Bug Summary

File:builds/wireshark/wireshark/epan/dissectors/packet-tls-utils.c
Warning:line 4942, column 17
Potential leak of memory pointed to by 'handshake_hashed_data.data'

Annotated Source Code

Press '?' to see keyboard shortcuts

clang -cc1 -cc1 -triple x86_64-pc-linux-gnu -analyze -disable-free -clear-ast-before-backend -disable-llvm-verifier -discard-value-names -main-file-name packet-tls-utils.c -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -mrelocation-model pic -pic-level 2 -fhalf-no-semantic-interposition -fno-delete-null-pointer-checks -mframe-pointer=all -relaxed-aliasing -fmath-errno -ffp-contract=on -fno-rounding-math -ffloat16-excess-precision=fast -fbfloat16-excess-precision=fast -mconstructor-aliases -funwind-tables=2 -target-cpu x86-64 -tune-cpu generic -debugger-tuning=gdb -fdebug-compilation-dir=/builds/wireshark/wireshark/build -fcoverage-compilation-dir=/builds/wireshark/wireshark/build -resource-dir /usr/lib/llvm-22/lib/clang/22 -isystem /usr/include/glib-2.0 -isystem /usr/lib/x86_64-linux-gnu/glib-2.0/include -isystem /builds/wireshark/wireshark/epan/dissectors -isystem /builds/wireshark/wireshark/build/epan/dissectors -isystem /usr/include/mit-krb5 -isystem /usr/include/libxml2 -isystem /builds/wireshark/wireshark/epan -D CARES_NO_DEPRECATED -D G_DISABLE_DEPRECATED -D G_DISABLE_SINGLE_INCLUDES -D WS_BUILD_DLL -D WS_DEBUG -D WS_DEBUG_UTF_8 -I /builds/wireshark/wireshark/build -I /builds/wireshark/wireshark -I /builds/wireshark/wireshark/include -D _GLIBCXX_ASSERTIONS -internal-isystem /usr/lib/llvm-22/lib/clang/22/include -internal-isystem /usr/local/include -internal-isystem /usr/lib/gcc/x86_64-linux-gnu/16/../../../../x86_64-linux-gnu/include -internal-externc-isystem /usr/include/x86_64-linux-gnu -internal-externc-isystem /include -internal-externc-isystem /usr/include -fmacro-prefix-map=/builds/wireshark/wireshark/= -fmacro-prefix-map=/builds/wireshark/wireshark/build/= -fmacro-prefix-map=../= -Wno-format-nonliteral -std=gnu17 -ferror-limit 19 -fvisibility=hidden -fwrapv -fwrapv-pointer -fstrict-flex-arrays=3 -stack-protector 2 -fstack-clash-protection -fcf-protection=full -fgnuc-version=4.2.1 -fskip-odr-check-in-gmf -fexceptions -fcolor-diagnostics -analyzer-output=html -faddrsig -fdwarf2-cfi-asm -o /builds/wireshark/wireshark/sbout/2026-07-05-100322-3576-1 -x c /builds/wireshark/wireshark/epan/dissectors/packet-tls-utils.c
1/* packet-tls-utils.c
2 * ssl manipulation functions
3 * By Paolo Abeni <paolo.abeni@email.com>
4 *
5 * Copyright (c) 2013, Hauke Mehrtens <hauke@hauke-m.de>
6 * Copyright (c) 2014, Peter Wu <peter@lekensteyn.nl>
7 *
8 * Wireshark - Network traffic analyzer
9 * By Gerald Combs <gerald@wireshark.org>
10 * Copyright 1998 Gerald Combs
11 *
12 * SPDX-License-Identifier: GPL-2.0-or-later
13 */
14
15#include "config.h"
16
17#include <stdlib.h>
18#include <errno(*__errno_location ()).h>
19
20#include <epan/packet.h>
21#include <epan/strutil.h>
22#include <epan/addr_resolv.h>
23#include <epan/expert.h>
24#include <epan/asn1.h>
25#include <epan/proto_data.h>
26#include <epan/oids.h>
27#include <epan/secrets.h>
28
29#include <wsutil/inet_cidr.h>
30#include <wsutil/filesystem.h>
31#include <wsutil/file_util.h>
32#include <wsutil/str_util.h>
33#include <wsutil/report_message.h>
34#include <wsutil/pint.h>
35#include <wsutil/strtoi.h>
36#include <wsutil/wsgcrypt.h>
37#include <wsutil/rsa.h>
38#include <wsutil/ws_assert.h>
39#include <wsutil/zlib_compat.h>
40#include "packet-ber.h"
41#include "packet-x509af.h"
42#include "packet-x509if.h"
43#include "packet-tls-utils.h"
44#include "packet-ocsp.h"
45#include "packet-tls.h"
46#include "packet-dtls.h"
47#include "packet-quic.h"
48#if defined(HAVE_LIBGNUTLS1)
49#include <gnutls/abstract.h>
50#include <gnutls/x509.h>
51#include <gnutls/pkcs12.h>
52#endif
53
54/* JA3/JA3S calculations must ignore GREASE values
55 * as described in RFC 8701.
56 */
57#define IS_GREASE_TLS(x)((((x) & 0x0f0f) == 0x0a0a) && (((x) & 0xff) ==
(((x)>>8) & 0xff)))
((((x) & 0x0f0f) == 0x0a0a) && \
58 (((x) & 0xff) == (((x)>>8) & 0xff)))
59
60/* Section 22.3 of RFC 9000 (QUIC) reserves values of this
61 * form for a similar purpose as GREASE.
62 */
63#define IS_GREASE_QUIC(x)((x) > 27 ? ((((x) - 27) % 31) == 0) : 0) ((x) > 27 ? ((((x) - 27) % 31) == 0) : 0)
64
65#define DTLS13_MAX_EPOCH10 10
66
67/* Lookup tables {{{ */
68const value_string ssl_version_short_names[] = {
69 { SSLV2_VERSION0x0002, "SSLv2" },
70 { SSLV3_VERSION0x300, "SSLv3" },
71 { TLSV1_VERSION0x301, "TLSv1" },
72 { TLCPV1_VERSION0x101, "TLCP" },
73 { TLSV1DOT1_VERSION0x302, "TLSv1.1" },
74 { TLSV1DOT2_VERSION0x303, "TLSv1.2" },
75 { TLSV1DOT3_VERSION0x304, "TLSv1.3" },
76 { DTLSV1DOT0_VERSION0xfeff, "DTLSv1.0" },
77 { DTLSV1DOT2_VERSION0xfefd, "DTLSv1.2" },
78 { DTLSV1DOT3_VERSION0xfefc, "DTLSv1.3" },
79 { DTLSV1DOT0_OPENSSL_VERSION0x100, "DTLS 1.0 (OpenSSL pre 0.9.8f)" },
80 { 0x00, NULL((void*)0) }
81};
82
83const value_string ssl_versions[] = {
84 { SSLV2_VERSION0x0002, "SSL 2.0" },
85 { SSLV3_VERSION0x300, "SSL 3.0" },
86 { TLSV1_VERSION0x301, "TLS 1.0" },
87 { TLCPV1_VERSION0x101, "TLCP" },
88 { TLSV1DOT1_VERSION0x302, "TLS 1.1" },
89 { TLSV1DOT2_VERSION0x303, "TLS 1.2" },
90 { TLSV1DOT3_VERSION0x304, "TLS 1.3" },
91 { 0x7F0E, "TLS 1.3 (draft 14)" },
92 { 0x7F0F, "TLS 1.3 (draft 15)" },
93 { 0x7F10, "TLS 1.3 (draft 16)" },
94 { 0x7F11, "TLS 1.3 (draft 17)" },
95 { 0x7F12, "TLS 1.3 (draft 18)" },
96 { 0x7F13, "TLS 1.3 (draft 19)" },
97 { 0x7F14, "TLS 1.3 (draft 20)" },
98 { 0x7F15, "TLS 1.3 (draft 21)" },
99 { 0x7F16, "TLS 1.3 (draft 22)" },
100 { 0x7F17, "TLS 1.3 (draft 23)" },
101 { 0x7F18, "TLS 1.3 (draft 24)" },
102 { 0x7F19, "TLS 1.3 (draft 25)" },
103 { 0x7F1A, "TLS 1.3 (draft 26)" },
104 { 0x7F1B, "TLS 1.3 (draft 27)" },
105 { 0x7F1C, "TLS 1.3 (draft 28)" },
106 { 0xFB17, "TLS 1.3 (Facebook draft 23)" },
107 { 0xFB1A, "TLS 1.3 (Facebook draft 26)" },
108 { DTLSV1DOT0_OPENSSL_VERSION0x100, "DTLS 1.0 (OpenSSL pre 0.9.8f)" },
109 { DTLSV1DOT0_VERSION0xfeff, "DTLS 1.0" },
110 { DTLSV1DOT2_VERSION0xfefd, "DTLS 1.2" },
111 { DTLSV1DOT3_VERSION0xfefc, "DTLS 1.3" },
112 { 0x0A0A, "Reserved (GREASE)" }, /* RFC 8701 */
113 { 0x1A1A, "Reserved (GREASE)" }, /* RFC 8701 */
114 { 0x2A2A, "Reserved (GREASE)" }, /* RFC 8701 */
115 { 0x3A3A, "Reserved (GREASE)" }, /* RFC 8701 */
116 { 0x4A4A, "Reserved (GREASE)" }, /* RFC 8701 */
117 { 0x5A5A, "Reserved (GREASE)" }, /* RFC 8701 */
118 { 0x6A6A, "Reserved (GREASE)" }, /* RFC 8701 */
119 { 0x7A7A, "Reserved (GREASE)" }, /* RFC 8701 */
120 { 0x8A8A, "Reserved (GREASE)" }, /* RFC 8701 */
121 { 0x9A9A, "Reserved (GREASE)" }, /* RFC 8701 */
122 { 0xAAAA, "Reserved (GREASE)" }, /* RFC 8701 */
123 { 0xBABA, "Reserved (GREASE)" }, /* RFC 8701 */
124 { 0xCACA, "Reserved (GREASE)" }, /* RFC 8701 */
125 { 0xDADA, "Reserved (GREASE)" }, /* RFC 8701 */
126 { 0xEAEA, "Reserved (GREASE)" }, /* RFC 8701 */
127 { 0xFAFA, "Reserved (GREASE)" }, /* RFC 8701 */
128 { 0x00, NULL((void*)0) }
129};
130
131static const value_string ssl_version_ja4_names[] = {
132 { 0x0100, "s1" },
133 { SSLV2_VERSION0x0002, "s2" },
134 { SSLV3_VERSION0x300, "s3" },
135 { TLSV1_VERSION0x301, "10" },
136 { TLSV1DOT1_VERSION0x302, "11" },
137 { TLSV1DOT2_VERSION0x303, "12" },
138 { TLSV1DOT3_VERSION0x304, "13" },
139 { DTLSV1DOT0_VERSION0xfeff, "d1" },
140 { DTLSV1DOT2_VERSION0xfefd, "d2" },
141 { DTLSV1DOT3_VERSION0xfefc, "d3" },
142 { 0x00, NULL((void*)0) }
143};
144
145const value_string ssl_20_msg_types[] = {
146 { SSL2_HND_ERROR0x00, "Error" },
147 { SSL2_HND_CLIENT_HELLO0x01, "Client Hello" },
148 { SSL2_HND_CLIENT_MASTER_KEY0x02, "Client Master Key" },
149 { SSL2_HND_CLIENT_FINISHED0x03, "Client Finished" },
150 { SSL2_HND_SERVER_HELLO0x04, "Server Hello" },
151 { SSL2_HND_SERVER_VERIFY0x05, "Server Verify" },
152 { SSL2_HND_SERVER_FINISHED0x06, "Server Finished" },
153 { SSL2_HND_REQUEST_CERTIFICATE0x07, "Request Certificate" },
154 { SSL2_HND_CLIENT_CERTIFICATE0x08, "Client Certificate" },
155 { 0x00, NULL((void*)0) }
156};
157/* http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml */
158/* Note: sorted by ascending value so value_string-ext can do a binary search */
159static const value_string ssl_20_cipher_suites[] = {
160 { 0x000000, "TLS_NULL_WITH_NULL_NULL" },
161 { 0x000001, "TLS_RSA_WITH_NULL_MD5" },
162 { 0x000002, "TLS_RSA_WITH_NULL_SHA" },
163 { 0x000003, "TLS_RSA_EXPORT_WITH_RC4_40_MD5" },
164 { 0x000004, "TLS_RSA_WITH_RC4_128_MD5" },
165 { 0x000005, "TLS_RSA_WITH_RC4_128_SHA" },
166 { 0x000006, "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5" },
167 { 0x000007, "TLS_RSA_WITH_IDEA_CBC_SHA" },
168 { 0x000008, "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA" },
169 { 0x000009, "TLS_RSA_WITH_DES_CBC_SHA" },
170 { 0x00000a, "TLS_RSA_WITH_3DES_EDE_CBC_SHA" },
171 { 0x00000b, "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA" },
172 { 0x00000c, "TLS_DH_DSS_WITH_DES_CBC_SHA" },
173 { 0x00000d, "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA" },
174 { 0x00000e, "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA" },
175 { 0x00000f, "TLS_DH_RSA_WITH_DES_CBC_SHA" },
176 { 0x000010, "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA" },
177 { 0x000011, "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA" },
178 { 0x000012, "TLS_DHE_DSS_WITH_DES_CBC_SHA" },
179 { 0x000013, "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA" },
180 { 0x000014, "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA" },
181 { 0x000015, "TLS_DHE_RSA_WITH_DES_CBC_SHA" },
182 { 0x000016, "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA" },
183 { 0x000017, "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5" },
184 { 0x000018, "TLS_DH_anon_WITH_RC4_128_MD5" },
185 { 0x000019, "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA" },
186 { 0x00001a, "TLS_DH_anon_WITH_DES_CBC_SHA" },
187 { 0x00001b, "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA" },
188 { 0x00001c, "SSL_FORTEZZA_KEA_WITH_NULL_SHA" },
189 { 0x00001d, "SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA" },
190#if 0
191 { 0x00001e, "SSL_FORTEZZA_KEA_WITH_RC4_128_SHA" },
192#endif
193 /* RFC 2712 */
194 { 0x00001E, "TLS_KRB5_WITH_DES_CBC_SHA" },
195 { 0x00001F, "TLS_KRB5_WITH_3DES_EDE_CBC_SHA" },
196 { 0x000020, "TLS_KRB5_WITH_RC4_128_SHA" },
197 { 0x000021, "TLS_KRB5_WITH_IDEA_CBC_SHA" },
198 { 0x000022, "TLS_KRB5_WITH_DES_CBC_MD5" },
199 { 0x000023, "TLS_KRB5_WITH_3DES_EDE_CBC_MD5" },
200 { 0x000024, "TLS_KRB5_WITH_RC4_128_MD5" },
201 { 0x000025, "TLS_KRB5_WITH_IDEA_CBC_MD5" },
202 { 0x000026, "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA" },
203 { 0x000027, "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA" },
204 { 0x000028, "TLS_KRB5_EXPORT_WITH_RC4_40_SHA" },
205 { 0x000029, "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5" },
206 { 0x00002A, "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5" },
207 { 0x00002B, "TLS_KRB5_EXPORT_WITH_RC4_40_MD5" },
208 /* RFC 4785 */
209 { 0x00002C, "TLS_PSK_WITH_NULL_SHA" },
210 { 0x00002D, "TLS_DHE_PSK_WITH_NULL_SHA" },
211 { 0x00002E, "TLS_RSA_PSK_WITH_NULL_SHA" },
212 /* RFC 5246 */
213 { 0x00002f, "TLS_RSA_WITH_AES_128_CBC_SHA" },
214 { 0x000030, "TLS_DH_DSS_WITH_AES_128_CBC_SHA" },
215 { 0x000031, "TLS_DH_RSA_WITH_AES_128_CBC_SHA" },
216 { 0x000032, "TLS_DHE_DSS_WITH_AES_128_CBC_SHA" },
217 { 0x000033, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA" },
218 { 0x000034, "TLS_DH_anon_WITH_AES_128_CBC_SHA" },
219 { 0x000035, "TLS_RSA_WITH_AES_256_CBC_SHA" },
220 { 0x000036, "TLS_DH_DSS_WITH_AES_256_CBC_SHA" },
221 { 0x000037, "TLS_DH_RSA_WITH_AES_256_CBC_SHA" },
222 { 0x000038, "TLS_DHE_DSS_WITH_AES_256_CBC_SHA" },
223 { 0x000039, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA" },
224 { 0x00003A, "TLS_DH_anon_WITH_AES_256_CBC_SHA" },
225 { 0x00003B, "TLS_RSA_WITH_NULL_SHA256" },
226 { 0x00003C, "TLS_RSA_WITH_AES_128_CBC_SHA256" },
227 { 0x00003D, "TLS_RSA_WITH_AES_256_CBC_SHA256" },
228 { 0x00003E, "TLS_DH_DSS_WITH_AES_128_CBC_SHA256" },
229 { 0x00003F, "TLS_DH_RSA_WITH_AES_128_CBC_SHA256" },
230 { 0x000040, "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256" },
231 { 0x000041, "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA" },
232 { 0x000042, "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA" },
233 { 0x000043, "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA" },
234 { 0x000044, "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA" },
235 { 0x000045, "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA" },
236 { 0x000046, "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA" },
237 { 0x000047, "TLS_ECDH_ECDSA_WITH_NULL_SHA" },
238 { 0x000048, "TLS_ECDH_ECDSA_WITH_RC4_128_SHA" },
239 { 0x000049, "TLS_ECDH_ECDSA_WITH_DES_CBC_SHA" },
240 { 0x00004A, "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA" },
241 { 0x00004B, "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA" },
242 { 0x00004C, "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" },
243 { 0x000060, "TLS_RSA_EXPORT1024_WITH_RC4_56_MD5" },
244 { 0x000061, "TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5" },
245 { 0x000062, "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA" },
246 { 0x000063, "TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA" },
247 { 0x000064, "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA" },
248 { 0x000065, "TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA" },
249 { 0x000066, "TLS_DHE_DSS_WITH_RC4_128_SHA" },
250 { 0x000067, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256" },
251 { 0x000068, "TLS_DH_DSS_WITH_AES_256_CBC_SHA256" },
252 { 0x000069, "TLS_DH_RSA_WITH_AES_256_CBC_SHA256" },
253 { 0x00006A, "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256" },
254 { 0x00006B, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256" },
255 { 0x00006C, "TLS_DH_anon_WITH_AES_128_CBC_SHA256" },
256 { 0x00006D, "TLS_DH_anon_WITH_AES_256_CBC_SHA256" },
257 /* 0x00,0x6E-83 Unassigned */
258 { 0x000084, "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA" },
259 { 0x000085, "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA" },
260 { 0x000086, "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA" },
261 { 0x000087, "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA" },
262 { 0x000088, "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA" },
263 { 0x000089, "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA" },
264 /* RFC 4279 */
265 { 0x00008A, "TLS_PSK_WITH_RC4_128_SHA" },
266 { 0x00008B, "TLS_PSK_WITH_3DES_EDE_CBC_SHA" },
267 { 0x00008C, "TLS_PSK_WITH_AES_128_CBC_SHA" },
268 { 0x00008D, "TLS_PSK_WITH_AES_256_CBC_SHA" },
269 { 0x00008E, "TLS_DHE_PSK_WITH_RC4_128_SHA" },
270 { 0x00008F, "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA" },
271 { 0x000090, "TLS_DHE_PSK_WITH_AES_128_CBC_SHA" },
272 { 0x000091, "TLS_DHE_PSK_WITH_AES_256_CBC_SHA" },
273 { 0x000092, "TLS_RSA_PSK_WITH_RC4_128_SHA" },
274 { 0x000093, "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA" },
275 { 0x000094, "TLS_RSA_PSK_WITH_AES_128_CBC_SHA" },
276 { 0x000095, "TLS_RSA_PSK_WITH_AES_256_CBC_SHA" },
277 /* RFC 4162 */
278 { 0x000096, "TLS_RSA_WITH_SEED_CBC_SHA" },
279 { 0x000097, "TLS_DH_DSS_WITH_SEED_CBC_SHA" },
280 { 0x000098, "TLS_DH_RSA_WITH_SEED_CBC_SHA" },
281 { 0x000099, "TLS_DHE_DSS_WITH_SEED_CBC_SHA" },
282 { 0x00009A, "TLS_DHE_RSA_WITH_SEED_CBC_SHA" },
283 { 0x00009B, "TLS_DH_anon_WITH_SEED_CBC_SHA" },
284 /* RFC 5288 */
285 { 0x00009C, "TLS_RSA_WITH_AES_128_GCM_SHA256" },
286 { 0x00009D, "TLS_RSA_WITH_AES_256_GCM_SHA384" },
287 { 0x00009E, "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256" },
288 { 0x00009F, "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384" },
289 { 0x0000A0, "TLS_DH_RSA_WITH_AES_128_GCM_SHA256" },
290 { 0x0000A1, "TLS_DH_RSA_WITH_AES_256_GCM_SHA384" },
291 { 0x0000A2, "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256" },
292 { 0x0000A3, "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384" },
293 { 0x0000A4, "TLS_DH_DSS_WITH_AES_128_GCM_SHA256" },
294 { 0x0000A5, "TLS_DH_DSS_WITH_AES_256_GCM_SHA384" },
295 { 0x0000A6, "TLS_DH_anon_WITH_AES_128_GCM_SHA256" },
296 { 0x0000A7, "TLS_DH_anon_WITH_AES_256_GCM_SHA384" },
297 /* RFC 5487 */
298 { 0x0000A8, "TLS_PSK_WITH_AES_128_GCM_SHA256" },
299 { 0x0000A9, "TLS_PSK_WITH_AES_256_GCM_SHA384" },
300 { 0x0000AA, "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256" },
301 { 0x0000AB, "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384" },
302 { 0x0000AC, "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256" },
303 { 0x0000AD, "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384" },
304 { 0x0000AE, "TLS_PSK_WITH_AES_128_CBC_SHA256" },
305 { 0x0000AF, "TLS_PSK_WITH_AES_256_CBC_SHA384" },
306 { 0x0000B0, "TLS_PSK_WITH_NULL_SHA256" },
307 { 0x0000B1, "TLS_PSK_WITH_NULL_SHA384" },
308 { 0x0000B2, "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256" },
309 { 0x0000B3, "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384" },
310 { 0x0000B4, "TLS_DHE_PSK_WITH_NULL_SHA256" },
311 { 0x0000B5, "TLS_DHE_PSK_WITH_NULL_SHA384" },
312 { 0x0000B6, "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256" },
313 { 0x0000B7, "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384" },
314 { 0x0000B8, "TLS_RSA_PSK_WITH_NULL_SHA256" },
315 { 0x0000B9, "TLS_RSA_PSK_WITH_NULL_SHA384" },
316 /* From RFC 5932 */
317 { 0x0000BA, "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
318 { 0x0000BB, "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256" },
319 { 0x0000BC, "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
320 { 0x0000BD, "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256" },
321 { 0x0000BE, "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
322 { 0x0000BF, "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256" },
323 { 0x0000C0, "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
324 { 0x0000C1, "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256" },
325 { 0x0000C2, "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
326 { 0x0000C3, "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256" },
327 { 0x0000C4, "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
328 { 0x0000C5, "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256" },
329 /* 0x00,0xC6-FE Unassigned */
330 { 0x0000FF, "TLS_EMPTY_RENEGOTIATION_INFO_SCSV" },
331 /* 0x01-BF,* Unassigned */
332 /* From RFC 4492 */
333 { 0x00c001, "TLS_ECDH_ECDSA_WITH_NULL_SHA" },
334 { 0x00c002, "TLS_ECDH_ECDSA_WITH_RC4_128_SHA" },
335 { 0x00c003, "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA" },
336 { 0x00c004, "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA" },
337 { 0x00c005, "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" },
338 { 0x00c006, "TLS_ECDHE_ECDSA_WITH_NULL_SHA" },
339 { 0x00c007, "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA" },
340 { 0x00c008, "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA" },
341 { 0x00c009, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA" },
342 { 0x00c00a, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" },
343 { 0x00c00b, "TLS_ECDH_RSA_WITH_NULL_SHA" },
344 { 0x00c00c, "TLS_ECDH_RSA_WITH_RC4_128_SHA" },
345 { 0x00c00d, "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA" },
346 { 0x00c00e, "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA" },
347 { 0x00c00f, "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA" },
348 { 0x00c010, "TLS_ECDHE_RSA_WITH_NULL_SHA" },
349 { 0x00c011, "TLS_ECDHE_RSA_WITH_RC4_128_SHA" },
350 { 0x00c012, "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA" },
351 { 0x00c013, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA" },
352 { 0x00c014, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA" },
353 { 0x00c015, "TLS_ECDH_anon_WITH_NULL_SHA" },
354 { 0x00c016, "TLS_ECDH_anon_WITH_RC4_128_SHA" },
355 { 0x00c017, "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA" },
356 { 0x00c018, "TLS_ECDH_anon_WITH_AES_128_CBC_SHA" },
357 { 0x00c019, "TLS_ECDH_anon_WITH_AES_256_CBC_SHA" },
358 /* RFC 5054 */
359 { 0x00C01A, "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA" },
360 { 0x00C01B, "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA" },
361 { 0x00C01C, "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA" },
362 { 0x00C01D, "TLS_SRP_SHA_WITH_AES_128_CBC_SHA" },
363 { 0x00C01E, "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA" },
364 { 0x00C01F, "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA" },
365 { 0x00C020, "TLS_SRP_SHA_WITH_AES_256_CBC_SHA" },
366 { 0x00C021, "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA" },
367 { 0x00C022, "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA" },
368 /* RFC 5589 */
369 { 0x00C023, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256" },
370 { 0x00C024, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384" },
371 { 0x00C025, "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256" },
372 { 0x00C026, "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384" },
373 { 0x00C027, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" },
374 { 0x00C028, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" },
375 { 0x00C029, "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256" },
376 { 0x00C02A, "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384" },
377 { 0x00C02B, "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" },
378 { 0x00C02C, "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" },
379 { 0x00C02D, "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256" },
380 { 0x00C02E, "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384" },
381 { 0x00C02F, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" },
382 { 0x00C030, "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" },
383 { 0x00C031, "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" },
384 { 0x00C032, "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384" },
385 /* RFC 5489 */
386 { 0x00C033, "TLS_ECDHE_PSK_WITH_RC4_128_SHA" },
387 { 0x00C034, "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA" },
388 { 0x00C035, "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA" },
389 { 0x00C036, "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA" },
390 { 0x00C037, "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256" },
391 { 0x00C038, "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384" },
392 { 0x00C039, "TLS_ECDHE_PSK_WITH_NULL_SHA" },
393 { 0x00C03A, "TLS_ECDHE_PSK_WITH_NULL_SHA256" },
394 { 0x00C03B, "TLS_ECDHE_PSK_WITH_NULL_SHA384" },
395 /* 0xC0,0x3C-FF Unassigned
396 0xC1-FD,* Unassigned
397 0xFE,0x00-FD Unassigned
398 0xFE,0xFE-FF Reserved to avoid conflicts with widely deployed implementations [Pasi_Eronen]
399 0xFF,0x00-FF Reserved for Private Use [RFC5246]
400 */
401
402 /* old numbers used in the beginning
403 * https://tools.ietf.org/html/draft-agl-tls-chacha20poly1305 */
404 { 0x00CC13, "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
405 { 0x00CC14, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" },
406 { 0x00CC15, "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
407
408 /* https://tools.ietf.org/html/rfc7905 */
409 { 0x00CCA8, "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
410 { 0x00CCA9, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" },
411 { 0x00CCAA, "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
412 { 0x00CCAB, "TLS_PSK_WITH_CHACHA20_POLY1305_SHA256" },
413 { 0x00CCAC, "TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256" },
414 { 0x00CCAD, "TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256" },
415 { 0x00CCAE, "TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256" },
416
417 /* GM/T 0024-2014 */
418 { 0x00e001, "ECDHE_SM1_SM3"},
419 { 0x00e003, "ECC_SM1_SM3"},
420 { 0x00e005, "IBSDH_SM1_SM3"},
421 { 0x00e007, "IBC_SM1_SM3"},
422 { 0x00e009, "RSA_SM1_SM3"},
423 { 0x00e00a, "RSA_SM1_SHA1"},
424 { 0x00e011, "ECDHE_SM4_CBC_SM3"},
425 { 0x00e013, "ECC_SM4_CBC_SM3"},
426 { 0x00e015, "IBSDH_SM4_CBC_SM3"},
427 { 0x00e017, "IBC_SM4_CBC_SM3"},
428 { 0x00e019, "RSA_SM4_CBC_SM3"},
429 { 0x00e01a, "RSA_SM4_CBC_SHA1"},
430 { 0x00e01c, "RSA_SM4_CBC_SHA256"},
431 { 0x00e051, "ECDHE_SM4_GCM_SM3"},
432 { 0x00e053, "ECC_SM4_GCM_SM3"},
433 { 0x00e055, "IBSDH_SM4_GCM_SM3"},
434 { 0x00e057, "IBC_SM4_GCM_SM3"},
435 { 0x00e059, "RSA_SM4_GCM_SM3"},
436 { 0x00e05a, "RSA_SM4_GCM_SHA256"},
437
438 /* https://tools.ietf.org/html/draft-josefsson-salsa20-tls */
439 { 0x00E410, "TLS_RSA_WITH_ESTREAM_SALSA20_SHA1" },
440 { 0x00E411, "TLS_RSA_WITH_SALSA20_SHA1" },
441 { 0x00E412, "TLS_ECDHE_RSA_WITH_ESTREAM_SALSA20_SHA1" },
442 { 0x00E413, "TLS_ECDHE_RSA_WITH_SALSA20_SHA1" },
443 { 0x00E414, "TLS_ECDHE_ECDSA_WITH_ESTREAM_SALSA20_SHA1" },
444 { 0x00E415, "TLS_ECDHE_ECDSA_WITH_SALSA20_SHA1" },
445 { 0x00E416, "TLS_PSK_WITH_ESTREAM_SALSA20_SHA1" },
446 { 0x00E417, "TLS_PSK_WITH_SALSA20_SHA1" },
447 { 0x00E418, "TLS_ECDHE_PSK_WITH_ESTREAM_SALSA20_SHA1" },
448 { 0x00E419, "TLS_ECDHE_PSK_WITH_SALSA20_SHA1" },
449 { 0x00E41A, "TLS_RSA_PSK_WITH_ESTREAM_SALSA20_SHA1" },
450 { 0x00E41B, "TLS_RSA_PSK_WITH_SALSA20_SHA1" },
451 { 0x00E41C, "TLS_DHE_PSK_WITH_ESTREAM_SALSA20_SHA1" },
452 { 0x00E41D, "TLS_DHE_PSK_WITH_SALSA20_SHA1" },
453 { 0x00E41E, "TLS_DHE_RSA_WITH_ESTREAM_SALSA20_SHA1" },
454 { 0x00E41F, "TLS_DHE_RSA_WITH_SALSA20_SHA1" },
455
456 /* these from http://www.mozilla.org/projects/
457 security/pki/nss/ssl/fips-ssl-ciphersuites.html */
458 { 0x00fefe, "SSL_RSA_FIPS_WITH_DES_CBC_SHA"},
459 { 0x00feff, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA" },
460 { 0x00ffe0, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA" },
461 { 0x00ffe1, "SSL_RSA_FIPS_WITH_DES_CBC_SHA"},
462 /* note that ciphersuites of {0x00????} are TLS cipher suites in
463 * a sslv2 client hello message; the ???? above is the two-byte
464 * tls cipher suite id
465 */
466
467 { 0x010080, "SSL2_RC4_128_WITH_MD5" },
468 { 0x020080, "SSL2_RC4_128_EXPORT40_WITH_MD5" },
469 { 0x030080, "SSL2_RC2_128_CBC_WITH_MD5" },
470 { 0x040080, "SSL2_RC2_128_CBC_EXPORT40_WITH_MD5" },
471 { 0x050080, "SSL2_IDEA_128_CBC_WITH_MD5" },
472 { 0x060040, "SSL2_DES_64_CBC_WITH_MD5" },
473 { 0x0700c0, "SSL2_DES_192_EDE3_CBC_WITH_MD5" },
474 { 0x080080, "SSL2_RC4_64_WITH_MD5" },
475
476 { 0x00, NULL((void*)0) }
477};
478
479value_string_ext ssl_20_cipher_suites_ext = VALUE_STRING_EXT_INIT(ssl_20_cipher_suites){ _try_val_to_str_ext_init, 0, (sizeof (ssl_20_cipher_suites)
/ sizeof ((ssl_20_cipher_suites)[0]))-1, ssl_20_cipher_suites
, "ssl_20_cipher_suites", ((void*)0) }
;
480
481
482/*
483 * Supported Groups (formerly named "EC Named Curve").
484 * https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8
485 */
486const value_string ssl_extension_curves[] = {
487 { 1, "sect163k1" },
488 { 2, "sect163r1" },
489 { 3, "sect163r2" },
490 { 4, "sect193r1" },
491 { 5, "sect193r2" },
492 { 6, "sect233k1" },
493 { 7, "sect233r1" },
494 { 8, "sect239k1" },
495 { 9, "sect283k1" },
496 { 10, "sect283r1" },
497 { 11, "sect409k1" },
498 { 12, "sect409r1" },
499 { 13, "sect571k1" },
500 { 14, "sect571r1" },
501 { 15, "secp160k1" },
502 { 16, "secp160r1" },
503 { 17, "secp160r2" },
504 { 18, "secp192k1" },
505 { 19, "secp192r1" },
506 { 20, "secp224k1" },
507 { 21, "secp224r1" },
508 { 22, "secp256k1" },
509 { 23, "secp256r1" },
510 { 24, "secp384r1" },
511 { 25, "secp521r1" },
512 { 26, "brainpoolP256r1" }, /* RFC 7027 */
513 { 27, "brainpoolP384r1" }, /* RFC 7027 */
514 { 28, "brainpoolP512r1" }, /* RFC 7027 */
515 { 29, "x25519" }, /* RFC 8446 / RFC 8422 */
516 { 30, "x448" }, /* RFC 8446 / RFC 8422 */
517 { 31, "brainpoolP256r1tls13" }, /* RFC8734 */
518 { 32, "brainpoolP384r1tls13" }, /* RFC8734 */
519 { 33, "brainpoolP512r1tls13" }, /* RFC8734 */
520 { 34, "GC256A" }, /* RFC9189 */
521 { 35, "GC256B" }, /* RFC9189 */
522 { 36, "GC256C" }, /* RFC9189 */
523 { 37, "GC256D" }, /* RFC9189 */
524 { 38, "GC512A" }, /* RFC9189 */
525 { 39, "GC512B" }, /* RFC9189 */
526 { 40, "GC512C" }, /* RFC9189 */
527 { 41, "curveSM2" }, /* RFC 8998 */
528 { 256, "ffdhe2048" }, /* RFC 7919 */
529 { 257, "ffdhe3072" }, /* RFC 7919 */
530 { 258, "ffdhe4096" }, /* RFC 7919 */
531 { 259, "ffdhe6144" }, /* RFC 7919 */
532 { 260, "ffdhe8192" }, /* RFC 7919 */
533 { 512, "MLKEM512"}, /* draft-connolly-tls-mlkem-key-agreement-03 */
534 { 513, "MLKEM768"}, /* draft-connolly-tls-mlkem-key-agreement-03 */
535 { 514, "MLKEM1024"}, /* draft-connolly-tls-mlkem-key-agreement-03 */
536 { 2570, "Reserved (GREASE)" }, /* RFC 8701 */
537 { 4587, "SecP256r1MLKEM768" }, /* draft-kwiatkowski-tls-ecdhe-mlkem-02 */
538 { 4588, "X25519MLKEM768" }, /* draft-kwiatkowski-tls-ecdhe-mlkem-03 */
539 { 4589, "SecP384r1MLKEM1024" }, /* draft-kwiatkowski-tls-ecdhe-mlkem-03 */
540 { 6682, "Reserved (GREASE)" }, /* RFC 8701 */
541 { 10794, "Reserved (GREASE)" }, /* RFC 8701 */
542 { 14906, "Reserved (GREASE)" }, /* RFC 8701 */
543 { 19018, "Reserved (GREASE)" }, /* RFC 8701 */
544 { 23130, "Reserved (GREASE)" }, /* RFC 8701 */
545 { 25497, "X25519Kyber768Draft00 (OBSOLETE)" }, /* draft-tls-westerbaan-xyber768d00-02 */
546 { 25498, "SecP256r1Kyber768Draft00 (OBSOLETE)" }, /* draft-kwiatkowski-tls-ecdhe-kyber-01 */
547 { 27242, "Reserved (GREASE)" }, /* RFC 8701 */
548 { 31354, "Reserved (GREASE)" }, /* RFC 8701 */
549 { 35466, "Reserved (GREASE)" }, /* RFC 8701 */
550 { 39578, "Reserved (GREASE)" }, /* RFC 8701 */
551 { 43690, "Reserved (GREASE)" }, /* RFC 8701 */
552 { 47802, "Reserved (GREASE)" }, /* RFC 8701 */
553 { 51914, "Reserved (GREASE)" }, /* RFC 8701 */
554 { 56026, "Reserved (GREASE)" }, /* RFC 8701 */
555 { 60138, "Reserved (GREASE)" }, /* RFC 8701 */
556 { 64250, "Reserved (GREASE)" }, /* RFC 8701 */
557 { 0xFF01, "arbitrary_explicit_prime_curves" },
558 { 0xFF02, "arbitrary_explicit_char2_curves" },
559 /* Below are various unofficial values that have been used for testing. */
560 /* PQC key exchange algorithms from OQS-OpenSSL,
561 see https://github.com/open-quantum-safe/oqs-provider/blob/main/oqs-template/oqs-kem-info.md
562 These use IANA unassigned values and this list may be incomplete.
563 */
564 { 0x2F00, "p256_frodo640aes" },
565 { 0x2F01, "p256_frodo640shake" },
566 { 0x2F02, "p384_frodo976aes" },
567 { 0x0203, "frodo976shake" },
568 { 0x2F03, "p384_frodo976shake" },
569 { 0x0204, "frodo1344aes" },
570 { 0x2F04, "p521_frodo1344aes" },
571 { 0x0205, "frodo1344shake" },
572 { 0x2F05, "p521_frodo1344shake" },
573 { 0x023A, "kyber512" },
574 { 0x2F3A, "p256_kyber512" },
575 { 0x023C, "kyber768" },
576 { 0x2F3C, "p384_kyber768" },
577 { 0x023D, "kyber1024" },
578 { 0x2F3D, "p521_kyber1024" },
579 { 0x0214, "ntru_hps2048509" },
580 { 0x2F14, "p256_ntru_hps2048509" },
581 { 0x0215, "ntru_hps2048677" },
582 { 0x2F15, "p384_ntru_hps2048677" },
583 { 0x0216, "ntru_hps4096821" },
584 { 0x2F16, "p521_ntru_hps4096821" },
585 { 0x0245, "ntru_hps40961229" },
586 { 0x2F45, "p521_ntru_hps40961229" },
587 { 0x0217, "ntru_hrss701" },
588 { 0x2F17, "p384_ntru_hrss701" },
589 { 0x0246, "ntru_hrss1373" },
590 { 0x2F46, "p521_ntru_hrss1373" },
591 { 0x0218, "lightsaber" },
592 { 0x2F18, "p256_lightsaber" },
593 { 0x0219, "saber" },
594 { 0x2F19, "p384_saber" },
595 { 0x021A, "firesaber" },
596 { 0x2F1A, "p521_firesaber" },
597 { 0x021B, "sidhp434" },
598 { 0x2F1B, "p256_sidhp434" },
599 { 0x021C, "sidhp503" },
600 { 0x2F1C, "p256_sidhp503" },
601 { 0x021D, "sidhp610" },
602 { 0x2F1D, "p384_sidhp610" },
603 { 0x021E, "sidhp751" },
604 { 0x2F1E, "p521_sidhp751" },
605 { 0x021F, "sikep434" },
606 { 0x2F1F, "p256_sikep434" },
607 { 0x0220, "sikep503" },
608 { 0x2F20, "p256_sikep503" },
609 { 0x0221, "sikep610" },
610 { 0x2F21, "p384_sikep610" },
611 { 0x0222, "sikep751" },
612 { 0x2F22, "p521_sikep751" },
613 { 0x0238, "bikel1" },
614 { 0x2F38, "p256_bikel1" },
615 { 0x023B, "bikel3" },
616 { 0x2F3B, "p384_bikel3" },
617 { 0x023E, "kyber90s512" },
618 { 0x2F3E, "p256_kyber90s512" },
619 { 0x023F, "kyber90s768" },
620 { 0x2F3F, "p384_kyber90s768" },
621 { 0x0240, "kyber90s1024" },
622 { 0x2F40, "p521_kyber90s1024" },
623 { 0x022C, "hqc128" },
624 { 0x2F2C, "p256_hqc128" },
625 { 0x022D, "hqc192" },
626 { 0x2F2D, "p384_hqc192" },
627 { 0x022E, "hqc256" },
628 { 0x2F2E, "p521_hqc256" },
629 { 0x022F, "ntrulpr653" },
630 { 0x2F2F, "p256_ntrulpr653" },
631 { 0x0230, "ntrulpr761" },
632 { 0x2F43, "p256_ntrulpr761" },
633 { 0x0231, "ntrulpr857" },
634 { 0x2F31, "p384_ntrulpr857" },
635 { 0x0241, "ntrulpr1277" },
636 { 0x2F41, "p521_ntrulpr1277" },
637 { 0x0232, "sntrup653" },
638 { 0x2F32, "p256_sntrup653" },
639 { 0x0233, "sntrup761" },
640 { 0x2F44, "p256_sntrup761" },
641 { 0x0234, "sntrup857" },
642 { 0x2F34, "p384_sntrup857" },
643 { 0x0242, "sntrup1277" },
644 { 0x2F42, "p521_sntrup1277" },
645 /* Other PQ key exchange algorithms, using Reserved for Private Use values
646 https://blog.cloudflare.com/post-quantum-for-all
647 https://www.ietf.org/archive/id/draft-tls-westerbaan-xyber768d00-02.txt */
648 { 0xFE30, "X25519Kyber512Draft00 (OBSOLETE)" },
649 { 0xFE31, "X25519Kyber768Draft00 (OBSOLETE)" },
650 { 0x00, NULL((void*)0) }
651};
652
653const value_string ssl_curve_types[] = {
654 { 1, "explicit_prime" },
655 { 2, "explicit_char2" },
656 { 3, "named_curve" },
657 { 0x00, NULL((void*)0) }
658};
659
660const value_string ssl_extension_ec_point_formats[] = {
661 { 0, "uncompressed" },
662 { 1, "ansiX962_compressed_prime" },
663 { 2, "ansiX962_compressed_char2" },
664 { 0x00, NULL((void*)0) }
665};
666
667const value_string ssl_20_certificate_type[] = {
668 { 0x00, "N/A" },
669 { 0x01, "X.509 Certificate" },
670 { 0x00, NULL((void*)0) }
671};
672
673const value_string ssl_31_content_type[] = {
674 { 20, "Change Cipher Spec" },
675 { 21, "Alert" },
676 { 22, "Handshake" },
677 { 23, "Application Data" },
678 { 24, "Heartbeat" },
679 { 25, "Connection ID" },
680 { 0x00, NULL((void*)0) }
681};
682
683#if 0
684/* XXX - would be used if we dissected the body of a Change Cipher Spec
685 message. */
686const value_string ssl_31_change_cipher_spec[] = {
687 { 1, "Change Cipher Spec" },
688 { 0x00, NULL((void*)0) }
689};
690#endif
691
692const value_string ssl_31_alert_level[] = {
693 { 1, "Warning" },
694 { 2, "Fatal" },
695 { 0x00, NULL((void*)0) }
696};
697
698const value_string ssl_31_alert_description[] = {
699 { 0, "Close Notify" },
700 { 1, "End of Early Data" },
701 { 10, "Unexpected Message" },
702 { 20, "Bad Record MAC" },
703 { 21, "Decryption Failed" },
704 { 22, "Record Overflow" },
705 { 30, "Decompression Failure" },
706 { 40, "Handshake Failure" },
707 { 41, "No Certificate" },
708 { 42, "Bad Certificate" },
709 { 43, "Unsupported Certificate" },
710 { 44, "Certificate Revoked" },
711 { 45, "Certificate Expired" },
712 { 46, "Certificate Unknown" },
713 { 47, "Illegal Parameter" },
714 { 48, "Unknown CA" },
715 { 49, "Access Denied" },
716 { 50, "Decode Error" },
717 { 51, "Decrypt Error" },
718 { 60, "Export Restriction" },
719 { 70, "Protocol Version" },
720 { 71, "Insufficient Security" },
721 { 80, "Internal Error" },
722 { 86, "Inappropriate Fallback" },
723 { 90, "User Canceled" },
724 { 100, "No Renegotiation" },
725 { 109, "Missing Extension" },
726 { 110, "Unsupported Extension" },
727 { 111, "Certificate Unobtainable" },
728 { 112, "Unrecognized Name" },
729 { 113, "Bad Certificate Status Response" },
730 { 114, "Bad Certificate Hash Value" },
731 { 115, "Unknown PSK Identity" },
732 { 116, "Certificate Required" },
733 { 120, "No application Protocol" },
734 { 121, "ECH Required" },
735 { 0x00, NULL((void*)0) }
736};
737
738const value_string ssl_31_handshake_type[] = {
739 { SSL_HND_HELLO_REQUEST, "Hello Request" },
740 { SSL_HND_CLIENT_HELLO, "Client Hello" },
741 { SSL_HND_SERVER_HELLO, "Server Hello" },
742 { SSL_HND_HELLO_VERIFY_REQUEST, "Hello Verify Request"},
743 { SSL_HND_NEWSESSION_TICKET, "New Session Ticket" },
744 { SSL_HND_END_OF_EARLY_DATA, "End of Early Data" },
745 { SSL_HND_HELLO_RETRY_REQUEST, "Hello Retry Request" },
746 { SSL_HND_ENCRYPTED_EXTENSIONS, "Encrypted Extensions" },
747 { SSL_HND_CERTIFICATE, "Certificate" },
748 { SSL_HND_SERVER_KEY_EXCHG, "Server Key Exchange" },
749 { SSL_HND_CERT_REQUEST, "Certificate Request" },
750 { SSL_HND_SVR_HELLO_DONE, "Server Hello Done" },
751 { SSL_HND_CERT_VERIFY, "Certificate Verify" },
752 { SSL_HND_CLIENT_KEY_EXCHG, "Client Key Exchange" },
753 { SSL_HND_FINISHED, "Finished" },
754 { SSL_HND_CERT_URL, "Client Certificate URL" },
755 { SSL_HND_CERT_STATUS, "Certificate Status" },
756 { SSL_HND_SUPPLEMENTAL_DATA, "Supplemental Data" },
757 { SSL_HND_KEY_UPDATE, "Key Update" },
758 { SSL_HND_COMPRESSED_CERTIFICATE, "Compressed Certificate" },
759 { SSL_HND_ENCRYPTED_EXTS, "Encrypted Extensions" },
760 { 0x00, NULL((void*)0) }
761};
762
763const value_string tls_heartbeat_type[] = {
764 { 1, "Request" },
765 { 2, "Response" },
766 { 0x00, NULL((void*)0) }
767};
768
769const value_string tls_heartbeat_mode[] = {
770 { 1, "Peer allowed to send requests" },
771 { 2, "Peer not allowed to send requests" },
772 { 0x00, NULL((void*)0) }
773};
774
775const value_string ssl_31_compression_method[] = {
776 { 0, "null" },
777 { 1, "DEFLATE" },
778 { 64, "LZS" },
779 { 0x00, NULL((void*)0) }
780};
781
782#if 0
783/* XXX - would be used if we dissected a Signature, as would be
784 seen in a server key exchange or certificate verify message. */
785const value_string ssl_31_key_exchange_algorithm[] = {
786 { 0, "RSA" },
787 { 1, "Diffie Hellman" },
788 { 0x00, NULL((void*)0) }
789};
790
791const value_string ssl_31_signature_algorithm[] = {
792 { 0, "Anonymous" },
793 { 1, "RSA" },
794 { 2, "DSA" },
795 { 0x00, NULL((void*)0) }
796};
797#endif
798
799const value_string ssl_31_client_certificate_type[] = {
800 { 1, "RSA Sign" },
801 { 2, "DSS Sign" },
802 { 3, "RSA Fixed DH" },
803 { 4, "DSS Fixed DH" },
804 /* GOST certificate types */
805 /* Section 3.5 of draft-chudov-cryptopro-cptls-04 */
806 { 21, "GOST R 34.10-94" },
807 { 22, "GOST R 34.10-2001" },
808 /* END GOST certificate types */
809 { 64, "ECDSA Sign" },
810 { 65, "RSA Fixed ECDH" },
811 { 66, "ECDSA Fixed ECDH" },
812 { 80, "IBC Params" },
813 { 0x00, NULL((void*)0) }
814};
815
816#if 0
817/* XXX - would be used if we dissected exchange keys, as would be
818 seen in a client key exchange message. */
819const value_string ssl_31_public_value_encoding[] = {
820 { 0, "Implicit" },
821 { 1, "Explicit" },
822 { 0x00, NULL((void*)0) }
823};
824#endif
825
826/* http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml */
827/* Note: sorted by ascending value so value_string_ext fcns can do a binary search */
828static const value_string ssl_31_ciphersuite[] = {
829 /* RFC 2246, RFC 4346, RFC 5246 */
830 { 0x0000, "TLS_NULL_WITH_NULL_NULL" },
831 { 0x0001, "TLS_RSA_WITH_NULL_MD5" },
832 { 0x0002, "TLS_RSA_WITH_NULL_SHA" },
833 { 0x0003, "TLS_RSA_EXPORT_WITH_RC4_40_MD5" },
834 { 0x0004, "TLS_RSA_WITH_RC4_128_MD5" },
835 { 0x0005, "TLS_RSA_WITH_RC4_128_SHA" },
836 { 0x0006, "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5" },
837 { 0x0007, "TLS_RSA_WITH_IDEA_CBC_SHA" },
838 { 0x0008, "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA" },
839 { 0x0009, "TLS_RSA_WITH_DES_CBC_SHA" },
840 { 0x000a, "TLS_RSA_WITH_3DES_EDE_CBC_SHA" },
841 { 0x000b, "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA" },
842 { 0x000c, "TLS_DH_DSS_WITH_DES_CBC_SHA" },
843 { 0x000d, "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA" },
844 { 0x000e, "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA" },
845 { 0x000f, "TLS_DH_RSA_WITH_DES_CBC_SHA" },
846 { 0x0010, "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA" },
847 { 0x0011, "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA" },
848 { 0x0012, "TLS_DHE_DSS_WITH_DES_CBC_SHA" },
849 { 0x0013, "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA" },
850 { 0x0014, "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA" },
851 { 0x0015, "TLS_DHE_RSA_WITH_DES_CBC_SHA" },
852 { 0x0016, "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA" },
853 { 0x0017, "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5" },
854 { 0x0018, "TLS_DH_anon_WITH_RC4_128_MD5" },
855 { 0x0019, "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA" },
856 { 0x001a, "TLS_DH_anon_WITH_DES_CBC_SHA" },
857 { 0x001b, "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA" },
858
859 { 0x001c, "SSL_FORTEZZA_KEA_WITH_NULL_SHA" },
860 { 0x001d, "SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA" },
861#if 0 /* Because it clashes with KRB5, is never used any more, and is safe
862 to remove according to David Hopwood <david.hopwood@zetnet.co.uk>
863 of the ietf-tls list */
864 { 0x001e, "SSL_FORTEZZA_KEA_WITH_RC4_128_SHA" },
865#endif
866 /* RFC 2712 */
867 { 0x001E, "TLS_KRB5_WITH_DES_CBC_SHA" },
868 { 0x001F, "TLS_KRB5_WITH_3DES_EDE_CBC_SHA" },
869 { 0x0020, "TLS_KRB5_WITH_RC4_128_SHA" },
870 { 0x0021, "TLS_KRB5_WITH_IDEA_CBC_SHA" },
871 { 0x0022, "TLS_KRB5_WITH_DES_CBC_MD5" },
872 { 0x0023, "TLS_KRB5_WITH_3DES_EDE_CBC_MD5" },
873 { 0x0024, "TLS_KRB5_WITH_RC4_128_MD5" },
874 { 0x0025, "TLS_KRB5_WITH_IDEA_CBC_MD5" },
875 { 0x0026, "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA" },
876 { 0x0027, "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA" },
877 { 0x0028, "TLS_KRB5_EXPORT_WITH_RC4_40_SHA" },
878 { 0x0029, "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5" },
879 { 0x002A, "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5" },
880 { 0x002B, "TLS_KRB5_EXPORT_WITH_RC4_40_MD5" },
881 /* RFC 4785 */
882 { 0x002C, "TLS_PSK_WITH_NULL_SHA" },
883 { 0x002D, "TLS_DHE_PSK_WITH_NULL_SHA" },
884 { 0x002E, "TLS_RSA_PSK_WITH_NULL_SHA" },
885 /* RFC 5246 */
886 { 0x002F, "TLS_RSA_WITH_AES_128_CBC_SHA" },
887 { 0x0030, "TLS_DH_DSS_WITH_AES_128_CBC_SHA" },
888 { 0x0031, "TLS_DH_RSA_WITH_AES_128_CBC_SHA" },
889 { 0x0032, "TLS_DHE_DSS_WITH_AES_128_CBC_SHA" },
890 { 0x0033, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA" },
891 { 0x0034, "TLS_DH_anon_WITH_AES_128_CBC_SHA" },
892 { 0x0035, "TLS_RSA_WITH_AES_256_CBC_SHA" },
893 { 0x0036, "TLS_DH_DSS_WITH_AES_256_CBC_SHA" },
894 { 0x0037, "TLS_DH_RSA_WITH_AES_256_CBC_SHA" },
895 { 0x0038, "TLS_DHE_DSS_WITH_AES_256_CBC_SHA" },
896 { 0x0039, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA" },
897 { 0x003A, "TLS_DH_anon_WITH_AES_256_CBC_SHA" },
898 { 0x003B, "TLS_RSA_WITH_NULL_SHA256" },
899 { 0x003C, "TLS_RSA_WITH_AES_128_CBC_SHA256" },
900 { 0x003D, "TLS_RSA_WITH_AES_256_CBC_SHA256" },
901 { 0x003E, "TLS_DH_DSS_WITH_AES_128_CBC_SHA256" },
902 { 0x003F, "TLS_DH_RSA_WITH_AES_128_CBC_SHA256" },
903 { 0x0040, "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256" },
904 /* RFC 4132 */
905 { 0x0041, "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA" },
906 { 0x0042, "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA" },
907 { 0x0043, "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA" },
908 { 0x0044, "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA" },
909 { 0x0045, "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA" },
910 { 0x0046, "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA" },
911 /* 0x00,0x60-66 Reserved to avoid conflicts with widely deployed implementations */
912 /* --- ??? --- */
913 { 0x0060, "TLS_RSA_EXPORT1024_WITH_RC4_56_MD5" },
914 { 0x0061, "TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5" },
915 /* draft-ietf-tls-56-bit-ciphersuites-01.txt */
916 { 0x0062, "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA" },
917 { 0x0063, "TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA" },
918 { 0x0064, "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA" },
919 { 0x0065, "TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA" },
920 { 0x0066, "TLS_DHE_DSS_WITH_RC4_128_SHA" },
921 /* --- ??? ---*/
922 { 0x0067, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256" },
923 { 0x0068, "TLS_DH_DSS_WITH_AES_256_CBC_SHA256" },
924 { 0x0069, "TLS_DH_RSA_WITH_AES_256_CBC_SHA256" },
925 { 0x006A, "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256" },
926 { 0x006B, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256" },
927 { 0x006C, "TLS_DH_anon_WITH_AES_128_CBC_SHA256" },
928 { 0x006D, "TLS_DH_anon_WITH_AES_256_CBC_SHA256" },
929 /* draft-chudov-cryptopro-cptls-04.txt */
930 { 0x0080, "TLS_GOSTR341094_WITH_28147_CNT_IMIT" },
931 { 0x0081, "TLS_GOSTR341001_WITH_28147_CNT_IMIT" },
932 { 0x0082, "TLS_GOSTR341094_WITH_NULL_GOSTR3411" },
933 { 0x0083, "TLS_GOSTR341001_WITH_NULL_GOSTR3411" },
934 /* RFC 4132 */
935 { 0x0084, "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA" },
936 { 0x0085, "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA" },
937 { 0x0086, "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA" },
938 { 0x0087, "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA" },
939 { 0x0088, "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA" },
940 { 0x0089, "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA" },
941 /* RFC 4279 */
942 { 0x008A, "TLS_PSK_WITH_RC4_128_SHA" },
943 { 0x008B, "TLS_PSK_WITH_3DES_EDE_CBC_SHA" },
944 { 0x008C, "TLS_PSK_WITH_AES_128_CBC_SHA" },
945 { 0x008D, "TLS_PSK_WITH_AES_256_CBC_SHA" },
946 { 0x008E, "TLS_DHE_PSK_WITH_RC4_128_SHA" },
947 { 0x008F, "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA" },
948 { 0x0090, "TLS_DHE_PSK_WITH_AES_128_CBC_SHA" },
949 { 0x0091, "TLS_DHE_PSK_WITH_AES_256_CBC_SHA" },
950 { 0x0092, "TLS_RSA_PSK_WITH_RC4_128_SHA" },
951 { 0x0093, "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA" },
952 { 0x0094, "TLS_RSA_PSK_WITH_AES_128_CBC_SHA" },
953 { 0x0095, "TLS_RSA_PSK_WITH_AES_256_CBC_SHA" },
954 /* RFC 4162 */
955 { 0x0096, "TLS_RSA_WITH_SEED_CBC_SHA" },
956 { 0x0097, "TLS_DH_DSS_WITH_SEED_CBC_SHA" },
957 { 0x0098, "TLS_DH_RSA_WITH_SEED_CBC_SHA" },
958 { 0x0099, "TLS_DHE_DSS_WITH_SEED_CBC_SHA" },
959 { 0x009A, "TLS_DHE_RSA_WITH_SEED_CBC_SHA" },
960 { 0x009B, "TLS_DH_anon_WITH_SEED_CBC_SHA" },
961 /* RFC 5288 */
962 { 0x009C, "TLS_RSA_WITH_AES_128_GCM_SHA256" },
963 { 0x009D, "TLS_RSA_WITH_AES_256_GCM_SHA384" },
964 { 0x009E, "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256" },
965 { 0x009F, "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384" },
966 { 0x00A0, "TLS_DH_RSA_WITH_AES_128_GCM_SHA256" },
967 { 0x00A1, "TLS_DH_RSA_WITH_AES_256_GCM_SHA384" },
968 { 0x00A2, "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256" },
969 { 0x00A3, "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384" },
970 { 0x00A4, "TLS_DH_DSS_WITH_AES_128_GCM_SHA256" },
971 { 0x00A5, "TLS_DH_DSS_WITH_AES_256_GCM_SHA384" },
972 { 0x00A6, "TLS_DH_anon_WITH_AES_128_GCM_SHA256" },
973 { 0x00A7, "TLS_DH_anon_WITH_AES_256_GCM_SHA384" },
974 /* RFC 5487 */
975 { 0x00A8, "TLS_PSK_WITH_AES_128_GCM_SHA256" },
976 { 0x00A9, "TLS_PSK_WITH_AES_256_GCM_SHA384" },
977 { 0x00AA, "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256" },
978 { 0x00AB, "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384" },
979 { 0x00AC, "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256" },
980 { 0x00AD, "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384" },
981 { 0x00AE, "TLS_PSK_WITH_AES_128_CBC_SHA256" },
982 { 0x00AF, "TLS_PSK_WITH_AES_256_CBC_SHA384" },
983 { 0x00B0, "TLS_PSK_WITH_NULL_SHA256" },
984 { 0x00B1, "TLS_PSK_WITH_NULL_SHA384" },
985 { 0x00B2, "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256" },
986 { 0x00B3, "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384" },
987 { 0x00B4, "TLS_DHE_PSK_WITH_NULL_SHA256" },
988 { 0x00B5, "TLS_DHE_PSK_WITH_NULL_SHA384" },
989 { 0x00B6, "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256" },
990 { 0x00B7, "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384" },
991 { 0x00B8, "TLS_RSA_PSK_WITH_NULL_SHA256" },
992 { 0x00B9, "TLS_RSA_PSK_WITH_NULL_SHA384" },
993 /* From RFC 5932 */
994 { 0x00BA, "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
995 { 0x00BB, "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256" },
996 { 0x00BC, "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
997 { 0x00BD, "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256" },
998 { 0x00BE, "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
999 { 0x00BF, "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256" },
1000 { 0x00C0, "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
1001 { 0x00C1, "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256" },
1002 { 0x00C2, "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
1003 { 0x00C3, "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256" },
1004 { 0x00C4, "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
1005 { 0x00C5, "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256" },
1006 /* RFC 8998 */
1007 { 0x00C6, "TLS_SM4_GCM_SM3" },
1008 { 0x00C7, "TLS_SM4_CCM_SM3" },
1009 /* 0x00,0xC8-FE Unassigned */
1010 /* From RFC 5746 */
1011 { 0x00FF, "TLS_EMPTY_RENEGOTIATION_INFO_SCSV" },
1012 /* RFC 8701 */
1013 { 0x0A0A, "Reserved (GREASE)" },
1014 /* RFC 8446 */
1015 { 0x1301, "TLS_AES_128_GCM_SHA256" },
1016 { 0x1302, "TLS_AES_256_GCM_SHA384" },
1017 { 0x1303, "TLS_CHACHA20_POLY1305_SHA256" },
1018 { 0x1304, "TLS_AES_128_CCM_SHA256" },
1019 { 0x1305, "TLS_AES_128_CCM_8_SHA256" },
1020 /* RFC 8701 */
1021 { 0x1A1A, "Reserved (GREASE)" },
1022 { 0x2A2A, "Reserved (GREASE)" },
1023 { 0x3A3A, "Reserved (GREASE)" },
1024 { 0x4A4A, "Reserved (GREASE)" },
1025 /* From RFC 7507 */
1026 { 0x5600, "TLS_FALLBACK_SCSV" },
1027 /* RFC 8701 */
1028 { 0x5A5A, "Reserved (GREASE)" },
1029 { 0x6A6A, "Reserved (GREASE)" },
1030 { 0x7A7A, "Reserved (GREASE)" },
1031 { 0x8A8A, "Reserved (GREASE)" },
1032 { 0x9A9A, "Reserved (GREASE)" },
1033 { 0xAAAA, "Reserved (GREASE)" },
1034 { 0xBABA, "Reserved (GREASE)" },
1035 /* From RFC 4492 */
1036 { 0xc001, "TLS_ECDH_ECDSA_WITH_NULL_SHA" },
1037 { 0xc002, "TLS_ECDH_ECDSA_WITH_RC4_128_SHA" },
1038 { 0xc003, "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA" },
1039 { 0xc004, "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA" },
1040 { 0xc005, "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" },
1041 { 0xc006, "TLS_ECDHE_ECDSA_WITH_NULL_SHA" },
1042 { 0xc007, "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA" },
1043 { 0xc008, "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA" },
1044 { 0xc009, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA" },
1045 { 0xc00a, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" },
1046 { 0xc00b, "TLS_ECDH_RSA_WITH_NULL_SHA" },
1047 { 0xc00c, "TLS_ECDH_RSA_WITH_RC4_128_SHA" },
1048 { 0xc00d, "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA" },
1049 { 0xc00e, "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA" },
1050 { 0xc00f, "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA" },
1051 { 0xc010, "TLS_ECDHE_RSA_WITH_NULL_SHA" },
1052 { 0xc011, "TLS_ECDHE_RSA_WITH_RC4_128_SHA" },
1053 { 0xc012, "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA" },
1054 { 0xc013, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA" },
1055 { 0xc014, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA" },
1056 { 0xc015, "TLS_ECDH_anon_WITH_NULL_SHA" },
1057 { 0xc016, "TLS_ECDH_anon_WITH_RC4_128_SHA" },
1058 { 0xc017, "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA" },
1059 { 0xc018, "TLS_ECDH_anon_WITH_AES_128_CBC_SHA" },
1060 { 0xc019, "TLS_ECDH_anon_WITH_AES_256_CBC_SHA" },
1061 /* RFC 5054 */
1062 { 0xC01A, "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA" },
1063 { 0xC01B, "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA" },
1064 { 0xC01C, "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA" },
1065 { 0xC01D, "TLS_SRP_SHA_WITH_AES_128_CBC_SHA" },
1066 { 0xC01E, "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA" },
1067 { 0xC01F, "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA" },
1068 { 0xC020, "TLS_SRP_SHA_WITH_AES_256_CBC_SHA" },
1069 { 0xC021, "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA" },
1070 { 0xC022, "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA" },
1071 /* RFC 5589 */
1072 { 0xC023, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256" },
1073 { 0xC024, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384" },
1074 { 0xC025, "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256" },
1075 { 0xC026, "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384" },
1076 { 0xC027, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" },
1077 { 0xC028, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" },
1078 { 0xC029, "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256" },
1079 { 0xC02A, "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384" },
1080 { 0xC02B, "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" },
1081 { 0xC02C, "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" },
1082 { 0xC02D, "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256" },
1083 { 0xC02E, "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384" },
1084 { 0xC02F, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" },
1085 { 0xC030, "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" },
1086 { 0xC031, "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" },
1087 { 0xC032, "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384" },
1088 /* RFC 5489 */
1089 { 0xC033, "TLS_ECDHE_PSK_WITH_RC4_128_SHA" },
1090 { 0xC034, "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA" },
1091 { 0xC035, "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA" },
1092 { 0xC036, "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA" },
1093 { 0xC037, "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256" },
1094 { 0xC038, "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384" },
1095 { 0xC039, "TLS_ECDHE_PSK_WITH_NULL_SHA" },
1096 { 0xC03A, "TLS_ECDHE_PSK_WITH_NULL_SHA256" },
1097 { 0xC03B, "TLS_ECDHE_PSK_WITH_NULL_SHA384" },
1098 /* RFC 6209 */
1099 { 0xC03C, "TLS_RSA_WITH_ARIA_128_CBC_SHA256" },
1100 { 0xC03D, "TLS_RSA_WITH_ARIA_256_CBC_SHA384" },
1101 { 0xC03E, "TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256" },
1102 { 0xC03F, "TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384" },
1103 { 0xC040, "TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256" },
1104 { 0xC041, "TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384" },
1105 { 0xC042, "TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256" },
1106 { 0xC043, "TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384" },
1107 { 0xC044, "TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256" },
1108 { 0xC045, "TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384" },
1109 { 0xC046, "TLS_DH_anon_WITH_ARIA_128_CBC_SHA256" },
1110 { 0xC047, "TLS_DH_anon_WITH_ARIA_256_CBC_SHA384" },
1111 { 0xC048, "TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256" },
1112 { 0xC049, "TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384" },
1113 { 0xC04A, "TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256" },
1114 { 0xC04B, "TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384" },
1115 { 0xC04C, "TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256" },
1116 { 0xC04D, "TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384" },
1117 { 0xC04E, "TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256" },
1118 { 0xC04F, "TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384" },
1119 { 0xC050, "TLS_RSA_WITH_ARIA_128_GCM_SHA256" },
1120 { 0xC051, "TLS_RSA_WITH_ARIA_256_GCM_SHA384" },
1121 { 0xC052, "TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256" },
1122 { 0xC053, "TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384" },
1123 { 0xC054, "TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256" },
1124 { 0xC055, "TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384" },
1125 { 0xC056, "TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256" },
1126 { 0xC057, "TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384" },
1127 { 0xC058, "TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256" },
1128 { 0xC059, "TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384" },
1129 { 0xC05A, "TLS_DH_anon_WITH_ARIA_128_GCM_SHA256" },
1130 { 0xC05B, "TLS_DH_anon_WITH_ARIA_256_GCM_SHA384" },
1131 { 0xC05C, "TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256" },
1132 { 0xC05D, "TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384" },
1133 { 0xC05E, "TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256" },
1134 { 0xC05F, "TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384" },
1135 { 0xC060, "TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256" },
1136 { 0xC061, "TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384" },
1137 { 0xC062, "TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256" },
1138 { 0xC063, "TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384" },
1139 { 0xC064, "TLS_PSK_WITH_ARIA_128_CBC_SHA256" },
1140 { 0xC065, "TLS_PSK_WITH_ARIA_256_CBC_SHA384" },
1141 { 0xC066, "TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256" },
1142 { 0xC067, "TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384" },
1143 { 0xC068, "TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256" },
1144 { 0xC069, "TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384" },
1145 { 0xC06A, "TLS_PSK_WITH_ARIA_128_GCM_SHA256" },
1146 { 0xC06B, "TLS_PSK_WITH_ARIA_256_GCM_SHA384" },
1147 { 0xC06C, "TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256" },
1148 { 0xC06D, "TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384" },
1149 { 0xC06E, "TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256" },
1150 { 0xC06F, "TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384" },
1151 { 0xC070, "TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256" },
1152 { 0xC071, "TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384" },
1153 /* RFC 6367 */
1154 { 0xC072, "TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256" },
1155 { 0xC073, "TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384" },
1156 { 0xC074, "TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256" },
1157 { 0xC075, "TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384" },
1158 { 0xC076, "TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
1159 { 0xC077, "TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384" },
1160 { 0xC078, "TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
1161 { 0xC079, "TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384" },
1162 { 0xC07A, "TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256" },
1163 { 0xC07B, "TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384" },
1164 { 0xC07C, "TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256" },
1165 { 0xC07D, "TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384" },
1166 { 0xC07E, "TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256" },
1167 { 0xC07F, "TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384" },
1168 { 0xC080, "TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256" },
1169 { 0xC081, "TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384" },
1170 { 0xC082, "TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256" },
1171 { 0xC083, "TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384" },
1172 { 0xC084, "TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256" },
1173 { 0xC085, "TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384" },
1174 { 0xC086, "TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256" },
1175 { 0xC087, "TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384" },
1176 { 0xC088, "TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256" },
1177 { 0xC089, "TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384" },
1178 { 0xC08A, "TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256" },
1179 { 0xC08B, "TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384" },
1180 { 0xC08C, "TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256" },
1181 { 0xC08D, "TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384" },
1182 { 0xC08E, "TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256" },
1183 { 0xC08F, "TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384" },
1184 { 0xC090, "TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256" },
1185 { 0xC091, "TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384" },
1186 { 0xC092, "TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256" },
1187 { 0xC093, "TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384" },
1188 { 0xC094, "TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256" },
1189 { 0xC095, "TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384" },
1190 { 0xC096, "TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256" },
1191 { 0xC097, "TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384" },
1192 { 0xC098, "TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256" },
1193 { 0xC099, "TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384" },
1194 { 0xC09A, "TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256" },
1195 { 0xC09B, "TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384" },
1196 /* RFC 6655 */
1197 { 0xC09C, "TLS_RSA_WITH_AES_128_CCM" },
1198 { 0xC09D, "TLS_RSA_WITH_AES_256_CCM" },
1199 { 0xC09E, "TLS_DHE_RSA_WITH_AES_128_CCM" },
1200 { 0xC09F, "TLS_DHE_RSA_WITH_AES_256_CCM" },
1201 { 0xC0A0, "TLS_RSA_WITH_AES_128_CCM_8" },
1202 { 0xC0A1, "TLS_RSA_WITH_AES_256_CCM_8" },
1203 { 0xC0A2, "TLS_DHE_RSA_WITH_AES_128_CCM_8" },
1204 { 0xC0A3, "TLS_DHE_RSA_WITH_AES_256_CCM_8" },
1205 { 0xC0A4, "TLS_PSK_WITH_AES_128_CCM" },
1206 { 0xC0A5, "TLS_PSK_WITH_AES_256_CCM" },
1207 { 0xC0A6, "TLS_DHE_PSK_WITH_AES_128_CCM" },
1208 { 0xC0A7, "TLS_DHE_PSK_WITH_AES_256_CCM" },
1209 { 0xC0A8, "TLS_PSK_WITH_AES_128_CCM_8" },
1210 { 0xC0A9, "TLS_PSK_WITH_AES_256_CCM_8" },
1211 { 0xC0AA, "TLS_PSK_DHE_WITH_AES_128_CCM_8" },
1212 { 0xC0AB, "TLS_PSK_DHE_WITH_AES_256_CCM_8" },
1213 /* RFC 7251 */
1214 { 0xC0AC, "TLS_ECDHE_ECDSA_WITH_AES_128_CCM" },
1215 { 0xC0AD, "TLS_ECDHE_ECDSA_WITH_AES_256_CCM" },
1216 { 0xC0AE, "TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8" },
1217 { 0xC0AF, "TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8" },
1218 /* RFC 8492 */
1219 { 0xC0B0, "TLS_ECCPWD_WITH_AES_128_GCM_SHA256" },
1220 { 0xC0B1, "TLS_ECCPWD_WITH_AES_256_GCM_SHA384" },
1221 { 0xC0B2, "TLS_ECCPWD_WITH_AES_128_CCM_SHA256" },
1222 { 0xC0B3, "TLS_ECCPWD_WITH_AES_256_CCM_SHA384" },
1223 /* draft-camwinget-tls-ts13-macciphersuites */
1224 { 0xC0B4, "TLS_SHA256_SHA256" },
1225 { 0xC0B5, "TLS_SHA384_SHA384" },
1226 /* https://www.ietf.org/archive/id/draft-cragie-tls-ecjpake-01.txt */
1227 { 0xC0FF, "TLS_ECJPAKE_WITH_AES_128_CCM_8" },
1228 /* draft-smyshlyaev-tls12-gost-suites */
1229 { 0xC100, "TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC" },
1230 { 0xC101, "TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC" },
1231 { 0xC102, "TLS_GOSTR341112_256_WITH_28147_CNT_IMIT" },
1232 /* draft-smyshlyaev-tls13-gost-suites */
1233 { 0xC103, "TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_L" },
1234 { 0xC104, "TLS_GOSTR341112_256_WITH_MAGMA_MGM_L" },
1235 { 0xC105, "TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_S" },
1236 { 0xC106, "TLS_GOSTR341112_256_WITH_MAGMA_MGM_S" },
1237 /* RFC 8701 */
1238 { 0xCACA, "Reserved (GREASE)" },
1239/*
12400xC0,0xAB-FF Unassigned
12410xC1,0x03-FD,* Unassigned
12420xFE,0x00-FD Unassigned
12430xFE,0xFE-FF Reserved to avoid conflicts with widely deployed implementations [Pasi_Eronen]
12440xFF,0x00-FF Reserved for Private Use [RFC5246]
1245*/
1246 /* old numbers used in the beginning
1247 * https://tools.ietf.org/html/draft-agl-tls-chacha20poly1305 */
1248 { 0xCC13, "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
1249 { 0xCC14, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" },
1250 { 0xCC15, "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
1251 /* RFC 7905 */
1252 { 0xCCA8, "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
1253 { 0xCCA9, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" },
1254 { 0xCCAA, "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
1255 { 0xCCAB, "TLS_PSK_WITH_CHACHA20_POLY1305_SHA256" },
1256 { 0xCCAC, "TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256" },
1257 { 0xCCAD, "TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256" },
1258 { 0xCCAE, "TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256" },
1259 /* RFC 8442 */
1260 { 0xD001, "TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256" },
1261 { 0xD002, "TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384" },
1262 { 0xD003, "TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256" },
1263 { 0xD005, "TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256" },
1264 /* RFC 8701 */
1265 { 0xDADA, "Reserved (GREASE)" },
1266 /* GM/T 0024-2014 */
1267 { 0xe001, "ECDHE_SM1_SM3"},
1268 { 0xe003, "ECC_SM1_SM3"},
1269 { 0xe005, "IBSDH_SM1_SM3"},
1270 { 0xe007, "IBC_SM1_SM3"},
1271 { 0xe009, "RSA_SM1_SM3"},
1272 { 0xe00a, "RSA_SM1_SHA1"},
1273 { 0xe011, "ECDHE_SM4_CBC_SM3"},
1274 { 0xe013, "ECC_SM4_CBC_SM3"},
1275 { 0xe015, "IBSDH_SM4_CBC_SM3"},
1276 { 0xe017, "IBC_SM4_CBC_SM3"},
1277 { 0xe019, "RSA_SM4_CBC_SM3"},
1278 { 0xe01a, "RSA_SM4_CBC_SHA1"},
1279 { 0xe01c, "RSA_SM4_CBC_SHA256"},
1280 { 0xe051, "ECDHE_SM4_GCM_SM3"},
1281 { 0xe053, "ECC_SM4_GCM_SM3"},
1282 { 0xe055, "IBSDH_SM4_GCM_SM3"},
1283 { 0xe057, "IBC_SM4_GCM_SM3"},
1284 { 0xe059, "RSA_SM4_GCM_SM3"},
1285 { 0xe05a, "RSA_SM4_GCM_SHA256"},
1286 /* https://tools.ietf.org/html/draft-josefsson-salsa20-tls */
1287 { 0xE410, "TLS_RSA_WITH_ESTREAM_SALSA20_SHA1" },
1288 { 0xE411, "TLS_RSA_WITH_SALSA20_SHA1" },
1289 { 0xE412, "TLS_ECDHE_RSA_WITH_ESTREAM_SALSA20_SHA1" },
1290 { 0xE413, "TLS_ECDHE_RSA_WITH_SALSA20_SHA1" },
1291 { 0xE414, "TLS_ECDHE_ECDSA_WITH_ESTREAM_SALSA20_SHA1" },
1292 { 0xE415, "TLS_ECDHE_ECDSA_WITH_SALSA20_SHA1" },
1293 { 0xE416, "TLS_PSK_WITH_ESTREAM_SALSA20_SHA1" },
1294 { 0xE417, "TLS_PSK_WITH_SALSA20_SHA1" },
1295 { 0xE418, "TLS_ECDHE_PSK_WITH_ESTREAM_SALSA20_SHA1" },
1296 { 0xE419, "TLS_ECDHE_PSK_WITH_SALSA20_SHA1" },
1297 { 0xE41A, "TLS_RSA_PSK_WITH_ESTREAM_SALSA20_SHA1" },
1298 { 0xE41B, "TLS_RSA_PSK_WITH_SALSA20_SHA1" },
1299 { 0xE41C, "TLS_DHE_PSK_WITH_ESTREAM_SALSA20_SHA1" },
1300 { 0xE41D, "TLS_DHE_PSK_WITH_SALSA20_SHA1" },
1301 { 0xE41E, "TLS_DHE_RSA_WITH_ESTREAM_SALSA20_SHA1" },
1302 { 0xE41F, "TLS_DHE_RSA_WITH_SALSA20_SHA1" },
1303 /* RFC 8701 */
1304 { 0xEAEA, "Reserved (GREASE)" },
1305 { 0xFAFA, "Reserved (GREASE)" },
1306 /* these from http://www.mozilla.org/projects/
1307 security/pki/nss/ssl/fips-ssl-ciphersuites.html */
1308 { 0xfefe, "SSL_RSA_FIPS_WITH_DES_CBC_SHA"},
1309 { 0xfeff, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA" },
1310 /* https://datatracker.ietf.org/doc/html/rfc9189 */
1311 { 0xff85, "TLS_GOSTR341112_256_WITH_28147_CNT_IMIT"},
1312 { 0xffe0, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA" },
1313 { 0xffe1, "SSL_RSA_FIPS_WITH_DES_CBC_SHA" },
1314 /* note that ciphersuites 0xff00 - 0xffff are private */
1315 { 0x00, NULL((void*)0) }
1316};
1317
1318value_string_ext ssl_31_ciphersuite_ext = VALUE_STRING_EXT_INIT(ssl_31_ciphersuite){ _try_val_to_str_ext_init, 0, (sizeof (ssl_31_ciphersuite) /
sizeof ((ssl_31_ciphersuite)[0]))-1, ssl_31_ciphersuite, "ssl_31_ciphersuite"
, ((void*)0) }
;
1319
1320/* http://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#tls-extensiontype-values-1 */
1321const value_string tls_hello_extension_types[] = {
1322 { SSL_HND_HELLO_EXT_SERVER_NAME0, "server_name" }, /* RFC 6066 */
1323 { SSL_HND_HELLO_EXT_MAX_FRAGMENT_LENGTH1, "max_fragment_length" },/* RFC 6066 */
1324 { SSL_HND_HELLO_EXT_CLIENT_CERTIFICATE_URL2, "client_certificate_url" }, /* RFC 6066 */
1325 { SSL_HND_HELLO_EXT_TRUSTED_CA_KEYS3, "trusted_ca_keys" }, /* RFC 6066 */
1326 { SSL_HND_HELLO_EXT_TRUNCATED_HMAC4, "truncated_hmac" }, /* RFC 6066 */
1327 { SSL_HND_HELLO_EXT_STATUS_REQUEST5, "status_request" }, /* RFC 6066 */
1328 { SSL_HND_HELLO_EXT_USER_MAPPING6, "user_mapping" }, /* RFC 4681 */
1329 { SSL_HND_HELLO_EXT_CLIENT_AUTHZ7, "client_authz" }, /* RFC 5878 */
1330 { SSL_HND_HELLO_EXT_SERVER_AUTHZ8, "server_authz" }, /* RFC 5878 */
1331 { SSL_HND_HELLO_EXT_CERT_TYPE9, "cert_type" }, /* RFC 6091 */
1332 { SSL_HND_HELLO_EXT_SUPPORTED_GROUPS10, "supported_groups" }, /* RFC 4492, RFC 7919 */
1333 { SSL_HND_HELLO_EXT_EC_POINT_FORMATS11, "ec_point_formats" }, /* RFC 4492 */
1334 { SSL_HND_HELLO_EXT_SRP12, "srp" }, /* RFC 5054 */
1335 { SSL_HND_HELLO_EXT_SIGNATURE_ALGORITHMS13, "signature_algorithms" }, /* RFC 5246 */
1336 { SSL_HND_HELLO_EXT_USE_SRTP14, "use_srtp" }, /* RFC 5764 */
1337 { SSL_HND_HELLO_EXT_HEARTBEAT15, "heartbeat" }, /* RFC 6520 */
1338 { SSL_HND_HELLO_EXT_ALPN16, "application_layer_protocol_negotiation" }, /* RFC 7301 */
1339 { SSL_HND_HELLO_EXT_STATUS_REQUEST_V217, "status_request_v2" }, /* RFC 6961 */
1340 { SSL_HND_HELLO_EXT_SIGNED_CERTIFICATE_TIMESTAMP18, "signed_certificate_timestamp" }, /* RFC 6962 */
1341 { SSL_HND_HELLO_EXT_CLIENT_CERT_TYPE19, "client_certificate_type" }, /* RFC 7250 */
1342 { SSL_HND_HELLO_EXT_SERVER_CERT_TYPE20, "server_certificate_type" }, /* RFC 7250 */
1343 { SSL_HND_HELLO_EXT_PADDING21, "padding" }, /* RFC 7685 */
1344 { SSL_HND_HELLO_EXT_ENCRYPT_THEN_MAC22, "encrypt_then_mac" }, /* RFC 7366 */
1345 { SSL_HND_HELLO_EXT_EXTENDED_MASTER_SECRET23, "extended_master_secret" }, /* RFC 7627 */
1346 { SSL_HND_HELLO_EXT_TOKEN_BINDING24, "token_binding" }, /* https://tools.ietf.org/html/draft-ietf-tokbind-negotiation */
1347 { SSL_HND_HELLO_EXT_CACHED_INFO25, "cached_info" }, /* RFC 7924 */
1348 { SSL_HND_HELLO_EXT_COMPRESS_CERTIFICATE27, "compress_certificate" }, /* https://tools.ietf.org/html/draft-ietf-tls-certificate-compression-03 */
1349 { SSL_HND_HELLO_EXT_RECORD_SIZE_LIMIT28, "record_size_limit" }, /* RFC 8449 */
1350 { SSL_HND_HELLO_EXT_DELEGATED_CREDENTIALS34, "delegated_credentials" }, /* draft-ietf-tls-subcerts-10.txt */
1351 { SSL_HND_HELLO_EXT_SESSION_TICKET_TLS35, "session_ticket" }, /* RFC 5077 / RFC 8447 */
1352 { SSL_HND_HELLO_EXT_KEY_SHARE_OLD40, "Reserved (key_share)" }, /* https://tools.ietf.org/html/draft-ietf-tls-tls13-22 (removed in -23) */
1353 { SSL_HND_HELLO_EXT_PRE_SHARED_KEY41, "pre_shared_key" }, /* RFC 8446 */
1354 { SSL_HND_HELLO_EXT_EARLY_DATA42, "early_data" }, /* RFC 8446 */
1355 { SSL_HND_HELLO_EXT_SUPPORTED_VERSIONS43, "supported_versions" }, /* RFC 8446 */
1356 { SSL_HND_HELLO_EXT_COOKIE44, "cookie" }, /* RFC 8446 */
1357 { SSL_HND_HELLO_EXT_PSK_KEY_EXCHANGE_MODES45, "psk_key_exchange_modes" }, /* RFC 8446 */
1358 { SSL_HND_HELLO_EXT_TICKET_EARLY_DATA_INFO46, "Reserved (ticket_early_data_info)" }, /* draft-ietf-tls-tls13-18 (removed in -19) */
1359 { SSL_HND_HELLO_EXT_CERTIFICATE_AUTHORITIES47, "certificate_authorities" }, /* RFC 8446 */
1360 { SSL_HND_HELLO_EXT_OID_FILTERS48, "oid_filters" }, /* RFC 8446 */
1361 { SSL_HND_HELLO_EXT_POST_HANDSHAKE_AUTH49, "post_handshake_auth" }, /* RFC 8446 */
1362 { SSL_HND_HELLO_EXT_SIGNATURE_ALGORITHMS_CERT50, "signature_algorithms_cert" }, /* RFC 8446 */
1363 { SSL_HND_HELLO_EXT_KEY_SHARE51, "key_share" }, /* RFC 8446 */
1364 { SSL_HND_HELLO_EXT_TRANSPARENCY_INFO52, "transparency_info" }, /* draft-ietf-trans-rfc6962-bis-41 */
1365 { SSL_HND_HELLO_EXT_CONNECTION_ID_DEPRECATED53, "connection_id (deprecated)" }, /* draft-ietf-tls-dtls-connection-id-07 */
1366 { SSL_HND_HELLO_EXT_CONNECTION_ID54, "connection_id" }, /* RFC 9146 */
1367 { SSL_HND_HELLO_EXT_EXTERNAL_ID_HASH55, "external_id_hash" }, /* RFC 8844 */
1368 { SSL_HND_HELLO_EXT_EXTERNAL_SESSION_ID56, "external_session_id" }, /* RFC 8844 */
1369 { SSL_HND_HELLO_EXT_QUIC_TRANSPORT_PARAMETERS_V157, "quic_transport_parameters" }, /* draft-ietf-quic-tls-33 */
1370 { SSL_HND_HELLO_EXT_TICKET_REQUEST58, "ticket_request" }, /* draft-ietf-tls-ticketrequests-07 */
1371 { SSL_HND_HELLO_EXT_DNSSEC_CHAIN59, "dnssec_chain" }, /* RFC 9102 */
1372 { SSL_HND_HELLO_EXT_GREASE_0A0A2570, "Reserved (GREASE)" }, /* RFC 8701 */
1373 { SSL_HND_HELLO_EXT_GREASE_1A1A6682, "Reserved (GREASE)" }, /* RFC 8701 */
1374 { SSL_HND_HELLO_EXT_GREASE_2A2A10794, "Reserved (GREASE)" }, /* RFC 8701 */
1375 { SSL_HND_HELLO_EXT_NPN13172, "next_protocol_negotiation"}, /* https://datatracker.ietf.org/doc/html/draft-agl-tls-nextprotoneg-03 */
1376 { SSL_HND_HELLO_EXT_GREASE_3A3A14906, "Reserved (GREASE)" }, /* RFC 8701 */
1377 { SSL_HND_HELLO_EXT_ALPS_OLD17513, "application_settings_old" }, /* draft-vvv-tls-alps-01 */
1378 { SSL_HND_HELLO_EXT_ALPS17613, "application_settings" }, /* draft-vvv-tls-alps-01 */ /* https://chromestatus.com/feature/5149147365900288 */
1379 { SSL_HND_HELLO_EXT_GREASE_4A4A19018, "Reserved (GREASE)" }, /* RFC 8701 */
1380 { SSL_HND_HELLO_EXT_GREASE_5A5A23130, "Reserved (GREASE)" }, /* RFC 8701 */
1381 { SSL_HND_HELLO_EXT_GREASE_6A6A27242, "Reserved (GREASE)" }, /* RFC 8701 */
1382 { SSL_HND_HELLO_EXT_CHANNEL_ID_OLD30031, "channel_id_old" }, /* https://tools.ietf.org/html/draft-balfanz-tls-channelid-00
1383 https://twitter.com/ericlaw/status/274237352531083264 */
1384 { SSL_HND_HELLO_EXT_CHANNEL_ID30032, "channel_id" }, /* https://tools.ietf.org/html/draft-balfanz-tls-channelid-01
1385 https://code.google.com/p/chromium/codesearch#chromium/src/net/third_party/nss/ssl/sslt.h&l=209 */
1386 { SSL_HND_HELLO_EXT_RENEGOTIATION_INFO65281, "renegotiation_info" }, /* RFC 5746 */
1387 { SSL_HND_HELLO_EXT_GREASE_7A7A31354, "Reserved (GREASE)" }, /* RFC 8701 */
1388 { SSL_HND_HELLO_EXT_GREASE_8A8A35466, "Reserved (GREASE)" }, /* RFC 8701 */
1389 { SSL_HND_HELLO_EXT_GREASE_9A9A39578, "Reserved (GREASE)" }, /* RFC 8701 */
1390 { SSL_HND_HELLO_EXT_GREASE_AAAA43690, "Reserved (GREASE)" }, /* RFC 8701 */
1391 { SSL_HND_HELLO_EXT_GREASE_BABA47802, "Reserved (GREASE)" }, /* RFC 8701 */
1392 { SSL_HND_HELLO_EXT_GREASE_CACA51914, "Reserved (GREASE)" }, /* RFC 8701 */
1393 { SSL_HND_HELLO_EXT_GREASE_DADA56026, "Reserved (GREASE)" }, /* RFC 8701 */
1394 { SSL_HND_HELLO_EXT_GREASE_EAEA60138, "Reserved (GREASE)" }, /* RFC 8701 */
1395 { SSL_HND_HELLO_EXT_GREASE_FAFA64250, "Reserved (GREASE)" }, /* RFC 8701 */
1396 { SSL_HND_HELLO_EXT_QUIC_TRANSPORT_PARAMETERS65445, "quic_transport_parameters (drafts version)" }, /* https://tools.ietf.org/html/draft-ietf-quic-tls */
1397 { SSL_HND_HELLO_EXT_ENCRYPTED_SERVER_NAME65486, "encrypted_server_name" }, /* https://tools.ietf.org/html/draft-ietf-tls-esni-01 */
1398 { SSL_HND_HELLO_EXT_ENCRYPTED_CLIENT_HELLO65037, "encrypted_client_hello" }, /* https://datatracker.ietf.org/doc/draft-ietf-tls-esni/17/ */
1399 { SSL_HND_HELLO_EXT_ECH_OUTER_EXTENSIONS64768, "ech_outer_extensions" }, /* https://datatracker.ietf.org/doc/draft-ietf-tls-esni/17/ */
1400 { 0, NULL((void*)0) }
1401};
1402
1403const value_string tls_hello_ext_server_name_type_vs[] = {
1404 { 0, "host_name" },
1405 { 0, NULL((void*)0) }
1406};
1407
1408/* RFC 6066 Section 4 */
1409const value_string tls_hello_ext_max_fragment_length[] = {
1410 { 1, "512" }, // 2^9
1411 { 2, "1024" }, // 2^10
1412 { 3, "2048" }, // 2^11
1413 { 4, "4096" }, // 2^12
1414 { 0, NULL((void*)0) }
1415};
1416
1417/* RFC 8446 Section 4.2.9 */
1418const value_string tls_hello_ext_psk_ke_mode[] = {
1419 { 0, "PSK-only key establishment (psk_ke)" },
1420 { 1, "PSK with (EC)DHE key establishment (psk_dhe_ke)" },
1421 { 0, NULL((void*)0) }
1422};
1423
1424/* RFC 6066 Section 6 */
1425const value_string tls_hello_ext_trusted_ca_key_type[] = {
1426 {0, "pre_agreed"},
1427 {1, "key_sha1_hash"},
1428 {2, "x509_name"},
1429 {3, "cert_sha1_hash"},
1430 {0, NULL((void*)0)}
1431};
1432
1433const value_string tls13_key_update_request[] = {
1434 { 0, "update_not_requested" },
1435 { 1, "update_requested" },
1436 { 0, NULL((void*)0) }
1437};
1438
1439/* RFC 5246 7.4.1.4.1 */
1440/* https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml */
1441/* Note that the TLS 1.3 SignatureScheme registry reserves all values
1442 * with first octet 0x00-0x06 and all values with second octet 0x00-0x03
1443 * for backwards compatibility with TLS 1.2 SignatureAndHashAlgorithm.
1444 *
1445 * RFC 8422 and RFC 9189 add official support in TLS 1.2 for some algorithms
1446 * originally defined for TLS 1.3, and extend the TLS SignatureAlgorithm
1447 * and TLS HashAlgorithm registries, but the new values are not compatible
1448 * with all of the TLS 1.3-only SignatureSchemes. Adding those values could
1449 * cause confusion if used to interpret one of those schemes in a
1450 * signature_algorithms extension offered in a TLS 1.3 ClientHello.
1451 */
1452const value_string tls_hash_algorithm[] = {
1453 { 0, "None" },
1454 { 1, "MD5" },
1455 { 2, "SHA1" },
1456 { 3, "SHA224" },
1457 { 4, "SHA256" },
1458 { 5, "SHA384" },
1459 { 6, "SHA512" },
1460#if 0
1461 /* RFC 8422 adds this to the HashAlgorithm registry, but it really
1462 * only applies to 0x0807 and 0x0808, not for other TLS 1.3
1463 * SignatureSchemes with 0x08 in the octet used for Hash in TLS 1.2.
1464 * E.g., we don't want to display this for 0x0806 rsa_pss_rsae_sha512.
1465 */
1466 { 8, "Intrinsic" },
1467#endif
1468 { 0, NULL((void*)0) }
1469};
1470
1471const value_string tls_signature_algorithm[] = {
1472 { 0, "Anonymous" },
1473 { 1, "RSA" },
1474 { 2, "DSA" },
1475 { 3, "ECDSA" },
1476#if 0
1477 /* As above. */
1478 { 7, "ED25519" },
1479 { 8, "ED448" },
1480 { 64, "GOSTR34102012_256" },
1481 { 65, "GOSTR34102012_512" },
1482#endif
1483 { 0, NULL((void*)0) }
1484};
1485
1486/* RFC 8446 Section 4.2.3 */
1487const value_string tls13_signature_algorithm[] = {
1488 { 0x0201, "rsa_pkcs1_sha1" },
1489 { 0x0203, "ecdsa_sha1" },
1490 { 0x0401, "rsa_pkcs1_sha256" },
1491 { 0x0403, "ecdsa_secp256r1_sha256" },
1492 { 0x0420, "rsa_pkcs1_sha256_legacy" }, /* draft-davidben-tls13-pkcs1-01 */
1493 { 0x0501, "rsa_pkcs1_sha384" },
1494 { 0x0503, "ecdsa_secp384r1_sha384" },
1495 { 0x0520, "rsa_pkcs1_sha384_legacy" }, /* draft-davidben-tls13-pkcs1-01 */
1496 { 0x0601, "rsa_pkcs1_sha512" },
1497 { 0x0603, "ecdsa_secp521r1_sha512" },
1498 { 0x0620, "rsa_pkcs1_sha512_legacy" }, /* draft-davidben-tls13-pkcs1-01 */
1499 { 0x0704, "eccsi_sha256" }, /* draft-wang-tls-raw-public-key-with-ibc-02 */
1500 { 0x0705, "iso_ibs1" }, /* draft-wang-tls-raw-public-key-with-ibc-02 */
1501 { 0x0706, "iso_ibs2" }, /* draft-wang-tls-raw-public-key-with-ibc-02 */
1502 { 0x0707, "iso_chinese_ibs" }, /* draft-wang-tls-raw-public-key-with-ibc-02 */
1503 { 0x0708, "sm2sig_sm3" },
1504 { 0x0709, "gostr34102012_256a" }, /* RFC9367 */
1505 { 0x070a, "gostr34102012_256b" }, /* RFC9367 */
1506 { 0x070b, "gostr34102012_256c" }, /* RFC9367 */
1507 { 0x070c, "gostr34102012_256d" }, /* RFC9367 */
1508 { 0x070d, "gostr34102012_512a" }, /* RFC9367 */
1509 { 0x070e, "gostr34102012_512b" }, /* RFC9367 */
1510 { 0x070f, "gostr34102012_512c" }, /* RFC9367 */
1511 { 0x0804, "rsa_pss_rsae_sha256" },
1512 { 0x0805, "rsa_pss_rsae_sha384" },
1513 { 0x0806, "rsa_pss_rsae_sha512" },
1514 { 0x0807, "ed25519" },
1515 { 0x0808, "ed448" },
1516 { 0x0809, "rsa_pss_pss_sha256" },
1517 { 0x080a, "rsa_pss_pss_sha384" },
1518 { 0x080b, "rsa_pss_pss_sha512" },
1519 { 0x081a, "ecdsa_brainpoolP256r1tls13_sha256" }, /* RFC8734 */
1520 { 0x081b, "ecdsa_brainpoolP384r1tls13_sha384" }, /* RFC8734 */
1521 { 0x081c, "ecdsa_brainpoolP512r1tls13_sha512" }, /* RFC8734 */
1522 { 0x0904, "mldsa44" }, /* draft-ietf-tls-mldsa-00 */
1523 { 0x0905, "mldsa65" }, /* draft-ietf-tls-mldsa-00 */
1524 { 0x0906, "mldsa87" }, /* draft-ietf-tls-mldsa-00 */
1525 { 0x0911, "slhdsa_sha2_128s" }, /* draft-reddy-tls-slhdsa-01 */
1526 { 0x0912, "slhdsa_sha2_128f" }, /* draft-reddy-tls-slhdsa-01 */
1527 { 0x0913, "slhdsa_sha2_192s" }, /* draft-reddy-tls-slhdsa-01 */
1528 { 0x0914, "slhdsa_sha2_192f" }, /* draft-reddy-tls-slhdsa-01 */
1529 { 0x0915, "slhdsa_sha2_256s" }, /* draft-reddy-tls-slhdsa-01 */
1530 { 0x0916, "slhdsa_sha2_256f" }, /* draft-reddy-tls-slhdsa-01 */
1531 { 0x0917, "slhdsa_shake_128s" }, /* draft-reddy-tls-slhdsa-01 */
1532 { 0x0918, "slhdsa_shake_128f" }, /* draft-reddy-tls-slhdsa-01 */
1533 { 0x0919, "slhdsa_shake_192s" }, /* draft-reddy-tls-slhdsa-01 */
1534 { 0x091a, "slhdsa_shake_192f" }, /* draft-reddy-tls-slhdsa-01 */
1535 { 0x091b, "slhdsa_shake_256s" }, /* draft-reddy-tls-slhdsa-01 */
1536 { 0x091c, "slhdsa_shake_256f" }, /* draft-reddy-tls-slhdsa-01 */
1537 /* PQC digital signature algorithms from OQS-OpenSSL,
1538 see https://github.com/open-quantum-safe/oqs-provider/blob/main/oqs-template/oqs-sig-info.md */
1539 { 0xfea0, "dilithium2" },
1540 { 0xfea1, "p256_dilithium2" },
1541 { 0xfea2, "rsa3072_dilithium2" },
1542 { 0xfea3, "dilithium3" },
1543 { 0xfea4, "p384_dilithium3" },
1544 { 0xfea5, "dilithium5" },
1545 { 0xfea6, "p521_dilithium5" },
1546 { 0xfea7, "dilithium2_aes" },
1547 { 0xfea8, "p256_dilithium2_aes" },
1548 { 0xfea9, "rsa3072_dilithium2_aes" },
1549 { 0xfeaa, "dilithium3_aes" },
1550 { 0xfeab, "p384_dilithium3_aes" },
1551 { 0xfeac, "dilithium5_aes" },
1552 { 0xfead, "p521_dilithium5_aes" },
1553 { 0xfe0b, "falcon512" },
1554 { 0xfe0c, "p256_falcon512" },
1555 { 0xfe0d, "rsa3072_falcon512" },
1556 { 0xfe0e, "falcon1024" },
1557 { 0xfe0f, "p521_falcon1024" },
1558 { 0xfe96, "picnicl1full" },
1559 { 0xfe97, "p256_picnicl1full" },
1560 { 0xfe98, "rsa3072_picnicl1full" },
1561 { 0xfe1b, "picnic3l1" },
1562 { 0xfe1c, "p256_picnic3l1" },
1563 { 0xfe1d, "rsa3072_picnic3l1" },
1564 { 0xfe27, "rainbowIclassic" },
1565 { 0xfe28, "p256_rainbowIclassic" },
1566 { 0xfe29, "rsa3072_rainbowIclassic" },
1567 { 0xfe3c, "rainbowVclassic" },
1568 { 0xfe3d, "p521_rainbowVclassic" },
1569 { 0xfe42, "sphincsharaka128frobust" },
1570 { 0xfe43, "p256_sphincsharaka128frobust" },
1571 { 0xfe44, "rsa3072_sphincsharaka128frobust" },
1572 { 0xfe5e, "sphincssha256128frobust" },
1573 { 0xfe5f, "p256_sphincssha256128frobust" },
1574 { 0xfe60, "rsa3072_sphincssha256128frobust" },
1575 { 0xfe7a, "sphincsshake256128frobust" },
1576 { 0xfe7b, "p256_sphincsshake256128frobust" },
1577 { 0xfe7c, "rsa3072_sphincsshake256128frobust" },
1578 { 0, NULL((void*)0) }
1579};
1580
1581/* RFC 6091 3.1 */
1582const value_string tls_certificate_type[] = {
1583 { 0, "X.509" },
1584 { 1, "OpenPGP" },
1585 { SSL_HND_CERT_TYPE_RAW_PUBLIC_KEY2, "Raw Public Key" }, /* RFC 7250 */
1586 { 0, NULL((void*)0) }
1587};
1588
1589const value_string tls_cert_chain_type[] = {
1590 { SSL_HND_CERT_URL_TYPE_INDIVIDUAL_CERT1, "Individual Certificates" },
1591 { SSL_HND_CERT_URL_TYPE_PKIPATH2, "PKI Path" },
1592 { 0, NULL((void*)0) }
1593};
1594
1595const value_string tls_cert_status_type[] = {
1596 { SSL_HND_CERT_STATUS_TYPE_OCSP1, "OCSP" },
1597 { SSL_HND_CERT_STATUS_TYPE_OCSP_MULTI2, "OCSP Multi" },
1598 { 0, NULL((void*)0) }
1599};
1600
1601/* Generated by tools/dissector_generators/generate-tls-ct-logids.py
1602 * Last-Modified Sat, 15 Nov 2025 14:27:28 GMT, 187 entries. */
1603static const bytes_string ct_logids[] = {
1604 { (const uint8_t[]){
1605 0xb2, 0x1e, 0x05, 0xcc, 0x8b, 0xa2, 0xcd, 0x8a, 0x20, 0x4e, 0x87,
1606 0x66, 0xf9, 0x2b, 0xb9, 0x8a, 0x25, 0x20, 0x67, 0x6b, 0xda, 0xfa,
1607 0x70, 0xe7, 0xb2, 0x49, 0x53, 0x2d, 0xef, 0x8b, 0x90, 0x5e,
1608 },
1609 32, "Google 'Argon2020' log" },
1610 { (const uint8_t[]){
1611 0xf6, 0x5c, 0x94, 0x2f, 0xd1, 0x77, 0x30, 0x22, 0x14, 0x54, 0x18,
1612 0x08, 0x30, 0x94, 0x56, 0x8e, 0xe3, 0x4d, 0x13, 0x19, 0x33, 0xbf,
1613 0xdf, 0x0c, 0x2f, 0x20, 0x0b, 0xcc, 0x4e, 0xf1, 0x64, 0xe3,
1614 },
1615 32, "Google 'Argon2021' log" },
1616 { (const uint8_t[]){
1617 0x29, 0x79, 0xbe, 0xf0, 0x9e, 0x39, 0x39, 0x21, 0xf0, 0x56, 0x73,
1618 0x9f, 0x63, 0xa5, 0x77, 0xe5, 0xbe, 0x57, 0x7d, 0x9c, 0x60, 0x0a,
1619 0xf8, 0xf9, 0x4d, 0x5d, 0x26, 0x5c, 0x25, 0x5d, 0xc7, 0x84,
1620 },
1621 32, "Google 'Argon2022' log" },
1622 { (const uint8_t[]){
1623 0xe8, 0x3e, 0xd0, 0xda, 0x3e, 0xf5, 0x06, 0x35, 0x32, 0xe7, 0x57,
1624 0x28, 0xbc, 0x89, 0x6b, 0xc9, 0x03, 0xd3, 0xcb, 0xd1, 0x11, 0x6b,
1625 0xec, 0xeb, 0x69, 0xe1, 0x77, 0x7d, 0x6d, 0x06, 0xbd, 0x6e,
1626 },
1627 32, "Google 'Argon2023' log" },
1628 { (const uint8_t[]){
1629 0xee, 0xcd, 0xd0, 0x64, 0xd5, 0xdb, 0x1a, 0xce, 0xc5, 0x5c, 0xb7,
1630 0x9d, 0xb4, 0xcd, 0x13, 0xa2, 0x32, 0x87, 0x46, 0x7c, 0xbc, 0xec,
1631 0xde, 0xc3, 0x51, 0x48, 0x59, 0x46, 0x71, 0x1f, 0xb5, 0x9b,
1632 },
1633 32, "Google 'Argon2024' log" },
1634 { (const uint8_t[]){
1635 0x4e, 0x75, 0xa3, 0x27, 0x5c, 0x9a, 0x10, 0xc3, 0x38, 0x5b, 0x6c,
1636 0xd4, 0xdf, 0x3f, 0x52, 0xeb, 0x1d, 0xf0, 0xe0, 0x8e, 0x1b, 0x8d,
1637 0x69, 0xc0, 0xb1, 0xfa, 0x64, 0xb1, 0x62, 0x9a, 0x39, 0xdf,
1638 },
1639 32, "Google 'Argon2025h1' log" },
1640 { (const uint8_t[]){
1641 0x12, 0xf1, 0x4e, 0x34, 0xbd, 0x53, 0x72, 0x4c, 0x84, 0x06, 0x19,
1642 0xc3, 0x8f, 0x3f, 0x7a, 0x13, 0xf8, 0xe7, 0xb5, 0x62, 0x87, 0x88,
1643 0x9c, 0x6d, 0x30, 0x05, 0x84, 0xeb, 0xe5, 0x86, 0x26, 0x3a,
1644 },
1645 32, "Google 'Argon2025h2' log" },
1646 { (const uint8_t[]){
1647 0x0e, 0x57, 0x94, 0xbc, 0xf3, 0xae, 0xa9, 0x3e, 0x33, 0x1b, 0x2c,
1648 0x99, 0x07, 0xb3, 0xf7, 0x90, 0xdf, 0x9b, 0xc2, 0x3d, 0x71, 0x32,
1649 0x25, 0xdd, 0x21, 0xa9, 0x25, 0xac, 0x61, 0xc5, 0x4e, 0x21,
1650 },
1651 32, "Google 'Argon2026h1' log" },
1652 { (const uint8_t[]){
1653 0xd7, 0x6d, 0x7d, 0x10, 0xd1, 0xa7, 0xf5, 0x77, 0xc2, 0xc7, 0xe9,
1654 0x5f, 0xd7, 0x00, 0xbf, 0xf9, 0x82, 0xc9, 0x33, 0x5a, 0x65, 0xe1,
1655 0xd0, 0xb3, 0x01, 0x73, 0x17, 0xc0, 0xc8, 0xc5, 0x69, 0x77,
1656 },
1657 32, "Google 'Argon2026h2' log" },
1658 { (const uint8_t[]){
1659 0xd6, 0xd5, 0x8d, 0xa9, 0xd0, 0x17, 0x53, 0xf3, 0x6a, 0x4a, 0xa0,
1660 0xc7, 0x57, 0x49, 0x02, 0xaf, 0xeb, 0xc7, 0xdc, 0x2c, 0xd3, 0x8c,
1661 0xd9, 0xf7, 0x64, 0xc8, 0x0c, 0x89, 0x19, 0x1e, 0x9f, 0x02,
1662 },
1663 32, "Google 'Argon2027h1'" },
1664 { (const uint8_t[]){
1665 0x07, 0xb7, 0x5c, 0x1b, 0xe5, 0x7d, 0x68, 0xff, 0xf1, 0xb0, 0xc6,
1666 0x1d, 0x23, 0x15, 0xc7, 0xba, 0xe6, 0x57, 0x7c, 0x57, 0x94, 0xb7,
1667 0x6a, 0xee, 0xbc, 0x61, 0x3a, 0x1a, 0x69, 0xd3, 0xa2, 0x1c,
1668 },
1669 32, "Google 'Xenon2020' log" },
1670 { (const uint8_t[]){
1671 0x7d, 0x3e, 0xf2, 0xf8, 0x8f, 0xff, 0x88, 0x55, 0x68, 0x24, 0xc2,
1672 0xc0, 0xca, 0x9e, 0x52, 0x89, 0x79, 0x2b, 0xc5, 0x0e, 0x78, 0x09,
1673 0x7f, 0x2e, 0x6a, 0x97, 0x68, 0x99, 0x7e, 0x22, 0xf0, 0xd7,
1674 },
1675 32, "Google 'Xenon2021' log" },
1676 { (const uint8_t[]){
1677 0x46, 0xa5, 0x55, 0xeb, 0x75, 0xfa, 0x91, 0x20, 0x30, 0xb5, 0xa2,
1678 0x89, 0x69, 0xf4, 0xf3, 0x7d, 0x11, 0x2c, 0x41, 0x74, 0xbe, 0xfd,
1679 0x49, 0xb8, 0x85, 0xab, 0xf2, 0xfc, 0x70, 0xfe, 0x6d, 0x47,
1680 },
1681 32, "Google 'Xenon2022' log" },
1682 { (const uint8_t[]){
1683 0xad, 0xf7, 0xbe, 0xfa, 0x7c, 0xff, 0x10, 0xc8, 0x8b, 0x9d, 0x3d,
1684 0x9c, 0x1e, 0x3e, 0x18, 0x6a, 0xb4, 0x67, 0x29, 0x5d, 0xcf, 0xb1,
1685 0x0c, 0x24, 0xca, 0x85, 0x86, 0x34, 0xeb, 0xdc, 0x82, 0x8a,
1686 },
1687 32, "Google 'Xenon2023' log" },
1688 { (const uint8_t[]){
1689 0x76, 0xff, 0x88, 0x3f, 0x0a, 0xb6, 0xfb, 0x95, 0x51, 0xc2, 0x61,
1690 0xcc, 0xf5, 0x87, 0xba, 0x34, 0xb4, 0xa4, 0xcd, 0xbb, 0x29, 0xdc,
1691 0x68, 0x42, 0x0a, 0x9f, 0xe6, 0x67, 0x4c, 0x5a, 0x3a, 0x74,
1692 },
1693 32, "Google 'Xenon2024' log" },
1694 { (const uint8_t[]){
1695 0xcf, 0x11, 0x56, 0xee, 0xd5, 0x2e, 0x7c, 0xaf, 0xf3, 0x87, 0x5b,
1696 0xd9, 0x69, 0x2e, 0x9b, 0xe9, 0x1a, 0x71, 0x67, 0x4a, 0xb0, 0x17,
1697 0xec, 0xac, 0x01, 0xd2, 0x5b, 0x77, 0xce, 0xcc, 0x3b, 0x08,
1698 },
1699 32, "Google 'Xenon2025h1' log" },
1700 { (const uint8_t[]){
1701 0xdd, 0xdc, 0xca, 0x34, 0x95, 0xd7, 0xe1, 0x16, 0x05, 0xe7, 0x95,
1702 0x32, 0xfa, 0xc7, 0x9f, 0xf8, 0x3d, 0x1c, 0x50, 0xdf, 0xdb, 0x00,
1703 0x3a, 0x14, 0x12, 0x76, 0x0a, 0x2c, 0xac, 0xbb, 0xc8, 0x2a,
1704 },
1705 32, "Google 'Xenon2025h2' log" },
1706 { (const uint8_t[]){
1707 0x96, 0x97, 0x64, 0xbf, 0x55, 0x58, 0x97, 0xad, 0xf7, 0x43, 0x87,
1708 0x68, 0x37, 0x08, 0x42, 0x77, 0xe9, 0xf0, 0x3a, 0xd5, 0xf6, 0xa4,
1709 0xf3, 0x36, 0x6e, 0x46, 0xa4, 0x3f, 0x0f, 0xca, 0xa9, 0xc6,
1710 },
1711 32, "Google 'Xenon2026h1' log" },
1712 { (const uint8_t[]){
1713 0xd8, 0x09, 0x55, 0x3b, 0x94, 0x4f, 0x7a, 0xff, 0xc8, 0x16, 0x19,
1714 0x6f, 0x94, 0x4f, 0x85, 0xab, 0xb0, 0xf8, 0xfc, 0x5e, 0x87, 0x55,
1715 0x26, 0x0f, 0x15, 0xd1, 0x2e, 0x72, 0xbb, 0x45, 0x4b, 0x14,
1716 },
1717 32, "Google 'Xenon2026h2' log" },
1718 { (const uint8_t[]){
1719 0x44, 0xc2, 0xbd, 0x0c, 0xe9, 0x14, 0x0e, 0x64, 0xa5, 0xc9, 0x4a,
1720 0x01, 0x93, 0x0a, 0x5a, 0xa1, 0xbb, 0x35, 0x97, 0x0e, 0x00, 0xee,
1721 0x11, 0x16, 0x89, 0x68, 0x2a, 0x1c, 0x44, 0xd7, 0xb5, 0x66,
1722 },
1723 32, "Google 'Xenon2027h1'" },
1724 { (const uint8_t[]){
1725 0x68, 0xf6, 0x98, 0xf8, 0x1f, 0x64, 0x82, 0xbe, 0x3a, 0x8c, 0xee,
1726 0xb9, 0x28, 0x1d, 0x4c, 0xfc, 0x71, 0x51, 0x5d, 0x67, 0x93, 0xd4,
1727 0x44, 0xd1, 0x0a, 0x67, 0xac, 0xbb, 0x4f, 0x4f, 0xfb, 0xc4,
1728 },
1729 32, "Google 'Aviator' log" },
1730 { (const uint8_t[]){
1731 0x29, 0x3c, 0x51, 0x96, 0x54, 0xc8, 0x39, 0x65, 0xba, 0xaa, 0x50,
1732 0xfc, 0x58, 0x07, 0xd4, 0xb7, 0x6f, 0xbf, 0x58, 0x7a, 0x29, 0x72,
1733 0xdc, 0xa4, 0xc3, 0x0c, 0xf4, 0xe5, 0x45, 0x47, 0xf4, 0x78,
1734 },
1735 32, "Google 'Icarus' log" },
1736 { (const uint8_t[]){
1737 0xa4, 0xb9, 0x09, 0x90, 0xb4, 0x18, 0x58, 0x14, 0x87, 0xbb, 0x13,
1738 0xa2, 0xcc, 0x67, 0x70, 0x0a, 0x3c, 0x35, 0x98, 0x04, 0xf9, 0x1b,
1739 0xdf, 0xb8, 0xe3, 0x77, 0xcd, 0x0e, 0xc8, 0x0d, 0xdc, 0x10,
1740 },
1741 32, "Google 'Pilot' log" },
1742 { (const uint8_t[]){
1743 0xee, 0x4b, 0xbd, 0xb7, 0x75, 0xce, 0x60, 0xba, 0xe1, 0x42, 0x69,
1744 0x1f, 0xab, 0xe1, 0x9e, 0x66, 0xa3, 0x0f, 0x7e, 0x5f, 0xb0, 0x72,
1745 0xd8, 0x83, 0x00, 0xc4, 0x7b, 0x89, 0x7a, 0xa8, 0xfd, 0xcb,
1746 },
1747 32, "Google 'Rocketeer' log" },
1748 { (const uint8_t[]){
1749 0xbb, 0xd9, 0xdf, 0xbc, 0x1f, 0x8a, 0x71, 0xb5, 0x93, 0x94, 0x23,
1750 0x97, 0xaa, 0x92, 0x7b, 0x47, 0x38, 0x57, 0x95, 0x0a, 0xab, 0x52,
1751 0xe8, 0x1a, 0x90, 0x96, 0x64, 0x36, 0x8e, 0x1e, 0xd1, 0x85,
1752 },
1753 32, "Google 'Skydiver' log" },
1754 { (const uint8_t[]){
1755 0xfa, 0xd4, 0xc9, 0x7c, 0xc4, 0x9e, 0xe2, 0xf8, 0xac, 0x85, 0xc5,
1756 0xea, 0x5c, 0xea, 0x09, 0xd0, 0x22, 0x0d, 0xbb, 0xf4, 0xe4, 0x9c,
1757 0x6b, 0x50, 0x66, 0x2f, 0xf8, 0x68, 0xf8, 0x6b, 0x8c, 0x28,
1758 },
1759 32, "Google 'Argon2017' log" },
1760 { (const uint8_t[]){
1761 0xa4, 0x50, 0x12, 0x69, 0x05, 0x5a, 0x15, 0x54, 0x5e, 0x62, 0x11,
1762 0xab, 0x37, 0xbc, 0x10, 0x3f, 0x62, 0xae, 0x55, 0x76, 0xa4, 0x5e,
1763 0x4b, 0x17, 0x14, 0x45, 0x3e, 0x1b, 0x22, 0x10, 0x6a, 0x25,
1764 },
1765 32, "Google 'Argon2018' log" },
1766 { (const uint8_t[]){
1767 0x63, 0xf2, 0xdb, 0xcd, 0xe8, 0x3b, 0xcc, 0x2c, 0xcf, 0x0b, 0x72,
1768 0x84, 0x27, 0x57, 0x6b, 0x33, 0xa4, 0x8d, 0x61, 0x77, 0x8f, 0xbd,
1769 0x75, 0xa6, 0x38, 0xb1, 0xc7, 0x68, 0x54, 0x4b, 0xd8, 0x8d,
1770 },
1771 32, "Google 'Argon2019' log" },
1772 { (const uint8_t[]){
1773 0xb1, 0x0c, 0xd5, 0x59, 0xa6, 0xd6, 0x78, 0x46, 0x81, 0x1f, 0x7d,
1774 0xf9, 0xa5, 0x15, 0x32, 0x73, 0x9a, 0xc4, 0x8d, 0x70, 0x3b, 0xea,
1775 0x03, 0x23, 0xda, 0x5d, 0x38, 0x75, 0x5b, 0xc0, 0xad, 0x4e,
1776 },
1777 32, "Google 'Xenon2018' log" },
1778 { (const uint8_t[]){
1779 0x08, 0x41, 0x14, 0x98, 0x00, 0x71, 0x53, 0x2c, 0x16, 0x19, 0x04,
1780 0x60, 0xbc, 0xfc, 0x47, 0xfd, 0xc2, 0x65, 0x3a, 0xfa, 0x29, 0x2c,
1781 0x72, 0xb3, 0x7f, 0xf8, 0x63, 0xae, 0x29, 0xcc, 0xc9, 0xf0,
1782 },
1783 32, "Google 'Xenon2019' log" },
1784 { (const uint8_t[]){
1785 0xa8, 0x99, 0xd8, 0x78, 0x0c, 0x92, 0x90, 0xaa, 0xf4, 0x62, 0xf3,
1786 0x18, 0x80, 0xcc, 0xfb, 0xd5, 0x24, 0x51, 0xe9, 0x70, 0xd0, 0xfb,
1787 0xf5, 0x91, 0xef, 0x75, 0xb0, 0xd9, 0x9b, 0x64, 0x56, 0x81,
1788 },
1789 32, "Google 'Submariner' log" },
1790 { (const uint8_t[]){
1791 0x1d, 0x02, 0x4b, 0x8e, 0xb1, 0x49, 0x8b, 0x34, 0x4d, 0xfd, 0x87,
1792 0xea, 0x3e, 0xfc, 0x09, 0x96, 0xf7, 0x50, 0x6f, 0x23, 0x5d, 0x1d,
1793 0x49, 0x70, 0x61, 0xa4, 0x77, 0x3c, 0x43, 0x9c, 0x25, 0xfb,
1794 },
1795 32, "Google 'Daedalus' log" },
1796 { (const uint8_t[]){
1797 0xb0, 0xcc, 0x83, 0xe5, 0xa5, 0xf9, 0x7d, 0x6b, 0xaf, 0x7c, 0x09,
1798 0xcc, 0x28, 0x49, 0x04, 0x87, 0x2a, 0xc7, 0xe8, 0x8b, 0x13, 0x2c,
1799 0x63, 0x50, 0xb7, 0xc6, 0xfd, 0x26, 0xe1, 0x6c, 0x6c, 0x77,
1800 },
1801 32, "Google 'Testtube' log" },
1802 { (const uint8_t[]){
1803 0xc3, 0xbf, 0x03, 0xa7, 0xe1, 0xca, 0x88, 0x41, 0xc6, 0x07, 0xba,
1804 0xe3, 0xff, 0x42, 0x70, 0xfc, 0xa5, 0xec, 0x45, 0xb1, 0x86, 0xeb,
1805 0xbe, 0x4e, 0x2c, 0xf3, 0xfc, 0x77, 0x86, 0x30, 0xf5, 0xf6,
1806 },
1807 32, "Google 'Crucible' log" },
1808 { (const uint8_t[]){
1809 0x52, 0xeb, 0x4b, 0x22, 0x5e, 0xc8, 0x96, 0x97, 0x48, 0x50, 0x67,
1810 0x5f, 0x23, 0xe4, 0x3b, 0xc1, 0xd0, 0x21, 0xe3, 0x21, 0x4c, 0xe5,
1811 0x2e, 0xcd, 0x5f, 0xa8, 0x7c, 0x20, 0x3c, 0xdf, 0xca, 0x03,
1812 },
1813 32, "Google 'Solera2018' log" },
1814 { (const uint8_t[]){
1815 0x0b, 0x76, 0x0e, 0x9a, 0x8b, 0x9a, 0x68, 0x2f, 0x88, 0x98, 0x5b,
1816 0x15, 0xe9, 0x47, 0x50, 0x1a, 0x56, 0x44, 0x6b, 0xba, 0x88, 0x30,
1817 0x78, 0x5c, 0x38, 0x42, 0x99, 0x43, 0x86, 0x45, 0x0c, 0x00,
1818 },
1819 32, "Google 'Solera2019' log" },
1820 { (const uint8_t[]){
1821 0x1f, 0xc7, 0x2c, 0xe5, 0xa1, 0xb7, 0x99, 0xf4, 0x00, 0xc3, 0x59,
1822 0xbf, 0xf9, 0x6c, 0xa3, 0x91, 0x35, 0x48, 0xe8, 0x64, 0x42, 0x20,
1823 0x61, 0x09, 0x52, 0xe9, 0xba, 0x17, 0x74, 0xf7, 0xba, 0xc7,
1824 },
1825 32, "Google 'Solera2020' log" },
1826 { (const uint8_t[]){
1827 0xa3, 0xc9, 0x98, 0x45, 0xe8, 0x0a, 0xb7, 0xce, 0x00, 0x15, 0x7b,
1828 0x37, 0x42, 0xdf, 0x02, 0x07, 0xdd, 0x27, 0x2b, 0x2b, 0x60, 0x2e,
1829 0xcf, 0x98, 0xee, 0x2c, 0x12, 0xdb, 0x9c, 0x5a, 0xe7, 0xe7,
1830 },
1831 32, "Google 'Solera2021' log" },
1832 { (const uint8_t[]){
1833 0x69, 0x7a, 0xaf, 0xca, 0x1a, 0x6b, 0x53, 0x6f, 0xae, 0x21, 0x20,
1834 0x50, 0x46, 0xde, 0xba, 0xd7, 0xe0, 0xea, 0xea, 0x13, 0xd2, 0x43,
1835 0x2e, 0x6e, 0x9d, 0x8f, 0xb3, 0x79, 0xf2, 0xb9, 0xaa, 0xf3,
1836 },
1837 32, "Google 'Solera2022' log" },
1838 { (const uint8_t[]){
1839 0xf9, 0x7e, 0x97, 0xb8, 0xd3, 0x3e, 0xf7, 0xa1, 0x59, 0x02, 0xa5,
1840 0x3a, 0x19, 0xe1, 0x79, 0x90, 0xe5, 0xdc, 0x40, 0x6a, 0x03, 0x18,
1841 0x25, 0xba, 0xad, 0x93, 0xe9, 0x8f, 0x9b, 0x9c, 0x69, 0xcb,
1842 },
1843 32, "Google 'Solera2023' log" },
1844 { (const uint8_t[]){
1845 0x30, 0x24, 0xce, 0x7e, 0xeb, 0x16, 0x88, 0x62, 0x72, 0x4b, 0xea,
1846 0x70, 0x2e, 0xff, 0xf9, 0x92, 0xcf, 0xe4, 0x56, 0x43, 0x41, 0x91,
1847 0xaa, 0x59, 0x5b, 0x25, 0xf8, 0x02, 0x26, 0xc8, 0x00, 0x17,
1848 },
1849 32, "Google 'Solera2024' log" },
1850 { (const uint8_t[]){
1851 0x3f, 0xe1, 0xcb, 0x46, 0xed, 0x47, 0x35, 0x79, 0xaf, 0x01, 0x41,
1852 0xf9, 0x72, 0x4d, 0x9d, 0xc4, 0x43, 0x47, 0x2d, 0x75, 0x6e, 0x85,
1853 0xe7, 0x71, 0x9c, 0x55, 0x82, 0x48, 0x5d, 0xd4, 0xe1, 0xe4,
1854 },
1855 32, "Google 'Solera2025h1' log" },
1856 { (const uint8_t[]){
1857 0x26, 0x02, 0x39, 0x48, 0x87, 0x4c, 0xf7, 0xfc, 0xd0, 0xfb, 0x64,
1858 0x71, 0xa4, 0x3e, 0x84, 0x7e, 0xbb, 0x20, 0x0a, 0xe6, 0xe2, 0xfa,
1859 0x24, 0x23, 0x6d, 0xf6, 0xd1, 0xa6, 0x06, 0x63, 0x0f, 0xb1,
1860 },
1861 32, "Google 'Solera2025h2' log" },
1862 { (const uint8_t[]){
1863 0xc8, 0x4b, 0x90, 0x7a, 0x07, 0xbe, 0xaa, 0x29, 0xa6, 0x14, 0xc2,
1864 0x45, 0x84, 0xb7, 0xa3, 0xf6, 0x62, 0x43, 0x94, 0x68, 0x7b, 0x25,
1865 0xfe, 0x62, 0x83, 0x8b, 0x71, 0xec, 0x42, 0x2a, 0xd2, 0xf9,
1866 },
1867 32, "Google 'Solera2026h1' log" },
1868 { (const uint8_t[]){
1869 0x62, 0xe9, 0x00, 0x60, 0x04, 0xa3, 0x07, 0x95, 0x5a, 0x75, 0x44,
1870 0xb4, 0xd5, 0x84, 0xa9, 0x62, 0x68, 0xca, 0x1d, 0x6e, 0x45, 0x85,
1871 0xad, 0xf0, 0x91, 0x6d, 0xfe, 0x5f, 0xdc, 0x1f, 0x04, 0xdb,
1872 },
1873 32, "Google 'Solera2026h2' log" },
1874 { (const uint8_t[]){
1875 0x3d, 0xe4, 0x92, 0xa8, 0x98, 0x93, 0xad, 0x70, 0x5e, 0x78, 0x46,
1876 0xed, 0x21, 0xd4, 0x8d, 0xca, 0xfb, 0xad, 0x13, 0x9e, 0xa6, 0x4e,
1877 0xd1, 0xe3, 0x49, 0xf9, 0x00, 0xb0, 0xa2, 0xcd, 0xa5, 0xe2,
1878 },
1879 32, "Google 'Solera2027h1' log" },
1880 { (const uint8_t[]){
1881 0x5e, 0xa7, 0x73, 0xf9, 0xdf, 0x56, 0xc0, 0xe7, 0xb5, 0x36, 0x48,
1882 0x7d, 0xd0, 0x49, 0xe0, 0x32, 0x7a, 0x91, 0x9a, 0x0c, 0x84, 0xa1,
1883 0x12, 0x12, 0x84, 0x18, 0x75, 0x96, 0x81, 0x71, 0x45, 0x58,
1884 },
1885 32, "Cloudflare 'Nimbus2020' Log" },
1886 { (const uint8_t[]){
1887 0x44, 0x94, 0x65, 0x2e, 0xb0, 0xee, 0xce, 0xaf, 0xc4, 0x40, 0x07,
1888 0xd8, 0xa8, 0xfe, 0x28, 0xc0, 0xda, 0xe6, 0x82, 0xbe, 0xd8, 0xcb,
1889 0x31, 0xb5, 0x3f, 0xd3, 0x33, 0x96, 0xb5, 0xb6, 0x81, 0xa8,
1890 },
1891 32, "Cloudflare 'Nimbus2021' Log" },
1892 { (const uint8_t[]){
1893 0x41, 0xc8, 0xca, 0xb1, 0xdf, 0x22, 0x46, 0x4a, 0x10, 0xc6, 0xa1,
1894 0x3a, 0x09, 0x42, 0x87, 0x5e, 0x4e, 0x31, 0x8b, 0x1b, 0x03, 0xeb,
1895 0xeb, 0x4b, 0xc7, 0x68, 0xf0, 0x90, 0x62, 0x96, 0x06, 0xf6,
1896 },
1897 32, "Cloudflare 'Nimbus2022' Log" },
1898 { (const uint8_t[]){
1899 0x7a, 0x32, 0x8c, 0x54, 0xd8, 0xb7, 0x2d, 0xb6, 0x20, 0xea, 0x38,
1900 0xe0, 0x52, 0x1e, 0xe9, 0x84, 0x16, 0x70, 0x32, 0x13, 0x85, 0x4d,
1901 0x3b, 0xd2, 0x2b, 0xc1, 0x3a, 0x57, 0xa3, 0x52, 0xeb, 0x52,
1902 },
1903 32, "Cloudflare 'Nimbus2023' Log" },
1904 { (const uint8_t[]){
1905 0xda, 0xb6, 0xbf, 0x6b, 0x3f, 0xb5, 0xb6, 0x22, 0x9f, 0x9b, 0xc2,
1906 0xbb, 0x5c, 0x6b, 0xe8, 0x70, 0x91, 0x71, 0x6c, 0xbb, 0x51, 0x84,
1907 0x85, 0x34, 0xbd, 0xa4, 0x3d, 0x30, 0x48, 0xd7, 0xfb, 0xab,
1908 },
1909 32, "Cloudflare 'Nimbus2024' Log" },
1910 { (const uint8_t[]){
1911 0xcc, 0xfb, 0x0f, 0x6a, 0x85, 0x71, 0x09, 0x65, 0xfe, 0x95, 0x9b,
1912 0x53, 0xce, 0xe9, 0xb2, 0x7c, 0x22, 0xe9, 0x85, 0x5c, 0x0d, 0x97,
1913 0x8d, 0xb6, 0xa9, 0x7e, 0x54, 0xc0, 0xfe, 0x4c, 0x0d, 0xb0,
1914 },
1915 32, "Cloudflare 'Nimbus2025'" },
1916 { (const uint8_t[]){
1917 0xcb, 0x38, 0xf7, 0x15, 0x89, 0x7c, 0x84, 0xa1, 0x44, 0x5f, 0x5b,
1918 0xc1, 0xdd, 0xfb, 0xc9, 0x6e, 0xf2, 0x9a, 0x59, 0xcd, 0x47, 0x0a,
1919 0x69, 0x05, 0x85, 0xb0, 0xcb, 0x14, 0xc3, 0x14, 0x58, 0xe7,
1920 },
1921 32, "Cloudflare 'Nimbus2026'" },
1922 { (const uint8_t[]){
1923 0x4c, 0x63, 0xdc, 0x98, 0xe5, 0x9c, 0x1d, 0xab, 0x88, 0xf6, 0x1e,
1924 0x8a, 0x3d, 0xde, 0xae, 0x8f, 0xab, 0x44, 0xa3, 0x37, 0x7b, 0x5f,
1925 0x9b, 0x94, 0xc3, 0xfb, 0xa1, 0x9c, 0xfc, 0xc1, 0xbe, 0x26,
1926 },
1927 32, "Cloudflare 'Nimbus2027'" },
1928 { (const uint8_t[]){
1929 0x1f, 0xbc, 0x36, 0xe0, 0x02, 0xed, 0xe9, 0x7f, 0x40, 0x19, 0x9e,
1930 0x86, 0xb3, 0x57, 0x3b, 0x8a, 0x42, 0x17, 0xd8, 0x01, 0x87, 0x74,
1931 0x6a, 0xd0, 0xda, 0x03, 0xa0, 0x60, 0x54, 0xd2, 0x0d, 0xf4,
1932 },
1933 32, "Cloudflare 'Nimbus2017' Log" },
1934 { (const uint8_t[]){
1935 0xdb, 0x74, 0xaf, 0xee, 0xcb, 0x29, 0xec, 0xb1, 0xfe, 0xca, 0x3e,
1936 0x71, 0x6d, 0x2c, 0xe5, 0xb9, 0xaa, 0xbb, 0x36, 0xf7, 0x84, 0x71,
1937 0x83, 0xc7, 0x5d, 0x9d, 0x4f, 0x37, 0xb6, 0x1f, 0xbf, 0x64,
1938 },
1939 32, "Cloudflare 'Nimbus2018' Log" },
1940 { (const uint8_t[]){
1941 0x74, 0x7e, 0xda, 0x83, 0x31, 0xad, 0x33, 0x10, 0x91, 0x21, 0x9c,
1942 0xce, 0x25, 0x4f, 0x42, 0x70, 0xc2, 0xbf, 0xfd, 0x5e, 0x42, 0x20,
1943 0x08, 0xc6, 0x37, 0x35, 0x79, 0xe6, 0x10, 0x7b, 0xcc, 0x56,
1944 },
1945 32, "Cloudflare 'Nimbus2019' Log" },
1946 { (const uint8_t[]){
1947 0x56, 0x14, 0x06, 0x9a, 0x2f, 0xd7, 0xc2, 0xec, 0xd3, 0xf5, 0xe1,
1948 0xbd, 0x44, 0xb2, 0x3e, 0xc7, 0x46, 0x76, 0xb9, 0xbc, 0x99, 0x11,
1949 0x5c, 0xc0, 0xef, 0x94, 0x98, 0x55, 0xd6, 0x89, 0xd0, 0xdd,
1950 },
1951 32, "DigiCert Log Server" },
1952 { (const uint8_t[]){
1953 0x87, 0x75, 0xbf, 0xe7, 0x59, 0x7c, 0xf8, 0x8c, 0x43, 0x99, 0x5f,
1954 0xbd, 0xf3, 0x6e, 0xff, 0x56, 0x8d, 0x47, 0x56, 0x36, 0xff, 0x4a,
1955 0xb5, 0x60, 0xc1, 0xb4, 0xea, 0xff, 0x5e, 0xa0, 0x83, 0x0f,
1956 },
1957 32, "DigiCert Log Server 2" },
1958 { (const uint8_t[]){
1959 0xf0, 0x95, 0xa4, 0x59, 0xf2, 0x00, 0xd1, 0x82, 0x40, 0x10, 0x2d,
1960 0x2f, 0x93, 0x88, 0x8e, 0xad, 0x4b, 0xfe, 0x1d, 0x47, 0xe3, 0x99,
1961 0xe1, 0xd0, 0x34, 0xa6, 0xb0, 0xa8, 0xaa, 0x8e, 0xb2, 0x73,
1962 },
1963 32, "DigiCert Yeti2020 Log" },
1964 { (const uint8_t[]){
1965 0x5c, 0xdc, 0x43, 0x92, 0xfe, 0xe6, 0xab, 0x45, 0x44, 0xb1, 0x5e,
1966 0x9a, 0xd4, 0x56, 0xe6, 0x10, 0x37, 0xfb, 0xd5, 0xfa, 0x47, 0xdc,
1967 0xa1, 0x73, 0x94, 0xb2, 0x5e, 0xe6, 0xf6, 0xc7, 0x0e, 0xca,
1968 },
1969 32, "DigiCert Yeti2021 Log" },
1970 { (const uint8_t[]){
1971 0x22, 0x45, 0x45, 0x07, 0x59, 0x55, 0x24, 0x56, 0x96, 0x3f, 0xa1,
1972 0x2f, 0xf1, 0xf7, 0x6d, 0x86, 0xe0, 0x23, 0x26, 0x63, 0xad, 0xc0,
1973 0x4b, 0x7f, 0x5d, 0xc6, 0x83, 0x5c, 0x6e, 0xe2, 0x0f, 0x02,
1974 },
1975 32, "DigiCert Yeti2022 Log" },
1976 { (const uint8_t[]){
1977 0x35, 0xcf, 0x19, 0x1b, 0xbf, 0xb1, 0x6c, 0x57, 0xbf, 0x0f, 0xad,
1978 0x4c, 0x6d, 0x42, 0xcb, 0xbb, 0xb6, 0x27, 0x20, 0x26, 0x51, 0xea,
1979 0x3f, 0xe1, 0x2a, 0xef, 0xa8, 0x03, 0xc3, 0x3b, 0xd6, 0x4c,
1980 },
1981 32, "DigiCert Yeti2023 Log" },
1982 { (const uint8_t[]){
1983 0x48, 0xb0, 0xe3, 0x6b, 0xda, 0xa6, 0x47, 0x34, 0x0f, 0xe5, 0x6a,
1984 0x02, 0xfa, 0x9d, 0x30, 0xeb, 0x1c, 0x52, 0x01, 0xcb, 0x56, 0xdd,
1985 0x2c, 0x81, 0xd9, 0xbb, 0xbf, 0xab, 0x39, 0xd8, 0x84, 0x73,
1986 },
1987 32, "DigiCert Yeti2024 Log" },
1988 { (const uint8_t[]){
1989 0x7d, 0x59, 0x1e, 0x12, 0xe1, 0x78, 0x2a, 0x7b, 0x1c, 0x61, 0x67,
1990 0x7c, 0x5e, 0xfd, 0xf8, 0xd0, 0x87, 0x5c, 0x14, 0xa0, 0x4e, 0x95,
1991 0x9e, 0xb9, 0x03, 0x2f, 0xd9, 0x0e, 0x8c, 0x2e, 0x79, 0xb8,
1992 },
1993 32, "DigiCert Yeti2025 Log" },
1994 { (const uint8_t[]){
1995 0xc6, 0x52, 0xa0, 0xec, 0x48, 0xce, 0xb3, 0xfc, 0xab, 0x17, 0x09,
1996 0x92, 0xc4, 0x3a, 0x87, 0x41, 0x33, 0x09, 0xe8, 0x00, 0x65, 0xa2,
1997 0x62, 0x52, 0x40, 0x1b, 0xa3, 0x36, 0x2a, 0x17, 0xc5, 0x65,
1998 },
1999 32, "DigiCert Nessie2020 Log" },
2000 { (const uint8_t[]){
2001 0xee, 0xc0, 0x95, 0xee, 0x8d, 0x72, 0x64, 0x0f, 0x92, 0xe3, 0xc3,
2002 0xb9, 0x1b, 0xc7, 0x12, 0xa3, 0x69, 0x6a, 0x09, 0x7b, 0x4b, 0x6a,
2003 0x1a, 0x14, 0x38, 0xe6, 0x47, 0xb2, 0xcb, 0xed, 0xc5, 0xf9,
2004 },
2005 32, "DigiCert Nessie2021 Log" },
2006 { (const uint8_t[]){
2007 0x51, 0xa3, 0xb0, 0xf5, 0xfd, 0x01, 0x79, 0x9c, 0x56, 0x6d, 0xb8,
2008 0x37, 0x78, 0x8f, 0x0c, 0xa4, 0x7a, 0xcc, 0x1b, 0x27, 0xcb, 0xf7,
2009 0x9e, 0x88, 0x42, 0x9a, 0x0d, 0xfe, 0xd4, 0x8b, 0x05, 0xe5,
2010 },
2011 32, "DigiCert Nessie2022 Log" },
2012 { (const uint8_t[]){
2013 0xb3, 0x73, 0x77, 0x07, 0xe1, 0x84, 0x50, 0xf8, 0x63, 0x86, 0xd6,
2014 0x05, 0xa9, 0xdc, 0x11, 0x09, 0x4a, 0x79, 0x2d, 0xb1, 0x67, 0x0c,
2015 0x0b, 0x87, 0xdc, 0xf0, 0x03, 0x0e, 0x79, 0x36, 0xa5, 0x9a,
2016 },
2017 32, "DigiCert Nessie2023 Log" },
2018 { (const uint8_t[]){
2019 0x73, 0xd9, 0x9e, 0x89, 0x1b, 0x4c, 0x96, 0x78, 0xa0, 0x20, 0x7d,
2020 0x47, 0x9d, 0xe6, 0xb2, 0xc6, 0x1c, 0xd0, 0x51, 0x5e, 0x71, 0x19,
2021 0x2a, 0x8c, 0x6b, 0x80, 0x10, 0x7a, 0xc1, 0x77, 0x72, 0xb5,
2022 },
2023 32, "DigiCert Nessie2024 Log" },
2024 { (const uint8_t[]){
2025 0xe6, 0xd2, 0x31, 0x63, 0x40, 0x77, 0x8c, 0xc1, 0x10, 0x41, 0x06,
2026 0xd7, 0x71, 0xb9, 0xce, 0xc1, 0xd2, 0x40, 0xf6, 0x96, 0x84, 0x86,
2027 0xfb, 0xba, 0x87, 0x32, 0x1d, 0xfd, 0x1e, 0x37, 0x8e, 0x50,
2028 },
2029 32, "DigiCert Nessie2025 Log" },
2030 { (const uint8_t[]){
2031 0xb6, 0x9d, 0xdc, 0xbc, 0x3c, 0x1a, 0xbd, 0xef, 0x6f, 0x9f, 0xd6,
2032 0x0c, 0x88, 0xb1, 0x06, 0x7b, 0x77, 0xf0, 0x82, 0x68, 0x8b, 0x2d,
2033 0x78, 0x65, 0xd0, 0x4b, 0x39, 0xab, 0xe9, 0x27, 0xa5, 0x75,
2034 },
2035 32, "DigiCert 'Wyvern2024h1' Log" },
2036 { (const uint8_t[]){
2037 0x0c, 0x2a, 0xef, 0x2c, 0x4a, 0x5b, 0x98, 0x83, 0xd4, 0xdd, 0xa3,
2038 0x82, 0xfe, 0x50, 0xfb, 0x51, 0x88, 0xb3, 0xe9, 0x73, 0x33, 0xa1,
2039 0xec, 0x53, 0xa0, 0x9d, 0xc9, 0xa7, 0x9d, 0x0d, 0x08, 0x20,
2040 },
2041 32, "DigiCert 'Wyvern2024h2' Log" },
2042 { (const uint8_t[]){
2043 0x73, 0x20, 0x22, 0x0f, 0x08, 0x16, 0x8a, 0xf9, 0xf3, 0xc4, 0xa6,
2044 0x8b, 0x0a, 0xb2, 0x6a, 0x9a, 0x4a, 0x00, 0xee, 0xf5, 0x77, 0x85,
2045 0x8a, 0x08, 0x4d, 0x05, 0x00, 0xd4, 0xa5, 0x42, 0x44, 0x59,
2046 },
2047 32, "DigiCert 'Wyvern2025h1' Log" },
2048 { (const uint8_t[]){
2049 0xed, 0x3c, 0x4b, 0xd6, 0xe8, 0x06, 0xc2, 0xa4, 0xa2, 0x00, 0x57,
2050 0xdb, 0xcb, 0x24, 0xe2, 0x38, 0x01, 0xdf, 0x51, 0x2f, 0xed, 0xc4,
2051 0x86, 0xc5, 0x70, 0x0f, 0x20, 0xdd, 0xb7, 0x3e, 0x3f, 0xe0,
2052 },
2053 32, "DigiCert 'Wyvern2025h2' Log" },
2054 { (const uint8_t[]){
2055 0x64, 0x11, 0xc4, 0x6c, 0xa4, 0x12, 0xec, 0xa7, 0x89, 0x1c, 0xa2,
2056 0x02, 0x2e, 0x00, 0xbc, 0xab, 0x4f, 0x28, 0x07, 0xd4, 0x1e, 0x35,
2057 0x27, 0xab, 0xea, 0xfe, 0xd5, 0x03, 0xc9, 0x7d, 0xcd, 0xf0,
2058 },
2059 32, "DigiCert 'Wyvern2026h1'" },
2060 { (const uint8_t[]){
2061 0xc2, 0x31, 0x7e, 0x57, 0x45, 0x19, 0xa3, 0x45, 0xee, 0x7f, 0x38,
2062 0xde, 0xb2, 0x90, 0x41, 0xeb, 0xc7, 0xc2, 0x21, 0x5a, 0x22, 0xbf,
2063 0x7f, 0xd5, 0xb5, 0xad, 0x76, 0x9a, 0xd9, 0x0e, 0x52, 0xcd,
2064 },
2065 32, "DigiCert 'Wyvern2026h2'" },
2066 { (const uint8_t[]){
2067 0x00, 0x1a, 0x5d, 0x1a, 0x1c, 0x2d, 0x93, 0x75, 0xb6, 0x48, 0x55,
2068 0x78, 0xf8, 0x2f, 0x71, 0xa1, 0xae, 0x6e, 0xef, 0x39, 0x7d, 0x29,
2069 0x7c, 0x8a, 0xe3, 0x15, 0x7b, 0xca, 0xde, 0xe1, 0xa0, 0x1e,
2070 },
2071 32, "DigiCert 'Wyvern2027h1'" },
2072 { (const uint8_t[]){
2073 0x37, 0xaa, 0x07, 0xcc, 0x21, 0x6f, 0x2e, 0x6d, 0x91, 0x9c, 0x70,
2074 0x9d, 0x24, 0xd8, 0xf7, 0x31, 0xb0, 0x0f, 0x2b, 0x14, 0x7c, 0x62,
2075 0x1c, 0xc0, 0x91, 0xa5, 0xfa, 0x1a, 0x84, 0xd8, 0x16, 0xdd,
2076 },
2077 32, "DigiCert 'Wyvern2027h2'" },
2078 { (const uint8_t[]){
2079 0xdb, 0x07, 0x6c, 0xde, 0x6a, 0x8b, 0x78, 0xec, 0x58, 0xd6, 0x05,
2080 0x64, 0x96, 0xeb, 0x6a, 0x26, 0xa8, 0xc5, 0x9e, 0x72, 0x12, 0x93,
2081 0xe8, 0xac, 0x03, 0x27, 0xdd, 0xde, 0x89, 0xdb, 0x5a, 0x2a,
2082 },
2083 32, "DigiCert 'Sphinx2024h1' Log" },
2084 { (const uint8_t[]){
2085 0xdc, 0xc9, 0x5e, 0x6f, 0xa2, 0x99, 0xb9, 0xb0, 0xfd, 0xbd, 0x6c,
2086 0xa6, 0xa3, 0x6e, 0x1d, 0x72, 0xc4, 0x21, 0x2f, 0xdd, 0x1e, 0x0f,
2087 0x47, 0x55, 0x3a, 0x36, 0xd6, 0xcf, 0x1a, 0xd1, 0x1d, 0x8d,
2088 },
2089 32, "DigiCert 'Sphinx2024h2' Log" },
2090 { (const uint8_t[]){
2091 0xde, 0x85, 0x81, 0xd7, 0x50, 0x24, 0x7c, 0x6b, 0xcd, 0xcb, 0xaf,
2092 0x56, 0x37, 0xc5, 0xe7, 0x81, 0xc6, 0x4c, 0xe4, 0x6e, 0xd6, 0x17,
2093 0x63, 0x9f, 0x8f, 0x34, 0xa7, 0x26, 0xc9, 0xe2, 0xbd, 0x37,
2094 },
2095 32, "DigiCert 'Sphinx2025h1' Log" },
2096 { (const uint8_t[]){
2097 0xa4, 0x42, 0xc5, 0x06, 0x49, 0x60, 0x61, 0x54, 0x8f, 0x0f, 0xd4,
2098 0xea, 0x9c, 0xfb, 0x7a, 0x2d, 0x26, 0x45, 0x4d, 0x87, 0xa9, 0x7f,
2099 0x2f, 0xdf, 0x45, 0x59, 0xf6, 0x27, 0x4f, 0x3a, 0x84, 0x54,
2100 },
2101 32, "DigiCert 'Sphinx2025h2' Log" },
2102 { (const uint8_t[]){
2103 0x49, 0x9c, 0x9b, 0x69, 0xde, 0x1d, 0x7c, 0xec, 0xfc, 0x36, 0xde,
2104 0xcd, 0x87, 0x64, 0xa6, 0xb8, 0x5b, 0xaf, 0x0a, 0x87, 0x80, 0x19,
2105 0xd1, 0x55, 0x52, 0xfb, 0xe9, 0xeb, 0x29, 0xdd, 0xf8, 0xc3,
2106 },
2107 32, "DigiCert 'Sphinx2026h1'" },
2108 { (const uint8_t[]){
2109 0x94, 0x4e, 0x43, 0x87, 0xfa, 0xec, 0xc1, 0xef, 0x81, 0xf3, 0x19,
2110 0x24, 0x26, 0xa8, 0x18, 0x65, 0x01, 0xc7, 0xd3, 0x5f, 0x38, 0x02,
2111 0x01, 0x3f, 0x72, 0x67, 0x7d, 0x55, 0x37, 0x2e, 0x19, 0xd8,
2112 },
2113 32, "DigiCert 'Sphinx2026h2'" },
2114 { (const uint8_t[]){
2115 0x46, 0xa2, 0x39, 0x67, 0xc6, 0x0d, 0xb6, 0x46, 0x87, 0xc6, 0x6f,
2116 0x3d, 0xf9, 0x99, 0x94, 0x76, 0x93, 0xa6, 0xa6, 0x11, 0x20, 0x84,
2117 0x57, 0xd5, 0x55, 0xe7, 0xe3, 0xd0, 0xa1, 0xd9, 0xb6, 0x46,
2118 },
2119 32, "DigiCert 'sphinx2027h1'" },
2120 { (const uint8_t[]){
2121 0x1f, 0xb0, 0xf8, 0xa9, 0x2d, 0x8a, 0xdd, 0xa1, 0x21, 0x77, 0x6c,
2122 0x05, 0xe2, 0xaa, 0x2e, 0x15, 0xba, 0xcb, 0xc6, 0x2b, 0x65, 0x39,
2123 0x36, 0x95, 0x57, 0x6a, 0xaa, 0xb5, 0x2e, 0x11, 0xd1, 0x1d,
2124 },
2125 32, "DigiCert 'sphinx2027h2'" },
2126 { (const uint8_t[]){
2127 0xdd, 0xeb, 0x1d, 0x2b, 0x7a, 0x0d, 0x4f, 0xa6, 0x20, 0x8b, 0x81,
2128 0xad, 0x81, 0x68, 0x70, 0x7e, 0x2e, 0x8e, 0x9d, 0x01, 0xd5, 0x5c,
2129 0x88, 0x8d, 0x3d, 0x11, 0xc4, 0xcd, 0xb6, 0xec, 0xbe, 0xcc,
2130 },
2131 32, "Symantec log" },
2132 { (const uint8_t[]){
2133 0xbc, 0x78, 0xe1, 0xdf, 0xc5, 0xf6, 0x3c, 0x68, 0x46, 0x49, 0x33,
2134 0x4d, 0xa1, 0x0f, 0xa1, 0x5f, 0x09, 0x79, 0x69, 0x20, 0x09, 0xc0,
2135 0x81, 0xb4, 0xf3, 0xf6, 0x91, 0x7f, 0x3e, 0xd9, 0xb8, 0xa5,
2136 },
2137 32, "Symantec 'Vega' log" },
2138 { (const uint8_t[]){
2139 0x15, 0x97, 0x04, 0x88, 0xd7, 0xb9, 0x97, 0xa0, 0x5b, 0xeb, 0x52,
2140 0x51, 0x2a, 0xde, 0xe8, 0xd2, 0xe8, 0xb4, 0xa3, 0x16, 0x52, 0x64,
2141 0x12, 0x1a, 0x9f, 0xab, 0xfb, 0xd5, 0xf8, 0x5a, 0xd9, 0x3f,
2142 },
2143 32, "Symantec 'Sirius' log" },
2144 { (const uint8_t[]){
2145 0x05, 0x9c, 0x01, 0xd3, 0x20, 0xe0, 0x07, 0x84, 0x13, 0x95, 0x80,
2146 0x49, 0x8d, 0x11, 0x7c, 0x90, 0x32, 0x66, 0xaf, 0xaf, 0x72, 0x50,
2147 0xb5, 0xaf, 0x3b, 0x46, 0xa4, 0x3e, 0x11, 0x84, 0x0d, 0x4a,
2148 },
2149 32, "DigiCert Yeti2022-2 Log" },
2150 { (const uint8_t[]){
2151 0xc1, 0x16, 0x4a, 0xe0, 0xa7, 0x72, 0xd2, 0xd4, 0x39, 0x2d, 0xc8,
2152 0x0a, 0xc1, 0x07, 0x70, 0xd4, 0xf0, 0xc4, 0x9b, 0xde, 0x99, 0x1a,
2153 0x48, 0x40, 0xc1, 0xfa, 0x07, 0x51, 0x64, 0xf6, 0x33, 0x60,
2154 },
2155 32, "DigiCert Yeti2018 Log" },
2156 { (const uint8_t[]){
2157 0xe2, 0x69, 0x4b, 0xae, 0x26, 0xe8, 0xe9, 0x40, 0x09, 0xe8, 0x86,
2158 0x1b, 0xb6, 0x3b, 0x83, 0xd4, 0x3e, 0xe7, 0xfe, 0x74, 0x88, 0xfb,
2159 0xa4, 0x8f, 0x28, 0x93, 0x01, 0x9d, 0xdd, 0xf1, 0xdb, 0xfe,
2160 },
2161 32, "DigiCert Yeti2019 Log" },
2162 { (const uint8_t[]){
2163 0x6f, 0xf1, 0x41, 0xb5, 0x64, 0x7e, 0x42, 0x22, 0xf7, 0xef, 0x05,
2164 0x2c, 0xef, 0xae, 0x7c, 0x21, 0xfd, 0x60, 0x8e, 0x27, 0xd2, 0xaf,
2165 0x5a, 0x6e, 0x9f, 0x4b, 0x8a, 0x37, 0xd6, 0x63, 0x3e, 0xe5,
2166 },
2167 32, "DigiCert Nessie2018 Log" },
2168 { (const uint8_t[]){
2169 0xfe, 0x44, 0x61, 0x08, 0xb1, 0xd0, 0x1a, 0xb7, 0x8a, 0x62, 0xcc,
2170 0xfe, 0xab, 0x6a, 0xb2, 0xb2, 0xba, 0xbf, 0xf3, 0xab, 0xda, 0xd8,
2171 0x0a, 0x4d, 0x8b, 0x30, 0xdf, 0x2d, 0x00, 0x08, 0x83, 0x0c,
2172 },
2173 32, "DigiCert Nessie2019 Log" },
2174 { (const uint8_t[]){
2175 0xa7, 0xce, 0x4a, 0x4e, 0x62, 0x07, 0xe0, 0xad, 0xde, 0xe5, 0xfd,
2176 0xaa, 0x4b, 0x1f, 0x86, 0x76, 0x87, 0x67, 0xb5, 0xd0, 0x02, 0xa5,
2177 0x5d, 0x47, 0x31, 0x0e, 0x7e, 0x67, 0x0a, 0x95, 0xea, 0xb2,
2178 },
2179 32, "Symantec Deneb" },
2180 { (const uint8_t[]){
2181 0xcd, 0xb5, 0x17, 0x9b, 0x7f, 0xc1, 0xc0, 0x46, 0xfe, 0xea, 0x31,
2182 0x13, 0x6a, 0x3f, 0x8f, 0x00, 0x2e, 0x61, 0x82, 0xfa, 0xf8, 0x89,
2183 0x6f, 0xec, 0xc8, 0xb2, 0xf5, 0xb5, 0xab, 0x60, 0x49, 0x00,
2184 },
2185 32, "Certly.IO log" },
2186 { (const uint8_t[]){
2187 0x74, 0x61, 0xb4, 0xa0, 0x9c, 0xfb, 0x3d, 0x41, 0xd7, 0x51, 0x59,
2188 0x57, 0x5b, 0x2e, 0x76, 0x49, 0xa4, 0x45, 0xa8, 0xd2, 0x77, 0x09,
2189 0xb0, 0xcc, 0x56, 0x4a, 0x64, 0x82, 0xb7, 0xeb, 0x41, 0xa3,
2190 },
2191 32, "Izenpe log" },
2192 { (const uint8_t[]){
2193 0x89, 0x41, 0x44, 0x9c, 0x70, 0x74, 0x2e, 0x06, 0xb9, 0xfc, 0x9c,
2194 0xe7, 0xb1, 0x16, 0xba, 0x00, 0x24, 0xaa, 0x36, 0xd5, 0x9a, 0xf4,
2195 0x4f, 0x02, 0x04, 0x40, 0x4f, 0x00, 0xf7, 0xea, 0x85, 0x66,
2196 },
2197 32, "Izenpe 'Argi' log" },
2198 { (const uint8_t[]){
2199 0x41, 0xb2, 0xdc, 0x2e, 0x89, 0xe6, 0x3c, 0xe4, 0xaf, 0x1b, 0xa7,
2200 0xbb, 0x29, 0xbf, 0x68, 0xc6, 0xde, 0xe6, 0xf9, 0xf1, 0xcc, 0x04,
2201 0x7e, 0x30, 0xdf, 0xfa, 0xe3, 0xb3, 0xba, 0x25, 0x92, 0x63,
2202 },
2203 32, "WoSign log" },
2204 { (const uint8_t[]){
2205 0x9e, 0x4f, 0xf7, 0x3d, 0xc3, 0xce, 0x22, 0x0b, 0x69, 0x21, 0x7c,
2206 0x89, 0x9e, 0x46, 0x80, 0x76, 0xab, 0xf8, 0xd7, 0x86, 0x36, 0xd5,
2207 0xcc, 0xfc, 0x85, 0xa3, 0x1a, 0x75, 0x62, 0x8b, 0xa8, 0x8b,
2208 },
2209 32, "WoSign CT log #1" },
2210 { (const uint8_t[]){
2211 0x63, 0xd0, 0x00, 0x60, 0x26, 0xdd, 0xe1, 0x0b, 0xb0, 0x60, 0x1f,
2212 0x45, 0x24, 0x46, 0x96, 0x5e, 0xe2, 0xb6, 0xea, 0x2c, 0xd4, 0xfb,
2213 0xc9, 0x5a, 0xc8, 0x66, 0xa5, 0x50, 0xaf, 0x90, 0x75, 0xb7,
2214 },
2215 32, "WoSign log 2" },
2216 { (const uint8_t[]){
2217 0xac, 0x3b, 0x9a, 0xed, 0x7f, 0xa9, 0x67, 0x47, 0x57, 0x15, 0x9e,
2218 0x6d, 0x7d, 0x57, 0x56, 0x72, 0xf9, 0xd9, 0x81, 0x00, 0x94, 0x1e,
2219 0x9b, 0xde, 0xff, 0xec, 0xa1, 0x31, 0x3b, 0x75, 0x78, 0x2d,
2220 },
2221 32, "Venafi log" },
2222 { (const uint8_t[]){
2223 0x03, 0x01, 0x9d, 0xf3, 0xfd, 0x85, 0xa6, 0x9a, 0x8e, 0xbd, 0x1f,
2224 0xac, 0xc6, 0xda, 0x9b, 0xa7, 0x3e, 0x46, 0x97, 0x74, 0xfe, 0x77,
2225 0xf5, 0x79, 0xfc, 0x5a, 0x08, 0xb8, 0x32, 0x8c, 0x1d, 0x6b,
2226 },
2227 32, "Venafi Gen2 CT log" },
2228 { (const uint8_t[]){
2229 0xa5, 0x77, 0xac, 0x9c, 0xed, 0x75, 0x48, 0xdd, 0x8f, 0x02, 0x5b,
2230 0x67, 0xa2, 0x41, 0x08, 0x9d, 0xf8, 0x6e, 0x0f, 0x47, 0x6e, 0xc2,
2231 0x03, 0xc2, 0xec, 0xbe, 0xdb, 0x18, 0x5f, 0x28, 0x26, 0x38,
2232 },
2233 32, "CNNIC CT log" },
2234 { (const uint8_t[]){
2235 0x34, 0xbb, 0x6a, 0xd6, 0xc3, 0xdf, 0x9c, 0x03, 0xee, 0xa8, 0xa4,
2236 0x99, 0xff, 0x78, 0x91, 0x48, 0x6c, 0x9d, 0x5e, 0x5c, 0xac, 0x92,
2237 0xd0, 0x1f, 0x7b, 0xfd, 0x1b, 0xce, 0x19, 0xdb, 0x48, 0xef,
2238 },
2239 32, "StartCom log" },
2240 { (const uint8_t[]){
2241 0x55, 0x81, 0xd4, 0xc2, 0x16, 0x90, 0x36, 0x01, 0x4a, 0xea, 0x0b,
2242 0x9b, 0x57, 0x3c, 0x53, 0xf0, 0xc0, 0xe4, 0x38, 0x78, 0x70, 0x25,
2243 0x08, 0x17, 0x2f, 0xa3, 0xaa, 0x1d, 0x07, 0x13, 0xd3, 0x0c,
2244 },
2245 32, "Sectigo 'Sabre' CT log" },
2246 { (const uint8_t[]){
2247 0xa2, 0xe2, 0xbf, 0xd6, 0x1e, 0xde, 0x2f, 0x2f, 0x07, 0xa0, 0xd6,
2248 0x4e, 0x6d, 0x37, 0xa7, 0xdc, 0x65, 0x43, 0xb0, 0xc6, 0xb5, 0x2e,
2249 0xa2, 0xda, 0xb7, 0x8a, 0xf8, 0x9a, 0x6d, 0xf5, 0x17, 0xd8,
2250 },
2251 32, "Sectigo 'Sabre2024h1'" },
2252 { (const uint8_t[]){
2253 0x19, 0x98, 0x10, 0x71, 0x09, 0xf0, 0xd6, 0x52, 0x2e, 0x30, 0x80,
2254 0xd2, 0x9e, 0x3f, 0x64, 0xbb, 0x83, 0x6e, 0x28, 0xcc, 0xf9, 0x0f,
2255 0x52, 0x8e, 0xee, 0xdf, 0xce, 0x4a, 0x3f, 0x16, 0xb4, 0xca,
2256 },
2257 32, "Sectigo 'Sabre2024h2'" },
2258 { (const uint8_t[]){
2259 0xe0, 0x92, 0xb3, 0xfc, 0x0c, 0x1d, 0xc8, 0xe7, 0x68, 0x36, 0x1f,
2260 0xde, 0x61, 0xb9, 0x96, 0x4d, 0x0a, 0x52, 0x78, 0x19, 0x8a, 0x72,
2261 0xd6, 0x72, 0xc4, 0xb0, 0x4d, 0xa5, 0x6d, 0x6f, 0x54, 0x04,
2262 },
2263 32, "Sectigo 'Sabre2025h1'" },
2264 { (const uint8_t[]){
2265 0x1a, 0x04, 0xff, 0x49, 0xd0, 0x54, 0x1d, 0x40, 0xaf, 0xf6, 0xa0,
2266 0xc3, 0xbf, 0xf1, 0xd8, 0xc4, 0x67, 0x2f, 0x4e, 0xec, 0xee, 0x23,
2267 0x40, 0x68, 0x98, 0x6b, 0x17, 0x40, 0x2e, 0xdc, 0x89, 0x7d,
2268 },
2269 32, "Sectigo 'Sabre2025h2'" },
2270 { (const uint8_t[]){
2271 0x6f, 0x53, 0x76, 0xac, 0x31, 0xf0, 0x31, 0x19, 0xd8, 0x99, 0x00,
2272 0xa4, 0x51, 0x15, 0xff, 0x77, 0x15, 0x1c, 0x11, 0xd9, 0x02, 0xc1,
2273 0x00, 0x29, 0x06, 0x8d, 0xb2, 0x08, 0x9a, 0x37, 0xd9, 0x13,
2274 },
2275 32, "Sectigo 'Mammoth' CT log" },
2276 { (const uint8_t[]){
2277 0x29, 0xd0, 0x3a, 0x1b, 0xb6, 0x74, 0xaa, 0x71, 0x1c, 0xd3, 0x03,
2278 0x5b, 0x65, 0x57, 0xc1, 0x4f, 0x8a, 0xa7, 0x8b, 0x4f, 0xe8, 0x38,
2279 0x94, 0x49, 0xec, 0xa4, 0x53, 0xf9, 0x44, 0xbd, 0x24, 0x68,
2280 },
2281 32, "Sectigo 'Mammoth2024h1'" },
2282 { (const uint8_t[]){
2283 0x50, 0x85, 0x01, 0x58, 0xdc, 0xb6, 0x05, 0x95, 0xc0, 0x0e, 0x92,
2284 0xa8, 0x11, 0x02, 0xec, 0xcd, 0xfe, 0x3f, 0x6b, 0x78, 0x58, 0x42,
2285 0x9f, 0x57, 0x98, 0x35, 0x38, 0xc9, 0xda, 0x52, 0x50, 0x63,
2286 },
2287 32, "Sectigo 'Mammoth2024h1b'" },
2288 { (const uint8_t[]){
2289 0xdf, 0xe1, 0x56, 0xeb, 0xaa, 0x05, 0xaf, 0xb5, 0x9c, 0x0f, 0x86,
2290 0x71, 0x8d, 0xa8, 0xc0, 0x32, 0x4e, 0xae, 0x56, 0xd9, 0x6e, 0xa7,
2291 0xf5, 0xa5, 0x6a, 0x01, 0xd1, 0xc1, 0x3b, 0xbe, 0x52, 0x5c,
2292 },
2293 32, "Sectigo 'Mammoth2024h2'" },
2294 { (const uint8_t[]){
2295 0x13, 0x4a, 0xdf, 0x1a, 0xb5, 0x98, 0x42, 0x09, 0x78, 0x0c, 0x6f,
2296 0xef, 0x4c, 0x7a, 0x91, 0xa4, 0x16, 0xb7, 0x23, 0x49, 0xce, 0x58,
2297 0x57, 0x6a, 0xdf, 0xae, 0xda, 0xa7, 0xc2, 0xab, 0xe0, 0x22,
2298 },
2299 32, "Sectigo 'Mammoth2025h1'" },
2300 { (const uint8_t[]){
2301 0xaf, 0x18, 0x1a, 0x28, 0xd6, 0x8c, 0xa3, 0xe0, 0xa9, 0x8a, 0x4c,
2302 0x9c, 0x67, 0xab, 0x09, 0xf8, 0xbb, 0xbc, 0x22, 0xba, 0xae, 0xbc,
2303 0xb1, 0x38, 0xa3, 0xa1, 0x9d, 0xd3, 0xf9, 0xb6, 0x03, 0x0d,
2304 },
2305 32, "Sectigo 'Mammoth2025h2'" },
2306 { (const uint8_t[]){
2307 0x25, 0x2f, 0x94, 0xc2, 0x2b, 0x29, 0xe9, 0x6e, 0x9f, 0x41, 0x1a,
2308 0x72, 0x07, 0x2b, 0x69, 0x5c, 0x5b, 0x52, 0xff, 0x97, 0xa9, 0x0d,
2309 0x25, 0x40, 0xbb, 0xfc, 0xdc, 0x51, 0xec, 0x4d, 0xee, 0x0b,
2310 },
2311 32, "Sectigo 'Mammoth2026h1'" },
2312 { (const uint8_t[]){
2313 0x94, 0xb1, 0xc1, 0x8a, 0xb0, 0xd0, 0x57, 0xc4, 0x7b, 0xe0, 0xac,
2314 0x04, 0x0e, 0x1f, 0x2c, 0xbc, 0x8d, 0xc3, 0x75, 0x72, 0x7b, 0xc9,
2315 0x51, 0xf2, 0x0a, 0x52, 0x61, 0x26, 0x86, 0x3b, 0xa7, 0x3c,
2316 },
2317 32, "Sectigo 'Mammoth2026h2'" },
2318 { (const uint8_t[]){
2319 0x56, 0x6c, 0xd5, 0xa3, 0x76, 0xbe, 0x83, 0xdf, 0xe3, 0x42, 0xb6,
2320 0x75, 0xc4, 0x9c, 0x23, 0x24, 0x98, 0xa7, 0x69, 0xba, 0xc3, 0x82,
2321 0xcb, 0xab, 0x49, 0xa3, 0x87, 0x7d, 0x9a, 0xb3, 0x2d, 0x01,
2322 },
2323 32, "Sectigo 'Sabre2026h1'" },
2324 { (const uint8_t[]){
2325 0x1f, 0x56, 0xd1, 0xab, 0x94, 0x70, 0x4a, 0x41, 0xdd, 0x3f, 0xea,
2326 0xfd, 0xf4, 0x69, 0x93, 0x55, 0x30, 0x2c, 0x14, 0x31, 0xbf, 0xe6,
2327 0x13, 0x46, 0x08, 0x9f, 0xff, 0xae, 0x79, 0x5d, 0xcc, 0x2f,
2328 },
2329 32, "Sectigo 'Sabre2026h2'" },
2330 { (const uint8_t[]){
2331 0x0d, 0x1d, 0xbc, 0x89, 0x44, 0xe9, 0xf5, 0x00, 0x55, 0x42, 0xd7,
2332 0x2d, 0x3e, 0x14, 0x4c, 0xcc, 0x43, 0x08, 0x2a, 0xb6, 0xea, 0x1e,
2333 0x94, 0xdf, 0xd7, 0x06, 0x65, 0x7d, 0x2e, 0x86, 0xf3, 0x01,
2334 },
2335 32, "Sectigo 'Elephant2025h2'" },
2336 { (const uint8_t[]){
2337 0xd1, 0x6e, 0xa9, 0xa5, 0x68, 0x07, 0x7e, 0x66, 0x35, 0xa0, 0x3f,
2338 0x37, 0xa5, 0xdd, 0xbc, 0x03, 0xa5, 0x3c, 0x41, 0x12, 0x14, 0xd4,
2339 0x88, 0x18, 0xf5, 0xe9, 0x31, 0xb3, 0x23, 0xcb, 0x95, 0x04,
2340 },
2341 32, "Sectigo 'Elephant2026h1'" },
2342 { (const uint8_t[]){
2343 0xaf, 0x67, 0x88, 0x3b, 0x57, 0xb0, 0x4e, 0xdd, 0x8f, 0xa6, 0xd9,
2344 0x7e, 0xf6, 0x2e, 0xa8, 0xeb, 0x81, 0x0a, 0xc7, 0x71, 0x60, 0xf0,
2345 0x24, 0x5e, 0x55, 0xd6, 0x0c, 0x2f, 0xe7, 0x85, 0x87, 0x3a,
2346 },
2347 32, "Sectigo 'Elephant2026h2'" },
2348 { (const uint8_t[]){
2349 0x60, 0x4c, 0x9a, 0xaf, 0x7a, 0x7f, 0x77, 0x5f, 0x01, 0xd4, 0x06,
2350 0xfc, 0x92, 0x0d, 0xc8, 0x99, 0xeb, 0x0b, 0x1c, 0x7d, 0xf8, 0xc9,
2351 0x52, 0x1b, 0xfa, 0xfa, 0x17, 0x77, 0x3b, 0x97, 0x8b, 0xc9,
2352 },
2353 32, "Sectigo 'Elephant2027h1'" },
2354 { (const uint8_t[]){
2355 0xa2, 0x49, 0x0c, 0xdc, 0xdb, 0x8e, 0x33, 0xa4, 0x00, 0x32, 0x17,
2356 0x60, 0xd6, 0xd4, 0xd5, 0x1a, 0x20, 0x36, 0x19, 0x1e, 0xa7, 0x7d,
2357 0x96, 0x8b, 0xe2, 0x6a, 0x8a, 0x00, 0xf6, 0xff, 0xff, 0xf7,
2358 },
2359 32, "Sectigo 'Elephant2027h2'" },
2360 { (const uint8_t[]){
2361 0x5c, 0xa5, 0x77, 0xd2, 0x9b, 0x7f, 0x8b, 0xaf, 0x41, 0x9e, 0xd8,
2362 0xec, 0xab, 0xfb, 0x6d, 0xcb, 0xae, 0xc3, 0x85, 0x37, 0x02, 0xd5,
2363 0x74, 0x6f, 0x17, 0x4d, 0xad, 0x3c, 0x93, 0x4a, 0xa9, 0x6a,
2364 },
2365 32, "Sectigo 'Tiger2025h2'" },
2366 { (const uint8_t[]){
2367 0x16, 0x83, 0x2d, 0xab, 0xf0, 0xa9, 0x25, 0x0f, 0x0f, 0xf0, 0x3a,
2368 0xa5, 0x45, 0xff, 0xc8, 0xbf, 0xc8, 0x23, 0xd0, 0x87, 0x4b, 0xf6,
2369 0x04, 0x29, 0x27, 0xf8, 0xe7, 0x1f, 0x33, 0x13, 0xf5, 0xfa,
2370 },
2371 32, "Sectigo 'Tiger2026h1'" },
2372 { (const uint8_t[]){
2373 0xc8, 0xa3, 0xc4, 0x7f, 0xc7, 0xb3, 0xad, 0xb9, 0x35, 0x6b, 0x01,
2374 0x3f, 0x6a, 0x7a, 0x12, 0x6d, 0xe3, 0x3a, 0x4e, 0x43, 0xa5, 0xc6,
2375 0x46, 0xf9, 0x97, 0xad, 0x39, 0x75, 0x99, 0x1d, 0xcf, 0x9a,
2376 },
2377 32, "Sectigo 'Tiger2026h2'" },
2378 { (const uint8_t[]){
2379 0x1c, 0x9f, 0x68, 0x2c, 0xe9, 0xfa, 0xf0, 0x45, 0x69, 0x50, 0xf8,
2380 0x1b, 0x96, 0x8a, 0x87, 0xdd, 0xdb, 0x32, 0x10, 0xd8, 0x4c, 0xe6,
2381 0xc8, 0xb2, 0xe3, 0x82, 0x52, 0x4a, 0xc4, 0xcf, 0x59, 0x9f,
2382 },
2383 32, "Sectigo 'Tiger2027h1'" },
2384 { (const uint8_t[]){
2385 0x03, 0x80, 0x2a, 0xc2, 0x62, 0xf6, 0xe0, 0x5e, 0x03, 0xf8, 0xbc,
2386 0x6f, 0x7b, 0x98, 0x51, 0x32, 0x4f, 0xd7, 0x6a, 0x3d, 0xf5, 0xb7,
2387 0x59, 0x51, 0x75, 0xe2, 0x22, 0xfb, 0x8e, 0x9b, 0xd5, 0xf6,
2388 },
2389 32, "Sectigo 'Tiger2027h2'" },
2390 { (const uint8_t[]){
2391 0xdb, 0x76, 0xfd, 0xad, 0xac, 0x65, 0xe7, 0xd0, 0x95, 0x08, 0x88,
2392 0x6e, 0x21, 0x59, 0xbd, 0x8b, 0x90, 0x35, 0x2f, 0x5f, 0xea, 0xd3,
2393 0xe3, 0xdc, 0x5e, 0x22, 0xeb, 0x35, 0x0a, 0xcc, 0x7b, 0x98,
2394 },
2395 32, "Sectigo 'Dodo' CT log" },
2396 { (const uint8_t[]){
2397 0xe7, 0x12, 0xf2, 0xb0, 0x37, 0x7e, 0x1a, 0x62, 0xfb, 0x8e, 0xc9,
2398 0x0c, 0x61, 0x84, 0xf1, 0xea, 0x7b, 0x37, 0xcb, 0x56, 0x1d, 0x11,
2399 0x26, 0x5b, 0xf3, 0xe0, 0xf3, 0x4b, 0xf2, 0x41, 0x54, 0x6e,
2400 },
2401 32, "Let's Encrypt 'Oak2020' log" },
2402 { (const uint8_t[]){
2403 0x94, 0x20, 0xbc, 0x1e, 0x8e, 0xd5, 0x8d, 0x6c, 0x88, 0x73, 0x1f,
2404 0x82, 0x8b, 0x22, 0x2c, 0x0d, 0xd1, 0xda, 0x4d, 0x5e, 0x6c, 0x4f,
2405 0x94, 0x3d, 0x61, 0xdb, 0x4e, 0x2f, 0x58, 0x4d, 0xa2, 0xc2,
2406 },
2407 32, "Let's Encrypt 'Oak2021' log" },
2408 { (const uint8_t[]){
2409 0xdf, 0xa5, 0x5e, 0xab, 0x68, 0x82, 0x4f, 0x1f, 0x6c, 0xad, 0xee,
2410 0xb8, 0x5f, 0x4e, 0x3e, 0x5a, 0xea, 0xcd, 0xa2, 0x12, 0xa4, 0x6a,
2411 0x5e, 0x8e, 0x3b, 0x12, 0xc0, 0x20, 0x44, 0x5c, 0x2a, 0x73,
2412 },
2413 32, "Let's Encrypt 'Oak2022' log" },
2414 { (const uint8_t[]){
2415 0xb7, 0x3e, 0xfb, 0x24, 0xdf, 0x9c, 0x4d, 0xba, 0x75, 0xf2, 0x39,
2416 0xc5, 0xba, 0x58, 0xf4, 0x6c, 0x5d, 0xfc, 0x42, 0xcf, 0x7a, 0x9f,
2417 0x35, 0xc4, 0x9e, 0x1d, 0x09, 0x81, 0x25, 0xed, 0xb4, 0x99,
2418 },
2419 32, "Let's Encrypt 'Oak2023' log" },
2420 { (const uint8_t[]){
2421 0x3b, 0x53, 0x77, 0x75, 0x3e, 0x2d, 0xb9, 0x80, 0x4e, 0x8b, 0x30,
2422 0x5b, 0x06, 0xfe, 0x40, 0x3b, 0x67, 0xd8, 0x4f, 0xc3, 0xf4, 0xc7,
2423 0xbd, 0x00, 0x0d, 0x2d, 0x72, 0x6f, 0xe1, 0xfa, 0xd4, 0x17,
2424 },
2425 32, "Let's Encrypt 'Oak2024H1' log" },
2426 { (const uint8_t[]){
2427 0x3f, 0x17, 0x4b, 0x4f, 0xd7, 0x22, 0x47, 0x58, 0x94, 0x1d, 0x65,
2428 0x1c, 0x84, 0xbe, 0x0d, 0x12, 0xed, 0x90, 0x37, 0x7f, 0x1f, 0x85,
2429 0x6a, 0xeb, 0xc1, 0xbf, 0x28, 0x85, 0xec, 0xf8, 0x64, 0x6e,
2430 },
2431 32, "Let's Encrypt 'Oak2024H2' log" },
2432 { (const uint8_t[]){
2433 0xa2, 0xe3, 0x0a, 0xe4, 0x45, 0xef, 0xbd, 0xad, 0x9b, 0x7e, 0x38,
2434 0xed, 0x47, 0x67, 0x77, 0x53, 0xd7, 0x82, 0x5b, 0x84, 0x94, 0xd7,
2435 0x2b, 0x5e, 0x1b, 0x2c, 0xc4, 0xb9, 0x50, 0xa4, 0x47, 0xe7,
2436 },
2437 32, "Let's Encrypt 'Oak2025h1'" },
2438 { (const uint8_t[]){
2439 0x0d, 0xe1, 0xf2, 0x30, 0x2b, 0xd3, 0x0d, 0xc1, 0x40, 0x62, 0x12,
2440 0x09, 0xea, 0x55, 0x2e, 0xfc, 0x47, 0x74, 0x7c, 0xb1, 0xd7, 0xe9,
2441 0x30, 0xef, 0x0e, 0x42, 0x1e, 0xb4, 0x7e, 0x4e, 0xaa, 0x34,
2442 },
2443 32, "Let's Encrypt 'Oak2025h2'" },
2444 { (const uint8_t[]){
2445 0x19, 0x86, 0xd4, 0xc7, 0x28, 0xaa, 0x6f, 0xfe, 0xba, 0x03, 0x6f,
2446 0x78, 0x2a, 0x4d, 0x01, 0x91, 0xaa, 0xce, 0x2d, 0x72, 0x31, 0x0f,
2447 0xae, 0xce, 0x5d, 0x70, 0x41, 0x2d, 0x25, 0x4c, 0xc7, 0xd4,
2448 },
2449 32, "Let's Encrypt 'Oak2026h1'" },
2450 { (const uint8_t[]){
2451 0xac, 0xab, 0x30, 0x70, 0x6c, 0xeb, 0xec, 0x84, 0x31, 0xf4, 0x13,
2452 0xd2, 0xf4, 0x91, 0x5f, 0x11, 0x1e, 0x42, 0x24, 0x43, 0xb1, 0xf2,
2453 0xa6, 0x8c, 0x4f, 0x3c, 0x2b, 0x3b, 0xa7, 0x1e, 0x02, 0xc3,
2454 },
2455 32, "Let's Encrypt 'Oak2026h2'" },
2456 { (const uint8_t[]){
2457 0x65, 0x9b, 0x33, 0x50, 0xf4, 0x3b, 0x12, 0xcc, 0x5e, 0xa5, 0xab,
2458 0x4e, 0xc7, 0x65, 0xd3, 0xfd, 0xe6, 0xc8, 0x82, 0x43, 0x77, 0x77,
2459 0x78, 0xe7, 0x20, 0x03, 0xf9, 0xeb, 0x2b, 0x8c, 0x31, 0x29,
2460 },
2461 32, "Let's Encrypt 'Oak2019' log" },
2462 { (const uint8_t[]){
2463 0x84, 0x9f, 0x5f, 0x7f, 0x58, 0xd2, 0xbf, 0x7b, 0x54, 0xec, 0xbd,
2464 0x74, 0x61, 0x1c, 0xea, 0x45, 0xc4, 0x9c, 0x98, 0xf1, 0xd6, 0x48,
2465 0x1b, 0xc6, 0xf6, 0x9e, 0x8c, 0x17, 0x4f, 0x24, 0xf3, 0xcf,
2466 },
2467 32, "Let's Encrypt 'Testflume2019' log" },
2468 { (const uint8_t[]){
2469 0x23, 0x2d, 0x41, 0xa4, 0xcd, 0xac, 0x87, 0xce, 0xd9, 0xf9, 0x43,
2470 0xf4, 0x68, 0xc2, 0x82, 0x09, 0x5a, 0xe0, 0x9d, 0x30, 0xd6, 0x2e,
2471 0x2f, 0xa6, 0x5d, 0xdc, 0x3b, 0x91, 0x9c, 0x2e, 0x46, 0x8f,
2472 },
2473 32, "Let's Encrypt 'Sapling 2022h2' log" },
2474 { (const uint8_t[]){
2475 0xc1, 0x83, 0x24, 0x0b, 0xf1, 0xa4, 0x50, 0xc7, 0x6f, 0xbb, 0x00,
2476 0x72, 0x69, 0xdc, 0xac, 0x3b, 0xe2, 0x2a, 0x48, 0x05, 0xd4, 0xdb,
2477 0xe0, 0x49, 0x66, 0xc3, 0xc8, 0xab, 0xc4, 0x47, 0xb0, 0x0c,
2478 },
2479 32, "Let's Encrypt 'Sapling 2023h1' log" },
2480 { (const uint8_t[]){
2481 0xc6, 0x3f, 0x22, 0x18, 0xc3, 0x7d, 0x56, 0xa6, 0xaa, 0x06, 0xb5,
2482 0x96, 0xda, 0x8e, 0x53, 0xd4, 0xd7, 0x15, 0x6d, 0x1e, 0x9b, 0xac,
2483 0x8e, 0x44, 0xd2, 0x20, 0x2d, 0xe6, 0x4d, 0x69, 0xd9, 0xdc,
2484 },
2485 32, "Let's Encrypt 'Testflume2020' log" },
2486 { (const uint8_t[]){
2487 0x03, 0xed, 0xf1, 0xda, 0x97, 0x76, 0xb6, 0xf3, 0x8c, 0x34, 0x1e,
2488 0x39, 0xed, 0x9d, 0x70, 0x7a, 0x75, 0x70, 0x36, 0x9c, 0xf9, 0x84,
2489 0x4f, 0x32, 0x7f, 0xe9, 0xe1, 0x41, 0x38, 0x36, 0x1b, 0x60,
2490 },
2491 32, "Let's Encrypt 'Testflume2021' log" },
2492 { (const uint8_t[]){
2493 0x23, 0x27, 0xef, 0xda, 0x35, 0x25, 0x10, 0xdb, 0xc0, 0x19, 0xef,
2494 0x49, 0x1a, 0xe3, 0xff, 0x1c, 0xc5, 0xa4, 0x79, 0xbc, 0xe3, 0x78,
2495 0x78, 0x36, 0x0e, 0xe3, 0x18, 0xcf, 0xfb, 0x64, 0xf8, 0xc8,
2496 },
2497 32, "Let's Encrypt 'Testflume2022' log" },
2498 { (const uint8_t[]){
2499 0x55, 0x34, 0xb7, 0xab, 0x5a, 0x6a, 0xc3, 0xa7, 0xcb, 0xeb, 0xa6,
2500 0x54, 0x87, 0xb2, 0xa2, 0xd7, 0x1b, 0x48, 0xf6, 0x50, 0xfa, 0x17,
2501 0xc5, 0x19, 0x7c, 0x97, 0xa0, 0xcb, 0x20, 0x76, 0xf3, 0xc6,
2502 },
2503 32, "Let's Encrypt 'Testflume2023' log" },
2504 { (const uint8_t[]){
2505 0x29, 0x6a, 0xfa, 0x2d, 0x56, 0x8b, 0xca, 0x0d, 0x2e, 0xa8, 0x44,
2506 0x95, 0x6a, 0xe9, 0x72, 0x1f, 0xc3, 0x5f, 0xa3, 0x55, 0xec, 0xda,
2507 0x99, 0x69, 0x3a, 0xaf, 0xd4, 0x58, 0xa7, 0x1a, 0xef, 0xdd,
2508 },
2509 32, "Let's Encrypt 'Clicky' log" },
2510 { (const uint8_t[]){
2511 0xa5, 0x95, 0x94, 0x3b, 0x53, 0x70, 0xbe, 0xe9, 0x06, 0xe0, 0x05,
2512 0x0d, 0x1f, 0xb5, 0xbb, 0xc6, 0xa4, 0x0e, 0x65, 0xf2, 0x65, 0xae,
2513 0x85, 0x2c, 0x76, 0x36, 0x3f, 0xad, 0xb2, 0x33, 0x36, 0xed,
2514 },
2515 32, "Trust Asia Log2020" },
2516 { (const uint8_t[]){
2517 0xa8, 0xdc, 0x52, 0xf6, 0x3d, 0x6b, 0x24, 0x25, 0xe5, 0x31, 0xe3,
2518 0x7c, 0xf4, 0xe4, 0x4a, 0x71, 0x4f, 0x14, 0x2a, 0x20, 0x80, 0x3b,
2519 0x0d, 0x04, 0xd2, 0xe2, 0xee, 0x06, 0x64, 0x79, 0x4a, 0x23,
2520 },
2521 32, "Trust Asia CT2021" },
2522 { (const uint8_t[]){
2523 0x67, 0x8d, 0xb6, 0x5b, 0x3e, 0x74, 0x43, 0xb6, 0xf3, 0xa3, 0x70,
2524 0xd5, 0xe1, 0x3a, 0xb1, 0xb4, 0x3b, 0xe0, 0xa0, 0xd3, 0x51, 0xf7,
2525 0xca, 0x74, 0x22, 0x50, 0xc7, 0xc6, 0xfa, 0x51, 0xa8, 0x8a,
2526 },
2527 32, "Trust Asia Log2021" },
2528 { (const uint8_t[]){
2529 0xc3, 0x65, 0xf9, 0xb3, 0x65, 0x4f, 0x32, 0x83, 0xc7, 0x9d, 0xa9,
2530 0x8e, 0x93, 0xd7, 0x41, 0x8f, 0x5b, 0xab, 0x7b, 0xe3, 0x25, 0x2c,
2531 0x98, 0xe1, 0xd2, 0xf0, 0x4b, 0xb9, 0xeb, 0x42, 0x7d, 0x23,
2532 },
2533 32, "Trust Asia Log2022" },
2534 { (const uint8_t[]){
2535 0xe8, 0x7e, 0xa7, 0x66, 0x0b, 0xc2, 0x6c, 0xf6, 0x00, 0x2e, 0xf5,
2536 0x72, 0x5d, 0x3f, 0xe0, 0xe3, 0x31, 0xb9, 0x39, 0x3b, 0xb9, 0x2f,
2537 0xbf, 0x58, 0xeb, 0x3b, 0x90, 0x49, 0xda, 0xf5, 0x43, 0x5a,
2538 },
2539 32, "Trust Asia Log2023" },
2540 { (const uint8_t[]){
2541 0x30, 0x6d, 0x29, 0x57, 0x6a, 0xd2, 0x1a, 0x9d, 0x4a, 0xe1, 0x2a,
2542 0xca, 0xd8, 0xaa, 0x8a, 0x78, 0x3a, 0xa6, 0x5a, 0x32, 0x11, 0x60,
2543 0xac, 0xff, 0x5b, 0x0e, 0xee, 0x4c, 0xa3, 0x20, 0x1d, 0x05,
2544 },
2545 32, "Trust Asia Log2024" },
2546 { (const uint8_t[]){
2547 0x87, 0x4f, 0xb5, 0x0d, 0xc0, 0x29, 0xd9, 0x93, 0x1d, 0xe5, 0x73,
2548 0xe9, 0xf2, 0x89, 0x9e, 0x8e, 0x45, 0x33, 0xb3, 0x92, 0xd3, 0x8b,
2549 0x0a, 0x46, 0x25, 0x74, 0xbf, 0x0f, 0xee, 0xb2, 0xfc, 0x1e,
2550 },
2551 32, "Trust Asia Log2024-2" },
2552 { (const uint8_t[]){
2553 0x28, 0xe2, 0x81, 0x38, 0xfd, 0x83, 0x21, 0x45, 0xe9, 0xa9, 0xd6,
2554 0xaa, 0x75, 0x37, 0x6d, 0x83, 0x77, 0xa8, 0x85, 0x12, 0xb3, 0xc0,
2555 0x7f, 0x72, 0x41, 0x48, 0x21, 0xdc, 0xbd, 0xe9, 0x8c, 0x66,
2556 },
2557 32, "TrustAsia Log2025a" },
2558 { (const uint8_t[]){
2559 0x28, 0x2c, 0x8b, 0xdd, 0x81, 0x0f, 0xf9, 0x09, 0x12, 0x0a, 0xce,
2560 0x16, 0xd6, 0xe0, 0xec, 0x20, 0x1b, 0xea, 0x82, 0xa3, 0xa4, 0xaf,
2561 0x19, 0xd9, 0xef, 0xfb, 0x59, 0xe8, 0x3f, 0xdc, 0x42, 0x68,
2562 },
2563 32, "TrustAsia Log2025b" },
2564 { (const uint8_t[]){
2565 0x74, 0xdb, 0x9d, 0x58, 0xf7, 0xd4, 0x7e, 0x9d, 0xfd, 0x78, 0x7a,
2566 0x16, 0x2a, 0x99, 0x1c, 0x18, 0xcf, 0x69, 0x8d, 0xa7, 0xc7, 0x29,
2567 0x91, 0x8c, 0x9a, 0x18, 0xb0, 0x45, 0x0d, 0xba, 0x44, 0xbc,
2568 },
2569 32, "TrustAsia 'log2026a'" },
2570 { (const uint8_t[]){
2571 0x25, 0xb7, 0xef, 0xde, 0xa1, 0x13, 0x01, 0x93, 0xed, 0x93, 0x07,
2572 0x97, 0x70, 0xaa, 0x32, 0x2a, 0x26, 0x62, 0x0d, 0xe3, 0x5a, 0xc8,
2573 0xaa, 0x7c, 0x75, 0x19, 0x7d, 0xe0, 0xb1, 0xa9, 0xe0, 0x65,
2574 },
2575 32, "TrustAsia 'log2026b'" },
2576 { (const uint8_t[]){
2577 0xed, 0xda, 0xeb, 0x81, 0x5c, 0x63, 0x21, 0x34, 0x49, 0xb4, 0x7b,
2578 0xe5, 0x07, 0x79, 0x05, 0xab, 0xd0, 0xd9, 0x31, 0x47, 0xc2, 0x7a,
2579 0xc5, 0x14, 0x6b, 0x3b, 0xc5, 0x8e, 0x43, 0xe9, 0xb6, 0xc7,
2580 },
2581 32, "TrustAsia 'HETU2027'" },
2582 { (const uint8_t[]){
2583 0x45, 0x35, 0x94, 0x98, 0xd9, 0x3a, 0x89, 0xe0, 0x28, 0x03, 0x08,
2584 0xd3, 0x7d, 0x62, 0x6d, 0xc4, 0x23, 0x75, 0x47, 0x58, 0xdc, 0xe0,
2585 0x37, 0x00, 0x36, 0xfb, 0xab, 0x0e, 0xdf, 0x8a, 0x6b, 0xcf,
2586 },
2587 32, "Trust Asia Log1" },
2588 { (const uint8_t[]){
2589 0xc9, 0xcf, 0x89, 0x0a, 0x21, 0x10, 0x9c, 0x66, 0x6c, 0xc1, 0x7a,
2590 0x3e, 0xd0, 0x65, 0xc9, 0x30, 0xd0, 0xe0, 0x13, 0x5a, 0x9f, 0xeb,
2591 0xa8, 0x5a, 0xf1, 0x42, 0x10, 0xb8, 0x07, 0x24, 0x21, 0xaa,
2592 },
2593 32, "GDCA CT log #1" },
2594 { (const uint8_t[]){
2595 0x92, 0x4a, 0x30, 0xf9, 0x09, 0x33, 0x6f, 0xf4, 0x35, 0xd6, 0x99,
2596 0x3a, 0x10, 0xac, 0x75, 0xa2, 0xc6, 0x41, 0x72, 0x8e, 0x7f, 0xc2,
2597 0xd6, 0x59, 0xae, 0x61, 0x88, 0xff, 0xad, 0x40, 0xce, 0x01,
2598 },
2599 32, "GDCA CT log #2" },
2600 { (const uint8_t[]){
2601 0x71, 0x7e, 0xa7, 0x42, 0x09, 0x75, 0xbe, 0x84, 0xa2, 0x72, 0x35,
2602 0x53, 0xf1, 0x77, 0x7c, 0x26, 0xdd, 0x51, 0xaf, 0x4e, 0x10, 0x21,
2603 0x44, 0x09, 0x4d, 0x90, 0x19, 0xb4, 0x62, 0xfb, 0x66, 0x68,
2604 },
2605 32, "GDCA Log 1" },
2606 { (const uint8_t[]){
2607 0x14, 0x30, 0x8d, 0x90, 0xcc, 0xd0, 0x30, 0x13, 0x50, 0x05, 0xc0,
2608 0x1c, 0xa5, 0x26, 0xd8, 0x1e, 0x84, 0xe8, 0x76, 0x24, 0xe3, 0x9b,
2609 0x62, 0x48, 0xe0, 0x8f, 0x72, 0x4a, 0xea, 0x3b, 0xb4, 0x2a,
2610 },
2611 32, "GDCA Log 2" },
2612 { (const uint8_t[]){
2613 0xe0, 0x12, 0x76, 0x29, 0xe9, 0x04, 0x96, 0x56, 0x4e, 0x3d, 0x01,
2614 0x47, 0x98, 0x44, 0x98, 0xaa, 0x48, 0xf8, 0xad, 0xb1, 0x66, 0x00,
2615 0xeb, 0x79, 0x02, 0xa1, 0xef, 0x99, 0x09, 0x90, 0x62, 0x73,
2616 },
2617 32, "PuChuangSiDa CT log" },
2618 { (const uint8_t[]){
2619 0x53, 0x7b, 0x69, 0xa3, 0x56, 0x43, 0x35, 0xa9, 0xc0, 0x49, 0x04,
2620 0xe3, 0x95, 0x93, 0xb2, 0xc2, 0x98, 0xeb, 0x8d, 0x7a, 0x6e, 0x83,
2621 0x02, 0x36, 0x35, 0xc6, 0x27, 0x24, 0x8c, 0xd6, 0xb4, 0x40,
2622 },
2623 32, "Nordu 'flimsy' log" },
2624 { (const uint8_t[]){
2625 0xaa, 0xe7, 0x0b, 0x7f, 0x3c, 0xb8, 0xd5, 0x66, 0xc8, 0x6c, 0x2f,
2626 0x16, 0x97, 0x9c, 0x9f, 0x44, 0x5f, 0x69, 0xab, 0x0e, 0xb4, 0x53,
2627 0x55, 0x89, 0xb2, 0xf7, 0x7a, 0x03, 0x01, 0x04, 0xf3, 0xcd,
2628 },
2629 32, "Nordu 'plausible' log" },
2630 { (const uint8_t[]){
2631 0xcf, 0x55, 0xe2, 0x89, 0x23, 0x49, 0x7c, 0x34, 0x0d, 0x52, 0x06,
2632 0xd0, 0x53, 0x53, 0xae, 0xb2, 0x58, 0x34, 0xb5, 0x2f, 0x1f, 0x8d,
2633 0xc9, 0x52, 0x68, 0x09, 0xf2, 0x12, 0xef, 0xdd, 0x7c, 0xa6,
2634 },
2635 32, "SHECA CT log 1" },
2636 { (const uint8_t[]){
2637 0x32, 0xdc, 0x59, 0xc2, 0xd4, 0xc4, 0x19, 0x68, 0xd5, 0x6e, 0x14,
2638 0xbc, 0x61, 0xac, 0x8f, 0x0e, 0x45, 0xdb, 0x39, 0xfa, 0xf3, 0xc1,
2639 0x55, 0xaa, 0x42, 0x52, 0xf5, 0x00, 0x1f, 0xa0, 0xc6, 0x23,
2640 },
2641 32, "SHECA CT log 2" },
2642 { (const uint8_t[]){
2643 0x96, 0x06, 0xc0, 0x2c, 0x69, 0x00, 0x33, 0xaa, 0x1d, 0x14, 0x5f,
2644 0x59, 0xc6, 0xe2, 0x64, 0x8d, 0x05, 0x49, 0xf0, 0xdf, 0x96, 0xaa,
2645 0xb8, 0xdb, 0x91, 0x5a, 0x70, 0xd8, 0xec, 0xf3, 0x90, 0xa5,
2646 },
2647 32, "Akamai CT Log" },
2648 { (const uint8_t[]){
2649 0x39, 0x37, 0x6f, 0x54, 0x5f, 0x7b, 0x46, 0x07, 0xf5, 0x97, 0x42,
2650 0xd7, 0x68, 0xcd, 0x5d, 0x24, 0x37, 0xbf, 0x34, 0x73, 0xb6, 0x53,
2651 0x4a, 0x48, 0x34, 0xbc, 0xf7, 0x2e, 0x68, 0x1c, 0x83, 0xc9,
2652 },
2653 32, "Alpha CT Log" },
2654 { (const uint8_t[]){
2655 0xb0, 0xb7, 0x84, 0xbc, 0x81, 0xc0, 0xdd, 0xc4, 0x75, 0x44, 0xe8,
2656 0x83, 0xf0, 0x59, 0x85, 0xbb, 0x90, 0x77, 0xd1, 0x34, 0xd8, 0xab,
2657 0x88, 0xb2, 0xb2, 0xe5, 0x33, 0x98, 0x0b, 0x8e, 0x50, 0x8b,
2658 },
2659 32, "Up In The Air 'Behind the Sofa' log" },
2660 { (const uint8_t[]){
2661 0x47, 0x44, 0x47, 0x7c, 0x75, 0xde, 0x42, 0x6d, 0x5c, 0x44, 0xef,
2662 0xd4, 0xa9, 0x2c, 0x96, 0x77, 0x59, 0x7f, 0x65, 0x7a, 0x8f, 0xe0,
2663 0xca, 0xdb, 0xc6, 0xd6, 0x16, 0xed, 0xa4, 0x97, 0xc4, 0x25,
2664 },
2665 32, "Qihoo 360 2020" },
2666 { (const uint8_t[]){
2667 0xc6, 0xd7, 0xed, 0x9e, 0xdb, 0x8e, 0x74, 0xf0, 0xa7, 0x1b, 0x4d,
2668 0x4a, 0x98, 0x4b, 0xcb, 0xeb, 0xab, 0xbd, 0x28, 0xcc, 0x1f, 0xd7,
2669 0x63, 0x29, 0xe8, 0x87, 0x26, 0xcd, 0x4c, 0x25, 0x46, 0x63,
2670 },
2671 32, "Qihoo 360 2021" },
2672 { (const uint8_t[]){
2673 0x66, 0x3c, 0xb0, 0x9c, 0x1f, 0xcd, 0x9b, 0xaa, 0x62, 0x76, 0x3c,
2674 0xcb, 0x53, 0x4e, 0xec, 0x80, 0x58, 0x12, 0x28, 0x05, 0x07, 0xac,
2675 0x69, 0xa4, 0x5f, 0xcd, 0x38, 0xcf, 0x4c, 0xc7, 0x4c, 0xf1,
2676 },
2677 32, "Qihoo 360 2022" },
2678 { (const uint8_t[]){
2679 0xe2, 0x64, 0x7f, 0x6e, 0xda, 0x34, 0x05, 0x03, 0xc6, 0x4d, 0x4e,
2680 0x10, 0xa8, 0x69, 0x68, 0x1f, 0xde, 0x9c, 0x5a, 0x2c, 0xf3, 0xb3,
2681 0x2d, 0x5f, 0x20, 0x0b, 0x96, 0x36, 0x05, 0x90, 0x88, 0x23,
2682 },
2683 32, "Qihoo 360 2023" },
2684 { (const uint8_t[]){
2685 0xc5, 0xcf, 0xe5, 0x4b, 0x61, 0x51, 0xb4, 0x9b, 0x14, 0x2e, 0xd2,
2686 0x63, 0xbd, 0xe7, 0x32, 0x93, 0x36, 0x37, 0x99, 0x79, 0x95, 0x50,
2687 0xae, 0x44, 0x35, 0xcd, 0x1a, 0x69, 0x97, 0xc9, 0xc3, 0xc3,
2688 },
2689 32, "Qihoo 360 v1 2020" },
2690 { (const uint8_t[]){
2691 0x48, 0x14, 0x58, 0x7c, 0xf2, 0x8b, 0x08, 0xfe, 0x68, 0x3f, 0xd2,
2692 0xbc, 0xd9, 0x45, 0x99, 0x4c, 0x2e, 0xb7, 0x4c, 0x8a, 0xe8, 0xc8,
2693 0x7f, 0xce, 0x42, 0x9b, 0x7c, 0xd3, 0x1d, 0x51, 0xbd, 0xc4,
2694 },
2695 32, "Qihoo 360 v1 2021" },
2696 { (const uint8_t[]){
2697 0x49, 0x11, 0xb8, 0xd6, 0x14, 0xcf, 0xd3, 0xd9, 0x9f, 0x16, 0xd3,
2698 0x76, 0x54, 0x5e, 0xe1, 0xb8, 0xcc, 0xfc, 0x51, 0x1f, 0x50, 0x9f,
2699 0x08, 0x0b, 0xa0, 0xa0, 0x87, 0xd9, 0x1d, 0xfa, 0xee, 0xa9,
2700 },
2701 32, "Qihoo 360 v1 2022" },
2702 { (const uint8_t[]){
2703 0xb6, 0x74, 0x0b, 0x12, 0x00, 0x2e, 0x03, 0x3f, 0xd0, 0xe7, 0xe9,
2704 0x41, 0xf4, 0xba, 0x3e, 0xe1, 0xbf, 0xc1, 0x49, 0xb5, 0x24, 0xb4,
2705 0xcf, 0x62, 0x8d, 0x53, 0xef, 0xea, 0x1f, 0x40, 0x3a, 0x8d,
2706 },
2707 32, "Qihoo 360 v1 2023" },
2708 { (const uint8_t[]){
2709 0x2e, 0xd6, 0xa4, 0x4d, 0xeb, 0x8f, 0x0c, 0x86, 0x46, 0x67, 0x76,
2710 0x9c, 0x4e, 0xdd, 0x04, 0x1f, 0x84, 0x23, 0x67, 0x55, 0xfa, 0x3a,
2711 0xac, 0xa6, 0x34, 0xd0, 0x93, 0x5d, 0xfc, 0xd5, 0x9a, 0x70,
2712 },
2713 32, "Bogus placeholder log to unbreak misbehaving CT libraries" },
2714 { (const uint8_t[]){
2715 0x39, 0xb9, 0x87, 0x88, 0x28, 0x19, 0x5f, 0x3b, 0x2d, 0x0d, 0x1b,
2716 0x48, 0x14, 0xa3, 0xae, 0x8c, 0x0d, 0x01, 0xfe, 0x48, 0x62, 0x21,
2717 0xdd, 0x69, 0x39, 0x7d, 0x76, 0xf7, 0x85, 0x74, 0x11, 0xc3,
2718 },
2719 32, "Merklemap 'CompactLog' log" },
2720 { (const uint8_t[]){
2721 0xd2, 0xfc, 0x65, 0x2f, 0xa5, 0xf9, 0xb7, 0x38, 0xb8, 0x37, 0x55,
2722 0xfa, 0x5e, 0xb1, 0x5f, 0x0b, 0x45, 0x25, 0x3f, 0x4e, 0x8f, 0xa3,
2723 0xb9, 0xb6, 0x4f, 0xd4, 0xde, 0x56, 0x62, 0xd1, 0x87, 0x08,
2724 },
2725 32, "Bogus RFC6962 log to avoid breaking misbehaving CT libraries" },
2726 { NULL((void*)0), 0, NULL((void*)0) }
2727};
2728
2729/*
2730 * Application-Layer Protocol Negotiation (ALPN) dissector tables.
2731 */
2732static dissector_table_t ssl_alpn_dissector_table;
2733static dissector_table_t dtls_alpn_dissector_table;
2734
2735/*
2736 * Special cases for prefix matching of the ALPN, if the ALPN includes
2737 * a version number for a draft or protocol revision.
2738 */
2739typedef struct ssl_alpn_prefix_match_protocol {
2740 const char *proto_prefix;
2741 const char *dissector_name;
2742} ssl_alpn_prefix_match_protocol_t;
2743
2744static const ssl_alpn_prefix_match_protocol_t ssl_alpn_prefix_match_protocols[] = {
2745 /* SPDY moves so fast, just 1, 2 and 3 are registered with IANA but there
2746 * already exists 3.1 as of this writing... match the prefix. */
2747 { "spdy/", "spdy" },
2748 /* draft-ietf-httpbis-http2-16 */
2749 { "h2-", "http2" }, /* draft versions */
2750};
2751
2752const value_string compress_certificate_algorithm_vals[] = {
2753 { 1, "zlib" },
2754 { 2, "brotli" },
2755 { 3, "zstd" },
2756 { 0, NULL((void*)0) }
2757};
2758
2759
2760const val64_string quic_transport_parameter_id[] = {
2761 { SSL_HND_QUIC_TP_ORIGINAL_DESTINATION_CONNECTION_ID0x00, "original_destination_connection_id" },
2762 { SSL_HND_QUIC_TP_MAX_IDLE_TIMEOUT0x01, "max_idle_timeout" },
2763 { SSL_HND_QUIC_TP_STATELESS_RESET_TOKEN0x02, "stateless_reset_token" },
2764 { SSL_HND_QUIC_TP_MAX_UDP_PAYLOAD_SIZE0x03, "max_udp_payload_size" },
2765 { SSL_HND_QUIC_TP_INITIAL_MAX_DATA0x04, "initial_max_data" },
2766 { SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_BIDI_LOCAL0x05, "initial_max_stream_data_bidi_local" },
2767 { SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_BIDI_REMOTE0x06, "initial_max_stream_data_bidi_remote" },
2768 { SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_UNI0x07, "initial_max_stream_data_uni" },
2769 { SSL_HND_QUIC_TP_INITIAL_MAX_STREAMS_UNI0x09, "initial_max_streams_uni" },
2770 { SSL_HND_QUIC_TP_INITIAL_MAX_STREAMS_BIDI0x08, "initial_max_streams_bidi" },
2771 { SSL_HND_QUIC_TP_ACK_DELAY_EXPONENT0x0a, "ack_delay_exponent" },
2772 { SSL_HND_QUIC_TP_MAX_ACK_DELAY0x0b, "max_ack_delay" },
2773 { SSL_HND_QUIC_TP_DISABLE_ACTIVE_MIGRATION0x0c, "disable_active_migration" },
2774 { SSL_HND_QUIC_TP_PREFERRED_ADDRESS0x0d, "preferred_address" },
2775 { SSL_HND_QUIC_TP_ACTIVE_CONNECTION_ID_LIMIT0x0e, "active_connection_id_limit" },
2776 { SSL_HND_QUIC_TP_INITIAL_SOURCE_CONNECTION_ID0x0f, "initial_source_connection_id" },
2777 { SSL_HND_QUIC_TP_RETRY_SOURCE_CONNECTION_ID0x10, "retry_source_connection_id" },
2778 { SSL_HND_QUIC_TP_MAX_DATAGRAM_FRAME_SIZE0x20, "max_datagram_frame_size" },
2779 { SSL_HND_QUIC_TP_CIBIR_ENCODING0x1000, "cibir_encoding" },
2780 { SSL_HND_QUIC_TP_LOSS_BITS0x1057, "loss_bits" },
2781 { SSL_HND_QUIC_TP_GREASE_QUIC_BIT0x2ab2, "grease_quic_bit" },
2782 { SSL_HND_QUIC_TP_ENABLE_TIME_STAMP0x7157, "enable_time_stamp" },
2783 { SSL_HND_QUIC_TP_ENABLE_TIME_STAMP_V20x7158, "enable_time_stamp_v2" },
2784 { SSL_HND_QUIC_TP_VERSION_INFORMATION0x11, "version_information" },
2785 { SSL_HND_QUIC_TP_VERSION_INFORMATION_DRAFT0xff73db, "version_information_draft" },
2786 { SSL_HND_QUIC_TP_MIN_ACK_DELAY_OLD0xde1a, "min_ack_delay" },
2787 { SSL_HND_QUIC_TP_GOOGLE_USER_AGENT0x3129, "google_user_agent" },
2788 { SSL_HND_QUIC_TP_GOOGLE_KEY_UPDATE_NOT_YET_SUPPORTED0x312B, "google_key_update_not_yet_supported" },
2789 { SSL_HND_QUIC_TP_GOOGLE_QUIC_VERSION0x4752, "google_quic_version" },
2790 { SSL_HND_QUIC_TP_GOOGLE_INITIAL_RTT0x3127, "google_initial_rtt" },
2791 { SSL_HND_QUIC_TP_GOOGLE_SUPPORT_HANDSHAKE_DONE0x312A, "google_support_handshake_done" },
2792 { SSL_HND_QUIC_TP_GOOGLE_QUIC_PARAMS0x4751, "google_quic_params" },
2793 { SSL_HND_QUIC_TP_GOOGLE_CONNECTION_OPTIONS0x3128, "google_connection_options" },
2794 { SSL_HND_QUIC_TP_FACEBOOK_PARTIAL_RELIABILITY0xFF00, "facebook_partial_reliability" },
2795 { SSL_HND_QUIC_TP_ADDRESS_DISCOVERY0x9f81a176, "address_discovery" },
2796 { SSL_HND_QUIC_TP_MIN_ACK_DELAY_DRAFT_V10xFF03DE1A, "min_ack_delay (draft-01)" },
2797 { SSL_HND_QUIC_TP_MIN_ACK_DELAY_DRAFT050xff04de1a, "min_ack_delay (draft-05)" },
2798 { SSL_HND_QUIC_TP_MIN_ACK_DELAY0xff04de1b, "min_ack_delay" },
2799 { SSL_HND_QUIC_TP_ENABLE_MULTIPATH_DRAFT040x0f739bbc1b666d04, "enable_multipath (draft-04)" },
2800 { SSL_HND_QUIC_TP_ENABLE_MULTIPATH_DRAFT050x0f739bbc1b666d05, "enable_multipath (draft-05)" },
2801 { SSL_HND_QUIC_TP_ENABLE_MULTIPATH0x0f739bbc1b666d06, "enable_multipath (draft-06)" },
2802 { SSL_HND_QUIC_TP_INITIAL_MAX_PATHS0x0f739bbc1b666d07, "initial_max_paths (draft-07/08)" },
2803 { SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT090x0f739bbc1b666d09, "initial_max_path_id (draft-09/10)" },
2804 { SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT110x0f739bbc1b666d11, "initial_max_path_id (draft-11)" },
2805 { SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT120x0f739bbc1b666d0c, "initial_max_path_id (draft-12)" },
2806 { SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT130x0f739bbc1b666d0d, "initial_max_path_id (draft-13)" },
2807 { SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID0x3e, "initial_max_path_id" },
2808 { 0, NULL((void*)0) }
2809};
2810
2811/* https://tools.ietf.org/html/draft-ietf-quic-address-discovery-00 */
2812const val64_string quic_address_discovery_vals[] = {
2813 { 0, "The node is willing to provide address observations to its peer, but is not interested in receiving address observations itself" },
2814 { 1, "The node is interested in receiving address observations, but it is not willing to provide address observations" },
2815 { 2, "The node is interested in receiving address observations, and it is willing to provide address observations" },
2816 { 0, NULL((void*)0) }
2817};
2818
2819/* https://tools.ietf.org/html/draft-huitema-quic-ts-03 */
2820const val64_string quic_enable_time_stamp_v2_vals[] = {
2821 { 1, "I would like to receive TIME_STAMP frames" },
2822 { 2, "I am able to generate TIME_STAMP frames" },
2823 { 3, "I am able to generate TIME_STAMP frames and I would like to receive them" },
2824 { 0, NULL((void*)0) }
2825};
2826
2827/* https://datatracker.ietf.org/doc/draft-ietf-quic-multipath/04/ */
2828const val64_string quic_enable_multipath_vals[] = {
2829 { 0, "don't support multipath" },
2830 { 1, "support multipath as defined in this document" },
2831 { 0, NULL((void*)0) }
2832};
2833
2834/* https://www.ietf.org/archive/id/draft-ietf-tls-esni-16.txt */
2835const value_string tls_hello_ext_ech_clienthello_types[] = {
2836 { 0, "Outer Client Hello" },
2837 { 1, "Inner Client Hello" },
2838 { 0, NULL((void*)0) }
2839};
2840
2841/* RFC 9180 */
2842const value_string kem_id_type_vals[] = {
2843 { 0x0000, "Reserved" },
2844 { 0x0010, "DHKEM(P-256, HKDF-SHA256)" },
2845 { 0x0011, "DHKEM(P-384, HKDF-SHA384)" },
2846 { 0x0012, "DHKEM(P-521, HKDF-SHA512)" },
2847 { 0x0020, "DHKEM(X25519, HKDF-SHA256)" },
2848 { 0x0021, "DHKEM(X448, HKDF-SHA512)" },
2849 { 0, NULL((void*)0) }
2850};
2851const value_string kdf_id_type_vals[] = {
2852 { 0x0000, "Reserved" },
2853 { 0x0001, "HKDF-SHA256" },
2854 { 0x0002, "HKDF-SHA384" },
2855 { 0x0003, "HKDF-SHA512" },
2856 { 0, NULL((void*)0) }
2857};
2858const value_string aead_id_type_vals[] = {
2859 { 0x0000, "Reserved" },
2860 { 0x0001, "AES-128-GCM" },
2861 { 0x0002, "AES-256-GCM" },
2862 { 0x0003, "ChaCha20Poly1305" },
2863 { 0xFFFF, "Export-only" },
2864 { 0, NULL((void*)0) }
2865};
2866
2867const value_string token_binding_key_parameter_vals[] = {
2868 { 0, "rsa2048_pkcs1.5" },
2869 { 1, "rsa2048_pss" },
2870 { 2, "ecdsap256" },
2871 { 0, NULL((void*)0) }
2872};
2873
2874/* Lookup tables }}} */
2875
2876void
2877quic_transport_parameter_id_base_custom(char *result, uint64_t parameter_id)
2878{
2879 const char *label;
2880 if (IS_GREASE_QUIC(parameter_id)((parameter_id) > 27 ? ((((parameter_id) - 27) % 31) == 0)
: 0)
) {
2881 label = "GREASE";
2882 } else {
2883 label = val64_to_str_const(parameter_id, quic_transport_parameter_id, "Unknown");
2884 }
2885 snprintf(result, ITEM_LABEL_LENGTH240, "%s (0x%02" PRIx64"l" "x" ")", label, parameter_id);
2886}
2887
2888/* we keep this internal to packet-tls-utils, as there should be
2889 no need to access it any other way.
2890
2891 This also allows us to hide the dependency on zlib.
2892*/
2893struct _SslDecompress {
2894 int compression;
2895#ifdef USE_ZLIB_OR_ZLIBNG
2896 zlib_stream istream;
2897#endif
2898};
2899
2900/* To assist in parsing client/server key exchange messages
2901 0 indicates unknown */
2902int ssl_get_keyex_alg(int cipher)
2903{
2904 /* Map Cipher suite number to Key Exchange algorithm {{{ */
2905 switch(cipher) {
2906 case 0x0017:
2907 case 0x0018:
2908 case 0x0019:
2909 case 0x001a:
2910 case 0x001b:
2911 case 0x0034:
2912 case 0x003a:
2913 case 0x0046:
2914 case 0x006c:
2915 case 0x006d:
2916 case 0x0089:
2917 case 0x009b:
2918 case 0x00a6:
2919 case 0x00a7:
2920 case 0x00bf:
2921 case 0x00c5:
2922 case 0xc084:
2923 case 0xc085:
2924 return KEX_DH_ANON0x13;
2925 case 0x000b:
2926 case 0x000c:
2927 case 0x000d:
2928 case 0x0030:
2929 case 0x0036:
2930 case 0x003e:
2931 case 0x0042:
2932 case 0x0068:
2933 case 0x0085:
2934 case 0x0097:
2935 case 0x00a4:
2936 case 0x00a5:
2937 case 0x00bb:
2938 case 0x00c1:
2939 case 0xc082:
2940 case 0xc083:
2941 return KEX_DH_DSS0x14;
2942 case 0x000e:
2943 case 0x000f:
2944 case 0x0010:
2945 case 0x0031:
2946 case 0x0037:
2947 case 0x003f:
2948 case 0x0043:
2949 case 0x0069:
2950 case 0x0086:
2951 case 0x0098:
2952 case 0x00a0:
2953 case 0x00a1:
2954 case 0x00bc:
2955 case 0x00c2:
2956 case 0xc07e:
2957 case 0xc07f:
2958 return KEX_DH_RSA0x15;
2959 case 0x0011:
2960 case 0x0012:
2961 case 0x0013:
2962 case 0x0032:
2963 case 0x0038:
2964 case 0x0040:
2965 case 0x0044:
2966 case 0x0063:
2967 case 0x0065:
2968 case 0x0066:
2969 case 0x006a:
2970 case 0x0087:
2971 case 0x0099:
2972 case 0x00a2:
2973 case 0x00a3:
2974 case 0x00bd:
2975 case 0x00c3:
2976 case 0xc080:
2977 case 0xc081:
2978 return KEX_DHE_DSS0x10;
2979 case 0x002d:
2980 case 0x008e:
2981 case 0x008f:
2982 case 0x0090:
2983 case 0x0091:
2984 case 0x00aa:
2985 case 0x00ab:
2986 case 0x00b2:
2987 case 0x00b3:
2988 case 0x00b4:
2989 case 0x00b5:
2990 case 0xc090:
2991 case 0xc091:
2992 case 0xc096:
2993 case 0xc097:
2994 case 0xc0a6:
2995 case 0xc0a7:
2996 case 0xc0aa:
2997 case 0xc0ab:
2998 case 0xccad:
2999 case 0xe41c:
3000 case 0xe41d:
3001 return KEX_DHE_PSK0x11;
3002 case 0x0014:
3003 case 0x0015:
3004 case 0x0016:
3005 case 0x0033:
3006 case 0x0039:
3007 case 0x0045:
3008 case 0x0067:
3009 case 0x006b:
3010 case 0x0088:
3011 case 0x009a:
3012 case 0x009e:
3013 case 0x009f:
3014 case 0x00be:
3015 case 0x00c4:
3016 case 0xc07c:
3017 case 0xc07d:
3018 case 0xc09e:
3019 case 0xc09f:
3020 case 0xc0a2:
3021 case 0xc0a3:
3022 case 0xccaa:
3023 case 0xe41e:
3024 case 0xe41f:
3025 return KEX_DHE_RSA0x12;
3026 case 0xc015:
3027 case 0xc016:
3028 case 0xc017:
3029 case 0xc018:
3030 case 0xc019:
3031 return KEX_ECDH_ANON0x19;
3032 case 0xc001:
3033 case 0xc002:
3034 case 0xc003:
3035 case 0xc004:
3036 case 0xc005:
3037 case 0xc025:
3038 case 0xc026:
3039 case 0xc02d:
3040 case 0xc02e:
3041 case 0xc074:
3042 case 0xc075:
3043 case 0xc088:
3044 case 0xc089:
3045 return KEX_ECDH_ECDSA0x1a;
3046 case 0xc00b:
3047 case 0xc00c:
3048 case 0xc00d:
3049 case 0xc00e:
3050 case 0xc00f:
3051 case 0xc029:
3052 case 0xc02a:
3053 case 0xc031:
3054 case 0xc032:
3055 case 0xc078:
3056 case 0xc079:
3057 case 0xc08c:
3058 case 0xc08d:
3059 return KEX_ECDH_RSA0x1b;
3060 case 0xc006:
3061 case 0xc007:
3062 case 0xc008:
3063 case 0xc009:
3064 case 0xc00a:
3065 case 0xc023:
3066 case 0xc024:
3067 case 0xc02b:
3068 case 0xc02c:
3069 case 0xc072:
3070 case 0xc073:
3071 case 0xc086:
3072 case 0xc087:
3073 case 0xc0ac:
3074 case 0xc0ad:
3075 case 0xc0ae:
3076 case 0xc0af:
3077 case 0xcca9:
3078 case 0xe414:
3079 case 0xe415:
3080 return KEX_ECDHE_ECDSA0x16;
3081 case 0xc033:
3082 case 0xc034:
3083 case 0xc035:
3084 case 0xc036:
3085 case 0xc037:
3086 case 0xc038:
3087 case 0xc039:
3088 case 0xc03a:
3089 case 0xc03b:
3090 case 0xc09a:
3091 case 0xc09b:
3092 case 0xccac:
3093 case 0xe418:
3094 case 0xe419:
3095 case 0xd001:
3096 case 0xd002:
3097 case 0xd003:
3098 case 0xd005:
3099 return KEX_ECDHE_PSK0x17;
3100 case 0xc010:
3101 case 0xc011:
3102 case 0xc012:
3103 case 0xc013:
3104 case 0xc014:
3105 case 0xc027:
3106 case 0xc028:
3107 case 0xc02f:
3108 case 0xc030:
3109 case 0xc076:
3110 case 0xc077:
3111 case 0xc08a:
3112 case 0xc08b:
3113 case 0xcca8:
3114 case 0xe412:
3115 case 0xe413:
3116 return KEX_ECDHE_RSA0x18;
3117 case 0x001e:
3118 case 0x001f:
3119 case 0x0020:
3120 case 0x0021:
3121 case 0x0022:
3122 case 0x0023:
3123 case 0x0024:
3124 case 0x0025:
3125 case 0x0026:
3126 case 0x0027:
3127 case 0x0028:
3128 case 0x0029:
3129 case 0x002a:
3130 case 0x002b:
3131 return KEX_KRB50x1c;
3132 case 0x002c:
3133 case 0x008a:
3134 case 0x008b:
3135 case 0x008c:
3136 case 0x008d:
3137 case 0x00a8:
3138 case 0x00a9:
3139 case 0x00ae:
3140 case 0x00af:
3141 case 0x00b0:
3142 case 0x00b1:
3143 case 0xc064:
3144 case 0xc065:
3145 case 0xc08e:
3146 case 0xc08f:
3147 case 0xc094:
3148 case 0xc095:
3149 case 0xc0a4:
3150 case 0xc0a5:
3151 case 0xc0a8:
3152 case 0xc0a9:
3153 case 0xccab:
3154 case 0xe416:
3155 case 0xe417:
3156 return KEX_PSK0x1d;
3157 case 0x0001:
3158 case 0x0002:
3159 case 0x0003:
3160 case 0x0004:
3161 case 0x0005:
3162 case 0x0006:
3163 case 0x0007:
3164 case 0x0008:
3165 case 0x0009:
3166 case 0x000a:
3167 case 0x002f:
3168 case 0x0035:
3169 case 0x003b:
3170 case 0x003c:
3171 case 0x003d:
3172 case 0x0041:
3173 case 0x0060:
3174 case 0x0061:
3175 case 0x0062:
3176 case 0x0064:
3177 case 0x0084:
3178 case 0x0096:
3179 case 0x009c:
3180 case 0x009d:
3181 case 0x00ba:
3182 case 0x00c0:
3183 case 0xc07a:
3184 case 0xc07b:
3185 case 0xc09c:
3186 case 0xc09d:
3187 case 0xc0a0:
3188 case 0xc0a1:
3189 case 0xe410:
3190 case 0xe411:
3191 case 0xfefe:
3192 case 0xfeff:
3193 case 0xffe0:
3194 case 0xffe1:
3195 return KEX_RSA0x1e;
3196 case 0x002e:
3197 case 0x0092:
3198 case 0x0093:
3199 case 0x0094:
3200 case 0x0095:
3201 case 0x00ac:
3202 case 0x00ad:
3203 case 0x00b6:
3204 case 0x00b7:
3205 case 0x00b8:
3206 case 0x00b9:
3207 case 0xc092:
3208 case 0xc093:
3209 case 0xc098:
3210 case 0xc099:
3211 case 0xccae:
3212 case 0xe41a:
3213 case 0xe41b:
3214 return KEX_RSA_PSK0x1f;
3215 case 0xc01a:
3216 case 0xc01d:
3217 case 0xc020:
3218 return KEX_SRP_SHA0x20;
3219 case 0xc01c:
3220 case 0xc01f:
3221 case 0xc022:
3222 return KEX_SRP_SHA_DSS0x21;
3223 case 0xc01b:
3224 case 0xc01e:
3225 case 0xc021:
3226 return KEX_SRP_SHA_RSA0x22;
3227 case 0xc0ff:
3228 return KEX_ECJPAKE0x24;
3229 case 0xe003:
3230 case 0xe013:
3231 case 0xe053:
3232 return KEX_ECC_SM20x26;
3233 default:
3234 break;
3235 }
3236
3237 return 0;
3238 /* }}} */
3239}
3240
3241static wmem_list_t *connection_id_session_list;
3242
3243void
3244ssl_init_cid_list(void) {
3245 connection_id_session_list = wmem_list_new(wmem_file_scope());
3246}
3247
3248void
3249ssl_cleanup_cid_list(void) {
3250 wmem_destroy_list(connection_id_session_list);
3251}
3252
3253void
3254ssl_add_session_by_cid(SslDecryptSession *session)
3255{
3256 wmem_list_append(connection_id_session_list, session);
3257}
3258
3259SslDecryptSession *
3260ssl_get_session_by_cid(tvbuff_t *tvb, uint32_t offset)
3261{
3262 SslDecryptSession * ssl_cid = NULL((void*)0);
3263 wmem_list_frame_t *it = wmem_list_head(connection_id_session_list);
3264
3265 while (it != NULL((void*)0) && ssl_cid == NULL((void*)0)) {
3266 SslDecryptSession * ssl = (SslDecryptSession *)wmem_list_frame_data(it);
3267 DISSECTOR_ASSERT(ssl != NULL)((void) ((ssl != ((void*)0)) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 3267, "ssl != ((void*)0)"))))
;
3268 SslSession *session = &ssl->session;
3269
3270 if (session->client_cid_len > 0 && tvb_bytes_exist(tvb, offset, session->client_cid_len)) {
3271 if (tvb_memeql(tvb, offset, session->client_cid, session->client_cid_len) == 0) {
3272 ssl_cid = ssl;
3273 }
3274 }
3275
3276 if (session->server_cid_len > 0) {
3277 if (tvb_memeql(tvb, offset, session->server_cid, session->server_cid_len) == 0) {
3278 ssl_cid = ssl;
3279 }
3280 }
3281
3282 it = wmem_list_frame_next(it);
3283 }
3284
3285 return ssl_cid;
3286}
3287
3288/* StringInfo structure (len + data) functions {{{ */
3289
3290int
3291ssl_data_alloc(StringInfo* str, size_t len)
3292{
3293 str->data = (unsigned char *)g_malloc(len);
16
Memory is allocated
3294 /* the allocator can return a null pointer for a size equal to 0,
3295 * and that must be allowed */
3296 if (len
16.1
'len' is > 0
> 0 && !str->data)
17
Assuming field 'data' is non-null
18
Taking false branch
3297 return -1;
3298 str->data_len = (unsigned) len;
3299 return 0;
3300}
3301
3302void
3303ssl_data_set(StringInfo* str, const unsigned char* data, unsigned len)
3304{
3305 DISSECTOR_ASSERT(data)((void) ((data) ? (void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\""
, "epan/dissectors/packet-tls-utils.c", 3305, "data"))))
;
3306 memcpy(str->data, data, len);
3307 str->data_len = len;
3308}
3309
3310static int
3311ssl_data_realloc(StringInfo* str, unsigned len)
3312{
3313 str->data = (unsigned char *)g_realloc(str->data, len);
3314 if (!str->data)
3315 return -1;
3316 str->data_len = len;
3317 return 0;
3318}
3319
3320static StringInfo *
3321ssl_data_clone(StringInfo *str)
3322{
3323 StringInfo *cloned_str;
3324 cloned_str = (StringInfo *) wmem_alloc0(wmem_file_scope(),
3325 sizeof(StringInfo) + str->data_len);
3326 cloned_str->data = (unsigned char *) (cloned_str + 1);
3327 ssl_data_set(cloned_str, str->data, str->data_len);
3328 return cloned_str;
3329}
3330
3331static int
3332ssl_data_copy(StringInfo* dst, StringInfo* src)
3333{
3334 if (dst->data_len < src->data_len) {
3335 if (ssl_data_realloc(dst, src->data_len))
3336 return -1;
3337 }
3338 memcpy(dst->data, src->data, src->data_len);
3339 dst->data_len = src->data_len;
3340 return 0;
3341}
3342
3343/* from_hex converts |hex_len| bytes of hex data from |in| and sets |*out| to
3344 * the result. |out->data| will be allocated using wmem_file_scope. Returns true on
3345 * success. */
3346static bool_Bool from_hex(StringInfo* out, const char* in, size_t hex_len) {
3347 size_t i;
3348
3349 if (hex_len & 1)
3350 return false0;
3351
3352 out->data = (unsigned char *)wmem_alloc(wmem_file_scope(), hex_len / 2);
3353 for (i = 0; i < hex_len / 2; i++) {
3354 int a = ws_xton(in[i*2]);
3355 int b = ws_xton(in[i*2 + 1]);
3356 if (a == -1 || b == -1)
3357 return false0;
3358 out->data[i] = a << 4 | b;
3359 }
3360 out->data_len = (unsigned)hex_len / 2;
3361 return true1;
3362}
3363/* StringInfo structure (len + data) functions }}} */
3364
3365
3366/* libgcrypt wrappers for HMAC/message digest operations {{{ */
3367/* hmac abstraction layer */
3368#define SSL_HMACgcry_md_hd_t gcry_md_hd_t
3369
3370static inline int
3371ssl_hmac_init(SSL_HMACgcry_md_hd_t* md, int algo)
3372{
3373 gcry_error_t err;
3374 const char *err_str, *err_src;
3375
3376 err = gcry_md_open(md,algo, GCRY_MD_FLAG_HMAC);
3377 if (err != 0) {
3378 err_str = gcry_strerror(err);
3379 err_src = gcry_strsource(err);
3380 ssl_debug_printf("ssl_hmac_init(): gcry_md_open failed %s/%s", err_str, err_src);
3381 return -1;
3382 }
3383 return 0;
3384}
3385
3386static inline int
3387ssl_hmac_setkey(SSL_HMACgcry_md_hd_t* md, const void * key, int len)
3388{
3389 gcry_error_t err;
3390 const char *err_str, *err_src;
3391
3392 err = gcry_md_setkey (*(md), key, len);
3393 if (err != 0) {
3394 err_str = gcry_strerror(err);
3395 err_src = gcry_strsource(err);
3396 ssl_debug_printf("ssl_hmac_setkey(): gcry_md_setkey failed %s/%s", err_str, err_src);
3397 return -1;
3398 }
3399 return 0;
3400}
3401
3402static inline int
3403ssl_hmac_reset(SSL_HMACgcry_md_hd_t* md)
3404{
3405 gcry_md_reset(*md);
3406 return 0;
3407}
3408
3409static inline void
3410ssl_hmac_update(SSL_HMACgcry_md_hd_t* md, const void* data, int len)
3411{
3412 gcry_md_write(*(md), data, len);
3413}
3414static inline void
3415ssl_hmac_final(SSL_HMACgcry_md_hd_t* md, unsigned char* data, unsigned* datalen)
3416{
3417 int algo;
3418 unsigned len;
3419
3420 algo = gcry_md_get_algo (*(md));
3421 len = gcry_md_get_algo_dlen(algo);
3422 DISSECTOR_ASSERT(len <= *datalen)((void) ((len <= *datalen) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 3422, "len <= *datalen"))))
;
3423 memcpy(data, gcry_md_read(*(md), algo), len);
3424 *datalen = len;
3425}
3426static inline void
3427ssl_hmac_cleanup(SSL_HMACgcry_md_hd_t* md)
3428{
3429 gcry_md_close(*(md));
3430}
3431
3432/* message digest abstraction layer*/
3433#define SSL_MDgcry_md_hd_t gcry_md_hd_t
3434
3435static inline int
3436ssl_md_init(SSL_MDgcry_md_hd_t* md, int algo)
3437{
3438 gcry_error_t err;
3439 const char *err_str, *err_src;
3440 err = gcry_md_open(md,algo, 0);
3441 if (err != 0) {
3442 err_str = gcry_strerror(err);
3443 err_src = gcry_strsource(err);
3444 ssl_debug_printf("ssl_md_init(): gcry_md_open failed %s/%s", err_str, err_src);
3445 return -1;
3446 }
3447 return 0;
3448}
3449static inline void
3450ssl_md_update(SSL_MDgcry_md_hd_t* md, const unsigned char* data, unsigned len)
3451{
3452 gcry_md_write(*(md), data, len);
3453}
3454static inline void
3455ssl_md_final(SSL_MDgcry_md_hd_t* md, unsigned char* data, unsigned* datalen)
3456{
3457 int algo;
3458 int len;
3459 algo = gcry_md_get_algo (*(md));
3460 len = gcry_md_get_algo_dlen (algo);
3461 memcpy(data, gcry_md_read(*(md), algo), len);
3462 *datalen = len;
3463}
3464static inline void
3465ssl_md_cleanup(SSL_MDgcry_md_hd_t* md)
3466{
3467 gcry_md_close(*(md));
3468}
3469
3470static inline void
3471ssl_md_reset(SSL_MDgcry_md_hd_t* md)
3472{
3473 gcry_md_reset(*md);
3474}
3475
3476/* md5 /sha abstraction layer */
3477#define SSL_SHA_CTXgcry_md_hd_t gcry_md_hd_t
3478#define SSL_MD5_CTXgcry_md_hd_t gcry_md_hd_t
3479
3480static inline int
3481ssl_sha_init(SSL_SHA_CTXgcry_md_hd_t* md)
3482{
3483 gcry_error_t err;
3484 const char *err_str, *err_src;
3485 err = gcry_md_open(md, GCRY_MD_SHA1, 0);
3486 if (err != 0) {
3487 err_str = gcry_strerror(err);
3488 err_src = gcry_strsource(err);
3489 ssl_debug_printf("ssl_sha_init(): gcry_md_open failed %s/%s", err_str, err_src);
3490 return -1;
3491 }
3492 return 0;
3493}
3494static inline void
3495ssl_sha_update(SSL_SHA_CTXgcry_md_hd_t* md, unsigned char* data, int len)
3496{
3497 gcry_md_write(*(md), data, len);
3498}
3499static inline void
3500ssl_sha_final(unsigned char* buf, SSL_SHA_CTXgcry_md_hd_t* md)
3501{
3502 memcpy(buf, gcry_md_read(*(md), GCRY_MD_SHA1),
3503 gcry_md_get_algo_dlen(GCRY_MD_SHA1));
3504}
3505
3506static inline void
3507ssl_sha_reset(SSL_SHA_CTXgcry_md_hd_t* md)
3508{
3509 gcry_md_reset(*md);
3510}
3511
3512static inline void
3513ssl_sha_cleanup(SSL_SHA_CTXgcry_md_hd_t* md)
3514{
3515 gcry_md_close(*(md));
3516}
3517
3518static inline int
3519ssl_md5_init(SSL_MD5_CTXgcry_md_hd_t* md)
3520{
3521 gcry_error_t err;
3522 const char *err_str, *err_src;
3523 err = gcry_md_open(md,GCRY_MD_MD5, 0);
3524 if (err != 0) {
3525 err_str = gcry_strerror(err);
3526 err_src = gcry_strsource(err);
3527 ssl_debug_printf("ssl_md5_init(): gcry_md_open failed %s/%s", err_str, err_src);
3528 return -1;
3529 }
3530 return 0;
3531}
3532static inline void
3533ssl_md5_update(SSL_MD5_CTXgcry_md_hd_t* md, unsigned char* data, int len)
3534{
3535 gcry_md_write(*(md), data, len);
3536}
3537static inline void
3538ssl_md5_final(unsigned char* buf, SSL_MD5_CTXgcry_md_hd_t* md)
3539{
3540 memcpy(buf, gcry_md_read(*(md), GCRY_MD_MD5),
3541 gcry_md_get_algo_dlen(GCRY_MD_MD5));
3542}
3543
3544static inline void
3545ssl_md5_reset(SSL_MD5_CTXgcry_md_hd_t* md)
3546{
3547 gcry_md_reset(*md);
3548}
3549
3550static inline void
3551ssl_md5_cleanup(SSL_MD5_CTXgcry_md_hd_t* md)
3552{
3553 gcry_md_close(*(md));
3554}
3555/* libgcrypt wrappers for HMAC/message digest operations }}} */
3556
3557/* libgcrypt wrappers for Cipher state manipulation {{{ */
3558int
3559ssl_cipher_setiv(SSL_CIPHER_CTXgcry_cipher_hd_t *cipher, unsigned char* iv, int iv_len)
3560{
3561 int ret;
3562#if 0
3563 unsigned char *ivp;
3564 int i;
3565 gcry_cipher_hd_t c;
3566 c=(gcry_cipher_hd_t)*cipher;
3567#endif
3568 ssl_debug_printf("--------------------------------------------------------------------");
3569#if 0
3570 for(ivp=c->iv,i=0; i < iv_len; i++ )
3571 {
3572 ssl_debug_printf("%d ",ivp[i]);
3573 i++;
3574 }
3575#endif
3576 ssl_debug_printf("--------------------------------------------------------------------");
3577 ret = gcry_cipher_setiv(*(cipher), iv, iv_len);
3578#if 0
3579 for(ivp=c->iv,i=0; i < iv_len; i++ )
3580 {
3581 ssl_debug_printf("%d ",ivp[i]);
3582 i++;
3583 }
3584#endif
3585 ssl_debug_printf("--------------------------------------------------------------------");
3586 return ret;
3587}
3588/* stream cipher abstraction layer*/
3589static int
3590ssl_cipher_init(gcry_cipher_hd_t *cipher, int algo, unsigned char* sk,
3591 unsigned char* iv, int mode)
3592{
3593 int gcry_modes[] = {
3594 GCRY_CIPHER_MODE_STREAM,
3595 GCRY_CIPHER_MODE_CBC,
3596 GCRY_CIPHER_MODE_GCM,
3597 GCRY_CIPHER_MODE_CCM,
3598 GCRY_CIPHER_MODE_CCM,
3599 GCRY_CIPHER_MODE_POLY1305,
3600 GCRY_CIPHER_MODE_ECB, /* used for DTLSv1.3 seq number encryption */
3601 };
3602 int err;
3603 if (algo == -1) {
3604 /* NULL mode */
3605 *(cipher) = (gcry_cipher_hd_t)-1;
3606 return 0;
3607 }
3608 err = gcry_cipher_open(cipher, algo, gcry_modes[mode], 0);
3609 if (err !=0)
3610 return -1;
3611 err = gcry_cipher_setkey(*(cipher), sk, gcry_cipher_get_algo_keylen (algo));
3612 if (err != 0)
3613 return -1;
3614 /* AEAD cipher suites will set the nonce later. */
3615 if (mode == MODE_CBC) {
3616 err = gcry_cipher_setiv(*(cipher), iv, gcry_cipher_get_algo_blklen(algo));
3617 if (err != 0)
3618 return -1;
3619 }
3620 return 0;
3621}
3622static inline int
3623ssl_cipher_decrypt(gcry_cipher_hd_t *cipher, unsigned char * out, int outl,
3624 const unsigned char * in, int inl)
3625{
3626 if ((*cipher) == (gcry_cipher_hd_t)-1)
3627 {
3628 if (in && inl)
3629 memcpy(out, in, outl < inl ? outl : inl);
3630 return 0;
3631 }
3632 return gcry_cipher_decrypt ( *(cipher), out, outl, in, inl);
3633}
3634static inline int
3635ssl_get_digest_by_name(const char*name)
3636{
3637 return gcry_md_map_name(name);
3638}
3639static inline int
3640ssl_get_cipher_by_name(const char* name)
3641{
3642 return gcry_cipher_map_name(name);
3643}
3644
3645static inline void
3646ssl_cipher_cleanup(gcry_cipher_hd_t *cipher)
3647{
3648 if ((*cipher) != (gcry_cipher_hd_t)-1)
3649 gcry_cipher_close(*cipher);
3650 *cipher = NULL((void*)0);
3651}
3652/* }}} */
3653
3654/* Digests, Ciphers and Cipher Suites registry {{{ */
3655static const SslDigestAlgo digests[]={
3656 {"MD5", 16},
3657 {"SHA1", 20},
3658 {"SHA256", 32},
3659 {"SHA384", 48},
3660 {"SM3", 32},
3661 {"Not Applicable", 0},
3662};
3663
3664#define DIGEST_MAX_SIZE48 48
3665
3666/* get index digest index */
3667static const SslDigestAlgo *
3668ssl_cipher_suite_dig(const SslCipherSuite *cs) {
3669 if (!cs || cs->dig < DIG_MD50x40 || cs->dig > DIG_NA0x45) {
3670 return &digests[DIG_NA0x45 - DIG_MD50x40];
3671 }
3672 return &digests[cs->dig - DIG_MD50x40];
3673}
3674
3675static const char *ciphers[]={
3676 "DES",
3677 "3DES",
3678 "ARCFOUR", /* libgcrypt does not support rc4, but this should be 100% compatible*/
3679 "RFC2268_128", /* libgcrypt name for RC2 with a 128-bit key */
3680 "IDEA",
3681 "AES",
3682 "AES256",
3683 "CAMELLIA128",
3684 "CAMELLIA256",
3685 "SEED",
3686 "CHACHA20", /* since Libgcrypt 1.7.0 */
3687 "SM1",
3688 "SM4",
3689 "*UNKNOWN*"
3690};
3691
3692static const SslCipherSuite cipher_suites[]={
3693 {0x0001,KEX_RSA0x1e, ENC_NULL0x3D, DIG_MD50x40, MODE_STREAM}, /* TLS_RSA_WITH_NULL_MD5 */
3694 {0x0002,KEX_RSA0x1e, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_RSA_WITH_NULL_SHA */
3695 {0x0003,KEX_RSA0x1e, ENC_RC40x32, DIG_MD50x40, MODE_STREAM}, /* TLS_RSA_EXPORT_WITH_RC4_40_MD5 */
3696 {0x0004,KEX_RSA0x1e, ENC_RC40x32, DIG_MD50x40, MODE_STREAM}, /* TLS_RSA_WITH_RC4_128_MD5 */
3697 {0x0005,KEX_RSA0x1e, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_RSA_WITH_RC4_128_SHA */
3698 {0x0006,KEX_RSA0x1e, ENC_RC20x33, DIG_MD50x40, MODE_CBC }, /* TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 */
3699 {0x0007,KEX_RSA0x1e, ENC_IDEA0x34, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_IDEA_CBC_SHA */
3700 {0x0008,KEX_RSA0x1e, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_EXPORT_WITH_DES40_CBC_SHA */
3701 {0x0009,KEX_RSA0x1e, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_DES_CBC_SHA */
3702 {0x000A,KEX_RSA0x1e, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_3DES_EDE_CBC_SHA */
3703 {0x000B,KEX_DH_DSS0x14, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA */
3704 {0x000C,KEX_DH_DSS0x14, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_DES_CBC_SHA */
3705 {0x000D,KEX_DH_DSS0x14, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA */
3706 {0x000E,KEX_DH_RSA0x15, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA */
3707 {0x000F,KEX_DH_RSA0x15, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_DES_CBC_SHA */
3708 {0x0010,KEX_DH_RSA0x15, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA */
3709 {0x0011,KEX_DHE_DSS0x10, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA */
3710 {0x0012,KEX_DHE_DSS0x10, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_DES_CBC_SHA */
3711 {0x0013,KEX_DHE_DSS0x10, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA */
3712 {0x0014,KEX_DHE_RSA0x12, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA */
3713 {0x0015,KEX_DHE_RSA0x12, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_DES_CBC_SHA */
3714 {0x0016,KEX_DHE_RSA0x12, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA */
3715 {0x0017,KEX_DH_ANON0x13, ENC_RC40x32, DIG_MD50x40, MODE_STREAM}, /* TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 */
3716 {0x0018,KEX_DH_ANON0x13, ENC_RC40x32, DIG_MD50x40, MODE_STREAM}, /* TLS_DH_anon_WITH_RC4_128_MD5 */
3717 {0x0019,KEX_DH_ANON0x13, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA */
3718 {0x001A,KEX_DH_ANON0x13, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_DES_CBC_SHA */
3719 {0x001B,KEX_DH_ANON0x13, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_3DES_EDE_CBC_SHA */
3720 {0x002C,KEX_PSK0x1d, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_PSK_WITH_NULL_SHA */
3721 {0x002D,KEX_DHE_PSK0x11, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_DHE_PSK_WITH_NULL_SHA */
3722 {0x002E,KEX_RSA_PSK0x1f, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_RSA_PSK_WITH_NULL_SHA */
3723 {0x002F,KEX_RSA0x1e, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_AES_128_CBC_SHA */
3724 {0x0030,KEX_DH_DSS0x14, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_AES_128_CBC_SHA */
3725 {0x0031,KEX_DH_RSA0x15, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_AES_128_CBC_SHA */
3726 {0x0032,KEX_DHE_DSS0x10, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_AES_128_CBC_SHA */
3727 {0x0033,KEX_DHE_RSA0x12, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_AES_128_CBC_SHA */
3728 {0x0034,KEX_DH_ANON0x13, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_AES_128_CBC_SHA */
3729 {0x0035,KEX_RSA0x1e, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_AES_256_CBC_SHA */
3730 {0x0036,KEX_DH_DSS0x14, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_AES_256_CBC_SHA */
3731 {0x0037,KEX_DH_RSA0x15, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_AES_256_CBC_SHA */
3732 {0x0038,KEX_DHE_DSS0x10, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_AES_256_CBC_SHA */
3733 {0x0039,KEX_DHE_RSA0x12, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_AES_256_CBC_SHA */
3734 {0x003A,KEX_DH_ANON0x13, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_AES_256_CBC_SHA */
3735 {0x003B,KEX_RSA0x1e, ENC_NULL0x3D, DIG_SHA2560x42, MODE_STREAM}, /* TLS_RSA_WITH_NULL_SHA256 */
3736 {0x003C,KEX_RSA0x1e, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_RSA_WITH_AES_128_CBC_SHA256 */
3737 {0x003D,KEX_RSA0x1e, ENC_AES2560x36, DIG_SHA2560x42, MODE_CBC }, /* TLS_RSA_WITH_AES_256_CBC_SHA256 */
3738 {0x003E,KEX_DH_DSS0x14, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_DSS_WITH_AES_128_CBC_SHA256 */
3739 {0x003F,KEX_DH_RSA0x15, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_RSA_WITH_AES_128_CBC_SHA256 */
3740 {0x0040,KEX_DHE_DSS0x10, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 */
3741 {0x0041,KEX_RSA0x1e, ENC_CAMELLIA1280x37,DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_CAMELLIA_128_CBC_SHA */
3742 {0x0042,KEX_DH_DSS0x14, ENC_CAMELLIA1280x37,DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA */
3743 {0x0043,KEX_DH_RSA0x15, ENC_CAMELLIA1280x37,DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA */
3744 {0x0044,KEX_DHE_DSS0x10, ENC_CAMELLIA1280x37,DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA */
3745 {0x0045,KEX_DHE_RSA0x12, ENC_CAMELLIA1280x37,DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA */
3746 {0x0046,KEX_DH_ANON0x13, ENC_CAMELLIA1280x37,DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA */
3747 {0x0060,KEX_RSA0x1e, ENC_RC40x32, DIG_MD50x40, MODE_STREAM}, /* TLS_RSA_EXPORT1024_WITH_RC4_56_MD5 */
3748 {0x0061,KEX_RSA0x1e, ENC_RC20x33, DIG_MD50x40, MODE_STREAM}, /* TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 */
3749 {0x0062,KEX_RSA0x1e, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA */
3750 {0x0063,KEX_DHE_DSS0x10, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA */
3751 {0x0064,KEX_RSA0x1e, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_RSA_EXPORT1024_WITH_RC4_56_SHA */
3752 {0x0065,KEX_DHE_DSS0x10, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA */
3753 {0x0066,KEX_DHE_DSS0x10, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_DHE_DSS_WITH_RC4_128_SHA */
3754 {0x0067,KEX_DHE_RSA0x12, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 */
3755 {0x0068,KEX_DH_DSS0x14, ENC_AES2560x36, DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_DSS_WITH_AES_256_CBC_SHA256 */
3756 {0x0069,KEX_DH_RSA0x15, ENC_AES2560x36, DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_RSA_WITH_AES_256_CBC_SHA256 */
3757 {0x006A,KEX_DHE_DSS0x10, ENC_AES2560x36, DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 */
3758 {0x006B,KEX_DHE_RSA0x12, ENC_AES2560x36, DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 */
3759 {0x006C,KEX_DH_ANON0x13, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_anon_WITH_AES_128_CBC_SHA256 */
3760 {0x006D,KEX_DH_ANON0x13, ENC_AES2560x36, DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_anon_WITH_AES_256_CBC_SHA256 */
3761 {0x0084,KEX_RSA0x1e, ENC_CAMELLIA2560x38,DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_CAMELLIA_256_CBC_SHA */
3762 {0x0085,KEX_DH_DSS0x14, ENC_CAMELLIA2560x38,DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA */
3763 {0x0086,KEX_DH_RSA0x15, ENC_CAMELLIA2560x38,DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA */
3764 {0x0087,KEX_DHE_DSS0x10, ENC_CAMELLIA2560x38,DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA */
3765 {0x0088,KEX_DHE_RSA0x12, ENC_CAMELLIA2560x38,DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA */
3766 {0x0089,KEX_DH_ANON0x13, ENC_CAMELLIA2560x38,DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA */
3767 {0x008A,KEX_PSK0x1d, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_PSK_WITH_RC4_128_SHA */
3768 {0x008B,KEX_PSK0x1d, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_PSK_WITH_3DES_EDE_CBC_SHA */
3769 {0x008C,KEX_PSK0x1d, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_PSK_WITH_AES_128_CBC_SHA */
3770 {0x008D,KEX_PSK0x1d, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_PSK_WITH_AES_256_CBC_SHA */
3771 {0x008E,KEX_DHE_PSK0x11, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_DHE_PSK_WITH_RC4_128_SHA */
3772 {0x008F,KEX_DHE_PSK0x11, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA */
3773 {0x0090,KEX_DHE_PSK0x11, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_PSK_WITH_AES_128_CBC_SHA */
3774 {0x0091,KEX_DHE_PSK0x11, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_PSK_WITH_AES_256_CBC_SHA */
3775 {0x0092,KEX_RSA_PSK0x1f, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_RSA_PSK_WITH_RC4_128_SHA */
3776 {0x0093,KEX_RSA_PSK0x1f, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA */
3777 {0x0094,KEX_RSA_PSK0x1f, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_PSK_WITH_AES_128_CBC_SHA */
3778 {0x0095,KEX_RSA_PSK0x1f, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_PSK_WITH_AES_256_CBC_SHA */
3779 {0x0096,KEX_RSA0x1e, ENC_SEED0x39, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_SEED_CBC_SHA */
3780 {0x0097,KEX_DH_DSS0x14, ENC_SEED0x39, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_SEED_CBC_SHA */
3781 {0x0098,KEX_DH_RSA0x15, ENC_SEED0x39, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_SEED_CBC_SHA */
3782 {0x0099,KEX_DHE_DSS0x10, ENC_SEED0x39, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_SEED_CBC_SHA */
3783 {0x009A,KEX_DHE_RSA0x12, ENC_SEED0x39, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_SEED_CBC_SHA */
3784 {0x009B,KEX_DH_ANON0x13, ENC_SEED0x39, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_SEED_CBC_SHA */
3785 {0x009C,KEX_RSA0x1e, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_RSA_WITH_AES_128_GCM_SHA256 */
3786 {0x009D,KEX_RSA0x1e, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_RSA_WITH_AES_256_GCM_SHA384 */
3787 {0x009E,KEX_DHE_RSA0x12, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 */
3788 {0x009F,KEX_DHE_RSA0x12, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 */
3789 {0x00A0,KEX_DH_RSA0x15, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_DH_RSA_WITH_AES_128_GCM_SHA256 */
3790 {0x00A1,KEX_DH_RSA0x15, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_DH_RSA_WITH_AES_256_GCM_SHA384 */
3791 {0x00A2,KEX_DHE_DSS0x10, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 */
3792 {0x00A3,KEX_DHE_DSS0x10, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 */
3793 {0x00A4,KEX_DH_DSS0x14, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_DH_DSS_WITH_AES_128_GCM_SHA256 */
3794 {0x00A5,KEX_DH_DSS0x14, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_DH_DSS_WITH_AES_256_GCM_SHA384 */
3795 {0x00A6,KEX_DH_ANON0x13, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_DH_anon_WITH_AES_128_GCM_SHA256 */
3796 {0x00A7,KEX_DH_ANON0x13, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_DH_anon_WITH_AES_256_GCM_SHA384 */
3797 {0x00A8,KEX_PSK0x1d, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_PSK_WITH_AES_128_GCM_SHA256 */
3798 {0x00A9,KEX_PSK0x1d, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_PSK_WITH_AES_256_GCM_SHA384 */
3799 {0x00AA,KEX_DHE_PSK0x11, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 */
3800 {0x00AB,KEX_DHE_PSK0x11, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 */
3801 {0x00AC,KEX_RSA_PSK0x1f, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 */
3802 {0x00AD,KEX_RSA_PSK0x1f, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 */
3803 {0x00AE,KEX_PSK0x1d, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_PSK_WITH_AES_128_CBC_SHA256 */
3804 {0x00AF,KEX_PSK0x1d, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_PSK_WITH_AES_256_CBC_SHA384 */
3805 {0x00B0,KEX_PSK0x1d, ENC_NULL0x3D, DIG_SHA2560x42, MODE_STREAM}, /* TLS_PSK_WITH_NULL_SHA256 */
3806 {0x00B1,KEX_PSK0x1d, ENC_NULL0x3D, DIG_SHA3840x43, MODE_STREAM}, /* TLS_PSK_WITH_NULL_SHA384 */
3807 {0x00B2,KEX_DHE_PSK0x11, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 */
3808 {0x00B3,KEX_DHE_PSK0x11, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 */
3809 {0x00B4,KEX_DHE_PSK0x11, ENC_NULL0x3D, DIG_SHA2560x42, MODE_STREAM}, /* TLS_DHE_PSK_WITH_NULL_SHA256 */
3810 {0x00B5,KEX_DHE_PSK0x11, ENC_NULL0x3D, DIG_SHA3840x43, MODE_STREAM}, /* TLS_DHE_PSK_WITH_NULL_SHA384 */
3811 {0x00B6,KEX_RSA_PSK0x1f, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 */
3812 {0x00B7,KEX_RSA_PSK0x1f, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 */
3813 {0x00B8,KEX_RSA_PSK0x1f, ENC_NULL0x3D, DIG_SHA2560x42, MODE_STREAM}, /* TLS_RSA_PSK_WITH_NULL_SHA256 */
3814 {0x00B9,KEX_RSA_PSK0x1f, ENC_NULL0x3D, DIG_SHA3840x43, MODE_STREAM}, /* TLS_RSA_PSK_WITH_NULL_SHA384 */
3815 {0x00BA,KEX_RSA0x1e, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 */
3816 {0x00BB,KEX_DH_DSS0x14, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256 */
3817 {0x00BC,KEX_DH_RSA0x15, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256 */
3818 {0x00BD,KEX_DHE_DSS0x10, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256 */
3819 {0x00BE,KEX_DHE_RSA0x12, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 */
3820 {0x00BF,KEX_DH_ANON0x13, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256 */
3821 {0x00C0,KEX_RSA0x1e, ENC_CAMELLIA2560x38,DIG_SHA2560x42, MODE_CBC }, /* TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 */
3822 {0x00C1,KEX_DH_DSS0x14, ENC_CAMELLIA2560x38,DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256 */
3823 {0x00C2,KEX_DH_RSA0x15, ENC_CAMELLIA2560x38,DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256 */
3824 {0x00C3,KEX_DHE_DSS0x10, ENC_CAMELLIA2560x38,DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256 */
3825 {0x00C4,KEX_DHE_RSA0x12, ENC_CAMELLIA2560x38,DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 */
3826 {0x00C5,KEX_DH_ANON0x13, ENC_CAMELLIA2560x38,DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256 */
3827
3828 /* NOTE: TLS 1.3 cipher suites are incompatible with TLS 1.2. */
3829 {0x1301,KEX_TLS130x23, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_AES_128_GCM_SHA256 */
3830 {0x1302,KEX_TLS130x23, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_AES_256_GCM_SHA384 */
3831 {0x1303,KEX_TLS130x23, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_CHACHA20_POLY1305_SHA256 */
3832 {0x1304,KEX_TLS130x23, ENC_AES0x35, DIG_SHA2560x42, MODE_CCM }, /* TLS_AES_128_CCM_SHA256 */
3833 {0x1305,KEX_TLS130x23, ENC_AES0x35, DIG_SHA2560x42, MODE_CCM_8 }, /* TLS_AES_128_CCM_8_SHA256 */
3834 {0x00C6,KEX_TLS130x23, ENC_SM40x3C, DIG_SM30x44, MODE_GCM }, /* TLS_SM4_GCM_SM3 */
3835
3836 {0xC001,KEX_ECDH_ECDSA0x1a, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDH_ECDSA_WITH_NULL_SHA */
3837 {0xC002,KEX_ECDH_ECDSA0x1a, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDH_ECDSA_WITH_RC4_128_SHA */
3838 {0xC003,KEX_ECDH_ECDSA0x1a, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA */
3839 {0xC004,KEX_ECDH_ECDSA0x1a, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA */
3840 {0xC005,KEX_ECDH_ECDSA0x1a, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA */
3841 {0xC006,KEX_ECDHE_ECDSA0x16, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDHE_ECDSA_WITH_NULL_SHA */
3842 {0xC007,KEX_ECDHE_ECDSA0x16, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDHE_ECDSA_WITH_RC4_128_SHA */
3843 {0xC008,KEX_ECDHE_ECDSA0x16, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA */
3844 {0xC009,KEX_ECDHE_ECDSA0x16, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA */
3845 {0xC00A,KEX_ECDHE_ECDSA0x16, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA */
3846 {0xC00B,KEX_ECDH_RSA0x1b, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDH_RSA_WITH_NULL_SHA */
3847 {0xC00C,KEX_ECDH_RSA0x1b, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDH_RSA_WITH_RC4_128_SHA */
3848 {0xC00D,KEX_ECDH_RSA0x1b, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA */
3849 {0xC00E,KEX_ECDH_RSA0x1b, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_RSA_WITH_AES_128_CBC_SHA */
3850 {0xC00F,KEX_ECDH_RSA0x1b, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_RSA_WITH_AES_256_CBC_SHA */
3851 {0xC0FF,KEX_ECJPAKE0x24, ENC_AES0x35, DIG_NA0x45, MODE_CCM_8 }, /* TLS_ECJPAKE_WITH_AES_128_CCM_8 */
3852 {0xC010,KEX_ECDHE_RSA0x18, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDHE_RSA_WITH_NULL_SHA */
3853 {0xC011,KEX_ECDHE_RSA0x18, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDHE_RSA_WITH_RC4_128_SHA */
3854 {0xC012,KEX_ECDHE_RSA0x18, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA */
3855 {0xC013,KEX_ECDHE_RSA0x18, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA */
3856 {0xC014,KEX_ECDHE_RSA0x18, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA */
3857 {0xC015,KEX_ECDH_ANON0x19, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDH_anon_WITH_NULL_SHA */
3858 {0xC016,KEX_ECDH_ANON0x19, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDH_anon_WITH_RC4_128_SHA */
3859 {0xC017,KEX_ECDH_ANON0x19, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA */
3860 {0xC018,KEX_ECDH_ANON0x19, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_anon_WITH_AES_128_CBC_SHA */
3861 {0xC019,KEX_ECDH_ANON0x19, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_anon_WITH_AES_256_CBC_SHA */
3862 {0xC01A,KEX_SRP_SHA0x20, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA */
3863 {0xC01B,KEX_SRP_SHA_RSA0x22, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA */
3864 {0xC01C,KEX_SRP_SHA_DSS0x21, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA */
3865 {0xC01D,KEX_SRP_SHA0x20, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_WITH_AES_128_CBC_SHA */
3866 {0xC01E,KEX_SRP_SHA_RSA0x22, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA */
3867 {0xC01F,KEX_SRP_SHA_DSS0x21, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA */
3868 {0xC020,KEX_SRP_SHA0x20, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_WITH_AES_256_CBC_SHA */
3869 {0xC021,KEX_SRP_SHA_RSA0x22, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA */
3870 {0xC022,KEX_SRP_SHA_DSS0x21, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA */
3871 {0xC023,KEX_ECDHE_ECDSA0x16, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 */
3872 {0xC024,KEX_ECDHE_ECDSA0x16, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 */
3873 {0xC025,KEX_ECDH_ECDSA0x1a, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 */
3874 {0xC026,KEX_ECDH_ECDSA0x1a, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 */
3875 {0xC027,KEX_ECDHE_RSA0x18, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 */
3876 {0xC028,KEX_ECDHE_RSA0x18, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 */
3877 {0xC029,KEX_ECDH_RSA0x1b, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 */
3878 {0xC02A,KEX_ECDH_RSA0x1b, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 */
3879 {0xC02B,KEX_ECDHE_ECDSA0x16, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 */
3880 {0xC02C,KEX_ECDHE_ECDSA0x16, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 */
3881 {0xC02D,KEX_ECDH_ECDSA0x1a, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 */
3882 {0xC02E,KEX_ECDH_ECDSA0x1a, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 */
3883 {0xC02F,KEX_ECDHE_RSA0x18, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 */
3884 {0xC030,KEX_ECDHE_RSA0x18, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 */
3885 {0xC031,KEX_ECDH_RSA0x1b, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 */
3886 {0xC032,KEX_ECDH_RSA0x1b, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 */
3887 {0xC033,KEX_ECDHE_PSK0x17, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDHE_PSK_WITH_RC4_128_SHA */
3888 {0xC034,KEX_ECDHE_PSK0x17, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA */
3889 {0xC035,KEX_ECDHE_PSK0x17, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA */
3890 {0xC036,KEX_ECDHE_PSK0x17, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA */
3891 {0xC037,KEX_ECDHE_PSK0x17, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 */
3892 {0xC038,KEX_ECDHE_PSK0x17, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 */
3893 {0xC039,KEX_ECDHE_PSK0x17, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDHE_PSK_WITH_NULL_SHA */
3894 {0xC03A,KEX_ECDHE_PSK0x17, ENC_NULL0x3D, DIG_SHA2560x42, MODE_STREAM}, /* TLS_ECDHE_PSK_WITH_NULL_SHA256 */
3895 {0xC03B,KEX_ECDHE_PSK0x17, ENC_NULL0x3D, DIG_SHA3840x43, MODE_STREAM}, /* TLS_ECDHE_PSK_WITH_NULL_SHA384 */
3896 {0xC072,KEX_ECDHE_ECDSA0x16, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 */
3897 {0xC073,KEX_ECDHE_ECDSA0x16, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 */
3898 {0xC074,KEX_ECDH_ECDSA0x1a, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 */
3899 {0xC075,KEX_ECDH_ECDSA0x1a, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 */
3900 {0xC076,KEX_ECDHE_RSA0x18, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 */
3901 {0xC077,KEX_ECDHE_RSA0x18, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 */
3902 {0xC078,KEX_ECDH_RSA0x1b, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256 */
3903 {0xC079,KEX_ECDH_RSA0x1b, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384 */
3904 {0xC07A,KEX_RSA0x1e, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256 */
3905 {0xC07B,KEX_RSA0x1e, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384 */
3906 {0xC07C,KEX_DHE_RSA0x12, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 */
3907 {0xC07D,KEX_DHE_RSA0x12, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 */
3908 {0xC07E,KEX_DH_RSA0x15, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256 */
3909 {0xC07F,KEX_DH_RSA0x15, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384 */
3910 {0xC080,KEX_DHE_DSS0x10, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256 */
3911 {0xC081,KEX_DHE_DSS0x10, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384 */
3912 {0xC082,KEX_DH_DSS0x14, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256 */
3913 {0xC083,KEX_DH_DSS0x14, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384 */
3914 {0xC084,KEX_DH_ANON0x13, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256 */
3915 {0xC085,KEX_DH_ANON0x13, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384 */
3916 {0xC086,KEX_ECDHE_ECDSA0x16, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 */
3917 {0xC087,KEX_ECDHE_ECDSA0x16, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 */
3918 {0xC088,KEX_ECDH_ECDSA0x1a, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 */
3919 {0xC089,KEX_ECDH_ECDSA0x1a, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 */
3920 {0xC08A,KEX_ECDHE_RSA0x18, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 */
3921 {0xC08B,KEX_ECDHE_RSA0x18, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 */
3922 {0xC08C,KEX_ECDH_RSA0x1b, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256 */
3923 {0xC08D,KEX_ECDH_RSA0x1b, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384 */
3924 {0xC08E,KEX_PSK0x1d, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 */
3925 {0xC08F,KEX_PSK0x1d, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384 */
3926 {0xC090,KEX_DHE_PSK0x11, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256 */
3927 {0xC091,KEX_DHE_PSK0x11, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384 */
3928 {0xC092,KEX_RSA_PSK0x1f, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256 */
3929 {0xC093,KEX_RSA_PSK0x1f, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384 */
3930 {0xC094,KEX_PSK0x1d, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 */
3931 {0xC095,KEX_PSK0x1d, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384 */
3932 {0xC096,KEX_DHE_PSK0x11, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 */
3933 {0xC097,KEX_DHE_PSK0x11, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 */
3934 {0xC098,KEX_RSA_PSK0x1f, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256 */
3935 {0xC099,KEX_RSA_PSK0x1f, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384 */
3936 {0xC09A,KEX_ECDHE_PSK0x17, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 */
3937 {0xC09B,KEX_ECDHE_PSK0x17, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 */
3938 {0xC09C,KEX_RSA0x1e, ENC_AES0x35, DIG_NA0x45, MODE_CCM }, /* TLS_RSA_WITH_AES_128_CCM */
3939 {0xC09D,KEX_RSA0x1e, ENC_AES2560x36, DIG_NA0x45, MODE_CCM }, /* TLS_RSA_WITH_AES_256_CCM */
3940 {0xC09E,KEX_DHE_RSA0x12, ENC_AES0x35, DIG_NA0x45, MODE_CCM }, /* TLS_DHE_RSA_WITH_AES_128_CCM */
3941 {0xC09F,KEX_DHE_RSA0x12, ENC_AES2560x36, DIG_NA0x45, MODE_CCM }, /* TLS_DHE_RSA_WITH_AES_256_CCM */
3942 {0xC0A0,KEX_RSA0x1e, ENC_AES0x35, DIG_NA0x45, MODE_CCM_8 }, /* TLS_RSA_WITH_AES_128_CCM_8 */
3943 {0xC0A1,KEX_RSA0x1e, ENC_AES2560x36, DIG_NA0x45, MODE_CCM_8 }, /* TLS_RSA_WITH_AES_256_CCM_8 */
3944 {0xC0A2,KEX_DHE_RSA0x12, ENC_AES0x35, DIG_NA0x45, MODE_CCM_8 }, /* TLS_DHE_RSA_WITH_AES_128_CCM_8 */
3945 {0xC0A3,KEX_DHE_RSA0x12, ENC_AES2560x36, DIG_NA0x45, MODE_CCM_8 }, /* TLS_DHE_RSA_WITH_AES_256_CCM_8 */
3946 {0xC0A4,KEX_PSK0x1d, ENC_AES0x35, DIG_NA0x45, MODE_CCM }, /* TLS_PSK_WITH_AES_128_CCM */
3947 {0xC0A5,KEX_PSK0x1d, ENC_AES2560x36, DIG_NA0x45, MODE_CCM }, /* TLS_PSK_WITH_AES_256_CCM */
3948 {0xC0A6,KEX_DHE_PSK0x11, ENC_AES0x35, DIG_NA0x45, MODE_CCM }, /* TLS_DHE_PSK_WITH_AES_128_CCM */
3949 {0xC0A7,KEX_DHE_PSK0x11, ENC_AES2560x36, DIG_NA0x45, MODE_CCM }, /* TLS_DHE_PSK_WITH_AES_256_CCM */
3950 {0xC0A8,KEX_PSK0x1d, ENC_AES0x35, DIG_NA0x45, MODE_CCM_8 }, /* TLS_PSK_WITH_AES_128_CCM_8 */
3951 {0xC0A9,KEX_PSK0x1d, ENC_AES2560x36, DIG_NA0x45, MODE_CCM_8 }, /* TLS_PSK_WITH_AES_256_CCM_8 */
3952 {0xC0AA,KEX_DHE_PSK0x11, ENC_AES0x35, DIG_NA0x45, MODE_CCM_8 }, /* TLS_PSK_DHE_WITH_AES_128_CCM_8 */
3953 {0xC0AB,KEX_DHE_PSK0x11, ENC_AES2560x36, DIG_NA0x45, MODE_CCM_8 }, /* TLS_PSK_DHE_WITH_AES_256_CCM_8 */
3954 {0xC0AC,KEX_ECDHE_ECDSA0x16, ENC_AES0x35, DIG_NA0x45, MODE_CCM }, /* TLS_ECDHE_ECDSA_WITH_AES_128_CCM */
3955 {0xC0AD,KEX_ECDHE_ECDSA0x16, ENC_AES2560x36, DIG_NA0x45, MODE_CCM }, /* TLS_ECDHE_ECDSA_WITH_AES_256_CCM */
3956 {0xC0AE,KEX_ECDHE_ECDSA0x16, ENC_AES0x35, DIG_NA0x45, MODE_CCM_8 }, /* TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 */
3957 {0xC0AF,KEX_ECDHE_ECDSA0x16, ENC_AES2560x36, DIG_NA0x45, MODE_CCM_8 }, /* TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 */
3958 {0xCCA8,KEX_ECDHE_RSA0x18, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 */
3959 {0xCCA9,KEX_ECDHE_ECDSA0x16, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 */
3960 {0xCCAA,KEX_DHE_RSA0x12, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 */
3961 {0xCCAB,KEX_PSK0x1d, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_PSK_WITH_CHACHA20_POLY1305_SHA256 */
3962 {0xCCAC,KEX_ECDHE_PSK0x17, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 */
3963 {0xCCAD,KEX_DHE_PSK0x11, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 */
3964 {0xCCAE,KEX_RSA_PSK0x1f, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256 */
3965 {0xD001,KEX_ECDHE_PSK0x17, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM}, /* TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 */
3966 {0xD002,KEX_ECDHE_PSK0x17, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM}, /* TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384 */
3967 {0xD003,KEX_ECDHE_PSK0x17, ENC_AES0x35, DIG_SHA2560x42, MODE_CCM_8}, /* TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256 */
3968 {0xD005,KEX_ECDHE_PSK0x17, ENC_AES0x35, DIG_SHA2560x42, MODE_CCM}, /* TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256 */
3969 /* GM */
3970 {0xe001,KEX_ECDHE_SM20x25, ENC_SM10x3B, DIG_SM30x44, MODE_CBC}, /* ECDHE_SM1_SM3 */
3971 {0xe003,KEX_ECC_SM20x26, ENC_SM10x3B, DIG_SM30x44, MODE_CBC}, /* ECC_SM1_SM3 */
3972 {0xe005,KEX_IBSDH_SM90x27, ENC_SM10x3B, DIG_SM30x44, MODE_CBC}, /* IBSDH_SM1_SM3 */
3973 {0xe007,KEX_IBC_SM90x28, ENC_SM10x3B, DIG_SM30x44, MODE_CBC}, /* IBC_SM1_SM3 */
3974 {0xe009,KEX_RSA0x1e, ENC_SM10x3B, DIG_SM30x44, MODE_CBC}, /* RSA_SM1_SM3 */
3975 {0xe00a,KEX_RSA0x1e, ENC_SM10x3B, DIG_SHA0x41, MODE_CBC}, /* RSA_SM1_SHA1 */
3976 {0xe011,KEX_ECDHE_SM20x25, ENC_SM40x3C, DIG_SM30x44, MODE_CBC}, /* ECDHE_SM4_CBC_SM3 */
3977 {0xe013,KEX_ECC_SM20x26, ENC_SM40x3C, DIG_SM30x44, MODE_CBC}, /* ECC_SM4_CBC_SM3 */
3978 {0xe015,KEX_IBSDH_SM90x27, ENC_SM40x3C, DIG_SM30x44, MODE_CBC}, /* IBSDH_SM4_CBC_SM3 */
3979 {0xe017,KEX_IBC_SM90x28, ENC_SM40x3C, DIG_SM30x44, MODE_CBC}, /* IBC_SM4_CBC_SM3 */
3980 {0xe019,KEX_RSA0x1e, ENC_SM40x3C, DIG_SM30x44, MODE_CBC}, /* RSA_SM4_CBC_SM3 */
3981 {0xe01a,KEX_RSA0x1e, ENC_SM40x3C, DIG_SHA0x41, MODE_CBC}, /* RSA_SM4_CBC_SHA1 */
3982 {0xe01c,KEX_RSA0x1e, ENC_SM40x3C, DIG_SHA2560x42, MODE_CBC}, /* RSA_SM4_CBC_SHA256 */
3983 {0xe051,KEX_ECDHE_SM20x25, ENC_SM40x3C, DIG_SM30x44, MODE_GCM}, /* ECDHE_SM4_GCM_SM3 */
3984 {0xe053,KEX_ECC_SM20x26, ENC_SM40x3C, DIG_SM30x44, MODE_GCM}, /* ECC_SM4_GCM_SM3 */
3985 {0xe055,KEX_IBSDH_SM90x27, ENC_SM40x3C, DIG_SM30x44, MODE_GCM}, /* IBSDH_SM4_GCM_SM3 */
3986 {0xe057,KEX_IBC_SM90x28, ENC_SM40x3C, DIG_SM30x44, MODE_GCM}, /* IBC_SM4_GCM_SM3 */
3987 {0xe059,KEX_RSA0x1e, ENC_SM40x3C, DIG_SM30x44, MODE_GCM}, /* RSA_SM4_GCM_SM3 */
3988 {0xe05a,KEX_RSA0x1e, ENC_SM40x3C, DIG_SHA2560x42, MODE_GCM}, /* RSA_SM4_GCM_SHA256 */
3989 {-1, 0, 0, 0, MODE_STREAM}
3990};
3991
3992#define MAX_BLOCK_SIZE16 16
3993#define MAX_KEY_SIZE32 32
3994
3995const SslCipherSuite *
3996ssl_find_cipher(int num)
3997{
3998 const SslCipherSuite *c;
3999 for(c=cipher_suites;c->number!=-1;c++){
4000 if(c->number==num){
4001 return c;
4002 }
4003 }
4004
4005 return NULL((void*)0);
4006}
4007
4008int
4009ssl_get_cipher_algo(const SslCipherSuite *cipher_suite)
4010{
4011 return gcry_cipher_map_name(ciphers[cipher_suite->enc - ENC_START0x30]);
4012}
4013
4014unsigned
4015ssl_get_cipher_blocksize(const SslCipherSuite *cipher_suite)
4016{
4017 int cipher_algo;
4018 if (cipher_suite->mode != MODE_CBC) return 0;
4019 cipher_algo = ssl_get_cipher_by_name(ciphers[cipher_suite->enc - ENC_START0x30]);
4020 return (unsigned)gcry_cipher_get_algo_blklen(cipher_algo);
4021}
4022
4023static unsigned
4024ssl_get_cipher_export_keymat_size(int cipher_suite_num)
4025{
4026 switch (cipher_suite_num) {
4027 /* See RFC 6101 (SSL 3.0), Table 2, column Key Material. */
4028 case 0x0003: /* TLS_RSA_EXPORT_WITH_RC4_40_MD5 */
4029 case 0x0006: /* TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 */
4030 case 0x0008: /* TLS_RSA_EXPORT_WITH_DES40_CBC_SHA */
4031 case 0x000B: /* TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA */
4032 case 0x000E: /* TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA */
4033 case 0x0011: /* TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA */
4034 case 0x0014: /* TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA */
4035 case 0x0017: /* TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 */
4036 case 0x0019: /* TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA */
4037 return 5;
4038
4039 /* not defined in below draft, but "implemented by several vendors",
4040 * https://www.ietf.org/mail-archive/web/tls/current/msg00036.html */
4041 case 0x0060: /* TLS_RSA_EXPORT1024_WITH_RC4_56_MD5 */
4042 case 0x0061: /* TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 */
4043 return 7;
4044
4045 /* Note: the draft states that DES_CBC needs 8 bytes, but Wireshark always
4046 * used 7. Until a pcap proves 8, let's use the old value. Link:
4047 * https://tools.ietf.org/html/draft-ietf-tls-56-bit-ciphersuites-01 */
4048 case 0x0062: /* TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA */
4049 case 0x0063: /* TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA */
4050 case 0x0064: /* TLS_RSA_EXPORT1024_WITH_RC4_56_SHA */
4051 case 0x0065: /* TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA */
4052 return 7;
4053
4054 default:
4055 return 0;
4056 }
4057}
4058
4059/* Digests, Ciphers and Cipher Suites registry }}} */
4060
4061
4062/* HMAC and the Pseudorandom function {{{ */
4063static int
4064tls_hash(StringInfo *secret, StringInfo *seed, int md,
4065 StringInfo *out, unsigned out_len)
4066{
4067 /* RFC 2246 5. HMAC and the pseudorandom function
4068 * '+' denotes concatenation.
4069 * P_hash(secret, seed) = HMAC_hash(secret, A(1) + seed) +
4070 * HMAC_hash(secret, A(2) + seed) + ...
4071 * A(0) = seed
4072 * A(i) = HMAC_hash(secret, A(i - 1))
4073 */
4074 uint8_t *ptr;
4075 unsigned left, tocpy;
4076 uint8_t *A;
4077 uint8_t _A[DIGEST_MAX_SIZE48], tmp[DIGEST_MAX_SIZE48];
4078 unsigned A_l, tmp_l;
4079 SSL_HMACgcry_md_hd_t hm;
4080
4081 ptr = out->data;
4082 left = out_len;
4083
4084 ssl_print_string("tls_hash: hash secret", secret);
4085 ssl_print_string("tls_hash: hash seed", seed);
4086 /* A(0) = seed */
4087 A = seed->data;
4088 A_l = seed->data_len;
4089
4090 if (ssl_hmac_init(&hm, md) != 0) {
4091 return -1;
4092 }
4093 while (left) {
4094 /* A(i) = HMAC_hash(secret, A(i-1)) */
4095 ssl_hmac_setkey(&hm, secret->data, secret->data_len);
4096 ssl_hmac_update(&hm, A, A_l);
4097 A_l = sizeof(_A); /* upper bound len for hash output */
4098 ssl_hmac_final(&hm, _A, &A_l);
4099 A = _A;
4100
4101 /* HMAC_hash(secret, A(i) + seed) */
4102 ssl_hmac_reset(&hm);
4103 ssl_hmac_setkey(&hm, secret->data, secret->data_len);
4104 ssl_hmac_update(&hm, A, A_l);
4105 ssl_hmac_update(&hm, seed->data, seed->data_len);
4106 tmp_l = sizeof(tmp); /* upper bound len for hash output */
4107 ssl_hmac_final(&hm, tmp, &tmp_l);
4108 ssl_hmac_reset(&hm);
4109
4110 /* ssl_hmac_final puts the actual digest output size in tmp_l */
4111 tocpy = MIN(left, tmp_l)(((left) < (tmp_l)) ? (left) : (tmp_l));
4112 memcpy(ptr, tmp, tocpy);
4113 ptr += tocpy;
4114 left -= tocpy;
4115 }
4116 ssl_hmac_cleanup(&hm);
4117 out->data_len = out_len;
4118
4119 ssl_print_string("hash out", out);
4120 return 0;
4121}
4122
4123static bool_Bool
4124tls_prf(StringInfo* secret, const char *usage,
4125 StringInfo* rnd1, StringInfo* rnd2, StringInfo* out, unsigned out_len)
4126{
4127 StringInfo seed, sha_out, md5_out;
4128 uint8_t *ptr;
4129 StringInfo s1, s2;
4130 unsigned i,s_l;
4131 size_t usage_len, rnd2_len;
4132 bool_Bool success = false0;
4133 usage_len = strlen(usage);
4134 rnd2_len = rnd2 ? rnd2->data_len : 0;
4135
4136 /* initialize buffer for sha, md5 random seed*/
4137 if (ssl_data_alloc(&sha_out, MAX(out_len, 20)(((out_len) > (20)) ? (out_len) : (20))) < 0) {
4138 ssl_debug_printf("tls_prf: can't allocate sha out\n");
4139 return false0;
4140 }
4141 if (ssl_data_alloc(&md5_out, MAX(out_len, 16)(((out_len) > (16)) ? (out_len) : (16))) < 0) {
4142 ssl_debug_printf("tls_prf: can't allocate md5 out\n");
4143 goto free_sha;
4144 }
4145 if (ssl_data_alloc(&seed, usage_len+rnd1->data_len+rnd2_len) < 0) {
4146 ssl_debug_printf("tls_prf: can't allocate rnd %d\n",
4147 (int) (usage_len+rnd1->data_len+rnd2_len));
4148 goto free_md5;
4149 }
4150
4151 ptr=seed.data;
4152 memcpy(ptr,usage,usage_len);
4153 ptr+=usage_len;
4154 memcpy(ptr,rnd1->data,rnd1->data_len);
4155 if (rnd2_len > 0) {
4156 ptr+=rnd1->data_len;
4157 memcpy(ptr,rnd2->data,rnd2->data_len);
4158 /*ptr+=rnd2->data_len;*/
4159 }
4160
4161 /* initialize buffer for client/server seeds*/
4162 s_l=secret->data_len/2 + secret->data_len%2;
4163 if (ssl_data_alloc(&s1, s_l) < 0) {
4164 ssl_debug_printf("tls_prf: can't allocate secret %d\n", s_l);
4165 goto free_seed;
4166 }
4167 if (ssl_data_alloc(&s2, s_l) < 0) {
4168 ssl_debug_printf("tls_prf: can't allocate secret(2) %d\n", s_l);
4169 goto free_s1;
4170 }
4171
4172 memcpy(s1.data,secret->data,s_l);
4173 memcpy(s2.data,secret->data + (secret->data_len - s_l),s_l);
4174
4175 ssl_debug_printf("tls_prf: tls_hash(md5 secret_len %d seed_len %d )\n", s1.data_len, seed.data_len);
4176 if(tls_hash(&s1, &seed, ssl_get_digest_by_name("MD5"), &md5_out, out_len) != 0)
4177 goto free_s2;
4178 ssl_debug_printf("tls_prf: tls_hash(sha)\n");
4179 if(tls_hash(&s2, &seed, ssl_get_digest_by_name("SHA1"), &sha_out, out_len) != 0)
4180 goto free_s2;
4181
4182 for (i = 0; i < out_len; i++)
4183 out->data[i] = md5_out.data[i] ^ sha_out.data[i];
4184 /* success, now store the new meaningful data length */
4185 out->data_len = out_len;
4186 success = true1;
4187
4188 ssl_print_string("PRF out",out);
4189free_s2:
4190 g_free(s2.data)(__builtin_object_size ((s2.data), 0) != ((size_t) - 1)) ? g_free_sized
(s2.data, __builtin_object_size ((s2.data), 0)) : (g_free) (
s2.data)
;
4191free_s1:
4192 g_free(s1.data)(__builtin_object_size ((s1.data), 0) != ((size_t) - 1)) ? g_free_sized
(s1.data, __builtin_object_size ((s1.data), 0)) : (g_free) (
s1.data)
;
4193free_seed:
4194 g_free(seed.data)(__builtin_object_size ((seed.data), 0) != ((size_t) - 1)) ? g_free_sized
(seed.data, __builtin_object_size ((seed.data), 0)) : (g_free
) (seed.data)
;
4195free_md5:
4196 g_free(md5_out.data)(__builtin_object_size ((md5_out.data), 0) != ((size_t) - 1))
? g_free_sized (md5_out.data, __builtin_object_size ((md5_out
.data), 0)) : (g_free) (md5_out.data)
;
4197free_sha:
4198 g_free(sha_out.data)(__builtin_object_size ((sha_out.data), 0) != ((size_t) - 1))
? g_free_sized (sha_out.data, __builtin_object_size ((sha_out
.data), 0)) : (g_free) (sha_out.data)
;
4199 return success;
4200}
4201
4202static bool_Bool
4203tls12_prf(int md, StringInfo* secret, const char* usage,
4204 StringInfo* rnd1, StringInfo* rnd2, StringInfo* out, unsigned out_len)
4205{
4206 StringInfo label_seed;
4207 int success;
4208 size_t usage_len, rnd2_len;
4209 rnd2_len = rnd2 ? rnd2->data_len : 0;
4210
4211 usage_len = strlen(usage);
4212 if (ssl_data_alloc(&label_seed, usage_len+rnd1->data_len+rnd2_len) < 0) {
4213 ssl_debug_printf("tls12_prf: can't allocate label_seed\n");
4214 return false0;
4215 }
4216 memcpy(label_seed.data, usage, usage_len);
4217 memcpy(label_seed.data+usage_len, rnd1->data, rnd1->data_len);
4218 if (rnd2_len > 0)
4219 memcpy(label_seed.data+usage_len+rnd1->data_len, rnd2->data, rnd2->data_len);
4220
4221 ssl_debug_printf("tls12_prf: tls_hash(hash_alg %s secret_len %d seed_len %d )\n", gcry_md_algo_name(md), secret->data_len, label_seed.data_len);
4222 success = tls_hash(secret, &label_seed, md, out, out_len);
4223 g_free(label_seed.data)(__builtin_object_size ((label_seed.data), 0) != ((size_t) - 1
)) ? g_free_sized (label_seed.data, __builtin_object_size ((label_seed
.data), 0)) : (g_free) (label_seed.data)
;
4224 if(success != -1){
4225 ssl_print_string("PRF out", out);
4226 return true1;
4227 }
4228 return false0;
4229}
4230
4231static bool_Bool
4232ssl3_generate_export_iv(StringInfo *r1, StringInfo *r2,
4233 StringInfo *out, unsigned out_len)
4234{
4235 SSL_MD5_CTXgcry_md_hd_t md5;
4236 uint8_t tmp[16];
4237
4238 if (ssl_md5_init(&md5) != 0) {
4239 return false0;
4240 }
4241 ssl_md5_update(&md5,r1->data,r1->data_len);
4242 ssl_md5_update(&md5,r2->data,r2->data_len);
4243 ssl_md5_final(tmp,&md5);
4244 ssl_md5_cleanup(&md5);
4245
4246 DISSECTOR_ASSERT(out_len <= sizeof(tmp))((void) ((out_len <= sizeof(tmp)) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 4246, "out_len <= sizeof(tmp)"))))
;
4247 ssl_data_set(out, tmp, out_len);
4248 ssl_print_string("export iv", out);
4249 return true1;
4250}
4251
4252static bool_Bool
4253ssl3_prf(StringInfo* secret, const char* usage,
4254 StringInfo* rnd1, StringInfo* rnd2, StringInfo* out, unsigned out_len)
4255{
4256 SSL_MD5_CTXgcry_md_hd_t md5;
4257 SSL_SHA_CTXgcry_md_hd_t sha;
4258 unsigned off;
4259 int i = 0,j;
4260 uint8_t buf[20];
4261
4262 if (ssl_sha_init(&sha) != 0) {
4263 return false0;
4264 }
4265 if (ssl_md5_init(&md5) != 0) {
4266 ssl_sha_cleanup(&sha);
4267 return false0;
4268 }
4269 for (off = 0; off < out_len; off += 16) {
4270 unsigned char outbuf[16];
4271 i++;
4272
4273 ssl_debug_printf("ssl3_prf: sha1_hash(%d)\n",i);
4274 /* A, BB, CCC, ... */
4275 for(j=0;j<i;j++){
4276 buf[j]=64+i;
4277 }
4278
4279 ssl_sha_update(&sha,buf,i);
4280 ssl_sha_update(&sha,secret->data,secret->data_len);
4281
4282 if(!strcmp(usage,"client write key") || !strcmp(usage,"server write key")){
4283 if (rnd2)
4284 ssl_sha_update(&sha,rnd2->data,rnd2->data_len);
4285 ssl_sha_update(&sha,rnd1->data,rnd1->data_len);
4286 }
4287 else{
4288 ssl_sha_update(&sha,rnd1->data,rnd1->data_len);
4289 if (rnd2)
4290 ssl_sha_update(&sha,rnd2->data,rnd2->data_len);
4291 }
4292
4293 ssl_sha_final(buf,&sha);
4294 ssl_sha_reset(&sha);
4295
4296 ssl_debug_printf("ssl3_prf: md5_hash(%d) datalen %d\n",i,
4297 secret->data_len);
4298 ssl_md5_update(&md5,secret->data,secret->data_len);
4299 ssl_md5_update(&md5,buf,20);
4300 ssl_md5_final(outbuf,&md5);
4301 ssl_md5_reset(&md5);
4302
4303 memcpy(out->data + off, outbuf, MIN(out_len - off, 16)(((out_len - off) < (16)) ? (out_len - off) : (16)));
4304 }
4305 ssl_sha_cleanup(&sha);
4306 ssl_md5_cleanup(&md5);
4307 out->data_len = out_len;
4308
4309 return true1;
4310}
4311
4312/* out_len is the wanted output length for the pseudorandom function.
4313 * Ensure that ssl->cipher_suite is set. */
4314static bool_Bool
4315prf(SslDecryptSession *ssl, StringInfo *secret, const char *usage,
4316 StringInfo *rnd1, StringInfo *rnd2, StringInfo *out, unsigned out_len)
4317{
4318 switch (ssl->session.version) {
4319 case SSLV3_VERSION0x300:
4320 return ssl3_prf(secret, usage, rnd1, rnd2, out, out_len);
4321
4322 case TLSV1_VERSION0x301:
4323 case TLSV1DOT1_VERSION0x302:
4324 case DTLSV1DOT0_VERSION0xfeff:
4325 case DTLSV1DOT0_OPENSSL_VERSION0x100:
4326 return tls_prf(secret, usage, rnd1, rnd2, out, out_len);
4327
4328 default: /* TLSv1.2 */
4329 switch (ssl->cipher_suite->dig) {
4330 case DIG_SM30x44:
4331#if GCRYPT_VERSION_NUMBER0x010c00 >= 0x010900
4332 return tls12_prf(GCRY_MD_SM3, secret, usage, rnd1, rnd2,
4333 out, out_len);
4334#else
4335 return false0;
4336#endif
4337 case DIG_SHA3840x43:
4338 return tls12_prf(GCRY_MD_SHA384, secret, usage, rnd1, rnd2,
4339 out, out_len);
4340 default:
4341 return tls12_prf(GCRY_MD_SHA256, secret, usage, rnd1, rnd2,
4342 out, out_len);
4343 }
4344 }
4345}
4346
4347static int tls_handshake_hash(SslDecryptSession* ssl, StringInfo* out)
4348{
4349 SSL_MD5_CTXgcry_md_hd_t md5;
4350 SSL_SHA_CTXgcry_md_hd_t sha;
4351
4352 if (ssl_data_alloc(out, 36) < 0)
15
Calling 'ssl_data_alloc'
19
Returned allocated memory
20
Taking false branch
4353 return -1;
4354
4355 if (ssl_md5_init(&md5) != 0)
21
Taking true branch
4356 return -1;
4357 ssl_md5_update(&md5,ssl->handshake_data.data,ssl->handshake_data.data_len);
4358 ssl_md5_final(out->data,&md5);
4359 ssl_md5_cleanup(&md5);
4360
4361 if (ssl_sha_init(&sha) != 0)
4362 return -1;
4363 ssl_sha_update(&sha,ssl->handshake_data.data,ssl->handshake_data.data_len);
4364 ssl_sha_final(out->data+16,&sha);
4365 ssl_sha_cleanup(&sha);
4366 return 0;
4367}
4368
4369static int tls12_handshake_hash(SslDecryptSession* ssl, int md, StringInfo* out)
4370{
4371 SSL_MDgcry_md_hd_t mc;
4372 uint8_t tmp[48];
4373 unsigned len;
4374
4375 if (ssl_md_init(&mc, md) != 0)
4376 return -1;
4377 ssl_md_update(&mc,ssl->handshake_data.data,ssl->handshake_data.data_len);
4378 ssl_md_final(&mc, tmp, &len);
4379 ssl_md_cleanup(&mc);
4380
4381 if (ssl_data_alloc(out, len) < 0)
4382 return -1;
4383 memcpy(out->data, tmp, len);
4384 return 0;
4385}
4386
4387bool_Bool
4388tls_load_psk(SslDecryptSession* tls_session, const char *tls_psk)
4389{
4390 if (!tls_psk || (tls_psk[0] == 0)) {
4391 ssl_debug_printf("%s: can't find pre-shared key\n", G_STRFUNC((const char*) (__func__)));
4392 return false0;
4393 }
4394
4395 wmem_free(wmem_file_scope(), tls_session->psk.data);
4396 /* convert hex string into char*/
4397 if (!from_hex(&tls_session->psk, tls_psk, strlen(tls_psk))) {
4398 ssl_debug_printf("%s: ssl.psk/dtls.psk contains invalid hex\n",
4399 G_STRFUNC((const char*) (__func__)));
4400 return false0;
4401 }
4402
4403 if (tls_session->psk.data_len >= (2 << 15)) {
4404 ssl_debug_printf("%s: ssl.psk/dtls.psk must not be larger than 2^15 - 1\n",
4405 G_STRFUNC((const char*) (__func__)));
4406 wmem_free(wmem_file_scope(), tls_session->psk.data);
4407 tls_session->psk.data = NULL((void*)0);
4408 tls_session->psk.data_len = 0;
4409 return false0;
4410 }
4411
4412 return true1;
4413}
4414
4415/**
4416 * Obtains the label prefix used in HKDF-Expand-Label. This function can be
4417 * inlined and removed once support for draft 19 and before is dropped.
4418 */
4419static inline const char *
4420tls13_hkdf_label_prefix(SslDecryptSession *ssl_session)
4421{
4422 if (ssl_session->session.tls13_draft_version && ssl_session->session.tls13_draft_version < 20) {
4423 return "TLS 1.3, ";
4424 } else if (ssl_session->session.version == DTLSV1DOT3_VERSION0xfefc) {
4425 return "dtls13";
4426 } else {
4427 return "tls13 ";
4428 }
4429}
4430
4431/*
4432 * Computes HKDF-Expand-Label(Secret, Label, Hash(context_value), Length) with a
4433 * custom label prefix. If "context_hash" is NULL, then an empty context is
4434 * used. Otherwise it must have the same length as the hash algorithm output.
4435 */
4436bool_Bool
4437tls13_hkdf_expand_label_context(int md, const StringInfo *secret,
4438 const char *label_prefix, const char *label,
4439 const uint8_t *context_hash, uint8_t context_length,
4440 uint16_t out_len, unsigned char **out)
4441{
4442 /* RFC 8446 Section 7.1:
4443 * HKDF-Expand-Label(Secret, Label, Context, Length) =
4444 * HKDF-Expand(Secret, HkdfLabel, Length)
4445 * struct {
4446 * uint16 length = Length;
4447 * opaque label<7..255> = "tls13 " + Label; // "tls13 " is label prefix.
4448 * opaque context<0..255> = Context;
4449 * } HkdfLabel;
4450 *
4451 * RFC 5869 HMAC-based Extract-and-Expand Key Derivation Function (HKDF):
4452 * HKDF-Expand(PRK, info, L) -> OKM
4453 */
4454 gcry_error_t err;
4455 const unsigned label_prefix_length = (unsigned) strlen(label_prefix);
4456 const unsigned label_length = (unsigned) strlen(label);
4457
4458 /* Some sanity checks */
4459 DISSECTOR_ASSERT(label_length > 0 && label_prefix_length + label_length <= 255)((void) ((label_length > 0 && label_prefix_length +
label_length <= 255) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 4459, "label_length > 0 && label_prefix_length + label_length <= 255"
))))
;
4460
4461 /* info = HkdfLabel { length, label, context } */
4462 GByteArray *info = g_byte_array_new();
4463 const uint16_t length = g_htons(out_len)(((((guint16) ( (guint16) ((guint16) (out_len) >> 8) | (
guint16) ((guint16) (out_len) << 8))))))
;
4464 g_byte_array_append(info, (const uint8_t *)&length, sizeof(length));
4465
4466 const uint8_t label_vector_length = label_prefix_length + label_length;
4467 g_byte_array_append(info, &label_vector_length, 1);
4468 g_byte_array_append(info, (const uint8_t *)label_prefix, label_prefix_length);
4469 g_byte_array_append(info, (const uint8_t*)label, label_length);
4470
4471 g_byte_array_append(info, &context_length, 1);
4472 if (context_length) {
4473 g_byte_array_append(info, context_hash, context_length);
4474 }
4475
4476 *out = (unsigned char *)wmem_alloc(NULL((void*)0), out_len);
4477 err = hkdf_expand(md, secret->data, secret->data_len, info->data, info->len, *out, out_len);
4478 g_byte_array_free(info, true1);
4479
4480 if (err) {
4481 ssl_debug_printf("%s failed %d: %s\n", G_STRFUNC((const char*) (__func__)), md, gcry_strerror(err));
4482 wmem_free(NULL((void*)0), *out);
4483 *out = NULL((void*)0);
4484 return false0;
4485 }
4486
4487 return true1;
4488}
4489
4490bool_Bool
4491tls13_hkdf_expand_label(int md, const StringInfo *secret,
4492 const char *label_prefix, const char *label,
4493 uint16_t out_len, unsigned char **out)
4494{
4495 return tls13_hkdf_expand_label_context(md, secret, label_prefix, label, NULL((void*)0), 0, out_len, out);
4496}
4497
4498static bool_Bool
4499tls13_derive_secret(int md, const StringInfo *secret,
4500 const char *label_prefix, const char *label,
4501 const uint8_t *context, unsigned context_length,
4502 uint16_t out_len, unsigned char **out)
4503{
4504 SSL_MDgcry_md_hd_t mc;
4505 uint8_t context_hash[DIGEST_MAX_SIZE48];
4506 unsigned hash_len;
4507
4508 if (ssl_md_init(&mc, md) != 0)
4509 return false0;
4510 ssl_md_update(&mc, context, context_length);
4511 ssl_md_final(&mc, context_hash, &hash_len);
4512 ssl_md_cleanup(&mc);
4513
4514 return tls13_hkdf_expand_label_context(md, secret, label_prefix, label, context_hash, hash_len, out_len, out);
4515}
4516
4517/* HMAC and the Pseudorandom function }}} */
4518
4519/* Record Decompression (after decryption) {{{ */
4520#ifdef USE_ZLIB_OR_ZLIBNG
4521/* memory allocation functions for zlib initialization */
4522static void* ssl_zalloc(void* opaque _U___attribute__((unused)), unsigned int no, unsigned int size)
4523{
4524 return g_malloc0(no*size);
4525}
4526static void ssl_zfree(void* opaque _U___attribute__((unused)), void* addr)
4527{
4528 g_free(addr)(__builtin_object_size ((addr), 0) != ((size_t) - 1)) ? g_free_sized
(addr, __builtin_object_size ((addr), 0)) : (g_free) (addr)
;
4529}
4530#endif /* USE_ZLIB_OR_ZLIBNG */
4531
4532static SslDecompress*
4533ssl_create_decompressor(int compression)
4534{
4535 SslDecompress *decomp;
4536#ifdef USE_ZLIB_OR_ZLIBNG
4537 int err;
4538#endif
4539
4540 if (compression == 0) return NULL((void*)0);
4541 ssl_debug_printf("ssl_create_decompressor: compression method %d\n", compression);
4542 decomp = wmem_new(wmem_file_scope(), SslDecompress)((SslDecompress*)wmem_alloc((wmem_file_scope()), sizeof(SslDecompress
)))
;
4543 decomp->compression = compression;
4544 switch (decomp->compression) {
4545#ifdef USE_ZLIB_OR_ZLIBNG
4546 case 1: /* DEFLATE */
4547 decomp->istream.zalloc = ssl_zalloc;
4548 decomp->istream.zfree = ssl_zfree;
4549 decomp->istream.opaque = Z_NULL0;
4550 decomp->istream.next_in = Z_NULL0;
4551 decomp->istream.next_out = Z_NULL0;
4552 decomp->istream.avail_in = 0;
4553 decomp->istream.avail_out = 0;
4554 err = ZLIB_PREFIX(inflateInit)(&decomp->istream)inflateInit_((&decomp->istream), "1.3.1", (int)sizeof(
z_stream))
;
4555 if (err != Z_OK0) {
4556 ssl_debug_printf("ssl_create_decompressor: inflateInit_() failed - %d\n", err);
4557 return NULL((void*)0);
4558 }
4559 break;
4560#endif /* USE_ZLIB_OR_ZLIBNG */
4561 default:
4562 ssl_debug_printf("ssl_create_decompressor: unsupported compression method %d\n", decomp->compression);
4563 return NULL((void*)0);
4564 }
4565 return decomp;
4566}
4567
4568#ifdef USE_ZLIB_OR_ZLIBNG
4569static int
4570ssl_decompress_record(SslDecompress* decomp, const unsigned char* in, unsigned inl, StringInfo* out_str, unsigned* outl)
4571{
4572 int err;
4573
4574 switch (decomp->compression) {
4575 case 1: /* DEFLATE */
4576 err = Z_OK0;
4577 if (out_str->data_len < 16384) { /* maximal plain length */
4578 ssl_data_realloc(out_str, 16384);
4579 }
4580#ifdef z_constconst
4581 decomp->istream.next_in = in;
4582#else
4583DIAG_OFF(cast-qual)clang diagnostic push clang diagnostic ignored "-Wcast-qual"
4584 decomp->istream.next_in = (Bytef *)in;
4585DIAG_ON(cast-qual)clang diagnostic pop
4586#endif
4587 decomp->istream.avail_in = inl;
4588 decomp->istream.next_out = out_str->data;
4589 decomp->istream.avail_out = out_str->data_len;
4590 if (inl > 0)
4591 err = ZLIB_PREFIX(inflate)inflate(&decomp->istream, Z_SYNC_FLUSH2);
4592 if (err != Z_OK0) {
4593 ssl_debug_printf("ssl_decompress_record: inflate() failed - %d\n", err);
4594 return -1;
4595 }
4596 *outl = out_str->data_len - decomp->istream.avail_out;
4597 break;
4598 default:
4599 ssl_debug_printf("ssl_decompress_record: unsupported compression method %d\n", decomp->compression);
4600 return -1;
4601 }
4602 return 0;
4603}
4604#else /* USE_ZLIB_OR_ZLIBNG */
4605int
4606ssl_decompress_record(SslDecompress* decomp _U___attribute__((unused)), const unsigned char* in _U___attribute__((unused)), unsigned inl _U___attribute__((unused)), StringInfo* out_str _U___attribute__((unused)), unsigned* outl _U___attribute__((unused)))
4607{
4608 ssl_debug_printf("ssl_decompress_record: unsupported compression method %d\n", decomp->compression);
4609 return -1;
4610}
4611#endif /* USE_ZLIB_OR_ZLIBNG */
4612/* Record Decompression (after decryption) }}} */
4613
4614/* Create a new structure to store decrypted chunks. {{{ */
4615static SslFlow*
4616ssl_create_flow(void)
4617{
4618 SslFlow *flow;
4619
4620 flow = wmem_new(wmem_file_scope(), SslFlow)((SslFlow*)wmem_alloc((wmem_file_scope()), sizeof(SslFlow)));
4621 flow->byte_seq = 0;
4622 flow->flags = 0;
4623 flow->multisegment_pdus = wmem_tree_new(wmem_file_scope());
4624 return flow;
4625}
4626/* }}} */
4627
4628/* Use the negotiated security parameters for decryption. {{{ */
4629void
4630ssl_change_cipher(SslDecryptSession *ssl_session, bool_Bool server)
4631{
4632 SslDecoder **new_decoder = server ? &ssl_session->server_new : &ssl_session->client_new;
4633 SslDecoder **dest = server ? &ssl_session->server : &ssl_session->client;
4634 ssl_debug_printf("ssl_change_cipher %s%s\n", server ? "SERVER" : "CLIENT",
4635 *new_decoder ? "" : " (No decoder found - retransmission?)");
4636 if (*new_decoder) {
4637 *dest = *new_decoder;
4638 *new_decoder = NULL((void*)0);
4639 }
4640}
4641/* }}} */
4642
4643/* Init cipher state given some security parameters. {{{ */
4644static bool_Bool
4645ssl_decoder_destroy_cb(wmem_allocator_t *, wmem_cb_event_t, void *);
4646
4647static SslDecoder*
4648ssl_create_decoder(const SslCipherSuite *cipher_suite, int cipher_algo,
4649 int compression, uint8_t *mk, uint8_t *sk, uint8_t *sn_key, uint8_t *iv, unsigned iv_length)
4650{
4651 SslDecoder *dec;
4652 ssl_cipher_mode_t mode = cipher_suite->mode;
4653
4654 dec = wmem_new0(wmem_file_scope(), SslDecoder)((SslDecoder*)wmem_alloc0((wmem_file_scope()), sizeof(SslDecoder
)))
;
4655 /* init mac buffer: mac storage is embedded into decoder struct to save a
4656 memory allocation and waste samo more memory*/
4657 dec->cipher_suite=cipher_suite;
4658 dec->compression = compression;
4659 if ((mode == MODE_STREAM && mk != NULL((void*)0)) || mode == MODE_CBC) {
4660 // AEAD ciphers use no MAC key, but stream and block ciphers do. Note
4661 // the special case for NULL ciphers, even if there is insufficiency
4662 // keying material (including MAC key), we will can still create
4663 // decoders since "decryption" is easy for such ciphers.
4664 dec->mac_key.data = dec->_mac_key_or_write_iv;
4665 ssl_data_set(&dec->mac_key, mk, ssl_cipher_suite_dig(cipher_suite)->len);
4666 } else if (mode == MODE_GCM || mode == MODE_CCM || mode == MODE_CCM_8 || mode == MODE_POLY1305) {
4667 // Input for the nonce, to be used with AEAD ciphers.
4668 DISSECTOR_ASSERT(iv_length <= sizeof(dec->_mac_key_or_write_iv))((void) ((iv_length <= sizeof(dec->_mac_key_or_write_iv
)) ? (void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\""
, "epan/dissectors/packet-tls-utils.c", 4668, "iv_length <= sizeof(dec->_mac_key_or_write_iv)"
))))
;
4669 dec->write_iv.data = dec->_mac_key_or_write_iv;
4670 ssl_data_set(&dec->write_iv, iv, iv_length);
4671 }
4672 dec->seq = 0;
4673 dec->decomp = ssl_create_decompressor(compression);
4674 wmem_register_callback(wmem_file_scope(), ssl_decoder_destroy_cb, dec);
4675
4676 if (ssl_cipher_init(&dec->evp,cipher_algo,sk,iv,cipher_suite->mode) < 0) {
4677 ssl_debug_printf("%s: can't create cipher id:%d mode:%d\n", G_STRFUNC((const char*) (__func__)),
4678 cipher_algo, cipher_suite->mode);
4679 return NULL((void*)0);
4680 }
4681
4682 if (cipher_suite->enc != ENC_NULL0x3D && sn_key != NULL((void*)0)) {
4683 if (cipher_suite->enc == ENC_AES0x35 || cipher_suite->enc == ENC_AES2560x36) {
4684 mode = MODE_ECB;
4685 } else if (cipher_suite->enc == ENC_CHACHA200x3A) {
4686 mode = MODE_STREAM;
4687 } else {
4688 ssl_debug_printf("not supported encryption algorithm for DTLSv1.3\n");
4689 return NULL((void*)0);
4690 }
4691
4692 if (ssl_cipher_init(&dec->sn_evp, cipher_algo, sn_key, NULL((void*)0), mode) < 0) {
4693 ssl_debug_printf("%s: can't create cipher id:%d mode:%d for seq number decryption\n", G_STRFUNC((const char*) (__func__)),
4694 cipher_algo, MODE_ECB);
4695 ssl_cipher_cleanup(&dec->evp);
4696 dec->evp = NULL((void*)0);
4697 return NULL((void*)0);
4698 }
4699 } else {
4700 dec->sn_evp = NULL((void*)0);
4701 }
4702
4703 dec->dtls13_aad.data = NULL((void*)0);
4704 dec->dtls13_aad.data_len = 0;
4705 ssl_debug_printf("decoder initialized (digest len %d)\n", ssl_cipher_suite_dig(cipher_suite)->len);
4706 return dec;
4707}
4708
4709static bool_Bool
4710ssl_decoder_destroy_cb(wmem_allocator_t *allocator _U___attribute__((unused)), wmem_cb_event_t event _U___attribute__((unused)), void *user_data)
4711{
4712 SslDecoder *dec = (SslDecoder *) user_data;
4713
4714 if (dec->evp)
4715 ssl_cipher_cleanup(&dec->evp);
4716 if (dec->sn_evp)
4717 ssl_cipher_cleanup(&dec->sn_evp);
4718
4719#ifdef USE_ZLIB_OR_ZLIBNG
4720 if (dec->decomp != NULL((void*)0) && dec->decomp->compression == 1 /* DEFLATE */)
4721 ZLIB_PREFIX(inflateEnd)inflateEnd(&dec->decomp->istream);
4722#endif
4723
4724 return false0;
4725}
4726/* }}} */
4727
4728/* (Pre-)master secrets calculations {{{ */
4729#ifdef HAVE_LIBGNUTLS1
4730static bool_Bool
4731ssl_decrypt_pre_master_secret(SslDecryptSession *ssl_session,
4732 StringInfo *encrypted_pre_master,
4733 GHashTable *key_hash);
4734#endif /* HAVE_LIBGNUTLS */
4735
4736static bool_Bool
4737ssl_restore_master_key(SslDecryptSession *ssl, const char *label,
4738 bool_Bool is_pre_master, GHashTable *ht, StringInfo *key);
4739
4740bool_Bool
4741ssl_generate_pre_master_secret(SslDecryptSession *ssl_session,
4742 uint32_t length, tvbuff_t *tvb, uint32_t offset,
4743 const char *ssl_psk, packet_info *pinfo,
4744#ifdef HAVE_LIBGNUTLS1
4745 GHashTable *key_hash,
4746#endif
4747 const ssl_master_key_map_t *mk_map)
4748{
4749 /* check for required session data */
4750 ssl_debug_printf("%s: found SSL_HND_CLIENT_KEY_EXCHG, state %X\n",
4751 G_STRFUNC((const char*) (__func__)), ssl_session->state);
4752 if ((ssl_session->state & (SSL_CIPHER(1<<2)|SSL_CLIENT_RANDOM(1<<0)|SSL_SERVER_RANDOM(1<<1)|SSL_VERSION(1<<4))) !=
4753 (SSL_CIPHER(1<<2)|SSL_CLIENT_RANDOM(1<<0)|SSL_SERVER_RANDOM(1<<1)|SSL_VERSION(1<<4))) {
4754 ssl_debug_printf("%s: not enough data to generate key (required state %X)\n", G_STRFUNC((const char*) (__func__)),
4755 (SSL_CIPHER(1<<2)|SSL_CLIENT_RANDOM(1<<0)|SSL_SERVER_RANDOM(1<<1)|SSL_VERSION(1<<4)));
4756 return false0;
4757 }
4758
4759 if (ssl_session->session.version == TLSV1DOT3_VERSION0x304) {
4760 ssl_debug_printf("%s: detected TLS 1.3 which has no pre-master secrets\n", G_STRFUNC((const char*) (__func__)));
4761 return false0;
4762 }
4763
4764 /* check to see if the PMS was provided to us*/
4765 if (ssl_restore_master_key(ssl_session, "Unencrypted pre-master secret", true1,
4766 mk_map->pms, &ssl_session->client_random)) {
4767 return true1;
4768 }
4769
4770 if (ssl_session->cipher_suite->kex == KEX_PSK0x1d)
4771 {
4772 /* calculate pre master secret*/
4773 StringInfo pre_master_secret;
4774 unsigned psk_len, pre_master_len;
4775
4776 if (!tls_load_psk(ssl_session, ssl_psk)) {
4777 return false0;
4778 }
4779 psk_len = ssl_session->psk.data_len;
4780
4781 pre_master_len = psk_len * 2 + 4;
4782
4783 pre_master_secret.data = (unsigned char *)wmem_alloc(wmem_file_scope(), pre_master_len);
4784 pre_master_secret.data_len = pre_master_len;
4785 /* 2 bytes psk_len*/
4786 pre_master_secret.data[0] = psk_len >> 8;
4787 pre_master_secret.data[1] = psk_len & 0xFF;
4788 /* psk_len bytes times 0*/
4789 memset(&pre_master_secret.data[2], 0, psk_len);
4790 /* 2 bytes psk_len*/
4791 pre_master_secret.data[psk_len + 2] = psk_len >> 8;
4792 pre_master_secret.data[psk_len + 3] = psk_len & 0xFF;
4793 /* psk*/
4794 memcpy(&pre_master_secret.data[psk_len + 4], ssl_session->psk.data, psk_len);
4795
4796 ssl_session->pre_master_secret.data = pre_master_secret.data;
4797 ssl_session->pre_master_secret.data_len = pre_master_len;
4798 /*ssl_debug_printf("pre master secret",&ssl->pre_master_secret);*/
4799
4800 /* Remove the master secret if it was there.
4801 This forces keying material regeneration in
4802 case we're renegotiating */
4803 ssl_session->state &= ~(SSL_MASTER_SECRET(1<<5)|SSL_HAVE_SESSION_KEY(1<<3));
4804 ssl_session->state |= SSL_PRE_MASTER_SECRET(1<<6);
4805 return true1;
4806 }
4807 else
4808 {
4809 unsigned encrlen, skip;
4810 encrlen = length;
4811 skip = 0;
4812
4813 /* get encrypted data, on tls1 we have to skip two bytes
4814 * (it's the encrypted len and should be equal to record len - 2)
4815 * in case of rsa1024 that would be 128 + 2 = 130; for psk not necessary
4816 */
4817 if (ssl_session->cipher_suite->kex == KEX_RSA0x1e &&
4818 (ssl_session->session.version == TLSV1_VERSION0x301 ||
4819 ssl_session->session.version == TLSV1DOT1_VERSION0x302 ||
4820 ssl_session->session.version == TLSV1DOT2_VERSION0x303 ||
4821 ssl_session->session.version == DTLSV1DOT0_VERSION0xfeff ||
4822 ssl_session->session.version == DTLSV1DOT2_VERSION0xfefd ||
4823 ssl_session->session.version == TLCPV1_VERSION0x101 ))
4824 {
4825 encrlen = tvb_get_ntohs(tvb, offset);
4826 skip = 2;
4827 if (encrlen > length - 2)
4828 {
4829 ssl_debug_printf("%s: wrong encrypted length (%d max %d)\n",
4830 G_STRFUNC((const char*) (__func__)), encrlen, length);
4831 return false0;
4832 }
4833 }
4834 /* the valid lower bound is higher than 8, but it is sufficient for the
4835 * ssl keylog file below */
4836 if (encrlen < 8) {
4837 ssl_debug_printf("%s: invalid encrypted pre-master key length %d\n",
4838 G_STRFUNC((const char*) (__func__)), encrlen);
4839 return false0;
4840 }
4841
4842 StringInfo encrypted_pre_master = {
4843 .data = (unsigned char *)tvb_memdup(pinfo->pool, tvb, offset + skip, encrlen),
4844 .data_len = encrlen,
4845 };
4846
4847#ifdef HAVE_LIBGNUTLS1
4848 /* Try to lookup an appropriate RSA private key to decrypt the Encrypted Pre-Master Secret. */
4849 if (ssl_session->cert_key_id) {
4850 if (ssl_decrypt_pre_master_secret(ssl_session, &encrypted_pre_master, key_hash))
4851 return true1;
4852
4853 ssl_debug_printf("%s: can't decrypt pre-master secret\n",
4854 G_STRFUNC((const char*) (__func__)));
4855 }
4856#endif /* HAVE_LIBGNUTLS */
4857
4858 /* try to find the pre-master secret from the encrypted one. The
4859 * ssl key logfile stores only the first 8 bytes, so truncate it */
4860 encrypted_pre_master.data_len = 8;
4861 if (ssl_restore_master_key(ssl_session, "Encrypted pre-master secret",
4862 true1, mk_map->pre_master, &encrypted_pre_master))
4863 return true1;
4864 }
4865 return false0;
4866}
4867
4868/* Used for (D)TLS 1.2 and earlier versions (not with TLS 1.3). */
4869int
4870ssl_generate_keyring_material(SslDecryptSession*ssl_session)
4871{
4872 StringInfo key_block = { NULL((void*)0), 0 };
4873 uint8_t _iv_c[MAX_BLOCK_SIZE16],_iv_s[MAX_BLOCK_SIZE16];
4874 uint8_t _key_c[MAX_KEY_SIZE32],_key_s[MAX_KEY_SIZE32];
4875 int needed;
4876 int cipher_algo = -1; /* special value (-1) for NULL encryption */
4877 unsigned encr_key_len, write_iv_len = 0;
4878 bool_Bool is_export_cipher;
4879 uint8_t *ptr, *c_iv = NULL((void*)0), *s_iv = NULL((void*)0);
4880 uint8_t *c_wk = NULL((void*)0), *s_wk = NULL((void*)0), *c_mk = NULL((void*)0), *s_mk = NULL((void*)0);
4881 const SslCipherSuite *cipher_suite = ssl_session->cipher_suite;
4882
4883 /* (D)TLS 1.3 is handled directly in tls13_change_key. */
4884 if (ssl_session->session.version == TLSV1DOT3_VERSION0x304 || ssl_session->session.version == DTLSV1DOT3_VERSION0xfefc) {
1
Assuming field 'version' is not equal to TLSV1DOT3_VERSION
2
Assuming field 'version' is not equal to DTLSV1DOT3_VERSION
3
Taking false branch
4885 ssl_debug_printf("%s: detected TLS 1.3. Should not have been called!\n", G_STRFUNC((const char*) (__func__)));
4886 return -1;
4887 }
4888
4889 /* check for enough info to proceed */
4890 unsigned need_all = SSL_CIPHER(1<<2)|SSL_CLIENT_RANDOM(1<<0)|SSL_SERVER_RANDOM(1<<1)|SSL_VERSION(1<<4);
4891 unsigned need_any = SSL_MASTER_SECRET(1<<5) | SSL_PRE_MASTER_SECRET(1<<6);
4892 if (((ssl_session->state & need_all) != need_all) || ((ssl_session->state & need_any) == 0)) {
4
Assuming the condition is false
5
Assuming the condition is false
6
Taking false branch
4893 ssl_debug_printf("ssl_generate_keyring_material not enough data to generate key "
4894 "(0x%02X required 0x%02X or 0x%02X)\n", ssl_session->state,
4895 need_all|SSL_MASTER_SECRET(1<<5), need_all|SSL_PRE_MASTER_SECRET(1<<6));
4896 /* Special case: for NULL encryption, allow dissection of data even if
4897 * the Client Hello is missing (MAC keys are now skipped though). */
4898 need_all = SSL_CIPHER(1<<2)|SSL_VERSION(1<<4);
4899 if ((ssl_session->state & need_all) == need_all &&
4900 cipher_suite->enc == ENC_NULL0x3D) {
4901 ssl_debug_printf("%s NULL cipher found, will create a decoder but "
4902 "skip MAC validation as keys are missing.\n", G_STRFUNC((const char*) (__func__)));
4903 goto create_decoders;
4904 }
4905
4906 return -1;
4907 }
4908
4909 /* if master key is not available, generate is from the pre-master secret */
4910 if (!(ssl_session->state & SSL_MASTER_SECRET(1<<5))) {
7
Assuming the condition is true
8
Taking true branch
4911 if ((ssl_session->state & SSL_EXTENDED_MASTER_SECRET_MASK((1<<7)|(1<<8))) == SSL_EXTENDED_MASTER_SECRET_MASK((1<<7)|(1<<8))) {
9
Assuming the condition is true
10
Taking true branch
4912 StringInfo handshake_hashed_data;
4913 int ret;
4914
4915 handshake_hashed_data.data = NULL((void*)0);
4916 handshake_hashed_data.data_len = 0;
4917
4918 ssl_debug_printf("%s:PRF(pre_master_secret_extended)\n", G_STRFUNC((const char*) (__func__)));
4919 ssl_print_string("pre master secret",&ssl_session->pre_master_secret);
4920 DISSECTOR_ASSERT(ssl_session->handshake_data.data_len > 0)((void) ((ssl_session->handshake_data.data_len > 0) ? (
void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\""
, "epan/dissectors/packet-tls-utils.c", 4920, "ssl_session->handshake_data.data_len > 0"
))))
;
11
Assuming field 'data_len' is > 0
12
'?' condition is true
4921
4922 switch(ssl_session->session.version) {
13
Control jumps to 'case 257:' at line 4927
4923 case TLSV1_VERSION0x301:
4924 case TLSV1DOT1_VERSION0x302:
4925 case DTLSV1DOT0_VERSION0xfeff:
4926 case DTLSV1DOT0_OPENSSL_VERSION0x100:
4927 case TLCPV1_VERSION0x101:
4928 ret = tls_handshake_hash(ssl_session, &handshake_hashed_data);
14
Calling 'tls_handshake_hash'
22
Returned allocated memory
4929 break;
4930 default:
4931 switch (cipher_suite->dig) {
4932 case DIG_SHA3840x43:
4933 ret = tls12_handshake_hash(ssl_session, GCRY_MD_SHA384, &handshake_hashed_data);
4934 break;
4935 default:
4936 ret = tls12_handshake_hash(ssl_session, GCRY_MD_SHA256, &handshake_hashed_data);
4937 break;
4938 }
4939 break;
4940 }
4941 if (ret
23.1
'ret' is -1
) {
23
Execution continues on line 4941
24
Taking true branch
4942 ssl_debug_printf("%s can't generate handshake hash\n", G_STRFUNC((const char*) (__func__)));
25
Potential leak of memory pointed to by 'handshake_hashed_data.data'
4943 return -1;
4944 }
4945
4946 wmem_free(wmem_file_scope(), ssl_session->handshake_data.data);
4947 ssl_session->handshake_data.data = NULL((void*)0);
4948 ssl_session->handshake_data.data_len = 0;
4949
4950 if (!prf(ssl_session, &ssl_session->pre_master_secret, "extended master secret",
4951 &handshake_hashed_data,
4952 NULL((void*)0), &ssl_session->master_secret,
4953 SSL_MASTER_SECRET_LENGTH48)) {
4954 ssl_debug_printf("%s can't generate master_secret\n", G_STRFUNC((const char*) (__func__)));
4955 g_free(handshake_hashed_data.data)(__builtin_object_size ((handshake_hashed_data.data), 0) != (
(size_t) - 1)) ? g_free_sized (handshake_hashed_data.data, __builtin_object_size
((handshake_hashed_data.data), 0)) : (g_free) (handshake_hashed_data
.data)
;
4956 return -1;
4957 }
4958 g_free(handshake_hashed_data.data)(__builtin_object_size ((handshake_hashed_data.data), 0) != (
(size_t) - 1)) ? g_free_sized (handshake_hashed_data.data, __builtin_object_size
((handshake_hashed_data.data), 0)) : (g_free) (handshake_hashed_data
.data)
;
4959 } else {
4960 ssl_debug_printf("%s:PRF(pre_master_secret)\n", G_STRFUNC((const char*) (__func__)));
4961 ssl_print_string("pre master secret",&ssl_session->pre_master_secret);
4962 ssl_print_string("client random",&ssl_session->client_random);
4963 ssl_print_string("server random",&ssl_session->server_random);
4964 if (!prf(ssl_session, &ssl_session->pre_master_secret, "master secret",
4965 &ssl_session->client_random,
4966 &ssl_session->server_random, &ssl_session->master_secret,
4967 SSL_MASTER_SECRET_LENGTH48)) {
4968 ssl_debug_printf("%s can't generate master_secret\n", G_STRFUNC((const char*) (__func__)));
4969 return -1;
4970 }
4971 }
4972 ssl_print_string("master secret",&ssl_session->master_secret);
4973
4974 /* the pre-master secret has been 'consumed' so we must clear it now */
4975 ssl_session->state &= ~SSL_PRE_MASTER_SECRET(1<<6);
4976 ssl_session->state |= SSL_MASTER_SECRET(1<<5);
4977 }
4978
4979 /* Find the Libgcrypt cipher algorithm for the given SSL cipher suite ID */
4980 if (cipher_suite->enc != ENC_NULL0x3D) {
4981 const char *cipher_name = ciphers[cipher_suite->enc-ENC_START0x30];
4982 ssl_debug_printf("%s CIPHER: %s\n", G_STRFUNC((const char*) (__func__)), cipher_name);
4983 cipher_algo = ssl_get_cipher_by_name(cipher_name);
4984 if (cipher_algo == 0) {
4985 ssl_debug_printf("%s can't find cipher %s\n", G_STRFUNC((const char*) (__func__)), cipher_name);
4986 return -1;
4987 }
4988 }
4989
4990 /* Export ciphers consume less material from the key block. */
4991 encr_key_len = ssl_get_cipher_export_keymat_size(cipher_suite->number);
4992 is_export_cipher = encr_key_len > 0;
4993 if (!is_export_cipher && cipher_suite->enc != ENC_NULL0x3D) {
4994 encr_key_len = (unsigned)gcry_cipher_get_algo_keylen(cipher_algo);
4995 }
4996
4997 if (cipher_suite->mode == MODE_CBC) {
4998 write_iv_len = (unsigned)gcry_cipher_get_algo_blklen(cipher_algo);
4999 } else if (cipher_suite->mode == MODE_GCM || cipher_suite->mode == MODE_CCM || cipher_suite->mode == MODE_CCM_8) {
5000 /* account for a four-byte salt for client and server side (from
5001 * client_write_IV and server_write_IV), see GCMNonce (RFC 5288) */
5002 write_iv_len = 4;
5003 } else if (cipher_suite->mode == MODE_POLY1305) {
5004 /* RFC 7905: SecurityParameters.fixed_iv_length is twelve bytes */
5005 write_iv_len = 12;
5006 }
5007
5008 /* Compute the key block. First figure out how much data we need */
5009 needed = ssl_cipher_suite_dig(cipher_suite)->len*2; /* MAC key */
5010 needed += 2 * encr_key_len; /* encryption key */
5011 needed += 2 * write_iv_len; /* write IV */
5012
5013 key_block.data = (unsigned char *)g_malloc(needed);
5014 ssl_debug_printf("%s sess key generation\n", G_STRFUNC((const char*) (__func__)));
5015 if (!prf(ssl_session, &ssl_session->master_secret, "key expansion",
5016 &ssl_session->server_random,&ssl_session->client_random,
5017 &key_block, needed)) {
5018 ssl_debug_printf("%s can't generate key_block\n", G_STRFUNC((const char*) (__func__)));
5019 goto fail;
5020 }
5021 ssl_print_string("key expansion", &key_block);
5022
5023 ptr=key_block.data;
5024 /* client/server write MAC key (for non-AEAD ciphers) */
5025 if (cipher_suite->mode == MODE_STREAM || cipher_suite->mode == MODE_CBC) {
5026 c_mk=ptr; ptr+=ssl_cipher_suite_dig(cipher_suite)->len;
5027 s_mk=ptr; ptr+=ssl_cipher_suite_dig(cipher_suite)->len;
5028 }
5029 /* client/server write encryption key */
5030 c_wk=ptr; ptr += encr_key_len;
5031 s_wk=ptr; ptr += encr_key_len;
5032 /* client/server write IV (used as IV (for CBC) or salt (for AEAD)) */
5033 if (write_iv_len > 0) {
5034 c_iv=ptr; ptr += write_iv_len;
5035 s_iv=ptr; /* ptr += write_iv_len; */
5036 }
5037
5038 /* export ciphers work with a smaller key length */
5039 if (is_export_cipher) {
5040 if (cipher_suite->mode == MODE_CBC) {
5041
5042 /* We only have room for MAX_BLOCK_SIZE bytes IVs, but that's
5043 all we should need. This is a sanity check */
5044 if (write_iv_len > MAX_BLOCK_SIZE16) {
5045 ssl_debug_printf("%s cipher suite block must be at most %d nut is %d\n",
5046 G_STRFUNC((const char*) (__func__)), MAX_BLOCK_SIZE16, write_iv_len);
5047 goto fail;
5048 }
5049
5050 if(ssl_session->session.version==SSLV3_VERSION0x300){
5051 /* The length of these fields are ignored by this caller */
5052 StringInfo iv_c, iv_s;
5053 iv_c.data = _iv_c;
5054 iv_s.data = _iv_s;
5055
5056 ssl_debug_printf("%s ssl3_generate_export_iv\n", G_STRFUNC((const char*) (__func__)));
5057 if (!ssl3_generate_export_iv(&ssl_session->client_random,
5058 &ssl_session->server_random, &iv_c, write_iv_len)) {
5059 goto fail;
5060 }
5061 ssl_debug_printf("%s ssl3_generate_export_iv(2)\n", G_STRFUNC((const char*) (__func__)));
5062 if (!ssl3_generate_export_iv(&ssl_session->server_random,
5063 &ssl_session->client_random, &iv_s, write_iv_len)) {
5064 goto fail;
5065 }
5066 }
5067 else{
5068 uint8_t _iv_block[MAX_BLOCK_SIZE16 * 2];
5069 StringInfo iv_block;
5070 StringInfo key_null;
5071 uint8_t _key_null;
5072
5073 key_null.data = &_key_null;
5074 key_null.data_len = 0;
5075
5076 iv_block.data = _iv_block;
5077
5078 ssl_debug_printf("%s prf(iv_block)\n", G_STRFUNC((const char*) (__func__)));
5079 if (!prf(ssl_session, &key_null, "IV block",
5080 &ssl_session->client_random,
5081 &ssl_session->server_random, &iv_block,
5082 write_iv_len * 2)) {
5083 ssl_debug_printf("%s can't generate tls31 iv block\n", G_STRFUNC((const char*) (__func__)));
5084 goto fail;
5085 }
5086
5087 memcpy(_iv_c, iv_block.data, write_iv_len);
5088 memcpy(_iv_s, iv_block.data + write_iv_len, write_iv_len);
5089 }
5090
5091 c_iv=_iv_c;
5092 s_iv=_iv_s;
5093 }
5094
5095 if (ssl_session->session.version==SSLV3_VERSION0x300){
5096
5097 SSL_MD5_CTXgcry_md_hd_t md5;
5098 ssl_debug_printf("%s MD5(client_random)\n", G_STRFUNC((const char*) (__func__)));
5099
5100 if (ssl_md5_init(&md5) != 0)
5101 goto fail;
5102 ssl_md5_update(&md5,c_wk,encr_key_len);
5103 ssl_md5_update(&md5,ssl_session->client_random.data,
5104 ssl_session->client_random.data_len);
5105 ssl_md5_update(&md5,ssl_session->server_random.data,
5106 ssl_session->server_random.data_len);
5107 ssl_md5_final(_key_c,&md5);
5108 ssl_md5_cleanup(&md5);
5109 c_wk=_key_c;
5110
5111 if (ssl_md5_init(&md5) != 0)
5112 goto fail;
5113 ssl_debug_printf("%s MD5(server_random)\n", G_STRFUNC((const char*) (__func__)));
5114 ssl_md5_update(&md5,s_wk,encr_key_len);
5115 ssl_md5_update(&md5,ssl_session->server_random.data,
5116 ssl_session->server_random.data_len);
5117 ssl_md5_update(&md5,ssl_session->client_random.data,
5118 ssl_session->client_random.data_len);
5119 ssl_md5_final(_key_s,&md5);
5120 ssl_md5_cleanup(&md5);
5121 s_wk=_key_s;
5122 }
5123 else{
5124 StringInfo key_c, key_s, k;
5125 key_c.data = _key_c;
5126 key_s.data = _key_s;
5127
5128 k.data = c_wk;
5129 k.data_len = encr_key_len;
5130 ssl_debug_printf("%s PRF(key_c)\n", G_STRFUNC((const char*) (__func__)));
5131 if (!prf(ssl_session, &k, "client write key",
5132 &ssl_session->client_random,
5133 &ssl_session->server_random, &key_c, sizeof(_key_c))) {
5134 ssl_debug_printf("%s can't generate tll31 server key \n", G_STRFUNC((const char*) (__func__)));
5135 goto fail;
5136 }
5137 c_wk=_key_c;
5138
5139 k.data = s_wk;
5140 k.data_len = encr_key_len;
5141 ssl_debug_printf("%s PRF(key_s)\n", G_STRFUNC((const char*) (__func__)));
5142 if (!prf(ssl_session, &k, "server write key",
5143 &ssl_session->client_random,
5144 &ssl_session->server_random, &key_s, sizeof(_key_s))) {
5145 ssl_debug_printf("%s can't generate tll31 client key \n", G_STRFUNC((const char*) (__func__)));
5146 goto fail;
5147 }
5148 s_wk=_key_s;
5149 }
5150 }
5151
5152 /* show key material info */
5153 if (c_mk != NULL((void*)0)) {
5154 ssl_print_data("Client MAC key",c_mk,ssl_cipher_suite_dig(cipher_suite)->len);
5155 ssl_print_data("Server MAC key",s_mk,ssl_cipher_suite_dig(cipher_suite)->len);
5156 }
5157 ssl_print_data("Client Write key", c_wk, encr_key_len);
5158 ssl_print_data("Server Write key", s_wk, encr_key_len);
5159 /* used as IV for CBC mode and the AEAD implicit nonce (salt) */
5160 if (write_iv_len > 0) {
5161 ssl_print_data("Client Write IV", c_iv, write_iv_len);
5162 ssl_print_data("Server Write IV", s_iv, write_iv_len);
5163 }
5164
5165create_decoders:
5166 /* create both client and server ciphers*/
5167 ssl_debug_printf("%s ssl_create_decoder(client)\n", G_STRFUNC((const char*) (__func__)));
5168 ssl_session->client_new = ssl_create_decoder(cipher_suite, cipher_algo, ssl_session->session.compression, c_mk, c_wk, NULL((void*)0), c_iv, write_iv_len);
5169 if (!ssl_session->client_new) {
5170 ssl_debug_printf("%s can't init client decoder\n", G_STRFUNC((const char*) (__func__)));
5171 goto fail;
5172 }
5173 ssl_debug_printf("%s ssl_create_decoder(server)\n", G_STRFUNC((const char*) (__func__)));
5174 ssl_session->server_new = ssl_create_decoder(cipher_suite, cipher_algo, ssl_session->session.compression, s_mk, s_wk, NULL((void*)0), s_iv, write_iv_len);
5175 if (!ssl_session->server_new) {
5176 ssl_debug_printf("%s can't init server decoder\n", G_STRFUNC((const char*) (__func__)));
5177 goto fail;
5178 }
5179
5180 /* Continue the SSL stream after renegotiation with new keys. */
5181 ssl_session->client_new->flow = ssl_session->client ? ssl_session->client->flow : ssl_create_flow();
5182 ssl_session->server_new->flow = ssl_session->server ? ssl_session->server->flow : ssl_create_flow();
5183
5184 ssl_debug_printf("%s: client seq %" PRIu64"l" "u" ", server seq %" PRIu64"l" "u" "\n",
5185 G_STRFUNC((const char*) (__func__)), ssl_session->client_new->seq, ssl_session->server_new->seq);
5186 g_free(key_block.data)(__builtin_object_size ((key_block.data), 0) != ((size_t) - 1
)) ? g_free_sized (key_block.data, __builtin_object_size ((key_block
.data), 0)) : (g_free) (key_block.data)
;
5187 ssl_session->state |= SSL_HAVE_SESSION_KEY(1<<3);
5188 return 0;
5189
5190fail:
5191 g_free(key_block.data)(__builtin_object_size ((key_block.data), 0) != ((size_t) - 1
)) ? g_free_sized (key_block.data, __builtin_object_size ((key_block
.data), 0)) : (g_free) (key_block.data)
;
5192 return -1;
5193}
5194
5195/* Generated the key material based on the given secret. */
5196bool_Bool
5197tls13_generate_keys(SslDecryptSession *ssl_session, const StringInfo *secret, bool_Bool is_from_server)
5198{
5199 bool_Bool success = false0;
5200 unsigned char *write_key = NULL((void*)0), *write_iv = NULL((void*)0);
5201 unsigned char *sn_key = NULL((void*)0);
5202 SslDecoder *decoder;
5203 unsigned key_length, iv_length;
5204 int hash_algo;
5205 const SslCipherSuite *cipher_suite = ssl_session->cipher_suite;
5206 int cipher_algo;
5207
5208 if ((ssl_session->session.version != TLSV1DOT3_VERSION0x304) && (ssl_session->session.version != DTLSV1DOT3_VERSION0xfefc)) {
5209 ssl_debug_printf("%s only usable for TLS 1.3, not %#x!\n", G_STRFUNC((const char*) (__func__)),
5210 ssl_session->session.version);
5211 return false0;
5212 }
5213
5214 if (cipher_suite == NULL((void*)0)) {
5215 ssl_debug_printf("%s Unknown cipher\n", G_STRFUNC((const char*) (__func__)));
5216 return false0;
5217 }
5218
5219 if (cipher_suite->kex != KEX_TLS130x23) {
5220 ssl_debug_printf("%s Invalid cipher suite 0x%04x spotted!\n", G_STRFUNC((const char*) (__func__)), cipher_suite->number);
5221 return false0;
5222 }
5223
5224 /* Find the Libgcrypt cipher algorithm for the given SSL cipher suite ID */
5225 const char *cipher_name = ciphers[cipher_suite->enc-ENC_START0x30];
5226 ssl_debug_printf("%s CIPHER: %s\n", G_STRFUNC((const char*) (__func__)), cipher_name);
5227 cipher_algo = ssl_get_cipher_by_name(cipher_name);
5228 if (cipher_algo == 0) {
5229 ssl_debug_printf("%s can't find cipher %s\n", G_STRFUNC((const char*) (__func__)), cipher_name);
5230 return false0;
5231 }
5232
5233 const char *hash_name = ssl_cipher_suite_dig(cipher_suite)->name;
5234 hash_algo = ssl_get_digest_by_name(hash_name);
5235 if (!hash_algo) {
5236 ssl_debug_printf("%s can't find hash function %s\n", G_STRFUNC((const char*) (__func__)), hash_name);
5237 return false0;
5238 }
5239
5240 key_length = (unsigned) gcry_cipher_get_algo_keylen(cipher_algo);
5241 /* AES-GCM/AES-CCM/Poly1305-ChaCha20 all have N_MIN=N_MAX = 12. */
5242 iv_length = 12;
5243 ssl_debug_printf("%s key_length %u iv_length %u\n", G_STRFUNC((const char*) (__func__)), key_length, iv_length);
5244
5245 const char *label_prefix = tls13_hkdf_label_prefix(ssl_session);
5246 if (!tls13_hkdf_expand_label(hash_algo, secret, label_prefix, "key", key_length, &write_key)) {
5247 ssl_debug_printf("%s write_key expansion failed\n", G_STRFUNC((const char*) (__func__)));
5248 return false0;
5249 }
5250 if (!tls13_hkdf_expand_label(hash_algo, secret, label_prefix, "iv", iv_length, &write_iv)) {
5251 ssl_debug_printf("%s write_iv expansion failed\n", G_STRFUNC((const char*) (__func__)));
5252 goto end;
5253 }
5254
5255 if (ssl_session->session.version == DTLSV1DOT3_VERSION0xfefc) {
5256 if (!tls13_hkdf_expand_label(hash_algo, secret, label_prefix, "sn", key_length, &sn_key)) {
5257 ssl_debug_printf("%s sn_key expansion failed\n", G_STRFUNC((const char*) (__func__)));
5258 goto end;
5259 }
5260 }
5261
5262 ssl_print_data(is_from_server ? "Server Write Key" : "Client Write Key", write_key, key_length);
5263 ssl_print_data(is_from_server ? "Server Write IV" : "Client Write IV", write_iv, iv_length);
5264 if (ssl_session->session.version == DTLSV1DOT3_VERSION0xfefc) {
5265 ssl_print_data(is_from_server ? "Server Write SN" : "Client Write SN", sn_key, key_length);
5266 }
5267
5268 ssl_debug_printf("%s ssl_create_decoder(%s)\n", G_STRFUNC((const char*) (__func__)), is_from_server ? "server" : "client");
5269 decoder = ssl_create_decoder(cipher_suite, cipher_algo, 0, NULL((void*)0), write_key, sn_key, write_iv, iv_length);
5270 if (!decoder) {
5271 ssl_debug_printf("%s can't init %s decoder\n", G_STRFUNC((const char*) (__func__)), is_from_server ? "server" : "client");
5272 goto end;
5273 }
5274
5275 /* Continue the TLS session with new keys, but reuse old flow to keep things
5276 * like "Follow TLS" working (by linking application data records). */
5277 if (is_from_server) {
5278 decoder->flow = ssl_session->server ? ssl_session->server->flow : ssl_create_flow();
5279 ssl_session->server = decoder;
5280 } else {
5281 decoder->flow = ssl_session->client ? ssl_session->client->flow : ssl_create_flow();
5282 ssl_session->client = decoder;
5283 }
5284 ssl_debug_printf("%s %s ready using cipher suite 0x%04x (cipher %s hash %s)\n", G_STRFUNC((const char*) (__func__)),
5285 is_from_server ? "Server" : "Client", cipher_suite->number, cipher_name, hash_name);
5286 success = true1;
5287
5288end:
5289 wmem_free(NULL((void*)0), write_key);
5290 wmem_free(NULL((void*)0), write_iv);
5291 if (sn_key)
5292 wmem_free(NULL((void*)0), sn_key);
5293 return success;
5294}
5295/* (Pre-)master secrets calculations }}} */
5296
5297#ifdef HAVE_LIBGNUTLS1
5298/* Decrypt RSA pre-master secret using RSA private key. {{{ */
5299static bool_Bool
5300ssl_decrypt_pre_master_secret(SslDecryptSession *ssl_session,
5301 StringInfo *encrypted_pre_master, GHashTable *key_hash)
5302{
5303 int ret;
5304
5305 if (!encrypted_pre_master)
5306 return false0;
5307
5308 if (KEX_IS_DH(ssl_session->cipher_suite->kex)((ssl_session->cipher_suite->kex) >= 0x10 &&
(ssl_session->cipher_suite->kex) <= 0x1b)
) {
5309 ssl_debug_printf("%s: session uses Diffie-Hellman key exchange "
5310 "(cipher suite 0x%04X %s) and cannot be decrypted "
5311 "using a RSA private key file.\n",
5312 G_STRFUNC((const char*) (__func__)), ssl_session->session.cipher,
5313 val_to_str_ext_const(ssl_session->session.cipher,
5314 &ssl_31_ciphersuite_ext, "unknown"));
5315 return false0;
5316 } else if (ssl_session->cipher_suite->kex != KEX_RSA0x1e) {
5317 ssl_debug_printf("%s key exchange %d different from KEX_RSA (%d)\n",
5318 G_STRFUNC((const char*) (__func__)), ssl_session->cipher_suite->kex, KEX_RSA0x1e);
5319 return false0;
5320 }
5321
5322 gnutls_privkey_t pk = (gnutls_privkey_t)g_hash_table_lookup(key_hash, ssl_session->cert_key_id);
5323
5324 ssl_print_string("pre master encrypted", encrypted_pre_master);
5325 ssl_debug_printf("%s: RSA_private_decrypt\n", G_STRFUNC((const char*) (__func__)));
5326 const gnutls_datum_t epms = { encrypted_pre_master->data, encrypted_pre_master->data_len };
5327 gnutls_datum_t pms = { 0 };
5328 if (pk) {
5329 // Try to decrypt using the RSA keys table from (D)TLS preferences.
5330 char *err = NULL((void*)0);
5331 gcry_sexp_t private_key = rsa_abstract_privkey_to_sexp(pk, &err);
5332 if (!private_key) {
5333 ssl_debug_printf("%s: decryption failed: Can't export private key: %s", G_STRFUNC((const char*) (__func__)), err);
5334 g_free(err)(__builtin_object_size ((err), 0) != ((size_t) - 1)) ? g_free_sized
(err, __builtin_object_size ((err), 0)) : (g_free) (err)
;
5335 return false0;
5336 }
5337
5338 pms.size = (int)rsa_decrypt(encrypted_pre_master->data_len, encrypted_pre_master->data, &pms.data, private_key, "pkcs1", &err);
5339 rsa_private_key_free(private_key);
5340 if (pms.size == 0) {
5341 ssl_debug_printf("%s: decryption failed: %s\n", G_STRFUNC((const char*) (__func__)), err);
5342 g_free(err)(__builtin_object_size ((err), 0) != ((size_t) - 1)) ? g_free_sized
(err, __builtin_object_size ((err), 0)) : (g_free) (err)
;
5343 return false0;
5344 }
5345 } else {
5346 // Try to decrypt using a hardware token.
5347 ret = secrets_rsa_decrypt(ssl_session->cert_key_id, epms.data, epms.size, &pms.data, &pms.size);
5348 if (ret < 0) {
5349 ssl_debug_printf("%s: decryption failed: %d (%s)\n", G_STRFUNC((const char*) (__func__)), ret, gnutls_strerror(ret));
5350 return false0;
5351 }
5352 }
5353
5354 if (pms.size != 48) {
5355 ssl_debug_printf("%s wrong pre_master_secret length (%d, expected %d)\n",
5356 G_STRFUNC((const char*) (__func__)), pms.size, 48);
5357 g_free(pms.data)(__builtin_object_size ((pms.data), 0) != ((size_t) - 1)) ? g_free_sized
(pms.data, __builtin_object_size ((pms.data), 0)) : (g_free)
(pms.data)
;
5358 return false0;
5359 }
5360
5361 ssl_session->pre_master_secret.data = (uint8_t *)wmem_memdup(wmem_file_scope(), pms.data, 48);
5362 ssl_session->pre_master_secret.data_len = 48;
5363 g_free(pms.data)(__builtin_object_size ((pms.data), 0) != ((size_t) - 1)) ? g_free_sized
(pms.data, __builtin_object_size ((pms.data), 0)) : (g_free)
(pms.data)
;
5364 ssl_print_string("pre master secret", &ssl_session->pre_master_secret);
5365
5366 /* Remove the master secret if it was there.
5367 This forces keying material regeneration in
5368 case we're renegotiating */
5369 ssl_session->state &= ~(SSL_MASTER_SECRET(1<<5)|SSL_HAVE_SESSION_KEY(1<<3));
5370 ssl_session->state |= SSL_PRE_MASTER_SECRET(1<<6);
5371 return true1;
5372} /* }}} */
5373#endif /* HAVE_LIBGNUTLS */
5374
5375/* Decryption integrity check {{{ */
5376
5377static int
5378tls_check_mac(SslDecoder*decoder, int ct, int ver, uint8_t* data,
5379 uint32_t datalen, uint8_t* mac)
5380{
5381 SSL_HMACgcry_md_hd_t hm;
5382 int md;
5383 uint32_t len;
5384 uint8_t buf[DIGEST_MAX_SIZE48];
5385 int16_t temp;
5386
5387 md=ssl_get_digest_by_name(ssl_cipher_suite_dig(decoder->cipher_suite)->name);
5388 ssl_debug_printf("tls_check_mac mac type:%s md %d\n",
5389 ssl_cipher_suite_dig(decoder->cipher_suite)->name, md);
5390
5391 if (ssl_hmac_init(&hm,md) != 0)
5392 return -1;
5393 if (ssl_hmac_setkey(&hm,decoder->mac_key.data,decoder->mac_key.data_len) != 0)
5394 return -1;
5395
5396 /* hash sequence number */
5397 phtonu64(buf, decoder->seq);
5398
5399 decoder->seq++;
5400
5401 ssl_hmac_update(&hm,buf,8);
5402
5403 /* hash content type */
5404 buf[0]=ct;
5405 ssl_hmac_update(&hm,buf,1);
5406
5407 /* hash version,data length and data*/
5408 /* *((int16_t*)buf) = g_htons(ver); */
5409 temp = g_htons(ver)(((((guint16) ( (guint16) ((guint16) (ver) >> 8) | (guint16
) ((guint16) (ver) << 8))))))
;
5410 memcpy(buf, &temp, 2);
5411 ssl_hmac_update(&hm,buf,2);
5412
5413 /* *((int16_t*)buf) = g_htons(datalen); */
5414 temp = g_htons(datalen)(((((guint16) ( (guint16) ((guint16) (datalen) >> 8) | (
guint16) ((guint16) (datalen) << 8))))))
;
5415 memcpy(buf, &temp, 2);
5416 ssl_hmac_update(&hm,buf,2);
5417 ssl_hmac_update(&hm,data,datalen);
5418
5419 /* get digest and digest len*/
5420 len = sizeof(buf);
5421 ssl_hmac_final(&hm,buf,&len);
5422 ssl_hmac_cleanup(&hm);
5423 ssl_print_data("Mac", buf, len);
5424 if(memcmp(mac,buf,len))
5425 return -1;
5426
5427 return 0;
5428}
5429
5430static int
5431ssl3_check_mac(SslDecoder*decoder,int ct,uint8_t* data,
5432 uint32_t datalen, uint8_t* mac)
5433{
5434 SSL_MDgcry_md_hd_t mc;
5435 int md;
5436 uint32_t len;
5437 uint8_t buf[64],dgst[20];
5438 int pad_ct;
5439 int16_t temp;
5440
5441 pad_ct=(decoder->cipher_suite->dig==DIG_SHA0x41)?40:48;
5442
5443 /* get cipher used for digest computation */
5444 md=ssl_get_digest_by_name(ssl_cipher_suite_dig(decoder->cipher_suite)->name);
5445 if (ssl_md_init(&mc,md) !=0)
5446 return -1;
5447
5448 /* do hash computation on data && padding */
5449 ssl_md_update(&mc,decoder->mac_key.data,decoder->mac_key.data_len);
5450
5451 /* hash padding*/
5452 memset(buf,0x36,pad_ct);
5453 ssl_md_update(&mc,buf,pad_ct);
5454
5455 /* hash sequence number */
5456 phtonu64(buf, decoder->seq);
5457 decoder->seq++;
5458 ssl_md_update(&mc,buf,8);
5459
5460 /* hash content type */
5461 buf[0]=ct;
5462 ssl_md_update(&mc,buf,1);
5463
5464 /* hash data length in network byte order and data*/
5465 /* *((int16_t* )buf) = g_htons(datalen); */
5466 temp = g_htons(datalen)(((((guint16) ( (guint16) ((guint16) (datalen) >> 8) | (
guint16) ((guint16) (datalen) << 8))))))
;
5467 memcpy(buf, &temp, 2);
5468 ssl_md_update(&mc,buf,2);
5469 ssl_md_update(&mc,data,datalen);
5470
5471 /* get partial digest */
5472 ssl_md_final(&mc,dgst,&len);
5473 ssl_md_reset(&mc);
5474
5475 /* hash mac key */
5476 ssl_md_update(&mc,decoder->mac_key.data,decoder->mac_key.data_len);
5477
5478 /* hash padding and partial digest*/
5479 memset(buf,0x5c,pad_ct);
5480 ssl_md_update(&mc,buf,pad_ct);
5481 ssl_md_update(&mc,dgst,len);
5482
5483 ssl_md_final(&mc,dgst,&len);
5484 ssl_md_cleanup(&mc);
5485
5486 if(memcmp(mac,dgst,len))
5487 return -1;
5488
5489 return 0;
5490}
5491
5492static int
5493dtls_check_mac(SslDecryptSession *ssl, SslDecoder*decoder, int ct, uint8_t* data,
5494 uint32_t datalen, uint8_t* mac, const unsigned char *cid, uint8_t cidl)
5495{
5496 SSL_HMACgcry_md_hd_t hm;
5497 int md;
5498 uint32_t len;
5499 uint8_t buf[DIGEST_MAX_SIZE48];
5500 int16_t temp;
5501
5502 int ver = ssl->session.version;
5503 bool_Bool is_cid = ((ct == SSL_ID_TLS12_CID) && (ver == DTLSV1DOT2_VERSION0xfefd));
5504
5505 md=ssl_get_digest_by_name(ssl_cipher_suite_dig(decoder->cipher_suite)->name);
5506 ssl_debug_printf("dtls_check_mac mac type:%s md %d\n",
5507 ssl_cipher_suite_dig(decoder->cipher_suite)->name, md);
5508
5509 if (ssl_hmac_init(&hm,md) != 0)
5510 return -1;
5511 if (ssl_hmac_setkey(&hm,decoder->mac_key.data,decoder->mac_key.data_len) != 0)
5512 return -1;
5513
5514 ssl_debug_printf("dtls_check_mac seq: %" PRIu64"l" "u" " epoch: %d\n",decoder->seq,decoder->epoch);
5515
5516 if (is_cid && !ssl->session.deprecated_cid) {
5517 /* hash seq num placeholder */
5518 memset(buf,0xFF,8);
5519 ssl_hmac_update(&hm,buf,8);
5520
5521 /* hash content type + cid length + content type */
5522 buf[0]=ct;
5523 buf[1]=cidl;
5524 buf[2]=ct;
5525 ssl_hmac_update(&hm,buf,3);
5526
5527 /* hash version */
5528 temp = g_htons(ver)(((((guint16) ( (guint16) ((guint16) (ver) >> 8) | (guint16
) ((guint16) (ver) << 8))))))
;
5529 memcpy(buf, &temp, 2);
5530 ssl_hmac_update(&hm,buf,2);
5531
5532 /* hash sequence number */
5533 phtonu64(buf, decoder->seq);
5534 buf[0]=decoder->epoch>>8;
5535 buf[1]=(uint8_t)decoder->epoch;
5536 ssl_hmac_update(&hm,buf,8);
5537
5538 /* hash cid */
5539 ssl_hmac_update(&hm,cid,cidl);
5540 } else {
5541 /* hash sequence number */
5542 phtonu64(buf, decoder->seq);
5543 buf[0]=decoder->epoch>>8;
5544 buf[1]=(uint8_t)decoder->epoch;
5545 ssl_hmac_update(&hm,buf,8);
5546
5547 /* hash content type */
5548 buf[0]=ct;
5549 ssl_hmac_update(&hm,buf,1);
5550
5551 /* hash version */
5552 temp = g_htons(ver)(((((guint16) ( (guint16) ((guint16) (ver) >> 8) | (guint16
) ((guint16) (ver) << 8))))))
;
5553 memcpy(buf, &temp, 2);
5554 ssl_hmac_update(&hm,buf,2);
5555
5556 if (is_cid && ssl->session.deprecated_cid) {
5557 /* hash cid */
5558 ssl_hmac_update(&hm,cid,cidl);
5559
5560 /* hash cid length */
5561 buf[0] = cidl;
5562 ssl_hmac_update(&hm,buf,1);
5563 }
5564 }
5565
5566 /* data length and data */
5567 temp = g_htons(datalen)(((((guint16) ( (guint16) ((guint16) (datalen) >> 8) | (
guint16) ((guint16) (datalen) << 8))))))
;
5568 memcpy(buf, &temp, 2);
5569 ssl_hmac_update(&hm,buf,2);
5570 ssl_hmac_update(&hm,data,datalen);
5571
5572 /* get digest and digest len */
5573 len = sizeof(buf);
5574 ssl_hmac_final(&hm,buf,&len);
5575 ssl_hmac_cleanup(&hm);
5576 ssl_print_data("Mac", buf, len);
5577 if(memcmp(mac,buf,len))
5578 return -1;
5579
5580 return 0;
5581}
5582/* Decryption integrity check }}} */
5583
5584
5585static bool_Bool
5586tls_decrypt_aead_record(wmem_allocator_t* allocator, SslDecryptSession *ssl, SslDecoder *decoder,
5587 uint8_t ct, uint16_t record_version,
5588 bool_Bool ignore_mac_failed,
5589 const unsigned char *in, uint16_t inl,
5590 const unsigned char *cid, uint8_t cidl,
5591 StringInfo *out_str, unsigned *outl)
5592{
5593 /* RFC 5246 (TLS 1.2) 6.2.3.3 defines the TLSCipherText.fragment as:
5594 * GenericAEADCipher: { nonce_explicit, [content] }
5595 * In TLS 1.3 this explicit nonce is gone.
5596 * With AES GCM/CCM, "[content]" is actually the concatenation of the
5597 * ciphertext and authentication tag.
5598 */
5599 const uint16_t version = ssl->session.version;
5600 const bool_Bool is_v12 = version == TLSV1DOT2_VERSION0x303 || version == DTLSV1DOT2_VERSION0xfefd || version == TLCPV1_VERSION0x101;
5601 gcry_error_t err;
5602 const unsigned char *explicit_nonce = NULL((void*)0), *ciphertext;
5603 unsigned ciphertext_len, auth_tag_len;
5604 unsigned char nonce[12];
5605 const ssl_cipher_mode_t cipher_mode = decoder->cipher_suite->mode;
5606 const bool_Bool is_cid = ct == SSL_ID_TLS12_CID && version == DTLSV1DOT2_VERSION0xfefd;
5607 const uint8_t draft_version = ssl->session.tls13_draft_version;
5608 const unsigned char *auth_tag_wire;
5609 unsigned char auth_tag_calc[16];
5610 unsigned char *aad = NULL((void*)0);
5611 unsigned aad_len = 0;
5612
5613 switch (cipher_mode) {
5614 case MODE_GCM:
5615 case MODE_CCM:
5616 case MODE_POLY1305:
5617 auth_tag_len = 16;
5618 break;
5619 case MODE_CCM_8:
5620 auth_tag_len = 8;
5621 break;
5622 default:
5623 ssl_debug_printf("%s unsupported cipher!\n", G_STRFUNC((const char*) (__func__)));
5624 return false0;
5625 }
5626
5627 /* Parse input into explicit nonce (TLS 1.2 only), ciphertext and tag. */
5628 if (is_v12 && cipher_mode != MODE_POLY1305) {
5629 if (inl < EXPLICIT_NONCE_LEN8 + auth_tag_len) {
5630 ssl_debug_printf("%s input %d is too small for explicit nonce %d and auth tag %d\n",
5631 G_STRFUNC((const char*) (__func__)), inl, EXPLICIT_NONCE_LEN8, auth_tag_len);
5632 return false0;
5633 }
5634 explicit_nonce = in;
5635 ciphertext = explicit_nonce + EXPLICIT_NONCE_LEN8;
5636 ciphertext_len = inl - EXPLICIT_NONCE_LEN8 - auth_tag_len;
5637 } else if (version == TLSV1DOT3_VERSION0x304 || version == DTLSV1DOT3_VERSION0xfefc || cipher_mode == MODE_POLY1305) {
5638 if (inl < auth_tag_len) {
5639 ssl_debug_printf("%s input %d has no space for auth tag %d\n", G_STRFUNC((const char*) (__func__)), inl, auth_tag_len);
5640 return false0;
5641 }
5642 ciphertext = in;
5643 ciphertext_len = inl - auth_tag_len;
5644 } else {
5645 ssl_debug_printf("%s Unexpected TLS version %#x\n", G_STRFUNC((const char*) (__func__)), version);
5646 return false0;
5647 }
5648 auth_tag_wire = ciphertext + ciphertext_len;
5649
5650 /*
5651 * Nonce construction is version-specific. Note that AEAD_CHACHA20_POLY1305
5652 * (RFC 7905) uses a nonce construction similar to TLS 1.3.
5653 */
5654 if (is_v12 && cipher_mode != MODE_POLY1305) {
5655 DISSECTOR_ASSERT(decoder->write_iv.data_len == IMPLICIT_NONCE_LEN)((void) ((decoder->write_iv.data_len == 4) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 5655, "decoder->write_iv.data_len == 4"))))
;
5656 /* Implicit (4) and explicit (8) part of nonce. */
5657 memcpy(nonce, decoder->write_iv.data, IMPLICIT_NONCE_LEN4);
5658 memcpy(nonce + IMPLICIT_NONCE_LEN4, explicit_nonce, EXPLICIT_NONCE_LEN8);
5659
5660 } else if (version == TLSV1DOT3_VERSION0x304 || version == DTLSV1DOT3_VERSION0xfefc || cipher_mode == MODE_POLY1305) {
5661 /*
5662 * Technically the nonce length must be at least 8 bytes, but for
5663 * AES-GCM, AES-CCM and Poly1305-ChaCha20 the nonce length is exact 12.
5664 */
5665 const unsigned nonce_len = 12;
5666 DISSECTOR_ASSERT(decoder->write_iv.data_len == nonce_len)((void) ((decoder->write_iv.data_len == nonce_len) ? (void
)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\""
, "epan/dissectors/packet-tls-utils.c", 5666, "decoder->write_iv.data_len == nonce_len"
))))
;
5667 memcpy(nonce, decoder->write_iv.data, decoder->write_iv.data_len);
5668 /* Sequence number is left-padded with zeroes and XORed with write_iv */
5669 phtonu64(nonce + nonce_len - 8, pntohu64(nonce + nonce_len - 8) ^ decoder->seq);
5670 ssl_debug_printf("%s seq %" PRIu64"l" "u" "\n", G_STRFUNC((const char*) (__func__)), decoder->seq);
5671 }
5672
5673 /* Set nonce and additional authentication data */
5674 gcry_cipher_reset(decoder->evp)gcry_cipher_ctl ((decoder->evp), GCRYCTL_RESET, ((void*)0)
, 0)
;
5675 ssl_print_data("nonce", nonce, 12);
5676 err = gcry_cipher_setiv(decoder->evp, nonce, 12);
5677 if (err) {
5678 ssl_debug_printf("%s failed to set nonce: %s\n", G_STRFUNC((const char*) (__func__)), gcry_strerror(err));
5679 return false0;
5680 }
5681
5682 /* (D)TLS 1.2 needs specific AAD, TLS 1.3 (before -25) uses empty AAD. */
5683 if (is_cid) { /* if connection ID */
5684 if (ssl->session.deprecated_cid) {
5685 aad_len = 14 + cidl;
5686 aad = wmem_alloc(allocator, aad_len);
5687 phtonu64(aad, decoder->seq); /* record sequence number */
5688 phtonu16(aad, decoder->epoch); /* DTLS 1.2 includes epoch. */
5689 aad[8] = ct; /* TLSCompressed.type */
5690 phtonu16(aad + 9, record_version); /* TLSCompressed.version */
5691 memcpy(aad + 11, cid, cidl); /* cid */
5692 aad[11 + cidl] = cidl; /* cid_length */
5693 phtonu16(aad + 12 + cidl, ciphertext_len); /* TLSCompressed.length */
5694 } else {
5695 aad_len = 23 + cidl;
5696 aad = wmem_alloc(allocator, aad_len);
5697 memset(aad, 0xFF, 8); /* seq_num_placeholder */
5698 aad[8] = ct; /* TLSCompressed.type */
5699 aad[9] = cidl; /* cid_length */
5700 aad[10] = ct; /* TLSCompressed.type */
5701 phtonu16(aad + 11, record_version); /* TLSCompressed.version */
5702 phtonu64(aad + 13, decoder->seq); /* record sequence number */
5703 phtonu16(aad + 13, decoder->epoch); /* DTLS 1.2 includes epoch. */
5704 memcpy(aad + 21, cid, cidl); /* cid */
5705 phtonu16(aad + 21 + cidl, ciphertext_len); /* TLSCompressed.length */
5706 }
5707 } else if (is_v12) {
5708 aad_len = 13;
5709 aad = wmem_alloc(allocator, aad_len);
5710 phtonu64(aad, decoder->seq); /* record sequence number */
5711 if (version == DTLSV1DOT2_VERSION0xfefd) {
5712 phtonu16(aad, decoder->epoch); /* DTLS 1.2 includes epoch. */
5713 }
5714 aad[8] = ct; /* TLSCompressed.type */
5715 phtonu16(aad + 9, record_version); /* TLSCompressed.version */
5716 phtonu16(aad + 11, ciphertext_len); /* TLSCompressed.length */
5717 } else if (version == DTLSV1DOT3_VERSION0xfefc) {
5718 aad_len = decoder->dtls13_aad.data_len;
5719 aad = decoder->dtls13_aad.data;
5720 } else if (draft_version >= 25 || draft_version == 0) {
5721 aad_len = 5;
5722 aad = wmem_alloc(allocator, aad_len);
5723 aad[0] = ct; /* TLSCiphertext.opaque_type (23) */
5724 phtonu16(aad + 1, record_version); /* TLSCiphertext.legacy_record_version (0x0303) */
5725 phtonu16(aad + 3, inl); /* TLSCiphertext.length */
5726 }
5727
5728 if (decoder->cipher_suite->mode == MODE_CCM || decoder->cipher_suite->mode == MODE_CCM_8) {
5729 /* size of plaintext, additional authenticated data and auth tag. */
5730 uint64_t lengths[3] = { ciphertext_len, aad_len, auth_tag_len };
5731
5732 gcry_cipher_ctl(decoder->evp, GCRYCTL_SET_CCM_LENGTHS, lengths, sizeof(lengths));
5733 }
5734
5735 if (aad && aad_len > 0) {
5736 ssl_print_data("AAD", aad, aad_len);
5737 err = gcry_cipher_authenticate(decoder->evp, aad, aad_len);
5738 if (err) {
5739 ssl_debug_printf("%s failed to set AAD: %s\n", G_STRFUNC((const char*) (__func__)), gcry_strerror(err));
5740 return false0;
5741 }
5742 }
5743
5744 /* Decrypt now that nonce and AAD are set. */
5745 err = gcry_cipher_decrypt(decoder->evp, out_str->data, out_str->data_len, ciphertext, ciphertext_len);
5746 if (err) {
5747 ssl_debug_printf("%s decrypt failed: %s\n", G_STRFUNC((const char*) (__func__)), gcry_strerror(err));
5748 return false0;
5749 }
5750
5751 /* Check authentication tag for authenticity (replaces MAC) */
5752 err = gcry_cipher_gettag(decoder->evp, auth_tag_calc, auth_tag_len);
5753 if (err == 0 && !memcmp(auth_tag_calc, auth_tag_wire, auth_tag_len)) {
5754 ssl_print_data("auth_tag(OK)", auth_tag_calc, auth_tag_len);
5755 } else {
5756 if (err) {
5757 ssl_debug_printf("%s cannot obtain tag: %s\n", G_STRFUNC((const char*) (__func__)), gcry_strerror(err));
5758 } else {
5759 ssl_debug_printf("%s auth tag mismatch\n", G_STRFUNC((const char*) (__func__)));
5760 ssl_print_data("auth_tag(expect)", auth_tag_calc, auth_tag_len);
5761 ssl_print_data("auth_tag(actual)", auth_tag_wire, auth_tag_len);
5762 }
5763 if (ignore_mac_failed) {
5764 ssl_debug_printf("%s: auth check failed, but ignored for troubleshooting ;-)\n", G_STRFUNC((const char*) (__func__)));
5765 } else {
5766 return false0;
5767 }
5768 }
5769
5770 /*
5771 * Increment the (implicit) sequence number for TLS 1.2/1.3 and TLCP 1.1. This is done
5772 * after successful authentication to ensure that early data is skipped when
5773 * CLIENT_EARLY_TRAFFIC_SECRET keys are unavailable.
5774 */
5775 if (version == TLSV1DOT2_VERSION0x303 || version == TLSV1DOT3_VERSION0x304 || version == TLCPV1_VERSION0x101) {
5776 decoder->seq++;
5777 }
5778
5779 ssl_print_data("Plaintext", out_str->data, ciphertext_len);
5780 *outl = ciphertext_len;
5781 return true1;
5782}
5783
5784/* Record decryption glue based on security parameters {{{ */
5785/* Assume that we are called only for a non-NULL decoder which also means that
5786 * we have a non-NULL decoder->cipher_suite. */
5787int
5788ssl_decrypt_record(wmem_allocator_t* allocator, SslDecryptSession *ssl, SslDecoder *decoder, uint8_t ct, uint16_t record_version,
5789 bool_Bool ignore_mac_failed,
5790 const unsigned char *in, uint16_t inl, const unsigned char *cid, uint8_t cidl,
5791 StringInfo *comp_str, StringInfo *out_str, unsigned *outl)
5792{
5793 unsigned pad, worklen, uncomplen, maclen, mac_fraglen = 0;
5794 uint8_t *mac = NULL((void*)0), *mac_frag = NULL((void*)0);
5795
5796 ssl_debug_printf("ssl_decrypt_record ciphertext len %d\n", inl);
5797 ssl_print_data("Ciphertext",in, inl);
5798
5799 if (((ssl->session.version == TLSV1DOT3_VERSION0x304 || ssl->session.version == DTLSV1DOT3_VERSION0xfefc))
5800 != (decoder->cipher_suite->kex == KEX_TLS130x23)) {
5801 ssl_debug_printf("%s Invalid cipher suite for the protocol version!\n", G_STRFUNC((const char*) (__func__)));
5802 return -1;
5803 }
5804
5805 /* ensure we have enough storage space for decrypted data */
5806 if (inl > out_str->data_len)
5807 {
5808 ssl_debug_printf("ssl_decrypt_record: allocating %d bytes for decrypt data (old len %d)\n",
5809 inl + 32, out_str->data_len);
5810 ssl_data_realloc(out_str, inl + 32);
5811 }
5812
5813 /* AEAD ciphers (GenericAEADCipher in TLS 1.2; TLS 1.3) have no padding nor
5814 * a separate MAC, so use a different routine for simplicity. */
5815 if (decoder->cipher_suite->mode == MODE_GCM ||
5816 decoder->cipher_suite->mode == MODE_CCM ||
5817 decoder->cipher_suite->mode == MODE_CCM_8 ||
5818 decoder->cipher_suite->mode == MODE_POLY1305 ||
5819 ssl->session.version == TLSV1DOT3_VERSION0x304 ||
5820 ssl->session.version == DTLSV1DOT3_VERSION0xfefc) {
5821
5822 if (!tls_decrypt_aead_record(allocator, ssl, decoder, ct, record_version, ignore_mac_failed, in, inl, cid, cidl, out_str, &worklen)) {
5823 /* decryption failed */
5824 return -1;
5825 }
5826
5827 goto skip_mac;
5828 }
5829
5830 /* RFC 6101/2246: SSLCipherText/TLSCipherText has two structures for types:
5831 * (notation: { unencrypted, [ encrypted ] })
5832 * GenericStreamCipher: { [content, mac] }
5833 * GenericBlockCipher: { IV (TLS 1.1+), [content, mac, padding, padding_len] }
5834 * RFC 5426 (TLS 1.2): TLSCipherText has additionally:
5835 * GenericAEADCipher: { nonce_explicit, [content] }
5836 * RFC 4347 (DTLS): based on TLS 1.1, only GenericBlockCipher is supported.
5837 * RFC 6347 (DTLS 1.2): based on TLS 1.2, includes GenericAEADCipher too.
5838 */
5839
5840 maclen = ssl_cipher_suite_dig(decoder->cipher_suite)->len;
5841
5842 /* (TLS 1.1 and later, DTLS) Extract explicit IV for GenericBlockCipher */
5843 if (decoder->cipher_suite->mode == MODE_CBC) {
5844 unsigned blocksize = 0;
5845
5846 switch (ssl->session.version) {
5847 case TLSV1DOT1_VERSION0x302:
5848 case TLSV1DOT2_VERSION0x303:
5849 case DTLSV1DOT0_VERSION0xfeff:
5850 case DTLSV1DOT2_VERSION0xfefd:
5851 case DTLSV1DOT3_VERSION0xfefc:
5852 case DTLSV1DOT0_OPENSSL_VERSION0x100:
5853 case TLCPV1_VERSION0x101:
5854 blocksize = ssl_get_cipher_blocksize(decoder->cipher_suite);
5855 if (inl < blocksize) {
5856 ssl_debug_printf("ssl_decrypt_record failed: input %d has no space for IV %d\n",
5857 inl, blocksize);
5858 return -1;
5859 }
5860 pad = gcry_cipher_setiv(decoder->evp, in, blocksize);
5861 if (pad != 0) {
5862 ssl_debug_printf("ssl_decrypt_record failed: failed to set IV: %s %s\n",
5863 gcry_strsource (pad), gcry_strerror (pad));
5864 }
5865
5866 inl -= blocksize;
5867 in += blocksize;
5868 break;
5869 }
5870
5871 /* Encrypt-then-MAC for (D)TLS (RFC 7366) */
5872 if (ssl->state & SSL_ENCRYPT_THEN_MAC(1<<11)) {
5873 /*
5874 * MAC is calculated over (IV + ) ENCRYPTED contents:
5875 *
5876 * MAC(MAC_write_key, ... +
5877 * IV + // for TLS 1.1 or greater
5878 * TLSCiphertext.enc_content);
5879 */
5880 if (inl < maclen) {
5881 ssl_debug_printf("%s failed: input %d has no space for MAC %d\n",
5882 G_STRFUNC((const char*) (__func__)), inl, maclen);
5883 return -1;
5884 }
5885 inl -= maclen;
5886 mac = (uint8_t *)in + inl;
5887 mac_frag = (uint8_t *)in - blocksize;
5888 mac_fraglen = blocksize + inl;
5889 }
5890 }
5891
5892 /* First decrypt*/
5893 if ((pad = ssl_cipher_decrypt(&decoder->evp, out_str->data, out_str->data_len, in, inl)) != 0) {
5894 ssl_debug_printf("ssl_decrypt_record failed: ssl_cipher_decrypt: %s %s\n", gcry_strsource (pad),
5895 gcry_strerror (pad));
5896 return -1;
5897 }
5898
5899 ssl_print_data("Plaintext", out_str->data, inl);
5900 worklen=inl;
5901
5902
5903 /* strip padding for GenericBlockCipher */
5904 if (decoder->cipher_suite->mode == MODE_CBC) {
5905 if (inl < 1) { /* Should this check happen earlier? */
5906 ssl_debug_printf("ssl_decrypt_record failed: input length %d too small\n", inl);
5907 return -1;
5908 }
5909 pad=out_str->data[inl-1];
5910 if (worklen <= pad) {
5911 ssl_debug_printf("ssl_decrypt_record failed: padding %d too large for work %d\n",
5912 pad, worklen);
5913 return -1;
5914 }
5915 worklen-=(pad+1);
5916 ssl_debug_printf("ssl_decrypt_record found padding %d final len %d\n",
5917 pad, worklen);
5918 }
5919
5920 /* MAC for GenericStreamCipher and GenericBlockCipher.
5921 * (normal case without Encrypt-then-MAC (RFC 7366) extension. */
5922 if (!mac) {
5923 /*
5924 * MAC is calculated over the DECRYPTED contents:
5925 *
5926 * MAC(MAC_write_key, ... + TLSCompressed.fragment);
5927 */
5928 if (worklen < maclen) {
5929 ssl_debug_printf("%s wrong record len/padding outlen %d\n work %d\n", G_STRFUNC((const char*) (__func__)), *outl, worklen);
5930 return -1;
5931 }
5932 worklen -= maclen;
5933 mac = out_str->data + worklen;
5934 mac_frag = out_str->data;
5935 mac_fraglen = worklen;
5936 }
5937
5938 /* If NULL encryption active and no keys are available, do not bother
5939 * checking the MAC. We do not have keys for that. */
5940 if (decoder->cipher_suite->mode == MODE_STREAM &&
5941 decoder->cipher_suite->enc == ENC_NULL0x3D &&
5942 !(ssl->state & SSL_MASTER_SECRET(1<<5))) {
5943 ssl_debug_printf("MAC check skipped due to missing keys\n");
5944 decoder->seq++; // Increment this for display
5945 goto skip_mac;
5946 }
5947
5948 /* Now check the MAC */
5949 ssl_debug_printf("checking mac (len %d, version %X, ct %d seq %" PRIu64"l" "u" ")\n",
5950 worklen, ssl->session.version, ct, decoder->seq);
5951 if(ssl->session.version==SSLV3_VERSION0x300){
5952 if(ssl3_check_mac(decoder,ct,mac_frag,mac_fraglen,mac) < 0) {
5953 if(ignore_mac_failed) {
5954 ssl_debug_printf("ssl_decrypt_record: mac failed, but ignored for troubleshooting ;-)\n");
5955 }
5956 else{
5957 ssl_debug_printf("ssl_decrypt_record: mac failed\n");
5958 return -1;
5959 }
5960 }
5961 else{
5962 ssl_debug_printf("ssl_decrypt_record: mac ok\n");
5963 }
5964 }
5965 else if(ssl->session.version==TLSV1_VERSION0x301 || ssl->session.version==TLSV1DOT1_VERSION0x302 || ssl->session.version==TLSV1DOT2_VERSION0x303 || ssl->session.version==TLCPV1_VERSION0x101){
5966 if(tls_check_mac(decoder,ct,ssl->session.version,mac_frag,mac_fraglen,mac)< 0) {
5967 if(ignore_mac_failed) {
5968 ssl_debug_printf("ssl_decrypt_record: mac failed, but ignored for troubleshooting ;-)\n");
5969 }
5970 else{
5971 ssl_debug_printf("ssl_decrypt_record: mac failed\n");
5972 return -1;
5973 }
5974 }
5975 else{
5976 ssl_debug_printf("ssl_decrypt_record: mac ok\n");
5977 }
5978 }
5979 else if(ssl->session.version==DTLSV1DOT0_VERSION0xfeff ||
5980 ssl->session.version==DTLSV1DOT2_VERSION0xfefd ||
5981 ssl->session.version==DTLSV1DOT0_OPENSSL_VERSION0x100){
5982 /* Try rfc-compliant mac first, and if failed, try old openssl's non-rfc-compliant mac */
5983 if(dtls_check_mac(ssl,decoder,ct,mac_frag,mac_fraglen,mac,cid,cidl)>= 0) {
5984 ssl_debug_printf("ssl_decrypt_record: mac ok\n");
5985 }
5986 else if(tls_check_mac(decoder,ct,TLSV1_VERSION0x301,mac_frag,mac_fraglen,mac)>= 0) {
5987 ssl_debug_printf("ssl_decrypt_record: dtls rfc-compliant mac failed, but old openssl's non-rfc-compliant mac ok\n");
5988 }
5989 else if(ignore_mac_failed) {
5990 ssl_debug_printf("ssl_decrypt_record: mac failed, but ignored for troubleshooting ;-)\n");
5991 }
5992 else{
5993 ssl_debug_printf("ssl_decrypt_record: mac failed\n");
5994 return -1;
5995 }
5996 }
5997skip_mac:
5998
5999 *outl = worklen;
6000
6001 if (decoder->compression > 0) {
6002 ssl_debug_printf("ssl_decrypt_record: compression method %d\n", decoder->compression);
6003 ssl_data_copy(comp_str, out_str);
6004 ssl_print_data("Plaintext compressed", comp_str->data, worklen);
6005 if (!decoder->decomp) {
6006 ssl_debug_printf("decrypt_ssl3_record: no decoder available\n");
6007 return -1;
6008 }
6009 if (ssl_decompress_record(decoder->decomp, comp_str->data, worklen, out_str, &uncomplen) < 0) return -1;
6010 ssl_print_data("Plaintext uncompressed", out_str->data, uncomplen);
6011 *outl = uncomplen;
6012 }
6013
6014 return 0;
6015}
6016/* Record decryption glue based on security parameters }}} */
6017
6018
6019
6020#ifdef HAVE_LIBGNUTLS1
6021
6022/* RSA private key file processing {{{ */
6023static void
6024ssl_find_private_key_by_pubkey(SslDecryptSession *ssl,
6025 const gnutls_datum_t *subjectPublicKeyInfo)
6026{
6027 gnutls_pubkey_t pubkey = NULL((void*)0);
6028 cert_key_id_t key_id;
6029 size_t key_id_len = sizeof(key_id);
6030 int r;
6031
6032 if (!subjectPublicKeyInfo->size) {
6033 ssl_debug_printf("%s: could not find SubjectPublicKeyInfo\n", G_STRFUNC((const char*) (__func__)));
6034 return;
6035 }
6036
6037 r = gnutls_pubkey_init(&pubkey);
6038 if (r < 0) {
6039 ssl_debug_printf("%s: failed to init pubkey: %s\n",
6040 G_STRFUNC((const char*) (__func__)), gnutls_strerror(r));
6041 return;
6042 }
6043
6044 r = gnutls_pubkey_import(pubkey, subjectPublicKeyInfo, GNUTLS_X509_FMT_DER);
6045 if (r < 0) {
6046 ssl_debug_printf("%s: failed to import pubkey from handshake: %s\n",
6047 G_STRFUNC((const char*) (__func__)), gnutls_strerror(r));
6048 goto end;
6049 }
6050
6051 if (gnutls_pubkey_get_pk_algorithm(pubkey, NULL((void*)0)) != GNUTLS_PK_RSA) {
6052 ssl_debug_printf("%s: Not a RSA public key - ignoring.\n", G_STRFUNC((const char*) (__func__)));
6053 goto end;
6054 }
6055
6056 /* Generate a 20-byte SHA-1 hash. */
6057 r = gnutls_pubkey_get_key_id(pubkey, 0, key_id.key_id, &key_id_len);
6058 if (r < 0) {
6059 ssl_debug_printf("%s: failed to extract key id from pubkey: %s\n",
6060 G_STRFUNC((const char*) (__func__)), gnutls_strerror(r));
6061 goto end;
6062 }
6063
6064 if (key_id_len != sizeof(key_id)) {
6065 ssl_debug_printf("%s: expected Key ID size %zu, got %zu\n",
6066 G_STRFUNC((const char*) (__func__)), sizeof(key_id), key_id_len);
6067 goto end;
6068 }
6069
6070 ssl_print_data("Certificate.KeyID", key_id.key_id, key_id_len);
6071 ssl->cert_key_id = wmem_new(wmem_file_scope(), cert_key_id_t)((cert_key_id_t*)wmem_alloc((wmem_file_scope()), sizeof(cert_key_id_t
)))
;
6072 *ssl->cert_key_id = key_id;
6073
6074end:
6075 gnutls_pubkey_deinit(pubkey);
6076}
6077
6078/* RSA private key file processing }}} */
6079#endif /* HAVE_LIBGNUTLS */
6080
6081/*--- Start of dissector-related code below ---*/
6082
6083/* This is not a "protocol" but ensures that this gets called during
6084 * the handoff stage. */
6085void proto_reg_handoff_tls_utils(void);
6086
6087static dissector_handle_t base_tls_handle;
6088static dissector_handle_t dtls_handle;
6089
6090void
6091proto_reg_handoff_tls_utils(void)
6092{
6093 base_tls_handle = find_dissector("tls");
6094 dtls_handle = find_dissector("dtls");
6095}
6096
6097/* Look up an existing SslDecryptSession without creating one. Returns NULL if
6098 * no session exists. */
6099SslDecryptSession *
6100tls_get_session(conversation_t *conversation, int proto_ssl, uint8_t curr_layer_num)
6101{
6102 void *conv_data;
6103 wmem_map_t *session_map;
6104
6105 if (!conversation)
6106 return NULL((void*)0);
6107
6108 conv_data = conversation_get_proto_data(conversation, proto_ssl);
6109 if (conv_data == NULL((void*)0))
6110 return NULL((void*)0);
6111
6112 session_map = (wmem_map_t *)conv_data;
6113
6114 return (SslDecryptSession *)wmem_map_lookup(session_map,
6115 GUINT_TO_POINTER((unsigned)curr_layer_num)((gpointer) (gulong) ((unsigned)curr_layer_num)));
6116
6117}
6118
6119/* get ssl data for this session. if no ssl data is found allocate a new one*/
6120SslDecryptSession *
6121ssl_get_session(conversation_t *conversation, dissector_handle_t tls_handle, uint8_t curr_layer_num)
6122{
6123 void *conv_data;
6124 SslDecryptSession *ssl_session;
6125 int proto_ssl;
6126 wmem_map_t *session_map;
6127
6128 /* Note proto_ssl is tls for either the main tls_handle or the
6129 * tls13_handshake handle used by QUIC. */
6130 proto_ssl = dissector_handle_get_protocol_index(tls_handle);
6131 conv_data = conversation_get_proto_data(conversation, proto_ssl);
6132
6133 /* For nested TLS support, we store a wmem map of sessions indexed by layer number.
6134 * Using wmem_file_scope ensures the map is freed when the capture file is closed,
6135 * preventing memory leaks on capture reload. */
6136 if (conv_data != NULL((void*)0)) {
6137 session_map = (wmem_map_t *)conv_data;
6138 ssl_session = (SslDecryptSession *)wmem_map_lookup(session_map, GUINT_TO_POINTER((unsigned)curr_layer_num)((gpointer) (gulong) ((unsigned)curr_layer_num)));
6139 if (ssl_session != NULL((void*)0)) {
6140 return ssl_session;
6141 }
6142 } else {
6143 /* Create a new wmem map to store sessions by layer number */
6144 session_map = wmem_map_new(wmem_file_scope(), g_direct_hash, g_direct_equal);
6145 conversation_add_proto_data(conversation, proto_ssl, session_map);
6146 }
6147
6148 /* no previous SSL conversation info for this layer, initialize it. */
6149 ssl_session = wmem_new0(wmem_file_scope(), SslDecryptSession)((SslDecryptSession*)wmem_alloc0((wmem_file_scope()), sizeof(
SslDecryptSession)))
;
6150
6151 /* data_len is the part that is meaningful, not the allocated length */
6152 ssl_session->master_secret.data_len = 0;
6153 ssl_session->master_secret.data = ssl_session->_master_secret;
6154 ssl_session->session_id.data_len = 0;
6155 ssl_session->session_id.data = ssl_session->_session_id;
6156 ssl_session->client_random.data_len = 0;
6157 ssl_session->client_random.data = ssl_session->_client_random;
6158 ssl_session->server_random.data_len = 0;
6159 ssl_session->server_random.data = ssl_session->_server_random;
6160 ssl_session->session_ticket.data_len = 0;
6161 ssl_session->session_ticket.data = NULL((void*)0); /* will be re-alloced as needed */
6162 ssl_session->server_data_for_iv.data_len = 0;
6163 ssl_session->server_data_for_iv.data = ssl_session->_server_data_for_iv;
6164 ssl_session->client_data_for_iv.data_len = 0;
6165 ssl_session->client_data_for_iv.data = ssl_session->_client_data_for_iv;
6166 ssl_session->app_data_segment.data = NULL((void*)0);
6167 ssl_session->app_data_segment.data_len = 0;
6168 ssl_session->handshake_data.data=NULL((void*)0);
6169 ssl_session->handshake_data.data_len=0;
6170 ssl_session->ech_transcript.data=NULL((void*)0);
6171 ssl_session->ech_transcript.data_len=0;
6172
6173 /* Initialize parameters which are not necessary specific to decryption. */
6174 ssl_session->session.version = SSL_VER_UNKNOWN0;
6175 clear_address(&ssl_session->session.srv_addr);
6176 ssl_session->session.srv_ptype = PT_NONE;
6177 ssl_session->session.srv_port = 0;
6178 ssl_session->session.dtls13_current_epoch[0] = ssl_session->session.dtls13_current_epoch[1] = 0;
6179 ssl_session->session.dtls13_next_seq_num[0] = ssl_session->session.dtls13_next_seq_num[1] = 0;
6180 ssl_session->session.client_random.data_len = 0;
6181 ssl_session->session.client_random.data = ssl_session->session._client_random;
6182 memset(ssl_session->session.ech_confirmation, 0, sizeof(ssl_session->session.ech_confirmation));
6183 memset(ssl_session->session.hrr_ech_confirmation, 0, sizeof(ssl_session->session.hrr_ech_confirmation));
6184 memset(ssl_session->session.first_ech_auth_tag, 0, sizeof(ssl_session->session.first_ech_auth_tag));
6185 ssl_session->session.ech = false0;
6186 ssl_session->session.hrr_ech_declined = false0;
6187 ssl_session->session.first_ch_ech_frame = 0;
6188
6189 /* We want to increment the stream count for the normal tls handle and
6190 * dtls handle, but presumably not for the tls13_handshake handle used
6191 * by QUIC (it has its own Follow Stream handling, and the QUIC stream
6192 * doesn't get sent to the TLS follow tap.)
6193 */
6194 if (tls_handle == base_tls_handle) {
6195 ssl_session->session.stream = tls_increment_stream_count();
6196 } else if (tls_handle == dtls_handle) {
6197 ssl_session->session.stream = dtls_increment_stream_count();
6198 }
6199
6200 /* Store the session in the wmem map indexed by layer number */
6201 wmem_map_insert(session_map, GUINT_TO_POINTER((unsigned)curr_layer_num)((gpointer) (gulong) ((unsigned)curr_layer_num)), ssl_session);
6202
6203 return ssl_session;
6204}
6205
6206void ssl_reset_session(SslSession *session, SslDecryptSession *ssl, bool_Bool is_client)
6207{
6208 if (ssl) {
6209 /* Ensure that secrets are not restored using stale identifiers. Split
6210 * between client and server in case the packets somehow got out of order. */
6211 int clear_flags = SSL_HAVE_SESSION_KEY(1<<3) | SSL_MASTER_SECRET(1<<5) | SSL_PRE_MASTER_SECRET(1<<6);
6212
6213 if (is_client) {
6214 clear_flags |= SSL_CLIENT_EXTENDED_MASTER_SECRET(1<<7);
6215 ssl->session_id.data_len = 0;
6216 ssl->session_ticket.data_len = 0;
6217 ssl->master_secret.data_len = 0;
6218 ssl->client_random.data_len = 0;
6219 ssl->has_early_data = false0;
6220 if (ssl->handshake_data.data_len > 0) {
6221 // The EMS handshake hash starts with at the Client Hello,
6222 // ensure that any messages before it are forgotten.
6223 wmem_free(wmem_file_scope(), ssl->handshake_data.data);
6224 ssl->handshake_data.data = NULL((void*)0);
6225 ssl->handshake_data.data_len = 0;
6226 }
6227 } else {
6228 clear_flags |= SSL_SERVER_EXTENDED_MASTER_SECRET(1<<8) | SSL_NEW_SESSION_TICKET(1<<10);
6229 ssl->server_random.data_len = 0;
6230 ssl->pre_master_secret.data_len = 0;
6231#ifdef HAVE_LIBGNUTLS1
6232 ssl->cert_key_id = NULL((void*)0);
6233#endif
6234 ssl->has_psk = false0;
6235 ssl->has_key_share = false0;
6236 // There is no point in clearing the PSK when resetting the session,
6237 // we only store one global PSK in the prefs.
6238 //ssl->psk.data_len = 0;
6239 }
6240
6241 if (ssl->state & clear_flags) {
6242 ssl_debug_printf("%s detected renegotiation, clearing 0x%02x (%s side)\n",
6243 G_STRFUNC((const char*) (__func__)), ssl->state & clear_flags, is_client ? "client" : "server");
6244 ssl->state &= ~clear_flags;
6245 }
6246 }
6247
6248 /* These flags might be used for non-decryption purposes and may affect the
6249 * dissection, so reset them as well. */
6250 if (is_client) {
6251 session->client_cert_type = 0;
6252 } else {
6253 session->compression = 0;
6254 session->server_cert_type = 0;
6255 /* session->is_session_resumed is already handled in the ServerHello dissection. */
6256 }
6257 session->dtls13_next_seq_num[0] = session->dtls13_next_seq_num[1] = 0;
6258 session->dtls13_current_epoch[0] = session->dtls13_current_epoch[1] = 0;
6259}
6260
6261void
6262tls_set_appdata_dissector(dissector_handle_t tls_handle, packet_info *pinfo,
6263 dissector_handle_t app_handle)
6264{
6265 conversation_t *conversation;
6266 SslSession *session;
6267
6268 /* Ignore if the TLS or other dissector is disabled. */
6269 /* XXX - find_dissector still works if a dissector is disabled,
6270 * this would be if the dissector isn't registered at all or the
6271 * caller is calling this with explicit NULL. */
6272 if (!tls_handle || !app_handle)
6273 return;
6274
6275 int proto = dissector_handle_get_protocol_index(tls_handle);
6276 uint8_t curr_layer_num = p_get_proto_depth(pinfo, proto);
6277
6278 conversation = find_or_create_conversation(pinfo);
6279 session = &ssl_get_session(conversation, tls_handle, curr_layer_num)->session;
6280 session->app_handle = app_handle;
6281}
6282
6283static uint32_t
6284ssl_starttls(dissector_handle_t tls_handle, packet_info *pinfo,
6285 dissector_handle_t app_handle, uint32_t last_nontls_frame)
6286{
6287
6288 conversation_t *conversation;
6289 SslSession *session;
6290
6291 /* Ignore if the TLS dissector is disabled. */
6292 /* XXX - find_dissector still works if a dissector is disabled,
6293 * this would be if the dissector isn't registered at all (or the
6294 * caller has an error.) */
6295 if (!tls_handle)
6296 return 0;
6297
6298 int proto = dissector_handle_get_protocol_index(tls_handle);
6299 uint8_t curr_layer_num = p_get_proto_depth(pinfo, proto);
6300
6301 /* The caller should always pass a valid handle to its own dissector. */
6302 DISSECTOR_ASSERT(app_handle)((void) ((app_handle) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 6302, "app_handle"))))
;
6303
6304 conversation = find_or_create_conversation(pinfo);
6305 session = &ssl_get_session(conversation, tls_handle, curr_layer_num)->session;
6306
6307 ssl_debug_printf("%s: old frame %d, app_handle=%p (%s)\n", G_STRFUNC((const char*) (__func__)),
6308 session->last_nontls_frame,
6309 (void *)session->app_handle,
6310 dissector_handle_get_dissector_name(session->app_handle));
6311 ssl_debug_printf("%s: current frame %d, app_handle=%p (%s)\n", G_STRFUNC((const char*) (__func__)),
6312 pinfo->num, (void *)app_handle,
6313 dissector_handle_get_dissector_name(app_handle));
6314
6315 /* Do not switch again if a dissector did it before. */
6316 if (session->last_nontls_frame) {
6317 ssl_debug_printf("%s: not overriding previous app handle!\n", G_STRFUNC((const char*) (__func__)));
6318 return session->last_nontls_frame;
6319 }
6320
6321 session->app_handle = app_handle;
6322 /* The TLS dissector should be called first for this conversation. */
6323 conversation_set_dissector(conversation, tls_handle);
6324 /* TLS starts after this frame. */
6325 session->last_nontls_frame = last_nontls_frame;
6326 return 0;
6327}
6328
6329/* ssl_starttls_ack: mark future frames as encrypted. */
6330uint32_t
6331ssl_starttls_ack(dissector_handle_t tls_handle, packet_info *pinfo,
6332 dissector_handle_t app_handle)
6333{
6334 return ssl_starttls(tls_handle, pinfo, app_handle, pinfo->num);
6335}
6336
6337uint32_t
6338ssl_starttls_post_ack(dissector_handle_t tls_handle, packet_info *pinfo,
6339 dissector_handle_t app_handle)
6340{
6341 return ssl_starttls(tls_handle, pinfo, app_handle, pinfo->num - 1);
6342}
6343
6344dissector_handle_t
6345ssl_find_appdata_dissector(const char *name)
6346{
6347 /* Accept 'http' for backwards compatibility and sanity. */
6348 if (!strcmp(name, "http"))
6349 name = "http-over-tls";
6350 /* XXX - Should this check to see if the dissector is actually added for
6351 * Decode As in the appropriate table?
6352 */
6353 return find_dissector(name);
6354}
6355
6356/* Functions for TLS/DTLS sessions and RSA private keys hashtables. {{{ */
6357static int
6358ssl_equal (const void *v, const void *v2)
6359{
6360 const StringInfo *val1;
6361 const StringInfo *val2;
6362 val1 = (const StringInfo *)v;
6363 val2 = (const StringInfo *)v2;
6364
6365 if (val1->data_len == val2->data_len &&
6366 !memcmp(val1->data, val2->data, val2->data_len)) {
6367 return 1;
6368 }
6369 return 0;
6370}
6371
6372static unsigned
6373ssl_hash(const void *v)
6374{
6375 const StringInfo* id;
6376 id = (const StringInfo*) v;
6377
6378 return wmem_strong_hash(id->data, id->data_len);
6379}
6380/* Functions for TLS/DTLS sessions and RSA private keys hashtables. }}} */
6381
6382/* Handling of association between tls/dtls ports and clear text protocol. {{{ */
6383void
6384ssl_association_add(const char* dissector_table_name, dissector_handle_t main_handle, dissector_handle_t subdissector_handle, unsigned port, bool_Bool tcp)
6385{
6386 DISSECTOR_ASSERT(main_handle)((void) ((main_handle) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 6386, "main_handle"))))
;
6387 DISSECTOR_ASSERT(subdissector_handle)((void) ((subdissector_handle) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 6387, "subdissector_handle"))))
;
6388 /* Registration is required for Export PDU feature to work properly. */
6389 DISSECTOR_ASSERT_HINT(dissector_handle_get_dissector_name(subdissector_handle),((void) ((dissector_handle_get_dissector_name(subdissector_handle
)) ? (void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\" (%s)"
, "epan/dissectors/packet-tls-utils.c", 6390, "dissector_handle_get_dissector_name(subdissector_handle)"
, "SSL appdata dissectors must register with register_dissector()!"
))))
6390 "SSL appdata dissectors must register with register_dissector()!")((void) ((dissector_handle_get_dissector_name(subdissector_handle
)) ? (void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\" (%s)"
, "epan/dissectors/packet-tls-utils.c", 6390, "dissector_handle_get_dissector_name(subdissector_handle)"
, "SSL appdata dissectors must register with register_dissector()!"
))))
;
6391 ssl_debug_printf("association_add %s port %d handle %p\n", dissector_table_name, port, (void *)subdissector_handle);
6392
6393 if (port) {
6394 dissector_add_uint(dissector_table_name, port, subdissector_handle);
6395 if (tcp)
6396 dissector_add_uint("tcp.port", port, main_handle);
6397 else
6398 dissector_add_uint("udp.port", port, main_handle);
6399 dissector_add_uint("sctp.port", port, main_handle);
6400 } else {
6401 dissector_add_for_decode_as(dissector_table_name, subdissector_handle);
6402 }
6403}
6404
6405void
6406ssl_association_remove(const char* dissector_table_name, dissector_handle_t main_handle, dissector_handle_t subdissector_handle, unsigned port, bool_Bool tcp)
6407{
6408 ssl_debug_printf("ssl_association_remove removing %s %u - handle %p\n",
6409 tcp?"TCP":"UDP", port, (void *)subdissector_handle);
6410 if (main_handle) {
6411 dissector_delete_uint(tcp?"tcp.port":"udp.port", port, main_handle);
6412 dissector_delete_uint("sctp.port", port, main_handle);
6413 }
6414
6415 if (port) {
6416 dissector_delete_uint(dissector_table_name, port, subdissector_handle);
6417 }
6418}
6419
6420void
6421ssl_set_server(SslSession *session, address *addr, port_type ptype, uint32_t port)
6422{
6423 copy_address_wmem(wmem_file_scope(), &session->srv_addr, addr);
6424 session->srv_ptype = ptype;
6425 session->srv_port = port;
6426}
6427
6428int
6429ssl_packet_from_server(SslSession *session, dissector_table_t table, const packet_info *pinfo)
6430{
6431 int ret;
6432 if (session && session->srv_addr.type != AT_NONE) {
6433 ret = (session->srv_ptype == pinfo->ptype) &&
6434 (session->srv_port == pinfo->srcport) &&
6435 addresses_equal(&session->srv_addr, &pinfo->src);
6436 } else {
6437 ret = (dissector_get_uint_handle(table, pinfo->srcport) != 0);
6438 }
6439
6440 ssl_debug_printf("packet_from_server: is from server - %s\n", (ret)?"TRUE":"FALSE");
6441 return ret;
6442}
6443/* Handling of association between tls/dtls ports and clear text protocol. }}} */
6444
6445
6446/* Links SSL records with the real packet data. {{{ */
6447SslPacketInfo *
6448tls_add_packet_info(int proto, packet_info *pinfo, uint8_t curr_layer_num_ssl)
6449{
6450 SslPacketInfo *pi = (SslPacketInfo *)p_get_proto_data(wmem_file_scope(), pinfo, proto, curr_layer_num_ssl);
6451 if (!pi) {
6452 pi = wmem_new0(wmem_file_scope(), SslPacketInfo)((SslPacketInfo*)wmem_alloc0((wmem_file_scope()), sizeof(SslPacketInfo
)))
;
6453 pi->srcport = pinfo->srcport;
6454 pi->destport = pinfo->destport;
6455 conversation_t *conv = find_or_create_conversation_strat(pinfo);
6456 SslDecryptSession *ssl_session = tls_get_session(conv, proto, curr_layer_num_ssl);
6457 if (ssl_session) {
6458 /* This can also be called by the QUIC TLS1.3 handshake only
6459 * dissector. That is not associated with a session, or a stream,
6460 * and doesn't need the information for Follow or Decode As. */
6461 pi->stream = ssl_session->session.stream;
6462 }
6463 p_add_proto_data(wmem_file_scope(), pinfo, proto, curr_layer_num_ssl, pi);
6464 }
6465
6466 return pi;
6467}
6468
6469/**
6470 * Remembers the decrypted TLS record fragment (TLSInnerPlaintext in TLS 1.3) to
6471 * avoid the need for a decoder in the second pass. Additionally, it remembers
6472 * sequence numbers (for reassembly and Follow TLS Stream).
6473 *
6474 * @param proto The protocol identifier (proto_ssl or proto_dtls).
6475 * @param pinfo The packet where the record originates from.
6476 * @param plain_data Decrypted plaintext to store in the record.
6477 * @param plain_data_len Total length of the plaintext.
6478 * @param content_len Length of the plaintext section corresponding to the record content.
6479 * @param record_id The identifier for this record within the current packet.
6480 * @param flow Information about sequence numbers, etc.
6481 * @param type TLS Content Type (such as handshake or application_data).
6482 * @param curr_layer_num_ssl The layer identifier for this TLS session.
6483 */
6484void
6485ssl_add_record_info(int proto, packet_info *pinfo,
6486 const unsigned char *plain_data, int plain_data_len, int content_len,
6487 int record_id, SslFlow *flow, ContentType type, uint8_t curr_layer_num_ssl,
6488 uint64_t record_seq)
6489{
6490 SslRecordInfo* rec, **prec;
6491 SslPacketInfo *pi = tls_add_packet_info(proto, pinfo, curr_layer_num_ssl);
6492
6493 ws_assert(content_len <= plain_data_len)do { if ((1) && !(content_len <= plain_data_len)) ws_log_fatal_full
("", LOG_LEVEL_ERROR, "epan/dissectors/packet-tls-utils.c", 6493
, __func__, "assertion failed: %s", "content_len <= plain_data_len"
); } while (0)
;
6494
6495 rec = wmem_new(wmem_file_scope(), SslRecordInfo)((SslRecordInfo*)wmem_alloc((wmem_file_scope()), sizeof(SslRecordInfo
)))
;
6496 rec->plain_data = (unsigned char *)wmem_memdup(wmem_file_scope(), plain_data, plain_data_len);
6497 rec->plain_data_len = plain_data_len;
6498 rec->content_len = content_len;
6499 rec->id = record_id;
6500 rec->type = type;
6501 rec->next = NULL((void*)0);
6502 rec->record_seq = record_seq;
6503
6504 if (flow && type == SSL_ID_APP_DATA) {
6505 rec->seq = flow->byte_seq;
6506 rec->flow = flow;
6507 flow->byte_seq += content_len;
6508 ssl_debug_printf("%s stored decrypted record seq=%d nxtseq=%d flow=%p\n",
6509 G_STRFUNC((const char*) (__func__)), rec->seq, rec->seq + content_len, (void*)flow);
6510 }
6511
6512 /* Remember decrypted records. */
6513 prec = &pi->records;
6514 while (*prec) prec = &(*prec)->next;
6515 *prec = rec;
6516}
6517
6518/* search in packet data for the specified id; return a newly created tvb for the associated data */
6519tvbuff_t*
6520ssl_get_record_info(tvbuff_t *parent_tvb, int proto, packet_info *pinfo, int record_id, uint8_t curr_layer_num_ssl, SslRecordInfo **matched_record)
6521{
6522 SslRecordInfo* rec;
6523 SslPacketInfo* pi;
6524 pi = (SslPacketInfo *)p_get_proto_data(wmem_file_scope(), pinfo, proto, curr_layer_num_ssl);
6525
6526 if (!pi)
6527 return NULL((void*)0);
6528
6529 for (rec = pi->records; rec; rec = rec->next)
6530 if (rec->id == record_id) {
6531 *matched_record = rec;
6532 /* link new real_data_tvb with a parent tvb so it is freed when frame dissection is complete */
6533 return tvb_new_child_real_data(parent_tvb, rec->plain_data, rec->plain_data_len, rec->plain_data_len);
6534 }
6535
6536 return NULL((void*)0);
6537}
6538/* Links SSL records with the real packet data. }}} */
6539
6540/* initialize/reset per capture state data (ssl sessions cache). {{{ */
6541void
6542ssl_common_init(ssl_master_key_map_t *mk_map,
6543 StringInfo *decrypted_data, StringInfo *compressed_data)
6544{
6545 mk_map->session = g_hash_table_new(ssl_hash, ssl_equal);
6546 mk_map->tickets = g_hash_table_new(ssl_hash, ssl_equal);
6547 mk_map->crandom = g_hash_table_new(ssl_hash, ssl_equal);
6548 mk_map->pre_master = g_hash_table_new(ssl_hash, ssl_equal);
6549 mk_map->pms = g_hash_table_new(ssl_hash, ssl_equal);
6550 mk_map->tls13_client_early = g_hash_table_new(ssl_hash, ssl_equal);
6551 mk_map->tls13_client_handshake = g_hash_table_new(ssl_hash, ssl_equal);
6552 mk_map->tls13_server_handshake = g_hash_table_new(ssl_hash, ssl_equal);
6553 mk_map->tls13_client_appdata = g_hash_table_new(ssl_hash, ssl_equal);
6554 mk_map->tls13_server_appdata = g_hash_table_new(ssl_hash, ssl_equal);
6555 mk_map->tls13_early_exporter = g_hash_table_new(ssl_hash, ssl_equal);
6556 mk_map->tls13_exporter = g_hash_table_new(ssl_hash, ssl_equal);
6557
6558 mk_map->ech_secret = g_hash_table_new(ssl_hash, ssl_equal);
6559 mk_map->ech_config = g_hash_table_new(ssl_hash, ssl_equal);
6560
6561 mk_map->used_crandom = g_hash_table_new(ssl_hash, ssl_equal);
6562
6563 ssl_data_alloc(decrypted_data, 32);
6564 ssl_data_alloc(compressed_data, 32);
6565}
6566
6567void
6568ssl_common_cleanup(ssl_master_key_map_t *mk_map, FILE **ssl_keylog_file,
6569 StringInfo *decrypted_data, StringInfo *compressed_data)
6570{
6571 g_hash_table_destroy(mk_map->session);
6572 g_hash_table_destroy(mk_map->tickets);
6573 g_hash_table_destroy(mk_map->crandom);
6574 g_hash_table_destroy(mk_map->pre_master);
6575 g_hash_table_destroy(mk_map->pms);
6576 g_hash_table_destroy(mk_map->tls13_client_early);
6577 g_hash_table_destroy(mk_map->tls13_client_handshake);
6578 g_hash_table_destroy(mk_map->tls13_server_handshake);
6579 g_hash_table_destroy(mk_map->tls13_client_appdata);
6580 g_hash_table_destroy(mk_map->tls13_server_appdata);
6581 g_hash_table_destroy(mk_map->tls13_early_exporter);
6582 g_hash_table_destroy(mk_map->tls13_exporter);
6583
6584 g_hash_table_destroy(mk_map->ech_secret);
6585 g_hash_table_destroy(mk_map->ech_config);
6586
6587 g_hash_table_destroy(mk_map->used_crandom);
6588
6589 g_free(decrypted_data->data)(__builtin_object_size ((decrypted_data->data), 0) != ((size_t
) - 1)) ? g_free_sized (decrypted_data->data, __builtin_object_size
((decrypted_data->data), 0)) : (g_free) (decrypted_data->
data)
;
6590 g_free(compressed_data->data)(__builtin_object_size ((compressed_data->data), 0) != ((size_t
) - 1)) ? g_free_sized (compressed_data->data, __builtin_object_size
((compressed_data->data), 0)) : (g_free) (compressed_data
->data)
;
6591
6592 /* close the previous keylog file now that the cache are cleared, this
6593 * allows the cache to be filled with the full keylog file contents. */
6594 if (*ssl_keylog_file) {
6595 fclose(*ssl_keylog_file);
6596 *ssl_keylog_file = NULL((void*)0);
6597 }
6598}
6599/* }}} */
6600
6601/* parse ssl related preferences (private keys and ports association strings) */
6602#if defined(HAVE_LIBGNUTLS1)
6603/* Load a single RSA key file item from preferences. {{{ */
6604void
6605ssl_parse_key_list(const ssldecrypt_assoc_t *uats, GHashTable *key_hash, const char* dissector_table_name, dissector_handle_t main_handle, bool_Bool tcp)
6606{
6607 gnutls_x509_privkey_t x509_priv_key;
6608 gnutls_privkey_t priv_key = NULL((void*)0);
6609 FILE* fp = NULL((void*)0);
6610 int ret;
6611 size_t key_id_len = 20;
6612 unsigned char *key_id = NULL((void*)0);
6613 char *err = NULL((void*)0);
6614 dissector_handle_t handle;
6615 /* try to load keys file first */
6616 fp = ws_fopenfopen(uats->keyfile, "rb");
6617 if (!fp) {
6618 report_open_failure(uats->keyfile, errno(*__errno_location ()), false0);
6619 return;
6620 }
6621
6622 if ((int)strlen(uats->password) == 0) {
6623 x509_priv_key = rsa_load_pem_key(fp, &err);
6624 } else {
6625 x509_priv_key = rsa_load_pkcs12(fp, uats->password, &err);
6626 }
6627 fclose(fp);
6628
6629 if (!x509_priv_key) {
6630 if (err) {
6631 report_failure("Can't load private key from %s: %s",
6632 uats->keyfile, err);
6633 g_free(err)(__builtin_object_size ((err), 0) != ((size_t) - 1)) ? g_free_sized
(err, __builtin_object_size ((err), 0)) : (g_free) (err)
;
6634 } else
6635 report_failure("Can't load private key from %s: unknown error",
6636 uats->keyfile);
6637 return;
6638 }
6639 if (err) {
6640 report_failure("Load of private key from %s \"succeeded\" with error %s",
6641 uats->keyfile, err);
6642 g_free(err)(__builtin_object_size ((err), 0) != ((size_t) - 1)) ? g_free_sized
(err, __builtin_object_size ((err), 0)) : (g_free) (err)
;
6643 }
6644
6645 gnutls_privkey_init(&priv_key);
6646 ret = gnutls_privkey_import_x509(priv_key, x509_priv_key,
6647 GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE|GNUTLS_PRIVKEY_IMPORT_COPY);
6648 if (ret < 0) {
6649 report_failure("Can't convert private key %s: %s",
6650 uats->keyfile, gnutls_strerror(ret));
6651 goto end;
6652 }
6653
6654 key_id = (unsigned char *) g_malloc0(key_id_len);
6655 ret = gnutls_x509_privkey_get_key_id(x509_priv_key, 0, key_id, &key_id_len);
6656 if (ret < 0) {
6657 report_failure("Can't calculate public key ID for %s: %s",
6658 uats->keyfile, gnutls_strerror(ret));
6659 goto end;
6660 }
6661 ssl_print_data("KeyID", key_id, key_id_len);
6662 if (key_id_len != 20) {
6663 report_failure("Expected Key ID size %u for %s, got %zu", 20,
6664 uats->keyfile, key_id_len);
6665 goto end;
6666 }
6667
6668 g_hash_table_replace(key_hash, key_id, priv_key);
6669 key_id = NULL((void*)0); /* used in key_hash, do not free. */
6670 priv_key = NULL((void*)0);
6671 ssl_debug_printf("ssl_init private key file %s successfully loaded.\n", uats->keyfile);
6672
6673 handle = ssl_find_appdata_dissector(uats->protocol);
6674 if (handle) {
6675 /* Port to subprotocol mapping */
6676 uint16_t port = 0;
6677 if (ws_strtou16(uats->port, NULL((void*)0), &port)) {
6678 if (port > 0) {
6679 ssl_debug_printf("ssl_init port '%d' filename '%s' password(only for p12 file) '%s'\n",
6680 port, uats->keyfile, uats->password);
6681
6682 ssl_association_add(dissector_table_name, main_handle, handle, port, tcp);
6683 }
6684 } else {
6685 if (strcmp(uats->port, "start_tls"))
6686 ssl_debug_printf("invalid ssl_init_port: %s\n", uats->port);
6687 }
6688 }
6689
6690end:
6691 gnutls_x509_privkey_deinit(x509_priv_key);
6692 gnutls_privkey_deinit(priv_key);
6693 g_free(key_id)(__builtin_object_size ((key_id), 0) != ((size_t) - 1)) ? g_free_sized
(key_id, __builtin_object_size ((key_id), 0)) : (g_free) (key_id
)
;
6694}
6695/* }}} */
6696#endif
6697
6698
6699/* Store/load a known (pre-)master secret from/for this SSL session. {{{ */
6700/** store a known (pre-)master secret into cache */
6701static void
6702ssl_save_master_key(const char *label, GHashTable *ht, StringInfo *key,
6703 StringInfo *mk)
6704{
6705 StringInfo *ht_key, *master_secret;
6706
6707 if (key->data_len == 0) {
6708 ssl_debug_printf("%s: not saving empty %s!\n", G_STRFUNC((const char*) (__func__)), label);
6709 return;
6710 }
6711
6712 if (mk->data_len == 0) {
6713 ssl_debug_printf("%s not saving empty (pre-)master secret for %s!\n",
6714 G_STRFUNC((const char*) (__func__)), label);
6715 return;
6716 }
6717
6718 ht_key = ssl_data_clone(key);
6719 master_secret = ssl_data_clone(mk);
6720 g_hash_table_insert(ht, ht_key, master_secret);
6721
6722 ssl_debug_printf("%s inserted (pre-)master secret for %s\n", G_STRFUNC((const char*) (__func__)), label);
6723 ssl_print_string("stored key", ht_key);
6724 ssl_print_string("stored (pre-)master secret", master_secret);
6725}
6726
6727/** restore a (pre-)master secret given some key in the cache */
6728static bool_Bool
6729ssl_restore_master_key(SslDecryptSession *ssl, const char *label,
6730 bool_Bool is_pre_master, GHashTable *ht, StringInfo *key)
6731{
6732 StringInfo *ms;
6733
6734 if (key->data_len == 0) {
6735 ssl_debug_printf("%s can't restore %smaster secret using an empty %s\n",
6736 G_STRFUNC((const char*) (__func__)), is_pre_master ? "pre-" : "", label);
6737 return false0;
6738 }
6739
6740 ms = (StringInfo *)g_hash_table_lookup(ht, key);
6741 if (!ms) {
6742 ssl_debug_printf("%s can't find %smaster secret by %s\n", G_STRFUNC((const char*) (__func__)),
6743 is_pre_master ? "pre-" : "", label);
6744 return false0;
6745 }
6746
6747 /* (pre)master secret found, clear knowledge of other keys and set it in the
6748 * current conversation */
6749 ssl->state &= ~(SSL_MASTER_SECRET(1<<5) | SSL_PRE_MASTER_SECRET(1<<6) |
6750 SSL_HAVE_SESSION_KEY(1<<3));
6751 if (is_pre_master) {
6752 /* unlike master secret, pre-master secret has a variable size (48 for
6753 * RSA, varying for PSK) and is therefore not statically allocated */
6754 ssl->pre_master_secret.data = (unsigned char *) wmem_alloc(wmem_file_scope(),
6755 ms->data_len);
6756 ssl_data_set(&ssl->pre_master_secret, ms->data, ms->data_len);
6757 ssl->state |= SSL_PRE_MASTER_SECRET(1<<6);
6758 } else {
6759 ssl_data_set(&ssl->master_secret, ms->data, ms->data_len);
6760 ssl->state |= SSL_MASTER_SECRET(1<<5);
6761 }
6762 ssl_debug_printf("%s %smaster secret retrieved using %s\n", G_STRFUNC((const char*) (__func__)),
6763 is_pre_master ? "pre-" : "", label);
6764 ssl_print_string(label, key);
6765 ssl_print_string("(pre-)master secret", ms);
6766 return true1;
6767}
6768/* Store/load a known (pre-)master secret from/for this SSL session. }}} */
6769
6770/* Should be called when all parameters are ready (after ChangeCipherSpec), and
6771 * the decoder should be attempted to be initialized. {{{*/
6772void
6773ssl_finalize_decryption(SslDecryptSession *ssl, ssl_master_key_map_t *mk_map)
6774{
6775 if (ssl->session.version == TLSV1DOT3_VERSION0x304) {
6776 /* TLS 1.3 implementations only provide secrets derived from the master
6777 * secret which are loaded in tls13_change_key. No master secrets can be
6778 * loaded here, so just return. */
6779 return;
6780 }
6781 ssl_debug_printf("%s state = 0x%02X\n", G_STRFUNC((const char*) (__func__)), ssl->state);
6782 if (ssl->state & SSL_HAVE_SESSION_KEY(1<<3)) {
6783 ssl_debug_printf(" session key already available, nothing to do.\n");
6784 return;
6785 }
6786 if (!(ssl->state & SSL_CIPHER(1<<2))) {
6787 ssl_debug_printf(" Cipher suite (Server Hello) is missing!\n");
6788 return;
6789 }
6790
6791 /* for decryption, there needs to be a master secret (which can be derived
6792 * from pre-master secret). If missing, try to pick a master key from cache
6793 * (an earlier packet in the capture or key logfile). */
6794 if (!(ssl->state & (SSL_MASTER_SECRET(1<<5) | SSL_PRE_MASTER_SECRET(1<<6))) &&
6795 !ssl_restore_master_key(ssl, "Session ID", false0,
6796 mk_map->session, &ssl->session_id) &&
6797 (!ssl->session.is_session_resumed ||
6798 !ssl_restore_master_key(ssl, "Session Ticket", false0,
6799 mk_map->tickets, &ssl->session_ticket)) &&
6800 !ssl_restore_master_key(ssl, "Client Random", false0,
6801 mk_map->crandom, &ssl->client_random)) {
6802 if (ssl->cipher_suite->enc != ENC_NULL0x3D) {
6803 /* how unfortunate, the master secret could not be found */
6804 ssl_debug_printf(" Cannot find master secret\n");
6805 return;
6806 } else {
6807 ssl_debug_printf(" Cannot find master secret, continuing anyway "
6808 "because of a NULL cipher\n");
6809 }
6810 }
6811
6812 if (ssl_generate_keyring_material(ssl) < 0) {
6813 ssl_debug_printf("%s can't generate keyring material\n", G_STRFUNC((const char*) (__func__)));
6814 return;
6815 }
6816 /* Save Client Random/ Session ID for "SSL Export Session keys" */
6817 ssl_save_master_key("Client Random", mk_map->crandom,
6818 &ssl->client_random, &ssl->master_secret);
6819 ssl_save_master_key("Session ID", mk_map->session,
6820 &ssl->session_id, &ssl->master_secret);
6821 /* Only save the new secrets if the server sent the ticket. The client
6822 * ticket might have become stale. */
6823 if (ssl->state & SSL_NEW_SESSION_TICKET(1<<10)) {
6824 ssl_save_master_key("Session Ticket", mk_map->tickets,
6825 &ssl->session_ticket, &ssl->master_secret);
6826 }
6827} /* }}} */
6828
6829static StringInfo*
6830tls13_load_secret_from_psk(SslDecryptSession *tls, bool_Bool is_from_server,
6831 TLSRecordType type)
6832{
6833 /* XXX - In addition to an out-of-bound PSK, we could also save the
6834 * PSK from a NewSessionTicket; we would also need to compute the
6835 * resumption_master_secret. */
6836 if (tls->psk.data_len == 0)
6837 return NULL((void*)0);
6838
6839 /* We SHOULD associate each PSK with a hash algorithm (e.g., use
6840 * a UAT instead of a single global PSK string preference, preferably
6841 * following RFC 9258.) Failing that, RFC 8864 4.2.1 and 9258 say SHA-256
6842 * SHOULD be used. We will try the negotiated hash algorithm regardless
6843 * with the PSK, but fall back to SHA-256 for the Early Secret, since
6844 * that's before the Server Hello completes negotiation.
6845 */
6846 const SslDigestAlgo *dig = ssl_cipher_suite_dig(tls->cipher_suite);
6847 if (type == TLS_SECRET_0RTT_APP && dig == &digests[DIG_NA0x45 - DIG_MD50x40]) {
6848 dig = &digests[DIG_SHA2560x42 - DIG_MD50x40];
6849 ssl_debug_printf("%s assuming PSK hash function is %s\n", G_STRFUNC((const char*) (__func__)), dig->name);
6850 }
6851
6852 int hash_algo = ssl_get_digest_by_name(dig->name);
6853 if (!hash_algo) {
6854 ssl_debug_printf("%s can't find hash function %s\n", G_STRFUNC((const char*) (__func__)), dig->name);
6855 return NULL((void*)0);
6856 }
6857
6858 /* We can re-use this to store the Pseudo Random Key for each epoch. */
6859 uint8_t prk[DIGEST_MAX_SIZE48];
6860 StringInfo prk_string = { prk, dig->len };
6861 uint8_t *derived_secret;
6862
6863 uint8_t zeroes[DIGEST_MAX_SIZE48];
6864 memset(zeroes, 0, dig->len);
6865
6866 StringInfo *secret = NULL((void*)0);
6867 const char *label;
6868
6869 /* PRK = Early Secret */
6870 hkdf_extract(hash_algo, zeroes, dig->len, tls->psk.data, tls->psk.data_len, prk);
6871
6872 if (type == TLS_SECRET_0RTT_APP) {
6873 DISSECTOR_ASSERT(!is_from_server)((void) ((!is_from_server) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 6873, "!is_from_server"))))
;
6874 label = "c e traffic";
6875 } else {
6876 if (!tls13_derive_secret(hash_algo, &prk_string, tls13_hkdf_label_prefix(tls),
6877 "derived", NULL((void*)0), 0, dig->len, &derived_secret))
6878 return NULL((void*)0);
6879
6880 /* PRK = Handshake Secret [assume no (EC)DHE.] */
6881 hkdf_extract(hash_algo, derived_secret, dig->len, zeroes, dig->len, prk);
6882 wmem_free(NULL((void*)0), derived_secret);
6883
6884 if (type == TLS_SECRET_HANDSHAKE) {
6885 label = is_from_server ? "s hs traffic" : "c hs traffic";
6886 } else {
6887 if (!tls13_derive_secret(hash_algo, &prk_string, tls13_hkdf_label_prefix(tls),
6888 "derived", NULL((void*)0), 0, dig->len, &derived_secret))
6889 return NULL((void*)0);
6890
6891 /* PRK = Master Secret */
6892 hkdf_extract(hash_algo, derived_secret, dig->len, zeroes, dig->len, prk);
6893 wmem_free(NULL((void*)0), derived_secret);
6894
6895 label = is_from_server ? "s ap traffic" : "c ap traffic";
6896 }
6897 }
6898
6899 /* XXX - If Encrypted Client Hello was accepted (do client/server pairs
6900 * support ECHO with psk_ke?) then we should use ech_transcript instead
6901 * of handshake_data. Perhaps we should consolidate some of that handling,
6902 * though note that we would have to keep both transcripts around after
6903 * the ClientHello until the ServerHello indicated whether ECHO was
6904 * accepted or not. */
6905 if (!tls13_derive_secret(hash_algo, &prk_string,
6906 tls13_hkdf_label_prefix(tls), label,
6907 tls->handshake_data.data, tls->handshake_data.data_len,
6908 dig->len, &derived_secret))
6909 return NULL((void*)0);
6910
6911 secret = wmem_new(wmem_file_scope(), StringInfo)((StringInfo*)wmem_alloc((wmem_file_scope()), sizeof(StringInfo
)))
;
6912 secret->data = wmem_memdup(wmem_file_scope(), derived_secret, dig->len);
6913 secret->data_len = dig->len;
6914 wmem_free(NULL((void*)0), derived_secret);
6915 return secret;
6916}
6917
6918/* Load the traffic key secret from the keylog file. */
6919StringInfo *
6920tls13_load_secret(SslDecryptSession *ssl, ssl_master_key_map_t *mk_map,
6921 bool_Bool is_from_server, TLSRecordType type)
6922{
6923 GHashTable *key_map;
6924 const char *label;
6925
6926 if (ssl->session.version != TLSV1DOT3_VERSION0x304 && ssl->session.version != DTLSV1DOT3_VERSION0xfefc) {
6927 ssl_debug_printf("%s TLS version %#x is not 1.3\n", G_STRFUNC((const char*) (__func__)), ssl->session.version);
6928 return NULL((void*)0);
6929 }
6930
6931 if (ssl->client_random.data_len == 0) {
6932 /* May happen if Hello message is missing and Finished is found. */
6933 ssl_debug_printf("%s missing Client Random\n", G_STRFUNC((const char*) (__func__)));
6934 return NULL((void*)0);
6935 }
6936
6937 switch (type) {
6938 case TLS_SECRET_0RTT_APP:
6939 DISSECTOR_ASSERT(!is_from_server)((void) ((!is_from_server) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 6939, "!is_from_server"))))
;
6940 label = "CLIENT_EARLY_TRAFFIC_SECRET";
6941 key_map = mk_map->tls13_client_early;
6942 break;
6943 case TLS_SECRET_HANDSHAKE:
6944 if (is_from_server) {
6945 label = "SERVER_HANDSHAKE_TRAFFIC_SECRET";
6946 key_map = mk_map->tls13_server_handshake;
6947 } else {
6948 label = "CLIENT_HANDSHAKE_TRAFFIC_SECRET";
6949 key_map = mk_map->tls13_client_handshake;
6950 }
6951 break;
6952 case TLS_SECRET_APP:
6953 if (is_from_server) {
6954 label = "SERVER_TRAFFIC_SECRET_0";
6955 key_map = mk_map->tls13_server_appdata;
6956 } else {
6957 label = "CLIENT_TRAFFIC_SECRET_0";
6958 key_map = mk_map->tls13_client_appdata;
6959 }
6960 break;
6961 default:
6962 ws_assert_not_reached()ws_log_fatal_full("", LOG_LEVEL_ERROR, "epan/dissectors/packet-tls-utils.c"
, 6962, __func__, "assertion \"not reached\" failed")
;
6963 }
6964
6965 /* Transitioning to new keys, mark old ones as unusable. */
6966 ssl_debug_printf("%s transitioning to new key, old state 0x%02x\n", G_STRFUNC((const char*) (__func__)), ssl->state);
6967 ssl->state &= ~(SSL_MASTER_SECRET(1<<5) | SSL_PRE_MASTER_SECRET(1<<6) | SSL_HAVE_SESSION_KEY(1<<3));
6968
6969 StringInfo *secret = (StringInfo *)g_hash_table_lookup(key_map, &ssl->client_random);
6970 if (!secret) {
6971 secret = tls13_load_secret_from_psk(ssl, is_from_server, type);
6972 if (secret) {
6973 ssl_debug_printf("%s Calculated TLS 1.3 traffic secret from PSK.\n", G_STRFUNC((const char*) (__func__)));
6974 /* Doing this allows us to save the secret as a DSB in a pcapng. */
6975 g_hash_table_insert(key_map, ssl_data_clone(&ssl->client_random), secret);
6976 }
6977 }
6978 if (!secret) {
6979 ssl_debug_printf("%s Cannot find %s, decryption impossible\n", G_STRFUNC((const char*) (__func__)), label);
6980 /* Disable decryption, the keys are invalid. */
6981 if (is_from_server) {
6982 ssl->server = NULL((void*)0);
6983 } else {
6984 ssl->client = NULL((void*)0);
6985 }
6986 return NULL((void*)0);
6987 }
6988
6989 /* TLS 1.3 secret found, set new keys. */
6990 ssl_debug_printf("%s Retrieved TLS 1.3 traffic secret.\n", G_STRFUNC((const char*) (__func__)));
6991 ssl_print_string("Client Random", &ssl->client_random);
6992 ssl_print_string(label, secret);
6993 return secret;
6994}
6995
6996/* Load the new key. */
6997void
6998tls13_change_key(SslDecryptSession *ssl, ssl_master_key_map_t *mk_map,
6999 bool_Bool is_from_server, TLSRecordType type)
7000{
7001 if (ssl->state & SSL_QUIC_RECORD_LAYER(1<<13)) {
7002 /*
7003 * QUIC does not use the TLS record layer for message protection.
7004 * The required keys will be extracted later by QUIC.
7005 */
7006 return;
7007 }
7008
7009 StringInfo *secret = tls13_load_secret(ssl, mk_map, is_from_server, type);
7010 if (!secret) {
7011 if (type != TLS_SECRET_HANDSHAKE) {
7012 return;
7013 }
7014 /*
7015 * Workaround for when for some reason we don't have the handshake
7016 * secret but do have the application traffic secret. (#20240)
7017 * If we can't find the handshake secret, we'll never decrypt the
7018 * Finished message, so we won't know when to change to the app
7019 * traffic key, so we do so now.
7020 */
7021 type = TLS_SECRET_APP;
7022 secret = tls13_load_secret(ssl, mk_map, is_from_server, type);
7023 if (!secret) {
7024 return;
7025 }
7026 }
7027
7028 if (tls13_generate_keys(ssl, secret, is_from_server)) {
7029 /*
7030 * Remember the application traffic secret to support Key Update. The
7031 * other secrets cannot be used for this purpose, so free them.
7032 */
7033 SslDecoder *decoder = is_from_server ? ssl->server : ssl->client;
7034 StringInfo *app_secret = &decoder->app_traffic_secret;
7035 if (type == TLS_SECRET_APP) {
7036 app_secret->data = (unsigned char *) wmem_realloc(wmem_file_scope(),
7037 app_secret->data,
7038 secret->data_len);
7039 ssl_data_set(app_secret, secret->data, secret->data_len);
7040 } else {
7041 wmem_free(wmem_file_scope(), app_secret->data);
7042 app_secret->data = NULL((void*)0);
7043 app_secret->data_len = 0;
7044 }
7045 }
7046}
7047
7048/**
7049 * Update to next application data traffic secret for TLS 1.3. The previous
7050 * secret should have been set by tls13_change_key.
7051 */
7052void
7053tls13_key_update(SslDecryptSession *ssl, bool_Bool is_from_server)
7054{
7055 /* RFC 8446 Section 7.2:
7056 * application_traffic_secret_N+1 =
7057 * HKDF-Expand-Label(application_traffic_secret_N,
7058 * "traffic upd", "", Hash.length)
7059 *
7060 * Both application_traffic_secret_N are of the same length (Hash.length).
7061 */
7062 const SslCipherSuite *cipher_suite = ssl->cipher_suite;
7063 SslDecoder *decoder = is_from_server ? ssl->server : ssl->client;
7064 StringInfo *app_secret = decoder ? &decoder->app_traffic_secret : NULL((void*)0);
7065 uint8_t tls13_draft_version = ssl->session.tls13_draft_version;
7066
7067 if (!cipher_suite || !app_secret || app_secret->data_len == 0) {
7068 ssl_debug_printf("%s Cannot perform Key Update due to missing info\n", G_STRFUNC((const char*) (__func__)));
7069 return;
7070 }
7071
7072 /*
7073 * Previous traffic secret is available, so find the hash function,
7074 * expand the new traffic secret and generate new keys.
7075 */
7076 const char *hash_name = ssl_cipher_suite_dig(cipher_suite)->name;
7077 int hash_algo = ssl_get_digest_by_name(hash_name);
7078 const unsigned hash_len = app_secret->data_len;
7079 unsigned char *new_secret;
7080 const char *label = "traffic upd";
7081 if (tls13_draft_version && tls13_draft_version < 20) {
7082 label = "application traffic secret";
7083 }
7084 if (!tls13_hkdf_expand_label(hash_algo, app_secret,
7085 tls13_hkdf_label_prefix(ssl),
7086 label, hash_len, &new_secret)) {
7087 ssl_debug_printf("%s traffic_secret_N+1 expansion failed\n", G_STRFUNC((const char*) (__func__)));
7088 return;
7089 }
7090 ssl_data_set(app_secret, new_secret, hash_len);
7091 if (tls13_generate_keys(ssl, app_secret, is_from_server)) {
7092 /*
7093 * Remember the application traffic secret on the new decoder to
7094 * support another Key Update.
7095 */
7096 decoder = is_from_server ? ssl->server : ssl->client;
7097 app_secret = &decoder->app_traffic_secret;
7098 app_secret->data = (unsigned char *) wmem_realloc(wmem_file_scope(),
7099 app_secret->data,
7100 hash_len);
7101 ssl_data_set(app_secret, new_secret, hash_len);
7102 }
7103 wmem_free(NULL((void*)0), new_secret);
7104}
7105
7106void
7107tls_save_crandom(SslDecryptSession *ssl, ssl_master_key_map_t *mk_map)
7108{
7109 if (ssl && (ssl->state & SSL_CLIENT_RANDOM(1<<0))) {
7110 g_hash_table_add(mk_map->used_crandom, ssl_data_clone(&ssl->client_random));
7111 }
7112}
7113
7114/** SSL keylog file handling. {{{ */
7115
7116static GRegex *
7117ssl_compile_keyfile_regex(void)
7118{
7119#define OCTET "(?:[[:xdigit:]]{2})"
7120 const char *pattern =
7121 "(?:"
7122 /* Matches Client Hellos having this Client Random */
7123 "PMS_CLIENT_RANDOM (?<client_random_pms>" OCTET "{32}) "
7124 /* Matches first part of encrypted RSA pre-master secret */
7125 "|RSA (?<encrypted_pmk>" OCTET "{8}) "
7126 /* Pre-Master-Secret is given, it is 48 bytes for RSA,
7127 but it can be of any length for DHE */
7128 ")(?<pms>" OCTET "+)"
7129 "|(?:"
7130 /* Matches Server Hellos having a Session ID */
7131 "RSA Session-ID:(?<session_id>" OCTET "+) Master-Key:"
7132 /* Matches Client Hellos having this Client Random */
7133 "|CLIENT_RANDOM (?<client_random>" OCTET "{32}) "
7134 /* Master-Secret is given, its length is fixed */
7135 ")(?<master_secret>" OCTET "{" G_STRINGIFY(SSL_MASTER_SECRET_LENGTH)"48" "})"
7136 "|(?"
7137 /* TLS 1.3 Client Random to Derived Secrets mapping. */
7138 ":CLIENT_EARLY_TRAFFIC_SECRET (?<client_early>" OCTET "{32})"
7139 "|CLIENT_HANDSHAKE_TRAFFIC_SECRET (?<client_handshake>" OCTET "{32})"
7140 "|SERVER_HANDSHAKE_TRAFFIC_SECRET (?<server_handshake>" OCTET "{32})"
7141 "|CLIENT_TRAFFIC_SECRET_0 (?<client_appdata>" OCTET "{32})"
7142 "|SERVER_TRAFFIC_SECRET_0 (?<server_appdata>" OCTET "{32})"
7143 "|EARLY_EXPORTER_SECRET (?<early_exporter>" OCTET "{32})"
7144 "|EXPORTER_SECRET (?<exporter>" OCTET "{32})"
7145 /* ECH. Secret length is defined by HPKE KEM Nsecret and can vary between 32 and 64 bytes */
7146 /* These labels and their notation are specified in draft-ietf-tls-ech-keylogfile-01 */
7147 "|ECH_SECRET (?<ech_secret>" OCTET "{32,64})"
7148 "|ECH_CONFIG (?<ech_config>" OCTET "{22,})"
7149 ") (?<derived_secret>" OCTET "+)";
7150#undef OCTET
7151 static GRegex *regex = NULL((void*)0);
7152 GError *gerr = NULL((void*)0);
7153
7154 if (!regex) {
7155 regex = g_regex_new(pattern,
7156 (GRegexCompileFlags)(G_REGEX_OPTIMIZE | G_REGEX_ANCHORED | G_REGEX_RAW),
7157 G_REGEX_MATCH_ANCHORED, &gerr);
7158 if (gerr) {
7159 ssl_debug_printf("%s failed to compile regex: %s\n", G_STRFUNC((const char*) (__func__)),
7160 gerr->message);
7161 g_error_free(gerr);
7162 regex = NULL((void*)0);
7163 }
7164 }
7165
7166 return regex;
7167}
7168
7169typedef struct ssl_master_key_match_group {
7170 const char *re_group_name;
7171 GHashTable *master_key_ht;
7172} ssl_master_key_match_group_t;
7173
7174void
7175tls_keylog_process_lines(const ssl_master_key_map_t *mk_map, const uint8_t *data, unsigned datalen)
7176{
7177 ssl_master_key_match_group_t mk_groups[] = {
7178 { "encrypted_pmk", mk_map->pre_master },
7179 { "session_id", mk_map->session },
7180 { "client_random", mk_map->crandom },
7181 { "client_random_pms", mk_map->pms },
7182 /* TLS 1.3 map from Client Random to derived secret. */
7183 { "client_early", mk_map->tls13_client_early },
7184 { "client_handshake", mk_map->tls13_client_handshake },
7185 { "server_handshake", mk_map->tls13_server_handshake },
7186 { "client_appdata", mk_map->tls13_client_appdata },
7187 { "server_appdata", mk_map->tls13_server_appdata },
7188 { "early_exporter", mk_map->tls13_early_exporter },
7189 { "exporter", mk_map->tls13_exporter },
7190 { "ech_secret", mk_map->ech_secret },
7191 { "ech_config", mk_map->ech_config },
7192 };
7193
7194 /* The format of the file is a series of records with one of the following formats:
7195 * - "RSA xxxx yyyy"
7196 * Where xxxx are the first 8 bytes of the encrypted pre-master secret (hex-encoded)
7197 * Where yyyy is the cleartext pre-master secret (hex-encoded)
7198 * (this is the original format introduced with bug 4349)
7199 *
7200 * - "RSA Session-ID:xxxx Master-Key:yyyy"
7201 * Where xxxx is the SSL session ID (hex-encoded)
7202 * Where yyyy is the cleartext master secret (hex-encoded)
7203 * (added to support openssl s_client Master-Key output)
7204 * This is somewhat is a misnomer because there's nothing RSA specific
7205 * about this.
7206 *
7207 * - "PMS_CLIENT_RANDOM xxxx yyyy"
7208 * Where xxxx is the client_random from the ClientHello (hex-encoded)
7209 * Where yyyy is the cleartext pre-master secret (hex-encoded)
7210 * (This format allows SSL connections to be decrypted, if a user can
7211 * capture the PMS but could not recover the MS for a specific session
7212 * with a SSL Server.)
7213 *
7214 * - "CLIENT_RANDOM xxxx yyyy"
7215 * Where xxxx is the client_random from the ClientHello (hex-encoded)
7216 * Where yyyy is the cleartext master secret (hex-encoded)
7217 * (This format allows non-RSA SSL connections to be decrypted, i.e.
7218 * ECDHE-RSA.)
7219 *
7220 * - "CLIENT_EARLY_TRAFFIC_SECRET xxxx yyyy"
7221 * - "CLIENT_HANDSHAKE_TRAFFIC_SECRET xxxx yyyy"
7222 * - "SERVER_HANDSHAKE_TRAFFIC_SECRET xxxx yyyy"
7223 * - "CLIENT_TRAFFIC_SECRET_0 xxxx yyyy"
7224 * - "SERVER_TRAFFIC_SECRET_0 xxxx yyyy"
7225 * - "EARLY_EXPORTER_SECRET xxxx yyyy"
7226 * - "EXPORTER_SECRET xxxx yyyy"
7227 * Where xxxx is the client_random from the ClientHello (hex-encoded)
7228 * Where yyyy is the secret (hex-encoded) derived from the early,
7229 * handshake or master secrets. (This format is introduced with TLS 1.3
7230 * and supported by BoringSSL, OpenSSL, etc. See bug 12779.)
7231 */
7232 GRegex *regex = ssl_compile_keyfile_regex();
7233 if (!regex)
7234 return;
7235
7236 const char *next_line = (const char *)data;
7237 const char *line_end = next_line + datalen;
7238 while (next_line && next_line < line_end) {
7239 const char *line = next_line;
7240 next_line = (const char *)memchr(line, '\n', line_end - line);
7241 ssize_t linelen;
7242
7243 if (next_line) {
7244 linelen = next_line - line;
7245 next_line++; /* drop LF */
7246 } else {
7247 linelen = (ssize_t)(line_end - line);
7248 }
7249 if (linelen > 0 && line[linelen - 1] == '\r') {
7250 linelen--; /* drop CR */
7251 }
7252
7253 ssl_debug_printf(" checking keylog line: %.*s\n", (int)linelen, line);
7254 GMatchInfo *mi;
7255 if (g_regex_match_full(regex, line, linelen, 0, G_REGEX_MATCH_ANCHORED, &mi, NULL((void*)0))) {
7256 char *hex_key, *hex_pre_ms_or_ms;
7257 StringInfo *key = wmem_new(wmem_file_scope(), StringInfo)((StringInfo*)wmem_alloc((wmem_file_scope()), sizeof(StringInfo
)))
;
7258 StringInfo *pre_ms_or_ms = NULL((void*)0);
7259 GHashTable *ht = NULL((void*)0);
7260
7261 /* Is the PMS being supplied with the PMS_CLIENT_RANDOM
7262 * otherwise we will use the Master Secret
7263 */
7264 hex_pre_ms_or_ms = g_match_info_fetch_named(mi, "master_secret");
7265 if (hex_pre_ms_or_ms == NULL((void*)0) || !*hex_pre_ms_or_ms) {
7266 g_free(hex_pre_ms_or_ms)(__builtin_object_size ((hex_pre_ms_or_ms), 0) != ((size_t) -
1)) ? g_free_sized (hex_pre_ms_or_ms, __builtin_object_size (
(hex_pre_ms_or_ms), 0)) : (g_free) (hex_pre_ms_or_ms)
;
7267 hex_pre_ms_or_ms = g_match_info_fetch_named(mi, "pms");
7268 }
7269 if (hex_pre_ms_or_ms == NULL((void*)0) || !*hex_pre_ms_or_ms) {
7270 g_free(hex_pre_ms_or_ms)(__builtin_object_size ((hex_pre_ms_or_ms), 0) != ((size_t) -
1)) ? g_free_sized (hex_pre_ms_or_ms, __builtin_object_size (
(hex_pre_ms_or_ms), 0)) : (g_free) (hex_pre_ms_or_ms)
;
7271 hex_pre_ms_or_ms = g_match_info_fetch_named(mi, "derived_secret");
7272 }
7273 /* There is always a match, otherwise the regex is wrong. */
7274 DISSECTOR_ASSERT(hex_pre_ms_or_ms && strlen(hex_pre_ms_or_ms))((void) ((hex_pre_ms_or_ms && strlen(hex_pre_ms_or_ms
)) ? (void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\""
, "epan/dissectors/packet-tls-utils.c", 7274, "hex_pre_ms_or_ms && strlen(hex_pre_ms_or_ms)"
))))
;
7275
7276 /* convert from hex to bytes and save to hashtable */
7277 pre_ms_or_ms = wmem_new(wmem_file_scope(), StringInfo)((StringInfo*)wmem_alloc((wmem_file_scope()), sizeof(StringInfo
)))
;
7278 from_hex(pre_ms_or_ms, hex_pre_ms_or_ms, strlen(hex_pre_ms_or_ms));
7279 g_free(hex_pre_ms_or_ms)(__builtin_object_size ((hex_pre_ms_or_ms), 0) != ((size_t) -
1)) ? g_free_sized (hex_pre_ms_or_ms, __builtin_object_size (
(hex_pre_ms_or_ms), 0)) : (g_free) (hex_pre_ms_or_ms)
;
7280
7281 /* Find a master key from any format (CLIENT_RANDOM, SID, ...) */
7282 for (unsigned i = 0; i < G_N_ELEMENTS(mk_groups)(sizeof (mk_groups) / sizeof ((mk_groups)[0])); i++) {
7283 ssl_master_key_match_group_t *g = &mk_groups[i];
7284 hex_key = g_match_info_fetch_named(mi, g->re_group_name);
7285 if (hex_key && *hex_key) {
7286 ssl_debug_printf(" matched %s\n", g->re_group_name);
7287 ht = g->master_key_ht;
7288 from_hex(key, hex_key, strlen(hex_key));
7289 g_free(hex_key)(__builtin_object_size ((hex_key), 0) != ((size_t) - 1)) ? g_free_sized
(hex_key, __builtin_object_size ((hex_key), 0)) : (g_free) (
hex_key)
;
7290 break;
7291 }
7292 g_free(hex_key)(__builtin_object_size ((hex_key), 0) != ((size_t) - 1)) ? g_free_sized
(hex_key, __builtin_object_size ((hex_key), 0)) : (g_free) (
hex_key)
;
7293 }
7294 DISSECTOR_ASSERT(ht)((void) ((ht) ? (void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\""
, "epan/dissectors/packet-tls-utils.c", 7294, "ht"))))
; /* Cannot be reached, or regex is wrong. */
7295
7296 g_hash_table_insert(ht, key, pre_ms_or_ms);
7297
7298 } else if (linelen > 0 && line[0] != '#') {
7299 ssl_debug_printf(" unrecognized line\n");
7300 }
7301 /* always free match info even if there is no match. */
7302 g_match_info_free(mi);
7303 }
7304}
7305
7306void
7307ssl_load_keyfile(const char *tls_keylog_filename, FILE **keylog_file,
7308 const ssl_master_key_map_t *mk_map)
7309{
7310 /* no need to try if no key log file is configured. */
7311 if (!tls_keylog_filename || !*tls_keylog_filename) {
7312 ssl_debug_printf("%s dtls/tls.keylog_file is not configured!\n",
7313 G_STRFUNC((const char*) (__func__)));
7314 return;
7315 }
7316
7317 /* Validate regexes before even trying to use it. */
7318 if (!ssl_compile_keyfile_regex()) {
7319 return;
7320 }
7321
7322 ssl_debug_printf("trying to use TLS keylog in %s\n", tls_keylog_filename);
7323
7324 /* if the keylog file was deleted/overwritten, re-open it */
7325 if (*keylog_file && file_needs_reopen(ws_filenofileno(*keylog_file), tls_keylog_filename)) {
7326 ssl_debug_printf("%s file got deleted, trying to re-open\n", G_STRFUNC((const char*) (__func__)));
7327 fclose(*keylog_file);
7328 *keylog_file = NULL((void*)0);
7329 }
7330
7331 if (*keylog_file == NULL((void*)0)) {
7332 *keylog_file = ws_fopenfopen(tls_keylog_filename, "r");
7333 if (!*keylog_file) {
7334 ssl_debug_printf("%s failed to open SSL keylog\n", G_STRFUNC((const char*) (__func__)));
7335 return;
7336 }
7337 }
7338
7339 for (;;) {
7340 char buf[1110], *line;
7341 line = fgets(buf, sizeof(buf), *keylog_file);
7342 if (!line) {
7343 if (feof(*keylog_file)) {
7344 /* Ensure that newly appended keys can be read in the future. */
7345 clearerr(*keylog_file);
7346 } else if (ferror(*keylog_file)) {
7347 ssl_debug_printf("%s Error while reading key log file, closing it!\n", G_STRFUNC((const char*) (__func__)));
7348 fclose(*keylog_file);
7349 *keylog_file = NULL((void*)0);
7350 }
7351 break;
7352 }
7353 tls_keylog_process_lines(mk_map, (uint8_t *)line, (int)strlen(line));
7354 }
7355}
7356/** SSL keylog file handling. }}} */
7357
7358#ifdef SSL_DECRYPT_DEBUG /* {{{ */
7359
7360static FILE* ssl_debug_file;
7361
7362void
7363ssl_set_debug(const char* name)
7364{
7365 static int debug_file_must_be_closed;
7366 int use_stderr;
7367
7368 use_stderr = name?(strcmp(name, SSL_DEBUG_USE_STDERR"-") == 0):0;
7369
7370 if (debug_file_must_be_closed)
7371 fclose(ssl_debug_file);
7372
7373 if (use_stderr)
7374 ssl_debug_file = stderrstderr;
7375 else if (!name || (strcmp(name, "") ==0))
7376 ssl_debug_file = NULL((void*)0);
7377 else
7378 ssl_debug_file = ws_fopenfopen(name, "w");
7379
7380 if (!use_stderr && ssl_debug_file)
7381 debug_file_must_be_closed = 1;
7382 else
7383 debug_file_must_be_closed = 0;
7384
7385 ssl_debug_printf("Wireshark SSL debug log \n\n");
7386#ifdef HAVE_LIBGNUTLS1
7387 ssl_debug_printf("GnuTLS version: %s\n", gnutls_check_version(NULL((void*)0)));
7388#endif
7389 ssl_debug_printf("Libgcrypt version: %s\n", gcry_check_version(NULL((void*)0)));
7390 ssl_debug_printf("\n");
7391}
7392
7393void
7394ssl_debug_flush(void)
7395{
7396 if (ssl_debug_file)
7397 fflush(ssl_debug_file);
7398}
7399
7400void
7401ssl_debug_printf(const char* fmt, ...)
7402{
7403 va_list ap;
7404
7405 if (!ssl_debug_file)
7406 return;
7407
7408 va_start(ap, fmt)__builtin_va_start(ap, fmt);
7409 vfprintf(ssl_debug_file, fmt, ap);
7410 va_end(ap)__builtin_va_end(ap);
7411}
7412
7413void
7414ssl_print_data(const char* name, const unsigned char* data, size_t len)
7415{
7416 size_t i, j, k;
7417 if (!ssl_debug_file)
7418 return;
7419 fprintf(ssl_debug_file,"%s[%d]:\n",name, (int) len);
7420 for (i=0; i<len; i+=16) {
7421 fprintf(ssl_debug_file,"| ");
7422 for (j=i, k=0; k<16 && j<len; ++j, ++k)
7423 fprintf(ssl_debug_file,"%.2x ",data[j]);
7424 for (; k<16; ++k)
7425 fprintf(ssl_debug_file," ");
7426 fputc('|', ssl_debug_file);
7427 for (j=i, k=0; k<16 && j<len; ++j, ++k) {
7428 unsigned char c = data[j];
7429 if (!g_ascii_isprint(c)((g_ascii_table[(guchar) (c)] & G_ASCII_PRINT) != 0) || (c=='\t')) c = '.';
7430 fputc(c, ssl_debug_file);
7431 }
7432 for (; k<16; ++k)
7433 fputc(' ', ssl_debug_file);
7434 fprintf(ssl_debug_file,"|\n");
7435 }
7436}
7437
7438void
7439ssl_print_string(const char* name, const StringInfo* data)
7440{
7441 ssl_print_data(name, data->data, data->data_len);
7442}
7443#endif /* SSL_DECRYPT_DEBUG }}} */
7444
7445/* UAT preferences callbacks. {{{ */
7446/* checks for SSL and DTLS UAT key list fields */
7447
7448bool_Bool
7449ssldecrypt_uat_fld_ip_chk_cb(void* r _U___attribute__((unused)), const char* p _U___attribute__((unused)), unsigned len _U___attribute__((unused)), const void* u1 _U___attribute__((unused)), const void* u2 _U___attribute__((unused)), char** err)
7450{
7451 // This should be removed in favor of Decode As. Make it optional.
7452 *err = NULL((void*)0);
7453 return true1;
7454}
7455
7456bool_Bool
7457ssldecrypt_uat_fld_port_chk_cb(void* r _U___attribute__((unused)), const char* p, unsigned len _U___attribute__((unused)), const void* u1 _U___attribute__((unused)), const void* u2 _U___attribute__((unused)), char** err)
7458{
7459 if (!p || strlen(p) == 0u) {
7460 // This should be removed in favor of Decode As. Make it optional.
7461 *err = NULL((void*)0);
7462 return true1;
7463 }
7464
7465 if (strcmp(p, "start_tls") != 0){
7466 uint16_t port;
7467 if (!ws_strtou16(p, NULL((void*)0), &port)) {
7468 *err = g_strdup("Invalid port given.")g_strdup_inline ("Invalid port given.");
7469 return false0;
7470 }
7471 }
7472
7473 *err = NULL((void*)0);
7474 return true1;
7475}
7476
7477bool_Bool
7478ssldecrypt_uat_fld_fileopen_chk_cb(void* r _U___attribute__((unused)), const char* p, unsigned len _U___attribute__((unused)), const void* u1 _U___attribute__((unused)), const void* u2 _U___attribute__((unused)), char** err)
7479{
7480 ws_statb64struct stat st;
7481
7482 if (!p || strlen(p) == 0u) {
7483 *err = g_strdup("No filename given.")g_strdup_inline ("No filename given.");
7484 return false0;
7485 } else {
7486 if (ws_stat64stat(p, &st) != 0) {
7487 *err = ws_strdup_printf("File '%s' does not exist or access is denied.", p)wmem_strdup_printf(((void*)0), "File '%s' does not exist or access is denied."
, p)
;
7488 return false0;
7489 }
7490 }
7491
7492 *err = NULL((void*)0);
7493 return true1;
7494}
7495
7496bool_Bool
7497ssldecrypt_uat_fld_password_chk_cb(void *r _U___attribute__((unused)), const char *p _U___attribute__((unused)), unsigned len _U___attribute__((unused)), const void *u1 _U___attribute__((unused)), const void *u2 _U___attribute__((unused)), char **err)
7498{
7499#if defined(HAVE_LIBGNUTLS1)
7500 ssldecrypt_assoc_t* f = (ssldecrypt_assoc_t *)r;
7501 FILE *fp = NULL((void*)0);
7502
7503 if (p && (strlen(p) > 0u)) {
7504 fp = ws_fopenfopen(f->keyfile, "rb");
7505 if (fp) {
7506 char *msg = NULL((void*)0);
7507 gnutls_x509_privkey_t priv_key = rsa_load_pkcs12(fp, p, &msg);
7508 if (!priv_key) {
7509 fclose(fp);
7510 *err = ws_strdup_printf("Could not load PKCS#12 key file: %s", msg)wmem_strdup_printf(((void*)0), "Could not load PKCS#12 key file: %s"
, msg)
;
7511 g_free(msg)(__builtin_object_size ((msg), 0) != ((size_t) - 1)) ? g_free_sized
(msg, __builtin_object_size ((msg), 0)) : (g_free) (msg)
;
7512 return false0;
7513 }
7514 g_free(msg)(__builtin_object_size ((msg), 0) != ((size_t) - 1)) ? g_free_sized
(msg, __builtin_object_size ((msg), 0)) : (g_free) (msg)
;
7515 gnutls_x509_privkey_deinit(priv_key);
7516 fclose(fp);
7517 } else {
7518 *err = ws_strdup_printf("Leave this field blank if the keyfile is not PKCS#12.")wmem_strdup_printf(((void*)0), "Leave this field blank if the keyfile is not PKCS#12."
)
;
7519 return false0;
7520 }
7521 }
7522
7523 *err = NULL((void*)0);
7524 return true1;
7525#else
7526 *err = g_strdup("Cannot load key files, support is not compiled in.")g_strdup_inline ("Cannot load key files, support is not compiled in."
)
;
7527 return false0;
7528#endif
7529}
7530/* UAT preferences callbacks. }}} */
7531
7532/** maximum size of ssl_association_info() string */
7533#define SSL_ASSOC_MAX_LEN8192 8192
7534
7535typedef struct ssl_association_info_callback_data
7536{
7537 char *str;
7538 const char *table_protocol;
7539} ssl_association_info_callback_data_t;
7540
7541/**
7542 * callback function used by ssl_association_info() to traverse the SSL associations.
7543 */
7544static void
7545ssl_association_info_(const char *table _U___attribute__((unused)), void *handle, void *user_data)
7546{
7547 ssl_association_info_callback_data_t* data = (ssl_association_info_callback_data_t*)user_data;
7548 const int l = (const int)strlen(data->str);
7549 snprintf(data->str+l, SSL_ASSOC_MAX_LEN8192-l, "'%s' (%s)\n", dissector_handle_get_dissector_name((dissector_handle_t)handle), dissector_handle_get_description((dissector_handle_t)handle));
7550}
7551
7552/**
7553 * @return an information string on the SSL protocol associations. The string must be freed.
7554 */
7555char*
7556ssl_association_info(const char* dissector_table_name, const char* table_protocol)
7557{
7558 ssl_association_info_callback_data_t data;
7559
7560 data.str = (char *)g_malloc0(SSL_ASSOC_MAX_LEN8192);
7561 data.table_protocol = table_protocol;
7562 dissector_table_foreach_handle(dissector_table_name, ssl_association_info_, &data);
7563 return data.str;
7564}
7565
7566
7567/** Begin of code related to dissection of wire data. */
7568
7569/* Helpers for dissecting Variable-Length Vectors. {{{ */
7570bool_Bool
7571ssl_add_vector(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
7572 unsigned offset, unsigned offset_end, uint32_t *ret_length,
7573 int hf_length, uint32_t min_value, uint32_t max_value)
7574{
7575 unsigned veclen_size;
7576 uint32_t veclen_value;
7577 proto_item *pi;
7578
7579 DISSECTOR_ASSERT_CMPUINT(min_value, <=, max_value)((void) ((min_value <= max_value) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion " "min_value" " " "<=" " " "max_value"
" (" "%" "l" "u" " " "<=" " " "%" "l" "u" ")", "epan/dissectors/packet-tls-utils.c"
, 7579, (uint64_t)min_value, (uint64_t)max_value))))
;
7580 if (offset > offset_end) {
7581 expert_add_info_format(pinfo, tree, &hf->ei.malformed_buffer_too_small,
7582 "Vector offset is past buffer end offset (%u > %u)",
7583 offset, offset_end);
7584 *ret_length = 0;
7585 return false0; /* Cannot read length. */
7586 }
7587
7588 if (max_value > 0xffffff) {
7589 veclen_size = 4;
7590 } else if (max_value > 0xffff) {
7591 veclen_size = 3;
7592 } else if (max_value > 0xff) {
7593 veclen_size = 2;
7594 } else {
7595 veclen_size = 1;
7596 }
7597
7598 if (offset_end - offset < veclen_size) {
7599 proto_tree_add_expert_format(tree, pinfo, &hf->ei.malformed_buffer_too_small,
7600 tvb, offset, offset_end - offset,
7601 "No more room for vector of length %u",
7602 veclen_size);
7603 *ret_length = 0;
7604 return false0; /* Cannot read length. */
7605 }
7606
7607 pi = proto_tree_add_item_ret_uint(tree, hf_length, tvb, offset, veclen_size, ENC_BIG_ENDIAN0x00000000, &veclen_value);
7608 offset += veclen_size;
7609
7610 if (veclen_value < min_value) {
7611 expert_add_info_format(pinfo, pi, &hf->ei.malformed_vector_length,
7612 "Vector length %u is smaller than minimum %u",
7613 veclen_value, min_value);
7614 } else if (veclen_value > max_value) {
7615 expert_add_info_format(pinfo, pi, &hf->ei.malformed_vector_length,
7616 "Vector length %u is larger than maximum %u",
7617 veclen_value, max_value);
7618 }
7619
7620 if (offset_end - offset < veclen_value) {
7621 expert_add_info_format(pinfo, pi, &hf->ei.malformed_buffer_too_small,
7622 "Vector length %u is too large, truncating it to %u",
7623 veclen_value, offset_end - offset);
7624 *ret_length = offset_end - offset;
7625 return false0; /* Length is truncated to avoid overflow. */
7626 }
7627
7628 *ret_length = veclen_value;
7629 return true1; /* Length is OK. */
7630}
7631
7632bool_Bool
7633ssl_end_vector(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
7634 unsigned offset, unsigned offset_end)
7635{
7636 if (offset < offset_end) {
7637 unsigned trailing = offset_end - offset;
7638 proto_tree_add_expert_format(tree, pinfo, &hf->ei.malformed_trailing_data,
7639 tvb, offset, trailing,
7640 "%u trailing byte%s unprocessed",
7641 trailing, plurality(trailing, " was", "s were")((trailing) == 1 ? (" was") : ("s were")));
7642 return false0; /* unprocessed data warning */
7643 } else if (offset > offset_end) {
7644 /*
7645 * Returned offset runs past the end. This should not happen and is
7646 * possibly a dissector bug.
7647 */
7648 unsigned excess = offset - offset_end;
7649 proto_tree_add_expert_format(tree, pinfo, &hf->ei.malformed_buffer_too_small,
7650 tvb, offset_end, excess,
7651 "Dissector processed too much data (%u byte%s)",
7652 excess, plurality(excess, "", "s")((excess) == 1 ? ("") : ("s")));
7653 return false0; /* overflow error */
7654 }
7655
7656 return true1; /* OK, offset matches. */
7657}
7658/** }}} */
7659
7660
7661static uint32_t
7662ssl_dissect_digitally_signed(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
7663 proto_tree *tree, uint32_t offset, uint32_t offset_end,
7664 uint16_t version, int hf_sig_len, int hf_sig);
7665
7666/* change_cipher_spec(20) dissection */
7667void
7668ssl_dissect_change_cipher_spec(ssl_common_dissect_t *hf, tvbuff_t *tvb,
7669 packet_info *pinfo, proto_tree *tree,
7670 uint32_t offset, SslSession *session,
7671 bool_Bool is_from_server,
7672 const SslDecryptSession *ssl)
7673{
7674 /*
7675 * struct {
7676 * enum { change_cipher_spec(1), (255) } type;
7677 * } ChangeCipherSpec;
7678 */
7679 proto_item *ti;
7680 proto_item_set_text(tree,
7681 "%s Record Layer: %s Protocol: Change Cipher Spec",
7682 val_to_str_const(session->version, ssl_version_short_names, "SSL"),
7683 val_to_str_const(SSL_ID_CHG_CIPHER_SPEC, ssl_31_content_type, "unknown"));
7684 ti = proto_tree_add_item(tree, hf->hf.change_cipher_spec, tvb, offset, 1, ENC_NA0x00000000);
7685
7686 if (session->version == TLSV1DOT3_VERSION0x304) {
7687 /* CCS is a dummy message in TLS 1.3, do not parse it further. */
7688 return;
7689 }
7690
7691 /* Remember frame number of first CCS */
7692 uint32_t *ccs_frame = is_from_server ? &session->server_ccs_frame : &session->client_ccs_frame;
7693 if (*ccs_frame == 0)
7694 *ccs_frame = pinfo->num;
7695
7696 /* Use heuristics to detect an abbreviated handshake, assume that missing
7697 * ServerHelloDone implies reusing previously negotiating keys. Then when
7698 * a Session ID or ticket is present, it must be a resumed session.
7699 * Normally this should be done at the Finished message, but that may be
7700 * encrypted so we do it here, at the last cleartext message. */
7701 if (is_from_server && ssl) {
7702 if (session->is_session_resumed) {
7703 const char *resumed = NULL((void*)0);
7704 if (ssl->session_ticket.data_len) {
7705 resumed = "Session Ticket";
7706 } else if (ssl->session_id.data_len) {
7707 resumed = "Session ID";
7708 }
7709 if (resumed) {
7710 ssl_debug_printf("%s Session resumption using %s\n", G_STRFUNC((const char*) (__func__)), resumed);
7711 } else {
7712 /* Can happen if the capture somehow starts in the middle */
7713 ssl_debug_printf("%s No Session resumption, missing packets?\n", G_STRFUNC((const char*) (__func__)));
7714 }
7715 } else {
7716 ssl_debug_printf("%s Not using Session resumption\n", G_STRFUNC((const char*) (__func__)));
7717 }
7718 }
7719 if (is_from_server && session->is_session_resumed)
7720 expert_add_info(pinfo, ti, &hf->ei.resumed);
7721}
7722
7723/** Begin of handshake(22) record dissections */
7724
7725/* Dissects a SignatureScheme (TLS 1.3) or SignatureAndHashAlgorithm (TLS 1.2).
7726 * {{{ */
7727static void
7728tls_dissect_signature_algorithm(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree, uint32_t offset, ja4_data_t *ja4_data)
7729{
7730 uint32_t sighash, hashalg, sigalg;
7731 proto_item *ti_sigalg;
7732 proto_tree *sigalg_tree;
7733
7734 ti_sigalg = proto_tree_add_item_ret_uint(tree, hf->hf.hs_sig_hash_alg, tvb,
7735 offset, 2, ENC_BIG_ENDIAN0x00000000, &sighash);
7736 if (ja4_data) {
7737 wmem_list_append(ja4_data->sighash_list, GUINT_TO_POINTER(sighash)((gpointer) (gulong) (sighash)));
7738 }
7739
7740 sigalg_tree = proto_item_add_subtree(ti_sigalg, hf->ett.hs_sig_hash_alg);
7741
7742 /* TLS 1.2: SignatureAndHashAlgorithm { hash, signature } */
7743 proto_tree_add_item_ret_uint(sigalg_tree, hf->hf.hs_sig_hash_hash, tvb,
7744 offset, 1, ENC_BIG_ENDIAN0x00000000, &hashalg);
7745 proto_tree_add_item_ret_uint(sigalg_tree, hf->hf.hs_sig_hash_sig, tvb,
7746 offset + 1, 1, ENC_BIG_ENDIAN0x00000000, &sigalg);
7747
7748 /* No TLS 1.3 SignatureScheme? Fallback to TLS 1.2 interpretation. */
7749 if (!try_val_to_str(sighash, tls13_signature_algorithm)) {
7750 proto_item_set_text(ti_sigalg, "Signature Algorithm: %s %s (0x%04x)",
7751 val_to_str_const(hashalg, tls_hash_algorithm, "Unknown"),
7752 val_to_str_const(sigalg, tls_signature_algorithm, "Unknown"),
7753 sighash);
7754 }
7755} /* }}} */
7756
7757/* dissect a list of hash algorithms, return the number of bytes dissected
7758 this is used for the signature algorithms extension and for the
7759 TLS1.2 certificate request. {{{ */
7760static int
7761ssl_dissect_hash_alg_list(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree,
7762 packet_info* pinfo, uint32_t offset, uint32_t offset_end, ja4_data_t *ja4_data)
7763{
7764 /* https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1
7765 * struct {
7766 * HashAlgorithm hash;
7767 * SignatureAlgorithm signature;
7768 * } SignatureAndHashAlgorithm;
7769 * SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2>;
7770 */
7771 proto_tree *subtree;
7772 proto_item *ti;
7773 unsigned sh_alg_length;
7774 uint32_t next_offset;
7775
7776 /* SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2> */
7777 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &sh_alg_length,
7778 hf->hf.hs_sig_hash_alg_len, 2, UINT16_MAX(65535) - 1)) {
7779 return offset_end;
7780 }
7781 offset += 2;
7782 next_offset = offset + sh_alg_length;
7783
7784 ti = proto_tree_add_none_format(tree, hf->hf.hs_sig_hash_algs, tvb, offset, sh_alg_length,
7785 "Signature Hash Algorithms (%u algorithm%s)",
7786 sh_alg_length / 2, plurality(sh_alg_length / 2, "", "s")((sh_alg_length / 2) == 1 ? ("") : ("s")));
7787 subtree = proto_item_add_subtree(ti, hf->ett.hs_sig_hash_algs);
7788
7789 while (offset + 2 <= next_offset) {
7790 tls_dissect_signature_algorithm(hf, tvb, subtree, offset, ja4_data);
7791 offset += 2;
7792 }
7793
7794 if (!ssl_end_vector(hf, tvb, pinfo, subtree, offset, next_offset)) {
7795 offset = next_offset;
7796 }
7797
7798 return offset;
7799} /* }}} */
7800
7801/* Dissection of DistinguishedName (for CertificateRequest and
7802 * certificate_authorities extension). {{{ */
7803static uint32_t
7804tls_dissect_certificate_authorities(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
7805 proto_tree *tree, uint32_t offset, uint32_t offset_end)
7806{
7807 proto_item *ti;
7808 proto_tree *subtree;
7809 uint32_t dnames_length, next_offset;
7810 asn1_ctx_t asn1_ctx;
7811 int dnames_count = 100; /* the maximum number of DNs to add to the tree */
7812
7813 /* Note: minimum length is 0 for TLS 1.1/1.2 and 3 for earlier/later */
7814 /* DistinguishedName certificate_authorities<0..2^16-1> */
7815 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &dnames_length,
7816 hf->hf.hs_dnames_len, 0, UINT16_MAX(65535))) {
7817 return offset_end;
7818 }
7819 offset += 2;
7820 next_offset = offset + dnames_length;
7821
7822 if (dnames_length > 0) {
7823 ti = proto_tree_add_none_format(tree,
7824 hf->hf.hs_dnames,
7825 tvb, offset, dnames_length,
7826 "Distinguished Names (%d byte%s)",
7827 dnames_length,
7828 plurality(dnames_length, "", "s")((dnames_length) == 1 ? ("") : ("s")));
7829 subtree = proto_item_add_subtree(ti, hf->ett.dnames);
7830
7831 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true1, pinfo);
7832
7833 while (offset < next_offset) {
7834 /* get the length of the current certificate */
7835 uint32_t name_length;
7836
7837 if (dnames_count-- == 0) {
7838 /* stop adding to tree when the list is considered too large
7839 * https://gitlab.com/wireshark/wireshark/-/issues/16202
7840 Note: dnames_count must be set low enough not to hit the
7841 limit set by PINFO_LAYER_MAX_RECURSION_DEPTH in packet.c
7842 */
7843 ti = proto_tree_add_item(subtree, hf->hf.hs_dnames_truncated,
7844 tvb, offset, next_offset - offset, ENC_NA0x00000000);
7845 proto_item_set_generated(ti);
7846 return next_offset;
7847 }
7848
7849 /* opaque DistinguishedName<1..2^16-1> */
7850 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, next_offset, &name_length,
7851 hf->hf.hs_dname_len, 1, UINT16_MAX(65535))) {
7852 return next_offset;
7853 }
7854 offset += 2;
7855
7856 dissect_x509if_DistinguishedName(false0, tvb, offset, &asn1_ctx,
7857 subtree, hf->hf.hs_dname);
7858 offset += name_length;
7859 }
7860 }
7861 return offset;
7862} /* }}} */
7863
7864
7865/** TLS Extensions (in Client Hello and Server Hello). {{{ */
7866static int
7867ssl_dissect_hnd_hello_ext_sig_hash_algs(ssl_common_dissect_t *hf, tvbuff_t *tvb,
7868 proto_tree *tree, packet_info* pinfo, uint32_t offset, uint32_t offset_end, ja4_data_t *ja4_data)
7869{
7870 return ssl_dissect_hash_alg_list(hf, tvb, tree, pinfo, offset, offset_end, ja4_data);
7871}
7872
7873static int
7874ssl_dissect_hnd_ext_delegated_credentials(ssl_common_dissect_t *hf, tvbuff_t *tvb,
7875 proto_tree *tree, packet_info* pinfo, uint32_t offset, uint32_t offset_end, uint8_t hnd_type)
7876{
7877 if (hnd_type == SSL_HND_CLIENT_HELLO ||
7878 hnd_type == SSL_HND_CERT_REQUEST) {
7879 /*
7880 * struct {
7881 * SignatureScheme supported_signature_algorithm<2..2^16-2>;
7882 * } SignatureSchemeList;
7883 */
7884
7885 return ssl_dissect_hash_alg_list(hf, tvb, tree, pinfo, offset, offset_end, NULL((void*)0));
7886 } else {
7887 asn1_ctx_t asn1_ctx;
7888 unsigned pubkey_length, sign_length;
7889
7890 /*
7891 * struct {
7892 * uint32 valid_time;
7893 * SignatureScheme expected_cert_verify_algorithm;
7894 * opaque ASN1_subjectPublicKeyInfo<1..2^24-1>;
7895 * } Credential;
7896 *
7897 * struct {
7898 * Credential cred;
7899 * SignatureScheme algorithm;
7900 * opaque signature<0..2^16-1>;
7901 * } DelegatedCredential;
7902 */
7903
7904 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true1, pinfo);
7905
7906 proto_tree_add_item(tree, hf->hf.hs_cred_valid_time, tvb, offset, 4, ENC_BIG_ENDIAN0x00000000);
7907 offset += 4;
7908
7909 tls_dissect_signature_algorithm(hf, tvb, tree, offset, NULL((void*)0));
7910 offset += 2;
7911
7912 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &pubkey_length,
7913 hf->hf.hs_cred_pubkey_len, 1, G_MAXUINT24((1U << 24) - 1))) {
7914 return offset_end;
7915 }
7916 offset += 3;
7917 dissect_x509af_SubjectPublicKeyInfo(false0, tvb, offset, &asn1_ctx, tree, hf->hf.hs_cred_pubkey);
7918 offset += pubkey_length;
7919
7920 tls_dissect_signature_algorithm(hf, tvb, tree, offset, NULL((void*)0));
7921 offset += 2;
7922
7923 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &sign_length,
7924 hf->hf.hs_cred_signature_len, 1, UINT16_MAX(65535))) {
7925 return offset_end;
7926 }
7927 offset += 2;
7928 proto_tree_add_item(tree, hf->hf.hs_cred_signature,
7929 tvb, offset, sign_length, ENC_ASCII0x00000000|ENC_NA0x00000000);
7930 offset += sign_length;
7931
7932 return offset;
7933 }
7934}
7935
7936static int
7937ssl_dissect_hnd_hello_ext_alps(ssl_common_dissect_t *hf, tvbuff_t *tvb,
7938 packet_info *pinfo, proto_tree *tree,
7939 uint32_t offset, uint32_t offset_end,
7940 uint8_t hnd_type)
7941{
7942
7943 /* https://datatracker.ietf.org/doc/html/draft-vvv-tls-alps-01#section-4 */
7944
7945 switch (hnd_type) {
7946 case SSL_HND_CLIENT_HELLO: {
7947 proto_tree *alps_tree;
7948 proto_item *ti;
7949 uint32_t next_offset, alps_length, name_length;
7950
7951 /*
7952 * opaque ProtocolName<1..2^8-1>;
7953 * struct {
7954 * ProtocolName supported_protocols<2..2^16-1>
7955 * } ApplicationSettingsSupport;
7956 */
7957
7958 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &alps_length,
7959 hf->hf.hs_ext_alps_len, 2, UINT16_MAX(65535))) {
7960 return offset_end;
7961 }
7962 offset += 2;
7963 next_offset = offset + alps_length;
7964
7965 ti = proto_tree_add_item(tree, hf->hf.hs_ext_alps_alpn_list,
7966 tvb, offset, alps_length, ENC_NA0x00000000);
7967 alps_tree = proto_item_add_subtree(ti, hf->ett.hs_ext_alps);
7968
7969 /* Parse list (note missing check for end of vector, ssl_add_vector below
7970 * ensures that data is always available.) */
7971 while (offset < next_offset) {
7972 if (!ssl_add_vector(hf, tvb, pinfo, alps_tree, offset, next_offset, &name_length,
7973 hf->hf.hs_ext_alps_alpn_str_len, 1, UINT8_MAX(255))) {
7974 return next_offset;
7975 }
7976 offset++;
7977
7978 proto_tree_add_item(alps_tree, hf->hf.hs_ext_alps_alpn_str,
7979 tvb, offset, name_length, ENC_ASCII0x00000000|ENC_NA0x00000000);
7980 offset += name_length;
7981 }
7982
7983 return offset;
7984 }
7985 case SSL_HND_ENCRYPTED_EXTS:
7986 /* Opaque blob */
7987 proto_tree_add_item(tree, hf->hf.hs_ext_alps_settings,
7988 tvb, offset, offset_end - offset, ENC_ASCII0x00000000|ENC_NA0x00000000);
7989 break;
7990 }
7991
7992 return offset_end;
7993}
7994
7995static int
7996ssl_dissect_hnd_hello_ext_alpn(ssl_common_dissect_t *hf, tvbuff_t *tvb,
7997 packet_info *pinfo, proto_tree *tree,
7998 uint32_t offset, uint32_t offset_end,
7999 uint8_t hnd_type, SslSession *session,
8000 bool_Bool is_dtls, ja4_data_t *ja4_data)
8001{
8002
8003 /* https://tools.ietf.org/html/rfc7301#section-3.1
8004 * opaque ProtocolName<1..2^8-1>;
8005 * struct {
8006 * ProtocolName protocol_name_list<2..2^16-1>
8007 * } ProtocolNameList;
8008 */
8009 proto_tree *alpn_tree;
8010 proto_item *ti;
8011 uint32_t next_offset, alpn_length, name_length;
8012 const char *proto_name = NULL((void*)0), *client_proto_name = NULL((void*)0);
8013
8014 /* ProtocolName protocol_name_list<2..2^16-1> */
8015 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &alpn_length,
8016 hf->hf.hs_ext_alpn_len, 2, UINT16_MAX(65535))) {
8017 return offset_end;
8018 }
8019 offset += 2;
8020 next_offset = offset + alpn_length;
8021
8022 ti = proto_tree_add_item(tree, hf->hf.hs_ext_alpn_list,
8023 tvb, offset, alpn_length, ENC_NA0x00000000);
8024 alpn_tree = proto_item_add_subtree(ti, hf->ett.hs_ext_alpn);
8025
8026 /* Parse list (note missing check for end of vector, ssl_add_vector below
8027 * ensures that data is always available.) */
8028 while (offset < next_offset) {
8029 /* opaque ProtocolName<1..2^8-1> */
8030 if (!ssl_add_vector(hf, tvb, pinfo, alpn_tree, offset, next_offset, &name_length,
8031 hf->hf.hs_ext_alpn_str_len, 1, UINT8_MAX(255))) {
8032 return next_offset;
8033 }
8034 offset++;
8035
8036 proto_tree_add_item(alpn_tree, hf->hf.hs_ext_alpn_str,
8037 tvb, offset, name_length, ENC_ASCII0x00000000|ENC_NA0x00000000);
8038 if (ja4_data && wmem_strbuf_get_len(ja4_data->alpn) == 0) {
8039 const char alpn_first_char = (char)tvb_get_uint8(tvb,offset);
8040 const char alpn_last_char = (char)tvb_get_uint8(tvb,offset + name_length - 1);
8041 if ((g_ascii_isalnum(alpn_first_char)((g_ascii_table[(guchar) (alpn_first_char)] & G_ASCII_ALNUM
) != 0)
) && g_ascii_isalnum(alpn_last_char)((g_ascii_table[(guchar) (alpn_last_char)] & G_ASCII_ALNUM
) != 0)
) {
8042 wmem_strbuf_append_printf(ja4_data->alpn, "%c%c", alpn_first_char, alpn_last_char);
8043 }
8044 else {
8045 wmem_strbuf_append_printf(ja4_data->alpn, "%x%x",(alpn_first_char >> 4) & 0x0F,
8046 alpn_last_char & 0x0F);
8047 }
8048 }
8049 /* Remember first ALPN ProtocolName entry for server. */
8050 if (hnd_type == SSL_HND_SERVER_HELLO || hnd_type == SSL_HND_ENCRYPTED_EXTENSIONS) {
8051 /* '\0'-terminated string for dissector table match and prefix
8052 * comparison purposes. */
8053 proto_name = (char*)tvb_get_string_enc(pinfo->pool, tvb, offset,
8054 name_length, ENC_ASCII0x00000000);
8055 } else if (hnd_type == SSL_HND_CLIENT_HELLO) {
8056 client_proto_name = (char*)tvb_get_string_enc(pinfo->pool, tvb, offset,
8057 name_length, ENC_ASCII0x00000000);
8058 }
8059 offset += name_length;
8060 }
8061
8062 /* If ALPN is given in ServerHello, then ProtocolNameList MUST contain
8063 * exactly one "ProtocolName". */
8064 if (proto_name) {
8065 dissector_handle_t handle;
8066
8067 session->alpn_name = wmem_strdup(wmem_file_scope(), proto_name);
8068
8069 if (is_dtls) {
8070 handle = dissector_get_string_handle(dtls_alpn_dissector_table,
8071 proto_name);
8072 } else {
8073 handle = dissector_get_string_handle(ssl_alpn_dissector_table,
8074 proto_name);
8075 if (handle == NULL((void*)0)) {
8076 /* Try prefix matching */
8077 for (size_t i = 0; i < G_N_ELEMENTS(ssl_alpn_prefix_match_protocols)(sizeof (ssl_alpn_prefix_match_protocols) / sizeof ((ssl_alpn_prefix_match_protocols
)[0]))
; i++) {
8078 const ssl_alpn_prefix_match_protocol_t *alpn_proto = &ssl_alpn_prefix_match_protocols[i];
8079
8080 /* string_string is inappropriate as it compares strings
8081 * while "byte strings MUST NOT be truncated" (RFC 7301) */
8082 if (g_str_has_prefix(proto_name, alpn_proto->proto_prefix)(__builtin_constant_p (alpn_proto->proto_prefix)? __extension__
({ const char * const __str = (proto_name); const char * const
__prefix = (alpn_proto->proto_prefix); gboolean __result =
(0); if (__str == ((void*)0) || __prefix == ((void*)0)) __result
= (g_str_has_prefix) (__str, __prefix); else { const size_t __str_len
= strlen (((__str) + !(__str))); const size_t __prefix_len =
strlen (((__prefix) + !(__prefix))); if (__str_len >= __prefix_len
) __result = memcmp (((__str) + !(__str)), ((__prefix) + !(__prefix
)), __prefix_len) == 0; } __result; }) : (g_str_has_prefix) (
proto_name, alpn_proto->proto_prefix) )
) {
8083 handle = find_dissector(alpn_proto->dissector_name);
8084 break;
8085 }
8086 }
8087 }
8088 }
8089 if (handle != NULL((void*)0)) {
8090 /* ProtocolName match, so set the App data dissector handle.
8091 * This may override protocols given via the UAT dialog, but
8092 * since the ALPN hint is precise, do it anyway. */
8093 ssl_debug_printf("%s: changing handle %p to %p (%s)", G_STRFUNC((const char*) (__func__)),
8094 (void *)session->app_handle,
8095 (void *)handle,
8096 dissector_handle_get_dissector_name(handle));
8097 session->app_handle = handle;
8098 }
8099 } else if (client_proto_name) {
8100 // No current use for looking up the handle as the only consumer of this API is currently the QUIC dissector
8101 // and it just needs the string since there are/were various HTTP/3 ALPNs to check for.
8102 session->client_alpn_name = wmem_strdup(wmem_file_scope(), client_proto_name);
8103 }
8104
8105 return offset;
8106}
8107
8108static int
8109ssl_dissect_hnd_hello_ext_npn(ssl_common_dissect_t *hf, tvbuff_t *tvb,
8110 packet_info *pinfo, proto_tree *tree,
8111 uint32_t offset, uint32_t offset_end)
8112{
8113 /* https://tools.ietf.org/html/draft-agl-tls-nextprotoneg-04#page-3
8114 * The "extension_data" field of a "next_protocol_negotiation" extension
8115 * in a "ServerHello" contains an optional list of protocols advertised
8116 * by the server. Protocols are named by opaque, non-empty byte strings
8117 * and the list of protocols is serialized as a concatenation of 8-bit,
8118 * length prefixed byte strings. Implementations MUST ensure that the
8119 * empty string is not included and that no byte strings are truncated.
8120 */
8121 uint32_t npn_length;
8122 proto_tree *npn_tree;
8123
8124 /* List is optional, do not add tree if there are no entries. */
8125 if (offset == offset_end) {
8126 return offset;
8127 }
8128
8129 npn_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset, hf->ett.hs_ext_npn, NULL((void*)0), "Next Protocol Negotiation");
8130
8131 while (offset < offset_end) {
8132 /* non-empty, 8-bit length prefixed strings means range 1..255 */
8133 if (!ssl_add_vector(hf, tvb, pinfo, npn_tree, offset, offset_end, &npn_length,
8134 hf->hf.hs_ext_npn_str_len, 1, UINT8_MAX(255))) {
8135 return offset_end;
8136 }
8137 offset++;
8138
8139 proto_tree_add_item(npn_tree, hf->hf.hs_ext_npn_str,
8140 tvb, offset, npn_length, ENC_ASCII0x00000000|ENC_NA0x00000000);
8141 offset += npn_length;
8142 }
8143
8144 return offset;
8145}
8146
8147static int
8148ssl_dissect_hnd_hello_ext_reneg_info(ssl_common_dissect_t *hf, tvbuff_t *tvb,
8149 packet_info *pinfo, proto_tree *tree,
8150 uint32_t offset, uint32_t offset_end)
8151{
8152 /* https://tools.ietf.org/html/rfc5746#section-3.2
8153 * struct {
8154 * opaque renegotiated_connection<0..255>;
8155 * } RenegotiationInfo;
8156 *
8157 */
8158 proto_tree *reneg_info_tree;
8159 uint32_t reneg_info_length;
8160
8161 reneg_info_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset, hf->ett.hs_ext_reneg_info, NULL((void*)0), "Renegotiation Info extension");
8162
8163 /* opaque renegotiated_connection<0..255> */
8164 if (!ssl_add_vector(hf, tvb, pinfo, reneg_info_tree, offset, offset_end, &reneg_info_length,
8165 hf->hf.hs_ext_reneg_info_len, 0, 255)) {
8166 return offset_end;
8167 }
8168 offset++;
8169
8170 if (reneg_info_length > 0) {
8171 proto_tree_add_item(reneg_info_tree, hf->hf.hs_ext_reneg_info, tvb, offset, reneg_info_length, ENC_NA0x00000000);
8172 offset += reneg_info_length;
8173 }
8174
8175 return offset;
8176}
8177
8178static int
8179ssl_dissect_hnd_hello_ext_key_share_entry(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8180 proto_tree *tree, uint32_t offset, uint32_t offset_end,
8181 const char **group_name_out)
8182{
8183 /* RFC 8446 Section 4.2.8
8184 * struct {
8185 * NamedGroup group;
8186 * opaque key_exchange<1..2^16-1>;
8187 * } KeyShareEntry;
8188 */
8189 uint32_t key_exchange_length, group;
8190 proto_tree *ks_tree;
8191
8192 ks_tree = proto_tree_add_subtree(tree, tvb, offset, 4, hf->ett.hs_ext_key_share_ks, NULL((void*)0), "Key Share Entry");
8193
8194 proto_tree_add_item_ret_uint(ks_tree, hf->hf.hs_ext_key_share_group, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &group);
8195 offset += 2;
8196 const char *group_name = val_to_str(pinfo->pool, group, ssl_extension_curves, "Unknown (%u)");
8197 proto_item_append_text(ks_tree, ": Group: %s", group_name);
8198 if (group_name_out) {
8199 *group_name_out = !IS_GREASE_TLS(group)((((group) & 0x0f0f) == 0x0a0a) && (((group) &
0xff) == (((group)>>8) & 0xff)))
? group_name : NULL((void*)0);
8200 }
8201
8202 /* opaque key_exchange<1..2^16-1> */
8203 if (!ssl_add_vector(hf, tvb, pinfo, ks_tree, offset, offset_end, &key_exchange_length,
8204 hf->hf.hs_ext_key_share_key_exchange_length, 1, UINT16_MAX(65535))) {
8205 return offset_end; /* Bad (possible truncated) length, skip to end of KeyShare extension. */
8206 }
8207 offset += 2;
8208 proto_item_set_len(ks_tree, 2 + 2 + key_exchange_length);
8209 proto_item_append_text(ks_tree, ", Key Exchange length: %u", key_exchange_length);
8210
8211 proto_tree_add_item(ks_tree, hf->hf.hs_ext_key_share_key_exchange, tvb, offset, key_exchange_length, ENC_NA0x00000000);
8212 offset += key_exchange_length;
8213
8214 return offset;
8215}
8216
8217static int
8218ssl_dissect_hnd_hello_ext_key_share(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8219 proto_tree *tree, uint32_t offset, uint32_t offset_end,
8220 uint8_t hnd_type, SslDecryptSession *ssl)
8221{
8222 proto_tree *key_share_tree;
8223 uint32_t next_offset;
8224 uint32_t client_shares_length;
8225 uint32_t group;
8226 const char *group_name = NULL((void*)0);
8227
8228 if (offset_end <= offset) { /* Check if ext_len == 0 and "overflow" (offset + ext_len) > uint32_t) */
8229 return offset;
8230 }
8231
8232 key_share_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset, hf->ett.hs_ext_key_share, NULL((void*)0), "Key Share extension");
8233
8234 switch(hnd_type){
8235 case SSL_HND_CLIENT_HELLO:
8236 /* KeyShareEntry client_shares<0..2^16-1> */
8237 if (!ssl_add_vector(hf, tvb, pinfo, key_share_tree, offset, offset_end, &client_shares_length,
8238 hf->hf.hs_ext_key_share_client_length, 0, UINT16_MAX(65535))) {
8239 return offset_end;
8240 }
8241 offset += 2;
8242 next_offset = offset + client_shares_length;
8243 const char *sep = " ";
8244 while (offset + 4 <= next_offset) { /* (NamedGroup (2 bytes), key_exchange (1 byte for length, 1 byte minimum data) */
8245 offset = ssl_dissect_hnd_hello_ext_key_share_entry(hf, tvb, pinfo, key_share_tree, offset, next_offset, &group_name);
8246 if (group_name) {
8247 proto_item_append_text(tree, "%s%s", sep, group_name);
8248 sep = ", ";
8249 }
8250 }
8251 if (!ssl_end_vector(hf, tvb, pinfo, key_share_tree, offset, next_offset)) {
8252 return next_offset;
8253 }
8254 break;
8255 case SSL_HND_SERVER_HELLO:
8256 if (ssl) {
8257 ssl->has_key_share = true1;
8258 }
8259 offset = ssl_dissect_hnd_hello_ext_key_share_entry(hf, tvb, pinfo, key_share_tree, offset, offset_end, &group_name);
8260 if (group_name) {
8261 proto_item_append_text(tree, " %s", group_name);
8262 }
8263 break;
8264 case SSL_HND_HELLO_RETRY_REQUEST:
8265 proto_tree_add_item_ret_uint(key_share_tree, hf->hf.hs_ext_key_share_selected_group, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &group);
8266 offset += 2;
8267 group_name = val_to_str(pinfo->pool, group, ssl_extension_curves, "Unknown (%u)");
8268 proto_item_append_text(tree, " %s", group_name);
8269 break;
8270 default: /* no default */
8271 break;
8272 }
8273
8274 return offset;
8275}
8276
8277static int
8278ssl_dissect_hnd_hello_ext_pre_shared_key(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8279 proto_tree *tree, uint32_t offset, uint32_t offset_end,
8280 uint8_t hnd_type, SslDecryptSession *ssl)
8281{
8282 /* RFC 8446 Section 4.2.11
8283 * struct {
8284 * opaque identity<1..2^16-1>;
8285 * uint32 obfuscated_ticket_age;
8286 * } PskIdentity;
8287 * opaque PskBinderEntry<32..255>;
8288 * struct {
8289 * select (Handshake.msg_type) {
8290 * case client_hello:
8291 * PskIdentity identities<7..2^16-1>;
8292 * PskBinderEntry binders<33..2^16-1>;
8293 * case server_hello:
8294 * uint16 selected_identity;
8295 * };
8296 * } PreSharedKeyExtension;
8297 */
8298
8299 proto_tree *psk_tree;
8300
8301 psk_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset, hf->ett.hs_ext_pre_shared_key, NULL((void*)0), "Pre-Shared Key extension");
8302
8303 switch (hnd_type){
8304 case SSL_HND_CLIENT_HELLO: {
8305 uint32_t identities_length, identities_end, binders_length;
8306
8307 /* PskIdentity identities<7..2^16-1> */
8308 if (!ssl_add_vector(hf, tvb, pinfo, psk_tree, offset, offset_end, &identities_length,
8309 hf->hf.hs_ext_psk_identities_length, 7, UINT16_MAX(65535))) {
8310 return offset_end;
8311 }
8312 offset += 2;
8313 identities_end = offset + identities_length;
8314
8315 while (offset < identities_end) {
8316 uint32_t identity_length;
8317 proto_tree *identity_tree;
8318
8319 identity_tree = proto_tree_add_subtree(psk_tree, tvb, offset, 4, hf->ett.hs_ext_psk_identity, NULL((void*)0), "PSK Identity (");
8320
8321 /* opaque identity<1..2^16-1> */
8322 if (!ssl_add_vector(hf, tvb, pinfo, identity_tree, offset, identities_end, &identity_length,
8323 hf->hf.hs_ext_psk_identity_identity_length, 1, UINT16_MAX(65535))) {
8324 return identities_end;
8325 }
8326 offset += 2;
8327 proto_item_append_text(identity_tree, "length: %u)", identity_length);
8328
8329 proto_tree_add_item(identity_tree, hf->hf.hs_ext_psk_identity_identity, tvb, offset, identity_length, ENC_BIG_ENDIAN0x00000000);
8330 offset += identity_length;
8331
8332 proto_tree_add_item(identity_tree, hf->hf.hs_ext_psk_identity_obfuscated_ticket_age, tvb, offset, 4, ENC_BIG_ENDIAN0x00000000);
8333 offset += 4;
8334
8335 proto_item_set_len(identity_tree, 2 + identity_length + 4);
8336 }
8337 if (!ssl_end_vector(hf, tvb, pinfo, psk_tree, offset, identities_end)) {
8338 offset = identities_end;
8339 }
8340
8341 /* PskBinderEntry binders<33..2^16-1> */
8342 if (!ssl_add_vector(hf, tvb, pinfo, psk_tree, offset, offset_end, &binders_length,
8343 hf->hf.hs_ext_psk_binders_length, 33, UINT16_MAX(65535))) {
8344 return offset_end;
8345 }
8346 offset += 2;
8347
8348 proto_item *binders_item;
8349 proto_tree *binders_tree;
8350 binders_item = proto_tree_add_item(psk_tree, hf->hf.hs_ext_psk_binders, tvb, offset, binders_length, ENC_NA0x00000000);
8351 binders_tree = proto_item_add_subtree(binders_item, hf->ett.hs_ext_psk_binders);
8352 uint32_t binders_end = offset + binders_length;
8353 while (offset < binders_end) {
8354 uint32_t binder_length;
8355 proto_item *binder_item;
8356 proto_tree *binder_tree;
8357
8358 binder_item = proto_tree_add_item(binders_tree, hf->hf.hs_ext_psk_binder, tvb, offset, 1, ENC_NA0x00000000);
8359 binder_tree = proto_item_add_subtree(binder_item, hf->ett.hs_ext_psk_binder);
8360
8361 /* opaque PskBinderEntry<32..255>; */
8362 if (!ssl_add_vector(hf, tvb, pinfo, binder_tree, offset, binders_end, &binder_length,
8363 hf->hf.hs_ext_psk_binder_binder_length, 32, 255)) {
8364 return binders_end;
8365 }
8366 offset += 1;
8367 proto_item_append_text(binder_tree, " (length: %u)", binder_length);
8368
8369 proto_tree_add_item(binder_tree, hf->hf.hs_ext_psk_binder_binder, tvb, offset, binder_length, ENC_BIG_ENDIAN0x00000000);
8370 offset += binder_length;
8371
8372 proto_item_set_end(binder_item, tvb, offset);
8373 }
8374 }
8375 break;
8376 case SSL_HND_SERVER_HELLO: {
8377 if (ssl) {
8378 ssl_debug_printf("%s found pre_shared_key extension\n", G_STRFUNC((const char*) (__func__)));
8379 ssl->has_psk = true1;
8380 }
8381 proto_tree_add_item(psk_tree, hf->hf.hs_ext_psk_identity_selected, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
8382 offset += 2;
8383 }
8384 break;
8385 default:
8386 break;
8387 }
8388
8389 return offset;
8390}
8391
8392static uint32_t
8393ssl_dissect_hnd_hello_ext_early_data(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo _U___attribute__((unused)),
8394 proto_tree *tree, uint32_t offset, uint32_t offset_end _U___attribute__((unused)),
8395 uint8_t hnd_type, SslDecryptSession *ssl)
8396{
8397 /* RFC 8446 Section 4.2.10
8398 * struct {} Empty;
8399 * struct {
8400 * select (Handshake.msg_type) {
8401 * case new_session_ticket: uint32 max_early_data_size;
8402 * case client_hello: Empty;
8403 * case encrypted_extensions: Empty;
8404 * };
8405 * } EarlyDataIndication;
8406 */
8407 switch (hnd_type) {
8408 case SSL_HND_CLIENT_HELLO:
8409 /* Remember that early_data will follow the handshake. */
8410 if (ssl) {
8411 ssl_debug_printf("%s found early_data extension\n", G_STRFUNC((const char*) (__func__)));
8412 ssl->has_early_data = true1;
8413 }
8414 break;
8415 case SSL_HND_NEWSESSION_TICKET:
8416 proto_tree_add_item(tree, hf->hf.hs_ext_max_early_data_size, tvb, offset, 4, ENC_BIG_ENDIAN0x00000000);
8417 offset += 4;
8418 break;
8419 default:
8420 break;
8421 }
8422 return offset;
8423}
8424
8425static uint16_t
8426tls_try_get_version(bool_Bool is_dtls, uint16_t version, uint8_t *draft_version)
8427{
8428 if (draft_version) {
8429 *draft_version = 0;
8430 }
8431 if (!is_dtls) {
8432 uint8_t tls13_draft = extract_tls13_draft_version(version);
8433 if (tls13_draft != 0) {
8434 /* This is TLS 1.3 (a draft version). */
8435 if (draft_version) {
8436 *draft_version = tls13_draft;
8437 }
8438 version = TLSV1DOT3_VERSION0x304;
8439 }
8440 if (version == 0xfb17 || version == 0xfb1a) {
8441 /* Unofficial TLS 1.3 draft version for Facebook fizz. */
8442 tls13_draft = (uint8_t)version;
8443 if (draft_version) {
8444 *draft_version = tls13_draft;
8445 }
8446 version = TLSV1DOT3_VERSION0x304;
8447 }
8448 }
8449
8450 switch (version) {
8451 case SSLV3_VERSION0x300:
8452 case TLSV1_VERSION0x301:
8453 case TLSV1DOT1_VERSION0x302:
8454 case TLSV1DOT2_VERSION0x303:
8455 case TLSV1DOT3_VERSION0x304:
8456 case TLCPV1_VERSION0x101:
8457 if (is_dtls)
8458 return SSL_VER_UNKNOWN0;
8459 break;
8460
8461 case DTLSV1DOT0_VERSION0xfeff:
8462 case DTLSV1DOT0_OPENSSL_VERSION0x100:
8463 case DTLSV1DOT2_VERSION0xfefd:
8464 case DTLSV1DOT3_VERSION0xfefc:
8465 if (!is_dtls)
8466 return SSL_VER_UNKNOWN0;
8467 break;
8468
8469 default: /* invalid version number */
8470 return SSL_VER_UNKNOWN0;
8471 }
8472
8473 return version;
8474}
8475
8476static int
8477ssl_dissect_hnd_hello_ext_supported_versions(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8478 proto_tree *tree, uint32_t offset, uint32_t offset_end,
8479 SslSession *session, bool_Bool is_dtls, ja4_data_t *ja4_data)
8480{
8481
8482 /* RFC 8446 Section 4.2.1
8483 * struct {
8484 * ProtocolVersion versions<2..254>; // ClientHello
8485 * } SupportedVersions;
8486 * Note that ServerHello and HelloRetryRequest are handled by the caller.
8487 */
8488 uint32_t versions_length, next_offset;
8489 /* ProtocolVersion versions<2..254> */
8490 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &versions_length,
8491 hf->hf.hs_ext_supported_versions_len, 2, 254)) {
8492 return offset_end;
8493 }
8494 offset++;
8495 next_offset = offset + versions_length;
8496
8497 unsigned version;
8498 unsigned current_version, lowest_version = SSL_VER_UNKNOWN0;
8499 uint8_t draft_version, max_draft_version = 0;
8500 const char *sep = " ";
8501 while (offset + 2 <= next_offset) {
8502 proto_tree_add_item_ret_uint(tree, hf->hf.hs_ext_supported_version, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &version);
8503 offset += 2;
8504
8505 if (!IS_GREASE_TLS(version)((((version) & 0x0f0f) == 0x0a0a) && (((version) &
0xff) == (((version)>>8) & 0xff)))
) {
8506 proto_item_append_text(tree, "%s%s", sep, val_to_str(pinfo->pool, version, ssl_versions, "Unknown (0x%04x)"));
8507 sep = ", ";
8508 }
8509
8510 current_version = tls_try_get_version(is_dtls, version, &draft_version);
8511 if (session->version == SSL_VER_UNKNOWN0) {
8512 if (lowest_version == SSL_VER_UNKNOWN0) {
8513 lowest_version = current_version;
8514 } else if (current_version != SSL_VER_UNKNOWN0) {
8515 if (!is_dtls) {
8516 lowest_version = MIN(lowest_version, current_version)(((lowest_version) < (current_version)) ? (lowest_version)
: (current_version))
;
8517 } else {
8518 lowest_version = MAX(lowest_version, current_version)(((lowest_version) > (current_version)) ? (lowest_version)
: (current_version))
;
8519 }
8520 }
8521 }
8522 max_draft_version = MAX(draft_version, max_draft_version)(((draft_version) > (max_draft_version)) ? (draft_version)
: (max_draft_version))
;
8523 if (ja4_data && !IS_GREASE_TLS(version)((((version) & 0x0f0f) == 0x0a0a) && (((version) &
0xff) == (((version)>>8) & 0xff)))
) {
8524 /* The DTLS version numbers get mapped to "00" for unknown per
8525 * JA4 spec, but if JA4 ever does support DTLS we'll probably
8526 * need to take the MIN instead of MAX here for DTLS.
8527 */
8528 ja4_data->max_version = MAX(version, ja4_data->max_version)(((version) > (ja4_data->max_version)) ? (version) : (ja4_data
->max_version))
;
8529 }
8530 }
8531 if (session->version == SSL_VER_UNKNOWN0 && lowest_version != SSL_VER_UNKNOWN0) {
8532 col_set_str(pinfo->cinfo, COL_PROTOCOL,
8533 val_to_str_const(version, ssl_version_short_names, is_dtls ? "DTLS" : "TLS"));
8534 }
8535 if (!ssl_end_vector(hf, tvb, pinfo, tree, offset, next_offset)) {
8536 offset = next_offset;
8537 }
8538
8539 /* XXX remove this when draft 19 support is dropped,
8540 * this is only required for early data decryption. */
8541 if (max_draft_version) {
8542 session->tls13_draft_version = max_draft_version;
8543 }
8544
8545 return offset;
8546}
8547
8548static int
8549ssl_dissect_hnd_hello_ext_cookie(ssl_common_dissect_t *hf, tvbuff_t *tvb,
8550 packet_info *pinfo, proto_tree *tree,
8551 uint32_t offset, uint32_t offset_end)
8552{
8553 /* RFC 8446 Section 4.2.2
8554 * struct {
8555 * opaque cookie<1..2^16-1>;
8556 * } Cookie;
8557 */
8558 uint32_t cookie_length;
8559 /* opaque cookie<1..2^16-1> */
8560 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &cookie_length,
8561 hf->hf.hs_ext_cookie_len, 1, UINT16_MAX(65535))) {
8562 return offset_end;
8563 }
8564 offset += 2;
8565
8566 proto_tree_add_item(tree, hf->hf.hs_ext_cookie, tvb, offset, cookie_length, ENC_NA0x00000000);
8567 offset += cookie_length;
8568
8569 return offset;
8570}
8571
8572static int
8573ssl_dissect_hnd_hello_ext_psk_key_exchange_modes(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8574 proto_tree *tree, uint32_t offset, uint32_t offset_end)
8575{
8576 /* RFC 8446 Section 4.2.9
8577 * enum { psk_ke(0), psk_dhe_ke(1), (255) } PskKeyExchangeMode;
8578 *
8579 * struct {
8580 * PskKeyExchangeMode ke_modes<1..255>;
8581 * } PskKeyExchangeModes;
8582 */
8583 uint32_t ke_modes_length, next_offset;
8584
8585 /* PskKeyExchangeMode ke_modes<1..255> */
8586 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &ke_modes_length,
8587 hf->hf.hs_ext_psk_ke_modes_length, 1, 255)) {
8588 return offset_end;
8589 }
8590 offset++;
8591 next_offset = offset + ke_modes_length;
8592
8593 while (offset < next_offset) {
8594 proto_tree_add_item(tree, hf->hf.hs_ext_psk_ke_mode, tvb, offset, 1, ENC_NA0x00000000);
8595 offset++;
8596 }
8597
8598 return offset;
8599}
8600
8601static uint32_t
8602ssl_dissect_hnd_hello_ext_certificate_authorities(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8603 proto_tree *tree, uint32_t offset, uint32_t offset_end)
8604{
8605 /* RFC 8446 Section 4.2.4
8606 * opaque DistinguishedName<1..2^16-1>;
8607 * struct {
8608 * DistinguishedName authorities<3..2^16-1>;
8609 * } CertificateAuthoritiesExtension;
8610 */
8611 return tls_dissect_certificate_authorities(hf, tvb, pinfo, tree, offset, offset_end);
8612}
8613
8614static int
8615ssl_dissect_hnd_hello_ext_oid_filters(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8616 proto_tree *tree, uint32_t offset, uint32_t offset_end)
8617{
8618 /* RFC 8446 Section 4.2.5
8619 * struct {
8620 * opaque certificate_extension_oid<1..2^8-1>;
8621 * opaque certificate_extension_values<0..2^16-1>;
8622 * } OIDFilter;
8623 * struct {
8624 * OIDFilter filters<0..2^16-1>;
8625 * } OIDFilterExtension;
8626 */
8627 proto_tree *subtree;
8628 uint32_t filters_length, oid_length, values_length, value_offset;
8629 asn1_ctx_t asn1_ctx;
8630 const char *oid, *name;
8631
8632 /* OIDFilter filters<0..2^16-1> */
8633 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &filters_length,
8634 hf->hf.hs_ext_psk_ke_modes_length, 0, UINT16_MAX(65535))) {
8635 return offset_end;
8636 }
8637 offset += 2;
8638 offset_end = offset + filters_length;
8639
8640 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true1, pinfo);
8641
8642 while (offset < offset_end) {
8643 subtree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
8644 hf->ett.hs_ext_oid_filter, NULL((void*)0), "OID Filter");
8645
8646 /* opaque certificate_extension_oid<1..2^8-1> */
8647 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, offset_end, &oid_length,
8648 hf->hf.hs_ext_oid_filters_oid_length, 1, UINT8_MAX(255))) {
8649 return offset_end;
8650 }
8651 offset++;
8652 dissect_ber_object_identifier_str(false0, &asn1_ctx, subtree, tvb, offset,
8653 hf->hf.hs_ext_oid_filters_oid, &oid);
8654 offset += oid_length;
8655
8656 /* Append OID to tree label */
8657 name = oid_resolved_from_string(pinfo->pool, oid);
8658 proto_item_append_text(subtree, " (%s)", name ? name : oid);
8659
8660 /* opaque certificate_extension_values<0..2^16-1> */
8661 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, offset_end, &values_length,
8662 hf->hf.hs_ext_oid_filters_values_length, 0, UINT16_MAX(65535))) {
8663 return offset_end;
8664 }
8665 offset += 2;
8666 proto_item_set_len(subtree, 1 + oid_length + 2 + values_length);
8667 if (values_length > 0) {
8668 value_offset = offset;
8669 value_offset = dissect_ber_identifier(pinfo, subtree, tvb, value_offset, NULL((void*)0), NULL((void*)0), NULL((void*)0));
8670 value_offset = dissect_ber_length(pinfo, subtree, tvb, value_offset, NULL((void*)0), NULL((void*)0));
8671 call_ber_oid_callback(oid, tvb, value_offset, pinfo, subtree, NULL((void*)0));
8672 }
8673 offset += values_length;
8674 }
8675
8676 return offset;
8677}
8678
8679static int
8680ssl_dissect_hnd_hello_ext_server_name(ssl_common_dissect_t *hf, tvbuff_t *tvb,
8681 packet_info *pinfo, proto_tree *tree,
8682 uint32_t offset, uint32_t offset_end)
8683{
8684 /* https://tools.ietf.org/html/rfc6066#section-3
8685 *
8686 * struct {
8687 * NameType name_type;
8688 * select (name_type) {
8689 * case host_name: HostName;
8690 * } name;
8691 * } ServerName;
8692 *
8693 * enum {
8694 * host_name(0), (255)
8695 * } NameType;
8696 *
8697 * opaque HostName<1..2^16-1>;
8698 *
8699 * struct {
8700 * ServerName server_name_list<1..2^16-1>
8701 * } ServerNameList;
8702 */
8703 proto_tree *server_name_tree;
8704 uint32_t list_length, server_name_length, next_offset;
8705
8706 /* The server SHALL include "server_name" extension with empty data. */
8707 if (offset == offset_end) {
8708 return offset;
8709 }
8710
8711 server_name_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset, hf->ett.hs_ext_server_name, NULL((void*)0), "Server Name Indication extension");
8712
8713 /* ServerName server_name_list<1..2^16-1> */
8714 if (!ssl_add_vector(hf, tvb, pinfo, server_name_tree, offset, offset_end, &list_length,
8715 hf->hf.hs_ext_server_name_list_len, 1, UINT16_MAX(65535))) {
8716 return offset_end;
8717 }
8718 offset += 2;
8719 next_offset = offset + list_length;
8720
8721 while (offset < next_offset) {
8722 uint32_t name_type;
8723 const char *server_name = NULL((void*)0);
8724 proto_tree_add_item_ret_uint(server_name_tree, hf->hf.hs_ext_server_name_type,
8725 tvb, offset, 1, ENC_NA0x00000000, &name_type);
8726 offset++;
8727
8728 /* opaque HostName<1..2^16-1> */
8729 if (!ssl_add_vector(hf, tvb, pinfo, server_name_tree, offset, next_offset, &server_name_length,
8730 hf->hf.hs_ext_server_name_len, 1, UINT16_MAX(65535))) {
8731 return next_offset;
8732 }
8733 offset += 2;
8734
8735 proto_tree_add_item_ret_string(server_name_tree, hf->hf.hs_ext_server_name,
8736 tvb, offset, server_name_length, ENC_ASCII0x00000000|ENC_NA0x00000000,
8737 pinfo->pool, (const uint8_t**)&server_name);
8738 offset += server_name_length;
8739 // Each type must only occur once, so we don't check for duplicates.
8740 if (name_type == 0) {
8741 proto_item_append_text(tree, " name=%s", server_name);
8742 col_append_fstr(pinfo->cinfo, COL_INFO, " (SNI=%s)", server_name);
8743
8744 if (gbl_resolv_flags.handshake_sni_addr_resolution) {
8745 // Client Hello: Client (Src) -> Server (Dst)
8746 switch (pinfo->dst.type) {
8747 case AT_IPv4:
8748 if (pinfo->dst.len == sizeof(uint32_t)) {
8749 add_ipv4_name(*(uint32_t *)pinfo->dst.data, server_name, false0);
8750 }
8751 break;
8752 case AT_IPv6:
8753 if (pinfo->dst.len == sizeof(ws_in6_addr)) {
8754 add_ipv6_name(pinfo->dst.data, server_name, false0);
8755 }
8756 break;
8757 }
8758 }
8759 }
8760 }
8761 return offset;
8762}
8763
8764static int
8765ssl_dissect_hnd_hello_ext_session_ticket(ssl_common_dissect_t *hf, tvbuff_t *tvb,
8766 proto_tree *tree, uint32_t offset, uint32_t offset_end, uint8_t hnd_type, SslDecryptSession *ssl)
8767{
8768 unsigned ext_len = offset_end - offset;
8769 if (hnd_type == SSL_HND_CLIENT_HELLO && ssl && ext_len != 0) {
8770 tvb_ensure_bytes_exist(tvb, offset, ext_len);
8771 /* Save the Session Ticket such that it can be used as identifier for
8772 * restoring a previous Master Secret (in ChangeCipherSpec) */
8773 ssl->session_ticket.data = (unsigned char*)wmem_realloc(wmem_file_scope(),
8774 ssl->session_ticket.data, ext_len);
8775 ssl->session_ticket.data_len = ext_len;
8776 tvb_memcpy(tvb,ssl->session_ticket.data, offset, ext_len);
8777 }
8778 proto_tree_add_item(tree, hf->hf.hs_ext_session_ticket,
8779 tvb, offset, ext_len, ENC_NA0x00000000);
8780 return offset + ext_len;
8781}
8782
8783static int
8784ssl_dissect_hnd_hello_ext_cert_type(ssl_common_dissect_t *hf, tvbuff_t *tvb,
8785 proto_tree *tree, uint32_t offset, uint32_t offset_end,
8786 uint8_t hnd_type, uint16_t ext_type, SslSession *session)
8787{
8788 uint8_t cert_list_length;
8789 uint8_t cert_type;
8790 proto_tree *cert_list_tree;
8791 proto_item *ti;
8792
8793 switch(hnd_type){
8794 case SSL_HND_CLIENT_HELLO:
8795 cert_list_length = tvb_get_uint8(tvb, offset);
8796 proto_tree_add_item(tree, hf->hf.hs_ext_cert_types_len,
8797 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
8798 offset += 1;
8799 if (offset_end - offset != (uint32_t)cert_list_length)
8800 return offset;
8801
8802 ti = proto_tree_add_item(tree, hf->hf.hs_ext_cert_types, tvb, offset,
8803 cert_list_length, cert_list_length);
8804 proto_item_append_text(ti, " (%d)", cert_list_length);
8805
8806 /* make this a subtree */
8807 cert_list_tree = proto_item_add_subtree(ti, hf->ett.hs_ext_cert_types);
8808
8809 /* loop over all point formats */
8810 while (cert_list_length > 0)
8811 {
8812 proto_tree_add_item(cert_list_tree, hf->hf.hs_ext_cert_type, tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
8813 offset++;
8814 cert_list_length--;
8815 }
8816 break;
8817 case SSL_HND_SERVER_HELLO:
8818 case SSL_HND_ENCRYPTED_EXTENSIONS:
8819 case SSL_HND_CERTIFICATE:
8820 cert_type = tvb_get_uint8(tvb, offset);
8821 proto_tree_add_item(tree, hf->hf.hs_ext_cert_type, tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
8822 offset += 1;
8823 if (ext_type == SSL_HND_HELLO_EXT_CERT_TYPE9 || ext_type == SSL_HND_HELLO_EXT_CLIENT_CERT_TYPE19) {
8824 session->client_cert_type = cert_type;
8825 }
8826 if (ext_type == SSL_HND_HELLO_EXT_CERT_TYPE9 || ext_type == SSL_HND_HELLO_EXT_SERVER_CERT_TYPE20) {
8827 session->server_cert_type = cert_type;
8828 }
8829 break;
8830 default: /* no default */
8831 break;
8832 }
8833
8834 return offset;
8835}
8836
8837static uint32_t
8838ssl_dissect_hnd_hello_ext_compress_certificate(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8839 proto_tree *tree, uint32_t offset, uint32_t offset_end,
8840 uint8_t hnd_type, SslDecryptSession *ssl _U___attribute__((unused)))
8841{
8842 uint32_t compress_certificate_algorithms_length, next_offset;
8843
8844 /* https://tools.ietf.org/html/draft-ietf-tls-certificate-compression-03#section-3.0
8845 * enum {
8846 * zlib(1),
8847 * brotli(2),
8848 * (65535)
8849 * } CertificateCompressionAlgorithm;
8850 *
8851 * struct {
8852 * CertificateCompressionAlgorithm algorithms<1..2^8-1>;
8853 * } CertificateCompressionAlgorithms;
8854 */
8855 switch (hnd_type) {
8856 case SSL_HND_CLIENT_HELLO:
8857 case SSL_HND_CERT_REQUEST:
8858 /* CertificateCompressionAlgorithm algorithms<1..2^8-1>;*/
8859 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &compress_certificate_algorithms_length,
8860 hf->hf.hs_ext_compress_certificate_algorithms_length, 1, UINT8_MAX(255)-1)) {
8861 return offset_end;
8862 }
8863 offset += 1;
8864 next_offset = offset + compress_certificate_algorithms_length;
8865
8866 while (offset < next_offset) {
8867 proto_tree_add_item(tree, hf->hf.hs_ext_compress_certificate_algorithm,
8868 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
8869 offset += 2;
8870 }
8871 break;
8872 default:
8873 break;
8874 }
8875
8876 return offset;
8877}
8878
8879static uint32_t
8880ssl_dissect_hnd_hello_ext_token_binding(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8881 proto_tree *tree, uint32_t offset, uint32_t offset_end,
8882 uint8_t hnd_type, SslDecryptSession *ssl _U___attribute__((unused)))
8883{
8884 uint32_t key_parameters_length, next_offset;
8885 proto_item *p_ti;
8886 proto_tree *p_tree;
8887
8888 /* RFC 8472
8889 *
8890 * struct {
8891 * uint8 major;
8892 * uint8 minor;
8893 * } TB_ProtocolVersion;
8894 *
8895 * enum {
8896 * rsa2048_pkcs1.5(0), rsa2048_pss(1), ecdsap256(2), (255)
8897 * } TokenBindingKeyParameters;
8898 *
8899 * struct {
8900 * TB_ProtocolVersion token_binding_version;
8901 * TokenBindingKeyParameters key_parameters_list<1..2^8-1>
8902 * } TokenBindingParameters;
8903 */
8904
8905 switch (hnd_type) {
8906 case SSL_HND_CLIENT_HELLO:
8907 case SSL_HND_SERVER_HELLO:
8908 proto_tree_add_item(tree, hf->hf.hs_ext_token_binding_version_major, tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
8909 offset += 1;
8910 proto_tree_add_item(tree, hf->hf.hs_ext_token_binding_version_minor, tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
8911 offset += 1;
8912
8913 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &key_parameters_length,
8914 hf->hf.hs_ext_token_binding_key_parameters_length, 1, UINT8_MAX(255))) {
8915 return offset_end;
8916 }
8917 offset += 1;
8918 next_offset = offset + key_parameters_length;
8919
8920 p_ti = proto_tree_add_none_format(tree,
8921 hf->hf.hs_ext_token_binding_key_parameters,
8922 tvb, offset, key_parameters_length,
8923 "Key parameters identifiers (%d identifier%s)",
8924 key_parameters_length,
8925 plurality(key_parameters_length, "", "s")((key_parameters_length) == 1 ? ("") : ("s")));
8926 p_tree = proto_item_add_subtree(p_ti, hf->ett.hs_ext_token_binding_key_parameters);
8927
8928 while (offset < next_offset) {
8929 proto_tree_add_item(p_tree, hf->hf.hs_ext_token_binding_key_parameter,
8930 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
8931 offset += 1;
8932 }
8933
8934 if (!ssl_end_vector(hf, tvb, pinfo, p_tree, offset, next_offset)) {
8935 offset = next_offset;
8936 }
8937
8938 break;
8939 default:
8940 break;
8941 }
8942
8943 return offset;
8944}
8945
8946static uint32_t
8947ssl_dissect_hnd_hello_ext_quic_transport_parameters(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8948 proto_tree *tree, uint32_t offset, uint32_t offset_end,
8949 uint8_t hnd_type, SslDecryptSession *ssl _U___attribute__((unused)))
8950{
8951 bool_Bool use_varint_encoding = true1; // Whether this is draft -27 or newer.
8952 uint32_t next_offset;
8953
8954 /* https://tools.ietf.org/html/draft-ietf-quic-transport-25#section-18
8955 *
8956 * Note: the following structures are not literally defined in the spec,
8957 * they instead use an ASCII diagram.
8958 *
8959 * struct {
8960 * uint16 id;
8961 * opaque value<0..2^16-1>;
8962 * } TransportParameter; // before draft -27
8963 * TransportParameter TransportParameters<0..2^16-1>; // before draft -27
8964 *
8965 * struct {
8966 * opaque ipv4Address[4];
8967 * uint16 ipv4Port;
8968 * opaque ipv6Address[16];
8969 * uint16 ipv6Port;
8970 * opaque connectionId<0..18>;
8971 * opaque statelessResetToken[16];
8972 * } PreferredAddress;
8973 */
8974
8975 if (offset_end - offset >= 6 &&
8976 2 + (unsigned)tvb_get_ntohs(tvb, offset) == offset_end - offset &&
8977 6 + (unsigned)tvb_get_ntohs(tvb, offset + 4) <= offset_end - offset) {
8978 // Assume encoding of Transport Parameters draft -26 or older with at
8979 // least one transport parameter that has a valid length.
8980 use_varint_encoding = false0;
8981 }
8982
8983 if (use_varint_encoding) {
8984 next_offset = offset_end;
8985 } else {
8986 uint32_t quic_length;
8987 // Assume draft -26 or earlier.
8988 /* TransportParameter TransportParameters<0..2^16-1>; */
8989 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &quic_length,
8990 hf->hf.hs_ext_quictp_len, 0, UINT16_MAX(65535))) {
8991 return offset_end;
8992 }
8993 offset += 2;
8994 next_offset = offset + quic_length;
8995 }
8996
8997 while (offset < next_offset) {
8998 uint64_t parameter_type; /* 62-bit space */
8999 uint32_t parameter_length;
9000 proto_tree *parameter_tree;
9001 uint32_t parameter_end_offset;
9002 uint64_t value;
9003 uint32_t i;
9004 unsigned len = 0;
9005
9006 parameter_tree = proto_tree_add_subtree(tree, tvb, offset, 2, hf->ett.hs_ext_quictp_parameter,
9007 NULL((void*)0), "Parameter");
9008 /* TransportParameter ID and Length. */
9009 if (use_varint_encoding) {
9010 uint64_t parameter_length64;
9011 unsigned type_len = 0;
9012
9013 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_type,
9014 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &parameter_type, &type_len);
9015 offset += type_len;
9016
9017 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_len,
9018 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &parameter_length64, &len);
9019 parameter_length = (uint32_t)parameter_length64;
9020 offset += len;
9021
9022 proto_item_set_len(parameter_tree, type_len + len + parameter_length);
9023 } else {
9024 parameter_type = tvb_get_ntohs(tvb, offset);
9025 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_type,
9026 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
9027 offset += 2;
9028
9029 /* opaque value<0..2^16-1> */
9030 if (!ssl_add_vector(hf, tvb, pinfo, parameter_tree, offset, next_offset, &parameter_length,
9031 hf->hf.hs_ext_quictp_parameter_len_old, 0, UINT16_MAX(65535))) {
9032 return next_offset;
9033 }
9034 offset += 2;
9035
9036 proto_item_set_len(parameter_tree, 4 + parameter_length);
9037 }
9038
9039 if (IS_GREASE_QUIC(parameter_type)((parameter_type) > 27 ? ((((parameter_type) - 27) % 31) ==
0) : 0)
) {
9040 proto_item_append_text(parameter_tree, ": GREASE");
9041 } else {
9042 proto_item_append_text(parameter_tree, ": %s", val64_to_str_wmem(pinfo->pool, parameter_type, quic_transport_parameter_id, "Unknown 0x%04x"));
9043 }
9044
9045 proto_item_append_text(parameter_tree, " (len=%u)", parameter_length);
9046 parameter_end_offset = offset + parameter_length;
9047
9048 /* Omit the value field if the parameter's length is 0. */
9049 if (parameter_length != 0) {
9050 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_value,
9051 tvb, offset, parameter_length, ENC_NA0x00000000);
9052 }
9053
9054 switch (parameter_type) {
9055 case SSL_HND_QUIC_TP_ORIGINAL_DESTINATION_CONNECTION_ID0x00:
9056 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_original_destination_connection_id,
9057 tvb, offset, parameter_length, ENC_NA0x00000000);
9058 offset += parameter_length;
9059 break;
9060 case SSL_HND_QUIC_TP_MAX_IDLE_TIMEOUT0x01:
9061 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_max_idle_timeout,
9062 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9063 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u" " ms", value);
9064 offset += len;
9065 break;
9066 case SSL_HND_QUIC_TP_STATELESS_RESET_TOKEN0x02:
9067 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_stateless_reset_token,
9068 tvb, offset, 16, ENC_BIG_ENDIAN0x00000000);
9069 quic_add_stateless_reset_token(pinfo, tvb, offset, NULL((void*)0));
9070 offset += 16;
9071 break;
9072 case SSL_HND_QUIC_TP_MAX_UDP_PAYLOAD_SIZE0x03:
9073 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_max_udp_payload_size,
9074 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9075 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
9076 /*TODO display expert info about invalid value (< 1252 or >65527) ? */
9077 offset += len;
9078 break;
9079 case SSL_HND_QUIC_TP_INITIAL_MAX_DATA0x04:
9080 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_data,
9081 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9082 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
9083 offset += len;
9084 break;
9085 case SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_BIDI_LOCAL0x05:
9086 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_stream_data_bidi_local,
9087 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9088 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
9089 offset += len;
9090 break;
9091 case SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_BIDI_REMOTE0x06:
9092 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_stream_data_bidi_remote,
9093 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9094 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
9095 offset += len;
9096 break;
9097 case SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_UNI0x07:
9098 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_stream_data_uni,
9099 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9100 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
9101 offset += len;
9102 break;
9103 case SSL_HND_QUIC_TP_INITIAL_MAX_STREAMS_UNI0x09:
9104 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_streams_uni,
9105 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9106 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
9107 offset += len;
9108 break;
9109 case SSL_HND_QUIC_TP_INITIAL_MAX_STREAMS_BIDI0x08:
9110 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_streams_bidi,
9111 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9112 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
9113 offset += len;
9114 break;
9115 case SSL_HND_QUIC_TP_ACK_DELAY_EXPONENT0x0a:
9116 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_ack_delay_exponent,
9117 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, NULL((void*)0), &len);
9118 /*TODO display multiplier (x8) and expert info about invalid value (> 20) ? */
9119 offset += len;
9120 break;
9121 case SSL_HND_QUIC_TP_MAX_ACK_DELAY0x0b:
9122 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_max_ack_delay,
9123 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9124 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
9125 offset += len;
9126 break;
9127 case SSL_HND_QUIC_TP_DISABLE_ACTIVE_MIGRATION0x0c:
9128 /* No Payload */
9129 break;
9130 case SSL_HND_QUIC_TP_PREFERRED_ADDRESS0x0d: {
9131 uint32_t connectionid_length;
9132 quic_cid_t cid;
9133
9134 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_ipv4address,
9135 tvb, offset, 4, ENC_BIG_ENDIAN0x00000000);
9136 offset += 4;
9137 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_ipv4port,
9138 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
9139 offset += 2;
9140 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_ipv6address,
9141 tvb, offset, 16, ENC_NA0x00000000);
9142 offset += 16;
9143 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_ipv6port,
9144 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
9145 offset += 2;
9146 /* XXX - Should we add these addresses and ports as addresses that the client
9147 * is allowed / expected to migrate the server address to? Right now we don't
9148 * enforce that (see RFC 9000 Section 9, which implies that while the client
9149 * can migrate to whatever address it wants, it can only migrate the server
9150 * address to the Server's Preferred Address as in 9.6. Also Issue #20165.)
9151 */
9152
9153 if (!ssl_add_vector(hf, tvb, pinfo, parameter_tree, offset, offset_end, &connectionid_length,
9154 hf->hf.hs_ext_quictp_parameter_pa_connectionid_length, 0, 20)) {
9155 break;
9156 }
9157 offset += 1;
9158
9159 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_connectionid,
9160 tvb, offset, connectionid_length, ENC_NA0x00000000);
9161 if (connectionid_length >= 1 && connectionid_length <= QUIC_MAX_CID_LENGTH20) {
9162 cid.len = connectionid_length;
9163 // RFC 9000 5.1.1 "If the preferred_address transport
9164 // parameter is sent, the sequence number of the supplied
9165 // connection ID is 1."
9166 cid.seq_num = 1;
9167 // Multipath draft-07 "Also, the Path Identifier for the
9168 // connection ID specified in the "preferred address"
9169 // transport parameter is 0."
9170 cid.path_id = 0;
9171 tvb_memcpy(tvb, cid.cid, offset, connectionid_length);
9172 quic_add_connection(pinfo, &cid);
9173 }
9174 offset += connectionid_length;
9175
9176 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_statelessresettoken,
9177 tvb, offset, 16, ENC_NA0x00000000);
9178 if (connectionid_length >= 1 && connectionid_length <= QUIC_MAX_CID_LENGTH20) {
9179 quic_add_stateless_reset_token(pinfo, tvb, offset, &cid);
9180 }
9181 offset += 16;
9182 }
9183 break;
9184 case SSL_HND_QUIC_TP_ACTIVE_CONNECTION_ID_LIMIT0x0e:
9185 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_active_connection_id_limit,
9186 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9187 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
9188 offset += len;
9189 break;
9190 case SSL_HND_QUIC_TP_INITIAL_SOURCE_CONNECTION_ID0x0f:
9191 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_source_connection_id,
9192 tvb, offset, parameter_length, ENC_NA0x00000000);
9193 offset += parameter_length;
9194 break;
9195 case SSL_HND_QUIC_TP_RETRY_SOURCE_CONNECTION_ID0x10:
9196 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_retry_source_connection_id,
9197 tvb, offset, parameter_length, ENC_NA0x00000000);
9198 offset += parameter_length;
9199 break;
9200 case SSL_HND_QUIC_TP_MAX_DATAGRAM_FRAME_SIZE0x20:
9201 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_max_datagram_frame_size,
9202 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9203 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
9204 offset += len;
9205 break;
9206 case SSL_HND_QUIC_TP_CIBIR_ENCODING0x1000:
9207 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_cibir_encoding_length,
9208 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9209 proto_item_append_text(parameter_tree, " Length: %" PRIu64"l" "u", value);
9210 offset += len;
9211 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_cibir_encoding_offset,
9212 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9213 proto_item_append_text(parameter_tree, ", Offset: %" PRIu64"l" "u", value);
9214 offset += len;
9215 break;
9216 case SSL_HND_QUIC_TP_LOSS_BITS0x1057:
9217 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_loss_bits,
9218 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9219 if (len > 0) {
9220 quic_add_loss_bits(pinfo, value);
9221 }
9222 offset += 1;
9223 break;
9224 case SSL_HND_QUIC_TP_ADDRESS_DISCOVERY0x9f81a176:
9225 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_address_discovery,
9226 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, NULL((void*)0), &len);
9227 offset += len;
9228 break;
9229 case SSL_HND_QUIC_TP_MIN_ACK_DELAY_OLD0xde1a:
9230 case SSL_HND_QUIC_TP_MIN_ACK_DELAY_DRAFT_V10xFF03DE1A:
9231 case SSL_HND_QUIC_TP_MIN_ACK_DELAY_DRAFT050xff04de1a:
9232 case SSL_HND_QUIC_TP_MIN_ACK_DELAY0xff04de1b:
9233 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_min_ack_delay,
9234 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9235 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
9236 offset += len;
9237 break;
9238 case SSL_HND_QUIC_TP_GOOGLE_USER_AGENT0x3129:
9239 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_user_agent_id,
9240 tvb, offset, parameter_length, ENC_ASCII0x00000000|ENC_NA0x00000000);
9241 offset += parameter_length;
9242 break;
9243 case SSL_HND_QUIC_TP_GOOGLE_KEY_UPDATE_NOT_YET_SUPPORTED0x312B:
9244 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_key_update_not_yet_supported,
9245 tvb, offset, parameter_length, ENC_NA0x00000000);
9246 offset += parameter_length;
9247 break;
9248 case SSL_HND_QUIC_TP_GOOGLE_QUIC_VERSION0x4752:
9249 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_quic_version,
9250 tvb, offset, 4, ENC_BIG_ENDIAN0x00000000);
9251 offset += 4;
9252 if (hnd_type == SSL_HND_ENCRYPTED_EXTENSIONS) { /* From server */
9253 uint32_t versions_length;
9254
9255 proto_tree_add_item_ret_uint(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_supported_versions_length,
9256 tvb, offset, 1, ENC_NA0x00000000, &versions_length);
9257 offset += 1;
9258 for (i = 0; i < versions_length / 4; i++) {
9259 quic_proto_tree_add_version(tvb, parameter_tree,
9260 hf->hf.hs_ext_quictp_parameter_google_supported_version, offset);
9261 offset += 4;
9262 }
9263 }
9264 break;
9265 case SSL_HND_QUIC_TP_GOOGLE_INITIAL_RTT0x3127:
9266 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_initial_rtt,
9267 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9268 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u" " us", value);
9269 offset += len;
9270 break;
9271 case SSL_HND_QUIC_TP_GOOGLE_SUPPORT_HANDSHAKE_DONE0x312A:
9272 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_support_handshake_done,
9273 tvb, offset, parameter_length, ENC_NA0x00000000);
9274 offset += parameter_length;
9275 break;
9276 case SSL_HND_QUIC_TP_GOOGLE_QUIC_PARAMS0x4751:
9277 /* This field was used for non-standard Google-specific parameters encoded as a
9278 * Google QUIC_CRYPTO CHLO and it has been replaced (version >= T051) by individual
9279 * parameters. Report it as a bytes blob... */
9280 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_quic_params,
9281 tvb, offset, parameter_length, ENC_NA0x00000000);
9282 /* ... and try decoding it: not sure what the first 4 bytes are (but they seems to be always 0) */
9283 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_quic_params_unknown_field,
9284 tvb, offset, 4, ENC_NA0x00000000);
9285 dissect_gquic_tags(tvb, pinfo, parameter_tree, offset + 4);
9286 offset += parameter_length;
9287 break;
9288 case SSL_HND_QUIC_TP_GOOGLE_CONNECTION_OPTIONS0x3128:
9289 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_connection_options,
9290 tvb, offset, parameter_length, ENC_NA0x00000000);
9291 offset += parameter_length;
9292 break;
9293 case SSL_HND_QUIC_TP_ENABLE_TIME_STAMP0x7157:
9294 /* No Payload */
9295 break;
9296 case SSL_HND_QUIC_TP_ENABLE_TIME_STAMP_V20x7158:
9297 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_enable_time_stamp_v2,
9298 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9299 offset += parameter_length;
9300 break;
9301 case SSL_HND_QUIC_TP_VERSION_INFORMATION_DRAFT0xff73db:
9302 case SSL_HND_QUIC_TP_VERSION_INFORMATION0x11:
9303 quic_proto_tree_add_version(tvb, parameter_tree,
9304 hf->hf.hs_ext_quictp_parameter_chosen_version, offset);
9305 offset += 4;
9306 for (i = 4; i < parameter_length; i += 4) {
9307 quic_proto_tree_add_version(tvb, parameter_tree,
9308 hf->hf.hs_ext_quictp_parameter_other_version, offset);
9309 offset += 4;
9310 }
9311 break;
9312 case SSL_HND_QUIC_TP_GREASE_QUIC_BIT0x2ab2:
9313 /* No Payload */
9314 quic_add_grease_quic_bit(pinfo);
9315 break;
9316 case SSL_HND_QUIC_TP_FACEBOOK_PARTIAL_RELIABILITY0xFF00:
9317 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_facebook_partial_reliability,
9318 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9319 offset += parameter_length;
9320 break;
9321 case SSL_HND_QUIC_TP_ENABLE_MULTIPATH_DRAFT040x0f739bbc1b666d04:
9322 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_enable_multipath,
9323 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9324 if (value == 1) {
9325 quic_add_multipath(pinfo, QUIC_MP_NO_PATH_ID1);
9326 }
9327 offset += parameter_length;
9328 break;
9329 case SSL_HND_QUIC_TP_ENABLE_MULTIPATH_DRAFT050x0f739bbc1b666d05:
9330 case SSL_HND_QUIC_TP_ENABLE_MULTIPATH0x0f739bbc1b666d06:
9331 /* No Payload */
9332 quic_add_multipath(pinfo, QUIC_MP_NO_PATH_ID1);
9333 break;
9334 case SSL_HND_QUIC_TP_INITIAL_MAX_PATHS0x0f739bbc1b666d07:
9335 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_paths,
9336 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9337 if (value > 1) {
9338 quic_add_multipath(pinfo, QUIC_MP_PATH_ID2);
9339 }
9340 /* multipath draft-07: "The value of the initial_max_paths
9341 * parameter MUST be at least 2." TODO: Expert Info? */
9342 offset += parameter_length;
9343 break;
9344 case SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT090x0f739bbc1b666d09:
9345 case SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT110x0f739bbc1b666d11:
9346 case SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT120x0f739bbc1b666d0c:
9347 case SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT130x0f739bbc1b666d0d:
9348 case SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID0x3e:
9349 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_path_id,
9350 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
9351 /* multipath draft-09 and later: "If an endpoint receives an
9352 * initial_max_path_id transport parameter with value 0, the
9353 * peer aims to enable the multipath extension without allowing
9354 * extra paths immediately."
9355 */
9356 quic_add_multipath(pinfo, QUIC_MP_PATH_ID2);
9357 offset += parameter_length;
9358 break;
9359 default:
9360 offset += parameter_length;
9361 /*TODO display expert info about unknown ? */
9362 break;
9363 }
9364
9365 if (!ssl_end_vector(hf, tvb, pinfo, parameter_tree, offset, parameter_end_offset)) {
9366 /* Dissection did not end at expected location, fix it. */
9367 offset = parameter_end_offset;
9368 }
9369 }
9370
9371 return offset;
9372}
9373
9374static int
9375ssl_dissect_hnd_hello_common(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9376 proto_tree *tree, uint32_t offset,
9377 SslSession *session, SslDecryptSession *ssl,
9378 bool_Bool from_server, bool_Bool is_hrr)
9379{
9380 uint8_t sessid_length;
9381 proto_item *ti;
9382 proto_tree *rnd_tree;
9383 proto_tree *ti_rnd;
9384 proto_tree *ech_confirm_tree;
9385 uint8_t draft_version = session->tls13_draft_version;
9386
9387 if (ssl) {
9388 StringInfo *rnd;
9389 if (from_server)
9390 rnd = &ssl->server_random;
9391 else
9392 rnd = &ssl->client_random;
9393
9394 /* save provided random for later keyring generation */
9395 tvb_memcpy(tvb, rnd->data, offset, 32);
9396 rnd->data_len = 32;
9397 if (from_server)
9398 ssl->state |= SSL_SERVER_RANDOM(1<<1);
9399 else
9400 ssl->state |= SSL_CLIENT_RANDOM(1<<0);
9401 ssl_debug_printf("%s found %s RANDOM -> state 0x%02X\n", G_STRFUNC((const char*) (__func__)),
9402 from_server ? "SERVER" : "CLIENT", ssl->state);
9403 }
9404
9405 if (!from_server && session->client_random.data_len == 0) {
9406 session->client_random.data_len = 32;
9407 tvb_memcpy(tvb, session->client_random.data, offset, 32);
9408 }
9409
9410 ti_rnd = proto_tree_add_item(tree, hf->hf.hs_random, tvb, offset, 32, ENC_NA0x00000000);
9411
9412 if ((session->version != TLSV1DOT3_VERSION0x304) && (session->version != DTLSV1DOT3_VERSION0xfefc)) { /* No time on first bytes random with TLS 1.3 */
9413
9414 rnd_tree = proto_item_add_subtree(ti_rnd, hf->ett.hs_random);
9415 /* show the time */
9416 proto_tree_add_item(rnd_tree, hf->hf.hs_random_time,
9417 tvb, offset, 4, ENC_TIME_SECS0x00000012|ENC_BIG_ENDIAN0x00000000);
9418 offset += 4;
9419
9420 /* show the random bytes */
9421 proto_tree_add_item(rnd_tree, hf->hf.hs_random_bytes,
9422 tvb, offset, 28, ENC_NA0x00000000);
9423 offset += 28;
9424 } else {
9425 if (is_hrr) {
9426 proto_item_append_text(ti_rnd, " (HelloRetryRequest magic)");
9427 } else if (from_server && session->ech) {
9428 ech_confirm_tree = proto_item_add_subtree(ti_rnd, hf->ett.hs_random);
9429 proto_tree_add_item(ech_confirm_tree, hf->hf.hs_ech_confirm, tvb, offset + 24, 8, ENC_NA0x00000000);
9430 ti = proto_tree_add_bytes_with_length(ech_confirm_tree, hf->hf.hs_ech_confirm_compute, tvb, offset + 24, 0,
9431 session->ech_confirmation, 8);
9432 proto_item_set_generated(ti);
9433 if (memcmp(session->ech_confirmation, tvb_get_ptr(tvb, offset+24, 8), 8)) {
9434 expert_add_info(pinfo, ti, &hf->ei.ech_rejected);
9435 } else {
9436 expert_add_info(pinfo, ti, &hf->ei.ech_accepted);
9437 }
9438 }
9439
9440 offset += 32;
9441 }
9442
9443 /* No Session ID with TLS 1.3 on Server Hello before draft -22 */
9444 if (from_server == 0 || !(session->version == TLSV1DOT3_VERSION0x304 && draft_version > 0 && draft_version < 22)) {
9445 /* show the session id (length followed by actual Session ID) */
9446 sessid_length = tvb_get_uint8(tvb, offset);
9447 proto_tree_add_item(tree, hf->hf.hs_session_id_len,
9448 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
9449 offset++;
9450
9451 if (ssl) {
9452 /* save the authoritative SID for later use in ChangeCipherSpec.
9453 * (D)TLS restricts the SID to 32 chars, it does not make sense to
9454 * save more, so ignore larger ones. To support ECH, also save
9455 * the SID from the ClientHelloOuter. */
9456 if (sessid_length <= 32 && (from_server || sessid_length > 0)) {
9457 tvb_memcpy(tvb, ssl->session_id.data, offset, sessid_length);
9458 ssl->session_id.data_len = sessid_length;
9459 }
9460 }
9461 if (sessid_length > 0) {
9462 proto_tree_add_item(tree, hf->hf.hs_session_id,
9463 tvb, offset, sessid_length, ENC_NA0x00000000);
9464 offset += sessid_length;
9465 }
9466 }
9467
9468 return offset;
9469}
9470
9471static int
9472ssl_dissect_hnd_hello_ext_status_request(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9473 proto_tree *tree, uint32_t offset, uint32_t offset_end,
9474 bool_Bool has_length)
9475{
9476 /* TLS 1.2/1.3 status_request Client Hello Extension.
9477 * TLS 1.2 status_request_v2 CertificateStatusRequestItemV2 type.
9478 * https://tools.ietf.org/html/rfc6066#section-8 (status_request)
9479 * https://tools.ietf.org/html/rfc6961#section-2.2 (status_request_v2)
9480 * struct {
9481 * CertificateStatusType status_type;
9482 * uint16 request_length; // for status_request_v2
9483 * select (status_type) {
9484 * case ocsp: OCSPStatusRequest;
9485 * case ocsp_multi: OCSPStatusRequest;
9486 * } request;
9487 * } CertificateStatusRequest; // CertificateStatusRequestItemV2
9488 *
9489 * enum { ocsp(1), ocsp_multi(2), (255) } CertificateStatusType;
9490 * struct {
9491 * ResponderID responder_id_list<0..2^16-1>;
9492 * Extensions request_extensions;
9493 * } OCSPStatusRequest;
9494 * opaque ResponderID<1..2^16-1>;
9495 * opaque Extensions<0..2^16-1>;
9496 */
9497 unsigned cert_status_type;
9498
9499 cert_status_type = tvb_get_uint8(tvb, offset);
9500 proto_tree_add_item(tree, hf->hf.hs_ext_cert_status_type,
9501 tvb, offset, 1, ENC_NA0x00000000);
9502 offset++;
9503
9504 if (has_length) {
9505 proto_tree_add_item(tree, hf->hf.hs_ext_cert_status_request_len,
9506 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
9507 offset += 2;
9508 }
9509
9510 switch (cert_status_type) {
9511 case SSL_HND_CERT_STATUS_TYPE_OCSP1:
9512 case SSL_HND_CERT_STATUS_TYPE_OCSP_MULTI2:
9513 {
9514 uint32_t responder_id_list_len;
9515 uint32_t request_extensions_len;
9516
9517 /* ResponderID responder_id_list<0..2^16-1> */
9518 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &responder_id_list_len,
9519 hf->hf.hs_ext_cert_status_responder_id_list_len, 0, UINT16_MAX(65535))) {
9520 return offset_end;
9521 }
9522 offset += 2;
9523 if (responder_id_list_len != 0) {
9524 proto_tree_add_expert_format(tree, pinfo, &hf->ei.hs_ext_cert_status_undecoded,
9525 tvb, offset, responder_id_list_len,
9526 "Responder ID list is not implemented, contact Wireshark"
9527 " developers if you want this to be supported");
9528 }
9529 offset += responder_id_list_len;
9530
9531 /* opaque Extensions<0..2^16-1> */
9532 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &request_extensions_len,
9533 hf->hf.hs_ext_cert_status_request_extensions_len, 0, UINT16_MAX(65535))) {
9534 return offset_end;
9535 }
9536 offset += 2;
9537 if (request_extensions_len != 0) {
9538 proto_tree_add_expert_format(tree, pinfo, &hf->ei.hs_ext_cert_status_undecoded,
9539 tvb, offset, request_extensions_len,
9540 "Request Extensions are not implemented, contact"
9541 " Wireshark developers if you want this to be supported");
9542 }
9543 offset += request_extensions_len;
9544 break;
9545 }
9546 }
9547
9548 return offset;
9549}
9550
9551static unsigned
9552ssl_dissect_hnd_hello_ext_status_request_v2(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9553 proto_tree *tree, uint32_t offset, uint32_t offset_end)
9554{
9555 /* https://tools.ietf.org/html/rfc6961#section-2.2
9556 * struct {
9557 * CertificateStatusRequestItemV2 certificate_status_req_list<1..2^16-1>;
9558 * } CertificateStatusRequestListV2;
9559 */
9560 uint32_t req_list_length, next_offset;
9561
9562 /* CertificateStatusRequestItemV2 certificate_status_req_list<1..2^16-1> */
9563 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &req_list_length,
9564 hf->hf.hs_ext_cert_status_request_list_len, 1, UINT16_MAX(65535))) {
9565 return offset_end;
9566 }
9567 offset += 2;
9568 next_offset = offset + req_list_length;
9569
9570 while (offset < next_offset) {
9571 offset = ssl_dissect_hnd_hello_ext_status_request(hf, tvb, pinfo, tree, offset, next_offset, true1);
9572 }
9573
9574 return offset;
9575}
9576
9577static uint32_t
9578tls_dissect_ocsp_response(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
9579 uint32_t offset, uint32_t offset_end)
9580{
9581 uint32_t response_length;
9582 proto_item *ocsp_resp;
9583 proto_tree *ocsp_resp_tree;
9584 asn1_ctx_t asn1_ctx;
9585
9586 /* opaque OCSPResponse<1..2^24-1>; */
9587 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &response_length,
9588 hf->hf.hs_ocsp_response_len, 1, G_MAXUINT24((1U << 24) - 1))) {
9589 return offset_end;
9590 }
9591 offset += 3;
9592
9593 ocsp_resp = proto_tree_add_item(tree, proto_ocsp, tvb, offset,
9594 response_length, ENC_BIG_ENDIAN0x00000000);
9595 proto_item_set_text(ocsp_resp, "OCSP Response");
9596 ocsp_resp_tree = proto_item_add_subtree(ocsp_resp, hf->ett.ocsp_response);
9597 if (proto_is_protocol_enabled(find_protocol_by_id(proto_ocsp))) {
9598 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true1, pinfo);
9599 dissect_ocsp_OCSPResponse(false0, tvb, offset, &asn1_ctx, ocsp_resp_tree, -1);
9600 }
9601 offset += response_length;
9602
9603 return offset;
9604}
9605
9606uint32_t
9607tls_dissect_hnd_certificate_status(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9608 proto_tree *tree, uint32_t offset, uint32_t offset_end)
9609{
9610 /* TLS 1.2 "CertificateStatus" handshake message.
9611 * TLS 1.3 "status_request" Certificate extension.
9612 * struct {
9613 * CertificateStatusType status_type;
9614 * select (status_type) {
9615 * case ocsp: OCSPResponse;
9616 * case ocsp_multi: OCSPResponseList; // status_request_v2
9617 * } response;
9618 * } CertificateStatus;
9619 * opaque OCSPResponse<1..2^24-1>;
9620 * struct {
9621 * OCSPResponse ocsp_response_list<1..2^24-1>;
9622 * } OCSPResponseList; // status_request_v2
9623 */
9624 uint32_t status_type, resp_list_length, next_offset;
9625
9626 proto_tree_add_item_ret_uint(tree, hf->hf.hs_ext_cert_status_type,
9627 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000, &status_type);
9628 offset += 1;
9629
9630 switch (status_type) {
9631 case SSL_HND_CERT_STATUS_TYPE_OCSP1:
9632 offset = tls_dissect_ocsp_response(hf, tvb, pinfo, tree, offset, offset_end);
9633 break;
9634
9635 case SSL_HND_CERT_STATUS_TYPE_OCSP_MULTI2:
9636 /* OCSPResponse ocsp_response_list<1..2^24-1> */
9637 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &resp_list_length,
9638 hf->hf.hs_ocsp_response_list_len, 1, G_MAXUINT24((1U << 24) - 1))) {
9639 return offset_end;
9640 }
9641 offset += 3;
9642 next_offset = offset + resp_list_length;
9643
9644 while (offset < next_offset) {
9645 offset = tls_dissect_ocsp_response(hf, tvb, pinfo, tree, offset, next_offset);
9646 }
9647 break;
9648 }
9649
9650 return offset;
9651}
9652
9653static unsigned
9654ssl_dissect_hnd_hello_ext_supported_groups(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9655 proto_tree *tree, uint32_t offset, uint32_t offset_end,
9656 wmem_strbuf_t *ja3)
9657{
9658 /* RFC 8446 Section 4.2.7
9659 * enum { ..., (0xFFFF) } NamedGroup;
9660 * struct {
9661 * NamedGroup named_group_list<2..2^16-1>
9662 * } NamedGroupList;
9663 *
9664 * NOTE: "NamedCurve" (RFC 4492) is renamed to "NamedGroup" (RFC 7919) and
9665 * the extension itself from "elliptic_curves" to "supported_groups".
9666 */
9667 uint32_t groups_length, next_offset;
9668 proto_tree *groups_tree;
9669 proto_item *ti;
9670 char *ja3_dash = "";
9671
9672 /* NamedGroup named_group_list<2..2^16-1> */
9673 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &groups_length,
9674 hf->hf.hs_ext_supported_groups_len, 2, UINT16_MAX(65535))) {
9675 return offset_end;
9676 }
9677 offset += 2;
9678 next_offset = offset + groups_length;
9679
9680 ti = proto_tree_add_none_format(tree,
9681 hf->hf.hs_ext_supported_groups,
9682 tvb, offset, groups_length,
9683 "Supported Groups (%d group%s)",
9684 groups_length / 2,
9685 plurality(groups_length/2, "", "s")((groups_length/2) == 1 ? ("") : ("s")));
9686
9687 /* make this a subtree */
9688 groups_tree = proto_item_add_subtree(ti, hf->ett.hs_ext_groups);
9689
9690 if (ja3) {
9691 wmem_strbuf_append_c(ja3, ',');
9692 }
9693 /* loop over all groups */
9694 while (offset + 2 <= offset_end) {
9695 uint32_t ext_supported_group;
9696
9697 proto_tree_add_item_ret_uint(groups_tree, hf->hf.hs_ext_supported_group, tvb, offset, 2,
9698 ENC_BIG_ENDIAN0x00000000, &ext_supported_group);
9699 offset += 2;
9700 if (ja3 && !IS_GREASE_TLS(ext_supported_group)((((ext_supported_group) & 0x0f0f) == 0x0a0a) && (
((ext_supported_group) & 0xff) == (((ext_supported_group)
>>8) & 0xff)))
) {
9701 wmem_strbuf_append_printf(ja3, "%s%i",ja3_dash, ext_supported_group);
9702 ja3_dash = "-";
9703 }
9704 }
9705 if (!ssl_end_vector(hf, tvb, pinfo, groups_tree, offset, next_offset)) {
9706 offset = next_offset;
9707 }
9708
9709 return offset;
9710}
9711
9712static int
9713ssl_dissect_hnd_hello_ext_ec_point_formats(ssl_common_dissect_t *hf, tvbuff_t *tvb,
9714 proto_tree *tree, uint32_t offset, wmem_strbuf_t *ja3)
9715{
9716 uint8_t ecpf_length;
9717 proto_tree *ecpf_tree;
9718 proto_item *ti;
9719
9720 ecpf_length = tvb_get_uint8(tvb, offset);
9721 proto_tree_add_item(tree, hf->hf.hs_ext_ec_point_formats_len,
9722 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
9723
9724 offset += 1;
9725 ti = proto_tree_add_none_format(tree,
9726 hf->hf.hs_ext_ec_point_formats,
9727 tvb, offset, ecpf_length,
9728 "Elliptic curves point formats (%d)",
9729 ecpf_length);
9730
9731 /* make this a subtree */
9732 ecpf_tree = proto_item_add_subtree(ti, hf->ett.hs_ext_curves_point_formats);
9733
9734 if (ja3) {
9735 wmem_strbuf_append_c(ja3, ',');
9736 }
9737
9738 /* loop over all point formats */
9739 while (ecpf_length > 0)
9740 {
9741 uint32_t ext_ec_point_format;
9742
9743 proto_tree_add_item_ret_uint(ecpf_tree, hf->hf.hs_ext_ec_point_format, tvb, offset, 1,
9744 ENC_BIG_ENDIAN0x00000000, &ext_ec_point_format);
9745 offset++;
9746 ecpf_length--;
9747 if (ja3) {
9748 wmem_strbuf_append_printf(ja3, "%i", ext_ec_point_format);
9749 if (ecpf_length > 0) {
9750 wmem_strbuf_append_c(ja3, '-');
9751 }
9752 }
9753 }
9754
9755 return offset;
9756}
9757
9758static int
9759ssl_dissect_hnd_hello_ext_srp(ssl_common_dissect_t *hf, tvbuff_t *tvb,
9760 packet_info *pinfo, proto_tree *tree,
9761 uint32_t offset, uint32_t next_offset)
9762{
9763 /* https://tools.ietf.org/html/rfc5054#section-2.8.1
9764 * opaque srp_I<1..2^8-1>;
9765 */
9766 uint32_t username_len;
9767
9768 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, next_offset, &username_len,
9769 hf->hf.hs_ext_srp_len, 1, UINT8_MAX(255))) {
9770 return next_offset;
9771 }
9772 offset++;
9773
9774 proto_tree_add_item(tree, hf->hf.hs_ext_srp_username,
9775 tvb, offset, username_len, ENC_UTF_80x00000002|ENC_NA0x00000000);
9776 offset += username_len;
9777
9778 return offset;
9779}
9780
9781static uint32_t
9782tls_dissect_sct(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
9783 uint32_t offset, uint32_t offset_end, uint16_t version)
9784{
9785 /* https://tools.ietf.org/html/rfc6962#section-3.2
9786 * enum { v1(0), (255) } Version;
9787 * struct {
9788 * opaque key_id[32];
9789 * } LogID;
9790 * opaque CtExtensions<0..2^16-1>;
9791 * struct {
9792 * Version sct_version;
9793 * LogID id;
9794 * uint64 timestamp;
9795 * CtExtensions extensions;
9796 * digitally-signed struct { ... };
9797 * } SignedCertificateTimestamp;
9798 */
9799 uint32_t sct_version;
9800 uint64_t sct_timestamp_ms;
9801 nstime_t sct_timestamp;
9802 uint32_t exts_len;
9803 const char *log_name;
9804
9805 proto_tree_add_item_ret_uint(tree, hf->hf.sct_sct_version, tvb, offset, 1, ENC_NA0x00000000, &sct_version);
9806 offset++;
9807 if (sct_version != 0) {
9808 // TODO expert info about unknown SCT version?
9809 return offset;
9810 }
9811 proto_tree_add_item(tree, hf->hf.sct_sct_logid, tvb, offset, 32, ENC_BIG_ENDIAN0x00000000);
9812 log_name = bytesval_to_str_wmem(pinfo->pool, tvb_get_ptr(tvb, offset, 32), 32, ct_logids, "Unknown Log");
9813 proto_item_append_text(tree, " (%s)", log_name);
9814 offset += 32;
9815 sct_timestamp_ms = tvb_get_ntoh64(tvb, offset);
9816 sct_timestamp.secs = (time_t)(sct_timestamp_ms / 1000);
9817 sct_timestamp.nsecs = (int)((sct_timestamp_ms % 1000) * 1000000);
9818 proto_tree_add_time(tree, hf->hf.sct_sct_timestamp, tvb, offset, 8, &sct_timestamp);
9819 offset += 8;
9820 /* opaque CtExtensions<0..2^16-1> */
9821 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &exts_len,
9822 hf->hf.sct_sct_extensions_length, 0, UINT16_MAX(65535))) {
9823 return offset_end;
9824 }
9825 offset += 2;
9826 if (exts_len > 0) {
9827 proto_tree_add_item(tree, hf->hf.sct_sct_extensions, tvb, offset, exts_len, ENC_BIG_ENDIAN0x00000000);
9828 offset += exts_len;
9829 }
9830 offset = ssl_dissect_digitally_signed(hf, tvb, pinfo, tree, offset, offset_end, version,
9831 hf->hf.sct_sct_signature_length,
9832 hf->hf.sct_sct_signature);
9833 return offset;
9834}
9835
9836uint32_t
9837tls_dissect_sct_list(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
9838 uint32_t offset, uint32_t offset_end, uint16_t version)
9839{
9840 /* https://tools.ietf.org/html/rfc6962#section-3.3
9841 * opaque SerializedSCT<1..2^16-1>;
9842 * struct {
9843 * SerializedSCT sct_list <1..2^16-1>;
9844 * } SignedCertificateTimestampList;
9845 */
9846 uint32_t list_length, sct_length, next_offset;
9847 proto_tree *subtree;
9848
9849 /* SerializedSCT sct_list <1..2^16-1> */
9850 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &list_length,
9851 hf->hf.sct_scts_length, 1, UINT16_MAX(65535))) {
9852 return offset_end;
9853 }
9854 offset += 2;
9855
9856 while (offset < offset_end) {
9857 subtree = proto_tree_add_subtree(tree, tvb, offset, 2, hf->ett.sct, NULL((void*)0), "Signed Certificate Timestamp");
9858
9859 /* opaque SerializedSCT<1..2^16-1> */
9860 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, offset_end, &sct_length,
9861 hf->hf.sct_sct_length, 1, UINT16_MAX(65535))) {
9862 return offset_end;
9863 }
9864 offset += 2;
9865 next_offset = offset + sct_length;
9866 proto_item_set_len(subtree, 2 + sct_length);
9867 offset = tls_dissect_sct(hf, tvb, pinfo, subtree, offset, next_offset, version);
9868 if (!ssl_end_vector(hf, tvb, pinfo, subtree, offset, next_offset)) {
9869 offset = next_offset;
9870 }
9871 }
9872
9873 return offset;
9874}
9875
9876static int
9877dissect_ech_hpke_cipher_suite(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo _U___attribute__((unused)),
9878 proto_tree *tree, uint32_t offset)
9879{
9880 uint32_t kdf_id, aead_id;
9881 proto_item *cs_ti;
9882 proto_tree *cs_tree;
9883
9884 cs_ti = proto_tree_add_item(tree, hf->hf.ech_hpke_keyconfig_cipher_suite,
9885 tvb, offset, 4, ENC_NA0x00000000);
9886 cs_tree = proto_item_add_subtree(cs_ti, hf->ett.ech_hpke_cipher_suite);
9887
9888 proto_tree_add_item_ret_uint(cs_tree, hf->hf.ech_hpke_keyconfig_cipher_suite_kdf_id,
9889 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &kdf_id);
9890 offset += 2;
9891 proto_tree_add_item_ret_uint(cs_tree, hf->hf.ech_hpke_keyconfig_cipher_suite_aead_id,
9892 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &aead_id);
9893 offset += 2;
9894
9895 proto_item_append_text(cs_ti, ": %s/%s",
9896 val_to_str_const(kdf_id, kdf_id_type_vals, "Unknown"),
9897 val_to_str_const(aead_id, aead_id_type_vals, "Unknown"));
9898 return offset;
9899}
9900
9901static int
9902dissect_ech_hpke_key_config(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9903 proto_tree *tree, uint32_t offset, uint32_t offset_end,
9904 uint32_t *config_id)
9905{
9906 uint32_t length, cipher_suite_length;
9907 proto_item *kc_ti, *css_ti;
9908 proto_tree *kc_tree, *css_tree;
9909 uint32_t original_offset = offset, next_offset;
9910
9911 kc_ti = proto_tree_add_item(tree, hf->hf.ech_hpke_keyconfig,
9912 tvb, offset, -1, ENC_NA0x00000000);
9913 kc_tree = proto_item_add_subtree(kc_ti, hf->ett.ech_hpke_keyconfig);
9914
9915 proto_tree_add_item_ret_uint(kc_tree, hf->hf.ech_hpke_keyconfig_config_id,
9916 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000, config_id);
9917 offset += 1;
9918 proto_tree_add_item(kc_tree, hf->hf.ech_hpke_keyconfig_kem_id,
9919 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
9920 offset += 2;
9921 proto_tree_add_item_ret_uint(kc_tree, hf->hf.ech_hpke_keyconfig_public_key_length,
9922 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &length);
9923 offset += 2;
9924 proto_tree_add_item(kc_tree, hf->hf.ech_hpke_keyconfig_public_key,
9925 tvb, offset, length, ENC_NA0x00000000);
9926 offset += length;
9927
9928 /* HpkeSymmetricCipherSuite cipher_suites<4..2^16-4> */
9929 if (!ssl_add_vector(hf, tvb, pinfo, kc_tree, offset, offset_end, &cipher_suite_length,
9930 hf->hf.ech_hpke_keyconfig_cipher_suites_length, 4, UINT16_MAX(65535) - 3)) {
9931 return offset_end;
9932 }
9933 offset += 2;
9934 next_offset = offset + cipher_suite_length;
9935
9936 css_ti = proto_tree_add_none_format(kc_tree,
9937 hf->hf.ech_hpke_keyconfig_cipher_suites,
9938 tvb, offset, cipher_suite_length,
9939 "Cipher Suites (%d suite%s)",
9940 cipher_suite_length / 4,
9941 plurality(cipher_suite_length / 4, "", "s")((cipher_suite_length / 4) == 1 ? ("") : ("s")));
9942 css_tree = proto_item_add_subtree(css_ti, hf->ett.ech_hpke_cipher_suites);
9943
9944
9945 while (offset + 4 <= next_offset) {
9946 offset = dissect_ech_hpke_cipher_suite(hf, tvb, pinfo, css_tree, offset);
9947 }
9948
9949 if (!ssl_end_vector(hf, tvb, pinfo, css_tree, offset, next_offset)) {
9950 offset = next_offset;
9951 }
9952
9953 proto_item_set_len(kc_ti, offset - original_offset);
9954
9955 return offset;
9956}
9957
9958static int
9959dissect_ech_echconfig_contents(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9960 proto_tree *tree, uint32_t offset, uint32_t offset_end,
9961 const uint8_t **public_name, uint32_t *config_id)
9962{
9963 uint32_t public_name_length, extensions_length, next_offset;
9964
9965 offset = dissect_ech_hpke_key_config(hf, tvb, pinfo, tree, offset, offset_end, config_id);
9966 proto_tree_add_item(tree, hf->hf.ech_echconfigcontents_maximum_name_length,
9967 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
9968 offset += 1;
9969 proto_tree_add_item_ret_uint(tree, hf->hf.ech_echconfigcontents_public_name_length,
9970 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000, &public_name_length);
9971 offset += 1;
9972 proto_tree_add_item_ret_string(tree, hf->hf.ech_echconfigcontents_public_name,
9973 tvb, offset, public_name_length, ENC_ASCII0x00000000, pinfo->pool, public_name);
9974 offset += public_name_length;
9975
9976 /* Extension extensions<0..2^16-1>; */
9977 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &extensions_length,
9978 hf->hf.ech_echconfigcontents_extensions_length, 0, UINT16_MAX(65535))) {
9979 return offset_end;
9980 }
9981 offset += 2;
9982 next_offset = offset + extensions_length;
9983
9984 if (extensions_length > 0) {
9985 proto_tree_add_item(tree, hf->hf.ech_echconfigcontents_extensions,
9986 tvb, offset, extensions_length, ENC_NA0x00000000);
9987 }
9988 offset += extensions_length;
9989
9990 if (!ssl_end_vector(hf, tvb, pinfo, tree, offset, next_offset)) {
9991 offset = next_offset;
9992 }
9993
9994 return offset;
9995}
9996
9997static int
9998dissect_ech_echconfig(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9999 proto_tree *tree, uint32_t offset, uint32_t offset_end)
10000{
10001 uint32_t version, length;
10002 proto_item *ech_ti;
10003 proto_tree *ech_tree;
10004 const uint8_t *public_name = NULL((void*)0);
10005 uint32_t config_id = 0;
10006
10007 ech_ti = proto_tree_add_item(tree, hf->hf.ech_echconfig, tvb, offset, -1, ENC_NA0x00000000);
10008 ech_tree = proto_item_add_subtree(ech_ti, hf->ett.ech_echconfig);
10009
10010 proto_tree_add_item_ret_uint(ech_tree, hf->hf.ech_echconfig_version,
10011 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &version);
10012 offset += 2;
10013 proto_tree_add_item_ret_uint(ech_tree, hf->hf.ech_echconfig_length,
10014 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &length);
10015 offset += 2;
10016
10017 proto_item_set_len(ech_ti, 4 + length);
10018
10019 switch(version) {
10020 case 0xfe0d:
10021 dissect_ech_echconfig_contents(hf, tvb, pinfo, ech_tree, offset, offset_end, &public_name, &config_id);
10022 proto_item_append_text(ech_ti, ": id=%d %s", config_id, public_name);
10023 break;
10024
10025 default:
10026 expert_add_info_format(pinfo, ech_ti, &hf->ei.ech_echconfig_invalid_version, "Unsupported/unknown ECHConfig version 0x%x", version);
10027 }
10028
10029 return 4 + length;
10030}
10031
10032uint32_t
10033ssl_dissect_ext_ech_echconfiglist(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
10034 proto_tree *tree, uint32_t offset, uint32_t offset_end)
10035{
10036 uint32_t echconfiglist_length, next_offset;
10037
10038 /* ECHConfig ECHConfigList<1..2^16-1>; */
10039 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &echconfiglist_length,
10040 hf->hf.ech_echconfiglist_length, 1, UINT16_MAX(65535))) {
10041 return offset_end;
10042 }
10043 offset += 2;
10044 next_offset = offset + echconfiglist_length;
10045
10046 while (offset < next_offset) {
10047 offset += dissect_ech_echconfig(hf, tvb, pinfo, tree, offset, offset_end);
10048 }
10049
10050 if (!ssl_end_vector(hf, tvb, pinfo, tree, offset, next_offset)) {
10051 offset = next_offset;
10052 }
10053
10054 return offset;
10055}
10056
10057static uint32_t
10058ssl_dissect_hnd_ech_outer_ext(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
10059 uint32_t offset, uint32_t offset_end)
10060{
10061 uint32_t ext_length, next_offset;
10062 proto_tree *ext_tree;
10063 proto_item *ti;
10064
10065 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &ext_length,
10066 hf->hf.hs_ext_ech_outer_ext_len, 2, UINT8_MAX(255))) {
10067 return offset_end;
10068 }
10069 offset += 1;
10070 next_offset = offset + ext_length;
10071
10072 ti = proto_tree_add_none_format(tree,
10073 hf->hf.hs_ext_ech_outer_ext,
10074 tvb, offset, ext_length,
10075 "Outer Extensions (%d extension%s)",
10076 ext_length / 2,
10077 plurality(ext_length/2, "", "s")((ext_length/2) == 1 ? ("") : ("s")));
10078
10079 ext_tree = proto_item_add_subtree(ti, hf->ett.hs_ext);
10080
10081 while (offset + 2 <= offset_end) {
10082 proto_tree_add_item(ext_tree, hf->hf.hs_ext_type, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
10083 offset += 2;
10084 }
10085
10086 if (!ssl_end_vector(hf, tvb, pinfo, ext_tree, offset, next_offset)) {
10087 offset = next_offset;
10088 }
10089
10090 return offset;
10091}
10092
10093static uint32_t
10094// NOLINTNEXTLINE(misc-no-recursion)
10095ssl_dissect_hnd_hello_ext_ech(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
10096 proto_tree *tree, uint32_t offset, uint32_t offset_end,
10097 uint8_t hnd_type, SslSession *session, SslDecryptSession *ssl, ssl_master_key_map_t *mk_map)
10098{
10099 uint32_t ch_type, length;
10100 proto_item *ti, *payload_ti;
10101 proto_tree *retry_tree, *payload_tree;
10102 uint32_t hello_length = tvb_reported_length(tvb);
10103
10104 switch (hnd_type) {
10105 case SSL_HND_CLIENT_HELLO:
10106 /*
10107 * enum { outer(0), inner(1) } ECHClientHelloType;
10108 *
10109 * struct {
10110 * ECHClientHelloType type;
10111 * select (ECHClientHello.type) {
10112 * case outer:
10113 * HpkeSymmetricCipherSuite cipher_suite;
10114 * uint8 config_id;
10115 * opaque enc<0..2^16-1>;
10116 * opaque payload<1..2^16-1>;
10117 * case inner:
10118 * Empty;
10119 * };
10120 * } ECHClientHello;
10121 */
10122
10123 proto_tree_add_item_ret_uint(tree, hf->hf.ech_clienthello_type, tvb, offset, 1, ENC_BIG_ENDIAN0x00000000, &ch_type);
10124 offset += 1;
10125 switch (ch_type) {
10126 case 0: /* outer */
10127 if (ssl && session->first_ch_ech_frame == 0) {
10128 session->first_ch_ech_frame = pinfo->num;
10129 }
10130 offset = dissect_ech_hpke_cipher_suite(hf, tvb, pinfo, tree, offset);
10131 uint16_t kdf_id = tvb_get_ntohs(tvb, offset - 4);
10132 uint16_t aead_id = tvb_get_ntohs(tvb, offset - 2);
10133
10134 proto_tree_add_item(tree, hf->hf.ech_config_id, tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
10135 uint8_t config_id = tvb_get_uint8(tvb, offset);
10136 offset += 1;
10137 proto_tree_add_item_ret_uint(tree, hf->hf.ech_enc_length, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &length);
10138 offset += 2;
10139 proto_tree_add_item(tree, hf->hf.ech_enc, tvb, offset, length, ENC_NA0x00000000);
10140 offset += length;
10141 proto_tree_add_item_ret_uint(tree, hf->hf.ech_payload_length, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &length);
10142 offset += 2;
10143 payload_ti = proto_tree_add_item(tree, hf->hf.ech_payload, tvb, offset, length, ENC_NA0x00000000);
10144 offset += length;
10145
10146 if (!mk_map) {
10147 break;
10148 }
10149 if (session->client_random.data_len == 0) {
10150 ssl_debug_printf("%s missing Client Random\n", G_STRFUNC((const char*) (__func__)));
10151 break;
10152 }
10153 StringInfo *ech_secret = (StringInfo *)g_hash_table_lookup(mk_map->ech_secret, &session->client_random);
10154 StringInfo *ech_config = (StringInfo *)g_hash_table_lookup(mk_map->ech_config, &session->client_random);
10155 if (!ech_secret || !ech_config) {
10156 ssl_debug_printf("%s Cannot find ECH_SECRET or ECH_CONFIG, Encrypted Client Hello decryption impossible\n",
10157 G_STRFUNC((const char*) (__func__)));
10158 break;
10159 }
10160
10161 if (hpke_hkdf_len(kdf_id) == 0) {
10162 ssl_debug_printf("Unsupported KDF\n");
10163 break;
10164 }
10165
10166 if (hpke_aead_key_len(aead_id) == 0) {
10167 ssl_debug_printf("Unsupported AEAD\n");
10168 break;
10169 }
10170
10171 size_t aead_nonce_len = hpke_aead_nonce_len(aead_id);
10172
10173 unsigned aead_auth_tag_len = hpke_aead_auth_tag_len(aead_id);
10174 if (length < aead_auth_tag_len) {
10175 ssl_debug_printf("Encrypted payload length %u < Cipher suite authentication tag length %u.\n", length, aead_auth_tag_len);
10176 break;
10177 }
10178 unsigned decrypted_len = length - aead_auth_tag_len;
10179
10180 uint16_t version = pntohu16(ech_config->data);
10181 if (version != SSL_HND_HELLO_EXT_ENCRYPTED_CLIENT_HELLO65037) {
10182 ssl_debug_printf("Unexpected version in ECH Config\n");
10183 break;
10184 }
10185 uint32_t ech_config_offset = 2;
10186 if (pntohu16(&ech_config->data[ech_config_offset]) != ech_config->data_len - 4) {
10187 ssl_debug_printf("Malformed ECH Config, invalid length\n");
10188 break;
10189 }
10190 ech_config_offset += 2;
10191 if (*(ech_config->data + ech_config_offset) != config_id) {
10192 ssl_debug_printf("ECH Config version mismatch\n");
10193 break;
10194 }
10195 ech_config_offset += 1;
10196 uint16_t kem_id = pntohu16(&ech_config->data[ech_config_offset]);
10197 uint8_t suite_id[HPKE_SUIT_ID_LEN10];
10198 hpke_suite_id(kem_id, kdf_id, aead_id, suite_id);
10199 GByteArray *info = g_byte_array_new();
10200 g_byte_array_append(info, (const uint8_t*)"tls ech", 8);
10201 g_byte_array_append(info, ech_config->data, ech_config->data_len);
10202 uint8_t key[AEAD_MAX_KEY_LENGTH32];
10203 uint8_t base_nonce[HPKE_AEAD_NONCE_LENGTH12];
10204 if (hpke_key_schedule(kdf_id, aead_id, ech_secret->data, ech_secret->data_len, suite_id, info->data, info->len, HPKE_MODE_BASE0,
10205 key, base_nonce)) {
10206 g_byte_array_free(info, TRUE(!(0)));
10207 break;
10208 }
10209 g_byte_array_free(info, TRUE(!(0)));
10210 gcry_cipher_hd_t cipher;
10211 if (hpke_setup_aead(&cipher, aead_id, key) ||
10212 hpke_set_nonce(cipher, !session->hrr_ech_declined && pinfo->num > session->first_ch_ech_frame, base_nonce, aead_nonce_len)) {
10213 gcry_cipher_close(cipher);
10214 break;
10215 }
10216 const uint8_t *payload = tvb_get_ptr(tvb, offset - length, length);
10217 uint8_t *ech_aad = (uint8_t *)wmem_alloc(NULL((void*)0), hello_length);
10218 tvb_memcpy(tvb, ech_aad, 0, hello_length);
10219 memset(ech_aad + offset - length, 0, length);
10220 if (gcry_cipher_authenticate(cipher, ech_aad, hello_length)) {
10221 gcry_cipher_close(cipher);
10222 wmem_free(NULL((void*)0), ech_aad);
10223 break;
10224 }
10225 wmem_free(NULL((void*)0), ech_aad);
10226 uint8_t *ech_decrypted_data = (uint8_t *)wmem_alloc(pinfo->pool, decrypted_len);
10227 if (gcry_cipher_decrypt(cipher, ech_decrypted_data, decrypted_len, payload, decrypted_len)) {
10228 gcry_cipher_close(cipher);
10229 break;
10230 }
10231 unsigned char *ech_auth_tag_calc = wmem_alloc0(pinfo->pool, aead_auth_tag_len);
10232 if (gcry_cipher_gettag(cipher, ech_auth_tag_calc, aead_auth_tag_len)) {
10233 gcry_cipher_close(cipher);
10234 break;
10235 }
10236 if (ssl && !session->hrr_ech_declined && session->first_ch_ech_frame == pinfo->num)
10237 memcpy(session->first_ech_auth_tag, ech_auth_tag_calc, aead_auth_tag_len);
10238 gcry_cipher_close(cipher);
10239 if (memcmp(pinfo->num > session->first_ch_ech_frame ? ech_auth_tag_calc : session->first_ech_auth_tag,
10240 payload + decrypted_len, aead_auth_tag_len)) {
10241 ssl_debug_printf("%s ECH auth tag mismatch\n", G_STRFUNC((const char*) (__func__)));
10242 } else {
10243 payload_tree = proto_item_add_subtree(payload_ti, hf->ett.ech_decrypt);
10244 tvbuff_t *ech_tvb = tvb_new_child_real_data(tvb, ech_decrypted_data, decrypted_len, decrypted_len);
10245 add_new_data_source(pinfo, ech_tvb, "Client Hello Inner");
10246 if (ssl) {
10247 /* Note the Outer Client Random for Inject TLS Secrets */
10248 tls_save_crandom(ssl, mk_map);
10249
10250 tvb_memcpy(ech_tvb, ssl->client_random.data, 2, 32);
10251 uint32_t len_offset = ssl->ech_transcript.data_len;
10252 if (ssl->ech_transcript.data_len > 0)
10253 ssl->ech_transcript.data = (unsigned char*)wmem_realloc(wmem_file_scope(), ssl->ech_transcript.data,
10254 ssl->ech_transcript.data_len + hello_length + 4);
10255 else
10256 ssl->ech_transcript.data = (unsigned char*)wmem_alloc(wmem_file_scope(), hello_length + 4);
10257 ssl->ech_transcript.data[ssl->ech_transcript.data_len] = SSL_HND_CLIENT_HELLO;
10258 ssl->ech_transcript.data[ssl->ech_transcript.data_len + 1] = 0;
10259 /* Copy ClientHelloInner up to the legacy_session_id field. */
10260 tvb_memcpy(ech_tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len + 4, 0, 34);
10261 ssl->ech_transcript.data_len += 38;
10262 /* Now copy the legacy_session_id field from ClientHelloOuter. */
10263 ssl->ech_transcript.data[ssl->ech_transcript.data_len] = ssl->session_id.data_len;
10264 ssl->ech_transcript.data_len++;
10265 memcpy(&ssl->ech_transcript.data[ssl->ech_transcript.data_len], ssl->session_id.data, ssl->session_id.data_len);
10266 ssl->ech_transcript.data_len += ssl->session_id.data_len;
10267 /* Skip past the legacy_session_id field in ClientHelloInner
10268 * (which should be the empty string, i.e. just a 0 size.) */
10269 uint32_t ech_offset = 35 + tvb_get_uint8(ech_tvb, 34);
10270 /* Copy the Cipher Suites from ClientHelloInner. */
10271 tvb_memcpy(ech_tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len, ech_offset,
10272 2 + tvb_get_ntohs(ech_tvb, ech_offset));
10273 ssl->ech_transcript.data_len += 2 + tvb_get_ntohs(ech_tvb, ech_offset);
10274 ech_offset += 2 + tvb_get_ntohs(ech_tvb, ech_offset);
10275 /* Copy the Compression Methods */
10276 tvb_memcpy(ech_tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len, ech_offset,
10277 1 + tvb_get_uint8(ech_tvb, ech_offset));
10278 ssl->ech_transcript.data_len += 1 + tvb_get_uint8(ech_tvb, ech_offset);
10279 ech_offset += 1 + tvb_get_uint8(ech_tvb, ech_offset);
10280 /* Now replace extensions in ech_outer_extensions with the
10281 * data from ClientHelloOuter. */
10282 uint32_t ech_extensions_len_offset = ssl->ech_transcript.data_len;
10283 ssl->ech_transcript.data_len += 2;
10284 uint32_t extensions_end = ech_offset + tvb_get_ntohs(ech_tvb, ech_offset) + 2;
10285 ech_offset += 2;
10286 bool_Bool ech_outer_extensions_found = false0;
10287 while (extensions_end - ech_offset >= 4) {
10288 uint16_t ext_type = tvb_get_ntohs(ech_tvb, ech_offset);
10289 ech_offset += 2;
10290 uint16_t ext_len = tvb_get_ntohs(ech_tvb, ech_offset);
10291 ech_offset += 2;
10292 if (ext_type != SSL_HND_HELLO_EXT_ECH_OUTER_EXTENSIONS64768) {
10293 /* Copy this extension directly */
10294 tvb_memcpy(ech_tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len,
10295 ech_offset - 4, 4 + ext_len);
10296 ssl->ech_transcript.data_len += 4 + ext_len;
10297 ech_offset += ext_len;
10298 } else if (ext_len > 0) {
10299 if (ech_outer_extensions_found) {
10300 ssl_debug_printf("Illegal parameter; only a single \"ech_outer_extensions\" extension is allowed\n");
10301 /* This could lead to a buffer overflow by
10302 * making the post-copying ClientHelloInner
10303 * longer than ClientHelloOuter and is
10304 * illegal, so skip this and don't copy. */
10305 ech_offset += ext_len;
10306 continue;
10307 }
10308 ech_outer_extensions_found = true1;
10309 unsigned num_ech_outer_extensions = tvb_get_uint8(ech_tvb, ech_offset);
10310 ech_offset += 1;
10311 uint32_t ech_outer_extensions_end = ech_offset + num_ech_outer_extensions;
10312 /* In ClientHelloOuter, skip past the legacy_session_id */
10313 uint32_t outer_offset = 35 + tvb_get_uint8(tvb, 34);
10314 /* Skip past Cipher Suites */
10315 outer_offset += tvb_get_ntohs(tvb, outer_offset) + 2;
10316 /* Skip past Compression Methods */
10317 outer_offset += tvb_get_uint8(tvb, outer_offset) + 3;
10318 /* Now at the start of ClientHelloOuter's extensions */
10319 while (ech_outer_extensions_end - ech_offset >= 2) {
10320 ext_type = tvb_get_ntohs(ech_tvb, ech_offset);
10321 if (ext_type == SSL_HND_HELLO_EXT_ENCRYPTED_CLIENT_HELLO65037) {
10322 ssl_debug_printf("Illegal parameter; encrypted_client_hello cannot appear within ech_outer_extensions\n");
10323 /* This could lead to a buffer overflow by
10324 * making the post-copying ClientHelloInner
10325 * longer than ClientHelloOuter and is
10326 * illegal, so don't copy. */
10327 break;
10328 }
10329 bool_Bool found = false0;
10330 while (tvb_reported_length_remaining(tvb, outer_offset) >= 4) {
10331 uint16_t outer_ext_type = tvb_get_ntohs(tvb, outer_offset);
10332 uint16_t outer_ext_len = tvb_get_ntohs(tvb, outer_offset + 2);
10333 if (ext_type == outer_ext_type) {
10334 tvb_memcpy(tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len, outer_offset,
10335 4 + outer_ext_len);
10336 ssl->ech_transcript.data_len += 4 + outer_ext_len;
10337 outer_offset += 4 + outer_ext_len;
10338 found = true1;
10339 break;
10340 } else {
10341 outer_offset += 4 + outer_ext_len;
10342 }
10343 }
10344 if (!found) {
10345 ssl_debug_printf("Extension %s was not found in ClientHelloOuter (possibly out of order or referenced more than once)\n", val_to_str(pinfo->pool, ext_type, tls_hello_extension_types, "unknown (0x%02x)"));
10346 }
10347 ech_offset += 2;
10348 }
10349 }
10350 }
10351 uint16_t ech_extensions_len = ssl->ech_transcript.data_len - ech_extensions_len_offset - 2;
10352 phtonu16(&ssl->ech_transcript.data[ech_extensions_len_offset], ech_extensions_len);
10353 phtonu16(&ssl->ech_transcript.data[len_offset + 2], ssl->ech_transcript.data_len - len_offset - 4);
10354 }
10355 uint32_t ech_padding_begin = (uint32_t)ssl_dissect_hnd_cli_hello(hf, ech_tvb, pinfo, payload_tree, 0, decrypted_len, session,
10356 ssl, NULL((void*)0), mk_map);
10357 if (ech_padding_begin < decrypted_len) {
10358 proto_tree_add_item(payload_tree, hf->hf.ech_padding_data, ech_tvb, ech_padding_begin, decrypted_len - ech_padding_begin,
10359 ENC_NA0x00000000);
10360 }
10361 }
10362
10363 break;
10364 case 1: /* inner */
10365 break;
10366 }
10367 break;
10368
10369 case SSL_HND_ENCRYPTED_EXTENSIONS:
10370 /*
10371 * struct {
10372 * ECHConfigList retry_configs;
10373 * } ECHEncryptedExtensions;
10374 */
10375
10376 ti = proto_tree_add_item(tree, hf->hf.ech_retry_configs, tvb, offset, offset_end - offset, ENC_NA0x00000000);
10377 retry_tree = proto_item_add_subtree(ti, hf->ett.ech_retry_configs);
10378 offset = ssl_dissect_ext_ech_echconfiglist(hf, tvb, pinfo, retry_tree, offset, offset_end);
10379 break;
10380
10381 case SSL_HND_HELLO_RETRY_REQUEST:
10382 /*
10383 * struct {
10384 * opaque confirmation[8];
10385 * } ECHHelloRetryRequest;
10386 */
10387
10388 proto_tree_add_item(tree, hf->hf.ech_confirmation, tvb, offset, 8, ENC_NA0x00000000);
10389 if (session->ech) {
10390 ti = proto_tree_add_bytes_with_length(tree, hf->hf.hs_ech_confirm_compute, tvb, offset, 0, session->hrr_ech_confirmation, 8);
10391 proto_item_set_generated(ti);
10392 if (memcmp(session->hrr_ech_confirmation, tvb_get_ptr(tvb, offset, 8), 8)) {
10393 expert_add_info(pinfo, ti, &hf->ei.ech_rejected);
10394 } else {
10395 expert_add_info(pinfo, ti, &hf->ei.ech_accepted);
10396 }
10397 }
10398 offset += 8;
10399 break;
10400 }
10401
10402 return offset;
10403}
10404
10405static uint32_t
10406ssl_dissect_hnd_hello_ext_esni(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
10407 proto_tree *tree, uint32_t offset, uint32_t offset_end,
10408 uint8_t hnd_type, SslDecryptSession *ssl _U___attribute__((unused)))
10409{
10410 uint32_t record_digest_length, encrypted_sni_length;
10411
10412 switch (hnd_type) {
10413 case SSL_HND_CLIENT_HELLO:
10414 /*
10415 * struct {
10416 * CipherSuite suite;
10417 * KeyShareEntry key_share;
10418 * opaque record_digest<0..2^16-1>;
10419 * opaque encrypted_sni<0..2^16-1>;
10420 * } ClientEncryptedSNI;
10421 */
10422 proto_tree_add_item(tree, hf->hf.esni_suite, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
10423 offset += 2;
10424 offset = ssl_dissect_hnd_hello_ext_key_share_entry(hf, tvb, pinfo, tree, offset, offset_end, NULL((void*)0));
10425
10426 /* opaque record_digest<0..2^16-1> */
10427 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &record_digest_length,
10428 hf->hf.esni_record_digest_length, 0, UINT16_MAX(65535))) {
10429 return offset_end;
10430 }
10431 offset += 2;
10432 if (record_digest_length > 0) {
10433 proto_tree_add_item(tree, hf->hf.esni_record_digest, tvb, offset, record_digest_length, ENC_NA0x00000000);
10434 offset += record_digest_length;
10435 }
10436
10437 /* opaque encrypted_sni<0..2^16-1> */
10438 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &encrypted_sni_length,
10439 hf->hf.esni_encrypted_sni_length, 0, UINT16_MAX(65535))) {
10440 return offset_end;
10441 }
10442 offset += 2;
10443 if (encrypted_sni_length > 0) {
10444 proto_tree_add_item(tree, hf->hf.esni_encrypted_sni, tvb, offset, encrypted_sni_length, ENC_NA0x00000000);
10445 offset += encrypted_sni_length;
10446 }
10447 break;
10448
10449 case SSL_HND_ENCRYPTED_EXTENSIONS:
10450 proto_tree_add_item(tree, hf->hf.esni_nonce, tvb, offset, 16, ENC_NA0x00000000);
10451 offset += 16;
10452 break;
10453 }
10454
10455 return offset;
10456}
10457/** TLS Extensions (in Client Hello and Server Hello). }}} */
10458
10459/* Connection ID dissection. {{{ */
10460static uint32_t
10461ssl_dissect_ext_connection_id(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
10462 proto_tree *tree, uint32_t offset, SslDecryptSession *ssl,
10463 uint8_t cidl, uint8_t **session_cid, uint8_t *session_cidl)
10464{
10465 /* keep track of the decrypt session only for the first pass */
10466 if (cidl > 0 && !PINFO_FD_VISITED(pinfo)((pinfo)->fd->visited)) {
10467 tvb_ensure_bytes_exist(tvb, offset + 1, cidl);
10468 *session_cidl = cidl;
10469 *session_cid = (uint8_t*)wmem_alloc0(wmem_file_scope(), cidl);
10470 tvb_memcpy(tvb, *session_cid, offset + 1, cidl);
10471 if (ssl) {
10472 ssl_add_session_by_cid(ssl);
10473 }
10474 }
10475
10476 proto_tree_add_item(tree, hf->hf.hs_ext_connection_id_length,
10477 tvb, offset, 1, ENC_NA0x00000000);
10478 offset++;
10479
10480 if (cidl > 0) {
10481 proto_tree_add_item(tree, hf->hf.hs_ext_connection_id,
10482 tvb, offset, cidl, ENC_NA0x00000000);
10483 offset += cidl;
10484 }
10485
10486 return offset;
10487}
10488
10489static uint32_t
10490ssl_dissect_hnd_hello_ext_connection_id(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
10491 proto_tree *tree, uint32_t offset, uint8_t hnd_type,
10492 SslSession *session, SslDecryptSession *ssl)
10493{
10494 uint8_t cidl = tvb_get_uint8(tvb, offset);
10495
10496 switch (hnd_type) {
10497 case SSL_HND_CLIENT_HELLO:
10498 session->client_cid_len_present = true1;
10499 return ssl_dissect_ext_connection_id(hf, tvb, pinfo, tree, offset, ssl,
10500 cidl, &session->client_cid, &session->client_cid_len);
10501 case SSL_HND_SERVER_HELLO:
10502 session->server_cid_len_present = true1;
10503 return ssl_dissect_ext_connection_id(hf, tvb, pinfo, tree, offset, ssl,
10504 cidl, &session->server_cid, &session->server_cid_len);
10505 default:
10506 return offset;
10507 }
10508} /* }}} */
10509
10510/* Trusted CA dissection. {{{ */
10511static uint32_t
10512ssl_dissect_hnd_hello_ext_trusted_ca_keys(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
10513 uint32_t offset, uint32_t offset_end)
10514{
10515 proto_item *ti;
10516 proto_tree *subtree;
10517 uint32_t keys_length, next_offset;
10518
10519 /*
10520 * struct {
10521 * TrustedAuthority trusted_authorities_list<0..2^16-1>;
10522 * } TrustedAuthorities;
10523 *
10524 * struct {
10525 * IdentifierType identifier_type;
10526 * select (identifier_type) {
10527 * case pre_agreed: struct {};
10528 * case key_sha1_hash: SHA1Hash;
10529 * case x509_name: DistinguishedName;
10530 * case cert_sha1_hash: SHA1Hash;
10531 * } identifier;
10532 * } TrustedAuthority;
10533 *
10534 * enum {
10535 * pre_agreed(0), key_sha1_hash(1), x509_name(2),
10536 * cert_sha1_hash(3), (255)
10537 * } IdentifierType;
10538 *
10539 * opaque DistinguishedName<1..2^16-1>;
10540 *
10541 */
10542
10543
10544 /* TrustedAuthority trusted_authorities_list<0..2^16-1> */
10545 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &keys_length, hf->hf.hs_ext_trusted_ca_keys_len,
10546 0, UINT16_MAX(65535)))
10547 {
10548 return offset_end;
10549 }
10550 offset += 2;
10551 next_offset = offset + keys_length;
10552
10553 if (keys_length > 0)
10554 {
10555 ti = proto_tree_add_none_format(tree, hf->hf.hs_ext_trusted_ca_keys_list, tvb, offset, keys_length,
10556 "Trusted CA keys (%d byte%s)", keys_length, plurality(keys_length, "", "s")((keys_length) == 1 ? ("") : ("s")));
10557 subtree = proto_item_add_subtree(ti, hf->ett.hs_ext_trusted_ca_keys);
10558
10559 while (offset < next_offset)
10560 {
10561 uint32_t identifier_type;
10562 proto_tree *trusted_key_tree;
10563 proto_item *trusted_key_item;
10564 asn1_ctx_t asn1_ctx;
10565 uint32_t key_len = 0;
10566
10567 identifier_type = tvb_get_uint8(tvb, offset);
10568
10569 // Use 0 as length for now as we'll only know the size when we decode the identifier
10570 trusted_key_item = proto_tree_add_none_format(subtree, hf->hf.hs_ext_trusted_ca_key, tvb,
10571 offset, 0, "Trusted CA Key");
10572 trusted_key_tree = proto_item_add_subtree(trusted_key_item, hf->ett.hs_ext_trusted_ca_key);
10573
10574 proto_tree_add_uint(trusted_key_tree, hf->hf.hs_ext_trusted_ca_key_type, tvb,
10575 offset, 1, identifier_type);
10576 offset++;
10577
10578 /*
10579 * enum {
10580 * pre_agreed(0), key_sha1_hash(1), x509_name(2),
10581 * cert_sha1_hash(3), (255)
10582 * } IdentifierType;
10583 */
10584 switch (identifier_type)
10585 {
10586 case 0:
10587 key_len = 0;
10588 break;
10589 case 2:
10590 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true1, pinfo);
10591
10592 uint32_t name_length;
10593 /* opaque DistinguishedName<1..2^16-1> */
10594 if (!ssl_add_vector(hf, tvb, pinfo, trusted_key_tree, offset, next_offset, &name_length,
10595 hf->hf.hs_ext_trusted_ca_key_dname_len, 1, UINT16_MAX(65535))) {
10596 return next_offset;
10597 }
10598 offset += 2;
10599
10600 dissect_x509if_DistinguishedName(false0, tvb, offset, &asn1_ctx,
10601 trusted_key_tree, hf->hf.hs_ext_trusted_ca_key_dname);
10602 offset += name_length;
10603 break;
10604 case 1:
10605 case 3:
10606 key_len = 20;
10607 /* opaque SHA1Hash[20]; */
10608 proto_tree_add_item(trusted_key_tree, hf->hf.hs_ext_trusted_ca_key_hash, tvb,
10609 offset, 20, ENC_NA0x00000000);
10610 break;
10611
10612 default:
10613 key_len = 0;
10614 /*TODO display expert info about unknown ? */
10615 break;
10616 }
10617 proto_item_set_len(trusted_key_item, 1 + key_len);
10618 offset += key_len;
10619 }
10620 }
10621
10622 if (!ssl_end_vector(hf, tvb, pinfo, tree, offset, next_offset))
10623 {
10624 offset = next_offset;
10625 }
10626
10627 return offset;
10628} /* }}} */
10629
10630
10631/* Whether the Content and Handshake Types are valid; handle Protocol Version. {{{ */
10632bool_Bool
10633ssl_is_valid_content_type(uint8_t type)
10634{
10635 switch ((ContentType) type) {
10636 case SSL_ID_CHG_CIPHER_SPEC:
10637 case SSL_ID_ALERT:
10638 case SSL_ID_HANDSHAKE:
10639 case SSL_ID_APP_DATA:
10640 case SSL_ID_HEARTBEAT:
10641 case SSL_ID_TLS12_CID:
10642 case SSL_ID_DTLS13_ACK:
10643 return true1;
10644 }
10645 return false0;
10646}
10647
10648bool_Bool
10649ssl_is_valid_handshake_type(uint8_t hs_type, bool_Bool is_dtls)
10650{
10651 switch ((HandshakeType) hs_type) {
10652 case SSL_HND_HELLO_VERIFY_REQUEST:
10653 /* hello_verify_request is DTLS-only */
10654 return is_dtls;
10655
10656 case SSL_HND_HELLO_REQUEST:
10657 case SSL_HND_CLIENT_HELLO:
10658 case SSL_HND_SERVER_HELLO:
10659 case SSL_HND_NEWSESSION_TICKET:
10660 case SSL_HND_END_OF_EARLY_DATA:
10661 case SSL_HND_HELLO_RETRY_REQUEST:
10662 case SSL_HND_ENCRYPTED_EXTENSIONS:
10663 case SSL_HND_CERTIFICATE:
10664 case SSL_HND_SERVER_KEY_EXCHG:
10665 case SSL_HND_CERT_REQUEST:
10666 case SSL_HND_SVR_HELLO_DONE:
10667 case SSL_HND_CERT_VERIFY:
10668 case SSL_HND_CLIENT_KEY_EXCHG:
10669 case SSL_HND_FINISHED:
10670 case SSL_HND_CERT_URL:
10671 case SSL_HND_CERT_STATUS:
10672 case SSL_HND_SUPPLEMENTAL_DATA:
10673 case SSL_HND_KEY_UPDATE:
10674 case SSL_HND_COMPRESSED_CERTIFICATE:
10675 case SSL_HND_ENCRYPTED_EXTS:
10676 return true1;
10677 case SSL_HND_MESSAGE_HASH:
10678 return false0;
10679 }
10680 return false0;
10681}
10682
10683static bool_Bool
10684ssl_is_authoritative_version_message(uint8_t content_type, uint8_t handshake_type,
10685 bool_Bool is_dtls)
10686{
10687 /* Consider all valid Handshake messages (except for Client Hello) and
10688 * all other valid record types (other than Handshake) */
10689 return (content_type == SSL_ID_HANDSHAKE &&
10690 ssl_is_valid_handshake_type(handshake_type, is_dtls) &&
10691 handshake_type != SSL_HND_CLIENT_HELLO) ||
10692 (content_type != SSL_ID_HANDSHAKE &&
10693 ssl_is_valid_content_type(content_type));
10694}
10695
10696/**
10697 * Scan a Server Hello handshake message for the negotiated version. For TLS 1.3
10698 * draft 22 and newer, it also checks whether it is a HelloRetryRequest.
10699 * Returns true if the supported_versions extension was found, false if not.
10700 */
10701bool_Bool
10702tls_scan_server_hello(tvbuff_t *tvb, uint32_t offset, uint32_t offset_end,
10703 uint16_t *server_version, bool_Bool *is_hrr)
10704{
10705 /* SHA256("HelloRetryRequest") */
10706 static const uint8_t tls13_hrr_random_magic[] = {
10707 0xcf, 0x21, 0xad, 0x74, 0xe5, 0x9a, 0x61, 0x11, 0xbe, 0x1d, 0x8c, 0x02, 0x1e, 0x65, 0xb8, 0x91,
10708 0xc2, 0xa2, 0x11, 0x16, 0x7a, 0xbb, 0x8c, 0x5e, 0x07, 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c
10709 };
10710 uint8_t session_id_length;
10711
10712 *server_version = tvb_get_ntohs(tvb, offset);
10713
10714 /*
10715 * Try to look for supported_versions extension. Minimum length:
10716 * 2 + 32 + 1 = 35 (version, random, session id length)
10717 * 2 + 1 + 2 = 5 (cipher suite, compression method, extensions length)
10718 * 2 + 2 + 2 = 6 (ext type, ext len, version)
10719 *
10720 * We only check for the [legacy_]version field to be [D]TLS 1.2; if it's 1.3,
10721 * there's a separate expert info warning for that.
10722 */
10723 if ((*server_version == TLSV1DOT2_VERSION0x303 || *server_version == DTLSV1DOT2_VERSION0xfefd) && offset_end - offset >= 46) {
10724 offset += 2;
10725 if (is_hrr) {
10726 *is_hrr = tvb_memeql(tvb, offset, tls13_hrr_random_magic, sizeof(tls13_hrr_random_magic)) == 0;
10727 }
10728 offset += 32;
10729 session_id_length = tvb_get_uint8(tvb, offset);
10730 offset++;
10731 if (offset_end - offset < session_id_length + 5u) {
10732 return false0;
10733 }
10734 offset += session_id_length + 5;
10735
10736 while (offset_end - offset >= 6) {
10737 uint16_t ext_type = tvb_get_ntohs(tvb, offset);
10738 uint16_t ext_len = tvb_get_ntohs(tvb, offset + 2);
10739 if (offset_end - offset < 4u + ext_len) {
10740 break; /* not enough data for type, length and data */
10741 }
10742 if (ext_type == SSL_HND_HELLO_EXT_SUPPORTED_VERSIONS43) {
10743 if (ext_len == 2) {
10744 *server_version = tvb_get_ntohs(tvb, offset + 4);
10745 }
10746 return true1;
10747 }
10748 offset += 4 + ext_len;
10749 }
10750 } else {
10751 if (is_hrr) {
10752 *is_hrr = false0;
10753 }
10754 }
10755 return false0;
10756}
10757
10758/**
10759 * Scan a Client Hello handshake message to see if the supported_versions
10760 * extension is found, in which case the version field is legacy_version.
10761 */
10762static bool_Bool
10763tls_scan_client_hello(tvbuff_t *tvb, uint32_t offset, uint32_t offset_end)
10764{
10765 uint8_t session_id_length;
10766
10767 uint16_t client_version = tvb_get_ntohs(tvb, offset);
10768
10769 /*
10770 * Try to look for supported_versions extension. Minimum length:
10771 * 2 + 32 + 1 = 35 (version, random, session id length)
10772 * 2 + 2 + 1 + 2 = 5 (cipher suite, compression method, extensions length)
10773 * 2 + 2 + 2 = 6 (ext type, ext len, version)
10774 *
10775 * We only check for the [legacy_]version field to be [D]TLS 1.2; if it's 1.3,
10776 * there's a separate expert info warning for that.
10777 */
10778 if ((client_version == TLSV1DOT2_VERSION0x303 || client_version == DTLSV1DOT2_VERSION0xfefd) && offset_end - offset >= 46) {
10779 offset += 2;
10780 offset += 32;
10781 session_id_length = tvb_get_uint8(tvb, offset);
10782 offset++;
10783 if (offset_end - offset < session_id_length + 2u) {
10784 return false0;
10785 }
10786 offset += session_id_length;
10787 if (client_version == DTLSV1DOT2_VERSION0xfefd) {
10788 uint8_t cookie_length = tvb_get_uint8(tvb, offset);
10789 offset++;
10790 if (offset_end - offset < cookie_length + 2u) {
10791 return false0;
10792 }
10793 }
10794 uint16_t cipher_suites_length = tvb_get_ntohs(tvb, offset);
10795 offset += 2;
10796 if (offset_end - offset < cipher_suites_length + 1u) {
10797 return false0;
10798 }
10799 offset += cipher_suites_length;
10800 uint8_t compression_methods_length = tvb_get_uint8(tvb, offset);
10801 offset++;
10802 if (offset_end - offset < compression_methods_length + 2u) {
10803 return false0;
10804 }
10805 offset += compression_methods_length + 2;
10806
10807 while (offset_end - offset >= 6) {
10808 uint16_t ext_type = tvb_get_ntohs(tvb, offset);
10809 uint16_t ext_len = tvb_get_ntohs(tvb, offset + 2);
10810 if (offset_end - offset < 4u + ext_len) {
10811 break; /* not enough data for type, length and data */
10812 }
10813 if (ext_type == SSL_HND_HELLO_EXT_SUPPORTED_VERSIONS43) {
10814 return true1;
10815 }
10816 offset += 4 + ext_len;
10817 }
10818 }
10819 return false0;
10820}
10821void
10822ssl_try_set_version(SslSession *session, SslDecryptSession *ssl,
10823 uint8_t content_type, uint8_t handshake_type,
10824 bool_Bool is_dtls, uint16_t version)
10825{
10826 uint8_t tls13_draft = 0;
10827
10828 if (!ssl_is_authoritative_version_message(content_type, handshake_type,
10829 is_dtls))
10830 return;
10831
10832 version = tls_try_get_version(is_dtls, version, &tls13_draft);
10833 if (version == SSL_VER_UNKNOWN0) {
10834 return;
10835 }
10836
10837 session->tls13_draft_version = tls13_draft;
10838 session->version = version;
10839 if (ssl) {
10840 ssl->state |= SSL_VERSION(1<<4);
10841 ssl_debug_printf("%s found version 0x%04X -> state 0x%02X\n", G_STRFUNC((const char*) (__func__)), version, ssl->state);
10842 }
10843}
10844
10845void
10846ssl_check_record_length(ssl_common_dissect_t *hf, packet_info *pinfo,
10847 ContentType content_type,
10848 unsigned record_length, proto_item *length_pi,
10849 uint16_t version, tvbuff_t *decrypted_tvb)
10850{
10851 unsigned max_expansion;
10852 if (version == TLSV1DOT3_VERSION0x304) {
10853 /* TLS 1.3: Max length is 2^14 + 256 */
10854 max_expansion = 256;
10855 } else {
10856 /* RFC 5246, Section 6.2.3: TLSCiphertext.fragment length MUST NOT exceed 2^14 + 2048 */
10857 max_expansion = 2048;
10858 }
10859 /*
10860 * RFC 5246 (TLS 1.2), Section 6.2.1 forbids zero-length Handshake, Alert
10861 * and ChangeCipherSpec.
10862 * RFC 6520 (Heartbeats) does not mention zero-length Heartbeat fragments,
10863 * so assume it is permitted.
10864 * RFC 6347 (DTLS 1.2) does not mention zero-length fragments either, so
10865 * assume TLS 1.2 requirements.
10866 */
10867 if (record_length == 0 &&
10868 (content_type == SSL_ID_CHG_CIPHER_SPEC ||
10869 content_type == SSL_ID_ALERT ||
10870 content_type == SSL_ID_HANDSHAKE)) {
10871 expert_add_info_format(pinfo, length_pi, &hf->ei.record_length_invalid,
10872 "Zero-length %s fragments are not allowed",
10873 val_to_str_const(content_type, ssl_31_content_type, "unknown"));
10874 }
10875 if (record_length > TLS_MAX_RECORD_LENGTH0x4000 + max_expansion) {
10876 expert_add_info_format(pinfo, length_pi, &hf->ei.record_length_invalid,
10877 "TLSCiphertext length MUST NOT exceed 2^14 + %u", max_expansion);
10878 }
10879 if (decrypted_tvb && tvb_captured_length(decrypted_tvb) > TLS_MAX_RECORD_LENGTH0x4000) {
10880 expert_add_info_format(pinfo, length_pi, &hf->ei.record_length_invalid,
10881 "TLSPlaintext length MUST NOT exceed 2^14");
10882 }
10883}
10884
10885static void
10886ssl_set_cipher(SslDecryptSession *ssl, uint16_t cipher)
10887{
10888 /* store selected cipher suite for decryption */
10889 ssl->session.cipher = cipher;
10890
10891 const SslCipherSuite *cs = ssl_find_cipher(cipher);
10892 if (!cs) {
10893 ssl->cipher_suite = NULL((void*)0);
10894 ssl->state &= ~SSL_CIPHER(1<<2);
10895 ssl_debug_printf("%s can't find cipher suite 0x%04X\n", G_STRFUNC((const char*) (__func__)), cipher);
10896 } else if (ssl->session.version == SSLV3_VERSION0x300 && !(cs->dig == DIG_MD50x40 || cs->dig == DIG_SHA0x41)) {
10897 /* A malicious packet capture contains a SSL 3.0 session using a TLS 1.2
10898 * cipher suite that uses for example MACAlgorithm SHA256. Reject that
10899 * to avoid a potential buffer overflow in ssl3_check_mac. */
10900 ssl->cipher_suite = NULL((void*)0);
10901 ssl->state &= ~SSL_CIPHER(1<<2);
10902 ssl_debug_printf("%s invalid SSL 3.0 cipher suite 0x%04X\n", G_STRFUNC((const char*) (__func__)), cipher);
10903 } else {
10904 /* Cipher found, save this for the delayed decoder init */
10905 ssl->cipher_suite = cs;
10906 ssl->state |= SSL_CIPHER(1<<2);
10907 ssl_debug_printf("%s found CIPHER 0x%04X %s -> state 0x%02X\n", G_STRFUNC((const char*) (__func__)), cipher,
10908 val_to_str_ext_const(cipher, &ssl_31_ciphersuite_ext, "unknown"),
10909 ssl->state);
10910 }
10911}
10912/* }}} */
10913
10914
10915/* Client Hello and Server Hello dissections. {{{ */
10916static int
10917ssl_dissect_hnd_extension(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree,
10918 packet_info* pinfo, uint32_t offset, uint32_t offset_end, uint8_t hnd_type,
10919 SslSession *session, SslDecryptSession *ssl,
10920 bool_Bool is_dtls, wmem_strbuf_t *ja3, ja4_data_t *ja4_data,
10921 ssl_master_key_map_t *mk_map);
10922int
10923// NOLINTNEXTLINE(misc-no-recursion)
10924ssl_dissect_hnd_cli_hello(ssl_common_dissect_t *hf, tvbuff_t *tvb,
10925 packet_info *pinfo, proto_tree *tree, uint32_t offset,
10926 uint32_t offset_end, SslSession *session,
10927 SslDecryptSession *ssl, dtls_hfs_t *dtls_hfs, ssl_master_key_map_t *mk_map)
10928{
10929 /* struct {
10930 * ProtocolVersion client_version;
10931 * Random random;
10932 * SessionID session_id;
10933 * opaque cookie<0..32>; //new field for DTLS
10934 * CipherSuite cipher_suites<2..2^16-1>;
10935 * CompressionMethod compression_methods<1..2^8-1>;
10936 * Extension client_hello_extension_list<0..2^16-1>;
10937 * } ClientHello;
10938 */
10939 proto_item *ti;
10940 proto_tree *cs_tree;
10941 uint32_t client_version;
10942 uint32_t cipher_suite_length;
10943 uint32_t compression_methods_length;
10944 uint8_t compression_method;
10945 uint32_t next_offset;
10946 uint32_t initial_offset = offset;
10947 wmem_strbuf_t *ja3 = wmem_strbuf_new(pinfo->pool, "");
10948 char *ja3_hash;
10949 char *ja3_dash = "";
10950 char *ja4, *ja4_r, *ja4_hash, *ja4_b, *ja4_c;
10951 ja4_data_t ja4_data;
10952 wmem_strbuf_t *ja4_a = wmem_strbuf_new(pinfo->pool, "");
10953 wmem_strbuf_t *ja4_br = wmem_strbuf_new(pinfo->pool, "");
10954 wmem_strbuf_t *ja4_cr = wmem_strbuf_new(pinfo->pool, "");
10955 wmem_list_frame_t *curr_entry;
10956
10957 DISSECTOR_ASSERT_CMPINT(initial_offset, <=, offset_end)((void) ((initial_offset <= offset_end) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion " "initial_offset" " " "<=" " " "offset_end"
" (" "%" "l" "d" " " "<=" " " "%" "l" "d" ")", "epan/dissectors/packet-tls-utils.c"
, 10957, (int64_t)initial_offset, (int64_t)offset_end))))
;
10958 tvbuff_t *hello_tvb = tvb_new_subset_length(tvb, initial_offset, offset_end - initial_offset);
10959 offset = 0;
10960 offset_end = tvb_reported_length(hello_tvb);
10961
10962 ja4_data.max_version = 0;
10963 ja4_data.server_name_present = false0;
10964 ja4_data.num_cipher_suites = 0;
10965 ja4_data.num_extensions = 0;
10966 ja4_data.alpn = wmem_strbuf_new(pinfo->pool, "");
10967 ja4_data.cipher_list = wmem_list_new(pinfo->pool);
10968 ja4_data.extension_list = wmem_list_new(pinfo->pool);
10969 ja4_data.sighash_list = wmem_list_new(pinfo->pool);
10970
10971 /* show the client version */
10972 ti = proto_tree_add_item_ret_uint(tree, hf->hf.hs_client_version, hello_tvb,
10973 offset, 2, ENC_BIG_ENDIAN0x00000000,
10974 &client_version);
10975 if (tls_scan_client_hello(hello_tvb, offset, offset_end)) {
10976 expert_add_info(pinfo, ti, &hf->ei.legacy_version);
10977 }
10978 offset += 2;
10979 wmem_strbuf_append_printf(ja3, "%i,", client_version);
10980
10981 /*
10982 * Is it version 1.3?
10983 * If so, that's an error; TLS and DTLS 1.3 Client Hellos claim
10984 * to be TLS 1.2, and mention 1.3 in an extension. See RFC 8446
10985 * section 4.1.2 "Client Hello" and RFC 9147 Section 5.3 "Client
10986 * Hello".
10987 */
10988 if (dtls_hfs != NULL((void*)0)) {
10989 if (client_version == DTLSV1DOT3_VERSION0xfefc) {
10990 /* Don't do that. */
10991 expert_add_info(pinfo, ti, &hf->ei.client_version_error);
10992 }
10993 } else {
10994 if (client_version == TLSV1DOT3_VERSION0x304) {
10995 /* Don't do that. */
10996 expert_add_info(pinfo, ti, &hf->ei.client_version_error);
10997 }
10998 }
10999
11000 /* dissect fields that are present in both ClientHello and ServerHello */
11001 offset = ssl_dissect_hnd_hello_common(hf, hello_tvb, pinfo, tree, offset, session, ssl, false0, false0);
11002
11003 /* fields specific for DTLS (cookie_len, cookie) */
11004 if (dtls_hfs != NULL((void*)0)) {
11005 uint32_t cookie_length;
11006 /* opaque cookie<0..32> (for DTLS only) */
11007 if (!ssl_add_vector(hf, hello_tvb, pinfo, tree, offset, offset_end, &cookie_length,
11008 dtls_hfs->hf_dtls_handshake_cookie_len, 0, 32)) {
11009 return offset;
11010 }
11011 offset++;
11012 if (cookie_length > 0) {
11013 proto_tree_add_item(tree, dtls_hfs->hf_dtls_handshake_cookie,
11014 hello_tvb, offset, cookie_length, ENC_NA0x00000000);
11015 offset += cookie_length;
11016 }
11017 }
11018
11019 /* CipherSuite cipher_suites<2..2^16-1> */
11020 if (!ssl_add_vector(hf, hello_tvb, pinfo, tree, offset, offset_end, &cipher_suite_length,
11021 hf->hf.hs_cipher_suites_len, 2, UINT16_MAX(65535))) {
11022 return offset;
11023 }
11024 offset += 2;
11025 next_offset = offset + cipher_suite_length;
11026 ti = proto_tree_add_none_format(tree,
11027 hf->hf.hs_cipher_suites,
11028 hello_tvb, offset, cipher_suite_length,
11029 "Cipher Suites (%d suite%s)",
11030 cipher_suite_length / 2,
11031 plurality(cipher_suite_length/2, "", "s")((cipher_suite_length/2) == 1 ? ("") : ("s")));
11032 cs_tree = proto_item_add_subtree(ti, hf->ett.cipher_suites);
11033 while (offset + 2 <= next_offset) {
11034 uint32_t cipher_suite;
11035
11036 proto_tree_add_item_ret_uint(cs_tree, hf->hf.hs_cipher_suite, hello_tvb, offset, 2,
11037 ENC_BIG_ENDIAN0x00000000, &cipher_suite);
11038 offset += 2;
11039 if (!IS_GREASE_TLS(cipher_suite)((((cipher_suite) & 0x0f0f) == 0x0a0a) && (((cipher_suite
) & 0xff) == (((cipher_suite)>>8) & 0xff)))
) {
11040 wmem_strbuf_append_printf(ja3, "%s%i",ja3_dash, cipher_suite);
11041 ja3_dash = "-";
11042 ja4_data.num_cipher_suites += 1;
11043 wmem_list_insert_sorted(ja4_data.cipher_list, GUINT_TO_POINTER(cipher_suite)((gpointer) (gulong) (cipher_suite)), wmem_compare_uint);
11044 }
11045 }
11046 wmem_strbuf_append_c(ja3, ',');
11047 if (!ssl_end_vector(hf, hello_tvb, pinfo, cs_tree, offset, next_offset)) {
11048 offset = next_offset;
11049 }
11050
11051 /* CompressionMethod compression_methods<1..2^8-1> */
11052 if (!ssl_add_vector(hf, hello_tvb, pinfo, tree, offset, offset_end, &compression_methods_length,
11053 hf->hf.hs_comp_methods_len, 1, UINT8_MAX(255))) {
11054 return offset;
11055 }
11056 offset++;
11057 next_offset = offset + compression_methods_length;
11058 ti = proto_tree_add_none_format(tree,
11059 hf->hf.hs_comp_methods,
11060 hello_tvb, offset, compression_methods_length,
11061 "Compression Methods (%u method%s)",
11062 compression_methods_length,
11063 plurality(compression_methods_length,((compression_methods_length) == 1 ? ("") : ("s"))
11064 "", "s")((compression_methods_length) == 1 ? ("") : ("s")));
11065 cs_tree = proto_item_add_subtree(ti, hf->ett.comp_methods);
11066 while (offset < next_offset) {
11067 compression_method = tvb_get_uint8(hello_tvb, offset);
11068 /* TODO: make reserved/private comp meth. fields selectable */
11069 if (compression_method < 64)
11070 proto_tree_add_uint(cs_tree, hf->hf.hs_comp_method,
11071 hello_tvb, offset, 1, compression_method);
11072 else if (compression_method < 193)
11073 proto_tree_add_uint_format_value(cs_tree, hf->hf.hs_comp_method, hello_tvb, offset, 1,
11074 compression_method, "Reserved - to be assigned by IANA (%u)",
11075 compression_method);
11076 else
11077 proto_tree_add_uint_format_value(cs_tree, hf->hf.hs_comp_method, hello_tvb, offset, 1,
11078 compression_method, "Private use range (%u)",
11079 compression_method);
11080 offset++;
11081 }
11082
11083 /* SSL v3.0 has no extensions, so length field can indeed be missing. */
11084 if (offset < offset_end) {
11085 offset = ssl_dissect_hnd_extension(hf, hello_tvb, tree, pinfo, offset,
11086 offset_end, SSL_HND_CLIENT_HELLO,
11087 session, ssl, dtls_hfs != NULL((void*)0), ja3, &ja4_data, mk_map);
11088 if (ja4_data.max_version > 0) {
11089 client_version = ja4_data.max_version;
11090 }
11091 } else {
11092 wmem_strbuf_append_printf(ja3, ",,");
11093 }
11094
11095 if (proto_is_frame_protocol(pinfo->layers,"tcp")) {
11096 wmem_strbuf_append(ja4_a, "t");
11097 } else if (proto_is_frame_protocol(pinfo->layers,"quic")) {
11098 wmem_strbuf_append(ja4_a, "q");
11099 } else if (proto_is_frame_protocol(pinfo->layers,"dtls")) {
11100 wmem_strbuf_append(ja4_a, "d");
11101 }
11102 wmem_strbuf_append_printf(ja4_a, "%s", val_to_str_const(client_version, ssl_version_ja4_names, "00"));
11103 wmem_strbuf_append_printf(ja4_a, "%s", ja4_data.server_name_present ? "d" : "i");
11104 if (ja4_data.num_cipher_suites > 99) {
11105 wmem_strbuf_append(ja4_a, "99");
11106 } else {
11107 wmem_strbuf_append_printf(ja4_a, "%02d", ja4_data.num_cipher_suites);
11108 }
11109 if (ja4_data.num_extensions > 99) {
11110 wmem_strbuf_append(ja4_a, "99");
11111 } else {
11112 wmem_strbuf_append_printf(ja4_a, "%02d", ja4_data.num_extensions);
11113 }
11114 if (wmem_strbuf_get_len(ja4_data.alpn) > 0 ) {
11115 wmem_strbuf_append_printf(ja4_a, "%s", wmem_strbuf_get_str(ja4_data.alpn));
11116 } else {
11117 wmem_strbuf_append(ja4_a, "00");
11118 }
11119
11120 curr_entry = wmem_list_head(ja4_data.cipher_list);
11121 for (unsigned i = 0; i < wmem_list_count(ja4_data.cipher_list); i++) {
11122 wmem_strbuf_append_printf(ja4_br, "%04x", GPOINTER_TO_UINT(wmem_list_frame_data(curr_entry))((guint) (gulong) (wmem_list_frame_data(curr_entry))));
11123 if (i < wmem_list_count(ja4_data.cipher_list) - 1) {
11124 wmem_strbuf_append(ja4_br, ",");
11125 }
11126 curr_entry = wmem_list_frame_next(curr_entry);
11127 }
11128
11129 curr_entry = wmem_list_head(ja4_data.extension_list);
11130 for (unsigned i = 0; i < wmem_list_count(ja4_data.extension_list); i++) {
11131 wmem_strbuf_append_printf(ja4_cr, "%04x", GPOINTER_TO_UINT(wmem_list_frame_data(curr_entry))((guint) (gulong) (wmem_list_frame_data(curr_entry))));
11132 if (i < wmem_list_count(ja4_data.extension_list) - 1) {
11133 wmem_strbuf_append(ja4_cr, ",");
11134 }
11135 curr_entry = wmem_list_frame_next(curr_entry);
11136 }
11137
11138 if (wmem_list_count(ja4_data.sighash_list) > 0) {
11139 wmem_strbuf_append(ja4_cr, "_");
11140 curr_entry = wmem_list_head(ja4_data.sighash_list);
11141 for (unsigned i = 0; i < wmem_list_count(ja4_data.sighash_list); i++) {
11142 wmem_strbuf_append_printf(ja4_cr, "%04x", GPOINTER_TO_UINT(wmem_list_frame_data(curr_entry))((guint) (gulong) (wmem_list_frame_data(curr_entry))));
11143 if (i < wmem_list_count(ja4_data.sighash_list) - 1) {
11144 wmem_strbuf_append(ja4_cr, ",");
11145 }
11146 curr_entry = wmem_list_frame_next(curr_entry);
11147 }
11148 }
11149 if ( wmem_strbuf_get_len(ja4_br) == 0 ) {
11150 ja4_hash = g_strdup("000000000000")g_strdup_inline ("000000000000");
11151 } else {
11152 ja4_hash = g_compute_checksum_for_string(G_CHECKSUM_SHA256, wmem_strbuf_get_str(ja4_br),-1);
11153 }
11154 ja4_b = wmem_strndup(pinfo->pool, ja4_hash, 12);
11155
11156 g_free(ja4_hash)(__builtin_object_size ((ja4_hash), 0) != ((size_t) - 1)) ? g_free_sized
(ja4_hash, __builtin_object_size ((ja4_hash), 0)) : (g_free)
(ja4_hash)
;
11157 if ( wmem_strbuf_get_len(ja4_cr) == 0 ) {
11158 ja4_hash = g_strdup("000000000000")g_strdup_inline ("000000000000");
11159 } else {
11160 ja4_hash = g_compute_checksum_for_string(G_CHECKSUM_SHA256, wmem_strbuf_get_str(ja4_cr),-1);
11161 }
11162 ja4_c = wmem_strndup(pinfo->pool, ja4_hash, 12);
11163 g_free(ja4_hash)(__builtin_object_size ((ja4_hash), 0) != ((size_t) - 1)) ? g_free_sized
(ja4_hash, __builtin_object_size ((ja4_hash), 0)) : (g_free)
(ja4_hash)
;
11164
11165 ja4 = wmem_strdup_printf(pinfo->pool, "%s_%s_%s", wmem_strbuf_get_str(ja4_a), ja4_b, ja4_c);
11166 ja4_r = wmem_strdup_printf(pinfo->pool, "%s_%s_%s", wmem_strbuf_get_str(ja4_a), wmem_strbuf_get_str(ja4_br), wmem_strbuf_get_str(ja4_cr));
11167
11168 ti = proto_tree_add_string(tree, hf->hf.hs_ja4, hello_tvb, offset, 0, ja4);
11169 proto_item_set_generated(ti);
11170 ti = proto_tree_add_string(tree, hf->hf.hs_ja4_r, hello_tvb, offset, 0, ja4_r);
11171 proto_item_set_generated(ti);
11172
11173 ja3_hash = g_compute_checksum_for_string(G_CHECKSUM_MD5, wmem_strbuf_get_str(ja3),
11174 wmem_strbuf_get_len(ja3));
11175 ti = proto_tree_add_string(tree, hf->hf.hs_ja3_full, hello_tvb, offset, 0, wmem_strbuf_get_str(ja3));
11176 proto_item_set_generated(ti);
11177 ti = proto_tree_add_string(tree, hf->hf.hs_ja3_hash, hello_tvb, offset, 0, ja3_hash);
11178 proto_item_set_generated(ti);
11179 g_free(ja3_hash)(__builtin_object_size ((ja3_hash), 0) != ((size_t) - 1)) ? g_free_sized
(ja3_hash, __builtin_object_size ((ja3_hash), 0)) : (g_free)
(ja3_hash)
;
11180 return initial_offset + offset;
11181}
11182
11183void
11184ssl_dissect_hnd_srv_hello(ssl_common_dissect_t *hf, tvbuff_t *tvb,
11185 packet_info* pinfo, proto_tree *tree, uint32_t offset, uint32_t offset_end,
11186 SslSession *session, SslDecryptSession *ssl,
11187 bool_Bool is_dtls, bool_Bool is_hrr)
11188{
11189 /* struct {
11190 * ProtocolVersion server_version;
11191 * Random random;
11192 * SessionID session_id; // TLS 1.2 and before
11193 * CipherSuite cipher_suite;
11194 * CompressionMethod compression_method; // TLS 1.2 and before
11195 * Extension server_hello_extension_list<0..2^16-1>;
11196 * } ServerHello;
11197 */
11198 uint8_t draft_version = session->tls13_draft_version;
11199 proto_item *ti;
11200 uint32_t server_version;
11201 uint32_t cipher_suite;
11202 uint32_t initial_offset = offset;
11203 wmem_strbuf_t *ja3 = wmem_strbuf_new(pinfo->pool, "");
11204 char *ja3_hash;
11205
11206 col_set_str(pinfo->cinfo, COL_PROTOCOL,
11207 val_to_str_const(session->version, ssl_version_short_names, "SSL"));
11208
11209 /* Initially assume that the session is resumed. If this is not the case, a
11210 * ServerHelloDone will be observed before the ChangeCipherSpec message
11211 * which will reset this flag. */
11212 session->is_session_resumed = true1;
11213
11214 /* show the server version */
11215 ti = proto_tree_add_item_ret_uint(tree, hf->hf.hs_server_version, tvb,
11216 offset, 2, ENC_BIG_ENDIAN0x00000000, &server_version);
11217
11218 uint16_t supported_server_version;
11219 if (tls_scan_server_hello(tvb, offset, offset_end, &supported_server_version, NULL((void*)0))) {
11220 expert_add_info(pinfo, ti, &hf->ei.legacy_version);
11221 }
11222 /*
11223 * Is it version 1.3?
11224 * If so, that's an error; TLS and DTLS 1.3 Server Hellos claim
11225 * to be TLS 1.2, and mention 1.3 in an extension. See RFC 8446
11226 * section 4.1.3 "Server Hello" and RFC 9147 Section 5.4 "Server
11227 * Hello".
11228 */
11229 if (is_dtls) {
11230 if (server_version == DTLSV1DOT3_VERSION0xfefc) {
11231 /* Don't do that. */
11232 expert_add_info(pinfo, ti, &hf->ei.server_version_error);
11233 }
11234 } else {
11235 if (server_version == TLSV1DOT3_VERSION0x304) {
11236 /* Don't do that. */
11237 expert_add_info(pinfo, ti, &hf->ei.server_version_error);
11238 }
11239 }
11240
11241 offset += 2;
11242 wmem_strbuf_append_printf(ja3, "%i", server_version);
11243
11244 /* dissect fields that are present in both ClientHello and ServerHello */
11245 offset = ssl_dissect_hnd_hello_common(hf, tvb, pinfo, tree, offset, session, ssl, true1, is_hrr);
11246
11247 if (ssl) {
11248 /* store selected cipher suite for decryption */
11249 ssl_set_cipher(ssl, tvb_get_ntohs(tvb, offset));
11250 }
11251
11252 /* now the server-selected cipher suite */
11253 proto_tree_add_item_ret_uint(tree, hf->hf.hs_cipher_suite,
11254 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &cipher_suite);
11255 offset += 2;
11256 wmem_strbuf_append_printf(ja3, ",%i,", cipher_suite);
11257
11258 /* No compression with TLS 1.3 before draft -22 */
11259 if (!(session->version == TLSV1DOT3_VERSION0x304 && draft_version > 0 && draft_version < 22)) {
11260 if (ssl) {
11261 /* store selected compression method for decryption */
11262 ssl->session.compression = tvb_get_uint8(tvb, offset);
11263 }
11264 /* and the server-selected compression method */
11265 proto_tree_add_item(tree, hf->hf.hs_comp_method,
11266 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
11267 offset++;
11268 }
11269
11270 /* SSL v3.0 has no extensions, so length field can indeed be missing. */
11271 if (offset < offset_end) {
11272 offset = ssl_dissect_hnd_extension(hf, tvb, tree, pinfo, offset,
11273 offset_end,
11274 is_hrr ? SSL_HND_HELLO_RETRY_REQUEST : SSL_HND_SERVER_HELLO,
11275 session, ssl, is_dtls, ja3, NULL((void*)0), NULL((void*)0));
11276 }
11277
11278 if (ssl && ssl->ech_transcript.data_len > 0 && (ssl->state & SSL_CIPHER(1<<2)) && ssl->client_random.data_len > 0) {
11279 /* RFC 9849 7.2 Backend Server */
11280 int hash_algo = ssl_get_digest_by_name(ssl_cipher_suite_dig(ssl->cipher_suite)->name);
11281 SSL_MDgcry_md_hd_t mc;
11282 if (hash_algo && ssl_md_init(&mc, hash_algo) == 0) {
11283 unsigned char transcript_hash[DIGEST_MAX_SIZE48];
11284 unsigned char prk[DIGEST_MAX_SIZE48];
11285 unsigned char *ech_verify_out = NULL((void*)0);
11286 unsigned int len;
11287 ssl_md_update(&mc, ssl->ech_transcript.data, ssl->ech_transcript.data_len);
11288 if (is_hrr) {
11289 /* RFC 8446 4.4.1 The Transcript Hash
11290 * Special synthetic handshake following a HelloRetryRequest */
11291 ssl_md_final(&mc, transcript_hash, &len);
11292 wmem_free(wmem_file_scope(), ssl->ech_transcript.data);
11293 ssl->ech_transcript.data_len = 4 + len;
11294 ssl->ech_transcript.data = (unsigned char*)wmem_alloc(wmem_file_scope(), 4 + len + 4 + offset_end - initial_offset);
11295 ssl->ech_transcript.data[0] = SSL_HND_MESSAGE_HASH;
11296 ssl->ech_transcript.data[1] = 0;
11297 ssl->ech_transcript.data[2] = 0;
11298 ssl->ech_transcript.data[3] = len;
11299 memcpy(ssl->ech_transcript.data + 4, transcript_hash, len);
11300 ssl_md_reset(&mc);
11301 ssl_md_update(&mc, ssl->ech_transcript.data, 4 + len);
11302 } else {
11303 ssl->ech_transcript.data = wmem_realloc(wmem_file_scope(), ssl->ech_transcript.data,
11304 ssl->ech_transcript.data_len + 4 + offset_end - initial_offset);
11305 }
11306 if (initial_offset > 4) {
11307 tvb_memcpy(tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len, initial_offset - 4,
11308 4 + offset_end - initial_offset);
11309 if (is_hrr)
11310 ssl_md_update(&mc, tvb_get_ptr(tvb, initial_offset-4, 38), 38);
11311 else
11312 ssl_md_update(&mc, tvb_get_ptr(tvb, initial_offset-4, 30), 30);
11313 } else {
11314 uint8_t prefix[4] = {SSL_HND_SERVER_HELLO, 0x00, 0x00, 0x00};
11315 prefix[2] = ((offset - initial_offset) >> 8);
11316 prefix[3] = (offset - initial_offset) & 0xff;
11317 memcpy(ssl->ech_transcript.data + ssl->ech_transcript.data_len, prefix, 4);
11318 tvb_memcpy(tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len + 4, initial_offset,
11319 offset_end - initial_offset);
11320 ssl_md_update(&mc, prefix, 4);
11321 if (is_hrr)
11322 ssl_md_update(&mc, tvb_get_ptr(tvb, initial_offset, 34), 34);
11323 else
11324 ssl_md_update(&mc, tvb_get_ptr(tvb, initial_offset, 26), 26);
11325 }
11326 ssl->ech_transcript.data_len += 4 + offset_end - initial_offset;
11327 uint8_t zeros[8] = { 0 };
11328 uint32_t confirmation_offset = initial_offset + 26;
11329 if (is_hrr) {
11330 uint32_t hrr_offset = initial_offset + 34;
11331 ssl_md_update(&mc, tvb_get_ptr(tvb, hrr_offset,
11332 tvb_get_uint8(tvb, hrr_offset) + 1), tvb_get_uint8(tvb, hrr_offset) + 1);
11333 hrr_offset += tvb_get_uint8(tvb, hrr_offset) + 1;
11334 ssl_md_update(&mc, tvb_get_ptr(tvb, hrr_offset, 3), 3);
11335 hrr_offset += 3;
11336 uint32_t extensions_end = hrr_offset + tvb_get_ntohs(tvb, hrr_offset) + 2;
11337 ssl_md_update(&mc, tvb_get_ptr(tvb, hrr_offset, 2), 2);
11338 hrr_offset += 2;
11339 while (extensions_end - hrr_offset >= 4) {
11340 if (tvb_get_ntohs(tvb, hrr_offset) == SSL_HND_HELLO_EXT_ENCRYPTED_CLIENT_HELLO65037 &&
11341 tvb_get_ntohs(tvb, hrr_offset + 2) == 8) {
11342 confirmation_offset = hrr_offset + 4;
11343 ssl_md_update(&mc, tvb_get_ptr(tvb, hrr_offset, 4), 4);
11344 ssl_md_update(&mc, zeros, 8);
11345 hrr_offset += 12;
11346 } else {
11347 ssl_md_update(&mc, tvb_get_ptr(tvb, hrr_offset, tvb_get_ntohs(tvb, hrr_offset + 2) + 4),
11348 tvb_get_ntohs(tvb, hrr_offset + 2) + 4);
11349 hrr_offset += tvb_get_ntohs(tvb, hrr_offset + 2) + 4;
11350 }
11351 }
11352 } else {
11353 ssl_md_update(&mc, zeros, 8);
11354 ssl_md_update(&mc, tvb_get_ptr(tvb, initial_offset + 34, offset - initial_offset - 34),
11355 offset - initial_offset - 34);
11356 }
11357 ssl_md_final(&mc, transcript_hash, &len);
11358 ssl_md_cleanup(&mc);
11359 hkdf_extract(hash_algo, NULL((void*)0), 0, ssl->client_random.data, 32, prk);
11360 StringInfo prk_string = {prk, len};
11361 if (tls13_hkdf_expand_label_context(hash_algo, &prk_string, tls13_hkdf_label_prefix(ssl),
11362 is_hrr ? "hrr ech accept confirmation" : "ech accept confirmation",
11363 transcript_hash, len, 8, &ech_verify_out)) {
11364 memcpy(is_hrr ? ssl->session.hrr_ech_confirmation : ssl->session.ech_confirmation, ech_verify_out, 8);
11365 if (tvb_memeql(tvb, confirmation_offset, ech_verify_out, 8) == -1) {
11366 if (is_hrr) {
11367 ssl->session.hrr_ech_declined = true1;
11368 ssl->session.first_ch_ech_frame = 0;
11369 }
11370 memcpy(ssl->client_random.data, ssl->session.client_random.data, ssl->session.client_random.data_len);
11371 ssl_print_data("Updated Client Random", ssl->client_random.data, 32);
11372 }
11373 wmem_free(NULL((void*)0), ech_verify_out);
11374 }
11375 ssl->session.ech = true1;
11376 }
11377 }
11378
11379 ja3_hash = g_compute_checksum_for_string(G_CHECKSUM_MD5, wmem_strbuf_get_str(ja3),
11380 wmem_strbuf_get_len(ja3));
11381 ti = proto_tree_add_string(tree, hf->hf.hs_ja3s_full, tvb, offset, 0, wmem_strbuf_get_str(ja3));
11382 proto_item_set_generated(ti);
11383 ti = proto_tree_add_string(tree, hf->hf.hs_ja3s_hash, tvb, offset, 0, ja3_hash);
11384 proto_item_set_generated(ti);
11385 g_free(ja3_hash)(__builtin_object_size ((ja3_hash), 0) != ((size_t) - 1)) ? g_free_sized
(ja3_hash, __builtin_object_size ((ja3_hash), 0)) : (g_free)
(ja3_hash)
;
11386}
11387/* Client Hello and Server Hello dissections. }}} */
11388
11389/* New Session Ticket dissection. {{{ */
11390void
11391ssl_dissect_hnd_new_ses_ticket(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
11392 proto_tree *tree, uint32_t offset, uint32_t offset_end,
11393 SslSession *session, SslDecryptSession *ssl,
11394 bool_Bool is_dtls, GHashTable *session_hash)
11395{
11396 /* https://tools.ietf.org/html/rfc5077#section-3.3 (TLS >= 1.0):
11397 * struct {
11398 * uint32 ticket_lifetime_hint;
11399 * opaque ticket<0..2^16-1>;
11400 * } NewSessionTicket;
11401 *
11402 * RFC 8446 Section 4.6.1 (TLS 1.3):
11403 * struct {
11404 * uint32 ticket_lifetime;
11405 * uint32 ticket_age_add;
11406 * opaque ticket_nonce<0..255>; // new in draft -21, updated in -22
11407 * opaque ticket<1..2^16-1>;
11408 * Extension extensions<0..2^16-2>;
11409 * } NewSessionTicket;
11410 */
11411 proto_tree *subtree;
11412 proto_item *subitem;
11413 uint32_t ticket_len;
11414 bool_Bool is_tls13 = session->version == TLSV1DOT3_VERSION0x304 || session->version == DTLSV1DOT3_VERSION0xfefc;
11415 unsigned char draft_version = session->tls13_draft_version;
11416 uint32_t lifetime_hint;
11417
11418 subtree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
11419 hf->ett.session_ticket, NULL((void*)0),
11420 "TLS Session Ticket");
11421
11422 /* ticket lifetime hint */
11423 subitem = proto_tree_add_item_ret_uint(subtree, hf->hf.hs_session_ticket_lifetime_hint,
11424 tvb, offset, 4, ENC_BIG_ENDIAN0x00000000, &lifetime_hint);
11425 offset += 4;
11426
11427 if (lifetime_hint >= 60) {
11428 char *time_str = unsigned_time_secs_to_str(pinfo->pool, lifetime_hint);
11429 proto_item_append_text(subitem, " (%s)", time_str);
11430 }
11431
11432 if (is_tls13) {
11433
11434 /* for TLS 1.3: ticket_age_add */
11435 proto_tree_add_item(subtree, hf->hf.hs_session_ticket_age_add,
11436 tvb, offset, 4, ENC_BIG_ENDIAN0x00000000);
11437 offset += 4;
11438
11439 /* for TLS 1.3: ticket_nonce (coming with Draft 21)*/
11440 if (draft_version == 0 || draft_version >= 21) {
11441 uint32_t ticket_nonce_len;
11442
11443 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, offset_end, &ticket_nonce_len,
11444 hf->hf.hs_session_ticket_nonce_len, 0, 255)) {
11445 return;
11446 }
11447 offset++;
11448
11449 proto_tree_add_item(subtree, hf->hf.hs_session_ticket_nonce, tvb, offset, ticket_nonce_len, ENC_NA0x00000000);
11450 offset += ticket_nonce_len;
11451 }
11452
11453 }
11454
11455 /* opaque ticket<0..2^16-1> (with TLS 1.3 the minimum is 1) */
11456 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, offset_end, &ticket_len,
11457 hf->hf.hs_session_ticket_len, is_tls13 ? 1 : 0, UINT16_MAX(65535))) {
11458 return;
11459 }
11460 offset += 2;
11461
11462 /* Content depends on implementation, so just show data! */
11463 proto_tree_add_item(subtree, hf->hf.hs_session_ticket,
11464 tvb, offset, ticket_len, ENC_NA0x00000000);
11465 /* save the session ticket to cache for ssl_finalize_decryption */
11466 if (ssl && !is_tls13) {
11467 if (ssl->session.is_session_resumed) {
11468 /* NewSessionTicket is received in ServerHello before ChangeCipherSpec
11469 * (Abbreviated Handshake Using New Session Ticket).
11470 * Restore the master key for this session ticket before saving
11471 * it to the new session ticket. */
11472 ssl_restore_master_key(ssl, "Session Ticket", false0,
11473 session_hash, &ssl->session_ticket);
11474 }
11475 tvb_ensure_bytes_exist(tvb, offset, ticket_len);
11476 ssl->session_ticket.data = (unsigned char*)wmem_realloc(wmem_file_scope(),
11477 ssl->session_ticket.data, ticket_len);
11478 ssl->session_ticket.data_len = ticket_len;
11479 tvb_memcpy(tvb, ssl->session_ticket.data, offset, ticket_len);
11480 /* NewSessionTicket is received after the first (client)
11481 * ChangeCipherSpec, and before the second (server) ChangeCipherSpec.
11482 * Since the second CCS has already the session key available it will
11483 * just return. To ensure that the session ticket is mapped to a
11484 * master key (from the first CCS), save the ticket here too. */
11485 ssl_save_master_key("Session Ticket", session_hash,
11486 &ssl->session_ticket, &ssl->master_secret);
11487 ssl->state |= SSL_NEW_SESSION_TICKET(1<<10);
11488 }
11489 offset += ticket_len;
11490
11491 if (is_tls13) {
11492 ssl_dissect_hnd_extension(hf, tvb, subtree, pinfo, offset,
11493 offset_end, SSL_HND_NEWSESSION_TICKET,
11494 session, ssl, is_dtls, NULL((void*)0), NULL((void*)0), NULL((void*)0));
11495 }
11496} /* }}} */
11497
11498void
11499ssl_dissect_hnd_hello_retry_request(ssl_common_dissect_t *hf, tvbuff_t *tvb,
11500 packet_info* pinfo, proto_tree *tree, uint32_t offset, uint32_t offset_end,
11501 SslSession *session, SslDecryptSession *ssl,
11502 bool_Bool is_dtls)
11503{
11504 /* https://tools.ietf.org/html/draft-ietf-tls-tls13-19#section-4.1.4
11505 * struct {
11506 * ProtocolVersion server_version;
11507 * CipherSuite cipher_suite; // not before draft -19
11508 * Extension extensions<2..2^16-1>;
11509 * } HelloRetryRequest;
11510 * Note: no longer used since draft -22
11511 */
11512 uint32_t version;
11513 uint8_t draft_version;
11514
11515 proto_tree_add_item_ret_uint(tree, hf->hf.hs_server_version, tvb,
11516 offset, 2, ENC_BIG_ENDIAN0x00000000, &version);
11517 draft_version = extract_tls13_draft_version(version);
11518 offset += 2;
11519
11520 if (draft_version == 0 || draft_version >= 19) {
11521 proto_tree_add_item(tree, hf->hf.hs_cipher_suite,
11522 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
11523 offset += 2;
11524 }
11525
11526 ssl_dissect_hnd_extension(hf, tvb, tree, pinfo, offset,
11527 offset_end, SSL_HND_HELLO_RETRY_REQUEST,
11528 session, ssl, is_dtls, NULL((void*)0), NULL((void*)0), NULL((void*)0));
11529}
11530
11531void
11532ssl_dissect_hnd_encrypted_extensions(ssl_common_dissect_t *hf, tvbuff_t *tvb,
11533 packet_info* pinfo, proto_tree *tree, uint32_t offset, uint32_t offset_end,
11534 SslSession *session, SslDecryptSession *ssl,
11535 bool_Bool is_dtls)
11536{
11537 /* RFC 8446 Section 4.3.1
11538 * struct {
11539 * Extension extensions<0..2^16-1>;
11540 * } EncryptedExtensions;
11541 */
11542 ssl_dissect_hnd_extension(hf, tvb, tree, pinfo, offset,
11543 offset_end, SSL_HND_ENCRYPTED_EXTENSIONS,
11544 session, ssl, is_dtls, NULL((void*)0), NULL((void*)0), NULL((void*)0));
11545}
11546
11547/* Certificate and Certificate Request dissections. {{{ */
11548void
11549ssl_dissect_hnd_cert(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree,
11550 uint32_t offset, uint32_t offset_end, packet_info *pinfo,
11551 SslSession *session, SslDecryptSession *ssl _U___attribute__((unused)),
11552 bool_Bool is_from_server, bool_Bool is_dtls)
11553{
11554 /* opaque ASN.1Cert<1..2^24-1>;
11555 *
11556 * Before RFC 8446 (TLS <= 1.2):
11557 * struct {
11558 * select(certificate_type) {
11559 *
11560 * // certificate type defined in RFC 7250
11561 * case RawPublicKey:
11562 * opaque ASN.1_subjectPublicKeyInfo<1..2^24-1>;
11563 *
11564 * // X.509 certificate defined in RFC 5246
11565 * case X.509:
11566 * ASN.1Cert certificate_list<0..2^24-1>;
11567 * };
11568 * } Certificate;
11569 *
11570 * RFC 8446 (since draft -20):
11571 * struct {
11572 * select(certificate_type){
11573 * case RawPublicKey:
11574 * // From RFC 7250 ASN.1_subjectPublicKeyInfo
11575 * opaque ASN1_subjectPublicKeyInfo<1..2^24-1>;
11576 *
11577 * case X.509:
11578 * opaque cert_data<1..2^24-1>;
11579 * }
11580 * Extension extensions<0..2^16-1>;
11581 * } CertificateEntry;
11582 * struct {
11583 * opaque certificate_request_context<0..2^8-1>;
11584 * CertificateEntry certificate_list<0..2^24-1>;
11585 * } Certificate;
11586 */
11587 enum { CERT_X509, CERT_RPK } cert_type;
11588 asn1_ctx_t asn1_ctx;
11589#if defined(HAVE_LIBGNUTLS1)
11590 gnutls_datum_t subjectPublicKeyInfo = { NULL((void*)0), 0 };
11591 unsigned certificate_index = 0;
11592#endif
11593 uint32_t next_offset, certificate_list_length, cert_length;
11594 proto_tree *subtree = tree;
11595
11596 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true1, pinfo);
11597
11598 if ((is_from_server && session->server_cert_type == SSL_HND_CERT_TYPE_RAW_PUBLIC_KEY2) ||
11599 (!is_from_server && session->client_cert_type == SSL_HND_CERT_TYPE_RAW_PUBLIC_KEY2)) {
11600 cert_type = CERT_RPK;
11601 } else {
11602 cert_type = CERT_X509;
11603 }
11604
11605#if defined(HAVE_LIBGNUTLS1)
11606 /* Ask the pkcs1 dissector to return the public key details */
11607 if (ssl)
11608 asn1_ctx.private_data = &subjectPublicKeyInfo;
11609#endif
11610
11611 /* TLS 1.3: opaque certificate_request_context<0..2^8-1> */
11612 if (session->version == TLSV1DOT3_VERSION0x304 || session->version == DTLSV1DOT3_VERSION0xfefc) {
11613 uint32_t context_length;
11614 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &context_length,
11615 hf->hf.hs_certificate_request_context_length, 0, UINT8_MAX(255))) {
11616 return;
11617 }
11618 offset++;
11619 if (context_length > 0) {
11620 proto_tree_add_item(tree, hf->hf.hs_certificate_request_context,
11621 tvb, offset, context_length, ENC_NA0x00000000);
11622 offset += context_length;
11623 }
11624 }
11625
11626 if ((session->version != TLSV1DOT3_VERSION0x304 && session->version != DTLSV1DOT3_VERSION0xfefc) && cert_type == CERT_RPK) {
11627 /* For RPK before TLS 1.3, the single RPK is stored directly without
11628 * another "certificate_list" field. */
11629 certificate_list_length = offset_end - offset;
11630 next_offset = offset_end;
11631 } else {
11632 /* CertificateEntry certificate_list<0..2^24-1> */
11633 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &certificate_list_length,
11634 hf->hf.hs_certificates_len, 0, G_MAXUINT24((1U << 24) - 1))) {
11635 return;
11636 }
11637 offset += 3; /* 24-bit length value */
11638 next_offset = offset + certificate_list_length;
11639 }
11640
11641 /* RawPublicKey must have one cert, but X.509 can have multiple. */
11642 if (certificate_list_length > 0 && cert_type == CERT_X509) {
11643 proto_item *ti;
11644
11645 ti = proto_tree_add_none_format(tree,
11646 hf->hf.hs_certificates,
11647 tvb, offset, certificate_list_length,
11648 "Certificates (%u bytes)",
11649 certificate_list_length);
11650
11651 /* make it a subtree */
11652 subtree = proto_item_add_subtree(ti, hf->ett.certificates);
11653 }
11654
11655 while (offset < next_offset) {
11656 switch (cert_type) {
11657 case CERT_RPK:
11658 /* TODO add expert info if there is more than one RPK entry (certificate_index > 0) */
11659 /* opaque ASN.1_subjectPublicKeyInfo<1..2^24-1> */
11660 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, next_offset, &cert_length,
11661 hf->hf.hs_certificate_len, 1, G_MAXUINT24((1U << 24) - 1))) {
11662 return;
11663 }
11664 offset += 3;
11665
11666 dissect_x509af_SubjectPublicKeyInfo(false0, tvb, offset, &asn1_ctx, subtree, hf->hf.hs_certificate);
11667 offset += cert_length;
11668 break;
11669 case CERT_X509:
11670 /* opaque ASN1Cert<1..2^24-1> */
11671 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, next_offset, &cert_length,
11672 hf->hf.hs_certificate_len, 1, G_MAXUINT24((1U << 24) - 1))) {
11673 return;
11674 }
11675 offset += 3;
11676
11677 dissect_x509af_Certificate(false0, tvb, offset, &asn1_ctx, subtree, hf->hf.hs_certificate);
11678#if defined(HAVE_LIBGNUTLS1)
11679 if (is_from_server && ssl && certificate_index == 0) {
11680 ssl_find_private_key_by_pubkey(ssl, &subjectPublicKeyInfo);
11681 /* Only attempt to get the RSA modulus for the first cert. */
11682 asn1_ctx.private_data = NULL((void*)0);
11683 }
11684#endif
11685 offset += cert_length;
11686 break;
11687 }
11688
11689 /* TLS 1.3: Extension extensions<0..2^16-1> */
11690 if ((session->version == TLSV1DOT3_VERSION0x304 || session->version == DTLSV1DOT3_VERSION0xfefc)) {
11691 offset = ssl_dissect_hnd_extension(hf, tvb, subtree, pinfo, offset,
11692 next_offset, SSL_HND_CERTIFICATE,
11693 session, ssl, is_dtls, NULL((void*)0), NULL((void*)0), NULL((void*)0));
11694 }
11695
11696#if defined(HAVE_LIBGNUTLS1)
11697 certificate_index++;
11698#endif
11699 }
11700}
11701
11702void
11703ssl_dissect_hnd_cert_req(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
11704 proto_tree *tree, uint32_t offset, uint32_t offset_end,
11705 SslSession *session, bool_Bool is_dtls)
11706{
11707 /* From SSL 3.0 and up (note that since TLS 1.1 certificate_authorities can be empty):
11708 * enum {
11709 * rsa_sign(1), dss_sign(2), rsa_fixed_dh(3), dss_fixed_dh(4),
11710 * (255)
11711 * } ClientCertificateType;
11712 *
11713 * opaque DistinguishedName<1..2^16-1>;
11714 *
11715 * struct {
11716 * ClientCertificateType certificate_types<1..2^8-1>;
11717 * DistinguishedName certificate_authorities<3..2^16-1>;
11718 * } CertificateRequest;
11719 *
11720 *
11721 * As per TLSv1.2 (RFC 5246) the format has changed to:
11722 *
11723 * enum {
11724 * rsa_sign(1), dss_sign(2), rsa_fixed_dh(3), dss_fixed_dh(4),
11725 * rsa_ephemeral_dh_RESERVED(5), dss_ephemeral_dh_RESERVED(6),
11726 * fortezza_dms_RESERVED(20), (255)
11727 * } ClientCertificateType;
11728 *
11729 * enum {
11730 * none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5),
11731 * sha512(6), (255)
11732 * } HashAlgorithm;
11733 *
11734 * enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) }
11735 * SignatureAlgorithm;
11736 *
11737 * struct {
11738 * HashAlgorithm hash;
11739 * SignatureAlgorithm signature;
11740 * } SignatureAndHashAlgorithm;
11741 *
11742 * SignatureAndHashAlgorithm
11743 * supported_signature_algorithms<2..2^16-2>;
11744 *
11745 * opaque DistinguishedName<1..2^16-1>;
11746 *
11747 * struct {
11748 * ClientCertificateType certificate_types<1..2^8-1>;
11749 * SignatureAndHashAlgorithm supported_signature_algorithms<2^16-1>;
11750 * DistinguishedName certificate_authorities<0..2^16-1>;
11751 * } CertificateRequest;
11752 *
11753 * draft-ietf-tls-tls13-18:
11754 * struct {
11755 * opaque certificate_request_context<0..2^8-1>;
11756 * SignatureScheme
11757 * supported_signature_algorithms<2..2^16-2>;
11758 * DistinguishedName certificate_authorities<0..2^16-1>;
11759 * CertificateExtension certificate_extensions<0..2^16-1>;
11760 * } CertificateRequest;
11761 *
11762 * RFC 8446 (since draft-ietf-tls-tls13-19):
11763 *
11764 * struct {
11765 * opaque certificate_request_context<0..2^8-1>;
11766 * Extension extensions<2..2^16-1>;
11767 * } CertificateRequest;
11768 */
11769 proto_item *ti;
11770 proto_tree *subtree;
11771 uint32_t next_offset;
11772 asn1_ctx_t asn1_ctx;
11773 bool_Bool is_tls13 = (session->version == TLSV1DOT3_VERSION0x304 || session->version == DTLSV1DOT3_VERSION0xfefc);
11774 unsigned char draft_version = session->tls13_draft_version;
11775
11776 if (!tree)
11777 return;
11778
11779 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true1, pinfo);
11780
11781 if (is_tls13) {
11782 uint32_t context_length;
11783 /* opaque certificate_request_context<0..2^8-1> */
11784 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &context_length,
11785 hf->hf.hs_certificate_request_context_length, 0, UINT8_MAX(255))) {
11786 return;
11787 }
11788 offset++;
11789 if (context_length > 0) {
11790 proto_tree_add_item(tree, hf->hf.hs_certificate_request_context,
11791 tvb, offset, context_length, ENC_NA0x00000000);
11792 offset += context_length;
11793 }
11794 } else {
11795 uint32_t cert_types_count;
11796 /* ClientCertificateType certificate_types<1..2^8-1> */
11797 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &cert_types_count,
11798 hf->hf.hs_cert_types_count, 1, UINT8_MAX(255))) {
11799 return;
11800 }
11801 offset++;
11802 next_offset = offset + cert_types_count;
11803
11804 ti = proto_tree_add_none_format(tree,
11805 hf->hf.hs_cert_types,
11806 tvb, offset, cert_types_count,
11807 "Certificate types (%u type%s)",
11808 cert_types_count,
11809 plurality(cert_types_count, "", "s")((cert_types_count) == 1 ? ("") : ("s")));
11810 subtree = proto_item_add_subtree(ti, hf->ett.cert_types);
11811
11812 while (offset < next_offset) {
11813 proto_tree_add_item(subtree, hf->hf.hs_cert_type, tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
11814 offset++;
11815 }
11816 }
11817
11818 if (session->version == TLSV1DOT2_VERSION0x303 || session->version == DTLSV1DOT2_VERSION0xfefd ||
11819 (is_tls13 && (draft_version > 0 && draft_version < 19))) {
11820 offset = ssl_dissect_hash_alg_list(hf, tvb, tree, pinfo, offset, offset_end, NULL((void*)0));
11821 }
11822
11823 if (is_tls13 && (draft_version == 0 || draft_version >= 19)) {
11824 /*
11825 * TLS 1.3 draft 19 and newer: Extensions.
11826 * SslDecryptSession pointer is NULL because Certificate Extensions
11827 * should not influence decryption state.
11828 */
11829 ssl_dissect_hnd_extension(hf, tvb, tree, pinfo, offset,
11830 offset_end, SSL_HND_CERT_REQUEST,
11831 session, NULL((void*)0), is_dtls, NULL((void*)0), NULL((void*)0), NULL((void*)0));
11832 } else if (is_tls13 && draft_version <= 18) {
11833 /*
11834 * TLS 1.3 draft 18 and older: certificate_authorities and
11835 * certificate_extensions (a vector of OID mappings).
11836 */
11837 offset = tls_dissect_certificate_authorities(hf, tvb, pinfo, tree, offset, offset_end);
11838 ssl_dissect_hnd_hello_ext_oid_filters(hf, tvb, pinfo, tree, offset, offset_end);
11839 } else {
11840 /* for TLS 1.2 and older, the certificate_authorities field. */
11841 tls_dissect_certificate_authorities(hf, tvb, pinfo, tree, offset, offset_end);
11842 }
11843}
11844/* Certificate and Certificate Request dissections. }}} */
11845
11846void
11847ssl_dissect_hnd_cli_cert_verify(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
11848 proto_tree *tree, uint32_t offset, uint32_t offset_end, uint16_t version)
11849{
11850 ssl_dissect_digitally_signed(hf, tvb, pinfo, tree, offset, offset_end, version,
11851 hf->hf.hs_client_cert_vrfy_sig_len,
11852 hf->hf.hs_client_cert_vrfy_sig);
11853}
11854
11855/* Finished dissection. {{{ */
11856void
11857ssl_dissect_hnd_finished(ssl_common_dissect_t *hf, tvbuff_t *tvb,
11858 proto_tree *tree, uint32_t offset, uint32_t offset_end,
11859 const SslSession *session, ssl_hfs_t *ssl_hfs)
11860{
11861 /* For SSLv3:
11862 * struct {
11863 * opaque md5_hash[16];
11864 * opaque sha_hash[20];
11865 * } Finished;
11866 *
11867 * For (D)TLS:
11868 * struct {
11869 * opaque verify_data[12];
11870 * } Finished;
11871 *
11872 * For TLS 1.3:
11873 * struct {
11874 * opaque verify_data[Hash.length];
11875 * }
11876 */
11877 if (!tree)
11878 return;
11879
11880 if (session->version == SSLV3_VERSION0x300) {
11881 if (ssl_hfs != NULL((void*)0)) {
11882 proto_tree_add_item(tree, ssl_hfs->hs_md5_hash,
11883 tvb, offset, 16, ENC_NA0x00000000);
11884 proto_tree_add_item(tree, ssl_hfs->hs_sha_hash,
11885 tvb, offset + 16, 20, ENC_NA0x00000000);
11886 }
11887 } else {
11888 /* Length should be 12 for TLS before 1.3, assume this is the case. */
11889 proto_tree_add_item(tree, hf->hf.hs_finished,
11890 tvb, offset, offset_end - offset, ENC_NA0x00000000);
11891 }
11892} /* }}} */
11893
11894/* RFC 6066 Certificate URL handshake message dissection. {{{ */
11895void
11896ssl_dissect_hnd_cert_url(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree, uint32_t offset)
11897{
11898 uint16_t url_hash_len;
11899
11900 /* enum {
11901 * individual_certs(0), pkipath(1), (255)
11902 * } CertChainType;
11903 *
11904 * struct {
11905 * CertChainType type;
11906 * URLAndHash url_and_hash_list<1..2^16-1>;
11907 * } CertificateURL;
11908 *
11909 * struct {
11910 * opaque url<1..2^16-1>;
11911 * uint8 padding;
11912 * opaque SHA1Hash[20];
11913 * } URLAndHash;
11914 */
11915
11916 proto_tree_add_item(tree, hf->hf.hs_ext_cert_url_type,
11917 tvb, offset, 1, ENC_NA0x00000000);
11918 offset++;
11919
11920 url_hash_len = tvb_get_ntohs(tvb, offset);
11921 proto_tree_add_item(tree, hf->hf.hs_ext_cert_url_url_hash_list_len,
11922 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
11923 offset += 2;
11924 while (url_hash_len-- > 0) {
11925 proto_item *urlhash_item;
11926 proto_tree *urlhash_tree;
11927 uint16_t url_len;
11928
11929 urlhash_item = proto_tree_add_item(tree, hf->hf.hs_ext_cert_url_item,
11930 tvb, offset, -1, ENC_NA0x00000000);
11931 urlhash_tree = proto_item_add_subtree(urlhash_item, hf->ett.urlhash);
11932
11933 url_len = tvb_get_ntohs(tvb, offset);
11934 proto_tree_add_item(urlhash_tree, hf->hf.hs_ext_cert_url_url_len,
11935 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
11936 offset += 2;
11937
11938 proto_tree_add_item(urlhash_tree, hf->hf.hs_ext_cert_url_url,
11939 tvb, offset, url_len, ENC_ASCII0x00000000|ENC_NA0x00000000);
11940 offset += url_len;
11941
11942 proto_tree_add_item(urlhash_tree, hf->hf.hs_ext_cert_url_padding,
11943 tvb, offset, 1, ENC_NA0x00000000);
11944 offset++;
11945 /* Note: RFC 6066 says that padding must be 0x01 */
11946
11947 proto_tree_add_item(urlhash_tree, hf->hf.hs_ext_cert_url_sha1,
11948 tvb, offset, 20, ENC_NA0x00000000);
11949 offset += 20;
11950 }
11951} /* }}} */
11952
11953void
11954ssl_dissect_hnd_compress_certificate(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree,
11955 uint32_t offset, uint32_t offset_end, packet_info *pinfo,
11956 SslSession *session, SslDecryptSession *ssl,
11957 bool_Bool is_from_server, bool_Bool is_dtls)
11958{
11959 uint32_t algorithm, uncompressed_length;
11960 uint32_t compressed_certificate_message_length;
11961 tvbuff_t *uncompressed_tvb = NULL((void*)0);
11962 proto_item *ti;
11963 /*
11964 * enum {
11965 * zlib(1),
11966 * brotli(2),
11967 * zstd(3),
11968 * (65535)
11969 * } CertificateCompressionAlgorithm;
11970 *
11971 * struct {
11972 * CertificateCompressionAlgorithm algorithm;
11973 * uint24 uncompressed_length;
11974 * opaque compressed_certificate_message<1..2^24-1>;
11975 * } CompressedCertificate;
11976 */
11977
11978 proto_tree_add_item_ret_uint(tree, hf->hf.hs_ext_compress_certificate_algorithm,
11979 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &algorithm);
11980 offset += 2;
11981
11982 proto_tree_add_item_ret_uint(tree, hf->hf.hs_ext_compress_certificate_uncompressed_length,
11983 tvb, offset, 3, ENC_BIG_ENDIAN0x00000000, &uncompressed_length);
11984 offset += 3;
11985
11986 /* opaque compressed_certificate_message<1..2^24-1>; */
11987 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &compressed_certificate_message_length,
11988 hf->hf.hs_ext_compress_certificate_compressed_certificate_message_length, 1, G_MAXUINT24((1U << 24) - 1))) {
11989 return;
11990 }
11991 offset += 3;
11992
11993 ti = proto_tree_add_item(tree, hf->hf.hs_ext_compress_certificate_compressed_certificate_message,
11994 tvb, offset, compressed_certificate_message_length, ENC_NA0x00000000);
11995
11996 /* Certificate decompression following algorithm */
11997 switch (algorithm) {
11998 case 1: /* zlib */
11999 uncompressed_tvb = tvb_child_uncompress_zlib(tvb, tvb, offset, compressed_certificate_message_length);
12000 break;
12001 case 2: /* brotli */
12002 uncompressed_tvb = tvb_child_uncompress_brotli(tvb, tvb, offset, compressed_certificate_message_length);
12003 break;
12004 case 3: /* zstd */
12005 uncompressed_tvb = tvb_child_uncompress_zstd(tvb, tvb, offset, compressed_certificate_message_length);
12006 break;
12007 }
12008
12009 if (uncompressed_tvb) {
12010 proto_tree *uncompressed_tree;
12011
12012 if (uncompressed_length != tvb_captured_length(uncompressed_tvb)) {
12013 proto_tree_add_expert_format(tree, pinfo, &hf->ei.decompression_error,
12014 tvb, offset, offset_end - offset,
12015 "Invalid uncompressed length %u (expected %u)",
12016 tvb_captured_length(uncompressed_tvb),
12017 uncompressed_length);
12018 } else {
12019 uncompressed_tree = proto_item_add_subtree(ti, hf->ett.uncompressed_certificates);
12020 ssl_dissect_hnd_cert(hf, uncompressed_tvb, uncompressed_tree,
12021 0, uncompressed_length, pinfo, session, ssl, is_from_server, is_dtls);
12022 add_new_data_source(pinfo, uncompressed_tvb, "Uncompressed certificate(s)");
12023 }
12024 }
12025}
12026
12027/* Dissection of TLS Extensions in Client Hello, Server Hello, etc. {{{ */
12028static int
12029// NOLINTNEXTLINE(misc-no-recursion)
12030ssl_dissect_hnd_extension(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree,
12031 packet_info* pinfo, uint32_t offset, uint32_t offset_end, uint8_t hnd_type,
12032 SslSession *session, SslDecryptSession *ssl,
12033 bool_Bool is_dtls, wmem_strbuf_t *ja3, ja4_data_t *ja4_data,
12034 ssl_master_key_map_t *mk_map)
12035{
12036 uint32_t exts_len;
12037 uint16_t ext_type;
12038 uint32_t ext_len;
12039 uint32_t next_offset;
12040 proto_item *ext_item;
12041 proto_tree *ext_tree;
12042 bool_Bool is_tls13 = session->version == TLSV1DOT3_VERSION0x304;
12043 wmem_strbuf_t *ja3_sg = wmem_strbuf_new(pinfo->pool, "");
12044 wmem_strbuf_t *ja3_ecpf = wmem_strbuf_new(pinfo->pool, "");
12045 char *ja3_dash = "";
12046 unsigned supported_version;
12047
12048 /* Extension extensions<0..2^16-2> (for TLS 1.3 HRR/CR min-length is 2) */
12049 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &exts_len,
12050 hf->hf.hs_exts_len, 0, UINT16_MAX(65535))) {
12051 return offset_end;
12052 }
12053 offset += 2;
12054 offset_end = offset + exts_len;
12055
12056 if (ja4_data) {
12057 ja4_data->num_extensions = 0;
12058 }
12059 while (offset_end - offset >= 4)
12060 {
12061 ext_type = tvb_get_ntohs(tvb, offset);
12062 ext_len = tvb_get_ntohs(tvb, offset + 2);
12063
12064 if (ja4_data && !IS_GREASE_TLS(ext_type)((((ext_type) & 0x0f0f) == 0x0a0a) && (((ext_type
) & 0xff) == (((ext_type)>>8) & 0xff)))
) {
12065 ja4_data->num_extensions += 1;
12066 if (ext_type != SSL_HND_HELLO_EXT_SERVER_NAME0 &&
12067 ext_type != SSL_HND_HELLO_EXT_ALPN16) {
12068 wmem_list_insert_sorted(ja4_data->extension_list, GUINT_TO_POINTER(ext_type)((gpointer) (gulong) (ext_type)), wmem_compare_uint);
12069 }
12070 }
12071
12072 ext_item = proto_tree_add_none_format(tree, hf->hf.hs_ext, tvb, offset, 4 + ext_len,
12073 "Extension: %s (len=%u)", val_to_str(pinfo->pool, ext_type,
12074 tls_hello_extension_types,
12075 "Unknown type %u"), ext_len);
12076 ext_tree = proto_item_add_subtree(ext_item, hf->ett.hs_ext);
12077
12078 proto_tree_add_uint(ext_tree, hf->hf.hs_ext_type,
12079 tvb, offset, 2, ext_type);
12080 offset += 2;
12081 if (ja3 && !IS_GREASE_TLS(ext_type)((((ext_type) & 0x0f0f) == 0x0a0a) && (((ext_type
) & 0xff) == (((ext_type)>>8) & 0xff)))
) {
12082 wmem_strbuf_append_printf(ja3, "%s%i",ja3_dash, ext_type);
12083 ja3_dash = "-";
12084 }
12085
12086 /* opaque extension_data<0..2^16-1> */
12087 if (!ssl_add_vector(hf, tvb, pinfo, ext_tree, offset, offset_end, &ext_len,
12088 hf->hf.hs_ext_len, 0, UINT16_MAX(65535))) {
12089 return offset_end;
12090 }
12091 offset += 2;
12092 next_offset = offset + ext_len;
12093
12094 switch (ext_type) {
12095 case SSL_HND_HELLO_EXT_SERVER_NAME0:
12096 if (hnd_type == SSL_HND_CLIENT_HELLO) {
12097 offset = ssl_dissect_hnd_hello_ext_server_name(hf, tvb, pinfo, ext_tree, offset, next_offset);
12098 if (ja4_data) {
12099 ja4_data->server_name_present = true1;
12100 }
12101 }
12102 break;
12103 case SSL_HND_HELLO_EXT_MAX_FRAGMENT_LENGTH1:
12104 proto_tree_add_item(ext_tree, hf->hf.hs_ext_max_fragment_length, tvb, offset, 1, ENC_NA0x00000000);
12105 offset += 1;
12106 break;
12107 case SSL_HND_HELLO_EXT_STATUS_REQUEST5:
12108 if (hnd_type == SSL_HND_CLIENT_HELLO) {
12109 offset = ssl_dissect_hnd_hello_ext_status_request(hf, tvb, pinfo, ext_tree, offset, next_offset, false0);
12110 } else if (is_tls13 && hnd_type == SSL_HND_CERTIFICATE) {
12111 offset = tls_dissect_hnd_certificate_status(hf, tvb, pinfo, ext_tree, offset, next_offset);
12112 }
12113 break;
12114 case SSL_HND_HELLO_EXT_CERT_TYPE9:
12115 offset = ssl_dissect_hnd_hello_ext_cert_type(hf, tvb, ext_tree,
12116 offset, next_offset,
12117 hnd_type, ext_type,
12118 session);
12119 break;
12120 case SSL_HND_HELLO_EXT_SUPPORTED_GROUPS10:
12121 if (hnd_type == SSL_HND_CLIENT_HELLO) {
12122 offset = ssl_dissect_hnd_hello_ext_supported_groups(hf, tvb, pinfo, ext_tree, offset,
12123 next_offset, ja3_sg);
12124 } else {
12125 offset = ssl_dissect_hnd_hello_ext_supported_groups(hf, tvb, pinfo, ext_tree, offset,
12126 next_offset, NULL((void*)0));
12127 }
12128 break;
12129 case SSL_HND_HELLO_EXT_EC_POINT_FORMATS11:
12130 if (hnd_type == SSL_HND_CLIENT_HELLO) {
12131 offset = ssl_dissect_hnd_hello_ext_ec_point_formats(hf, tvb, ext_tree, offset, ja3_ecpf);
12132 } else {
12133 offset = ssl_dissect_hnd_hello_ext_ec_point_formats(hf, tvb, ext_tree, offset, NULL((void*)0));
12134 }
12135 break;
12136 case SSL_HND_HELLO_EXT_SRP12:
12137 offset = ssl_dissect_hnd_hello_ext_srp(hf, tvb, pinfo, ext_tree, offset, next_offset);
12138 break;
12139 case SSL_HND_HELLO_EXT_SIGNATURE_ALGORITHMS13:
12140 offset = ssl_dissect_hnd_hello_ext_sig_hash_algs(hf, tvb, ext_tree, pinfo, offset, next_offset, ja4_data);
12141 break;
12142 case SSL_HND_HELLO_EXT_SIGNATURE_ALGORITHMS_CERT50: /* since TLS 1.3 draft -23 */
12143 offset = ssl_dissect_hnd_hello_ext_sig_hash_algs(hf, tvb, ext_tree, pinfo, offset, next_offset, NULL((void*)0));
12144 break;
12145 case SSL_HND_HELLO_EXT_DELEGATED_CREDENTIALS34:
12146 offset = ssl_dissect_hnd_ext_delegated_credentials(hf, tvb, ext_tree, pinfo, offset, next_offset, hnd_type);
12147 break;
12148 case SSL_HND_HELLO_EXT_USE_SRTP14:
12149 if (is_dtls) {
12150 if (hnd_type == SSL_HND_CLIENT_HELLO) {
12151 offset = dtls_dissect_hnd_hello_ext_use_srtp(pinfo, tvb, ext_tree, offset, next_offset, false0);
12152 } else if (hnd_type == SSL_HND_SERVER_HELLO) {
12153 offset = dtls_dissect_hnd_hello_ext_use_srtp(pinfo, tvb, ext_tree, offset, next_offset, true1);
12154 }
12155 } else {
12156 // XXX expert info: This extension MUST only be used with DTLS, and not with TLS.
12157 }
12158 break;
12159 case SSL_HND_HELLO_EXT_ECH_OUTER_EXTENSIONS64768:
12160 offset = ssl_dissect_hnd_ech_outer_ext(hf, tvb, pinfo, ext_tree, offset, next_offset);
12161 break;
12162 case SSL_HND_HELLO_EXT_ENCRYPTED_CLIENT_HELLO65037:
12163 offset = ssl_dissect_hnd_hello_ext_ech(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, session, ssl, mk_map);
12164 break;
12165 case SSL_HND_HELLO_EXT_HEARTBEAT15:
12166 proto_tree_add_item(ext_tree, hf->hf.hs_ext_heartbeat_mode,
12167 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
12168 offset++;
12169 break;
12170 case SSL_HND_HELLO_EXT_ALPN16:
12171 offset = ssl_dissect_hnd_hello_ext_alpn(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, session, is_dtls, ja4_data);
12172 break;
12173 case SSL_HND_HELLO_EXT_STATUS_REQUEST_V217:
12174 if (hnd_type == SSL_HND_CLIENT_HELLO)
12175 offset = ssl_dissect_hnd_hello_ext_status_request_v2(hf, tvb, pinfo, ext_tree, offset, next_offset);
12176 break;
12177 case SSL_HND_HELLO_EXT_SIGNED_CERTIFICATE_TIMESTAMP18:
12178 // TLS 1.3 note: SCT only appears in EE in draft -16 and before.
12179 if (hnd_type == SSL_HND_SERVER_HELLO || hnd_type == SSL_HND_ENCRYPTED_EXTENSIONS || hnd_type == SSL_HND_CERTIFICATE)
12180 offset = tls_dissect_sct_list(hf, tvb, pinfo, ext_tree, offset, next_offset, session->version);
12181 break;
12182 case SSL_HND_HELLO_EXT_CLIENT_CERT_TYPE19:
12183 case SSL_HND_HELLO_EXT_SERVER_CERT_TYPE20:
12184 offset = ssl_dissect_hnd_hello_ext_cert_type(hf, tvb, ext_tree,
12185 offset, next_offset,
12186 hnd_type, ext_type,
12187 session);
12188 break;
12189 case SSL_HND_HELLO_EXT_PADDING21:
12190 proto_tree_add_item(ext_tree, hf->hf.hs_ext_padding_data, tvb, offset, ext_len, ENC_NA0x00000000);
12191 offset += ext_len;
12192 break;
12193 case SSL_HND_HELLO_EXT_ENCRYPT_THEN_MAC22:
12194 if (ssl && hnd_type == SSL_HND_SERVER_HELLO) {
12195 ssl_debug_printf("%s enabling Encrypt-then-MAC\n", G_STRFUNC((const char*) (__func__)));
12196 ssl->state |= SSL_ENCRYPT_THEN_MAC(1<<11);
12197 }
12198 break;
12199 case SSL_HND_HELLO_EXT_EXTENDED_MASTER_SECRET23:
12200 if (ssl) {
12201 switch (hnd_type) {
12202 case SSL_HND_CLIENT_HELLO:
12203 ssl->state |= SSL_CLIENT_EXTENDED_MASTER_SECRET(1<<7);
12204 break;
12205 case SSL_HND_SERVER_HELLO:
12206 ssl->state |= SSL_SERVER_EXTENDED_MASTER_SECRET(1<<8);
12207 break;
12208 default: /* no default */
12209 break;
12210 }
12211 }
12212 break;
12213 case SSL_HND_HELLO_EXT_COMPRESS_CERTIFICATE27:
12214 offset = ssl_dissect_hnd_hello_ext_compress_certificate(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, ssl);
12215 break;
12216 case SSL_HND_HELLO_EXT_TOKEN_BINDING24:
12217 offset = ssl_dissect_hnd_hello_ext_token_binding(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, ssl);
12218 break;
12219 case SSL_HND_HELLO_EXT_RECORD_SIZE_LIMIT28:
12220 proto_tree_add_item(ext_tree, hf->hf.hs_ext_record_size_limit,
12221 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
12222 offset += 2;
12223 break;
12224 case SSL_HND_HELLO_EXT_QUIC_TRANSPORT_PARAMETERS65445:
12225 case SSL_HND_HELLO_EXT_QUIC_TRANSPORT_PARAMETERS_V157:
12226 offset = ssl_dissect_hnd_hello_ext_quic_transport_parameters(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, ssl);
12227 break;
12228 case SSL_HND_HELLO_EXT_SESSION_TICKET_TLS35:
12229 offset = ssl_dissect_hnd_hello_ext_session_ticket(hf, tvb, ext_tree, offset, next_offset, hnd_type, ssl);
12230 break;
12231 case SSL_HND_HELLO_EXT_KEY_SHARE_OLD40: /* used before TLS 1.3 draft -23 */
12232 case SSL_HND_HELLO_EXT_KEY_SHARE51:
12233 offset = ssl_dissect_hnd_hello_ext_key_share(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, ssl);
12234 break;
12235 case SSL_HND_HELLO_EXT_PRE_SHARED_KEY41:
12236 offset = ssl_dissect_hnd_hello_ext_pre_shared_key(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, ssl);
12237 break;
12238 case SSL_HND_HELLO_EXT_EARLY_DATA42:
12239 case SSL_HND_HELLO_EXT_TICKET_EARLY_DATA_INFO46:
12240 offset = ssl_dissect_hnd_hello_ext_early_data(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, ssl);
12241 break;
12242 case SSL_HND_HELLO_EXT_SUPPORTED_VERSIONS43:
12243 switch (hnd_type) {
12244 case SSL_HND_CLIENT_HELLO:
12245 offset = ssl_dissect_hnd_hello_ext_supported_versions(hf, tvb, pinfo, ext_tree, offset, next_offset, session, is_dtls, ja4_data);
12246 break;
12247 case SSL_HND_SERVER_HELLO:
12248 case SSL_HND_HELLO_RETRY_REQUEST:
12249 proto_tree_add_item_ret_uint(ext_tree, hf->hf.hs_ext_supported_version, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &supported_version);
12250 offset += 2;
12251 proto_item_append_text(ext_tree, " %s", val_to_str(pinfo->pool, supported_version, ssl_versions, "Unknown (0x%04x)"));
12252 break;
12253 }
12254 break;
12255 case SSL_HND_HELLO_EXT_COOKIE44:
12256 offset = ssl_dissect_hnd_hello_ext_cookie(hf, tvb, pinfo, ext_tree, offset, next_offset);
12257 break;
12258 case SSL_HND_HELLO_EXT_PSK_KEY_EXCHANGE_MODES45:
12259 offset = ssl_dissect_hnd_hello_ext_psk_key_exchange_modes(hf, tvb, pinfo, ext_tree, offset, next_offset);
12260 break;
12261 case SSL_HND_HELLO_EXT_CERTIFICATE_AUTHORITIES47:
12262 offset = ssl_dissect_hnd_hello_ext_certificate_authorities(hf, tvb, pinfo, ext_tree, offset, next_offset);
12263 break;
12264 case SSL_HND_HELLO_EXT_OID_FILTERS48:
12265 offset = ssl_dissect_hnd_hello_ext_oid_filters(hf, tvb, pinfo, ext_tree, offset, next_offset);
12266 break;
12267 case SSL_HND_HELLO_EXT_POST_HANDSHAKE_AUTH49:
12268 break;
12269 case SSL_HND_HELLO_EXT_NPN13172:
12270 offset = ssl_dissect_hnd_hello_ext_npn(hf, tvb, pinfo, ext_tree, offset, next_offset);
12271 break;
12272 case SSL_HND_HELLO_EXT_ALPS_OLD17513:
12273 offset = ssl_dissect_hnd_hello_ext_alps(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type);
12274 break;
12275 case SSL_HND_HELLO_EXT_ALPS17613:
12276 offset = ssl_dissect_hnd_hello_ext_alps(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type);
12277 break;
12278 case SSL_HND_HELLO_EXT_RENEGOTIATION_INFO65281:
12279 offset = ssl_dissect_hnd_hello_ext_reneg_info(hf, tvb, pinfo, ext_tree, offset, next_offset);
12280 break;
12281 case SSL_HND_HELLO_EXT_ENCRYPTED_SERVER_NAME65486:
12282 offset = ssl_dissect_hnd_hello_ext_esni(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, ssl);
12283 break;
12284 case SSL_HND_HELLO_EXT_CONNECTION_ID_DEPRECATED53:
12285 session->deprecated_cid = true1;
12286 /* FALLTHRU */
12287 case SSL_HND_HELLO_EXT_CONNECTION_ID54:
12288 offset = ssl_dissect_hnd_hello_ext_connection_id(hf, tvb, pinfo, ext_tree, offset, hnd_type, session, ssl);
12289 break;
12290 case SSL_HND_HELLO_EXT_TRUSTED_CA_KEYS3:
12291 offset = ssl_dissect_hnd_hello_ext_trusted_ca_keys(hf, tvb, pinfo, ext_tree, offset, next_offset);
12292 break;
12293 default:
12294 proto_tree_add_item(ext_tree, hf->hf.hs_ext_data,
12295 tvb, offset, ext_len, ENC_NA0x00000000);
12296 offset += ext_len;
12297 break;
12298 }
12299
12300 if (!ssl_end_vector(hf, tvb, pinfo, ext_tree, offset, next_offset)) {
12301 /* Dissection did not end at expected location, fix it. */
12302 offset = next_offset;
12303 }
12304 }
12305
12306 if (ja3) {
12307 if (hnd_type == SSL_HND_CLIENT_HELLO) {
12308 if(wmem_strbuf_get_len(ja3_sg) > 0) {
12309 wmem_strbuf_append_printf(ja3, "%s", wmem_strbuf_get_str(ja3_sg));
12310 } else {
12311 wmem_strbuf_append_c(ja3, ',');
12312 }
12313 if(wmem_strbuf_get_len(ja3_ecpf) > 0) {
12314 wmem_strbuf_append_printf(ja3, "%s", wmem_strbuf_get_str(ja3_ecpf));
12315 } else {
12316 wmem_strbuf_append_c(ja3, ',');
12317 }
12318 }
12319 }
12320
12321 /* Check if Extensions vector is correctly terminated. */
12322 if (!ssl_end_vector(hf, tvb, pinfo, tree, offset, offset_end)) {
12323 offset = offset_end;
12324 }
12325
12326 return offset;
12327} /* }}} */
12328
12329
12330/* ClientKeyExchange algo-specific dissectors. {{{ */
12331
12332static void
12333dissect_ssl3_hnd_cli_keyex_ecdh(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12334 proto_tree *tree, uint32_t offset,
12335 uint32_t length)
12336{
12337 int point_len;
12338 proto_tree *ssl_ecdh_tree;
12339
12340 ssl_ecdh_tree = proto_tree_add_subtree(tree, tvb, offset, length,
12341 hf->ett.keyex_params, NULL((void*)0), "EC Diffie-Hellman Client Params");
12342
12343 /* point */
12344 point_len = tvb_get_uint8(tvb, offset);
12345 proto_tree_add_item(ssl_ecdh_tree, hf->hf.hs_client_keyex_point_len, tvb,
12346 offset, 1, ENC_BIG_ENDIAN0x00000000);
12347 proto_tree_add_item(ssl_ecdh_tree, hf->hf.hs_client_keyex_point, tvb,
12348 offset + 1, point_len, ENC_NA0x00000000);
12349}
12350
12351static void
12352dissect_ssl3_hnd_cli_keyex_dhe(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12353 proto_tree *tree, uint32_t offset, uint32_t length)
12354{
12355 int yc_len;
12356 proto_tree *ssl_dh_tree;
12357
12358 ssl_dh_tree = proto_tree_add_subtree(tree, tvb, offset, length,
12359 hf->ett.keyex_params, NULL((void*)0), "Diffie-Hellman Client Params");
12360
12361 /* ClientDiffieHellmanPublic.dh_public (explicit) */
12362 yc_len = tvb_get_ntohs(tvb, offset);
12363 proto_tree_add_item(ssl_dh_tree, hf->hf.hs_client_keyex_yc_len, tvb,
12364 offset, 2, ENC_BIG_ENDIAN0x00000000);
12365 proto_tree_add_item(ssl_dh_tree, hf->hf.hs_client_keyex_yc, tvb,
12366 offset + 2, yc_len, ENC_NA0x00000000);
12367}
12368
12369static void
12370dissect_ssl3_hnd_cli_keyex_rsa(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12371 proto_tree *tree, uint32_t offset,
12372 uint32_t length, const SslSession *session)
12373{
12374 int epms_len;
12375 proto_tree *ssl_rsa_tree;
12376
12377 ssl_rsa_tree = proto_tree_add_subtree(tree, tvb, offset, length,
12378 hf->ett.keyex_params, NULL((void*)0), "RSA Encrypted PreMaster Secret");
12379
12380 /* EncryptedPreMasterSecret.pre_master_secret */
12381 switch (session->version) {
12382 case SSLV2_VERSION0x0002:
12383 case SSLV3_VERSION0x300:
12384 case DTLSV1DOT0_OPENSSL_VERSION0x100:
12385 /* OpenSSL pre-0.9.8f DTLS and pre-TLS quirk: 2-octet length vector is
12386 * not present. The handshake contents represents the EPMS, see:
12387 * https://gitlab.com/wireshark/wireshark/-/issues/10222 */
12388 epms_len = length;
12389 break;
12390
12391 default:
12392 /* TLS and DTLS include vector length before EPMS */
12393 epms_len = tvb_get_ntohs(tvb, offset);
12394 proto_tree_add_item(ssl_rsa_tree, hf->hf.hs_client_keyex_epms_len, tvb,
12395 offset, 2, ENC_BIG_ENDIAN0x00000000);
12396 offset += 2;
12397 break;
12398 }
12399 proto_tree_add_item(ssl_rsa_tree, hf->hf.hs_client_keyex_epms, tvb,
12400 offset, epms_len, ENC_NA0x00000000);
12401}
12402
12403/* Used in PSK cipher suites */
12404static uint32_t
12405dissect_ssl3_hnd_cli_keyex_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12406 proto_tree *tree, uint32_t offset)
12407{
12408 unsigned identity_len;
12409 proto_tree *ssl_psk_tree;
12410
12411 ssl_psk_tree = proto_tree_add_subtree(tree, tvb, offset, -1,
12412 hf->ett.keyex_params, NULL((void*)0), "PSK Client Params");
12413 /* identity */
12414 identity_len = tvb_get_ntohs(tvb, offset);
12415 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_client_keyex_identity_len, tvb,
12416 offset, 2, ENC_BIG_ENDIAN0x00000000);
12417 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_client_keyex_identity, tvb,
12418 offset + 2, identity_len, ENC_NA0x00000000);
12419
12420 proto_item_set_len(ssl_psk_tree, 2 + identity_len);
12421 return 2 + identity_len;
12422}
12423
12424/* Used in RSA PSK cipher suites */
12425static void
12426dissect_ssl3_hnd_cli_keyex_rsa_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12427 proto_tree *tree, uint32_t offset,
12428 uint32_t length)
12429{
12430 int identity_len, epms_len;
12431 proto_tree *ssl_psk_tree;
12432
12433 ssl_psk_tree = proto_tree_add_subtree(tree, tvb, offset, length,
12434 hf->ett.keyex_params, NULL((void*)0), "RSA PSK Client Params");
12435
12436 /* identity */
12437 identity_len = tvb_get_ntohs(tvb, offset);
12438 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_client_keyex_identity_len,
12439 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
12440 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_client_keyex_identity,
12441 tvb, offset + 2, identity_len, ENC_NA0x00000000);
12442 offset += 2 + identity_len;
12443
12444 /* Yc */
12445 epms_len = tvb_get_ntohs(tvb, offset);
12446 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_client_keyex_epms_len, tvb,
12447 offset, 2, ENC_BIG_ENDIAN0x00000000);
12448 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_client_keyex_epms, tvb,
12449 offset + 2, epms_len, ENC_NA0x00000000);
12450}
12451
12452/* Used in Diffie-Hellman PSK cipher suites */
12453static void
12454dissect_ssl3_hnd_cli_keyex_dhe_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12455 proto_tree *tree, uint32_t offset, uint32_t length)
12456{
12457 /*
12458 * struct {
12459 * select (KeyExchangeAlgorithm) {
12460 * case diffie_hellman_psk:
12461 * opaque psk_identity<0..2^16-1>;
12462 * ClientDiffieHellmanPublic public;
12463 * } exchange_keys;
12464 * } ClientKeyExchange;
12465 */
12466
12467 uint32_t psk_len = dissect_ssl3_hnd_cli_keyex_psk(hf, tvb, tree, offset);
12468 dissect_ssl3_hnd_cli_keyex_dhe(hf, tvb, tree, offset + psk_len, length - psk_len);
12469}
12470
12471/* Used in EC Diffie-Hellman PSK cipher suites */
12472static void
12473dissect_ssl3_hnd_cli_keyex_ecdh_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12474 proto_tree *tree, uint32_t offset, uint32_t length)
12475{
12476 /*
12477 * struct {
12478 * select (KeyExchangeAlgorithm) {
12479 * case ec_diffie_hellman_psk:
12480 * opaque psk_identity<0..2^16-1>;
12481 * ClientECDiffieHellmanPublic public;
12482 * } exchange_keys;
12483 * } ClientKeyExchange;
12484 */
12485
12486 uint32_t psk_len = dissect_ssl3_hnd_cli_keyex_psk(hf, tvb, tree, offset);
12487 dissect_ssl3_hnd_cli_keyex_ecdh(hf, tvb, tree, offset + psk_len, length - psk_len);
12488}
12489
12490/* Used in EC J-PAKE cipher suites */
12491static void
12492dissect_ssl3_hnd_cli_keyex_ecjpake(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12493 proto_tree *tree, uint32_t offset,
12494 uint32_t length)
12495{
12496 /*
12497 * struct {
12498 * ECPoint V;
12499 * opaque r<1..2^8-1>;
12500 * } ECSchnorrZKP;
12501 *
12502 * struct {
12503 * ECPoint X;
12504 * ECSchnorrZKP zkp;
12505 * } ECJPAKEKeyKP;
12506 *
12507 * struct {
12508 * ECJPAKEKeyKP ecjpake_key_kp;
12509 * } ClientECJPAKEParams;
12510 *
12511 * select (KeyExchangeAlgorithm) {
12512 * case ecjpake:
12513 * ClientECJPAKEParams params;
12514 * } ClientKeyExchange;
12515 */
12516
12517 int point_len;
12518 proto_tree *ssl_ecjpake_tree;
12519
12520 ssl_ecjpake_tree = proto_tree_add_subtree(tree, tvb, offset, length,
12521 hf->ett.keyex_params, NULL((void*)0),
12522 "EC J-PAKE Client Params");
12523
12524 /* ECJPAKEKeyKP.X */
12525 point_len = tvb_get_uint8(tvb, offset);
12526 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_client_keyex_xc_len, tvb,
12527 offset, 1, ENC_BIG_ENDIAN0x00000000);
12528 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_client_keyex_xc, tvb,
12529 offset + 1, point_len, ENC_NA0x00000000);
12530 offset += 1 + point_len;
12531
12532 /* ECJPAKEKeyKP.zkp.V */
12533 point_len = tvb_get_uint8(tvb, offset);
12534 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_client_keyex_vc_len, tvb,
12535 offset, 1, ENC_BIG_ENDIAN0x00000000);
12536 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_client_keyex_vc, tvb,
12537 offset + 1, point_len, ENC_NA0x00000000);
12538 offset += 1 + point_len;
12539
12540 /* ECJPAKEKeyKP.zkp.r */
12541 point_len = tvb_get_uint8(tvb, offset);
12542 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_client_keyex_rc_len, tvb,
12543 offset, 1, ENC_BIG_ENDIAN0x00000000);
12544 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_client_keyex_rc, tvb,
12545 offset + 1, point_len, ENC_NA0x00000000);
12546}
12547
12548static void
12549dissect_ssl3_hnd_cli_keyex_ecc_sm2(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12550 proto_tree *tree, uint32_t offset,
12551 uint32_t length)
12552{
12553 int epms_len;
12554 proto_tree *ssl_ecc_sm2_tree;
12555
12556 ssl_ecc_sm2_tree = proto_tree_add_subtree(tree, tvb, offset, length,
12557 hf->ett.keyex_params, NULL((void*)0),
12558 "ECC-SM2 Encrypted PreMaster Secret");
12559
12560 epms_len = tvb_get_ntohs(tvb, offset);
12561 proto_tree_add_item(ssl_ecc_sm2_tree, hf->hf.hs_client_keyex_epms_len, tvb,
12562 offset, 2, ENC_BIG_ENDIAN0x00000000);
12563 offset += 2;
12564 proto_tree_add_item(ssl_ecc_sm2_tree, hf->hf.hs_client_keyex_epms, tvb,
12565 offset, epms_len, ENC_NA0x00000000);
12566}
12567/* ClientKeyExchange algo-specific dissectors. }}} */
12568
12569
12570/* Dissects DigitallySigned (see RFC 5246 4.7 Cryptographic Attributes). {{{ */
12571static uint32_t
12572ssl_dissect_digitally_signed(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12573 proto_tree *tree, uint32_t offset, uint32_t offset_end,
12574 uint16_t version, int hf_sig_len, int hf_sig)
12575{
12576 uint32_t sig_len;
12577
12578 switch (version) {
12579 case TLSV1DOT2_VERSION0x303:
12580 case DTLSV1DOT2_VERSION0xfefd:
12581 case TLSV1DOT3_VERSION0x304:
12582 case DTLSV1DOT3_VERSION0xfefc:
12583 tls_dissect_signature_algorithm(hf, tvb, tree, offset, NULL((void*)0));
12584 offset += 2;
12585 break;
12586
12587 default:
12588 break;
12589 }
12590
12591 /* Sig */
12592 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &sig_len,
12593 hf_sig_len, 0, UINT16_MAX(65535))) {
12594 return offset_end;
12595 }
12596 offset += 2;
12597 proto_tree_add_item(tree, hf_sig, tvb, offset, sig_len, ENC_NA0x00000000);
12598 offset += sig_len;
12599 return offset;
12600} /* }}} */
12601
12602/* ServerKeyExchange algo-specific dissectors. {{{ */
12603
12604/* dissects signed_params inside a ServerKeyExchange for some keyex algos */
12605static void
12606dissect_ssl3_hnd_srv_keyex_sig(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12607 proto_tree *tree, uint32_t offset, uint32_t offset_end,
12608 uint16_t version)
12609{
12610 /*
12611 * TLSv1.2 (RFC 5246 sec 7.4.8)
12612 * struct {
12613 * digitally-signed struct {
12614 * opaque handshake_messages[handshake_messages_length];
12615 * }
12616 * } CertificateVerify;
12617 *
12618 * TLSv1.0/TLSv1.1 (RFC 5436 sec 7.4.8 and 7.4.3) works essentially the same
12619 * as TLSv1.2, but the hash algorithms are not explicit in digitally-signed.
12620 *
12621 * SSLv3 (RFC 6101 sec 5.6.8) essentially works the same as TLSv1.0 but it
12622 * does more hashing including the master secret and padding.
12623 */
12624 ssl_dissect_digitally_signed(hf, tvb, pinfo, tree, offset, offset_end, version,
12625 hf->hf.hs_server_keyex_sig_len,
12626 hf->hf.hs_server_keyex_sig);
12627}
12628
12629static uint32_t
12630dissect_tls_ecparameters(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree, uint32_t offset, uint32_t offset_end)
12631{
12632 /*
12633 * RFC 4492 ECC cipher suites for TLS
12634 *
12635 * struct {
12636 * ECCurveType curve_type;
12637 * select (curve_type) {
12638 * case explicit_prime:
12639 * ...
12640 * case explicit_char2:
12641 * ...
12642 * case named_curve:
12643 * NamedCurve namedcurve;
12644 * };
12645 * } ECParameters;
12646 */
12647
12648 int curve_type;
12649
12650 /* ECParameters.curve_type */
12651 curve_type = tvb_get_uint8(tvb, offset);
12652 proto_tree_add_item(tree, hf->hf.hs_server_keyex_curve_type, tvb,
12653 offset, 1, ENC_BIG_ENDIAN0x00000000);
12654 offset++;
12655
12656 if (curve_type != 3)
12657 return offset_end; /* only named_curves are supported */
12658
12659 /* case curve_type == named_curve; ECParameters.namedcurve */
12660 proto_tree_add_item(tree, hf->hf.hs_server_keyex_named_curve, tvb,
12661 offset, 2, ENC_BIG_ENDIAN0x00000000);
12662 offset += 2;
12663
12664 return offset;
12665}
12666
12667static void
12668dissect_ssl3_hnd_srv_keyex_ecdh(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12669 proto_tree *tree, uint32_t offset, uint32_t offset_end,
12670 uint16_t version, bool_Bool anon)
12671{
12672 /*
12673 * RFC 4492 ECC cipher suites for TLS
12674 *
12675 * struct {
12676 * opaque point <1..2^8-1>;
12677 * } ECPoint;
12678 *
12679 * struct {
12680 * ECParameters curve_params;
12681 * ECPoint public;
12682 * } ServerECDHParams;
12683 *
12684 * select (KeyExchangeAlgorithm) {
12685 * case ec_diffie_hellman:
12686 * ServerECDHParams params;
12687 * Signature signed_params;
12688 * } ServerKeyExchange;
12689 */
12690
12691 int point_len;
12692 proto_tree *ssl_ecdh_tree;
12693
12694 ssl_ecdh_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
12695 hf->ett.keyex_params, NULL((void*)0), "EC Diffie-Hellman Server Params");
12696
12697 offset = dissect_tls_ecparameters(hf, tvb, ssl_ecdh_tree, offset, offset_end);
12698 if (offset >= offset_end)
12699 return; /* only named_curves are supported */
12700
12701 /* ECPoint.point */
12702 point_len = tvb_get_uint8(tvb, offset);
12703 proto_tree_add_item(ssl_ecdh_tree, hf->hf.hs_server_keyex_point_len, tvb,
12704 offset, 1, ENC_BIG_ENDIAN0x00000000);
12705 proto_tree_add_item(ssl_ecdh_tree, hf->hf.hs_server_keyex_point, tvb,
12706 offset + 1, point_len, ENC_NA0x00000000);
12707 offset += 1 + point_len;
12708
12709 /* Signature (if non-anonymous KEX) */
12710 if (!anon) {
12711 dissect_ssl3_hnd_srv_keyex_sig(hf, tvb, pinfo, ssl_ecdh_tree, offset, offset_end, version);
12712 }
12713}
12714
12715static void
12716dissect_ssl3_hnd_srv_keyex_dhe(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12717 proto_tree *tree, uint32_t offset, uint32_t offset_end,
12718 uint16_t version, bool_Bool anon)
12719{
12720 int p_len, g_len, ys_len;
12721 proto_tree *ssl_dh_tree;
12722
12723 ssl_dh_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
12724 hf->ett.keyex_params, NULL((void*)0), "Diffie-Hellman Server Params");
12725
12726 /* p */
12727 p_len = tvb_get_ntohs(tvb, offset);
12728 proto_tree_add_item(ssl_dh_tree, hf->hf.hs_server_keyex_p_len, tvb,
12729 offset, 2, ENC_BIG_ENDIAN0x00000000);
12730 proto_tree_add_item(ssl_dh_tree, hf->hf.hs_server_keyex_p, tvb,
12731 offset + 2, p_len, ENC_NA0x00000000);
12732 offset += 2 + p_len;
12733
12734 /* g */
12735 g_len = tvb_get_ntohs(tvb, offset);
12736 proto_tree_add_item(ssl_dh_tree, hf->hf.hs_server_keyex_g_len, tvb,
12737 offset, 2, ENC_BIG_ENDIAN0x00000000);
12738 proto_tree_add_item(ssl_dh_tree, hf->hf.hs_server_keyex_g, tvb,
12739 offset + 2, g_len, ENC_NA0x00000000);
12740 offset += 2 + g_len;
12741
12742 /* Ys */
12743 ys_len = tvb_get_ntohs(tvb, offset);
12744 proto_tree_add_uint(ssl_dh_tree, hf->hf.hs_server_keyex_ys_len, tvb,
12745 offset, 2, ys_len);
12746 proto_tree_add_item(ssl_dh_tree, hf->hf.hs_server_keyex_ys, tvb,
12747 offset + 2, ys_len, ENC_NA0x00000000);
12748 offset += 2 + ys_len;
12749
12750 /* Signature (if non-anonymous KEX) */
12751 if (!anon) {
12752 dissect_ssl3_hnd_srv_keyex_sig(hf, tvb, pinfo, ssl_dh_tree, offset, offset_end, version);
12753 }
12754}
12755
12756/* Only used in RSA-EXPORT cipher suites */
12757static void
12758dissect_ssl3_hnd_srv_keyex_rsa(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12759 proto_tree *tree, uint32_t offset, uint32_t offset_end,
12760 uint16_t version)
12761{
12762 int modulus_len, exponent_len;
12763 proto_tree *ssl_rsa_tree;
12764
12765 ssl_rsa_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
12766 hf->ett.keyex_params, NULL((void*)0), "RSA-EXPORT Server Params");
12767
12768 /* modulus */
12769 modulus_len = tvb_get_ntohs(tvb, offset);
12770 proto_tree_add_item(ssl_rsa_tree, hf->hf.hs_server_keyex_modulus_len, tvb,
12771 offset, 2, ENC_BIG_ENDIAN0x00000000);
12772 proto_tree_add_item(ssl_rsa_tree, hf->hf.hs_server_keyex_modulus, tvb,
12773 offset + 2, modulus_len, ENC_NA0x00000000);
12774 offset += 2 + modulus_len;
12775
12776 /* exponent */
12777 exponent_len = tvb_get_ntohs(tvb, offset);
12778 proto_tree_add_item(ssl_rsa_tree, hf->hf.hs_server_keyex_exponent_len,
12779 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
12780 proto_tree_add_item(ssl_rsa_tree, hf->hf.hs_server_keyex_exponent,
12781 tvb, offset + 2, exponent_len, ENC_NA0x00000000);
12782 offset += 2 + exponent_len;
12783
12784 /* Signature */
12785 dissect_ssl3_hnd_srv_keyex_sig(hf, tvb, pinfo, ssl_rsa_tree, offset, offset_end, version);
12786}
12787
12788/* Used in RSA PSK and PSK cipher suites */
12789static uint32_t
12790dissect_ssl3_hnd_srv_keyex_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12791 proto_tree *tree, uint32_t offset)
12792{
12793 unsigned hint_len;
12794 proto_tree *ssl_psk_tree;
12795
12796 ssl_psk_tree = proto_tree_add_subtree(tree, tvb, offset, -1,
12797 hf->ett.keyex_params, NULL((void*)0), "PSK Server Params");
12798
12799 /* hint */
12800 hint_len = tvb_get_ntohs(tvb, offset);
12801 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_server_keyex_hint_len, tvb,
12802 offset, 2, ENC_BIG_ENDIAN0x00000000);
12803 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_server_keyex_hint, tvb,
12804 offset + 2, hint_len, ENC_NA0x00000000);
12805
12806 proto_item_set_len(ssl_psk_tree, 2 + hint_len);
12807 return 2 + hint_len;
12808}
12809
12810/* Used in Diffie-Hellman PSK cipher suites */
12811static void
12812dissect_ssl3_hnd_srv_keyex_dhe_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12813 proto_tree *tree, uint32_t offset, uint32_t offset_end)
12814{
12815 /*
12816 * struct {
12817 * select (KeyExchangeAlgorithm) {
12818 * case diffie_hellman_psk:
12819 * opaque psk_identity_hint<0..2^16-1>;
12820 * ServerDHParams params;
12821 * };
12822 * } ServerKeyExchange;
12823 */
12824
12825 uint32_t psk_len = dissect_ssl3_hnd_srv_keyex_psk(hf, tvb, tree, offset);
12826 dissect_ssl3_hnd_srv_keyex_dhe(hf, tvb, pinfo, tree, offset + psk_len, offset_end, 0, true1);
12827}
12828
12829/* Used in EC Diffie-Hellman PSK cipher suites */
12830static void
12831dissect_ssl3_hnd_srv_keyex_ecdh_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12832 proto_tree *tree, uint32_t offset, uint32_t offset_end)
12833{
12834 /*
12835 * struct {
12836 * select (KeyExchangeAlgorithm) {
12837 * case ec_diffie_hellman_psk:
12838 * opaque psk_identity_hint<0..2^16-1>;
12839 * ServerECDHParams params;
12840 * };
12841 * } ServerKeyExchange;
12842 */
12843
12844 uint32_t psk_len = dissect_ssl3_hnd_srv_keyex_psk(hf, tvb, tree, offset);
12845 dissect_ssl3_hnd_srv_keyex_ecdh(hf, tvb, pinfo, tree, offset + psk_len, offset_end, 0, true1);
12846}
12847
12848/* Used in EC J-PAKE cipher suites */
12849static void
12850dissect_ssl3_hnd_srv_keyex_ecjpake(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12851 proto_tree *tree, uint32_t offset, uint32_t offset_end)
12852{
12853 /*
12854 * struct {
12855 * ECPoint V;
12856 * opaque r<1..2^8-1>;
12857 * } ECSchnorrZKP;
12858 *
12859 * struct {
12860 * ECPoint X;
12861 * ECSchnorrZKP zkp;
12862 * } ECJPAKEKeyKP;
12863 *
12864 * struct {
12865 * ECParameters curve_params;
12866 * ECJPAKEKeyKP ecjpake_key_kp;
12867 * } ServerECJPAKEParams;
12868 *
12869 * select (KeyExchangeAlgorithm) {
12870 * case ecjpake:
12871 * ServerECJPAKEParams params;
12872 * } ServerKeyExchange;
12873 */
12874
12875 int point_len;
12876 proto_tree *ssl_ecjpake_tree;
12877
12878 ssl_ecjpake_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
12879 hf->ett.keyex_params, NULL((void*)0),
12880 "EC J-PAKE Server Params");
12881
12882 offset = dissect_tls_ecparameters(hf, tvb, ssl_ecjpake_tree, offset, offset_end);
12883 if (offset >= offset_end)
12884 return; /* only named_curves are supported */
12885
12886 /* ECJPAKEKeyKP.X */
12887 point_len = tvb_get_uint8(tvb, offset);
12888 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_server_keyex_xs_len, tvb,
12889 offset, 1, ENC_BIG_ENDIAN0x00000000);
12890 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_server_keyex_xs, tvb,
12891 offset + 1, point_len, ENC_NA0x00000000);
12892 offset += 1 + point_len;
12893
12894 /* ECJPAKEKeyKP.zkp.V */
12895 point_len = tvb_get_uint8(tvb, offset);
12896 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_server_keyex_vs_len, tvb,
12897 offset, 1, ENC_BIG_ENDIAN0x00000000);
12898 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_server_keyex_vs, tvb,
12899 offset + 1, point_len, ENC_NA0x00000000);
12900 offset += 1 + point_len;
12901
12902 /* ECJPAKEKeyKP.zkp.r */
12903 point_len = tvb_get_uint8(tvb, offset);
12904 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_server_keyex_rs_len, tvb,
12905 offset, 1, ENC_BIG_ENDIAN0x00000000);
12906 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_server_keyex_rs, tvb,
12907 offset + 1, point_len, ENC_NA0x00000000);
12908}
12909
12910/* Only used in ECC-SM2-EXPORT cipher suites */
12911static void
12912dissect_ssl3_hnd_srv_keyex_ecc_sm2(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12913 proto_tree *tree, uint32_t offset, uint32_t offset_end,
12914 uint16_t version)
12915{
12916 proto_tree *ssl_ecc_sm2_tree;
12917
12918 ssl_ecc_sm2_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
12919 hf->ett.keyex_params, NULL((void*)0), "ECC-SM2-EXPORT Server Params");
12920
12921 /* Signature */
12922 dissect_ssl3_hnd_srv_keyex_sig(hf, tvb, pinfo, ssl_ecc_sm2_tree, offset, offset_end, version);
12923}
12924/* ServerKeyExchange algo-specific dissectors. }}} */
12925
12926/* Client Key Exchange and Server Key Exchange handshake dissections. {{{ */
12927void
12928ssl_dissect_hnd_cli_keyex(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12929 proto_tree *tree, uint32_t offset, uint32_t length,
12930 const SslSession *session)
12931{
12932 switch (ssl_get_keyex_alg(session->cipher)) {
12933 case KEX_DH_ANON0x13: /* RFC 5246; DHE_DSS, DHE_RSA, DH_DSS, DH_RSA, DH_ANON: ClientDiffieHellmanPublic */
12934 case KEX_DH_DSS0x14:
12935 case KEX_DH_RSA0x15:
12936 case KEX_DHE_DSS0x10:
12937 case KEX_DHE_RSA0x12:
12938 dissect_ssl3_hnd_cli_keyex_dhe(hf, tvb, tree, offset, length);
12939 break;
12940 case KEX_DHE_PSK0x11: /* RFC 4279; diffie_hellman_psk: psk_identity, ClientDiffieHellmanPublic */
12941 dissect_ssl3_hnd_cli_keyex_dhe_psk(hf, tvb, tree, offset, length);
12942 break;
12943 case KEX_ECDH_ANON0x19: /* RFC 4492; ec_diffie_hellman: ClientECDiffieHellmanPublic */
12944 case KEX_ECDH_ECDSA0x1a:
12945 case KEX_ECDH_RSA0x1b:
12946 case KEX_ECDHE_ECDSA0x16:
12947 case KEX_ECDHE_RSA0x18:
12948 dissect_ssl3_hnd_cli_keyex_ecdh(hf, tvb, tree, offset, length);
12949 break;
12950 case KEX_ECDHE_PSK0x17: /* RFC 5489; ec_diffie_hellman_psk: psk_identity, ClientECDiffieHellmanPublic */
12951 dissect_ssl3_hnd_cli_keyex_ecdh_psk(hf, tvb, tree, offset, length);
12952 break;
12953 case KEX_KRB50x1c: /* RFC 2712; krb5: KerberosWrapper */
12954 /* XXX: implement support for KRB5 */
12955 proto_tree_add_expert_format(tree, NULL((void*)0), &hf->ei.hs_ciphersuite_undecoded,
12956 tvb, offset, length,
12957 "Kerberos ciphersuites (RFC 2712) are not implemented, contact Wireshark"
12958 " developers if you want them to be supported");
12959 break;
12960 case KEX_PSK0x1d: /* RFC 4279; psk: psk_identity */
12961 dissect_ssl3_hnd_cli_keyex_psk(hf, tvb, tree, offset);
12962 break;
12963 case KEX_RSA0x1e: /* RFC 5246; rsa: EncryptedPreMasterSecret */
12964 dissect_ssl3_hnd_cli_keyex_rsa(hf, tvb, tree, offset, length, session);
12965 break;
12966 case KEX_RSA_PSK0x1f: /* RFC 4279; rsa_psk: psk_identity, EncryptedPreMasterSecret */
12967 dissect_ssl3_hnd_cli_keyex_rsa_psk(hf, tvb, tree, offset, length);
12968 break;
12969 case KEX_SRP_SHA0x20: /* RFC 5054; srp: ClientSRPPublic */
12970 case KEX_SRP_SHA_DSS0x21:
12971 case KEX_SRP_SHA_RSA0x22:
12972 /* XXX: implement support for SRP_SHA* */
12973 proto_tree_add_expert_format(tree, NULL((void*)0), &hf->ei.hs_ciphersuite_undecoded,
12974 tvb, offset, length,
12975 "SRP_SHA ciphersuites (RFC 5054) are not implemented, contact Wireshark"
12976 " developers if you want them to be supported");
12977 break;
12978 case KEX_ECJPAKE0x24: /* https://tools.ietf.org/html/draft-cragie-tls-ecjpake-01 used in Thread Commissioning */
12979 dissect_ssl3_hnd_cli_keyex_ecjpake(hf, tvb, tree, offset, length);
12980 break;
12981 case KEX_ECC_SM20x26: /* GB/T 38636 */
12982 dissect_ssl3_hnd_cli_keyex_ecc_sm2(hf, tvb, tree, offset, length);
12983 break;
12984 default:
12985 if (session->cipher == 0) {
12986 proto_tree_add_expert_format(tree, NULL((void*)0), &hf->ei.hs_ciphersuite_undecoded,
12987 tvb, offset, length,
12988 "Cipher Suite not found");
12989 } else {
12990 proto_tree_add_expert_format(tree, NULL((void*)0), &hf->ei.hs_ciphersuite_undecoded,
12991 tvb, offset, length,
12992 "Cipher Suite 0x%04x is not implemented, "
12993 "contact Wireshark developers if you want this to be supported",
12994 session->cipher);
12995 }
12996 break;
12997 }
12998}
12999
13000void
13001ssl_dissect_hnd_srv_keyex(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
13002 proto_tree *tree, uint32_t offset, uint32_t offset_end,
13003 const SslSession *session)
13004{
13005 switch (ssl_get_keyex_alg(session->cipher)) {
13006 case KEX_DH_ANON0x13: /* RFC 5246; ServerDHParams */
13007 dissect_ssl3_hnd_srv_keyex_dhe(hf, tvb, pinfo, tree, offset, offset_end, session->version, true1);
13008 break;
13009 case KEX_DH_DSS0x14: /* RFC 5246; not allowed */
13010 case KEX_DH_RSA0x15:
13011 proto_tree_add_expert(tree, NULL((void*)0), &hf->ei.hs_srv_keyex_illegal,
13012 tvb, offset, offset_end - offset);
13013 break;
13014 case KEX_DHE_DSS0x10: /* RFC 5246; dhe_dss, dhe_rsa: ServerDHParams, Signature */
13015 case KEX_DHE_RSA0x12:
13016 dissect_ssl3_hnd_srv_keyex_dhe(hf, tvb, pinfo, tree, offset, offset_end, session->version, false0);
13017 break;
13018 case KEX_DHE_PSK0x11: /* RFC 4279; diffie_hellman_psk: psk_identity_hint, ServerDHParams */
13019 dissect_ssl3_hnd_srv_keyex_dhe_psk(hf, tvb, pinfo, tree, offset, offset_end);
13020 break;
13021 case KEX_ECDH_ANON0x19: /* RFC 4492; ec_diffie_hellman: ServerECDHParams (without signature for anon) */
13022 dissect_ssl3_hnd_srv_keyex_ecdh(hf, tvb, pinfo, tree, offset, offset_end, session->version, true1);
13023 break;
13024 case KEX_ECDHE_PSK0x17: /* RFC 5489; psk_identity_hint, ServerECDHParams */
13025 dissect_ssl3_hnd_srv_keyex_ecdh_psk(hf, tvb, pinfo, tree, offset, offset_end);
13026 break;
13027 case KEX_ECDH_ECDSA0x1a: /* RFC 4492; ec_diffie_hellman: ServerECDHParams, Signature */
13028 case KEX_ECDH_RSA0x1b:
13029 case KEX_ECDHE_ECDSA0x16:
13030 case KEX_ECDHE_RSA0x18:
13031 dissect_ssl3_hnd_srv_keyex_ecdh(hf, tvb, pinfo, tree, offset, offset_end, session->version, false0);
13032 break;
13033 case KEX_KRB50x1c: /* RFC 2712; not allowed */
13034 proto_tree_add_expert(tree, NULL((void*)0), &hf->ei.hs_srv_keyex_illegal,
13035 tvb, offset, offset_end - offset);
13036 break;
13037 case KEX_PSK0x1d: /* RFC 4279; psk, rsa: psk_identity */
13038 case KEX_RSA_PSK0x1f:
13039 dissect_ssl3_hnd_srv_keyex_psk(hf, tvb, tree, offset);
13040 break;
13041 case KEX_RSA0x1e: /* only allowed if the public key in the server certificate is longer than 512 bits */
13042 dissect_ssl3_hnd_srv_keyex_rsa(hf, tvb, pinfo, tree, offset, offset_end, session->version);
13043 break;
13044 case KEX_ECC_SM20x26: /* GB/T 38636 */
13045 dissect_ssl3_hnd_srv_keyex_ecc_sm2(hf, tvb, pinfo, tree, offset, offset_end, session->version);
13046 break;
13047 case KEX_SRP_SHA0x20: /* RFC 5054; srp: ServerSRPParams, Signature */
13048 case KEX_SRP_SHA_DSS0x21:
13049 case KEX_SRP_SHA_RSA0x22:
13050 /* XXX: implement support for SRP_SHA* */
13051 proto_tree_add_expert_format(tree, NULL((void*)0), &hf->ei.hs_ciphersuite_undecoded,
13052 tvb, offset, offset_end - offset,
13053 "SRP_SHA ciphersuites (RFC 5054) are not implemented, contact Wireshark"
13054 " developers if you want them to be supported");
13055 break;
13056 case KEX_ECJPAKE0x24: /* https://tools.ietf.org/html/draft-cragie-tls-ecjpake-01 used in Thread Commissioning */
13057 dissect_ssl3_hnd_srv_keyex_ecjpake(hf, tvb, tree, offset, offset_end);
13058 break;
13059 default:
13060 if (session->cipher == 0) {
13061 proto_tree_add_expert_format(tree, NULL((void*)0), &hf->ei.hs_ciphersuite_undecoded,
13062 tvb, offset, offset_end - offset,
13063 "Cipher Suite not found");
13064 } else {
13065 proto_tree_add_expert_format(tree, NULL((void*)0), &hf->ei.hs_ciphersuite_undecoded,
13066 tvb, offset, offset_end - offset,
13067 "Cipher Suite 0x%04x is not implemented, "
13068 "contact Wireshark developers if you want this to be supported",
13069 session->cipher);
13070 }
13071 break;
13072 }
13073}
13074/* Client Key Exchange and Server Key Exchange handshake dissections. }}} */
13075
13076void
13077tls13_dissect_hnd_key_update(ssl_common_dissect_t *hf, tvbuff_t *tvb,
13078 proto_tree *tree, uint32_t offset)
13079{
13080 /* RFC 8446 Section 4.6.3
13081 * enum {
13082 * update_not_requested(0), update_requested(1), (255)
13083 * } KeyUpdateRequest;
13084 *
13085 * struct {
13086 * KeyUpdateRequest request_update;
13087 * } KeyUpdate;
13088 */
13089 proto_tree_add_item(tree, hf->hf.hs_key_update_request_update, tvb, offset, 1, ENC_NA0x00000000);
13090}
13091
13092void
13093ssl_common_register_ssl_alpn_dissector_table(const char *name,
13094 const char *ui_name, const int proto)
13095{
13096 ssl_alpn_dissector_table = register_dissector_table(name, ui_name,
13097 proto, FT_STRING, STRING_CASE_SENSITIVE0);
13098 register_dissector_table_alias(ssl_alpn_dissector_table, "ssl.handshake.extensions_alpn_str");
13099}
13100
13101void
13102ssl_common_register_dtls_alpn_dissector_table(const char *name,
13103 const char *ui_name, const int proto)
13104{
13105 dtls_alpn_dissector_table = register_dissector_table(name, ui_name,
13106 proto, FT_STRING, STRING_CASE_SENSITIVE0);
13107 register_dissector_table_alias(ssl_alpn_dissector_table, "dtls.handshake.extensions_alpn_str");
13108}
13109
13110void
13111ssl_common_register_options(module_t *module, ssl_common_options_t *options, bool_Bool is_dtls)
13112{
13113 prefs_register_string_preference(module, "psk", "Pre-Shared Key",
13114 "Pre-Shared Key as HEX string. Should be 0 to 16 bytes.",
13115 &(options->psk));
13116
13117 if (is_dtls) {
13118 prefs_register_obsolete_preference(module, "keylog_file");
13119 prefs_register_static_text_preference(module, "keylog_file_removed",
13120 "The (Pre)-Master-Secret log filename preference can be configured in the TLS protocol preferences.",
13121 "Use the TLS protocol preference to configure the keylog file for both DTLS and TLS.");
13122 return;
13123 }
13124
13125 prefs_register_filename_preference(module, "keylog_file", "(Pre)-Master-Secret log filename",
13126 "The name of a file which contains a list of \n"
13127 "(pre-)master secrets in one of the following formats:\n"
13128 "\n"
13129 "RSA <EPMS> <PMS>\n"
13130 "RSA Session-ID:<SSLID> Master-Key:<MS>\n"
13131 "CLIENT_RANDOM <CRAND> <MS>\n"
13132 "PMS_CLIENT_RANDOM <CRAND> <PMS>\n"
13133 "\n"
13134 "Where:\n"
13135 "<EPMS> = First 8 bytes of the Encrypted PMS\n"
13136 "<PMS> = The Pre-Master-Secret (PMS) used to derive the MS\n"
13137 "<SSLID> = The SSL Session ID\n"
13138 "<MS> = The Master-Secret (MS)\n"
13139 "<CRAND> = The Client's random number from the ClientHello message\n"
13140 "\n"
13141 "(All fields are in hex notation)",
13142 &(options->keylog_filename), false0);
13143}
13144
13145void
13146ssl_calculate_handshake_hash(SslDecryptSession *ssl_session, tvbuff_t *tvb, uint32_t offset, uint32_t length, uint8_t msg_type, bool_Bool is_from_server)
13147{
13148 /* The handshake transcript can be used in [D]TLS 1.2 for the extended
13149 * master secret of RFC 7627, and in [D]TLS 1.3 for computing the secrets,
13150 * though the latter is only useful when pke_ke (PSK-only key exchange) is
13151 * negotiated. */
13152 if (!ssl_session)
13153 return;
13154
13155 switch (ssl_session->session.version) {
13156 /* The handshake message types used in the handshake hash are different
13157 * in different versions. [D]TLS 1.3 tracks the messages up to the
13158 * Finished, whereas 1.2 stops at the ClientKeyExchange. However, all start
13159 * at the ClientHello and include the messages up to the ServerHello, at
13160 * which point we know the version.
13161 *
13162 * XXX - However, DTLS 1.2 includes the DTLS-specific fragment info fields
13163 * in its handshake transcript, whereas DTLS 1.3 does not (using the same
13164 * format as TLS 1.3). We don't know at the point of the ClientHello which
13165 * version will be used, so PSK only likely doesn't work for DTLS 1.3 yet.
13166 *
13167 * XXX - When the server responds with a HelloRetryRequest, for subsequent
13168 * hashes (other than the first PSK Binder, see 4.2.11.2) ClientHello1 is
13169 * replaced with a synthentic handhsake message of type "message_hash",
13170 * per RFC 8446 4.4.1. We aren't concerned with that now, as a HRR generally
13171 * rules out PSK-only key exchange, which is what we calculate the hash for
13172 * here. (The possible exception is when a server sends a HRR to reject
13173 * early data but the server and client otherwise agree on psk_ke, if
13174 * any client/server pairs support that.) We do support that in the context
13175 * of computing the hash for Encrypted Client Hello; see elsewhere.
13176 */
13177 case TLSV1DOT3_VERSION0x304:
13178 case DTLSV1DOT3_VERSION0xfefc:
13179 /* In [D]TLS 1.3 only the following handshake messages are used in the
13180 * handshake transcript. EndOfEarlyData and the Client Certificate,
13181 * Certificate Verify, and Finished are used in deriving the
13182 * resumption_master_secret but not the other secrets derived from
13183 * the master secret (client or server app traffic secret, exporter
13184 * secret). We don't yet support calculating a PSK to resume via
13185 * the resumption_master_secret, so we simply stop the transcript
13186 * with the server Finished. See RFC 8446 4.4.1 & 7.1 */
13187 switch (msg_type) {
13188 case SSL_HND_CLIENT_HELLO:
13189 case SSL_HND_SERVER_HELLO:
13190 case SSL_HND_HELLO_RETRY_REQUEST:
13191 case SSL_HND_ENCRYPTED_EXTENSIONS:
13192 case SSL_HND_CERT_REQUEST:
13193 break;
13194 case SSL_HND_CERTIFICATE:
13195 case SSL_HND_CERT_VERIFY:
13196 case SSL_HND_FINISHED:
13197 if (!is_from_server)
13198 return;
13199 break;
13200 case SSL_HND_END_OF_EARLY_DATA:
13201 default:
13202 return;
13203 }
13204 break;
13205 default:
13206 /* In [D]TLS 1.2, the handshake hash for the Extended Master Secret
13207 * (RFC 7627) is calculated up to and including ClientKeyExchange,
13208 * but the keys are not retrieved until ChangeCipherSpec later. If
13209 * mutual authentication is requested by the server, an intervening
13210 * CertificateVerify message can be sent but is not to be included
13211 * in the hash. */
13212 if (msg_type == SSL_HND_CERT_VERIFY)
13213 return;
13214 if (ssl_session->state & SSL_MASTER_SECRET(1<<5))
13215 return;
13216 break;
13217 }
13218
13219 uint32_t old_length = ssl_session->handshake_data.data_len;
13220 ssl_debug_printf("Calculating hash with offset %d %d\n", offset, length);
13221 if (tvb) {
13222 if (tvb_bytes_exist(tvb, offset, length)) {
13223 ssl_session->handshake_data.data = (unsigned char *)wmem_realloc(wmem_file_scope(), ssl_session->handshake_data.data, old_length + length);
13224 tvb_memcpy(tvb, ssl_session->handshake_data.data + old_length, offset, length);
13225 ssl_session->handshake_data.data_len += length;
13226 }
13227 } else {
13228 /* DTLS calculates the hash as if each handshake message had been
13229 * sent as a single fragment (RFC 6347, section 4.2.6) and passes
13230 * in a null tvbuff to add 3 bytes for a zero fragment offset.
13231 */
13232 DISSECTOR_ASSERT_CMPINT(length, <, 4)((void) ((length < 4) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion " "length" " " "<" " " "4" " (" "%"
"l" "d" " " "<" " " "%" "l" "d" ")", "epan/dissectors/packet-tls-utils.c"
, 13232, (int64_t)length, (int64_t)4))))
;
13233 ssl_session->handshake_data.data = (unsigned char *)wmem_realloc(wmem_file_scope(), ssl_session->handshake_data.data, old_length + length);
13234 memset(ssl_session->handshake_data.data + old_length, 0, length);
13235 ssl_session->handshake_data.data_len += length;
13236 }
13237}
13238
13239
13240/*
13241 * Editor modelines - https://www.wireshark.org/tools/modelines.html
13242 *
13243 * Local variables:
13244 * c-basic-offset: 4
13245 * tab-width: 8
13246 * indent-tabs-mode: nil
13247 * End:
13248 *
13249 * vi: set shiftwidth=4 tabstop=8 expandtab:
13250 * :indentSize=4:tabSize=8:noTabs=true:
13251 */