/builds/wireshark/wireshark/epan/dissectors/packet-tls-utils.c

Bug Summary

File:	builds/wireshark/wireshark/epan/dissectors/packet-tls-utils.c
Warning:	line 4942, column 17 Potential leak of memory pointed to by 'handshake_hashed_data.data'
Annotated Source Code

Press '?' to see keyboard shortcuts
Show analyzer invocation
clang -cc1 -cc1 -triple x86_64-pc-linux-gnu -analyze -disable-free -clear-ast-before-backend -disable-llvm-verifier -discard-value-names -main-file-name packet-tls-utils.c -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -mrelocation-model pic -pic-level 2 -fhalf-no-semantic-interposition -fno-delete-null-pointer-checks -mframe-pointer=all -relaxed-aliasing -fmath-errno -ffp-contract=on -fno-rounding-math -ffloat16-excess-precision=fast -fbfloat16-excess-precision=fast -mconstructor-aliases -funwind-tables=2 -target-cpu x86-64 -tune-cpu generic -debugger-tuning=gdb -fdebug-compilation-dir=/builds/wireshark/wireshark/build -fcoverage-compilation-dir=/builds/wireshark/wireshark/build -resource-dir /usr/lib/llvm-22/lib/clang/22 -isystem /usr/include/glib-2.0 -isystem /usr/lib/x86_64-linux-gnu/glib-2.0/include -isystem /builds/wireshark/wireshark/epan/dissectors -isystem /builds/wireshark/wireshark/build/epan/dissectors -isystem /usr/include/mit-krb5 -isystem /usr/include/libxml2 -isystem /builds/wireshark/wireshark/epan -D CARES_NO_DEPRECATED -D G_DISABLE_DEPRECATED -D G_DISABLE_SINGLE_INCLUDES -D WS_BUILD_DLL -D WS_DEBUG -D WS_DEBUG_UTF_8 -I /builds/wireshark/wireshark/build -I /builds/wireshark/wireshark -I /builds/wireshark/wireshark/include -D _GLIBCXX_ASSERTIONS -internal-isystem /usr/lib/llvm-22/lib/clang/22/include -internal-isystem /usr/local/include -internal-isystem /usr/lib/gcc/x86_64-linux-gnu/16/../../../../x86_64-linux-gnu/include -internal-externc-isystem /usr/include/x86_64-linux-gnu -internal-externc-isystem /include -internal-externc-isystem /usr/include -fmacro-prefix-map=/builds/wireshark/wireshark/= -fmacro-prefix-map=/builds/wireshark/wireshark/build/= -fmacro-prefix-map=../= -Wno-format-nonliteral -std=gnu17 -ferror-limit 19 -fvisibility=hidden -fwrapv -fwrapv-pointer -fstrict-flex-arrays=3 -stack-protector 2 -fstack-clash-protection -fcf-protection=full -fgnuc-version=4.2.1 -fskip-odr-check-in-gmf -fexceptions -fcolor-diagnostics -analyzer-output=html -faddrsig -fdwarf2-cfi-asm -o /builds/wireshark/wireshark/sbout/2026-06-19-100415-3567-1 -x c /builds/wireshark/wireshark/epan/dissectors/packet-tls-utils.c
1/* packet-tls-utils.c
* ssl manipulation functions
* By Paolo Abeni <paolo.abeni@email.com>
*
* Copyright (c) 2013, Hauke Mehrtens <hauke@hauke-m.de>
* Copyright (c) 2014, Peter Wu <peter@lekensteyn.nl>
*
* Wireshark - Network traffic analyzer
* By Gerald Combs <gerald@wireshark.org>
* Copyright 1998 Gerald Combs
*
* SPDX-License-Identifier: GPL-2.0-or-later
*/

15#include "config.h"

17#include <stdlib.h>
18#include <errno(*__errno_location ()).h>

20#include <epan/packet.h>
21#include <epan/strutil.h>
22#include <epan/addr_resolv.h>
23#include <epan/expert.h>
24#include <epan/asn1.h>
25#include <epan/proto_data.h>
26#include <epan/oids.h>
27#include <epan/secrets.h>

29#include <wsutil/inet_cidr.h>
30#include <wsutil/filesystem.h>
31#include <wsutil/file_util.h>
32#include <wsutil/str_util.h>
33#include <wsutil/report_message.h>
34#include <wsutil/pint.h>
35#include <wsutil/strtoi.h>
36#include <wsutil/wsgcrypt.h>
37#include <wsutil/rsa.h>
38#include <wsutil/ws_assert.h>
39#include <wsutil/zlib_compat.h>
40#include "packet-ber.h"
41#include "packet-x509af.h"
42#include "packet-x509if.h"
43#include "packet-tls-utils.h"
44#include "packet-ocsp.h"
45#include "packet-tls.h"
46#include "packet-dtls.h"
47#include "packet-quic.h"
48#if defined(HAVE_LIBGNUTLS1)
49#include <gnutls/abstract.h>
50#include <gnutls/x509.h>
51#include <gnutls/pkcs12.h>
52#endif

54/* JA3/JA3S calculations must ignore GREASE values
* as described in RFC 8701.
*/
57#define IS_GREASE_TLS(x)((((x) & 0x0f0f) == 0x0a0a) && (((x) & 0xff) ==
 (((x)>>8) & 0xff))) ((((x) & 0x0f0f) == 0x0a0a) && \
                      (((x) & 0xff) == (((x)>>8) & 0xff)))

60/* Section 22.3 of RFC 9000 (QUIC) reserves values of this
* form for a similar purpose as GREASE.
*/
63#define IS_GREASE_QUIC(x)((x) > 27 ? ((((x) - 27) % 31) == 0) : 0) ((x) > 27 ? ((((x) - 27) % 31) == 0) : 0)

65#define DTLS13_MAX_EPOCH10 10

67/* Lookup tables {{{ */
68const value_string ssl_version_short_names[] = {
  { SSLV2_VERSION0x0002,        "SSLv2" },
  { SSLV3_VERSION0x300,        "SSLv3" },
  { TLSV1_VERSION0x301,        "TLSv1" },
  { TLCPV1_VERSION0x101,       "TLCP" },
  { TLSV1DOT1_VERSION0x302,    "TLSv1.1" },
  { TLSV1DOT2_VERSION0x303,    "TLSv1.2" },
  { TLSV1DOT3_VERSION0x304,    "TLSv1.3" },
  { DTLSV1DOT0_VERSION0xfeff,   "DTLSv1.0" },
  { DTLSV1DOT2_VERSION0xfefd,   "DTLSv1.2" },
  { DTLSV1DOT3_VERSION0xfefc,   "DTLSv1.3" },
  { DTLSV1DOT0_OPENSSL_VERSION0x100, "DTLS 1.0 (OpenSSL pre 0.9.8f)" },
  { 0x00, NULL((void*)0) }
81};

83const value_string ssl_versions[] = {
  { SSLV2_VERSION0x0002,        "SSL 2.0" },
  { SSLV3_VERSION0x300,        "SSL 3.0" },
  { TLSV1_VERSION0x301,        "TLS 1.0" },
  { TLCPV1_VERSION0x101,       "TLCP" },
  { TLSV1DOT1_VERSION0x302,    "TLS 1.1" },
  { TLSV1DOT2_VERSION0x303,    "TLS 1.2" },
  { TLSV1DOT3_VERSION0x304,    "TLS 1.3" },
  { 0x7F0E,               "TLS 1.3 (draft 14)" },
  { 0x7F0F,               "TLS 1.3 (draft 15)" },
  { 0x7F10,               "TLS 1.3 (draft 16)" },
  { 0x7F11,               "TLS 1.3 (draft 17)" },
  { 0x7F12,               "TLS 1.3 (draft 18)" },
  { 0x7F13,               "TLS 1.3 (draft 19)" },
  { 0x7F14,               "TLS 1.3 (draft 20)" },
  { 0x7F15,               "TLS 1.3 (draft 21)" },
  { 0x7F16,               "TLS 1.3 (draft 22)" },
  { 0x7F17,               "TLS 1.3 (draft 23)" },
  { 0x7F18,               "TLS 1.3 (draft 24)" },
  { 0x7F19,               "TLS 1.3 (draft 25)" },
  { 0x7F1A,               "TLS 1.3 (draft 26)" },
  { 0x7F1B,               "TLS 1.3 (draft 27)" },
  { 0x7F1C,               "TLS 1.3 (draft 28)" },
  { 0xFB17,               "TLS 1.3 (Facebook draft 23)" },
  { 0xFB1A,               "TLS 1.3 (Facebook draft 26)" },
  { DTLSV1DOT0_OPENSSL_VERSION0x100, "DTLS 1.0 (OpenSSL pre 0.9.8f)" },
  { DTLSV1DOT0_VERSION0xfeff,   "DTLS 1.0" },
  { DTLSV1DOT2_VERSION0xfefd,   "DTLS 1.2" },
  { DTLSV1DOT3_VERSION0xfefc,   "DTLS 1.3" },
  { 0x0A0A,               "Reserved (GREASE)" }, /* RFC 8701 */
  { 0x1A1A,               "Reserved (GREASE)" }, /* RFC 8701 */
  { 0x2A2A,               "Reserved (GREASE)" }, /* RFC 8701 */
  { 0x3A3A,               "Reserved (GREASE)" }, /* RFC 8701 */
  { 0x4A4A,               "Reserved (GREASE)" }, /* RFC 8701 */
  { 0x5A5A,               "Reserved (GREASE)" }, /* RFC 8701 */
  { 0x6A6A,               "Reserved (GREASE)" }, /* RFC 8701 */
  { 0x7A7A,               "Reserved (GREASE)" }, /* RFC 8701 */
  { 0x8A8A,               "Reserved (GREASE)" }, /* RFC 8701 */
  { 0x9A9A,               "Reserved (GREASE)" }, /* RFC 8701 */
  { 0xAAAA,               "Reserved (GREASE)" }, /* RFC 8701 */
  { 0xBABA,               "Reserved (GREASE)" }, /* RFC 8701 */
  { 0xCACA,               "Reserved (GREASE)" }, /* RFC 8701 */
  { 0xDADA,               "Reserved (GREASE)" }, /* RFC 8701 */
  { 0xEAEA,               "Reserved (GREASE)" }, /* RFC 8701 */
  { 0xFAFA,               "Reserved (GREASE)" }, /* RFC 8701 */
  { 0x00, NULL((void*)0) }
129};

131static const value_string ssl_version_ja4_names[] = {
  { 0x0100,               "s1" },
  { SSLV2_VERSION0x0002,        "s2" },
  { SSLV3_VERSION0x300,        "s3" },
  { TLSV1_VERSION0x301,        "10" },
  { TLSV1DOT1_VERSION0x302,    "11" },
  { TLSV1DOT2_VERSION0x303,    "12" },
  { TLSV1DOT3_VERSION0x304,    "13" },
  { DTLSV1DOT0_VERSION0xfeff,   "d1" },
  { DTLSV1DOT2_VERSION0xfefd,   "d2" },
  { DTLSV1DOT3_VERSION0xfefc,   "d3" },
  { 0x00, NULL((void*)0) }
143};

145const value_string ssl_20_msg_types[] = {
  { SSL2_HND_ERROR0x00,               "Error" },
  { SSL2_HND_CLIENT_HELLO0x01,        "Client Hello" },
  { SSL2_HND_CLIENT_MASTER_KEY0x02,   "Client Master Key" },
  { SSL2_HND_CLIENT_FINISHED0x03,     "Client Finished" },
  { SSL2_HND_SERVER_HELLO0x04,        "Server Hello" },
  { SSL2_HND_SERVER_VERIFY0x05,       "Server Verify" },
  { SSL2_HND_SERVER_FINISHED0x06,     "Server Finished" },
  { SSL2_HND_REQUEST_CERTIFICATE0x07, "Request Certificate" },
  { SSL2_HND_CLIENT_CERTIFICATE0x08,  "Client Certificate" },
  { 0x00, NULL((void*)0) }
156};
157/* http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml */
158/* Note: sorted by ascending value so value_string-ext can do a binary search */
159static const value_string ssl_20_cipher_suites[] = {
  { 0x000000, "TLS_NULL_WITH_NULL_NULL" },
  { 0x000001, "TLS_RSA_WITH_NULL_MD5" },
  { 0x000002, "TLS_RSA_WITH_NULL_SHA" },
  { 0x000003, "TLS_RSA_EXPORT_WITH_RC4_40_MD5" },
  { 0x000004, "TLS_RSA_WITH_RC4_128_MD5" },
  { 0x000005, "TLS_RSA_WITH_RC4_128_SHA" },
  { 0x000006, "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5" },
  { 0x000007, "TLS_RSA_WITH_IDEA_CBC_SHA" },
  { 0x000008, "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA" },
  { 0x000009, "TLS_RSA_WITH_DES_CBC_SHA" },
  { 0x00000a, "TLS_RSA_WITH_3DES_EDE_CBC_SHA" },
  { 0x00000b, "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA" },
  { 0x00000c, "TLS_DH_DSS_WITH_DES_CBC_SHA" },
  { 0x00000d, "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA" },
  { 0x00000e, "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA" },
  { 0x00000f, "TLS_DH_RSA_WITH_DES_CBC_SHA" },
  { 0x000010, "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA" },
  { 0x000011, "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA" },
  { 0x000012, "TLS_DHE_DSS_WITH_DES_CBC_SHA" },
  { 0x000013, "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA" },
  { 0x000014, "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA" },
  { 0x000015, "TLS_DHE_RSA_WITH_DES_CBC_SHA" },
  { 0x000016, "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA" },
  { 0x000017, "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5" },
  { 0x000018, "TLS_DH_anon_WITH_RC4_128_MD5" },
  { 0x000019, "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA" },
  { 0x00001a, "TLS_DH_anon_WITH_DES_CBC_SHA" },
  { 0x00001b, "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA" },
  { 0x00001c, "SSL_FORTEZZA_KEA_WITH_NULL_SHA" },
  { 0x00001d, "SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA" },
190#if 0
  { 0x00001e, "SSL_FORTEZZA_KEA_WITH_RC4_128_SHA" },
192#endif
  /* RFC 2712 */
  { 0x00001E, "TLS_KRB5_WITH_DES_CBC_SHA" },
  { 0x00001F, "TLS_KRB5_WITH_3DES_EDE_CBC_SHA" },
  { 0x000020, "TLS_KRB5_WITH_RC4_128_SHA" },
  { 0x000021, "TLS_KRB5_WITH_IDEA_CBC_SHA" },
  { 0x000022, "TLS_KRB5_WITH_DES_CBC_MD5" },
  { 0x000023, "TLS_KRB5_WITH_3DES_EDE_CBC_MD5" },
  { 0x000024, "TLS_KRB5_WITH_RC4_128_MD5" },
  { 0x000025, "TLS_KRB5_WITH_IDEA_CBC_MD5" },
  { 0x000026, "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA" },
  { 0x000027, "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA" },
  { 0x000028, "TLS_KRB5_EXPORT_WITH_RC4_40_SHA" },
  { 0x000029, "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5" },
  { 0x00002A, "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5" },
  { 0x00002B, "TLS_KRB5_EXPORT_WITH_RC4_40_MD5" },
  /* RFC 4785 */
  { 0x00002C, "TLS_PSK_WITH_NULL_SHA" },
  { 0x00002D, "TLS_DHE_PSK_WITH_NULL_SHA" },
  { 0x00002E, "TLS_RSA_PSK_WITH_NULL_SHA" },
  /* RFC 5246 */
  { 0x00002f, "TLS_RSA_WITH_AES_128_CBC_SHA" },
  { 0x000030, "TLS_DH_DSS_WITH_AES_128_CBC_SHA" },
  { 0x000031, "TLS_DH_RSA_WITH_AES_128_CBC_SHA" },
  { 0x000032, "TLS_DHE_DSS_WITH_AES_128_CBC_SHA" },
  { 0x000033, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA" },
  { 0x000034, "TLS_DH_anon_WITH_AES_128_CBC_SHA" },
  { 0x000035, "TLS_RSA_WITH_AES_256_CBC_SHA" },
  { 0x000036, "TLS_DH_DSS_WITH_AES_256_CBC_SHA" },
  { 0x000037, "TLS_DH_RSA_WITH_AES_256_CBC_SHA" },
  { 0x000038, "TLS_DHE_DSS_WITH_AES_256_CBC_SHA" },
  { 0x000039, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA" },
  { 0x00003A, "TLS_DH_anon_WITH_AES_256_CBC_SHA" },
  { 0x00003B, "TLS_RSA_WITH_NULL_SHA256" },
  { 0x00003C, "TLS_RSA_WITH_AES_128_CBC_SHA256" },
  { 0x00003D, "TLS_RSA_WITH_AES_256_CBC_SHA256" },
  { 0x00003E, "TLS_DH_DSS_WITH_AES_128_CBC_SHA256" },
  { 0x00003F, "TLS_DH_RSA_WITH_AES_128_CBC_SHA256" },
  { 0x000040, "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256" },
  { 0x000041, "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA" },
  { 0x000042, "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA" },
  { 0x000043, "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA" },
  { 0x000044, "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA" },
  { 0x000045, "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA" },
  { 0x000046, "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA" },
  { 0x000047, "TLS_ECDH_ECDSA_WITH_NULL_SHA" },
  { 0x000048, "TLS_ECDH_ECDSA_WITH_RC4_128_SHA" },
  { 0x000049, "TLS_ECDH_ECDSA_WITH_DES_CBC_SHA" },
  { 0x00004A, "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA" },
  { 0x00004B, "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA" },
  { 0x00004C, "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" },
  { 0x000060, "TLS_RSA_EXPORT1024_WITH_RC4_56_MD5" },
  { 0x000061, "TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5" },
  { 0x000062, "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA" },
  { 0x000063, "TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA" },
  { 0x000064, "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA" },
  { 0x000065, "TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA" },
  { 0x000066, "TLS_DHE_DSS_WITH_RC4_128_SHA" },
  { 0x000067, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256" },
  { 0x000068, "TLS_DH_DSS_WITH_AES_256_CBC_SHA256" },
  { 0x000069, "TLS_DH_RSA_WITH_AES_256_CBC_SHA256" },
  { 0x00006A, "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256" },
  { 0x00006B, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256" },
  { 0x00006C, "TLS_DH_anon_WITH_AES_128_CBC_SHA256" },
  { 0x00006D, "TLS_DH_anon_WITH_AES_256_CBC_SHA256" },
  /* 0x00,0x6E-83 Unassigned  */
  { 0x000084, "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA" },
  { 0x000085, "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA" },
  { 0x000086, "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA" },
  { 0x000087, "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA" },
  { 0x000088, "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA" },
  { 0x000089, "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA" },
  /* RFC 4279 */
  { 0x00008A, "TLS_PSK_WITH_RC4_128_SHA" },
  { 0x00008B, "TLS_PSK_WITH_3DES_EDE_CBC_SHA" },
  { 0x00008C, "TLS_PSK_WITH_AES_128_CBC_SHA" },
  { 0x00008D, "TLS_PSK_WITH_AES_256_CBC_SHA" },
  { 0x00008E, "TLS_DHE_PSK_WITH_RC4_128_SHA" },
  { 0x00008F, "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA" },
  { 0x000090, "TLS_DHE_PSK_WITH_AES_128_CBC_SHA" },
  { 0x000091, "TLS_DHE_PSK_WITH_AES_256_CBC_SHA" },
  { 0x000092, "TLS_RSA_PSK_WITH_RC4_128_SHA" },
  { 0x000093, "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA" },
  { 0x000094, "TLS_RSA_PSK_WITH_AES_128_CBC_SHA" },
  { 0x000095, "TLS_RSA_PSK_WITH_AES_256_CBC_SHA" },
  /* RFC 4162 */
  { 0x000096, "TLS_RSA_WITH_SEED_CBC_SHA" },
  { 0x000097, "TLS_DH_DSS_WITH_SEED_CBC_SHA" },
  { 0x000098, "TLS_DH_RSA_WITH_SEED_CBC_SHA" },
  { 0x000099, "TLS_DHE_DSS_WITH_SEED_CBC_SHA" },
  { 0x00009A, "TLS_DHE_RSA_WITH_SEED_CBC_SHA" },
  { 0x00009B, "TLS_DH_anon_WITH_SEED_CBC_SHA" },
  /* RFC 5288 */
  { 0x00009C, "TLS_RSA_WITH_AES_128_GCM_SHA256" },
  { 0x00009D, "TLS_RSA_WITH_AES_256_GCM_SHA384" },
  { 0x00009E, "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256" },
  { 0x00009F, "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384" },
  { 0x0000A0, "TLS_DH_RSA_WITH_AES_128_GCM_SHA256" },
  { 0x0000A1, "TLS_DH_RSA_WITH_AES_256_GCM_SHA384" },
  { 0x0000A2, "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256" },
  { 0x0000A3, "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384" },
  { 0x0000A4, "TLS_DH_DSS_WITH_AES_128_GCM_SHA256" },
  { 0x0000A5, "TLS_DH_DSS_WITH_AES_256_GCM_SHA384" },
  { 0x0000A6, "TLS_DH_anon_WITH_AES_128_GCM_SHA256" },
  { 0x0000A7, "TLS_DH_anon_WITH_AES_256_GCM_SHA384" },
  /* RFC 5487 */
  { 0x0000A8, "TLS_PSK_WITH_AES_128_GCM_SHA256" },
  { 0x0000A9, "TLS_PSK_WITH_AES_256_GCM_SHA384" },
  { 0x0000AA, "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256" },
  { 0x0000AB, "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384" },
  { 0x0000AC, "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256" },
  { 0x0000AD, "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384" },
  { 0x0000AE, "TLS_PSK_WITH_AES_128_CBC_SHA256" },
  { 0x0000AF, "TLS_PSK_WITH_AES_256_CBC_SHA384" },
  { 0x0000B0, "TLS_PSK_WITH_NULL_SHA256" },
  { 0x0000B1, "TLS_PSK_WITH_NULL_SHA384" },
  { 0x0000B2, "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256" },
  { 0x0000B3, "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384" },
  { 0x0000B4, "TLS_DHE_PSK_WITH_NULL_SHA256" },
  { 0x0000B5, "TLS_DHE_PSK_WITH_NULL_SHA384" },
  { 0x0000B6, "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256" },
  { 0x0000B7, "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384" },
  { 0x0000B8, "TLS_RSA_PSK_WITH_NULL_SHA256" },
  { 0x0000B9, "TLS_RSA_PSK_WITH_NULL_SHA384" },
  /* From RFC 5932 */
  { 0x0000BA, "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
  { 0x0000BB, "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256" },
  { 0x0000BC, "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
  { 0x0000BD, "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256" },
  { 0x0000BE, "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
  { 0x0000BF, "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256" },
  { 0x0000C0, "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
  { 0x0000C1, "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256" },
  { 0x0000C2, "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
  { 0x0000C3, "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256" },
  { 0x0000C4, "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
  { 0x0000C5, "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256" },
  /* 0x00,0xC6-FE Unassigned  */
  { 0x0000FF, "TLS_EMPTY_RENEGOTIATION_INFO_SCSV" },
  /* 0x01-BF,* Unassigned  */
  /* From RFC 4492 */
  { 0x00c001, "TLS_ECDH_ECDSA_WITH_NULL_SHA" },
  { 0x00c002, "TLS_ECDH_ECDSA_WITH_RC4_128_SHA" },
  { 0x00c003, "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA" },
  { 0x00c004, "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA" },
  { 0x00c005, "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" },
  { 0x00c006, "TLS_ECDHE_ECDSA_WITH_NULL_SHA" },
  { 0x00c007, "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA" },
  { 0x00c008, "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA" },
  { 0x00c009, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA" },
  { 0x00c00a, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" },
  { 0x00c00b, "TLS_ECDH_RSA_WITH_NULL_SHA" },
  { 0x00c00c, "TLS_ECDH_RSA_WITH_RC4_128_SHA" },
  { 0x00c00d, "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA" },
  { 0x00c00e, "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA" },
  { 0x00c00f, "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA" },
  { 0x00c010, "TLS_ECDHE_RSA_WITH_NULL_SHA" },
  { 0x00c011, "TLS_ECDHE_RSA_WITH_RC4_128_SHA" },
  { 0x00c012, "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA" },
  { 0x00c013, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA" },
  { 0x00c014, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA" },
  { 0x00c015, "TLS_ECDH_anon_WITH_NULL_SHA" },
  { 0x00c016, "TLS_ECDH_anon_WITH_RC4_128_SHA" },
  { 0x00c017, "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA" },
  { 0x00c018, "TLS_ECDH_anon_WITH_AES_128_CBC_SHA" },
  { 0x00c019, "TLS_ECDH_anon_WITH_AES_256_CBC_SHA" },
  /* RFC 5054 */
  { 0x00C01A, "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA" },
  { 0x00C01B, "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA" },
  { 0x00C01C, "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA" },
  { 0x00C01D, "TLS_SRP_SHA_WITH_AES_128_CBC_SHA" },
  { 0x00C01E, "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA" },
  { 0x00C01F, "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA" },
  { 0x00C020, "TLS_SRP_SHA_WITH_AES_256_CBC_SHA" },
  { 0x00C021, "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA" },
  { 0x00C022, "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA" },
  /* RFC 5589 */
  { 0x00C023, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256" },
  { 0x00C024, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384" },
  { 0x00C025, "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256" },
  { 0x00C026, "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384" },
  { 0x00C027, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" },
  { 0x00C028, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" },
  { 0x00C029, "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256" },
  { 0x00C02A, "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384" },
  { 0x00C02B, "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" },
  { 0x00C02C, "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" },
  { 0x00C02D, "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256" },
  { 0x00C02E, "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384" },
  { 0x00C02F, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" },
  { 0x00C030, "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" },
  { 0x00C031, "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" },
  { 0x00C032, "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384" },
  /* RFC 5489 */
  { 0x00C033, "TLS_ECDHE_PSK_WITH_RC4_128_SHA" },
  { 0x00C034, "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA" },
  { 0x00C035, "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA" },
  { 0x00C036, "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA" },
  { 0x00C037, "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256" },
  { 0x00C038, "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384" },
  { 0x00C039, "TLS_ECDHE_PSK_WITH_NULL_SHA" },
  { 0x00C03A, "TLS_ECDHE_PSK_WITH_NULL_SHA256" },
  { 0x00C03B, "TLS_ECDHE_PSK_WITH_NULL_SHA384" },
  /* 0xC0,0x3C-FF Unassigned
          0xC1-FD,* Unassigned
          0xFE,0x00-FD Unassigned
          0xFE,0xFE-FF Reserved to avoid conflicts with widely deployed implementations [Pasi_Eronen]
          0xFF,0x00-FF Reserved for Private Use [RFC5246]
          */

  /* old numbers used in the beginning
   * https://tools.ietf.org/html/draft-agl-tls-chacha20poly1305 */
  { 0x00CC13, "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
  { 0x00CC14, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" },
  { 0x00CC15, "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },

  /* https://tools.ietf.org/html/rfc7905 */
  { 0x00CCA8, "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
  { 0x00CCA9, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" },
  { 0x00CCAA, "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
  { 0x00CCAB, "TLS_PSK_WITH_CHACHA20_POLY1305_SHA256" },
  { 0x00CCAC, "TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256" },
  { 0x00CCAD, "TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256" },
  { 0x00CCAE, "TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256" },

  /* GM/T 0024-2014 */
  { 0x00e001, "ECDHE_SM1_SM3"},
  { 0x00e003, "ECC_SM1_SM3"},
  { 0x00e005, "IBSDH_SM1_SM3"},
  { 0x00e007, "IBC_SM1_SM3"},
  { 0x00e009, "RSA_SM1_SM3"},
  { 0x00e00a, "RSA_SM1_SHA1"},
  { 0x00e011, "ECDHE_SM4_CBC_SM3"},
  { 0x00e013, "ECC_SM4_CBC_SM3"},
  { 0x00e015, "IBSDH_SM4_CBC_SM3"},
  { 0x00e017, "IBC_SM4_CBC_SM3"},
  { 0x00e019, "RSA_SM4_CBC_SM3"},
  { 0x00e01a, "RSA_SM4_CBC_SHA1"},
  { 0x00e01c, "RSA_SM4_CBC_SHA256"},
  { 0x00e051, "ECDHE_SM4_GCM_SM3"},
  { 0x00e053, "ECC_SM4_GCM_SM3"},
  { 0x00e055, "IBSDH_SM4_GCM_SM3"},
  { 0x00e057, "IBC_SM4_GCM_SM3"},
  { 0x00e059, "RSA_SM4_GCM_SM3"},
  { 0x00e05a, "RSA_SM4_GCM_SHA256"},

  /* https://tools.ietf.org/html/draft-josefsson-salsa20-tls */
  { 0x00E410, "TLS_RSA_WITH_ESTREAM_SALSA20_SHA1" },
  { 0x00E411, "TLS_RSA_WITH_SALSA20_SHA1" },
  { 0x00E412, "TLS_ECDHE_RSA_WITH_ESTREAM_SALSA20_SHA1" },
  { 0x00E413, "TLS_ECDHE_RSA_WITH_SALSA20_SHA1" },
  { 0x00E414, "TLS_ECDHE_ECDSA_WITH_ESTREAM_SALSA20_SHA1" },
  { 0x00E415, "TLS_ECDHE_ECDSA_WITH_SALSA20_SHA1" },
  { 0x00E416, "TLS_PSK_WITH_ESTREAM_SALSA20_SHA1" },
  { 0x00E417, "TLS_PSK_WITH_SALSA20_SHA1" },
  { 0x00E418, "TLS_ECDHE_PSK_WITH_ESTREAM_SALSA20_SHA1" },
  { 0x00E419, "TLS_ECDHE_PSK_WITH_SALSA20_SHA1" },
  { 0x00E41A, "TLS_RSA_PSK_WITH_ESTREAM_SALSA20_SHA1" },
  { 0x00E41B, "TLS_RSA_PSK_WITH_SALSA20_SHA1" },
  { 0x00E41C, "TLS_DHE_PSK_WITH_ESTREAM_SALSA20_SHA1" },
  { 0x00E41D, "TLS_DHE_PSK_WITH_SALSA20_SHA1" },
  { 0x00E41E, "TLS_DHE_RSA_WITH_ESTREAM_SALSA20_SHA1" },
  { 0x00E41F, "TLS_DHE_RSA_WITH_SALSA20_SHA1" },

  /* these from http://www.mozilla.org/projects/
       security/pki/nss/ssl/fips-ssl-ciphersuites.html */
  { 0x00fefe, "SSL_RSA_FIPS_WITH_DES_CBC_SHA"},
  { 0x00feff, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA" },
  { 0x00ffe0, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA" },
  { 0x00ffe1, "SSL_RSA_FIPS_WITH_DES_CBC_SHA"},
  /* note that ciphersuites of {0x00????} are TLS cipher suites in
   * a sslv2 client hello message; the ???? above is the two-byte
   * tls cipher suite id
   */

  { 0x010080, "SSL2_RC4_128_WITH_MD5" },
  { 0x020080, "SSL2_RC4_128_EXPORT40_WITH_MD5" },
  { 0x030080, "SSL2_RC2_128_CBC_WITH_MD5" },
  { 0x040080, "SSL2_RC2_128_CBC_EXPORT40_WITH_MD5" },
  { 0x050080, "SSL2_IDEA_128_CBC_WITH_MD5" },
  { 0x060040, "SSL2_DES_64_CBC_WITH_MD5" },
  { 0x0700c0, "SSL2_DES_192_EDE3_CBC_WITH_MD5" },
  { 0x080080, "SSL2_RC4_64_WITH_MD5" },

  { 0x00, NULL((void*)0) }
477};

479value_string_ext ssl_20_cipher_suites_ext = VALUE_STRING_EXT_INIT(ssl_20_cipher_suites){ _try_val_to_str_ext_init, 0, (sizeof (ssl_20_cipher_suites)
 / sizeof ((ssl_20_cipher_suites)[0]))-1, ssl_20_cipher_suites
, "ssl_20_cipher_suites", ((void*)0) };


482/*
* Supported Groups (formerly named "EC Named Curve").
* https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8
*/
486const value_string ssl_extension_curves[] = {
  {  1, "sect163k1" },
  {  2, "sect163r1" },
  {  3, "sect163r2" },
  {  4, "sect193r1" },
  {  5, "sect193r2" },
  {  6, "sect233k1" },
  {  7, "sect233r1" },
  {  8, "sect239k1" },
  {  9, "sect283k1" },
  { 10, "sect283r1" },
  { 11, "sect409k1" },
  { 12, "sect409r1" },
  { 13, "sect571k1" },
  { 14, "sect571r1" },
  { 15, "secp160k1" },
  { 16, "secp160r1" },
  { 17, "secp160r2" },
  { 18, "secp192k1" },
  { 19, "secp192r1" },
  { 20, "secp224k1" },
  { 21, "secp224r1" },
  { 22, "secp256k1" },
  { 23, "secp256r1" },
  { 24, "secp384r1" },
  { 25, "secp521r1" },
  { 26, "brainpoolP256r1" }, /* RFC 7027 */
  { 27, "brainpoolP384r1" }, /* RFC 7027 */
  { 28, "brainpoolP512r1" }, /* RFC 7027 */
  { 29, "x25519" }, /* RFC 8446 / RFC 8422 */
  { 30, "x448" }, /* RFC 8446 / RFC 8422 */
  { 31, "brainpoolP256r1tls13" }, /* RFC8734 */
  { 32, "brainpoolP384r1tls13" }, /* RFC8734 */
  { 33, "brainpoolP512r1tls13" }, /* RFC8734 */
  { 34, "GC256A" }, /* RFC9189 */
  { 35, "GC256B" }, /* RFC9189 */
  { 36, "GC256C" }, /* RFC9189 */
  { 37, "GC256D" }, /* RFC9189 */
  { 38, "GC512A" }, /* RFC9189 */
  { 39, "GC512B" }, /* RFC9189 */
  { 40, "GC512C" }, /* RFC9189 */
  { 41, "curveSM2" }, /* RFC 8998 */
  { 256, "ffdhe2048" }, /* RFC 7919 */
  { 257, "ffdhe3072" }, /* RFC 7919 */
  { 258, "ffdhe4096" }, /* RFC 7919 */
  { 259, "ffdhe6144" }, /* RFC 7919 */
  { 260, "ffdhe8192" }, /* RFC 7919 */
  { 512, "MLKEM512"}, /* draft-connolly-tls-mlkem-key-agreement-03 */
  { 513, "MLKEM768"}, /* draft-connolly-tls-mlkem-key-agreement-03 */
  { 514, "MLKEM1024"}, /* draft-connolly-tls-mlkem-key-agreement-03 */
  { 2570, "Reserved (GREASE)" }, /* RFC 8701 */
  { 4587, "SecP256r1MLKEM768" }, /* draft-kwiatkowski-tls-ecdhe-mlkem-02 */
  { 4588, "X25519MLKEM768" }, /* draft-kwiatkowski-tls-ecdhe-mlkem-03 */
  { 4589, "SecP384r1MLKEM1024" }, /* draft-kwiatkowski-tls-ecdhe-mlkem-03 */
  { 6682, "Reserved (GREASE)" }, /* RFC 8701 */
  { 10794, "Reserved (GREASE)" }, /* RFC 8701 */
  { 14906, "Reserved (GREASE)" }, /* RFC 8701 */
  { 19018, "Reserved (GREASE)" }, /* RFC 8701 */
  { 23130, "Reserved (GREASE)" }, /* RFC 8701 */
  { 25497, "X25519Kyber768Draft00 (OBSOLETE)" }, /* draft-tls-westerbaan-xyber768d00-02 */
  { 25498, "SecP256r1Kyber768Draft00 (OBSOLETE)" }, /* draft-kwiatkowski-tls-ecdhe-kyber-01 */
  { 27242, "Reserved (GREASE)" }, /* RFC 8701 */
  { 31354, "Reserved (GREASE)" }, /* RFC 8701 */
  { 35466, "Reserved (GREASE)" }, /* RFC 8701 */
  { 39578, "Reserved (GREASE)" }, /* RFC 8701 */
  { 43690, "Reserved (GREASE)" }, /* RFC 8701 */
  { 47802, "Reserved (GREASE)" }, /* RFC 8701 */
  { 51914, "Reserved (GREASE)" }, /* RFC 8701 */
  { 56026, "Reserved (GREASE)" }, /* RFC 8701 */
  { 60138, "Reserved (GREASE)" }, /* RFC 8701 */
  { 64250, "Reserved (GREASE)" }, /* RFC 8701 */
  { 0xFF01, "arbitrary_explicit_prime_curves" },
  { 0xFF02, "arbitrary_explicit_char2_curves" },
  /* Below are various unofficial values that have been used for testing. */
  /* PQC key exchange algorithms from OQS-OpenSSL,
      see https://github.com/open-quantum-safe/oqs-provider/blob/main/oqs-template/oqs-kem-info.md
      These use IANA unassigned values and this list may be incomplete.
   */
  { 0x2F00, "p256_frodo640aes" },
  { 0x2F01, "p256_frodo640shake" },
  { 0x2F02, "p384_frodo976aes" },
  { 0x0203, "frodo976shake" },
  { 0x2F03, "p384_frodo976shake" },
  { 0x0204, "frodo1344aes" },
  { 0x2F04, "p521_frodo1344aes" },
  { 0x0205, "frodo1344shake" },
  { 0x2F05, "p521_frodo1344shake" },
  { 0x023A, "kyber512" },
  { 0x2F3A, "p256_kyber512" },
  { 0x023C, "kyber768" },
  { 0x2F3C, "p384_kyber768" },
  { 0x023D, "kyber1024" },
  { 0x2F3D, "p521_kyber1024" },
  { 0x0214, "ntru_hps2048509" },
  { 0x2F14, "p256_ntru_hps2048509" },
  { 0x0215, "ntru_hps2048677" },
  { 0x2F15, "p384_ntru_hps2048677" },
  { 0x0216, "ntru_hps4096821" },
  { 0x2F16, "p521_ntru_hps4096821" },
  { 0x0245, "ntru_hps40961229" },
  { 0x2F45, "p521_ntru_hps40961229" },
  { 0x0217, "ntru_hrss701" },
  { 0x2F17, "p384_ntru_hrss701" },
  { 0x0246, "ntru_hrss1373" },
  { 0x2F46, "p521_ntru_hrss1373" },
  { 0x0218, "lightsaber" },
  { 0x2F18, "p256_lightsaber" },
  { 0x0219, "saber" },
  { 0x2F19, "p384_saber" },
  { 0x021A, "firesaber" },
  { 0x2F1A, "p521_firesaber" },
  { 0x021B, "sidhp434" },
  { 0x2F1B, "p256_sidhp434" },
  { 0x021C, "sidhp503" },
  { 0x2F1C, "p256_sidhp503" },
  { 0x021D, "sidhp610" },
  { 0x2F1D, "p384_sidhp610" },
  { 0x021E, "sidhp751" },
  { 0x2F1E, "p521_sidhp751" },
  { 0x021F, "sikep434" },
  { 0x2F1F, "p256_sikep434" },
  { 0x0220, "sikep503" },
  { 0x2F20, "p256_sikep503" },
  { 0x0221, "sikep610" },
  { 0x2F21, "p384_sikep610" },
  { 0x0222, "sikep751" },
  { 0x2F22, "p521_sikep751" },
  { 0x0238, "bikel1" },
  { 0x2F38, "p256_bikel1" },
  { 0x023B, "bikel3" },
  { 0x2F3B, "p384_bikel3" },
  { 0x023E, "kyber90s512" },
  { 0x2F3E, "p256_kyber90s512" },
  { 0x023F, "kyber90s768" },
  { 0x2F3F, "p384_kyber90s768" },
  { 0x0240, "kyber90s1024" },
  { 0x2F40, "p521_kyber90s1024" },
  { 0x022C, "hqc128" },
  { 0x2F2C, "p256_hqc128" },
  { 0x022D, "hqc192" },
  { 0x2F2D, "p384_hqc192" },
  { 0x022E, "hqc256" },
  { 0x2F2E, "p521_hqc256" },
  { 0x022F, "ntrulpr653" },
  { 0x2F2F, "p256_ntrulpr653" },
  { 0x0230, "ntrulpr761" },
  { 0x2F43, "p256_ntrulpr761" },
  { 0x0231, "ntrulpr857" },
  { 0x2F31, "p384_ntrulpr857" },
  { 0x0241, "ntrulpr1277" },
  { 0x2F41, "p521_ntrulpr1277" },
  { 0x0232, "sntrup653" },
  { 0x2F32, "p256_sntrup653" },
  { 0x0233, "sntrup761" },
  { 0x2F44, "p256_sntrup761" },
  { 0x0234, "sntrup857" },
  { 0x2F34, "p384_sntrup857" },
  { 0x0242, "sntrup1277" },
  { 0x2F42, "p521_sntrup1277" },
  /* Other PQ key exchange algorithms, using Reserved for Private Use values
      https://blog.cloudflare.com/post-quantum-for-all
https://www.ietf.org/archive/id/draft-tls-westerbaan-xyber768d00-02.txt */
  { 0xFE30, "X25519Kyber512Draft00 (OBSOLETE)" },
  { 0xFE31, "X25519Kyber768Draft00 (OBSOLETE)" },
  { 0x00, NULL((void*)0) }
651};

653const value_string ssl_curve_types[] = {
  { 1, "explicit_prime" },
  { 2, "explicit_char2" },
  { 3, "named_curve" },
  { 0x00, NULL((void*)0) }
658};

660const value_string ssl_extension_ec_point_formats[] = {
  { 0, "uncompressed" },
  { 1, "ansiX962_compressed_prime" },
  { 2, "ansiX962_compressed_char2" },
  { 0x00, NULL((void*)0) }
665};

667const value_string ssl_20_certificate_type[] = {
  { 0x00, "N/A" },
  { 0x01, "X.509 Certificate" },
  { 0x00, NULL((void*)0) }
671};

673const value_string ssl_31_content_type[] = {
  { 20, "Change Cipher Spec" },
  { 21, "Alert" },
  { 22, "Handshake" },
  { 23, "Application Data" },
  { 24, "Heartbeat" },
  { 25, "Connection ID" },
  { 0x00, NULL((void*)0) }
681};

683#if 0
684/* XXX - would be used if we dissected the body of a Change Cipher Spec
 message. */
686const value_string ssl_31_change_cipher_spec[] = {
  { 1, "Change Cipher Spec" },
  { 0x00, NULL((void*)0) }
689};
690#endif

692const value_string ssl_31_alert_level[] = {
  { 1, "Warning" },
  { 2, "Fatal" },
  { 0x00, NULL((void*)0) }
696};

698const value_string ssl_31_alert_description[] = {
  {   0,  "Close Notify" },
  {   1,  "End of Early Data" },
  {  10,  "Unexpected Message" },
  {  20,  "Bad Record MAC" },
  {  21,  "Decryption Failed" },
  {  22,  "Record Overflow" },
  {  30,  "Decompression Failure" },
  {  40,  "Handshake Failure" },
  {  41,  "No Certificate" },
  {  42,  "Bad Certificate" },
  {  43,  "Unsupported Certificate" },
  {  44,  "Certificate Revoked" },
  {  45,  "Certificate Expired" },
  {  46,  "Certificate Unknown" },
  {  47,  "Illegal Parameter" },
  {  48,  "Unknown CA" },
  {  49,  "Access Denied" },
  {  50,  "Decode Error" },
  {  51,  "Decrypt Error" },
  {  60,  "Export Restriction" },
  {  70,  "Protocol Version" },
  {  71,  "Insufficient Security" },
  {  80,  "Internal Error" },
  {  86,  "Inappropriate Fallback" },
  {  90,  "User Canceled" },
  { 100, "No Renegotiation" },
  { 109, "Missing Extension" },
  { 110, "Unsupported Extension" },
  { 111, "Certificate Unobtainable" },
  { 112, "Unrecognized Name" },
  { 113, "Bad Certificate Status Response" },
  { 114, "Bad Certificate Hash Value" },
  { 115, "Unknown PSK Identity" },
  { 116, "Certificate Required" },
  { 120, "No application Protocol" },
  { 121, "ECH Required" },
  { 0x00, NULL((void*)0) }
736};

738const value_string ssl_31_handshake_type[] = {
  { SSL_HND_HELLO_REQUEST,     "Hello Request" },
  { SSL_HND_CLIENT_HELLO,      "Client Hello" },
  { SSL_HND_SERVER_HELLO,      "Server Hello" },
  { SSL_HND_HELLO_VERIFY_REQUEST, "Hello Verify Request"},
  { SSL_HND_NEWSESSION_TICKET, "New Session Ticket" },
  { SSL_HND_END_OF_EARLY_DATA, "End of Early Data" },
  { SSL_HND_HELLO_RETRY_REQUEST, "Hello Retry Request" },
  { SSL_HND_ENCRYPTED_EXTENSIONS, "Encrypted Extensions" },
  { SSL_HND_CERTIFICATE,       "Certificate" },
  { SSL_HND_SERVER_KEY_EXCHG,  "Server Key Exchange" },
  { SSL_HND_CERT_REQUEST,      "Certificate Request" },
  { SSL_HND_SVR_HELLO_DONE,    "Server Hello Done" },
  { SSL_HND_CERT_VERIFY,       "Certificate Verify" },
  { SSL_HND_CLIENT_KEY_EXCHG,  "Client Key Exchange" },
  { SSL_HND_FINISHED,          "Finished" },
  { SSL_HND_CERT_URL,          "Client Certificate URL" },
  { SSL_HND_CERT_STATUS,       "Certificate Status" },
  { SSL_HND_SUPPLEMENTAL_DATA, "Supplemental Data" },
  { SSL_HND_KEY_UPDATE,        "Key Update" },
  { SSL_HND_COMPRESSED_CERTIFICATE, "Compressed Certificate" },
  { SSL_HND_ENCRYPTED_EXTS,    "Encrypted Extensions" },
  { 0x00, NULL((void*)0) }
761};

763const value_string tls_heartbeat_type[] = {
  { 1, "Request" },
  { 2, "Response" },
  { 0x00, NULL((void*)0) }
767};

769const value_string tls_heartbeat_mode[] = {
  { 1, "Peer allowed to send requests" },
  { 2, "Peer not allowed to send requests" },
  { 0x00, NULL((void*)0) }
773};

775const value_string ssl_31_compression_method[] = {
  {  0, "null" },
  {  1, "DEFLATE" },
  { 64, "LZS" },
  { 0x00, NULL((void*)0) }
780};

782#if 0
783/* XXX - would be used if we dissected a Signature, as would be
 seen in a server key exchange or certificate verify message. */
785const value_string ssl_31_key_exchange_algorithm[] = {
  { 0, "RSA" },
  { 1, "Diffie Hellman" },
  { 0x00, NULL((void*)0) }
789};

791const value_string ssl_31_signature_algorithm[] = {
  { 0, "Anonymous" },
  { 1, "RSA" },
  { 2, "DSA" },
  { 0x00, NULL((void*)0) }
796};
797#endif

799const value_string ssl_31_client_certificate_type[] = {
  { 1, "RSA Sign" },
  { 2, "DSS Sign" },
  { 3, "RSA Fixed DH" },
  { 4, "DSS Fixed DH" },
  /* GOST certificate types */
  /* Section 3.5 of draft-chudov-cryptopro-cptls-04 */
  { 21, "GOST R 34.10-94" },
  { 22, "GOST R 34.10-2001" },
  /* END GOST certificate types */
  { 64, "ECDSA Sign" },
  { 65, "RSA Fixed ECDH" },
  { 66, "ECDSA Fixed ECDH" },
  { 80, "IBC Params" },
  { 0x00, NULL((void*)0) }
814};

816#if 0
817/* XXX - would be used if we dissected exchange keys, as would be
 seen in a client key exchange message. */
819const value_string ssl_31_public_value_encoding[] = {
  { 0, "Implicit" },
  { 1, "Explicit" },
  { 0x00, NULL((void*)0) }
823};
824#endif

826/* http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml */
827/* Note: sorted by ascending value so value_string_ext fcns can do a binary search */
828static const value_string ssl_31_ciphersuite[] = {
  /* RFC 2246, RFC 4346, RFC 5246 */
  { 0x0000, "TLS_NULL_WITH_NULL_NULL" },
  { 0x0001, "TLS_RSA_WITH_NULL_MD5" },
  { 0x0002, "TLS_RSA_WITH_NULL_SHA" },
  { 0x0003, "TLS_RSA_EXPORT_WITH_RC4_40_MD5" },
  { 0x0004, "TLS_RSA_WITH_RC4_128_MD5" },
  { 0x0005, "TLS_RSA_WITH_RC4_128_SHA" },
  { 0x0006, "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5" },
  { 0x0007, "TLS_RSA_WITH_IDEA_CBC_SHA" },
  { 0x0008, "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA" },
  { 0x0009, "TLS_RSA_WITH_DES_CBC_SHA" },
  { 0x000a, "TLS_RSA_WITH_3DES_EDE_CBC_SHA" },
  { 0x000b, "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA" },
  { 0x000c, "TLS_DH_DSS_WITH_DES_CBC_SHA" },
  { 0x000d, "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA" },
  { 0x000e, "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA" },
  { 0x000f, "TLS_DH_RSA_WITH_DES_CBC_SHA" },
  { 0x0010, "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA" },
  { 0x0011, "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA" },
  { 0x0012, "TLS_DHE_DSS_WITH_DES_CBC_SHA" },
  { 0x0013, "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA" },
  { 0x0014, "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA" },
  { 0x0015, "TLS_DHE_RSA_WITH_DES_CBC_SHA" },
  { 0x0016, "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA" },
  { 0x0017, "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5" },
  { 0x0018, "TLS_DH_anon_WITH_RC4_128_MD5" },
  { 0x0019, "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA" },
  { 0x001a, "TLS_DH_anon_WITH_DES_CBC_SHA" },
  { 0x001b, "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA" },

  { 0x001c, "SSL_FORTEZZA_KEA_WITH_NULL_SHA" },
  { 0x001d, "SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA" },
861#if 0 /* Because it clashes with KRB5, is never used any more, and is safe
       to remove according to David Hopwood <david.hopwood@zetnet.co.uk>
       of the ietf-tls list */
  { 0x001e, "SSL_FORTEZZA_KEA_WITH_RC4_128_SHA" },
865#endif
  /* RFC 2712 */
  { 0x001E, "TLS_KRB5_WITH_DES_CBC_SHA" },
  { 0x001F, "TLS_KRB5_WITH_3DES_EDE_CBC_SHA" },
  { 0x0020, "TLS_KRB5_WITH_RC4_128_SHA" },
  { 0x0021, "TLS_KRB5_WITH_IDEA_CBC_SHA" },
  { 0x0022, "TLS_KRB5_WITH_DES_CBC_MD5" },
  { 0x0023, "TLS_KRB5_WITH_3DES_EDE_CBC_MD5" },
  { 0x0024, "TLS_KRB5_WITH_RC4_128_MD5" },
  { 0x0025, "TLS_KRB5_WITH_IDEA_CBC_MD5" },
  { 0x0026, "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA" },
  { 0x0027, "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA" },
  { 0x0028, "TLS_KRB5_EXPORT_WITH_RC4_40_SHA" },
  { 0x0029, "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5" },
  { 0x002A, "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5" },
  { 0x002B, "TLS_KRB5_EXPORT_WITH_RC4_40_MD5" },
  /* RFC 4785 */
  { 0x002C, "TLS_PSK_WITH_NULL_SHA" },
  { 0x002D, "TLS_DHE_PSK_WITH_NULL_SHA" },
  { 0x002E, "TLS_RSA_PSK_WITH_NULL_SHA" },
  /* RFC 5246 */
  { 0x002F, "TLS_RSA_WITH_AES_128_CBC_SHA" },
  { 0x0030, "TLS_DH_DSS_WITH_AES_128_CBC_SHA" },
  { 0x0031, "TLS_DH_RSA_WITH_AES_128_CBC_SHA" },
  { 0x0032, "TLS_DHE_DSS_WITH_AES_128_CBC_SHA" },
  { 0x0033, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA" },
  { 0x0034, "TLS_DH_anon_WITH_AES_128_CBC_SHA" },
  { 0x0035, "TLS_RSA_WITH_AES_256_CBC_SHA" },
  { 0x0036, "TLS_DH_DSS_WITH_AES_256_CBC_SHA" },
  { 0x0037, "TLS_DH_RSA_WITH_AES_256_CBC_SHA" },
  { 0x0038, "TLS_DHE_DSS_WITH_AES_256_CBC_SHA" },
  { 0x0039, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA" },
  { 0x003A, "TLS_DH_anon_WITH_AES_256_CBC_SHA" },
  { 0x003B, "TLS_RSA_WITH_NULL_SHA256" },
  { 0x003C, "TLS_RSA_WITH_AES_128_CBC_SHA256" },
  { 0x003D, "TLS_RSA_WITH_AES_256_CBC_SHA256" },
  { 0x003E, "TLS_DH_DSS_WITH_AES_128_CBC_SHA256" },
  { 0x003F, "TLS_DH_RSA_WITH_AES_128_CBC_SHA256" },
  { 0x0040, "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256" },
  /* RFC 4132 */
  { 0x0041, "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA" },
  { 0x0042, "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA" },
  { 0x0043, "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA" },
  { 0x0044, "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA" },
  { 0x0045, "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA" },
  { 0x0046, "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA" },
  /* 0x00,0x60-66 Reserved to avoid conflicts with widely deployed implementations  */
  /* --- ??? --- */
  { 0x0060, "TLS_RSA_EXPORT1024_WITH_RC4_56_MD5" },
  { 0x0061, "TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5" },
  /* draft-ietf-tls-56-bit-ciphersuites-01.txt */
  { 0x0062, "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA" },
  { 0x0063, "TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA" },
  { 0x0064, "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA" },
  { 0x0065, "TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA" },
  { 0x0066, "TLS_DHE_DSS_WITH_RC4_128_SHA" },
  /* --- ??? ---*/
  { 0x0067, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256" },
  { 0x0068, "TLS_DH_DSS_WITH_AES_256_CBC_SHA256" },
  { 0x0069, "TLS_DH_RSA_WITH_AES_256_CBC_SHA256" },
  { 0x006A, "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256" },
  { 0x006B, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256" },
  { 0x006C, "TLS_DH_anon_WITH_AES_128_CBC_SHA256" },
  { 0x006D, "TLS_DH_anon_WITH_AES_256_CBC_SHA256" },
  /* draft-chudov-cryptopro-cptls-04.txt */
  { 0x0080,  "TLS_GOSTR341094_WITH_28147_CNT_IMIT" },
  { 0x0081,  "TLS_GOSTR341001_WITH_28147_CNT_IMIT" },
  { 0x0082,  "TLS_GOSTR341094_WITH_NULL_GOSTR3411" },
  { 0x0083,  "TLS_GOSTR341001_WITH_NULL_GOSTR3411" },
  /* RFC 4132 */
  { 0x0084, "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA" },
  { 0x0085, "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA" },
  { 0x0086, "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA" },
  { 0x0087, "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA" },
  { 0x0088, "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA" },
  { 0x0089, "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA" },
  /* RFC 4279 */
  { 0x008A, "TLS_PSK_WITH_RC4_128_SHA" },
  { 0x008B, "TLS_PSK_WITH_3DES_EDE_CBC_SHA" },
  { 0x008C, "TLS_PSK_WITH_AES_128_CBC_SHA" },
  { 0x008D, "TLS_PSK_WITH_AES_256_CBC_SHA" },
  { 0x008E, "TLS_DHE_PSK_WITH_RC4_128_SHA" },
  { 0x008F, "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA" },
  { 0x0090, "TLS_DHE_PSK_WITH_AES_128_CBC_SHA" },
  { 0x0091, "TLS_DHE_PSK_WITH_AES_256_CBC_SHA" },
  { 0x0092, "TLS_RSA_PSK_WITH_RC4_128_SHA" },
  { 0x0093, "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA" },
  { 0x0094, "TLS_RSA_PSK_WITH_AES_128_CBC_SHA" },
  { 0x0095, "TLS_RSA_PSK_WITH_AES_256_CBC_SHA" },
  /* RFC 4162 */
  { 0x0096, "TLS_RSA_WITH_SEED_CBC_SHA" },
  { 0x0097, "TLS_DH_DSS_WITH_SEED_CBC_SHA" },
  { 0x0098, "TLS_DH_RSA_WITH_SEED_CBC_SHA" },
  { 0x0099, "TLS_DHE_DSS_WITH_SEED_CBC_SHA" },
  { 0x009A, "TLS_DHE_RSA_WITH_SEED_CBC_SHA" },
  { 0x009B, "TLS_DH_anon_WITH_SEED_CBC_SHA" },
  /* RFC 5288 */
  { 0x009C, "TLS_RSA_WITH_AES_128_GCM_SHA256" },
  { 0x009D, "TLS_RSA_WITH_AES_256_GCM_SHA384" },
  { 0x009E, "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256" },
  { 0x009F, "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384" },
  { 0x00A0, "TLS_DH_RSA_WITH_AES_128_GCM_SHA256" },
  { 0x00A1, "TLS_DH_RSA_WITH_AES_256_GCM_SHA384" },
  { 0x00A2, "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256" },
  { 0x00A3, "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384" },
  { 0x00A4, "TLS_DH_DSS_WITH_AES_128_GCM_SHA256" },
  { 0x00A5, "TLS_DH_DSS_WITH_AES_256_GCM_SHA384" },
  { 0x00A6, "TLS_DH_anon_WITH_AES_128_GCM_SHA256" },
  { 0x00A7, "TLS_DH_anon_WITH_AES_256_GCM_SHA384" },
  /* RFC 5487 */
  { 0x00A8, "TLS_PSK_WITH_AES_128_GCM_SHA256" },
  { 0x00A9, "TLS_PSK_WITH_AES_256_GCM_SHA384" },
  { 0x00AA, "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256" },
  { 0x00AB, "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384" },
  { 0x00AC, "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256" },
  { 0x00AD, "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384" },
  { 0x00AE, "TLS_PSK_WITH_AES_128_CBC_SHA256" },
  { 0x00AF, "TLS_PSK_WITH_AES_256_CBC_SHA384" },
  { 0x00B0, "TLS_PSK_WITH_NULL_SHA256" },
  { 0x00B1, "TLS_PSK_WITH_NULL_SHA384" },
  { 0x00B2, "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256" },
  { 0x00B3, "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384" },
  { 0x00B4, "TLS_DHE_PSK_WITH_NULL_SHA256" },
  { 0x00B5, "TLS_DHE_PSK_WITH_NULL_SHA384" },
  { 0x00B6, "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256" },
  { 0x00B7, "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384" },
  { 0x00B8, "TLS_RSA_PSK_WITH_NULL_SHA256" },
  { 0x00B9, "TLS_RSA_PSK_WITH_NULL_SHA384" },
  /* From RFC 5932 */
  { 0x00BA, "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
  { 0x00BB, "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256" },
  { 0x00BC, "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
  { 0x00BD, "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256" },
  { 0x00BE, "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
  { 0x00BF, "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256" },
  { 0x00C0, "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
  { 0x00C1, "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256" },
  { 0x00C2, "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
  { 0x00C3, "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256" },
  { 0x00C4, "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
  { 0x00C5, "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256" },
  /* RFC 8998 */
  { 0x00C6, "TLS_SM4_GCM_SM3" },
  { 0x00C7, "TLS_SM4_CCM_SM3" },
  /* 0x00,0xC8-FE Unassigned */
  /* From RFC 5746 */
  { 0x00FF, "TLS_EMPTY_RENEGOTIATION_INFO_SCSV" },
  /* RFC 8701 */
  { 0x0A0A, "Reserved (GREASE)" },
  /* RFC 8446 */
  { 0x1301, "TLS_AES_128_GCM_SHA256" },
  { 0x1302, "TLS_AES_256_GCM_SHA384" },
  { 0x1303, "TLS_CHACHA20_POLY1305_SHA256" },
  { 0x1304, "TLS_AES_128_CCM_SHA256" },
  { 0x1305, "TLS_AES_128_CCM_8_SHA256" },
  /* RFC 8701 */
  { 0x1A1A, "Reserved (GREASE)" },
  { 0x2A2A, "Reserved (GREASE)" },
  { 0x3A3A, "Reserved (GREASE)" },
  { 0x4A4A, "Reserved (GREASE)" },
  /* From RFC 7507 */
  { 0x5600, "TLS_FALLBACK_SCSV" },
  /* RFC 8701 */
  { 0x5A5A, "Reserved (GREASE)" },
  { 0x6A6A, "Reserved (GREASE)" },
  { 0x7A7A, "Reserved (GREASE)" },
  { 0x8A8A, "Reserved (GREASE)" },
  { 0x9A9A, "Reserved (GREASE)" },
  { 0xAAAA, "Reserved (GREASE)" },
  { 0xBABA, "Reserved (GREASE)" },
  /* From RFC 4492 */
  { 0xc001, "TLS_ECDH_ECDSA_WITH_NULL_SHA" },
  { 0xc002, "TLS_ECDH_ECDSA_WITH_RC4_128_SHA" },
  { 0xc003, "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA" },
  { 0xc004, "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA" },
  { 0xc005, "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" },
  { 0xc006, "TLS_ECDHE_ECDSA_WITH_NULL_SHA" },
  { 0xc007, "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA" },
  { 0xc008, "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA" },
  { 0xc009, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA" },
  { 0xc00a, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" },
  { 0xc00b, "TLS_ECDH_RSA_WITH_NULL_SHA" },
  { 0xc00c, "TLS_ECDH_RSA_WITH_RC4_128_SHA" },
  { 0xc00d, "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA" },
  { 0xc00e, "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA" },
  { 0xc00f, "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA" },
  { 0xc010, "TLS_ECDHE_RSA_WITH_NULL_SHA" },
  { 0xc011, "TLS_ECDHE_RSA_WITH_RC4_128_SHA" },
  { 0xc012, "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA" },
  { 0xc013, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA" },
  { 0xc014, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA" },
  { 0xc015, "TLS_ECDH_anon_WITH_NULL_SHA" },
  { 0xc016, "TLS_ECDH_anon_WITH_RC4_128_SHA" },
  { 0xc017, "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA" },
  { 0xc018, "TLS_ECDH_anon_WITH_AES_128_CBC_SHA" },
  { 0xc019, "TLS_ECDH_anon_WITH_AES_256_CBC_SHA" },
  /* RFC 5054 */
  { 0xC01A, "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA" },
  { 0xC01B, "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA" },
  { 0xC01C, "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA" },
  { 0xC01D, "TLS_SRP_SHA_WITH_AES_128_CBC_SHA" },
  { 0xC01E, "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA" },
  { 0xC01F, "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA" },
  { 0xC020, "TLS_SRP_SHA_WITH_AES_256_CBC_SHA" },
  { 0xC021, "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA" },
  { 0xC022, "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA" },
  /* RFC 5589 */
  { 0xC023, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256" },
  { 0xC024, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384" },
  { 0xC025, "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256" },
  { 0xC026, "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384" },
  { 0xC027, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" },
  { 0xC028, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" },
  { 0xC029, "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256" },
  { 0xC02A, "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384" },
  { 0xC02B, "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" },
  { 0xC02C, "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" },
  { 0xC02D, "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256" },
  { 0xC02E, "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384" },
  { 0xC02F, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" },
  { 0xC030, "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" },
  { 0xC031, "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" },
  { 0xC032, "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384" },
  /* RFC 5489 */
  { 0xC033, "TLS_ECDHE_PSK_WITH_RC4_128_SHA" },
  { 0xC034, "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA" },
  { 0xC035, "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA" },
  { 0xC036, "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA" },
  { 0xC037, "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256" },
  { 0xC038, "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384" },
  { 0xC039, "TLS_ECDHE_PSK_WITH_NULL_SHA" },
  { 0xC03A, "TLS_ECDHE_PSK_WITH_NULL_SHA256" },
  { 0xC03B, "TLS_ECDHE_PSK_WITH_NULL_SHA384" },
  /* RFC 6209 */
  { 0xC03C, "TLS_RSA_WITH_ARIA_128_CBC_SHA256" },
  { 0xC03D, "TLS_RSA_WITH_ARIA_256_CBC_SHA384" },
  { 0xC03E, "TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256" },
  { 0xC03F, "TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384" },
  { 0xC040, "TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256" },
  { 0xC041, "TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384" },
  { 0xC042, "TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256" },
  { 0xC043, "TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384" },
  { 0xC044, "TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256" },
  { 0xC045, "TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384" },
  { 0xC046, "TLS_DH_anon_WITH_ARIA_128_CBC_SHA256" },
  { 0xC047, "TLS_DH_anon_WITH_ARIA_256_CBC_SHA384" },
  { 0xC048, "TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256" },
  { 0xC049, "TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384" },
  { 0xC04A, "TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256" },
  { 0xC04B, "TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384" },
  { 0xC04C, "TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256" },
  { 0xC04D, "TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384" },
  { 0xC04E, "TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256" },
  { 0xC04F, "TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384" },
  { 0xC050, "TLS_RSA_WITH_ARIA_128_GCM_SHA256" },
  { 0xC051, "TLS_RSA_WITH_ARIA_256_GCM_SHA384" },
  { 0xC052, "TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256" },
  { 0xC053, "TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384" },
  { 0xC054, "TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256" },
  { 0xC055, "TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384" },
  { 0xC056, "TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256" },
  { 0xC057, "TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384" },
  { 0xC058, "TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256" },
  { 0xC059, "TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384" },
  { 0xC05A, "TLS_DH_anon_WITH_ARIA_128_GCM_SHA256" },
  { 0xC05B, "TLS_DH_anon_WITH_ARIA_256_GCM_SHA384" },
  { 0xC05C, "TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256" },
  { 0xC05D, "TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384" },
  { 0xC05E, "TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256" },
  { 0xC05F, "TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384" },
  { 0xC060, "TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256" },
  { 0xC061, "TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384" },
  { 0xC062, "TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256" },
  { 0xC063, "TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384" },
  { 0xC064, "TLS_PSK_WITH_ARIA_128_CBC_SHA256" },
  { 0xC065, "TLS_PSK_WITH_ARIA_256_CBC_SHA384" },
  { 0xC066, "TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256" },
  { 0xC067, "TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384" },
  { 0xC068, "TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256" },
  { 0xC069, "TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384" },
  { 0xC06A, "TLS_PSK_WITH_ARIA_128_GCM_SHA256" },
  { 0xC06B, "TLS_PSK_WITH_ARIA_256_GCM_SHA384" },
  { 0xC06C, "TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256" },
  { 0xC06D, "TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384" },
  { 0xC06E, "TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256" },
  { 0xC06F, "TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384" },
  { 0xC070, "TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256" },
  { 0xC071, "TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384" },
  /* RFC 6367 */
  { 0xC072, "TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256" },
  { 0xC073, "TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384" },
  { 0xC074, "TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256" },
  { 0xC075, "TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384" },
  { 0xC076, "TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
  { 0xC077, "TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384" },
  { 0xC078, "TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
  { 0xC079, "TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384" },
  { 0xC07A, "TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256" },
  { 0xC07B, "TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384" },
  { 0xC07C, "TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256" },
  { 0xC07D, "TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384" },
  { 0xC07E, "TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256" },
  { 0xC07F, "TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384" },
  { 0xC080, "TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256" },
  { 0xC081, "TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384" },
  { 0xC082, "TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256" },
  { 0xC083, "TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384" },
  { 0xC084, "TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256" },
  { 0xC085, "TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384" },
  { 0xC086, "TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256" },
  { 0xC087, "TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384" },
  { 0xC088, "TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256" },
  { 0xC089, "TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384" },
  { 0xC08A, "TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256" },
  { 0xC08B, "TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384" },
  { 0xC08C, "TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256" },
  { 0xC08D, "TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384" },
  { 0xC08E, "TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256" },
  { 0xC08F, "TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384" },
  { 0xC090, "TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256" },
  { 0xC091, "TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384" },
  { 0xC092, "TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256" },
  { 0xC093, "TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384" },
  { 0xC094, "TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256" },
  { 0xC095, "TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384" },
  { 0xC096, "TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256" },
  { 0xC097, "TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384" },
  { 0xC098, "TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256" },
  { 0xC099, "TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384" },
  { 0xC09A, "TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256" },
  { 0xC09B, "TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384" },
  /* RFC 6655 */
  { 0xC09C, "TLS_RSA_WITH_AES_128_CCM" },
  { 0xC09D, "TLS_RSA_WITH_AES_256_CCM" },
  { 0xC09E, "TLS_DHE_RSA_WITH_AES_128_CCM" },
  { 0xC09F, "TLS_DHE_RSA_WITH_AES_256_CCM" },
  { 0xC0A0, "TLS_RSA_WITH_AES_128_CCM_8" },
  { 0xC0A1, "TLS_RSA_WITH_AES_256_CCM_8" },
  { 0xC0A2, "TLS_DHE_RSA_WITH_AES_128_CCM_8" },
  { 0xC0A3, "TLS_DHE_RSA_WITH_AES_256_CCM_8" },
  { 0xC0A4, "TLS_PSK_WITH_AES_128_CCM" },
  { 0xC0A5, "TLS_PSK_WITH_AES_256_CCM" },
  { 0xC0A6, "TLS_DHE_PSK_WITH_AES_128_CCM" },
  { 0xC0A7, "TLS_DHE_PSK_WITH_AES_256_CCM" },
  { 0xC0A8, "TLS_PSK_WITH_AES_128_CCM_8" },
  { 0xC0A9, "TLS_PSK_WITH_AES_256_CCM_8" },
  { 0xC0AA, "TLS_PSK_DHE_WITH_AES_128_CCM_8" },
  { 0xC0AB, "TLS_PSK_DHE_WITH_AES_256_CCM_8" },
  /* RFC 7251 */
  { 0xC0AC, "TLS_ECDHE_ECDSA_WITH_AES_128_CCM" },
  { 0xC0AD, "TLS_ECDHE_ECDSA_WITH_AES_256_CCM" },
  { 0xC0AE, "TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8" },
  { 0xC0AF, "TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8" },
  /* RFC 8492 */
  { 0xC0B0, "TLS_ECCPWD_WITH_AES_128_GCM_SHA256" },
  { 0xC0B1, "TLS_ECCPWD_WITH_AES_256_GCM_SHA384" },
  { 0xC0B2, "TLS_ECCPWD_WITH_AES_128_CCM_SHA256" },
  { 0xC0B3, "TLS_ECCPWD_WITH_AES_256_CCM_SHA384" },
  /* draft-camwinget-tls-ts13-macciphersuites */
  { 0xC0B4, "TLS_SHA256_SHA256" },
  { 0xC0B5, "TLS_SHA384_SHA384" },
  /* https://www.ietf.org/archive/id/draft-cragie-tls-ecjpake-01.txt */
  { 0xC0FF, "TLS_ECJPAKE_WITH_AES_128_CCM_8" },
  /* draft-smyshlyaev-tls12-gost-suites */
  { 0xC100, "TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC" },
  { 0xC101, "TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC" },
  { 0xC102, "TLS_GOSTR341112_256_WITH_28147_CNT_IMIT" },
  /* draft-smyshlyaev-tls13-gost-suites */
  { 0xC103, "TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_L" },
  { 0xC104, "TLS_GOSTR341112_256_WITH_MAGMA_MGM_L" },
  { 0xC105, "TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_S" },
  { 0xC106, "TLS_GOSTR341112_256_WITH_MAGMA_MGM_S" },
  /* RFC 8701 */
  { 0xCACA, "Reserved (GREASE)" },
1239/*
12400xC0,0xAB-FF Unassigned
12410xC1,0x03-FD,* Unassigned
12420xFE,0x00-FD Unassigned
12430xFE,0xFE-FF Reserved to avoid conflicts with widely deployed implementations [Pasi_Eronen]
12440xFF,0x00-FF Reserved for Private Use [RFC5246]
1245*/
  /* old numbers used in the beginning
   * https://tools.ietf.org/html/draft-agl-tls-chacha20poly1305 */
  { 0xCC13, "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
  { 0xCC14, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" },
  { 0xCC15, "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
  /* RFC 7905 */
  { 0xCCA8, "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
  { 0xCCA9, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" },
  { 0xCCAA, "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
  { 0xCCAB, "TLS_PSK_WITH_CHACHA20_POLY1305_SHA256" },
  { 0xCCAC, "TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256" },
  { 0xCCAD, "TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256" },
  { 0xCCAE, "TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256" },
  /* RFC 8442 */
  { 0xD001, "TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256" },
  { 0xD002, "TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384" },
  { 0xD003, "TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256" },
  { 0xD005, "TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256" },
  /* RFC 8701 */
  { 0xDADA, "Reserved (GREASE)" },
  /* GM/T 0024-2014 */
  { 0xe001, "ECDHE_SM1_SM3"},
  { 0xe003, "ECC_SM1_SM3"},
  { 0xe005, "IBSDH_SM1_SM3"},
  { 0xe007, "IBC_SM1_SM3"},
  { 0xe009, "RSA_SM1_SM3"},
  { 0xe00a, "RSA_SM1_SHA1"},
  { 0xe011, "ECDHE_SM4_CBC_SM3"},
  { 0xe013, "ECC_SM4_CBC_SM3"},
  { 0xe015, "IBSDH_SM4_CBC_SM3"},
  { 0xe017, "IBC_SM4_CBC_SM3"},
  { 0xe019, "RSA_SM4_CBC_SM3"},
  { 0xe01a, "RSA_SM4_CBC_SHA1"},
  { 0xe01c, "RSA_SM4_CBC_SHA256"},
  { 0xe051, "ECDHE_SM4_GCM_SM3"},
  { 0xe053, "ECC_SM4_GCM_SM3"},
  { 0xe055, "IBSDH_SM4_GCM_SM3"},
  { 0xe057, "IBC_SM4_GCM_SM3"},
  { 0xe059, "RSA_SM4_GCM_SM3"},
  { 0xe05a, "RSA_SM4_GCM_SHA256"},
  /* https://tools.ietf.org/html/draft-josefsson-salsa20-tls */
  { 0xE410, "TLS_RSA_WITH_ESTREAM_SALSA20_SHA1" },
  { 0xE411, "TLS_RSA_WITH_SALSA20_SHA1" },
  { 0xE412, "TLS_ECDHE_RSA_WITH_ESTREAM_SALSA20_SHA1" },
  { 0xE413, "TLS_ECDHE_RSA_WITH_SALSA20_SHA1" },
  { 0xE414, "TLS_ECDHE_ECDSA_WITH_ESTREAM_SALSA20_SHA1" },
  { 0xE415, "TLS_ECDHE_ECDSA_WITH_SALSA20_SHA1" },
  { 0xE416, "TLS_PSK_WITH_ESTREAM_SALSA20_SHA1" },
  { 0xE417, "TLS_PSK_WITH_SALSA20_SHA1" },
  { 0xE418, "TLS_ECDHE_PSK_WITH_ESTREAM_SALSA20_SHA1" },
  { 0xE419, "TLS_ECDHE_PSK_WITH_SALSA20_SHA1" },
  { 0xE41A, "TLS_RSA_PSK_WITH_ESTREAM_SALSA20_SHA1" },
  { 0xE41B, "TLS_RSA_PSK_WITH_SALSA20_SHA1" },
  { 0xE41C, "TLS_DHE_PSK_WITH_ESTREAM_SALSA20_SHA1" },
  { 0xE41D, "TLS_DHE_PSK_WITH_SALSA20_SHA1" },
  { 0xE41E, "TLS_DHE_RSA_WITH_ESTREAM_SALSA20_SHA1" },
  { 0xE41F, "TLS_DHE_RSA_WITH_SALSA20_SHA1" },
  /* RFC 8701 */
  { 0xEAEA, "Reserved (GREASE)" },
  { 0xFAFA, "Reserved (GREASE)" },
  /* these from http://www.mozilla.org/projects/
       security/pki/nss/ssl/fips-ssl-ciphersuites.html */
  { 0xfefe, "SSL_RSA_FIPS_WITH_DES_CBC_SHA"},
  { 0xfeff, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA" },
  /* https://datatracker.ietf.org/doc/html/rfc9189 */
  { 0xff85, "TLS_GOSTR341112_256_WITH_28147_CNT_IMIT"},
  { 0xffe0, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA" },
  { 0xffe1, "SSL_RSA_FIPS_WITH_DES_CBC_SHA" },
  /* note that ciphersuites 0xff00 - 0xffff are private */
  { 0x00, NULL((void*)0) }
1316};

1318value_string_ext ssl_31_ciphersuite_ext = VALUE_STRING_EXT_INIT(ssl_31_ciphersuite){ _try_val_to_str_ext_init, 0, (sizeof (ssl_31_ciphersuite) /
 sizeof ((ssl_31_ciphersuite)[0]))-1, ssl_31_ciphersuite, "ssl_31_ciphersuite"
, ((void*)0) };

1320/* http://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#tls-extensiontype-values-1 */
1321const value_string tls_hello_extension_types[] = {
  { SSL_HND_HELLO_EXT_SERVER_NAME0, "server_name" }, /* RFC 6066 */
  { SSL_HND_HELLO_EXT_MAX_FRAGMENT_LENGTH1, "max_fragment_length" },/* RFC 6066 */
  { SSL_HND_HELLO_EXT_CLIENT_CERTIFICATE_URL2, "client_certificate_url" }, /* RFC 6066 */
  { SSL_HND_HELLO_EXT_TRUSTED_CA_KEYS3, "trusted_ca_keys" }, /* RFC 6066 */
  { SSL_HND_HELLO_EXT_TRUNCATED_HMAC4, "truncated_hmac" }, /* RFC 6066 */
  { SSL_HND_HELLO_EXT_STATUS_REQUEST5, "status_request" }, /* RFC 6066 */
  { SSL_HND_HELLO_EXT_USER_MAPPING6, "user_mapping" }, /* RFC 4681 */
  { SSL_HND_HELLO_EXT_CLIENT_AUTHZ7, "client_authz" }, /* RFC 5878 */
  { SSL_HND_HELLO_EXT_SERVER_AUTHZ8, "server_authz" }, /* RFC 5878 */
  { SSL_HND_HELLO_EXT_CERT_TYPE9, "cert_type" }, /* RFC 6091 */
  { SSL_HND_HELLO_EXT_SUPPORTED_GROUPS10, "supported_groups" }, /* RFC 4492, RFC 7919 */
  { SSL_HND_HELLO_EXT_EC_POINT_FORMATS11, "ec_point_formats" }, /* RFC 4492 */
  { SSL_HND_HELLO_EXT_SRP12, "srp" }, /* RFC 5054 */
  { SSL_HND_HELLO_EXT_SIGNATURE_ALGORITHMS13, "signature_algorithms" }, /* RFC 5246 */
  { SSL_HND_HELLO_EXT_USE_SRTP14, "use_srtp" }, /* RFC 5764 */
  { SSL_HND_HELLO_EXT_HEARTBEAT15, "heartbeat" }, /* RFC 6520 */
  { SSL_HND_HELLO_EXT_ALPN16, "application_layer_protocol_negotiation" }, /* RFC 7301 */
  { SSL_HND_HELLO_EXT_STATUS_REQUEST_V217, "status_request_v2" }, /* RFC 6961 */
  { SSL_HND_HELLO_EXT_SIGNED_CERTIFICATE_TIMESTAMP18, "signed_certificate_timestamp" }, /* RFC 6962 */
  { SSL_HND_HELLO_EXT_CLIENT_CERT_TYPE19, "client_certificate_type" }, /* RFC 7250 */
  { SSL_HND_HELLO_EXT_SERVER_CERT_TYPE20, "server_certificate_type" }, /* RFC 7250 */
  { SSL_HND_HELLO_EXT_PADDING21, "padding" }, /* RFC 7685 */
  { SSL_HND_HELLO_EXT_ENCRYPT_THEN_MAC22, "encrypt_then_mac" }, /* RFC 7366 */
  { SSL_HND_HELLO_EXT_EXTENDED_MASTER_SECRET23, "extended_master_secret" }, /* RFC 7627 */
  { SSL_HND_HELLO_EXT_TOKEN_BINDING24, "token_binding" }, /* https://tools.ietf.org/html/draft-ietf-tokbind-negotiation */
  { SSL_HND_HELLO_EXT_CACHED_INFO25, "cached_info" }, /* RFC 7924 */
  { SSL_HND_HELLO_EXT_COMPRESS_CERTIFICATE27, "compress_certificate" }, /* https://tools.ietf.org/html/draft-ietf-tls-certificate-compression-03 */
  { SSL_HND_HELLO_EXT_RECORD_SIZE_LIMIT28, "record_size_limit" }, /* RFC 8449 */
  { SSL_HND_HELLO_EXT_DELEGATED_CREDENTIALS34, "delegated_credentials" }, /* draft-ietf-tls-subcerts-10.txt */
  { SSL_HND_HELLO_EXT_SESSION_TICKET_TLS35, "session_ticket" }, /* RFC 5077 / RFC 8447 */
  { SSL_HND_HELLO_EXT_KEY_SHARE_OLD40, "Reserved (key_share)" }, /* https://tools.ietf.org/html/draft-ietf-tls-tls13-22 (removed in -23) */
  { SSL_HND_HELLO_EXT_PRE_SHARED_KEY41, "pre_shared_key" }, /* RFC 8446 */
  { SSL_HND_HELLO_EXT_EARLY_DATA42, "early_data" }, /* RFC 8446 */
  { SSL_HND_HELLO_EXT_SUPPORTED_VERSIONS43, "supported_versions" }, /* RFC 8446 */
  { SSL_HND_HELLO_EXT_COOKIE44, "cookie" }, /* RFC 8446 */
  { SSL_HND_HELLO_EXT_PSK_KEY_EXCHANGE_MODES45, "psk_key_exchange_modes" }, /* RFC 8446 */
  { SSL_HND_HELLO_EXT_TICKET_EARLY_DATA_INFO46, "Reserved (ticket_early_data_info)" }, /* draft-ietf-tls-tls13-18 (removed in -19) */
  { SSL_HND_HELLO_EXT_CERTIFICATE_AUTHORITIES47, "certificate_authorities" }, /* RFC 8446 */
  { SSL_HND_HELLO_EXT_OID_FILTERS48, "oid_filters" }, /* RFC 8446 */
  { SSL_HND_HELLO_EXT_POST_HANDSHAKE_AUTH49, "post_handshake_auth" }, /* RFC 8446 */
  { SSL_HND_HELLO_EXT_SIGNATURE_ALGORITHMS_CERT50, "signature_algorithms_cert" }, /* RFC 8446 */
  { SSL_HND_HELLO_EXT_KEY_SHARE51, "key_share" }, /* RFC 8446 */
  { SSL_HND_HELLO_EXT_TRANSPARENCY_INFO52, "transparency_info" }, /* draft-ietf-trans-rfc6962-bis-41 */
  { SSL_HND_HELLO_EXT_CONNECTION_ID_DEPRECATED53, "connection_id (deprecated)" }, /* draft-ietf-tls-dtls-connection-id-07 */
  { SSL_HND_HELLO_EXT_CONNECTION_ID54, "connection_id" }, /* RFC 9146 */
  { SSL_HND_HELLO_EXT_EXTERNAL_ID_HASH55, "external_id_hash" }, /* RFC 8844 */
  { SSL_HND_HELLO_EXT_EXTERNAL_SESSION_ID56, "external_session_id" }, /* RFC 8844 */
  { SSL_HND_HELLO_EXT_QUIC_TRANSPORT_PARAMETERS_V157, "quic_transport_parameters" }, /* draft-ietf-quic-tls-33 */
  { SSL_HND_HELLO_EXT_TICKET_REQUEST58, "ticket_request" }, /* draft-ietf-tls-ticketrequests-07 */
  { SSL_HND_HELLO_EXT_DNSSEC_CHAIN59, "dnssec_chain" }, /* RFC 9102 */
  { SSL_HND_HELLO_EXT_GREASE_0A0A2570, "Reserved (GREASE)" }, /* RFC 8701 */
  { SSL_HND_HELLO_EXT_GREASE_1A1A6682, "Reserved (GREASE)" }, /* RFC 8701 */
  { SSL_HND_HELLO_EXT_GREASE_2A2A10794, "Reserved (GREASE)" }, /* RFC 8701 */
  { SSL_HND_HELLO_EXT_NPN13172, "next_protocol_negotiation"}, /* https://datatracker.ietf.org/doc/html/draft-agl-tls-nextprotoneg-03 */
  { SSL_HND_HELLO_EXT_GREASE_3A3A14906, "Reserved (GREASE)" }, /* RFC 8701 */
  { SSL_HND_HELLO_EXT_ALPS_OLD17513, "application_settings_old" }, /* draft-vvv-tls-alps-01 */
  { SSL_HND_HELLO_EXT_ALPS17613, "application_settings" }, /* draft-vvv-tls-alps-01 */ /* https://chromestatus.com/feature/5149147365900288 */
  { SSL_HND_HELLO_EXT_GREASE_4A4A19018, "Reserved (GREASE)" }, /* RFC 8701 */
  { SSL_HND_HELLO_EXT_GREASE_5A5A23130, "Reserved (GREASE)" }, /* RFC 8701 */
  { SSL_HND_HELLO_EXT_GREASE_6A6A27242, "Reserved (GREASE)" }, /* RFC 8701 */
  { SSL_HND_HELLO_EXT_CHANNEL_ID_OLD30031, "channel_id_old" }, /* https://tools.ietf.org/html/draft-balfanz-tls-channelid-00
     https://twitter.com/ericlaw/status/274237352531083264 */
  { SSL_HND_HELLO_EXT_CHANNEL_ID30032, "channel_id" }, /* https://tools.ietf.org/html/draft-balfanz-tls-channelid-01
     https://code.google.com/p/chromium/codesearch#chromium/src/net/third_party/nss/ssl/sslt.h&l=209 */
  { SSL_HND_HELLO_EXT_RENEGOTIATION_INFO65281, "renegotiation_info" }, /* RFC 5746 */
  { SSL_HND_HELLO_EXT_GREASE_7A7A31354, "Reserved (GREASE)" }, /* RFC 8701 */
  { SSL_HND_HELLO_EXT_GREASE_8A8A35466, "Reserved (GREASE)" }, /* RFC 8701 */
  { SSL_HND_HELLO_EXT_GREASE_9A9A39578, "Reserved (GREASE)" }, /* RFC 8701 */
  { SSL_HND_HELLO_EXT_GREASE_AAAA43690, "Reserved (GREASE)" }, /* RFC 8701 */
  { SSL_HND_HELLO_EXT_GREASE_BABA47802, "Reserved (GREASE)" }, /* RFC 8701 */
  { SSL_HND_HELLO_EXT_GREASE_CACA51914, "Reserved (GREASE)" }, /* RFC 8701 */
  { SSL_HND_HELLO_EXT_GREASE_DADA56026, "Reserved (GREASE)" }, /* RFC 8701 */
  { SSL_HND_HELLO_EXT_GREASE_EAEA60138, "Reserved (GREASE)" }, /* RFC 8701 */
  { SSL_HND_HELLO_EXT_GREASE_FAFA64250, "Reserved (GREASE)" }, /* RFC 8701 */
  { SSL_HND_HELLO_EXT_QUIC_TRANSPORT_PARAMETERS65445, "quic_transport_parameters (drafts version)" }, /* https://tools.ietf.org/html/draft-ietf-quic-tls */
  { SSL_HND_HELLO_EXT_ENCRYPTED_SERVER_NAME65486, "encrypted_server_name" }, /* https://tools.ietf.org/html/draft-ietf-tls-esni-01 */
  { SSL_HND_HELLO_EXT_ENCRYPTED_CLIENT_HELLO65037, "encrypted_client_hello" }, /* https://datatracker.ietf.org/doc/draft-ietf-tls-esni/17/ */
  { SSL_HND_HELLO_EXT_ECH_OUTER_EXTENSIONS64768, "ech_outer_extensions" }, /* https://datatracker.ietf.org/doc/draft-ietf-tls-esni/17/ */
  { 0, NULL((void*)0) }
1401};

1403const value_string tls_hello_ext_server_name_type_vs[] = {
  { 0, "host_name" },
  { 0, NULL((void*)0) }
1406};

1408/* RFC 6066 Section 4 */
1409const value_string tls_hello_ext_max_fragment_length[] = {
  { 1, "512" },  // 2^9
  { 2, "1024" }, // 2^10
  { 3, "2048" }, // 2^11
  { 4, "4096" }, // 2^12
  { 0, NULL((void*)0) }
1415};

1417/* RFC 8446 Section 4.2.9 */
1418const value_string tls_hello_ext_psk_ke_mode[] = {
  { 0, "PSK-only key establishment (psk_ke)" },
  { 1, "PSK with (EC)DHE key establishment (psk_dhe_ke)" },
  { 0, NULL((void*)0) }
1422};

1424/* RFC 6066 Section 6 */
1425const value_string tls_hello_ext_trusted_ca_key_type[] = {
  {0, "pre_agreed"},
  {1, "key_sha1_hash"},
  {2, "x509_name"},
  {3, "cert_sha1_hash"},
  {0, NULL((void*)0)}
1431};

1433const value_string tls13_key_update_request[] = {
  { 0, "update_not_requested" },
  { 1, "update_requested" },
  { 0, NULL((void*)0) }
1437};

1439/* RFC 5246 7.4.1.4.1 */
1440/* https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml */
1441/* Note that the TLS 1.3 SignatureScheme registry reserves all values
* with first octet 0x00-0x06 and all values with second octet 0x00-0x03
* for backwards compatibility with TLS 1.2 SignatureAndHashAlgorithm.
*
* RFC 8422 and RFC 9189 add official support in TLS 1.2 for some algorithms
* originally defined for TLS 1.3, and extend the TLS SignatureAlgorithm
* and TLS HashAlgorithm registries, but the new values are not compatible
* with all of the TLS 1.3-only SignatureSchemes. Adding those values could
* cause confusion if used to interpret one of those schemes in a
* signature_algorithms extension offered in a TLS 1.3 ClientHello.
*/
1452const value_string tls_hash_algorithm[] = {
  { 0, "None" },
  { 1, "MD5" },
  { 2, "SHA1" },
  { 3, "SHA224" },
  { 4, "SHA256" },
  { 5, "SHA384" },
  { 6, "SHA512" },
1460#if 0
  /* RFC 8422 adds this to the HashAlgorithm registry, but it really
   * only applies to 0x0807 and 0x0808, not for other TLS 1.3
   * SignatureSchemes with 0x08 in the octet used for Hash in TLS 1.2.
   * E.g., we don't want to display this for 0x0806 rsa_pss_rsae_sha512.
   */
  { 8, "Intrinsic" },
1467#endif
  { 0, NULL((void*)0) }
1469};

1471const value_string tls_signature_algorithm[] = {
  { 0, "Anonymous" },
  { 1, "RSA" },
  { 2, "DSA" },
  { 3, "ECDSA" },
1476#if 0
  /* As above. */
  { 7, "ED25519" },
  { 8, "ED448" },
  { 64, "GOSTR34102012_256" },
  { 65, "GOSTR34102012_512" },
1482#endif
  { 0, NULL((void*)0) }
1484};

1486/* RFC 8446 Section 4.2.3 */
1487const value_string tls13_signature_algorithm[] = {
  { 0x0201, "rsa_pkcs1_sha1" },
  { 0x0203, "ecdsa_sha1" },
  { 0x0401, "rsa_pkcs1_sha256" },
  { 0x0403, "ecdsa_secp256r1_sha256" },
  { 0x0420, "rsa_pkcs1_sha256_legacy" }, /* draft-davidben-tls13-pkcs1-01 */
  { 0x0501, "rsa_pkcs1_sha384" },
  { 0x0503, "ecdsa_secp384r1_sha384" },
  { 0x0520, "rsa_pkcs1_sha384_legacy" }, /* draft-davidben-tls13-pkcs1-01 */
  { 0x0601, "rsa_pkcs1_sha512" },
  { 0x0603, "ecdsa_secp521r1_sha512" },
  { 0x0620, "rsa_pkcs1_sha512_legacy" }, /* draft-davidben-tls13-pkcs1-01 */
  { 0x0704, "eccsi_sha256" }, /* draft-wang-tls-raw-public-key-with-ibc-02 */
  { 0x0705, "iso_ibs1" }, /* draft-wang-tls-raw-public-key-with-ibc-02 */
  { 0x0706, "iso_ibs2" }, /* draft-wang-tls-raw-public-key-with-ibc-02 */
  { 0x0707, "iso_chinese_ibs" }, /* draft-wang-tls-raw-public-key-with-ibc-02 */
  { 0x0708, "sm2sig_sm3" },
  { 0x0709, "gostr34102012_256a" }, /* RFC9367 */
  { 0x070a, "gostr34102012_256b" }, /* RFC9367 */
  { 0x070b, "gostr34102012_256c" }, /* RFC9367 */
  { 0x070c, "gostr34102012_256d" }, /* RFC9367 */
  { 0x070d, "gostr34102012_512a" }, /* RFC9367 */
  { 0x070e, "gostr34102012_512b" }, /* RFC9367 */
  { 0x070f, "gostr34102012_512c" }, /* RFC9367 */
  { 0x0804, "rsa_pss_rsae_sha256" },
  { 0x0805, "rsa_pss_rsae_sha384" },
  { 0x0806, "rsa_pss_rsae_sha512" },
  { 0x0807, "ed25519" },
  { 0x0808, "ed448" },
  { 0x0809, "rsa_pss_pss_sha256" },
  { 0x080a, "rsa_pss_pss_sha384" },
  { 0x080b, "rsa_pss_pss_sha512" },
  { 0x081a, "ecdsa_brainpoolP256r1tls13_sha256" }, /* RFC8734 */
  { 0x081b, "ecdsa_brainpoolP384r1tls13_sha384" }, /* RFC8734 */
  { 0x081c, "ecdsa_brainpoolP512r1tls13_sha512" }, /* RFC8734 */
  { 0x0904, "mldsa44" }, /* draft-ietf-tls-mldsa-00 */
  { 0x0905, "mldsa65" }, /* draft-ietf-tls-mldsa-00 */
  { 0x0906, "mldsa87" }, /* draft-ietf-tls-mldsa-00 */
  { 0x0911, "slhdsa_sha2_128s" }, /* draft-reddy-tls-slhdsa-01 */
  { 0x0912, "slhdsa_sha2_128f" }, /* draft-reddy-tls-slhdsa-01 */
  { 0x0913, "slhdsa_sha2_192s" }, /* draft-reddy-tls-slhdsa-01 */
  { 0x0914, "slhdsa_sha2_192f" }, /* draft-reddy-tls-slhdsa-01 */
  { 0x0915, "slhdsa_sha2_256s" }, /* draft-reddy-tls-slhdsa-01 */
  { 0x0916, "slhdsa_sha2_256f" }, /* draft-reddy-tls-slhdsa-01 */
  { 0x0917, "slhdsa_shake_128s" }, /* draft-reddy-tls-slhdsa-01 */
  { 0x0918, "slhdsa_shake_128f" }, /* draft-reddy-tls-slhdsa-01 */
  { 0x0919, "slhdsa_shake_192s" }, /* draft-reddy-tls-slhdsa-01 */
  { 0x091a, "slhdsa_shake_192f" }, /* draft-reddy-tls-slhdsa-01 */
  { 0x091b, "slhdsa_shake_256s" }, /* draft-reddy-tls-slhdsa-01 */
  { 0x091c, "slhdsa_shake_256f" }, /* draft-reddy-tls-slhdsa-01 */
  /* PQC digital signature algorithms from OQS-OpenSSL,
      see https://github.com/open-quantum-safe/oqs-provider/blob/main/oqs-template/oqs-sig-info.md */
  { 0xfea0, "dilithium2" },
  { 0xfea1, "p256_dilithium2" },
  { 0xfea2, "rsa3072_dilithium2" },
  { 0xfea3, "dilithium3" },
  { 0xfea4, "p384_dilithium3" },
  { 0xfea5, "dilithium5" },
  { 0xfea6, "p521_dilithium5" },
  { 0xfea7, "dilithium2_aes" },
  { 0xfea8, "p256_dilithium2_aes" },
  { 0xfea9, "rsa3072_dilithium2_aes" },
  { 0xfeaa, "dilithium3_aes" },
  { 0xfeab, "p384_dilithium3_aes" },
  { 0xfeac, "dilithium5_aes" },
  { 0xfead, "p521_dilithium5_aes" },
  { 0xfe0b, "falcon512" },
  { 0xfe0c, "p256_falcon512" },
  { 0xfe0d, "rsa3072_falcon512" },
  { 0xfe0e, "falcon1024" },
  { 0xfe0f, "p521_falcon1024" },
  { 0xfe96, "picnicl1full" },
  { 0xfe97, "p256_picnicl1full" },
  { 0xfe98, "rsa3072_picnicl1full" },
  { 0xfe1b, "picnic3l1" },
  { 0xfe1c, "p256_picnic3l1" },
  { 0xfe1d, "rsa3072_picnic3l1" },
  { 0xfe27, "rainbowIclassic" },
  { 0xfe28, "p256_rainbowIclassic" },
  { 0xfe29, "rsa3072_rainbowIclassic" },
  { 0xfe3c, "rainbowVclassic" },
  { 0xfe3d, "p521_rainbowVclassic" },
  { 0xfe42, "sphincsharaka128frobust" },
  { 0xfe43, "p256_sphincsharaka128frobust" },
  { 0xfe44, "rsa3072_sphincsharaka128frobust" },
  { 0xfe5e, "sphincssha256128frobust" },
  { 0xfe5f, "p256_sphincssha256128frobust" },
  { 0xfe60, "rsa3072_sphincssha256128frobust" },
  { 0xfe7a, "sphincsshake256128frobust" },
  { 0xfe7b, "p256_sphincsshake256128frobust" },
  { 0xfe7c, "rsa3072_sphincsshake256128frobust" },
  { 0, NULL((void*)0) }
1579};

1581/* RFC 6091 3.1 */
1582const value_string tls_certificate_type[] = {
  { 0, "X.509" },
  { 1, "OpenPGP" },
  { SSL_HND_CERT_TYPE_RAW_PUBLIC_KEY2, "Raw Public Key" }, /* RFC 7250 */
  { 0, NULL((void*)0) }
1587};

1589const value_string tls_cert_chain_type[] = {
  { SSL_HND_CERT_URL_TYPE_INDIVIDUAL_CERT1,    "Individual Certificates" },
  { SSL_HND_CERT_URL_TYPE_PKIPATH2,            "PKI Path" },
  { 0, NULL((void*)0) }
1593};

1595const value_string tls_cert_status_type[] = {
  { SSL_HND_CERT_STATUS_TYPE_OCSP1,            "OCSP" },
  { SSL_HND_CERT_STATUS_TYPE_OCSP_MULTI2,      "OCSP Multi" },
  { 0, NULL((void*)0) }
1599};

1601/* Generated by tools/dissector_generators/generate-tls-ct-logids.py
* Last-Modified Sat, 15 Nov 2025 14:27:28 GMT, 187 entries. */
1603static const bytes_string ct_logids[] = {
  { (const uint8_t[]){
        0xb2, 0x1e, 0x05, 0xcc, 0x8b, 0xa2, 0xcd, 0x8a, 0x20, 0x4e, 0x87,
        0x66, 0xf9, 0x2b, 0xb9, 0x8a, 0x25, 0x20, 0x67, 0x6b, 0xda, 0xfa,
        0x70, 0xe7, 0xb2, 0x49, 0x53, 0x2d, 0xef, 0x8b, 0x90, 0x5e,
    },
    32, "Google 'Argon2020' log" },
  { (const uint8_t[]){
        0xf6, 0x5c, 0x94, 0x2f, 0xd1, 0x77, 0x30, 0x22, 0x14, 0x54, 0x18,
        0x08, 0x30, 0x94, 0x56, 0x8e, 0xe3, 0x4d, 0x13, 0x19, 0x33, 0xbf,
        0xdf, 0x0c, 0x2f, 0x20, 0x0b, 0xcc, 0x4e, 0xf1, 0x64, 0xe3,
    },
    32, "Google 'Argon2021' log" },
  { (const uint8_t[]){
        0x29, 0x79, 0xbe, 0xf0, 0x9e, 0x39, 0x39, 0x21, 0xf0, 0x56, 0x73,
        0x9f, 0x63, 0xa5, 0x77, 0xe5, 0xbe, 0x57, 0x7d, 0x9c, 0x60, 0x0a,
        0xf8, 0xf9, 0x4d, 0x5d, 0x26, 0x5c, 0x25, 0x5d, 0xc7, 0x84,
    },
    32, "Google 'Argon2022' log" },
  { (const uint8_t[]){
        0xe8, 0x3e, 0xd0, 0xda, 0x3e, 0xf5, 0x06, 0x35, 0x32, 0xe7, 0x57,
        0x28, 0xbc, 0x89, 0x6b, 0xc9, 0x03, 0xd3, 0xcb, 0xd1, 0x11, 0x6b,
        0xec, 0xeb, 0x69, 0xe1, 0x77, 0x7d, 0x6d, 0x06, 0xbd, 0x6e,
    },
    32, "Google 'Argon2023' log" },
  { (const uint8_t[]){
        0xee, 0xcd, 0xd0, 0x64, 0xd5, 0xdb, 0x1a, 0xce, 0xc5, 0x5c, 0xb7,
        0x9d, 0xb4, 0xcd, 0x13, 0xa2, 0x32, 0x87, 0x46, 0x7c, 0xbc, 0xec,
        0xde, 0xc3, 0x51, 0x48, 0x59, 0x46, 0x71, 0x1f, 0xb5, 0x9b,
    },
    32, "Google 'Argon2024' log" },
  { (const uint8_t[]){
        0x4e, 0x75, 0xa3, 0x27, 0x5c, 0x9a, 0x10, 0xc3, 0x38, 0x5b, 0x6c,
        0xd4, 0xdf, 0x3f, 0x52, 0xeb, 0x1d, 0xf0, 0xe0, 0x8e, 0x1b, 0x8d,
        0x69, 0xc0, 0xb1, 0xfa, 0x64, 0xb1, 0x62, 0x9a, 0x39, 0xdf,
    },
    32, "Google 'Argon2025h1' log" },
  { (const uint8_t[]){
        0x12, 0xf1, 0x4e, 0x34, 0xbd, 0x53, 0x72, 0x4c, 0x84, 0x06, 0x19,
        0xc3, 0x8f, 0x3f, 0x7a, 0x13, 0xf8, 0xe7, 0xb5, 0x62, 0x87, 0x88,
        0x9c, 0x6d, 0x30, 0x05, 0x84, 0xeb, 0xe5, 0x86, 0x26, 0x3a,
    },
    32, "Google 'Argon2025h2' log" },
  { (const uint8_t[]){
        0x0e, 0x57, 0x94, 0xbc, 0xf3, 0xae, 0xa9, 0x3e, 0x33, 0x1b, 0x2c,
        0x99, 0x07, 0xb3, 0xf7, 0x90, 0xdf, 0x9b, 0xc2, 0x3d, 0x71, 0x32,
        0x25, 0xdd, 0x21, 0xa9, 0x25, 0xac, 0x61, 0xc5, 0x4e, 0x21,
    },
    32, "Google 'Argon2026h1' log" },
  { (const uint8_t[]){
        0xd7, 0x6d, 0x7d, 0x10, 0xd1, 0xa7, 0xf5, 0x77, 0xc2, 0xc7, 0xe9,
        0x5f, 0xd7, 0x00, 0xbf, 0xf9, 0x82, 0xc9, 0x33, 0x5a, 0x65, 0xe1,
        0xd0, 0xb3, 0x01, 0x73, 0x17, 0xc0, 0xc8, 0xc5, 0x69, 0x77,
    },
    32, "Google 'Argon2026h2' log" },
  { (const uint8_t[]){
        0xd6, 0xd5, 0x8d, 0xa9, 0xd0, 0x17, 0x53, 0xf3, 0x6a, 0x4a, 0xa0,
        0xc7, 0x57, 0x49, 0x02, 0xaf, 0xeb, 0xc7, 0xdc, 0x2c, 0xd3, 0x8c,
        0xd9, 0xf7, 0x64, 0xc8, 0x0c, 0x89, 0x19, 0x1e, 0x9f, 0x02,
    },
    32, "Google 'Argon2027h1'" },
  { (const uint8_t[]){
        0x07, 0xb7, 0x5c, 0x1b, 0xe5, 0x7d, 0x68, 0xff, 0xf1, 0xb0, 0xc6,
        0x1d, 0x23, 0x15, 0xc7, 0xba, 0xe6, 0x57, 0x7c, 0x57, 0x94, 0xb7,
        0x6a, 0xee, 0xbc, 0x61, 0x3a, 0x1a, 0x69, 0xd3, 0xa2, 0x1c,
    },
    32, "Google 'Xenon2020' log" },
  { (const uint8_t[]){
        0x7d, 0x3e, 0xf2, 0xf8, 0x8f, 0xff, 0x88, 0x55, 0x68, 0x24, 0xc2,
        0xc0, 0xca, 0x9e, 0x52, 0x89, 0x79, 0x2b, 0xc5, 0x0e, 0x78, 0x09,
        0x7f, 0x2e, 0x6a, 0x97, 0x68, 0x99, 0x7e, 0x22, 0xf0, 0xd7,
    },
    32, "Google 'Xenon2021' log" },
  { (const uint8_t[]){
        0x46, 0xa5, 0x55, 0xeb, 0x75, 0xfa, 0x91, 0x20, 0x30, 0xb5, 0xa2,
        0x89, 0x69, 0xf4, 0xf3, 0x7d, 0x11, 0x2c, 0x41, 0x74, 0xbe, 0xfd,
        0x49, 0xb8, 0x85, 0xab, 0xf2, 0xfc, 0x70, 0xfe, 0x6d, 0x47,
    },
    32, "Google 'Xenon2022' log" },
  { (const uint8_t[]){
        0xad, 0xf7, 0xbe, 0xfa, 0x7c, 0xff, 0x10, 0xc8, 0x8b, 0x9d, 0x3d,
        0x9c, 0x1e, 0x3e, 0x18, 0x6a, 0xb4, 0x67, 0x29, 0x5d, 0xcf, 0xb1,
        0x0c, 0x24, 0xca, 0x85, 0x86, 0x34, 0xeb, 0xdc, 0x82, 0x8a,
    },
    32, "Google 'Xenon2023' log" },
  { (const uint8_t[]){
        0x76, 0xff, 0x88, 0x3f, 0x0a, 0xb6, 0xfb, 0x95, 0x51, 0xc2, 0x61,
        0xcc, 0xf5, 0x87, 0xba, 0x34, 0xb4, 0xa4, 0xcd, 0xbb, 0x29, 0xdc,
        0x68, 0x42, 0x0a, 0x9f, 0xe6, 0x67, 0x4c, 0x5a, 0x3a, 0x74,
    },
    32, "Google 'Xenon2024' log" },
  { (const uint8_t[]){
        0xcf, 0x11, 0x56, 0xee, 0xd5, 0x2e, 0x7c, 0xaf, 0xf3, 0x87, 0x5b,
        0xd9, 0x69, 0x2e, 0x9b, 0xe9, 0x1a, 0x71, 0x67, 0x4a, 0xb0, 0x17,
        0xec, 0xac, 0x01, 0xd2, 0x5b, 0x77, 0xce, 0xcc, 0x3b, 0x08,
    },
    32, "Google 'Xenon2025h1' log" },
  { (const uint8_t[]){
        0xdd, 0xdc, 0xca, 0x34, 0x95, 0xd7, 0xe1, 0x16, 0x05, 0xe7, 0x95,
        0x32, 0xfa, 0xc7, 0x9f, 0xf8, 0x3d, 0x1c, 0x50, 0xdf, 0xdb, 0x00,
        0x3a, 0x14, 0x12, 0x76, 0x0a, 0x2c, 0xac, 0xbb, 0xc8, 0x2a,
    },
    32, "Google 'Xenon2025h2' log" },
  { (const uint8_t[]){
        0x96, 0x97, 0x64, 0xbf, 0x55, 0x58, 0x97, 0xad, 0xf7, 0x43, 0x87,
        0x68, 0x37, 0x08, 0x42, 0x77, 0xe9, 0xf0, 0x3a, 0xd5, 0xf6, 0xa4,
        0xf3, 0x36, 0x6e, 0x46, 0xa4, 0x3f, 0x0f, 0xca, 0xa9, 0xc6,
    },
    32, "Google 'Xenon2026h1' log" },
  { (const uint8_t[]){
        0xd8, 0x09, 0x55, 0x3b, 0x94, 0x4f, 0x7a, 0xff, 0xc8, 0x16, 0x19,
        0x6f, 0x94, 0x4f, 0x85, 0xab, 0xb0, 0xf8, 0xfc, 0x5e, 0x87, 0x55,
        0x26, 0x0f, 0x15, 0xd1, 0x2e, 0x72, 0xbb, 0x45, 0x4b, 0x14,
    },
    32, "Google 'Xenon2026h2' log" },
  { (const uint8_t[]){
        0x44, 0xc2, 0xbd, 0x0c, 0xe9, 0x14, 0x0e, 0x64, 0xa5, 0xc9, 0x4a,
        0x01, 0x93, 0x0a, 0x5a, 0xa1, 0xbb, 0x35, 0x97, 0x0e, 0x00, 0xee,
        0x11, 0x16, 0x89, 0x68, 0x2a, 0x1c, 0x44, 0xd7, 0xb5, 0x66,
    },
    32, "Google 'Xenon2027h1'" },
  { (const uint8_t[]){
        0x68, 0xf6, 0x98, 0xf8, 0x1f, 0x64, 0x82, 0xbe, 0x3a, 0x8c, 0xee,
        0xb9, 0x28, 0x1d, 0x4c, 0xfc, 0x71, 0x51, 0x5d, 0x67, 0x93, 0xd4,
        0x44, 0xd1, 0x0a, 0x67, 0xac, 0xbb, 0x4f, 0x4f, 0xfb, 0xc4,
    },
    32, "Google 'Aviator' log" },
  { (const uint8_t[]){
        0x29, 0x3c, 0x51, 0x96, 0x54, 0xc8, 0x39, 0x65, 0xba, 0xaa, 0x50,
        0xfc, 0x58, 0x07, 0xd4, 0xb7, 0x6f, 0xbf, 0x58, 0x7a, 0x29, 0x72,
        0xdc, 0xa4, 0xc3, 0x0c, 0xf4, 0xe5, 0x45, 0x47, 0xf4, 0x78,
    },
    32, "Google 'Icarus' log" },
  { (const uint8_t[]){
        0xa4, 0xb9, 0x09, 0x90, 0xb4, 0x18, 0x58, 0x14, 0x87, 0xbb, 0x13,
        0xa2, 0xcc, 0x67, 0x70, 0x0a, 0x3c, 0x35, 0x98, 0x04, 0xf9, 0x1b,
        0xdf, 0xb8, 0xe3, 0x77, 0xcd, 0x0e, 0xc8, 0x0d, 0xdc, 0x10,
    },
    32, "Google 'Pilot' log" },
  { (const uint8_t[]){
        0xee, 0x4b, 0xbd, 0xb7, 0x75, 0xce, 0x60, 0xba, 0xe1, 0x42, 0x69,
        0x1f, 0xab, 0xe1, 0x9e, 0x66, 0xa3, 0x0f, 0x7e, 0x5f, 0xb0, 0x72,
        0xd8, 0x83, 0x00, 0xc4, 0x7b, 0x89, 0x7a, 0xa8, 0xfd, 0xcb,
    },
    32, "Google 'Rocketeer' log" },
  { (const uint8_t[]){
        0xbb, 0xd9, 0xdf, 0xbc, 0x1f, 0x8a, 0x71, 0xb5, 0x93, 0x94, 0x23,
        0x97, 0xaa, 0x92, 0x7b, 0x47, 0x38, 0x57, 0x95, 0x0a, 0xab, 0x52,
        0xe8, 0x1a, 0x90, 0x96, 0x64, 0x36, 0x8e, 0x1e, 0xd1, 0x85,
    },
    32, "Google 'Skydiver' log" },
  { (const uint8_t[]){
        0xfa, 0xd4, 0xc9, 0x7c, 0xc4, 0x9e, 0xe2, 0xf8, 0xac, 0x85, 0xc5,
        0xea, 0x5c, 0xea, 0x09, 0xd0, 0x22, 0x0d, 0xbb, 0xf4, 0xe4, 0x9c,
        0x6b, 0x50, 0x66, 0x2f, 0xf8, 0x68, 0xf8, 0x6b, 0x8c, 0x28,
    },
    32, "Google 'Argon2017' log" },
  { (const uint8_t[]){
        0xa4, 0x50, 0x12, 0x69, 0x05, 0x5a, 0x15, 0x54, 0x5e, 0x62, 0x11,
        0xab, 0x37, 0xbc, 0x10, 0x3f, 0x62, 0xae, 0x55, 0x76, 0xa4, 0x5e,
        0x4b, 0x17, 0x14, 0x45, 0x3e, 0x1b, 0x22, 0x10, 0x6a, 0x25,
    },
    32, "Google 'Argon2018' log" },
  { (const uint8_t[]){
        0x63, 0xf2, 0xdb, 0xcd, 0xe8, 0x3b, 0xcc, 0x2c, 0xcf, 0x0b, 0x72,
        0x84, 0x27, 0x57, 0x6b, 0x33, 0xa4, 0x8d, 0x61, 0x77, 0x8f, 0xbd,
        0x75, 0xa6, 0x38, 0xb1, 0xc7, 0x68, 0x54, 0x4b, 0xd8, 0x8d,
    },
    32, "Google 'Argon2019' log" },
  { (const uint8_t[]){
        0xb1, 0x0c, 0xd5, 0x59, 0xa6, 0xd6, 0x78, 0x46, 0x81, 0x1f, 0x7d,
        0xf9, 0xa5, 0x15, 0x32, 0x73, 0x9a, 0xc4, 0x8d, 0x70, 0x3b, 0xea,
        0x03, 0x23, 0xda, 0x5d, 0x38, 0x75, 0x5b, 0xc0, 0xad, 0x4e,
    },
    32, "Google 'Xenon2018' log" },
  { (const uint8_t[]){
        0x08, 0x41, 0x14, 0x98, 0x00, 0x71, 0x53, 0x2c, 0x16, 0x19, 0x04,
        0x60, 0xbc, 0xfc, 0x47, 0xfd, 0xc2, 0x65, 0x3a, 0xfa, 0x29, 0x2c,
        0x72, 0xb3, 0x7f, 0xf8, 0x63, 0xae, 0x29, 0xcc, 0xc9, 0xf0,
    },
    32, "Google 'Xenon2019' log" },
  { (const uint8_t[]){
        0xa8, 0x99, 0xd8, 0x78, 0x0c, 0x92, 0x90, 0xaa, 0xf4, 0x62, 0xf3,
        0x18, 0x80, 0xcc, 0xfb, 0xd5, 0x24, 0x51, 0xe9, 0x70, 0xd0, 0xfb,
        0xf5, 0x91, 0xef, 0x75, 0xb0, 0xd9, 0x9b, 0x64, 0x56, 0x81,
    },
    32, "Google 'Submariner' log" },
  { (const uint8_t[]){
        0x1d, 0x02, 0x4b, 0x8e, 0xb1, 0x49, 0x8b, 0x34, 0x4d, 0xfd, 0x87,
        0xea, 0x3e, 0xfc, 0x09, 0x96, 0xf7, 0x50, 0x6f, 0x23, 0x5d, 0x1d,
        0x49, 0x70, 0x61, 0xa4, 0x77, 0x3c, 0x43, 0x9c, 0x25, 0xfb,
    },
    32, "Google 'Daedalus' log" },
  { (const uint8_t[]){
        0xb0, 0xcc, 0x83, 0xe5, 0xa5, 0xf9, 0x7d, 0x6b, 0xaf, 0x7c, 0x09,
        0xcc, 0x28, 0x49, 0x04, 0x87, 0x2a, 0xc7, 0xe8, 0x8b, 0x13, 0x2c,
        0x63, 0x50, 0xb7, 0xc6, 0xfd, 0x26, 0xe1, 0x6c, 0x6c, 0x77,
    },
    32, "Google 'Testtube' log" },
  { (const uint8_t[]){
        0xc3, 0xbf, 0x03, 0xa7, 0xe1, 0xca, 0x88, 0x41, 0xc6, 0x07, 0xba,
        0xe3, 0xff, 0x42, 0x70, 0xfc, 0xa5, 0xec, 0x45, 0xb1, 0x86, 0xeb,
        0xbe, 0x4e, 0x2c, 0xf3, 0xfc, 0x77, 0x86, 0x30, 0xf5, 0xf6,
    },
    32, "Google 'Crucible' log" },
  { (const uint8_t[]){
        0x52, 0xeb, 0x4b, 0x22, 0x5e, 0xc8, 0x96, 0x97, 0x48, 0x50, 0x67,
        0x5f, 0x23, 0xe4, 0x3b, 0xc1, 0xd0, 0x21, 0xe3, 0x21, 0x4c, 0xe5,
        0x2e, 0xcd, 0x5f, 0xa8, 0x7c, 0x20, 0x3c, 0xdf, 0xca, 0x03,
    },
    32, "Google 'Solera2018' log" },
  { (const uint8_t[]){
        0x0b, 0x76, 0x0e, 0x9a, 0x8b, 0x9a, 0x68, 0x2f, 0x88, 0x98, 0x5b,
        0x15, 0xe9, 0x47, 0x50, 0x1a, 0x56, 0x44, 0x6b, 0xba, 0x88, 0x30,
        0x78, 0x5c, 0x38, 0x42, 0x99, 0x43, 0x86, 0x45, 0x0c, 0x00,
    },
    32, "Google 'Solera2019' log" },
  { (const uint8_t[]){
        0x1f, 0xc7, 0x2c, 0xe5, 0xa1, 0xb7, 0x99, 0xf4, 0x00, 0xc3, 0x59,
        0xbf, 0xf9, 0x6c, 0xa3, 0x91, 0x35, 0x48, 0xe8, 0x64, 0x42, 0x20,
        0x61, 0x09, 0x52, 0xe9, 0xba, 0x17, 0x74, 0xf7, 0xba, 0xc7,
    },
    32, "Google 'Solera2020' log" },
  { (const uint8_t[]){
        0xa3, 0xc9, 0x98, 0x45, 0xe8, 0x0a, 0xb7, 0xce, 0x00, 0x15, 0x7b,
        0x37, 0x42, 0xdf, 0x02, 0x07, 0xdd, 0x27, 0x2b, 0x2b, 0x60, 0x2e,
        0xcf, 0x98, 0xee, 0x2c, 0x12, 0xdb, 0x9c, 0x5a, 0xe7, 0xe7,
    },
    32, "Google 'Solera2021' log" },
  { (const uint8_t[]){
        0x69, 0x7a, 0xaf, 0xca, 0x1a, 0x6b, 0x53, 0x6f, 0xae, 0x21, 0x20,
        0x50, 0x46, 0xde, 0xba, 0xd7, 0xe0, 0xea, 0xea, 0x13, 0xd2, 0x43,
        0x2e, 0x6e, 0x9d, 0x8f, 0xb3, 0x79, 0xf2, 0xb9, 0xaa, 0xf3,
    },
    32, "Google 'Solera2022' log" },
  { (const uint8_t[]){
        0xf9, 0x7e, 0x97, 0xb8, 0xd3, 0x3e, 0xf7, 0xa1, 0x59, 0x02, 0xa5,
        0x3a, 0x19, 0xe1, 0x79, 0x90, 0xe5, 0xdc, 0x40, 0x6a, 0x03, 0x18,
        0x25, 0xba, 0xad, 0x93, 0xe9, 0x8f, 0x9b, 0x9c, 0x69, 0xcb,
    },
    32, "Google 'Solera2023' log" },
  { (const uint8_t[]){
        0x30, 0x24, 0xce, 0x7e, 0xeb, 0x16, 0x88, 0x62, 0x72, 0x4b, 0xea,
        0x70, 0x2e, 0xff, 0xf9, 0x92, 0xcf, 0xe4, 0x56, 0x43, 0x41, 0x91,
        0xaa, 0x59, 0x5b, 0x25, 0xf8, 0x02, 0x26, 0xc8, 0x00, 0x17,
    },
    32, "Google 'Solera2024' log" },
  { (const uint8_t[]){
        0x3f, 0xe1, 0xcb, 0x46, 0xed, 0x47, 0x35, 0x79, 0xaf, 0x01, 0x41,
        0xf9, 0x72, 0x4d, 0x9d, 0xc4, 0x43, 0x47, 0x2d, 0x75, 0x6e, 0x85,
        0xe7, 0x71, 0x9c, 0x55, 0x82, 0x48, 0x5d, 0xd4, 0xe1, 0xe4,
    },
    32, "Google 'Solera2025h1' log" },
  { (const uint8_t[]){
        0x26, 0x02, 0x39, 0x48, 0x87, 0x4c, 0xf7, 0xfc, 0xd0, 0xfb, 0x64,
        0x71, 0xa4, 0x3e, 0x84, 0x7e, 0xbb, 0x20, 0x0a, 0xe6, 0xe2, 0xfa,
        0x24, 0x23, 0x6d, 0xf6, 0xd1, 0xa6, 0x06, 0x63, 0x0f, 0xb1,
    },
    32, "Google 'Solera2025h2' log" },
  { (const uint8_t[]){
        0xc8, 0x4b, 0x90, 0x7a, 0x07, 0xbe, 0xaa, 0x29, 0xa6, 0x14, 0xc2,
        0x45, 0x84, 0xb7, 0xa3, 0xf6, 0x62, 0x43, 0x94, 0x68, 0x7b, 0x25,
        0xfe, 0x62, 0x83, 0x8b, 0x71, 0xec, 0x42, 0x2a, 0xd2, 0xf9,
    },
    32, "Google 'Solera2026h1' log" },
  { (const uint8_t[]){
        0x62, 0xe9, 0x00, 0x60, 0x04, 0xa3, 0x07, 0x95, 0x5a, 0x75, 0x44,
        0xb4, 0xd5, 0x84, 0xa9, 0x62, 0x68, 0xca, 0x1d, 0x6e, 0x45, 0x85,
        0xad, 0xf0, 0x91, 0x6d, 0xfe, 0x5f, 0xdc, 0x1f, 0x04, 0xdb,
    },
    32, "Google 'Solera2026h2' log" },
  { (const uint8_t[]){
        0x3d, 0xe4, 0x92, 0xa8, 0x98, 0x93, 0xad, 0x70, 0x5e, 0x78, 0x46,
        0xed, 0x21, 0xd4, 0x8d, 0xca, 0xfb, 0xad, 0x13, 0x9e, 0xa6, 0x4e,
        0xd1, 0xe3, 0x49, 0xf9, 0x00, 0xb0, 0xa2, 0xcd, 0xa5, 0xe2,
    },
    32, "Google 'Solera2027h1' log" },
  { (const uint8_t[]){
        0x5e, 0xa7, 0x73, 0xf9, 0xdf, 0x56, 0xc0, 0xe7, 0xb5, 0x36, 0x48,
        0x7d, 0xd0, 0x49, 0xe0, 0x32, 0x7a, 0x91, 0x9a, 0x0c, 0x84, 0xa1,
        0x12, 0x12, 0x84, 0x18, 0x75, 0x96, 0x81, 0x71, 0x45, 0x58,
    },
    32, "Cloudflare 'Nimbus2020' Log" },
  { (const uint8_t[]){
        0x44, 0x94, 0x65, 0x2e, 0xb0, 0xee, 0xce, 0xaf, 0xc4, 0x40, 0x07,
        0xd8, 0xa8, 0xfe, 0x28, 0xc0, 0xda, 0xe6, 0x82, 0xbe, 0xd8, 0xcb,
        0x31, 0xb5, 0x3f, 0xd3, 0x33, 0x96, 0xb5, 0xb6, 0x81, 0xa8,
    },
    32, "Cloudflare 'Nimbus2021' Log" },
  { (const uint8_t[]){
        0x41, 0xc8, 0xca, 0xb1, 0xdf, 0x22, 0x46, 0x4a, 0x10, 0xc6, 0xa1,
        0x3a, 0x09, 0x42, 0x87, 0x5e, 0x4e, 0x31, 0x8b, 0x1b, 0x03, 0xeb,
        0xeb, 0x4b, 0xc7, 0x68, 0xf0, 0x90, 0x62, 0x96, 0x06, 0xf6,
    },
    32, "Cloudflare 'Nimbus2022' Log" },
  { (const uint8_t[]){
        0x7a, 0x32, 0x8c, 0x54, 0xd8, 0xb7, 0x2d, 0xb6, 0x20, 0xea, 0x38,
        0xe0, 0x52, 0x1e, 0xe9, 0x84, 0x16, 0x70, 0x32, 0x13, 0x85, 0x4d,
        0x3b, 0xd2, 0x2b, 0xc1, 0x3a, 0x57, 0xa3, 0x52, 0xeb, 0x52,
    },
    32, "Cloudflare 'Nimbus2023' Log" },
  { (const uint8_t[]){
        0xda, 0xb6, 0xbf, 0x6b, 0x3f, 0xb5, 0xb6, 0x22, 0x9f, 0x9b, 0xc2,
        0xbb, 0x5c, 0x6b, 0xe8, 0x70, 0x91, 0x71, 0x6c, 0xbb, 0x51, 0x84,
        0x85, 0x34, 0xbd, 0xa4, 0x3d, 0x30, 0x48, 0xd7, 0xfb, 0xab,
    },
    32, "Cloudflare 'Nimbus2024' Log" },
  { (const uint8_t[]){
        0xcc, 0xfb, 0x0f, 0x6a, 0x85, 0x71, 0x09, 0x65, 0xfe, 0x95, 0x9b,
        0x53, 0xce, 0xe9, 0xb2, 0x7c, 0x22, 0xe9, 0x85, 0x5c, 0x0d, 0x97,
        0x8d, 0xb6, 0xa9, 0x7e, 0x54, 0xc0, 0xfe, 0x4c, 0x0d, 0xb0,
    },
    32, "Cloudflare 'Nimbus2025'" },
  { (const uint8_t[]){
        0xcb, 0x38, 0xf7, 0x15, 0x89, 0x7c, 0x84, 0xa1, 0x44, 0x5f, 0x5b,
        0xc1, 0xdd, 0xfb, 0xc9, 0x6e, 0xf2, 0x9a, 0x59, 0xcd, 0x47, 0x0a,
        0x69, 0x05, 0x85, 0xb0, 0xcb, 0x14, 0xc3, 0x14, 0x58, 0xe7,
    },
    32, "Cloudflare 'Nimbus2026'" },
  { (const uint8_t[]){
        0x4c, 0x63, 0xdc, 0x98, 0xe5, 0x9c, 0x1d, 0xab, 0x88, 0xf6, 0x1e,
        0x8a, 0x3d, 0xde, 0xae, 0x8f, 0xab, 0x44, 0xa3, 0x37, 0x7b, 0x5f,
        0x9b, 0x94, 0xc3, 0xfb, 0xa1, 0x9c, 0xfc, 0xc1, 0xbe, 0x26,
    },
    32, "Cloudflare 'Nimbus2027'" },
  { (const uint8_t[]){
        0x1f, 0xbc, 0x36, 0xe0, 0x02, 0xed, 0xe9, 0x7f, 0x40, 0x19, 0x9e,
        0x86, 0xb3, 0x57, 0x3b, 0x8a, 0x42, 0x17, 0xd8, 0x01, 0x87, 0x74,
        0x6a, 0xd0, 0xda, 0x03, 0xa0, 0x60, 0x54, 0xd2, 0x0d, 0xf4,
    },
    32, "Cloudflare 'Nimbus2017' Log" },
  { (const uint8_t[]){
        0xdb, 0x74, 0xaf, 0xee, 0xcb, 0x29, 0xec, 0xb1, 0xfe, 0xca, 0x3e,
        0x71, 0x6d, 0x2c, 0xe5, 0xb9, 0xaa, 0xbb, 0x36, 0xf7, 0x84, 0x71,
        0x83, 0xc7, 0x5d, 0x9d, 0x4f, 0x37, 0xb6, 0x1f, 0xbf, 0x64,
    },
    32, "Cloudflare 'Nimbus2018' Log" },
  { (const uint8_t[]){
        0x74, 0x7e, 0xda, 0x83, 0x31, 0xad, 0x33, 0x10, 0x91, 0x21, 0x9c,
        0xce, 0x25, 0x4f, 0x42, 0x70, 0xc2, 0xbf, 0xfd, 0x5e, 0x42, 0x20,
        0x08, 0xc6, 0x37, 0x35, 0x79, 0xe6, 0x10, 0x7b, 0xcc, 0x56,
    },
    32, "Cloudflare 'Nimbus2019' Log" },
  { (const uint8_t[]){
        0x56, 0x14, 0x06, 0x9a, 0x2f, 0xd7, 0xc2, 0xec, 0xd3, 0xf5, 0xe1,
        0xbd, 0x44, 0xb2, 0x3e, 0xc7, 0x46, 0x76, 0xb9, 0xbc, 0x99, 0x11,
        0x5c, 0xc0, 0xef, 0x94, 0x98, 0x55, 0xd6, 0x89, 0xd0, 0xdd,
    },
    32, "DigiCert Log Server" },
  { (const uint8_t[]){
        0x87, 0x75, 0xbf, 0xe7, 0x59, 0x7c, 0xf8, 0x8c, 0x43, 0x99, 0x5f,
        0xbd, 0xf3, 0x6e, 0xff, 0x56, 0x8d, 0x47, 0x56, 0x36, 0xff, 0x4a,
        0xb5, 0x60, 0xc1, 0xb4, 0xea, 0xff, 0x5e, 0xa0, 0x83, 0x0f,
    },
    32, "DigiCert Log Server 2" },
  { (const uint8_t[]){
        0xf0, 0x95, 0xa4, 0x59, 0xf2, 0x00, 0xd1, 0x82, 0x40, 0x10, 0x2d,
        0x2f, 0x93, 0x88, 0x8e, 0xad, 0x4b, 0xfe, 0x1d, 0x47, 0xe3, 0x99,
        0xe1, 0xd0, 0x34, 0xa6, 0xb0, 0xa8, 0xaa, 0x8e, 0xb2, 0x73,
    },
    32, "DigiCert Yeti2020 Log" },
  { (const uint8_t[]){
        0x5c, 0xdc, 0x43, 0x92, 0xfe, 0xe6, 0xab, 0x45, 0x44, 0xb1, 0x5e,
        0x9a, 0xd4, 0x56, 0xe6, 0x10, 0x37, 0xfb, 0xd5, 0xfa, 0x47, 0xdc,
        0xa1, 0x73, 0x94, 0xb2, 0x5e, 0xe6, 0xf6, 0xc7, 0x0e, 0xca,
    },
    32, "DigiCert Yeti2021 Log" },
  { (const uint8_t[]){
        0x22, 0x45, 0x45, 0x07, 0x59, 0x55, 0x24, 0x56, 0x96, 0x3f, 0xa1,
        0x2f, 0xf1, 0xf7, 0x6d, 0x86, 0xe0, 0x23, 0x26, 0x63, 0xad, 0xc0,
        0x4b, 0x7f, 0x5d, 0xc6, 0x83, 0x5c, 0x6e, 0xe2, 0x0f, 0x02,
    },
    32, "DigiCert Yeti2022 Log" },
  { (const uint8_t[]){
        0x35, 0xcf, 0x19, 0x1b, 0xbf, 0xb1, 0x6c, 0x57, 0xbf, 0x0f, 0xad,
        0x4c, 0x6d, 0x42, 0xcb, 0xbb, 0xb6, 0x27, 0x20, 0x26, 0x51, 0xea,
        0x3f, 0xe1, 0x2a, 0xef, 0xa8, 0x03, 0xc3, 0x3b, 0xd6, 0x4c,
    },
    32, "DigiCert Yeti2023 Log" },
  { (const uint8_t[]){
        0x48, 0xb0, 0xe3, 0x6b, 0xda, 0xa6, 0x47, 0x34, 0x0f, 0xe5, 0x6a,
        0x02, 0xfa, 0x9d, 0x30, 0xeb, 0x1c, 0x52, 0x01, 0xcb, 0x56, 0xdd,
        0x2c, 0x81, 0xd9, 0xbb, 0xbf, 0xab, 0x39, 0xd8, 0x84, 0x73,
    },
    32, "DigiCert Yeti2024 Log" },
  { (const uint8_t[]){
        0x7d, 0x59, 0x1e, 0x12, 0xe1, 0x78, 0x2a, 0x7b, 0x1c, 0x61, 0x67,
        0x7c, 0x5e, 0xfd, 0xf8, 0xd0, 0x87, 0x5c, 0x14, 0xa0, 0x4e, 0x95,
        0x9e, 0xb9, 0x03, 0x2f, 0xd9, 0x0e, 0x8c, 0x2e, 0x79, 0xb8,
    },
    32, "DigiCert Yeti2025 Log" },
  { (const uint8_t[]){
        0xc6, 0x52, 0xa0, 0xec, 0x48, 0xce, 0xb3, 0xfc, 0xab, 0x17, 0x09,
        0x92, 0xc4, 0x3a, 0x87, 0x41, 0x33, 0x09, 0xe8, 0x00, 0x65, 0xa2,
        0x62, 0x52, 0x40, 0x1b, 0xa3, 0x36, 0x2a, 0x17, 0xc5, 0x65,
    },
    32, "DigiCert Nessie2020 Log" },
  { (const uint8_t[]){
        0xee, 0xc0, 0x95, 0xee, 0x8d, 0x72, 0x64, 0x0f, 0x92, 0xe3, 0xc3,
        0xb9, 0x1b, 0xc7, 0x12, 0xa3, 0x69, 0x6a, 0x09, 0x7b, 0x4b, 0x6a,
        0x1a, 0x14, 0x38, 0xe6, 0x47, 0xb2, 0xcb, 0xed, 0xc5, 0xf9,
    },
    32, "DigiCert Nessie2021 Log" },
  { (const uint8_t[]){
        0x51, 0xa3, 0xb0, 0xf5, 0xfd, 0x01, 0x79, 0x9c, 0x56, 0x6d, 0xb8,
        0x37, 0x78, 0x8f, 0x0c, 0xa4, 0x7a, 0xcc, 0x1b, 0x27, 0xcb, 0xf7,
        0x9e, 0x88, 0x42, 0x9a, 0x0d, 0xfe, 0xd4, 0x8b, 0x05, 0xe5,
    },
    32, "DigiCert Nessie2022 Log" },
  { (const uint8_t[]){
        0xb3, 0x73, 0x77, 0x07, 0xe1, 0x84, 0x50, 0xf8, 0x63, 0x86, 0xd6,
        0x05, 0xa9, 0xdc, 0x11, 0x09, 0x4a, 0x79, 0x2d, 0xb1, 0x67, 0x0c,
        0x0b, 0x87, 0xdc, 0xf0, 0x03, 0x0e, 0x79, 0x36, 0xa5, 0x9a,
    },
    32, "DigiCert Nessie2023 Log" },
  { (const uint8_t[]){
        0x73, 0xd9, 0x9e, 0x89, 0x1b, 0x4c, 0x96, 0x78, 0xa0, 0x20, 0x7d,
        0x47, 0x9d, 0xe6, 0xb2, 0xc6, 0x1c, 0xd0, 0x51, 0x5e, 0x71, 0x19,
        0x2a, 0x8c, 0x6b, 0x80, 0x10, 0x7a, 0xc1, 0x77, 0x72, 0xb5,
    },
    32, "DigiCert Nessie2024 Log" },
  { (const uint8_t[]){
        0xe6, 0xd2, 0x31, 0x63, 0x40, 0x77, 0x8c, 0xc1, 0x10, 0x41, 0x06,
        0xd7, 0x71, 0xb9, 0xce, 0xc1, 0xd2, 0x40, 0xf6, 0x96, 0x84, 0x86,
        0xfb, 0xba, 0x87, 0x32, 0x1d, 0xfd, 0x1e, 0x37, 0x8e, 0x50,
    },
    32, "DigiCert Nessie2025 Log" },
  { (const uint8_t[]){
        0xb6, 0x9d, 0xdc, 0xbc, 0x3c, 0x1a, 0xbd, 0xef, 0x6f, 0x9f, 0xd6,
        0x0c, 0x88, 0xb1, 0x06, 0x7b, 0x77, 0xf0, 0x82, 0x68, 0x8b, 0x2d,
        0x78, 0x65, 0xd0, 0x4b, 0x39, 0xab, 0xe9, 0x27, 0xa5, 0x75,
    },
    32, "DigiCert 'Wyvern2024h1' Log" },
  { (const uint8_t[]){
        0x0c, 0x2a, 0xef, 0x2c, 0x4a, 0x5b, 0x98, 0x83, 0xd4, 0xdd, 0xa3,
        0x82, 0xfe, 0x50, 0xfb, 0x51, 0x88, 0xb3, 0xe9, 0x73, 0x33, 0xa1,
        0xec, 0x53, 0xa0, 0x9d, 0xc9, 0xa7, 0x9d, 0x0d, 0x08, 0x20,
    },
    32, "DigiCert 'Wyvern2024h2' Log" },
  { (const uint8_t[]){
        0x73, 0x20, 0x22, 0x0f, 0x08, 0x16, 0x8a, 0xf9, 0xf3, 0xc4, 0xa6,
        0x8b, 0x0a, 0xb2, 0x6a, 0x9a, 0x4a, 0x00, 0xee, 0xf5, 0x77, 0x85,
        0x8a, 0x08, 0x4d, 0x05, 0x00, 0xd4, 0xa5, 0x42, 0x44, 0x59,
    },
    32, "DigiCert 'Wyvern2025h1' Log" },
  { (const uint8_t[]){
        0xed, 0x3c, 0x4b, 0xd6, 0xe8, 0x06, 0xc2, 0xa4, 0xa2, 0x00, 0x57,
        0xdb, 0xcb, 0x24, 0xe2, 0x38, 0x01, 0xdf, 0x51, 0x2f, 0xed, 0xc4,
        0x86, 0xc5, 0x70, 0x0f, 0x20, 0xdd, 0xb7, 0x3e, 0x3f, 0xe0,
    },
    32, "DigiCert 'Wyvern2025h2' Log" },
  { (const uint8_t[]){
        0x64, 0x11, 0xc4, 0x6c, 0xa4, 0x12, 0xec, 0xa7, 0x89, 0x1c, 0xa2,
        0x02, 0x2e, 0x00, 0xbc, 0xab, 0x4f, 0x28, 0x07, 0xd4, 0x1e, 0x35,
        0x27, 0xab, 0xea, 0xfe, 0xd5, 0x03, 0xc9, 0x7d, 0xcd, 0xf0,
    },
    32, "DigiCert 'Wyvern2026h1'" },
  { (const uint8_t[]){
        0xc2, 0x31, 0x7e, 0x57, 0x45, 0x19, 0xa3, 0x45, 0xee, 0x7f, 0x38,
        0xde, 0xb2, 0x90, 0x41, 0xeb, 0xc7, 0xc2, 0x21, 0x5a, 0x22, 0xbf,
        0x7f, 0xd5, 0xb5, 0xad, 0x76, 0x9a, 0xd9, 0x0e, 0x52, 0xcd,
    },
    32, "DigiCert 'Wyvern2026h2'" },
  { (const uint8_t[]){
        0x00, 0x1a, 0x5d, 0x1a, 0x1c, 0x2d, 0x93, 0x75, 0xb6, 0x48, 0x55,
        0x78, 0xf8, 0x2f, 0x71, 0xa1, 0xae, 0x6e, 0xef, 0x39, 0x7d, 0x29,
        0x7c, 0x8a, 0xe3, 0x15, 0x7b, 0xca, 0xde, 0xe1, 0xa0, 0x1e,
    },
    32, "DigiCert 'Wyvern2027h1'" },
  { (const uint8_t[]){
        0x37, 0xaa, 0x07, 0xcc, 0x21, 0x6f, 0x2e, 0x6d, 0x91, 0x9c, 0x70,
        0x9d, 0x24, 0xd8, 0xf7, 0x31, 0xb0, 0x0f, 0x2b, 0x14, 0x7c, 0x62,
        0x1c, 0xc0, 0x91, 0xa5, 0xfa, 0x1a, 0x84, 0xd8, 0x16, 0xdd,
    },
    32, "DigiCert 'Wyvern2027h2'" },
  { (const uint8_t[]){
        0xdb, 0x07, 0x6c, 0xde, 0x6a, 0x8b, 0x78, 0xec, 0x58, 0xd6, 0x05,
        0x64, 0x96, 0xeb, 0x6a, 0x26, 0xa8, 0xc5, 0x9e, 0x72, 0x12, 0x93,
        0xe8, 0xac, 0x03, 0x27, 0xdd, 0xde, 0x89, 0xdb, 0x5a, 0x2a,
    },
    32, "DigiCert 'Sphinx2024h1' Log" },
  { (const uint8_t[]){
        0xdc, 0xc9, 0x5e, 0x6f, 0xa2, 0x99, 0xb9, 0xb0, 0xfd, 0xbd, 0x6c,
        0xa6, 0xa3, 0x6e, 0x1d, 0x72, 0xc4, 0x21, 0x2f, 0xdd, 0x1e, 0x0f,
        0x47, 0x55, 0x3a, 0x36, 0xd6, 0xcf, 0x1a, 0xd1, 0x1d, 0x8d,
    },
    32, "DigiCert 'Sphinx2024h2' Log" },
  { (const uint8_t[]){
        0xde, 0x85, 0x81, 0xd7, 0x50, 0x24, 0x7c, 0x6b, 0xcd, 0xcb, 0xaf,
        0x56, 0x37, 0xc5, 0xe7, 0x81, 0xc6, 0x4c, 0xe4, 0x6e, 0xd6, 0x17,
        0x63, 0x9f, 0x8f, 0x34, 0xa7, 0x26, 0xc9, 0xe2, 0xbd, 0x37,
    },
    32, "DigiCert 'Sphinx2025h1' Log" },
  { (const uint8_t[]){
        0xa4, 0x42, 0xc5, 0x06, 0x49, 0x60, 0x61, 0x54, 0x8f, 0x0f, 0xd4,
        0xea, 0x9c, 0xfb, 0x7a, 0x2d, 0x26, 0x45, 0x4d, 0x87, 0xa9, 0x7f,
        0x2f, 0xdf, 0x45, 0x59, 0xf6, 0x27, 0x4f, 0x3a, 0x84, 0x54,
    },
    32, "DigiCert 'Sphinx2025h2' Log" },
  { (const uint8_t[]){
        0x49, 0x9c, 0x9b, 0x69, 0xde, 0x1d, 0x7c, 0xec, 0xfc, 0x36, 0xde,
        0xcd, 0x87, 0x64, 0xa6, 0xb8, 0x5b, 0xaf, 0x0a, 0x87, 0x80, 0x19,
        0xd1, 0x55, 0x52, 0xfb, 0xe9, 0xeb, 0x29, 0xdd, 0xf8, 0xc3,
    },
    32, "DigiCert 'Sphinx2026h1'" },
  { (const uint8_t[]){
        0x94, 0x4e, 0x43, 0x87, 0xfa, 0xec, 0xc1, 0xef, 0x81, 0xf3, 0x19,
        0x24, 0x26, 0xa8, 0x18, 0x65, 0x01, 0xc7, 0xd3, 0x5f, 0x38, 0x02,
        0x01, 0x3f, 0x72, 0x67, 0x7d, 0x55, 0x37, 0x2e, 0x19, 0xd8,
    },
    32, "DigiCert 'Sphinx2026h2'" },
  { (const uint8_t[]){
        0x46, 0xa2, 0x39, 0x67, 0xc6, 0x0d, 0xb6, 0x46, 0x87, 0xc6, 0x6f,
        0x3d, 0xf9, 0x99, 0x94, 0x76, 0x93, 0xa6, 0xa6, 0x11, 0x20, 0x84,
        0x57, 0xd5, 0x55, 0xe7, 0xe3, 0xd0, 0xa1, 0xd9, 0xb6, 0x46,
    },
    32, "DigiCert 'sphinx2027h1'" },
  { (const uint8_t[]){
        0x1f, 0xb0, 0xf8, 0xa9, 0x2d, 0x8a, 0xdd, 0xa1, 0x21, 0x77, 0x6c,
        0x05, 0xe2, 0xaa, 0x2e, 0x15, 0xba, 0xcb, 0xc6, 0x2b, 0x65, 0x39,
        0x36, 0x95, 0x57, 0x6a, 0xaa, 0xb5, 0x2e, 0x11, 0xd1, 0x1d,
    },
    32, "DigiCert 'sphinx2027h2'" },
  { (const uint8_t[]){
        0xdd, 0xeb, 0x1d, 0x2b, 0x7a, 0x0d, 0x4f, 0xa6, 0x20, 0x8b, 0x81,
        0xad, 0x81, 0x68, 0x70, 0x7e, 0x2e, 0x8e, 0x9d, 0x01, 0xd5, 0x5c,
        0x88, 0x8d, 0x3d, 0x11, 0xc4, 0xcd, 0xb6, 0xec, 0xbe, 0xcc,
    },
    32, "Symantec log" },
  { (const uint8_t[]){
        0xbc, 0x78, 0xe1, 0xdf, 0xc5, 0xf6, 0x3c, 0x68, 0x46, 0x49, 0x33,
        0x4d, 0xa1, 0x0f, 0xa1, 0x5f, 0x09, 0x79, 0x69, 0x20, 0x09, 0xc0,
        0x81, 0xb4, 0xf3, 0xf6, 0x91, 0x7f, 0x3e, 0xd9, 0xb8, 0xa5,
    },
    32, "Symantec 'Vega' log" },
  { (const uint8_t[]){
        0x15, 0x97, 0x04, 0x88, 0xd7, 0xb9, 0x97, 0xa0, 0x5b, 0xeb, 0x52,
        0x51, 0x2a, 0xde, 0xe8, 0xd2, 0xe8, 0xb4, 0xa3, 0x16, 0x52, 0x64,
        0x12, 0x1a, 0x9f, 0xab, 0xfb, 0xd5, 0xf8, 0x5a, 0xd9, 0x3f,
    },
    32, "Symantec 'Sirius' log" },
  { (const uint8_t[]){
        0x05, 0x9c, 0x01, 0xd3, 0x20, 0xe0, 0x07, 0x84, 0x13, 0x95, 0x80,
        0x49, 0x8d, 0x11, 0x7c, 0x90, 0x32, 0x66, 0xaf, 0xaf, 0x72, 0x50,
        0xb5, 0xaf, 0x3b, 0x46, 0xa4, 0x3e, 0x11, 0x84, 0x0d, 0x4a,
    },
    32, "DigiCert Yeti2022-2 Log" },
  { (const uint8_t[]){
        0xc1, 0x16, 0x4a, 0xe0, 0xa7, 0x72, 0xd2, 0xd4, 0x39, 0x2d, 0xc8,
        0x0a, 0xc1, 0x07, 0x70, 0xd4, 0xf0, 0xc4, 0x9b, 0xde, 0x99, 0x1a,
        0x48, 0x40, 0xc1, 0xfa, 0x07, 0x51, 0x64, 0xf6, 0x33, 0x60,
    },
    32, "DigiCert Yeti2018 Log" },
  { (const uint8_t[]){
        0xe2, 0x69, 0x4b, 0xae, 0x26, 0xe8, 0xe9, 0x40, 0x09, 0xe8, 0x86,
        0x1b, 0xb6, 0x3b, 0x83, 0xd4, 0x3e, 0xe7, 0xfe, 0x74, 0x88, 0xfb,
        0xa4, 0x8f, 0x28, 0x93, 0x01, 0x9d, 0xdd, 0xf1, 0xdb, 0xfe,
    },
    32, "DigiCert Yeti2019 Log" },
  { (const uint8_t[]){
        0x6f, 0xf1, 0x41, 0xb5, 0x64, 0x7e, 0x42, 0x22, 0xf7, 0xef, 0x05,
        0x2c, 0xef, 0xae, 0x7c, 0x21, 0xfd, 0x60, 0x8e, 0x27, 0xd2, 0xaf,
        0x5a, 0x6e, 0x9f, 0x4b, 0x8a, 0x37, 0xd6, 0x63, 0x3e, 0xe5,
    },
    32, "DigiCert Nessie2018 Log" },
  { (const uint8_t[]){
        0xfe, 0x44, 0x61, 0x08, 0xb1, 0xd0, 0x1a, 0xb7, 0x8a, 0x62, 0xcc,
        0xfe, 0xab, 0x6a, 0xb2, 0xb2, 0xba, 0xbf, 0xf3, 0xab, 0xda, 0xd8,
        0x0a, 0x4d, 0x8b, 0x30, 0xdf, 0x2d, 0x00, 0x08, 0x83, 0x0c,
    },
    32, "DigiCert Nessie2019 Log" },
  { (const uint8_t[]){
        0xa7, 0xce, 0x4a, 0x4e, 0x62, 0x07, 0xe0, 0xad, 0xde, 0xe5, 0xfd,
        0xaa, 0x4b, 0x1f, 0x86, 0x76, 0x87, 0x67, 0xb5, 0xd0, 0x02, 0xa5,
        0x5d, 0x47, 0x31, 0x0e, 0x7e, 0x67, 0x0a, 0x95, 0xea, 0xb2,
    },
    32, "Symantec Deneb" },
  { (const uint8_t[]){
        0xcd, 0xb5, 0x17, 0x9b, 0x7f, 0xc1, 0xc0, 0x46, 0xfe, 0xea, 0x31,
        0x13, 0x6a, 0x3f, 0x8f, 0x00, 0x2e, 0x61, 0x82, 0xfa, 0xf8, 0x89,
        0x6f, 0xec, 0xc8, 0xb2, 0xf5, 0xb5, 0xab, 0x60, 0x49, 0x00,
    },
    32, "Certly.IO log" },
  { (const uint8_t[]){
        0x74, 0x61, 0xb4, 0xa0, 0x9c, 0xfb, 0x3d, 0x41, 0xd7, 0x51, 0x59,
        0x57, 0x5b, 0x2e, 0x76, 0x49, 0xa4, 0x45, 0xa8, 0xd2, 0x77, 0x09,
        0xb0, 0xcc, 0x56, 0x4a, 0x64, 0x82, 0xb7, 0xeb, 0x41, 0xa3,
    },
    32, "Izenpe log" },
  { (const uint8_t[]){
        0x89, 0x41, 0x44, 0x9c, 0x70, 0x74, 0x2e, 0x06, 0xb9, 0xfc, 0x9c,
        0xe7, 0xb1, 0x16, 0xba, 0x00, 0x24, 0xaa, 0x36, 0xd5, 0x9a, 0xf4,
        0x4f, 0x02, 0x04, 0x40, 0x4f, 0x00, 0xf7, 0xea, 0x85, 0x66,
    },
    32, "Izenpe 'Argi' log" },
  { (const uint8_t[]){
        0x41, 0xb2, 0xdc, 0x2e, 0x89, 0xe6, 0x3c, 0xe4, 0xaf, 0x1b, 0xa7,
        0xbb, 0x29, 0xbf, 0x68, 0xc6, 0xde, 0xe6, 0xf9, 0xf1, 0xcc, 0x04,
        0x7e, 0x30, 0xdf, 0xfa, 0xe3, 0xb3, 0xba, 0x25, 0x92, 0x63,
    },
    32, "WoSign log" },
  { (const uint8_t[]){
        0x9e, 0x4f, 0xf7, 0x3d, 0xc3, 0xce, 0x22, 0x0b, 0x69, 0x21, 0x7c,
        0x89, 0x9e, 0x46, 0x80, 0x76, 0xab, 0xf8, 0xd7, 0x86, 0x36, 0xd5,
        0xcc, 0xfc, 0x85, 0xa3, 0x1a, 0x75, 0x62, 0x8b, 0xa8, 0x8b,
    },
    32, "WoSign CT log #1" },
  { (const uint8_t[]){
        0x63, 0xd0, 0x00, 0x60, 0x26, 0xdd, 0xe1, 0x0b, 0xb0, 0x60, 0x1f,
        0x45, 0x24, 0x46, 0x96, 0x5e, 0xe2, 0xb6, 0xea, 0x2c, 0xd4, 0xfb,
        0xc9, 0x5a, 0xc8, 0x66, 0xa5, 0x50, 0xaf, 0x90, 0x75, 0xb7,
    },
    32, "WoSign log 2" },
  { (const uint8_t[]){
        0xac, 0x3b, 0x9a, 0xed, 0x7f, 0xa9, 0x67, 0x47, 0x57, 0x15, 0x9e,
        0x6d, 0x7d, 0x57, 0x56, 0x72, 0xf9, 0xd9, 0x81, 0x00, 0x94, 0x1e,
        0x9b, 0xde, 0xff, 0xec, 0xa1, 0x31, 0x3b, 0x75, 0x78, 0x2d,
    },
    32, "Venafi log" },
  { (const uint8_t[]){
        0x03, 0x01, 0x9d, 0xf3, 0xfd, 0x85, 0xa6, 0x9a, 0x8e, 0xbd, 0x1f,
        0xac, 0xc6, 0xda, 0x9b, 0xa7, 0x3e, 0x46, 0x97, 0x74, 0xfe, 0x77,
        0xf5, 0x79, 0xfc, 0x5a, 0x08, 0xb8, 0x32, 0x8c, 0x1d, 0x6b,
    },
    32, "Venafi Gen2 CT log" },
  { (const uint8_t[]){
        0xa5, 0x77, 0xac, 0x9c, 0xed, 0x75, 0x48, 0xdd, 0x8f, 0x02, 0x5b,
        0x67, 0xa2, 0x41, 0x08, 0x9d, 0xf8, 0x6e, 0x0f, 0x47, 0x6e, 0xc2,
        0x03, 0xc2, 0xec, 0xbe, 0xdb, 0x18, 0x5f, 0x28, 0x26, 0x38,
    },
    32, "CNNIC CT log" },
  { (const uint8_t[]){
        0x34, 0xbb, 0x6a, 0xd6, 0xc3, 0xdf, 0x9c, 0x03, 0xee, 0xa8, 0xa4,
        0x99, 0xff, 0x78, 0x91, 0x48, 0x6c, 0x9d, 0x5e, 0x5c, 0xac, 0x92,
        0xd0, 0x1f, 0x7b, 0xfd, 0x1b, 0xce, 0x19, 0xdb, 0x48, 0xef,
    },
    32, "StartCom log" },
  { (const uint8_t[]){
        0x55, 0x81, 0xd4, 0xc2, 0x16, 0x90, 0x36, 0x01, 0x4a, 0xea, 0x0b,
        0x9b, 0x57, 0x3c, 0x53, 0xf0, 0xc0, 0xe4, 0x38, 0x78, 0x70, 0x25,
        0x08, 0x17, 0x2f, 0xa3, 0xaa, 0x1d, 0x07, 0x13, 0xd3, 0x0c,
    },
    32, "Sectigo 'Sabre' CT log" },
  { (const uint8_t[]){
        0xa2, 0xe2, 0xbf, 0xd6, 0x1e, 0xde, 0x2f, 0x2f, 0x07, 0xa0, 0xd6,
        0x4e, 0x6d, 0x37, 0xa7, 0xdc, 0x65, 0x43, 0xb0, 0xc6, 0xb5, 0x2e,
        0xa2, 0xda, 0xb7, 0x8a, 0xf8, 0x9a, 0x6d, 0xf5, 0x17, 0xd8,
    },
    32, "Sectigo 'Sabre2024h1'" },
  { (const uint8_t[]){
        0x19, 0x98, 0x10, 0x71, 0x09, 0xf0, 0xd6, 0x52, 0x2e, 0x30, 0x80,
        0xd2, 0x9e, 0x3f, 0x64, 0xbb, 0x83, 0x6e, 0x28, 0xcc, 0xf9, 0x0f,
        0x52, 0x8e, 0xee, 0xdf, 0xce, 0x4a, 0x3f, 0x16, 0xb4, 0xca,
    },
    32, "Sectigo 'Sabre2024h2'" },
  { (const uint8_t[]){
        0xe0, 0x92, 0xb3, 0xfc, 0x0c, 0x1d, 0xc8, 0xe7, 0x68, 0x36, 0x1f,
        0xde, 0x61, 0xb9, 0x96, 0x4d, 0x0a, 0x52, 0x78, 0x19, 0x8a, 0x72,
        0xd6, 0x72, 0xc4, 0xb0, 0x4d, 0xa5, 0x6d, 0x6f, 0x54, 0x04,
    },
    32, "Sectigo 'Sabre2025h1'" },
  { (const uint8_t[]){
        0x1a, 0x04, 0xff, 0x49, 0xd0, 0x54, 0x1d, 0x40, 0xaf, 0xf6, 0xa0,
        0xc3, 0xbf, 0xf1, 0xd8, 0xc4, 0x67, 0x2f, 0x4e, 0xec, 0xee, 0x23,
        0x40, 0x68, 0x98, 0x6b, 0x17, 0x40, 0x2e, 0xdc, 0x89, 0x7d,
    },
    32, "Sectigo 'Sabre2025h2'" },
  { (const uint8_t[]){
        0x6f, 0x53, 0x76, 0xac, 0x31, 0xf0, 0x31, 0x19, 0xd8, 0x99, 0x00,
        0xa4, 0x51, 0x15, 0xff, 0x77, 0x15, 0x1c, 0x11, 0xd9, 0x02, 0xc1,
        0x00, 0x29, 0x06, 0x8d, 0xb2, 0x08, 0x9a, 0x37, 0xd9, 0x13,
    },
    32, "Sectigo 'Mammoth' CT log" },
  { (const uint8_t[]){
        0x29, 0xd0, 0x3a, 0x1b, 0xb6, 0x74, 0xaa, 0x71, 0x1c, 0xd3, 0x03,
        0x5b, 0x65, 0x57, 0xc1, 0x4f, 0x8a, 0xa7, 0x8b, 0x4f, 0xe8, 0x38,
        0x94, 0x49, 0xec, 0xa4, 0x53, 0xf9, 0x44, 0xbd, 0x24, 0x68,
    },
    32, "Sectigo 'Mammoth2024h1'" },
  { (const uint8_t[]){
        0x50, 0x85, 0x01, 0x58, 0xdc, 0xb6, 0x05, 0x95, 0xc0, 0x0e, 0x92,
        0xa8, 0x11, 0x02, 0xec, 0xcd, 0xfe, 0x3f, 0x6b, 0x78, 0x58, 0x42,
        0x9f, 0x57, 0x98, 0x35, 0x38, 0xc9, 0xda, 0x52, 0x50, 0x63,
    },
    32, "Sectigo 'Mammoth2024h1b'" },
  { (const uint8_t[]){
        0xdf, 0xe1, 0x56, 0xeb, 0xaa, 0x05, 0xaf, 0xb5, 0x9c, 0x0f, 0x86,
        0x71, 0x8d, 0xa8, 0xc0, 0x32, 0x4e, 0xae, 0x56, 0xd9, 0x6e, 0xa7,
        0xf5, 0xa5, 0x6a, 0x01, 0xd1, 0xc1, 0x3b, 0xbe, 0x52, 0x5c,
    },
    32, "Sectigo 'Mammoth2024h2'" },
  { (const uint8_t[]){
        0x13, 0x4a, 0xdf, 0x1a, 0xb5, 0x98, 0x42, 0x09, 0x78, 0x0c, 0x6f,
        0xef, 0x4c, 0x7a, 0x91, 0xa4, 0x16, 0xb7, 0x23, 0x49, 0xce, 0x58,
        0x57, 0x6a, 0xdf, 0xae, 0xda, 0xa7, 0xc2, 0xab, 0xe0, 0x22,
    },
    32, "Sectigo 'Mammoth2025h1'" },
  { (const uint8_t[]){
        0xaf, 0x18, 0x1a, 0x28, 0xd6, 0x8c, 0xa3, 0xe0, 0xa9, 0x8a, 0x4c,
        0x9c, 0x67, 0xab, 0x09, 0xf8, 0xbb, 0xbc, 0x22, 0xba, 0xae, 0xbc,
        0xb1, 0x38, 0xa3, 0xa1, 0x9d, 0xd3, 0xf9, 0xb6, 0x03, 0x0d,
    },
    32, "Sectigo 'Mammoth2025h2'" },
  { (const uint8_t[]){
        0x25, 0x2f, 0x94, 0xc2, 0x2b, 0x29, 0xe9, 0x6e, 0x9f, 0x41, 0x1a,
        0x72, 0x07, 0x2b, 0x69, 0x5c, 0x5b, 0x52, 0xff, 0x97, 0xa9, 0x0d,
        0x25, 0x40, 0xbb, 0xfc, 0xdc, 0x51, 0xec, 0x4d, 0xee, 0x0b,
    },
    32, "Sectigo 'Mammoth2026h1'" },
  { (const uint8_t[]){
        0x94, 0xb1, 0xc1, 0x8a, 0xb0, 0xd0, 0x57, 0xc4, 0x7b, 0xe0, 0xac,
        0x04, 0x0e, 0x1f, 0x2c, 0xbc, 0x8d, 0xc3, 0x75, 0x72, 0x7b, 0xc9,
        0x51, 0xf2, 0x0a, 0x52, 0x61, 0x26, 0x86, 0x3b, 0xa7, 0x3c,
    },
    32, "Sectigo 'Mammoth2026h2'" },
  { (const uint8_t[]){
        0x56, 0x6c, 0xd5, 0xa3, 0x76, 0xbe, 0x83, 0xdf, 0xe3, 0x42, 0xb6,
        0x75, 0xc4, 0x9c, 0x23, 0x24, 0x98, 0xa7, 0x69, 0xba, 0xc3, 0x82,
        0xcb, 0xab, 0x49, 0xa3, 0x87, 0x7d, 0x9a, 0xb3, 0x2d, 0x01,
    },
    32, "Sectigo 'Sabre2026h1'" },
  { (const uint8_t[]){
        0x1f, 0x56, 0xd1, 0xab, 0x94, 0x70, 0x4a, 0x41, 0xdd, 0x3f, 0xea,
        0xfd, 0xf4, 0x69, 0x93, 0x55, 0x30, 0x2c, 0x14, 0x31, 0xbf, 0xe6,
        0x13, 0x46, 0x08, 0x9f, 0xff, 0xae, 0x79, 0x5d, 0xcc, 0x2f,
    },
    32, "Sectigo 'Sabre2026h2'" },
  { (const uint8_t[]){
        0x0d, 0x1d, 0xbc, 0x89, 0x44, 0xe9, 0xf5, 0x00, 0x55, 0x42, 0xd7,
        0x2d, 0x3e, 0x14, 0x4c, 0xcc, 0x43, 0x08, 0x2a, 0xb6, 0xea, 0x1e,
        0x94, 0xdf, 0xd7, 0x06, 0x65, 0x7d, 0x2e, 0x86, 0xf3, 0x01,
    },
    32, "Sectigo 'Elephant2025h2'" },
  { (const uint8_t[]){
        0xd1, 0x6e, 0xa9, 0xa5, 0x68, 0x07, 0x7e, 0x66, 0x35, 0xa0, 0x3f,
        0x37, 0xa5, 0xdd, 0xbc, 0x03, 0xa5, 0x3c, 0x41, 0x12, 0x14, 0xd4,
        0x88, 0x18, 0xf5, 0xe9, 0x31, 0xb3, 0x23, 0xcb, 0x95, 0x04,
    },
    32, "Sectigo 'Elephant2026h1'" },
  { (const uint8_t[]){
        0xaf, 0x67, 0x88, 0x3b, 0x57, 0xb0, 0x4e, 0xdd, 0x8f, 0xa6, 0xd9,
        0x7e, 0xf6, 0x2e, 0xa8, 0xeb, 0x81, 0x0a, 0xc7, 0x71, 0x60, 0xf0,
        0x24, 0x5e, 0x55, 0xd6, 0x0c, 0x2f, 0xe7, 0x85, 0x87, 0x3a,
    },
    32, "Sectigo 'Elephant2026h2'" },
  { (const uint8_t[]){
        0x60, 0x4c, 0x9a, 0xaf, 0x7a, 0x7f, 0x77, 0x5f, 0x01, 0xd4, 0x06,
        0xfc, 0x92, 0x0d, 0xc8, 0x99, 0xeb, 0x0b, 0x1c, 0x7d, 0xf8, 0xc9,
        0x52, 0x1b, 0xfa, 0xfa, 0x17, 0x77, 0x3b, 0x97, 0x8b, 0xc9,
    },
    32, "Sectigo 'Elephant2027h1'" },
  { (const uint8_t[]){
        0xa2, 0x49, 0x0c, 0xdc, 0xdb, 0x8e, 0x33, 0xa4, 0x00, 0x32, 0x17,
        0x60, 0xd6, 0xd4, 0xd5, 0x1a, 0x20, 0x36, 0x19, 0x1e, 0xa7, 0x7d,
        0x96, 0x8b, 0xe2, 0x6a, 0x8a, 0x00, 0xf6, 0xff, 0xff, 0xf7,
    },
    32, "Sectigo 'Elephant2027h2'" },
  { (const uint8_t[]){
        0x5c, 0xa5, 0x77, 0xd2, 0x9b, 0x7f, 0x8b, 0xaf, 0x41, 0x9e, 0xd8,
        0xec, 0xab, 0xfb, 0x6d, 0xcb, 0xae, 0xc3, 0x85, 0x37, 0x02, 0xd5,
        0x74, 0x6f, 0x17, 0x4d, 0xad, 0x3c, 0x93, 0x4a, 0xa9, 0x6a,
    },
    32, "Sectigo 'Tiger2025h2'" },
  { (const uint8_t[]){
        0x16, 0x83, 0x2d, 0xab, 0xf0, 0xa9, 0x25, 0x0f, 0x0f, 0xf0, 0x3a,
        0xa5, 0x45, 0xff, 0xc8, 0xbf, 0xc8, 0x23, 0xd0, 0x87, 0x4b, 0xf6,
        0x04, 0x29, 0x27, 0xf8, 0xe7, 0x1f, 0x33, 0x13, 0xf5, 0xfa,
    },
    32, "Sectigo 'Tiger2026h1'" },
  { (const uint8_t[]){
        0xc8, 0xa3, 0xc4, 0x7f, 0xc7, 0xb3, 0xad, 0xb9, 0x35, 0x6b, 0x01,
        0x3f, 0x6a, 0x7a, 0x12, 0x6d, 0xe3, 0x3a, 0x4e, 0x43, 0xa5, 0xc6,
        0x46, 0xf9, 0x97, 0xad, 0x39, 0x75, 0x99, 0x1d, 0xcf, 0x9a,
    },
    32, "Sectigo 'Tiger2026h2'" },
  { (const uint8_t[]){
        0x1c, 0x9f, 0x68, 0x2c, 0xe9, 0xfa, 0xf0, 0x45, 0x69, 0x50, 0xf8,
        0x1b, 0x96, 0x8a, 0x87, 0xdd, 0xdb, 0x32, 0x10, 0xd8, 0x4c, 0xe6,
        0xc8, 0xb2, 0xe3, 0x82, 0x52, 0x4a, 0xc4, 0xcf, 0x59, 0x9f,
    },
    32, "Sectigo 'Tiger2027h1'" },
  { (const uint8_t[]){
        0x03, 0x80, 0x2a, 0xc2, 0x62, 0xf6, 0xe0, 0x5e, 0x03, 0xf8, 0xbc,
        0x6f, 0x7b, 0x98, 0x51, 0x32, 0x4f, 0xd7, 0x6a, 0x3d, 0xf5, 0xb7,
        0x59, 0x51, 0x75, 0xe2, 0x22, 0xfb, 0x8e, 0x9b, 0xd5, 0xf6,
    },
    32, "Sectigo 'Tiger2027h2'" },
  { (const uint8_t[]){
        0xdb, 0x76, 0xfd, 0xad, 0xac, 0x65, 0xe7, 0xd0, 0x95, 0x08, 0x88,
        0x6e, 0x21, 0x59, 0xbd, 0x8b, 0x90, 0x35, 0x2f, 0x5f, 0xea, 0xd3,
        0xe3, 0xdc, 0x5e, 0x22, 0xeb, 0x35, 0x0a, 0xcc, 0x7b, 0x98,
    },
    32, "Sectigo 'Dodo' CT log" },
  { (const uint8_t[]){
        0xe7, 0x12, 0xf2, 0xb0, 0x37, 0x7e, 0x1a, 0x62, 0xfb, 0x8e, 0xc9,
        0x0c, 0x61, 0x84, 0xf1, 0xea, 0x7b, 0x37, 0xcb, 0x56, 0x1d, 0x11,
        0x26, 0x5b, 0xf3, 0xe0, 0xf3, 0x4b, 0xf2, 0x41, 0x54, 0x6e,
    },
    32, "Let's Encrypt 'Oak2020' log" },
  { (const uint8_t[]){
        0x94, 0x20, 0xbc, 0x1e, 0x8e, 0xd5, 0x8d, 0x6c, 0x88, 0x73, 0x1f,
        0x82, 0x8b, 0x22, 0x2c, 0x0d, 0xd1, 0xda, 0x4d, 0x5e, 0x6c, 0x4f,
        0x94, 0x3d, 0x61, 0xdb, 0x4e, 0x2f, 0x58, 0x4d, 0xa2, 0xc2,
    },
    32, "Let's Encrypt 'Oak2021' log" },
  { (const uint8_t[]){
        0xdf, 0xa5, 0x5e, 0xab, 0x68, 0x82, 0x4f, 0x1f, 0x6c, 0xad, 0xee,
        0xb8, 0x5f, 0x4e, 0x3e, 0x5a, 0xea, 0xcd, 0xa2, 0x12, 0xa4, 0x6a,
        0x5e, 0x8e, 0x3b, 0x12, 0xc0, 0x20, 0x44, 0x5c, 0x2a, 0x73,
    },
    32, "Let's Encrypt 'Oak2022' log" },
  { (const uint8_t[]){
        0xb7, 0x3e, 0xfb, 0x24, 0xdf, 0x9c, 0x4d, 0xba, 0x75, 0xf2, 0x39,
        0xc5, 0xba, 0x58, 0xf4, 0x6c, 0x5d, 0xfc, 0x42, 0xcf, 0x7a, 0x9f,
        0x35, 0xc4, 0x9e, 0x1d, 0x09, 0x81, 0x25, 0xed, 0xb4, 0x99,
    },
    32, "Let's Encrypt 'Oak2023' log" },
  { (const uint8_t[]){
        0x3b, 0x53, 0x77, 0x75, 0x3e, 0x2d, 0xb9, 0x80, 0x4e, 0x8b, 0x30,
        0x5b, 0x06, 0xfe, 0x40, 0x3b, 0x67, 0xd8, 0x4f, 0xc3, 0xf4, 0xc7,
        0xbd, 0x00, 0x0d, 0x2d, 0x72, 0x6f, 0xe1, 0xfa, 0xd4, 0x17,
    },
    32, "Let's Encrypt 'Oak2024H1' log" },
  { (const uint8_t[]){
        0x3f, 0x17, 0x4b, 0x4f, 0xd7, 0x22, 0x47, 0x58, 0x94, 0x1d, 0x65,
        0x1c, 0x84, 0xbe, 0x0d, 0x12, 0xed, 0x90, 0x37, 0x7f, 0x1f, 0x85,
        0x6a, 0xeb, 0xc1, 0xbf, 0x28, 0x85, 0xec, 0xf8, 0x64, 0x6e,
    },
    32, "Let's Encrypt 'Oak2024H2' log" },
  { (const uint8_t[]){
        0xa2, 0xe3, 0x0a, 0xe4, 0x45, 0xef, 0xbd, 0xad, 0x9b, 0x7e, 0x38,
        0xed, 0x47, 0x67, 0x77, 0x53, 0xd7, 0x82, 0x5b, 0x84, 0x94, 0xd7,
        0x2b, 0x5e, 0x1b, 0x2c, 0xc4, 0xb9, 0x50, 0xa4, 0x47, 0xe7,
    },
    32, "Let's Encrypt 'Oak2025h1'" },
  { (const uint8_t[]){
        0x0d, 0xe1, 0xf2, 0x30, 0x2b, 0xd3, 0x0d, 0xc1, 0x40, 0x62, 0x12,
        0x09, 0xea, 0x55, 0x2e, 0xfc, 0x47, 0x74, 0x7c, 0xb1, 0xd7, 0xe9,
        0x30, 0xef, 0x0e, 0x42, 0x1e, 0xb4, 0x7e, 0x4e, 0xaa, 0x34,
    },
    32, "Let's Encrypt 'Oak2025h2'" },
  { (const uint8_t[]){
        0x19, 0x86, 0xd4, 0xc7, 0x28, 0xaa, 0x6f, 0xfe, 0xba, 0x03, 0x6f,
        0x78, 0x2a, 0x4d, 0x01, 0x91, 0xaa, 0xce, 0x2d, 0x72, 0x31, 0x0f,
        0xae, 0xce, 0x5d, 0x70, 0x41, 0x2d, 0x25, 0x4c, 0xc7, 0xd4,
    },
    32, "Let's Encrypt 'Oak2026h1'" },
  { (const uint8_t[]){
        0xac, 0xab, 0x30, 0x70, 0x6c, 0xeb, 0xec, 0x84, 0x31, 0xf4, 0x13,
        0xd2, 0xf4, 0x91, 0x5f, 0x11, 0x1e, 0x42, 0x24, 0x43, 0xb1, 0xf2,
        0xa6, 0x8c, 0x4f, 0x3c, 0x2b, 0x3b, 0xa7, 0x1e, 0x02, 0xc3,
    },
    32, "Let's Encrypt 'Oak2026h2'" },
  { (const uint8_t[]){
        0x65, 0x9b, 0x33, 0x50, 0xf4, 0x3b, 0x12, 0xcc, 0x5e, 0xa5, 0xab,
        0x4e, 0xc7, 0x65, 0xd3, 0xfd, 0xe6, 0xc8, 0x82, 0x43, 0x77, 0x77,
        0x78, 0xe7, 0x20, 0x03, 0xf9, 0xeb, 0x2b, 0x8c, 0x31, 0x29,
    },
    32, "Let's Encrypt 'Oak2019' log" },
  { (const uint8_t[]){
        0x84, 0x9f, 0x5f, 0x7f, 0x58, 0xd2, 0xbf, 0x7b, 0x54, 0xec, 0xbd,
        0x74, 0x61, 0x1c, 0xea, 0x45, 0xc4, 0x9c, 0x98, 0xf1, 0xd6, 0x48,
        0x1b, 0xc6, 0xf6, 0x9e, 0x8c, 0x17, 0x4f, 0x24, 0xf3, 0xcf,
    },
    32, "Let's Encrypt 'Testflume2019' log" },
  { (const uint8_t[]){
        0x23, 0x2d, 0x41, 0xa4, 0xcd, 0xac, 0x87, 0xce, 0xd9, 0xf9, 0x43,
        0xf4, 0x68, 0xc2, 0x82, 0x09, 0x5a, 0xe0, 0x9d, 0x30, 0xd6, 0x2e,
        0x2f, 0xa6, 0x5d, 0xdc, 0x3b, 0x91, 0x9c, 0x2e, 0x46, 0x8f,
    },
    32, "Let's Encrypt 'Sapling 2022h2' log" },
  { (const uint8_t[]){
        0xc1, 0x83, 0x24, 0x0b, 0xf1, 0xa4, 0x50, 0xc7, 0x6f, 0xbb, 0x00,
        0x72, 0x69, 0xdc, 0xac, 0x3b, 0xe2, 0x2a, 0x48, 0x05, 0xd4, 0xdb,
        0xe0, 0x49, 0x66, 0xc3, 0xc8, 0xab, 0xc4, 0x47, 0xb0, 0x0c,
    },
    32, "Let's Encrypt 'Sapling 2023h1' log" },
  { (const uint8_t[]){
        0xc6, 0x3f, 0x22, 0x18, 0xc3, 0x7d, 0x56, 0xa6, 0xaa, 0x06, 0xb5,
        0x96, 0xda, 0x8e, 0x53, 0xd4, 0xd7, 0x15, 0x6d, 0x1e, 0x9b, 0xac,
        0x8e, 0x44, 0xd2, 0x20, 0x2d, 0xe6, 0x4d, 0x69, 0xd9, 0xdc,
    },
    32, "Let's Encrypt 'Testflume2020' log" },
  { (const uint8_t[]){
        0x03, 0xed, 0xf1, 0xda, 0x97, 0x76, 0xb6, 0xf3, 0x8c, 0x34, 0x1e,
        0x39, 0xed, 0x9d, 0x70, 0x7a, 0x75, 0x70, 0x36, 0x9c, 0xf9, 0x84,
        0x4f, 0x32, 0x7f, 0xe9, 0xe1, 0x41, 0x38, 0x36, 0x1b, 0x60,
    },
    32, "Let's Encrypt 'Testflume2021' log" },
  { (const uint8_t[]){
        0x23, 0x27, 0xef, 0xda, 0x35, 0x25, 0x10, 0xdb, 0xc0, 0x19, 0xef,
        0x49, 0x1a, 0xe3, 0xff, 0x1c, 0xc5, 0xa4, 0x79, 0xbc, 0xe3, 0x78,
        0x78, 0x36, 0x0e, 0xe3, 0x18, 0xcf, 0xfb, 0x64, 0xf8, 0xc8,
    },
    32, "Let's Encrypt 'Testflume2022' log" },
  { (const uint8_t[]){
        0x55, 0x34, 0xb7, 0xab, 0x5a, 0x6a, 0xc3, 0xa7, 0xcb, 0xeb, 0xa6,
        0x54, 0x87, 0xb2, 0xa2, 0xd7, 0x1b, 0x48, 0xf6, 0x50, 0xfa, 0x17,
        0xc5, 0x19, 0x7c, 0x97, 0xa0, 0xcb, 0x20, 0x76, 0xf3, 0xc6,
    },
    32, "Let's Encrypt 'Testflume2023' log" },
  { (const uint8_t[]){
        0x29, 0x6a, 0xfa, 0x2d, 0x56, 0x8b, 0xca, 0x0d, 0x2e, 0xa8, 0x44,
        0x95, 0x6a, 0xe9, 0x72, 0x1f, 0xc3, 0x5f, 0xa3, 0x55, 0xec, 0xda,
        0x99, 0x69, 0x3a, 0xaf, 0xd4, 0x58, 0xa7, 0x1a, 0xef, 0xdd,
    },
    32, "Let's Encrypt 'Clicky' log" },
  { (const uint8_t[]){
        0xa5, 0x95, 0x94, 0x3b, 0x53, 0x70, 0xbe, 0xe9, 0x06, 0xe0, 0x05,
        0x0d, 0x1f, 0xb5, 0xbb, 0xc6, 0xa4, 0x0e, 0x65, 0xf2, 0x65, 0xae,
        0x85, 0x2c, 0x76, 0x36, 0x3f, 0xad, 0xb2, 0x33, 0x36, 0xed,
    },
    32, "Trust Asia Log2020" },
  { (const uint8_t[]){
        0xa8, 0xdc, 0x52, 0xf6, 0x3d, 0x6b, 0x24, 0x25, 0xe5, 0x31, 0xe3,
        0x7c, 0xf4, 0xe4, 0x4a, 0x71, 0x4f, 0x14, 0x2a, 0x20, 0x80, 0x3b,
        0x0d, 0x04, 0xd2, 0xe2, 0xee, 0x06, 0x64, 0x79, 0x4a, 0x23,
    },
    32, "Trust Asia CT2021" },
  { (const uint8_t[]){
        0x67, 0x8d, 0xb6, 0x5b, 0x3e, 0x74, 0x43, 0xb6, 0xf3, 0xa3, 0x70,
        0xd5, 0xe1, 0x3a, 0xb1, 0xb4, 0x3b, 0xe0, 0xa0, 0xd3, 0x51, 0xf7,
        0xca, 0x74, 0x22, 0x50, 0xc7, 0xc6, 0xfa, 0x51, 0xa8, 0x8a,
    },
    32, "Trust Asia Log2021" },
  { (const uint8_t[]){
        0xc3, 0x65, 0xf9, 0xb3, 0x65, 0x4f, 0x32, 0x83, 0xc7, 0x9d, 0xa9,
        0x8e, 0x93, 0xd7, 0x41, 0x8f, 0x5b, 0xab, 0x7b, 0xe3, 0x25, 0x2c,
        0x98, 0xe1, 0xd2, 0xf0, 0x4b, 0xb9, 0xeb, 0x42, 0x7d, 0x23,
    },
    32, "Trust Asia Log2022" },
  { (const uint8_t[]){
        0xe8, 0x7e, 0xa7, 0x66, 0x0b, 0xc2, 0x6c, 0xf6, 0x00, 0x2e, 0xf5,
        0x72, 0x5d, 0x3f, 0xe0, 0xe3, 0x31, 0xb9, 0x39, 0x3b, 0xb9, 0x2f,
        0xbf, 0x58, 0xeb, 0x3b, 0x90, 0x49, 0xda, 0xf5, 0x43, 0x5a,
    },
    32, "Trust Asia Log2023" },
  { (const uint8_t[]){
        0x30, 0x6d, 0x29, 0x57, 0x6a, 0xd2, 0x1a, 0x9d, 0x4a, 0xe1, 0x2a,
        0xca, 0xd8, 0xaa, 0x8a, 0x78, 0x3a, 0xa6, 0x5a, 0x32, 0x11, 0x60,
        0xac, 0xff, 0x5b, 0x0e, 0xee, 0x4c, 0xa3, 0x20, 0x1d, 0x05,
    },
    32, "Trust Asia Log2024" },
  { (const uint8_t[]){
        0x87, 0x4f, 0xb5, 0x0d, 0xc0, 0x29, 0xd9, 0x93, 0x1d, 0xe5, 0x73,
        0xe9, 0xf2, 0x89, 0x9e, 0x8e, 0x45, 0x33, 0xb3, 0x92, 0xd3, 0x8b,
        0x0a, 0x46, 0x25, 0x74, 0xbf, 0x0f, 0xee, 0xb2, 0xfc, 0x1e,
    },
    32, "Trust Asia Log2024-2" },
  { (const uint8_t[]){
        0x28, 0xe2, 0x81, 0x38, 0xfd, 0x83, 0x21, 0x45, 0xe9, 0xa9, 0xd6,
        0xaa, 0x75, 0x37, 0x6d, 0x83, 0x77, 0xa8, 0x85, 0x12, 0xb3, 0xc0,
        0x7f, 0x72, 0x41, 0x48, 0x21, 0xdc, 0xbd, 0xe9, 0x8c, 0x66,
    },
    32, "TrustAsia Log2025a" },
  { (const uint8_t[]){
        0x28, 0x2c, 0x8b, 0xdd, 0x81, 0x0f, 0xf9, 0x09, 0x12, 0x0a, 0xce,
        0x16, 0xd6, 0xe0, 0xec, 0x20, 0x1b, 0xea, 0x82, 0xa3, 0xa4, 0xaf,
        0x19, 0xd9, 0xef, 0xfb, 0x59, 0xe8, 0x3f, 0xdc, 0x42, 0x68,
    },
    32, "TrustAsia Log2025b" },
  { (const uint8_t[]){
        0x74, 0xdb, 0x9d, 0x58, 0xf7, 0xd4, 0x7e, 0x9d, 0xfd, 0x78, 0x7a,
        0x16, 0x2a, 0x99, 0x1c, 0x18, 0xcf, 0x69, 0x8d, 0xa7, 0xc7, 0x29,
        0x91, 0x8c, 0x9a, 0x18, 0xb0, 0x45, 0x0d, 0xba, 0x44, 0xbc,
    },
    32, "TrustAsia 'log2026a'" },
  { (const uint8_t[]){
        0x25, 0xb7, 0xef, 0xde, 0xa1, 0x13, 0x01, 0x93, 0xed, 0x93, 0x07,
        0x97, 0x70, 0xaa, 0x32, 0x2a, 0x26, 0x62, 0x0d, 0xe3, 0x5a, 0xc8,
        0xaa, 0x7c, 0x75, 0x19, 0x7d, 0xe0, 0xb1, 0xa9, 0xe0, 0x65,
    },
    32, "TrustAsia 'log2026b'" },
  { (const uint8_t[]){
        0xed, 0xda, 0xeb, 0x81, 0x5c, 0x63, 0x21, 0x34, 0x49, 0xb4, 0x7b,
        0xe5, 0x07, 0x79, 0x05, 0xab, 0xd0, 0xd9, 0x31, 0x47, 0xc2, 0x7a,
        0xc5, 0x14, 0x6b, 0x3b, 0xc5, 0x8e, 0x43, 0xe9, 0xb6, 0xc7,
    },
    32, "TrustAsia 'HETU2027'" },
  { (const uint8_t[]){
        0x45, 0x35, 0x94, 0x98, 0xd9, 0x3a, 0x89, 0xe0, 0x28, 0x03, 0x08,
        0xd3, 0x7d, 0x62, 0x6d, 0xc4, 0x23, 0x75, 0x47, 0x58, 0xdc, 0xe0,
        0x37, 0x00, 0x36, 0xfb, 0xab, 0x0e, 0xdf, 0x8a, 0x6b, 0xcf,
    },
    32, "Trust Asia Log1" },
  { (const uint8_t[]){
        0xc9, 0xcf, 0x89, 0x0a, 0x21, 0x10, 0x9c, 0x66, 0x6c, 0xc1, 0x7a,
        0x3e, 0xd0, 0x65, 0xc9, 0x30, 0xd0, 0xe0, 0x13, 0x5a, 0x9f, 0xeb,
        0xa8, 0x5a, 0xf1, 0x42, 0x10, 0xb8, 0x07, 0x24, 0x21, 0xaa,
    },
    32, "GDCA CT log #1" },
  { (const uint8_t[]){
        0x92, 0x4a, 0x30, 0xf9, 0x09, 0x33, 0x6f, 0xf4, 0x35, 0xd6, 0x99,
        0x3a, 0x10, 0xac, 0x75, 0xa2, 0xc6, 0x41, 0x72, 0x8e, 0x7f, 0xc2,
        0xd6, 0x59, 0xae, 0x61, 0x88, 0xff, 0xad, 0x40, 0xce, 0x01,
    },
    32, "GDCA CT log #2" },
  { (const uint8_t[]){
        0x71, 0x7e, 0xa7, 0x42, 0x09, 0x75, 0xbe, 0x84, 0xa2, 0x72, 0x35,
        0x53, 0xf1, 0x77, 0x7c, 0x26, 0xdd, 0x51, 0xaf, 0x4e, 0x10, 0x21,
        0x44, 0x09, 0x4d, 0x90, 0x19, 0xb4, 0x62, 0xfb, 0x66, 0x68,
    },
    32, "GDCA Log 1" },
  { (const uint8_t[]){
        0x14, 0x30, 0x8d, 0x90, 0xcc, 0xd0, 0x30, 0x13, 0x50, 0x05, 0xc0,
        0x1c, 0xa5, 0x26, 0xd8, 0x1e, 0x84, 0xe8, 0x76, 0x24, 0xe3, 0x9b,
        0x62, 0x48, 0xe0, 0x8f, 0x72, 0x4a, 0xea, 0x3b, 0xb4, 0x2a,
    },
    32, "GDCA Log 2" },
  { (const uint8_t[]){
        0xe0, 0x12, 0x76, 0x29, 0xe9, 0x04, 0x96, 0x56, 0x4e, 0x3d, 0x01,
        0x47, 0x98, 0x44, 0x98, 0xaa, 0x48, 0xf8, 0xad, 0xb1, 0x66, 0x00,
        0xeb, 0x79, 0x02, 0xa1, 0xef, 0x99, 0x09, 0x90, 0x62, 0x73,
    },
    32, "PuChuangSiDa CT log" },
  { (const uint8_t[]){
        0x53, 0x7b, 0x69, 0xa3, 0x56, 0x43, 0x35, 0xa9, 0xc0, 0x49, 0x04,
        0xe3, 0x95, 0x93, 0xb2, 0xc2, 0x98, 0xeb, 0x8d, 0x7a, 0x6e, 0x83,
        0x02, 0x36, 0x35, 0xc6, 0x27, 0x24, 0x8c, 0xd6, 0xb4, 0x40,
    },
    32, "Nordu 'flimsy' log" },
  { (const uint8_t[]){
        0xaa, 0xe7, 0x0b, 0x7f, 0x3c, 0xb8, 0xd5, 0x66, 0xc8, 0x6c, 0x2f,
        0x16, 0x97, 0x9c, 0x9f, 0x44, 0x5f, 0x69, 0xab, 0x0e, 0xb4, 0x53,
        0x55, 0x89, 0xb2, 0xf7, 0x7a, 0x03, 0x01, 0x04, 0xf3, 0xcd,
    },
    32, "Nordu 'plausible' log" },
  { (const uint8_t[]){
        0xcf, 0x55, 0xe2, 0x89, 0x23, 0x49, 0x7c, 0x34, 0x0d, 0x52, 0x06,
        0xd0, 0x53, 0x53, 0xae, 0xb2, 0x58, 0x34, 0xb5, 0x2f, 0x1f, 0x8d,
        0xc9, 0x52, 0x68, 0x09, 0xf2, 0x12, 0xef, 0xdd, 0x7c, 0xa6,
    },
    32, "SHECA CT log 1" },
  { (const uint8_t[]){
        0x32, 0xdc, 0x59, 0xc2, 0xd4, 0xc4, 0x19, 0x68, 0xd5, 0x6e, 0x14,
        0xbc, 0x61, 0xac, 0x8f, 0x0e, 0x45, 0xdb, 0x39, 0xfa, 0xf3, 0xc1,
        0x55, 0xaa, 0x42, 0x52, 0xf5, 0x00, 0x1f, 0xa0, 0xc6, 0x23,
    },
    32, "SHECA CT log 2" },
  { (const uint8_t[]){
        0x96, 0x06, 0xc0, 0x2c, 0x69, 0x00, 0x33, 0xaa, 0x1d, 0x14, 0x5f,
        0x59, 0xc6, 0xe2, 0x64, 0x8d, 0x05, 0x49, 0xf0, 0xdf, 0x96, 0xaa,
        0xb8, 0xdb, 0x91, 0x5a, 0x70, 0xd8, 0xec, 0xf3, 0x90, 0xa5,
    },
    32, "Akamai CT Log" },
  { (const uint8_t[]){
        0x39, 0x37, 0x6f, 0x54, 0x5f, 0x7b, 0x46, 0x07, 0xf5, 0x97, 0x42,
        0xd7, 0x68, 0xcd, 0x5d, 0x24, 0x37, 0xbf, 0x34, 0x73, 0xb6, 0x53,
        0x4a, 0x48, 0x34, 0xbc, 0xf7, 0x2e, 0x68, 0x1c, 0x83, 0xc9,
    },
    32, "Alpha CT Log" },
  { (const uint8_t[]){
        0xb0, 0xb7, 0x84, 0xbc, 0x81, 0xc0, 0xdd, 0xc4, 0x75, 0x44, 0xe8,
        0x83, 0xf0, 0x59, 0x85, 0xbb, 0x90, 0x77, 0xd1, 0x34, 0xd8, 0xab,
        0x88, 0xb2, 0xb2, 0xe5, 0x33, 0x98, 0x0b, 0x8e, 0x50, 0x8b,
    },
    32, "Up In The Air 'Behind the Sofa' log" },
  { (const uint8_t[]){
        0x47, 0x44, 0x47, 0x7c, 0x75, 0xde, 0x42, 0x6d, 0x5c, 0x44, 0xef,
        0xd4, 0xa9, 0x2c, 0x96, 0x77, 0x59, 0x7f, 0x65, 0x7a, 0x8f, 0xe0,
        0xca, 0xdb, 0xc6, 0xd6, 0x16, 0xed, 0xa4, 0x97, 0xc4, 0x25,
    },
    32, "Qihoo 360 2020" },
  { (const uint8_t[]){
        0xc6, 0xd7, 0xed, 0x9e, 0xdb, 0x8e, 0x74, 0xf0, 0xa7, 0x1b, 0x4d,
        0x4a, 0x98, 0x4b, 0xcb, 0xeb, 0xab, 0xbd, 0x28, 0xcc, 0x1f, 0xd7,
        0x63, 0x29, 0xe8, 0x87, 0x26, 0xcd, 0x4c, 0x25, 0x46, 0x63,
    },
    32, "Qihoo 360 2021" },
  { (const uint8_t[]){
        0x66, 0x3c, 0xb0, 0x9c, 0x1f, 0xcd, 0x9b, 0xaa, 0x62, 0x76, 0x3c,
        0xcb, 0x53, 0x4e, 0xec, 0x80, 0x58, 0x12, 0x28, 0x05, 0x07, 0xac,
        0x69, 0xa4, 0x5f, 0xcd, 0x38, 0xcf, 0x4c, 0xc7, 0x4c, 0xf1,
    },
    32, "Qihoo 360 2022" },
  { (const uint8_t[]){
        0xe2, 0x64, 0x7f, 0x6e, 0xda, 0x34, 0x05, 0x03, 0xc6, 0x4d, 0x4e,
        0x10, 0xa8, 0x69, 0x68, 0x1f, 0xde, 0x9c, 0x5a, 0x2c, 0xf3, 0xb3,
        0x2d, 0x5f, 0x20, 0x0b, 0x96, 0x36, 0x05, 0x90, 0x88, 0x23,
    },
    32, "Qihoo 360 2023" },
  { (const uint8_t[]){
        0xc5, 0xcf, 0xe5, 0x4b, 0x61, 0x51, 0xb4, 0x9b, 0x14, 0x2e, 0xd2,
        0x63, 0xbd, 0xe7, 0x32, 0x93, 0x36, 0x37, 0x99, 0x79, 0x95, 0x50,
        0xae, 0x44, 0x35, 0xcd, 0x1a, 0x69, 0x97, 0xc9, 0xc3, 0xc3,
    },
    32, "Qihoo 360 v1 2020" },
  { (const uint8_t[]){
        0x48, 0x14, 0x58, 0x7c, 0xf2, 0x8b, 0x08, 0xfe, 0x68, 0x3f, 0xd2,
        0xbc, 0xd9, 0x45, 0x99, 0x4c, 0x2e, 0xb7, 0x4c, 0x8a, 0xe8, 0xc8,
        0x7f, 0xce, 0x42, 0x9b, 0x7c, 0xd3, 0x1d, 0x51, 0xbd, 0xc4,
    },
    32, "Qihoo 360 v1 2021" },
  { (const uint8_t[]){
        0x49, 0x11, 0xb8, 0xd6, 0x14, 0xcf, 0xd3, 0xd9, 0x9f, 0x16, 0xd3,
        0x76, 0x54, 0x5e, 0xe1, 0xb8, 0xcc, 0xfc, 0x51, 0x1f, 0x50, 0x9f,
        0x08, 0x0b, 0xa0, 0xa0, 0x87, 0xd9, 0x1d, 0xfa, 0xee, 0xa9,
    },
    32, "Qihoo 360 v1 2022" },
  { (const uint8_t[]){
        0xb6, 0x74, 0x0b, 0x12, 0x00, 0x2e, 0x03, 0x3f, 0xd0, 0xe7, 0xe9,
        0x41, 0xf4, 0xba, 0x3e, 0xe1, 0xbf, 0xc1, 0x49, 0xb5, 0x24, 0xb4,
        0xcf, 0x62, 0x8d, 0x53, 0xef, 0xea, 0x1f, 0x40, 0x3a, 0x8d,
    },
    32, "Qihoo 360 v1 2023" },
  { (const uint8_t[]){
        0x2e, 0xd6, 0xa4, 0x4d, 0xeb, 0x8f, 0x0c, 0x86, 0x46, 0x67, 0x76,
        0x9c, 0x4e, 0xdd, 0x04, 0x1f, 0x84, 0x23, 0x67, 0x55, 0xfa, 0x3a,
        0xac, 0xa6, 0x34, 0xd0, 0x93, 0x5d, 0xfc, 0xd5, 0x9a, 0x70,
    },
    32, "Bogus placeholder log to unbreak misbehaving CT libraries" },
  { (const uint8_t[]){
        0x39, 0xb9, 0x87, 0x88, 0x28, 0x19, 0x5f, 0x3b, 0x2d, 0x0d, 0x1b,
        0x48, 0x14, 0xa3, 0xae, 0x8c, 0x0d, 0x01, 0xfe, 0x48, 0x62, 0x21,
        0xdd, 0x69, 0x39, 0x7d, 0x76, 0xf7, 0x85, 0x74, 0x11, 0xc3,
    },
    32, "Merklemap 'CompactLog' log" },
  { (const uint8_t[]){
        0xd2, 0xfc, 0x65, 0x2f, 0xa5, 0xf9, 0xb7, 0x38, 0xb8, 0x37, 0x55,
        0xfa, 0x5e, 0xb1, 0x5f, 0x0b, 0x45, 0x25, 0x3f, 0x4e, 0x8f, 0xa3,
        0xb9, 0xb6, 0x4f, 0xd4, 0xde, 0x56, 0x62, 0xd1, 0x87, 0x08,
    },
    32, "Bogus RFC6962 log to avoid breaking misbehaving CT libraries" },
  { NULL((void*)0), 0, NULL((void*)0) }
2727};

2729/*
* Application-Layer Protocol Negotiation (ALPN) dissector tables.
*/
2732static dissector_table_t ssl_alpn_dissector_table;
2733static dissector_table_t dtls_alpn_dissector_table;

2735/*
* Special cases for prefix matching of the ALPN, if the ALPN includes
* a version number for a draft or protocol revision.
*/
2739typedef struct ssl_alpn_prefix_match_protocol {
  const char      *proto_prefix;
  const char      *dissector_name;
2742} ssl_alpn_prefix_match_protocol_t;

2744static const ssl_alpn_prefix_match_protocol_t ssl_alpn_prefix_match_protocols[] = {
  /* SPDY moves so fast, just 1, 2 and 3 are registered with IANA but there
   * already exists 3.1 as of this writing... match the prefix. */
  { "spdy/",              "spdy" },
  /* draft-ietf-httpbis-http2-16 */
  { "h2-",                "http2" }, /* draft versions */
2750};

2752const value_string compress_certificate_algorithm_vals[] = {
  { 1, "zlib" },
  { 2, "brotli" },
  { 3, "zstd" },
  { 0, NULL((void*)0) }
2757};


2760const val64_string quic_transport_parameter_id[] = {
  { SSL_HND_QUIC_TP_ORIGINAL_DESTINATION_CONNECTION_ID0x00, "original_destination_connection_id" },
  { SSL_HND_QUIC_TP_MAX_IDLE_TIMEOUT0x01, "max_idle_timeout" },
  { SSL_HND_QUIC_TP_STATELESS_RESET_TOKEN0x02, "stateless_reset_token" },
  { SSL_HND_QUIC_TP_MAX_UDP_PAYLOAD_SIZE0x03, "max_udp_payload_size" },
  { SSL_HND_QUIC_TP_INITIAL_MAX_DATA0x04, "initial_max_data" },
  { SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_BIDI_LOCAL0x05, "initial_max_stream_data_bidi_local" },
  { SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_BIDI_REMOTE0x06, "initial_max_stream_data_bidi_remote" },
  { SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_UNI0x07, "initial_max_stream_data_uni" },
  { SSL_HND_QUIC_TP_INITIAL_MAX_STREAMS_UNI0x09, "initial_max_streams_uni" },
  { SSL_HND_QUIC_TP_INITIAL_MAX_STREAMS_BIDI0x08, "initial_max_streams_bidi" },
  { SSL_HND_QUIC_TP_ACK_DELAY_EXPONENT0x0a, "ack_delay_exponent" },
  { SSL_HND_QUIC_TP_MAX_ACK_DELAY0x0b, "max_ack_delay" },
  { SSL_HND_QUIC_TP_DISABLE_ACTIVE_MIGRATION0x0c, "disable_active_migration" },
  { SSL_HND_QUIC_TP_PREFERRED_ADDRESS0x0d, "preferred_address" },
  { SSL_HND_QUIC_TP_ACTIVE_CONNECTION_ID_LIMIT0x0e, "active_connection_id_limit" },
  { SSL_HND_QUIC_TP_INITIAL_SOURCE_CONNECTION_ID0x0f, "initial_source_connection_id" },
  { SSL_HND_QUIC_TP_RETRY_SOURCE_CONNECTION_ID0x10, "retry_source_connection_id" },
  { SSL_HND_QUIC_TP_MAX_DATAGRAM_FRAME_SIZE0x20, "max_datagram_frame_size" },
  { SSL_HND_QUIC_TP_CIBIR_ENCODING0x1000, "cibir_encoding" },
  { SSL_HND_QUIC_TP_LOSS_BITS0x1057, "loss_bits" },
  { SSL_HND_QUIC_TP_GREASE_QUIC_BIT0x2ab2, "grease_quic_bit" },
  { SSL_HND_QUIC_TP_ENABLE_TIME_STAMP0x7157, "enable_time_stamp" },
  { SSL_HND_QUIC_TP_ENABLE_TIME_STAMP_V20x7158, "enable_time_stamp_v2" },
  { SSL_HND_QUIC_TP_VERSION_INFORMATION0x11, "version_information" },
  { SSL_HND_QUIC_TP_VERSION_INFORMATION_DRAFT0xff73db, "version_information_draft" },
  { SSL_HND_QUIC_TP_MIN_ACK_DELAY_OLD0xde1a, "min_ack_delay" },
  { SSL_HND_QUIC_TP_GOOGLE_USER_AGENT0x3129, "google_user_agent" },
  { SSL_HND_QUIC_TP_GOOGLE_KEY_UPDATE_NOT_YET_SUPPORTED0x312B, "google_key_update_not_yet_supported" },
  { SSL_HND_QUIC_TP_GOOGLE_QUIC_VERSION0x4752, "google_quic_version" },
  { SSL_HND_QUIC_TP_GOOGLE_INITIAL_RTT0x3127, "google_initial_rtt" },
  { SSL_HND_QUIC_TP_GOOGLE_SUPPORT_HANDSHAKE_DONE0x312A, "google_support_handshake_done" },
  { SSL_HND_QUIC_TP_GOOGLE_QUIC_PARAMS0x4751, "google_quic_params" },
  { SSL_HND_QUIC_TP_GOOGLE_CONNECTION_OPTIONS0x3128, "google_connection_options" },
  { SSL_HND_QUIC_TP_FACEBOOK_PARTIAL_RELIABILITY0xFF00, "facebook_partial_reliability" },
  { SSL_HND_QUIC_TP_ADDRESS_DISCOVERY0x9f81a176, "address_discovery" },
  { SSL_HND_QUIC_TP_MIN_ACK_DELAY_DRAFT_V10xFF03DE1A, "min_ack_delay (draft-01)" },
  { SSL_HND_QUIC_TP_MIN_ACK_DELAY_DRAFT050xff04de1a, "min_ack_delay (draft-05)" },
  { SSL_HND_QUIC_TP_MIN_ACK_DELAY0xff04de1b, "min_ack_delay" },
  { SSL_HND_QUIC_TP_ENABLE_MULTIPATH_DRAFT040x0f739bbc1b666d04, "enable_multipath (draft-04)" },
  { SSL_HND_QUIC_TP_ENABLE_MULTIPATH_DRAFT050x0f739bbc1b666d05, "enable_multipath (draft-05)" },
  { SSL_HND_QUIC_TP_ENABLE_MULTIPATH0x0f739bbc1b666d06, "enable_multipath (draft-06)" },
  { SSL_HND_QUIC_TP_INITIAL_MAX_PATHS0x0f739bbc1b666d07, "initial_max_paths (draft-07/08)" },
  { SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT090x0f739bbc1b666d09, "initial_max_path_id (draft-09/10)" },
  { SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT110x0f739bbc1b666d11, "initial_max_path_id (draft-11)" },
  { SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT120x0f739bbc1b666d0c, "initial_max_path_id (draft-12)" },
  { SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT130x0f739bbc1b666d0d, "initial_max_path_id (draft-13)" },
  { SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID0x3e, "initial_max_path_id" },
  { 0, NULL((void*)0) }
2809};

2811/* https://tools.ietf.org/html/draft-ietf-quic-address-discovery-00 */
2812const val64_string quic_address_discovery_vals[] = {
  { 0, "The node is willing to provide address observations to its peer, but is not interested in receiving address observations itself" },
  { 1, "The node is interested in receiving address observations, but it is not willing to provide address observations" },
  { 2, "The node is interested in receiving address observations, and it is willing to provide address observations" },
  { 0, NULL((void*)0) }
2817};

2819/* https://tools.ietf.org/html/draft-huitema-quic-ts-03 */
2820const val64_string quic_enable_time_stamp_v2_vals[] = {
  { 1, "I would like to receive TIME_STAMP frames" },
  { 2, "I am able to generate TIME_STAMP frames" },
  { 3, "I am able to generate TIME_STAMP frames and I would like to receive them" },
  { 0, NULL((void*)0) }
2825};

2827/* https://datatracker.ietf.org/doc/draft-ietf-quic-multipath/04/ */
2828const val64_string quic_enable_multipath_vals[] = {
  { 0, "don't support multipath" },
  { 1, "support multipath as defined in this document" },
  { 0, NULL((void*)0) }
2832};

2834/* https://www.ietf.org/archive/id/draft-ietf-tls-esni-16.txt */
2835const value_string tls_hello_ext_ech_clienthello_types[] = {
  { 0, "Outer Client Hello" },
  { 1, "Inner Client Hello" },
  { 0, NULL((void*)0) }
2839};

2841/* RFC 9180 */
2842const value_string kem_id_type_vals[] = {
  { 0x0000, "Reserved" },
  { 0x0010, "DHKEM(P-256, HKDF-SHA256)" },
  { 0x0011, "DHKEM(P-384, HKDF-SHA384)" },
  { 0x0012, "DHKEM(P-521, HKDF-SHA512)" },
  { 0x0020, "DHKEM(X25519, HKDF-SHA256)" },
  { 0x0021, "DHKEM(X448, HKDF-SHA512)" },
  { 0,      NULL((void*)0) }
2850};
2851const value_string kdf_id_type_vals[] = {
  { 0x0000, "Reserved" },
  { 0x0001, "HKDF-SHA256" },
  { 0x0002, "HKDF-SHA384" },
  { 0x0003, "HKDF-SHA512" },
  { 0,      NULL((void*)0) }
2857};
2858const value_string aead_id_type_vals[] = {
  { 0x0000, "Reserved" },
  { 0x0001, "AES-128-GCM" },
  { 0x0002, "AES-256-GCM" },
  { 0x0003, "ChaCha20Poly1305" },
  { 0xFFFF, "Export-only" },
  { 0,      NULL((void*)0) }
2865};

2867const value_string token_binding_key_parameter_vals[] = {
  { 0, "rsa2048_pkcs1.5" },
  { 1, "rsa2048_pss" },
  { 2, "ecdsap256" },
  { 0, NULL((void*)0) }
2872};

2874/* Lookup tables }}} */

2876void
2877quic_transport_parameter_id_base_custom(char *result, uint64_t parameter_id)
2878{
  const char *label;
  if (IS_GREASE_QUIC(parameter_id)((parameter_id) > 27 ? ((((parameter_id) - 27) % 31) == 0)
 : 0)) {
      label = "GREASE";
  } else {
      label = val64_to_str_const(parameter_id, quic_transport_parameter_id, "Unknown");
  }
  snprintf(result, ITEM_LABEL_LENGTH240, "%s (0x%02" PRIx64"l" "x" ")", label, parameter_id);
2886}

2888/* we keep this internal to packet-tls-utils, as there should be
 no need to access it any other way.

 This also allows us to hide the dependency on zlib.
2892*/
2893struct _SslDecompress {
  int compression;
2895#ifdef USE_ZLIB_OR_ZLIBNG
  zlib_stream istream;
2897#endif
2898};

2900/* To assist in parsing client/server key exchange messages
 0 indicates unknown */
2902int ssl_get_keyex_alg(int cipher)
2903{
  /* Map Cipher suite number to Key Exchange algorithm {{{ */
  switch(cipher) {
  case 0x0017:
  case 0x0018:
  case 0x0019:
  case 0x001a:
  case 0x001b:
  case 0x0034:
  case 0x003a:
  case 0x0046:
  case 0x006c:
  case 0x006d:
  case 0x0089:
  case 0x009b:
  case 0x00a6:
  case 0x00a7:
  case 0x00bf:
  case 0x00c5:
  case 0xc084:
  case 0xc085:
      return KEX_DH_ANON0x13;
  case 0x000b:
  case 0x000c:
  case 0x000d:
  case 0x0030:
  case 0x0036:
  case 0x003e:
  case 0x0042:
  case 0x0068:
  case 0x0085:
  case 0x0097:
  case 0x00a4:
  case 0x00a5:
  case 0x00bb:
  case 0x00c1:
  case 0xc082:
  case 0xc083:
      return KEX_DH_DSS0x14;
  case 0x000e:
  case 0x000f:
  case 0x0010:
  case 0x0031:
  case 0x0037:
  case 0x003f:
  case 0x0043:
  case 0x0069:
  case 0x0086:
  case 0x0098:
  case 0x00a0:
  case 0x00a1:
  case 0x00bc:
  case 0x00c2:
  case 0xc07e:
  case 0xc07f:
      return KEX_DH_RSA0x15;
  case 0x0011:
  case 0x0012:
  case 0x0013:
  case 0x0032:
  case 0x0038:
  case 0x0040:
  case 0x0044:
  case 0x0063:
  case 0x0065:
  case 0x0066:
  case 0x006a:
  case 0x0087:
  case 0x0099:
  case 0x00a2:
  case 0x00a3:
  case 0x00bd:
  case 0x00c3:
  case 0xc080:
  case 0xc081:
      return KEX_DHE_DSS0x10;
  case 0x002d:
  case 0x008e:
  case 0x008f:
  case 0x0090:
  case 0x0091:
  case 0x00aa:
  case 0x00ab:
  case 0x00b2:
  case 0x00b3:
  case 0x00b4:
  case 0x00b5:
  case 0xc090:
  case 0xc091:
  case 0xc096:
  case 0xc097:
  case 0xc0a6:
  case 0xc0a7:
  case 0xc0aa:
  case 0xc0ab:
  case 0xccad:
  case 0xe41c:
  case 0xe41d:
      return KEX_DHE_PSK0x11;
  case 0x0014:
  case 0x0015:
  case 0x0016:
  case 0x0033:
  case 0x0039:
  case 0x0045:
  case 0x0067:
  case 0x006b:
  case 0x0088:
  case 0x009a:
  case 0x009e:
  case 0x009f:
  case 0x00be:
  case 0x00c4:
  case 0xc07c:
  case 0xc07d:
  case 0xc09e:
  case 0xc09f:
  case 0xc0a2:
  case 0xc0a3:
  case 0xccaa:
  case 0xe41e:
  case 0xe41f:
      return KEX_DHE_RSA0x12;
  case 0xc015:
  case 0xc016:
  case 0xc017:
  case 0xc018:
  case 0xc019:
      return KEX_ECDH_ANON0x19;
  case 0xc001:
  case 0xc002:
  case 0xc003:
  case 0xc004:
  case 0xc005:
  case 0xc025:
  case 0xc026:
  case 0xc02d:
  case 0xc02e:
  case 0xc074:
  case 0xc075:
  case 0xc088:
  case 0xc089:
      return KEX_ECDH_ECDSA0x1a;
  case 0xc00b:
  case 0xc00c:
  case 0xc00d:
  case 0xc00e:
  case 0xc00f:
  case 0xc029:
  case 0xc02a:
  case 0xc031:
  case 0xc032:
  case 0xc078:
  case 0xc079:
  case 0xc08c:
  case 0xc08d:
      return KEX_ECDH_RSA0x1b;
  case 0xc006:
  case 0xc007:
  case 0xc008:
  case 0xc009:
  case 0xc00a:
  case 0xc023:
  case 0xc024:
  case 0xc02b:
  case 0xc02c:
  case 0xc072:
  case 0xc073:
  case 0xc086:
  case 0xc087:
  case 0xc0ac:
  case 0xc0ad:
  case 0xc0ae:
  case 0xc0af:
  case 0xcca9:
  case 0xe414:
  case 0xe415:
      return KEX_ECDHE_ECDSA0x16;
  case 0xc033:
  case 0xc034:
  case 0xc035:
  case 0xc036:
  case 0xc037:
  case 0xc038:
  case 0xc039:
  case 0xc03a:
  case 0xc03b:
  case 0xc09a:
  case 0xc09b:
  case 0xccac:
  case 0xe418:
  case 0xe419:
  case 0xd001:
  case 0xd002:
  case 0xd003:
  case 0xd005:
      return KEX_ECDHE_PSK0x17;
  case 0xc010:
  case 0xc011:
  case 0xc012:
  case 0xc013:
  case 0xc014:
  case 0xc027:
  case 0xc028:
  case 0xc02f:
  case 0xc030:
  case 0xc076:
  case 0xc077:
  case 0xc08a:
  case 0xc08b:
  case 0xcca8:
  case 0xe412:
  case 0xe413:
      return KEX_ECDHE_RSA0x18;
  case 0x001e:
  case 0x001f:
  case 0x0020:
  case 0x0021:
  case 0x0022:
  case 0x0023:
  case 0x0024:
  case 0x0025:
  case 0x0026:
  case 0x0027:
  case 0x0028:
  case 0x0029:
  case 0x002a:
  case 0x002b:
      return KEX_KRB50x1c;
  case 0x002c:
  case 0x008a:
  case 0x008b:
  case 0x008c:
  case 0x008d:
  case 0x00a8:
  case 0x00a9:
  case 0x00ae:
  case 0x00af:
  case 0x00b0:
  case 0x00b1:
  case 0xc064:
  case 0xc065:
  case 0xc08e:
  case 0xc08f:
  case 0xc094:
  case 0xc095:
  case 0xc0a4:
  case 0xc0a5:
  case 0xc0a8:
  case 0xc0a9:
  case 0xccab:
  case 0xe416:
  case 0xe417:
      return KEX_PSK0x1d;
  case 0x0001:
  case 0x0002:
  case 0x0003:
  case 0x0004:
  case 0x0005:
  case 0x0006:
  case 0x0007:
  case 0x0008:
  case 0x0009:
  case 0x000a:
  case 0x002f:
  case 0x0035:
  case 0x003b:
  case 0x003c:
  case 0x003d:
  case 0x0041:
  case 0x0060:
  case 0x0061:
  case 0x0062:
  case 0x0064:
  case 0x0084:
  case 0x0096:
  case 0x009c:
  case 0x009d:
  case 0x00ba:
  case 0x00c0:
  case 0xc07a:
  case 0xc07b:
  case 0xc09c:
  case 0xc09d:
  case 0xc0a0:
  case 0xc0a1:
  case 0xe410:
  case 0xe411:
  case 0xfefe:
  case 0xfeff:
  case 0xffe0:
  case 0xffe1:
      return KEX_RSA0x1e;
  case 0x002e:
  case 0x0092:
  case 0x0093:
  case 0x0094:
  case 0x0095:
  case 0x00ac:
  case 0x00ad:
  case 0x00b6:
  case 0x00b7:
  case 0x00b8:
  case 0x00b9:
  case 0xc092:
  case 0xc093:
  case 0xc098:
  case 0xc099:
  case 0xccae:
  case 0xe41a:
  case 0xe41b:
      return KEX_RSA_PSK0x1f;
  case 0xc01a:
  case 0xc01d:
  case 0xc020:
      return KEX_SRP_SHA0x20;
  case 0xc01c:
  case 0xc01f:
  case 0xc022:
      return KEX_SRP_SHA_DSS0x21;
  case 0xc01b:
  case 0xc01e:
  case 0xc021:
      return KEX_SRP_SHA_RSA0x22;
  case 0xc0ff:
      return KEX_ECJPAKE0x24;
  case 0xe003:
  case 0xe013:
  case 0xe053:
      return KEX_ECC_SM20x26;
  default:
      break;
  }

  return 0;
  /* }}} */
3239}

3241static wmem_list_t *connection_id_session_list;

3243void
3244ssl_init_cid_list(void) {
  connection_id_session_list = wmem_list_new(wmem_file_scope());
3246}

3248void
3249ssl_cleanup_cid_list(void) {
  wmem_destroy_list(connection_id_session_list);
3251}

3253void
3254ssl_add_session_by_cid(SslDecryptSession *session)
3255{
  wmem_list_append(connection_id_session_list, session);
3257}

3259SslDecryptSession *
3260ssl_get_session_by_cid(tvbuff_t *tvb, uint32_t offset)
3261{
  SslDecryptSession * ssl_cid = NULL((void*)0);
  wmem_list_frame_t *it = wmem_list_head(connection_id_session_list);

  while (it != NULL((void*)0) && ssl_cid == NULL((void*)0)) {
      SslDecryptSession * ssl = (SslDecryptSession *)wmem_list_frame_data(it);
      DISSECTOR_ASSERT(ssl != NULL)((void) ((ssl != ((void*)0)) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 3267, "ssl != ((void*)0)"))));
      SslSession *session = &ssl->session;

      if (session->client_cid_len > 0 && tvb_bytes_exist(tvb, offset, session->client_cid_len)) {
          if (tvb_memeql(tvb, offset, session->client_cid, session->client_cid_len) == 0) {
              ssl_cid = ssl;
          }
      }

      if (session->server_cid_len > 0) {
          if (tvb_memeql(tvb, offset, session->server_cid, session->server_cid_len) == 0) {
              ssl_cid = ssl;
          }
      }

      it = wmem_list_frame_next(it);
  }

  return ssl_cid;
3286}

3288/* StringInfo structure (len + data) functions {{{ */

3290int
3291ssl_data_alloc(StringInfo* str, size_t len)
3292{
  str->data = (unsigned char *)g_malloc(len);
16
←
Memory is allocated→
  /* the allocator can return a null pointer for a size equal to 0,
   * and that must be allowed */
  if (len16.1
'len' is > 0
 > 0 && !str->data)
17
←
Assuming field 'data' is non-null→
18
←
Taking false branch→
      return -1;
  str->data_len = (unsigned) len;
  return 0;
3300}

3302void
3303ssl_data_set(StringInfo* str, const unsigned char* data, unsigned len)
3304{
  DISSECTOR_ASSERT(data)((void) ((data) ? (void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\""
, "epan/dissectors/packet-tls-utils.c", 3305, "data"))));
  memcpy(str->data, data, len);
  str->data_len = len;
3308}

3310static int
3311ssl_data_realloc(StringInfo* str, unsigned len)
3312{
  str->data = (unsigned char *)g_realloc(str->data, len);
  if (!str->data)
      return -1;
  str->data_len = len;
  return 0;
3318}

3320static StringInfo *
3321ssl_data_clone(StringInfo *str)
3322{
  StringInfo *cloned_str;
  cloned_str = (StringInfo *) wmem_alloc0(wmem_file_scope(),
          sizeof(StringInfo) + str->data_len);
  cloned_str->data = (unsigned char *) (cloned_str + 1);
  ssl_data_set(cloned_str, str->data, str->data_len);
  return cloned_str;
3329}

3331static int
3332ssl_data_copy(StringInfo* dst, StringInfo* src)
3333{
  if (dst->data_len < src->data_len) {
    if (ssl_data_realloc(dst, src->data_len))
      return -1;
  }
  memcpy(dst->data, src->data, src->data_len);
  dst->data_len = src->data_len;
  return 0;
3341}

3343/* from_hex converts |hex_len| bytes of hex data from |in| and sets |*out| to
* the result. |out->data| will be allocated using wmem_file_scope. Returns true on
* success. */
3346static bool_Bool from_hex(StringInfo* out, const char* in, size_t hex_len) {
  size_t i;

  if (hex_len & 1)
      return false0;

  out->data = (unsigned char *)wmem_alloc(wmem_file_scope(), hex_len / 2);
  for (i = 0; i < hex_len / 2; i++) {
      int a = ws_xton(in[i*2]);
      int b = ws_xton(in[i*2 + 1]);
      if (a == -1 || b == -1)
          return false0;
      out->data[i] = a << 4 | b;
  }
  out->data_len = (unsigned)hex_len / 2;
  return true1;
3362}
3363/* StringInfo structure (len + data) functions }}} */


3366/* libgcrypt wrappers for HMAC/message digest operations {{{ */
3367/* hmac abstraction layer */
3368#define SSL_HMACgcry_md_hd_t gcry_md_hd_t

3370static inline int
3371ssl_hmac_init(SSL_HMACgcry_md_hd_t* md, int algo)
3372{
  gcry_error_t  err;
  const char   *err_str, *err_src;

  err = gcry_md_open(md,algo, GCRY_MD_FLAG_HMAC);
  if (err != 0) {
      err_str = gcry_strerror(err);
      err_src = gcry_strsource(err);
      ssl_debug_printf("ssl_hmac_init(): gcry_md_open failed %s/%s", err_str, err_src);
      return -1;
  }
  return 0;
3384}

3386static inline int
3387ssl_hmac_setkey(SSL_HMACgcry_md_hd_t* md, const void * key, int len)
3388{
  gcry_error_t  err;
  const char   *err_str, *err_src;

  err = gcry_md_setkey (*(md), key, len);
  if (err != 0) {
      err_str = gcry_strerror(err);
      err_src = gcry_strsource(err);
      ssl_debug_printf("ssl_hmac_setkey(): gcry_md_setkey failed %s/%s", err_str, err_src);
      return -1;
  }
  return 0;
3400}

3402static inline int
3403ssl_hmac_reset(SSL_HMACgcry_md_hd_t* md)
3404{
  gcry_md_reset(*md);
  return 0;
3407}

3409static inline void
3410ssl_hmac_update(SSL_HMACgcry_md_hd_t* md, const void* data, int len)
3411{
  gcry_md_write(*(md), data, len);
3413}
3414static inline void
3415ssl_hmac_final(SSL_HMACgcry_md_hd_t* md, unsigned char* data, unsigned* datalen)
3416{
  int   algo;
  unsigned len;

  algo = gcry_md_get_algo (*(md));
  len  = gcry_md_get_algo_dlen(algo);
  DISSECTOR_ASSERT(len <= *datalen)((void) ((len <= *datalen) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 3422, "len <= *datalen"))));
  memcpy(data, gcry_md_read(*(md), algo), len);
  *datalen = len;
3425}
3426static inline void
3427ssl_hmac_cleanup(SSL_HMACgcry_md_hd_t* md)
3428{
  gcry_md_close(*(md));
3430}

3432/* message digest abstraction layer*/
3433#define SSL_MDgcry_md_hd_t gcry_md_hd_t

3435static inline int
3436ssl_md_init(SSL_MDgcry_md_hd_t* md, int algo)
3437{
  gcry_error_t  err;
  const char   *err_str, *err_src;
  err = gcry_md_open(md,algo, 0);
  if (err != 0) {
      err_str = gcry_strerror(err);
      err_src = gcry_strsource(err);
      ssl_debug_printf("ssl_md_init(): gcry_md_open failed %s/%s", err_str, err_src);
      return -1;
  }
  return 0;
3448}
3449static inline void
3450ssl_md_update(SSL_MDgcry_md_hd_t* md, const unsigned char* data, unsigned len)
3451{
  gcry_md_write(*(md), data, len);
3453}
3454static inline void
3455ssl_md_final(SSL_MDgcry_md_hd_t* md, unsigned char* data, unsigned* datalen)
3456{
  int algo;
  int len;
  algo = gcry_md_get_algo (*(md));
  len = gcry_md_get_algo_dlen (algo);
  memcpy(data, gcry_md_read(*(md),  algo), len);
  *datalen = len;
3463}
3464static inline void
3465ssl_md_cleanup(SSL_MDgcry_md_hd_t* md)
3466{
  gcry_md_close(*(md));
3468}

3470static inline void
3471ssl_md_reset(SSL_MDgcry_md_hd_t* md)
3472{
  gcry_md_reset(*md);
3474}

3476/* md5 /sha abstraction layer */
3477#define SSL_SHA_CTXgcry_md_hd_t gcry_md_hd_t
3478#define SSL_MD5_CTXgcry_md_hd_t gcry_md_hd_t

3480static inline int
3481ssl_sha_init(SSL_SHA_CTXgcry_md_hd_t* md)
3482{
  gcry_error_t  err;
  const char   *err_str, *err_src;
  err = gcry_md_open(md, GCRY_MD_SHA1, 0);
  if (err != 0) {
      err_str = gcry_strerror(err);
      err_src = gcry_strsource(err);
      ssl_debug_printf("ssl_sha_init(): gcry_md_open failed %s/%s", err_str, err_src);
      return -1;
  }
  return 0;
3493}
3494static inline void
3495ssl_sha_update(SSL_SHA_CTXgcry_md_hd_t* md, unsigned char* data, int len)
3496{
  gcry_md_write(*(md), data, len);
3498}
3499static inline void
3500ssl_sha_final(unsigned char* buf, SSL_SHA_CTXgcry_md_hd_t* md)
3501{
  memcpy(buf, gcry_md_read(*(md),  GCRY_MD_SHA1),
         gcry_md_get_algo_dlen(GCRY_MD_SHA1));
3504}

3506static inline void
3507ssl_sha_reset(SSL_SHA_CTXgcry_md_hd_t* md)
3508{
  gcry_md_reset(*md);
3510}

3512static inline void
3513ssl_sha_cleanup(SSL_SHA_CTXgcry_md_hd_t* md)
3514{
  gcry_md_close(*(md));
3516}

3518static inline int
3519ssl_md5_init(SSL_MD5_CTXgcry_md_hd_t* md)
3520{
  gcry_error_t  err;
  const char   *err_str, *err_src;
  err = gcry_md_open(md,GCRY_MD_MD5, 0);
  if (err != 0) {
      err_str = gcry_strerror(err);
      err_src = gcry_strsource(err);
      ssl_debug_printf("ssl_md5_init(): gcry_md_open failed %s/%s", err_str, err_src);
      return -1;
  }
  return 0;
3531}
3532static inline void
3533ssl_md5_update(SSL_MD5_CTXgcry_md_hd_t* md, unsigned char* data, int len)
3534{
  gcry_md_write(*(md), data, len);
3536}
3537static inline void
3538ssl_md5_final(unsigned char* buf, SSL_MD5_CTXgcry_md_hd_t* md)
3539{
  memcpy(buf, gcry_md_read(*(md),  GCRY_MD_MD5),
         gcry_md_get_algo_dlen(GCRY_MD_MD5));
3542}

3544static inline void
3545ssl_md5_reset(SSL_MD5_CTXgcry_md_hd_t* md)
3546{
  gcry_md_reset(*md);
3548}

3550static inline void
3551ssl_md5_cleanup(SSL_MD5_CTXgcry_md_hd_t* md)
3552{
  gcry_md_close(*(md));
3554}
3555/* libgcrypt wrappers for HMAC/message digest operations }}} */

3557/* libgcrypt wrappers for Cipher state manipulation {{{ */
3558int
3559ssl_cipher_setiv(SSL_CIPHER_CTXgcry_cipher_hd_t *cipher, unsigned char* iv, int iv_len)
3560{
  int ret;
3562#if 0
  unsigned char *ivp;
  int i;
  gcry_cipher_hd_t c;
  c=(gcry_cipher_hd_t)*cipher;
3567#endif
  ssl_debug_printf("--------------------------------------------------------------------");
3569#if 0
  for(ivp=c->iv,i=0; i < iv_len; i++ )
      {
      ssl_debug_printf("%d ",ivp[i]);
      i++;
      }
3575#endif
  ssl_debug_printf("--------------------------------------------------------------------");
  ret = gcry_cipher_setiv(*(cipher), iv, iv_len);
3578#if 0
  for(ivp=c->iv,i=0; i < iv_len; i++ )
      {
      ssl_debug_printf("%d ",ivp[i]);
      i++;
      }
3584#endif
  ssl_debug_printf("--------------------------------------------------------------------");
  return ret;
3587}
3588/* stream cipher abstraction layer*/
3589static int
3590ssl_cipher_init(gcry_cipher_hd_t *cipher, int algo, unsigned char* sk,
      unsigned char* iv, int mode)
3592{
  int gcry_modes[] = {
      GCRY_CIPHER_MODE_STREAM,
      GCRY_CIPHER_MODE_CBC,
      GCRY_CIPHER_MODE_GCM,
      GCRY_CIPHER_MODE_CCM,
      GCRY_CIPHER_MODE_CCM,
      GCRY_CIPHER_MODE_POLY1305,
      GCRY_CIPHER_MODE_ECB, /* used for DTLSv1.3 seq number encryption */
  };
  int err;
  if (algo == -1) {
      /* NULL mode */
      *(cipher) = (gcry_cipher_hd_t)-1;
      return 0;
  }
  err = gcry_cipher_open(cipher, algo, gcry_modes[mode], 0);
  if (err !=0)
      return  -1;
  err = gcry_cipher_setkey(*(cipher), sk, gcry_cipher_get_algo_keylen (algo));
  if (err != 0)
      return -1;
  /* AEAD cipher suites will set the nonce later. */
  if (mode == MODE_CBC) {
      err = gcry_cipher_setiv(*(cipher), iv, gcry_cipher_get_algo_blklen(algo));
      if (err != 0)
          return -1;
  }
  return 0;
3621}
3622static inline int
3623ssl_cipher_decrypt(gcry_cipher_hd_t *cipher, unsigned char * out, int outl,
                 const unsigned char * in, int inl)
3625{
  if ((*cipher) == (gcry_cipher_hd_t)-1)
  {
      if (in && inl)
          memcpy(out, in, outl < inl ? outl : inl);
      return 0;
  }
  return gcry_cipher_decrypt ( *(cipher), out, outl, in, inl);
3633}
3634static inline int
3635ssl_get_digest_by_name(const char*name)
3636{
  return gcry_md_map_name(name);
3638}
3639static inline int
3640ssl_get_cipher_by_name(const char* name)
3641{
  return gcry_cipher_map_name(name);
3643}

3645static inline void
3646ssl_cipher_cleanup(gcry_cipher_hd_t *cipher)
3647{
  if ((*cipher) != (gcry_cipher_hd_t)-1)
      gcry_cipher_close(*cipher);
  *cipher = NULL((void*)0);
3651}
3652/* }}} */

3654/* Digests, Ciphers and Cipher Suites registry {{{ */
3655static const SslDigestAlgo digests[]={
  {"MD5",     16},
  {"SHA1",    20},
  {"SHA256",  32},
  {"SHA384",  48},
  {"SM3",     32},
  {"Not Applicable",  0},
3662};

3664#define DIGEST_MAX_SIZE48 48

3666/* get index digest index */
3667static const SslDigestAlgo *
3668ssl_cipher_suite_dig(const SslCipherSuite *cs) {
  if (!cs || cs->dig < DIG_MD50x40 || cs->dig > DIG_NA0x45) {
      return &digests[DIG_NA0x45 - DIG_MD50x40];
  }
  return &digests[cs->dig - DIG_MD50x40];
3673}

3675static const char *ciphers[]={
  "DES",
  "3DES",
  "ARCFOUR", /* libgcrypt does not support rc4, but this should be 100% compatible*/
  "RFC2268_128", /* libgcrypt name for RC2 with a 128-bit key */
  "IDEA",
  "AES",
  "AES256",
  "CAMELLIA128",
  "CAMELLIA256",
  "SEED",
  "CHACHA20", /* since Libgcrypt 1.7.0 */
  "SM1",
  "SM4",
  "*UNKNOWN*"
3690};

3692static const SslCipherSuite cipher_suites[]={
  {0x0001,KEX_RSA0x1e,            ENC_NULL0x3D,       DIG_MD50x40,    MODE_STREAM},   /* TLS_RSA_WITH_NULL_MD5 */
  {0x0002,KEX_RSA0x1e,            ENC_NULL0x3D,       DIG_SHA0x41,    MODE_STREAM},   /* TLS_RSA_WITH_NULL_SHA */
  {0x0003,KEX_RSA0x1e,            ENC_RC40x32,        DIG_MD50x40,    MODE_STREAM},   /* TLS_RSA_EXPORT_WITH_RC4_40_MD5 */
  {0x0004,KEX_RSA0x1e,            ENC_RC40x32,        DIG_MD50x40,    MODE_STREAM},   /* TLS_RSA_WITH_RC4_128_MD5 */
  {0x0005,KEX_RSA0x1e,            ENC_RC40x32,        DIG_SHA0x41,    MODE_STREAM},   /* TLS_RSA_WITH_RC4_128_SHA */
  {0x0006,KEX_RSA0x1e,            ENC_RC20x33,        DIG_MD50x40,    MODE_CBC   },   /* TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 */
  {0x0007,KEX_RSA0x1e,            ENC_IDEA0x34,       DIG_SHA0x41,    MODE_CBC   },   /* TLS_RSA_WITH_IDEA_CBC_SHA */
  {0x0008,KEX_RSA0x1e,            ENC_DES0x30,        DIG_SHA0x41,    MODE_CBC   },   /* TLS_RSA_EXPORT_WITH_DES40_CBC_SHA */
  {0x0009,KEX_RSA0x1e,            ENC_DES0x30,        DIG_SHA0x41,    MODE_CBC   },   /* TLS_RSA_WITH_DES_CBC_SHA */
  {0x000A,KEX_RSA0x1e,            ENC_3DES0x31,       DIG_SHA0x41,    MODE_CBC   },   /* TLS_RSA_WITH_3DES_EDE_CBC_SHA */
  {0x000B,KEX_DH_DSS0x14,         ENC_DES0x30,        DIG_SHA0x41,    MODE_CBC   },   /* TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA */
  {0x000C,KEX_DH_DSS0x14,         ENC_DES0x30,        DIG_SHA0x41,    MODE_CBC   },   /* TLS_DH_DSS_WITH_DES_CBC_SHA */
  {0x000D,KEX_DH_DSS0x14,         ENC_3DES0x31,       DIG_SHA0x41,    MODE_CBC   },   /* TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA */
  {0x000E,KEX_DH_RSA0x15,         ENC_DES0x30,        DIG_SHA0x41,    MODE_CBC   },   /* TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA */
  {0x000F,KEX_DH_RSA0x15,         ENC_DES0x30,        DIG_SHA0x41,    MODE_CBC   },   /* TLS_DH_RSA_WITH_DES_CBC_SHA */
  {0x0010,KEX_DH_RSA0x15,         ENC_3DES0x31,       DIG_SHA0x41,    MODE_CBC   },   /* TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA */
  {0x0011,KEX_DHE_DSS0x10,        ENC_DES0x30,        DIG_SHA0x41,    MODE_CBC   },   /* TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA */
  {0x0012,KEX_DHE_DSS0x10,        ENC_DES0x30,        DIG_SHA0x41,    MODE_CBC   },   /* TLS_DHE_DSS_WITH_DES_CBC_SHA */
  {0x0013,KEX_DHE_DSS0x10,        ENC_3DES0x31,       DIG_SHA0x41,    MODE_CBC   },   /* TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA */
  {0x0014,KEX_DHE_RSA0x12,        ENC_DES0x30,        DIG_SHA0x41,    MODE_CBC   },   /* TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA */
  {0x0015,KEX_DHE_RSA0x12,        ENC_DES0x30,        DIG_SHA0x41,    MODE_CBC   },   /* TLS_DHE_RSA_WITH_DES_CBC_SHA */
  {0x0016,KEX_DHE_RSA0x12,        ENC_3DES0x31,       DIG_SHA0x41,    MODE_CBC   },   /* TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA */
  {0x0017,KEX_DH_ANON0x13,        ENC_RC40x32,        DIG_MD50x40,    MODE_STREAM},   /* TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 */
  {0x0018,KEX_DH_ANON0x13,        ENC_RC40x32,        DIG_MD50x40,    MODE_STREAM},   /* TLS_DH_anon_WITH_RC4_128_MD5 */
  {0x0019,KEX_DH_ANON0x13,        ENC_DES0x30,        DIG_SHA0x41,    MODE_CBC   },   /* TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA */
  {0x001A,KEX_DH_ANON0x13,        ENC_DES0x30,        DIG_SHA0x41,    MODE_CBC   },   /* TLS_DH_anon_WITH_DES_CBC_SHA */
  {0x001B,KEX_DH_ANON0x13,        ENC_3DES0x31,       DIG_SHA0x41,    MODE_CBC   },   /* TLS_DH_anon_WITH_3DES_EDE_CBC_SHA */
  {0x002C,KEX_PSK0x1d,            ENC_NULL0x3D,       DIG_SHA0x41,    MODE_STREAM},   /* TLS_PSK_WITH_NULL_SHA */
  {0x002D,KEX_DHE_PSK0x11,        ENC_NULL0x3D,       DIG_SHA0x41,    MODE_STREAM},   /* TLS_DHE_PSK_WITH_NULL_SHA */
  {0x002E,KEX_RSA_PSK0x1f,        ENC_NULL0x3D,       DIG_SHA0x41,    MODE_STREAM},   /* TLS_RSA_PSK_WITH_NULL_SHA */
  {0x002F,KEX_RSA0x1e,            ENC_AES0x35,        DIG_SHA0x41,    MODE_CBC   },   /* TLS_RSA_WITH_AES_128_CBC_SHA */
  {0x0030,KEX_DH_DSS0x14,         ENC_AES0x35,        DIG_SHA0x41,    MODE_CBC   },   /* TLS_DH_DSS_WITH_AES_128_CBC_SHA */
  {0x0031,KEX_DH_RSA0x15,         ENC_AES0x35,        DIG_SHA0x41,    MODE_CBC   },   /* TLS_DH_RSA_WITH_AES_128_CBC_SHA */
  {0x0032,KEX_DHE_DSS0x10,        ENC_AES0x35,        DIG_SHA0x41,    MODE_CBC   },   /* TLS_DHE_DSS_WITH_AES_128_CBC_SHA */
  {0x0033,KEX_DHE_RSA0x12,        ENC_AES0x35,        DIG_SHA0x41,    MODE_CBC   },   /* TLS_DHE_RSA_WITH_AES_128_CBC_SHA */
  {0x0034,KEX_DH_ANON0x13,        ENC_AES0x35,        DIG_SHA0x41,    MODE_CBC   },   /* TLS_DH_anon_WITH_AES_128_CBC_SHA */
  {0x0035,KEX_RSA0x1e,            ENC_AES2560x36,     DIG_SHA0x41,    MODE_CBC   },   /* TLS_RSA_WITH_AES_256_CBC_SHA */
  {0x0036,KEX_DH_DSS0x14,         ENC_AES2560x36,     DIG_SHA0x41,    MODE_CBC   },   /* TLS_DH_DSS_WITH_AES_256_CBC_SHA */
  {0x0037,KEX_DH_RSA0x15,         ENC_AES2560x36,     DIG_SHA0x41,    MODE_CBC   },   /* TLS_DH_RSA_WITH_AES_256_CBC_SHA */
  {0x0038,KEX_DHE_DSS0x10,        ENC_AES2560x36,     DIG_SHA0x41,    MODE_CBC   },   /* TLS_DHE_DSS_WITH_AES_256_CBC_SHA */
  {0x0039,KEX_DHE_RSA0x12,        ENC_AES2560x36,     DIG_SHA0x41,    MODE_CBC   },   /* TLS_DHE_RSA_WITH_AES_256_CBC_SHA */
  {0x003A,KEX_DH_ANON0x13,        ENC_AES2560x36,     DIG_SHA0x41,    MODE_CBC   },   /* TLS_DH_anon_WITH_AES_256_CBC_SHA */
  {0x003B,KEX_RSA0x1e,            ENC_NULL0x3D,       DIG_SHA2560x42, MODE_STREAM},   /* TLS_RSA_WITH_NULL_SHA256 */
  {0x003C,KEX_RSA0x1e,            ENC_AES0x35,        DIG_SHA2560x42, MODE_CBC   },   /* TLS_RSA_WITH_AES_128_CBC_SHA256 */
  {0x003D,KEX_RSA0x1e,            ENC_AES2560x36,     DIG_SHA2560x42, MODE_CBC   },   /* TLS_RSA_WITH_AES_256_CBC_SHA256 */
  {0x003E,KEX_DH_DSS0x14,         ENC_AES0x35,        DIG_SHA2560x42, MODE_CBC   },   /* TLS_DH_DSS_WITH_AES_128_CBC_SHA256 */
  {0x003F,KEX_DH_RSA0x15,         ENC_AES0x35,        DIG_SHA2560x42, MODE_CBC   },   /* TLS_DH_RSA_WITH_AES_128_CBC_SHA256 */
  {0x0040,KEX_DHE_DSS0x10,        ENC_AES0x35,        DIG_SHA2560x42, MODE_CBC   },   /* TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 */
  {0x0041,KEX_RSA0x1e,            ENC_CAMELLIA1280x37,DIG_SHA0x41,    MODE_CBC   },   /* TLS_RSA_WITH_CAMELLIA_128_CBC_SHA */
  {0x0042,KEX_DH_DSS0x14,         ENC_CAMELLIA1280x37,DIG_SHA0x41,    MODE_CBC   },   /* TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA */
  {0x0043,KEX_DH_RSA0x15,         ENC_CAMELLIA1280x37,DIG_SHA0x41,    MODE_CBC   },   /* TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA */
  {0x0044,KEX_DHE_DSS0x10,        ENC_CAMELLIA1280x37,DIG_SHA0x41,    MODE_CBC   },   /* TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA */
  {0x0045,KEX_DHE_RSA0x12,        ENC_CAMELLIA1280x37,DIG_SHA0x41,    MODE_CBC   },   /* TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA */
  {0x0046,KEX_DH_ANON0x13,        ENC_CAMELLIA1280x37,DIG_SHA0x41,    MODE_CBC   },   /* TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA */
  {0x0060,KEX_RSA0x1e,            ENC_RC40x32,        DIG_MD50x40,    MODE_STREAM},   /* TLS_RSA_EXPORT1024_WITH_RC4_56_MD5 */
  {0x0061,KEX_RSA0x1e,            ENC_RC20x33,        DIG_MD50x40,    MODE_STREAM},   /* TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 */
  {0x0062,KEX_RSA0x1e,            ENC_DES0x30,        DIG_SHA0x41,    MODE_CBC   },   /* TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA */
  {0x0063,KEX_DHE_DSS0x10,        ENC_DES0x30,        DIG_SHA0x41,    MODE_CBC   },   /* TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA */
  {0x0064,KEX_RSA0x1e,            ENC_RC40x32,        DIG_SHA0x41,    MODE_STREAM},   /* TLS_RSA_EXPORT1024_WITH_RC4_56_SHA */
  {0x0065,KEX_DHE_DSS0x10,        ENC_RC40x32,        DIG_SHA0x41,    MODE_STREAM},   /* TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA */
  {0x0066,KEX_DHE_DSS0x10,        ENC_RC40x32,        DIG_SHA0x41,    MODE_STREAM},   /* TLS_DHE_DSS_WITH_RC4_128_SHA */
  {0x0067,KEX_DHE_RSA0x12,        ENC_AES0x35,        DIG_SHA2560x42, MODE_CBC   },   /* TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 */
  {0x0068,KEX_DH_DSS0x14,         ENC_AES2560x36,     DIG_SHA2560x42, MODE_CBC   },   /* TLS_DH_DSS_WITH_AES_256_CBC_SHA256 */
  {0x0069,KEX_DH_RSA0x15,         ENC_AES2560x36,     DIG_SHA2560x42, MODE_CBC   },   /* TLS_DH_RSA_WITH_AES_256_CBC_SHA256 */
  {0x006A,KEX_DHE_DSS0x10,        ENC_AES2560x36,     DIG_SHA2560x42, MODE_CBC   },   /* TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 */
  {0x006B,KEX_DHE_RSA0x12,        ENC_AES2560x36,     DIG_SHA2560x42, MODE_CBC   },   /* TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 */
  {0x006C,KEX_DH_ANON0x13,        ENC_AES0x35,        DIG_SHA2560x42, MODE_CBC   },   /* TLS_DH_anon_WITH_AES_128_CBC_SHA256 */
  {0x006D,KEX_DH_ANON0x13,        ENC_AES2560x36,     DIG_SHA2560x42, MODE_CBC   },   /* TLS_DH_anon_WITH_AES_256_CBC_SHA256 */
  {0x0084,KEX_RSA0x1e,            ENC_CAMELLIA2560x38,DIG_SHA0x41,    MODE_CBC   },   /* TLS_RSA_WITH_CAMELLIA_256_CBC_SHA */
  {0x0085,KEX_DH_DSS0x14,         ENC_CAMELLIA2560x38,DIG_SHA0x41,    MODE_CBC   },   /* TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA */
  {0x0086,KEX_DH_RSA0x15,         ENC_CAMELLIA2560x38,DIG_SHA0x41,    MODE_CBC   },   /* TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA */
  {0x0087,KEX_DHE_DSS0x10,        ENC_CAMELLIA2560x38,DIG_SHA0x41,    MODE_CBC   },   /* TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA */
  {0x0088,KEX_DHE_RSA0x12,        ENC_CAMELLIA2560x38,DIG_SHA0x41,    MODE_CBC   },   /* TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA */
  {0x0089,KEX_DH_ANON0x13,        ENC_CAMELLIA2560x38,DIG_SHA0x41,    MODE_CBC   },   /* TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA */
  {0x008A,KEX_PSK0x1d,            ENC_RC40x32,        DIG_SHA0x41,    MODE_STREAM},   /* TLS_PSK_WITH_RC4_128_SHA */
  {0x008B,KEX_PSK0x1d,            ENC_3DES0x31,       DIG_SHA0x41,    MODE_CBC   },   /* TLS_PSK_WITH_3DES_EDE_CBC_SHA */
  {0x008C,KEX_PSK0x1d,            ENC_AES0x35,        DIG_SHA0x41,    MODE_CBC   },   /* TLS_PSK_WITH_AES_128_CBC_SHA */
  {0x008D,KEX_PSK0x1d,            ENC_AES2560x36,     DIG_SHA0x41,    MODE_CBC   },   /* TLS_PSK_WITH_AES_256_CBC_SHA */
  {0x008E,KEX_DHE_PSK0x11,        ENC_RC40x32,        DIG_SHA0x41,    MODE_STREAM},   /* TLS_DHE_PSK_WITH_RC4_128_SHA */
  {0x008F,KEX_DHE_PSK0x11,        ENC_3DES0x31,       DIG_SHA0x41,    MODE_CBC   },   /* TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA */
  {0x0090,KEX_DHE_PSK0x11,        ENC_AES0x35,        DIG_SHA0x41,    MODE_CBC   },   /* TLS_DHE_PSK_WITH_AES_128_CBC_SHA */
  {0x0091,KEX_DHE_PSK0x11,        ENC_AES2560x36,     DIG_SHA0x41,    MODE_CBC   },   /* TLS_DHE_PSK_WITH_AES_256_CBC_SHA */
  {0x0092,KEX_RSA_PSK0x1f,        ENC_RC40x32,        DIG_SHA0x41,    MODE_STREAM},   /* TLS_RSA_PSK_WITH_RC4_128_SHA */
  {0x0093,KEX_RSA_PSK0x1f,        ENC_3DES0x31,       DIG_SHA0x41,    MODE_CBC   },   /* TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA */
  {0x0094,KEX_RSA_PSK0x1f,        ENC_AES0x35,        DIG_SHA0x41,    MODE_CBC   },   /* TLS_RSA_PSK_WITH_AES_128_CBC_SHA */
  {0x0095,KEX_RSA_PSK0x1f,        ENC_AES2560x36,     DIG_SHA0x41,    MODE_CBC   },   /* TLS_RSA_PSK_WITH_AES_256_CBC_SHA */
  {0x0096,KEX_RSA0x1e,            ENC_SEED0x39,       DIG_SHA0x41,    MODE_CBC   },   /* TLS_RSA_WITH_SEED_CBC_SHA */
  {0x0097,KEX_DH_DSS0x14,         ENC_SEED0x39,       DIG_SHA0x41,    MODE_CBC   },   /* TLS_DH_DSS_WITH_SEED_CBC_SHA */
  {0x0098,KEX_DH_RSA0x15,         ENC_SEED0x39,       DIG_SHA0x41,    MODE_CBC   },   /* TLS_DH_RSA_WITH_SEED_CBC_SHA */
  {0x0099,KEX_DHE_DSS0x10,        ENC_SEED0x39,       DIG_SHA0x41,    MODE_CBC   },   /* TLS_DHE_DSS_WITH_SEED_CBC_SHA */
  {0x009A,KEX_DHE_RSA0x12,        ENC_SEED0x39,       DIG_SHA0x41,    MODE_CBC   },   /* TLS_DHE_RSA_WITH_SEED_CBC_SHA */
  {0x009B,KEX_DH_ANON0x13,        ENC_SEED0x39,       DIG_SHA0x41,    MODE_CBC   },   /* TLS_DH_anon_WITH_SEED_CBC_SHA */
  {0x009C,KEX_RSA0x1e,            ENC_AES0x35,        DIG_SHA2560x42, MODE_GCM   },   /* TLS_RSA_WITH_AES_128_GCM_SHA256 */
  {0x009D,KEX_RSA0x1e,            ENC_AES2560x36,     DIG_SHA3840x43, MODE_GCM   },   /* TLS_RSA_WITH_AES_256_GCM_SHA384 */
  {0x009E,KEX_DHE_RSA0x12,        ENC_AES0x35,        DIG_SHA2560x42, MODE_GCM   },   /* TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 */
  {0x009F,KEX_DHE_RSA0x12,        ENC_AES2560x36,     DIG_SHA3840x43, MODE_GCM   },   /* TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 */
  {0x00A0,KEX_DH_RSA0x15,         ENC_AES0x35,        DIG_SHA2560x42, MODE_GCM   },   /* TLS_DH_RSA_WITH_AES_128_GCM_SHA256 */
  {0x00A1,KEX_DH_RSA0x15,         ENC_AES2560x36,     DIG_SHA3840x43, MODE_GCM   },   /* TLS_DH_RSA_WITH_AES_256_GCM_SHA384 */
  {0x00A2,KEX_DHE_DSS0x10,        ENC_AES0x35,        DIG_SHA2560x42, MODE_GCM   },   /* TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 */
  {0x00A3,KEX_DHE_DSS0x10,        ENC_AES2560x36,     DIG_SHA3840x43, MODE_GCM   },   /* TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 */
  {0x00A4,KEX_DH_DSS0x14,         ENC_AES0x35,        DIG_SHA2560x42, MODE_GCM   },   /* TLS_DH_DSS_WITH_AES_128_GCM_SHA256 */
  {0x00A5,KEX_DH_DSS0x14,         ENC_AES2560x36,     DIG_SHA3840x43, MODE_GCM   },   /* TLS_DH_DSS_WITH_AES_256_GCM_SHA384 */
  {0x00A6,KEX_DH_ANON0x13,        ENC_AES0x35,        DIG_SHA2560x42, MODE_GCM   },   /* TLS_DH_anon_WITH_AES_128_GCM_SHA256 */
  {0x00A7,KEX_DH_ANON0x13,        ENC_AES2560x36,     DIG_SHA3840x43, MODE_GCM   },   /* TLS_DH_anon_WITH_AES_256_GCM_SHA384 */
  {0x00A8,KEX_PSK0x1d,            ENC_AES0x35,        DIG_SHA2560x42, MODE_GCM   },   /* TLS_PSK_WITH_AES_128_GCM_SHA256 */
  {0x00A9,KEX_PSK0x1d,            ENC_AES2560x36,     DIG_SHA3840x43, MODE_GCM   },   /* TLS_PSK_WITH_AES_256_GCM_SHA384 */
  {0x00AA,KEX_DHE_PSK0x11,        ENC_AES0x35,        DIG_SHA2560x42, MODE_GCM   },   /* TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 */
  {0x00AB,KEX_DHE_PSK0x11,        ENC_AES2560x36,     DIG_SHA3840x43, MODE_GCM   },   /* TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 */
  {0x00AC,KEX_RSA_PSK0x1f,        ENC_AES0x35,        DIG_SHA2560x42, MODE_GCM   },   /* TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 */
  {0x00AD,KEX_RSA_PSK0x1f,        ENC_AES2560x36,     DIG_SHA3840x43, MODE_GCM   },   /* TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 */
  {0x00AE,KEX_PSK0x1d,            ENC_AES0x35,        DIG_SHA2560x42, MODE_CBC   },   /* TLS_PSK_WITH_AES_128_CBC_SHA256 */
  {0x00AF,KEX_PSK0x1d,            ENC_AES2560x36,     DIG_SHA3840x43, MODE_CBC   },   /* TLS_PSK_WITH_AES_256_CBC_SHA384 */
  {0x00B0,KEX_PSK0x1d,            ENC_NULL0x3D,       DIG_SHA2560x42, MODE_STREAM},   /* TLS_PSK_WITH_NULL_SHA256 */
  {0x00B1,KEX_PSK0x1d,            ENC_NULL0x3D,       DIG_SHA3840x43, MODE_STREAM},   /* TLS_PSK_WITH_NULL_SHA384 */
  {0x00B2,KEX_DHE_PSK0x11,        ENC_AES0x35,        DIG_SHA2560x42, MODE_CBC   },   /* TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 */
  {0x00B3,KEX_DHE_PSK0x11,        ENC_AES2560x36,     DIG_SHA3840x43, MODE_CBC   },   /* TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 */
  {0x00B4,KEX_DHE_PSK0x11,        ENC_NULL0x3D,       DIG_SHA2560x42, MODE_STREAM},   /* TLS_DHE_PSK_WITH_NULL_SHA256 */
  {0x00B5,KEX_DHE_PSK0x11,        ENC_NULL0x3D,       DIG_SHA3840x43, MODE_STREAM},   /* TLS_DHE_PSK_WITH_NULL_SHA384 */
  {0x00B6,KEX_RSA_PSK0x1f,        ENC_AES0x35,        DIG_SHA2560x42, MODE_CBC   },   /* TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 */
  {0x00B7,KEX_RSA_PSK0x1f,        ENC_AES2560x36,     DIG_SHA3840x43, MODE_CBC   },   /* TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 */
  {0x00B8,KEX_RSA_PSK0x1f,        ENC_NULL0x3D,       DIG_SHA2560x42, MODE_STREAM},   /* TLS_RSA_PSK_WITH_NULL_SHA256 */
  {0x00B9,KEX_RSA_PSK0x1f,        ENC_NULL0x3D,       DIG_SHA3840x43, MODE_STREAM},   /* TLS_RSA_PSK_WITH_NULL_SHA384 */
  {0x00BA,KEX_RSA0x1e,            ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC   },   /* TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 */
  {0x00BB,KEX_DH_DSS0x14,         ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC   },   /* TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256 */
  {0x00BC,KEX_DH_RSA0x15,         ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC   },   /* TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256 */
  {0x00BD,KEX_DHE_DSS0x10,        ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC   },   /* TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256 */
  {0x00BE,KEX_DHE_RSA0x12,        ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC   },   /* TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 */
  {0x00BF,KEX_DH_ANON0x13,        ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC   },   /* TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256 */
  {0x00C0,KEX_RSA0x1e,            ENC_CAMELLIA2560x38,DIG_SHA2560x42, MODE_CBC   },   /* TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 */
  {0x00C1,KEX_DH_DSS0x14,         ENC_CAMELLIA2560x38,DIG_SHA2560x42, MODE_CBC   },   /* TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256 */
  {0x00C2,KEX_DH_RSA0x15,         ENC_CAMELLIA2560x38,DIG_SHA2560x42, MODE_CBC   },   /* TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256 */
  {0x00C3,KEX_DHE_DSS0x10,        ENC_CAMELLIA2560x38,DIG_SHA2560x42, MODE_CBC   },   /* TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256 */
  {0x00C4,KEX_DHE_RSA0x12,        ENC_CAMELLIA2560x38,DIG_SHA2560x42, MODE_CBC   },   /* TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 */
  {0x00C5,KEX_DH_ANON0x13,        ENC_CAMELLIA2560x38,DIG_SHA2560x42, MODE_CBC   },   /* TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256 */

  /* NOTE: TLS 1.3 cipher suites are incompatible with TLS 1.2. */
  {0x1301,KEX_TLS130x23,          ENC_AES0x35,        DIG_SHA2560x42, MODE_GCM   },   /* TLS_AES_128_GCM_SHA256 */
  {0x1302,KEX_TLS130x23,          ENC_AES2560x36,     DIG_SHA3840x43, MODE_GCM   },   /* TLS_AES_256_GCM_SHA384 */
  {0x1303,KEX_TLS130x23,          ENC_CHACHA200x3A,   DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_CHACHA20_POLY1305_SHA256 */
  {0x1304,KEX_TLS130x23,          ENC_AES0x35,        DIG_SHA2560x42, MODE_CCM   },   /* TLS_AES_128_CCM_SHA256 */
  {0x1305,KEX_TLS130x23,          ENC_AES0x35,        DIG_SHA2560x42, MODE_CCM_8 },   /* TLS_AES_128_CCM_8_SHA256 */
  {0x00C6,KEX_TLS130x23,          ENC_SM40x3C,        DIG_SM30x44,    MODE_GCM   },   /* TLS_SM4_GCM_SM3 */

  {0xC001,KEX_ECDH_ECDSA0x1a,     ENC_NULL0x3D,       DIG_SHA0x41,    MODE_STREAM},   /* TLS_ECDH_ECDSA_WITH_NULL_SHA */
  {0xC002,KEX_ECDH_ECDSA0x1a,     ENC_RC40x32,        DIG_SHA0x41,    MODE_STREAM},   /* TLS_ECDH_ECDSA_WITH_RC4_128_SHA */
  {0xC003,KEX_ECDH_ECDSA0x1a,     ENC_3DES0x31,       DIG_SHA0x41,    MODE_CBC   },   /* TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA */
  {0xC004,KEX_ECDH_ECDSA0x1a,     ENC_AES0x35,        DIG_SHA0x41,    MODE_CBC   },   /* TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA */
  {0xC005,KEX_ECDH_ECDSA0x1a,     ENC_AES2560x36,     DIG_SHA0x41,    MODE_CBC   },   /* TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA */
  {0xC006,KEX_ECDHE_ECDSA0x16,    ENC_NULL0x3D,       DIG_SHA0x41,    MODE_STREAM},   /* TLS_ECDHE_ECDSA_WITH_NULL_SHA */
  {0xC007,KEX_ECDHE_ECDSA0x16,    ENC_RC40x32,        DIG_SHA0x41,    MODE_STREAM},   /* TLS_ECDHE_ECDSA_WITH_RC4_128_SHA */
  {0xC008,KEX_ECDHE_ECDSA0x16,    ENC_3DES0x31,       DIG_SHA0x41,    MODE_CBC   },   /* TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA */
  {0xC009,KEX_ECDHE_ECDSA0x16,    ENC_AES0x35,        DIG_SHA0x41,    MODE_CBC   },   /* TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA */
  {0xC00A,KEX_ECDHE_ECDSA0x16,    ENC_AES2560x36,     DIG_SHA0x41,    MODE_CBC   },   /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA */
  {0xC00B,KEX_ECDH_RSA0x1b,       ENC_NULL0x3D,       DIG_SHA0x41,    MODE_STREAM},   /* TLS_ECDH_RSA_WITH_NULL_SHA */
  {0xC00C,KEX_ECDH_RSA0x1b,       ENC_RC40x32,        DIG_SHA0x41,    MODE_STREAM},   /* TLS_ECDH_RSA_WITH_RC4_128_SHA */
  {0xC00D,KEX_ECDH_RSA0x1b,       ENC_3DES0x31,       DIG_SHA0x41,    MODE_CBC   },   /* TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA */
  {0xC00E,KEX_ECDH_RSA0x1b,       ENC_AES0x35,        DIG_SHA0x41,    MODE_CBC   },   /* TLS_ECDH_RSA_WITH_AES_128_CBC_SHA */
  {0xC00F,KEX_ECDH_RSA0x1b,       ENC_AES2560x36,     DIG_SHA0x41,    MODE_CBC   },   /* TLS_ECDH_RSA_WITH_AES_256_CBC_SHA */
  {0xC0FF,KEX_ECJPAKE0x24,        ENC_AES0x35,        DIG_NA0x45,     MODE_CCM_8 },   /* TLS_ECJPAKE_WITH_AES_128_CCM_8 */
  {0xC010,KEX_ECDHE_RSA0x18,      ENC_NULL0x3D,       DIG_SHA0x41,    MODE_STREAM},   /* TLS_ECDHE_RSA_WITH_NULL_SHA */
  {0xC011,KEX_ECDHE_RSA0x18,      ENC_RC40x32,        DIG_SHA0x41,    MODE_STREAM},   /* TLS_ECDHE_RSA_WITH_RC4_128_SHA */
  {0xC012,KEX_ECDHE_RSA0x18,      ENC_3DES0x31,       DIG_SHA0x41,    MODE_CBC   },   /* TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA */
  {0xC013,KEX_ECDHE_RSA0x18,      ENC_AES0x35,        DIG_SHA0x41,    MODE_CBC   },   /* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA */
  {0xC014,KEX_ECDHE_RSA0x18,      ENC_AES2560x36,     DIG_SHA0x41,    MODE_CBC   },   /* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA */
  {0xC015,KEX_ECDH_ANON0x19,      ENC_NULL0x3D,       DIG_SHA0x41,    MODE_STREAM},   /* TLS_ECDH_anon_WITH_NULL_SHA */
  {0xC016,KEX_ECDH_ANON0x19,      ENC_RC40x32,        DIG_SHA0x41,    MODE_STREAM},   /* TLS_ECDH_anon_WITH_RC4_128_SHA */
  {0xC017,KEX_ECDH_ANON0x19,      ENC_3DES0x31,       DIG_SHA0x41,    MODE_CBC   },   /* TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA */
  {0xC018,KEX_ECDH_ANON0x19,      ENC_AES0x35,        DIG_SHA0x41,    MODE_CBC   },   /* TLS_ECDH_anon_WITH_AES_128_CBC_SHA */
  {0xC019,KEX_ECDH_ANON0x19,      ENC_AES2560x36,     DIG_SHA0x41,    MODE_CBC   },   /* TLS_ECDH_anon_WITH_AES_256_CBC_SHA */
  {0xC01A,KEX_SRP_SHA0x20,        ENC_3DES0x31,       DIG_SHA0x41,    MODE_CBC   },   /* TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA */
  {0xC01B,KEX_SRP_SHA_RSA0x22,    ENC_3DES0x31,       DIG_SHA0x41,    MODE_CBC   },   /* TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA */
  {0xC01C,KEX_SRP_SHA_DSS0x21,    ENC_3DES0x31,       DIG_SHA0x41,    MODE_CBC   },   /* TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA */
  {0xC01D,KEX_SRP_SHA0x20,        ENC_AES0x35,        DIG_SHA0x41,    MODE_CBC   },   /* TLS_SRP_SHA_WITH_AES_128_CBC_SHA */
  {0xC01E,KEX_SRP_SHA_RSA0x22,    ENC_AES0x35,        DIG_SHA0x41,    MODE_CBC   },   /* TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA */
  {0xC01F,KEX_SRP_SHA_DSS0x21,    ENC_AES0x35,        DIG_SHA0x41,    MODE_CBC   },   /* TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA */
  {0xC020,KEX_SRP_SHA0x20,        ENC_AES2560x36,     DIG_SHA0x41,    MODE_CBC   },   /* TLS_SRP_SHA_WITH_AES_256_CBC_SHA */
  {0xC021,KEX_SRP_SHA_RSA0x22,    ENC_AES2560x36,     DIG_SHA0x41,    MODE_CBC   },   /* TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA */
  {0xC022,KEX_SRP_SHA_DSS0x21,    ENC_AES2560x36,     DIG_SHA0x41,    MODE_CBC   },   /* TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA */
  {0xC023,KEX_ECDHE_ECDSA0x16,    ENC_AES0x35,        DIG_SHA2560x42, MODE_CBC   },   /* TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 */
  {0xC024,KEX_ECDHE_ECDSA0x16,    ENC_AES2560x36,     DIG_SHA3840x43, MODE_CBC   },   /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 */
  {0xC025,KEX_ECDH_ECDSA0x1a,     ENC_AES0x35,        DIG_SHA2560x42, MODE_CBC   },   /* TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 */
  {0xC026,KEX_ECDH_ECDSA0x1a,     ENC_AES2560x36,     DIG_SHA3840x43, MODE_CBC   },   /* TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 */
  {0xC027,KEX_ECDHE_RSA0x18,      ENC_AES0x35,        DIG_SHA2560x42, MODE_CBC   },   /* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 */
  {0xC028,KEX_ECDHE_RSA0x18,      ENC_AES2560x36,     DIG_SHA3840x43, MODE_CBC   },   /* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 */
  {0xC029,KEX_ECDH_RSA0x1b,       ENC_AES0x35,        DIG_SHA2560x42, MODE_CBC   },   /* TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 */
  {0xC02A,KEX_ECDH_RSA0x1b,       ENC_AES2560x36,     DIG_SHA3840x43, MODE_CBC   },   /* TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 */
  {0xC02B,KEX_ECDHE_ECDSA0x16,    ENC_AES0x35,        DIG_SHA2560x42, MODE_GCM   },   /* TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 */
  {0xC02C,KEX_ECDHE_ECDSA0x16,    ENC_AES2560x36,     DIG_SHA3840x43, MODE_GCM   },   /* TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 */
  {0xC02D,KEX_ECDH_ECDSA0x1a,     ENC_AES0x35,        DIG_SHA2560x42, MODE_GCM   },   /* TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 */
  {0xC02E,KEX_ECDH_ECDSA0x1a,     ENC_AES2560x36,     DIG_SHA3840x43, MODE_GCM   },   /* TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 */
  {0xC02F,KEX_ECDHE_RSA0x18,      ENC_AES0x35,        DIG_SHA2560x42, MODE_GCM   },   /* TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 */
  {0xC030,KEX_ECDHE_RSA0x18,      ENC_AES2560x36,     DIG_SHA3840x43, MODE_GCM   },   /* TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 */
  {0xC031,KEX_ECDH_RSA0x1b,       ENC_AES0x35,        DIG_SHA2560x42, MODE_GCM   },   /* TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 */
  {0xC032,KEX_ECDH_RSA0x1b,       ENC_AES2560x36,     DIG_SHA3840x43, MODE_GCM   },   /* TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 */
  {0xC033,KEX_ECDHE_PSK0x17,      ENC_RC40x32,        DIG_SHA0x41,    MODE_STREAM},   /* TLS_ECDHE_PSK_WITH_RC4_128_SHA */
  {0xC034,KEX_ECDHE_PSK0x17,      ENC_3DES0x31,       DIG_SHA0x41,    MODE_CBC   },   /* TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA */
  {0xC035,KEX_ECDHE_PSK0x17,      ENC_AES0x35,        DIG_SHA0x41,    MODE_CBC   },   /* TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA */
  {0xC036,KEX_ECDHE_PSK0x17,      ENC_AES2560x36,     DIG_SHA0x41,    MODE_CBC   },   /* TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA */
  {0xC037,KEX_ECDHE_PSK0x17,      ENC_AES0x35,        DIG_SHA2560x42, MODE_CBC   },   /* TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 */
  {0xC038,KEX_ECDHE_PSK0x17,      ENC_AES2560x36,     DIG_SHA3840x43, MODE_CBC   },   /* TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 */
  {0xC039,KEX_ECDHE_PSK0x17,      ENC_NULL0x3D,       DIG_SHA0x41,    MODE_STREAM},   /* TLS_ECDHE_PSK_WITH_NULL_SHA */
  {0xC03A,KEX_ECDHE_PSK0x17,      ENC_NULL0x3D,       DIG_SHA2560x42, MODE_STREAM},   /* TLS_ECDHE_PSK_WITH_NULL_SHA256 */
  {0xC03B,KEX_ECDHE_PSK0x17,      ENC_NULL0x3D,       DIG_SHA3840x43, MODE_STREAM},   /* TLS_ECDHE_PSK_WITH_NULL_SHA384 */
  {0xC072,KEX_ECDHE_ECDSA0x16,    ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC   },   /* TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 */
  {0xC073,KEX_ECDHE_ECDSA0x16,    ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC   },   /* TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 */
  {0xC074,KEX_ECDH_ECDSA0x1a,     ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC   },   /* TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 */
  {0xC075,KEX_ECDH_ECDSA0x1a,     ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC   },   /* TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 */
  {0xC076,KEX_ECDHE_RSA0x18,      ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC   },   /* TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 */
  {0xC077,KEX_ECDHE_RSA0x18,      ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC   },   /* TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 */
  {0xC078,KEX_ECDH_RSA0x1b,       ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC   },   /* TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256 */
  {0xC079,KEX_ECDH_RSA0x1b,       ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC   },   /* TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384 */
  {0xC07A,KEX_RSA0x1e,            ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM   },   /* TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256 */
  {0xC07B,KEX_RSA0x1e,            ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM   },   /* TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384 */
  {0xC07C,KEX_DHE_RSA0x12,        ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM   },   /* TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 */
  {0xC07D,KEX_DHE_RSA0x12,        ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM   },   /* TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 */
  {0xC07E,KEX_DH_RSA0x15,         ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM   },   /* TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256 */
  {0xC07F,KEX_DH_RSA0x15,         ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM   },   /* TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384 */
  {0xC080,KEX_DHE_DSS0x10,        ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM   },   /* TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256 */
  {0xC081,KEX_DHE_DSS0x10,        ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM   },   /* TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384 */
  {0xC082,KEX_DH_DSS0x14,         ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM   },   /* TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256 */
  {0xC083,KEX_DH_DSS0x14,         ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM   },   /* TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384 */
  {0xC084,KEX_DH_ANON0x13,        ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM   },   /* TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256 */
  {0xC085,KEX_DH_ANON0x13,        ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM   },   /* TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384 */
  {0xC086,KEX_ECDHE_ECDSA0x16,    ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM   },   /* TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 */
  {0xC087,KEX_ECDHE_ECDSA0x16,    ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM   },   /* TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 */
  {0xC088,KEX_ECDH_ECDSA0x1a,     ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM   },   /* TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 */
  {0xC089,KEX_ECDH_ECDSA0x1a,     ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM   },   /* TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 */
  {0xC08A,KEX_ECDHE_RSA0x18,      ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM   },   /* TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 */
  {0xC08B,KEX_ECDHE_RSA0x18,      ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM   },   /* TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 */
  {0xC08C,KEX_ECDH_RSA0x1b,       ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM   },   /* TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256 */
  {0xC08D,KEX_ECDH_RSA0x1b,       ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM   },   /* TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384 */
  {0xC08E,KEX_PSK0x1d,            ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM   },   /* TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 */
  {0xC08F,KEX_PSK0x1d,            ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM   },   /* TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384 */
  {0xC090,KEX_DHE_PSK0x11,        ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM   },   /* TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256 */
  {0xC091,KEX_DHE_PSK0x11,        ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM   },   /* TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384 */
  {0xC092,KEX_RSA_PSK0x1f,        ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM   },   /* TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256 */
  {0xC093,KEX_RSA_PSK0x1f,        ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM   },   /* TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384 */
  {0xC094,KEX_PSK0x1d,            ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC   },   /* TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 */
  {0xC095,KEX_PSK0x1d,            ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC   },   /* TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384 */
  {0xC096,KEX_DHE_PSK0x11,        ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC   },   /* TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 */
  {0xC097,KEX_DHE_PSK0x11,        ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC   },   /* TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 */
  {0xC098,KEX_RSA_PSK0x1f,        ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC   },   /* TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256 */
  {0xC099,KEX_RSA_PSK0x1f,        ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC   },   /* TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384 */
  {0xC09A,KEX_ECDHE_PSK0x17,      ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC   },   /* TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 */
  {0xC09B,KEX_ECDHE_PSK0x17,      ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC   },   /* TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 */
  {0xC09C,KEX_RSA0x1e,            ENC_AES0x35,        DIG_NA0x45,     MODE_CCM   },   /* TLS_RSA_WITH_AES_128_CCM */
  {0xC09D,KEX_RSA0x1e,            ENC_AES2560x36,     DIG_NA0x45,     MODE_CCM   },   /* TLS_RSA_WITH_AES_256_CCM */
  {0xC09E,KEX_DHE_RSA0x12,        ENC_AES0x35,        DIG_NA0x45,     MODE_CCM   },   /* TLS_DHE_RSA_WITH_AES_128_CCM */
  {0xC09F,KEX_DHE_RSA0x12,        ENC_AES2560x36,     DIG_NA0x45,     MODE_CCM   },   /* TLS_DHE_RSA_WITH_AES_256_CCM */
  {0xC0A0,KEX_RSA0x1e,            ENC_AES0x35,        DIG_NA0x45,     MODE_CCM_8 },   /* TLS_RSA_WITH_AES_128_CCM_8 */
  {0xC0A1,KEX_RSA0x1e,            ENC_AES2560x36,     DIG_NA0x45,     MODE_CCM_8 },   /* TLS_RSA_WITH_AES_256_CCM_8 */
  {0xC0A2,KEX_DHE_RSA0x12,        ENC_AES0x35,        DIG_NA0x45,     MODE_CCM_8 },   /* TLS_DHE_RSA_WITH_AES_128_CCM_8 */
  {0xC0A3,KEX_DHE_RSA0x12,        ENC_AES2560x36,     DIG_NA0x45,     MODE_CCM_8 },   /* TLS_DHE_RSA_WITH_AES_256_CCM_8 */
  {0xC0A4,KEX_PSK0x1d,            ENC_AES0x35,        DIG_NA0x45,     MODE_CCM   },   /* TLS_PSK_WITH_AES_128_CCM */
  {0xC0A5,KEX_PSK0x1d,            ENC_AES2560x36,     DIG_NA0x45,     MODE_CCM   },   /* TLS_PSK_WITH_AES_256_CCM */
  {0xC0A6,KEX_DHE_PSK0x11,        ENC_AES0x35,        DIG_NA0x45,     MODE_CCM   },   /* TLS_DHE_PSK_WITH_AES_128_CCM */
  {0xC0A7,KEX_DHE_PSK0x11,        ENC_AES2560x36,     DIG_NA0x45,     MODE_CCM   },   /* TLS_DHE_PSK_WITH_AES_256_CCM */
  {0xC0A8,KEX_PSK0x1d,            ENC_AES0x35,        DIG_NA0x45,     MODE_CCM_8 },   /* TLS_PSK_WITH_AES_128_CCM_8 */
  {0xC0A9,KEX_PSK0x1d,            ENC_AES2560x36,     DIG_NA0x45,     MODE_CCM_8 },   /* TLS_PSK_WITH_AES_256_CCM_8 */
  {0xC0AA,KEX_DHE_PSK0x11,        ENC_AES0x35,        DIG_NA0x45,     MODE_CCM_8 },   /* TLS_PSK_DHE_WITH_AES_128_CCM_8 */
  {0xC0AB,KEX_DHE_PSK0x11,        ENC_AES2560x36,     DIG_NA0x45,     MODE_CCM_8 },   /* TLS_PSK_DHE_WITH_AES_256_CCM_8 */
  {0xC0AC,KEX_ECDHE_ECDSA0x16,    ENC_AES0x35,        DIG_NA0x45,     MODE_CCM   },   /* TLS_ECDHE_ECDSA_WITH_AES_128_CCM */
  {0xC0AD,KEX_ECDHE_ECDSA0x16,    ENC_AES2560x36,     DIG_NA0x45,     MODE_CCM   },   /* TLS_ECDHE_ECDSA_WITH_AES_256_CCM */
  {0xC0AE,KEX_ECDHE_ECDSA0x16,    ENC_AES0x35,        DIG_NA0x45,     MODE_CCM_8 },   /* TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 */
  {0xC0AF,KEX_ECDHE_ECDSA0x16,    ENC_AES2560x36,     DIG_NA0x45,     MODE_CCM_8 },   /* TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 */
  {0xCCA8,KEX_ECDHE_RSA0x18,      ENC_CHACHA200x3A,   DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 */
  {0xCCA9,KEX_ECDHE_ECDSA0x16,    ENC_CHACHA200x3A,   DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 */
  {0xCCAA,KEX_DHE_RSA0x12,        ENC_CHACHA200x3A,   DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 */
  {0xCCAB,KEX_PSK0x1d,            ENC_CHACHA200x3A,   DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_PSK_WITH_CHACHA20_POLY1305_SHA256 */
  {0xCCAC,KEX_ECDHE_PSK0x17,      ENC_CHACHA200x3A,   DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 */
  {0xCCAD,KEX_DHE_PSK0x11,        ENC_CHACHA200x3A,   DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 */
  {0xCCAE,KEX_RSA_PSK0x1f,        ENC_CHACHA200x3A,   DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256 */
  {0xD001,KEX_ECDHE_PSK0x17,      ENC_AES0x35,        DIG_SHA2560x42, MODE_GCM},       /* TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 */
  {0xD002,KEX_ECDHE_PSK0x17,      ENC_AES2560x36,     DIG_SHA3840x43, MODE_GCM},       /* TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384 */
  {0xD003,KEX_ECDHE_PSK0x17,      ENC_AES0x35,        DIG_SHA2560x42, MODE_CCM_8},     /* TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256 */
  {0xD005,KEX_ECDHE_PSK0x17,      ENC_AES0x35,        DIG_SHA2560x42, MODE_CCM},       /* TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256 */
  /* GM */
  {0xe001,KEX_ECDHE_SM20x25,      ENC_SM10x3B,        DIG_SM30x44,    MODE_CBC},        /* ECDHE_SM1_SM3 */
  {0xe003,KEX_ECC_SM20x26,        ENC_SM10x3B,        DIG_SM30x44,    MODE_CBC},        /* ECC_SM1_SM3 */
  {0xe005,KEX_IBSDH_SM90x27,      ENC_SM10x3B,        DIG_SM30x44,    MODE_CBC},        /* IBSDH_SM1_SM3 */
  {0xe007,KEX_IBC_SM90x28,        ENC_SM10x3B,        DIG_SM30x44,    MODE_CBC},        /* IBC_SM1_SM3 */
  {0xe009,KEX_RSA0x1e,            ENC_SM10x3B,        DIG_SM30x44,    MODE_CBC},        /* RSA_SM1_SM3 */
  {0xe00a,KEX_RSA0x1e,            ENC_SM10x3B,        DIG_SHA0x41,    MODE_CBC},        /* RSA_SM1_SHA1 */
  {0xe011,KEX_ECDHE_SM20x25,      ENC_SM40x3C,        DIG_SM30x44,    MODE_CBC},        /* ECDHE_SM4_CBC_SM3 */
  {0xe013,KEX_ECC_SM20x26,        ENC_SM40x3C,        DIG_SM30x44,    MODE_CBC},        /* ECC_SM4_CBC_SM3 */
  {0xe015,KEX_IBSDH_SM90x27,      ENC_SM40x3C,        DIG_SM30x44,    MODE_CBC},        /* IBSDH_SM4_CBC_SM3 */
  {0xe017,KEX_IBC_SM90x28,        ENC_SM40x3C,        DIG_SM30x44,    MODE_CBC},        /* IBC_SM4_CBC_SM3 */
  {0xe019,KEX_RSA0x1e,            ENC_SM40x3C,        DIG_SM30x44,    MODE_CBC},        /* RSA_SM4_CBC_SM3 */
  {0xe01a,KEX_RSA0x1e,            ENC_SM40x3C,        DIG_SHA0x41,    MODE_CBC},        /* RSA_SM4_CBC_SHA1 */
  {0xe01c,KEX_RSA0x1e,            ENC_SM40x3C,        DIG_SHA2560x42, MODE_CBC},        /* RSA_SM4_CBC_SHA256 */
  {0xe051,KEX_ECDHE_SM20x25,      ENC_SM40x3C,        DIG_SM30x44,    MODE_GCM},        /* ECDHE_SM4_GCM_SM3 */
  {0xe053,KEX_ECC_SM20x26,        ENC_SM40x3C,        DIG_SM30x44,    MODE_GCM},        /* ECC_SM4_GCM_SM3 */
  {0xe055,KEX_IBSDH_SM90x27,      ENC_SM40x3C,        DIG_SM30x44,    MODE_GCM},        /* IBSDH_SM4_GCM_SM3 */
  {0xe057,KEX_IBC_SM90x28,        ENC_SM40x3C,        DIG_SM30x44,    MODE_GCM},        /* IBC_SM4_GCM_SM3 */
  {0xe059,KEX_RSA0x1e,            ENC_SM40x3C,        DIG_SM30x44,    MODE_GCM},        /* RSA_SM4_GCM_SM3 */
  {0xe05a,KEX_RSA0x1e,            ENC_SM40x3C,        DIG_SHA2560x42, MODE_GCM},        /* RSA_SM4_GCM_SHA256 */
  {-1,    0,                  0,              0,          MODE_STREAM}
3990};

3992#define MAX_BLOCK_SIZE16 16
3993#define MAX_KEY_SIZE32 32

3995const SslCipherSuite *
3996ssl_find_cipher(int num)
3997{
  const SslCipherSuite *c;
  for(c=cipher_suites;c->number!=-1;c++){
      if(c->number==num){
          return c;
      }
  }

  return NULL((void*)0);
4006}

4008int
4009ssl_get_cipher_algo(const SslCipherSuite *cipher_suite)
4010{
  return gcry_cipher_map_name(ciphers[cipher_suite->enc - ENC_START0x30]);
4012}

4014unsigned
4015ssl_get_cipher_blocksize(const SslCipherSuite *cipher_suite)
4016{
  int cipher_algo;
  if (cipher_suite->mode != MODE_CBC) return 0;
  cipher_algo = ssl_get_cipher_by_name(ciphers[cipher_suite->enc - ENC_START0x30]);
  return (unsigned)gcry_cipher_get_algo_blklen(cipher_algo);
4021}

4023static unsigned
4024ssl_get_cipher_export_keymat_size(int cipher_suite_num)
4025{
  switch (cipher_suite_num) {
  /* See RFC 6101 (SSL 3.0), Table 2, column Key Material. */
  case 0x0003:    /* TLS_RSA_EXPORT_WITH_RC4_40_MD5 */
  case 0x0006:    /* TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 */
  case 0x0008:    /* TLS_RSA_EXPORT_WITH_DES40_CBC_SHA */
  case 0x000B:    /* TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA */
  case 0x000E:    /* TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA */
  case 0x0011:    /* TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA */
  case 0x0014:    /* TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA */
  case 0x0017:    /* TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 */
  case 0x0019:    /* TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA */
      return 5;

  /* not defined in below draft, but "implemented by several vendors",
   * https://www.ietf.org/mail-archive/web/tls/current/msg00036.html */
  case 0x0060:    /* TLS_RSA_EXPORT1024_WITH_RC4_56_MD5 */
  case 0x0061:    /* TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 */
      return 7;

  /* Note: the draft states that DES_CBC needs 8 bytes, but Wireshark always
   * used 7. Until a pcap proves 8, let's use the old value. Link:
   * https://tools.ietf.org/html/draft-ietf-tls-56-bit-ciphersuites-01 */
  case 0x0062:    /* TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA */
  case 0x0063:    /* TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA */
  case 0x0064:    /* TLS_RSA_EXPORT1024_WITH_RC4_56_SHA */
  case 0x0065:    /* TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA */
      return 7;

  default:
      return 0;
  }
4057}

4059/* Digests, Ciphers and Cipher Suites registry }}} */


4062/* HMAC and the Pseudorandom function {{{ */
4063static int
4064tls_hash(StringInfo *secret, StringInfo *seed, int md,
       StringInfo *out, unsigned out_len)
4066{
  /* RFC 2246 5. HMAC and the pseudorandom function
   * '+' denotes concatenation.
   * P_hash(secret, seed) = HMAC_hash(secret, A(1) + seed) +
   *                        HMAC_hash(secret, A(2) + seed) + ...
   * A(0) = seed
   * A(i) = HMAC_hash(secret, A(i - 1))
   */
  uint8_t  *ptr;
  unsigned  left, tocpy;
  uint8_t  *A;
  uint8_t   _A[DIGEST_MAX_SIZE48], tmp[DIGEST_MAX_SIZE48];
  unsigned  A_l, tmp_l;
  SSL_HMACgcry_md_hd_t  hm;

  ptr  = out->data;
  left = out_len;

  ssl_print_string("tls_hash: hash secret", secret);
  ssl_print_string("tls_hash: hash seed", seed);
  /* A(0) = seed */
  A = seed->data;
  A_l = seed->data_len;

  if (ssl_hmac_init(&hm, md) != 0) {
      return -1;
  }
  while (left) {
      /* A(i) = HMAC_hash(secret, A(i-1)) */
      ssl_hmac_setkey(&hm, secret->data, secret->data_len);
      ssl_hmac_update(&hm, A, A_l);
      A_l = sizeof(_A); /* upper bound len for hash output */
      ssl_hmac_final(&hm, _A, &A_l);
      A = _A;

      /* HMAC_hash(secret, A(i) + seed) */
      ssl_hmac_reset(&hm);
      ssl_hmac_setkey(&hm, secret->data, secret->data_len);
      ssl_hmac_update(&hm, A, A_l);
      ssl_hmac_update(&hm, seed->data, seed->data_len);
      tmp_l = sizeof(tmp); /* upper bound len for hash output */
      ssl_hmac_final(&hm, tmp, &tmp_l);
      ssl_hmac_reset(&hm);

      /* ssl_hmac_final puts the actual digest output size in tmp_l */
      tocpy = MIN(left, tmp_l)(((left) < (tmp_l)) ? (left) : (tmp_l));
      memcpy(ptr, tmp, tocpy);
      ptr += tocpy;
      left -= tocpy;
  }
  ssl_hmac_cleanup(&hm);
  out->data_len = out_len;

  ssl_print_string("hash out", out);
  return 0;
4121}

4123static bool_Bool
4124tls_prf(StringInfo* secret, const char *usage,
      StringInfo* rnd1, StringInfo* rnd2, StringInfo* out, unsigned out_len)
4126{
  StringInfo  seed, sha_out, md5_out;
  uint8_t    *ptr;
  StringInfo  s1, s2;
  unsigned    i,s_l;
  size_t      usage_len, rnd2_len;
  bool_Bool        success = false0;
  usage_len = strlen(usage);
  rnd2_len = rnd2 ? rnd2->data_len : 0;

  /* initialize buffer for sha, md5 random seed*/
  if (ssl_data_alloc(&sha_out, MAX(out_len, 20)(((out_len) > (20)) ? (out_len) : (20))) < 0) {
      ssl_debug_printf("tls_prf: can't allocate sha out\n");
      return false0;
  }
  if (ssl_data_alloc(&md5_out, MAX(out_len, 16)(((out_len) > (16)) ? (out_len) : (16))) < 0) {
      ssl_debug_printf("tls_prf: can't allocate md5 out\n");
      goto free_sha;
  }
  if (ssl_data_alloc(&seed, usage_len+rnd1->data_len+rnd2_len) < 0) {
      ssl_debug_printf("tls_prf: can't allocate rnd %d\n",
                       (int) (usage_len+rnd1->data_len+rnd2_len));
      goto free_md5;
  }

  ptr=seed.data;
  memcpy(ptr,usage,usage_len);
  ptr+=usage_len;
  memcpy(ptr,rnd1->data,rnd1->data_len);
  if (rnd2_len > 0) {
      ptr+=rnd1->data_len;
      memcpy(ptr,rnd2->data,rnd2->data_len);
      /*ptr+=rnd2->data_len;*/
  }

  /* initialize buffer for client/server seeds*/
  s_l=secret->data_len/2 + secret->data_len%2;
  if (ssl_data_alloc(&s1, s_l) < 0) {
      ssl_debug_printf("tls_prf: can't allocate secret %d\n", s_l);
      goto free_seed;
  }
  if (ssl_data_alloc(&s2, s_l) < 0) {
      ssl_debug_printf("tls_prf: can't allocate secret(2) %d\n", s_l);
      goto free_s1;
  }

  memcpy(s1.data,secret->data,s_l);
  memcpy(s2.data,secret->data + (secret->data_len - s_l),s_l);

  ssl_debug_printf("tls_prf: tls_hash(md5 secret_len %d seed_len %d )\n", s1.data_len, seed.data_len);
  if(tls_hash(&s1, &seed, ssl_get_digest_by_name("MD5"), &md5_out, out_len) != 0)
      goto free_s2;
  ssl_debug_printf("tls_prf: tls_hash(sha)\n");
  if(tls_hash(&s2, &seed, ssl_get_digest_by_name("SHA1"), &sha_out, out_len) != 0)
      goto free_s2;

  for (i = 0; i < out_len; i++)
      out->data[i] = md5_out.data[i] ^ sha_out.data[i];
  /* success, now store the new meaningful data length */
  out->data_len = out_len;
  success = true1;

  ssl_print_string("PRF out",out);
4189free_s2:
  g_free(s2.data)(__builtin_object_size ((s2.data), 0) != ((size_t) - 1)) ? g_free_sized
 (s2.data, __builtin_object_size ((s2.data), 0)) : (g_free) (
s2.data);
4191free_s1:
  g_free(s1.data)(__builtin_object_size ((s1.data), 0) != ((size_t) - 1)) ? g_free_sized
 (s1.data, __builtin_object_size ((s1.data), 0)) : (g_free) (
s1.data);
4193free_seed:
  g_free(seed.data)(__builtin_object_size ((seed.data), 0) != ((size_t) - 1)) ? g_free_sized
 (seed.data, __builtin_object_size ((seed.data), 0)) : (g_free
) (seed.data);
4195free_md5:
  g_free(md5_out.data)(__builtin_object_size ((md5_out.data), 0) != ((size_t) - 1))
 ? g_free_sized (md5_out.data, __builtin_object_size ((md5_out
.data), 0)) : (g_free) (md5_out.data);
4197free_sha:
  g_free(sha_out.data)(__builtin_object_size ((sha_out.data), 0) != ((size_t) - 1))
 ? g_free_sized (sha_out.data, __builtin_object_size ((sha_out
.data), 0)) : (g_free) (sha_out.data);
  return success;
4200}

4202static bool_Bool
4203tls12_prf(int md, StringInfo* secret, const char* usage,
        StringInfo* rnd1, StringInfo* rnd2, StringInfo* out, unsigned out_len)
4205{
  StringInfo label_seed;
  int success;
  size_t     usage_len, rnd2_len;
  rnd2_len = rnd2 ? rnd2->data_len : 0;

  usage_len = strlen(usage);
  if (ssl_data_alloc(&label_seed, usage_len+rnd1->data_len+rnd2_len) < 0) {
      ssl_debug_printf("tls12_prf: can't allocate label_seed\n");
      return false0;
  }
  memcpy(label_seed.data, usage, usage_len);
  memcpy(label_seed.data+usage_len, rnd1->data, rnd1->data_len);
  if (rnd2_len > 0)
      memcpy(label_seed.data+usage_len+rnd1->data_len, rnd2->data, rnd2->data_len);

  ssl_debug_printf("tls12_prf: tls_hash(hash_alg %s secret_len %d seed_len %d )\n", gcry_md_algo_name(md), secret->data_len, label_seed.data_len);
  success = tls_hash(secret, &label_seed, md, out, out_len);
  g_free(label_seed.data)(__builtin_object_size ((label_seed.data), 0) != ((size_t) - 1
)) ? g_free_sized (label_seed.data, __builtin_object_size ((label_seed
.data), 0)) : (g_free) (label_seed.data);
  if(success != -1){
      ssl_print_string("PRF out", out);
      return true1;
  }
  return false0;
4229}

4231static bool_Bool
4232ssl3_generate_export_iv(StringInfo *r1, StringInfo *r2,
                      StringInfo *out, unsigned out_len)
4234{
  SSL_MD5_CTXgcry_md_hd_t md5;
  uint8_t     tmp[16];

  if (ssl_md5_init(&md5) != 0) {
      return false0;
  }
  ssl_md5_update(&md5,r1->data,r1->data_len);
  ssl_md5_update(&md5,r2->data,r2->data_len);
  ssl_md5_final(tmp,&md5);
  ssl_md5_cleanup(&md5);

  DISSECTOR_ASSERT(out_len <= sizeof(tmp))((void) ((out_len <= sizeof(tmp)) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 4246, "out_len <= sizeof(tmp)"))));
  ssl_data_set(out, tmp, out_len);
  ssl_print_string("export iv", out);
  return true1;
4250}

4252static bool_Bool
4253ssl3_prf(StringInfo* secret, const char* usage,
       StringInfo* rnd1, StringInfo* rnd2, StringInfo* out, unsigned out_len)
4255{
  SSL_MD5_CTXgcry_md_hd_t  md5;
  SSL_SHA_CTXgcry_md_hd_t  sha;
  unsigned     off;
  int          i = 0,j;
  uint8_t      buf[20];

  if (ssl_sha_init(&sha) != 0) {
      return false0;
  }
  if (ssl_md5_init(&md5) != 0) {
      ssl_sha_cleanup(&sha);
      return false0;
  }
  for (off = 0; off < out_len; off += 16) {
      unsigned char outbuf[16];
      i++;

      ssl_debug_printf("ssl3_prf: sha1_hash(%d)\n",i);
      /* A, BB, CCC,  ... */
      for(j=0;j<i;j++){
          buf[j]=64+i;
      }

      ssl_sha_update(&sha,buf,i);
      ssl_sha_update(&sha,secret->data,secret->data_len);

      if(!strcmp(usage,"client write key") || !strcmp(usage,"server write key")){
          if (rnd2)
              ssl_sha_update(&sha,rnd2->data,rnd2->data_len);
          ssl_sha_update(&sha,rnd1->data,rnd1->data_len);
      }
      else{
          ssl_sha_update(&sha,rnd1->data,rnd1->data_len);
          if (rnd2)
              ssl_sha_update(&sha,rnd2->data,rnd2->data_len);
      }

      ssl_sha_final(buf,&sha);
      ssl_sha_reset(&sha);

      ssl_debug_printf("ssl3_prf: md5_hash(%d) datalen %d\n",i,
          secret->data_len);
      ssl_md5_update(&md5,secret->data,secret->data_len);
      ssl_md5_update(&md5,buf,20);
      ssl_md5_final(outbuf,&md5);
      ssl_md5_reset(&md5);

      memcpy(out->data + off, outbuf, MIN(out_len - off, 16)(((out_len - off) < (16)) ? (out_len - off) : (16)));
  }
  ssl_sha_cleanup(&sha);
  ssl_md5_cleanup(&md5);
  out->data_len = out_len;

  return true1;
4310}

4312/* out_len is the wanted output length for the pseudorandom function.
* Ensure that ssl->cipher_suite is set. */
4314static bool_Bool
4315prf(SslDecryptSession *ssl, StringInfo *secret, const char *usage,
  StringInfo *rnd1, StringInfo *rnd2, StringInfo *out, unsigned out_len)
4317{
  switch (ssl->session.version) {
  case SSLV3_VERSION0x300:
      return ssl3_prf(secret, usage, rnd1, rnd2, out, out_len);

  case TLSV1_VERSION0x301:
  case TLSV1DOT1_VERSION0x302:
  case DTLSV1DOT0_VERSION0xfeff:
  case DTLSV1DOT0_OPENSSL_VERSION0x100:
      return tls_prf(secret, usage, rnd1, rnd2, out, out_len);

  default: /* TLSv1.2 */
      switch (ssl->cipher_suite->dig) {
      case DIG_SM30x44:
4331#if GCRYPT_VERSION_NUMBER0x010c00 >= 0x010900
          return tls12_prf(GCRY_MD_SM3, secret, usage, rnd1, rnd2,
                           out, out_len);
4334#else
          return false0;
4336#endif
      case DIG_SHA3840x43:
          return tls12_prf(GCRY_MD_SHA384, secret, usage, rnd1, rnd2,
                           out, out_len);
      default:
          return tls12_prf(GCRY_MD_SHA256, secret, usage, rnd1, rnd2,
                           out, out_len);
      }
  }
4345}

4347static int tls_handshake_hash(SslDecryptSession* ssl, StringInfo* out)
4348{
  SSL_MD5_CTXgcry_md_hd_t  md5;
  SSL_SHA_CTXgcry_md_hd_t  sha;

  if (ssl_data_alloc(out, 36) < 0)
15
←
Calling 'ssl_data_alloc'→
19
←
Returned allocated memory→
20
←
Taking false branch→
      return -1;

  if (ssl_md5_init(&md5) != 0)
21
←
Taking true branch→
      return -1;
  ssl_md5_update(&md5,ssl->handshake_data.data,ssl->handshake_data.data_len);
  ssl_md5_final(out->data,&md5);
  ssl_md5_cleanup(&md5);

  if (ssl_sha_init(&sha) != 0)
      return -1;
  ssl_sha_update(&sha,ssl->handshake_data.data,ssl->handshake_data.data_len);
  ssl_sha_final(out->data+16,&sha);
  ssl_sha_cleanup(&sha);
  return 0;
4367}

4369static int tls12_handshake_hash(SslDecryptSession* ssl, int md, StringInfo* out)
4370{
  SSL_MDgcry_md_hd_t  mc;
  uint8_t tmp[48];
  unsigned  len;

  if (ssl_md_init(&mc, md) != 0)
      return -1;
  ssl_md_update(&mc,ssl->handshake_data.data,ssl->handshake_data.data_len);
  ssl_md_final(&mc, tmp, &len);
  ssl_md_cleanup(&mc);

  if (ssl_data_alloc(out, len) < 0)
      return -1;
  memcpy(out->data, tmp, len);
  return 0;
4385}

4387bool_Bool
4388tls_load_psk(SslDecryptSession* tls_session, const char *tls_psk)
4389{
  if (!tls_psk || (tls_psk[0] == 0)) {
      ssl_debug_printf("%s: can't find pre-shared key\n", G_STRFUNC((const char*) (__func__)));
      return false0;
  }

  wmem_free(wmem_file_scope(), tls_session->psk.data);
  /* convert hex string into char*/
  if (!from_hex(&tls_session->psk, tls_psk, strlen(tls_psk))) {
      ssl_debug_printf("%s: ssl.psk/dtls.psk contains invalid hex\n",
                       G_STRFUNC((const char*) (__func__)));
      return false0;
  }

  if (tls_session->psk.data_len >= (2 << 15)) {
      ssl_debug_printf("%s: ssl.psk/dtls.psk must not be larger than 2^15 - 1\n",
                       G_STRFUNC((const char*) (__func__)));
      wmem_free(wmem_file_scope(), tls_session->psk.data);
      tls_session->psk.data = NULL((void*)0);
      tls_session->psk.data_len = 0;
      return false0;
  }

  return true1;
4413}

4415/**
* Obtains the label prefix used in HKDF-Expand-Label.  This function can be
* inlined and removed once support for draft 19 and before is dropped.
*/
4419static inline const char *
4420tls13_hkdf_label_prefix(SslDecryptSession *ssl_session)
4421{
  if (ssl_session->session.tls13_draft_version && ssl_session->session.tls13_draft_version < 20) {
      return "TLS 1.3, ";
  } else if (ssl_session->session.version == DTLSV1DOT3_VERSION0xfefc) {
      return "dtls13";
  } else {
      return "tls13 ";
  }
4429}

4431/*
* Computes HKDF-Expand-Label(Secret, Label, Hash(context_value), Length) with a
* custom label prefix. If "context_hash" is NULL, then an empty context is
* used. Otherwise it must have the same length as the hash algorithm output.
*/
4436bool_Bool
4437tls13_hkdf_expand_label_context(int md, const StringInfo *secret,
                      const char *label_prefix, const char *label,
                      const uint8_t *context_hash, uint8_t context_length,
                      uint16_t out_len, unsigned char **out)
4441{
  /* RFC 8446 Section 7.1:
   * HKDF-Expand-Label(Secret, Label, Context, Length) =
   *      HKDF-Expand(Secret, HkdfLabel, Length)
   * struct {
   *     uint16 length = Length;
   *     opaque label<7..255> = "tls13 " + Label; // "tls13 " is label prefix.
   *     opaque context<0..255> = Context;
   * } HkdfLabel;
   *
   * RFC 5869 HMAC-based Extract-and-Expand Key Derivation Function (HKDF):
   * HKDF-Expand(PRK, info, L) -> OKM
   */
  gcry_error_t err;
  const unsigned label_prefix_length = (unsigned) strlen(label_prefix);
  const unsigned label_length = (unsigned) strlen(label);

  /* Some sanity checks */
  DISSECTOR_ASSERT(label_length > 0 && label_prefix_length + label_length <= 255)((void) ((label_length > 0 && label_prefix_length +
 label_length <= 255) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 4459, "label_length > 0 && label_prefix_length + label_length <= 255"
))));

  /* info = HkdfLabel { length, label, context } */
  GByteArray *info = g_byte_array_new();
  const uint16_t length = g_htons(out_len)(((((guint16) ( (guint16) ((guint16) (out_len) >> 8) | (
guint16) ((guint16) (out_len) << 8))))));
  g_byte_array_append(info, (const uint8_t *)&length, sizeof(length));

  const uint8_t label_vector_length = label_prefix_length + label_length;
  g_byte_array_append(info, &label_vector_length, 1);
  g_byte_array_append(info, (const uint8_t *)label_prefix, label_prefix_length);
  g_byte_array_append(info, (const uint8_t*)label, label_length);

  g_byte_array_append(info, &context_length, 1);
  if (context_length) {
      g_byte_array_append(info, context_hash, context_length);
  }

  *out = (unsigned char *)wmem_alloc(NULL((void*)0), out_len);
  err = hkdf_expand(md, secret->data, secret->data_len, info->data, info->len, *out, out_len);
  g_byte_array_free(info, true1);

  if (err) {
      ssl_debug_printf("%s failed  %d: %s\n", G_STRFUNC((const char*) (__func__)), md, gcry_strerror(err));
      wmem_free(NULL((void*)0), *out);
      *out = NULL((void*)0);
      return false0;
  }

  return true1;
4488}

4490bool_Bool
4491tls13_hkdf_expand_label(int md, const StringInfo *secret,
                      const char *label_prefix, const char *label,
                      uint16_t out_len, unsigned char **out)
4494{
  return tls13_hkdf_expand_label_context(md, secret, label_prefix, label, NULL((void*)0), 0, out_len, out);
4496}

4498static bool_Bool
4499tls13_derive_secret(int md, const StringInfo *secret,
                  const char *label_prefix, const char *label,
                  const uint8_t *context, unsigned context_length,
                  uint16_t out_len, unsigned char **out)
4503{
  SSL_MDgcry_md_hd_t  mc;
  uint8_t context_hash[DIGEST_MAX_SIZE48];
  unsigned hash_len;

  if (ssl_md_init(&mc, md) != 0)
      return false0;
  ssl_md_update(&mc, context, context_length);
  ssl_md_final(&mc, context_hash, &hash_len);
  ssl_md_cleanup(&mc);

  return tls13_hkdf_expand_label_context(md, secret, label_prefix, label, context_hash, hash_len, out_len, out);
4515}

4517/* HMAC and the Pseudorandom function }}} */

4519/* Record Decompression (after decryption) {{{ */
4520#ifdef USE_ZLIB_OR_ZLIBNG
4521/* memory allocation functions for zlib initialization */
4522static void* ssl_zalloc(void* opaque _U___attribute__((unused)), unsigned int no, unsigned int size)
4523{
  return g_malloc0(no*size);
4525}
4526static void ssl_zfree(void* opaque _U___attribute__((unused)), void* addr)
4527{
  g_free(addr)(__builtin_object_size ((addr), 0) != ((size_t) - 1)) ? g_free_sized
 (addr, __builtin_object_size ((addr), 0)) : (g_free) (addr);
4529}
4530#endif /* USE_ZLIB_OR_ZLIBNG */

4532static SslDecompress*
4533ssl_create_decompressor(int compression)
4534{
  SslDecompress *decomp;
4536#ifdef USE_ZLIB_OR_ZLIBNG
  int err;
4538#endif

  if (compression == 0) return NULL((void*)0);
  ssl_debug_printf("ssl_create_decompressor: compression method %d\n", compression);
  decomp = wmem_new(wmem_file_scope(), SslDecompress)((SslDecompress*)wmem_alloc((wmem_file_scope()), sizeof(SslDecompress
)));
  decomp->compression = compression;
  switch (decomp->compression) {
4545#ifdef USE_ZLIB_OR_ZLIBNG
      case 1:  /* DEFLATE */
          decomp->istream.zalloc = ssl_zalloc;
          decomp->istream.zfree = ssl_zfree;
          decomp->istream.opaque = Z_NULL0;
          decomp->istream.next_in = Z_NULL0;
          decomp->istream.next_out = Z_NULL0;
          decomp->istream.avail_in = 0;
          decomp->istream.avail_out = 0;
          err = ZLIB_PREFIX(inflateInit)(&decomp->istream)inflateInit_((&decomp->istream), "1.3.1", (int)sizeof(
z_stream));
          if (err != Z_OK0) {
              ssl_debug_printf("ssl_create_decompressor: inflateInit_() failed - %d\n", err);
              return NULL((void*)0);
          }
          break;
4560#endif /* USE_ZLIB_OR_ZLIBNG */
      default:
          ssl_debug_printf("ssl_create_decompressor: unsupported compression method %d\n", decomp->compression);
          return NULL((void*)0);
  }
  return decomp;
4566}

4568#ifdef USE_ZLIB_OR_ZLIBNG
4569static int
4570ssl_decompress_record(SslDecompress* decomp, const unsigned char* in, unsigned inl, StringInfo* out_str, unsigned* outl)
4571{
  int err;

  switch (decomp->compression) {
      case 1:  /* DEFLATE */
          err = Z_OK0;
          if (out_str->data_len < 16384) {  /* maximal plain length */
              ssl_data_realloc(out_str, 16384);
          }
4580#ifdef z_constconst
          decomp->istream.next_in = in;
4582#else
4583DIAG_OFF(cast-qual)clang diagnostic push
 clang diagnostic ignored "-Wcast-qual"

          decomp->istream.next_in = (Bytef *)in;
4585DIAG_ON(cast-qual)clang diagnostic pop
4586#endif
          decomp->istream.avail_in = inl;
          decomp->istream.next_out = out_str->data;
          decomp->istream.avail_out = out_str->data_len;
          if (inl > 0)
              err = ZLIB_PREFIX(inflate)inflate(&decomp->istream, Z_SYNC_FLUSH2);
          if (err != Z_OK0) {
              ssl_debug_printf("ssl_decompress_record: inflate() failed - %d\n", err);
              return -1;
          }
          *outl = out_str->data_len - decomp->istream.avail_out;
          break;
      default:
          ssl_debug_printf("ssl_decompress_record: unsupported compression method %d\n", decomp->compression);
          return -1;
  }
  return 0;
4603}
4604#else /* USE_ZLIB_OR_ZLIBNG */
4605int
4606ssl_decompress_record(SslDecompress* decomp _U___attribute__((unused)), const unsigned char* in _U___attribute__((unused)), unsigned inl _U___attribute__((unused)), StringInfo* out_str _U___attribute__((unused)), unsigned* outl _U___attribute__((unused)))
4607{
  ssl_debug_printf("ssl_decompress_record: unsupported compression method %d\n", decomp->compression);
  return -1;
4610}
4611#endif /* USE_ZLIB_OR_ZLIBNG */
4612/* Record Decompression (after decryption) }}} */

4614/* Create a new structure to store decrypted chunks. {{{ */
4615static SslFlow*
4616ssl_create_flow(void)
4617{
SslFlow *flow;

flow = wmem_new(wmem_file_scope(), SslFlow)((SslFlow*)wmem_alloc((wmem_file_scope()), sizeof(SslFlow)));
flow->byte_seq = 0;
flow->flags = 0;
flow->multisegment_pdus = wmem_tree_new(wmem_file_scope());
return flow;
4625}
4626/* }}} */

4628/* Use the negotiated security parameters for decryption. {{{ */
4629void
4630ssl_change_cipher(SslDecryptSession *ssl_session, bool_Bool server)
4631{
  SslDecoder **new_decoder = server ? &ssl_session->server_new : &ssl_session->client_new;
  SslDecoder **dest = server ? &ssl_session->server : &ssl_session->client;
  ssl_debug_printf("ssl_change_cipher %s%s\n", server ? "SERVER" : "CLIENT",
          *new_decoder ? "" : " (No decoder found - retransmission?)");
  if (*new_decoder) {
      *dest = *new_decoder;
      *new_decoder = NULL((void*)0);
  }
4640}
4641/* }}} */

4643/* Init cipher state given some security parameters. {{{ */
4644static bool_Bool
4645ssl_decoder_destroy_cb(wmem_allocator_t *, wmem_cb_event_t, void *);

4647static SslDecoder*
4648ssl_create_decoder(const SslCipherSuite *cipher_suite, int cipher_algo,
      int compression, uint8_t *mk, uint8_t *sk, uint8_t *sn_key, uint8_t *iv, unsigned iv_length)
4650{
  SslDecoder *dec;
  ssl_cipher_mode_t mode = cipher_suite->mode;

  dec = wmem_new0(wmem_file_scope(), SslDecoder)((SslDecoder*)wmem_alloc0((wmem_file_scope()), sizeof(SslDecoder
)));
  /* init mac buffer: mac storage is embedded into decoder struct to save a
   memory allocation and waste samo more memory*/
  dec->cipher_suite=cipher_suite;
  dec->compression = compression;
  if ((mode == MODE_STREAM && mk != NULL((void*)0)) || mode == MODE_CBC) {
      // AEAD ciphers use no MAC key, but stream and block ciphers do. Note
      // the special case for NULL ciphers, even if there is insufficiency
      // keying material (including MAC key), we will can still create
      // decoders since "decryption" is easy for such ciphers.
      dec->mac_key.data = dec->_mac_key_or_write_iv;
      ssl_data_set(&dec->mac_key, mk, ssl_cipher_suite_dig(cipher_suite)->len);
  } else if (mode == MODE_GCM || mode == MODE_CCM || mode == MODE_CCM_8 || mode == MODE_POLY1305) {
      // Input for the nonce, to be used with AEAD ciphers.
      DISSECTOR_ASSERT(iv_length <= sizeof(dec->_mac_key_or_write_iv))((void) ((iv_length <= sizeof(dec->_mac_key_or_write_iv
)) ? (void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\""
, "epan/dissectors/packet-tls-utils.c", 4668, "iv_length <= sizeof(dec->_mac_key_or_write_iv)"
))));
      dec->write_iv.data = dec->_mac_key_or_write_iv;
      ssl_data_set(&dec->write_iv, iv, iv_length);
  }
  dec->seq = 0;
  dec->decomp = ssl_create_decompressor(compression);
  wmem_register_callback(wmem_file_scope(), ssl_decoder_destroy_cb, dec);

  if (ssl_cipher_init(&dec->evp,cipher_algo,sk,iv,cipher_suite->mode) < 0) {
      ssl_debug_printf("%s: can't create cipher id:%d mode:%d\n", G_STRFUNC((const char*) (__func__)),
          cipher_algo, cipher_suite->mode);
      return NULL((void*)0);
  }

  if (cipher_suite->enc != ENC_NULL0x3D && sn_key != NULL((void*)0)) {
      if (cipher_suite->enc == ENC_AES0x35 || cipher_suite->enc == ENC_AES2560x36) {
          mode = MODE_ECB;
      } else if (cipher_suite->enc == ENC_CHACHA200x3A) {
          mode = MODE_STREAM;
      } else {
          ssl_debug_printf("not supported encryption algorithm for DTLSv1.3\n");
          return NULL((void*)0);
      }

      if (ssl_cipher_init(&dec->sn_evp, cipher_algo, sn_key, NULL((void*)0), mode) < 0) {
          ssl_debug_printf("%s: can't create cipher id:%d mode:%d for seq number decryption\n", G_STRFUNC((const char*) (__func__)),
             cipher_algo, MODE_ECB);
          ssl_cipher_cleanup(&dec->evp);
          dec->evp = NULL((void*)0);
          return NULL((void*)0);
      }
  } else {
      dec->sn_evp = NULL((void*)0);
  }

  dec->dtls13_aad.data = NULL((void*)0);
  dec->dtls13_aad.data_len = 0;
  ssl_debug_printf("decoder initialized (digest len %d)\n", ssl_cipher_suite_dig(cipher_suite)->len);
  return dec;
4707}

4709static bool_Bool
4710ssl_decoder_destroy_cb(wmem_allocator_t *allocator _U___attribute__((unused)), wmem_cb_event_t event _U___attribute__((unused)), void *user_data)
4711{
  SslDecoder *dec = (SslDecoder *) user_data;

  if (dec->evp)
      ssl_cipher_cleanup(&dec->evp);
  if (dec->sn_evp)
    ssl_cipher_cleanup(&dec->sn_evp);

4719#ifdef USE_ZLIB_OR_ZLIBNG
  if (dec->decomp != NULL((void*)0) && dec->decomp->compression == 1 /* DEFLATE */)
      ZLIB_PREFIX(inflateEnd)inflateEnd(&dec->decomp->istream);
4722#endif

  return false0;
4725}
4726/* }}} */

4728/* (Pre-)master secrets calculations {{{ */
4729#ifdef HAVE_LIBGNUTLS1
4730static bool_Bool
4731ssl_decrypt_pre_master_secret(SslDecryptSession *ssl_session,
                            StringInfo *encrypted_pre_master,
                            GHashTable *key_hash);
4734#endif /* HAVE_LIBGNUTLS */

4736static bool_Bool
4737ssl_restore_master_key(SslDecryptSession *ssl, const char *label,
                     bool_Bool is_pre_master, GHashTable *ht, StringInfo *key);

4740bool_Bool
4741ssl_generate_pre_master_secret(SslDecryptSession *ssl_session,
                             uint32_t length, tvbuff_t *tvb, uint32_t offset,
                             const char *ssl_psk, packet_info *pinfo,
4744#ifdef HAVE_LIBGNUTLS1
                             GHashTable *key_hash,
4746#endif
                             const ssl_master_key_map_t *mk_map)
4748{
  /* check for required session data */
  ssl_debug_printf("%s: found SSL_HND_CLIENT_KEY_EXCHG, state %X\n",
                   G_STRFUNC((const char*) (__func__)), ssl_session->state);
  if ((ssl_session->state & (SSL_CIPHER(1<<2)|SSL_CLIENT_RANDOM(1<<0)|SSL_SERVER_RANDOM(1<<1)|SSL_VERSION(1<<4))) !=
      (SSL_CIPHER(1<<2)|SSL_CLIENT_RANDOM(1<<0)|SSL_SERVER_RANDOM(1<<1)|SSL_VERSION(1<<4))) {
      ssl_debug_printf("%s: not enough data to generate key (required state %X)\n", G_STRFUNC((const char*) (__func__)),
                       (SSL_CIPHER(1<<2)|SSL_CLIENT_RANDOM(1<<0)|SSL_SERVER_RANDOM(1<<1)|SSL_VERSION(1<<4)));
      return false0;
  }

  if (ssl_session->session.version == TLSV1DOT3_VERSION0x304) {
      ssl_debug_printf("%s: detected TLS 1.3 which has no pre-master secrets\n", G_STRFUNC((const char*) (__func__)));
      return false0;
  }

  /* check to see if the PMS was provided to us*/
  if (ssl_restore_master_key(ssl_session, "Unencrypted pre-master secret", true1,
         mk_map->pms, &ssl_session->client_random)) {
      return true1;
  }

  if (ssl_session->cipher_suite->kex == KEX_PSK0x1d)
  {
      /* calculate pre master secret*/
      StringInfo pre_master_secret;
      unsigned psk_len, pre_master_len;

      if (!tls_load_psk(ssl_session, ssl_psk)) {
          return false0;
      }
      psk_len = ssl_session->psk.data_len;

      pre_master_len = psk_len * 2 + 4;

      pre_master_secret.data = (unsigned char *)wmem_alloc(wmem_file_scope(), pre_master_len);
      pre_master_secret.data_len = pre_master_len;
      /* 2 bytes psk_len*/
      pre_master_secret.data[0] = psk_len >> 8;
      pre_master_secret.data[1] = psk_len & 0xFF;
      /* psk_len bytes times 0*/
      memset(&pre_master_secret.data[2], 0, psk_len);
      /* 2 bytes psk_len*/
      pre_master_secret.data[psk_len + 2] = psk_len >> 8;
      pre_master_secret.data[psk_len + 3] = psk_len & 0xFF;
      /* psk*/
      memcpy(&pre_master_secret.data[psk_len + 4], ssl_session->psk.data, psk_len);

      ssl_session->pre_master_secret.data = pre_master_secret.data;
      ssl_session->pre_master_secret.data_len = pre_master_len;
      /*ssl_debug_printf("pre master secret",&ssl->pre_master_secret);*/

      /* Remove the master secret if it was there.
         This forces keying material regeneration in
         case we're renegotiating */
      ssl_session->state &= ~(SSL_MASTER_SECRET(1<<5)|SSL_HAVE_SESSION_KEY(1<<3));
      ssl_session->state |= SSL_PRE_MASTER_SECRET(1<<6);
      return true1;
  }
  else
  {
      unsigned encrlen, skip;
      encrlen = length;
      skip = 0;

      /* get encrypted data, on tls1 we have to skip two bytes
       * (it's the encrypted len and should be equal to record len - 2)
       * in case of rsa1024 that would be 128 + 2 = 130; for psk not necessary
       */
      if (ssl_session->cipher_suite->kex == KEX_RSA0x1e &&
         (ssl_session->session.version == TLSV1_VERSION0x301 ||
          ssl_session->session.version == TLSV1DOT1_VERSION0x302 ||
          ssl_session->session.version == TLSV1DOT2_VERSION0x303 ||
          ssl_session->session.version == DTLSV1DOT0_VERSION0xfeff ||
          ssl_session->session.version == DTLSV1DOT2_VERSION0xfefd ||
          ssl_session->session.version == TLCPV1_VERSION0x101 ))
      {
          encrlen  = tvb_get_ntohs(tvb, offset);
          skip = 2;
          if (encrlen > length - 2)
          {
              ssl_debug_printf("%s: wrong encrypted length (%d max %d)\n",
                               G_STRFUNC((const char*) (__func__)), encrlen, length);
              return false0;
          }
      }
      /* the valid lower bound is higher than 8, but it is sufficient for the
       * ssl keylog file below */
      if (encrlen < 8) {
          ssl_debug_printf("%s: invalid encrypted pre-master key length %d\n",
                           G_STRFUNC((const char*) (__func__)), encrlen);
          return false0;
      }

      StringInfo encrypted_pre_master = {
          .data = (unsigned char *)tvb_memdup(pinfo->pool, tvb, offset + skip, encrlen),
          .data_len = encrlen,
      };

4847#ifdef HAVE_LIBGNUTLS1
      /* Try to lookup an appropriate RSA private key to decrypt the Encrypted Pre-Master Secret. */
      if (ssl_session->cert_key_id) {
          if (ssl_decrypt_pre_master_secret(ssl_session, &encrypted_pre_master, key_hash))
              return true1;

          ssl_debug_printf("%s: can't decrypt pre-master secret\n",
                           G_STRFUNC((const char*) (__func__)));
      }
4856#endif /* HAVE_LIBGNUTLS */

      /* try to find the pre-master secret from the encrypted one. The
       * ssl key logfile stores only the first 8 bytes, so truncate it */
      encrypted_pre_master.data_len = 8;
      if (ssl_restore_master_key(ssl_session, "Encrypted pre-master secret",
          true1, mk_map->pre_master, &encrypted_pre_master))
          return true1;
  }
  return false0;
4866}

4868/* Used for (D)TLS 1.2 and earlier versions (not with TLS 1.3). */
4869int
4870ssl_generate_keyring_material(SslDecryptSession*ssl_session)
4871{
  StringInfo  key_block = { NULL((void*)0), 0 };
  uint8_t     _iv_c[MAX_BLOCK_SIZE16],_iv_s[MAX_BLOCK_SIZE16];
  uint8_t     _key_c[MAX_KEY_SIZE32],_key_s[MAX_KEY_SIZE32];
  int         needed;
  int         cipher_algo = -1;   /* special value (-1) for NULL encryption */
  unsigned    encr_key_len, write_iv_len = 0;
  bool_Bool        is_export_cipher;
  uint8_t    *ptr, *c_iv = NULL((void*)0), *s_iv = NULL((void*)0);
  uint8_t    *c_wk = NULL((void*)0), *s_wk = NULL((void*)0), *c_mk = NULL((void*)0), *s_mk = NULL((void*)0);
  const SslCipherSuite *cipher_suite = ssl_session->cipher_suite;

  /* (D)TLS 1.3 is handled directly in tls13_change_key. */
  if (ssl_session->session.version == TLSV1DOT3_VERSION0x304 || ssl_session->session.version == DTLSV1DOT3_VERSION0xfefc) {
1
Assuming field 'version' is not equal to TLSV1DOT3_VERSION→
2
←
Assuming field 'version' is not equal to DTLSV1DOT3_VERSION→
3
←
Taking false branch→
      ssl_debug_printf("%s: detected TLS 1.3. Should not have been called!\n", G_STRFUNC((const char*) (__func__)));
      return -1;
  }

  /* check for enough info to proceed */
  unsigned need_all = SSL_CIPHER(1<<2)|SSL_CLIENT_RANDOM(1<<0)|SSL_SERVER_RANDOM(1<<1)|SSL_VERSION(1<<4);
  unsigned need_any = SSL_MASTER_SECRET(1<<5) | SSL_PRE_MASTER_SECRET(1<<6);
  if (((ssl_session->state & need_all) != need_all) || ((ssl_session->state & need_any) == 0)) {
4
←
Assuming the condition is false→
5
←
Assuming the condition is false→
6
←
Taking false branch→
      ssl_debug_printf("ssl_generate_keyring_material not enough data to generate key "
                       "(0x%02X required 0x%02X or 0x%02X)\n", ssl_session->state,
                       need_all|SSL_MASTER_SECRET(1<<5), need_all|SSL_PRE_MASTER_SECRET(1<<6));
      /* Special case: for NULL encryption, allow dissection of data even if
       * the Client Hello is missing (MAC keys are now skipped though). */
      need_all = SSL_CIPHER(1<<2)|SSL_VERSION(1<<4);
      if ((ssl_session->state & need_all) == need_all &&
              cipher_suite->enc == ENC_NULL0x3D) {
          ssl_debug_printf("%s NULL cipher found, will create a decoder but "
                  "skip MAC validation as keys are missing.\n", G_STRFUNC((const char*) (__func__)));
          goto create_decoders;
      }

      return -1;
  }

  /* if master key is not available, generate is from the pre-master secret */
  if (!(ssl_session->state & SSL_MASTER_SECRET(1<<5))) {
7
←
Assuming the condition is true→
8
←
Taking true branch→
      if ((ssl_session->state & SSL_EXTENDED_MASTER_SECRET_MASK((1<<7)|(1<<8))) == SSL_EXTENDED_MASTER_SECRET_MASK((1<<7)|(1<<8))) {
9
←
Assuming the condition is true→
10
←
Taking true branch→
          StringInfo handshake_hashed_data;
          int ret;

          handshake_hashed_data.data = NULL((void*)0);
          handshake_hashed_data.data_len = 0;

          ssl_debug_printf("%s:PRF(pre_master_secret_extended)\n", G_STRFUNC((const char*) (__func__)));
          ssl_print_string("pre master secret",&ssl_session->pre_master_secret);
          DISSECTOR_ASSERT(ssl_session->handshake_data.data_len > 0)((void) ((ssl_session->handshake_data.data_len > 0) ? (
void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\""
, "epan/dissectors/packet-tls-utils.c", 4920, "ssl_session->handshake_data.data_len > 0"
))));
11
←
Assuming field 'data_len' is > 0→
12
←
'?' condition is true→

          switch(ssl_session->session.version) {
13
←
Control jumps to 'case 257:'  at line 4927→
          case TLSV1_VERSION0x301:
          case TLSV1DOT1_VERSION0x302:
          case DTLSV1DOT0_VERSION0xfeff:
          case DTLSV1DOT0_OPENSSL_VERSION0x100:
          case TLCPV1_VERSION0x101:
              ret = tls_handshake_hash(ssl_session, &handshake_hashed_data);
14
←
Calling 'tls_handshake_hash'→
22
←
Returned allocated memory→
              break;
          default:
              switch (cipher_suite->dig) {
              case DIG_SHA3840x43:
                  ret = tls12_handshake_hash(ssl_session, GCRY_MD_SHA384, &handshake_hashed_data);
                  break;
              default:
                  ret = tls12_handshake_hash(ssl_session, GCRY_MD_SHA256, &handshake_hashed_data);
                  break;
              }
              break;
          }
          if (ret23.1
'ret' is -1
) {
23
←
 Execution continues on line 4941→
24
←
Taking true branch→
              ssl_debug_printf("%s can't generate handshake hash\n", G_STRFUNC((const char*) (__func__)));
25
←
Potential leak of memory pointed to by 'handshake_hashed_data.data'
              return -1;
          }

          wmem_free(wmem_file_scope(), ssl_session->handshake_data.data);
          ssl_session->handshake_data.data = NULL((void*)0);
          ssl_session->handshake_data.data_len = 0;

          if (!prf(ssl_session, &ssl_session->pre_master_secret, "extended master secret",
                   &handshake_hashed_data,
                   NULL((void*)0), &ssl_session->master_secret,
                   SSL_MASTER_SECRET_LENGTH48)) {
              ssl_debug_printf("%s can't generate master_secret\n", G_STRFUNC((const char*) (__func__)));
              g_free(handshake_hashed_data.data)(__builtin_object_size ((handshake_hashed_data.data), 0) != (
(size_t) - 1)) ? g_free_sized (handshake_hashed_data.data, __builtin_object_size
 ((handshake_hashed_data.data), 0)) : (g_free) (handshake_hashed_data
.data);
              return -1;
          }
          g_free(handshake_hashed_data.data)(__builtin_object_size ((handshake_hashed_data.data), 0) != (
(size_t) - 1)) ? g_free_sized (handshake_hashed_data.data, __builtin_object_size
 ((handshake_hashed_data.data), 0)) : (g_free) (handshake_hashed_data
.data);
      } else {
          ssl_debug_printf("%s:PRF(pre_master_secret)\n", G_STRFUNC((const char*) (__func__)));
          ssl_print_string("pre master secret",&ssl_session->pre_master_secret);
          ssl_print_string("client random",&ssl_session->client_random);
          ssl_print_string("server random",&ssl_session->server_random);
          if (!prf(ssl_session, &ssl_session->pre_master_secret, "master secret",
                   &ssl_session->client_random,
                   &ssl_session->server_random, &ssl_session->master_secret,
                   SSL_MASTER_SECRET_LENGTH48)) {
              ssl_debug_printf("%s can't generate master_secret\n", G_STRFUNC((const char*) (__func__)));
              return -1;
          }
      }
      ssl_print_string("master secret",&ssl_session->master_secret);

      /* the pre-master secret has been 'consumed' so we must clear it now */
      ssl_session->state &= ~SSL_PRE_MASTER_SECRET(1<<6);
      ssl_session->state |= SSL_MASTER_SECRET(1<<5);
  }

  /* Find the Libgcrypt cipher algorithm for the given SSL cipher suite ID */
  if (cipher_suite->enc != ENC_NULL0x3D) {
      const char *cipher_name = ciphers[cipher_suite->enc-ENC_START0x30];
      ssl_debug_printf("%s CIPHER: %s\n", G_STRFUNC((const char*) (__func__)), cipher_name);
      cipher_algo = ssl_get_cipher_by_name(cipher_name);
      if (cipher_algo == 0) {
          ssl_debug_printf("%s can't find cipher %s\n", G_STRFUNC((const char*) (__func__)), cipher_name);
          return -1;
      }
  }

  /* Export ciphers consume less material from the key block. */
  encr_key_len = ssl_get_cipher_export_keymat_size(cipher_suite->number);
  is_export_cipher = encr_key_len > 0;
  if (!is_export_cipher && cipher_suite->enc != ENC_NULL0x3D) {
      encr_key_len = (unsigned)gcry_cipher_get_algo_keylen(cipher_algo);
  }

  if (cipher_suite->mode == MODE_CBC) {
      write_iv_len = (unsigned)gcry_cipher_get_algo_blklen(cipher_algo);
  } else if (cipher_suite->mode == MODE_GCM || cipher_suite->mode == MODE_CCM || cipher_suite->mode == MODE_CCM_8) {
      /* account for a four-byte salt for client and server side (from
       * client_write_IV and server_write_IV), see GCMNonce (RFC 5288) */
      write_iv_len = 4;
  } else if (cipher_suite->mode == MODE_POLY1305) {
      /* RFC 7905: SecurityParameters.fixed_iv_length is twelve bytes */
      write_iv_len = 12;
  }

  /* Compute the key block. First figure out how much data we need */
  needed = ssl_cipher_suite_dig(cipher_suite)->len*2;     /* MAC key  */
  needed += 2 * encr_key_len;                             /* encryption key */
  needed += 2 * write_iv_len;                             /* write IV */

  key_block.data = (unsigned char *)g_malloc(needed);
  ssl_debug_printf("%s sess key generation\n", G_STRFUNC((const char*) (__func__)));
  if (!prf(ssl_session, &ssl_session->master_secret, "key expansion",
          &ssl_session->server_random,&ssl_session->client_random,
          &key_block, needed)) {
      ssl_debug_printf("%s can't generate key_block\n", G_STRFUNC((const char*) (__func__)));
      goto fail;
  }
  ssl_print_string("key expansion", &key_block);

  ptr=key_block.data;
  /* client/server write MAC key (for non-AEAD ciphers) */
  if (cipher_suite->mode == MODE_STREAM || cipher_suite->mode == MODE_CBC) {
      c_mk=ptr; ptr+=ssl_cipher_suite_dig(cipher_suite)->len;
      s_mk=ptr; ptr+=ssl_cipher_suite_dig(cipher_suite)->len;
  }
  /* client/server write encryption key */
  c_wk=ptr; ptr += encr_key_len;
  s_wk=ptr; ptr += encr_key_len;
  /* client/server write IV (used as IV (for CBC) or salt (for AEAD)) */
  if (write_iv_len > 0) {
      c_iv=ptr; ptr += write_iv_len;
      s_iv=ptr; /* ptr += write_iv_len; */
  }

  /* export ciphers work with a smaller key length */
  if (is_export_cipher) {
      if (cipher_suite->mode == MODE_CBC) {

          /* We only have room for MAX_BLOCK_SIZE bytes IVs, but that's
           all we should need. This is a sanity check */
          if (write_iv_len > MAX_BLOCK_SIZE16) {
              ssl_debug_printf("%s cipher suite block must be at most %d nut is %d\n",
                      G_STRFUNC((const char*) (__func__)), MAX_BLOCK_SIZE16, write_iv_len);
              goto fail;
          }

          if(ssl_session->session.version==SSLV3_VERSION0x300){
              /* The length of these fields are ignored by this caller */
              StringInfo iv_c, iv_s;
              iv_c.data = _iv_c;
              iv_s.data = _iv_s;

              ssl_debug_printf("%s ssl3_generate_export_iv\n", G_STRFUNC((const char*) (__func__)));
              if (!ssl3_generate_export_iv(&ssl_session->client_random,
                           &ssl_session->server_random, &iv_c, write_iv_len)) {
                  goto fail;
              }
              ssl_debug_printf("%s ssl3_generate_export_iv(2)\n", G_STRFUNC((const char*) (__func__)));
              if (!ssl3_generate_export_iv(&ssl_session->server_random,
                           &ssl_session->client_random, &iv_s, write_iv_len)) {
                  goto fail;
              }
          }
          else{
              uint8_t _iv_block[MAX_BLOCK_SIZE16 * 2];
              StringInfo iv_block;
              StringInfo key_null;
              uint8_t _key_null;

              key_null.data = &_key_null;
              key_null.data_len = 0;

              iv_block.data = _iv_block;

              ssl_debug_printf("%s prf(iv_block)\n", G_STRFUNC((const char*) (__func__)));
              if (!prf(ssl_session, &key_null, "IV block",
                      &ssl_session->client_random,
                      &ssl_session->server_random, &iv_block,
                      write_iv_len * 2)) {
                  ssl_debug_printf("%s can't generate tls31 iv block\n", G_STRFUNC((const char*) (__func__)));
                  goto fail;
              }

              memcpy(_iv_c, iv_block.data, write_iv_len);
              memcpy(_iv_s, iv_block.data + write_iv_len, write_iv_len);
          }

          c_iv=_iv_c;
          s_iv=_iv_s;
      }

      if (ssl_session->session.version==SSLV3_VERSION0x300){

          SSL_MD5_CTXgcry_md_hd_t md5;
          ssl_debug_printf("%s MD5(client_random)\n", G_STRFUNC((const char*) (__func__)));

          if (ssl_md5_init(&md5) != 0)
              goto fail;
          ssl_md5_update(&md5,c_wk,encr_key_len);
          ssl_md5_update(&md5,ssl_session->client_random.data,
              ssl_session->client_random.data_len);
          ssl_md5_update(&md5,ssl_session->server_random.data,
              ssl_session->server_random.data_len);
          ssl_md5_final(_key_c,&md5);
          ssl_md5_cleanup(&md5);
          c_wk=_key_c;

          if (ssl_md5_init(&md5) != 0)
              goto fail;
          ssl_debug_printf("%s MD5(server_random)\n", G_STRFUNC((const char*) (__func__)));
          ssl_md5_update(&md5,s_wk,encr_key_len);
          ssl_md5_update(&md5,ssl_session->server_random.data,
              ssl_session->server_random.data_len);
          ssl_md5_update(&md5,ssl_session->client_random.data,
              ssl_session->client_random.data_len);
          ssl_md5_final(_key_s,&md5);
          ssl_md5_cleanup(&md5);
          s_wk=_key_s;
      }
      else{
          StringInfo key_c, key_s, k;
          key_c.data = _key_c;
          key_s.data = _key_s;

          k.data = c_wk;
          k.data_len = encr_key_len;
          ssl_debug_printf("%s PRF(key_c)\n", G_STRFUNC((const char*) (__func__)));
          if (!prf(ssl_session, &k, "client write key",
                  &ssl_session->client_random,
                  &ssl_session->server_random, &key_c, sizeof(_key_c))) {
              ssl_debug_printf("%s can't generate tll31 server key \n", G_STRFUNC((const char*) (__func__)));
              goto fail;
          }
          c_wk=_key_c;

          k.data = s_wk;
          k.data_len = encr_key_len;
          ssl_debug_printf("%s PRF(key_s)\n", G_STRFUNC((const char*) (__func__)));
          if (!prf(ssl_session, &k, "server write key",
                  &ssl_session->client_random,
                  &ssl_session->server_random, &key_s, sizeof(_key_s))) {
              ssl_debug_printf("%s can't generate tll31 client key \n", G_STRFUNC((const char*) (__func__)));
              goto fail;
          }
          s_wk=_key_s;
      }
  }

  /* show key material info */
  if (c_mk != NULL((void*)0)) {
      ssl_print_data("Client MAC key",c_mk,ssl_cipher_suite_dig(cipher_suite)->len);
      ssl_print_data("Server MAC key",s_mk,ssl_cipher_suite_dig(cipher_suite)->len);
  }
  ssl_print_data("Client Write key", c_wk, encr_key_len);
  ssl_print_data("Server Write key", s_wk, encr_key_len);
  /* used as IV for CBC mode and the AEAD implicit nonce (salt) */
  if (write_iv_len > 0) {
      ssl_print_data("Client Write IV", c_iv, write_iv_len);
      ssl_print_data("Server Write IV", s_iv, write_iv_len);
  }

5165create_decoders:
  /* create both client and server ciphers*/
  ssl_debug_printf("%s ssl_create_decoder(client)\n", G_STRFUNC((const char*) (__func__)));
  ssl_session->client_new = ssl_create_decoder(cipher_suite, cipher_algo, ssl_session->session.compression, c_mk, c_wk, NULL((void*)0), c_iv, write_iv_len);
  if (!ssl_session->client_new) {
      ssl_debug_printf("%s can't init client decoder\n", G_STRFUNC((const char*) (__func__)));
      goto fail;
  }
  ssl_debug_printf("%s ssl_create_decoder(server)\n", G_STRFUNC((const char*) (__func__)));
  ssl_session->server_new = ssl_create_decoder(cipher_suite, cipher_algo, ssl_session->session.compression, s_mk, s_wk, NULL((void*)0), s_iv, write_iv_len);
  if (!ssl_session->server_new) {
      ssl_debug_printf("%s can't init server decoder\n", G_STRFUNC((const char*) (__func__)));
      goto fail;
  }

  /* Continue the SSL stream after renegotiation with new keys. */
  ssl_session->client_new->flow = ssl_session->client ? ssl_session->client->flow : ssl_create_flow();
  ssl_session->server_new->flow = ssl_session->server ? ssl_session->server->flow : ssl_create_flow();

  ssl_debug_printf("%s: client seq %" PRIu64"l" "u" ", server seq %" PRIu64"l" "u" "\n",
      G_STRFUNC((const char*) (__func__)), ssl_session->client_new->seq, ssl_session->server_new->seq);
  g_free(key_block.data)(__builtin_object_size ((key_block.data), 0) != ((size_t) - 1
)) ? g_free_sized (key_block.data, __builtin_object_size ((key_block
.data), 0)) : (g_free) (key_block.data);
  ssl_session->state |= SSL_HAVE_SESSION_KEY(1<<3);
  return 0;

5190fail:
  g_free(key_block.data)(__builtin_object_size ((key_block.data), 0) != ((size_t) - 1
)) ? g_free_sized (key_block.data, __builtin_object_size ((key_block
.data), 0)) : (g_free) (key_block.data);
  return -1;
5193}

5195/* Generated the key material based on the given secret. */
5196bool_Bool
5197tls13_generate_keys(SslDecryptSession *ssl_session, const StringInfo *secret, bool_Bool is_from_server)
5198{
  bool_Bool        success = false0;
  unsigned char     *write_key = NULL((void*)0), *write_iv = NULL((void*)0);
  unsigned char     *sn_key = NULL((void*)0);
  SslDecoder *decoder;
  unsigned    key_length, iv_length;
  int         hash_algo;
  const SslCipherSuite *cipher_suite = ssl_session->cipher_suite;
  int         cipher_algo;

  if ((ssl_session->session.version != TLSV1DOT3_VERSION0x304) && (ssl_session->session.version != DTLSV1DOT3_VERSION0xfefc)) {
      ssl_debug_printf("%s only usable for TLS 1.3, not %#x!\n", G_STRFUNC((const char*) (__func__)),
              ssl_session->session.version);
      return false0;
  }

  if (cipher_suite == NULL((void*)0)) {
      ssl_debug_printf("%s Unknown cipher\n", G_STRFUNC((const char*) (__func__)));
      return false0;
  }

  if (cipher_suite->kex != KEX_TLS130x23) {
      ssl_debug_printf("%s Invalid cipher suite 0x%04x spotted!\n", G_STRFUNC((const char*) (__func__)), cipher_suite->number);
      return false0;
  }

  /* Find the Libgcrypt cipher algorithm for the given SSL cipher suite ID */
  const char *cipher_name = ciphers[cipher_suite->enc-ENC_START0x30];
  ssl_debug_printf("%s CIPHER: %s\n", G_STRFUNC((const char*) (__func__)), cipher_name);
  cipher_algo = ssl_get_cipher_by_name(cipher_name);
  if (cipher_algo == 0) {
      ssl_debug_printf("%s can't find cipher %s\n", G_STRFUNC((const char*) (__func__)), cipher_name);
      return false0;
  }

  const char *hash_name = ssl_cipher_suite_dig(cipher_suite)->name;
  hash_algo = ssl_get_digest_by_name(hash_name);
  if (!hash_algo) {
      ssl_debug_printf("%s can't find hash function %s\n", G_STRFUNC((const char*) (__func__)), hash_name);
      return false0;
  }

  key_length = (unsigned) gcry_cipher_get_algo_keylen(cipher_algo);
  /* AES-GCM/AES-CCM/Poly1305-ChaCha20 all have N_MIN=N_MAX = 12. */
  iv_length = 12;
  ssl_debug_printf("%s key_length %u iv_length %u\n", G_STRFUNC((const char*) (__func__)), key_length, iv_length);

  const char *label_prefix = tls13_hkdf_label_prefix(ssl_session);
  if (!tls13_hkdf_expand_label(hash_algo, secret, label_prefix, "key", key_length, &write_key)) {
      ssl_debug_printf("%s write_key expansion failed\n", G_STRFUNC((const char*) (__func__)));
      return false0;
  }
  if (!tls13_hkdf_expand_label(hash_algo, secret, label_prefix, "iv", iv_length, &write_iv)) {
      ssl_debug_printf("%s write_iv expansion failed\n", G_STRFUNC((const char*) (__func__)));
      goto end;
  }

  if (ssl_session->session.version == DTLSV1DOT3_VERSION0xfefc) {
      if (!tls13_hkdf_expand_label(hash_algo, secret, label_prefix, "sn", key_length, &sn_key)) {
          ssl_debug_printf("%s sn_key expansion failed\n", G_STRFUNC((const char*) (__func__)));
          goto end;
      }
  }

  ssl_print_data(is_from_server ? "Server Write Key" : "Client Write Key", write_key, key_length);
  ssl_print_data(is_from_server ? "Server Write IV" : "Client Write IV", write_iv, iv_length);
  if (ssl_session->session.version == DTLSV1DOT3_VERSION0xfefc) {
      ssl_print_data(is_from_server ? "Server Write SN" : "Client Write SN", sn_key, key_length);
  }

  ssl_debug_printf("%s ssl_create_decoder(%s)\n", G_STRFUNC((const char*) (__func__)), is_from_server ? "server" : "client");
  decoder = ssl_create_decoder(cipher_suite, cipher_algo, 0, NULL((void*)0), write_key, sn_key, write_iv, iv_length);
  if (!decoder) {
      ssl_debug_printf("%s can't init %s decoder\n", G_STRFUNC((const char*) (__func__)), is_from_server ? "server" : "client");
      goto end;
  }

  /* Continue the TLS session with new keys, but reuse old flow to keep things
   * like "Follow TLS" working (by linking application data records). */
  if (is_from_server) {
      decoder->flow = ssl_session->server ? ssl_session->server->flow : ssl_create_flow();
      ssl_session->server = decoder;
  } else {
      decoder->flow = ssl_session->client ? ssl_session->client->flow : ssl_create_flow();
      ssl_session->client = decoder;
  }
  ssl_debug_printf("%s %s ready using cipher suite 0x%04x (cipher %s hash %s)\n", G_STRFUNC((const char*) (__func__)),
                   is_from_server ? "Server" : "Client", cipher_suite->number, cipher_name, hash_name);
  success = true1;

5288end:
  wmem_free(NULL((void*)0), write_key);
  wmem_free(NULL((void*)0), write_iv);
  if (sn_key)
      wmem_free(NULL((void*)0), sn_key);
  return success;
5294}
5295/* (Pre-)master secrets calculations }}} */

5297#ifdef HAVE_LIBGNUTLS1
5298/* Decrypt RSA pre-master secret using RSA private key. {{{ */
5299static bool_Bool
5300ssl_decrypt_pre_master_secret(SslDecryptSession *ssl_session,
  StringInfo *encrypted_pre_master, GHashTable *key_hash)
5302{
  int ret;

  if (!encrypted_pre_master)
      return false0;

  if (KEX_IS_DH(ssl_session->cipher_suite->kex)((ssl_session->cipher_suite->kex) >= 0x10 &&
 (ssl_session->cipher_suite->kex) <= 0x1b)) {
      ssl_debug_printf("%s: session uses Diffie-Hellman key exchange "
                       "(cipher suite 0x%04X %s) and cannot be decrypted "
                       "using a RSA private key file.\n",
                       G_STRFUNC((const char*) (__func__)), ssl_session->session.cipher,
                       val_to_str_ext_const(ssl_session->session.cipher,
                           &ssl_31_ciphersuite_ext, "unknown"));
      return false0;
  } else if (ssl_session->cipher_suite->kex != KEX_RSA0x1e) {
       ssl_debug_printf("%s key exchange %d different from KEX_RSA (%d)\n",
                        G_STRFUNC((const char*) (__func__)), ssl_session->cipher_suite->kex, KEX_RSA0x1e);
      return false0;
  }

  gnutls_privkey_t pk = (gnutls_privkey_t)g_hash_table_lookup(key_hash, ssl_session->cert_key_id);

  ssl_print_string("pre master encrypted", encrypted_pre_master);
  ssl_debug_printf("%s: RSA_private_decrypt\n", G_STRFUNC((const char*) (__func__)));
  const gnutls_datum_t epms = { encrypted_pre_master->data, encrypted_pre_master->data_len };
  gnutls_datum_t pms = { 0 };
  if (pk) {
      // Try to decrypt using the RSA keys table from (D)TLS preferences.
      char *err = NULL((void*)0);
      gcry_sexp_t private_key = rsa_abstract_privkey_to_sexp(pk, &err);
      if (!private_key) {
          ssl_debug_printf("%s: decryption failed: Can't export private key: %s", G_STRFUNC((const char*) (__func__)), err);
          g_free(err)(__builtin_object_size ((err), 0) != ((size_t) - 1)) ? g_free_sized
 (err, __builtin_object_size ((err), 0)) : (g_free) (err);
          return false0;
      }

      pms.size = (int)rsa_decrypt(encrypted_pre_master->data_len, encrypted_pre_master->data, &pms.data, private_key, "pkcs1", &err);
      rsa_private_key_free(private_key);
      if (pms.size == 0) {
          ssl_debug_printf("%s: decryption failed: %s\n", G_STRFUNC((const char*) (__func__)), err);
          g_free(err)(__builtin_object_size ((err), 0) != ((size_t) - 1)) ? g_free_sized
 (err, __builtin_object_size ((err), 0)) : (g_free) (err);
          return false0;
      }
  } else {
      // Try to decrypt using a hardware token.
      ret = secrets_rsa_decrypt(ssl_session->cert_key_id, epms.data, epms.size, &pms.data, &pms.size);
      if (ret < 0) {
          ssl_debug_printf("%s: decryption failed: %d (%s)\n", G_STRFUNC((const char*) (__func__)), ret, gnutls_strerror(ret));
          return false0;
      }
  }

  if (pms.size != 48) {
      ssl_debug_printf("%s wrong pre_master_secret length (%d, expected %d)\n",
                       G_STRFUNC((const char*) (__func__)), pms.size, 48);
      g_free(pms.data)(__builtin_object_size ((pms.data), 0) != ((size_t) - 1)) ? g_free_sized
 (pms.data, __builtin_object_size ((pms.data), 0)) : (g_free)
 (pms.data);
      return false0;
  }

  ssl_session->pre_master_secret.data = (uint8_t *)wmem_memdup(wmem_file_scope(), pms.data, 48);
  ssl_session->pre_master_secret.data_len = 48;
  g_free(pms.data)(__builtin_object_size ((pms.data), 0) != ((size_t) - 1)) ? g_free_sized
 (pms.data, __builtin_object_size ((pms.data), 0)) : (g_free)
 (pms.data);
  ssl_print_string("pre master secret", &ssl_session->pre_master_secret);

  /* Remove the master secret if it was there.
     This forces keying material regeneration in
     case we're renegotiating */
  ssl_session->state &= ~(SSL_MASTER_SECRET(1<<5)|SSL_HAVE_SESSION_KEY(1<<3));
  ssl_session->state |= SSL_PRE_MASTER_SECRET(1<<6);
  return true1;
5372} /* }}} */
5373#endif /* HAVE_LIBGNUTLS */

5375/* Decryption integrity check {{{ */

5377static int
5378tls_check_mac(SslDecoder*decoder, int ct, int ver, uint8_t* data,
      uint32_t datalen, uint8_t* mac)
5380{
  SSL_HMACgcry_md_hd_t hm;
  int      md;
  uint32_t len;
  uint8_t  buf[DIGEST_MAX_SIZE48];
  int16_t  temp;

  md=ssl_get_digest_by_name(ssl_cipher_suite_dig(decoder->cipher_suite)->name);
  ssl_debug_printf("tls_check_mac mac type:%s md %d\n",
      ssl_cipher_suite_dig(decoder->cipher_suite)->name, md);

  if (ssl_hmac_init(&hm,md) != 0)
      return -1;
  if (ssl_hmac_setkey(&hm,decoder->mac_key.data,decoder->mac_key.data_len) != 0)
      return -1;

  /* hash sequence number */
  phtonu64(buf, decoder->seq);

  decoder->seq++;

  ssl_hmac_update(&hm,buf,8);

  /* hash content type */
  buf[0]=ct;
  ssl_hmac_update(&hm,buf,1);

  /* hash version,data length and data*/
  /* *((int16_t*)buf) = g_htons(ver); */
  temp = g_htons(ver)(((((guint16) ( (guint16) ((guint16) (ver) >> 8) | (guint16
) ((guint16) (ver) << 8))))));
  memcpy(buf, &temp, 2);
  ssl_hmac_update(&hm,buf,2);

  /* *((int16_t*)buf) = g_htons(datalen); */
  temp = g_htons(datalen)(((((guint16) ( (guint16) ((guint16) (datalen) >> 8) | (
guint16) ((guint16) (datalen) << 8))))));
  memcpy(buf, &temp, 2);
  ssl_hmac_update(&hm,buf,2);
  ssl_hmac_update(&hm,data,datalen);

  /* get digest and digest len*/
  len = sizeof(buf);
  ssl_hmac_final(&hm,buf,&len);
  ssl_hmac_cleanup(&hm);
  ssl_print_data("Mac", buf, len);
  if(memcmp(mac,buf,len))
      return -1;

  return 0;
5428}

5430static int
5431ssl3_check_mac(SslDecoder*decoder,int ct,uint8_t* data,
      uint32_t datalen, uint8_t* mac)
5433{
  SSL_MDgcry_md_hd_t  mc;
  int     md;
  uint32_t len;
  uint8_t buf[64],dgst[20];
  int     pad_ct;
  int16_t temp;

  pad_ct=(decoder->cipher_suite->dig==DIG_SHA0x41)?40:48;

  /* get cipher used for digest computation */
  md=ssl_get_digest_by_name(ssl_cipher_suite_dig(decoder->cipher_suite)->name);
  if (ssl_md_init(&mc,md) !=0)
      return -1;

  /* do hash computation on data && padding */
  ssl_md_update(&mc,decoder->mac_key.data,decoder->mac_key.data_len);

  /* hash padding*/
  memset(buf,0x36,pad_ct);
  ssl_md_update(&mc,buf,pad_ct);

  /* hash sequence number */
  phtonu64(buf, decoder->seq);
  decoder->seq++;
  ssl_md_update(&mc,buf,8);

  /* hash content type */
  buf[0]=ct;
  ssl_md_update(&mc,buf,1);

  /* hash data length in network byte order and data*/
  /* *((int16_t* )buf) = g_htons(datalen); */
  temp = g_htons(datalen)(((((guint16) ( (guint16) ((guint16) (datalen) >> 8) | (
guint16) ((guint16) (datalen) << 8))))));
  memcpy(buf, &temp, 2);
  ssl_md_update(&mc,buf,2);
  ssl_md_update(&mc,data,datalen);

  /* get partial digest */
  ssl_md_final(&mc,dgst,&len);
  ssl_md_reset(&mc);

  /* hash mac key */
  ssl_md_update(&mc,decoder->mac_key.data,decoder->mac_key.data_len);

  /* hash padding and partial digest*/
  memset(buf,0x5c,pad_ct);
  ssl_md_update(&mc,buf,pad_ct);
  ssl_md_update(&mc,dgst,len);

  ssl_md_final(&mc,dgst,&len);
  ssl_md_cleanup(&mc);

  if(memcmp(mac,dgst,len))
      return -1;

  return 0;
5490}

5492static int
5493dtls_check_mac(SslDecryptSession *ssl, SslDecoder*decoder, int ct, uint8_t* data,
      uint32_t datalen, uint8_t* mac, const unsigned char *cid, uint8_t cidl)
5495{
  SSL_HMACgcry_md_hd_t hm;
  int      md;
  uint32_t len;
  uint8_t  buf[DIGEST_MAX_SIZE48];
  int16_t  temp;

  int ver = ssl->session.version;
  bool_Bool is_cid = ((ct == SSL_ID_TLS12_CID) && (ver == DTLSV1DOT2_VERSION0xfefd));

  md=ssl_get_digest_by_name(ssl_cipher_suite_dig(decoder->cipher_suite)->name);
  ssl_debug_printf("dtls_check_mac mac type:%s md %d\n",
      ssl_cipher_suite_dig(decoder->cipher_suite)->name, md);

  if (ssl_hmac_init(&hm,md) != 0)
      return -1;
  if (ssl_hmac_setkey(&hm,decoder->mac_key.data,decoder->mac_key.data_len) != 0)
      return -1;

  ssl_debug_printf("dtls_check_mac seq: %" PRIu64"l" "u" " epoch: %d\n",decoder->seq,decoder->epoch);

  if (is_cid && !ssl->session.deprecated_cid) {
      /* hash seq num placeholder */
      memset(buf,0xFF,8);
      ssl_hmac_update(&hm,buf,8);

      /* hash content type + cid length + content type */
      buf[0]=ct;
      buf[1]=cidl;
      buf[2]=ct;
      ssl_hmac_update(&hm,buf,3);

      /* hash version */
      temp = g_htons(ver)(((((guint16) ( (guint16) ((guint16) (ver) >> 8) | (guint16
) ((guint16) (ver) << 8))))));
      memcpy(buf, &temp, 2);
      ssl_hmac_update(&hm,buf,2);

      /* hash sequence number */
      phtonu64(buf, decoder->seq);
      buf[0]=decoder->epoch>>8;
      buf[1]=(uint8_t)decoder->epoch;
      ssl_hmac_update(&hm,buf,8);

      /* hash cid */
      ssl_hmac_update(&hm,cid,cidl);
  } else {
      /* hash sequence number */
      phtonu64(buf, decoder->seq);
      buf[0]=decoder->epoch>>8;
      buf[1]=(uint8_t)decoder->epoch;
      ssl_hmac_update(&hm,buf,8);

      /* hash content type */
      buf[0]=ct;
      ssl_hmac_update(&hm,buf,1);

      /* hash version */
      temp = g_htons(ver)(((((guint16) ( (guint16) ((guint16) (ver) >> 8) | (guint16
) ((guint16) (ver) << 8))))));
      memcpy(buf, &temp, 2);
      ssl_hmac_update(&hm,buf,2);

      if (is_cid && ssl->session.deprecated_cid) {
          /* hash cid */
          ssl_hmac_update(&hm,cid,cidl);

          /* hash cid length */
          buf[0] = cidl;
          ssl_hmac_update(&hm,buf,1);
      }
  }

  /* data length and data */
  temp = g_htons(datalen)(((((guint16) ( (guint16) ((guint16) (datalen) >> 8) | (
guint16) ((guint16) (datalen) << 8))))));
  memcpy(buf, &temp, 2);
  ssl_hmac_update(&hm,buf,2);
  ssl_hmac_update(&hm,data,datalen);

  /* get digest and digest len */
  len = sizeof(buf);
  ssl_hmac_final(&hm,buf,&len);
  ssl_hmac_cleanup(&hm);
  ssl_print_data("Mac", buf, len);
  if(memcmp(mac,buf,len))
      return -1;

  return 0;
5581}
5582/* Decryption integrity check }}} */


5585static bool_Bool
5586tls_decrypt_aead_record(wmem_allocator_t* allocator, SslDecryptSession *ssl, SslDecoder *decoder,
      uint8_t ct, uint16_t record_version,
      bool_Bool ignore_mac_failed,
      const unsigned char *in, uint16_t inl,
      const unsigned char *cid, uint8_t cidl,
      StringInfo *out_str, unsigned *outl)
5592{
  /* RFC 5246 (TLS 1.2) 6.2.3.3 defines the TLSCipherText.fragment as:
   * GenericAEADCipher: { nonce_explicit, [content] }
   * In TLS 1.3 this explicit nonce is gone.
   * With AES GCM/CCM, "[content]" is actually the concatenation of the
   * ciphertext and authentication tag.
   */
  const uint16_t  version = ssl->session.version;
  const bool_Bool      is_v12 = version == TLSV1DOT2_VERSION0x303 || version == DTLSV1DOT2_VERSION0xfefd || version == TLCPV1_VERSION0x101;
  gcry_error_t    err;
  const unsigned char   *explicit_nonce = NULL((void*)0), *ciphertext;
  unsigned        ciphertext_len, auth_tag_len;
  unsigned char   nonce[12];
  const ssl_cipher_mode_t cipher_mode = decoder->cipher_suite->mode;
  const bool_Bool      is_cid = ct == SSL_ID_TLS12_CID && version == DTLSV1DOT2_VERSION0xfefd;
  const uint8_t   draft_version = ssl->session.tls13_draft_version;
  const unsigned char   *auth_tag_wire;
  unsigned char   auth_tag_calc[16];
  unsigned char  *aad = NULL((void*)0);
  unsigned        aad_len = 0;

  switch (cipher_mode) {
  case MODE_GCM:
  case MODE_CCM:
  case MODE_POLY1305:
      auth_tag_len = 16;
      break;
  case MODE_CCM_8:
      auth_tag_len = 8;
      break;
  default:
      ssl_debug_printf("%s unsupported cipher!\n", G_STRFUNC((const char*) (__func__)));
      return false0;
  }

  /* Parse input into explicit nonce (TLS 1.2 only), ciphertext and tag. */
  if (is_v12 && cipher_mode != MODE_POLY1305) {
      if (inl < EXPLICIT_NONCE_LEN8 + auth_tag_len) {
          ssl_debug_printf("%s input %d is too small for explicit nonce %d and auth tag %d\n",
                  G_STRFUNC((const char*) (__func__)), inl, EXPLICIT_NONCE_LEN8, auth_tag_len);
          return false0;
      }
      explicit_nonce = in;
      ciphertext = explicit_nonce + EXPLICIT_NONCE_LEN8;
      ciphertext_len = inl - EXPLICIT_NONCE_LEN8 - auth_tag_len;
  } else if (version == TLSV1DOT3_VERSION0x304 || version == DTLSV1DOT3_VERSION0xfefc || cipher_mode == MODE_POLY1305) {
      if (inl < auth_tag_len) {
          ssl_debug_printf("%s input %d has no space for auth tag %d\n", G_STRFUNC((const char*) (__func__)), inl, auth_tag_len);
          return false0;
      }
      ciphertext = in;
      ciphertext_len = inl - auth_tag_len;
  } else {
      ssl_debug_printf("%s Unexpected TLS version %#x\n", G_STRFUNC((const char*) (__func__)), version);
      return false0;
  }
  auth_tag_wire = ciphertext + ciphertext_len;

  /*
   * Nonce construction is version-specific. Note that AEAD_CHACHA20_POLY1305
   * (RFC 7905) uses a nonce construction similar to TLS 1.3.
   */
  if (is_v12 && cipher_mode != MODE_POLY1305) {
      DISSECTOR_ASSERT(decoder->write_iv.data_len == IMPLICIT_NONCE_LEN)((void) ((decoder->write_iv.data_len == 4) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 5655, "decoder->write_iv.data_len == 4"))));
      /* Implicit (4) and explicit (8) part of nonce. */
      memcpy(nonce, decoder->write_iv.data, IMPLICIT_NONCE_LEN4);
      memcpy(nonce + IMPLICIT_NONCE_LEN4, explicit_nonce, EXPLICIT_NONCE_LEN8);

  } else if (version == TLSV1DOT3_VERSION0x304 || version == DTLSV1DOT3_VERSION0xfefc ||  cipher_mode == MODE_POLY1305) {
      /*
       * Technically the nonce length must be at least 8 bytes, but for
       * AES-GCM, AES-CCM and Poly1305-ChaCha20 the nonce length is exact 12.
       */
      const unsigned nonce_len = 12;
      DISSECTOR_ASSERT(decoder->write_iv.data_len == nonce_len)((void) ((decoder->write_iv.data_len == nonce_len) ? (void
)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\""
, "epan/dissectors/packet-tls-utils.c", 5666, "decoder->write_iv.data_len == nonce_len"
))));
      memcpy(nonce, decoder->write_iv.data, decoder->write_iv.data_len);
      /* Sequence number is left-padded with zeroes and XORed with write_iv */
      phtonu64(nonce + nonce_len - 8, pntohu64(nonce + nonce_len - 8) ^ decoder->seq);
      ssl_debug_printf("%s seq %" PRIu64"l" "u" "\n", G_STRFUNC((const char*) (__func__)), decoder->seq);
  }

  /* Set nonce and additional authentication data */
  gcry_cipher_reset(decoder->evp)gcry_cipher_ctl ((decoder->evp), GCRYCTL_RESET, ((void*)0)
, 0);
  ssl_print_data("nonce", nonce, 12);
  err = gcry_cipher_setiv(decoder->evp, nonce, 12);
  if (err) {
      ssl_debug_printf("%s failed to set nonce: %s\n", G_STRFUNC((const char*) (__func__)), gcry_strerror(err));
      return false0;
  }

  /* (D)TLS 1.2 needs specific AAD, TLS 1.3 (before -25) uses empty AAD. */
  if (is_cid) { /* if connection ID */
      if (ssl->session.deprecated_cid) {
          aad_len = 14 + cidl;
          aad = wmem_alloc(allocator, aad_len);
          phtonu64(aad, decoder->seq);         /* record sequence number */
          phtonu16(aad, decoder->epoch);       /* DTLS 1.2 includes epoch. */
          aad[8] = ct;                        /* TLSCompressed.type */
          phtonu16(aad + 9, record_version);   /* TLSCompressed.version */
          memcpy(aad + 11, cid, cidl);        /* cid */
          aad[11 + cidl] = cidl;              /* cid_length */
          phtonu16(aad + 12 + cidl, ciphertext_len);  /* TLSCompressed.length */
      } else {
          aad_len = 23 + cidl;
          aad = wmem_alloc(allocator, aad_len);
          memset(aad, 0xFF, 8);               /* seq_num_placeholder */
          aad[8] = ct;                        /* TLSCompressed.type */
          aad[9] = cidl;                      /* cid_length */
          aad[10] = ct;                       /* TLSCompressed.type */
          phtonu16(aad + 11, record_version);  /* TLSCompressed.version */
          phtonu64(aad + 13, decoder->seq);    /* record sequence number */
          phtonu16(aad + 13, decoder->epoch);  /* DTLS 1.2 includes epoch. */
          memcpy(aad + 21, cid, cidl);        /* cid */
          phtonu16(aad + 21 + cidl, ciphertext_len);  /* TLSCompressed.length */
      }
  } else if (is_v12) {
      aad_len = 13;
      aad = wmem_alloc(allocator, aad_len);
      phtonu64(aad, decoder->seq);         /* record sequence number */
      if (version == DTLSV1DOT2_VERSION0xfefd) {
          phtonu16(aad, decoder->epoch);   /* DTLS 1.2 includes epoch. */
      }
      aad[8] = ct;                        /* TLSCompressed.type */
      phtonu16(aad + 9, record_version);   /* TLSCompressed.version */
      phtonu16(aad + 11, ciphertext_len);  /* TLSCompressed.length */
  } else if (version == DTLSV1DOT3_VERSION0xfefc) {
      aad_len = decoder->dtls13_aad.data_len;
      aad = decoder->dtls13_aad.data;
  } else if (draft_version >= 25 || draft_version == 0) {
      aad_len = 5;
      aad = wmem_alloc(allocator, aad_len);
      aad[0] = ct;                        /* TLSCiphertext.opaque_type (23) */
      phtonu16(aad + 1, record_version);   /* TLSCiphertext.legacy_record_version (0x0303) */
      phtonu16(aad + 3, inl);              /* TLSCiphertext.length */
  }

  if (decoder->cipher_suite->mode == MODE_CCM || decoder->cipher_suite->mode == MODE_CCM_8) {
      /* size of plaintext, additional authenticated data and auth tag. */
      uint64_t lengths[3] = { ciphertext_len, aad_len, auth_tag_len };

      gcry_cipher_ctl(decoder->evp, GCRYCTL_SET_CCM_LENGTHS, lengths, sizeof(lengths));
  }

  if (aad && aad_len > 0) {
      ssl_print_data("AAD", aad, aad_len);
      err = gcry_cipher_authenticate(decoder->evp, aad, aad_len);
      if (err) {
          ssl_debug_printf("%s failed to set AAD: %s\n", G_STRFUNC((const char*) (__func__)), gcry_strerror(err));
          return false0;
      }
  }

  /* Decrypt now that nonce and AAD are set. */
  err = gcry_cipher_decrypt(decoder->evp, out_str->data, out_str->data_len, ciphertext, ciphertext_len);
  if (err) {
      ssl_debug_printf("%s decrypt failed: %s\n", G_STRFUNC((const char*) (__func__)), gcry_strerror(err));
      return false0;
  }

  /* Check authentication tag for authenticity (replaces MAC) */
  err = gcry_cipher_gettag(decoder->evp, auth_tag_calc, auth_tag_len);
  if (err == 0 && !memcmp(auth_tag_calc, auth_tag_wire, auth_tag_len)) {
      ssl_print_data("auth_tag(OK)", auth_tag_calc, auth_tag_len);
  } else {
      if (err) {
          ssl_debug_printf("%s cannot obtain tag: %s\n", G_STRFUNC((const char*) (__func__)), gcry_strerror(err));
      } else {
          ssl_debug_printf("%s auth tag mismatch\n", G_STRFUNC((const char*) (__func__)));
          ssl_print_data("auth_tag(expect)", auth_tag_calc, auth_tag_len);
          ssl_print_data("auth_tag(actual)", auth_tag_wire, auth_tag_len);
      }
      if (ignore_mac_failed) {
          ssl_debug_printf("%s: auth check failed, but ignored for troubleshooting ;-)\n", G_STRFUNC((const char*) (__func__)));
      } else {
          return false0;
      }
  }

  /*
   * Increment the (implicit) sequence number for TLS 1.2/1.3 and TLCP 1.1. This is done
   * after successful authentication to ensure that early data is skipped when
   * CLIENT_EARLY_TRAFFIC_SECRET keys are unavailable.
   */
  if (version == TLSV1DOT2_VERSION0x303 || version == TLSV1DOT3_VERSION0x304 || version == TLCPV1_VERSION0x101) {
      decoder->seq++;
  }

  ssl_print_data("Plaintext", out_str->data, ciphertext_len);
  *outl = ciphertext_len;
  return true1;
5782}

5784/* Record decryption glue based on security parameters {{{ */
5785/* Assume that we are called only for a non-NULL decoder which also means that
* we have a non-NULL decoder->cipher_suite. */
5787int
5788ssl_decrypt_record(wmem_allocator_t* allocator, SslDecryptSession *ssl, SslDecoder *decoder, uint8_t ct, uint16_t record_version,
      bool_Bool ignore_mac_failed,
      const unsigned char *in, uint16_t inl, const unsigned char *cid, uint8_t cidl,
      StringInfo *comp_str, StringInfo *out_str, unsigned *outl)
5792{
  unsigned   pad, worklen, uncomplen, maclen, mac_fraglen = 0;
  uint8_t *mac = NULL((void*)0), *mac_frag = NULL((void*)0);

  ssl_debug_printf("ssl_decrypt_record ciphertext len %d\n", inl);
  ssl_print_data("Ciphertext",in, inl);

  if (((ssl->session.version == TLSV1DOT3_VERSION0x304 || ssl->session.version == DTLSV1DOT3_VERSION0xfefc))
          != (decoder->cipher_suite->kex == KEX_TLS130x23)) {
      ssl_debug_printf("%s Invalid cipher suite for the protocol version!\n", G_STRFUNC((const char*) (__func__)));
      return -1;
  }

  /* ensure we have enough storage space for decrypted data */
  if (inl > out_str->data_len)
  {
      ssl_debug_printf("ssl_decrypt_record: allocating %d bytes for decrypt data (old len %d)\n",
              inl + 32, out_str->data_len);
      ssl_data_realloc(out_str, inl + 32);
  }

  /* AEAD ciphers (GenericAEADCipher in TLS 1.2; TLS 1.3) have no padding nor
   * a separate MAC, so use a different routine for simplicity. */
  if (decoder->cipher_suite->mode == MODE_GCM ||
      decoder->cipher_suite->mode == MODE_CCM ||
      decoder->cipher_suite->mode == MODE_CCM_8 ||
      decoder->cipher_suite->mode == MODE_POLY1305 ||
      ssl->session.version == TLSV1DOT3_VERSION0x304 ||
      ssl->session.version == DTLSV1DOT3_VERSION0xfefc) {

      if (!tls_decrypt_aead_record(allocator, ssl, decoder, ct, record_version, ignore_mac_failed, in, inl, cid, cidl, out_str, &worklen)) {
          /* decryption failed */
          return -1;
      }

      goto skip_mac;
  }

  /* RFC 6101/2246: SSLCipherText/TLSCipherText has two structures for types:
   * (notation: { unencrypted, [ encrypted ] })
   * GenericStreamCipher: { [content, mac] }
   * GenericBlockCipher: { IV (TLS 1.1+), [content, mac, padding, padding_len] }
   * RFC 5426 (TLS 1.2): TLSCipherText has additionally:
   * GenericAEADCipher: { nonce_explicit, [content] }
   * RFC 4347 (DTLS): based on TLS 1.1, only GenericBlockCipher is supported.
   * RFC 6347 (DTLS 1.2): based on TLS 1.2, includes GenericAEADCipher too.
   */

  maclen = ssl_cipher_suite_dig(decoder->cipher_suite)->len;

  /* (TLS 1.1 and later, DTLS) Extract explicit IV for GenericBlockCipher */
  if (decoder->cipher_suite->mode == MODE_CBC) {
      unsigned blocksize = 0;

      switch (ssl->session.version) {
      case TLSV1DOT1_VERSION0x302:
      case TLSV1DOT2_VERSION0x303:
      case DTLSV1DOT0_VERSION0xfeff:
      case DTLSV1DOT2_VERSION0xfefd:
      case DTLSV1DOT3_VERSION0xfefc:
      case DTLSV1DOT0_OPENSSL_VERSION0x100:
      case TLCPV1_VERSION0x101:
          blocksize = ssl_get_cipher_blocksize(decoder->cipher_suite);
          if (inl < blocksize) {
              ssl_debug_printf("ssl_decrypt_record failed: input %d has no space for IV %d\n",
                      inl, blocksize);
              return -1;
          }
          pad = gcry_cipher_setiv(decoder->evp, in, blocksize);
          if (pad != 0) {
              ssl_debug_printf("ssl_decrypt_record failed: failed to set IV: %s %s\n",
                      gcry_strsource (pad), gcry_strerror (pad));
          }

          inl -= blocksize;
          in += blocksize;
          break;
      }

      /* Encrypt-then-MAC for (D)TLS (RFC 7366) */
      if (ssl->state & SSL_ENCRYPT_THEN_MAC(1<<11)) {
          /*
           * MAC is calculated over (IV + ) ENCRYPTED contents:
           *
           *      MAC(MAC_write_key, ... +
           *          IV +       // for TLS 1.1 or greater
           *          TLSCiphertext.enc_content);
           */
          if (inl < maclen) {
              ssl_debug_printf("%s failed: input %d has no space for MAC %d\n",
                               G_STRFUNC((const char*) (__func__)), inl, maclen);
              return -1;
          }
          inl -= maclen;
          mac = (uint8_t *)in + inl;
          mac_frag = (uint8_t *)in - blocksize;
          mac_fraglen = blocksize + inl;
      }
  }

  /* First decrypt*/
  if ((pad = ssl_cipher_decrypt(&decoder->evp, out_str->data, out_str->data_len, in, inl)) != 0) {
      ssl_debug_printf("ssl_decrypt_record failed: ssl_cipher_decrypt: %s %s\n", gcry_strsource (pad),
                  gcry_strerror (pad));
      return -1;
  }

  ssl_print_data("Plaintext", out_str->data, inl);
  worklen=inl;


  /* strip padding for GenericBlockCipher */
  if (decoder->cipher_suite->mode == MODE_CBC) {
      if (inl < 1) { /* Should this check happen earlier? */
          ssl_debug_printf("ssl_decrypt_record failed: input length %d too small\n", inl);
          return -1;
      }
      pad=out_str->data[inl-1];
      if (worklen <= pad) {
          ssl_debug_printf("ssl_decrypt_record failed: padding %d too large for work %d\n",
              pad, worklen);
          return -1;
      }
      worklen-=(pad+1);
      ssl_debug_printf("ssl_decrypt_record found padding %d final len %d\n",
          pad, worklen);
  }

  /* MAC for GenericStreamCipher and GenericBlockCipher.
   * (normal case without Encrypt-then-MAC (RFC 7366) extension. */
  if (!mac) {
      /*
       * MAC is calculated over the DECRYPTED contents:
       *
       *      MAC(MAC_write_key, ... + TLSCompressed.fragment);
       */
      if (worklen < maclen) {
          ssl_debug_printf("%s wrong record len/padding outlen %d\n work %d\n", G_STRFUNC((const char*) (__func__)), *outl, worklen);
          return -1;
      }
      worklen -= maclen;
      mac = out_str->data + worklen;
      mac_frag = out_str->data;
      mac_fraglen = worklen;
  }

  /* If NULL encryption active and no keys are available, do not bother
   * checking the MAC. We do not have keys for that. */
  if (decoder->cipher_suite->mode == MODE_STREAM &&
          decoder->cipher_suite->enc == ENC_NULL0x3D &&
          !(ssl->state & SSL_MASTER_SECRET(1<<5))) {
      ssl_debug_printf("MAC check skipped due to missing keys\n");
      decoder->seq++; // Increment this for display
      goto skip_mac;
  }

  /* Now check the MAC */
  ssl_debug_printf("checking mac (len %d, version %X, ct %d seq %" PRIu64"l" "u" ")\n",
      worklen, ssl->session.version, ct, decoder->seq);
  if(ssl->session.version==SSLV3_VERSION0x300){
      if(ssl3_check_mac(decoder,ct,mac_frag,mac_fraglen,mac) < 0) {
          if(ignore_mac_failed) {
              ssl_debug_printf("ssl_decrypt_record: mac failed, but ignored for troubleshooting ;-)\n");
          }
          else{
              ssl_debug_printf("ssl_decrypt_record: mac failed\n");
              return -1;
          }
      }
      else{
          ssl_debug_printf("ssl_decrypt_record: mac ok\n");
      }
  }
  else if(ssl->session.version==TLSV1_VERSION0x301 || ssl->session.version==TLSV1DOT1_VERSION0x302 || ssl->session.version==TLSV1DOT2_VERSION0x303 || ssl->session.version==TLCPV1_VERSION0x101){
      if(tls_check_mac(decoder,ct,ssl->session.version,mac_frag,mac_fraglen,mac)< 0) {
          if(ignore_mac_failed) {
              ssl_debug_printf("ssl_decrypt_record: mac failed, but ignored for troubleshooting ;-)\n");
          }
          else{
              ssl_debug_printf("ssl_decrypt_record: mac failed\n");
              return -1;
          }
      }
      else{
          ssl_debug_printf("ssl_decrypt_record: mac ok\n");
      }
  }
  else if(ssl->session.version==DTLSV1DOT0_VERSION0xfeff ||
      ssl->session.version==DTLSV1DOT2_VERSION0xfefd ||
      ssl->session.version==DTLSV1DOT0_OPENSSL_VERSION0x100){
      /* Try rfc-compliant mac first, and if failed, try old openssl's non-rfc-compliant mac */
      if(dtls_check_mac(ssl,decoder,ct,mac_frag,mac_fraglen,mac,cid,cidl)>= 0) {
          ssl_debug_printf("ssl_decrypt_record: mac ok\n");
      }
      else if(tls_check_mac(decoder,ct,TLSV1_VERSION0x301,mac_frag,mac_fraglen,mac)>= 0) {
          ssl_debug_printf("ssl_decrypt_record: dtls rfc-compliant mac failed, but old openssl's non-rfc-compliant mac ok\n");
      }
      else if(ignore_mac_failed) {
          ssl_debug_printf("ssl_decrypt_record: mac failed, but ignored for troubleshooting ;-)\n");
      }
      else{
          ssl_debug_printf("ssl_decrypt_record: mac failed\n");
          return -1;
      }
  }
5997skip_mac:

  *outl = worklen;

  if (decoder->compression > 0) {
      ssl_debug_printf("ssl_decrypt_record: compression method %d\n", decoder->compression);
      ssl_data_copy(comp_str, out_str);
      ssl_print_data("Plaintext compressed", comp_str->data, worklen);
      if (!decoder->decomp) {
          ssl_debug_printf("decrypt_ssl3_record: no decoder available\n");
          return -1;
      }
      if (ssl_decompress_record(decoder->decomp, comp_str->data, worklen, out_str, &uncomplen) < 0) return -1;
      ssl_print_data("Plaintext uncompressed", out_str->data, uncomplen);
      *outl = uncomplen;
  }

  return 0;
6015}
6016/* Record decryption glue based on security parameters }}} */



6020#ifdef HAVE_LIBGNUTLS1

6022/* RSA private key file processing {{{ */
6023static void
6024ssl_find_private_key_by_pubkey(SslDecryptSession *ssl,
                             const gnutls_datum_t *subjectPublicKeyInfo)
6026{
  gnutls_pubkey_t pubkey = NULL((void*)0);
  cert_key_id_t key_id;
  size_t key_id_len = sizeof(key_id);
  int r;

  if (!subjectPublicKeyInfo->size) {
      ssl_debug_printf("%s: could not find SubjectPublicKeyInfo\n", G_STRFUNC((const char*) (__func__)));
      return;
  }

  r = gnutls_pubkey_init(&pubkey);
  if (r < 0) {
      ssl_debug_printf("%s: failed to init pubkey: %s\n",
              G_STRFUNC((const char*) (__func__)), gnutls_strerror(r));
      return;
  }

  r = gnutls_pubkey_import(pubkey, subjectPublicKeyInfo, GNUTLS_X509_FMT_DER);
  if (r < 0) {
      ssl_debug_printf("%s: failed to import pubkey from handshake: %s\n",
              G_STRFUNC((const char*) (__func__)), gnutls_strerror(r));
      goto end;
  }

  if (gnutls_pubkey_get_pk_algorithm(pubkey, NULL((void*)0)) != GNUTLS_PK_RSA) {
      ssl_debug_printf("%s: Not a RSA public key - ignoring.\n", G_STRFUNC((const char*) (__func__)));
      goto end;
  }

  /* Generate a 20-byte SHA-1 hash. */
  r = gnutls_pubkey_get_key_id(pubkey, 0, key_id.key_id, &key_id_len);
  if (r < 0) {
      ssl_debug_printf("%s: failed to extract key id from pubkey: %s\n",
              G_STRFUNC((const char*) (__func__)), gnutls_strerror(r));
      goto end;
  }

  if (key_id_len != sizeof(key_id)) {
      ssl_debug_printf("%s: expected Key ID size %zu, got %zu\n",
              G_STRFUNC((const char*) (__func__)), sizeof(key_id), key_id_len);
      goto end;
  }

  ssl_print_data("Certificate.KeyID", key_id.key_id, key_id_len);
  ssl->cert_key_id = wmem_new(wmem_file_scope(), cert_key_id_t)((cert_key_id_t*)wmem_alloc((wmem_file_scope()), sizeof(cert_key_id_t
)));
  *ssl->cert_key_id = key_id;

6074end:
  gnutls_pubkey_deinit(pubkey);
6076}

6078/* RSA private key file processing }}} */
6079#endif  /* HAVE_LIBGNUTLS */

6081/*--- Start of dissector-related code below ---*/

6083/* This is not a "protocol" but ensures that this gets called during
* the handoff stage. */
6085void proto_reg_handoff_tls_utils(void);

6087static dissector_handle_t base_tls_handle;
6088static dissector_handle_t dtls_handle;

6090void
6091proto_reg_handoff_tls_utils(void)
6092{
  base_tls_handle = find_dissector("tls");
  dtls_handle = find_dissector("dtls");
6095}

6097/* Look up an existing SslDecryptSession without creating one. Returns NULL if
* no session exists. */
6099SslDecryptSession *
6100tls_get_session(conversation_t *conversation, int proto_ssl, uint8_t curr_layer_num)
6101{
  void       *conv_data;
  wmem_map_t *session_map;

  if (!conversation)
      return NULL((void*)0);

  conv_data = conversation_get_proto_data(conversation, proto_ssl);
  if (conv_data == NULL((void*)0))
      return NULL((void*)0);

  session_map = (wmem_map_t *)conv_data;

  return (SslDecryptSession *)wmem_map_lookup(session_map,
              GUINT_TO_POINTER((unsigned)curr_layer_num)((gpointer) (gulong) ((unsigned)curr_layer_num)));

6117}

6119/* get ssl data for this session. if no ssl data is found allocate a new one*/
6120SslDecryptSession *
6121ssl_get_session(conversation_t *conversation, dissector_handle_t tls_handle, uint8_t curr_layer_num)
6122{
  void               *conv_data;
  SslDecryptSession  *ssl_session;
  int                 proto_ssl;
  wmem_map_t         *session_map;

  /* Note proto_ssl is tls for either the main tls_handle or the
   * tls13_handshake handle used by QUIC. */
  proto_ssl = dissector_handle_get_protocol_index(tls_handle);
  conv_data = conversation_get_proto_data(conversation, proto_ssl);

  /* For nested TLS support, we store a wmem map of sessions indexed by layer number.
   * Using wmem_file_scope ensures the map is freed when the capture file is closed,
   * preventing memory leaks on capture reload. */
  if (conv_data != NULL((void*)0)) {
      session_map = (wmem_map_t *)conv_data;
      ssl_session = (SslDecryptSession *)wmem_map_lookup(session_map, GUINT_TO_POINTER((unsigned)curr_layer_num)((gpointer) (gulong) ((unsigned)curr_layer_num)));
      if (ssl_session != NULL((void*)0)) {
          return ssl_session;
      }
  } else {
      /* Create a new wmem map to store sessions by layer number */
      session_map = wmem_map_new(wmem_file_scope(), g_direct_hash, g_direct_equal);
      conversation_add_proto_data(conversation, proto_ssl, session_map);
  }

  /* no previous SSL conversation info for this layer, initialize it. */
  ssl_session = wmem_new0(wmem_file_scope(), SslDecryptSession)((SslDecryptSession*)wmem_alloc0((wmem_file_scope()), sizeof(
SslDecryptSession)));

  /* data_len is the part that is meaningful, not the allocated length */
  ssl_session->master_secret.data_len = 0;
  ssl_session->master_secret.data = ssl_session->_master_secret;
  ssl_session->session_id.data_len = 0;
  ssl_session->session_id.data = ssl_session->_session_id;
  ssl_session->client_random.data_len = 0;
  ssl_session->client_random.data = ssl_session->_client_random;
  ssl_session->server_random.data_len = 0;
  ssl_session->server_random.data = ssl_session->_server_random;
  ssl_session->session_ticket.data_len = 0;
  ssl_session->session_ticket.data = NULL((void*)0); /* will be re-alloced as needed */
  ssl_session->server_data_for_iv.data_len = 0;
  ssl_session->server_data_for_iv.data = ssl_session->_server_data_for_iv;
  ssl_session->client_data_for_iv.data_len = 0;
  ssl_session->client_data_for_iv.data = ssl_session->_client_data_for_iv;
  ssl_session->app_data_segment.data = NULL((void*)0);
  ssl_session->app_data_segment.data_len = 0;
  ssl_session->handshake_data.data=NULL((void*)0);
  ssl_session->handshake_data.data_len=0;
  ssl_session->ech_transcript.data=NULL((void*)0);
  ssl_session->ech_transcript.data_len=0;

  /* Initialize parameters which are not necessary specific to decryption. */
  ssl_session->session.version = SSL_VER_UNKNOWN0;
  clear_address(&ssl_session->session.srv_addr);
  ssl_session->session.srv_ptype = PT_NONE;
  ssl_session->session.srv_port = 0;
  ssl_session->session.dtls13_current_epoch[0] = ssl_session->session.dtls13_current_epoch[1] = 0;
  ssl_session->session.dtls13_next_seq_num[0] = ssl_session->session.dtls13_next_seq_num[1] = 0;
  ssl_session->session.client_random.data_len = 0;
  ssl_session->session.client_random.data = ssl_session->session._client_random;
  memset(ssl_session->session.ech_confirmation, 0, sizeof(ssl_session->session.ech_confirmation));
  memset(ssl_session->session.hrr_ech_confirmation, 0, sizeof(ssl_session->session.hrr_ech_confirmation));
  memset(ssl_session->session.first_ech_auth_tag, 0, sizeof(ssl_session->session.first_ech_auth_tag));
  ssl_session->session.ech = false0;
  ssl_session->session.hrr_ech_declined = false0;
  ssl_session->session.first_ch_ech_frame = 0;

  /* We want to increment the stream count for the normal tls handle and
   * dtls handle, but presumably not for the tls13_handshake handle used
   * by QUIC (it has its own Follow Stream handling, and the QUIC stream
   * doesn't get sent to the TLS follow tap.)
   */
  if (tls_handle == base_tls_handle) {
      ssl_session->session.stream = tls_increment_stream_count();
  } else if (tls_handle == dtls_handle) {
      ssl_session->session.stream = dtls_increment_stream_count();
  }

  /* Store the session in the wmem map indexed by layer number */
  wmem_map_insert(session_map, GUINT_TO_POINTER((unsigned)curr_layer_num)((gpointer) (gulong) ((unsigned)curr_layer_num)), ssl_session);

  return ssl_session;
6204}

6206void ssl_reset_session(SslSession *session, SslDecryptSession *ssl, bool_Bool is_client)
6207{
  if (ssl) {
      /* Ensure that secrets are not restored using stale identifiers. Split
       * between client and server in case the packets somehow got out of order. */
      int clear_flags = SSL_HAVE_SESSION_KEY(1<<3) | SSL_MASTER_SECRET(1<<5) | SSL_PRE_MASTER_SECRET(1<<6);

      if (is_client) {
          clear_flags |= SSL_CLIENT_EXTENDED_MASTER_SECRET(1<<7);
          ssl->session_id.data_len = 0;
          ssl->session_ticket.data_len = 0;
          ssl->master_secret.data_len = 0;
          ssl->client_random.data_len = 0;
          ssl->has_early_data = false0;
          if (ssl->handshake_data.data_len > 0) {
              // The EMS handshake hash starts with at the Client Hello,
              // ensure that any messages before it are forgotten.
              wmem_free(wmem_file_scope(), ssl->handshake_data.data);
              ssl->handshake_data.data = NULL((void*)0);
              ssl->handshake_data.data_len = 0;
          }
      } else {
          clear_flags |= SSL_SERVER_EXTENDED_MASTER_SECRET(1<<8) | SSL_NEW_SESSION_TICKET(1<<10);
          ssl->server_random.data_len = 0;
          ssl->pre_master_secret.data_len = 0;
6231#ifdef HAVE_LIBGNUTLS1
          ssl->cert_key_id = NULL((void*)0);
6233#endif
          ssl->has_psk = false0;
          ssl->has_key_share = false0;
          // There is no point in clearing the PSK when resetting the session,
          // we only store one global PSK in the prefs.
          //ssl->psk.data_len = 0;
      }

      if (ssl->state & clear_flags) {
          ssl_debug_printf("%s detected renegotiation, clearing 0x%02x (%s side)\n",
                  G_STRFUNC((const char*) (__func__)), ssl->state & clear_flags, is_client ? "client" : "server");
          ssl->state &= ~clear_flags;
      }
  }

  /* These flags might be used for non-decryption purposes and may affect the
   * dissection, so reset them as well. */
  if (is_client) {
      session->client_cert_type = 0;
  } else {
      session->compression = 0;
      session->server_cert_type = 0;
      /* session->is_session_resumed is already handled in the ServerHello dissection. */
  }
  session->dtls13_next_seq_num[0] = session->dtls13_next_seq_num[1] = 0;
  session->dtls13_current_epoch[0] = session->dtls13_current_epoch[1] = 0;
6259}

6261void
6262tls_set_appdata_dissector(dissector_handle_t tls_handle, packet_info *pinfo,
                        dissector_handle_t app_handle)
6264{
  conversation_t  *conversation;
  SslSession      *session;
  int             proto = dissector_handle_get_protocol_index(tls_handle);
  uint8_t         curr_layer_num = p_get_proto_depth(pinfo, proto);

  /* Ignore if the TLS or other dissector is disabled. */
  if (!tls_handle || !app_handle)
      return;

  conversation = find_or_create_conversation(pinfo);
  session = &ssl_get_session(conversation, tls_handle, curr_layer_num)->session;
  session->app_handle = app_handle;
6277}

6279static uint32_t
6280ssl_starttls(dissector_handle_t tls_handle, packet_info *pinfo,
               dissector_handle_t app_handle, uint32_t last_nontls_frame)
6282{
  conversation_t  *conversation;
  SslSession      *session;
  int             proto = dissector_handle_get_protocol_index(tls_handle);
  uint8_t         curr_layer_num = p_get_proto_depth(pinfo, proto);

  /* Ignore if the TLS dissector is disabled. */
  if (!tls_handle)
      return 0;
  /* The caller should always pass a valid handle to its own dissector. */
  DISSECTOR_ASSERT(app_handle)((void) ((app_handle) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 6292, "app_handle"))));

  conversation = find_or_create_conversation(pinfo);
  session = &ssl_get_session(conversation, tls_handle, curr_layer_num)->session;

  ssl_debug_printf("%s: old frame %d, app_handle=%p (%s)\n", G_STRFUNC((const char*) (__func__)),
                   session->last_nontls_frame,
                   (void *)session->app_handle,
                   dissector_handle_get_dissector_name(session->app_handle));
  ssl_debug_printf("%s: current frame %d, app_handle=%p (%s)\n", G_STRFUNC((const char*) (__func__)),
                   pinfo->num, (void *)app_handle,
                   dissector_handle_get_dissector_name(app_handle));

  /* Do not switch again if a dissector did it before. */
  if (session->last_nontls_frame) {
      ssl_debug_printf("%s: not overriding previous app handle!\n", G_STRFUNC((const char*) (__func__)));
      return session->last_nontls_frame;
  }

  session->app_handle = app_handle;
  /* The TLS dissector should be called first for this conversation. */
  conversation_set_dissector(conversation, tls_handle);
  /* TLS starts after this frame. */
  session->last_nontls_frame = last_nontls_frame;
  return 0;
6317}

6319/* ssl_starttls_ack: mark future frames as encrypted. */
6320uint32_t
6321ssl_starttls_ack(dissector_handle_t tls_handle, packet_info *pinfo,
               dissector_handle_t app_handle)
6323{
  return ssl_starttls(tls_handle, pinfo, app_handle, pinfo->num);
6325}

6327uint32_t
6328ssl_starttls_post_ack(dissector_handle_t tls_handle, packet_info *pinfo,
               dissector_handle_t app_handle)
6330{
  return ssl_starttls(tls_handle, pinfo, app_handle, pinfo->num - 1);
6332}

6334dissector_handle_t
6335ssl_find_appdata_dissector(const char *name)
6336{
  /* Accept 'http' for backwards compatibility and sanity. */
  if (!strcmp(name, "http"))
      name = "http-over-tls";
  /* XXX - Should this check to see if the dissector is actually added for
   * Decode As in the appropriate table?
   */
  return find_dissector(name);
6344}

6346/* Functions for TLS/DTLS sessions and RSA private keys hashtables. {{{ */
6347static int
6348ssl_equal (const void *v, const void *v2)
6349{
  const StringInfo *val1;
  const StringInfo *val2;
  val1 = (const StringInfo *)v;
  val2 = (const StringInfo *)v2;

  if (val1->data_len == val2->data_len &&
      !memcmp(val1->data, val2->data, val2->data_len)) {
      return 1;
  }
  return 0;
6360}

6362static unsigned
6363ssl_hash(const void *v)
6364{
  const StringInfo* id;
  id = (const StringInfo*) v;

  return wmem_strong_hash(id->data, id->data_len);
6369}
6370/* Functions for TLS/DTLS sessions and RSA private keys hashtables. }}} */

6372/* Handling of association between tls/dtls ports and clear text protocol. {{{ */
6373void
6374ssl_association_add(const char* dissector_table_name, dissector_handle_t main_handle, dissector_handle_t subdissector_handle, unsigned port, bool_Bool tcp)
6375{
  DISSECTOR_ASSERT(main_handle)((void) ((main_handle) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 6376, "main_handle"))));
  DISSECTOR_ASSERT(subdissector_handle)((void) ((subdissector_handle) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 6377, "subdissector_handle"))));
  /* Registration is required for Export PDU feature to work properly. */
  DISSECTOR_ASSERT_HINT(dissector_handle_get_dissector_name(subdissector_handle),((void) ((dissector_handle_get_dissector_name(subdissector_handle
)) ? (void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\" (%s)"
, "epan/dissectors/packet-tls-utils.c", 6380, "dissector_handle_get_dissector_name(subdissector_handle)"
, "SSL appdata dissectors must register with register_dissector()!"
))))
          "SSL appdata dissectors must register with register_dissector()!")((void) ((dissector_handle_get_dissector_name(subdissector_handle
)) ? (void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\" (%s)"
, "epan/dissectors/packet-tls-utils.c", 6380, "dissector_handle_get_dissector_name(subdissector_handle)"
, "SSL appdata dissectors must register with register_dissector()!"
))));
  ssl_debug_printf("association_add %s port %d handle %p\n", dissector_table_name, port, (void *)subdissector_handle);

  if (port) {
      dissector_add_uint(dissector_table_name, port, subdissector_handle);
      if (tcp)
          dissector_add_uint("tcp.port", port, main_handle);
      else
          dissector_add_uint("udp.port", port, main_handle);
      dissector_add_uint("sctp.port", port, main_handle);
  } else {
      dissector_add_for_decode_as(dissector_table_name, subdissector_handle);
  }
6393}

6395void
6396ssl_association_remove(const char* dissector_table_name, dissector_handle_t main_handle, dissector_handle_t subdissector_handle, unsigned port, bool_Bool tcp)
6397{
  ssl_debug_printf("ssl_association_remove removing %s %u - handle %p\n",
                   tcp?"TCP":"UDP", port, (void *)subdissector_handle);
  if (main_handle) {
      dissector_delete_uint(tcp?"tcp.port":"udp.port", port, main_handle);
      dissector_delete_uint("sctp.port", port, main_handle);
  }

  if (port) {
      dissector_delete_uint(dissector_table_name, port, subdissector_handle);
  }
6408}

6410void
6411ssl_set_server(SslSession *session, address *addr, port_type ptype, uint32_t port)
6412{
  copy_address_wmem(wmem_file_scope(), &session->srv_addr, addr);
  session->srv_ptype = ptype;
  session->srv_port = port;
6416}

6418int
6419ssl_packet_from_server(SslSession *session, dissector_table_t table, const packet_info *pinfo)
6420{
  int ret;
  if (session && session->srv_addr.type != AT_NONE) {
      ret = (session->srv_ptype == pinfo->ptype) &&
            (session->srv_port == pinfo->srcport) &&
            addresses_equal(&session->srv_addr, &pinfo->src);
  } else {
      ret = (dissector_get_uint_handle(table, pinfo->srcport) != 0);
  }

  ssl_debug_printf("packet_from_server: is from server - %s\n", (ret)?"TRUE":"FALSE");
  return ret;
6432}
6433/* Handling of association between tls/dtls ports and clear text protocol. }}} */


6436/* Links SSL records with the real packet data. {{{ */
6437SslPacketInfo *
6438tls_add_packet_info(int proto, packet_info *pinfo, uint8_t curr_layer_num_ssl)
6439{
  SslPacketInfo *pi = (SslPacketInfo *)p_get_proto_data(wmem_file_scope(), pinfo, proto, curr_layer_num_ssl);
  if (!pi) {
      pi = wmem_new0(wmem_file_scope(), SslPacketInfo)((SslPacketInfo*)wmem_alloc0((wmem_file_scope()), sizeof(SslPacketInfo
)));
      pi->srcport = pinfo->srcport;
      pi->destport = pinfo->destport;
      conversation_t *conv = find_or_create_conversation_strat(pinfo);
      SslDecryptSession *ssl_session = tls_get_session(conv, proto, curr_layer_num_ssl);
      if (ssl_session) {
          /* This can also be called by the QUIC TLS1.3 handshake only
           * dissector. That is not associated with a session, or a stream,
           * and doesn't need the information for Follow or Decode As. */
          pi->stream = ssl_session->session.stream;
      }
      p_add_proto_data(wmem_file_scope(), pinfo, proto, curr_layer_num_ssl, pi);
  }

  return pi;
6457}

6459/**
* Remembers the decrypted TLS record fragment (TLSInnerPlaintext in TLS 1.3) to
* avoid the need for a decoder in the second pass. Additionally, it remembers
* sequence numbers (for reassembly and Follow TLS Stream).
*
* @param proto The protocol identifier (proto_ssl or proto_dtls).
* @param pinfo The packet where the record originates from.
* @param plain_data Decrypted plaintext to store in the record.
* @param plain_data_len Total length of the plaintext.
* @param content_len Length of the plaintext section corresponding to the record content.
* @param record_id The identifier for this record within the current packet.
* @param flow Information about sequence numbers, etc.
* @param type TLS Content Type (such as handshake or application_data).
* @param curr_layer_num_ssl The layer identifier for this TLS session.
*/
6474void
6475ssl_add_record_info(int proto, packet_info *pinfo,
                  const unsigned char *plain_data, int plain_data_len, int content_len,
                  int record_id, SslFlow *flow, ContentType type, uint8_t curr_layer_num_ssl,
                  uint64_t record_seq)
6479{
  SslRecordInfo* rec, **prec;
  SslPacketInfo *pi = tls_add_packet_info(proto, pinfo, curr_layer_num_ssl);

  ws_assert(content_len <= plain_data_len)do { if ((1) && !(content_len <= plain_data_len)) ws_log_fatal_full
("", LOG_LEVEL_ERROR, "epan/dissectors/packet-tls-utils.c", 6483
, __func__, "assertion failed: %s", "content_len <= plain_data_len"
); } while (0);

  rec = wmem_new(wmem_file_scope(), SslRecordInfo)((SslRecordInfo*)wmem_alloc((wmem_file_scope()), sizeof(SslRecordInfo
)));
  rec->plain_data = (unsigned char *)wmem_memdup(wmem_file_scope(), plain_data, plain_data_len);
  rec->plain_data_len = plain_data_len;
  rec->content_len = content_len;
  rec->id = record_id;
  rec->type = type;
  rec->next = NULL((void*)0);
  rec->record_seq = record_seq;

  if (flow && type == SSL_ID_APP_DATA) {
      rec->seq = flow->byte_seq;
      rec->flow = flow;
      flow->byte_seq += content_len;
      ssl_debug_printf("%s stored decrypted record seq=%d nxtseq=%d flow=%p\n",
                       G_STRFUNC((const char*) (__func__)), rec->seq, rec->seq + content_len, (void*)flow);
  }

  /* Remember decrypted records. */
  prec = &pi->records;
  while (*prec) prec = &(*prec)->next;
  *prec = rec;
6506}

6508/* search in packet data for the specified id; return a newly created tvb for the associated data */
6509tvbuff_t*
6510ssl_get_record_info(tvbuff_t *parent_tvb, int proto, packet_info *pinfo, int record_id, uint8_t curr_layer_num_ssl, SslRecordInfo **matched_record)
6511{
  SslRecordInfo* rec;
  SslPacketInfo* pi;
  pi = (SslPacketInfo *)p_get_proto_data(wmem_file_scope(), pinfo, proto, curr_layer_num_ssl);

  if (!pi)
      return NULL((void*)0);

  for (rec = pi->records; rec; rec = rec->next)
      if (rec->id == record_id) {
          *matched_record = rec;
          /* link new real_data_tvb with a parent tvb so it is freed when frame dissection is complete */
          return tvb_new_child_real_data(parent_tvb, rec->plain_data, rec->plain_data_len, rec->plain_data_len);
      }

  return NULL((void*)0);
6527}
6528/* Links SSL records with the real packet data. }}} */

6530/* initialize/reset per capture state data (ssl sessions cache). {{{ */
6531void
6532ssl_common_init(ssl_master_key_map_t *mk_map,
              StringInfo *decrypted_data, StringInfo *compressed_data)
6534{
  mk_map->session = g_hash_table_new(ssl_hash, ssl_equal);
  mk_map->tickets = g_hash_table_new(ssl_hash, ssl_equal);
  mk_map->crandom = g_hash_table_new(ssl_hash, ssl_equal);
  mk_map->pre_master = g_hash_table_new(ssl_hash, ssl_equal);
  mk_map->pms = g_hash_table_new(ssl_hash, ssl_equal);
  mk_map->tls13_client_early = g_hash_table_new(ssl_hash, ssl_equal);
  mk_map->tls13_client_handshake = g_hash_table_new(ssl_hash, ssl_equal);
  mk_map->tls13_server_handshake = g_hash_table_new(ssl_hash, ssl_equal);
  mk_map->tls13_client_appdata = g_hash_table_new(ssl_hash, ssl_equal);
  mk_map->tls13_server_appdata = g_hash_table_new(ssl_hash, ssl_equal);
  mk_map->tls13_early_exporter = g_hash_table_new(ssl_hash, ssl_equal);
  mk_map->tls13_exporter = g_hash_table_new(ssl_hash, ssl_equal);

  mk_map->ech_secret = g_hash_table_new(ssl_hash, ssl_equal);
  mk_map->ech_config = g_hash_table_new(ssl_hash, ssl_equal);

  mk_map->used_crandom = g_hash_table_new(ssl_hash, ssl_equal);

  ssl_data_alloc(decrypted_data, 32);
  ssl_data_alloc(compressed_data, 32);
6555}

6557void
6558ssl_common_cleanup(ssl_master_key_map_t *mk_map, FILE **ssl_keylog_file,
                 StringInfo *decrypted_data, StringInfo *compressed_data)
6560{
  g_hash_table_destroy(mk_map->session);
  g_hash_table_destroy(mk_map->tickets);
  g_hash_table_destroy(mk_map->crandom);
  g_hash_table_destroy(mk_map->pre_master);
  g_hash_table_destroy(mk_map->pms);
  g_hash_table_destroy(mk_map->tls13_client_early);
  g_hash_table_destroy(mk_map->tls13_client_handshake);
  g_hash_table_destroy(mk_map->tls13_server_handshake);
  g_hash_table_destroy(mk_map->tls13_client_appdata);
  g_hash_table_destroy(mk_map->tls13_server_appdata);
  g_hash_table_destroy(mk_map->tls13_early_exporter);
  g_hash_table_destroy(mk_map->tls13_exporter);

  g_hash_table_destroy(mk_map->ech_secret);
  g_hash_table_destroy(mk_map->ech_config);

  g_hash_table_destroy(mk_map->used_crandom);

  g_free(decrypted_data->data)(__builtin_object_size ((decrypted_data->data), 0) != ((size_t
) - 1)) ? g_free_sized (decrypted_data->data, __builtin_object_size
 ((decrypted_data->data), 0)) : (g_free) (decrypted_data->
data);
  g_free(compressed_data->data)(__builtin_object_size ((compressed_data->data), 0) != ((size_t
) - 1)) ? g_free_sized (compressed_data->data, __builtin_object_size
 ((compressed_data->data), 0)) : (g_free) (compressed_data
->data);

  /* close the previous keylog file now that the cache are cleared, this
   * allows the cache to be filled with the full keylog file contents. */
  if (*ssl_keylog_file) {
      fclose(*ssl_keylog_file);
      *ssl_keylog_file = NULL((void*)0);
  }
6588}
6589/* }}} */

6591/* parse ssl related preferences (private keys and ports association strings) */
6592#if defined(HAVE_LIBGNUTLS1)
6593/* Load a single RSA key file item from preferences. {{{ */
6594void
6595ssl_parse_key_list(const ssldecrypt_assoc_t *uats, GHashTable *key_hash, const char* dissector_table_name, dissector_handle_t main_handle, bool_Bool tcp)
6596{
  gnutls_x509_privkey_t x509_priv_key;
  gnutls_privkey_t   priv_key = NULL((void*)0);
  FILE*              fp     = NULL((void*)0);
  int                ret;
  size_t             key_id_len = 20;
  unsigned char     *key_id = NULL((void*)0);
  char              *err = NULL((void*)0);
  dissector_handle_t handle;
  /* try to load keys file first */
  fp = ws_fopenfopen(uats->keyfile, "rb");
  if (!fp) {
      report_open_failure(uats->keyfile, errno(*__errno_location ()), false0);
      return;
  }

  if ((int)strlen(uats->password) == 0) {
      x509_priv_key = rsa_load_pem_key(fp, &err);
  } else {
      x509_priv_key = rsa_load_pkcs12(fp, uats->password, &err);
  }
  fclose(fp);

  if (!x509_priv_key) {
      if (err) {
          report_failure("Can't load private key from %s: %s",
                         uats->keyfile, err);
          g_free(err)(__builtin_object_size ((err), 0) != ((size_t) - 1)) ? g_free_sized
 (err, __builtin_object_size ((err), 0)) : (g_free) (err);
      } else
          report_failure("Can't load private key from %s: unknown error",
                         uats->keyfile);
      return;
  }
  if (err) {
      report_failure("Load of private key from %s \"succeeded\" with error %s",
                     uats->keyfile, err);
      g_free(err)(__builtin_object_size ((err), 0) != ((size_t) - 1)) ? g_free_sized
 (err, __builtin_object_size ((err), 0)) : (g_free) (err);
  }

  gnutls_privkey_init(&priv_key);
  ret = gnutls_privkey_import_x509(priv_key, x509_priv_key,
          GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE|GNUTLS_PRIVKEY_IMPORT_COPY);
  if (ret < 0) {
      report_failure("Can't convert private key %s: %s",
              uats->keyfile, gnutls_strerror(ret));
      goto end;
  }

  key_id = (unsigned char *) g_malloc0(key_id_len);
  ret = gnutls_x509_privkey_get_key_id(x509_priv_key, 0, key_id, &key_id_len);
  if (ret < 0) {
      report_failure("Can't calculate public key ID for %s: %s",
              uats->keyfile, gnutls_strerror(ret));
      goto end;
  }
  ssl_print_data("KeyID", key_id, key_id_len);
  if (key_id_len != 20) {
      report_failure("Expected Key ID size %u for %s, got %zu", 20,
              uats->keyfile, key_id_len);
      goto end;
  }

  g_hash_table_replace(key_hash, key_id, priv_key);
  key_id = NULL((void*)0); /* used in key_hash, do not free. */
  priv_key = NULL((void*)0);
  ssl_debug_printf("ssl_init private key file %s successfully loaded.\n", uats->keyfile);

  handle = ssl_find_appdata_dissector(uats->protocol);
  if (handle) {
      /* Port to subprotocol mapping */
      uint16_t port = 0;
      if (ws_strtou16(uats->port, NULL((void*)0), &port)) {
          if (port > 0) {
              ssl_debug_printf("ssl_init port '%d' filename '%s' password(only for p12 file) '%s'\n",
                  port, uats->keyfile, uats->password);

              ssl_association_add(dissector_table_name, main_handle, handle, port, tcp);
          }
      } else {
          if (strcmp(uats->port, "start_tls"))
              ssl_debug_printf("invalid ssl_init_port: %s\n", uats->port);
      }
  }

6680end:
  gnutls_x509_privkey_deinit(x509_priv_key);
  gnutls_privkey_deinit(priv_key);
  g_free(key_id)(__builtin_object_size ((key_id), 0) != ((size_t) - 1)) ? g_free_sized
 (key_id, __builtin_object_size ((key_id), 0)) : (g_free) (key_id
);
6684}
6685/* }}} */
6686#endif


6689/* Store/load a known (pre-)master secret from/for this SSL session. {{{ */
6690/** store a known (pre-)master secret into cache */
6691static void
6692ssl_save_master_key(const char *label, GHashTable *ht, StringInfo *key,
                  StringInfo *mk)
6694{
  StringInfo *ht_key, *master_secret;

  if (key->data_len == 0) {
      ssl_debug_printf("%s: not saving empty %s!\n", G_STRFUNC((const char*) (__func__)), label);
      return;
  }

  if (mk->data_len == 0) {
      ssl_debug_printf("%s not saving empty (pre-)master secret for %s!\n",
                       G_STRFUNC((const char*) (__func__)), label);
      return;
  }

  ht_key = ssl_data_clone(key);
  master_secret = ssl_data_clone(mk);
  g_hash_table_insert(ht, ht_key, master_secret);

  ssl_debug_printf("%s inserted (pre-)master secret for %s\n", G_STRFUNC((const char*) (__func__)), label);
  ssl_print_string("stored key", ht_key);
  ssl_print_string("stored (pre-)master secret", master_secret);
6715}

6717/** restore a (pre-)master secret given some key in the cache */
6718static bool_Bool
6719ssl_restore_master_key(SslDecryptSession *ssl, const char *label,
                     bool_Bool is_pre_master, GHashTable *ht, StringInfo *key)
6721{
  StringInfo *ms;

  if (key->data_len == 0) {
      ssl_debug_printf("%s can't restore %smaster secret using an empty %s\n",
                       G_STRFUNC((const char*) (__func__)), is_pre_master ? "pre-" : "", label);
      return false0;
  }

  ms = (StringInfo *)g_hash_table_lookup(ht, key);
  if (!ms) {
      ssl_debug_printf("%s can't find %smaster secret by %s\n", G_STRFUNC((const char*) (__func__)),
                       is_pre_master ? "pre-" : "", label);
      return false0;
  }

  /* (pre)master secret found, clear knowledge of other keys and set it in the
   * current conversation */
  ssl->state &= ~(SSL_MASTER_SECRET(1<<5) | SSL_PRE_MASTER_SECRET(1<<6) |
                  SSL_HAVE_SESSION_KEY(1<<3));
  if (is_pre_master) {
      /* unlike master secret, pre-master secret has a variable size (48 for
       * RSA, varying for PSK) and is therefore not statically allocated */
      ssl->pre_master_secret.data = (unsigned char *) wmem_alloc(wmem_file_scope(),
                                                          ms->data_len);
      ssl_data_set(&ssl->pre_master_secret, ms->data, ms->data_len);
      ssl->state |= SSL_PRE_MASTER_SECRET(1<<6);
  } else {
      ssl_data_set(&ssl->master_secret, ms->data, ms->data_len);
      ssl->state |= SSL_MASTER_SECRET(1<<5);
  }
  ssl_debug_printf("%s %smaster secret retrieved using %s\n", G_STRFUNC((const char*) (__func__)),
                   is_pre_master ? "pre-" : "", label);
  ssl_print_string(label, key);
  ssl_print_string("(pre-)master secret", ms);
  return true1;
6757}
6758/* Store/load a known (pre-)master secret from/for this SSL session. }}} */

6760/* Should be called when all parameters are ready (after ChangeCipherSpec), and
* the decoder should be attempted to be initialized. {{{*/
6762void
6763ssl_finalize_decryption(SslDecryptSession *ssl, ssl_master_key_map_t *mk_map)
6764{
  if (ssl->session.version == TLSV1DOT3_VERSION0x304) {
      /* TLS 1.3 implementations only provide secrets derived from the master
       * secret which are loaded in tls13_change_key. No master secrets can be
       * loaded here, so just return. */
      return;
  }
  ssl_debug_printf("%s state = 0x%02X\n", G_STRFUNC((const char*) (__func__)), ssl->state);
  if (ssl->state & SSL_HAVE_SESSION_KEY(1<<3)) {
      ssl_debug_printf("  session key already available, nothing to do.\n");
      return;
  }
  if (!(ssl->state & SSL_CIPHER(1<<2))) {
      ssl_debug_printf("  Cipher suite (Server Hello) is missing!\n");
      return;
  }

  /* for decryption, there needs to be a master secret (which can be derived
   * from pre-master secret). If missing, try to pick a master key from cache
   * (an earlier packet in the capture or key logfile). */
  if (!(ssl->state & (SSL_MASTER_SECRET(1<<5) | SSL_PRE_MASTER_SECRET(1<<6))) &&
      !ssl_restore_master_key(ssl, "Session ID", false0,
                              mk_map->session, &ssl->session_id) &&
      (!ssl->session.is_session_resumed ||
       !ssl_restore_master_key(ssl, "Session Ticket", false0,
                               mk_map->tickets, &ssl->session_ticket)) &&
      !ssl_restore_master_key(ssl, "Client Random", false0,
                              mk_map->crandom, &ssl->client_random)) {
      if (ssl->cipher_suite->enc != ENC_NULL0x3D) {
          /* how unfortunate, the master secret could not be found */
          ssl_debug_printf("  Cannot find master secret\n");
          return;
      } else {
          ssl_debug_printf(" Cannot find master secret, continuing anyway "
                  "because of a NULL cipher\n");
      }
  }

  if (ssl_generate_keyring_material(ssl) < 0) {
      ssl_debug_printf("%s can't generate keyring material\n", G_STRFUNC((const char*) (__func__)));
      return;
  }
  /* Save Client Random/ Session ID for "SSL Export Session keys" */
  ssl_save_master_key("Client Random", mk_map->crandom,
                      &ssl->client_random, &ssl->master_secret);
  ssl_save_master_key("Session ID", mk_map->session,
                      &ssl->session_id, &ssl->master_secret);
  /* Only save the new secrets if the server sent the ticket. The client
   * ticket might have become stale. */
  if (ssl->state & SSL_NEW_SESSION_TICKET(1<<10)) {
      ssl_save_master_key("Session Ticket", mk_map->tickets,
                          &ssl->session_ticket, &ssl->master_secret);
  }
6817} /* }}} */

6819static StringInfo*
6820tls13_load_secret_from_psk(SslDecryptSession *tls, bool_Bool is_from_server,
                         TLSRecordType type)
6822{
  /* XXX - In addition to an out-of-bound PSK, we could also save the
   * PSK from a NewSessionTicket; we would also need to compute the
   * resumption_master_secret.  */
  if (tls->psk.data_len == 0)
      return NULL((void*)0);

  /* We SHOULD associate each PSK with a hash algorithm (e.g., use
   * a UAT instead of a single global PSK string preference, preferably
   * following RFC 9258.) Failing that, RFC 8864 4.2.1 and 9258 say SHA-256
   * SHOULD be used. We will try the negotiated hash algorithm regardless
   * with the PSK, but fall back to SHA-256 for the Early Secret, since
   * that's before the Server Hello completes negotiation.
   */
  const SslDigestAlgo *dig = ssl_cipher_suite_dig(tls->cipher_suite);
  if (type == TLS_SECRET_0RTT_APP && dig == &digests[DIG_NA0x45 - DIG_MD50x40]) {
      dig = &digests[DIG_SHA2560x42 - DIG_MD50x40];
      ssl_debug_printf("%s assuming PSK hash function is %s\n", G_STRFUNC((const char*) (__func__)), dig->name);
  }

  int hash_algo = ssl_get_digest_by_name(dig->name);
  if (!hash_algo) {
      ssl_debug_printf("%s can't find hash function %s\n", G_STRFUNC((const char*) (__func__)), dig->name);
      return NULL((void*)0);
  }

  /* We can re-use this to store the Pseudo Random Key for each epoch. */
  uint8_t prk[DIGEST_MAX_SIZE48];
  StringInfo prk_string = { prk, dig->len };
  uint8_t *derived_secret;

  uint8_t zeroes[DIGEST_MAX_SIZE48];
  memset(zeroes, 0, dig->len);

  StringInfo *secret = NULL((void*)0);
  const char *label;

  /* PRK = Early Secret */
  hkdf_extract(hash_algo, zeroes, dig->len, tls->psk.data, tls->psk.data_len, prk);

  if (type == TLS_SECRET_0RTT_APP) {
      DISSECTOR_ASSERT(!is_from_server)((void) ((!is_from_server) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 6863, "!is_from_server"))));
      label = "c e traffic";
  } else {
      if (!tls13_derive_secret(hash_algo, &prk_string, tls13_hkdf_label_prefix(tls),
                          "derived", NULL((void*)0), 0, dig->len, &derived_secret))
          return NULL((void*)0);

      /* PRK = Handshake Secret [assume no (EC)DHE.] */
      hkdf_extract(hash_algo, derived_secret, dig->len, zeroes, dig->len, prk);
      wmem_free(NULL((void*)0), derived_secret);

      if (type == TLS_SECRET_HANDSHAKE) {
          label = is_from_server ? "s hs traffic" : "c hs traffic";
      } else {
          if (!tls13_derive_secret(hash_algo, &prk_string, tls13_hkdf_label_prefix(tls),
                              "derived", NULL((void*)0), 0, dig->len, &derived_secret))
              return NULL((void*)0);

          /* PRK = Master Secret */
          hkdf_extract(hash_algo, derived_secret, dig->len, zeroes, dig->len, prk);
          wmem_free(NULL((void*)0), derived_secret);

          label = is_from_server ? "s ap traffic" : "c ap traffic";
      }
  }

  /* XXX - If Encrypted Client Hello was accepted (do client/server pairs
   * support ECHO with psk_ke?) then we should use ech_transcript instead
   * of handshake_data. Perhaps we should consolidate some of that handling,
   * though note that we would have to keep both transcripts around after
   * the ClientHello until the ServerHello indicated whether ECHO was
   * accepted or not. */
  if (!tls13_derive_secret(hash_algo, &prk_string,
                      tls13_hkdf_label_prefix(tls), label,
                      tls->handshake_data.data, tls->handshake_data.data_len,
                      dig->len, &derived_secret))
      return NULL((void*)0);

  secret = wmem_new(wmem_file_scope(), StringInfo)((StringInfo*)wmem_alloc((wmem_file_scope()), sizeof(StringInfo
)));
  secret->data = wmem_memdup(wmem_file_scope(), derived_secret, dig->len);
  secret->data_len = dig->len;
  wmem_free(NULL((void*)0), derived_secret);
  return secret;
6906}

6908/* Load the traffic key secret from the keylog file. */
6909StringInfo *
6910tls13_load_secret(SslDecryptSession *ssl, ssl_master_key_map_t *mk_map,
                bool_Bool is_from_server, TLSRecordType type)
6912{
  GHashTable *key_map;
  const char *label;

  if (ssl->session.version != TLSV1DOT3_VERSION0x304 && ssl->session.version != DTLSV1DOT3_VERSION0xfefc) {
      ssl_debug_printf("%s TLS version %#x is not 1.3\n", G_STRFUNC((const char*) (__func__)), ssl->session.version);
      return NULL((void*)0);
  }

  if (ssl->client_random.data_len == 0) {
      /* May happen if Hello message is missing and Finished is found. */
      ssl_debug_printf("%s missing Client Random\n", G_STRFUNC((const char*) (__func__)));
      return NULL((void*)0);
  }

  switch (type) {
  case TLS_SECRET_0RTT_APP:
      DISSECTOR_ASSERT(!is_from_server)((void) ((!is_from_server) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 6929, "!is_from_server"))));
      label = "CLIENT_EARLY_TRAFFIC_SECRET";
      key_map = mk_map->tls13_client_early;
      break;
  case TLS_SECRET_HANDSHAKE:
      if (is_from_server) {
          label = "SERVER_HANDSHAKE_TRAFFIC_SECRET";
          key_map = mk_map->tls13_server_handshake;
      } else {
          label = "CLIENT_HANDSHAKE_TRAFFIC_SECRET";
          key_map = mk_map->tls13_client_handshake;
      }
      break;
  case TLS_SECRET_APP:
      if (is_from_server) {
          label = "SERVER_TRAFFIC_SECRET_0";
          key_map = mk_map->tls13_server_appdata;
      } else {
          label = "CLIENT_TRAFFIC_SECRET_0";
          key_map = mk_map->tls13_client_appdata;
      }
      break;
  default:
      ws_assert_not_reached()ws_log_fatal_full("", LOG_LEVEL_ERROR, "epan/dissectors/packet-tls-utils.c"
, 6952, __func__, "assertion \"not reached\" failed");
  }

  /* Transitioning to new keys, mark old ones as unusable. */
  ssl_debug_printf("%s transitioning to new key, old state 0x%02x\n", G_STRFUNC((const char*) (__func__)), ssl->state);
  ssl->state &= ~(SSL_MASTER_SECRET(1<<5) | SSL_PRE_MASTER_SECRET(1<<6) | SSL_HAVE_SESSION_KEY(1<<3));

  StringInfo *secret = (StringInfo *)g_hash_table_lookup(key_map, &ssl->client_random);
  if (!secret) {
      secret = tls13_load_secret_from_psk(ssl, is_from_server, type);
      if (secret) {
          ssl_debug_printf("%s Calculated TLS 1.3 traffic secret from PSK.\n", G_STRFUNC((const char*) (__func__)));
          /* Doing this allows us to save the secret as a DSB in a pcapng. */
          g_hash_table_insert(key_map, ssl_data_clone(&ssl->client_random), secret);
      }
  }
  if (!secret) {
      ssl_debug_printf("%s Cannot find %s, decryption impossible\n", G_STRFUNC((const char*) (__func__)), label);
      /* Disable decryption, the keys are invalid. */
      if (is_from_server) {
          ssl->server = NULL((void*)0);
      } else {
          ssl->client = NULL((void*)0);
      }
      return NULL((void*)0);
  }

  /* TLS 1.3 secret found, set new keys. */
  ssl_debug_printf("%s Retrieved TLS 1.3 traffic secret.\n", G_STRFUNC((const char*) (__func__)));
  ssl_print_string("Client Random", &ssl->client_random);
  ssl_print_string(label, secret);
  return secret;
6984}

6986/* Load the new key. */
6987void
6988tls13_change_key(SslDecryptSession *ssl, ssl_master_key_map_t *mk_map,
               bool_Bool is_from_server, TLSRecordType type)
6990{
  if (ssl->state & SSL_QUIC_RECORD_LAYER(1<<13)) {
      /*
       * QUIC does not use the TLS record layer for message protection.
       * The required keys will be extracted later by QUIC.
       */
      return;
  }

  StringInfo *secret = tls13_load_secret(ssl, mk_map, is_from_server, type);
  if (!secret) {
      if (type != TLS_SECRET_HANDSHAKE) {
          return;
      }
      /*
       * Workaround for when for some reason we don't have the handshake
       * secret but do have the application traffic secret. (#20240)
       * If we can't find the handshake secret, we'll never decrypt the
       * Finished message, so we won't know when to change to the app
       * traffic key, so we do so now.
       */
      type = TLS_SECRET_APP;
      secret = tls13_load_secret(ssl, mk_map, is_from_server, type);
      if (!secret) {
          return;
      }
  }

  if (tls13_generate_keys(ssl, secret, is_from_server)) {
      /*
       * Remember the application traffic secret to support Key Update. The
       * other secrets cannot be used for this purpose, so free them.
       */
      SslDecoder *decoder = is_from_server ? ssl->server : ssl->client;
      StringInfo *app_secret = &decoder->app_traffic_secret;
      if (type == TLS_SECRET_APP) {
          app_secret->data = (unsigned char *) wmem_realloc(wmem_file_scope(),
                                                     app_secret->data,
                                                     secret->data_len);
          ssl_data_set(app_secret, secret->data, secret->data_len);
      } else {
          wmem_free(wmem_file_scope(), app_secret->data);
          app_secret->data = NULL((void*)0);
          app_secret->data_len = 0;
      }
  }
7036}

7038/**
* Update to next application data traffic secret for TLS 1.3. The previous
* secret should have been set by tls13_change_key.
*/
7042void
7043tls13_key_update(SslDecryptSession *ssl, bool_Bool is_from_server)
7044{
  /* RFC 8446 Section 7.2:
   * application_traffic_secret_N+1 =
   *     HKDF-Expand-Label(application_traffic_secret_N,
   *                       "traffic upd", "", Hash.length)
   *
   * Both application_traffic_secret_N are of the same length (Hash.length).
   */
  const SslCipherSuite *cipher_suite = ssl->cipher_suite;
  SslDecoder *decoder = is_from_server ? ssl->server : ssl->client;
  StringInfo *app_secret = decoder ? &decoder->app_traffic_secret : NULL((void*)0);
  uint8_t tls13_draft_version = ssl->session.tls13_draft_version;

  if (!cipher_suite || !app_secret || app_secret->data_len == 0) {
      ssl_debug_printf("%s Cannot perform Key Update due to missing info\n", G_STRFUNC((const char*) (__func__)));
      return;
  }

  /*
   * Previous traffic secret is available, so find the hash function,
   * expand the new traffic secret and generate new keys.
   */
  const char *hash_name = ssl_cipher_suite_dig(cipher_suite)->name;
  int hash_algo = ssl_get_digest_by_name(hash_name);
  const unsigned hash_len = app_secret->data_len;
  unsigned char *new_secret;
  const char *label = "traffic upd";
  if (tls13_draft_version && tls13_draft_version < 20) {
      label = "application traffic secret";
  }
  if (!tls13_hkdf_expand_label(hash_algo, app_secret,
                               tls13_hkdf_label_prefix(ssl),
                               label, hash_len, &new_secret)) {
      ssl_debug_printf("%s traffic_secret_N+1 expansion failed\n", G_STRFUNC((const char*) (__func__)));
      return;
  }
  ssl_data_set(app_secret, new_secret, hash_len);
  if (tls13_generate_keys(ssl, app_secret, is_from_server)) {
      /*
       * Remember the application traffic secret on the new decoder to
       * support another Key Update.
       */
      decoder = is_from_server ? ssl->server : ssl->client;
      app_secret = &decoder->app_traffic_secret;
      app_secret->data = (unsigned char *) wmem_realloc(wmem_file_scope(),
                                                 app_secret->data,
                                                 hash_len);
      ssl_data_set(app_secret, new_secret, hash_len);
  }
  wmem_free(NULL((void*)0), new_secret);
7094}

7096void
7097tls_save_crandom(SslDecryptSession *ssl, ssl_master_key_map_t *mk_map)
7098{
  if (ssl && (ssl->state & SSL_CLIENT_RANDOM(1<<0))) {
      g_hash_table_add(mk_map->used_crandom, ssl_data_clone(&ssl->client_random));
  }
7102}

7104/** SSL keylog file handling. {{{ */

7106static GRegex *
7107ssl_compile_keyfile_regex(void)
7108{
7109#define OCTET "(?:[[:xdigit:]]{2})"
  const char *pattern =
      "(?:"
      /* Matches Client Hellos having this Client Random */
      "PMS_CLIENT_RANDOM (?<client_random_pms>" OCTET "{32}) "
      /* Matches first part of encrypted RSA pre-master secret */
      "|RSA (?<encrypted_pmk>" OCTET "{8}) "
      /* Pre-Master-Secret is given, it is 48 bytes for RSA,
         but it can be of any length for DHE */
      ")(?<pms>" OCTET "+)"
      "|(?:"
      /* Matches Server Hellos having a Session ID */
      "RSA Session-ID:(?<session_id>" OCTET "+) Master-Key:"
      /* Matches Client Hellos having this Client Random */
      "|CLIENT_RANDOM (?<client_random>" OCTET "{32}) "
      /* Master-Secret is given, its length is fixed */
      ")(?<master_secret>" OCTET "{" G_STRINGIFY(SSL_MASTER_SECRET_LENGTH)"48" "})"
      "|(?"
      /* TLS 1.3 Client Random to Derived Secrets mapping. */
      ":CLIENT_EARLY_TRAFFIC_SECRET (?<client_early>" OCTET "{32})"
      "|CLIENT_HANDSHAKE_TRAFFIC_SECRET (?<client_handshake>" OCTET "{32})"
      "|SERVER_HANDSHAKE_TRAFFIC_SECRET (?<server_handshake>" OCTET "{32})"
      "|CLIENT_TRAFFIC_SECRET_0 (?<client_appdata>" OCTET "{32})"
      "|SERVER_TRAFFIC_SECRET_0 (?<server_appdata>" OCTET "{32})"
      "|EARLY_EXPORTER_SECRET (?<early_exporter>" OCTET "{32})"
      "|EXPORTER_SECRET (?<exporter>" OCTET "{32})"
      /* ECH. Secret length is defined by HPKE KEM Nsecret and can vary between 32 and 64 bytes */
      /* These labels and their notation are specified in draft-ietf-tls-ech-keylogfile-01 */
      "|ECH_SECRET (?<ech_secret>" OCTET "{32,64})"
      "|ECH_CONFIG (?<ech_config>" OCTET "{22,})"
      ") (?<derived_secret>" OCTET "+)";
7140#undef OCTET
  static GRegex *regex = NULL((void*)0);
  GError *gerr = NULL((void*)0);

  if (!regex) {
      regex = g_regex_new(pattern,
              (GRegexCompileFlags)(G_REGEX_OPTIMIZE | G_REGEX_ANCHORED | G_REGEX_RAW),
              G_REGEX_MATCH_ANCHORED, &gerr);
      if (gerr) {
          ssl_debug_printf("%s failed to compile regex: %s\n", G_STRFUNC((const char*) (__func__)),
                           gerr->message);
          g_error_free(gerr);
          regex = NULL((void*)0);
      }
  }

  return regex;
7157}

7159typedef struct ssl_master_key_match_group {
  const char *re_group_name;
  GHashTable *master_key_ht;
7162} ssl_master_key_match_group_t;

7164void
7165tls_keylog_process_lines(const ssl_master_key_map_t *mk_map, const uint8_t *data, unsigned datalen)
7166{
  ssl_master_key_match_group_t mk_groups[] = {
      { "encrypted_pmk",  mk_map->pre_master },
      { "session_id",     mk_map->session },
      { "client_random",  mk_map->crandom },
      { "client_random_pms",  mk_map->pms },
      /* TLS 1.3 map from Client Random to derived secret. */
      { "client_early",       mk_map->tls13_client_early },
      { "client_handshake",   mk_map->tls13_client_handshake },
      { "server_handshake",   mk_map->tls13_server_handshake },
      { "client_appdata",     mk_map->tls13_client_appdata },
      { "server_appdata",     mk_map->tls13_server_appdata },
      { "early_exporter",     mk_map->tls13_early_exporter },
      { "exporter",           mk_map->tls13_exporter },
      { "ech_secret",         mk_map->ech_secret },
      { "ech_config",         mk_map->ech_config },
  };

  /* The format of the file is a series of records with one of the following formats:
   *   - "RSA xxxx yyyy"
   *     Where xxxx are the first 8 bytes of the encrypted pre-master secret (hex-encoded)
   *     Where yyyy is the cleartext pre-master secret (hex-encoded)
   *     (this is the original format introduced with bug 4349)
   *
   *   - "RSA Session-ID:xxxx Master-Key:yyyy"
   *     Where xxxx is the SSL session ID (hex-encoded)
   *     Where yyyy is the cleartext master secret (hex-encoded)
   *     (added to support openssl s_client Master-Key output)
   *     This is somewhat is a misnomer because there's nothing RSA specific
   *     about this.
   *
   *   - "PMS_CLIENT_RANDOM xxxx yyyy"
   *     Where xxxx is the client_random from the ClientHello (hex-encoded)
   *     Where yyyy is the cleartext pre-master secret (hex-encoded)
   *     (This format allows SSL connections to be decrypted, if a user can
   *     capture the PMS but could not recover the MS for a specific session
   *     with a SSL Server.)
   *
   *   - "CLIENT_RANDOM xxxx yyyy"
   *     Where xxxx is the client_random from the ClientHello (hex-encoded)
   *     Where yyyy is the cleartext master secret (hex-encoded)
   *     (This format allows non-RSA SSL connections to be decrypted, i.e.
   *     ECDHE-RSA.)
   *
   *   - "CLIENT_EARLY_TRAFFIC_SECRET xxxx yyyy"
   *   - "CLIENT_HANDSHAKE_TRAFFIC_SECRET xxxx yyyy"
   *   - "SERVER_HANDSHAKE_TRAFFIC_SECRET xxxx yyyy"
   *   - "CLIENT_TRAFFIC_SECRET_0 xxxx yyyy"
   *   - "SERVER_TRAFFIC_SECRET_0 xxxx yyyy"
   *   - "EARLY_EXPORTER_SECRET xxxx yyyy"
   *   - "EXPORTER_SECRET xxxx yyyy"
   *     Where xxxx is the client_random from the ClientHello (hex-encoded)
   *     Where yyyy is the secret (hex-encoded) derived from the early,
   *     handshake or master secrets. (This format is introduced with TLS 1.3
   *     and supported by BoringSSL, OpenSSL, etc. See bug 12779.)
   */
  GRegex *regex = ssl_compile_keyfile_regex();
  if (!regex)
      return;

  const char *next_line = (const char *)data;
  const char *line_end = next_line + datalen;
  while (next_line && next_line < line_end) {
      const char *line = next_line;
      next_line = (const char *)memchr(line, '\n', line_end - line);
      ssize_t linelen;

      if (next_line) {
          linelen = next_line - line;
          next_line++;    /* drop LF */
      } else {
          linelen = (ssize_t)(line_end - line);
      }
      if (linelen > 0 && line[linelen - 1] == '\r') {
          linelen--;      /* drop CR */
      }

      ssl_debug_printf("  checking keylog line: %.*s\n", (int)linelen, line);
      GMatchInfo *mi;
      if (g_regex_match_full(regex, line, linelen, 0, G_REGEX_MATCH_ANCHORED, &mi, NULL((void*)0))) {
          char *hex_key, *hex_pre_ms_or_ms;
          StringInfo *key = wmem_new(wmem_file_scope(), StringInfo)((StringInfo*)wmem_alloc((wmem_file_scope()), sizeof(StringInfo
)));
          StringInfo *pre_ms_or_ms = NULL((void*)0);
          GHashTable *ht = NULL((void*)0);

          /* Is the PMS being supplied with the PMS_CLIENT_RANDOM
           * otherwise we will use the Master Secret
           */
          hex_pre_ms_or_ms = g_match_info_fetch_named(mi, "master_secret");
          if (hex_pre_ms_or_ms == NULL((void*)0) || !*hex_pre_ms_or_ms) {
              g_free(hex_pre_ms_or_ms)(__builtin_object_size ((hex_pre_ms_or_ms), 0) != ((size_t) -
 1)) ? g_free_sized (hex_pre_ms_or_ms, __builtin_object_size (
(hex_pre_ms_or_ms), 0)) : (g_free) (hex_pre_ms_or_ms);
              hex_pre_ms_or_ms = g_match_info_fetch_named(mi, "pms");
          }
          if (hex_pre_ms_or_ms == NULL((void*)0) || !*hex_pre_ms_or_ms) {
              g_free(hex_pre_ms_or_ms)(__builtin_object_size ((hex_pre_ms_or_ms), 0) != ((size_t) -
 1)) ? g_free_sized (hex_pre_ms_or_ms, __builtin_object_size (
(hex_pre_ms_or_ms), 0)) : (g_free) (hex_pre_ms_or_ms);
              hex_pre_ms_or_ms = g_match_info_fetch_named(mi, "derived_secret");
          }
          /* There is always a match, otherwise the regex is wrong. */
          DISSECTOR_ASSERT(hex_pre_ms_or_ms && strlen(hex_pre_ms_or_ms))((void) ((hex_pre_ms_or_ms && strlen(hex_pre_ms_or_ms
)) ? (void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\""
, "epan/dissectors/packet-tls-utils.c", 7264, "hex_pre_ms_or_ms && strlen(hex_pre_ms_or_ms)"
))));

          /* convert from hex to bytes and save to hashtable */
          pre_ms_or_ms = wmem_new(wmem_file_scope(), StringInfo)((StringInfo*)wmem_alloc((wmem_file_scope()), sizeof(StringInfo
)));
          from_hex(pre_ms_or_ms, hex_pre_ms_or_ms, strlen(hex_pre_ms_or_ms));
          g_free(hex_pre_ms_or_ms)(__builtin_object_size ((hex_pre_ms_or_ms), 0) != ((size_t) -
 1)) ? g_free_sized (hex_pre_ms_or_ms, __builtin_object_size (
(hex_pre_ms_or_ms), 0)) : (g_free) (hex_pre_ms_or_ms);

          /* Find a master key from any format (CLIENT_RANDOM, SID, ...) */
          for (unsigned i = 0; i < G_N_ELEMENTS(mk_groups)(sizeof (mk_groups) / sizeof ((mk_groups)[0])); i++) {
              ssl_master_key_match_group_t *g = &mk_groups[i];
              hex_key = g_match_info_fetch_named(mi, g->re_group_name);
              if (hex_key && *hex_key) {
                  ssl_debug_printf("    matched %s\n", g->re_group_name);
                  ht = g->master_key_ht;
                  from_hex(key, hex_key, strlen(hex_key));
                  g_free(hex_key)(__builtin_object_size ((hex_key), 0) != ((size_t) - 1)) ? g_free_sized
 (hex_key, __builtin_object_size ((hex_key), 0)) : (g_free) (
hex_key);
                  break;
              }
              g_free(hex_key)(__builtin_object_size ((hex_key), 0) != ((size_t) - 1)) ? g_free_sized
 (hex_key, __builtin_object_size ((hex_key), 0)) : (g_free) (
hex_key);
          }
          DISSECTOR_ASSERT(ht)((void) ((ht) ? (void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\""
, "epan/dissectors/packet-tls-utils.c", 7284, "ht")))); /* Cannot be reached, or regex is wrong. */

          g_hash_table_insert(ht, key, pre_ms_or_ms);

      } else if (linelen > 0 && line[0] != '#') {
          ssl_debug_printf("    unrecognized line\n");
      }
      /* always free match info even if there is no match. */
      g_match_info_free(mi);
  }
7294}

7296void
7297ssl_load_keyfile(const char *tls_keylog_filename, FILE **keylog_file,
               const ssl_master_key_map_t *mk_map)
7299{
  /* no need to try if no key log file is configured. */
  if (!tls_keylog_filename || !*tls_keylog_filename) {
      ssl_debug_printf("%s dtls/tls.keylog_file is not configured!\n",
                       G_STRFUNC((const char*) (__func__)));
      return;
  }

  /* Validate regexes before even trying to use it. */
  if (!ssl_compile_keyfile_regex()) {
      return;
  }

  ssl_debug_printf("trying to use TLS keylog in %s\n", tls_keylog_filename);

  /* if the keylog file was deleted/overwritten, re-open it */
  if (*keylog_file && file_needs_reopen(ws_filenofileno(*keylog_file), tls_keylog_filename)) {
      ssl_debug_printf("%s file got deleted, trying to re-open\n", G_STRFUNC((const char*) (__func__)));
      fclose(*keylog_file);
      *keylog_file = NULL((void*)0);
  }

  if (*keylog_file == NULL((void*)0)) {
      *keylog_file = ws_fopenfopen(tls_keylog_filename, "r");
      if (!*keylog_file) {
          ssl_debug_printf("%s failed to open SSL keylog\n", G_STRFUNC((const char*) (__func__)));
          return;
      }
  }

  for (;;) {
      char buf[1110], *line;
      line = fgets(buf, sizeof(buf), *keylog_file);
      if (!line) {
          if (feof(*keylog_file)) {
              /* Ensure that newly appended keys can be read in the future. */
              clearerr(*keylog_file);
          } else if (ferror(*keylog_file)) {
              ssl_debug_printf("%s Error while reading key log file, closing it!\n", G_STRFUNC((const char*) (__func__)));
              fclose(*keylog_file);
              *keylog_file = NULL((void*)0);
          }
          break;
      }
      tls_keylog_process_lines(mk_map, (uint8_t *)line, (int)strlen(line));
  }
7345}
7346/** SSL keylog file handling. }}} */

7348#ifdef SSL_DECRYPT_DEBUG /* {{{ */

7350static FILE* ssl_debug_file;

7352void
7353ssl_set_debug(const char* name)
7354{
  static int debug_file_must_be_closed;
  int         use_stderr;

  use_stderr                = name?(strcmp(name, SSL_DEBUG_USE_STDERR"-") == 0):0;

  if (debug_file_must_be_closed)
      fclose(ssl_debug_file);

  if (use_stderr)
      ssl_debug_file = stderrstderr;
  else if (!name || (strcmp(name, "") ==0))
      ssl_debug_file = NULL((void*)0);
  else
      ssl_debug_file = ws_fopenfopen(name, "w");

  if (!use_stderr && ssl_debug_file)
      debug_file_must_be_closed = 1;
  else
      debug_file_must_be_closed = 0;

  ssl_debug_printf("Wireshark SSL debug log \n\n");
7376#ifdef HAVE_LIBGNUTLS1
  ssl_debug_printf("GnuTLS version:    %s\n", gnutls_check_version(NULL((void*)0)));
7378#endif
  ssl_debug_printf("Libgcrypt version: %s\n", gcry_check_version(NULL((void*)0)));
  ssl_debug_printf("\n");
7381}

7383void
7384ssl_debug_flush(void)
7385{
  if (ssl_debug_file)
      fflush(ssl_debug_file);
7388}

7390void
7391ssl_debug_printf(const char* fmt, ...)
7392{
  va_list ap;

  if (!ssl_debug_file)
      return;

  va_start(ap, fmt)__builtin_va_start(ap, fmt);
  vfprintf(ssl_debug_file, fmt, ap);
  va_end(ap)__builtin_va_end(ap);
7401}

7403void
7404ssl_print_data(const char* name, const unsigned char* data, size_t len)
7405{
  size_t i, j, k;
  if (!ssl_debug_file)
      return;
  fprintf(ssl_debug_file,"%s[%d]:\n",name, (int) len);
  for (i=0; i<len; i+=16) {
      fprintf(ssl_debug_file,"| ");
      for (j=i, k=0; k<16 && j<len; ++j, ++k)
          fprintf(ssl_debug_file,"%.2x ",data[j]);
      for (; k<16; ++k)
          fprintf(ssl_debug_file,"   ");
      fputc('|', ssl_debug_file);
      for (j=i, k=0; k<16 && j<len; ++j, ++k) {
          unsigned char c = data[j];
          if (!g_ascii_isprint(c)((g_ascii_table[(guchar) (c)] & G_ASCII_PRINT) != 0) || (c=='\t')) c = '.';
          fputc(c, ssl_debug_file);
      }
      for (; k<16; ++k)
          fputc(' ', ssl_debug_file);
      fprintf(ssl_debug_file,"|\n");
  }
7426}

7428void
7429ssl_print_string(const char* name, const StringInfo* data)
7430{
  ssl_print_data(name, data->data, data->data_len);
7432}
7433#endif /* SSL_DECRYPT_DEBUG }}} */

7435/* UAT preferences callbacks. {{{ */
7436/* checks for SSL and DTLS UAT key list fields */

7438bool_Bool
7439ssldecrypt_uat_fld_ip_chk_cb(void* r _U___attribute__((unused)), const char* p _U___attribute__((unused)), unsigned len _U___attribute__((unused)), const void* u1 _U___attribute__((unused)), const void* u2 _U___attribute__((unused)), char** err)
7440{
  // This should be removed in favor of Decode As. Make it optional.
  *err = NULL((void*)0);
  return true1;
7444}

7446bool_Bool
7447ssldecrypt_uat_fld_port_chk_cb(void* r _U___attribute__((unused)), const char* p, unsigned len _U___attribute__((unused)), const void* u1 _U___attribute__((unused)), const void* u2 _U___attribute__((unused)), char** err)
7448{
  if (!p || strlen(p) == 0u) {
      // This should be removed in favor of Decode As. Make it optional.
      *err = NULL((void*)0);
      return true1;
  }

  if (strcmp(p, "start_tls") != 0){
      uint16_t port;
      if (!ws_strtou16(p, NULL((void*)0), &port)) {
          *err = g_strdup("Invalid port given.")g_strdup_inline ("Invalid port given.");
          return false0;
      }
  }

  *err = NULL((void*)0);
  return true1;
7465}

7467bool_Bool
7468ssldecrypt_uat_fld_fileopen_chk_cb(void* r _U___attribute__((unused)), const char* p, unsigned len _U___attribute__((unused)), const void* u1 _U___attribute__((unused)), const void* u2 _U___attribute__((unused)), char** err)
7469{
  ws_statb64struct stat st;

  if (!p || strlen(p) == 0u) {
      *err = g_strdup("No filename given.")g_strdup_inline ("No filename given.");
      return false0;
  } else {
      if (ws_stat64stat(p, &st) != 0) {
          *err = ws_strdup_printf("File '%s' does not exist or access is denied.", p)wmem_strdup_printf(((void*)0), "File '%s' does not exist or access is denied."
, p);
          return false0;
      }
  }

  *err = NULL((void*)0);
  return true1;
7484}

7486bool_Bool
7487ssldecrypt_uat_fld_password_chk_cb(void *r _U___attribute__((unused)), const char *p _U___attribute__((unused)), unsigned len _U___attribute__((unused)), const void *u1 _U___attribute__((unused)), const void *u2 _U___attribute__((unused)), char **err)
7488{
7489#if defined(HAVE_LIBGNUTLS1)
  ssldecrypt_assoc_t*  f  = (ssldecrypt_assoc_t *)r;
  FILE                *fp = NULL((void*)0);

  if (p && (strlen(p) > 0u)) {
      fp = ws_fopenfopen(f->keyfile, "rb");
      if (fp) {
          char *msg = NULL((void*)0);
          gnutls_x509_privkey_t priv_key = rsa_load_pkcs12(fp, p, &msg);
          if (!priv_key) {
              fclose(fp);
              *err = ws_strdup_printf("Could not load PKCS#12 key file: %s", msg)wmem_strdup_printf(((void*)0), "Could not load PKCS#12 key file: %s"
, msg);
              g_free(msg)(__builtin_object_size ((msg), 0) != ((size_t) - 1)) ? g_free_sized
 (msg, __builtin_object_size ((msg), 0)) : (g_free) (msg);
              return false0;
          }
          g_free(msg)(__builtin_object_size ((msg), 0) != ((size_t) - 1)) ? g_free_sized
 (msg, __builtin_object_size ((msg), 0)) : (g_free) (msg);
          gnutls_x509_privkey_deinit(priv_key);
          fclose(fp);
      } else {
          *err = ws_strdup_printf("Leave this field blank if the keyfile is not PKCS#12.")wmem_strdup_printf(((void*)0), "Leave this field blank if the keyfile is not PKCS#12."
);
          return false0;
      }
  }

  *err = NULL((void*)0);
  return true1;
7515#else
  *err = g_strdup("Cannot load key files, support is not compiled in.")g_strdup_inline ("Cannot load key files, support is not compiled in."
);
  return false0;
7518#endif
7519}
7520/* UAT preferences callbacks. }}} */

7522/** maximum size of ssl_association_info() string */
7523#define SSL_ASSOC_MAX_LEN8192 8192

7525typedef struct ssl_association_info_callback_data
7526{
  char *str;
  const char *table_protocol;
7529} ssl_association_info_callback_data_t;

7531/**
* callback function used by ssl_association_info() to traverse the SSL associations.
*/
7534static void
7535ssl_association_info_(const char *table _U___attribute__((unused)), void *handle, void *user_data)
7536{
  ssl_association_info_callback_data_t* data = (ssl_association_info_callback_data_t*)user_data;
  const int l = (const int)strlen(data->str);
  snprintf(data->str+l, SSL_ASSOC_MAX_LEN8192-l, "'%s' (%s)\n", dissector_handle_get_dissector_name((dissector_handle_t)handle), dissector_handle_get_description((dissector_handle_t)handle));
7540}

7542/**
* @return an information string on the SSL protocol associations. The string must be freed.
*/
7545char*
7546ssl_association_info(const char* dissector_table_name, const char* table_protocol)
7547{
  ssl_association_info_callback_data_t data;

  data.str = (char *)g_malloc0(SSL_ASSOC_MAX_LEN8192);
  data.table_protocol = table_protocol;
  dissector_table_foreach_handle(dissector_table_name, ssl_association_info_, &data);
  return data.str;
7554}


7557/** Begin of code related to dissection of wire data. */

7559/* Helpers for dissecting Variable-Length Vectors. {{{ */
7560bool_Bool
7561ssl_add_vector(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
             unsigned offset, unsigned offset_end, uint32_t *ret_length,
             int hf_length, uint32_t min_value, uint32_t max_value)
7564{
  unsigned    veclen_size;
  uint32_t    veclen_value;
  proto_item *pi;

  DISSECTOR_ASSERT_CMPUINT(min_value, <=, max_value)((void) ((min_value <= max_value) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion " "min_value" " " "<=" " " "max_value"
 " (" "%" "l" "u" " " "<=" " " "%" "l" "u" ")", "epan/dissectors/packet-tls-utils.c"
, 7569, (uint64_t)min_value, (uint64_t)max_value))));
  if (offset > offset_end) {
      expert_add_info_format(pinfo, tree, &hf->ei.malformed_buffer_too_small,
                             "Vector offset is past buffer end offset (%u > %u)",
                             offset, offset_end);
      *ret_length = 0;
      return false0;   /* Cannot read length. */
  }

  if (max_value > 0xffffff) {
      veclen_size = 4;
  } else if (max_value > 0xffff) {
      veclen_size = 3;
  } else if (max_value > 0xff) {
      veclen_size = 2;
  } else {
      veclen_size = 1;
  }

  if (offset_end - offset < veclen_size) {
      proto_tree_add_expert_format(tree, pinfo, &hf->ei.malformed_buffer_too_small,
                                   tvb, offset, offset_end - offset,
                                   "No more room for vector of length %u",
                                   veclen_size);
      *ret_length = 0;
      return false0;   /* Cannot read length. */
  }

  pi = proto_tree_add_item_ret_uint(tree, hf_length, tvb, offset, veclen_size, ENC_BIG_ENDIAN0x00000000, &veclen_value);
  offset += veclen_size;

  if (veclen_value < min_value) {
      expert_add_info_format(pinfo, pi, &hf->ei.malformed_vector_length,
                             "Vector length %u is smaller than minimum %u",
                             veclen_value, min_value);
  } else if (veclen_value > max_value) {
      expert_add_info_format(pinfo, pi, &hf->ei.malformed_vector_length,
                             "Vector length %u is larger than maximum %u",
                             veclen_value, max_value);
  }

  if (offset_end - offset < veclen_value) {
      expert_add_info_format(pinfo, pi, &hf->ei.malformed_buffer_too_small,
                             "Vector length %u is too large, truncating it to %u",
                             veclen_value, offset_end - offset);
      *ret_length = offset_end - offset;
      return false0;   /* Length is truncated to avoid overflow. */
  }

  *ret_length = veclen_value;
  return true1;        /* Length is OK. */
7620}

7622bool_Bool
7623ssl_end_vector(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
             unsigned offset, unsigned offset_end)
7625{
  if (offset < offset_end) {
      unsigned trailing = offset_end - offset;
      proto_tree_add_expert_format(tree, pinfo, &hf->ei.malformed_trailing_data,
                                   tvb, offset, trailing,
                                   "%u trailing byte%s unprocessed",
                                   trailing, plurality(trailing, " was", "s were")((trailing) == 1 ? (" was") : ("s were")));
      return false0;   /* unprocessed data warning */
  } else if (offset > offset_end) {
      /*
       * Returned offset runs past the end. This should not happen and is
       * possibly a dissector bug.
       */
      unsigned excess = offset - offset_end;
      proto_tree_add_expert_format(tree, pinfo, &hf->ei.malformed_buffer_too_small,
                                   tvb, offset_end, excess,
                                   "Dissector processed too much data (%u byte%s)",
                                   excess, plurality(excess, "", "s")((excess) == 1 ? ("") : ("s")));
      return false0;   /* overflow error */
  }

  return true1;    /* OK, offset matches. */
7647}
7648/** }}} */


7651static uint32_t
7652ssl_dissect_digitally_signed(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                           proto_tree *tree, uint32_t offset, uint32_t offset_end,
                           uint16_t version, int hf_sig_len, int hf_sig);

7656/* change_cipher_spec(20) dissection */
7657void
7658ssl_dissect_change_cipher_spec(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                             packet_info *pinfo, proto_tree *tree,
                             uint32_t offset, SslSession *session,
                             bool_Bool is_from_server,
                             const SslDecryptSession *ssl)
7663{
  /*
   * struct {
   *     enum { change_cipher_spec(1), (255) } type;
   * } ChangeCipherSpec;
   */
  proto_item *ti;
  proto_item_set_text(tree,
          "%s Record Layer: %s Protocol: Change Cipher Spec",
          val_to_str_const(session->version, ssl_version_short_names, "SSL"),
          val_to_str_const(SSL_ID_CHG_CIPHER_SPEC, ssl_31_content_type, "unknown"));
  ti = proto_tree_add_item(tree, hf->hf.change_cipher_spec, tvb, offset, 1, ENC_NA0x00000000);

  if (session->version == TLSV1DOT3_VERSION0x304) {
      /* CCS is a dummy message in TLS 1.3, do not parse it further. */
      return;
  }

  /* Remember frame number of first CCS */
  uint32_t *ccs_frame = is_from_server ? &session->server_ccs_frame : &session->client_ccs_frame;
  if (*ccs_frame == 0)
      *ccs_frame = pinfo->num;

  /* Use heuristics to detect an abbreviated handshake, assume that missing
   * ServerHelloDone implies reusing previously negotiating keys. Then when
   * a Session ID or ticket is present, it must be a resumed session.
   * Normally this should be done at the Finished message, but that may be
   * encrypted so we do it here, at the last cleartext message. */
  if (is_from_server && ssl) {
      if (session->is_session_resumed) {
          const char *resumed = NULL((void*)0);
          if (ssl->session_ticket.data_len) {
              resumed = "Session Ticket";
          } else if (ssl->session_id.data_len) {
              resumed = "Session ID";
          }
          if (resumed) {
              ssl_debug_printf("%s Session resumption using %s\n", G_STRFUNC((const char*) (__func__)), resumed);
          } else {
              /* Can happen if the capture somehow starts in the middle */
              ssl_debug_printf("%s No Session resumption, missing packets?\n", G_STRFUNC((const char*) (__func__)));
          }
      } else {
          ssl_debug_printf("%s Not using Session resumption\n", G_STRFUNC((const char*) (__func__)));
      }
  }
  if (is_from_server && session->is_session_resumed)
      expert_add_info(pinfo, ti, &hf->ei.resumed);
7711}

7713/** Begin of handshake(22) record dissections */

7715/* Dissects a SignatureScheme (TLS 1.3) or SignatureAndHashAlgorithm (TLS 1.2).
* {{{ */
7717static void
7718tls_dissect_signature_algorithm(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree, uint32_t offset, ja4_data_t *ja4_data)
7719{
  uint32_t    sighash, hashalg, sigalg;
  proto_item *ti_sigalg;
  proto_tree *sigalg_tree;

  ti_sigalg = proto_tree_add_item_ret_uint(tree, hf->hf.hs_sig_hash_alg, tvb,
                                           offset, 2, ENC_BIG_ENDIAN0x00000000, &sighash);
  if (ja4_data) {
      wmem_list_append(ja4_data->sighash_list, GUINT_TO_POINTER(sighash)((gpointer) (gulong) (sighash)));
  }

  sigalg_tree = proto_item_add_subtree(ti_sigalg, hf->ett.hs_sig_hash_alg);

  /* TLS 1.2: SignatureAndHashAlgorithm { hash, signature } */
  proto_tree_add_item_ret_uint(sigalg_tree, hf->hf.hs_sig_hash_hash, tvb,
                               offset, 1, ENC_BIG_ENDIAN0x00000000, &hashalg);
  proto_tree_add_item_ret_uint(sigalg_tree, hf->hf.hs_sig_hash_sig, tvb,
                               offset + 1, 1, ENC_BIG_ENDIAN0x00000000, &sigalg);

  /* No TLS 1.3 SignatureScheme? Fallback to TLS 1.2 interpretation. */
  if (!try_val_to_str(sighash, tls13_signature_algorithm)) {
      proto_item_set_text(ti_sigalg, "Signature Algorithm: %s %s (0x%04x)",
              val_to_str_const(hashalg, tls_hash_algorithm, "Unknown"),
              val_to_str_const(sigalg, tls_signature_algorithm, "Unknown"),
              sighash);
  }
7745} /* }}} */

7747/* dissect a list of hash algorithms, return the number of bytes dissected
 this is used for the signature algorithms extension and for the
 TLS1.2 certificate request. {{{ */
7750static int
7751ssl_dissect_hash_alg_list(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree,
                        packet_info* pinfo, uint32_t offset, uint32_t offset_end, ja4_data_t *ja4_data)
7753{
  /* https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1
   *  struct {
   *       HashAlgorithm hash;
   *       SignatureAlgorithm signature;
   *  } SignatureAndHashAlgorithm;
   *  SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2>;
   */
  proto_tree *subtree;
  proto_item *ti;
  unsigned sh_alg_length;
  uint32_t    next_offset;

  /* SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2> */
  if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &sh_alg_length,
                      hf->hf.hs_sig_hash_alg_len, 2, UINT16_MAX(65535) - 1)) {
      return offset_end;
  }
  offset += 2;
  next_offset = offset + sh_alg_length;

  ti = proto_tree_add_none_format(tree, hf->hf.hs_sig_hash_algs, tvb, offset, sh_alg_length,
                                  "Signature Hash Algorithms (%u algorithm%s)",
                                  sh_alg_length / 2, plurality(sh_alg_length / 2, "", "s")((sh_alg_length / 2) == 1 ? ("") : ("s")));
  subtree = proto_item_add_subtree(ti, hf->ett.hs_sig_hash_algs);

  while (offset + 2 <= next_offset) {
      tls_dissect_signature_algorithm(hf, tvb, subtree, offset, ja4_data);
      offset += 2;
  }

  if (!ssl_end_vector(hf, tvb, pinfo, subtree, offset, next_offset)) {
      offset = next_offset;
  }

  return offset;
7789} /* }}} */

7791/* Dissection of DistinguishedName (for CertificateRequest and
* certificate_authorities extension). {{{ */
7793static uint32_t
7794tls_dissect_certificate_authorities(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                                  proto_tree *tree, uint32_t offset, uint32_t offset_end)
7796{
  proto_item *ti;
  proto_tree *subtree;
  uint32_t    dnames_length, next_offset;
  asn1_ctx_t  asn1_ctx;
  int         dnames_count = 100; /* the maximum number of DNs to add to the tree */

  /* Note: minimum length is 0 for TLS 1.1/1.2 and 3 for earlier/later */
  /* DistinguishedName certificate_authorities<0..2^16-1> */
  if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &dnames_length,
                      hf->hf.hs_dnames_len, 0, UINT16_MAX(65535))) {
      return offset_end;
  }
  offset += 2;
  next_offset = offset + dnames_length;

  if (dnames_length > 0) {
      ti = proto_tree_add_none_format(tree,
              hf->hf.hs_dnames,
              tvb, offset, dnames_length,
              "Distinguished Names (%d byte%s)",
              dnames_length,
              plurality(dnames_length, "", "s")((dnames_length) == 1 ? ("") : ("s")));
      subtree = proto_item_add_subtree(ti, hf->ett.dnames);

      asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true1, pinfo);

      while (offset < next_offset) {
          /* get the length of the current certificate */
          uint32_t name_length;

          if (dnames_count-- == 0) {
              /* stop adding to tree when the list is considered too large
               * https://gitlab.com/wireshark/wireshark/-/issues/16202
                 Note: dnames_count must be set low enough not to hit the
                 limit set by PINFO_LAYER_MAX_RECURSION_DEPTH in packet.c
               */
              ti = proto_tree_add_item(subtree, hf->hf.hs_dnames_truncated,
                  tvb, offset, next_offset - offset, ENC_NA0x00000000);
              proto_item_set_generated(ti);
              return next_offset;
          }

          /* opaque DistinguishedName<1..2^16-1> */
          if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, next_offset, &name_length,
                              hf->hf.hs_dname_len, 1, UINT16_MAX(65535))) {
              return next_offset;
          }
          offset += 2;

          dissect_x509if_DistinguishedName(false0, tvb, offset, &asn1_ctx,
                                           subtree, hf->hf.hs_dname);
          offset += name_length;
      }
  }
  return offset;
7852} /* }}} */


7855/** TLS Extensions (in Client Hello and Server Hello). {{{ */
7856static int
7857ssl_dissect_hnd_hello_ext_sig_hash_algs(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                                      proto_tree *tree, packet_info* pinfo, uint32_t offset, uint32_t offset_end, ja4_data_t *ja4_data)
7859{
  return ssl_dissect_hash_alg_list(hf, tvb, tree, pinfo, offset, offset_end, ja4_data);
7861}

7863static int
7864ssl_dissect_hnd_ext_delegated_credentials(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                                        proto_tree *tree, packet_info* pinfo, uint32_t offset, uint32_t offset_end, uint8_t hnd_type)
7866{
  if (hnd_type == SSL_HND_CLIENT_HELLO ||
      hnd_type == SSL_HND_CERT_REQUEST) {
      /*
       *  struct {
       *    SignatureScheme supported_signature_algorithm<2..2^16-2>;
       *  } SignatureSchemeList;
       */

      return ssl_dissect_hash_alg_list(hf, tvb, tree, pinfo, offset, offset_end, NULL((void*)0));
  } else {
      asn1_ctx_t asn1_ctx;
      unsigned pubkey_length, sign_length;

      /*
       *  struct {
       *    uint32 valid_time;
       *    SignatureScheme expected_cert_verify_algorithm;
       *    opaque ASN1_subjectPublicKeyInfo<1..2^24-1>;
       *  } Credential;
       *
       *  struct {
       *    Credential cred;
       *    SignatureScheme algorithm;
       *    opaque signature<0..2^16-1>;
       *  } DelegatedCredential;
       */

      asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true1, pinfo);

      proto_tree_add_item(tree, hf->hf.hs_cred_valid_time, tvb, offset, 4, ENC_BIG_ENDIAN0x00000000);
      offset += 4;

      tls_dissect_signature_algorithm(hf, tvb, tree, offset, NULL((void*)0));
      offset += 2;

      if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &pubkey_length,
                          hf->hf.hs_cred_pubkey_len, 1, G_MAXUINT24((1U << 24) - 1))) {
          return offset_end;
      }
      offset += 3;
      dissect_x509af_SubjectPublicKeyInfo(false0, tvb, offset, &asn1_ctx, tree, hf->hf.hs_cred_pubkey);
      offset += pubkey_length;

      tls_dissect_signature_algorithm(hf, tvb, tree, offset, NULL((void*)0));
      offset += 2;

      if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &sign_length,
                          hf->hf.hs_cred_signature_len, 1, UINT16_MAX(65535))) {
          return offset_end;
      }
      offset += 2;
      proto_tree_add_item(tree, hf->hf.hs_cred_signature,
                          tvb, offset, sign_length, ENC_ASCII0x00000000|ENC_NA0x00000000);
      offset += sign_length;

      return offset;
  }
7924}

7926static int
7927ssl_dissect_hnd_hello_ext_alps(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                             packet_info *pinfo, proto_tree *tree,
                             uint32_t offset, uint32_t offset_end,
                             uint8_t hnd_type)
7931{

  /* https://datatracker.ietf.org/doc/html/draft-vvv-tls-alps-01#section-4 */

  switch (hnd_type) {
  case SSL_HND_CLIENT_HELLO: {
      proto_tree *alps_tree;
      proto_item *ti;
      uint32_t    next_offset, alps_length, name_length;

     /*
      *  opaque ProtocolName<1..2^8-1>;
      *  struct {
      *      ProtocolName supported_protocols<2..2^16-1>
      *  } ApplicationSettingsSupport;
      */

      if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &alps_length,
                          hf->hf.hs_ext_alps_len, 2, UINT16_MAX(65535))) {
          return offset_end;
      }
      offset += 2;
      next_offset = offset + alps_length;

      ti = proto_tree_add_item(tree, hf->hf.hs_ext_alps_alpn_list,
                               tvb, offset, alps_length, ENC_NA0x00000000);
      alps_tree = proto_item_add_subtree(ti, hf->ett.hs_ext_alps);

      /* Parse list (note missing check for end of vector, ssl_add_vector below
       * ensures that data is always available.) */
      while (offset < next_offset) {
          if (!ssl_add_vector(hf, tvb, pinfo, alps_tree, offset, next_offset, &name_length,
                              hf->hf.hs_ext_alps_alpn_str_len, 1, UINT8_MAX(255))) {
              return next_offset;
          }
          offset++;

          proto_tree_add_item(alps_tree, hf->hf.hs_ext_alps_alpn_str,
                              tvb, offset, name_length, ENC_ASCII0x00000000|ENC_NA0x00000000);
          offset += name_length;
      }

      return offset;
  }
  case SSL_HND_ENCRYPTED_EXTS:
/* Opaque blob */
      proto_tree_add_item(tree, hf->hf.hs_ext_alps_settings,
                          tvb, offset, offset_end - offset, ENC_ASCII0x00000000|ENC_NA0x00000000);
      break;
  }

  return offset_end;
7983}

7985static int
7986ssl_dissect_hnd_hello_ext_alpn(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                             packet_info *pinfo, proto_tree *tree,
                             uint32_t offset, uint32_t offset_end,
                             uint8_t hnd_type, SslSession *session,
                             bool_Bool is_dtls, ja4_data_t *ja4_data)
7991{

  /* https://tools.ietf.org/html/rfc7301#section-3.1
   *  opaque ProtocolName<1..2^8-1>;
   *  struct {
   *      ProtocolName protocol_name_list<2..2^16-1>
   *  } ProtocolNameList;
   */
  proto_tree *alpn_tree;
  proto_item *ti;
  uint32_t    next_offset, alpn_length, name_length;
  const char *proto_name = NULL((void*)0), *client_proto_name = NULL((void*)0);

  /* ProtocolName protocol_name_list<2..2^16-1> */
  if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &alpn_length,
                      hf->hf.hs_ext_alpn_len, 2, UINT16_MAX(65535))) {
      return offset_end;
  }
  offset += 2;
  next_offset = offset + alpn_length;

  ti = proto_tree_add_item(tree, hf->hf.hs_ext_alpn_list,
                           tvb, offset, alpn_length, ENC_NA0x00000000);
  alpn_tree = proto_item_add_subtree(ti, hf->ett.hs_ext_alpn);

  /* Parse list (note missing check for end of vector, ssl_add_vector below
   * ensures that data is always available.) */
  while (offset < next_offset) {
      /* opaque ProtocolName<1..2^8-1> */
      if (!ssl_add_vector(hf, tvb, pinfo, alpn_tree, offset, next_offset, &name_length,
                          hf->hf.hs_ext_alpn_str_len, 1, UINT8_MAX(255))) {
          return next_offset;
      }
      offset++;

      proto_tree_add_item(alpn_tree, hf->hf.hs_ext_alpn_str,
                          tvb, offset, name_length, ENC_ASCII0x00000000|ENC_NA0x00000000);
      if (ja4_data && wmem_strbuf_get_len(ja4_data->alpn) == 0) {
          const char alpn_first_char = (char)tvb_get_uint8(tvb,offset);
          const char alpn_last_char = (char)tvb_get_uint8(tvb,offset + name_length - 1);
          if ((g_ascii_isalnum(alpn_first_char)((g_ascii_table[(guchar) (alpn_first_char)] & G_ASCII_ALNUM
) != 0)) && g_ascii_isalnum(alpn_last_char)((g_ascii_table[(guchar) (alpn_last_char)] & G_ASCII_ALNUM
) != 0)) {
              wmem_strbuf_append_printf(ja4_data->alpn, "%c%c", alpn_first_char, alpn_last_char);
          }
          else {
              wmem_strbuf_append_printf(ja4_data->alpn, "%x%x",(alpn_first_char >> 4) & 0x0F,
                  alpn_last_char & 0x0F);
          }
      }
      /* Remember first ALPN ProtocolName entry for server. */
      if (hnd_type == SSL_HND_SERVER_HELLO || hnd_type == SSL_HND_ENCRYPTED_EXTENSIONS) {
          /* '\0'-terminated string for dissector table match and prefix
           * comparison purposes. */
          proto_name = (char*)tvb_get_string_enc(pinfo->pool, tvb, offset,
                                          name_length, ENC_ASCII0x00000000);
      } else if (hnd_type == SSL_HND_CLIENT_HELLO) {
          client_proto_name = (char*)tvb_get_string_enc(pinfo->pool, tvb, offset,
                                                 name_length, ENC_ASCII0x00000000);
      }
      offset += name_length;
  }

  /* If ALPN is given in ServerHello, then ProtocolNameList MUST contain
   * exactly one "ProtocolName". */
  if (proto_name) {
      dissector_handle_t handle;

      session->alpn_name = wmem_strdup(wmem_file_scope(), proto_name);

      if (is_dtls) {
          handle = dissector_get_string_handle(dtls_alpn_dissector_table,
                                               proto_name);
      } else {
          handle = dissector_get_string_handle(ssl_alpn_dissector_table,
                                               proto_name);
          if (handle == NULL((void*)0)) {
              /* Try prefix matching */
              for (size_t i = 0; i < G_N_ELEMENTS(ssl_alpn_prefix_match_protocols)(sizeof (ssl_alpn_prefix_match_protocols) / sizeof ((ssl_alpn_prefix_match_protocols
)[0])); i++) {
                  const ssl_alpn_prefix_match_protocol_t *alpn_proto = &ssl_alpn_prefix_match_protocols[i];

                  /* string_string is inappropriate as it compares strings
                   * while "byte strings MUST NOT be truncated" (RFC 7301) */
                  if (g_str_has_prefix(proto_name, alpn_proto->proto_prefix)(__builtin_constant_p (alpn_proto->proto_prefix)? __extension__
 ({ const char * const __str = (proto_name); const char * const
 __prefix = (alpn_proto->proto_prefix); gboolean __result =
 (0); if (__str == ((void*)0) || __prefix == ((void*)0)) __result
 = (g_str_has_prefix) (__str, __prefix); else { const size_t __str_len
 = strlen (((__str) + !(__str))); const size_t __prefix_len =
 strlen (((__prefix) + !(__prefix))); if (__str_len >= __prefix_len
) __result = memcmp (((__str) + !(__str)), ((__prefix) + !(__prefix
)), __prefix_len) == 0; } __result; }) : (g_str_has_prefix) (
proto_name, alpn_proto->proto_prefix) )) {
                      handle = find_dissector(alpn_proto->dissector_name);
                      break;
                  }
              }
          }
      }
      if (handle != NULL((void*)0)) {
          /* ProtocolName match, so set the App data dissector handle.
           * This may override protocols given via the UAT dialog, but
           * since the ALPN hint is precise, do it anyway. */
          ssl_debug_printf("%s: changing handle %p to %p (%s)", G_STRFUNC((const char*) (__func__)),
                           (void *)session->app_handle,
                           (void *)handle,
                           dissector_handle_get_dissector_name(handle));
          session->app_handle = handle;
      }
  } else if (client_proto_name) {
      // No current use for looking up the handle as the only consumer of this API is currently the QUIC dissector
      // and it just needs the string since there are/were various HTTP/3 ALPNs to check for.
      session->client_alpn_name = wmem_strdup(wmem_file_scope(), client_proto_name);
  }

  return offset;
8096}

8098static int
8099ssl_dissect_hnd_hello_ext_npn(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                            packet_info *pinfo, proto_tree *tree,
                            uint32_t offset, uint32_t offset_end)
8102{
  /* https://tools.ietf.org/html/draft-agl-tls-nextprotoneg-04#page-3
   *   The "extension_data" field of a "next_protocol_negotiation" extension
   *   in a "ServerHello" contains an optional list of protocols advertised
   *   by the server.  Protocols are named by opaque, non-empty byte strings
   *   and the list of protocols is serialized as a concatenation of 8-bit,
   *   length prefixed byte strings.  Implementations MUST ensure that the
   *   empty string is not included and that no byte strings are truncated.
   */
  uint32_t    npn_length;
  proto_tree *npn_tree;

  /* List is optional, do not add tree if there are no entries. */
  if (offset == offset_end) {
      return offset;
  }

  npn_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset, hf->ett.hs_ext_npn, NULL((void*)0), "Next Protocol Negotiation");

  while (offset < offset_end) {
      /* non-empty, 8-bit length prefixed strings means range 1..255 */
      if (!ssl_add_vector(hf, tvb, pinfo, npn_tree, offset, offset_end, &npn_length,
                          hf->hf.hs_ext_npn_str_len, 1, UINT8_MAX(255))) {
          return offset_end;
      }
      offset++;

      proto_tree_add_item(npn_tree, hf->hf.hs_ext_npn_str,
                          tvb, offset, npn_length, ENC_ASCII0x00000000|ENC_NA0x00000000);
      offset += npn_length;
  }

  return offset;
8135}

8137static int
8138ssl_dissect_hnd_hello_ext_reneg_info(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                                   packet_info *pinfo, proto_tree *tree,
                                   uint32_t offset, uint32_t offset_end)
8141{
  /* https://tools.ietf.org/html/rfc5746#section-3.2
   *  struct {
   *      opaque renegotiated_connection<0..255>;
   *  } RenegotiationInfo;
   *
   */
  proto_tree *reneg_info_tree;
  uint32_t    reneg_info_length;

  reneg_info_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset, hf->ett.hs_ext_reneg_info, NULL((void*)0), "Renegotiation Info extension");

  /* opaque renegotiated_connection<0..255> */
  if (!ssl_add_vector(hf, tvb, pinfo, reneg_info_tree, offset, offset_end, &reneg_info_length,
                      hf->hf.hs_ext_reneg_info_len, 0, 255)) {
      return offset_end;
  }
  offset++;

  if (reneg_info_length > 0) {
      proto_tree_add_item(reneg_info_tree, hf->hf.hs_ext_reneg_info, tvb, offset, reneg_info_length, ENC_NA0x00000000);
      offset += reneg_info_length;
  }

  return offset;
8166}

8168static int
8169ssl_dissect_hnd_hello_ext_key_share_entry(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                                        proto_tree *tree, uint32_t offset, uint32_t offset_end,
                                        const char **group_name_out)
8172{
 /* RFC 8446 Section 4.2.8
  *   struct {
  *       NamedGroup group;
  *       opaque key_exchange<1..2^16-1>;
  *   } KeyShareEntry;
  */
  uint32_t key_exchange_length, group;
  proto_tree *ks_tree;

  ks_tree = proto_tree_add_subtree(tree, tvb, offset, 4, hf->ett.hs_ext_key_share_ks, NULL((void*)0), "Key Share Entry");

  proto_tree_add_item_ret_uint(ks_tree, hf->hf.hs_ext_key_share_group, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &group);
  offset += 2;
  const char *group_name = val_to_str(pinfo->pool, group, ssl_extension_curves, "Unknown (%u)");
  proto_item_append_text(ks_tree, ": Group: %s", group_name);
  if (group_name_out) {
      *group_name_out = !IS_GREASE_TLS(group)((((group) & 0x0f0f) == 0x0a0a) && (((group) &
 0xff) == (((group)>>8) & 0xff))) ? group_name : NULL((void*)0);
  }

  /* opaque key_exchange<1..2^16-1> */
  if (!ssl_add_vector(hf, tvb, pinfo, ks_tree, offset, offset_end, &key_exchange_length,
                      hf->hf.hs_ext_key_share_key_exchange_length, 1, UINT16_MAX(65535))) {
      return offset_end;  /* Bad (possible truncated) length, skip to end of KeyShare extension. */
  }
  offset += 2;
  proto_item_set_len(ks_tree, 2 + 2 + key_exchange_length);
  proto_item_append_text(ks_tree, ", Key Exchange length: %u", key_exchange_length);

  proto_tree_add_item(ks_tree, hf->hf.hs_ext_key_share_key_exchange, tvb, offset, key_exchange_length, ENC_NA0x00000000);
  offset += key_exchange_length;

  return offset;
8205}

8207static int
8208ssl_dissect_hnd_hello_ext_key_share(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                                  proto_tree *tree, uint32_t offset, uint32_t offset_end,
                                  uint8_t hnd_type, SslDecryptSession *ssl)
8211{
  proto_tree *key_share_tree;
  uint32_t next_offset;
  uint32_t client_shares_length;
  uint32_t group;
  const char *group_name = NULL((void*)0);

  if (offset_end <= offset) {  /* Check if ext_len == 0 and "overflow" (offset + ext_len) > uint32_t) */
      return offset;
  }

  key_share_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset, hf->ett.hs_ext_key_share, NULL((void*)0), "Key Share extension");

  switch(hnd_type){
      case SSL_HND_CLIENT_HELLO:
          /* KeyShareEntry client_shares<0..2^16-1> */
          if (!ssl_add_vector(hf, tvb, pinfo, key_share_tree, offset, offset_end, &client_shares_length,
                              hf->hf.hs_ext_key_share_client_length, 0, UINT16_MAX(65535))) {
              return offset_end;
          }
          offset += 2;
          next_offset = offset + client_shares_length;
          const char *sep = " ";
          while (offset + 4 <= next_offset) { /* (NamedGroup (2 bytes), key_exchange (1 byte for length, 1 byte minimum data) */
              offset = ssl_dissect_hnd_hello_ext_key_share_entry(hf, tvb, pinfo, key_share_tree, offset, next_offset, &group_name);
              if (group_name) {
                  proto_item_append_text(tree, "%s%s", sep, group_name);
                  sep = ", ";
              }
          }
          if (!ssl_end_vector(hf, tvb, pinfo, key_share_tree, offset, next_offset)) {
              return next_offset;
          }
      break;
      case SSL_HND_SERVER_HELLO:
          if (ssl) {
              ssl->has_key_share = true1;
          }
          offset = ssl_dissect_hnd_hello_ext_key_share_entry(hf, tvb, pinfo, key_share_tree, offset, offset_end, &group_name);
          if (group_name) {
              proto_item_append_text(tree, " %s", group_name);
          }
      break;
      case SSL_HND_HELLO_RETRY_REQUEST:
          proto_tree_add_item_ret_uint(key_share_tree, hf->hf.hs_ext_key_share_selected_group, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &group);
          offset += 2;
          group_name = val_to_str(pinfo->pool, group, ssl_extension_curves, "Unknown (%u)");
          proto_item_append_text(tree, " %s", group_name);
      break;
      default: /* no default */
      break;
  }

  return offset;
8265}

8267static int
8268ssl_dissect_hnd_hello_ext_pre_shared_key(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                                       proto_tree *tree, uint32_t offset, uint32_t offset_end,
                                       uint8_t hnd_type, SslDecryptSession *ssl)
8271{
  /* RFC 8446 Section 4.2.11
   *  struct {
   *      opaque identity<1..2^16-1>;
   *      uint32 obfuscated_ticket_age;
   *  } PskIdentity;
   *  opaque PskBinderEntry<32..255>;
   *  struct {
   *      select (Handshake.msg_type) {
   *          case client_hello:
   *              PskIdentity identities<7..2^16-1>;
   *              PskBinderEntry binders<33..2^16-1>;
   *          case server_hello:
   *              uint16 selected_identity;
   *      };
   *  } PreSharedKeyExtension;
   */

  proto_tree *psk_tree;

  psk_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset, hf->ett.hs_ext_pre_shared_key, NULL((void*)0), "Pre-Shared Key extension");

  switch (hnd_type){
      case SSL_HND_CLIENT_HELLO: {
          uint32_t identities_length, identities_end, binders_length;

          /* PskIdentity identities<7..2^16-1> */
          if (!ssl_add_vector(hf, tvb, pinfo, psk_tree, offset, offset_end, &identities_length,
                              hf->hf.hs_ext_psk_identities_length, 7, UINT16_MAX(65535))) {
              return offset_end;
          }
          offset += 2;
          identities_end = offset + identities_length;

          while (offset < identities_end) {
              uint32_t identity_length;
              proto_tree *identity_tree;

              identity_tree = proto_tree_add_subtree(psk_tree, tvb, offset, 4, hf->ett.hs_ext_psk_identity, NULL((void*)0), "PSK Identity (");

              /* opaque identity<1..2^16-1> */
              if (!ssl_add_vector(hf, tvb, pinfo, identity_tree, offset, identities_end, &identity_length,
                                  hf->hf.hs_ext_psk_identity_identity_length, 1, UINT16_MAX(65535))) {
                  return identities_end;
              }
              offset += 2;
              proto_item_append_text(identity_tree, "length: %u)", identity_length);

              proto_tree_add_item(identity_tree, hf->hf.hs_ext_psk_identity_identity, tvb, offset, identity_length, ENC_BIG_ENDIAN0x00000000);
              offset += identity_length;

              proto_tree_add_item(identity_tree, hf->hf.hs_ext_psk_identity_obfuscated_ticket_age, tvb, offset, 4, ENC_BIG_ENDIAN0x00000000);
              offset += 4;

              proto_item_set_len(identity_tree, 2 + identity_length + 4);
          }
          if (!ssl_end_vector(hf, tvb, pinfo, psk_tree, offset, identities_end)) {
              offset = identities_end;
          }

          /* PskBinderEntry binders<33..2^16-1> */
          if (!ssl_add_vector(hf, tvb, pinfo, psk_tree, offset, offset_end, &binders_length,
                              hf->hf.hs_ext_psk_binders_length, 33, UINT16_MAX(65535))) {
              return offset_end;
          }
          offset += 2;

          proto_item *binders_item;
          proto_tree *binders_tree;
          binders_item = proto_tree_add_item(psk_tree, hf->hf.hs_ext_psk_binders, tvb, offset, binders_length, ENC_NA0x00000000);
          binders_tree = proto_item_add_subtree(binders_item, hf->ett.hs_ext_psk_binders);
          uint32_t binders_end = offset + binders_length;
          while (offset < binders_end) {
              uint32_t binder_length;
              proto_item *binder_item;
              proto_tree *binder_tree;

              binder_item = proto_tree_add_item(binders_tree, hf->hf.hs_ext_psk_binder, tvb, offset, 1, ENC_NA0x00000000);
              binder_tree = proto_item_add_subtree(binder_item, hf->ett.hs_ext_psk_binder);

              /* opaque PskBinderEntry<32..255>; */
              if (!ssl_add_vector(hf, tvb, pinfo, binder_tree, offset, binders_end, &binder_length,
                                  hf->hf.hs_ext_psk_binder_binder_length, 32, 255)) {
                  return binders_end;
              }
              offset += 1;
              proto_item_append_text(binder_tree, " (length: %u)", binder_length);

              proto_tree_add_item(binder_tree, hf->hf.hs_ext_psk_binder_binder, tvb, offset, binder_length, ENC_BIG_ENDIAN0x00000000);
              offset += binder_length;

              proto_item_set_end(binder_item, tvb, offset);
          }
      }
      break;
      case SSL_HND_SERVER_HELLO: {
          if (ssl) {
              ssl_debug_printf("%s found pre_shared_key extension\n", G_STRFUNC((const char*) (__func__)));
              ssl->has_psk = true1;
          }
          proto_tree_add_item(psk_tree, hf->hf.hs_ext_psk_identity_selected, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
          offset += 2;
      }
      break;
      default:
      break;
  }

  return offset;
8380}

8382static uint32_t
8383ssl_dissect_hnd_hello_ext_early_data(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo _U___attribute__((unused)),
                                   proto_tree *tree, uint32_t offset, uint32_t offset_end _U___attribute__((unused)),
                                   uint8_t hnd_type, SslDecryptSession *ssl)
8386{
  /* RFC 8446 Section 4.2.10
   *  struct {} Empty;
   *  struct {
   *      select (Handshake.msg_type) {
   *          case new_session_ticket:   uint32 max_early_data_size;
   *          case client_hello:         Empty;
   *          case encrypted_extensions: Empty;
   *      };
   *  } EarlyDataIndication;
   */
  switch (hnd_type) {
  case SSL_HND_CLIENT_HELLO:
      /* Remember that early_data will follow the handshake. */
      if (ssl) {
          ssl_debug_printf("%s found early_data extension\n", G_STRFUNC((const char*) (__func__)));
          ssl->has_early_data = true1;
      }
      break;
  case SSL_HND_NEWSESSION_TICKET:
      proto_tree_add_item(tree, hf->hf.hs_ext_max_early_data_size, tvb, offset, 4, ENC_BIG_ENDIAN0x00000000);
      offset += 4;
      break;
  default:
      break;
  }
  return offset;
8413}

8415static uint16_t
8416tls_try_get_version(bool_Bool is_dtls, uint16_t version, uint8_t *draft_version)
8417{
  if (draft_version) {
      *draft_version = 0;
  }
  if (!is_dtls) {
      uint8_t tls13_draft = extract_tls13_draft_version(version);
      if (tls13_draft != 0) {
          /* This is TLS 1.3 (a draft version). */
          if (draft_version) {
              *draft_version = tls13_draft;
          }
          version = TLSV1DOT3_VERSION0x304;
      }
      if (version == 0xfb17 || version == 0xfb1a) {
          /* Unofficial TLS 1.3 draft version for Facebook fizz. */
          tls13_draft = (uint8_t)version;
          if (draft_version) {
              *draft_version = tls13_draft;
          }
          version = TLSV1DOT3_VERSION0x304;
      }
  }

  switch (version) {
  case SSLV3_VERSION0x300:
  case TLSV1_VERSION0x301:
  case TLSV1DOT1_VERSION0x302:
  case TLSV1DOT2_VERSION0x303:
  case TLSV1DOT3_VERSION0x304:
  case TLCPV1_VERSION0x101:
      if (is_dtls)
          return SSL_VER_UNKNOWN0;
      break;

  case DTLSV1DOT0_VERSION0xfeff:
  case DTLSV1DOT0_OPENSSL_VERSION0x100:
  case DTLSV1DOT2_VERSION0xfefd:
  case DTLSV1DOT3_VERSION0xfefc:
      if (!is_dtls)
          return SSL_VER_UNKNOWN0;
      break;

  default: /* invalid version number */
      return SSL_VER_UNKNOWN0;
  }

  return version;
8464}

8466static int
8467ssl_dissect_hnd_hello_ext_supported_versions(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                                           proto_tree *tree, uint32_t offset, uint32_t offset_end,
                                           SslSession *session, bool_Bool is_dtls, ja4_data_t *ja4_data)
8470{

 /* RFC 8446 Section 4.2.1
  * struct {
  *     ProtocolVersion versions<2..254>; // ClientHello
  * } SupportedVersions;
  * Note that ServerHello and HelloRetryRequest are handled by the caller.
  */
  uint32_t    versions_length, next_offset;
  /* ProtocolVersion versions<2..254> */
  if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &versions_length,
                      hf->hf.hs_ext_supported_versions_len, 2, 254)) {
      return offset_end;
  }
  offset++;
  next_offset = offset + versions_length;

  unsigned version;
  unsigned current_version, lowest_version = SSL_VER_UNKNOWN0;
  uint8_t draft_version, max_draft_version = 0;
  const char *sep = " ";
  while (offset + 2 <= next_offset) {
      proto_tree_add_item_ret_uint(tree, hf->hf.hs_ext_supported_version, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &version);
      offset += 2;

      if (!IS_GREASE_TLS(version)((((version) & 0x0f0f) == 0x0a0a) && (((version) &
 0xff) == (((version)>>8) & 0xff)))) {
          proto_item_append_text(tree, "%s%s", sep, val_to_str(pinfo->pool, version, ssl_versions, "Unknown (0x%04x)"));
          sep = ", ";
      }

      current_version = tls_try_get_version(is_dtls, version, &draft_version);
      if (session->version == SSL_VER_UNKNOWN0) {
          if (lowest_version == SSL_VER_UNKNOWN0) {
              lowest_version = current_version;
          } else if (current_version != SSL_VER_UNKNOWN0) {
              if (!is_dtls) {
                  lowest_version = MIN(lowest_version, current_version)(((lowest_version) < (current_version)) ? (lowest_version)
 : (current_version));
              } else {
                  lowest_version = MAX(lowest_version, current_version)(((lowest_version) > (current_version)) ? (lowest_version)
 : (current_version));
              }
          }
      }
      max_draft_version = MAX(draft_version, max_draft_version)(((draft_version) > (max_draft_version)) ? (draft_version)
 : (max_draft_version));
      if (ja4_data && !IS_GREASE_TLS(version)((((version) & 0x0f0f) == 0x0a0a) && (((version) &
 0xff) == (((version)>>8) & 0xff)))) {
          /* The DTLS version numbers get mapped to "00" for unknown per
           * JA4 spec, but if JA4 ever does support DTLS we'll probably
           * need to take the MIN instead of MAX here for DTLS.
           */
          ja4_data->max_version = MAX(version, ja4_data->max_version)(((version) > (ja4_data->max_version)) ? (version) : (ja4_data
->max_version));
      }
  }
  if (session->version == SSL_VER_UNKNOWN0 && lowest_version != SSL_VER_UNKNOWN0) {
      col_set_str(pinfo->cinfo, COL_PROTOCOL,
                  val_to_str_const(version, ssl_version_short_names, is_dtls ? "DTLS" : "TLS"));
  }
  if (!ssl_end_vector(hf, tvb, pinfo, tree, offset, next_offset)) {
      offset = next_offset;
  }

  /* XXX remove this when draft 19 support is dropped,
   * this is only required for early data decryption. */
  if (max_draft_version) {
      session->tls13_draft_version = max_draft_version;
  }

  return offset;
8536}

8538static int
8539ssl_dissect_hnd_hello_ext_cookie(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                               packet_info *pinfo, proto_tree *tree,
                               uint32_t offset, uint32_t offset_end)
8542{
  /* RFC 8446 Section 4.2.2
   *  struct {
   *      opaque cookie<1..2^16-1>;
   *  } Cookie;
   */
  uint32_t cookie_length;
  /* opaque cookie<1..2^16-1> */
  if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &cookie_length,
                      hf->hf.hs_ext_cookie_len, 1, UINT16_MAX(65535))) {
      return offset_end;
  }
  offset += 2;

  proto_tree_add_item(tree, hf->hf.hs_ext_cookie, tvb, offset, cookie_length, ENC_NA0x00000000);
  offset += cookie_length;

  return offset;
8560}

8562static int
8563ssl_dissect_hnd_hello_ext_psk_key_exchange_modes(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                                               proto_tree *tree, uint32_t offset, uint32_t offset_end)
8565{
  /* RFC 8446 Section 4.2.9
   * enum { psk_ke(0), psk_dhe_ke(1), (255) } PskKeyExchangeMode;
   *
   * struct {
   *     PskKeyExchangeMode ke_modes<1..255>;
   * } PskKeyExchangeModes;
   */
  uint32_t ke_modes_length, next_offset;

  /* PskKeyExchangeMode ke_modes<1..255> */
  if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &ke_modes_length,
                      hf->hf.hs_ext_psk_ke_modes_length, 1, 255)) {
      return offset_end;
  }
  offset++;
  next_offset = offset + ke_modes_length;

  while (offset < next_offset) {
      proto_tree_add_item(tree, hf->hf.hs_ext_psk_ke_mode, tvb, offset, 1, ENC_NA0x00000000);
      offset++;
  }

  return offset;
8589}

8591static uint32_t
8592ssl_dissect_hnd_hello_ext_certificate_authorities(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                                                proto_tree *tree, uint32_t offset, uint32_t offset_end)
8594{
  /* RFC 8446 Section 4.2.4
   *  opaque DistinguishedName<1..2^16-1>;
   *  struct {
   *      DistinguishedName authorities<3..2^16-1>;
   *  } CertificateAuthoritiesExtension;
   */
  return tls_dissect_certificate_authorities(hf, tvb, pinfo, tree, offset, offset_end);
8602}

8604static int
8605ssl_dissect_hnd_hello_ext_oid_filters(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                                    proto_tree *tree, uint32_t offset, uint32_t offset_end)
8607{
  /* RFC 8446 Section 4.2.5
   *  struct {
   *      opaque certificate_extension_oid<1..2^8-1>;
   *      opaque certificate_extension_values<0..2^16-1>;
   *  } OIDFilter;
   *  struct {
   *      OIDFilter filters<0..2^16-1>;
   *  } OIDFilterExtension;
   */
  proto_tree *subtree;
  uint32_t    filters_length, oid_length, values_length, value_offset;
  asn1_ctx_t  asn1_ctx;
  const char *oid, *name;

  /* OIDFilter filters<0..2^16-1> */
  if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &filters_length,
                      hf->hf.hs_ext_psk_ke_modes_length, 0, UINT16_MAX(65535))) {
      return offset_end;
  }
  offset += 2;
  offset_end = offset + filters_length;

  asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true1, pinfo);

  while (offset < offset_end) {
      subtree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
                                       hf->ett.hs_ext_oid_filter, NULL((void*)0), "OID Filter");

      /* opaque certificate_extension_oid<1..2^8-1> */
      if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, offset_end, &oid_length,
                  hf->hf.hs_ext_oid_filters_oid_length, 1, UINT8_MAX(255))) {
          return offset_end;
      }
      offset++;
      dissect_ber_object_identifier_str(false0, &asn1_ctx, subtree, tvb, offset,
                                        hf->hf.hs_ext_oid_filters_oid, &oid);
      offset += oid_length;

      /* Append OID to tree label */
      name = oid_resolved_from_string(pinfo->pool, oid);
      proto_item_append_text(subtree, " (%s)", name ? name : oid);

      /* opaque certificate_extension_values<0..2^16-1> */
      if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, offset_end, &values_length,
                  hf->hf.hs_ext_oid_filters_values_length, 0, UINT16_MAX(65535))) {
          return offset_end;
      }
      offset += 2;
      proto_item_set_len(subtree, 1 + oid_length + 2 + values_length);
      if (values_length > 0) {
          value_offset = offset;
          value_offset = dissect_ber_identifier(pinfo, subtree, tvb, value_offset, NULL((void*)0), NULL((void*)0), NULL((void*)0));
          value_offset = dissect_ber_length(pinfo, subtree, tvb, value_offset, NULL((void*)0), NULL((void*)0));
          call_ber_oid_callback(oid, tvb, value_offset, pinfo, subtree, NULL((void*)0));
      }
      offset += values_length;
  }

  return offset;
8667}

8669static int
8670ssl_dissect_hnd_hello_ext_server_name(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                                    packet_info *pinfo, proto_tree *tree,
                                    uint32_t offset, uint32_t offset_end)
8673{
  /* https://tools.ietf.org/html/rfc6066#section-3
   *
   *  struct {
   *      NameType name_type;
   *      select (name_type) {
   *          case host_name: HostName;
   *      } name;
   *  } ServerName;
   *
   *  enum {
   *      host_name(0), (255)
   *  } NameType;
   *
   *  opaque HostName<1..2^16-1>;
   *
   *  struct {
   *      ServerName server_name_list<1..2^16-1>
   *  } ServerNameList;
   */
  proto_tree *server_name_tree;
  uint32_t    list_length, server_name_length, next_offset;

  /* The server SHALL include "server_name" extension with empty data. */
  if (offset == offset_end) {
      return offset;
  }

  server_name_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset, hf->ett.hs_ext_server_name, NULL((void*)0), "Server Name Indication extension");

  /* ServerName server_name_list<1..2^16-1> */
  if (!ssl_add_vector(hf, tvb, pinfo, server_name_tree, offset, offset_end, &list_length,
                      hf->hf.hs_ext_server_name_list_len, 1, UINT16_MAX(65535))) {
      return offset_end;
  }
  offset += 2;
  next_offset = offset + list_length;

  while (offset < next_offset) {
      uint32_t name_type;
      const char *server_name = NULL((void*)0);
      proto_tree_add_item_ret_uint(server_name_tree, hf->hf.hs_ext_server_name_type,
                                   tvb, offset, 1, ENC_NA0x00000000, &name_type);
      offset++;

      /* opaque HostName<1..2^16-1> */
      if (!ssl_add_vector(hf, tvb, pinfo, server_name_tree, offset, next_offset, &server_name_length,
                         hf->hf.hs_ext_server_name_len, 1, UINT16_MAX(65535))) {
          return next_offset;
      }
      offset += 2;

      proto_tree_add_item_ret_string(server_name_tree, hf->hf.hs_ext_server_name,
                                     tvb, offset, server_name_length, ENC_ASCII0x00000000|ENC_NA0x00000000,
                                     pinfo->pool, (const uint8_t**)&server_name);
      offset += server_name_length;
      // Each type must only occur once, so we don't check for duplicates.
      if (name_type == 0) {
          proto_item_append_text(tree, " name=%s", server_name);
          col_append_fstr(pinfo->cinfo, COL_INFO, " (SNI=%s)", server_name);

          if (gbl_resolv_flags.handshake_sni_addr_resolution) {
              // Client Hello: Client (Src) -> Server (Dst)
              switch (pinfo->dst.type) {
                  case AT_IPv4:
                      if (pinfo->dst.len == sizeof(uint32_t)) {
                          add_ipv4_name(*(uint32_t *)pinfo->dst.data, server_name, false0);
                      }
                      break;
                  case AT_IPv6:
                      if (pinfo->dst.len == sizeof(ws_in6_addr)) {
                          add_ipv6_name(pinfo->dst.data, server_name, false0);
                      }
                      break;
              }
          }
      }
  }
  return offset;
8752}

8754static int
8755ssl_dissect_hnd_hello_ext_session_ticket(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                                    proto_tree *tree, uint32_t offset, uint32_t offset_end, uint8_t hnd_type, SslDecryptSession *ssl)
8757{
  unsigned    ext_len = offset_end - offset;
  if (hnd_type == SSL_HND_CLIENT_HELLO && ssl && ext_len != 0) {
      tvb_ensure_bytes_exist(tvb, offset, ext_len);
      /* Save the Session Ticket such that it can be used as identifier for
       * restoring a previous Master Secret (in ChangeCipherSpec) */
      ssl->session_ticket.data = (unsigned char*)wmem_realloc(wmem_file_scope(),
                                  ssl->session_ticket.data, ext_len);
      ssl->session_ticket.data_len = ext_len;
      tvb_memcpy(tvb,ssl->session_ticket.data, offset, ext_len);
  }
  proto_tree_add_item(tree, hf->hf.hs_ext_session_ticket,
                      tvb, offset, ext_len, ENC_NA0x00000000);
  return offset + ext_len;
8771}

8773static int
8774ssl_dissect_hnd_hello_ext_cert_type(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                                  proto_tree *tree, uint32_t offset, uint32_t offset_end,
                                  uint8_t hnd_type, uint16_t ext_type, SslSession *session)
8777{
  uint8_t     cert_list_length;
  uint8_t     cert_type;
  proto_tree *cert_list_tree;
  proto_item *ti;

  switch(hnd_type){
  case SSL_HND_CLIENT_HELLO:
      cert_list_length = tvb_get_uint8(tvb, offset);
      proto_tree_add_item(tree, hf->hf.hs_ext_cert_types_len,
                          tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
      offset += 1;
      if (offset_end - offset != (uint32_t)cert_list_length)
          return offset;

      ti = proto_tree_add_item(tree, hf->hf.hs_ext_cert_types, tvb, offset,
                               cert_list_length, cert_list_length);
      proto_item_append_text(ti, " (%d)", cert_list_length);

      /* make this a subtree */
      cert_list_tree = proto_item_add_subtree(ti, hf->ett.hs_ext_cert_types);

      /* loop over all point formats */
      while (cert_list_length > 0)
      {
          proto_tree_add_item(cert_list_tree, hf->hf.hs_ext_cert_type, tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
          offset++;
          cert_list_length--;
      }
  break;
  case SSL_HND_SERVER_HELLO:
  case SSL_HND_ENCRYPTED_EXTENSIONS:
  case SSL_HND_CERTIFICATE:
      cert_type = tvb_get_uint8(tvb, offset);
      proto_tree_add_item(tree, hf->hf.hs_ext_cert_type, tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
      offset += 1;
      if (ext_type == SSL_HND_HELLO_EXT_CERT_TYPE9 || ext_type == SSL_HND_HELLO_EXT_CLIENT_CERT_TYPE19) {
          session->client_cert_type = cert_type;
      }
      if (ext_type == SSL_HND_HELLO_EXT_CERT_TYPE9 || ext_type == SSL_HND_HELLO_EXT_SERVER_CERT_TYPE20) {
          session->server_cert_type = cert_type;
      }
  break;
  default: /* no default */
  break;
  }

  return offset;
8825}

8827static uint32_t
8828ssl_dissect_hnd_hello_ext_compress_certificate(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                                                  proto_tree *tree, uint32_t offset, uint32_t offset_end,
                                                  uint8_t hnd_type, SslDecryptSession *ssl _U___attribute__((unused)))
8831{
  uint32_t compress_certificate_algorithms_length, next_offset;

  /* https://tools.ietf.org/html/draft-ietf-tls-certificate-compression-03#section-3.0
   * enum {
   *     zlib(1),
   *     brotli(2),
   *     (65535)
   * } CertificateCompressionAlgorithm;
   *
   * struct {
   *     CertificateCompressionAlgorithm algorithms<1..2^8-1>;
   * } CertificateCompressionAlgorithms;
   */
  switch (hnd_type) {
  case SSL_HND_CLIENT_HELLO:
  case SSL_HND_CERT_REQUEST:
      /* CertificateCompressionAlgorithm algorithms<1..2^8-1>;*/
      if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &compress_certificate_algorithms_length,
                          hf->hf.hs_ext_compress_certificate_algorithms_length, 1, UINT8_MAX(255)-1)) {
          return offset_end;
      }
      offset += 1;
      next_offset = offset + compress_certificate_algorithms_length;

      while (offset < next_offset) {
          proto_tree_add_item(tree, hf->hf.hs_ext_compress_certificate_algorithm,
                              tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
          offset += 2;
      }
      break;
  default:
      break;
  }

  return offset;
8867}

8869static uint32_t
8870ssl_dissect_hnd_hello_ext_token_binding(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                                      proto_tree *tree, uint32_t offset, uint32_t offset_end,
                                      uint8_t hnd_type, SslDecryptSession *ssl _U___attribute__((unused)))
8873{
 uint32_t key_parameters_length, next_offset;
 proto_item *p_ti;
 proto_tree *p_tree;

 /* RFC 8472
  *
  * struct {
  *     uint8 major;
  *     uint8 minor;
  * } TB_ProtocolVersion;
  *
  * enum {
  *     rsa2048_pkcs1.5(0), rsa2048_pss(1), ecdsap256(2), (255)
  * } TokenBindingKeyParameters;
  *
  * struct {
  *     TB_ProtocolVersion token_binding_version;
  *     TokenBindingKeyParameters key_parameters_list<1..2^8-1>
  * } TokenBindingParameters;
  */

  switch (hnd_type) {
  case SSL_HND_CLIENT_HELLO:
  case SSL_HND_SERVER_HELLO:
      proto_tree_add_item(tree, hf->hf.hs_ext_token_binding_version_major, tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
      offset += 1;
      proto_tree_add_item(tree, hf->hf.hs_ext_token_binding_version_minor, tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
      offset += 1;

      if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &key_parameters_length,
                          hf->hf.hs_ext_token_binding_key_parameters_length, 1, UINT8_MAX(255))) {
          return offset_end;
      }
      offset += 1;
      next_offset = offset + key_parameters_length;

      p_ti = proto_tree_add_none_format(tree,
                                        hf->hf.hs_ext_token_binding_key_parameters,
                                        tvb, offset, key_parameters_length,
                                        "Key parameters identifiers (%d identifier%s)",
                                        key_parameters_length,
                                        plurality(key_parameters_length, "", "s")((key_parameters_length) == 1 ? ("") : ("s")));
      p_tree = proto_item_add_subtree(p_ti, hf->ett.hs_ext_token_binding_key_parameters);

      while (offset < next_offset) {
          proto_tree_add_item(p_tree, hf->hf.hs_ext_token_binding_key_parameter,
                              tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
          offset += 1;
      }

      if (!ssl_end_vector(hf, tvb, pinfo, p_tree, offset, next_offset)) {
          offset = next_offset;
      }

      break;
  default:
      break;
  }

  return offset;
8934}

8936static uint32_t
8937ssl_dissect_hnd_hello_ext_quic_transport_parameters(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                                                  proto_tree *tree, uint32_t offset, uint32_t offset_end,
                                                  uint8_t hnd_type, SslDecryptSession *ssl _U___attribute__((unused)))
8940{
  bool_Bool use_varint_encoding = true1;    // Whether this is draft -27 or newer.
  uint32_t next_offset;

  /* https://tools.ietf.org/html/draft-ietf-quic-transport-25#section-18
   *
   * Note: the following structures are not literally defined in the spec,
   * they instead use an ASCII diagram.
   *
   *   struct {
   *     uint16 id;
   *     opaque value<0..2^16-1>;
   *  } TransportParameter;                               // before draft -27
   *  TransportParameter TransportParameters<0..2^16-1>;  // before draft -27
   *
   *  struct {
   *    opaque ipv4Address[4];
   *    uint16 ipv4Port;
   *    opaque ipv6Address[16];
   *    uint16 ipv6Port;
   *    opaque connectionId<0..18>;
   *    opaque statelessResetToken[16];
   *  } PreferredAddress;
   */

  if (offset_end - offset >= 6 &&
          2 + (unsigned)tvb_get_ntohs(tvb, offset) == offset_end - offset &&
          6 + (unsigned)tvb_get_ntohs(tvb, offset + 4) <= offset_end - offset) {
      // Assume encoding of Transport Parameters draft -26 or older with at
      // least one transport parameter that has a valid length.
      use_varint_encoding = false0;
  }

  if (use_varint_encoding) {
      next_offset = offset_end;
  } else {
      uint32_t quic_length;
      // Assume draft -26 or earlier.
      /* TransportParameter TransportParameters<0..2^16-1>; */
      if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &quic_length,
                          hf->hf.hs_ext_quictp_len, 0, UINT16_MAX(65535))) {
          return offset_end;
      }
      offset += 2;
      next_offset = offset + quic_length;
  }

  while (offset < next_offset) {
      uint64_t parameter_type;     /* 62-bit space */
      uint32_t parameter_length;
      proto_tree *parameter_tree;
      uint32_t parameter_end_offset;
      uint64_t value;
      uint32_t i;
      int len = 0;

      parameter_tree = proto_tree_add_subtree(tree, tvb, offset, 2, hf->ett.hs_ext_quictp_parameter,
                                              NULL((void*)0), "Parameter");
      /* TransportParameter ID and Length. */
      if (use_varint_encoding) {
          uint64_t parameter_length64;
          int type_len = 0;

          proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_type,
                                         tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &parameter_type, &type_len);
          offset += type_len;

          proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_len,
                                         tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &parameter_length64, &len);
          parameter_length = (uint32_t)parameter_length64;
          offset += len;

          proto_item_set_len(parameter_tree, type_len + len + parameter_length);
      } else {
          parameter_type = tvb_get_ntohs(tvb, offset);
          proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_type,
                              tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
          offset += 2;

          /* opaque value<0..2^16-1> */
          if (!ssl_add_vector(hf, tvb, pinfo, parameter_tree, offset, next_offset, &parameter_length,
                              hf->hf.hs_ext_quictp_parameter_len_old, 0, UINT16_MAX(65535))) {
              return next_offset;
          }
          offset += 2;

          proto_item_set_len(parameter_tree, 4 + parameter_length);
      }

      if (IS_GREASE_QUIC(parameter_type)((parameter_type) > 27 ? ((((parameter_type) - 27) % 31) ==
 0) : 0)) {
          proto_item_append_text(parameter_tree, ": GREASE");
      } else {
          proto_item_append_text(parameter_tree, ": %s", val64_to_str_wmem(pinfo->pool, parameter_type, quic_transport_parameter_id, "Unknown 0x%04x"));
      }

      proto_item_append_text(parameter_tree, " (len=%u)", parameter_length);
      parameter_end_offset = offset + parameter_length;

      /* Omit the value field if the parameter's length is 0. */
      if (parameter_length != 0) {
          proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_value,
                              tvb, offset, parameter_length, ENC_NA0x00000000);
      }

      switch (parameter_type) {
          case SSL_HND_QUIC_TP_ORIGINAL_DESTINATION_CONNECTION_ID0x00:
              proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_original_destination_connection_id,
                                  tvb, offset, parameter_length, ENC_NA0x00000000);
              offset += parameter_length;
          break;
          case SSL_HND_QUIC_TP_MAX_IDLE_TIMEOUT0x01:
              proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_max_idle_timeout,
                                             tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
              proto_item_append_text(parameter_tree, " %" PRIu64"l" "u" " ms", value);
              offset += len;
          break;
          case SSL_HND_QUIC_TP_STATELESS_RESET_TOKEN0x02:
              proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_stateless_reset_token,
                                  tvb, offset, 16, ENC_BIG_ENDIAN0x00000000);
              quic_add_stateless_reset_token(pinfo, tvb, offset, NULL((void*)0));
              offset += 16;
          break;
          case SSL_HND_QUIC_TP_MAX_UDP_PAYLOAD_SIZE0x03:
              proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_max_udp_payload_size,
                                             tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
              proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
              /*TODO display expert info about invalid value (< 1252 or >65527) ? */
              offset += len;
          break;
          case SSL_HND_QUIC_TP_INITIAL_MAX_DATA0x04:
              proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_data,
                                             tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
              proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
              offset += len;
          break;
          case SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_BIDI_LOCAL0x05:
              proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_stream_data_bidi_local,
                                             tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
              proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
              offset += len;
          break;
          case SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_BIDI_REMOTE0x06:
              proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_stream_data_bidi_remote,
                                             tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
              proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
              offset += len;
          break;
          case SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_UNI0x07:
              proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_stream_data_uni,
                                             tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
              proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
              offset += len;
          break;
          case SSL_HND_QUIC_TP_INITIAL_MAX_STREAMS_UNI0x09:
              proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_streams_uni,
                                             tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
              proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
              offset += len;
          break;
          case SSL_HND_QUIC_TP_INITIAL_MAX_STREAMS_BIDI0x08:
              proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_streams_bidi,
                                             tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
              proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
              offset += len;
          break;
          case SSL_HND_QUIC_TP_ACK_DELAY_EXPONENT0x0a:
              proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_ack_delay_exponent,
                                             tvb, offset, -1, ENC_VARINT_QUIC0x00000004, NULL((void*)0), &len);
              /*TODO display multiplier (x8) and expert info about invalid value (> 20) ? */
              offset += len;
          break;
          case SSL_HND_QUIC_TP_MAX_ACK_DELAY0x0b:
              proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_max_ack_delay,
                                             tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
              proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
              offset += len;
          break;
          case SSL_HND_QUIC_TP_DISABLE_ACTIVE_MIGRATION0x0c:
              /* No Payload */
          break;
          case SSL_HND_QUIC_TP_PREFERRED_ADDRESS0x0d: {
              uint32_t connectionid_length;
              quic_cid_t cid;

              proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_ipv4address,
                                  tvb, offset, 4, ENC_BIG_ENDIAN0x00000000);
              offset += 4;
              proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_ipv4port,
                                  tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
              offset += 2;
              proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_ipv6address,
                                  tvb, offset, 16, ENC_NA0x00000000);
              offset += 16;
              proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_ipv6port,
                                  tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
              offset += 2;
              /* XXX - Should we add these addresses and ports as addresses that the client
               * is allowed / expected to migrate the server address to? Right now we don't
               * enforce that (see RFC 9000 Section 9, which implies that while the client
               * can migrate to whatever address it wants, it can only migrate the server
               * address to the Server's Preferred Address as in 9.6. Also Issue #20165.)
               */

              if (!ssl_add_vector(hf, tvb, pinfo, parameter_tree, offset, offset_end, &connectionid_length,
                                  hf->hf.hs_ext_quictp_parameter_pa_connectionid_length, 0, 20)) {
                  break;
              }
              offset += 1;

              proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_connectionid,
                                  tvb, offset, connectionid_length, ENC_NA0x00000000);
              if (connectionid_length >= 1 && connectionid_length <= QUIC_MAX_CID_LENGTH20) {
                  cid.len = connectionid_length;
                  // RFC 9000 5.1.1 "If the preferred_address transport
                  // parameter is sent, the sequence number of the supplied
                  // connection ID is 1."
                  cid.seq_num = 1;
                  // Multipath draft-07 "Also, the Path Identifier for the
                  // connection ID specified in the "preferred address"
                  // transport parameter is 0."
                  cid.path_id = 0;
                  tvb_memcpy(tvb, cid.cid, offset, connectionid_length);
                  quic_add_connection(pinfo, &cid);
              }
              offset += connectionid_length;

              proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_statelessresettoken,
                                  tvb, offset, 16, ENC_NA0x00000000);
              if (connectionid_length >= 1 && connectionid_length <= QUIC_MAX_CID_LENGTH20) {
                  quic_add_stateless_reset_token(pinfo, tvb, offset, &cid);
              }
              offset += 16;
          }
          break;
          case SSL_HND_QUIC_TP_ACTIVE_CONNECTION_ID_LIMIT0x0e:
              proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_active_connection_id_limit,
                                             tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
              proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
              offset += len;
          break;
          case SSL_HND_QUIC_TP_INITIAL_SOURCE_CONNECTION_ID0x0f:
              proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_source_connection_id,
                                  tvb, offset, parameter_length, ENC_NA0x00000000);
              offset += parameter_length;
          break;
          case SSL_HND_QUIC_TP_RETRY_SOURCE_CONNECTION_ID0x10:
              proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_retry_source_connection_id,
                                  tvb, offset, parameter_length, ENC_NA0x00000000);
              offset += parameter_length;
          break;
          case SSL_HND_QUIC_TP_MAX_DATAGRAM_FRAME_SIZE0x20:
              proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_max_datagram_frame_size,
                                             tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
              proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
              offset += len;
          break;
          case SSL_HND_QUIC_TP_CIBIR_ENCODING0x1000:
              proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_cibir_encoding_length,
                                             tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
              proto_item_append_text(parameter_tree, " Length: %" PRIu64"l" "u", value);
              offset += len;
              proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_cibir_encoding_offset,
                                             tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
              proto_item_append_text(parameter_tree, ", Offset: %" PRIu64"l" "u", value);
              offset += len;
          break;
          case SSL_HND_QUIC_TP_LOSS_BITS0x1057:
              proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_loss_bits,
                                             tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
              if (len > 0) {
                  quic_add_loss_bits(pinfo, value);
              }
              offset += 1;
          break;
          case SSL_HND_QUIC_TP_ADDRESS_DISCOVERY0x9f81a176:
              proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_address_discovery,
                                             tvb, offset, -1, ENC_VARINT_QUIC0x00000004, NULL((void*)0), &len);
              offset += len;
          break;
          case SSL_HND_QUIC_TP_MIN_ACK_DELAY_OLD0xde1a:
          case SSL_HND_QUIC_TP_MIN_ACK_DELAY_DRAFT_V10xFF03DE1A:
          case SSL_HND_QUIC_TP_MIN_ACK_DELAY_DRAFT050xff04de1a:
          case SSL_HND_QUIC_TP_MIN_ACK_DELAY0xff04de1b:
              proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_min_ack_delay,
                                             tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
              proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
              offset += len;
          break;
          case SSL_HND_QUIC_TP_GOOGLE_USER_AGENT0x3129:
              proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_user_agent_id,
                                  tvb, offset, parameter_length, ENC_ASCII0x00000000|ENC_NA0x00000000);
              offset += parameter_length;
          break;
          case SSL_HND_QUIC_TP_GOOGLE_KEY_UPDATE_NOT_YET_SUPPORTED0x312B:
              proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_key_update_not_yet_supported,
                                  tvb, offset, parameter_length, ENC_NA0x00000000);
              offset += parameter_length;
          break;
          case SSL_HND_QUIC_TP_GOOGLE_QUIC_VERSION0x4752:
              proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_quic_version,
                                  tvb, offset, 4, ENC_BIG_ENDIAN0x00000000);
              offset += 4;
              if (hnd_type == SSL_HND_ENCRYPTED_EXTENSIONS) { /* From server */
                  uint32_t versions_length;

                  proto_tree_add_item_ret_uint(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_supported_versions_length,
                                               tvb, offset, 1, ENC_NA0x00000000, &versions_length);
                  offset += 1;
                  for (i = 0; i < versions_length / 4; i++) {
                      quic_proto_tree_add_version(tvb, parameter_tree,
                                                  hf->hf.hs_ext_quictp_parameter_google_supported_version, offset);
                      offset += 4;
                  }
              }
          break;
          case SSL_HND_QUIC_TP_GOOGLE_INITIAL_RTT0x3127:
              proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_initial_rtt,
                                             tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
              proto_item_append_text(parameter_tree, " %" PRIu64"l" "u" " us", value);
              offset += len;
          break;
          case SSL_HND_QUIC_TP_GOOGLE_SUPPORT_HANDSHAKE_DONE0x312A:
              proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_support_handshake_done,
                                  tvb, offset, parameter_length, ENC_NA0x00000000);
              offset += parameter_length;
          break;
          case SSL_HND_QUIC_TP_GOOGLE_QUIC_PARAMS0x4751:
              /* This field was used for non-standard Google-specific parameters encoded as a
               * Google QUIC_CRYPTO CHLO and it has been replaced (version >= T051) by individual
               * parameters. Report it as a bytes blob... */
              proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_quic_params,
                                  tvb, offset, parameter_length, ENC_NA0x00000000);
              /* ... and try decoding it: not sure what the first 4 bytes are (but they seems to be always 0) */
              proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_quic_params_unknown_field,
                                  tvb, offset, 4, ENC_NA0x00000000);
              dissect_gquic_tags(tvb, pinfo, parameter_tree, offset + 4);
              offset += parameter_length;
          break;
          case SSL_HND_QUIC_TP_GOOGLE_CONNECTION_OPTIONS0x3128:
              proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_connection_options,
                                  tvb, offset, parameter_length, ENC_NA0x00000000);
              offset += parameter_length;
          break;
          case SSL_HND_QUIC_TP_ENABLE_TIME_STAMP0x7157:
              /* No Payload */
          break;
          case SSL_HND_QUIC_TP_ENABLE_TIME_STAMP_V20x7158:
              proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_enable_time_stamp_v2,
                                             tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
              offset += parameter_length;
          break;
          case SSL_HND_QUIC_TP_VERSION_INFORMATION_DRAFT0xff73db:
          case SSL_HND_QUIC_TP_VERSION_INFORMATION0x11:
              quic_proto_tree_add_version(tvb, parameter_tree,
                                          hf->hf.hs_ext_quictp_parameter_chosen_version, offset);
              offset += 4;
              for (i = 4; i < parameter_length; i += 4) {
                  quic_proto_tree_add_version(tvb, parameter_tree,
                                              hf->hf.hs_ext_quictp_parameter_other_version, offset);
                  offset += 4;
              }
          break;
          case SSL_HND_QUIC_TP_GREASE_QUIC_BIT0x2ab2:
              /* No Payload */
              quic_add_grease_quic_bit(pinfo);
          break;
          case SSL_HND_QUIC_TP_FACEBOOK_PARTIAL_RELIABILITY0xFF00:
              proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_facebook_partial_reliability,
                                             tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
              offset += parameter_length;
          break;
          case SSL_HND_QUIC_TP_ENABLE_MULTIPATH_DRAFT040x0f739bbc1b666d04:
              proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_enable_multipath,
                                             tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
              if (value == 1) {
                  quic_add_multipath(pinfo, QUIC_MP_NO_PATH_ID1);
              }
              offset += parameter_length;
          break;
          case SSL_HND_QUIC_TP_ENABLE_MULTIPATH_DRAFT050x0f739bbc1b666d05:
          case SSL_HND_QUIC_TP_ENABLE_MULTIPATH0x0f739bbc1b666d06:
              /* No Payload */
              quic_add_multipath(pinfo, QUIC_MP_NO_PATH_ID1);
          break;
          case SSL_HND_QUIC_TP_INITIAL_MAX_PATHS0x0f739bbc1b666d07:
              proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_paths,
                                             tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
              if (value > 1) {
                  quic_add_multipath(pinfo, QUIC_MP_PATH_ID2);
              }
              /* multipath draft-07: "The value of the initial_max_paths
               * parameter MUST be at least 2." TODO: Expert Info? */
              offset += parameter_length;
          break;
          case SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT090x0f739bbc1b666d09:
          case SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT110x0f739bbc1b666d11:
          case SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT120x0f739bbc1b666d0c:
          case SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT130x0f739bbc1b666d0d:
          case SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID0x3e:
              proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_path_id,
                                             tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
              /* multipath draft-09 and later: "If an endpoint receives an
              * initial_max_path_id transport parameter with value 0, the
              * peer aims to enable the multipath extension without allowing
              * extra paths immediately."
              */
              quic_add_multipath(pinfo, QUIC_MP_PATH_ID2);
              offset += parameter_length;
          break;
          default:
              offset += parameter_length;
              /*TODO display expert info about unknown ? */
          break;
      }

      if (!ssl_end_vector(hf, tvb, pinfo, parameter_tree, offset, parameter_end_offset)) {
          /* Dissection did not end at expected location, fix it. */
          offset = parameter_end_offset;
      }
  }

  return offset;
9362}

9364static int
9365ssl_dissect_hnd_hello_common(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                           proto_tree *tree, uint32_t offset,
                           SslSession *session, SslDecryptSession *ssl,
                           bool_Bool from_server, bool_Bool is_hrr)
9369{
  uint8_t      sessid_length;
  proto_item  *ti;
  proto_tree  *rnd_tree;
  proto_tree  *ti_rnd;
  proto_tree  *ech_confirm_tree;
  uint8_t      draft_version = session->tls13_draft_version;

  if (ssl) {
      StringInfo *rnd;
      if (from_server)
          rnd = &ssl->server_random;
      else
          rnd = &ssl->client_random;

      /* save provided random for later keyring generation */
      tvb_memcpy(tvb, rnd->data, offset, 32);
      rnd->data_len = 32;
      if (from_server)
          ssl->state |= SSL_SERVER_RANDOM(1<<1);
      else
          ssl->state |= SSL_CLIENT_RANDOM(1<<0);
      ssl_debug_printf("%s found %s RANDOM -> state 0x%02X\n", G_STRFUNC((const char*) (__func__)),
              from_server ? "SERVER" : "CLIENT", ssl->state);
  }

  if (!from_server && session->client_random.data_len == 0) {
      session->client_random.data_len = 32;
      tvb_memcpy(tvb, session->client_random.data, offset, 32);
  }

  ti_rnd = proto_tree_add_item(tree, hf->hf.hs_random, tvb, offset, 32, ENC_NA0x00000000);

  if ((session->version != TLSV1DOT3_VERSION0x304) && (session->version != DTLSV1DOT3_VERSION0xfefc)) { /* No time on first bytes random with TLS 1.3 */

      rnd_tree = proto_item_add_subtree(ti_rnd, hf->ett.hs_random);
      /* show the time */
      proto_tree_add_item(rnd_tree, hf->hf.hs_random_time,
              tvb, offset, 4, ENC_TIME_SECS0x00000012|ENC_BIG_ENDIAN0x00000000);
      offset += 4;

      /* show the random bytes */
      proto_tree_add_item(rnd_tree, hf->hf.hs_random_bytes,
              tvb, offset, 28, ENC_NA0x00000000);
      offset += 28;
  } else {
      if (is_hrr) {
          proto_item_append_text(ti_rnd, " (HelloRetryRequest magic)");
      } else if (from_server && session->ech) {
          ech_confirm_tree = proto_item_add_subtree(ti_rnd, hf->ett.hs_random);
          proto_tree_add_item(ech_confirm_tree, hf->hf.hs_ech_confirm, tvb, offset + 24, 8, ENC_NA0x00000000);
          ti = proto_tree_add_bytes_with_length(ech_confirm_tree, hf->hf.hs_ech_confirm_compute, tvb, offset + 24, 0,
                                                session->ech_confirmation, 8);
          proto_item_set_generated(ti);
          if (memcmp(session->ech_confirmation, tvb_get_ptr(tvb, offset+24, 8), 8)) {
              expert_add_info(pinfo, ti, &hf->ei.ech_rejected);
          } else {
              expert_add_info(pinfo, ti, &hf->ei.ech_accepted);
          }
      }

      offset += 32;
  }

  /* No Session ID with TLS 1.3 on Server Hello before draft -22 */
  if (from_server == 0 || !(session->version == TLSV1DOT3_VERSION0x304 && draft_version > 0 && draft_version < 22)) {
      /* show the session id (length followed by actual Session ID) */
      sessid_length = tvb_get_uint8(tvb, offset);
      proto_tree_add_item(tree, hf->hf.hs_session_id_len,
              tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
      offset++;

      if (ssl) {
          /* save the authoritative SID for later use in ChangeCipherSpec.
           * (D)TLS restricts the SID to 32 chars, it does not make sense to
           * save more, so ignore larger ones. To support ECH, also save
           * the SID from the ClientHelloOuter. */
          if (sessid_length <= 32 && (from_server || sessid_length > 0)) {
              tvb_memcpy(tvb, ssl->session_id.data, offset, sessid_length);
              ssl->session_id.data_len = sessid_length;
          }
      }
      if (sessid_length > 0) {
          proto_tree_add_item(tree, hf->hf.hs_session_id,
                  tvb, offset, sessid_length, ENC_NA0x00000000);
          offset += sessid_length;
      }
  }

  return offset;
9459}

9461static int
9462ssl_dissect_hnd_hello_ext_status_request(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                                       proto_tree *tree, uint32_t offset, uint32_t offset_end,
                                       bool_Bool has_length)
9465{
  /* TLS 1.2/1.3 status_request Client Hello Extension.
   * TLS 1.2 status_request_v2 CertificateStatusRequestItemV2 type.
   * https://tools.ietf.org/html/rfc6066#section-8 (status_request)
   * https://tools.ietf.org/html/rfc6961#section-2.2 (status_request_v2)
   *  struct {
   *      CertificateStatusType status_type;
   *      uint16 request_length;  // for status_request_v2
   *      select (status_type) {
   *          case ocsp: OCSPStatusRequest;
   *          case ocsp_multi: OCSPStatusRequest;
   *      } request;
   *  } CertificateStatusRequest; // CertificateStatusRequestItemV2
   *
   *  enum { ocsp(1), ocsp_multi(2), (255) } CertificateStatusType;
   *  struct {
   *      ResponderID responder_id_list<0..2^16-1>;
   *      Extensions  request_extensions;
   *  } OCSPStatusRequest;
   *  opaque ResponderID<1..2^16-1>;
   *  opaque Extensions<0..2^16-1>;
   */
  unsigned cert_status_type;

  cert_status_type = tvb_get_uint8(tvb, offset);
  proto_tree_add_item(tree, hf->hf.hs_ext_cert_status_type,
                      tvb, offset, 1, ENC_NA0x00000000);
  offset++;

  if (has_length) {
      proto_tree_add_item(tree, hf->hf.hs_ext_cert_status_request_len,
                          tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
      offset += 2;
  }

  switch (cert_status_type) {
  case SSL_HND_CERT_STATUS_TYPE_OCSP1:
  case SSL_HND_CERT_STATUS_TYPE_OCSP_MULTI2:
      {
          uint32_t     responder_id_list_len;
          uint32_t     request_extensions_len;

          /* ResponderID responder_id_list<0..2^16-1> */
          if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &responder_id_list_len,
                              hf->hf.hs_ext_cert_status_responder_id_list_len, 0, UINT16_MAX(65535))) {
              return offset_end;
          }
          offset += 2;
          if (responder_id_list_len != 0) {
              proto_tree_add_expert_format(tree, pinfo, &hf->ei.hs_ext_cert_status_undecoded,
                                           tvb, offset, responder_id_list_len,
                                     "Responder ID list is not implemented, contact Wireshark"
                                     " developers if you want this to be supported");
          }
          offset += responder_id_list_len;

          /* opaque Extensions<0..2^16-1> */
          if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &request_extensions_len,
                              hf->hf.hs_ext_cert_status_request_extensions_len, 0, UINT16_MAX(65535))) {
              return offset_end;
          }
          offset += 2;
          if (request_extensions_len != 0) {
              proto_tree_add_expert_format(tree, pinfo, &hf->ei.hs_ext_cert_status_undecoded,
                                           tvb, offset, request_extensions_len,
                                     "Request Extensions are not implemented, contact"
                                     " Wireshark developers if you want this to be supported");
          }
          offset += request_extensions_len;
          break;
      }
  }

  return offset;
9539}

9541static unsigned
9542ssl_dissect_hnd_hello_ext_status_request_v2(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                                          proto_tree *tree, uint32_t offset, uint32_t offset_end)
9544{
  /* https://tools.ietf.org/html/rfc6961#section-2.2
   *  struct {
   *    CertificateStatusRequestItemV2 certificate_status_req_list<1..2^16-1>;
   *  } CertificateStatusRequestListV2;
   */
  uint32_t req_list_length, next_offset;

  /* CertificateStatusRequestItemV2 certificate_status_req_list<1..2^16-1> */
  if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &req_list_length,
                      hf->hf.hs_ext_cert_status_request_list_len, 1, UINT16_MAX(65535))) {
      return offset_end;
  }
  offset += 2;
  next_offset = offset + req_list_length;

  while (offset < next_offset) {
      offset = ssl_dissect_hnd_hello_ext_status_request(hf, tvb, pinfo, tree, offset, next_offset, true1);
  }

  return offset;
9565}

9567static uint32_t
9568tls_dissect_ocsp_response(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
                        uint32_t offset, uint32_t offset_end)
9570{
  uint32_t    response_length;
  proto_item *ocsp_resp;
  proto_tree *ocsp_resp_tree;
  asn1_ctx_t  asn1_ctx;

  /* opaque OCSPResponse<1..2^24-1>; */
  if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &response_length,
                      hf->hf.hs_ocsp_response_len, 1, G_MAXUINT24((1U << 24) - 1))) {
      return offset_end;
  }
  offset += 3;

  ocsp_resp = proto_tree_add_item(tree, proto_ocsp, tvb, offset,
                                  response_length, ENC_BIG_ENDIAN0x00000000);
  proto_item_set_text(ocsp_resp, "OCSP Response");
  ocsp_resp_tree = proto_item_add_subtree(ocsp_resp, hf->ett.ocsp_response);
  if (proto_is_protocol_enabled(find_protocol_by_id(proto_ocsp))) {
      asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true1, pinfo);
      dissect_ocsp_OCSPResponse(false0, tvb, offset, &asn1_ctx, ocsp_resp_tree, -1);
  }
  offset += response_length;

  return offset;
9594}

9596uint32_t
9597tls_dissect_hnd_certificate_status(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                                 proto_tree *tree, uint32_t offset, uint32_t offset_end)
9599{
  /* TLS 1.2 "CertificateStatus" handshake message.
   * TLS 1.3 "status_request" Certificate extension.
   *  struct {
   *    CertificateStatusType status_type;
   *    select (status_type) {
   *      case ocsp: OCSPResponse;
   *      case ocsp_multi: OCSPResponseList;  // status_request_v2
   *    } response;
   *  } CertificateStatus;
   *  opaque OCSPResponse<1..2^24-1>;
   *  struct {
   *    OCSPResponse ocsp_response_list<1..2^24-1>;
   *  } OCSPResponseList;                     // status_request_v2
   */
  uint32_t    status_type, resp_list_length, next_offset;

  proto_tree_add_item_ret_uint(tree, hf->hf.hs_ext_cert_status_type,
                               tvb, offset, 1, ENC_BIG_ENDIAN0x00000000, &status_type);
  offset += 1;

  switch (status_type) {
  case SSL_HND_CERT_STATUS_TYPE_OCSP1:
      offset = tls_dissect_ocsp_response(hf, tvb, pinfo, tree, offset, offset_end);
      break;

  case SSL_HND_CERT_STATUS_TYPE_OCSP_MULTI2:
      /* OCSPResponse ocsp_response_list<1..2^24-1> */
      if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &resp_list_length,
                          hf->hf.hs_ocsp_response_list_len, 1, G_MAXUINT24((1U << 24) - 1))) {
          return offset_end;
      }
      offset += 3;
      next_offset = offset + resp_list_length;

      while (offset < next_offset) {
          offset = tls_dissect_ocsp_response(hf, tvb, pinfo, tree, offset, next_offset);
      }
      break;
  }

  return offset;
9641}

9643static unsigned
9644ssl_dissect_hnd_hello_ext_supported_groups(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                                         proto_tree *tree, uint32_t offset, uint32_t offset_end,
                                         wmem_strbuf_t *ja3)
9647{
  /* RFC 8446 Section 4.2.7
   *  enum { ..., (0xFFFF) } NamedGroup;
   *  struct {
   *      NamedGroup named_group_list<2..2^16-1>
   *  } NamedGroupList;
   *
   * NOTE: "NamedCurve" (RFC 4492) is renamed to "NamedGroup" (RFC 7919) and
   * the extension itself from "elliptic_curves" to "supported_groups".
   */
  uint32_t    groups_length, next_offset;
  proto_tree *groups_tree;
  proto_item *ti;
  char       *ja3_dash = "";

  /* NamedGroup named_group_list<2..2^16-1> */
  if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &groups_length,
                      hf->hf.hs_ext_supported_groups_len, 2, UINT16_MAX(65535))) {
      return offset_end;
  }
  offset += 2;
  next_offset = offset + groups_length;

  ti = proto_tree_add_none_format(tree,
                                  hf->hf.hs_ext_supported_groups,
                                  tvb, offset, groups_length,
                                  "Supported Groups (%d group%s)",
                                  groups_length / 2,
                                  plurality(groups_length/2, "", "s")((groups_length/2) == 1 ? ("") : ("s")));

  /* make this a subtree */
  groups_tree = proto_item_add_subtree(ti, hf->ett.hs_ext_groups);

  if (ja3) {
      wmem_strbuf_append_c(ja3, ',');
  }
  /* loop over all groups */
  while (offset + 2 <= offset_end) {
      uint32_t    ext_supported_group;

      proto_tree_add_item_ret_uint(groups_tree, hf->hf.hs_ext_supported_group, tvb, offset, 2,
                                   ENC_BIG_ENDIAN0x00000000, &ext_supported_group);
      offset += 2;
      if (ja3 && !IS_GREASE_TLS(ext_supported_group)((((ext_supported_group) & 0x0f0f) == 0x0a0a) && (
((ext_supported_group) & 0xff) == (((ext_supported_group)
>>8) & 0xff)))) {
          wmem_strbuf_append_printf(ja3, "%s%i",ja3_dash, ext_supported_group);
          ja3_dash = "-";
      }
  }
  if (!ssl_end_vector(hf, tvb, pinfo, groups_tree, offset, next_offset)) {
      offset = next_offset;
  }

  return offset;
9700}

9702static int
9703ssl_dissect_hnd_hello_ext_ec_point_formats(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                                         proto_tree *tree, uint32_t offset, wmem_strbuf_t *ja3)
9705{
  uint8_t     ecpf_length;
  proto_tree *ecpf_tree;
  proto_item *ti;

  ecpf_length = tvb_get_uint8(tvb, offset);
  proto_tree_add_item(tree, hf->hf.hs_ext_ec_point_formats_len,
      tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);

  offset += 1;
  ti = proto_tree_add_none_format(tree,
                                  hf->hf.hs_ext_ec_point_formats,
                                  tvb, offset, ecpf_length,
                                  "Elliptic curves point formats (%d)",
                                  ecpf_length);

  /* make this a subtree */
  ecpf_tree = proto_item_add_subtree(ti, hf->ett.hs_ext_curves_point_formats);

  if (ja3) {
      wmem_strbuf_append_c(ja3, ',');
  }

  /* loop over all point formats */
  while (ecpf_length > 0)
  {
      uint32_t    ext_ec_point_format;

      proto_tree_add_item_ret_uint(ecpf_tree, hf->hf.hs_ext_ec_point_format, tvb, offset, 1,
                                   ENC_BIG_ENDIAN0x00000000, &ext_ec_point_format);
      offset++;
      ecpf_length--;
      if (ja3) {
          wmem_strbuf_append_printf(ja3, "%i", ext_ec_point_format);
          if (ecpf_length > 0) {
              wmem_strbuf_append_c(ja3, '-');
          }
      }
  }

  return offset;
9746}

9748static int
9749ssl_dissect_hnd_hello_ext_srp(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                             packet_info *pinfo, proto_tree *tree,
                             uint32_t offset, uint32_t next_offset)
9752{
  /* https://tools.ietf.org/html/rfc5054#section-2.8.1
   *  opaque srp_I<1..2^8-1>;
   */
  uint32_t username_len;

  if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, next_offset, &username_len,
                      hf->hf.hs_ext_srp_len, 1, UINT8_MAX(255))) {
      return next_offset;
  }
  offset++;

  proto_tree_add_item(tree, hf->hf.hs_ext_srp_username,
                      tvb, offset, username_len, ENC_UTF_80x00000002|ENC_NA0x00000000);
  offset += username_len;

  return offset;
9769}

9771static uint32_t
9772tls_dissect_sct(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
              uint32_t offset, uint32_t offset_end, uint16_t version)
9774{
  /* https://tools.ietf.org/html/rfc6962#section-3.2
   *  enum { v1(0), (255) } Version;
   *  struct {
   *      opaque key_id[32];
   *  } LogID;
   *  opaque CtExtensions<0..2^16-1>;
   *  struct {
   *      Version sct_version;
   *      LogID id;
   *      uint64 timestamp;
   *      CtExtensions extensions;
   *      digitally-signed struct { ... };
   *  } SignedCertificateTimestamp;
   */
  uint32_t    sct_version;
  uint64_t    sct_timestamp_ms;
  nstime_t    sct_timestamp;
  uint32_t    exts_len;
  const char *log_name;

  proto_tree_add_item_ret_uint(tree, hf->hf.sct_sct_version, tvb, offset, 1, ENC_NA0x00000000, &sct_version);
  offset++;
  if (sct_version != 0) {
      // TODO expert info about unknown SCT version?
      return offset;
  }
  proto_tree_add_item(tree, hf->hf.sct_sct_logid, tvb, offset, 32, ENC_BIG_ENDIAN0x00000000);
  log_name = bytesval_to_str_wmem(pinfo->pool, tvb_get_ptr(tvb, offset, 32), 32, ct_logids, "Unknown Log");
  proto_item_append_text(tree, " (%s)", log_name);
  offset += 32;
  sct_timestamp_ms = tvb_get_ntoh64(tvb, offset);
  sct_timestamp.secs  = (time_t)(sct_timestamp_ms / 1000);
  sct_timestamp.nsecs = (int)((sct_timestamp_ms % 1000) * 1000000);
  proto_tree_add_time(tree, hf->hf.sct_sct_timestamp, tvb, offset, 8, &sct_timestamp);
  offset += 8;
  /* opaque CtExtensions<0..2^16-1> */
  if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &exts_len,
                      hf->hf.sct_sct_extensions_length, 0, UINT16_MAX(65535))) {
      return offset_end;
  }
  offset += 2;
  if (exts_len > 0) {
      proto_tree_add_item(tree, hf->hf.sct_sct_extensions, tvb, offset, exts_len, ENC_BIG_ENDIAN0x00000000);
      offset += exts_len;
  }
  offset = ssl_dissect_digitally_signed(hf, tvb, pinfo, tree, offset, offset_end, version,
                                        hf->hf.sct_sct_signature_length,
                                        hf->hf.sct_sct_signature);
  return offset;
9824}

9826uint32_t
9827tls_dissect_sct_list(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
                   uint32_t offset, uint32_t offset_end, uint16_t version)
9829{
  /* https://tools.ietf.org/html/rfc6962#section-3.3
   *  opaque SerializedSCT<1..2^16-1>;
   *  struct {
   *      SerializedSCT sct_list <1..2^16-1>;
   *  } SignedCertificateTimestampList;
   */
  uint32_t    list_length, sct_length, next_offset;
  proto_tree *subtree;

  /* SerializedSCT sct_list <1..2^16-1> */
  if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &list_length,
                      hf->hf.sct_scts_length, 1, UINT16_MAX(65535))) {
      return offset_end;
  }
  offset += 2;

  while (offset < offset_end) {
      subtree = proto_tree_add_subtree(tree, tvb, offset, 2, hf->ett.sct, NULL((void*)0), "Signed Certificate Timestamp");

      /* opaque SerializedSCT<1..2^16-1> */
      if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, offset_end, &sct_length,
                          hf->hf.sct_sct_length, 1, UINT16_MAX(65535))) {
          return offset_end;
      }
      offset += 2;
      next_offset = offset + sct_length;
      proto_item_set_len(subtree, 2 + sct_length);
      offset = tls_dissect_sct(hf, tvb, pinfo, subtree, offset, next_offset, version);
      if (!ssl_end_vector(hf, tvb, pinfo, subtree, offset, next_offset)) {
          offset = next_offset;
      }
  }

  return offset;
9864}

9866static int
9867dissect_ech_hpke_cipher_suite(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo _U___attribute__((unused)),
                            proto_tree *tree, uint32_t offset)
9869{
  uint32_t kdf_id, aead_id;
  proto_item *cs_ti;
  proto_tree *cs_tree;

  cs_ti = proto_tree_add_item(tree, hf->hf.ech_hpke_keyconfig_cipher_suite,
                              tvb, offset, 4, ENC_NA0x00000000);
  cs_tree = proto_item_add_subtree(cs_ti, hf->ett.ech_hpke_cipher_suite);

  proto_tree_add_item_ret_uint(cs_tree, hf->hf.ech_hpke_keyconfig_cipher_suite_kdf_id,
                               tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &kdf_id);
  offset += 2;
  proto_tree_add_item_ret_uint(cs_tree, hf->hf.ech_hpke_keyconfig_cipher_suite_aead_id,
                               tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &aead_id);
  offset += 2;

  proto_item_append_text(cs_ti, ": %s/%s",
                         val_to_str_const(kdf_id, kdf_id_type_vals, "Unknown"),
                         val_to_str_const(aead_id, aead_id_type_vals, "Unknown"));
  return offset;
9889}

9891static int
9892dissect_ech_hpke_key_config(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                          proto_tree *tree, uint32_t offset, uint32_t offset_end,
                          uint32_t *config_id)
9895{
  uint32_t length, cipher_suite_length;
  proto_item *kc_ti, *css_ti;
  proto_tree *kc_tree, *css_tree;
  uint32_t original_offset = offset, next_offset;

  kc_ti = proto_tree_add_item(tree, hf->hf.ech_hpke_keyconfig,
                              tvb, offset, -1, ENC_NA0x00000000);
  kc_tree = proto_item_add_subtree(kc_ti, hf->ett.ech_hpke_keyconfig);

  proto_tree_add_item_ret_uint(kc_tree, hf->hf.ech_hpke_keyconfig_config_id,
                               tvb, offset, 1, ENC_BIG_ENDIAN0x00000000, config_id);
  offset += 1;
  proto_tree_add_item(kc_tree, hf->hf.ech_hpke_keyconfig_kem_id,
                      tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
  offset += 2;
  proto_tree_add_item_ret_uint(kc_tree, hf->hf.ech_hpke_keyconfig_public_key_length,
                               tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &length);
  offset += 2;
  proto_tree_add_item(kc_tree, hf->hf.ech_hpke_keyconfig_public_key,
                      tvb, offset, length, ENC_NA0x00000000);
  offset += length;

  /* HpkeSymmetricCipherSuite cipher_suites<4..2^16-4> */
  if (!ssl_add_vector(hf, tvb, pinfo, kc_tree, offset, offset_end, &cipher_suite_length,
                      hf->hf.ech_hpke_keyconfig_cipher_suites_length, 4, UINT16_MAX(65535) - 3)) {
      return offset_end;
  }
  offset += 2;
  next_offset = offset + cipher_suite_length;

  css_ti = proto_tree_add_none_format(kc_tree,
                                      hf->hf.ech_hpke_keyconfig_cipher_suites,
                                      tvb, offset, cipher_suite_length,
                                      "Cipher Suites (%d suite%s)",
                                      cipher_suite_length / 4,
                                      plurality(cipher_suite_length / 4, "", "s")((cipher_suite_length / 4) == 1 ? ("") : ("s")));
  css_tree = proto_item_add_subtree(css_ti, hf->ett.ech_hpke_cipher_suites);


  while (offset + 4 <= next_offset) {
      offset = dissect_ech_hpke_cipher_suite(hf, tvb, pinfo, css_tree, offset);
  }

  if (!ssl_end_vector(hf, tvb, pinfo, css_tree, offset, next_offset)) {
      offset = next_offset;
  }

  proto_item_set_len(kc_ti, offset - original_offset);

  return offset;
9946}

9948static int
9949dissect_ech_echconfig_contents(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                             proto_tree *tree, uint32_t offset, uint32_t offset_end,
                             const uint8_t **public_name, uint32_t *config_id)
9952{
  uint32_t public_name_length, extensions_length, next_offset;

  offset = dissect_ech_hpke_key_config(hf, tvb, pinfo, tree, offset, offset_end, config_id);
  proto_tree_add_item(tree, hf->hf.ech_echconfigcontents_maximum_name_length,
                      tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
  offset += 1;
  proto_tree_add_item_ret_uint(tree, hf->hf.ech_echconfigcontents_public_name_length,
                               tvb, offset, 1, ENC_BIG_ENDIAN0x00000000, &public_name_length);
  offset += 1;
  proto_tree_add_item_ret_string(tree, hf->hf.ech_echconfigcontents_public_name,
                                 tvb, offset, public_name_length, ENC_ASCII0x00000000, pinfo->pool, public_name);
  offset += public_name_length;

  /* Extension extensions<0..2^16-1>; */
  if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &extensions_length,
                      hf->hf.ech_echconfigcontents_extensions_length, 0, UINT16_MAX(65535))) {
      return offset_end;
  }
  offset += 2;
  next_offset = offset + extensions_length;

  if (extensions_length > 0) {
      proto_tree_add_item(tree, hf->hf.ech_echconfigcontents_extensions,
                          tvb, offset, extensions_length, ENC_NA0x00000000);
  }
  offset += extensions_length;

  if (!ssl_end_vector(hf, tvb, pinfo, tree, offset, next_offset)) {
      offset = next_offset;
  }

  return offset;
9985}

9987static int
9988dissect_ech_echconfig(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                    proto_tree *tree, uint32_t offset, uint32_t offset_end)
9990{
  uint32_t version, length;
  proto_item *ech_ti;
  proto_tree *ech_tree;
  const uint8_t *public_name = NULL((void*)0);
  uint32_t config_id = 0;

  ech_ti = proto_tree_add_item(tree, hf->hf.ech_echconfig, tvb, offset, -1, ENC_NA0x00000000);
  ech_tree = proto_item_add_subtree(ech_ti, hf->ett.ech_echconfig);

  proto_tree_add_item_ret_uint(ech_tree, hf->hf.ech_echconfig_version,
                               tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &version);
  offset += 2;
  proto_tree_add_item_ret_uint(ech_tree, hf->hf.ech_echconfig_length,
                               tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &length);
  offset += 2;

  proto_item_set_len(ech_ti, 4 + length);

  switch(version) {
    case 0xfe0d:
      dissect_ech_echconfig_contents(hf, tvb, pinfo, ech_tree, offset, offset_end, &public_name, &config_id);
      proto_item_append_text(ech_ti, ": id=%d %s", config_id, public_name);
      break;

    default:
      expert_add_info_format(pinfo, ech_ti, &hf->ei.ech_echconfig_invalid_version, "Unsupported/unknown ECHConfig version 0x%x", version);
  }

  return 4 + length;
10020}

10022uint32_t
10023ssl_dissect_ext_ech_echconfiglist(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                                proto_tree *tree, uint32_t offset, uint32_t offset_end)
10025{
  uint32_t echconfiglist_length, next_offset;

  /* ECHConfig ECHConfigList<1..2^16-1>; */
  if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &echconfiglist_length,
                      hf->hf.ech_echconfiglist_length, 1, UINT16_MAX(65535))) {
      return offset_end;
  }
  offset += 2;
  next_offset = offset + echconfiglist_length;

  while (offset < next_offset) {
      offset += dissect_ech_echconfig(hf, tvb, pinfo, tree, offset, offset_end);
  }

  if (!ssl_end_vector(hf, tvb, pinfo, tree, offset, next_offset)) {
      offset = next_offset;
  }

  return offset;
10045}

10047static uint32_t
10048ssl_dissect_hnd_ech_outer_ext(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
                            uint32_t offset, uint32_t offset_end)
10050{
  uint32_t     ext_length, next_offset;
  proto_tree *ext_tree;
  proto_item *ti;

  if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &ext_length,
                      hf->hf.hs_ext_ech_outer_ext_len, 2, UINT8_MAX(255))) {
      return offset_end;
  }
  offset += 1;
  next_offset = offset + ext_length;

  ti = proto_tree_add_none_format(tree,
                                  hf->hf.hs_ext_ech_outer_ext,
                                  tvb, offset, ext_length,
                                  "Outer Extensions (%d extension%s)",
                                  ext_length / 2,
                                  plurality(ext_length/2, "", "s")((ext_length/2) == 1 ? ("") : ("s")));

  ext_tree = proto_item_add_subtree(ti, hf->ett.hs_ext);

  while (offset + 2 <= offset_end) {
      proto_tree_add_item(ext_tree, hf->hf.hs_ext_type, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
      offset += 2;
  }

  if (!ssl_end_vector(hf, tvb, pinfo, ext_tree, offset, next_offset)) {
      offset = next_offset;
  }

  return offset;
10081}

10083static uint32_t
10084// NOLINTNEXTLINE(misc-no-recursion)
10085ssl_dissect_hnd_hello_ext_ech(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                            proto_tree *tree, uint32_t offset, uint32_t offset_end,
                            uint8_t hnd_type, SslSession *session, SslDecryptSession *ssl, ssl_master_key_map_t *mk_map)
10088{
  uint32_t ch_type, length;
  proto_item *ti, *payload_ti;
  proto_tree *retry_tree, *payload_tree;
  uint32_t hello_length = tvb_reported_length(tvb);

  switch (hnd_type) {
  case SSL_HND_CLIENT_HELLO:
      /*
       *  enum { outer(0), inner(1) } ECHClientHelloType;
       *
       *  struct {
       *     ECHClientHelloType type;
       *     select (ECHClientHello.type) {
       *         case outer:
       *             HpkeSymmetricCipherSuite cipher_suite;
       *             uint8 config_id;
       *             opaque enc<0..2^16-1>;
       *             opaque payload<1..2^16-1>;
       *         case inner:
       *             Empty;
       *     };
       *  } ECHClientHello;
       */

      proto_tree_add_item_ret_uint(tree, hf->hf.ech_clienthello_type, tvb, offset, 1, ENC_BIG_ENDIAN0x00000000, &ch_type);
      offset += 1;
      switch (ch_type) {
      case 0: /* outer */
          if (ssl && session->first_ch_ech_frame == 0) {
              session->first_ch_ech_frame = pinfo->num;
          }
          offset = dissect_ech_hpke_cipher_suite(hf, tvb, pinfo, tree, offset);
          uint16_t kdf_id = tvb_get_ntohs(tvb, offset - 4);
          uint16_t aead_id = tvb_get_ntohs(tvb, offset - 2);

          proto_tree_add_item(tree, hf->hf.ech_config_id, tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
          uint8_t config_id = tvb_get_uint8(tvb, offset);
          offset += 1;
          proto_tree_add_item_ret_uint(tree, hf->hf.ech_enc_length, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &length);
          offset += 2;
          proto_tree_add_item(tree, hf->hf.ech_enc, tvb, offset, length, ENC_NA0x00000000);
          offset += length;
          proto_tree_add_item_ret_uint(tree, hf->hf.ech_payload_length, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &length);
          offset += 2;
          payload_ti = proto_tree_add_item(tree, hf->hf.ech_payload, tvb, offset, length, ENC_NA0x00000000);
          offset += length;

          if (!mk_map) {
              break;
          }
          if (session->client_random.data_len == 0) {
              ssl_debug_printf("%s missing Client Random\n", G_STRFUNC((const char*) (__func__)));
              break;
          }
          StringInfo *ech_secret = (StringInfo *)g_hash_table_lookup(mk_map->ech_secret, &session->client_random);
          StringInfo *ech_config = (StringInfo *)g_hash_table_lookup(mk_map->ech_config, &session->client_random);
          if (!ech_secret || !ech_config) {
              ssl_debug_printf("%s Cannot find ECH_SECRET or ECH_CONFIG, Encrypted Client Hello decryption impossible\n",
                               G_STRFUNC((const char*) (__func__)));
              break;
          }

          if (hpke_hkdf_len(kdf_id) == 0) {
              ssl_debug_printf("Unsupported KDF\n");
              break;
          }

          if (hpke_aead_key_len(aead_id) == 0) {
              ssl_debug_printf("Unsupported AEAD\n");
              break;
          }

          size_t aead_nonce_len = hpke_aead_nonce_len(aead_id);

          unsigned aead_auth_tag_len = hpke_aead_auth_tag_len(aead_id);
          if (length < aead_auth_tag_len) {
              ssl_debug_printf("Encrypted payload length %u < Cipher suite authentication tag length %u.\n", length, aead_auth_tag_len);
              break;
          }
          unsigned decrypted_len = length - aead_auth_tag_len;

          uint16_t version = pntohu16(ech_config->data);
          if (version != SSL_HND_HELLO_EXT_ENCRYPTED_CLIENT_HELLO65037) {
              ssl_debug_printf("Unexpected version in ECH Config\n");
              break;
          }
          uint32_t ech_config_offset = 2;
          if (pntohu16(&ech_config->data[ech_config_offset]) != ech_config->data_len - 4) {
              ssl_debug_printf("Malformed ECH Config, invalid length\n");
              break;
          }
          ech_config_offset += 2;
          if (*(ech_config->data + ech_config_offset) != config_id) {
              ssl_debug_printf("ECH Config version mismatch\n");
              break;
          }
          ech_config_offset += 1;
          uint16_t kem_id = pntohu16(&ech_config->data[ech_config_offset]);
          uint8_t suite_id[HPKE_SUIT_ID_LEN10];
          hpke_suite_id(kem_id, kdf_id, aead_id, suite_id);
          GByteArray *info = g_byte_array_new();
          g_byte_array_append(info, (const uint8_t*)"tls ech", 8);
          g_byte_array_append(info, ech_config->data, ech_config->data_len);
          uint8_t key[AEAD_MAX_KEY_LENGTH32];
          uint8_t base_nonce[HPKE_AEAD_NONCE_LENGTH12];
          if (hpke_key_schedule(kdf_id, aead_id, ech_secret->data, ech_secret->data_len, suite_id, info->data, info->len, HPKE_MODE_BASE0,
                            key, base_nonce)) {
              g_byte_array_free(info, TRUE(!(0)));
              break;
          }
          g_byte_array_free(info, TRUE(!(0)));
          gcry_cipher_hd_t cipher;
          if (hpke_setup_aead(&cipher, aead_id, key) ||
              hpke_set_nonce(cipher, !session->hrr_ech_declined && pinfo->num > session->first_ch_ech_frame, base_nonce, aead_nonce_len)) {
                  gcry_cipher_close(cipher);
                  break;
          }
          const uint8_t *payload = tvb_get_ptr(tvb, offset - length, length);
          uint8_t *ech_aad = (uint8_t *)wmem_alloc(NULL((void*)0), hello_length);
          tvb_memcpy(tvb, ech_aad, 0, hello_length);
          memset(ech_aad + offset - length, 0, length);
          if (gcry_cipher_authenticate(cipher, ech_aad, hello_length)) {
              gcry_cipher_close(cipher);
              wmem_free(NULL((void*)0), ech_aad);
              break;
          }
          wmem_free(NULL((void*)0), ech_aad);
          uint8_t *ech_decrypted_data = (uint8_t *)wmem_alloc(pinfo->pool, decrypted_len);
          if (gcry_cipher_decrypt(cipher, ech_decrypted_data, decrypted_len, payload, decrypted_len)) {
              gcry_cipher_close(cipher);
              break;
          }
          unsigned char *ech_auth_tag_calc = wmem_alloc0(pinfo->pool, aead_auth_tag_len);
          if (gcry_cipher_gettag(cipher, ech_auth_tag_calc, aead_auth_tag_len)) {
              gcry_cipher_close(cipher);
              break;
          }
          if (ssl && !session->hrr_ech_declined && session->first_ch_ech_frame == pinfo->num)
              memcpy(session->first_ech_auth_tag, ech_auth_tag_calc, aead_auth_tag_len);
          gcry_cipher_close(cipher);
          if (memcmp(pinfo->num > session->first_ch_ech_frame ? ech_auth_tag_calc : session->first_ech_auth_tag,
                     payload + decrypted_len, aead_auth_tag_len)) {
              ssl_debug_printf("%s ECH auth tag mismatch\n", G_STRFUNC((const char*) (__func__)));
          } else {
              payload_tree = proto_item_add_subtree(payload_ti, hf->ett.ech_decrypt);
              tvbuff_t *ech_tvb = tvb_new_child_real_data(tvb, ech_decrypted_data, decrypted_len, decrypted_len);
              add_new_data_source(pinfo, ech_tvb, "Client Hello Inner");
              if (ssl) {
                  /* Note the Outer Client Random for Inject TLS Secrets */
                  tls_save_crandom(ssl, mk_map);

                  tvb_memcpy(ech_tvb, ssl->client_random.data, 2, 32);
                  uint32_t len_offset = ssl->ech_transcript.data_len;
                  if (ssl->ech_transcript.data_len > 0)
                      ssl->ech_transcript.data = (unsigned char*)wmem_realloc(wmem_file_scope(), ssl->ech_transcript.data,
                                                                       ssl->ech_transcript.data_len + hello_length + 4);
                  else
                      ssl->ech_transcript.data = (unsigned char*)wmem_alloc(wmem_file_scope(), hello_length + 4);
                  ssl->ech_transcript.data[ssl->ech_transcript.data_len] = SSL_HND_CLIENT_HELLO;
                  ssl->ech_transcript.data[ssl->ech_transcript.data_len + 1] = 0;
                  /* Copy ClientHelloInner up to the legacy_session_id field. */
                  tvb_memcpy(ech_tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len + 4, 0, 34);
                  ssl->ech_transcript.data_len += 38;
                  /* Now copy the legacy_session_id field from ClientHelloOuter. */
                  ssl->ech_transcript.data[ssl->ech_transcript.data_len] = ssl->session_id.data_len;
                  ssl->ech_transcript.data_len++;
                  memcpy(&ssl->ech_transcript.data[ssl->ech_transcript.data_len], ssl->session_id.data, ssl->session_id.data_len);
                  ssl->ech_transcript.data_len += ssl->session_id.data_len;
                  /* Skip past the legacy_session_id field in ClientHelloInner
                   * (which should be the empty string, i.e. just a 0 size.) */
                  uint32_t ech_offset = 35 + tvb_get_uint8(ech_tvb, 34);
                  /* Copy the Cipher Suites from ClientHelloInner. */
                  tvb_memcpy(ech_tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len, ech_offset,
                             2 + tvb_get_ntohs(ech_tvb, ech_offset));
                  ssl->ech_transcript.data_len += 2 + tvb_get_ntohs(ech_tvb, ech_offset);
                  ech_offset += 2 + tvb_get_ntohs(ech_tvb, ech_offset);
                  /* Copy the Compression Methods */
                  tvb_memcpy(ech_tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len, ech_offset,
                             1 + tvb_get_uint8(ech_tvb, ech_offset));
                  ssl->ech_transcript.data_len += 1 + tvb_get_uint8(ech_tvb, ech_offset);
                  ech_offset += 1 + tvb_get_uint8(ech_tvb, ech_offset);
                  /* Now replace extensions in ech_outer_extensions with the
                   * data from ClientHelloOuter. */
                  uint32_t ech_extensions_len_offset = ssl->ech_transcript.data_len;
                  ssl->ech_transcript.data_len += 2;
                  uint32_t extensions_end = ech_offset + tvb_get_ntohs(ech_tvb, ech_offset) + 2;
                  ech_offset += 2;
                  while (extensions_end - ech_offset >= 4) {
                      uint16_t ext_type = tvb_get_ntohs(ech_tvb, ech_offset);
                      ech_offset += 2;
                      uint16_t ext_len = tvb_get_ntohs(ech_tvb, ech_offset);
                      ech_offset += 2;
                      if (ext_type != SSL_HND_HELLO_EXT_ECH_OUTER_EXTENSIONS64768) {
                          /* Copy this extension directly */
                          tvb_memcpy(ech_tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len,
                                     ech_offset - 4, 4 + ext_len);
                          ssl->ech_transcript.data_len += 4 + ext_len;
                          ech_offset += ext_len;
                      } else if (ext_len > 0) {
                          unsigned num_ech_outer_extensions = tvb_get_uint8(ech_tvb, ech_offset);
                          ech_offset += 1;
                          uint32_t ech_outer_extensions_end = ech_offset + num_ech_outer_extensions;
                          /* In ClientHelloOuter, skip past the legacy_session_id */
                          uint32_t outer_offset = 35 + tvb_get_uint8(tvb, 34);
                          /* Skip past Cipher Suites */
                          outer_offset += tvb_get_ntohs(tvb, outer_offset) + 2;
                          /* Skip past Compression Methods */
                          outer_offset += tvb_get_uint8(tvb, outer_offset) + 3;
                          /* Now at the start of ClientHelloOuter's extensions */
                          while (ech_outer_extensions_end - ech_offset >= 2) {
                              ext_type = tvb_get_ntohs(ech_tvb, ech_offset);
                              if (ext_type == SSL_HND_HELLO_EXT_ENCRYPTED_CLIENT_HELLO65037) {
                                  ssl_debug_printf("Illegal parameter; encrypted_client_hello cannot appear within ech_outer_extensions\n");
                                  /* This could lead to a buffer overflow by
                                   * making the post-copying ClientHelloInner
                                   * longer than ClientHelloOuter and is
                                   * illegal, so don't copy. */
                                  break;
                              }
                              bool_Bool found = false0;
                              while (tvb_reported_length_remaining(tvb, outer_offset) >= 4) {
                                  uint16_t outer_ext_type = tvb_get_ntohs(tvb, outer_offset);
                                  uint16_t outer_ext_len = tvb_get_ntohs(tvb, outer_offset + 2);
                                  if (ext_type == outer_ext_type) {
                                      tvb_memcpy(tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len, outer_offset,
                                                 4 + outer_ext_len);
                                      ssl->ech_transcript.data_len += 4 + outer_ext_len;
                                      outer_offset += 4 + outer_ext_len;
                                      found = true1;
                                      break;
                                  } else {
                                      outer_offset += 4 + outer_ext_len;
                                  }
                              }
                              if (!found) {
                                  ssl_debug_printf("Extension %s was not found in ClientHelloOuter (possibly out of order or referenced more than once)\n", val_to_str(pinfo->pool, ext_type, tls_hello_extension_types, "unknown (0x%02x)"));
                              }
                              ech_offset += 2;
                          }
                      }
                  }
                  uint16_t ech_extensions_len = ssl->ech_transcript.data_len - ech_extensions_len_offset - 2;
                  phtonu16(&ssl->ech_transcript.data[ech_extensions_len_offset], ech_extensions_len);
                  phtonu16(&ssl->ech_transcript.data[len_offset + 2], ssl->ech_transcript.data_len - len_offset - 4);
              }
              uint32_t ech_padding_begin = (uint32_t)ssl_dissect_hnd_cli_hello(hf, ech_tvb, pinfo, payload_tree, 0, decrypted_len, session,
                                                                             ssl, NULL((void*)0), mk_map);
              if (ech_padding_begin < decrypted_len) {
                  proto_tree_add_item(payload_tree, hf->hf.ech_padding_data, ech_tvb, ech_padding_begin, decrypted_len - ech_padding_begin,
                                      ENC_NA0x00000000);
              }
          }

          break;
      case 1: /* inner */
          break;
      }
      break;

  case SSL_HND_ENCRYPTED_EXTENSIONS:
      /*
       * struct {
       *     ECHConfigList retry_configs;
       * } ECHEncryptedExtensions;
       */

      ti = proto_tree_add_item(tree, hf->hf.ech_retry_configs, tvb, offset, offset_end - offset, ENC_NA0x00000000);
      retry_tree = proto_item_add_subtree(ti, hf->ett.ech_retry_configs);
      offset = ssl_dissect_ext_ech_echconfiglist(hf, tvb, pinfo, retry_tree, offset, offset_end);
      break;

  case SSL_HND_HELLO_RETRY_REQUEST:
      /*
       * struct {
       *     opaque confirmation[8];
       * } ECHHelloRetryRequest;
       */

      proto_tree_add_item(tree, hf->hf.ech_confirmation, tvb, offset, 8, ENC_NA0x00000000);
      if (session->ech) {
          ti = proto_tree_add_bytes_with_length(tree, hf->hf.hs_ech_confirm_compute, tvb, offset, 0, session->hrr_ech_confirmation, 8);
          proto_item_set_generated(ti);
          if (memcmp(session->hrr_ech_confirmation, tvb_get_ptr(tvb, offset, 8), 8)) {
              expert_add_info(pinfo, ti, &hf->ei.ech_rejected);
          } else {
              expert_add_info(pinfo, ti, &hf->ei.ech_accepted);
          }
      }
      offset += 8;
      break;
  }

  return offset;
10382}

10384static uint32_t
10385ssl_dissect_hnd_hello_ext_esni(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                             proto_tree *tree, uint32_t offset, uint32_t offset_end,
                             uint8_t hnd_type, SslDecryptSession *ssl _U___attribute__((unused)))
10388{
  uint32_t record_digest_length, encrypted_sni_length;

  switch (hnd_type) {
  case SSL_HND_CLIENT_HELLO:
      /*
       * struct {
       *     CipherSuite suite;
       *     KeyShareEntry key_share;
       *     opaque record_digest<0..2^16-1>;
       *     opaque encrypted_sni<0..2^16-1>;
       * } ClientEncryptedSNI;
       */
      proto_tree_add_item(tree, hf->hf.esni_suite, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
      offset += 2;
      offset = ssl_dissect_hnd_hello_ext_key_share_entry(hf, tvb, pinfo, tree, offset, offset_end, NULL((void*)0));

      /* opaque record_digest<0..2^16-1> */
      if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &record_digest_length,
                          hf->hf.esni_record_digest_length, 0, UINT16_MAX(65535))) {
          return offset_end;
      }
      offset += 2;
      if (record_digest_length > 0) {
          proto_tree_add_item(tree, hf->hf.esni_record_digest, tvb, offset, record_digest_length, ENC_NA0x00000000);
          offset += record_digest_length;
      }

      /* opaque encrypted_sni<0..2^16-1> */
      if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &encrypted_sni_length,
                          hf->hf.esni_encrypted_sni_length, 0, UINT16_MAX(65535))) {
          return offset_end;
      }
      offset += 2;
      if (encrypted_sni_length > 0) {
          proto_tree_add_item(tree, hf->hf.esni_encrypted_sni, tvb, offset, encrypted_sni_length, ENC_NA0x00000000);
          offset += encrypted_sni_length;
      }
      break;

  case SSL_HND_ENCRYPTED_EXTENSIONS:
      proto_tree_add_item(tree, hf->hf.esni_nonce, tvb, offset, 16, ENC_NA0x00000000);
      offset += 16;
      break;
  }

  return offset;
10435}
10436/** TLS Extensions (in Client Hello and Server Hello). }}} */

10438/* Connection ID dissection. {{{ */
10439static uint32_t
10440ssl_dissect_ext_connection_id(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                            proto_tree *tree, uint32_t offset, SslDecryptSession *ssl,
                            uint8_t cidl, uint8_t **session_cid, uint8_t *session_cidl)
10443{
  /* keep track of the decrypt session only for the first pass */
  if (cidl > 0 && !PINFO_FD_VISITED(pinfo)((pinfo)->fd->visited)) {
    tvb_ensure_bytes_exist(tvb, offset + 1, cidl);
    *session_cidl = cidl;
    *session_cid = (uint8_t*)wmem_alloc0(wmem_file_scope(), cidl);
    tvb_memcpy(tvb, *session_cid, offset + 1, cidl);
    if (ssl) {
        ssl_add_session_by_cid(ssl);
    }
  }

  proto_tree_add_item(tree, hf->hf.hs_ext_connection_id_length,
                      tvb, offset, 1, ENC_NA0x00000000);
  offset++;

  if (cidl > 0) {
      proto_tree_add_item(tree, hf->hf.hs_ext_connection_id,
                          tvb, offset, cidl, ENC_NA0x00000000);
      offset += cidl;
  }

  return offset;
10466}

10468static uint32_t
10469ssl_dissect_hnd_hello_ext_connection_id(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                                      proto_tree *tree, uint32_t offset, uint8_t hnd_type,
                                      SslSession *session, SslDecryptSession *ssl)
10472{
  uint8_t cidl = tvb_get_uint8(tvb, offset);

  switch (hnd_type) {
  case SSL_HND_CLIENT_HELLO:
      session->client_cid_len_present = true1;
      return ssl_dissect_ext_connection_id(hf, tvb, pinfo, tree, offset, ssl,
                                           cidl, &session->client_cid, &session->client_cid_len);
  case SSL_HND_SERVER_HELLO:
      session->server_cid_len_present = true1;
      return ssl_dissect_ext_connection_id(hf, tvb, pinfo, tree, offset, ssl,
                                           cidl, &session->server_cid, &session->server_cid_len);
  default:
      return offset;
  }
10487} /* }}} */

10489/* Trusted CA dissection. {{{ */
10490static uint32_t
10491ssl_dissect_hnd_hello_ext_trusted_ca_keys(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
                                        uint32_t offset, uint32_t offset_end)
10493{
  proto_item *ti;
  proto_tree *subtree;
  uint32_t keys_length, next_offset;

  /*
   * struct {
   *     TrustedAuthority trusted_authorities_list<0..2^16-1>;
   * } TrustedAuthorities;
   *
   * struct {
   *     IdentifierType identifier_type;
   *     select (identifier_type) {
   *         case pre_agreed: struct {};
   *         case key_sha1_hash: SHA1Hash;
   *         case x509_name: DistinguishedName;
   *         case cert_sha1_hash: SHA1Hash;
   *     } identifier;
   * } TrustedAuthority;
   *
   * enum {
   *     pre_agreed(0), key_sha1_hash(1), x509_name(2),
   *     cert_sha1_hash(3), (255)
   * } IdentifierType;
   *
   * opaque DistinguishedName<1..2^16-1>;
   *
   */


  /* TrustedAuthority trusted_authorities_list<0..2^16-1> */
  if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &keys_length, hf->hf.hs_ext_trusted_ca_keys_len,
                      0, UINT16_MAX(65535)))
  {
      return offset_end;
  }
  offset += 2;
  next_offset = offset + keys_length;

  if (keys_length > 0)
  {
      ti = proto_tree_add_none_format(tree, hf->hf.hs_ext_trusted_ca_keys_list, tvb, offset, keys_length,
                                      "Trusted CA keys (%d byte%s)", keys_length, plurality(keys_length, "", "s")((keys_length) == 1 ? ("") : ("s")));
      subtree = proto_item_add_subtree(ti, hf->ett.hs_ext_trusted_ca_keys);

      while (offset < next_offset)
      {
          uint32_t identifier_type;
          proto_tree *trusted_key_tree;
          proto_item *trusted_key_item;
          asn1_ctx_t  asn1_ctx;
          uint32_t key_len = 0;

          identifier_type = tvb_get_uint8(tvb, offset);

          // Use 0 as length for now as we'll only know the size when we decode the identifier
          trusted_key_item = proto_tree_add_none_format(subtree, hf->hf.hs_ext_trusted_ca_key, tvb,
                                                        offset, 0, "Trusted CA Key");
          trusted_key_tree = proto_item_add_subtree(trusted_key_item, hf->ett.hs_ext_trusted_ca_key);

          proto_tree_add_uint(trusted_key_tree, hf->hf.hs_ext_trusted_ca_key_type, tvb,
                              offset, 1, identifier_type);
          offset++;

          /*
           * enum {
           *       pre_agreed(0), key_sha1_hash(1), x509_name(2),
           *       cert_sha1_hash(3), (255)
           *   } IdentifierType;
           */
          switch (identifier_type)
          {
              case 0:
                  key_len = 0;
                  break;
              case 2:
                  asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true1, pinfo);

                  uint32_t name_length;
                  /* opaque DistinguishedName<1..2^16-1> */
                  if (!ssl_add_vector(hf, tvb, pinfo, trusted_key_tree, offset, next_offset, &name_length,
                                      hf->hf.hs_ext_trusted_ca_key_dname_len, 1, UINT16_MAX(65535))) {
                      return next_offset;
                  }
                  offset += 2;

                  dissect_x509if_DistinguishedName(false0, tvb, offset, &asn1_ctx,
                                                   trusted_key_tree, hf->hf.hs_ext_trusted_ca_key_dname);
                  offset += name_length;
                  break;
              case 1:
              case 3:
                  key_len = 20;
                  /* opaque SHA1Hash[20]; */
                  proto_tree_add_item(trusted_key_tree, hf->hf.hs_ext_trusted_ca_key_hash, tvb,
                                      offset, 20, ENC_NA0x00000000);
                  break;

              default:
                  key_len = 0;
                  /*TODO display expert info about unknown ? */
                  break;
          }
          proto_item_set_len(trusted_key_item, 1 + key_len);
          offset += key_len;
      }
  }

  if (!ssl_end_vector(hf, tvb, pinfo, tree, offset, next_offset))
  {
      offset = next_offset;
  }

  return offset;
10607} /* }}} */


10610/* Whether the Content and Handshake Types are valid; handle Protocol Version. {{{ */
10611bool_Bool
10612ssl_is_valid_content_type(uint8_t type)
10613{
  switch ((ContentType) type) {
  case SSL_ID_CHG_CIPHER_SPEC:
  case SSL_ID_ALERT:
  case SSL_ID_HANDSHAKE:
  case SSL_ID_APP_DATA:
  case SSL_ID_HEARTBEAT:
  case SSL_ID_TLS12_CID:
  case SSL_ID_DTLS13_ACK:
      return true1;
  }
  return false0;
10625}

10627bool_Bool
10628ssl_is_valid_handshake_type(uint8_t hs_type, bool_Bool is_dtls)
10629{
  switch ((HandshakeType) hs_type) {
  case SSL_HND_HELLO_VERIFY_REQUEST:
      /* hello_verify_request is DTLS-only */
      return is_dtls;

  case SSL_HND_HELLO_REQUEST:
  case SSL_HND_CLIENT_HELLO:
  case SSL_HND_SERVER_HELLO:
  case SSL_HND_NEWSESSION_TICKET:
  case SSL_HND_END_OF_EARLY_DATA:
  case SSL_HND_HELLO_RETRY_REQUEST:
  case SSL_HND_ENCRYPTED_EXTENSIONS:
  case SSL_HND_CERTIFICATE:
  case SSL_HND_SERVER_KEY_EXCHG:
  case SSL_HND_CERT_REQUEST:
  case SSL_HND_SVR_HELLO_DONE:
  case SSL_HND_CERT_VERIFY:
  case SSL_HND_CLIENT_KEY_EXCHG:
  case SSL_HND_FINISHED:
  case SSL_HND_CERT_URL:
  case SSL_HND_CERT_STATUS:
  case SSL_HND_SUPPLEMENTAL_DATA:
  case SSL_HND_KEY_UPDATE:
  case SSL_HND_COMPRESSED_CERTIFICATE:
  case SSL_HND_ENCRYPTED_EXTS:
      return true1;
  case SSL_HND_MESSAGE_HASH:
      return false0;
  }
  return false0;
10660}

10662static bool_Bool
10663ssl_is_authoritative_version_message(uint8_t content_type, uint8_t handshake_type,
                                   bool_Bool is_dtls)
10665{
  /* Consider all valid Handshake messages (except for Client Hello) and
   * all other valid record types (other than Handshake) */
  return (content_type == SSL_ID_HANDSHAKE &&
          ssl_is_valid_handshake_type(handshake_type, is_dtls) &&
          handshake_type != SSL_HND_CLIENT_HELLO) ||
         (content_type != SSL_ID_HANDSHAKE &&
          ssl_is_valid_content_type(content_type));
10673}

10675/**
* Scan a Server Hello handshake message for the negotiated version. For TLS 1.3
* draft 22 and newer, it also checks whether it is a HelloRetryRequest.
* Returns true if the supported_versions extension was found, false if not.
*/
10680bool_Bool
10681tls_scan_server_hello(tvbuff_t *tvb, uint32_t offset, uint32_t offset_end,
                    uint16_t *server_version, bool_Bool *is_hrr)
10683{
  /* SHA256("HelloRetryRequest") */
  static const uint8_t tls13_hrr_random_magic[] = {
      0xcf, 0x21, 0xad, 0x74, 0xe5, 0x9a, 0x61, 0x11, 0xbe, 0x1d, 0x8c, 0x02, 0x1e, 0x65, 0xb8, 0x91,
      0xc2, 0xa2, 0x11, 0x16, 0x7a, 0xbb, 0x8c, 0x5e, 0x07, 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c
  };
  uint8_t session_id_length;

  *server_version = tvb_get_ntohs(tvb, offset);

  /*
   * Try to look for supported_versions extension. Minimum length:
   * 2 + 32 + 1 = 35 (version, random, session id length)
   * 2 + 1 + 2 = 5 (cipher suite, compression method, extensions length)
   * 2 + 2 + 2 = 6 (ext type, ext len, version)
   *
   * We only check for the [legacy_]version field to be [D]TLS 1.2; if it's 1.3,
   * there's a separate expert info warning for that.
   */
  if ((*server_version == TLSV1DOT2_VERSION0x303 || *server_version == DTLSV1DOT2_VERSION0xfefd) && offset_end - offset >= 46) {
      offset += 2;
      if (is_hrr) {
          *is_hrr = tvb_memeql(tvb, offset, tls13_hrr_random_magic, sizeof(tls13_hrr_random_magic)) == 0;
      }
      offset += 32;
      session_id_length = tvb_get_uint8(tvb, offset);
      offset++;
      if (offset_end - offset < session_id_length + 5u) {
          return false0;
      }
      offset += session_id_length + 5;

      while (offset_end - offset >= 6) {
          uint16_t ext_type = tvb_get_ntohs(tvb, offset);
          uint16_t ext_len = tvb_get_ntohs(tvb, offset + 2);
          if (offset_end - offset < 4u + ext_len) {
              break;  /* not enough data for type, length and data */
          }
          if (ext_type == SSL_HND_HELLO_EXT_SUPPORTED_VERSIONS43) {
              if (ext_len == 2) {
                  *server_version = tvb_get_ntohs(tvb, offset + 4);
              }
              return true1;
          }
          offset += 4 + ext_len;
      }
  } else {
      if (is_hrr) {
          *is_hrr = false0;
      }
  }
  return false0;
10735}

10737/**
* Scan a Client Hello handshake message to see if the supported_versions
* extension is found, in which case the version field is legacy_version.
*/
10741static bool_Bool
10742tls_scan_client_hello(tvbuff_t *tvb, uint32_t offset, uint32_t offset_end)
10743{
  uint8_t session_id_length;

  uint16_t client_version = tvb_get_ntohs(tvb, offset);

  /*
   * Try to look for supported_versions extension. Minimum length:
   * 2 + 32 + 1 = 35 (version, random, session id length)
   * 2 + 2 + 1 + 2 = 5 (cipher suite, compression method, extensions length)
   * 2 + 2 + 2 = 6 (ext type, ext len, version)
   *
   * We only check for the [legacy_]version field to be [D]TLS 1.2; if it's 1.3,
   * there's a separate expert info warning for that.
   */
  if ((client_version == TLSV1DOT2_VERSION0x303 || client_version == DTLSV1DOT2_VERSION0xfefd) && offset_end - offset >= 46) {
      offset += 2;
      offset += 32;
      session_id_length = tvb_get_uint8(tvb, offset);
      offset++;
      if (offset_end - offset < session_id_length + 2u) {
          return false0;
      }
      offset += session_id_length;
      if (client_version == DTLSV1DOT2_VERSION0xfefd) {
          uint8_t cookie_length = tvb_get_uint8(tvb, offset);
          offset++;
          if (offset_end - offset < cookie_length + 2u) {
              return false0;
          }
      }
      uint16_t cipher_suites_length = tvb_get_ntohs(tvb, offset);
      offset += 2;
      if (offset_end - offset < cipher_suites_length + 1u) {
          return false0;
      }
      offset += cipher_suites_length;
      uint8_t compression_methods_length = tvb_get_uint8(tvb, offset);
      offset++;
      if (offset_end - offset < compression_methods_length + 2u) {
          return false0;
      }
      offset += compression_methods_length + 2;

      while (offset_end - offset >= 6) {
          uint16_t ext_type = tvb_get_ntohs(tvb, offset);
          uint16_t ext_len = tvb_get_ntohs(tvb, offset + 2);
          if (offset_end - offset < 4u + ext_len) {
              break;  /* not enough data for type, length and data */
          }
          if (ext_type == SSL_HND_HELLO_EXT_SUPPORTED_VERSIONS43) {
              return true1;
          }
          offset += 4 + ext_len;
      }
  }
  return false0;
10799}
10800void
10801ssl_try_set_version(SslSession *session, SslDecryptSession *ssl,
                  uint8_t content_type, uint8_t handshake_type,
                  bool_Bool is_dtls, uint16_t version)
10804{
  uint8_t tls13_draft = 0;

  if (!ssl_is_authoritative_version_message(content_type, handshake_type,
              is_dtls))
      return;

  version = tls_try_get_version(is_dtls, version, &tls13_draft);
  if (version == SSL_VER_UNKNOWN0) {
      return;
  }

  session->tls13_draft_version = tls13_draft;
  session->version = version;
  if (ssl) {
      ssl->state |= SSL_VERSION(1<<4);
      ssl_debug_printf("%s found version 0x%04X -> state 0x%02X\n", G_STRFUNC((const char*) (__func__)), version, ssl->state);
  }
10822}

10824void
10825ssl_check_record_length(ssl_common_dissect_t *hf, packet_info *pinfo,
                      ContentType content_type,
                      unsigned record_length, proto_item *length_pi,
                      uint16_t version, tvbuff_t *decrypted_tvb)
10829{
  unsigned max_expansion;
  if (version == TLSV1DOT3_VERSION0x304) {
      /* TLS 1.3: Max length is 2^14 + 256 */
      max_expansion = 256;
  } else {
      /* RFC 5246, Section 6.2.3: TLSCiphertext.fragment length MUST NOT exceed 2^14 + 2048 */
      max_expansion = 2048;
  }
  /*
   * RFC 5246 (TLS 1.2), Section 6.2.1 forbids zero-length Handshake, Alert
   * and ChangeCipherSpec.
   * RFC 6520 (Heartbeats) does not mention zero-length Heartbeat fragments,
   * so assume it is permitted.
   * RFC 6347 (DTLS 1.2) does not mention zero-length fragments either, so
   * assume TLS 1.2 requirements.
   */
  if (record_length == 0 &&
          (content_type == SSL_ID_CHG_CIPHER_SPEC ||
           content_type == SSL_ID_ALERT ||
           content_type == SSL_ID_HANDSHAKE)) {
      expert_add_info_format(pinfo, length_pi, &hf->ei.record_length_invalid,
                             "Zero-length %s fragments are not allowed",
                             val_to_str_const(content_type, ssl_31_content_type, "unknown"));
  }
  if (record_length > TLS_MAX_RECORD_LENGTH0x4000 + max_expansion) {
      expert_add_info_format(pinfo, length_pi, &hf->ei.record_length_invalid,
                             "TLSCiphertext length MUST NOT exceed 2^14 + %u", max_expansion);
  }
  if (decrypted_tvb && tvb_captured_length(decrypted_tvb) > TLS_MAX_RECORD_LENGTH0x4000) {
      expert_add_info_format(pinfo, length_pi, &hf->ei.record_length_invalid,
                             "TLSPlaintext length MUST NOT exceed 2^14");
  }
10862}

10864static void
10865ssl_set_cipher(SslDecryptSession *ssl, uint16_t cipher)
10866{
  /* store selected cipher suite for decryption */
  ssl->session.cipher = cipher;

  const SslCipherSuite *cs = ssl_find_cipher(cipher);
  if (!cs) {
      ssl->cipher_suite = NULL((void*)0);
      ssl->state &= ~SSL_CIPHER(1<<2);
      ssl_debug_printf("%s can't find cipher suite 0x%04X\n", G_STRFUNC((const char*) (__func__)), cipher);
  } else if (ssl->session.version == SSLV3_VERSION0x300 && !(cs->dig == DIG_MD50x40 || cs->dig == DIG_SHA0x41)) {
      /* A malicious packet capture contains a SSL 3.0 session using a TLS 1.2
       * cipher suite that uses for example MACAlgorithm SHA256. Reject that
       * to avoid a potential buffer overflow in ssl3_check_mac. */
      ssl->cipher_suite = NULL((void*)0);
      ssl->state &= ~SSL_CIPHER(1<<2);
      ssl_debug_printf("%s invalid SSL 3.0 cipher suite 0x%04X\n", G_STRFUNC((const char*) (__func__)), cipher);
  } else {
      /* Cipher found, save this for the delayed decoder init */
      ssl->cipher_suite = cs;
      ssl->state |= SSL_CIPHER(1<<2);
      ssl_debug_printf("%s found CIPHER 0x%04X %s -> state 0x%02X\n", G_STRFUNC((const char*) (__func__)), cipher,
                       val_to_str_ext_const(cipher, &ssl_31_ciphersuite_ext, "unknown"),
                       ssl->state);
  }
10890}
10891/* }}} */


10894/* Client Hello and Server Hello dissections. {{{ */
10895static int
10896ssl_dissect_hnd_extension(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree,
                        packet_info* pinfo, uint32_t offset, uint32_t offset_end, uint8_t hnd_type,
                        SslSession *session, SslDecryptSession *ssl,
                        bool_Bool is_dtls, wmem_strbuf_t *ja3, ja4_data_t *ja4_data,
                        ssl_master_key_map_t *mk_map);
10901int
10902// NOLINTNEXTLINE(misc-no-recursion)
10903ssl_dissect_hnd_cli_hello(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                        packet_info *pinfo, proto_tree *tree, uint32_t offset,
                        uint32_t offset_end, SslSession *session,
                        SslDecryptSession *ssl, dtls_hfs_t *dtls_hfs, ssl_master_key_map_t *mk_map)
10907{
  /* struct {
   *     ProtocolVersion client_version;
   *     Random random;
   *     SessionID session_id;
   *     opaque cookie<0..32>;                   //new field for DTLS
   *     CipherSuite cipher_suites<2..2^16-1>;
   *     CompressionMethod compression_methods<1..2^8-1>;
   *     Extension client_hello_extension_list<0..2^16-1>;
   * } ClientHello;
   */
  proto_item *ti;
  proto_tree *cs_tree;
  uint32_t    client_version;
  uint32_t    cipher_suite_length;
  uint32_t    compression_methods_length;
  uint8_t     compression_method;
  uint32_t    next_offset;
  uint32_t    initial_offset = offset;
  wmem_strbuf_t *ja3 = wmem_strbuf_new(pinfo->pool, "");
  char       *ja3_hash;
  char       *ja3_dash = "";
  char       *ja4, *ja4_r, *ja4_hash, *ja4_b, *ja4_c;
  ja4_data_t  ja4_data;
  wmem_strbuf_t *ja4_a  = wmem_strbuf_new(pinfo->pool, "");
  wmem_strbuf_t *ja4_br = wmem_strbuf_new(pinfo->pool, "");
  wmem_strbuf_t *ja4_cr = wmem_strbuf_new(pinfo->pool, "");
  wmem_list_frame_t *curr_entry;

  DISSECTOR_ASSERT_CMPINT(initial_offset, <=, offset_end)((void) ((initial_offset <= offset_end) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion " "initial_offset" " " "<=" " " "offset_end"
 " (" "%" "l" "d" " " "<=" " " "%" "l" "d" ")", "epan/dissectors/packet-tls-utils.c"
, 10936, (int64_t)initial_offset, (int64_t)offset_end))));
  tvbuff_t   *hello_tvb = tvb_new_subset_length(tvb, initial_offset, offset_end - initial_offset);
  offset = 0;
  offset_end = tvb_reported_length(hello_tvb);

  ja4_data.max_version = 0;
  ja4_data.server_name_present = false0;
  ja4_data.num_cipher_suites = 0;
  ja4_data.num_extensions = 0;
  ja4_data.alpn = wmem_strbuf_new(pinfo->pool, "");
  ja4_data.cipher_list = wmem_list_new(pinfo->pool);
  ja4_data.extension_list = wmem_list_new(pinfo->pool);
  ja4_data.sighash_list = wmem_list_new(pinfo->pool);

  /* show the client version */
  ti = proto_tree_add_item_ret_uint(tree, hf->hf.hs_client_version, hello_tvb,
                                    offset, 2, ENC_BIG_ENDIAN0x00000000,
                                    &client_version);
  if (tls_scan_client_hello(hello_tvb, offset, offset_end)) {
      expert_add_info(pinfo, ti, &hf->ei.legacy_version);
  }
  offset += 2;
  wmem_strbuf_append_printf(ja3, "%i,", client_version);

  /*
   * Is it version 1.3?
   * If so, that's an error; TLS and DTLS 1.3 Client Hellos claim
   * to be TLS 1.2, and mention 1.3 in an extension.  See RFC 8446
   * section 4.1.2 "Client Hello" and RFC 9147 Section 5.3 "Client
   * Hello".
   */
  if (dtls_hfs != NULL((void*)0)) {
      if (client_version  == DTLSV1DOT3_VERSION0xfefc) {
          /* Don't do that. */
          expert_add_info(pinfo, ti, &hf->ei.client_version_error);
      }
  } else {
      if (client_version == TLSV1DOT3_VERSION0x304) {
          /* Don't do that. */
          expert_add_info(pinfo, ti, &hf->ei.client_version_error);
      }
  }

  /* dissect fields that are present in both ClientHello and ServerHello */
  offset = ssl_dissect_hnd_hello_common(hf, hello_tvb, pinfo, tree, offset, session, ssl, false0, false0);

  /* fields specific for DTLS (cookie_len, cookie) */
  if (dtls_hfs != NULL((void*)0)) {
      uint32_t cookie_length;
      /* opaque cookie<0..32> (for DTLS only) */
      if (!ssl_add_vector(hf, hello_tvb, pinfo, tree, offset, offset_end, &cookie_length,
                          dtls_hfs->hf_dtls_handshake_cookie_len, 0, 32)) {
          return offset;
      }
      offset++;
      if (cookie_length > 0) {
          proto_tree_add_item(tree, dtls_hfs->hf_dtls_handshake_cookie,
                              hello_tvb, offset, cookie_length, ENC_NA0x00000000);
          offset += cookie_length;
      }
  }

  /* CipherSuite cipher_suites<2..2^16-1> */
  if (!ssl_add_vector(hf, hello_tvb, pinfo, tree, offset, offset_end, &cipher_suite_length,
                      hf->hf.hs_cipher_suites_len, 2, UINT16_MAX(65535))) {
      return offset;
  }
  offset += 2;
  next_offset = offset + cipher_suite_length;
  ti = proto_tree_add_none_format(tree,
                                  hf->hf.hs_cipher_suites,
                                  hello_tvb, offset, cipher_suite_length,
                                  "Cipher Suites (%d suite%s)",
                                  cipher_suite_length / 2,
                                  plurality(cipher_suite_length/2, "", "s")((cipher_suite_length/2) == 1 ? ("") : ("s")));
  cs_tree = proto_item_add_subtree(ti, hf->ett.cipher_suites);
  while (offset + 2 <= next_offset) {
      uint32_t    cipher_suite;

      proto_tree_add_item_ret_uint(cs_tree, hf->hf.hs_cipher_suite, hello_tvb, offset, 2,
                                   ENC_BIG_ENDIAN0x00000000, &cipher_suite);
      offset += 2;
      if (!IS_GREASE_TLS(cipher_suite)((((cipher_suite) & 0x0f0f) == 0x0a0a) && (((cipher_suite
) & 0xff) == (((cipher_suite)>>8) & 0xff)))) {
          wmem_strbuf_append_printf(ja3, "%s%i",ja3_dash, cipher_suite);
          ja3_dash = "-";
          ja4_data.num_cipher_suites += 1;
          wmem_list_insert_sorted(ja4_data.cipher_list, GUINT_TO_POINTER(cipher_suite)((gpointer) (gulong) (cipher_suite)), wmem_compare_uint);
      }
  }
  wmem_strbuf_append_c(ja3, ',');
  if (!ssl_end_vector(hf, hello_tvb, pinfo, cs_tree, offset, next_offset)) {
      offset = next_offset;
  }

  /* CompressionMethod compression_methods<1..2^8-1> */
  if (!ssl_add_vector(hf, hello_tvb, pinfo, tree, offset, offset_end, &compression_methods_length,
                      hf->hf.hs_comp_methods_len, 1, UINT8_MAX(255))) {
      return offset;
  }
  offset++;
  next_offset = offset + compression_methods_length;
  ti = proto_tree_add_none_format(tree,
                                  hf->hf.hs_comp_methods,
                                  hello_tvb, offset, compression_methods_length,
                                  "Compression Methods (%u method%s)",
                                  compression_methods_length,
                                  plurality(compression_methods_length,((compression_methods_length) == 1 ? ("") : ("s"))
                                    "", "s")((compression_methods_length) == 1 ? ("") : ("s")));
  cs_tree = proto_item_add_subtree(ti, hf->ett.comp_methods);
  while (offset < next_offset) {
      compression_method = tvb_get_uint8(hello_tvb, offset);
      /* TODO: make reserved/private comp meth. fields selectable */
      if (compression_method < 64)
          proto_tree_add_uint(cs_tree, hf->hf.hs_comp_method,
                              hello_tvb, offset, 1, compression_method);
      else if (compression_method > 63 && compression_method < 193)
          proto_tree_add_uint_format_value(cs_tree, hf->hf.hs_comp_method, hello_tvb, offset, 1,
                              compression_method, "Reserved - to be assigned by IANA (%u)",
                              compression_method);
      else
          proto_tree_add_uint_format_value(cs_tree, hf->hf.hs_comp_method, hello_tvb, offset, 1,
                              compression_method, "Private use range (%u)",
                              compression_method);
      offset++;
  }

  /* SSL v3.0 has no extensions, so length field can indeed be missing. */
  if (offset < offset_end) {
      offset = ssl_dissect_hnd_extension(hf, hello_tvb, tree, pinfo, offset,
                                         offset_end, SSL_HND_CLIENT_HELLO,
                                         session, ssl, dtls_hfs != NULL((void*)0), ja3, &ja4_data, mk_map);
      if (ja4_data.max_version > 0) {
          client_version = ja4_data.max_version;
      }
  } else {
      wmem_strbuf_append_printf(ja3, ",,");
  }

  if (proto_is_frame_protocol(pinfo->layers,"tcp")) {
      wmem_strbuf_append(ja4_a, "t");
  } else if (proto_is_frame_protocol(pinfo->layers,"quic")) {
      wmem_strbuf_append(ja4_a, "q");
  } else if (proto_is_frame_protocol(pinfo->layers,"dtls")) {
      wmem_strbuf_append(ja4_a, "d");
  }
  wmem_strbuf_append_printf(ja4_a, "%s", val_to_str_const(client_version, ssl_version_ja4_names, "00"));
  wmem_strbuf_append_printf(ja4_a, "%s", ja4_data.server_name_present ? "d" : "i");
  if (ja4_data.num_cipher_suites > 99) {
      wmem_strbuf_append(ja4_a, "99");
  } else {
      wmem_strbuf_append_printf(ja4_a, "%02d", ja4_data.num_cipher_suites);
  }
  if (ja4_data.num_extensions > 99) {
      wmem_strbuf_append(ja4_a, "99");
  } else {
      wmem_strbuf_append_printf(ja4_a, "%02d", ja4_data.num_extensions);
  }
  if (wmem_strbuf_get_len(ja4_data.alpn) > 0 ) {
      wmem_strbuf_append_printf(ja4_a, "%s", wmem_strbuf_get_str(ja4_data.alpn));
  } else {
      wmem_strbuf_append(ja4_a, "00");
  }

  curr_entry = wmem_list_head(ja4_data.cipher_list);
  for (unsigned i = 0; i < wmem_list_count(ja4_data.cipher_list); i++) {
      wmem_strbuf_append_printf(ja4_br, "%04x", GPOINTER_TO_UINT(wmem_list_frame_data(curr_entry))((guint) (gulong) (wmem_list_frame_data(curr_entry))));
      if (i < wmem_list_count(ja4_data.cipher_list) - 1) {
          wmem_strbuf_append(ja4_br, ",");
      }
      curr_entry = wmem_list_frame_next(curr_entry);
  }

  curr_entry = wmem_list_head(ja4_data.extension_list);
  for (unsigned i = 0; i < wmem_list_count(ja4_data.extension_list); i++) {
      wmem_strbuf_append_printf(ja4_cr, "%04x", GPOINTER_TO_UINT(wmem_list_frame_data(curr_entry))((guint) (gulong) (wmem_list_frame_data(curr_entry))));
      if (i < wmem_list_count(ja4_data.extension_list) - 1) {
          wmem_strbuf_append(ja4_cr, ",");
      }
      curr_entry = wmem_list_frame_next(curr_entry);
  }

  if (wmem_list_count(ja4_data.sighash_list) > 0) {
      wmem_strbuf_append(ja4_cr, "_");
      curr_entry = wmem_list_head(ja4_data.sighash_list);
      for (unsigned i = 0; i < wmem_list_count(ja4_data.sighash_list); i++) {
          wmem_strbuf_append_printf(ja4_cr, "%04x", GPOINTER_TO_UINT(wmem_list_frame_data(curr_entry))((guint) (gulong) (wmem_list_frame_data(curr_entry))));
          if (i < wmem_list_count(ja4_data.sighash_list) - 1) {
              wmem_strbuf_append(ja4_cr, ",");
          }
          curr_entry = wmem_list_frame_next(curr_entry);
      }
  }
  if ( wmem_strbuf_get_len(ja4_br) == 0 ) {
      ja4_hash = g_strdup("000000000000")g_strdup_inline ("000000000000");
  } else {
      ja4_hash = g_compute_checksum_for_string(G_CHECKSUM_SHA256, wmem_strbuf_get_str(ja4_br),-1);
  }
  ja4_b = wmem_strndup(pinfo->pool, ja4_hash, 12);

  g_free(ja4_hash)(__builtin_object_size ((ja4_hash), 0) != ((size_t) - 1)) ? g_free_sized
 (ja4_hash, __builtin_object_size ((ja4_hash), 0)) : (g_free)
 (ja4_hash);
  if ( wmem_strbuf_get_len(ja4_cr) == 0 ) {
      ja4_hash = g_strdup("000000000000")g_strdup_inline ("000000000000");
  } else {
      ja4_hash = g_compute_checksum_for_string(G_CHECKSUM_SHA256, wmem_strbuf_get_str(ja4_cr),-1);
  }
  ja4_c = wmem_strndup(pinfo->pool, ja4_hash, 12);
  g_free(ja4_hash)(__builtin_object_size ((ja4_hash), 0) != ((size_t) - 1)) ? g_free_sized
 (ja4_hash, __builtin_object_size ((ja4_hash), 0)) : (g_free)
 (ja4_hash);

  ja4 = wmem_strdup_printf(pinfo->pool, "%s_%s_%s", wmem_strbuf_get_str(ja4_a), ja4_b, ja4_c);
  ja4_r = wmem_strdup_printf(pinfo->pool, "%s_%s_%s", wmem_strbuf_get_str(ja4_a), wmem_strbuf_get_str(ja4_br), wmem_strbuf_get_str(ja4_cr));

  ti = proto_tree_add_string(tree, hf->hf.hs_ja4, hello_tvb, offset, 0, ja4);
  proto_item_set_generated(ti);
  ti = proto_tree_add_string(tree, hf->hf.hs_ja4_r, hello_tvb, offset, 0, ja4_r);
  proto_item_set_generated(ti);

  ja3_hash = g_compute_checksum_for_string(G_CHECKSUM_MD5, wmem_strbuf_get_str(ja3),
          wmem_strbuf_get_len(ja3));
  ti = proto_tree_add_string(tree, hf->hf.hs_ja3_full, hello_tvb, offset, 0, wmem_strbuf_get_str(ja3));
  proto_item_set_generated(ti);
  ti = proto_tree_add_string(tree, hf->hf.hs_ja3_hash, hello_tvb, offset, 0, ja3_hash);
  proto_item_set_generated(ti);
  g_free(ja3_hash)(__builtin_object_size ((ja3_hash), 0) != ((size_t) - 1)) ? g_free_sized
 (ja3_hash, __builtin_object_size ((ja3_hash), 0)) : (g_free)
 (ja3_hash);
  return initial_offset + offset;
11160}

11162void
11163ssl_dissect_hnd_srv_hello(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                        packet_info* pinfo, proto_tree *tree, uint32_t offset, uint32_t offset_end,
                        SslSession *session, SslDecryptSession *ssl,
                        bool_Bool is_dtls, bool_Bool is_hrr)
11167{
  /* struct {
   *     ProtocolVersion server_version;
   *     Random random;
   *     SessionID session_id;                    // TLS 1.2 and before
   *     CipherSuite cipher_suite;
   *     CompressionMethod compression_method;    // TLS 1.2 and before
   *     Extension server_hello_extension_list<0..2^16-1>;
   * } ServerHello;
   */
  uint8_t draft_version = session->tls13_draft_version;
  proto_item *ti;
  uint32_t    server_version;
  uint32_t    cipher_suite;
  uint32_t    initial_offset = offset;
  wmem_strbuf_t *ja3 = wmem_strbuf_new(pinfo->pool, "");
  char       *ja3_hash;

  col_set_str(pinfo->cinfo, COL_PROTOCOL,
              val_to_str_const(session->version, ssl_version_short_names, "SSL"));

  /* Initially assume that the session is resumed. If this is not the case, a
   * ServerHelloDone will be observed before the ChangeCipherSpec message
   * which will reset this flag. */
  session->is_session_resumed = true1;

  /* show the server version */
  ti = proto_tree_add_item_ret_uint(tree, hf->hf.hs_server_version, tvb,
                      offset, 2, ENC_BIG_ENDIAN0x00000000, &server_version);

  uint16_t supported_server_version;
  if (tls_scan_server_hello(tvb, offset, offset_end, &supported_server_version, NULL((void*)0))) {
      expert_add_info(pinfo, ti, &hf->ei.legacy_version);
  }
  /*
   * Is it version 1.3?
   * If so, that's an error; TLS and DTLS 1.3 Server Hellos claim
   * to be TLS 1.2, and mention 1.3 in an extension.  See RFC 8446
   * section 4.1.3 "Server Hello" and RFC 9147 Section 5.4 "Server
   * Hello".
   */
  if (is_dtls) {
      if (server_version  == DTLSV1DOT3_VERSION0xfefc) {
          /* Don't do that. */
          expert_add_info(pinfo, ti, &hf->ei.server_version_error);
      }
  } else {
      if (server_version == TLSV1DOT3_VERSION0x304) {
          /* Don't do that. */
          expert_add_info(pinfo, ti, &hf->ei.server_version_error);
      }
  }

  offset += 2;
  wmem_strbuf_append_printf(ja3, "%i", server_version);

  /* dissect fields that are present in both ClientHello and ServerHello */
  offset = ssl_dissect_hnd_hello_common(hf, tvb, pinfo, tree, offset, session, ssl, true1, is_hrr);

  if (ssl) {
      /* store selected cipher suite for decryption */
      ssl_set_cipher(ssl, tvb_get_ntohs(tvb, offset));
  }

  /* now the server-selected cipher suite */
  proto_tree_add_item_ret_uint(tree, hf->hf.hs_cipher_suite,
                      tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &cipher_suite);
  offset += 2;
  wmem_strbuf_append_printf(ja3, ",%i,", cipher_suite);

  /* No compression with TLS 1.3 before draft -22 */
  if (!(session->version == TLSV1DOT3_VERSION0x304 && draft_version > 0 && draft_version < 22)) {
      if (ssl) {
          /* store selected compression method for decryption */
          ssl->session.compression = tvb_get_uint8(tvb, offset);
      }
      /* and the server-selected compression method */
      proto_tree_add_item(tree, hf->hf.hs_comp_method,
                          tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
      offset++;
  }

  /* SSL v3.0 has no extensions, so length field can indeed be missing. */
  if (offset < offset_end) {
      offset = ssl_dissect_hnd_extension(hf, tvb, tree, pinfo, offset,
                                         offset_end,
                                         is_hrr ? SSL_HND_HELLO_RETRY_REQUEST : SSL_HND_SERVER_HELLO,
                                         session, ssl, is_dtls, ja3, NULL((void*)0), NULL((void*)0));
  }

  if (ssl && ssl->ech_transcript.data_len > 0 && (ssl->state & SSL_CIPHER(1<<2)) && ssl->client_random.data_len > 0) {
      int hash_algo = ssl_get_digest_by_name(ssl_cipher_suite_dig(ssl->cipher_suite)->name);
      if (hash_algo) {
          SSL_MDgcry_md_hd_t mc;
          unsigned char transcript_hash[DIGEST_MAX_SIZE48];
          unsigned char prk[DIGEST_MAX_SIZE48];
          unsigned char *ech_verify_out = NULL((void*)0);
          unsigned int  len;
          ssl_md_init(&mc, hash_algo);
          ssl_md_update(&mc, ssl->ech_transcript.data, ssl->ech_transcript.data_len);
          if (is_hrr) {
              ssl_md_final(&mc, transcript_hash, &len);
              ssl_md_cleanup(&mc);
              wmem_free(wmem_file_scope(), ssl->ech_transcript.data);
              ssl->ech_transcript.data_len = 4 + len;
              ssl->ech_transcript.data = (unsigned char*)wmem_alloc(wmem_file_scope(), 4 + len + 4 + offset_end - initial_offset);
              ssl->ech_transcript.data[0] = SSL_HND_MESSAGE_HASH;
              ssl->ech_transcript.data[1] = 0;
              ssl->ech_transcript.data[2] = 0;
              ssl->ech_transcript.data[3] = len;
              memcpy(ssl->ech_transcript.data + 4, transcript_hash, len);
              ssl_md_init(&mc, hash_algo);
              ssl_md_update(&mc, ssl->ech_transcript.data, 4 + len);
          } else {
              ssl->ech_transcript.data = wmem_realloc(wmem_file_scope(), ssl->ech_transcript.data,
                                                      ssl->ech_transcript.data_len + 4 + offset_end - initial_offset);
          }
          if (initial_offset > 4) {
              tvb_memcpy(tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len, initial_offset - 4,
                         4 + offset_end - initial_offset);
              if (is_hrr)
                  ssl_md_update(&mc, tvb_get_ptr(tvb, initial_offset-4, 38), 38);
              else
                  ssl_md_update(&mc, tvb_get_ptr(tvb, initial_offset-4, 30), 30);
          } else {
              uint8_t prefix[4] = {SSL_HND_SERVER_HELLO, 0x00, 0x00, 0x00};
              prefix[2] = ((offset - initial_offset) >> 8);
              prefix[3] = (offset - initial_offset) & 0xff;
              memcpy(ssl->ech_transcript.data + ssl->ech_transcript.data_len, prefix, 4);
              tvb_memcpy(tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len + 4, initial_offset,
                         offset_end - initial_offset);
              ssl_md_update(&mc, prefix, 4);
              if (is_hrr)
                  ssl_md_update(&mc, tvb_get_ptr(tvb, initial_offset, 34), 34);
              else
                  ssl_md_update(&mc, tvb_get_ptr(tvb, initial_offset, 26), 26);
          }
          ssl->ech_transcript.data_len += 4 + offset_end - initial_offset;
          uint8_t zeros[8] = { 0 };
          uint32_t confirmation_offset = initial_offset + 26;
          if (is_hrr) {
              uint32_t hrr_offset = initial_offset + 34;
              ssl_md_update(&mc, tvb_get_ptr(tvb, hrr_offset,
                                           tvb_get_uint8(tvb, hrr_offset) + 1), tvb_get_uint8(tvb, hrr_offset) + 1);
              hrr_offset += tvb_get_uint8(tvb, hrr_offset) + 1;
              ssl_md_update(&mc, tvb_get_ptr(tvb, hrr_offset, 3), 3);
              hrr_offset += 3;
              uint32_t extensions_end = hrr_offset + tvb_get_ntohs(tvb, hrr_offset) + 2;
              ssl_md_update(&mc, tvb_get_ptr(tvb, hrr_offset, 2), 2);
              hrr_offset += 2;
              while (extensions_end - hrr_offset >= 4) {
                  if (tvb_get_ntohs(tvb, hrr_offset) == SSL_HND_HELLO_EXT_ENCRYPTED_CLIENT_HELLO65037 &&
                      tvb_get_ntohs(tvb, hrr_offset + 2) == 8) {
                      confirmation_offset = hrr_offset + 4;
                      ssl_md_update(&mc, tvb_get_ptr(tvb, hrr_offset, 4), 4);
                      ssl_md_update(&mc, zeros, 8);
                      hrr_offset += 12;
                  } else {
                      ssl_md_update(&mc, tvb_get_ptr(tvb, hrr_offset, tvb_get_ntohs(tvb, hrr_offset + 2) + 4),
                          tvb_get_ntohs(tvb, hrr_offset + 2) + 4);
                      hrr_offset += tvb_get_ntohs(tvb, hrr_offset + 2) + 4;
                  }
              }
          } else {
              ssl_md_update(&mc, zeros, 8);
              ssl_md_update(&mc, tvb_get_ptr(tvb, initial_offset + 34, offset - initial_offset - 34),
                            offset - initial_offset - 34);
          }
          ssl_md_final(&mc, transcript_hash, &len);
          ssl_md_cleanup(&mc);
          hkdf_extract(hash_algo, NULL((void*)0), 0, ssl->client_random.data, 32, prk);
          StringInfo prk_string = {prk, len};
          if (tls13_hkdf_expand_label_context(hash_algo, &prk_string, tls13_hkdf_label_prefix(ssl),
                                          is_hrr ? "hrr ech accept confirmation" : "ech accept confirmation",
                                          transcript_hash, len, 8, &ech_verify_out)) {
              memcpy(is_hrr ? ssl->session.hrr_ech_confirmation : ssl->session.ech_confirmation, ech_verify_out, 8);
              if (tvb_memeql(tvb, confirmation_offset, ech_verify_out, 8) == -1) {
                  if (is_hrr) {
                      ssl->session.hrr_ech_declined = true1;
                      ssl->session.first_ch_ech_frame = 0;
                  }
                  memcpy(ssl->client_random.data, ssl->session.client_random.data, ssl->session.client_random.data_len);
                  ssl_print_data("Updated Client Random", ssl->client_random.data, 32);
              }
              wmem_free(NULL((void*)0), ech_verify_out);
          }
          ssl->session.ech = true1;
      }
  }

  ja3_hash = g_compute_checksum_for_string(G_CHECKSUM_MD5, wmem_strbuf_get_str(ja3),
          wmem_strbuf_get_len(ja3));
  ti = proto_tree_add_string(tree, hf->hf.hs_ja3s_full, tvb, offset, 0, wmem_strbuf_get_str(ja3));
  proto_item_set_generated(ti);
  ti = proto_tree_add_string(tree, hf->hf.hs_ja3s_hash, tvb, offset, 0, ja3_hash);
  proto_item_set_generated(ti);
  g_free(ja3_hash)(__builtin_object_size ((ja3_hash), 0) != ((size_t) - 1)) ? g_free_sized
 (ja3_hash, __builtin_object_size ((ja3_hash), 0)) : (g_free)
 (ja3_hash);
11364}
11365/* Client Hello and Server Hello dissections. }}} */

11367/* New Session Ticket dissection. {{{ */
11368void
11369ssl_dissect_hnd_new_ses_ticket(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                             proto_tree *tree, uint32_t offset, uint32_t offset_end,
                             SslSession *session, SslDecryptSession *ssl,
                             bool_Bool is_dtls, GHashTable *session_hash)
11373{
  /* https://tools.ietf.org/html/rfc5077#section-3.3 (TLS >= 1.0):
   *  struct {
   *      uint32 ticket_lifetime_hint;
   *      opaque ticket<0..2^16-1>;
   *  } NewSessionTicket;
   *
   * RFC 8446 Section 4.6.1 (TLS 1.3):
   *  struct {
   *      uint32 ticket_lifetime;
   *      uint32 ticket_age_add;
   *      opaque ticket_nonce<0..255>;    // new in draft -21, updated in -22
   *      opaque ticket<1..2^16-1>;
   *      Extension extensions<0..2^16-2>;
   *  } NewSessionTicket;
   */
  proto_tree *subtree;
  proto_item *subitem;
  uint32_t    ticket_len;
  bool_Bool        is_tls13 = session->version == TLSV1DOT3_VERSION0x304 || session->version == DTLSV1DOT3_VERSION0xfefc;
  unsigned char      draft_version = session->tls13_draft_version;
  uint32_t    lifetime_hint;

  subtree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
                                   hf->ett.session_ticket, NULL((void*)0),
                                   "TLS Session Ticket");

  /* ticket lifetime hint */
  subitem = proto_tree_add_item_ret_uint(subtree, hf->hf.hs_session_ticket_lifetime_hint,
                                         tvb, offset, 4, ENC_BIG_ENDIAN0x00000000, &lifetime_hint);
  offset += 4;

  if (lifetime_hint >= 60) {
      char *time_str = unsigned_time_secs_to_str(pinfo->pool, lifetime_hint);
      proto_item_append_text(subitem, " (%s)", time_str);
  }

  if (is_tls13) {

      /* for TLS 1.3: ticket_age_add */
      proto_tree_add_item(subtree, hf->hf.hs_session_ticket_age_add,
                          tvb, offset, 4, ENC_BIG_ENDIAN0x00000000);
      offset += 4;

      /* for TLS 1.3: ticket_nonce (coming with Draft 21)*/
      if (draft_version == 0 || draft_version >= 21) {
          uint32_t ticket_nonce_len;

          if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, offset_end, &ticket_nonce_len,
                              hf->hf.hs_session_ticket_nonce_len, 0, 255)) {
              return;
          }
          offset++;

          proto_tree_add_item(subtree, hf->hf.hs_session_ticket_nonce, tvb, offset, ticket_nonce_len, ENC_NA0x00000000);
          offset += ticket_nonce_len;
      }

  }

  /* opaque ticket<0..2^16-1> (with TLS 1.3 the minimum is 1) */
  if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, offset_end, &ticket_len,
                      hf->hf.hs_session_ticket_len, is_tls13 ? 1 : 0, UINT16_MAX(65535))) {
      return;
  }
  offset += 2;

  /* Content depends on implementation, so just show data! */
  proto_tree_add_item(subtree, hf->hf.hs_session_ticket,
                      tvb, offset, ticket_len, ENC_NA0x00000000);
  /* save the session ticket to cache for ssl_finalize_decryption */
  if (ssl && !is_tls13) {
      if (ssl->session.is_session_resumed) {
          /* NewSessionTicket is received in ServerHello before ChangeCipherSpec
           * (Abbreviated Handshake Using New Session Ticket).
           * Restore the master key for this session ticket before saving
           * it to the new session ticket. */
          ssl_restore_master_key(ssl, "Session Ticket", false0,
                                 session_hash, &ssl->session_ticket);
      }
      tvb_ensure_bytes_exist(tvb, offset, ticket_len);
      ssl->session_ticket.data = (unsigned char*)wmem_realloc(wmem_file_scope(),
                                  ssl->session_ticket.data, ticket_len);
      ssl->session_ticket.data_len = ticket_len;
      tvb_memcpy(tvb, ssl->session_ticket.data, offset, ticket_len);
      /* NewSessionTicket is received after the first (client)
       * ChangeCipherSpec, and before the second (server) ChangeCipherSpec.
       * Since the second CCS has already the session key available it will
       * just return. To ensure that the session ticket is mapped to a
       * master key (from the first CCS), save the ticket here too. */
      ssl_save_master_key("Session Ticket", session_hash,
                          &ssl->session_ticket, &ssl->master_secret);
      ssl->state |= SSL_NEW_SESSION_TICKET(1<<10);
  }
  offset += ticket_len;

  if (is_tls13) {
      ssl_dissect_hnd_extension(hf, tvb, subtree, pinfo, offset,
                                offset_end, SSL_HND_NEWSESSION_TICKET,
                                session, ssl, is_dtls, NULL((void*)0), NULL((void*)0), NULL((void*)0));
  }
11474} /* }}} */

11476void
11477ssl_dissect_hnd_hello_retry_request(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                                  packet_info* pinfo, proto_tree *tree, uint32_t offset, uint32_t offset_end,
                                  SslSession *session, SslDecryptSession *ssl,
                                  bool_Bool is_dtls)
11481{
  /* https://tools.ietf.org/html/draft-ietf-tls-tls13-19#section-4.1.4
   * struct {
   *     ProtocolVersion server_version;
   *     CipherSuite cipher_suite;        // not before draft -19
   *     Extension extensions<2..2^16-1>;
   * } HelloRetryRequest;
   * Note: no longer used since draft -22
   */
  uint32_t    version;
  uint8_t     draft_version;

  proto_tree_add_item_ret_uint(tree, hf->hf.hs_server_version, tvb,
                               offset, 2, ENC_BIG_ENDIAN0x00000000, &version);
  draft_version = extract_tls13_draft_version(version);
  offset += 2;

  if (draft_version == 0 || draft_version >= 19) {
      proto_tree_add_item(tree, hf->hf.hs_cipher_suite,
                          tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
      offset += 2;
  }

  ssl_dissect_hnd_extension(hf, tvb, tree, pinfo, offset,
                            offset_end, SSL_HND_HELLO_RETRY_REQUEST,
                            session, ssl, is_dtls, NULL((void*)0), NULL((void*)0), NULL((void*)0));
11507}

11509void
11510ssl_dissect_hnd_encrypted_extensions(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                                   packet_info* pinfo, proto_tree *tree, uint32_t offset, uint32_t offset_end,
                                   SslSession *session, SslDecryptSession *ssl,
                                   bool_Bool is_dtls)
11514{
  /* RFC 8446 Section 4.3.1
   * struct {
   *     Extension extensions<0..2^16-1>;
   * } EncryptedExtensions;
   */
  ssl_dissect_hnd_extension(hf, tvb, tree, pinfo, offset,
                            offset_end, SSL_HND_ENCRYPTED_EXTENSIONS,
                            session, ssl, is_dtls, NULL((void*)0), NULL((void*)0), NULL((void*)0));
11523}

11525/* Certificate and Certificate Request dissections. {{{ */
11526void
11527ssl_dissect_hnd_cert(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree,
                   uint32_t offset, uint32_t offset_end, packet_info *pinfo,
                   SslSession *session, SslDecryptSession *ssl _U___attribute__((unused)),
                   bool_Bool is_from_server, bool_Bool is_dtls)
11531{
  /* opaque ASN.1Cert<1..2^24-1>;
   *
   * Before RFC 8446 (TLS <= 1.2):
   *  struct {
   *     select(certificate_type) {
   *
   *         // certificate type defined in RFC 7250
   *         case RawPublicKey:
   *           opaque ASN.1_subjectPublicKeyInfo<1..2^24-1>;
   *
   *         // X.509 certificate defined in RFC 5246
   *         case X.509:
   *           ASN.1Cert certificate_list<0..2^24-1>;
   *     };
   *  } Certificate;
   *
   * RFC 8446 (since draft -20):
   *  struct {
   *      select(certificate_type){
   *          case RawPublicKey:
   *            // From RFC 7250 ASN.1_subjectPublicKeyInfo
   *            opaque ASN1_subjectPublicKeyInfo<1..2^24-1>;
   *
   *          case X.509:
   *            opaque cert_data<1..2^24-1>;
   *      }
   *      Extension extensions<0..2^16-1>;
   *  } CertificateEntry;
   *  struct {
   *      opaque certificate_request_context<0..2^8-1>;
   *      CertificateEntry certificate_list<0..2^24-1>;
   *  } Certificate;
   */
  enum { CERT_X509, CERT_RPK } cert_type;
  asn1_ctx_t  asn1_ctx;
11567#if defined(HAVE_LIBGNUTLS1)
  gnutls_datum_t subjectPublicKeyInfo = { NULL((void*)0), 0 };
  unsigned    certificate_index = 0;
11570#endif
  uint32_t    next_offset, certificate_list_length, cert_length;
  proto_tree *subtree = tree;

  asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true1, pinfo);

  if ((is_from_server && session->server_cert_type == SSL_HND_CERT_TYPE_RAW_PUBLIC_KEY2) ||
      (!is_from_server && session->client_cert_type == SSL_HND_CERT_TYPE_RAW_PUBLIC_KEY2)) {
      cert_type = CERT_RPK;
  } else {
      cert_type = CERT_X509;
  }

11583#if defined(HAVE_LIBGNUTLS1)
  /* Ask the pkcs1 dissector to return the public key details */
  if (ssl)
      asn1_ctx.private_data = &subjectPublicKeyInfo;
11587#endif

  /* TLS 1.3: opaque certificate_request_context<0..2^8-1> */
  if (session->version == TLSV1DOT3_VERSION0x304 || session->version == DTLSV1DOT3_VERSION0xfefc) {
      uint32_t context_length;
      if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &context_length,
                          hf->hf.hs_certificate_request_context_length, 0, UINT8_MAX(255))) {
          return;
      }
      offset++;
      if (context_length > 0) {
          proto_tree_add_item(tree, hf->hf.hs_certificate_request_context,
                              tvb, offset, context_length, ENC_NA0x00000000);
          offset += context_length;
      }
  }

  if ((session->version != TLSV1DOT3_VERSION0x304 && session->version != DTLSV1DOT3_VERSION0xfefc) && cert_type == CERT_RPK) {
      /* For RPK before TLS 1.3, the single RPK is stored directly without
       * another "certificate_list" field. */
      certificate_list_length = offset_end - offset;
      next_offset = offset_end;
  } else {
      /* CertificateEntry certificate_list<0..2^24-1> */
      if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &certificate_list_length,
                          hf->hf.hs_certificates_len, 0, G_MAXUINT24((1U << 24) - 1))) {
          return;
      }
      offset += 3;            /* 24-bit length value */
      next_offset = offset + certificate_list_length;
  }

  /* RawPublicKey must have one cert, but X.509 can have multiple. */
  if (certificate_list_length > 0 && cert_type == CERT_X509) {
      proto_item *ti;

      ti = proto_tree_add_none_format(tree,
                                      hf->hf.hs_certificates,
                                      tvb, offset, certificate_list_length,
                                      "Certificates (%u bytes)",
                                      certificate_list_length);

      /* make it a subtree */
      subtree = proto_item_add_subtree(ti, hf->ett.certificates);
  }

  while (offset < next_offset) {
      switch (cert_type) {
      case CERT_RPK:
          /* TODO add expert info if there is more than one RPK entry (certificate_index > 0) */
          /* opaque ASN.1_subjectPublicKeyInfo<1..2^24-1> */
          if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, next_offset, &cert_length,
                              hf->hf.hs_certificate_len, 1, G_MAXUINT24((1U << 24) - 1))) {
              return;
          }
          offset += 3;

          dissect_x509af_SubjectPublicKeyInfo(false0, tvb, offset, &asn1_ctx, subtree, hf->hf.hs_certificate);
          offset += cert_length;
          break;
      case CERT_X509:
          /* opaque ASN1Cert<1..2^24-1> */
          if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, next_offset, &cert_length,
                              hf->hf.hs_certificate_len, 1, G_MAXUINT24((1U << 24) - 1))) {
              return;
          }
          offset += 3;

          dissect_x509af_Certificate(false0, tvb, offset, &asn1_ctx, subtree, hf->hf.hs_certificate);
11656#if defined(HAVE_LIBGNUTLS1)
          if (is_from_server && ssl && certificate_index == 0) {
              ssl_find_private_key_by_pubkey(ssl, &subjectPublicKeyInfo);
              /* Only attempt to get the RSA modulus for the first cert. */
              asn1_ctx.private_data = NULL((void*)0);
          }
11662#endif
          offset += cert_length;
          break;
      }

      /* TLS 1.3: Extension extensions<0..2^16-1> */
      if ((session->version == TLSV1DOT3_VERSION0x304 || session->version == DTLSV1DOT3_VERSION0xfefc)) {
          offset = ssl_dissect_hnd_extension(hf, tvb, subtree, pinfo, offset,
                                             next_offset, SSL_HND_CERTIFICATE,
                                             session, ssl, is_dtls, NULL((void*)0), NULL((void*)0), NULL((void*)0));
      }

11674#if defined(HAVE_LIBGNUTLS1)
      certificate_index++;
11676#endif
  }
11678}

11680void
11681ssl_dissect_hnd_cert_req(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                       proto_tree *tree, uint32_t offset, uint32_t offset_end,
                       SslSession *session, bool_Bool is_dtls)
11684{
  /* From SSL 3.0 and up (note that since TLS 1.1 certificate_authorities can be empty):
   *    enum {
   *        rsa_sign(1), dss_sign(2), rsa_fixed_dh(3), dss_fixed_dh(4),
   *        (255)
   *    } ClientCertificateType;
   *
   *    opaque DistinguishedName<1..2^16-1>;
   *
   *    struct {
   *        ClientCertificateType certificate_types<1..2^8-1>;
   *        DistinguishedName certificate_authorities<3..2^16-1>;
   *    } CertificateRequest;
   *
   *
   * As per TLSv1.2 (RFC 5246) the format has changed to:
   *
   *    enum {
   *        rsa_sign(1), dss_sign(2), rsa_fixed_dh(3), dss_fixed_dh(4),
   *        rsa_ephemeral_dh_RESERVED(5), dss_ephemeral_dh_RESERVED(6),
   *        fortezza_dms_RESERVED(20), (255)
   *    } ClientCertificateType;
   *
   *    enum {
   *        none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5),
   *        sha512(6), (255)
   *    } HashAlgorithm;
   *
   *    enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) }
   *      SignatureAlgorithm;
   *
   *    struct {
   *          HashAlgorithm hash;
   *          SignatureAlgorithm signature;
   *    } SignatureAndHashAlgorithm;
   *
   *    SignatureAndHashAlgorithm
   *      supported_signature_algorithms<2..2^16-2>;
   *
   *    opaque DistinguishedName<1..2^16-1>;
   *
   *    struct {
   *        ClientCertificateType certificate_types<1..2^8-1>;
   *        SignatureAndHashAlgorithm supported_signature_algorithms<2^16-1>;
   *        DistinguishedName certificate_authorities<0..2^16-1>;
   *    } CertificateRequest;
   *
   * draft-ietf-tls-tls13-18:
   *    struct {
   *        opaque certificate_request_context<0..2^8-1>;
   *        SignatureScheme
   *          supported_signature_algorithms<2..2^16-2>;
   *        DistinguishedName certificate_authorities<0..2^16-1>;
   *        CertificateExtension certificate_extensions<0..2^16-1>;
   *    } CertificateRequest;
   *
   * RFC 8446 (since draft-ietf-tls-tls13-19):
   *
   *    struct {
   *        opaque certificate_request_context<0..2^8-1>;
   *        Extension extensions<2..2^16-1>;
   *    } CertificateRequest;
   */
  proto_item *ti;
  proto_tree *subtree;
  uint32_t    next_offset;
  asn1_ctx_t  asn1_ctx;
  bool_Bool        is_tls13 = (session->version == TLSV1DOT3_VERSION0x304 || session->version == DTLSV1DOT3_VERSION0xfefc);
  unsigned char      draft_version = session->tls13_draft_version;

  if (!tree)
      return;

  asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true1, pinfo);

  if (is_tls13) {
      uint32_t context_length;
      /* opaque certificate_request_context<0..2^8-1> */
      if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &context_length,
                          hf->hf.hs_certificate_request_context_length, 0, UINT8_MAX(255))) {
          return;
      }
      offset++;
      if (context_length > 0) {
          proto_tree_add_item(tree, hf->hf.hs_certificate_request_context,
                              tvb, offset, context_length, ENC_NA0x00000000);
          offset += context_length;
      }
  } else {
      uint32_t cert_types_count;
      /* ClientCertificateType certificate_types<1..2^8-1> */
      if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &cert_types_count,
                          hf->hf.hs_cert_types_count, 1, UINT8_MAX(255))) {
          return;
      }
      offset++;
      next_offset = offset + cert_types_count;

      ti = proto_tree_add_none_format(tree,
              hf->hf.hs_cert_types,
              tvb, offset, cert_types_count,
              "Certificate types (%u type%s)",
              cert_types_count,
              plurality(cert_types_count, "", "s")((cert_types_count) == 1 ? ("") : ("s")));
      subtree = proto_item_add_subtree(ti, hf->ett.cert_types);

      while (offset < next_offset) {
          proto_tree_add_item(subtree, hf->hf.hs_cert_type, tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
          offset++;
      }
  }

  if (session->version == TLSV1DOT2_VERSION0x303 || session->version == DTLSV1DOT2_VERSION0xfefd ||
          (is_tls13 && (draft_version > 0 && draft_version < 19))) {
      offset = ssl_dissect_hash_alg_list(hf, tvb, tree, pinfo, offset, offset_end, NULL((void*)0));
  }

  if (is_tls13 && (draft_version == 0 || draft_version >= 19)) {
      /*
       * TLS 1.3 draft 19 and newer: Extensions.
       * SslDecryptSession pointer is NULL because Certificate Extensions
       * should not influence decryption state.
       */
      ssl_dissect_hnd_extension(hf, tvb, tree, pinfo, offset,
                                offset_end, SSL_HND_CERT_REQUEST,
                                session, NULL((void*)0), is_dtls, NULL((void*)0), NULL((void*)0), NULL((void*)0));
  } else if (is_tls13 && draft_version <= 18) {
      /*
       * TLS 1.3 draft 18 and older: certificate_authorities and
       * certificate_extensions (a vector of OID mappings).
       */
      offset = tls_dissect_certificate_authorities(hf, tvb, pinfo, tree, offset, offset_end);
      ssl_dissect_hnd_hello_ext_oid_filters(hf, tvb, pinfo, tree, offset, offset_end);
  } else {
      /* for TLS 1.2 and older, the certificate_authorities field. */
      tls_dissect_certificate_authorities(hf, tvb, pinfo, tree, offset, offset_end);
  }
11821}
11822/* Certificate and Certificate Request dissections. }}} */

11824void
11825ssl_dissect_hnd_cli_cert_verify(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                              proto_tree *tree, uint32_t offset, uint32_t offset_end, uint16_t version)
11827{
  ssl_dissect_digitally_signed(hf, tvb, pinfo, tree, offset, offset_end, version,
                               hf->hf.hs_client_cert_vrfy_sig_len,
                               hf->hf.hs_client_cert_vrfy_sig);
11831}

11833/* Finished dissection. {{{ */
11834void
11835ssl_dissect_hnd_finished(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                       proto_tree *tree, uint32_t offset, uint32_t offset_end,
                       const SslSession *session, ssl_hfs_t *ssl_hfs)
11838{
  /* For SSLv3:
   *     struct {
   *         opaque md5_hash[16];
   *         opaque sha_hash[20];
   *     } Finished;
   *
   * For (D)TLS:
   *     struct {
   *         opaque verify_data[12];
   *     } Finished;
   *
   * For TLS 1.3:
   *     struct {
   *         opaque verify_data[Hash.length];
   *     }
   */
  if (!tree)
      return;

  if (session->version == SSLV3_VERSION0x300) {
      if (ssl_hfs != NULL((void*)0)) {
          proto_tree_add_item(tree, ssl_hfs->hs_md5_hash,
                              tvb, offset, 16, ENC_NA0x00000000);
          proto_tree_add_item(tree, ssl_hfs->hs_sha_hash,
                              tvb, offset + 16, 20, ENC_NA0x00000000);
      }
  } else {
      /* Length should be 12 for TLS before 1.3, assume this is the case. */
      proto_tree_add_item(tree, hf->hf.hs_finished,
                          tvb, offset, offset_end - offset, ENC_NA0x00000000);
  }
11870} /* }}} */

11872/* RFC 6066 Certificate URL handshake message dissection. {{{ */
11873void
11874ssl_dissect_hnd_cert_url(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree, uint32_t offset)
11875{
  uint16_t url_hash_len;

  /* enum {
   *     individual_certs(0), pkipath(1), (255)
   * } CertChainType;
   *
   * struct {
   *     CertChainType type;
   *     URLAndHash url_and_hash_list<1..2^16-1>;
   * } CertificateURL;
   *
   * struct {
   *     opaque url<1..2^16-1>;
   *     uint8 padding;
   *     opaque SHA1Hash[20];
   * } URLAndHash;
   */

  proto_tree_add_item(tree, hf->hf.hs_ext_cert_url_type,
                      tvb, offset, 1, ENC_NA0x00000000);
  offset++;

  url_hash_len = tvb_get_ntohs(tvb, offset);
  proto_tree_add_item(tree, hf->hf.hs_ext_cert_url_url_hash_list_len,
                      tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
  offset += 2;
  while (url_hash_len-- > 0) {
      proto_item  *urlhash_item;
      proto_tree  *urlhash_tree;
      uint16_t     url_len;

      urlhash_item = proto_tree_add_item(tree, hf->hf.hs_ext_cert_url_item,
                                         tvb, offset, -1, ENC_NA0x00000000);
      urlhash_tree = proto_item_add_subtree(urlhash_item, hf->ett.urlhash);

      url_len = tvb_get_ntohs(tvb, offset);
      proto_tree_add_item(urlhash_tree, hf->hf.hs_ext_cert_url_url_len,
                          tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
      offset += 2;

      proto_tree_add_item(urlhash_tree, hf->hf.hs_ext_cert_url_url,
                          tvb, offset, url_len, ENC_ASCII0x00000000|ENC_NA0x00000000);
      offset += url_len;

      proto_tree_add_item(urlhash_tree, hf->hf.hs_ext_cert_url_padding,
                          tvb, offset, 1, ENC_NA0x00000000);
      offset++;
      /* Note: RFC 6066 says that padding must be 0x01 */

      proto_tree_add_item(urlhash_tree, hf->hf.hs_ext_cert_url_sha1,
                          tvb, offset, 20, ENC_NA0x00000000);
      offset += 20;
  }
11929} /* }}} */

11931void
11932ssl_dissect_hnd_compress_certificate(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree,
                                    uint32_t offset, uint32_t offset_end, packet_info *pinfo,
                                    SslSession *session, SslDecryptSession *ssl,
                                    bool_Bool is_from_server, bool_Bool is_dtls)
11936{
  uint32_t algorithm, uncompressed_length;
  uint32_t compressed_certificate_message_length;
  tvbuff_t *uncompressed_tvb = NULL((void*)0);
  proto_item *ti;
  /*
   * enum {
   *     zlib(1),
   *     brotli(2),
   *     zstd(3),
   *     (65535)
   * } CertificateCompressionAlgorithm;
   *
   * struct {
   *       CertificateCompressionAlgorithm algorithm;
   *       uint24 uncompressed_length;
   *       opaque compressed_certificate_message<1..2^24-1>;
   * } CompressedCertificate;
   */

  proto_tree_add_item_ret_uint(tree, hf->hf.hs_ext_compress_certificate_algorithm,
                               tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &algorithm);
  offset += 2;

  proto_tree_add_item_ret_uint(tree, hf->hf.hs_ext_compress_certificate_uncompressed_length,
                               tvb, offset, 3, ENC_BIG_ENDIAN0x00000000, &uncompressed_length);
  offset += 3;

  /* opaque compressed_certificate_message<1..2^24-1>; */
  if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &compressed_certificate_message_length,
                      hf->hf.hs_ext_compress_certificate_compressed_certificate_message_length, 1, G_MAXUINT24((1U << 24) - 1))) {
      return;
  }
  offset += 3;

  ti = proto_tree_add_item(tree, hf->hf.hs_ext_compress_certificate_compressed_certificate_message,
                           tvb, offset, compressed_certificate_message_length, ENC_NA0x00000000);

  /* Certificate decompression following algorithm */
  switch (algorithm) {
  case 1: /* zlib */
      uncompressed_tvb = tvb_child_uncompress_zlib(tvb, tvb, offset, compressed_certificate_message_length);
      break;
  case 2: /* brotli */
      uncompressed_tvb = tvb_child_uncompress_brotli(tvb, tvb, offset, compressed_certificate_message_length);
      break;
  case 3: /* zstd */
      uncompressed_tvb = tvb_child_uncompress_zstd(tvb, tvb, offset, compressed_certificate_message_length);
      break;
  }

  if (uncompressed_tvb) {
      proto_tree *uncompressed_tree;

      if (uncompressed_length != tvb_captured_length(uncompressed_tvb)) {
          proto_tree_add_expert_format(tree, pinfo, &hf->ei.decompression_error,
                                       tvb, offset, offset_end - offset,
                                       "Invalid uncompressed length %u (expected %u)",
                                       tvb_captured_length(uncompressed_tvb),
                                       uncompressed_length);
      } else {
          uncompressed_tree = proto_item_add_subtree(ti, hf->ett.uncompressed_certificates);
          ssl_dissect_hnd_cert(hf, uncompressed_tvb, uncompressed_tree,
                               0, uncompressed_length, pinfo, session, ssl, is_from_server, is_dtls);
          add_new_data_source(pinfo, uncompressed_tvb, "Uncompressed certificate(s)");
      }
  }
12003}

12005/* Dissection of TLS Extensions in Client Hello, Server Hello, etc. {{{ */
12006static int
12007// NOLINTNEXTLINE(misc-no-recursion)
12008ssl_dissect_hnd_extension(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree,
                        packet_info* pinfo, uint32_t offset, uint32_t offset_end, uint8_t hnd_type,
                        SslSession *session, SslDecryptSession *ssl,
                        bool_Bool is_dtls, wmem_strbuf_t *ja3, ja4_data_t *ja4_data,
                        ssl_master_key_map_t *mk_map)
12013{
  uint32_t    exts_len;
  uint16_t    ext_type;
  uint32_t    ext_len;
  uint32_t    next_offset;
  proto_item *ext_item;
  proto_tree *ext_tree;
  bool_Bool        is_tls13 = session->version == TLSV1DOT3_VERSION0x304;
  wmem_strbuf_t *ja3_sg = wmem_strbuf_new(pinfo->pool, "");
  wmem_strbuf_t *ja3_ecpf = wmem_strbuf_new(pinfo->pool, "");
  char       *ja3_dash = "";
  unsigned    supported_version;

  /* Extension extensions<0..2^16-2> (for TLS 1.3 HRR/CR min-length is 2) */
  if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &exts_len,
                      hf->hf.hs_exts_len, 0, UINT16_MAX(65535))) {
      return offset_end;
  }
  offset += 2;
  offset_end = offset + exts_len;

  if (ja4_data) {
      ja4_data->num_extensions = 0;
  }
  while (offset_end - offset >= 4)
  {
      ext_type = tvb_get_ntohs(tvb, offset);
      ext_len  = tvb_get_ntohs(tvb, offset + 2);

      if (ja4_data && !IS_GREASE_TLS(ext_type)((((ext_type) & 0x0f0f) == 0x0a0a) && (((ext_type
) & 0xff) == (((ext_type)>>8) & 0xff)))) {
          ja4_data->num_extensions += 1;
          if (ext_type != SSL_HND_HELLO_EXT_SERVER_NAME0 &&
              ext_type != SSL_HND_HELLO_EXT_ALPN16) {
              wmem_list_insert_sorted(ja4_data->extension_list, GUINT_TO_POINTER(ext_type)((gpointer) (gulong) (ext_type)), wmem_compare_uint);
          }
      }

      ext_item = proto_tree_add_none_format(tree, hf->hf.hs_ext, tvb, offset, 4 + ext_len,
                                "Extension: %s (len=%u)", val_to_str(pinfo->pool, ext_type,
                                          tls_hello_extension_types,
                                          "Unknown type %u"), ext_len);
      ext_tree = proto_item_add_subtree(ext_item, hf->ett.hs_ext);

      proto_tree_add_uint(ext_tree, hf->hf.hs_ext_type,
                          tvb, offset, 2, ext_type);
      offset += 2;
      if (ja3 && !IS_GREASE_TLS(ext_type)((((ext_type) & 0x0f0f) == 0x0a0a) && (((ext_type
) & 0xff) == (((ext_type)>>8) & 0xff)))) {
          wmem_strbuf_append_printf(ja3, "%s%i",ja3_dash, ext_type);
          ja3_dash = "-";
      }

      /* opaque extension_data<0..2^16-1> */
      if (!ssl_add_vector(hf, tvb, pinfo, ext_tree, offset, offset_end, &ext_len,
                          hf->hf.hs_ext_len, 0, UINT16_MAX(65535))) {
          return offset_end;
      }
      offset += 2;
      next_offset = offset + ext_len;

      switch (ext_type) {
      case SSL_HND_HELLO_EXT_SERVER_NAME0:
          if (hnd_type == SSL_HND_CLIENT_HELLO) {
              offset = ssl_dissect_hnd_hello_ext_server_name(hf, tvb, pinfo, ext_tree, offset, next_offset);
              if (ja4_data) {
                  ja4_data->server_name_present = true1;
              }
          }
          break;
      case SSL_HND_HELLO_EXT_MAX_FRAGMENT_LENGTH1:
          proto_tree_add_item(ext_tree, hf->hf.hs_ext_max_fragment_length, tvb, offset, 1, ENC_NA0x00000000);
          offset += 1;
          break;
      case SSL_HND_HELLO_EXT_STATUS_REQUEST5:
          if (hnd_type == SSL_HND_CLIENT_HELLO) {
              offset = ssl_dissect_hnd_hello_ext_status_request(hf, tvb, pinfo, ext_tree, offset, next_offset, false0);
          } else if (is_tls13 && hnd_type == SSL_HND_CERTIFICATE) {
              offset = tls_dissect_hnd_certificate_status(hf, tvb, pinfo, ext_tree, offset, next_offset);
          }
          break;
      case SSL_HND_HELLO_EXT_CERT_TYPE9:
          offset = ssl_dissect_hnd_hello_ext_cert_type(hf, tvb, ext_tree,
                                                       offset, next_offset,
                                                       hnd_type, ext_type,
                                                       session);
          break;
      case SSL_HND_HELLO_EXT_SUPPORTED_GROUPS10:
          if (hnd_type == SSL_HND_CLIENT_HELLO) {
              offset = ssl_dissect_hnd_hello_ext_supported_groups(hf, tvb, pinfo, ext_tree, offset,
                      next_offset, ja3_sg);
          } else {
              offset = ssl_dissect_hnd_hello_ext_supported_groups(hf, tvb, pinfo, ext_tree, offset,
                      next_offset, NULL((void*)0));
          }
          break;
      case SSL_HND_HELLO_EXT_EC_POINT_FORMATS11:
          if (hnd_type == SSL_HND_CLIENT_HELLO) {
              offset = ssl_dissect_hnd_hello_ext_ec_point_formats(hf, tvb, ext_tree, offset, ja3_ecpf);
          } else {
              offset = ssl_dissect_hnd_hello_ext_ec_point_formats(hf, tvb, ext_tree, offset, NULL((void*)0));
          }
          break;
          break;
      case SSL_HND_HELLO_EXT_SRP12:
          offset = ssl_dissect_hnd_hello_ext_srp(hf, tvb, pinfo, ext_tree, offset, next_offset);
          break;
      case SSL_HND_HELLO_EXT_SIGNATURE_ALGORITHMS13:
          offset = ssl_dissect_hnd_hello_ext_sig_hash_algs(hf, tvb, ext_tree, pinfo, offset, next_offset, ja4_data);
          break;
      case SSL_HND_HELLO_EXT_SIGNATURE_ALGORITHMS_CERT50: /* since TLS 1.3 draft -23 */
          offset = ssl_dissect_hnd_hello_ext_sig_hash_algs(hf, tvb, ext_tree, pinfo, offset, next_offset, NULL((void*)0));
          break;
      case SSL_HND_HELLO_EXT_DELEGATED_CREDENTIALS34:
          offset = ssl_dissect_hnd_ext_delegated_credentials(hf, tvb, ext_tree, pinfo, offset, next_offset, hnd_type);
          break;
      case SSL_HND_HELLO_EXT_USE_SRTP14:
          if (is_dtls) {
              if (hnd_type == SSL_HND_CLIENT_HELLO) {
                  offset = dtls_dissect_hnd_hello_ext_use_srtp(pinfo, tvb, ext_tree, offset, next_offset, false0);
              } else if (hnd_type == SSL_HND_SERVER_HELLO) {
                  offset = dtls_dissect_hnd_hello_ext_use_srtp(pinfo, tvb, ext_tree, offset, next_offset, true1);
              }
          } else {
              // XXX expert info: This extension MUST only be used with DTLS, and not with TLS.
          }
          break;
      case SSL_HND_HELLO_EXT_ECH_OUTER_EXTENSIONS64768:
          offset = ssl_dissect_hnd_ech_outer_ext(hf, tvb, pinfo, ext_tree, offset, next_offset);
          break;
      case SSL_HND_HELLO_EXT_ENCRYPTED_CLIENT_HELLO65037:
          offset = ssl_dissect_hnd_hello_ext_ech(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, session, ssl, mk_map);
          break;
      case SSL_HND_HELLO_EXT_HEARTBEAT15:
          proto_tree_add_item(ext_tree, hf->hf.hs_ext_heartbeat_mode,
                              tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
          offset++;
          break;
      case SSL_HND_HELLO_EXT_ALPN16:
          offset = ssl_dissect_hnd_hello_ext_alpn(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, session, is_dtls, ja4_data);
          break;
      case SSL_HND_HELLO_EXT_STATUS_REQUEST_V217:
          if (hnd_type == SSL_HND_CLIENT_HELLO)
              offset = ssl_dissect_hnd_hello_ext_status_request_v2(hf, tvb, pinfo, ext_tree, offset, next_offset);
          break;
      case SSL_HND_HELLO_EXT_SIGNED_CERTIFICATE_TIMESTAMP18:
          // TLS 1.3 note: SCT only appears in EE in draft -16 and before.
          if (hnd_type == SSL_HND_SERVER_HELLO || hnd_type == SSL_HND_ENCRYPTED_EXTENSIONS || hnd_type == SSL_HND_CERTIFICATE)
              offset = tls_dissect_sct_list(hf, tvb, pinfo, ext_tree, offset, next_offset, session->version);
          break;
      case SSL_HND_HELLO_EXT_CLIENT_CERT_TYPE19:
      case SSL_HND_HELLO_EXT_SERVER_CERT_TYPE20:
          offset = ssl_dissect_hnd_hello_ext_cert_type(hf, tvb, ext_tree,
                                                       offset, next_offset,
                                                       hnd_type, ext_type,
                                                       session);
          break;
      case SSL_HND_HELLO_EXT_PADDING21:
          proto_tree_add_item(ext_tree, hf->hf.hs_ext_padding_data, tvb, offset, ext_len, ENC_NA0x00000000);
          offset += ext_len;
          break;
      case SSL_HND_HELLO_EXT_ENCRYPT_THEN_MAC22:
          if (ssl && hnd_type == SSL_HND_SERVER_HELLO) {
              ssl_debug_printf("%s enabling Encrypt-then-MAC\n", G_STRFUNC((const char*) (__func__)));
              ssl->state |= SSL_ENCRYPT_THEN_MAC(1<<11);
          }
          break;
      case SSL_HND_HELLO_EXT_EXTENDED_MASTER_SECRET23:
          if (ssl) {
              switch (hnd_type) {
              case SSL_HND_CLIENT_HELLO:
                  ssl->state |= SSL_CLIENT_EXTENDED_MASTER_SECRET(1<<7);
                  break;
              case SSL_HND_SERVER_HELLO:
                  ssl->state |= SSL_SERVER_EXTENDED_MASTER_SECRET(1<<8);
                  break;
              default: /* no default */
                  break;
              }
          }
          break;
      case SSL_HND_HELLO_EXT_COMPRESS_CERTIFICATE27:
          offset = ssl_dissect_hnd_hello_ext_compress_certificate(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, ssl);
          break;
      case SSL_HND_HELLO_EXT_TOKEN_BINDING24:
          offset = ssl_dissect_hnd_hello_ext_token_binding(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, ssl);
          break;
      case SSL_HND_HELLO_EXT_RECORD_SIZE_LIMIT28:
          proto_tree_add_item(ext_tree, hf->hf.hs_ext_record_size_limit,
                              tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
          offset += 2;
          break;
      case SSL_HND_HELLO_EXT_QUIC_TRANSPORT_PARAMETERS65445:
      case SSL_HND_HELLO_EXT_QUIC_TRANSPORT_PARAMETERS_V157:
          offset = ssl_dissect_hnd_hello_ext_quic_transport_parameters(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, ssl);
          break;
      case SSL_HND_HELLO_EXT_SESSION_TICKET_TLS35:
          offset = ssl_dissect_hnd_hello_ext_session_ticket(hf, tvb, ext_tree, offset, next_offset, hnd_type, ssl);
          break;
      case SSL_HND_HELLO_EXT_KEY_SHARE_OLD40: /* used before TLS 1.3 draft -23 */
      case SSL_HND_HELLO_EXT_KEY_SHARE51:
          offset = ssl_dissect_hnd_hello_ext_key_share(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, ssl);
          break;
      case SSL_HND_HELLO_EXT_PRE_SHARED_KEY41:
          offset = ssl_dissect_hnd_hello_ext_pre_shared_key(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, ssl);
          break;
      case SSL_HND_HELLO_EXT_EARLY_DATA42:
      case SSL_HND_HELLO_EXT_TICKET_EARLY_DATA_INFO46:
          offset = ssl_dissect_hnd_hello_ext_early_data(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, ssl);
          break;
      case SSL_HND_HELLO_EXT_SUPPORTED_VERSIONS43:
          switch (hnd_type) {
          case SSL_HND_CLIENT_HELLO:
              offset = ssl_dissect_hnd_hello_ext_supported_versions(hf, tvb, pinfo, ext_tree, offset, next_offset, session, is_dtls, ja4_data);
              break;
          case SSL_HND_SERVER_HELLO:
          case SSL_HND_HELLO_RETRY_REQUEST:
              proto_tree_add_item_ret_uint(ext_tree, hf->hf.hs_ext_supported_version, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &supported_version);
              offset += 2;
              proto_item_append_text(ext_tree, " %s", val_to_str(pinfo->pool, supported_version, ssl_versions, "Unknown (0x%04x)"));
              break;
          }
          break;
      case SSL_HND_HELLO_EXT_COOKIE44:
          offset = ssl_dissect_hnd_hello_ext_cookie(hf, tvb, pinfo, ext_tree, offset, next_offset);
          break;
      case SSL_HND_HELLO_EXT_PSK_KEY_EXCHANGE_MODES45:
          offset = ssl_dissect_hnd_hello_ext_psk_key_exchange_modes(hf, tvb, pinfo, ext_tree, offset, next_offset);
          break;
      case SSL_HND_HELLO_EXT_CERTIFICATE_AUTHORITIES47:
          offset = ssl_dissect_hnd_hello_ext_certificate_authorities(hf, tvb, pinfo, ext_tree, offset, next_offset);
          break;
      case SSL_HND_HELLO_EXT_OID_FILTERS48:
          offset = ssl_dissect_hnd_hello_ext_oid_filters(hf, tvb, pinfo, ext_tree, offset, next_offset);
          break;
      case SSL_HND_HELLO_EXT_POST_HANDSHAKE_AUTH49:
          break;
      case SSL_HND_HELLO_EXT_NPN13172:
          offset = ssl_dissect_hnd_hello_ext_npn(hf, tvb, pinfo, ext_tree, offset, next_offset);
          break;
      case SSL_HND_HELLO_EXT_ALPS_OLD17513:
          offset = ssl_dissect_hnd_hello_ext_alps(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type);
          break;
      case SSL_HND_HELLO_EXT_ALPS17613:
          offset = ssl_dissect_hnd_hello_ext_alps(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type);
          break;
      case SSL_HND_HELLO_EXT_RENEGOTIATION_INFO65281:
          offset = ssl_dissect_hnd_hello_ext_reneg_info(hf, tvb, pinfo, ext_tree, offset, next_offset);
          break;
      case SSL_HND_HELLO_EXT_ENCRYPTED_SERVER_NAME65486:
          offset = ssl_dissect_hnd_hello_ext_esni(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, ssl);
          break;
      case SSL_HND_HELLO_EXT_CONNECTION_ID_DEPRECATED53:
          session->deprecated_cid = true1;
          /* FALLTHRU */
      case SSL_HND_HELLO_EXT_CONNECTION_ID54:
          offset = ssl_dissect_hnd_hello_ext_connection_id(hf, tvb, pinfo, ext_tree, offset, hnd_type, session, ssl);
          break;
      case SSL_HND_HELLO_EXT_TRUSTED_CA_KEYS3:
              offset = ssl_dissect_hnd_hello_ext_trusted_ca_keys(hf, tvb, pinfo, ext_tree, offset, next_offset);
          break;
      default:
          proto_tree_add_item(ext_tree, hf->hf.hs_ext_data,
                                      tvb, offset, ext_len, ENC_NA0x00000000);
          offset += ext_len;
          break;
      }

      if (!ssl_end_vector(hf, tvb, pinfo, ext_tree, offset, next_offset)) {
          /* Dissection did not end at expected location, fix it. */
          offset = next_offset;
      }
  }

  if (ja3) {
      if (hnd_type == SSL_HND_CLIENT_HELLO) {
          if(wmem_strbuf_get_len(ja3_sg) > 0) {
              wmem_strbuf_append_printf(ja3, "%s", wmem_strbuf_get_str(ja3_sg));
          } else {
              wmem_strbuf_append_c(ja3, ',');
          }
          if(wmem_strbuf_get_len(ja3_ecpf) > 0) {
              wmem_strbuf_append_printf(ja3, "%s", wmem_strbuf_get_str(ja3_ecpf));
          } else {
              wmem_strbuf_append_c(ja3, ',');
          }
      }
  }

  /* Check if Extensions vector is correctly terminated. */
  if (!ssl_end_vector(hf, tvb, pinfo, tree, offset, offset_end)) {
      offset = offset_end;
  }

  return offset;
12306} /* }}} */


12309/* ClientKeyExchange algo-specific dissectors. {{{ */

12311static void
12312dissect_ssl3_hnd_cli_keyex_ecdh(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                              proto_tree *tree, uint32_t offset,
                              uint32_t length)
12315{
  int         point_len;
  proto_tree *ssl_ecdh_tree;

  ssl_ecdh_tree = proto_tree_add_subtree(tree, tvb, offset, length,
                                hf->ett.keyex_params, NULL((void*)0), "EC Diffie-Hellman Client Params");

  /* point */
  point_len = tvb_get_uint8(tvb, offset);
  proto_tree_add_item(ssl_ecdh_tree, hf->hf.hs_client_keyex_point_len, tvb,
                      offset, 1, ENC_BIG_ENDIAN0x00000000);
  proto_tree_add_item(ssl_ecdh_tree, hf->hf.hs_client_keyex_point, tvb,
                      offset + 1, point_len, ENC_NA0x00000000);
12328}

12330static void
12331dissect_ssl3_hnd_cli_keyex_dhe(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                             proto_tree *tree, uint32_t offset, uint32_t length)
12333{
  int         yc_len;
  proto_tree *ssl_dh_tree;

  ssl_dh_tree = proto_tree_add_subtree(tree, tvb, offset, length,
                              hf->ett.keyex_params, NULL((void*)0), "Diffie-Hellman Client Params");

  /* ClientDiffieHellmanPublic.dh_public (explicit) */
  yc_len  = tvb_get_ntohs(tvb, offset);
  proto_tree_add_item(ssl_dh_tree, hf->hf.hs_client_keyex_yc_len, tvb,
                      offset, 2, ENC_BIG_ENDIAN0x00000000);
  proto_tree_add_item(ssl_dh_tree, hf->hf.hs_client_keyex_yc, tvb,
                      offset + 2, yc_len, ENC_NA0x00000000);
12346}

12348static void
12349dissect_ssl3_hnd_cli_keyex_rsa(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                             proto_tree *tree, uint32_t offset,
                             uint32_t length, const SslSession *session)
12352{
  int         epms_len;
  proto_tree *ssl_rsa_tree;

  ssl_rsa_tree = proto_tree_add_subtree(tree, tvb, offset, length,
                               hf->ett.keyex_params, NULL((void*)0), "RSA Encrypted PreMaster Secret");

  /* EncryptedPreMasterSecret.pre_master_secret */
  switch (session->version) {
  case SSLV2_VERSION0x0002:
  case SSLV3_VERSION0x300:
  case DTLSV1DOT0_OPENSSL_VERSION0x100:
      /* OpenSSL pre-0.9.8f DTLS and pre-TLS quirk: 2-octet length vector is
       * not present. The handshake contents represents the EPMS, see:
       * https://gitlab.com/wireshark/wireshark/-/issues/10222 */
      epms_len = length;
      break;

  default:
      /* TLS and DTLS include vector length before EPMS */
      epms_len = tvb_get_ntohs(tvb, offset);
      proto_tree_add_item(ssl_rsa_tree, hf->hf.hs_client_keyex_epms_len, tvb,
                          offset, 2, ENC_BIG_ENDIAN0x00000000);
      offset += 2;
      break;
  }
  proto_tree_add_item(ssl_rsa_tree, hf->hf.hs_client_keyex_epms, tvb,
                      offset, epms_len, ENC_NA0x00000000);
12380}

12382/* Used in PSK cipher suites */
12383static uint32_t
12384dissect_ssl3_hnd_cli_keyex_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                             proto_tree *tree, uint32_t offset)
12386{
  unsigned     identity_len;
  proto_tree *ssl_psk_tree;

  ssl_psk_tree = proto_tree_add_subtree(tree, tvb, offset, -1,
                               hf->ett.keyex_params, NULL((void*)0), "PSK Client Params");
  /* identity */
  identity_len = tvb_get_ntohs(tvb, offset);
  proto_tree_add_item(ssl_psk_tree, hf->hf.hs_client_keyex_identity_len, tvb,
                      offset, 2, ENC_BIG_ENDIAN0x00000000);
  proto_tree_add_item(ssl_psk_tree, hf->hf.hs_client_keyex_identity, tvb,
                      offset + 2, identity_len, ENC_NA0x00000000);

  proto_item_set_len(ssl_psk_tree, 2 + identity_len);
  return 2 + identity_len;
12401}

12403/* Used in RSA PSK cipher suites */
12404static void
12405dissect_ssl3_hnd_cli_keyex_rsa_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                                 proto_tree *tree, uint32_t offset,
                                 uint32_t length)
12408{
  int         identity_len, epms_len;
  proto_tree *ssl_psk_tree;

  ssl_psk_tree = proto_tree_add_subtree(tree, tvb, offset, length,
                               hf->ett.keyex_params, NULL((void*)0), "RSA PSK Client Params");

  /* identity */
  identity_len = tvb_get_ntohs(tvb, offset);
  proto_tree_add_item(ssl_psk_tree, hf->hf.hs_client_keyex_identity_len,
                      tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
  proto_tree_add_item(ssl_psk_tree, hf->hf.hs_client_keyex_identity,
                      tvb, offset + 2, identity_len, ENC_NA0x00000000);
  offset += 2 + identity_len;

  /* Yc */
  epms_len = tvb_get_ntohs(tvb, offset);
  proto_tree_add_item(ssl_psk_tree, hf->hf.hs_client_keyex_epms_len, tvb,
                      offset, 2, ENC_BIG_ENDIAN0x00000000);
  proto_tree_add_item(ssl_psk_tree, hf->hf.hs_client_keyex_epms, tvb,
                      offset + 2, epms_len, ENC_NA0x00000000);
12429}

12431/* Used in Diffie-Hellman PSK cipher suites */
12432static void
12433dissect_ssl3_hnd_cli_keyex_dhe_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                                 proto_tree *tree, uint32_t offset, uint32_t length)
12435{
  /*
   *  struct {
   *      select (KeyExchangeAlgorithm) {
   *          case diffie_hellman_psk:
   *              opaque psk_identity<0..2^16-1>;
   *              ClientDiffieHellmanPublic public;
   *      } exchange_keys;
   *  } ClientKeyExchange;
   */

  uint32_t psk_len = dissect_ssl3_hnd_cli_keyex_psk(hf, tvb, tree, offset);
  dissect_ssl3_hnd_cli_keyex_dhe(hf, tvb, tree, offset + psk_len, length - psk_len);
12448}

12450/* Used in EC Diffie-Hellman PSK cipher suites */
12451static void
12452dissect_ssl3_hnd_cli_keyex_ecdh_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                                  proto_tree *tree, uint32_t offset, uint32_t length)
12454{
  /*
   *  struct {
   *      select (KeyExchangeAlgorithm) {
   *          case ec_diffie_hellman_psk:
   *              opaque psk_identity<0..2^16-1>;
   *              ClientECDiffieHellmanPublic public;
   *      } exchange_keys;
   *  } ClientKeyExchange;
   */

  uint32_t psk_len = dissect_ssl3_hnd_cli_keyex_psk(hf, tvb, tree, offset);
  dissect_ssl3_hnd_cli_keyex_ecdh(hf, tvb, tree, offset + psk_len, length - psk_len);
12467}

12469/* Used in EC J-PAKE cipher suites */
12470static void
12471dissect_ssl3_hnd_cli_keyex_ecjpake(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                                 proto_tree *tree, uint32_t offset,
                                 uint32_t length)
12474{
  /*
   *  struct {
   *      ECPoint V;
   *      opaque r<1..2^8-1>;
   *  } ECSchnorrZKP;
   *
   *  struct {
   *      ECPoint X;
   *      ECSchnorrZKP zkp;
   *  } ECJPAKEKeyKP;
   *
   *  struct {
   *      ECJPAKEKeyKP ecjpake_key_kp;
   *  } ClientECJPAKEParams;
   *
   *  select (KeyExchangeAlgorithm) {
   *      case ecjpake:
   *          ClientECJPAKEParams params;
   *  } ClientKeyExchange;
   */

  int         point_len;
  proto_tree *ssl_ecjpake_tree;

  ssl_ecjpake_tree = proto_tree_add_subtree(tree, tvb, offset, length,
                                            hf->ett.keyex_params, NULL((void*)0),
                                            "EC J-PAKE Client Params");

  /* ECJPAKEKeyKP.X */
  point_len = tvb_get_uint8(tvb, offset);
  proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_client_keyex_xc_len, tvb,
                      offset, 1, ENC_BIG_ENDIAN0x00000000);
  proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_client_keyex_xc, tvb,
                      offset + 1, point_len, ENC_NA0x00000000);
  offset += 1 + point_len;

  /* ECJPAKEKeyKP.zkp.V */
  point_len = tvb_get_uint8(tvb, offset);
  proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_client_keyex_vc_len, tvb,
                      offset, 1, ENC_BIG_ENDIAN0x00000000);
  proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_client_keyex_vc, tvb,
                      offset + 1, point_len, ENC_NA0x00000000);
  offset += 1 + point_len;

  /* ECJPAKEKeyKP.zkp.r */
  point_len = tvb_get_uint8(tvb, offset);
  proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_client_keyex_rc_len, tvb,
                      offset, 1, ENC_BIG_ENDIAN0x00000000);
  proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_client_keyex_rc, tvb,
                      offset + 1, point_len, ENC_NA0x00000000);
12525}

12527static void
12528dissect_ssl3_hnd_cli_keyex_ecc_sm2(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                                 proto_tree *tree, uint32_t offset,
                                 uint32_t length)
12531{
  int epms_len;
  proto_tree *ssl_ecc_sm2_tree;

  ssl_ecc_sm2_tree = proto_tree_add_subtree(tree, tvb, offset, length,
                                            hf->ett.keyex_params, NULL((void*)0),
                                            "ECC-SM2 Encrypted PreMaster Secret");

  epms_len = tvb_get_ntohs(tvb, offset);
  proto_tree_add_item(ssl_ecc_sm2_tree, hf->hf.hs_client_keyex_epms_len, tvb,
                      offset, 2, ENC_BIG_ENDIAN0x00000000);
  offset += 2;
  proto_tree_add_item(ssl_ecc_sm2_tree, hf->hf.hs_client_keyex_epms, tvb,
                      offset, epms_len, ENC_NA0x00000000);
12545}
12546/* ClientKeyExchange algo-specific dissectors. }}} */


12549/* Dissects DigitallySigned (see RFC 5246 4.7 Cryptographic Attributes). {{{ */
12550static uint32_t
12551ssl_dissect_digitally_signed(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                           proto_tree *tree, uint32_t offset, uint32_t offset_end,
                           uint16_t version, int hf_sig_len, int hf_sig)
12554{
  uint32_t    sig_len;

  switch (version) {
  case TLSV1DOT2_VERSION0x303:
  case DTLSV1DOT2_VERSION0xfefd:
  case TLSV1DOT3_VERSION0x304:
  case DTLSV1DOT3_VERSION0xfefc:
      tls_dissect_signature_algorithm(hf, tvb, tree, offset, NULL((void*)0));
      offset += 2;
      break;

  default:
      break;
  }

  /* Sig */
  if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &sig_len,
                      hf_sig_len, 0, UINT16_MAX(65535))) {
      return offset_end;
  }
  offset += 2;
  proto_tree_add_item(tree, hf_sig, tvb, offset, sig_len, ENC_NA0x00000000);
  offset += sig_len;
  return offset;
12579} /* }}} */

12581/* ServerKeyExchange algo-specific dissectors. {{{ */

12583/* dissects signed_params inside a ServerKeyExchange for some keyex algos */
12584static void
12585dissect_ssl3_hnd_srv_keyex_sig(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                             proto_tree *tree, uint32_t offset, uint32_t offset_end,
                             uint16_t version)
12588{
  /*
   * TLSv1.2 (RFC 5246 sec 7.4.8)
   *  struct {
   *      digitally-signed struct {
   *          opaque handshake_messages[handshake_messages_length];
   *      }
   *  } CertificateVerify;
   *
   * TLSv1.0/TLSv1.1 (RFC 5436 sec 7.4.8 and 7.4.3) works essentially the same
   * as TLSv1.2, but the hash algorithms are not explicit in digitally-signed.
   *
   * SSLv3 (RFC 6101 sec 5.6.8) essentially works the same as TLSv1.0 but it
   * does more hashing including the master secret and padding.
   */
  ssl_dissect_digitally_signed(hf, tvb, pinfo, tree, offset, offset_end, version,
                               hf->hf.hs_server_keyex_sig_len,
                               hf->hf.hs_server_keyex_sig);
12606}

12608static uint32_t
12609dissect_tls_ecparameters(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree, uint32_t offset, uint32_t offset_end)
12610{
  /*
   * RFC 4492 ECC cipher suites for TLS
   *
   *  struct {
   *      ECCurveType    curve_type;
   *      select (curve_type) {
   *          case explicit_prime:
   *              ...
   *          case explicit_char2:
   *              ...
   *          case named_curve:
   *              NamedCurve namedcurve;
   *      };
   *  } ECParameters;
   */

  int         curve_type;

  /* ECParameters.curve_type */
  curve_type = tvb_get_uint8(tvb, offset);
  proto_tree_add_item(tree, hf->hf.hs_server_keyex_curve_type, tvb,
                      offset, 1, ENC_BIG_ENDIAN0x00000000);
  offset++;

  if (curve_type != 3)
      return offset_end; /* only named_curves are supported */

  /* case curve_type == named_curve; ECParameters.namedcurve */
  proto_tree_add_item(tree, hf->hf.hs_server_keyex_named_curve, tvb,
                      offset, 2, ENC_BIG_ENDIAN0x00000000);
  offset += 2;

  return offset;
12644}

12646static void
12647dissect_ssl3_hnd_srv_keyex_ecdh(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                              proto_tree *tree, uint32_t offset, uint32_t offset_end,
                              uint16_t version, bool_Bool anon)
12650{
  /*
   * RFC 4492 ECC cipher suites for TLS
   *
   *  struct {
   *      opaque point <1..2^8-1>;
   *  } ECPoint;
   *
   *  struct {
   *      ECParameters    curve_params;
   *      ECPoint         public;
   *  } ServerECDHParams;
   *
   *  select (KeyExchangeAlgorithm) {
   *      case ec_diffie_hellman:
   *          ServerECDHParams    params;
   *          Signature           signed_params;
   *  } ServerKeyExchange;
   */

  int         point_len;
  proto_tree *ssl_ecdh_tree;

  ssl_ecdh_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
                                hf->ett.keyex_params, NULL((void*)0), "EC Diffie-Hellman Server Params");

  offset = dissect_tls_ecparameters(hf, tvb, ssl_ecdh_tree, offset, offset_end);
  if (offset >= offset_end)
      return; /* only named_curves are supported */

  /* ECPoint.point */
  point_len = tvb_get_uint8(tvb, offset);
  proto_tree_add_item(ssl_ecdh_tree, hf->hf.hs_server_keyex_point_len, tvb,
                      offset, 1, ENC_BIG_ENDIAN0x00000000);
  proto_tree_add_item(ssl_ecdh_tree, hf->hf.hs_server_keyex_point, tvb,
                      offset + 1, point_len, ENC_NA0x00000000);
  offset += 1 + point_len;

  /* Signature (if non-anonymous KEX) */
  if (!anon) {
      dissect_ssl3_hnd_srv_keyex_sig(hf, tvb, pinfo, ssl_ecdh_tree, offset, offset_end, version);
  }
12692}

12694static void
12695dissect_ssl3_hnd_srv_keyex_dhe(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                             proto_tree *tree, uint32_t offset, uint32_t offset_end,
                             uint16_t version, bool_Bool anon)
12698{
  int         p_len, g_len, ys_len;
  proto_tree *ssl_dh_tree;

  ssl_dh_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
                              hf->ett.keyex_params, NULL((void*)0), "Diffie-Hellman Server Params");

  /* p */
  p_len = tvb_get_ntohs(tvb, offset);
  proto_tree_add_item(ssl_dh_tree, hf->hf.hs_server_keyex_p_len, tvb,
                      offset, 2, ENC_BIG_ENDIAN0x00000000);
  proto_tree_add_item(ssl_dh_tree, hf->hf.hs_server_keyex_p, tvb,
                      offset + 2, p_len, ENC_NA0x00000000);
  offset += 2 + p_len;

  /* g */
  g_len = tvb_get_ntohs(tvb, offset);
  proto_tree_add_item(ssl_dh_tree, hf->hf.hs_server_keyex_g_len, tvb,
                      offset, 2, ENC_BIG_ENDIAN0x00000000);
  proto_tree_add_item(ssl_dh_tree, hf->hf.hs_server_keyex_g, tvb,
                      offset + 2, g_len, ENC_NA0x00000000);
  offset += 2 + g_len;

  /* Ys */
  ys_len = tvb_get_ntohs(tvb, offset);
  proto_tree_add_uint(ssl_dh_tree, hf->hf.hs_server_keyex_ys_len, tvb,
                      offset, 2, ys_len);
  proto_tree_add_item(ssl_dh_tree, hf->hf.hs_server_keyex_ys, tvb,
                      offset + 2, ys_len, ENC_NA0x00000000);
  offset += 2 + ys_len;

  /* Signature (if non-anonymous KEX) */
  if (!anon) {
      dissect_ssl3_hnd_srv_keyex_sig(hf, tvb, pinfo, ssl_dh_tree, offset, offset_end, version);
  }
12733}

12735/* Only used in RSA-EXPORT cipher suites */
12736static void
12737dissect_ssl3_hnd_srv_keyex_rsa(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                             proto_tree *tree, uint32_t offset, uint32_t offset_end,
                             uint16_t version)
12740{
  int         modulus_len, exponent_len;
  proto_tree *ssl_rsa_tree;

  ssl_rsa_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
                               hf->ett.keyex_params, NULL((void*)0), "RSA-EXPORT Server Params");

  /* modulus */
  modulus_len = tvb_get_ntohs(tvb, offset);
  proto_tree_add_item(ssl_rsa_tree, hf->hf.hs_server_keyex_modulus_len, tvb,
                      offset, 2, ENC_BIG_ENDIAN0x00000000);
  proto_tree_add_item(ssl_rsa_tree, hf->hf.hs_server_keyex_modulus, tvb,
                      offset + 2, modulus_len, ENC_NA0x00000000);
  offset += 2 + modulus_len;

  /* exponent */
  exponent_len = tvb_get_ntohs(tvb, offset);
  proto_tree_add_item(ssl_rsa_tree, hf->hf.hs_server_keyex_exponent_len,
                      tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
  proto_tree_add_item(ssl_rsa_tree, hf->hf.hs_server_keyex_exponent,
                      tvb, offset + 2, exponent_len, ENC_NA0x00000000);
  offset += 2 + exponent_len;

  /* Signature */
  dissect_ssl3_hnd_srv_keyex_sig(hf, tvb, pinfo, ssl_rsa_tree, offset, offset_end, version);
12765}

12767/* Used in RSA PSK and PSK cipher suites */
12768static uint32_t
12769dissect_ssl3_hnd_srv_keyex_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                             proto_tree *tree, uint32_t offset)
12771{
  unsigned     hint_len;
  proto_tree *ssl_psk_tree;

  ssl_psk_tree = proto_tree_add_subtree(tree, tvb, offset, -1,
                               hf->ett.keyex_params, NULL((void*)0), "PSK Server Params");

  /* hint */
  hint_len = tvb_get_ntohs(tvb, offset);
  proto_tree_add_item(ssl_psk_tree, hf->hf.hs_server_keyex_hint_len, tvb,
                      offset, 2, ENC_BIG_ENDIAN0x00000000);
  proto_tree_add_item(ssl_psk_tree, hf->hf.hs_server_keyex_hint, tvb,
                      offset + 2, hint_len, ENC_NA0x00000000);

  proto_item_set_len(ssl_psk_tree, 2 + hint_len);
  return 2 + hint_len;
12787}

12789/* Used in Diffie-Hellman PSK cipher suites */
12790static void
12791dissect_ssl3_hnd_srv_keyex_dhe_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                                 proto_tree *tree, uint32_t offset, uint32_t offset_end)
12793{
  /*
   *  struct {
   *      select (KeyExchangeAlgorithm) {
   *          case diffie_hellman_psk:
   *              opaque psk_identity_hint<0..2^16-1>;
   *              ServerDHParams params;
   *      };
   *  } ServerKeyExchange;
   */

  uint32_t psk_len = dissect_ssl3_hnd_srv_keyex_psk(hf, tvb, tree, offset);
  dissect_ssl3_hnd_srv_keyex_dhe(hf, tvb, pinfo, tree, offset + psk_len, offset_end, 0, true1);
12806}

12808/* Used in EC Diffie-Hellman PSK cipher suites */
12809static void
12810dissect_ssl3_hnd_srv_keyex_ecdh_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                                  proto_tree *tree, uint32_t offset, uint32_t offset_end)
12812{
  /*
   *  struct {
   *      select (KeyExchangeAlgorithm) {
   *          case ec_diffie_hellman_psk:
   *              opaque psk_identity_hint<0..2^16-1>;
   *              ServerECDHParams params;
   *      };
   *  } ServerKeyExchange;
   */

  uint32_t psk_len = dissect_ssl3_hnd_srv_keyex_psk(hf, tvb, tree, offset);
  dissect_ssl3_hnd_srv_keyex_ecdh(hf, tvb, pinfo, tree, offset + psk_len, offset_end, 0, true1);
12825}

12827/* Used in EC J-PAKE cipher suites */
12828static void
12829dissect_ssl3_hnd_srv_keyex_ecjpake(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                                 proto_tree *tree, uint32_t offset, uint32_t offset_end)
12831{
  /*
   *  struct {
   *      ECPoint V;
   *      opaque r<1..2^8-1>;
   *  } ECSchnorrZKP;
   *
   *  struct {
   *      ECPoint X;
   *      ECSchnorrZKP zkp;
   *  } ECJPAKEKeyKP;
   *
   *  struct {
   *      ECParameters curve_params;
   *      ECJPAKEKeyKP ecjpake_key_kp;
   *  } ServerECJPAKEParams;
   *
   *  select (KeyExchangeAlgorithm) {
   *      case ecjpake:
   *          ServerECJPAKEParams params;
   *  } ServerKeyExchange;
   */

  int         point_len;
  proto_tree *ssl_ecjpake_tree;

  ssl_ecjpake_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
                                            hf->ett.keyex_params, NULL((void*)0),
                                            "EC J-PAKE Server Params");

  offset = dissect_tls_ecparameters(hf, tvb, ssl_ecjpake_tree, offset, offset_end);
  if (offset >= offset_end)
      return; /* only named_curves are supported */

  /* ECJPAKEKeyKP.X */
  point_len = tvb_get_uint8(tvb, offset);
  proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_server_keyex_xs_len, tvb,
                      offset, 1, ENC_BIG_ENDIAN0x00000000);
  proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_server_keyex_xs, tvb,
                      offset + 1, point_len, ENC_NA0x00000000);
  offset += 1 + point_len;

  /* ECJPAKEKeyKP.zkp.V */
  point_len = tvb_get_uint8(tvb, offset);
  proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_server_keyex_vs_len, tvb,
                      offset, 1, ENC_BIG_ENDIAN0x00000000);
  proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_server_keyex_vs, tvb,
                      offset + 1, point_len, ENC_NA0x00000000);
  offset += 1 + point_len;

  /* ECJPAKEKeyKP.zkp.r */
  point_len = tvb_get_uint8(tvb, offset);
  proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_server_keyex_rs_len, tvb,
                      offset, 1, ENC_BIG_ENDIAN0x00000000);
  proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_server_keyex_rs, tvb,
                      offset + 1, point_len, ENC_NA0x00000000);
12887}

12889/* Only used in ECC-SM2-EXPORT cipher suites */
12890static void
12891dissect_ssl3_hnd_srv_keyex_ecc_sm2(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                                 proto_tree *tree, uint32_t offset, uint32_t offset_end,
                                 uint16_t version)
12894{
  proto_tree *ssl_ecc_sm2_tree;

  ssl_ecc_sm2_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
                                            hf->ett.keyex_params, NULL((void*)0), "ECC-SM2-EXPORT Server Params");

  /* Signature */
  dissect_ssl3_hnd_srv_keyex_sig(hf, tvb, pinfo, ssl_ecc_sm2_tree, offset, offset_end, version);
12902}
12903/* ServerKeyExchange algo-specific dissectors. }}} */

12905/* Client Key Exchange and Server Key Exchange handshake dissections. {{{ */
12906void
12907ssl_dissect_hnd_cli_keyex(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                        proto_tree *tree, uint32_t offset, uint32_t length,
                        const SslSession *session)
12910{
  switch (ssl_get_keyex_alg(session->cipher)) {
  case KEX_DH_ANON0x13: /* RFC 5246; DHE_DSS, DHE_RSA, DH_DSS, DH_RSA, DH_ANON: ClientDiffieHellmanPublic */
  case KEX_DH_DSS0x14:
  case KEX_DH_RSA0x15:
  case KEX_DHE_DSS0x10:
  case KEX_DHE_RSA0x12:
      dissect_ssl3_hnd_cli_keyex_dhe(hf, tvb, tree, offset, length);
      break;
  case KEX_DHE_PSK0x11: /* RFC 4279; diffie_hellman_psk: psk_identity, ClientDiffieHellmanPublic */
      dissect_ssl3_hnd_cli_keyex_dhe_psk(hf, tvb, tree, offset, length);
      break;
  case KEX_ECDH_ANON0x19: /* RFC 4492; ec_diffie_hellman: ClientECDiffieHellmanPublic */
  case KEX_ECDH_ECDSA0x1a:
  case KEX_ECDH_RSA0x1b:
  case KEX_ECDHE_ECDSA0x16:
  case KEX_ECDHE_RSA0x18:
      dissect_ssl3_hnd_cli_keyex_ecdh(hf, tvb, tree, offset, length);
      break;
  case KEX_ECDHE_PSK0x17: /* RFC 5489; ec_diffie_hellman_psk: psk_identity, ClientECDiffieHellmanPublic */
      dissect_ssl3_hnd_cli_keyex_ecdh_psk(hf, tvb, tree, offset, length);
      break;
  case KEX_KRB50x1c: /* RFC 2712; krb5: KerberosWrapper */
      /* XXX: implement support for KRB5 */
      proto_tree_add_expert_format(tree, NULL((void*)0), &hf->ei.hs_ciphersuite_undecoded,
                                   tvb, offset, length,
                             "Kerberos ciphersuites (RFC 2712) are not implemented, contact Wireshark"
                             " developers if you want them to be supported");
      break;
  case KEX_PSK0x1d: /* RFC 4279; psk: psk_identity */
      dissect_ssl3_hnd_cli_keyex_psk(hf, tvb, tree, offset);
      break;
  case KEX_RSA0x1e: /* RFC 5246; rsa: EncryptedPreMasterSecret */
      dissect_ssl3_hnd_cli_keyex_rsa(hf, tvb, tree, offset, length, session);
      break;
  case KEX_RSA_PSK0x1f: /* RFC 4279; rsa_psk: psk_identity, EncryptedPreMasterSecret */
      dissect_ssl3_hnd_cli_keyex_rsa_psk(hf, tvb, tree, offset, length);
      break;
  case KEX_SRP_SHA0x20: /* RFC 5054; srp: ClientSRPPublic */
  case KEX_SRP_SHA_DSS0x21:
  case KEX_SRP_SHA_RSA0x22:
      /* XXX: implement support for SRP_SHA* */
      proto_tree_add_expert_format(tree, NULL((void*)0), &hf->ei.hs_ciphersuite_undecoded,
                                   tvb, offset, length,
                             "SRP_SHA ciphersuites (RFC 5054) are not implemented, contact Wireshark"
                             " developers if you want them to be supported");
      break;
  case KEX_ECJPAKE0x24: /* https://tools.ietf.org/html/draft-cragie-tls-ecjpake-01 used in Thread Commissioning */
      dissect_ssl3_hnd_cli_keyex_ecjpake(hf, tvb, tree, offset, length);
      break;
  case KEX_ECC_SM20x26: /* GB/T 38636 */
      dissect_ssl3_hnd_cli_keyex_ecc_sm2(hf, tvb, tree, offset, length);
      break;
  default:
      if (session->cipher == 0) {
          proto_tree_add_expert_format(tree, NULL((void*)0), &hf->ei.hs_ciphersuite_undecoded,
                                tvb, offset, length,
                                "Cipher Suite not found");
      } else {
          proto_tree_add_expert_format(tree, NULL((void*)0), &hf->ei.hs_ciphersuite_undecoded,
                                tvb, offset, length,
                                "Cipher Suite 0x%04x is not implemented, "
                                "contact Wireshark developers if you want this to be supported",
                                session->cipher);
      }
      break;
  }
12977}

12979void
12980ssl_dissect_hnd_srv_keyex(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                        proto_tree *tree, uint32_t offset, uint32_t offset_end,
                        const SslSession *session)
12983{
  switch (ssl_get_keyex_alg(session->cipher)) {
  case KEX_DH_ANON0x13: /* RFC 5246; ServerDHParams */
      dissect_ssl3_hnd_srv_keyex_dhe(hf, tvb, pinfo, tree, offset, offset_end, session->version, true1);
      break;
  case KEX_DH_DSS0x14: /* RFC 5246; not allowed */
  case KEX_DH_RSA0x15:
      proto_tree_add_expert(tree, NULL((void*)0), &hf->ei.hs_srv_keyex_illegal,
                            tvb, offset, offset_end - offset);
      break;
  case KEX_DHE_DSS0x10: /* RFC 5246; dhe_dss, dhe_rsa: ServerDHParams, Signature */
  case KEX_DHE_RSA0x12:
      dissect_ssl3_hnd_srv_keyex_dhe(hf, tvb, pinfo, tree, offset, offset_end, session->version, false0);
      break;
  case KEX_DHE_PSK0x11: /* RFC 4279; diffie_hellman_psk: psk_identity_hint, ServerDHParams */
      dissect_ssl3_hnd_srv_keyex_dhe_psk(hf, tvb, pinfo, tree, offset, offset_end);
      break;
  case KEX_ECDH_ANON0x19: /* RFC 4492; ec_diffie_hellman: ServerECDHParams (without signature for anon) */
      dissect_ssl3_hnd_srv_keyex_ecdh(hf, tvb, pinfo, tree, offset, offset_end, session->version, true1);
      break;
  case KEX_ECDHE_PSK0x17: /* RFC 5489; psk_identity_hint, ServerECDHParams */
      dissect_ssl3_hnd_srv_keyex_ecdh_psk(hf, tvb, pinfo, tree, offset, offset_end);
      break;
  case KEX_ECDH_ECDSA0x1a: /* RFC 4492; ec_diffie_hellman: ServerECDHParams, Signature */
  case KEX_ECDH_RSA0x1b:
  case KEX_ECDHE_ECDSA0x16:
  case KEX_ECDHE_RSA0x18:
      dissect_ssl3_hnd_srv_keyex_ecdh(hf, tvb, pinfo, tree, offset, offset_end, session->version, false0);
      break;
  case KEX_KRB50x1c: /* RFC 2712; not allowed */
      proto_tree_add_expert(tree, NULL((void*)0), &hf->ei.hs_srv_keyex_illegal,
                            tvb, offset, offset_end - offset);
      break;
  case KEX_PSK0x1d: /* RFC 4279; psk, rsa: psk_identity */
  case KEX_RSA_PSK0x1f:
      dissect_ssl3_hnd_srv_keyex_psk(hf, tvb, tree, offset);
      break;
  case KEX_RSA0x1e: /* only allowed if the public key in the server certificate is longer than 512 bits */
      dissect_ssl3_hnd_srv_keyex_rsa(hf, tvb, pinfo, tree, offset, offset_end, session->version);
      break;
  case KEX_ECC_SM20x26: /* GB/T 38636 */
      dissect_ssl3_hnd_srv_keyex_ecc_sm2(hf, tvb, pinfo, tree, offset, offset_end, session->version);
      break;
  case KEX_SRP_SHA0x20: /* RFC 5054; srp: ServerSRPParams, Signature */
  case KEX_SRP_SHA_DSS0x21:
  case KEX_SRP_SHA_RSA0x22:
      /* XXX: implement support for SRP_SHA* */
      proto_tree_add_expert_format(tree, NULL((void*)0), &hf->ei.hs_ciphersuite_undecoded,
                                   tvb, offset, offset_end - offset,
                             "SRP_SHA ciphersuites (RFC 5054) are not implemented, contact Wireshark"
                             " developers if you want them to be supported");
      break;
  case KEX_ECJPAKE0x24: /* https://tools.ietf.org/html/draft-cragie-tls-ecjpake-01 used in Thread Commissioning */
      dissect_ssl3_hnd_srv_keyex_ecjpake(hf, tvb, tree, offset, offset_end);
      break;
  default:
      if (session->cipher == 0) {
          proto_tree_add_expert_format(tree, NULL((void*)0), &hf->ei.hs_ciphersuite_undecoded,
                                tvb, offset, offset_end - offset,
                                "Cipher Suite not found");
      } else {
          proto_tree_add_expert_format(tree, NULL((void*)0), &hf->ei.hs_ciphersuite_undecoded,
                                tvb, offset, offset_end - offset,
                                "Cipher Suite 0x%04x is not implemented, "
                                "contact Wireshark developers if you want this to be supported",
                                session->cipher);
      }
      break;
  }
13052}
13053/* Client Key Exchange and Server Key Exchange handshake dissections. }}} */

13055void
13056tls13_dissect_hnd_key_update(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                           proto_tree *tree, uint32_t offset)
13058{
  /* RFC 8446 Section 4.6.3
   *  enum {
   *      update_not_requested(0), update_requested(1), (255)
   *  } KeyUpdateRequest;
   *
   *  struct {
   *      KeyUpdateRequest request_update;
   *  } KeyUpdate;
   */
  proto_tree_add_item(tree, hf->hf.hs_key_update_request_update, tvb, offset, 1, ENC_NA0x00000000);
13069}

13071void
13072ssl_common_register_ssl_alpn_dissector_table(const char *name,
  const char *ui_name, const int proto)
13074{
  ssl_alpn_dissector_table = register_dissector_table(name, ui_name,
      proto, FT_STRING, STRING_CASE_SENSITIVE0);
  register_dissector_table_alias(ssl_alpn_dissector_table, "ssl.handshake.extensions_alpn_str");
13078}

13080void
13081ssl_common_register_dtls_alpn_dissector_table(const char *name,
  const char *ui_name, const int proto)
13083{
  dtls_alpn_dissector_table = register_dissector_table(name, ui_name,
      proto, FT_STRING, STRING_CASE_SENSITIVE0);
  register_dissector_table_alias(ssl_alpn_dissector_table, "dtls.handshake.extensions_alpn_str");
13087}

13089void
13090ssl_common_register_options(module_t *module, ssl_common_options_t *options, bool_Bool is_dtls)
13091{
      prefs_register_string_preference(module, "psk", "Pre-Shared Key",
           "Pre-Shared Key as HEX string. Should be 0 to 16 bytes.",
           &(options->psk));

      if (is_dtls) {
          prefs_register_obsolete_preference(module, "keylog_file");
          prefs_register_static_text_preference(module, "keylog_file_removed",
                  "The (Pre)-Master-Secret log filename preference can be configured in the TLS protocol preferences.",
                  "Use the TLS protocol preference to configure the keylog file for both DTLS and TLS.");
          return;
      }

      prefs_register_filename_preference(module, "keylog_file", "(Pre)-Master-Secret log filename",
           "The name of a file which contains a list of \n"
           "(pre-)master secrets in one of the following formats:\n"
           "\n"
           "RSA <EPMS> <PMS>\n"
           "RSA Session-ID:<SSLID> Master-Key:<MS>\n"
           "CLIENT_RANDOM <CRAND> <MS>\n"
           "PMS_CLIENT_RANDOM <CRAND> <PMS>\n"
           "\n"
           "Where:\n"
           "<EPMS> = First 8 bytes of the Encrypted PMS\n"
           "<PMS> = The Pre-Master-Secret (PMS) used to derive the MS\n"
           "<SSLID> = The SSL Session ID\n"
           "<MS> = The Master-Secret (MS)\n"
           "<CRAND> = The Client's random number from the ClientHello message\n"
           "\n"
           "(All fields are in hex notation)",
           &(options->keylog_filename), false0);
13122}

13124void
13125ssl_calculate_handshake_hash(SslDecryptSession *ssl_session, tvbuff_t *tvb, uint32_t offset, uint32_t length, uint8_t msg_type, bool_Bool is_from_server)
13126{
  /* The handshake transcript can be used in [D]TLS 1.2 for the extended
   * master secret of RFC 7627, and in [D]TLS 1.3 for computing the secrets,
   * though the latter is only useful when pke_ke (PSK-only key exchange) is
   * negotiated. */
  if (!ssl_session)
      return;

  switch (ssl_session->session.version) {
  /* The handshake message types used in the handshake hash are different
   * in different versions. [D]TLS 1.3 tracks the messages up to the
   * Finished, whereas 1.2 stops at the ClientKeyExchange. However, all start
   * at the ClientHello and include the messages up to the ServerHello, at
   * which point we know the version.
   *
   * XXX - However, DTLS 1.2 includes the DTLS-specific fragment info fields
   * in its handshake transcript, whereas DTLS 1.3 does not (using the same
   * format as TLS 1.3). We don't know at the point of the ClientHello which
   * version will be used, so PSK only likely doesn't work for DTLS 1.3 yet.
   *
   * XXX - When the server responds with a HelloRetryRequest, for subsequent
   * hashes (other than the first PSK Binder, see 4.2.11.2) ClientHello1 is
   * replaced with a synthentic handhsake message of type "message_hash",
   * per RFC 8446 4.4.1. We aren't concerned with that now, as a HRR generally
   * rules out PSK-only key exchange, which is what we calculate the hash for
   * here. (The possible exception is when a server sends a HRR to reject
   * early data but the server and client otherwise agree on psk_ke, if
   * any client/server pairs support that.) We do support that in the context
   * of computing the hash for Encrypted Client Hello; see elsewhere.
   */
  case TLSV1DOT3_VERSION0x304:
  case DTLSV1DOT3_VERSION0xfefc:
      /* In [D]TLS 1.3 only the following handshake messages are used in the
       * handshake transcript. EndOfEarlyData and the Client Certificate,
       * Certificate Verify, and Finished are used in deriving the
       * resumption_master_secret but not the other secrets derived from
       * the master secret (client or server app traffic secret, exporter
       * secret). We don't yet support calculating a PSK to resume via
       * the resumption_master_secret, so we simply stop the transcript
       * with the server Finished. See RFC 8446 4.4.1 & 7.1 */
      switch (msg_type) {
      case SSL_HND_CLIENT_HELLO:
      case SSL_HND_SERVER_HELLO:
      case SSL_HND_HELLO_RETRY_REQUEST:
      case SSL_HND_ENCRYPTED_EXTENSIONS:
      case SSL_HND_CERT_REQUEST:
          break;
      case SSL_HND_CERTIFICATE:
      case SSL_HND_CERT_VERIFY:
      case SSL_HND_FINISHED:
          if (!is_from_server)
              return;
          break;
      case SSL_HND_END_OF_EARLY_DATA:
      default:
          return;
      }
      break;
  default:
      /* In [D]TLS 1.2, the handshake hash for the Extended Master Secret
       * (RFC 7627) is calculated up to and including ClientKeyExchange,
       * but the keys are not retrieved until ChangeCipherSpec later. If
       * mutual authentication is requested by the server, an intervening
       * CertificateVerify message can be sent but is not to be included
       * in the hash. */
      if (msg_type == SSL_HND_CERT_VERIFY)
          return;
      if (ssl_session->state & SSL_MASTER_SECRET(1<<5))
          return;
      break;
  }

  uint32_t old_length = ssl_session->handshake_data.data_len;
  ssl_debug_printf("Calculating hash with offset %d %d\n", offset, length);
  if (tvb) {
      if (tvb_bytes_exist(tvb, offset, length)) {
          ssl_session->handshake_data.data = (unsigned char *)wmem_realloc(wmem_file_scope(), ssl_session->handshake_data.data, old_length + length);
          tvb_memcpy(tvb, ssl_session->handshake_data.data + old_length, offset, length);
          ssl_session->handshake_data.data_len += length;
      }
  } else {
      /* DTLS calculates the hash as if each handshake message had been
       * sent as a single fragment (RFC 6347, section 4.2.6) and passes
       * in a null tvbuff to add 3 bytes for a zero fragment offset.
       */
      DISSECTOR_ASSERT_CMPINT(length, <, 4)((void) ((length < 4) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion " "length" " " "<" " " "4" " (" "%"
 "l" "d" " " "<" " " "%" "l" "d" ")", "epan/dissectors/packet-tls-utils.c"
, 13211, (int64_t)length, (int64_t)4))));
      ssl_session->handshake_data.data = (unsigned char *)wmem_realloc(wmem_file_scope(), ssl_session->handshake_data.data, old_length + length);
      memset(ssl_session->handshake_data.data + old_length, 0, length);
      ssl_session->handshake_data.data_len += length;
  }
13216}


13219/*
* Editor modelines  -  https://www.wireshark.org/tools/modelines.html
*
* Local variables:
* c-basic-offset: 4
* tab-width: 8
* indent-tabs-mode: nil
* End:
*
* vi: set shiftwidth=4 tabstop=8 expandtab:
* :indentSize=4:tabSize=8:noTabs=true:
*/