 int point_len;
12192 proto_tree *ssl_ecdh_tree;
12193
12194 ssl_ecdh_tree = proto_tree_add_subtree(tree, tvb, offset, length,
12195 hf->ett.keyex_params, NULL((void*)0), "EC Diffie-Hellman Client Params");
12196
12197 /* point */
12198 point_len = tvb_get_uint8(tvb, offset);
12199 proto_tree_add_item(ssl_ecdh_tree, hf->hf.hs_client_keyex_point_len, tvb,
12200 offset, 1, ENC_BIG_ENDIAN0x00000000);
12201 proto_tree_add_item(ssl_ecdh_tree, hf->hf.hs_client_keyex_point, tvb,
12202 offset + 1, point_len, ENC_NA0x00000000);
12203}
12204
12205static void
12206dissect_ssl3_hnd_cli_keyex_dhe(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12207 proto_tree *tree, uint32_t offset, uint32_t length)
12208{
12209 int yc_len;
12210 proto_tree *ssl_dh_tree;
12211
12212 ssl_dh_tree = proto_tree_add_subtree(tree, tvb, offset, length,
12213 hf->ett.keyex_params, NULL((void*)0), "Diffie-Hellman Client Params");
12214
12215 /* ClientDiffieHellmanPublic.dh_public (explicit) */
12216 yc_len = tvb_get_ntohs(tvb, offset);
12217 proto_tree_add_item(ssl_dh_tree, hf->hf.hs_client_keyex_yc_len, tvb,
12218 offset, 2, ENC_BIG_ENDIAN0x00000000);
12219 proto_tree_add_item(ssl_dh_tree, hf->hf.hs_client_keyex_yc, tvb,
12220 offset + 2, yc_len, ENC_NA0x00000000);
12221}
12222
12223static void
12224dissect_ssl3_hnd_cli_keyex_rsa(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12225 proto_tree *tree, uint32_t offset,
12226 uint32_t length, const SslSession *session)
12227{
12228 int epms_len;
12229 proto_tree *ssl_rsa_tree;
12230
12231 ssl_rsa_tree = proto_tree_add_subtree(tree, tvb, offset, length,
12232 hf->ett.keyex_params, NULL((void*)0), "RSA Encrypted PreMaster Secret");
12233
12234 /* EncryptedPreMasterSecret.pre_master_secret */
12235 switch (session->version) {
12236 case SSLV2_VERSION0x0002:
12237 case SSLV3_VERSION0x300:
12238 case DTLSV1DOT0_OPENSSL_VERSION0x100:
12239 /* OpenSSL pre-0.9.8f DTLS and pre-TLS quirk: 2-octet length vector is
12240 * not present. The handshake contents represents the EPMS, see:
12241 * https://gitlab.com/wireshark/wireshark/-/issues/10222 */
12242 epms_len = length;
12243 break;
12244
12245 default:
12246 /* TLS and DTLS include vector length before EPMS */
12247 epms_len = tvb_get_ntohs(tvb, offset);
12248 proto_tree_add_item(ssl_rsa_tree, hf->hf.hs_client_keyex_epms_len, tvb,
12249 offset, 2, ENC_BIG_ENDIAN0x00000000);
12250 offset += 2;
12251 break;
12252 }
12253 proto_tree_add_item(ssl_rsa_tree, hf->hf.hs_client_keyex_epms, tvb,
12254 offset, epms_len, ENC_NA0x00000000);
12255}
12256
12257/* Used in PSK cipher suites */
12258static uint32_t
12259dissect_ssl3_hnd_cli_keyex_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12260 proto_tree *tree, uint32_t offset)
12261{
12262 unsigned identity_len;
12263 proto_tree *ssl_psk_tree;
12264
12265 ssl_psk_tree = proto_tree_add_subtree(tree, tvb, offset, -1,
12266 hf->ett.keyex_params, NULL((void*)0), "PSK Client Params");
12267 /* identity */
12268 identity_len = tvb_get_ntohs(tvb, offset);
12269 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_client_keyex_identity_len, tvb,
12270 offset, 2, ENC_BIG_ENDIAN0x00000000);
12271 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_client_keyex_identity, tvb,
12272 offset + 2, identity_len, ENC_NA0x00000000);
12273
12274 proto_item_set_len(ssl_psk_tree, 2 + identity_len);
12275 return 2 + identity_len;
12276}
12277
12278/* Used in RSA PSK cipher suites */
12279static void
12280dissect_ssl3_hnd_cli_keyex_rsa_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12281 proto_tree *tree, uint32_t offset,
12282 uint32_t length)
12283{
12284 int identity_len, epms_len;
12285 proto_tree *ssl_psk_tree;
12286
12287 ssl_psk_tree = proto_tree_add_subtree(tree, tvb, offset, length,
12288 hf->ett.keyex_params, NULL((void*)0), "RSA PSK Client Params");
12289
12290 /* identity */
12291 identity_len = tvb_get_ntohs(tvb, offset);
12292 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_client_keyex_identity_len,
12293 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
12294 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_client_keyex_identity,
12295 tvb, offset + 2, identity_len, ENC_NA0x00000000);
12296 offset += 2 + identity_len;
12297
12298 /* Yc */
12299 epms_len = tvb_get_ntohs(tvb, offset);
12300 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_client_keyex_epms_len, tvb,
12301 offset, 2, ENC_BIG_ENDIAN0x00000000);
12302 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_client_keyex_epms, tvb,
12303 offset + 2, epms_len, ENC_NA0x00000000);
12304}
12305
12306/* Used in Diffie-Hellman PSK cipher suites */
12307static void
12308dissect_ssl3_hnd_cli_keyex_dhe_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12309 proto_tree *tree, uint32_t offset, uint32_t length)
12310{
12311 /*
12312 * struct {
12313 * select (KeyExchangeAlgorithm) {
12314 * case diffie_hellman_psk:
12315 * opaque psk_identity<0..2^16-1>;
12316 * ClientDiffieHellmanPublic public;
12317 * } exchange_keys;
12318 * } ClientKeyExchange;
12319 */
12320
12321 uint32_t psk_len = dissect_ssl3_hnd_cli_keyex_psk(hf, tvb, tree, offset);
12322 dissect_ssl3_hnd_cli_keyex_dhe(hf, tvb, tree, offset + psk_len, length - psk_len);
12323}
12324
12325/* Used in EC Diffie-Hellman PSK cipher suites */
12326static void
12327dissect_ssl3_hnd_cli_keyex_ecdh_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12328 proto_tree *tree, uint32_t offset, uint32_t length)
12329{
12330 /*
12331 * struct {
12332 * select (KeyExchangeAlgorithm) {
12333 * case ec_diffie_hellman_psk:
12334 * opaque psk_identity<0..2^16-1>;
12335 * ClientECDiffieHellmanPublic public;
12336 * } exchange_keys;
12337 * } ClientKeyExchange;
12338 */
12339
12340 uint32_t psk_len = dissect_ssl3_hnd_cli_keyex_psk(hf, tvb, tree, offset);
12341 dissect_ssl3_hnd_cli_keyex_ecdh(hf, tvb, tree, offset + psk_len, length - psk_len);
12342}
12343
12344/* Used in EC J-PAKE cipher suites */
12345static void
12346dissect_ssl3_hnd_cli_keyex_ecjpake(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12347 proto_tree *tree, uint32_t offset,
12348 uint32_t length)
12349{
12350 /*
12351 * struct {
12352 * ECPoint V;
12353 * opaque r<1..2^8-1>;
12354 * } ECSchnorrZKP;
12355 *
12356 * struct {
12357 * ECPoint X;
12358 * ECSchnorrZKP zkp;
12359 * } ECJPAKEKeyKP;
12360 *
12361 * struct {
12362 * ECJPAKEKeyKP ecjpake_key_kp;
12363 * } ClientECJPAKEParams;
12364 *
12365 * select (KeyExchangeAlgorithm) {
12366 * case ecjpake:
12367 * ClientECJPAKEParams params;
12368 * } ClientKeyExchange;
12369 */
12370
12371 int point_len;
12372 proto_tree *ssl_ecjpake_tree;
12373
12374 ssl_ecjpake_tree = proto_tree_add_subtree(tree, tvb, offset, length,
12375 hf->ett.keyex_params, NULL((void*)0),
12376 "EC J-PAKE Client Params");
12377
12378 /* ECJPAKEKeyKP.X */
12379 point_len = tvb_get_uint8(tvb, offset);
12380 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_client_keyex_xc_len, tvb,
12381 offset, 1, ENC_BIG_ENDIAN0x00000000);
12382 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_client_keyex_xc, tvb,
12383 offset + 1, point_len, ENC_NA0x00000000);
12384 offset += 1 + point_len;
12385
12386 /* ECJPAKEKeyKP.zkp.V */
12387 point_len = tvb_get_uint8(tvb, offset);
12388 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_client_keyex_vc_len, tvb,
12389 offset, 1, ENC_BIG_ENDIAN0x00000000);
12390 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_client_keyex_vc, tvb,
12391 offset + 1, point_len, ENC_NA0x00000000);
12392 offset += 1 + point_len;
12393
12394 /* ECJPAKEKeyKP.zkp.r */
12395 point_len = tvb_get_uint8(tvb, offset);
12396 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_client_keyex_rc_len, tvb,
12397 offset, 1, ENC_BIG_ENDIAN0x00000000);
12398 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_client_keyex_rc, tvb,
12399 offset + 1, point_len, ENC_NA0x00000000);
12400}
12401
12402static void
12403dissect_ssl3_hnd_cli_keyex_ecc_sm2(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12404 proto_tree *tree, uint32_t offset,
12405 uint32_t length)
12406{
12407 int epms_len;
12408 proto_tree *ssl_ecc_sm2_tree;
12409
12410 ssl_ecc_sm2_tree = proto_tree_add_subtree(tree, tvb, offset, length,
12411 hf->ett.keyex_params, NULL((void*)0),
12412 "ECC-SM2 Encrypted PreMaster Secret");
12413
12414 epms_len = tvb_get_ntohs(tvb, offset);
12415 proto_tree_add_item(ssl_ecc_sm2_tree, hf->hf.hs_client_keyex_epms_len, tvb,
12416 offset, 2, ENC_BIG_ENDIAN0x00000000);
12417 offset += 2;
12418 proto_tree_add_item(ssl_ecc_sm2_tree, hf->hf.hs_client_keyex_epms, tvb,
12419 offset, epms_len, ENC_NA0x00000000);
12420}
12421/* ClientKeyExchange algo-specific dissectors. }}} */
12422
12423
12424/* Dissects DigitallySigned (see RFC 5246 4.7 Cryptographic Attributes). {{{ */
12425static uint32_t
12426ssl_dissect_digitally_signed(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12427 proto_tree *tree, uint32_t offset, uint32_t offset_end,
12428 uint16_t version, int hf_sig_len, int hf_sig)
12429{
12430 uint32_t sig_len;
12431
12432 switch (version) {
12433 case TLSV1DOT2_VERSION0x303:
12434 case DTLSV1DOT2_VERSION0xfefd:
12435 case TLSV1DOT3_VERSION0x304:
12436 case DTLSV1DOT3_VERSION0xfefc:
12437 tls_dissect_signature_algorithm(hf, tvb, tree, offset, NULL((void*)0));
12438 offset += 2;
12439 break;
12440
12441 default:
12442 break;
12443 }
12444
12445 /* Sig */
12446 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &sig_len,
12447 hf_sig_len, 0, UINT16_MAX(65535))) {
12448 return offset_end;
12449 }
12450 offset += 2;
12451 proto_tree_add_item(tree, hf_sig, tvb, offset, sig_len, ENC_NA0x00000000);
12452 offset += sig_len;
12453 return offset;
12454} /* }}} */
12455
12456/* ServerKeyExchange algo-specific dissectors. {{{ */
12457
12458/* dissects signed_params inside a ServerKeyExchange for some keyex algos */
12459static void
12460dissect_ssl3_hnd_srv_keyex_sig(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12461 proto_tree *tree, uint32_t offset, uint32_t offset_end,
12462 uint16_t version)
12463{
12464 /*
12465 * TLSv1.2 (RFC 5246 sec 7.4.8)
12466 * struct {
12467 * digitally-signed struct {
12468 * opaque handshake_messages[handshake_messages_length];
12469 * }
12470 * } CertificateVerify;
12471 *
12472 * TLSv1.0/TLSv1.1 (RFC 5436 sec 7.4.8 and 7.4.3) works essentially the same
12473 * as TLSv1.2, but the hash algorithms are not explicit in digitally-signed.
12474 *
12475 * SSLv3 (RFC 6101 sec 5.6.8) essentially works the same as TLSv1.0 but it
12476 * does more hashing including the master secret and padding.
12477 */
12478 ssl_dissect_digitally_signed(hf, tvb, pinfo, tree, offset, offset_end, version,
12479 hf->hf.hs_server_keyex_sig_len,
12480 hf->hf.hs_server_keyex_sig);
12481}
12482
12483static uint32_t
12484dissect_tls_ecparameters(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree, uint32_t offset, uint32_t offset_end)
12485{
12486 /*
12487 * RFC 4492 ECC cipher suites for TLS
12488 *
12489 * struct {
12490 * ECCurveType curve_type;
12491 * select (curve_type) {
12492 * case explicit_prime:
12493 * ...
12494 * case explicit_char2:
12495 * ...
12496 * case named_curve:
12497 * NamedCurve namedcurve;
12498 * };
12499 * } ECParameters;
12500 */
12501
12502 int curve_type;
12503
12504 /* ECParameters.curve_type */
12505 curve_type = tvb_get_uint8(tvb, offset);
12506 proto_tree_add_item(tree, hf->hf.hs_server_keyex_curve_type, tvb,
12507 offset, 1, ENC_BIG_ENDIAN0x00000000);
12508 offset++;
12509
12510 if (curve_type != 3)
12511 return offset_end; /* only named_curves are supported */
12512
12513 /* case curve_type == named_curve; ECParameters.namedcurve */
12514 proto_tree_add_item(tree, hf->hf.hs_server_keyex_named_curve, tvb,
12515 offset, 2, ENC_BIG_ENDIAN0x00000000);
12516 offset += 2;
12517
12518 return offset;
12519}
12520
12521static void
12522dissect_ssl3_hnd_srv_keyex_ecdh(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12523 proto_tree *tree, uint32_t offset, uint32_t offset_end,
12524 uint16_t version, bool_Bool anon)
12525{
12526 /*
12527 * RFC 4492 ECC cipher suites for TLS
12528 *
12529 * struct {
12530 * opaque point <1..2^8-1>;
12531 * } ECPoint;
12532 *
12533 * struct {
12534 * ECParameters curve_params;
12535 * ECPoint public;
12536 * } ServerECDHParams;
12537 *
12538 * select (KeyExchangeAlgorithm) {
12539 * case ec_diffie_hellman:
12540 * ServerECDHParams params;
12541 * Signature signed_params;
12542 * } ServerKeyExchange;
12543 */
12544
12545 int point_len;
12546 proto_tree *ssl_ecdh_tree;
12547
12548 ssl_ecdh_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
12549 hf->ett.keyex_params, NULL((void*)0), "EC Diffie-Hellman Server Params");
12550
12551 offset = dissect_tls_ecparameters(hf, tvb, ssl_ecdh_tree, offset, offset_end);
12552 if (offset >= offset_end)
12553 return; /* only named_curves are supported */
12554
12555 /* ECPoint.point */
12556 point_len = tvb_get_uint8(tvb, offset);
12557 proto_tree_add_item(ssl_ecdh_tree, hf->hf.hs_server_keyex_point_len, tvb,
12558 offset, 1, ENC_BIG_ENDIAN0x00000000);
12559 proto_tree_add_item(ssl_ecdh_tree, hf->hf.hs_server_keyex_point, tvb,
12560 offset + 1, point_len, ENC_NA0x00000000);
12561 offset += 1 + point_len;
12562
12563 /* Signature (if non-anonymous KEX) */
12564 if (!anon) {
12565 dissect_ssl3_hnd_srv_keyex_sig(hf, tvb, pinfo, ssl_ecdh_tree, offset, offset_end, version);
12566 }
12567}
12568
12569static void
12570dissect_ssl3_hnd_srv_keyex_dhe(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12571 proto_tree *tree, uint32_t offset, uint32_t offset_end,
12572 uint16_t version, bool_Bool anon)
12573{
12574 int p_len, g_len, ys_len;
12575 proto_tree *ssl_dh_tree;
12576
12577 ssl_dh_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
12578 hf->ett.keyex_params, NULL((void*)0), "Diffie-Hellman Server Params");
12579
12580 /* p */
12581 p_len = tvb_get_ntohs(tvb, offset);
12582 proto_tree_add_item(ssl_dh_tree, hf->hf.hs_server_keyex_p_len, tvb,
12583 offset, 2, ENC_BIG_ENDIAN0x00000000);
12584 proto_tree_add_item(ssl_dh_tree, hf->hf.hs_server_keyex_p, tvb,
12585 offset + 2, p_len, ENC_NA0x00000000);
12586 offset += 2 + p_len;
12587
12588 /* g */
12589 g_len = tvb_get_ntohs(tvb, offset);
12590 proto_tree_add_item(ssl_dh_tree, hf->hf.hs_server_keyex_g_len, tvb,
12591 offset, 2, ENC_BIG_ENDIAN0x00000000);
12592 proto_tree_add_item(ssl_dh_tree, hf->hf.hs_server_keyex_g, tvb,
12593 offset + 2, g_len, ENC_NA0x00000000);
12594 offset += 2 + g_len;
12595
12596 /* Ys */
12597 ys_len = tvb_get_ntohs(tvb, offset);
12598 proto_tree_add_uint(ssl_dh_tree, hf->hf.hs_server_keyex_ys_len, tvb,
12599 offset, 2, ys_len);
12600 proto_tree_add_item(ssl_dh_tree, hf->hf.hs_server_keyex_ys, tvb,
12601 offset + 2, ys_len, ENC_NA0x00000000);
12602 offset += 2 + ys_len;
12603
12604 /* Signature (if non-anonymous KEX) */
12605 if (!anon) {
12606 dissect_ssl3_hnd_srv_keyex_sig(hf, tvb, pinfo, ssl_dh_tree, offset, offset_end, version);
12607 }
12608}
12609
12610/* Only used in RSA-EXPORT cipher suites */
12611static void
12612dissect_ssl3_hnd_srv_keyex_rsa(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12613 proto_tree *tree, uint32_t offset, uint32_t offset_end,
12614 uint16_t version)
12615{
12616 int modulus_len, exponent_len;
12617 proto_tree *ssl_rsa_tree;
12618
12619 ssl_rsa_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
12620 hf->ett.keyex_params, NULL((void*)0), "RSA-EXPORT Server Params");
12621
12622 /* modulus */
12623 modulus_len = tvb_get_ntohs(tvb, offset);
12624 proto_tree_add_item(ssl_rsa_tree, hf->hf.hs_server_keyex_modulus_len, tvb,
12625 offset, 2, ENC_BIG_ENDIAN0x00000000);
12626 proto_tree_add_item(ssl_rsa_tree, hf->hf.hs_server_keyex_modulus, tvb,
12627 offset + 2, modulus_len, ENC_NA0x00000000);
12628 offset += 2 + modulus_len;
12629
12630 /* exponent */
12631 exponent_len = tvb_get_ntohs(tvb, offset);
12632 proto_tree_add_item(ssl_rsa_tree, hf->hf.hs_server_keyex_exponent_len,
12633 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
12634 proto_tree_add_item(ssl_rsa_tree, hf->hf.hs_server_keyex_exponent,
12635 tvb, offset + 2, exponent_len, ENC_NA0x00000000);
12636 offset += 2 + exponent_len;
12637
12638 /* Signature */
12639 dissect_ssl3_hnd_srv_keyex_sig(hf, tvb, pinfo, ssl_rsa_tree, offset, offset_end, version);
12640}
12641
12642/* Used in RSA PSK and PSK cipher suites */
12643static uint32_t
12644dissect_ssl3_hnd_srv_keyex_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12645 proto_tree *tree, uint32_t offset)
12646{
12647 unsigned hint_len;
12648 proto_tree *ssl_psk_tree;
12649
12650 ssl_psk_tree = proto_tree_add_subtree(tree, tvb, offset, -1,
12651 hf->ett.keyex_params, NULL((void*)0), "PSK Server Params");
12652
12653 /* hint */
12654 hint_len = tvb_get_ntohs(tvb, offset);
12655 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_server_keyex_hint_len, tvb,
12656 offset, 2, ENC_BIG_ENDIAN0x00000000);
12657 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_server_keyex_hint, tvb,
12658 offset + 2, hint_len, ENC_NA0x00000000);
12659
12660 proto_item_set_len(ssl_psk_tree, 2 + hint_len);
12661 return 2 + hint_len;
12662}
12663
12664/* Used in Diffie-Hellman PSK cipher suites */
12665static void
12666dissect_ssl3_hnd_srv_keyex_dhe_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12667 proto_tree *tree, uint32_t offset, uint32_t offset_end)
12668{
12669 /*
12670 * struct {
12671 * select (KeyExchangeAlgorithm) {
12672 * case diffie_hellman_psk:
12673 * opaque psk_identity_hint<0..2^16-1>;
12674 * ServerDHParams params;
12675 * };
12676 * } ServerKeyExchange;
12677 */
12678
12679 uint32_t psk_len = dissect_ssl3_hnd_srv_keyex_psk(hf, tvb, tree, offset);
12680 dissect_ssl3_hnd_srv_keyex_dhe(hf, tvb, pinfo, tree, offset + psk_len, offset_end, 0, true1);
12681}
12682
12683/* Used in EC Diffie-Hellman PSK cipher suites */
12684static void
12685dissect_ssl3_hnd_srv_keyex_ecdh_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12686 proto_tree *tree, uint32_t offset, uint32_t offset_end)
12687{
12688 /*
12689 * struct {
12690 * select (KeyExchangeAlgorithm) {
12691 * case ec_diffie_hellman_psk:
12692 * opaque psk_identity_hint<0..2^16-1>;
12693 * ServerECDHParams params;
12694 * };
12695 * } ServerKeyExchange;
12696 */
12697
12698 uint32_t psk_len = dissect_ssl3_hnd_srv_keyex_psk(hf, tvb, tree, offset);
12699 dissect_ssl3_hnd_srv_keyex_ecdh(hf, tvb, pinfo, tree, offset + psk_len, offset_end, 0, true1);
12700}
12701
12702/* Used in EC J-PAKE cipher suites */
12703static void
12704dissect_ssl3_hnd_srv_keyex_ecjpake(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12705 proto_tree *tree, uint32_t offset, uint32_t offset_end)
12706{
12707 /*
12708 * struct {
12709 * ECPoint V;
12710 * opaque r<1..2^8-1>;
12711 * } ECSchnorrZKP;
12712 *
12713 * struct {
12714 * ECPoint X;
12715 * ECSchnorrZKP zkp;
12716 * } ECJPAKEKeyKP;
12717 *
12718 * struct {
12719 * ECParameters curve_params;
12720 * ECJPAKEKeyKP ecjpake_key_kp;
12721 * } ServerECJPAKEParams;
12722 *
12723 * select (KeyExchangeAlgorithm) {
12724 * case ecjpake:
12725 * ServerECJPAKEParams params;
12726 * } ServerKeyExchange;
12727 */
12728
12729 int point_len;
12730 proto_tree *ssl_ecjpake_tree;
12731
12732 ssl_ecjpake_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
12733 hf->ett.keyex_params, NULL((void*)0),
12734 "EC J-PAKE Server Params");
12735
12736 offset = dissect_tls_ecparameters(hf, tvb, ssl_ecjpake_tree, offset, offset_end);
12737 if (offset >= offset_end)
12738 return; /* only named_curves are supported */
12739
12740 /* ECJPAKEKeyKP.X */
12741 point_len = tvb_get_uint8(tvb, offset);
12742 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_server_keyex_xs_len, tvb,
12743 offset, 1, ENC_BIG_ENDIAN0x00000000);
12744 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_server_keyex_xs, tvb,
12745 offset + 1, point_len, ENC_NA0x00000000);
12746 offset += 1 + point_len;
12747
12748 /* ECJPAKEKeyKP.zkp.V */
12749 point_len = tvb_get_uint8(tvb, offset);
12750 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_server_keyex_vs_len, tvb,
12751 offset, 1, ENC_BIG_ENDIAN0x00000000);
12752 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_server_keyex_vs, tvb,
12753 offset + 1, point_len, ENC_NA0x00000000);
12754 offset += 1 + point_len;
12755
12756 /* ECJPAKEKeyKP.zkp.r */
12757 point_len = tvb_get_uint8(tvb, offset);
12758 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_server_keyex_rs_len, tvb,
12759 offset, 1, ENC_BIG_ENDIAN0x00000000);
12760 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_server_keyex_rs, tvb,
12761 offset + 1, point_len, ENC_NA0x00000000);
12762}
12763
12764/* Only used in ECC-SM2-EXPORT cipher suites */
12765static void
12766dissect_ssl3_hnd_srv_keyex_ecc_sm2(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12767 proto_tree *tree, uint32_t offset, uint32_t offset_end,
12768 uint16_t version)
12769{
12770 proto_tree *ssl_ecc_sm2_tree;
12771
12772 ssl_ecc_sm2_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
12773 hf->ett.keyex_params, NULL((void*)0), "ECC-SM2-EXPORT Server Params");
12774
12775 /* Signature */
12776 dissect_ssl3_hnd_srv_keyex_sig(hf, tvb, pinfo, ssl_ecc_sm2_tree, offset, offset_end, version);
12777}
12778/* ServerKeyExchange algo-specific dissectors. }}} */
12779
12780/* Client Key Exchange and Server Key Exchange handshake dissections. {{{ */
12781void
12782ssl_dissect_hnd_cli_keyex(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12783 proto_tree *tree, uint32_t offset, uint32_t length,
12784 const SslSession *session)
12785{
12786 switch (ssl_get_keyex_alg(session->cipher)) {
12787 case KEX_DH_ANON0x13: /* RFC 5246; DHE_DSS, DHE_RSA, DH_DSS, DH_RSA, DH_ANON: ClientDiffieHellmanPublic */
12788 case KEX_DH_DSS0x14:
12789 case KEX_DH_RSA0x15:
12790 case KEX_DHE_DSS0x10:
12791 case KEX_DHE_RSA0x12:
12792 dissect_ssl3_hnd_cli_keyex_dhe(hf, tvb, tree, offset, length);
12793 break;
12794 case KEX_DHE_PSK0x11: /* RFC 4279; diffie_hellman_psk: psk_identity, ClientDiffieHellmanPublic */
12795 dissect_ssl3_hnd_cli_keyex_dhe_psk(hf, tvb, tree, offset, length);
12796 break;
12797 case KEX_ECDH_ANON0x19: /* RFC 4492; ec_diffie_hellman: ClientECDiffieHellmanPublic */
12798 case KEX_ECDH_ECDSA0x1a:
12799 case KEX_ECDH_RSA0x1b:
12800 case KEX_ECDHE_ECDSA0x16:
12801 case KEX_ECDHE_RSA0x18:
12802 dissect_ssl3_hnd_cli_keyex_ecdh(hf, tvb, tree, offset, length);
12803 break;
12804 case KEX_ECDHE_PSK0x17: /* RFC 5489; ec_diffie_hellman_psk: psk_identity, ClientECDiffieHellmanPublic */
12805 dissect_ssl3_hnd_cli_keyex_ecdh_psk(hf, tvb, tree, offset, length);
12806 break;
12807 case KEX_KRB50x1c: /* RFC 2712; krb5: KerberosWrapper */
12808 /* XXX: implement support for KRB5 */
12809 proto_tree_add_expert_format(tree, NULL((void*)0), &hf->ei.hs_ciphersuite_undecoded,
12810 tvb, offset, length,
12811 "Kerberos ciphersuites (RFC 2712) are not implemented, contact Wireshark"
12812 " developers if you want them to be supported");
12813 break;
12814 case KEX_PSK0x1d: /* RFC 4279; psk: psk_identity */
12815 dissect_ssl3_hnd_cli_keyex_psk(hf, tvb, tree, offset);
12816 break;
12817 case KEX_RSA0x1e: /* RFC 5246; rsa: EncryptedPreMasterSecret */
12818 dissect_ssl3_hnd_cli_keyex_rsa(hf, tvb, tree, offset, length, session);
12819 break;
12820 case KEX_RSA_PSK0x1f: /* RFC 4279; rsa_psk: psk_identity, EncryptedPreMasterSecret */
12821 dissect_ssl3_hnd_cli_keyex_rsa_psk(hf, tvb, tree, offset, length);
12822 break;
12823 case KEX_SRP_SHA0x20: /* RFC 5054; srp: ClientSRPPublic */
12824 case KEX_SRP_SHA_DSS0x21:
12825 case KEX_SRP_SHA_RSA0x22:
12826 /* XXX: implement support for SRP_SHA* */
12827 proto_tree_add_expert_format(tree, NULL((void*)0), &hf->ei.hs_ciphersuite_undecoded,
12828 tvb, offset, length,
12829 "SRP_SHA ciphersuites (RFC 5054) are not implemented, contact Wireshark"
12830 " developers if you want them to be supported");
12831 break;
12832 case KEX_ECJPAKE0x24: /* https://tools.ietf.org/html/draft-cragie-tls-ecjpake-01 used in Thread Commissioning */
12833 dissect_ssl3_hnd_cli_keyex_ecjpake(hf, tvb, tree, offset, length);
12834 break;
12835 case KEX_ECC_SM20x26: /* GB/T 38636 */
12836 dissect_ssl3_hnd_cli_keyex_ecc_sm2(hf, tvb, tree, offset, length);
12837 break;
12838 default:
12839 if (session->cipher == 0) {
12840 proto_tree_add_expert_format(tree, NULL((void*)0), &hf->ei.hs_ciphersuite_undecoded,
12841 tvb, offset, length,
12842 "Cipher Suite not found");
12843 } else {
12844 proto_tree_add_expert_format(tree, NULL((void*)0), &hf->ei.hs_ciphersuite_undecoded,
12845 tvb, offset, length,
12846 "Cipher Suite 0x%04x is not implemented, "
12847 "contact Wireshark developers if you want this to be supported",
12848 session->cipher);
12849 }
12850 break;
12851 }
12852}
12853
12854void
12855ssl_dissect_hnd_srv_keyex(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12856 proto_tree *tree, uint32_t offset, uint32_t offset_end,
12857 const SslSession *session)
12858{
12859 switch (ssl_get_keyex_alg(session->cipher)) {
12860 case KEX_DH_ANON0x13: /* RFC 5246; ServerDHParams */
12861 dissect_ssl3_hnd_srv_keyex_dhe(hf, tvb, pinfo, tree, offset, offset_end, session->version, true1);
12862 break;
12863 case KEX_DH_DSS0x14: /* RFC 5246; not allowed */
12864 case KEX_DH_RSA0x15:
12865 proto_tree_add_expert(tree, NULL((void*)0), &hf->ei.hs_srv_keyex_illegal,
12866 tvb, offset, offset_end - offset);
12867 break;
12868 case KEX_DHE_DSS0x10: /* RFC 5246; dhe_dss, dhe_rsa: ServerDHParams, Signature */
12869 case KEX_DHE_RSA0x12:
12870 dissect_ssl3_hnd_srv_keyex_dhe(hf, tvb, pinfo, tree, offset, offset_end, session->version, false0);
12871 break;
12872 case KEX_DHE_PSK0x11: /* RFC 4279; diffie_hellman_psk: psk_identity_hint, ServerDHParams */
12873 dissect_ssl3_hnd_srv_keyex_dhe_psk(hf, tvb, pinfo, tree, offset, offset_end);
12874 break;
12875 case KEX_ECDH_ANON0x19: /* RFC 4492; ec_diffie_hellman: ServerECDHParams (without signature for anon) */
12876 dissect_ssl3_hnd_srv_keyex_ecdh(hf, tvb, pinfo, tree, offset, offset_end, session->version, true1);
12877 break;
12878 case KEX_ECDHE_PSK0x17: /* RFC 5489; psk_identity_hint, ServerECDHParams */
12879 dissect_ssl3_hnd_srv_keyex_ecdh_psk(hf, tvb, pinfo, tree, offset, offset_end);
12880 break;
12881 case KEX_ECDH_ECDSA0x1a: /* RFC 4492; ec_diffie_hellman: ServerECDHParams, Signature */
12882 case KEX_ECDH_RSA0x1b:
12883 case KEX_ECDHE_ECDSA0x16:
12884 case KEX_ECDHE_RSA0x18:
12885 dissect_ssl3_hnd_srv_keyex_ecdh(hf, tvb, pinfo, tree, offset, offset_end, session->version, false0);
12886 break;
12887 case KEX_KRB50x1c: /* RFC 2712; not allowed */
12888 proto_tree_add_expert(tree, NULL((void*)0), &hf->ei.hs_srv_keyex_illegal,
12889 tvb, offset, offset_end - offset);
12890 break;
12891 case KEX_PSK0x1d: /* RFC 4279; psk, rsa: psk_identity */
12892 case KEX_RSA_PSK0x1f:
12893 dissect_ssl3_hnd_srv_keyex_psk(hf, tvb, tree, offset);
12894 break;
12895 case KEX_RSA0x1e: /* only allowed if the public key in the server certificate is longer than 512 bits */
12896 dissect_ssl3_hnd_srv_keyex_rsa(hf, tvb, pinfo, tree, offset, offset_end, session->version);
12897 break;
12898 case KEX_ECC_SM20x26: /* GB/T 38636 */
12899 dissect_ssl3_hnd_srv_keyex_ecc_sm2(hf, tvb, pinfo, tree, offset, offset_end, session->version);
12900 break;
12901 case KEX_SRP_SHA0x20: /* RFC 5054; srp: ServerSRPParams, Signature */
12902 case KEX_SRP_SHA_DSS0x21:
12903 case KEX_SRP_SHA_RSA0x22:
12904 /* XXX: implement support for SRP_SHA* */
12905 proto_tree_add_expert_format(tree, NULL((void*)0), &hf->ei.hs_ciphersuite_undecoded,
12906 tvb, offset, offset_end - offset,
12907 "SRP_SHA ciphersuites (RFC 5054) are not implemented, contact Wireshark"
12908 " developers if you want them to be supported");
12909 break;
12910 case KEX_ECJPAKE0x24: /* https://tools.ietf.org/html/draft-cragie-tls-ecjpake-01 used in Thread Commissioning */
12911 dissect_ssl3_hnd_srv_keyex_ecjpake(hf, tvb, tree, offset, offset_end);
12912 break;
12913 default:
12914 if (session->cipher == 0) {
12915 proto_tree_add_expert_format(tree, NULL((void*)0), &hf->ei.hs_ciphersuite_undecoded,
12916 tvb, offset, offset_end - offset,
12917 "Cipher Suite not found");
12918 } else {
12919 proto_tree_add_expert_format(tree, NULL((void*)0), &hf->ei.hs_ciphersuite_undecoded,
12920 tvb, offset, offset_end - offset,
12921 "Cipher Suite 0x%04x is not implemented, "
12922 "contact Wireshark developers if you want this to be supported",
12923 session->cipher);
12924 }
12925 break;
12926 }
12927}
12928/* Client Key Exchange and Server Key Exchange handshake dissections. }}} */
12929
12930void
12931tls13_dissect_hnd_key_update(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12932 proto_tree *tree, uint32_t offset)
12933{
12934 /* RFC 8446 Section 4.6.3
12935 * enum {
12936 * update_not_requested(0), update_requested(1), (255)
12937 * } KeyUpdateRequest;
12938 *
12939 * struct {
12940 * KeyUpdateRequest request_update;
12941 * } KeyUpdate;
12942 */
12943 proto_tree_add_item(tree, hf->hf.hs_key_update_request_update, tvb, offset, 1, ENC_NA0x00000000);
12944}
12945
12946void
12947ssl_common_register_ssl_alpn_dissector_table(const char *name,
12948 const char *ui_name, const int proto)
12949{
12950 ssl_alpn_dissector_table = register_dissector_table(name, ui_name,
12951 proto, FT_STRING, STRING_CASE_SENSITIVE0);
12952 register_dissector_table_alias(ssl_alpn_dissector_table, "ssl.handshake.extensions_alpn_str");
12953}
12954
12955void
12956ssl_common_register_dtls_alpn_dissector_table(const char *name,
12957 const char *ui_name, const int proto)
12958{
12959 dtls_alpn_dissector_table = register_dissector_table(name, ui_name,
12960 proto, FT_STRING, STRING_CASE_SENSITIVE0);
12961 register_dissector_table_alias(ssl_alpn_dissector_table, "dtls.handshake.extensions_alpn_str");
12962}
12963
12964void
12965ssl_common_register_options(module_t *module, ssl_common_options_t *options, bool_Bool is_dtls)
12966{
12967 prefs_register_string_preference(module, "psk", "Pre-Shared Key",
12968 "Pre-Shared Key as HEX string. Should be 0 to 16 bytes.",
12969 &(options->psk));
12970
12971 if (is_dtls) {
12972 prefs_register_obsolete_preference(module, "keylog_file");
12973 prefs_register_static_text_preference(module, "keylog_file_removed",
12974 "The (Pre)-Master-Secret log filename preference can be configured in the TLS protocol preferences.",
12975 "Use the TLS protocol preference to configure the keylog file for both DTLS and TLS.");
12976 return;
12977 }
12978
12979 prefs_register_filename_preference(module, "keylog_file", "(Pre)-Master-Secret log filename",
12980 "The name of a file which contains a list of \n"
12981 "(pre-)master secrets in one of the following formats:\n"
12982 "\n"
12983 "RSA <EPMS> <PMS>\n"
12984 "RSA Session-ID:<SSLID> Master-Key:<MS>\n"
12985 "CLIENT_RANDOM <CRAND> <MS>\n"
12986 "PMS_CLIENT_RANDOM <CRAND> <PMS>\n"
12987 "\n"
12988 "Where:\n"
12989 "<EPMS> = First 8 bytes of the Encrypted PMS\n"
12990 "<PMS> = The Pre-Master-Secret (PMS) used to derive the MS\n"
12991 "<SSLID> = The SSL Session ID\n"
12992 "<MS> = The Master-Secret (MS)\n"
12993 "<CRAND> = The Client's random number from the ClientHello message\n"
12994 "\n"
12995 "(All fields are in hex notation)",
12996 &(options->keylog_filename), false0);
12997}
12998
12999void
13000ssl_calculate_handshake_hash(SslDecryptSession *ssl_session, tvbuff_t *tvb, uint32_t offset, uint32_t length)
13001{
13002 if (ssl_session && ssl_session->session.version != TLSV1DOT3_VERSION0x304 && !(ssl_session->state & SSL_MASTER_SECRET(1<<5))) {
13003 uint32_t old_length = ssl_session->handshake_data.data_len;
13004 ssl_debug_printf("Calculating hash with offset %d %d\n", offset, length);
13005 if (tvb) {
13006 if (tvb_bytes_exist(tvb, offset, length)) {
13007 ssl_session->handshake_data.data = (unsigned char *)wmem_realloc(wmem_file_scope(), ssl_session->handshake_data.data, old_length + length);
13008 tvb_memcpy(tvb, ssl_session->handshake_data.data + old_length, offset, length);
13009 ssl_session->handshake_data.data_len += length;
13010 }
13011 } else {
13012 /* DTLS calculates the hash as if each handshake message had been
13013 * sent as a single fragment (RFC 6347, section 4.2.6) and passes
13014 * in a null tvbuff to add 3 bytes for a zero fragment offset.
13015 */
13016 DISSECTOR_ASSERT_CMPINT(length, <, 4)((void) ((length < 4) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion " "length" " " "<" " " "4" " (" "%"
"l" "d" " " "<" " " "%" "l" "d" ")", "epan/dissectors/packet-tls-utils.c"
, 13016, (int64_t)length, (int64_t)4))));
13017 ssl_session->handshake_data.data = (unsigned char *)wmem_realloc(wmem_file_scope(), ssl_session->handshake_data.data, old_length + length);
13018 memset(ssl_session->handshake_data.data + old_length, 0, length);
13019 ssl_session->handshake_data.data_len += length;
13020 }
13021 }
13022}
13023
13024
13025/*
13026 * Editor modelines - https://www.wireshark.org/tools/modelines.html
13027 *
13028 * Local variables:
13029 * c-basic-offset: 4
13030 * tab-width: 8
13031 * indent-tabs-mode: nil
13032 * End:
13033 *
13034 * vi: set shiftwidth=4 tabstop=8 expandtab:
13035 * :indentSize=4:tabSize=8:noTabs=true:
13036 */