Bug Summary

File:builds/wireshark/wireshark/epan/dissectors/packet-tls-utils.c
Warning:line 4942, column 17
Potential leak of memory pointed to by 'handshake_hashed_data.data'

Annotated Source Code


clang -cc1 -cc1 -triple x86_64-pc-linux-gnu -analyze -disable-free -clear-ast-before-backend -disable-llvm-verifier -discard-value-names -main-file-name packet-tls-utils.c -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -mrelocation-model pic -pic-level 2 -fhalf-no-semantic-interposition -fno-delete-null-pointer-checks -mframe-pointer=all -relaxed-aliasing -fmath-errno -ffp-contract=on -fno-rounding-math -ffloat16-excess-precision=fast -fbfloat16-excess-precision=fast -mconstructor-aliases -funwind-tables=2 -target-cpu x86-64 -tune-cpu generic -debugger-tuning=gdb -fdebug-compilation-dir=/builds/wireshark/wireshark/build -fcoverage-compilation-dir=/builds/wireshark/wireshark/build -resource-dir /usr/lib/llvm-22/lib/clang/22 -isystem /usr/include/glib-2.0 -isystem /usr/lib/x86_64-linux-gnu/glib-2.0/include -isystem /builds/wireshark/wireshark/epan/dissectors -isystem /builds/wireshark/wireshark/build/epan/dissectors -isystem /usr/include/mit-krb5 -isystem /usr/include/libxml2 -isystem /builds/wireshark/wireshark/epan -D CARES_NO_DEPRECATED -D G_DISABLE_DEPRECATED -D G_DISABLE_SINGLE_INCLUDES -D WS_BUILD_DLL -D WS_DEBUG -D WS_DEBUG_UTF_8 -I /builds/wireshark/wireshark/build -I /builds/wireshark/wireshark -I /builds/wireshark/wireshark/include -D _GLIBCXX_ASSERTIONS -internal-isystem /usr/lib/llvm-22/lib/clang/22/include -internal-isystem /usr/local/include -internal-isystem /usr/lib/gcc/x86_64-linux-gnu/16/../../../../x86_64-linux-gnu/include -internal-externc-isystem 
/usr/include/x86_64-linux-gnu -internal-externc-isystem /include -internal-externc-isystem /usr/include -fmacro-prefix-map=/builds/wireshark/wireshark/= -fmacro-prefix-map=/builds/wireshark/wireshark/build/= -fmacro-prefix-map=../= -Wno-format-nonliteral -std=gnu17 -ferror-limit 19 -fvisibility=hidden -fwrapv -fwrapv-pointer -fstrict-flex-arrays=3 -stack-protector 2 -fstack-clash-protection -fcf-protection=full -fgnuc-version=4.2.1 -fskip-odr-check-in-gmf -fexceptions -fcolor-diagnostics -analyzer-output=html -faddrsig -fdwarf2-cfi-asm -o /builds/wireshark/wireshark/sbout/2026-06-25-100411-3595-1 -x c /builds/wireshark/wireshark/epan/dissectors/packet-tls-utils.c
1/* packet-tls-utils.c
2 * ssl manipulation functions
3 * By Paolo Abeni <[email protected]>
4 *
5 * Copyright (c) 2013, Hauke Mehrtens <[email protected]>
6 * Copyright (c) 2014, Peter Wu <[email protected]>
7 *
8 * Wireshark - Network traffic analyzer
9 * By Gerald Combs <[email protected]>
10 * Copyright 1998 Gerald Combs
11 *
12 * SPDX-License-Identifier: GPL-2.0-or-later
13 */
14
15#include "config.h"
16
17#include <stdlib.h>
18#include <errno(*__errno_location ()).h>
19
20#include <epan/packet.h>
21#include <epan/strutil.h>
22#include <epan/addr_resolv.h>
23#include <epan/expert.h>
24#include <epan/asn1.h>
25#include <epan/proto_data.h>
26#include <epan/oids.h>
27#include <epan/secrets.h>
28
29#include <wsutil/inet_cidr.h>
30#include <wsutil/filesystem.h>
31#include <wsutil/file_util.h>
32#include <wsutil/str_util.h>
33#include <wsutil/report_message.h>
34#include <wsutil/pint.h>
35#include <wsutil/strtoi.h>
36#include <wsutil/wsgcrypt.h>
37#include <wsutil/rsa.h>
38#include <wsutil/ws_assert.h>
39#include <wsutil/zlib_compat.h>
40#include "packet-ber.h"
41#include "packet-x509af.h"
42#include "packet-x509if.h"
43#include "packet-tls-utils.h"
44#include "packet-ocsp.h"
45#include "packet-tls.h"
46#include "packet-dtls.h"
47#include "packet-quic.h"
48#if defined(HAVE_LIBGNUTLS1)
49#include <gnutls/abstract.h>
50#include <gnutls/x509.h>
51#include <gnutls/pkcs12.h>
52#endif
53
/* GREASE detection (RFC 8701).
 *
 * GREASE code points are the sixteen 16-bit values of the form 0xNANA
 * (0x0a0a, 0x1a1a, ..., 0xfafa). Clients randomise which of them they
 * send, so fingerprint calculations such as JA3/JA3S must skip them or the
 * same client would fingerprint differently on every connection.
 *
 * Both bytes are compared explicitly: the nibble check alone would also
 * accept values such as 0x0a1a, which are not GREASE.
 */
#define IS_GREASE_TLS(x) \
    ((((x) & 0x0f0f) == 0x0a0a) && (((((x) >> 8) ^ (x)) & 0xff) == 0))

/* QUIC reserved transport parameters (RFC 9000, Section 22.3): identifiers
 * of the form 31 * N + 27 are reserved for the same "must be ignored"
 * purpose as GREASE and are likewise skipped when fingerprinting.
 *
 * NOTE(review): the strict `> 27` excludes N = 0 (identifier 27 itself),
 * which RFC 9000 also reserves. Confirm whether that is intentional before
 * changing it, since it would alter fingerprint output.
 */
#define IS_GREASE_QUIC(x) (((x) > 27) && ((((x) - 27) % 31) == 0))

/* Upper bound on the DTLS 1.3 epochs this file keeps track of; the code
 * that uses it is below this excerpt. */
#define DTLS13_MAX_EPOCH 10
66
67/* Lookup tables {{{ */
/* Short protocol version names, keyed by the on-the-wire version number.
 * TLCP (0x0101) and the pre-0.9.8f OpenSSL DTLS value (0x0100) are not
 * standard version numbers but do appear in captures, so they are labelled
 * here rather than shown as unknown. */
const value_string ssl_version_short_names[] = {
    { SSLV2_VERSION,        "SSLv2" },
    { SSLV3_VERSION,        "SSLv3" },
    { TLSV1_VERSION,        "TLSv1" },
    { TLCPV1_VERSION,       "TLCP" },
    { TLSV1DOT1_VERSION,    "TLSv1.1" },
    { TLSV1DOT2_VERSION,    "TLSv1.2" },
    { TLSV1DOT3_VERSION,    "TLSv1.3" },
    { DTLSV1DOT0_VERSION,   "DTLSv1.0" },
    { DTLSV1DOT2_VERSION,   "DTLSv1.2" },
    { DTLSV1DOT3_VERSION,   "DTLSv1.3" },
    { DTLSV1DOT0_OPENSSL_VERSION, "DTLS 1.0 (OpenSSL pre 0.9.8f)" },
    { 0x00, NULL }
};
82
/* Full protocol version names. Besides the published versions this lists
 * the TLS 1.3 draft identifiers (0x7F0E..0x7F1C = draft 14..28) and the
 * Facebook draft variants, so captures from pre-RFC 8446 deployments get a
 * meaningful label, plus the sixteen RFC 8701 GREASE values so a GREASE
 * version in supported_versions is shown as reserved rather than unknown. */
const value_string ssl_versions[] = {
    { SSLV2_VERSION,        "SSL 2.0" },
    { SSLV3_VERSION,        "SSL 3.0" },
    { TLSV1_VERSION,        "TLS 1.0" },
    { TLCPV1_VERSION,       "TLCP" },
    { TLSV1DOT1_VERSION,    "TLS 1.1" },
    { TLSV1DOT2_VERSION,    "TLS 1.2" },
    { TLSV1DOT3_VERSION,    "TLS 1.3" },
    { 0x7F0E,               "TLS 1.3 (draft 14)" },
    { 0x7F0F,               "TLS 1.3 (draft 15)" },
    { 0x7F10,               "TLS 1.3 (draft 16)" },
    { 0x7F11,               "TLS 1.3 (draft 17)" },
    { 0x7F12,               "TLS 1.3 (draft 18)" },
    { 0x7F13,               "TLS 1.3 (draft 19)" },
    { 0x7F14,               "TLS 1.3 (draft 20)" },
    { 0x7F15,               "TLS 1.3 (draft 21)" },
    { 0x7F16,               "TLS 1.3 (draft 22)" },
    { 0x7F17,               "TLS 1.3 (draft 23)" },
    { 0x7F18,               "TLS 1.3 (draft 24)" },
    { 0x7F19,               "TLS 1.3 (draft 25)" },
    { 0x7F1A,               "TLS 1.3 (draft 26)" },
    { 0x7F1B,               "TLS 1.3 (draft 27)" },
    { 0x7F1C,               "TLS 1.3 (draft 28)" },
    { 0xFB17,               "TLS 1.3 (Facebook draft 23)" },
    { 0xFB1A,               "TLS 1.3 (Facebook draft 26)" },
    { DTLSV1DOT0_OPENSSL_VERSION, "DTLS 1.0 (OpenSSL pre 0.9.8f)" },
    { DTLSV1DOT0_VERSION,   "DTLS 1.0" },
    { DTLSV1DOT2_VERSION,   "DTLS 1.2" },
    { DTLSV1DOT3_VERSION,   "DTLS 1.3" },
    { 0x0A0A,               "Reserved (GREASE)" }, /* RFC 8701 */
    { 0x1A1A,               "Reserved (GREASE)" }, /* RFC 8701 */
    { 0x2A2A,               "Reserved (GREASE)" }, /* RFC 8701 */
    { 0x3A3A,               "Reserved (GREASE)" }, /* RFC 8701 */
    { 0x4A4A,               "Reserved (GREASE)" }, /* RFC 8701 */
    { 0x5A5A,               "Reserved (GREASE)" }, /* RFC 8701 */
    { 0x6A6A,               "Reserved (GREASE)" }, /* RFC 8701 */
    { 0x7A7A,               "Reserved (GREASE)" }, /* RFC 8701 */
    { 0x8A8A,               "Reserved (GREASE)" }, /* RFC 8701 */
    { 0x9A9A,               "Reserved (GREASE)" }, /* RFC 8701 */
    { 0xAAAA,               "Reserved (GREASE)" }, /* RFC 8701 */
    { 0xBABA,               "Reserved (GREASE)" }, /* RFC 8701 */
    { 0xCACA,               "Reserved (GREASE)" }, /* RFC 8701 */
    { 0xDADA,               "Reserved (GREASE)" }, /* RFC 8701 */
    { 0xEAEA,               "Reserved (GREASE)" }, /* RFC 8701 */
    { 0xFAFA,               "Reserved (GREASE)" }, /* RFC 8701 */
    { 0x00, NULL }
};
130
/* Two-character version codes used when building JA4 fingerprints.
 * Only the versions the JA4 specification assigns a code to are listed;
 * a version absent from this table gets no match here, and how the caller
 * handles that is outside this excerpt. Note 0x0100 maps to "s1" rather
 * than to the OpenSSL DTLS label used by the display tables above. */
static const value_string ssl_version_ja4_names[] = {
    { 0x0100,               "s1" },
    { SSLV2_VERSION,        "s2" },
    { SSLV3_VERSION,        "s3" },
    { TLSV1_VERSION,        "10" },
    { TLSV1DOT1_VERSION,    "11" },
    { TLSV1DOT2_VERSION,    "12" },
    { TLSV1DOT3_VERSION,    "13" },
    { DTLSV1DOT0_VERSION,   "d1" },
    { DTLSV1DOT2_VERSION,   "d2" },
    { DTLSV1DOT3_VERSION,   "d3" },
    { 0x00, NULL }
};
144
/* SSL 2.0 handshake message types (the msg_type byte of an SSLv2 record).
 * Display names only; SSLv2 is long obsolete but its ClientHello still
 * appears in captures from legacy clients. */
const value_string ssl_20_msg_types[] = {
    { SSL2_HND_ERROR,               "Error" },
    { SSL2_HND_CLIENT_HELLO,        "Client Hello" },
    { SSL2_HND_CLIENT_MASTER_KEY,   "Client Master Key" },
    { SSL2_HND_CLIENT_FINISHED,     "Client Finished" },
    { SSL2_HND_SERVER_HELLO,        "Server Hello" },
    { SSL2_HND_SERVER_VERIFY,       "Server Verify" },
    { SSL2_HND_SERVER_FINISHED,     "Server Finished" },
    { SSL2_HND_REQUEST_CERTIFICATE, "Request Certificate" },
    { SSL2_HND_CLIENT_CERTIFICATE,  "Client Certificate" },
    { 0x00, NULL }
};
/* Cipher suites as they appear in an SSLv2 ClientHello, keyed by the 3-byte
 * CIPHER-KIND value. Native SSLv2 suites use the top byte (0x01xxxx ...);
 * TLS suites advertised inside an SSLv2 hello are 0x00 followed by the
 * 2-byte TLS cipher suite id, which is why the bulk of this table mirrors
 * the IANA TLS registry:
 * http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml
 *
 * Keep the entries sorted by ascending value: ssl_20_cipher_suites_ext
 * below wraps this table and relies on the ordering to do a binary search.
 * The 0x000000 entry does not collide with the { 0x00, NULL } terminator
 * because value_string lookups end on the NULL string pointer, not on a
 * zero value. */
static const value_string ssl_20_cipher_suites[] = {
    { 0x000000, "TLS_NULL_WITH_NULL_NULL" },
    { 0x000001, "TLS_RSA_WITH_NULL_MD5" },
    { 0x000002, "TLS_RSA_WITH_NULL_SHA" },
    { 0x000003, "TLS_RSA_EXPORT_WITH_RC4_40_MD5" },
    { 0x000004, "TLS_RSA_WITH_RC4_128_MD5" },
    { 0x000005, "TLS_RSA_WITH_RC4_128_SHA" },
    { 0x000006, "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5" },
    { 0x000007, "TLS_RSA_WITH_IDEA_CBC_SHA" },
    { 0x000008, "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA" },
    { 0x000009, "TLS_RSA_WITH_DES_CBC_SHA" },
    { 0x00000a, "TLS_RSA_WITH_3DES_EDE_CBC_SHA" },
    { 0x00000b, "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA" },
    { 0x00000c, "TLS_DH_DSS_WITH_DES_CBC_SHA" },
    { 0x00000d, "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA" },
    { 0x00000e, "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA" },
    { 0x00000f, "TLS_DH_RSA_WITH_DES_CBC_SHA" },
    { 0x000010, "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA" },
    { 0x000011, "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA" },
    { 0x000012, "TLS_DHE_DSS_WITH_DES_CBC_SHA" },
    { 0x000013, "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA" },
    { 0x000014, "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA" },
    { 0x000015, "TLS_DHE_RSA_WITH_DES_CBC_SHA" },
    { 0x000016, "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA" },
    { 0x000017, "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5" },
    { 0x000018, "TLS_DH_anon_WITH_RC4_128_MD5" },
    { 0x000019, "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA" },
    { 0x00001a, "TLS_DH_anon_WITH_DES_CBC_SHA" },
    { 0x00001b, "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA" },
    { 0x00001c, "SSL_FORTEZZA_KEA_WITH_NULL_SHA" },
    { 0x00001d, "SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA" },
    /* 0x1e was reused by RFC 2712 for Kerberos; the Fortezza name is kept
     * disabled so the table stays free of duplicate keys. */
#if 0
    { 0x00001e, "SSL_FORTEZZA_KEA_WITH_RC4_128_SHA" },
#endif
    /* RFC 2712 */
    { 0x00001E, "TLS_KRB5_WITH_DES_CBC_SHA" },
    { 0x00001F, "TLS_KRB5_WITH_3DES_EDE_CBC_SHA" },
    { 0x000020, "TLS_KRB5_WITH_RC4_128_SHA" },
    { 0x000021, "TLS_KRB5_WITH_IDEA_CBC_SHA" },
    { 0x000022, "TLS_KRB5_WITH_DES_CBC_MD5" },
    { 0x000023, "TLS_KRB5_WITH_3DES_EDE_CBC_MD5" },
    { 0x000024, "TLS_KRB5_WITH_RC4_128_MD5" },
    { 0x000025, "TLS_KRB5_WITH_IDEA_CBC_MD5" },
    { 0x000026, "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA" },
    { 0x000027, "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA" },
    { 0x000028, "TLS_KRB5_EXPORT_WITH_RC4_40_SHA" },
    { 0x000029, "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5" },
    { 0x00002A, "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5" },
    { 0x00002B, "TLS_KRB5_EXPORT_WITH_RC4_40_MD5" },
    /* RFC 4785 */
    { 0x00002C, "TLS_PSK_WITH_NULL_SHA" },
    { 0x00002D, "TLS_DHE_PSK_WITH_NULL_SHA" },
    { 0x00002E, "TLS_RSA_PSK_WITH_NULL_SHA" },
    /* RFC 5246 */
    { 0x00002f, "TLS_RSA_WITH_AES_128_CBC_SHA" },
    { 0x000030, "TLS_DH_DSS_WITH_AES_128_CBC_SHA" },
    { 0x000031, "TLS_DH_RSA_WITH_AES_128_CBC_SHA" },
    { 0x000032, "TLS_DHE_DSS_WITH_AES_128_CBC_SHA" },
    { 0x000033, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA" },
    { 0x000034, "TLS_DH_anon_WITH_AES_128_CBC_SHA" },
    { 0x000035, "TLS_RSA_WITH_AES_256_CBC_SHA" },
    { 0x000036, "TLS_DH_DSS_WITH_AES_256_CBC_SHA" },
    { 0x000037, "TLS_DH_RSA_WITH_AES_256_CBC_SHA" },
    { 0x000038, "TLS_DHE_DSS_WITH_AES_256_CBC_SHA" },
    { 0x000039, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA" },
    { 0x00003A, "TLS_DH_anon_WITH_AES_256_CBC_SHA" },
    { 0x00003B, "TLS_RSA_WITH_NULL_SHA256" },
    { 0x00003C, "TLS_RSA_WITH_AES_128_CBC_SHA256" },
    { 0x00003D, "TLS_RSA_WITH_AES_256_CBC_SHA256" },
    { 0x00003E, "TLS_DH_DSS_WITH_AES_128_CBC_SHA256" },
    { 0x00003F, "TLS_DH_RSA_WITH_AES_128_CBC_SHA256" },
    { 0x000040, "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256" },
    { 0x000041, "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA" },
    { 0x000042, "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA" },
    { 0x000043, "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA" },
    { 0x000044, "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA" },
    { 0x000045, "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA" },
    { 0x000046, "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA" },
    { 0x000047, "TLS_ECDH_ECDSA_WITH_NULL_SHA" },
    { 0x000048, "TLS_ECDH_ECDSA_WITH_RC4_128_SHA" },
    { 0x000049, "TLS_ECDH_ECDSA_WITH_DES_CBC_SHA" },
    { 0x00004A, "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA" },
    { 0x00004B, "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA" },
    { 0x00004C, "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" },
    { 0x000060, "TLS_RSA_EXPORT1024_WITH_RC4_56_MD5" },
    { 0x000061, "TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5" },
    { 0x000062, "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA" },
    { 0x000063, "TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA" },
    { 0x000064, "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA" },
    { 0x000065, "TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA" },
    { 0x000066, "TLS_DHE_DSS_WITH_RC4_128_SHA" },
    { 0x000067, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256" },
    { 0x000068, "TLS_DH_DSS_WITH_AES_256_CBC_SHA256" },
    { 0x000069, "TLS_DH_RSA_WITH_AES_256_CBC_SHA256" },
    { 0x00006A, "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256" },
    { 0x00006B, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256" },
    { 0x00006C, "TLS_DH_anon_WITH_AES_128_CBC_SHA256" },
    { 0x00006D, "TLS_DH_anon_WITH_AES_256_CBC_SHA256" },
    /* 0x00,0x6E-83 Unassigned */
    { 0x000084, "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA" },
    { 0x000085, "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA" },
    { 0x000086, "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA" },
    { 0x000087, "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA" },
    { 0x000088, "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA" },
    { 0x000089, "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA" },
    /* RFC 4279 */
    { 0x00008A, "TLS_PSK_WITH_RC4_128_SHA" },
    { 0x00008B, "TLS_PSK_WITH_3DES_EDE_CBC_SHA" },
    { 0x00008C, "TLS_PSK_WITH_AES_128_CBC_SHA" },
    { 0x00008D, "TLS_PSK_WITH_AES_256_CBC_SHA" },
    { 0x00008E, "TLS_DHE_PSK_WITH_RC4_128_SHA" },
    { 0x00008F, "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA" },
    { 0x000090, "TLS_DHE_PSK_WITH_AES_128_CBC_SHA" },
    { 0x000091, "TLS_DHE_PSK_WITH_AES_256_CBC_SHA" },
    { 0x000092, "TLS_RSA_PSK_WITH_RC4_128_SHA" },
    { 0x000093, "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA" },
    { 0x000094, "TLS_RSA_PSK_WITH_AES_128_CBC_SHA" },
    { 0x000095, "TLS_RSA_PSK_WITH_AES_256_CBC_SHA" },
    /* RFC 4162 */
    { 0x000096, "TLS_RSA_WITH_SEED_CBC_SHA" },
    { 0x000097, "TLS_DH_DSS_WITH_SEED_CBC_SHA" },
    { 0x000098, "TLS_DH_RSA_WITH_SEED_CBC_SHA" },
    { 0x000099, "TLS_DHE_DSS_WITH_SEED_CBC_SHA" },
    { 0x00009A, "TLS_DHE_RSA_WITH_SEED_CBC_SHA" },
    { 0x00009B, "TLS_DH_anon_WITH_SEED_CBC_SHA" },
    /* RFC 5288 */
    { 0x00009C, "TLS_RSA_WITH_AES_128_GCM_SHA256" },
    { 0x00009D, "TLS_RSA_WITH_AES_256_GCM_SHA384" },
    { 0x00009E, "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256" },
    { 0x00009F, "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384" },
    { 0x0000A0, "TLS_DH_RSA_WITH_AES_128_GCM_SHA256" },
    { 0x0000A1, "TLS_DH_RSA_WITH_AES_256_GCM_SHA384" },
    { 0x0000A2, "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256" },
    { 0x0000A3, "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384" },
    { 0x0000A4, "TLS_DH_DSS_WITH_AES_128_GCM_SHA256" },
    { 0x0000A5, "TLS_DH_DSS_WITH_AES_256_GCM_SHA384" },
    { 0x0000A6, "TLS_DH_anon_WITH_AES_128_GCM_SHA256" },
    { 0x0000A7, "TLS_DH_anon_WITH_AES_256_GCM_SHA384" },
    /* RFC 5487 */
    { 0x0000A8, "TLS_PSK_WITH_AES_128_GCM_SHA256" },
    { 0x0000A9, "TLS_PSK_WITH_AES_256_GCM_SHA384" },
    { 0x0000AA, "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256" },
    { 0x0000AB, "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384" },
    { 0x0000AC, "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256" },
    { 0x0000AD, "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384" },
    { 0x0000AE, "TLS_PSK_WITH_AES_128_CBC_SHA256" },
    { 0x0000AF, "TLS_PSK_WITH_AES_256_CBC_SHA384" },
    { 0x0000B0, "TLS_PSK_WITH_NULL_SHA256" },
    { 0x0000B1, "TLS_PSK_WITH_NULL_SHA384" },
    { 0x0000B2, "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256" },
    { 0x0000B3, "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384" },
    { 0x0000B4, "TLS_DHE_PSK_WITH_NULL_SHA256" },
    { 0x0000B5, "TLS_DHE_PSK_WITH_NULL_SHA384" },
    { 0x0000B6, "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256" },
    { 0x0000B7, "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384" },
    { 0x0000B8, "TLS_RSA_PSK_WITH_NULL_SHA256" },
    { 0x0000B9, "TLS_RSA_PSK_WITH_NULL_SHA384" },
    /* From RFC 5932 */
    { 0x0000BA, "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
    { 0x0000BB, "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256" },
    { 0x0000BC, "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
    { 0x0000BD, "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256" },
    { 0x0000BE, "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
    { 0x0000BF, "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256" },
    { 0x0000C0, "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
    { 0x0000C1, "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256" },
    { 0x0000C2, "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
    { 0x0000C3, "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256" },
    { 0x0000C4, "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
    { 0x0000C5, "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256" },
    /* 0x00,0xC6-FE Unassigned */
    /* Signalling suite (RFC 5746): not a real cipher, it signals secure
     * renegotiation support from clients that cannot send the extension. */
    { 0x0000FF, "TLS_EMPTY_RENEGOTIATION_INFO_SCSV" },
    /* 0x01-BF,* Unassigned */
    /* From RFC 4492 */
    { 0x00c001, "TLS_ECDH_ECDSA_WITH_NULL_SHA" },
    { 0x00c002, "TLS_ECDH_ECDSA_WITH_RC4_128_SHA" },
    { 0x00c003, "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA" },
    { 0x00c004, "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA" },
    { 0x00c005, "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" },
    { 0x00c006, "TLS_ECDHE_ECDSA_WITH_NULL_SHA" },
    { 0x00c007, "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA" },
    { 0x00c008, "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA" },
    { 0x00c009, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA" },
    { 0x00c00a, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" },
    { 0x00c00b, "TLS_ECDH_RSA_WITH_NULL_SHA" },
    { 0x00c00c, "TLS_ECDH_RSA_WITH_RC4_128_SHA" },
    { 0x00c00d, "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA" },
    { 0x00c00e, "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA" },
    { 0x00c00f, "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA" },
    { 0x00c010, "TLS_ECDHE_RSA_WITH_NULL_SHA" },
    { 0x00c011, "TLS_ECDHE_RSA_WITH_RC4_128_SHA" },
    { 0x00c012, "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA" },
    { 0x00c013, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA" },
    { 0x00c014, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA" },
    { 0x00c015, "TLS_ECDH_anon_WITH_NULL_SHA" },
    { 0x00c016, "TLS_ECDH_anon_WITH_RC4_128_SHA" },
    { 0x00c017, "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA" },
    { 0x00c018, "TLS_ECDH_anon_WITH_AES_128_CBC_SHA" },
    { 0x00c019, "TLS_ECDH_anon_WITH_AES_256_CBC_SHA" },
    /* RFC 5054 */
    { 0x00C01A, "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA" },
    { 0x00C01B, "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA" },
    { 0x00C01C, "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA" },
    { 0x00C01D, "TLS_SRP_SHA_WITH_AES_128_CBC_SHA" },
    { 0x00C01E, "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA" },
    { 0x00C01F, "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA" },
    { 0x00C020, "TLS_SRP_SHA_WITH_AES_256_CBC_SHA" },
    { 0x00C021, "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA" },
    { 0x00C022, "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA" },
    /* RFC 5589 */
    { 0x00C023, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256" },
    { 0x00C024, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384" },
    { 0x00C025, "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256" },
    { 0x00C026, "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384" },
    { 0x00C027, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" },
    { 0x00C028, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" },
    { 0x00C029, "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256" },
    { 0x00C02A, "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384" },
    { 0x00C02B, "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" },
    { 0x00C02C, "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" },
    { 0x00C02D, "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256" },
    { 0x00C02E, "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384" },
    { 0x00C02F, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" },
    { 0x00C030, "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" },
    { 0x00C031, "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" },
    { 0x00C032, "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384" },
    /* RFC 5489 */
    { 0x00C033, "TLS_ECDHE_PSK_WITH_RC4_128_SHA" },
    { 0x00C034, "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA" },
    { 0x00C035, "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA" },
    { 0x00C036, "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA" },
    { 0x00C037, "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256" },
    { 0x00C038, "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384" },
    { 0x00C039, "TLS_ECDHE_PSK_WITH_NULL_SHA" },
    { 0x00C03A, "TLS_ECDHE_PSK_WITH_NULL_SHA256" },
    { 0x00C03B, "TLS_ECDHE_PSK_WITH_NULL_SHA384" },
    /* 0xC0,0x3C-FF Unassigned
       0xC1-FD,* Unassigned
       0xFE,0x00-FD Unassigned
       0xFE,0xFE-FF Reserved to avoid conflicts with widely deployed implementations [Pasi_Eronen]
       0xFF,0x00-FF Reserved for Private Use [RFC5246]
    */

    /* old numbers used in the beginning
     * https://tools.ietf.org/html/draft-agl-tls-chacha20poly1305 */
    { 0x00CC13, "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
    { 0x00CC14, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" },
    { 0x00CC15, "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },

    /* https://tools.ietf.org/html/rfc7905 */
    { 0x00CCA8, "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
    { 0x00CCA9, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" },
    { 0x00CCAA, "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
    { 0x00CCAB, "TLS_PSK_WITH_CHACHA20_POLY1305_SHA256" },
    { 0x00CCAC, "TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256" },
    { 0x00CCAD, "TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256" },
    { 0x00CCAE, "TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256" },

    /* GM/T 0024-2014 */
    { 0x00e001, "ECDHE_SM1_SM3"},
    { 0x00e003, "ECC_SM1_SM3"},
    { 0x00e005, "IBSDH_SM1_SM3"},
    { 0x00e007, "IBC_SM1_SM3"},
    { 0x00e009, "RSA_SM1_SM3"},
    { 0x00e00a, "RSA_SM1_SHA1"},
    { 0x00e011, "ECDHE_SM4_CBC_SM3"},
    { 0x00e013, "ECC_SM4_CBC_SM3"},
    { 0x00e015, "IBSDH_SM4_CBC_SM3"},
    { 0x00e017, "IBC_SM4_CBC_SM3"},
    { 0x00e019, "RSA_SM4_CBC_SM3"},
    { 0x00e01a, "RSA_SM4_CBC_SHA1"},
    { 0x00e01c, "RSA_SM4_CBC_SHA256"},
    { 0x00e051, "ECDHE_SM4_GCM_SM3"},
    { 0x00e053, "ECC_SM4_GCM_SM3"},
    { 0x00e055, "IBSDH_SM4_GCM_SM3"},
    { 0x00e057, "IBC_SM4_GCM_SM3"},
    { 0x00e059, "RSA_SM4_GCM_SM3"},
    { 0x00e05a, "RSA_SM4_GCM_SHA256"},

    /* https://tools.ietf.org/html/draft-josefsson-salsa20-tls */
    { 0x00E410, "TLS_RSA_WITH_ESTREAM_SALSA20_SHA1" },
    { 0x00E411, "TLS_RSA_WITH_SALSA20_SHA1" },
    { 0x00E412, "TLS_ECDHE_RSA_WITH_ESTREAM_SALSA20_SHA1" },
    { 0x00E413, "TLS_ECDHE_RSA_WITH_SALSA20_SHA1" },
    { 0x00E414, "TLS_ECDHE_ECDSA_WITH_ESTREAM_SALSA20_SHA1" },
    { 0x00E415, "TLS_ECDHE_ECDSA_WITH_SALSA20_SHA1" },
    { 0x00E416, "TLS_PSK_WITH_ESTREAM_SALSA20_SHA1" },
    { 0x00E417, "TLS_PSK_WITH_SALSA20_SHA1" },
    { 0x00E418, "TLS_ECDHE_PSK_WITH_ESTREAM_SALSA20_SHA1" },
    { 0x00E419, "TLS_ECDHE_PSK_WITH_SALSA20_SHA1" },
    { 0x00E41A, "TLS_RSA_PSK_WITH_ESTREAM_SALSA20_SHA1" },
    { 0x00E41B, "TLS_RSA_PSK_WITH_SALSA20_SHA1" },
    { 0x00E41C, "TLS_DHE_PSK_WITH_ESTREAM_SALSA20_SHA1" },
    { 0x00E41D, "TLS_DHE_PSK_WITH_SALSA20_SHA1" },
    { 0x00E41E, "TLS_DHE_RSA_WITH_ESTREAM_SALSA20_SHA1" },
    { 0x00E41F, "TLS_DHE_RSA_WITH_SALSA20_SHA1" },

    /* these from http://www.mozilla.org/projects/
       security/pki/nss/ssl/fips-ssl-ciphersuites.html */
    { 0x00fefe, "SSL_RSA_FIPS_WITH_DES_CBC_SHA"},
    { 0x00feff, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA" },
    { 0x00ffe0, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA" },
    { 0x00ffe1, "SSL_RSA_FIPS_WITH_DES_CBC_SHA"},
    /* note that ciphersuites of {0x00????} are TLS cipher suites in
     * a sslv2 client hello message; the ???? above is the two-byte
     * tls cipher suite id
     */

    /* Native SSLv2 CIPHER-KINDs: top byte is the cipher, low bytes encode
     * the key length, so these do not overlap the 0x00xxxx TLS range. */
    { 0x010080, "SSL2_RC4_128_WITH_MD5" },
    { 0x020080, "SSL2_RC4_128_EXPORT40_WITH_MD5" },
    { 0x030080, "SSL2_RC2_128_CBC_WITH_MD5" },
    { 0x040080, "SSL2_RC2_128_CBC_EXPORT40_WITH_MD5" },
    { 0x050080, "SSL2_IDEA_128_CBC_WITH_MD5" },
    { 0x060040, "SSL2_DES_64_CBC_WITH_MD5" },
    { 0x0700c0, "SSL2_DES_192_EDE3_CBC_WITH_MD5" },
    { 0x080080, "SSL2_RC4_64_WITH_MD5" },

    { 0x00, NULL }
};
478
/* Extended wrapper around ssl_20_cipher_suites. The lookup strategy is
 * chosen lazily by _try_val_to_str_ext_init on first use, which is why the
 * table above must stay sorted by ascending value. */
value_string_ext ssl_20_cipher_suites_ext = VALUE_STRING_EXT_INIT(ssl_20_cipher_suites);
480
481
482/*
483 * Supported Groups (formerly named "EC Named Curve").
484 * https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8
485 */
486const value_string ssl_extension_curves[] = {
487 { 1, "sect163k1" },
488 { 2, "sect163r1" },
489 { 3, "sect163r2" },
490 { 4, "sect193r1" },
491 { 5, "sect193r2" },
492 { 6, "sect233k1" },
493 { 7, "sect233r1" },
494 { 8, "sect239k1" },
495 { 9, "sect283k1" },
496 { 10, "sect283r1" },
497 { 11, "sect409k1" },
498 { 12, "sect409r1" },
499 { 13, "sect571k1" },
500 { 14, "sect571r1" },
501 { 15, "secp160k1" },
502 { 16, "secp160r1" },
503 { 17, "secp160r2" },
504 { 18, "secp192k1" },
505 { 19, "secp192r1" },
506 { 20, "secp224k1" },
507 { 21, "secp224r1" },
508 { 22, "secp256k1" },
509 { 23, "secp256r1" },
510 { 24, "secp384r1" },
511 { 25, "secp521r1" },
512 { 26, "brainpoolP256r1" }, /* RFC 7027 */
513 { 27, "brainpoolP384r1" }, /* RFC 7027 */
514 { 28, "brainpoolP512r1" }, /* RFC 7027 */
515 { 29, "x25519" }, /* RFC 8446 / RFC 8422 */
516 { 30, "x448" }, /* RFC 8446 / RFC 8422 */
517 { 31, "brainpoolP256r1tls13" }, /* RFC8734 */
518 { 32, "brainpoolP384r1tls13" }, /* RFC8734 */
519 { 33, "brainpoolP512r1tls13" }, /* RFC8734 */
520 { 34, "GC256A" }, /* RFC9189 */
521 { 35, "GC256B" }, /* RFC9189 */
522 { 36, "GC256C" }, /* RFC9189 */
523 { 37, "GC256D" }, /* RFC9189 */
524 { 38, "GC512A" }, /* RFC9189 */
525 { 39, "GC512B" }, /* RFC9189 */
526 { 40, "GC512C" }, /* RFC9189 */
527 { 41, "curveSM2" }, /* RFC 8998 */
528 { 256, "ffdhe2048" }, /* RFC 7919 */
529 { 257, "ffdhe3072" }, /* RFC 7919 */
530 { 258, "ffdhe4096" }, /* RFC 7919 */
531 { 259, "ffdhe6144" }, /* RFC 7919 */
532 { 260, "ffdhe8192" }, /* RFC 7919 */
533 { 512, "MLKEM512"}, /* draft-connolly-tls-mlkem-key-agreement-03 */
534 { 513, "MLKEM768"}, /* draft-connolly-tls-mlkem-key-agreement-03 */
535 { 514, "MLKEM1024"}, /* draft-connolly-tls-mlkem-key-agreement-03 */
536 { 2570, "Reserved (GREASE)" }, /* RFC 8701 */
537 { 4587, "SecP256r1MLKEM768" }, /* draft-kwiatkowski-tls-ecdhe-mlkem-02 */
538 { 4588, "X25519MLKEM768" }, /* draft-kwiatkowski-tls-ecdhe-mlkem-03 */
539 { 4589, "SecP384r1MLKEM1024" }, /* draft-kwiatkowski-tls-ecdhe-mlkem-03 */
540 { 6682, "Reserved (GREASE)" }, /* RFC 8701 */
541 { 10794, "Reserved (GREASE)" }, /* RFC 8701 */
542 { 14906, "Reserved (GREASE)" }, /* RFC 8701 */
543 { 19018, "Reserved (GREASE)" }, /* RFC 8701 */
544 { 23130, "Reserved (GREASE)" }, /* RFC 8701 */
545 { 25497, "X25519Kyber768Draft00 (OBSOLETE)" }, /* draft-tls-westerbaan-xyber768d00-02 */
546 { 25498, "SecP256r1Kyber768Draft00 (OBSOLETE)" }, /* draft-kwiatkowski-tls-ecdhe-kyber-01 */
547 { 27242, "Reserved (GREASE)" }, /* RFC 8701 */
548 { 31354, "Reserved (GREASE)" }, /* RFC 8701 */
549 { 35466, "Reserved (GREASE)" }, /* RFC 8701 */
550 { 39578, "Reserved (GREASE)" }, /* RFC 8701 */
551 { 43690, "Reserved (GREASE)" }, /* RFC 8701 */
552 { 47802, "Reserved (GREASE)" }, /* RFC 8701 */
553 { 51914, "Reserved (GREASE)" }, /* RFC 8701 */
554 { 56026, "Reserved (GREASE)" }, /* RFC 8701 */
555 { 60138, "Reserved (GREASE)" }, /* RFC 8701 */
556 { 64250, "Reserved (GREASE)" }, /* RFC 8701 */
557 { 0xFF01, "arbitrary_explicit_prime_curves" },
558 { 0xFF02, "arbitrary_explicit_char2_curves" },
559 /* Below are various unofficial values that have been used for testing. */
560 /* PQC key exchange algorithms from OQS-OpenSSL,
561 see https://github.com/open-quantum-safe/oqs-provider/blob/main/oqs-template/oqs-kem-info.md
562 These use IANA unassigned values and this list may be incomplete.
563 */
564 { 0x2F00, "p256_frodo640aes" },
565 { 0x2F01, "p256_frodo640shake" },
566 { 0x2F02, "p384_frodo976aes" },
567 { 0x0203, "frodo976shake" },
568 { 0x2F03, "p384_frodo976shake" },
569 { 0x0204, "frodo1344aes" },
570 { 0x2F04, "p521_frodo1344aes" },
571 { 0x0205, "frodo1344shake" },
572 { 0x2F05, "p521_frodo1344shake" },
573 { 0x023A, "kyber512" },
574 { 0x2F3A, "p256_kyber512" },
575 { 0x023C, "kyber768" },
576 { 0x2F3C, "p384_kyber768" },
577 { 0x023D, "kyber1024" },
578 { 0x2F3D, "p521_kyber1024" },
579 { 0x0214, "ntru_hps2048509" },
580 { 0x2F14, "p256_ntru_hps2048509" },
581 { 0x0215, "ntru_hps2048677" },
582 { 0x2F15, "p384_ntru_hps2048677" },
583 { 0x0216, "ntru_hps4096821" },
584 { 0x2F16, "p521_ntru_hps4096821" },
585 { 0x0245, "ntru_hps40961229" },
586 { 0x2F45, "p521_ntru_hps40961229" },
587 { 0x0217, "ntru_hrss701" },
588 { 0x2F17, "p384_ntru_hrss701" },
589 { 0x0246, "ntru_hrss1373" },
590 { 0x2F46, "p521_ntru_hrss1373" },
591 { 0x0218, "lightsaber" },
592 { 0x2F18, "p256_lightsaber" },
593 { 0x0219, "saber" },
594 { 0x2F19, "p384_saber" },
595 { 0x021A, "firesaber" },
596 { 0x2F1A, "p521_firesaber" },
597 { 0x021B, "sidhp434" },
598 { 0x2F1B, "p256_sidhp434" },
599 { 0x021C, "sidhp503" },
600 { 0x2F1C, "p256_sidhp503" },
601 { 0x021D, "sidhp610" },
602 { 0x2F1D, "p384_sidhp610" },
603 { 0x021E, "sidhp751" },
604 { 0x2F1E, "p521_sidhp751" },
605 { 0x021F, "sikep434" },
606 { 0x2F1F, "p256_sikep434" },
607 { 0x0220, "sikep503" },
608 { 0x2F20, "p256_sikep503" },
609 { 0x0221, "sikep610" },
610 { 0x2F21, "p384_sikep610" },
611 { 0x0222, "sikep751" },
612 { 0x2F22, "p521_sikep751" },
613 { 0x0238, "bikel1" },
614 { 0x2F38, "p256_bikel1" },
615 { 0x023B, "bikel3" },
616 { 0x2F3B, "p384_bikel3" },
617 { 0x023E, "kyber90s512" },
618 { 0x2F3E, "p256_kyber90s512" },
619 { 0x023F, "kyber90s768" },
620 { 0x2F3F, "p384_kyber90s768" },
621 { 0x0240, "kyber90s1024" },
622 { 0x2F40, "p521_kyber90s1024" },
623 { 0x022C, "hqc128" },
624 { 0x2F2C, "p256_hqc128" },
625 { 0x022D, "hqc192" },
626 { 0x2F2D, "p384_hqc192" },
627 { 0x022E, "hqc256" },
628 { 0x2F2E, "p521_hqc256" },
629 { 0x022F, "ntrulpr653" },
630 { 0x2F2F, "p256_ntrulpr653" },
631 { 0x0230, "ntrulpr761" },
632 { 0x2F43, "p256_ntrulpr761" },
633 { 0x0231, "ntrulpr857" },
634 { 0x2F31, "p384_ntrulpr857" },
635 { 0x0241, "ntrulpr1277" },
636 { 0x2F41, "p521_ntrulpr1277" },
637 { 0x0232, "sntrup653" },
638 { 0x2F32, "p256_sntrup653" },
639 { 0x0233, "sntrup761" },
640 { 0x2F44, "p256_sntrup761" },
641 { 0x0234, "sntrup857" },
642 { 0x2F34, "p384_sntrup857" },
643 { 0x0242, "sntrup1277" },
644 { 0x2F42, "p521_sntrup1277" },
645 /* Other PQ key exchange algorithms, using Reserved for Private Use values
646 https://blog.cloudflare.com/post-quantum-for-all
647 https://www.ietf.org/archive/id/draft-tls-westerbaan-xyber768d00-02.txt */
648 { 0xFE30, "X25519Kyber512Draft00 (OBSOLETE)" },
649 { 0xFE31, "X25519Kyber768Draft00 (OBSOLETE)" },
650 { 0x00, NULL((void*)0) }
651};
652
/* ECCurveType values from the ServerKeyExchange ECParameters (RFC 4492).
 * Only named_curve (3) survived into RFC 8422; the explicit forms are kept
 * so legacy parameters still display. */
const value_string ssl_curve_types[] = {
    { 1, "explicit_prime" },
    { 2, "explicit_char2" },
    { 3, "named_curve" },
    { 0x00, NULL }
};
659
/* ECPointFormat values carried by the ec_point_formats extension
 * (RFC 4492 / RFC 8422). */
const value_string ssl_extension_ec_point_formats[] = {
    { 0, "uncompressed" },
    { 1, "ansiX962_compressed_prime" },
    { 2, "ansiX962_compressed_char2" },
    { 0x00, NULL }
};
666
/* SSL 2.0 CERTIFICATE-TYPE values; X.509 is the only type the protocol
 * ever defined. */
const value_string ssl_20_certificate_type[] = {
    { 0x00, "N/A" },
    { 0x01, "X.509 Certificate" },
    { 0x00, NULL }
};
672
/* TLS record layer ContentType values (SSL 3.0 onwards). 24 is the
 * Heartbeat content type (RFC 6520) and 25 the DTLS connection-id type
 * (RFC 9146); both are extensions rather than core record types. */
const value_string ssl_31_content_type[] = {
    { 20, "Change Cipher Spec" },
    { 21, "Alert" },
    { 22, "Handshake" },
    { 23, "Application Data" },
    { 24, "Heartbeat" },
    { 25, "Connection ID" },
    { 0x00, NULL }
};
682
683#if 0
684/* XXX - would be used if we dissected the body of a Change Cipher Spec
685 message. Compiled out (#if 0); kept only as a reference table. */
686const value_string ssl_31_change_cipher_spec[] = {
687 { 1, "Change Cipher Spec" },
688 { 0x00, NULL((void*)0) }
689};
690#endif
691
692const value_string ssl_31_alert_level[] = {
 /* AlertLevel values. */
693 { 1, "Warning" },
694 { 2, "Fatal" },
 /* Terminator: NULL string pointer marks the end of the table. */
695 { 0x00, NULL((void*)0) }
696};
697
698const value_string ssl_31_alert_description[] = {
 /* AlertDescription codes to display names.  Value 0 ("Close Notify") is a
 * real entry, so the trailing NULL string pointer, not the value, ends the table. */
699 { 0, "Close Notify" },
700 { 1, "End of Early Data" },
701 { 10, "Unexpected Message" },
702 { 20, "Bad Record MAC" },
703 { 21, "Decryption Failed" },
704 { 22, "Record Overflow" },
705 { 30, "Decompression Failure" },
706 { 40, "Handshake Failure" },
707 { 41, "No Certificate" },
708 { 42, "Bad Certificate" },
709 { 43, "Unsupported Certificate" },
710 { 44, "Certificate Revoked" },
711 { 45, "Certificate Expired" },
712 { 46, "Certificate Unknown" },
713 { 47, "Illegal Parameter" },
714 { 48, "Unknown CA" },
715 { 49, "Access Denied" },
716 { 50, "Decode Error" },
717 { 51, "Decrypt Error" },
718 { 60, "Export Restriction" },
719 { 70, "Protocol Version" },
720 { 71, "Insufficient Security" },
721 { 80, "Internal Error" },
722 { 86, "Inappropriate Fallback" },
723 { 90, "User Canceled" },
724 { 100, "No Renegotiation" },
725 { 109, "Missing Extension" },
726 { 110, "Unsupported Extension" },
727 { 111, "Certificate Unobtainable" },
728 { 112, "Unrecognized Name" },
729 { 113, "Bad Certificate Status Response" },
730 { 114, "Bad Certificate Hash Value" },
731 { 115, "Unknown PSK Identity" },
732 { 116, "Certificate Required" },
733 { 120, "No application Protocol" },
734 { 121, "ECH Required" },
735 { 0x00, NULL((void*)0) }
736};
737
738const value_string ssl_31_handshake_type[] = {
 /* HandshakeType codes (symbolic SSL_HND_* constants) to display names. */
739 { SSL_HND_HELLO_REQUEST, "Hello Request" },
740 { SSL_HND_CLIENT_HELLO, "Client Hello" },
741 { SSL_HND_SERVER_HELLO, "Server Hello" },
742 { SSL_HND_HELLO_VERIFY_REQUEST, "Hello Verify Request"},
743 { SSL_HND_NEWSESSION_TICKET, "New Session Ticket" },
744 { SSL_HND_END_OF_EARLY_DATA, "End of Early Data" },
745 { SSL_HND_HELLO_RETRY_REQUEST, "Hello Retry Request" },
746 { SSL_HND_ENCRYPTED_EXTENSIONS, "Encrypted Extensions" },
747 { SSL_HND_CERTIFICATE, "Certificate" },
748 { SSL_HND_SERVER_KEY_EXCHG, "Server Key Exchange" },
749 { SSL_HND_CERT_REQUEST, "Certificate Request" },
750 { SSL_HND_SVR_HELLO_DONE, "Server Hello Done" },
751 { SSL_HND_CERT_VERIFY, "Certificate Verify" },
752 { SSL_HND_CLIENT_KEY_EXCHG, "Client Key Exchange" },
753 { SSL_HND_FINISHED, "Finished" },
754 { SSL_HND_CERT_URL, "Client Certificate URL" },
755 { SSL_HND_CERT_STATUS, "Certificate Status" },
756 { SSL_HND_SUPPLEMENTAL_DATA, "Supplemental Data" },
757 { SSL_HND_KEY_UPDATE, "Key Update" },
758 { SSL_HND_COMPRESSED_CERTIFICATE, "Compressed Certificate" },
 /* NOTE(review): SSL_HND_ENCRYPTED_EXTS shares its display name with
 * SSL_HND_ENCRYPTED_EXTENSIONS above; presumably two distinct codes map to
 * the same label -- confirm against the constant definitions. */
759 { SSL_HND_ENCRYPTED_EXTS, "Encrypted Extensions" },
760 { 0x00, NULL((void*)0) }
761};
762
763const value_string tls_heartbeat_type[] = {
 /* HeartbeatMessageType values. */
764 { 1, "Request" },
765 { 2, "Response" },
 /* Terminator: NULL string pointer marks the end of the table. */
766 { 0x00, NULL((void*)0) }
767};
768
769const value_string tls_heartbeat_mode[] = {
 /* HeartbeatMode values from the heartbeat hello extension. */
770 { 1, "Peer allowed to send requests" },
771 { 2, "Peer not allowed to send requests" },
 /* Terminator: NULL string pointer marks the end of the table. */
772 { 0x00, NULL((void*)0) }
773};
774
775const value_string ssl_31_compression_method[] = {
 /* CompressionMethod values.  Value 0 ("null") is a real entry, so the
 * trailing NULL string pointer ends the table. */
776 { 0, "null" },
777 { 1, "DEFLATE" },
778 { 64, "LZS" },
779 { 0x00, NULL((void*)0) }
780};
781
782#if 0
783/* XXX - would be used if we dissected a Signature, as would be
784 seen in a server key exchange or certificate verify message.
785 Both tables below are compiled out (#if 0) and kept only for reference. */
785const value_string ssl_31_key_exchange_algorithm[] = {
786 { 0, "RSA" },
787 { 1, "Diffie Hellman" },
788 { 0x00, NULL((void*)0) }
789};
790
791const value_string ssl_31_signature_algorithm[] = {
792 { 0, "Anonymous" },
793 { 1, "RSA" },
794 { 2, "DSA" },
795 { 0x00, NULL((void*)0) }
796};
797#endif
798
799const value_string ssl_31_client_certificate_type[] = {
 /* ClientCertificateType values from a Certificate Request message. */
800 { 1, "RSA Sign" },
801 { 2, "DSS Sign" },
802 { 3, "RSA Fixed DH" },
803 { 4, "DSS Fixed DH" },
804 /* GOST certificate types */
805 /* Section 3.5 of draft-chudov-cryptopro-cptls-04 */
806 { 21, "GOST R 34.10-94" },
807 { 22, "GOST R 34.10-2001" },
808 /* END GOST certificate types */
809 { 64, "ECDSA Sign" },
810 { 65, "RSA Fixed ECDH" },
811 { 66, "ECDSA Fixed ECDH" },
812 { 80, "IBC Params" },
 /* Terminator: NULL string pointer marks the end of the table. */
813 { 0x00, NULL((void*)0) }
814};
815
816#if 0
817/* XXX - would be used if we dissected exchange keys, as would be
818 seen in a client key exchange message.
 Compiled out (#if 0); kept only as a reference table. */
819const value_string ssl_31_public_value_encoding[] = {
820 { 0, "Implicit" },
821 { 1, "Explicit" },
822 { 0x00, NULL((void*)0) }
823};
824#endif
825
826/* http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml */
827/* Note: sorted by ascending value so value_string_ext fcns can do a binary search */
/* 16-bit ciphersuite codes to their registered names.  Keep the ascending
 * order when adding entries (see the note above).  The trailing { 0x00, NULL }
 * entry is the terminator: because 0x0000 is itself a registered suite
 * (TLS_NULL_WITH_NULL_NULL), the NULL string pointer, not the value, marks
 * the end of the table. */
828static const value_string ssl_31_ciphersuite[] = {
829 /* RFC 2246, RFC 4346, RFC 5246 */
830 { 0x0000, "TLS_NULL_WITH_NULL_NULL" },
831 { 0x0001, "TLS_RSA_WITH_NULL_MD5" },
832 { 0x0002, "TLS_RSA_WITH_NULL_SHA" },
833 { 0x0003, "TLS_RSA_EXPORT_WITH_RC4_40_MD5" },
834 { 0x0004, "TLS_RSA_WITH_RC4_128_MD5" },
835 { 0x0005, "TLS_RSA_WITH_RC4_128_SHA" },
836 { 0x0006, "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5" },
837 { 0x0007, "TLS_RSA_WITH_IDEA_CBC_SHA" },
838 { 0x0008, "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA" },
839 { 0x0009, "TLS_RSA_WITH_DES_CBC_SHA" },
840 { 0x000a, "TLS_RSA_WITH_3DES_EDE_CBC_SHA" },
841 { 0x000b, "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA" },
842 { 0x000c, "TLS_DH_DSS_WITH_DES_CBC_SHA" },
843 { 0x000d, "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA" },
844 { 0x000e, "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA" },
845 { 0x000f, "TLS_DH_RSA_WITH_DES_CBC_SHA" },
846 { 0x0010, "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA" },
847 { 0x0011, "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA" },
848 { 0x0012, "TLS_DHE_DSS_WITH_DES_CBC_SHA" },
849 { 0x0013, "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA" },
850 { 0x0014, "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA" },
851 { 0x0015, "TLS_DHE_RSA_WITH_DES_CBC_SHA" },
852 { 0x0016, "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA" },
853 { 0x0017, "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5" },
854 { 0x0018, "TLS_DH_anon_WITH_RC4_128_MD5" },
855 { 0x0019, "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA" },
856 { 0x001a, "TLS_DH_anon_WITH_DES_CBC_SHA" },
857 { 0x001b, "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA" },
858
859 { 0x001c, "SSL_FORTEZZA_KEA_WITH_NULL_SHA" },
860 { 0x001d, "SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA" },
861#if 0 /* Because it clashes with KRB5 (0x001E below), is never used any more, and is safe
862 to remove according to David Hopwood <[email protected]>
863 of the ietf-tls list */
864 { 0x001e, "SSL_FORTEZZA_KEA_WITH_RC4_128_SHA" },
865#endif
866 /* RFC 2712 */
867 { 0x001E, "TLS_KRB5_WITH_DES_CBC_SHA" },
868 { 0x001F, "TLS_KRB5_WITH_3DES_EDE_CBC_SHA" },
869 { 0x0020, "TLS_KRB5_WITH_RC4_128_SHA" },
870 { 0x0021, "TLS_KRB5_WITH_IDEA_CBC_SHA" },
871 { 0x0022, "TLS_KRB5_WITH_DES_CBC_MD5" },
872 { 0x0023, "TLS_KRB5_WITH_3DES_EDE_CBC_MD5" },
873 { 0x0024, "TLS_KRB5_WITH_RC4_128_MD5" },
874 { 0x0025, "TLS_KRB5_WITH_IDEA_CBC_MD5" },
875 { 0x0026, "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA" },
876 { 0x0027, "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA" },
877 { 0x0028, "TLS_KRB5_EXPORT_WITH_RC4_40_SHA" },
878 { 0x0029, "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5" },
879 { 0x002A, "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5" },
880 { 0x002B, "TLS_KRB5_EXPORT_WITH_RC4_40_MD5" },
881 /* RFC 4785 */
882 { 0x002C, "TLS_PSK_WITH_NULL_SHA" },
883 { 0x002D, "TLS_DHE_PSK_WITH_NULL_SHA" },
884 { 0x002E, "TLS_RSA_PSK_WITH_NULL_SHA" },
885 /* RFC 5246 */
886 { 0x002F, "TLS_RSA_WITH_AES_128_CBC_SHA" },
887 { 0x0030, "TLS_DH_DSS_WITH_AES_128_CBC_SHA" },
888 { 0x0031, "TLS_DH_RSA_WITH_AES_128_CBC_SHA" },
889 { 0x0032, "TLS_DHE_DSS_WITH_AES_128_CBC_SHA" },
890 { 0x0033, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA" },
891 { 0x0034, "TLS_DH_anon_WITH_AES_128_CBC_SHA" },
892 { 0x0035, "TLS_RSA_WITH_AES_256_CBC_SHA" },
893 { 0x0036, "TLS_DH_DSS_WITH_AES_256_CBC_SHA" },
894 { 0x0037, "TLS_DH_RSA_WITH_AES_256_CBC_SHA" },
895 { 0x0038, "TLS_DHE_DSS_WITH_AES_256_CBC_SHA" },
896 { 0x0039, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA" },
897 { 0x003A, "TLS_DH_anon_WITH_AES_256_CBC_SHA" },
898 { 0x003B, "TLS_RSA_WITH_NULL_SHA256" },
899 { 0x003C, "TLS_RSA_WITH_AES_128_CBC_SHA256" },
900 { 0x003D, "TLS_RSA_WITH_AES_256_CBC_SHA256" },
901 { 0x003E, "TLS_DH_DSS_WITH_AES_128_CBC_SHA256" },
902 { 0x003F, "TLS_DH_RSA_WITH_AES_128_CBC_SHA256" },
903 { 0x0040, "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256" },
904 /* RFC 4132 */
905 { 0x0041, "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA" },
906 { 0x0042, "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA" },
907 { 0x0043, "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA" },
908 { 0x0044, "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA" },
909 { 0x0045, "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA" },
910 { 0x0046, "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA" },
911 /* 0x00,0x60-66 Reserved to avoid conflicts with widely deployed implementations */
912 /* --- begin 0x0060-0x0066 (reserved range, see note above) --- */
913 { 0x0060, "TLS_RSA_EXPORT1024_WITH_RC4_56_MD5" },
914 { 0x0061, "TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5" },
915 /* draft-ietf-tls-56-bit-ciphersuites-01.txt */
916 { 0x0062, "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA" },
917 { 0x0063, "TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA" },
918 { 0x0064, "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA" },
919 { 0x0065, "TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA" },
920 { 0x0066, "TLS_DHE_DSS_WITH_RC4_128_SHA" },
921 /* --- end 0x0060-0x0066 --- */
922 { 0x0067, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256" },
923 { 0x0068, "TLS_DH_DSS_WITH_AES_256_CBC_SHA256" },
924 { 0x0069, "TLS_DH_RSA_WITH_AES_256_CBC_SHA256" },
925 { 0x006A, "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256" },
926 { 0x006B, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256" },
927 { 0x006C, "TLS_DH_anon_WITH_AES_128_CBC_SHA256" },
928 { 0x006D, "TLS_DH_anon_WITH_AES_256_CBC_SHA256" },
929 /* draft-chudov-cryptopro-cptls-04.txt */
930 { 0x0080, "TLS_GOSTR341094_WITH_28147_CNT_IMIT" },
931 { 0x0081, "TLS_GOSTR341001_WITH_28147_CNT_IMIT" },
932 { 0x0082, "TLS_GOSTR341094_WITH_NULL_GOSTR3411" },
933 { 0x0083, "TLS_GOSTR341001_WITH_NULL_GOSTR3411" },
934 /* RFC 4132 */
935 { 0x0084, "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA" },
936 { 0x0085, "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA" },
937 { 0x0086, "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA" },
938 { 0x0087, "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA" },
939 { 0x0088, "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA" },
940 { 0x0089, "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA" },
941 /* RFC 4279 */
942 { 0x008A, "TLS_PSK_WITH_RC4_128_SHA" },
943 { 0x008B, "TLS_PSK_WITH_3DES_EDE_CBC_SHA" },
944 { 0x008C, "TLS_PSK_WITH_AES_128_CBC_SHA" },
945 { 0x008D, "TLS_PSK_WITH_AES_256_CBC_SHA" },
946 { 0x008E, "TLS_DHE_PSK_WITH_RC4_128_SHA" },
947 { 0x008F, "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA" },
948 { 0x0090, "TLS_DHE_PSK_WITH_AES_128_CBC_SHA" },
949 { 0x0091, "TLS_DHE_PSK_WITH_AES_256_CBC_SHA" },
950 { 0x0092, "TLS_RSA_PSK_WITH_RC4_128_SHA" },
951 { 0x0093, "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA" },
952 { 0x0094, "TLS_RSA_PSK_WITH_AES_128_CBC_SHA" },
953 { 0x0095, "TLS_RSA_PSK_WITH_AES_256_CBC_SHA" },
954 /* RFC 4162 */
955 { 0x0096, "TLS_RSA_WITH_SEED_CBC_SHA" },
956 { 0x0097, "TLS_DH_DSS_WITH_SEED_CBC_SHA" },
957 { 0x0098, "TLS_DH_RSA_WITH_SEED_CBC_SHA" },
958 { 0x0099, "TLS_DHE_DSS_WITH_SEED_CBC_SHA" },
959 { 0x009A, "TLS_DHE_RSA_WITH_SEED_CBC_SHA" },
960 { 0x009B, "TLS_DH_anon_WITH_SEED_CBC_SHA" },
961 /* RFC 5288 */
962 { 0x009C, "TLS_RSA_WITH_AES_128_GCM_SHA256" },
963 { 0x009D, "TLS_RSA_WITH_AES_256_GCM_SHA384" },
964 { 0x009E, "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256" },
965 { 0x009F, "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384" },
966 { 0x00A0, "TLS_DH_RSA_WITH_AES_128_GCM_SHA256" },
967 { 0x00A1, "TLS_DH_RSA_WITH_AES_256_GCM_SHA384" },
968 { 0x00A2, "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256" },
969 { 0x00A3, "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384" },
970 { 0x00A4, "TLS_DH_DSS_WITH_AES_128_GCM_SHA256" },
971 { 0x00A5, "TLS_DH_DSS_WITH_AES_256_GCM_SHA384" },
972 { 0x00A6, "TLS_DH_anon_WITH_AES_128_GCM_SHA256" },
973 { 0x00A7, "TLS_DH_anon_WITH_AES_256_GCM_SHA384" },
974 /* RFC 5487 */
975 { 0x00A8, "TLS_PSK_WITH_AES_128_GCM_SHA256" },
976 { 0x00A9, "TLS_PSK_WITH_AES_256_GCM_SHA384" },
977 { 0x00AA, "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256" },
978 { 0x00AB, "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384" },
979 { 0x00AC, "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256" },
980 { 0x00AD, "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384" },
981 { 0x00AE, "TLS_PSK_WITH_AES_128_CBC_SHA256" },
982 { 0x00AF, "TLS_PSK_WITH_AES_256_CBC_SHA384" },
983 { 0x00B0, "TLS_PSK_WITH_NULL_SHA256" },
984 { 0x00B1, "TLS_PSK_WITH_NULL_SHA384" },
985 { 0x00B2, "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256" },
986 { 0x00B3, "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384" },
987 { 0x00B4, "TLS_DHE_PSK_WITH_NULL_SHA256" },
988 { 0x00B5, "TLS_DHE_PSK_WITH_NULL_SHA384" },
989 { 0x00B6, "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256" },
990 { 0x00B7, "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384" },
991 { 0x00B8, "TLS_RSA_PSK_WITH_NULL_SHA256" },
992 { 0x00B9, "TLS_RSA_PSK_WITH_NULL_SHA384" },
993 /* From RFC 5932 */
994 { 0x00BA, "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
995 { 0x00BB, "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256" },
996 { 0x00BC, "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
997 { 0x00BD, "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256" },
998 { 0x00BE, "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
999 { 0x00BF, "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256" },
1000 { 0x00C0, "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
1001 { 0x00C1, "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256" },
1002 { 0x00C2, "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
1003 { 0x00C3, "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256" },
1004 { 0x00C4, "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
1005 { 0x00C5, "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256" },
1006 /* RFC 8998 */
1007 { 0x00C6, "TLS_SM4_GCM_SM3" },
1008 { 0x00C7, "TLS_SM4_CCM_SM3" },
1009 /* 0x00,0xC8-FE Unassigned */
1010 /* From RFC 5746 */
1011 { 0x00FF, "TLS_EMPTY_RENEGOTIATION_INFO_SCSV" },
1012 /* RFC 8701 */
1013 { 0x0A0A, "Reserved (GREASE)" },
1014 /* RFC 8446 */
1015 { 0x1301, "TLS_AES_128_GCM_SHA256" },
1016 { 0x1302, "TLS_AES_256_GCM_SHA384" },
1017 { 0x1303, "TLS_CHACHA20_POLY1305_SHA256" },
1018 { 0x1304, "TLS_AES_128_CCM_SHA256" },
1019 { 0x1305, "TLS_AES_128_CCM_8_SHA256" },
1020 /* RFC 8701 */
1021 { 0x1A1A, "Reserved (GREASE)" },
1022 { 0x2A2A, "Reserved (GREASE)" },
1023 { 0x3A3A, "Reserved (GREASE)" },
1024 { 0x4A4A, "Reserved (GREASE)" },
1025 /* From RFC 7507 */
1026 { 0x5600, "TLS_FALLBACK_SCSV" },
1027 /* RFC 8701 */
1028 { 0x5A5A, "Reserved (GREASE)" },
1029 { 0x6A6A, "Reserved (GREASE)" },
1030 { 0x7A7A, "Reserved (GREASE)" },
1031 { 0x8A8A, "Reserved (GREASE)" },
1032 { 0x9A9A, "Reserved (GREASE)" },
1033 { 0xAAAA, "Reserved (GREASE)" },
1034 { 0xBABA, "Reserved (GREASE)" },
1035 /* From RFC 4492 */
1036 { 0xc001, "TLS_ECDH_ECDSA_WITH_NULL_SHA" },
1037 { 0xc002, "TLS_ECDH_ECDSA_WITH_RC4_128_SHA" },
1038 { 0xc003, "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA" },
1039 { 0xc004, "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA" },
1040 { 0xc005, "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" },
1041 { 0xc006, "TLS_ECDHE_ECDSA_WITH_NULL_SHA" },
1042 { 0xc007, "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA" },
1043 { 0xc008, "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA" },
1044 { 0xc009, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA" },
1045 { 0xc00a, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" },
1046 { 0xc00b, "TLS_ECDH_RSA_WITH_NULL_SHA" },
1047 { 0xc00c, "TLS_ECDH_RSA_WITH_RC4_128_SHA" },
1048 { 0xc00d, "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA" },
1049 { 0xc00e, "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA" },
1050 { 0xc00f, "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA" },
1051 { 0xc010, "TLS_ECDHE_RSA_WITH_NULL_SHA" },
1052 { 0xc011, "TLS_ECDHE_RSA_WITH_RC4_128_SHA" },
1053 { 0xc012, "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA" },
1054 { 0xc013, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA" },
1055 { 0xc014, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA" },
1056 { 0xc015, "TLS_ECDH_anon_WITH_NULL_SHA" },
1057 { 0xc016, "TLS_ECDH_anon_WITH_RC4_128_SHA" },
1058 { 0xc017, "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA" },
1059 { 0xc018, "TLS_ECDH_anon_WITH_AES_128_CBC_SHA" },
1060 { 0xc019, "TLS_ECDH_anon_WITH_AES_256_CBC_SHA" },
1061 /* RFC 5054 */
1062 { 0xC01A, "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA" },
1063 { 0xC01B, "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA" },
1064 { 0xC01C, "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA" },
1065 { 0xC01D, "TLS_SRP_SHA_WITH_AES_128_CBC_SHA" },
1066 { 0xC01E, "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA" },
1067 { 0xC01F, "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA" },
1068 { 0xC020, "TLS_SRP_SHA_WITH_AES_256_CBC_SHA" },
1069 { 0xC021, "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA" },
1070 { 0xC022, "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA" },
1071 /* RFC 5589 */
1072 { 0xC023, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256" },
1073 { 0xC024, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384" },
1074 { 0xC025, "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256" },
1075 { 0xC026, "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384" },
1076 { 0xC027, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" },
1077 { 0xC028, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" },
1078 { 0xC029, "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256" },
1079 { 0xC02A, "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384" },
1080 { 0xC02B, "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" },
1081 { 0xC02C, "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" },
1082 { 0xC02D, "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256" },
1083 { 0xC02E, "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384" },
1084 { 0xC02F, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" },
1085 { 0xC030, "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" },
1086 { 0xC031, "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" },
1087 { 0xC032, "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384" },
1088 /* RFC 5489 */
1089 { 0xC033, "TLS_ECDHE_PSK_WITH_RC4_128_SHA" },
1090 { 0xC034, "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA" },
1091 { 0xC035, "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA" },
1092 { 0xC036, "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA" },
1093 { 0xC037, "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256" },
1094 { 0xC038, "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384" },
1095 { 0xC039, "TLS_ECDHE_PSK_WITH_NULL_SHA" },
1096 { 0xC03A, "TLS_ECDHE_PSK_WITH_NULL_SHA256" },
1097 { 0xC03B, "TLS_ECDHE_PSK_WITH_NULL_SHA384" },
1098 /* RFC 6209 */
1099 { 0xC03C, "TLS_RSA_WITH_ARIA_128_CBC_SHA256" },
1100 { 0xC03D, "TLS_RSA_WITH_ARIA_256_CBC_SHA384" },
1101 { 0xC03E, "TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256" },
1102 { 0xC03F, "TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384" },
1103 { 0xC040, "TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256" },
1104 { 0xC041, "TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384" },
1105 { 0xC042, "TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256" },
1106 { 0xC043, "TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384" },
1107 { 0xC044, "TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256" },
1108 { 0xC045, "TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384" },
1109 { 0xC046, "TLS_DH_anon_WITH_ARIA_128_CBC_SHA256" },
1110 { 0xC047, "TLS_DH_anon_WITH_ARIA_256_CBC_SHA384" },
1111 { 0xC048, "TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256" },
1112 { 0xC049, "TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384" },
1113 { 0xC04A, "TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256" },
1114 { 0xC04B, "TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384" },
1115 { 0xC04C, "TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256" },
1116 { 0xC04D, "TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384" },
1117 { 0xC04E, "TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256" },
1118 { 0xC04F, "TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384" },
1119 { 0xC050, "TLS_RSA_WITH_ARIA_128_GCM_SHA256" },
1120 { 0xC051, "TLS_RSA_WITH_ARIA_256_GCM_SHA384" },
1121 { 0xC052, "TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256" },
1122 { 0xC053, "TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384" },
1123 { 0xC054, "TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256" },
1124 { 0xC055, "TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384" },
1125 { 0xC056, "TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256" },
1126 { 0xC057, "TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384" },
1127 { 0xC058, "TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256" },
1128 { 0xC059, "TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384" },
1129 { 0xC05A, "TLS_DH_anon_WITH_ARIA_128_GCM_SHA256" },
1130 { 0xC05B, "TLS_DH_anon_WITH_ARIA_256_GCM_SHA384" },
1131 { 0xC05C, "TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256" },
1132 { 0xC05D, "TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384" },
1133 { 0xC05E, "TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256" },
1134 { 0xC05F, "TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384" },
1135 { 0xC060, "TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256" },
1136 { 0xC061, "TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384" },
1137 { 0xC062, "TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256" },
1138 { 0xC063, "TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384" },
1139 { 0xC064, "TLS_PSK_WITH_ARIA_128_CBC_SHA256" },
1140 { 0xC065, "TLS_PSK_WITH_ARIA_256_CBC_SHA384" },
1141 { 0xC066, "TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256" },
1142 { 0xC067, "TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384" },
1143 { 0xC068, "TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256" },
1144 { 0xC069, "TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384" },
1145 { 0xC06A, "TLS_PSK_WITH_ARIA_128_GCM_SHA256" },
1146 { 0xC06B, "TLS_PSK_WITH_ARIA_256_GCM_SHA384" },
1147 { 0xC06C, "TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256" },
1148 { 0xC06D, "TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384" },
1149 { 0xC06E, "TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256" },
1150 { 0xC06F, "TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384" },
1151 { 0xC070, "TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256" },
1152 { 0xC071, "TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384" },
1153 /* RFC 6367 */
1154 { 0xC072, "TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256" },
1155 { 0xC073, "TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384" },
1156 { 0xC074, "TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256" },
1157 { 0xC075, "TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384" },
1158 { 0xC076, "TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
1159 { 0xC077, "TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384" },
1160 { 0xC078, "TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
1161 { 0xC079, "TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384" },
1162 { 0xC07A, "TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256" },
1163 { 0xC07B, "TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384" },
1164 { 0xC07C, "TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256" },
1165 { 0xC07D, "TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384" },
1166 { 0xC07E, "TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256" },
1167 { 0xC07F, "TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384" },
1168 { 0xC080, "TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256" },
1169 { 0xC081, "TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384" },
1170 { 0xC082, "TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256" },
1171 { 0xC083, "TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384" },
1172 { 0xC084, "TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256" },
1173 { 0xC085, "TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384" },
1174 { 0xC086, "TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256" },
1175 { 0xC087, "TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384" },
1176 { 0xC088, "TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256" },
1177 { 0xC089, "TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384" },
1178 { 0xC08A, "TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256" },
1179 { 0xC08B, "TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384" },
1180 { 0xC08C, "TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256" },
1181 { 0xC08D, "TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384" },
1182 { 0xC08E, "TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256" },
1183 { 0xC08F, "TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384" },
1184 { 0xC090, "TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256" },
1185 { 0xC091, "TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384" },
1186 { 0xC092, "TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256" },
1187 { 0xC093, "TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384" },
1188 { 0xC094, "TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256" },
1189 { 0xC095, "TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384" },
1190 { 0xC096, "TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256" },
1191 { 0xC097, "TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384" },
1192 { 0xC098, "TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256" },
1193 { 0xC099, "TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384" },
1194 { 0xC09A, "TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256" },
1195 { 0xC09B, "TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384" },
1196 /* RFC 6655 */
1197 { 0xC09C, "TLS_RSA_WITH_AES_128_CCM" },
1198 { 0xC09D, "TLS_RSA_WITH_AES_256_CCM" },
1199 { 0xC09E, "TLS_DHE_RSA_WITH_AES_128_CCM" },
1200 { 0xC09F, "TLS_DHE_RSA_WITH_AES_256_CCM" },
1201 { 0xC0A0, "TLS_RSA_WITH_AES_128_CCM_8" },
1202 { 0xC0A1, "TLS_RSA_WITH_AES_256_CCM_8" },
1203 { 0xC0A2, "TLS_DHE_RSA_WITH_AES_128_CCM_8" },
1204 { 0xC0A3, "TLS_DHE_RSA_WITH_AES_256_CCM_8" },
1205 { 0xC0A4, "TLS_PSK_WITH_AES_128_CCM" },
1206 { 0xC0A5, "TLS_PSK_WITH_AES_256_CCM" },
1207 { 0xC0A6, "TLS_DHE_PSK_WITH_AES_128_CCM" },
1208 { 0xC0A7, "TLS_DHE_PSK_WITH_AES_256_CCM" },
1209 { 0xC0A8, "TLS_PSK_WITH_AES_128_CCM_8" },
1210 { 0xC0A9, "TLS_PSK_WITH_AES_256_CCM_8" },
1211 { 0xC0AA, "TLS_PSK_DHE_WITH_AES_128_CCM_8" },
1212 { 0xC0AB, "TLS_PSK_DHE_WITH_AES_256_CCM_8" },
1213 /* RFC 7251 */
1214 { 0xC0AC, "TLS_ECDHE_ECDSA_WITH_AES_128_CCM" },
1215 { 0xC0AD, "TLS_ECDHE_ECDSA_WITH_AES_256_CCM" },
1216 { 0xC0AE, "TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8" },
1217 { 0xC0AF, "TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8" },
1218 /* RFC 8492 */
1219 { 0xC0B0, "TLS_ECCPWD_WITH_AES_128_GCM_SHA256" },
1220 { 0xC0B1, "TLS_ECCPWD_WITH_AES_256_GCM_SHA384" },
1221 { 0xC0B2, "TLS_ECCPWD_WITH_AES_128_CCM_SHA256" },
1222 { 0xC0B3, "TLS_ECCPWD_WITH_AES_256_CCM_SHA384" },
1223 /* draft-camwinget-tls-ts13-macciphersuites */
1224 { 0xC0B4, "TLS_SHA256_SHA256" },
1225 { 0xC0B5, "TLS_SHA384_SHA384" },
1226 /* https://www.ietf.org/archive/id/draft-cragie-tls-ecjpake-01.txt */
1227 { 0xC0FF, "TLS_ECJPAKE_WITH_AES_128_CCM_8" },
1228 /* draft-smyshlyaev-tls12-gost-suites */
1229 { 0xC100, "TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC" },
1230 { 0xC101, "TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC" },
1231 { 0xC102, "TLS_GOSTR341112_256_WITH_28147_CNT_IMIT" },
1232 /* draft-smyshlyaev-tls13-gost-suites */
1233 { 0xC103, "TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_L" },
1234 { 0xC104, "TLS_GOSTR341112_256_WITH_MAGMA_MGM_L" },
1235 { 0xC105, "TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_S" },
1236 { 0xC106, "TLS_GOSTR341112_256_WITH_MAGMA_MGM_S" },
1237 /* RFC 8701 */
1238 { 0xCACA, "Reserved (GREASE)" },
1239/*
 NOTE(review): this range summary predates the RFC 7251 / RFC 8492 /
 GOST entries above (0xC0AC-0xC0B5, 0xC0FF, 0xC100-0xC106), so the first
 two lines are no longer accurate for this table.
12400xC0,0xAB-FF Unassigned
12410xC1,0x03-FD,* Unassigned
12420xFE,0x00-FD Unassigned
12430xFE,0xFE-FF Reserved to avoid conflicts with widely deployed implementations [Pasi_Eronen]
12440xFF,0x00-FF Reserved for Private Use [RFC5246]
1245*/
1246 /* old numbers used in the beginning
1247 * https://tools.ietf.org/html/draft-agl-tls-chacha20poly1305
 * (same suite names as the RFC 7905 entries below, different code points) */
1248 { 0xCC13, "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
1249 { 0xCC14, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" },
1250 { 0xCC15, "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
1251 /* RFC 7905 */
1252 { 0xCCA8, "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
1253 { 0xCCA9, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" },
1254 { 0xCCAA, "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
1255 { 0xCCAB, "TLS_PSK_WITH_CHACHA20_POLY1305_SHA256" },
1256 { 0xCCAC, "TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256" },
1257 { 0xCCAD, "TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256" },
1258 { 0xCCAE, "TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256" },
1259 /* RFC 8442 */
1260 { 0xD001, "TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256" },
1261 { 0xD002, "TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384" },
1262 { 0xD003, "TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256" },
1263 { 0xD005, "TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256" },
1264 /* RFC 8701 */
1265 { 0xDADA, "Reserved (GREASE)" },
1266 /* GM/T 0024-2014 */
1267 { 0xe001, "ECDHE_SM1_SM3"},
1268 { 0xe003, "ECC_SM1_SM3"},
1269 { 0xe005, "IBSDH_SM1_SM3"},
1270 { 0xe007, "IBC_SM1_SM3"},
1271 { 0xe009, "RSA_SM1_SM3"},
1272 { 0xe00a, "RSA_SM1_SHA1"},
1273 { 0xe011, "ECDHE_SM4_CBC_SM3"},
1274 { 0xe013, "ECC_SM4_CBC_SM3"},
1275 { 0xe015, "IBSDH_SM4_CBC_SM3"},
1276 { 0xe017, "IBC_SM4_CBC_SM3"},
1277 { 0xe019, "RSA_SM4_CBC_SM3"},
1278 { 0xe01a, "RSA_SM4_CBC_SHA1"},
1279 { 0xe01c, "RSA_SM4_CBC_SHA256"},
1280 { 0xe051, "ECDHE_SM4_GCM_SM3"},
1281 { 0xe053, "ECC_SM4_GCM_SM3"},
1282 { 0xe055, "IBSDH_SM4_GCM_SM3"},
1283 { 0xe057, "IBC_SM4_GCM_SM3"},
1284 { 0xe059, "RSA_SM4_GCM_SM3"},
1285 { 0xe05a, "RSA_SM4_GCM_SHA256"},
1286 /* https://tools.ietf.org/html/draft-josefsson-salsa20-tls */
1287 { 0xE410, "TLS_RSA_WITH_ESTREAM_SALSA20_SHA1" },
1288 { 0xE411, "TLS_RSA_WITH_SALSA20_SHA1" },
1289 { 0xE412, "TLS_ECDHE_RSA_WITH_ESTREAM_SALSA20_SHA1" },
1290 { 0xE413, "TLS_ECDHE_RSA_WITH_SALSA20_SHA1" },
1291 { 0xE414, "TLS_ECDHE_ECDSA_WITH_ESTREAM_SALSA20_SHA1" },
1292 { 0xE415, "TLS_ECDHE_ECDSA_WITH_SALSA20_SHA1" },
1293 { 0xE416, "TLS_PSK_WITH_ESTREAM_SALSA20_SHA1" },
1294 { 0xE417, "TLS_PSK_WITH_SALSA20_SHA1" },
1295 { 0xE418, "TLS_ECDHE_PSK_WITH_ESTREAM_SALSA20_SHA1" },
1296 { 0xE419, "TLS_ECDHE_PSK_WITH_SALSA20_SHA1" },
1297 { 0xE41A, "TLS_RSA_PSK_WITH_ESTREAM_SALSA20_SHA1" },
1298 { 0xE41B, "TLS_RSA_PSK_WITH_SALSA20_SHA1" },
1299 { 0xE41C, "TLS_DHE_PSK_WITH_ESTREAM_SALSA20_SHA1" },
1300 { 0xE41D, "TLS_DHE_PSK_WITH_SALSA20_SHA1" },
1301 { 0xE41E, "TLS_DHE_RSA_WITH_ESTREAM_SALSA20_SHA1" },
1302 { 0xE41F, "TLS_DHE_RSA_WITH_SALSA20_SHA1" },
1303 /* RFC 8701 */
1304 { 0xEAEA, "Reserved (GREASE)" },
1305 { 0xFAFA, "Reserved (GREASE)" },
1306 /* these from http://www.mozilla.org/projects/
1307 security/pki/nss/ssl/fips-ssl-ciphersuites.html
 (0xffe0/0xffe1 below carry the same two names under different code points) */
1308 { 0xfefe, "SSL_RSA_FIPS_WITH_DES_CBC_SHA"},
1309 { 0xfeff, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA" },
1310 /* https://datatracker.ietf.org/doc/html/rfc9189
 (same name as 0xC102 above) */
1311 { 0xff85, "TLS_GOSTR341112_256_WITH_28147_CNT_IMIT"},
1312 { 0xffe0, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA" },
1313 { 0xffe1, "SSL_RSA_FIPS_WITH_DES_CBC_SHA" },
1314 /* note that ciphersuites 0xff00 - 0xffff are private */
 /* Terminator -- must stay last; see the header comment. */
1315 { 0x00, NULL((void*)0) }
1316};
1317
/* Extended (binary-search capable) wrapper around ssl_31_ciphersuite.  The
 * expanded initializer computes the entry count as
 * sizeof(table)/sizeof(table[0]) - 1, i.e. it excludes the terminating
 * { 0x00, NULL } entry, and records the table name for diagnostics. */
1318value_string_ext ssl_31_ciphersuite_ext = VALUE_STRING_EXT_INIT(ssl_31_ciphersuite){ _try_val_to_str_ext_init, 0, (sizeof (ssl_31_ciphersuite) /
 sizeof ((ssl_31_ciphersuite)[0]))-1, ssl_31_ciphersuite, "ssl_31_ciphersuite"
 , ((void*)0) }
 ;
1319
1320/* http://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#tls-extensiontype-values-1 */
1321const value_string tls_hello_extension_types[] = {
1322 { SSL_HND_HELLO_EXT_SERVER_NAME0, "server_name" }, /* RFC 6066 */
1323 { SSL_HND_HELLO_EXT_MAX_FRAGMENT_LENGTH1, "max_fragment_length" },/* RFC 6066 */
1324 { SSL_HND_HELLO_EXT_CLIENT_CERTIFICATE_URL2, "client_certificate_url" }, /* RFC 6066 */
1325 { SSL_HND_HELLO_EXT_TRUSTED_CA_KEYS3, "trusted_ca_keys" }, /* RFC 6066 */
1326 { SSL_HND_HELLO_EXT_TRUNCATED_HMAC4, "truncated_hmac" }, /* RFC 6066 */
1327 { SSL_HND_HELLO_EXT_STATUS_REQUEST5, "status_request" }, /* RFC 6066 */
1328 { SSL_HND_HELLO_EXT_USER_MAPPING6, "user_mapping" }, /* RFC 4681 */
1329 { SSL_HND_HELLO_EXT_CLIENT_AUTHZ7, "client_authz" }, /* RFC 5878 */
1330 { SSL_HND_HELLO_EXT_SERVER_AUTHZ8, "server_authz" }, /* RFC 5878 */
1331 { SSL_HND_HELLO_EXT_CERT_TYPE9, "cert_type" }, /* RFC 6091 */
1332 { SSL_HND_HELLO_EXT_SUPPORTED_GROUPS10, "supported_groups" }, /* RFC 4492, RFC 7919 */
1333 { SSL_HND_HELLO_EXT_EC_POINT_FORMATS11, "ec_point_formats" }, /* RFC 4492 */
1334 { SSL_HND_HELLO_EXT_SRP12, "srp" }, /* RFC 5054 */
1335 { SSL_HND_HELLO_EXT_SIGNATURE_ALGORITHMS13, "signature_algorithms" }, /* RFC 5246 */
1336 { SSL_HND_HELLO_EXT_USE_SRTP14, "use_srtp" }, /* RFC 5764 */
1337 { SSL_HND_HELLO_EXT_HEARTBEAT15, "heartbeat" }, /* RFC 6520 */
1338 { SSL_HND_HELLO_EXT_ALPN16, "application_layer_protocol_negotiation" }, /* RFC 7301 */
1339 { SSL_HND_HELLO_EXT_STATUS_REQUEST_V217, "status_request_v2" }, /* RFC 6961 */
1340 { SSL_HND_HELLO_EXT_SIGNED_CERTIFICATE_TIMESTAMP18, "signed_certificate_timestamp" }, /* RFC 6962 */
1341 { SSL_HND_HELLO_EXT_CLIENT_CERT_TYPE19, "client_certificate_type" }, /* RFC 7250 */
1342 { SSL_HND_HELLO_EXT_SERVER_CERT_TYPE20, "server_certificate_type" }, /* RFC 7250 */
1343 { SSL_HND_HELLO_EXT_PADDING21, "padding" }, /* RFC 7685 */
1344 { SSL_HND_HELLO_EXT_ENCRYPT_THEN_MAC22, "encrypt_then_mac" }, /* RFC 7366 */
1345 { SSL_HND_HELLO_EXT_EXTENDED_MASTER_SECRET23, "extended_master_secret" }, /* RFC 7627 */
1346 { SSL_HND_HELLO_EXT_TOKEN_BINDING24, "token_binding" }, /* https://tools.ietf.org/html/draft-ietf-tokbind-negotiation */
1347 { SSL_HND_HELLO_EXT_CACHED_INFO25, "cached_info" }, /* RFC 7924 */
1348 { SSL_HND_HELLO_EXT_COMPRESS_CERTIFICATE27, "compress_certificate" }, /* https://tools.ietf.org/html/draft-ietf-tls-certificate-compression-03 */
1349 { SSL_HND_HELLO_EXT_RECORD_SIZE_LIMIT28, "record_size_limit" }, /* RFC 8449 */
1350 { SSL_HND_HELLO_EXT_DELEGATED_CREDENTIALS34, "delegated_credentials" }, /* draft-ietf-tls-subcerts-10.txt */
1351 { SSL_HND_HELLO_EXT_SESSION_TICKET_TLS35, "session_ticket" }, /* RFC 5077 / RFC 8447 */
1352 { SSL_HND_HELLO_EXT_KEY_SHARE_OLD40, "Reserved (key_share)" }, /* https://tools.ietf.org/html/draft-ietf-tls-tls13-22 (removed in -23) */
1353 { SSL_HND_HELLO_EXT_PRE_SHARED_KEY41, "pre_shared_key" }, /* RFC 8446 */
1354 { SSL_HND_HELLO_EXT_EARLY_DATA42, "early_data" }, /* RFC 8446 */
1355 { SSL_HND_HELLO_EXT_SUPPORTED_VERSIONS43, "supported_versions" }, /* RFC 8446 */
1356 { SSL_HND_HELLO_EXT_COOKIE44, "cookie" }, /* RFC 8446 */
1357 { SSL_HND_HELLO_EXT_PSK_KEY_EXCHANGE_MODES45, "psk_key_exchange_modes" }, /* RFC 8446 */
1358 { SSL_HND_HELLO_EXT_TICKET_EARLY_DATA_INFO46, "Reserved (ticket_early_data_info)" }, /* draft-ietf-tls-tls13-18 (removed in -19) */
1359 { SSL_HND_HELLO_EXT_CERTIFICATE_AUTHORITIES47, "certificate_authorities" }, /* RFC 8446 */
1360 { SSL_HND_HELLO_EXT_OID_FILTERS48, "oid_filters" }, /* RFC 8446 */
1361 { SSL_HND_HELLO_EXT_POST_HANDSHAKE_AUTH49, "post_handshake_auth" }, /* RFC 8446 */
1362 { SSL_HND_HELLO_EXT_SIGNATURE_ALGORITHMS_CERT50, "signature_algorithms_cert" }, /* RFC 8446 */
1363 { SSL_HND_HELLO_EXT_KEY_SHARE51, "key_share" }, /* RFC 8446 */
1364 { SSL_HND_HELLO_EXT_TRANSPARENCY_INFO52, "transparency_info" }, /* draft-ietf-trans-rfc6962-bis-41 */
1365 { SSL_HND_HELLO_EXT_CONNECTION_ID_DEPRECATED53, "connection_id (deprecated)" }, /* draft-ietf-tls-dtls-connection-id-07 */
1366 { SSL_HND_HELLO_EXT_CONNECTION_ID54, "connection_id" }, /* RFC 9146 */
1367 { SSL_HND_HELLO_EXT_EXTERNAL_ID_HASH55, "external_id_hash" }, /* RFC 8844 */
1368 { SSL_HND_HELLO_EXT_EXTERNAL_SESSION_ID56, "external_session_id" }, /* RFC 8844 */
1369 { SSL_HND_HELLO_EXT_QUIC_TRANSPORT_PARAMETERS_V157, "quic_transport_parameters" }, /* draft-ietf-quic-tls-33 */
1370 { SSL_HND_HELLO_EXT_TICKET_REQUEST58, "ticket_request" }, /* draft-ietf-tls-ticketrequests-07 */
1371 { SSL_HND_HELLO_EXT_DNSSEC_CHAIN59, "dnssec_chain" }, /* RFC 9102 */
1372 { SSL_HND_HELLO_EXT_GREASE_0A0A2570, "Reserved (GREASE)" }, /* RFC 8701 */
1373 { SSL_HND_HELLO_EXT_GREASE_1A1A6682, "Reserved (GREASE)" }, /* RFC 8701 */
1374 { SSL_HND_HELLO_EXT_GREASE_2A2A10794, "Reserved (GREASE)" }, /* RFC 8701 */
1375 { SSL_HND_HELLO_EXT_NPN13172, "next_protocol_negotiation"}, /* https://datatracker.ietf.org/doc/html/draft-agl-tls-nextprotoneg-03 */
1376 { SSL_HND_HELLO_EXT_GREASE_3A3A14906, "Reserved (GREASE)" }, /* RFC 8701 */
1377 { SSL_HND_HELLO_EXT_ALPS_OLD17513, "application_settings_old" }, /* draft-vvv-tls-alps-01 */
1378 { SSL_HND_HELLO_EXT_ALPS17613, "application_settings" }, /* draft-vvv-tls-alps-01 */ /* https://chromestatus.com/feature/5149147365900288 */
1379 { SSL_HND_HELLO_EXT_GREASE_4A4A19018, "Reserved (GREASE)" }, /* RFC 8701 */
1380 { SSL_HND_HELLO_EXT_GREASE_5A5A23130, "Reserved (GREASE)" }, /* RFC 8701 */
1381 { SSL_HND_HELLO_EXT_GREASE_6A6A27242, "Reserved (GREASE)" }, /* RFC 8701 */
1382 { SSL_HND_HELLO_EXT_CHANNEL_ID_OLD30031, "channel_id_old" }, /* https://tools.ietf.org/html/draft-balfanz-tls-channelid-00
1383 https://twitter.com/ericlaw/status/274237352531083264 */
1384 { SSL_HND_HELLO_EXT_CHANNEL_ID30032, "channel_id" }, /* https://tools.ietf.org/html/draft-balfanz-tls-channelid-01
1385 https://code.google.com/p/chromium/codesearch#chromium/src/net/third_party/nss/ssl/sslt.h&l=209 */
1386 { SSL_HND_HELLO_EXT_RENEGOTIATION_INFO65281, "renegotiation_info" }, /* RFC 5746 */
1387 { SSL_HND_HELLO_EXT_GREASE_7A7A31354, "Reserved (GREASE)" }, /* RFC 8701 */
1388 { SSL_HND_HELLO_EXT_GREASE_8A8A35466, "Reserved (GREASE)" }, /* RFC 8701 */
1389 { SSL_HND_HELLO_EXT_GREASE_9A9A39578, "Reserved (GREASE)" }, /* RFC 8701 */
1390 { SSL_HND_HELLO_EXT_GREASE_AAAA43690, "Reserved (GREASE)" }, /* RFC 8701 */
1391 { SSL_HND_HELLO_EXT_GREASE_BABA47802, "Reserved (GREASE)" }, /* RFC 8701 */
1392 { SSL_HND_HELLO_EXT_GREASE_CACA51914, "Reserved (GREASE)" }, /* RFC 8701 */
1393 { SSL_HND_HELLO_EXT_GREASE_DADA56026, "Reserved (GREASE)" }, /* RFC 8701 */
1394 { SSL_HND_HELLO_EXT_GREASE_EAEA60138, "Reserved (GREASE)" }, /* RFC 8701 */
1395 { SSL_HND_HELLO_EXT_GREASE_FAFA64250, "Reserved (GREASE)" }, /* RFC 8701 */
1396 { SSL_HND_HELLO_EXT_QUIC_TRANSPORT_PARAMETERS65445, "quic_transport_parameters (drafts version)" }, /* https://tools.ietf.org/html/draft-ietf-quic-tls */
1397 { SSL_HND_HELLO_EXT_ENCRYPTED_SERVER_NAME65486, "encrypted_server_name" }, /* https://tools.ietf.org/html/draft-ietf-tls-esni-01 */
1398 { SSL_HND_HELLO_EXT_ENCRYPTED_CLIENT_HELLO65037, "encrypted_client_hello" }, /* https://datatracker.ietf.org/doc/draft-ietf-tls-esni/17/ */
1399 { SSL_HND_HELLO_EXT_ECH_OUTER_EXTENSIONS64768, "ech_outer_extensions" }, /* https://datatracker.ietf.org/doc/draft-ietf-tls-esni/17/ */
1400 { 0, NULL((void*)0) }
1401};
1402
/* RFC 6066 Section 3: ServerNameList.NameType.
 * The RFC defines only host_name(0); no other NameType has ever been
 * registered, so anything else on the wire is unknown, not mislabelled. */
const value_string tls_hello_ext_server_name_type_vs[] = {
    { 0, "host_name" },
    { 0, NULL } /* sentinel: NULL string terminates the table */
};
1407
/* RFC 6066 Section 4: MaxFragmentLength codes.
 * The negotiated maximum plaintext fragment size is 2^(8 + code) bytes.
 * Only codes 1..4 are valid; RFC 6066 says a peer receiving any other
 * value MUST abort with an illegal_parameter alert, so an unknown value
 * here is itself worth noticing in a capture. */
const value_string tls_hello_ext_max_fragment_length[] = {
    { 1, "512" },  // 2^9
    { 2, "1024" }, // 2^10
    { 3, "2048" }, // 2^11
    { 4, "4096" }, // 2^12
    { 0, NULL } /* sentinel: NULL string terminates the table */
};
1416
/* RFC 8446 Section 4.2.9: PskKeyExchangeMode.
 * psk_ke(0) resumes with the PSK alone and therefore offers no forward
 * secrecy for the resumed session; psk_dhe_ke(1) mixes in a fresh (EC)DHE
 * share. Both are just labels here; the dissector does not judge them. */
const value_string tls_hello_ext_psk_ke_mode[] = {
    { 0, "PSK-only key establishment (psk_ke)" },
    { 1, "PSK with (EC)DHE key establishment (psk_dhe_ke)" },
    { 0, NULL } /* sentinel: NULL string terminates the table */
};
1423
/* RFC 6066 Section 6: TrustedAuthority.IdentifierType.
 * The *_sha1_hash forms carry a SHA-1 digest used purely as an identifier
 * for a CA key or certificate the client already trusts; they are not an
 * integrity or authentication mechanism, so SHA-1 here is not by itself a
 * weakness. */
const value_string tls_hello_ext_trusted_ca_key_type[] = {
    {0, "pre_agreed"},
    {1, "key_sha1_hash"},
    {2, "x509_name"},
    {3, "cert_sha1_hash"},
    {0, NULL} /* sentinel: NULL string terminates the table */
};
1432
/* RFC 8446 Section 4.6.3: KeyUpdateRequest.
 * update_requested(1) obliges the peer to send its own KeyUpdate in
 * response; update_not_requested(0) does not. Any other value is illegal
 * per the RFC. */
const value_string tls13_key_update_request[] = {
    { 0, "update_not_requested" },
    { 1, "update_requested" },
    { 0, NULL } /* sentinel: NULL string terminates the table */
};
1438
/* RFC 5246 Section 7.4.1.4.1: HashAlgorithm, the first octet of a TLS 1.2
 * SignatureAndHashAlgorithm.
 * https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml
 *
 * Note that the TLS 1.3 SignatureScheme registry reserves every value with
 * first octet 0x00-0x06 and every value with second octet 0x00-0x03 for
 * backwards compatibility with TLS 1.2 SignatureAndHashAlgorithm, so only
 * those values can safely be split into a (hash, signature) pair.
 *
 * RFC 8422 and RFC 9189 add official TLS 1.2 support for some algorithms
 * originally defined for TLS 1.3, and extend the TLS SignatureAlgorithm and
 * TLS HashAlgorithm registries, but the new octet values are NOT a valid
 * split of every TLS 1.3-only SignatureScheme. Adding them to this table
 * would mislabel such schemes whenever a signature_algorithms extension
 * from a TLS 1.3 ClientHello is decoded octet-by-octet; the whole-uint16
 * names live in tls13_signature_algorithm instead.
 */
const value_string tls_hash_algorithm[] = {
    { 0, "None" },
    { 1, "MD5" },    /* legacy: kept so captures from old peers decode, not an endorsement */
    { 2, "SHA1" },   /* legacy, as above */
    { 3, "SHA224" },
    { 4, "SHA256" },
    { 5, "SHA384" },
    { 6, "SHA512" },
#if 0
    /* RFC 8422 adds this to the HashAlgorithm registry, but it really
     * only applies to 0x0807 and 0x0808, not for other TLS 1.3
     * SignatureSchemes with 0x08 in the octet used for Hash in TLS 1.2.
     * E.g., we don't want to display this for 0x0806 rsa_pss_rsae_sha512.
     * Deliberately disabled; see the header comment above. */
    { 8, "Intrinsic" },
#endif
    { 0, NULL } /* sentinel: NULL string terminates the table */
};
1470
/* RFC 5246 Section 7.4.1.4.1: SignatureAlgorithm, the second octet of a
 * TLS 1.2 SignatureAndHashAlgorithm. Same caveat as tls_hash_algorithm:
 * only octet values 0x00-0x03 are guaranteed not to collide with the
 * TLS 1.3 SignatureScheme encoding. */
const value_string tls_signature_algorithm[] = {
    { 0, "Anonymous" },
    { 1, "RSA" },
    { 2, "DSA" },
    { 3, "ECDSA" },
#if 0
    /* As above: these octet values (RFC 8422 / RFC 9189) would mislabel
     * TLS 1.3 schemes such as 0x0807 when decoded as a (hash, sig) pair,
     * so they are deliberately left out. */
    { 7, "ED25519" },
    { 8, "ED448" },
    { 64, "GOSTR34102012_256" },
    { 65, "GOSTR34102012_512" },
#endif
    { 0, NULL } /* sentinel: NULL string terminates the table */
};
1485
/* RFC 8446 Section 4.2.3: SignatureScheme, decoded as a whole uint16.
 * https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml
 *
 * Three groups of entries deserve care when reading a decode:
 *  - Values with first octet 0x00-0x06 overlap the TLS 1.2
 *    SignatureAndHashAlgorithm encoding (see tls_hash_algorithm).
 *  - Entries marked with a draft name are provisional codepoints and may be
 *    renumbered before (or never reach) RFC publication.
 *  - RFC 8446 Section 11 reserves 0xFE00-0xFFFF for Private Use. The OQS
 *    codepoints below sit in that range, are not registered with IANA, and
 *    may be reused by unrelated implementations, so a label from that range
 *    is a best-effort guess, not an identification. Some of them (e.g.
 *    Rainbow) have since been cryptanalytically broken; being listed here
 *    is a decoding aid, not an endorsement.
 */
const value_string tls13_signature_algorithm[] = {
    { 0x0201, "rsa_pkcs1_sha1" },
    { 0x0203, "ecdsa_sha1" },
    { 0x0401, "rsa_pkcs1_sha256" },
    { 0x0403, "ecdsa_secp256r1_sha256" },
    { 0x0420, "rsa_pkcs1_sha256_legacy" }, /* draft-davidben-tls13-pkcs1-01 */
    { 0x0501, "rsa_pkcs1_sha384" },
    { 0x0503, "ecdsa_secp384r1_sha384" },
    { 0x0520, "rsa_pkcs1_sha384_legacy" }, /* draft-davidben-tls13-pkcs1-01 */
    { 0x0601, "rsa_pkcs1_sha512" },
    { 0x0603, "ecdsa_secp521r1_sha512" },
    { 0x0620, "rsa_pkcs1_sha512_legacy" }, /* draft-davidben-tls13-pkcs1-01 */
    { 0x0704, "eccsi_sha256" }, /* draft-wang-tls-raw-public-key-with-ibc-02 */
    { 0x0705, "iso_ibs1" }, /* draft-wang-tls-raw-public-key-with-ibc-02 */
    { 0x0706, "iso_ibs2" }, /* draft-wang-tls-raw-public-key-with-ibc-02 */
    { 0x0707, "iso_chinese_ibs" }, /* draft-wang-tls-raw-public-key-with-ibc-02 */
    { 0x0708, "sm2sig_sm3" },
    { 0x0709, "gostr34102012_256a" }, /* RFC9367 */
    { 0x070a, "gostr34102012_256b" }, /* RFC9367 */
    { 0x070b, "gostr34102012_256c" }, /* RFC9367 */
    { 0x070c, "gostr34102012_256d" }, /* RFC9367 */
    { 0x070d, "gostr34102012_512a" }, /* RFC9367 */
    { 0x070e, "gostr34102012_512b" }, /* RFC9367 */
    { 0x070f, "gostr34102012_512c" }, /* RFC9367 */
    { 0x0804, "rsa_pss_rsae_sha256" },
    { 0x0805, "rsa_pss_rsae_sha384" },
    { 0x0806, "rsa_pss_rsae_sha512" },
    { 0x0807, "ed25519" },
    { 0x0808, "ed448" },
    { 0x0809, "rsa_pss_pss_sha256" },
    { 0x080a, "rsa_pss_pss_sha384" },
    { 0x080b, "rsa_pss_pss_sha512" },
    { 0x081a, "ecdsa_brainpoolP256r1tls13_sha256" }, /* RFC8734 */
    { 0x081b, "ecdsa_brainpoolP384r1tls13_sha384" }, /* RFC8734 */
    { 0x081c, "ecdsa_brainpoolP512r1tls13_sha512" }, /* RFC8734 */
    /* Post-quantum schemes on the IETF standards track; draft codepoints. */
    { 0x0904, "mldsa44" }, /* draft-ietf-tls-mldsa-00 */
    { 0x0905, "mldsa65" }, /* draft-ietf-tls-mldsa-00 */
    { 0x0906, "mldsa87" }, /* draft-ietf-tls-mldsa-00 */
    { 0x0911, "slhdsa_sha2_128s" }, /* draft-reddy-tls-slhdsa-01 */
    { 0x0912, "slhdsa_sha2_128f" }, /* draft-reddy-tls-slhdsa-01 */
    { 0x0913, "slhdsa_sha2_192s" }, /* draft-reddy-tls-slhdsa-01 */
    { 0x0914, "slhdsa_sha2_192f" }, /* draft-reddy-tls-slhdsa-01 */
    { 0x0915, "slhdsa_sha2_256s" }, /* draft-reddy-tls-slhdsa-01 */
    { 0x0916, "slhdsa_sha2_256f" }, /* draft-reddy-tls-slhdsa-01 */
    { 0x0917, "slhdsa_shake_128s" }, /* draft-reddy-tls-slhdsa-01 */
    { 0x0918, "slhdsa_shake_128f" }, /* draft-reddy-tls-slhdsa-01 */
    { 0x0919, "slhdsa_shake_192s" }, /* draft-reddy-tls-slhdsa-01 */
    { 0x091a, "slhdsa_shake_192f" }, /* draft-reddy-tls-slhdsa-01 */
    { 0x091b, "slhdsa_shake_256s" }, /* draft-reddy-tls-slhdsa-01 */
    { 0x091c, "slhdsa_shake_256f" }, /* draft-reddy-tls-slhdsa-01 */
    /* PQC digital signature algorithms from OQS-OpenSSL (Private Use range,
     * 0xFE00-0xFFFF, unregistered; see header comment),
     see https://github.com/open-quantum-safe/oqs-provider/blob/main/oqs-template/oqs-sig-info.md */
    { 0xfea0, "dilithium2" },
    { 0xfea1, "p256_dilithium2" },
    { 0xfea2, "rsa3072_dilithium2" },
    { 0xfea3, "dilithium3" },
    { 0xfea4, "p384_dilithium3" },
    { 0xfea5, "dilithium5" },
    { 0xfea6, "p521_dilithium5" },
    { 0xfea7, "dilithium2_aes" },
    { 0xfea8, "p256_dilithium2_aes" },
    { 0xfea9, "rsa3072_dilithium2_aes" },
    { 0xfeaa, "dilithium3_aes" },
    { 0xfeab, "p384_dilithium3_aes" },
    { 0xfeac, "dilithium5_aes" },
    { 0xfead, "p521_dilithium5_aes" },
    { 0xfe0b, "falcon512" },
    { 0xfe0c, "p256_falcon512" },
    { 0xfe0d, "rsa3072_falcon512" },
    { 0xfe0e, "falcon1024" },
    { 0xfe0f, "p521_falcon1024" },
    { 0xfe96, "picnicl1full" },
    { 0xfe97, "p256_picnicl1full" },
    { 0xfe98, "rsa3072_picnicl1full" },
    { 0xfe1b, "picnic3l1" },
    { 0xfe1c, "p256_picnic3l1" },
    { 0xfe1d, "rsa3072_picnic3l1" },
    { 0xfe27, "rainbowIclassic" },
    { 0xfe28, "p256_rainbowIclassic" },
    { 0xfe29, "rsa3072_rainbowIclassic" },
    { 0xfe3c, "rainbowVclassic" },
    { 0xfe3d, "p521_rainbowVclassic" },
    { 0xfe42, "sphincsharaka128frobust" },
    { 0xfe43, "p256_sphincsharaka128frobust" },
    { 0xfe44, "rsa3072_sphincsharaka128frobust" },
    { 0xfe5e, "sphincssha256128frobust" },
    { 0xfe5f, "p256_sphincssha256128frobust" },
    { 0xfe60, "rsa3072_sphincssha256128frobust" },
    { 0xfe7a, "sphincsshake256128frobust" },
    { 0xfe7b, "p256_sphincsshake256128frobust" },
    { 0xfe7c, "rsa3072_sphincsshake256128frobust" },
    { 0, NULL } /* sentinel: NULL string terminates the table */
};
1580
/* RFC 6091 Section 3.1: CertificateType, extended by RFC 7250.
 * Raw Public Key (2) means the peer sends a bare SubjectPublicKeyInfo with
 * no certificate chain, so whatever trust the capture shows must come from
 * out-of-band pinning rather than PKI validation. */
const value_string tls_certificate_type[] = {
    { 0, "X.509" },
    { 1, "OpenPGP" },
    { SSL_HND_CERT_TYPE_RAW_PUBLIC_KEY, "Raw Public Key" }, /* RFC 7250 */
    { 0, NULL } /* sentinel: NULL string terminates the table */
};
1588
/* RFC 6066 Section 5: CertChainType for the client_certificate_url
 * extension.
 * NOTE(review): RFC 6066 numbers these individual_certs(0) and pkipath(1),
 * whereas the two macros used here expand to 1 and 2 in this build. If the
 * header values are really 1/2, a conforming peer's type byte would be
 * displayed one step off (0 as unknown, 1 as "PKI Path"). Confirm the
 * macro definitions against the RFC before relying on this decode; the
 * fix, if needed, belongs in the header, not here. */
const value_string tls_cert_chain_type[] = {
    { SSL_HND_CERT_URL_TYPE_INDIVIDUAL_CERT, "Individual Certificates" },
    { SSL_HND_CERT_URL_TYPE_PKIPATH, "PKI Path" },
    { 0, NULL } /* sentinel: NULL string terminates the table */
};
1594
/* RFC 6066 Section 8 (ocsp, 1) and RFC 6961 (ocsp_multi, 2):
 * CertificateStatusType for the status_request / status_request_v2
 * extensions, i.e. OCSP stapling. RFC 6961 has since been deprecated by
 * RFC 8446, so ocsp_multi is mostly seen in older captures. */
const value_string tls_cert_status_type[] = {
    { SSL_HND_CERT_STATUS_TYPE_OCSP, "OCSP" },
    { SSL_HND_CERT_STATUS_TYPE_OCSP_MULTI, "OCSP Multi" },
    { 0, NULL } /* sentinel: NULL string terminates the table */
};
1600
1601/* Generated by tools/dissector_generators/generate-tls-ct-logids.py
1602 * Last-Modified Sat, 15 Nov 2025 14:27:28 GMT, 187 entries. */
1603static const bytes_string ct_logids[] = {
1604 { (const uint8_t[]){
1605 0xb2, 0x1e, 0x05, 0xcc, 0x8b, 0xa2, 0xcd, 0x8a, 0x20, 0x4e, 0x87,
1606 0x66, 0xf9, 0x2b, 0xb9, 0x8a, 0x25, 0x20, 0x67, 0x6b, 0xda, 0xfa,
1607 0x70, 0xe7, 0xb2, 0x49, 0x53, 0x2d, 0xef, 0x8b, 0x90, 0x5e,
1608 },
1609 32, "Google 'Argon2020' log" },
1610 { (const uint8_t[]){
1611 0xf6, 0x5c, 0x94, 0x2f, 0xd1, 0x77, 0x30, 0x22, 0x14, 0x54, 0x18,
1612 0x08, 0x30, 0x94, 0x56, 0x8e, 0xe3, 0x4d, 0x13, 0x19, 0x33, 0xbf,
1613 0xdf, 0x0c, 0x2f, 0x20, 0x0b, 0xcc, 0x4e, 0xf1, 0x64, 0xe3,
1614 },
1615 32, "Google 'Argon2021' log" },
1616 { (const uint8_t[]){
1617 0x29, 0x79, 0xbe, 0xf0, 0x9e, 0x39, 0x39, 0x21, 0xf0, 0x56, 0x73,
1618 0x9f, 0x63, 0xa5, 0x77, 0xe5, 0xbe, 0x57, 0x7d, 0x9c, 0x60, 0x0a,
1619 0xf8, 0xf9, 0x4d, 0x5d, 0x26, 0x5c, 0x25, 0x5d, 0xc7, 0x84,
1620 },
1621 32, "Google 'Argon2022' log" },
1622 { (const uint8_t[]){
1623 0xe8, 0x3e, 0xd0, 0xda, 0x3e, 0xf5, 0x06, 0x35, 0x32, 0xe7, 0x57,
1624 0x28, 0xbc, 0x89, 0x6b, 0xc9, 0x03, 0xd3, 0xcb, 0xd1, 0x11, 0x6b,
1625 0xec, 0xeb, 0x69, 0xe1, 0x77, 0x7d, 0x6d, 0x06, 0xbd, 0x6e,
1626 },
1627 32, "Google 'Argon2023' log" },
1628 { (const uint8_t[]){
1629 0xee, 0xcd, 0xd0, 0x64, 0xd5, 0xdb, 0x1a, 0xce, 0xc5, 0x5c, 0xb7,
1630 0x9d, 0xb4, 0xcd, 0x13, 0xa2, 0x32, 0x87, 0x46, 0x7c, 0xbc, 0xec,
1631 0xde, 0xc3, 0x51, 0x48, 0x59, 0x46, 0x71, 0x1f, 0xb5, 0x9b,
1632 },
1633 32, "Google 'Argon2024' log" },
1634 { (const uint8_t[]){
1635 0x4e, 0x75, 0xa3, 0x27, 0x5c, 0x9a, 0x10, 0xc3, 0x38, 0x5b, 0x6c,
1636 0xd4, 0xdf, 0x3f, 0x52, 0xeb, 0x1d, 0xf0, 0xe0, 0x8e, 0x1b, 0x8d,
1637 0x69, 0xc0, 0xb1, 0xfa, 0x64, 0xb1, 0x62, 0x9a, 0x39, 0xdf,
1638 },
1639 32, "Google 'Argon2025h1' log" },
1640 { (const uint8_t[]){
1641 0x12, 0xf1, 0x4e, 0x34, 0xbd, 0x53, 0x72, 0x4c, 0x84, 0x06, 0x19,
1642 0xc3, 0x8f, 0x3f, 0x7a, 0x13, 0xf8, 0xe7, 0xb5, 0x62, 0x87, 0x88,
1643 0x9c, 0x6d, 0x30, 0x05, 0x84, 0xeb, 0xe5, 0x86, 0x26, 0x3a,
1644 },
1645 32, "Google 'Argon2025h2' log" },
1646 { (const uint8_t[]){
1647 0x0e, 0x57, 0x94, 0xbc, 0xf3, 0xae, 0xa9, 0x3e, 0x33, 0x1b, 0x2c,
1648 0x99, 0x07, 0xb3, 0xf7, 0x90, 0xdf, 0x9b, 0xc2, 0x3d, 0x71, 0x32,
1649 0x25, 0xdd, 0x21, 0xa9, 0x25, 0xac, 0x61, 0xc5, 0x4e, 0x21,
1650 },
1651 32, "Google 'Argon2026h1' log" },
1652 { (const uint8_t[]){
1653 0xd7, 0x6d, 0x7d, 0x10, 0xd1, 0xa7, 0xf5, 0x77, 0xc2, 0xc7, 0xe9,
1654 0x5f, 0xd7, 0x00, 0xbf, 0xf9, 0x82, 0xc9, 0x33, 0x5a, 0x65, 0xe1,
1655 0xd0, 0xb3, 0x01, 0x73, 0x17, 0xc0, 0xc8, 0xc5, 0x69, 0x77,
1656 },
1657 32, "Google 'Argon2026h2' log" },
1658 { (const uint8_t[]){
1659 0xd6, 0xd5, 0x8d, 0xa9, 0xd0, 0x17, 0x53, 0xf3, 0x6a, 0x4a, 0xa0,
1660 0xc7, 0x57, 0x49, 0x02, 0xaf, 0xeb, 0xc7, 0xdc, 0x2c, 0xd3, 0x8c,
1661 0xd9, 0xf7, 0x64, 0xc8, 0x0c, 0x89, 0x19, 0x1e, 0x9f, 0x02,
1662 },
1663 32, "Google 'Argon2027h1'" },
1664 { (const uint8_t[]){
1665 0x07, 0xb7, 0x5c, 0x1b, 0xe5, 0x7d, 0x68, 0xff, 0xf1, 0xb0, 0xc6,
1666 0x1d, 0x23, 0x15, 0xc7, 0xba, 0xe6, 0x57, 0x7c, 0x57, 0x94, 0xb7,
1667 0x6a, 0xee, 0xbc, 0x61, 0x3a, 0x1a, 0x69, 0xd3, 0xa2, 0x1c,
1668 },
1669 32, "Google 'Xenon2020' log" },
1670 { (const uint8_t[]){
1671 0x7d, 0x3e, 0xf2, 0xf8, 0x8f, 0xff, 0x88, 0x55, 0x68, 0x24, 0xc2,
1672 0xc0, 0xca, 0x9e, 0x52, 0x89, 0x79, 0x2b, 0xc5, 0x0e, 0x78, 0x09,
1673 0x7f, 0x2e, 0x6a, 0x97, 0x68, 0x99, 0x7e, 0x22, 0xf0, 0xd7,
1674 },
1675 32, "Google 'Xenon2021' log" },
1676 { (const uint8_t[]){
1677 0x46, 0xa5, 0x55, 0xeb, 0x75, 0xfa, 0x91, 0x20, 0x30, 0xb5, 0xa2,
1678 0x89, 0x69, 0xf4, 0xf3, 0x7d, 0x11, 0x2c, 0x41, 0x74, 0xbe, 0xfd,
1679 0x49, 0xb8, 0x85, 0xab, 0xf2, 0xfc, 0x70, 0xfe, 0x6d, 0x47,
1680 },
1681 32, "Google 'Xenon2022' log" },
1682 { (const uint8_t[]){
1683 0xad, 0xf7, 0xbe, 0xfa, 0x7c, 0xff, 0x10, 0xc8, 0x8b, 0x9d, 0x3d,
1684 0x9c, 0x1e, 0x3e, 0x18, 0x6a, 0xb4, 0x67, 0x29, 0x5d, 0xcf, 0xb1,
1685 0x0c, 0x24, 0xca, 0x85, 0x86, 0x34, 0xeb, 0xdc, 0x82, 0x8a,
1686 },
1687 32, "Google 'Xenon2023' log" },
1688 { (const uint8_t[]){
1689 0x76, 0xff, 0x88, 0x3f, 0x0a, 0xb6, 0xfb, 0x95, 0x51, 0xc2, 0x61,
1690 0xcc, 0xf5, 0x87, 0xba, 0x34, 0xb4, 0xa4, 0xcd, 0xbb, 0x29, 0xdc,
1691 0x68, 0x42, 0x0a, 0x9f, 0xe6, 0x67, 0x4c, 0x5a, 0x3a, 0x74,
1692 },
1693 32, "Google 'Xenon2024' log" },
1694 { (const uint8_t[]){
1695 0xcf, 0x11, 0x56, 0xee, 0xd5, 0x2e, 0x7c, 0xaf, 0xf3, 0x87, 0x5b,
1696 0xd9, 0x69, 0x2e, 0x9b, 0xe9, 0x1a, 0x71, 0x67, 0x4a, 0xb0, 0x17,
1697 0xec, 0xac, 0x01, 0xd2, 0x5b, 0x77, 0xce, 0xcc, 0x3b, 0x08,
1698 },
1699 32, "Google 'Xenon2025h1' log" },
1700 { (const uint8_t[]){
1701 0xdd, 0xdc, 0xca, 0x34, 0x95, 0xd7, 0xe1, 0x16, 0x05, 0xe7, 0x95,
1702 0x32, 0xfa, 0xc7, 0x9f, 0xf8, 0x3d, 0x1c, 0x50, 0xdf, 0xdb, 0x00,
1703 0x3a, 0x14, 0x12, 0x76, 0x0a, 0x2c, 0xac, 0xbb, 0xc8, 0x2a,
1704 },
1705 32, "Google 'Xenon2025h2' log" },
1706 { (const uint8_t[]){
1707 0x96, 0x97, 0x64, 0xbf, 0x55, 0x58, 0x97, 0xad, 0xf7, 0x43, 0x87,
1708 0x68, 0x37, 0x08, 0x42, 0x77, 0xe9, 0xf0, 0x3a, 0xd5, 0xf6, 0xa4,
1709 0xf3, 0x36, 0x6e, 0x46, 0xa4, 0x3f, 0x0f, 0xca, 0xa9, 0xc6,
1710 },
1711 32, "Google 'Xenon2026h1' log" },
1712 { (const uint8_t[]){
1713 0xd8, 0x09, 0x55, 0x3b, 0x94, 0x4f, 0x7a, 0xff, 0xc8, 0x16, 0x19,
1714 0x6f, 0x94, 0x4f, 0x85, 0xab, 0xb0, 0xf8, 0xfc, 0x5e, 0x87, 0x55,
1715 0x26, 0x0f, 0x15, 0xd1, 0x2e, 0x72, 0xbb, 0x45, 0x4b, 0x14,
1716 },
1717 32, "Google 'Xenon2026h2' log" },
1718 { (const uint8_t[]){
1719 0x44, 0xc2, 0xbd, 0x0c, 0xe9, 0x14, 0x0e, 0x64, 0xa5, 0xc9, 0x4a,
1720 0x01, 0x93, 0x0a, 0x5a, 0xa1, 0xbb, 0x35, 0x97, 0x0e, 0x00, 0xee,
1721 0x11, 0x16, 0x89, 0x68, 0x2a, 0x1c, 0x44, 0xd7, 0xb5, 0x66,
1722 },
1723 32, "Google 'Xenon2027h1'" },
1724 { (const uint8_t[]){
1725 0x68, 0xf6, 0x98, 0xf8, 0x1f, 0x64, 0x82, 0xbe, 0x3a, 0x8c, 0xee,
1726 0xb9, 0x28, 0x1d, 0x4c, 0xfc, 0x71, 0x51, 0x5d, 0x67, 0x93, 0xd4,
1727 0x44, 0xd1, 0x0a, 0x67, 0xac, 0xbb, 0x4f, 0x4f, 0xfb, 0xc4,
1728 },
1729 32, "Google 'Aviator' log" },
1730 { (const uint8_t[]){
1731 0x29, 0x3c, 0x51, 0x96, 0x54, 0xc8, 0x39, 0x65, 0xba, 0xaa, 0x50,
1732 0xfc, 0x58, 0x07, 0xd4, 0xb7, 0x6f, 0xbf, 0x58, 0x7a, 0x29, 0x72,
1733 0xdc, 0xa4, 0xc3, 0x0c, 0xf4, 0xe5, 0x45, 0x47, 0xf4, 0x78,
1734 },
1735 32, "Google 'Icarus' log" },
1736 { (const uint8_t[]){
1737 0xa4, 0xb9, 0x09, 0x90, 0xb4, 0x18, 0x58, 0x14, 0x87, 0xbb, 0x13,
1738 0xa2, 0xcc, 0x67, 0x70, 0x0a, 0x3c, 0x35, 0x98, 0x04, 0xf9, 0x1b,
1739 0xdf, 0xb8, 0xe3, 0x77, 0xcd, 0x0e, 0xc8, 0x0d, 0xdc, 0x10,
1740 },
1741 32, "Google 'Pilot' log" },
1742 { (const uint8_t[]){
1743 0xee, 0x4b, 0xbd, 0xb7, 0x75, 0xce, 0x60, 0xba, 0xe1, 0x42, 0x69,
1744 0x1f, 0xab, 0xe1, 0x9e, 0x66, 0xa3, 0x0f, 0x7e, 0x5f, 0xb0, 0x72,
1745 0xd8, 0x83, 0x00, 0xc4, 0x7b, 0x89, 0x7a, 0xa8, 0xfd, 0xcb,
1746 },
1747 32, "Google 'Rocketeer' log" },
1748 { (const uint8_t[]){
1749 0xbb, 0xd9, 0xdf, 0xbc, 0x1f, 0x8a, 0x71, 0xb5, 0x93, 0x94, 0x23,
1750 0x97, 0xaa, 0x92, 0x7b, 0x47, 0x38, 0x57, 0x95, 0x0a, 0xab, 0x52,
1751 0xe8, 0x1a, 0x90, 0x96, 0x64, 0x36, 0x8e, 0x1e, 0xd1, 0x85,
1752 },
1753 32, "Google 'Skydiver' log" },
1754 { (const uint8_t[]){
1755 0xfa, 0xd4, 0xc9, 0x7c, 0xc4, 0x9e, 0xe2, 0xf8, 0xac, 0x85, 0xc5,
1756 0xea, 0x5c, 0xea, 0x09, 0xd0, 0x22, 0x0d, 0xbb, 0xf4, 0xe4, 0x9c,
1757 0x6b, 0x50, 0x66, 0x2f, 0xf8, 0x68, 0xf8, 0x6b, 0x8c, 0x28,
1758 },
1759 32, "Google 'Argon2017' log" },
1760 { (const uint8_t[]){
1761 0xa4, 0x50, 0x12, 0x69, 0x05, 0x5a, 0x15, 0x54, 0x5e, 0x62, 0x11,
1762 0xab, 0x37, 0xbc, 0x10, 0x3f, 0x62, 0xae, 0x55, 0x76, 0xa4, 0x5e,
1763 0x4b, 0x17, 0x14, 0x45, 0x3e, 0x1b, 0x22, 0x10, 0x6a, 0x25,
1764 },
1765 32, "Google 'Argon2018' log" },
1766 { (const uint8_t[]){
1767 0x63, 0xf2, 0xdb, 0xcd, 0xe8, 0x3b, 0xcc, 0x2c, 0xcf, 0x0b, 0x72,
1768 0x84, 0x27, 0x57, 0x6b, 0x33, 0xa4, 0x8d, 0x61, 0x77, 0x8f, 0xbd,
1769 0x75, 0xa6, 0x38, 0xb1, 0xc7, 0x68, 0x54, 0x4b, 0xd8, 0x8d,
1770 },
1771 32, "Google 'Argon2019' log" },
1772 { (const uint8_t[]){
1773 0xb1, 0x0c, 0xd5, 0x59, 0xa6, 0xd6, 0x78, 0x46, 0x81, 0x1f, 0x7d,
1774 0xf9, 0xa5, 0x15, 0x32, 0x73, 0x9a, 0xc4, 0x8d, 0x70, 0x3b, 0xea,
1775 0x03, 0x23, 0xda, 0x5d, 0x38, 0x75, 0x5b, 0xc0, 0xad, 0x4e,
1776 },
1777 32, "Google 'Xenon2018' log" },
1778 { (const uint8_t[]){
1779 0x08, 0x41, 0x14, 0x98, 0x00, 0x71, 0x53, 0x2c, 0x16, 0x19, 0x04,
1780 0x60, 0xbc, 0xfc, 0x47, 0xfd, 0xc2, 0x65, 0x3a, 0xfa, 0x29, 0x2c,
1781 0x72, 0xb3, 0x7f, 0xf8, 0x63, 0xae, 0x29, 0xcc, 0xc9, 0xf0,
1782 },
1783 32, "Google 'Xenon2019' log" },
1784 { (const uint8_t[]){
1785 0xa8, 0x99, 0xd8, 0x78, 0x0c, 0x92, 0x90, 0xaa, 0xf4, 0x62, 0xf3,
1786 0x18, 0x80, 0xcc, 0xfb, 0xd5, 0x24, 0x51, 0xe9, 0x70, 0xd0, 0xfb,
1787 0xf5, 0x91, 0xef, 0x75, 0xb0, 0xd9, 0x9b, 0x64, 0x56, 0x81,
1788 },
1789 32, "Google 'Submariner' log" },
1790 { (const uint8_t[]){
1791 0x1d, 0x02, 0x4b, 0x8e, 0xb1, 0x49, 0x8b, 0x34, 0x4d, 0xfd, 0x87,
1792 0xea, 0x3e, 0xfc, 0x09, 0x96, 0xf7, 0x50, 0x6f, 0x23, 0x5d, 0x1d,
1793 0x49, 0x70, 0x61, 0xa4, 0x77, 0x3c, 0x43, 0x9c, 0x25, 0xfb,
1794 },
1795 32, "Google 'Daedalus' log" },
1796 { (const uint8_t[]){
1797 0xb0, 0xcc, 0x83, 0xe5, 0xa5, 0xf9, 0x7d, 0x6b, 0xaf, 0x7c, 0x09,
1798 0xcc, 0x28, 0x49, 0x04, 0x87, 0x2a, 0xc7, 0xe8, 0x8b, 0x13, 0x2c,
1799 0x63, 0x50, 0xb7, 0xc6, 0xfd, 0x26, 0xe1, 0x6c, 0x6c, 0x77,
1800 },
1801 32, "Google 'Testtube' log" },
1802 { (const uint8_t[]){
1803 0xc3, 0xbf, 0x03, 0xa7, 0xe1, 0xca, 0x88, 0x41, 0xc6, 0x07, 0xba,
1804 0xe3, 0xff, 0x42, 0x70, 0xfc, 0xa5, 0xec, 0x45, 0xb1, 0x86, 0xeb,
1805 0xbe, 0x4e, 0x2c, 0xf3, 0xfc, 0x77, 0x86, 0x30, 0xf5, 0xf6,
1806 },
1807 32, "Google 'Crucible' log" },
1808 { (const uint8_t[]){
1809 0x52, 0xeb, 0x4b, 0x22, 0x5e, 0xc8, 0x96, 0x97, 0x48, 0x50, 0x67,
1810 0x5f, 0x23, 0xe4, 0x3b, 0xc1, 0xd0, 0x21, 0xe3, 0x21, 0x4c, 0xe5,
1811 0x2e, 0xcd, 0x5f, 0xa8, 0x7c, 0x20, 0x3c, 0xdf, 0xca, 0x03,
1812 },
1813 32, "Google 'Solera2018' log" },
1814 { (const uint8_t[]){
1815 0x0b, 0x76, 0x0e, 0x9a, 0x8b, 0x9a, 0x68, 0x2f, 0x88, 0x98, 0x5b,
1816 0x15, 0xe9, 0x47, 0x50, 0x1a, 0x56, 0x44, 0x6b, 0xba, 0x88, 0x30,
1817 0x78, 0x5c, 0x38, 0x42, 0x99, 0x43, 0x86, 0x45, 0x0c, 0x00,
1818 },
1819 32, "Google 'Solera2019' log" },
1820 { (const uint8_t[]){
1821 0x1f, 0xc7, 0x2c, 0xe5, 0xa1, 0xb7, 0x99, 0xf4, 0x00, 0xc3, 0x59,
1822 0xbf, 0xf9, 0x6c, 0xa3, 0x91, 0x35, 0x48, 0xe8, 0x64, 0x42, 0x20,
1823 0x61, 0x09, 0x52, 0xe9, 0xba, 0x17, 0x74, 0xf7, 0xba, 0xc7,
1824 },
1825 32, "Google 'Solera2020' log" },
1826 { (const uint8_t[]){
1827 0xa3, 0xc9, 0x98, 0x45, 0xe8, 0x0a, 0xb7, 0xce, 0x00, 0x15, 0x7b,
1828 0x37, 0x42, 0xdf, 0x02, 0x07, 0xdd, 0x27, 0x2b, 0x2b, 0x60, 0x2e,
1829 0xcf, 0x98, 0xee, 0x2c, 0x12, 0xdb, 0x9c, 0x5a, 0xe7, 0xe7,
1830 },
1831 32, "Google 'Solera2021' log" },
1832 { (const uint8_t[]){
1833 0x69, 0x7a, 0xaf, 0xca, 0x1a, 0x6b, 0x53, 0x6f, 0xae, 0x21, 0x20,
1834 0x50, 0x46, 0xde, 0xba, 0xd7, 0xe0, 0xea, 0xea, 0x13, 0xd2, 0x43,
1835 0x2e, 0x6e, 0x9d, 0x8f, 0xb3, 0x79, 0xf2, 0xb9, 0xaa, 0xf3,
1836 },
1837 32, "Google 'Solera2022' log" },
1838 { (const uint8_t[]){
1839 0xf9, 0x7e, 0x97, 0xb8, 0xd3, 0x3e, 0xf7, 0xa1, 0x59, 0x02, 0xa5,
1840 0x3a, 0x19, 0xe1, 0x79, 0x90, 0xe5, 0xdc, 0x40, 0x6a, 0x03, 0x18,
1841 0x25, 0xba, 0xad, 0x93, 0xe9, 0x8f, 0x9b, 0x9c, 0x69, 0xcb,
1842 },
1843 32, "Google 'Solera2023' log" },
1844 { (const uint8_t[]){
1845 0x30, 0x24, 0xce, 0x7e, 0xeb, 0x16, 0x88, 0x62, 0x72, 0x4b, 0xea,
1846 0x70, 0x2e, 0xff, 0xf9, 0x92, 0xcf, 0xe4, 0x56, 0x43, 0x41, 0x91,
1847 0xaa, 0x59, 0x5b, 0x25, 0xf8, 0x02, 0x26, 0xc8, 0x00, 0x17,
1848 },
1849 32, "Google 'Solera2024' log" },
1850 { (const uint8_t[]){
1851 0x3f, 0xe1, 0xcb, 0x46, 0xed, 0x47, 0x35, 0x79, 0xaf, 0x01, 0x41,
1852 0xf9, 0x72, 0x4d, 0x9d, 0xc4, 0x43, 0x47, 0x2d, 0x75, 0x6e, 0x85,
1853 0xe7, 0x71, 0x9c, 0x55, 0x82, 0x48, 0x5d, 0xd4, 0xe1, 0xe4,
1854 },
1855 32, "Google 'Solera2025h1' log" },
1856 { (const uint8_t[]){
1857 0x26, 0x02, 0x39, 0x48, 0x87, 0x4c, 0xf7, 0xfc, 0xd0, 0xfb, 0x64,
1858 0x71, 0xa4, 0x3e, 0x84, 0x7e, 0xbb, 0x20, 0x0a, 0xe6, 0xe2, 0xfa,
1859 0x24, 0x23, 0x6d, 0xf6, 0xd1, 0xa6, 0x06, 0x63, 0x0f, 0xb1,
1860 },
1861 32, "Google 'Solera2025h2' log" },
1862 { (const uint8_t[]){
1863 0xc8, 0x4b, 0x90, 0x7a, 0x07, 0xbe, 0xaa, 0x29, 0xa6, 0x14, 0xc2,
1864 0x45, 0x84, 0xb7, 0xa3, 0xf6, 0x62, 0x43, 0x94, 0x68, 0x7b, 0x25,
1865 0xfe, 0x62, 0x83, 0x8b, 0x71, 0xec, 0x42, 0x2a, 0xd2, 0xf9,
1866 },
1867 32, "Google 'Solera2026h1' log" },
1868 { (const uint8_t[]){
1869 0x62, 0xe9, 0x00, 0x60, 0x04, 0xa3, 0x07, 0x95, 0x5a, 0x75, 0x44,
1870 0xb4, 0xd5, 0x84, 0xa9, 0x62, 0x68, 0xca, 0x1d, 0x6e, 0x45, 0x85,
1871 0xad, 0xf0, 0x91, 0x6d, 0xfe, 0x5f, 0xdc, 0x1f, 0x04, 0xdb,
1872 },
1873 32, "Google 'Solera2026h2' log" },
1874 { (const uint8_t[]){
1875 0x3d, 0xe4, 0x92, 0xa8, 0x98, 0x93, 0xad, 0x70, 0x5e, 0x78, 0x46,
1876 0xed, 0x21, 0xd4, 0x8d, 0xca, 0xfb, 0xad, 0x13, 0x9e, 0xa6, 0x4e,
1877 0xd1, 0xe3, 0x49, 0xf9, 0x00, 0xb0, 0xa2, 0xcd, 0xa5, 0xe2,
1878 },
1879 32, "Google 'Solera2027h1' log" },
1880 { (const uint8_t[]){
1881 0x5e, 0xa7, 0x73, 0xf9, 0xdf, 0x56, 0xc0, 0xe7, 0xb5, 0x36, 0x48,
1882 0x7d, 0xd0, 0x49, 0xe0, 0x32, 0x7a, 0x91, 0x9a, 0x0c, 0x84, 0xa1,
1883 0x12, 0x12, 0x84, 0x18, 0x75, 0x96, 0x81, 0x71, 0x45, 0x58,
1884 },
1885 32, "Cloudflare 'Nimbus2020' Log" },
1886 { (const uint8_t[]){
1887 0x44, 0x94, 0x65, 0x2e, 0xb0, 0xee, 0xce, 0xaf, 0xc4, 0x40, 0x07,
1888 0xd8, 0xa8, 0xfe, 0x28, 0xc0, 0xda, 0xe6, 0x82, 0xbe, 0xd8, 0xcb,
1889 0x31, 0xb5, 0x3f, 0xd3, 0x33, 0x96, 0xb5, 0xb6, 0x81, 0xa8,
1890 },
1891 32, "Cloudflare 'Nimbus2021' Log" },
1892 { (const uint8_t[]){
1893 0x41, 0xc8, 0xca, 0xb1, 0xdf, 0x22, 0x46, 0x4a, 0x10, 0xc6, 0xa1,
1894 0x3a, 0x09, 0x42, 0x87, 0x5e, 0x4e, 0x31, 0x8b, 0x1b, 0x03, 0xeb,
1895 0xeb, 0x4b, 0xc7, 0x68, 0xf0, 0x90, 0x62, 0x96, 0x06, 0xf6,
1896 },
1897 32, "Cloudflare 'Nimbus2022' Log" },
1898 { (const uint8_t[]){
1899 0x7a, 0x32, 0x8c, 0x54, 0xd8, 0xb7, 0x2d, 0xb6, 0x20, 0xea, 0x38,
1900 0xe0, 0x52, 0x1e, 0xe9, 0x84, 0x16, 0x70, 0x32, 0x13, 0x85, 0x4d,
1901 0x3b, 0xd2, 0x2b, 0xc1, 0x3a, 0x57, 0xa3, 0x52, 0xeb, 0x52,
1902 },
1903 32, "Cloudflare 'Nimbus2023' Log" },
1904 { (const uint8_t[]){
1905 0xda, 0xb6, 0xbf, 0x6b, 0x3f, 0xb5, 0xb6, 0x22, 0x9f, 0x9b, 0xc2,
1906 0xbb, 0x5c, 0x6b, 0xe8, 0x70, 0x91, 0x71, 0x6c, 0xbb, 0x51, 0x84,
1907 0x85, 0x34, 0xbd, 0xa4, 0x3d, 0x30, 0x48, 0xd7, 0xfb, 0xab,
1908 },
1909 32, "Cloudflare 'Nimbus2024' Log" },
1910 { (const uint8_t[]){
1911 0xcc, 0xfb, 0x0f, 0x6a, 0x85, 0x71, 0x09, 0x65, 0xfe, 0x95, 0x9b,
1912 0x53, 0xce, 0xe9, 0xb2, 0x7c, 0x22, 0xe9, 0x85, 0x5c, 0x0d, 0x97,
1913 0x8d, 0xb6, 0xa9, 0x7e, 0x54, 0xc0, 0xfe, 0x4c, 0x0d, 0xb0,
1914 },
1915 32, "Cloudflare 'Nimbus2025'" },
1916 { (const uint8_t[]){
1917 0xcb, 0x38, 0xf7, 0x15, 0x89, 0x7c, 0x84, 0xa1, 0x44, 0x5f, 0x5b,
1918 0xc1, 0xdd, 0xfb, 0xc9, 0x6e, 0xf2, 0x9a, 0x59, 0xcd, 0x47, 0x0a,
1919 0x69, 0x05, 0x85, 0xb0, 0xcb, 0x14, 0xc3, 0x14, 0x58, 0xe7,
1920 },
1921 32, "Cloudflare 'Nimbus2026'" },
1922 { (const uint8_t[]){
1923 0x4c, 0x63, 0xdc, 0x98, 0xe5, 0x9c, 0x1d, 0xab, 0x88, 0xf6, 0x1e,
1924 0x8a, 0x3d, 0xde, 0xae, 0x8f, 0xab, 0x44, 0xa3, 0x37, 0x7b, 0x5f,
1925 0x9b, 0x94, 0xc3, 0xfb, 0xa1, 0x9c, 0xfc, 0xc1, 0xbe, 0x26,
1926 },
1927 32, "Cloudflare 'Nimbus2027'" },
1928 { (const uint8_t[]){
1929 0x1f, 0xbc, 0x36, 0xe0, 0x02, 0xed, 0xe9, 0x7f, 0x40, 0x19, 0x9e,
1930 0x86, 0xb3, 0x57, 0x3b, 0x8a, 0x42, 0x17, 0xd8, 0x01, 0x87, 0x74,
1931 0x6a, 0xd0, 0xda, 0x03, 0xa0, 0x60, 0x54, 0xd2, 0x0d, 0xf4,
1932 },
1933 32, "Cloudflare 'Nimbus2017' Log" },
1934 { (const uint8_t[]){
1935 0xdb, 0x74, 0xaf, 0xee, 0xcb, 0x29, 0xec, 0xb1, 0xfe, 0xca, 0x3e,
1936 0x71, 0x6d, 0x2c, 0xe5, 0xb9, 0xaa, 0xbb, 0x36, 0xf7, 0x84, 0x71,
1937 0x83, 0xc7, 0x5d, 0x9d, 0x4f, 0x37, 0xb6, 0x1f, 0xbf, 0x64,
1938 },
1939 32, "Cloudflare 'Nimbus2018' Log" },
1940 { (const uint8_t[]){
1941 0x74, 0x7e, 0xda, 0x83, 0x31, 0xad, 0x33, 0x10, 0x91, 0x21, 0x9c,
1942 0xce, 0x25, 0x4f, 0x42, 0x70, 0xc2, 0xbf, 0xfd, 0x5e, 0x42, 0x20,
1943 0x08, 0xc6, 0x37, 0x35, 0x79, 0xe6, 0x10, 0x7b, 0xcc, 0x56,
1944 },
1945 32, "Cloudflare 'Nimbus2019' Log" },
1946 { (const uint8_t[]){
1947 0x56, 0x14, 0x06, 0x9a, 0x2f, 0xd7, 0xc2, 0xec, 0xd3, 0xf5, 0xe1,
1948 0xbd, 0x44, 0xb2, 0x3e, 0xc7, 0x46, 0x76, 0xb9, 0xbc, 0x99, 0x11,
1949 0x5c, 0xc0, 0xef, 0x94, 0x98, 0x55, 0xd6, 0x89, 0xd0, 0xdd,
1950 },
1951 32, "DigiCert Log Server" },
1952 { (const uint8_t[]){
1953 0x87, 0x75, 0xbf, 0xe7, 0x59, 0x7c, 0xf8, 0x8c, 0x43, 0x99, 0x5f,
1954 0xbd, 0xf3, 0x6e, 0xff, 0x56, 0x8d, 0x47, 0x56, 0x36, 0xff, 0x4a,
1955 0xb5, 0x60, 0xc1, 0xb4, 0xea, 0xff, 0x5e, 0xa0, 0x83, 0x0f,
1956 },
1957 32, "DigiCert Log Server 2" },
1958 { (const uint8_t[]){
1959 0xf0, 0x95, 0xa4, 0x59, 0xf2, 0x00, 0xd1, 0x82, 0x40, 0x10, 0x2d,
1960 0x2f, 0x93, 0x88, 0x8e, 0xad, 0x4b, 0xfe, 0x1d, 0x47, 0xe3, 0x99,
1961 0xe1, 0xd0, 0x34, 0xa6, 0xb0, 0xa8, 0xaa, 0x8e, 0xb2, 0x73,
1962 },
1963 32, "DigiCert Yeti2020 Log" },
1964 { (const uint8_t[]){
1965 0x5c, 0xdc, 0x43, 0x92, 0xfe, 0xe6, 0xab, 0x45, 0x44, 0xb1, 0x5e,
1966 0x9a, 0xd4, 0x56, 0xe6, 0x10, 0x37, 0xfb, 0xd5, 0xfa, 0x47, 0xdc,
1967 0xa1, 0x73, 0x94, 0xb2, 0x5e, 0xe6, 0xf6, 0xc7, 0x0e, 0xca,
1968 },
1969 32, "DigiCert Yeti2021 Log" },
1970 { (const uint8_t[]){
1971 0x22, 0x45, 0x45, 0x07, 0x59, 0x55, 0x24, 0x56, 0x96, 0x3f, 0xa1,
1972 0x2f, 0xf1, 0xf7, 0x6d, 0x86, 0xe0, 0x23, 0x26, 0x63, 0xad, 0xc0,
1973 0x4b, 0x7f, 0x5d, 0xc6, 0x83, 0x5c, 0x6e, 0xe2, 0x0f, 0x02,
1974 },
1975 32, "DigiCert Yeti2022 Log" },
1976 { (const uint8_t[]){
1977 0x35, 0xcf, 0x19, 0x1b, 0xbf, 0xb1, 0x6c, 0x57, 0xbf, 0x0f, 0xad,
1978 0x4c, 0x6d, 0x42, 0xcb, 0xbb, 0xb6, 0x27, 0x20, 0x26, 0x51, 0xea,
1979 0x3f, 0xe1, 0x2a, 0xef, 0xa8, 0x03, 0xc3, 0x3b, 0xd6, 0x4c,
1980 },
1981 32, "DigiCert Yeti2023 Log" },
1982 { (const uint8_t[]){
1983 0x48, 0xb0, 0xe3, 0x6b, 0xda, 0xa6, 0x47, 0x34, 0x0f, 0xe5, 0x6a,
1984 0x02, 0xfa, 0x9d, 0x30, 0xeb, 0x1c, 0x52, 0x01, 0xcb, 0x56, 0xdd,
1985 0x2c, 0x81, 0xd9, 0xbb, 0xbf, 0xab, 0x39, 0xd8, 0x84, 0x73,
1986 },
1987 32, "DigiCert Yeti2024 Log" },
1988 { (const uint8_t[]){
1989 0x7d, 0x59, 0x1e, 0x12, 0xe1, 0x78, 0x2a, 0x7b, 0x1c, 0x61, 0x67,
1990 0x7c, 0x5e, 0xfd, 0xf8, 0xd0, 0x87, 0x5c, 0x14, 0xa0, 0x4e, 0x95,
1991 0x9e, 0xb9, 0x03, 0x2f, 0xd9, 0x0e, 0x8c, 0x2e, 0x79, 0xb8,
1992 },
1993 32, "DigiCert Yeti2025 Log" },
1994 { (const uint8_t[]){
1995 0xc6, 0x52, 0xa0, 0xec, 0x48, 0xce, 0xb3, 0xfc, 0xab, 0x17, 0x09,
1996 0x92, 0xc4, 0x3a, 0x87, 0x41, 0x33, 0x09, 0xe8, 0x00, 0x65, 0xa2,
1997 0x62, 0x52, 0x40, 0x1b, 0xa3, 0x36, 0x2a, 0x17, 0xc5, 0x65,
1998 },
1999 32, "DigiCert Nessie2020 Log" },
2000 { (const uint8_t[]){
2001 0xee, 0xc0, 0x95, 0xee, 0x8d, 0x72, 0x64, 0x0f, 0x92, 0xe3, 0xc3,
2002 0xb9, 0x1b, 0xc7, 0x12, 0xa3, 0x69, 0x6a, 0x09, 0x7b, 0x4b, 0x6a,
2003 0x1a, 0x14, 0x38, 0xe6, 0x47, 0xb2, 0xcb, 0xed, 0xc5, 0xf9,
2004 },
2005 32, "DigiCert Nessie2021 Log" },
2006 { (const uint8_t[]){
2007 0x51, 0xa3, 0xb0, 0xf5, 0xfd, 0x01, 0x79, 0x9c, 0x56, 0x6d, 0xb8,
2008 0x37, 0x78, 0x8f, 0x0c, 0xa4, 0x7a, 0xcc, 0x1b, 0x27, 0xcb, 0xf7,
2009 0x9e, 0x88, 0x42, 0x9a, 0x0d, 0xfe, 0xd4, 0x8b, 0x05, 0xe5,
2010 },
2011 32, "DigiCert Nessie2022 Log" },
2012 { (const uint8_t[]){
2013 0xb3, 0x73, 0x77, 0x07, 0xe1, 0x84, 0x50, 0xf8, 0x63, 0x86, 0xd6,
2014 0x05, 0xa9, 0xdc, 0x11, 0x09, 0x4a, 0x79, 0x2d, 0xb1, 0x67, 0x0c,
2015 0x0b, 0x87, 0xdc, 0xf0, 0x03, 0x0e, 0x79, 0x36, 0xa5, 0x9a,
2016 },
2017 32, "DigiCert Nessie2023 Log" },
2018 { (const uint8_t[]){
2019 0x73, 0xd9, 0x9e, 0x89, 0x1b, 0x4c, 0x96, 0x78, 0xa0, 0x20, 0x7d,
2020 0x47, 0x9d, 0xe6, 0xb2, 0xc6, 0x1c, 0xd0, 0x51, 0x5e, 0x71, 0x19,
2021 0x2a, 0x8c, 0x6b, 0x80, 0x10, 0x7a, 0xc1, 0x77, 0x72, 0xb5,
2022 },
2023 32, "DigiCert Nessie2024 Log" },
2024 { (const uint8_t[]){
2025 0xe6, 0xd2, 0x31, 0x63, 0x40, 0x77, 0x8c, 0xc1, 0x10, 0x41, 0x06,
2026 0xd7, 0x71, 0xb9, 0xce, 0xc1, 0xd2, 0x40, 0xf6, 0x96, 0x84, 0x86,
2027 0xfb, 0xba, 0x87, 0x32, 0x1d, 0xfd, 0x1e, 0x37, 0x8e, 0x50,
2028 },
2029 32, "DigiCert Nessie2025 Log" },
2030 { (const uint8_t[]){
2031 0xb6, 0x9d, 0xdc, 0xbc, 0x3c, 0x1a, 0xbd, 0xef, 0x6f, 0x9f, 0xd6,
2032 0x0c, 0x88, 0xb1, 0x06, 0x7b, 0x77, 0xf0, 0x82, 0x68, 0x8b, 0x2d,
2033 0x78, 0x65, 0xd0, 0x4b, 0x39, 0xab, 0xe9, 0x27, 0xa5, 0x75,
2034 },
2035 32, "DigiCert 'Wyvern2024h1' Log" },
2036 { (const uint8_t[]){
2037 0x0c, 0x2a, 0xef, 0x2c, 0x4a, 0x5b, 0x98, 0x83, 0xd4, 0xdd, 0xa3,
2038 0x82, 0xfe, 0x50, 0xfb, 0x51, 0x88, 0xb3, 0xe9, 0x73, 0x33, 0xa1,
2039 0xec, 0x53, 0xa0, 0x9d, 0xc9, 0xa7, 0x9d, 0x0d, 0x08, 0x20,
2040 },
2041 32, "DigiCert 'Wyvern2024h2' Log" },
2042 { (const uint8_t[]){
2043 0x73, 0x20, 0x22, 0x0f, 0x08, 0x16, 0x8a, 0xf9, 0xf3, 0xc4, 0xa6,
2044 0x8b, 0x0a, 0xb2, 0x6a, 0x9a, 0x4a, 0x00, 0xee, 0xf5, 0x77, 0x85,
2045 0x8a, 0x08, 0x4d, 0x05, 0x00, 0xd4, 0xa5, 0x42, 0x44, 0x59,
2046 },
2047 32, "DigiCert 'Wyvern2025h1' Log" },
2048 { (const uint8_t[]){
2049 0xed, 0x3c, 0x4b, 0xd6, 0xe8, 0x06, 0xc2, 0xa4, 0xa2, 0x00, 0x57,
2050 0xdb, 0xcb, 0x24, 0xe2, 0x38, 0x01, 0xdf, 0x51, 0x2f, 0xed, 0xc4,
2051 0x86, 0xc5, 0x70, 0x0f, 0x20, 0xdd, 0xb7, 0x3e, 0x3f, 0xe0,
2052 },
2053 32, "DigiCert 'Wyvern2025h2' Log" },
2054 { (const uint8_t[]){
2055 0x64, 0x11, 0xc4, 0x6c, 0xa4, 0x12, 0xec, 0xa7, 0x89, 0x1c, 0xa2,
2056 0x02, 0x2e, 0x00, 0xbc, 0xab, 0x4f, 0x28, 0x07, 0xd4, 0x1e, 0x35,
2057 0x27, 0xab, 0xea, 0xfe, 0xd5, 0x03, 0xc9, 0x7d, 0xcd, 0xf0,
2058 },
2059 32, "DigiCert 'Wyvern2026h1'" },
2060 { (const uint8_t[]){
2061 0xc2, 0x31, 0x7e, 0x57, 0x45, 0x19, 0xa3, 0x45, 0xee, 0x7f, 0x38,
2062 0xde, 0xb2, 0x90, 0x41, 0xeb, 0xc7, 0xc2, 0x21, 0x5a, 0x22, 0xbf,
2063 0x7f, 0xd5, 0xb5, 0xad, 0x76, 0x9a, 0xd9, 0x0e, 0x52, 0xcd,
2064 },
2065 32, "DigiCert 'Wyvern2026h2'" },
2066 { (const uint8_t[]){
2067 0x00, 0x1a, 0x5d, 0x1a, 0x1c, 0x2d, 0x93, 0x75, 0xb6, 0x48, 0x55,
2068 0x78, 0xf8, 0x2f, 0x71, 0xa1, 0xae, 0x6e, 0xef, 0x39, 0x7d, 0x29,
2069 0x7c, 0x8a, 0xe3, 0x15, 0x7b, 0xca, 0xde, 0xe1, 0xa0, 0x1e,
2070 },
2071 32, "DigiCert 'Wyvern2027h1'" },
2072 { (const uint8_t[]){
2073 0x37, 0xaa, 0x07, 0xcc, 0x21, 0x6f, 0x2e, 0x6d, 0x91, 0x9c, 0x70,
2074 0x9d, 0x24, 0xd8, 0xf7, 0x31, 0xb0, 0x0f, 0x2b, 0x14, 0x7c, 0x62,
2075 0x1c, 0xc0, 0x91, 0xa5, 0xfa, 0x1a, 0x84, 0xd8, 0x16, 0xdd,
2076 },
2077 32, "DigiCert 'Wyvern2027h2'" },
2078 { (const uint8_t[]){
2079 0xdb, 0x07, 0x6c, 0xde, 0x6a, 0x8b, 0x78, 0xec, 0x58, 0xd6, 0x05,
2080 0x64, 0x96, 0xeb, 0x6a, 0x26, 0xa8, 0xc5, 0x9e, 0x72, 0x12, 0x93,
2081 0xe8, 0xac, 0x03, 0x27, 0xdd, 0xde, 0x89, 0xdb, 0x5a, 0x2a,
2082 },
2083 32, "DigiCert 'Sphinx2024h1' Log" },
2084 { (const uint8_t[]){
2085 0xdc, 0xc9, 0x5e, 0x6f, 0xa2, 0x99, 0xb9, 0xb0, 0xfd, 0xbd, 0x6c,
2086 0xa6, 0xa3, 0x6e, 0x1d, 0x72, 0xc4, 0x21, 0x2f, 0xdd, 0x1e, 0x0f,
2087 0x47, 0x55, 0x3a, 0x36, 0xd6, 0xcf, 0x1a, 0xd1, 0x1d, 0x8d,
2088 },
2089 32, "DigiCert 'Sphinx2024h2' Log" },
2090 { (const uint8_t[]){
2091 0xde, 0x85, 0x81, 0xd7, 0x50, 0x24, 0x7c, 0x6b, 0xcd, 0xcb, 0xaf,
2092 0x56, 0x37, 0xc5, 0xe7, 0x81, 0xc6, 0x4c, 0xe4, 0x6e, 0xd6, 0x17,
2093 0x63, 0x9f, 0x8f, 0x34, 0xa7, 0x26, 0xc9, 0xe2, 0xbd, 0x37,
2094 },
2095 32, "DigiCert 'Sphinx2025h1' Log" },
2096 { (const uint8_t[]){
2097 0xa4, 0x42, 0xc5, 0x06, 0x49, 0x60, 0x61, 0x54, 0x8f, 0x0f, 0xd4,
2098 0xea, 0x9c, 0xfb, 0x7a, 0x2d, 0x26, 0x45, 0x4d, 0x87, 0xa9, 0x7f,
2099 0x2f, 0xdf, 0x45, 0x59, 0xf6, 0x27, 0x4f, 0x3a, 0x84, 0x54,
2100 },
2101 32, "DigiCert 'Sphinx2025h2' Log" },
2102 { (const uint8_t[]){
2103 0x49, 0x9c, 0x9b, 0x69, 0xde, 0x1d, 0x7c, 0xec, 0xfc, 0x36, 0xde,
2104 0xcd, 0x87, 0x64, 0xa6, 0xb8, 0x5b, 0xaf, 0x0a, 0x87, 0x80, 0x19,
2105 0xd1, 0x55, 0x52, 0xfb, 0xe9, 0xeb, 0x29, 0xdd, 0xf8, 0xc3,
2106 },
2107 32, "DigiCert 'Sphinx2026h1'" },
2108 { (const uint8_t[]){
2109 0x94, 0x4e, 0x43, 0x87, 0xfa, 0xec, 0xc1, 0xef, 0x81, 0xf3, 0x19,
2110 0x24, 0x26, 0xa8, 0x18, 0x65, 0x01, 0xc7, 0xd3, 0x5f, 0x38, 0x02,
2111 0x01, 0x3f, 0x72, 0x67, 0x7d, 0x55, 0x37, 0x2e, 0x19, 0xd8,
2112 },
2113 32, "DigiCert 'Sphinx2026h2'" },
2114 { (const uint8_t[]){
2115 0x46, 0xa2, 0x39, 0x67, 0xc6, 0x0d, 0xb6, 0x46, 0x87, 0xc6, 0x6f,
2116 0x3d, 0xf9, 0x99, 0x94, 0x76, 0x93, 0xa6, 0xa6, 0x11, 0x20, 0x84,
2117 0x57, 0xd5, 0x55, 0xe7, 0xe3, 0xd0, 0xa1, 0xd9, 0xb6, 0x46,
2118 },
2119 32, "DigiCert 'sphinx2027h1'" },
2120 { (const uint8_t[]){
2121 0x1f, 0xb0, 0xf8, 0xa9, 0x2d, 0x8a, 0xdd, 0xa1, 0x21, 0x77, 0x6c,
2122 0x05, 0xe2, 0xaa, 0x2e, 0x15, 0xba, 0xcb, 0xc6, 0x2b, 0x65, 0x39,
2123 0x36, 0x95, 0x57, 0x6a, 0xaa, 0xb5, 0x2e, 0x11, 0xd1, 0x1d,
2124 },
2125 32, "DigiCert 'sphinx2027h2'" },
2126 { (const uint8_t[]){
2127 0xdd, 0xeb, 0x1d, 0x2b, 0x7a, 0x0d, 0x4f, 0xa6, 0x20, 0x8b, 0x81,
2128 0xad, 0x81, 0x68, 0x70, 0x7e, 0x2e, 0x8e, 0x9d, 0x01, 0xd5, 0x5c,
2129 0x88, 0x8d, 0x3d, 0x11, 0xc4, 0xcd, 0xb6, 0xec, 0xbe, 0xcc,
2130 },
2131 32, "Symantec log" },
2132 { (const uint8_t[]){
2133 0xbc, 0x78, 0xe1, 0xdf, 0xc5, 0xf6, 0x3c, 0x68, 0x46, 0x49, 0x33,
2134 0x4d, 0xa1, 0x0f, 0xa1, 0x5f, 0x09, 0x79, 0x69, 0x20, 0x09, 0xc0,
2135 0x81, 0xb4, 0xf3, 0xf6, 0x91, 0x7f, 0x3e, 0xd9, 0xb8, 0xa5,
2136 },
2137 32, "Symantec 'Vega' log" },
2138 { (const uint8_t[]){
2139 0x15, 0x97, 0x04, 0x88, 0xd7, 0xb9, 0x97, 0xa0, 0x5b, 0xeb, 0x52,
2140 0x51, 0x2a, 0xde, 0xe8, 0xd2, 0xe8, 0xb4, 0xa3, 0x16, 0x52, 0x64,
2141 0x12, 0x1a, 0x9f, 0xab, 0xfb, 0xd5, 0xf8, 0x5a, 0xd9, 0x3f,
2142 },
2143 32, "Symantec 'Sirius' log" },
2144 { (const uint8_t[]){
2145 0x05, 0x9c, 0x01, 0xd3, 0x20, 0xe0, 0x07, 0x84, 0x13, 0x95, 0x80,
2146 0x49, 0x8d, 0x11, 0x7c, 0x90, 0x32, 0x66, 0xaf, 0xaf, 0x72, 0x50,
2147 0xb5, 0xaf, 0x3b, 0x46, 0xa4, 0x3e, 0x11, 0x84, 0x0d, 0x4a,
2148 },
2149 32, "DigiCert Yeti2022-2 Log" },
2150 { (const uint8_t[]){
2151 0xc1, 0x16, 0x4a, 0xe0, 0xa7, 0x72, 0xd2, 0xd4, 0x39, 0x2d, 0xc8,
2152 0x0a, 0xc1, 0x07, 0x70, 0xd4, 0xf0, 0xc4, 0x9b, 0xde, 0x99, 0x1a,
2153 0x48, 0x40, 0xc1, 0xfa, 0x07, 0x51, 0x64, 0xf6, 0x33, 0x60,
2154 },
2155 32, "DigiCert Yeti2018 Log" },
2156 { (const uint8_t[]){
2157 0xe2, 0x69, 0x4b, 0xae, 0x26, 0xe8, 0xe9, 0x40, 0x09, 0xe8, 0x86,
2158 0x1b, 0xb6, 0x3b, 0x83, 0xd4, 0x3e, 0xe7, 0xfe, 0x74, 0x88, 0xfb,
2159 0xa4, 0x8f, 0x28, 0x93, 0x01, 0x9d, 0xdd, 0xf1, 0xdb, 0xfe,
2160 },
2161 32, "DigiCert Yeti2019 Log" },
2162 { (const uint8_t[]){
2163 0x6f, 0xf1, 0x41, 0xb5, 0x64, 0x7e, 0x42, 0x22, 0xf7, 0xef, 0x05,
2164 0x2c, 0xef, 0xae, 0x7c, 0x21, 0xfd, 0x60, 0x8e, 0x27, 0xd2, 0xaf,
2165 0x5a, 0x6e, 0x9f, 0x4b, 0x8a, 0x37, 0xd6, 0x63, 0x3e, 0xe5,
2166 },
2167 32, "DigiCert Nessie2018 Log" },
2168 { (const uint8_t[]){
2169 0xfe, 0x44, 0x61, 0x08, 0xb1, 0xd0, 0x1a, 0xb7, 0x8a, 0x62, 0xcc,
2170 0xfe, 0xab, 0x6a, 0xb2, 0xb2, 0xba, 0xbf, 0xf3, 0xab, 0xda, 0xd8,
2171 0x0a, 0x4d, 0x8b, 0x30, 0xdf, 0x2d, 0x00, 0x08, 0x83, 0x0c,
2172 },
2173 32, "DigiCert Nessie2019 Log" },
2174 { (const uint8_t[]){
2175 0xa7, 0xce, 0x4a, 0x4e, 0x62, 0x07, 0xe0, 0xad, 0xde, 0xe5, 0xfd,
2176 0xaa, 0x4b, 0x1f, 0x86, 0x76, 0x87, 0x67, 0xb5, 0xd0, 0x02, 0xa5,
2177 0x5d, 0x47, 0x31, 0x0e, 0x7e, 0x67, 0x0a, 0x95, 0xea, 0xb2,
2178 },
2179 32, "Symantec Deneb" },
2180 { (const uint8_t[]){
2181 0xcd, 0xb5, 0x17, 0x9b, 0x7f, 0xc1, 0xc0, 0x46, 0xfe, 0xea, 0x31,
2182 0x13, 0x6a, 0x3f, 0x8f, 0x00, 0x2e, 0x61, 0x82, 0xfa, 0xf8, 0x89,
2183 0x6f, 0xec, 0xc8, 0xb2, 0xf5, 0xb5, 0xab, 0x60, 0x49, 0x00,
2184 },
2185 32, "Certly.IO log" },
2186 { (const uint8_t[]){
2187 0x74, 0x61, 0xb4, 0xa0, 0x9c, 0xfb, 0x3d, 0x41, 0xd7, 0x51, 0x59,
2188 0x57, 0x5b, 0x2e, 0x76, 0x49, 0xa4, 0x45, 0xa8, 0xd2, 0x77, 0x09,
2189 0xb0, 0xcc, 0x56, 0x4a, 0x64, 0x82, 0xb7, 0xeb, 0x41, 0xa3,
2190 },
2191 32, "Izenpe log" },
2192 { (const uint8_t[]){
2193 0x89, 0x41, 0x44, 0x9c, 0x70, 0x74, 0x2e, 0x06, 0xb9, 0xfc, 0x9c,
2194 0xe7, 0xb1, 0x16, 0xba, 0x00, 0x24, 0xaa, 0x36, 0xd5, 0x9a, 0xf4,
2195 0x4f, 0x02, 0x04, 0x40, 0x4f, 0x00, 0xf7, 0xea, 0x85, 0x66,
2196 },
2197 32, "Izenpe 'Argi' log" },
2198 { (const uint8_t[]){
2199 0x41, 0xb2, 0xdc, 0x2e, 0x89, 0xe6, 0x3c, 0xe4, 0xaf, 0x1b, 0xa7,
2200 0xbb, 0x29, 0xbf, 0x68, 0xc6, 0xde, 0xe6, 0xf9, 0xf1, 0xcc, 0x04,
2201 0x7e, 0x30, 0xdf, 0xfa, 0xe3, 0xb3, 0xba, 0x25, 0x92, 0x63,
2202 },
2203 32, "WoSign log" },
2204 { (const uint8_t[]){
2205 0x9e, 0x4f, 0xf7, 0x3d, 0xc3, 0xce, 0x22, 0x0b, 0x69, 0x21, 0x7c,
2206 0x89, 0x9e, 0x46, 0x80, 0x76, 0xab, 0xf8, 0xd7, 0x86, 0x36, 0xd5,
2207 0xcc, 0xfc, 0x85, 0xa3, 0x1a, 0x75, 0x62, 0x8b, 0xa8, 0x8b,
2208 },
2209 32, "WoSign CT log #1" },
2210 { (const uint8_t[]){
2211 0x63, 0xd0, 0x00, 0x60, 0x26, 0xdd, 0xe1, 0x0b, 0xb0, 0x60, 0x1f,
2212 0x45, 0x24, 0x46, 0x96, 0x5e, 0xe2, 0xb6, 0xea, 0x2c, 0xd4, 0xfb,
2213 0xc9, 0x5a, 0xc8, 0x66, 0xa5, 0x50, 0xaf, 0x90, 0x75, 0xb7,
2214 },
2215 32, "WoSign log 2" },
2216 { (const uint8_t[]){
2217 0xac, 0x3b, 0x9a, 0xed, 0x7f, 0xa9, 0x67, 0x47, 0x57, 0x15, 0x9e,
2218 0x6d, 0x7d, 0x57, 0x56, 0x72, 0xf9, 0xd9, 0x81, 0x00, 0x94, 0x1e,
2219 0x9b, 0xde, 0xff, 0xec, 0xa1, 0x31, 0x3b, 0x75, 0x78, 0x2d,
2220 },
2221 32, "Venafi log" },
2222 { (const uint8_t[]){
2223 0x03, 0x01, 0x9d, 0xf3, 0xfd, 0x85, 0xa6, 0x9a, 0x8e, 0xbd, 0x1f,
2224 0xac, 0xc6, 0xda, 0x9b, 0xa7, 0x3e, 0x46, 0x97, 0x74, 0xfe, 0x77,
2225 0xf5, 0x79, 0xfc, 0x5a, 0x08, 0xb8, 0x32, 0x8c, 0x1d, 0x6b,
2226 },
2227 32, "Venafi Gen2 CT log" },
2228 { (const uint8_t[]){
2229 0xa5, 0x77, 0xac, 0x9c, 0xed, 0x75, 0x48, 0xdd, 0x8f, 0x02, 0x5b,
2230 0x67, 0xa2, 0x41, 0x08, 0x9d, 0xf8, 0x6e, 0x0f, 0x47, 0x6e, 0xc2,
2231 0x03, 0xc2, 0xec, 0xbe, 0xdb, 0x18, 0x5f, 0x28, 0x26, 0x38,
2232 },
2233 32, "CNNIC CT log" },
2234 { (const uint8_t[]){
2235 0x34, 0xbb, 0x6a, 0xd6, 0xc3, 0xdf, 0x9c, 0x03, 0xee, 0xa8, 0xa4,
2236 0x99, 0xff, 0x78, 0x91, 0x48, 0x6c, 0x9d, 0x5e, 0x5c, 0xac, 0x92,
2237 0xd0, 0x1f, 0x7b, 0xfd, 0x1b, 0xce, 0x19, 0xdb, 0x48, 0xef,
2238 },
2239 32, "StartCom log" },
2240 { (const uint8_t[]){
2241 0x55, 0x81, 0xd4, 0xc2, 0x16, 0x90, 0x36, 0x01, 0x4a, 0xea, 0x0b,
2242 0x9b, 0x57, 0x3c, 0x53, 0xf0, 0xc0, 0xe4, 0x38, 0x78, 0x70, 0x25,
2243 0x08, 0x17, 0x2f, 0xa3, 0xaa, 0x1d, 0x07, 0x13, 0xd3, 0x0c,
2244 },
2245 32, "Sectigo 'Sabre' CT log" },
2246 { (const uint8_t[]){
2247 0xa2, 0xe2, 0xbf, 0xd6, 0x1e, 0xde, 0x2f, 0x2f, 0x07, 0xa0, 0xd6,
2248 0x4e, 0x6d, 0x37, 0xa7, 0xdc, 0x65, 0x43, 0xb0, 0xc6, 0xb5, 0x2e,
2249 0xa2, 0xda, 0xb7, 0x8a, 0xf8, 0x9a, 0x6d, 0xf5, 0x17, 0xd8,
2250 },
2251 32, "Sectigo 'Sabre2024h1'" },
2252 { (const uint8_t[]){
2253 0x19, 0x98, 0x10, 0x71, 0x09, 0xf0, 0xd6, 0x52, 0x2e, 0x30, 0x80,
2254 0xd2, 0x9e, 0x3f, 0x64, 0xbb, 0x83, 0x6e, 0x28, 0xcc, 0xf9, 0x0f,
2255 0x52, 0x8e, 0xee, 0xdf, 0xce, 0x4a, 0x3f, 0x16, 0xb4, 0xca,
2256 },
2257 32, "Sectigo 'Sabre2024h2'" },
2258 { (const uint8_t[]){
2259 0xe0, 0x92, 0xb3, 0xfc, 0x0c, 0x1d, 0xc8, 0xe7, 0x68, 0x36, 0x1f,
2260 0xde, 0x61, 0xb9, 0x96, 0x4d, 0x0a, 0x52, 0x78, 0x19, 0x8a, 0x72,
2261 0xd6, 0x72, 0xc4, 0xb0, 0x4d, 0xa5, 0x6d, 0x6f, 0x54, 0x04,
2262 },
2263 32, "Sectigo 'Sabre2025h1'" },
2264 { (const uint8_t[]){
2265 0x1a, 0x04, 0xff, 0x49, 0xd0, 0x54, 0x1d, 0x40, 0xaf, 0xf6, 0xa0,
2266 0xc3, 0xbf, 0xf1, 0xd8, 0xc4, 0x67, 0x2f, 0x4e, 0xec, 0xee, 0x23,
2267 0x40, 0x68, 0x98, 0x6b, 0x17, 0x40, 0x2e, 0xdc, 0x89, 0x7d,
2268 },
2269 32, "Sectigo 'Sabre2025h2'" },
2270 { (const uint8_t[]){
2271 0x6f, 0x53, 0x76, 0xac, 0x31, 0xf0, 0x31, 0x19, 0xd8, 0x99, 0x00,
2272 0xa4, 0x51, 0x15, 0xff, 0x77, 0x15, 0x1c, 0x11, 0xd9, 0x02, 0xc1,
2273 0x00, 0x29, 0x06, 0x8d, 0xb2, 0x08, 0x9a, 0x37, 0xd9, 0x13,
2274 },
2275 32, "Sectigo 'Mammoth' CT log" },
2276 { (const uint8_t[]){
2277 0x29, 0xd0, 0x3a, 0x1b, 0xb6, 0x74, 0xaa, 0x71, 0x1c, 0xd3, 0x03,
2278 0x5b, 0x65, 0x57, 0xc1, 0x4f, 0x8a, 0xa7, 0x8b, 0x4f, 0xe8, 0x38,
2279 0x94, 0x49, 0xec, 0xa4, 0x53, 0xf9, 0x44, 0xbd, 0x24, 0x68,
2280 },
2281 32, "Sectigo 'Mammoth2024h1'" },
2282 { (const uint8_t[]){
2283 0x50, 0x85, 0x01, 0x58, 0xdc, 0xb6, 0x05, 0x95, 0xc0, 0x0e, 0x92,
2284 0xa8, 0x11, 0x02, 0xec, 0xcd, 0xfe, 0x3f, 0x6b, 0x78, 0x58, 0x42,
2285 0x9f, 0x57, 0x98, 0x35, 0x38, 0xc9, 0xda, 0x52, 0x50, 0x63,
2286 },
2287 32, "Sectigo 'Mammoth2024h1b'" },
2288 { (const uint8_t[]){
2289 0xdf, 0xe1, 0x56, 0xeb, 0xaa, 0x05, 0xaf, 0xb5, 0x9c, 0x0f, 0x86,
2290 0x71, 0x8d, 0xa8, 0xc0, 0x32, 0x4e, 0xae, 0x56, 0xd9, 0x6e, 0xa7,
2291 0xf5, 0xa5, 0x6a, 0x01, 0xd1, 0xc1, 0x3b, 0xbe, 0x52, 0x5c,
2292 },
2293 32, "Sectigo 'Mammoth2024h2'" },
2294 { (const uint8_t[]){
2295 0x13, 0x4a, 0xdf, 0x1a, 0xb5, 0x98, 0x42, 0x09, 0x78, 0x0c, 0x6f,
2296 0xef, 0x4c, 0x7a, 0x91, 0xa4, 0x16, 0xb7, 0x23, 0x49, 0xce, 0x58,
2297 0x57, 0x6a, 0xdf, 0xae, 0xda, 0xa7, 0xc2, 0xab, 0xe0, 0x22,
2298 },
2299 32, "Sectigo 'Mammoth2025h1'" },
2300 { (const uint8_t[]){
2301 0xaf, 0x18, 0x1a, 0x28, 0xd6, 0x8c, 0xa3, 0xe0, 0xa9, 0x8a, 0x4c,
2302 0x9c, 0x67, 0xab, 0x09, 0xf8, 0xbb, 0xbc, 0x22, 0xba, 0xae, 0xbc,
2303 0xb1, 0x38, 0xa3, 0xa1, 0x9d, 0xd3, 0xf9, 0xb6, 0x03, 0x0d,
2304 },
2305 32, "Sectigo 'Mammoth2025h2'" },
2306 { (const uint8_t[]){
2307 0x25, 0x2f, 0x94, 0xc2, 0x2b, 0x29, 0xe9, 0x6e, 0x9f, 0x41, 0x1a,
2308 0x72, 0x07, 0x2b, 0x69, 0x5c, 0x5b, 0x52, 0xff, 0x97, 0xa9, 0x0d,
2309 0x25, 0x40, 0xbb, 0xfc, 0xdc, 0x51, 0xec, 0x4d, 0xee, 0x0b,
2310 },
2311 32, "Sectigo 'Mammoth2026h1'" },
2312 { (const uint8_t[]){
2313 0x94, 0xb1, 0xc1, 0x8a, 0xb0, 0xd0, 0x57, 0xc4, 0x7b, 0xe0, 0xac,
2314 0x04, 0x0e, 0x1f, 0x2c, 0xbc, 0x8d, 0xc3, 0x75, 0x72, 0x7b, 0xc9,
2315 0x51, 0xf2, 0x0a, 0x52, 0x61, 0x26, 0x86, 0x3b, 0xa7, 0x3c,
2316 },
2317 32, "Sectigo 'Mammoth2026h2'" },
2318 { (const uint8_t[]){
2319 0x56, 0x6c, 0xd5, 0xa3, 0x76, 0xbe, 0x83, 0xdf, 0xe3, 0x42, 0xb6,
2320 0x75, 0xc4, 0x9c, 0x23, 0x24, 0x98, 0xa7, 0x69, 0xba, 0xc3, 0x82,
2321 0xcb, 0xab, 0x49, 0xa3, 0x87, 0x7d, 0x9a, 0xb3, 0x2d, 0x01,
2322 },
2323 32, "Sectigo 'Sabre2026h1'" },
2324 { (const uint8_t[]){
2325 0x1f, 0x56, 0xd1, 0xab, 0x94, 0x70, 0x4a, 0x41, 0xdd, 0x3f, 0xea,
2326 0xfd, 0xf4, 0x69, 0x93, 0x55, 0x30, 0x2c, 0x14, 0x31, 0xbf, 0xe6,
2327 0x13, 0x46, 0x08, 0x9f, 0xff, 0xae, 0x79, 0x5d, 0xcc, 0x2f,
2328 },
2329 32, "Sectigo 'Sabre2026h2'" },
2330 { (const uint8_t[]){
2331 0x0d, 0x1d, 0xbc, 0x89, 0x44, 0xe9, 0xf5, 0x00, 0x55, 0x42, 0xd7,
2332 0x2d, 0x3e, 0x14, 0x4c, 0xcc, 0x43, 0x08, 0x2a, 0xb6, 0xea, 0x1e,
2333 0x94, 0xdf, 0xd7, 0x06, 0x65, 0x7d, 0x2e, 0x86, 0xf3, 0x01,
2334 },
2335 32, "Sectigo 'Elephant2025h2'" },
2336 { (const uint8_t[]){
2337 0xd1, 0x6e, 0xa9, 0xa5, 0x68, 0x07, 0x7e, 0x66, 0x35, 0xa0, 0x3f,
2338 0x37, 0xa5, 0xdd, 0xbc, 0x03, 0xa5, 0x3c, 0x41, 0x12, 0x14, 0xd4,
2339 0x88, 0x18, 0xf5, 0xe9, 0x31, 0xb3, 0x23, 0xcb, 0x95, 0x04,
2340 },
2341 32, "Sectigo 'Elephant2026h1'" },
2342 { (const uint8_t[]){
2343 0xaf, 0x67, 0x88, 0x3b, 0x57, 0xb0, 0x4e, 0xdd, 0x8f, 0xa6, 0xd9,
2344 0x7e, 0xf6, 0x2e, 0xa8, 0xeb, 0x81, 0x0a, 0xc7, 0x71, 0x60, 0xf0,
2345 0x24, 0x5e, 0x55, 0xd6, 0x0c, 0x2f, 0xe7, 0x85, 0x87, 0x3a,
2346 },
2347 32, "Sectigo 'Elephant2026h2'" },
2348 { (const uint8_t[]){
2349 0x60, 0x4c, 0x9a, 0xaf, 0x7a, 0x7f, 0x77, 0x5f, 0x01, 0xd4, 0x06,
2350 0xfc, 0x92, 0x0d, 0xc8, 0x99, 0xeb, 0x0b, 0x1c, 0x7d, 0xf8, 0xc9,
2351 0x52, 0x1b, 0xfa, 0xfa, 0x17, 0x77, 0x3b, 0x97, 0x8b, 0xc9,
2352 },
2353 32, "Sectigo 'Elephant2027h1'" },
2354 { (const uint8_t[]){
2355 0xa2, 0x49, 0x0c, 0xdc, 0xdb, 0x8e, 0x33, 0xa4, 0x00, 0x32, 0x17,
2356 0x60, 0xd6, 0xd4, 0xd5, 0x1a, 0x20, 0x36, 0x19, 0x1e, 0xa7, 0x7d,
2357 0x96, 0x8b, 0xe2, 0x6a, 0x8a, 0x00, 0xf6, 0xff, 0xff, 0xf7,
2358 },
2359 32, "Sectigo 'Elephant2027h2'" },
2360 { (const uint8_t[]){
2361 0x5c, 0xa5, 0x77, 0xd2, 0x9b, 0x7f, 0x8b, 0xaf, 0x41, 0x9e, 0xd8,
2362 0xec, 0xab, 0xfb, 0x6d, 0xcb, 0xae, 0xc3, 0x85, 0x37, 0x02, 0xd5,
2363 0x74, 0x6f, 0x17, 0x4d, 0xad, 0x3c, 0x93, 0x4a, 0xa9, 0x6a,
2364 },
2365 32, "Sectigo 'Tiger2025h2'" },
2366 { (const uint8_t[]){
2367 0x16, 0x83, 0x2d, 0xab, 0xf0, 0xa9, 0x25, 0x0f, 0x0f, 0xf0, 0x3a,
2368 0xa5, 0x45, 0xff, 0xc8, 0xbf, 0xc8, 0x23, 0xd0, 0x87, 0x4b, 0xf6,
2369 0x04, 0x29, 0x27, 0xf8, 0xe7, 0x1f, 0x33, 0x13, 0xf5, 0xfa,
2370 },
2371 32, "Sectigo 'Tiger2026h1'" },
2372 { (const uint8_t[]){
2373 0xc8, 0xa3, 0xc4, 0x7f, 0xc7, 0xb3, 0xad, 0xb9, 0x35, 0x6b, 0x01,
2374 0x3f, 0x6a, 0x7a, 0x12, 0x6d, 0xe3, 0x3a, 0x4e, 0x43, 0xa5, 0xc6,
2375 0x46, 0xf9, 0x97, 0xad, 0x39, 0x75, 0x99, 0x1d, 0xcf, 0x9a,
2376 },
2377 32, "Sectigo 'Tiger2026h2'" },
2378 { (const uint8_t[]){
2379 0x1c, 0x9f, 0x68, 0x2c, 0xe9, 0xfa, 0xf0, 0x45, 0x69, 0x50, 0xf8,
2380 0x1b, 0x96, 0x8a, 0x87, 0xdd, 0xdb, 0x32, 0x10, 0xd8, 0x4c, 0xe6,
2381 0xc8, 0xb2, 0xe3, 0x82, 0x52, 0x4a, 0xc4, 0xcf, 0x59, 0x9f,
2382 },
2383 32, "Sectigo 'Tiger2027h1'" },
2384 { (const uint8_t[]){
2385 0x03, 0x80, 0x2a, 0xc2, 0x62, 0xf6, 0xe0, 0x5e, 0x03, 0xf8, 0xbc,
2386 0x6f, 0x7b, 0x98, 0x51, 0x32, 0x4f, 0xd7, 0x6a, 0x3d, 0xf5, 0xb7,
2387 0x59, 0x51, 0x75, 0xe2, 0x22, 0xfb, 0x8e, 0x9b, 0xd5, 0xf6,
2388 },
2389 32, "Sectigo 'Tiger2027h2'" },
2390 { (const uint8_t[]){
2391 0xdb, 0x76, 0xfd, 0xad, 0xac, 0x65, 0xe7, 0xd0, 0x95, 0x08, 0x88,
2392 0x6e, 0x21, 0x59, 0xbd, 0x8b, 0x90, 0x35, 0x2f, 0x5f, 0xea, 0xd3,
2393 0xe3, 0xdc, 0x5e, 0x22, 0xeb, 0x35, 0x0a, 0xcc, 0x7b, 0x98,
2394 },
2395 32, "Sectigo 'Dodo' CT log" },
2396 { (const uint8_t[]){
2397 0xe7, 0x12, 0xf2, 0xb0, 0x37, 0x7e, 0x1a, 0x62, 0xfb, 0x8e, 0xc9,
2398 0x0c, 0x61, 0x84, 0xf1, 0xea, 0x7b, 0x37, 0xcb, 0x56, 0x1d, 0x11,
2399 0x26, 0x5b, 0xf3, 0xe0, 0xf3, 0x4b, 0xf2, 0x41, 0x54, 0x6e,
2400 },
2401 32, "Let's Encrypt 'Oak2020' log" },
2402 { (const uint8_t[]){
2403 0x94, 0x20, 0xbc, 0x1e, 0x8e, 0xd5, 0x8d, 0x6c, 0x88, 0x73, 0x1f,
2404 0x82, 0x8b, 0x22, 0x2c, 0x0d, 0xd1, 0xda, 0x4d, 0x5e, 0x6c, 0x4f,
2405 0x94, 0x3d, 0x61, 0xdb, 0x4e, 0x2f, 0x58, 0x4d, 0xa2, 0xc2,
2406 },
2407 32, "Let's Encrypt 'Oak2021' log" },
2408 { (const uint8_t[]){
2409 0xdf, 0xa5, 0x5e, 0xab, 0x68, 0x82, 0x4f, 0x1f, 0x6c, 0xad, 0xee,
2410 0xb8, 0x5f, 0x4e, 0x3e, 0x5a, 0xea, 0xcd, 0xa2, 0x12, 0xa4, 0x6a,
2411 0x5e, 0x8e, 0x3b, 0x12, 0xc0, 0x20, 0x44, 0x5c, 0x2a, 0x73,
2412 },
2413 32, "Let's Encrypt 'Oak2022' log" },
2414 { (const uint8_t[]){
2415 0xb7, 0x3e, 0xfb, 0x24, 0xdf, 0x9c, 0x4d, 0xba, 0x75, 0xf2, 0x39,
2416 0xc5, 0xba, 0x58, 0xf4, 0x6c, 0x5d, 0xfc, 0x42, 0xcf, 0x7a, 0x9f,
2417 0x35, 0xc4, 0x9e, 0x1d, 0x09, 0x81, 0x25, 0xed, 0xb4, 0x99,
2418 },
2419 32, "Let's Encrypt 'Oak2023' log" },
2420 { (const uint8_t[]){
2421 0x3b, 0x53, 0x77, 0x75, 0x3e, 0x2d, 0xb9, 0x80, 0x4e, 0x8b, 0x30,
2422 0x5b, 0x06, 0xfe, 0x40, 0x3b, 0x67, 0xd8, 0x4f, 0xc3, 0xf4, 0xc7,
2423 0xbd, 0x00, 0x0d, 0x2d, 0x72, 0x6f, 0xe1, 0xfa, 0xd4, 0x17,
2424 },
2425 32, "Let's Encrypt 'Oak2024H1' log" },
2426 { (const uint8_t[]){
2427 0x3f, 0x17, 0x4b, 0x4f, 0xd7, 0x22, 0x47, 0x58, 0x94, 0x1d, 0x65,
2428 0x1c, 0x84, 0xbe, 0x0d, 0x12, 0xed, 0x90, 0x37, 0x7f, 0x1f, 0x85,
2429 0x6a, 0xeb, 0xc1, 0xbf, 0x28, 0x85, 0xec, 0xf8, 0x64, 0x6e,
2430 },
2431 32, "Let's Encrypt 'Oak2024H2' log" },
2432 { (const uint8_t[]){
2433 0xa2, 0xe3, 0x0a, 0xe4, 0x45, 0xef, 0xbd, 0xad, 0x9b, 0x7e, 0x38,
2434 0xed, 0x47, 0x67, 0x77, 0x53, 0xd7, 0x82, 0x5b, 0x84, 0x94, 0xd7,
2435 0x2b, 0x5e, 0x1b, 0x2c, 0xc4, 0xb9, 0x50, 0xa4, 0x47, 0xe7,
2436 },
2437 32, "Let's Encrypt 'Oak2025h1'" },
2438 { (const uint8_t[]){
2439 0x0d, 0xe1, 0xf2, 0x30, 0x2b, 0xd3, 0x0d, 0xc1, 0x40, 0x62, 0x12,
2440 0x09, 0xea, 0x55, 0x2e, 0xfc, 0x47, 0x74, 0x7c, 0xb1, 0xd7, 0xe9,
2441 0x30, 0xef, 0x0e, 0x42, 0x1e, 0xb4, 0x7e, 0x4e, 0xaa, 0x34,
2442 },
2443 32, "Let's Encrypt 'Oak2025h2'" },
2444 { (const uint8_t[]){
2445 0x19, 0x86, 0xd4, 0xc7, 0x28, 0xaa, 0x6f, 0xfe, 0xba, 0x03, 0x6f,
2446 0x78, 0x2a, 0x4d, 0x01, 0x91, 0xaa, 0xce, 0x2d, 0x72, 0x31, 0x0f,
2447 0xae, 0xce, 0x5d, 0x70, 0x41, 0x2d, 0x25, 0x4c, 0xc7, 0xd4,
2448 },
2449 32, "Let's Encrypt 'Oak2026h1'" },
2450 { (const uint8_t[]){
2451 0xac, 0xab, 0x30, 0x70, 0x6c, 0xeb, 0xec, 0x84, 0x31, 0xf4, 0x13,
2452 0xd2, 0xf4, 0x91, 0x5f, 0x11, 0x1e, 0x42, 0x24, 0x43, 0xb1, 0xf2,
2453 0xa6, 0x8c, 0x4f, 0x3c, 0x2b, 0x3b, 0xa7, 0x1e, 0x02, 0xc3,
2454 },
2455 32, "Let's Encrypt 'Oak2026h2'" },
2456 { (const uint8_t[]){
2457 0x65, 0x9b, 0x33, 0x50, 0xf4, 0x3b, 0x12, 0xcc, 0x5e, 0xa5, 0xab,
2458 0x4e, 0xc7, 0x65, 0xd3, 0xfd, 0xe6, 0xc8, 0x82, 0x43, 0x77, 0x77,
2459 0x78, 0xe7, 0x20, 0x03, 0xf9, 0xeb, 0x2b, 0x8c, 0x31, 0x29,
2460 },
2461 32, "Let's Encrypt 'Oak2019' log" },
2462 { (const uint8_t[]){
2463 0x84, 0x9f, 0x5f, 0x7f, 0x58, 0xd2, 0xbf, 0x7b, 0x54, 0xec, 0xbd,
2464 0x74, 0x61, 0x1c, 0xea, 0x45, 0xc4, 0x9c, 0x98, 0xf1, 0xd6, 0x48,
2465 0x1b, 0xc6, 0xf6, 0x9e, 0x8c, 0x17, 0x4f, 0x24, 0xf3, 0xcf,
2466 },
2467 32, "Let's Encrypt 'Testflume2019' log" },
2468 { (const uint8_t[]){
2469 0x23, 0x2d, 0x41, 0xa4, 0xcd, 0xac, 0x87, 0xce, 0xd9, 0xf9, 0x43,
2470 0xf4, 0x68, 0xc2, 0x82, 0x09, 0x5a, 0xe0, 0x9d, 0x30, 0xd6, 0x2e,
2471 0x2f, 0xa6, 0x5d, 0xdc, 0x3b, 0x91, 0x9c, 0x2e, 0x46, 0x8f,
2472 },
2473 32, "Let's Encrypt 'Sapling 2022h2' log" },
2474 { (const uint8_t[]){
2475 0xc1, 0x83, 0x24, 0x0b, 0xf1, 0xa4, 0x50, 0xc7, 0x6f, 0xbb, 0x00,
2476 0x72, 0x69, 0xdc, 0xac, 0x3b, 0xe2, 0x2a, 0x48, 0x05, 0xd4, 0xdb,
2477 0xe0, 0x49, 0x66, 0xc3, 0xc8, 0xab, 0xc4, 0x47, 0xb0, 0x0c,
2478 },
2479 32, "Let's Encrypt 'Sapling 2023h1' log" },
2480 { (const uint8_t[]){
2481 0xc6, 0x3f, 0x22, 0x18, 0xc3, 0x7d, 0x56, 0xa6, 0xaa, 0x06, 0xb5,
2482 0x96, 0xda, 0x8e, 0x53, 0xd4, 0xd7, 0x15, 0x6d, 0x1e, 0x9b, 0xac,
2483 0x8e, 0x44, 0xd2, 0x20, 0x2d, 0xe6, 0x4d, 0x69, 0xd9, 0xdc,
2484 },
2485 32, "Let's Encrypt 'Testflume2020' log" },
2486 { (const uint8_t[]){
2487 0x03, 0xed, 0xf1, 0xda, 0x97, 0x76, 0xb6, 0xf3, 0x8c, 0x34, 0x1e,
2488 0x39, 0xed, 0x9d, 0x70, 0x7a, 0x75, 0x70, 0x36, 0x9c, 0xf9, 0x84,
2489 0x4f, 0x32, 0x7f, 0xe9, 0xe1, 0x41, 0x38, 0x36, 0x1b, 0x60,
2490 },
2491 32, "Let's Encrypt 'Testflume2021' log" },
2492 { (const uint8_t[]){
2493 0x23, 0x27, 0xef, 0xda, 0x35, 0x25, 0x10, 0xdb, 0xc0, 0x19, 0xef,
2494 0x49, 0x1a, 0xe3, 0xff, 0x1c, 0xc5, 0xa4, 0x79, 0xbc, 0xe3, 0x78,
2495 0x78, 0x36, 0x0e, 0xe3, 0x18, 0xcf, 0xfb, 0x64, 0xf8, 0xc8,
2496 },
2497 32, "Let's Encrypt 'Testflume2022' log" },
2498 { (const uint8_t[]){
2499 0x55, 0x34, 0xb7, 0xab, 0x5a, 0x6a, 0xc3, 0xa7, 0xcb, 0xeb, 0xa6,
2500 0x54, 0x87, 0xb2, 0xa2, 0xd7, 0x1b, 0x48, 0xf6, 0x50, 0xfa, 0x17,
2501 0xc5, 0x19, 0x7c, 0x97, 0xa0, 0xcb, 0x20, 0x76, 0xf3, 0xc6,
2502 },
2503 32, "Let's Encrypt 'Testflume2023' log" },
2504 { (const uint8_t[]){
2505 0x29, 0x6a, 0xfa, 0x2d, 0x56, 0x8b, 0xca, 0x0d, 0x2e, 0xa8, 0x44,
2506 0x95, 0x6a, 0xe9, 0x72, 0x1f, 0xc3, 0x5f, 0xa3, 0x55, 0xec, 0xda,
2507 0x99, 0x69, 0x3a, 0xaf, 0xd4, 0x58, 0xa7, 0x1a, 0xef, 0xdd,
2508 },
2509 32, "Let's Encrypt 'Clicky' log" },
2510 { (const uint8_t[]){
2511 0xa5, 0x95, 0x94, 0x3b, 0x53, 0x70, 0xbe, 0xe9, 0x06, 0xe0, 0x05,
2512 0x0d, 0x1f, 0xb5, 0xbb, 0xc6, 0xa4, 0x0e, 0x65, 0xf2, 0x65, 0xae,
2513 0x85, 0x2c, 0x76, 0x36, 0x3f, 0xad, 0xb2, 0x33, 0x36, 0xed,
2514 },
2515 32, "Trust Asia Log2020" },
2516 { (const uint8_t[]){
2517 0xa8, 0xdc, 0x52, 0xf6, 0x3d, 0x6b, 0x24, 0x25, 0xe5, 0x31, 0xe3,
2518 0x7c, 0xf4, 0xe4, 0x4a, 0x71, 0x4f, 0x14, 0x2a, 0x20, 0x80, 0x3b,
2519 0x0d, 0x04, 0xd2, 0xe2, 0xee, 0x06, 0x64, 0x79, 0x4a, 0x23,
2520 },
2521 32, "Trust Asia CT2021" },
2522 { (const uint8_t[]){
2523 0x67, 0x8d, 0xb6, 0x5b, 0x3e, 0x74, 0x43, 0xb6, 0xf3, 0xa3, 0x70,
2524 0xd5, 0xe1, 0x3a, 0xb1, 0xb4, 0x3b, 0xe0, 0xa0, 0xd3, 0x51, 0xf7,
2525 0xca, 0x74, 0x22, 0x50, 0xc7, 0xc6, 0xfa, 0x51, 0xa8, 0x8a,
2526 },
2527 32, "Trust Asia Log2021" },
2528 { (const uint8_t[]){
2529 0xc3, 0x65, 0xf9, 0xb3, 0x65, 0x4f, 0x32, 0x83, 0xc7, 0x9d, 0xa9,
2530 0x8e, 0x93, 0xd7, 0x41, 0x8f, 0x5b, 0xab, 0x7b, 0xe3, 0x25, 0x2c,
2531 0x98, 0xe1, 0xd2, 0xf0, 0x4b, 0xb9, 0xeb, 0x42, 0x7d, 0x23,
2532 },
2533 32, "Trust Asia Log2022" },
2534 { (const uint8_t[]){
2535 0xe8, 0x7e, 0xa7, 0x66, 0x0b, 0xc2, 0x6c, 0xf6, 0x00, 0x2e, 0xf5,
2536 0x72, 0x5d, 0x3f, 0xe0, 0xe3, 0x31, 0xb9, 0x39, 0x3b, 0xb9, 0x2f,
2537 0xbf, 0x58, 0xeb, 0x3b, 0x90, 0x49, 0xda, 0xf5, 0x43, 0x5a,
2538 },
2539 32, "Trust Asia Log2023" },
2540 { (const uint8_t[]){
2541 0x30, 0x6d, 0x29, 0x57, 0x6a, 0xd2, 0x1a, 0x9d, 0x4a, 0xe1, 0x2a,
2542 0xca, 0xd8, 0xaa, 0x8a, 0x78, 0x3a, 0xa6, 0x5a, 0x32, 0x11, 0x60,
2543 0xac, 0xff, 0x5b, 0x0e, 0xee, 0x4c, 0xa3, 0x20, 0x1d, 0x05,
2544 },
2545 32, "Trust Asia Log2024" },
2546 { (const uint8_t[]){
2547 0x87, 0x4f, 0xb5, 0x0d, 0xc0, 0x29, 0xd9, 0x93, 0x1d, 0xe5, 0x73,
2548 0xe9, 0xf2, 0x89, 0x9e, 0x8e, 0x45, 0x33, 0xb3, 0x92, 0xd3, 0x8b,
2549 0x0a, 0x46, 0x25, 0x74, 0xbf, 0x0f, 0xee, 0xb2, 0xfc, 0x1e,
2550 },
2551 32, "Trust Asia Log2024-2" },
2552 { (const uint8_t[]){
2553 0x28, 0xe2, 0x81, 0x38, 0xfd, 0x83, 0x21, 0x45, 0xe9, 0xa9, 0xd6,
2554 0xaa, 0x75, 0x37, 0x6d, 0x83, 0x77, 0xa8, 0x85, 0x12, 0xb3, 0xc0,
2555 0x7f, 0x72, 0x41, 0x48, 0x21, 0xdc, 0xbd, 0xe9, 0x8c, 0x66,
2556 },
2557 32, "TrustAsia Log2025a" },
2558 { (const uint8_t[]){
2559 0x28, 0x2c, 0x8b, 0xdd, 0x81, 0x0f, 0xf9, 0x09, 0x12, 0x0a, 0xce,
2560 0x16, 0xd6, 0xe0, 0xec, 0x20, 0x1b, 0xea, 0x82, 0xa3, 0xa4, 0xaf,
2561 0x19, 0xd9, 0xef, 0xfb, 0x59, 0xe8, 0x3f, 0xdc, 0x42, 0x68,
2562 },
2563 32, "TrustAsia Log2025b" },
2564 { (const uint8_t[]){
2565 0x74, 0xdb, 0x9d, 0x58, 0xf7, 0xd4, 0x7e, 0x9d, 0xfd, 0x78, 0x7a,
2566 0x16, 0x2a, 0x99, 0x1c, 0x18, 0xcf, 0x69, 0x8d, 0xa7, 0xc7, 0x29,
2567 0x91, 0x8c, 0x9a, 0x18, 0xb0, 0x45, 0x0d, 0xba, 0x44, 0xbc,
2568 },
2569 32, "TrustAsia 'log2026a'" },
2570 { (const uint8_t[]){
2571 0x25, 0xb7, 0xef, 0xde, 0xa1, 0x13, 0x01, 0x93, 0xed, 0x93, 0x07,
2572 0x97, 0x70, 0xaa, 0x32, 0x2a, 0x26, 0x62, 0x0d, 0xe3, 0x5a, 0xc8,
2573 0xaa, 0x7c, 0x75, 0x19, 0x7d, 0xe0, 0xb1, 0xa9, 0xe0, 0x65,
2574 },
2575 32, "TrustAsia 'log2026b'" },
2576 { (const uint8_t[]){
2577 0xed, 0xda, 0xeb, 0x81, 0x5c, 0x63, 0x21, 0x34, 0x49, 0xb4, 0x7b,
2578 0xe5, 0x07, 0x79, 0x05, 0xab, 0xd0, 0xd9, 0x31, 0x47, 0xc2, 0x7a,
2579 0xc5, 0x14, 0x6b, 0x3b, 0xc5, 0x8e, 0x43, 0xe9, 0xb6, 0xc7,
2580 },
2581 32, "TrustAsia 'HETU2027'" },
2582 { (const uint8_t[]){
2583 0x45, 0x35, 0x94, 0x98, 0xd9, 0x3a, 0x89, 0xe0, 0x28, 0x03, 0x08,
2584 0xd3, 0x7d, 0x62, 0x6d, 0xc4, 0x23, 0x75, 0x47, 0x58, 0xdc, 0xe0,
2585 0x37, 0x00, 0x36, 0xfb, 0xab, 0x0e, 0xdf, 0x8a, 0x6b, 0xcf,
2586 },
2587 32, "Trust Asia Log1" },
2588 { (const uint8_t[]){
2589 0xc9, 0xcf, 0x89, 0x0a, 0x21, 0x10, 0x9c, 0x66, 0x6c, 0xc1, 0x7a,
2590 0x3e, 0xd0, 0x65, 0xc9, 0x30, 0xd0, 0xe0, 0x13, 0x5a, 0x9f, 0xeb,
2591 0xa8, 0x5a, 0xf1, 0x42, 0x10, 0xb8, 0x07, 0x24, 0x21, 0xaa,
2592 },
2593 32, "GDCA CT log #1" },
2594 { (const uint8_t[]){
2595 0x92, 0x4a, 0x30, 0xf9, 0x09, 0x33, 0x6f, 0xf4, 0x35, 0xd6, 0x99,
2596 0x3a, 0x10, 0xac, 0x75, 0xa2, 0xc6, 0x41, 0x72, 0x8e, 0x7f, 0xc2,
2597 0xd6, 0x59, 0xae, 0x61, 0x88, 0xff, 0xad, 0x40, 0xce, 0x01,
2598 },
2599 32, "GDCA CT log #2" },
2600 { (const uint8_t[]){
2601 0x71, 0x7e, 0xa7, 0x42, 0x09, 0x75, 0xbe, 0x84, 0xa2, 0x72, 0x35,
2602 0x53, 0xf1, 0x77, 0x7c, 0x26, 0xdd, 0x51, 0xaf, 0x4e, 0x10, 0x21,
2603 0x44, 0x09, 0x4d, 0x90, 0x19, 0xb4, 0x62, 0xfb, 0x66, 0x68,
2604 },
2605 32, "GDCA Log 1" },
2606 { (const uint8_t[]){
2607 0x14, 0x30, 0x8d, 0x90, 0xcc, 0xd0, 0x30, 0x13, 0x50, 0x05, 0xc0,
2608 0x1c, 0xa5, 0x26, 0xd8, 0x1e, 0x84, 0xe8, 0x76, 0x24, 0xe3, 0x9b,
2609 0x62, 0x48, 0xe0, 0x8f, 0x72, 0x4a, 0xea, 0x3b, 0xb4, 0x2a,
2610 },
2611 32, "GDCA Log 2" },
2612 { (const uint8_t[]){
2613 0xe0, 0x12, 0x76, 0x29, 0xe9, 0x04, 0x96, 0x56, 0x4e, 0x3d, 0x01,
2614 0x47, 0x98, 0x44, 0x98, 0xaa, 0x48, 0xf8, 0xad, 0xb1, 0x66, 0x00,
2615 0xeb, 0x79, 0x02, 0xa1, 0xef, 0x99, 0x09, 0x90, 0x62, 0x73,
2616 },
2617 32, "PuChuangSiDa CT log" },
2618 { (const uint8_t[]){
2619 0x53, 0x7b, 0x69, 0xa3, 0x56, 0x43, 0x35, 0xa9, 0xc0, 0x49, 0x04,
2620 0xe3, 0x95, 0x93, 0xb2, 0xc2, 0x98, 0xeb, 0x8d, 0x7a, 0x6e, 0x83,
2621 0x02, 0x36, 0x35, 0xc6, 0x27, 0x24, 0x8c, 0xd6, 0xb4, 0x40,
2622 },
2623 32, "Nordu 'flimsy' log" },
2624 { (const uint8_t[]){
2625 0xaa, 0xe7, 0x0b, 0x7f, 0x3c, 0xb8, 0xd5, 0x66, 0xc8, 0x6c, 0x2f,
2626 0x16, 0x97, 0x9c, 0x9f, 0x44, 0x5f, 0x69, 0xab, 0x0e, 0xb4, 0x53,
2627 0x55, 0x89, 0xb2, 0xf7, 0x7a, 0x03, 0x01, 0x04, 0xf3, 0xcd,
2628 },
2629 32, "Nordu 'plausible' log" },
2630 { (const uint8_t[]){
2631 0xcf, 0x55, 0xe2, 0x89, 0x23, 0x49, 0x7c, 0x34, 0x0d, 0x52, 0x06,
2632 0xd0, 0x53, 0x53, 0xae, 0xb2, 0x58, 0x34, 0xb5, 0x2f, 0x1f, 0x8d,
2633 0xc9, 0x52, 0x68, 0x09, 0xf2, 0x12, 0xef, 0xdd, 0x7c, 0xa6,
2634 },
2635 32, "SHECA CT log 1" },
2636 { (const uint8_t[]){
2637 0x32, 0xdc, 0x59, 0xc2, 0xd4, 0xc4, 0x19, 0x68, 0xd5, 0x6e, 0x14,
2638 0xbc, 0x61, 0xac, 0x8f, 0x0e, 0x45, 0xdb, 0x39, 0xfa, 0xf3, 0xc1,
2639 0x55, 0xaa, 0x42, 0x52, 0xf5, 0x00, 0x1f, 0xa0, 0xc6, 0x23,
2640 },
2641 32, "SHECA CT log 2" },
2642 { (const uint8_t[]){
2643 0x96, 0x06, 0xc0, 0x2c, 0x69, 0x00, 0x33, 0xaa, 0x1d, 0x14, 0x5f,
2644 0x59, 0xc6, 0xe2, 0x64, 0x8d, 0x05, 0x49, 0xf0, 0xdf, 0x96, 0xaa,
2645 0xb8, 0xdb, 0x91, 0x5a, 0x70, 0xd8, 0xec, 0xf3, 0x90, 0xa5,
2646 },
2647 32, "Akamai CT Log" },
2648 { (const uint8_t[]){
2649 0x39, 0x37, 0x6f, 0x54, 0x5f, 0x7b, 0x46, 0x07, 0xf5, 0x97, 0x42,
2650 0xd7, 0x68, 0xcd, 0x5d, 0x24, 0x37, 0xbf, 0x34, 0x73, 0xb6, 0x53,
2651 0x4a, 0x48, 0x34, 0xbc, 0xf7, 0x2e, 0x68, 0x1c, 0x83, 0xc9,
2652 },
2653 32, "Alpha CT Log" },
2654 { (const uint8_t[]){
2655 0xb0, 0xb7, 0x84, 0xbc, 0x81, 0xc0, 0xdd, 0xc4, 0x75, 0x44, 0xe8,
2656 0x83, 0xf0, 0x59, 0x85, 0xbb, 0x90, 0x77, 0xd1, 0x34, 0xd8, 0xab,
2657 0x88, 0xb2, 0xb2, 0xe5, 0x33, 0x98, 0x0b, 0x8e, 0x50, 0x8b,
2658 },
2659 32, "Up In The Air 'Behind the Sofa' log" },
2660 { (const uint8_t[]){
2661 0x47, 0x44, 0x47, 0x7c, 0x75, 0xde, 0x42, 0x6d, 0x5c, 0x44, 0xef,
2662 0xd4, 0xa9, 0x2c, 0x96, 0x77, 0x59, 0x7f, 0x65, 0x7a, 0x8f, 0xe0,
2663 0xca, 0xdb, 0xc6, 0xd6, 0x16, 0xed, 0xa4, 0x97, 0xc4, 0x25,
2664 },
2665 32, "Qihoo 360 2020" },
2666 { (const uint8_t[]){
2667 0xc6, 0xd7, 0xed, 0x9e, 0xdb, 0x8e, 0x74, 0xf0, 0xa7, 0x1b, 0x4d,
2668 0x4a, 0x98, 0x4b, 0xcb, 0xeb, 0xab, 0xbd, 0x28, 0xcc, 0x1f, 0xd7,
2669 0x63, 0x29, 0xe8, 0x87, 0x26, 0xcd, 0x4c, 0x25, 0x46, 0x63,
2670 },
2671 32, "Qihoo 360 2021" },
2672 { (const uint8_t[]){
2673 0x66, 0x3c, 0xb0, 0x9c, 0x1f, 0xcd, 0x9b, 0xaa, 0x62, 0x76, 0x3c,
2674 0xcb, 0x53, 0x4e, 0xec, 0x80, 0x58, 0x12, 0x28, 0x05, 0x07, 0xac,
2675 0x69, 0xa4, 0x5f, 0xcd, 0x38, 0xcf, 0x4c, 0xc7, 0x4c, 0xf1,
2676 },
2677 32, "Qihoo 360 2022" },
2678 { (const uint8_t[]){
2679 0xe2, 0x64, 0x7f, 0x6e, 0xda, 0x34, 0x05, 0x03, 0xc6, 0x4d, 0x4e,
2680 0x10, 0xa8, 0x69, 0x68, 0x1f, 0xde, 0x9c, 0x5a, 0x2c, 0xf3, 0xb3,
2681 0x2d, 0x5f, 0x20, 0x0b, 0x96, 0x36, 0x05, 0x90, 0x88, 0x23,
2682 },
2683 32, "Qihoo 360 2023" },
2684 { (const uint8_t[]){
2685 0xc5, 0xcf, 0xe5, 0x4b, 0x61, 0x51, 0xb4, 0x9b, 0x14, 0x2e, 0xd2,
2686 0x63, 0xbd, 0xe7, 0x32, 0x93, 0x36, 0x37, 0x99, 0x79, 0x95, 0x50,
2687 0xae, 0x44, 0x35, 0xcd, 0x1a, 0x69, 0x97, 0xc9, 0xc3, 0xc3,
2688 },
2689 32, "Qihoo 360 v1 2020" },
2690 { (const uint8_t[]){
2691 0x48, 0x14, 0x58, 0x7c, 0xf2, 0x8b, 0x08, 0xfe, 0x68, 0x3f, 0xd2,
2692 0xbc, 0xd9, 0x45, 0x99, 0x4c, 0x2e, 0xb7, 0x4c, 0x8a, 0xe8, 0xc8,
2693 0x7f, 0xce, 0x42, 0x9b, 0x7c, 0xd3, 0x1d, 0x51, 0xbd, 0xc4,
2694 },
2695 32, "Qihoo 360 v1 2021" },
2696 { (const uint8_t[]){
2697 0x49, 0x11, 0xb8, 0xd6, 0x14, 0xcf, 0xd3, 0xd9, 0x9f, 0x16, 0xd3,
2698 0x76, 0x54, 0x5e, 0xe1, 0xb8, 0xcc, 0xfc, 0x51, 0x1f, 0x50, 0x9f,
2699 0x08, 0x0b, 0xa0, 0xa0, 0x87, 0xd9, 0x1d, 0xfa, 0xee, 0xa9,
2700 },
2701 32, "Qihoo 360 v1 2022" },
2702 { (const uint8_t[]){
2703 0xb6, 0x74, 0x0b, 0x12, 0x00, 0x2e, 0x03, 0x3f, 0xd0, 0xe7, 0xe9,
2704 0x41, 0xf4, 0xba, 0x3e, 0xe1, 0xbf, 0xc1, 0x49, 0xb5, 0x24, 0xb4,
2705 0xcf, 0x62, 0x8d, 0x53, 0xef, 0xea, 0x1f, 0x40, 0x3a, 0x8d,
2706 },
2707 32, "Qihoo 360 v1 2023" },
2708 { (const uint8_t[]){
2709 0x2e, 0xd6, 0xa4, 0x4d, 0xeb, 0x8f, 0x0c, 0x86, 0x46, 0x67, 0x76,
2710 0x9c, 0x4e, 0xdd, 0x04, 0x1f, 0x84, 0x23, 0x67, 0x55, 0xfa, 0x3a,
2711 0xac, 0xa6, 0x34, 0xd0, 0x93, 0x5d, 0xfc, 0xd5, 0x9a, 0x70,
2712 },
2713 32, "Bogus placeholder log to unbreak misbehaving CT libraries" },
2714 { (const uint8_t[]){
2715 0x39, 0xb9, 0x87, 0x88, 0x28, 0x19, 0x5f, 0x3b, 0x2d, 0x0d, 0x1b,
2716 0x48, 0x14, 0xa3, 0xae, 0x8c, 0x0d, 0x01, 0xfe, 0x48, 0x62, 0x21,
2717 0xdd, 0x69, 0x39, 0x7d, 0x76, 0xf7, 0x85, 0x74, 0x11, 0xc3,
2718 },
2719 32, "Merklemap 'CompactLog' log" },
2720 { (const uint8_t[]){
2721 0xd2, 0xfc, 0x65, 0x2f, 0xa5, 0xf9, 0xb7, 0x38, 0xb8, 0x37, 0x55,
2722 0xfa, 0x5e, 0xb1, 0x5f, 0x0b, 0x45, 0x25, 0x3f, 0x4e, 0x8f, 0xa3,
2723 0xb9, 0xb6, 0x4f, 0xd4, 0xde, 0x56, 0x62, 0xd1, 0x87, 0x08,
2724 },
2725 32, "Bogus RFC6962 log to avoid breaking misbehaving CT libraries" },
2726 { NULL((void*)0), 0, NULL((void*)0) }
2727};
2728
/*
 * Application-Layer Protocol Negotiation (ALPN) dissector tables.
 * One table per transport flavour (TLS over TCP, DTLS over UDP); the ALPN
 * string negotiated in the handshake is used as the key into these tables.
 * Both are populated elsewhere in this file.
 */
static dissector_table_t ssl_alpn_dissector_table;
static dissector_table_t dtls_alpn_dissector_table;
2734
/*
 * Special cases for prefix matching of the ALPN, if the ALPN includes
 * a version number for a draft or protocol revision.
 */
typedef struct ssl_alpn_prefix_match_protocol {
    const char *proto_prefix;    /* leading part of the ALPN string to match */
    const char *dissector_name;  /* dissector to hand the payload to on a match */
} ssl_alpn_prefix_match_protocol_t;
2743
/* ALPN values that are matched by prefix rather than exact string, so that
 * versioned identifiers ("spdy/3.1", "h2-16") still reach the right
 * dissector. Keep this list short: every ALPN lookup that misses the exact
 * table is compared against each prefix here. */
static const ssl_alpn_prefix_match_protocol_t ssl_alpn_prefix_match_protocols[] = {
    /* SPDY moves so fast, just 1, 2 and 3 are registered with IANA but there
     * already exists 3.1 as of this writing... match the prefix. */
    { "spdy/", "spdy" },
    /* draft-ietf-httpbis-http2-16 */
    { "h2-", "http2" }, /* draft versions */
};
2751
/* CertificateCompressionAlgorithm values (RFC 8879 compress_certificate
 * extension). Terminated by the { 0, NULL } sentinel required by
 * val_to_str(). */
const value_string compress_certificate_algorithm_vals[] = {
    { 1, "zlib" },
    { 2, "brotli" },
    { 3, "zstd" },
    { 0, NULL }
};
2758
2759
/* QUIC transport parameter identifiers, as carried in the
 * quic_transport_parameters TLS extension. The table mixes registered ids
 * with draft and vendor-private ones (google_*, facebook_*, multipath and
 * min_ack_delay drafts), so the same display name can appear under more than
 * one id (e.g. "min_ack_delay" for both the old and the final codepoint).
 * GREASE ids are not listed; they are recognised arithmetically by
 * quic_transport_parameter_id_base_custom(). Terminated by { 0, NULL }. */
const val64_string quic_transport_parameter_id[] = {
    { SSL_HND_QUIC_TP_ORIGINAL_DESTINATION_CONNECTION_ID, "original_destination_connection_id" },
    { SSL_HND_QUIC_TP_MAX_IDLE_TIMEOUT, "max_idle_timeout" },
    { SSL_HND_QUIC_TP_STATELESS_RESET_TOKEN, "stateless_reset_token" },
    { SSL_HND_QUIC_TP_MAX_UDP_PAYLOAD_SIZE, "max_udp_payload_size" },
    { SSL_HND_QUIC_TP_INITIAL_MAX_DATA, "initial_max_data" },
    { SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_BIDI_LOCAL, "initial_max_stream_data_bidi_local" },
    { SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_BIDI_REMOTE, "initial_max_stream_data_bidi_remote" },
    { SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_UNI, "initial_max_stream_data_uni" },
    { SSL_HND_QUIC_TP_INITIAL_MAX_STREAMS_UNI, "initial_max_streams_uni" },
    { SSL_HND_QUIC_TP_INITIAL_MAX_STREAMS_BIDI, "initial_max_streams_bidi" },
    { SSL_HND_QUIC_TP_ACK_DELAY_EXPONENT, "ack_delay_exponent" },
    { SSL_HND_QUIC_TP_MAX_ACK_DELAY, "max_ack_delay" },
    { SSL_HND_QUIC_TP_DISABLE_ACTIVE_MIGRATION, "disable_active_migration" },
    { SSL_HND_QUIC_TP_PREFERRED_ADDRESS, "preferred_address" },
    { SSL_HND_QUIC_TP_ACTIVE_CONNECTION_ID_LIMIT, "active_connection_id_limit" },
    { SSL_HND_QUIC_TP_INITIAL_SOURCE_CONNECTION_ID, "initial_source_connection_id" },
    { SSL_HND_QUIC_TP_RETRY_SOURCE_CONNECTION_ID, "retry_source_connection_id" },
    { SSL_HND_QUIC_TP_MAX_DATAGRAM_FRAME_SIZE, "max_datagram_frame_size" },
    { SSL_HND_QUIC_TP_CIBIR_ENCODING, "cibir_encoding" },
    { SSL_HND_QUIC_TP_LOSS_BITS, "loss_bits" },
    { SSL_HND_QUIC_TP_GREASE_QUIC_BIT, "grease_quic_bit" },
    { SSL_HND_QUIC_TP_ENABLE_TIME_STAMP, "enable_time_stamp" },
    { SSL_HND_QUIC_TP_ENABLE_TIME_STAMP_V2, "enable_time_stamp_v2" },
    { SSL_HND_QUIC_TP_VERSION_INFORMATION, "version_information" },
    { SSL_HND_QUIC_TP_VERSION_INFORMATION_DRAFT, "version_information_draft" },
    /* Pre-standard codepoint; the final one is listed further down. */
    { SSL_HND_QUIC_TP_MIN_ACK_DELAY_OLD, "min_ack_delay" },
    /* Vendor-private (Google) parameters. */
    { SSL_HND_QUIC_TP_GOOGLE_USER_AGENT, "google_user_agent" },
    { SSL_HND_QUIC_TP_GOOGLE_KEY_UPDATE_NOT_YET_SUPPORTED, "google_key_update_not_yet_supported" },
    { SSL_HND_QUIC_TP_GOOGLE_QUIC_VERSION, "google_quic_version" },
    { SSL_HND_QUIC_TP_GOOGLE_INITIAL_RTT, "google_initial_rtt" },
    { SSL_HND_QUIC_TP_GOOGLE_SUPPORT_HANDSHAKE_DONE, "google_support_handshake_done" },
    { SSL_HND_QUIC_TP_GOOGLE_QUIC_PARAMS, "google_quic_params" },
    { SSL_HND_QUIC_TP_GOOGLE_CONNECTION_OPTIONS, "google_connection_options" },
    { SSL_HND_QUIC_TP_FACEBOOK_PARTIAL_RELIABILITY, "facebook_partial_reliability" },
    { SSL_HND_QUIC_TP_ADDRESS_DISCOVERY, "address_discovery" },
    { SSL_HND_QUIC_TP_MIN_ACK_DELAY_DRAFT_V1, "min_ack_delay (draft-01)" },
    { SSL_HND_QUIC_TP_MIN_ACK_DELAY_DRAFT05, "min_ack_delay (draft-05)" },
    { SSL_HND_QUIC_TP_MIN_ACK_DELAY, "min_ack_delay" },
    /* Multipath drafts; the codepoint moved with nearly every revision. */
    { SSL_HND_QUIC_TP_ENABLE_MULTIPATH_DRAFT04, "enable_multipath (draft-04)" },
    { SSL_HND_QUIC_TP_ENABLE_MULTIPATH_DRAFT05, "enable_multipath (draft-05)" },
    { SSL_HND_QUIC_TP_ENABLE_MULTIPATH, "enable_multipath (draft-06)" },
    { SSL_HND_QUIC_TP_INITIAL_MAX_PATHS, "initial_max_paths (draft-07/08)" },
    { SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT09, "initial_max_path_id (draft-09/10)" },
    { SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT11, "initial_max_path_id (draft-11)" },
    { SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT12, "initial_max_path_id (draft-12)" },
    { SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT13, "initial_max_path_id (draft-13)" },
    { SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID, "initial_max_path_id" },
    { 0, NULL }
};
2810
2811/* https://tools.ietf.org/html/draft-ietf-quic-address-discovery-00 */
/* Values of the address_discovery transport parameter: which direction(s)
 * of address observation the sender supports. Terminated by { 0, NULL }. */
const val64_string quic_address_discovery_vals[] = {
    { 0, "The node is willing to provide address observations to its peer, but is not interested in receiving address observations itself" },
    { 1, "The node is interested in receiving address observations, but it is not willing to provide address observations" },
    { 2, "The node is interested in receiving address observations, and it is willing to provide address observations" },
    { 0, NULL }
};
2818
2819/* https://tools.ietf.org/html/draft-huitema-quic-ts-03 */
/* Values of the enable_time_stamp_v2 transport parameter; 3 is the
 * combination of 1 (receive) and 2 (generate). Terminated by { 0, NULL }. */
const val64_string quic_enable_time_stamp_v2_vals[] = {
    { 1, "I would like to receive TIME_STAMP frames" },
    { 2, "I am able to generate TIME_STAMP frames" },
    { 3, "I am able to generate TIME_STAMP frames and I would like to receive them" },
    { 0, NULL }
};
2826
2827/* https://datatracker.ietf.org/doc/draft-ietf-quic-multipath/04/ */
/* Values of the enable_multipath transport parameter (draft-04 wording).
 * Terminated by { 0, NULL }. */
const val64_string quic_enable_multipath_vals[] = {
    { 0, "don't support multipath" },
    { 1, "support multipath as defined in this document" },
    { 0, NULL }
};
2833
2834/* https://www.ietf.org/archive/id/draft-ietf-tls-esni-16.txt */
/* ECHClientHelloType from the Encrypted Client Hello extension: whether the
 * extension sits in the outer (cleartext) or inner (encrypted) ClientHello.
 * Terminated by { 0, NULL }. */
const value_string tls_hello_ext_ech_clienthello_types[] = {
    { 0, "Outer Client Hello" },
    { 1, "Inner Client Hello" },
    { 0, NULL }
};
2840
2841/* RFC 9180 */
/* HPKE KEM identifiers (RFC 9180, section 7.1) as used by ECH configs.
 * Terminated by { 0, NULL }. */
const value_string kem_id_type_vals[] = {
    { 0x0000, "Reserved" },
    { 0x0010, "DHKEM(P-256, HKDF-SHA256)" },
    { 0x0011, "DHKEM(P-384, HKDF-SHA384)" },
    { 0x0012, "DHKEM(P-521, HKDF-SHA512)" },
    { 0x0020, "DHKEM(X25519, HKDF-SHA256)" },
    { 0x0021, "DHKEM(X448, HKDF-SHA512)" },
    { 0, NULL }
};
/* HPKE KDF identifiers (RFC 9180, section 7.2). Terminated by { 0, NULL }. */
const value_string kdf_id_type_vals[] = {
    { 0x0000, "Reserved" },
    { 0x0001, "HKDF-SHA256" },
    { 0x0002, "HKDF-SHA384" },
    { 0x0003, "HKDF-SHA512" },
    { 0, NULL }
};
/* HPKE AEAD identifiers (RFC 9180, section 7.3). 0xFFFF is the export-only
 * pseudo-AEAD that provides no encryption. Terminated by { 0, NULL }. */
const value_string aead_id_type_vals[] = {
    { 0x0000, "Reserved" },
    { 0x0001, "AES-128-GCM" },
    { 0x0002, "AES-256-GCM" },
    { 0x0003, "ChaCha20Poly1305" },
    { 0xFFFF, "Export-only" },
    { 0, NULL }
};
2866
/* Token Binding key parameter identifiers (token_binding extension).
 * Terminated by { 0, NULL }. */
const value_string token_binding_key_parameter_vals[] = {
    { 0, "rsa2048_pkcs1.5" },
    { 1, "rsa2048_pss" },
    { 2, "ecdsap256" },
    { 0, NULL }
};
2873
2874/* Lookup tables }}} */
2875
void
quic_transport_parameter_id_base_custom(char *result, uint64_t parameter_id)
{
    /* Format a QUIC transport parameter id as "<name> (0x..)" into result,
     * which must be at least ITEM_LABEL_LENGTH bytes. Ids matching the
     * GREASE pattern are labelled "GREASE" without consulting the table;
     * anything else not in quic_transport_parameter_id[] reads "Unknown". */
    const char *label = IS_GREASE_QUIC(parameter_id)
        ? "GREASE"
        : val64_to_str_const(parameter_id, quic_transport_parameter_id, "Unknown");

    snprintf(result, ITEM_LABEL_LENGTH, "%s (0x%02" PRIx64 ")", label, parameter_id);
}
2887
/* we keep this internal to packet-tls-utils, as there should be
   no need to access it any other way.

   This also allows us to hide the dependency on zlib.
*/
struct _SslDecompress {
    int compression;          /* negotiated compression method id */
#ifdef USE_ZLIB_OR_ZLIBNG
    zlib_stream istream;      /* inflate state; only present in zlib builds */
#endif
};
2899
/* To assist in parsing client/server key exchange messages
   0 indicates unknown */
/*
 * Map a TLS cipher suite number to its KEX_* key-exchange algorithm.
 * Only the key-exchange part of the suite matters here; cipher and digest
 * are resolved elsewhere (see cipher_suites[]). Suites not listed (including
 * every TLS 1.3 suite, which carries no key exchange in its id) yield 0.
 * The case labels are grouped by resulting algorithm and sorted ascending
 * within each group; keep new entries in that order.
 */
int ssl_get_keyex_alg(int cipher)
{
    /* Map Cipher suite number to Key Exchange algorithm {{{ */
    switch(cipher) {
    case 0x0017: case 0x0018: case 0x0019: case 0x001a: case 0x001b: case 0x0034:
    case 0x003a: case 0x0046: case 0x006c: case 0x006d: case 0x0089: case 0x009b:
    case 0x00a6: case 0x00a7: case 0x00bf: case 0x00c5: case 0xc084: case 0xc085:
        return KEX_DH_ANON;
    case 0x000b: case 0x000c: case 0x000d: case 0x0030: case 0x0036: case 0x003e:
    case 0x0042: case 0x0068: case 0x0085: case 0x0097: case 0x00a4: case 0x00a5:
    case 0x00bb: case 0x00c1: case 0xc082: case 0xc083:
        return KEX_DH_DSS;
    case 0x000e: case 0x000f: case 0x0010: case 0x0031: case 0x0037: case 0x003f:
    case 0x0043: case 0x0069: case 0x0086: case 0x0098: case 0x00a0: case 0x00a1:
    case 0x00bc: case 0x00c2: case 0xc07e: case 0xc07f:
        return KEX_DH_RSA;
    case 0x0011: case 0x0012: case 0x0013: case 0x0032: case 0x0038: case 0x0040:
    case 0x0044: case 0x0063: case 0x0065: case 0x0066: case 0x006a: case 0x0087:
    case 0x0099: case 0x00a2: case 0x00a3: case 0x00bd: case 0x00c3: case 0xc080:
    case 0xc081:
        return KEX_DHE_DSS;
    case 0x002d: case 0x008e: case 0x008f: case 0x0090: case 0x0091: case 0x00aa:
    case 0x00ab: case 0x00b2: case 0x00b3: case 0x00b4: case 0x00b5: case 0xc090:
    case 0xc091: case 0xc096: case 0xc097: case 0xc0a6: case 0xc0a7: case 0xc0aa:
    case 0xc0ab: case 0xccad: case 0xe41c: case 0xe41d:
        return KEX_DHE_PSK;
    case 0x0014: case 0x0015: case 0x0016: case 0x0033: case 0x0039: case 0x0045:
    case 0x0067: case 0x006b: case 0x0088: case 0x009a: case 0x009e: case 0x009f:
    case 0x00be: case 0x00c4: case 0xc07c: case 0xc07d: case 0xc09e: case 0xc09f:
    case 0xc0a2: case 0xc0a3: case 0xccaa: case 0xe41e: case 0xe41f:
        return KEX_DHE_RSA;
    case 0xc015: case 0xc016: case 0xc017: case 0xc018: case 0xc019:
        return KEX_ECDH_ANON;
    case 0xc001: case 0xc002: case 0xc003: case 0xc004: case 0xc005: case 0xc025:
    case 0xc026: case 0xc02d: case 0xc02e: case 0xc074: case 0xc075: case 0xc088:
    case 0xc089:
        return KEX_ECDH_ECDSA;
    case 0xc00b: case 0xc00c: case 0xc00d: case 0xc00e: case 0xc00f: case 0xc029:
    case 0xc02a: case 0xc031: case 0xc032: case 0xc078: case 0xc079: case 0xc08c:
    case 0xc08d:
        return KEX_ECDH_RSA;
    case 0xc006: case 0xc007: case 0xc008: case 0xc009: case 0xc00a: case 0xc023:
    case 0xc024: case 0xc02b: case 0xc02c: case 0xc072: case 0xc073: case 0xc086:
    case 0xc087: case 0xc0ac: case 0xc0ad: case 0xc0ae: case 0xc0af: case 0xcca9:
    case 0xe414: case 0xe415:
        return KEX_ECDHE_ECDSA;
    case 0xc033: case 0xc034: case 0xc035: case 0xc036: case 0xc037: case 0xc038:
    case 0xc039: case 0xc03a: case 0xc03b: case 0xc09a: case 0xc09b: case 0xccac:
    case 0xe418: case 0xe419: case 0xd001: case 0xd002: case 0xd003: case 0xd005:
        return KEX_ECDHE_PSK;
    case 0xc010: case 0xc011: case 0xc012: case 0xc013: case 0xc014: case 0xc027:
    case 0xc028: case 0xc02f: case 0xc030: case 0xc076: case 0xc077: case 0xc08a:
    case 0xc08b: case 0xcca8: case 0xe412: case 0xe413:
        return KEX_ECDHE_RSA;
    case 0x001e: case 0x001f: case 0x0020: case 0x0021: case 0x0022: case 0x0023:
    case 0x0024: case 0x0025: case 0x0026: case 0x0027: case 0x0028: case 0x0029:
    case 0x002a: case 0x002b:
        return KEX_KRB5;
    case 0x002c: case 0x008a: case 0x008b: case 0x008c: case 0x008d: case 0x00a8:
    case 0x00a9: case 0x00ae: case 0x00af: case 0x00b0: case 0x00b1: case 0xc064:
    case 0xc065: case 0xc08e: case 0xc08f: case 0xc094: case 0xc095: case 0xc0a4:
    case 0xc0a5: case 0xc0a8: case 0xc0a9: case 0xccab: case 0xe416: case 0xe417:
        return KEX_PSK;
    case 0x0001: case 0x0002: case 0x0003: case 0x0004: case 0x0005: case 0x0006:
    case 0x0007: case 0x0008: case 0x0009: case 0x000a: case 0x002f: case 0x0035:
    case 0x003b: case 0x003c: case 0x003d: case 0x0041: case 0x0060: case 0x0061:
    case 0x0062: case 0x0064: case 0x0084: case 0x0096: case 0x009c: case 0x009d:
    case 0x00ba: case 0x00c0: case 0xc07a: case 0xc07b: case 0xc09c: case 0xc09d:
    case 0xc0a0: case 0xc0a1: case 0xe410: case 0xe411: case 0xfefe: case 0xfeff:
    case 0xffe0: case 0xffe1:
        return KEX_RSA;
    case 0x002e: case 0x0092: case 0x0093: case 0x0094: case 0x0095: case 0x00ac:
    case 0x00ad: case 0x00b6: case 0x00b7: case 0x00b8: case 0x00b9: case 0xc092:
    case 0xc093: case 0xc098: case 0xc099: case 0xccae: case 0xe41a: case 0xe41b:
        return KEX_RSA_PSK;
    case 0xc01a: case 0xc01d: case 0xc020:
        return KEX_SRP_SHA;
    case 0xc01c: case 0xc01f: case 0xc022:
        return KEX_SRP_SHA_DSS;
    case 0xc01b: case 0xc01e: case 0xc021:
        return KEX_SRP_SHA_RSA;
    case 0xc0ff:
        return KEX_ECJPAKE;
    case 0xe003: case 0xe013: case 0xe053:
        return KEX_ECC_SM2;
    default:
        /* Unknown or key-exchange-less suite: fall through to 0. */
        break;
    }

    return 0;
    /* }}} */
}
3240
/* File-scoped list of SslDecryptSession pointers that carry a DTLS
 * connection id; consulted by ssl_get_session_by_cid() to find the session a
 * record belongs to when no address/port tuple is available. Created by
 * ssl_init_cid_list(), destroyed by ssl_cleanup_cid_list(). */
static wmem_list_t *connection_id_session_list;
3242
void
ssl_init_cid_list(void) {
    /* Start a new, empty connection-id session list in file scope. Any
     * list already stored in connection_id_session_list is not freed here. */
    wmem_list_t *fresh_list = wmem_list_new(wmem_file_scope());
    connection_id_session_list = fresh_list;
}
3247
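void
ssl_cleanup_cid_list(void) {
    /* Release the connection-id session list. The sessions themselves are
     * not owned by the list and are left alone. */
    wmem_destroy_list(connection_id_session_list);
    /* Clear the stale pointer: a lookup that slips in before the next
     * ssl_init_cid_list() then fails fast on NULL instead of walking freed
     * memory. */
    connection_id_session_list = NULL;
}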
3252
void
ssl_add_session_by_cid(SslDecryptSession *session)
{
    /* Register session so that ssl_get_session_by_cid() can find it by the
     * connection ids stored in session->session. The list keeps only the
     * pointer; ownership stays with the caller. */
    wmem_list_t *list = connection_id_session_list;
    wmem_list_append(list, session);
}
3258
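/* True when cid_len bytes at tvb[offset] equal cid. An empty id never
 * matches, and neither does a tvb too short to hold the id, so the compare
 * never reads past the buffer. */
static bool
ssl_cid_matches(tvbuff_t *tvb, uint32_t offset, const uint8_t *cid, size_t cid_len)
{
    if (cid_len == 0 || !tvb_bytes_exist(tvb, offset, (int)cid_len)) {
        return false;
    }
    return tvb_memeql(tvb, offset, cid, cid_len) == 0;
}

/*
 * Find the registered session whose client or server connection id appears
 * at tvb[offset]. Returns the first match in registration order, or NULL.
 *
 * Previously only the client-id branch checked tvb_bytes_exist() before
 * comparing; the server-id branch now does the same so both sides are
 * bounds-checked identically rather than relying on tvb_memeql() to reject
 * short data.
 */
SslDecryptSession *
ssl_get_session_by_cid(tvbuff_t *tvb, uint32_t offset)
{
    for (wmem_list_frame_t *it = wmem_list_head(connection_id_session_list);
         it != NULL; it = wmem_list_frame_next(it)) {
        SslDecryptSession *ssl = (SslDecryptSession *)wmem_list_frame_data(it);
        DISSECTOR_ASSERT(ssl != NULL);
        SslSession *session = &ssl->session;

        if (ssl_cid_matches(tvb, offset, session->client_cid, session->client_cid_len) ||
            ssl_cid_matches(tvb, offset, session->server_cid, session->server_cid_len)) {
            return ssl;
        }
    }

    return NULL;
}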
3287
3288/* StringInfo structure (len + data) functions {{{ */
3289
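/*
 * Allocate len bytes for str->data on the GLib heap and record the length.
 * Returns 0 on success, -1 if len cannot be represented in data_len or the
 * allocator returned NULL for a non-zero size. The caller owns str->data
 * and must release it with g_free(); the contents are not initialised.
 */
int
ssl_data_alloc(StringInfo* str, size_t len)
{
    /* data_len is an unsigned: refuse sizes it cannot hold instead of
     * silently recording a truncated length for a larger buffer. */
    if ((size_t)(unsigned) len != len)
        return -1;
    str->data = (unsigned char *)g_malloc(len);
    /* the allocator can return a null pointer for a size equal to 0,
     * and that must be allowed */
    if (len > 0 && !str->data)
        return -1;
    str->data_len = (unsigned) len;
    return 0;
}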
3301
/*
 * Copy len bytes from data into str->data and set str->data_len = len.
 * No allocation happens here: str->data must already point at a buffer of
 * at least len bytes. data must not be NULL (dissector assertion).
 */
void
ssl_data_set(StringInfo* str, const unsigned char* data, unsigned len)
{
    DISSECTOR_ASSERT(data);
    unsigned char *dst = str->data;
    memcpy(dst, data, len);
    str->data_len = len;
}
3309
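/*
 * Resize str->data to len bytes with g_realloc() and record the new length.
 * Returns 0 on success, -1 on failure; on failure str->data and
 * str->data_len are left untouched (the old buffer is still valid and owned
 * by the caller). A zero len is accepted and may leave str->data NULL, the
 * same convention ssl_data_alloc() uses.
 */
static int
ssl_data_realloc(StringInfo* str, unsigned len)
{
    /* Never assign the realloc result straight to str->data: on a NULL
     * result that would drop the only reference to the old buffer. */
    unsigned char *grown = (unsigned char *)g_realloc(str->data, len);
    if (len > 0 && !grown)
        return -1;
    str->data = grown;
    str->data_len = len;
    return 0;
}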
3319
/*
 * Deep-copy str into one file-scoped allocation: the StringInfo header
 * immediately followed by its bytes. The result lives until the file scope
 * is torn down and must not be freed individually.
 */
static StringInfo *
ssl_data_clone(StringInfo *str)
{
    const size_t total = sizeof(StringInfo) + str->data_len;
    StringInfo *copy = (StringInfo *) wmem_alloc0(wmem_file_scope(), total);

    /* Payload sits right after the header inside the same allocation. */
    copy->data = (unsigned char *) (copy + 1);
    ssl_data_set(copy, str->data, str->data_len);
    return copy;
}
3330
/*
 * Copy src's bytes into dst, growing dst->data first when dst->data_len
 * (treated here as its capacity) is too small. Returns 0 on success, -1 if
 * the reallocation failed, in which case dst is unchanged.
 */
static int
ssl_data_copy(StringInfo* dst, StringInfo* src)
{
    const unsigned needed = src->data_len;

    if (dst->data_len < needed && ssl_data_realloc(dst, needed) != 0)
        return -1;
    memcpy(dst->data, src->data, needed);
    dst->data_len = needed;
    return 0;
}
3342
/* from_hex converts |hex_len| bytes of hex data from |in| and sets |*out| to
 * the result. |out->data| will be allocated using wmem_file_scope. Returns true on
 * success.
 *
 * On failure (odd length or a non-hex character) out->data_len is not
 * updated; out->data may already point at the partially filled file-scoped
 * buffer, which is reclaimed with the scope. */
static bool from_hex(StringInfo* out, const char* in, size_t hex_len) {
    if (hex_len % 2 != 0)
        return false;

    const size_t byte_count = hex_len / 2;
    out->data = (unsigned char *)wmem_alloc(wmem_file_scope(), byte_count);

    const char *cursor = in;
    for (size_t i = 0; i < byte_count; i++, cursor += 2) {
        const int hi = ws_xton(cursor[0]);
        const int lo = ws_xton(cursor[1]);
        if (hi == -1 || lo == -1)
            return false;
        out->data[i] = hi << 4 | lo;
    }
    out->data_len = (unsigned)hex_len / 2;
    return true;
}
3363/* StringInfo structure (len + data) functions }}} */
3364
3365
3366/* libgcrypt wrappers for HMAC/message digest operations {{{ */
3367/* hmac abstraction layer */
3368#define SSL_HMACgcry_md_hd_t gcry_md_hd_t
3369
/* Open a libgcrypt digest handle in HMAC mode for algo.
 * Returns 0 on success; -1 after logging the libgcrypt error text. */
static inline int
ssl_hmac_init(SSL_HMAC* md, int algo)
{
    const gcry_error_t rc = gcry_md_open(md, algo, GCRY_MD_FLAG_HMAC);
    if (rc == 0)
        return 0;

    ssl_debug_printf("ssl_hmac_init(): gcry_md_open failed %s/%s",
                     gcry_strerror(rc), gcry_strsource(rc));
    return -1;
}
3385
/* Install the HMAC key (len bytes at key) on an open handle.
 * Returns 0 on success; -1 after logging the libgcrypt error text. */
static inline int
ssl_hmac_setkey(SSL_HMAC* md, const void * key, int len)
{
    const gcry_error_t rc = gcry_md_setkey(*md, key, len);
    if (rc == 0)
        return 0;

    ssl_debug_printf("ssl_hmac_setkey(): gcry_md_setkey failed %s/%s",
                     gcry_strerror(rc), gcry_strsource(rc));
    return -1;
}
3401
/* Reset the HMAC state so the handle can absorb a fresh message with the
 * same key. Always returns 0. */
static inline int
ssl_hmac_reset(SSL_HMAC* md)
{
    gcry_md_hd_t handle = *md;
    gcry_md_reset(handle);
    return 0;
}
3408
/* Feed len bytes at data into the running HMAC. */
static inline void
ssl_hmac_update(SSL_HMAC* md, const void* data, int len)
{
    gcry_md_hd_t handle = *md;
    gcry_md_write(handle, data, len);
}
/*
 * Copy the finished MAC into data and store its length in *datalen.
 * On entry *datalen is the capacity of data; the dissector assertion refuses
 * to write a digest longer than that.
 */
static inline void
ssl_hmac_final(SSL_HMAC* md, unsigned char* data, unsigned* datalen)
{
    const int algo = gcry_md_get_algo(*md);
    const unsigned mac_len = gcry_md_get_algo_dlen(algo);

    DISSECTOR_ASSERT(mac_len <= *datalen);
    const unsigned char *mac = gcry_md_read(*md, algo);
    memcpy(data, mac, mac_len);
    *datalen = mac_len;
}
/* Close the HMAC handle; *md must not be used afterwards. */
static inline void
ssl_hmac_cleanup(SSL_HMAC* md)
{
    gcry_md_hd_t handle = *md;
    gcry_md_close(handle);
}
3431
3432/* message digest abstraction layer*/
3433#define SSL_MDgcry_md_hd_t gcry_md_hd_t
3434
/* Open a plain (non-HMAC) libgcrypt digest handle for algo.
 * Returns 0 on success; -1 after logging the libgcrypt error text. */
static inline int
ssl_md_init(SSL_MD* md, int algo)
{
    const gcry_error_t rc = gcry_md_open(md, algo, 0);
    if (rc == 0)
        return 0;

    ssl_debug_printf("ssl_md_init(): gcry_md_open failed %s/%s",
                     gcry_strerror(rc), gcry_strsource(rc));
    return -1;
}
/* Feed len bytes at data into the running digest. */
static inline void
ssl_md_update(SSL_MD* md, const unsigned char* data, unsigned len)
{
    gcry_md_hd_t handle = *md;
    gcry_md_write(handle, data, len);
}
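/*
 * Copy the finished digest into data and store its length in *datalen.
 * On entry *datalen is the capacity of data. The bound check mirrors
 * ssl_hmac_final(): an undersized buffer now trips a dissector assertion
 * instead of letting memcpy() write past the end of data.
 */
static inline void
ssl_md_final(SSL_MD* md, unsigned char* data, unsigned* datalen)
{
    int algo;
    unsigned len;

    algo = gcry_md_get_algo (*(md));
    len = gcry_md_get_algo_dlen (algo);
    DISSECTOR_ASSERT(len <= *datalen);
    memcpy(data, gcry_md_read(*(md), algo), len);
    *datalen = len;
}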
/* Close the digest handle; *md must not be used afterwards. */
static inline void
ssl_md_cleanup(SSL_MD* md)
{
    gcry_md_hd_t handle = *md;
    gcry_md_close(handle);
}
3469
/* Reset the digest state so the handle can hash a fresh message. */
static inline void
ssl_md_reset(SSL_MD* md)
{
    gcry_md_hd_t handle = *md;
    gcry_md_reset(handle);
}
3475
3476/* md5 /sha abstraction layer */
3477#define SSL_SHA_CTXgcry_md_hd_t gcry_md_hd_t
3478#define SSL_MD5_CTXgcry_md_hd_t gcry_md_hd_t
3479
/* Open a SHA-1 digest handle (used for the TLS 1.0/1.1 PRF and Finished).
 * Returns 0 on success; -1 after logging the libgcrypt error text. */
static inline int
ssl_sha_init(SSL_SHA_CTX* md)
{
    const gcry_error_t rc = gcry_md_open(md, GCRY_MD_SHA1, 0);
    if (rc == 0)
        return 0;

    ssl_debug_printf("ssl_sha_init(): gcry_md_open failed %s/%s",
                     gcry_strerror(rc), gcry_strsource(rc));
    return -1;
}
/* Feed len bytes at data into the running SHA-1. */
static inline void
ssl_sha_update(SSL_SHA_CTX* md, unsigned char* data, int len)
{
    gcry_md_hd_t handle = *md;
    gcry_md_write(handle, data, len);
}
/* Copy the finished SHA-1 digest into buf, which must have room for
 * gcry_md_get_algo_dlen(GCRY_MD_SHA1) bytes (20 for SHA-1); there is no
 * length parameter to check against. */
static inline void
ssl_sha_final(unsigned char* buf, SSL_SHA_CTX* md)
{
    const size_t digest_len = gcry_md_get_algo_dlen(GCRY_MD_SHA1);
    const unsigned char *digest = gcry_md_read(*md, GCRY_MD_SHA1);
    memcpy(buf, digest, digest_len);
}
3505
/* Reset the SHA-1 state so the handle can hash a fresh message. */
static inline void
ssl_sha_reset(SSL_SHA_CTX* md)
{
    gcry_md_hd_t handle = *md;
    gcry_md_reset(handle);
}
3511
/* Close the SHA-1 handle; *md must not be used afterwards. */
static inline void
ssl_sha_cleanup(SSL_SHA_CTX* md)
{
    gcry_md_hd_t handle = *md;
    gcry_md_close(handle);
}
3517
/* Open an MD5 digest handle (used for the TLS 1.0/1.1 PRF and Finished).
 * Returns 0 on success; -1 after logging the libgcrypt error text. */
static inline int
ssl_md5_init(SSL_MD5_CTX* md)
{
    const gcry_error_t rc = gcry_md_open(md, GCRY_MD_MD5, 0);
    if (rc == 0)
        return 0;

    ssl_debug_printf("ssl_md5_init(): gcry_md_open failed %s/%s",
                     gcry_strerror(rc), gcry_strsource(rc));
    return -1;
}
/* Feed len bytes at data into the running MD5. */
static inline void
ssl_md5_update(SSL_MD5_CTX* md, unsigned char* data, int len)
{
    gcry_md_hd_t handle = *md;
    gcry_md_write(handle, data, len);
}
/* Copy the finished MD5 digest into buf, which must have room for
 * gcry_md_get_algo_dlen(GCRY_MD_MD5) bytes (16 for MD5); there is no
 * length parameter to check against. */
static inline void
ssl_md5_final(unsigned char* buf, SSL_MD5_CTX* md)
{
    const size_t digest_len = gcry_md_get_algo_dlen(GCRY_MD_MD5);
    const unsigned char *digest = gcry_md_read(*md, GCRY_MD_MD5);
    memcpy(buf, digest, digest_len);
}
3543
/* Reset the MD5 state so the handle can hash a fresh message. */
static inline void
ssl_md5_reset(SSL_MD5_CTX* md)
{
    gcry_md_hd_t handle = *md;
    gcry_md_reset(handle);
}
3549
/* Close the MD5 handle; *md must not be used afterwards. */
static inline void
ssl_md5_cleanup(SSL_MD5_CTX* md)
{
    gcry_md_hd_t handle = *md;
    gcry_md_close(handle);
}
3555/* libgcrypt wrappers for HMAC/message digest operations }}} */
3556
3557/* libgcrypt wrappers for Cipher state manipulation {{{ */
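/*
 * Set a fresh IV of iv_len bytes on an open cipher handle. Returns the
 * libgcrypt error code (0 on success). The separator lines are kept for the
 * debug log; the former "#if 0" IV hex-dump that sat between them was dead
 * code (it also stepped i twice per iteration) and has been dropped.
 *
 * NOTE(review): the NULL-cipher sentinel ((gcry_cipher_hd_t)-1) used by
 * ssl_cipher_init() is not special-cased here; presumably callers never set
 * an IV on a NULL cipher - confirm before relying on it.
 */
int
ssl_cipher_setiv(SSL_CIPHER_CTX *cipher, unsigned char* iv, int iv_len)
{
    int ret;

    ssl_debug_printf("--------------------------------------------------------------------");
    ssl_debug_printf("--------------------------------------------------------------------");
    ret = gcry_cipher_setiv(*(cipher), iv, iv_len);
    ssl_debug_printf("--------------------------------------------------------------------");
    return ret;
}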
3588/* stream cipher abstraction layer*/
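/*
 * Open a libgcrypt cipher handle for algo in the dissector's MODE_* mode and
 * load the key sk (key length taken from the algorithm). For MODE_CBC the
 * IV is set from iv as well; AEAD modes get their nonce later. algo == -1
 * selects the NULL cipher, represented by the (gcry_cipher_hd_t)-1 sentinel
 * that ssl_cipher_decrypt()/ssl_cipher_cleanup() understand.
 *
 * Returns 0 on success, -1 on failure. On failure no handle is left open and
 * *cipher is NULL, so a subsequent ssl_cipher_cleanup() is harmless
 * (gcry_cipher_close() ignores a NULL handle).
 */
static int
ssl_cipher_init(gcry_cipher_hd_t *cipher, int algo, unsigned char* sk,
                unsigned char* iv, int mode)
{
    /* Indexed by the dissector's MODE_* value. */
    static const int gcry_modes[] = {
        GCRY_CIPHER_MODE_STREAM,
        GCRY_CIPHER_MODE_CBC,
        GCRY_CIPHER_MODE_GCM,
        GCRY_CIPHER_MODE_CCM,
        GCRY_CIPHER_MODE_CCM,
        GCRY_CIPHER_MODE_POLY1305,
        GCRY_CIPHER_MODE_ECB, /* used for DTLSv1.3 seq number encryption */
    };
    int err;

    if (algo == -1) {
        /* NULL mode */
        *(cipher) = (gcry_cipher_hd_t)-1;
        return 0;
    }
    /* mode presumably comes from the cipher_suites[] table; bound the index
     * anyway so a bad entry fails cleanly instead of reading past the
     * array. */
    if (mode < 0 || (size_t)mode >= sizeof(gcry_modes) / sizeof(gcry_modes[0]))
        return -1;
    err = gcry_cipher_open(cipher, algo, gcry_modes[mode], 0);
    if (err != 0)
        return -1;
    err = gcry_cipher_setkey(*(cipher), sk, gcry_cipher_get_algo_keylen (algo));
    if (err != 0)
        goto fail;
    /* AEAD cipher suites will set the nonce later. */
    if (mode == MODE_CBC) {
        err = gcry_cipher_setiv(*(cipher), iv, gcry_cipher_get_algo_blklen(algo));
        if (err != 0)
            goto fail;
    }
    return 0;

fail:
    /* Do not leak the handle opened above. */
    gcry_cipher_close(*(cipher));
    *(cipher) = NULL;
    return -1;
}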
/*
 * Decrypt inl bytes from in into out (capacity outl). For the NULL-cipher
 * sentinel the bytes are copied through unchanged, truncated to the smaller
 * of the two lengths, and 0 is returned; otherwise the libgcrypt result is
 * returned as-is.
 */
static inline int
ssl_cipher_decrypt(gcry_cipher_hd_t *cipher, unsigned char * out, int outl,
                   const unsigned char * in, int inl)
{
    const bool null_cipher = (*cipher == (gcry_cipher_hd_t)-1);

    if (!null_cipher)
        return gcry_cipher_decrypt(*cipher, out, outl, in, inl);

    if (in != NULL && inl != 0) {
        const int to_copy = (outl < inl) ? outl : inl;
        memcpy(out, in, to_copy);
    }
    return 0;
}
/* Resolve a libgcrypt digest name ("SHA256", ...) to its GCRY_MD_* id;
 * the libgcrypt mapping result is returned unchanged. */
static inline int
ssl_get_digest_by_name(const char*name)
{
    const int algo = gcry_md_map_name(name);
    return algo;
}
/* Resolve a libgcrypt cipher name (see ciphers[]) to its GCRY_CIPHER_* id;
 * the libgcrypt mapping result is returned unchanged. */
static inline int
ssl_get_cipher_by_name(const char* name)
{
    const int algo = gcry_cipher_map_name(name);
    return algo;
}
3644
/* Close the cipher handle unless it is the NULL-cipher sentinel, and clear
 * *cipher so a second cleanup cannot close it twice. */
static inline void
ssl_cipher_cleanup(gcry_cipher_hd_t *cipher)
{
    gcry_cipher_hd_t handle = *cipher;
    *cipher = NULL;
    if (handle != (gcry_cipher_hd_t)-1)
        gcry_cipher_close(handle);
}
3652/* }}} */
3653
3654/* Digests, Ciphers and Cipher Suites registry {{{ */
/* Digest algorithms known to the cipher-suite table: libgcrypt name and
 * output length in bytes. The array is indexed by (DIG_* - DIG_MD5), see
 * ssl_cipher_suite_dig(); the last entry is the "not applicable" fallback,
 * so the order must stay in step with the DIG_* constants. */
static const SslDigestAlgo digests[]={
    {"MD5", 16},
    {"SHA1", 20},
    {"SHA256", 32},
    {"SHA384", 48},
    {"SM3", 32},
    {"Not Applicable", 0},
};
3663
3664#define DIGEST_MAX_SIZE48 48
3665
3666/* get index digest index */
/* Return the digests[] entry for cs->dig. A NULL suite or a dig value
 * outside DIG_MD5..DIG_NA resolves to the "Not Applicable" entry rather
 * than indexing out of range. */
static const SslDigestAlgo *
ssl_cipher_suite_dig(const SslCipherSuite *cs) {
    size_t idx = DIG_NA - DIG_MD5;

    if (cs != NULL && cs->dig >= DIG_MD5 && cs->dig <= DIG_NA) {
        idx = cs->dig - DIG_MD5;
    }
    return &digests[idx];
}
3674
/* libgcrypt algorithm names for the bulk ciphers, resolved at run time with
 * ssl_get_cipher_by_name(). Presumably indexed by the ENC_* constants in
 * the same way digests[] is indexed by DIG_* - verify against the lookup
 * that consumes it before reordering; the final "*UNKNOWN*" entry is the
 * fallback. */
static const char *ciphers[]={
    "DES",
    "3DES",
    "ARCFOUR", /* libgcrypt does not support rc4, but this should be 100% compatible*/
    "RFC2268_128", /* libgcrypt name for RC2 with a 128-bit key */
    "IDEA",
    "AES",
    "AES256",
    "CAMELLIA128",
    "CAMELLIA256",
    "SEED",
    "CHACHA20", /* since Libgcrypt 1.7.0 */
    "SM1",
    "SM4",
    "*UNKNOWN*"
};
3691
3692static const SslCipherSuite cipher_suites[]={
3693 {0x0001,KEX_RSA0x1e, ENC_NULL0x3D, DIG_MD50x40, MODE_STREAM}, /* TLS_RSA_WITH_NULL_MD5 */
3694 {0x0002,KEX_RSA0x1e, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_RSA_WITH_NULL_SHA */
3695 {0x0003,KEX_RSA0x1e, ENC_RC40x32, DIG_MD50x40, MODE_STREAM}, /* TLS_RSA_EXPORT_WITH_RC4_40_MD5 */
3696 {0x0004,KEX_RSA0x1e, ENC_RC40x32, DIG_MD50x40, MODE_STREAM}, /* TLS_RSA_WITH_RC4_128_MD5 */
3697 {0x0005,KEX_RSA0x1e, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_RSA_WITH_RC4_128_SHA */
3698 {0x0006,KEX_RSA0x1e, ENC_RC20x33, DIG_MD50x40, MODE_CBC }, /* TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 */
3699 {0x0007,KEX_RSA0x1e, ENC_IDEA0x34, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_IDEA_CBC_SHA */
3700 {0x0008,KEX_RSA0x1e, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_EXPORT_WITH_DES40_CBC_SHA */
3701 {0x0009,KEX_RSA0x1e, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_DES_CBC_SHA */
3702 {0x000A,KEX_RSA0x1e, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_3DES_EDE_CBC_SHA */
3703 {0x000B,KEX_DH_DSS0x14, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA */
3704 {0x000C,KEX_DH_DSS0x14, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_DES_CBC_SHA */
3705 {0x000D,KEX_DH_DSS0x14, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA */
3706 {0x000E,KEX_DH_RSA0x15, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA */
3707 {0x000F,KEX_DH_RSA0x15, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_DES_CBC_SHA */
3708 {0x0010,KEX_DH_RSA0x15, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA */
3709 {0x0011,KEX_DHE_DSS0x10, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA */
3710 {0x0012,KEX_DHE_DSS0x10, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_DES_CBC_SHA */
3711 {0x0013,KEX_DHE_DSS0x10, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA */
3712 {0x0014,KEX_DHE_RSA0x12, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA */
3713 {0x0015,KEX_DHE_RSA0x12, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_DES_CBC_SHA */
3714 {0x0016,KEX_DHE_RSA0x12, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA */
3715 {0x0017,KEX_DH_ANON0x13, ENC_RC40x32, DIG_MD50x40, MODE_STREAM}, /* TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 */
3716 {0x0018,KEX_DH_ANON0x13, ENC_RC40x32, DIG_MD50x40, MODE_STREAM}, /* TLS_DH_anon_WITH_RC4_128_MD5 */
3717 {0x0019,KEX_DH_ANON0x13, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA */
3718 {0x001A,KEX_DH_ANON0x13, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_DES_CBC_SHA */
3719 {0x001B,KEX_DH_ANON0x13, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_3DES_EDE_CBC_SHA */
3720 {0x002C,KEX_PSK0x1d, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_PSK_WITH_NULL_SHA */
3721 {0x002D,KEX_DHE_PSK0x11, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_DHE_PSK_WITH_NULL_SHA */
3722 {0x002E,KEX_RSA_PSK0x1f, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_RSA_PSK_WITH_NULL_SHA */
3723 {0x002F,KEX_RSA0x1e, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_AES_128_CBC_SHA */
3724 {0x0030,KEX_DH_DSS0x14, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_AES_128_CBC_SHA */
3725 {0x0031,KEX_DH_RSA0x15, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_AES_128_CBC_SHA */
3726 {0x0032,KEX_DHE_DSS0x10, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_AES_128_CBC_SHA */
3727 {0x0033,KEX_DHE_RSA0x12, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_AES_128_CBC_SHA */
3728 {0x0034,KEX_DH_ANON0x13, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_AES_128_CBC_SHA */
3729 {0x0035,KEX_RSA0x1e, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_AES_256_CBC_SHA */
3730 {0x0036,KEX_DH_DSS0x14, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_AES_256_CBC_SHA */
3731 {0x0037,KEX_DH_RSA0x15, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_AES_256_CBC_SHA */
3732 {0x0038,KEX_DHE_DSS0x10, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_AES_256_CBC_SHA */
3733 {0x0039,KEX_DHE_RSA0x12, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_AES_256_CBC_SHA */
3734 {0x003A,KEX_DH_ANON0x13, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_AES_256_CBC_SHA */
3735 {0x003B,KEX_RSA0x1e, ENC_NULL0x3D, DIG_SHA2560x42, MODE_STREAM}, /* TLS_RSA_WITH_NULL_SHA256 */
3736 {0x003C,KEX_RSA0x1e, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_RSA_WITH_AES_128_CBC_SHA256 */
3737 {0x003D,KEX_RSA0x1e, ENC_AES2560x36, DIG_SHA2560x42, MODE_CBC }, /* TLS_RSA_WITH_AES_256_CBC_SHA256 */
3738 {0x003E,KEX_DH_DSS0x14, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_DSS_WITH_AES_128_CBC_SHA256 */
3739 {0x003F,KEX_DH_RSA0x15, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_RSA_WITH_AES_128_CBC_SHA256 */
3740 {0x0040,KEX_DHE_DSS0x10, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 */
3741 {0x0041,KEX_RSA0x1e, ENC_CAMELLIA1280x37,DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_CAMELLIA_128_CBC_SHA */
3742 {0x0042,KEX_DH_DSS0x14, ENC_CAMELLIA1280x37,DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA */
3743 {0x0043,KEX_DH_RSA0x15, ENC_CAMELLIA1280x37,DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA */
3744 {0x0044,KEX_DHE_DSS0x10, ENC_CAMELLIA1280x37,DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA */
3745 {0x0045,KEX_DHE_RSA0x12, ENC_CAMELLIA1280x37,DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA */
3746 {0x0046,KEX_DH_ANON0x13, ENC_CAMELLIA1280x37,DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA */
3747 {0x0060,KEX_RSA0x1e, ENC_RC40x32, DIG_MD50x40, MODE_STREAM}, /* TLS_RSA_EXPORT1024_WITH_RC4_56_MD5 */
3748 {0x0061,KEX_RSA0x1e, ENC_RC20x33, DIG_MD50x40, MODE_STREAM}, /* TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 */
3749 {0x0062,KEX_RSA0x1e, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA */
3750 {0x0063,KEX_DHE_DSS0x10, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA */
3751 {0x0064,KEX_RSA0x1e, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_RSA_EXPORT1024_WITH_RC4_56_SHA */
3752 {0x0065,KEX_DHE_DSS0x10, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA */
3753 {0x0066,KEX_DHE_DSS0x10, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_DHE_DSS_WITH_RC4_128_SHA */
3754 {0x0067,KEX_DHE_RSA0x12, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 */
3755 {0x0068,KEX_DH_DSS0x14, ENC_AES2560x36, DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_DSS_WITH_AES_256_CBC_SHA256 */
3756 {0x0069,KEX_DH_RSA0x15, ENC_AES2560x36, DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_RSA_WITH_AES_256_CBC_SHA256 */
3757 {0x006A,KEX_DHE_DSS0x10, ENC_AES2560x36, DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 */
3758 {0x006B,KEX_DHE_RSA0x12, ENC_AES2560x36, DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 */
3759 {0x006C,KEX_DH_ANON0x13, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_anon_WITH_AES_128_CBC_SHA256 */
3760 {0x006D,KEX_DH_ANON0x13, ENC_AES2560x36, DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_anon_WITH_AES_256_CBC_SHA256 */
3761 {0x0084,KEX_RSA0x1e, ENC_CAMELLIA2560x38,DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_CAMELLIA_256_CBC_SHA */
3762 {0x0085,KEX_DH_DSS0x14, ENC_CAMELLIA2560x38,DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA */
3763 {0x0086,KEX_DH_RSA0x15, ENC_CAMELLIA2560x38,DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA */
3764 {0x0087,KEX_DHE_DSS0x10, ENC_CAMELLIA2560x38,DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA */
3765 {0x0088,KEX_DHE_RSA0x12, ENC_CAMELLIA2560x38,DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA */
3766 {0x0089,KEX_DH_ANON0x13, ENC_CAMELLIA2560x38,DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA */
3767 {0x008A,KEX_PSK0x1d, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_PSK_WITH_RC4_128_SHA */
3768 {0x008B,KEX_PSK0x1d, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_PSK_WITH_3DES_EDE_CBC_SHA */
3769 {0x008C,KEX_PSK0x1d, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_PSK_WITH_AES_128_CBC_SHA */
3770 {0x008D,KEX_PSK0x1d, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_PSK_WITH_AES_256_CBC_SHA */
3771 {0x008E,KEX_DHE_PSK0x11, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_DHE_PSK_WITH_RC4_128_SHA */
3772 {0x008F,KEX_DHE_PSK0x11, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA */
3773 {0x0090,KEX_DHE_PSK0x11, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_PSK_WITH_AES_128_CBC_SHA */
3774 {0x0091,KEX_DHE_PSK0x11, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_PSK_WITH_AES_256_CBC_SHA */
3775 {0x0092,KEX_RSA_PSK0x1f, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_RSA_PSK_WITH_RC4_128_SHA */
3776 {0x0093,KEX_RSA_PSK0x1f, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA */
3777 {0x0094,KEX_RSA_PSK0x1f, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_PSK_WITH_AES_128_CBC_SHA */
3778 {0x0095,KEX_RSA_PSK0x1f, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_PSK_WITH_AES_256_CBC_SHA */
3779 {0x0096,KEX_RSA0x1e, ENC_SEED0x39, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_SEED_CBC_SHA */
3780 {0x0097,KEX_DH_DSS0x14, ENC_SEED0x39, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_SEED_CBC_SHA */
3781 {0x0098,KEX_DH_RSA0x15, ENC_SEED0x39, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_SEED_CBC_SHA */
3782 {0x0099,KEX_DHE_DSS0x10, ENC_SEED0x39, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_SEED_CBC_SHA */
3783 {0x009A,KEX_DHE_RSA0x12, ENC_SEED0x39, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_SEED_CBC_SHA */
3784 {0x009B,KEX_DH_ANON0x13, ENC_SEED0x39, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_SEED_CBC_SHA */
3785 {0x009C,KEX_RSA0x1e, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_RSA_WITH_AES_128_GCM_SHA256 */
3786 {0x009D,KEX_RSA0x1e, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_RSA_WITH_AES_256_GCM_SHA384 */
3787 {0x009E,KEX_DHE_RSA0x12, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 */
3788 {0x009F,KEX_DHE_RSA0x12, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 */
3789 {0x00A0,KEX_DH_RSA0x15, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_DH_RSA_WITH_AES_128_GCM_SHA256 */
3790 {0x00A1,KEX_DH_RSA0x15, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_DH_RSA_WITH_AES_256_GCM_SHA384 */
3791 {0x00A2,KEX_DHE_DSS0x10, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 */
3792 {0x00A3,KEX_DHE_DSS0x10, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 */
3793 {0x00A4,KEX_DH_DSS0x14, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_DH_DSS_WITH_AES_128_GCM_SHA256 */
3794 {0x00A5,KEX_DH_DSS0x14, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_DH_DSS_WITH_AES_256_GCM_SHA384 */
3795 {0x00A6,KEX_DH_ANON0x13, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_DH_anon_WITH_AES_128_GCM_SHA256 */
3796 {0x00A7,KEX_DH_ANON0x13, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_DH_anon_WITH_AES_256_GCM_SHA384 */
3797 {0x00A8,KEX_PSK0x1d, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_PSK_WITH_AES_128_GCM_SHA256 */
3798 {0x00A9,KEX_PSK0x1d, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_PSK_WITH_AES_256_GCM_SHA384 */
3799 {0x00AA,KEX_DHE_PSK0x11, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 */
3800 {0x00AB,KEX_DHE_PSK0x11, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 */
3801 {0x00AC,KEX_RSA_PSK0x1f, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 */
3802 {0x00AD,KEX_RSA_PSK0x1f, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 */
3803 {0x00AE,KEX_PSK0x1d, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_PSK_WITH_AES_128_CBC_SHA256 */
3804 {0x00AF,KEX_PSK0x1d, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_PSK_WITH_AES_256_CBC_SHA384 */
3805 {0x00B0,KEX_PSK0x1d, ENC_NULL0x3D, DIG_SHA2560x42, MODE_STREAM}, /* TLS_PSK_WITH_NULL_SHA256 */
3806 {0x00B1,KEX_PSK0x1d, ENC_NULL0x3D, DIG_SHA3840x43, MODE_STREAM}, /* TLS_PSK_WITH_NULL_SHA384 */
3807 {0x00B2,KEX_DHE_PSK0x11, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 */
3808 {0x00B3,KEX_DHE_PSK0x11, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 */
3809 {0x00B4,KEX_DHE_PSK0x11, ENC_NULL0x3D, DIG_SHA2560x42, MODE_STREAM}, /* TLS_DHE_PSK_WITH_NULL_SHA256 */
3810 {0x00B5,KEX_DHE_PSK0x11, ENC_NULL0x3D, DIG_SHA3840x43, MODE_STREAM}, /* TLS_DHE_PSK_WITH_NULL_SHA384 */
3811 {0x00B6,KEX_RSA_PSK0x1f, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 */
3812 {0x00B7,KEX_RSA_PSK0x1f, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 */
3813 {0x00B8,KEX_RSA_PSK0x1f, ENC_NULL0x3D, DIG_SHA2560x42, MODE_STREAM}, /* TLS_RSA_PSK_WITH_NULL_SHA256 */
3814 {0x00B9,KEX_RSA_PSK0x1f, ENC_NULL0x3D, DIG_SHA3840x43, MODE_STREAM}, /* TLS_RSA_PSK_WITH_NULL_SHA384 */
3815 {0x00BA,KEX_RSA0x1e, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 */
3816 {0x00BB,KEX_DH_DSS0x14, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256 */
3817 {0x00BC,KEX_DH_RSA0x15, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256 */
3818 {0x00BD,KEX_DHE_DSS0x10, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256 */
3819 {0x00BE,KEX_DHE_RSA0x12, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 */
3820 {0x00BF,KEX_DH_ANON0x13, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256 */
3821 {0x00C0,KEX_RSA0x1e, ENC_CAMELLIA2560x38,DIG_SHA2560x42, MODE_CBC }, /* TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 */
3822 {0x00C1,KEX_DH_DSS0x14, ENC_CAMELLIA2560x38,DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256 */
3823 {0x00C2,KEX_DH_RSA0x15, ENC_CAMELLIA2560x38,DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256 */
3824 {0x00C3,KEX_DHE_DSS0x10, ENC_CAMELLIA2560x38,DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256 */
3825 {0x00C4,KEX_DHE_RSA0x12, ENC_CAMELLIA2560x38,DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 */
3826 {0x00C5,KEX_DH_ANON0x13, ENC_CAMELLIA2560x38,DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256 */
3827
3828 /* NOTE: TLS 1.3 cipher suites are incompatible with TLS 1.2. */
3829 {0x1301,KEX_TLS130x23, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_AES_128_GCM_SHA256 */
3830 {0x1302,KEX_TLS130x23, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_AES_256_GCM_SHA384 */
3831 {0x1303,KEX_TLS130x23, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_CHACHA20_POLY1305_SHA256 */
3832 {0x1304,KEX_TLS130x23, ENC_AES0x35, DIG_SHA2560x42, MODE_CCM }, /* TLS_AES_128_CCM_SHA256 */
3833 {0x1305,KEX_TLS130x23, ENC_AES0x35, DIG_SHA2560x42, MODE_CCM_8 }, /* TLS_AES_128_CCM_8_SHA256 */
3834 {0x00C6,KEX_TLS130x23, ENC_SM40x3C, DIG_SM30x44, MODE_GCM }, /* TLS_SM4_GCM_SM3 */
3835
3836 {0xC001,KEX_ECDH_ECDSA0x1a, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDH_ECDSA_WITH_NULL_SHA */
3837 {0xC002,KEX_ECDH_ECDSA0x1a, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDH_ECDSA_WITH_RC4_128_SHA */
3838 {0xC003,KEX_ECDH_ECDSA0x1a, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA */
3839 {0xC004,KEX_ECDH_ECDSA0x1a, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA */
3840 {0xC005,KEX_ECDH_ECDSA0x1a, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA */
3841 {0xC006,KEX_ECDHE_ECDSA0x16, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDHE_ECDSA_WITH_NULL_SHA */
3842 {0xC007,KEX_ECDHE_ECDSA0x16, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDHE_ECDSA_WITH_RC4_128_SHA */
3843 {0xC008,KEX_ECDHE_ECDSA0x16, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA */
3844 {0xC009,KEX_ECDHE_ECDSA0x16, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA */
3845 {0xC00A,KEX_ECDHE_ECDSA0x16, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA */
3846 {0xC00B,KEX_ECDH_RSA0x1b, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDH_RSA_WITH_NULL_SHA */
3847 {0xC00C,KEX_ECDH_RSA0x1b, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDH_RSA_WITH_RC4_128_SHA */
3848 {0xC00D,KEX_ECDH_RSA0x1b, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA */
3849 {0xC00E,KEX_ECDH_RSA0x1b, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_RSA_WITH_AES_128_CBC_SHA */
3850 {0xC00F,KEX_ECDH_RSA0x1b, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_RSA_WITH_AES_256_CBC_SHA */
3851 {0xC0FF,KEX_ECJPAKE0x24, ENC_AES0x35, DIG_NA0x45, MODE_CCM_8 }, /* TLS_ECJPAKE_WITH_AES_128_CCM_8 */
3852 {0xC010,KEX_ECDHE_RSA0x18, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDHE_RSA_WITH_NULL_SHA */
3853 {0xC011,KEX_ECDHE_RSA0x18, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDHE_RSA_WITH_RC4_128_SHA */
3854 {0xC012,KEX_ECDHE_RSA0x18, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA */
3855 {0xC013,KEX_ECDHE_RSA0x18, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA */
3856 {0xC014,KEX_ECDHE_RSA0x18, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA */
3857 {0xC015,KEX_ECDH_ANON0x19, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDH_anon_WITH_NULL_SHA */
3858 {0xC016,KEX_ECDH_ANON0x19, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDH_anon_WITH_RC4_128_SHA */
3859 {0xC017,KEX_ECDH_ANON0x19, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA */
3860 {0xC018,KEX_ECDH_ANON0x19, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_anon_WITH_AES_128_CBC_SHA */
3861 {0xC019,KEX_ECDH_ANON0x19, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_anon_WITH_AES_256_CBC_SHA */
3862 {0xC01A,KEX_SRP_SHA0x20, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA */
3863 {0xC01B,KEX_SRP_SHA_RSA0x22, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA */
3864 {0xC01C,KEX_SRP_SHA_DSS0x21, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA */
3865 {0xC01D,KEX_SRP_SHA0x20, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_WITH_AES_128_CBC_SHA */
3866 {0xC01E,KEX_SRP_SHA_RSA0x22, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA */
3867 {0xC01F,KEX_SRP_SHA_DSS0x21, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA */
3868 {0xC020,KEX_SRP_SHA0x20, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_WITH_AES_256_CBC_SHA */
3869 {0xC021,KEX_SRP_SHA_RSA0x22, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA */
3870 {0xC022,KEX_SRP_SHA_DSS0x21, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA */
3871 {0xC023,KEX_ECDHE_ECDSA0x16, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 */
3872 {0xC024,KEX_ECDHE_ECDSA0x16, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 */
3873 {0xC025,KEX_ECDH_ECDSA0x1a, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 */
3874 {0xC026,KEX_ECDH_ECDSA0x1a, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 */
3875 {0xC027,KEX_ECDHE_RSA0x18, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 */
3876 {0xC028,KEX_ECDHE_RSA0x18, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 */
3877 {0xC029,KEX_ECDH_RSA0x1b, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 */
3878 {0xC02A,KEX_ECDH_RSA0x1b, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 */
3879 {0xC02B,KEX_ECDHE_ECDSA0x16, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 */
3880 {0xC02C,KEX_ECDHE_ECDSA0x16, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 */
3881 {0xC02D,KEX_ECDH_ECDSA0x1a, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 */
3882 {0xC02E,KEX_ECDH_ECDSA0x1a, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 */
3883 {0xC02F,KEX_ECDHE_RSA0x18, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 */
3884 {0xC030,KEX_ECDHE_RSA0x18, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 */
3885 {0xC031,KEX_ECDH_RSA0x1b, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 */
3886 {0xC032,KEX_ECDH_RSA0x1b, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 */
3887 {0xC033,KEX_ECDHE_PSK0x17, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDHE_PSK_WITH_RC4_128_SHA */
3888 {0xC034,KEX_ECDHE_PSK0x17, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA */
3889 {0xC035,KEX_ECDHE_PSK0x17, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA */
3890 {0xC036,KEX_ECDHE_PSK0x17, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA */
3891 {0xC037,KEX_ECDHE_PSK0x17, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 */
3892 {0xC038,KEX_ECDHE_PSK0x17, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 */
3893 {0xC039,KEX_ECDHE_PSK0x17, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDHE_PSK_WITH_NULL_SHA */
3894 {0xC03A,KEX_ECDHE_PSK0x17, ENC_NULL0x3D, DIG_SHA2560x42, MODE_STREAM}, /* TLS_ECDHE_PSK_WITH_NULL_SHA256 */
3895 {0xC03B,KEX_ECDHE_PSK0x17, ENC_NULL0x3D, DIG_SHA3840x43, MODE_STREAM}, /* TLS_ECDHE_PSK_WITH_NULL_SHA384 */
3896 {0xC072,KEX_ECDHE_ECDSA0x16, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 */
3897 {0xC073,KEX_ECDHE_ECDSA0x16, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 */
3898 {0xC074,KEX_ECDH_ECDSA0x1a, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 */
3899 {0xC075,KEX_ECDH_ECDSA0x1a, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 */
3900 {0xC076,KEX_ECDHE_RSA0x18, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 */
3901 {0xC077,KEX_ECDHE_RSA0x18, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 */
3902 {0xC078,KEX_ECDH_RSA0x1b, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256 */
3903 {0xC079,KEX_ECDH_RSA0x1b, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384 */
3904 {0xC07A,KEX_RSA0x1e, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256 */
3905 {0xC07B,KEX_RSA0x1e, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384 */
3906 {0xC07C,KEX_DHE_RSA0x12, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 */
3907 {0xC07D,KEX_DHE_RSA0x12, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 */
3908 {0xC07E,KEX_DH_RSA0x15, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256 */
3909 {0xC07F,KEX_DH_RSA0x15, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384 */
3910 {0xC080,KEX_DHE_DSS0x10, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256 */
3911 {0xC081,KEX_DHE_DSS0x10, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384 */
3912 {0xC082,KEX_DH_DSS0x14, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256 */
3913 {0xC083,KEX_DH_DSS0x14, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384 */
3914 {0xC084,KEX_DH_ANON0x13, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256 */
3915 {0xC085,KEX_DH_ANON0x13, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384 */
3916 {0xC086,KEX_ECDHE_ECDSA0x16, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 */
3917 {0xC087,KEX_ECDHE_ECDSA0x16, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 */
3918 {0xC088,KEX_ECDH_ECDSA0x1a, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 */
3919 {0xC089,KEX_ECDH_ECDSA0x1a, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 */
3920 {0xC08A,KEX_ECDHE_RSA0x18, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 */
3921 {0xC08B,KEX_ECDHE_RSA0x18, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 */
3922 {0xC08C,KEX_ECDH_RSA0x1b, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256 */
3923 {0xC08D,KEX_ECDH_RSA0x1b, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384 */
3924 {0xC08E,KEX_PSK0x1d, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 */
3925 {0xC08F,KEX_PSK0x1d, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384 */
3926 {0xC090,KEX_DHE_PSK0x11, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256 */
3927 {0xC091,KEX_DHE_PSK0x11, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384 */
3928 {0xC092,KEX_RSA_PSK0x1f, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256 */
3929 {0xC093,KEX_RSA_PSK0x1f, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384 */
3930 {0xC094,KEX_PSK0x1d, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 */
3931 {0xC095,KEX_PSK0x1d, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384 */
3932 {0xC096,KEX_DHE_PSK0x11, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 */
3933 {0xC097,KEX_DHE_PSK0x11, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 */
3934 {0xC098,KEX_RSA_PSK0x1f, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256 */
3935 {0xC099,KEX_RSA_PSK0x1f, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384 */
3936 {0xC09A,KEX_ECDHE_PSK0x17, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 */
3937 {0xC09B,KEX_ECDHE_PSK0x17, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 */
3938 {0xC09C,KEX_RSA0x1e, ENC_AES0x35, DIG_NA0x45, MODE_CCM }, /* TLS_RSA_WITH_AES_128_CCM */
3939 {0xC09D,KEX_RSA0x1e, ENC_AES2560x36, DIG_NA0x45, MODE_CCM }, /* TLS_RSA_WITH_AES_256_CCM */
3940 {0xC09E,KEX_DHE_RSA0x12, ENC_AES0x35, DIG_NA0x45, MODE_CCM }, /* TLS_DHE_RSA_WITH_AES_128_CCM */
3941 {0xC09F,KEX_DHE_RSA0x12, ENC_AES2560x36, DIG_NA0x45, MODE_CCM }, /* TLS_DHE_RSA_WITH_AES_256_CCM */
3942 {0xC0A0,KEX_RSA0x1e, ENC_AES0x35, DIG_NA0x45, MODE_CCM_8 }, /* TLS_RSA_WITH_AES_128_CCM_8 */
3943 {0xC0A1,KEX_RSA0x1e, ENC_AES2560x36, DIG_NA0x45, MODE_CCM_8 }, /* TLS_RSA_WITH_AES_256_CCM_8 */
3944 {0xC0A2,KEX_DHE_RSA0x12, ENC_AES0x35, DIG_NA0x45, MODE_CCM_8 }, /* TLS_DHE_RSA_WITH_AES_128_CCM_8 */
3945 {0xC0A3,KEX_DHE_RSA0x12, ENC_AES2560x36, DIG_NA0x45, MODE_CCM_8 }, /* TLS_DHE_RSA_WITH_AES_256_CCM_8 */
3946 {0xC0A4,KEX_PSK0x1d, ENC_AES0x35, DIG_NA0x45, MODE_CCM }, /* TLS_PSK_WITH_AES_128_CCM */
3947 {0xC0A5,KEX_PSK0x1d, ENC_AES2560x36, DIG_NA0x45, MODE_CCM }, /* TLS_PSK_WITH_AES_256_CCM */
3948 {0xC0A6,KEX_DHE_PSK0x11, ENC_AES0x35, DIG_NA0x45, MODE_CCM }, /* TLS_DHE_PSK_WITH_AES_128_CCM */
3949 {0xC0A7,KEX_DHE_PSK0x11, ENC_AES2560x36, DIG_NA0x45, MODE_CCM }, /* TLS_DHE_PSK_WITH_AES_256_CCM */
3950 {0xC0A8,KEX_PSK0x1d, ENC_AES0x35, DIG_NA0x45, MODE_CCM_8 }, /* TLS_PSK_WITH_AES_128_CCM_8 */
3951 {0xC0A9,KEX_PSK0x1d, ENC_AES2560x36, DIG_NA0x45, MODE_CCM_8 }, /* TLS_PSK_WITH_AES_256_CCM_8 */
3952 {0xC0AA,KEX_DHE_PSK0x11, ENC_AES0x35, DIG_NA0x45, MODE_CCM_8 }, /* TLS_PSK_DHE_WITH_AES_128_CCM_8 */
3953 {0xC0AB,KEX_DHE_PSK0x11, ENC_AES2560x36, DIG_NA0x45, MODE_CCM_8 }, /* TLS_PSK_DHE_WITH_AES_256_CCM_8 */
3954 {0xC0AC,KEX_ECDHE_ECDSA0x16, ENC_AES0x35, DIG_NA0x45, MODE_CCM }, /* TLS_ECDHE_ECDSA_WITH_AES_128_CCM */
3955 {0xC0AD,KEX_ECDHE_ECDSA0x16, ENC_AES2560x36, DIG_NA0x45, MODE_CCM }, /* TLS_ECDHE_ECDSA_WITH_AES_256_CCM */
3956 {0xC0AE,KEX_ECDHE_ECDSA0x16, ENC_AES0x35, DIG_NA0x45, MODE_CCM_8 }, /* TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 */
3957 {0xC0AF,KEX_ECDHE_ECDSA0x16, ENC_AES2560x36, DIG_NA0x45, MODE_CCM_8 }, /* TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 */
3958 {0xCCA8,KEX_ECDHE_RSA0x18, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 */
3959 {0xCCA9,KEX_ECDHE_ECDSA0x16, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 */
3960 {0xCCAA,KEX_DHE_RSA0x12, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 */
3961 {0xCCAB,KEX_PSK0x1d, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_PSK_WITH_CHACHA20_POLY1305_SHA256 */
3962 {0xCCAC,KEX_ECDHE_PSK0x17, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 */
3963 {0xCCAD,KEX_DHE_PSK0x11, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 */
3964 {0xCCAE,KEX_RSA_PSK0x1f, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256 */
3965 {0xD001,KEX_ECDHE_PSK0x17, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM}, /* TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 */
3966 {0xD002,KEX_ECDHE_PSK0x17, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM}, /* TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384 */
3967 {0xD003,KEX_ECDHE_PSK0x17, ENC_AES0x35, DIG_SHA2560x42, MODE_CCM_8}, /* TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256 */
3968 {0xD005,KEX_ECDHE_PSK0x17, ENC_AES0x35, DIG_SHA2560x42, MODE_CCM}, /* TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256 */
3969 /* GM */
3970 {0xe001,KEX_ECDHE_SM20x25, ENC_SM10x3B, DIG_SM30x44, MODE_CBC}, /* ECDHE_SM1_SM3 */
3971 {0xe003,KEX_ECC_SM20x26, ENC_SM10x3B, DIG_SM30x44, MODE_CBC}, /* ECC_SM1_SM3 */
3972 {0xe005,KEX_IBSDH_SM90x27, ENC_SM10x3B, DIG_SM30x44, MODE_CBC}, /* IBSDH_SM1_SM3 */
3973 {0xe007,KEX_IBC_SM90x28, ENC_SM10x3B, DIG_SM30x44, MODE_CBC}, /* IBC_SM1_SM3 */
3974 {0xe009,KEX_RSA0x1e, ENC_SM10x3B, DIG_SM30x44, MODE_CBC}, /* RSA_SM1_SM3 */
3975 {0xe00a,KEX_RSA0x1e, ENC_SM10x3B, DIG_SHA0x41, MODE_CBC}, /* RSA_SM1_SHA1 */
3976 {0xe011,KEX_ECDHE_SM20x25, ENC_SM40x3C, DIG_SM30x44, MODE_CBC}, /* ECDHE_SM4_CBC_SM3 */
3977 {0xe013,KEX_ECC_SM20x26, ENC_SM40x3C, DIG_SM30x44, MODE_CBC}, /* ECC_SM4_CBC_SM3 */
3978 {0xe015,KEX_IBSDH_SM90x27, ENC_SM40x3C, DIG_SM30x44, MODE_CBC}, /* IBSDH_SM4_CBC_SM3 */
3979 {0xe017,KEX_IBC_SM90x28, ENC_SM40x3C, DIG_SM30x44, MODE_CBC}, /* IBC_SM4_CBC_SM3 */
3980 {0xe019,KEX_RSA0x1e, ENC_SM40x3C, DIG_SM30x44, MODE_CBC}, /* RSA_SM4_CBC_SM3 */
3981 {0xe01a,KEX_RSA0x1e, ENC_SM40x3C, DIG_SHA0x41, MODE_CBC}, /* RSA_SM4_CBC_SHA1 */
3982 {0xe01c,KEX_RSA0x1e, ENC_SM40x3C, DIG_SHA2560x42, MODE_CBC}, /* RSA_SM4_CBC_SHA256 */
3983 {0xe051,KEX_ECDHE_SM20x25, ENC_SM40x3C, DIG_SM30x44, MODE_GCM}, /* ECDHE_SM4_GCM_SM3 */
3984 {0xe053,KEX_ECC_SM20x26, ENC_SM40x3C, DIG_SM30x44, MODE_GCM}, /* ECC_SM4_GCM_SM3 */
3985 {0xe055,KEX_IBSDH_SM90x27, ENC_SM40x3C, DIG_SM30x44, MODE_GCM}, /* IBSDH_SM4_GCM_SM3 */
3986 {0xe057,KEX_IBC_SM90x28, ENC_SM40x3C, DIG_SM30x44, MODE_GCM}, /* IBC_SM4_GCM_SM3 */
3987 {0xe059,KEX_RSA0x1e, ENC_SM40x3C, DIG_SM30x44, MODE_GCM}, /* RSA_SM4_GCM_SM3 */
3988 {0xe05a,KEX_RSA0x1e, ENC_SM40x3C, DIG_SHA2560x42, MODE_GCM}, /* RSA_SM4_GCM_SHA256 */
3989 {-1, 0, 0, 0, MODE_STREAM}
3990};
3991
/* Upper bounds for fixed-size cipher buffers: 16 bytes is the block size of
 * AES/Camellia/SEED/SM4, 32 bytes the key size of the 256-bit suites.
 * NOTE(review): which buffers these bound is not visible in this part of the
 * file — confirm against the key-expansion code before changing them. */
#define MAX_BLOCK_SIZE 16
#define MAX_KEY_SIZE 32
3994
/**
 * Look up a cipher suite in the static registry by its IANA number.
 *
 * @param num  cipher suite number as carried on the wire (e.g. 0xC02F).
 * @return pointer into the static cipher_suites table, or NULL if the suite is
 *         unknown. The pointer is not owned by the caller and must not be
 *         freed. Passing -1 always yields NULL because -1 is the table's
 *         end-of-list sentinel.
 */
const SslCipherSuite *
ssl_find_cipher(int num)
{
    const SslCipherSuite *suite = cipher_suites;

    /* Linear scan up to (but excluding) the {-1, ...} terminator entry. */
    while (suite->number != -1) {
        if (suite->number == num) {
            return suite;
        }
        suite++;
    }

    return NULL;
}
4007
/**
 * Map a cipher suite's symmetric cipher to a libgcrypt algorithm id.
 *
 * @param cipher_suite  entry from the cipher_suites registry (must not be NULL).
 * @return the gcrypt algorithm id for the suite's cipher, or whatever
 *         gcry_cipher_map_name() returns when the name is unknown to gcrypt.
 *
 * The enc field is an index into ciphers[] relative to ENC_START, so every
 * suite handed in must carry an enc value >= ENC_START (all registry entries
 * do; no range check is performed here).
 */
int
ssl_get_cipher_algo(const SslCipherSuite *cipher_suite)
{
    const char *cipher_name = ciphers[cipher_suite->enc - ENC_START];

    return gcry_cipher_map_name(cipher_name);
}
4013
/**
 * Return the cipher block size, in bytes, for a CBC cipher suite.
 *
 * @param cipher_suite  entry from the cipher_suites registry (must not be NULL).
 * @return the block length reported by gcrypt for CBC-mode suites; 0 for every
 *         other mode (stream, GCM, CCM, POLY1305, ...), where the notion of a
 *         block size is not used by the decoder.
 *
 * NOTE(review): the cipher name is resolved through ssl_get_cipher_by_name()
 * here, whereas ssl_get_cipher_algo() calls gcry_cipher_map_name() directly —
 * confirm the two resolve identically for every name in ciphers[].
 */
unsigned
ssl_get_cipher_blocksize(const SslCipherSuite *cipher_suite)
{
    if (cipher_suite->mode == MODE_CBC) {
        int algo = ssl_get_cipher_by_name(ciphers[cipher_suite->enc - ENC_START]);
        return (unsigned)gcry_cipher_get_algo_blklen(algo);
    }

    return 0;
}
4022
/**
 * Key material length (in bytes) of the export-grade cipher suites.
 *
 * Export suites derive their final write keys from a shortened key block;
 * this function returns that shortened length so key expansion can be sized
 * accordingly.
 *
 * @param cipher_suite_num  cipher suite number as carried on the wire.
 * @return 5 or 7 for the export suites listed below, 0 for every other suite.
 */
static unsigned
ssl_get_cipher_export_keymat_size(int cipher_suite_num)
{
    static const struct {
        int      suite;
        unsigned keymat_len;
    } export_keymat[] = {
        /* See RFC 6101 (SSL 3.0), Table 2, column Key Material. */
        { 0x0003, 5 }, /* TLS_RSA_EXPORT_WITH_RC4_40_MD5 */
        { 0x0006, 5 }, /* TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 */
        { 0x0008, 5 }, /* TLS_RSA_EXPORT_WITH_DES40_CBC_SHA */
        { 0x000B, 5 }, /* TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA */
        { 0x000E, 5 }, /* TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA */
        { 0x0011, 5 }, /* TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA */
        { 0x0014, 5 }, /* TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA */
        { 0x0017, 5 }, /* TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 */
        { 0x0019, 5 }, /* TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA */

        /* not defined in below draft, but "implemented by several vendors",
         * https://www.ietf.org/mail-archive/web/tls/current/msg00036.html */
        { 0x0060, 7 }, /* TLS_RSA_EXPORT1024_WITH_RC4_56_MD5 */
        { 0x0061, 7 }, /* TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 */

        /* Note: the draft states that DES_CBC needs 8 bytes, but Wireshark always
         * used 7. Until a pcap proves 8, let's use the old value. Link:
         * https://tools.ietf.org/html/draft-ietf-tls-56-bit-ciphersuites-01 */
        { 0x0062, 7 }, /* TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA */
        { 0x0063, 7 }, /* TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA */
        { 0x0064, 7 }, /* TLS_RSA_EXPORT1024_WITH_RC4_56_SHA */
        { 0x0065, 7 }, /* TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA */
    };

    for (size_t i = 0; i < sizeof export_keymat / sizeof export_keymat[0]; i++) {
        if (export_keymat[i].suite == cipher_suite_num) {
            return export_keymat[i].keymat_len;
        }
    }

    /* Not an export suite: the caller uses the full key length. */
    return 0;
}
4058
4059/* Digests, Ciphers and Cipher Suites registry }}} */
4060
4061
4062/* HMAC and the Pseudorandom function {{{ */
static int
tls_hash(StringInfo *secret, StringInfo *seed, int md,
         StringInfo *out, unsigned out_len)
{
    /* P_hash from RFC 2246 section 5 ('+' is concatenation):
     *   A(0) = seed
     *   A(i) = HMAC_hash(secret, A(i-1))
     *   P_hash(secret, seed) = HMAC_hash(secret, A(1) + seed) +
     *                          HMAC_hash(secret, A(2) + seed) + ...
     * Exactly out_len bytes are written; out->data must already have room
     * for them (nothing is allocated here). Returns 0 on success, -1 if the
     * HMAC context for digest `md` cannot be created. */
    SSL_HMAC hmac;
    uint8_t  a_buf[DIGEST_MAX_SIZE];  /* A(i) for i >= 1 */
    uint8_t  block[DIGEST_MAX_SIZE];  /* one HMAC_hash(secret, A(i) + seed) */
    uint8_t *a_cur = seed->data;      /* A(0) */
    unsigned a_len = seed->data_len;
    uint8_t *dst = out->data;
    unsigned remaining = out_len;

    ssl_print_string("tls_hash: hash secret", secret);
    ssl_print_string("tls_hash: hash seed", seed);

    if (ssl_hmac_init(&hmac, md) != 0) {
        return -1;
    }

    /* The return values of setkey/update/final are not checked here. */
    while (remaining) {
        unsigned block_len;

        /* A(i) = HMAC_hash(secret, A(i-1)) */
        ssl_hmac_setkey(&hmac, secret->data, secret->data_len);
        ssl_hmac_update(&hmac, a_cur, a_len);
        a_len = sizeof(a_buf);         /* in: capacity, out: digest length */
        ssl_hmac_final(&hmac, a_buf, &a_len);
        a_cur = a_buf;

        /* HMAC_hash(secret, A(i) + seed) */
        ssl_hmac_reset(&hmac);
        ssl_hmac_setkey(&hmac, secret->data, secret->data_len);
        ssl_hmac_update(&hmac, a_cur, a_len);
        ssl_hmac_update(&hmac, seed->data, seed->data_len);
        block_len = sizeof(block);     /* in: capacity, out: digest length */
        ssl_hmac_final(&hmac, block, &block_len);
        ssl_hmac_reset(&hmac);

        /* The final block is truncated to whatever is still needed. */
        const unsigned take = MIN(remaining, block_len);
        memcpy(dst, block, take);
        dst += take;
        remaining -= take;
    }
    ssl_hmac_cleanup(&hmac);
    out->data_len = out_len;

    ssl_print_string("hash out", out);
    return 0;
}
4122
static bool
tls_prf(StringInfo* secret, const char *usage,
        StringInfo* rnd1, StringInfo* rnd2, StringInfo* out, unsigned out_len)
{
    /* TLS 1.0/1.1 PRF (RFC 2246 section 5):
     *   PRF(secret, label, seed) = P_MD5(S1, label + seed) XOR
     *                              P_SHA-1(S2, label + seed)
     * S1 is the leading half of the secret and S2 the trailing half; for an
     * odd length both halves are rounded up and share the middle byte.
     * rnd2 may be NULL. out->data must already hold out_len bytes.
     * Returns true on success, false if an allocation or a P_hash failed. */
    StringInfo seed    = { NULL, 0 };
    StringInfo sha_out = { NULL, 0 };
    StringInfo md5_out = { NULL, 0 };
    StringInfo s1      = { NULL, 0 };
    StringInfo s2      = { NULL, 0 };
    const size_t usage_len = strlen(usage);
    const size_t rnd2_len  = rnd2 ? rnd2->data_len : 0;
    unsigned half_len;
    bool ok = false;

    /* Each P_hash needs at least one full digest of scratch space. */
    if (ssl_data_alloc(&sha_out, MAX(out_len, 20)) < 0) {
        ssl_debug_printf("tls_prf: can't allocate sha out\n");
        return false;
    }
    if (ssl_data_alloc(&md5_out, MAX(out_len, 16)) < 0) {
        ssl_debug_printf("tls_prf: can't allocate md5 out\n");
        goto cleanup_sha;
    }
    if (ssl_data_alloc(&seed, usage_len + rnd1->data_len + rnd2_len) < 0) {
        ssl_debug_printf("tls_prf: can't allocate rnd %d\n",
                (int) (usage_len + rnd1->data_len + rnd2_len));
        goto cleanup_md5;
    }

    /* seed = label + rnd1 [+ rnd2] */
    memcpy(seed.data, usage, usage_len);
    memcpy(seed.data + usage_len, rnd1->data, rnd1->data_len);
    if (rnd2_len > 0) {
        memcpy(seed.data + usage_len + rnd1->data_len, rnd2->data, rnd2_len);
    }

    /* Split the secret into S1 (leading half) and S2 (trailing half). */
    half_len = secret->data_len / 2 + secret->data_len % 2;
    if (ssl_data_alloc(&s1, half_len) < 0) {
        ssl_debug_printf("tls_prf: can't allocate secret %d\n", half_len);
        goto cleanup_seed;
    }
    if (ssl_data_alloc(&s2, half_len) < 0) {
        ssl_debug_printf("tls_prf: can't allocate secret(2) %d\n", half_len);
        goto cleanup_s1;
    }
    memcpy(s1.data, secret->data, half_len);
    memcpy(s2.data, secret->data + (secret->data_len - half_len), half_len);

    ssl_debug_printf("tls_prf: tls_hash(md5 secret_len %d seed_len %d )\n", s1.data_len, seed.data_len);
    if (tls_hash(&s1, &seed, ssl_get_digest_by_name("MD5"), &md5_out, out_len) != 0) {
        goto cleanup_s2;
    }
    ssl_debug_printf("tls_prf: tls_hash(sha)\n");
    if (tls_hash(&s2, &seed, ssl_get_digest_by_name("SHA1"), &sha_out, out_len) != 0) {
        goto cleanup_s2;
    }

    for (unsigned i = 0; i < out_len; i++) {
        out->data[i] = md5_out.data[i] ^ sha_out.data[i];
    }
    /* success, now store the new meaningful data length */
    out->data_len = out_len;
    ok = true;
    ssl_print_string("PRF out", out);

    /* NOTE(review): the secret halves and the intermediate P_hash outputs
     * are released below without being wiped first. */
cleanup_s2:
    g_free(s2.data);
cleanup_s1:
    g_free(s1.data);
cleanup_seed:
    g_free(seed.data);
cleanup_md5:
    g_free(md5_out.data);
cleanup_sha:
    g_free(sha_out.data);
    return ok;
}
4201
static bool
tls12_prf(int md, StringInfo* secret, const char* usage,
          StringInfo* rnd1, StringInfo* rnd2, StringInfo* out, unsigned out_len)
{
    /* TLS 1.2 PRF (RFC 5246 section 5): a single P_hash over the whole
     * secret with digest `md`, seeded with label + rnd1 [+ rnd2] (rnd2 may
     * be NULL). out->data must already hold out_len bytes. Returns true
     * when the seed could be allocated and tls_hash succeeded. */
    const size_t usage_len = strlen(usage);
    const size_t rnd2_len  = rnd2 ? rnd2->data_len : 0;
    StringInfo label_seed;
    int rc;

    if (ssl_data_alloc(&label_seed, usage_len + rnd1->data_len + rnd2_len) < 0) {
        ssl_debug_printf("tls12_prf: can't allocate label_seed\n");
        return false;
    }

    unsigned char *p = label_seed.data;
    memcpy(p, usage, usage_len);
    p += usage_len;
    memcpy(p, rnd1->data, rnd1->data_len);
    p += rnd1->data_len;
    if (rnd2_len > 0) {
        memcpy(p, rnd2->data, rnd2_len);
    }

    ssl_debug_printf("tls12_prf: tls_hash(hash_alg %s secret_len %d seed_len %d )\n", gcry_md_algo_name(md), secret->data_len, label_seed.data_len);
    rc = tls_hash(secret, &label_seed, md, out, out_len);
    g_free(label_seed.data);

    if (rc == -1) {
        return false;
    }
    ssl_print_string("PRF out", out);
    return true;
}
4230
static bool
ssl3_generate_export_iv(StringInfo *r1, StringInfo *r2,
                        StringInfo *out, unsigned out_len)
{
    /* SSL 3.0 export-cipher IV (RFC 6101): iv = MD5(r1 + r2), truncated to
     * out_len bytes. out_len must not exceed the 16-byte digest. Returns
     * false only if the MD5 context cannot be created. */
    SSL_MD5_CTX ctx;
    uint8_t digest[16];

    if (ssl_md5_init(&ctx) != 0) {
        return false;
    }
    ssl_md5_update(&ctx, r1->data, r1->data_len);
    ssl_md5_update(&ctx, r2->data, r2->data_len);
    ssl_md5_final(digest, &ctx);
    ssl_md5_cleanup(&ctx);

    /* The caller picks the IV length; it can never be longer than the digest. */
    DISSECTOR_ASSERT(out_len <= sizeof(digest));
    ssl_data_set(out, digest, out_len);
    ssl_print_string("export iv", out);
    return true;
}
4251
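static bool
ssl3_prf(StringInfo* secret, const char* usage,
        StringInfo* rnd1, StringInfo* rnd2, StringInfo* out, unsigned out_len)
{
    /* SSL 3.0 key expansion (RFC 6101). For round i = 1, 2, ...:
     *   out[16*(i-1) ..] = MD5(secret + SHA1(salt_i + secret + randoms))
     * where salt_i is i copies of the i-th capital letter ("A", "BB",
     * "CCC", ...). The order of the randoms depends on `usage`: the two
     * write keys hash rnd2 + rnd1, everything else rnd1 + rnd2 (rnd2 may be
     * NULL). Each round yields 16 bytes; the last one is truncated to
     * out_len. out->data must already hold out_len bytes.
     * Returns false if a digest context cannot be created or out_len needs
     * more rounds than the salt buffer can hold. */
    SSL_MD5_CTX md5;
    SSL_SHA_CTX sha;
    unsigned off;
    int i = 0, j;
    uint8_t buf[20]; /* salt for the current round, then the SHA-1 digest */
    /* usage is fixed for the whole call, so decide the random order once. */
    const bool write_key = !strcmp(usage, "client write key") || !strcmp(usage, "server write key");

    if (ssl_sha_init(&sha) != 0) {
        return false;
    }
    if (ssl_md5_init(&md5) != 0) {
        ssl_sha_cleanup(&sha);
        return false;
    }
    for (off = 0; off < out_len; off += 16) {
        unsigned char outbuf[16];
        i++;

        /* The salt occupies i bytes of buf, which has only sizeof(buf) bytes
         * (it doubles as the SHA-1 output buffer). Refuse an out_len that
         * would need more rounds than that instead of writing past the end
         * of the array; in practice key blocks need far fewer rounds. */
        if (i > (int)sizeof(buf)) {
            ssl_debug_printf("ssl3_prf: out_len %u needs more than %u rounds\n",
                             out_len, (unsigned)sizeof(buf));
            ssl_sha_cleanup(&sha);
            ssl_md5_cleanup(&md5);
            return false;
        }

        ssl_debug_printf("ssl3_prf: sha1_hash(%d)\n", i);
        /* A, BB, CCC, ... */
        for (j = 0; j < i; j++) {
            buf[j] = 64 + i;
        }

        ssl_sha_update(&sha, buf, i);
        ssl_sha_update(&sha, secret->data, secret->data_len);
        if (write_key) {
            if (rnd2)
                ssl_sha_update(&sha, rnd2->data, rnd2->data_len);
            ssl_sha_update(&sha, rnd1->data, rnd1->data_len);
        } else {
            ssl_sha_update(&sha, rnd1->data, rnd1->data_len);
            if (rnd2)
                ssl_sha_update(&sha, rnd2->data, rnd2->data_len);
        }
        ssl_sha_final(buf, &sha);
        ssl_sha_reset(&sha);

        ssl_debug_printf("ssl3_prf: md5_hash(%d) datalen %d\n", i,
                         secret->data_len);
        ssl_md5_update(&md5, secret->data, secret->data_len);
        ssl_md5_update(&md5, buf, 20);
        ssl_md5_final(outbuf, &md5);
        ssl_md5_reset(&md5);

        memcpy(out->data + off, outbuf, MIN(out_len - off, 16));
    }
    ssl_sha_cleanup(&sha);
    ssl_md5_cleanup(&md5);
    out->data_len = out_len;

    return true;
}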
4311
/* Dispatches to the PRF of the negotiated protocol version. out_len is the
 * wanted output length for the pseudorandom function; out->data must already
 * hold that many bytes. Ensure that ssl->cipher_suite is set: the TLS 1.2
 * branch selects the hash from the suite's digest (SHA-384 and SM3 suites use
 * their own hash, everything else SHA-256). Returns false on failure, and
 * always for SM3 suites when libgcrypt is too old to provide SM3. */
static bool
prf(SslDecryptSession *ssl, StringInfo *secret, const char *usage,
    StringInfo *rnd1, StringInfo *rnd2, StringInfo *out, unsigned out_len)
{
    switch (ssl->session.version) {
    case SSLV3_VERSION:
        return ssl3_prf(secret, usage, rnd1, rnd2, out, out_len);

    case TLSV1_VERSION:
    case TLSV1DOT1_VERSION:
    case DTLSV1DOT0_VERSION:
    case DTLSV1DOT0_OPENSSL_VERSION:
        return tls_prf(secret, usage, rnd1, rnd2, out, out_len);

    default:
        break;
    }

    /* Everything else is handled as TLS 1.2. */
    int md = GCRY_MD_SHA256;
    if (ssl->cipher_suite->dig == DIG_SHA384) {
        md = GCRY_MD_SHA384;
    } else if (ssl->cipher_suite->dig == DIG_SM3) {
#if GCRYPT_VERSION_NUMBER >= 0x010900
        md = GCRY_MD_SM3;
#else
        return false;
#endif
    }
    return tls12_prf(md, secret, usage, rnd1, rnd2, out, out_len);
}
4346
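static int tls_handshake_hash(SslDecryptSession* ssl, StringInfo* out)
{
    /* Hash of all handshake messages seen so far for SSL 3.0 / TLS < 1.2:
     * MD5 (16 bytes) followed by SHA-1 (20 bytes) of ssl->handshake_data.
     * Both digests are computed into a stack buffer first and *out is only
     * allocated once both succeeded. Previously the buffer was allocated up
     * front and a failed digest init returned -1 with out->data still
     * allocated; since -1 is also returned when nothing was allocated,
     * callers could not tell whether they had to free it and the buffer
     * leaked. The new order mirrors tls12_handshake_hash.
     * Returns 0 on success (caller owns out->data, freed with g_free),
     * -1 on any failure (then *out is untouched). */
    SSL_MD5_CTX md5;
    SSL_SHA_CTX sha;
    uint8_t digest[36]; /* MD5 || SHA-1 */

    if (ssl_md5_init(&md5) != 0)
        return -1;
    ssl_md5_update(&md5, ssl->handshake_data.data, ssl->handshake_data.data_len);
    ssl_md5_final(digest, &md5);
    ssl_md5_cleanup(&md5);

    if (ssl_sha_init(&sha) != 0)
        return -1;
    ssl_sha_update(&sha, ssl->handshake_data.data, ssl->handshake_data.data_len);
    ssl_sha_final(digest + 16, &sha);
    ssl_sha_cleanup(&sha);

    if (ssl_data_alloc(out, sizeof(digest)) < 0)
        return -1;
    memcpy(out->data, digest, sizeof(digest));
    return 0;
}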
4368
static int tls12_handshake_hash(SslDecryptSession* ssl, int md, StringInfo* out)
{
    /* Hash of all handshake messages seen so far (ssl->handshake_data) with
     * the TLS 1.2 PRF digest `md`. The digest goes to a stack buffer first;
     * *out is allocated only after hashing succeeded, so a failure leaves
     * nothing for the caller to free. Returns 0 on success (caller owns
     * out->data), -1 if the digest cannot be created or the output buffer
     * cannot be allocated. */
    SSL_MD ctx;
    uint8_t digest[48]; /* fits SHA-384, the widest digest selected by prf() */
    unsigned digest_len;

    if (ssl_md_init(&ctx, md) != 0) {
        return -1;
    }
    ssl_md_update(&ctx, ssl->handshake_data.data, ssl->handshake_data.data_len);
    ssl_md_final(&ctx, digest, &digest_len);
    ssl_md_cleanup(&ctx);

    if (ssl_data_alloc(out, digest_len) < 0) {
        return -1;
    }
    memcpy(out->data, digest, digest_len);
    return 0;
}
4386
bool
tls_load_psk(SslDecryptSession* tls_session, const char *tls_psk)
{
    /* Parses the user-configured PSK (a hex string from the ssl.psk /
     * dtls.psk preference) into tls_session->psk, replacing any key loaded
     * earlier. Returns false, with psk cleared, if the string is empty,
     * not valid hex, or too long. */
    const bool have_psk = (tls_psk != NULL) && (tls_psk[0] != '\0');
    if (!have_psk) {
        ssl_debug_printf("%s: can't find pre-shared key\n", G_STRFUNC);
        return false;
    }

    /* Release the previously loaded key before parsing the new one. */
    wmem_free(wmem_file_scope(), tls_session->psk.data);
    if (!from_hex(&tls_session->psk, tls_psk, strlen(tls_psk))) {
        ssl_debug_printf("%s: ssl.psk/dtls.psk contains invalid hex\n",
                         G_STRFUNC);
        return false;
    }

    /* NOTE(review): 2 << 15 is 65536, so lengths up to 2^16 - 1 are accepted
     * here while the message below says 2^15 - 1; the check and the message
     * disagree, confirm which bound is intended (the PSK length is encoded in
     * two bytes by ssl_generate_pre_master_secret). */
    if (tls_session->psk.data_len >= (2 << 15)) {
        ssl_debug_printf("%s: ssl.psk/dtls.psk must not be larger than 2^15 - 1\n",
                         G_STRFUNC);
        wmem_free(wmem_file_scope(), tls_session->psk.data);
        tls_session->psk.data = NULL;
        tls_session->psk.data_len = 0;
        return false;
    }

    return true;
}
4414
4415/**
4416 * Obtains the label prefix used in HKDF-Expand-Label. This function can be
4417 * inlined and removed once support for draft 19 and before is dropped.
4418 */
4419static inline const char *
4420tls13_hkdf_label_prefix(SslDecryptSession *ssl_session)
4421{
4422 if (ssl_session->session.tls13_draft_version && ssl_session->session.tls13_draft_version < 20) {
4423 return "TLS 1.3, ";
4424 } else if (ssl_session->session.version == DTLSV1DOT3_VERSION0xfefc) {
4425 return "dtls13";
4426 } else {
4427 return "tls13 ";
4428 }
4429}
4430
4431/*
4432 * Computes HKDF-Expand-Label(Secret, Label, Hash(context_value), Length) with a
4433 * custom label prefix. If "context_hash" is NULL, then an empty context is
4434 * used. Otherwise it must have the same length as the hash algorithm output.
4435 */
4436bool_Bool
4437tls13_hkdf_expand_label_context(int md, const StringInfo *secret,
4438 const char *label_prefix, const char *label,
4439 const uint8_t *context_hash, uint8_t context_length,
4440 uint16_t out_len, unsigned char **out)
4441{
4442 /* RFC 8446 Section 7.1:
4443 * HKDF-Expand-Label(Secret, Label, Context, Length) =
4444 * HKDF-Expand(Secret, HkdfLabel, Length)
4445 * struct {
4446 * uint16 length = Length;
4447 * opaque label<7..255> = "tls13 " + Label; // "tls13 " is label prefix.
4448 * opaque context<0..255> = Context;
4449 * } HkdfLabel;
4450 *
4451 * RFC 5869 HMAC-based Extract-and-Expand Key Derivation Function (HKDF):
4452 * HKDF-Expand(PRK, info, L) -> OKM
4453 */
4454 gcry_error_t err;
4455 const unsigned label_prefix_length = (unsigned) strlen(label_prefix);
4456 const unsigned label_length = (unsigned) strlen(label);
4457
4458 /* Some sanity checks */
4459 DISSECTOR_ASSERT(label_length > 0 && label_prefix_length + label_length <= 255)((void) ((label_length > 0 && label_prefix_length +
label_length <= 255) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 4459, "label_length > 0 && label_prefix_length + label_length <= 255"
))))
;
4460
4461 /* info = HkdfLabel { length, label, context } */
4462 GByteArray *info = g_byte_array_new();
4463 const uint16_t length = g_htons(out_len)(((((guint16) ( (guint16) ((guint16) (out_len) >> 8) | (
guint16) ((guint16) (out_len) << 8))))))
;
4464 g_byte_array_append(info, (const uint8_t *)&length, sizeof(length));
4465
4466 const uint8_t label_vector_length = label_prefix_length + label_length;
4467 g_byte_array_append(info, &label_vector_length, 1);
4468 g_byte_array_append(info, (const uint8_t *)label_prefix, label_prefix_length);
4469 g_byte_array_append(info, (const uint8_t*)label, label_length);
4470
4471 g_byte_array_append(info, &context_length, 1);
4472 if (context_length) {
4473 g_byte_array_append(info, context_hash, context_length);
4474 }
4475
4476 *out = (unsigned char *)wmem_alloc(NULL((void*)0), out_len);
4477 err = hkdf_expand(md, secret->data, secret->data_len, info->data, info->len, *out, out_len);
4478 g_byte_array_free(info, true1);
4479
4480 if (err) {
4481 ssl_debug_printf("%s failed %d: %s\n", G_STRFUNC((const char*) (__func__)), md, gcry_strerror(err));
4482 wmem_free(NULL((void*)0), *out);
4483 *out = NULL((void*)0);
4484 return false0;
4485 }
4486
4487 return true1;
4488}
4489
bool
tls13_hkdf_expand_label(int md, const StringInfo *secret,
                        const char *label_prefix, const char *label,
                        uint16_t out_len, unsigned char **out)
{
    /* HKDF-Expand-Label with an empty Context (RFC 8446 section 7.1).
     * See tls13_hkdf_expand_label_context for the ownership of *out. */
    const uint8_t *no_context = NULL;
    return tls13_hkdf_expand_label_context(md, secret, label_prefix, label,
                                           no_context, 0, out_len, out);
}
4497
static bool
tls13_derive_secret(int md, const StringInfo *secret,
                    const char *label_prefix, const char *label,
                    const uint8_t *context, unsigned context_length,
                    uint16_t out_len, unsigned char **out)
{
    /* Derive-Secret(Secret, Label, Messages) from RFC 8446 section 7.1:
     * hash `context` with `md`, then run HKDF-Expand-Label with that hash
     * as Context. Returns false if the digest cannot be created (*out is
     * left untouched) or the expansion fails (*out is then NULL). */
    SSL_MD ctx;
    uint8_t transcript_hash[DIGEST_MAX_SIZE];
    unsigned transcript_hash_len;

    if (ssl_md_init(&ctx, md) != 0) {
        return false;
    }
    ssl_md_update(&ctx, context, context_length);
    ssl_md_final(&ctx, transcript_hash, &transcript_hash_len);
    ssl_md_cleanup(&ctx);

    /* The digest length is at most DIGEST_MAX_SIZE (48), so it fits the
     * uint8_t context_length parameter. */
    return tls13_hkdf_expand_label_context(md, secret, label_prefix, label,
                                           transcript_hash, transcript_hash_len,
                                           out_len, out);
}
4516
4517/* HMAC and the Pseudorandom function }}} */
4518
4519/* Record Decompression (after decryption) {{{ */
4520#ifdef USE_ZLIB_OR_ZLIBNG
4521/* memory allocation functions for zlib initialization */
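static void* ssl_zalloc(void* opaque _U_, unsigned int no, unsigned int size)
{
    /* zlib zalloc hook: `no` items of `size` bytes each, zero-filled.
     * g_malloc0_n checks the item count times item size for overflow instead
     * of letting `no * size` wrap to a too-small block (zlib's own requests
     * are small, but the check costs nothing); like g_malloc0 it aborts
     * rather than returning NULL. */
    return g_malloc0_n(no, size);
}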
static void ssl_zfree(void* opaque _U_, void* addr)
{
    /* zlib zfree hook; releases a block obtained through ssl_zalloc. */
    g_free(addr);
}
4530#endif /* USE_ZLIB_OR_ZLIBNG */
4531
static SslDecompress*
ssl_create_decompressor(int compression)
{
    /* Allocates and initialises a record decompressor for the negotiated
     * `compression` method: 0 (none) yields NULL, 1 (DEFLATE) is supported
     * when built with zlib/zlib-ng, anything else is rejected. The struct
     * is allocated in file scope; on an unsupported method or a failed
     * inflateInit it is abandoned to that scope and NULL is returned. */
    if (compression == 0) {
        return NULL;
    }
    ssl_debug_printf("ssl_create_decompressor: compression method %d\n", compression);

    SslDecompress *decomp = wmem_new(wmem_file_scope(), SslDecompress);
    decomp->compression = compression;

#ifdef USE_ZLIB_OR_ZLIBNG
    if (decomp->compression == 1) { /* DEFLATE */
        decomp->istream.zalloc = ssl_zalloc;
        decomp->istream.zfree = ssl_zfree;
        decomp->istream.opaque = Z_NULL;
        decomp->istream.next_in = Z_NULL;
        decomp->istream.next_out = Z_NULL;
        decomp->istream.avail_in = 0;
        decomp->istream.avail_out = 0;
        const int err = ZLIB_PREFIX(inflateInit)(&decomp->istream);
        if (err != Z_OK) {
            ssl_debug_printf("ssl_create_decompressor: inflateInit_() failed - %d\n", err);
            return NULL;
        }
        return decomp;
    }
#endif /* USE_ZLIB_OR_ZLIBNG */

    ssl_debug_printf("ssl_create_decompressor: unsupported compression method %d\n", decomp->compression);
    return NULL;
}
4567
4568#ifdef USE_ZLIB_OR_ZLIBNG
static int
ssl_decompress_record(SslDecompress* decomp, const unsigned char* in, unsigned inl, StringInfo* out_str, unsigned* outl)
{
    /* Inflates one decrypted record (`in`, `inl` bytes) into out_str, which
     * is grown to 16384 bytes (the maximal plaintext record length) if it is
     * smaller. *outl receives the number of bytes produced. Returns 0 on
     * success, -1 for an unsupported method or an inflate() error. */
    if (decomp->compression != 1) {
        ssl_debug_printf("ssl_decompress_record: unsupported compression method %d\n", decomp->compression);
        return -1;
    }

    /* DEFLATE */
    if (out_str->data_len < 16384) { /* maximal plain length */
        /* NOTE(review): the result of the realloc is not checked. */
        ssl_data_realloc(out_str, 16384);
    }
#ifdef z_const
    decomp->istream.next_in = in;
#else
DIAG_OFF(cast-qual)
    decomp->istream.next_in = (Bytef *)in;
DIAG_ON(cast-qual)
#endif
    decomp->istream.avail_in = inl;
    decomp->istream.next_out = out_str->data;
    decomp->istream.avail_out = out_str->data_len;

    int err = Z_OK;
    if (inl > 0) {
        err = ZLIB_PREFIX(inflate)(&decomp->istream, Z_SYNC_FLUSH);
    }
    if (err != Z_OK) {
        /* Any other code, including Z_STREAM_END, counts as a failure. */
        ssl_debug_printf("ssl_decompress_record: inflate() failed - %d\n", err);
        return -1;
    }
    *outl = out_str->data_len - decomp->istream.avail_out;
    return 0;
}
4604#else /* USE_ZLIB_OR_ZLIBNG */
int
ssl_decompress_record(SslDecompress* decomp _U_, const unsigned char* in _U_, unsigned inl _U_, StringInfo* out_str _U_, unsigned* outl _U_)
{
    /* Built without zlib/zlib-ng: no compression method can be handled,
     * so every call fails with -1. */
    ssl_debug_printf("ssl_decompress_record: unsupported compression method %d\n", decomp->compression);
    return -1;
}
4611#endif /* USE_ZLIB_OR_ZLIBNG */
4612/* Record Decompression (after decryption) }}} */
4613
4614/* Create a new structure to store decrypted chunks. {{{ */
static SslFlow*
ssl_create_flow(void)
{
    /* Per-direction bookkeeping for decrypted data, allocated in file scope:
     * byte sequence starts at 0, no flags, and an empty tree for
     * multi-segment PDUs. */
    SslFlow *flow = wmem_new(wmem_file_scope(), SslFlow);
    flow->byte_seq = 0;
    flow->flags = 0;
    flow->multisegment_pdus = wmem_tree_new(wmem_file_scope());
    return flow;
}
4626/* }}} */
4627
4628/* Use the negotiated security parameters for decryption. {{{ */
void
ssl_change_cipher(SslDecryptSession *ssl_session, bool server)
{
    /* ChangeCipherSpec handling: promote the pending ("new") decoder of the
     * given direction to the active one and clear the pending slot. When
     * there is no pending decoder (e.g. a retransmitted CCS) the active
     * decoder is left untouched. */
    SslDecoder **pending;
    SslDecoder **active;

    if (server) {
        pending = &ssl_session->server_new;
        active  = &ssl_session->server;
    } else {
        pending = &ssl_session->client_new;
        active  = &ssl_session->client;
    }
    ssl_debug_printf("ssl_change_cipher %s%s\n", server ? "SERVER" : "CLIENT",
                     *pending ? "" : " (No decoder found - retransmission?)");
    if (*pending == NULL) {
        return;
    }
    *active = *pending;
    *pending = NULL;
}
4641/* }}} */
4642
4643/* Init cipher state given some security parameters. {{{ */
/* wmem file-scope teardown callback for SslDecoder; defined below. */
static bool ssl_decoder_destroy_cb(wmem_allocator_t *allocator, wmem_cb_event_t event, void *user_data);
4646
static SslDecoder*
ssl_create_decoder(const SslCipherSuite *cipher_suite, int cipher_algo,
        int compression, uint8_t *mk, uint8_t *sk, uint8_t *sn_key, uint8_t *iv, unsigned iv_length)
{
    /* Builds the decoder for one direction from the negotiated suite and its
     * key material: the MAC key (mk) for stream/CBC suites or the write IV
     * (iv) for AEAD suites, the encryption key (sk), an optional DTLS 1.3
     * sequence-number key (sn_key) and the compression method. The decoder
     * lives in file scope; its cipher handles are released through
     * ssl_decoder_destroy_cb. Returns NULL if a cipher handle cannot be
     * created or sn_key is given for an unsupported cipher. */
    SslDecoder *decoder = wmem_new0(wmem_file_scope(), SslDecoder);
    const ssl_cipher_mode_t mode = cipher_suite->mode;
    const bool is_aead = (mode == MODE_GCM || mode == MODE_CCM ||
                          mode == MODE_CCM_8 || mode == MODE_POLY1305);

    decoder->cipher_suite = cipher_suite;
    decoder->compression = compression;

    /* _mac_key_or_write_iv is storage embedded in the decoder (saves an
     * allocation); the two cases below are mutually exclusive. */
    if ((mode == MODE_STREAM && mk != NULL) || mode == MODE_CBC) {
        /* Stream and block ciphers carry a MAC key. The mk != NULL test
         * keeps NULL ciphers decodable even when keying material (and so
         * the MAC key) is missing, since "decryption" is trivial for them. */
        decoder->mac_key.data = decoder->_mac_key_or_write_iv;
        ssl_data_set(&decoder->mac_key, mk, ssl_cipher_suite_dig(cipher_suite)->len);
    } else if (is_aead) {
        /* AEAD ciphers use no MAC key; keep the write IV as nonce input. */
        DISSECTOR_ASSERT(iv_length <= sizeof(decoder->_mac_key_or_write_iv));
        decoder->write_iv.data = decoder->_mac_key_or_write_iv;
        ssl_data_set(&decoder->write_iv, iv, iv_length);
    }
    decoder->seq = 0;
    decoder->decomp = ssl_create_decompressor(compression);
    /* Registered before the cipher handles are created, presumably so that
     * whatever was set up is still torn down if a later step fails. */
    wmem_register_callback(wmem_file_scope(), ssl_decoder_destroy_cb, decoder);

    if (ssl_cipher_init(&decoder->evp, cipher_algo, sk, iv, cipher_suite->mode) < 0) {
        ssl_debug_printf("%s: can't create cipher id:%d mode:%d\n", G_STRFUNC,
                         cipher_algo, cipher_suite->mode);
        return NULL;
    }

    decoder->sn_evp = NULL;
    if (cipher_suite->enc != ENC_NULL && sn_key != NULL) {
        /* DTLS 1.3 record-number encryption: AES runs in ECB, ChaCha20 as a
         * stream cipher; nothing else is supported. */
        ssl_cipher_mode_t sn_mode;
        if (cipher_suite->enc == ENC_AES || cipher_suite->enc == ENC_AES256) {
            sn_mode = MODE_ECB;
        } else if (cipher_suite->enc == ENC_CHACHA20) {
            sn_mode = MODE_STREAM;
        } else {
            ssl_debug_printf("not supported encryption algorithm for DTLSv1.3\n");
            return NULL;
        }
        if (ssl_cipher_init(&decoder->sn_evp, cipher_algo, sn_key, NULL, sn_mode) < 0) {
            ssl_debug_printf("%s: can't create cipher id:%d mode:%d for seq number decryption\n", G_STRFUNC,
                             cipher_algo, MODE_ECB);
            ssl_cipher_cleanup(&decoder->evp);
            decoder->evp = NULL;
            return NULL;
        }
    }

    decoder->dtls13_aad.data = NULL;
    decoder->dtls13_aad.data_len = 0;
    ssl_debug_printf("decoder initialized (digest len %d)\n", ssl_cipher_suite_dig(cipher_suite)->len);
    return decoder;
}
4708
static bool
ssl_decoder_destroy_cb(wmem_allocator_t *allocator _U_, wmem_cb_event_t event _U_, void *user_data)
{
    /* wmem file-scope teardown callback: releases the cipher handles (record
     * and, for DTLS 1.3, sequence-number decryption) and the zlib inflate
     * state held by the decoder. The decoder struct itself belongs to the
     * scope. Always returns false. */
    SslDecoder *decoder = (SslDecoder *) user_data;

    if (decoder->evp != NULL) {
        ssl_cipher_cleanup(&decoder->evp);
    }
    if (decoder->sn_evp != NULL) {
        ssl_cipher_cleanup(&decoder->sn_evp);
    }

#ifdef USE_ZLIB_OR_ZLIBNG
    const bool has_deflate = decoder->decomp != NULL && decoder->decomp->compression == 1; /* DEFLATE */
    if (has_deflate) {
        ZLIB_PREFIX(inflateEnd)(&decoder->decomp->istream);
    }
#endif

    return false;
}
4726/* }}} */
4727
4728/* (Pre-)master secrets calculations {{{ */
#ifdef HAVE_LIBGNUTLS
/* RSA decryption of the encrypted pre-master secret with a private key from
 * key_hash (GnuTLS builds only); defined later in this file. */
static bool ssl_decrypt_pre_master_secret(SslDecryptSession *ssl_session,
                                          StringInfo *encrypted_pre_master,
                                          GHashTable *key_hash);
#endif /* HAVE_LIBGNUTLS */
4735
/* Looks up `key` in the master-key map `ht` and, on a hit, presumably installs
 * the (pre-)master secret in the session; `label` is used for debug output.
 * Defined later in this file. */
static bool ssl_restore_master_key(SslDecryptSession *ssl, const char *label,
                                   bool is_pre_master, GHashTable *ht, StringInfo *key);
4739
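bool
ssl_generate_pre_master_secret(SslDecryptSession *ssl_session,
                               uint32_t length, tvbuff_t *tvb, uint32_t offset,
                               const char *ssl_psk, packet_info *pinfo,
#ifdef HAVE_LIBGNUTLS
                               GHashTable *key_hash,
#endif
                               const ssl_master_key_map_t *mk_map)
{
    /* Recovers the pre-master secret for the ClientKeyExchange body at
     * tvb[offset] (`length` bytes). Sources are tried in this order:
     *   1. an unencrypted pre-master secret in mk_map->pms, keyed by the
     *      client random;
     *   2. for PSK suites, the RFC 4279 construction from the configured
     *      ssl_psk;
     *   3. RSA decryption of the encrypted secret with a private key from
     *      key_hash (GnuTLS builds only);
     *   4. mk_map->pre_master, keyed by the first 8 bytes of the encrypted
     *      pre-master secret.
     * Returns false if the session lacks cipher, randoms or version, for
     * TLS 1.3 (no pre-master secrets), or if no source yields a secret. */
    ssl_debug_printf("%s: found SSL_HND_CLIENT_KEY_EXCHG, state %X\n",
                     G_STRFUNC, ssl_session->state);
    const unsigned required = SSL_CIPHER|SSL_CLIENT_RANDOM|SSL_SERVER_RANDOM|SSL_VERSION;
    if ((ssl_session->state & required) != required) {
        ssl_debug_printf("%s: not enough data to generate key (required state %X)\n", G_STRFUNC,
                         required);
        return false;
    }

    if (ssl_session->session.version == TLSV1DOT3_VERSION) {
        ssl_debug_printf("%s: detected TLS 1.3 which has no pre-master secrets\n", G_STRFUNC);
        return false;
    }

    /* check to see if the PMS was provided to us */
    if (ssl_restore_master_key(ssl_session, "Unencrypted pre-master secret", true,
                               mk_map->pms, &ssl_session->client_random)) {
        return true;
    }

    if (ssl_session->cipher_suite->kex == KEX_PSK) {
        /* RFC 4279 section 2: premaster = uint16 N | N zero bytes | uint16 N | PSK,
         * where N is the PSK length (tls_load_psk bounds it to fit 16 bits). */
        if (!tls_load_psk(ssl_session, ssl_psk)) {
            return false;
        }
        const unsigned psk_len = ssl_session->psk.data_len;
        const unsigned pre_master_len = psk_len * 2 + 4;
        unsigned char *pms = (unsigned char *)wmem_alloc(wmem_file_scope(), pre_master_len);

        /* 2 bytes psk_len */
        pms[0] = psk_len >> 8;
        pms[1] = psk_len & 0xFF;
        /* psk_len bytes times 0 */
        memset(&pms[2], 0, psk_len);
        /* 2 bytes psk_len */
        pms[psk_len + 2] = psk_len >> 8;
        pms[psk_len + 3] = psk_len & 0xFF;
        /* psk */
        memcpy(&pms[psk_len + 4], ssl_session->psk.data, psk_len);

        ssl_session->pre_master_secret.data = pms;
        ssl_session->pre_master_secret.data_len = pre_master_len;

        /* Remove the master secret if it was there. This forces keying
         * material regeneration in case we're renegotiating. */
        ssl_session->state &= ~(SSL_MASTER_SECRET|SSL_HAVE_SESSION_KEY);
        ssl_session->state |= SSL_PRE_MASTER_SECRET;
        return true;
    }

    unsigned encrlen = length;
    unsigned skip = 0;

    /* For RSA key exchange on the versions listed below the encrypted
     * pre-master secret is preceded by a 2-byte length (expected to equal
     * the record length - 2, e.g. 128 + 2 = 130 for RSA-1024). Versions not
     * listed (SSL 3.0) and PSK carry no such prefix. */
    if (ssl_session->cipher_suite->kex == KEX_RSA &&
        (ssl_session->session.version == TLSV1_VERSION ||
         ssl_session->session.version == TLSV1DOT1_VERSION ||
         ssl_session->session.version == TLSV1DOT2_VERSION ||
         ssl_session->session.version == DTLSV1DOT0_VERSION ||
         ssl_session->session.version == DTLSV1DOT2_VERSION ||
         ssl_session->session.version == TLCPV1_VERSION)) {
        /* `length` is unsigned: check it before computing `length - 2` so a
         * body shorter than the prefix cannot wrap the bound and let any
         * encrlen through (or read the prefix from beyond the body). */
        if (length < 2) {
            ssl_debug_printf("%s: message too short for encrypted length prefix (%u)\n",
                             G_STRFUNC, length);
            return false;
        }
        encrlen = tvb_get_ntohs(tvb, offset);
        skip = 2;
        if (encrlen > length - 2) {
            ssl_debug_printf("%s: wrong encrypted length (%d max %d)\n",
                             G_STRFUNC, encrlen, length);
            return false;
        }
    }
    /* The valid lower bound is higher than 8, but 8 bytes is all the key
     * log lookup below needs. */
    if (encrlen < 8) {
        ssl_debug_printf("%s: invalid encrypted pre-master key length %d\n",
                         G_STRFUNC, encrlen);
        return false;
    }

    StringInfo encrypted_pre_master = {
        .data = (unsigned char *)tvb_memdup(pinfo->pool, tvb, offset + skip, encrlen),
        .data_len = encrlen,
    };

#ifdef HAVE_LIBGNUTLS
    /* Try to lookup an appropriate RSA private key to decrypt the Encrypted Pre-Master Secret. */
    if (ssl_session->cert_key_id) {
        if (ssl_decrypt_pre_master_secret(ssl_session, &encrypted_pre_master, key_hash)) {
            return true;
        }
        ssl_debug_printf("%s: can't decrypt pre-master secret\n", G_STRFUNC);
    }
#endif /* HAVE_LIBGNUTLS */

    /* try to find the pre-master secret from the encrypted one. The
     * ssl key logfile stores only the first 8 bytes, so truncate it */
    encrypted_pre_master.data_len = 8;
    return ssl_restore_master_key(ssl_session, "Encrypted pre-master secret",
                                  true, mk_map->pre_master, &encrypted_pre_master);
}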
4867
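/* Used for (D)TLS 1.2 and earlier versions (not with TLS 1.3). */
/**
 * Derives the master secret (when only the pre-master secret is known), then
 * the key block (MAC keys, write keys, write IVs / AEAD salts) for the
 * negotiated cipher suite, and installs new client and server decoders in
 * ssl_session->client_new / server_new. On success SSL_HAVE_SESSION_KEY is set
 * in ssl_session->state.
 *
 * Preconditions (checked here): the session is not (D)TLS 1.3; SSL_CIPHER,
 * SSL_CLIENT_RANDOM, SSL_SERVER_RANDOM and SSL_VERSION are known and either the
 * master or the pre-master secret is available. The one exception is the NULL
 * cipher, for which decoders are created without key material (MAC validation
 * is skipped) so that plaintext records can still be dissected.
 *
 * Returns 0 on success, -1 on failure. Once the master secret has been derived
 * the pre-master secret is marked as consumed (SSL_PRE_MASTER_SECRET cleared).
 */
int
ssl_generate_keyring_material(SslDecryptSession*ssl_session)
{
    StringInfo  key_block = { NULL, 0 };
    uint8_t     _iv_c[MAX_BLOCK_SIZE],_iv_s[MAX_BLOCK_SIZE];
    uint8_t     _key_c[MAX_KEY_SIZE],_key_s[MAX_KEY_SIZE];
    int         needed;
    int         cipher_algo = -1;   /* special value (-1) for NULL encryption */
    unsigned    encr_key_len, write_iv_len = 0;
    bool        is_export_cipher;
    uint8_t    *ptr, *c_iv = NULL, *s_iv = NULL;
    uint8_t    *c_wk = NULL, *s_wk = NULL, *c_mk = NULL, *s_mk = NULL;
    const SslCipherSuite *cipher_suite = ssl_session->cipher_suite;

    /* (D)TLS 1.3 is handled directly in tls13_change_key. */
    if (ssl_session->session.version == TLSV1DOT3_VERSION || ssl_session->session.version == DTLSV1DOT3_VERSION) {
        ssl_debug_printf("%s: detected TLS 1.3. Should not have been called!\n", G_STRFUNC);
        return -1;
    }

    /* check for enough info to proceed */
    unsigned need_all = SSL_CIPHER|SSL_CLIENT_RANDOM|SSL_SERVER_RANDOM|SSL_VERSION;
    unsigned need_any = SSL_MASTER_SECRET | SSL_PRE_MASTER_SECRET;
    if (((ssl_session->state & need_all) != need_all) || ((ssl_session->state & need_any) == 0)) {
        ssl_debug_printf("ssl_generate_keyring_material not enough data to generate key "
                         "(0x%02X required 0x%02X or 0x%02X)\n", ssl_session->state,
                         need_all|SSL_MASTER_SECRET, need_all|SSL_PRE_MASTER_SECRET);
        /* Special case: for NULL encryption, allow dissection of data even if
         * the Client Hello is missing (MAC keys are now skipped though). */
        need_all = SSL_CIPHER|SSL_VERSION;
        if ((ssl_session->state & need_all) == need_all &&
                cipher_suite->enc == ENC_NULL) {
            ssl_debug_printf("%s NULL cipher found, will create a decoder but "
                    "skip MAC validation as keys are missing.\n", G_STRFUNC);
            goto create_decoders;
        }

        return -1;
    }

    /* if master key is not available, generate is from the pre-master secret */
    if (!(ssl_session->state & SSL_MASTER_SECRET)) {
        if ((ssl_session->state & SSL_EXTENDED_MASTER_SECRET_MASK) == SSL_EXTENDED_MASTER_SECRET_MASK) {
            /* RFC 7627: master_secret = PRF(pre_master_secret,
             * "extended master secret", session_hash) where session_hash is
             * the hash of all handshake messages seen so far. */
            StringInfo  handshake_hashed_data;
            int         ret;

            handshake_hashed_data.data = NULL;
            handshake_hashed_data.data_len = 0;

            ssl_debug_printf("%s:PRF(pre_master_secret_extended)\n", G_STRFUNC);
            ssl_print_string("pre master secret",&ssl_session->pre_master_secret);
            DISSECTOR_ASSERT(ssl_session->handshake_data.data_len > 0);

            switch(ssl_session->session.version) {
            case TLSV1_VERSION:
            case TLSV1DOT1_VERSION:
            case DTLSV1DOT0_VERSION:
            case DTLSV1DOT0_OPENSSL_VERSION:
            case TLCPV1_VERSION:
                /* Pre-TLS 1.2 handshake hash is MD5 || SHA-1. */
                ret = tls_handshake_hash(ssl_session, &handshake_hashed_data);
                break;
            default:
                /* TLS 1.2: the PRF hash of the cipher suite (SHA-256 unless
                 * the suite specifies SHA-384). */
                switch (cipher_suite->dig) {
                case DIG_SHA384:
                    ret = tls12_handshake_hash(ssl_session, GCRY_MD_SHA384, &handshake_hashed_data);
                    break;
                default:
                    ret = tls12_handshake_hash(ssl_session, GCRY_MD_SHA256, &handshake_hashed_data);
                    break;
                }
                break;
            }
            if (ret) {
                ssl_debug_printf("%s can't generate handshake hash\n", G_STRFUNC);
                /* The hash helper may have allocated the output buffer before
                 * failing; release it like every other exit of this block does
                 * (g_free(NULL) is a no-op when nothing was allocated). */
                g_free(handshake_hashed_data.data);
                return -1;
            }

            /* The handshake transcript is no longer needed once hashed. */
            wmem_free(wmem_file_scope(), ssl_session->handshake_data.data);
            ssl_session->handshake_data.data = NULL;
            ssl_session->handshake_data.data_len = 0;

            if (!prf(ssl_session, &ssl_session->pre_master_secret, "extended master secret",
                     &handshake_hashed_data,
                     NULL, &ssl_session->master_secret,
                     SSL_MASTER_SECRET_LENGTH)) {
                ssl_debug_printf("%s can't generate master_secret\n", G_STRFUNC);
                g_free(handshake_hashed_data.data);
                return -1;
            }
            g_free(handshake_hashed_data.data);
        } else {
            /* RFC 5246 8.1: master_secret = PRF(pre_master_secret,
             * "master secret", ClientHello.random + ServerHello.random). */
            ssl_debug_printf("%s:PRF(pre_master_secret)\n", G_STRFUNC);
            ssl_print_string("pre master secret",&ssl_session->pre_master_secret);
            ssl_print_string("client random",&ssl_session->client_random);
            ssl_print_string("server random",&ssl_session->server_random);
            if (!prf(ssl_session, &ssl_session->pre_master_secret, "master secret",
                     &ssl_session->client_random,
                     &ssl_session->server_random, &ssl_session->master_secret,
                     SSL_MASTER_SECRET_LENGTH)) {
                ssl_debug_printf("%s can't generate master_secret\n", G_STRFUNC);
                return -1;
            }
        }
        ssl_print_string("master secret",&ssl_session->master_secret);

        /* the pre-master secret has been 'consumed' so we must clear it now */
        ssl_session->state &= ~SSL_PRE_MASTER_SECRET;
        ssl_session->state |= SSL_MASTER_SECRET;
    }

    /* Find the Libgcrypt cipher algorithm for the given SSL cipher suite ID */
    if (cipher_suite->enc != ENC_NULL) {
        const char *cipher_name = ciphers[cipher_suite->enc-ENC_START];
        ssl_debug_printf("%s CIPHER: %s\n", G_STRFUNC, cipher_name);
        cipher_algo = ssl_get_cipher_by_name(cipher_name);
        if (cipher_algo == 0) {
            ssl_debug_printf("%s can't find cipher %s\n", G_STRFUNC, cipher_name);
            return -1;
        }
    }

    /* Export ciphers consume less material from the key block. */
    encr_key_len = ssl_get_cipher_export_keymat_size(cipher_suite->number);
    is_export_cipher = encr_key_len > 0;
    if (!is_export_cipher && cipher_suite->enc != ENC_NULL) {
        encr_key_len = (unsigned)gcry_cipher_get_algo_keylen(cipher_algo);
    }

    if (cipher_suite->mode == MODE_CBC) {
        write_iv_len = (unsigned)gcry_cipher_get_algo_blklen(cipher_algo);
    } else if (cipher_suite->mode == MODE_GCM || cipher_suite->mode == MODE_CCM || cipher_suite->mode == MODE_CCM_8) {
        /* account for a four-byte salt for client and server side (from
         * client_write_IV and server_write_IV), see GCMNonce (RFC 5288) */
        write_iv_len = 4;
    } else if (cipher_suite->mode == MODE_POLY1305) {
        /* RFC 7905: SecurityParameters.fixed_iv_length is twelve bytes */
        write_iv_len = 12;
    }

    /* Compute the key block. First figure out how much data we need */
    needed = ssl_cipher_suite_dig(cipher_suite)->len*2;     /* MAC key  */
    needed += 2 * encr_key_len;                             /* encryption key */
    needed += 2 * write_iv_len;                             /* write IV */

    key_block.data = (unsigned char *)g_malloc(needed);
    ssl_debug_printf("%s sess key generation\n", G_STRFUNC);
    if (!prf(ssl_session, &ssl_session->master_secret, "key expansion",
            &ssl_session->server_random,&ssl_session->client_random,
            &key_block, needed)) {
        ssl_debug_printf("%s can't generate key_block\n", G_STRFUNC);
        goto fail;
    }
    ssl_print_string("key expansion", &key_block);

    /* Slice the key block in the order given by RFC 5246 6.3:
     * client/server MAC key, client/server write key, client/server IV. */
    ptr=key_block.data;
    /* client/server write MAC key (for non-AEAD ciphers) */
    if (cipher_suite->mode == MODE_STREAM || cipher_suite->mode == MODE_CBC) {
        c_mk=ptr; ptr+=ssl_cipher_suite_dig(cipher_suite)->len;
        s_mk=ptr; ptr+=ssl_cipher_suite_dig(cipher_suite)->len;
    }
    /* client/server write encryption key */
    c_wk=ptr; ptr += encr_key_len;
    s_wk=ptr; ptr += encr_key_len;
    /* client/server write IV (used as IV (for CBC) or salt (for AEAD)) */
    if (write_iv_len > 0) {
        c_iv=ptr; ptr += write_iv_len;
        s_iv=ptr; /* ptr += write_iv_len; */
    }

    /* export ciphers work with a smaller key length */
    if (is_export_cipher) {
        if (cipher_suite->mode == MODE_CBC) {

            /* We only have room for MAX_BLOCK_SIZE bytes IVs, but that's
               all we should need. This is a sanity check */
            if (write_iv_len > MAX_BLOCK_SIZE) {
                ssl_debug_printf("%s cipher suite block must be at most %d nut is %d\n",
                        G_STRFUNC, MAX_BLOCK_SIZE, write_iv_len);
                goto fail;
            }

            if(ssl_session->session.version==SSLV3_VERSION){
                /* The length of these fields are ignored by this caller */
                StringInfo iv_c, iv_s;
                iv_c.data = _iv_c;
                iv_s.data = _iv_s;

                ssl_debug_printf("%s ssl3_generate_export_iv\n", G_STRFUNC);
                if (!ssl3_generate_export_iv(&ssl_session->client_random,
                        &ssl_session->server_random, &iv_c, write_iv_len)) {
                    goto fail;
                }
                ssl_debug_printf("%s ssl3_generate_export_iv(2)\n", G_STRFUNC);
                if (!ssl3_generate_export_iv(&ssl_session->server_random,
                        &ssl_session->client_random, &iv_s, write_iv_len)) {
                    goto fail;
                }
            }
            else{
                /* TLS 1.0 export (RFC 2246 6.3.1): iv_block = PRF("", "IV block",
                 * client_random + server_random), split into the two IVs. */
                uint8_t _iv_block[MAX_BLOCK_SIZE * 2];
                StringInfo iv_block;
                StringInfo key_null;
                uint8_t _key_null;

                key_null.data = &_key_null;
                key_null.data_len = 0;

                iv_block.data = _iv_block;

                ssl_debug_printf("%s prf(iv_block)\n", G_STRFUNC);
                if (!prf(ssl_session, &key_null, "IV block",
                        &ssl_session->client_random,
                        &ssl_session->server_random, &iv_block,
                        write_iv_len * 2)) {
                    ssl_debug_printf("%s can't generate tls31 iv block\n", G_STRFUNC);
                    goto fail;
                }

                memcpy(_iv_c, iv_block.data, write_iv_len);
                memcpy(_iv_s, iv_block.data + write_iv_len, write_iv_len);
            }

            c_iv=_iv_c;
            s_iv=_iv_s;
        }

        if (ssl_session->session.version==SSLV3_VERSION){
            /* SSL 3.0 export: final_write_key = MD5(write_key + random). */
            SSL_MD5_CTX md5;
            ssl_debug_printf("%s MD5(client_random)\n", G_STRFUNC);

            if (ssl_md5_init(&md5) != 0)
                goto fail;
            ssl_md5_update(&md5,c_wk,encr_key_len);
            ssl_md5_update(&md5,ssl_session->client_random.data,
                ssl_session->client_random.data_len);
            ssl_md5_update(&md5,ssl_session->server_random.data,
                ssl_session->server_random.data_len);
            ssl_md5_final(_key_c,&md5);
            ssl_md5_cleanup(&md5);
            c_wk=_key_c;

            if (ssl_md5_init(&md5) != 0)
                goto fail;
            ssl_debug_printf("%s MD5(server_random)\n", G_STRFUNC);
            ssl_md5_update(&md5,s_wk,encr_key_len);
            ssl_md5_update(&md5,ssl_session->server_random.data,
                ssl_session->server_random.data_len);
            ssl_md5_update(&md5,ssl_session->client_random.data,
                ssl_session->client_random.data_len);
            ssl_md5_final(_key_s,&md5);
            ssl_md5_cleanup(&md5);
            s_wk=_key_s;
        }
        else{
            /* TLS 1.0 export: final_write_key = PRF(write_key,
             * "client/server write key", client_random + server_random). */
            StringInfo key_c, key_s, k;
            key_c.data = _key_c;
            key_s.data = _key_s;

            k.data = c_wk;
            k.data_len = encr_key_len;
            ssl_debug_printf("%s PRF(key_c)\n", G_STRFUNC);
            if (!prf(ssl_session, &k, "client write key",
                    &ssl_session->client_random,
                    &ssl_session->server_random, &key_c, sizeof(_key_c))) {
                ssl_debug_printf("%s can't generate tll31 server key \n", G_STRFUNC);
                goto fail;
            }
            c_wk=_key_c;

            k.data = s_wk;
            k.data_len = encr_key_len;
            ssl_debug_printf("%s PRF(key_s)\n", G_STRFUNC);
            if (!prf(ssl_session, &k, "server write key",
                    &ssl_session->client_random,
                    &ssl_session->server_random, &key_s, sizeof(_key_s))) {
                ssl_debug_printf("%s can't generate tll31 client key \n", G_STRFUNC);
                goto fail;
            }
            s_wk=_key_s;
        }
    }

    /* show key material info */
    if (c_mk != NULL) {
        ssl_print_data("Client MAC key",c_mk,ssl_cipher_suite_dig(cipher_suite)->len);
        ssl_print_data("Server MAC key",s_mk,ssl_cipher_suite_dig(cipher_suite)->len);
    }
    ssl_print_data("Client Write key", c_wk, encr_key_len);
    ssl_print_data("Server Write key", s_wk, encr_key_len);
    /* used as IV for CBC mode and the AEAD implicit nonce (salt) */
    if (write_iv_len > 0) {
        ssl_print_data("Client Write IV", c_iv, write_iv_len);
        ssl_print_data("Server Write IV", s_iv, write_iv_len);
    }

create_decoders:
    /* create both client and server ciphers*/
    /* NOTE: on the NULL-cipher shortcut above, key_block.data, the key
     * pointers and IVs are all NULL and cipher_algo is -1. */
    ssl_debug_printf("%s ssl_create_decoder(client)\n", G_STRFUNC);
    ssl_session->client_new = ssl_create_decoder(cipher_suite, cipher_algo, ssl_session->session.compression, c_mk, c_wk, NULL, c_iv, write_iv_len);
    if (!ssl_session->client_new) {
        ssl_debug_printf("%s can't init client decoder\n", G_STRFUNC);
        goto fail;
    }
    ssl_debug_printf("%s ssl_create_decoder(server)\n", G_STRFUNC);
    ssl_session->server_new = ssl_create_decoder(cipher_suite, cipher_algo, ssl_session->session.compression, s_mk, s_wk, NULL, s_iv, write_iv_len);
    if (!ssl_session->server_new) {
        ssl_debug_printf("%s can't init server decoder\n", G_STRFUNC);
        goto fail;
    }

    /* Continue the SSL stream after renegotiation with new keys. */
    ssl_session->client_new->flow = ssl_session->client ? ssl_session->client->flow : ssl_create_flow();
    ssl_session->server_new->flow = ssl_session->server ? ssl_session->server->flow : ssl_create_flow();

    ssl_debug_printf("%s: client seq %" PRIu64 ", server seq %" PRIu64 "\n",
        G_STRFUNC, ssl_session->client_new->seq, ssl_session->server_new->seq);
    g_free(key_block.data);
    ssl_session->state |= SSL_HAVE_SESSION_KEY;
    return 0;

fail:
    g_free(key_block.data);
    return -1;
}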
5194
/* Generated the key material based on the given secret. */
/**
 * Expands a TLS 1.3 / DTLS 1.3 traffic secret (HKDF-Expand-Label) into the
 * write key, the write IV and, for DTLS 1.3 only, the record sequence number
 * key, then installs a new decoder for the given direction on ssl_session
 * (server or client). The flow of the previous decoder in that direction, if
 * any, is carried over so record reassembly continues across key updates.
 *
 * The expanded key buffers are owned by this function and released on every
 * path before returning.
 *
 * Returns true when the decoder was installed, false otherwise; on failure
 * ssl_session is left untouched.
 */
bool
tls13_generate_keys(SslDecryptSession *ssl_session, const StringInfo *secret, bool is_from_server)
{
    const SslCipherSuite *cipher_suite = ssl_session->cipher_suite;
    const bool            is_dtls13 = ssl_session->session.version == DTLSV1DOT3_VERSION;
    const char           *side = is_from_server ? "server" : "client";
    SslDecoder          **slot = is_from_server ? &ssl_session->server : &ssl_session->client;
    SslDecoder           *decoder = NULL;
    unsigned char        *write_key = NULL, *write_iv = NULL, *sn_key = NULL;
    bool                  success = false;

    if (ssl_session->session.version != TLSV1DOT3_VERSION && !is_dtls13) {
        ssl_debug_printf("%s only usable for TLS 1.3, not %#x!\n", G_STRFUNC,
                         ssl_session->session.version);
        return false;
    }

    if (cipher_suite == NULL) {
        ssl_debug_printf("%s Unknown cipher\n", G_STRFUNC);
        return false;
    }

    if (cipher_suite->kex != KEX_TLS13) {
        ssl_debug_printf("%s Invalid cipher suite 0x%04x spotted!\n", G_STRFUNC, cipher_suite->number);
        return false;
    }

    /* Find the Libgcrypt cipher algorithm for the given SSL cipher suite ID */
    const char *cipher_name = ciphers[cipher_suite->enc-ENC_START];
    ssl_debug_printf("%s CIPHER: %s\n", G_STRFUNC, cipher_name);
    const int cipher_algo = ssl_get_cipher_by_name(cipher_name);
    if (cipher_algo == 0) {
        ssl_debug_printf("%s can't find cipher %s\n", G_STRFUNC, cipher_name);
        return false;
    }

    /* The HKDF hash is the cipher suite's digest. */
    const char *hash_name = ssl_cipher_suite_dig(cipher_suite)->name;
    const int hash_algo = ssl_get_digest_by_name(hash_name);
    if (!hash_algo) {
        ssl_debug_printf("%s can't find hash function %s\n", G_STRFUNC, hash_name);
        return false;
    }

    const unsigned key_length = (unsigned) gcry_cipher_get_algo_keylen(cipher_algo);
    /* AES-GCM/AES-CCM/Poly1305-ChaCha20 all have N_MIN=N_MAX = 12. */
    const unsigned iv_length = 12;
    ssl_debug_printf("%s key_length %u iv_length %u\n", G_STRFUNC, key_length, iv_length);

    const char *label_prefix = tls13_hkdf_label_prefix(ssl_session);
    if (!tls13_hkdf_expand_label(hash_algo, secret, label_prefix, "key", key_length, &write_key)) {
        ssl_debug_printf("%s write_key expansion failed\n", G_STRFUNC);
        return false;
    }
    if (!tls13_hkdf_expand_label(hash_algo, secret, label_prefix, "iv", iv_length, &write_iv)) {
        ssl_debug_printf("%s write_iv expansion failed\n", G_STRFUNC);
        goto end;
    }
    /* DTLS 1.3 additionally derives the key that masks record sequence numbers. */
    if (is_dtls13 &&
            !tls13_hkdf_expand_label(hash_algo, secret, label_prefix, "sn", key_length, &sn_key)) {
        ssl_debug_printf("%s sn_key expansion failed\n", G_STRFUNC);
        goto end;
    }

    ssl_print_data(is_from_server ? "Server Write Key" : "Client Write Key", write_key, key_length);
    ssl_print_data(is_from_server ? "Server Write IV" : "Client Write IV", write_iv, iv_length);
    if (is_dtls13) {
        ssl_print_data(is_from_server ? "Server Write SN" : "Client Write SN", sn_key, key_length);
    }

    ssl_debug_printf("%s ssl_create_decoder(%s)\n", G_STRFUNC, side);
    decoder = ssl_create_decoder(cipher_suite, cipher_algo, 0, NULL, write_key, sn_key, write_iv, iv_length);
    if (!decoder) {
        ssl_debug_printf("%s can't init %s decoder\n", G_STRFUNC, side);
        goto end;
    }

    /* Continue the TLS session with new keys, but reuse old flow to keep things
     * like "Follow TLS" working (by linking application data records). */
    decoder->flow = *slot ? (*slot)->flow : ssl_create_flow();
    *slot = decoder;

    ssl_debug_printf("%s %s ready using cipher suite 0x%04x (cipher %s hash %s)\n", G_STRFUNC,
                     is_from_server ? "Server" : "Client", cipher_suite->number, cipher_name, hash_name);
    success = true;

end:
    /* The decoder is expected to have copied what it needs; the expanded
     * buffers are released here on success and failure alike. */
    wmem_free(NULL, write_key);
    wmem_free(NULL, write_iv);
    if (sn_key)
        wmem_free(NULL, sn_key);
    return success;
}
5295/* (Pre-)master secrets calculations }}} */
5296
5297#ifdef HAVE_LIBGNUTLS1
/* Decrypt RSA pre-master secret using RSA private key. {{{ */
/**
 * Recovers the 48-byte pre-master secret of an RSA key exchange from the
 * EncryptedPreMasterSecret of the ClientKeyExchange message.
 *
 * The private key is looked up in key_hash by ssl_session->cert_key_id (the
 * RSA keys table from the (D)TLS preferences); when no key is configured the
 * secrets provider (hardware token) is asked to decrypt instead. On success
 * the secret is copied into ssl_session->pre_master_secret (file scope) and
 * the master secret / session key flags are cleared so the keyring material
 * is regenerated, e.g. after a renegotiation.
 *
 * Returns true when a 48-byte pre-master secret was installed, false for a
 * non-RSA key exchange, a decryption failure or an unexpected secret length.
 */
static bool
ssl_decrypt_pre_master_secret(SslDecryptSession *ssl_session,
                              StringInfo *encrypted_pre_master, GHashTable *key_hash)
{
    if (!encrypted_pre_master)
        return false;

    /* Only a plain RSA key exchange transports an encrypted pre-master secret. */
    const int kex = ssl_session->cipher_suite->kex;
    if (KEX_IS_DH(kex)) {
        ssl_debug_printf("%s: session uses Diffie-Hellman key exchange "
                         "(cipher suite 0x%04X %s) and cannot be decrypted "
                         "using a RSA private key file.\n",
                         G_STRFUNC, ssl_session->session.cipher,
                         val_to_str_ext_const(ssl_session->session.cipher,
                             &ssl_31_ciphersuite_ext, "unknown"));
        return false;
    }
    if (kex != KEX_RSA) {
        ssl_debug_printf("%s key exchange %d different from KEX_RSA (%d)\n",
                         G_STRFUNC, kex, KEX_RSA);
        return false;
    }

    ssl_print_string("pre master encrypted", encrypted_pre_master);
    ssl_debug_printf("%s: RSA_private_decrypt\n", G_STRFUNC);

    const gnutls_datum_t epms = { encrypted_pre_master->data, encrypted_pre_master->data_len };
    gnutls_datum_t pms = { 0 };
    gnutls_privkey_t privkey = (gnutls_privkey_t)g_hash_table_lookup(key_hash, ssl_session->cert_key_id);

    if (privkey == NULL) {
        // No configured key: try to decrypt using a hardware token.
        int ret = secrets_rsa_decrypt(ssl_session->cert_key_id, epms.data, epms.size, &pms.data, &pms.size);
        if (ret < 0) {
            ssl_debug_printf("%s: decryption failed: %d (%s)\n", G_STRFUNC, ret, gnutls_strerror(ret));
            return false;
        }
    } else {
        // Try to decrypt using the RSA keys table from (D)TLS preferences.
        char *err = NULL;
        gcry_sexp_t private_key = rsa_abstract_privkey_to_sexp(privkey, &err);
        if (!private_key) {
            ssl_debug_printf("%s: decryption failed: Can't export private key: %s", G_STRFUNC, err);
            g_free(err);
            return false;
        }

        /* PKCS#1 v1.5 padding as required by RFC 5246 7.4.7.1. */
        pms.size = (int)rsa_decrypt(encrypted_pre_master->data_len, encrypted_pre_master->data, &pms.data, private_key, "pkcs1", &err);
        rsa_private_key_free(private_key);
        if (pms.size == 0) {
            ssl_debug_printf("%s: decryption failed: %s\n", G_STRFUNC, err);
            g_free(err);
            return false;
        }
    }

    /* The decrypted blob is only usable when it is exactly one pre-master
     * secret long; either way the heap copy is released here. */
    const bool length_ok = pms.size == 48;
    if (length_ok) {
        ssl_session->pre_master_secret.data = (uint8_t *)wmem_memdup(wmem_file_scope(), pms.data, 48);
        ssl_session->pre_master_secret.data_len = 48;
    } else {
        ssl_debug_printf("%s wrong pre_master_secret length (%d, expected %d)\n",
                         G_STRFUNC, pms.size, 48);
    }
    g_free(pms.data);
    if (!length_ok)
        return false;

    ssl_print_string("pre master secret", &ssl_session->pre_master_secret);

    /* Remove the master secret if it was there.
       This forces keying material regeneration in
       case we're renegotiating */
    ssl_session->state &= ~(SSL_MASTER_SECRET|SSL_HAVE_SESSION_KEY);
    ssl_session->state |= SSL_PRE_MASTER_SECRET;
    return true;
} /* }}} */
5373#endif /* HAVE_LIBGNUTLS */
5374
5375/* Decryption integrity check {{{ */
5376
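/**
 * Verifies the MAC of a (D)TLS 1.0-1.2 GenericStreamCipher/GenericBlockCipher
 * record as defined in RFC 5246 6.2.3.1:
 *   HMAC(mac_key, seq_num || type || version || length || fragment)
 *
 * decoder->seq is advanced as a side effect, whether or not the MAC matches,
 * so this must be called exactly once per record.
 *
 * @param data    Record fragment (already decrypted), datalen bytes long.
 * @param mac     MAC received on the wire; must hold at least the digest
 *                length of the cipher suite's hash.
 * @return 0 when the computed MAC equals the received one, -1 on HMAC setup
 *         failure or mismatch.
 */
static int
tls_check_mac(SslDecoder*decoder, int ct, int ver, uint8_t* data,
        uint32_t datalen, uint8_t* mac)
{
    SSL_HMAC hm;
    int      md;
    uint32_t len;
    uint8_t  buf[DIGEST_MAX_SIZE];
    int16_t  temp;

    md=ssl_get_digest_by_name(ssl_cipher_suite_dig(decoder->cipher_suite)->name);
    ssl_debug_printf("tls_check_mac mac type:%s md %d\n",
        ssl_cipher_suite_dig(decoder->cipher_suite)->name, md);

    if (ssl_hmac_init(&hm,md) != 0)
        return -1;
    if (ssl_hmac_setkey(&hm,decoder->mac_key.data,decoder->mac_key.data_len) != 0) {
        /* ssl_hmac_init already opened the handle; release it as the success
         * path does instead of leaking it on this error return. */
        ssl_hmac_cleanup(&hm);
        return -1;
    }

    /* hash sequence number */
    phtonu64(buf, decoder->seq);

    decoder->seq++;

    ssl_hmac_update(&hm,buf,8);

    /* hash content type */
    buf[0]=ct;
    ssl_hmac_update(&hm,buf,1);

    /* hash version, data length and data; the 16-bit network-order values go
     * through a memcpy rather than a pointer cast to avoid an aliasing store */
    temp = g_htons(ver);
    memcpy(buf, &temp, 2);
    ssl_hmac_update(&hm,buf,2);

    temp = g_htons(datalen);
    memcpy(buf, &temp, 2);
    ssl_hmac_update(&hm,buf,2);
    ssl_hmac_update(&hm,data,datalen);

    /* get digest and digest len*/
    len = sizeof(buf);
    ssl_hmac_final(&hm,buf,&len);
    ssl_hmac_cleanup(&hm);
    ssl_print_data("Mac", buf, len);
    if(memcmp(mac,buf,len))
        return -1;

    return 0;
}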
5429
/* Feeds MAC_write_secret followed by pad_len bytes of pad_byte into ctx, i.e.
 * the "key || pad" prefix shared by both passes of the SSL 3.0 MAC. */
static void
ssl3_mac_absorb_key_and_pad(SSL_MD *ctx, const StringInfo *mac_key, uint8_t pad_byte, int pad_len)
{
    uint8_t pad[48];    /* pad_len is 40 (SHA) or 48 (MD5) */

    ssl_md_update(ctx, mac_key->data, mac_key->data_len);
    memset(pad, pad_byte, pad_len);
    ssl_md_update(ctx, pad, pad_len);
}

/**
 * Verifies the MAC of an SSL 3.0 record (SSL 3.0 spec 5.2.3.1):
 *   hash(key || pad_2 || hash(key || pad_1 || seq || type || length || data))
 * with pad_1 = 0x36 and pad_2 = 0x5c repeated 48 times for MD5 and 40 times
 * for SHA-1.
 *
 * decoder->seq is advanced as a side effect whether or not the MAC matches.
 *
 * Returns 0 on match, -1 when the digest cannot be initialised or the MAC
 * differs from the received one.
 */
static int
ssl3_check_mac(SslDecoder*decoder,int ct,uint8_t* data,
        uint32_t datalen, uint8_t* mac)
{
    SSL_MD   ctx;
    uint32_t digest_len = 0;
    uint8_t  scratch[8];
    uint8_t  digest[20];
    int16_t  net_len;
    const int pad_len = (decoder->cipher_suite->dig == DIG_SHA) ? 40 : 48;

    /* get cipher used for digest computation */
    const int md = ssl_get_digest_by_name(ssl_cipher_suite_dig(decoder->cipher_suite)->name);
    if (ssl_md_init(&ctx, md) != 0)
        return -1;

    /* inner hash: key || pad_1 || seq_num || type || length || data */
    ssl3_mac_absorb_key_and_pad(&ctx, &decoder->mac_key, 0x36, pad_len);

    phtonu64(scratch, decoder->seq);
    decoder->seq++;
    ssl_md_update(&ctx, scratch, 8);

    scratch[0] = ct;
    ssl_md_update(&ctx, scratch, 1);

    /* length in network byte order, copied to avoid an aliasing store */
    net_len = g_htons(datalen);
    memcpy(scratch, &net_len, 2);
    ssl_md_update(&ctx, scratch, 2);
    ssl_md_update(&ctx, data, datalen);

    ssl_md_final(&ctx, digest, &digest_len);
    ssl_md_reset(&ctx);

    /* outer hash: key || pad_2 || inner digest */
    ssl3_mac_absorb_key_and_pad(&ctx, &decoder->mac_key, 0x5c, pad_len);
    ssl_md_update(&ctx, digest, digest_len);

    ssl_md_final(&ctx, digest, &digest_len);
    ssl_md_cleanup(&ctx);

    return memcmp(mac, digest, digest_len) ? -1 : 0;
}
5491
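/**
 * Verifies the MAC of a DTLS 1.0-1.2 GenericStreamCipher/GenericBlockCipher
 * record. The MAC input follows tls_check_mac except that the 64-bit sequence
 * number field carries the epoch in its upper 16 bits, and that records of
 * content type tls12_cid also authenticate the connection ID: with the RFC
 * 9146 layout when ssl->session.deprecated_cid is false, and with the earlier
 * draft layout (cid and cid length appended after the version) when it is
 * true.
 *
 * Unlike tls_check_mac, decoder->seq is only read here, not advanced.
 *
 * @param cid, cidl  Connection ID and its length; only consulted for tls12_cid
 *                   records.
 * @return 0 on match, -1 on HMAC setup failure or mismatch.
 */
static int
dtls_check_mac(SslDecryptSession *ssl, SslDecoder*decoder, int ct, uint8_t* data,
        uint32_t datalen, uint8_t* mac, const unsigned char *cid, uint8_t cidl)
{
    SSL_HMAC hm;
    int      md;
    uint32_t len;
    uint8_t  buf[DIGEST_MAX_SIZE];
    int16_t  temp;

    int ver = ssl->session.version;
    bool is_cid = ((ct == SSL_ID_TLS12_CID) && (ver == DTLSV1DOT2_VERSION));

    md=ssl_get_digest_by_name(ssl_cipher_suite_dig(decoder->cipher_suite)->name);
    ssl_debug_printf("dtls_check_mac mac type:%s md %d\n",
        ssl_cipher_suite_dig(decoder->cipher_suite)->name, md);

    if (ssl_hmac_init(&hm,md) != 0)
        return -1;
    if (ssl_hmac_setkey(&hm,decoder->mac_key.data,decoder->mac_key.data_len) != 0) {
        /* ssl_hmac_init already opened the handle; release it as the success
         * path does instead of leaking it on this error return. */
        ssl_hmac_cleanup(&hm);
        return -1;
    }

    ssl_debug_printf("dtls_check_mac seq: %" PRIu64 " epoch: %d\n",decoder->seq,decoder->epoch);

    if (is_cid && !ssl->session.deprecated_cid) {
        /* hash seq num placeholder (eight 0xFF bytes) */
        memset(buf,0xFF,8);
        ssl_hmac_update(&hm,buf,8);

        /* hash content type + cid length + content type */
        buf[0]=ct;
        buf[1]=cidl;
        buf[2]=ct;
        ssl_hmac_update(&hm,buf,3);

        /* hash version (network byte order; memcpy avoids an aliasing store) */
        temp = g_htons(ver);
        memcpy(buf, &temp, 2);
        ssl_hmac_update(&hm,buf,2);

        /* hash epoch (upper 16 bits) || 48-bit sequence number */
        phtonu64(buf, decoder->seq);
        buf[0]=decoder->epoch>>8;
        buf[1]=(uint8_t)decoder->epoch;
        ssl_hmac_update(&hm,buf,8);

        /* hash cid */
        ssl_hmac_update(&hm,cid,cidl);
    } else {
        /* hash epoch (upper 16 bits) || 48-bit sequence number */
        phtonu64(buf, decoder->seq);
        buf[0]=decoder->epoch>>8;
        buf[1]=(uint8_t)decoder->epoch;
        ssl_hmac_update(&hm,buf,8);

        /* hash content type */
        buf[0]=ct;
        ssl_hmac_update(&hm,buf,1);

        /* hash version */
        temp = g_htons(ver);
        memcpy(buf, &temp, 2);
        ssl_hmac_update(&hm,buf,2);

        if (is_cid && ssl->session.deprecated_cid) {
            /* draft layout: cid followed by its length */
            ssl_hmac_update(&hm,cid,cidl);

            buf[0] = cidl;
            ssl_hmac_update(&hm,buf,1);
        }
    }

    /* data length and data */
    temp = g_htons(datalen);
    memcpy(buf, &temp, 2);
    ssl_hmac_update(&hm,buf,2);
    ssl_hmac_update(&hm,data,datalen);

    /* get digest and digest len */
    len = sizeof(buf);
    ssl_hmac_final(&hm,buf,&len);
    ssl_hmac_cleanup(&hm);
    ssl_print_data("Mac", buf, len);
    if(memcmp(mac,buf,len))
        return -1;

    return 0;
}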
5582/* Decryption integrity check }}} */
5583
5584
5585static bool_Bool
5586tls_decrypt_aead_record(wmem_allocator_t* allocator, SslDecryptSession *ssl, SslDecoder *decoder,
5587 uint8_t ct, uint16_t record_version,
5588 bool_Bool ignore_mac_failed,
5589 const unsigned char *in, uint16_t inl,
5590 const unsigned char *cid, uint8_t cidl,
5591 StringInfo *out_str, unsigned *outl)
5592{
5593 /* RFC 5246 (TLS 1.2) 6.2.3.3 defines the TLSCipherText.fragment as:
5594 * GenericAEADCipher: { nonce_explicit, [content] }
5595 * In TLS 1.3 this explicit nonce is gone.
5596 * With AES GCM/CCM, "[content]" is actually the concatenation of the
5597 * ciphertext and authentication tag.
5598 */
5599 const uint16_t version = ssl->session.version;
5600 const bool_Bool is_v12 = version == TLSV1DOT2_VERSION0x303 || version == DTLSV1DOT2_VERSION0xfefd || version == TLCPV1_VERSION0x101;
5601 gcry_error_t err;
5602 const unsigned char *explicit_nonce = NULL((void*)0), *ciphertext;
5603 unsigned ciphertext_len, auth_tag_len;
5604 unsigned char nonce[12];
5605 const ssl_cipher_mode_t cipher_mode = decoder->cipher_suite->mode;
5606 const bool_Bool is_cid = ct == SSL_ID_TLS12_CID && version == DTLSV1DOT2_VERSION0xfefd;
5607 const uint8_t draft_version = ssl->session.tls13_draft_version;
5608 const unsigned char *auth_tag_wire;
5609 unsigned char auth_tag_calc[16];
5610 unsigned char *aad = NULL((void*)0);
5611 unsigned aad_len = 0;
5612
5613 switch (cipher_mode) {
5614 case MODE_GCM:
5615 case MODE_CCM:
5616 case MODE_POLY1305:
5617 auth_tag_len = 16;
5618 break;
5619 case MODE_CCM_8:
5620 auth_tag_len = 8;
5621 break;
5622 default:
5623 ssl_debug_printf("%s unsupported cipher!\n", G_STRFUNC((const char*) (__func__)));
5624 return false0;
5625 }
5626
5627 /* Parse input into explicit nonce (TLS 1.2 only), ciphertext and tag. */
5628 if (is_v12 && cipher_mode != MODE_POLY1305) {
5629 if (inl < EXPLICIT_NONCE_LEN8 + auth_tag_len) {
5630 ssl_debug_printf("%s input %d is too small for explicit nonce %d and auth tag %d\n",
5631 G_STRFUNC((const char*) (__func__)), inl, EXPLICIT_NONCE_LEN8, auth_tag_len);
5632 return false0;
5633 }
5634 explicit_nonce = in;
5635 ciphertext = explicit_nonce + EXPLICIT_NONCE_LEN8;
5636 ciphertext_len = inl - EXPLICIT_NONCE_LEN8 - auth_tag_len;
5637 } else if (version == TLSV1DOT3_VERSION0x304 || version == DTLSV1DOT3_VERSION0xfefc || cipher_mode == MODE_POLY1305) {
5638 if (inl < auth_tag_len) {
5639 ssl_debug_printf("%s input %d has no space for auth tag %d\n", G_STRFUNC((const char*) (__func__)), inl, auth_tag_len);
5640 return false0;
5641 }
5642 ciphertext = in;
5643 ciphertext_len = inl - auth_tag_len;
5644 } else {
5645 ssl_debug_printf("%s Unexpected TLS version %#x\n", G_STRFUNC((const char*) (__func__)), version);
5646 return false0;
5647 }
5648 auth_tag_wire = ciphertext + ciphertext_len;
5649
5650 /*
5651 * Nonce construction is version-specific. Note that AEAD_CHACHA20_POLY1305
5652 * (RFC 7905) uses a nonce construction similar to TLS 1.3.
5653 */
5654 if (is_v12 && cipher_mode != MODE_POLY1305) {
5655 DISSECTOR_ASSERT(decoder->write_iv.data_len == IMPLICIT_NONCE_LEN)((void) ((decoder->write_iv.data_len == 4) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 5655, "decoder->write_iv.data_len == 4"))))
;
5656 /* Implicit (4) and explicit (8) part of nonce. */
5657 memcpy(nonce, decoder->write_iv.data, IMPLICIT_NONCE_LEN4);
5658 memcpy(nonce + IMPLICIT_NONCE_LEN4, explicit_nonce, EXPLICIT_NONCE_LEN8);
5659
5660 } else if (version == TLSV1DOT3_VERSION0x304 || version == DTLSV1DOT3_VERSION0xfefc || cipher_mode == MODE_POLY1305) {
5661 /*
5662 * Technically the nonce length must be at least 8 bytes, but for
5663 * AES-GCM, AES-CCM and Poly1305-ChaCha20 the nonce length is exact 12.
5664 */
5665 const unsigned nonce_len = 12;
5666 DISSECTOR_ASSERT(decoder->write_iv.data_len == nonce_len)((void) ((decoder->write_iv.data_len == nonce_len) ? (void
)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\""
, "epan/dissectors/packet-tls-utils.c", 5666, "decoder->write_iv.data_len == nonce_len"
))))
;
5667 memcpy(nonce, decoder->write_iv.data, decoder->write_iv.data_len);
5668 /* Sequence number is left-padded with zeroes and XORed with write_iv */
5669 phtonu64(nonce + nonce_len - 8, pntohu64(nonce + nonce_len - 8) ^ decoder->seq);
5670 ssl_debug_printf("%s seq %" PRIu64"l" "u" "\n", G_STRFUNC((const char*) (__func__)), decoder->seq);
5671 }
5672
5673 /* Set nonce and additional authentication data */
5674 gcry_cipher_reset(decoder->evp)gcry_cipher_ctl ((decoder->evp), GCRYCTL_RESET, ((void*)0)
, 0)
;
5675 ssl_print_data("nonce", nonce, 12);
5676 err = gcry_cipher_setiv(decoder->evp, nonce, 12);
5677 if (err) {
5678 ssl_debug_printf("%s failed to set nonce: %s\n", G_STRFUNC((const char*) (__func__)), gcry_strerror(err));
5679 return false0;
5680 }
5681
5682 /* (D)TLS 1.2 needs specific AAD, TLS 1.3 (before -25) uses empty AAD. */
5683 if (is_cid) { /* if connection ID */
5684 if (ssl->session.deprecated_cid) {
5685 aad_len = 14 + cidl;
5686 aad = wmem_alloc(allocator, aad_len);
5687 phtonu64(aad, decoder->seq); /* record sequence number */
5688 phtonu16(aad, decoder->epoch); /* DTLS 1.2 includes epoch. */
5689 aad[8] = ct; /* TLSCompressed.type */
5690 phtonu16(aad + 9, record_version); /* TLSCompressed.version */
5691 memcpy(aad + 11, cid, cidl); /* cid */
5692 aad[11 + cidl] = cidl; /* cid_length */
5693 phtonu16(aad + 12 + cidl, ciphertext_len); /* TLSCompressed.length */
5694 } else {
5695 aad_len = 23 + cidl;
5696 aad = wmem_alloc(allocator, aad_len);
5697 memset(aad, 0xFF, 8); /* seq_num_placeholder */
5698 aad[8] = ct; /* TLSCompressed.type */
5699 aad[9] = cidl; /* cid_length */
5700 aad[10] = ct; /* TLSCompressed.type */
5701 phtonu16(aad + 11, record_version); /* TLSCompressed.version */
5702 phtonu64(aad + 13, decoder->seq); /* record sequence number */
5703 phtonu16(aad + 13, decoder->epoch); /* DTLS 1.2 includes epoch. */
5704 memcpy(aad + 21, cid, cidl); /* cid */
5705 phtonu16(aad + 21 + cidl, ciphertext_len); /* TLSCompressed.length */
5706 }
5707 } else if (is_v12) {
5708 aad_len = 13;
5709 aad = wmem_alloc(allocator, aad_len);
5710 phtonu64(aad, decoder->seq); /* record sequence number */
5711 if (version == DTLSV1DOT2_VERSION0xfefd) {
5712 phtonu16(aad, decoder->epoch); /* DTLS 1.2 includes epoch. */
5713 }
5714 aad[8] = ct; /* TLSCompressed.type */
5715 phtonu16(aad + 9, record_version); /* TLSCompressed.version */
5716 phtonu16(aad + 11, ciphertext_len); /* TLSCompressed.length */
5717 } else if (version == DTLSV1DOT3_VERSION0xfefc) {
5718 aad_len = decoder->dtls13_aad.data_len;
5719 aad = decoder->dtls13_aad.data;
5720 } else if (draft_version >= 25 || draft_version == 0) {
5721 aad_len = 5;
5722 aad = wmem_alloc(allocator, aad_len);
5723 aad[0] = ct; /* TLSCiphertext.opaque_type (23) */
5724 phtonu16(aad + 1, record_version); /* TLSCiphertext.legacy_record_version (0x0303) */
5725 phtonu16(aad + 3, inl); /* TLSCiphertext.length */
5726 }
5727
5728 if (decoder->cipher_suite->mode == MODE_CCM || decoder->cipher_suite->mode == MODE_CCM_8) {
5729 /* size of plaintext, additional authenticated data and auth tag. */
5730 uint64_t lengths[3] = { ciphertext_len, aad_len, auth_tag_len };
5731
5732 gcry_cipher_ctl(decoder->evp, GCRYCTL_SET_CCM_LENGTHS, lengths, sizeof(lengths));
5733 }
5734
5735 if (aad && aad_len > 0) {
5736 ssl_print_data("AAD", aad, aad_len);
5737 err = gcry_cipher_authenticate(decoder->evp, aad, aad_len);
5738 if (err) {
5739 ssl_debug_printf("%s failed to set AAD: %s\n", G_STRFUNC((const char*) (__func__)), gcry_strerror(err));
5740 return false0;
5741 }
5742 }
5743
5744 /* Decrypt now that nonce and AAD are set. */
5745 err = gcry_cipher_decrypt(decoder->evp, out_str->data, out_str->data_len, ciphertext, ciphertext_len);
5746 if (err) {
5747 ssl_debug_printf("%s decrypt failed: %s\n", G_STRFUNC((const char*) (__func__)), gcry_strerror(err));
5748 return false0;
5749 }
5750
5751 /* Check authentication tag for authenticity (replaces MAC) */
5752 err = gcry_cipher_gettag(decoder->evp, auth_tag_calc, auth_tag_len);
5753 if (err == 0 && !memcmp(auth_tag_calc, auth_tag_wire, auth_tag_len)) {
5754 ssl_print_data("auth_tag(OK)", auth_tag_calc, auth_tag_len);
5755 } else {
5756 if (err) {
5757 ssl_debug_printf("%s cannot obtain tag: %s\n", G_STRFUNC((const char*) (__func__)), gcry_strerror(err));
5758 } else {
5759 ssl_debug_printf("%s auth tag mismatch\n", G_STRFUNC((const char*) (__func__)));
5760 ssl_print_data("auth_tag(expect)", auth_tag_calc, auth_tag_len);
5761 ssl_print_data("auth_tag(actual)", auth_tag_wire, auth_tag_len);
5762 }
5763 if (ignore_mac_failed) {
5764 ssl_debug_printf("%s: auth check failed, but ignored for troubleshooting ;-)\n", G_STRFUNC((const char*) (__func__)));
5765 } else {
5766 return false0;
5767 }
5768 }
5769
5770 /*
5771 * Increment the (implicit) sequence number for TLS 1.2/1.3 and TLCP 1.1. This is done
5772 * after successful authentication to ensure that early data is skipped when
5773 * CLIENT_EARLY_TRAFFIC_SECRET keys are unavailable.
5774 */
5775 if (version == TLSV1DOT2_VERSION0x303 || version == TLSV1DOT3_VERSION0x304 || version == TLCPV1_VERSION0x101) {
5776 decoder->seq++;
5777 }
5778
5779 ssl_print_data("Plaintext", out_str->data, ciphertext_len);
5780 *outl = ciphertext_len;
5781 return true1;
5782}
5783
5784/* Record decryption glue based on security parameters {{{ */
5785/* Assume that we are called only for a non-NULL decoder which also means that
5786 * we have a non-NULL decoder->cipher_suite. */
/*
 * Decrypt one TLS/DTLS record (in, inl bytes) with the given decoder into
 * out_str and store the plaintext length in *outl.
 *
 * AEAD suites and TLS 1.3 / DTLS 1.3 records are delegated to
 * tls_decrypt_aead_record(). Everything else is handled here as
 * GenericStreamCipher / GenericBlockCipher: explicit IV (CBC, TLS 1.1+ and
 * DTLS), decryption, padding removal, MAC verification (Encrypt-then-MAC or
 * the classic MAC-then-encrypt layout), then optional decompression.
 *
 * Returns 0 on success and -1 on any failure: cipher suite / version
 * mismatch, malformed lengths, decryption error, MAC mismatch (unless
 * ignore_mac_failed is set), or a missing decompressor.
 *
 * ignore_mac_failed is a troubleshooting aid only: when set, a record whose
 * MAC does not verify is still returned as plaintext, so the output can no
 * longer be trusted to be authentic.
 */
5787int
5788ssl_decrypt_record(wmem_allocator_t* allocator, SslDecryptSession *ssl, SslDecoder *decoder, uint8_t ct, uint16_t record_version,
5789 bool_Bool ignore_mac_failed,
5790 const unsigned char *in, uint16_t inl, const unsigned char *cid, uint8_t cidl,
5791 StringInfo *comp_str, StringInfo *out_str, unsigned *outl)
5792{
5793 unsigned pad, worklen, uncomplen, maclen, mac_fraglen = 0;
5794 uint8_t *mac = NULL((void*)0), *mac_frag = NULL((void*)0);
5795
5796 ssl_debug_printf("ssl_decrypt_record ciphertext len %d\n", inl);
5797 ssl_print_data("Ciphertext",in, inl);
5798
 /* A TLS 1.3 / DTLS 1.3 session must use a TLS 1.3 key exchange and vice
 * versa; any other combination means the decoder state is inconsistent. */
5799 if (((ssl->session.version == TLSV1DOT3_VERSION0x304 || ssl->session.version == DTLSV1DOT3_VERSION0xfefc))
5800 != (decoder->cipher_suite->kex == KEX_TLS130x23)) {
5801 ssl_debug_printf("%s Invalid cipher suite for the protocol version!\n", G_STRFUNC((const char*) (__func__)));
5802 return -1;
5803 }
5804
5805 /* ensure we have enough storage space for decrypted data */
 /* Grown with 32 bytes of headroom beyond the ciphertext length. */
5806 if (inl > out_str->data_len)
5807 {
5808 ssl_debug_printf("ssl_decrypt_record: allocating %d bytes for decrypt data (old len %d)\n",
5809 inl + 32, out_str->data_len);
5810 ssl_data_realloc(out_str, inl + 32);
5811 }
5812
5813 /* AEAD ciphers (GenericAEADCipher in TLS 1.2; TLS 1.3) have no padding nor
5814 * a separate MAC, so use a different routine for simplicity. */
5815 if (decoder->cipher_suite->mode == MODE_GCM ||
5816 decoder->cipher_suite->mode == MODE_CCM ||
5817 decoder->cipher_suite->mode == MODE_CCM_8 ||
5818 decoder->cipher_suite->mode == MODE_POLY1305 ||
5819 ssl->session.version == TLSV1DOT3_VERSION0x304 ||
5820 ssl->session.version == DTLSV1DOT3_VERSION0xfefc) {
5821
 /* The AEAD routine verifies the auth tag itself; worklen receives the
 * plaintext length. */
5822 if (!tls_decrypt_aead_record(allocator, ssl, decoder, ct, record_version, ignore_mac_failed, in, inl, cid, cidl, out_str, &worklen)) {
5823 /* decryption failed */
5824 return -1;
5825 }
5826
5827 goto skip_mac;
5828 }
5829
5830 /* RFC 6101/2246: SSLCipherText/TLSCipherText has two structures for types:
5831 * (notation: { unencrypted, [ encrypted ] })
5832 * GenericStreamCipher: { [content, mac] }
5833 * GenericBlockCipher: { IV (TLS 1.1+), [content, mac, padding, padding_len] }
5834 * RFC 5426 (TLS 1.2): TLSCipherText has additionally:
5835 * GenericAEADCipher: { nonce_explicit, [content] }
5836 * RFC 4347 (DTLS): based on TLS 1.1, only GenericBlockCipher is supported.
5837 * RFC 6347 (DTLS 1.2): based on TLS 1.2, includes GenericAEADCipher too.
5838 */
5839
 /* MAC length is the digest length of the suite's hash. */
5840 maclen = ssl_cipher_suite_dig(decoder->cipher_suite)->len;
5841
5842 /* (TLS 1.1 and later, DTLS) Extract explicit IV for GenericBlockCipher */
5843 if (decoder->cipher_suite->mode == MODE_CBC) {
 /* Stays 0 for versions without an explicit IV (SSLv3, TLS 1.0). */
5844 unsigned blocksize = 0;
5845
5846 switch (ssl->session.version) {
5847 case TLSV1DOT1_VERSION0x302:
5848 case TLSV1DOT2_VERSION0x303:
5849 case DTLSV1DOT0_VERSION0xfeff:
5850 case DTLSV1DOT2_VERSION0xfefd:
5851 case DTLSV1DOT3_VERSION0xfefc:
5852 case DTLSV1DOT0_OPENSSL_VERSION0x100:
5853 case TLCPV1_VERSION0x101:
5854 blocksize = ssl_get_cipher_blocksize(decoder->cipher_suite);
5855 if (inl < blocksize) {
5856 ssl_debug_printf("ssl_decrypt_record failed: input %d has no space for IV %d\n",
5857 inl, blocksize);
5858 return -1;
5859 }
 /* The explicit IV is the first block of the record. */
5860 pad = gcry_cipher_setiv(decoder->evp, in, blocksize);
5861 if (pad != 0) {
 /* NOTE(review): a failed setiv is only logged; decryption goes
 * ahead with whatever IV the cipher handle currently holds. */
5862 ssl_debug_printf("ssl_decrypt_record failed: failed to set IV: %s %s\n",
5863 gcry_strsource (pad), gcry_strerror (pad));
5864 }
5865
 /* Skip past the IV; the remainder is the encrypted payload. */
5866 inl -= blocksize;
5867 in += blocksize;
5868 break;
5869 }
5870
5871 /* Encrypt-then-MAC for (D)TLS (RFC 7366) */
5872 if (ssl->state & SSL_ENCRYPT_THEN_MAC(1<<11)) {
5873 /*
5874 * MAC is calculated over (IV + ) ENCRYPTED contents:
5875 *
5876 * MAC(MAC_write_key, ... +
5877 * IV + // for TLS 1.1 or greater
5878 * TLSCiphertext.enc_content);
5879 */
5880 if (inl < maclen) {
5881 ssl_debug_printf("%s failed: input %d has no space for MAC %d\n",
5882 G_STRFUNC((const char*) (__func__)), inl, maclen);
5883 return -1;
5884 }
 /* The MAC trails the ciphertext; the MAC'd fragment starts at the
 * IV (in - blocksize), or at in when blocksize is 0. */
5885 inl -= maclen;
5886 mac = (uint8_t *)in + inl;
5887 mac_frag = (uint8_t *)in - blocksize;
5888 mac_fraglen = blocksize + inl;
5889 }
5890 }
5891
5892 /* First decrypt*/
 /* Non-zero return is a gcrypt error code. */
5893 if ((pad = ssl_cipher_decrypt(&decoder->evp, out_str->data, out_str->data_len, in, inl)) != 0) {
5894 ssl_debug_printf("ssl_decrypt_record failed: ssl_cipher_decrypt: %s %s\n", gcry_strsource (pad),
5895 gcry_strerror (pad));
5896 return -1;
5897 }
5898
5899 ssl_print_data("Plaintext", out_str->data, inl);
5900 worklen=inl;
5901
5902
5903 /* strip padding for GenericBlockCipher */
5904 if (decoder->cipher_suite->mode == MODE_CBC) {
5905 if (inl < 1) { /* Should this check happen earlier? */
5906 ssl_debug_printf("ssl_decrypt_record failed: input length %d too small\n", inl);
5907 return -1;
5908 }
 /* Last plaintext byte is padding_length; the record must hold at least
 * that many padding bytes plus the length byte itself. */
5909 pad=out_str->data[inl-1];
5910 if (worklen <= pad) {
5911 ssl_debug_printf("ssl_decrypt_record failed: padding %d too large for work %d\n",
5912 pad, worklen);
5913 return -1;
5914 }
5915 worklen-=(pad+1);
5916 ssl_debug_printf("ssl_decrypt_record found padding %d final len %d\n",
5917 pad, worklen);
5918 }
5919
5920 /* MAC for GenericStreamCipher and GenericBlockCipher.
5921 * (normal case without Encrypt-then-MAC (RFC 7366) extension. */
5922 if (!mac) {
5923 /*
5924 * MAC is calculated over the DECRYPTED contents:
5925 *
5926 * MAC(MAC_write_key, ... + TLSCompressed.fragment);
5927 */
5928 if (worklen < maclen) {
 /* NOTE(review): *outl has not been assigned yet, so the "outlen"
 * printed here is whatever the caller passed in, not a result. */
5929 ssl_debug_printf("%s wrong record len/padding outlen %d\n work %d\n", G_STRFUNC((const char*) (__func__)), *outl, worklen);
5930 return -1;
5931 }
 /* MAC trails the (unpadded) plaintext. */
5932 worklen -= maclen;
5933 mac = out_str->data + worklen;
5934 mac_frag = out_str->data;
5935 mac_fraglen = worklen;
5936 }
5937
5938 /* If NULL encryption active and no keys are available, do not bother
5939 * checking the MAC. We do not have keys for that. */
5940 if (decoder->cipher_suite->mode == MODE_STREAM &&
5941 decoder->cipher_suite->enc == ENC_NULL0x3D &&
5942 !(ssl->state & SSL_MASTER_SECRET(1<<5))) {
5943 ssl_debug_printf("MAC check skipped due to missing keys\n");
5944 decoder->seq++; // Increment this for display
5945 goto skip_mac;
5946 }
5947
5948 /* Now check the MAC */
 /* Each branch picks the MAC construction for the negotiated version;
 * a mismatch is fatal unless ignore_mac_failed is set. */
5949 ssl_debug_printf("checking mac (len %d, version %X, ct %d seq %" PRIu64"l" "u" ")\n",
5950 worklen, ssl->session.version, ct, decoder->seq);
5951 if(ssl->session.version==SSLV3_VERSION0x300){
5952 if(ssl3_check_mac(decoder,ct,mac_frag,mac_fraglen,mac) < 0) {
5953 if(ignore_mac_failed) {
5954 ssl_debug_printf("ssl_decrypt_record: mac failed, but ignored for troubleshooting ;-)\n");
5955 }
5956 else{
5957 ssl_debug_printf("ssl_decrypt_record: mac failed\n");
5958 return -1;
5959 }
5960 }
5961 else{
5962 ssl_debug_printf("ssl_decrypt_record: mac ok\n");
5963 }
5964 }
5965 else if(ssl->session.version==TLSV1_VERSION0x301 || ssl->session.version==TLSV1DOT1_VERSION0x302 || ssl->session.version==TLSV1DOT2_VERSION0x303 || ssl->session.version==TLCPV1_VERSION0x101){
5966 if(tls_check_mac(decoder,ct,ssl->session.version,mac_frag,mac_fraglen,mac)< 0) {
5967 if(ignore_mac_failed) {
5968 ssl_debug_printf("ssl_decrypt_record: mac failed, but ignored for troubleshooting ;-)\n");
5969 }
5970 else{
5971 ssl_debug_printf("ssl_decrypt_record: mac failed\n");
5972 return -1;
5973 }
5974 }
5975 else{
5976 ssl_debug_printf("ssl_decrypt_record: mac ok\n");
5977 }
5978 }
5979 else if(ssl->session.version==DTLSV1DOT0_VERSION0xfeff ||
5980 ssl->session.version==DTLSV1DOT2_VERSION0xfefd ||
5981 ssl->session.version==DTLSV1DOT0_OPENSSL_VERSION0x100){
5982 /* Try rfc-compliant mac first, and if failed, try old openssl's non-rfc-compliant mac */
5983 if(dtls_check_mac(ssl,decoder,ct,mac_frag,mac_fraglen,mac,cid,cidl)>= 0) {
5984 ssl_debug_printf("ssl_decrypt_record: mac ok\n");
5985 }
5986 else if(tls_check_mac(decoder,ct,TLSV1_VERSION0x301,mac_frag,mac_fraglen,mac)>= 0) {
5987 ssl_debug_printf("ssl_decrypt_record: dtls rfc-compliant mac failed, but old openssl's non-rfc-compliant mac ok\n");
5988 }
5989 else if(ignore_mac_failed) {
5990 ssl_debug_printf("ssl_decrypt_record: mac failed, but ignored for troubleshooting ;-)\n");
5991 }
5992 else{
5993 ssl_debug_printf("ssl_decrypt_record: mac failed\n");
5994 return -1;
5995 }
5996 }
 /* Reached directly from the AEAD path and the keyless NULL-cipher path. */
5997skip_mac:
5998
5999 *outl = worklen;
6000
 /* Decompress into out_str via comp_str when the record layer negotiated
 * compression; *outl then becomes the uncompressed length. */
6001 if (decoder->compression > 0) {
6002 ssl_debug_printf("ssl_decrypt_record: compression method %d\n", decoder->compression);
6003 ssl_data_copy(comp_str, out_str);
6004 ssl_print_data("Plaintext compressed", comp_str->data, worklen);
6005 if (!decoder->decomp) {
6006 ssl_debug_printf("decrypt_ssl3_record: no decoder available\n");
6007 return -1;
6008 }
6009 if (ssl_decompress_record(decoder->decomp, comp_str->data, worklen, out_str, &uncomplen) < 0) return -1;
6010 ssl_print_data("Plaintext uncompressed", out_str->data, uncomplen);
6011 *outl = uncomplen;
6012 }
6013
6014 return 0;
6015}
6016/* Record decryption glue based on security parameters }}} */
6017
6018
6019
6020#ifdef HAVE_LIBGNUTLS1
6021
6022/* RSA private key file processing {{{ */
/* Record the key identifier of the server's RSA certificate public key on
 * the session (ssl->cert_key_id) so a matching private key can be looked up
 * later. Non-RSA keys and any GnuTLS failure are logged and ignored.
 *
 * subjectPublicKeyInfo: DER-encoded SubjectPublicKeyInfo from the handshake;
 * an empty datum means none was found. Allocates the stored key id in file
 * scope.
 */
static void
ssl_find_private_key_by_pubkey(SslDecryptSession *ssl,
                               const gnutls_datum_t *subjectPublicKeyInfo)
{
    gnutls_pubkey_t pubkey = NULL;
    cert_key_id_t key_id;
    size_t key_id_len = sizeof(key_id);
    int r;

    if (!subjectPublicKeyInfo->size) {
        ssl_debug_printf("%s: could not find SubjectPublicKeyInfo\n", G_STRFUNC);
        return;
    }

    if ((r = gnutls_pubkey_init(&pubkey)) < 0) {
        ssl_debug_printf("%s: failed to init pubkey: %s\n",
                         G_STRFUNC, gnutls_strerror(r));
        return;
    }

    /* From here on pubkey is owned and released at the bottom. */
    if ((r = gnutls_pubkey_import(pubkey, subjectPublicKeyInfo, GNUTLS_X509_FMT_DER)) < 0) {
        ssl_debug_printf("%s: failed to import pubkey from handshake: %s\n",
                         G_STRFUNC, gnutls_strerror(r));
    } else if (gnutls_pubkey_get_pk_algorithm(pubkey, NULL) != GNUTLS_PK_RSA) {
        ssl_debug_printf("%s: Not a RSA public key - ignoring.\n", G_STRFUNC);
    } else if ((r = gnutls_pubkey_get_key_id(pubkey, 0, key_id.key_id, &key_id_len)) < 0) {
        /* Key id is the 20-byte SHA-1 digest GnuTLS computes for flags 0. */
        ssl_debug_printf("%s: failed to extract key id from pubkey: %s\n",
                         G_STRFUNC, gnutls_strerror(r));
    } else if (key_id_len != sizeof(key_id)) {
        ssl_debug_printf("%s: expected Key ID size %zu, got %zu\n",
                         G_STRFUNC, sizeof(key_id), key_id_len);
    } else {
        ssl_print_data("Certificate.KeyID", key_id.key_id, key_id_len);
        ssl->cert_key_id = wmem_new(wmem_file_scope(), cert_key_id_t);
        *ssl->cert_key_id = key_id;
    }

    gnutls_pubkey_deinit(pubkey);
}
6077
6078/* RSA private key file processing }}} */
6079#endif /* HAVE_LIBGNUTLS */
6080
6081/*--- Start of dissector-related code below ---*/
6082
6083/* This is not a "protocol" but ensures that this gets called during
6084 * the handoff stage. */
6085void proto_reg_handoff_tls_utils(void);
6086
/* Handles of the base TLS and DTLS dissectors, resolved at handoff time and
 * used to decide which stream counter a new session bumps. */
6087static dissector_handle_t base_tls_handle;
6088static dissector_handle_t dtls_handle;
6089
/* Handoff hook: resolve the "tls" and "dtls" dissector handles once all
 * dissectors are registered. */
void
proto_reg_handoff_tls_utils(void)
{
    dtls_handle = find_dissector("dtls");
    base_tls_handle = find_dissector("tls");
}
6096
6097/* Look up an existing SslDecryptSession without creating one. Returns NULL if
6098 * no session exists. */
/* Find the SslDecryptSession stored for this conversation and TLS layer
 * number without creating one.
 *
 * Returns NULL when conversation is NULL, when no TLS data is attached to
 * it, or when the layer has no session in the per-conversation map.
 */
SslDecryptSession *
tls_get_session(conversation_t *conversation, int proto_ssl, uint8_t curr_layer_num)
{
    if (!conversation)
        return NULL;

    /* Proto data is a wmem map of sessions keyed by layer number. */
    wmem_map_t *session_map = (wmem_map_t *)conversation_get_proto_data(conversation, proto_ssl);
    if (!session_map)
        return NULL;

    return (SslDecryptSession *)wmem_map_lookup(session_map,
                                                GUINT_TO_POINTER((unsigned)curr_layer_num));
}
6118
6119/* Get the SSL data for this session. If no SSL data is found, allocate a new one. */
/* Return the SslDecryptSession for this conversation and TLS layer number,
 * creating a zeroed one when none exists yet.
 *
 * Sessions live in a per-conversation wmem map keyed by layer number so
 * nested TLS layers keep separate state; the map and the sessions are
 * file-scoped and are released when the capture file is closed. The TLS or
 * DTLS stream counter is only incremented for the base handles, not for the
 * tls13_handshake handle used by QUIC.
 */
SslDecryptSession *
ssl_get_session(conversation_t *conversation, dissector_handle_t tls_handle, uint8_t curr_layer_num)
{
    /* proto_ssl is "tls" for both the main tls_handle and the
     * tls13_handshake handle used by QUIC. */
    const int proto_ssl = dissector_handle_get_protocol_index(tls_handle);
    void *layer_key = GUINT_TO_POINTER((unsigned)curr_layer_num);
    wmem_map_t *session_map = (wmem_map_t *)conversation_get_proto_data(conversation, proto_ssl);
    SslDecryptSession *ssl_session;

    if (session_map != NULL) {
        ssl_session = (SslDecryptSession *)wmem_map_lookup(session_map, layer_key);
        if (ssl_session != NULL)
            return ssl_session;
    } else {
        /* First TLS layer seen on this conversation: create the map. */
        session_map = wmem_map_new(wmem_file_scope(), g_direct_hash, g_direct_equal);
        conversation_add_proto_data(conversation, proto_ssl, session_map);
    }

    /* Nothing stored for this layer yet: build a fresh session. */
    ssl_session = wmem_new0(wmem_file_scope(), SslDecryptSession);

    /* Fixed-size secrets point at the embedded _xxx arrays; data_len is the
     * meaningful length, not the capacity. */
    ssl_session->master_secret.data = ssl_session->_master_secret;
    ssl_session->master_secret.data_len = 0;
    ssl_session->session_id.data = ssl_session->_session_id;
    ssl_session->session_id.data_len = 0;
    ssl_session->client_random.data = ssl_session->_client_random;
    ssl_session->client_random.data_len = 0;
    ssl_session->server_random.data = ssl_session->_server_random;
    ssl_session->server_random.data_len = 0;
    ssl_session->server_data_for_iv.data = ssl_session->_server_data_for_iv;
    ssl_session->server_data_for_iv.data_len = 0;
    ssl_session->client_data_for_iv.data = ssl_session->_client_data_for_iv;
    ssl_session->client_data_for_iv.data_len = 0;

    /* Variable-size buffers start empty and are allocated on demand. */
    ssl_session->session_ticket.data = NULL;
    ssl_session->session_ticket.data_len = 0;
    ssl_session->app_data_segment.data = NULL;
    ssl_session->app_data_segment.data_len = 0;
    ssl_session->handshake_data.data = NULL;
    ssl_session->handshake_data.data_len = 0;
    ssl_session->ech_transcript.data = NULL;
    ssl_session->ech_transcript.data_len = 0;

    /* Session parameters that matter for dissection, not only decryption. */
    SslSession *session = &ssl_session->session;
    session->version = SSL_VER_UNKNOWN;
    clear_address(&session->srv_addr);
    session->srv_ptype = PT_NONE;
    session->srv_port = 0;
    session->dtls13_current_epoch[0] = 0;
    session->dtls13_current_epoch[1] = 0;
    session->dtls13_next_seq_num[0] = 0;
    session->dtls13_next_seq_num[1] = 0;
    session->client_random.data = session->_client_random;
    session->client_random.data_len = 0;
    memset(session->ech_confirmation, 0, sizeof(session->ech_confirmation));
    memset(session->hrr_ech_confirmation, 0, sizeof(session->hrr_ech_confirmation));
    memset(session->first_ech_auth_tag, 0, sizeof(session->first_ech_auth_tag));
    session->ech = false;
    session->hrr_ech_declined = false;
    session->first_ch_ech_frame = 0;

    /* Only the base TLS/DTLS handles take part in Follow Stream; the QUIC
     * tls13_handshake handle has its own stream handling. */
    if (tls_handle == base_tls_handle)
        session->stream = tls_increment_stream_count();
    else if (tls_handle == dtls_handle)
        session->stream = dtls_increment_stream_count();

    wmem_map_insert(session_map, layer_key, ssl_session);

    return ssl_session;
}
6205
/* Reset per-handshake state when a new handshake starts (e.g. renegotiation).
 *
 * session: dissection-level state, always reset. ssl: decryption state, may
 * be NULL. is_client selects which side's secrets and identifiers are
 * forgotten so that secrets are never restored through stale identifiers
 * even if client and server packets arrive out of order.
 */
void ssl_reset_session(SslSession *session, SslDecryptSession *ssl, bool is_client)
{
    if (ssl) {
        int clear_flags = SSL_HAVE_SESSION_KEY | SSL_MASTER_SECRET | SSL_PRE_MASTER_SECRET;
        const char *side;

        if (is_client) {
            side = "client";
            clear_flags |= SSL_CLIENT_EXTENDED_MASTER_SECRET;
            ssl->session_id.data_len = 0;
            ssl->session_ticket.data_len = 0;
            ssl->master_secret.data_len = 0;
            ssl->client_random.data_len = 0;
            ssl->has_early_data = false;
            /* The EMS handshake hash starts at the ClientHello: drop any
             * handshake bytes buffered before it. */
            if (ssl->handshake_data.data_len > 0) {
                wmem_free(wmem_file_scope(), ssl->handshake_data.data);
                ssl->handshake_data.data = NULL;
                ssl->handshake_data.data_len = 0;
            }
        } else {
            side = "server";
            clear_flags |= SSL_SERVER_EXTENDED_MASTER_SECRET | SSL_NEW_SESSION_TICKET;
            ssl->server_random.data_len = 0;
            ssl->pre_master_secret.data_len = 0;
#ifdef HAVE_LIBGNUTLS
            ssl->cert_key_id = NULL;
#endif
            ssl->has_psk = false;
            ssl->has_key_share = false;
            /* The PSK is kept on purpose: only one global PSK exists in the
             * preferences, so clearing it here would gain nothing. */
        }

        if (ssl->state & clear_flags) {
            ssl_debug_printf("%s detected renegotiation, clearing 0x%02x (%s side)\n",
                             G_STRFUNC, ssl->state & clear_flags, side);
            ssl->state &= ~clear_flags;
        }
    }

    /* These fields also influence dissection, so reset them regardless of
     * whether decryption state exists. */
    if (is_client) {
        session->client_cert_type = 0;
    } else {
        session->compression = 0;
        session->server_cert_type = 0;
        /* session->is_session_resumed is handled in the ServerHello dissection. */
    }
    session->dtls13_next_seq_num[0] = 0;
    session->dtls13_next_seq_num[1] = 0;
    session->dtls13_current_epoch[0] = 0;
    session->dtls13_current_epoch[1] = 0;
}
6260
/* Attach an application-data dissector to the TLS session of the current
 * conversation and layer. Does nothing when either handle is NULL.
 *
 * Note: find_dissector() still returns a handle for a disabled dissector, so
 * a NULL here means the dissector is not registered at all (or the caller
 * passed NULL explicitly).
 */
void
tls_set_appdata_dissector(dissector_handle_t tls_handle, packet_info *pinfo,
                          dissector_handle_t app_handle)
{
    if (!tls_handle || !app_handle)
        return;

    const int proto = dissector_handle_get_protocol_index(tls_handle);
    const uint8_t curr_layer_num = p_get_proto_depth(pinfo, proto);
    conversation_t *conversation = find_or_create_conversation(pinfo);
    SslDecryptSession *ssl = ssl_get_session(conversation, tls_handle, curr_layer_num);

    ssl->session.app_handle = app_handle;
}
6282
/* Switch a conversation to TLS after a STARTTLS-style upgrade.
 *
 * Records app_handle as the application dissector, makes the TLS dissector
 * the conversation dissector and marks last_nontls_frame as the last frame
 * before TLS. Returns 0 when the switch was made or tls_handle is NULL; when
 * an earlier switch already happened for this session the previous
 * last_nontls_frame is returned and nothing is changed.
 */
static uint32_t
ssl_starttls(dissector_handle_t tls_handle, packet_info *pinfo,
             dissector_handle_t app_handle, uint32_t last_nontls_frame)
{
    /* A NULL handle means the TLS dissector is not registered at all, or the
     * caller has an error; find_dissector() still returns disabled ones. */
    if (!tls_handle)
        return 0;

    const int proto = dissector_handle_get_protocol_index(tls_handle);
    const uint8_t curr_layer_num = p_get_proto_depth(pinfo, proto);

    /* Callers must always pass a valid handle to their own dissector. */
    DISSECTOR_ASSERT(app_handle);

    conversation_t *conversation = find_or_create_conversation(pinfo);
    SslSession *session = &ssl_get_session(conversation, tls_handle, curr_layer_num)->session;

    ssl_debug_printf("%s: old frame %d, app_handle=%p (%s)\n", G_STRFUNC,
                     session->last_nontls_frame,
                     (void *)session->app_handle,
                     dissector_handle_get_dissector_name(session->app_handle));
    ssl_debug_printf("%s: current frame %d, app_handle=%p (%s)\n", G_STRFUNC,
                     pinfo->num, (void *)app_handle,
                     dissector_handle_get_dissector_name(app_handle));

    /* An earlier dissector already switched this conversation; keep it. */
    if (session->last_nontls_frame) {
        ssl_debug_printf("%s: not overriding previous app handle!\n", G_STRFUNC);
        return session->last_nontls_frame;
    }

    session->app_handle = app_handle;
    /* TLS must be called first for this conversation from now on. */
    conversation_set_dissector(conversation, tls_handle);
    /* TLS starts after this frame. */
    session->last_nontls_frame = last_nontls_frame;
    return 0;
}
6328
6329/* ssl_starttls_ack: mark future frames as encrypted. */
/* ssl_starttls_ack: mark future frames as encrypted; the current frame
 * (pinfo->num) is the last non-TLS one. */
uint32_t
ssl_starttls_ack(dissector_handle_t tls_handle, packet_info *pinfo,
                 dissector_handle_t app_handle)
{
    const uint32_t last_nontls_frame = pinfo->num;
    return ssl_starttls(tls_handle, pinfo, app_handle, last_nontls_frame);
}
6336
/* ssl_starttls_post_ack: like ssl_starttls_ack() but the current frame is
 * already TLS, so the previous frame (pinfo->num - 1) is the last non-TLS
 * one. */
uint32_t
ssl_starttls_post_ack(dissector_handle_t tls_handle, packet_info *pinfo,
                      dissector_handle_t app_handle)
{
    const uint32_t last_nontls_frame = pinfo->num - 1;
    return ssl_starttls(tls_handle, pinfo, app_handle, last_nontls_frame);
}
6343
/* Look up an application-data dissector by name. "http" is accepted as an
 * alias of "http-over-tls" for backwards compatibility.
 *
 * XXX - should this verify that the dissector is actually registered for
 * Decode As in the appropriate table?
 */
dissector_handle_t
ssl_find_appdata_dissector(const char *name)
{
    const char *lookup_name = (strcmp(name, "http") == 0) ? "http-over-tls" : name;
    return find_dissector(lookup_name);
}
6355
6356/* Functions for TLS/DTLS sessions and RSA private keys hashtables. {{{ */
/* Hash-table equality for StringInfo keys: equal when the lengths match and
 * the bytes compare equal. Returns 1 for equal, 0 otherwise. */
static int
ssl_equal (const void *v, const void *v2)
{
    const StringInfo *lhs = (const StringInfo *)v;
    const StringInfo *rhs = (const StringInfo *)v2;

    /* Length check first so memcmp never runs past the shorter key. */
    return lhs->data_len == rhs->data_len &&
           memcmp(lhs->data, rhs->data, rhs->data_len) == 0;
}
6371
/* Hash-table hash for StringInfo keys: strong hash over the key bytes. */
static unsigned
ssl_hash(const void *v)
{
    const StringInfo *key = v;
    return wmem_strong_hash(key->data, key->data_len);
}
6380/* Functions for TLS/DTLS sessions and RSA private keys hashtables. }}} */
6381
6382/* Handling of association between tls/dtls ports and clear text protocol. {{{ */
6383void
6384ssl_association_add(const char* dissector_table_name, dissector_handle_t main_handle, dissector_handle_t subdissector_handle, unsigned port, bool_Bool tcp)
6385{
6386 DISSECTOR_ASSERT(main_handle)((void) ((main_handle) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 6386, "main_handle"))))
;
6387 DISSECTOR_ASSERT(subdissector_handle)((void) ((subdissector_handle) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 6387, "subdissector_handle"))))
;
6388 /* Registration is required for Export PDU feature to work properly. */
6389 DISSECTOR_ASSERT_HINT(dissector_handle_get_dissector_name(subdissector_handle),((void) ((dissector_handle_get_dissector_name(subdissector_handle
)) ? (void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\" (%s)"
, "epan/dissectors/packet-tls-utils.c", 6390, "dissector_handle_get_dissector_name(subdissector_handle)"
, "SSL appdata dissectors must register with register_dissector()!"
))))
6390 "SSL appdata dissectors must register with register_dissector()!")((void) ((dissector_handle_get_dissector_name(subdissector_handle
)) ? (void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\" (%s)"
, "epan/dissectors/packet-tls-utils.c", 6390, "dissector_handle_get_dissector_name(subdissector_handle)"
, "SSL appdata dissectors must register with register_dissector()!"
))))
;
6391 ssl_debug_printf("association_add %s port %d handle %p\n", dissector_table_name, port, (void *)subdissector_handle);
6392
6393 if (port) {
6394 dissector_add_uint(dissector_table_name, port, subdissector_handle);
6395 if (tcp)
6396 dissector_add_uint("tcp.port", port, main_handle);
6397 else
6398 dissector_add_uint("udp.port", port, main_handle);
6399 dissector_add_uint("sctp.port", port, main_handle);
6400 } else {
6401 dissector_add_for_decode_as(dissector_table_name, subdissector_handle);
6402 }
6403}
6404
void
ssl_association_remove(const char* dissector_table_name, dissector_handle_t main_handle, dissector_handle_t subdissector_handle, unsigned port, bool tcp)
{
    ssl_debug_printf("ssl_association_remove removing %s %u - handle %p\n",
                     tcp?"TCP":"UDP", port, (void *)subdissector_handle);

    /* Without a main_handle there is no transport-port registration of ours
     * to undo; only the appdata mapping below is touched. */
    if (main_handle != NULL) {
        const char *transport_table = tcp ? "tcp.port" : "udp.port";
        dissector_delete_uint(transport_table, port, main_handle);
        dissector_delete_uint("sctp.port", port, main_handle);
    }

    /* Port 0 associations were made with dissector_add_for_decode_as() in
     * ssl_association_add() and have no per-port entry to delete. */
    if (port != 0)
        dissector_delete_uint(dissector_table_name, port, subdissector_handle);
}
6419
void
ssl_set_server(SslSession *session, address *addr, port_type ptype, uint32_t port)
{
    /* Record the TLS server endpoint so later packets can be classified by
     * direction (ssl_packet_from_server). The address is copied into file
     * scope; addr itself is presumably only valid for the current packet. */
    session->srv_ptype = ptype;
    session->srv_port  = port;
    copy_address_wmem(wmem_file_scope(), &session->srv_addr, addr);
}
6427
int
ssl_packet_from_server(SslSession *session, dissector_table_t table, const packet_info *pinfo)
{
    int from_server;

    if (session == NULL || session->srv_addr.type == AT_NONE) {
        /* Server endpoint not learned yet: fall back to the port table and
         * treat a packet whose source port has a registered subdissector as
         * coming from the server. This is a heuristic and is only as good as
         * the port registrations. */
        from_server = dissector_get_uint_handle(table, pinfo->srcport) != 0;
    } else {
        /* Compare the packet source (transport type, port, address) with the
         * endpoint recorded by ssl_set_server(). */
        from_server = session->srv_ptype == pinfo->ptype
                   && session->srv_port == pinfo->srcport
                   && addresses_equal(&session->srv_addr, &pinfo->src);
    }

    ssl_debug_printf("packet_from_server: is from server - %s\n", (from_server)?"TRUE":"FALSE");
    return from_server;
}
6443/* Handling of association between tls/dtls ports and clear text protocol. }}} */
6444
6445
6446/* Links SSL records with the real packet data. {{{ */
SslPacketInfo *
tls_add_packet_info(int proto, packet_info *pinfo, uint8_t curr_layer_num_ssl)
{
    SslPacketInfo *pi = (SslPacketInfo *)p_get_proto_data(wmem_file_scope(), pinfo, proto, curr_layer_num_ssl);
    if (pi != NULL)
        return pi;

    /* First time this (packet, proto, layer) triple is seen: create the
     * per-packet record list and attach it to the frame. */
    pi = wmem_new0(wmem_file_scope(), SslPacketInfo);
    pi->srcport  = pinfo->srcport;
    pi->destport = pinfo->destport;

    conversation_t *conv = find_or_create_conversation_strat(pinfo);
    SslDecryptSession *ssl_session = tls_get_session(conv, proto, curr_layer_num_ssl);
    /* The QUIC TLS 1.3 handshake-only dissector calls this without a
     * session; it needs neither Follow nor Decode As, so the stream id is
     * simply left at zero (from wmem_new0) in that case. */
    if (ssl_session != NULL)
        pi->stream = ssl_session->session.stream;

    p_add_proto_data(wmem_file_scope(), pinfo, proto, curr_layer_num_ssl, pi);
    return pi;
}
6468
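/**
 * Remembers the decrypted TLS record fragment (TLSInnerPlaintext in TLS 1.3) to
 * avoid the need for a decoder in the second pass. Additionally, it remembers
 * sequence numbers (for reassembly and Follow TLS Stream).
 *
 * The plaintext is copied into file scope, so the caller's buffer may be
 * reused afterwards. Records are appended to the packet's list in call order.
 *
 * @param proto The protocol identifier (proto_ssl or proto_dtls).
 * @param pinfo The packet where the record originates from.
 * @param plain_data Decrypted plaintext to store in the record.
 * @param plain_data_len Total length of the plaintext.
 * @param content_len Length of the plaintext section corresponding to the record content.
 * @param record_id The identifier for this record within the current packet.
 * @param flow Information about sequence numbers, etc. May be NULL.
 * @param type TLS Content Type (such as handshake or application_data).
 * @param curr_layer_num_ssl The layer identifier for this TLS session.
 * @param record_seq Record sequence number, stored as-is.
 */
void
ssl_add_record_info(int proto, packet_info *pinfo,
                    const unsigned char *plain_data, int plain_data_len, int content_len,
                    int record_id, SslFlow *flow, ContentType type, uint8_t curr_layer_num_ssl,
                    uint64_t record_seq)
{
    SslRecordInfo* rec, **prec;
    SslPacketInfo *pi = tls_add_packet_info(proto, pinfo, curr_layer_num_ssl);

    ws_assert(content_len <= plain_data_len);

    /* Zero-initialise the record: seq and flow are only assigned for
     * application data below and must read as 0/NULL for every other
     * record type, not as whatever the allocator happened to return. */
    rec = wmem_new0(wmem_file_scope(), SslRecordInfo);
    rec->plain_data = (unsigned char *)wmem_memdup(wmem_file_scope(), plain_data, plain_data_len);
    rec->plain_data_len = plain_data_len;
    rec->content_len = content_len;
    rec->id = record_id;
    rec->type = type;
    rec->next = NULL;
    rec->record_seq = record_seq;

    if (flow && type == SSL_ID_APP_DATA) {
        /* Byte offsets within the decrypted stream only make sense for
         * application data; advance the flow by the record content. */
        rec->seq = flow->byte_seq;
        rec->flow = flow;
        flow->byte_seq += content_len;
        ssl_debug_printf("%s stored decrypted record seq=%d nxtseq=%d flow=%p\n",
                         G_STRFUNC, rec->seq, rec->seq + content_len, (void*)flow);
    }

    /* Remember decrypted records, appended at the tail. */
    prec = &pi->records;
    while (*prec) prec = &(*prec)->next;
    *prec = rec;
}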
6517
/* search in packet data for the specified id; return a newly created tvb for the associated data */
tvbuff_t*
ssl_get_record_info(tvbuff_t *parent_tvb, int proto, packet_info *pinfo, int record_id, uint8_t curr_layer_num_ssl, SslRecordInfo **matched_record)
{
    SslPacketInfo *pi = (SslPacketInfo *)p_get_proto_data(wmem_file_scope(), pinfo, proto, curr_layer_num_ssl);
    if (pi == NULL)
        return NULL;  /* nothing was stored for this packet/layer */

    for (SslRecordInfo *rec = pi->records; rec != NULL; rec = rec->next) {
        if (rec->id != record_id)
            continue;
        /* matched_record is assumed to be a valid out-pointer. */
        *matched_record = rec;
        /* The plaintext lives in file scope; the child tvb only wraps it and
         * is freed together with parent_tvb when the frame is done. */
        return tvb_new_child_real_data(parent_tvb, rec->plain_data, rec->plain_data_len, rec->plain_data_len);
    }

    return NULL;
}
6538/* Links SSL records with the real packet data. }}} */
6539
6540/* initialize/reset per capture state data (ssl sessions cache). {{{ */
void
ssl_common_init(ssl_master_key_map_t *mk_map,
                StringInfo *decrypted_data, StringInfo *compressed_data)
{
    /* Every map is keyed by a StringInfo (Session ID, Client Random, ...)
     * and is created without destroy functions; ssl_common_cleanup() tears
     * down the tables only. */
    GHashTable **maps[] = {
        &mk_map->session,
        &mk_map->tickets,
        &mk_map->crandom,
        &mk_map->pre_master,
        &mk_map->pms,
        /* TLS 1.3: Client Random -> derived traffic/exporter secrets */
        &mk_map->tls13_client_early,
        &mk_map->tls13_client_handshake,
        &mk_map->tls13_server_handshake,
        &mk_map->tls13_client_appdata,
        &mk_map->tls13_server_appdata,
        &mk_map->tls13_early_exporter,
        &mk_map->tls13_exporter,
        /* Encrypted Client Hello */
        &mk_map->ech_secret,
        &mk_map->ech_config,
        /* Client Randoms recorded by tls_save_crandom() */
        &mk_map->used_crandom,
    };
    for (size_t i = 0; i < sizeof maps / sizeof maps[0]; i++)
        *maps[i] = g_hash_table_new(ssl_hash, ssl_equal);

    /* Scratch buffers for the record decoder; 32 bytes is only the initial
     * capacity. */
    ssl_data_alloc(decrypted_data, 32);
    ssl_data_alloc(compressed_data, 32);
}
6566
void
ssl_common_cleanup(ssl_master_key_map_t *mk_map, FILE **ssl_keylog_file,
                   StringInfo *decrypted_data, StringInfo *compressed_data)
{
    /* The maps were created without key/value destroy functions
     * (ssl_common_init), so only the tables are released here; the
     * StringInfo entries remain owned by whoever allocated them. */
    GHashTable *maps[] = {
        mk_map->session,
        mk_map->tickets,
        mk_map->crandom,
        mk_map->pre_master,
        mk_map->pms,
        mk_map->tls13_client_early,
        mk_map->tls13_client_handshake,
        mk_map->tls13_server_handshake,
        mk_map->tls13_client_appdata,
        mk_map->tls13_server_appdata,
        mk_map->tls13_early_exporter,
        mk_map->tls13_exporter,
        mk_map->ech_secret,
        mk_map->ech_config,
        mk_map->used_crandom,
    };
    for (size_t i = 0; i < sizeof maps / sizeof maps[0]; i++)
        g_hash_table_destroy(maps[i]);

    /* NOTE(review): these buffers held decrypted plaintext. g_free() does not
     * wipe memory, and the data pointers are left dangling until
     * ssl_common_init() allocates fresh ones. */
    g_free(decrypted_data->data);
    g_free(compressed_data->data);

    /* close the previous keylog file now that the cache are cleared, this
     * allows the cache to be filled with the full keylog file contents. */
    if (*ssl_keylog_file != NULL) {
        fclose(*ssl_keylog_file);
        *ssl_keylog_file = NULL;
    }
}
6599/* }}} */
6600
6601/* parse ssl related preferences (private keys and ports association strings) */
6602#if defined(HAVE_LIBGNUTLS1)
6603/* Load a single RSA key file item from preferences. {{{ */
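void
ssl_parse_key_list(const ssldecrypt_assoc_t *uats, GHashTable *key_hash, const char* dissector_table_name, dissector_handle_t main_handle, bool tcp)
{
    gnutls_x509_privkey_t x509_priv_key;
    gnutls_privkey_t priv_key = NULL;
    FILE* fp = NULL;
    int ret;
    size_t key_id_len = 20;
    unsigned char *key_id = NULL;
    char *err = NULL;
    dissector_handle_t handle;
    /* try to load keys file first */
    fp = ws_fopen(uats->keyfile, "rb");
    if (!fp) {
        report_open_failure(uats->keyfile, errno, false);
        return;
    }

    /* An empty password selects a PEM key, anything else a PKCS#12 file. */
    if ((int)strlen(uats->password) == 0) {
        x509_priv_key = rsa_load_pem_key(fp, &err);
    } else {
        x509_priv_key = rsa_load_pkcs12(fp, uats->password, &err);
    }
    fclose(fp);

    if (!x509_priv_key) {
        if (err) {
            report_failure("Can't load private key from %s: %s",
                           uats->keyfile, err);
            g_free(err);
        } else
            report_failure("Can't load private key from %s: unknown error",
                           uats->keyfile);
        return;
    }
    if (err) {
        report_failure("Load of private key from %s \"succeeded\" with error %s",
                       uats->keyfile, err);
        g_free(err);
    }

    /* Check the init result: on failure priv_key stays NULL and must not be
     * handed to gnutls_privkey_import_x509(). */
    ret = gnutls_privkey_init(&priv_key);
    if (ret < 0) {
        report_failure("Can't initialize private key for %s: %s",
                       uats->keyfile, gnutls_strerror(ret));
        priv_key = NULL;
        goto end;
    }
    /* IMPORT_COPY: priv_key gets its own copy, so x509_priv_key is still
     * ours to deinit at 'end' on every path. */
    ret = gnutls_privkey_import_x509(priv_key, x509_priv_key,
                                     GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE|GNUTLS_PRIVKEY_IMPORT_COPY);
    if (ret < 0) {
        report_failure("Can't convert private key %s: %s",
                       uats->keyfile, gnutls_strerror(ret));
        goto end;
    }

    /* The key ID is the hash-table key used to match this private key to a
     * certificate seen in the capture; exactly 20 bytes are expected. */
    key_id = (unsigned char *) g_malloc0(key_id_len);
    ret = gnutls_x509_privkey_get_key_id(x509_priv_key, 0, key_id, &key_id_len);
    if (ret < 0) {
        report_failure("Can't calculate public key ID for %s: %s",
                       uats->keyfile, gnutls_strerror(ret));
        goto end;
    }
    ssl_print_data("KeyID", key_id, key_id_len);
    if (key_id_len != 20) {
        report_failure("Expected Key ID size %u for %s, got %zu", 20,
                       uats->keyfile, key_id_len);
        goto end;
    }

    /* Ownership of key_id and priv_key moves to key_hash; a key with the
     * same ID that was loaded earlier is replaced. */
    g_hash_table_replace(key_hash, key_id, priv_key);
    key_id = NULL; /* used in key_hash, do not free. */
    priv_key = NULL;
    ssl_debug_printf("ssl_init private key file %s successfully loaded.\n", uats->keyfile);

    handle = ssl_find_appdata_dissector(uats->protocol);
    if (handle) {
        /* Port to subprotocol mapping */
        uint16_t port = 0;
        if (ws_strtou16(uats->port, NULL, &port)) {
            if (port > 0) {
                /* NOTE(review): this writes the PKCS#12 password to the SSL
                 * debug file; that file already contains key material, but
                 * users sharing it for troubleshooting should be aware. */
                ssl_debug_printf("ssl_init port '%d' filename '%s' password(only for p12 file) '%s'\n",
                                 port, uats->keyfile, uats->password);

                ssl_association_add(dissector_table_name, main_handle, handle, port, tcp);
            }
        } else {
            if (strcmp(uats->port, "start_tls"))
                ssl_debug_printf("invalid ssl_init_port: %s\n", uats->port);
        }
    }

end:
    /* gnutls_privkey_deinit() and g_free() tolerate NULL, which is what the
     * success path leaves behind after the ownership transfer above. */
    gnutls_x509_privkey_deinit(x509_priv_key);
    gnutls_privkey_deinit(priv_key);
    g_free(key_id);
}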
6695/* }}} */
6696#endif
6697
6698
6699/* Store/load a known (pre-)master secret from/for this SSL session. {{{ */
6700/** store a known (pre-)master secret into cache */
static void
ssl_save_master_key(const char *label, GHashTable *ht, StringInfo *key,
                    StringInfo *mk)
{
    /* Refuse to cache anything under an empty identifier, or an empty
     * secret; either would only pollute the map. */
    if (key->data_len == 0) {
        ssl_debug_printf("%s: not saving empty %s!\n", G_STRFUNC, label);
        return;
    }
    if (mk->data_len == 0) {
        ssl_debug_printf("%s not saving empty (pre-)master secret for %s!\n",
                         G_STRFUNC, label);
        return;
    }

    /* Both key and value are cloned: the caller's StringInfo buffers belong
     * to the session and may be overwritten later. g_hash_table_insert()
     * keeps an already-present key and only replaces the value. */
    StringInfo *cache_key = ssl_data_clone(key);
    StringInfo *cache_value = ssl_data_clone(mk);
    g_hash_table_insert(ht, cache_key, cache_value);

    ssl_debug_printf("%s inserted (pre-)master secret for %s\n", G_STRFUNC, label);
    ssl_print_string("stored key", cache_key);
    ssl_print_string("stored (pre-)master secret", cache_value);
}
6726
6727/** restore a (pre-)master secret given some key in the cache */
static bool
ssl_restore_master_key(SslDecryptSession *ssl, const char *label,
                       bool is_pre_master, GHashTable *ht, StringInfo *key)
{
    const char *kind = is_pre_master ? "pre-" : "";

    if (key->data_len == 0) {
        ssl_debug_printf("%s can't restore %smaster secret using an empty %s\n",
                         G_STRFUNC, kind, label);
        return false;
    }

    StringInfo *secret = (StringInfo *)g_hash_table_lookup(ht, key);
    if (secret == NULL) {
        ssl_debug_printf("%s can't find %smaster secret by %s\n", G_STRFUNC,
                         kind, label);
        return false;
    }

    /* A cached secret supersedes whatever was known before: forget the old
     * (pre-)master secret and any derived session key. */
    ssl->state &= ~(SSL_MASTER_SECRET | SSL_PRE_MASTER_SECRET | SSL_HAVE_SESSION_KEY);

    if (is_pre_master) {
        /* The pre-master secret has no fixed size (48 bytes for RSA, variable
         * for PSK), so it gets a fresh file-scoped buffer; the master secret
         * buffer is statically sized. */
        ssl->pre_master_secret.data = (unsigned char *) wmem_alloc(wmem_file_scope(),
                                                                   secret->data_len);
        ssl_data_set(&ssl->pre_master_secret, secret->data, secret->data_len);
        ssl->state |= SSL_PRE_MASTER_SECRET;
    } else {
        ssl_data_set(&ssl->master_secret, secret->data, secret->data_len);
        ssl->state |= SSL_MASTER_SECRET;
    }

    ssl_debug_printf("%s %smaster secret retrieved using %s\n", G_STRFUNC,
                     kind, label);
    ssl_print_string(label, key);
    ssl_print_string("(pre-)master secret", secret);
    return true;
}
6768/* Store/load a known (pre-)master secret from/for this SSL session. }}} */
6769
6770/* Should be called when all parameters are ready (after ChangeCipherSpec), and
6771 * the decoder should be attempted to be initialized. {{{*/
void
ssl_finalize_decryption(SslDecryptSession *ssl, ssl_master_key_map_t *mk_map)
{
    if (ssl->session.version == TLSV1DOT3_VERSION) {
        /* TLS 1.3 implementations only provide secrets derived from the master
         * secret which are loaded in tls13_change_key. No master secrets can be
         * loaded here, so just return. */
        return;
    }
    ssl_debug_printf("%s state = 0x%02X\n", G_STRFUNC, ssl->state);
    if (ssl->state & SSL_HAVE_SESSION_KEY) {
        ssl_debug_printf(" session key already available, nothing to do.\n");
        return;
    }
    if (!(ssl->state & SSL_CIPHER)) {
        ssl_debug_printf(" Cipher suite (Server Hello) is missing!\n");
        return;
    }

    /* Decryption needs a master secret (or a pre-master secret to derive it
     * from). If the handshake did not provide one, try the caches in order:
     * Session ID, then Session Ticket (only for resumed sessions), then
     * Client Random (keylog file). The first hit wins and the later lookups
     * are skipped. */
    bool have_secret = (ssl->state & (SSL_MASTER_SECRET | SSL_PRE_MASTER_SECRET)) != 0;
    if (!have_secret)
        have_secret = ssl_restore_master_key(ssl, "Session ID", false,
                                             mk_map->session, &ssl->session_id);
    if (!have_secret && ssl->session.is_session_resumed)
        have_secret = ssl_restore_master_key(ssl, "Session Ticket", false,
                                             mk_map->tickets, &ssl->session_ticket);
    if (!have_secret)
        have_secret = ssl_restore_master_key(ssl, "Client Random", false,
                                             mk_map->crandom, &ssl->client_random);

    if (!have_secret) {
        if (ssl->cipher_suite->enc != ENC_NULL) {
            /* how unfortunate, the master secret could not be found */
            ssl_debug_printf(" Cannot find master secret\n");
            return;
        }
        /* A NULL cipher needs no encryption key; MAC keys still get derived. */
        ssl_debug_printf(" Cannot find master secret, continuing anyway "
                         "because of a NULL cipher\n");
    }

    if (ssl_generate_keyring_material(ssl) < 0) {
        ssl_debug_printf("%s can't generate keyring material\n", G_STRFUNC);
        return;
    }

    /* Save Client Random/ Session ID for "SSL Export Session keys" */
    ssl_save_master_key("Client Random", mk_map->crandom,
                        &ssl->client_random, &ssl->master_secret);
    ssl_save_master_key("Session ID", mk_map->session,
                        &ssl->session_id, &ssl->master_secret);
    /* Only save the new secrets if the server sent the ticket. The client
     * ticket might have become stale. */
    if (ssl->state & SSL_NEW_SESSION_TICKET) {
        ssl_save_master_key("Session Ticket", mk_map->tickets,
                            &ssl->session_ticket, &ssl->master_secret);
    }
} /* }}} */
6828
/* Advances the TLS 1.3 key schedule by one stage when no (EC)DHE input is
 * available: PRK' = HKDF-Extract(Derive-Secret(PRK, "derived", ""), 0^len).
 * The new PRK overwrites prk->data in place. Returns false if the label
 * expansion failed (prk is then unchanged). */
static bool
tls13_psk_next_prk(SslDecryptSession *tls, int hash_algo, StringInfo *prk)
{
    const unsigned len = prk->data_len;
    uint8_t zeroes[DIGEST_MAX_SIZE];
    uint8_t *derived;

    if (!tls13_derive_secret(hash_algo, prk, tls13_hkdf_label_prefix(tls),
                             "derived", NULL, 0, len, &derived))
        return false;

    memset(zeroes, 0, len);
    hkdf_extract(hash_algo, derived, len, zeroes, len, prk->data);
    wmem_free(NULL, derived);
    return true;
}

static StringInfo*
tls13_load_secret_from_psk(SslDecryptSession *tls, bool is_from_server,
                           TLSRecordType type)
{
    /* XXX - In addition to an out-of-bound PSK, we could also save the
     * PSK from a NewSessionTicket; we would also need to compute the
     * resumption_master_secret. */
    if (tls->psk.data_len == 0)
        return NULL;

    /* We SHOULD associate each PSK with a hash algorithm (e.g., use
     * a UAT instead of a single global PSK string preference, preferably
     * following RFC 9258.) Failing that, RFC 8864 4.2.1 and 9258 say SHA-256
     * SHOULD be used. We will try the negotiated hash algorithm regardless
     * with the PSK, but fall back to SHA-256 for the Early Secret, since
     * that's before the Server Hello completes negotiation.
     */
    const SslDigestAlgo *dig = ssl_cipher_suite_dig(tls->cipher_suite);
    if (type == TLS_SECRET_0RTT_APP && dig == &digests[DIG_NA - DIG_MD5]) {
        dig = &digests[DIG_SHA256 - DIG_MD5];
        ssl_debug_printf("%s assuming PSK hash function is %s\n", G_STRFUNC, dig->name);
    }

    int hash_algo = ssl_get_digest_by_name(dig->name);
    if (!hash_algo) {
        ssl_debug_printf("%s can't find hash function %s\n", G_STRFUNC, dig->name);
        return NULL;
    }

    /* prk holds the Pseudo Random Key of whichever stage we are at; it is
     * advanced in place by tls13_psk_next_prk(). */
    const unsigned len = dig->len;
    uint8_t prk[DIGEST_MAX_SIZE];
    uint8_t zeroes[DIGEST_MAX_SIZE];
    StringInfo prk_string = { prk, len };
    const char *label;

    /* Early Secret = HKDF-Extract(salt = 0, IKM = PSK) */
    memset(zeroes, 0, len);
    hkdf_extract(hash_algo, zeroes, len, tls->psk.data, tls->psk.data_len, prk);

    if (type == TLS_SECRET_0RTT_APP) {
        DISSECTOR_ASSERT(!is_from_server);
        label = "c e traffic";
    } else {
        /* Handshake Secret [assume no (EC)DHE.] */
        if (!tls13_psk_next_prk(tls, hash_algo, &prk_string))
            return NULL;

        if (type == TLS_SECRET_HANDSHAKE) {
            label = is_from_server ? "s hs traffic" : "c hs traffic";
        } else {
            /* Master Secret */
            if (!tls13_psk_next_prk(tls, hash_algo, &prk_string))
                return NULL;
            label = is_from_server ? "s ap traffic" : "c ap traffic";
        }
    }

    /* XXX - If Encrypted Client Hello was accepted (do client/server pairs
     * support ECHO with psk_ke?) then we should use ech_transcript instead
     * of handshake_data. Perhaps we should consolidate some of that handling,
     * though note that we would have to keep both transcripts around after
     * the ClientHello until the ServerHello indicated whether ECHO was
     * accepted or not. */
    uint8_t *traffic_secret;
    if (!tls13_derive_secret(hash_algo, &prk_string,
                             tls13_hkdf_label_prefix(tls), label,
                             tls->handshake_data.data, tls->handshake_data.data_len,
                             len, &traffic_secret))
        return NULL;

    /* NOTE(review): the intermediate PRKs on the stack and the transient
     * derived buffers are not wiped before going out of scope. */
    StringInfo *secret = wmem_new(wmem_file_scope(), StringInfo);
    secret->data = wmem_memdup(wmem_file_scope(), traffic_secret, len);
    secret->data_len = len;
    wmem_free(NULL, traffic_secret);
    return secret;
}
6917
6918/* Load the traffic key secret from the keylog file. */
StringInfo *
tls13_load_secret(SslDecryptSession *ssl, ssl_master_key_map_t *mk_map,
                  bool is_from_server, TLSRecordType type)
{
    GHashTable *key_map;
    const char *label;

    if (ssl->session.version != TLSV1DOT3_VERSION && ssl->session.version != DTLSV1DOT3_VERSION) {
        ssl_debug_printf("%s TLS version %#x is not 1.3\n", G_STRFUNC, ssl->session.version);
        return NULL;
    }

    /* All TLS 1.3 keylog maps are indexed by the Client Random. */
    if (ssl->client_random.data_len == 0) {
        /* May happen if Hello message is missing and Finished is found. */
        ssl_debug_printf("%s missing Client Random\n", G_STRFUNC);
        return NULL;
    }

    /* Pick the keylog label and the map for this epoch and direction. */
    switch (type) {
    case TLS_SECRET_0RTT_APP:
        DISSECTOR_ASSERT(!is_from_server);
        label = "CLIENT_EARLY_TRAFFIC_SECRET";
        key_map = mk_map->tls13_client_early;
        break;
    case TLS_SECRET_HANDSHAKE:
        label = is_from_server ? "SERVER_HANDSHAKE_TRAFFIC_SECRET"
                               : "CLIENT_HANDSHAKE_TRAFFIC_SECRET";
        key_map = is_from_server ? mk_map->tls13_server_handshake
                                 : mk_map->tls13_client_handshake;
        break;
    case TLS_SECRET_APP:
        label = is_from_server ? "SERVER_TRAFFIC_SECRET_0"
                               : "CLIENT_TRAFFIC_SECRET_0";
        key_map = is_from_server ? mk_map->tls13_server_appdata
                                 : mk_map->tls13_client_appdata;
        break;
    default:
        ws_assert_not_reached();
    }

    /* Transitioning to new keys, mark old ones as unusable. */
    ssl_debug_printf("%s transitioning to new key, old state 0x%02x\n", G_STRFUNC, ssl->state);
    ssl->state &= ~(SSL_MASTER_SECRET | SSL_PRE_MASTER_SECRET | SSL_HAVE_SESSION_KEY);

    StringInfo *secret = (StringInfo *)g_hash_table_lookup(key_map, &ssl->client_random);
    if (secret == NULL) {
        /* No keylog entry; an out-of-band PSK may still allow derivation. */
        secret = tls13_load_secret_from_psk(ssl, is_from_server, type);
        if (secret != NULL) {
            ssl_debug_printf("%s Calculated TLS 1.3 traffic secret from PSK.\n", G_STRFUNC);
            /* Doing this allows us to save the secret as a DSB in a pcapng. */
            g_hash_table_insert(key_map, ssl_data_clone(&ssl->client_random), secret);
        }
    }
    if (secret == NULL) {
        ssl_debug_printf("%s Cannot find %s, decryption impossible\n", G_STRFUNC, label);
        /* Fail closed: drop the decoder for this direction so the previous
         * epoch's keys are never applied to the new records. */
        if (is_from_server)
            ssl->server = NULL;
        else
            ssl->client = NULL;
        return NULL;
    }

    /* TLS 1.3 secret found, set new keys. */
    ssl_debug_printf("%s Retrieved TLS 1.3 traffic secret.\n", G_STRFUNC);
    ssl_print_string("Client Random", &ssl->client_random);
    ssl_print_string(label, secret);
    return secret;
}
6995
6996/* Load the new key. */
void
tls13_change_key(SslDecryptSession *ssl, ssl_master_key_map_t *mk_map,
                 bool is_from_server, TLSRecordType type)
{
    if (ssl->state & SSL_QUIC_RECORD_LAYER) {
        /*
         * QUIC does not use the TLS record layer for message protection.
         * The required keys will be extracted later by QUIC.
         */
        return;
    }

    StringInfo *secret = tls13_load_secret(ssl, mk_map, is_from_server, type);
    if (secret == NULL && type == TLS_SECRET_HANDSHAKE) {
        /*
         * Workaround for when for some reason we don't have the handshake
         * secret but do have the application traffic secret. (#20240)
         * If we can't find the handshake secret, we'll never decrypt the
         * Finished message, so we won't know when to change to the app
         * traffic key, so we do so now.
         */
        type = TLS_SECRET_APP;
        secret = tls13_load_secret(ssl, mk_map, is_from_server, type);
    }
    if (secret == NULL)
        return;

    if (!tls13_generate_keys(ssl, secret, is_from_server))
        return;

    /*
     * Remember the application traffic secret to support Key Update. The
     * other secrets cannot be used for this purpose, so free them.
     */
    SslDecoder *decoder = is_from_server ? ssl->server : ssl->client;
    StringInfo *app_secret = &decoder->app_traffic_secret;
    if (type != TLS_SECRET_APP) {
        wmem_free(wmem_file_scope(), app_secret->data);
        app_secret->data = NULL;
        app_secret->data_len = 0;
        return;
    }
    app_secret->data = (unsigned char *) wmem_realloc(wmem_file_scope(),
                                                      app_secret->data,
                                                      secret->data_len);
    ssl_data_set(app_secret, secret->data, secret->data_len);
}
7047
7048/**
7049 * Update to next application data traffic secret for TLS 1.3. The previous
7050 * secret should have been set by tls13_change_key.
7051 */
void
tls13_key_update(SslDecryptSession *ssl, bool is_from_server)
{
    /* RFC 8446 Section 7.2:
     *  application_traffic_secret_N+1 =
     *      HKDF-Expand-Label(application_traffic_secret_N,
     *                        "traffic upd", "", Hash.length)
     *
     * Both application_traffic_secret_N are of the same length (Hash.length).
     */
    const SslCipherSuite *cipher_suite = ssl->cipher_suite;
    SslDecoder *decoder = is_from_server ? ssl->server : ssl->client;
    StringInfo *app_secret = decoder ? &decoder->app_traffic_secret : NULL;
    const uint8_t draft = ssl->session.tls13_draft_version;

    /* The previous application traffic secret must have been stored by
     * tls13_change_key(); without it (or a cipher) nothing can be derived. */
    if (cipher_suite == NULL || app_secret == NULL || app_secret->data_len == 0) {
        ssl_debug_printf("%s Cannot perform Key Update due to missing info\n", G_STRFUNC);
        return;
    }

    const int hash_algo = ssl_get_digest_by_name(ssl_cipher_suite_dig(cipher_suite)->name);
    const unsigned secret_len = app_secret->data_len;
    /* Drafts before 20 used a different label for the update. */
    const char *label = (draft && draft < 20) ? "application traffic secret" : "traffic upd";
    unsigned char *next_secret;

    if (!tls13_hkdf_expand_label(hash_algo, app_secret,
                                 tls13_hkdf_label_prefix(ssl),
                                 label, secret_len, &next_secret)) {
        ssl_debug_printf("%s traffic_secret_N+1 expansion failed\n", G_STRFUNC);
        return;
    }

    /* Store secret_N+1 on the current decoder before deriving keys. */
    ssl_data_set(app_secret, next_secret, secret_len);
    if (tls13_generate_keys(ssl, app_secret, is_from_server)) {
        /* The decoder for this direction is re-fetched because
         * tls13_generate_keys() presumably installs a new one; remember the
         * secret there so another Key Update can follow. */
        decoder = is_from_server ? ssl->server : ssl->client;
        app_secret = &decoder->app_traffic_secret;
        app_secret->data = (unsigned char *) wmem_realloc(wmem_file_scope(),
                                                          app_secret->data,
                                                          secret_len);
        ssl_data_set(app_secret, next_secret, secret_len);
    }
    wmem_free(NULL, next_secret);
}
7105
void
tls_save_crandom(SslDecryptSession *ssl, ssl_master_key_map_t *mk_map)
{
    /* Nothing to record without a session, or before a Client Random has
     * been seen (SSL_CLIENT_RANDOM not set). */
    if (ssl == NULL || !(ssl->state & SSL_CLIENT_RANDOM))
        return;
    /* Set semantics: a clone of the Client Random is the key itself. */
    g_hash_table_add(mk_map->used_crandom, ssl_data_clone(&ssl->client_random));
}
7113
7114/** SSL keylog file handling. {{{ */
7115
static GRegex *
ssl_compile_keyfile_regex(void)
{
#define OCTET "(?:[[:xdigit:]]{2})"
    const char *pattern =
        "(?:"
        /* Matches Client Hellos having this Client Random */
        "PMS_CLIENT_RANDOM (?<client_random_pms>" OCTET "{32}) "
        /* Matches first part of encrypted RSA pre-master secret */
        "|RSA (?<encrypted_pmk>" OCTET "{8}) "
        /* Pre-Master-Secret is given, it is 48 bytes for RSA,
           but it can be of any length for DHE */
        ")(?<pms>" OCTET "+)"
        "|(?:"
        /* Matches Server Hellos having a Session ID */
        "RSA Session-ID:(?<session_id>" OCTET "+) Master-Key:"
        /* Matches Client Hellos having this Client Random */
        "|CLIENT_RANDOM (?<client_random>" OCTET "{32}) "
        /* Master-Secret is given, its length is fixed */
        ")(?<master_secret>" OCTET "{" G_STRINGIFY(SSL_MASTER_SECRET_LENGTH) "})"
        "|(?"
        /* TLS 1.3 Client Random to Derived Secrets mapping. */
        ":CLIENT_EARLY_TRAFFIC_SECRET (?<client_early>" OCTET "{32})"
        "|CLIENT_HANDSHAKE_TRAFFIC_SECRET (?<client_handshake>" OCTET "{32})"
        "|SERVER_HANDSHAKE_TRAFFIC_SECRET (?<server_handshake>" OCTET "{32})"
        "|CLIENT_TRAFFIC_SECRET_0 (?<client_appdata>" OCTET "{32})"
        "|SERVER_TRAFFIC_SECRET_0 (?<server_appdata>" OCTET "{32})"
        "|EARLY_EXPORTER_SECRET (?<early_exporter>" OCTET "{32})"
        "|EXPORTER_SECRET (?<exporter>" OCTET "{32})"
        /* ECH. Secret length is defined by HPKE KEM Nsecret and can vary between 32 and 64 bytes */
        /* These labels and their notation are specified in draft-ietf-tls-ech-keylogfile-01 */
        "|ECH_SECRET (?<ech_secret>" OCTET "{32,64})"
        "|ECH_CONFIG (?<ech_config>" OCTET "{22,})"
        ") (?<derived_secret>" OCTET "+)";
#undef OCTET
    static GRegex *regex = NULL;

    /* Compiled once and cached for the lifetime of the process. A failed
     * compile leaves regex NULL, so the next call retries (and logs again). */
    if (regex != NULL)
        return regex;

    GError *gerr = NULL;
    /* RAW: keylog bytes are matched as-is rather than as UTF-8.
     * ANCHORED: a line must match from its first byte. */
    regex = g_regex_new(pattern,
                        (GRegexCompileFlags)(G_REGEX_OPTIMIZE | G_REGEX_ANCHORED | G_REGEX_RAW),
                        G_REGEX_MATCH_ANCHORED, &gerr);
    if (gerr != NULL) {
        ssl_debug_printf("%s failed to compile regex: %s\n", G_STRFUNC,
                         gerr->message);
        g_error_free(gerr);
        regex = NULL;
    }

    return regex;
}
7168
/* Pairs a named capture group of the key log regex with the hash table that
 * receives the (key, secret) entry when that group matches a line. */
typedef struct ssl_master_key_match_group {
    const char *re_group_name;   /* named group, see ssl_compile_keyfile_regex() */
    GHashTable *master_key_ht;   /* destination table taken from ssl_master_key_map_t */
} ssl_master_key_match_group_t;
7173
/**
 * Parse key log text and store every recognized secret in the matching
 * hash table of @p mk_map.
 *
 * @param mk_map  Destination tables, one per key log record type.
 * @param data    Key log text; it need not be NUL-terminated.
 * @param datalen Number of bytes in @p data.
 *
 * Records are LF-separated (a preceding CR is dropped) and have one of the
 * following forms, each "xxxx yyyy" pair being hex-encoded:
 *
 * - "RSA xxxx yyyy": xxxx = first 8 bytes of the encrypted pre-master
 *   secret, yyyy = cleartext pre-master secret (original format, bug 4349).
 * - "RSA Session-ID:xxxx Master-Key:yyyy": xxxx = SSL session ID,
 *   yyyy = cleartext master secret (openssl s_client output; the "RSA"
 *   prefix is a misnomer, nothing here is RSA specific).
 * - "PMS_CLIENT_RANDOM xxxx yyyy": xxxx = client_random from the
 *   ClientHello, yyyy = cleartext pre-master secret (for sessions where the
 *   PMS is known but the MS could not be recovered).
 * - "CLIENT_RANDOM xxxx yyyy": xxxx = client_random, yyyy = cleartext
 *   master secret (covers non-RSA key exchanges such as ECDHE-RSA).
 * - "CLIENT_EARLY_TRAFFIC_SECRET", "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
 *   "SERVER_HANDSHAKE_TRAFFIC_SECRET", "CLIENT_TRAFFIC_SECRET_0",
 *   "SERVER_TRAFFIC_SECRET_0", "EARLY_EXPORTER_SECRET", "EXPORTER_SECRET",
 *   each followed by "xxxx yyyy": xxxx = client_random, yyyy = the derived
 *   TLS 1.3 secret (BoringSSL, OpenSSL, etc.; see bug 12779).
 * - "ECH_SECRET xxxx yyyy" / "ECH_CONFIG xxxx yyyy": ECH keys, see the
 *   regex in ssl_compile_keyfile_regex().
 *
 * Keys and secrets are decoded into file-scoped StringInfo objects that are
 * owned by the hash table afterwards. Lines starting with '#' are comments;
 * any other unmatched line is only logged.
 */
void
tls_keylog_process_lines(const ssl_master_key_map_t *mk_map, const uint8_t *data, unsigned datalen)
{
    /* Identifying capture group -> destination table. The first non-empty
     * group decides where the record is stored. */
    const ssl_master_key_match_group_t mk_groups[] = {
        { "encrypted_pmk", mk_map->pre_master },
        { "session_id", mk_map->session },
        { "client_random", mk_map->crandom },
        { "client_random_pms", mk_map->pms },
        /* TLS 1.3 map from Client Random to derived secret. */
        { "client_early", mk_map->tls13_client_early },
        { "client_handshake", mk_map->tls13_client_handshake },
        { "server_handshake", mk_map->tls13_server_handshake },
        { "client_appdata", mk_map->tls13_client_appdata },
        { "server_appdata", mk_map->tls13_server_appdata },
        { "early_exporter", mk_map->tls13_early_exporter },
        { "exporter", mk_map->tls13_exporter },
        { "ech_secret", mk_map->ech_secret },
        { "ech_config", mk_map->ech_config },
    };
    /* Capture groups that hold the secret itself, in order of preference:
     * master secret, then pre-master secret, then a TLS 1.3 derived secret. */
    static const char *const secret_groups[] = {
        "master_secret", "pms", "derived_secret",
    };

    GRegex *regex = ssl_compile_keyfile_regex();
    if (!regex)
        return;

    const char *cursor = (const char *)data;
    const char *end = cursor + datalen;
    while (cursor && cursor < end) {
        const char *line = cursor;
        const char *lf = memchr(line, '\n', end - line);
        ssize_t linelen = lf ? (ssize_t)(lf - line) : (ssize_t)(end - line);

        /* Continue after the LF; a NULL cursor ends the loop when the last
         * line has no terminator. */
        cursor = lf ? lf + 1 : NULL;
        if (linelen > 0 && line[linelen - 1] == '\r')
            linelen--; /* tolerate CRLF line endings */

        ssl_debug_printf(" checking keylog line: %.*s\n", (int)linelen, line);
        GMatchInfo *mi;
        if (!g_regex_match_full(regex, line, linelen, 0, G_REGEX_MATCH_ANCHORED, &mi, NULL)) {
            if (linelen > 0 && line[0] != '#')
                ssl_debug_printf(" unrecognized line\n");
            /* GMatchInfo is allocated even when nothing matched. */
            g_match_info_free(mi);
            continue;
        }

        /* Pick the first non-empty secret group; an empty candidate is freed
         * before the next one is fetched (g_free(NULL) is a no-op). */
        char *hex_secret = NULL;
        for (unsigned i = 0; i < G_N_ELEMENTS(secret_groups); i++) {
            g_free(hex_secret);
            hex_secret = g_match_info_fetch_named(mi, secret_groups[i]);
            if (hex_secret && *hex_secret)
                break;
        }
        /* Every alternative of the regex captures exactly one of these groups. */
        DISSECTOR_ASSERT(hex_secret && strlen(hex_secret));

        /* convert from hex to bytes; the StringInfo lives as long as the capture file */
        StringInfo *secret = wmem_new(wmem_file_scope(), StringInfo);
        from_hex(secret, hex_secret, strlen(hex_secret));
        g_free(hex_secret);

        /* Find the lookup key from any format (CLIENT_RANDOM, SID, ...) */
        StringInfo *key = wmem_new(wmem_file_scope(), StringInfo);
        GHashTable *ht = NULL;
        for (unsigned i = 0; i < G_N_ELEMENTS(mk_groups) && ht == NULL; i++) {
            char *hex_key = g_match_info_fetch_named(mi, mk_groups[i].re_group_name);
            if (hex_key && *hex_key) {
                ssl_debug_printf(" matched %s\n", mk_groups[i].re_group_name);
                from_hex(key, hex_key, strlen(hex_key));
                ht = mk_groups[i].master_key_ht;
            }
            g_free(hex_key);
        }
        DISSECTOR_ASSERT(ht); /* Cannot be reached, or regex is wrong. */

        g_hash_table_insert(ht, key, secret);
        g_match_info_free(mi);
    }
}
7305
/**
 * Read newly available records from the configured key log file and hand
 * them to tls_keylog_process_lines().
 *
 * @param tls_keylog_filename Value of the dtls/tls.keylog_file preference;
 *                            NULL or "" means no key log is configured.
 * @param keylog_file         In/out handle kept open across calls so that
 *                            records appended later can be read; reset to
 *                            NULL when the file was replaced or a read
 *                            error occurred.
 * @param mk_map              Destination tables for the parsed secrets.
 */
void
ssl_load_keyfile(const char *tls_keylog_filename, FILE **keylog_file,
                 const ssl_master_key_map_t *mk_map)
{
    if (tls_keylog_filename == NULL || *tls_keylog_filename == '\0') {
        ssl_debug_printf("%s dtls/tls.keylog_file is not configured!\n",
                         G_STRFUNC);
        return;
    }

    /* Without a usable regex no line could ever be matched. */
    if (ssl_compile_keyfile_regex() == NULL)
        return;

    ssl_debug_printf("trying to use TLS keylog in %s\n", tls_keylog_filename);

    /* A deleted or replaced file is closed and reopened under the same name. */
    FILE *fp = *keylog_file;
    if (fp && file_needs_reopen(ws_fileno(fp), tls_keylog_filename)) {
        ssl_debug_printf("%s file got deleted, trying to re-open\n", G_STRFUNC);
        fclose(fp);
        fp = NULL;
        *keylog_file = NULL;
    }

    if (fp == NULL) {
        fp = ws_fopen(tls_keylog_filename, "r");
        *keylog_file = fp;
        if (fp == NULL) {
            ssl_debug_printf("%s failed to open SSL keylog\n", G_STRFUNC);
            return;
        }
    }

    /* Each fgets() result is parsed on its own, so a record longer than
     * sizeof(buf) - 1 bytes arrives in more than one piece. */
    char buf[1110];
    while (fgets(buf, sizeof(buf), fp) != NULL) {
        tls_keylog_process_lines(mk_map, (uint8_t *)buf, (int)strlen(buf));
    }

    if (feof(fp)) {
        /* Clear EOF so that keys appended later can still be read. */
        clearerr(fp);
    } else if (ferror(fp)) {
        ssl_debug_printf("%s Error while reading key log file, closing it!\n", G_STRFUNC);
        fclose(fp);
        *keylog_file = NULL;
    }
}
7356/** SSL keylog file handling. }}} */
7357
7358#ifdef SSL_DECRYPT_DEBUG /* {{{ */
7359
/* Destination of ssl_debug_printf()/ssl_print_data(); NULL disables output.
 * Selected by ssl_set_debug(). */
static FILE* ssl_debug_file;
7361
/**
 * Select where SSL debug output goes.
 *
 * @param name NULL or "" disables logging, SSL_DEBUG_USE_STDERR selects
 *             stderr, any other value is a path opened for writing.
 *
 * A debug file opened by a previous call is closed first; stderr is never
 * closed. A short banner with library versions is written afterwards.
 */
void
ssl_set_debug(const char* name)
{
    static int debug_file_must_be_closed;
    int use_stderr = 0;

    if (name != NULL)
        use_stderr = (strcmp(name, SSL_DEBUG_USE_STDERR) == 0);

    if (debug_file_must_be_closed)
        fclose(ssl_debug_file);

    if (use_stderr) {
        ssl_debug_file = stderr;
    } else if (name == NULL || *name == '\0') {
        ssl_debug_file = NULL;
    } else {
        ssl_debug_file = ws_fopen(name, "w");
    }

    /* Only a file we opened ourselves is ours to close on the next call. */
    debug_file_must_be_closed = (!use_stderr && ssl_debug_file != NULL);

    ssl_debug_printf("Wireshark SSL debug log \n\n");
#ifdef HAVE_LIBGNUTLS
    ssl_debug_printf("GnuTLS version: %s\n", gnutls_check_version(NULL));
#endif
    ssl_debug_printf("Libgcrypt version: %s\n", gcry_check_version(NULL));
    ssl_debug_printf("\n");
}
7392
/** Flush buffered SSL debug output; a no-op when no debug file is open. */
void
ssl_debug_flush(void)
{
    if (ssl_debug_file == NULL)
        return;
    fflush(ssl_debug_file);
}
7399
/**
 * printf-style write to the SSL debug file.
 *
 * @param fmt printf format string; the remaining arguments match it.
 *
 * Does nothing when no debug file has been selected via ssl_set_debug().
 */
void
ssl_debug_printf(const char* fmt, ...)
{
    if (ssl_debug_file == NULL)
        return;

    va_list args;
    va_start(args, fmt);
    vfprintf(ssl_debug_file, fmt, args);
    va_end(args);
}
7412
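/**
 * Write a hex dump of @p data to the SSL debug file: 16 bytes per row, hex
 * column followed by an ASCII column in which non-printable bytes and TAB
 * are shown as '.'.
 *
 * @param name Label printed on the header line.
 * @param data Bytes to dump.
 * @param len  Number of bytes in @p data.
 *
 * Does nothing when no debug file has been selected via ssl_set_debug().
 */
void
ssl_print_data(const char* name, const unsigned char* data, size_t len)
{
    size_t i, j, k;
    if (!ssl_debug_file)
        return;
    /* %zu prints the whole size_t instead of truncating it to int. */
    fprintf(ssl_debug_file,"%s[%zu]:\n",name, len);
    for (i=0; i<len; i+=16) {
        fprintf(ssl_debug_file,"| ");
        for (j=i, k=0; k<16 && j<len; ++j, ++k)
            fprintf(ssl_debug_file,"%.2x ",data[j]);
        /* Pad a short last row with the width of one "%.2x " cell per
         * missing byte so the ASCII column stays aligned. */
        for (; k<16; ++k)
            fprintf(ssl_debug_file,"   ");
        fputc('|', ssl_debug_file);
        for (j=i, k=0; k<16 && j<len; ++j, ++k) {
            unsigned char c = data[j];
            if (!g_ascii_isprint(c) || (c=='\t')) c = '.';
            fputc(c, ssl_debug_file);
        }
        for (; k<16; ++k)
            fputc(' ', ssl_debug_file);
        fprintf(ssl_debug_file,"|\n");
    }
}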
7437
/** Hex-dump the contents of a StringInfo through ssl_print_data(). */
void
ssl_print_string(const char* name, const StringInfo* data)
{
    const unsigned char *bytes = data->data;
    size_t nbytes = data->data_len;
    ssl_print_data(name, bytes, nbytes);
}
7443#endif /* SSL_DECRYPT_DEBUG }}} */
7444
7445/* UAT preferences callbacks. {{{ */
7446/* checks for SSL and DTLS UAT key list fields */
7447
/* UAT field check for the IP address column: every value is accepted and
 * no error is reported. */
bool
ssldecrypt_uat_fld_ip_chk_cb(void* r _U_, const char* p _U_, unsigned len _U_, const void* u1 _U_, const void* u2 _U_, char** err)
{
    // This should be removed in favor of Decode As. Make it optional.
    *err = NULL;
    return true;
}
7455
/* UAT field check for the port column: an empty value and the keyword
 * "start_tls" are accepted; anything else must parse as a 16-bit port. */
bool
ssldecrypt_uat_fld_port_chk_cb(void* r _U_, const char* p, unsigned len _U_, const void* u1 _U_, const void* u2 _U_, char** err)
{
    *err = NULL;

    // This should be removed in favor of Decode As. Make it optional.
    if (p == NULL || *p == '\0')
        return true;

    if (strcmp(p, "start_tls") == 0)
        return true;

    uint16_t port;
    if (ws_strtou16(p, NULL, &port))
        return true;

    *err = g_strdup("Invalid port given.");
    return false;
}
7476
/* UAT field check for the key file column: the path must be non-empty and
 * stat()-able. Readability of the file itself is not checked here. */
bool
ssldecrypt_uat_fld_fileopen_chk_cb(void* r _U_, const char* p, unsigned len _U_, const void* u1 _U_, const void* u2 _U_, char** err)
{
    if (p == NULL || *p == '\0') {
        *err = g_strdup("No filename given.");
        return false;
    }

    ws_statb64 st;
    if (ws_stat64(p, &st) != 0) {
        /* A failing stat covers both a missing file and missing permissions. */
        *err = ws_strdup_printf("File '%s' does not exist or access is denied.", p);
        return false;
    }

    *err = NULL;
    return true;
}
7495
/* UAT field check for the password column: when a password is given, the
 * key file of the row must open and load as PKCS#12 with that password.
 * Without GnuTLS the check always fails, since key files cannot be used. */
bool
ssldecrypt_uat_fld_password_chk_cb(void *r _U_, const char *p _U_, unsigned len _U_, const void *u1 _U_, const void *u2 _U_, char **err)
{
#if defined(HAVE_LIBGNUTLS)
    const ssldecrypt_assoc_t *f = (const ssldecrypt_assoc_t *)r;

    /* No password given: nothing to verify. */
    if (p == NULL || *p == '\0') {
        *err = NULL;
        return true;
    }

    FILE *fp = ws_fopen(f->keyfile, "rb");
    if (fp == NULL) {
        *err = ws_strdup_printf("Leave this field blank if the keyfile is not PKCS#12.");
        return false;
    }

    /* rsa_load_pkcs12() may hand back a message in msg; it is freed on both paths. */
    char *msg = NULL;
    gnutls_x509_privkey_t priv_key = rsa_load_pkcs12(fp, p, &msg);
    if (priv_key == NULL) {
        fclose(fp);
        *err = ws_strdup_printf("Could not load PKCS#12 key file: %s", msg);
        g_free(msg);
        return false;
    }
    g_free(msg);
    gnutls_x509_privkey_deinit(priv_key);
    fclose(fp);

    *err = NULL;
    return true;
#else
    *err = g_strdup("Cannot load key files, support is not compiled in.");
    return false;
#endif
}
7530/* UAT preferences callbacks. }}} */
7531
7532/** maximum size of ssl_association_info() string */
7533#define SSL_ASSOC_MAX_LEN8192 8192
7534
/* Accumulator handed to dissector_table_foreach_handle() by
 * ssl_association_info(). */
typedef struct ssl_association_info_callback_data
{
    char *str;                    /* SSL_ASSOC_MAX_LEN byte buffer, appended to per handle */
    const char *table_protocol;   /* set by ssl_association_info(); not read by the callback */
} ssl_association_info_callback_data_t;
7540
/**
 * dissector_table_foreach_handle() callback used by ssl_association_info():
 * appends one "'name' (description)" line per handle to the shared buffer.
 * Output beyond SSL_ASSOC_MAX_LEN is silently truncated by snprintf().
 */
static void
ssl_association_info_(const char *table _U_, void *handle, void *user_data)
{
    ssl_association_info_callback_data_t *data = user_data;
    dissector_handle_t dh = (dissector_handle_t)handle;
    size_t used = strlen(data->str);

    snprintf(data->str + used, SSL_ASSOC_MAX_LEN - used, "'%s' (%s)\n",
             dissector_handle_get_dissector_name(dh),
             dissector_handle_get_description(dh));
}
7551
/**
 * Build a human-readable list of the dissectors registered in a table.
 *
 * @param dissector_table_name Dissector table to walk.
 * @param table_protocol       Stored in the callback data; the callback
 *                             itself does not read it.
 * @return g_malloc0()'d string of at most SSL_ASSOC_MAX_LEN bytes, one
 *         "'name' (description)" line per handle. The caller must g_free() it.
 */
char*
ssl_association_info(const char* dissector_table_name, const char* table_protocol)
{
    ssl_association_info_callback_data_t data = {
        .str = g_malloc0(SSL_ASSOC_MAX_LEN),
        .table_protocol = table_protocol,
    };
    dissector_table_foreach_handle(dissector_table_name, ssl_association_info_, &data);
    return data.str;
}
7565
7566
7567/** Begin of code related to dissection of wire data. */
7568
7569/* Helpers for dissecting Variable-Length Vectors. {{{ */
/**
 * Read the length prefix of a TLS variable-length vector and check it
 * against the enclosing buffer.
 *
 * The prefix width (1..4 bytes) is the smallest that can hold @p max_value.
 * A length outside [min_value, max_value] only raises expert info; a length
 * that would run past @p offset_end is clamped to the available bytes.
 *
 * @param offset      Position of the length prefix.
 * @param offset_end  End of the enclosing structure.
 * @param ret_length  Receives the (possibly clamped) vector length, or 0
 *                    when the prefix itself could not be read.
 * @param hf_length   Header field for the length prefix item.
 * @return true when the complete vector fits in the buffer; false when the
 *         caller must not assume @p *ret_length describes complete data.
 */
bool
ssl_add_vector(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
               unsigned offset, unsigned offset_end, uint32_t *ret_length,
               int hf_length, uint32_t min_value, uint32_t max_value)
{
    DISSECTOR_ASSERT_CMPUINT(min_value, <=, max_value);

    if (offset > offset_end) {
        expert_add_info_format(pinfo, tree, &hf->ei.malformed_buffer_too_small,
                               "Vector offset is past buffer end offset (%u > %u)",
                               offset, offset_end);
        *ret_length = 0;
        return false; /* Cannot read length. */
    }

    /* Prefix width: smallest number of bytes that can hold max_value. */
    const unsigned prefix_size = (max_value > 0xffffff) ? 4
                               : (max_value > 0xffff)   ? 3
                               : (max_value > 0xff)     ? 2
                                                        : 1;

    const unsigned remaining = offset_end - offset;
    if (remaining < prefix_size) {
        proto_tree_add_expert_format(tree, pinfo, &hf->ei.malformed_buffer_too_small,
                                     tvb, offset, remaining,
                                     "No more room for vector of length %u",
                                     prefix_size);
        *ret_length = 0;
        return false; /* Cannot read length. */
    }

    uint32_t length = 0;
    proto_item *pi = proto_tree_add_item_ret_uint(tree, hf_length, tvb, offset, prefix_size,
                                                  ENC_BIG_ENDIAN, &length);
    offset += prefix_size;

    /* Range violations are reported but do not stop dissection. */
    if (length < min_value) {
        expert_add_info_format(pinfo, pi, &hf->ei.malformed_vector_length,
                               "Vector length %u is smaller than minimum %u",
                               length, min_value);
    } else if (length > max_value) {
        expert_add_info_format(pinfo, pi, &hf->ei.malformed_vector_length,
                               "Vector length %u is larger than maximum %u",
                               length, max_value);
    }

    /* Never let the vector extend beyond the enclosing structure. */
    const unsigned payload_room = offset_end - offset;
    if (payload_room < length) {
        expert_add_info_format(pinfo, pi, &hf->ei.malformed_buffer_too_small,
                               "Vector length %u is too large, truncating it to %u",
                               length, payload_room);
        *ret_length = payload_room;
        return false; /* Length is truncated to avoid overflow. */
    }

    *ret_length = length;
    return true; /* Length is OK. */
}
7631
/**
 * Verify that a vector was consumed exactly up to @p offset_end.
 *
 * @return true when @p offset equals @p offset_end; false, with expert
 *         info added, for trailing unprocessed bytes or for an offset that
 *         overshot the end (the latter indicates a dissector bug).
 */
bool
ssl_end_vector(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
               unsigned offset, unsigned offset_end)
{
    if (offset == offset_end)
        return true; /* OK, offset matches. */

    if (offset > offset_end) {
        /* The dissector read more than the vector contained. */
        unsigned excess = offset - offset_end;
        proto_tree_add_expert_format(tree, pinfo, &hf->ei.malformed_buffer_too_small,
                                     tvb, offset_end, excess,
                                     "Dissector processed too much data (%u byte%s)",
                                     excess, plurality(excess, "", "s"));
        return false; /* overflow error */
    }

    unsigned trailing = offset_end - offset;
    proto_tree_add_expert_format(tree, pinfo, &hf->ei.malformed_trailing_data,
                                 tvb, offset, trailing,
                                 "%u trailing byte%s unprocessed",
                                 trailing, plurality(trailing, " was", "s were"));
    return false; /* unprocessed data warning */
}
7658/** }}} */
7659
7660
7661static uint32_t
7662ssl_dissect_digitally_signed(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
7663 proto_tree *tree, uint32_t offset, uint32_t offset_end,
7664 uint16_t version, int hf_sig_len, int hf_sig);
7665
/* change_cipher_spec(20) dissection.
 *
 * Records the frame of the first CCS per direction and, for the server side,
 * logs and flags session resumption. ssl may be NULL when no decryption
 * state exists for the session. */
void
ssl_dissect_change_cipher_spec(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                               packet_info *pinfo, proto_tree *tree,
                               uint32_t offset, SslSession *session,
                               bool is_from_server,
                               const SslDecryptSession *ssl)
{
    /*
     * struct {
     *     enum { change_cipher_spec(1), (255) } type;
     * } ChangeCipherSpec;
     */
    proto_item_set_text(tree,
            "%s Record Layer: %s Protocol: Change Cipher Spec",
            val_to_str_const(session->version, ssl_version_short_names, "SSL"),
            val_to_str_const(SSL_ID_CHG_CIPHER_SPEC, ssl_31_content_type, "unknown"));
    proto_item *ti = proto_tree_add_item(tree, hf->hf.change_cipher_spec, tvb, offset, 1, ENC_NA);

    /* CCS is a dummy message in TLS 1.3, do not parse it further. */
    if (session->version == TLSV1DOT3_VERSION)
        return;

    /* Remember frame number of first CCS */
    uint32_t *ccs_frame = is_from_server ? &session->server_ccs_frame : &session->client_ccs_frame;
    if (*ccs_frame == 0)
        *ccs_frame = pinfo->num;

    if (!is_from_server)
        return;

    /* Use heuristics to detect an abbreviated handshake, assume that missing
     * ServerHelloDone implies reusing previously negotiating keys. Then when
     * a Session ID or ticket is present, it must be a resumed session.
     * Normally this should be done at the Finished message, but that may be
     * encrypted so we do it here, at the last cleartext message. */
    if (ssl) {
        if (!session->is_session_resumed) {
            ssl_debug_printf("%s Not using Session resumption\n", G_STRFUNC);
        } else if (ssl->session_ticket.data_len) {
            ssl_debug_printf("%s Session resumption using %s\n", G_STRFUNC, "Session Ticket");
        } else if (ssl->session_id.data_len) {
            ssl_debug_printf("%s Session resumption using %s\n", G_STRFUNC, "Session ID");
        } else {
            /* Can happen if the capture somehow starts in the middle */
            ssl_debug_printf("%s No Session resumption, missing packets?\n", G_STRFUNC);
        }
    }
    if (session->is_session_resumed)
        expert_add_info(pinfo, ti, &hf->ei.resumed);
}
7722
7723/** Begin of handshake(22) record dissections */
7724
/* Dissects a SignatureScheme (TLS 1.3) or SignatureAndHashAlgorithm (TLS 1.2).
 * The two bytes at offset are shown both as a whole and split into the
 * TLS 1.2 hash/signature pair; the item label falls back to the TLS 1.2
 * names when the value is not a known TLS 1.3 SignatureScheme.
 * {{{ */
static void
tls_dissect_signature_algorithm(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree, uint32_t offset, ja4_data_t *ja4_data)
{
    uint32_t scheme;
    proto_item *ti = proto_tree_add_item_ret_uint(tree, hf->hf.hs_sig_hash_alg, tvb,
                                                  offset, 2, ENC_BIG_ENDIAN, &scheme);
    if (ja4_data)
        wmem_list_append(ja4_data->sighash_list, GUINT_TO_POINTER(scheme));

    proto_tree *subtree = proto_item_add_subtree(ti, hf->ett.hs_sig_hash_alg);

    /* TLS 1.2: SignatureAndHashAlgorithm { hash, signature } */
    uint32_t hash_alg, sig_alg;
    proto_tree_add_item_ret_uint(subtree, hf->hf.hs_sig_hash_hash, tvb,
                                 offset, 1, ENC_BIG_ENDIAN, &hash_alg);
    proto_tree_add_item_ret_uint(subtree, hf->hf.hs_sig_hash_sig, tvb,
                                 offset + 1, 1, ENC_BIG_ENDIAN, &sig_alg);

    /* No TLS 1.3 SignatureScheme? Fallback to TLS 1.2 interpretation. */
    if (try_val_to_str(scheme, tls13_signature_algorithm) == NULL) {
        proto_item_set_text(ti, "Signature Algorithm: %s %s (0x%04x)",
                            val_to_str_const(hash_alg, tls_hash_algorithm, "Unknown"),
                            val_to_str_const(sig_alg, tls_signature_algorithm, "Unknown"),
                            scheme);
    }
} /* }}} */
7756
/* Dissect a list of signature/hash algorithms and return the offset after
 * it. Used for the signature_algorithms extension and for the TLS 1.2
 * CertificateRequest. On a bad length prefix the whole remaining buffer is
 * skipped. {{{ */
static int
ssl_dissect_hash_alg_list(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree,
                          packet_info* pinfo, uint32_t offset, uint32_t offset_end, ja4_data_t *ja4_data)
{
    /* https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1
     * struct {
     *     HashAlgorithm hash;
     *     SignatureAlgorithm signature;
     * } SignatureAndHashAlgorithm;
     * SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2>;
     */
    unsigned list_length;
    if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &list_length,
                        hf->hf.hs_sig_hash_alg_len, 2, UINT16_MAX - 1)) {
        return offset_end;
    }
    offset += 2;
    const uint32_t list_end = offset + list_length;

    const unsigned count = list_length / 2;
    proto_item *ti = proto_tree_add_none_format(tree, hf->hf.hs_sig_hash_algs, tvb, offset, list_length,
                                                "Signature Hash Algorithms (%u algorithm%s)",
                                                count, plurality(count, "", "s"));
    proto_tree *subtree = proto_item_add_subtree(ti, hf->ett.hs_sig_hash_algs);

    /* Two bytes per entry; an odd trailing byte is reported by ssl_end_vector(). */
    for (; offset + 2 <= list_end; offset += 2)
        tls_dissect_signature_algorithm(hf, tvb, subtree, offset, ja4_data);

    if (!ssl_end_vector(hf, tvb, pinfo, subtree, offset, list_end))
        offset = list_end;

    return offset;
} /* }}} */
7800
/* Dissection of DistinguishedName (for CertificateRequest and
 * certificate_authorities extension). Returns the offset after the list,
 * or the end of the list when it is truncated or capped. {{{ */
static uint32_t
tls_dissect_certificate_authorities(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                                    proto_tree *tree, uint32_t offset, uint32_t offset_end)
{
    uint32_t dnames_length;

    /* Note: minimum length is 0 for TLS 1.1/1.2 and 3 for earlier/later */
    /* DistinguishedName certificate_authorities<0..2^16-1> */
    if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &dnames_length,
                        hf->hf.hs_dnames_len, 0, UINT16_MAX)) {
        return offset_end;
    }
    offset += 2;
    const uint32_t next_offset = offset + dnames_length;

    /* An empty list is legal and adds nothing to the tree. */
    if (dnames_length == 0)
        return offset;

    proto_item *ti = proto_tree_add_none_format(tree,
                                                hf->hf.hs_dnames,
                                                tvb, offset, dnames_length,
                                                "Distinguished Names (%d byte%s)",
                                                dnames_length,
                                                plurality(dnames_length, "", "s"));
    proto_tree *subtree = proto_item_add_subtree(ti, hf->ett.dnames);

    asn1_ctx_t asn1_ctx;
    asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true, pinfo);

    /* Cap the number of DNs added to the tree, see
     * https://gitlab.com/wireshark/wireshark/-/issues/16202. The cap must be
     * low enough not to hit the limit set by PINFO_LAYER_MAX_RECURSION_DEPTH
     * in packet.c. */
    int remaining_dnames = 100;

    while (offset < next_offset) {
        if (remaining_dnames-- == 0) {
            /* Too many entries: mark the rest as truncated and stop. */
            ti = proto_tree_add_item(subtree, hf->hf.hs_dnames_truncated,
                                     tvb, offset, next_offset - offset, ENC_NA);
            proto_item_set_generated(ti);
            return next_offset;
        }

        /* opaque DistinguishedName<1..2^16-1> */
        uint32_t name_length;
        if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, next_offset, &name_length,
                            hf->hf.hs_dname_len, 1, UINT16_MAX)) {
            return next_offset;
        }
        offset += 2;

        dissect_x509if_DistinguishedName(false, tvb, offset, &asn1_ctx,
                                         subtree, hf->hf.hs_dname);
        offset += name_length;
    }
    return offset;
} /* }}} */
7863
7864
7865/** TLS Extensions (in Client Hello and Server Hello). {{{ */
/* signature_algorithms extension: its body is a plain algorithm list. */
static int
ssl_dissect_hnd_hello_ext_sig_hash_algs(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                                        proto_tree *tree, packet_info* pinfo, uint32_t offset, uint32_t offset_end, ja4_data_t *ja4_data)
{
    int next_offset = ssl_dissect_hash_alg_list(hf, tvb, tree, pinfo, offset, offset_end, ja4_data);
    return next_offset;
}
7872
/* delegated_credential extension. In ClientHello and CertificateRequest it
 * lists acceptable signature schemes; elsewhere it carries the credential
 * itself. Returns the offset after the parsed data, or offset_end when a
 * length prefix is unusable. */
static int
ssl_dissect_hnd_ext_delegated_credentials(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                                          proto_tree *tree, packet_info* pinfo, uint32_t offset, uint32_t offset_end, uint8_t hnd_type)
{
    /*
     * struct {
     *     SignatureScheme supported_signature_algorithm<2..2^16-2>;
     * } SignatureSchemeList;
     */
    if (hnd_type == SSL_HND_CLIENT_HELLO || hnd_type == SSL_HND_CERT_REQUEST)
        return ssl_dissect_hash_alg_list(hf, tvb, tree, pinfo, offset, offset_end, NULL);

    /*
     * struct {
     *     uint32 valid_time;
     *     SignatureScheme expected_cert_verify_algorithm;
     *     opaque ASN1_subjectPublicKeyInfo<1..2^24-1>;
     * } Credential;
     *
     * struct {
     *     Credential cred;
     *     SignatureScheme algorithm;
     *     opaque signature<0..2^16-1>;
     * } DelegatedCredential;
     */
    asn1_ctx_t asn1_ctx;
    asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true, pinfo);

    /* Credential.valid_time */
    proto_tree_add_item(tree, hf->hf.hs_cred_valid_time, tvb, offset, 4, ENC_BIG_ENDIAN);
    offset += 4;

    /* Credential.expected_cert_verify_algorithm */
    tls_dissect_signature_algorithm(hf, tvb, tree, offset, NULL);
    offset += 2;

    /* Credential.ASN1_subjectPublicKeyInfo */
    unsigned pubkey_length;
    if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &pubkey_length,
                        hf->hf.hs_cred_pubkey_len, 1, G_MAXUINT24)) {
        return offset_end;
    }
    offset += 3;
    dissect_x509af_SubjectPublicKeyInfo(false, tvb, offset, &asn1_ctx, tree, hf->hf.hs_cred_pubkey);
    offset += pubkey_length;

    /* DelegatedCredential.algorithm */
    tls_dissect_signature_algorithm(hf, tvb, tree, offset, NULL);
    offset += 2;

    /* DelegatedCredential.signature */
    unsigned sign_length;
    if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &sign_length,
                        hf->hf.hs_cred_signature_len, 1, UINT16_MAX)) {
        return offset_end;
    }
    offset += 2;
    proto_tree_add_item(tree, hf->hf.hs_cred_signature,
                        tvb, offset, sign_length, ENC_ASCII|ENC_NA);
    offset += sign_length;

    return offset;
}
7935
/* application_settings (ALPS) extension. The ClientHello form is a list of
 * protocol names; the EncryptedExtensions form is an opaque settings blob.
 * Any other handshake type is skipped. Returns the offset after the parsed
 * data, or offset_end when nothing (more) could be parsed. */
static int
ssl_dissect_hnd_hello_ext_alps(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                               packet_info *pinfo, proto_tree *tree,
                               uint32_t offset, uint32_t offset_end,
                               uint8_t hnd_type)
{
    /* https://datatracker.ietf.org/doc/html/draft-vvv-tls-alps-01#section-4 */

    if (hnd_type == SSL_HND_ENCRYPTED_EXTS) {
        /* Opaque blob */
        proto_tree_add_item(tree, hf->hf.hs_ext_alps_settings,
                            tvb, offset, offset_end - offset, ENC_ASCII|ENC_NA);
        return offset_end;
    }

    if (hnd_type != SSL_HND_CLIENT_HELLO)
        return offset_end;

    /*
     * opaque ProtocolName<1..2^8-1>;
     * struct {
     *     ProtocolName supported_protocols<2..2^16-1>
     * } ApplicationSettingsSupport;
     */
    uint32_t alps_length;
    if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &alps_length,
                        hf->hf.hs_ext_alps_len, 2, UINT16_MAX)) {
        return offset_end;
    }
    offset += 2;
    const uint32_t next_offset = offset + alps_length;

    proto_item *ti = proto_tree_add_item(tree, hf->hf.hs_ext_alps_alpn_list,
                                         tvb, offset, alps_length, ENC_NA);
    proto_tree *alps_tree = proto_item_add_subtree(ti, hf->ett.hs_ext_alps);

    /* Parse list (note missing check for end of vector, ssl_add_vector below
     * ensures that data is always available.) */
    while (offset < next_offset) {
        uint32_t name_length;
        if (!ssl_add_vector(hf, tvb, pinfo, alps_tree, offset, next_offset, &name_length,
                            hf->hf.hs_ext_alps_alpn_str_len, 1, UINT8_MAX)) {
            return next_offset;
        }
        offset++;

        proto_tree_add_item(alps_tree, hf->hf.hs_ext_alps_alpn_str,
                            tvb, offset, name_length, ENC_ASCII|ENC_NA);
        offset += name_length;
    }

    return offset;
}
7994
static int
ssl_dissect_hnd_hello_ext_alpn(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                               packet_info *pinfo, proto_tree *tree,
                               uint32_t offset, uint32_t offset_end,
                               uint8_t hnd_type, SslSession *session,
                               bool is_dtls, ja4_data_t *ja4_data)
{
    /* application_layer_protocol_negotiation extension.
     *
     * https://tools.ietf.org/html/rfc7301#section-3.1
     * opaque ProtocolName<1..2^8-1>;
     * struct {
     *     ProtocolName protocol_name_list<2..2^16-1>
     * } ProtocolNameList;
     *
     * Besides adding the list to the tree this updates:
     *  - ja4_data->alpn (when ja4_data is given and still empty): two
     *    characters derived from the first ProtocolName;
     *  - session->alpn_name and possibly session->app_handle for a
     *    ServerHello / EncryptedExtensions, so that application data is
     *    handed to the dissector registered for the negotiated protocol;
     *  - session->client_alpn_name for a ClientHello.
     * session must be non-NULL.
     *
     * Returns the offset just past the list, or the end of the enclosing
     * vector if a length field is out of range.
     */
    proto_tree *alpn_tree;
    proto_item *ti;
    uint32_t next_offset, alpn_length, name_length;
    const char *proto_name = NULL, *client_proto_name = NULL;

    /* ProtocolName protocol_name_list<2..2^16-1> */
    if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &alpn_length,
                        hf->hf.hs_ext_alpn_len, 2, UINT16_MAX)) {
        return offset_end;
    }
    offset += 2;
    next_offset = offset + alpn_length;

    ti = proto_tree_add_item(tree, hf->hf.hs_ext_alpn_list,
                             tvb, offset, alpn_length, ENC_NA);
    alpn_tree = proto_item_add_subtree(ti, hf->ett.hs_ext_alpn);

    /* Parse list (note missing check for end of vector, ssl_add_vector below
     * ensures that data is always available.) */
    while (offset < next_offset) {
        /* opaque ProtocolName<1..2^8-1> */
        if (!ssl_add_vector(hf, tvb, pinfo, alpn_tree, offset, next_offset, &name_length,
                            hf->hf.hs_ext_alpn_str_len, 1, UINT8_MAX)) {
            return next_offset;
        }
        offset++;

        proto_tree_add_item(alpn_tree, hf->hf.hs_ext_alpn_str,
                            tvb, offset, name_length, ENC_ASCII|ENC_NA);
        /* JA4 uses only the first entry: an empty strbuf means none has been
         * recorded yet. name_length >= 1 (vector minimum), so the index of
         * the last byte cannot go below offset. */
        if (ja4_data && wmem_strbuf_get_len(ja4_data->alpn) == 0) {
            const char alpn_first_char = (char)tvb_get_uint8(tvb,offset);
            const char alpn_last_char = (char)tvb_get_uint8(tvb,offset + name_length - 1);
            if ((g_ascii_isalnum(alpn_first_char)) && g_ascii_isalnum(alpn_last_char)) {
                wmem_strbuf_append_printf(ja4_data->alpn, "%c%c", alpn_first_char, alpn_last_char);
            }
            else {
                /* Non-alphanumeric bytes are reduced to one hex digit each:
                 * the high nibble of the first byte, the low nibble of the
                 * last. The & 0x0F mask also discards sign extension if
                 * char is signed. */
                wmem_strbuf_append_printf(ja4_data->alpn, "%x%x",(alpn_first_char >> 4) & 0x0F,
                                          alpn_last_char & 0x0F);
            }
        }
        /* Remember first ALPN ProtocolName entry for server. */
        /* NOTE(review): both variables are overwritten on every iteration,
         * so with more than one entry it is the *last* name that survives.
         * A ServerHello is expected to carry exactly one (see below); for
         * the ClientHello, confirm that "last" is what the consumer of
         * client_alpn_name expects. */
        if (hnd_type == SSL_HND_SERVER_HELLO || hnd_type == SSL_HND_ENCRYPTED_EXTENSIONS) {
            /* '\0'-terminated string for dissector table match and prefix
             * comparison purposes. */
            proto_name = (char*)tvb_get_string_enc(pinfo->pool, tvb, offset,
                                                   name_length, ENC_ASCII);
        } else if (hnd_type == SSL_HND_CLIENT_HELLO) {
            client_proto_name = (char*)tvb_get_string_enc(pinfo->pool, tvb, offset,
                                                          name_length, ENC_ASCII);
        }
        offset += name_length;
    }

    /* If ALPN is given in ServerHello, then ProtocolNameList MUST contain
     * exactly one "ProtocolName". */
    if (proto_name) {
        dissector_handle_t handle;

        /* proto_name lives in pinfo->pool; keep a file-scoped copy. */
        session->alpn_name = wmem_strdup(wmem_file_scope(), proto_name);

        /* The (server-controlled) name selects the follow-on dissector, but
         * only names registered in the ALPN dissector table, or matching the
         * fixed prefix list below, are honoured. */
        if (is_dtls) {
            handle = dissector_get_string_handle(dtls_alpn_dissector_table,
                                                 proto_name);
        } else {
            handle = dissector_get_string_handle(ssl_alpn_dissector_table,
                                                 proto_name);
            if (handle == NULL) {
                /* Try prefix matching */
                for (size_t i = 0; i < G_N_ELEMENTS(ssl_alpn_prefix_match_protocols); i++) {
                    const ssl_alpn_prefix_match_protocol_t *alpn_proto = &ssl_alpn_prefix_match_protocols[i];

                    /* string_string is inappropriate as it compares strings
                     * while "byte strings MUST NOT be truncated" (RFC 7301) */
                    if (g_str_has_prefix(proto_name, alpn_proto->proto_prefix)) {
                        handle = find_dissector(alpn_proto->dissector_name);
                        break;
                    }
                }
            }
        }
        if (handle != NULL) {
            /* ProtocolName match, so set the App data dissector handle.
             * This may override protocols given via the UAT dialog, but
             * since the ALPN hint is precise, do it anyway. */
            ssl_debug_printf("%s: changing handle %p to %p (%s)", G_STRFUNC,
                             (void *)session->app_handle,
                             (void *)handle,
                             dissector_handle_get_dissector_name(handle));
            session->app_handle = handle;
        }
    } else if (client_proto_name) {
        // No current use for looking up the handle as the only consumer of this API is currently the QUIC dissector
        // and it just needs the string since there are/were various HTTP/3 ALPNs to check for.
        session->client_alpn_name = wmem_strdup(wmem_file_scope(), client_proto_name);
    }

    return offset;
}
8107
static int
ssl_dissect_hnd_hello_ext_npn(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                              packet_info *pinfo, proto_tree *tree,
                              uint32_t offset, uint32_t offset_end)
{
    /* Next Protocol Negotiation,
     * https://tools.ietf.org/html/draft-agl-tls-nextprotoneg-04#page-3
     *
     * The ServerHello extension_data is an optional concatenation of 8-bit
     * length-prefixed, non-empty protocol names; there is no outer length
     * field. An empty body (offset == offset_end) is valid and produces no
     * subtree.
     *
     * Returns the offset just past the last name, or offset_end if a name
     * length is out of range.
     */
    if (offset_end == offset) {
        return offset;
    }

    proto_tree *npn_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
                                                  hf->ett.hs_ext_npn, NULL,
                                                  "Next Protocol Negotiation");

    for (;;) {
        if (offset >= offset_end) {
            break;
        }
        /* Names are non-empty and at most 255 bytes long. */
        uint32_t name_len;
        if (!ssl_add_vector(hf, tvb, pinfo, npn_tree, offset, offset_end, &name_len,
                            hf->hf.hs_ext_npn_str_len, 1, UINT8_MAX)) {
            return offset_end;
        }
        offset += 1;

        proto_tree_add_item(npn_tree, hf->hf.hs_ext_npn_str,
                            tvb, offset, name_len, ENC_ASCII|ENC_NA);
        offset += name_len;
    }

    return offset;
}
8146
static int
ssl_dissect_hnd_hello_ext_reneg_info(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                                     packet_info *pinfo, proto_tree *tree,
                                     uint32_t offset, uint32_t offset_end)
{
    /* https://tools.ietf.org/html/rfc5746#section-3.2
     * struct {
     *     opaque renegotiated_connection<0..255>;
     * } RenegotiationInfo;
     *
     * renegotiated_connection may be empty; when present it is shown as
     * opaque bytes.
     *
     * Returns the offset just past the vector, or offset_end if the length
     * byte is out of range.
     */
    uint32_t conn_len;
    proto_tree *subtree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
                                                 hf->ett.hs_ext_reneg_info, NULL,
                                                 "Renegotiation Info extension");

    /* opaque renegotiated_connection<0..255> */
    if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, offset_end, &conn_len,
                        hf->hf.hs_ext_reneg_info_len, 0, 255)) {
        return offset_end;
    }
    offset += 1;

    if (conn_len == 0) {
        return offset;
    }
    proto_tree_add_item(subtree, hf->hf.hs_ext_reneg_info, tvb, offset, conn_len, ENC_NA);
    return offset + conn_len;
}
8177
static int
ssl_dissect_hnd_hello_ext_key_share_entry(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                                          proto_tree *tree, uint32_t offset, uint32_t offset_end,
                                          const char **group_name_out)
{
    /* RFC 8446 Section 4.2.8
     * struct {
     *     NamedGroup group;
     *     opaque key_exchange<1..2^16-1>;
     * } KeyShareEntry;
     *
     * group_name_out (optional) receives the printable group name, or NULL
     * when the group is a GREASE value, so callers can skip it in summaries.
     *
     * Returns the offset just past the entry, or offset_end when the
     * key_exchange length is out of range (possibly truncated).
     */
    uint32_t group;
    proto_tree *entry_tree = proto_tree_add_subtree(tree, tvb, offset, 4, hf->ett.hs_ext_key_share_ks,
                                                    NULL, "Key Share Entry");

    proto_tree_add_item_ret_uint(entry_tree, hf->hf.hs_ext_key_share_group, tvb, offset, 2,
                                 ENC_BIG_ENDIAN, &group);
    offset += 2;

    const char *name = val_to_str(pinfo->pool, group, ssl_extension_curves, "Unknown (%u)");
    proto_item_append_text(entry_tree, ": Group: %s", name);
    if (group_name_out != NULL) {
        if (IS_GREASE_TLS(group)) {
            *group_name_out = NULL;
        } else {
            *group_name_out = name;
        }
    }

    /* opaque key_exchange<1..2^16-1> */
    uint32_t kex_len;
    if (!ssl_add_vector(hf, tvb, pinfo, entry_tree, offset, offset_end, &kex_len,
                        hf->hf.hs_ext_key_share_key_exchange_length, 1, UINT16_MAX)) {
        return offset_end;
    }
    offset += 2;
    /* Entry covers group (2) + length (2) + key_exchange bytes. */
    proto_item_set_len(entry_tree, 2 + 2 + kex_len);
    proto_item_append_text(entry_tree, ", Key Exchange length: %u", kex_len);

    proto_tree_add_item(entry_tree, hf->hf.hs_ext_key_share_key_exchange, tvb, offset, kex_len, ENC_NA);
    return offset + kex_len;
}
8216
static int
ssl_dissect_hnd_hello_ext_key_share(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                                    proto_tree *tree, uint32_t offset, uint32_t offset_end,
                                    uint8_t hnd_type, SslDecryptSession *ssl)
{
    /* RFC 8446 Section 4.2.8, key_share. The body depends on the message:
     *   ClientHello:       KeyShareEntry client_shares<0..2^16-1>;
     *   ServerHello:       KeyShareEntry server_share;
     *   HelloRetryRequest: NamedGroup selected_group;
     * Group names are appended to the extension item text (GREASE entries
     * are skipped for ClientHello/ServerHello entries). For a ServerHello,
     * ssl->has_key_share is set when ssl is non-NULL.
     *
     * Returns the offset just past the parsed body. An empty body, or one
     * whose computed end wrapped below offset, is returned unchanged.
     */
    if (offset >= offset_end) {
        return offset;
    }

    proto_tree *ks_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
                                                 hf->ett.hs_ext_key_share, NULL, "Key Share extension");
    const char *group_name = NULL;

    if (hnd_type == SSL_HND_CLIENT_HELLO) {
        uint32_t shares_len;
        /* KeyShareEntry client_shares<0..2^16-1> */
        if (!ssl_add_vector(hf, tvb, pinfo, ks_tree, offset, offset_end, &shares_len,
                            hf->hf.hs_ext_key_share_client_length, 0, UINT16_MAX)) {
            return offset_end;
        }
        offset += 2;
        const uint32_t shares_end = offset + shares_len;
        const char *sep = " ";
        /* An entry needs at least a 2-byte group and a 2-byte key_exchange
         * length; the entry parser bounds the data itself. Any leftover
         * shorter than that is reported by ssl_end_vector. */
        while (offset + 4 <= shares_end) {
            offset = ssl_dissect_hnd_hello_ext_key_share_entry(hf, tvb, pinfo, ks_tree, offset,
                                                               shares_end, &group_name);
            if (group_name == NULL) {
                continue;
            }
            proto_item_append_text(tree, "%s%s", sep, group_name);
            sep = ", ";
        }
        if (!ssl_end_vector(hf, tvb, pinfo, ks_tree, offset, shares_end)) {
            return shares_end;
        }
        return offset;
    }

    if (hnd_type == SSL_HND_SERVER_HELLO) {
        if (ssl != NULL) {
            ssl->has_key_share = true;
        }
        offset = ssl_dissect_hnd_hello_ext_key_share_entry(hf, tvb, pinfo, ks_tree, offset,
                                                           offset_end, &group_name);
        if (group_name != NULL) {
            proto_item_append_text(tree, " %s", group_name);
        }
        return offset;
    }

    if (hnd_type == SSL_HND_HELLO_RETRY_REQUEST) {
        uint32_t group;
        proto_tree_add_item_ret_uint(ks_tree, hf->hf.hs_ext_key_share_selected_group, tvb, offset, 2,
                                     ENC_BIG_ENDIAN, &group);
        offset += 2;
        group_name = val_to_str(pinfo->pool, group, ssl_extension_curves, "Unknown (%u)");
        proto_item_append_text(tree, " %s", group_name);
        return offset;
    }

    /* Other handshake types do not carry key_share; nothing to parse. */
    return offset;
}
8276
static int
ssl_dissect_hnd_hello_ext_pre_shared_key(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                                         proto_tree *tree, uint32_t offset, uint32_t offset_end,
                                         uint8_t hnd_type, SslDecryptSession *ssl)
{
    /* RFC 8446 Section 4.2.11
     * struct {
     *     opaque identity<1..2^16-1>;
     *     uint32 obfuscated_ticket_age;
     * } PskIdentity;
     * opaque PskBinderEntry<32..255>;
     * struct {
     *     select (Handshake.msg_type) {
     *         case client_hello:
     *             PskIdentity identities<7..2^16-1>;
     *             PskBinderEntry binders<33..2^16-1>;
     *         case server_hello:
     *             uint16 selected_identity;
     *     };
     * } PreSharedKeyExtension;
     *
     * ClientHello: the identities vector is walked first, then the binders
     * vector. ServerHello: only selected_identity is read and ssl->has_psk
     * is set (when ssl is non-NULL). Other handshake types are not parsed.
     *
     * Returns the offset just past what was parsed. On a bad length field
     * the end of the enclosing vector is returned instead, which skips the
     * remainder of the extension.
     */

    proto_tree *psk_tree;

    psk_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset, hf->ett.hs_ext_pre_shared_key, NULL, "Pre-Shared Key extension");

    switch (hnd_type){
    case SSL_HND_CLIENT_HELLO: {
        uint32_t identities_length, identities_end, binders_length;

        /* PskIdentity identities<7..2^16-1> */
        if (!ssl_add_vector(hf, tvb, pinfo, psk_tree, offset, offset_end, &identities_length,
                            hf->hf.hs_ext_psk_identities_length, 7, UINT16_MAX)) {
            return offset_end;
        }
        offset += 2;
        identities_end = offset + identities_length;

        while (offset < identities_end) {
            uint32_t identity_length;
            proto_tree *identity_tree;

            /* Provisional length of 4; corrected by proto_item_set_len once
             * the identity length is known. */
            identity_tree = proto_tree_add_subtree(psk_tree, tvb, offset, 4, hf->ett.hs_ext_psk_identity, NULL, "PSK Identity (");

            /* opaque identity<1..2^16-1> */
            if (!ssl_add_vector(hf, tvb, pinfo, identity_tree, offset, identities_end, &identity_length,
                                hf->hf.hs_ext_psk_identity_identity_length, 1, UINT16_MAX)) {
                return identities_end;
            }
            offset += 2;
            proto_item_append_text(identity_tree, "length: %u)", identity_length);

            proto_tree_add_item(identity_tree, hf->hf.hs_ext_psk_identity_identity, tvb, offset, identity_length, ENC_BIG_ENDIAN);
            offset += identity_length;

            /* The 4-byte ticket age is not covered by the identity vector
             * bound above; a final entry that is short here ends the loop
             * with offset past identities_end, which ssl_end_vector below
             * reports. */
            proto_tree_add_item(identity_tree, hf->hf.hs_ext_psk_identity_obfuscated_ticket_age, tvb, offset, 4, ENC_BIG_ENDIAN);
            offset += 4;

            proto_item_set_len(identity_tree, 2 + identity_length + 4);
        }
        /* If the loop did not land exactly on identities_end, snap to the
         * declared end so the binders can still be parsed. */
        if (!ssl_end_vector(hf, tvb, pinfo, psk_tree, offset, identities_end)) {
            offset = identities_end;
        }

        /* PskBinderEntry binders<33..2^16-1> */
        if (!ssl_add_vector(hf, tvb, pinfo, psk_tree, offset, offset_end, &binders_length,
                            hf->hf.hs_ext_psk_binders_length, 33, UINT16_MAX)) {
            return offset_end;
        }
        offset += 2;

        proto_item *binders_item;
        proto_tree *binders_tree;
        binders_item = proto_tree_add_item(psk_tree, hf->hf.hs_ext_psk_binders, tvb, offset, binders_length, ENC_NA);
        binders_tree = proto_item_add_subtree(binders_item, hf->ett.hs_ext_psk_binders);
        uint32_t binders_end = offset + binders_length;
        /* Each binder: a 1-byte length followed by 32..255 bytes. The binder
         * item is added with a placeholder length of 1 and extended with
         * proto_item_set_end once the entry's end is known. No
         * ssl_end_vector follows this loop; each binder_length is bounded by
         * binders_end through ssl_add_vector. */
        while (offset < binders_end) {
            uint32_t binder_length;
            proto_item *binder_item;
            proto_tree *binder_tree;

            binder_item = proto_tree_add_item(binders_tree, hf->hf.hs_ext_psk_binder, tvb, offset, 1, ENC_NA);
            binder_tree = proto_item_add_subtree(binder_item, hf->ett.hs_ext_psk_binder);

            /* opaque PskBinderEntry<32..255>; */
            if (!ssl_add_vector(hf, tvb, pinfo, binder_tree, offset, binders_end, &binder_length,
                                hf->hf.hs_ext_psk_binder_binder_length, 32, 255)) {
                return binders_end;
            }
            offset += 1;
            proto_item_append_text(binder_tree, " (length: %u)", binder_length);

            proto_tree_add_item(binder_tree, hf->hf.hs_ext_psk_binder_binder, tvb, offset, binder_length, ENC_BIG_ENDIAN);
            offset += binder_length;

            proto_item_set_end(binder_item, tvb, offset);
        }
    }
    break;
    case SSL_HND_SERVER_HELLO: {
        /* Record that the server accepted a PSK; consumed by key derivation
         * elsewhere. */
        if (ssl) {
            ssl_debug_printf("%s found pre_shared_key extension\n", G_STRFUNC);
            ssl->has_psk = true;
        }
        proto_tree_add_item(psk_tree, hf->hf.hs_ext_psk_identity_selected, tvb, offset, 2, ENC_BIG_ENDIAN);
        offset += 2;
    }
    break;
    default:
        break;
    }

    return offset;
}
8391
static uint32_t
ssl_dissect_hnd_hello_ext_early_data(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo _U_,
                                     proto_tree *tree, uint32_t offset, uint32_t offset_end _U_,
                                     uint8_t hnd_type, SslDecryptSession *ssl)
{
    /* RFC 8446 Section 4.2.10
     * struct {} Empty;
     * struct {
     *     select (Handshake.msg_type) {
     *         case new_session_ticket: uint32 max_early_data_size;
     *         case client_hello: Empty;
     *         case encrypted_extensions: Empty;
     *     };
     * } EarlyDataIndication;
     *
     * Only a NewSessionTicket carries data (max_early_data_size). A
     * ClientHello merely flags, via ssl->has_early_data (when ssl is
     * non-NULL), that 0-RTT application data will follow the handshake.
     *
     * Returns the offset just past max_early_data_size for a
     * NewSessionTicket, otherwise offset unchanged.
     */
    if (hnd_type == SSL_HND_NEWSESSION_TICKET) {
        proto_tree_add_item(tree, hf->hf.hs_ext_max_early_data_size, tvb, offset, 4, ENC_BIG_ENDIAN);
        return offset + 4;
    }

    if (hnd_type == SSL_HND_CLIENT_HELLO && ssl != NULL) {
        ssl_debug_printf("%s found early_data extension\n", G_STRFUNC);
        ssl->has_early_data = true;
    }
    return offset;
}
8424
static uint16_t
tls_try_get_version(bool is_dtls, uint16_t version, uint8_t *draft_version)
{
    /* Normalise a wire ProtocolVersion to the constant this dissector uses,
     * or SSL_VER_UNKNOWN when it is not a version valid for the transport.
     *
     * For TLS, a draft TLS 1.3 version (as recognised by
     * extract_tls13_draft_version) and the Facebook fizz pseudo-versions
     * 0xfb17 / 0xfb1a are mapped to TLSV1DOT3_VERSION, with the draft number
     * (or the low byte of the fizz value) reported through *draft_version.
     * When draft_version is non-NULL it always receives a value (0 if no
     * draft was detected).
     *
     * TLS versions on DTLS and DTLS versions on TLS yield SSL_VER_UNKNOWN,
     * as does any value not in either list.
     */
    uint8_t draft = 0;

    if (!is_dtls) {
        draft = extract_tls13_draft_version(version);
        if (draft != 0) {
            /* This is TLS 1.3 (a draft version). */
            version = TLSV1DOT3_VERSION;
        }
        if (version == 0xfb17 || version == 0xfb1a) {
            /* Unofficial TLS 1.3 draft version for Facebook fizz. */
            draft = (uint8_t)version;
            version = TLSV1DOT3_VERSION;
        }
    }
    if (draft_version) {
        *draft_version = draft;
    }

    switch (version) {
    case SSLV3_VERSION:
    case TLSV1_VERSION:
    case TLSV1DOT1_VERSION:
    case TLSV1DOT2_VERSION:
    case TLSV1DOT3_VERSION:
    case TLCPV1_VERSION:
        /* Stream versions are not valid on DTLS. */
        return is_dtls ? SSL_VER_UNKNOWN : version;

    case DTLSV1DOT0_VERSION:
    case DTLSV1DOT0_OPENSSL_VERSION:
    case DTLSV1DOT2_VERSION:
    case DTLSV1DOT3_VERSION:
        /* Datagram versions are not valid on TLS. */
        return is_dtls ? version : SSL_VER_UNKNOWN;

    default: /* invalid version number */
        return SSL_VER_UNKNOWN;
    }
}
8475
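static int
ssl_dissect_hnd_hello_ext_supported_versions(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                                             proto_tree *tree, uint32_t offset, uint32_t offset_end,
                                             SslSession *session, bool is_dtls, ja4_data_t *ja4_data)
{
    /* RFC 8446 Section 4.2.1 (ClientHello form only)
     * struct {
     *     ProtocolVersion versions<2..254>; // ClientHello
     * } SupportedVersions;
     * Note that ServerHello and HelloRetryRequest are handled by the caller.
     *
     * Side effects:
     *  - each non-GREASE version is appended to the extension item text;
     *  - while session->version is still unknown, the protocol column is
     *    set from the "lowest" offered version: numerically lowest for TLS,
     *    numerically highest for DTLS (DTLS version numbers decrease as the
     *    protocol gets newer);
     *  - ja4_data->max_version (if ja4_data is given) tracks the highest
     *    non-GREASE wire value;
     *  - session->tls13_draft_version is set if any entry is a TLS 1.3
     *    draft (kept only for early-data decryption of old drafts).
     *
     * Returns the offset just past the list, or offset_end if the length
     * byte is out of range.
     */
    uint32_t versions_length, next_offset;
    /* ProtocolVersion versions<2..254> */
    if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &versions_length,
                        hf->hf.hs_ext_supported_versions_len, 2, 254)) {
        return offset_end;
    }
    offset++;
    next_offset = offset + versions_length;

    unsigned version = 0;
    unsigned current_version, lowest_version = SSL_VER_UNKNOWN;
    uint8_t draft_version, max_draft_version = 0;
    const char *sep = " ";
    while (offset + 2 <= next_offset) {
        proto_tree_add_item_ret_uint(tree, hf->hf.hs_ext_supported_version, tvb, offset, 2, ENC_BIG_ENDIAN, &version);
        offset += 2;

        if (!IS_GREASE_TLS(version)) {
            proto_item_append_text(tree, "%s%s", sep, val_to_str(pinfo->pool, version, ssl_versions, "Unknown (0x%04x)"));
            sep = ", ";
        }

        current_version = tls_try_get_version(is_dtls, version, &draft_version);
        if (session->version == SSL_VER_UNKNOWN) {
            /* Unknown (e.g. GREASE) entries never become the candidate;
             * the first known one seeds it. */
            if (lowest_version == SSL_VER_UNKNOWN) {
                lowest_version = current_version;
            } else if (current_version != SSL_VER_UNKNOWN) {
                if (!is_dtls) {
                    lowest_version = MIN(lowest_version, current_version);
                } else {
                    lowest_version = MAX(lowest_version, current_version);
                }
            }
        }
        max_draft_version = MAX(draft_version, max_draft_version);
        if (ja4_data && !IS_GREASE_TLS(version)) {
            /* The DTLS version numbers get mapped to "00" for unknown per
             * JA4 spec, but if JA4 ever does support DTLS we'll probably
             * need to take the MIN instead of MAX here for DTLS.
             */
            ja4_data->max_version = MAX(version, ja4_data->max_version);
        }
    }
    if (session->version == SSL_VER_UNKNOWN && lowest_version != SSL_VER_UNKNOWN) {
        /* Label the column with the version computed above rather than with
         * whichever entry happened to be last on the wire: the list need not
         * be sorted, and its last entry may be GREASE or a draft value that
         * has no short name. */
        col_set_str(pinfo->cinfo, COL_PROTOCOL,
                    val_to_str_const(lowest_version, ssl_version_short_names, is_dtls ? "DTLS" : "TLS"));
    }
    if (!ssl_end_vector(hf, tvb, pinfo, tree, offset, next_offset)) {
        offset = next_offset;
    }

    /* XXX remove this when draft 19 support is dropped,
     * this is only required for early data decryption. */
    if (max_draft_version) {
        session->tls13_draft_version = max_draft_version;
    }

    return offset;
}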
8547
static int
ssl_dissect_hnd_hello_ext_cookie(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                                 packet_info *pinfo, proto_tree *tree,
                                 uint32_t offset, uint32_t offset_end)
{
    /* RFC 8446 Section 4.2.2
     * struct {
     *     opaque cookie<1..2^16-1>;
     * } Cookie;
     *
     * The cookie is opaque to the client and is shown as raw bytes.
     *
     * Returns the offset just past the cookie, or offset_end if the length
     * field is out of range.
     */
    uint32_t cookie_len;

    /* opaque cookie<1..2^16-1> */
    if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &cookie_len,
                        hf->hf.hs_ext_cookie_len, 1, UINT16_MAX)) {
        return offset_end;
    }
    offset += 2;

    proto_tree_add_item(tree, hf->hf.hs_ext_cookie, tvb, offset, cookie_len, ENC_NA);
    return offset + cookie_len;
}
8571
static int
ssl_dissect_hnd_hello_ext_psk_key_exchange_modes(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                                                 proto_tree *tree, uint32_t offset, uint32_t offset_end)
{
    /* RFC 8446 Section 4.2.9
     * enum { psk_ke(0), psk_dhe_ke(1), (255) } PskKeyExchangeMode;
     *
     * struct {
     *     PskKeyExchangeMode ke_modes<1..255>;
     * } PskKeyExchangeModes;
     *
     * Returns the offset just past the modes list, or offset_end if the
     * length byte is out of range.
     */
    uint32_t modes_len;

    /* PskKeyExchangeMode ke_modes<1..255> */
    if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &modes_len,
                        hf->hf.hs_ext_psk_ke_modes_length, 1, 255)) {
        return offset_end;
    }
    offset += 1;

    /* One byte per mode. */
    const uint32_t modes_end = offset + modes_len;
    for (; offset < modes_end; offset++) {
        proto_tree_add_item(tree, hf->hf.hs_ext_psk_ke_mode, tvb, offset, 1, ENC_NA);
    }

    return offset;
}
8600
static uint32_t
ssl_dissect_hnd_hello_ext_certificate_authorities(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                                                  proto_tree *tree, uint32_t offset, uint32_t offset_end)
{
    /* RFC 8446 Section 4.2.4
     * opaque DistinguishedName<1..2^16-1>;
     * struct {
     *     DistinguishedName authorities<3..2^16-1>;
     * } CertificateAuthoritiesExtension;
     *
     * Thin wrapper: the DistinguishedName list is decoded by the shared
     * tls_dissect_certificate_authorities helper, whose return value (the
     * offset it reached) is passed through unchanged.
     */
    const uint32_t end_offset = tls_dissect_certificate_authorities(hf, tvb, pinfo, tree, offset, offset_end);
    return end_offset;
}
8613
static int
ssl_dissect_hnd_hello_ext_oid_filters(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                                      proto_tree *tree, uint32_t offset, uint32_t offset_end)
{
    /* RFC 8446 Section 4.2.5
     * struct {
     *     opaque certificate_extension_oid<1..2^8-1>;
     *     opaque certificate_extension_values<0..2^16-1>;
     * } OIDFilter;
     * struct {
     *     OIDFilter filters<0..2^16-1>;
     * } OIDFilterExtension;
     *
     * Each filter is an OID (decoded with the BER helper and resolved to a
     * name for the tree label) plus a DER-encoded value whose contents are
     * handed to the dissector registered for that OID. Parsing stops at
     * the first bad length.
     *
     * Returns the offset just past the filters vector, or the end of the
     * vector (or extension) on a bad length.
     */
    proto_tree *subtree;
    uint32_t filters_length, oid_length, values_length, value_offset;
    asn1_ctx_t asn1_ctx;
    const char *oid, *name;

    /* OIDFilter filters<0..2^16-1> */
    /* NOTE(review): the length is registered as hs_ext_psk_ke_modes_length,
     * which by name belongs to psk_key_exchange_modes; this looks like a
     * copy/paste slip that mislabels the field in the tree and in display
     * filters. No dedicated hf for this length is visible from here, so it
     * is left as is. */
    if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &filters_length,
                        hf->hf.hs_ext_psk_ke_modes_length, 0, UINT16_MAX)) {
        return offset_end;
    }
    offset += 2;
    /* From here on offset_end is the end of the filters vector, not of the
     * extension body. */
    offset_end = offset + filters_length;

    asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true, pinfo);

    while (offset < offset_end) {
        /* Provisional length up to the vector end; corrected once both inner
         * lengths are known. */
        subtree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
                                         hf->ett.hs_ext_oid_filter, NULL, "OID Filter");

        /* opaque certificate_extension_oid<1..2^8-1> */
        if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, offset_end, &oid_length,
                            hf->hf.hs_ext_oid_filters_oid_length, 1, UINT8_MAX)) {
            return offset_end;
        }
        offset++;
        /* The BER helper reads the OID from its own tag/length header; the
         * TLS oid_length only decides where the next field starts. If the
         * two disagree, the next ssl_add_vector is still bounded by
         * offset_end. */
        dissect_ber_object_identifier_str(false, &asn1_ctx, subtree, tvb, offset,
                                          hf->hf.hs_ext_oid_filters_oid, &oid);
        offset += oid_length;

        /* Append OID to tree label */
        /* NOTE(review): assumes oid is non-NULL on return — confirm that
         * dissect_ber_object_identifier_str guarantees this for malformed
         * input. */
        name = oid_resolved_from_string(pinfo->pool, oid);
        proto_item_append_text(subtree, " (%s)", name ? name : oid);

        /* opaque certificate_extension_values<0..2^16-1> */
        if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, offset_end, &values_length,
                            hf->hf.hs_ext_oid_filters_values_length, 0, UINT16_MAX)) {
            return offset_end;
        }
        offset += 2;
        proto_item_set_len(subtree, 1 + oid_length + 2 + values_length);
        if (values_length > 0) {
            /* Skip the outer DER tag and length, then dispatch the inner
             * value to the OID-specific dissector. */
            value_offset = offset;
            value_offset = dissect_ber_identifier(pinfo, subtree, tvb, value_offset, NULL, NULL, NULL);
            value_offset = dissect_ber_length(pinfo, subtree, tvb, value_offset, NULL, NULL);
            call_ber_oid_callback(oid, tvb, value_offset, pinfo, subtree, NULL);
        }
        offset += values_length;
    }

    return offset;
}
8678
static int
ssl_dissect_hnd_hello_ext_server_name(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                                      packet_info *pinfo, proto_tree *tree,
                                      uint32_t offset, uint32_t offset_end)
{
    /* https://tools.ietf.org/html/rfc6066#section-3
     *
     * struct {
     *     NameType name_type;
     *     select (name_type) {
     *         case host_name: HostName;
     *     } name;
     * } ServerName;
     *
     * enum {
     *     host_name(0), (255)
     * } NameType;
     *
     * opaque HostName<1..2^16-1>;
     *
     * struct {
     *     ServerName server_name_list<1..2^16-1>
     * } ServerNameList;
     *
     * Side effects for a host_name entry (name_type 0): the name is
     * appended to the extension item and to the Info column and, when the
     * handshake_sni_addr_resolution preference is on, registered as the
     * display name of the destination address (IPv4 or IPv6).
     *
     * Security note: the SNI comes verbatim from an unauthenticated
     * ClientHello. It only ever flows through "%s" formats and the
     * name-resolution tables, but a forged ClientHello can label any
     * destination address with an attacker-chosen name in the UI; the
     * preference is the only gate.
     *
     * Returns the offset just past the list. An empty body (the server's
     * acknowledgement) returns offset unchanged; a bad length returns the
     * end of the enclosing vector.
     */
    proto_tree *server_name_tree;
    uint32_t list_length, server_name_length, next_offset;

    /* The server SHALL include "server_name" extension with empty data. */
    if (offset == offset_end) {
        return offset;
    }

    server_name_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset, hf->ett.hs_ext_server_name, NULL, "Server Name Indication extension");

    /* ServerName server_name_list<1..2^16-1> */
    if (!ssl_add_vector(hf, tvb, pinfo, server_name_tree, offset, offset_end, &list_length,
                        hf->hf.hs_ext_server_name_list_len, 1, UINT16_MAX)) {
        return offset_end;
    }
    offset += 2;
    next_offset = offset + list_length;

    while (offset < next_offset) {
        uint32_t name_type;
        const char *server_name = NULL;
        proto_tree_add_item_ret_uint(server_name_tree, hf->hf.hs_ext_server_name_type,
                                     tvb, offset, 1, ENC_NA, &name_type);
        offset++;

        /* opaque HostName<1..2^16-1> */
        if (!ssl_add_vector(hf, tvb, pinfo, server_name_tree, offset, next_offset, &server_name_length,
                            hf->hf.hs_ext_server_name_len, 1, UINT16_MAX)) {
            return next_offset;
        }
        offset += 2;

        /* '\0'-terminated copy in pinfo->pool, used for the label, the
         * column and name resolution below. */
        proto_tree_add_item_ret_string(server_name_tree, hf->hf.hs_ext_server_name,
                                       tvb, offset, server_name_length, ENC_ASCII|ENC_NA,
                                       pinfo->pool, (const uint8_t**)&server_name);
        offset += server_name_length;
        // Each type must only occur once, so we don't check for duplicates.
        // NOTE(review): nothing enforces that here; a malformed list with
        // several host_name entries appends each of them to COL_INFO and
        // registers each name.
        if (name_type == 0) {
            proto_item_append_text(tree, " name=%s", server_name);
            col_append_fstr(pinfo->cinfo, COL_INFO, " (SNI=%s)", server_name);

            if (gbl_resolv_flags.handshake_sni_addr_resolution) {
                // Client Hello: Client (Src) -> Server (Dst)
                switch (pinfo->dst.type) {
                case AT_IPv4:
                    /* The length check guards the 4-byte read below. */
                    if (pinfo->dst.len == sizeof(uint32_t)) {
                        add_ipv4_name(*(uint32_t *)pinfo->dst.data, server_name, false);
                    }
                    break;
                case AT_IPv6:
                    if (pinfo->dst.len == sizeof(ws_in6_addr)) {
                        add_ipv6_name(pinfo->dst.data, server_name, false);
                    }
                    break;
                }
            }
        }
    }
    return offset;
}
8763
static int
ssl_dissect_hnd_hello_ext_session_ticket(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                                         proto_tree *tree, uint32_t offset, uint32_t offset_end, uint8_t hnd_type, SslDecryptSession *ssl)
{
    /* session_ticket extension. The body is an opaque ticket; it is empty
     * when the client merely signals support.
     *
     * For a non-empty ClientHello ticket with decryption state available, a
     * copy is kept in ssl->session_ticket (file-scoped memory, replacing any
     * previous copy) so that a later ChangeCipherSpec can use it as the
     * identifier for restoring the previous Master Secret.
     *
     * Returns offset_end.
     */
    const unsigned ticket_len = offset_end - offset;
    const bool keep_copy = (hnd_type == SSL_HND_CLIENT_HELLO) && (ssl != NULL) && (ticket_len != 0);

    if (keep_copy) {
        /* Reject a truncated ticket before any session state is touched. */
        tvb_ensure_bytes_exist(tvb, offset, ticket_len);
        ssl->session_ticket.data = (unsigned char *)wmem_realloc(wmem_file_scope(),
                                                                 ssl->session_ticket.data, ticket_len);
        ssl->session_ticket.data_len = ticket_len;
        tvb_memcpy(tvb, ssl->session_ticket.data, offset, ticket_len);
    }

    proto_tree_add_item(tree, hf->hf.hs_ext_session_ticket,
                        tvb, offset, ticket_len, ENC_NA);
    return offset_end;
}
8782
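static int
ssl_dissect_hnd_hello_ext_cert_type(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                                    proto_tree *tree, uint32_t offset, uint32_t offset_end,
                                    uint8_t hnd_type, uint16_t ext_type, SslSession *session)
{
    /* cert_type, client_certificate_type and server_certificate_type share
     * one layout:
     *
     *   ClientHello: a one-byte count followed by that many one-byte
     *   certificate types, which must fill the extension body exactly.
     *   ServerHello / EncryptedExtensions / Certificate: a single one-byte
     *   selected type.
     *
     * The selected type is stored in session->client_cert_type and/or
     * session->server_cert_type depending on ext_type; session must be
     * non-NULL.
     *
     * Returns the offset just past the parsed bytes. For a ClientHello whose
     * count does not match the body, the offset just past the count byte is
     * returned and the rest is left undissected.
     */
    uint8_t cert_list_length;
    uint8_t cert_type;
    proto_tree *cert_list_tree;
    proto_item *ti;

    switch(hnd_type){
    case SSL_HND_CLIENT_HELLO:
        cert_list_length = tvb_get_uint8(tvb, offset);
        proto_tree_add_item(tree, hf->hf.hs_ext_cert_types_len,
                            tvb, offset, 1, ENC_BIG_ENDIAN);
        offset += 1;
        /* The list must fill the body exactly; do not read past it otherwise. */
        if (offset_end - offset != (uint32_t)cert_list_length)
            return offset;

        /* The list is an opaque byte run, so the encoding argument is
         * ENC_NA. (Previously the byte count was passed in its place.) */
        ti = proto_tree_add_item(tree, hf->hf.hs_ext_cert_types, tvb, offset,
                                 cert_list_length, ENC_NA);
        proto_item_append_text(ti, " (%d)", cert_list_length);

        /* make this a subtree */
        cert_list_tree = proto_item_add_subtree(ti, hf->ett.hs_ext_cert_types);

        /* one byte per certificate type */
        while (cert_list_length > 0)
        {
            proto_tree_add_item(cert_list_tree, hf->hf.hs_ext_cert_type, tvb, offset, 1, ENC_BIG_ENDIAN);
            offset++;
            cert_list_length--;
        }
        break;
    case SSL_HND_SERVER_HELLO:
    case SSL_HND_ENCRYPTED_EXTENSIONS:
    case SSL_HND_CERTIFICATE:
        cert_type = tvb_get_uint8(tvb, offset);
        proto_tree_add_item(tree, hf->hf.hs_ext_cert_type, tvb, offset, 1, ENC_BIG_ENDIAN);
        offset += 1;
        /* The generic cert_type extension (9) sets both sides; the
         * client/server-specific ones (19/20) set only theirs. */
        if (ext_type == SSL_HND_HELLO_EXT_CERT_TYPE || ext_type == SSL_HND_HELLO_EXT_CLIENT_CERT_TYPE) {
            session->client_cert_type = cert_type;
        }
        if (ext_type == SSL_HND_HELLO_EXT_CERT_TYPE || ext_type == SSL_HND_HELLO_EXT_SERVER_CERT_TYPE) {
            session->server_cert_type = cert_type;
        }
        break;
    default: /* no default */
        break;
    }

    return offset;
}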
8836
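static uint32_t
ssl_dissect_hnd_hello_ext_compress_certificate(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                                               proto_tree *tree, uint32_t offset, uint32_t offset_end,
                                               uint8_t hnd_type, SslDecryptSession *ssl _U_)
{
    /* compress_certificate extension (ClientHello and CertificateRequest).
     *
     * https://tools.ietf.org/html/draft-ietf-tls-certificate-compression-03#section-3.0
     *  enum {
     *      zlib(1),
     *      brotli(2),
     *      (65535)
     *  } CertificateCompressionAlgorithm;
     *
     *  struct {
     *      CertificateCompressionAlgorithm algorithms<1..2^8-1>;
     *  } CertificateCompressionAlgorithms;
     *
     * Returns the offset after the algorithms vector; on a malformed vector
     * length returns offset_end. Other handshake types return offset
     * unchanged.
     */
    uint32_t compress_certificate_algorithms_length, next_offset;

    switch (hnd_type) {
    case SSL_HND_CLIENT_HELLO:
    case SSL_HND_CERT_REQUEST:
        /* CertificateCompressionAlgorithm algorithms<1..2^8-1>; */
        if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &compress_certificate_algorithms_length,
                            hf->hf.hs_ext_compress_certificate_algorithms_length, 1, UINT8_MAX-1)) {
            return offset_end;
        }
        offset += 1;
        next_offset = offset + compress_certificate_algorithms_length;

        /* each algorithm identifier is a 2-byte value */
        while (offset < next_offset) {
            proto_tree_add_item(tree, hf->hf.hs_ext_compress_certificate_algorithm,
                                tvb, offset, 2, ENC_BIG_ENDIAN);
            offset += 2;
        }

        /* An odd vector length makes the loop above read one byte past the
         * vector. Flag the mismatch and resynchronise on the declared end
         * rather than returning an offset inside the next extension. */
        if (!ssl_end_vector(hf, tvb, pinfo, tree, offset, next_offset)) {
            offset = next_offset;
        }
        break;
    default:
        break;
    }

    return offset;
}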
8878
static uint32_t
ssl_dissect_hnd_hello_ext_token_binding(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                                        proto_tree *tree, uint32_t offset, uint32_t offset_end,
                                        uint8_t hnd_type, SslDecryptSession *ssl _U_)
{
    /* token_binding extension, RFC 8472:
     *
     *  struct {
     *      uint8 major;
     *      uint8 minor;
     *  } TB_ProtocolVersion;
     *
     *  enum {
     *      rsa2048_pkcs1.5(0), rsa2048_pss(1), ecdsap256(2), (255)
     *  } TokenBindingKeyParameters;
     *
     *  struct {
     *      TB_ProtocolVersion token_binding_version;
     *      TokenBindingKeyParameters key_parameters_list<1..2^8-1>
     *  } TokenBindingParameters;
     *
     * Dissected in ClientHello and ServerHello only; any other handshake
     * type returns offset unchanged. Returns the offset after the
     * key_parameters_list, or offset_end when its length is malformed.
     */
    uint32_t    key_params_len, key_params_end;
    proto_item *params_item;
    proto_tree *params_tree;

    if (hnd_type != SSL_HND_CLIENT_HELLO && hnd_type != SSL_HND_SERVER_HELLO) {
        return offset;
    }

    /* TB_ProtocolVersion: major then minor */
    proto_tree_add_item(tree, hf->hf.hs_ext_token_binding_version_major, tvb, offset, 1, ENC_BIG_ENDIAN);
    proto_tree_add_item(tree, hf->hf.hs_ext_token_binding_version_minor, tvb, offset + 1, 1, ENC_BIG_ENDIAN);
    offset += 2;

    /* TokenBindingKeyParameters key_parameters_list<1..2^8-1> */
    if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &key_params_len,
                        hf->hf.hs_ext_token_binding_key_parameters_length, 1, UINT8_MAX)) {
        return offset_end;
    }
    offset += 1;
    key_params_end = offset + key_params_len;

    params_item = proto_tree_add_none_format(tree,
                                             hf->hf.hs_ext_token_binding_key_parameters,
                                             tvb, offset, key_params_len,
                                             "Key parameters identifiers (%d identifier%s)",
                                             key_params_len,
                                             plurality(key_params_len, "", "s"));
    params_tree = proto_item_add_subtree(params_item, hf->ett.hs_ext_token_binding_key_parameters);

    /* one byte per key parameter identifier */
    for (; offset < key_params_end; offset++) {
        proto_tree_add_item(params_tree, hf->hf.hs_ext_token_binding_key_parameter,
                            tvb, offset, 1, ENC_BIG_ENDIAN);
    }

    /* Resynchronise on the declared vector end if dissection drifted. */
    if (!ssl_end_vector(hf, tvb, pinfo, params_tree, offset, key_params_end)) {
        offset = key_params_end;
    }

    return offset;
}
8945
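static uint32_t
ssl_dissect_hnd_hello_ext_quic_transport_parameters(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                                                    proto_tree *tree, uint32_t offset, uint32_t offset_end,
                                                    uint8_t hnd_type, SslDecryptSession *ssl _U_)
{
    /* quic_transport_parameters extension.
     *
     * Two wire encodings are handled:
     *  - draft -27 and later: a sequence of (varint id, varint length, value)
     *    records that fills the whole extension;
     *  - draft -26 and earlier: a 16-bit length-prefixed list of
     *    (uint16 id, uint16 length, value) records.
     * The extension carries no version signal, so the encoding is guessed
     * from the first bytes (see the check below).
     *
     * Side effects: several parameters are handed to the QUIC dissector via
     * the quic_add_* helpers (connection IDs, stateless reset tokens, loss
     * bits, multipath, GREASE QUIC bit).
     *
     * Returns the offset after the last dissected parameter. On a malformed
     * length the end of the enclosing vector is returned instead, so the
     * caller never gets an offset inside a following extension.
     */
    bool     use_varint_encoding = true; // Whether this is draft -27 or newer.
    uint32_t next_offset;

    /* https://tools.ietf.org/html/draft-ietf-quic-transport-25#section-18
     *
     * Note: the following structures are not literally defined in the spec,
     * they instead use an ASCII diagram.
     *
     * struct {
     *     uint16 id;
     *     opaque value<0..2^16-1>;
     * } TransportParameter;                               // before draft -27
     * TransportParameter TransportParameters<0..2^16-1>;  // before draft -27
     *
     * struct {
     *   opaque ipv4Address[4];
     *   uint16 ipv4Port;
     *   opaque ipv6Address[16];
     *   uint16 ipv6Port;
     *   opaque connectionId<0..18>;
     *   opaque statelessResetToken[16];
     * } PreferredAddress;
     */

    if (offset_end - offset >= 6 &&
        2 + (unsigned)tvb_get_ntohs(tvb, offset) == offset_end - offset &&
        6 + (unsigned)tvb_get_ntohs(tvb, offset + 4) <= offset_end - offset) {
        // Assume encoding of Transport Parameters draft -26 or older with at
        // least one transport parameter that has a valid length.
        use_varint_encoding = false;
    }

    if (use_varint_encoding) {
        next_offset = offset_end;
    } else {
        uint32_t quic_length;
        // Assume draft -26 or earlier.
        /* TransportParameter TransportParameters<0..2^16-1>; */
        if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &quic_length,
                            hf->hf.hs_ext_quictp_len, 0, UINT16_MAX)) {
            return offset_end;
        }
        offset += 2;
        next_offset = offset + quic_length;
    }

    while (offset < next_offset) {
        uint64_t    parameter_type;     /* 62-bit space */
        uint32_t    parameter_length;
        proto_tree *parameter_tree;
        uint32_t    parameter_end_offset;
        uint64_t    value;
        uint32_t    i;
        int         len = 0;

        parameter_tree = proto_tree_add_subtree(tree, tvb, offset, 2, hf->ett.hs_ext_quictp_parameter,
                                                NULL, "Parameter");
        /* TransportParameter ID and Length. */
        if (use_varint_encoding) {
            uint64_t parameter_length64;
            int type_len = 0;

            proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_type,
                                           tvb, offset, -1, ENC_VARINT_QUIC, &parameter_type, &type_len);
            offset += type_len;

            proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_len,
                                           tvb, offset, -1, ENC_VARINT_QUIC, &parameter_length64, &len);
            offset += len;

            /* The length is a 62-bit varint but a parameter cannot extend
             * past the extension. Reject it here instead of truncating it to
             * 32 bits and letting the value field swallow bytes that belong
             * to the following extensions. The old-encoding path below has
             * the same check via ssl_add_vector.
             * TODO(review): attach an expert info here if ssl_common_dissect_t
             * provides one for malformed lengths; the item text is the only
             * visible channel from this function. */
            if (offset > next_offset || parameter_length64 > (uint64_t)(next_offset - offset)) {
                proto_item_set_len(parameter_tree, type_len + len);
                proto_item_append_text(parameter_tree, ": malformed length %" PRIu64 " exceeds extension",
                                       parameter_length64);
                return next_offset;
            }
            parameter_length = (uint32_t)parameter_length64;

            proto_item_set_len(parameter_tree, type_len + len + parameter_length);
        } else {
            parameter_type = tvb_get_ntohs(tvb, offset);
            proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_type,
                                tvb, offset, 2, ENC_BIG_ENDIAN);
            offset += 2;

            /* opaque value<0..2^16-1> */
            if (!ssl_add_vector(hf, tvb, pinfo, parameter_tree, offset, next_offset, &parameter_length,
                                hf->hf.hs_ext_quictp_parameter_len_old, 0, UINT16_MAX)) {
                return next_offset;
            }
            offset += 2;

            proto_item_set_len(parameter_tree, 4 + parameter_length);
        }

        if (IS_GREASE_QUIC(parameter_type)) {
            proto_item_append_text(parameter_tree, ": GREASE");
        } else {
            proto_item_append_text(parameter_tree, ": %s", val64_to_str_wmem(pinfo->pool, parameter_type, quic_transport_parameter_id, "Unknown 0x%04x"));
        }

        proto_item_append_text(parameter_tree, " (len=%u)", parameter_length);
        parameter_end_offset = offset + parameter_length;

        /* Omit the value field if the parameter's length is 0. */
        if (parameter_length != 0) {
            proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_value,
                                tvb, offset, parameter_length, ENC_NA);
        }

        /* Per-parameter decoding. Each case advances 'offset' by what it
         * consumed; the ssl_end_vector call after the switch flags and
         * repairs any disagreement with parameter_length. */
        switch (parameter_type) {
            case SSL_HND_QUIC_TP_ORIGINAL_DESTINATION_CONNECTION_ID:
                proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_original_destination_connection_id,
                                    tvb, offset, parameter_length, ENC_NA);
                offset += parameter_length;
                break;
            case SSL_HND_QUIC_TP_MAX_IDLE_TIMEOUT:
                proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_max_idle_timeout,
                                               tvb, offset, -1, ENC_VARINT_QUIC, &value, &len);
                proto_item_append_text(parameter_tree, " %" PRIu64 " ms", value);
                offset += len;
                break;
            case SSL_HND_QUIC_TP_STATELESS_RESET_TOKEN:
                proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_stateless_reset_token,
                                    tvb, offset, 16, ENC_BIG_ENDIAN);
                quic_add_stateless_reset_token(pinfo, tvb, offset, NULL);
                offset += 16;
                break;
            case SSL_HND_QUIC_TP_MAX_UDP_PAYLOAD_SIZE:
                proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_max_udp_payload_size,
                                               tvb, offset, -1, ENC_VARINT_QUIC, &value, &len);
                proto_item_append_text(parameter_tree, " %" PRIu64, value);
                /*TODO display expert info about invalid value (< 1252 or >65527) ? */
                offset += len;
                break;
            case SSL_HND_QUIC_TP_INITIAL_MAX_DATA:
                proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_data,
                                               tvb, offset, -1, ENC_VARINT_QUIC, &value, &len);
                proto_item_append_text(parameter_tree, " %" PRIu64, value);
                offset += len;
                break;
            case SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_BIDI_LOCAL:
                proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_stream_data_bidi_local,
                                               tvb, offset, -1, ENC_VARINT_QUIC, &value, &len);
                proto_item_append_text(parameter_tree, " %" PRIu64, value);
                offset += len;
                break;
            case SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_BIDI_REMOTE:
                proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_stream_data_bidi_remote,
                                               tvb, offset, -1, ENC_VARINT_QUIC, &value, &len);
                proto_item_append_text(parameter_tree, " %" PRIu64, value);
                offset += len;
                break;
            case SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_UNI:
                proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_stream_data_uni,
                                               tvb, offset, -1, ENC_VARINT_QUIC, &value, &len);
                proto_item_append_text(parameter_tree, " %" PRIu64, value);
                offset += len;
                break;
            case SSL_HND_QUIC_TP_INITIAL_MAX_STREAMS_UNI:
                proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_streams_uni,
                                               tvb, offset, -1, ENC_VARINT_QUIC, &value, &len);
                proto_item_append_text(parameter_tree, " %" PRIu64, value);
                offset += len;
                break;
            case SSL_HND_QUIC_TP_INITIAL_MAX_STREAMS_BIDI:
                proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_streams_bidi,
                                               tvb, offset, -1, ENC_VARINT_QUIC, &value, &len);
                proto_item_append_text(parameter_tree, " %" PRIu64, value);
                offset += len;
                break;
            case SSL_HND_QUIC_TP_ACK_DELAY_EXPONENT:
                proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_ack_delay_exponent,
                                               tvb, offset, -1, ENC_VARINT_QUIC, NULL, &len);
                /*TODO display multiplier (x8) and expert info about invalid value (> 20) ? */
                offset += len;
                break;
            case SSL_HND_QUIC_TP_MAX_ACK_DELAY:
                proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_max_ack_delay,
                                               tvb, offset, -1, ENC_VARINT_QUIC, &value, &len);
                proto_item_append_text(parameter_tree, " %" PRIu64, value);
                offset += len;
                break;
            case SSL_HND_QUIC_TP_DISABLE_ACTIVE_MIGRATION:
                /* No Payload */
                break;
            case SSL_HND_QUIC_TP_PREFERRED_ADDRESS: {
                uint32_t connectionid_length;
                quic_cid_t cid;

                proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_ipv4address,
                                    tvb, offset, 4, ENC_BIG_ENDIAN);
                offset += 4;
                proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_ipv4port,
                                    tvb, offset, 2, ENC_BIG_ENDIAN);
                offset += 2;
                proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_ipv6address,
                                    tvb, offset, 16, ENC_NA);
                offset += 16;
                proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_ipv6port,
                                    tvb, offset, 2, ENC_BIG_ENDIAN);
                offset += 2;
                /* XXX - Should we add these addresses and ports as addresses that the client
                 * is allowed / expected to migrate the server address to? Right now we don't
                 * enforce that (see RFC 9000 Section 9, which implies that while the client
                 * can migrate to whatever address it wants, it can only migrate the server
                 * address to the Server's Preferred Address as in 9.6. Also Issue #20165.)
                 */

                /* The connection ID vector is bounded by this parameter, not
                 * by the whole extension. */
                if (!ssl_add_vector(hf, tvb, pinfo, parameter_tree, offset, parameter_end_offset, &connectionid_length,
                                    hf->hf.hs_ext_quictp_parameter_pa_connectionid_length, 0, 20)) {
                    break;
                }
                offset += 1;

                proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_connectionid,
                                    tvb, offset, connectionid_length, ENC_NA);
                /* 'cid' is only populated (and only used below) for a
                 * non-empty CID within the QUIC limit. */
                if (connectionid_length >= 1 && connectionid_length <= QUIC_MAX_CID_LENGTH) {
                    cid.len = connectionid_length;
                    // RFC 9000 5.1.1 "If the preferred_address transport
                    // parameter is sent, the sequence number of the supplied
                    // connection ID is 1."
                    cid.seq_num = 1;
                    // Multipath draft-07 "Also, the Path Identifier for the
                    // connection ID specified in the "preferred address"
                    // transport parameter is 0."
                    cid.path_id = 0;
                    tvb_memcpy(tvb, cid.cid, offset, connectionid_length);
                    quic_add_connection(pinfo, &cid);
                }
                offset += connectionid_length;

                proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_statelessresettoken,
                                    tvb, offset, 16, ENC_NA);
                if (connectionid_length >= 1 && connectionid_length <= QUIC_MAX_CID_LENGTH) {
                    quic_add_stateless_reset_token(pinfo, tvb, offset, &cid);
                }
                offset += 16;
            }
            break;
            case SSL_HND_QUIC_TP_ACTIVE_CONNECTION_ID_LIMIT:
                proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_active_connection_id_limit,
                                               tvb, offset, -1, ENC_VARINT_QUIC, &value, &len);
                proto_item_append_text(parameter_tree, " %" PRIu64, value);
                offset += len;
                break;
            case SSL_HND_QUIC_TP_INITIAL_SOURCE_CONNECTION_ID:
                proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_source_connection_id,
                                    tvb, offset, parameter_length, ENC_NA);
                offset += parameter_length;
                break;
            case SSL_HND_QUIC_TP_RETRY_SOURCE_CONNECTION_ID:
                proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_retry_source_connection_id,
                                    tvb, offset, parameter_length, ENC_NA);
                offset += parameter_length;
                break;
            case SSL_HND_QUIC_TP_MAX_DATAGRAM_FRAME_SIZE:
                proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_max_datagram_frame_size,
                                               tvb, offset, -1, ENC_VARINT_QUIC, &value, &len);
                proto_item_append_text(parameter_tree, " %" PRIu64, value);
                offset += len;
                break;
            case SSL_HND_QUIC_TP_CIBIR_ENCODING:
                proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_cibir_encoding_length,
                                               tvb, offset, -1, ENC_VARINT_QUIC, &value, &len);
                proto_item_append_text(parameter_tree, " Length: %" PRIu64, value);
                offset += len;
                proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_cibir_encoding_offset,
                                               tvb, offset, -1, ENC_VARINT_QUIC, &value, &len);
                proto_item_append_text(parameter_tree, ", Offset: %" PRIu64, value);
                offset += len;
                break;
            case SSL_HND_QUIC_TP_LOSS_BITS:
                proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_loss_bits,
                                               tvb, offset, -1, ENC_VARINT_QUIC, &value, &len);
                if (len > 0) {
                    quic_add_loss_bits(pinfo, value);
                }
                /* Advance by the varint's actual size. A fixed "+= 1" made
                 * ssl_end_vector flag a value encoded on two bytes as
                 * malformed even though QUIC varints need not be minimal. */
                offset += len;
                break;
            case SSL_HND_QUIC_TP_ADDRESS_DISCOVERY:
                proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_address_discovery,
                                               tvb, offset, -1, ENC_VARINT_QUIC, NULL, &len);
                offset += len;
                break;
            case SSL_HND_QUIC_TP_MIN_ACK_DELAY_OLD:
            case SSL_HND_QUIC_TP_MIN_ACK_DELAY_DRAFT_V1:
            case SSL_HND_QUIC_TP_MIN_ACK_DELAY_DRAFT05:
            case SSL_HND_QUIC_TP_MIN_ACK_DELAY:
                proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_min_ack_delay,
                                               tvb, offset, -1, ENC_VARINT_QUIC, &value, &len);
                proto_item_append_text(parameter_tree, " %" PRIu64, value);
                offset += len;
                break;
            case SSL_HND_QUIC_TP_GOOGLE_USER_AGENT:
                proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_user_agent_id,
                                    tvb, offset, parameter_length, ENC_ASCII|ENC_NA);
                offset += parameter_length;
                break;
            case SSL_HND_QUIC_TP_GOOGLE_KEY_UPDATE_NOT_YET_SUPPORTED:
                proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_key_update_not_yet_supported,
                                    tvb, offset, parameter_length, ENC_NA);
                offset += parameter_length;
                break;
            case SSL_HND_QUIC_TP_GOOGLE_QUIC_VERSION:
                proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_quic_version,
                                    tvb, offset, 4, ENC_BIG_ENDIAN);
                offset += 4;
                if (hnd_type == SSL_HND_ENCRYPTED_EXTENSIONS) { /* From server */
                    uint32_t versions_length;

                    proto_tree_add_item_ret_uint(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_supported_versions_length,
                                                 tvb, offset, 1, ENC_NA, &versions_length);
                    offset += 1;
                    for (i = 0; i < versions_length / 4; i++) {
                        quic_proto_tree_add_version(tvb, parameter_tree,
                                                    hf->hf.hs_ext_quictp_parameter_google_supported_version, offset);
                        offset += 4;
                    }
                }
                break;
            case SSL_HND_QUIC_TP_GOOGLE_INITIAL_RTT:
                proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_initial_rtt,
                                               tvb, offset, -1, ENC_VARINT_QUIC, &value, &len);
                proto_item_append_text(parameter_tree, " %" PRIu64 " us", value);
                offset += len;
                break;
            case SSL_HND_QUIC_TP_GOOGLE_SUPPORT_HANDSHAKE_DONE:
                proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_support_handshake_done,
                                    tvb, offset, parameter_length, ENC_NA);
                offset += parameter_length;
                break;
            case SSL_HND_QUIC_TP_GOOGLE_QUIC_PARAMS:
                /* This field was used for non-standard Google-specific parameters encoded as a
                 * Google QUIC_CRYPTO CHLO and it has been replaced (version >= T051) by individual
                 * parameters. Report it as a bytes blob... */
                proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_quic_params,
                                    tvb, offset, parameter_length, ENC_NA);
                /* ... and try decoding it: not sure what the first 4 bytes are (but they seems to be always 0) */
                proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_quic_params_unknown_field,
                                    tvb, offset, 4, ENC_NA);
                dissect_gquic_tags(tvb, pinfo, parameter_tree, offset + 4);
                offset += parameter_length;
                break;
            case SSL_HND_QUIC_TP_GOOGLE_CONNECTION_OPTIONS:
                proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_connection_options,
                                    tvb, offset, parameter_length, ENC_NA);
                offset += parameter_length;
                break;
            case SSL_HND_QUIC_TP_ENABLE_TIME_STAMP:
                /* No Payload */
                break;
            case SSL_HND_QUIC_TP_ENABLE_TIME_STAMP_V2:
                proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_enable_time_stamp_v2,
                                               tvb, offset, -1, ENC_VARINT_QUIC, &value, &len);
                offset += parameter_length;
                break;
            case SSL_HND_QUIC_TP_VERSION_INFORMATION_DRAFT:
            case SSL_HND_QUIC_TP_VERSION_INFORMATION:
                quic_proto_tree_add_version(tvb, parameter_tree,
                                            hf->hf.hs_ext_quictp_parameter_chosen_version, offset);
                offset += 4;
                for (i = 4; i < parameter_length; i += 4) {
                    quic_proto_tree_add_version(tvb, parameter_tree,
                                                hf->hf.hs_ext_quictp_parameter_other_version, offset);
                    offset += 4;
                }
                break;
            case SSL_HND_QUIC_TP_GREASE_QUIC_BIT:
                /* No Payload */
                quic_add_grease_quic_bit(pinfo);
                break;
            case SSL_HND_QUIC_TP_FACEBOOK_PARTIAL_RELIABILITY:
                proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_facebook_partial_reliability,
                                               tvb, offset, -1, ENC_VARINT_QUIC, &value, &len);
                offset += parameter_length;
                break;
            case SSL_HND_QUIC_TP_ENABLE_MULTIPATH_DRAFT04:
                proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_enable_multipath,
                                               tvb, offset, -1, ENC_VARINT_QUIC, &value, &len);
                if (value == 1) {
                    quic_add_multipath(pinfo, QUIC_MP_NO_PATH_ID);
                }
                offset += parameter_length;
                break;
            case SSL_HND_QUIC_TP_ENABLE_MULTIPATH_DRAFT05:
            case SSL_HND_QUIC_TP_ENABLE_MULTIPATH:
                /* No Payload */
                quic_add_multipath(pinfo, QUIC_MP_NO_PATH_ID);
                break;
            case SSL_HND_QUIC_TP_INITIAL_MAX_PATHS:
                proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_paths,
                                               tvb, offset, -1, ENC_VARINT_QUIC, &value, &len);
                if (value > 1) {
                    quic_add_multipath(pinfo, QUIC_MP_PATH_ID);
                }
                /* multipath draft-07: "The value of the initial_max_paths
                 * parameter MUST be at least 2." TODO: Expert Info? */
                offset += parameter_length;
                break;
            case SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT09:
            case SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT11:
            case SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT12:
            case SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT13:
            case SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID:
                proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_path_id,
                                               tvb, offset, -1, ENC_VARINT_QUIC, &value, &len);
                /* multipath draft-09 and later: "If an endpoint receives an
                 * initial_max_path_id transport parameter with value 0, the
                 * peer aims to enable the multipath extension without allowing
                 * extra paths immediately."
                 */
                quic_add_multipath(pinfo, QUIC_MP_PATH_ID);
                offset += parameter_length;
                break;
            default:
                offset += parameter_length;
                /*TODO display expert info about unknown ? */
                break;
        }

        if (!ssl_end_vector(hf, tvb, pinfo, parameter_tree, offset, parameter_end_offset)) {
            /* Dissection did not end at expected location, fix it. */
            offset = parameter_end_offset;
        }
    }

    return offset;
}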
9373
static int
ssl_dissect_hnd_hello_common(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                             proto_tree *tree, uint32_t offset,
                             SslSession *session, SslDecryptSession *ssl,
                             bool from_server, bool is_hrr)
{
    /* Dissects the fields ClientHello and ServerHello share after the
     * protocol version: the 32-byte Random and the session ID vector.
     *
     * When decryption state is available ('ssl' non-NULL) the Random is
     * copied into ssl->client_random / ssl->server_random and the matching
     * SSL_*_RANDOM state bit is set; a session ID of at most 32 bytes is
     * copied into ssl->session_id. The client Random is additionally kept
     * on 'session' the first time it is seen.
     *
     * For (D)TLS 1.3 the Random has no timestamp prefix. A HelloRetryRequest
     * is only annotated; a ServerHello for a session that offered ECH gets
     * its last 8 Random bytes compared with session->ech_confirmation and
     * an accepted/rejected expert info. A TLS 1.3 ServerHello from drafts
     * before -22 carries no session ID and that part is skipped.
     *
     * Returns the offset after the last dissected field.
     */
    const bool    is_tls13 = (session->version == TLSV1DOT3_VERSION) ||
                             (session->version == DTLSV1DOT3_VERSION);
    const uint8_t draft_version = session->tls13_draft_version;
    proto_item   *random_item;

    if (ssl) {
        StringInfo *rnd = from_server ? &ssl->server_random : &ssl->client_random;

        /* NOTE(review): relies on rnd->data already pointing at a buffer of
         * at least 32 bytes; confirm against where SslDecryptSession is set up. */
        tvb_memcpy(tvb, rnd->data, offset, 32);
        rnd->data_len = 32;
        ssl->state |= from_server ? SSL_SERVER_RANDOM : SSL_CLIENT_RANDOM;
        ssl_debug_printf("%s found %s RANDOM -> state 0x%02X\n", G_STRFUNC,
                         from_server ? "SERVER" : "CLIENT", ssl->state);
    }

    /* first ClientHello random wins; later ones (e.g. after HRR) are ignored */
    if (!from_server && session->client_random.data_len == 0) {
        session->client_random.data_len = 32;
        tvb_memcpy(tvb, session->client_random.data, offset, 32);
    }

    random_item = proto_tree_add_item(tree, hf->hf.hs_random, tvb, offset, 32, ENC_NA);

    if (!is_tls13) {
        /* pre-1.3: gmt_unix_time followed by 28 random bytes */
        proto_tree *random_tree = proto_item_add_subtree(random_item, hf->ett.hs_random);
        proto_tree_add_item(random_tree, hf->hf.hs_random_time,
                            tvb, offset, 4, ENC_TIME_SECS|ENC_BIG_ENDIAN);
        offset += 4;
        proto_tree_add_item(random_tree, hf->hf.hs_random_bytes,
                            tvb, offset, 28, ENC_NA);
        offset += 28;
    } else {
        if (is_hrr) {
            proto_item_append_text(random_item, " (HelloRetryRequest magic)");
        } else if (from_server && session->ech) {
            proto_tree *confirm_tree = proto_item_add_subtree(random_item, hf->ett.hs_random);
            proto_item *confirm_item;

            proto_tree_add_item(confirm_tree, hf->hf.hs_ech_confirm, tvb, offset + 24, 8, ENC_NA);
            confirm_item = proto_tree_add_bytes_with_length(confirm_tree, hf->hf.hs_ech_confirm_compute, tvb, offset + 24, 0,
                                                            session->ech_confirmation, 8);
            proto_item_set_generated(confirm_item);
            if (memcmp(session->ech_confirmation, tvb_get_ptr(tvb, offset+24, 8), 8) == 0) {
                expert_add_info(pinfo, confirm_item, &hf->ei.ech_accepted);
            } else {
                expert_add_info(pinfo, confirm_item, &hf->ei.ech_rejected);
            }
        }

        offset += 32;
    }

    /* No Session ID with TLS 1.3 on Server Hello before draft -22 */
    const bool no_session_id = from_server && session->version == TLSV1DOT3_VERSION &&
                               draft_version > 0 && draft_version < 22;
    if (!no_session_id) {
        uint8_t sessid_length = tvb_get_uint8(tvb, offset);

        proto_tree_add_item(tree, hf->hf.hs_session_id_len,
                            tvb, offset, 1, ENC_BIG_ENDIAN);
        offset++;

        /* Keep the authoritative SID for later use in ChangeCipherSpec.
         * (D)TLS caps the SID at 32 bytes, so larger ones are ignored. To
         * support ECH the SID from the ClientHelloOuter is saved as well. */
        if (ssl && sessid_length <= 32 && (from_server || sessid_length > 0)) {
            tvb_memcpy(tvb, ssl->session_id.data, offset, sessid_length);
            ssl->session_id.data_len = sessid_length;
        }
        if (sessid_length > 0) {
            proto_tree_add_item(tree, hf->hf.hs_session_id,
                                tvb, offset, sessid_length, ENC_NA);
            offset += sessid_length;
        }
    }

    return offset;
}
9470
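static int
ssl_dissect_hnd_hello_ext_status_request(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                                         proto_tree *tree, uint32_t offset, uint32_t offset_end,
                                         bool has_length)
{
    /* TLS 1.2/1.3 status_request Client Hello Extension.
     * TLS 1.2 status_request_v2 CertificateStatusRequestItemV2 type.
     * https://tools.ietf.org/html/rfc6066#section-8 (status_request)
     * https://tools.ietf.org/html/rfc6961#section-2.2 (status_request_v2)
     *  struct {
     *      CertificateStatusType status_type;
     *      uint16 request_length;   // for status_request_v2
     *      select (status_type) {
     *          case ocsp: OCSPStatusRequest;
     *          case ocsp_multi: OCSPStatusRequest;
     *      } request;
     *  } CertificateStatusRequest; // CertificateStatusRequestItemV2
     *
     *  enum { ocsp(1), ocsp_multi(2), (255) } CertificateStatusType;
     *  struct {
     *      ResponderID responder_id_list<0..2^16-1>;
     *      Extensions  request_extensions;
     *  } OCSPStatusRequest;
     *  opaque ResponderID<1..2^16-1>;
     *  opaque Extensions<0..2^16-1>;
     *
     * 'has_length' selects the v2 item form, which carries request_length.
     * In that form the item is bounded by its own request_length rather
     * than by offset_end (the end of the whole list), and the returned
     * offset is resynchronised to the item end. This keeps a
     * status_request_v2 list aligned even when an item has an unknown
     * status_type or when the request body is not fully decoded.
     *
     * Returns the offset after the item; on a malformed vector length the
     * end of the item (or of the extension) is returned.
     */
    unsigned cert_status_type;
    uint32_t item_end = offset_end;

    cert_status_type = tvb_get_uint8(tvb, offset);
    proto_tree_add_item(tree, hf->hf.hs_ext_cert_status_type,
                        tvb, offset, 1, ENC_NA);
    offset++;

    if (has_length) {
        uint32_t request_length;

        /* uint16 request_length: validated against the list end and used
         * as the bound for everything that follows in this item. */
        if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &request_length,
                            hf->hf.hs_ext_cert_status_request_len, 0, UINT16_MAX)) {
            return offset_end;
        }
        offset += 2;
        item_end = offset + request_length;
    }

    switch (cert_status_type) {
    case SSL_HND_CERT_STATUS_TYPE_OCSP:
    case SSL_HND_CERT_STATUS_TYPE_OCSP_MULTI:
    {
        uint32_t responder_id_list_len;
        uint32_t request_extensions_len;

        /* ResponderID responder_id_list<0..2^16-1> */
        if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, item_end, &responder_id_list_len,
                            hf->hf.hs_ext_cert_status_responder_id_list_len, 0, UINT16_MAX)) {
            return item_end;
        }
        offset += 2;
        if (responder_id_list_len != 0) {
            proto_tree_add_expert_format(tree, pinfo, &hf->ei.hs_ext_cert_status_undecoded,
                                         tvb, offset, responder_id_list_len,
                                         "Responder ID list is not implemented, contact Wireshark"
                                         " developers if you want this to be supported");
        }
        offset += responder_id_list_len;

        /* opaque Extensions<0..2^16-1> */
        if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, item_end, &request_extensions_len,
                            hf->hf.hs_ext_cert_status_request_extensions_len, 0, UINT16_MAX)) {
            return item_end;
        }
        offset += 2;
        if (request_extensions_len != 0) {
            proto_tree_add_expert_format(tree, pinfo, &hf->ei.hs_ext_cert_status_undecoded,
                                         tvb, offset, request_extensions_len,
                                         "Request Extensions are not implemented, contact"
                                         " Wireshark developers if you want this to be supported");
        }
        offset += request_extensions_len;
        break;
    }
    default:
        /* Unknown status_type: the request body cannot be decoded. For the
         * v2 form it is skipped via request_length below; for the plain
         * extension the caller sees the remaining bytes as trailing data. */
        break;
    }

    if (has_length) {
        /* Flag any disagreement with request_length and move to the
         * declared item end so the next list item starts in the right place. */
        if (!ssl_end_vector(hf, tvb, pinfo, tree, offset, item_end)) {
            offset = item_end;
        }
    }

    return offset;
}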
9550
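static unsigned
ssl_dissect_hnd_hello_ext_status_request_v2(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                                            proto_tree *tree, uint32_t offset, uint32_t offset_end)
{
    /* status_request_v2 extension, https://tools.ietf.org/html/rfc6961#section-2.2
     *  struct {
     *      CertificateStatusRequestItemV2 certificate_status_req_list<1..2^16-1>;
     *  } CertificateStatusRequestListV2;
     *
     * Each item is handed to ssl_dissect_hnd_hello_ext_status_request with
     * has_length=true. Every call advances the offset by at least the
     * status_type byte, so the loop terminates.
     *
     * Returns the offset after the list; offset_end if the list length is
     * malformed. If the last item overruns or underruns the declared list
     * end, that is flagged and the offset is resynchronised to the list end,
     * matching the other length-prefixed extensions in this file.
     */
    uint32_t req_list_length, next_offset;

    /* CertificateStatusRequestItemV2 certificate_status_req_list<1..2^16-1> */
    if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &req_list_length,
                        hf->hf.hs_ext_cert_status_request_list_len, 1, UINT16_MAX)) {
        return offset_end;
    }
    offset += 2;
    next_offset = offset + req_list_length;

    while (offset < next_offset) {
        offset = ssl_dissect_hnd_hello_ext_status_request(hf, tvb, pinfo, tree, offset, next_offset, true);
    }

    if (!ssl_end_vector(hf, tvb, pinfo, tree, offset, next_offset)) {
        offset = next_offset;
    }

    return offset;
}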
9576
static uint32_t
tls_dissect_ocsp_response(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
                          uint32_t offset, uint32_t offset_end)
{
    /* Dissects one length-prefixed OCSP response:
     *   opaque OCSPResponse<1..2^24-1>;
     *
     * The 3-byte length is validated against offset_end; the body is shown
     * as an "OCSP Response" item and, if the OCSP protocol is enabled,
     * decoded as BER by dissect_ocsp_OCSPResponse.
     *
     * NOTE(review): the ASN.1 decoder is given the full tvb starting at
     * 'offset', so it is bounded by the tvb rather than by response_length;
     * a length-limited subset tvb would confine it to the declared bytes.
     * Verify how other callers of dissect_ocsp_OCSPResponse do this.
     *
     * Returns the offset after the response, or offset_end if the length
     * is malformed.
     */
    uint32_t    response_length;
    proto_item *response_item;
    proto_tree *response_tree;

    if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &response_length,
                        hf->hf.hs_ocsp_response_len, 1, G_MAXUINT24)) {
        return offset_end;
    }
    offset += 3;

    response_item = proto_tree_add_item(tree, proto_ocsp, tvb, offset,
                                        response_length, ENC_BIG_ENDIAN);
    proto_item_set_text(response_item, "OCSP Response");
    response_tree = proto_item_add_subtree(response_item, hf->ett.ocsp_response);

    /* honour "Disable protocol" for OCSP */
    if (proto_is_protocol_enabled(find_protocol_by_id(proto_ocsp))) {
        asn1_ctx_t asn1_ctx;

        asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true, pinfo);
        dissect_ocsp_OCSPResponse(false, tvb, offset, &asn1_ctx, response_tree, -1);
    }

    return offset + response_length;
}
9605
uint32_t
tls_dissect_hnd_certificate_status(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                                   proto_tree *tree, uint32_t offset, uint32_t offset_end)
{
    /* TLS 1.2 "CertificateStatus" handshake message and the TLS 1.3
     * "status_request" Certificate extension share this layout:
     *
     *   struct {
     *       CertificateStatusType status_type;
     *       select (status_type) {
     *           case ocsp:       OCSPResponse;
     *           case ocsp_multi: OCSPResponseList;   // status_request_v2
     *       } response;
     *   } CertificateStatus;
     *   opaque OCSPResponse<1..2^24-1>;
     *   struct {
     *       OCSPResponse ocsp_response_list<1..2^24-1>;
     *   } OCSPResponseList;                          // status_request_v2
     *
     * An unknown status_type consumes only the type byte; the remainder is
     * left for the caller's end-of-vector check.  Returns the offset after
     * the consumed data, or offset_end when a vector length is out of range.
     */
    uint32_t status_type;

    proto_tree_add_item_ret_uint(tree, hf->hf.hs_ext_cert_status_type,
                                 tvb, offset, 1, ENC_BIG_ENDIAN, &status_type);
    offset += 1;

    if (status_type == SSL_HND_CERT_STATUS_TYPE_OCSP) {
        return tls_dissect_ocsp_response(hf, tvb, pinfo, tree, offset, offset_end);
    }

    if (status_type == SSL_HND_CERT_STATUS_TYPE_OCSP_MULTI) {
        uint32_t list_len, list_end;

        /* OCSPResponse ocsp_response_list<1..2^24-1> */
        if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &list_len,
                            hf->hf.hs_ocsp_response_list_len, 1, G_MAXUINT24)) {
            return offset_end;
        }
        offset += 3;
        list_end = offset + list_len;

        /* Each response is bounded by the list end; the helper returns that
         * bound on a length error, so this always terminates. */
        while (offset < list_end) {
            offset = tls_dissect_ocsp_response(hf, tvb, pinfo, tree, offset, list_end);
        }
    }

    return offset;
}
9652
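static unsigned
ssl_dissect_hnd_hello_ext_supported_groups(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                                           proto_tree *tree, uint32_t offset, uint32_t offset_end,
                                           wmem_strbuf_t *ja3)
{
    /* RFC 8446 Section 4.2.7
     *   enum { ..., (0xFFFF) } NamedGroup;
     *   struct {
     *       NamedGroup named_group_list<2..2^16-1>
     *   } NamedGroupList;
     *
     * NOTE: "NamedCurve" (RFC 4492) is renamed to "NamedGroup" (RFC 7919) and
     * the extension itself from "elliptic_curves" to "supported_groups".
     *
     * When ja3 is non-NULL, a ',' followed by the dash-separated decimal group
     * values (GREASE values skipped) is appended to it.
     *
     * Returns the offset after the vector, or offset_end when the vector
     * length is out of range.
     */
    uint32_t groups_length, next_offset;
    proto_tree *groups_tree;
    proto_item *ti;
    const char *ja3_dash = "";

    /* NamedGroup named_group_list<2..2^16-1> */
    if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &groups_length,
                        hf->hf.hs_ext_supported_groups_len, 2, UINT16_MAX)) {
        return offset_end;
    }
    offset += 2;
    next_offset = offset + groups_length;

    ti = proto_tree_add_none_format(tree,
                                    hf->hf.hs_ext_supported_groups,
                                    tvb, offset, groups_length,
                                    "Supported Groups (%d group%s)",
                                    groups_length / 2,
                                    plurality(groups_length/2, "", "s"));

    /* make this a subtree */
    groups_tree = proto_item_add_subtree(ti, hf->ett.hs_ext_groups);

    if (ja3) {
        wmem_strbuf_append_c(ja3, ',');
    }

    /* Walk only the declared vector. ssl_add_vector() has already verified
     * next_offset <= offset_end; bounding the loop by next_offset rather than
     * offset_end keeps any bytes that follow a short vector out of the JA3
     * string, and ssl_end_vector() below reports them as trailing data. */
    while (offset + 2 <= next_offset) {
        uint32_t ext_supported_group;

        proto_tree_add_item_ret_uint(groups_tree, hf->hf.hs_ext_supported_group, tvb, offset, 2,
                                     ENC_BIG_ENDIAN, &ext_supported_group);
        offset += 2;
        if (ja3 && !IS_GREASE_TLS(ext_supported_group)) {
            wmem_strbuf_append_printf(ja3, "%s%i", ja3_dash, ext_supported_group);
            ja3_dash = "-";
        }
    }
    if (!ssl_end_vector(hf, tvb, pinfo, groups_tree, offset, next_offset)) {
        offset = next_offset;
    }

    return offset;
}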
9711
static int
ssl_dissect_hnd_hello_ext_ec_point_formats(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                                           proto_tree *tree, uint32_t offset, wmem_strbuf_t *ja3)
{
    /* ec_point_formats extension: a 1-byte count followed by that many 1-byte
     * point format identifiers.
     *
     * Unlike the other extension parsers here this one receives no offset_end,
     * so a count larger than the extension is only caught by the tvb bounds;
     * presumably the caller has already checked the extension length.
     *
     * When ja3 is non-NULL, ',' and the dash-separated decimal formats are
     * appended to it.  Returns the offset after the last format.
     */
    uint8_t remaining;
    proto_item *formats_item;
    proto_tree *formats_tree;

    remaining = tvb_get_uint8(tvb, offset);
    proto_tree_add_item(tree, hf->hf.hs_ext_ec_point_formats_len,
                        tvb, offset, 1, ENC_BIG_ENDIAN);
    offset += 1;

    formats_item = proto_tree_add_none_format(tree,
                                              hf->hf.hs_ext_ec_point_formats,
                                              tvb, offset, remaining,
                                              "Elliptic curves point formats (%d)",
                                              remaining);
    formats_tree = proto_item_add_subtree(formats_item, hf->ett.hs_ext_curves_point_formats);

    if (ja3) {
        wmem_strbuf_append_c(ja3, ',');
    }

    for (; remaining > 0; remaining--) {
        uint32_t format;

        proto_tree_add_item_ret_uint(formats_tree, hf->hf.hs_ext_ec_point_format, tvb, offset, 1,
                                     ENC_BIG_ENDIAN, &format);
        offset++;
        if (!ja3) {
            continue;
        }
        wmem_strbuf_append_printf(ja3, "%i", format);
        /* A dash only between entries, never after the last one. */
        if (remaining > 1) {
            wmem_strbuf_append_c(ja3, '-');
        }
    }

    return offset;
}
9757
static int
ssl_dissect_hnd_hello_ext_srp(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                              packet_info *pinfo, proto_tree *tree,
                              uint32_t offset, uint32_t next_offset)
{
    /* RFC 5054, Section 2.8.1: opaque srp_I<1..2^8-1>
     *
     * The SRP user name, shown as UTF-8.  Returns the offset after the name,
     * or next_offset when the 1-byte length is out of range.
     */
    uint32_t name_len;

    if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, next_offset, &name_len,
                        hf->hf.hs_ext_srp_len, 1, UINT8_MAX)) {
        return next_offset;
    }
    offset += 1;

    proto_tree_add_item(tree, hf->hf.hs_ext_srp_username,
                        tvb, offset, name_len, ENC_UTF_8|ENC_NA);

    return offset + name_len;
}
9780
static uint32_t
tls_dissect_sct(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
                uint32_t offset, uint32_t offset_end, uint16_t version)
{
    /* RFC 6962, Section 3.2:
     *   enum { v1(0), (255) } Version;
     *   struct { opaque key_id[32]; } LogID;
     *   opaque CtExtensions<0..2^16-1>;
     *   struct {
     *       Version sct_version;
     *       LogID id;
     *       uint64 timestamp;
     *       CtExtensions extensions;
     *       digitally-signed struct { ... };
     *   } SignedCertificateTimestamp;
     *
     * tree is the per-SCT subtree item; the log name is appended to its label.
     * version is the TLS version, forwarded to the signature dissector.
     *
     * Only sct_version 0 (v1) is understood: anything else returns right
     * after the version byte and leaves the rest undissected.  Returns the
     * offset after the signature, or offset_end on a bad extensions length.
     */
    uint32_t version_byte, exts_len;
    uint64_t ts_ms;
    nstime_t ts;
    const char *log_name;

    proto_tree_add_item_ret_uint(tree, hf->hf.sct_sct_version, tvb, offset, 1, ENC_NA, &version_byte);
    offset++;
    if (version_byte != 0) {
        /* TODO expert info about unknown SCT version? */
        return offset;
    }

    proto_tree_add_item(tree, hf->hf.sct_sct_logid, tvb, offset, 32, ENC_BIG_ENDIAN);
    log_name = bytesval_to_str_wmem(pinfo->pool, tvb_get_ptr(tvb, offset, 32), 32, ct_logids, "Unknown Log");
    proto_item_append_text(tree, " (%s)", log_name);
    offset += 32;

    /* Timestamp is milliseconds since the epoch. */
    ts_ms = tvb_get_ntoh64(tvb, offset);
    ts.secs = (time_t)(ts_ms / 1000);
    ts.nsecs = (int)((ts_ms % 1000) * 1000000);
    proto_tree_add_time(tree, hf->hf.sct_sct_timestamp, tvb, offset, 8, &ts);
    offset += 8;

    /* opaque CtExtensions<0..2^16-1> */
    if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &exts_len,
                        hf->hf.sct_sct_extensions_length, 0, UINT16_MAX)) {
        return offset_end;
    }
    offset += 2;
    if (exts_len != 0) {
        proto_tree_add_item(tree, hf->hf.sct_sct_extensions, tvb, offset, exts_len, ENC_BIG_ENDIAN);
        offset += exts_len;
    }

    return ssl_dissect_digitally_signed(hf, tvb, pinfo, tree, offset, offset_end, version,
                                        hf->hf.sct_sct_signature_length,
                                        hf->hf.sct_sct_signature);
}
9835
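uint32_t
tls_dissect_sct_list(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
                     uint32_t offset, uint32_t offset_end, uint16_t version)
{
    /* RFC 6962, Section 3.3:
     *   opaque SerializedSCT<1..2^16-1>;
     *   struct {
     *       SerializedSCT sct_list <1..2^16-1>;
     *   } SignedCertificateTimestampList;
     *
     * Each SerializedSCT gets its own subtree and is dissected by
     * tls_dissect_sct(), bounded by its own declared length.
     *
     * Returns the offset at the end of the declared list (so anything between
     * that and offset_end is reported by the caller's end-of-vector check
     * instead of being parsed as further SCTs), or offset_end when a length
     * is out of range.
     */
    uint32_t list_length, sct_length, list_end, next_offset;
    proto_tree *subtree;

    /* SerializedSCT sct_list <1..2^16-1> */
    if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &list_length,
                        hf->hf.sct_scts_length, 1, UINT16_MAX)) {
        return offset_end;
    }
    offset += 2;
    /* Use the declared list length as the loop bound, like the other vector
     * parsers in this file; ssl_add_vector() has checked list_end <= offset_end. */
    list_end = offset + list_length;

    while (offset < list_end) {
        subtree = proto_tree_add_subtree(tree, tvb, offset, 2, hf->ett.sct, NULL, "Signed Certificate Timestamp");

        /* opaque SerializedSCT<1..2^16-1> */
        if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, list_end, &sct_length,
                            hf->hf.sct_sct_length, 1, UINT16_MAX)) {
            return offset_end;
        }
        offset += 2;
        next_offset = offset + sct_length;
        proto_item_set_len(subtree, 2 + sct_length);
        offset = tls_dissect_sct(hf, tvb, pinfo, subtree, offset, next_offset, version);
        /* Resynchronise on the declared SCT length whether the SCT was
         * under- or over-consumed; the mismatch is flagged on the subtree. */
        if (!ssl_end_vector(hf, tvb, pinfo, subtree, offset, next_offset)) {
            offset = next_offset;
        }
    }

    return offset;
}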
9875
static int
dissect_ech_hpke_cipher_suite(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo _U_,
                              proto_tree *tree, uint32_t offset)
{
    /* HpkeSymmetricCipherSuite { HpkeKdfId kdf_id; HpkeAeadId aead_id; }
     *
     * Four bytes: a 2-byte KDF identifier followed by a 2-byte AEAD
     * identifier, shown as a subtree whose label names both.  Always
     * consumes exactly 4 bytes and returns the offset after them.
     */
    uint32_t kdf, aead;
    proto_item *suite_item;
    proto_tree *suite_tree;

    suite_item = proto_tree_add_item(tree, hf->hf.ech_hpke_keyconfig_cipher_suite,
                                     tvb, offset, 4, ENC_NA);
    suite_tree = proto_item_add_subtree(suite_item, hf->ett.ech_hpke_cipher_suite);

    proto_tree_add_item_ret_uint(suite_tree, hf->hf.ech_hpke_keyconfig_cipher_suite_kdf_id,
                                 tvb, offset, 2, ENC_BIG_ENDIAN, &kdf);
    proto_tree_add_item_ret_uint(suite_tree, hf->hf.ech_hpke_keyconfig_cipher_suite_aead_id,
                                 tvb, offset + 2, 2, ENC_BIG_ENDIAN, &aead);

    proto_item_append_text(suite_item, ": %s/%s",
                           val_to_str_const(kdf, kdf_id_type_vals, "Unknown"),
                           val_to_str_const(aead, aead_id_type_vals, "Unknown"));

    return offset + 4;
}
9900
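static int
dissect_ech_hpke_key_config(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                            proto_tree *tree, uint32_t offset, uint32_t offset_end,
                            uint32_t *config_id)
{
    /* HpkeKeyConfig (draft-ietf-tls-esni):
     *   uint8 config_id;
     *   HpkeKemId kem_id;
     *   HpkePublicKey public_key;                           // opaque <1..2^16-1>
     *   HpkeSymmetricCipherSuite cipher_suites<4..2^16-4>;
     *
     * *config_id receives the config_id byte.  Returns the offset after the
     * key config, or offset_end when a vector length is out of range (the
     * enclosing item is then left open-ended, as the other early returns in
     * this file do).
     */
    uint32_t public_key_length, cipher_suite_length;
    proto_item *kc_ti, *css_ti;
    proto_tree *kc_tree, *css_tree;
    uint32_t original_offset = offset, next_offset;

    kc_ti = proto_tree_add_item(tree, hf->hf.ech_hpke_keyconfig,
                                tvb, offset, -1, ENC_NA);
    kc_tree = proto_item_add_subtree(kc_ti, hf->ett.ech_hpke_keyconfig);

    proto_tree_add_item_ret_uint(kc_tree, hf->hf.ech_hpke_keyconfig_config_id,
                                 tvb, offset, 1, ENC_BIG_ENDIAN, config_id);
    offset += 1;
    proto_tree_add_item(kc_tree, hf->hf.ech_hpke_keyconfig_kem_id,
                        tvb, offset, 2, ENC_BIG_ENDIAN);
    offset += 2;

    /* opaque HpkePublicKey<1..2^16-1>: range-check the length against
     * offset_end (as the cipher_suites vector below already does) instead of
     * relying on the tvb bounds alone to catch an oversized value. */
    if (!ssl_add_vector(hf, tvb, pinfo, kc_tree, offset, offset_end, &public_key_length,
                        hf->hf.ech_hpke_keyconfig_public_key_length, 1, UINT16_MAX)) {
        return offset_end;
    }
    offset += 2;
    proto_tree_add_item(kc_tree, hf->hf.ech_hpke_keyconfig_public_key,
                        tvb, offset, public_key_length, ENC_NA);
    offset += public_key_length;

    /* HpkeSymmetricCipherSuite cipher_suites<4..2^16-4> */
    if (!ssl_add_vector(hf, tvb, pinfo, kc_tree, offset, offset_end, &cipher_suite_length,
                        hf->hf.ech_hpke_keyconfig_cipher_suites_length, 4, UINT16_MAX - 3)) {
        return offset_end;
    }
    offset += 2;
    next_offset = offset + cipher_suite_length;

    css_ti = proto_tree_add_none_format(kc_tree,
                                        hf->hf.ech_hpke_keyconfig_cipher_suites,
                                        tvb, offset, cipher_suite_length,
                                        "Cipher Suites (%d suite%s)",
                                        cipher_suite_length / 4,
                                        plurality(cipher_suite_length / 4, "", "s"));
    css_tree = proto_item_add_subtree(css_ti, hf->ett.ech_hpke_cipher_suites);

    /* Each suite is exactly 4 bytes; a length that is not a multiple of 4
     * leaves a remainder that ssl_end_vector() reports. */
    while (offset + 4 <= next_offset) {
        offset = dissect_ech_hpke_cipher_suite(hf, tvb, pinfo, css_tree, offset);
    }

    if (!ssl_end_vector(hf, tvb, pinfo, css_tree, offset, next_offset)) {
        offset = next_offset;
    }

    proto_item_set_len(kc_ti, offset - original_offset);

    return offset;
}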
9957
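static int
dissect_ech_echconfig_contents(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                               proto_tree *tree, uint32_t offset, uint32_t offset_end,
                               const uint8_t **public_name, uint32_t *config_id)
{
    /* ECHConfigContents (draft-ietf-tls-esni):
     *   HpkeKeyConfig key_config;
     *   uint8 maximum_name_length;
     *   opaque public_name<1..255>;
     *   Extension extensions<0..2^16-1>;
     *
     * *config_id is filled in by the key_config parser.  *public_name is set
     * (pool-allocated) once the public_name field has been read; it is left
     * untouched on the early-error returns below, so callers must treat a
     * NULL *public_name as "not parsed".
     *
     * Returns the offset after the contents, or offset_end on a length error.
     */
    uint32_t public_name_length, extensions_length, next_offset;

    offset = dissect_ech_hpke_key_config(hf, tvb, pinfo, tree, offset, offset_end, config_id);
    if (offset >= offset_end) {
        /* key_config reported a length error (it returns offset_end) or used
         * up the whole config; the remaining mandatory fields cannot fit, so
         * do not read them from whatever follows this config. */
        return offset_end;
    }
    proto_tree_add_item(tree, hf->hf.ech_echconfigcontents_maximum_name_length,
                        tvb, offset, 1, ENC_BIG_ENDIAN);
    offset += 1;

    /* opaque public_name<1..255>: range-check the 1-byte length against
     * offset_end before using it, as the extensions vector below does. */
    if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &public_name_length,
                        hf->hf.ech_echconfigcontents_public_name_length, 1, UINT8_MAX)) {
        return offset_end;
    }
    offset += 1;
    proto_tree_add_item_ret_string(tree, hf->hf.ech_echconfigcontents_public_name,
                                   tvb, offset, public_name_length, ENC_ASCII, pinfo->pool, public_name);
    offset += public_name_length;

    /* Extension extensions<0..2^16-1>; */
    if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &extensions_length,
                        hf->hf.ech_echconfigcontents_extensions_length, 0, UINT16_MAX)) {
        return offset_end;
    }
    offset += 2;
    next_offset = offset + extensions_length;

    /* Extensions are shown as an opaque blob; none are decoded here. */
    if (extensions_length > 0) {
        proto_tree_add_item(tree, hf->hf.ech_echconfigcontents_extensions,
                            tvb, offset, extensions_length, ENC_NA);
    }
    offset += extensions_length;

    if (!ssl_end_vector(hf, tvb, pinfo, tree, offset, next_offset)) {
        offset = next_offset;
    }

    return offset;
}

static int
dissect_ech_echconfig(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                      proto_tree *tree, uint32_t offset, uint32_t offset_end)
{
    /* One ECHConfig:
     *   uint16 version;
     *   uint16 length;              // of the contents that follow
     *   select (version) { case 0xfe0d: ECHConfigContents contents; }
     *
     * Returns the number of bytes this ECHConfig claims (4 + length), which
     * the caller advances by.  The contents parser is bounded by the tighter
     * of the declared length and offset_end; a length that overshoots the
     * list is left for the caller's end-of-vector check to report.
     */
    uint32_t version, length, contents_end;
    proto_item *ech_ti;
    proto_tree *ech_tree;
    const uint8_t *public_name = NULL;
    uint32_t config_id = 0;

    ech_ti = proto_tree_add_item(tree, hf->hf.ech_echconfig, tvb, offset, -1, ENC_NA);
    ech_tree = proto_item_add_subtree(ech_ti, hf->ett.ech_echconfig);

    proto_tree_add_item_ret_uint(ech_tree, hf->hf.ech_echconfig_version,
                                 tvb, offset, 2, ENC_BIG_ENDIAN, &version);
    offset += 2;
    proto_tree_add_item_ret_uint(ech_tree, hf->hf.ech_echconfig_length,
                                 tvb, offset, 2, ENC_BIG_ENDIAN, &length);
    offset += 2;

    proto_item_set_len(ech_ti, 4 + length);

    /* Never let the contents be parsed past this ECHConfig's own declared
     * end, nor past the enclosing list. */
    contents_end = offset + length;
    if (contents_end > offset_end) {
        contents_end = offset_end;
    }

    switch (version) {
    case 0xfe0d:
        dissect_ech_echconfig_contents(hf, tvb, pinfo, ech_tree, offset, contents_end, &public_name, &config_id);
        proto_item_append_text(ech_ti, ": id=%d", config_id);
        /* public_name stays NULL when the contents stopped early on a length
         * error; do not hand a NULL to %s. */
        if (public_name) {
            proto_item_append_text(ech_ti, " %s", public_name);
        }
        break;

    default:
        expert_add_info_format(pinfo, ech_ti, &hf->ei.ech_echconfig_invalid_version, "Unsupported/unknown ECHConfig version 0x%x", version);
        break;
    }

    return 4 + length;
}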
10031
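uint32_t
ssl_dissect_ext_ech_echconfiglist(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                                  proto_tree *tree, uint32_t offset, uint32_t offset_end)
{
    /* ECHConfig ECHConfigList<1..2^16-1>;
     *
     * Each ECHConfig is dissected by dissect_ech_echconfig(), which returns
     * the byte count it claims (always at least its 4-byte header), so the
     * loop makes progress on every iteration.  The list end, not the
     * extension end, is passed down as the bound so that no ECHConfig can be
     * parsed beyond its own list; a declared length that overshoots the list
     * is reported by ssl_end_vector().
     *
     * Returns the offset after the list, or offset_end when the list length
     * is out of range.
     */
    uint32_t echconfiglist_length, next_offset;

    if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &echconfiglist_length,
                        hf->hf.ech_echconfiglist_length, 1, UINT16_MAX)) {
        return offset_end;
    }
    offset += 2;
    next_offset = offset + echconfiglist_length;

    while (offset < next_offset) {
        offset += dissect_ech_echconfig(hf, tvb, pinfo, tree, offset, next_offset);
    }

    if (!ssl_end_vector(hf, tvb, pinfo, tree, offset, next_offset)) {
        offset = next_offset;
    }

    return offset;
}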
10056
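static uint32_t
ssl_dissect_hnd_ech_outer_ext(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
                              uint32_t offset, uint32_t offset_end)
{
    /* ech_outer_extensions extension of a ClientHelloInner:
     *   ExtensionType OuterExtensions<2..254>;
     * i.e. a 1-byte length in bytes followed by 2-byte ExtensionType values.
     *
     * This is the display-only parser; the substitution of these types with
     * the ClientHelloOuter extensions for the transcript is done in
     * ssl_dissect_hnd_hello_ext_ech().
     *
     * NOTE(review): the draft's upper bound is 254; UINT8_MAX is accepted
     * here, so a length of 255 is displayed rather than flagged.
     *
     * Returns the offset after the vector, or offset_end when the length is
     * out of range.
     */
    uint32_t ext_length, next_offset;
    proto_tree *ext_tree;
    proto_item *ti;

    if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &ext_length,
                        hf->hf.hs_ext_ech_outer_ext_len, 2, UINT8_MAX)) {
        return offset_end;
    }
    offset += 1;
    next_offset = offset + ext_length;

    ti = proto_tree_add_none_format(tree,
                                    hf->hf.hs_ext_ech_outer_ext,
                                    tvb, offset, ext_length,
                                    "Outer Extensions (%d extension%s)",
                                    ext_length / 2,
                                    plurality(ext_length/2, "", "s"));

    ext_tree = proto_item_add_subtree(ti, hf->ett.hs_ext);

    /* Bound the loop by the declared vector (ssl_add_vector() has checked
     * next_offset <= offset_end) so that types following a short vector are
     * reported as trailing bytes rather than listed as entries. */
    while (offset + 2 <= next_offset) {
        proto_tree_add_item(ext_tree, hf->hf.hs_ext_type, tvb, offset, 2, ENC_BIG_ENDIAN);
        offset += 2;
    }

    if (!ssl_end_vector(hf, tvb, pinfo, ext_tree, offset, next_offset)) {
        offset = next_offset;
    }

    return offset;
}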
10092
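static uint32_t
// NOLINTNEXTLINE(misc-no-recursion)
ssl_dissect_hnd_hello_ext_ech(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                              proto_tree *tree, uint32_t offset, uint32_t offset_end,
                              uint8_t hnd_type, SslSession *session, SslDecryptSession *ssl, ssl_master_key_map_t *mk_map)
{
    /* encrypted_client_hello extension (draft-ietf-tls-esni), by message:
     *
     *  - ClientHello: ECHClientHello.  For the "outer" variant the fields are
     *    displayed and, when mk_map holds ECH_SECRET and ECH_CONFIG entries
     *    for session->client_random, the payload is decrypted with HPKE, the
     *    ClientHelloInner is added as a data source and dissected by
     *    ssl_dissect_hnd_cli_hello() (presumably the recursion the NOLINT
     *    above refers to; the inner hello is strictly shorter than the
     *    payload that carried it).  With ssl set, the ClientHelloInner
     *    transcript is also reconstructed into ssl->ech_transcript for the
     *    ECH acceptance confirmation.
     *  - EncryptedExtensions: retry_configs, an ECHConfigList.
     *  - HelloRetryRequest: the 8-byte ECH confirmation, compared with the
     *    value precomputed in session->hrr_ech_confirmation when present.
     *
     * tvb must start at the ClientHello body (two version bytes followed by
     * the 32-byte random, without the 4-byte handshake header): the whole tvb
     * is used as AEAD associated data, and the transcript code locates the
     * legacy_session_id at offset 34 and writes the handshake header itself.
     *
     * Returns the offset just past the extension body.  In the ClientHello
     * case a vector length that does not fit in offset_end returns offset_end;
     * any other failure (no keys, unsupported suite, bad tag, ...) leaves the
     * extension displayed undecrypted and returns normally.
     */
    uint32_t ch_type, length;
    proto_item *ti, *payload_ti;
    proto_tree *retry_tree, *payload_tree;
    uint32_t hello_length = tvb_reported_length(tvb);

    switch (hnd_type) {
    case SSL_HND_CLIENT_HELLO:
        /*
         * enum { outer(0), inner(1) } ECHClientHelloType;
         *
         * struct {
         *     ECHClientHelloType type;
         *     select (ECHClientHello.type) {
         *         case outer:
         *             HpkeSymmetricCipherSuite cipher_suite;
         *             uint8 config_id;
         *             opaque enc<0..2^16-1>;
         *             opaque payload<1..2^16-1>;
         *         case inner:
         *             Empty;
         *     };
         * } ECHClientHello;
         */

        proto_tree_add_item_ret_uint(tree, hf->hf.ech_clienthello_type, tvb, offset, 1, ENC_BIG_ENDIAN, &ch_type);
        offset += 1;
        switch (ch_type) {
        case 0: /* outer */
            /* Remember the first frame carrying an outer ECH; it selects the
             * HPKE sequence number and the stored auth tag further down. */
            if (ssl && session->first_ch_ech_frame == 0) {
                session->first_ch_ech_frame = pinfo->num;
            }
            offset = dissect_ech_hpke_cipher_suite(hf, tvb, pinfo, tree, offset);
            /* The helper consumed kdf_id (2 bytes) then aead_id (2 bytes); re-read
             * them here for the key schedule. */
            uint16_t kdf_id = tvb_get_ntohs(tvb, offset - 4);
            uint16_t aead_id = tvb_get_ntohs(tvb, offset - 2);

            proto_tree_add_item(tree, hf->hf.ech_config_id, tvb, offset, 1, ENC_BIG_ENDIAN);
            uint8_t config_id = tvb_get_uint8(tvb, offset);
            offset += 1;

            /* opaque enc<0..2^16-1>: the HPKE encapsulated key.  Both vector
             * lengths are range-checked against offset_end like the other
             * extension vectors in this file. */
            if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &length,
                                hf->hf.ech_enc_length, 0, UINT16_MAX)) {
                return offset_end;
            }
            offset += 2;
            proto_tree_add_item(tree, hf->hf.ech_enc, tvb, offset, length, ENC_NA);
            offset += length;

            /* opaque payload<1..2^16-1>: ciphertext followed by the AEAD tag. */
            if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &length,
                                hf->hf.ech_payload_length, 1, UINT16_MAX)) {
                return offset_end;
            }
            offset += 2;
            payload_ti = proto_tree_add_item(tree, hf->hf.ech_payload, tvb, offset, length, ENC_NA);
            offset += length;

            /* Everything below is decryption; each "break" abandons it and
             * leaves the payload displayed as opaque bytes. */
            if (!mk_map) {
                break;
            }
            if (session->client_random.data_len == 0) {
                ssl_debug_printf("%s missing Client Random\n", G_STRFUNC);
                break;
            }
            StringInfo *ech_secret = (StringInfo *)g_hash_table_lookup(mk_map->ech_secret, &session->client_random);
            StringInfo *ech_config = (StringInfo *)g_hash_table_lookup(mk_map->ech_config, &session->client_random);
            if (!ech_secret || !ech_config) {
                ssl_debug_printf("%s Cannot find ECH_SECRET or ECH_CONFIG, Encrypted Client Hello decryption impossible\n",
                                 G_STRFUNC);
                break;
            }

            if (hpke_hkdf_len(kdf_id) == 0) {
                ssl_debug_printf("Unsupported KDF\n");
                break;
            }

            if (hpke_aead_key_len(aead_id) == 0) {
                ssl_debug_printf("Unsupported AEAD\n");
                break;
            }

            size_t aead_nonce_len = hpke_aead_nonce_len(aead_id);

            unsigned aead_auth_tag_len = hpke_aead_auth_tag_len(aead_id);
            if (length < aead_auth_tag_len) {
                ssl_debug_printf("Encrypted payload length %u < Cipher suite authentication tag length %u.\n", length, aead_auth_tag_len);
                break;
            }
            unsigned decrypted_len = length - aead_auth_tag_len;

            /* ECH_CONFIG comes from the key log and is parsed below up to and
             * including the 2-byte kem_id at offset 5, so it needs at least 7
             * bytes; reject a shorter entry instead of reading past it. */
            if (ech_config->data_len < 7) {
                ssl_debug_printf("Malformed ECH Config, too short\n");
                break;
            }
            uint16_t version = pntohu16(ech_config->data);
            if (version != SSL_HND_HELLO_EXT_ENCRYPTED_CLIENT_HELLO) {
                ssl_debug_printf("Unexpected version in ECH Config\n");
                break;
            }
            uint32_t ech_config_offset = 2;
            if (pntohu16(&ech_config->data[ech_config_offset]) != ech_config->data_len - 4) {
                ssl_debug_printf("Malformed ECH Config, invalid length\n");
                break;
            }
            ech_config_offset += 2;
            /* The config must be the one the client named in config_id. */
            if (*(ech_config->data + ech_config_offset) != config_id) {
                ssl_debug_printf("ECH Config config_id mismatch\n");
                break;
            }
            ech_config_offset += 1;
            uint16_t kem_id = pntohu16(&ech_config->data[ech_config_offset]);
            uint8_t suite_id[HPKE_SUIT_ID_LEN];
            hpke_suite_id(kem_id, kdf_id, aead_id, suite_id);
            /* HPKE info = "tls ech" || 0x00 || ECHConfig; the 8 covers the NUL. */
            GByteArray *info = g_byte_array_new();
            g_byte_array_append(info, (const uint8_t*)"tls ech", 8);
            g_byte_array_append(info, ech_config->data, ech_config->data_len);
            uint8_t key[AEAD_MAX_KEY_LENGTH];
            uint8_t base_nonce[HPKE_AEAD_NONCE_LENGTH];
            if (hpke_key_schedule(kdf_id, aead_id, ech_secret->data, ech_secret->data_len, suite_id, info->data, info->len, HPKE_MODE_BASE,
                                  key, base_nonce)) {
                g_byte_array_free(info, TRUE);
                break;
            }
            g_byte_array_free(info, TRUE);
            /* Start from NULL so the close below is a no-op if hpke_setup_aead()
             * fails before it assigns the handle. */
            gcry_cipher_hd_t cipher = NULL;
            /* The second hpke_set_nonce() argument is presumably the HPKE
             * sequence number: 0 for the first ClientHello, 1 for the one sent
             * after a HelloRetryRequest unless ECH was declined -- confirm. */
            if (hpke_setup_aead(&cipher, aead_id, key) ||
                hpke_set_nonce(cipher, !session->hrr_ech_declined && pinfo->num > session->first_ch_ech_frame, base_nonce, aead_nonce_len)) {
                gcry_cipher_close(cipher);
                break;
            }
            const uint8_t *payload = tvb_get_ptr(tvb, offset - length, length);
            /* AAD is the whole ClientHelloOuter with the payload bytes zeroed
             * (presumably the draft's ClientHelloOuterAAD).  The buffer is not
             * pool-managed, so it is freed on both exits. */
            uint8_t *ech_aad = (uint8_t *)wmem_alloc(NULL, hello_length);
            tvb_memcpy(tvb, ech_aad, 0, hello_length);
            memset(ech_aad + offset - length, 0, length);
            if (gcry_cipher_authenticate(cipher, ech_aad, hello_length)) {
                gcry_cipher_close(cipher);
                wmem_free(NULL, ech_aad);
                break;
            }
            wmem_free(NULL, ech_aad);
            /* Packet-scoped: the decrypted data backs ech_tvb for this packet. */
            uint8_t *ech_decrypted_data = (uint8_t *)wmem_alloc(pinfo->pool, decrypted_len);
            if (gcry_cipher_decrypt(cipher, ech_decrypted_data, decrypted_len, payload, decrypted_len)) {
                gcry_cipher_close(cipher);
                break;
            }
            unsigned char *ech_auth_tag_calc = wmem_alloc0(pinfo->pool, aead_auth_tag_len);
            if (gcry_cipher_gettag(cipher, ech_auth_tag_calc, aead_auth_tag_len)) {
                gcry_cipher_close(cipher);
                break;
            }
            /* Remember the tag of the first ECH ClientHello (assumes
             * first_ech_auth_tag can hold any supported tag length -- confirm
             * against the struct). */
            if (ssl && !session->hrr_ech_declined && session->first_ch_ech_frame == pinfo->num)
                memcpy(session->first_ech_auth_tag, ech_auth_tag_calc, aead_auth_tag_len);
            gcry_cipher_close(cipher);
            /* The first frame is checked against the stored tag, later frames
             * against the freshly computed one.  memcmp() is fine here: this is
             * a passive dissector that already holds the secret. */
            if (memcmp(pinfo->num > session->first_ch_ech_frame ? ech_auth_tag_calc : session->first_ech_auth_tag,
                       payload + decrypted_len, aead_auth_tag_len)) {
                ssl_debug_printf("%s ECH auth tag mismatch\n", G_STRFUNC);
            } else {
                payload_tree = proto_item_add_subtree(payload_ti, hf->ett.ech_decrypt);
                tvbuff_t *ech_tvb = tvb_new_child_real_data(tvb, ech_decrypted_data, decrypted_len, decrypted_len);
                add_new_data_source(pinfo, ech_tvb, "Client Hello Inner");
                if (ssl) {
                    /* Note the Outer Client Random for Inject TLS Secrets */
                    tls_save_crandom(ssl, mk_map);

                    /* From here on the session uses the inner hello's random
                     * (assumes client_random.data already holds a 32-byte
                     * buffer from the outer hello -- confirm). */
                    tvb_memcpy(ech_tvb, ssl->client_random.data, 2, 32);

                    /* Rebuild ClientHelloInner from the EncodedClientHelloInner:
                     * the outer's legacy_session_id is inserted and the
                     * ech_outer_extensions extension is expanded with copies
                     * of the named ClientHelloOuter extensions.  Growing the
                     * transcript by hello_length + 4 is sufficient because
                     * every copied byte comes from a distinct region of either
                     * the decrypted payload (shorter than the outer hello) or
                     * the outer hello itself: outer_offset below only moves
                     * forward, so no outer extension is copied twice, and the
                     * ECH extension (which contains the payload) is refused. */
                    uint32_t len_offset = ssl->ech_transcript.data_len;
                    if (ssl->ech_transcript.data_len > 0)
                        ssl->ech_transcript.data = (unsigned char*)wmem_realloc(wmem_file_scope(), ssl->ech_transcript.data,
                                                                                 ssl->ech_transcript.data_len + hello_length + 4);
                    else
                        ssl->ech_transcript.data = (unsigned char*)wmem_alloc(wmem_file_scope(), hello_length + 4);
                    /* Handshake header: type, then a 3-byte length whose low two
                     * bytes are filled in at the end. */
                    ssl->ech_transcript.data[ssl->ech_transcript.data_len] = SSL_HND_CLIENT_HELLO;
                    ssl->ech_transcript.data[ssl->ech_transcript.data_len + 1] = 0;
                    /* Copy ClientHelloInner up to the legacy_session_id field. */
                    tvb_memcpy(ech_tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len + 4, 0, 34);
                    ssl->ech_transcript.data_len += 38;
                    /* Now copy the legacy_session_id field from ClientHelloOuter. */
                    ssl->ech_transcript.data[ssl->ech_transcript.data_len] = ssl->session_id.data_len;
                    ssl->ech_transcript.data_len++;
                    memcpy(&ssl->ech_transcript.data[ssl->ech_transcript.data_len], ssl->session_id.data, ssl->session_id.data_len);
                    ssl->ech_transcript.data_len += ssl->session_id.data_len;
                    /* Skip past the legacy_session_id field in ClientHelloInner
                     * (which should be the empty string, i.e. just a 0 size.) */
                    uint32_t ech_offset = 35 + tvb_get_uint8(ech_tvb, 34);
                    /* Copy the Cipher Suites from ClientHelloInner. */
                    tvb_memcpy(ech_tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len, ech_offset,
                               2 + tvb_get_ntohs(ech_tvb, ech_offset));
                    ssl->ech_transcript.data_len += 2 + tvb_get_ntohs(ech_tvb, ech_offset);
                    ech_offset += 2 + tvb_get_ntohs(ech_tvb, ech_offset);
                    /* Copy the Compression Methods */
                    tvb_memcpy(ech_tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len, ech_offset,
                               1 + tvb_get_uint8(ech_tvb, ech_offset));
                    ssl->ech_transcript.data_len += 1 + tvb_get_uint8(ech_tvb, ech_offset);
                    ech_offset += 1 + tvb_get_uint8(ech_tvb, ech_offset);
                    /* Now replace extensions in ech_outer_extensions with the
                     * data from ClientHelloOuter. */
                    uint32_t ech_extensions_len_offset = ssl->ech_transcript.data_len;
                    ssl->ech_transcript.data_len += 2;
                    uint32_t extensions_end = ech_offset + tvb_get_ntohs(ech_tvb, ech_offset) + 2;
                    ech_offset += 2;
                    /* Written as ech_offset + 4 <= extensions_end rather than
                     * extensions_end - ech_offset >= 4: both are uint32_t, and an
                     * ext_len that pushes ech_offset past extensions_end would
                     * otherwise wrap the subtraction and keep the loop running
                     * into the inner hello's padding. */
                    while (ech_offset + 4 <= extensions_end) {
                        uint16_t ext_type = tvb_get_ntohs(ech_tvb, ech_offset);
                        ech_offset += 2;
                        uint16_t ext_len = tvb_get_ntohs(ech_tvb, ech_offset);
                        ech_offset += 2;
                        /* Where this extension ends in ClientHelloInner, regardless
                         * of how much of its body the branches below consume. */
                        uint32_t next_ext_offset = ech_offset + ext_len;
                        if (ext_type != SSL_HND_HELLO_EXT_ECH_OUTER_EXTENSIONS) {
                            /* Copy this extension directly */
                            tvb_memcpy(ech_tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len,
                                       ech_offset - 4, 4 + ext_len);
                            ssl->ech_transcript.data_len += 4 + ext_len;
                        } else if (ext_len > 0) {
                            /* OuterExtensions<2..254>: a 1-byte length in bytes, then
                             * 2-byte ExtensionType values naming the ClientHelloOuter
                             * extensions to splice in, in order. */
                            unsigned ech_outer_extensions_len = tvb_get_uint8(ech_tvb, ech_offset);
                            ech_offset += 1;
                            uint32_t ech_outer_extensions_end = ech_offset + ech_outer_extensions_len;
                            if (ech_outer_extensions_end > next_ext_offset) {
                                /* The list claims more than its extension holds;
                                 * never read the types from the next extension. */
                                ech_outer_extensions_end = next_ext_offset;
                            }
                            /* In ClientHelloOuter, skip past the legacy_session_id */
                            uint32_t outer_offset = 35 + tvb_get_uint8(tvb, 34);
                            /* Skip past Cipher Suites */
                            outer_offset += tvb_get_ntohs(tvb, outer_offset) + 2;
                            /* Skip past Compression Methods */
                            outer_offset += tvb_get_uint8(tvb, outer_offset) + 3;
                            /* Now at the start of ClientHelloOuter's extensions */
                            while (ech_offset + 2 <= ech_outer_extensions_end) {
                                ext_type = tvb_get_ntohs(ech_tvb, ech_offset);
                                if (ext_type == SSL_HND_HELLO_EXT_ENCRYPTED_CLIENT_HELLO) {
                                    ssl_debug_printf("Illegal parameter; encrypted_client_hello cannot appear within ech_outer_extensions\n");
                                    /* This could lead to a buffer overflow by
                                     * making the post-copying ClientHelloInner
                                     * longer than ClientHelloOuter and is
                                     * illegal, so don't copy. */
                                    break;
                                }
                                bool found = false;
                                /* Outer extensions are scanned forward only, so each
                                 * one can be referenced at most once and in order. */
                                while (tvb_reported_length_remaining(tvb, outer_offset) >= 4) {
                                    uint16_t outer_ext_type = tvb_get_ntohs(tvb, outer_offset);
                                    uint16_t outer_ext_len = tvb_get_ntohs(tvb, outer_offset + 2);
                                    if (ext_type == outer_ext_type) {
                                        tvb_memcpy(tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len, outer_offset,
                                                   4 + outer_ext_len);
                                        ssl->ech_transcript.data_len += 4 + outer_ext_len;
                                        outer_offset += 4 + outer_ext_len;
                                        found = true;
                                        break;
                                    } else {
                                        outer_offset += 4 + outer_ext_len;
                                    }
                                }
                                if (!found) {
                                    ssl_debug_printf("Extension %s was not found in ClientHelloOuter (possibly out of order or referenced more than once)\n", val_to_str(pinfo->pool, ext_type, tls_hello_extension_types, "unknown (0x%02x)"));
                                }
                                ech_offset += 2;
                            }
                        }
                        /* Resynchronise on the declared extension length so an
                         * odd-sized or truncated OuterExtensions list cannot
                         * misalign the parsing of the following extensions. */
                        ech_offset = next_ext_offset;
                    }
                    uint16_t ech_extensions_len = ssl->ech_transcript.data_len - ech_extensions_len_offset - 2;
                    phtonu16(&ssl->ech_transcript.data[ech_extensions_len_offset], ech_extensions_len);
                    phtonu16(&ssl->ech_transcript.data[len_offset + 2], ssl->ech_transcript.data_len - len_offset - 4);
                }
                uint32_t ech_padding_begin = (uint32_t)ssl_dissect_hnd_cli_hello(hf, ech_tvb, pinfo, payload_tree, 0, decrypted_len, session,
                                                                                ssl, NULL, mk_map);
                /* Whatever the inner ClientHello did not consume is its padding. */
                if (ech_padding_begin < decrypted_len) {
                    proto_tree_add_item(payload_tree, hf->hf.ech_padding_data, ech_tvb, ech_padding_begin, decrypted_len - ech_padding_begin,
                                        ENC_NA);
                }
            }

            break;
        case 1: /* inner */
            /* Empty body: nothing to dissect. */
            break;
        }
        break;

    case SSL_HND_ENCRYPTED_EXTENSIONS:
        /*
         * struct {
         *     ECHConfigList retry_configs;
         * } ECHEncryptedExtensions;
         */

        ti = proto_tree_add_item(tree, hf->hf.ech_retry_configs, tvb, offset, offset_end - offset, ENC_NA);
        retry_tree = proto_item_add_subtree(ti, hf->ett.ech_retry_configs);
        offset = ssl_dissect_ext_ech_echconfiglist(hf, tvb, pinfo, retry_tree, offset, offset_end);
        break;

    case SSL_HND_HELLO_RETRY_REQUEST:
        /*
         * struct {
         *     opaque confirmation[8];
         * } ECHHelloRetryRequest;
         */

        proto_tree_add_item(tree, hf->hf.ech_confirmation, tvb, offset, 8, ENC_NA);
        if (session->ech) {
            /* Show the locally computed confirmation as a generated item and
             * flag whether the server accepted or rejected ECH. */
            ti = proto_tree_add_bytes_with_length(tree, hf->hf.hs_ech_confirm_compute, tvb, offset, 0, session->hrr_ech_confirmation, 8);
            proto_item_set_generated(ti);
            if (memcmp(session->hrr_ech_confirmation, tvb_get_ptr(tvb, offset, 8), 8)) {
                expert_add_info(pinfo, ti, &hf->ei.ech_rejected);
            } else {
                expert_add_info(pinfo, ti, &hf->ei.ech_accepted);
            }
        }
        offset += 8;
        break;
    }

    return offset;
}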
10393
static uint32_t
ssl_dissect_hnd_hello_ext_esni(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                               proto_tree *tree, uint32_t offset, uint32_t offset_end,
                               uint8_t hnd_type, SslDecryptSession *ssl _U_)
{
    /* Legacy encrypted_server_name extension (the ESNI drafts that preceded
     * ECH).  Display only; nothing is decrypted, which is why ssl is unused.
     *
     * ClientHello:
     *   struct {
     *       CipherSuite suite;
     *       KeyShareEntry key_share;
     *       opaque record_digest<0..2^16-1>;
     *       opaque encrypted_sni<0..2^16-1>;
     *   } ClientEncryptedSNI;
     * EncryptedExtensions: a 16-byte nonce.
     * Any other message type consumes nothing.
     *
     * Returns the offset after the parsed fields, or offset_end when a
     * vector length is out of range.
     */
    uint32_t digest_len, sni_len;

    if (hnd_type == SSL_HND_ENCRYPTED_EXTENSIONS) {
        proto_tree_add_item(tree, hf->hf.esni_nonce, tvb, offset, 16, ENC_NA);
        return offset + 16;
    }
    if (hnd_type != SSL_HND_CLIENT_HELLO) {
        return offset;
    }

    proto_tree_add_item(tree, hf->hf.esni_suite, tvb, offset, 2, ENC_BIG_ENDIAN);
    offset += 2;
    offset = ssl_dissect_hnd_hello_ext_key_share_entry(hf, tvb, pinfo, tree, offset, offset_end, NULL);

    /* opaque record_digest<0..2^16-1> */
    if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &digest_len,
                        hf->hf.esni_record_digest_length, 0, UINT16_MAX)) {
        return offset_end;
    }
    offset += 2;
    if (digest_len != 0) {
        proto_tree_add_item(tree, hf->hf.esni_record_digest, tvb, offset, digest_len, ENC_NA);
        offset += digest_len;
    }

    /* opaque encrypted_sni<0..2^16-1> */
    if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &sni_len,
                        hf->hf.esni_encrypted_sni_length, 0, UINT16_MAX)) {
        return offset_end;
    }
    offset += 2;
    if (sni_len != 0) {
        proto_tree_add_item(tree, hf->hf.esni_encrypted_sni, tvb, offset, sni_len, ENC_NA);
        offset += sni_len;
    }

    return offset;
}
10446/** TLS Extensions (in Client Hello and Server Hello). }}} */
10447
10448/* Connection ID dissection. {{{ */
static uint32_t
ssl_dissect_ext_connection_id(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                              proto_tree *tree, uint32_t offset, SslDecryptSession *ssl,
                              uint8_t cidl, uint8_t **session_cid, uint8_t *session_cidl)
{
    /*
     * Dissect one connection_id extension body (RFC 9146): a one-byte length,
     * already read by the caller as cidl, followed by cidl bytes of CID.
     * The CID is copied into file-scope memory on the first pass only, so the
     * decrypt session can later be found by CID; later passes only build the
     * tree. Returns the offset just past the CID bytes.
     */
    bool first_pass = !PINFO_FD_VISITED(pinfo);

    if (first_pass && cidl > 0) {
        /* throw on a truncated packet before anything is allocated */
        tvb_ensure_bytes_exist(tvb, offset + 1, cidl);
        uint8_t *cid = (uint8_t *)wmem_alloc0(wmem_file_scope(), cidl);
        tvb_memcpy(tvb, cid, offset + 1, cidl);
        *session_cidl = cidl;
        *session_cid = cid;
        if (ssl) {
            ssl_add_session_by_cid(ssl);
        }
    }

    proto_tree_add_item(tree, hf->hf.hs_ext_connection_id_length,
                        tvb, offset, 1, ENC_NA);
    offset++;

    if (cidl > 0) {
        proto_tree_add_item(tree, hf->hf.hs_ext_connection_id,
                            tvb, offset, cidl, ENC_NA);
        offset += cidl;
    }

    return offset;
}
10477
static uint32_t
ssl_dissect_hnd_hello_ext_connection_id(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                                        proto_tree *tree, uint32_t offset, uint8_t hnd_type,
                                        SslSession *session, SslDecryptSession *ssl)
{
    /*
     * Route the connection_id extension to the client or server slot of the
     * session, depending on which Hello carries it. The length byte is read
     * up front (throwing on a truncated packet) regardless of hnd_type; for
     * any other handshake type nothing is dissected and offset is returned.
     */
    uint8_t   cidl = tvb_get_uint8(tvb, offset);
    uint8_t **cid_slot;
    uint8_t  *cidl_slot;

    switch (hnd_type) {
    case SSL_HND_CLIENT_HELLO:
        session->client_cid_len_present = true;
        cid_slot = &session->client_cid;
        cidl_slot = &session->client_cid_len;
        break;
    case SSL_HND_SERVER_HELLO:
        session->server_cid_len_present = true;
        cid_slot = &session->server_cid;
        cidl_slot = &session->server_cid_len;
        break;
    default:
        return offset;
    }

    return ssl_dissect_ext_connection_id(hf, tvb, pinfo, tree, offset, ssl,
                                         cidl, cid_slot, cidl_slot);
} /* }}} */
10498
10499/* Trusted CA dissection. {{{ */
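/**
 * Dissect the trusted_ca_keys extension (RFC 6066, Section 6).
 *
 * Returns the offset just past the extension body. On a malformed outer
 * length vector the helper has already reported it and offset_end is
 * returned; on a malformed DistinguishedName vector the end of the list
 * (next_offset) is returned.
 */
static uint32_t
ssl_dissect_hnd_hello_ext_trusted_ca_keys(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
                                          uint32_t offset, uint32_t offset_end)
{
    proto_item *ti;
    proto_tree *subtree;
    uint32_t    keys_length, next_offset;

    /*
     * struct {
     *     TrustedAuthority trusted_authorities_list<0..2^16-1>;
     * } TrustedAuthorities;
     *
     * struct {
     *     IdentifierType identifier_type;
     *     select (identifier_type) {
     *         case pre_agreed: struct {};
     *         case key_sha1_hash: SHA1Hash;
     *         case x509_name: DistinguishedName;
     *         case cert_sha1_hash: SHA1Hash;
     *     } identifier;
     * } TrustedAuthority;
     *
     * enum {
     *     pre_agreed(0), key_sha1_hash(1), x509_name(2),
     *     cert_sha1_hash(3), (255)
     * } IdentifierType;
     *
     * opaque DistinguishedName<1..2^16-1>;
     */

    /* TrustedAuthority trusted_authorities_list<0..2^16-1> */
    if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &keys_length, hf->hf.hs_ext_trusted_ca_keys_len,
                        0, UINT16_MAX)) {
        return offset_end;
    }
    offset += 2;
    next_offset = offset + keys_length;

    if (keys_length > 0) {
        ti = proto_tree_add_none_format(tree, hf->hf.hs_ext_trusted_ca_keys_list, tvb, offset, keys_length,
                                        "Trusted CA keys (%d byte%s)", keys_length, plurality(keys_length, "", "s"));
        subtree = proto_item_add_subtree(ti, hf->ett.hs_ext_trusted_ca_keys);

        while (offset < next_offset) {
            uint32_t    identifier_type;
            proto_tree *trusted_key_tree;
            proto_item *trusted_key_item;
            /* number of bytes following the one-byte identifier_type */
            uint32_t    key_len = 0;

            identifier_type = tvb_get_uint8(tvb, offset);

            /* Length 0 for now; it is fixed up once the identifier is decoded. */
            trusted_key_item = proto_tree_add_none_format(subtree, hf->hf.hs_ext_trusted_ca_key, tvb,
                                                          offset, 0, "Trusted CA Key");
            trusted_key_tree = proto_item_add_subtree(trusted_key_item, hf->ett.hs_ext_trusted_ca_key);

            proto_tree_add_uint(trusted_key_tree, hf->hf.hs_ext_trusted_ca_key_type, tvb,
                                offset, 1, identifier_type);
            offset++;

            switch (identifier_type) {
            case 0:
                /* pre_agreed: no identifier follows */
                key_len = 0;
                break;

            case 2: {
                /* x509_name: opaque DistinguishedName<1..2^16-1> */
                asn1_ctx_t asn1_ctx;
                uint32_t   name_length;

                if (!ssl_add_vector(hf, tvb, pinfo, trusted_key_tree, offset, next_offset, &name_length,
                                    hf->hf.hs_ext_trusted_ca_key_dname_len, 1, UINT16_MAX)) {
                    return next_offset;
                }
                asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true, pinfo);
                /* Confine the BER decoder to the declared name bytes so an
                 * over-long DER length cannot consume the following entries. */
                tvbuff_t *name_tvb = tvb_new_subset_length(tvb, offset + 2, name_length);
                dissect_x509if_DistinguishedName(false, name_tvb, 0, &asn1_ctx,
                                                 trusted_key_tree, hf->hf.hs_ext_trusted_ca_key_dname);
                /* two-byte length prefix plus the name itself */
                key_len = 2 + name_length;
                break;
            }

            case 1:
            case 3:
                /* key_sha1_hash / cert_sha1_hash: opaque SHA1Hash[20] */
                key_len = 20;
                proto_tree_add_item(trusted_key_tree, hf->hf.hs_ext_trusted_ca_key_hash, tvb,
                                    offset, 20, ENC_NA);
                break;

            default:
                /* Unknown identifier_type: its size is unknown, so only the
                 * type byte is consumed; ssl_end_vector reports any leftover. */
                key_len = 0;
                /*TODO display expert info about unknown ? */
                break;
            }
            /* the item covers the type byte and every identifier byte consumed,
             * for the variable-length x509_name case as well */
            proto_item_set_len(trusted_key_item, 1 + key_len);
            offset += key_len;
        }
    }

    if (!ssl_end_vector(hf, tvb, pinfo, tree, offset, next_offset)) {
        offset = next_offset;
    }

    return offset;
} /* }}} */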
10618
10619
10620/* Whether the Content and Handshake Types are valid; handle Protocol Version. {{{ */
bool
ssl_is_valid_content_type(uint8_t type)
{
    /* True for every record-layer ContentType this dissector understands. */
    bool known = false;

    /* No default branch, presumably so that a new enumerator missing here
     * trips the compiler's unhandled-enum-value warning instead of being
     * silently reported as invalid. */
    switch ((ContentType) type) {
    case SSL_ID_CHG_CIPHER_SPEC:
    case SSL_ID_ALERT:
    case SSL_ID_HANDSHAKE:
    case SSL_ID_APP_DATA:
    case SSL_ID_HEARTBEAT:
    case SSL_ID_TLS12_CID:
    case SSL_ID_DTLS13_ACK:
        known = true;
        break;
    }
    return known;
}
10636
bool
ssl_is_valid_handshake_type(uint8_t hs_type, bool is_dtls)
{
    /*
     * True for every HandshakeType that may appear on the wire for this
     * protocol: hello_verify_request only exists in DTLS, and message_hash
     * is a synthetic transcript-only message (RFC 8446, Section 4.4.1) that
     * is never sent.
     */
    bool valid = false;

    switch ((HandshakeType) hs_type) {
    case SSL_HND_HELLO_VERIFY_REQUEST:
        valid = is_dtls;
        break;

    case SSL_HND_MESSAGE_HASH:
        valid = false;
        break;

    case SSL_HND_HELLO_REQUEST:
    case SSL_HND_CLIENT_HELLO:
    case SSL_HND_SERVER_HELLO:
    case SSL_HND_NEWSESSION_TICKET:
    case SSL_HND_END_OF_EARLY_DATA:
    case SSL_HND_HELLO_RETRY_REQUEST:
    case SSL_HND_ENCRYPTED_EXTENSIONS:
    case SSL_HND_CERTIFICATE:
    case SSL_HND_SERVER_KEY_EXCHG:
    case SSL_HND_CERT_REQUEST:
    case SSL_HND_SVR_HELLO_DONE:
    case SSL_HND_CERT_VERIFY:
    case SSL_HND_CLIENT_KEY_EXCHG:
    case SSL_HND_FINISHED:
    case SSL_HND_CERT_URL:
    case SSL_HND_CERT_STATUS:
    case SSL_HND_SUPPLEMENTAL_DATA:
    case SSL_HND_KEY_UPDATE:
    case SSL_HND_COMPRESSED_CERTIFICATE:
    case SSL_HND_ENCRYPTED_EXTS:
        valid = true;
        break;
    }
    return valid;
}
10671
static bool
ssl_is_authoritative_version_message(uint8_t content_type, uint8_t handshake_type,
                                     bool is_dtls)
{
    /*
     * A record's version field is only trusted for valid Handshake messages
     * other than ClientHello, and for every other valid (non-Handshake)
     * record type.
     */
    if (content_type == SSL_ID_HANDSHAKE) {
        return handshake_type != SSL_HND_CLIENT_HELLO &&
               ssl_is_valid_handshake_type(handshake_type, is_dtls);
    }
    return ssl_is_valid_content_type(content_type);
}
10684
/**
 * Scan a Server Hello handshake message for the negotiated version. For TLS 1.3
 * draft 22 and newer, it also checks whether it is a HelloRetryRequest.
 * Returns true if the supported_versions extension was found, false if not.
 *
 * server_version always receives the wire version field; it is replaced by
 * the selected version when a two-byte supported_versions extension exists.
 * is_hrr may be NULL; otherwise it is always written.
 */
bool
tls_scan_server_hello(tvbuff_t *tvb, uint32_t offset, uint32_t offset_end,
                      uint16_t *server_version, bool *is_hrr)
{
    /* SHA256("HelloRetryRequest") */
    static const uint8_t tls13_hrr_random_magic[] = {
        0xcf, 0x21, 0xad, 0x74, 0xe5, 0x9a, 0x61, 0x11, 0xbe, 0x1d, 0x8c, 0x02, 0x1e, 0x65, 0xb8, 0x91,
        0xc2, 0xa2, 0x11, 0x16, 0x7a, 0xbb, 0x8c, 0x5e, 0x07, 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c
    };

    *server_version = tvb_get_ntohs(tvb, offset);

    /*
     * Try to look for supported_versions extension. Minimum length:
     * 2 + 32 + 1 = 35 (version, random, session id length)
     * 2 + 1 + 2 = 5 (cipher suite, compression method, extensions length)
     * 2 + 2 + 2 = 6 (ext type, ext len, version)
     *
     * We only check for the [legacy_]version field to be [D]TLS 1.2; if it's 1.3,
     * there's a separate expert info warning for that.
     */
    bool claims_12 = (*server_version == TLSV1DOT2_VERSION || *server_version == DTLSV1DOT2_VERSION);
    if (!claims_12 || offset_end - offset < 46) {
        if (is_hrr) {
            *is_hrr = false;
        }
        return false;
    }

    /* legacy_version, then random (compared against the HRR magic) */
    offset += 2;
    if (is_hrr) {
        *is_hrr = tvb_memeql(tvb, offset, tls13_hrr_random_magic, sizeof tls13_hrr_random_magic) == 0;
    }
    offset += 32;

    /* session_id, then cipher suite (2), compression (1), extensions length (2) */
    uint8_t session_id_length = tvb_get_uint8(tvb, offset);
    offset++;
    if (offset_end - offset < session_id_length + 5u) {
        return false;
    }
    offset += session_id_length + 5;

    /* walk the extension list, stopping at supported_versions */
    while (offset_end - offset >= 6) {
        uint16_t ext_type = tvb_get_ntohs(tvb, offset);
        uint16_t ext_len = tvb_get_ntohs(tvb, offset + 2);
        if (offset_end - offset < 4u + ext_len) {
            break; /* not enough data for type, length and data */
        }
        if (ext_type == SSL_HND_HELLO_EXT_SUPPORTED_VERSIONS) {
            if (ext_len == 2) {
                *server_version = tvb_get_ntohs(tvb, offset + 4);
            }
            return true;
        }
        offset += 4 + ext_len;
    }
    return false;
}
10746
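/**
 * Scan a Client Hello handshake message to see if the supported_versions
 * extension is found, in which case the version field is legacy_version.
 *
 * Only [D]TLS 1.2 legacy_version values are considered (a literal 1.3 value
 * gets a separate expert info). Every length read from the packet is checked
 * against offset_end before it is skipped, so a truncated or malformed Hello
 * yields false rather than an out-of-range read.
 *
 * @return true if a supported_versions extension is present.
 */
static bool
tls_scan_client_hello(tvbuff_t *tvb, uint32_t offset, uint32_t offset_end)
{
    uint16_t client_version = tvb_get_ntohs(tvb, offset);

    /*
     * Minimum length before the extension list can even start:
     *   2 + 32 + 1 = 35 (version, random, session id length)
     *   2 + 2 + 1 + 1 + 2 = 8 (cipher suites length and one suite,
     *                          compression methods length and one method,
     *                          extensions length)
     *   2 + 2 + 2 = 6 (ext type, ext len, version)
     * The 46-byte threshold mirrors the ServerHello scan; the per-field
     * checks below reject anything shorter.
     *
     * We only check for the [legacy_]version field to be [D]TLS 1.2; if it's 1.3,
     * there's a separate expert info warning for that.
     */
    if (!(client_version == TLSV1DOT2_VERSION || client_version == DTLSV1DOT2_VERSION) ||
        offset_end - offset < 46) {
        return false;
    }

    offset += 2;    /* legacy_version */
    offset += 32;   /* random */
    uint8_t session_id_length = tvb_get_uint8(tvb, offset);
    offset++;
    if (offset_end - offset < session_id_length + 2u) {
        return false;
    }
    offset += session_id_length;

    if (client_version == DTLSV1DOT2_VERSION) {
        /* opaque cookie<0..32> (DTLS only): the cookie bytes must be
         * skipped, or cipher_suites_length is read out of the cookie */
        uint8_t cookie_length = tvb_get_uint8(tvb, offset);
        offset++;
        if (offset_end - offset < cookie_length + 2u) {
            return false;
        }
        offset += cookie_length;
    }

    uint16_t cipher_suites_length = tvb_get_ntohs(tvb, offset);
    offset += 2;
    if (offset_end - offset < cipher_suites_length + 1u) {
        return false;
    }
    offset += cipher_suites_length;

    uint8_t compression_methods_length = tvb_get_uint8(tvb, offset);
    offset++;
    if (offset_end - offset < compression_methods_length + 2u) {
        return false;
    }
    /* compression methods, then the two-byte extensions length */
    offset += compression_methods_length + 2;

    while (offset_end - offset >= 6) {
        uint16_t ext_type = tvb_get_ntohs(tvb, offset);
        uint16_t ext_len = tvb_get_ntohs(tvb, offset + 2);
        if (offset_end - offset < 4u + ext_len) {
            break; /* not enough data for type, length and data */
        }
        if (ext_type == SSL_HND_HELLO_EXT_SUPPORTED_VERSIONS) {
            return true;
        }
        offset += 4 + ext_len;
    }
    return false;
}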
void
ssl_try_set_version(SslSession *session, SslDecryptSession *ssl,
                    uint8_t content_type, uint8_t handshake_type,
                    bool is_dtls, uint16_t version)
{
    /*
     * Record the protocol version announced by an authoritative message (see
     * ssl_is_authoritative_version_message) on the session. When a decrypt
     * session exists, its SSL_VERSION state bit is set as well. Unknown
     * versions and non-authoritative messages change nothing.
     */
    uint8_t tls13_draft = 0;

    if (!ssl_is_authoritative_version_message(content_type, handshake_type, is_dtls)) {
        return;
    }

    uint16_t resolved = tls_try_get_version(is_dtls, version, &tls13_draft);
    if (resolved == SSL_VER_UNKNOWN) {
        return;
    }

    session->version = resolved;
    session->tls13_draft_version = tls13_draft;

    if (ssl == NULL) {
        return;
    }
    ssl->state |= SSL_VERSION;
    ssl_debug_printf("%s found version 0x%04X -> state 0x%02X\n", G_STRFUNC, resolved, ssl->state);
}
10833
void
ssl_check_record_length(ssl_common_dissect_t *hf, packet_info *pinfo,
                        ContentType content_type,
                        unsigned record_length, proto_item *length_pi,
                        uint16_t version, tvbuff_t *decrypted_tvb)
{
    /*
     * Attach expert info to the record length item when the record breaks the
     * size rules of its version: a zero-length Handshake, Alert or
     * ChangeCipherSpec fragment, ciphertext longer than 2^14 plus the allowed
     * expansion, or (when decrypted) plaintext longer than 2^14.
     */

    /* TLS 1.3 (RFC 8446, Section 5.2) allows 2^14 + 256 bytes of
     * TLSCiphertext; RFC 5246, Section 6.2.3 allows 2^14 + 2048 before that.
     * NOTE(review): RFC 9147 gives DTLS 1.3 the same 256-byte bound; whether a
     * DTLS 1.3 version value ever reaches this check is not visible here. */
    const unsigned max_expansion = (version == TLSV1DOT3_VERSION) ? 256 : 2048;

    /*
     * RFC 5246 (TLS 1.2), Section 6.2.1 forbids zero-length Handshake, Alert
     * and ChangeCipherSpec.
     * RFC 6520 (Heartbeats) does not mention zero-length Heartbeat fragments,
     * so assume it is permitted.
     * RFC 6347 (DTLS 1.2) does not mention zero-length fragments either, so
     * assume TLS 1.2 requirements.
     */
    const bool zero_length_forbidden = (content_type == SSL_ID_CHG_CIPHER_SPEC ||
                                        content_type == SSL_ID_ALERT ||
                                        content_type == SSL_ID_HANDSHAKE);
    if (record_length == 0 && zero_length_forbidden) {
        expert_add_info_format(pinfo, length_pi, &hf->ei.record_length_invalid,
                               "Zero-length %s fragments are not allowed",
                               val_to_str_const(content_type, ssl_31_content_type, "unknown"));
    }

    if (record_length > TLS_MAX_RECORD_LENGTH + max_expansion) {
        expert_add_info_format(pinfo, length_pi, &hf->ei.record_length_invalid,
                               "TLSCiphertext length MUST NOT exceed 2^14 + %u", max_expansion);
    }

    if (decrypted_tvb != NULL && tvb_captured_length(decrypted_tvb) > TLS_MAX_RECORD_LENGTH) {
        expert_add_info_format(pinfo, length_pi, &hf->ei.record_length_invalid,
                               "TLSPlaintext length MUST NOT exceed 2^14");
    }
}
10873
static void
ssl_set_cipher(SslDecryptSession *ssl, uint16_t cipher)
{
    /*
     * Record the server-selected cipher suite on the decrypt session. The
     * SSL_CIPHER state bit is set only when the suite is known and usable for
     * the session's version; otherwise cipher_suite is cleared so the delayed
     * decoder init has nothing to work with.
     */
    ssl->session.cipher = cipher;

    const SslCipherSuite *cs = ssl_find_cipher(cipher);
    if (cs == NULL) {
        ssl_debug_printf("%s can't find cipher suite 0x%04X\n", G_STRFUNC, cipher);
    } else if (ssl->session.version == SSLV3_VERSION && cs->dig != DIG_MD5 && cs->dig != DIG_SHA) {
        /* A malicious packet capture contains a SSL 3.0 session using a TLS 1.2
         * cipher suite that uses for example MACAlgorithm SHA256. Reject that
         * to avoid a potential buffer overflow in ssl3_check_mac. */
        ssl_debug_printf("%s invalid SSL 3.0 cipher suite 0x%04X\n", G_STRFUNC, cipher);
        cs = NULL;
    }

    if (cs == NULL) {
        ssl->cipher_suite = NULL;
        ssl->state &= ~SSL_CIPHER;
        return;
    }

    /* Cipher found, save this for the delayed decoder init */
    ssl->cipher_suite = cs;
    ssl->state |= SSL_CIPHER;
    ssl_debug_printf("%s found CIPHER 0x%04X %s -> state 0x%02X\n", G_STRFUNC, cipher,
                     val_to_str_ext_const(cipher, &ssl_31_ciphersuite_ext, "unknown"),
                     ssl->state);
}
10901/* }}} */
10902
10903
10904/* Client Hello and Server Hello dissections. {{{ */
/* Forward declaration: ssl_dissect_hnd_cli_hello (below) dissects the
 * ClientHello extension list through this function, which is defined
 * elsewhere in this file. It returns the offset just past the extension
 * block and fills in the JA3 string buffer and JA4 data it is handed. */
static int
ssl_dissect_hnd_extension(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree,
                          packet_info* pinfo, uint32_t offset, uint32_t offset_end, uint8_t hnd_type,
                          SslSession *session, SslDecryptSession *ssl,
                          bool is_dtls, wmem_strbuf_t *ja3, ja4_data_t *ja4_data,
                          ssl_master_key_map_t *mk_map);
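/* Append every entry of a JA4 value list as a 4-digit hex number, separated
 * by commas. An empty list appends nothing. */
static void
ssl_ja4_append_hex_list(wmem_strbuf_t *buf, wmem_list_t *list)
{
    unsigned           count = wmem_list_count(list);
    wmem_list_frame_t *entry = wmem_list_head(list);

    for (unsigned i = 0; i < count; i++) {
        wmem_strbuf_append_printf(buf, "%04x", GPOINTER_TO_UINT(wmem_list_frame_data(entry)));
        if (i + 1 < count) {
            wmem_strbuf_append(buf, ",");
        }
        entry = wmem_list_frame_next(entry);
    }
}

/* Return the first 12 hex digits of SHA-256(raw), or twelve zeros when raw
 * is empty (the JA4 convention). The result is allocated from pool. */
static char *
ssl_ja4_hash12(wmem_allocator_t *pool, wmem_strbuf_t *raw)
{
    char *digest;

    if (wmem_strbuf_get_len(raw) == 0) {
        digest = g_strdup("000000000000");
    } else {
        digest = g_compute_checksum_for_string(G_CHECKSUM_SHA256, wmem_strbuf_get_str(raw), -1);
    }
    char *truncated = wmem_strndup(pool, digest, 12);
    g_free(digest);
    return truncated;
}

int
// NOLINTNEXTLINE(misc-no-recursion)
ssl_dissect_hnd_cli_hello(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                          packet_info *pinfo, proto_tree *tree, uint32_t offset,
                          uint32_t offset_end, SslSession *session,
                          SslDecryptSession *ssl, dtls_hfs_t *dtls_hfs, ssl_master_key_map_t *mk_map)
{
    /* struct {
     *     ProtocolVersion client_version;
     *     Random random;
     *     SessionID session_id;
     *     opaque cookie<0..32>;                  //new field for DTLS
     *     CipherSuite cipher_suites<2..2^16-1>;
     *     CompressionMethod compression_methods<1..2^8-1>;
     *     Extension client_hello_extension_list<0..2^16-1>;
     * } ClientHello;
     *
     * Dissects the ClientHello body in [offset, offset_end) of tvb and adds
     * the JA3 and JA4 client fingerprints as generated items. The work is
     * done on a subset tvb so every internal offset is relative to the start
     * of the hello; all return values are translated back into tvb offsets,
     * including the early returns taken when a length vector is malformed.
     * dtls_hfs is non-NULL for DTLS, which adds the cookie field.
     */
    proto_item    *item;
    proto_tree    *list_tree;
    uint32_t       client_version;
    uint32_t       cipher_suite_length;
    uint32_t       compression_methods_length;
    uint32_t       next_offset;
    const uint32_t initial_offset = offset;
    wmem_strbuf_t *ja3 = wmem_strbuf_new(pinfo->pool, "");
    const char    *ja3_sep = "";
    ja4_data_t     ja4_data;
    wmem_strbuf_t *ja4_a  = wmem_strbuf_new(pinfo->pool, "");
    wmem_strbuf_t *ja4_br = wmem_strbuf_new(pinfo->pool, "");
    wmem_strbuf_t *ja4_cr = wmem_strbuf_new(pinfo->pool, "");

    DISSECTOR_ASSERT_CMPINT(initial_offset, <=, offset_end);
    tvbuff_t *hello_tvb = tvb_new_subset_length(tvb, initial_offset, offset_end - initial_offset);
    offset = 0;
    offset_end = tvb_reported_length(hello_tvb);

    ja4_data.max_version = 0;
    ja4_data.server_name_present = false;
    ja4_data.num_cipher_suites = 0;
    ja4_data.num_extensions = 0;
    ja4_data.alpn = wmem_strbuf_new(pinfo->pool, "");
    ja4_data.cipher_list = wmem_list_new(pinfo->pool);
    ja4_data.extension_list = wmem_list_new(pinfo->pool);
    ja4_data.sighash_list = wmem_list_new(pinfo->pool);

    /* client_version; flagged as legacy_version when supported_versions is present */
    item = proto_tree_add_item_ret_uint(tree, hf->hf.hs_client_version, hello_tvb,
                                        offset, 2, ENC_BIG_ENDIAN, &client_version);
    if (tls_scan_client_hello(hello_tvb, offset, offset_end)) {
        expert_add_info(pinfo, item, &hf->ei.legacy_version);
    }
    offset += 2;
    wmem_strbuf_append_printf(ja3, "%i,", client_version);

    /*
     * TLS and DTLS 1.3 Client Hellos claim to be 1.2 here and mention 1.3 in
     * an extension (RFC 8446 section 4.1.2 "Client Hello", RFC 9147 Section
     * 5.3 "Client Hello"), so a literal 1.3 value is an error.
     */
    const uint32_t forbidden_version = (dtls_hfs != NULL) ? DTLSV1DOT3_VERSION : TLSV1DOT3_VERSION;
    if (client_version == forbidden_version) {
        /* Don't do that. */
        expert_add_info(pinfo, item, &hf->ei.client_version_error);
    }

    /* random and session_id are shared with ServerHello */
    offset = ssl_dissect_hnd_hello_common(hf, hello_tvb, pinfo, tree, offset, session, ssl, false, false);

    /* opaque cookie<0..32> (for DTLS only) */
    if (dtls_hfs != NULL) {
        uint32_t cookie_length;
        if (!ssl_add_vector(hf, hello_tvb, pinfo, tree, offset, offset_end, &cookie_length,
                            dtls_hfs->hf_dtls_handshake_cookie_len, 0, 32)) {
            return initial_offset + offset;
        }
        offset++;
        if (cookie_length > 0) {
            proto_tree_add_item(tree, dtls_hfs->hf_dtls_handshake_cookie,
                                hello_tvb, offset, cookie_length, ENC_NA);
            offset += cookie_length;
        }
    }

    /* CipherSuite cipher_suites<2..2^16-1> */
    if (!ssl_add_vector(hf, hello_tvb, pinfo, tree, offset, offset_end, &cipher_suite_length,
                        hf->hf.hs_cipher_suites_len, 2, UINT16_MAX)) {
        return initial_offset + offset;
    }
    offset += 2;
    next_offset = offset + cipher_suite_length;
    item = proto_tree_add_none_format(tree,
                                      hf->hf.hs_cipher_suites,
                                      hello_tvb, offset, cipher_suite_length,
                                      "Cipher Suites (%d suite%s)",
                                      cipher_suite_length / 2,
                                      plurality(cipher_suite_length/2, "", "s"));
    list_tree = proto_item_add_subtree(item, hf->ett.cipher_suites);
    while (offset + 2 <= next_offset) {
        uint32_t cipher_suite;

        proto_tree_add_item_ret_uint(list_tree, hf->hf.hs_cipher_suite, hello_tvb, offset, 2,
                                     ENC_BIG_ENDIAN, &cipher_suite);
        offset += 2;
        /* GREASE values (RFC 8701) are left out of both fingerprints */
        if (IS_GREASE_TLS(cipher_suite)) {
            continue;
        }
        wmem_strbuf_append_printf(ja3, "%s%i", ja3_sep, cipher_suite);
        ja3_sep = "-";
        ja4_data.num_cipher_suites += 1;
        wmem_list_insert_sorted(ja4_data.cipher_list, GUINT_TO_POINTER(cipher_suite), wmem_compare_uint);
    }
    wmem_strbuf_append_c(ja3, ',');
    if (!ssl_end_vector(hf, hello_tvb, pinfo, list_tree, offset, next_offset)) {
        offset = next_offset;
    }

    /* CompressionMethod compression_methods<1..2^8-1> */
    if (!ssl_add_vector(hf, hello_tvb, pinfo, tree, offset, offset_end, &compression_methods_length,
                        hf->hf.hs_comp_methods_len, 1, UINT8_MAX)) {
        return initial_offset + offset;
    }
    offset++;
    next_offset = offset + compression_methods_length;
    item = proto_tree_add_none_format(tree,
                                      hf->hf.hs_comp_methods,
                                      hello_tvb, offset, compression_methods_length,
                                      "Compression Methods (%u method%s)",
                                      compression_methods_length,
                                      plurality(compression_methods_length, "", "s"));
    list_tree = proto_item_add_subtree(item, hf->ett.comp_methods);
    while (offset < next_offset) {
        uint8_t compression_method = tvb_get_uint8(hello_tvb, offset);
        /* TODO: make reserved/private comp meth. fields selectable */
        if (compression_method < 64) {
            proto_tree_add_uint(list_tree, hf->hf.hs_comp_method,
                                hello_tvb, offset, 1, compression_method);
        } else if (compression_method < 193) {
            proto_tree_add_uint_format_value(list_tree, hf->hf.hs_comp_method, hello_tvb, offset, 1,
                                             compression_method, "Reserved - to be assigned by IANA (%u)",
                                             compression_method);
        } else {
            proto_tree_add_uint_format_value(list_tree, hf->hf.hs_comp_method, hello_tvb, offset, 1,
                                             compression_method, "Private use range (%u)",
                                             compression_method);
        }
        offset++;
    }

    /* SSL v3.0 has no extensions, so length field can indeed be missing. */
    if (offset < offset_end) {
        offset = ssl_dissect_hnd_extension(hf, hello_tvb, tree, pinfo, offset,
                                           offset_end, SSL_HND_CLIENT_HELLO,
                                           session, ssl, dtls_hfs != NULL, ja3, &ja4_data, mk_map);
        /* JA4 uses the highest version offered in supported_versions when present */
        if (ja4_data.max_version > 0) {
            client_version = ja4_data.max_version;
        }
    } else {
        wmem_strbuf_append_printf(ja3, ",,");
    }

    /* JA4_a: transport, version, SNI indicator, capped counts, ALPN */
    if (proto_is_frame_protocol(pinfo->layers,"tcp")) {
        wmem_strbuf_append(ja4_a, "t");
    } else if (proto_is_frame_protocol(pinfo->layers,"quic")) {
        wmem_strbuf_append(ja4_a, "q");
    } else if (proto_is_frame_protocol(pinfo->layers,"dtls")) {
        wmem_strbuf_append(ja4_a, "d");
    }
    wmem_strbuf_append_printf(ja4_a, "%s", val_to_str_const(client_version, ssl_version_ja4_names, "00"));
    wmem_strbuf_append_printf(ja4_a, "%s", ja4_data.server_name_present ? "d" : "i");
    if (ja4_data.num_cipher_suites > 99) {
        wmem_strbuf_append(ja4_a, "99");
    } else {
        wmem_strbuf_append_printf(ja4_a, "%02d", ja4_data.num_cipher_suites);
    }
    if (ja4_data.num_extensions > 99) {
        wmem_strbuf_append(ja4_a, "99");
    } else {
        wmem_strbuf_append_printf(ja4_a, "%02d", ja4_data.num_extensions);
    }
    if (wmem_strbuf_get_len(ja4_data.alpn) > 0 ) {
        wmem_strbuf_append_printf(ja4_a, "%s", wmem_strbuf_get_str(ja4_data.alpn));
    } else {
        wmem_strbuf_append(ja4_a, "00");
    }

    /* JA4_b: sorted cipher suites. JA4_c: sorted extensions, then "_" and the
     * signature algorithms when any were seen. */
    ssl_ja4_append_hex_list(ja4_br, ja4_data.cipher_list);
    ssl_ja4_append_hex_list(ja4_cr, ja4_data.extension_list);
    if (wmem_list_count(ja4_data.sighash_list) > 0) {
        wmem_strbuf_append(ja4_cr, "_");
        ssl_ja4_append_hex_list(ja4_cr, ja4_data.sighash_list);
    }

    char *ja4_b = ssl_ja4_hash12(pinfo->pool, ja4_br);
    char *ja4_c = ssl_ja4_hash12(pinfo->pool, ja4_cr);
    char *ja4   = wmem_strdup_printf(pinfo->pool, "%s_%s_%s", wmem_strbuf_get_str(ja4_a), ja4_b, ja4_c);
    char *ja4_r = wmem_strdup_printf(pinfo->pool, "%s_%s_%s", wmem_strbuf_get_str(ja4_a),
                                     wmem_strbuf_get_str(ja4_br), wmem_strbuf_get_str(ja4_cr));

    item = proto_tree_add_string(tree, hf->hf.hs_ja4, hello_tvb, offset, 0, ja4);
    proto_item_set_generated(item);
    item = proto_tree_add_string(tree, hf->hf.hs_ja4_r, hello_tvb, offset, 0, ja4_r);
    proto_item_set_generated(item);

    /* JA3: MD5 of the comma-separated string built above and in the
     * extension dissector */
    char *ja3_hash = g_compute_checksum_for_string(G_CHECKSUM_MD5, wmem_strbuf_get_str(ja3),
                                                   wmem_strbuf_get_len(ja3));
    item = proto_tree_add_string(tree, hf->hf.hs_ja3_full, hello_tvb, offset, 0, wmem_strbuf_get_str(ja3));
    proto_item_set_generated(item);
    item = proto_tree_add_string(tree, hf->hf.hs_ja3_hash, hello_tvb, offset, 0, ja3_hash);
    proto_item_set_generated(item);
    g_free(ja3_hash);

    return initial_offset + offset;
}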
11171
/*
 * Dissect a ServerHello, or (is_hrr set) the ServerHello-shaped
 * HelloRetryRequest used from TLS 1.3 draft -22 on.
 *
 * hf/tvb/pinfo/tree: dissector context; offset..offset_end bounds the
 * handshake body. session is updated (is_session_resumed). When ssl is
 * non-NULL the selected cipher suite and compression method are stored for
 * decryption and, if an ECH transcript was collected from the ClientHello,
 * the ECH accept confirmation is verified. is_dtls selects which 1.3
 * version number is treated as an error in the legacy version field.
 *
 * Side effects: adds the JA3S string and its MD5 hash as generated items.
 */
11172void
11173ssl_dissect_hnd_srv_hello(ssl_common_dissect_t *hf, tvbuff_t *tvb,
11174 packet_info* pinfo, proto_tree *tree, uint32_t offset, uint32_t offset_end,
11175 SslSession *session, SslDecryptSession *ssl,
11176 bool_Bool is_dtls, bool_Bool is_hrr)
11177{
11178 /* struct {
11179 * ProtocolVersion server_version;
11180 * Random random;
11181 * SessionID session_id; // TLS 1.2 and before
11182 * CipherSuite cipher_suite;
11183 * CompressionMethod compression_method; // TLS 1.2 and before
11184 * Extension server_hello_extension_list<0..2^16-1>;
11185 * } ServerHello;
11186 */
11187 uint8_t draft_version = session->tls13_draft_version;
11188 proto_item *ti;
11189 uint32_t server_version;
11190 uint32_t cipher_suite;
 /* Start of the message body; needed later to copy the whole message into
  * the ECH transcript and to locate the random. */
11191 uint32_t initial_offset = offset;
 /* JA3S fingerprint input: "version,cipher,extensions" built up below. */
11192 wmem_strbuf_t *ja3 = wmem_strbuf_new(pinfo->pool, "");
11193 char *ja3_hash;
11194
11195 col_set_str(pinfo->cinfo, COL_PROTOCOL,
11196 val_to_str_const(session->version, ssl_version_short_names, "SSL"));
11197
11198 /* Initially assume that the session is resumed. If this is not the case, a
11199 * ServerHelloDone will be observed before the ChangeCipherSpec message
11200 * which will reset this flag. */
11201 session->is_session_resumed = true1;
11202
11203 /* show the server version */
11204 ti = proto_tree_add_item_ret_uint(tree, hf->hf.hs_server_version, tvb,
11205 offset, 2, ENC_BIG_ENDIAN0x00000000, &server_version);
11206
 /* Flag the legacy_version field when the scan finds a (presumably
  * supported_versions-derived) negotiated version elsewhere in the message. */
11207 uint16_t supported_server_version;
11208 if (tls_scan_server_hello(tvb, offset, offset_end, &supported_server_version, NULL((void*)0))) {
11209 expert_add_info(pinfo, ti, &hf->ei.legacy_version);
11210 }
11211 /*
11212 * Is it version 1.3?
11213 * If so, that's an error; TLS and DTLS 1.3 Server Hellos claim
11214 * to be TLS 1.2, and mention 1.3 in an extension. See RFC 8446
11215 * section 4.1.3 "Server Hello" and RFC 9147 Section 5.4 "Server
11216 * Hello".
11217 */
11218 if (is_dtls) {
11219 if (server_version == DTLSV1DOT3_VERSION0xfefc) {
11220 /* Don't do that. */
11221 expert_add_info(pinfo, ti, &hf->ei.server_version_error);
11222 }
11223 } else {
11224 if (server_version == TLSV1DOT3_VERSION0x304) {
11225 /* Don't do that. */
11226 expert_add_info(pinfo, ti, &hf->ei.server_version_error);
11227 }
11228 }
11229
11230 offset += 2;
11231 wmem_strbuf_append_printf(ja3, "%i", server_version);
11232
11233 /* dissect fields that are present in both ClientHello and ServerHello */
11234 offset = ssl_dissect_hnd_hello_common(hf, tvb, pinfo, tree, offset, session, ssl, true1, is_hrr);
11235
11236 if (ssl) {
11237 /* store selected cipher suite for decryption */
11238 ssl_set_cipher(ssl, tvb_get_ntohs(tvb, offset));
11239 }
11240
11241 /* now the server-selected cipher suite */
11242 proto_tree_add_item_ret_uint(tree, hf->hf.hs_cipher_suite,
11243 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &cipher_suite);
11244 offset += 2;
11245 wmem_strbuf_append_printf(ja3, ",%i,", cipher_suite);
11246
11247 /* No compression with TLS 1.3 before draft -22 */
11248 if (!(session->version == TLSV1DOT3_VERSION0x304 && draft_version > 0 && draft_version < 22)) {
11249 if (ssl) {
11250 /* store selected compression method for decryption */
11251 ssl->session.compression = tvb_get_uint8(tvb, offset);
11252 }
11253 /* and the server-selected compression method */
11254 proto_tree_add_item(tree, hf->hf.hs_comp_method,
11255 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
11256 offset++;
11257 }
11258
11259 /* SSL v3.0 has no extensions, so length field can indeed be missing. */
11260 if (offset < offset_end) {
11261 offset = ssl_dissect_hnd_extension(hf, tvb, tree, pinfo, offset,
11262 offset_end,
11263 is_hrr ? SSL_HND_HELLO_RETRY_REQUEST : SSL_HND_SERVER_HELLO,
11264 session, ssl, is_dtls, ja3, NULL((void*)0), NULL((void*)0));
11265 }
11266
 /* Encrypted Client Hello (ECH) accept confirmation. Only attempted when an
  * ECH transcript was accumulated from the ClientHello, the cipher suite is
  * already known (it determines the hash algorithm) and a client random is
  * available. */
11267 if (ssl && ssl->ech_transcript.data_len > 0 && (ssl->state & SSL_CIPHER(1<<2)) && ssl->client_random.data_len > 0) {
11268 int hash_algo = ssl_get_digest_by_name(ssl_cipher_suite_dig(ssl->cipher_suite)->name);
11269 if (hash_algo) {
11270 SSL_MDgcry_md_hd_t mc;
11271 unsigned char transcript_hash[DIGEST_MAX_SIZE48];
11272 unsigned char prk[DIGEST_MAX_SIZE48];
11273 unsigned char *ech_verify_out = NULL((void*)0);
11274 unsigned int len;
11275 ssl_md_init(&mc, hash_algo);
11276 ssl_md_update(&mc, ssl->ech_transcript.data, ssl->ech_transcript.data_len);
 /* HRR: per RFC 8446 Section 4.4.1 the ClientHello in the transcript is
  * replaced by a synthetic message_hash handshake message (type, 3-byte
  * length, Hash(ClientHello)); the buffer is reallocated to hold that
  * message plus this HRR with its 4-byte handshake header, and the
  * running hash is restarted over the synthetic message. */
11277 if (is_hrr) {
11278 ssl_md_final(&mc, transcript_hash, &len);
11279 ssl_md_cleanup(&mc);
11280 wmem_free(wmem_file_scope(), ssl->ech_transcript.data);
11281 ssl->ech_transcript.data_len = 4 + len;
11282 ssl->ech_transcript.data = (unsigned char*)wmem_alloc(wmem_file_scope(), 4 + len + 4 + offset_end - initial_offset);
11283 ssl->ech_transcript.data[0] = SSL_HND_MESSAGE_HASH;
11284 ssl->ech_transcript.data[1] = 0;
11285 ssl->ech_transcript.data[2] = 0;
11286 ssl->ech_transcript.data[3] = len;
11287 memcpy(ssl->ech_transcript.data + 4, transcript_hash, len);
11288 ssl_md_init(&mc, hash_algo);
11289 ssl_md_update(&mc, ssl->ech_transcript.data, 4 + len);
11290 } else {
 /* ServerHello: grow the transcript to append this message (with header). */
11291 ssl->ech_transcript.data = wmem_realloc(wmem_file_scope(), ssl->ech_transcript.data,
11292 ssl->ech_transcript.data_len + 4 + offset_end - initial_offset);
11293 }
 /* Append this message to the stored transcript. When the handshake header
  * precedes the body in tvb (initial_offset > 4) it is copied along with
  * it; otherwise a header is rebuilt from the body length. The running
  * hash covers header + version + random (38 bytes) for an HRR, but only
  * header + version + the first 24 random bytes (30) for a ServerHello:
  * the remaining 8 random bytes carry the confirmation and are hashed as
  * zeros below. */
11294 if (initial_offset > 4) {
11295 tvb_memcpy(tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len, initial_offset - 4,
11296 4 + offset_end - initial_offset);
11297 if (is_hrr)
11298 ssl_md_update(&mc, tvb_get_ptr(tvb, initial_offset-4, 38), 38);
11299 else
11300 ssl_md_update(&mc, tvb_get_ptr(tvb, initial_offset-4, 30), 30);
11301 } else {
11302 uint8_t prefix[4] = {SSL_HND_SERVER_HELLO, 0x00, 0x00, 0x00};
11303 prefix[2] = ((offset - initial_offset) >> 8);
11304 prefix[3] = (offset - initial_offset) & 0xff;
11305 memcpy(ssl->ech_transcript.data + ssl->ech_transcript.data_len, prefix, 4);
11306 tvb_memcpy(tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len + 4, initial_offset,
11307 offset_end - initial_offset);
11308 ssl_md_update(&mc, prefix, 4);
11309 if (is_hrr)
11310 ssl_md_update(&mc, tvb_get_ptr(tvb, initial_offset, 34), 34);
11311 else
11312 ssl_md_update(&mc, tvb_get_ptr(tvb, initial_offset, 26), 26);
11313 }
11314 ssl->ech_transcript.data_len += 4 + offset_end - initial_offset;
 /* The confirmation bytes themselves are hashed as zeros. In a ServerHello
  * they are the last 8 bytes of random (initial_offset + 26); in an HRR
  * they are the 8-byte payload of the encrypted_client_hello extension,
  * found by walking session_id, cipher suite + compression (3 bytes) and
  * the extension list, hashing everything else verbatim. */
11315 uint8_t zeros[8] = { 0 };
11316 uint32_t confirmation_offset = initial_offset + 26;
11317 if (is_hrr) {
11318 uint32_t hrr_offset = initial_offset + 34;
11319 ssl_md_update(&mc, tvb_get_ptr(tvb, hrr_offset,
11320 tvb_get_uint8(tvb, hrr_offset) + 1), tvb_get_uint8(tvb, hrr_offset) + 1);
11321 hrr_offset += tvb_get_uint8(tvb, hrr_offset) + 1;
11322 ssl_md_update(&mc, tvb_get_ptr(tvb, hrr_offset, 3), 3);
11323 hrr_offset += 3;
11324 uint32_t extensions_end = hrr_offset + tvb_get_ntohs(tvb, hrr_offset) + 2;
11325 ssl_md_update(&mc, tvb_get_ptr(tvb, hrr_offset, 2), 2);
11326 hrr_offset += 2;
11327 while (extensions_end - hrr_offset >= 4) {
11328 if (tvb_get_ntohs(tvb, hrr_offset) == SSL_HND_HELLO_EXT_ENCRYPTED_CLIENT_HELLO65037 &&
11329 tvb_get_ntohs(tvb, hrr_offset + 2) == 8) {
11330 confirmation_offset = hrr_offset + 4;
11331 ssl_md_update(&mc, tvb_get_ptr(tvb, hrr_offset, 4), 4);
11332 ssl_md_update(&mc, zeros, 8);
11333 hrr_offset += 12;
11334 } else {
11335 ssl_md_update(&mc, tvb_get_ptr(tvb, hrr_offset, tvb_get_ntohs(tvb, hrr_offset + 2) + 4),
11336 tvb_get_ntohs(tvb, hrr_offset + 2) + 4);
11337 hrr_offset += tvb_get_ntohs(tvb, hrr_offset + 2) + 4;
11338 }
11339 }
11340 } else {
11341 ssl_md_update(&mc, zeros, 8);
11342 ssl_md_update(&mc, tvb_get_ptr(tvb, initial_offset + 34, offset - initial_offset - 34),
11343 offset - initial_offset - 34);
11344 }
 /* confirmation = HKDF-Expand-Label(HKDF-Extract(0, client_random),
  *                                  label, transcript_hash, 8).
  * NOTE(review): ssl->client_random is assumed here to be the inner
  * ClientHello random (32 bytes) with session.client_random holding the
  * outer one; this is inferred from the restore below — confirm. */
11345 ssl_md_final(&mc, transcript_hash, &len);
11346 ssl_md_cleanup(&mc);
11347 hkdf_extract(hash_algo, NULL((void*)0), 0, ssl->client_random.data, 32, prk);
11348 StringInfo prk_string = {prk, len};
11349 if (tls13_hkdf_expand_label_context(hash_algo, &prk_string, tls13_hkdf_label_prefix(ssl),
11350 is_hrr ? "hrr ech accept confirmation" : "ech accept confirmation",
11351 transcript_hash, len, 8, &ech_verify_out)) {
11352 memcpy(is_hrr ? ssl->session.hrr_ech_confirmation : ssl->session.ech_confirmation, ech_verify_out, 8);
 /* Mismatch: the server did not accept ECH. Decryption must then
  * continue with the random from session.client_random, and for an
  * HRR the rejection is remembered. */
11353 if (tvb_memeql(tvb, confirmation_offset, ech_verify_out, 8) == -1) {
11354 if (is_hrr) {
11355 ssl->session.hrr_ech_declined = true1;
11356 ssl->session.first_ch_ech_frame = 0;
11357 }
11358 memcpy(ssl->client_random.data, ssl->session.client_random.data, ssl->session.client_random.data_len);
11359 ssl_print_data("Updated Client Random", ssl->client_random.data, 32);
11360 }
 /* ech_verify_out is handed out by the expand call in the NULL scope. */
11361 wmem_free(NULL((void*)0), ech_verify_out);
11362 }
11363 ssl->session.ech = true1;
11364 }
11365 }
11366
 /* JA3S: MD5 over the version/cipher/extension string; g_compute_checksum_for_string
  * allocates, so the result is freed once both items are added. */
11367 ja3_hash = g_compute_checksum_for_string(G_CHECKSUM_MD5, wmem_strbuf_get_str(ja3),
11368 wmem_strbuf_get_len(ja3));
11369 ti = proto_tree_add_string(tree, hf->hf.hs_ja3s_full, tvb, offset, 0, wmem_strbuf_get_str(ja3));
11370 proto_item_set_generated(ti);
11371 ti = proto_tree_add_string(tree, hf->hf.hs_ja3s_hash, tvb, offset, 0, ja3_hash);
11372 proto_item_set_generated(ti);
11373 g_free(ja3_hash)(__builtin_object_size ((ja3_hash), 0) != ((size_t) - 1)) ? g_free_sized
(ja3_hash, __builtin_object_size ((ja3_hash), 0)) : (g_free)
(ja3_hash)
;
11374}
11375/* Client Hello and Server Hello dissections. }}} */
11376
11377/* New Session Ticket dissection. {{{ */
void
ssl_dissect_hnd_new_ses_ticket(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                               proto_tree *tree, uint32_t offset, uint32_t offset_end,
                               SslSession *session, SslDecryptSession *ssl,
                               bool is_dtls, GHashTable *session_hash)
{
    /* Wire formats:
     *
     * RFC 5077 Section 3.3 (TLS <= 1.2):
     *   struct {
     *       uint32 ticket_lifetime_hint;
     *       opaque ticket<0..2^16-1>;
     *   } NewSessionTicket;
     *
     * RFC 8446 Section 4.6.1 (TLS 1.3):
     *   struct {
     *       uint32 ticket_lifetime;
     *       uint32 ticket_age_add;
     *       opaque ticket_nonce<0..255>;   // since draft -21, updated in -22
     *       opaque ticket<1..2^16-1>;
     *       Extension extensions<0..2^16-2>;
     *   } NewSessionTicket;
     *
     * For pre-1.3 sessions with a decryption session, the ticket bytes are
     * copied into ssl->session_ticket and mapped to the master secret in
     * session_hash so that a later resumption with this ticket can be
     * decrypted. Returns early when a length vector fails validation.
     */
    const bool is_tls13 = (session->version == TLSV1DOT3_VERSION) ||
                          (session->version == DTLSV1DOT3_VERSION);
    const unsigned char draft_version = session->tls13_draft_version;
    uint32_t lifetime_hint;
    uint32_t ticket_len;

    proto_tree *subtree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
                                                 hf->ett.session_ticket, NULL,
                                                 "TLS Session Ticket");

    /* ticket_lifetime_hint / ticket_lifetime, in seconds */
    proto_item *lifetime_item = proto_tree_add_item_ret_uint(subtree,
            hf->hf.hs_session_ticket_lifetime_hint,
            tvb, offset, 4, ENC_BIG_ENDIAN, &lifetime_hint);
    offset += 4;
    if (lifetime_hint >= 60) {
        /* Annotate lifetimes of a minute or more with a readable duration. */
        proto_item_append_text(lifetime_item, " (%s)",
                               unsigned_time_secs_to_str(pinfo->pool, lifetime_hint));
    }

    if (is_tls13) {
        /* ticket_age_add */
        proto_tree_add_item(subtree, hf->hf.hs_session_ticket_age_add,
                            tvb, offset, 4, ENC_BIG_ENDIAN);
        offset += 4;

        /* ticket_nonce<0..255>, present since draft -21 */
        if (draft_version == 0 || draft_version >= 21) {
            uint32_t nonce_len;
            if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, offset_end, &nonce_len,
                                hf->hf.hs_session_ticket_nonce_len, 0, 255)) {
                return;
            }
            offset += 1;
            proto_tree_add_item(subtree, hf->hf.hs_session_ticket_nonce,
                                tvb, offset, nonce_len, ENC_NA);
            offset += nonce_len;
        }
    }

    /* opaque ticket<0..2^16-1>; TLS 1.3 requires at least one byte */
    if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, offset_end, &ticket_len,
                        hf->hf.hs_session_ticket_len, is_tls13 ? 1 : 0, UINT16_MAX)) {
        return;
    }
    offset += 2;

    /* The ticket is opaque to the client, so only the raw bytes are shown. */
    proto_tree_add_item(subtree, hf->hf.hs_session_ticket,
                        tvb, offset, ticket_len, ENC_NA);

    if (ssl && !is_tls13) {
        if (ssl->session.is_session_resumed) {
            /* Abbreviated handshake with a new ticket (RFC 5077): the
             * NewSessionTicket precedes the ChangeCipherSpec, so recover the
             * master key of the ticket that was presented before replacing it. */
            ssl_restore_master_key(ssl, "Session Ticket", false,
                                   session_hash, &ssl->session_ticket);
        }
        tvb_ensure_bytes_exist(tvb, offset, ticket_len);
        ssl->session_ticket.data = wmem_realloc(wmem_file_scope(),
                                                ssl->session_ticket.data, ticket_len);
        ssl->session_ticket.data_len = ticket_len;
        tvb_memcpy(tvb, ssl->session_ticket.data, offset, ticket_len);
        /* Full handshake: the ticket arrives between the client and the
         * server ChangeCipherSpec. The second CCS already has the session
         * key and returns early, so record the ticket -> master secret
         * mapping here to keep this ticket usable for later resumption. */
        ssl_save_master_key("Session Ticket", session_hash,
                            &ssl->session_ticket, &ssl->master_secret);
        ssl->state |= SSL_NEW_SESSION_TICKET;
    }
    offset += ticket_len;

    if (is_tls13) {
        /* Extension extensions<0..2^16-2> */
        ssl_dissect_hnd_extension(hf, tvb, subtree, pinfo, offset,
                                  offset_end, SSL_HND_NEWSESSION_TICKET,
                                  session, ssl, is_dtls, NULL, NULL, NULL);
    }
} /* }}} */
11485
void
ssl_dissect_hnd_hello_retry_request(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                                    packet_info* pinfo, proto_tree *tree, uint32_t offset, uint32_t offset_end,
                                    SslSession *session, SslDecryptSession *ssl,
                                    bool is_dtls)
{
    /* Standalone HelloRetryRequest of the TLS 1.3 drafts up to -21
     * (draft-ietf-tls-tls13-19, Section 4.1.4). From draft -22 on the HRR is
     * a ServerHello with a special random and goes through
     * ssl_dissect_hnd_srv_hello with is_hrr set.
     *
     *   struct {
     *       ProtocolVersion server_version;
     *       CipherSuite cipher_suite;           // not before draft -19
     *       Extension extensions<2..2^16-1>;
     *   } HelloRetryRequest;
     */
    uint32_t server_version;

    proto_tree_add_item_ret_uint(tree, hf->hf.hs_server_version, tvb,
                                 offset, 2, ENC_BIG_ENDIAN, &server_version);
    offset += 2;

    /* The draft number is derived from server_version (0 when none is encoded). */
    const uint8_t draft_version = extract_tls13_draft_version(server_version);
    if (draft_version == 0 || draft_version >= 19) {
        proto_tree_add_item(tree, hf->hf.hs_cipher_suite,
                            tvb, offset, 2, ENC_BIG_ENDIAN);
        offset += 2;
    }

    ssl_dissect_hnd_extension(hf, tvb, tree, pinfo, offset,
                              offset_end, SSL_HND_HELLO_RETRY_REQUEST,
                              session, ssl, is_dtls, NULL, NULL, NULL);
}
11518
void
ssl_dissect_hnd_encrypted_extensions(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                                     packet_info* pinfo, proto_tree *tree, uint32_t offset, uint32_t offset_end,
                                     SslSession *session, SslDecryptSession *ssl,
                                     bool is_dtls)
{
    /* RFC 8446 Section 4.3.1:
     *   struct {
     *       Extension extensions<0..2^16-1>;
     *   } EncryptedExtensions;
     *
     * The whole body is an extension list, so this simply delegates to the
     * generic extension dissector with the EncryptedExtensions context. No
     * JA3/JA4 or master-key map is involved for this message. */
    const uint8_t hnd_type = SSL_HND_ENCRYPTED_EXTENSIONS;

    ssl_dissect_hnd_extension(hf, tvb, tree, pinfo,
                              offset, offset_end, hnd_type,
                              session, ssl, is_dtls,
                              NULL, NULL, NULL);
}
11534
11535/* Certificate and Certificate Request dissections. {{{ */
/*
 * Dissect a Certificate handshake message (TLS 1.0 through 1.3), including
 * the RFC 7250 raw-public-key variant selected via session->server_cert_type
 * or session->client_cert_type depending on is_from_server.
 *
 * offset..offset_end bounds the message body in tvb. With GnuTLS compiled in
 * and ssl non-NULL, the SubjectPublicKeyInfo of the first server certificate
 * is captured through asn1_ctx.private_data and used to look up a configured
 * private key; without GnuTLS, ssl is unused (hence _U_).
 *
 * Returns early, leaving the rest of the message undissected, when a length
 * vector fails validation in ssl_add_vector (which reports the problem itself).
 */
11536void
11537ssl_dissect_hnd_cert(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree,
11538 uint32_t offset, uint32_t offset_end, packet_info *pinfo,
11539 SslSession *session, SslDecryptSession *ssl _U___attribute__((unused)),
11540 bool_Bool is_from_server, bool_Bool is_dtls)
11541{
11542 /* opaque ASN.1Cert<1..2^24-1>;
11543 *
11544 * Before RFC 8446 (TLS <= 1.2):
11545 * struct {
11546 * select(certificate_type) {
11547 *
11548 * // certificate type defined in RFC 7250
11549 * case RawPublicKey:
11550 * opaque ASN.1_subjectPublicKeyInfo<1..2^24-1>;
11551 *
11552 * // X.509 certificate defined in RFC 5246
11553 * case X.509:
11554 * ASN.1Cert certificate_list<0..2^24-1>;
11555 * };
11556 * } Certificate;
11557 *
11558 * RFC 8446 (since draft -20):
11559 * struct {
11560 * select(certificate_type){
11561 * case RawPublicKey:
11562 * // From RFC 7250 ASN.1_subjectPublicKeyInfo
11563 * opaque ASN1_subjectPublicKeyInfo<1..2^24-1>;
11564 *
11565 * case X.509:
11566 * opaque cert_data<1..2^24-1>;
11567 * }
11568 * Extension extensions<0..2^16-1>;
11569 * } CertificateEntry;
11570 * struct {
11571 * opaque certificate_request_context<0..2^8-1>;
11572 * CertificateEntry certificate_list<0..2^24-1>;
11573 * } Certificate;
11574 */
11575 enum { CERT_X509, CERT_RPK } cert_type;
11576 asn1_ctx_t asn1_ctx;
11577#if defined(HAVE_LIBGNUTLS1)
 /* Filled in by the X.509 dissector for the first certificate (see below). */
11578 gnutls_datum_t subjectPublicKeyInfo = { NULL((void*)0), 0 };
11579 unsigned certificate_index = 0;
11580#endif
11581 uint32_t next_offset, certificate_list_length, cert_length;
 /* Certificates are added under a "Certificates" subtree when there is a
  * non-empty X.509 list, otherwise directly under tree. */
11582 proto_tree *subtree = tree;
11583
11584 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true1, pinfo);
11585
 /* The certificate type was negotiated earlier (RFC 7250 extensions). */
11586 if ((is_from_server && session->server_cert_type == SSL_HND_CERT_TYPE_RAW_PUBLIC_KEY2) ||
11587 (!is_from_server && session->client_cert_type == SSL_HND_CERT_TYPE_RAW_PUBLIC_KEY2)) {
11588 cert_type = CERT_RPK;
11589 } else {
11590 cert_type = CERT_X509;
11591 }
11592
11593#if defined(HAVE_LIBGNUTLS1)
11594 /* Ask the pkcs1 dissector to return the public key details */
11595 if (ssl)
11596 asn1_ctx.private_data = &subjectPublicKeyInfo;
11597#endif
11598
11599 /* TLS 1.3: opaque certificate_request_context<0..2^8-1> */
11600 if (session->version == TLSV1DOT3_VERSION0x304 || session->version == DTLSV1DOT3_VERSION0xfefc) {
11601 uint32_t context_length;
11602 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &context_length,
11603 hf->hf.hs_certificate_request_context_length, 0, UINT8_MAX(255))) {
11604 return;
11605 }
11606 offset++;
11607 if (context_length > 0) {
11608 proto_tree_add_item(tree, hf->hf.hs_certificate_request_context,
11609 tvb, offset, context_length, ENC_NA0x00000000);
11610 offset += context_length;
11611 }
11612 }
11613
11614 if ((session->version != TLSV1DOT3_VERSION0x304 && session->version != DTLSV1DOT3_VERSION0xfefc) && cert_type == CERT_RPK) {
11615 /* For RPK before TLS 1.3, the single RPK is stored directly without
11616 * another "certificate_list" field. */
11617 certificate_list_length = offset_end - offset;
11618 next_offset = offset_end;
11619 } else {
11620 /* CertificateEntry certificate_list<0..2^24-1> */
11621 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &certificate_list_length,
11622 hf->hf.hs_certificates_len, 0, G_MAXUINT24((1U << 24) - 1))) {
11623 return;
11624 }
11625 offset += 3; /* 24-bit length value */
11626 next_offset = offset + certificate_list_length;
11627 }
11628
11629 /* RawPublicKey must have one cert, but X.509 can have multiple. */
11630 if (certificate_list_length > 0 && cert_type == CERT_X509) {
11631 proto_item *ti;
11632
11633 ti = proto_tree_add_none_format(tree,
11634 hf->hf.hs_certificates,
11635 tvb, offset, certificate_list_length,
11636 "Certificates (%u bytes)",
11637 certificate_list_length);
11638
11639 /* make it a subtree */
11640 subtree = proto_item_add_subtree(ti, hf->ett.certificates);
11641 }
11642
 /* Walk the list: each entry is one RPK or X.509 certificate, followed in
  * TLS 1.3 by the entry's own extension block. Bounds come from
  * next_offset, which ssl_add_vector validated against offset_end. */
11643 while (offset < next_offset) {
11644 switch (cert_type) {
11645 case CERT_RPK:
11646 /* TODO add expert info if there is more than one RPK entry (certificate_index > 0) */
11647 /* opaque ASN.1_subjectPublicKeyInfo<1..2^24-1> */
11648 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, next_offset, &cert_length,
11649 hf->hf.hs_certificate_len, 1, G_MAXUINT24((1U << 24) - 1))) {
11650 return;
11651 }
11652 offset += 3;
11653
11654 dissect_x509af_SubjectPublicKeyInfo(false0, tvb, offset, &asn1_ctx, subtree, hf->hf.hs_certificate);
11655 offset += cert_length;
11656 break;
11657 case CERT_X509:
11658 /* opaque ASN1Cert<1..2^24-1> */
11659 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, next_offset, &cert_length,
11660 hf->hf.hs_certificate_len, 1, G_MAXUINT24((1U << 24) - 1))) {
11661 return;
11662 }
11663 offset += 3;
11664
11665 dissect_x509af_Certificate(false0, tvb, offset, &asn1_ctx, subtree, hf->hf.hs_certificate);
11666#if defined(HAVE_LIBGNUTLS1)
 /* Only the leaf (first) server certificate matters for key lookup;
  * private_data is cleared so later chain entries do not overwrite
  * subjectPublicKeyInfo. */
11667 if (is_from_server && ssl && certificate_index == 0) {
11668 ssl_find_private_key_by_pubkey(ssl, &subjectPublicKeyInfo);
11669 /* Only attempt to get the RSA modulus for the first cert. */
11670 asn1_ctx.private_data = NULL((void*)0);
11671 }
11672#endif
11673 offset += cert_length;
11674 break;
11675 }
11676
11677 /* TLS 1.3: Extension extensions<0..2^16-1> */
11678 if ((session->version == TLSV1DOT3_VERSION0x304 || session->version == DTLSV1DOT3_VERSION0xfefc)) {
11679 offset = ssl_dissect_hnd_extension(hf, tvb, subtree, pinfo, offset,
11680 next_offset, SSL_HND_CERTIFICATE,
11681 session, ssl, is_dtls, NULL((void*)0), NULL((void*)0), NULL((void*)0));
11682 }
11683
11684#if defined(HAVE_LIBGNUTLS1)
11685 certificate_index++;
11686#endif
11687 }
11688}
11689
void
ssl_dissect_hnd_cert_req(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                         proto_tree *tree, uint32_t offset, uint32_t offset_end,
                         SslSession *session, bool is_dtls)
{
    /* CertificateRequest; the layout depends on the negotiated version.
     *
     * SSL 3.0 .. TLS 1.1 (certificate_authorities may be empty since 1.1):
     *   enum { rsa_sign(1), dss_sign(2), rsa_fixed_dh(3), dss_fixed_dh(4), (255) }
     *       ClientCertificateType;
     *   opaque DistinguishedName<1..2^16-1>;
     *   struct {
     *       ClientCertificateType certificate_types<1..2^8-1>;
     *       DistinguishedName certificate_authorities<3..2^16-1>;
     *   } CertificateRequest;
     *
     * TLS 1.2 (RFC 5246) adds the signature algorithm list:
     *   enum { rsa_sign(1), dss_sign(2), rsa_fixed_dh(3), dss_fixed_dh(4),
     *          rsa_ephemeral_dh_RESERVED(5), dss_ephemeral_dh_RESERVED(6),
     *          fortezza_dms_RESERVED(20), (255) } ClientCertificateType;
     *   enum { none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5),
     *          sha512(6), (255) } HashAlgorithm;
     *   enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) } SignatureAlgorithm;
     *   struct { HashAlgorithm hash; SignatureAlgorithm signature; }
     *       SignatureAndHashAlgorithm;
     *   struct {
     *       ClientCertificateType certificate_types<1..2^8-1>;
     *       SignatureAndHashAlgorithm supported_signature_algorithms<2^16-1>;
     *       DistinguishedName certificate_authorities<0..2^16-1>;
     *   } CertificateRequest;
     *
     * draft-ietf-tls-tls13-18:
     *   struct {
     *       opaque certificate_request_context<0..2^8-1>;
     *       SignatureScheme supported_signature_algorithms<2..2^16-2>;
     *       DistinguishedName certificate_authorities<0..2^16-1>;
     *       CertificateExtension certificate_extensions<0..2^16-1>;
     *   } CertificateRequest;
     *
     * RFC 8446 (since draft-ietf-tls-tls13-19):
     *   struct {
     *       opaque certificate_request_context<0..2^8-1>;
     *       Extension extensions<2..2^16-1>;
     *   } CertificateRequest;
     *
     * Nothing here feeds decryption, so the function is a no-op without a
     * tree. Returns early when a length vector fails validation.
     */
    const bool is_tls13 = (session->version == TLSV1DOT3_VERSION ||
                           session->version == DTLSV1DOT3_VERSION);
    const unsigned char draft_version = session->tls13_draft_version;
    asn1_ctx_t asn1_ctx;

    if (tree == NULL) {
        return;
    }

    asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true, pinfo);

    if (!is_tls13) {
        /* ClientCertificateType certificate_types<1..2^8-1> */
        uint32_t cert_types_count;
        if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &cert_types_count,
                            hf->hf.hs_cert_types_count, 1, UINT8_MAX)) {
            return;
        }
        offset += 1;

        proto_item *types_item = proto_tree_add_none_format(tree,
                hf->hf.hs_cert_types,
                tvb, offset, cert_types_count,
                "Certificate types (%u type%s)",
                cert_types_count,
                plurality(cert_types_count, "", "s"));
        proto_tree *types_tree = proto_item_add_subtree(types_item, hf->ett.cert_types);

        /* one byte per certificate type */
        for (uint32_t types_end = offset + cert_types_count; offset < types_end; offset++) {
            proto_tree_add_item(types_tree, hf->hf.hs_cert_type, tvb, offset, 1, ENC_BIG_ENDIAN);
        }
    } else {
        /* opaque certificate_request_context<0..2^8-1> */
        uint32_t context_length;
        if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &context_length,
                            hf->hf.hs_certificate_request_context_length, 0, UINT8_MAX)) {
            return;
        }
        offset += 1;
        if (context_length > 0) {
            proto_tree_add_item(tree, hf->hf.hs_certificate_request_context,
                                tvb, offset, context_length, ENC_NA);
            offset += context_length;
        }
    }

    /* supported_signature_algorithms: TLS 1.2 and the TLS 1.3 drafts before -19 */
    const bool has_sig_algs = session->version == TLSV1DOT2_VERSION ||
                              session->version == DTLSV1DOT2_VERSION ||
                              (is_tls13 && draft_version > 0 && draft_version < 19);
    if (has_sig_algs) {
        offset = ssl_dissect_hash_alg_list(hf, tvb, tree, pinfo, offset, offset_end, NULL);
    }

    if (!is_tls13) {
        /* TLS 1.2 and older: the certificate_authorities field. */
        tls_dissect_certificate_authorities(hf, tvb, pinfo, tree, offset, offset_end);
    } else if (draft_version == 0 || draft_version >= 19) {
        /* Draft -19 and later (RFC 8446): everything else is carried in
         * extensions. No SslDecryptSession is passed because
         * CertificateRequest extensions must not influence decryption state. */
        ssl_dissect_hnd_extension(hf, tvb, tree, pinfo, offset,
                                  offset_end, SSL_HND_CERT_REQUEST,
                                  session, NULL, is_dtls, NULL, NULL, NULL);
    } else {
        /* Drafts up to -18: certificate_authorities followed by
         * certificate_extensions (a vector of OID filters). */
        offset = tls_dissect_certificate_authorities(hf, tvb, pinfo, tree, offset, offset_end);
        ssl_dissect_hnd_hello_ext_oid_filters(hf, tvb, pinfo, tree, offset, offset_end);
    }
}
11832/* Certificate and Certificate Request dissections. }}} */
11833
void
ssl_dissect_hnd_cli_cert_verify(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                                proto_tree *tree, uint32_t offset, uint32_t offset_end, uint16_t version)
{
    /* CertificateVerify is a single DigitallySigned structure. This wrapper
     * only selects the client-side signature header fields and defers the
     * version-dependent parsing to ssl_dissect_digitally_signed. */
    const int sig_len_hf = hf->hf.hs_client_cert_vrfy_sig_len;
    const int sig_hf = hf->hf.hs_client_cert_vrfy_sig;

    ssl_dissect_digitally_signed(hf, tvb, pinfo, tree,
                                 offset, offset_end, version,
                                 sig_len_hf, sig_hf);
}
11842
11843/* Finished dissection. {{{ */
void
ssl_dissect_hnd_finished(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                         proto_tree *tree, uint32_t offset, uint32_t offset_end,
                         const SslSession *session, ssl_hfs_t *ssl_hfs)
{
    /* Finished message body:
     *   SSLv3:    opaque md5_hash[16]; opaque sha_hash[20];
     *   (D)TLS:   opaque verify_data[12];
     *   TLS 1.3:  opaque verify_data[Hash.length];
     *
     * Display only; nothing is stored, so there is nothing to do without a
     * tree. The SSLv3 fields live in ssl_hfs, which callers may omit. */
    if (tree == NULL) {
        return;
    }

    const bool is_sslv3 = (session->version == SSLV3_VERSION);
    if (!is_sslv3) {
        /* 12 bytes before TLS 1.3 and Hash.length from 1.3 on; either way the
         * remainder of the message is the verify_data. */
        proto_tree_add_item(tree, hf->hf.hs_finished,
                            tvb, offset, offset_end - offset, ENC_NA);
        return;
    }

    /* SSLv3 carries separate MD5 and SHA-1 hashes. */
    if (ssl_hfs != NULL) {
        proto_tree_add_item(tree, ssl_hfs->hs_md5_hash,
                            tvb, offset, 16, ENC_NA);
        proto_tree_add_item(tree, ssl_hfs->hs_sha_hash,
                            tvb, offset + 16, 20, ENC_NA);
    }
} /* }}} */
11881
11882/* RFC 6066 Certificate URL handshake message dissection. {{{ */
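void
ssl_dissect_hnd_cert_url(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree, uint32_t offset)
{
    /* RFC 6066 Section 6:
     *   enum { individual_certs(0), pkipath(1), (255) } CertChainType;
     *   struct {
     *       CertChainType type;
     *       URLAndHash url_and_hash_list<1..2^16-1>;
     *   } CertificateURL;
     *   struct {
     *       opaque url<1..2^16-1>;
     *       uint8 padding;          // RFC 6066 requires 0x01
     *       opaque SHA1Hash[20];
     *   } URLAndHash;
     *
     * As with every TLS vector, the url_and_hash_list length is a byte count,
     * not a number of entries, so entries are consumed until that many bytes
     * have been walked (the previous loop counted it down once per entry and
     * therefore over-read). tvb accessors throw on truncation, so no further
     * bounds check is needed; each entry item is sized once it is complete.
     */
    uint32_t url_hash_list_len;
    uint32_t url_hash_list_end;

    proto_tree_add_item(tree, hf->hf.hs_ext_cert_url_type,
                        tvb, offset, 1, ENC_NA);
    offset++;

    url_hash_list_len = tvb_get_ntohs(tvb, offset);
    proto_tree_add_item(tree, hf->hf.hs_ext_cert_url_url_hash_list_len,
                        tvb, offset, 2, ENC_BIG_ENDIAN);
    offset += 2;
    url_hash_list_end = offset + url_hash_list_len;

    while (offset < url_hash_list_end) {
        const uint32_t item_start = offset;
        uint16_t url_len;

        proto_item *urlhash_item = proto_tree_add_item(tree, hf->hf.hs_ext_cert_url_item,
                                                       tvb, offset, -1, ENC_NA);
        proto_tree *urlhash_tree = proto_item_add_subtree(urlhash_item, hf->ett.urlhash);

        url_len = tvb_get_ntohs(tvb, offset);
        proto_tree_add_item(urlhash_tree, hf->hf.hs_ext_cert_url_url_len,
                            tvb, offset, 2, ENC_BIG_ENDIAN);
        offset += 2;

        proto_tree_add_item(urlhash_tree, hf->hf.hs_ext_cert_url_url,
                            tvb, offset, url_len, ENC_ASCII|ENC_NA);
        offset += url_len;

        /* Note: RFC 6066 says that padding must be 0x01 */
        proto_tree_add_item(urlhash_tree, hf->hf.hs_ext_cert_url_padding,
                            tvb, offset, 1, ENC_NA);
        offset++;

        proto_tree_add_item(urlhash_tree, hf->hf.hs_ext_cert_url_sha1,
                            tvb, offset, 20, ENC_NA);
        offset += 20;

        /* Now that the entry has been walked, give its item the real length
         * instead of "to end of tvb". */
        proto_item_set_len(urlhash_item, offset - item_start);
    }
} /* }}} */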
11940
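void
ssl_dissect_hnd_compress_certificate(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree,
                                     uint32_t offset, uint32_t offset_end, packet_info *pinfo,
                                     SslSession *session, SslDecryptSession *ssl,
                                     bool is_from_server, bool is_dtls)
{
    /* RFC 8879 CompressedCertificate:
     *   enum { zlib(1), brotli(2), zstd(3), (65535) } CertificateCompressionAlgorithm;
     *   struct {
     *       CertificateCompressionAlgorithm algorithm;
     *       uint24 uncompressed_length;
     *       opaque compressed_certificate_message<1..2^24-1>;
     *   } CompressedCertificate;
     *
     * The payload is inflated into a child tvb and, when its size matches the
     * advertised uncompressed_length, dissected by ssl_dissect_hnd_cert as a
     * regular Certificate message. A decompression failure for a known
     * algorithm is reported with the decompression_error expert info instead
     * of silently showing nothing; unknown algorithms are left untouched.
     */
    uint32_t algorithm;
    uint32_t uncompressed_length;
    uint32_t compressed_len;
    tvbuff_t *uncompressed_tvb = NULL;
    bool known_algorithm = true;

    proto_tree_add_item_ret_uint(tree, hf->hf.hs_ext_compress_certificate_algorithm,
                                 tvb, offset, 2, ENC_BIG_ENDIAN, &algorithm);
    offset += 2;

    proto_tree_add_item_ret_uint(tree, hf->hf.hs_ext_compress_certificate_uncompressed_length,
                                 tvb, offset, 3, ENC_BIG_ENDIAN, &uncompressed_length);
    offset += 3;

    /* opaque compressed_certificate_message<1..2^24-1>; */
    if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &compressed_len,
                        hf->hf.hs_ext_compress_certificate_compressed_certificate_message_length,
                        1, G_MAXUINT24)) {
        return;
    }
    offset += 3;

    proto_item *ti = proto_tree_add_item(tree,
            hf->hf.hs_ext_compress_certificate_compressed_certificate_message,
            tvb, offset, compressed_len, ENC_NA);

    /* Certificate decompression following algorithm */
    switch (algorithm) {
    case 1: /* zlib */
        uncompressed_tvb = tvb_child_uncompress_zlib(tvb, tvb, offset, compressed_len);
        break;
    case 2: /* brotli */
        uncompressed_tvb = tvb_child_uncompress_brotli(tvb, tvb, offset, compressed_len);
        break;
    case 3: /* zstd */
        uncompressed_tvb = tvb_child_uncompress_zstd(tvb, tvb, offset, compressed_len);
        break;
    default:
        /* Unknown or reserved algorithm: nothing we can decompress. */
        known_algorithm = false;
        break;
    }

    if (uncompressed_tvb == NULL) {
        if (known_algorithm) {
            /* Corrupt input, or possibly the decompressor is not available in
             * this build; either way make the failure visible. */
            proto_tree_add_expert_format(tree, pinfo, &hf->ei.decompression_error,
                                         tvb, offset, compressed_len,
                                         "Certificate decompression failed (algorithm %u)",
                                         algorithm);
        }
        return;
    }

    /* The peer's advertised size must match the actual output before the
     * inflated bytes are trusted as a Certificate message. */
    const uint32_t actual_length = tvb_captured_length(uncompressed_tvb);
    if (actual_length != uncompressed_length) {
        proto_tree_add_expert_format(tree, pinfo, &hf->ei.decompression_error,
                                     tvb, offset, offset_end - offset,
                                     "Invalid uncompressed length %u (expected %u)",
                                     actual_length, uncompressed_length);
        return;
    }

    proto_tree *uncompressed_tree = proto_item_add_subtree(ti, hf->ett.uncompressed_certificates);
    ssl_dissect_hnd_cert(hf, uncompressed_tvb, uncompressed_tree,
                         0, uncompressed_length, pinfo, session, ssl, is_from_server, is_dtls);
    add_new_data_source(pinfo, uncompressed_tvb, "Uncompressed certificate(s)");
}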
12014
12015/* Dissection of TLS Extensions in Client Hello, Server Hello, etc. {{{ */
/*
 * Dissects the `Extension extensions<0..2^16-1>` vector of a handshake
 * message (ClientHello, ServerHello, HelloRetryRequest, EncryptedExtensions,
 * Certificate, ...), starting at `offset` and bounded by `offset_end`.
 *
 * Reads the two-byte vector length, then walks each type(2)/length(2)/data
 * entry, adds an "Extension: ..." subtree for it and dispatches on `ext_type`
 * to the extension-specific dissector. Some cases also record state on `ssl`
 * (Encrypt-then-MAC, Extended Master Secret flags) or `session`
 * (deprecated_cid) instead of, or in addition to, adding tree items.
 *
 * When `ja3` is non-NULL, every non-GREASE extension type is appended to it
 * ('-' separated) and, for a ClientHello, the supported groups and EC point
 * formats collected in ja3_sg / ja3_ecpf are appended after the loop (an
 * empty field still contributes a ',' terminator). When `ja4_data` is
 * non-NULL, non-GREASE extensions are counted and, except server_name and
 * ALPN, inserted into its sorted extension_list.
 *
 * Returns the offset just past the extensions vector. Returns `offset_end`
 * as soon as the vector length or an extension's length does not fit; a
 * per-extension dissector that does not end exactly at next_offset is
 * resynchronised by ssl_end_vector().
 */
12016static int
12017// NOLINTNEXTLINE(misc-no-recursion)
12018ssl_dissect_hnd_extension(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree,
12019 packet_info* pinfo, uint32_t offset, uint32_t offset_end, uint8_t hnd_type,
12020 SslSession *session, SslDecryptSession *ssl,
12021 bool_Bool is_dtls, wmem_strbuf_t *ja3, ja4_data_t *ja4_data,
12022 ssl_master_key_map_t *mk_map)
12023{
12024 uint32_t exts_len;
12025 uint16_t ext_type;
12026 uint32_t ext_len;
12027 uint32_t next_offset;
12028 proto_item *ext_item;
12029 proto_tree *ext_tree;
12030 bool_Bool is_tls13 = session->version == TLSV1DOT3_VERSION0x304;
 /* Filled by the supported_groups / ec_point_formats cases (ClientHello only)
 * and appended to the JA3 string once the loop is done. */
12031 wmem_strbuf_t *ja3_sg = wmem_strbuf_new(pinfo->pool, "");
12032 wmem_strbuf_t *ja3_ecpf = wmem_strbuf_new(pinfo->pool, "");
 /* Separator placed before each JA3 extension type after the first.
 * NOTE(review): only ever points at string literals; `const char *` would
 * be the accurate type. */
12033 char *ja3_dash = "";
12034 unsigned supported_version;
12035
12036 /* Extension extensions<0..2^16-2> (for TLS 1.3 HRR/CR min-length is 2) */
12037 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &exts_len,
12038 hf->hf.hs_exts_len, 0, UINT16_MAX(65535))) {
12039 return offset_end;
12040 }
12041 offset += 2;
 /* From here on offset_end bounds the vector itself, not the caller's span. */
12042 offset_end = offset + exts_len;
12043
12044 if (ja4_data) {
12045 ja4_data->num_extensions = 0;
12046 }
 /* Each extension needs at least its type(2) + length(2) header. */
12047 while (offset_end - offset >= 4)
12048 {
12049 ext_type = tvb_get_ntohs(tvb, offset);
12050 ext_len = tvb_get_ntohs(tvb, offset + 2);
12051
 /* GREASE values are excluded from both the JA3 and JA4 fingerprints. */
12052 if (ja4_data && !IS_GREASE_TLS(ext_type)((((ext_type) & 0x0f0f) == 0x0a0a) && (((ext_type
) & 0xff) == (((ext_type)>>8) & 0xff)))
) {
12053 ja4_data->num_extensions += 1;
 /* JA4 counts server_name and ALPN but keeps them out of the sorted list. */
12054 if (ext_type != SSL_HND_HELLO_EXT_SERVER_NAME0 &&
12055 ext_type != SSL_HND_HELLO_EXT_ALPN16) {
12056 wmem_list_insert_sorted(ja4_data->extension_list, GUINT_TO_POINTER(ext_type)((gpointer) (gulong) (ext_type)), wmem_compare_uint);
12057 }
12058 }
12059
12060 ext_item = proto_tree_add_none_format(tree, hf->hf.hs_ext, tvb, offset, 4 + ext_len,
12061 "Extension: %s (len=%u)", val_to_str(pinfo->pool, ext_type,
12062 tls_hello_extension_types,
12063 "Unknown type %u"), ext_len);
12064 ext_tree = proto_item_add_subtree(ext_item, hf->ett.hs_ext);
12065
12066 proto_tree_add_uint(ext_tree, hf->hf.hs_ext_type,
12067 tvb, offset, 2, ext_type);
12068 offset += 2;
12069 if (ja3 && !IS_GREASE_TLS(ext_type)((((ext_type) & 0x0f0f) == 0x0a0a) && (((ext_type
) & 0xff) == (((ext_type)>>8) & 0xff)))
) {
12070 wmem_strbuf_append_printf(ja3, "%s%i",ja3_dash, ext_type);
12071 ja3_dash = "-";
12072 }
12073
12074 /* opaque extension_data<0..2^16-1> */
12075 if (!ssl_add_vector(hf, tvb, pinfo, ext_tree, offset, offset_end, &ext_len,
12076 hf->hf.hs_ext_len, 0, UINT16_MAX(65535))) {
12077 return offset_end;
12078 }
12079 offset += 2;
12080 next_offset = offset + ext_len;
12081
 /* Each case consumes its extension_data by advancing offset; anything it
 * leaves over (or overruns) is corrected by ssl_end_vector() below. Cases
 * guarded by hnd_type only dissect in the messages where the extension is
 * defined to appear. */
12082 switch (ext_type) {
12083 case SSL_HND_HELLO_EXT_SERVER_NAME0:
12084 if (hnd_type == SSL_HND_CLIENT_HELLO) {
12085 offset = ssl_dissect_hnd_hello_ext_server_name(hf, tvb, pinfo, ext_tree, offset, next_offset);
12086 if (ja4_data) {
12087 ja4_data->server_name_present = true1;
12088 }
12089 }
12090 break;
12091 case SSL_HND_HELLO_EXT_MAX_FRAGMENT_LENGTH1:
12092 proto_tree_add_item(ext_tree, hf->hf.hs_ext_max_fragment_length, tvb, offset, 1, ENC_NA0x00000000);
12093 offset += 1;
12094 break;
12095 case SSL_HND_HELLO_EXT_STATUS_REQUEST5:
12096 if (hnd_type == SSL_HND_CLIENT_HELLO) {
12097 offset = ssl_dissect_hnd_hello_ext_status_request(hf, tvb, pinfo, ext_tree, offset, next_offset, false0);
12098 } else if (is_tls13 && hnd_type == SSL_HND_CERTIFICATE) {
 /* In TLS 1.3 the OCSP response travels as a Certificate extension. */
12099 offset = tls_dissect_hnd_certificate_status(hf, tvb, pinfo, ext_tree, offset, next_offset);
12100 }
12101 break;
12102 case SSL_HND_HELLO_EXT_CERT_TYPE9:
12103 offset = ssl_dissect_hnd_hello_ext_cert_type(hf, tvb, ext_tree,
12104 offset, next_offset,
12105 hnd_type, ext_type,
12106 session);
12107 break;
12108 case SSL_HND_HELLO_EXT_SUPPORTED_GROUPS10:
 /* Only the ClientHello list feeds the JA3 fingerprint. */
12109 if (hnd_type == SSL_HND_CLIENT_HELLO) {
12110 offset = ssl_dissect_hnd_hello_ext_supported_groups(hf, tvb, pinfo, ext_tree, offset,
12111 next_offset, ja3_sg);
12112 } else {
12113 offset = ssl_dissect_hnd_hello_ext_supported_groups(hf, tvb, pinfo, ext_tree, offset,
12114 next_offset, NULL((void*)0));
12115 }
12116 break;
12117 case SSL_HND_HELLO_EXT_EC_POINT_FORMATS11:
12118 if (hnd_type == SSL_HND_CLIENT_HELLO) {
12119 offset = ssl_dissect_hnd_hello_ext_ec_point_formats(hf, tvb, ext_tree, offset, ja3_ecpf);
12120 } else {
12121 offset = ssl_dissect_hnd_hello_ext_ec_point_formats(hf, tvb, ext_tree, offset, NULL((void*)0));
12122 }
12123 break;
12124 case SSL_HND_HELLO_EXT_SRP12:
12125 offset = ssl_dissect_hnd_hello_ext_srp(hf, tvb, pinfo, ext_tree, offset, next_offset);
12126 break;
12127 case SSL_HND_HELLO_EXT_SIGNATURE_ALGORITHMS13:
12128 offset = ssl_dissect_hnd_hello_ext_sig_hash_algs(hf, tvb, ext_tree, pinfo, offset, next_offset, ja4_data);
12129 break;
12130 case SSL_HND_HELLO_EXT_SIGNATURE_ALGORITHMS_CERT50: /* since TLS 1.3 draft -23 */
 /* Same wire format as signature_algorithms, but it does not feed JA4. */
12131 offset = ssl_dissect_hnd_hello_ext_sig_hash_algs(hf, tvb, ext_tree, pinfo, offset, next_offset, NULL((void*)0));
12132 break;
12133 case SSL_HND_HELLO_EXT_DELEGATED_CREDENTIALS34:
12134 offset = ssl_dissect_hnd_ext_delegated_credentials(hf, tvb, ext_tree, pinfo, offset, next_offset, hnd_type);
12135 break;
12136 case SSL_HND_HELLO_EXT_USE_SRTP14:
12137 if (is_dtls) {
12138 if (hnd_type == SSL_HND_CLIENT_HELLO) {
12139 offset = dtls_dissect_hnd_hello_ext_use_srtp(pinfo, tvb, ext_tree, offset, next_offset, false0);
12140 } else if (hnd_type == SSL_HND_SERVER_HELLO) {
12141 offset = dtls_dissect_hnd_hello_ext_use_srtp(pinfo, tvb, ext_tree, offset, next_offset, true1);
12142 }
12143 } else {
12144 // XXX expert info: This extension MUST only be used with DTLS, and not with TLS.
12145 }
12146 break;
12147 case SSL_HND_HELLO_EXT_ECH_OUTER_EXTENSIONS64768:
12148 offset = ssl_dissect_hnd_ech_outer_ext(hf, tvb, pinfo, ext_tree, offset, next_offset);
12149 break;
12150 case SSL_HND_HELLO_EXT_ENCRYPTED_CLIENT_HELLO65037:
12151 offset = ssl_dissect_hnd_hello_ext_ech(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, session, ssl, mk_map);
12152 break;
12153 case SSL_HND_HELLO_EXT_HEARTBEAT15:
12154 proto_tree_add_item(ext_tree, hf->hf.hs_ext_heartbeat_mode,
12155 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
12156 offset++;
12157 break;
12158 case SSL_HND_HELLO_EXT_ALPN16:
12159 offset = ssl_dissect_hnd_hello_ext_alpn(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, session, is_dtls, ja4_data);
12160 break;
12161 case SSL_HND_HELLO_EXT_STATUS_REQUEST_V217:
12162 if (hnd_type == SSL_HND_CLIENT_HELLO)
12163 offset = ssl_dissect_hnd_hello_ext_status_request_v2(hf, tvb, pinfo, ext_tree, offset, next_offset);
12164 break;
12165 case SSL_HND_HELLO_EXT_SIGNED_CERTIFICATE_TIMESTAMP18:
12166 // TLS 1.3 note: SCT only appears in EE in draft -16 and before.
12167 if (hnd_type == SSL_HND_SERVER_HELLO || hnd_type == SSL_HND_ENCRYPTED_EXTENSIONS || hnd_type == SSL_HND_CERTIFICATE)
12168 offset = tls_dissect_sct_list(hf, tvb, pinfo, ext_tree, offset, next_offset, session->version);
12169 break;
12170 case SSL_HND_HELLO_EXT_CLIENT_CERT_TYPE19:
12171 case SSL_HND_HELLO_EXT_SERVER_CERT_TYPE20:
12172 offset = ssl_dissect_hnd_hello_ext_cert_type(hf, tvb, ext_tree,
12173 offset, next_offset,
12174 hnd_type, ext_type,
12175 session);
12176 break;
12177 case SSL_HND_HELLO_EXT_PADDING21:
12178 proto_tree_add_item(ext_tree, hf->hf.hs_ext_padding_data, tvb, offset, ext_len, ENC_NA0x00000000);
12179 offset += ext_len;
12180 break;
12181 case SSL_HND_HELLO_EXT_ENCRYPT_THEN_MAC22:
 /* Only the server's acceptance changes how records are decrypted. */
12182 if (ssl && hnd_type == SSL_HND_SERVER_HELLO) {
12183 ssl_debug_printf("%s enabling Encrypt-then-MAC\n", G_STRFUNC((const char*) (__func__)));
12184 ssl->state |= SSL_ENCRYPT_THEN_MAC(1<<11);
12185 }
12186 break;
12187 case SSL_HND_HELLO_EXT_EXTENDED_MASTER_SECRET23:
 /* Both sides are tracked separately; the key derivation code decides
 * what to do when only one of them offered the extension. */
12188 if (ssl) {
12189 switch (hnd_type) {
12190 case SSL_HND_CLIENT_HELLO:
12191 ssl->state |= SSL_CLIENT_EXTENDED_MASTER_SECRET(1<<7);
12192 break;
12193 case SSL_HND_SERVER_HELLO:
12194 ssl->state |= SSL_SERVER_EXTENDED_MASTER_SECRET(1<<8);
12195 break;
12196 default: /* no default */
12197 break;
12198 }
12199 }
12200 break;
12201 case SSL_HND_HELLO_EXT_COMPRESS_CERTIFICATE27:
12202 offset = ssl_dissect_hnd_hello_ext_compress_certificate(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, ssl);
12203 break;
12204 case SSL_HND_HELLO_EXT_TOKEN_BINDING24:
12205 offset = ssl_dissect_hnd_hello_ext_token_binding(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, ssl);
12206 break;
12207 case SSL_HND_HELLO_EXT_RECORD_SIZE_LIMIT28:
12208 proto_tree_add_item(ext_tree, hf->hf.hs_ext_record_size_limit,
12209 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
12210 offset += 2;
12211 break;
12212 case SSL_HND_HELLO_EXT_QUIC_TRANSPORT_PARAMETERS65445:
12213 case SSL_HND_HELLO_EXT_QUIC_TRANSPORT_PARAMETERS_V157:
12214 offset = ssl_dissect_hnd_hello_ext_quic_transport_parameters(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, ssl);
12215 break;
12216 case SSL_HND_HELLO_EXT_SESSION_TICKET_TLS35:
12217 offset = ssl_dissect_hnd_hello_ext_session_ticket(hf, tvb, ext_tree, offset, next_offset, hnd_type, ssl);
12218 break;
12219 case SSL_HND_HELLO_EXT_KEY_SHARE_OLD40: /* used before TLS 1.3 draft -23 */
12220 case SSL_HND_HELLO_EXT_KEY_SHARE51:
12221 offset = ssl_dissect_hnd_hello_ext_key_share(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, ssl);
12222 break;
12223 case SSL_HND_HELLO_EXT_PRE_SHARED_KEY41:
12224 offset = ssl_dissect_hnd_hello_ext_pre_shared_key(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, ssl);
12225 break;
12226 case SSL_HND_HELLO_EXT_EARLY_DATA42:
12227 case SSL_HND_HELLO_EXT_TICKET_EARLY_DATA_INFO46:
12228 offset = ssl_dissect_hnd_hello_ext_early_data(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, ssl);
12229 break;
12230 case SSL_HND_HELLO_EXT_SUPPORTED_VERSIONS43:
 /* ClientHello carries a list of versions; ServerHello / HRR carry the
 * single selected_version, shown inline on the extension item. */
12231 switch (hnd_type) {
12232 case SSL_HND_CLIENT_HELLO:
12233 offset = ssl_dissect_hnd_hello_ext_supported_versions(hf, tvb, pinfo, ext_tree, offset, next_offset, session, is_dtls, ja4_data);
12234 break;
12235 case SSL_HND_SERVER_HELLO:
12236 case SSL_HND_HELLO_RETRY_REQUEST:
12237 proto_tree_add_item_ret_uint(ext_tree, hf->hf.hs_ext_supported_version, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &supported_version);
12238 offset += 2;
12239 proto_item_append_text(ext_tree, " %s", val_to_str(pinfo->pool, supported_version, ssl_versions, "Unknown (0x%04x)"));
12240 break;
12241 }
12242 break;
12243 case SSL_HND_HELLO_EXT_COOKIE44:
12244 offset = ssl_dissect_hnd_hello_ext_cookie(hf, tvb, pinfo, ext_tree, offset, next_offset);
12245 break;
12246 case SSL_HND_HELLO_EXT_PSK_KEY_EXCHANGE_MODES45:
12247 offset = ssl_dissect_hnd_hello_ext_psk_key_exchange_modes(hf, tvb, pinfo, ext_tree, offset, next_offset);
12248 break;
12249 case SSL_HND_HELLO_EXT_CERTIFICATE_AUTHORITIES47:
12250 offset = ssl_dissect_hnd_hello_ext_certificate_authorities(hf, tvb, pinfo, ext_tree, offset, next_offset);
12251 break;
12252 case SSL_HND_HELLO_EXT_OID_FILTERS48:
12253 offset = ssl_dissect_hnd_hello_ext_oid_filters(hf, tvb, pinfo, ext_tree, offset, next_offset);
12254 break;
12255 case SSL_HND_HELLO_EXT_POST_HANDSHAKE_AUTH49:
 /* Empty extension_data; nothing to dissect. */
12256 break;
12257 case SSL_HND_HELLO_EXT_NPN13172:
12258 offset = ssl_dissect_hnd_hello_ext_npn(hf, tvb, pinfo, ext_tree, offset, next_offset);
12259 break;
12260 case SSL_HND_HELLO_EXT_ALPS_OLD17513:
12261 offset = ssl_dissect_hnd_hello_ext_alps(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type);
12262 break;
12263 case SSL_HND_HELLO_EXT_ALPS17613:
12264 offset = ssl_dissect_hnd_hello_ext_alps(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type);
12265 break;
12266 case SSL_HND_HELLO_EXT_RENEGOTIATION_INFO65281:
12267 offset = ssl_dissect_hnd_hello_ext_reneg_info(hf, tvb, pinfo, ext_tree, offset, next_offset);
12268 break;
12269 case SSL_HND_HELLO_EXT_ENCRYPTED_SERVER_NAME65486:
12270 offset = ssl_dissect_hnd_hello_ext_esni(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, ssl);
12271 break;
12272 case SSL_HND_HELLO_EXT_CONNECTION_ID_DEPRECATED53:
 /* Remember the pre-RFC code point so the record layer applies the
 * matching CID handling; the wire format is dissected identically. */
12273 session->deprecated_cid = true1;
12274 /* FALLTHRU */
12275 case SSL_HND_HELLO_EXT_CONNECTION_ID54:
12276 offset = ssl_dissect_hnd_hello_ext_connection_id(hf, tvb, pinfo, ext_tree, offset, hnd_type, session, ssl);
12277 break;
12278 case SSL_HND_HELLO_EXT_TRUSTED_CA_KEYS3:
12279 offset = ssl_dissect_hnd_hello_ext_trusted_ca_keys(hf, tvb, pinfo, ext_tree, offset, next_offset);
12280 break;
12281 default:
 /* Unknown or undecoded extension: show the raw extension_data. */
12282 proto_tree_add_item(ext_tree, hf->hf.hs_ext_data,
12283 tvb, offset, ext_len, ENC_NA0x00000000);
12284 offset += ext_len;
12285 break;
12286 }
12287
12288 if (!ssl_end_vector(hf, tvb, pinfo, ext_tree, offset, next_offset)) {
12289 /* Dissection did not end at expected location, fix it. */
12290 offset = next_offset;
12291 }
12292 }
12293
 /* JA3 (ClientHello only): append the supported groups and EC point formats
 * fields; a missing field still needs its ',' separator. */
12294 if (ja3) {
12295 if (hnd_type == SSL_HND_CLIENT_HELLO) {
12296 if(wmem_strbuf_get_len(ja3_sg) > 0) {
12297 wmem_strbuf_append_printf(ja3, "%s", wmem_strbuf_get_str(ja3_sg));
12298 } else {
12299 wmem_strbuf_append_c(ja3, ',');
12300 }
12301 if(wmem_strbuf_get_len(ja3_ecpf) > 0) {
12302 wmem_strbuf_append_printf(ja3, "%s", wmem_strbuf_get_str(ja3_ecpf));
12303 } else {
12304 wmem_strbuf_append_c(ja3, ',');
12305 }
12306 }
12307 }
12308
12309 /* Check if Extensions vector is correctly terminated. */
12310 if (!ssl_end_vector(hf, tvb, pinfo, tree, offset, offset_end)) {
12311 offset = offset_end;
12312 }
12313
12314 return offset;
12315} /* }}} */
12316
12317
12318/* ClientKeyExchange algo-specific dissectors. {{{ */
12319
static void
dissect_ssl3_hnd_cli_keyex_ecdh(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                                proto_tree *tree, uint32_t offset,
                                uint32_t length)
{
    /*
     * ClientKeyExchange for the ECDH(E) key exchanges (RFC 4492): the
     * client's public value is a single ECPoint, i.e. a one-octet length
     * followed by the encoded point. `length` is the size of the whole
     * exchange_keys body and only sizes the subtree item.
     */
    proto_tree *ecdh_tree = proto_tree_add_subtree(tree, tvb, offset, length,
            hf->ett.keyex_params, NULL, "EC Diffie-Hellman Client Params");

    /* ECPoint.point <1..2^8-1> */
    int point_len = tvb_get_uint8(tvb, offset);
    proto_tree_add_item(ecdh_tree, hf->hf.hs_client_keyex_point_len, tvb,
                        offset, 1, ENC_BIG_ENDIAN);
    proto_tree_add_item(ecdh_tree, hf->hf.hs_client_keyex_point, tvb,
                        offset + 1, point_len, ENC_NA);
}
12338
static void
dissect_ssl3_hnd_cli_keyex_dhe(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                               proto_tree *tree, uint32_t offset, uint32_t length)
{
    /*
     * ClientKeyExchange for the (ephemeral) finite-field DH key exchanges:
     * ClientDiffieHellmanPublic with explicit encoding, i.e. a two-octet
     * length followed by the client's public value Yc. `length` sizes the
     * subtree item only.
     */
    proto_tree *dh_tree = proto_tree_add_subtree(tree, tvb, offset, length,
            hf->ett.keyex_params, NULL, "Diffie-Hellman Client Params");

    /* ClientDiffieHellmanPublic.dh_Yc <1..2^16-1> */
    int yc_len = tvb_get_ntohs(tvb, offset);
    proto_tree_add_item(dh_tree, hf->hf.hs_client_keyex_yc_len, tvb,
                        offset, 2, ENC_BIG_ENDIAN);
    proto_tree_add_item(dh_tree, hf->hf.hs_client_keyex_yc, tvb,
                        offset + 2, yc_len, ENC_NA);
}
12356
static void
dissect_ssl3_hnd_cli_keyex_rsa(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                               proto_tree *tree, uint32_t offset,
                               uint32_t length, const SslSession *session)
{
    /*
     * ClientKeyExchange for RSA key transport: the EncryptedPreMasterSecret.
     * TLS and DTLS prefix it with a two-octet length; SSLv2/SSLv3 and the
     * OpenSSL pre-0.9.8f DTLS variant do not, in which case the whole
     * `length` bytes are the EPMS. `session->version` selects the variant.
     */
    proto_tree *rsa_tree = proto_tree_add_subtree(tree, tvb, offset, length,
            hf->ett.keyex_params, NULL, "RSA Encrypted PreMaster Secret");

    uint32_t epms_len;
    bool has_length_prefix = !(session->version == SSLV2_VERSION ||
                               session->version == SSLV3_VERSION ||
                               session->version == DTLSV1DOT0_OPENSSL_VERSION);

    if (!has_length_prefix) {
        /* OpenSSL pre-0.9.8f DTLS and pre-TLS quirk: 2-octet length vector is
         * not present. The handshake contents represents the EPMS, see:
         * https://gitlab.com/wireshark/wireshark/-/issues/10222 */
        epms_len = length;
    } else {
        /* EncryptedPreMasterSecret <0..2^16-1> */
        epms_len = tvb_get_ntohs(tvb, offset);
        proto_tree_add_item(rsa_tree, hf->hf.hs_client_keyex_epms_len, tvb,
                            offset, 2, ENC_BIG_ENDIAN);
        offset += 2;
    }

    proto_tree_add_item(rsa_tree, hf->hf.hs_client_keyex_epms, tvb,
                        offset, epms_len, ENC_NA);
}
12390
/*
 * Dissects the psk_identity part of a ClientKeyExchange (plain PSK suites,
 * and the leading part of the RSA-PSK / DHE-PSK / ECDHE-PSK bodies).
 *
 * The subtree is created open-ended (-1) and resized once the identity
 * length is known, so the caller need not know the size up front.
 *
 * Returns the number of bytes consumed (2 + identity length), so callers
 * can continue with the key-exchange-specific part that follows.
 */
static uint32_t
dissect_ssl3_hnd_cli_keyex_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                               proto_tree *tree, uint32_t offset)
{
    proto_tree *psk_tree = proto_tree_add_subtree(tree, tvb, offset, -1,
            hf->ett.keyex_params, NULL, "PSK Client Params");

    /* opaque psk_identity<0..2^16-1> */
    unsigned identity_len = tvb_get_ntohs(tvb, offset);
    proto_tree_add_item(psk_tree, hf->hf.hs_client_keyex_identity_len, tvb,
                        offset, 2, ENC_BIG_ENDIAN);
    proto_tree_add_item(psk_tree, hf->hf.hs_client_keyex_identity, tvb,
                        offset + 2, identity_len, ENC_NA);

    uint32_t consumed = 2 + identity_len;
    proto_item_set_len(psk_tree, consumed);
    return consumed;
}
12411
/*
 * Dissects a ClientKeyExchange for the RSA-PSK suites (RFC 4279):
 *
 *   opaque psk_identity<0..2^16-1>;
 *   EncryptedPreMasterSecret;     -- two-octet length, then the RSA ciphertext
 *
 * `length` is the size of the whole body and only sizes the subtree item.
 */
static void
dissect_ssl3_hnd_cli_keyex_rsa_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                                   proto_tree *tree, uint32_t offset,
                                   uint32_t length)
{
    proto_tree *psk_tree = proto_tree_add_subtree(tree, tvb, offset, length,
            hf->ett.keyex_params, NULL, "RSA PSK Client Params");

    /* psk_identity */
    int identity_len = tvb_get_ntohs(tvb, offset);
    proto_tree_add_item(psk_tree, hf->hf.hs_client_keyex_identity_len,
                        tvb, offset, 2, ENC_BIG_ENDIAN);
    proto_tree_add_item(psk_tree, hf->hf.hs_client_keyex_identity,
                        tvb, offset + 2, identity_len, ENC_NA);
    offset += 2 + identity_len;

    /* EncryptedPreMasterSecret (not Yc: RSA-PSK has no DH public value) */
    int epms_len = tvb_get_ntohs(tvb, offset);
    proto_tree_add_item(psk_tree, hf->hf.hs_client_keyex_epms_len, tvb,
                        offset, 2, ENC_BIG_ENDIAN);
    proto_tree_add_item(psk_tree, hf->hf.hs_client_keyex_epms, tvb,
                        offset + 2, epms_len, ENC_NA);
}
12439
/*
 * Dissects a ClientKeyExchange for the DHE-PSK suites (RFC 4279):
 *
 *   struct {
 *       select (KeyExchangeAlgorithm) {
 *           case diffie_hellman_psk:
 *               opaque psk_identity<0..2^16-1>;
 *               ClientDiffieHellmanPublic public;
 *       } exchange_keys;
 *   } ClientKeyExchange;
 *
 * The PSK identity is dissected first; the DH public value follows it and
 * gets the remainder of `length`. NOTE(review): `length - psk_len` is
 * unsigned and wraps if the identity claims more bytes than the message
 * holds; the tvb bounds checks in the callee are what catch that case.
 */
static void
dissect_ssl3_hnd_cli_keyex_dhe_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                                   proto_tree *tree, uint32_t offset, uint32_t length)
{
    uint32_t consumed = dissect_ssl3_hnd_cli_keyex_psk(hf, tvb, tree, offset);
    offset += consumed;
    length -= consumed;
    dissect_ssl3_hnd_cli_keyex_dhe(hf, tvb, tree, offset, length);
}
12458
/*
 * Dissects a ClientKeyExchange for the ECDHE-PSK suites (RFC 5489):
 *
 *   struct {
 *       select (KeyExchangeAlgorithm) {
 *           case ec_diffie_hellman_psk:
 *               opaque psk_identity<0..2^16-1>;
 *               ClientECDiffieHellmanPublic public;
 *       } exchange_keys;
 *   } ClientKeyExchange;
 *
 * The PSK identity is dissected first; the EC public point follows it and
 * gets the remainder of `length`. NOTE(review): `length - psk_len` is
 * unsigned and wraps if the identity claims more bytes than the message
 * holds; the tvb bounds checks in the callee are what catch that case.
 */
static void
dissect_ssl3_hnd_cli_keyex_ecdh_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                                    proto_tree *tree, uint32_t offset, uint32_t length)
{
    uint32_t consumed = dissect_ssl3_hnd_cli_keyex_psk(hf, tvb, tree, offset);
    offset += consumed;
    length -= consumed;
    dissect_ssl3_hnd_cli_keyex_ecdh(hf, tvb, tree, offset, length);
}
12477
/*
 * Dissects a ClientKeyExchange for the EC J-PAKE suites:
 *
 *   struct {
 *       ECPoint V;
 *       opaque r<1..2^8-1>;
 *   } ECSchnorrZKP;
 *
 *   struct {
 *       ECPoint X;
 *       ECSchnorrZKP zkp;
 *   } ECJPAKEKeyKP;
 *
 *   struct {
 *       ECJPAKEKeyKP ecjpake_key_kp;
 *   } ClientECJPAKEParams;
 *
 *   select (KeyExchangeAlgorithm) {
 *       case ecjpake:
 *           ClientECJPAKEParams params;
 *   } ClientKeyExchange;
 *
 * On the wire this is three consecutive one-octet-length-prefixed opaque
 * fields: X, then the ZKP's V and r. `length` sizes the subtree item only.
 */
static void
dissect_ssl3_hnd_cli_keyex_ecjpake(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                                   proto_tree *tree, uint32_t offset,
                                   uint32_t length)
{
    proto_tree *ecjpake_tree = proto_tree_add_subtree(tree, tvb, offset, length,
            hf->ett.keyex_params, NULL,
            "EC J-PAKE Client Params");

    /* Wire order: ECJPAKEKeyKP.X, ECJPAKEKeyKP.zkp.V, ECJPAKEKeyKP.zkp.r */
    const struct {
        int hf_len;
        int hf_value;
    } fields[] = {
        { hf->hf.hs_client_keyex_xc_len, hf->hf.hs_client_keyex_xc },
        { hf->hf.hs_client_keyex_vc_len, hf->hf.hs_client_keyex_vc },
        { hf->hf.hs_client_keyex_rc_len, hf->hf.hs_client_keyex_rc },
    };

    for (size_t i = 0; i < sizeof fields / sizeof fields[0]; i++) {
        int field_len = tvb_get_uint8(tvb, offset);
        proto_tree_add_item(ecjpake_tree, fields[i].hf_len, tvb,
                            offset, 1, ENC_BIG_ENDIAN);
        proto_tree_add_item(ecjpake_tree, fields[i].hf_value, tvb,
                            offset + 1, field_len, ENC_NA);
        offset += 1 + field_len;
    }
}
12535
static void
dissect_ssl3_hnd_cli_keyex_ecc_sm2(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                                   proto_tree *tree, uint32_t offset,
                                   uint32_t length)
{
    /*
     * ClientKeyExchange for the ECC-SM2 suites: like RSA key transport, the
     * body is a two-octet length followed by the encrypted pre-master
     * secret. `length` sizes the subtree item only.
     */
    proto_tree *sm2_tree = proto_tree_add_subtree(tree, tvb, offset, length,
            hf->ett.keyex_params, NULL,
            "ECC-SM2 Encrypted PreMaster Secret");

    /* EncryptedPreMasterSecret <0..2^16-1> */
    int epms_len = tvb_get_ntohs(tvb, offset);
    proto_tree_add_item(sm2_tree, hf->hf.hs_client_keyex_epms_len, tvb,
                        offset, 2, ENC_BIG_ENDIAN);
    proto_tree_add_item(sm2_tree, hf->hf.hs_client_keyex_epms, tvb,
                        offset + 2, epms_len, ENC_NA);
}
12555/* ClientKeyExchange algo-specific dissectors. }}} */
12556
12557
/* Dissects DigitallySigned (see RFC 5246 4.7 Cryptographic Attributes). {{{ */
/*
 * For (D)TLS 1.2 and later a two-octet SignatureAndHashAlgorithm precedes
 * the signature; earlier versions carry only the signature vector.
 *
 * `hf_sig_len` / `hf_sig` are the caller's header fields for the signature
 * length and value (they differ between ServerKeyExchange and
 * CertificateVerify). Returns the offset just past the signature, or
 * `offset_end` when the signature length does not fit in the remaining
 * bytes (ssl_add_vector reports that as an expert item).
 */
static uint32_t
ssl_dissect_digitally_signed(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                             proto_tree *tree, uint32_t offset, uint32_t offset_end,
                             uint16_t version, int hf_sig_len, int hf_sig)
{
    bool has_sig_alg = version == TLSV1DOT2_VERSION ||
                       version == DTLSV1DOT2_VERSION ||
                       version == TLSV1DOT3_VERSION ||
                       version == DTLSV1DOT3_VERSION;

    /* SignatureAndHashAlgorithm algorithm (TLS 1.2+ only) */
    if (has_sig_alg) {
        tls_dissect_signature_algorithm(hf, tvb, tree, offset, NULL);
        offset += 2;
    }

    /* opaque signature<0..2^16-1> */
    uint32_t sig_len;
    if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &sig_len,
                        hf_sig_len, 0, UINT16_MAX)) {
        return offset_end;
    }
    offset += 2;
    proto_tree_add_item(tree, hf_sig, tvb, offset, sig_len, ENC_NA);

    return offset + sig_len;
} /* }}} */
12589
12590/* ServerKeyExchange algo-specific dissectors. {{{ */
12591
/*
 * Dissects the `signed_params` field at the end of a ServerKeyExchange for
 * the authenticated key exchanges (DHE_RSA, DHE_DSS, ECDHE_*, RSA_EXPORT),
 * see RFC 5246 section 7.4.3.
 *
 * The signature itself is a DigitallySigned structure; for (D)TLS 1.2+ it
 * starts with an explicit SignatureAndHashAlgorithm, for TLS 1.0/1.1 and
 * SSLv3 only the signature vector is present (the hash is implied by the
 * cipher suite). The version split is handled by ssl_dissect_digitally_signed.
 */
static void
dissect_ssl3_hnd_srv_keyex_sig(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                               proto_tree *tree, uint32_t offset, uint32_t offset_end,
                               uint16_t version)
{
    (void) ssl_dissect_digitally_signed(hf, tvb, pinfo, tree, offset, offset_end,
                                        version,
                                        hf->hf.hs_server_keyex_sig_len,
                                        hf->hf.hs_server_keyex_sig);
}
12616
/*
 * Dissects ECParameters (RFC 4492):
 *
 *   struct {
 *       ECCurveType    curve_type;
 *       select (curve_type) {
 *           case explicit_prime: ...
 *           case explicit_char2: ...
 *           case named_curve:    NamedCurve namedcurve;
 *       };
 *   } ECParameters;
 *
 * Only named_curve (3) is decoded. For the explicit encodings the function
 * gives up and returns `offset_end`, which callers treat as "nothing more
 * to dissect"; otherwise it returns the offset just past the NamedCurve.
 */
static uint32_t
dissect_tls_ecparameters(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree, uint32_t offset, uint32_t offset_end)
{
    /* ECParameters.curve_type */
    int curve_type = tvb_get_uint8(tvb, offset);
    proto_tree_add_item(tree, hf->hf.hs_server_keyex_curve_type, tvb,
                        offset, 1, ENC_BIG_ENDIAN);
    offset += 1;

    /* explicit_prime (1) and explicit_char2 (2) are not supported */
    const int curve_type_named_curve = 3;
    if (curve_type != curve_type_named_curve) {
        return offset_end;
    }

    /* ECParameters.namedcurve */
    proto_tree_add_item(tree, hf->hf.hs_server_keyex_named_curve, tvb,
                        offset, 2, ENC_BIG_ENDIAN);
    return offset + 2;
}
12654
static void
dissect_ssl3_hnd_srv_keyex_ecdh(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                                proto_tree *tree, uint32_t offset, uint32_t offset_end,
                                uint16_t version, bool anon)
{
    /*
     * RFC 4492 ECC cipher suites for TLS
     *
     *   struct {
     *       opaque point <1..2^8-1>;
     *   } ECPoint;
     *
     *   struct {
     *       ECParameters curve_params;
     *       ECPoint      public;
     *   } ServerECDHParams;
     *
     *   select (KeyExchangeAlgorithm) {
     *       case ec_diffie_hellman:
     *           ServerECDHParams params;
     *           Signature        signed_params;
     *   } ServerKeyExchange;
     *
     * `anon` is true for ECDH_anon and for the ECDHE-PSK wrapper, which
     * carry no signed_params. `version` is only needed for the signature.
     */
    proto_tree *ecdh_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
            hf->ett.keyex_params, NULL, "EC Diffie-Hellman Server Params");

    /* ServerECDHParams.curve_params; returns offset_end for unsupported curve types */
    offset = dissect_tls_ecparameters(hf, tvb, ecdh_tree, offset, offset_end);
    if (offset >= offset_end) {
        return;
    }

    /* ServerECDHParams.public (ECPoint) */
    int point_len = tvb_get_uint8(tvb, offset);
    proto_tree_add_item(ecdh_tree, hf->hf.hs_server_keyex_point_len, tvb,
                        offset, 1, ENC_BIG_ENDIAN);
    proto_tree_add_item(ecdh_tree, hf->hf.hs_server_keyex_point, tvb,
                        offset + 1, point_len, ENC_NA);
    offset += 1 + point_len;

    /* signed_params, absent for anonymous key exchange */
    if (anon) {
        return;
    }
    dissect_ssl3_hnd_srv_keyex_sig(hf, tvb, pinfo, ecdh_tree, offset, offset_end, version);
}
12702
static void
dissect_ssl3_hnd_srv_keyex_dhe(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                               proto_tree *tree, uint32_t offset, uint32_t offset_end,
                               uint16_t version, bool anon)
{
    /*
     * ServerKeyExchange for the finite-field DH key exchanges (RFC 5246
     * section 7.4.3): ServerDHParams { dh_p, dh_g, dh_Ys }, each a two-octet
     * length-prefixed opaque, followed by signed_params unless `anon`
     * (DH_anon, or the DHE-PSK wrapper) is set.
     */
    proto_tree *dh_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
            hf->ett.keyex_params, NULL, "Diffie-Hellman Server Params");

    /* ServerDHParams.dh_p */
    int p_len = tvb_get_ntohs(tvb, offset);
    proto_tree_add_item(dh_tree, hf->hf.hs_server_keyex_p_len, tvb,
                        offset, 2, ENC_BIG_ENDIAN);
    offset += 2;
    proto_tree_add_item(dh_tree, hf->hf.hs_server_keyex_p, tvb,
                        offset, p_len, ENC_NA);
    offset += p_len;

    /* ServerDHParams.dh_g */
    int g_len = tvb_get_ntohs(tvb, offset);
    proto_tree_add_item(dh_tree, hf->hf.hs_server_keyex_g_len, tvb,
                        offset, 2, ENC_BIG_ENDIAN);
    offset += 2;
    proto_tree_add_item(dh_tree, hf->hf.hs_server_keyex_g, tvb,
                        offset, g_len, ENC_NA);
    offset += g_len;

    /* ServerDHParams.dh_Ys (length added via add_uint, matching the hf type) */
    int ys_len = tvb_get_ntohs(tvb, offset);
    proto_tree_add_uint(dh_tree, hf->hf.hs_server_keyex_ys_len, tvb,
                        offset, 2, ys_len);
    offset += 2;
    proto_tree_add_item(dh_tree, hf->hf.hs_server_keyex_ys, tvb,
                        offset, ys_len, ENC_NA);
    offset += ys_len;

    /* signed_params, absent for anonymous key exchange */
    if (anon) {
        return;
    }
    dissect_ssl3_hnd_srv_keyex_sig(hf, tvb, pinfo, dh_tree, offset, offset_end, version);
}
12743
/*
 * Dissects a ServerKeyExchange for the RSA-EXPORT suites: a temporary RSA
 * key as ServerRSAParams { rsa_modulus, rsa_exponent } (each a two-octet
 * length-prefixed opaque), always followed by signed_params.
 */
static void
dissect_ssl3_hnd_srv_keyex_rsa(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                               proto_tree *tree, uint32_t offset, uint32_t offset_end,
                               uint16_t version)
{
    proto_tree *rsa_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
            hf->ett.keyex_params, NULL, "RSA-EXPORT Server Params");

    /* ServerRSAParams.rsa_modulus */
    int modulus_len = tvb_get_ntohs(tvb, offset);
    proto_tree_add_item(rsa_tree, hf->hf.hs_server_keyex_modulus_len, tvb,
                        offset, 2, ENC_BIG_ENDIAN);
    offset += 2;
    proto_tree_add_item(rsa_tree, hf->hf.hs_server_keyex_modulus, tvb,
                        offset, modulus_len, ENC_NA);
    offset += modulus_len;

    /* ServerRSAParams.rsa_exponent */
    int exponent_len = tvb_get_ntohs(tvb, offset);
    proto_tree_add_item(rsa_tree, hf->hf.hs_server_keyex_exponent_len,
                        tvb, offset, 2, ENC_BIG_ENDIAN);
    offset += 2;
    proto_tree_add_item(rsa_tree, hf->hf.hs_server_keyex_exponent,
                        tvb, offset, exponent_len, ENC_NA);
    offset += exponent_len;

    /* signed_params (RSA-EXPORT is never anonymous) */
    dissect_ssl3_hnd_srv_keyex_sig(hf, tvb, pinfo, rsa_tree, offset, offset_end, version);
}
12775
/*
 * Dissects the psk_identity_hint part of a ServerKeyExchange (PSK and
 * RSA-PSK suites, and the leading part of the DHE-PSK / ECDHE-PSK bodies).
 *
 * The subtree is created open-ended (-1) and resized once the hint length
 * is known. Returns the number of bytes consumed (2 + hint length) so the
 * caller can continue with whatever follows the hint.
 */
static uint32_t
dissect_ssl3_hnd_srv_keyex_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                               proto_tree *tree, uint32_t offset)
{
    proto_tree *psk_tree = proto_tree_add_subtree(tree, tvb, offset, -1,
            hf->ett.keyex_params, NULL, "PSK Server Params");

    /* opaque psk_identity_hint<0..2^16-1> */
    unsigned hint_len = tvb_get_ntohs(tvb, offset);
    proto_tree_add_item(psk_tree, hf->hf.hs_server_keyex_hint_len, tvb,
                        offset, 2, ENC_BIG_ENDIAN);
    proto_tree_add_item(psk_tree, hf->hf.hs_server_keyex_hint, tvb,
                        offset + 2, hint_len, ENC_NA);

    uint32_t consumed = 2 + hint_len;
    proto_item_set_len(psk_tree, consumed);
    return consumed;
}
12797
/*
 * Dissects a ServerKeyExchange for the DHE-PSK suites (RFC 4279):
 *
 *   struct {
 *       select (KeyExchangeAlgorithm) {
 *           case diffie_hellman_psk:
 *               opaque psk_identity_hint<0..2^16-1>;
 *               ServerDHParams params;
 *       };
 *   } ServerKeyExchange;
 *
 * The hint is dissected first, then the DH parameters. DHE-PSK carries no
 * signature, so the DH dissector is called with anon=true and the version
 * argument (only used for the signature) is irrelevant.
 */
static void
dissect_ssl3_hnd_srv_keyex_dhe_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                                   proto_tree *tree, uint32_t offset, uint32_t offset_end)
{
    uint32_t hint_consumed = dissect_ssl3_hnd_srv_keyex_psk(hf, tvb, tree, offset);
    offset += hint_consumed;
    dissect_ssl3_hnd_srv_keyex_dhe(hf, tvb, pinfo, tree, offset, offset_end,
                                   /* version */ 0, /* anon */ true);
}
12816
/*
 * Dissects a ServerKeyExchange for the ECDHE-PSK suites (RFC 5489):
 *
 *   struct {
 *       select (KeyExchangeAlgorithm) {
 *           case ec_diffie_hellman_psk:
 *               opaque psk_identity_hint<0..2^16-1>;
 *               ServerECDHParams params;
 *       };
 *   } ServerKeyExchange;
 *
 * The hint is dissected first, then the ECDH parameters. ECDHE-PSK carries
 * no signature, so the ECDH dissector is called with anon=true and the
 * version argument (only used for the signature) is irrelevant.
 */
static void
dissect_ssl3_hnd_srv_keyex_ecdh_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                                    proto_tree *tree, uint32_t offset, uint32_t offset_end)
{
    uint32_t hint_consumed = dissect_ssl3_hnd_srv_keyex_psk(hf, tvb, tree, offset);
    offset += hint_consumed;
    dissect_ssl3_hnd_srv_keyex_ecdh(hf, tvb, pinfo, tree, offset, offset_end,
                                    /* version */ 0, /* anon */ true);
}
12835
/*
 * Dissects a ServerKeyExchange for the EC J-PAKE suites:
 *
 *   struct {
 *       ECPoint V;
 *       opaque r<1..2^8-1>;
 *   } ECSchnorrZKP;
 *
 *   struct {
 *       ECPoint X;
 *       ECSchnorrZKP zkp;
 *   } ECJPAKEKeyKP;
 *
 *   struct {
 *       ECParameters curve_params;
 *       ECJPAKEKeyKP ecjpake_key_kp;
 *   } ServerECJPAKEParams;
 *
 *   select (KeyExchangeAlgorithm) {
 *       case ecjpake:
 *           ServerECJPAKEParams params;
 *   } ServerKeyExchange;
 *
 * After the curve parameters this is three consecutive one-octet-length-
 * prefixed opaque fields: X, then the ZKP's V and r. Unsupported curve
 * types make dissect_tls_ecparameters return offset_end, in which case the
 * key pair is not dissected.
 */
static void
dissect_ssl3_hnd_srv_keyex_ecjpake(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                                   proto_tree *tree, uint32_t offset, uint32_t offset_end)
{
    proto_tree *ecjpake_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
            hf->ett.keyex_params, NULL,
            "EC J-PAKE Server Params");

    /* ServerECJPAKEParams.curve_params */
    offset = dissect_tls_ecparameters(hf, tvb, ecjpake_tree, offset, offset_end);
    if (offset >= offset_end) {
        return;
    }

    /* Wire order: ECJPAKEKeyKP.X, ECJPAKEKeyKP.zkp.V, ECJPAKEKeyKP.zkp.r */
    const struct {
        int hf_len;
        int hf_value;
    } fields[] = {
        { hf->hf.hs_server_keyex_xs_len, hf->hf.hs_server_keyex_xs },
        { hf->hf.hs_server_keyex_vs_len, hf->hf.hs_server_keyex_vs },
        { hf->hf.hs_server_keyex_rs_len, hf->hf.hs_server_keyex_rs },
    };

    for (size_t i = 0; i < sizeof fields / sizeof fields[0]; i++) {
        int field_len = tvb_get_uint8(tvb, offset);
        proto_tree_add_item(ecjpake_tree, fields[i].hf_len, tvb,
                            offset, 1, ENC_BIG_ENDIAN);
        proto_tree_add_item(ecjpake_tree, fields[i].hf_value, tvb,
                            offset + 1, field_len, ENC_NA);
        offset += 1 + field_len;
    }
}
12897
/* Only used in ECC-SM2-EXPORT cipher suites (GB/T 38636). */
static void
dissect_ssl3_hnd_srv_keyex_ecc_sm2(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                                   proto_tree *tree, uint32_t offset, uint32_t offset_end,
                                   uint16_t version)
{
    /* The whole ServerKeyExchange body is shown as one params subtree that
     * contains nothing but the signature; version selects the signature
     * encoding in the shared signature dissector. */
    proto_tree *params_tree;

    params_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
                                         hf->ett.keyex_params, NULL, "ECC-SM2-EXPORT Server Params");

    dissect_ssl3_hnd_srv_keyex_sig(hf, tvb, pinfo, params_tree, offset, offset_end, version);
}
12912/* ServerKeyExchange algo-specific dissectors. }}} */
12913
12914/* Client Key Exchange and Server Key Exchange handshake dissections. {{{ */
void
ssl_dissect_hnd_cli_keyex(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                          proto_tree *tree, uint32_t offset, uint32_t length,
                          const SslSession *session)
{
    /*
     * Dispatch the ClientKeyExchange body to the dissector for the key
     * exchange algorithm of the negotiated cipher suite. Suites that are
     * known but not decoded (Kerberos, SRP), and suites that are unknown
     * or not yet negotiated (session->cipher == 0), get an expert-info
     * note over the whole body instead.
     */
    int kex = ssl_get_keyex_alg(session->cipher);

    switch (kex) {
    case KEX_RSA:                   /* RFC 5246; rsa: EncryptedPreMasterSecret */
        dissect_ssl3_hnd_cli_keyex_rsa(hf, tvb, tree, offset, length, session);
        return;

    case KEX_RSA_PSK:               /* RFC 4279; rsa_psk: psk_identity, EncryptedPreMasterSecret */
        dissect_ssl3_hnd_cli_keyex_rsa_psk(hf, tvb, tree, offset, length);
        return;

    case KEX_PSK:                   /* RFC 4279; psk: psk_identity */
        dissect_ssl3_hnd_cli_keyex_psk(hf, tvb, tree, offset);
        return;

    case KEX_DHE_PSK:               /* RFC 4279; diffie_hellman_psk: psk_identity, ClientDiffieHellmanPublic */
        dissect_ssl3_hnd_cli_keyex_dhe_psk(hf, tvb, tree, offset, length);
        return;

    case KEX_ECDHE_PSK:             /* RFC 5489; ec_diffie_hellman_psk: psk_identity, ClientECDiffieHellmanPublic */
        dissect_ssl3_hnd_cli_keyex_ecdh_psk(hf, tvb, tree, offset, length);
        return;

    /* RFC 5246; DHE_DSS, DHE_RSA, DH_DSS, DH_RSA, DH_ANON: ClientDiffieHellmanPublic */
    case KEX_DH_ANON:
    case KEX_DH_DSS:
    case KEX_DH_RSA:
    case KEX_DHE_DSS:
    case KEX_DHE_RSA:
        dissect_ssl3_hnd_cli_keyex_dhe(hf, tvb, tree, offset, length);
        return;

    /* RFC 4492; ec_diffie_hellman: ClientECDiffieHellmanPublic */
    case KEX_ECDH_ANON:
    case KEX_ECDH_ECDSA:
    case KEX_ECDH_RSA:
    case KEX_ECDHE_ECDSA:
    case KEX_ECDHE_RSA:
        dissect_ssl3_hnd_cli_keyex_ecdh(hf, tvb, tree, offset, length);
        return;

    case KEX_ECJPAKE:               /* https://tools.ietf.org/html/draft-cragie-tls-ecjpake-01 used in Thread Commissioning */
        dissect_ssl3_hnd_cli_keyex_ecjpake(hf, tvb, tree, offset, length);
        return;

    case KEX_ECC_SM2:               /* GB/T 38636 */
        dissect_ssl3_hnd_cli_keyex_ecc_sm2(hf, tvb, tree, offset, length);
        return;

    case KEX_KRB5:                  /* RFC 2712; krb5: KerberosWrapper */
        /* XXX: implement support for KRB5 */
        proto_tree_add_expert_format(tree, NULL, &hf->ei.hs_ciphersuite_undecoded,
                                     tvb, offset, length,
                                     "Kerberos ciphersuites (RFC 2712) are not implemented, contact Wireshark"
                                     " developers if you want them to be supported");
        return;

    /* RFC 5054; srp: ClientSRPPublic */
    case KEX_SRP_SHA:
    case KEX_SRP_SHA_DSS:
    case KEX_SRP_SHA_RSA:
        /* XXX: implement support for SRP_SHA* */
        proto_tree_add_expert_format(tree, NULL, &hf->ei.hs_ciphersuite_undecoded,
                                     tvb, offset, length,
                                     "SRP_SHA ciphersuites (RFC 5054) are not implemented, contact Wireshark"
                                     " developers if you want them to be supported");
        return;

    default:
        break;
    }

    /* Either no ServerHello was seen (cipher still 0) or the suite's key
     * exchange is not one we decode. */
    if (session->cipher == 0) {
        proto_tree_add_expert_format(tree, NULL, &hf->ei.hs_ciphersuite_undecoded,
                                     tvb, offset, length,
                                     "Cipher Suite not found");
    } else {
        proto_tree_add_expert_format(tree, NULL, &hf->ei.hs_ciphersuite_undecoded,
                                     tvb, offset, length,
                                     "Cipher Suite 0x%04x is not implemented, "
                                     "contact Wireshark developers if you want this to be supported",
                                     session->cipher);
    }
}
12987
void
ssl_dissect_hnd_srv_keyex(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                          proto_tree *tree, uint32_t offset, uint32_t offset_end,
                          const SslSession *session)
{
    /*
     * Dispatch the ServerKeyExchange body [offset, offset_end) to the
     * dissector for the key exchange algorithm of the negotiated cipher
     * suite. Static DH/ECDH-with-cert and Kerberos suites must not send
     * this message at all and are flagged as illegal; SRP and unknown or
     * not-yet-negotiated suites get an "undecoded" expert note instead.
     *
     * For the ephemeral variants the last argument says whether the params
     * are unsigned (anon) or are followed by a Signature.
     */
    uint32_t span = offset_end - offset;
    int kex = ssl_get_keyex_alg(session->cipher);

    switch (kex) {
    case KEX_RSA:                   /* only allowed if the public key in the server certificate is longer than 512 bits */
        dissect_ssl3_hnd_srv_keyex_rsa(hf, tvb, pinfo, tree, offset, offset_end, session->version);
        return;

    case KEX_PSK:                   /* RFC 4279; psk, rsa: psk_identity */
    case KEX_RSA_PSK:
        dissect_ssl3_hnd_srv_keyex_psk(hf, tvb, tree, offset);
        return;

    case KEX_DHE_PSK:               /* RFC 4279; diffie_hellman_psk: psk_identity_hint, ServerDHParams */
        dissect_ssl3_hnd_srv_keyex_dhe_psk(hf, tvb, pinfo, tree, offset, offset_end);
        return;

    case KEX_ECDHE_PSK:             /* RFC 5489; psk_identity_hint, ServerECDHParams */
        dissect_ssl3_hnd_srv_keyex_ecdh_psk(hf, tvb, pinfo, tree, offset, offset_end);
        return;

    case KEX_DH_ANON:               /* RFC 5246; ServerDHParams, no signature */
        dissect_ssl3_hnd_srv_keyex_dhe(hf, tvb, pinfo, tree, offset, offset_end, session->version, true);
        return;

    case KEX_DHE_DSS:               /* RFC 5246; dhe_dss, dhe_rsa: ServerDHParams, Signature */
    case KEX_DHE_RSA:
        dissect_ssl3_hnd_srv_keyex_dhe(hf, tvb, pinfo, tree, offset, offset_end, session->version, false);
        return;

    case KEX_ECDH_ANON:             /* RFC 4492; ServerECDHParams, no signature */
        dissect_ssl3_hnd_srv_keyex_ecdh(hf, tvb, pinfo, tree, offset, offset_end, session->version, true);
        return;

    case KEX_ECDH_ECDSA:            /* RFC 4492; ec_diffie_hellman: ServerECDHParams, Signature */
    case KEX_ECDH_RSA:
    case KEX_ECDHE_ECDSA:
    case KEX_ECDHE_RSA:
        dissect_ssl3_hnd_srv_keyex_ecdh(hf, tvb, pinfo, tree, offset, offset_end, session->version, false);
        return;

    case KEX_ECJPAKE:               /* https://tools.ietf.org/html/draft-cragie-tls-ecjpake-01 used in Thread Commissioning */
        dissect_ssl3_hnd_srv_keyex_ecjpake(hf, tvb, tree, offset, offset_end);
        return;

    case KEX_ECC_SM2:               /* GB/T 38636 */
        dissect_ssl3_hnd_srv_keyex_ecc_sm2(hf, tvb, pinfo, tree, offset, offset_end, session->version);
        return;

    case KEX_DH_DSS:                /* RFC 5246; not allowed */
    case KEX_DH_RSA:
    case KEX_KRB5:                  /* RFC 2712; not allowed */
        proto_tree_add_expert(tree, NULL, &hf->ei.hs_srv_keyex_illegal,
                              tvb, offset, span);
        return;

    case KEX_SRP_SHA:               /* RFC 5054; srp: ServerSRPParams, Signature */
    case KEX_SRP_SHA_DSS:
    case KEX_SRP_SHA_RSA:
        /* XXX: implement support for SRP_SHA* */
        proto_tree_add_expert_format(tree, NULL, &hf->ei.hs_ciphersuite_undecoded,
                                     tvb, offset, span,
                                     "SRP_SHA ciphersuites (RFC 5054) are not implemented, contact Wireshark"
                                     " developers if you want them to be supported");
        return;

    default:
        break;
    }

    /* Either no ServerHello was seen (cipher still 0) or the suite's key
     * exchange is not one we decode. */
    if (session->cipher == 0) {
        proto_tree_add_expert_format(tree, NULL, &hf->ei.hs_ciphersuite_undecoded,
                                     tvb, offset, span,
                                     "Cipher Suite not found");
    } else {
        proto_tree_add_expert_format(tree, NULL, &hf->ei.hs_ciphersuite_undecoded,
                                     tvb, offset, span,
                                     "Cipher Suite 0x%04x is not implemented, "
                                     "contact Wireshark developers if you want this to be supported",
                                     session->cipher);
    }
}
13062/* Client Key Exchange and Server Key Exchange handshake dissections. }}} */
13063
void
tls13_dissect_hnd_key_update(ssl_common_dissect_t *hf, tvbuff_t *tvb,
                             proto_tree *tree, uint32_t offset)
{
    /*
     * RFC 8446 Section 4.6.3 -- the KeyUpdate body is a single octet:
     *
     *     enum {
     *         update_not_requested(0), update_requested(1), (255)
     *     } KeyUpdateRequest;
     *
     *     struct {
     *         KeyUpdateRequest request_update;
     *     } KeyUpdate;
     *
     * Only the field is added to the tree here; any key-schedule effect of
     * a KeyUpdate is handled elsewhere.
     */
    const int request_update_len = 1;

    proto_tree_add_item(tree, hf->hf.hs_key_update_request_update, tvb,
                        offset, request_update_len, ENC_NA);
}
13079
void
ssl_common_register_ssl_alpn_dissector_table(const char *name,
                                             const char *ui_name, const int proto)
{
    /* Create the TLS ALPN dissector table (keyed by the case-sensitive
     * protocol-name string) and keep the historical "ssl." name resolving
     * to the same table. */
    ssl_alpn_dissector_table =
        register_dissector_table(name, ui_name, proto, FT_STRING, STRING_CASE_SENSITIVE);

    register_dissector_table_alias(ssl_alpn_dissector_table,
                                   "ssl.handshake.extensions_alpn_str");
}
13088
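void
ssl_common_register_dtls_alpn_dissector_table(const char *name,
                                              const char *ui_name, const int proto)
{
    /* Create the DTLS ALPN dissector table (keyed by the case-sensitive
     * protocol-name string) and keep the historical "dtls." name resolving
     * to the same table.
     *
     * NOTE(review): the alias used to be attached to ssl_alpn_dissector_table
     * (copied from the TLS variant above), so "dtls.handshake.extensions_alpn_str"
     * pointed at the TLS table and the DTLS table had no alias at all. The
     * alias now refers to the table registered here. */
    dtls_alpn_dissector_table =
        register_dissector_table(name, ui_name, proto, FT_STRING, STRING_CASE_SENSITIVE);

    register_dissector_table_alias(dtls_alpn_dissector_table,
                                   "dtls.handshake.extensions_alpn_str");
}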
13097
void
ssl_common_register_options(module_t *module, ssl_common_options_t *options, bool is_dtls)
{
    /*
     * Register the preferences shared by the TLS and DTLS dissectors.
     * Both get a "psk" string preference. The keylog file preference is
     * only registered for TLS; DTLS marks its old "keylog_file" as
     * obsolete and points the user at the TLS preference instead, since
     * one keylog file serves both protocols.
     *
     * Registration order is kept as-is because it determines how the
     * preferences are listed.
     */
    static const char keylog_help[] =
        "The name of a file which contains a list of \n"
        "(pre-)master secrets in one of the following formats:\n"
        "\n"
        "RSA <EPMS> <PMS>\n"
        "RSA Session-ID:<SSLID> Master-Key:<MS>\n"
        "CLIENT_RANDOM <CRAND> <MS>\n"
        "PMS_CLIENT_RANDOM <CRAND> <PMS>\n"
        "\n"
        "Where:\n"
        "<EPMS> = First 8 bytes of the Encrypted PMS\n"
        "<PMS> = The Pre-Master-Secret (PMS) used to derive the MS\n"
        "<SSLID> = The SSL Session ID\n"
        "<MS> = The Master-Secret (MS)\n"
        "<CRAND> = The Client's random number from the ClientHello message\n"
        "\n"
        "(All fields are in hex notation)";

    prefs_register_string_preference(module, "psk", "Pre-Shared Key",
                                     "Pre-Shared Key as HEX string. Should be 0 to 16 bytes.",
                                     &(options->psk));

    if (is_dtls) {
        prefs_register_obsolete_preference(module, "keylog_file");
        prefs_register_static_text_preference(module, "keylog_file_removed",
            "The (Pre)-Master-Secret log filename preference can be configured in the TLS protocol preferences.",
            "Use the TLS protocol preference to configure the keylog file for both DTLS and TLS.");
        return;
    }

    prefs_register_filename_preference(module, "keylog_file", "(Pre)-Master-Secret log filename",
                                       keylog_help, &(options->keylog_filename), false);
}
13132
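void
ssl_calculate_handshake_hash(SslDecryptSession *ssl_session, tvbuff_t *tvb, uint32_t offset, uint32_t length, uint8_t msg_type, bool is_from_server)
{
    /*
     * Append one handshake message to the session's running transcript
     * (ssl_session->handshake_data). The transcript is hashed later: in
     * [D]TLS 1.2 for the extended master secret of RFC 7627, and in
     * [D]TLS 1.3 for computing the secrets, though the latter is only
     * useful when psk_ke (PSK-only key exchange) is negotiated.
     *
     * ssl_session    per-session decryption state; NULL is a no-op.
     * tvb            handshake bytes to append, or NULL to append `length`
     *                zero bytes (DTLS fragment-header normalisation, below).
     * offset, length span of tvb to copy; silently skipped if the bytes are
     *                not all present in tvb.
     * msg_type       HandshakeType of the message being recorded; decides
     *                together with the version whether it belongs in the
     *                transcript at all.
     * is_from_server direction; in 1.3 only the server's Certificate,
     *                CertificateVerify and Finished are recorded.
     */
    if (!ssl_session)
        return;

    switch (ssl_session->session.version) {
    /* The handshake message types used in the handshake hash are different
     * in different versions. [D]TLS 1.3 tracks the messages up to the
     * Finished, whereas 1.2 stops at the ClientKeyExchange. However, all start
     * at the ClientHello and include the messages up to the ServerHello, at
     * which point we know the version.
     *
     * XXX - However, DTLS 1.2 includes the DTLS-specific fragment info fields
     * in its handshake transcript, whereas DTLS 1.3 does not (using the same
     * format as TLS 1.3). We don't know at the point of the ClientHello which
     * version will be used, so PSK only likely doesn't work for DTLS 1.3 yet.
     *
     * XXX - When the server responds with a HelloRetryRequest, for subsequent
     * hashes (other than the first PSK Binder, see 4.2.11.2) ClientHello1 is
     * replaced with a synthetic handshake message of type "message_hash",
     * per RFC 8446 4.4.1. We aren't concerned with that now, as a HRR generally
     * rules out PSK-only key exchange, which is what we calculate the hash for
     * here. (The possible exception is when a server sends a HRR to reject
     * early data but the server and client otherwise agree on psk_ke, if
     * any client/server pairs support that.) We do support that in the context
     * of computing the hash for Encrypted Client Hello; see elsewhere.
     */
    case TLSV1DOT3_VERSION:
    case DTLSV1DOT3_VERSION:
        /* In [D]TLS 1.3 only the following handshake messages are used in the
         * handshake transcript. EndOfEarlyData and the Client Certificate,
         * Certificate Verify, and Finished are used in deriving the
         * resumption_master_secret but not the other secrets derived from
         * the master secret (client or server app traffic secret, exporter
         * secret). We don't yet support calculating a PSK to resume via
         * the resumption_master_secret, so we simply stop the transcript
         * with the server Finished. See RFC 8446 4.4.1 & 7.1 */
        switch (msg_type) {
        case SSL_HND_CLIENT_HELLO:
        case SSL_HND_SERVER_HELLO:
        case SSL_HND_HELLO_RETRY_REQUEST:
        case SSL_HND_ENCRYPTED_EXTENSIONS:
        case SSL_HND_CERT_REQUEST:
            break;
        case SSL_HND_CERTIFICATE:
        case SSL_HND_CERT_VERIFY:
        case SSL_HND_FINISHED:
            /* Client-side copies of these are not part of the hash we need. */
            if (!is_from_server)
                return;
            break;
        case SSL_HND_END_OF_EARLY_DATA:
        default:
            /* NewSessionTicket, KeyUpdate, client EndOfEarlyData, ...: never hashed. */
            return;
        }
        break;
    default:
        /* In [D]TLS 1.2, the handshake hash for the Extended Master Secret
         * (RFC 7627) is calculated up to and including ClientKeyExchange,
         * but the keys are not retrieved until ChangeCipherSpec later. If
         * mutual authentication is requested by the server, an intervening
         * CertificateVerify message can be sent but is not to be included
         * in the hash. */
        if (msg_type == SSL_HND_CERT_VERIFY)
            return;
        /* Once the master secret is known the transcript is complete. */
        if (ssl_session->state & SSL_MASTER_SECRET)
            return;
        break;
    }

    uint32_t old_length = ssl_session->handshake_data.data_len;
    ssl_debug_printf("Calculating hash with offset %u %u\n", offset, length);

    /* old_length + length is computed in uint32_t; if it wrapped, the
     * realloc below would shrink the buffer and the copy/memset that
     * follows would write past it. It should not be reachable with the
     * message-type filtering above (the transcript stops at ClientKeyExchange
     * or the server Finished), but the check is cheap, so refuse rather
     * than rely on that. */
    if (old_length + length < old_length) {
        ssl_debug_printf("Handshake transcript would exceed 4 GiB, not appending\n");
        return;
    }

    if (tvb) {
        if (tvb_bytes_exist(tvb, offset, length)) {
            ssl_session->handshake_data.data = (unsigned char *)wmem_realloc(wmem_file_scope(), ssl_session->handshake_data.data, old_length + length);
            tvb_memcpy(tvb, ssl_session->handshake_data.data + old_length, offset, length);
            ssl_session->handshake_data.data_len += length;
        } else {
            /* A truncated message leaves the transcript incomplete; the
             * resulting hash will not match, so note it for debugging. */
            ssl_debug_printf("Handshake message bytes missing, transcript incomplete\n");
        }
    } else {
        /* DTLS calculates the hash as if each handshake message had been
         * sent as a single fragment (RFC 6347, section 4.2.6) and passes
         * in a null tvbuff to add 3 bytes for a zero fragment offset.
         */
        DISSECTOR_ASSERT_CMPINT(length, <, 4);
        ssl_session->handshake_data.data = (unsigned char *)wmem_realloc(wmem_file_scope(), ssl_session->handshake_data.data, old_length + length);
        memset(ssl_session->handshake_data.data + old_length, 0, length);
        ssl_session->handshake_data.data_len += length;
    }
}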
13226
13227
13228/*
13229 * Editor modelines - https://www.wireshark.org/tools/modelines.html
13230 *
13231 * Local variables:
13232 * c-basic-offset: 4
13233 * tab-width: 8
13234 * indent-tabs-mode: nil
13235 * End:
13236 *
13237 * vi: set shiftwidth=4 tabstop=8 expandtab:
13238 * :indentSize=4:tabSize=8:noTabs=true:
13239 */