Bug Summary

File:builds/wireshark/wireshark/epan/dissectors/packet-tls-utils.c
Warning:line 4072, column 17
Potential leak of memory pointed to by 'handshake_hashed_data.data'

Annotated Source Code

Press '?' to see keyboard shortcuts

clang -cc1 -cc1 -triple x86_64-pc-linux-gnu -analyze -disable-free -clear-ast-before-backend -disable-llvm-verifier -discard-value-names -main-file-name packet-tls-utils.c -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -mrelocation-model pic -pic-level 2 -fhalf-no-semantic-interposition -fno-delete-null-pointer-checks -mframe-pointer=all -relaxed-aliasing -fmath-errno -ffp-contract=on -fno-rounding-math -ffloat16-excess-precision=fast -fbfloat16-excess-precision=fast -mconstructor-aliases -funwind-tables=2 -target-cpu x86-64 -tune-cpu generic -debugger-tuning=gdb -fdebug-compilation-dir=/builds/wireshark/wireshark/build -fcoverage-compilation-dir=/builds/wireshark/wireshark/build -resource-dir /usr/lib/llvm-22/lib/clang/22 -isystem /usr/include/glib-2.0 -isystem /usr/lib/x86_64-linux-gnu/glib-2.0/include -isystem /builds/wireshark/wireshark/epan/dissectors -isystem /builds/wireshark/wireshark/build/epan/dissectors -isystem /usr/include/mit-krb5 -isystem /usr/include/libxml2 -isystem /builds/wireshark/wireshark/epan -D CARES_NO_DEPRECATED -D G_DISABLE_DEPRECATED -D G_DISABLE_SINGLE_INCLUDES -D WS_BUILD_DLL -D WS_DEBUG -D WS_DEBUG_UTF_8 -I /builds/wireshark/wireshark/build -I /builds/wireshark/wireshark -I /builds/wireshark/wireshark/include -D _GLIBCXX_ASSERTIONS -internal-isystem /usr/lib/llvm-22/lib/clang/22/include -internal-isystem /usr/local/include -internal-isystem /usr/lib/gcc/x86_64-linux-gnu/16/../../../../x86_64-linux-gnu/include -internal-externc-isystem /usr/include/x86_64-linux-gnu -internal-externc-isystem /include -internal-externc-isystem /usr/include -fmacro-prefix-map=/builds/wireshark/wireshark/= -fmacro-prefix-map=/builds/wireshark/wireshark/build/= -fmacro-prefix-map=../= -Wno-format-nonliteral -std=gnu17 -ferror-limit 19 -fvisibility=hidden -fwrapv -fwrapv-pointer -fstrict-flex-arrays=3 -stack-protector 2 -fstack-clash-protection -fcf-protection=full -fgnuc-version=4.2.1 -fskip-odr-check-in-gmf -fexceptions -fcolor-diagnostics -analyzer-output=html -faddrsig -fdwarf2-cfi-asm -o /builds/wireshark/wireshark/sbout/2026-07-13-100348-3642-1 -x c /builds/wireshark/wireshark/epan/dissectors/packet-tls-utils.c
1/* packet-tls-utils.c
2 * ssl manipulation functions
3 * By Paolo Abeni <[email protected]>
4 *
5 * Copyright (c) 2013, Hauke Mehrtens <[email protected]>
6 * Copyright (c) 2014, Peter Wu <[email protected]>
7 *
8 * Wireshark - Network traffic analyzer
9 * By Gerald Combs <[email protected]>
10 * Copyright 1998 Gerald Combs
11 *
12 * SPDX-License-Identifier: GPL-2.0-or-later
13 */
14
15#include "config.h"
16
17#include <stdlib.h>
18#include <errno(*__errno_location ()).h>
19
20#include <epan/packet.h>
21#include <epan/strutil.h>
22#include <epan/addr_resolv.h>
23#include <epan/expert.h>
24#include <epan/asn1.h>
25#include <epan/proto_data.h>
26#include <epan/oids.h>
27#include <epan/secrets.h>
28
29#include <wsutil/inet_cidr.h>
30#include <wsutil/filesystem.h>
31#include <wsutil/file_util.h>
32#include <wsutil/str_util.h>
33#include <wsutil/report_message.h>
34#include <wsutil/pint.h>
35#include <wsutil/strtoi.h>
36#include <wsutil/wsgcrypt.h>
37#include <wsutil/rsa.h>
38#include <wsutil/ws_assert.h>
39#include <wsutil/zlib_compat.h>
40#include "packet-ber.h"
41#include "packet-x509af.h"
42#include "packet-x509if.h"
43#include "packet-tls-utils.h"
44#include "packet-ocsp.h"
45#include "packet-tls.h"
46#include "packet-dtls.h"
47#include "packet-quic.h"
48#if defined(HAVE_LIBGNUTLS1)
49#include <gnutls/abstract.h>
50#include <gnutls/x509.h>
51#include <gnutls/pkcs12.h>
52#endif
53
54/* JA3/JA3S calculations must ignore GREASE values
55 * as described in RFC 8701.
56 */
57#define IS_GREASE_TLS(x)((((x) & 0x0f0f) == 0x0a0a) && (((x) & 0xff) ==
(((x)>>8) & 0xff)))
((((x) & 0x0f0f) == 0x0a0a) && \
58 (((x) & 0xff) == (((x)>>8) & 0xff)))
59
60/* Section 22.3 of RFC 9000 (QUIC) reserves values of this
61 * form for a similar purpose as GREASE.
62 */
63#define IS_GREASE_QUIC(x)((x) > 27 ? ((((x) - 27) % 31) == 0) : 0) ((x) > 27 ? ((((x) - 27) % 31) == 0) : 0)
64
65#define DTLS13_MAX_EPOCH10 10
66
67/* Lookup tables {{{ */
68const value_string ssl_version_short_names[] = {
69 { SSLV2_VERSION0x0002, "SSLv2" },
70 { SSLV3_VERSION0x300, "SSLv3" },
71 { TLSV1_VERSION0x301, "TLSv1" },
72 { TLCPV1_VERSION0x101, "TLCP" },
73 { TLSV1DOT1_VERSION0x302, "TLSv1.1" },
74 { TLSV1DOT2_VERSION0x303, "TLSv1.2" },
75 { TLSV1DOT3_VERSION0x304, "TLSv1.3" },
76 { DTLSV1DOT0_VERSION0xfeff, "DTLSv1.0" },
77 { DTLSV1DOT2_VERSION0xfefd, "DTLSv1.2" },
78 { DTLSV1DOT3_VERSION0xfefc, "DTLSv1.3" },
79 { DTLSV1DOT0_OPENSSL_VERSION0x100, "DTLS 1.0 (OpenSSL pre 0.9.8f)" },
80 { 0x00, NULL((void*)0) }
81};
82
83const value_string ssl_versions[] = {
84 { SSLV2_VERSION0x0002, "SSL 2.0" },
85 { SSLV3_VERSION0x300, "SSL 3.0" },
86 { TLSV1_VERSION0x301, "TLS 1.0" },
87 { TLCPV1_VERSION0x101, "TLCP" },
88 { TLSV1DOT1_VERSION0x302, "TLS 1.1" },
89 { TLSV1DOT2_VERSION0x303, "TLS 1.2" },
90 { TLSV1DOT3_VERSION0x304, "TLS 1.3" },
91 { 0x7F0E, "TLS 1.3 (draft 14)" },
92 { 0x7F0F, "TLS 1.3 (draft 15)" },
93 { 0x7F10, "TLS 1.3 (draft 16)" },
94 { 0x7F11, "TLS 1.3 (draft 17)" },
95 { 0x7F12, "TLS 1.3 (draft 18)" },
96 { 0x7F13, "TLS 1.3 (draft 19)" },
97 { 0x7F14, "TLS 1.3 (draft 20)" },
98 { 0x7F15, "TLS 1.3 (draft 21)" },
99 { 0x7F16, "TLS 1.3 (draft 22)" },
100 { 0x7F17, "TLS 1.3 (draft 23)" },
101 { 0x7F18, "TLS 1.3 (draft 24)" },
102 { 0x7F19, "TLS 1.3 (draft 25)" },
103 { 0x7F1A, "TLS 1.3 (draft 26)" },
104 { 0x7F1B, "TLS 1.3 (draft 27)" },
105 { 0x7F1C, "TLS 1.3 (draft 28)" },
106 { 0xFB17, "TLS 1.3 (Facebook draft 23)" },
107 { 0xFB1A, "TLS 1.3 (Facebook draft 26)" },
108 { DTLSV1DOT0_OPENSSL_VERSION0x100, "DTLS 1.0 (OpenSSL pre 0.9.8f)" },
109 { DTLSV1DOT0_VERSION0xfeff, "DTLS 1.0" },
110 { DTLSV1DOT2_VERSION0xfefd, "DTLS 1.2" },
111 { DTLSV1DOT3_VERSION0xfefc, "DTLS 1.3" },
112 { 0x0A0A, "Reserved (GREASE)" }, /* RFC 8701 */
113 { 0x1A1A, "Reserved (GREASE)" }, /* RFC 8701 */
114 { 0x2A2A, "Reserved (GREASE)" }, /* RFC 8701 */
115 { 0x3A3A, "Reserved (GREASE)" }, /* RFC 8701 */
116 { 0x4A4A, "Reserved (GREASE)" }, /* RFC 8701 */
117 { 0x5A5A, "Reserved (GREASE)" }, /* RFC 8701 */
118 { 0x6A6A, "Reserved (GREASE)" }, /* RFC 8701 */
119 { 0x7A7A, "Reserved (GREASE)" }, /* RFC 8701 */
120 { 0x8A8A, "Reserved (GREASE)" }, /* RFC 8701 */
121 { 0x9A9A, "Reserved (GREASE)" }, /* RFC 8701 */
122 { 0xAAAA, "Reserved (GREASE)" }, /* RFC 8701 */
123 { 0xBABA, "Reserved (GREASE)" }, /* RFC 8701 */
124 { 0xCACA, "Reserved (GREASE)" }, /* RFC 8701 */
125 { 0xDADA, "Reserved (GREASE)" }, /* RFC 8701 */
126 { 0xEAEA, "Reserved (GREASE)" }, /* RFC 8701 */
127 { 0xFAFA, "Reserved (GREASE)" }, /* RFC 8701 */
128 { 0x00, NULL((void*)0) }
129};
130
131static const value_string ssl_version_ja4_names[] = {
132 { 0x0100, "s1" },
133 { SSLV2_VERSION0x0002, "s2" },
134 { SSLV3_VERSION0x300, "s3" },
135 { TLSV1_VERSION0x301, "10" },
136 { TLSV1DOT1_VERSION0x302, "11" },
137 { TLSV1DOT2_VERSION0x303, "12" },
138 { TLSV1DOT3_VERSION0x304, "13" },
139 { DTLSV1DOT0_VERSION0xfeff, "d1" },
140 { DTLSV1DOT2_VERSION0xfefd, "d2" },
141 { DTLSV1DOT3_VERSION0xfefc, "d3" },
142 { 0x00, NULL((void*)0) }
143};
144
145const value_string ssl_20_msg_types[] = {
146 { SSL2_HND_ERROR0x00, "Error" },
147 { SSL2_HND_CLIENT_HELLO0x01, "Client Hello" },
148 { SSL2_HND_CLIENT_MASTER_KEY0x02, "Client Master Key" },
149 { SSL2_HND_CLIENT_FINISHED0x03, "Client Finished" },
150 { SSL2_HND_SERVER_HELLO0x04, "Server Hello" },
151 { SSL2_HND_SERVER_VERIFY0x05, "Server Verify" },
152 { SSL2_HND_SERVER_FINISHED0x06, "Server Finished" },
153 { SSL2_HND_REQUEST_CERTIFICATE0x07, "Request Certificate" },
154 { SSL2_HND_CLIENT_CERTIFICATE0x08, "Client Certificate" },
155 { 0x00, NULL((void*)0) }
156};
157/* http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml */
158/* Note: sorted by ascending value so value_string-ext can do a binary search */
159static const value_string ssl_20_cipher_suites[] = {
160 { 0x000000, "TLS_NULL_WITH_NULL_NULL" },
161 { 0x000001, "TLS_RSA_WITH_NULL_MD5" },
162 { 0x000002, "TLS_RSA_WITH_NULL_SHA" },
163 { 0x000003, "TLS_RSA_EXPORT_WITH_RC4_40_MD5" },
164 { 0x000004, "TLS_RSA_WITH_RC4_128_MD5" },
165 { 0x000005, "TLS_RSA_WITH_RC4_128_SHA" },
166 { 0x000006, "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5" },
167 { 0x000007, "TLS_RSA_WITH_IDEA_CBC_SHA" },
168 { 0x000008, "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA" },
169 { 0x000009, "TLS_RSA_WITH_DES_CBC_SHA" },
170 { 0x00000a, "TLS_RSA_WITH_3DES_EDE_CBC_SHA" },
171 { 0x00000b, "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA" },
172 { 0x00000c, "TLS_DH_DSS_WITH_DES_CBC_SHA" },
173 { 0x00000d, "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA" },
174 { 0x00000e, "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA" },
175 { 0x00000f, "TLS_DH_RSA_WITH_DES_CBC_SHA" },
176 { 0x000010, "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA" },
177 { 0x000011, "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA" },
178 { 0x000012, "TLS_DHE_DSS_WITH_DES_CBC_SHA" },
179 { 0x000013, "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA" },
180 { 0x000014, "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA" },
181 { 0x000015, "TLS_DHE_RSA_WITH_DES_CBC_SHA" },
182 { 0x000016, "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA" },
183 { 0x000017, "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5" },
184 { 0x000018, "TLS_DH_anon_WITH_RC4_128_MD5" },
185 { 0x000019, "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA" },
186 { 0x00001a, "TLS_DH_anon_WITH_DES_CBC_SHA" },
187 { 0x00001b, "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA" },
188 { 0x00001c, "SSL_FORTEZZA_KEA_WITH_NULL_SHA" },
189 { 0x00001d, "SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA" },
190#if 0
191 { 0x00001e, "SSL_FORTEZZA_KEA_WITH_RC4_128_SHA" },
192#endif
193 /* RFC 2712 */
194 { 0x00001E, "TLS_KRB5_WITH_DES_CBC_SHA" },
195 { 0x00001F, "TLS_KRB5_WITH_3DES_EDE_CBC_SHA" },
196 { 0x000020, "TLS_KRB5_WITH_RC4_128_SHA" },
197 { 0x000021, "TLS_KRB5_WITH_IDEA_CBC_SHA" },
198 { 0x000022, "TLS_KRB5_WITH_DES_CBC_MD5" },
199 { 0x000023, "TLS_KRB5_WITH_3DES_EDE_CBC_MD5" },
200 { 0x000024, "TLS_KRB5_WITH_RC4_128_MD5" },
201 { 0x000025, "TLS_KRB5_WITH_IDEA_CBC_MD5" },
202 { 0x000026, "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA" },
203 { 0x000027, "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA" },
204 { 0x000028, "TLS_KRB5_EXPORT_WITH_RC4_40_SHA" },
205 { 0x000029, "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5" },
206 { 0x00002A, "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5" },
207 { 0x00002B, "TLS_KRB5_EXPORT_WITH_RC4_40_MD5" },
208 /* RFC 4785 */
209 { 0x00002C, "TLS_PSK_WITH_NULL_SHA" },
210 { 0x00002D, "TLS_DHE_PSK_WITH_NULL_SHA" },
211 { 0x00002E, "TLS_RSA_PSK_WITH_NULL_SHA" },
212 /* RFC 5246 */
213 { 0x00002f, "TLS_RSA_WITH_AES_128_CBC_SHA" },
214 { 0x000030, "TLS_DH_DSS_WITH_AES_128_CBC_SHA" },
215 { 0x000031, "TLS_DH_RSA_WITH_AES_128_CBC_SHA" },
216 { 0x000032, "TLS_DHE_DSS_WITH_AES_128_CBC_SHA" },
217 { 0x000033, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA" },
218 { 0x000034, "TLS_DH_anon_WITH_AES_128_CBC_SHA" },
219 { 0x000035, "TLS_RSA_WITH_AES_256_CBC_SHA" },
220 { 0x000036, "TLS_DH_DSS_WITH_AES_256_CBC_SHA" },
221 { 0x000037, "TLS_DH_RSA_WITH_AES_256_CBC_SHA" },
222 { 0x000038, "TLS_DHE_DSS_WITH_AES_256_CBC_SHA" },
223 { 0x000039, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA" },
224 { 0x00003A, "TLS_DH_anon_WITH_AES_256_CBC_SHA" },
225 { 0x00003B, "TLS_RSA_WITH_NULL_SHA256" },
226 { 0x00003C, "TLS_RSA_WITH_AES_128_CBC_SHA256" },
227 { 0x00003D, "TLS_RSA_WITH_AES_256_CBC_SHA256" },
228 { 0x00003E, "TLS_DH_DSS_WITH_AES_128_CBC_SHA256" },
229 { 0x00003F, "TLS_DH_RSA_WITH_AES_128_CBC_SHA256" },
230 { 0x000040, "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256" },
231 { 0x000041, "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA" },
232 { 0x000042, "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA" },
233 { 0x000043, "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA" },
234 { 0x000044, "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA" },
235 { 0x000045, "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA" },
236 { 0x000046, "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA" },
237 { 0x000047, "TLS_ECDH_ECDSA_WITH_NULL_SHA" },
238 { 0x000048, "TLS_ECDH_ECDSA_WITH_RC4_128_SHA" },
239 { 0x000049, "TLS_ECDH_ECDSA_WITH_DES_CBC_SHA" },
240 { 0x00004A, "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA" },
241 { 0x00004B, "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA" },
242 { 0x00004C, "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" },
243 { 0x000060, "TLS_RSA_EXPORT1024_WITH_RC4_56_MD5" },
244 { 0x000061, "TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5" },
245 { 0x000062, "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA" },
246 { 0x000063, "TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA" },
247 { 0x000064, "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA" },
248 { 0x000065, "TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA" },
249 { 0x000066, "TLS_DHE_DSS_WITH_RC4_128_SHA" },
250 { 0x000067, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256" },
251 { 0x000068, "TLS_DH_DSS_WITH_AES_256_CBC_SHA256" },
252 { 0x000069, "TLS_DH_RSA_WITH_AES_256_CBC_SHA256" },
253 { 0x00006A, "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256" },
254 { 0x00006B, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256" },
255 { 0x00006C, "TLS_DH_anon_WITH_AES_128_CBC_SHA256" },
256 { 0x00006D, "TLS_DH_anon_WITH_AES_256_CBC_SHA256" },
257 /* 0x00,0x6E-83 Unassigned */
258 { 0x000084, "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA" },
259 { 0x000085, "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA" },
260 { 0x000086, "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA" },
261 { 0x000087, "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA" },
262 { 0x000088, "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA" },
263 { 0x000089, "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA" },
264 /* RFC 4279 */
265 { 0x00008A, "TLS_PSK_WITH_RC4_128_SHA" },
266 { 0x00008B, "TLS_PSK_WITH_3DES_EDE_CBC_SHA" },
267 { 0x00008C, "TLS_PSK_WITH_AES_128_CBC_SHA" },
268 { 0x00008D, "TLS_PSK_WITH_AES_256_CBC_SHA" },
269 { 0x00008E, "TLS_DHE_PSK_WITH_RC4_128_SHA" },
270 { 0x00008F, "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA" },
271 { 0x000090, "TLS_DHE_PSK_WITH_AES_128_CBC_SHA" },
272 { 0x000091, "TLS_DHE_PSK_WITH_AES_256_CBC_SHA" },
273 { 0x000092, "TLS_RSA_PSK_WITH_RC4_128_SHA" },
274 { 0x000093, "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA" },
275 { 0x000094, "TLS_RSA_PSK_WITH_AES_128_CBC_SHA" },
276 { 0x000095, "TLS_RSA_PSK_WITH_AES_256_CBC_SHA" },
277 /* RFC 4162 */
278 { 0x000096, "TLS_RSA_WITH_SEED_CBC_SHA" },
279 { 0x000097, "TLS_DH_DSS_WITH_SEED_CBC_SHA" },
280 { 0x000098, "TLS_DH_RSA_WITH_SEED_CBC_SHA" },
281 { 0x000099, "TLS_DHE_DSS_WITH_SEED_CBC_SHA" },
282 { 0x00009A, "TLS_DHE_RSA_WITH_SEED_CBC_SHA" },
283 { 0x00009B, "TLS_DH_anon_WITH_SEED_CBC_SHA" },
284 /* RFC 5288 */
285 { 0x00009C, "TLS_RSA_WITH_AES_128_GCM_SHA256" },
286 { 0x00009D, "TLS_RSA_WITH_AES_256_GCM_SHA384" },
287 { 0x00009E, "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256" },
288 { 0x00009F, "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384" },
289 { 0x0000A0, "TLS_DH_RSA_WITH_AES_128_GCM_SHA256" },
290 { 0x0000A1, "TLS_DH_RSA_WITH_AES_256_GCM_SHA384" },
291 { 0x0000A2, "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256" },
292 { 0x0000A3, "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384" },
293 { 0x0000A4, "TLS_DH_DSS_WITH_AES_128_GCM_SHA256" },
294 { 0x0000A5, "TLS_DH_DSS_WITH_AES_256_GCM_SHA384" },
295 { 0x0000A6, "TLS_DH_anon_WITH_AES_128_GCM_SHA256" },
296 { 0x0000A7, "TLS_DH_anon_WITH_AES_256_GCM_SHA384" },
297 /* RFC 5487 */
298 { 0x0000A8, "TLS_PSK_WITH_AES_128_GCM_SHA256" },
299 { 0x0000A9, "TLS_PSK_WITH_AES_256_GCM_SHA384" },
300 { 0x0000AA, "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256" },
301 { 0x0000AB, "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384" },
302 { 0x0000AC, "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256" },
303 { 0x0000AD, "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384" },
304 { 0x0000AE, "TLS_PSK_WITH_AES_128_CBC_SHA256" },
305 { 0x0000AF, "TLS_PSK_WITH_AES_256_CBC_SHA384" },
306 { 0x0000B0, "TLS_PSK_WITH_NULL_SHA256" },
307 { 0x0000B1, "TLS_PSK_WITH_NULL_SHA384" },
308 { 0x0000B2, "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256" },
309 { 0x0000B3, "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384" },
310 { 0x0000B4, "TLS_DHE_PSK_WITH_NULL_SHA256" },
311 { 0x0000B5, "TLS_DHE_PSK_WITH_NULL_SHA384" },
312 { 0x0000B6, "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256" },
313 { 0x0000B7, "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384" },
314 { 0x0000B8, "TLS_RSA_PSK_WITH_NULL_SHA256" },
315 { 0x0000B9, "TLS_RSA_PSK_WITH_NULL_SHA384" },
316 /* From RFC 5932 */
317 { 0x0000BA, "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
318 { 0x0000BB, "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256" },
319 { 0x0000BC, "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
320 { 0x0000BD, "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256" },
321 { 0x0000BE, "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
322 { 0x0000BF, "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256" },
323 { 0x0000C0, "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
324 { 0x0000C1, "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256" },
325 { 0x0000C2, "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
326 { 0x0000C3, "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256" },
327 { 0x0000C4, "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
328 { 0x0000C5, "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256" },
329 /* 0x00,0xC6-FE Unassigned */
330 { 0x0000FF, "TLS_EMPTY_RENEGOTIATION_INFO_SCSV" },
331 /* 0x01-BF,* Unassigned */
332 /* From RFC 4492 */
333 { 0x00c001, "TLS_ECDH_ECDSA_WITH_NULL_SHA" },
334 { 0x00c002, "TLS_ECDH_ECDSA_WITH_RC4_128_SHA" },
335 { 0x00c003, "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA" },
336 { 0x00c004, "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA" },
337 { 0x00c005, "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" },
338 { 0x00c006, "TLS_ECDHE_ECDSA_WITH_NULL_SHA" },
339 { 0x00c007, "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA" },
340 { 0x00c008, "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA" },
341 { 0x00c009, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA" },
342 { 0x00c00a, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" },
343 { 0x00c00b, "TLS_ECDH_RSA_WITH_NULL_SHA" },
344 { 0x00c00c, "TLS_ECDH_RSA_WITH_RC4_128_SHA" },
345 { 0x00c00d, "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA" },
346 { 0x00c00e, "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA" },
347 { 0x00c00f, "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA" },
348 { 0x00c010, "TLS_ECDHE_RSA_WITH_NULL_SHA" },
349 { 0x00c011, "TLS_ECDHE_RSA_WITH_RC4_128_SHA" },
350 { 0x00c012, "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA" },
351 { 0x00c013, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA" },
352 { 0x00c014, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA" },
353 { 0x00c015, "TLS_ECDH_anon_WITH_NULL_SHA" },
354 { 0x00c016, "TLS_ECDH_anon_WITH_RC4_128_SHA" },
355 { 0x00c017, "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA" },
356 { 0x00c018, "TLS_ECDH_anon_WITH_AES_128_CBC_SHA" },
357 { 0x00c019, "TLS_ECDH_anon_WITH_AES_256_CBC_SHA" },
358 /* RFC 5054 */
359 { 0x00C01A, "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA" },
360 { 0x00C01B, "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA" },
361 { 0x00C01C, "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA" },
362 { 0x00C01D, "TLS_SRP_SHA_WITH_AES_128_CBC_SHA" },
363 { 0x00C01E, "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA" },
364 { 0x00C01F, "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA" },
365 { 0x00C020, "TLS_SRP_SHA_WITH_AES_256_CBC_SHA" },
366 { 0x00C021, "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA" },
367 { 0x00C022, "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA" },
368 /* RFC 5589 */
369 { 0x00C023, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256" },
370 { 0x00C024, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384" },
371 { 0x00C025, "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256" },
372 { 0x00C026, "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384" },
373 { 0x00C027, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" },
374 { 0x00C028, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" },
375 { 0x00C029, "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256" },
376 { 0x00C02A, "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384" },
377 { 0x00C02B, "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" },
378 { 0x00C02C, "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" },
379 { 0x00C02D, "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256" },
380 { 0x00C02E, "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384" },
381 { 0x00C02F, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" },
382 { 0x00C030, "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" },
383 { 0x00C031, "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" },
384 { 0x00C032, "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384" },
385 /* RFC 5489 */
386 { 0x00C033, "TLS_ECDHE_PSK_WITH_RC4_128_SHA" },
387 { 0x00C034, "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA" },
388 { 0x00C035, "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA" },
389 { 0x00C036, "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA" },
390 { 0x00C037, "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256" },
391 { 0x00C038, "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384" },
392 { 0x00C039, "TLS_ECDHE_PSK_WITH_NULL_SHA" },
393 { 0x00C03A, "TLS_ECDHE_PSK_WITH_NULL_SHA256" },
394 { 0x00C03B, "TLS_ECDHE_PSK_WITH_NULL_SHA384" },
395 /* 0xC0,0x3C-FF Unassigned
396 0xC1-FD,* Unassigned
397 0xFE,0x00-FD Unassigned
398 0xFE,0xFE-FF Reserved to avoid conflicts with widely deployed implementations [Pasi_Eronen]
399 0xFF,0x00-FF Reserved for Private Use [RFC5246]
400 */
401
402 /* old numbers used in the beginning
403 * https://tools.ietf.org/html/draft-agl-tls-chacha20poly1305 */
404 { 0x00CC13, "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
405 { 0x00CC14, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" },
406 { 0x00CC15, "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
407
408 /* https://tools.ietf.org/html/rfc7905 */
409 { 0x00CCA8, "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
410 { 0x00CCA9, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" },
411 { 0x00CCAA, "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
412 { 0x00CCAB, "TLS_PSK_WITH_CHACHA20_POLY1305_SHA256" },
413 { 0x00CCAC, "TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256" },
414 { 0x00CCAD, "TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256" },
415 { 0x00CCAE, "TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256" },
416
417 /* GM/T 0024-2014 */
418 { 0x00e001, "ECDHE_SM1_SM3"},
419 { 0x00e003, "ECC_SM1_SM3"},
420 { 0x00e005, "IBSDH_SM1_SM3"},
421 { 0x00e007, "IBC_SM1_SM3"},
422 { 0x00e009, "RSA_SM1_SM3"},
423 { 0x00e00a, "RSA_SM1_SHA1"},
424 { 0x00e011, "ECDHE_SM4_CBC_SM3"},
425 { 0x00e013, "ECC_SM4_CBC_SM3"},
426 { 0x00e015, "IBSDH_SM4_CBC_SM3"},
427 { 0x00e017, "IBC_SM4_CBC_SM3"},
428 { 0x00e019, "RSA_SM4_CBC_SM3"},
429 { 0x00e01a, "RSA_SM4_CBC_SHA1"},
430 { 0x00e01c, "RSA_SM4_CBC_SHA256"},
431 { 0x00e051, "ECDHE_SM4_GCM_SM3"},
432 { 0x00e053, "ECC_SM4_GCM_SM3"},
433 { 0x00e055, "IBSDH_SM4_GCM_SM3"},
434 { 0x00e057, "IBC_SM4_GCM_SM3"},
435 { 0x00e059, "RSA_SM4_GCM_SM3"},
436 { 0x00e05a, "RSA_SM4_GCM_SHA256"},
437
438 /* https://tools.ietf.org/html/draft-josefsson-salsa20-tls */
439 { 0x00E410, "TLS_RSA_WITH_ESTREAM_SALSA20_SHA1" },
440 { 0x00E411, "TLS_RSA_WITH_SALSA20_SHA1" },
441 { 0x00E412, "TLS_ECDHE_RSA_WITH_ESTREAM_SALSA20_SHA1" },
442 { 0x00E413, "TLS_ECDHE_RSA_WITH_SALSA20_SHA1" },
443 { 0x00E414, "TLS_ECDHE_ECDSA_WITH_ESTREAM_SALSA20_SHA1" },
444 { 0x00E415, "TLS_ECDHE_ECDSA_WITH_SALSA20_SHA1" },
445 { 0x00E416, "TLS_PSK_WITH_ESTREAM_SALSA20_SHA1" },
446 { 0x00E417, "TLS_PSK_WITH_SALSA20_SHA1" },
447 { 0x00E418, "TLS_ECDHE_PSK_WITH_ESTREAM_SALSA20_SHA1" },
448 { 0x00E419, "TLS_ECDHE_PSK_WITH_SALSA20_SHA1" },
449 { 0x00E41A, "TLS_RSA_PSK_WITH_ESTREAM_SALSA20_SHA1" },
450 { 0x00E41B, "TLS_RSA_PSK_WITH_SALSA20_SHA1" },
451 { 0x00E41C, "TLS_DHE_PSK_WITH_ESTREAM_SALSA20_SHA1" },
452 { 0x00E41D, "TLS_DHE_PSK_WITH_SALSA20_SHA1" },
453 { 0x00E41E, "TLS_DHE_RSA_WITH_ESTREAM_SALSA20_SHA1" },
454 { 0x00E41F, "TLS_DHE_RSA_WITH_SALSA20_SHA1" },
455
456 /* these from http://www.mozilla.org/projects/
457 security/pki/nss/ssl/fips-ssl-ciphersuites.html */
458 { 0x00fefe, "SSL_RSA_FIPS_WITH_DES_CBC_SHA"},
459 { 0x00feff, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA" },
460 { 0x00ffe0, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA" },
461 { 0x00ffe1, "SSL_RSA_FIPS_WITH_DES_CBC_SHA"},
462 /* note that ciphersuites of {0x00????} are TLS cipher suites in
463 * a sslv2 client hello message; the ???? above is the two-byte
464 * tls cipher suite id
465 */
466
467 { 0x010080, "SSL2_RC4_128_WITH_MD5" },
468 { 0x020080, "SSL2_RC4_128_EXPORT40_WITH_MD5" },
469 { 0x030080, "SSL2_RC2_128_CBC_WITH_MD5" },
470 { 0x040080, "SSL2_RC2_128_CBC_EXPORT40_WITH_MD5" },
471 { 0x050080, "SSL2_IDEA_128_CBC_WITH_MD5" },
472 { 0x060040, "SSL2_DES_64_CBC_WITH_MD5" },
473 { 0x0700c0, "SSL2_DES_192_EDE3_CBC_WITH_MD5" },
474 { 0x080080, "SSL2_RC4_64_WITH_MD5" },
475
476 { 0x00, NULL((void*)0) }
477};
478
479value_string_ext ssl_20_cipher_suites_ext = VALUE_STRING_EXT_INIT(ssl_20_cipher_suites){ _try_val_to_str_ext_init, 0, (sizeof (ssl_20_cipher_suites)
/ sizeof ((ssl_20_cipher_suites)[0]))-1, ssl_20_cipher_suites
, "ssl_20_cipher_suites", ((void*)0) }
;
480
481
482/*
483 * Supported Groups (formerly named "EC Named Curve").
484 * https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8
485 */
486const value_string ssl_extension_curves[] = {
487 { 1, "sect163k1" },
488 { 2, "sect163r1" },
489 { 3, "sect163r2" },
490 { 4, "sect193r1" },
491 { 5, "sect193r2" },
492 { 6, "sect233k1" },
493 { 7, "sect233r1" },
494 { 8, "sect239k1" },
495 { 9, "sect283k1" },
496 { 10, "sect283r1" },
497 { 11, "sect409k1" },
498 { 12, "sect409r1" },
499 { 13, "sect571k1" },
500 { 14, "sect571r1" },
501 { 15, "secp160k1" },
502 { 16, "secp160r1" },
503 { 17, "secp160r2" },
504 { 18, "secp192k1" },
505 { 19, "secp192r1" },
506 { 20, "secp224k1" },
507 { 21, "secp224r1" },
508 { 22, "secp256k1" },
509 { 23, "secp256r1" },
510 { 24, "secp384r1" },
511 { 25, "secp521r1" },
512 { 26, "brainpoolP256r1" }, /* RFC 7027 */
513 { 27, "brainpoolP384r1" }, /* RFC 7027 */
514 { 28, "brainpoolP512r1" }, /* RFC 7027 */
515 { 29, "x25519" }, /* RFC 8446 / RFC 8422 */
516 { 30, "x448" }, /* RFC 8446 / RFC 8422 */
517 { 31, "brainpoolP256r1tls13" }, /* RFC8734 */
518 { 32, "brainpoolP384r1tls13" }, /* RFC8734 */
519 { 33, "brainpoolP512r1tls13" }, /* RFC8734 */
520 { 34, "GC256A" }, /* RFC9189 */
521 { 35, "GC256B" }, /* RFC9189 */
522 { 36, "GC256C" }, /* RFC9189 */
523 { 37, "GC256D" }, /* RFC9189 */
524 { 38, "GC512A" }, /* RFC9189 */
525 { 39, "GC512B" }, /* RFC9189 */
526 { 40, "GC512C" }, /* RFC9189 */
527 { 41, "curveSM2" }, /* RFC 8998 */
528 { 256, "ffdhe2048" }, /* RFC 7919 */
529 { 257, "ffdhe3072" }, /* RFC 7919 */
530 { 258, "ffdhe4096" }, /* RFC 7919 */
531 { 259, "ffdhe6144" }, /* RFC 7919 */
532 { 260, "ffdhe8192" }, /* RFC 7919 */
533 { 512, "MLKEM512"}, /* draft-connolly-tls-mlkem-key-agreement-03 */
534 { 513, "MLKEM768"}, /* draft-connolly-tls-mlkem-key-agreement-03 */
535 { 514, "MLKEM1024"}, /* draft-connolly-tls-mlkem-key-agreement-03 */
536 { 2570, "Reserved (GREASE)" }, /* RFC 8701 */
537 { 4587, "SecP256r1MLKEM768" }, /* draft-kwiatkowski-tls-ecdhe-mlkem-02 */
538 { 4588, "X25519MLKEM768" }, /* draft-kwiatkowski-tls-ecdhe-mlkem-03 */
539 { 4589, "SecP384r1MLKEM1024" }, /* draft-kwiatkowski-tls-ecdhe-mlkem-03 */
540 { 6682, "Reserved (GREASE)" }, /* RFC 8701 */
541 { 10794, "Reserved (GREASE)" }, /* RFC 8701 */
542 { 14906, "Reserved (GREASE)" }, /* RFC 8701 */
543 { 19018, "Reserved (GREASE)" }, /* RFC 8701 */
544 { 23130, "Reserved (GREASE)" }, /* RFC 8701 */
545 { 25497, "X25519Kyber768Draft00 (OBSOLETE)" }, /* draft-tls-westerbaan-xyber768d00-02 */
546 { 25498, "SecP256r1Kyber768Draft00 (OBSOLETE)" }, /* draft-kwiatkowski-tls-ecdhe-kyber-01 */
547 { 27242, "Reserved (GREASE)" }, /* RFC 8701 */
548 { 31354, "Reserved (GREASE)" }, /* RFC 8701 */
549 { 35466, "Reserved (GREASE)" }, /* RFC 8701 */
550 { 39578, "Reserved (GREASE)" }, /* RFC 8701 */
551 { 43690, "Reserved (GREASE)" }, /* RFC 8701 */
552 { 47802, "Reserved (GREASE)" }, /* RFC 8701 */
553 { 51914, "Reserved (GREASE)" }, /* RFC 8701 */
554 { 56026, "Reserved (GREASE)" }, /* RFC 8701 */
555 { 60138, "Reserved (GREASE)" }, /* RFC 8701 */
556 { 64250, "Reserved (GREASE)" }, /* RFC 8701 */
557 { 0xFF01, "arbitrary_explicit_prime_curves" },
558 { 0xFF02, "arbitrary_explicit_char2_curves" },
559 /* Below are various unofficial values that have been used for testing. */
560 /* PQC key exchange algorithms from OQS-OpenSSL,
561 see https://github.com/open-quantum-safe/oqs-provider/blob/main/oqs-template/oqs-kem-info.md
562 These use IANA unassigned values and this list may be incomplete.
563 */
564 { 0x2F00, "p256_frodo640aes" },
565 { 0x2F01, "p256_frodo640shake" },
566 { 0x2F02, "p384_frodo976aes" },
567 { 0x0203, "frodo976shake" },
568 { 0x2F03, "p384_frodo976shake" },
569 { 0x0204, "frodo1344aes" },
570 { 0x2F04, "p521_frodo1344aes" },
571 { 0x0205, "frodo1344shake" },
572 { 0x2F05, "p521_frodo1344shake" },
573 { 0x023A, "kyber512" },
574 { 0x2F3A, "p256_kyber512" },
575 { 0x023C, "kyber768" },
576 { 0x2F3C, "p384_kyber768" },
577 { 0x023D, "kyber1024" },
578 { 0x2F3D, "p521_kyber1024" },
579 { 0x0214, "ntru_hps2048509" },
580 { 0x2F14, "p256_ntru_hps2048509" },
581 { 0x0215, "ntru_hps2048677" },
582 { 0x2F15, "p384_ntru_hps2048677" },
583 { 0x0216, "ntru_hps4096821" },
584 { 0x2F16, "p521_ntru_hps4096821" },
585 { 0x0245, "ntru_hps40961229" },
586 { 0x2F45, "p521_ntru_hps40961229" },
587 { 0x0217, "ntru_hrss701" },
588 { 0x2F17, "p384_ntru_hrss701" },
589 { 0x0246, "ntru_hrss1373" },
590 { 0x2F46, "p521_ntru_hrss1373" },
591 { 0x0218, "lightsaber" },
592 { 0x2F18, "p256_lightsaber" },
593 { 0x0219, "saber" },
594 { 0x2F19, "p384_saber" },
595 { 0x021A, "firesaber" },
596 { 0x2F1A, "p521_firesaber" },
597 { 0x021B, "sidhp434" },
598 { 0x2F1B, "p256_sidhp434" },
599 { 0x021C, "sidhp503" },
600 { 0x2F1C, "p256_sidhp503" },
601 { 0x021D, "sidhp610" },
602 { 0x2F1D, "p384_sidhp610" },
603 { 0x021E, "sidhp751" },
604 { 0x2F1E, "p521_sidhp751" },
605 { 0x021F, "sikep434" },
606 { 0x2F1F, "p256_sikep434" },
607 { 0x0220, "sikep503" },
608 { 0x2F20, "p256_sikep503" },
609 { 0x0221, "sikep610" },
610 { 0x2F21, "p384_sikep610" },
611 { 0x0222, "sikep751" },
612 { 0x2F22, "p521_sikep751" },
613 { 0x0238, "bikel1" },
614 { 0x2F38, "p256_bikel1" },
615 { 0x023B, "bikel3" },
616 { 0x2F3B, "p384_bikel3" },
617 { 0x023E, "kyber90s512" },
618 { 0x2F3E, "p256_kyber90s512" },
619 { 0x023F, "kyber90s768" },
620 { 0x2F3F, "p384_kyber90s768" },
621 { 0x0240, "kyber90s1024" },
622 { 0x2F40, "p521_kyber90s1024" },
623 { 0x022C, "hqc128" },
624 { 0x2F2C, "p256_hqc128" },
625 { 0x022D, "hqc192" },
626 { 0x2F2D, "p384_hqc192" },
627 { 0x022E, "hqc256" },
628 { 0x2F2E, "p521_hqc256" },
629 { 0x022F, "ntrulpr653" },
630 { 0x2F2F, "p256_ntrulpr653" },
631 { 0x0230, "ntrulpr761" },
632 { 0x2F43, "p256_ntrulpr761" },
633 { 0x0231, "ntrulpr857" },
634 { 0x2F31, "p384_ntrulpr857" },
635 { 0x0241, "ntrulpr1277" },
636 { 0x2F41, "p521_ntrulpr1277" },
637 { 0x0232, "sntrup653" },
638 { 0x2F32, "p256_sntrup653" },
639 { 0x0233, "sntrup761" },
640 { 0x2F44, "p256_sntrup761" },
641 { 0x0234, "sntrup857" },
642 { 0x2F34, "p384_sntrup857" },
643 { 0x0242, "sntrup1277" },
644 { 0x2F42, "p521_sntrup1277" },
645 /* Other PQ key exchange algorithms, using Reserved for Private Use values
646 https://blog.cloudflare.com/post-quantum-for-all
647 https://www.ietf.org/archive/id/draft-tls-westerbaan-xyber768d00-02.txt */
648 { 0xFE30, "X25519Kyber512Draft00 (OBSOLETE)" },
649 { 0xFE31, "X25519Kyber768Draft00 (OBSOLETE)" },
650 { 0x00, NULL((void*)0) }
651};
652
653const value_string ssl_curve_types[] = {
654 { 1, "explicit_prime" },
655 { 2, "explicit_char2" },
656 { 3, "named_curve" },
657 { 0x00, NULL((void*)0) }
658};
659
660const value_string ssl_extension_ec_point_formats[] = {
661 { 0, "uncompressed" },
662 { 1, "ansiX962_compressed_prime" },
663 { 2, "ansiX962_compressed_char2" },
664 { 0x00, NULL((void*)0) }
665};
666
667const value_string ssl_20_certificate_type[] = {
668 { 0x00, "N/A" },
669 { 0x01, "X.509 Certificate" },
670 { 0x00, NULL((void*)0) }
671};
672
673const value_string ssl_31_content_type[] = {
674 { 20, "Change Cipher Spec" },
675 { 21, "Alert" },
676 { 22, "Handshake" },
677 { 23, "Application Data" },
678 { 24, "Heartbeat" },
679 { 25, "Connection ID" },
680 { 0x00, NULL((void*)0) }
681};
682
683#if 0
684/* XXX - would be used if we dissected the body of a Change Cipher Spec
685 message. */
686const value_string ssl_31_change_cipher_spec[] = {
687 { 1, "Change Cipher Spec" },
688 { 0x00, NULL((void*)0) }
689};
690#endif
691
692const value_string ssl_31_alert_level[] = {
693 { 1, "Warning" },
694 { 2, "Fatal" },
695 { 0x00, NULL((void*)0) }
696};
697
698const value_string ssl_31_alert_description[] = {
699 { 0, "Close Notify" },
700 { 1, "End of Early Data" },
701 { 10, "Unexpected Message" },
702 { 20, "Bad Record MAC" },
703 { 21, "Decryption Failed" },
704 { 22, "Record Overflow" },
705 { 30, "Decompression Failure" },
706 { 40, "Handshake Failure" },
707 { 41, "No Certificate" },
708 { 42, "Bad Certificate" },
709 { 43, "Unsupported Certificate" },
710 { 44, "Certificate Revoked" },
711 { 45, "Certificate Expired" },
712 { 46, "Certificate Unknown" },
713 { 47, "Illegal Parameter" },
714 { 48, "Unknown CA" },
715 { 49, "Access Denied" },
716 { 50, "Decode Error" },
717 { 51, "Decrypt Error" },
718 { 60, "Export Restriction" },
719 { 70, "Protocol Version" },
720 { 71, "Insufficient Security" },
721 { 80, "Internal Error" },
722 { 86, "Inappropriate Fallback" },
723 { 90, "User Canceled" },
724 { 100, "No Renegotiation" },
725 { 109, "Missing Extension" },
726 { 110, "Unsupported Extension" },
727 { 111, "Certificate Unobtainable" },
728 { 112, "Unrecognized Name" },
729 { 113, "Bad Certificate Status Response" },
730 { 114, "Bad Certificate Hash Value" },
731 { 115, "Unknown PSK Identity" },
732 { 116, "Certificate Required" },
733 { 120, "No application Protocol" },
734 { 121, "ECH Required" },
735 { 0x00, NULL((void*)0) }
736};
737
738const value_string ssl_31_handshake_type[] = {
739 { SSL_HND_HELLO_REQUEST, "Hello Request" },
740 { SSL_HND_CLIENT_HELLO, "Client Hello" },
741 { SSL_HND_SERVER_HELLO, "Server Hello" },
742 { SSL_HND_HELLO_VERIFY_REQUEST, "Hello Verify Request"},
743 { SSL_HND_NEWSESSION_TICKET, "New Session Ticket" },
744 { SSL_HND_END_OF_EARLY_DATA, "End of Early Data" },
745 { SSL_HND_HELLO_RETRY_REQUEST, "Hello Retry Request" },
746 { SSL_HND_ENCRYPTED_EXTENSIONS, "Encrypted Extensions" },
747 { SSL_HND_CERTIFICATE, "Certificate" },
748 { SSL_HND_SERVER_KEY_EXCHG, "Server Key Exchange" },
749 { SSL_HND_CERT_REQUEST, "Certificate Request" },
750 { SSL_HND_SVR_HELLO_DONE, "Server Hello Done" },
751 { SSL_HND_CERT_VERIFY, "Certificate Verify" },
752 { SSL_HND_CLIENT_KEY_EXCHG, "Client Key Exchange" },
753 { SSL_HND_FINISHED, "Finished" },
754 { SSL_HND_CERT_URL, "Client Certificate URL" },
755 { SSL_HND_CERT_STATUS, "Certificate Status" },
756 { SSL_HND_SUPPLEMENTAL_DATA, "Supplemental Data" },
757 { SSL_HND_KEY_UPDATE, "Key Update" },
758 { SSL_HND_COMPRESSED_CERTIFICATE, "Compressed Certificate" },
759 { SSL_HND_ENCRYPTED_EXTS, "Encrypted Extensions" },
760 { 0x00, NULL((void*)0) }
761};
762
763const value_string tls_heartbeat_type[] = {
764 { 1, "Request" },
765 { 2, "Response" },
766 { 0x00, NULL((void*)0) }
767};
768
769const value_string tls_heartbeat_mode[] = {
770 { 1, "Peer allowed to send requests" },
771 { 2, "Peer not allowed to send requests" },
772 { 0x00, NULL((void*)0) }
773};
774
775const value_string ssl_31_compression_method[] = {
776 { 0, "null" },
777 { 1, "DEFLATE" },
778 { 64, "LZS" },
779 { 0x00, NULL((void*)0) }
780};
781
782#if 0
783/* XXX - would be used if we dissected a Signature, as would be
784 seen in a server key exchange or certificate verify message. */
785const value_string ssl_31_key_exchange_algorithm[] = {
786 { 0, "RSA" },
787 { 1, "Diffie Hellman" },
788 { 0x00, NULL((void*)0) }
789};
790
791const value_string ssl_31_signature_algorithm[] = {
792 { 0, "Anonymous" },
793 { 1, "RSA" },
794 { 2, "DSA" },
795 { 0x00, NULL((void*)0) }
796};
797#endif
798
799const value_string ssl_31_client_certificate_type[] = {
800 { 1, "RSA Sign" },
801 { 2, "DSS Sign" },
802 { 3, "RSA Fixed DH" },
803 { 4, "DSS Fixed DH" },
804 /* GOST certificate types */
805 /* Section 3.5 of draft-chudov-cryptopro-cptls-04 */
806 { 21, "GOST R 34.10-94" },
807 { 22, "GOST R 34.10-2001" },
808 /* END GOST certificate types */
809 { 64, "ECDSA Sign" },
810 { 65, "RSA Fixed ECDH" },
811 { 66, "ECDSA Fixed ECDH" },
812 { 80, "IBC Params" },
813 { 0x00, NULL((void*)0) }
814};
815
816#if 0
817/* XXX - would be used if we dissected exchange keys, as would be
818 seen in a client key exchange message. */
819const value_string ssl_31_public_value_encoding[] = {
820 { 0, "Implicit" },
821 { 1, "Explicit" },
822 { 0x00, NULL((void*)0) }
823};
824#endif
825
826/* http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml */
827/* Note: sorted by ascending value so value_string_ext fcns can do a binary search */
828static const value_string ssl_31_ciphersuite[] = {
829 /* RFC 2246, RFC 4346, RFC 5246 */
830 { 0x0000, "TLS_NULL_WITH_NULL_NULL" },
831 { 0x0001, "TLS_RSA_WITH_NULL_MD5" },
832 { 0x0002, "TLS_RSA_WITH_NULL_SHA" },
833 { 0x0003, "TLS_RSA_EXPORT_WITH_RC4_40_MD5" },
834 { 0x0004, "TLS_RSA_WITH_RC4_128_MD5" },
835 { 0x0005, "TLS_RSA_WITH_RC4_128_SHA" },
836 { 0x0006, "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5" },
837 { 0x0007, "TLS_RSA_WITH_IDEA_CBC_SHA" },
838 { 0x0008, "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA" },
839 { 0x0009, "TLS_RSA_WITH_DES_CBC_SHA" },
840 { 0x000a, "TLS_RSA_WITH_3DES_EDE_CBC_SHA" },
841 { 0x000b, "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA" },
842 { 0x000c, "TLS_DH_DSS_WITH_DES_CBC_SHA" },
843 { 0x000d, "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA" },
844 { 0x000e, "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA" },
845 { 0x000f, "TLS_DH_RSA_WITH_DES_CBC_SHA" },
846 { 0x0010, "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA" },
847 { 0x0011, "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA" },
848 { 0x0012, "TLS_DHE_DSS_WITH_DES_CBC_SHA" },
849 { 0x0013, "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA" },
850 { 0x0014, "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA" },
851 { 0x0015, "TLS_DHE_RSA_WITH_DES_CBC_SHA" },
852 { 0x0016, "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA" },
853 { 0x0017, "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5" },
854 { 0x0018, "TLS_DH_anon_WITH_RC4_128_MD5" },
855 { 0x0019, "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA" },
856 { 0x001a, "TLS_DH_anon_WITH_DES_CBC_SHA" },
857 { 0x001b, "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA" },
858
859 { 0x001c, "SSL_FORTEZZA_KEA_WITH_NULL_SHA" },
860 { 0x001d, "SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA" },
861#if 0 /* Because it clashes with KRB5, is never used any more, and is safe
862 to remove according to David Hopwood <[email protected]>
863 of the ietf-tls list */
864 { 0x001e, "SSL_FORTEZZA_KEA_WITH_RC4_128_SHA" },
865#endif
866 /* RFC 2712 */
867 { 0x001E, "TLS_KRB5_WITH_DES_CBC_SHA" },
868 { 0x001F, "TLS_KRB5_WITH_3DES_EDE_CBC_SHA" },
869 { 0x0020, "TLS_KRB5_WITH_RC4_128_SHA" },
870 { 0x0021, "TLS_KRB5_WITH_IDEA_CBC_SHA" },
871 { 0x0022, "TLS_KRB5_WITH_DES_CBC_MD5" },
872 { 0x0023, "TLS_KRB5_WITH_3DES_EDE_CBC_MD5" },
873 { 0x0024, "TLS_KRB5_WITH_RC4_128_MD5" },
874 { 0x0025, "TLS_KRB5_WITH_IDEA_CBC_MD5" },
875 { 0x0026, "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA" },
876 { 0x0027, "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA" },
877 { 0x0028, "TLS_KRB5_EXPORT_WITH_RC4_40_SHA" },
878 { 0x0029, "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5" },
879 { 0x002A, "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5" },
880 { 0x002B, "TLS_KRB5_EXPORT_WITH_RC4_40_MD5" },
881 /* RFC 4785 */
882 { 0x002C, "TLS_PSK_WITH_NULL_SHA" },
883 { 0x002D, "TLS_DHE_PSK_WITH_NULL_SHA" },
884 { 0x002E, "TLS_RSA_PSK_WITH_NULL_SHA" },
885 /* RFC 5246 */
886 { 0x002F, "TLS_RSA_WITH_AES_128_CBC_SHA" },
887 { 0x0030, "TLS_DH_DSS_WITH_AES_128_CBC_SHA" },
888 { 0x0031, "TLS_DH_RSA_WITH_AES_128_CBC_SHA" },
889 { 0x0032, "TLS_DHE_DSS_WITH_AES_128_CBC_SHA" },
890 { 0x0033, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA" },
891 { 0x0034, "TLS_DH_anon_WITH_AES_128_CBC_SHA" },
892 { 0x0035, "TLS_RSA_WITH_AES_256_CBC_SHA" },
893 { 0x0036, "TLS_DH_DSS_WITH_AES_256_CBC_SHA" },
894 { 0x0037, "TLS_DH_RSA_WITH_AES_256_CBC_SHA" },
895 { 0x0038, "TLS_DHE_DSS_WITH_AES_256_CBC_SHA" },
896 { 0x0039, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA" },
897 { 0x003A, "TLS_DH_anon_WITH_AES_256_CBC_SHA" },
898 { 0x003B, "TLS_RSA_WITH_NULL_SHA256" },
899 { 0x003C, "TLS_RSA_WITH_AES_128_CBC_SHA256" },
900 { 0x003D, "TLS_RSA_WITH_AES_256_CBC_SHA256" },
901 { 0x003E, "TLS_DH_DSS_WITH_AES_128_CBC_SHA256" },
902 { 0x003F, "TLS_DH_RSA_WITH_AES_128_CBC_SHA256" },
903 { 0x0040, "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256" },
904 /* RFC 4132 */
905 { 0x0041, "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA" },
906 { 0x0042, "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA" },
907 { 0x0043, "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA" },
908 { 0x0044, "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA" },
909 { 0x0045, "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA" },
910 { 0x0046, "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA" },
911 /* 0x00,0x60-66 Reserved to avoid conflicts with widely deployed implementations */
912 /* --- ??? --- */
913 { 0x0060, "TLS_RSA_EXPORT1024_WITH_RC4_56_MD5" },
914 { 0x0061, "TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5" },
915 /* draft-ietf-tls-56-bit-ciphersuites-01.txt */
916 { 0x0062, "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA" },
917 { 0x0063, "TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA" },
918 { 0x0064, "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA" },
919 { 0x0065, "TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA" },
920 { 0x0066, "TLS_DHE_DSS_WITH_RC4_128_SHA" },
921 /* --- ??? ---*/
922 { 0x0067, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256" },
923 { 0x0068, "TLS_DH_DSS_WITH_AES_256_CBC_SHA256" },
924 { 0x0069, "TLS_DH_RSA_WITH_AES_256_CBC_SHA256" },
925 { 0x006A, "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256" },
926 { 0x006B, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256" },
927 { 0x006C, "TLS_DH_anon_WITH_AES_128_CBC_SHA256" },
928 { 0x006D, "TLS_DH_anon_WITH_AES_256_CBC_SHA256" },
929 /* draft-chudov-cryptopro-cptls-04.txt */
930 { 0x0080, "TLS_GOSTR341094_WITH_28147_CNT_IMIT" },
931 { 0x0081, "TLS_GOSTR341001_WITH_28147_CNT_IMIT" },
932 { 0x0082, "TLS_GOSTR341094_WITH_NULL_GOSTR3411" },
933 { 0x0083, "TLS_GOSTR341001_WITH_NULL_GOSTR3411" },
934 /* RFC 4132 */
935 { 0x0084, "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA" },
936 { 0x0085, "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA" },
937 { 0x0086, "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA" },
938 { 0x0087, "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA" },
939 { 0x0088, "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA" },
940 { 0x0089, "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA" },
941 /* RFC 4279 */
942 { 0x008A, "TLS_PSK_WITH_RC4_128_SHA" },
943 { 0x008B, "TLS_PSK_WITH_3DES_EDE_CBC_SHA" },
944 { 0x008C, "TLS_PSK_WITH_AES_128_CBC_SHA" },
945 { 0x008D, "TLS_PSK_WITH_AES_256_CBC_SHA" },
946 { 0x008E, "TLS_DHE_PSK_WITH_RC4_128_SHA" },
947 { 0x008F, "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA" },
948 { 0x0090, "TLS_DHE_PSK_WITH_AES_128_CBC_SHA" },
949 { 0x0091, "TLS_DHE_PSK_WITH_AES_256_CBC_SHA" },
950 { 0x0092, "TLS_RSA_PSK_WITH_RC4_128_SHA" },
951 { 0x0093, "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA" },
952 { 0x0094, "TLS_RSA_PSK_WITH_AES_128_CBC_SHA" },
953 { 0x0095, "TLS_RSA_PSK_WITH_AES_256_CBC_SHA" },
954 /* RFC 4162 */
955 { 0x0096, "TLS_RSA_WITH_SEED_CBC_SHA" },
956 { 0x0097, "TLS_DH_DSS_WITH_SEED_CBC_SHA" },
957 { 0x0098, "TLS_DH_RSA_WITH_SEED_CBC_SHA" },
958 { 0x0099, "TLS_DHE_DSS_WITH_SEED_CBC_SHA" },
959 { 0x009A, "TLS_DHE_RSA_WITH_SEED_CBC_SHA" },
960 { 0x009B, "TLS_DH_anon_WITH_SEED_CBC_SHA" },
961 /* RFC 5288 */
962 { 0x009C, "TLS_RSA_WITH_AES_128_GCM_SHA256" },
963 { 0x009D, "TLS_RSA_WITH_AES_256_GCM_SHA384" },
964 { 0x009E, "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256" },
965 { 0x009F, "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384" },
966 { 0x00A0, "TLS_DH_RSA_WITH_AES_128_GCM_SHA256" },
967 { 0x00A1, "TLS_DH_RSA_WITH_AES_256_GCM_SHA384" },
968 { 0x00A2, "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256" },
969 { 0x00A3, "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384" },
970 { 0x00A4, "TLS_DH_DSS_WITH_AES_128_GCM_SHA256" },
971 { 0x00A5, "TLS_DH_DSS_WITH_AES_256_GCM_SHA384" },
972 { 0x00A6, "TLS_DH_anon_WITH_AES_128_GCM_SHA256" },
973 { 0x00A7, "TLS_DH_anon_WITH_AES_256_GCM_SHA384" },
974 /* RFC 5487 */
975 { 0x00A8, "TLS_PSK_WITH_AES_128_GCM_SHA256" },
976 { 0x00A9, "TLS_PSK_WITH_AES_256_GCM_SHA384" },
977 { 0x00AA, "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256" },
978 { 0x00AB, "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384" },
979 { 0x00AC, "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256" },
980 { 0x00AD, "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384" },
981 { 0x00AE, "TLS_PSK_WITH_AES_128_CBC_SHA256" },
982 { 0x00AF, "TLS_PSK_WITH_AES_256_CBC_SHA384" },
983 { 0x00B0, "TLS_PSK_WITH_NULL_SHA256" },
984 { 0x00B1, "TLS_PSK_WITH_NULL_SHA384" },
985 { 0x00B2, "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256" },
986 { 0x00B3, "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384" },
987 { 0x00B4, "TLS_DHE_PSK_WITH_NULL_SHA256" },
988 { 0x00B5, "TLS_DHE_PSK_WITH_NULL_SHA384" },
989 { 0x00B6, "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256" },
990 { 0x00B7, "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384" },
991 { 0x00B8, "TLS_RSA_PSK_WITH_NULL_SHA256" },
992 { 0x00B9, "TLS_RSA_PSK_WITH_NULL_SHA384" },
993 /* From RFC 5932 */
994 { 0x00BA, "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
995 { 0x00BB, "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256" },
996 { 0x00BC, "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
997 { 0x00BD, "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256" },
998 { 0x00BE, "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
999 { 0x00BF, "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256" },
1000 { 0x00C0, "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
1001 { 0x00C1, "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256" },
1002 { 0x00C2, "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
1003 { 0x00C3, "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256" },
1004 { 0x00C4, "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
1005 { 0x00C5, "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256" },
1006 /* RFC 8998 */
1007 { 0x00C6, "TLS_SM4_GCM_SM3" },
1008 { 0x00C7, "TLS_SM4_CCM_SM3" },
1009 /* 0x00,0xC8-FE Unassigned */
1010 /* From RFC 5746 */
1011 { 0x00FF, "TLS_EMPTY_RENEGOTIATION_INFO_SCSV" },
1012 /* RFC 8701 */
1013 { 0x0A0A, "Reserved (GREASE)" },
1014 /* RFC 8446 */
1015 { 0x1301, "TLS_AES_128_GCM_SHA256" },
1016 { 0x1302, "TLS_AES_256_GCM_SHA384" },
1017 { 0x1303, "TLS_CHACHA20_POLY1305_SHA256" },
1018 { 0x1304, "TLS_AES_128_CCM_SHA256" },
1019 { 0x1305, "TLS_AES_128_CCM_8_SHA256" },
1020 /* RFC 8701 */
1021 { 0x1A1A, "Reserved (GREASE)" },
1022 { 0x2A2A, "Reserved (GREASE)" },
1023 { 0x3A3A, "Reserved (GREASE)" },
1024 { 0x4A4A, "Reserved (GREASE)" },
1025 /* From RFC 7507 */
1026 { 0x5600, "TLS_FALLBACK_SCSV" },
1027 /* RFC 8701 */
1028 { 0x5A5A, "Reserved (GREASE)" },
1029 { 0x6A6A, "Reserved (GREASE)" },
1030 { 0x7A7A, "Reserved (GREASE)" },
1031 { 0x8A8A, "Reserved (GREASE)" },
1032 { 0x9A9A, "Reserved (GREASE)" },
1033 { 0xAAAA, "Reserved (GREASE)" },
1034 { 0xBABA, "Reserved (GREASE)" },
1035 /* From RFC 4492 */
1036 { 0xc001, "TLS_ECDH_ECDSA_WITH_NULL_SHA" },
1037 { 0xc002, "TLS_ECDH_ECDSA_WITH_RC4_128_SHA" },
1038 { 0xc003, "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA" },
1039 { 0xc004, "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA" },
1040 { 0xc005, "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" },
1041 { 0xc006, "TLS_ECDHE_ECDSA_WITH_NULL_SHA" },
1042 { 0xc007, "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA" },
1043 { 0xc008, "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA" },
1044 { 0xc009, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA" },
1045 { 0xc00a, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" },
1046 { 0xc00b, "TLS_ECDH_RSA_WITH_NULL_SHA" },
1047 { 0xc00c, "TLS_ECDH_RSA_WITH_RC4_128_SHA" },
1048 { 0xc00d, "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA" },
1049 { 0xc00e, "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA" },
1050 { 0xc00f, "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA" },
1051 { 0xc010, "TLS_ECDHE_RSA_WITH_NULL_SHA" },
1052 { 0xc011, "TLS_ECDHE_RSA_WITH_RC4_128_SHA" },
1053 { 0xc012, "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA" },
1054 { 0xc013, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA" },
1055 { 0xc014, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA" },
1056 { 0xc015, "TLS_ECDH_anon_WITH_NULL_SHA" },
1057 { 0xc016, "TLS_ECDH_anon_WITH_RC4_128_SHA" },
1058 { 0xc017, "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA" },
1059 { 0xc018, "TLS_ECDH_anon_WITH_AES_128_CBC_SHA" },
1060 { 0xc019, "TLS_ECDH_anon_WITH_AES_256_CBC_SHA" },
1061 /* RFC 5054 */
1062 { 0xC01A, "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA" },
1063 { 0xC01B, "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA" },
1064 { 0xC01C, "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA" },
1065 { 0xC01D, "TLS_SRP_SHA_WITH_AES_128_CBC_SHA" },
1066 { 0xC01E, "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA" },
1067 { 0xC01F, "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA" },
1068 { 0xC020, "TLS_SRP_SHA_WITH_AES_256_CBC_SHA" },
1069 { 0xC021, "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA" },
1070 { 0xC022, "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA" },
1071 /* RFC 5589 */
1072 { 0xC023, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256" },
1073 { 0xC024, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384" },
1074 { 0xC025, "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256" },
1075 { 0xC026, "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384" },
1076 { 0xC027, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" },
1077 { 0xC028, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" },
1078 { 0xC029, "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256" },
1079 { 0xC02A, "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384" },
1080 { 0xC02B, "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" },
1081 { 0xC02C, "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" },
1082 { 0xC02D, "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256" },
1083 { 0xC02E, "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384" },
1084 { 0xC02F, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" },
1085 { 0xC030, "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" },
1086 { 0xC031, "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" },
1087 { 0xC032, "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384" },
1088 /* RFC 5489 */
1089 { 0xC033, "TLS_ECDHE_PSK_WITH_RC4_128_SHA" },
1090 { 0xC034, "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA" },
1091 { 0xC035, "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA" },
1092 { 0xC036, "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA" },
1093 { 0xC037, "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256" },
1094 { 0xC038, "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384" },
1095 { 0xC039, "TLS_ECDHE_PSK_WITH_NULL_SHA" },
1096 { 0xC03A, "TLS_ECDHE_PSK_WITH_NULL_SHA256" },
1097 { 0xC03B, "TLS_ECDHE_PSK_WITH_NULL_SHA384" },
1098 /* RFC 6209 */
1099 { 0xC03C, "TLS_RSA_WITH_ARIA_128_CBC_SHA256" },
1100 { 0xC03D, "TLS_RSA_WITH_ARIA_256_CBC_SHA384" },
1101 { 0xC03E, "TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256" },
1102 { 0xC03F, "TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384" },
1103 { 0xC040, "TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256" },
1104 { 0xC041, "TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384" },
1105 { 0xC042, "TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256" },
1106 { 0xC043, "TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384" },
1107 { 0xC044, "TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256" },
1108 { 0xC045, "TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384" },
1109 { 0xC046, "TLS_DH_anon_WITH_ARIA_128_CBC_SHA256" },
1110 { 0xC047, "TLS_DH_anon_WITH_ARIA_256_CBC_SHA384" },
1111 { 0xC048, "TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256" },
1112 { 0xC049, "TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384" },
1113 { 0xC04A, "TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256" },
1114 { 0xC04B, "TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384" },
1115 { 0xC04C, "TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256" },
1116 { 0xC04D, "TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384" },
1117 { 0xC04E, "TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256" },
1118 { 0xC04F, "TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384" },
1119 { 0xC050, "TLS_RSA_WITH_ARIA_128_GCM_SHA256" },
1120 { 0xC051, "TLS_RSA_WITH_ARIA_256_GCM_SHA384" },
1121 { 0xC052, "TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256" },
1122 { 0xC053, "TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384" },
1123 { 0xC054, "TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256" },
1124 { 0xC055, "TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384" },
1125 { 0xC056, "TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256" },
1126 { 0xC057, "TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384" },
1127 { 0xC058, "TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256" },
1128 { 0xC059, "TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384" },
1129 { 0xC05A, "TLS_DH_anon_WITH_ARIA_128_GCM_SHA256" },
1130 { 0xC05B, "TLS_DH_anon_WITH_ARIA_256_GCM_SHA384" },
1131 { 0xC05C, "TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256" },
1132 { 0xC05D, "TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384" },
1133 { 0xC05E, "TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256" },
1134 { 0xC05F, "TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384" },
1135 { 0xC060, "TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256" },
1136 { 0xC061, "TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384" },
1137 { 0xC062, "TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256" },
1138 { 0xC063, "TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384" },
1139 { 0xC064, "TLS_PSK_WITH_ARIA_128_CBC_SHA256" },
1140 { 0xC065, "TLS_PSK_WITH_ARIA_256_CBC_SHA384" },
1141 { 0xC066, "TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256" },
1142 { 0xC067, "TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384" },
1143 { 0xC068, "TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256" },
1144 { 0xC069, "TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384" },
1145 { 0xC06A, "TLS_PSK_WITH_ARIA_128_GCM_SHA256" },
1146 { 0xC06B, "TLS_PSK_WITH_ARIA_256_GCM_SHA384" },
1147 { 0xC06C, "TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256" },
1148 { 0xC06D, "TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384" },
1149 { 0xC06E, "TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256" },
1150 { 0xC06F, "TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384" },
1151 { 0xC070, "TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256" },
1152 { 0xC071, "TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384" },
1153 /* RFC 6367 */
1154 { 0xC072, "TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256" },
1155 { 0xC073, "TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384" },
1156 { 0xC074, "TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256" },
1157 { 0xC075, "TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384" },
1158 { 0xC076, "TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
1159 { 0xC077, "TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384" },
1160 { 0xC078, "TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
1161 { 0xC079, "TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384" },
1162 { 0xC07A, "TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256" },
1163 { 0xC07B, "TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384" },
1164 { 0xC07C, "TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256" },
1165 { 0xC07D, "TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384" },
1166 { 0xC07E, "TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256" },
1167 { 0xC07F, "TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384" },
1168 { 0xC080, "TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256" },
1169 { 0xC081, "TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384" },
1170 { 0xC082, "TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256" },
1171 { 0xC083, "TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384" },
1172 { 0xC084, "TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256" },
1173 { 0xC085, "TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384" },
1174 { 0xC086, "TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256" },
1175 { 0xC087, "TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384" },
1176 { 0xC088, "TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256" },
1177 { 0xC089, "TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384" },
1178 { 0xC08A, "TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256" },
1179 { 0xC08B, "TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384" },
1180 { 0xC08C, "TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256" },
1181 { 0xC08D, "TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384" },
1182 { 0xC08E, "TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256" },
1183 { 0xC08F, "TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384" },
1184 { 0xC090, "TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256" },
1185 { 0xC091, "TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384" },
1186 { 0xC092, "TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256" },
1187 { 0xC093, "TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384" },
1188 { 0xC094, "TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256" },
1189 { 0xC095, "TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384" },
1190 { 0xC096, "TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256" },
1191 { 0xC097, "TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384" },
1192 { 0xC098, "TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256" },
1193 { 0xC099, "TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384" },
1194 { 0xC09A, "TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256" },
1195 { 0xC09B, "TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384" },
1196 /* RFC 6655 */
1197 { 0xC09C, "TLS_RSA_WITH_AES_128_CCM" },
1198 { 0xC09D, "TLS_RSA_WITH_AES_256_CCM" },
1199 { 0xC09E, "TLS_DHE_RSA_WITH_AES_128_CCM" },
1200 { 0xC09F, "TLS_DHE_RSA_WITH_AES_256_CCM" },
1201 { 0xC0A0, "TLS_RSA_WITH_AES_128_CCM_8" },
1202 { 0xC0A1, "TLS_RSA_WITH_AES_256_CCM_8" },
1203 { 0xC0A2, "TLS_DHE_RSA_WITH_AES_128_CCM_8" },
1204 { 0xC0A3, "TLS_DHE_RSA_WITH_AES_256_CCM_8" },
1205 { 0xC0A4, "TLS_PSK_WITH_AES_128_CCM" },
1206 { 0xC0A5, "TLS_PSK_WITH_AES_256_CCM" },
1207 { 0xC0A6, "TLS_DHE_PSK_WITH_AES_128_CCM" },
1208 { 0xC0A7, "TLS_DHE_PSK_WITH_AES_256_CCM" },
1209 { 0xC0A8, "TLS_PSK_WITH_AES_128_CCM_8" },
1210 { 0xC0A9, "TLS_PSK_WITH_AES_256_CCM_8" },
1211 { 0xC0AA, "TLS_PSK_DHE_WITH_AES_128_CCM_8" },
1212 { 0xC0AB, "TLS_PSK_DHE_WITH_AES_256_CCM_8" },
1213 /* RFC 7251 */
1214 { 0xC0AC, "TLS_ECDHE_ECDSA_WITH_AES_128_CCM" },
1215 { 0xC0AD, "TLS_ECDHE_ECDSA_WITH_AES_256_CCM" },
1216 { 0xC0AE, "TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8" },
1217 { 0xC0AF, "TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8" },
1218 /* RFC 8492 */
1219 { 0xC0B0, "TLS_ECCPWD_WITH_AES_128_GCM_SHA256" },
1220 { 0xC0B1, "TLS_ECCPWD_WITH_AES_256_GCM_SHA384" },
1221 { 0xC0B2, "TLS_ECCPWD_WITH_AES_128_CCM_SHA256" },
1222 { 0xC0B3, "TLS_ECCPWD_WITH_AES_256_CCM_SHA384" },
1223 /* draft-camwinget-tls-ts13-macciphersuites */
1224 { 0xC0B4, "TLS_SHA256_SHA256" },
1225 { 0xC0B5, "TLS_SHA384_SHA384" },
1226 /* https://www.ietf.org/archive/id/draft-cragie-tls-ecjpake-01.txt */
1227 { 0xC0FF, "TLS_ECJPAKE_WITH_AES_128_CCM_8" },
1228 /* draft-smyshlyaev-tls12-gost-suites */
1229 { 0xC100, "TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC" },
1230 { 0xC101, "TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC" },
1231 { 0xC102, "TLS_GOSTR341112_256_WITH_28147_CNT_IMIT" },
1232 /* draft-smyshlyaev-tls13-gost-suites */
1233 { 0xC103, "TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_L" },
1234 { 0xC104, "TLS_GOSTR341112_256_WITH_MAGMA_MGM_L" },
1235 { 0xC105, "TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_S" },
1236 { 0xC106, "TLS_GOSTR341112_256_WITH_MAGMA_MGM_S" },
1237 /* RFC 8701 */
1238 { 0xCACA, "Reserved (GREASE)" },
1239/*
12400xC0,0xAB-FF Unassigned
12410xC1,0x03-FD,* Unassigned
12420xFE,0x00-FD Unassigned
12430xFE,0xFE-FF Reserved to avoid conflicts with widely deployed implementations [Pasi_Eronen]
12440xFF,0x00-FF Reserved for Private Use [RFC5246]
1245*/
1246 /* old numbers used in the beginning
1247 * https://tools.ietf.org/html/draft-agl-tls-chacha20poly1305 */
1248 { 0xCC13, "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
1249 { 0xCC14, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" },
1250 { 0xCC15, "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
1251 /* RFC 7905 */
1252 { 0xCCA8, "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
1253 { 0xCCA9, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" },
1254 { 0xCCAA, "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
1255 { 0xCCAB, "TLS_PSK_WITH_CHACHA20_POLY1305_SHA256" },
1256 { 0xCCAC, "TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256" },
1257 { 0xCCAD, "TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256" },
1258 { 0xCCAE, "TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256" },
1259 /* RFC 8442 */
1260 { 0xD001, "TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256" },
1261 { 0xD002, "TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384" },
1262 { 0xD003, "TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256" },
1263 { 0xD005, "TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256" },
1264 /* RFC 8701 */
1265 { 0xDADA, "Reserved (GREASE)" },
1266 /* GM/T 0024-2014 */
1267 { 0xe001, "ECDHE_SM1_SM3"},
1268 { 0xe003, "ECC_SM1_SM3"},
1269 { 0xe005, "IBSDH_SM1_SM3"},
1270 { 0xe007, "IBC_SM1_SM3"},
1271 { 0xe009, "RSA_SM1_SM3"},
1272 { 0xe00a, "RSA_SM1_SHA1"},
1273 { 0xe011, "ECDHE_SM4_CBC_SM3"},
1274 { 0xe013, "ECC_SM4_CBC_SM3"},
1275 { 0xe015, "IBSDH_SM4_CBC_SM3"},
1276 { 0xe017, "IBC_SM4_CBC_SM3"},
1277 { 0xe019, "RSA_SM4_CBC_SM3"},
1278 { 0xe01a, "RSA_SM4_CBC_SHA1"},
1279 { 0xe01c, "RSA_SM4_CBC_SHA256"},
1280 { 0xe051, "ECDHE_SM4_GCM_SM3"},
1281 { 0xe053, "ECC_SM4_GCM_SM3"},
1282 { 0xe055, "IBSDH_SM4_GCM_SM3"},
1283 { 0xe057, "IBC_SM4_GCM_SM3"},
1284 { 0xe059, "RSA_SM4_GCM_SM3"},
1285 { 0xe05a, "RSA_SM4_GCM_SHA256"},
1286 /* https://tools.ietf.org/html/draft-josefsson-salsa20-tls */
1287 { 0xE410, "TLS_RSA_WITH_ESTREAM_SALSA20_SHA1" },
1288 { 0xE411, "TLS_RSA_WITH_SALSA20_SHA1" },
1289 { 0xE412, "TLS_ECDHE_RSA_WITH_ESTREAM_SALSA20_SHA1" },
1290 { 0xE413, "TLS_ECDHE_RSA_WITH_SALSA20_SHA1" },
1291 { 0xE414, "TLS_ECDHE_ECDSA_WITH_ESTREAM_SALSA20_SHA1" },
1292 { 0xE415, "TLS_ECDHE_ECDSA_WITH_SALSA20_SHA1" },
1293 { 0xE416, "TLS_PSK_WITH_ESTREAM_SALSA20_SHA1" },
1294 { 0xE417, "TLS_PSK_WITH_SALSA20_SHA1" },
1295 { 0xE418, "TLS_ECDHE_PSK_WITH_ESTREAM_SALSA20_SHA1" },
1296 { 0xE419, "TLS_ECDHE_PSK_WITH_SALSA20_SHA1" },
1297 { 0xE41A, "TLS_RSA_PSK_WITH_ESTREAM_SALSA20_SHA1" },
1298 { 0xE41B, "TLS_RSA_PSK_WITH_SALSA20_SHA1" },
1299 { 0xE41C, "TLS_DHE_PSK_WITH_ESTREAM_SALSA20_SHA1" },
1300 { 0xE41D, "TLS_DHE_PSK_WITH_SALSA20_SHA1" },
1301 { 0xE41E, "TLS_DHE_RSA_WITH_ESTREAM_SALSA20_SHA1" },
1302 { 0xE41F, "TLS_DHE_RSA_WITH_SALSA20_SHA1" },
1303 /* RFC 8701 */
1304 { 0xEAEA, "Reserved (GREASE)" },
1305 { 0xFAFA, "Reserved (GREASE)" },
1306 /* these from http://www.mozilla.org/projects/
1307 security/pki/nss/ssl/fips-ssl-ciphersuites.html */
1308 { 0xfefe, "SSL_RSA_FIPS_WITH_DES_CBC_SHA"},
1309 { 0xfeff, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA" },
1310 /* https://datatracker.ietf.org/doc/html/rfc9189 */
1311 { 0xff85, "TLS_GOSTR341112_256_WITH_28147_CNT_IMIT"},
1312 { 0xffe0, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA" },
1313 { 0xffe1, "SSL_RSA_FIPS_WITH_DES_CBC_SHA" },
1314 /* note that ciphersuites 0xff00 - 0xffff are private */
1315 { 0x00, NULL((void*)0) }
1316};
1317
1318value_string_ext ssl_31_ciphersuite_ext = VALUE_STRING_EXT_INIT(ssl_31_ciphersuite){ _try_val_to_str_ext_init, 0, (sizeof (ssl_31_ciphersuite) /
sizeof ((ssl_31_ciphersuite)[0]))-1, ssl_31_ciphersuite, "ssl_31_ciphersuite"
, ((void*)0) }
;
1319
1320/* http://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#tls-extensiontype-values-1 */
1321const value_string tls_hello_extension_types[] = {
1322 { SSL_HND_HELLO_EXT_SERVER_NAME0, "server_name" }, /* RFC 6066 */
1323 { SSL_HND_HELLO_EXT_MAX_FRAGMENT_LENGTH1, "max_fragment_length" },/* RFC 6066 */
1324 { SSL_HND_HELLO_EXT_CLIENT_CERTIFICATE_URL2, "client_certificate_url" }, /* RFC 6066 */
1325 { SSL_HND_HELLO_EXT_TRUSTED_CA_KEYS3, "trusted_ca_keys" }, /* RFC 6066 */
1326 { SSL_HND_HELLO_EXT_TRUNCATED_HMAC4, "truncated_hmac" }, /* RFC 6066 */
1327 { SSL_HND_HELLO_EXT_STATUS_REQUEST5, "status_request" }, /* RFC 6066 */
1328 { SSL_HND_HELLO_EXT_USER_MAPPING6, "user_mapping" }, /* RFC 4681 */
1329 { SSL_HND_HELLO_EXT_CLIENT_AUTHZ7, "client_authz" }, /* RFC 5878 */
1330 { SSL_HND_HELLO_EXT_SERVER_AUTHZ8, "server_authz" }, /* RFC 5878 */
1331 { SSL_HND_HELLO_EXT_CERT_TYPE9, "cert_type" }, /* RFC 6091 */
1332 { SSL_HND_HELLO_EXT_SUPPORTED_GROUPS10, "supported_groups" }, /* RFC 4492, RFC 7919 */
1333 { SSL_HND_HELLO_EXT_EC_POINT_FORMATS11, "ec_point_formats" }, /* RFC 4492 */
1334 { SSL_HND_HELLO_EXT_SRP12, "srp" }, /* RFC 5054 */
1335 { SSL_HND_HELLO_EXT_SIGNATURE_ALGORITHMS13, "signature_algorithms" }, /* RFC 5246 */
1336 { SSL_HND_HELLO_EXT_USE_SRTP14, "use_srtp" }, /* RFC 5764 */
1337 { SSL_HND_HELLO_EXT_HEARTBEAT15, "heartbeat" }, /* RFC 6520 */
1338 { SSL_HND_HELLO_EXT_ALPN16, "application_layer_protocol_negotiation" }, /* RFC 7301 */
1339 { SSL_HND_HELLO_EXT_STATUS_REQUEST_V217, "status_request_v2" }, /* RFC 6961 */
1340 { SSL_HND_HELLO_EXT_SIGNED_CERTIFICATE_TIMESTAMP18, "signed_certificate_timestamp" }, /* RFC 6962 */
1341 { SSL_HND_HELLO_EXT_CLIENT_CERT_TYPE19, "client_certificate_type" }, /* RFC 7250 */
1342 { SSL_HND_HELLO_EXT_SERVER_CERT_TYPE20, "server_certificate_type" }, /* RFC 7250 */
1343 { SSL_HND_HELLO_EXT_PADDING21, "padding" }, /* RFC 7685 */
1344 { SSL_HND_HELLO_EXT_ENCRYPT_THEN_MAC22, "encrypt_then_mac" }, /* RFC 7366 */
1345 { SSL_HND_HELLO_EXT_EXTENDED_MASTER_SECRET23, "extended_master_secret" }, /* RFC 7627 */
1346 { SSL_HND_HELLO_EXT_TOKEN_BINDING24, "token_binding" }, /* https://tools.ietf.org/html/draft-ietf-tokbind-negotiation */
1347 { SSL_HND_HELLO_EXT_CACHED_INFO25, "cached_info" }, /* RFC 7924 */
1348 { SSL_HND_HELLO_EXT_COMPRESS_CERTIFICATE27, "compress_certificate" }, /* https://tools.ietf.org/html/draft-ietf-tls-certificate-compression-03 */
1349 { SSL_HND_HELLO_EXT_RECORD_SIZE_LIMIT28, "record_size_limit" }, /* RFC 8449 */
1350 { SSL_HND_HELLO_EXT_DELEGATED_CREDENTIALS34, "delegated_credentials" }, /* draft-ietf-tls-subcerts-10.txt */
1351 { SSL_HND_HELLO_EXT_SESSION_TICKET_TLS35, "session_ticket" }, /* RFC 5077 / RFC 8447 */
1352 { SSL_HND_HELLO_EXT_KEY_SHARE_OLD40, "Reserved (key_share)" }, /* https://tools.ietf.org/html/draft-ietf-tls-tls13-22 (removed in -23) */
1353 { SSL_HND_HELLO_EXT_PRE_SHARED_KEY41, "pre_shared_key" }, /* RFC 8446 */
1354 { SSL_HND_HELLO_EXT_EARLY_DATA42, "early_data" }, /* RFC 8446 */
1355 { SSL_HND_HELLO_EXT_SUPPORTED_VERSIONS43, "supported_versions" }, /* RFC 8446 */
1356 { SSL_HND_HELLO_EXT_COOKIE44, "cookie" }, /* RFC 8446 */
1357 { SSL_HND_HELLO_EXT_PSK_KEY_EXCHANGE_MODES45, "psk_key_exchange_modes" }, /* RFC 8446 */
1358 { SSL_HND_HELLO_EXT_TICKET_EARLY_DATA_INFO46, "Reserved (ticket_early_data_info)" }, /* draft-ietf-tls-tls13-18 (removed in -19) */
1359 { SSL_HND_HELLO_EXT_CERTIFICATE_AUTHORITIES47, "certificate_authorities" }, /* RFC 8446 */
1360 { SSL_HND_HELLO_EXT_OID_FILTERS48, "oid_filters" }, /* RFC 8446 */
1361 { SSL_HND_HELLO_EXT_POST_HANDSHAKE_AUTH49, "post_handshake_auth" }, /* RFC 8446 */
1362 { SSL_HND_HELLO_EXT_SIGNATURE_ALGORITHMS_CERT50, "signature_algorithms_cert" }, /* RFC 8446 */
1363 { SSL_HND_HELLO_EXT_KEY_SHARE51, "key_share" }, /* RFC 8446 */
1364 { SSL_HND_HELLO_EXT_TRANSPARENCY_INFO52, "transparency_info" }, /* draft-ietf-trans-rfc6962-bis-41 */
1365 { SSL_HND_HELLO_EXT_CONNECTION_ID_DEPRECATED53, "connection_id (deprecated)" }, /* draft-ietf-tls-dtls-connection-id-07 */
1366 { SSL_HND_HELLO_EXT_CONNECTION_ID54, "connection_id" }, /* RFC 9146 */
1367 { SSL_HND_HELLO_EXT_EXTERNAL_ID_HASH55, "external_id_hash" }, /* RFC 8844 */
1368 { SSL_HND_HELLO_EXT_EXTERNAL_SESSION_ID56, "external_session_id" }, /* RFC 8844 */
1369 { SSL_HND_HELLO_EXT_QUIC_TRANSPORT_PARAMETERS_V157, "quic_transport_parameters" }, /* draft-ietf-quic-tls-33 */
1370 { SSL_HND_HELLO_EXT_TICKET_REQUEST58, "ticket_request" }, /* draft-ietf-tls-ticketrequests-07 */
1371 { SSL_HND_HELLO_EXT_DNSSEC_CHAIN59, "dnssec_chain" }, /* RFC 9102 */
1372 { SSL_HND_HELLO_EXT_GREASE_0A0A2570, "Reserved (GREASE)" }, /* RFC 8701 */
1373 { SSL_HND_HELLO_EXT_GREASE_1A1A6682, "Reserved (GREASE)" }, /* RFC 8701 */
1374 { SSL_HND_HELLO_EXT_GREASE_2A2A10794, "Reserved (GREASE)" }, /* RFC 8701 */
1375 { SSL_HND_HELLO_EXT_NPN13172, "next_protocol_negotiation"}, /* https://datatracker.ietf.org/doc/html/draft-agl-tls-nextprotoneg-03 */
1376 { SSL_HND_HELLO_EXT_GREASE_3A3A14906, "Reserved (GREASE)" }, /* RFC 8701 */
1377 { SSL_HND_HELLO_EXT_ALPS_OLD17513, "application_settings_old" }, /* draft-vvv-tls-alps-01 */
1378 { SSL_HND_HELLO_EXT_ALPS17613, "application_settings" }, /* draft-vvv-tls-alps-01 */ /* https://chromestatus.com/feature/5149147365900288 */
1379 { SSL_HND_HELLO_EXT_GREASE_4A4A19018, "Reserved (GREASE)" }, /* RFC 8701 */
1380 { SSL_HND_HELLO_EXT_GREASE_5A5A23130, "Reserved (GREASE)" }, /* RFC 8701 */
1381 { SSL_HND_HELLO_EXT_GREASE_6A6A27242, "Reserved (GREASE)" }, /* RFC 8701 */
1382 { SSL_HND_HELLO_EXT_CHANNEL_ID_OLD30031, "channel_id_old" }, /* https://tools.ietf.org/html/draft-balfanz-tls-channelid-00
1383 https://twitter.com/ericlaw/status/274237352531083264 */
1384 { SSL_HND_HELLO_EXT_CHANNEL_ID30032, "channel_id" }, /* https://tools.ietf.org/html/draft-balfanz-tls-channelid-01
1385 https://code.google.com/p/chromium/codesearch#chromium/src/net/third_party/nss/ssl/sslt.h&l=209 */
1386 { SSL_HND_HELLO_EXT_RENEGOTIATION_INFO65281, "renegotiation_info" }, /* RFC 5746 */
1387 { SSL_HND_HELLO_EXT_GREASE_7A7A31354, "Reserved (GREASE)" }, /* RFC 8701 */
1388 { SSL_HND_HELLO_EXT_GREASE_8A8A35466, "Reserved (GREASE)" }, /* RFC 8701 */
1389 { SSL_HND_HELLO_EXT_GREASE_9A9A39578, "Reserved (GREASE)" }, /* RFC 8701 */
1390 { SSL_HND_HELLO_EXT_GREASE_AAAA43690, "Reserved (GREASE)" }, /* RFC 8701 */
1391 { SSL_HND_HELLO_EXT_GREASE_BABA47802, "Reserved (GREASE)" }, /* RFC 8701 */
1392 { SSL_HND_HELLO_EXT_GREASE_CACA51914, "Reserved (GREASE)" }, /* RFC 8701 */
1393 { SSL_HND_HELLO_EXT_GREASE_DADA56026, "Reserved (GREASE)" }, /* RFC 8701 */
1394 { SSL_HND_HELLO_EXT_GREASE_EAEA60138, "Reserved (GREASE)" }, /* RFC 8701 */
1395 { SSL_HND_HELLO_EXT_GREASE_FAFA64250, "Reserved (GREASE)" }, /* RFC 8701 */
1396 { SSL_HND_HELLO_EXT_QUIC_TRANSPORT_PARAMETERS65445, "quic_transport_parameters (drafts version)" }, /* https://tools.ietf.org/html/draft-ietf-quic-tls */
1397 { SSL_HND_HELLO_EXT_ENCRYPTED_SERVER_NAME65486, "encrypted_server_name" }, /* https://tools.ietf.org/html/draft-ietf-tls-esni-01 */
1398 { SSL_HND_HELLO_EXT_ENCRYPTED_CLIENT_HELLO65037, "encrypted_client_hello" }, /* https://datatracker.ietf.org/doc/draft-ietf-tls-esni/17/ */
1399 { SSL_HND_HELLO_EXT_ECH_OUTER_EXTENSIONS64768, "ech_outer_extensions" }, /* https://datatracker.ietf.org/doc/draft-ietf-tls-esni/17/ */
1400 { 0, NULL((void*)0) }
1401};
1402
1403const value_string tls_hello_ext_server_name_type_vs[] = {
1404 { 0, "host_name" },
1405 { 0, NULL((void*)0) }
1406};
1407
1408/* RFC 6066 Section 4 */
1409const value_string tls_hello_ext_max_fragment_length[] = {
1410 { 1, "512" }, // 2^9
1411 { 2, "1024" }, // 2^10
1412 { 3, "2048" }, // 2^11
1413 { 4, "4096" }, // 2^12
1414 { 0, NULL((void*)0) }
1415};
1416
1417/* RFC 8446 Section 4.2.9 */
1418const value_string tls_hello_ext_psk_ke_mode[] = {
1419 { 0, "PSK-only key establishment (psk_ke)" },
1420 { 1, "PSK with (EC)DHE key establishment (psk_dhe_ke)" },
1421 { 0, NULL((void*)0) }
1422};
1423
1424/* RFC 6066 Section 6 */
1425const value_string tls_hello_ext_trusted_ca_key_type[] = {
1426 {0, "pre_agreed"},
1427 {1, "key_sha1_hash"},
1428 {2, "x509_name"},
1429 {3, "cert_sha1_hash"},
1430 {0, NULL((void*)0)}
1431};
1432
1433const value_string tls13_key_update_request[] = {
1434 { 0, "update_not_requested" },
1435 { 1, "update_requested" },
1436 { 0, NULL((void*)0) }
1437};
1438
1439/* RFC 5246 7.4.1.4.1 */
1440/* https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml */
1441/* Note that the TLS 1.3 SignatureScheme registry reserves all values
1442 * with first octet 0x00-0x06 and all values with second octet 0x00-0x03
1443 * for backwards compatibility with TLS 1.2 SignatureAndHashAlgorithm.
1444 *
1445 * RFC 8422 and RFC 9189 add official support in TLS 1.2 for some algorithms
1446 * originally defined for TLS 1.3, and extend the TLS SignatureAlgorithm
1447 * and TLS HashAlgorithm registries, but the new values are not compatible
1448 * with all of the TLS 1.3-only SignatureSchemes. Adding those values could
1449 * cause confusion if used to interpret one of those schemes in a
1450 * signature_algorithms extension offered in a TLS 1.3 ClientHello.
1451 */
1452const value_string tls_hash_algorithm[] = {
1453 { 0, "None" },
1454 { 1, "MD5" },
1455 { 2, "SHA1" },
1456 { 3, "SHA224" },
1457 { 4, "SHA256" },
1458 { 5, "SHA384" },
1459 { 6, "SHA512" },
1460#if 0
1461 /* RFC 8422 adds this to the HashAlgorithm registry, but it really
1462 * only applies to 0x0807 and 0x0808, not for other TLS 1.3
1463 * SignatureSchemes with 0x08 in the octet used for Hash in TLS 1.2.
1464 * E.g., we don't want to display this for 0x0806 rsa_pss_rsae_sha512.
1465 */
1466 { 8, "Intrinsic" },
1467#endif
1468 { 0, NULL((void*)0) }
1469};
1470
1471const value_string tls_signature_algorithm[] = {
1472 { 0, "Anonymous" },
1473 { 1, "RSA" },
1474 { 2, "DSA" },
1475 { 3, "ECDSA" },
1476#if 0
1477 /* As above. */
1478 { 7, "ED25519" },
1479 { 8, "ED448" },
1480 { 64, "GOSTR34102012_256" },
1481 { 65, "GOSTR34102012_512" },
1482#endif
1483 { 0, NULL((void*)0) }
1484};
1485
1486/* RFC 8446 Section 4.2.3 */
1487const value_string tls13_signature_algorithm[] = {
1488 { 0x0201, "rsa_pkcs1_sha1" },
1489 { 0x0203, "ecdsa_sha1" },
1490 { 0x0401, "rsa_pkcs1_sha256" },
1491 { 0x0403, "ecdsa_secp256r1_sha256" },
1492 { 0x0420, "rsa_pkcs1_sha256_legacy" }, /* draft-davidben-tls13-pkcs1-01 */
1493 { 0x0501, "rsa_pkcs1_sha384" },
1494 { 0x0503, "ecdsa_secp384r1_sha384" },
1495 { 0x0520, "rsa_pkcs1_sha384_legacy" }, /* draft-davidben-tls13-pkcs1-01 */
1496 { 0x0601, "rsa_pkcs1_sha512" },
1497 { 0x0603, "ecdsa_secp521r1_sha512" },
1498 { 0x0620, "rsa_pkcs1_sha512_legacy" }, /* draft-davidben-tls13-pkcs1-01 */
1499 { 0x0704, "eccsi_sha256" }, /* draft-wang-tls-raw-public-key-with-ibc-02 */
1500 { 0x0705, "iso_ibs1" }, /* draft-wang-tls-raw-public-key-with-ibc-02 */
1501 { 0x0706, "iso_ibs2" }, /* draft-wang-tls-raw-public-key-with-ibc-02 */
1502 { 0x0707, "iso_chinese_ibs" }, /* draft-wang-tls-raw-public-key-with-ibc-02 */
1503 { 0x0708, "sm2sig_sm3" },
1504 { 0x0709, "gostr34102012_256a" }, /* RFC9367 */
1505 { 0x070a, "gostr34102012_256b" }, /* RFC9367 */
1506 { 0x070b, "gostr34102012_256c" }, /* RFC9367 */
1507 { 0x070c, "gostr34102012_256d" }, /* RFC9367 */
1508 { 0x070d, "gostr34102012_512a" }, /* RFC9367 */
1509 { 0x070e, "gostr34102012_512b" }, /* RFC9367 */
1510 { 0x070f, "gostr34102012_512c" }, /* RFC9367 */
1511 { 0x0804, "rsa_pss_rsae_sha256" },
1512 { 0x0805, "rsa_pss_rsae_sha384" },
1513 { 0x0806, "rsa_pss_rsae_sha512" },
1514 { 0x0807, "ed25519" },
1515 { 0x0808, "ed448" },
1516 { 0x0809, "rsa_pss_pss_sha256" },
1517 { 0x080a, "rsa_pss_pss_sha384" },
1518 { 0x080b, "rsa_pss_pss_sha512" },
1519 { 0x081a, "ecdsa_brainpoolP256r1tls13_sha256" }, /* RFC8734 */
1520 { 0x081b, "ecdsa_brainpoolP384r1tls13_sha384" }, /* RFC8734 */
1521 { 0x081c, "ecdsa_brainpoolP512r1tls13_sha512" }, /* RFC8734 */
1522 { 0x0904, "mldsa44" }, /* draft-ietf-tls-mldsa-00 */
1523 { 0x0905, "mldsa65" }, /* draft-ietf-tls-mldsa-00 */
1524 { 0x0906, "mldsa87" }, /* draft-ietf-tls-mldsa-00 */
1525 { 0x0911, "slhdsa_sha2_128s" }, /* draft-reddy-tls-slhdsa-01 */
1526 { 0x0912, "slhdsa_sha2_128f" }, /* draft-reddy-tls-slhdsa-01 */
1527 { 0x0913, "slhdsa_sha2_192s" }, /* draft-reddy-tls-slhdsa-01 */
1528 { 0x0914, "slhdsa_sha2_192f" }, /* draft-reddy-tls-slhdsa-01 */
1529 { 0x0915, "slhdsa_sha2_256s" }, /* draft-reddy-tls-slhdsa-01 */
1530 { 0x0916, "slhdsa_sha2_256f" }, /* draft-reddy-tls-slhdsa-01 */
1531 { 0x0917, "slhdsa_shake_128s" }, /* draft-reddy-tls-slhdsa-01 */
1532 { 0x0918, "slhdsa_shake_128f" }, /* draft-reddy-tls-slhdsa-01 */
1533 { 0x0919, "slhdsa_shake_192s" }, /* draft-reddy-tls-slhdsa-01 */
1534 { 0x091a, "slhdsa_shake_192f" }, /* draft-reddy-tls-slhdsa-01 */
1535 { 0x091b, "slhdsa_shake_256s" }, /* draft-reddy-tls-slhdsa-01 */
1536 { 0x091c, "slhdsa_shake_256f" }, /* draft-reddy-tls-slhdsa-01 */
1537 /* PQC digital signature algorithms from OQS-OpenSSL,
1538 see https://github.com/open-quantum-safe/oqs-provider/blob/main/oqs-template/oqs-sig-info.md */
1539 { 0xfea0, "dilithium2" },
1540 { 0xfea1, "p256_dilithium2" },
1541 { 0xfea2, "rsa3072_dilithium2" },
1542 { 0xfea3, "dilithium3" },
1543 { 0xfea4, "p384_dilithium3" },
1544 { 0xfea5, "dilithium5" },
1545 { 0xfea6, "p521_dilithium5" },
1546 { 0xfea7, "dilithium2_aes" },
1547 { 0xfea8, "p256_dilithium2_aes" },
1548 { 0xfea9, "rsa3072_dilithium2_aes" },
1549 { 0xfeaa, "dilithium3_aes" },
1550 { 0xfeab, "p384_dilithium3_aes" },
1551 { 0xfeac, "dilithium5_aes" },
1552 { 0xfead, "p521_dilithium5_aes" },
1553 { 0xfe0b, "falcon512" },
1554 { 0xfe0c, "p256_falcon512" },
1555 { 0xfe0d, "rsa3072_falcon512" },
1556 { 0xfe0e, "falcon1024" },
1557 { 0xfe0f, "p521_falcon1024" },
1558 { 0xfe96, "picnicl1full" },
1559 { 0xfe97, "p256_picnicl1full" },
1560 { 0xfe98, "rsa3072_picnicl1full" },
1561 { 0xfe1b, "picnic3l1" },
1562 { 0xfe1c, "p256_picnic3l1" },
1563 { 0xfe1d, "rsa3072_picnic3l1" },
1564 { 0xfe27, "rainbowIclassic" },
1565 { 0xfe28, "p256_rainbowIclassic" },
1566 { 0xfe29, "rsa3072_rainbowIclassic" },
1567 { 0xfe3c, "rainbowVclassic" },
1568 { 0xfe3d, "p521_rainbowVclassic" },
1569 { 0xfe42, "sphincsharaka128frobust" },
1570 { 0xfe43, "p256_sphincsharaka128frobust" },
1571 { 0xfe44, "rsa3072_sphincsharaka128frobust" },
1572 { 0xfe5e, "sphincssha256128frobust" },
1573 { 0xfe5f, "p256_sphincssha256128frobust" },
1574 { 0xfe60, "rsa3072_sphincssha256128frobust" },
1575 { 0xfe7a, "sphincsshake256128frobust" },
1576 { 0xfe7b, "p256_sphincsshake256128frobust" },
1577 { 0xfe7c, "rsa3072_sphincsshake256128frobust" },
1578 { 0, NULL((void*)0) }
1579};
1580
1581/* RFC 6091 3.1 */
1582const value_string tls_certificate_type[] = {
1583 { 0, "X.509" },
1584 { 1, "OpenPGP" },
1585 { SSL_HND_CERT_TYPE_RAW_PUBLIC_KEY2, "Raw Public Key" }, /* RFC 7250 */
1586 { 0, NULL((void*)0) }
1587};
1588
1589const value_string tls_cert_chain_type[] = {
1590 { SSL_HND_CERT_URL_TYPE_INDIVIDUAL_CERT1, "Individual Certificates" },
1591 { SSL_HND_CERT_URL_TYPE_PKIPATH2, "PKI Path" },
1592 { 0, NULL((void*)0) }
1593};
1594
1595const value_string tls_cert_status_type[] = {
1596 { SSL_HND_CERT_STATUS_TYPE_OCSP1, "OCSP" },
1597 { SSL_HND_CERT_STATUS_TYPE_OCSP_MULTI2, "OCSP Multi" },
1598 { 0, NULL((void*)0) }
1599};
1600
1601/* Generated by tools/dissector_generators/generate-tls-ct-logids.py
1602 * Last-Modified Sat, 11 Jul 2026 13:58:00 GMT, 42 entries. */
1603static const bytes_string ct_logids[] = {
1604 { (const uint8_t[]){
1605 0x0e, 0x57, 0x94, 0xbc, 0xf3, 0xae, 0xa9, 0x3e, 0x33, 0x1b, 0x2c,
1606 0x99, 0x07, 0xb3, 0xf7, 0x90, 0xdf, 0x9b, 0xc2, 0x3d, 0x71, 0x32,
1607 0x25, 0xdd, 0x21, 0xa9, 0x25, 0xac, 0x61, 0xc5, 0x4e, 0x21,
1608 },
1609 32, "Google 'Argon2026h1' log" },
1610 { (const uint8_t[]){
1611 0xd7, 0x6d, 0x7d, 0x10, 0xd1, 0xa7, 0xf5, 0x77, 0xc2, 0xc7, 0xe9,
1612 0x5f, 0xd7, 0x00, 0xbf, 0xf9, 0x82, 0xc9, 0x33, 0x5a, 0x65, 0xe1,
1613 0xd0, 0xb3, 0x01, 0x73, 0x17, 0xc0, 0xc8, 0xc5, 0x69, 0x77,
1614 },
1615 32, "Google 'Argon2026h2' log" },
1616 { (const uint8_t[]){
1617 0xd6, 0xd5, 0x8d, 0xa9, 0xd0, 0x17, 0x53, 0xf3, 0x6a, 0x4a, 0xa0,
1618 0xc7, 0x57, 0x49, 0x02, 0xaf, 0xeb, 0xc7, 0xdc, 0x2c, 0xd3, 0x8c,
1619 0xd9, 0xf7, 0x64, 0xc8, 0x0c, 0x89, 0x19, 0x1e, 0x9f, 0x02,
1620 },
1621 32, "Google 'Argon2027h1'" },
1622 { (const uint8_t[]){
1623 0x96, 0x97, 0x64, 0xbf, 0x55, 0x58, 0x97, 0xad, 0xf7, 0x43, 0x87,
1624 0x68, 0x37, 0x08, 0x42, 0x77, 0xe9, 0xf0, 0x3a, 0xd5, 0xf6, 0xa4,
1625 0xf3, 0x36, 0x6e, 0x46, 0xa4, 0x3f, 0x0f, 0xca, 0xa9, 0xc6,
1626 },
1627 32, "Google 'Xenon2026h1' log" },
1628 { (const uint8_t[]){
1629 0xd8, 0x09, 0x55, 0x3b, 0x94, 0x4f, 0x7a, 0xff, 0xc8, 0x16, 0x19,
1630 0x6f, 0x94, 0x4f, 0x85, 0xab, 0xb0, 0xf8, 0xfc, 0x5e, 0x87, 0x55,
1631 0x26, 0x0f, 0x15, 0xd1, 0x2e, 0x72, 0xbb, 0x45, 0x4b, 0x14,
1632 },
1633 32, "Google 'Xenon2026h2' log" },
1634 { (const uint8_t[]){
1635 0x44, 0xc2, 0xbd, 0x0c, 0xe9, 0x14, 0x0e, 0x64, 0xa5, 0xc9, 0x4a,
1636 0x01, 0x93, 0x0a, 0x5a, 0xa1, 0xbb, 0x35, 0x97, 0x0e, 0x00, 0xee,
1637 0x11, 0x16, 0x89, 0x68, 0x2a, 0x1c, 0x44, 0xd7, 0xb5, 0x66,
1638 },
1639 32, "Google 'Xenon2027h1'" },
1640 { (const uint8_t[]){
1641 0xa8, 0x99, 0xd8, 0x78, 0x0c, 0x92, 0x90, 0xaa, 0xf4, 0x62, 0xf3,
1642 0x18, 0x80, 0xcc, 0xfb, 0xd5, 0x24, 0x51, 0xe9, 0x70, 0xd0, 0xfb,
1643 0xf5, 0x91, 0xef, 0x75, 0xb0, 0xd9, 0x9b, 0x64, 0x56, 0x81,
1644 },
1645 32, "Google 'Submariner' log" },
1646 { (const uint8_t[]){
1647 0x1d, 0x02, 0x4b, 0x8e, 0xb1, 0x49, 0x8b, 0x34, 0x4d, 0xfd, 0x87,
1648 0xea, 0x3e, 0xfc, 0x09, 0x96, 0xf7, 0x50, 0x6f, 0x23, 0x5d, 0x1d,
1649 0x49, 0x70, 0x61, 0xa4, 0x77, 0x3c, 0x43, 0x9c, 0x25, 0xfb,
1650 },
1651 32, "Google 'Daedalus' log" },
1652 { (const uint8_t[]){
1653 0xb0, 0xcc, 0x83, 0xe5, 0xa5, 0xf9, 0x7d, 0x6b, 0xaf, 0x7c, 0x09,
1654 0xcc, 0x28, 0x49, 0x04, 0x87, 0x2a, 0xc7, 0xe8, 0x8b, 0x13, 0x2c,
1655 0x63, 0x50, 0xb7, 0xc6, 0xfd, 0x26, 0xe1, 0x6c, 0x6c, 0x77,
1656 },
1657 32, "Google 'Testtube' log" },
1658 { (const uint8_t[]){
1659 0xc3, 0xbf, 0x03, 0xa7, 0xe1, 0xca, 0x88, 0x41, 0xc6, 0x07, 0xba,
1660 0xe3, 0xff, 0x42, 0x70, 0xfc, 0xa5, 0xec, 0x45, 0xb1, 0x86, 0xeb,
1661 0xbe, 0x4e, 0x2c, 0xf3, 0xfc, 0x77, 0x86, 0x30, 0xf5, 0xf6,
1662 },
1663 32, "Google 'Crucible' log" },
1664 { (const uint8_t[]){
1665 0xc8, 0x4b, 0x90, 0x7a, 0x07, 0xbe, 0xaa, 0x29, 0xa6, 0x14, 0xc2,
1666 0x45, 0x84, 0xb7, 0xa3, 0xf6, 0x62, 0x43, 0x94, 0x68, 0x7b, 0x25,
1667 0xfe, 0x62, 0x83, 0x8b, 0x71, 0xec, 0x42, 0x2a, 0xd2, 0xf9,
1668 },
1669 32, "Google 'Solera2026h1' log" },
1670 { (const uint8_t[]){
1671 0x62, 0xe9, 0x00, 0x60, 0x04, 0xa3, 0x07, 0x95, 0x5a, 0x75, 0x44,
1672 0xb4, 0xd5, 0x84, 0xa9, 0x62, 0x68, 0xca, 0x1d, 0x6e, 0x45, 0x85,
1673 0xad, 0xf0, 0x91, 0x6d, 0xfe, 0x5f, 0xdc, 0x1f, 0x04, 0xdb,
1674 },
1675 32, "Google 'Solera2026h2' log" },
1676 { (const uint8_t[]){
1677 0x3d, 0xe4, 0x92, 0xa8, 0x98, 0x93, 0xad, 0x70, 0x5e, 0x78, 0x46,
1678 0xed, 0x21, 0xd4, 0x8d, 0xca, 0xfb, 0xad, 0x13, 0x9e, 0xa6, 0x4e,
1679 0xd1, 0xe3, 0x49, 0xf9, 0x00, 0xb0, 0xa2, 0xcd, 0xa5, 0xe2,
1680 },
1681 32, "Google 'Solera2027h1' log" },
1682 { (const uint8_t[]){
1683 0xcb, 0x38, 0xf7, 0x15, 0x89, 0x7c, 0x84, 0xa1, 0x44, 0x5f, 0x5b,
1684 0xc1, 0xdd, 0xfb, 0xc9, 0x6e, 0xf2, 0x9a, 0x59, 0xcd, 0x47, 0x0a,
1685 0x69, 0x05, 0x85, 0xb0, 0xcb, 0x14, 0xc3, 0x14, 0x58, 0xe7,
1686 },
1687 32, "Cloudflare 'Nimbus2026'" },
1688 { (const uint8_t[]){
1689 0x4c, 0x63, 0xdc, 0x98, 0xe5, 0x9c, 0x1d, 0xab, 0x88, 0xf6, 0x1e,
1690 0x8a, 0x3d, 0xde, 0xae, 0x8f, 0xab, 0x44, 0xa3, 0x37, 0x7b, 0x5f,
1691 0x9b, 0x94, 0xc3, 0xfb, 0xa1, 0x9c, 0xfc, 0xc1, 0xbe, 0x26,
1692 },
1693 32, "Cloudflare 'Nimbus2027'" },
1694 { (const uint8_t[]){
1695 0x64, 0x11, 0xc4, 0x6c, 0xa4, 0x12, 0xec, 0xa7, 0x89, 0x1c, 0xa2,
1696 0x02, 0x2e, 0x00, 0xbc, 0xab, 0x4f, 0x28, 0x07, 0xd4, 0x1e, 0x35,
1697 0x27, 0xab, 0xea, 0xfe, 0xd5, 0x03, 0xc9, 0x7d, 0xcd, 0xf0,
1698 },
1699 32, "DigiCert 'Wyvern2026h1'" },
1700 { (const uint8_t[]){
1701 0xc2, 0x31, 0x7e, 0x57, 0x45, 0x19, 0xa3, 0x45, 0xee, 0x7f, 0x38,
1702 0xde, 0xb2, 0x90, 0x41, 0xeb, 0xc7, 0xc2, 0x21, 0x5a, 0x22, 0xbf,
1703 0x7f, 0xd5, 0xb5, 0xad, 0x76, 0x9a, 0xd9, 0x0e, 0x52, 0xcd,
1704 },
1705 32, "DigiCert 'Wyvern2026h2'" },
1706 { (const uint8_t[]){
1707 0x00, 0x1a, 0x5d, 0x1a, 0x1c, 0x2d, 0x93, 0x75, 0xb6, 0x48, 0x55,
1708 0x78, 0xf8, 0x2f, 0x71, 0xa1, 0xae, 0x6e, 0xef, 0x39, 0x7d, 0x29,
1709 0x7c, 0x8a, 0xe3, 0x15, 0x7b, 0xca, 0xde, 0xe1, 0xa0, 0x1e,
1710 },
1711 32, "DigiCert 'Wyvern2027h1'" },
1712 { (const uint8_t[]){
1713 0x37, 0xaa, 0x07, 0xcc, 0x21, 0x6f, 0x2e, 0x6d, 0x91, 0x9c, 0x70,
1714 0x9d, 0x24, 0xd8, 0xf7, 0x31, 0xb0, 0x0f, 0x2b, 0x14, 0x7c, 0x62,
1715 0x1c, 0xc0, 0x91, 0xa5, 0xfa, 0x1a, 0x84, 0xd8, 0x16, 0xdd,
1716 },
1717 32, "DigiCert 'Wyvern2027h2'" },
1718 { (const uint8_t[]){
1719 0x49, 0x9c, 0x9b, 0x69, 0xde, 0x1d, 0x7c, 0xec, 0xfc, 0x36, 0xde,
1720 0xcd, 0x87, 0x64, 0xa6, 0xb8, 0x5b, 0xaf, 0x0a, 0x87, 0x80, 0x19,
1721 0xd1, 0x55, 0x52, 0xfb, 0xe9, 0xeb, 0x29, 0xdd, 0xf8, 0xc3,
1722 },
1723 32, "DigiCert 'Sphinx2026h1'" },
1724 { (const uint8_t[]){
1725 0x94, 0x4e, 0x43, 0x87, 0xfa, 0xec, 0xc1, 0xef, 0x81, 0xf3, 0x19,
1726 0x24, 0x26, 0xa8, 0x18, 0x65, 0x01, 0xc7, 0xd3, 0x5f, 0x38, 0x02,
1727 0x01, 0x3f, 0x72, 0x67, 0x7d, 0x55, 0x37, 0x2e, 0x19, 0xd8,
1728 },
1729 32, "DigiCert 'Sphinx2026h2'" },
1730 { (const uint8_t[]){
1731 0x46, 0xa2, 0x39, 0x67, 0xc6, 0x0d, 0xb6, 0x46, 0x87, 0xc6, 0x6f,
1732 0x3d, 0xf9, 0x99, 0x94, 0x76, 0x93, 0xa6, 0xa6, 0x11, 0x20, 0x84,
1733 0x57, 0xd5, 0x55, 0xe7, 0xe3, 0xd0, 0xa1, 0xd9, 0xb6, 0x46,
1734 },
1735 32, "DigiCert 'sphinx2027h1'" },
1736 { (const uint8_t[]){
1737 0x1f, 0xb0, 0xf8, 0xa9, 0x2d, 0x8a, 0xdd, 0xa1, 0x21, 0x77, 0x6c,
1738 0x05, 0xe2, 0xaa, 0x2e, 0x15, 0xba, 0xcb, 0xc6, 0x2b, 0x65, 0x39,
1739 0x36, 0x95, 0x57, 0x6a, 0xaa, 0xb5, 0x2e, 0x11, 0xd1, 0x1d,
1740 },
1741 32, "DigiCert 'sphinx2027h2'" },
1742 { (const uint8_t[]){
1743 0x25, 0x2f, 0x94, 0xc2, 0x2b, 0x29, 0xe9, 0x6e, 0x9f, 0x41, 0x1a,
1744 0x72, 0x07, 0x2b, 0x69, 0x5c, 0x5b, 0x52, 0xff, 0x97, 0xa9, 0x0d,
1745 0x25, 0x40, 0xbb, 0xfc, 0xdc, 0x51, 0xec, 0x4d, 0xee, 0x0b,
1746 },
1747 32, "Sectigo 'Mammoth2026h1'" },
1748 { (const uint8_t[]){
1749 0x94, 0xb1, 0xc1, 0x8a, 0xb0, 0xd0, 0x57, 0xc4, 0x7b, 0xe0, 0xac,
1750 0x04, 0x0e, 0x1f, 0x2c, 0xbc, 0x8d, 0xc3, 0x75, 0x72, 0x7b, 0xc9,
1751 0x51, 0xf2, 0x0a, 0x52, 0x61, 0x26, 0x86, 0x3b, 0xa7, 0x3c,
1752 },
1753 32, "Sectigo 'Mammoth2026h2'" },
1754 { (const uint8_t[]){
1755 0x56, 0x6c, 0xd5, 0xa3, 0x76, 0xbe, 0x83, 0xdf, 0xe3, 0x42, 0xb6,
1756 0x75, 0xc4, 0x9c, 0x23, 0x24, 0x98, 0xa7, 0x69, 0xba, 0xc3, 0x82,
1757 0xcb, 0xab, 0x49, 0xa3, 0x87, 0x7d, 0x9a, 0xb3, 0x2d, 0x01,
1758 },
1759 32, "Sectigo 'Sabre2026h1'" },
1760 { (const uint8_t[]){
1761 0x1f, 0x56, 0xd1, 0xab, 0x94, 0x70, 0x4a, 0x41, 0xdd, 0x3f, 0xea,
1762 0xfd, 0xf4, 0x69, 0x93, 0x55, 0x30, 0x2c, 0x14, 0x31, 0xbf, 0xe6,
1763 0x13, 0x46, 0x08, 0x9f, 0xff, 0xae, 0x79, 0x5d, 0xcc, 0x2f,
1764 },
1765 32, "Sectigo 'Sabre2026h2'" },
1766 { (const uint8_t[]){
1767 0xd1, 0x6e, 0xa9, 0xa5, 0x68, 0x07, 0x7e, 0x66, 0x35, 0xa0, 0x3f,
1768 0x37, 0xa5, 0xdd, 0xbc, 0x03, 0xa5, 0x3c, 0x41, 0x12, 0x14, 0xd4,
1769 0x88, 0x18, 0xf5, 0xe9, 0x31, 0xb3, 0x23, 0xcb, 0x95, 0x04,
1770 },
1771 32, "Sectigo 'Elephant2026h1'" },
1772 { (const uint8_t[]){
1773 0xaf, 0x67, 0x88, 0x3b, 0x57, 0xb0, 0x4e, 0xdd, 0x8f, 0xa6, 0xd9,
1774 0x7e, 0xf6, 0x2e, 0xa8, 0xeb, 0x81, 0x0a, 0xc7, 0x71, 0x60, 0xf0,
1775 0x24, 0x5e, 0x55, 0xd6, 0x0c, 0x2f, 0xe7, 0x85, 0x87, 0x3a,
1776 },
1777 32, "Sectigo 'Elephant2026h2'" },
1778 { (const uint8_t[]){
1779 0x60, 0x4c, 0x9a, 0xaf, 0x7a, 0x7f, 0x77, 0x5f, 0x01, 0xd4, 0x06,
1780 0xfc, 0x92, 0x0d, 0xc8, 0x99, 0xeb, 0x0b, 0x1c, 0x7d, 0xf8, 0xc9,
1781 0x52, 0x1b, 0xfa, 0xfa, 0x17, 0x77, 0x3b, 0x97, 0x8b, 0xc9,
1782 },
1783 32, "Sectigo 'Elephant2027h1'" },
1784 { (const uint8_t[]){
1785 0xa2, 0x49, 0x0c, 0xdc, 0xdb, 0x8e, 0x33, 0xa4, 0x00, 0x32, 0x17,
1786 0x60, 0xd6, 0xd4, 0xd5, 0x1a, 0x20, 0x36, 0x19, 0x1e, 0xa7, 0x7d,
1787 0x96, 0x8b, 0xe2, 0x6a, 0x8a, 0x00, 0xf6, 0xff, 0xff, 0xf7,
1788 },
1789 32, "Sectigo 'Elephant2027h2'" },
1790 { (const uint8_t[]){
1791 0x16, 0x83, 0x2d, 0xab, 0xf0, 0xa9, 0x25, 0x0f, 0x0f, 0xf0, 0x3a,
1792 0xa5, 0x45, 0xff, 0xc8, 0xbf, 0xc8, 0x23, 0xd0, 0x87, 0x4b, 0xf6,
1793 0x04, 0x29, 0x27, 0xf8, 0xe7, 0x1f, 0x33, 0x13, 0xf5, 0xfa,
1794 },
1795 32, "Sectigo 'Tiger2026h1'" },
1796 { (const uint8_t[]){
1797 0xc8, 0xa3, 0xc4, 0x7f, 0xc7, 0xb3, 0xad, 0xb9, 0x35, 0x6b, 0x01,
1798 0x3f, 0x6a, 0x7a, 0x12, 0x6d, 0xe3, 0x3a, 0x4e, 0x43, 0xa5, 0xc6,
1799 0x46, 0xf9, 0x97, 0xad, 0x39, 0x75, 0x99, 0x1d, 0xcf, 0x9a,
1800 },
1801 32, "Sectigo 'Tiger2026h2'" },
1802 { (const uint8_t[]){
1803 0x1c, 0x9f, 0x68, 0x2c, 0xe9, 0xfa, 0xf0, 0x45, 0x69, 0x50, 0xf8,
1804 0x1b, 0x96, 0x8a, 0x87, 0xdd, 0xdb, 0x32, 0x10, 0xd8, 0x4c, 0xe6,
1805 0xc8, 0xb2, 0xe3, 0x82, 0x52, 0x4a, 0xc4, 0xcf, 0x59, 0x9f,
1806 },
1807 32, "Sectigo 'Tiger2027h1'" },
1808 { (const uint8_t[]){
1809 0x03, 0x80, 0x2a, 0xc2, 0x62, 0xf6, 0xe0, 0x5e, 0x03, 0xf8, 0xbc,
1810 0x6f, 0x7b, 0x98, 0x51, 0x32, 0x4f, 0xd7, 0x6a, 0x3d, 0xf5, 0xb7,
1811 0x59, 0x51, 0x75, 0xe2, 0x22, 0xfb, 0x8e, 0x9b, 0xd5, 0xf6,
1812 },
1813 32, "Sectigo 'Tiger2027h2'" },
1814 { (const uint8_t[]){
1815 0x19, 0x86, 0xd4, 0xc7, 0x28, 0xaa, 0x6f, 0xfe, 0xba, 0x03, 0x6f,
1816 0x78, 0x2a, 0x4d, 0x01, 0x91, 0xaa, 0xce, 0x2d, 0x72, 0x31, 0x0f,
1817 0xae, 0xce, 0x5d, 0x70, 0x41, 0x2d, 0x25, 0x4c, 0xc7, 0xd4,
1818 },
1819 32, "Let's Encrypt 'Oak2026h1'" },
1820 { (const uint8_t[]){
1821 0xac, 0xab, 0x30, 0x70, 0x6c, 0xeb, 0xec, 0x84, 0x31, 0xf4, 0x13,
1822 0xd2, 0xf4, 0x91, 0x5f, 0x11, 0x1e, 0x42, 0x24, 0x43, 0xb1, 0xf2,
1823 0xa6, 0x8c, 0x4f, 0x3c, 0x2b, 0x3b, 0xa7, 0x1e, 0x02, 0xc3,
1824 },
1825 32, "Let's Encrypt 'Oak2026h2'" },
1826 { (const uint8_t[]){
1827 0x74, 0xdb, 0x9d, 0x58, 0xf7, 0xd4, 0x7e, 0x9d, 0xfd, 0x78, 0x7a,
1828 0x16, 0x2a, 0x99, 0x1c, 0x18, 0xcf, 0x69, 0x8d, 0xa7, 0xc7, 0x29,
1829 0x91, 0x8c, 0x9a, 0x18, 0xb0, 0x45, 0x0d, 0xba, 0x44, 0xbc,
1830 },
1831 32, "TrustAsia 'log2026a'" },
1832 { (const uint8_t[]){
1833 0x25, 0xb7, 0xef, 0xde, 0xa1, 0x13, 0x01, 0x93, 0xed, 0x93, 0x07,
1834 0x97, 0x70, 0xaa, 0x32, 0x2a, 0x26, 0x62, 0x0d, 0xe3, 0x5a, 0xc8,
1835 0xaa, 0x7c, 0x75, 0x19, 0x7d, 0xe0, 0xb1, 0xa9, 0xe0, 0x65,
1836 },
1837 32, "TrustAsia 'log2026b'" },
1838 { (const uint8_t[]){
1839 0xed, 0xda, 0xeb, 0x81, 0x5c, 0x63, 0x21, 0x34, 0x49, 0xb4, 0x7b,
1840 0xe5, 0x07, 0x79, 0x05, 0xab, 0xd0, 0xd9, 0x31, 0x47, 0xc2, 0x7a,
1841 0xc5, 0x14, 0x6b, 0x3b, 0xc5, 0x8e, 0x43, 0xe9, 0xb6, 0xc7,
1842 },
1843 32, "TrustAsia 'HETU2027'" },
1844 { (const uint8_t[]){
1845 0x2e, 0xd6, 0xa4, 0x4d, 0xeb, 0x8f, 0x0c, 0x86, 0x46, 0x67, 0x76,
1846 0x9c, 0x4e, 0xdd, 0x04, 0x1f, 0x84, 0x23, 0x67, 0x55, 0xfa, 0x3a,
1847 0xac, 0xa6, 0x34, 0xd0, 0x93, 0x5d, 0xfc, 0xd5, 0x9a, 0x70,
1848 },
1849 32, "Bogus placeholder log to unbreak misbehaving CT libraries" },
1850 { (const uint8_t[]){
1851 0xd2, 0xfc, 0x65, 0x2f, 0xa5, 0xf9, 0xb7, 0x38, 0xb8, 0x37, 0x55,
1852 0xfa, 0x5e, 0xb1, 0x5f, 0x0b, 0x45, 0x25, 0x3f, 0x4e, 0x8f, 0xa3,
1853 0xb9, 0xb6, 0x4f, 0xd4, 0xde, 0x56, 0x62, 0xd1, 0x87, 0x08,
1854 },
1855 32, "Bogus RFC6962 log to avoid breaking misbehaving CT libraries" },
1856 { NULL((void*)0), 0, NULL((void*)0) }
1857};
1858
1859/*
1860 * Application-Layer Protocol Negotiation (ALPN) dissector tables.
1861 */
1862static dissector_table_t ssl_alpn_dissector_table;
1863static dissector_table_t dtls_alpn_dissector_table;
1864
1865/*
1866 * Special cases for prefix matching of the ALPN, if the ALPN includes
1867 * a version number for a draft or protocol revision.
1868 */
1869typedef struct ssl_alpn_prefix_match_protocol {
1870 const char *proto_prefix;
1871 const char *dissector_name;
1872} ssl_alpn_prefix_match_protocol_t;
1873
1874static const ssl_alpn_prefix_match_protocol_t ssl_alpn_prefix_match_protocols[] = {
1875 /* SPDY moves so fast, just 1, 2 and 3 are registered with IANA but there
1876 * already exists 3.1 as of this writing... match the prefix. */
1877 { "spdy/", "spdy" },
1878 /* draft-ietf-httpbis-http2-16 */
1879 { "h2-", "http2" }, /* draft versions */
1880};
1881
1882const value_string compress_certificate_algorithm_vals[] = {
1883 { 1, "zlib" },
1884 { 2, "brotli" },
1885 { 3, "zstd" },
1886 { 0, NULL((void*)0) }
1887};
1888
1889
1890const val64_string quic_transport_parameter_id[] = {
1891 { SSL_HND_QUIC_TP_ORIGINAL_DESTINATION_CONNECTION_ID0x00, "original_destination_connection_id" },
1892 { SSL_HND_QUIC_TP_MAX_IDLE_TIMEOUT0x01, "max_idle_timeout" },
1893 { SSL_HND_QUIC_TP_STATELESS_RESET_TOKEN0x02, "stateless_reset_token" },
1894 { SSL_HND_QUIC_TP_MAX_UDP_PAYLOAD_SIZE0x03, "max_udp_payload_size" },
1895 { SSL_HND_QUIC_TP_INITIAL_MAX_DATA0x04, "initial_max_data" },
1896 { SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_BIDI_LOCAL0x05, "initial_max_stream_data_bidi_local" },
1897 { SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_BIDI_REMOTE0x06, "initial_max_stream_data_bidi_remote" },
1898 { SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_UNI0x07, "initial_max_stream_data_uni" },
1899 { SSL_HND_QUIC_TP_INITIAL_MAX_STREAMS_UNI0x09, "initial_max_streams_uni" },
1900 { SSL_HND_QUIC_TP_INITIAL_MAX_STREAMS_BIDI0x08, "initial_max_streams_bidi" },
1901 { SSL_HND_QUIC_TP_ACK_DELAY_EXPONENT0x0a, "ack_delay_exponent" },
1902 { SSL_HND_QUIC_TP_MAX_ACK_DELAY0x0b, "max_ack_delay" },
1903 { SSL_HND_QUIC_TP_DISABLE_ACTIVE_MIGRATION0x0c, "disable_active_migration" },
1904 { SSL_HND_QUIC_TP_PREFERRED_ADDRESS0x0d, "preferred_address" },
1905 { SSL_HND_QUIC_TP_ACTIVE_CONNECTION_ID_LIMIT0x0e, "active_connection_id_limit" },
1906 { SSL_HND_QUIC_TP_INITIAL_SOURCE_CONNECTION_ID0x0f, "initial_source_connection_id" },
1907 { SSL_HND_QUIC_TP_RETRY_SOURCE_CONNECTION_ID0x10, "retry_source_connection_id" },
1908 { SSL_HND_QUIC_TP_MAX_DATAGRAM_FRAME_SIZE0x20, "max_datagram_frame_size" },
1909 { SSL_HND_QUIC_TP_CIBIR_ENCODING0x1000, "cibir_encoding" },
1910 { SSL_HND_QUIC_TP_LOSS_BITS0x1057, "loss_bits" },
1911 { SSL_HND_QUIC_TP_GREASE_QUIC_BIT0x2ab2, "grease_quic_bit" },
1912 { SSL_HND_QUIC_TP_ENABLE_TIME_STAMP0x7157, "enable_time_stamp" },
1913 { SSL_HND_QUIC_TP_ENABLE_TIME_STAMP_V20x7158, "enable_time_stamp_v2" },
1914 { SSL_HND_QUIC_TP_VERSION_INFORMATION0x11, "version_information" },
1915 { SSL_HND_QUIC_TP_VERSION_INFORMATION_DRAFT0xff73db, "version_information_draft" },
1916 { SSL_HND_QUIC_TP_MIN_ACK_DELAY_OLD0xde1a, "min_ack_delay" },
1917 { SSL_HND_QUIC_TP_GOOGLE_USER_AGENT0x3129, "google_user_agent" },
1918 { SSL_HND_QUIC_TP_GOOGLE_KEY_UPDATE_NOT_YET_SUPPORTED0x312B, "google_key_update_not_yet_supported" },
1919 { SSL_HND_QUIC_TP_GOOGLE_QUIC_VERSION0x4752, "google_quic_version" },
1920 { SSL_HND_QUIC_TP_GOOGLE_INITIAL_RTT0x3127, "google_initial_rtt" },
1921 { SSL_HND_QUIC_TP_GOOGLE_SUPPORT_HANDSHAKE_DONE0x312A, "google_support_handshake_done" },
1922 { SSL_HND_QUIC_TP_GOOGLE_QUIC_PARAMS0x4751, "google_quic_params" },
1923 { SSL_HND_QUIC_TP_GOOGLE_CONNECTION_OPTIONS0x3128, "google_connection_options" },
1924 { SSL_HND_QUIC_TP_FACEBOOK_PARTIAL_RELIABILITY0xFF00, "facebook_partial_reliability" },
1925 { SSL_HND_QUIC_TP_ADDRESS_DISCOVERY0x9f81a176, "address_discovery" },
1926 { SSL_HND_QUIC_TP_MIN_ACK_DELAY_DRAFT_V10xFF03DE1A, "min_ack_delay (draft-01)" },
1927 { SSL_HND_QUIC_TP_MIN_ACK_DELAY_DRAFT050xff04de1a, "min_ack_delay (draft-05)" },
1928 { SSL_HND_QUIC_TP_MIN_ACK_DELAY0xff04de1b, "min_ack_delay" },
1929 { SSL_HND_QUIC_TP_ENABLE_MULTIPATH_DRAFT040x0f739bbc1b666d04, "enable_multipath (draft-04)" },
1930 { SSL_HND_QUIC_TP_ENABLE_MULTIPATH_DRAFT050x0f739bbc1b666d05, "enable_multipath (draft-05)" },
1931 { SSL_HND_QUIC_TP_ENABLE_MULTIPATH0x0f739bbc1b666d06, "enable_multipath (draft-06)" },
1932 { SSL_HND_QUIC_TP_INITIAL_MAX_PATHS0x0f739bbc1b666d07, "initial_max_paths (draft-07/08)" },
1933 { SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT090x0f739bbc1b666d09, "initial_max_path_id (draft-09/10)" },
1934 { SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT110x0f739bbc1b666d11, "initial_max_path_id (draft-11)" },
1935 { SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT120x0f739bbc1b666d0c, "initial_max_path_id (draft-12)" },
1936 { SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT130x0f739bbc1b666d0d, "initial_max_path_id (draft-13)" },
1937 { SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID0x3e, "initial_max_path_id" },
1938 { 0, NULL((void*)0) }
1939};
1940
1941/* https://tools.ietf.org/html/draft-ietf-quic-address-discovery-00 */
1942const val64_string quic_address_discovery_vals[] = {
1943 { 0, "The node is willing to provide address observations to its peer, but is not interested in receiving address observations itself" },
1944 { 1, "The node is interested in receiving address observations, but it is not willing to provide address observations" },
1945 { 2, "The node is interested in receiving address observations, and it is willing to provide address observations" },
1946 { 0, NULL((void*)0) }
1947};
1948
1949/* https://tools.ietf.org/html/draft-huitema-quic-ts-03 */
1950const val64_string quic_enable_time_stamp_v2_vals[] = {
1951 { 1, "I would like to receive TIME_STAMP frames" },
1952 { 2, "I am able to generate TIME_STAMP frames" },
1953 { 3, "I am able to generate TIME_STAMP frames and I would like to receive them" },
1954 { 0, NULL((void*)0) }
1955};
1956
1957/* https://datatracker.ietf.org/doc/draft-ietf-quic-multipath/04/ */
1958const val64_string quic_enable_multipath_vals[] = {
1959 { 0, "don't support multipath" },
1960 { 1, "support multipath as defined in this document" },
1961 { 0, NULL((void*)0) }
1962};
1963
1964/* https://www.ietf.org/archive/id/draft-ietf-tls-esni-16.txt */
1965const value_string tls_hello_ext_ech_clienthello_types[] = {
1966 { 0, "Outer Client Hello" },
1967 { 1, "Inner Client Hello" },
1968 { 0, NULL((void*)0) }
1969};
1970
1971/* RFC 9180 */
1972const value_string kem_id_type_vals[] = {
1973 { 0x0000, "Reserved" },
1974 { 0x0010, "DHKEM(P-256, HKDF-SHA256)" },
1975 { 0x0011, "DHKEM(P-384, HKDF-SHA384)" },
1976 { 0x0012, "DHKEM(P-521, HKDF-SHA512)" },
1977 { 0x0020, "DHKEM(X25519, HKDF-SHA256)" },
1978 { 0x0021, "DHKEM(X448, HKDF-SHA512)" },
1979 { 0, NULL((void*)0) }
1980};
1981const value_string kdf_id_type_vals[] = {
1982 { 0x0000, "Reserved" },
1983 { 0x0001, "HKDF-SHA256" },
1984 { 0x0002, "HKDF-SHA384" },
1985 { 0x0003, "HKDF-SHA512" },
1986 { 0, NULL((void*)0) }
1987};
1988const value_string aead_id_type_vals[] = {
1989 { 0x0000, "Reserved" },
1990 { 0x0001, "AES-128-GCM" },
1991 { 0x0002, "AES-256-GCM" },
1992 { 0x0003, "ChaCha20Poly1305" },
1993 { 0xFFFF, "Export-only" },
1994 { 0, NULL((void*)0) }
1995};
1996
1997const value_string token_binding_key_parameter_vals[] = {
1998 { 0, "rsa2048_pkcs1.5" },
1999 { 1, "rsa2048_pss" },
2000 { 2, "ecdsap256" },
2001 { 0, NULL((void*)0) }
2002};
2003
2004/* Lookup tables }}} */
2005
2006void
2007quic_transport_parameter_id_base_custom(char *result, uint64_t parameter_id)
2008{
2009 const char *label;
2010 if (IS_GREASE_QUIC(parameter_id)((parameter_id) > 27 ? ((((parameter_id) - 27) % 31) == 0)
: 0)
) {
2011 label = "GREASE";
2012 } else {
2013 label = val64_to_str_const(parameter_id, quic_transport_parameter_id, "Unknown");
2014 }
2015 snprintf(result, ITEM_LABEL_LENGTH240, "%s (0x%02" PRIx64"l" "x" ")", label, parameter_id);
2016}
2017
2018/* we keep this internal to packet-tls-utils, as there should be
2019 no need to access it any other way.
2020
2021 This also allows us to hide the dependency on zlib.
2022*/
2023struct _SslDecompress {
2024 int compression;
2025#ifdef USE_ZLIB_OR_ZLIBNG
2026 zlib_stream istream;
2027#endif
2028};
2029
2030/* To assist in parsing client/server key exchange messages
2031 0 indicates unknown */
2032int ssl_get_keyex_alg(int cipher)
2033{
2034 /* Map Cipher suite number to Key Exchange algorithm {{{ */
2035 switch(cipher) {
2036 case 0x0017:
2037 case 0x0018:
2038 case 0x0019:
2039 case 0x001a:
2040 case 0x001b:
2041 case 0x0034:
2042 case 0x003a:
2043 case 0x0046:
2044 case 0x006c:
2045 case 0x006d:
2046 case 0x0089:
2047 case 0x009b:
2048 case 0x00a6:
2049 case 0x00a7:
2050 case 0x00bf:
2051 case 0x00c5:
2052 case 0xc084:
2053 case 0xc085:
2054 return KEX_DH_ANON0x13;
2055 case 0x000b:
2056 case 0x000c:
2057 case 0x000d:
2058 case 0x0030:
2059 case 0x0036:
2060 case 0x003e:
2061 case 0x0042:
2062 case 0x0068:
2063 case 0x0085:
2064 case 0x0097:
2065 case 0x00a4:
2066 case 0x00a5:
2067 case 0x00bb:
2068 case 0x00c1:
2069 case 0xc082:
2070 case 0xc083:
2071 return KEX_DH_DSS0x14;
2072 case 0x000e:
2073 case 0x000f:
2074 case 0x0010:
2075 case 0x0031:
2076 case 0x0037:
2077 case 0x003f:
2078 case 0x0043:
2079 case 0x0069:
2080 case 0x0086:
2081 case 0x0098:
2082 case 0x00a0:
2083 case 0x00a1:
2084 case 0x00bc:
2085 case 0x00c2:
2086 case 0xc07e:
2087 case 0xc07f:
2088 return KEX_DH_RSA0x15;
2089 case 0x0011:
2090 case 0x0012:
2091 case 0x0013:
2092 case 0x0032:
2093 case 0x0038:
2094 case 0x0040:
2095 case 0x0044:
2096 case 0x0063:
2097 case 0x0065:
2098 case 0x0066:
2099 case 0x006a:
2100 case 0x0087:
2101 case 0x0099:
2102 case 0x00a2:
2103 case 0x00a3:
2104 case 0x00bd:
2105 case 0x00c3:
2106 case 0xc080:
2107 case 0xc081:
2108 return KEX_DHE_DSS0x10;
2109 case 0x002d:
2110 case 0x008e:
2111 case 0x008f:
2112 case 0x0090:
2113 case 0x0091:
2114 case 0x00aa:
2115 case 0x00ab:
2116 case 0x00b2:
2117 case 0x00b3:
2118 case 0x00b4:
2119 case 0x00b5:
2120 case 0xc090:
2121 case 0xc091:
2122 case 0xc096:
2123 case 0xc097:
2124 case 0xc0a6:
2125 case 0xc0a7:
2126 case 0xc0aa:
2127 case 0xc0ab:
2128 case 0xccad:
2129 case 0xe41c:
2130 case 0xe41d:
2131 return KEX_DHE_PSK0x11;
2132 case 0x0014:
2133 case 0x0015:
2134 case 0x0016:
2135 case 0x0033:
2136 case 0x0039:
2137 case 0x0045:
2138 case 0x0067:
2139 case 0x006b:
2140 case 0x0088:
2141 case 0x009a:
2142 case 0x009e:
2143 case 0x009f:
2144 case 0x00be:
2145 case 0x00c4:
2146 case 0xc07c:
2147 case 0xc07d:
2148 case 0xc09e:
2149 case 0xc09f:
2150 case 0xc0a2:
2151 case 0xc0a3:
2152 case 0xccaa:
2153 case 0xe41e:
2154 case 0xe41f:
2155 return KEX_DHE_RSA0x12;
2156 case 0xc015:
2157 case 0xc016:
2158 case 0xc017:
2159 case 0xc018:
2160 case 0xc019:
2161 return KEX_ECDH_ANON0x19;
2162 case 0xc001:
2163 case 0xc002:
2164 case 0xc003:
2165 case 0xc004:
2166 case 0xc005:
2167 case 0xc025:
2168 case 0xc026:
2169 case 0xc02d:
2170 case 0xc02e:
2171 case 0xc074:
2172 case 0xc075:
2173 case 0xc088:
2174 case 0xc089:
2175 return KEX_ECDH_ECDSA0x1a;
2176 case 0xc00b:
2177 case 0xc00c:
2178 case 0xc00d:
2179 case 0xc00e:
2180 case 0xc00f:
2181 case 0xc029:
2182 case 0xc02a:
2183 case 0xc031:
2184 case 0xc032:
2185 case 0xc078:
2186 case 0xc079:
2187 case 0xc08c:
2188 case 0xc08d:
2189 return KEX_ECDH_RSA0x1b;
2190 case 0xc006:
2191 case 0xc007:
2192 case 0xc008:
2193 case 0xc009:
2194 case 0xc00a:
2195 case 0xc023:
2196 case 0xc024:
2197 case 0xc02b:
2198 case 0xc02c:
2199 case 0xc072:
2200 case 0xc073:
2201 case 0xc086:
2202 case 0xc087:
2203 case 0xc0ac:
2204 case 0xc0ad:
2205 case 0xc0ae:
2206 case 0xc0af:
2207 case 0xcca9:
2208 case 0xe414:
2209 case 0xe415:
2210 return KEX_ECDHE_ECDSA0x16;
2211 case 0xc033:
2212 case 0xc034:
2213 case 0xc035:
2214 case 0xc036:
2215 case 0xc037:
2216 case 0xc038:
2217 case 0xc039:
2218 case 0xc03a:
2219 case 0xc03b:
2220 case 0xc09a:
2221 case 0xc09b:
2222 case 0xccac:
2223 case 0xe418:
2224 case 0xe419:
2225 case 0xd001:
2226 case 0xd002:
2227 case 0xd003:
2228 case 0xd005:
2229 return KEX_ECDHE_PSK0x17;
2230 case 0xc010:
2231 case 0xc011:
2232 case 0xc012:
2233 case 0xc013:
2234 case 0xc014:
2235 case 0xc027:
2236 case 0xc028:
2237 case 0xc02f:
2238 case 0xc030:
2239 case 0xc076:
2240 case 0xc077:
2241 case 0xc08a:
2242 case 0xc08b:
2243 case 0xcca8:
2244 case 0xe412:
2245 case 0xe413:
2246 return KEX_ECDHE_RSA0x18;
2247 case 0x001e:
2248 case 0x001f:
2249 case 0x0020:
2250 case 0x0021:
2251 case 0x0022:
2252 case 0x0023:
2253 case 0x0024:
2254 case 0x0025:
2255 case 0x0026:
2256 case 0x0027:
2257 case 0x0028:
2258 case 0x0029:
2259 case 0x002a:
2260 case 0x002b:
2261 return KEX_KRB50x1c;
2262 case 0x002c:
2263 case 0x008a:
2264 case 0x008b:
2265 case 0x008c:
2266 case 0x008d:
2267 case 0x00a8:
2268 case 0x00a9:
2269 case 0x00ae:
2270 case 0x00af:
2271 case 0x00b0:
2272 case 0x00b1:
2273 case 0xc064:
2274 case 0xc065:
2275 case 0xc08e:
2276 case 0xc08f:
2277 case 0xc094:
2278 case 0xc095:
2279 case 0xc0a4:
2280 case 0xc0a5:
2281 case 0xc0a8:
2282 case 0xc0a9:
2283 case 0xccab:
2284 case 0xe416:
2285 case 0xe417:
2286 return KEX_PSK0x1d;
2287 case 0x0001:
2288 case 0x0002:
2289 case 0x0003:
2290 case 0x0004:
2291 case 0x0005:
2292 case 0x0006:
2293 case 0x0007:
2294 case 0x0008:
2295 case 0x0009:
2296 case 0x000a:
2297 case 0x002f:
2298 case 0x0035:
2299 case 0x003b:
2300 case 0x003c:
2301 case 0x003d:
2302 case 0x0041:
2303 case 0x0060:
2304 case 0x0061:
2305 case 0x0062:
2306 case 0x0064:
2307 case 0x0084:
2308 case 0x0096:
2309 case 0x009c:
2310 case 0x009d:
2311 case 0x00ba:
2312 case 0x00c0:
2313 case 0xc07a:
2314 case 0xc07b:
2315 case 0xc09c:
2316 case 0xc09d:
2317 case 0xc0a0:
2318 case 0xc0a1:
2319 case 0xe410:
2320 case 0xe411:
2321 case 0xfefe:
2322 case 0xfeff:
2323 case 0xffe0:
2324 case 0xffe1:
2325 return KEX_RSA0x1e;
2326 case 0x002e:
2327 case 0x0092:
2328 case 0x0093:
2329 case 0x0094:
2330 case 0x0095:
2331 case 0x00ac:
2332 case 0x00ad:
2333 case 0x00b6:
2334 case 0x00b7:
2335 case 0x00b8:
2336 case 0x00b9:
2337 case 0xc092:
2338 case 0xc093:
2339 case 0xc098:
2340 case 0xc099:
2341 case 0xccae:
2342 case 0xe41a:
2343 case 0xe41b:
2344 return KEX_RSA_PSK0x1f;
2345 case 0xc01a:
2346 case 0xc01d:
2347 case 0xc020:
2348 return KEX_SRP_SHA0x20;
2349 case 0xc01c:
2350 case 0xc01f:
2351 case 0xc022:
2352 return KEX_SRP_SHA_DSS0x21;
2353 case 0xc01b:
2354 case 0xc01e:
2355 case 0xc021:
2356 return KEX_SRP_SHA_RSA0x22;
2357 case 0xc0ff:
2358 return KEX_ECJPAKE0x24;
2359 case 0xe003:
2360 case 0xe013:
2361 case 0xe053:
2362 return KEX_ECC_SM20x26;
2363 default:
2364 break;
2365 }
2366
2367 return 0;
2368 /* }}} */
2369}
2370
2371static wmem_list_t *connection_id_session_list;
2372
2373void
2374ssl_init_cid_list(void) {
2375 connection_id_session_list = wmem_list_new(wmem_file_scope());
2376}
2377
2378void
2379ssl_cleanup_cid_list(void) {
2380 wmem_destroy_list(connection_id_session_list);
2381}
2382
2383void
2384ssl_add_session_by_cid(SslDecryptSession *session)
2385{
2386 wmem_list_append(connection_id_session_list, session);
2387}
2388
2389SslDecryptSession *
2390ssl_get_session_by_cid(tvbuff_t *tvb, uint32_t offset)
2391{
2392 SslDecryptSession * ssl_cid = NULL((void*)0);
2393 wmem_list_frame_t *it = wmem_list_head(connection_id_session_list);
2394
2395 while (it != NULL((void*)0) && ssl_cid == NULL((void*)0)) {
2396 SslDecryptSession * ssl = (SslDecryptSession *)wmem_list_frame_data(it);
2397 DISSECTOR_ASSERT(ssl != NULL)((void) ((ssl != ((void*)0)) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 2397, "ssl != ((void*)0)"))))
;
2398 SslSession *session = &ssl->session;
2399
2400 if (session->client_cid_len > 0 && tvb_bytes_exist(tvb, offset, session->client_cid_len)) {
2401 if (tvb_memeql(tvb, offset, session->client_cid, session->client_cid_len) == 0) {
2402 ssl_cid = ssl;
2403 }
2404 }
2405
2406 if (session->server_cid_len > 0) {
2407 if (tvb_memeql(tvb, offset, session->server_cid, session->server_cid_len) == 0) {
2408 ssl_cid = ssl;
2409 }
2410 }
2411
2412 it = wmem_list_frame_next(it);
2413 }
2414
2415 return ssl_cid;
2416}
2417
2418/* StringInfo structure (len + data) functions {{{ */
2419
2420int
2421ssl_data_alloc(StringInfo* str, size_t len)
2422{
2423 str->data = (unsigned char *)g_malloc(len);
16
Memory is allocated
2424 /* the allocator can return a null pointer for a size equal to 0,
2425 * and that must be allowed */
2426 if (len
16.1
'len' is > 0
> 0 && !str->data)
17
Assuming field 'data' is non-null
18
Taking false branch
2427 return -1;
2428 str->data_len = (unsigned) len;
2429 return 0;
2430}
2431
2432void
2433ssl_data_set(StringInfo* str, const unsigned char* data, unsigned len)
2434{
2435 DISSECTOR_ASSERT(data)((void) ((data) ? (void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\""
, "epan/dissectors/packet-tls-utils.c", 2435, "data"))))
;
2436 memcpy(str->data, data, len);
2437 str->data_len = len;
2438}
2439
2440static int
2441ssl_data_realloc(StringInfo* str, unsigned len)
2442{
2443 str->data = (unsigned char *)g_realloc(str->data, len);
2444 if (!str->data)
2445 return -1;
2446 str->data_len = len;
2447 return 0;
2448}
2449
2450static StringInfo *
2451ssl_data_clone(StringInfo *str)
2452{
2453 StringInfo *cloned_str;
2454 cloned_str = (StringInfo *) wmem_alloc0(wmem_file_scope(),
2455 sizeof(StringInfo) + str->data_len);
2456 cloned_str->data = (unsigned char *) (cloned_str + 1);
2457 ssl_data_set(cloned_str, str->data, str->data_len);
2458 return cloned_str;
2459}
2460
2461static int
2462ssl_data_copy(StringInfo* dst, StringInfo* src)
2463{
2464 if (dst->data_len < src->data_len) {
2465 if (ssl_data_realloc(dst, src->data_len))
2466 return -1;
2467 }
2468 memcpy(dst->data, src->data, src->data_len);
2469 dst->data_len = src->data_len;
2470 return 0;
2471}
2472
2473/* from_hex converts |hex_len| bytes of hex data from |in| and sets |*out| to
2474 * the result. |out->data| will be allocated using wmem_file_scope. Returns true on
2475 * success. */
2476static bool_Bool from_hex(StringInfo* out, const char* in, size_t hex_len) {
2477 size_t i;
2478
2479 if (hex_len & 1)
2480 return false0;
2481
2482 out->data = (unsigned char *)wmem_alloc(wmem_file_scope(), hex_len / 2);
2483 for (i = 0; i < hex_len / 2; i++) {
2484 int a = ws_xton(in[i*2]);
2485 int b = ws_xton(in[i*2 + 1]);
2486 if (a == -1 || b == -1)
2487 return false0;
2488 out->data[i] = a << 4 | b;
2489 }
2490 out->data_len = (unsigned)hex_len / 2;
2491 return true1;
2492}
2493/* StringInfo structure (len + data) functions }}} */
2494
2495
2496/* libgcrypt wrappers for HMAC/message digest operations {{{ */
2497/* hmac abstraction layer */
2498#define SSL_HMACgcry_md_hd_t gcry_md_hd_t
2499
2500static inline int
2501ssl_hmac_init(SSL_HMACgcry_md_hd_t* md, int algo)
2502{
2503 gcry_error_t err;
2504 const char *err_str, *err_src;
2505
2506 err = gcry_md_open(md,algo, GCRY_MD_FLAG_HMAC);
2507 if (err != 0) {
2508 err_str = gcry_strerror(err);
2509 err_src = gcry_strsource(err);
2510 ssl_debug_printf("ssl_hmac_init(): gcry_md_open failed %s/%s", err_str, err_src);
2511 return -1;
2512 }
2513 return 0;
2514}
2515
2516static inline int
2517ssl_hmac_setkey(SSL_HMACgcry_md_hd_t* md, const void * key, int len)
2518{
2519 gcry_error_t err;
2520 const char *err_str, *err_src;
2521
2522 err = gcry_md_setkey (*(md), key, len);
2523 if (err != 0) {
2524 err_str = gcry_strerror(err);
2525 err_src = gcry_strsource(err);
2526 ssl_debug_printf("ssl_hmac_setkey(): gcry_md_setkey failed %s/%s", err_str, err_src);
2527 return -1;
2528 }
2529 return 0;
2530}
2531
2532static inline int
2533ssl_hmac_reset(SSL_HMACgcry_md_hd_t* md)
2534{
2535 gcry_md_reset(*md);
2536 return 0;
2537}
2538
2539static inline void
2540ssl_hmac_update(SSL_HMACgcry_md_hd_t* md, const void* data, int len)
2541{
2542 gcry_md_write(*(md), data, len);
2543}
2544static inline void
2545ssl_hmac_final(SSL_HMACgcry_md_hd_t* md, unsigned char* data, unsigned* datalen)
2546{
2547 int algo;
2548 unsigned len;
2549
2550 algo = gcry_md_get_algo (*(md));
2551 len = gcry_md_get_algo_dlen(algo);
2552 DISSECTOR_ASSERT(len <= *datalen)((void) ((len <= *datalen) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 2552, "len <= *datalen"))))
;
2553 memcpy(data, gcry_md_read(*(md), algo), len);
2554 *datalen = len;
2555}
2556static inline void
2557ssl_hmac_cleanup(SSL_HMACgcry_md_hd_t* md)
2558{
2559 gcry_md_close(*(md));
2560}
2561
2562/* message digest abstraction layer*/
2563#define SSL_MDgcry_md_hd_t gcry_md_hd_t
2564
2565static inline int
2566ssl_md_init(SSL_MDgcry_md_hd_t* md, int algo)
2567{
2568 gcry_error_t err;
2569 const char *err_str, *err_src;
2570 err = gcry_md_open(md,algo, 0);
2571 if (err != 0) {
2572 err_str = gcry_strerror(err);
2573 err_src = gcry_strsource(err);
2574 ssl_debug_printf("ssl_md_init(): gcry_md_open failed %s/%s", err_str, err_src);
2575 return -1;
2576 }
2577 return 0;
2578}
2579static inline void
2580ssl_md_update(SSL_MDgcry_md_hd_t* md, const unsigned char* data, unsigned len)
2581{
2582 gcry_md_write(*(md), data, len);
2583}
2584static inline void
2585ssl_md_final(SSL_MDgcry_md_hd_t* md, unsigned char* data, unsigned* datalen)
2586{
2587 int algo;
2588 int len;
2589 algo = gcry_md_get_algo (*(md));
2590 len = gcry_md_get_algo_dlen (algo);
2591 memcpy(data, gcry_md_read(*(md), algo), len);
2592 *datalen = len;
2593}
2594static inline void
2595ssl_md_cleanup(SSL_MDgcry_md_hd_t* md)
2596{
2597 gcry_md_close(*(md));
2598}
2599
2600static inline void
2601ssl_md_reset(SSL_MDgcry_md_hd_t* md)
2602{
2603 gcry_md_reset(*md);
2604}
2605
2606/* md5 /sha abstraction layer */
2607#define SSL_SHA_CTXgcry_md_hd_t gcry_md_hd_t
2608#define SSL_MD5_CTXgcry_md_hd_t gcry_md_hd_t
2609
2610static inline int
2611ssl_sha_init(SSL_SHA_CTXgcry_md_hd_t* md)
2612{
2613 gcry_error_t err;
2614 const char *err_str, *err_src;
2615 err = gcry_md_open(md, GCRY_MD_SHA1, 0);
2616 if (err != 0) {
2617 err_str = gcry_strerror(err);
2618 err_src = gcry_strsource(err);
2619 ssl_debug_printf("ssl_sha_init(): gcry_md_open failed %s/%s", err_str, err_src);
2620 return -1;
2621 }
2622 return 0;
2623}
2624static inline void
2625ssl_sha_update(SSL_SHA_CTXgcry_md_hd_t* md, unsigned char* data, int len)
2626{
2627 gcry_md_write(*(md), data, len);
2628}
2629static inline void
2630ssl_sha_final(unsigned char* buf, SSL_SHA_CTXgcry_md_hd_t* md)
2631{
2632 memcpy(buf, gcry_md_read(*(md), GCRY_MD_SHA1),
2633 gcry_md_get_algo_dlen(GCRY_MD_SHA1));
2634}
2635
2636static inline void
2637ssl_sha_reset(SSL_SHA_CTXgcry_md_hd_t* md)
2638{
2639 gcry_md_reset(*md);
2640}
2641
2642static inline void
2643ssl_sha_cleanup(SSL_SHA_CTXgcry_md_hd_t* md)
2644{
2645 gcry_md_close(*(md));
2646}
2647
2648static inline int
2649ssl_md5_init(SSL_MD5_CTXgcry_md_hd_t* md)
2650{
2651 gcry_error_t err;
2652 const char *err_str, *err_src;
2653 err = gcry_md_open(md,GCRY_MD_MD5, 0);
2654 if (err != 0) {
2655 err_str = gcry_strerror(err);
2656 err_src = gcry_strsource(err);
2657 ssl_debug_printf("ssl_md5_init(): gcry_md_open failed %s/%s", err_str, err_src);
2658 return -1;
2659 }
2660 return 0;
2661}
2662static inline void
2663ssl_md5_update(SSL_MD5_CTXgcry_md_hd_t* md, unsigned char* data, int len)
2664{
2665 gcry_md_write(*(md), data, len);
2666}
2667static inline void
2668ssl_md5_final(unsigned char* buf, SSL_MD5_CTXgcry_md_hd_t* md)
2669{
2670 memcpy(buf, gcry_md_read(*(md), GCRY_MD_MD5),
2671 gcry_md_get_algo_dlen(GCRY_MD_MD5));
2672}
2673
2674static inline void
2675ssl_md5_reset(SSL_MD5_CTXgcry_md_hd_t* md)
2676{
2677 gcry_md_reset(*md);
2678}
2679
2680static inline void
2681ssl_md5_cleanup(SSL_MD5_CTXgcry_md_hd_t* md)
2682{
2683 gcry_md_close(*(md));
2684}
2685/* libgcrypt wrappers for HMAC/message digest operations }}} */
2686
2687/* libgcrypt wrappers for Cipher state manipulation {{{ */
2688int
2689ssl_cipher_setiv(SSL_CIPHER_CTXgcry_cipher_hd_t *cipher, unsigned char* iv, int iv_len)
2690{
2691 int ret;
2692#if 0
2693 unsigned char *ivp;
2694 int i;
2695 gcry_cipher_hd_t c;
2696 c=(gcry_cipher_hd_t)*cipher;
2697#endif
2698 ssl_debug_printf("--------------------------------------------------------------------");
2699#if 0
2700 for(ivp=c->iv,i=0; i < iv_len; i++ )
2701 {
2702 ssl_debug_printf("%d ",ivp[i]);
2703 i++;
2704 }
2705#endif
2706 ssl_debug_printf("--------------------------------------------------------------------");
2707 ret = gcry_cipher_setiv(*(cipher), iv, iv_len);
2708#if 0
2709 for(ivp=c->iv,i=0; i < iv_len; i++ )
2710 {
2711 ssl_debug_printf("%d ",ivp[i]);
2712 i++;
2713 }
2714#endif
2715 ssl_debug_printf("--------------------------------------------------------------------");
2716 return ret;
2717}
2718/* stream cipher abstraction layer*/
2719static int
2720ssl_cipher_init(gcry_cipher_hd_t *cipher, int algo, unsigned char* sk,
2721 unsigned char* iv, int mode)
2722{
2723 int gcry_modes[] = {
2724 GCRY_CIPHER_MODE_STREAM,
2725 GCRY_CIPHER_MODE_CBC,
2726 GCRY_CIPHER_MODE_GCM,
2727 GCRY_CIPHER_MODE_CCM,
2728 GCRY_CIPHER_MODE_CCM,
2729 GCRY_CIPHER_MODE_POLY1305,
2730 GCRY_CIPHER_MODE_ECB, /* used for DTLSv1.3 seq number encryption */
2731 };
2732 int err;
2733 if (algo == -1) {
2734 /* NULL mode */
2735 *(cipher) = (gcry_cipher_hd_t)-1;
2736 return 0;
2737 }
2738 err = gcry_cipher_open(cipher, algo, gcry_modes[mode], 0);
2739 if (err !=0)
2740 return -1;
2741 err = gcry_cipher_setkey(*(cipher), sk, gcry_cipher_get_algo_keylen (algo));
2742 if (err != 0)
2743 return -1;
2744 /* AEAD cipher suites will set the nonce later. */
2745 if (mode == MODE_CBC) {
2746 err = gcry_cipher_setiv(*(cipher), iv, gcry_cipher_get_algo_blklen(algo));
2747 if (err != 0)
2748 return -1;
2749 }
2750 return 0;
2751}
2752static inline int
2753ssl_cipher_decrypt(gcry_cipher_hd_t *cipher, unsigned char * out, int outl,
2754 const unsigned char * in, int inl)
2755{
2756 if ((*cipher) == (gcry_cipher_hd_t)-1)
2757 {
2758 if (in && inl)
2759 memcpy(out, in, outl < inl ? outl : inl);
2760 return 0;
2761 }
2762 return gcry_cipher_decrypt ( *(cipher), out, outl, in, inl);
2763}
2764static inline int
2765ssl_get_digest_by_name(const char*name)
2766{
2767 return gcry_md_map_name(name);
2768}
2769static inline int
2770ssl_get_cipher_by_name(const char* name)
2771{
2772 return gcry_cipher_map_name(name);
2773}
2774
2775static inline void
2776ssl_cipher_cleanup(gcry_cipher_hd_t *cipher)
2777{
2778 if ((*cipher) != (gcry_cipher_hd_t)-1)
2779 gcry_cipher_close(*cipher);
2780 *cipher = NULL((void*)0);
2781}
2782/* }}} */
2783
2784/* Digests, Ciphers and Cipher Suites registry {{{ */
2785static const SslDigestAlgo digests[]={
2786 {"MD5", 16},
2787 {"SHA1", 20},
2788 {"SHA256", 32},
2789 {"SHA384", 48},
2790 {"SM3", 32},
2791 {"Not Applicable", 0},
2792};
2793
2794#define DIGEST_MAX_SIZE48 48
2795
2796/* get index digest index */
2797static const SslDigestAlgo *
2798ssl_cipher_suite_dig(const SslCipherSuite *cs) {
2799 if (!cs || cs->dig < DIG_MD50x40 || cs->dig > DIG_NA0x45) {
2800 return &digests[DIG_NA0x45 - DIG_MD50x40];
2801 }
2802 return &digests[cs->dig - DIG_MD50x40];
2803}
2804
2805static const char *ciphers[]={
2806 "DES",
2807 "3DES",
2808 "ARCFOUR", /* libgcrypt does not support rc4, but this should be 100% compatible*/
2809 "RFC2268_128", /* libgcrypt name for RC2 with a 128-bit key */
2810 "IDEA",
2811 "AES",
2812 "AES256",
2813 "CAMELLIA128",
2814 "CAMELLIA256",
2815 "SEED",
2816 "CHACHA20", /* since Libgcrypt 1.7.0 */
2817 "SM1",
2818 "SM4",
2819 "*UNKNOWN*"
2820};
2821
2822static const SslCipherSuite cipher_suites[]={
2823 {0x0001,KEX_RSA0x1e, ENC_NULL0x3D, DIG_MD50x40, MODE_STREAM}, /* TLS_RSA_WITH_NULL_MD5 */
2824 {0x0002,KEX_RSA0x1e, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_RSA_WITH_NULL_SHA */
2825 {0x0003,KEX_RSA0x1e, ENC_RC40x32, DIG_MD50x40, MODE_STREAM}, /* TLS_RSA_EXPORT_WITH_RC4_40_MD5 */
2826 {0x0004,KEX_RSA0x1e, ENC_RC40x32, DIG_MD50x40, MODE_STREAM}, /* TLS_RSA_WITH_RC4_128_MD5 */
2827 {0x0005,KEX_RSA0x1e, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_RSA_WITH_RC4_128_SHA */
2828 {0x0006,KEX_RSA0x1e, ENC_RC20x33, DIG_MD50x40, MODE_CBC }, /* TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 */
2829 {0x0007,KEX_RSA0x1e, ENC_IDEA0x34, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_IDEA_CBC_SHA */
2830 {0x0008,KEX_RSA0x1e, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_EXPORT_WITH_DES40_CBC_SHA */
2831 {0x0009,KEX_RSA0x1e, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_DES_CBC_SHA */
2832 {0x000A,KEX_RSA0x1e, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_3DES_EDE_CBC_SHA */
2833 {0x000B,KEX_DH_DSS0x14, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA */
2834 {0x000C,KEX_DH_DSS0x14, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_DES_CBC_SHA */
2835 {0x000D,KEX_DH_DSS0x14, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA */
2836 {0x000E,KEX_DH_RSA0x15, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA */
2837 {0x000F,KEX_DH_RSA0x15, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_DES_CBC_SHA */
2838 {0x0010,KEX_DH_RSA0x15, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA */
2839 {0x0011,KEX_DHE_DSS0x10, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA */
2840 {0x0012,KEX_DHE_DSS0x10, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_DES_CBC_SHA */
2841 {0x0013,KEX_DHE_DSS0x10, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA */
2842 {0x0014,KEX_DHE_RSA0x12, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA */
2843 {0x0015,KEX_DHE_RSA0x12, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_DES_CBC_SHA */
2844 {0x0016,KEX_DHE_RSA0x12, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA */
2845 {0x0017,KEX_DH_ANON0x13, ENC_RC40x32, DIG_MD50x40, MODE_STREAM}, /* TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 */
2846 {0x0018,KEX_DH_ANON0x13, ENC_RC40x32, DIG_MD50x40, MODE_STREAM}, /* TLS_DH_anon_WITH_RC4_128_MD5 */
2847 {0x0019,KEX_DH_ANON0x13, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA */
2848 {0x001A,KEX_DH_ANON0x13, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_DES_CBC_SHA */
2849 {0x001B,KEX_DH_ANON0x13, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_3DES_EDE_CBC_SHA */
2850 {0x002C,KEX_PSK0x1d, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_PSK_WITH_NULL_SHA */
2851 {0x002D,KEX_DHE_PSK0x11, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_DHE_PSK_WITH_NULL_SHA */
2852 {0x002E,KEX_RSA_PSK0x1f, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_RSA_PSK_WITH_NULL_SHA */
2853 {0x002F,KEX_RSA0x1e, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_AES_128_CBC_SHA */
2854 {0x0030,KEX_DH_DSS0x14, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_AES_128_CBC_SHA */
2855 {0x0031,KEX_DH_RSA0x15, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_AES_128_CBC_SHA */
2856 {0x0032,KEX_DHE_DSS0x10, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_AES_128_CBC_SHA */
2857 {0x0033,KEX_DHE_RSA0x12, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_AES_128_CBC_SHA */
2858 {0x0034,KEX_DH_ANON0x13, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_AES_128_CBC_SHA */
2859 {0x0035,KEX_RSA0x1e, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_AES_256_CBC_SHA */
2860 {0x0036,KEX_DH_DSS0x14, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_AES_256_CBC_SHA */
2861 {0x0037,KEX_DH_RSA0x15, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_AES_256_CBC_SHA */
2862 {0x0038,KEX_DHE_DSS0x10, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_AES_256_CBC_SHA */
2863 {0x0039,KEX_DHE_RSA0x12, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_AES_256_CBC_SHA */
2864 {0x003A,KEX_DH_ANON0x13, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_AES_256_CBC_SHA */
2865 {0x003B,KEX_RSA0x1e, ENC_NULL0x3D, DIG_SHA2560x42, MODE_STREAM}, /* TLS_RSA_WITH_NULL_SHA256 */
2866 {0x003C,KEX_RSA0x1e, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_RSA_WITH_AES_128_CBC_SHA256 */
2867 {0x003D,KEX_RSA0x1e, ENC_AES2560x36, DIG_SHA2560x42, MODE_CBC }, /* TLS_RSA_WITH_AES_256_CBC_SHA256 */
2868 {0x003E,KEX_DH_DSS0x14, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_DSS_WITH_AES_128_CBC_SHA256 */
2869 {0x003F,KEX_DH_RSA0x15, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_RSA_WITH_AES_128_CBC_SHA256 */
2870 {0x0040,KEX_DHE_DSS0x10, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 */
2871 {0x0041,KEX_RSA0x1e, ENC_CAMELLIA1280x37,DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_CAMELLIA_128_CBC_SHA */
2872 {0x0042,KEX_DH_DSS0x14, ENC_CAMELLIA1280x37,DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA */
2873 {0x0043,KEX_DH_RSA0x15, ENC_CAMELLIA1280x37,DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA */
2874 {0x0044,KEX_DHE_DSS0x10, ENC_CAMELLIA1280x37,DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA */
2875 {0x0045,KEX_DHE_RSA0x12, ENC_CAMELLIA1280x37,DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA */
2876 {0x0046,KEX_DH_ANON0x13, ENC_CAMELLIA1280x37,DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA */
2877 {0x0060,KEX_RSA0x1e, ENC_RC40x32, DIG_MD50x40, MODE_STREAM}, /* TLS_RSA_EXPORT1024_WITH_RC4_56_MD5 */
2878 {0x0061,KEX_RSA0x1e, ENC_RC20x33, DIG_MD50x40, MODE_STREAM}, /* TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 */
2879 {0x0062,KEX_RSA0x1e, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA */
2880 {0x0063,KEX_DHE_DSS0x10, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA */
2881 {0x0064,KEX_RSA0x1e, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_RSA_EXPORT1024_WITH_RC4_56_SHA */
2882 {0x0065,KEX_DHE_DSS0x10, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA */
2883 {0x0066,KEX_DHE_DSS0x10, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_DHE_DSS_WITH_RC4_128_SHA */
2884 {0x0067,KEX_DHE_RSA0x12, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 */
2885 {0x0068,KEX_DH_DSS0x14, ENC_AES2560x36, DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_DSS_WITH_AES_256_CBC_SHA256 */
2886 {0x0069,KEX_DH_RSA0x15, ENC_AES2560x36, DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_RSA_WITH_AES_256_CBC_SHA256 */
2887 {0x006A,KEX_DHE_DSS0x10, ENC_AES2560x36, DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 */
2888 {0x006B,KEX_DHE_RSA0x12, ENC_AES2560x36, DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 */
2889 {0x006C,KEX_DH_ANON0x13, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_anon_WITH_AES_128_CBC_SHA256 */
2890 {0x006D,KEX_DH_ANON0x13, ENC_AES2560x36, DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_anon_WITH_AES_256_CBC_SHA256 */
2891 {0x0084,KEX_RSA0x1e, ENC_CAMELLIA2560x38,DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_CAMELLIA_256_CBC_SHA */
2892 {0x0085,KEX_DH_DSS0x14, ENC_CAMELLIA2560x38,DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA */
2893 {0x0086,KEX_DH_RSA0x15, ENC_CAMELLIA2560x38,DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA */
2894 {0x0087,KEX_DHE_DSS0x10, ENC_CAMELLIA2560x38,DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA */
2895 {0x0088,KEX_DHE_RSA0x12, ENC_CAMELLIA2560x38,DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA */
2896 {0x0089,KEX_DH_ANON0x13, ENC_CAMELLIA2560x38,DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA */
2897 {0x008A,KEX_PSK0x1d, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_PSK_WITH_RC4_128_SHA */
2898 {0x008B,KEX_PSK0x1d, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_PSK_WITH_3DES_EDE_CBC_SHA */
2899 {0x008C,KEX_PSK0x1d, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_PSK_WITH_AES_128_CBC_SHA */
2900 {0x008D,KEX_PSK0x1d, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_PSK_WITH_AES_256_CBC_SHA */
2901 {0x008E,KEX_DHE_PSK0x11, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_DHE_PSK_WITH_RC4_128_SHA */
2902 {0x008F,KEX_DHE_PSK0x11, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA */
2903 {0x0090,KEX_DHE_PSK0x11, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_PSK_WITH_AES_128_CBC_SHA */
2904 {0x0091,KEX_DHE_PSK0x11, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_PSK_WITH_AES_256_CBC_SHA */
2905 {0x0092,KEX_RSA_PSK0x1f, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_RSA_PSK_WITH_RC4_128_SHA */
2906 {0x0093,KEX_RSA_PSK0x1f, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA */
2907 {0x0094,KEX_RSA_PSK0x1f, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_PSK_WITH_AES_128_CBC_SHA */
2908 {0x0095,KEX_RSA_PSK0x1f, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_PSK_WITH_AES_256_CBC_SHA */
2909 {0x0096,KEX_RSA0x1e, ENC_SEED0x39, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_SEED_CBC_SHA */
2910 {0x0097,KEX_DH_DSS0x14, ENC_SEED0x39, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_SEED_CBC_SHA */
2911 {0x0098,KEX_DH_RSA0x15, ENC_SEED0x39, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_SEED_CBC_SHA */
2912 {0x0099,KEX_DHE_DSS0x10, ENC_SEED0x39, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_SEED_CBC_SHA */
2913 {0x009A,KEX_DHE_RSA0x12, ENC_SEED0x39, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_SEED_CBC_SHA */
2914 {0x009B,KEX_DH_ANON0x13, ENC_SEED0x39, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_SEED_CBC_SHA */
2915 {0x009C,KEX_RSA0x1e, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_RSA_WITH_AES_128_GCM_SHA256 */
2916 {0x009D,KEX_RSA0x1e, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_RSA_WITH_AES_256_GCM_SHA384 */
2917 {0x009E,KEX_DHE_RSA0x12, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 */
2918 {0x009F,KEX_DHE_RSA0x12, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 */
2919 {0x00A0,KEX_DH_RSA0x15, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_DH_RSA_WITH_AES_128_GCM_SHA256 */
2920 {0x00A1,KEX_DH_RSA0x15, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_DH_RSA_WITH_AES_256_GCM_SHA384 */
2921 {0x00A2,KEX_DHE_DSS0x10, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 */
2922 {0x00A3,KEX_DHE_DSS0x10, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 */
2923 {0x00A4,KEX_DH_DSS0x14, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_DH_DSS_WITH_AES_128_GCM_SHA256 */
2924 {0x00A5,KEX_DH_DSS0x14, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_DH_DSS_WITH_AES_256_GCM_SHA384 */
2925 {0x00A6,KEX_DH_ANON0x13, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_DH_anon_WITH_AES_128_GCM_SHA256 */
2926 {0x00A7,KEX_DH_ANON0x13, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_DH_anon_WITH_AES_256_GCM_SHA384 */
2927 {0x00A8,KEX_PSK0x1d, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_PSK_WITH_AES_128_GCM_SHA256 */
2928 {0x00A9,KEX_PSK0x1d, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_PSK_WITH_AES_256_GCM_SHA384 */
2929 {0x00AA,KEX_DHE_PSK0x11, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 */
2930 {0x00AB,KEX_DHE_PSK0x11, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 */
2931 {0x00AC,KEX_RSA_PSK0x1f, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 */
2932 {0x00AD,KEX_RSA_PSK0x1f, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 */
2933 {0x00AE,KEX_PSK0x1d, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_PSK_WITH_AES_128_CBC_SHA256 */
2934 {0x00AF,KEX_PSK0x1d, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_PSK_WITH_AES_256_CBC_SHA384 */
2935 {0x00B0,KEX_PSK0x1d, ENC_NULL0x3D, DIG_SHA2560x42, MODE_STREAM}, /* TLS_PSK_WITH_NULL_SHA256 */
2936 {0x00B1,KEX_PSK0x1d, ENC_NULL0x3D, DIG_SHA3840x43, MODE_STREAM}, /* TLS_PSK_WITH_NULL_SHA384 */
2937 {0x00B2,KEX_DHE_PSK0x11, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 */
2938 {0x00B3,KEX_DHE_PSK0x11, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 */
2939 {0x00B4,KEX_DHE_PSK0x11, ENC_NULL0x3D, DIG_SHA2560x42, MODE_STREAM}, /* TLS_DHE_PSK_WITH_NULL_SHA256 */
2940 {0x00B5,KEX_DHE_PSK0x11, ENC_NULL0x3D, DIG_SHA3840x43, MODE_STREAM}, /* TLS_DHE_PSK_WITH_NULL_SHA384 */
2941 {0x00B6,KEX_RSA_PSK0x1f, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 */
2942 {0x00B7,KEX_RSA_PSK0x1f, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 */
2943 {0x00B8,KEX_RSA_PSK0x1f, ENC_NULL0x3D, DIG_SHA2560x42, MODE_STREAM}, /* TLS_RSA_PSK_WITH_NULL_SHA256 */
2944 {0x00B9,KEX_RSA_PSK0x1f, ENC_NULL0x3D, DIG_SHA3840x43, MODE_STREAM}, /* TLS_RSA_PSK_WITH_NULL_SHA384 */
2945 {0x00BA,KEX_RSA0x1e, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 */
2946 {0x00BB,KEX_DH_DSS0x14, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256 */
2947 {0x00BC,KEX_DH_RSA0x15, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256 */
2948 {0x00BD,KEX_DHE_DSS0x10, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256 */
2949 {0x00BE,KEX_DHE_RSA0x12, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 */
2950 {0x00BF,KEX_DH_ANON0x13, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256 */
2951 {0x00C0,KEX_RSA0x1e, ENC_CAMELLIA2560x38,DIG_SHA2560x42, MODE_CBC }, /* TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 */
2952 {0x00C1,KEX_DH_DSS0x14, ENC_CAMELLIA2560x38,DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256 */
2953 {0x00C2,KEX_DH_RSA0x15, ENC_CAMELLIA2560x38,DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256 */
2954 {0x00C3,KEX_DHE_DSS0x10, ENC_CAMELLIA2560x38,DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256 */
2955 {0x00C4,KEX_DHE_RSA0x12, ENC_CAMELLIA2560x38,DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 */
2956 {0x00C5,KEX_DH_ANON0x13, ENC_CAMELLIA2560x38,DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256 */
2957
2958 /* NOTE: TLS 1.3 cipher suites are incompatible with TLS 1.2. */
2959 {0x1301,KEX_TLS130x23, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_AES_128_GCM_SHA256 */
2960 {0x1302,KEX_TLS130x23, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_AES_256_GCM_SHA384 */
2961 {0x1303,KEX_TLS130x23, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_CHACHA20_POLY1305_SHA256 */
2962 {0x1304,KEX_TLS130x23, ENC_AES0x35, DIG_SHA2560x42, MODE_CCM }, /* TLS_AES_128_CCM_SHA256 */
2963 {0x1305,KEX_TLS130x23, ENC_AES0x35, DIG_SHA2560x42, MODE_CCM_8 }, /* TLS_AES_128_CCM_8_SHA256 */
2964 {0x00C6,KEX_TLS130x23, ENC_SM40x3C, DIG_SM30x44, MODE_GCM }, /* TLS_SM4_GCM_SM3 */
2965
2966 {0xC001,KEX_ECDH_ECDSA0x1a, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDH_ECDSA_WITH_NULL_SHA */
2967 {0xC002,KEX_ECDH_ECDSA0x1a, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDH_ECDSA_WITH_RC4_128_SHA */
2968 {0xC003,KEX_ECDH_ECDSA0x1a, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA */
2969 {0xC004,KEX_ECDH_ECDSA0x1a, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA */
2970 {0xC005,KEX_ECDH_ECDSA0x1a, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA */
2971 {0xC006,KEX_ECDHE_ECDSA0x16, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDHE_ECDSA_WITH_NULL_SHA */
2972 {0xC007,KEX_ECDHE_ECDSA0x16, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDHE_ECDSA_WITH_RC4_128_SHA */
2973 {0xC008,KEX_ECDHE_ECDSA0x16, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA */
2974 {0xC009,KEX_ECDHE_ECDSA0x16, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA */
2975 {0xC00A,KEX_ECDHE_ECDSA0x16, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA */
2976 {0xC00B,KEX_ECDH_RSA0x1b, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDH_RSA_WITH_NULL_SHA */
2977 {0xC00C,KEX_ECDH_RSA0x1b, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDH_RSA_WITH_RC4_128_SHA */
2978 {0xC00D,KEX_ECDH_RSA0x1b, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA */
2979 {0xC00E,KEX_ECDH_RSA0x1b, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_RSA_WITH_AES_128_CBC_SHA */
2980 {0xC00F,KEX_ECDH_RSA0x1b, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_RSA_WITH_AES_256_CBC_SHA */
2981 {0xC0FF,KEX_ECJPAKE0x24, ENC_AES0x35, DIG_NA0x45, MODE_CCM_8 }, /* TLS_ECJPAKE_WITH_AES_128_CCM_8 */
2982 {0xC010,KEX_ECDHE_RSA0x18, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDHE_RSA_WITH_NULL_SHA */
2983 {0xC011,KEX_ECDHE_RSA0x18, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDHE_RSA_WITH_RC4_128_SHA */
2984 {0xC012,KEX_ECDHE_RSA0x18, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA */
2985 {0xC013,KEX_ECDHE_RSA0x18, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA */
2986 {0xC014,KEX_ECDHE_RSA0x18, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA */
2987 {0xC015,KEX_ECDH_ANON0x19, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDH_anon_WITH_NULL_SHA */
2988 {0xC016,KEX_ECDH_ANON0x19, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDH_anon_WITH_RC4_128_SHA */
2989 {0xC017,KEX_ECDH_ANON0x19, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA */
2990 {0xC018,KEX_ECDH_ANON0x19, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_anon_WITH_AES_128_CBC_SHA */
2991 {0xC019,KEX_ECDH_ANON0x19, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_anon_WITH_AES_256_CBC_SHA */
2992 {0xC01A,KEX_SRP_SHA0x20, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA */
2993 {0xC01B,KEX_SRP_SHA_RSA0x22, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA */
2994 {0xC01C,KEX_SRP_SHA_DSS0x21, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA */
2995 {0xC01D,KEX_SRP_SHA0x20, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_WITH_AES_128_CBC_SHA */
2996 {0xC01E,KEX_SRP_SHA_RSA0x22, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA */
2997 {0xC01F,KEX_SRP_SHA_DSS0x21, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA */
2998 {0xC020,KEX_SRP_SHA0x20, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_WITH_AES_256_CBC_SHA */
2999 {0xC021,KEX_SRP_SHA_RSA0x22, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA */
3000 {0xC022,KEX_SRP_SHA_DSS0x21, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA */
3001 {0xC023,KEX_ECDHE_ECDSA0x16, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 */
3002 {0xC024,KEX_ECDHE_ECDSA0x16, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 */
3003 {0xC025,KEX_ECDH_ECDSA0x1a, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 */
3004 {0xC026,KEX_ECDH_ECDSA0x1a, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 */
3005 {0xC027,KEX_ECDHE_RSA0x18, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 */
3006 {0xC028,KEX_ECDHE_RSA0x18, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 */
3007 {0xC029,KEX_ECDH_RSA0x1b, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 */
3008 {0xC02A,KEX_ECDH_RSA0x1b, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 */
3009 {0xC02B,KEX_ECDHE_ECDSA0x16, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 */
3010 {0xC02C,KEX_ECDHE_ECDSA0x16, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 */
3011 {0xC02D,KEX_ECDH_ECDSA0x1a, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 */
3012 {0xC02E,KEX_ECDH_ECDSA0x1a, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 */
3013 {0xC02F,KEX_ECDHE_RSA0x18, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 */
3014 {0xC030,KEX_ECDHE_RSA0x18, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 */
3015 {0xC031,KEX_ECDH_RSA0x1b, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 */
3016 {0xC032,KEX_ECDH_RSA0x1b, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 */
3017 {0xC033,KEX_ECDHE_PSK0x17, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDHE_PSK_WITH_RC4_128_SHA */
3018 {0xC034,KEX_ECDHE_PSK0x17, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA */
3019 {0xC035,KEX_ECDHE_PSK0x17, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA */
3020 {0xC036,KEX_ECDHE_PSK0x17, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA */
3021 {0xC037,KEX_ECDHE_PSK0x17, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 */
3022 {0xC038,KEX_ECDHE_PSK0x17, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 */
3023 {0xC039,KEX_ECDHE_PSK0x17, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDHE_PSK_WITH_NULL_SHA */
3024 {0xC03A,KEX_ECDHE_PSK0x17, ENC_NULL0x3D, DIG_SHA2560x42, MODE_STREAM}, /* TLS_ECDHE_PSK_WITH_NULL_SHA256 */
3025 {0xC03B,KEX_ECDHE_PSK0x17, ENC_NULL0x3D, DIG_SHA3840x43, MODE_STREAM}, /* TLS_ECDHE_PSK_WITH_NULL_SHA384 */
3026 {0xC072,KEX_ECDHE_ECDSA0x16, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 */
3027 {0xC073,KEX_ECDHE_ECDSA0x16, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 */
3028 {0xC074,KEX_ECDH_ECDSA0x1a, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 */
3029 {0xC075,KEX_ECDH_ECDSA0x1a, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 */
3030 {0xC076,KEX_ECDHE_RSA0x18, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 */
3031 {0xC077,KEX_ECDHE_RSA0x18, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 */
3032 {0xC078,KEX_ECDH_RSA0x1b, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256 */
3033 {0xC079,KEX_ECDH_RSA0x1b, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384 */
3034 {0xC07A,KEX_RSA0x1e, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256 */
3035 {0xC07B,KEX_RSA0x1e, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384 */
3036 {0xC07C,KEX_DHE_RSA0x12, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 */
3037 {0xC07D,KEX_DHE_RSA0x12, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 */
3038 {0xC07E,KEX_DH_RSA0x15, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256 */
3039 {0xC07F,KEX_DH_RSA0x15, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384 */
3040 {0xC080,KEX_DHE_DSS0x10, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256 */
3041 {0xC081,KEX_DHE_DSS0x10, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384 */
3042 {0xC082,KEX_DH_DSS0x14, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256 */
3043 {0xC083,KEX_DH_DSS0x14, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384 */
3044 {0xC084,KEX_DH_ANON0x13, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256 */
3045 {0xC085,KEX_DH_ANON0x13, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384 */
3046 {0xC086,KEX_ECDHE_ECDSA0x16, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 */
3047 {0xC087,KEX_ECDHE_ECDSA0x16, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 */
3048 {0xC088,KEX_ECDH_ECDSA0x1a, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 */
3049 {0xC089,KEX_ECDH_ECDSA0x1a, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 */
3050 {0xC08A,KEX_ECDHE_RSA0x18, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 */
3051 {0xC08B,KEX_ECDHE_RSA0x18, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 */
3052 {0xC08C,KEX_ECDH_RSA0x1b, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256 */
3053 {0xC08D,KEX_ECDH_RSA0x1b, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384 */
3054 {0xC08E,KEX_PSK0x1d, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 */
3055 {0xC08F,KEX_PSK0x1d, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384 */
3056 {0xC090,KEX_DHE_PSK0x11, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256 */
3057 {0xC091,KEX_DHE_PSK0x11, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384 */
3058 {0xC092,KEX_RSA_PSK0x1f, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256 */
3059 {0xC093,KEX_RSA_PSK0x1f, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384 */
3060 {0xC094,KEX_PSK0x1d, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 */
3061 {0xC095,KEX_PSK0x1d, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384 */
3062 {0xC096,KEX_DHE_PSK0x11, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 */
3063 {0xC097,KEX_DHE_PSK0x11, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 */
3064 {0xC098,KEX_RSA_PSK0x1f, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256 */
3065 {0xC099,KEX_RSA_PSK0x1f, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384 */
3066 {0xC09A,KEX_ECDHE_PSK0x17, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 */
3067 {0xC09B,KEX_ECDHE_PSK0x17, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 */
3068 {0xC09C,KEX_RSA0x1e, ENC_AES0x35, DIG_NA0x45, MODE_CCM }, /* TLS_RSA_WITH_AES_128_CCM */
3069 {0xC09D,KEX_RSA0x1e, ENC_AES2560x36, DIG_NA0x45, MODE_CCM }, /* TLS_RSA_WITH_AES_256_CCM */
3070 {0xC09E,KEX_DHE_RSA0x12, ENC_AES0x35, DIG_NA0x45, MODE_CCM }, /* TLS_DHE_RSA_WITH_AES_128_CCM */
3071 {0xC09F,KEX_DHE_RSA0x12, ENC_AES2560x36, DIG_NA0x45, MODE_CCM }, /* TLS_DHE_RSA_WITH_AES_256_CCM */
3072 {0xC0A0,KEX_RSA0x1e, ENC_AES0x35, DIG_NA0x45, MODE_CCM_8 }, /* TLS_RSA_WITH_AES_128_CCM_8 */
3073 {0xC0A1,KEX_RSA0x1e, ENC_AES2560x36, DIG_NA0x45, MODE_CCM_8 }, /* TLS_RSA_WITH_AES_256_CCM_8 */
3074 {0xC0A2,KEX_DHE_RSA0x12, ENC_AES0x35, DIG_NA0x45, MODE_CCM_8 }, /* TLS_DHE_RSA_WITH_AES_128_CCM_8 */
3075 {0xC0A3,KEX_DHE_RSA0x12, ENC_AES2560x36, DIG_NA0x45, MODE_CCM_8 }, /* TLS_DHE_RSA_WITH_AES_256_CCM_8 */
3076 {0xC0A4,KEX_PSK0x1d, ENC_AES0x35, DIG_NA0x45, MODE_CCM }, /* TLS_PSK_WITH_AES_128_CCM */
3077 {0xC0A5,KEX_PSK0x1d, ENC_AES2560x36, DIG_NA0x45, MODE_CCM }, /* TLS_PSK_WITH_AES_256_CCM */
3078 {0xC0A6,KEX_DHE_PSK0x11, ENC_AES0x35, DIG_NA0x45, MODE_CCM }, /* TLS_DHE_PSK_WITH_AES_128_CCM */
3079 {0xC0A7,KEX_DHE_PSK0x11, ENC_AES2560x36, DIG_NA0x45, MODE_CCM }, /* TLS_DHE_PSK_WITH_AES_256_CCM */
3080 {0xC0A8,KEX_PSK0x1d, ENC_AES0x35, DIG_NA0x45, MODE_CCM_8 }, /* TLS_PSK_WITH_AES_128_CCM_8 */
3081 {0xC0A9,KEX_PSK0x1d, ENC_AES2560x36, DIG_NA0x45, MODE_CCM_8 }, /* TLS_PSK_WITH_AES_256_CCM_8 */
3082 {0xC0AA,KEX_DHE_PSK0x11, ENC_AES0x35, DIG_NA0x45, MODE_CCM_8 }, /* TLS_PSK_DHE_WITH_AES_128_CCM_8 */
3083 {0xC0AB,KEX_DHE_PSK0x11, ENC_AES2560x36, DIG_NA0x45, MODE_CCM_8 }, /* TLS_PSK_DHE_WITH_AES_256_CCM_8 */
3084 {0xC0AC,KEX_ECDHE_ECDSA0x16, ENC_AES0x35, DIG_NA0x45, MODE_CCM }, /* TLS_ECDHE_ECDSA_WITH_AES_128_CCM */
3085 {0xC0AD,KEX_ECDHE_ECDSA0x16, ENC_AES2560x36, DIG_NA0x45, MODE_CCM }, /* TLS_ECDHE_ECDSA_WITH_AES_256_CCM */
3086 {0xC0AE,KEX_ECDHE_ECDSA0x16, ENC_AES0x35, DIG_NA0x45, MODE_CCM_8 }, /* TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 */
3087 {0xC0AF,KEX_ECDHE_ECDSA0x16, ENC_AES2560x36, DIG_NA0x45, MODE_CCM_8 }, /* TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 */
3088 {0xCCA8,KEX_ECDHE_RSA0x18, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 */
3089 {0xCCA9,KEX_ECDHE_ECDSA0x16, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 */
3090 {0xCCAA,KEX_DHE_RSA0x12, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 */
3091 {0xCCAB,KEX_PSK0x1d, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_PSK_WITH_CHACHA20_POLY1305_SHA256 */
3092 {0xCCAC,KEX_ECDHE_PSK0x17, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 */
3093 {0xCCAD,KEX_DHE_PSK0x11, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 */
3094 {0xCCAE,KEX_RSA_PSK0x1f, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256 */
3095 {0xD001,KEX_ECDHE_PSK0x17, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM}, /* TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 */
3096 {0xD002,KEX_ECDHE_PSK0x17, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM}, /* TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384 */
3097 {0xD003,KEX_ECDHE_PSK0x17, ENC_AES0x35, DIG_SHA2560x42, MODE_CCM_8}, /* TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256 */
3098 {0xD005,KEX_ECDHE_PSK0x17, ENC_AES0x35, DIG_SHA2560x42, MODE_CCM}, /* TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256 */
3099 /* GM */
3100 {0xe001,KEX_ECDHE_SM20x25, ENC_SM10x3B, DIG_SM30x44, MODE_CBC}, /* ECDHE_SM1_SM3 */
3101 {0xe003,KEX_ECC_SM20x26, ENC_SM10x3B, DIG_SM30x44, MODE_CBC}, /* ECC_SM1_SM3 */
3102 {0xe005,KEX_IBSDH_SM90x27, ENC_SM10x3B, DIG_SM30x44, MODE_CBC}, /* IBSDH_SM1_SM3 */
3103 {0xe007,KEX_IBC_SM90x28, ENC_SM10x3B, DIG_SM30x44, MODE_CBC}, /* IBC_SM1_SM3 */
3104 {0xe009,KEX_RSA0x1e, ENC_SM10x3B, DIG_SM30x44, MODE_CBC}, /* RSA_SM1_SM3 */
3105 {0xe00a,KEX_RSA0x1e, ENC_SM10x3B, DIG_SHA0x41, MODE_CBC}, /* RSA_SM1_SHA1 */
3106 {0xe011,KEX_ECDHE_SM20x25, ENC_SM40x3C, DIG_SM30x44, MODE_CBC}, /* ECDHE_SM4_CBC_SM3 */
3107 {0xe013,KEX_ECC_SM20x26, ENC_SM40x3C, DIG_SM30x44, MODE_CBC}, /* ECC_SM4_CBC_SM3 */
3108 {0xe015,KEX_IBSDH_SM90x27, ENC_SM40x3C, DIG_SM30x44, MODE_CBC}, /* IBSDH_SM4_CBC_SM3 */
3109 {0xe017,KEX_IBC_SM90x28, ENC_SM40x3C, DIG_SM30x44, MODE_CBC}, /* IBC_SM4_CBC_SM3 */
3110 {0xe019,KEX_RSA0x1e, ENC_SM40x3C, DIG_SM30x44, MODE_CBC}, /* RSA_SM4_CBC_SM3 */
3111 {0xe01a,KEX_RSA0x1e, ENC_SM40x3C, DIG_SHA0x41, MODE_CBC}, /* RSA_SM4_CBC_SHA1 */
3112 {0xe01c,KEX_RSA0x1e, ENC_SM40x3C, DIG_SHA2560x42, MODE_CBC}, /* RSA_SM4_CBC_SHA256 */
3113 {0xe051,KEX_ECDHE_SM20x25, ENC_SM40x3C, DIG_SM30x44, MODE_GCM}, /* ECDHE_SM4_GCM_SM3 */
3114 {0xe053,KEX_ECC_SM20x26, ENC_SM40x3C, DIG_SM30x44, MODE_GCM}, /* ECC_SM4_GCM_SM3 */
3115 {0xe055,KEX_IBSDH_SM90x27, ENC_SM40x3C, DIG_SM30x44, MODE_GCM}, /* IBSDH_SM4_GCM_SM3 */
3116 {0xe057,KEX_IBC_SM90x28, ENC_SM40x3C, DIG_SM30x44, MODE_GCM}, /* IBC_SM4_GCM_SM3 */
3117 {0xe059,KEX_RSA0x1e, ENC_SM40x3C, DIG_SM30x44, MODE_GCM}, /* RSA_SM4_GCM_SM3 */
3118 {0xe05a,KEX_RSA0x1e, ENC_SM40x3C, DIG_SHA2560x42, MODE_GCM}, /* RSA_SM4_GCM_SHA256 */
3119 {-1, 0, 0, 0, MODE_STREAM}
3120};
3121
3122#define MAX_BLOCK_SIZE16 16
3123#define MAX_KEY_SIZE32 32
3124
3125const SslCipherSuite *
3126ssl_find_cipher(int num)
3127{
3128 const SslCipherSuite *c;
3129 for(c=cipher_suites;c->number!=-1;c++){
3130 if(c->number==num){
3131 return c;
3132 }
3133 }
3134
3135 return NULL((void*)0);
3136}
3137
3138int
3139ssl_get_cipher_algo(const SslCipherSuite *cipher_suite)
3140{
3141 return gcry_cipher_map_name(ciphers[cipher_suite->enc - ENC_START0x30]);
3142}
3143
3144unsigned
3145ssl_get_cipher_blocksize(const SslCipherSuite *cipher_suite)
3146{
3147 int cipher_algo;
3148 if (cipher_suite->mode != MODE_CBC) return 0;
3149 cipher_algo = ssl_get_cipher_by_name(ciphers[cipher_suite->enc - ENC_START0x30]);
3150 return (unsigned)gcry_cipher_get_algo_blklen(cipher_algo);
3151}
3152
3153static unsigned
3154ssl_get_cipher_export_keymat_size(int cipher_suite_num)
3155{
3156 switch (cipher_suite_num) {
3157 /* See RFC 6101 (SSL 3.0), Table 2, column Key Material. */
3158 case 0x0003: /* TLS_RSA_EXPORT_WITH_RC4_40_MD5 */
3159 case 0x0006: /* TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 */
3160 case 0x0008: /* TLS_RSA_EXPORT_WITH_DES40_CBC_SHA */
3161 case 0x000B: /* TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA */
3162 case 0x000E: /* TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA */
3163 case 0x0011: /* TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA */
3164 case 0x0014: /* TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA */
3165 case 0x0017: /* TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 */
3166 case 0x0019: /* TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA */
3167 return 5;
3168
3169 /* not defined in below draft, but "implemented by several vendors",
3170 * https://www.ietf.org/mail-archive/web/tls/current/msg00036.html */
3171 case 0x0060: /* TLS_RSA_EXPORT1024_WITH_RC4_56_MD5 */
3172 case 0x0061: /* TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 */
3173 return 7;
3174
3175 /* Note: the draft states that DES_CBC needs 8 bytes, but Wireshark always
3176 * used 7. Until a pcap proves 8, let's use the old value. Link:
3177 * https://tools.ietf.org/html/draft-ietf-tls-56-bit-ciphersuites-01 */
3178 case 0x0062: /* TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA */
3179 case 0x0063: /* TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA */
3180 case 0x0064: /* TLS_RSA_EXPORT1024_WITH_RC4_56_SHA */
3181 case 0x0065: /* TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA */
3182 return 7;
3183
3184 default:
3185 return 0;
3186 }
3187}
3188
3189/* Digests, Ciphers and Cipher Suites registry }}} */
3190
3191
3192/* HMAC and the Pseudorandom function {{{ */
3193static int
3194tls_hash(StringInfo *secret, StringInfo *seed, int md,
3195 StringInfo *out, unsigned out_len)
3196{
3197 /* RFC 2246 5. HMAC and the pseudorandom function
3198 * '+' denotes concatenation.
3199 * P_hash(secret, seed) = HMAC_hash(secret, A(1) + seed) +
3200 * HMAC_hash(secret, A(2) + seed) + ...
3201 * A(0) = seed
3202 * A(i) = HMAC_hash(secret, A(i - 1))
3203 */
3204 uint8_t *ptr;
3205 unsigned left, tocpy;
3206 uint8_t *A;
3207 uint8_t _A[DIGEST_MAX_SIZE48], tmp[DIGEST_MAX_SIZE48];
3208 unsigned A_l, tmp_l;
3209 SSL_HMACgcry_md_hd_t hm;
3210
3211 ptr = out->data;
3212 left = out_len;
3213
3214 ssl_print_string("tls_hash: hash secret", secret);
3215 ssl_print_string("tls_hash: hash seed", seed);
3216 /* A(0) = seed */
3217 A = seed->data;
3218 A_l = seed->data_len;
3219
3220 if (ssl_hmac_init(&hm, md) != 0) {
3221 return -1;
3222 }
3223 while (left) {
3224 /* A(i) = HMAC_hash(secret, A(i-1)) */
3225 ssl_hmac_setkey(&hm, secret->data, secret->data_len);
3226 ssl_hmac_update(&hm, A, A_l);
3227 A_l = sizeof(_A); /* upper bound len for hash output */
3228 ssl_hmac_final(&hm, _A, &A_l);
3229 A = _A;
3230
3231 /* HMAC_hash(secret, A(i) + seed) */
3232 ssl_hmac_reset(&hm);
3233 ssl_hmac_setkey(&hm, secret->data, secret->data_len);
3234 ssl_hmac_update(&hm, A, A_l);
3235 ssl_hmac_update(&hm, seed->data, seed->data_len);
3236 tmp_l = sizeof(tmp); /* upper bound len for hash output */
3237 ssl_hmac_final(&hm, tmp, &tmp_l);
3238 ssl_hmac_reset(&hm);
3239
3240 /* ssl_hmac_final puts the actual digest output size in tmp_l */
3241 tocpy = MIN(left, tmp_l)(((left) < (tmp_l)) ? (left) : (tmp_l));
3242 memcpy(ptr, tmp, tocpy);
3243 ptr += tocpy;
3244 left -= tocpy;
3245 }
3246 ssl_hmac_cleanup(&hm);
3247 out->data_len = out_len;
3248
3249 ssl_print_string("hash out", out);
3250 return 0;
3251}
3252
3253static bool_Bool
3254tls_prf(StringInfo* secret, const char *usage,
3255 StringInfo* rnd1, StringInfo* rnd2, StringInfo* out, unsigned out_len)
3256{
3257 StringInfo seed, sha_out, md5_out;
3258 uint8_t *ptr;
3259 StringInfo s1, s2;
3260 unsigned i,s_l;
3261 size_t usage_len, rnd2_len;
3262 bool_Bool success = false0;
3263 usage_len = strlen(usage);
3264 rnd2_len = rnd2 ? rnd2->data_len : 0;
3265
3266 /* initialize buffer for sha, md5 random seed*/
3267 if (ssl_data_alloc(&sha_out, MAX(out_len, 20)(((out_len) > (20)) ? (out_len) : (20))) < 0) {
3268 ssl_debug_printf("tls_prf: can't allocate sha out\n");
3269 return false0;
3270 }
3271 if (ssl_data_alloc(&md5_out, MAX(out_len, 16)(((out_len) > (16)) ? (out_len) : (16))) < 0) {
3272 ssl_debug_printf("tls_prf: can't allocate md5 out\n");
3273 goto free_sha;
3274 }
3275 if (ssl_data_alloc(&seed, usage_len+rnd1->data_len+rnd2_len) < 0) {
3276 ssl_debug_printf("tls_prf: can't allocate rnd %d\n",
3277 (int) (usage_len+rnd1->data_len+rnd2_len));
3278 goto free_md5;
3279 }
3280
3281 ptr=seed.data;
3282 memcpy(ptr,usage,usage_len);
3283 ptr+=usage_len;
3284 memcpy(ptr,rnd1->data,rnd1->data_len);
3285 if (rnd2_len > 0) {
3286 ptr+=rnd1->data_len;
3287 memcpy(ptr,rnd2->data,rnd2->data_len);
3288 /*ptr+=rnd2->data_len;*/
3289 }
3290
3291 /* initialize buffer for client/server seeds*/
3292 s_l=secret->data_len/2 + secret->data_len%2;
3293 if (ssl_data_alloc(&s1, s_l) < 0) {
3294 ssl_debug_printf("tls_prf: can't allocate secret %d\n", s_l);
3295 goto free_seed;
3296 }
3297 if (ssl_data_alloc(&s2, s_l) < 0) {
3298 ssl_debug_printf("tls_prf: can't allocate secret(2) %d\n", s_l);
3299 goto free_s1;
3300 }
3301
3302 memcpy(s1.data,secret->data,s_l);
3303 memcpy(s2.data,secret->data + (secret->data_len - s_l),s_l);
3304
3305 ssl_debug_printf("tls_prf: tls_hash(md5 secret_len %d seed_len %d )\n", s1.data_len, seed.data_len);
3306 if(tls_hash(&s1, &seed, ssl_get_digest_by_name("MD5"), &md5_out, out_len) != 0)
3307 goto free_s2;
3308 ssl_debug_printf("tls_prf: tls_hash(sha)\n");
3309 if(tls_hash(&s2, &seed, ssl_get_digest_by_name("SHA1"), &sha_out, out_len) != 0)
3310 goto free_s2;
3311
3312 for (i = 0; i < out_len; i++)
3313 out->data[i] = md5_out.data[i] ^ sha_out.data[i];
3314 /* success, now store the new meaningful data length */
3315 out->data_len = out_len;
3316 success = true1;
3317
3318 ssl_print_string("PRF out",out);
3319free_s2:
3320 g_free(s2.data)(__builtin_object_size ((s2.data), 0) != ((size_t) - 1)) ? g_free_sized
(s2.data, __builtin_object_size ((s2.data), 0)) : (g_free) (
s2.data)
;
3321free_s1:
3322 g_free(s1.data)(__builtin_object_size ((s1.data), 0) != ((size_t) - 1)) ? g_free_sized
(s1.data, __builtin_object_size ((s1.data), 0)) : (g_free) (
s1.data)
;
3323free_seed:
3324 g_free(seed.data)(__builtin_object_size ((seed.data), 0) != ((size_t) - 1)) ? g_free_sized
(seed.data, __builtin_object_size ((seed.data), 0)) : (g_free
) (seed.data)
;
3325free_md5:
3326 g_free(md5_out.data)(__builtin_object_size ((md5_out.data), 0) != ((size_t) - 1))
? g_free_sized (md5_out.data, __builtin_object_size ((md5_out
.data), 0)) : (g_free) (md5_out.data)
;
3327free_sha:
3328 g_free(sha_out.data)(__builtin_object_size ((sha_out.data), 0) != ((size_t) - 1))
? g_free_sized (sha_out.data, __builtin_object_size ((sha_out
.data), 0)) : (g_free) (sha_out.data)
;
3329 return success;
3330}
3331
3332static bool_Bool
3333tls12_prf(int md, StringInfo* secret, const char* usage,
3334 StringInfo* rnd1, StringInfo* rnd2, StringInfo* out, unsigned out_len)
3335{
3336 StringInfo label_seed;
3337 int success;
3338 size_t usage_len, rnd2_len;
3339 rnd2_len = rnd2 ? rnd2->data_len : 0;
3340
3341 usage_len = strlen(usage);
3342 if (ssl_data_alloc(&label_seed, usage_len+rnd1->data_len+rnd2_len) < 0) {
3343 ssl_debug_printf("tls12_prf: can't allocate label_seed\n");
3344 return false0;
3345 }
3346 memcpy(label_seed.data, usage, usage_len);
3347 memcpy(label_seed.data+usage_len, rnd1->data, rnd1->data_len);
3348 if (rnd2_len > 0)
3349 memcpy(label_seed.data+usage_len+rnd1->data_len, rnd2->data, rnd2->data_len);
3350
3351 ssl_debug_printf("tls12_prf: tls_hash(hash_alg %s secret_len %d seed_len %d )\n", gcry_md_algo_name(md), secret->data_len, label_seed.data_len);
3352 success = tls_hash(secret, &label_seed, md, out, out_len);
3353 g_free(label_seed.data)(__builtin_object_size ((label_seed.data), 0) != ((size_t) - 1
)) ? g_free_sized (label_seed.data, __builtin_object_size ((label_seed
.data), 0)) : (g_free) (label_seed.data)
;
3354 if(success != -1){
3355 ssl_print_string("PRF out", out);
3356 return true1;
3357 }
3358 return false0;
3359}
3360
3361static bool_Bool
3362ssl3_generate_export_iv(StringInfo *r1, StringInfo *r2,
3363 StringInfo *out, unsigned out_len)
3364{
3365 SSL_MD5_CTXgcry_md_hd_t md5;
3366 uint8_t tmp[16];
3367
3368 if (ssl_md5_init(&md5) != 0) {
3369 return false0;
3370 }
3371 ssl_md5_update(&md5,r1->data,r1->data_len);
3372 ssl_md5_update(&md5,r2->data,r2->data_len);
3373 ssl_md5_final(tmp,&md5);
3374 ssl_md5_cleanup(&md5);
3375
3376 DISSECTOR_ASSERT(out_len <= sizeof(tmp))((void) ((out_len <= sizeof(tmp)) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 3376, "out_len <= sizeof(tmp)"))))
;
3377 ssl_data_set(out, tmp, out_len);
3378 ssl_print_string("export iv", out);
3379 return true1;
3380}
3381
3382static bool_Bool
3383ssl3_prf(StringInfo* secret, const char* usage,
3384 StringInfo* rnd1, StringInfo* rnd2, StringInfo* out, unsigned out_len)
3385{
3386 SSL_MD5_CTXgcry_md_hd_t md5;
3387 SSL_SHA_CTXgcry_md_hd_t sha;
3388 unsigned off;
3389 int i = 0,j;
3390 uint8_t buf[20];
3391
3392 if (ssl_sha_init(&sha) != 0) {
3393 return false0;
3394 }
3395 if (ssl_md5_init(&md5) != 0) {
3396 ssl_sha_cleanup(&sha);
3397 return false0;
3398 }
3399 for (off = 0; off < out_len; off += 16) {
3400 unsigned char outbuf[16];
3401 i++;
3402
3403 ssl_debug_printf("ssl3_prf: sha1_hash(%d)\n",i);
3404 /* A, BB, CCC, ... */
3405 for(j=0;j<i;j++){
3406 buf[j]=64+i;
3407 }
3408
3409 ssl_sha_update(&sha,buf,i);
3410 ssl_sha_update(&sha,secret->data,secret->data_len);
3411
3412 if(!strcmp(usage,"client write key") || !strcmp(usage,"server write key")){
3413 if (rnd2)
3414 ssl_sha_update(&sha,rnd2->data,rnd2->data_len);
3415 ssl_sha_update(&sha,rnd1->data,rnd1->data_len);
3416 }
3417 else{
3418 ssl_sha_update(&sha,rnd1->data,rnd1->data_len);
3419 if (rnd2)
3420 ssl_sha_update(&sha,rnd2->data,rnd2->data_len);
3421 }
3422
3423 ssl_sha_final(buf,&sha);
3424 ssl_sha_reset(&sha);
3425
3426 ssl_debug_printf("ssl3_prf: md5_hash(%d) datalen %d\n",i,
3427 secret->data_len);
3428 ssl_md5_update(&md5,secret->data,secret->data_len);
3429 ssl_md5_update(&md5,buf,20);
3430 ssl_md5_final(outbuf,&md5);
3431 ssl_md5_reset(&md5);
3432
3433 memcpy(out->data + off, outbuf, MIN(out_len - off, 16)(((out_len - off) < (16)) ? (out_len - off) : (16)));
3434 }
3435 ssl_sha_cleanup(&sha);
3436 ssl_md5_cleanup(&md5);
3437 out->data_len = out_len;
3438
3439 return true1;
3440}
3441
3442/* out_len is the wanted output length for the pseudorandom function.
3443 * Ensure that ssl->cipher_suite is set. */
3444static bool_Bool
3445prf(SslDecryptSession *ssl, StringInfo *secret, const char *usage,
3446 StringInfo *rnd1, StringInfo *rnd2, StringInfo *out, unsigned out_len)
3447{
3448 switch (ssl->session.version) {
3449 case SSLV3_VERSION0x300:
3450 return ssl3_prf(secret, usage, rnd1, rnd2, out, out_len);
3451
3452 case TLSV1_VERSION0x301:
3453 case TLSV1DOT1_VERSION0x302:
3454 case DTLSV1DOT0_VERSION0xfeff:
3455 case DTLSV1DOT0_OPENSSL_VERSION0x100:
3456 return tls_prf(secret, usage, rnd1, rnd2, out, out_len);
3457
3458 default: /* TLSv1.2 */
3459 switch (ssl->cipher_suite->dig) {
3460 case DIG_SM30x44:
3461#if GCRYPT_VERSION_NUMBER0x010c00 >= 0x010900
3462 return tls12_prf(GCRY_MD_SM3, secret, usage, rnd1, rnd2,
3463 out, out_len);
3464#else
3465 return false0;
3466#endif
3467 case DIG_SHA3840x43:
3468 return tls12_prf(GCRY_MD_SHA384, secret, usage, rnd1, rnd2,
3469 out, out_len);
3470 default:
3471 return tls12_prf(GCRY_MD_SHA256, secret, usage, rnd1, rnd2,
3472 out, out_len);
3473 }
3474 }
3475}
3476
3477static int tls_handshake_hash(SslDecryptSession* ssl, StringInfo* out)
3478{
3479 SSL_MD5_CTXgcry_md_hd_t md5;
3480 SSL_SHA_CTXgcry_md_hd_t sha;
3481
3482 if (ssl_data_alloc(out, 36) < 0)
15
Calling 'ssl_data_alloc'
19
Returned allocated memory
20
Taking false branch
3483 return -1;
3484
3485 if (ssl_md5_init(&md5) != 0)
21
Taking true branch
3486 return -1;
3487 ssl_md5_update(&md5,ssl->handshake_data.data,ssl->handshake_data.data_len);
3488 ssl_md5_final(out->data,&md5);
3489 ssl_md5_cleanup(&md5);
3490
3491 if (ssl_sha_init(&sha) != 0)
3492 return -1;
3493 ssl_sha_update(&sha,ssl->handshake_data.data,ssl->handshake_data.data_len);
3494 ssl_sha_final(out->data+16,&sha);
3495 ssl_sha_cleanup(&sha);
3496 return 0;
3497}
3498
3499static int tls12_handshake_hash(SslDecryptSession* ssl, int md, StringInfo* out)
3500{
3501 SSL_MDgcry_md_hd_t mc;
3502 uint8_t tmp[48];
3503 unsigned len;
3504
3505 if (ssl_md_init(&mc, md) != 0)
3506 return -1;
3507 ssl_md_update(&mc,ssl->handshake_data.data,ssl->handshake_data.data_len);
3508 ssl_md_final(&mc, tmp, &len);
3509 ssl_md_cleanup(&mc);
3510
3511 if (ssl_data_alloc(out, len) < 0)
3512 return -1;
3513 memcpy(out->data, tmp, len);
3514 return 0;
3515}
3516
3517bool_Bool
3518tls_load_psk(SslDecryptSession* tls_session, const char *tls_psk)
3519{
3520 if (!tls_psk || (tls_psk[0] == 0)) {
3521 ssl_debug_printf("%s: can't find pre-shared key\n", G_STRFUNC((const char*) (__func__)));
3522 return false0;
3523 }
3524
3525 wmem_free(wmem_file_scope(), tls_session->psk.data);
3526 /* convert hex string into char*/
3527 if (!from_hex(&tls_session->psk, tls_psk, strlen(tls_psk))) {
3528 ssl_debug_printf("%s: ssl.psk/dtls.psk contains invalid hex\n",
3529 G_STRFUNC((const char*) (__func__)));
3530 return false0;
3531 }
3532
3533 if (tls_session->psk.data_len >= (2 << 15)) {
3534 ssl_debug_printf("%s: ssl.psk/dtls.psk must not be larger than 2^15 - 1\n",
3535 G_STRFUNC((const char*) (__func__)));
3536 wmem_free(wmem_file_scope(), tls_session->psk.data);
3537 tls_session->psk.data = NULL((void*)0);
3538 tls_session->psk.data_len = 0;
3539 return false0;
3540 }
3541
3542 return true1;
3543}
3544
3545/**
3546 * Obtains the label prefix used in HKDF-Expand-Label. This function can be
3547 * inlined and removed once support for draft 19 and before is dropped.
3548 */
3549static inline const char *
3550tls13_hkdf_label_prefix(SslDecryptSession *ssl_session)
3551{
3552 if (ssl_session->session.tls13_draft_version && ssl_session->session.tls13_draft_version < 20) {
3553 return "TLS 1.3, ";
3554 } else if (ssl_session->session.version == DTLSV1DOT3_VERSION0xfefc) {
3555 return "dtls13";
3556 } else {
3557 return "tls13 ";
3558 }
3559}
3560
3561/*
3562 * Computes HKDF-Expand-Label(Secret, Label, Hash(context_value), Length) with a
3563 * custom label prefix. If "context_hash" is NULL, then an empty context is
3564 * used. Otherwise it must have the same length as the hash algorithm output.
3565 */
3566bool_Bool
3567tls13_hkdf_expand_label_context(int md, const StringInfo *secret,
3568 const char *label_prefix, const char *label,
3569 const uint8_t *context_hash, uint8_t context_length,
3570 uint16_t out_len, unsigned char **out)
3571{
3572 /* RFC 8446 Section 7.1:
3573 * HKDF-Expand-Label(Secret, Label, Context, Length) =
3574 * HKDF-Expand(Secret, HkdfLabel, Length)
3575 * struct {
3576 * uint16 length = Length;
3577 * opaque label<7..255> = "tls13 " + Label; // "tls13 " is label prefix.
3578 * opaque context<0..255> = Context;
3579 * } HkdfLabel;
3580 *
3581 * RFC 5869 HMAC-based Extract-and-Expand Key Derivation Function (HKDF):
3582 * HKDF-Expand(PRK, info, L) -> OKM
3583 */
3584 gcry_error_t err;
3585 const unsigned label_prefix_length = (unsigned) strlen(label_prefix);
3586 const unsigned label_length = (unsigned) strlen(label);
3587
3588 /* Some sanity checks */
3589 DISSECTOR_ASSERT(label_length > 0 && label_prefix_length + label_length <= 255)((void) ((label_length > 0 && label_prefix_length +
label_length <= 255) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 3589, "label_length > 0 && label_prefix_length + label_length <= 255"
))))
;
3590
3591 /* info = HkdfLabel { length, label, context } */
3592 GByteArray *info = g_byte_array_new();
3593 const uint16_t length = g_htons(out_len)(((((guint16) ( (guint16) ((guint16) (out_len) >> 8) | (
guint16) ((guint16) (out_len) << 8))))))
;
3594 g_byte_array_append(info, (const uint8_t *)&length, sizeof(length));
3595
3596 const uint8_t label_vector_length = label_prefix_length + label_length;
3597 g_byte_array_append(info, &label_vector_length, 1);
3598 g_byte_array_append(info, (const uint8_t *)label_prefix, label_prefix_length);
3599 g_byte_array_append(info, (const uint8_t*)label, label_length);
3600
3601 g_byte_array_append(info, &context_length, 1);
3602 if (context_length) {
3603 g_byte_array_append(info, context_hash, context_length);
3604 }
3605
3606 *out = (unsigned char *)wmem_alloc(NULL((void*)0), out_len);
3607 err = hkdf_expand(md, secret->data, secret->data_len, info->data, info->len, *out, out_len);
3608 g_byte_array_free(info, true1);
3609
3610 if (err) {
3611 ssl_debug_printf("%s failed %d: %s\n", G_STRFUNC((const char*) (__func__)), md, gcry_strerror(err));
3612 wmem_free(NULL((void*)0), *out);
3613 *out = NULL((void*)0);
3614 return false0;
3615 }
3616
3617 return true1;
3618}
3619
3620bool_Bool
3621tls13_hkdf_expand_label(int md, const StringInfo *secret,
3622 const char *label_prefix, const char *label,
3623 uint16_t out_len, unsigned char **out)
3624{
3625 return tls13_hkdf_expand_label_context(md, secret, label_prefix, label, NULL((void*)0), 0, out_len, out);
3626}
3627
3628static bool_Bool
3629tls13_derive_secret(int md, const StringInfo *secret,
3630 const char *label_prefix, const char *label,
3631 const uint8_t *context, unsigned context_length,
3632 uint16_t out_len, unsigned char **out)
3633{
3634 SSL_MDgcry_md_hd_t mc;
3635 uint8_t context_hash[DIGEST_MAX_SIZE48];
3636 unsigned hash_len;
3637
3638 if (ssl_md_init(&mc, md) != 0)
3639 return false0;
3640 ssl_md_update(&mc, context, context_length);
3641 ssl_md_final(&mc, context_hash, &hash_len);
3642 ssl_md_cleanup(&mc);
3643
3644 return tls13_hkdf_expand_label_context(md, secret, label_prefix, label, context_hash, hash_len, out_len, out);
3645}
3646
3647/* HMAC and the Pseudorandom function }}} */
3648
3649/* Record Decompression (after decryption) {{{ */
3650#ifdef USE_ZLIB_OR_ZLIBNG
3651/* memory allocation functions for zlib initialization */
3652static void* ssl_zalloc(void* opaque _U___attribute__((unused)), unsigned int no, unsigned int size)
3653{
3654 return g_malloc0(no*size);
3655}
3656static void ssl_zfree(void* opaque _U___attribute__((unused)), void* addr)
3657{
3658 g_free(addr)(__builtin_object_size ((addr), 0) != ((size_t) - 1)) ? g_free_sized
(addr, __builtin_object_size ((addr), 0)) : (g_free) (addr)
;
3659}
3660#endif /* USE_ZLIB_OR_ZLIBNG */
3661
3662static SslDecompress*
3663ssl_create_decompressor(int compression)
3664{
3665 SslDecompress *decomp;
3666#ifdef USE_ZLIB_OR_ZLIBNG
3667 int err;
3668#endif
3669
3670 if (compression == 0) return NULL((void*)0);
3671 ssl_debug_printf("ssl_create_decompressor: compression method %d\n", compression);
3672 decomp = wmem_new(wmem_file_scope(), SslDecompress)((SslDecompress*)wmem_alloc((wmem_file_scope()), sizeof(SslDecompress
)))
;
3673 decomp->compression = compression;
3674 switch (decomp->compression) {
3675#ifdef USE_ZLIB_OR_ZLIBNG
3676 case 1: /* DEFLATE */
3677 decomp->istream.zalloc = ssl_zalloc;
3678 decomp->istream.zfree = ssl_zfree;
3679 decomp->istream.opaque = Z_NULL0;
3680 decomp->istream.next_in = Z_NULL0;
3681 decomp->istream.next_out = Z_NULL0;
3682 decomp->istream.avail_in = 0;
3683 decomp->istream.avail_out = 0;
3684 err = ZLIB_PREFIX(inflateInit)(&decomp->istream)inflateInit_((&decomp->istream), "1.3.1", (int)sizeof(
z_stream))
;
3685 if (err != Z_OK0) {
3686 ssl_debug_printf("ssl_create_decompressor: inflateInit_() failed - %d\n", err);
3687 return NULL((void*)0);
3688 }
3689 break;
3690#endif /* USE_ZLIB_OR_ZLIBNG */
3691 default:
3692 ssl_debug_printf("ssl_create_decompressor: unsupported compression method %d\n", decomp->compression);
3693 return NULL((void*)0);
3694 }
3695 return decomp;
3696}
3697
3698#ifdef USE_ZLIB_OR_ZLIBNG
3699static int
3700ssl_decompress_record(SslDecompress* decomp, const unsigned char* in, unsigned inl, StringInfo* out_str, unsigned* outl)
3701{
3702 int err;
3703
3704 switch (decomp->compression) {
3705 case 1: /* DEFLATE */
3706 err = Z_OK0;
3707 if (out_str->data_len < 16384) { /* maximal plain length */
3708 ssl_data_realloc(out_str, 16384);
3709 }
3710#ifdef z_constconst
3711 decomp->istream.next_in = in;
3712#else
3713DIAG_OFF(cast-qual)clang diagnostic push clang diagnostic ignored "-Wcast-qual"
3714 decomp->istream.next_in = (Bytef *)in;
3715DIAG_ON(cast-qual)clang diagnostic pop
3716#endif
3717 decomp->istream.avail_in = inl;
3718 decomp->istream.next_out = out_str->data;
3719 decomp->istream.avail_out = out_str->data_len;
3720 if (inl > 0)
3721 err = ZLIB_PREFIX(inflate)inflate(&decomp->istream, Z_SYNC_FLUSH2);
3722 if (err != Z_OK0) {
3723 ssl_debug_printf("ssl_decompress_record: inflate() failed - %d\n", err);
3724 return -1;
3725 }
3726 *outl = out_str->data_len - decomp->istream.avail_out;
3727 break;
3728 default:
3729 ssl_debug_printf("ssl_decompress_record: unsupported compression method %d\n", decomp->compression);
3730 return -1;
3731 }
3732 return 0;
3733}
3734#else /* USE_ZLIB_OR_ZLIBNG */
3735int
3736ssl_decompress_record(SslDecompress* decomp _U___attribute__((unused)), const unsigned char* in _U___attribute__((unused)), unsigned inl _U___attribute__((unused)), StringInfo* out_str _U___attribute__((unused)), unsigned* outl _U___attribute__((unused)))
3737{
3738 ssl_debug_printf("ssl_decompress_record: unsupported compression method %d\n", decomp->compression);
3739 return -1;
3740}
3741#endif /* USE_ZLIB_OR_ZLIBNG */
3742/* Record Decompression (after decryption) }}} */
3743
3744/* Create a new structure to store decrypted chunks. {{{ */
3745static SslFlow*
3746ssl_create_flow(void)
3747{
3748 SslFlow *flow;
3749
3750 flow = wmem_new(wmem_file_scope(), SslFlow)((SslFlow*)wmem_alloc((wmem_file_scope()), sizeof(SslFlow)));
3751 flow->byte_seq = 0;
3752 flow->flags = 0;
3753 flow->multisegment_pdus = wmem_tree_new(wmem_file_scope());
3754 return flow;
3755}
3756/* }}} */
3757
3758/* Use the negotiated security parameters for decryption. {{{ */
3759void
3760ssl_change_cipher(SslDecryptSession *ssl_session, bool_Bool server)
3761{
3762 SslDecoder **new_decoder = server ? &ssl_session->server_new : &ssl_session->client_new;
3763 SslDecoder **dest = server ? &ssl_session->server : &ssl_session->client;
3764 ssl_debug_printf("ssl_change_cipher %s%s\n", server ? "SERVER" : "CLIENT",
3765 *new_decoder ? "" : " (No decoder found - retransmission?)");
3766 if (*new_decoder) {
3767 *dest = *new_decoder;
3768 *new_decoder = NULL((void*)0);
3769 }
3770}
3771/* }}} */
3772
3773/* Init cipher state given some security parameters. {{{ */
3774static bool_Bool
3775ssl_decoder_destroy_cb(wmem_allocator_t *, wmem_cb_event_t, void *);
3776
3777static SslDecoder*
3778ssl_create_decoder(const SslCipherSuite *cipher_suite, int cipher_algo,
3779 int compression, uint8_t *mk, uint8_t *sk, uint8_t *sn_key, uint8_t *iv, unsigned iv_length)
3780{
3781 SslDecoder *dec;
3782 ssl_cipher_mode_t mode = cipher_suite->mode;
3783
3784 dec = wmem_new0(wmem_file_scope(), SslDecoder)((SslDecoder*)wmem_alloc0((wmem_file_scope()), sizeof(SslDecoder
)))
;
3785 /* init mac buffer: mac storage is embedded into decoder struct to save a
3786 memory allocation and waste samo more memory*/
3787 dec->cipher_suite=cipher_suite;
3788 dec->compression = compression;
3789 if ((mode == MODE_STREAM && mk != NULL((void*)0)) || mode == MODE_CBC) {
3790 // AEAD ciphers use no MAC key, but stream and block ciphers do. Note
3791 // the special case for NULL ciphers, even if there is insufficiency
3792 // keying material (including MAC key), we will can still create
3793 // decoders since "decryption" is easy for such ciphers.
3794 dec->mac_key.data = dec->_mac_key_or_write_iv;
3795 ssl_data_set(&dec->mac_key, mk, ssl_cipher_suite_dig(cipher_suite)->len);
3796 } else if (mode == MODE_GCM || mode == MODE_CCM || mode == MODE_CCM_8 || mode == MODE_POLY1305) {
3797 // Input for the nonce, to be used with AEAD ciphers.
3798 DISSECTOR_ASSERT(iv_length <= sizeof(dec->_mac_key_or_write_iv))((void) ((iv_length <= sizeof(dec->_mac_key_or_write_iv
)) ? (void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\""
, "epan/dissectors/packet-tls-utils.c", 3798, "iv_length <= sizeof(dec->_mac_key_or_write_iv)"
))))
;
3799 dec->write_iv.data = dec->_mac_key_or_write_iv;
3800 ssl_data_set(&dec->write_iv, iv, iv_length);
3801 }
3802 dec->seq = 0;
3803 dec->decomp = ssl_create_decompressor(compression);
3804 wmem_register_callback(wmem_file_scope(), ssl_decoder_destroy_cb, dec);
3805
3806 if (ssl_cipher_init(&dec->evp,cipher_algo,sk,iv,cipher_suite->mode) < 0) {
3807 ssl_debug_printf("%s: can't create cipher id:%d mode:%d\n", G_STRFUNC((const char*) (__func__)),
3808 cipher_algo, cipher_suite->mode);
3809 return NULL((void*)0);
3810 }
3811
3812 if (cipher_suite->enc != ENC_NULL0x3D && sn_key != NULL((void*)0)) {
3813 if (cipher_suite->enc == ENC_AES0x35 || cipher_suite->enc == ENC_AES2560x36) {
3814 mode = MODE_ECB;
3815 } else if (cipher_suite->enc == ENC_CHACHA200x3A) {
3816 mode = MODE_STREAM;
3817 } else {
3818 ssl_debug_printf("not supported encryption algorithm for DTLSv1.3\n");
3819 return NULL((void*)0);
3820 }
3821
3822 if (ssl_cipher_init(&dec->sn_evp, cipher_algo, sn_key, NULL((void*)0), mode) < 0) {
3823 ssl_debug_printf("%s: can't create cipher id:%d mode:%d for seq number decryption\n", G_STRFUNC((const char*) (__func__)),
3824 cipher_algo, MODE_ECB);
3825 ssl_cipher_cleanup(&dec->evp);
3826 dec->evp = NULL((void*)0);
3827 return NULL((void*)0);
3828 }
3829 } else {
3830 dec->sn_evp = NULL((void*)0);
3831 }
3832
3833 dec->dtls13_aad.data = NULL((void*)0);
3834 dec->dtls13_aad.data_len = 0;
3835 ssl_debug_printf("decoder initialized (digest len %d)\n", ssl_cipher_suite_dig(cipher_suite)->len);
3836 return dec;
3837}
3838
3839static bool_Bool
3840ssl_decoder_destroy_cb(wmem_allocator_t *allocator _U___attribute__((unused)), wmem_cb_event_t event _U___attribute__((unused)), void *user_data)
3841{
3842 SslDecoder *dec = (SslDecoder *) user_data;
3843
3844 if (dec->evp)
3845 ssl_cipher_cleanup(&dec->evp);
3846 if (dec->sn_evp)
3847 ssl_cipher_cleanup(&dec->sn_evp);
3848
3849#ifdef USE_ZLIB_OR_ZLIBNG
3850 if (dec->decomp != NULL((void*)0) && dec->decomp->compression == 1 /* DEFLATE */)
3851 ZLIB_PREFIX(inflateEnd)inflateEnd(&dec->decomp->istream);
3852#endif
3853
3854 return false0;
3855}
3856/* }}} */
3857
3858/* (Pre-)master secrets calculations {{{ */
3859#ifdef HAVE_LIBGNUTLS1
3860static bool_Bool
3861ssl_decrypt_pre_master_secret(SslDecryptSession *ssl_session,
3862 StringInfo *encrypted_pre_master,
3863 GHashTable *key_hash);
3864#endif /* HAVE_LIBGNUTLS */
3865
3866static bool_Bool
3867ssl_restore_master_key(SslDecryptSession *ssl, const char *label,
3868 bool_Bool is_pre_master, GHashTable *ht, StringInfo *key);
3869
3870bool_Bool
3871ssl_generate_pre_master_secret(SslDecryptSession *ssl_session,
3872 uint32_t length, tvbuff_t *tvb, uint32_t offset,
3873 const char *ssl_psk, packet_info *pinfo,
3874#ifdef HAVE_LIBGNUTLS1
3875 GHashTable *key_hash,
3876#endif
3877 const ssl_master_key_map_t *mk_map)
3878{
3879 /* check for required session data */
3880 ssl_debug_printf("%s: found SSL_HND_CLIENT_KEY_EXCHG, state %X\n",
3881 G_STRFUNC((const char*) (__func__)), ssl_session->state);
3882 if ((ssl_session->state & (SSL_CIPHER(1<<2)|SSL_CLIENT_RANDOM(1<<0)|SSL_SERVER_RANDOM(1<<1)|SSL_VERSION(1<<4))) !=
3883 (SSL_CIPHER(1<<2)|SSL_CLIENT_RANDOM(1<<0)|SSL_SERVER_RANDOM(1<<1)|SSL_VERSION(1<<4))) {
3884 ssl_debug_printf("%s: not enough data to generate key (required state %X)\n", G_STRFUNC((const char*) (__func__)),
3885 (SSL_CIPHER(1<<2)|SSL_CLIENT_RANDOM(1<<0)|SSL_SERVER_RANDOM(1<<1)|SSL_VERSION(1<<4)));
3886 return false0;
3887 }
3888
3889 if (ssl_session->session.version == TLSV1DOT3_VERSION0x304) {
3890 ssl_debug_printf("%s: detected TLS 1.3 which has no pre-master secrets\n", G_STRFUNC((const char*) (__func__)));
3891 return false0;
3892 }
3893
3894 /* check to see if the PMS was provided to us*/
3895 if (ssl_restore_master_key(ssl_session, "Unencrypted pre-master secret", true1,
3896 mk_map->pms, &ssl_session->client_random)) {
3897 return true1;
3898 }
3899
3900 if (ssl_session->cipher_suite->kex == KEX_PSK0x1d)
3901 {
3902 /* calculate pre master secret*/
3903 StringInfo pre_master_secret;
3904 unsigned psk_len, pre_master_len;
3905
3906 if (!tls_load_psk(ssl_session, ssl_psk)) {
3907 return false0;
3908 }
3909 psk_len = ssl_session->psk.data_len;
3910
3911 pre_master_len = psk_len * 2 + 4;
3912
3913 pre_master_secret.data = (unsigned char *)wmem_alloc(wmem_file_scope(), pre_master_len);
3914 pre_master_secret.data_len = pre_master_len;
3915 /* 2 bytes psk_len*/
3916 pre_master_secret.data[0] = psk_len >> 8;
3917 pre_master_secret.data[1] = psk_len & 0xFF;
3918 /* psk_len bytes times 0*/
3919 memset(&pre_master_secret.data[2], 0, psk_len);
3920 /* 2 bytes psk_len*/
3921 pre_master_secret.data[psk_len + 2] = psk_len >> 8;
3922 pre_master_secret.data[psk_len + 3] = psk_len & 0xFF;
3923 /* psk*/
3924 memcpy(&pre_master_secret.data[psk_len + 4], ssl_session->psk.data, psk_len);
3925
3926 ssl_session->pre_master_secret.data = pre_master_secret.data;
3927 ssl_session->pre_master_secret.data_len = pre_master_len;
3928 /*ssl_debug_printf("pre master secret",&ssl->pre_master_secret);*/
3929
3930 /* Remove the master secret if it was there.
3931 This forces keying material regeneration in
3932 case we're renegotiating */
3933 ssl_session->state &= ~(SSL_MASTER_SECRET(1<<5)|SSL_HAVE_SESSION_KEY(1<<3));
3934 ssl_session->state |= SSL_PRE_MASTER_SECRET(1<<6);
3935 return true1;
3936 }
3937 else
3938 {
3939 unsigned encrlen, skip;
3940 encrlen = length;
3941 skip = 0;
3942
3943 /* get encrypted data, on tls1 we have to skip two bytes
3944 * (it's the encrypted len and should be equal to record len - 2)
3945 * in case of rsa1024 that would be 128 + 2 = 130; for psk not necessary
3946 */
3947 if (ssl_session->cipher_suite->kex == KEX_RSA0x1e &&
3948 (ssl_session->session.version == TLSV1_VERSION0x301 ||
3949 ssl_session->session.version == TLSV1DOT1_VERSION0x302 ||
3950 ssl_session->session.version == TLSV1DOT2_VERSION0x303 ||
3951 ssl_session->session.version == DTLSV1DOT0_VERSION0xfeff ||
3952 ssl_session->session.version == DTLSV1DOT2_VERSION0xfefd ||
3953 ssl_session->session.version == TLCPV1_VERSION0x101 ))
3954 {
3955 encrlen = tvb_get_ntohs(tvb, offset);
3956 skip = 2;
3957 if (encrlen > length - 2)
3958 {
3959 ssl_debug_printf("%s: wrong encrypted length (%d max %d)\n",
3960 G_STRFUNC((const char*) (__func__)), encrlen, length);
3961 return false0;
3962 }
3963 }
3964 /* the valid lower bound is higher than 8, but it is sufficient for the
3965 * ssl keylog file below */
3966 if (encrlen < 8) {
3967 ssl_debug_printf("%s: invalid encrypted pre-master key length %d\n",
3968 G_STRFUNC((const char*) (__func__)), encrlen);
3969 return false0;
3970 }
3971
3972 StringInfo encrypted_pre_master = {
3973 .data = (unsigned char *)tvb_memdup(pinfo->pool, tvb, offset + skip, encrlen),
3974 .data_len = encrlen,
3975 };
3976
3977#ifdef HAVE_LIBGNUTLS1
3978 /* Try to lookup an appropriate RSA private key to decrypt the Encrypted Pre-Master Secret. */
3979 if (ssl_session->cert_key_id) {
3980 if (ssl_decrypt_pre_master_secret(ssl_session, &encrypted_pre_master, key_hash))
3981 return true1;
3982
3983 ssl_debug_printf("%s: can't decrypt pre-master secret\n",
3984 G_STRFUNC((const char*) (__func__)));
3985 }
3986#endif /* HAVE_LIBGNUTLS */
3987
3988 /* try to find the pre-master secret from the encrypted one. The
3989 * ssl key logfile stores only the first 8 bytes, so truncate it */
3990 encrypted_pre_master.data_len = 8;
3991 if (ssl_restore_master_key(ssl_session, "Encrypted pre-master secret",
3992 true1, mk_map->pre_master, &encrypted_pre_master))
3993 return true1;
3994 }
3995 return false0;
3996}
3997
3998/* Used for (D)TLS 1.2 and earlier versions (not with TLS 1.3). */
3999int
4000ssl_generate_keyring_material(SslDecryptSession*ssl_session)
4001{
4002 StringInfo key_block = { NULL((void*)0), 0 };
4003 uint8_t _iv_c[MAX_BLOCK_SIZE16],_iv_s[MAX_BLOCK_SIZE16];
4004 uint8_t _key_c[MAX_KEY_SIZE32],_key_s[MAX_KEY_SIZE32];
4005 int needed;
4006 int cipher_algo = -1; /* special value (-1) for NULL encryption */
4007 unsigned encr_key_len, write_iv_len = 0;
4008 bool_Bool is_export_cipher;
4009 uint8_t *ptr, *c_iv = NULL((void*)0), *s_iv = NULL((void*)0);
4010 uint8_t *c_wk = NULL((void*)0), *s_wk = NULL((void*)0), *c_mk = NULL((void*)0), *s_mk = NULL((void*)0);
4011 const SslCipherSuite *cipher_suite = ssl_session->cipher_suite;
4012
4013 /* (D)TLS 1.3 is handled directly in tls13_change_key. */
4014 if (ssl_session->session.version == TLSV1DOT3_VERSION0x304 || ssl_session->session.version == DTLSV1DOT3_VERSION0xfefc) {
1
Assuming field 'version' is not equal to TLSV1DOT3_VERSION
2
Assuming field 'version' is not equal to DTLSV1DOT3_VERSION
3
Taking false branch
4015 ssl_debug_printf("%s: detected TLS 1.3. Should not have been called!\n", G_STRFUNC((const char*) (__func__)));
4016 return -1;
4017 }
4018
4019 /* check for enough info to proceed */
4020 unsigned need_all = SSL_CIPHER(1<<2)|SSL_CLIENT_RANDOM(1<<0)|SSL_SERVER_RANDOM(1<<1)|SSL_VERSION(1<<4);
4021 unsigned need_any = SSL_MASTER_SECRET(1<<5) | SSL_PRE_MASTER_SECRET(1<<6);
4022 if (((ssl_session->state & need_all) != need_all) || ((ssl_session->state & need_any) == 0)) {
4
Assuming the condition is false
5
Assuming the condition is false
6
Taking false branch
4023 ssl_debug_printf("ssl_generate_keyring_material not enough data to generate key "
4024 "(0x%02X required 0x%02X or 0x%02X)\n", ssl_session->state,
4025 need_all|SSL_MASTER_SECRET(1<<5), need_all|SSL_PRE_MASTER_SECRET(1<<6));
4026 /* Special case: for NULL encryption, allow dissection of data even if
4027 * the Client Hello is missing (MAC keys are now skipped though). */
4028 need_all = SSL_CIPHER(1<<2)|SSL_VERSION(1<<4);
4029 if ((ssl_session->state & need_all) == need_all &&
4030 cipher_suite->enc == ENC_NULL0x3D) {
4031 ssl_debug_printf("%s NULL cipher found, will create a decoder but "
4032 "skip MAC validation as keys are missing.\n", G_STRFUNC((const char*) (__func__)));
4033 goto create_decoders;
4034 }
4035
4036 return -1;
4037 }
4038
4039 /* if master key is not available, generate is from the pre-master secret */
4040 if (!(ssl_session->state & SSL_MASTER_SECRET(1<<5))) {
7
Assuming the condition is true
8
Taking true branch
4041 if ((ssl_session->state & SSL_EXTENDED_MASTER_SECRET_MASK((1<<7)|(1<<8))) == SSL_EXTENDED_MASTER_SECRET_MASK((1<<7)|(1<<8))) {
9
Assuming the condition is true
10
Taking true branch
4042 StringInfo handshake_hashed_data;
4043 int ret;
4044
4045 handshake_hashed_data.data = NULL((void*)0);
4046 handshake_hashed_data.data_len = 0;
4047
4048 ssl_debug_printf("%s:PRF(pre_master_secret_extended)\n", G_STRFUNC((const char*) (__func__)));
4049 ssl_print_string("pre master secret",&ssl_session->pre_master_secret);
4050 DISSECTOR_ASSERT(ssl_session->handshake_data.data_len > 0)((void) ((ssl_session->handshake_data.data_len > 0) ? (
void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\""
, "epan/dissectors/packet-tls-utils.c", 4050, "ssl_session->handshake_data.data_len > 0"
))))
;
11
Assuming field 'data_len' is > 0
12
'?' condition is true
4051
4052 switch(ssl_session->session.version) {
13
Control jumps to 'case 257:' at line 4057
4053 case TLSV1_VERSION0x301:
4054 case TLSV1DOT1_VERSION0x302:
4055 case DTLSV1DOT0_VERSION0xfeff:
4056 case DTLSV1DOT0_OPENSSL_VERSION0x100:
4057 case TLCPV1_VERSION0x101:
4058 ret = tls_handshake_hash(ssl_session, &handshake_hashed_data);
14
Calling 'tls_handshake_hash'
22
Returned allocated memory
4059 break;
4060 default:
4061 switch (cipher_suite->dig) {
4062 case DIG_SHA3840x43:
4063 ret = tls12_handshake_hash(ssl_session, GCRY_MD_SHA384, &handshake_hashed_data);
4064 break;
4065 default:
4066 ret = tls12_handshake_hash(ssl_session, GCRY_MD_SHA256, &handshake_hashed_data);
4067 break;
4068 }
4069 break;
4070 }
4071 if (ret
23.1
'ret' is -1
) {
23
Execution continues on line 4071
24
Taking true branch
4072 ssl_debug_printf("%s can't generate handshake hash\n", G_STRFUNC((const char*) (__func__)));
25
Potential leak of memory pointed to by 'handshake_hashed_data.data'
4073 return -1;
4074 }
4075
4076 wmem_free(wmem_file_scope(), ssl_session->handshake_data.data);
4077 ssl_session->handshake_data.data = NULL((void*)0);
4078 ssl_session->handshake_data.data_len = 0;
4079
4080 if (!prf(ssl_session, &ssl_session->pre_master_secret, "extended master secret",
4081 &handshake_hashed_data,
4082 NULL((void*)0), &ssl_session->master_secret,
4083 SSL_MASTER_SECRET_LENGTH48)) {
4084 ssl_debug_printf("%s can't generate master_secret\n", G_STRFUNC((const char*) (__func__)));
4085 g_free(handshake_hashed_data.data)(__builtin_object_size ((handshake_hashed_data.data), 0) != (
(size_t) - 1)) ? g_free_sized (handshake_hashed_data.data, __builtin_object_size
((handshake_hashed_data.data), 0)) : (g_free) (handshake_hashed_data
.data)
;
4086 return -1;
4087 }
4088 g_free(handshake_hashed_data.data)(__builtin_object_size ((handshake_hashed_data.data), 0) != (
(size_t) - 1)) ? g_free_sized (handshake_hashed_data.data, __builtin_object_size
((handshake_hashed_data.data), 0)) : (g_free) (handshake_hashed_data
.data)
;
4089 } else {
4090 ssl_debug_printf("%s:PRF(pre_master_secret)\n", G_STRFUNC((const char*) (__func__)));
4091 ssl_print_string("pre master secret",&ssl_session->pre_master_secret);
4092 ssl_print_string("client random",&ssl_session->client_random);
4093 ssl_print_string("server random",&ssl_session->server_random);
4094 if (!prf(ssl_session, &ssl_session->pre_master_secret, "master secret",
4095 &ssl_session->client_random,
4096 &ssl_session->server_random, &ssl_session->master_secret,
4097 SSL_MASTER_SECRET_LENGTH48)) {
4098 ssl_debug_printf("%s can't generate master_secret\n", G_STRFUNC((const char*) (__func__)));
4099 return -1;
4100 }
4101 }
4102 ssl_print_string("master secret",&ssl_session->master_secret);
4103
4104 /* the pre-master secret has been 'consumed' so we must clear it now */
4105 ssl_session->state &= ~SSL_PRE_MASTER_SECRET(1<<6);
4106 ssl_session->state |= SSL_MASTER_SECRET(1<<5);
4107 }
4108
4109 /* Find the Libgcrypt cipher algorithm for the given SSL cipher suite ID */
4110 if (cipher_suite->enc != ENC_NULL0x3D) {
4111 const char *cipher_name = ciphers[cipher_suite->enc-ENC_START0x30];
4112 ssl_debug_printf("%s CIPHER: %s\n", G_STRFUNC((const char*) (__func__)), cipher_name);
4113 cipher_algo = ssl_get_cipher_by_name(cipher_name);
4114 if (cipher_algo == 0) {
4115 ssl_debug_printf("%s can't find cipher %s\n", G_STRFUNC((const char*) (__func__)), cipher_name);
4116 return -1;
4117 }
4118 }
4119
4120 /* Export ciphers consume less material from the key block. */
4121 encr_key_len = ssl_get_cipher_export_keymat_size(cipher_suite->number);
4122 is_export_cipher = encr_key_len > 0;
4123 if (!is_export_cipher && cipher_suite->enc != ENC_NULL0x3D) {
4124 encr_key_len = (unsigned)gcry_cipher_get_algo_keylen(cipher_algo);
4125 }
4126
4127 if (cipher_suite->mode == MODE_CBC) {
4128 write_iv_len = (unsigned)gcry_cipher_get_algo_blklen(cipher_algo);
4129 } else if (cipher_suite->mode == MODE_GCM || cipher_suite->mode == MODE_CCM || cipher_suite->mode == MODE_CCM_8) {
4130 /* account for a four-byte salt for client and server side (from
4131 * client_write_IV and server_write_IV), see GCMNonce (RFC 5288) */
4132 write_iv_len = 4;
4133 } else if (cipher_suite->mode == MODE_POLY1305) {
4134 /* RFC 7905: SecurityParameters.fixed_iv_length is twelve bytes */
4135 write_iv_len = 12;
4136 }
4137
4138 /* Compute the key block. First figure out how much data we need */
4139 needed = ssl_cipher_suite_dig(cipher_suite)->len*2; /* MAC key */
4140 needed += 2 * encr_key_len; /* encryption key */
4141 needed += 2 * write_iv_len; /* write IV */
4142
4143 key_block.data = (unsigned char *)g_malloc(needed);
4144 ssl_debug_printf("%s sess key generation\n", G_STRFUNC((const char*) (__func__)));
4145 if (!prf(ssl_session, &ssl_session->master_secret, "key expansion",
4146 &ssl_session->server_random,&ssl_session->client_random,
4147 &key_block, needed)) {
4148 ssl_debug_printf("%s can't generate key_block\n", G_STRFUNC((const char*) (__func__)));
4149 goto fail;
4150 }
4151 ssl_print_string("key expansion", &key_block);
4152
4153 ptr=key_block.data;
4154 /* client/server write MAC key (for non-AEAD ciphers) */
4155 if (cipher_suite->mode == MODE_STREAM || cipher_suite->mode == MODE_CBC) {
4156 c_mk=ptr; ptr+=ssl_cipher_suite_dig(cipher_suite)->len;
4157 s_mk=ptr; ptr+=ssl_cipher_suite_dig(cipher_suite)->len;
4158 }
4159 /* client/server write encryption key */
4160 c_wk=ptr; ptr += encr_key_len;
4161 s_wk=ptr; ptr += encr_key_len;
4162 /* client/server write IV (used as IV (for CBC) or salt (for AEAD)) */
4163 if (write_iv_len > 0) {
4164 c_iv=ptr; ptr += write_iv_len;
4165 s_iv=ptr; /* ptr += write_iv_len; */
4166 }
4167
4168 /* export ciphers work with a smaller key length */
4169 if (is_export_cipher) {
4170 if (cipher_suite->mode == MODE_CBC) {
4171
4172 /* We only have room for MAX_BLOCK_SIZE bytes IVs, but that's
4173 all we should need. This is a sanity check */
4174 if (write_iv_len > MAX_BLOCK_SIZE16) {
4175 ssl_debug_printf("%s cipher suite block must be at most %d nut is %d\n",
4176 G_STRFUNC((const char*) (__func__)), MAX_BLOCK_SIZE16, write_iv_len);
4177 goto fail;
4178 }
4179
4180 if(ssl_session->session.version==SSLV3_VERSION0x300){
4181 /* The length of these fields are ignored by this caller */
4182 StringInfo iv_c, iv_s;
4183 iv_c.data = _iv_c;
4184 iv_s.data = _iv_s;
4185
4186 ssl_debug_printf("%s ssl3_generate_export_iv\n", G_STRFUNC((const char*) (__func__)));
4187 if (!ssl3_generate_export_iv(&ssl_session->client_random,
4188 &ssl_session->server_random, &iv_c, write_iv_len)) {
4189 goto fail;
4190 }
4191 ssl_debug_printf("%s ssl3_generate_export_iv(2)\n", G_STRFUNC((const char*) (__func__)));
4192 if (!ssl3_generate_export_iv(&ssl_session->server_random,
4193 &ssl_session->client_random, &iv_s, write_iv_len)) {
4194 goto fail;
4195 }
4196 }
4197 else{
4198 uint8_t _iv_block[MAX_BLOCK_SIZE16 * 2];
4199 StringInfo iv_block;
4200 StringInfo key_null;
4201 uint8_t _key_null;
4202
4203 key_null.data = &_key_null;
4204 key_null.data_len = 0;
4205
4206 iv_block.data = _iv_block;
4207
4208 ssl_debug_printf("%s prf(iv_block)\n", G_STRFUNC((const char*) (__func__)));
4209 if (!prf(ssl_session, &key_null, "IV block",
4210 &ssl_session->client_random,
4211 &ssl_session->server_random, &iv_block,
4212 write_iv_len * 2)) {
4213 ssl_debug_printf("%s can't generate tls31 iv block\n", G_STRFUNC((const char*) (__func__)));
4214 goto fail;
4215 }
4216
4217 memcpy(_iv_c, iv_block.data, write_iv_len);
4218 memcpy(_iv_s, iv_block.data + write_iv_len, write_iv_len);
4219 }
4220
4221 c_iv=_iv_c;
4222 s_iv=_iv_s;
4223 }
4224
4225 if (ssl_session->session.version==SSLV3_VERSION0x300){
4226
4227 SSL_MD5_CTXgcry_md_hd_t md5;
4228 ssl_debug_printf("%s MD5(client_random)\n", G_STRFUNC((const char*) (__func__)));
4229
4230 if (ssl_md5_init(&md5) != 0)
4231 goto fail;
4232 ssl_md5_update(&md5,c_wk,encr_key_len);
4233 ssl_md5_update(&md5,ssl_session->client_random.data,
4234 ssl_session->client_random.data_len);
4235 ssl_md5_update(&md5,ssl_session->server_random.data,
4236 ssl_session->server_random.data_len);
4237 ssl_md5_final(_key_c,&md5);
4238 ssl_md5_cleanup(&md5);
4239 c_wk=_key_c;
4240
4241 if (ssl_md5_init(&md5) != 0)
4242 goto fail;
4243 ssl_debug_printf("%s MD5(server_random)\n", G_STRFUNC((const char*) (__func__)));
4244 ssl_md5_update(&md5,s_wk,encr_key_len);
4245 ssl_md5_update(&md5,ssl_session->server_random.data,
4246 ssl_session->server_random.data_len);
4247 ssl_md5_update(&md5,ssl_session->client_random.data,
4248 ssl_session->client_random.data_len);
4249 ssl_md5_final(_key_s,&md5);
4250 ssl_md5_cleanup(&md5);
4251 s_wk=_key_s;
4252 }
4253 else{
4254 StringInfo key_c, key_s, k;
4255 key_c.data = _key_c;
4256 key_s.data = _key_s;
4257
4258 k.data = c_wk;
4259 k.data_len = encr_key_len;
4260 ssl_debug_printf("%s PRF(key_c)\n", G_STRFUNC((const char*) (__func__)));
4261 if (!prf(ssl_session, &k, "client write key",
4262 &ssl_session->client_random,
4263 &ssl_session->server_random, &key_c, sizeof(_key_c))) {
4264 ssl_debug_printf("%s can't generate tll31 server key \n", G_STRFUNC((const char*) (__func__)));
4265 goto fail;
4266 }
4267 c_wk=_key_c;
4268
4269 k.data = s_wk;
4270 k.data_len = encr_key_len;
4271 ssl_debug_printf("%s PRF(key_s)\n", G_STRFUNC((const char*) (__func__)));
4272 if (!prf(ssl_session, &k, "server write key",
4273 &ssl_session->client_random,
4274 &ssl_session->server_random, &key_s, sizeof(_key_s))) {
4275 ssl_debug_printf("%s can't generate tll31 client key \n", G_STRFUNC((const char*) (__func__)));
4276 goto fail;
4277 }
4278 s_wk=_key_s;
4279 }
4280 }
4281
4282 /* show key material info */
4283 if (c_mk != NULL((void*)0)) {
4284 ssl_print_data("Client MAC key",c_mk,ssl_cipher_suite_dig(cipher_suite)->len);
4285 ssl_print_data("Server MAC key",s_mk,ssl_cipher_suite_dig(cipher_suite)->len);
4286 }
4287 ssl_print_data("Client Write key", c_wk, encr_key_len);
4288 ssl_print_data("Server Write key", s_wk, encr_key_len);
4289 /* used as IV for CBC mode and the AEAD implicit nonce (salt) */
4290 if (write_iv_len > 0) {
4291 ssl_print_data("Client Write IV", c_iv, write_iv_len);
4292 ssl_print_data("Server Write IV", s_iv, write_iv_len);
4293 }
4294
4295create_decoders:
4296 /* create both client and server ciphers*/
4297 ssl_debug_printf("%s ssl_create_decoder(client)\n", G_STRFUNC((const char*) (__func__)));
4298 ssl_session->client_new = ssl_create_decoder(cipher_suite, cipher_algo, ssl_session->session.compression, c_mk, c_wk, NULL((void*)0), c_iv, write_iv_len);
4299 if (!ssl_session->client_new) {
4300 ssl_debug_printf("%s can't init client decoder\n", G_STRFUNC((const char*) (__func__)));
4301 goto fail;
4302 }
4303 ssl_debug_printf("%s ssl_create_decoder(server)\n", G_STRFUNC((const char*) (__func__)));
4304 ssl_session->server_new = ssl_create_decoder(cipher_suite, cipher_algo, ssl_session->session.compression, s_mk, s_wk, NULL((void*)0), s_iv, write_iv_len);
4305 if (!ssl_session->server_new) {
4306 ssl_debug_printf("%s can't init server decoder\n", G_STRFUNC((const char*) (__func__)));
4307 goto fail;
4308 }
4309
4310 /* Continue the SSL stream after renegotiation with new keys. */
4311 ssl_session->client_new->flow = ssl_session->client ? ssl_session->client->flow : ssl_create_flow();
4312 ssl_session->server_new->flow = ssl_session->server ? ssl_session->server->flow : ssl_create_flow();
4313
4314 ssl_debug_printf("%s: client seq %" PRIu64"l" "u" ", server seq %" PRIu64"l" "u" "\n",
4315 G_STRFUNC((const char*) (__func__)), ssl_session->client_new->seq, ssl_session->server_new->seq);
4316 g_free(key_block.data)(__builtin_object_size ((key_block.data), 0) != ((size_t) - 1
)) ? g_free_sized (key_block.data, __builtin_object_size ((key_block
.data), 0)) : (g_free) (key_block.data)
;
4317 ssl_session->state |= SSL_HAVE_SESSION_KEY(1<<3);
4318 return 0;
4319
4320fail:
4321 g_free(key_block.data)(__builtin_object_size ((key_block.data), 0) != ((size_t) - 1
)) ? g_free_sized (key_block.data, __builtin_object_size ((key_block
.data), 0)) : (g_free) (key_block.data)
;
4322 return -1;
4323}
4324
4325/* Generated the key material based on the given secret. */
4326bool_Bool
4327tls13_generate_keys(SslDecryptSession *ssl_session, const StringInfo *secret, bool_Bool is_from_server)
4328{
4329 bool_Bool success = false0;
4330 unsigned char *write_key = NULL((void*)0), *write_iv = NULL((void*)0);
4331 unsigned char *sn_key = NULL((void*)0);
4332 SslDecoder *decoder;
4333 unsigned key_length, iv_length;
4334 int hash_algo;
4335 const SslCipherSuite *cipher_suite = ssl_session->cipher_suite;
4336 int cipher_algo;
4337
4338 if ((ssl_session->session.version != TLSV1DOT3_VERSION0x304) && (ssl_session->session.version != DTLSV1DOT3_VERSION0xfefc)) {
4339 ssl_debug_printf("%s only usable for TLS 1.3, not %#x!\n", G_STRFUNC((const char*) (__func__)),
4340 ssl_session->session.version);
4341 return false0;
4342 }
4343
4344 if (cipher_suite == NULL((void*)0)) {
4345 ssl_debug_printf("%s Unknown cipher\n", G_STRFUNC((const char*) (__func__)));
4346 return false0;
4347 }
4348
4349 if (cipher_suite->kex != KEX_TLS130x23) {
4350 ssl_debug_printf("%s Invalid cipher suite 0x%04x spotted!\n", G_STRFUNC((const char*) (__func__)), cipher_suite->number);
4351 return false0;
4352 }
4353
4354 /* Find the Libgcrypt cipher algorithm for the given SSL cipher suite ID */
4355 const char *cipher_name = ciphers[cipher_suite->enc-ENC_START0x30];
4356 ssl_debug_printf("%s CIPHER: %s\n", G_STRFUNC((const char*) (__func__)), cipher_name);
4357 cipher_algo = ssl_get_cipher_by_name(cipher_name);
4358 if (cipher_algo == 0) {
4359 ssl_debug_printf("%s can't find cipher %s\n", G_STRFUNC((const char*) (__func__)), cipher_name);
4360 return false0;
4361 }
4362
4363 const char *hash_name = ssl_cipher_suite_dig(cipher_suite)->name;
4364 hash_algo = ssl_get_digest_by_name(hash_name);
4365 if (!hash_algo) {
4366 ssl_debug_printf("%s can't find hash function %s\n", G_STRFUNC((const char*) (__func__)), hash_name);
4367 return false0;
4368 }
4369
4370 key_length = (unsigned) gcry_cipher_get_algo_keylen(cipher_algo);
4371 /* AES-GCM/AES-CCM/Poly1305-ChaCha20 all have N_MIN=N_MAX = 12. */
4372 iv_length = 12;
4373 ssl_debug_printf("%s key_length %u iv_length %u\n", G_STRFUNC((const char*) (__func__)), key_length, iv_length);
4374
4375 const char *label_prefix = tls13_hkdf_label_prefix(ssl_session);
4376 if (!tls13_hkdf_expand_label(hash_algo, secret, label_prefix, "key", key_length, &write_key)) {
4377 ssl_debug_printf("%s write_key expansion failed\n", G_STRFUNC((const char*) (__func__)));
4378 return false0;
4379 }
4380 if (!tls13_hkdf_expand_label(hash_algo, secret, label_prefix, "iv", iv_length, &write_iv)) {
4381 ssl_debug_printf("%s write_iv expansion failed\n", G_STRFUNC((const char*) (__func__)));
4382 goto end;
4383 }
4384
4385 if (ssl_session->session.version == DTLSV1DOT3_VERSION0xfefc) {
4386 if (!tls13_hkdf_expand_label(hash_algo, secret, label_prefix, "sn", key_length, &sn_key)) {
4387 ssl_debug_printf("%s sn_key expansion failed\n", G_STRFUNC((const char*) (__func__)));
4388 goto end;
4389 }
4390 }
4391
4392 ssl_print_data(is_from_server ? "Server Write Key" : "Client Write Key", write_key, key_length);
4393 ssl_print_data(is_from_server ? "Server Write IV" : "Client Write IV", write_iv, iv_length);
4394 if (ssl_session->session.version == DTLSV1DOT3_VERSION0xfefc) {
4395 ssl_print_data(is_from_server ? "Server Write SN" : "Client Write SN", sn_key, key_length);
4396 }
4397
4398 ssl_debug_printf("%s ssl_create_decoder(%s)\n", G_STRFUNC((const char*) (__func__)), is_from_server ? "server" : "client");
4399 decoder = ssl_create_decoder(cipher_suite, cipher_algo, 0, NULL((void*)0), write_key, sn_key, write_iv, iv_length);
4400 if (!decoder) {
4401 ssl_debug_printf("%s can't init %s decoder\n", G_STRFUNC((const char*) (__func__)), is_from_server ? "server" : "client");
4402 goto end;
4403 }
4404
4405 /* Continue the TLS session with new keys, but reuse old flow to keep things
4406 * like "Follow TLS" working (by linking application data records). */
4407 if (is_from_server) {
4408 decoder->flow = ssl_session->server ? ssl_session->server->flow : ssl_create_flow();
4409 ssl_session->server = decoder;
4410 } else {
4411 decoder->flow = ssl_session->client ? ssl_session->client->flow : ssl_create_flow();
4412 ssl_session->client = decoder;
4413 }
4414 ssl_debug_printf("%s %s ready using cipher suite 0x%04x (cipher %s hash %s)\n", G_STRFUNC((const char*) (__func__)),
4415 is_from_server ? "Server" : "Client", cipher_suite->number, cipher_name, hash_name);
4416 success = true1;
4417
4418end:
4419 wmem_free(NULL((void*)0), write_key);
4420 wmem_free(NULL((void*)0), write_iv);
4421 if (sn_key)
4422 wmem_free(NULL((void*)0), sn_key);
4423 return success;
4424}
4425/* (Pre-)master secrets calculations }}} */
4426
4427#ifdef HAVE_LIBGNUTLS1
4428/* Decrypt RSA pre-master secret using RSA private key. {{{ */
4429static bool_Bool
4430ssl_decrypt_pre_master_secret(SslDecryptSession *ssl_session,
4431 StringInfo *encrypted_pre_master, GHashTable *key_hash)
4432{
4433 int ret;
4434
4435 if (!encrypted_pre_master)
4436 return false0;
4437
4438 if (KEX_IS_DH(ssl_session->cipher_suite->kex)((ssl_session->cipher_suite->kex) >= 0x10 &&
(ssl_session->cipher_suite->kex) <= 0x1b)
) {
4439 ssl_debug_printf("%s: session uses Diffie-Hellman key exchange "
4440 "(cipher suite 0x%04X %s) and cannot be decrypted "
4441 "using a RSA private key file.\n",
4442 G_STRFUNC((const char*) (__func__)), ssl_session->session.cipher,
4443 val_to_str_ext_const(ssl_session->session.cipher,
4444 &ssl_31_ciphersuite_ext, "unknown"));
4445 return false0;
4446 } else if (ssl_session->cipher_suite->kex != KEX_RSA0x1e) {
4447 ssl_debug_printf("%s key exchange %d different from KEX_RSA (%d)\n",
4448 G_STRFUNC((const char*) (__func__)), ssl_session->cipher_suite->kex, KEX_RSA0x1e);
4449 return false0;
4450 }
4451
4452 gnutls_privkey_t pk = (gnutls_privkey_t)g_hash_table_lookup(key_hash, ssl_session->cert_key_id);
4453
4454 ssl_print_string("pre master encrypted", encrypted_pre_master);
4455 ssl_debug_printf("%s: RSA_private_decrypt\n", G_STRFUNC((const char*) (__func__)));
4456 const gnutls_datum_t epms = { encrypted_pre_master->data, encrypted_pre_master->data_len };
4457 gnutls_datum_t pms = { 0 };
4458 if (pk) {
4459 // Try to decrypt using the RSA keys table from (D)TLS preferences.
4460 char *err = NULL((void*)0);
4461 gcry_sexp_t private_key = rsa_abstract_privkey_to_sexp(pk, &err);
4462 if (!private_key) {
4463 ssl_debug_printf("%s: decryption failed: Can't export private key: %s", G_STRFUNC((const char*) (__func__)), err);
4464 g_free(err)(__builtin_object_size ((err), 0) != ((size_t) - 1)) ? g_free_sized
(err, __builtin_object_size ((err), 0)) : (g_free) (err)
;
4465 return false0;
4466 }
4467
4468 pms.size = (int)rsa_decrypt(encrypted_pre_master->data_len, encrypted_pre_master->data, &pms.data, private_key, "pkcs1", &err);
4469 rsa_private_key_free(private_key);
4470 if (pms.size == 0) {
4471 ssl_debug_printf("%s: decryption failed: %s\n", G_STRFUNC((const char*) (__func__)), err);
4472 g_free(err)(__builtin_object_size ((err), 0) != ((size_t) - 1)) ? g_free_sized
(err, __builtin_object_size ((err), 0)) : (g_free) (err)
;
4473 return false0;
4474 }
4475 } else {
4476 // Try to decrypt using a hardware token.
4477 ret = secrets_rsa_decrypt(ssl_session->cert_key_id, epms.data, epms.size, &pms.data, &pms.size);
4478 if (ret < 0) {
4479 ssl_debug_printf("%s: decryption failed: %d (%s)\n", G_STRFUNC((const char*) (__func__)), ret, gnutls_strerror(ret));
4480 return false0;
4481 }
4482 }
4483
4484 if (pms.size != 48) {
4485 ssl_debug_printf("%s wrong pre_master_secret length (%d, expected %d)\n",
4486 G_STRFUNC((const char*) (__func__)), pms.size, 48);
4487 g_free(pms.data)(__builtin_object_size ((pms.data), 0) != ((size_t) - 1)) ? g_free_sized
(pms.data, __builtin_object_size ((pms.data), 0)) : (g_free)
(pms.data)
;
4488 return false0;
4489 }
4490
4491 ssl_session->pre_master_secret.data = (uint8_t *)wmem_memdup(wmem_file_scope(), pms.data, 48);
4492 ssl_session->pre_master_secret.data_len = 48;
4493 g_free(pms.data)(__builtin_object_size ((pms.data), 0) != ((size_t) - 1)) ? g_free_sized
(pms.data, __builtin_object_size ((pms.data), 0)) : (g_free)
(pms.data)
;
4494 ssl_print_string("pre master secret", &ssl_session->pre_master_secret);
4495
4496 /* Remove the master secret if it was there.
4497 This forces keying material regeneration in
4498 case we're renegotiating */
4499 ssl_session->state &= ~(SSL_MASTER_SECRET(1<<5)|SSL_HAVE_SESSION_KEY(1<<3));
4500 ssl_session->state |= SSL_PRE_MASTER_SECRET(1<<6);
4501 return true1;
4502} /* }}} */
4503#endif /* HAVE_LIBGNUTLS */
4504
4505/* Decryption integrity check {{{ */
4506
4507static int
4508tls_check_mac(SslDecoder*decoder, int ct, int ver, uint8_t* data,
4509 uint32_t datalen, uint8_t* mac)
4510{
4511 SSL_HMACgcry_md_hd_t hm;
4512 int md;
4513 uint32_t len;
4514 uint8_t buf[DIGEST_MAX_SIZE48];
4515 int16_t temp;
4516
4517 md=ssl_get_digest_by_name(ssl_cipher_suite_dig(decoder->cipher_suite)->name);
4518 ssl_debug_printf("tls_check_mac mac type:%s md %d\n",
4519 ssl_cipher_suite_dig(decoder->cipher_suite)->name, md);
4520
4521 if (ssl_hmac_init(&hm,md) != 0)
4522 return -1;
4523 if (ssl_hmac_setkey(&hm,decoder->mac_key.data,decoder->mac_key.data_len) != 0)
4524 return -1;
4525
4526 /* hash sequence number */
4527 phtonu64(buf, decoder->seq);
4528
4529 decoder->seq++;
4530
4531 ssl_hmac_update(&hm,buf,8);
4532
4533 /* hash content type */
4534 buf[0]=ct;
4535 ssl_hmac_update(&hm,buf,1);
4536
4537 /* hash version,data length and data*/
4538 /* *((int16_t*)buf) = g_htons(ver); */
4539 temp = g_htons(ver)(((((guint16) ( (guint16) ((guint16) (ver) >> 8) | (guint16
) ((guint16) (ver) << 8))))))
;
4540 memcpy(buf, &temp, 2);
4541 ssl_hmac_update(&hm,buf,2);
4542
4543 /* *((int16_t*)buf) = g_htons(datalen); */
4544 temp = g_htons(datalen)(((((guint16) ( (guint16) ((guint16) (datalen) >> 8) | (
guint16) ((guint16) (datalen) << 8))))))
;
4545 memcpy(buf, &temp, 2);
4546 ssl_hmac_update(&hm,buf,2);
4547 ssl_hmac_update(&hm,data,datalen);
4548
4549 /* get digest and digest len*/
4550 len = sizeof(buf);
4551 ssl_hmac_final(&hm,buf,&len);
4552 ssl_hmac_cleanup(&hm);
4553 ssl_print_data("Mac", buf, len);
4554 if(memcmp(mac,buf,len))
4555 return -1;
4556
4557 return 0;
4558}
4559
4560static int
4561ssl3_check_mac(SslDecoder*decoder,int ct,uint8_t* data,
4562 uint32_t datalen, uint8_t* mac)
4563{
4564 SSL_MDgcry_md_hd_t mc;
4565 int md;
4566 uint32_t len;
4567 uint8_t buf[64],dgst[20];
4568 int pad_ct;
4569 int16_t temp;
4570
4571 pad_ct=(decoder->cipher_suite->dig==DIG_SHA0x41)?40:48;
4572
4573 /* get cipher used for digest computation */
4574 md=ssl_get_digest_by_name(ssl_cipher_suite_dig(decoder->cipher_suite)->name);
4575 if (ssl_md_init(&mc,md) !=0)
4576 return -1;
4577
4578 /* do hash computation on data && padding */
4579 ssl_md_update(&mc,decoder->mac_key.data,decoder->mac_key.data_len);
4580
4581 /* hash padding*/
4582 memset(buf,0x36,pad_ct);
4583 ssl_md_update(&mc,buf,pad_ct);
4584
4585 /* hash sequence number */
4586 phtonu64(buf, decoder->seq);
4587 decoder->seq++;
4588 ssl_md_update(&mc,buf,8);
4589
4590 /* hash content type */
4591 buf[0]=ct;
4592 ssl_md_update(&mc,buf,1);
4593
4594 /* hash data length in network byte order and data*/
4595 /* *((int16_t* )buf) = g_htons(datalen); */
4596 temp = g_htons(datalen)(((((guint16) ( (guint16) ((guint16) (datalen) >> 8) | (
guint16) ((guint16) (datalen) << 8))))))
;
4597 memcpy(buf, &temp, 2);
4598 ssl_md_update(&mc,buf,2);
4599 ssl_md_update(&mc,data,datalen);
4600
4601 /* get partial digest */
4602 ssl_md_final(&mc,dgst,&len);
4603 ssl_md_reset(&mc);
4604
4605 /* hash mac key */
4606 ssl_md_update(&mc,decoder->mac_key.data,decoder->mac_key.data_len);
4607
4608 /* hash padding and partial digest*/
4609 memset(buf,0x5c,pad_ct);
4610 ssl_md_update(&mc,buf,pad_ct);
4611 ssl_md_update(&mc,dgst,len);
4612
4613 ssl_md_final(&mc,dgst,&len);
4614 ssl_md_cleanup(&mc);
4615
4616 if(memcmp(mac,dgst,len))
4617 return -1;
4618
4619 return 0;
4620}
4621
4622static int
4623dtls_check_mac(SslDecryptSession *ssl, SslDecoder*decoder, int ct, uint8_t* data,
4624 uint32_t datalen, uint8_t* mac, const unsigned char *cid, uint8_t cidl)
4625{
4626 SSL_HMACgcry_md_hd_t hm;
4627 int md;
4628 uint32_t len;
4629 uint8_t buf[DIGEST_MAX_SIZE48];
4630 int16_t temp;
4631
4632 int ver = ssl->session.version;
4633 bool_Bool is_cid = ((ct == SSL_ID_TLS12_CID) && (ver == DTLSV1DOT2_VERSION0xfefd));
4634
4635 md=ssl_get_digest_by_name(ssl_cipher_suite_dig(decoder->cipher_suite)->name);
4636 ssl_debug_printf("dtls_check_mac mac type:%s md %d\n",
4637 ssl_cipher_suite_dig(decoder->cipher_suite)->name, md);
4638
4639 if (ssl_hmac_init(&hm,md) != 0)
4640 return -1;
4641 if (ssl_hmac_setkey(&hm,decoder->mac_key.data,decoder->mac_key.data_len) != 0)
4642 return -1;
4643
4644 ssl_debug_printf("dtls_check_mac seq: %" PRIu64"l" "u" " epoch: %d\n",decoder->seq,decoder->epoch);
4645
4646 if (is_cid && !ssl->session.deprecated_cid) {
4647 /* hash seq num placeholder */
4648 memset(buf,0xFF,8);
4649 ssl_hmac_update(&hm,buf,8);
4650
4651 /* hash content type + cid length + content type */
4652 buf[0]=ct;
4653 buf[1]=cidl;
4654 buf[2]=ct;
4655 ssl_hmac_update(&hm,buf,3);
4656
4657 /* hash version */
4658 temp = g_htons(ver)(((((guint16) ( (guint16) ((guint16) (ver) >> 8) | (guint16
) ((guint16) (ver) << 8))))))
;
4659 memcpy(buf, &temp, 2);
4660 ssl_hmac_update(&hm,buf,2);
4661
4662 /* hash sequence number */
4663 phtonu64(buf, decoder->seq);
4664 buf[0]=decoder->epoch>>8;
4665 buf[1]=(uint8_t)decoder->epoch;
4666 ssl_hmac_update(&hm,buf,8);
4667
4668 /* hash cid */
4669 ssl_hmac_update(&hm,cid,cidl);
4670 } else {
4671 /* hash sequence number */
4672 phtonu64(buf, decoder->seq);
4673 buf[0]=decoder->epoch>>8;
4674 buf[1]=(uint8_t)decoder->epoch;
4675 ssl_hmac_update(&hm,buf,8);
4676
4677 /* hash content type */
4678 buf[0]=ct;
4679 ssl_hmac_update(&hm,buf,1);
4680
4681 /* hash version */
4682 temp = g_htons(ver)(((((guint16) ( (guint16) ((guint16) (ver) >> 8) | (guint16
) ((guint16) (ver) << 8))))))
;
4683 memcpy(buf, &temp, 2);
4684 ssl_hmac_update(&hm,buf,2);
4685
4686 if (is_cid && ssl->session.deprecated_cid) {
4687 /* hash cid */
4688 ssl_hmac_update(&hm,cid,cidl);
4689
4690 /* hash cid length */
4691 buf[0] = cidl;
4692 ssl_hmac_update(&hm,buf,1);
4693 }
4694 }
4695
4696 /* data length and data */
4697 temp = g_htons(datalen)(((((guint16) ( (guint16) ((guint16) (datalen) >> 8) | (
guint16) ((guint16) (datalen) << 8))))))
;
4698 memcpy(buf, &temp, 2);
4699 ssl_hmac_update(&hm,buf,2);
4700 ssl_hmac_update(&hm,data,datalen);
4701
4702 /* get digest and digest len */
4703 len = sizeof(buf);
4704 ssl_hmac_final(&hm,buf,&len);
4705 ssl_hmac_cleanup(&hm);
4706 ssl_print_data("Mac", buf, len);
4707 if(memcmp(mac,buf,len))
4708 return -1;
4709
4710 return 0;
4711}
4712/* Decryption integrity check }}} */
4713
4714
4715static bool_Bool
4716tls_decrypt_aead_record(wmem_allocator_t* allocator, SslDecryptSession *ssl, SslDecoder *decoder,
4717 uint8_t ct, uint16_t record_version,
4718 bool_Bool ignore_mac_failed,
4719 const unsigned char *in, uint16_t inl,
4720 const unsigned char *cid, uint8_t cidl,
4721 StringInfo *out_str, unsigned *outl)
4722{
4723 /* RFC 5246 (TLS 1.2) 6.2.3.3 defines the TLSCipherText.fragment as:
4724 * GenericAEADCipher: { nonce_explicit, [content] }
4725 * In TLS 1.3 this explicit nonce is gone.
4726 * With AES GCM/CCM, "[content]" is actually the concatenation of the
4727 * ciphertext and authentication tag.
4728 */
4729 const uint16_t version = ssl->session.version;
4730 const bool_Bool is_v12 = version == TLSV1DOT2_VERSION0x303 || version == DTLSV1DOT2_VERSION0xfefd || version == TLCPV1_VERSION0x101;
4731 gcry_error_t err;
4732 const unsigned char *explicit_nonce = NULL((void*)0), *ciphertext;
4733 unsigned ciphertext_len, auth_tag_len;
4734 unsigned char nonce[12];
4735 const ssl_cipher_mode_t cipher_mode = decoder->cipher_suite->mode;
4736 const bool_Bool is_cid = ct == SSL_ID_TLS12_CID && version == DTLSV1DOT2_VERSION0xfefd;
4737 const uint8_t draft_version = ssl->session.tls13_draft_version;
4738 const unsigned char *auth_tag_wire;
4739 unsigned char auth_tag_calc[16];
4740 unsigned char *aad = NULL((void*)0);
4741 unsigned aad_len = 0;
4742
4743 switch (cipher_mode) {
4744 case MODE_GCM:
4745 case MODE_CCM:
4746 case MODE_POLY1305:
4747 auth_tag_len = 16;
4748 break;
4749 case MODE_CCM_8:
4750 auth_tag_len = 8;
4751 break;
4752 default:
4753 ssl_debug_printf("%s unsupported cipher!\n", G_STRFUNC((const char*) (__func__)));
4754 return false0;
4755 }
4756
4757 /* Parse input into explicit nonce (TLS 1.2 only), ciphertext and tag. */
4758 if (is_v12 && cipher_mode != MODE_POLY1305) {
4759 if (inl < EXPLICIT_NONCE_LEN8 + auth_tag_len) {
4760 ssl_debug_printf("%s input %d is too small for explicit nonce %d and auth tag %d\n",
4761 G_STRFUNC((const char*) (__func__)), inl, EXPLICIT_NONCE_LEN8, auth_tag_len);
4762 return false0;
4763 }
4764 explicit_nonce = in;
4765 ciphertext = explicit_nonce + EXPLICIT_NONCE_LEN8;
4766 ciphertext_len = inl - EXPLICIT_NONCE_LEN8 - auth_tag_len;
4767 } else if (version == TLSV1DOT3_VERSION0x304 || version == DTLSV1DOT3_VERSION0xfefc || cipher_mode == MODE_POLY1305) {
4768 if (inl < auth_tag_len) {
4769 ssl_debug_printf("%s input %d has no space for auth tag %d\n", G_STRFUNC((const char*) (__func__)), inl, auth_tag_len);
4770 return false0;
4771 }
4772 ciphertext = in;
4773 ciphertext_len = inl - auth_tag_len;
4774 } else {
4775 ssl_debug_printf("%s Unexpected TLS version %#x\n", G_STRFUNC((const char*) (__func__)), version);
4776 return false0;
4777 }
4778 auth_tag_wire = ciphertext + ciphertext_len;
4779
4780 /*
4781 * Nonce construction is version-specific. Note that AEAD_CHACHA20_POLY1305
4782 * (RFC 7905) uses a nonce construction similar to TLS 1.3.
4783 */
4784 if (is_v12 && cipher_mode != MODE_POLY1305) {
4785 DISSECTOR_ASSERT(decoder->write_iv.data_len == IMPLICIT_NONCE_LEN)((void) ((decoder->write_iv.data_len == 4) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 4785, "decoder->write_iv.data_len == 4"))))
;
4786 /* Implicit (4) and explicit (8) part of nonce. */
4787 memcpy(nonce, decoder->write_iv.data, IMPLICIT_NONCE_LEN4);
4788 memcpy(nonce + IMPLICIT_NONCE_LEN4, explicit_nonce, EXPLICIT_NONCE_LEN8);
4789
4790 } else if (version == TLSV1DOT3_VERSION0x304 || version == DTLSV1DOT3_VERSION0xfefc || cipher_mode == MODE_POLY1305) {
4791 /*
4792 * Technically the nonce length must be at least 8 bytes, but for
4793 * AES-GCM, AES-CCM and Poly1305-ChaCha20 the nonce length is exact 12.
4794 */
4795 const unsigned nonce_len = 12;
4796 DISSECTOR_ASSERT(decoder->write_iv.data_len == nonce_len)((void) ((decoder->write_iv.data_len == nonce_len) ? (void
)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\""
, "epan/dissectors/packet-tls-utils.c", 4796, "decoder->write_iv.data_len == nonce_len"
))))
;
4797 memcpy(nonce, decoder->write_iv.data, decoder->write_iv.data_len);
4798 /* Sequence number is left-padded with zeroes and XORed with write_iv */
4799 phtonu64(nonce + nonce_len - 8, pntohu64(nonce + nonce_len - 8) ^ decoder->seq);
4800 ssl_debug_printf("%s seq %" PRIu64"l" "u" "\n", G_STRFUNC((const char*) (__func__)), decoder->seq);
4801 }
4802
4803 /* Set nonce and additional authentication data */
4804 gcry_cipher_reset(decoder->evp)gcry_cipher_ctl ((decoder->evp), GCRYCTL_RESET, ((void*)0)
, 0)
;
4805 ssl_print_data("nonce", nonce, 12);
4806 err = gcry_cipher_setiv(decoder->evp, nonce, 12);
4807 if (err) {
4808 ssl_debug_printf("%s failed to set nonce: %s\n", G_STRFUNC((const char*) (__func__)), gcry_strerror(err));
4809 return false0;
4810 }
4811
4812 /* (D)TLS 1.2 needs specific AAD, TLS 1.3 (before -25) uses empty AAD. */
4813 if (is_cid) { /* if connection ID */
4814 if (ssl->session.deprecated_cid) {
4815 aad_len = 14 + cidl;
4816 aad = wmem_alloc(allocator, aad_len);
4817 phtonu64(aad, decoder->seq); /* record sequence number */
4818 phtonu16(aad, decoder->epoch); /* DTLS 1.2 includes epoch. */
4819 aad[8] = ct; /* TLSCompressed.type */
4820 phtonu16(aad + 9, record_version); /* TLSCompressed.version */
4821 memcpy(aad + 11, cid, cidl); /* cid */
4822 aad[11 + cidl] = cidl; /* cid_length */
4823 phtonu16(aad + 12 + cidl, ciphertext_len); /* TLSCompressed.length */
4824 } else {
4825 aad_len = 23 + cidl;
4826 aad = wmem_alloc(allocator, aad_len);
4827 memset(aad, 0xFF, 8); /* seq_num_placeholder */
4828 aad[8] = ct; /* TLSCompressed.type */
4829 aad[9] = cidl; /* cid_length */
4830 aad[10] = ct; /* TLSCompressed.type */
4831 phtonu16(aad + 11, record_version); /* TLSCompressed.version */
4832 phtonu64(aad + 13, decoder->seq); /* record sequence number */
4833 phtonu16(aad + 13, decoder->epoch); /* DTLS 1.2 includes epoch. */
4834 memcpy(aad + 21, cid, cidl); /* cid */
4835 phtonu16(aad + 21 + cidl, ciphertext_len); /* TLSCompressed.length */
4836 }
4837 } else if (is_v12) {
4838 aad_len = 13;
4839 aad = wmem_alloc(allocator, aad_len);
4840 phtonu64(aad, decoder->seq); /* record sequence number */
4841 if (version == DTLSV1DOT2_VERSION0xfefd) {
4842 phtonu16(aad, decoder->epoch); /* DTLS 1.2 includes epoch. */
4843 }
4844 aad[8] = ct; /* TLSCompressed.type */
4845 phtonu16(aad + 9, record_version); /* TLSCompressed.version */
4846 phtonu16(aad + 11, ciphertext_len); /* TLSCompressed.length */
4847 } else if (version == DTLSV1DOT3_VERSION0xfefc) {
4848 aad_len = decoder->dtls13_aad.data_len;
4849 aad = decoder->dtls13_aad.data;
4850 } else if (draft_version >= 25 || draft_version == 0) {
4851 aad_len = 5;
4852 aad = wmem_alloc(allocator, aad_len);
4853 aad[0] = ct; /* TLSCiphertext.opaque_type (23) */
4854 phtonu16(aad + 1, record_version); /* TLSCiphertext.legacy_record_version (0x0303) */
4855 phtonu16(aad + 3, inl); /* TLSCiphertext.length */
4856 }
4857
4858 if (decoder->cipher_suite->mode == MODE_CCM || decoder->cipher_suite->mode == MODE_CCM_8) {
4859 /* size of plaintext, additional authenticated data and auth tag. */
4860 uint64_t lengths[3] = { ciphertext_len, aad_len, auth_tag_len };
4861
4862 gcry_cipher_ctl(decoder->evp, GCRYCTL_SET_CCM_LENGTHS, lengths, sizeof(lengths));
4863 }
4864
4865 if (aad && aad_len > 0) {
4866 ssl_print_data("AAD", aad, aad_len);
4867 err = gcry_cipher_authenticate(decoder->evp, aad, aad_len);
4868 if (err) {
4869 ssl_debug_printf("%s failed to set AAD: %s\n", G_STRFUNC((const char*) (__func__)), gcry_strerror(err));
4870 return false0;
4871 }
4872 }
4873
4874 /* Decrypt now that nonce and AAD are set. */
4875 err = gcry_cipher_decrypt(decoder->evp, out_str->data, out_str->data_len, ciphertext, ciphertext_len);
4876 if (err) {
4877 ssl_debug_printf("%s decrypt failed: %s\n", G_STRFUNC((const char*) (__func__)), gcry_strerror(err));
4878 return false0;
4879 }
4880
4881 /* Check authentication tag for authenticity (replaces MAC) */
4882 err = gcry_cipher_gettag(decoder->evp, auth_tag_calc, auth_tag_len);
4883 if (err == 0 && !memcmp(auth_tag_calc, auth_tag_wire, auth_tag_len)) {
4884 ssl_print_data("auth_tag(OK)", auth_tag_calc, auth_tag_len);
4885 } else {
4886 if (err) {
4887 ssl_debug_printf("%s cannot obtain tag: %s\n", G_STRFUNC((const char*) (__func__)), gcry_strerror(err));
4888 } else {
4889 ssl_debug_printf("%s auth tag mismatch\n", G_STRFUNC((const char*) (__func__)));
4890 ssl_print_data("auth_tag(expect)", auth_tag_calc, auth_tag_len);
4891 ssl_print_data("auth_tag(actual)", auth_tag_wire, auth_tag_len);
4892 }
4893 if (ignore_mac_failed) {
4894 ssl_debug_printf("%s: auth check failed, but ignored for troubleshooting ;-)\n", G_STRFUNC((const char*) (__func__)));
4895 } else {
4896 return false0;
4897 }
4898 }
4899
4900 /*
4901 * Increment the (implicit) sequence number for TLS 1.2/1.3 and TLCP 1.1. This is done
4902 * after successful authentication to ensure that early data is skipped when
4903 * CLIENT_EARLY_TRAFFIC_SECRET keys are unavailable.
4904 */
4905 if (version == TLSV1DOT2_VERSION0x303 || version == TLSV1DOT3_VERSION0x304 || version == TLCPV1_VERSION0x101) {
4906 decoder->seq++;
4907 }
4908
4909 ssl_print_data("Plaintext", out_str->data, ciphertext_len);
4910 *outl = ciphertext_len;
4911 return true1;
4912}
4913
4914/* Record decryption glue based on security parameters {{{ */
4915/* Assume that we are called only for a non-NULL decoder which also means that
4916 * we have a non-NULL decoder->cipher_suite. */
4917int
4918ssl_decrypt_record(wmem_allocator_t* allocator, SslDecryptSession *ssl, SslDecoder *decoder, uint8_t ct, uint16_t record_version,
4919 bool_Bool ignore_mac_failed,
4920 const unsigned char *in, uint16_t inl, const unsigned char *cid, uint8_t cidl,
4921 StringInfo *comp_str, StringInfo *out_str, unsigned *outl)
4922{
4923 unsigned pad, worklen, uncomplen, maclen, mac_fraglen = 0;
4924 uint8_t *mac = NULL((void*)0), *mac_frag = NULL((void*)0);
4925
4926 ssl_debug_printf("ssl_decrypt_record ciphertext len %d\n", inl);
4927 ssl_print_data("Ciphertext",in, inl);
4928
4929 if (((ssl->session.version == TLSV1DOT3_VERSION0x304 || ssl->session.version == DTLSV1DOT3_VERSION0xfefc))
4930 != (decoder->cipher_suite->kex == KEX_TLS130x23)) {
4931 ssl_debug_printf("%s Invalid cipher suite for the protocol version!\n", G_STRFUNC((const char*) (__func__)));
4932 return -1;
4933 }
4934
4935 /* ensure we have enough storage space for decrypted data */
4936 if (inl > out_str->data_len)
4937 {
4938 ssl_debug_printf("ssl_decrypt_record: allocating %d bytes for decrypt data (old len %d)\n",
4939 inl + 32, out_str->data_len);
4940 ssl_data_realloc(out_str, inl + 32);
4941 }
4942
4943 /* AEAD ciphers (GenericAEADCipher in TLS 1.2; TLS 1.3) have no padding nor
4944 * a separate MAC, so use a different routine for simplicity. */
4945 if (decoder->cipher_suite->mode == MODE_GCM ||
4946 decoder->cipher_suite->mode == MODE_CCM ||
4947 decoder->cipher_suite->mode == MODE_CCM_8 ||
4948 decoder->cipher_suite->mode == MODE_POLY1305 ||
4949 ssl->session.version == TLSV1DOT3_VERSION0x304 ||
4950 ssl->session.version == DTLSV1DOT3_VERSION0xfefc) {
4951
4952 if (!tls_decrypt_aead_record(allocator, ssl, decoder, ct, record_version, ignore_mac_failed, in, inl, cid, cidl, out_str, &worklen)) {
4953 /* decryption failed */
4954 return -1;
4955 }
4956
4957 goto skip_mac;
4958 }
4959
4960 /* RFC 6101/2246: SSLCipherText/TLSCipherText has two structures for types:
4961 * (notation: { unencrypted, [ encrypted ] })
4962 * GenericStreamCipher: { [content, mac] }
4963 * GenericBlockCipher: { IV (TLS 1.1+), [content, mac, padding, padding_len] }
4964 * RFC 5426 (TLS 1.2): TLSCipherText has additionally:
4965 * GenericAEADCipher: { nonce_explicit, [content] }
4966 * RFC 4347 (DTLS): based on TLS 1.1, only GenericBlockCipher is supported.
4967 * RFC 6347 (DTLS 1.2): based on TLS 1.2, includes GenericAEADCipher too.
4968 */
4969
4970 maclen = ssl_cipher_suite_dig(decoder->cipher_suite)->len;
4971
4972 /* (TLS 1.1 and later, DTLS) Extract explicit IV for GenericBlockCipher */
4973 if (decoder->cipher_suite->mode == MODE_CBC) {
4974 unsigned blocksize = 0;
4975
4976 switch (ssl->session.version) {
4977 case TLSV1DOT1_VERSION0x302:
4978 case TLSV1DOT2_VERSION0x303:
4979 case DTLSV1DOT0_VERSION0xfeff:
4980 case DTLSV1DOT2_VERSION0xfefd:
4981 case DTLSV1DOT3_VERSION0xfefc:
4982 case DTLSV1DOT0_OPENSSL_VERSION0x100:
4983 case TLCPV1_VERSION0x101:
4984 blocksize = ssl_get_cipher_blocksize(decoder->cipher_suite);
4985 if (inl < blocksize) {
4986 ssl_debug_printf("ssl_decrypt_record failed: input %d has no space for IV %d\n",
4987 inl, blocksize);
4988 return -1;
4989 }
4990 pad = gcry_cipher_setiv(decoder->evp, in, blocksize);
4991 if (pad != 0) {
4992 ssl_debug_printf("ssl_decrypt_record failed: failed to set IV: %s %s\n",
4993 gcry_strsource (pad), gcry_strerror (pad));
4994 }
4995
4996 inl -= blocksize;
4997 in += blocksize;
4998 break;
4999 }
5000
5001 /* Encrypt-then-MAC for (D)TLS (RFC 7366) */
5002 if (ssl->state & SSL_ENCRYPT_THEN_MAC(1<<11)) {
5003 /*
5004 * MAC is calculated over (IV + ) ENCRYPTED contents:
5005 *
5006 * MAC(MAC_write_key, ... +
5007 * IV + // for TLS 1.1 or greater
5008 * TLSCiphertext.enc_content);
5009 */
5010 if (inl < maclen) {
5011 ssl_debug_printf("%s failed: input %d has no space for MAC %d\n",
5012 G_STRFUNC((const char*) (__func__)), inl, maclen);
5013 return -1;
5014 }
5015 inl -= maclen;
5016 mac = (uint8_t *)in + inl;
5017 mac_frag = (uint8_t *)in - blocksize;
5018 mac_fraglen = blocksize + inl;
5019 }
5020 }
5021
5022 /* First decrypt*/
5023 if ((pad = ssl_cipher_decrypt(&decoder->evp, out_str->data, out_str->data_len, in, inl)) != 0) {
5024 ssl_debug_printf("ssl_decrypt_record failed: ssl_cipher_decrypt: %s %s\n", gcry_strsource (pad),
5025 gcry_strerror (pad));
5026 return -1;
5027 }
5028
5029 ssl_print_data("Plaintext", out_str->data, inl);
5030 worklen=inl;
5031
5032
5033 /* strip padding for GenericBlockCipher */
5034 if (decoder->cipher_suite->mode == MODE_CBC) {
5035 if (inl < 1) { /* Should this check happen earlier? */
5036 ssl_debug_printf("ssl_decrypt_record failed: input length %d too small\n", inl);
5037 return -1;
5038 }
5039 pad=out_str->data[inl-1];
5040 if (worklen <= pad) {
5041 ssl_debug_printf("ssl_decrypt_record failed: padding %d too large for work %d\n",
5042 pad, worklen);
5043 return -1;
5044 }
5045 worklen-=(pad+1);
5046 ssl_debug_printf("ssl_decrypt_record found padding %d final len %d\n",
5047 pad, worklen);
5048 }
5049
5050 /* MAC for GenericStreamCipher and GenericBlockCipher.
5051 * (normal case without Encrypt-then-MAC (RFC 7366) extension. */
5052 if (!mac) {
5053 /*
5054 * MAC is calculated over the DECRYPTED contents:
5055 *
5056 * MAC(MAC_write_key, ... + TLSCompressed.fragment);
5057 */
5058 if (worklen < maclen) {
5059 ssl_debug_printf("%s wrong record len/padding outlen %d\n work %d\n", G_STRFUNC((const char*) (__func__)), *outl, worklen);
5060 return -1;
5061 }
5062 worklen -= maclen;
5063 mac = out_str->data + worklen;
5064 mac_frag = out_str->data;
5065 mac_fraglen = worklen;
5066 }
5067
5068 /* If NULL encryption active and no keys are available, do not bother
5069 * checking the MAC. We do not have keys for that. */
5070 if (decoder->cipher_suite->mode == MODE_STREAM &&
5071 decoder->cipher_suite->enc == ENC_NULL0x3D &&
5072 !(ssl->state & SSL_MASTER_SECRET(1<<5))) {
5073 ssl_debug_printf("MAC check skipped due to missing keys\n");
5074 decoder->seq++; // Increment this for display
5075 goto skip_mac;
5076 }
5077
5078 /* Now check the MAC */
5079 ssl_debug_printf("checking mac (len %d, version %X, ct %d seq %" PRIu64"l" "u" ")\n",
5080 worklen, ssl->session.version, ct, decoder->seq);
5081 if(ssl->session.version==SSLV3_VERSION0x300){
5082 if(ssl3_check_mac(decoder,ct,mac_frag,mac_fraglen,mac) < 0) {
5083 if(ignore_mac_failed) {
5084 ssl_debug_printf("ssl_decrypt_record: mac failed, but ignored for troubleshooting ;-)\n");
5085 }
5086 else{
5087 ssl_debug_printf("ssl_decrypt_record: mac failed\n");
5088 return -1;
5089 }
5090 }
5091 else{
5092 ssl_debug_printf("ssl_decrypt_record: mac ok\n");
5093 }
5094 }
5095 else if(ssl->session.version==TLSV1_VERSION0x301 || ssl->session.version==TLSV1DOT1_VERSION0x302 || ssl->session.version==TLSV1DOT2_VERSION0x303 || ssl->session.version==TLCPV1_VERSION0x101){
5096 if(tls_check_mac(decoder,ct,ssl->session.version,mac_frag,mac_fraglen,mac)< 0) {
5097 if(ignore_mac_failed) {
5098 ssl_debug_printf("ssl_decrypt_record: mac failed, but ignored for troubleshooting ;-)\n");
5099 }
5100 else{
5101 ssl_debug_printf("ssl_decrypt_record: mac failed\n");
5102 return -1;
5103 }
5104 }
5105 else{
5106 ssl_debug_printf("ssl_decrypt_record: mac ok\n");
5107 }
5108 }
5109 else if(ssl->session.version==DTLSV1DOT0_VERSION0xfeff ||
5110 ssl->session.version==DTLSV1DOT2_VERSION0xfefd ||
5111 ssl->session.version==DTLSV1DOT0_OPENSSL_VERSION0x100){
5112 /* Try rfc-compliant mac first, and if failed, try old openssl's non-rfc-compliant mac */
5113 if(dtls_check_mac(ssl,decoder,ct,mac_frag,mac_fraglen,mac,cid,cidl)>= 0) {
5114 ssl_debug_printf("ssl_decrypt_record: mac ok\n");
5115 }
5116 else if(tls_check_mac(decoder,ct,TLSV1_VERSION0x301,mac_frag,mac_fraglen,mac)>= 0) {
5117 ssl_debug_printf("ssl_decrypt_record: dtls rfc-compliant mac failed, but old openssl's non-rfc-compliant mac ok\n");
5118 }
5119 else if(ignore_mac_failed) {
5120 ssl_debug_printf("ssl_decrypt_record: mac failed, but ignored for troubleshooting ;-)\n");
5121 }
5122 else{
5123 ssl_debug_printf("ssl_decrypt_record: mac failed\n");
5124 return -1;
5125 }
5126 }
5127skip_mac:
5128
5129 *outl = worklen;
5130
5131 if (decoder->compression > 0) {
5132 ssl_debug_printf("ssl_decrypt_record: compression method %d\n", decoder->compression);
5133 ssl_data_copy(comp_str, out_str);
5134 ssl_print_data("Plaintext compressed", comp_str->data, worklen);
5135 if (!decoder->decomp) {
5136 ssl_debug_printf("decrypt_ssl3_record: no decoder available\n");
5137 return -1;
5138 }
5139 if (ssl_decompress_record(decoder->decomp, comp_str->data, worklen, out_str, &uncomplen) < 0) return -1;
5140 ssl_print_data("Plaintext uncompressed", out_str->data, uncomplen);
5141 *outl = uncomplen;
5142 }
5143
5144 return 0;
5145}
5146/* Record decryption glue based on security parameters }}} */
5147
5148
5149
5150#ifdef HAVE_LIBGNUTLS1
5151
5152/* RSA private key file processing {{{ */
5153static void
5154ssl_find_private_key_by_pubkey(SslDecryptSession *ssl,
5155 const gnutls_datum_t *subjectPublicKeyInfo)
5156{
5157 gnutls_pubkey_t pubkey = NULL((void*)0);
5158 cert_key_id_t key_id;
5159 size_t key_id_len = sizeof(key_id);
5160 int r;
5161
5162 if (!subjectPublicKeyInfo->size) {
5163 ssl_debug_printf("%s: could not find SubjectPublicKeyInfo\n", G_STRFUNC((const char*) (__func__)));
5164 return;
5165 }
5166
5167 r = gnutls_pubkey_init(&pubkey);
5168 if (r < 0) {
5169 ssl_debug_printf("%s: failed to init pubkey: %s\n",
5170 G_STRFUNC((const char*) (__func__)), gnutls_strerror(r));
5171 return;
5172 }
5173
5174 r = gnutls_pubkey_import(pubkey, subjectPublicKeyInfo, GNUTLS_X509_FMT_DER);
5175 if (r < 0) {
5176 ssl_debug_printf("%s: failed to import pubkey from handshake: %s\n",
5177 G_STRFUNC((const char*) (__func__)), gnutls_strerror(r));
5178 goto end;
5179 }
5180
5181 if (gnutls_pubkey_get_pk_algorithm(pubkey, NULL((void*)0)) != GNUTLS_PK_RSA) {
5182 ssl_debug_printf("%s: Not a RSA public key - ignoring.\n", G_STRFUNC((const char*) (__func__)));
5183 goto end;
5184 }
5185
5186 /* Generate a 20-byte SHA-1 hash. */
5187 r = gnutls_pubkey_get_key_id(pubkey, 0, key_id.key_id, &key_id_len);
5188 if (r < 0) {
5189 ssl_debug_printf("%s: failed to extract key id from pubkey: %s\n",
5190 G_STRFUNC((const char*) (__func__)), gnutls_strerror(r));
5191 goto end;
5192 }
5193
5194 if (key_id_len != sizeof(key_id)) {
5195 ssl_debug_printf("%s: expected Key ID size %zu, got %zu\n",
5196 G_STRFUNC((const char*) (__func__)), sizeof(key_id), key_id_len);
5197 goto end;
5198 }
5199
5200 ssl_print_data("Certificate.KeyID", key_id.key_id, key_id_len);
5201 ssl->cert_key_id = wmem_new(wmem_file_scope(), cert_key_id_t)((cert_key_id_t*)wmem_alloc((wmem_file_scope()), sizeof(cert_key_id_t
)))
;
5202 *ssl->cert_key_id = key_id;
5203
5204end:
5205 gnutls_pubkey_deinit(pubkey);
5206}
5207
5208/* RSA private key file processing }}} */
5209#endif /* HAVE_LIBGNUTLS */
5210
5211/*--- Start of dissector-related code below ---*/
5212
5213/* This is not a "protocol" but ensures that this gets called during
5214 * the handoff stage. */
5215void proto_reg_handoff_tls_utils(void);
5216
5217static dissector_handle_t base_tls_handle;
5218static dissector_handle_t dtls_handle;
5219
5220void
5221proto_reg_handoff_tls_utils(void)
5222{
5223 base_tls_handle = find_dissector("tls");
5224 dtls_handle = find_dissector("dtls");
5225}
5226
5227/* Look up an existing SslDecryptSession without creating one. Returns NULL if
5228 * no session exists. */
5229SslDecryptSession *
5230tls_get_session(conversation_t *conversation, int proto_ssl, uint8_t curr_layer_num)
5231{
5232 void *conv_data;
5233 wmem_map_t *session_map;
5234
5235 if (!conversation)
5236 return NULL((void*)0);
5237
5238 conv_data = conversation_get_proto_data(conversation, proto_ssl);
5239 if (conv_data == NULL((void*)0))
5240 return NULL((void*)0);
5241
5242 session_map = (wmem_map_t *)conv_data;
5243
5244 return (SslDecryptSession *)wmem_map_lookup(session_map,
5245 GUINT_TO_POINTER((unsigned)curr_layer_num)((gpointer) (gulong) ((unsigned)curr_layer_num)));
5246
5247}
5248
5249/* get ssl data for this session. if no ssl data is found allocate a new one*/
5250SslDecryptSession *
5251ssl_get_session(conversation_t *conversation, dissector_handle_t tls_handle, uint8_t curr_layer_num)
5252{
5253 void *conv_data;
5254 SslDecryptSession *ssl_session;
5255 int proto_ssl;
5256 wmem_map_t *session_map;
5257
5258 /* Note proto_ssl is tls for either the main tls_handle or the
5259 * tls13_handshake handle used by QUIC. */
5260 proto_ssl = dissector_handle_get_protocol_index(tls_handle);
5261 conv_data = conversation_get_proto_data(conversation, proto_ssl);
5262
5263 /* For nested TLS support, we store a wmem map of sessions indexed by layer number.
5264 * Using wmem_file_scope ensures the map is freed when the capture file is closed,
5265 * preventing memory leaks on capture reload. */
5266 if (conv_data != NULL((void*)0)) {
5267 session_map = (wmem_map_t *)conv_data;
5268 ssl_session = (SslDecryptSession *)wmem_map_lookup(session_map, GUINT_TO_POINTER((unsigned)curr_layer_num)((gpointer) (gulong) ((unsigned)curr_layer_num)));
5269 if (ssl_session != NULL((void*)0)) {
5270 return ssl_session;
5271 }
5272 } else {
5273 /* Create a new wmem map to store sessions by layer number */
5274 session_map = wmem_map_new(wmem_file_scope(), g_direct_hash, g_direct_equal);
5275 conversation_add_proto_data(conversation, proto_ssl, session_map);
5276 }
5277
5278 /* no previous SSL conversation info for this layer, initialize it. */
5279 ssl_session = wmem_new0(wmem_file_scope(), SslDecryptSession)((SslDecryptSession*)wmem_alloc0((wmem_file_scope()), sizeof(
SslDecryptSession)))
;
5280
5281 /* data_len is the part that is meaningful, not the allocated length */
5282 ssl_session->master_secret.data_len = 0;
5283 ssl_session->master_secret.data = ssl_session->_master_secret;
5284 ssl_session->session_id.data_len = 0;
5285 ssl_session->session_id.data = ssl_session->_session_id;
5286 ssl_session->client_random.data_len = 0;
5287 ssl_session->client_random.data = ssl_session->_client_random;
5288 ssl_session->server_random.data_len = 0;
5289 ssl_session->server_random.data = ssl_session->_server_random;
5290 ssl_session->session_ticket.data_len = 0;
5291 ssl_session->session_ticket.data = NULL((void*)0); /* will be re-alloced as needed */
5292 ssl_session->server_data_for_iv.data_len = 0;
5293 ssl_session->server_data_for_iv.data = ssl_session->_server_data_for_iv;
5294 ssl_session->client_data_for_iv.data_len = 0;
5295 ssl_session->client_data_for_iv.data = ssl_session->_client_data_for_iv;
5296 ssl_session->app_data_segment.data = NULL((void*)0);
5297 ssl_session->app_data_segment.data_len = 0;
5298 ssl_session->handshake_data.data=NULL((void*)0);
5299 ssl_session->handshake_data.data_len=0;
5300 ssl_session->ech_transcript.data=NULL((void*)0);
5301 ssl_session->ech_transcript.data_len=0;
5302
5303 /* Initialize parameters which are not necessary specific to decryption. */
5304 ssl_session->session.version = SSL_VER_UNKNOWN0;
5305 clear_address(&ssl_session->session.srv_addr);
5306 ssl_session->session.srv_ptype = PT_NONE;
5307 ssl_session->session.srv_port = 0;
5308 ssl_session->session.dtls13_current_epoch[0] = ssl_session->session.dtls13_current_epoch[1] = 0;
5309 ssl_session->session.dtls13_next_seq_num[0] = ssl_session->session.dtls13_next_seq_num[1] = 0;
5310 ssl_session->session.client_random.data_len = 0;
5311 ssl_session->session.client_random.data = ssl_session->session._client_random;
5312 memset(ssl_session->session.ech_confirmation, 0, sizeof(ssl_session->session.ech_confirmation));
5313 memset(ssl_session->session.hrr_ech_confirmation, 0, sizeof(ssl_session->session.hrr_ech_confirmation));
5314 memset(ssl_session->session.first_ech_auth_tag, 0, sizeof(ssl_session->session.first_ech_auth_tag));
5315 ssl_session->session.ech = false0;
5316 ssl_session->session.hrr_ech_declined = false0;
5317 ssl_session->session.first_ch_ech_frame = 0;
5318
5319 /* We want to increment the stream count for the normal tls handle and
5320 * dtls handle, but presumably not for the tls13_handshake handle used
5321 * by QUIC (it has its own Follow Stream handling, and the QUIC stream
5322 * doesn't get sent to the TLS follow tap.)
5323 */
5324 if (tls_handle == base_tls_handle) {
5325 ssl_session->session.stream = tls_increment_stream_count();
5326 } else if (tls_handle == dtls_handle) {
5327 ssl_session->session.stream = dtls_increment_stream_count();
5328 }
5329
5330 /* Store the session in the wmem map indexed by layer number */
5331 wmem_map_insert(session_map, GUINT_TO_POINTER((unsigned)curr_layer_num)((gpointer) (gulong) ((unsigned)curr_layer_num)), ssl_session);
5332
5333 return ssl_session;
5334}
5335
5336void ssl_reset_session(SslSession *session, SslDecryptSession *ssl, bool_Bool is_client)
5337{
5338 if (ssl) {
5339 /* Ensure that secrets are not restored using stale identifiers. Split
5340 * between client and server in case the packets somehow got out of order. */
5341 int clear_flags = SSL_HAVE_SESSION_KEY(1<<3) | SSL_MASTER_SECRET(1<<5) | SSL_PRE_MASTER_SECRET(1<<6);
5342
5343 if (is_client) {
5344 clear_flags |= SSL_CLIENT_EXTENDED_MASTER_SECRET(1<<7);
5345 ssl->session_id.data_len = 0;
5346 ssl->session_ticket.data_len = 0;
5347 ssl->master_secret.data_len = 0;
5348 ssl->client_random.data_len = 0;
5349 ssl->has_early_data = false0;
5350 if (ssl->handshake_data.data_len > 0) {
5351 // The EMS handshake hash starts with at the Client Hello,
5352 // ensure that any messages before it are forgotten.
5353 wmem_free(wmem_file_scope(), ssl->handshake_data.data);
5354 ssl->handshake_data.data = NULL((void*)0);
5355 ssl->handshake_data.data_len = 0;
5356 }
5357 } else {
5358 clear_flags |= SSL_SERVER_EXTENDED_MASTER_SECRET(1<<8) | SSL_NEW_SESSION_TICKET(1<<10);
5359 ssl->server_random.data_len = 0;
5360 ssl->pre_master_secret.data_len = 0;
5361#ifdef HAVE_LIBGNUTLS1
5362 ssl->cert_key_id = NULL((void*)0);
5363#endif
5364 ssl->has_psk = false0;
5365 ssl->has_key_share = false0;
5366 // There is no point in clearing the PSK when resetting the session,
5367 // we only store one global PSK in the prefs.
5368 //ssl->psk.data_len = 0;
5369 }
5370
5371 if (ssl->state & clear_flags) {
5372 ssl_debug_printf("%s detected renegotiation, clearing 0x%02x (%s side)\n",
5373 G_STRFUNC((const char*) (__func__)), ssl->state & clear_flags, is_client ? "client" : "server");
5374 ssl->state &= ~clear_flags;
5375 }
5376 }
5377
5378 /* These flags might be used for non-decryption purposes and may affect the
5379 * dissection, so reset them as well. */
5380 if (is_client) {
5381 session->client_cert_type = 0;
5382 } else {
5383 session->compression = 0;
5384 session->server_cert_type = 0;
5385 /* session->is_session_resumed is already handled in the ServerHello dissection. */
5386 }
5387 session->dtls13_next_seq_num[0] = session->dtls13_next_seq_num[1] = 0;
5388 session->dtls13_current_epoch[0] = session->dtls13_current_epoch[1] = 0;
5389}
5390
5391void
5392tls_set_appdata_dissector(dissector_handle_t tls_handle, packet_info *pinfo,
5393 dissector_handle_t app_handle)
5394{
5395 conversation_t *conversation;
5396 SslSession *session;
5397
5398 /* Ignore if the TLS or other dissector is disabled. */
5399 /* XXX - find_dissector still works if a dissector is disabled,
5400 * this would be if the dissector isn't registered at all or the
5401 * caller is calling this with explicit NULL. */
5402 if (!tls_handle || !app_handle)
5403 return;
5404
5405 int proto = dissector_handle_get_protocol_index(tls_handle);
5406 uint8_t curr_layer_num = p_get_proto_depth(pinfo, proto);
5407
5408 conversation = find_or_create_conversation(pinfo);
5409 session = &ssl_get_session(conversation, tls_handle, curr_layer_num)->session;
5410 session->app_handle = app_handle;
5411}
5412
5413static uint32_t
5414ssl_starttls(dissector_handle_t tls_handle, packet_info *pinfo,
5415 dissector_handle_t app_handle, uint32_t last_nontls_frame)
5416{
5417
5418 conversation_t *conversation;
5419 SslSession *session;
5420
5421 /* Ignore if the TLS dissector is disabled. */
5422 /* XXX - find_dissector still works if a dissector is disabled,
5423 * this would be if the dissector isn't registered at all (or the
5424 * caller has an error.) */
5425 if (!tls_handle)
5426 return 0;
5427
5428 int proto = dissector_handle_get_protocol_index(tls_handle);
5429 uint8_t curr_layer_num = p_get_proto_depth(pinfo, proto);
5430
5431 /* The caller should always pass a valid handle to its own dissector. */
5432 DISSECTOR_ASSERT(app_handle)((void) ((app_handle) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 5432, "app_handle"))))
;
5433
5434 conversation = find_or_create_conversation(pinfo);
5435 session = &ssl_get_session(conversation, tls_handle, curr_layer_num)->session;
5436
5437 ssl_debug_printf("%s: old frame %d, app_handle=%p (%s)\n", G_STRFUNC((const char*) (__func__)),
5438 session->last_nontls_frame,
5439 (void *)session->app_handle,
5440 dissector_handle_get_dissector_name(session->app_handle));
5441 ssl_debug_printf("%s: current frame %d, app_handle=%p (%s)\n", G_STRFUNC((const char*) (__func__)),
5442 pinfo->num, (void *)app_handle,
5443 dissector_handle_get_dissector_name(app_handle));
5444
5445 /* Do not switch again if a dissector did it before. */
5446 if (session->last_nontls_frame) {
5447 ssl_debug_printf("%s: not overriding previous app handle!\n", G_STRFUNC((const char*) (__func__)));
5448 return session->last_nontls_frame;
5449 }
5450
5451 session->app_handle = app_handle;
5452 /* The TLS dissector should be called first for this conversation. */
5453 conversation_set_dissector(conversation, tls_handle);
5454 /* TLS starts after this frame. */
5455 session->last_nontls_frame = last_nontls_frame;
5456 return 0;
5457}
5458
5459/* ssl_starttls_ack: mark future frames as encrypted. */
5460uint32_t
5461ssl_starttls_ack(dissector_handle_t tls_handle, packet_info *pinfo,
5462 dissector_handle_t app_handle)
5463{
5464 return ssl_starttls(tls_handle, pinfo, app_handle, pinfo->num);
5465}
5466
5467uint32_t
5468ssl_starttls_post_ack(dissector_handle_t tls_handle, packet_info *pinfo,
5469 dissector_handle_t app_handle)
5470{
5471 return ssl_starttls(tls_handle, pinfo, app_handle, pinfo->num - 1);
5472}
5473
5474dissector_handle_t
5475ssl_find_appdata_dissector(const char *name)
5476{
5477 /* Accept 'http' for backwards compatibility and sanity. */
5478 if (!strcmp(name, "http"))
5479 name = "http-over-tls";
5480 /* XXX - Should this check to see if the dissector is actually added for
5481 * Decode As in the appropriate table?
5482 */
5483 return find_dissector(name);
5484}
5485
5486/* Functions for TLS/DTLS sessions and RSA private keys hashtables. {{{ */
5487static int
5488ssl_equal (const void *v, const void *v2)
5489{
5490 const StringInfo *val1;
5491 const StringInfo *val2;
5492 val1 = (const StringInfo *)v;
5493 val2 = (const StringInfo *)v2;
5494
5495 if (val1->data_len == val2->data_len &&
5496 !memcmp(val1->data, val2->data, val2->data_len)) {
5497 return 1;
5498 }
5499 return 0;
5500}
5501
5502static unsigned
5503ssl_hash(const void *v)
5504{
5505 const StringInfo* id;
5506 id = (const StringInfo*) v;
5507
5508 return wmem_strong_hash(id->data, id->data_len);
5509}
5510/* Functions for TLS/DTLS sessions and RSA private keys hashtables. }}} */
5511
5512/* Handling of association between tls/dtls ports and clear text protocol. {{{ */
5513void
5514ssl_association_add(const char* dissector_table_name, dissector_handle_t main_handle, dissector_handle_t subdissector_handle, unsigned port, bool_Bool tcp)
5515{
5516 DISSECTOR_ASSERT(main_handle)((void) ((main_handle) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 5516, "main_handle"))))
;
5517 DISSECTOR_ASSERT(subdissector_handle)((void) ((subdissector_handle) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 5517, "subdissector_handle"))))
;
5518 /* Registration is required for Export PDU feature to work properly. */
5519 DISSECTOR_ASSERT_HINT(dissector_handle_get_dissector_name(subdissector_handle),((void) ((dissector_handle_get_dissector_name(subdissector_handle
)) ? (void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\" (%s)"
, "epan/dissectors/packet-tls-utils.c", 5520, "dissector_handle_get_dissector_name(subdissector_handle)"
, "SSL appdata dissectors must register with register_dissector()!"
))))
5520 "SSL appdata dissectors must register with register_dissector()!")((void) ((dissector_handle_get_dissector_name(subdissector_handle
)) ? (void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\" (%s)"
, "epan/dissectors/packet-tls-utils.c", 5520, "dissector_handle_get_dissector_name(subdissector_handle)"
, "SSL appdata dissectors must register with register_dissector()!"
))))
;
5521 ssl_debug_printf("association_add %s port %d handle %p\n", dissector_table_name, port, (void *)subdissector_handle);
5522
5523 if (port) {
5524 dissector_add_uint(dissector_table_name, port, subdissector_handle);
5525 if (tcp)
5526 dissector_add_uint("tcp.port", port, main_handle);
5527 else
5528 dissector_add_uint("udp.port", port, main_handle);
5529 dissector_add_uint("sctp.port", port, main_handle);
5530 } else {
5531 dissector_add_for_decode_as(dissector_table_name, subdissector_handle);
5532 }
5533}
5534
5535void
5536ssl_association_remove(const char* dissector_table_name, dissector_handle_t main_handle, dissector_handle_t subdissector_handle, unsigned port, bool_Bool tcp)
5537{
5538 ssl_debug_printf("ssl_association_remove removing %s %u - handle %p\n",
5539 tcp?"TCP":"UDP", port, (void *)subdissector_handle);
5540 if (main_handle) {
5541 dissector_delete_uint(tcp?"tcp.port":"udp.port", port, main_handle);
5542 dissector_delete_uint("sctp.port", port, main_handle);
5543 }
5544
5545 if (port) {
5546 dissector_delete_uint(dissector_table_name, port, subdissector_handle);
5547 }
5548}
5549
5550void
5551ssl_set_server(SslSession *session, address *addr, port_type ptype, uint32_t port)
5552{
5553 copy_address_wmem(wmem_file_scope(), &session->srv_addr, addr);
5554 session->srv_ptype = ptype;
5555 session->srv_port = port;
5556}
5557
5558int
5559ssl_packet_from_server(SslSession *session, dissector_table_t table, const packet_info *pinfo)
5560{
5561 int ret;
5562 if (session && session->srv_addr.type != AT_NONE) {
5563 ret = (session->srv_ptype == pinfo->ptype) &&
5564 (session->srv_port == pinfo->srcport) &&
5565 addresses_equal(&session->srv_addr, &pinfo->src);
5566 } else {
5567 ret = (dissector_get_uint_handle(table, pinfo->srcport) != 0);
5568 }
5569
5570 ssl_debug_printf("packet_from_server: is from server - %s\n", (ret)?"TRUE":"FALSE");
5571 return ret;
5572}
5573/* Handling of association between tls/dtls ports and clear text protocol. }}} */
5574
5575
5576/* Links SSL records with the real packet data. {{{ */
5577SslPacketInfo *
5578tls_add_packet_info(int proto, packet_info *pinfo, uint8_t curr_layer_num_ssl)
5579{
5580 SslPacketInfo *pi = (SslPacketInfo *)p_get_proto_data(wmem_file_scope(), pinfo, proto, curr_layer_num_ssl);
5581 if (!pi) {
5582 pi = wmem_new0(wmem_file_scope(), SslPacketInfo)((SslPacketInfo*)wmem_alloc0((wmem_file_scope()), sizeof(SslPacketInfo
)))
;
5583 pi->srcport = pinfo->srcport;
5584 pi->destport = pinfo->destport;
5585 conversation_t *conv = find_or_create_conversation_strat(pinfo);
5586 SslDecryptSession *ssl_session = tls_get_session(conv, proto, curr_layer_num_ssl);
5587 if (ssl_session) {
5588 /* This can also be called by the QUIC TLS1.3 handshake only
5589 * dissector. That is not associated with a session, or a stream,
5590 * and doesn't need the information for Follow or Decode As. */
5591 pi->stream = ssl_session->session.stream;
5592 }
5593 p_add_proto_data(wmem_file_scope(), pinfo, proto, curr_layer_num_ssl, pi);
5594 }
5595
5596 return pi;
5597}
5598
5599/**
5600 * Remembers the decrypted TLS record fragment (TLSInnerPlaintext in TLS 1.3) to
5601 * avoid the need for a decoder in the second pass. Additionally, it remembers
5602 * sequence numbers (for reassembly and Follow TLS Stream).
5603 *
5604 * @param proto The protocol identifier (proto_ssl or proto_dtls).
5605 * @param pinfo The packet where the record originates from.
5606 * @param plain_data Decrypted plaintext to store in the record.
5607 * @param plain_data_len Total length of the plaintext.
5608 * @param content_len Length of the plaintext section corresponding to the record content.
5609 * @param record_id The identifier for this record within the current packet.
5610 * @param flow Information about sequence numbers, etc.
5611 * @param type TLS Content Type (such as handshake or application_data).
5612 * @param curr_layer_num_ssl The layer identifier for this TLS session.
5613 */
5614void
5615ssl_add_record_info(int proto, packet_info *pinfo,
5616 const unsigned char *plain_data, int plain_data_len, int content_len,
5617 int record_id, SslFlow *flow, ContentType type, uint8_t curr_layer_num_ssl,
5618 uint64_t record_seq)
5619{
5620 SslRecordInfo* rec, **prec;
5621 SslPacketInfo *pi = tls_add_packet_info(proto, pinfo, curr_layer_num_ssl);
5622
5623 ws_assert(content_len <= plain_data_len)do { if ((1) && !(content_len <= plain_data_len)) ws_log_fatal_full
("", LOG_LEVEL_ERROR, "epan/dissectors/packet-tls-utils.c", 5623
, __func__, "assertion failed: %s", "content_len <= plain_data_len"
); } while (0)
;
5624
5625 rec = wmem_new(wmem_file_scope(), SslRecordInfo)((SslRecordInfo*)wmem_alloc((wmem_file_scope()), sizeof(SslRecordInfo
)))
;
5626 rec->plain_data = (unsigned char *)wmem_memdup(wmem_file_scope(), plain_data, plain_data_len);
5627 rec->plain_data_len = plain_data_len;
5628 rec->content_len = content_len;
5629 rec->id = record_id;
5630 rec->type = type;
5631 rec->next = NULL((void*)0);
5632 rec->record_seq = record_seq;
5633
5634 if (flow && type == SSL_ID_APP_DATA) {
5635 rec->seq = flow->byte_seq;
5636 rec->flow = flow;
5637 flow->byte_seq += content_len;
5638 ssl_debug_printf("%s stored decrypted record seq=%d nxtseq=%d flow=%p\n",
5639 G_STRFUNC((const char*) (__func__)), rec->seq, rec->seq + content_len, (void*)flow);
5640 }
5641
5642 /* Remember decrypted records. */
5643 prec = &pi->records;
5644 while (*prec) prec = &(*prec)->next;
5645 *prec = rec;
5646}
5647
5648/* search in packet data for the specified id; return a newly created tvb for the associated data */
5649tvbuff_t*
5650ssl_get_record_info(tvbuff_t *parent_tvb, int proto, packet_info *pinfo, int record_id, uint8_t curr_layer_num_ssl, SslRecordInfo **matched_record)
5651{
5652 SslRecordInfo* rec;
5653 SslPacketInfo* pi;
5654 pi = (SslPacketInfo *)p_get_proto_data(wmem_file_scope(), pinfo, proto, curr_layer_num_ssl);
5655
5656 if (!pi)
5657 return NULL((void*)0);
5658
5659 for (rec = pi->records; rec; rec = rec->next)
5660 if (rec->id == record_id) {
5661 *matched_record = rec;
5662 /* link new real_data_tvb with a parent tvb so it is freed when frame dissection is complete */
5663 return tvb_new_child_real_data(parent_tvb, rec->plain_data, rec->plain_data_len, rec->plain_data_len);
5664 }
5665
5666 return NULL((void*)0);
5667}
5668/* Links SSL records with the real packet data. }}} */
5669
5670/* initialize/reset per capture state data (ssl sessions cache). {{{ */
5671void
5672ssl_common_init(ssl_master_key_map_t *mk_map,
5673 StringInfo *decrypted_data, StringInfo *compressed_data)
5674{
5675 mk_map->session = g_hash_table_new(ssl_hash, ssl_equal);
5676 mk_map->tickets = g_hash_table_new(ssl_hash, ssl_equal);
5677 mk_map->crandom = g_hash_table_new(ssl_hash, ssl_equal);
5678 mk_map->pre_master = g_hash_table_new(ssl_hash, ssl_equal);
5679 mk_map->pms = g_hash_table_new(ssl_hash, ssl_equal);
5680 mk_map->tls13_client_early = g_hash_table_new(ssl_hash, ssl_equal);
5681 mk_map->tls13_client_handshake = g_hash_table_new(ssl_hash, ssl_equal);
5682 mk_map->tls13_server_handshake = g_hash_table_new(ssl_hash, ssl_equal);
5683 mk_map->tls13_client_appdata = g_hash_table_new(ssl_hash, ssl_equal);
5684 mk_map->tls13_server_appdata = g_hash_table_new(ssl_hash, ssl_equal);
5685 mk_map->tls13_early_exporter = g_hash_table_new(ssl_hash, ssl_equal);
5686 mk_map->tls13_exporter = g_hash_table_new(ssl_hash, ssl_equal);
5687
5688 mk_map->ech_secret = g_hash_table_new(ssl_hash, ssl_equal);
5689 mk_map->ech_config = g_hash_table_new(ssl_hash, ssl_equal);
5690
5691 mk_map->used_crandom = g_hash_table_new(ssl_hash, ssl_equal);
5692
5693 ssl_data_alloc(decrypted_data, 32);
5694 ssl_data_alloc(compressed_data, 32);
5695}
5696
5697void
5698ssl_common_cleanup(ssl_master_key_map_t *mk_map, FILE **ssl_keylog_file,
5699 StringInfo *decrypted_data, StringInfo *compressed_data)
5700{
5701 g_hash_table_destroy(mk_map->session);
5702 g_hash_table_destroy(mk_map->tickets);
5703 g_hash_table_destroy(mk_map->crandom);
5704 g_hash_table_destroy(mk_map->pre_master);
5705 g_hash_table_destroy(mk_map->pms);
5706 g_hash_table_destroy(mk_map->tls13_client_early);
5707 g_hash_table_destroy(mk_map->tls13_client_handshake);
5708 g_hash_table_destroy(mk_map->tls13_server_handshake);
5709 g_hash_table_destroy(mk_map->tls13_client_appdata);
5710 g_hash_table_destroy(mk_map->tls13_server_appdata);
5711 g_hash_table_destroy(mk_map->tls13_early_exporter);
5712 g_hash_table_destroy(mk_map->tls13_exporter);
5713
5714 g_hash_table_destroy(mk_map->ech_secret);
5715 g_hash_table_destroy(mk_map->ech_config);
5716
5717 g_hash_table_destroy(mk_map->used_crandom);
5718
5719 g_free(decrypted_data->data)(__builtin_object_size ((decrypted_data->data), 0) != ((size_t
) - 1)) ? g_free_sized (decrypted_data->data, __builtin_object_size
((decrypted_data->data), 0)) : (g_free) (decrypted_data->
data)
;
5720 g_free(compressed_data->data)(__builtin_object_size ((compressed_data->data), 0) != ((size_t
) - 1)) ? g_free_sized (compressed_data->data, __builtin_object_size
((compressed_data->data), 0)) : (g_free) (compressed_data
->data)
;
5721
5722 /* close the previous keylog file now that the cache are cleared, this
5723 * allows the cache to be filled with the full keylog file contents. */
5724 if (*ssl_keylog_file) {
5725 fclose(*ssl_keylog_file);
5726 *ssl_keylog_file = NULL((void*)0);
5727 }
5728}
5729/* }}} */
5730
5731/* parse ssl related preferences (private keys and ports association strings) */
5732#if defined(HAVE_LIBGNUTLS1)
5733/* Load a single RSA key file item from preferences. {{{ */
5734void
5735ssl_parse_key_list(const ssldecrypt_assoc_t *uats, GHashTable *key_hash, const char* dissector_table_name, dissector_handle_t main_handle, bool_Bool tcp)
5736{
5737 gnutls_x509_privkey_t x509_priv_key;
5738 gnutls_privkey_t priv_key = NULL((void*)0);
5739 FILE* fp = NULL((void*)0);
5740 int ret;
5741 size_t key_id_len = 20;
5742 unsigned char *key_id = NULL((void*)0);
5743 char *err = NULL((void*)0);
5744 dissector_handle_t handle;
5745 /* try to load keys file first */
5746 fp = ws_fopenfopen(uats->keyfile, "rb");
5747 if (!fp) {
5748 report_open_failure(uats->keyfile, errno(*__errno_location ()), false0);
5749 return;
5750 }
5751
5752 if ((int)strlen(uats->password) == 0) {
5753 x509_priv_key = rsa_load_pem_key(fp, &err);
5754 } else {
5755 x509_priv_key = rsa_load_pkcs12(fp, uats->password, &err);
5756 }
5757 fclose(fp);
5758
5759 if (!x509_priv_key) {
5760 if (err) {
5761 report_failure("Can't load private key from %s: %s",
5762 uats->keyfile, err);
5763 g_free(err)(__builtin_object_size ((err), 0) != ((size_t) - 1)) ? g_free_sized
(err, __builtin_object_size ((err), 0)) : (g_free) (err)
;
5764 } else
5765 report_failure("Can't load private key from %s: unknown error",
5766 uats->keyfile);
5767 return;
5768 }
5769 if (err) {
5770 report_failure("Load of private key from %s \"succeeded\" with error %s",
5771 uats->keyfile, err);
5772 g_free(err)(__builtin_object_size ((err), 0) != ((size_t) - 1)) ? g_free_sized
(err, __builtin_object_size ((err), 0)) : (g_free) (err)
;
5773 }
5774
5775 gnutls_privkey_init(&priv_key);
5776 ret = gnutls_privkey_import_x509(priv_key, x509_priv_key,
5777 GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE|GNUTLS_PRIVKEY_IMPORT_COPY);
5778 if (ret < 0) {
5779 report_failure("Can't convert private key %s: %s",
5780 uats->keyfile, gnutls_strerror(ret));
5781 goto end;
5782 }
5783
5784 key_id = (unsigned char *) g_malloc0(key_id_len);
5785 ret = gnutls_x509_privkey_get_key_id(x509_priv_key, 0, key_id, &key_id_len);
5786 if (ret < 0) {
5787 report_failure("Can't calculate public key ID for %s: %s",
5788 uats->keyfile, gnutls_strerror(ret));
5789 goto end;
5790 }
5791 ssl_print_data("KeyID", key_id, key_id_len);
5792 if (key_id_len != 20) {
5793 report_failure("Expected Key ID size %u for %s, got %zu", 20,
5794 uats->keyfile, key_id_len);
5795 goto end;
5796 }
5797
5798 g_hash_table_replace(key_hash, key_id, priv_key);
5799 key_id = NULL((void*)0); /* used in key_hash, do not free. */
5800 priv_key = NULL((void*)0);
5801 ssl_debug_printf("ssl_init private key file %s successfully loaded.\n", uats->keyfile);
5802
5803 handle = ssl_find_appdata_dissector(uats->protocol);
5804 if (handle) {
5805 /* Port to subprotocol mapping */
5806 uint16_t port = 0;
5807 if (ws_strtou16(uats->port, NULL((void*)0), &port)) {
5808 if (port > 0) {
5809 ssl_debug_printf("ssl_init port '%d' filename '%s' password(only for p12 file) '%s'\n",
5810 port, uats->keyfile, uats->password);
5811
5812 ssl_association_add(dissector_table_name, main_handle, handle, port, tcp);
5813 }
5814 } else {
5815 if (strcmp(uats->port, "start_tls"))
5816 ssl_debug_printf("invalid ssl_init_port: %s\n", uats->port);
5817 }
5818 }
5819
5820end:
5821 gnutls_x509_privkey_deinit(x509_priv_key);
5822 gnutls_privkey_deinit(priv_key);
5823 g_free(key_id)(__builtin_object_size ((key_id), 0) != ((size_t) - 1)) ? g_free_sized
(key_id, __builtin_object_size ((key_id), 0)) : (g_free) (key_id
)
;
5824}
5825/* }}} */
5826#endif
5827
5828
5829/* Store/load a known (pre-)master secret from/for this SSL session. {{{ */
5830/** store a known (pre-)master secret into cache */
5831static void
5832ssl_save_master_key(const char *label, GHashTable *ht, StringInfo *key,
5833 StringInfo *mk)
5834{
5835 StringInfo *ht_key, *master_secret;
5836
5837 if (key->data_len == 0) {
5838 ssl_debug_printf("%s: not saving empty %s!\n", G_STRFUNC((const char*) (__func__)), label);
5839 return;
5840 }
5841
5842 if (mk->data_len == 0) {
5843 ssl_debug_printf("%s not saving empty (pre-)master secret for %s!\n",
5844 G_STRFUNC((const char*) (__func__)), label);
5845 return;
5846 }
5847
5848 ht_key = ssl_data_clone(key);
5849 master_secret = ssl_data_clone(mk);
5850 g_hash_table_insert(ht, ht_key, master_secret);
5851
5852 ssl_debug_printf("%s inserted (pre-)master secret for %s\n", G_STRFUNC((const char*) (__func__)), label);
5853 ssl_print_string("stored key", ht_key);
5854 ssl_print_string("stored (pre-)master secret", master_secret);
5855}
5856
5857/** restore a (pre-)master secret given some key in the cache */
5858static bool_Bool
5859ssl_restore_master_key(SslDecryptSession *ssl, const char *label,
5860 bool_Bool is_pre_master, GHashTable *ht, StringInfo *key)
5861{
5862 StringInfo *ms;
5863
5864 if (key->data_len == 0) {
5865 ssl_debug_printf("%s can't restore %smaster secret using an empty %s\n",
5866 G_STRFUNC((const char*) (__func__)), is_pre_master ? "pre-" : "", label);
5867 return false0;
5868 }
5869
5870 ms = (StringInfo *)g_hash_table_lookup(ht, key);
5871 if (!ms) {
5872 ssl_debug_printf("%s can't find %smaster secret by %s\n", G_STRFUNC((const char*) (__func__)),
5873 is_pre_master ? "pre-" : "", label);
5874 return false0;
5875 }
5876
5877 /* (pre)master secret found, clear knowledge of other keys and set it in the
5878 * current conversation */
5879 ssl->state &= ~(SSL_MASTER_SECRET(1<<5) | SSL_PRE_MASTER_SECRET(1<<6) |
5880 SSL_HAVE_SESSION_KEY(1<<3));
5881 if (is_pre_master) {
5882 /* unlike master secret, pre-master secret has a variable size (48 for
5883 * RSA, varying for PSK) and is therefore not statically allocated */
5884 ssl->pre_master_secret.data = (unsigned char *) wmem_alloc(wmem_file_scope(),
5885 ms->data_len);
5886 ssl_data_set(&ssl->pre_master_secret, ms->data, ms->data_len);
5887 ssl->state |= SSL_PRE_MASTER_SECRET(1<<6);
5888 } else {
5889 ssl_data_set(&ssl->master_secret, ms->data, ms->data_len);
5890 ssl->state |= SSL_MASTER_SECRET(1<<5);
5891 }
5892 ssl_debug_printf("%s %smaster secret retrieved using %s\n", G_STRFUNC((const char*) (__func__)),
5893 is_pre_master ? "pre-" : "", label);
5894 ssl_print_string(label, key);
5895 ssl_print_string("(pre-)master secret", ms);
5896 return true1;
5897}
5898/* Store/load a known (pre-)master secret from/for this SSL session. }}} */
5899
5900/* Should be called when all parameters are ready (after ChangeCipherSpec), and
5901 * the decoder should be attempted to be initialized. {{{*/
5902void
5903ssl_finalize_decryption(SslDecryptSession *ssl, ssl_master_key_map_t *mk_map)
5904{
5905 if (ssl->session.version == TLSV1DOT3_VERSION0x304) {
5906 /* TLS 1.3 implementations only provide secrets derived from the master
5907 * secret which are loaded in tls13_change_key. No master secrets can be
5908 * loaded here, so just return. */
5909 return;
5910 }
5911 ssl_debug_printf("%s state = 0x%02X\n", G_STRFUNC((const char*) (__func__)), ssl->state);
5912 if (ssl->state & SSL_HAVE_SESSION_KEY(1<<3)) {
5913 ssl_debug_printf(" session key already available, nothing to do.\n");
5914 return;
5915 }
5916 if (!(ssl->state & SSL_CIPHER(1<<2))) {
5917 ssl_debug_printf(" Cipher suite (Server Hello) is missing!\n");
5918 return;
5919 }
5920
5921 /* for decryption, there needs to be a master secret (which can be derived
5922 * from pre-master secret). If missing, try to pick a master key from cache
5923 * (an earlier packet in the capture or key logfile). */
5924 if (!(ssl->state & (SSL_MASTER_SECRET(1<<5) | SSL_PRE_MASTER_SECRET(1<<6))) &&
5925 !ssl_restore_master_key(ssl, "Session ID", false0,
5926 mk_map->session, &ssl->session_id) &&
5927 (!ssl->session.is_session_resumed ||
5928 !ssl_restore_master_key(ssl, "Session Ticket", false0,
5929 mk_map->tickets, &ssl->session_ticket)) &&
5930 !ssl_restore_master_key(ssl, "Client Random", false0,
5931 mk_map->crandom, &ssl->client_random)) {
5932 if (ssl->cipher_suite->enc != ENC_NULL0x3D) {
5933 /* how unfortunate, the master secret could not be found */
5934 ssl_debug_printf(" Cannot find master secret\n");
5935 return;
5936 } else {
5937 ssl_debug_printf(" Cannot find master secret, continuing anyway "
5938 "because of a NULL cipher\n");
5939 }
5940 }
5941
5942 if (ssl_generate_keyring_material(ssl) < 0) {
5943 ssl_debug_printf("%s can't generate keyring material\n", G_STRFUNC((const char*) (__func__)));
5944 return;
5945 }
5946 /* Save Client Random/ Session ID for "SSL Export Session keys" */
5947 ssl_save_master_key("Client Random", mk_map->crandom,
5948 &ssl->client_random, &ssl->master_secret);
5949 ssl_save_master_key("Session ID", mk_map->session,
5950 &ssl->session_id, &ssl->master_secret);
5951 /* Only save the new secrets if the server sent the ticket. The client
5952 * ticket might have become stale. */
5953 if (ssl->state & SSL_NEW_SESSION_TICKET(1<<10)) {
5954 ssl_save_master_key("Session Ticket", mk_map->tickets,
5955 &ssl->session_ticket, &ssl->master_secret);
5956 }
5957} /* }}} */
5958
5959static StringInfo*
5960tls13_load_secret_from_psk(SslDecryptSession *tls, bool_Bool is_from_server,
5961 TLSRecordType type)
5962{
5963 /* XXX - In addition to an out-of-bound PSK, we could also save the
5964 * PSK from a NewSessionTicket; we would also need to compute the
5965 * resumption_master_secret. */
5966 if (tls->psk.data_len == 0)
5967 return NULL((void*)0);
5968
5969 /* We SHOULD associate each PSK with a hash algorithm (e.g., use
5970 * a UAT instead of a single global PSK string preference, preferably
5971 * following RFC 9258.) Failing that, RFC 8864 4.2.1 and 9258 say SHA-256
5972 * SHOULD be used. We will try the negotiated hash algorithm regardless
5973 * with the PSK, but fall back to SHA-256 for the Early Secret, since
5974 * that's before the Server Hello completes negotiation.
5975 */
5976 const SslDigestAlgo *dig = ssl_cipher_suite_dig(tls->cipher_suite);
5977 if (type == TLS_SECRET_0RTT_APP && dig == &digests[DIG_NA0x45 - DIG_MD50x40]) {
5978 dig = &digests[DIG_SHA2560x42 - DIG_MD50x40];
5979 ssl_debug_printf("%s assuming PSK hash function is %s\n", G_STRFUNC((const char*) (__func__)), dig->name);
5980 }
5981
5982 int hash_algo = ssl_get_digest_by_name(dig->name);
5983 if (!hash_algo) {
5984 ssl_debug_printf("%s can't find hash function %s\n", G_STRFUNC((const char*) (__func__)), dig->name);
5985 return NULL((void*)0);
5986 }
5987
5988 /* We can re-use this to store the Pseudo Random Key for each epoch. */
5989 uint8_t prk[DIGEST_MAX_SIZE48];
5990 StringInfo prk_string = { prk, dig->len };
5991 uint8_t *derived_secret;
5992
5993 uint8_t zeroes[DIGEST_MAX_SIZE48];
5994 memset(zeroes, 0, dig->len);
5995
5996 StringInfo *secret = NULL((void*)0);
5997 const char *label;
5998
5999 /* PRK = Early Secret */
6000 hkdf_extract(hash_algo, zeroes, dig->len, tls->psk.data, tls->psk.data_len, prk);
6001
6002 if (type == TLS_SECRET_0RTT_APP) {
6003 DISSECTOR_ASSERT(!is_from_server)((void) ((!is_from_server) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 6003, "!is_from_server"))))
;
6004 label = "c e traffic";
6005 } else {
6006 if (!tls13_derive_secret(hash_algo, &prk_string, tls13_hkdf_label_prefix(tls),
6007 "derived", NULL((void*)0), 0, dig->len, &derived_secret))
6008 return NULL((void*)0);
6009
6010 /* PRK = Handshake Secret [assume no (EC)DHE.] */
6011 hkdf_extract(hash_algo, derived_secret, dig->len, zeroes, dig->len, prk);
6012 wmem_free(NULL((void*)0), derived_secret);
6013
6014 if (type == TLS_SECRET_HANDSHAKE) {
6015 label = is_from_server ? "s hs traffic" : "c hs traffic";
6016 } else {
6017 if (!tls13_derive_secret(hash_algo, &prk_string, tls13_hkdf_label_prefix(tls),
6018 "derived", NULL((void*)0), 0, dig->len, &derived_secret))
6019 return NULL((void*)0);
6020
6021 /* PRK = Master Secret */
6022 hkdf_extract(hash_algo, derived_secret, dig->len, zeroes, dig->len, prk);
6023 wmem_free(NULL((void*)0), derived_secret);
6024
6025 label = is_from_server ? "s ap traffic" : "c ap traffic";
6026 }
6027 }
6028
6029 /* XXX - If Encrypted Client Hello was accepted (do client/server pairs
6030 * support ECHO with psk_ke?) then we should use ech_transcript instead
6031 * of handshake_data. Perhaps we should consolidate some of that handling,
6032 * though note that we would have to keep both transcripts around after
6033 * the ClientHello until the ServerHello indicated whether ECHO was
6034 * accepted or not. */
6035 if (!tls13_derive_secret(hash_algo, &prk_string,
6036 tls13_hkdf_label_prefix(tls), label,
6037 tls->handshake_data.data, tls->handshake_data.data_len,
6038 dig->len, &derived_secret))
6039 return NULL((void*)0);
6040
6041 secret = wmem_new(wmem_file_scope(), StringInfo)((StringInfo*)wmem_alloc((wmem_file_scope()), sizeof(StringInfo
)))
;
6042 secret->data = wmem_memdup(wmem_file_scope(), derived_secret, dig->len);
6043 secret->data_len = dig->len;
6044 wmem_free(NULL((void*)0), derived_secret);
6045 return secret;
6046}
6047
6048/* Load the traffic key secret from the keylog file. */
6049StringInfo *
6050tls13_load_secret(SslDecryptSession *ssl, ssl_master_key_map_t *mk_map,
6051 bool_Bool is_from_server, TLSRecordType type)
6052{
6053 GHashTable *key_map;
6054 const char *label;
6055
6056 if (ssl->session.version != TLSV1DOT3_VERSION0x304 && ssl->session.version != DTLSV1DOT3_VERSION0xfefc) {
6057 ssl_debug_printf("%s TLS version %#x is not 1.3\n", G_STRFUNC((const char*) (__func__)), ssl->session.version);
6058 return NULL((void*)0);
6059 }
6060
6061 if (ssl->client_random.data_len == 0) {
6062 /* May happen if Hello message is missing and Finished is found. */
6063 ssl_debug_printf("%s missing Client Random\n", G_STRFUNC((const char*) (__func__)));
6064 return NULL((void*)0);
6065 }
6066
6067 switch (type) {
6068 case TLS_SECRET_0RTT_APP:
6069 DISSECTOR_ASSERT(!is_from_server)((void) ((!is_from_server) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 6069, "!is_from_server"))))
;
6070 label = "CLIENT_EARLY_TRAFFIC_SECRET";
6071 key_map = mk_map->tls13_client_early;
6072 break;
6073 case TLS_SECRET_HANDSHAKE:
6074 if (is_from_server) {
6075 label = "SERVER_HANDSHAKE_TRAFFIC_SECRET";
6076 key_map = mk_map->tls13_server_handshake;
6077 } else {
6078 label = "CLIENT_HANDSHAKE_TRAFFIC_SECRET";
6079 key_map = mk_map->tls13_client_handshake;
6080 }
6081 break;
6082 case TLS_SECRET_APP:
6083 if (is_from_server) {
6084 label = "SERVER_TRAFFIC_SECRET_0";
6085 key_map = mk_map->tls13_server_appdata;
6086 } else {
6087 label = "CLIENT_TRAFFIC_SECRET_0";
6088 key_map = mk_map->tls13_client_appdata;
6089 }
6090 break;
6091 default:
6092 ws_assert_not_reached()ws_log_fatal_full("", LOG_LEVEL_ERROR, "epan/dissectors/packet-tls-utils.c"
, 6092, __func__, "assertion \"not reached\" failed")
;
6093 }
6094
6095 /* Transitioning to new keys, mark old ones as unusable. */
6096 ssl_debug_printf("%s transitioning to new key, old state 0x%02x\n", G_STRFUNC((const char*) (__func__)), ssl->state);
6097 ssl->state &= ~(SSL_MASTER_SECRET(1<<5) | SSL_PRE_MASTER_SECRET(1<<6) | SSL_HAVE_SESSION_KEY(1<<3));
6098
6099 StringInfo *secret = (StringInfo *)g_hash_table_lookup(key_map, &ssl->client_random);
6100 if (!secret) {
6101 secret = tls13_load_secret_from_psk(ssl, is_from_server, type);
6102 if (secret) {
6103 ssl_debug_printf("%s Calculated TLS 1.3 traffic secret from PSK.\n", G_STRFUNC((const char*) (__func__)));
6104 /* Doing this allows us to save the secret as a DSB in a pcapng. */
6105 g_hash_table_insert(key_map, ssl_data_clone(&ssl->client_random), secret);
6106 }
6107 }
6108 if (!secret) {
6109 ssl_debug_printf("%s Cannot find %s, decryption impossible\n", G_STRFUNC((const char*) (__func__)), label);
6110 /* Disable decryption, the keys are invalid. */
6111 if (is_from_server) {
6112 ssl->server = NULL((void*)0);
6113 } else {
6114 ssl->client = NULL((void*)0);
6115 }
6116 return NULL((void*)0);
6117 }
6118
6119 /* TLS 1.3 secret found, set new keys. */
6120 ssl_debug_printf("%s Retrieved TLS 1.3 traffic secret.\n", G_STRFUNC((const char*) (__func__)));
6121 ssl_print_string("Client Random", &ssl->client_random);
6122 ssl_print_string(label, secret);
6123 return secret;
6124}
6125
6126/* Load the new key. */
6127void
6128tls13_change_key(SslDecryptSession *ssl, ssl_master_key_map_t *mk_map,
6129 bool_Bool is_from_server, TLSRecordType type)
6130{
6131 if (ssl->state & SSL_QUIC_RECORD_LAYER(1<<13)) {
6132 /*
6133 * QUIC does not use the TLS record layer for message protection.
6134 * The required keys will be extracted later by QUIC.
6135 */
6136 return;
6137 }
6138
6139 StringInfo *secret = tls13_load_secret(ssl, mk_map, is_from_server, type);
6140 if (!secret) {
6141 if (type != TLS_SECRET_HANDSHAKE) {
6142 return;
6143 }
6144 /*
6145 * Workaround for when for some reason we don't have the handshake
6146 * secret but do have the application traffic secret. (#20240)
6147 * If we can't find the handshake secret, we'll never decrypt the
6148 * Finished message, so we won't know when to change to the app
6149 * traffic key, so we do so now.
6150 */
6151 type = TLS_SECRET_APP;
6152 secret = tls13_load_secret(ssl, mk_map, is_from_server, type);
6153 if (!secret) {
6154 return;
6155 }
6156 }
6157
6158 if (tls13_generate_keys(ssl, secret, is_from_server)) {
6159 /*
6160 * Remember the application traffic secret to support Key Update. The
6161 * other secrets cannot be used for this purpose, so free them.
6162 */
6163 SslDecoder *decoder = is_from_server ? ssl->server : ssl->client;
6164 StringInfo *app_secret = &decoder->app_traffic_secret;
6165 if (type == TLS_SECRET_APP) {
6166 app_secret->data = (unsigned char *) wmem_realloc(wmem_file_scope(),
6167 app_secret->data,
6168 secret->data_len);
6169 ssl_data_set(app_secret, secret->data, secret->data_len);
6170 } else {
6171 wmem_free(wmem_file_scope(), app_secret->data);
6172 app_secret->data = NULL((void*)0);
6173 app_secret->data_len = 0;
6174 }
6175 }
6176}
6177
6178/**
6179 * Update to next application data traffic secret for TLS 1.3. The previous
6180 * secret should have been set by tls13_change_key.
6181 */
6182void
6183tls13_key_update(SslDecryptSession *ssl, bool_Bool is_from_server)
6184{
6185 /* RFC 8446 Section 7.2:
6186 * application_traffic_secret_N+1 =
6187 * HKDF-Expand-Label(application_traffic_secret_N,
6188 * "traffic upd", "", Hash.length)
6189 *
6190 * Both application_traffic_secret_N are of the same length (Hash.length).
6191 */
6192 const SslCipherSuite *cipher_suite = ssl->cipher_suite;
6193 SslDecoder *decoder = is_from_server ? ssl->server : ssl->client;
6194 StringInfo *app_secret = decoder ? &decoder->app_traffic_secret : NULL((void*)0);
6195 uint8_t tls13_draft_version = ssl->session.tls13_draft_version;
6196
6197 if (!cipher_suite || !app_secret || app_secret->data_len == 0) {
6198 ssl_debug_printf("%s Cannot perform Key Update due to missing info\n", G_STRFUNC((const char*) (__func__)));
6199 return;
6200 }
6201
6202 /*
6203 * Previous traffic secret is available, so find the hash function,
6204 * expand the new traffic secret and generate new keys.
6205 */
6206 const char *hash_name = ssl_cipher_suite_dig(cipher_suite)->name;
6207 int hash_algo = ssl_get_digest_by_name(hash_name);
6208 const unsigned hash_len = app_secret->data_len;
6209 unsigned char *new_secret;
6210 const char *label = "traffic upd";
6211 if (tls13_draft_version && tls13_draft_version < 20) {
6212 label = "application traffic secret";
6213 }
6214 if (!tls13_hkdf_expand_label(hash_algo, app_secret,
6215 tls13_hkdf_label_prefix(ssl),
6216 label, hash_len, &new_secret)) {
6217 ssl_debug_printf("%s traffic_secret_N+1 expansion failed\n", G_STRFUNC((const char*) (__func__)));
6218 return;
6219 }
6220 ssl_data_set(app_secret, new_secret, hash_len);
6221 if (tls13_generate_keys(ssl, app_secret, is_from_server)) {
6222 /*
6223 * Remember the application traffic secret on the new decoder to
6224 * support another Key Update.
6225 */
6226 decoder = is_from_server ? ssl->server : ssl->client;
6227 app_secret = &decoder->app_traffic_secret;
6228 app_secret->data = (unsigned char *) wmem_realloc(wmem_file_scope(),
6229 app_secret->data,
6230 hash_len);
6231 ssl_data_set(app_secret, new_secret, hash_len);
6232 }
6233 wmem_free(NULL((void*)0), new_secret);
6234}
6235
6236void
6237tls_save_crandom(SslDecryptSession *ssl, ssl_master_key_map_t *mk_map)
6238{
6239 if (ssl && (ssl->state & SSL_CLIENT_RANDOM(1<<0))) {
6240 g_hash_table_add(mk_map->used_crandom, ssl_data_clone(&ssl->client_random));
6241 }
6242}
6243
6244/** SSL keylog file handling. {{{ */
6245
6246static GRegex *
6247ssl_compile_keyfile_regex(void)
6248{
6249#define OCTET "(?:[[:xdigit:]]{2})"
6250 const char *pattern =
6251 "(?:"
6252 /* Matches Client Hellos having this Client Random */
6253 "PMS_CLIENT_RANDOM (?<client_random_pms>" OCTET "{32}) "
6254 /* Matches first part of encrypted RSA pre-master secret */
6255 "|RSA (?<encrypted_pmk>" OCTET "{8}) "
6256 /* Pre-Master-Secret is given, it is 48 bytes for RSA,
6257 but it can be of any length for DHE */
6258 ")(?<pms>" OCTET "+)"
6259 "|(?:"
6260 /* Matches Server Hellos having a Session ID */
6261 "RSA Session-ID:(?<session_id>" OCTET "+) Master-Key:"
6262 /* Matches Client Hellos having this Client Random */
6263 "|CLIENT_RANDOM (?<client_random>" OCTET "{32}) "
6264 /* Master-Secret is given, its length is fixed */
6265 ")(?<master_secret>" OCTET "{" G_STRINGIFY(SSL_MASTER_SECRET_LENGTH)"48" "})"
6266 "|(?"
6267 /* TLS 1.3 Client Random to Derived Secrets mapping. */
6268 ":CLIENT_EARLY_TRAFFIC_SECRET (?<client_early>" OCTET "{32})"
6269 "|CLIENT_HANDSHAKE_TRAFFIC_SECRET (?<client_handshake>" OCTET "{32})"
6270 "|SERVER_HANDSHAKE_TRAFFIC_SECRET (?<server_handshake>" OCTET "{32})"
6271 "|CLIENT_TRAFFIC_SECRET_0 (?<client_appdata>" OCTET "{32})"
6272 "|SERVER_TRAFFIC_SECRET_0 (?<server_appdata>" OCTET "{32})"
6273 "|EARLY_EXPORTER_SECRET (?<early_exporter>" OCTET "{32})"
6274 "|EXPORTER_SECRET (?<exporter>" OCTET "{32})"
6275 /* ECH. Secret length is defined by HPKE KEM Nsecret and can vary between 32 and 64 bytes */
6276 /* These labels and their notation are specified in draft-ietf-tls-ech-keylogfile-01 */
6277 "|ECH_SECRET (?<ech_secret>" OCTET "{32,64})"
6278 "|ECH_CONFIG (?<ech_config>" OCTET "{22,})"
6279 ") (?<derived_secret>" OCTET "+)";
6280#undef OCTET
6281 static GRegex *regex = NULL((void*)0);
6282 GError *gerr = NULL((void*)0);
6283
6284 if (!regex) {
6285 regex = g_regex_new(pattern,
6286 (GRegexCompileFlags)(G_REGEX_OPTIMIZE | G_REGEX_ANCHORED | G_REGEX_RAW),
6287 G_REGEX_MATCH_ANCHORED, &gerr);
6288 if (gerr) {
6289 ssl_debug_printf("%s failed to compile regex: %s\n", G_STRFUNC((const char*) (__func__)),
6290 gerr->message);
6291 g_error_free(gerr);
6292 regex = NULL((void*)0);
6293 }
6294 }
6295
6296 return regex;
6297}
6298
6299typedef struct ssl_master_key_match_group {
6300 const char *re_group_name;
6301 GHashTable *master_key_ht;
6302} ssl_master_key_match_group_t;
6303
6304void
6305tls_keylog_process_lines(const ssl_master_key_map_t *mk_map, const uint8_t *data, unsigned datalen)
6306{
6307 ssl_master_key_match_group_t mk_groups[] = {
6308 { "encrypted_pmk", mk_map->pre_master },
6309 { "session_id", mk_map->session },
6310 { "client_random", mk_map->crandom },
6311 { "client_random_pms", mk_map->pms },
6312 /* TLS 1.3 map from Client Random to derived secret. */
6313 { "client_early", mk_map->tls13_client_early },
6314 { "client_handshake", mk_map->tls13_client_handshake },
6315 { "server_handshake", mk_map->tls13_server_handshake },
6316 { "client_appdata", mk_map->tls13_client_appdata },
6317 { "server_appdata", mk_map->tls13_server_appdata },
6318 { "early_exporter", mk_map->tls13_early_exporter },
6319 { "exporter", mk_map->tls13_exporter },
6320 { "ech_secret", mk_map->ech_secret },
6321 { "ech_config", mk_map->ech_config },
6322 };
6323
6324 /* The format of the file is a series of records with one of the following formats:
6325 * - "RSA xxxx yyyy"
6326 * Where xxxx are the first 8 bytes of the encrypted pre-master secret (hex-encoded)
6327 * Where yyyy is the cleartext pre-master secret (hex-encoded)
6328 * (this is the original format introduced with bug 4349)
6329 *
6330 * - "RSA Session-ID:xxxx Master-Key:yyyy"
6331 * Where xxxx is the SSL session ID (hex-encoded)
6332 * Where yyyy is the cleartext master secret (hex-encoded)
6333 * (added to support openssl s_client Master-Key output)
6334 * This is somewhat is a misnomer because there's nothing RSA specific
6335 * about this.
6336 *
6337 * - "PMS_CLIENT_RANDOM xxxx yyyy"
6338 * Where xxxx is the client_random from the ClientHello (hex-encoded)
6339 * Where yyyy is the cleartext pre-master secret (hex-encoded)
6340 * (This format allows SSL connections to be decrypted, if a user can
6341 * capture the PMS but could not recover the MS for a specific session
6342 * with a SSL Server.)
6343 *
6344 * - "CLIENT_RANDOM xxxx yyyy"
6345 * Where xxxx is the client_random from the ClientHello (hex-encoded)
6346 * Where yyyy is the cleartext master secret (hex-encoded)
6347 * (This format allows non-RSA SSL connections to be decrypted, i.e.
6348 * ECDHE-RSA.)
6349 *
6350 * - "CLIENT_EARLY_TRAFFIC_SECRET xxxx yyyy"
6351 * - "CLIENT_HANDSHAKE_TRAFFIC_SECRET xxxx yyyy"
6352 * - "SERVER_HANDSHAKE_TRAFFIC_SECRET xxxx yyyy"
6353 * - "CLIENT_TRAFFIC_SECRET_0 xxxx yyyy"
6354 * - "SERVER_TRAFFIC_SECRET_0 xxxx yyyy"
6355 * - "EARLY_EXPORTER_SECRET xxxx yyyy"
6356 * - "EXPORTER_SECRET xxxx yyyy"
6357 * Where xxxx is the client_random from the ClientHello (hex-encoded)
6358 * Where yyyy is the secret (hex-encoded) derived from the early,
6359 * handshake or master secrets. (This format is introduced with TLS 1.3
6360 * and supported by BoringSSL, OpenSSL, etc. See bug 12779.)
6361 */
6362 GRegex *regex = ssl_compile_keyfile_regex();
6363 if (!regex)
6364 return;
6365
6366 const char *next_line = (const char *)data;
6367 const char *line_end = next_line + datalen;
6368 while (next_line && next_line < line_end) {
6369 const char *line = next_line;
6370 next_line = (const char *)memchr(line, '\n', line_end - line);
6371 ssize_t linelen;
6372
6373 if (next_line) {
6374 linelen = next_line - line;
6375 next_line++; /* drop LF */
6376 } else {
6377 linelen = (ssize_t)(line_end - line);
6378 }
6379 if (linelen > 0 && line[linelen - 1] == '\r') {
6380 linelen--; /* drop CR */
6381 }
6382
6383 ssl_debug_printf(" checking keylog line: %.*s\n", (int)linelen, line);
6384 GMatchInfo *mi;
6385 if (g_regex_match_full(regex, line, linelen, 0, G_REGEX_MATCH_ANCHORED, &mi, NULL((void*)0))) {
6386 char *hex_key, *hex_pre_ms_or_ms;
6387 StringInfo *key = wmem_new(wmem_file_scope(), StringInfo)((StringInfo*)wmem_alloc((wmem_file_scope()), sizeof(StringInfo
)))
;
6388 StringInfo *pre_ms_or_ms = NULL((void*)0);
6389 GHashTable *ht = NULL((void*)0);
6390
6391 /* Is the PMS being supplied with the PMS_CLIENT_RANDOM
6392 * otherwise we will use the Master Secret
6393 */
6394 hex_pre_ms_or_ms = g_match_info_fetch_named(mi, "master_secret");
6395 if (hex_pre_ms_or_ms == NULL((void*)0) || !*hex_pre_ms_or_ms) {
6396 g_free(hex_pre_ms_or_ms)(__builtin_object_size ((hex_pre_ms_or_ms), 0) != ((size_t) -
1)) ? g_free_sized (hex_pre_ms_or_ms, __builtin_object_size (
(hex_pre_ms_or_ms), 0)) : (g_free) (hex_pre_ms_or_ms)
;
6397 hex_pre_ms_or_ms = g_match_info_fetch_named(mi, "pms");
6398 }
6399 if (hex_pre_ms_or_ms == NULL((void*)0) || !*hex_pre_ms_or_ms) {
6400 g_free(hex_pre_ms_or_ms)(__builtin_object_size ((hex_pre_ms_or_ms), 0) != ((size_t) -
1)) ? g_free_sized (hex_pre_ms_or_ms, __builtin_object_size (
(hex_pre_ms_or_ms), 0)) : (g_free) (hex_pre_ms_or_ms)
;
6401 hex_pre_ms_or_ms = g_match_info_fetch_named(mi, "derived_secret");
6402 }
6403 /* There is always a match, otherwise the regex is wrong. */
6404 DISSECTOR_ASSERT(hex_pre_ms_or_ms && strlen(hex_pre_ms_or_ms))((void) ((hex_pre_ms_or_ms && strlen(hex_pre_ms_or_ms
)) ? (void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\""
, "epan/dissectors/packet-tls-utils.c", 6404, "hex_pre_ms_or_ms && strlen(hex_pre_ms_or_ms)"
))))
;
6405
6406 /* convert from hex to bytes and save to hashtable */
6407 pre_ms_or_ms = wmem_new(wmem_file_scope(), StringInfo)((StringInfo*)wmem_alloc((wmem_file_scope()), sizeof(StringInfo
)))
;
6408 from_hex(pre_ms_or_ms, hex_pre_ms_or_ms, strlen(hex_pre_ms_or_ms));
6409 g_free(hex_pre_ms_or_ms)(__builtin_object_size ((hex_pre_ms_or_ms), 0) != ((size_t) -
1)) ? g_free_sized (hex_pre_ms_or_ms, __builtin_object_size (
(hex_pre_ms_or_ms), 0)) : (g_free) (hex_pre_ms_or_ms)
;
6410
6411 /* Find a master key from any format (CLIENT_RANDOM, SID, ...) */
6412 for (unsigned i = 0; i < G_N_ELEMENTS(mk_groups)(sizeof (mk_groups) / sizeof ((mk_groups)[0])); i++) {
6413 ssl_master_key_match_group_t *g = &mk_groups[i];
6414 hex_key = g_match_info_fetch_named(mi, g->re_group_name);
6415 if (hex_key && *hex_key) {
6416 ssl_debug_printf(" matched %s\n", g->re_group_name);
6417 ht = g->master_key_ht;
6418 from_hex(key, hex_key, strlen(hex_key));
6419 g_free(hex_key)(__builtin_object_size ((hex_key), 0) != ((size_t) - 1)) ? g_free_sized
(hex_key, __builtin_object_size ((hex_key), 0)) : (g_free) (
hex_key)
;
6420 break;
6421 }
6422 g_free(hex_key)(__builtin_object_size ((hex_key), 0) != ((size_t) - 1)) ? g_free_sized
(hex_key, __builtin_object_size ((hex_key), 0)) : (g_free) (
hex_key)
;
6423 }
6424 DISSECTOR_ASSERT(ht)((void) ((ht) ? (void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\""
, "epan/dissectors/packet-tls-utils.c", 6424, "ht"))))
; /* Cannot be reached, or regex is wrong. */
6425
6426 g_hash_table_insert(ht, key, pre_ms_or_ms);
6427
6428 } else if (linelen > 0 && line[0] != '#') {
6429 ssl_debug_printf(" unrecognized line\n");
6430 }
6431 /* always free match info even if there is no match. */
6432 g_match_info_free(mi);
6433 }
6434}
6435
6436void
6437ssl_load_keyfile(const char *tls_keylog_filename, FILE **keylog_file,
6438 const ssl_master_key_map_t *mk_map)
6439{
6440 /* no need to try if no key log file is configured. */
6441 if (!tls_keylog_filename || !*tls_keylog_filename) {
6442 ssl_debug_printf("%s dtls/tls.keylog_file is not configured!\n",
6443 G_STRFUNC((const char*) (__func__)));
6444 return;
6445 }
6446
6447 /* Validate regexes before even trying to use it. */
6448 if (!ssl_compile_keyfile_regex()) {
6449 return;
6450 }
6451
6452 ssl_debug_printf("trying to use TLS keylog in %s\n", tls_keylog_filename);
6453
6454 /* if the keylog file was deleted/overwritten, re-open it */
6455 if (*keylog_file && file_needs_reopen(ws_filenofileno(*keylog_file), tls_keylog_filename)) {
6456 ssl_debug_printf("%s file got deleted, trying to re-open\n", G_STRFUNC((const char*) (__func__)));
6457 fclose(*keylog_file);
6458 *keylog_file = NULL((void*)0);
6459 }
6460
6461 if (*keylog_file == NULL((void*)0)) {
6462 *keylog_file = ws_fopenfopen(tls_keylog_filename, "r");
6463 if (!*keylog_file) {
6464 ssl_debug_printf("%s failed to open SSL keylog\n", G_STRFUNC((const char*) (__func__)));
6465 return;
6466 }
6467 }
6468
6469 for (;;) {
6470 char buf[1110], *line;
6471 line = fgets(buf, sizeof(buf), *keylog_file);
6472 if (!line) {
6473 if (feof(*keylog_file)) {
6474 /* Ensure that newly appended keys can be read in the future. */
6475 clearerr(*keylog_file);
6476 } else if (ferror(*keylog_file)) {
6477 ssl_debug_printf("%s Error while reading key log file, closing it!\n", G_STRFUNC((const char*) (__func__)));
6478 fclose(*keylog_file);
6479 *keylog_file = NULL((void*)0);
6480 }
6481 break;
6482 }
6483 tls_keylog_process_lines(mk_map, (uint8_t *)line, (int)strlen(line));
6484 }
6485}
6486/** SSL keylog file handling. }}} */
6487
6488#ifdef SSL_DECRYPT_DEBUG /* {{{ */
6489
6490static FILE* ssl_debug_file;
6491
6492void
6493ssl_set_debug(const char* name)
6494{
6495 static int debug_file_must_be_closed;
6496 int use_stderr;
6497
6498 use_stderr = name?(strcmp(name, SSL_DEBUG_USE_STDERR"-") == 0):0;
6499
6500 if (debug_file_must_be_closed)
6501 fclose(ssl_debug_file);
6502
6503 if (use_stderr)
6504 ssl_debug_file = stderrstderr;
6505 else if (!name || (strcmp(name, "") ==0))
6506 ssl_debug_file = NULL((void*)0);
6507 else
6508 ssl_debug_file = ws_fopenfopen(name, "w");
6509
6510 if (!use_stderr && ssl_debug_file)
6511 debug_file_must_be_closed = 1;
6512 else
6513 debug_file_must_be_closed = 0;
6514
6515 ssl_debug_printf("Wireshark SSL debug log \n\n");
6516#ifdef HAVE_LIBGNUTLS1
6517 ssl_debug_printf("GnuTLS version: %s\n", gnutls_check_version(NULL((void*)0)));
6518#endif
6519 ssl_debug_printf("Libgcrypt version: %s\n", gcry_check_version(NULL((void*)0)));
6520 ssl_debug_printf("\n");
6521}
6522
6523void
6524ssl_debug_flush(void)
6525{
6526 if (ssl_debug_file)
6527 fflush(ssl_debug_file);
6528}
6529
6530void
6531ssl_debug_printf(const char* fmt, ...)
6532{
6533 va_list ap;
6534
6535 if (!ssl_debug_file)
6536 return;
6537
6538 va_start(ap, fmt)__builtin_va_start(ap, fmt);
6539 vfprintf(ssl_debug_file, fmt, ap);
6540 va_end(ap)__builtin_va_end(ap);
6541}
6542
6543void
6544ssl_print_data(const char* name, const unsigned char* data, size_t len)
6545{
6546 size_t i, j, k;
6547 if (!ssl_debug_file)
6548 return;
6549 fprintf(ssl_debug_file,"%s[%d]:\n",name, (int) len);
6550 for (i=0; i<len; i+=16) {
6551 fprintf(ssl_debug_file,"| ");
6552 for (j=i, k=0; k<16 && j<len; ++j, ++k)
6553 fprintf(ssl_debug_file,"%.2x ",data[j]);
6554 for (; k<16; ++k)
6555 fprintf(ssl_debug_file," ");
6556 fputc('|', ssl_debug_file);
6557 for (j=i, k=0; k<16 && j<len; ++j, ++k) {
6558 unsigned char c = data[j];
6559 if (!g_ascii_isprint(c)((g_ascii_table[(guchar) (c)] & G_ASCII_PRINT) != 0) || (c=='\t')) c = '.';
6560 fputc(c, ssl_debug_file);
6561 }
6562 for (; k<16; ++k)
6563 fputc(' ', ssl_debug_file);
6564 fprintf(ssl_debug_file,"|\n");
6565 }
6566}
6567
6568void
6569ssl_print_string(const char* name, const StringInfo* data)
6570{
6571 ssl_print_data(name, data->data, data->data_len);
6572}
6573#endif /* SSL_DECRYPT_DEBUG }}} */
6574
6575/* UAT preferences callbacks. {{{ */
6576/* checks for SSL and DTLS UAT key list fields */
6577
6578bool_Bool
6579ssldecrypt_uat_fld_ip_chk_cb(void* r _U___attribute__((unused)), const char* p _U___attribute__((unused)), unsigned len _U___attribute__((unused)), const void* u1 _U___attribute__((unused)), const void* u2 _U___attribute__((unused)), char** err)
6580{
6581 // This should be removed in favor of Decode As. Make it optional.
6582 *err = NULL((void*)0);
6583 return true1;
6584}
6585
6586bool_Bool
6587ssldecrypt_uat_fld_port_chk_cb(void* r _U___attribute__((unused)), const char* p, unsigned len _U___attribute__((unused)), const void* u1 _U___attribute__((unused)), const void* u2 _U___attribute__((unused)), char** err)
6588{
6589 if (!p || strlen(p) == 0u) {
6590 // This should be removed in favor of Decode As. Make it optional.
6591 *err = NULL((void*)0);
6592 return true1;
6593 }
6594
6595 if (strcmp(p, "start_tls") != 0){
6596 uint16_t port;
6597 if (!ws_strtou16(p, NULL((void*)0), &port)) {
6598 *err = g_strdup("Invalid port given.")g_strdup_inline ("Invalid port given.");
6599 return false0;
6600 }
6601 }
6602
6603 *err = NULL((void*)0);
6604 return true1;
6605}
6606
6607bool_Bool
6608ssldecrypt_uat_fld_fileopen_chk_cb(void* r _U___attribute__((unused)), const char* p, unsigned len _U___attribute__((unused)), const void* u1 _U___attribute__((unused)), const void* u2 _U___attribute__((unused)), char** err)
6609{
6610 ws_statb64struct stat st;
6611
6612 if (!p || strlen(p) == 0u) {
6613 *err = g_strdup("No filename given.")g_strdup_inline ("No filename given.");
6614 return false0;
6615 } else {
6616 if (ws_stat64stat(p, &st) != 0) {
6617 *err = ws_strdup_printf("File '%s' does not exist or access is denied.", p)wmem_strdup_printf(((void*)0), "File '%s' does not exist or access is denied."
, p)
;
6618 return false0;
6619 }
6620 }
6621
6622 *err = NULL((void*)0);
6623 return true1;
6624}
6625
6626bool_Bool
6627ssldecrypt_uat_fld_password_chk_cb(void *r _U___attribute__((unused)), const char *p _U___attribute__((unused)), unsigned len _U___attribute__((unused)), const void *u1 _U___attribute__((unused)), const void *u2 _U___attribute__((unused)), char **err)
6628{
6629#if defined(HAVE_LIBGNUTLS1)
6630 ssldecrypt_assoc_t* f = (ssldecrypt_assoc_t *)r;
6631 FILE *fp = NULL((void*)0);
6632
6633 if (p && (strlen(p) > 0u)) {
6634 fp = ws_fopenfopen(f->keyfile, "rb");
6635 if (fp) {
6636 char *msg = NULL((void*)0);
6637 gnutls_x509_privkey_t priv_key = rsa_load_pkcs12(fp, p, &msg);
6638 if (!priv_key) {
6639 fclose(fp);
6640 *err = ws_strdup_printf("Could not load PKCS#12 key file: %s", msg)wmem_strdup_printf(((void*)0), "Could not load PKCS#12 key file: %s"
, msg)
;
6641 g_free(msg)(__builtin_object_size ((msg), 0) != ((size_t) - 1)) ? g_free_sized
(msg, __builtin_object_size ((msg), 0)) : (g_free) (msg)
;
6642 return false0;
6643 }
6644 g_free(msg)(__builtin_object_size ((msg), 0) != ((size_t) - 1)) ? g_free_sized
(msg, __builtin_object_size ((msg), 0)) : (g_free) (msg)
;
6645 gnutls_x509_privkey_deinit(priv_key);
6646 fclose(fp);
6647 } else {
6648 *err = ws_strdup_printf("Leave this field blank if the keyfile is not PKCS#12.")wmem_strdup_printf(((void*)0), "Leave this field blank if the keyfile is not PKCS#12."
)
;
6649 return false0;
6650 }
6651 }
6652
6653 *err = NULL((void*)0);
6654 return true1;
6655#else
6656 *err = g_strdup("Cannot load key files, support is not compiled in.")g_strdup_inline ("Cannot load key files, support is not compiled in."
)
;
6657 return false0;
6658#endif
6659}
6660/* UAT preferences callbacks. }}} */
6661
6662/** maximum size of ssl_association_info() string */
6663#define SSL_ASSOC_MAX_LEN8192 8192
6664
6665typedef struct ssl_association_info_callback_data
6666{
6667 char *str;
6668 const char *table_protocol;
6669} ssl_association_info_callback_data_t;
6670
6671/**
6672 * callback function used by ssl_association_info() to traverse the SSL associations.
6673 */
6674static void
6675ssl_association_info_(const char *table _U___attribute__((unused)), void *handle, void *user_data)
6676{
6677 ssl_association_info_callback_data_t* data = (ssl_association_info_callback_data_t*)user_data;
6678 const int l = (const int)strlen(data->str);
6679 snprintf(data->str+l, SSL_ASSOC_MAX_LEN8192-l, "'%s' (%s)\n", dissector_handle_get_dissector_name((dissector_handle_t)handle), dissector_handle_get_description((dissector_handle_t)handle));
6680}
6681
6682/**
6683 * @return an information string on the SSL protocol associations. The string must be freed.
6684 */
6685char*
6686ssl_association_info(const char* dissector_table_name, const char* table_protocol)
6687{
6688 ssl_association_info_callback_data_t data;
6689
6690 data.str = (char *)g_malloc0(SSL_ASSOC_MAX_LEN8192);
6691 data.table_protocol = table_protocol;
6692 dissector_table_foreach_handle(dissector_table_name, ssl_association_info_, &data);
6693 return data.str;
6694}
6695
6696
6697/** Begin of code related to dissection of wire data. */
6698
6699/* Helpers for dissecting Variable-Length Vectors. {{{ */
6700bool_Bool
6701ssl_add_vector(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
6702 unsigned offset, unsigned offset_end, uint32_t *ret_length,
6703 int hf_length, uint32_t min_value, uint32_t max_value)
6704{
6705 unsigned veclen_size;
6706 uint32_t veclen_value;
6707 proto_item *pi;
6708
6709 DISSECTOR_ASSERT_CMPUINT(min_value, <=, max_value)((void) ((min_value <= max_value) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion " "min_value" " " "<=" " " "max_value"
" (" "%" "l" "u" " " "<=" " " "%" "l" "u" ")", "epan/dissectors/packet-tls-utils.c"
, 6709, (uint64_t)min_value, (uint64_t)max_value))))
;
6710 if (offset > offset_end) {
6711 expert_add_info_format(pinfo, tree, &hf->ei.malformed_buffer_too_small,
6712 "Vector offset is past buffer end offset (%u > %u)",
6713 offset, offset_end);
6714 *ret_length = 0;
6715 return false0; /* Cannot read length. */
6716 }
6717
6718 if (max_value > 0xffffff) {
6719 veclen_size = 4;
6720 } else if (max_value > 0xffff) {
6721 veclen_size = 3;
6722 } else if (max_value > 0xff) {
6723 veclen_size = 2;
6724 } else {
6725 veclen_size = 1;
6726 }
6727
6728 if (offset_end - offset < veclen_size) {
6729 proto_tree_add_expert_format(tree, pinfo, &hf->ei.malformed_buffer_too_small,
6730 tvb, offset, offset_end - offset,
6731 "No more room for vector of length %u",
6732 veclen_size);
6733 *ret_length = 0;
6734 return false0; /* Cannot read length. */
6735 }
6736
6737 pi = proto_tree_add_item_ret_uint(tree, hf_length, tvb, offset, veclen_size, ENC_BIG_ENDIAN0x00000000, &veclen_value);
6738 offset += veclen_size;
6739
6740 if (veclen_value < min_value) {
6741 expert_add_info_format(pinfo, pi, &hf->ei.malformed_vector_length,
6742 "Vector length %u is smaller than minimum %u",
6743 veclen_value, min_value);
6744 } else if (veclen_value > max_value) {
6745 expert_add_info_format(pinfo, pi, &hf->ei.malformed_vector_length,
6746 "Vector length %u is larger than maximum %u",
6747 veclen_value, max_value);
6748 }
6749
6750 if (offset_end - offset < veclen_value) {
6751 expert_add_info_format(pinfo, pi, &hf->ei.malformed_buffer_too_small,
6752 "Vector length %u is too large, truncating it to %u",
6753 veclen_value, offset_end - offset);
6754 *ret_length = offset_end - offset;
6755 return false0; /* Length is truncated to avoid overflow. */
6756 }
6757
6758 *ret_length = veclen_value;
6759 return true1; /* Length is OK. */
6760}
6761
6762bool_Bool
6763ssl_end_vector(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
6764 unsigned offset, unsigned offset_end)
6765{
6766 if (offset < offset_end) {
6767 unsigned trailing = offset_end - offset;
6768 proto_tree_add_expert_format(tree, pinfo, &hf->ei.malformed_trailing_data,
6769 tvb, offset, trailing,
6770 "%u trailing byte%s unprocessed",
6771 trailing, plurality(trailing, " was", "s were")((trailing) == 1 ? (" was") : ("s were")));
6772 return false0; /* unprocessed data warning */
6773 } else if (offset > offset_end) {
6774 /*
6775 * Returned offset runs past the end. This should not happen and is
6776 * possibly a dissector bug.
6777 */
6778 unsigned excess = offset - offset_end;
6779 proto_tree_add_expert_format(tree, pinfo, &hf->ei.malformed_buffer_too_small,
6780 tvb, offset_end, excess,
6781 "Dissector processed too much data (%u byte%s)",
6782 excess, plurality(excess, "", "s")((excess) == 1 ? ("") : ("s")));
6783 return false0; /* overflow error */
6784 }
6785
6786 return true1; /* OK, offset matches. */
6787}
6788/** }}} */
6789
6790
6791static uint32_t
6792ssl_dissect_digitally_signed(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
6793 proto_tree *tree, uint32_t offset, uint32_t offset_end,
6794 uint16_t version, int hf_sig_len, int hf_sig);
6795
6796/* change_cipher_spec(20) dissection */
6797void
6798ssl_dissect_change_cipher_spec(ssl_common_dissect_t *hf, tvbuff_t *tvb,
6799 packet_info *pinfo, proto_tree *tree,
6800 uint32_t offset, SslSession *session,
6801 bool_Bool is_from_server,
6802 const SslDecryptSession *ssl)
6803{
6804 /*
6805 * struct {
6806 * enum { change_cipher_spec(1), (255) } type;
6807 * } ChangeCipherSpec;
6808 */
6809 proto_item *ti;
6810 proto_item_set_text(tree,
6811 "%s Record Layer: %s Protocol: Change Cipher Spec",
6812 val_to_str_const(session->version, ssl_version_short_names, "SSL"),
6813 val_to_str_const(SSL_ID_CHG_CIPHER_SPEC, ssl_31_content_type, "unknown"));
6814 ti = proto_tree_add_item(tree, hf->hf.change_cipher_spec, tvb, offset, 1, ENC_NA0x00000000);
6815
6816 if (session->version == TLSV1DOT3_VERSION0x304) {
6817 /* CCS is a dummy message in TLS 1.3, do not parse it further. */
6818 return;
6819 }
6820
6821 /* Remember frame number of first CCS */
6822 uint32_t *ccs_frame = is_from_server ? &session->server_ccs_frame : &session->client_ccs_frame;
6823 if (*ccs_frame == 0)
6824 *ccs_frame = pinfo->num;
6825
6826 /* Use heuristics to detect an abbreviated handshake, assume that missing
6827 * ServerHelloDone implies reusing previously negotiating keys. Then when
6828 * a Session ID or ticket is present, it must be a resumed session.
6829 * Normally this should be done at the Finished message, but that may be
6830 * encrypted so we do it here, at the last cleartext message. */
6831 if (is_from_server && ssl) {
6832 if (session->is_session_resumed) {
6833 const char *resumed = NULL((void*)0);
6834 if (ssl->session_ticket.data_len) {
6835 resumed = "Session Ticket";
6836 } else if (ssl->session_id.data_len) {
6837 resumed = "Session ID";
6838 }
6839 if (resumed) {
6840 ssl_debug_printf("%s Session resumption using %s\n", G_STRFUNC((const char*) (__func__)), resumed);
6841 } else {
6842 /* Can happen if the capture somehow starts in the middle */
6843 ssl_debug_printf("%s No Session resumption, missing packets?\n", G_STRFUNC((const char*) (__func__)));
6844 }
6845 } else {
6846 ssl_debug_printf("%s Not using Session resumption\n", G_STRFUNC((const char*) (__func__)));
6847 }
6848 }
6849 if (is_from_server && session->is_session_resumed)
6850 expert_add_info(pinfo, ti, &hf->ei.resumed);
6851}
6852
6853/** Begin of handshake(22) record dissections */
6854
6855/* Dissects a SignatureScheme (TLS 1.3) or SignatureAndHashAlgorithm (TLS 1.2).
6856 * {{{ */
6857static void
6858tls_dissect_signature_algorithm(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree, uint32_t offset, ja4_data_t *ja4_data)
6859{
6860 uint32_t sighash, hashalg, sigalg;
6861 proto_item *ti_sigalg;
6862 proto_tree *sigalg_tree;
6863
6864 ti_sigalg = proto_tree_add_item_ret_uint(tree, hf->hf.hs_sig_hash_alg, tvb,
6865 offset, 2, ENC_BIG_ENDIAN0x00000000, &sighash);
6866 if (ja4_data) {
6867 wmem_list_append(ja4_data->sighash_list, GUINT_TO_POINTER(sighash)((gpointer) (gulong) (sighash)));
6868 }
6869
6870 sigalg_tree = proto_item_add_subtree(ti_sigalg, hf->ett.hs_sig_hash_alg);
6871
6872 /* TLS 1.2: SignatureAndHashAlgorithm { hash, signature } */
6873 proto_tree_add_item_ret_uint(sigalg_tree, hf->hf.hs_sig_hash_hash, tvb,
6874 offset, 1, ENC_BIG_ENDIAN0x00000000, &hashalg);
6875 proto_tree_add_item_ret_uint(sigalg_tree, hf->hf.hs_sig_hash_sig, tvb,
6876 offset + 1, 1, ENC_BIG_ENDIAN0x00000000, &sigalg);
6877
6878 /* No TLS 1.3 SignatureScheme? Fallback to TLS 1.2 interpretation. */
6879 if (!try_val_to_str(sighash, tls13_signature_algorithm)) {
6880 proto_item_set_text(ti_sigalg, "Signature Algorithm: %s %s (0x%04x)",
6881 val_to_str_const(hashalg, tls_hash_algorithm, "Unknown"),
6882 val_to_str_const(sigalg, tls_signature_algorithm, "Unknown"),
6883 sighash);
6884 }
6885} /* }}} */
6886
6887/* dissect a list of hash algorithms, return the number of bytes dissected
6888 this is used for the signature algorithms extension and for the
6889 TLS1.2 certificate request. {{{ */
6890static int
6891ssl_dissect_hash_alg_list(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree,
6892 packet_info* pinfo, uint32_t offset, uint32_t offset_end, ja4_data_t *ja4_data)
6893{
6894 /* https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1
6895 * struct {
6896 * HashAlgorithm hash;
6897 * SignatureAlgorithm signature;
6898 * } SignatureAndHashAlgorithm;
6899 * SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2>;
6900 */
6901 proto_tree *subtree;
6902 proto_item *ti;
6903 unsigned sh_alg_length;
6904 uint32_t next_offset;
6905
6906 /* SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2> */
6907 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &sh_alg_length,
6908 hf->hf.hs_sig_hash_alg_len, 2, UINT16_MAX(65535) - 1)) {
6909 return offset_end;
6910 }
6911 offset += 2;
6912 next_offset = offset + sh_alg_length;
6913
6914 ti = proto_tree_add_none_format(tree, hf->hf.hs_sig_hash_algs, tvb, offset, sh_alg_length,
6915 "Signature Hash Algorithms (%u algorithm%s)",
6916 sh_alg_length / 2, plurality(sh_alg_length / 2, "", "s")((sh_alg_length / 2) == 1 ? ("") : ("s")));
6917 subtree = proto_item_add_subtree(ti, hf->ett.hs_sig_hash_algs);
6918
6919 while (offset + 2 <= next_offset) {
6920 tls_dissect_signature_algorithm(hf, tvb, subtree, offset, ja4_data);
6921 offset += 2;
6922 }
6923
6924 if (!ssl_end_vector(hf, tvb, pinfo, subtree, offset, next_offset)) {
6925 offset = next_offset;
6926 }
6927
6928 return offset;
6929} /* }}} */
6930
6931/* Dissection of DistinguishedName (for CertificateRequest and
6932 * certificate_authorities extension). {{{ */
6933static uint32_t
6934tls_dissect_certificate_authorities(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
6935 proto_tree *tree, uint32_t offset, uint32_t offset_end)
6936{
6937 proto_item *ti;
6938 proto_tree *subtree;
6939 uint32_t dnames_length, next_offset;
6940 asn1_ctx_t asn1_ctx;
6941 int dnames_count = 100; /* the maximum number of DNs to add to the tree */
6942
6943 /* Note: minimum length is 0 for TLS 1.1/1.2 and 3 for earlier/later */
6944 /* DistinguishedName certificate_authorities<0..2^16-1> */
6945 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &dnames_length,
6946 hf->hf.hs_dnames_len, 0, UINT16_MAX(65535))) {
6947 return offset_end;
6948 }
6949 offset += 2;
6950 next_offset = offset + dnames_length;
6951
6952 if (dnames_length > 0) {
6953 ti = proto_tree_add_none_format(tree,
6954 hf->hf.hs_dnames,
6955 tvb, offset, dnames_length,
6956 "Distinguished Names (%d byte%s)",
6957 dnames_length,
6958 plurality(dnames_length, "", "s")((dnames_length) == 1 ? ("") : ("s")));
6959 subtree = proto_item_add_subtree(ti, hf->ett.dnames);
6960
6961 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true1, pinfo);
6962
6963 while (offset < next_offset) {
6964 /* get the length of the current certificate */
6965 uint32_t name_length;
6966
6967 if (dnames_count-- == 0) {
6968 /* stop adding to tree when the list is considered too large
6969 * https://gitlab.com/wireshark/wireshark/-/issues/16202
6970 Note: dnames_count must be set low enough not to hit the
6971 limit set by PINFO_LAYER_MAX_RECURSION_DEPTH in packet.c
6972 */
6973 ti = proto_tree_add_item(subtree, hf->hf.hs_dnames_truncated,
6974 tvb, offset, next_offset - offset, ENC_NA0x00000000);
6975 proto_item_set_generated(ti);
6976 return next_offset;
6977 }
6978
6979 /* opaque DistinguishedName<1..2^16-1> */
6980 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, next_offset, &name_length,
6981 hf->hf.hs_dname_len, 1, UINT16_MAX(65535))) {
6982 return next_offset;
6983 }
6984 offset += 2;
6985
6986 dissect_x509if_DistinguishedName(false0, tvb, offset, &asn1_ctx,
6987 subtree, hf->hf.hs_dname);
6988 offset += name_length;
6989 }
6990 }
6991 return offset;
6992} /* }}} */
6993
6994
6995/** TLS Extensions (in Client Hello and Server Hello). {{{ */
6996static int
6997ssl_dissect_hnd_hello_ext_sig_hash_algs(ssl_common_dissect_t *hf, tvbuff_t *tvb,
6998 proto_tree *tree, packet_info* pinfo, uint32_t offset, uint32_t offset_end, ja4_data_t *ja4_data)
6999{
7000 return ssl_dissect_hash_alg_list(hf, tvb, tree, pinfo, offset, offset_end, ja4_data);
7001}
7002
7003static int
7004ssl_dissect_hnd_ext_delegated_credentials(ssl_common_dissect_t *hf, tvbuff_t *tvb,
7005 proto_tree *tree, packet_info* pinfo, uint32_t offset, uint32_t offset_end, uint8_t hnd_type)
7006{
7007 if (hnd_type == SSL_HND_CLIENT_HELLO ||
7008 hnd_type == SSL_HND_CERT_REQUEST) {
7009 /*
7010 * struct {
7011 * SignatureScheme supported_signature_algorithm<2..2^16-2>;
7012 * } SignatureSchemeList;
7013 */
7014
7015 return ssl_dissect_hash_alg_list(hf, tvb, tree, pinfo, offset, offset_end, NULL((void*)0));
7016 } else {
7017 asn1_ctx_t asn1_ctx;
7018 unsigned pubkey_length, sign_length;
7019
7020 /*
7021 * struct {
7022 * uint32 valid_time;
7023 * SignatureScheme expected_cert_verify_algorithm;
7024 * opaque ASN1_subjectPublicKeyInfo<1..2^24-1>;
7025 * } Credential;
7026 *
7027 * struct {
7028 * Credential cred;
7029 * SignatureScheme algorithm;
7030 * opaque signature<0..2^16-1>;
7031 * } DelegatedCredential;
7032 */
7033
7034 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true1, pinfo);
7035
7036 proto_tree_add_item(tree, hf->hf.hs_cred_valid_time, tvb, offset, 4, ENC_BIG_ENDIAN0x00000000);
7037 offset += 4;
7038
7039 tls_dissect_signature_algorithm(hf, tvb, tree, offset, NULL((void*)0));
7040 offset += 2;
7041
7042 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &pubkey_length,
7043 hf->hf.hs_cred_pubkey_len, 1, G_MAXUINT24((1U << 24) - 1))) {
7044 return offset_end;
7045 }
7046 offset += 3;
7047 dissect_x509af_SubjectPublicKeyInfo(false0, tvb, offset, &asn1_ctx, tree, hf->hf.hs_cred_pubkey);
7048 offset += pubkey_length;
7049
7050 tls_dissect_signature_algorithm(hf, tvb, tree, offset, NULL((void*)0));
7051 offset += 2;
7052
7053 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &sign_length,
7054 hf->hf.hs_cred_signature_len, 1, UINT16_MAX(65535))) {
7055 return offset_end;
7056 }
7057 offset += 2;
7058 proto_tree_add_item(tree, hf->hf.hs_cred_signature,
7059 tvb, offset, sign_length, ENC_ASCII0x00000000|ENC_NA0x00000000);
7060 offset += sign_length;
7061
7062 return offset;
7063 }
7064}
7065
7066static int
7067ssl_dissect_hnd_hello_ext_alps(ssl_common_dissect_t *hf, tvbuff_t *tvb,
7068 packet_info *pinfo, proto_tree *tree,
7069 uint32_t offset, uint32_t offset_end,
7070 uint8_t hnd_type)
7071{
7072
7073 /* https://datatracker.ietf.org/doc/html/draft-vvv-tls-alps-01#section-4 */
7074
7075 switch (hnd_type) {
7076 case SSL_HND_CLIENT_HELLO: {
7077 proto_tree *alps_tree;
7078 proto_item *ti;
7079 uint32_t next_offset, alps_length, name_length;
7080
7081 /*
7082 * opaque ProtocolName<1..2^8-1>;
7083 * struct {
7084 * ProtocolName supported_protocols<2..2^16-1>
7085 * } ApplicationSettingsSupport;
7086 */
7087
7088 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &alps_length,
7089 hf->hf.hs_ext_alps_len, 2, UINT16_MAX(65535))) {
7090 return offset_end;
7091 }
7092 offset += 2;
7093 next_offset = offset + alps_length;
7094
7095 ti = proto_tree_add_item(tree, hf->hf.hs_ext_alps_alpn_list,
7096 tvb, offset, alps_length, ENC_NA0x00000000);
7097 alps_tree = proto_item_add_subtree(ti, hf->ett.hs_ext_alps);
7098
7099 /* Parse list (note missing check for end of vector, ssl_add_vector below
7100 * ensures that data is always available.) */
7101 while (offset < next_offset) {
7102 if (!ssl_add_vector(hf, tvb, pinfo, alps_tree, offset, next_offset, &name_length,
7103 hf->hf.hs_ext_alps_alpn_str_len, 1, UINT8_MAX(255))) {
7104 return next_offset;
7105 }
7106 offset++;
7107
7108 proto_tree_add_item(alps_tree, hf->hf.hs_ext_alps_alpn_str,
7109 tvb, offset, name_length, ENC_ASCII0x00000000|ENC_NA0x00000000);
7110 offset += name_length;
7111 }
7112
7113 return offset;
7114 }
7115 case SSL_HND_ENCRYPTED_EXTS:
7116 /* Opaque blob */
7117 proto_tree_add_item(tree, hf->hf.hs_ext_alps_settings,
7118 tvb, offset, offset_end - offset, ENC_ASCII0x00000000|ENC_NA0x00000000);
7119 break;
7120 }
7121
7122 return offset_end;
7123}
7124
7125static int
7126ssl_dissect_hnd_hello_ext_alpn(ssl_common_dissect_t *hf, tvbuff_t *tvb,
7127 packet_info *pinfo, proto_tree *tree,
7128 uint32_t offset, uint32_t offset_end,
7129 uint8_t hnd_type, SslSession *session,
7130 bool_Bool is_dtls, ja4_data_t *ja4_data)
7131{
7132
7133 /* https://tools.ietf.org/html/rfc7301#section-3.1
7134 * opaque ProtocolName<1..2^8-1>;
7135 * struct {
7136 * ProtocolName protocol_name_list<2..2^16-1>
7137 * } ProtocolNameList;
7138 */
7139 proto_tree *alpn_tree;
7140 proto_item *ti;
7141 uint32_t next_offset, alpn_length, name_length;
7142 const char *proto_name = NULL((void*)0), *client_proto_name = NULL((void*)0);
7143
7144 /* ProtocolName protocol_name_list<2..2^16-1> */
7145 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &alpn_length,
7146 hf->hf.hs_ext_alpn_len, 2, UINT16_MAX(65535))) {
7147 return offset_end;
7148 }
7149 offset += 2;
7150 next_offset = offset + alpn_length;
7151
7152 ti = proto_tree_add_item(tree, hf->hf.hs_ext_alpn_list,
7153 tvb, offset, alpn_length, ENC_NA0x00000000);
7154 alpn_tree = proto_item_add_subtree(ti, hf->ett.hs_ext_alpn);
7155
7156 /* Parse list (note missing check for end of vector, ssl_add_vector below
7157 * ensures that data is always available.) */
7158 while (offset < next_offset) {
7159 /* opaque ProtocolName<1..2^8-1> */
7160 if (!ssl_add_vector(hf, tvb, pinfo, alpn_tree, offset, next_offset, &name_length,
7161 hf->hf.hs_ext_alpn_str_len, 1, UINT8_MAX(255))) {
7162 return next_offset;
7163 }
7164 offset++;
7165
7166 proto_tree_add_item(alpn_tree, hf->hf.hs_ext_alpn_str,
7167 tvb, offset, name_length, ENC_ASCII0x00000000|ENC_NA0x00000000);
7168 if (ja4_data && wmem_strbuf_get_len(ja4_data->alpn) == 0) {
7169 const char alpn_first_char = (char)tvb_get_uint8(tvb,offset);
7170 const char alpn_last_char = (char)tvb_get_uint8(tvb,offset + name_length - 1);
7171 if ((g_ascii_isalnum(alpn_first_char)((g_ascii_table[(guchar) (alpn_first_char)] & G_ASCII_ALNUM
) != 0)
) && g_ascii_isalnum(alpn_last_char)((g_ascii_table[(guchar) (alpn_last_char)] & G_ASCII_ALNUM
) != 0)
) {
7172 wmem_strbuf_append_printf(ja4_data->alpn, "%c%c", alpn_first_char, alpn_last_char);
7173 }
7174 else {
7175 wmem_strbuf_append_printf(ja4_data->alpn, "%x%x",(alpn_first_char >> 4) & 0x0F,
7176 alpn_last_char & 0x0F);
7177 }
7178 }
7179 /* Remember first ALPN ProtocolName entry for server. */
7180 if (hnd_type == SSL_HND_SERVER_HELLO || hnd_type == SSL_HND_ENCRYPTED_EXTENSIONS) {
7181 /* '\0'-terminated string for dissector table match and prefix
7182 * comparison purposes. */
7183 proto_name = (char*)tvb_get_string_enc(pinfo->pool, tvb, offset,
7184 name_length, ENC_ASCII0x00000000);
7185 } else if (hnd_type == SSL_HND_CLIENT_HELLO) {
7186 client_proto_name = (char*)tvb_get_string_enc(pinfo->pool, tvb, offset,
7187 name_length, ENC_ASCII0x00000000);
7188 }
7189 offset += name_length;
7190 }
7191
7192 /* If ALPN is given in ServerHello, then ProtocolNameList MUST contain
7193 * exactly one "ProtocolName". */
7194 if (proto_name) {
7195 dissector_handle_t handle;
7196
7197 session->alpn_name = wmem_strdup(wmem_file_scope(), proto_name);
7198
7199 if (is_dtls) {
7200 handle = dissector_get_string_handle(dtls_alpn_dissector_table,
7201 proto_name);
7202 } else {
7203 handle = dissector_get_string_handle(ssl_alpn_dissector_table,
7204 proto_name);
7205 if (handle == NULL((void*)0)) {
7206 /* Try prefix matching */
7207 for (size_t i = 0; i < G_N_ELEMENTS(ssl_alpn_prefix_match_protocols)(sizeof (ssl_alpn_prefix_match_protocols) / sizeof ((ssl_alpn_prefix_match_protocols
)[0]))
; i++) {
7208 const ssl_alpn_prefix_match_protocol_t *alpn_proto = &ssl_alpn_prefix_match_protocols[i];
7209
7210 /* string_string is inappropriate as it compares strings
7211 * while "byte strings MUST NOT be truncated" (RFC 7301) */
7212 if (g_str_has_prefix(proto_name, alpn_proto->proto_prefix)(__builtin_constant_p (alpn_proto->proto_prefix)? __extension__
({ const char * const __str = (proto_name); const char * const
__prefix = (alpn_proto->proto_prefix); gboolean __result =
(0); if (__str == ((void*)0) || __prefix == ((void*)0)) __result
= (g_str_has_prefix) (__str, __prefix); else { const size_t __str_len
= strlen (((__str) + !(__str))); const size_t __prefix_len =
strlen (((__prefix) + !(__prefix))); if (__str_len >= __prefix_len
) __result = memcmp (((__str) + !(__str)), ((__prefix) + !(__prefix
)), __prefix_len) == 0; } __result; }) : (g_str_has_prefix) (
proto_name, alpn_proto->proto_prefix) )
) {
7213 handle = find_dissector(alpn_proto->dissector_name);
7214 break;
7215 }
7216 }
7217 }
7218 }
7219 if (handle != NULL((void*)0)) {
7220 /* ProtocolName match, so set the App data dissector handle.
7221 * This may override protocols given via the UAT dialog, but
7222 * since the ALPN hint is precise, do it anyway. */
7223 ssl_debug_printf("%s: changing handle %p to %p (%s)", G_STRFUNC((const char*) (__func__)),
7224 (void *)session->app_handle,
7225 (void *)handle,
7226 dissector_handle_get_dissector_name(handle));
7227 session->app_handle = handle;
7228 }
7229 } else if (client_proto_name) {
7230 // No current use for looking up the handle as the only consumer of this API is currently the QUIC dissector
7231 // and it just needs the string since there are/were various HTTP/3 ALPNs to check for.
7232 session->client_alpn_name = wmem_strdup(wmem_file_scope(), client_proto_name);
7233 }
7234
7235 return offset;
7236}
7237
7238static int
7239ssl_dissect_hnd_hello_ext_npn(ssl_common_dissect_t *hf, tvbuff_t *tvb,
7240 packet_info *pinfo, proto_tree *tree,
7241 uint32_t offset, uint32_t offset_end)
7242{
7243 /* https://tools.ietf.org/html/draft-agl-tls-nextprotoneg-04#page-3
7244 * The "extension_data" field of a "next_protocol_negotiation" extension
7245 * in a "ServerHello" contains an optional list of protocols advertised
7246 * by the server. Protocols are named by opaque, non-empty byte strings
7247 * and the list of protocols is serialized as a concatenation of 8-bit,
7248 * length prefixed byte strings. Implementations MUST ensure that the
7249 * empty string is not included and that no byte strings are truncated.
7250 */
7251 uint32_t npn_length;
7252 proto_tree *npn_tree;
7253
7254 /* List is optional, do not add tree if there are no entries. */
7255 if (offset == offset_end) {
7256 return offset;
7257 }
7258
7259 npn_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset, hf->ett.hs_ext_npn, NULL((void*)0), "Next Protocol Negotiation");
7260
7261 while (offset < offset_end) {
7262 /* non-empty, 8-bit length prefixed strings means range 1..255 */
7263 if (!ssl_add_vector(hf, tvb, pinfo, npn_tree, offset, offset_end, &npn_length,
7264 hf->hf.hs_ext_npn_str_len, 1, UINT8_MAX(255))) {
7265 return offset_end;
7266 }
7267 offset++;
7268
7269 proto_tree_add_item(npn_tree, hf->hf.hs_ext_npn_str,
7270 tvb, offset, npn_length, ENC_ASCII0x00000000|ENC_NA0x00000000);
7271 offset += npn_length;
7272 }
7273
7274 return offset;
7275}
7276
7277static int
7278ssl_dissect_hnd_hello_ext_reneg_info(ssl_common_dissect_t *hf, tvbuff_t *tvb,
7279 packet_info *pinfo, proto_tree *tree,
7280 uint32_t offset, uint32_t offset_end)
7281{
7282 /* https://tools.ietf.org/html/rfc5746#section-3.2
7283 * struct {
7284 * opaque renegotiated_connection<0..255>;
7285 * } RenegotiationInfo;
7286 *
7287 */
7288 proto_tree *reneg_info_tree;
7289 uint32_t reneg_info_length;
7290
7291 reneg_info_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset, hf->ett.hs_ext_reneg_info, NULL((void*)0), "Renegotiation Info extension");
7292
7293 /* opaque renegotiated_connection<0..255> */
7294 if (!ssl_add_vector(hf, tvb, pinfo, reneg_info_tree, offset, offset_end, &reneg_info_length,
7295 hf->hf.hs_ext_reneg_info_len, 0, 255)) {
7296 return offset_end;
7297 }
7298 offset++;
7299
7300 if (reneg_info_length > 0) {
7301 proto_tree_add_item(reneg_info_tree, hf->hf.hs_ext_reneg_info, tvb, offset, reneg_info_length, ENC_NA0x00000000);
7302 offset += reneg_info_length;
7303 }
7304
7305 return offset;
7306}
7307
7308static int
7309ssl_dissect_hnd_hello_ext_key_share_entry(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
7310 proto_tree *tree, uint32_t offset, uint32_t offset_end,
7311 const char **group_name_out)
7312{
7313 /* RFC 8446 Section 4.2.8
7314 * struct {
7315 * NamedGroup group;
7316 * opaque key_exchange<1..2^16-1>;
7317 * } KeyShareEntry;
7318 */
7319 uint32_t key_exchange_length, group;
7320 proto_tree *ks_tree;
7321
7322 ks_tree = proto_tree_add_subtree(tree, tvb, offset, 4, hf->ett.hs_ext_key_share_ks, NULL((void*)0), "Key Share Entry");
7323
7324 proto_tree_add_item_ret_uint(ks_tree, hf->hf.hs_ext_key_share_group, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &group);
7325 offset += 2;
7326 const char *group_name = val_to_str(pinfo->pool, group, ssl_extension_curves, "Unknown (%u)");
7327 proto_item_append_text(ks_tree, ": Group: %s", group_name);
7328 if (group_name_out) {
7329 *group_name_out = !IS_GREASE_TLS(group)((((group) & 0x0f0f) == 0x0a0a) && (((group) &
0xff) == (((group)>>8) & 0xff)))
? group_name : NULL((void*)0);
7330 }
7331
7332 /* opaque key_exchange<1..2^16-1> */
7333 if (!ssl_add_vector(hf, tvb, pinfo, ks_tree, offset, offset_end, &key_exchange_length,
7334 hf->hf.hs_ext_key_share_key_exchange_length, 1, UINT16_MAX(65535))) {
7335 return offset_end; /* Bad (possible truncated) length, skip to end of KeyShare extension. */
7336 }
7337 offset += 2;
7338 proto_item_set_len(ks_tree, 2 + 2 + key_exchange_length);
7339 proto_item_append_text(ks_tree, ", Key Exchange length: %u", key_exchange_length);
7340
7341 proto_tree_add_item(ks_tree, hf->hf.hs_ext_key_share_key_exchange, tvb, offset, key_exchange_length, ENC_NA0x00000000);
7342 offset += key_exchange_length;
7343
7344 return offset;
7345}
7346
7347static int
7348ssl_dissect_hnd_hello_ext_key_share(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
7349 proto_tree *tree, uint32_t offset, uint32_t offset_end,
7350 uint8_t hnd_type, SslDecryptSession *ssl)
7351{
7352 proto_tree *key_share_tree;
7353 uint32_t next_offset;
7354 uint32_t client_shares_length;
7355 uint32_t group;
7356 const char *group_name = NULL((void*)0);
7357
7358 if (offset_end <= offset) { /* Check if ext_len == 0 and "overflow" (offset + ext_len) > uint32_t) */
7359 return offset;
7360 }
7361
7362 key_share_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset, hf->ett.hs_ext_key_share, NULL((void*)0), "Key Share extension");
7363
7364 switch(hnd_type){
7365 case SSL_HND_CLIENT_HELLO:
7366 /* KeyShareEntry client_shares<0..2^16-1> */
7367 if (!ssl_add_vector(hf, tvb, pinfo, key_share_tree, offset, offset_end, &client_shares_length,
7368 hf->hf.hs_ext_key_share_client_length, 0, UINT16_MAX(65535))) {
7369 return offset_end;
7370 }
7371 offset += 2;
7372 next_offset = offset + client_shares_length;
7373 const char *sep = " ";
7374 while (offset + 4 <= next_offset) { /* (NamedGroup (2 bytes), key_exchange (1 byte for length, 1 byte minimum data) */
7375 offset = ssl_dissect_hnd_hello_ext_key_share_entry(hf, tvb, pinfo, key_share_tree, offset, next_offset, &group_name);
7376 if (group_name) {
7377 proto_item_append_text(tree, "%s%s", sep, group_name);
7378 sep = ", ";
7379 }
7380 }
7381 if (!ssl_end_vector(hf, tvb, pinfo, key_share_tree, offset, next_offset)) {
7382 return next_offset;
7383 }
7384 break;
7385 case SSL_HND_SERVER_HELLO:
7386 if (ssl) {
7387 ssl->has_key_share = true1;
7388 }
7389 offset = ssl_dissect_hnd_hello_ext_key_share_entry(hf, tvb, pinfo, key_share_tree, offset, offset_end, &group_name);
7390 if (group_name) {
7391 proto_item_append_text(tree, " %s", group_name);
7392 }
7393 break;
7394 case SSL_HND_HELLO_RETRY_REQUEST:
7395 proto_tree_add_item_ret_uint(key_share_tree, hf->hf.hs_ext_key_share_selected_group, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &group);
7396 offset += 2;
7397 group_name = val_to_str(pinfo->pool, group, ssl_extension_curves, "Unknown (%u)");
7398 proto_item_append_text(tree, " %s", group_name);
7399 break;
7400 default: /* no default */
7401 break;
7402 }
7403
7404 return offset;
7405}
7406
7407static int
7408ssl_dissect_hnd_hello_ext_pre_shared_key(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
7409 proto_tree *tree, uint32_t offset, uint32_t offset_end,
7410 uint8_t hnd_type, SslDecryptSession *ssl)
7411{
7412 /* RFC 8446 Section 4.2.11
7413 * struct {
7414 * opaque identity<1..2^16-1>;
7415 * uint32 obfuscated_ticket_age;
7416 * } PskIdentity;
7417 * opaque PskBinderEntry<32..255>;
7418 * struct {
7419 * select (Handshake.msg_type) {
7420 * case client_hello:
7421 * PskIdentity identities<7..2^16-1>;
7422 * PskBinderEntry binders<33..2^16-1>;
7423 * case server_hello:
7424 * uint16 selected_identity;
7425 * };
7426 * } PreSharedKeyExtension;
7427 */
7428
7429 proto_tree *psk_tree;
7430
7431 psk_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset, hf->ett.hs_ext_pre_shared_key, NULL((void*)0), "Pre-Shared Key extension");
7432
7433 switch (hnd_type){
7434 case SSL_HND_CLIENT_HELLO: {
7435 uint32_t identities_length, identities_end, binders_length;
7436
7437 /* PskIdentity identities<7..2^16-1> */
7438 if (!ssl_add_vector(hf, tvb, pinfo, psk_tree, offset, offset_end, &identities_length,
7439 hf->hf.hs_ext_psk_identities_length, 7, UINT16_MAX(65535))) {
7440 return offset_end;
7441 }
7442 offset += 2;
7443 identities_end = offset + identities_length;
7444
7445 while (offset < identities_end) {
7446 uint32_t identity_length;
7447 proto_tree *identity_tree;
7448
7449 identity_tree = proto_tree_add_subtree(psk_tree, tvb, offset, 4, hf->ett.hs_ext_psk_identity, NULL((void*)0), "PSK Identity (");
7450
7451 /* opaque identity<1..2^16-1> */
7452 if (!ssl_add_vector(hf, tvb, pinfo, identity_tree, offset, identities_end, &identity_length,
7453 hf->hf.hs_ext_psk_identity_identity_length, 1, UINT16_MAX(65535))) {
7454 return identities_end;
7455 }
7456 offset += 2;
7457 proto_item_append_text(identity_tree, "length: %u)", identity_length);
7458
7459 proto_tree_add_item(identity_tree, hf->hf.hs_ext_psk_identity_identity, tvb, offset, identity_length, ENC_BIG_ENDIAN0x00000000);
7460 offset += identity_length;
7461
7462 proto_tree_add_item(identity_tree, hf->hf.hs_ext_psk_identity_obfuscated_ticket_age, tvb, offset, 4, ENC_BIG_ENDIAN0x00000000);
7463 offset += 4;
7464
7465 proto_item_set_len(identity_tree, 2 + identity_length + 4);
7466 }
7467 if (!ssl_end_vector(hf, tvb, pinfo, psk_tree, offset, identities_end)) {
7468 offset = identities_end;
7469 }
7470
7471 /* PskBinderEntry binders<33..2^16-1> */
7472 if (!ssl_add_vector(hf, tvb, pinfo, psk_tree, offset, offset_end, &binders_length,
7473 hf->hf.hs_ext_psk_binders_length, 33, UINT16_MAX(65535))) {
7474 return offset_end;
7475 }
7476 offset += 2;
7477
7478 proto_item *binders_item;
7479 proto_tree *binders_tree;
7480 binders_item = proto_tree_add_item(psk_tree, hf->hf.hs_ext_psk_binders, tvb, offset, binders_length, ENC_NA0x00000000);
7481 binders_tree = proto_item_add_subtree(binders_item, hf->ett.hs_ext_psk_binders);
7482 uint32_t binders_end = offset + binders_length;
7483 while (offset < binders_end) {
7484 uint32_t binder_length;
7485 proto_item *binder_item;
7486 proto_tree *binder_tree;
7487
7488 binder_item = proto_tree_add_item(binders_tree, hf->hf.hs_ext_psk_binder, tvb, offset, 1, ENC_NA0x00000000);
7489 binder_tree = proto_item_add_subtree(binder_item, hf->ett.hs_ext_psk_binder);
7490
7491 /* opaque PskBinderEntry<32..255>; */
7492 if (!ssl_add_vector(hf, tvb, pinfo, binder_tree, offset, binders_end, &binder_length,
7493 hf->hf.hs_ext_psk_binder_binder_length, 32, 255)) {
7494 return binders_end;
7495 }
7496 offset += 1;
7497 proto_item_append_text(binder_tree, " (length: %u)", binder_length);
7498
7499 proto_tree_add_item(binder_tree, hf->hf.hs_ext_psk_binder_binder, tvb, offset, binder_length, ENC_BIG_ENDIAN0x00000000);
7500 offset += binder_length;
7501
7502 proto_item_set_end(binder_item, tvb, offset);
7503 }
7504 }
7505 break;
7506 case SSL_HND_SERVER_HELLO: {
7507 if (ssl) {
7508 ssl_debug_printf("%s found pre_shared_key extension\n", G_STRFUNC((const char*) (__func__)));
7509 ssl->has_psk = true1;
7510 }
7511 proto_tree_add_item(psk_tree, hf->hf.hs_ext_psk_identity_selected, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
7512 offset += 2;
7513 }
7514 break;
7515 default:
7516 break;
7517 }
7518
7519 return offset;
7520}
7521
7522static uint32_t
7523ssl_dissect_hnd_hello_ext_early_data(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo _U___attribute__((unused)),
7524 proto_tree *tree, uint32_t offset, uint32_t offset_end _U___attribute__((unused)),
7525 uint8_t hnd_type, SslDecryptSession *ssl)
7526{
7527 /* RFC 8446 Section 4.2.10
7528 * struct {} Empty;
7529 * struct {
7530 * select (Handshake.msg_type) {
7531 * case new_session_ticket: uint32 max_early_data_size;
7532 * case client_hello: Empty;
7533 * case encrypted_extensions: Empty;
7534 * };
7535 * } EarlyDataIndication;
7536 */
7537 switch (hnd_type) {
7538 case SSL_HND_CLIENT_HELLO:
7539 /* Remember that early_data will follow the handshake. */
7540 if (ssl) {
7541 ssl_debug_printf("%s found early_data extension\n", G_STRFUNC((const char*) (__func__)));
7542 ssl->has_early_data = true1;
7543 }
7544 break;
7545 case SSL_HND_NEWSESSION_TICKET:
7546 proto_tree_add_item(tree, hf->hf.hs_ext_max_early_data_size, tvb, offset, 4, ENC_BIG_ENDIAN0x00000000);
7547 offset += 4;
7548 break;
7549 default:
7550 break;
7551 }
7552 return offset;
7553}
7554
7555static uint16_t
7556tls_try_get_version(bool_Bool is_dtls, uint16_t version, uint8_t *draft_version)
7557{
7558 if (draft_version) {
7559 *draft_version = 0;
7560 }
7561 if (!is_dtls) {
7562 uint8_t tls13_draft = extract_tls13_draft_version(version);
7563 if (tls13_draft != 0) {
7564 /* This is TLS 1.3 (a draft version). */
7565 if (draft_version) {
7566 *draft_version = tls13_draft;
7567 }
7568 version = TLSV1DOT3_VERSION0x304;
7569 }
7570 if (version == 0xfb17 || version == 0xfb1a) {
7571 /* Unofficial TLS 1.3 draft version for Facebook fizz. */
7572 tls13_draft = (uint8_t)version;
7573 if (draft_version) {
7574 *draft_version = tls13_draft;
7575 }
7576 version = TLSV1DOT3_VERSION0x304;
7577 }
7578 }
7579
7580 switch (version) {
7581 case SSLV3_VERSION0x300:
7582 case TLSV1_VERSION0x301:
7583 case TLSV1DOT1_VERSION0x302:
7584 case TLSV1DOT2_VERSION0x303:
7585 case TLSV1DOT3_VERSION0x304:
7586 case TLCPV1_VERSION0x101:
7587 if (is_dtls)
7588 return SSL_VER_UNKNOWN0;
7589 break;
7590
7591 case DTLSV1DOT0_VERSION0xfeff:
7592 case DTLSV1DOT0_OPENSSL_VERSION0x100:
7593 case DTLSV1DOT2_VERSION0xfefd:
7594 case DTLSV1DOT3_VERSION0xfefc:
7595 if (!is_dtls)
7596 return SSL_VER_UNKNOWN0;
7597 break;
7598
7599 default: /* invalid version number */
7600 return SSL_VER_UNKNOWN0;
7601 }
7602
7603 return version;
7604}
7605
7606static int
7607ssl_dissect_hnd_hello_ext_supported_versions(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
7608 proto_tree *tree, uint32_t offset, uint32_t offset_end,
7609 SslSession *session, bool_Bool is_dtls, ja4_data_t *ja4_data)
7610{
7611
7612 /* RFC 8446 Section 4.2.1
7613 * struct {
7614 * ProtocolVersion versions<2..254>; // ClientHello
7615 * } SupportedVersions;
7616 * Note that ServerHello and HelloRetryRequest are handled by the caller.
7617 */
7618 uint32_t versions_length, next_offset;
7619 /* ProtocolVersion versions<2..254> */
7620 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &versions_length,
7621 hf->hf.hs_ext_supported_versions_len, 2, 254)) {
7622 return offset_end;
7623 }
7624 offset++;
7625 next_offset = offset + versions_length;
7626
7627 unsigned version;
7628 unsigned current_version, lowest_version = SSL_VER_UNKNOWN0;
7629 uint8_t draft_version, max_draft_version = 0;
7630 const char *sep = " ";
7631 while (offset + 2 <= next_offset) {
7632 proto_tree_add_item_ret_uint(tree, hf->hf.hs_ext_supported_version, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &version);
7633 offset += 2;
7634
7635 if (!IS_GREASE_TLS(version)((((version) & 0x0f0f) == 0x0a0a) && (((version) &
0xff) == (((version)>>8) & 0xff)))
) {
7636 proto_item_append_text(tree, "%s%s", sep, val_to_str(pinfo->pool, version, ssl_versions, "Unknown (0x%04x)"));
7637 sep = ", ";
7638 }
7639
7640 current_version = tls_try_get_version(is_dtls, version, &draft_version);
7641 if (session->version == SSL_VER_UNKNOWN0) {
7642 if (lowest_version == SSL_VER_UNKNOWN0) {
7643 lowest_version = current_version;
7644 } else if (current_version != SSL_VER_UNKNOWN0) {
7645 if (!is_dtls) {
7646 lowest_version = MIN(lowest_version, current_version)(((lowest_version) < (current_version)) ? (lowest_version)
: (current_version))
;
7647 } else {
7648 lowest_version = MAX(lowest_version, current_version)(((lowest_version) > (current_version)) ? (lowest_version)
: (current_version))
;
7649 }
7650 }
7651 }
7652 max_draft_version = MAX(draft_version, max_draft_version)(((draft_version) > (max_draft_version)) ? (draft_version)
: (max_draft_version))
;
7653 if (ja4_data && !IS_GREASE_TLS(version)((((version) & 0x0f0f) == 0x0a0a) && (((version) &
0xff) == (((version)>>8) & 0xff)))
) {
7654 /* The DTLS version numbers get mapped to "00" for unknown per
7655 * JA4 spec, but if JA4 ever does support DTLS we'll probably
7656 * need to take the MIN instead of MAX here for DTLS.
7657 */
7658 ja4_data->max_version = MAX(version, ja4_data->max_version)(((version) > (ja4_data->max_version)) ? (version) : (ja4_data
->max_version))
;
7659 }
7660 }
7661 if (session->version == SSL_VER_UNKNOWN0 && lowest_version != SSL_VER_UNKNOWN0) {
7662 col_set_str(pinfo->cinfo, COL_PROTOCOL,
7663 val_to_str_const(version, ssl_version_short_names, is_dtls ? "DTLS" : "TLS"));
7664 }
7665 if (!ssl_end_vector(hf, tvb, pinfo, tree, offset, next_offset)) {
7666 offset = next_offset;
7667 }
7668
7669 /* XXX remove this when draft 19 support is dropped,
7670 * this is only required for early data decryption. */
7671 if (max_draft_version) {
7672 session->tls13_draft_version = max_draft_version;
7673 }
7674
7675 return offset;
7676}
7677
7678static int
7679ssl_dissect_hnd_hello_ext_cookie(ssl_common_dissect_t *hf, tvbuff_t *tvb,
7680 packet_info *pinfo, proto_tree *tree,
7681 uint32_t offset, uint32_t offset_end)
7682{
7683 /* RFC 8446 Section 4.2.2
7684 * struct {
7685 * opaque cookie<1..2^16-1>;
7686 * } Cookie;
7687 */
7688 uint32_t cookie_length;
7689 /* opaque cookie<1..2^16-1> */
7690 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &cookie_length,
7691 hf->hf.hs_ext_cookie_len, 1, UINT16_MAX(65535))) {
7692 return offset_end;
7693 }
7694 offset += 2;
7695
7696 proto_tree_add_item(tree, hf->hf.hs_ext_cookie, tvb, offset, cookie_length, ENC_NA0x00000000);
7697 offset += cookie_length;
7698
7699 return offset;
7700}
7701
7702static int
7703ssl_dissect_hnd_hello_ext_psk_key_exchange_modes(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
7704 proto_tree *tree, uint32_t offset, uint32_t offset_end)
7705{
7706 /* RFC 8446 Section 4.2.9
7707 * enum { psk_ke(0), psk_dhe_ke(1), (255) } PskKeyExchangeMode;
7708 *
7709 * struct {
7710 * PskKeyExchangeMode ke_modes<1..255>;
7711 * } PskKeyExchangeModes;
7712 */
7713 uint32_t ke_modes_length, next_offset;
7714
7715 /* PskKeyExchangeMode ke_modes<1..255> */
7716 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &ke_modes_length,
7717 hf->hf.hs_ext_psk_ke_modes_length, 1, 255)) {
7718 return offset_end;
7719 }
7720 offset++;
7721 next_offset = offset + ke_modes_length;
7722
7723 while (offset < next_offset) {
7724 proto_tree_add_item(tree, hf->hf.hs_ext_psk_ke_mode, tvb, offset, 1, ENC_NA0x00000000);
7725 offset++;
7726 }
7727
7728 return offset;
7729}
7730
7731static uint32_t
7732ssl_dissect_hnd_hello_ext_certificate_authorities(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
7733 proto_tree *tree, uint32_t offset, uint32_t offset_end)
7734{
7735 /* RFC 8446 Section 4.2.4
7736 * opaque DistinguishedName<1..2^16-1>;
7737 * struct {
7738 * DistinguishedName authorities<3..2^16-1>;
7739 * } CertificateAuthoritiesExtension;
7740 */
7741 return tls_dissect_certificate_authorities(hf, tvb, pinfo, tree, offset, offset_end);
7742}
7743
7744static int
7745ssl_dissect_hnd_hello_ext_oid_filters(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
7746 proto_tree *tree, uint32_t offset, uint32_t offset_end)
7747{
7748 /* RFC 8446 Section 4.2.5
7749 * struct {
7750 * opaque certificate_extension_oid<1..2^8-1>;
7751 * opaque certificate_extension_values<0..2^16-1>;
7752 * } OIDFilter;
7753 * struct {
7754 * OIDFilter filters<0..2^16-1>;
7755 * } OIDFilterExtension;
7756 */
7757 proto_tree *subtree;
7758 uint32_t filters_length, oid_length, values_length, value_offset;
7759 asn1_ctx_t asn1_ctx;
7760 const char *oid, *name;
7761
7762 /* OIDFilter filters<0..2^16-1> */
7763 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &filters_length,
7764 hf->hf.hs_ext_psk_ke_modes_length, 0, UINT16_MAX(65535))) {
7765 return offset_end;
7766 }
7767 offset += 2;
7768 offset_end = offset + filters_length;
7769
7770 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true1, pinfo);
7771
7772 while (offset < offset_end) {
7773 subtree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
7774 hf->ett.hs_ext_oid_filter, NULL((void*)0), "OID Filter");
7775
7776 /* opaque certificate_extension_oid<1..2^8-1> */
7777 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, offset_end, &oid_length,
7778 hf->hf.hs_ext_oid_filters_oid_length, 1, UINT8_MAX(255))) {
7779 return offset_end;
7780 }
7781 offset++;
7782 dissect_ber_object_identifier_str(false0, &asn1_ctx, subtree, tvb, offset,
7783 hf->hf.hs_ext_oid_filters_oid, &oid);
7784 offset += oid_length;
7785
7786 /* Append OID to tree label */
7787 name = oid_resolved_from_string(pinfo->pool, oid);
7788 proto_item_append_text(subtree, " (%s)", name ? name : oid);
7789
7790 /* opaque certificate_extension_values<0..2^16-1> */
7791 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, offset_end, &values_length,
7792 hf->hf.hs_ext_oid_filters_values_length, 0, UINT16_MAX(65535))) {
7793 return offset_end;
7794 }
7795 offset += 2;
7796 proto_item_set_len(subtree, 1 + oid_length + 2 + values_length);
7797 if (values_length > 0) {
7798 value_offset = offset;
7799 value_offset = dissect_ber_identifier(pinfo, subtree, tvb, value_offset, NULL((void*)0), NULL((void*)0), NULL((void*)0));
7800 value_offset = dissect_ber_length(pinfo, subtree, tvb, value_offset, NULL((void*)0), NULL((void*)0));
7801 call_ber_oid_callback(oid, tvb, value_offset, pinfo, subtree, NULL((void*)0));
7802 }
7803 offset += values_length;
7804 }
7805
7806 return offset;
7807}
7808
7809static int
7810ssl_dissect_hnd_hello_ext_server_name(ssl_common_dissect_t *hf, tvbuff_t *tvb,
7811 packet_info *pinfo, proto_tree *tree,
7812 uint32_t offset, uint32_t offset_end)
7813{
7814 /* https://tools.ietf.org/html/rfc6066#section-3
7815 *
7816 * struct {
7817 * NameType name_type;
7818 * select (name_type) {
7819 * case host_name: HostName;
7820 * } name;
7821 * } ServerName;
7822 *
7823 * enum {
7824 * host_name(0), (255)
7825 * } NameType;
7826 *
7827 * opaque HostName<1..2^16-1>;
7828 *
7829 * struct {
7830 * ServerName server_name_list<1..2^16-1>
7831 * } ServerNameList;
7832 */
7833 proto_tree *server_name_tree;
7834 uint32_t list_length, server_name_length, next_offset;
7835
7836 /* The server SHALL include "server_name" extension with empty data. */
7837 if (offset == offset_end) {
7838 return offset;
7839 }
7840
7841 server_name_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset, hf->ett.hs_ext_server_name, NULL((void*)0), "Server Name Indication extension");
7842
7843 /* ServerName server_name_list<1..2^16-1> */
7844 if (!ssl_add_vector(hf, tvb, pinfo, server_name_tree, offset, offset_end, &list_length,
7845 hf->hf.hs_ext_server_name_list_len, 1, UINT16_MAX(65535))) {
7846 return offset_end;
7847 }
7848 offset += 2;
7849 next_offset = offset + list_length;
7850
7851 while (offset < next_offset) {
7852 uint32_t name_type;
7853 const char *server_name = NULL((void*)0);
7854 proto_tree_add_item_ret_uint(server_name_tree, hf->hf.hs_ext_server_name_type,
7855 tvb, offset, 1, ENC_NA0x00000000, &name_type);
7856 offset++;
7857
7858 /* opaque HostName<1..2^16-1> */
7859 if (!ssl_add_vector(hf, tvb, pinfo, server_name_tree, offset, next_offset, &server_name_length,
7860 hf->hf.hs_ext_server_name_len, 1, UINT16_MAX(65535))) {
7861 return next_offset;
7862 }
7863 offset += 2;
7864
7865 proto_tree_add_item_ret_string(server_name_tree, hf->hf.hs_ext_server_name,
7866 tvb, offset, server_name_length, ENC_ASCII0x00000000|ENC_NA0x00000000,
7867 pinfo->pool, (const uint8_t**)&server_name);
7868 offset += server_name_length;
7869 // Each type must only occur once, so we don't check for duplicates.
7870 if (name_type == 0) {
7871 proto_item_append_text(tree, " name=%s", server_name);
7872 col_append_fstr(pinfo->cinfo, COL_INFO, " (SNI=%s)", server_name);
7873
7874 if (gbl_resolv_flags.handshake_sni_addr_resolution) {
7875 // Client Hello: Client (Src) -> Server (Dst)
7876 switch (pinfo->dst.type) {
7877 case AT_IPv4:
7878 if (pinfo->dst.len == sizeof(uint32_t)) {
7879 add_ipv4_name(*(uint32_t *)pinfo->dst.data, server_name, false0);
7880 }
7881 break;
7882 case AT_IPv6:
7883 if (pinfo->dst.len == sizeof(ws_in6_addr)) {
7884 add_ipv6_name(pinfo->dst.data, server_name, false0);
7885 }
7886 break;
7887 }
7888 }
7889 }
7890 }
7891 return offset;
7892}
7893
7894static int
7895ssl_dissect_hnd_hello_ext_session_ticket(ssl_common_dissect_t *hf, tvbuff_t *tvb,
7896 proto_tree *tree, uint32_t offset, uint32_t offset_end, uint8_t hnd_type, SslDecryptSession *ssl)
7897{
7898 unsigned ext_len = offset_end - offset;
7899 if (hnd_type == SSL_HND_CLIENT_HELLO && ssl && ext_len != 0) {
7900 tvb_ensure_bytes_exist(tvb, offset, ext_len);
7901 /* Save the Session Ticket such that it can be used as identifier for
7902 * restoring a previous Master Secret (in ChangeCipherSpec) */
7903 ssl->session_ticket.data = (unsigned char*)wmem_realloc(wmem_file_scope(),
7904 ssl->session_ticket.data, ext_len);
7905 ssl->session_ticket.data_len = ext_len;
7906 tvb_memcpy(tvb,ssl->session_ticket.data, offset, ext_len);
7907 }
7908 proto_tree_add_item(tree, hf->hf.hs_ext_session_ticket,
7909 tvb, offset, ext_len, ENC_NA0x00000000);
7910 return offset + ext_len;
7911}
7912
7913static int
7914ssl_dissect_hnd_hello_ext_cert_type(ssl_common_dissect_t *hf, tvbuff_t *tvb,
7915 proto_tree *tree, uint32_t offset, uint32_t offset_end,
7916 uint8_t hnd_type, uint16_t ext_type, SslSession *session)
7917{
7918 uint8_t cert_list_length;
7919 uint8_t cert_type;
7920 proto_tree *cert_list_tree;
7921 proto_item *ti;
7922
7923 switch(hnd_type){
7924 case SSL_HND_CLIENT_HELLO:
7925 cert_list_length = tvb_get_uint8(tvb, offset);
7926 proto_tree_add_item(tree, hf->hf.hs_ext_cert_types_len,
7927 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
7928 offset += 1;
7929 if (offset_end - offset != (uint32_t)cert_list_length)
7930 return offset;
7931
7932 ti = proto_tree_add_item(tree, hf->hf.hs_ext_cert_types, tvb, offset,
7933 cert_list_length, cert_list_length);
7934 proto_item_append_text(ti, " (%d)", cert_list_length);
7935
7936 /* make this a subtree */
7937 cert_list_tree = proto_item_add_subtree(ti, hf->ett.hs_ext_cert_types);
7938
7939 /* loop over all point formats */
7940 while (cert_list_length > 0)
7941 {
7942 proto_tree_add_item(cert_list_tree, hf->hf.hs_ext_cert_type, tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
7943 offset++;
7944 cert_list_length--;
7945 }
7946 break;
7947 case SSL_HND_SERVER_HELLO:
7948 case SSL_HND_ENCRYPTED_EXTENSIONS:
7949 case SSL_HND_CERTIFICATE:
7950 cert_type = tvb_get_uint8(tvb, offset);
7951 proto_tree_add_item(tree, hf->hf.hs_ext_cert_type, tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
7952 offset += 1;
7953 if (ext_type == SSL_HND_HELLO_EXT_CERT_TYPE9 || ext_type == SSL_HND_HELLO_EXT_CLIENT_CERT_TYPE19) {
7954 session->client_cert_type = cert_type;
7955 }
7956 if (ext_type == SSL_HND_HELLO_EXT_CERT_TYPE9 || ext_type == SSL_HND_HELLO_EXT_SERVER_CERT_TYPE20) {
7957 session->server_cert_type = cert_type;
7958 }
7959 break;
7960 default: /* no default */
7961 break;
7962 }
7963
7964 return offset;
7965}
7966
7967static uint32_t
7968ssl_dissect_hnd_hello_ext_compress_certificate(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
7969 proto_tree *tree, uint32_t offset, uint32_t offset_end,
7970 uint8_t hnd_type, SslDecryptSession *ssl _U___attribute__((unused)))
7971{
7972 uint32_t compress_certificate_algorithms_length, next_offset;
7973
7974 /* https://tools.ietf.org/html/draft-ietf-tls-certificate-compression-03#section-3.0
7975 * enum {
7976 * zlib(1),
7977 * brotli(2),
7978 * (65535)
7979 * } CertificateCompressionAlgorithm;
7980 *
7981 * struct {
7982 * CertificateCompressionAlgorithm algorithms<1..2^8-1>;
7983 * } CertificateCompressionAlgorithms;
7984 */
7985 switch (hnd_type) {
7986 case SSL_HND_CLIENT_HELLO:
7987 case SSL_HND_CERT_REQUEST:
7988 /* CertificateCompressionAlgorithm algorithms<1..2^8-1>;*/
7989 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &compress_certificate_algorithms_length,
7990 hf->hf.hs_ext_compress_certificate_algorithms_length, 1, UINT8_MAX(255)-1)) {
7991 return offset_end;
7992 }
7993 offset += 1;
7994 next_offset = offset + compress_certificate_algorithms_length;
7995
7996 while (offset < next_offset) {
7997 proto_tree_add_item(tree, hf->hf.hs_ext_compress_certificate_algorithm,
7998 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
7999 offset += 2;
8000 }
8001 break;
8002 default:
8003 break;
8004 }
8005
8006 return offset;
8007}
8008
8009static uint32_t
8010ssl_dissect_hnd_hello_ext_token_binding(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8011 proto_tree *tree, uint32_t offset, uint32_t offset_end,
8012 uint8_t hnd_type, SslDecryptSession *ssl _U___attribute__((unused)))
8013{
8014 uint32_t key_parameters_length, next_offset;
8015 proto_item *p_ti;
8016 proto_tree *p_tree;
8017
8018 /* RFC 8472
8019 *
8020 * struct {
8021 * uint8 major;
8022 * uint8 minor;
8023 * } TB_ProtocolVersion;
8024 *
8025 * enum {
8026 * rsa2048_pkcs1.5(0), rsa2048_pss(1), ecdsap256(2), (255)
8027 * } TokenBindingKeyParameters;
8028 *
8029 * struct {
8030 * TB_ProtocolVersion token_binding_version;
8031 * TokenBindingKeyParameters key_parameters_list<1..2^8-1>
8032 * } TokenBindingParameters;
8033 */
8034
8035 switch (hnd_type) {
8036 case SSL_HND_CLIENT_HELLO:
8037 case SSL_HND_SERVER_HELLO:
8038 proto_tree_add_item(tree, hf->hf.hs_ext_token_binding_version_major, tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
8039 offset += 1;
8040 proto_tree_add_item(tree, hf->hf.hs_ext_token_binding_version_minor, tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
8041 offset += 1;
8042
8043 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &key_parameters_length,
8044 hf->hf.hs_ext_token_binding_key_parameters_length, 1, UINT8_MAX(255))) {
8045 return offset_end;
8046 }
8047 offset += 1;
8048 next_offset = offset + key_parameters_length;
8049
8050 p_ti = proto_tree_add_none_format(tree,
8051 hf->hf.hs_ext_token_binding_key_parameters,
8052 tvb, offset, key_parameters_length,
8053 "Key parameters identifiers (%d identifier%s)",
8054 key_parameters_length,
8055 plurality(key_parameters_length, "", "s")((key_parameters_length) == 1 ? ("") : ("s")));
8056 p_tree = proto_item_add_subtree(p_ti, hf->ett.hs_ext_token_binding_key_parameters);
8057
8058 while (offset < next_offset) {
8059 proto_tree_add_item(p_tree, hf->hf.hs_ext_token_binding_key_parameter,
8060 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
8061 offset += 1;
8062 }
8063
8064 if (!ssl_end_vector(hf, tvb, pinfo, p_tree, offset, next_offset)) {
8065 offset = next_offset;
8066 }
8067
8068 break;
8069 default:
8070 break;
8071 }
8072
8073 return offset;
8074}
8075
8076static uint32_t
8077ssl_dissect_hnd_hello_ext_quic_transport_parameters(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8078 proto_tree *tree, uint32_t offset, uint32_t offset_end,
8079 uint8_t hnd_type, SslDecryptSession *ssl _U___attribute__((unused)))
8080{
8081 bool_Bool use_varint_encoding = true1; // Whether this is draft -27 or newer.
8082 uint32_t next_offset;
8083
8084 /* https://tools.ietf.org/html/draft-ietf-quic-transport-25#section-18
8085 *
8086 * Note: the following structures are not literally defined in the spec,
8087 * they instead use an ASCII diagram.
8088 *
8089 * struct {
8090 * uint16 id;
8091 * opaque value<0..2^16-1>;
8092 * } TransportParameter; // before draft -27
8093 * TransportParameter TransportParameters<0..2^16-1>; // before draft -27
8094 *
8095 * struct {
8096 * opaque ipv4Address[4];
8097 * uint16 ipv4Port;
8098 * opaque ipv6Address[16];
8099 * uint16 ipv6Port;
8100 * opaque connectionId<0..18>;
8101 * opaque statelessResetToken[16];
8102 * } PreferredAddress;
8103 */
8104
8105 if (offset_end - offset >= 6 &&
8106 2 + (unsigned)tvb_get_ntohs(tvb, offset) == offset_end - offset &&
8107 6 + (unsigned)tvb_get_ntohs(tvb, offset + 4) <= offset_end - offset) {
8108 // Assume encoding of Transport Parameters draft -26 or older with at
8109 // least one transport parameter that has a valid length.
8110 use_varint_encoding = false0;
8111 }
8112
8113 if (use_varint_encoding) {
8114 next_offset = offset_end;
8115 } else {
8116 uint32_t quic_length;
8117 // Assume draft -26 or earlier.
8118 /* TransportParameter TransportParameters<0..2^16-1>; */
8119 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &quic_length,
8120 hf->hf.hs_ext_quictp_len, 0, UINT16_MAX(65535))) {
8121 return offset_end;
8122 }
8123 offset += 2;
8124 next_offset = offset + quic_length;
8125 }
8126
8127 while (offset < next_offset) {
8128 uint64_t parameter_type; /* 62-bit space */
8129 uint32_t parameter_length;
8130 proto_tree *parameter_tree;
8131 uint32_t parameter_end_offset;
8132 uint64_t value;
8133 uint32_t i;
8134 unsigned len = 0;
8135
8136 parameter_tree = proto_tree_add_subtree(tree, tvb, offset, 2, hf->ett.hs_ext_quictp_parameter,
8137 NULL((void*)0), "Parameter");
8138 /* TransportParameter ID and Length. */
8139 if (use_varint_encoding) {
8140 uint64_t parameter_length64;
8141 unsigned type_len = 0;
8142
8143 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_type,
8144 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &parameter_type, &type_len);
8145 offset += type_len;
8146
8147 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_len,
8148 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &parameter_length64, &len);
8149 parameter_length = (uint32_t)parameter_length64;
8150 offset += len;
8151
8152 proto_item_set_len(parameter_tree, type_len + len + parameter_length);
8153 } else {
8154 parameter_type = tvb_get_ntohs(tvb, offset);
8155 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_type,
8156 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
8157 offset += 2;
8158
8159 /* opaque value<0..2^16-1> */
8160 if (!ssl_add_vector(hf, tvb, pinfo, parameter_tree, offset, next_offset, &parameter_length,
8161 hf->hf.hs_ext_quictp_parameter_len_old, 0, UINT16_MAX(65535))) {
8162 return next_offset;
8163 }
8164 offset += 2;
8165
8166 proto_item_set_len(parameter_tree, 4 + parameter_length);
8167 }
8168
8169 if (IS_GREASE_QUIC(parameter_type)((parameter_type) > 27 ? ((((parameter_type) - 27) % 31) ==
0) : 0)
) {
8170 proto_item_append_text(parameter_tree, ": GREASE");
8171 } else {
8172 proto_item_append_text(parameter_tree, ": %s", val64_to_str_wmem(pinfo->pool, parameter_type, quic_transport_parameter_id, "Unknown 0x%04x"));
8173 }
8174
8175 proto_item_append_text(parameter_tree, " (len=%u)", parameter_length);
8176 parameter_end_offset = offset + parameter_length;
8177
8178 /* Omit the value field if the parameter's length is 0. */
8179 if (parameter_length != 0) {
8180 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_value,
8181 tvb, offset, parameter_length, ENC_NA0x00000000);
8182 }
8183
8184 switch (parameter_type) {
8185 case SSL_HND_QUIC_TP_ORIGINAL_DESTINATION_CONNECTION_ID0x00:
8186 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_original_destination_connection_id,
8187 tvb, offset, parameter_length, ENC_NA0x00000000);
8188 offset += parameter_length;
8189 break;
8190 case SSL_HND_QUIC_TP_MAX_IDLE_TIMEOUT0x01:
8191 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_max_idle_timeout,
8192 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8193 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u" " ms", value);
8194 offset += len;
8195 break;
8196 case SSL_HND_QUIC_TP_STATELESS_RESET_TOKEN0x02:
8197 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_stateless_reset_token,
8198 tvb, offset, 16, ENC_BIG_ENDIAN0x00000000);
8199 quic_add_stateless_reset_token(pinfo, tvb, offset, NULL((void*)0));
8200 offset += 16;
8201 break;
8202 case SSL_HND_QUIC_TP_MAX_UDP_PAYLOAD_SIZE0x03:
8203 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_max_udp_payload_size,
8204 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8205 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8206 /*TODO display expert info about invalid value (< 1252 or >65527) ? */
8207 offset += len;
8208 break;
8209 case SSL_HND_QUIC_TP_INITIAL_MAX_DATA0x04:
8210 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_data,
8211 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8212 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8213 offset += len;
8214 break;
8215 case SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_BIDI_LOCAL0x05:
8216 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_stream_data_bidi_local,
8217 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8218 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8219 offset += len;
8220 break;
8221 case SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_BIDI_REMOTE0x06:
8222 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_stream_data_bidi_remote,
8223 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8224 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8225 offset += len;
8226 break;
8227 case SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_UNI0x07:
8228 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_stream_data_uni,
8229 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8230 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8231 offset += len;
8232 break;
8233 case SSL_HND_QUIC_TP_INITIAL_MAX_STREAMS_UNI0x09:
8234 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_streams_uni,
8235 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8236 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8237 offset += len;
8238 break;
8239 case SSL_HND_QUIC_TP_INITIAL_MAX_STREAMS_BIDI0x08:
8240 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_streams_bidi,
8241 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8242 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8243 offset += len;
8244 break;
8245 case SSL_HND_QUIC_TP_ACK_DELAY_EXPONENT0x0a:
8246 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_ack_delay_exponent,
8247 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, NULL((void*)0), &len);
8248 /*TODO display multiplier (x8) and expert info about invalid value (> 20) ? */
8249 offset += len;
8250 break;
8251 case SSL_HND_QUIC_TP_MAX_ACK_DELAY0x0b:
8252 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_max_ack_delay,
8253 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8254 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8255 offset += len;
8256 break;
8257 case SSL_HND_QUIC_TP_DISABLE_ACTIVE_MIGRATION0x0c:
8258 /* No Payload */
8259 break;
8260 case SSL_HND_QUIC_TP_PREFERRED_ADDRESS0x0d: {
8261 uint32_t connectionid_length;
8262 quic_cid_t cid;
8263
8264 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_ipv4address,
8265 tvb, offset, 4, ENC_BIG_ENDIAN0x00000000);
8266 offset += 4;
8267 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_ipv4port,
8268 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
8269 offset += 2;
8270 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_ipv6address,
8271 tvb, offset, 16, ENC_NA0x00000000);
8272 offset += 16;
8273 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_ipv6port,
8274 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
8275 offset += 2;
8276 /* XXX - Should we add these addresses and ports as addresses that the client
8277 * is allowed / expected to migrate the server address to? Right now we don't
8278 * enforce that (see RFC 9000 Section 9, which implies that while the client
8279 * can migrate to whatever address it wants, it can only migrate the server
8280 * address to the Server's Preferred Address as in 9.6. Also Issue #20165.)
8281 */
8282
8283 if (!ssl_add_vector(hf, tvb, pinfo, parameter_tree, offset, offset_end, &connectionid_length,
8284 hf->hf.hs_ext_quictp_parameter_pa_connectionid_length, 0, 20)) {
8285 break;
8286 }
8287 offset += 1;
8288
8289 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_connectionid,
8290 tvb, offset, connectionid_length, ENC_NA0x00000000);
8291 if (connectionid_length >= 1 && connectionid_length <= QUIC_MAX_CID_LENGTH20) {
8292 cid.len = connectionid_length;
8293 // RFC 9000 5.1.1 "If the preferred_address transport
8294 // parameter is sent, the sequence number of the supplied
8295 // connection ID is 1."
8296 cid.seq_num = 1;
8297 // Multipath draft-07 "Also, the Path Identifier for the
8298 // connection ID specified in the "preferred address"
8299 // transport parameter is 0."
8300 cid.path_id = 0;
8301 tvb_memcpy(tvb, cid.cid, offset, connectionid_length);
8302 quic_add_connection(pinfo, &cid);
8303 }
8304 offset += connectionid_length;
8305
8306 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_statelessresettoken,
8307 tvb, offset, 16, ENC_NA0x00000000);
8308 if (connectionid_length >= 1 && connectionid_length <= QUIC_MAX_CID_LENGTH20) {
8309 quic_add_stateless_reset_token(pinfo, tvb, offset, &cid);
8310 }
8311 offset += 16;
8312 }
8313 break;
8314 case SSL_HND_QUIC_TP_ACTIVE_CONNECTION_ID_LIMIT0x0e:
8315 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_active_connection_id_limit,
8316 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8317 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8318 offset += len;
8319 break;
8320 case SSL_HND_QUIC_TP_INITIAL_SOURCE_CONNECTION_ID0x0f:
8321 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_source_connection_id,
8322 tvb, offset, parameter_length, ENC_NA0x00000000);
8323 offset += parameter_length;
8324 break;
8325 case SSL_HND_QUIC_TP_RETRY_SOURCE_CONNECTION_ID0x10:
8326 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_retry_source_connection_id,
8327 tvb, offset, parameter_length, ENC_NA0x00000000);
8328 offset += parameter_length;
8329 break;
8330 case SSL_HND_QUIC_TP_MAX_DATAGRAM_FRAME_SIZE0x20:
8331 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_max_datagram_frame_size,
8332 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8333 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8334 offset += len;
8335 break;
8336 case SSL_HND_QUIC_TP_CIBIR_ENCODING0x1000:
8337 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_cibir_encoding_length,
8338 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8339 proto_item_append_text(parameter_tree, " Length: %" PRIu64"l" "u", value);
8340 offset += len;
8341 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_cibir_encoding_offset,
8342 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8343 proto_item_append_text(parameter_tree, ", Offset: %" PRIu64"l" "u", value);
8344 offset += len;
8345 break;
8346 case SSL_HND_QUIC_TP_LOSS_BITS0x1057:
8347 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_loss_bits,
8348 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8349 if (len > 0) {
8350 quic_add_loss_bits(pinfo, value);
8351 }
8352 offset += 1;
8353 break;
8354 case SSL_HND_QUIC_TP_ADDRESS_DISCOVERY0x9f81a176:
8355 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_address_discovery,
8356 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, NULL((void*)0), &len);
8357 offset += len;
8358 break;
8359 case SSL_HND_QUIC_TP_MIN_ACK_DELAY_OLD0xde1a:
8360 case SSL_HND_QUIC_TP_MIN_ACK_DELAY_DRAFT_V10xFF03DE1A:
8361 case SSL_HND_QUIC_TP_MIN_ACK_DELAY_DRAFT050xff04de1a:
8362 case SSL_HND_QUIC_TP_MIN_ACK_DELAY0xff04de1b:
8363 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_min_ack_delay,
8364 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8365 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8366 offset += len;
8367 break;
8368 case SSL_HND_QUIC_TP_GOOGLE_USER_AGENT0x3129:
8369 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_user_agent_id,
8370 tvb, offset, parameter_length, ENC_ASCII0x00000000|ENC_NA0x00000000);
8371 offset += parameter_length;
8372 break;
8373 case SSL_HND_QUIC_TP_GOOGLE_KEY_UPDATE_NOT_YET_SUPPORTED0x312B:
8374 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_key_update_not_yet_supported,
8375 tvb, offset, parameter_length, ENC_NA0x00000000);
8376 offset += parameter_length;
8377 break;
8378 case SSL_HND_QUIC_TP_GOOGLE_QUIC_VERSION0x4752:
8379 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_quic_version,
8380 tvb, offset, 4, ENC_BIG_ENDIAN0x00000000);
8381 offset += 4;
8382 if (hnd_type == SSL_HND_ENCRYPTED_EXTENSIONS) { /* From server */
8383 uint32_t versions_length;
8384
8385 proto_tree_add_item_ret_uint(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_supported_versions_length,
8386 tvb, offset, 1, ENC_NA0x00000000, &versions_length);
8387 offset += 1;
8388 for (i = 0; i < versions_length / 4; i++) {
8389 quic_proto_tree_add_version(tvb, parameter_tree,
8390 hf->hf.hs_ext_quictp_parameter_google_supported_version, offset);
8391 offset += 4;
8392 }
8393 }
8394 break;
8395 case SSL_HND_QUIC_TP_GOOGLE_INITIAL_RTT0x3127:
8396 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_initial_rtt,
8397 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8398 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u" " us", value);
8399 offset += len;
8400 break;
8401 case SSL_HND_QUIC_TP_GOOGLE_SUPPORT_HANDSHAKE_DONE0x312A:
8402 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_support_handshake_done,
8403 tvb, offset, parameter_length, ENC_NA0x00000000);
8404 offset += parameter_length;
8405 break;
8406 case SSL_HND_QUIC_TP_GOOGLE_QUIC_PARAMS0x4751:
8407 /* This field was used for non-standard Google-specific parameters encoded as a
8408 * Google QUIC_CRYPTO CHLO and it has been replaced (version >= T051) by individual
8409 * parameters. Report it as a bytes blob... */
8410 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_quic_params,
8411 tvb, offset, parameter_length, ENC_NA0x00000000);
8412 /* ... and try decoding it: not sure what the first 4 bytes are (but they seems to be always 0) */
8413 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_quic_params_unknown_field,
8414 tvb, offset, 4, ENC_NA0x00000000);
8415 dissect_gquic_tags(tvb, pinfo, parameter_tree, offset + 4);
8416 offset += parameter_length;
8417 break;
8418 case SSL_HND_QUIC_TP_GOOGLE_CONNECTION_OPTIONS0x3128:
8419 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_connection_options,
8420 tvb, offset, parameter_length, ENC_NA0x00000000);
8421 offset += parameter_length;
8422 break;
8423 case SSL_HND_QUIC_TP_ENABLE_TIME_STAMP0x7157:
8424 /* No Payload */
8425 break;
8426 case SSL_HND_QUIC_TP_ENABLE_TIME_STAMP_V20x7158:
8427 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_enable_time_stamp_v2,
8428 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8429 offset += parameter_length;
8430 break;
8431 case SSL_HND_QUIC_TP_VERSION_INFORMATION_DRAFT0xff73db:
8432 case SSL_HND_QUIC_TP_VERSION_INFORMATION0x11:
8433 quic_proto_tree_add_version(tvb, parameter_tree,
8434 hf->hf.hs_ext_quictp_parameter_chosen_version, offset);
8435 offset += 4;
8436 for (i = 4; i < parameter_length; i += 4) {
8437 quic_proto_tree_add_version(tvb, parameter_tree,
8438 hf->hf.hs_ext_quictp_parameter_other_version, offset);
8439 offset += 4;
8440 }
8441 break;
8442 case SSL_HND_QUIC_TP_GREASE_QUIC_BIT0x2ab2:
8443 /* No Payload */
8444 quic_add_grease_quic_bit(pinfo);
8445 break;
8446 case SSL_HND_QUIC_TP_FACEBOOK_PARTIAL_RELIABILITY0xFF00:
8447 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_facebook_partial_reliability,
8448 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8449 offset += parameter_length;
8450 break;
8451 case SSL_HND_QUIC_TP_ENABLE_MULTIPATH_DRAFT040x0f739bbc1b666d04:
8452 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_enable_multipath,
8453 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8454 if (value == 1) {
8455 quic_add_multipath(pinfo, QUIC_MP_NO_PATH_ID1);
8456 }
8457 offset += parameter_length;
8458 break;
8459 case SSL_HND_QUIC_TP_ENABLE_MULTIPATH_DRAFT050x0f739bbc1b666d05:
8460 case SSL_HND_QUIC_TP_ENABLE_MULTIPATH0x0f739bbc1b666d06:
8461 /* No Payload */
8462 quic_add_multipath(pinfo, QUIC_MP_NO_PATH_ID1);
8463 break;
8464 case SSL_HND_QUIC_TP_INITIAL_MAX_PATHS0x0f739bbc1b666d07:
8465 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_paths,
8466 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8467 if (value > 1) {
8468 quic_add_multipath(pinfo, QUIC_MP_PATH_ID2);
8469 }
8470 /* multipath draft-07: "The value of the initial_max_paths
8471 * parameter MUST be at least 2." TODO: Expert Info? */
8472 offset += parameter_length;
8473 break;
8474 case SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT090x0f739bbc1b666d09:
8475 case SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT110x0f739bbc1b666d11:
8476 case SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT120x0f739bbc1b666d0c:
8477 case SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT130x0f739bbc1b666d0d:
8478 case SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID0x3e:
8479 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_path_id,
8480 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8481 /* multipath draft-09 and later: "If an endpoint receives an
8482 * initial_max_path_id transport parameter with value 0, the
8483 * peer aims to enable the multipath extension without allowing
8484 * extra paths immediately."
8485 */
8486 quic_add_multipath(pinfo, QUIC_MP_PATH_ID2);
8487 offset += parameter_length;
8488 break;
8489 default:
8490 offset += parameter_length;
8491 /*TODO display expert info about unknown ? */
8492 break;
8493 }
8494
8495 if (!ssl_end_vector(hf, tvb, pinfo, parameter_tree, offset, parameter_end_offset)) {
8496 /* Dissection did not end at expected location, fix it. */
8497 offset = parameter_end_offset;
8498 }
8499 }
8500
8501 return offset;
8502}
8503
8504static int
8505ssl_dissect_hnd_hello_common(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8506 proto_tree *tree, uint32_t offset,
8507 SslSession *session, SslDecryptSession *ssl,
8508 bool_Bool from_server, bool_Bool is_hrr)
8509{
8510 uint8_t sessid_length;
8511 proto_item *ti;
8512 proto_tree *rnd_tree;
8513 proto_tree *ti_rnd;
8514 proto_tree *ech_confirm_tree;
8515 uint8_t draft_version = session->tls13_draft_version;
8516
8517 if (ssl) {
8518 StringInfo *rnd;
8519 if (from_server)
8520 rnd = &ssl->server_random;
8521 else
8522 rnd = &ssl->client_random;
8523
8524 /* save provided random for later keyring generation */
8525 tvb_memcpy(tvb, rnd->data, offset, 32);
8526 rnd->data_len = 32;
8527 if (from_server)
8528 ssl->state |= SSL_SERVER_RANDOM(1<<1);
8529 else
8530 ssl->state |= SSL_CLIENT_RANDOM(1<<0);
8531 ssl_debug_printf("%s found %s RANDOM -> state 0x%02X\n", G_STRFUNC((const char*) (__func__)),
8532 from_server ? "SERVER" : "CLIENT", ssl->state);
8533 }
8534
8535 if (!from_server && session->client_random.data_len == 0) {
8536 session->client_random.data_len = 32;
8537 tvb_memcpy(tvb, session->client_random.data, offset, 32);
8538 }
8539
8540 ti_rnd = proto_tree_add_item(tree, hf->hf.hs_random, tvb, offset, 32, ENC_NA0x00000000);
8541
8542 if ((session->version != TLSV1DOT3_VERSION0x304) && (session->version != DTLSV1DOT3_VERSION0xfefc)) { /* No time on first bytes random with TLS 1.3 */
8543
8544 rnd_tree = proto_item_add_subtree(ti_rnd, hf->ett.hs_random);
8545 /* show the time */
8546 proto_tree_add_item(rnd_tree, hf->hf.hs_random_time,
8547 tvb, offset, 4, ENC_TIME_SECS0x00000012|ENC_BIG_ENDIAN0x00000000);
8548 offset += 4;
8549
8550 /* show the random bytes */
8551 proto_tree_add_item(rnd_tree, hf->hf.hs_random_bytes,
8552 tvb, offset, 28, ENC_NA0x00000000);
8553 offset += 28;
8554 } else {
8555 if (is_hrr) {
8556 proto_item_append_text(ti_rnd, " (HelloRetryRequest magic)");
8557 } else if (from_server && session->ech) {
8558 ech_confirm_tree = proto_item_add_subtree(ti_rnd, hf->ett.hs_random);
8559 proto_tree_add_item(ech_confirm_tree, hf->hf.hs_ech_confirm, tvb, offset + 24, 8, ENC_NA0x00000000);
8560 ti = proto_tree_add_bytes_with_length(ech_confirm_tree, hf->hf.hs_ech_confirm_compute, tvb, offset + 24, 0,
8561 session->ech_confirmation, 8);
8562 proto_item_set_generated(ti);
8563 if (memcmp(session->ech_confirmation, tvb_get_ptr(tvb, offset+24, 8), 8)) {
8564 expert_add_info(pinfo, ti, &hf->ei.ech_rejected);
8565 } else {
8566 expert_add_info(pinfo, ti, &hf->ei.ech_accepted);
8567 }
8568 }
8569
8570 offset += 32;
8571 }
8572
8573 /* No Session ID with TLS 1.3 on Server Hello before draft -22 */
8574 if (from_server == 0 || !(session->version == TLSV1DOT3_VERSION0x304 && draft_version > 0 && draft_version < 22)) {
8575 /* show the session id (length followed by actual Session ID) */
8576 sessid_length = tvb_get_uint8(tvb, offset);
8577 proto_tree_add_item(tree, hf->hf.hs_session_id_len,
8578 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
8579 offset++;
8580
8581 if (ssl) {
8582 /* save the authoritative SID for later use in ChangeCipherSpec.
8583 * (D)TLS restricts the SID to 32 chars, it does not make sense to
8584 * save more, so ignore larger ones. To support ECH, also save
8585 * the SID from the ClientHelloOuter. */
8586 if (sessid_length <= 32 && (from_server || sessid_length > 0)) {
8587 tvb_memcpy(tvb, ssl->session_id.data, offset, sessid_length);
8588 ssl->session_id.data_len = sessid_length;
8589 }
8590 }
8591 if (sessid_length > 0) {
8592 proto_tree_add_item(tree, hf->hf.hs_session_id,
8593 tvb, offset, sessid_length, ENC_NA0x00000000);
8594 offset += sessid_length;
8595 }
8596 }
8597
8598 return offset;
8599}
8600
8601static int
8602ssl_dissect_hnd_hello_ext_status_request(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8603 proto_tree *tree, uint32_t offset, uint32_t offset_end,
8604 bool_Bool has_length)
8605{
8606 /* TLS 1.2/1.3 status_request Client Hello Extension.
8607 * TLS 1.2 status_request_v2 CertificateStatusRequestItemV2 type.
8608 * https://tools.ietf.org/html/rfc6066#section-8 (status_request)
8609 * https://tools.ietf.org/html/rfc6961#section-2.2 (status_request_v2)
8610 * struct {
8611 * CertificateStatusType status_type;
8612 * uint16 request_length; // for status_request_v2
8613 * select (status_type) {
8614 * case ocsp: OCSPStatusRequest;
8615 * case ocsp_multi: OCSPStatusRequest;
8616 * } request;
8617 * } CertificateStatusRequest; // CertificateStatusRequestItemV2
8618 *
8619 * enum { ocsp(1), ocsp_multi(2), (255) } CertificateStatusType;
8620 * struct {
8621 * ResponderID responder_id_list<0..2^16-1>;
8622 * Extensions request_extensions;
8623 * } OCSPStatusRequest;
8624 * opaque ResponderID<1..2^16-1>;
8625 * opaque Extensions<0..2^16-1>;
8626 */
8627 unsigned cert_status_type;
8628
8629 cert_status_type = tvb_get_uint8(tvb, offset);
8630 proto_tree_add_item(tree, hf->hf.hs_ext_cert_status_type,
8631 tvb, offset, 1, ENC_NA0x00000000);
8632 offset++;
8633
8634 if (has_length) {
8635 proto_tree_add_item(tree, hf->hf.hs_ext_cert_status_request_len,
8636 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
8637 offset += 2;
8638 }
8639
8640 switch (cert_status_type) {
8641 case SSL_HND_CERT_STATUS_TYPE_OCSP1:
8642 case SSL_HND_CERT_STATUS_TYPE_OCSP_MULTI2:
8643 {
8644 uint32_t responder_id_list_len;
8645 uint32_t request_extensions_len;
8646
8647 /* ResponderID responder_id_list<0..2^16-1> */
8648 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &responder_id_list_len,
8649 hf->hf.hs_ext_cert_status_responder_id_list_len, 0, UINT16_MAX(65535))) {
8650 return offset_end;
8651 }
8652 offset += 2;
8653 if (responder_id_list_len != 0) {
8654 proto_tree_add_expert_format(tree, pinfo, &hf->ei.hs_ext_cert_status_undecoded,
8655 tvb, offset, responder_id_list_len,
8656 "Responder ID list is not implemented, contact Wireshark"
8657 " developers if you want this to be supported");
8658 }
8659 offset += responder_id_list_len;
8660
8661 /* opaque Extensions<0..2^16-1> */
8662 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &request_extensions_len,
8663 hf->hf.hs_ext_cert_status_request_extensions_len, 0, UINT16_MAX(65535))) {
8664 return offset_end;
8665 }
8666 offset += 2;
8667 if (request_extensions_len != 0) {
8668 proto_tree_add_expert_format(tree, pinfo, &hf->ei.hs_ext_cert_status_undecoded,
8669 tvb, offset, request_extensions_len,
8670 "Request Extensions are not implemented, contact"
8671 " Wireshark developers if you want this to be supported");
8672 }
8673 offset += request_extensions_len;
8674 break;
8675 }
8676 }
8677
8678 return offset;
8679}
8680
8681static unsigned
8682ssl_dissect_hnd_hello_ext_status_request_v2(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8683 proto_tree *tree, uint32_t offset, uint32_t offset_end)
8684{
8685 /* https://tools.ietf.org/html/rfc6961#section-2.2
8686 * struct {
8687 * CertificateStatusRequestItemV2 certificate_status_req_list<1..2^16-1>;
8688 * } CertificateStatusRequestListV2;
8689 */
8690 uint32_t req_list_length, next_offset;
8691
8692 /* CertificateStatusRequestItemV2 certificate_status_req_list<1..2^16-1> */
8693 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &req_list_length,
8694 hf->hf.hs_ext_cert_status_request_list_len, 1, UINT16_MAX(65535))) {
8695 return offset_end;
8696 }
8697 offset += 2;
8698 next_offset = offset + req_list_length;
8699
8700 while (offset < next_offset) {
8701 offset = ssl_dissect_hnd_hello_ext_status_request(hf, tvb, pinfo, tree, offset, next_offset, true1);
8702 }
8703
8704 return offset;
8705}
8706
8707static uint32_t
8708tls_dissect_ocsp_response(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
8709 uint32_t offset, uint32_t offset_end)
8710{
8711 uint32_t response_length;
8712 proto_item *ocsp_resp;
8713 proto_tree *ocsp_resp_tree;
8714 asn1_ctx_t asn1_ctx;
8715
8716 /* opaque OCSPResponse<1..2^24-1>; */
8717 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &response_length,
8718 hf->hf.hs_ocsp_response_len, 1, G_MAXUINT24((1U << 24) - 1))) {
8719 return offset_end;
8720 }
8721 offset += 3;
8722
8723 ocsp_resp = proto_tree_add_item(tree, proto_ocsp, tvb, offset,
8724 response_length, ENC_BIG_ENDIAN0x00000000);
8725 proto_item_set_text(ocsp_resp, "OCSP Response");
8726 ocsp_resp_tree = proto_item_add_subtree(ocsp_resp, hf->ett.ocsp_response);
8727 if (proto_is_protocol_enabled(find_protocol_by_id(proto_ocsp))) {
8728 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true1, pinfo);
8729 dissect_ocsp_OCSPResponse(false0, tvb, offset, &asn1_ctx, ocsp_resp_tree, -1);
8730 }
8731 offset += response_length;
8732
8733 return offset;
8734}
8735
8736uint32_t
8737tls_dissect_hnd_certificate_status(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8738 proto_tree *tree, uint32_t offset, uint32_t offset_end)
8739{
8740 /* TLS 1.2 "CertificateStatus" handshake message.
8741 * TLS 1.3 "status_request" Certificate extension.
8742 * struct {
8743 * CertificateStatusType status_type;
8744 * select (status_type) {
8745 * case ocsp: OCSPResponse;
8746 * case ocsp_multi: OCSPResponseList; // status_request_v2
8747 * } response;
8748 * } CertificateStatus;
8749 * opaque OCSPResponse<1..2^24-1>;
8750 * struct {
8751 * OCSPResponse ocsp_response_list<1..2^24-1>;
8752 * } OCSPResponseList; // status_request_v2
8753 */
8754 uint32_t status_type, resp_list_length, next_offset;
8755
8756 proto_tree_add_item_ret_uint(tree, hf->hf.hs_ext_cert_status_type,
8757 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000, &status_type);
8758 offset += 1;
8759
8760 switch (status_type) {
8761 case SSL_HND_CERT_STATUS_TYPE_OCSP1:
8762 offset = tls_dissect_ocsp_response(hf, tvb, pinfo, tree, offset, offset_end);
8763 break;
8764
8765 case SSL_HND_CERT_STATUS_TYPE_OCSP_MULTI2:
8766 /* OCSPResponse ocsp_response_list<1..2^24-1> */
8767 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &resp_list_length,
8768 hf->hf.hs_ocsp_response_list_len, 1, G_MAXUINT24((1U << 24) - 1))) {
8769 return offset_end;
8770 }
8771 offset += 3;
8772 next_offset = offset + resp_list_length;
8773
8774 while (offset < next_offset) {
8775 offset = tls_dissect_ocsp_response(hf, tvb, pinfo, tree, offset, next_offset);
8776 }
8777 break;
8778 }
8779
8780 return offset;
8781}
8782
8783static unsigned
8784ssl_dissect_hnd_hello_ext_supported_groups(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8785 proto_tree *tree, uint32_t offset, uint32_t offset_end,
8786 wmem_strbuf_t *ja3)
8787{
8788 /* RFC 8446 Section 4.2.7
8789 * enum { ..., (0xFFFF) } NamedGroup;
8790 * struct {
8791 * NamedGroup named_group_list<2..2^16-1>
8792 * } NamedGroupList;
8793 *
8794 * NOTE: "NamedCurve" (RFC 4492) is renamed to "NamedGroup" (RFC 7919) and
8795 * the extension itself from "elliptic_curves" to "supported_groups".
8796 */
8797 uint32_t groups_length, next_offset;
8798 proto_tree *groups_tree;
8799 proto_item *ti;
8800 char *ja3_dash = "";
8801
8802 /* NamedGroup named_group_list<2..2^16-1> */
8803 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &groups_length,
8804 hf->hf.hs_ext_supported_groups_len, 2, UINT16_MAX(65535))) {
8805 return offset_end;
8806 }
8807 offset += 2;
8808 next_offset = offset + groups_length;
8809
8810 ti = proto_tree_add_none_format(tree,
8811 hf->hf.hs_ext_supported_groups,
8812 tvb, offset, groups_length,
8813 "Supported Groups (%d group%s)",
8814 groups_length / 2,
8815 plurality(groups_length/2, "", "s")((groups_length/2) == 1 ? ("") : ("s")));
8816
8817 /* make this a subtree */
8818 groups_tree = proto_item_add_subtree(ti, hf->ett.hs_ext_groups);
8819
8820 if (ja3) {
8821 wmem_strbuf_append_c(ja3, ',');
8822 }
8823 /* loop over all groups */
8824 while (offset + 2 <= offset_end) {
8825 uint32_t ext_supported_group;
8826
8827 proto_tree_add_item_ret_uint(groups_tree, hf->hf.hs_ext_supported_group, tvb, offset, 2,
8828 ENC_BIG_ENDIAN0x00000000, &ext_supported_group);
8829 offset += 2;
8830 if (ja3 && !IS_GREASE_TLS(ext_supported_group)((((ext_supported_group) & 0x0f0f) == 0x0a0a) && (
((ext_supported_group) & 0xff) == (((ext_supported_group)
>>8) & 0xff)))
) {
8831 wmem_strbuf_append_printf(ja3, "%s%i",ja3_dash, ext_supported_group);
8832 ja3_dash = "-";
8833 }
8834 }
8835 if (!ssl_end_vector(hf, tvb, pinfo, groups_tree, offset, next_offset)) {
8836 offset = next_offset;
8837 }
8838
8839 return offset;
8840}
8841
8842static int
8843ssl_dissect_hnd_hello_ext_ec_point_formats(ssl_common_dissect_t *hf, tvbuff_t *tvb,
8844 proto_tree *tree, uint32_t offset, wmem_strbuf_t *ja3)
8845{
8846 uint8_t ecpf_length;
8847 proto_tree *ecpf_tree;
8848 proto_item *ti;
8849
8850 ecpf_length = tvb_get_uint8(tvb, offset);
8851 proto_tree_add_item(tree, hf->hf.hs_ext_ec_point_formats_len,
8852 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
8853
8854 offset += 1;
8855 ti = proto_tree_add_none_format(tree,
8856 hf->hf.hs_ext_ec_point_formats,
8857 tvb, offset, ecpf_length,
8858 "Elliptic curves point formats (%d)",
8859 ecpf_length);
8860
8861 /* make this a subtree */
8862 ecpf_tree = proto_item_add_subtree(ti, hf->ett.hs_ext_curves_point_formats);
8863
8864 if (ja3) {
8865 wmem_strbuf_append_c(ja3, ',');
8866 }
8867
8868 /* loop over all point formats */
8869 while (ecpf_length > 0)
8870 {
8871 uint32_t ext_ec_point_format;
8872
8873 proto_tree_add_item_ret_uint(ecpf_tree, hf->hf.hs_ext_ec_point_format, tvb, offset, 1,
8874 ENC_BIG_ENDIAN0x00000000, &ext_ec_point_format);
8875 offset++;
8876 ecpf_length--;
8877 if (ja3) {
8878 wmem_strbuf_append_printf(ja3, "%i", ext_ec_point_format);
8879 if (ecpf_length > 0) {
8880 wmem_strbuf_append_c(ja3, '-');
8881 }
8882 }
8883 }
8884
8885 return offset;
8886}
8887
8888static int
8889ssl_dissect_hnd_hello_ext_srp(ssl_common_dissect_t *hf, tvbuff_t *tvb,
8890 packet_info *pinfo, proto_tree *tree,
8891 uint32_t offset, uint32_t next_offset)
8892{
8893 /* https://tools.ietf.org/html/rfc5054#section-2.8.1
8894 * opaque srp_I<1..2^8-1>;
8895 */
8896 uint32_t username_len;
8897
8898 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, next_offset, &username_len,
8899 hf->hf.hs_ext_srp_len, 1, UINT8_MAX(255))) {
8900 return next_offset;
8901 }
8902 offset++;
8903
8904 proto_tree_add_item(tree, hf->hf.hs_ext_srp_username,
8905 tvb, offset, username_len, ENC_UTF_80x00000002|ENC_NA0x00000000);
8906 offset += username_len;
8907
8908 return offset;
8909}
8910
8911static uint32_t
8912tls_dissect_sct(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
8913 uint32_t offset, uint32_t offset_end, uint16_t version)
8914{
8915 /* https://tools.ietf.org/html/rfc6962#section-3.2
8916 * enum { v1(0), (255) } Version;
8917 * struct {
8918 * opaque key_id[32];
8919 * } LogID;
8920 * opaque CtExtensions<0..2^16-1>;
8921 * struct {
8922 * Version sct_version;
8923 * LogID id;
8924 * uint64 timestamp;
8925 * CtExtensions extensions;
8926 * digitally-signed struct { ... };
8927 * } SignedCertificateTimestamp;
8928 */
8929 uint32_t sct_version;
8930 uint64_t sct_timestamp_ms;
8931 nstime_t sct_timestamp;
8932 uint32_t exts_len;
8933 const char *log_name;
8934
8935 proto_tree_add_item_ret_uint(tree, hf->hf.sct_sct_version, tvb, offset, 1, ENC_NA0x00000000, &sct_version);
8936 offset++;
8937 if (sct_version != 0) {
8938 // TODO expert info about unknown SCT version?
8939 return offset;
8940 }
8941 proto_tree_add_item(tree, hf->hf.sct_sct_logid, tvb, offset, 32, ENC_BIG_ENDIAN0x00000000);
8942 log_name = bytesval_to_str_wmem(pinfo->pool, tvb_get_ptr(tvb, offset, 32), 32, ct_logids, "Unknown Log");
8943 proto_item_append_text(tree, " (%s)", log_name);
8944 offset += 32;
8945 sct_timestamp_ms = tvb_get_ntoh64(tvb, offset);
8946 sct_timestamp.secs = (time_t)(sct_timestamp_ms / 1000);
8947 sct_timestamp.nsecs = (int)((sct_timestamp_ms % 1000) * 1000000);
8948 proto_tree_add_time(tree, hf->hf.sct_sct_timestamp, tvb, offset, 8, &sct_timestamp);
8949 offset += 8;
8950 /* opaque CtExtensions<0..2^16-1> */
8951 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &exts_len,
8952 hf->hf.sct_sct_extensions_length, 0, UINT16_MAX(65535))) {
8953 return offset_end;
8954 }
8955 offset += 2;
8956 if (exts_len > 0) {
8957 proto_tree_add_item(tree, hf->hf.sct_sct_extensions, tvb, offset, exts_len, ENC_BIG_ENDIAN0x00000000);
8958 offset += exts_len;
8959 }
8960 offset = ssl_dissect_digitally_signed(hf, tvb, pinfo, tree, offset, offset_end, version,
8961 hf->hf.sct_sct_signature_length,
8962 hf->hf.sct_sct_signature);
8963 return offset;
8964}
8965
8966uint32_t
8967tls_dissect_sct_list(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
8968 uint32_t offset, uint32_t offset_end, uint16_t version)
8969{
8970 /* https://tools.ietf.org/html/rfc6962#section-3.3
8971 * opaque SerializedSCT<1..2^16-1>;
8972 * struct {
8973 * SerializedSCT sct_list <1..2^16-1>;
8974 * } SignedCertificateTimestampList;
8975 */
8976 uint32_t list_length, sct_length, next_offset;
8977 proto_tree *subtree;
8978
8979 /* SerializedSCT sct_list <1..2^16-1> */
8980 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &list_length,
8981 hf->hf.sct_scts_length, 1, UINT16_MAX(65535))) {
8982 return offset_end;
8983 }
8984 offset += 2;
8985
8986 while (offset < offset_end) {
8987 subtree = proto_tree_add_subtree(tree, tvb, offset, 2, hf->ett.sct, NULL((void*)0), "Signed Certificate Timestamp");
8988
8989 /* opaque SerializedSCT<1..2^16-1> */
8990 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, offset_end, &sct_length,
8991 hf->hf.sct_sct_length, 1, UINT16_MAX(65535))) {
8992 return offset_end;
8993 }
8994 offset += 2;
8995 next_offset = offset + sct_length;
8996 proto_item_set_len(subtree, 2 + sct_length);
8997 offset = tls_dissect_sct(hf, tvb, pinfo, subtree, offset, next_offset, version);
8998 if (!ssl_end_vector(hf, tvb, pinfo, subtree, offset, next_offset)) {
8999 offset = next_offset;
9000 }
9001 }
9002
9003 return offset;
9004}
9005
9006static int
9007dissect_ech_hpke_cipher_suite(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo _U___attribute__((unused)),
9008 proto_tree *tree, uint32_t offset)
9009{
9010 uint32_t kdf_id, aead_id;
9011 proto_item *cs_ti;
9012 proto_tree *cs_tree;
9013
9014 cs_ti = proto_tree_add_item(tree, hf->hf.ech_hpke_keyconfig_cipher_suite,
9015 tvb, offset, 4, ENC_NA0x00000000);
9016 cs_tree = proto_item_add_subtree(cs_ti, hf->ett.ech_hpke_cipher_suite);
9017
9018 proto_tree_add_item_ret_uint(cs_tree, hf->hf.ech_hpke_keyconfig_cipher_suite_kdf_id,
9019 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &kdf_id);
9020 offset += 2;
9021 proto_tree_add_item_ret_uint(cs_tree, hf->hf.ech_hpke_keyconfig_cipher_suite_aead_id,
9022 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &aead_id);
9023 offset += 2;
9024
9025 proto_item_append_text(cs_ti, ": %s/%s",
9026 val_to_str_const(kdf_id, kdf_id_type_vals, "Unknown"),
9027 val_to_str_const(aead_id, aead_id_type_vals, "Unknown"));
9028 return offset;
9029}
9030
9031static int
9032dissect_ech_hpke_key_config(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9033 proto_tree *tree, uint32_t offset, uint32_t offset_end,
9034 uint32_t *config_id)
9035{
9036 uint32_t length, cipher_suite_length;
9037 proto_item *kc_ti, *css_ti;
9038 proto_tree *kc_tree, *css_tree;
9039 uint32_t original_offset = offset, next_offset;
9040
9041 kc_ti = proto_tree_add_item(tree, hf->hf.ech_hpke_keyconfig,
9042 tvb, offset, -1, ENC_NA0x00000000);
9043 kc_tree = proto_item_add_subtree(kc_ti, hf->ett.ech_hpke_keyconfig);
9044
9045 proto_tree_add_item_ret_uint(kc_tree, hf->hf.ech_hpke_keyconfig_config_id,
9046 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000, config_id);
9047 offset += 1;
9048 proto_tree_add_item(kc_tree, hf->hf.ech_hpke_keyconfig_kem_id,
9049 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
9050 offset += 2;
9051 proto_tree_add_item_ret_uint(kc_tree, hf->hf.ech_hpke_keyconfig_public_key_length,
9052 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &length);
9053 offset += 2;
9054 proto_tree_add_item(kc_tree, hf->hf.ech_hpke_keyconfig_public_key,
9055 tvb, offset, length, ENC_NA0x00000000);
9056 offset += length;
9057
9058 /* HpkeSymmetricCipherSuite cipher_suites<4..2^16-4> */
9059 if (!ssl_add_vector(hf, tvb, pinfo, kc_tree, offset, offset_end, &cipher_suite_length,
9060 hf->hf.ech_hpke_keyconfig_cipher_suites_length, 4, UINT16_MAX(65535) - 3)) {
9061 return offset_end;
9062 }
9063 offset += 2;
9064 next_offset = offset + cipher_suite_length;
9065
9066 css_ti = proto_tree_add_none_format(kc_tree,
9067 hf->hf.ech_hpke_keyconfig_cipher_suites,
9068 tvb, offset, cipher_suite_length,
9069 "Cipher Suites (%d suite%s)",
9070 cipher_suite_length / 4,
9071 plurality(cipher_suite_length / 4, "", "s")((cipher_suite_length / 4) == 1 ? ("") : ("s")));
9072 css_tree = proto_item_add_subtree(css_ti, hf->ett.ech_hpke_cipher_suites);
9073
9074
9075 while (offset + 4 <= next_offset) {
9076 offset = dissect_ech_hpke_cipher_suite(hf, tvb, pinfo, css_tree, offset);
9077 }
9078
9079 if (!ssl_end_vector(hf, tvb, pinfo, css_tree, offset, next_offset)) {
9080 offset = next_offset;
9081 }
9082
9083 proto_item_set_len(kc_ti, offset - original_offset);
9084
9085 return offset;
9086}
9087
9088static int
9089dissect_ech_echconfig_contents(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9090 proto_tree *tree, uint32_t offset, uint32_t offset_end,
9091 const uint8_t **public_name, uint32_t *config_id)
9092{
9093 uint32_t public_name_length, extensions_length, next_offset;
9094
9095 offset = dissect_ech_hpke_key_config(hf, tvb, pinfo, tree, offset, offset_end, config_id);
9096 proto_tree_add_item(tree, hf->hf.ech_echconfigcontents_maximum_name_length,
9097 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
9098 offset += 1;
9099 proto_tree_add_item_ret_uint(tree, hf->hf.ech_echconfigcontents_public_name_length,
9100 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000, &public_name_length);
9101 offset += 1;
9102 proto_tree_add_item_ret_string(tree, hf->hf.ech_echconfigcontents_public_name,
9103 tvb, offset, public_name_length, ENC_ASCII0x00000000, pinfo->pool, public_name);
9104 offset += public_name_length;
9105
9106 /* Extension extensions<0..2^16-1>; */
9107 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &extensions_length,
9108 hf->hf.ech_echconfigcontents_extensions_length, 0, UINT16_MAX(65535))) {
9109 return offset_end;
9110 }
9111 offset += 2;
9112 next_offset = offset + extensions_length;
9113
9114 if (extensions_length > 0) {
9115 proto_tree_add_item(tree, hf->hf.ech_echconfigcontents_extensions,
9116 tvb, offset, extensions_length, ENC_NA0x00000000);
9117 }
9118 offset += extensions_length;
9119
9120 if (!ssl_end_vector(hf, tvb, pinfo, tree, offset, next_offset)) {
9121 offset = next_offset;
9122 }
9123
9124 return offset;
9125}
9126
9127static int
9128dissect_ech_echconfig(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9129 proto_tree *tree, uint32_t offset, uint32_t offset_end)
9130{
9131 uint32_t version, length;
9132 proto_item *ech_ti;
9133 proto_tree *ech_tree;
9134 const uint8_t *public_name = NULL((void*)0);
9135 uint32_t config_id = 0;
9136
9137 ech_ti = proto_tree_add_item(tree, hf->hf.ech_echconfig, tvb, offset, -1, ENC_NA0x00000000);
9138 ech_tree = proto_item_add_subtree(ech_ti, hf->ett.ech_echconfig);
9139
9140 proto_tree_add_item_ret_uint(ech_tree, hf->hf.ech_echconfig_version,
9141 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &version);
9142 offset += 2;
9143 proto_tree_add_item_ret_uint(ech_tree, hf->hf.ech_echconfig_length,
9144 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &length);
9145 offset += 2;
9146
9147 proto_item_set_len(ech_ti, 4 + length);
9148
9149 switch(version) {
9150 case 0xfe0d:
9151 dissect_ech_echconfig_contents(hf, tvb, pinfo, ech_tree, offset, offset_end, &public_name, &config_id);
9152 proto_item_append_text(ech_ti, ": id=%d %s", config_id, public_name);
9153 break;
9154
9155 default:
9156 expert_add_info_format(pinfo, ech_ti, &hf->ei.ech_echconfig_invalid_version, "Unsupported/unknown ECHConfig version 0x%x", version);
9157 }
9158
9159 return 4 + length;
9160}
9161
9162uint32_t
9163ssl_dissect_ext_ech_echconfiglist(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9164 proto_tree *tree, uint32_t offset, uint32_t offset_end)
9165{
9166 uint32_t echconfiglist_length, next_offset;
9167
9168 /* ECHConfig ECHConfigList<1..2^16-1>; */
9169 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &echconfiglist_length,
9170 hf->hf.ech_echconfiglist_length, 1, UINT16_MAX(65535))) {
9171 return offset_end;
9172 }
9173 offset += 2;
9174 next_offset = offset + echconfiglist_length;
9175
9176 while (offset < next_offset) {
9177 offset += dissect_ech_echconfig(hf, tvb, pinfo, tree, offset, offset_end);
9178 }
9179
9180 if (!ssl_end_vector(hf, tvb, pinfo, tree, offset, next_offset)) {
9181 offset = next_offset;
9182 }
9183
9184 return offset;
9185}
9186
9187static uint32_t
9188ssl_dissect_hnd_ech_outer_ext(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
9189 uint32_t offset, uint32_t offset_end)
9190{
9191 uint32_t ext_length, next_offset;
9192 proto_tree *ext_tree;
9193 proto_item *ti;
9194
9195 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &ext_length,
9196 hf->hf.hs_ext_ech_outer_ext_len, 2, UINT8_MAX(255))) {
9197 return offset_end;
9198 }
9199 offset += 1;
9200 next_offset = offset + ext_length;
9201
9202 ti = proto_tree_add_none_format(tree,
9203 hf->hf.hs_ext_ech_outer_ext,
9204 tvb, offset, ext_length,
9205 "Outer Extensions (%d extension%s)",
9206 ext_length / 2,
9207 plurality(ext_length/2, "", "s")((ext_length/2) == 1 ? ("") : ("s")));
9208
9209 ext_tree = proto_item_add_subtree(ti, hf->ett.hs_ext);
9210
9211 while (offset + 2 <= offset_end) {
9212 proto_tree_add_item(ext_tree, hf->hf.hs_ext_type, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
9213 offset += 2;
9214 }
9215
9216 if (!ssl_end_vector(hf, tvb, pinfo, ext_tree, offset, next_offset)) {
9217 offset = next_offset;
9218 }
9219
9220 return offset;
9221}
9222
9223static uint32_t
9224// NOLINTNEXTLINE(misc-no-recursion)
9225ssl_dissect_hnd_hello_ext_ech(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9226 proto_tree *tree, uint32_t offset, uint32_t offset_end,
9227 uint8_t hnd_type, SslSession *session, SslDecryptSession *ssl, ssl_master_key_map_t *mk_map)
9228{
9229 uint32_t ch_type, length;
9230 proto_item *ti, *payload_ti;
9231 proto_tree *retry_tree, *payload_tree;
9232 uint32_t hello_length = tvb_reported_length(tvb);
9233
9234 switch (hnd_type) {
9235 case SSL_HND_CLIENT_HELLO:
9236 /*
9237 * enum { outer(0), inner(1) } ECHClientHelloType;
9238 *
9239 * struct {
9240 * ECHClientHelloType type;
9241 * select (ECHClientHello.type) {
9242 * case outer:
9243 * HpkeSymmetricCipherSuite cipher_suite;
9244 * uint8 config_id;
9245 * opaque enc<0..2^16-1>;
9246 * opaque payload<1..2^16-1>;
9247 * case inner:
9248 * Empty;
9249 * };
9250 * } ECHClientHello;
9251 */
9252
9253 proto_tree_add_item_ret_uint(tree, hf->hf.ech_clienthello_type, tvb, offset, 1, ENC_BIG_ENDIAN0x00000000, &ch_type);
9254 offset += 1;
9255 switch (ch_type) {
9256 case 0: /* outer */
9257 if (ssl && session->first_ch_ech_frame == 0) {
9258 session->first_ch_ech_frame = pinfo->num;
9259 }
9260 offset = dissect_ech_hpke_cipher_suite(hf, tvb, pinfo, tree, offset);
9261 uint16_t kdf_id = tvb_get_ntohs(tvb, offset - 4);
9262 uint16_t aead_id = tvb_get_ntohs(tvb, offset - 2);
9263
9264 proto_tree_add_item(tree, hf->hf.ech_config_id, tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
9265 uint8_t config_id = tvb_get_uint8(tvb, offset);
9266 offset += 1;
9267 proto_tree_add_item_ret_uint(tree, hf->hf.ech_enc_length, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &length);
9268 offset += 2;
9269 proto_tree_add_item(tree, hf->hf.ech_enc, tvb, offset, length, ENC_NA0x00000000);
9270 offset += length;
9271 proto_tree_add_item_ret_uint(tree, hf->hf.ech_payload_length, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &length);
9272 offset += 2;
9273 payload_ti = proto_tree_add_item(tree, hf->hf.ech_payload, tvb, offset, length, ENC_NA0x00000000);
9274 offset += length;
9275
9276 if (!mk_map) {
9277 break;
9278 }
9279 if (session->client_random.data_len == 0) {
9280 ssl_debug_printf("%s missing Client Random\n", G_STRFUNC((const char*) (__func__)));
9281 break;
9282 }
9283 StringInfo *ech_secret = (StringInfo *)g_hash_table_lookup(mk_map->ech_secret, &session->client_random);
9284 StringInfo *ech_config = (StringInfo *)g_hash_table_lookup(mk_map->ech_config, &session->client_random);
9285 if (!ech_secret || !ech_config) {
9286 ssl_debug_printf("%s Cannot find ECH_SECRET or ECH_CONFIG, Encrypted Client Hello decryption impossible\n",
9287 G_STRFUNC((const char*) (__func__)));
9288 break;
9289 }
9290
9291 if (hpke_hkdf_len(kdf_id) == 0) {
9292 ssl_debug_printf("Unsupported KDF\n");
9293 break;
9294 }
9295
9296 if (hpke_aead_key_len(aead_id) == 0) {
9297 ssl_debug_printf("Unsupported AEAD\n");
9298 break;
9299 }
9300
9301 size_t aead_nonce_len = hpke_aead_nonce_len(aead_id);
9302
9303 unsigned aead_auth_tag_len = hpke_aead_auth_tag_len(aead_id);
9304 if (length < aead_auth_tag_len) {
9305 ssl_debug_printf("Encrypted payload length %u < Cipher suite authentication tag length %u.\n", length, aead_auth_tag_len);
9306 break;
9307 }
9308 unsigned decrypted_len = length - aead_auth_tag_len;
9309
9310 uint16_t version = pntohu16(ech_config->data);
9311 if (version != SSL_HND_HELLO_EXT_ENCRYPTED_CLIENT_HELLO65037) {
9312 ssl_debug_printf("Unexpected version in ECH Config\n");
9313 break;
9314 }
9315 uint32_t ech_config_offset = 2;
9316 if (pntohu16(&ech_config->data[ech_config_offset]) != ech_config->data_len - 4) {
9317 ssl_debug_printf("Malformed ECH Config, invalid length\n");
9318 break;
9319 }
9320 ech_config_offset += 2;
9321 if (*(ech_config->data + ech_config_offset) != config_id) {
9322 ssl_debug_printf("ECH Config version mismatch\n");
9323 break;
9324 }
9325 ech_config_offset += 1;
9326 uint16_t kem_id = pntohu16(&ech_config->data[ech_config_offset]);
9327 uint8_t suite_id[HPKE_SUIT_ID_LEN10];
9328 hpke_suite_id(kem_id, kdf_id, aead_id, suite_id);
9329 GByteArray *info = g_byte_array_new();
9330 g_byte_array_append(info, (const uint8_t*)"tls ech", 8);
9331 g_byte_array_append(info, ech_config->data, ech_config->data_len);
9332 uint8_t key[AEAD_MAX_KEY_LENGTH32];
9333 uint8_t base_nonce[HPKE_AEAD_NONCE_LENGTH12];
9334 if (hpke_key_schedule(kdf_id, aead_id, ech_secret->data, ech_secret->data_len, suite_id, info->data, info->len, HPKE_MODE_BASE0,
9335 key, base_nonce)) {
9336 g_byte_array_free(info, TRUE(!(0)));
9337 break;
9338 }
9339 g_byte_array_free(info, TRUE(!(0)));
9340 gcry_cipher_hd_t cipher;
9341 if (hpke_setup_aead(&cipher, aead_id, key) ||
9342 hpke_set_nonce(cipher, !session->hrr_ech_declined && pinfo->num > session->first_ch_ech_frame, base_nonce, aead_nonce_len)) {
9343 gcry_cipher_close(cipher);
9344 break;
9345 }
9346 const uint8_t *payload = tvb_get_ptr(tvb, offset - length, length);
9347 uint8_t *ech_aad = (uint8_t *)wmem_alloc(NULL((void*)0), hello_length);
9348 tvb_memcpy(tvb, ech_aad, 0, hello_length);
9349 memset(ech_aad + offset - length, 0, length);
9350 if (gcry_cipher_authenticate(cipher, ech_aad, hello_length)) {
9351 gcry_cipher_close(cipher);
9352 wmem_free(NULL((void*)0), ech_aad);
9353 break;
9354 }
9355 wmem_free(NULL((void*)0), ech_aad);
9356 uint8_t *ech_decrypted_data = (uint8_t *)wmem_alloc(pinfo->pool, decrypted_len);
9357 if (gcry_cipher_decrypt(cipher, ech_decrypted_data, decrypted_len, payload, decrypted_len)) {
9358 gcry_cipher_close(cipher);
9359 break;
9360 }
9361 unsigned char *ech_auth_tag_calc = wmem_alloc0(pinfo->pool, aead_auth_tag_len);
9362 if (gcry_cipher_gettag(cipher, ech_auth_tag_calc, aead_auth_tag_len)) {
9363 gcry_cipher_close(cipher);
9364 break;
9365 }
9366 if (ssl && !session->hrr_ech_declined && session->first_ch_ech_frame == pinfo->num)
9367 memcpy(session->first_ech_auth_tag, ech_auth_tag_calc, aead_auth_tag_len);
9368 gcry_cipher_close(cipher);
9369 if (memcmp(pinfo->num > session->first_ch_ech_frame ? ech_auth_tag_calc : session->first_ech_auth_tag,
9370 payload + decrypted_len, aead_auth_tag_len)) {
9371 ssl_debug_printf("%s ECH auth tag mismatch\n", G_STRFUNC((const char*) (__func__)));
9372 } else {
9373 payload_tree = proto_item_add_subtree(payload_ti, hf->ett.ech_decrypt);
9374 tvbuff_t *ech_tvb = tvb_new_child_real_data(tvb, ech_decrypted_data, decrypted_len, decrypted_len);
9375 add_new_data_source(pinfo, ech_tvb, "Client Hello Inner");
9376 if (ssl) {
9377 /* Note the Outer Client Random for Inject TLS Secrets */
9378 tls_save_crandom(ssl, mk_map);
9379
9380 tvb_memcpy(ech_tvb, ssl->client_random.data, 2, 32);
9381 uint32_t len_offset = ssl->ech_transcript.data_len;
9382 if (ssl->ech_transcript.data_len > 0)
9383 ssl->ech_transcript.data = (unsigned char*)wmem_realloc(wmem_file_scope(), ssl->ech_transcript.data,
9384 ssl->ech_transcript.data_len + hello_length + 4);
9385 else
9386 ssl->ech_transcript.data = (unsigned char*)wmem_alloc(wmem_file_scope(), hello_length + 4);
9387 ssl->ech_transcript.data[ssl->ech_transcript.data_len] = SSL_HND_CLIENT_HELLO;
9388 ssl->ech_transcript.data[ssl->ech_transcript.data_len + 1] = 0;
9389 /* Copy ClientHelloInner up to the legacy_session_id field. */
9390 tvb_memcpy(ech_tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len + 4, 0, 34);
9391 ssl->ech_transcript.data_len += 38;
9392 /* Now copy the legacy_session_id field from ClientHelloOuter. */
9393 ssl->ech_transcript.data[ssl->ech_transcript.data_len] = ssl->session_id.data_len;
9394 ssl->ech_transcript.data_len++;
9395 memcpy(&ssl->ech_transcript.data[ssl->ech_transcript.data_len], ssl->session_id.data, ssl->session_id.data_len);
9396 ssl->ech_transcript.data_len += ssl->session_id.data_len;
9397 /* Skip past the legacy_session_id field in ClientHelloInner
9398 * (which should be the empty string, i.e. just a 0 size.) */
9399 uint32_t ech_offset = 35 + tvb_get_uint8(ech_tvb, 34);
9400 /* Copy the Cipher Suites from ClientHelloInner. */
9401 tvb_memcpy(ech_tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len, ech_offset,
9402 2 + tvb_get_ntohs(ech_tvb, ech_offset));
9403 ssl->ech_transcript.data_len += 2 + tvb_get_ntohs(ech_tvb, ech_offset);
9404 ech_offset += 2 + tvb_get_ntohs(ech_tvb, ech_offset);
9405 /* Copy the Compression Methods */
9406 tvb_memcpy(ech_tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len, ech_offset,
9407 1 + tvb_get_uint8(ech_tvb, ech_offset));
9408 ssl->ech_transcript.data_len += 1 + tvb_get_uint8(ech_tvb, ech_offset);
9409 ech_offset += 1 + tvb_get_uint8(ech_tvb, ech_offset);
9410 /* Now replace extensions in ech_outer_extensions with the
9411 * data from ClientHelloOuter. */
9412 uint32_t ech_extensions_len_offset = ssl->ech_transcript.data_len;
9413 ssl->ech_transcript.data_len += 2;
9414 uint32_t extensions_end = ech_offset + tvb_get_ntohs(ech_tvb, ech_offset) + 2;
9415 ech_offset += 2;
9416 bool_Bool ech_outer_extensions_found = false0;
9417 while (extensions_end - ech_offset >= 4) {
9418 uint16_t ext_type = tvb_get_ntohs(ech_tvb, ech_offset);
9419 ech_offset += 2;
9420 uint16_t ext_len = tvb_get_ntohs(ech_tvb, ech_offset);
9421 ech_offset += 2;
9422 if (ext_type != SSL_HND_HELLO_EXT_ECH_OUTER_EXTENSIONS64768) {
9423 /* Copy this extension directly */
9424 tvb_memcpy(ech_tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len,
9425 ech_offset - 4, 4 + ext_len);
9426 ssl->ech_transcript.data_len += 4 + ext_len;
9427 ech_offset += ext_len;
9428 } else if (ext_len > 0) {
9429 if (ech_outer_extensions_found) {
9430 ssl_debug_printf("Illegal parameter; only a single \"ech_outer_extensions\" extension is allowed\n");
9431 /* This could lead to a buffer overflow by
9432 * making the post-copying ClientHelloInner
9433 * longer than ClientHelloOuter and is
9434 * illegal, so skip this and don't copy. */
9435 ech_offset += ext_len;
9436 continue;
9437 }
9438 ech_outer_extensions_found = true1;
9439 unsigned num_ech_outer_extensions = tvb_get_uint8(ech_tvb, ech_offset);
9440 ech_offset += 1;
9441 uint32_t ech_outer_extensions_end = ech_offset + num_ech_outer_extensions;
9442 /* In ClientHelloOuter, skip past the legacy_session_id */
9443 uint32_t outer_offset = 35 + tvb_get_uint8(tvb, 34);
9444 /* Skip past Cipher Suites */
9445 outer_offset += tvb_get_ntohs(tvb, outer_offset) + 2;
9446 /* Skip past Compression Methods */
9447 outer_offset += tvb_get_uint8(tvb, outer_offset) + 3;
9448 /* Now at the start of ClientHelloOuter's extensions */
9449 while (ech_outer_extensions_end - ech_offset >= 2) {
9450 ext_type = tvb_get_ntohs(ech_tvb, ech_offset);
9451 if (ext_type == SSL_HND_HELLO_EXT_ENCRYPTED_CLIENT_HELLO65037) {
9452 ssl_debug_printf("Illegal parameter; encrypted_client_hello cannot appear within ech_outer_extensions\n");
9453 /* This could lead to a buffer overflow by
9454 * making the post-copying ClientHelloInner
9455 * longer than ClientHelloOuter and is
9456 * illegal, so don't copy. */
9457 break;
9458 }
9459 bool_Bool found = false0;
9460 while (tvb_reported_length_remaining(tvb, outer_offset) >= 4) {
9461 uint16_t outer_ext_type = tvb_get_ntohs(tvb, outer_offset);
9462 uint16_t outer_ext_len = tvb_get_ntohs(tvb, outer_offset + 2);
9463 if (ext_type == outer_ext_type) {
9464 tvb_memcpy(tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len, outer_offset,
9465 4 + outer_ext_len);
9466 ssl->ech_transcript.data_len += 4 + outer_ext_len;
9467 outer_offset += 4 + outer_ext_len;
9468 found = true1;
9469 break;
9470 } else {
9471 outer_offset += 4 + outer_ext_len;
9472 }
9473 }
9474 if (!found) {
9475 ssl_debug_printf("Extension %s was not found in ClientHelloOuter (possibly out of order or referenced more than once)\n", val_to_str(pinfo->pool, ext_type, tls_hello_extension_types, "unknown (0x%02x)"));
9476 }
9477 ech_offset += 2;
9478 }
9479 }
9480 }
9481 uint16_t ech_extensions_len = ssl->ech_transcript.data_len - ech_extensions_len_offset - 2;
9482 phtonu16(&ssl->ech_transcript.data[ech_extensions_len_offset], ech_extensions_len);
9483 phtonu16(&ssl->ech_transcript.data[len_offset + 2], ssl->ech_transcript.data_len - len_offset - 4);
9484 }
9485 uint32_t ech_padding_begin = (uint32_t)ssl_dissect_hnd_cli_hello(hf, ech_tvb, pinfo, payload_tree, 0, decrypted_len, session,
9486 ssl, NULL((void*)0), mk_map);
9487 if (ech_padding_begin < decrypted_len) {
9488 proto_tree_add_item(payload_tree, hf->hf.ech_padding_data, ech_tvb, ech_padding_begin, decrypted_len - ech_padding_begin,
9489 ENC_NA0x00000000);
9490 }
9491 }
9492
9493 break;
9494 case 1: /* inner */
9495 break;
9496 }
9497 break;
9498
9499 case SSL_HND_ENCRYPTED_EXTENSIONS:
9500 /*
9501 * struct {
9502 * ECHConfigList retry_configs;
9503 * } ECHEncryptedExtensions;
9504 */
9505
9506 ti = proto_tree_add_item(tree, hf->hf.ech_retry_configs, tvb, offset, offset_end - offset, ENC_NA0x00000000);
9507 retry_tree = proto_item_add_subtree(ti, hf->ett.ech_retry_configs);
9508 offset = ssl_dissect_ext_ech_echconfiglist(hf, tvb, pinfo, retry_tree, offset, offset_end);
9509 break;
9510
9511 case SSL_HND_HELLO_RETRY_REQUEST:
9512 /*
9513 * struct {
9514 * opaque confirmation[8];
9515 * } ECHHelloRetryRequest;
9516 */
9517
9518 proto_tree_add_item(tree, hf->hf.ech_confirmation, tvb, offset, 8, ENC_NA0x00000000);
9519 if (session->ech) {
9520 ti = proto_tree_add_bytes_with_length(tree, hf->hf.hs_ech_confirm_compute, tvb, offset, 0, session->hrr_ech_confirmation, 8);
9521 proto_item_set_generated(ti);
9522 if (memcmp(session->hrr_ech_confirmation, tvb_get_ptr(tvb, offset, 8), 8)) {
9523 expert_add_info(pinfo, ti, &hf->ei.ech_rejected);
9524 } else {
9525 expert_add_info(pinfo, ti, &hf->ei.ech_accepted);
9526 }
9527 }
9528 offset += 8;
9529 break;
9530 }
9531
9532 return offset;
9533}
9534
9535static uint32_t
9536ssl_dissect_hnd_hello_ext_esni(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9537 proto_tree *tree, uint32_t offset, uint32_t offset_end,
9538 uint8_t hnd_type, SslDecryptSession *ssl _U___attribute__((unused)))
9539{
9540 uint32_t record_digest_length, encrypted_sni_length;
9541
9542 switch (hnd_type) {
9543 case SSL_HND_CLIENT_HELLO:
9544 /*
9545 * struct {
9546 * CipherSuite suite;
9547 * KeyShareEntry key_share;
9548 * opaque record_digest<0..2^16-1>;
9549 * opaque encrypted_sni<0..2^16-1>;
9550 * } ClientEncryptedSNI;
9551 */
9552 proto_tree_add_item(tree, hf->hf.esni_suite, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
9553 offset += 2;
9554 offset = ssl_dissect_hnd_hello_ext_key_share_entry(hf, tvb, pinfo, tree, offset, offset_end, NULL((void*)0));
9555
9556 /* opaque record_digest<0..2^16-1> */
9557 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &record_digest_length,
9558 hf->hf.esni_record_digest_length, 0, UINT16_MAX(65535))) {
9559 return offset_end;
9560 }
9561 offset += 2;
9562 if (record_digest_length > 0) {
9563 proto_tree_add_item(tree, hf->hf.esni_record_digest, tvb, offset, record_digest_length, ENC_NA0x00000000);
9564 offset += record_digest_length;
9565 }
9566
9567 /* opaque encrypted_sni<0..2^16-1> */
9568 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &encrypted_sni_length,
9569 hf->hf.esni_encrypted_sni_length, 0, UINT16_MAX(65535))) {
9570 return offset_end;
9571 }
9572 offset += 2;
9573 if (encrypted_sni_length > 0) {
9574 proto_tree_add_item(tree, hf->hf.esni_encrypted_sni, tvb, offset, encrypted_sni_length, ENC_NA0x00000000);
9575 offset += encrypted_sni_length;
9576 }
9577 break;
9578
9579 case SSL_HND_ENCRYPTED_EXTENSIONS:
9580 proto_tree_add_item(tree, hf->hf.esni_nonce, tvb, offset, 16, ENC_NA0x00000000);
9581 offset += 16;
9582 break;
9583 }
9584
9585 return offset;
9586}
9587/** TLS Extensions (in Client Hello and Server Hello). }}} */
9588
9589/* Connection ID dissection. {{{ */
9590static uint32_t
9591ssl_dissect_ext_connection_id(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9592 proto_tree *tree, uint32_t offset, SslDecryptSession *ssl,
9593 uint8_t cidl, uint8_t **session_cid, uint8_t *session_cidl)
9594{
9595 /* keep track of the decrypt session only for the first pass */
9596 if (cidl > 0 && !PINFO_FD_VISITED(pinfo)((pinfo)->fd->visited)) {
9597 tvb_ensure_bytes_exist(tvb, offset + 1, cidl);
9598 *session_cidl = cidl;
9599 *session_cid = (uint8_t*)wmem_alloc0(wmem_file_scope(), cidl);
9600 tvb_memcpy(tvb, *session_cid, offset + 1, cidl);
9601 if (ssl) {
9602 ssl_add_session_by_cid(ssl);
9603 }
9604 }
9605
9606 proto_tree_add_item(tree, hf->hf.hs_ext_connection_id_length,
9607 tvb, offset, 1, ENC_NA0x00000000);
9608 offset++;
9609
9610 if (cidl > 0) {
9611 proto_tree_add_item(tree, hf->hf.hs_ext_connection_id,
9612 tvb, offset, cidl, ENC_NA0x00000000);
9613 offset += cidl;
9614 }
9615
9616 return offset;
9617}
9618
9619static uint32_t
9620ssl_dissect_hnd_hello_ext_connection_id(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9621 proto_tree *tree, uint32_t offset, uint8_t hnd_type,
9622 SslSession *session, SslDecryptSession *ssl)
9623{
9624 uint8_t cidl = tvb_get_uint8(tvb, offset);
9625
9626 switch (hnd_type) {
9627 case SSL_HND_CLIENT_HELLO:
9628 session->client_cid_len_present = true1;
9629 return ssl_dissect_ext_connection_id(hf, tvb, pinfo, tree, offset, ssl,
9630 cidl, &session->client_cid, &session->client_cid_len);
9631 case SSL_HND_SERVER_HELLO:
9632 session->server_cid_len_present = true1;
9633 return ssl_dissect_ext_connection_id(hf, tvb, pinfo, tree, offset, ssl,
9634 cidl, &session->server_cid, &session->server_cid_len);
9635 default:
9636 return offset;
9637 }
9638} /* }}} */
9639
9640/* Trusted CA dissection. {{{ */
9641static uint32_t
9642ssl_dissect_hnd_hello_ext_trusted_ca_keys(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
9643 uint32_t offset, uint32_t offset_end)
9644{
9645 proto_item *ti;
9646 proto_tree *subtree;
9647 uint32_t keys_length, next_offset;
9648
9649 /*
9650 * struct {
9651 * TrustedAuthority trusted_authorities_list<0..2^16-1>;
9652 * } TrustedAuthorities;
9653 *
9654 * struct {
9655 * IdentifierType identifier_type;
9656 * select (identifier_type) {
9657 * case pre_agreed: struct {};
9658 * case key_sha1_hash: SHA1Hash;
9659 * case x509_name: DistinguishedName;
9660 * case cert_sha1_hash: SHA1Hash;
9661 * } identifier;
9662 * } TrustedAuthority;
9663 *
9664 * enum {
9665 * pre_agreed(0), key_sha1_hash(1), x509_name(2),
9666 * cert_sha1_hash(3), (255)
9667 * } IdentifierType;
9668 *
9669 * opaque DistinguishedName<1..2^16-1>;
9670 *
9671 */
9672
9673
9674 /* TrustedAuthority trusted_authorities_list<0..2^16-1> */
9675 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &keys_length, hf->hf.hs_ext_trusted_ca_keys_len,
9676 0, UINT16_MAX(65535)))
9677 {
9678 return offset_end;
9679 }
9680 offset += 2;
9681 next_offset = offset + keys_length;
9682
9683 if (keys_length > 0)
9684 {
9685 ti = proto_tree_add_none_format(tree, hf->hf.hs_ext_trusted_ca_keys_list, tvb, offset, keys_length,
9686 "Trusted CA keys (%d byte%s)", keys_length, plurality(keys_length, "", "s")((keys_length) == 1 ? ("") : ("s")));
9687 subtree = proto_item_add_subtree(ti, hf->ett.hs_ext_trusted_ca_keys);
9688
9689 while (offset < next_offset)
9690 {
9691 uint32_t identifier_type;
9692 proto_tree *trusted_key_tree;
9693 proto_item *trusted_key_item;
9694 asn1_ctx_t asn1_ctx;
9695 uint32_t key_len = 0;
9696
9697 identifier_type = tvb_get_uint8(tvb, offset);
9698
9699 // Use 0 as length for now as we'll only know the size when we decode the identifier
9700 trusted_key_item = proto_tree_add_none_format(subtree, hf->hf.hs_ext_trusted_ca_key, tvb,
9701 offset, 0, "Trusted CA Key");
9702 trusted_key_tree = proto_item_add_subtree(trusted_key_item, hf->ett.hs_ext_trusted_ca_key);
9703
9704 proto_tree_add_uint(trusted_key_tree, hf->hf.hs_ext_trusted_ca_key_type, tvb,
9705 offset, 1, identifier_type);
9706 offset++;
9707
9708 /*
9709 * enum {
9710 * pre_agreed(0), key_sha1_hash(1), x509_name(2),
9711 * cert_sha1_hash(3), (255)
9712 * } IdentifierType;
9713 */
9714 switch (identifier_type)
9715 {
9716 case 0:
9717 key_len = 0;
9718 break;
9719 case 2:
9720 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true1, pinfo);
9721
9722 uint32_t name_length;
9723 /* opaque DistinguishedName<1..2^16-1> */
9724 if (!ssl_add_vector(hf, tvb, pinfo, trusted_key_tree, offset, next_offset, &name_length,
9725 hf->hf.hs_ext_trusted_ca_key_dname_len, 1, UINT16_MAX(65535))) {
9726 return next_offset;
9727 }
9728 offset += 2;
9729
9730 dissect_x509if_DistinguishedName(false0, tvb, offset, &asn1_ctx,
9731 trusted_key_tree, hf->hf.hs_ext_trusted_ca_key_dname);
9732 offset += name_length;
9733 break;
9734 case 1:
9735 case 3:
9736 key_len = 20;
9737 /* opaque SHA1Hash[20]; */
9738 proto_tree_add_item(trusted_key_tree, hf->hf.hs_ext_trusted_ca_key_hash, tvb,
9739 offset, 20, ENC_NA0x00000000);
9740 break;
9741
9742 default:
9743 key_len = 0;
9744 /*TODO display expert info about unknown ? */
9745 break;
9746 }
9747 proto_item_set_len(trusted_key_item, 1 + key_len);
9748 offset += key_len;
9749 }
9750 }
9751
9752 if (!ssl_end_vector(hf, tvb, pinfo, tree, offset, next_offset))
9753 {
9754 offset = next_offset;
9755 }
9756
9757 return offset;
9758} /* }}} */
9759
9760
9761/* Whether the Content and Handshake Types are valid; handle Protocol Version. {{{ */
9762bool_Bool
9763ssl_is_valid_content_type(uint8_t type)
9764{
9765 switch ((ContentType) type) {
9766 case SSL_ID_CHG_CIPHER_SPEC:
9767 case SSL_ID_ALERT:
9768 case SSL_ID_HANDSHAKE:
9769 case SSL_ID_APP_DATA:
9770 case SSL_ID_HEARTBEAT:
9771 case SSL_ID_TLS12_CID:
9772 case SSL_ID_DTLS13_ACK:
9773 return true1;
9774 }
9775 return false0;
9776}
9777
9778bool_Bool
9779ssl_is_valid_handshake_type(uint8_t hs_type, bool_Bool is_dtls)
9780{
9781 switch ((HandshakeType) hs_type) {
9782 case SSL_HND_HELLO_VERIFY_REQUEST:
9783 /* hello_verify_request is DTLS-only */
9784 return is_dtls;
9785
9786 case SSL_HND_HELLO_REQUEST:
9787 case SSL_HND_CLIENT_HELLO:
9788 case SSL_HND_SERVER_HELLO:
9789 case SSL_HND_NEWSESSION_TICKET:
9790 case SSL_HND_END_OF_EARLY_DATA:
9791 case SSL_HND_HELLO_RETRY_REQUEST:
9792 case SSL_HND_ENCRYPTED_EXTENSIONS:
9793 case SSL_HND_CERTIFICATE:
9794 case SSL_HND_SERVER_KEY_EXCHG:
9795 case SSL_HND_CERT_REQUEST:
9796 case SSL_HND_SVR_HELLO_DONE:
9797 case SSL_HND_CERT_VERIFY:
9798 case SSL_HND_CLIENT_KEY_EXCHG:
9799 case SSL_HND_FINISHED:
9800 case SSL_HND_CERT_URL:
9801 case SSL_HND_CERT_STATUS:
9802 case SSL_HND_SUPPLEMENTAL_DATA:
9803 case SSL_HND_KEY_UPDATE:
9804 case SSL_HND_COMPRESSED_CERTIFICATE:
9805 case SSL_HND_ENCRYPTED_EXTS:
9806 return true1;
9807 case SSL_HND_MESSAGE_HASH:
9808 return false0;
9809 }
9810 return false0;
9811}
9812
9813static bool_Bool
9814ssl_is_authoritative_version_message(uint8_t content_type, uint8_t handshake_type,
9815 bool_Bool is_dtls)
9816{
9817 /* Consider all valid Handshake messages (except for Client Hello) and
9818 * all other valid record types (other than Handshake) */
9819 return (content_type == SSL_ID_HANDSHAKE &&
9820 ssl_is_valid_handshake_type(handshake_type, is_dtls) &&
9821 handshake_type != SSL_HND_CLIENT_HELLO) ||
9822 (content_type != SSL_ID_HANDSHAKE &&
9823 ssl_is_valid_content_type(content_type));
9824}
9825
9826/**
9827 * Scan a Server Hello handshake message for the negotiated version. For TLS 1.3
9828 * draft 22 and newer, it also checks whether it is a HelloRetryRequest.
9829 * Returns true if the supported_versions extension was found, false if not.
9830 */
9831bool_Bool
9832tls_scan_server_hello(tvbuff_t *tvb, uint32_t offset, uint32_t offset_end,
9833 uint16_t *server_version, bool_Bool *is_hrr)
9834{
9835 /* SHA256("HelloRetryRequest") */
9836 static const uint8_t tls13_hrr_random_magic[] = {
9837 0xcf, 0x21, 0xad, 0x74, 0xe5, 0x9a, 0x61, 0x11, 0xbe, 0x1d, 0x8c, 0x02, 0x1e, 0x65, 0xb8, 0x91,
9838 0xc2, 0xa2, 0x11, 0x16, 0x7a, 0xbb, 0x8c, 0x5e, 0x07, 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c
9839 };
9840 uint8_t session_id_length;
9841
9842 *server_version = tvb_get_ntohs(tvb, offset);
9843
9844 /*
9845 * Try to look for supported_versions extension. Minimum length:
9846 * 2 + 32 + 1 = 35 (version, random, session id length)
9847 * 2 + 1 + 2 = 5 (cipher suite, compression method, extensions length)
9848 * 2 + 2 + 2 = 6 (ext type, ext len, version)
9849 *
9850 * We only check for the [legacy_]version field to be [D]TLS 1.2; if it's 1.3,
9851 * there's a separate expert info warning for that.
9852 */
9853 if ((*server_version == TLSV1DOT2_VERSION0x303 || *server_version == DTLSV1DOT2_VERSION0xfefd) && offset_end - offset >= 46) {
9854 offset += 2;
9855 if (is_hrr) {
9856 *is_hrr = tvb_memeql(tvb, offset, tls13_hrr_random_magic, sizeof(tls13_hrr_random_magic)) == 0;
9857 }
9858 offset += 32;
9859 session_id_length = tvb_get_uint8(tvb, offset);
9860 offset++;
9861 if (offset_end - offset < session_id_length + 5u) {
9862 return false0;
9863 }
9864 offset += session_id_length + 5;
9865
9866 while (offset_end - offset >= 6) {
9867 uint16_t ext_type = tvb_get_ntohs(tvb, offset);
9868 uint16_t ext_len = tvb_get_ntohs(tvb, offset + 2);
9869 if (offset_end - offset < 4u + ext_len) {
9870 break; /* not enough data for type, length and data */
9871 }
9872 if (ext_type == SSL_HND_HELLO_EXT_SUPPORTED_VERSIONS43) {
9873 if (ext_len == 2) {
9874 *server_version = tvb_get_ntohs(tvb, offset + 4);
9875 }
9876 return true1;
9877 }
9878 offset += 4 + ext_len;
9879 }
9880 } else {
9881 if (is_hrr) {
9882 *is_hrr = false0;
9883 }
9884 }
9885 return false0;
9886}
9887
9888/**
9889 * Scan a Client Hello handshake message to see if the supported_versions
9890 * extension is found, in which case the version field is legacy_version.
9891 */
9892static bool_Bool
9893tls_scan_client_hello(tvbuff_t *tvb, uint32_t offset, uint32_t offset_end)
9894{
9895 uint8_t session_id_length;
9896
9897 uint16_t client_version = tvb_get_ntohs(tvb, offset);
9898
9899 /*
9900 * Try to look for supported_versions extension. Minimum length:
9901 * 2 + 32 + 1 = 35 (version, random, session id length)
9902 * 2 + 2 + 1 + 2 = 5 (cipher suite, compression method, extensions length)
9903 * 2 + 2 + 2 = 6 (ext type, ext len, version)
9904 *
9905 * We only check for the [legacy_]version field to be [D]TLS 1.2; if it's 1.3,
9906 * there's a separate expert info warning for that.
9907 */
9908 if ((client_version == TLSV1DOT2_VERSION0x303 || client_version == DTLSV1DOT2_VERSION0xfefd) && offset_end - offset >= 46) {
9909 offset += 2;
9910 offset += 32;
9911 session_id_length = tvb_get_uint8(tvb, offset);
9912 offset++;
9913 if (offset_end - offset < session_id_length + 2u) {
9914 return false0;
9915 }
9916 offset += session_id_length;
9917 if (client_version == DTLSV1DOT2_VERSION0xfefd) {
9918 uint8_t cookie_length = tvb_get_uint8(tvb, offset);
9919 offset++;
9920 if (offset_end - offset < cookie_length + 2u) {
9921 return false0;
9922 }
9923 }
9924 uint16_t cipher_suites_length = tvb_get_ntohs(tvb, offset);
9925 offset += 2;
9926 if (offset_end - offset < cipher_suites_length + 1u) {
9927 return false0;
9928 }
9929 offset += cipher_suites_length;
9930 uint8_t compression_methods_length = tvb_get_uint8(tvb, offset);
9931 offset++;
9932 if (offset_end - offset < compression_methods_length + 2u) {
9933 return false0;
9934 }
9935 offset += compression_methods_length + 2;
9936
9937 while (offset_end - offset >= 6) {
9938 uint16_t ext_type = tvb_get_ntohs(tvb, offset);
9939 uint16_t ext_len = tvb_get_ntohs(tvb, offset + 2);
9940 if (offset_end - offset < 4u + ext_len) {
9941 break; /* not enough data for type, length and data */
9942 }
9943 if (ext_type == SSL_HND_HELLO_EXT_SUPPORTED_VERSIONS43) {
9944 return true1;
9945 }
9946 offset += 4 + ext_len;
9947 }
9948 }
9949 return false0;
9950}
9951void
9952ssl_try_set_version(SslSession *session, SslDecryptSession *ssl,
9953 uint8_t content_type, uint8_t handshake_type,
9954 bool_Bool is_dtls, uint16_t version)
9955{
9956 uint8_t tls13_draft = 0;
9957
9958 if (!ssl_is_authoritative_version_message(content_type, handshake_type,
9959 is_dtls))
9960 return;
9961
9962 version = tls_try_get_version(is_dtls, version, &tls13_draft);
9963 if (version == SSL_VER_UNKNOWN0) {
9964 return;
9965 }
9966
9967 session->tls13_draft_version = tls13_draft;
9968 session->version = version;
9969 if (ssl) {
9970 ssl->state |= SSL_VERSION(1<<4);
9971 ssl_debug_printf("%s found version 0x%04X -> state 0x%02X\n", G_STRFUNC((const char*) (__func__)), version, ssl->state);
9972 }
9973}
9974
9975void
9976ssl_check_record_length(ssl_common_dissect_t *hf, packet_info *pinfo,
9977 ContentType content_type,
9978 unsigned record_length, proto_item *length_pi,
9979 uint16_t version, tvbuff_t *decrypted_tvb)
9980{
9981 unsigned max_expansion;
9982 if (version == TLSV1DOT3_VERSION0x304) {
9983 /* TLS 1.3: Max length is 2^14 + 256 */
9984 max_expansion = 256;
9985 } else {
9986 /* RFC 5246, Section 6.2.3: TLSCiphertext.fragment length MUST NOT exceed 2^14 + 2048 */
9987 max_expansion = 2048;
9988 }
9989 /*
9990 * RFC 5246 (TLS 1.2), Section 6.2.1 forbids zero-length Handshake, Alert
9991 * and ChangeCipherSpec.
9992 * RFC 6520 (Heartbeats) does not mention zero-length Heartbeat fragments,
9993 * so assume it is permitted.
9994 * RFC 6347 (DTLS 1.2) does not mention zero-length fragments either, so
9995 * assume TLS 1.2 requirements.
9996 */
9997 if (record_length == 0 &&
9998 (content_type == SSL_ID_CHG_CIPHER_SPEC ||
9999 content_type == SSL_ID_ALERT ||
10000 content_type == SSL_ID_HANDSHAKE)) {
10001 expert_add_info_format(pinfo, length_pi, &hf->ei.record_length_invalid,
10002 "Zero-length %s fragments are not allowed",
10003 val_to_str_const(content_type, ssl_31_content_type, "unknown"));
10004 }
10005 if (record_length > TLS_MAX_RECORD_LENGTH0x4000 + max_expansion) {
10006 expert_add_info_format(pinfo, length_pi, &hf->ei.record_length_invalid,
10007 "TLSCiphertext length MUST NOT exceed 2^14 + %u", max_expansion);
10008 }
10009 if (decrypted_tvb && tvb_captured_length(decrypted_tvb) > TLS_MAX_RECORD_LENGTH0x4000) {
10010 expert_add_info_format(pinfo, length_pi, &hf->ei.record_length_invalid,
10011 "TLSPlaintext length MUST NOT exceed 2^14");
10012 }
10013}
10014
10015static void
10016ssl_set_cipher(SslDecryptSession *ssl, uint16_t cipher)
10017{
10018 /* store selected cipher suite for decryption */
10019 ssl->session.cipher = cipher;
10020
10021 const SslCipherSuite *cs = ssl_find_cipher(cipher);
10022 if (!cs) {
10023 ssl->cipher_suite = NULL((void*)0);
10024 ssl->state &= ~SSL_CIPHER(1<<2);
10025 ssl_debug_printf("%s can't find cipher suite 0x%04X\n", G_STRFUNC((const char*) (__func__)), cipher);
10026 } else if (ssl->session.version == SSLV3_VERSION0x300 && !(cs->dig == DIG_MD50x40 || cs->dig == DIG_SHA0x41)) {
10027 /* A malicious packet capture contains a SSL 3.0 session using a TLS 1.2
10028 * cipher suite that uses for example MACAlgorithm SHA256. Reject that
10029 * to avoid a potential buffer overflow in ssl3_check_mac. */
10030 ssl->cipher_suite = NULL((void*)0);
10031 ssl->state &= ~SSL_CIPHER(1<<2);
10032 ssl_debug_printf("%s invalid SSL 3.0 cipher suite 0x%04X\n", G_STRFUNC((const char*) (__func__)), cipher);
10033 } else {
10034 /* Cipher found, save this for the delayed decoder init */
10035 ssl->cipher_suite = cs;
10036 ssl->state |= SSL_CIPHER(1<<2);
10037 ssl_debug_printf("%s found CIPHER 0x%04X %s -> state 0x%02X\n", G_STRFUNC((const char*) (__func__)), cipher,
10038 val_to_str_ext_const(cipher, &ssl_31_ciphersuite_ext, "unknown"),
10039 ssl->state);
10040 }
10041}
10042/* }}} */
10043
10044
10045/* Client Hello and Server Hello dissections. {{{ */
10046static int
10047ssl_dissect_hnd_extension(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree,
10048 packet_info* pinfo, uint32_t offset, uint32_t offset_end, uint8_t hnd_type,
10049 SslSession *session, SslDecryptSession *ssl,
10050 bool_Bool is_dtls, wmem_strbuf_t *ja3, ja4_data_t *ja4_data,
10051 ssl_master_key_map_t *mk_map);
10052int
10053// NOLINTNEXTLINE(misc-no-recursion)
10054ssl_dissect_hnd_cli_hello(ssl_common_dissect_t *hf, tvbuff_t *tvb,
10055 packet_info *pinfo, proto_tree *tree, uint32_t offset,
10056 uint32_t offset_end, SslSession *session,
10057 SslDecryptSession *ssl, dtls_hfs_t *dtls_hfs, ssl_master_key_map_t *mk_map)
10058{
10059 /* struct {
10060 * ProtocolVersion client_version;
10061 * Random random;
10062 * SessionID session_id;
10063 * opaque cookie<0..32>; //new field for DTLS
10064 * CipherSuite cipher_suites<2..2^16-1>;
10065 * CompressionMethod compression_methods<1..2^8-1>;
10066 * Extension client_hello_extension_list<0..2^16-1>;
10067 * } ClientHello;
10068 */
10069 proto_item *ti;
10070 proto_tree *cs_tree;
10071 uint32_t client_version;
10072 uint32_t cipher_suite_length;
10073 uint32_t compression_methods_length;
10074 uint8_t compression_method;
10075 uint32_t next_offset;
10076 uint32_t initial_offset = offset;
10077 wmem_strbuf_t *ja3 = wmem_strbuf_new(pinfo->pool, "");
10078 char *ja3_hash;
10079 char *ja3_dash = "";
10080 char *ja4, *ja4_r, *ja4_hash, *ja4_b, *ja4_c;
10081 ja4_data_t ja4_data;
10082 wmem_strbuf_t *ja4_a = wmem_strbuf_new(pinfo->pool, "");
10083 wmem_strbuf_t *ja4_br = wmem_strbuf_new(pinfo->pool, "");
10084 wmem_strbuf_t *ja4_cr = wmem_strbuf_new(pinfo->pool, "");
10085 wmem_list_frame_t *curr_entry;
10086
10087 DISSECTOR_ASSERT_CMPINT(initial_offset, <=, offset_end)((void) ((initial_offset <= offset_end) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion " "initial_offset" " " "<=" " " "offset_end"
" (" "%" "l" "d" " " "<=" " " "%" "l" "d" ")", "epan/dissectors/packet-tls-utils.c"
, 10087, (int64_t)initial_offset, (int64_t)offset_end))))
;
10088 tvbuff_t *hello_tvb = tvb_new_subset_length(tvb, initial_offset, offset_end - initial_offset);
10089 offset = 0;
10090 offset_end = tvb_reported_length(hello_tvb);
10091
10092 ja4_data.max_version = 0;
10093 ja4_data.server_name_present = false0;
10094 ja4_data.num_cipher_suites = 0;
10095 ja4_data.num_extensions = 0;
10096 ja4_data.alpn = wmem_strbuf_new(pinfo->pool, "");
10097 ja4_data.cipher_list = wmem_list_new(pinfo->pool);
10098 ja4_data.extension_list = wmem_list_new(pinfo->pool);
10099 ja4_data.sighash_list = wmem_list_new(pinfo->pool);
10100
10101 /* show the client version */
10102 ti = proto_tree_add_item_ret_uint(tree, hf->hf.hs_client_version, hello_tvb,
10103 offset, 2, ENC_BIG_ENDIAN0x00000000,
10104 &client_version);
10105 if (tls_scan_client_hello(hello_tvb, offset, offset_end)) {
10106 expert_add_info(pinfo, ti, &hf->ei.legacy_version);
10107 }
10108 offset += 2;
10109 wmem_strbuf_append_printf(ja3, "%i,", client_version);
10110
10111 /*
10112 * Is it version 1.3?
10113 * If so, that's an error; TLS and DTLS 1.3 Client Hellos claim
10114 * to be TLS 1.2, and mention 1.3 in an extension. See RFC 8446
10115 * section 4.1.2 "Client Hello" and RFC 9147 Section 5.3 "Client
10116 * Hello".
10117 */
10118 if (dtls_hfs != NULL((void*)0)) {
10119 if (client_version == DTLSV1DOT3_VERSION0xfefc) {
10120 /* Don't do that. */
10121 expert_add_info(pinfo, ti, &hf->ei.client_version_error);
10122 }
10123 } else {
10124 if (client_version == TLSV1DOT3_VERSION0x304) {
10125 /* Don't do that. */
10126 expert_add_info(pinfo, ti, &hf->ei.client_version_error);
10127 }
10128 }
10129
10130 /* dissect fields that are present in both ClientHello and ServerHello */
10131 offset = ssl_dissect_hnd_hello_common(hf, hello_tvb, pinfo, tree, offset, session, ssl, false0, false0);
10132
10133 /* fields specific for DTLS (cookie_len, cookie) */
10134 if (dtls_hfs != NULL((void*)0)) {
10135 uint32_t cookie_length;
10136 /* opaque cookie<0..32> (for DTLS only) */
10137 if (!ssl_add_vector(hf, hello_tvb, pinfo, tree, offset, offset_end, &cookie_length,
10138 dtls_hfs->hf_dtls_handshake_cookie_len, 0, 32)) {
10139 return offset;
10140 }
10141 offset++;
10142 if (cookie_length > 0) {
10143 proto_tree_add_item(tree, dtls_hfs->hf_dtls_handshake_cookie,
10144 hello_tvb, offset, cookie_length, ENC_NA0x00000000);
10145 offset += cookie_length;
10146 }
10147 }
10148
10149 /* CipherSuite cipher_suites<2..2^16-1> */
10150 if (!ssl_add_vector(hf, hello_tvb, pinfo, tree, offset, offset_end, &cipher_suite_length,
10151 hf->hf.hs_cipher_suites_len, 2, UINT16_MAX(65535))) {
10152 return offset;
10153 }
10154 offset += 2;
10155 next_offset = offset + cipher_suite_length;
10156 ti = proto_tree_add_none_format(tree,
10157 hf->hf.hs_cipher_suites,
10158 hello_tvb, offset, cipher_suite_length,
10159 "Cipher Suites (%d suite%s)",
10160 cipher_suite_length / 2,
10161 plurality(cipher_suite_length/2, "", "s")((cipher_suite_length/2) == 1 ? ("") : ("s")));
10162 cs_tree = proto_item_add_subtree(ti, hf->ett.cipher_suites);
10163 while (offset + 2 <= next_offset) {
10164 uint32_t cipher_suite;
10165
10166 proto_tree_add_item_ret_uint(cs_tree, hf->hf.hs_cipher_suite, hello_tvb, offset, 2,
10167 ENC_BIG_ENDIAN0x00000000, &cipher_suite);
10168 offset += 2;
10169 if (!IS_GREASE_TLS(cipher_suite)((((cipher_suite) & 0x0f0f) == 0x0a0a) && (((cipher_suite
) & 0xff) == (((cipher_suite)>>8) & 0xff)))
) {
10170 wmem_strbuf_append_printf(ja3, "%s%i",ja3_dash, cipher_suite);
10171 ja3_dash = "-";
10172 ja4_data.num_cipher_suites += 1;
10173 wmem_list_insert_sorted(ja4_data.cipher_list, GUINT_TO_POINTER(cipher_suite)((gpointer) (gulong) (cipher_suite)), wmem_compare_uint);
10174 }
10175 }
10176 wmem_strbuf_append_c(ja3, ',');
10177 if (!ssl_end_vector(hf, hello_tvb, pinfo, cs_tree, offset, next_offset)) {
10178 offset = next_offset;
10179 }
10180
10181 /* CompressionMethod compression_methods<1..2^8-1> */
10182 if (!ssl_add_vector(hf, hello_tvb, pinfo, tree, offset, offset_end, &compression_methods_length,
10183 hf->hf.hs_comp_methods_len, 1, UINT8_MAX(255))) {
10184 return offset;
10185 }
10186 offset++;
10187 next_offset = offset + compression_methods_length;
10188 ti = proto_tree_add_none_format(tree,
10189 hf->hf.hs_comp_methods,
10190 hello_tvb, offset, compression_methods_length,
10191 "Compression Methods (%u method%s)",
10192 compression_methods_length,
10193 plurality(compression_methods_length,((compression_methods_length) == 1 ? ("") : ("s"))
10194 "", "s")((compression_methods_length) == 1 ? ("") : ("s")));
10195 cs_tree = proto_item_add_subtree(ti, hf->ett.comp_methods);
10196 while (offset < next_offset) {
10197 compression_method = tvb_get_uint8(hello_tvb, offset);
10198 /* TODO: make reserved/private comp meth. fields selectable */
10199 if (compression_method < 64)
10200 proto_tree_add_uint(cs_tree, hf->hf.hs_comp_method,
10201 hello_tvb, offset, 1, compression_method);
10202 else if (compression_method < 193)
10203 proto_tree_add_uint_format_value(cs_tree, hf->hf.hs_comp_method, hello_tvb, offset, 1,
10204 compression_method, "Reserved - to be assigned by IANA (%u)",
10205 compression_method);
10206 else
10207 proto_tree_add_uint_format_value(cs_tree, hf->hf.hs_comp_method, hello_tvb, offset, 1,
10208 compression_method, "Private use range (%u)",
10209 compression_method);
10210 offset++;
10211 }
10212
10213 /* SSL v3.0 has no extensions, so length field can indeed be missing. */
10214 if (offset < offset_end) {
10215 offset = ssl_dissect_hnd_extension(hf, hello_tvb, tree, pinfo, offset,
10216 offset_end, SSL_HND_CLIENT_HELLO,
10217 session, ssl, dtls_hfs != NULL((void*)0), ja3, &ja4_data, mk_map);
10218 if (ja4_data.max_version > 0) {
10219 client_version = ja4_data.max_version;
10220 }
10221 } else {
10222 wmem_strbuf_append_printf(ja3, ",,");
10223 }
10224
10225 if (proto_is_frame_protocol(pinfo->layers,"tcp")) {
10226 wmem_strbuf_append(ja4_a, "t");
10227 } else if (proto_is_frame_protocol(pinfo->layers,"quic")) {
10228 wmem_strbuf_append(ja4_a, "q");
10229 } else if (proto_is_frame_protocol(pinfo->layers,"dtls")) {
10230 wmem_strbuf_append(ja4_a, "d");
10231 }
10232 wmem_strbuf_append_printf(ja4_a, "%s", val_to_str_const(client_version, ssl_version_ja4_names, "00"));
10233 wmem_strbuf_append_printf(ja4_a, "%s", ja4_data.server_name_present ? "d" : "i");
10234 if (ja4_data.num_cipher_suites > 99) {
10235 wmem_strbuf_append(ja4_a, "99");
10236 } else {
10237 wmem_strbuf_append_printf(ja4_a, "%02d", ja4_data.num_cipher_suites);
10238 }
10239 if (ja4_data.num_extensions > 99) {
10240 wmem_strbuf_append(ja4_a, "99");
10241 } else {
10242 wmem_strbuf_append_printf(ja4_a, "%02d", ja4_data.num_extensions);
10243 }
10244 if (wmem_strbuf_get_len(ja4_data.alpn) > 0 ) {
10245 wmem_strbuf_append_printf(ja4_a, "%s", wmem_strbuf_get_str(ja4_data.alpn));
10246 } else {
10247 wmem_strbuf_append(ja4_a, "00");
10248 }
10249
10250 curr_entry = wmem_list_head(ja4_data.cipher_list);
10251 for (unsigned i = 0; i < wmem_list_count(ja4_data.cipher_list); i++) {
10252 wmem_strbuf_append_printf(ja4_br, "%04x", GPOINTER_TO_UINT(wmem_list_frame_data(curr_entry))((guint) (gulong) (wmem_list_frame_data(curr_entry))));
10253 if (i < wmem_list_count(ja4_data.cipher_list) - 1) {
10254 wmem_strbuf_append(ja4_br, ",");
10255 }
10256 curr_entry = wmem_list_frame_next(curr_entry);
10257 }
10258
10259 curr_entry = wmem_list_head(ja4_data.extension_list);
10260 for (unsigned i = 0; i < wmem_list_count(ja4_data.extension_list); i++) {
10261 wmem_strbuf_append_printf(ja4_cr, "%04x", GPOINTER_TO_UINT(wmem_list_frame_data(curr_entry))((guint) (gulong) (wmem_list_frame_data(curr_entry))));
10262 if (i < wmem_list_count(ja4_data.extension_list) - 1) {
10263 wmem_strbuf_append(ja4_cr, ",");
10264 }
10265 curr_entry = wmem_list_frame_next(curr_entry);
10266 }
10267
10268 if (wmem_list_count(ja4_data.sighash_list) > 0) {
10269 wmem_strbuf_append(ja4_cr, "_");
10270 curr_entry = wmem_list_head(ja4_data.sighash_list);
10271 for (unsigned i = 0; i < wmem_list_count(ja4_data.sighash_list); i++) {
10272 wmem_strbuf_append_printf(ja4_cr, "%04x", GPOINTER_TO_UINT(wmem_list_frame_data(curr_entry))((guint) (gulong) (wmem_list_frame_data(curr_entry))));
10273 if (i < wmem_list_count(ja4_data.sighash_list) - 1) {
10274 wmem_strbuf_append(ja4_cr, ",");
10275 }
10276 curr_entry = wmem_list_frame_next(curr_entry);
10277 }
10278 }
10279 if ( wmem_strbuf_get_len(ja4_br) == 0 ) {
10280 ja4_hash = g_strdup("000000000000")g_strdup_inline ("000000000000");
10281 } else {
10282 ja4_hash = g_compute_checksum_for_string(G_CHECKSUM_SHA256, wmem_strbuf_get_str(ja4_br),-1);
10283 }
10284 ja4_b = wmem_strndup(pinfo->pool, ja4_hash, 12);
10285
10286 g_free(ja4_hash)(__builtin_object_size ((ja4_hash), 0) != ((size_t) - 1)) ? g_free_sized
(ja4_hash, __builtin_object_size ((ja4_hash), 0)) : (g_free)
(ja4_hash)
;
10287 if ( wmem_strbuf_get_len(ja4_cr) == 0 ) {
10288 ja4_hash = g_strdup("000000000000")g_strdup_inline ("000000000000");
10289 } else {
10290 ja4_hash = g_compute_checksum_for_string(G_CHECKSUM_SHA256, wmem_strbuf_get_str(ja4_cr),-1);
10291 }
10292 ja4_c = wmem_strndup(pinfo->pool, ja4_hash, 12);
10293 g_free(ja4_hash)(__builtin_object_size ((ja4_hash), 0) != ((size_t) - 1)) ? g_free_sized
(ja4_hash, __builtin_object_size ((ja4_hash), 0)) : (g_free)
(ja4_hash)
;
10294
10295 ja4 = wmem_strdup_printf(pinfo->pool, "%s_%s_%s", wmem_strbuf_get_str(ja4_a), ja4_b, ja4_c);
10296 ja4_r = wmem_strdup_printf(pinfo->pool, "%s_%s_%s", wmem_strbuf_get_str(ja4_a), wmem_strbuf_get_str(ja4_br), wmem_strbuf_get_str(ja4_cr));
10297
10298 ti = proto_tree_add_string(tree, hf->hf.hs_ja4, hello_tvb, offset, 0, ja4);
10299 proto_item_set_generated(ti);
10300 ti = proto_tree_add_string(tree, hf->hf.hs_ja4_r, hello_tvb, offset, 0, ja4_r);
10301 proto_item_set_generated(ti);
10302
10303 ja3_hash = g_compute_checksum_for_string(G_CHECKSUM_MD5, wmem_strbuf_get_str(ja3),
10304 wmem_strbuf_get_len(ja3));
10305 ti = proto_tree_add_string(tree, hf->hf.hs_ja3_full, hello_tvb, offset, 0, wmem_strbuf_get_str(ja3));
10306 proto_item_set_generated(ti);
10307 ti = proto_tree_add_string(tree, hf->hf.hs_ja3_hash, hello_tvb, offset, 0, ja3_hash);
10308 proto_item_set_generated(ti);
10309 g_free(ja3_hash)(__builtin_object_size ((ja3_hash), 0) != ((size_t) - 1)) ? g_free_sized
(ja3_hash, __builtin_object_size ((ja3_hash), 0)) : (g_free)
(ja3_hash)
;
10310 return initial_offset + offset;
10311}
10312
10313void
10314ssl_dissect_hnd_srv_hello(ssl_common_dissect_t *hf, tvbuff_t *tvb,
10315 packet_info* pinfo, proto_tree *tree, uint32_t offset, uint32_t offset_end,
10316 SslSession *session, SslDecryptSession *ssl,
10317 bool_Bool is_dtls, bool_Bool is_hrr)
10318{
10319 /* struct {
10320 * ProtocolVersion server_version;
10321 * Random random;
10322 * SessionID session_id; // TLS 1.2 and before
10323 * CipherSuite cipher_suite;
10324 * CompressionMethod compression_method; // TLS 1.2 and before
10325 * Extension server_hello_extension_list<0..2^16-1>;
10326 * } ServerHello;
10327 */
10328 uint8_t draft_version = session->tls13_draft_version;
10329 proto_item *ti;
10330 uint32_t server_version;
10331 uint32_t cipher_suite;
10332 uint32_t initial_offset = offset;
10333 wmem_strbuf_t *ja3 = wmem_strbuf_new(pinfo->pool, "");
10334 char *ja3_hash;
10335
10336 col_set_str(pinfo->cinfo, COL_PROTOCOL,
10337 val_to_str_const(session->version, ssl_version_short_names, "SSL"));
10338
10339 /* Initially assume that the session is resumed. If this is not the case, a
10340 * ServerHelloDone will be observed before the ChangeCipherSpec message
10341 * which will reset this flag. */
10342 session->is_session_resumed = true1;
10343
10344 /* show the server version */
10345 ti = proto_tree_add_item_ret_uint(tree, hf->hf.hs_server_version, tvb,
10346 offset, 2, ENC_BIG_ENDIAN0x00000000, &server_version);
10347
10348 uint16_t supported_server_version;
10349 if (tls_scan_server_hello(tvb, offset, offset_end, &supported_server_version, NULL((void*)0))) {
10350 expert_add_info(pinfo, ti, &hf->ei.legacy_version);
10351 }
10352 /*
10353 * Is it version 1.3?
10354 * If so, that's an error; TLS and DTLS 1.3 Server Hellos claim
10355 * to be TLS 1.2, and mention 1.3 in an extension. See RFC 8446
10356 * section 4.1.3 "Server Hello" and RFC 9147 Section 5.4 "Server
10357 * Hello".
10358 */
10359 if (is_dtls) {
10360 if (server_version == DTLSV1DOT3_VERSION0xfefc) {
10361 /* Don't do that. */
10362 expert_add_info(pinfo, ti, &hf->ei.server_version_error);
10363 }
10364 } else {
10365 if (server_version == TLSV1DOT3_VERSION0x304) {
10366 /* Don't do that. */
10367 expert_add_info(pinfo, ti, &hf->ei.server_version_error);
10368 }
10369 }
10370
10371 offset += 2;
10372 wmem_strbuf_append_printf(ja3, "%i", server_version);
10373
10374 /* dissect fields that are present in both ClientHello and ServerHello */
10375 offset = ssl_dissect_hnd_hello_common(hf, tvb, pinfo, tree, offset, session, ssl, true1, is_hrr);
10376
10377 if (ssl) {
10378 /* store selected cipher suite for decryption */
10379 ssl_set_cipher(ssl, tvb_get_ntohs(tvb, offset));
10380 }
10381
10382 /* now the server-selected cipher suite */
10383 proto_tree_add_item_ret_uint(tree, hf->hf.hs_cipher_suite,
10384 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &cipher_suite);
10385 offset += 2;
10386 wmem_strbuf_append_printf(ja3, ",%i,", cipher_suite);
10387
10388 /* No compression with TLS 1.3 before draft -22 */
10389 if (!(session->version == TLSV1DOT3_VERSION0x304 && draft_version > 0 && draft_version < 22)) {
10390 if (ssl) {
10391 /* store selected compression method for decryption */
10392 ssl->session.compression = tvb_get_uint8(tvb, offset);
10393 }
10394 /* and the server-selected compression method */
10395 proto_tree_add_item(tree, hf->hf.hs_comp_method,
10396 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
10397 offset++;
10398 }
10399
10400 /* SSL v3.0 has no extensions, so length field can indeed be missing. */
10401 if (offset < offset_end) {
10402 offset = ssl_dissect_hnd_extension(hf, tvb, tree, pinfo, offset,
10403 offset_end,
10404 is_hrr ? SSL_HND_HELLO_RETRY_REQUEST : SSL_HND_SERVER_HELLO,
10405 session, ssl, is_dtls, ja3, NULL((void*)0), NULL((void*)0));
10406 }
10407
10408 if (ssl && ssl->ech_transcript.data_len > 0 && (ssl->state & SSL_CIPHER(1<<2)) && ssl->client_random.data_len > 0) {
10409 /* RFC 9849 7.2 Backend Server */
10410 int hash_algo = ssl_get_digest_by_name(ssl_cipher_suite_dig(ssl->cipher_suite)->name);
10411 SSL_MDgcry_md_hd_t mc;
10412 if (hash_algo && ssl_md_init(&mc, hash_algo) == 0) {
10413 unsigned char transcript_hash[DIGEST_MAX_SIZE48];
10414 unsigned char prk[DIGEST_MAX_SIZE48];
10415 unsigned char *ech_verify_out = NULL((void*)0);
10416 unsigned int len;
10417 ssl_md_update(&mc, ssl->ech_transcript.data, ssl->ech_transcript.data_len);
10418 if (is_hrr) {
10419 /* RFC 8446 4.4.1 The Transcript Hash
10420 * Special synthetic handshake following a HelloRetryRequest */
10421 ssl_md_final(&mc, transcript_hash, &len);
10422 wmem_free(wmem_file_scope(), ssl->ech_transcript.data);
10423 ssl->ech_transcript.data_len = 4 + len;
10424 ssl->ech_transcript.data = (unsigned char*)wmem_alloc(wmem_file_scope(), 4 + len + 4 + offset_end - initial_offset);
10425 ssl->ech_transcript.data[0] = SSL_HND_MESSAGE_HASH;
10426 ssl->ech_transcript.data[1] = 0;
10427 ssl->ech_transcript.data[2] = 0;
10428 ssl->ech_transcript.data[3] = len;
10429 memcpy(ssl->ech_transcript.data + 4, transcript_hash, len);
10430 ssl_md_reset(&mc);
10431 ssl_md_update(&mc, ssl->ech_transcript.data, 4 + len);
10432 } else {
10433 ssl->ech_transcript.data = wmem_realloc(wmem_file_scope(), ssl->ech_transcript.data,
10434 ssl->ech_transcript.data_len + 4 + offset_end - initial_offset);
10435 }
10436 if (initial_offset > 4) {
10437 tvb_memcpy(tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len, initial_offset - 4,
10438 4 + offset_end - initial_offset);
10439 if (is_hrr)
10440 ssl_md_update(&mc, tvb_get_ptr(tvb, initial_offset-4, 38), 38);
10441 else
10442 ssl_md_update(&mc, tvb_get_ptr(tvb, initial_offset-4, 30), 30);
10443 } else {
10444 uint8_t prefix[4] = {SSL_HND_SERVER_HELLO, 0x00, 0x00, 0x00};
10445 prefix[2] = ((offset - initial_offset) >> 8);
10446 prefix[3] = (offset - initial_offset) & 0xff;
10447 memcpy(ssl->ech_transcript.data + ssl->ech_transcript.data_len, prefix, 4);
10448 tvb_memcpy(tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len + 4, initial_offset,
10449 offset_end - initial_offset);
10450 ssl_md_update(&mc, prefix, 4);
10451 if (is_hrr)
10452 ssl_md_update(&mc, tvb_get_ptr(tvb, initial_offset, 34), 34);
10453 else
10454 ssl_md_update(&mc, tvb_get_ptr(tvb, initial_offset, 26), 26);
10455 }
10456 ssl->ech_transcript.data_len += 4 + offset_end - initial_offset;
10457 uint8_t zeros[8] = { 0 };
10458 uint32_t confirmation_offset = initial_offset + 26;
10459 if (is_hrr) {
10460 uint32_t hrr_offset = initial_offset + 34;
10461 ssl_md_update(&mc, tvb_get_ptr(tvb, hrr_offset,
10462 tvb_get_uint8(tvb, hrr_offset) + 1), tvb_get_uint8(tvb, hrr_offset) + 1);
10463 hrr_offset += tvb_get_uint8(tvb, hrr_offset) + 1;
10464 ssl_md_update(&mc, tvb_get_ptr(tvb, hrr_offset, 3), 3);
10465 hrr_offset += 3;
10466 uint32_t extensions_end = hrr_offset + tvb_get_ntohs(tvb, hrr_offset) + 2;
10467 ssl_md_update(&mc, tvb_get_ptr(tvb, hrr_offset, 2), 2);
10468 hrr_offset += 2;
10469 while (extensions_end - hrr_offset >= 4) {
10470 if (tvb_get_ntohs(tvb, hrr_offset) == SSL_HND_HELLO_EXT_ENCRYPTED_CLIENT_HELLO65037 &&
10471 tvb_get_ntohs(tvb, hrr_offset + 2) == 8) {
10472 confirmation_offset = hrr_offset + 4;
10473 ssl_md_update(&mc, tvb_get_ptr(tvb, hrr_offset, 4), 4);
10474 ssl_md_update(&mc, zeros, 8);
10475 hrr_offset += 12;
10476 } else {
10477 ssl_md_update(&mc, tvb_get_ptr(tvb, hrr_offset, tvb_get_ntohs(tvb, hrr_offset + 2) + 4),
10478 tvb_get_ntohs(tvb, hrr_offset + 2) + 4);
10479 hrr_offset += tvb_get_ntohs(tvb, hrr_offset + 2) + 4;
10480 }
10481 }
10482 } else {
10483 ssl_md_update(&mc, zeros, 8);
10484 ssl_md_update(&mc, tvb_get_ptr(tvb, initial_offset + 34, offset - initial_offset - 34),
10485 offset - initial_offset - 34);
10486 }
10487 ssl_md_final(&mc, transcript_hash, &len);
10488 ssl_md_cleanup(&mc);
10489 hkdf_extract(hash_algo, NULL((void*)0), 0, ssl->client_random.data, 32, prk);
10490 StringInfo prk_string = {prk, len};
10491 if (tls13_hkdf_expand_label_context(hash_algo, &prk_string, tls13_hkdf_label_prefix(ssl),
10492 is_hrr ? "hrr ech accept confirmation" : "ech accept confirmation",
10493 transcript_hash, len, 8, &ech_verify_out)) {
10494 memcpy(is_hrr ? ssl->session.hrr_ech_confirmation : ssl->session.ech_confirmation, ech_verify_out, 8);
10495 if (tvb_memeql(tvb, confirmation_offset, ech_verify_out, 8) == -1) {
10496 if (is_hrr) {
10497 ssl->session.hrr_ech_declined = true1;
10498 ssl->session.first_ch_ech_frame = 0;
10499 }
10500 memcpy(ssl->client_random.data, ssl->session.client_random.data, ssl->session.client_random.data_len);
10501 ssl_print_data("Updated Client Random", ssl->client_random.data, 32);
10502 }
10503 wmem_free(NULL((void*)0), ech_verify_out);
10504 }
10505 ssl->session.ech = true1;
10506 }
10507 }
10508
10509 ja3_hash = g_compute_checksum_for_string(G_CHECKSUM_MD5, wmem_strbuf_get_str(ja3),
10510 wmem_strbuf_get_len(ja3));
10511 ti = proto_tree_add_string(tree, hf->hf.hs_ja3s_full, tvb, offset, 0, wmem_strbuf_get_str(ja3));
10512 proto_item_set_generated(ti);
10513 ti = proto_tree_add_string(tree, hf->hf.hs_ja3s_hash, tvb, offset, 0, ja3_hash);
10514 proto_item_set_generated(ti);
10515 g_free(ja3_hash)(__builtin_object_size ((ja3_hash), 0) != ((size_t) - 1)) ? g_free_sized
(ja3_hash, __builtin_object_size ((ja3_hash), 0)) : (g_free)
(ja3_hash)
;
10516}
10517/* Client Hello and Server Hello dissections. }}} */
10518
10519/* New Session Ticket dissection. {{{ */
10520void
10521ssl_dissect_hnd_new_ses_ticket(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
10522 proto_tree *tree, uint32_t offset, uint32_t offset_end,
10523 SslSession *session, SslDecryptSession *ssl,
10524 bool_Bool is_dtls, GHashTable *session_hash)
10525{
10526 /* https://tools.ietf.org/html/rfc5077#section-3.3 (TLS >= 1.0):
10527 * struct {
10528 * uint32 ticket_lifetime_hint;
10529 * opaque ticket<0..2^16-1>;
10530 * } NewSessionTicket;
10531 *
10532 * RFC 8446 Section 4.6.1 (TLS 1.3):
10533 * struct {
10534 * uint32 ticket_lifetime;
10535 * uint32 ticket_age_add;
10536 * opaque ticket_nonce<0..255>; // new in draft -21, updated in -22
10537 * opaque ticket<1..2^16-1>;
10538 * Extension extensions<0..2^16-2>;
10539 * } NewSessionTicket;
10540 */
10541 proto_tree *subtree;
10542 proto_item *subitem;
10543 uint32_t ticket_len;
10544 bool_Bool is_tls13 = session->version == TLSV1DOT3_VERSION0x304 || session->version == DTLSV1DOT3_VERSION0xfefc;
10545 unsigned char draft_version = session->tls13_draft_version;
10546 uint32_t lifetime_hint;
10547
10548 subtree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
10549 hf->ett.session_ticket, NULL((void*)0),
10550 "TLS Session Ticket");
10551
10552 /* ticket lifetime hint */
10553 subitem = proto_tree_add_item_ret_uint(subtree, hf->hf.hs_session_ticket_lifetime_hint,
10554 tvb, offset, 4, ENC_BIG_ENDIAN0x00000000, &lifetime_hint);
10555 offset += 4;
10556
10557 if (lifetime_hint >= 60) {
10558 char *time_str = unsigned_time_secs_to_str(pinfo->pool, lifetime_hint);
10559 proto_item_append_text(subitem, " (%s)", time_str);
10560 }
10561
10562 if (is_tls13) {
10563
10564 /* for TLS 1.3: ticket_age_add */
10565 proto_tree_add_item(subtree, hf->hf.hs_session_ticket_age_add,
10566 tvb, offset, 4, ENC_BIG_ENDIAN0x00000000);
10567 offset += 4;
10568
10569 /* for TLS 1.3: ticket_nonce (coming with Draft 21)*/
10570 if (draft_version == 0 || draft_version >= 21) {
10571 uint32_t ticket_nonce_len;
10572
10573 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, offset_end, &ticket_nonce_len,
10574 hf->hf.hs_session_ticket_nonce_len, 0, 255)) {
10575 return;
10576 }
10577 offset++;
10578
10579 proto_tree_add_item(subtree, hf->hf.hs_session_ticket_nonce, tvb, offset, ticket_nonce_len, ENC_NA0x00000000);
10580 offset += ticket_nonce_len;
10581 }
10582
10583 }
10584
10585 /* opaque ticket<0..2^16-1> (with TLS 1.3 the minimum is 1) */
10586 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, offset_end, &ticket_len,
10587 hf->hf.hs_session_ticket_len, is_tls13 ? 1 : 0, UINT16_MAX(65535))) {
10588 return;
10589 }
10590 offset += 2;
10591
10592 /* Content depends on implementation, so just show data! */
10593 proto_tree_add_item(subtree, hf->hf.hs_session_ticket,
10594 tvb, offset, ticket_len, ENC_NA0x00000000);
10595 /* save the session ticket to cache for ssl_finalize_decryption */
10596 if (ssl && !is_tls13) {
10597 if (ssl->session.is_session_resumed) {
10598 /* NewSessionTicket is received in ServerHello before ChangeCipherSpec
10599 * (Abbreviated Handshake Using New Session Ticket).
10600 * Restore the master key for this session ticket before saving
10601 * it to the new session ticket. */
10602 ssl_restore_master_key(ssl, "Session Ticket", false0,
10603 session_hash, &ssl->session_ticket);
10604 }
10605 tvb_ensure_bytes_exist(tvb, offset, ticket_len);
10606 ssl->session_ticket.data = (unsigned char*)wmem_realloc(wmem_file_scope(),
10607 ssl->session_ticket.data, ticket_len);
10608 ssl->session_ticket.data_len = ticket_len;
10609 tvb_memcpy(tvb, ssl->session_ticket.data, offset, ticket_len);
10610 /* NewSessionTicket is received after the first (client)
10611 * ChangeCipherSpec, and before the second (server) ChangeCipherSpec.
10612 * Since the second CCS has already the session key available it will
10613 * just return. To ensure that the session ticket is mapped to a
10614 * master key (from the first CCS), save the ticket here too. */
10615 ssl_save_master_key("Session Ticket", session_hash,
10616 &ssl->session_ticket, &ssl->master_secret);
10617 ssl->state |= SSL_NEW_SESSION_TICKET(1<<10);
10618 }
10619 offset += ticket_len;
10620
10621 if (is_tls13) {
10622 ssl_dissect_hnd_extension(hf, tvb, subtree, pinfo, offset,
10623 offset_end, SSL_HND_NEWSESSION_TICKET,
10624 session, ssl, is_dtls, NULL((void*)0), NULL((void*)0), NULL((void*)0));
10625 }
10626} /* }}} */
10627
10628void
10629ssl_dissect_hnd_hello_retry_request(ssl_common_dissect_t *hf, tvbuff_t *tvb,
10630 packet_info* pinfo, proto_tree *tree, uint32_t offset, uint32_t offset_end,
10631 SslSession *session, SslDecryptSession *ssl,
10632 bool_Bool is_dtls)
10633{
10634 /* https://tools.ietf.org/html/draft-ietf-tls-tls13-19#section-4.1.4
10635 * struct {
10636 * ProtocolVersion server_version;
10637 * CipherSuite cipher_suite; // not before draft -19
10638 * Extension extensions<2..2^16-1>;
10639 * } HelloRetryRequest;
10640 * Note: no longer used since draft -22
10641 */
10642 uint32_t version;
10643 uint8_t draft_version;
10644
10645 proto_tree_add_item_ret_uint(tree, hf->hf.hs_server_version, tvb,
10646 offset, 2, ENC_BIG_ENDIAN0x00000000, &version);
10647 draft_version = extract_tls13_draft_version(version);
10648 offset += 2;
10649
10650 if (draft_version == 0 || draft_version >= 19) {
10651 proto_tree_add_item(tree, hf->hf.hs_cipher_suite,
10652 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
10653 offset += 2;
10654 }
10655
10656 ssl_dissect_hnd_extension(hf, tvb, tree, pinfo, offset,
10657 offset_end, SSL_HND_HELLO_RETRY_REQUEST,
10658 session, ssl, is_dtls, NULL((void*)0), NULL((void*)0), NULL((void*)0));
10659}
10660
10661void
10662ssl_dissect_hnd_encrypted_extensions(ssl_common_dissect_t *hf, tvbuff_t *tvb,
10663 packet_info* pinfo, proto_tree *tree, uint32_t offset, uint32_t offset_end,
10664 SslSession *session, SslDecryptSession *ssl,
10665 bool_Bool is_dtls)
10666{
10667 /* RFC 8446 Section 4.3.1
10668 * struct {
10669 * Extension extensions<0..2^16-1>;
10670 * } EncryptedExtensions;
10671 */
10672 ssl_dissect_hnd_extension(hf, tvb, tree, pinfo, offset,
10673 offset_end, SSL_HND_ENCRYPTED_EXTENSIONS,
10674 session, ssl, is_dtls, NULL((void*)0), NULL((void*)0), NULL((void*)0));
10675}
10676
10677/* Certificate and Certificate Request dissections. {{{ */
10678void
10679ssl_dissect_hnd_cert(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree,
10680 uint32_t offset, uint32_t offset_end, packet_info *pinfo,
10681 SslSession *session, SslDecryptSession *ssl _U___attribute__((unused)),
10682 bool_Bool is_from_server, bool_Bool is_dtls)
10683{
10684 /* opaque ASN.1Cert<1..2^24-1>;
10685 *
10686 * Before RFC 8446 (TLS <= 1.2):
10687 * struct {
10688 * select(certificate_type) {
10689 *
10690 * // certificate type defined in RFC 7250
10691 * case RawPublicKey:
10692 * opaque ASN.1_subjectPublicKeyInfo<1..2^24-1>;
10693 *
10694 * // X.509 certificate defined in RFC 5246
10695 * case X.509:
10696 * ASN.1Cert certificate_list<0..2^24-1>;
10697 * };
10698 * } Certificate;
10699 *
10700 * RFC 8446 (since draft -20):
10701 * struct {
10702 * select(certificate_type){
10703 * case RawPublicKey:
10704 * // From RFC 7250 ASN.1_subjectPublicKeyInfo
10705 * opaque ASN1_subjectPublicKeyInfo<1..2^24-1>;
10706 *
10707 * case X.509:
10708 * opaque cert_data<1..2^24-1>;
10709 * }
10710 * Extension extensions<0..2^16-1>;
10711 * } CertificateEntry;
10712 * struct {
10713 * opaque certificate_request_context<0..2^8-1>;
10714 * CertificateEntry certificate_list<0..2^24-1>;
10715 * } Certificate;
10716 */
10717 enum { CERT_X509, CERT_RPK } cert_type;
10718 asn1_ctx_t asn1_ctx;
10719#if defined(HAVE_LIBGNUTLS1)
10720 gnutls_datum_t subjectPublicKeyInfo = { NULL((void*)0), 0 };
10721 unsigned certificate_index = 0;
10722#endif
10723 uint32_t next_offset, certificate_list_length, cert_length;
10724 proto_tree *subtree = tree;
10725
10726 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true1, pinfo);
10727
10728 if ((is_from_server && session->server_cert_type == SSL_HND_CERT_TYPE_RAW_PUBLIC_KEY2) ||
10729 (!is_from_server && session->client_cert_type == SSL_HND_CERT_TYPE_RAW_PUBLIC_KEY2)) {
10730 cert_type = CERT_RPK;
10731 } else {
10732 cert_type = CERT_X509;
10733 }
10734
10735#if defined(HAVE_LIBGNUTLS1)
10736 /* Ask the pkcs1 dissector to return the public key details */
10737 if (ssl)
10738 asn1_ctx.private_data = &subjectPublicKeyInfo;
10739#endif
10740
10741 /* TLS 1.3: opaque certificate_request_context<0..2^8-1> */
10742 if (session->version == TLSV1DOT3_VERSION0x304 || session->version == DTLSV1DOT3_VERSION0xfefc) {
10743 uint32_t context_length;
10744 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &context_length,
10745 hf->hf.hs_certificate_request_context_length, 0, UINT8_MAX(255))) {
10746 return;
10747 }
10748 offset++;
10749 if (context_length > 0) {
10750 proto_tree_add_item(tree, hf->hf.hs_certificate_request_context,
10751 tvb, offset, context_length, ENC_NA0x00000000);
10752 offset += context_length;
10753 }
10754 }
10755
10756 if ((session->version != TLSV1DOT3_VERSION0x304 && session->version != DTLSV1DOT3_VERSION0xfefc) && cert_type == CERT_RPK) {
10757 /* For RPK before TLS 1.3, the single RPK is stored directly without
10758 * another "certificate_list" field. */
10759 certificate_list_length = offset_end - offset;
10760 next_offset = offset_end;
10761 } else {
10762 /* CertificateEntry certificate_list<0..2^24-1> */
10763 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &certificate_list_length,
10764 hf->hf.hs_certificates_len, 0, G_MAXUINT24((1U << 24) - 1))) {
10765 return;
10766 }
10767 offset += 3; /* 24-bit length value */
10768 next_offset = offset + certificate_list_length;
10769 }
10770
10771 /* RawPublicKey must have one cert, but X.509 can have multiple. */
10772 if (certificate_list_length > 0 && cert_type == CERT_X509) {
10773 proto_item *ti;
10774
10775 ti = proto_tree_add_none_format(tree,
10776 hf->hf.hs_certificates,
10777 tvb, offset, certificate_list_length,
10778 "Certificates (%u bytes)",
10779 certificate_list_length);
10780
10781 /* make it a subtree */
10782 subtree = proto_item_add_subtree(ti, hf->ett.certificates);
10783 }
10784
10785 while (offset < next_offset) {
10786 switch (cert_type) {
10787 case CERT_RPK:
10788 /* TODO add expert info if there is more than one RPK entry (certificate_index > 0) */
10789 /* opaque ASN.1_subjectPublicKeyInfo<1..2^24-1> */
10790 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, next_offset, &cert_length,
10791 hf->hf.hs_certificate_len, 1, G_MAXUINT24((1U << 24) - 1))) {
10792 return;
10793 }
10794 offset += 3;
10795
10796 dissect_x509af_SubjectPublicKeyInfo(false0, tvb, offset, &asn1_ctx, subtree, hf->hf.hs_certificate);
10797 offset += cert_length;
10798 break;
10799 case CERT_X509:
10800 /* opaque ASN1Cert<1..2^24-1> */
10801 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, next_offset, &cert_length,
10802 hf->hf.hs_certificate_len, 1, G_MAXUINT24((1U << 24) - 1))) {
10803 return;
10804 }
10805 offset += 3;
10806
10807 dissect_x509af_Certificate(false0, tvb, offset, &asn1_ctx, subtree, hf->hf.hs_certificate);
10808#if defined(HAVE_LIBGNUTLS1)
10809 if (is_from_server && ssl && certificate_index == 0) {
10810 ssl_find_private_key_by_pubkey(ssl, &subjectPublicKeyInfo);
10811 /* Only attempt to get the RSA modulus for the first cert. */
10812 asn1_ctx.private_data = NULL((void*)0);
10813 }
10814#endif
10815 offset += cert_length;
10816 break;
10817 }
10818
10819 /* TLS 1.3: Extension extensions<0..2^16-1> */
10820 if ((session->version == TLSV1DOT3_VERSION0x304 || session->version == DTLSV1DOT3_VERSION0xfefc)) {
10821 offset = ssl_dissect_hnd_extension(hf, tvb, subtree, pinfo, offset,
10822 next_offset, SSL_HND_CERTIFICATE,
10823 session, ssl, is_dtls, NULL((void*)0), NULL((void*)0), NULL((void*)0));
10824 }
10825
10826#if defined(HAVE_LIBGNUTLS1)
10827 certificate_index++;
10828#endif
10829 }
10830}
10831
10832void
10833ssl_dissect_hnd_cert_req(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
10834 proto_tree *tree, uint32_t offset, uint32_t offset_end,
10835 SslSession *session, bool_Bool is_dtls)
10836{
10837 /* From SSL 3.0 and up (note that since TLS 1.1 certificate_authorities can be empty):
10838 * enum {
10839 * rsa_sign(1), dss_sign(2), rsa_fixed_dh(3), dss_fixed_dh(4),
10840 * (255)
10841 * } ClientCertificateType;
10842 *
10843 * opaque DistinguishedName<1..2^16-1>;
10844 *
10845 * struct {
10846 * ClientCertificateType certificate_types<1..2^8-1>;
10847 * DistinguishedName certificate_authorities<3..2^16-1>;
10848 * } CertificateRequest;
10849 *
10850 *
10851 * As per TLSv1.2 (RFC 5246) the format has changed to:
10852 *
10853 * enum {
10854 * rsa_sign(1), dss_sign(2), rsa_fixed_dh(3), dss_fixed_dh(4),
10855 * rsa_ephemeral_dh_RESERVED(5), dss_ephemeral_dh_RESERVED(6),
10856 * fortezza_dms_RESERVED(20), (255)
10857 * } ClientCertificateType;
10858 *
10859 * enum {
10860 * none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5),
10861 * sha512(6), (255)
10862 * } HashAlgorithm;
10863 *
10864 * enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) }
10865 * SignatureAlgorithm;
10866 *
10867 * struct {
10868 * HashAlgorithm hash;
10869 * SignatureAlgorithm signature;
10870 * } SignatureAndHashAlgorithm;
10871 *
10872 * SignatureAndHashAlgorithm
10873 * supported_signature_algorithms<2..2^16-2>;
10874 *
10875 * opaque DistinguishedName<1..2^16-1>;
10876 *
10877 * struct {
10878 * ClientCertificateType certificate_types<1..2^8-1>;
10879 * SignatureAndHashAlgorithm supported_signature_algorithms<2^16-1>;
10880 * DistinguishedName certificate_authorities<0..2^16-1>;
10881 * } CertificateRequest;
10882 *
10883 * draft-ietf-tls-tls13-18:
10884 * struct {
10885 * opaque certificate_request_context<0..2^8-1>;
10886 * SignatureScheme
10887 * supported_signature_algorithms<2..2^16-2>;
10888 * DistinguishedName certificate_authorities<0..2^16-1>;
10889 * CertificateExtension certificate_extensions<0..2^16-1>;
10890 * } CertificateRequest;
10891 *
10892 * RFC 8446 (since draft-ietf-tls-tls13-19):
10893 *
10894 * struct {
10895 * opaque certificate_request_context<0..2^8-1>;
10896 * Extension extensions<2..2^16-1>;
10897 * } CertificateRequest;
10898 */
10899 proto_item *ti;
10900 proto_tree *subtree;
10901 uint32_t next_offset;
10902 asn1_ctx_t asn1_ctx;
10903 bool_Bool is_tls13 = (session->version == TLSV1DOT3_VERSION0x304 || session->version == DTLSV1DOT3_VERSION0xfefc);
10904 unsigned char draft_version = session->tls13_draft_version;
10905
10906 if (!tree)
10907 return;
10908
10909 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true1, pinfo);
10910
10911 if (is_tls13) {
10912 uint32_t context_length;
10913 /* opaque certificate_request_context<0..2^8-1> */
10914 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &context_length,
10915 hf->hf.hs_certificate_request_context_length, 0, UINT8_MAX(255))) {
10916 return;
10917 }
10918 offset++;
10919 if (context_length > 0) {
10920 proto_tree_add_item(tree, hf->hf.hs_certificate_request_context,
10921 tvb, offset, context_length, ENC_NA0x00000000);
10922 offset += context_length;
10923 }
10924 } else {
10925 uint32_t cert_types_count;
10926 /* ClientCertificateType certificate_types<1..2^8-1> */
10927 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &cert_types_count,
10928 hf->hf.hs_cert_types_count, 1, UINT8_MAX(255))) {
10929 return;
10930 }
10931 offset++;
10932 next_offset = offset + cert_types_count;
10933
10934 ti = proto_tree_add_none_format(tree,
10935 hf->hf.hs_cert_types,
10936 tvb, offset, cert_types_count,
10937 "Certificate types (%u type%s)",
10938 cert_types_count,
10939 plurality(cert_types_count, "", "s")((cert_types_count) == 1 ? ("") : ("s")));
10940 subtree = proto_item_add_subtree(ti, hf->ett.cert_types);
10941
10942 while (offset < next_offset) {
10943 proto_tree_add_item(subtree, hf->hf.hs_cert_type, tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
10944 offset++;
10945 }
10946 }
10947
10948 if (session->version == TLSV1DOT2_VERSION0x303 || session->version == DTLSV1DOT2_VERSION0xfefd ||
10949 (is_tls13 && (draft_version > 0 && draft_version < 19))) {
10950 offset = ssl_dissect_hash_alg_list(hf, tvb, tree, pinfo, offset, offset_end, NULL((void*)0));
10951 }
10952
10953 if (is_tls13 && (draft_version == 0 || draft_version >= 19)) {
10954 /*
10955 * TLS 1.3 draft 19 and newer: Extensions.
10956 * SslDecryptSession pointer is NULL because Certificate Extensions
10957 * should not influence decryption state.
10958 */
10959 ssl_dissect_hnd_extension(hf, tvb, tree, pinfo, offset,
10960 offset_end, SSL_HND_CERT_REQUEST,
10961 session, NULL((void*)0), is_dtls, NULL((void*)0), NULL((void*)0), NULL((void*)0));
10962 } else if (is_tls13 && draft_version <= 18) {
10963 /*
10964 * TLS 1.3 draft 18 and older: certificate_authorities and
10965 * certificate_extensions (a vector of OID mappings).
10966 */
10967 offset = tls_dissect_certificate_authorities(hf, tvb, pinfo, tree, offset, offset_end);
10968 ssl_dissect_hnd_hello_ext_oid_filters(hf, tvb, pinfo, tree, offset, offset_end);
10969 } else {
10970 /* for TLS 1.2 and older, the certificate_authorities field. */
10971 tls_dissect_certificate_authorities(hf, tvb, pinfo, tree, offset, offset_end);
10972 }
10973}
10974/* Certificate and Certificate Request dissections. }}} */
10975
10976void
10977ssl_dissect_hnd_cli_cert_verify(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
10978 proto_tree *tree, uint32_t offset, uint32_t offset_end, uint16_t version)
10979{
10980 ssl_dissect_digitally_signed(hf, tvb, pinfo, tree, offset, offset_end, version,
10981 hf->hf.hs_client_cert_vrfy_sig_len,
10982 hf->hf.hs_client_cert_vrfy_sig);
10983}
10984
10985/* Finished dissection. {{{ */
10986void
10987ssl_dissect_hnd_finished(ssl_common_dissect_t *hf, tvbuff_t *tvb,
10988 proto_tree *tree, uint32_t offset, uint32_t offset_end,
10989 const SslSession *session, ssl_hfs_t *ssl_hfs)
10990{
10991 /* For SSLv3:
10992 * struct {
10993 * opaque md5_hash[16];
10994 * opaque sha_hash[20];
10995 * } Finished;
10996 *
10997 * For (D)TLS:
10998 * struct {
10999 * opaque verify_data[12];
11000 * } Finished;
11001 *
11002 * For TLS 1.3:
11003 * struct {
11004 * opaque verify_data[Hash.length];
11005 * }
11006 */
11007 if (!tree)
11008 return;
11009
11010 if (session->version == SSLV3_VERSION0x300) {
11011 if (ssl_hfs != NULL((void*)0)) {
11012 proto_tree_add_item(tree, ssl_hfs->hs_md5_hash,
11013 tvb, offset, 16, ENC_NA0x00000000);
11014 proto_tree_add_item(tree, ssl_hfs->hs_sha_hash,
11015 tvb, offset + 16, 20, ENC_NA0x00000000);
11016 }
11017 } else {
11018 /* Length should be 12 for TLS before 1.3, assume this is the case. */
11019 proto_tree_add_item(tree, hf->hf.hs_finished,
11020 tvb, offset, offset_end - offset, ENC_NA0x00000000);
11021 }
11022} /* }}} */
11023
11024/* RFC 6066 Certificate URL handshake message dissection. {{{ */
11025void
11026ssl_dissect_hnd_cert_url(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree, uint32_t offset)
11027{
11028 uint16_t url_hash_len;
11029
11030 /* enum {
11031 * individual_certs(0), pkipath(1), (255)
11032 * } CertChainType;
11033 *
11034 * struct {
11035 * CertChainType type;
11036 * URLAndHash url_and_hash_list<1..2^16-1>;
11037 * } CertificateURL;
11038 *
11039 * struct {
11040 * opaque url<1..2^16-1>;
11041 * uint8 padding;
11042 * opaque SHA1Hash[20];
11043 * } URLAndHash;
11044 */
11045
11046 proto_tree_add_item(tree, hf->hf.hs_ext_cert_url_type,
11047 tvb, offset, 1, ENC_NA0x00000000);
11048 offset++;
11049
11050 url_hash_len = tvb_get_ntohs(tvb, offset);
11051 proto_tree_add_item(tree, hf->hf.hs_ext_cert_url_url_hash_list_len,
11052 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
11053 offset += 2;
11054 while (url_hash_len-- > 0) {
11055 proto_item *urlhash_item;
11056 proto_tree *urlhash_tree;
11057 uint16_t url_len;
11058
11059 urlhash_item = proto_tree_add_item(tree, hf->hf.hs_ext_cert_url_item,
11060 tvb, offset, -1, ENC_NA0x00000000);
11061 urlhash_tree = proto_item_add_subtree(urlhash_item, hf->ett.urlhash);
11062
11063 url_len = tvb_get_ntohs(tvb, offset);
11064 proto_tree_add_item(urlhash_tree, hf->hf.hs_ext_cert_url_url_len,
11065 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
11066 offset += 2;
11067
11068 proto_tree_add_item(urlhash_tree, hf->hf.hs_ext_cert_url_url,
11069 tvb, offset, url_len, ENC_ASCII0x00000000|ENC_NA0x00000000);
11070 offset += url_len;
11071
11072 proto_tree_add_item(urlhash_tree, hf->hf.hs_ext_cert_url_padding,
11073 tvb, offset, 1, ENC_NA0x00000000);
11074 offset++;
11075 /* Note: RFC 6066 says that padding must be 0x01 */
11076
11077 proto_tree_add_item(urlhash_tree, hf->hf.hs_ext_cert_url_sha1,
11078 tvb, offset, 20, ENC_NA0x00000000);
11079 offset += 20;
11080 }
11081} /* }}} */
11082
11083void
11084ssl_dissect_hnd_compress_certificate(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree,
11085 uint32_t offset, uint32_t offset_end, packet_info *pinfo,
11086 SslSession *session, SslDecryptSession *ssl,
11087 bool_Bool is_from_server, bool_Bool is_dtls)
11088{
11089 uint32_t algorithm, uncompressed_length;
11090 uint32_t compressed_certificate_message_length;
11091 tvbuff_t *uncompressed_tvb = NULL((void*)0);
11092 proto_item *ti;
11093 /*
11094 * enum {
11095 * zlib(1),
11096 * brotli(2),
11097 * zstd(3),
11098 * (65535)
11099 * } CertificateCompressionAlgorithm;
11100 *
11101 * struct {
11102 * CertificateCompressionAlgorithm algorithm;
11103 * uint24 uncompressed_length;
11104 * opaque compressed_certificate_message<1..2^24-1>;
11105 * } CompressedCertificate;
11106 */
11107
11108 proto_tree_add_item_ret_uint(tree, hf->hf.hs_ext_compress_certificate_algorithm,
11109 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &algorithm);
11110 offset += 2;
11111
11112 proto_tree_add_item_ret_uint(tree, hf->hf.hs_ext_compress_certificate_uncompressed_length,
11113 tvb, offset, 3, ENC_BIG_ENDIAN0x00000000, &uncompressed_length);
11114 offset += 3;
11115
11116 /* opaque compressed_certificate_message<1..2^24-1>; */
11117 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &compressed_certificate_message_length,
11118 hf->hf.hs_ext_compress_certificate_compressed_certificate_message_length, 1, G_MAXUINT24((1U << 24) - 1))) {
11119 return;
11120 }
11121 offset += 3;
11122
11123 ti = proto_tree_add_item(tree, hf->hf.hs_ext_compress_certificate_compressed_certificate_message,
11124 tvb, offset, compressed_certificate_message_length, ENC_NA0x00000000);
11125
11126 /* Certificate decompression following algorithm */
11127 switch (algorithm) {
11128 case 1: /* zlib */
11129 uncompressed_tvb = tvb_child_uncompress_zlib(tvb, tvb, offset, compressed_certificate_message_length);
11130 break;
11131 case 2: /* brotli */
11132 uncompressed_tvb = tvb_child_uncompress_brotli(tvb, tvb, offset, compressed_certificate_message_length);
11133 break;
11134 case 3: /* zstd */
11135 uncompressed_tvb = tvb_child_uncompress_zstd(tvb, tvb, offset, compressed_certificate_message_length);
11136 break;
11137 }
11138
11139 if (uncompressed_tvb) {
11140 proto_tree *uncompressed_tree;
11141
11142 if (uncompressed_length != tvb_captured_length(uncompressed_tvb)) {
11143 proto_tree_add_expert_format(tree, pinfo, &hf->ei.decompression_error,
11144 tvb, offset, offset_end - offset,
11145 "Invalid uncompressed length %u (expected %u)",
11146 tvb_captured_length(uncompressed_tvb),
11147 uncompressed_length);
11148 } else {
11149 uncompressed_tree = proto_item_add_subtree(ti, hf->ett.uncompressed_certificates);
11150 ssl_dissect_hnd_cert(hf, uncompressed_tvb, uncompressed_tree,
11151 0, uncompressed_length, pinfo, session, ssl, is_from_server, is_dtls);
11152 add_new_data_source(pinfo, uncompressed_tvb, "Uncompressed certificate(s)");
11153 }
11154 }
11155}
11156
11157/* Dissection of TLS Extensions in Client Hello, Server Hello, etc. {{{ */
11158static int
11159// NOLINTNEXTLINE(misc-no-recursion)
11160ssl_dissect_hnd_extension(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree,
11161 packet_info* pinfo, uint32_t offset, uint32_t offset_end, uint8_t hnd_type,
11162 SslSession *session, SslDecryptSession *ssl,
11163 bool_Bool is_dtls, wmem_strbuf_t *ja3, ja4_data_t *ja4_data,
11164 ssl_master_key_map_t *mk_map)
11165{
11166 uint32_t exts_len;
11167 uint16_t ext_type;
11168 uint32_t ext_len;
11169 uint32_t next_offset;
11170 proto_item *ext_item;
11171 proto_tree *ext_tree;
11172 bool_Bool is_tls13 = session->version == TLSV1DOT3_VERSION0x304;
11173 wmem_strbuf_t *ja3_sg = wmem_strbuf_new(pinfo->pool, "");
11174 wmem_strbuf_t *ja3_ecpf = wmem_strbuf_new(pinfo->pool, "");
11175 char *ja3_dash = "";
11176 unsigned supported_version;
11177
11178 /* Extension extensions<0..2^16-2> (for TLS 1.3 HRR/CR min-length is 2) */
11179 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &exts_len,
11180 hf->hf.hs_exts_len, 0, UINT16_MAX(65535))) {
11181 return offset_end;
11182 }
11183 offset += 2;
11184 offset_end = offset + exts_len;
11185
11186 if (ja4_data) {
11187 ja4_data->num_extensions = 0;
11188 }
11189 while (offset_end - offset >= 4)
11190 {
11191 ext_type = tvb_get_ntohs(tvb, offset);
11192 ext_len = tvb_get_ntohs(tvb, offset + 2);
11193
11194 if (ja4_data && !IS_GREASE_TLS(ext_type)((((ext_type) & 0x0f0f) == 0x0a0a) && (((ext_type
) & 0xff) == (((ext_type)>>8) & 0xff)))
) {
11195 ja4_data->num_extensions += 1;
11196 if (ext_type != SSL_HND_HELLO_EXT_SERVER_NAME0 &&
11197 ext_type != SSL_HND_HELLO_EXT_ALPN16) {
11198 wmem_list_insert_sorted(ja4_data->extension_list, GUINT_TO_POINTER(ext_type)((gpointer) (gulong) (ext_type)), wmem_compare_uint);
11199 }
11200 }
11201
11202 ext_item = proto_tree_add_none_format(tree, hf->hf.hs_ext, tvb, offset, 4 + ext_len,
11203 "Extension: %s (len=%u)", val_to_str(pinfo->pool, ext_type,
11204 tls_hello_extension_types,
11205 "Unknown type %u"), ext_len);
11206 ext_tree = proto_item_add_subtree(ext_item, hf->ett.hs_ext);
11207
11208 proto_tree_add_uint(ext_tree, hf->hf.hs_ext_type,
11209 tvb, offset, 2, ext_type);
11210 offset += 2;
11211 if (ja3 && !IS_GREASE_TLS(ext_type)((((ext_type) & 0x0f0f) == 0x0a0a) && (((ext_type
) & 0xff) == (((ext_type)>>8) & 0xff)))
) {
11212 wmem_strbuf_append_printf(ja3, "%s%i",ja3_dash, ext_type);
11213 ja3_dash = "-";
11214 }
11215
11216 /* opaque extension_data<0..2^16-1> */
11217 if (!ssl_add_vector(hf, tvb, pinfo, ext_tree, offset, offset_end, &ext_len,
11218 hf->hf.hs_ext_len, 0, UINT16_MAX(65535))) {
11219 return offset_end;
11220 }
11221 offset += 2;
11222 next_offset = offset + ext_len;
11223
11224 switch (ext_type) {
11225 case SSL_HND_HELLO_EXT_SERVER_NAME0:
11226 if (hnd_type == SSL_HND_CLIENT_HELLO) {
11227 offset = ssl_dissect_hnd_hello_ext_server_name(hf, tvb, pinfo, ext_tree, offset, next_offset);
11228 if (ja4_data) {
11229 ja4_data->server_name_present = true1;
11230 }
11231 }
11232 break;
11233 case SSL_HND_HELLO_EXT_MAX_FRAGMENT_LENGTH1:
11234 proto_tree_add_item(ext_tree, hf->hf.hs_ext_max_fragment_length, tvb, offset, 1, ENC_NA0x00000000);
11235 offset += 1;
11236 break;
11237 case SSL_HND_HELLO_EXT_STATUS_REQUEST5:
11238 if (hnd_type == SSL_HND_CLIENT_HELLO) {
11239 offset = ssl_dissect_hnd_hello_ext_status_request(hf, tvb, pinfo, ext_tree, offset, next_offset, false0);
11240 } else if (is_tls13 && hnd_type == SSL_HND_CERTIFICATE) {
11241 offset = tls_dissect_hnd_certificate_status(hf, tvb, pinfo, ext_tree, offset, next_offset);
11242 }
11243 break;
11244 case SSL_HND_HELLO_EXT_CERT_TYPE9:
11245 offset = ssl_dissect_hnd_hello_ext_cert_type(hf, tvb, ext_tree,
11246 offset, next_offset,
11247 hnd_type, ext_type,
11248 session);
11249 break;
11250 case SSL_HND_HELLO_EXT_SUPPORTED_GROUPS10:
11251 if (hnd_type == SSL_HND_CLIENT_HELLO) {
11252 offset = ssl_dissect_hnd_hello_ext_supported_groups(hf, tvb, pinfo, ext_tree, offset,
11253 next_offset, ja3_sg);
11254 } else {
11255 offset = ssl_dissect_hnd_hello_ext_supported_groups(hf, tvb, pinfo, ext_tree, offset,
11256 next_offset, NULL((void*)0));
11257 }
11258 break;
11259 case SSL_HND_HELLO_EXT_EC_POINT_FORMATS11:
11260 if (hnd_type == SSL_HND_CLIENT_HELLO) {
11261 offset = ssl_dissect_hnd_hello_ext_ec_point_formats(hf, tvb, ext_tree, offset, ja3_ecpf);
11262 } else {
11263 offset = ssl_dissect_hnd_hello_ext_ec_point_formats(hf, tvb, ext_tree, offset, NULL((void*)0));
11264 }
11265 break;
11266 case SSL_HND_HELLO_EXT_SRP12:
11267 offset = ssl_dissect_hnd_hello_ext_srp(hf, tvb, pinfo, ext_tree, offset, next_offset);
11268 break;
11269 case SSL_HND_HELLO_EXT_SIGNATURE_ALGORITHMS13:
11270 offset = ssl_dissect_hnd_hello_ext_sig_hash_algs(hf, tvb, ext_tree, pinfo, offset, next_offset, ja4_data);
11271 break;
11272 case SSL_HND_HELLO_EXT_SIGNATURE_ALGORITHMS_CERT50: /* since TLS 1.3 draft -23 */
11273 offset = ssl_dissect_hnd_hello_ext_sig_hash_algs(hf, tvb, ext_tree, pinfo, offset, next_offset, NULL((void*)0));
11274 break;
11275 case SSL_HND_HELLO_EXT_DELEGATED_CREDENTIALS34:
11276 offset = ssl_dissect_hnd_ext_delegated_credentials(hf, tvb, ext_tree, pinfo, offset, next_offset, hnd_type);
11277 break;
11278 case SSL_HND_HELLO_EXT_USE_SRTP14:
11279 if (is_dtls) {
11280 if (hnd_type == SSL_HND_CLIENT_HELLO) {
11281 offset = dtls_dissect_hnd_hello_ext_use_srtp(pinfo, tvb, ext_tree, offset, next_offset, false0);
11282 } else if (hnd_type == SSL_HND_SERVER_HELLO) {
11283 offset = dtls_dissect_hnd_hello_ext_use_srtp(pinfo, tvb, ext_tree, offset, next_offset, true1);
11284 }
11285 } else {
11286 // XXX expert info: This extension MUST only be used with DTLS, and not with TLS.
11287 }
11288 break;
11289 case SSL_HND_HELLO_EXT_ECH_OUTER_EXTENSIONS64768:
11290 offset = ssl_dissect_hnd_ech_outer_ext(hf, tvb, pinfo, ext_tree, offset, next_offset);
11291 break;
11292 case SSL_HND_HELLO_EXT_ENCRYPTED_CLIENT_HELLO65037:
11293 offset = ssl_dissect_hnd_hello_ext_ech(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, session, ssl, mk_map);
11294 break;
11295 case SSL_HND_HELLO_EXT_HEARTBEAT15:
11296 proto_tree_add_item(ext_tree, hf->hf.hs_ext_heartbeat_mode,
11297 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
11298 offset++;
11299 break;
11300 case SSL_HND_HELLO_EXT_ALPN16:
11301 offset = ssl_dissect_hnd_hello_ext_alpn(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, session, is_dtls, ja4_data);
11302 break;
11303 case SSL_HND_HELLO_EXT_STATUS_REQUEST_V217:
11304 if (hnd_type == SSL_HND_CLIENT_HELLO)
11305 offset = ssl_dissect_hnd_hello_ext_status_request_v2(hf, tvb, pinfo, ext_tree, offset, next_offset);
11306 break;
11307 case SSL_HND_HELLO_EXT_SIGNED_CERTIFICATE_TIMESTAMP18:
11308 // TLS 1.3 note: SCT only appears in EE in draft -16 and before.
11309 if (hnd_type == SSL_HND_SERVER_HELLO || hnd_type == SSL_HND_ENCRYPTED_EXTENSIONS || hnd_type == SSL_HND_CERTIFICATE)
11310 offset = tls_dissect_sct_list(hf, tvb, pinfo, ext_tree, offset, next_offset, session->version);
11311 break;
11312 case SSL_HND_HELLO_EXT_CLIENT_CERT_TYPE19:
11313 case SSL_HND_HELLO_EXT_SERVER_CERT_TYPE20:
11314 offset = ssl_dissect_hnd_hello_ext_cert_type(hf, tvb, ext_tree,
11315 offset, next_offset,
11316 hnd_type, ext_type,
11317 session);
11318 break;
11319 case SSL_HND_HELLO_EXT_PADDING21:
11320 proto_tree_add_item(ext_tree, hf->hf.hs_ext_padding_data, tvb, offset, ext_len, ENC_NA0x00000000);
11321 offset += ext_len;
11322 break;
11323 case SSL_HND_HELLO_EXT_ENCRYPT_THEN_MAC22:
11324 if (ssl && hnd_type == SSL_HND_SERVER_HELLO) {
11325 ssl_debug_printf("%s enabling Encrypt-then-MAC\n", G_STRFUNC((const char*) (__func__)));
11326 ssl->state |= SSL_ENCRYPT_THEN_MAC(1<<11);
11327 }
11328 break;
11329 case SSL_HND_HELLO_EXT_EXTENDED_MASTER_SECRET23:
11330 if (ssl) {
11331 switch (hnd_type) {
11332 case SSL_HND_CLIENT_HELLO:
11333 ssl->state |= SSL_CLIENT_EXTENDED_MASTER_SECRET(1<<7);
11334 break;
11335 case SSL_HND_SERVER_HELLO:
11336 ssl->state |= SSL_SERVER_EXTENDED_MASTER_SECRET(1<<8);
11337 break;
11338 default: /* no default */
11339 break;
11340 }
11341 }
11342 break;
11343 case SSL_HND_HELLO_EXT_COMPRESS_CERTIFICATE27:
11344 offset = ssl_dissect_hnd_hello_ext_compress_certificate(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, ssl);
11345 break;
11346 case SSL_HND_HELLO_EXT_TOKEN_BINDING24:
11347 offset = ssl_dissect_hnd_hello_ext_token_binding(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, ssl);
11348 break;
11349 case SSL_HND_HELLO_EXT_RECORD_SIZE_LIMIT28:
11350 proto_tree_add_item(ext_tree, hf->hf.hs_ext_record_size_limit,
11351 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
11352 offset += 2;
11353 break;
11354 case SSL_HND_HELLO_EXT_QUIC_TRANSPORT_PARAMETERS65445:
11355 case SSL_HND_HELLO_EXT_QUIC_TRANSPORT_PARAMETERS_V157:
11356 offset = ssl_dissect_hnd_hello_ext_quic_transport_parameters(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, ssl);
11357 break;
11358 case SSL_HND_HELLO_EXT_SESSION_TICKET_TLS35:
11359 offset = ssl_dissect_hnd_hello_ext_session_ticket(hf, tvb, ext_tree, offset, next_offset, hnd_type, ssl);
11360 break;
11361 case SSL_HND_HELLO_EXT_KEY_SHARE_OLD40: /* used before TLS 1.3 draft -23 */
11362 case SSL_HND_HELLO_EXT_KEY_SHARE51:
11363 offset = ssl_dissect_hnd_hello_ext_key_share(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, ssl);
11364 break;
11365 case SSL_HND_HELLO_EXT_PRE_SHARED_KEY41:
11366 offset = ssl_dissect_hnd_hello_ext_pre_shared_key(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, ssl);
11367 break;
11368 case SSL_HND_HELLO_EXT_EARLY_DATA42:
11369 case SSL_HND_HELLO_EXT_TICKET_EARLY_DATA_INFO46:
11370 offset = ssl_dissect_hnd_hello_ext_early_data(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, ssl);
11371 break;
11372 case SSL_HND_HELLO_EXT_SUPPORTED_VERSIONS43:
11373 switch (hnd_type) {
11374 case SSL_HND_CLIENT_HELLO:
11375 offset = ssl_dissect_hnd_hello_ext_supported_versions(hf, tvb, pinfo, ext_tree, offset, next_offset, session, is_dtls, ja4_data);
11376 break;
11377 case SSL_HND_SERVER_HELLO:
11378 case SSL_HND_HELLO_RETRY_REQUEST:
11379 proto_tree_add_item_ret_uint(ext_tree, hf->hf.hs_ext_supported_version, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &supported_version);
11380 offset += 2;
11381 proto_item_append_text(ext_tree, " %s", val_to_str(pinfo->pool, supported_version, ssl_versions, "Unknown (0x%04x)"));
11382 break;
11383 }
11384 break;
11385 case SSL_HND_HELLO_EXT_COOKIE44:
11386 offset = ssl_dissect_hnd_hello_ext_cookie(hf, tvb, pinfo, ext_tree, offset, next_offset);
11387 break;
11388 case SSL_HND_HELLO_EXT_PSK_KEY_EXCHANGE_MODES45:
11389 offset = ssl_dissect_hnd_hello_ext_psk_key_exchange_modes(hf, tvb, pinfo, ext_tree, offset, next_offset);
11390 break;
11391 case SSL_HND_HELLO_EXT_CERTIFICATE_AUTHORITIES47:
11392 offset = ssl_dissect_hnd_hello_ext_certificate_authorities(hf, tvb, pinfo, ext_tree, offset, next_offset);
11393 break;
11394 case SSL_HND_HELLO_EXT_OID_FILTERS48:
11395 offset = ssl_dissect_hnd_hello_ext_oid_filters(hf, tvb, pinfo, ext_tree, offset, next_offset);
11396 break;
11397 case SSL_HND_HELLO_EXT_POST_HANDSHAKE_AUTH49:
11398 break;
11399 case SSL_HND_HELLO_EXT_NPN13172:
11400 offset = ssl_dissect_hnd_hello_ext_npn(hf, tvb, pinfo, ext_tree, offset, next_offset);
11401 break;
11402 case SSL_HND_HELLO_EXT_ALPS_OLD17513:
11403 offset = ssl_dissect_hnd_hello_ext_alps(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type);
11404 break;
11405 case SSL_HND_HELLO_EXT_ALPS17613:
11406 offset = ssl_dissect_hnd_hello_ext_alps(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type);
11407 break;
11408 case SSL_HND_HELLO_EXT_RENEGOTIATION_INFO65281:
11409 offset = ssl_dissect_hnd_hello_ext_reneg_info(hf, tvb, pinfo, ext_tree, offset, next_offset);
11410 break;
11411 case SSL_HND_HELLO_EXT_ENCRYPTED_SERVER_NAME65486:
11412 offset = ssl_dissect_hnd_hello_ext_esni(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, ssl);
11413 break;
11414 case SSL_HND_HELLO_EXT_CONNECTION_ID_DEPRECATED53:
11415 session->deprecated_cid = true1;
11416 /* FALLTHRU */
11417 case SSL_HND_HELLO_EXT_CONNECTION_ID54:
11418 offset = ssl_dissect_hnd_hello_ext_connection_id(hf, tvb, pinfo, ext_tree, offset, hnd_type, session, ssl);
11419 break;
11420 case SSL_HND_HELLO_EXT_TRUSTED_CA_KEYS3:
11421 offset = ssl_dissect_hnd_hello_ext_trusted_ca_keys(hf, tvb, pinfo, ext_tree, offset, next_offset);
11422 break;
11423 default:
11424 proto_tree_add_item(ext_tree, hf->hf.hs_ext_data,
11425 tvb, offset, ext_len, ENC_NA0x00000000);
11426 offset += ext_len;
11427 break;
11428 }
11429
11430 if (!ssl_end_vector(hf, tvb, pinfo, ext_tree, offset, next_offset)) {
11431 /* Dissection did not end at expected location, fix it. */
11432 offset = next_offset;
11433 }
11434 }
11435
11436 if (ja3) {
11437 if (hnd_type == SSL_HND_CLIENT_HELLO) {
11438 if(wmem_strbuf_get_len(ja3_sg) > 0) {
11439 wmem_strbuf_append_printf(ja3, "%s", wmem_strbuf_get_str(ja3_sg));
11440 } else {
11441 wmem_strbuf_append_c(ja3, ',');
11442 }
11443 if(wmem_strbuf_get_len(ja3_ecpf) > 0) {
11444 wmem_strbuf_append_printf(ja3, "%s", wmem_strbuf_get_str(ja3_ecpf));
11445 } else {
11446 wmem_strbuf_append_c(ja3, ',');
11447 }
11448 }
11449 }
11450
11451 /* Check if Extensions vector is correctly terminated. */
11452 if (!ssl_end_vector(hf, tvb, pinfo, tree, offset, offset_end)) {
11453 offset = offset_end;
11454 }
11455
11456 return offset;
11457} /* }}} */
11458
11459
11460/* ClientKeyExchange algo-specific dissectors. {{{ */
11461
11462static void
11463dissect_ssl3_hnd_cli_keyex_ecdh(ssl_common_dissect_t *hf, tvbuff_t *tvb,
11464 proto_tree *tree, uint32_t offset,
11465 uint32_t length)
11466{
11467 int point_len;
11468 proto_tree *ssl_ecdh_tree;
11469
11470 ssl_ecdh_tree = proto_tree_add_subtree(tree, tvb, offset, length,
11471 hf->ett.keyex_params, NULL((void*)0), "EC Diffie-Hellman Client Params");
11472
11473 /* point */
11474 point_len = tvb_get_uint8(tvb, offset);
11475 proto_tree_add_item(ssl_ecdh_tree, hf->hf.hs_client_keyex_point_len, tvb,
11476 offset, 1, ENC_BIG_ENDIAN0x00000000);
11477 proto_tree_add_item(ssl_ecdh_tree, hf->hf.hs_client_keyex_point, tvb,
11478 offset + 1, point_len, ENC_NA0x00000000);
11479}
11480
11481static void
11482dissect_ssl3_hnd_cli_keyex_dhe(ssl_common_dissect_t *hf, tvbuff_t *tvb,
11483 proto_tree *tree, uint32_t offset, uint32_t length)
11484{
11485 int yc_len;
11486 proto_tree *ssl_dh_tree;
11487
11488 ssl_dh_tree = proto_tree_add_subtree(tree, tvb, offset, length,
11489 hf->ett.keyex_params, NULL((void*)0), "Diffie-Hellman Client Params");
11490
11491 /* ClientDiffieHellmanPublic.dh_public (explicit) */
11492 yc_len = tvb_get_ntohs(tvb, offset);
11493 proto_tree_add_item(ssl_dh_tree, hf->hf.hs_client_keyex_yc_len, tvb,
11494 offset, 2, ENC_BIG_ENDIAN0x00000000);
11495 proto_tree_add_item(ssl_dh_tree, hf->hf.hs_client_keyex_yc, tvb,
11496 offset + 2, yc_len, ENC_NA0x00000000);
11497}
11498
11499static void
11500dissect_ssl3_hnd_cli_keyex_rsa(ssl_common_dissect_t *hf, tvbuff_t *tvb,
11501 proto_tree *tree, uint32_t offset,
11502 uint32_t length, const SslSession *session)
11503{
11504 int epms_len;
11505 proto_tree *ssl_rsa_tree;
11506
11507 ssl_rsa_tree = proto_tree_add_subtree(tree, tvb, offset, length,
11508 hf->ett.keyex_params, NULL((void*)0), "RSA Encrypted PreMaster Secret");
11509
11510 /* EncryptedPreMasterSecret.pre_master_secret */
11511 switch (session->version) {
11512 case SSLV2_VERSION0x0002:
11513 case SSLV3_VERSION0x300:
11514 case DTLSV1DOT0_OPENSSL_VERSION0x100:
11515 /* OpenSSL pre-0.9.8f DTLS and pre-TLS quirk: 2-octet length vector is
11516 * not present. The handshake contents represents the EPMS, see:
11517 * https://gitlab.com/wireshark/wireshark/-/issues/10222 */
11518 epms_len = length;
11519 break;
11520
11521 default:
11522 /* TLS and DTLS include vector length before EPMS */
11523 epms_len = tvb_get_ntohs(tvb, offset);
11524 proto_tree_add_item(ssl_rsa_tree, hf->hf.hs_client_keyex_epms_len, tvb,
11525 offset, 2, ENC_BIG_ENDIAN0x00000000);
11526 offset += 2;
11527 break;
11528 }
11529 proto_tree_add_item(ssl_rsa_tree, hf->hf.hs_client_keyex_epms, tvb,
11530 offset, epms_len, ENC_NA0x00000000);
11531}
11532
11533/* Used in PSK cipher suites */
11534static uint32_t
11535dissect_ssl3_hnd_cli_keyex_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb,
11536 proto_tree *tree, uint32_t offset)
11537{
11538 unsigned identity_len;
11539 proto_tree *ssl_psk_tree;
11540
11541 ssl_psk_tree = proto_tree_add_subtree(tree, tvb, offset, -1,
11542 hf->ett.keyex_params, NULL((void*)0), "PSK Client Params");
11543 /* identity */
11544 identity_len = tvb_get_ntohs(tvb, offset);
11545 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_client_keyex_identity_len, tvb,
11546 offset, 2, ENC_BIG_ENDIAN0x00000000);
11547 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_client_keyex_identity, tvb,
11548 offset + 2, identity_len, ENC_NA0x00000000);
11549
11550 proto_item_set_len(ssl_psk_tree, 2 + identity_len);
11551 return 2 + identity_len;
11552}
11553
11554/* Used in RSA PSK cipher suites */
11555static void
11556dissect_ssl3_hnd_cli_keyex_rsa_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb,
11557 proto_tree *tree, uint32_t offset,
11558 uint32_t length)
11559{
11560 int identity_len, epms_len;
11561 proto_tree *ssl_psk_tree;
11562
11563 ssl_psk_tree = proto_tree_add_subtree(tree, tvb, offset, length,
11564 hf->ett.keyex_params, NULL((void*)0), "RSA PSK Client Params");
11565
11566 /* identity */
11567 identity_len = tvb_get_ntohs(tvb, offset);
11568 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_client_keyex_identity_len,
11569 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
11570 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_client_keyex_identity,
11571 tvb, offset + 2, identity_len, ENC_NA0x00000000);
11572 offset += 2 + identity_len;
11573
11574 /* Yc */
11575 epms_len = tvb_get_ntohs(tvb, offset);
11576 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_client_keyex_epms_len, tvb,
11577 offset, 2, ENC_BIG_ENDIAN0x00000000);
11578 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_client_keyex_epms, tvb,
11579 offset + 2, epms_len, ENC_NA0x00000000);
11580}
11581
11582/* Used in Diffie-Hellman PSK cipher suites */
11583static void
11584dissect_ssl3_hnd_cli_keyex_dhe_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb,
11585 proto_tree *tree, uint32_t offset, uint32_t length)
11586{
11587 /*
11588 * struct {
11589 * select (KeyExchangeAlgorithm) {
11590 * case diffie_hellman_psk:
11591 * opaque psk_identity<0..2^16-1>;
11592 * ClientDiffieHellmanPublic public;
11593 * } exchange_keys;
11594 * } ClientKeyExchange;
11595 */
11596
11597 uint32_t psk_len = dissect_ssl3_hnd_cli_keyex_psk(hf, tvb, tree, offset);
11598 dissect_ssl3_hnd_cli_keyex_dhe(hf, tvb, tree, offset + psk_len, length - psk_len);
11599}
11600
11601/* Used in EC Diffie-Hellman PSK cipher suites */
11602static void
11603dissect_ssl3_hnd_cli_keyex_ecdh_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb,
11604 proto_tree *tree, uint32_t offset, uint32_t length)
11605{
11606 /*
11607 * struct {
11608 * select (KeyExchangeAlgorithm) {
11609 * case ec_diffie_hellman_psk:
11610 * opaque psk_identity<0..2^16-1>;
11611 * ClientECDiffieHellmanPublic public;
11612 * } exchange_keys;
11613 * } ClientKeyExchange;
11614 */
11615
11616 uint32_t psk_len = dissect_ssl3_hnd_cli_keyex_psk(hf, tvb, tree, offset);
11617 dissect_ssl3_hnd_cli_keyex_ecdh(hf, tvb, tree, offset + psk_len, length - psk_len);
11618}
11619
11620/* Used in EC J-PAKE cipher suites */
11621static void
11622dissect_ssl3_hnd_cli_keyex_ecjpake(ssl_common_dissect_t *hf, tvbuff_t *tvb,
11623 proto_tree *tree, uint32_t offset,
11624 uint32_t length)
11625{
11626 /*
11627 * struct {
11628 * ECPoint V;
11629 * opaque r<1..2^8-1>;
11630 * } ECSchnorrZKP;
11631 *
11632 * struct {
11633 * ECPoint X;
11634 * ECSchnorrZKP zkp;
11635 * } ECJPAKEKeyKP;
11636 *
11637 * struct {
11638 * ECJPAKEKeyKP ecjpake_key_kp;
11639 * } ClientECJPAKEParams;
11640 *
11641 * select (KeyExchangeAlgorithm) {
11642 * case ecjpake:
11643 * ClientECJPAKEParams params;
11644 * } ClientKeyExchange;
11645 */
11646
11647 int point_len;
11648 proto_tree *ssl_ecjpake_tree;
11649
11650 ssl_ecjpake_tree = proto_tree_add_subtree(tree, tvb, offset, length,
11651 hf->ett.keyex_params, NULL((void*)0),
11652 "EC J-PAKE Client Params");
11653
11654 /* ECJPAKEKeyKP.X */
11655 point_len = tvb_get_uint8(tvb, offset);
11656 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_client_keyex_xc_len, tvb,
11657 offset, 1, ENC_BIG_ENDIAN0x00000000);
11658 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_client_keyex_xc, tvb,
11659 offset + 1, point_len, ENC_NA0x00000000);
11660 offset += 1 + point_len;
11661
11662 /* ECJPAKEKeyKP.zkp.V */
11663 point_len = tvb_get_uint8(tvb, offset);
11664 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_client_keyex_vc_len, tvb,
11665 offset, 1, ENC_BIG_ENDIAN0x00000000);
11666 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_client_keyex_vc, tvb,
11667 offset + 1, point_len, ENC_NA0x00000000);
11668 offset += 1 + point_len;
11669
11670 /* ECJPAKEKeyKP.zkp.r */
11671 point_len = tvb_get_uint8(tvb, offset);
11672 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_client_keyex_rc_len, tvb,
11673 offset, 1, ENC_BIG_ENDIAN0x00000000);
11674 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_client_keyex_rc, tvb,
11675 offset + 1, point_len, ENC_NA0x00000000);
11676}
11677
11678static void
11679dissect_ssl3_hnd_cli_keyex_ecc_sm2(ssl_common_dissect_t *hf, tvbuff_t *tvb,
11680 proto_tree *tree, uint32_t offset,
11681 uint32_t length)
11682{
11683 int epms_len;
11684 proto_tree *ssl_ecc_sm2_tree;
11685
11686 ssl_ecc_sm2_tree = proto_tree_add_subtree(tree, tvb, offset, length,
11687 hf->ett.keyex_params, NULL((void*)0),
11688 "ECC-SM2 Encrypted PreMaster Secret");
11689
11690 epms_len = tvb_get_ntohs(tvb, offset);
11691 proto_tree_add_item(ssl_ecc_sm2_tree, hf->hf.hs_client_keyex_epms_len, tvb,
11692 offset, 2, ENC_BIG_ENDIAN0x00000000);
11693 offset += 2;
11694 proto_tree_add_item(ssl_ecc_sm2_tree, hf->hf.hs_client_keyex_epms, tvb,
11695 offset, epms_len, ENC_NA0x00000000);
11696}
11697/* ClientKeyExchange algo-specific dissectors. }}} */
11698
11699
11700/* Dissects DigitallySigned (see RFC 5246 4.7 Cryptographic Attributes). {{{ */
11701static uint32_t
11702ssl_dissect_digitally_signed(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
11703 proto_tree *tree, uint32_t offset, uint32_t offset_end,
11704 uint16_t version, int hf_sig_len, int hf_sig)
11705{
11706 uint32_t sig_len;
11707
11708 switch (version) {
11709 case TLSV1DOT2_VERSION0x303:
11710 case DTLSV1DOT2_VERSION0xfefd:
11711 case TLSV1DOT3_VERSION0x304:
11712 case DTLSV1DOT3_VERSION0xfefc:
11713 tls_dissect_signature_algorithm(hf, tvb, tree, offset, NULL((void*)0));
11714 offset += 2;
11715 break;
11716
11717 default:
11718 break;
11719 }
11720
11721 /* Sig */
11722 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &sig_len,
11723 hf_sig_len, 0, UINT16_MAX(65535))) {
11724 return offset_end;
11725 }
11726 offset += 2;
11727 proto_tree_add_item(tree, hf_sig, tvb, offset, sig_len, ENC_NA0x00000000);
11728 offset += sig_len;
11729 return offset;
11730} /* }}} */
11731
11732/* ServerKeyExchange algo-specific dissectors. {{{ */
11733
11734/* dissects signed_params inside a ServerKeyExchange for some keyex algos */
11735static void
11736dissect_ssl3_hnd_srv_keyex_sig(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
11737 proto_tree *tree, uint32_t offset, uint32_t offset_end,
11738 uint16_t version)
11739{
11740 /*
11741 * TLSv1.2 (RFC 5246 sec 7.4.8)
11742 * struct {
11743 * digitally-signed struct {
11744 * opaque handshake_messages[handshake_messages_length];
11745 * }
11746 * } CertificateVerify;
11747 *
11748 * TLSv1.0/TLSv1.1 (RFC 5436 sec 7.4.8 and 7.4.3) works essentially the same
11749 * as TLSv1.2, but the hash algorithms are not explicit in digitally-signed.
11750 *
11751 * SSLv3 (RFC 6101 sec 5.6.8) essentially works the same as TLSv1.0 but it
11752 * does more hashing including the master secret and padding.
11753 */
11754 ssl_dissect_digitally_signed(hf, tvb, pinfo, tree, offset, offset_end, version,
11755 hf->hf.hs_server_keyex_sig_len,
11756 hf->hf.hs_server_keyex_sig);
11757}
11758
11759static uint32_t
11760dissect_tls_ecparameters(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree, uint32_t offset, uint32_t offset_end)
11761{
11762 /*
11763 * RFC 4492 ECC cipher suites for TLS
11764 *
11765 * struct {
11766 * ECCurveType curve_type;
11767 * select (curve_type) {
11768 * case explicit_prime:
11769 * ...
11770 * case explicit_char2:
11771 * ...
11772 * case named_curve:
11773 * NamedCurve namedcurve;
11774 * };
11775 * } ECParameters;
11776 */
11777
11778 int curve_type;
11779
11780 /* ECParameters.curve_type */
11781 curve_type = tvb_get_uint8(tvb, offset);
11782 proto_tree_add_item(tree, hf->hf.hs_server_keyex_curve_type, tvb,
11783 offset, 1, ENC_BIG_ENDIAN0x00000000);
11784 offset++;
11785
11786 if (curve_type != 3)
11787 return offset_end; /* only named_curves are supported */
11788
11789 /* case curve_type == named_curve; ECParameters.namedcurve */
11790 proto_tree_add_item(tree, hf->hf.hs_server_keyex_named_curve, tvb,
11791 offset, 2, ENC_BIG_ENDIAN0x00000000);
11792 offset += 2;
11793
11794 return offset;
11795}
11796
11797static void
11798dissect_ssl3_hnd_srv_keyex_ecdh(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
11799 proto_tree *tree, uint32_t offset, uint32_t offset_end,
11800 uint16_t version, bool_Bool anon)
11801{
11802 /*
11803 * RFC 4492 ECC cipher suites for TLS
11804 *
11805 * struct {
11806 * opaque point <1..2^8-1>;
11807 * } ECPoint;
11808 *
11809 * struct {
11810 * ECParameters curve_params;
11811 * ECPoint public;
11812 * } ServerECDHParams;
11813 *
11814 * select (KeyExchangeAlgorithm) {
11815 * case ec_diffie_hellman:
11816 * ServerECDHParams params;
11817 * Signature signed_params;
11818 * } ServerKeyExchange;
11819 */
11820
11821 int point_len;
11822 proto_tree *ssl_ecdh_tree;
11823
11824 ssl_ecdh_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
11825 hf->ett.keyex_params, NULL((void*)0), "EC Diffie-Hellman Server Params");
11826
11827 offset = dissect_tls_ecparameters(hf, tvb, ssl_ecdh_tree, offset, offset_end);
11828 if (offset >= offset_end)
11829 return; /* only named_curves are supported */
11830
11831 /* ECPoint.point */
11832 point_len = tvb_get_uint8(tvb, offset);
11833 proto_tree_add_item(ssl_ecdh_tree, hf->hf.hs_server_keyex_point_len, tvb,
11834 offset, 1, ENC_BIG_ENDIAN0x00000000);
11835 proto_tree_add_item(ssl_ecdh_tree, hf->hf.hs_server_keyex_point, tvb,
11836 offset + 1, point_len, ENC_NA0x00000000);
11837 offset += 1 + point_len;
11838
11839 /* Signature (if non-anonymous KEX) */
11840 if (!anon) {
11841 dissect_ssl3_hnd_srv_keyex_sig(hf, tvb, pinfo, ssl_ecdh_tree, offset, offset_end, version);
11842 }
11843}
11844
11845static void
11846dissect_ssl3_hnd_srv_keyex_dhe(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
11847 proto_tree *tree, uint32_t offset, uint32_t offset_end,
11848 uint16_t version, bool_Bool anon)
11849{
11850 int p_len, g_len, ys_len;
11851 proto_tree *ssl_dh_tree;
11852
11853 ssl_dh_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
11854 hf->ett.keyex_params, NULL((void*)0), "Diffie-Hellman Server Params");
11855
11856 /* p */
11857 p_len = tvb_get_ntohs(tvb, offset);
11858 proto_tree_add_item(ssl_dh_tree, hf->hf.hs_server_keyex_p_len, tvb,
11859 offset, 2, ENC_BIG_ENDIAN0x00000000);
11860 proto_tree_add_item(ssl_dh_tree, hf->hf.hs_server_keyex_p, tvb,
11861 offset + 2, p_len, ENC_NA0x00000000);
11862 offset += 2 + p_len;
11863
11864 /* g */
11865 g_len = tvb_get_ntohs(tvb, offset);
11866 proto_tree_add_item(ssl_dh_tree, hf->hf.hs_server_keyex_g_len, tvb,
11867 offset, 2, ENC_BIG_ENDIAN0x00000000);
11868 proto_tree_add_item(ssl_dh_tree, hf->hf.hs_server_keyex_g, tvb,
11869 offset + 2, g_len, ENC_NA0x00000000);
11870 offset += 2 + g_len;
11871
11872 /* Ys */
11873 ys_len = tvb_get_ntohs(tvb, offset);
11874 proto_tree_add_uint(ssl_dh_tree, hf->hf.hs_server_keyex_ys_len, tvb,
11875 offset, 2, ys_len);
11876 proto_tree_add_item(ssl_dh_tree, hf->hf.hs_server_keyex_ys, tvb,
11877 offset + 2, ys_len, ENC_NA0x00000000);
11878 offset += 2 + ys_len;
11879
11880 /* Signature (if non-anonymous KEX) */
11881 if (!anon) {
11882 dissect_ssl3_hnd_srv_keyex_sig(hf, tvb, pinfo, ssl_dh_tree, offset, offset_end, version);
11883 }
11884}
11885
11886/* Only used in RSA-EXPORT cipher suites */
11887static void
11888dissect_ssl3_hnd_srv_keyex_rsa(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
11889 proto_tree *tree, uint32_t offset, uint32_t offset_end,
11890 uint16_t version)
11891{
11892 int modulus_len, exponent_len;
11893 proto_tree *ssl_rsa_tree;
11894
11895 ssl_rsa_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
11896 hf->ett.keyex_params, NULL((void*)0), "RSA-EXPORT Server Params");
11897
11898 /* modulus */
11899 modulus_len = tvb_get_ntohs(tvb, offset);
11900 proto_tree_add_item(ssl_rsa_tree, hf->hf.hs_server_keyex_modulus_len, tvb,
11901 offset, 2, ENC_BIG_ENDIAN0x00000000);
11902 proto_tree_add_item(ssl_rsa_tree, hf->hf.hs_server_keyex_modulus, tvb,
11903 offset + 2, modulus_len, ENC_NA0x00000000);
11904 offset += 2 + modulus_len;
11905
11906 /* exponent */
11907 exponent_len = tvb_get_ntohs(tvb, offset);
11908 proto_tree_add_item(ssl_rsa_tree, hf->hf.hs_server_keyex_exponent_len,
11909 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
11910 proto_tree_add_item(ssl_rsa_tree, hf->hf.hs_server_keyex_exponent,
11911 tvb, offset + 2, exponent_len, ENC_NA0x00000000);
11912 offset += 2 + exponent_len;
11913
11914 /* Signature */
11915 dissect_ssl3_hnd_srv_keyex_sig(hf, tvb, pinfo, ssl_rsa_tree, offset, offset_end, version);
11916}
11917
11918/* Used in RSA PSK and PSK cipher suites */
11919static uint32_t
11920dissect_ssl3_hnd_srv_keyex_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb,
11921 proto_tree *tree, uint32_t offset)
11922{
11923 unsigned hint_len;
11924 proto_tree *ssl_psk_tree;
11925
11926 ssl_psk_tree = proto_tree_add_subtree(tree, tvb, offset, -1,
11927 hf->ett.keyex_params, NULL((void*)0), "PSK Server Params");
11928
11929 /* hint */
11930 hint_len = tvb_get_ntohs(tvb, offset);
11931 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_server_keyex_hint_len, tvb,
11932 offset, 2, ENC_BIG_ENDIAN0x00000000);
11933 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_server_keyex_hint, tvb,
11934 offset + 2, hint_len, ENC_NA0x00000000);
11935
11936 proto_item_set_len(ssl_psk_tree, 2 + hint_len);
11937 return 2 + hint_len;
11938}
11939
11940/* Used in Diffie-Hellman PSK cipher suites */
11941static void
11942dissect_ssl3_hnd_srv_keyex_dhe_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
11943 proto_tree *tree, uint32_t offset, uint32_t offset_end)
11944{
11945 /*
11946 * struct {
11947 * select (KeyExchangeAlgorithm) {
11948 * case diffie_hellman_psk:
11949 * opaque psk_identity_hint<0..2^16-1>;
11950 * ServerDHParams params;
11951 * };
11952 * } ServerKeyExchange;
11953 */
11954
11955 uint32_t psk_len = dissect_ssl3_hnd_srv_keyex_psk(hf, tvb, tree, offset);
11956 dissect_ssl3_hnd_srv_keyex_dhe(hf, tvb, pinfo, tree, offset + psk_len, offset_end, 0, true1);
11957}
11958
11959/* Used in EC Diffie-Hellman PSK cipher suites */
11960static void
11961dissect_ssl3_hnd_srv_keyex_ecdh_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
11962 proto_tree *tree, uint32_t offset, uint32_t offset_end)
11963{
11964 /*
11965 * struct {
11966 * select (KeyExchangeAlgorithm) {
11967 * case ec_diffie_hellman_psk:
11968 * opaque psk_identity_hint<0..2^16-1>;
11969 * ServerECDHParams params;
11970 * };
11971 * } ServerKeyExchange;
11972 */
11973
11974 uint32_t psk_len = dissect_ssl3_hnd_srv_keyex_psk(hf, tvb, tree, offset);
11975 dissect_ssl3_hnd_srv_keyex_ecdh(hf, tvb, pinfo, tree, offset + psk_len, offset_end, 0, true1);
11976}
11977
11978/* Used in EC J-PAKE cipher suites */
11979static void
11980dissect_ssl3_hnd_srv_keyex_ecjpake(ssl_common_dissect_t *hf, tvbuff_t *tvb,
11981 proto_tree *tree, uint32_t offset, uint32_t offset_end)
11982{
11983 /*
11984 * struct {
11985 * ECPoint V;
11986 * opaque r<1..2^8-1>;
11987 * } ECSchnorrZKP;
11988 *
11989 * struct {
11990 * ECPoint X;
11991 * ECSchnorrZKP zkp;
11992 * } ECJPAKEKeyKP;
11993 *
11994 * struct {
11995 * ECParameters curve_params;
11996 * ECJPAKEKeyKP ecjpake_key_kp;
11997 * } ServerECJPAKEParams;
11998 *
11999 * select (KeyExchangeAlgorithm) {
12000 * case ecjpake:
12001 * ServerECJPAKEParams params;
12002 * } ServerKeyExchange;
12003 */
12004
12005 int point_len;
12006 proto_tree *ssl_ecjpake_tree;
12007
12008 ssl_ecjpake_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
12009 hf->ett.keyex_params, NULL((void*)0),
12010 "EC J-PAKE Server Params");
12011
12012 offset = dissect_tls_ecparameters(hf, tvb, ssl_ecjpake_tree, offset, offset_end);
12013 if (offset >= offset_end)
12014 return; /* only named_curves are supported */
12015
12016 /* ECJPAKEKeyKP.X */
12017 point_len = tvb_get_uint8(tvb, offset);
12018 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_server_keyex_xs_len, tvb,
12019 offset, 1, ENC_BIG_ENDIAN0x00000000);
12020 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_server_keyex_xs, tvb,
12021 offset + 1, point_len, ENC_NA0x00000000);
12022 offset += 1 + point_len;
12023
12024 /* ECJPAKEKeyKP.zkp.V */
12025 point_len = tvb_get_uint8(tvb, offset);
12026 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_server_keyex_vs_len, tvb,
12027 offset, 1, ENC_BIG_ENDIAN0x00000000);
12028 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_server_keyex_vs, tvb,
12029 offset + 1, point_len, ENC_NA0x00000000);
12030 offset += 1 + point_len;
12031
12032 /* ECJPAKEKeyKP.zkp.r */
12033 point_len = tvb_get_uint8(tvb, offset);
12034 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_server_keyex_rs_len, tvb,
12035 offset, 1, ENC_BIG_ENDIAN0x00000000);
12036 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_server_keyex_rs, tvb,
12037 offset + 1, point_len, ENC_NA0x00000000);
12038}
12039
12040/* Only used in ECC-SM2-EXPORT cipher suites */
12041static void
12042dissect_ssl3_hnd_srv_keyex_ecc_sm2(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12043 proto_tree *tree, uint32_t offset, uint32_t offset_end,
12044 uint16_t version)
12045{
12046 proto_tree *ssl_ecc_sm2_tree;
12047
12048 ssl_ecc_sm2_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
12049 hf->ett.keyex_params, NULL((void*)0), "ECC-SM2-EXPORT Server Params");
12050
12051 /* Signature */
12052 dissect_ssl3_hnd_srv_keyex_sig(hf, tvb, pinfo, ssl_ecc_sm2_tree, offset, offset_end, version);
12053}
12054/* ServerKeyExchange algo-specific dissectors. }}} */
12055
12056/* Client Key Exchange and Server Key Exchange handshake dissections. {{{ */
12057void
12058ssl_dissect_hnd_cli_keyex(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12059 proto_tree *tree, uint32_t offset, uint32_t length,
12060 const SslSession *session)
12061{
12062 switch (ssl_get_keyex_alg(session->cipher)) {
12063 case KEX_DH_ANON0x13: /* RFC 5246; DHE_DSS, DHE_RSA, DH_DSS, DH_RSA, DH_ANON: ClientDiffieHellmanPublic */
12064 case KEX_DH_DSS0x14:
12065 case KEX_DH_RSA0x15:
12066 case KEX_DHE_DSS0x10:
12067 case KEX_DHE_RSA0x12:
12068 dissect_ssl3_hnd_cli_keyex_dhe(hf, tvb, tree, offset, length);
12069 break;
12070 case KEX_DHE_PSK0x11: /* RFC 4279; diffie_hellman_psk: psk_identity, ClientDiffieHellmanPublic */
12071 dissect_ssl3_hnd_cli_keyex_dhe_psk(hf, tvb, tree, offset, length);
12072 break;
12073 case KEX_ECDH_ANON0x19: /* RFC 4492; ec_diffie_hellman: ClientECDiffieHellmanPublic */
12074 case KEX_ECDH_ECDSA0x1a:
12075 case KEX_ECDH_RSA0x1b:
12076 case KEX_ECDHE_ECDSA0x16:
12077 case KEX_ECDHE_RSA0x18:
12078 dissect_ssl3_hnd_cli_keyex_ecdh(hf, tvb, tree, offset, length);
12079 break;
12080 case KEX_ECDHE_PSK0x17: /* RFC 5489; ec_diffie_hellman_psk: psk_identity, ClientECDiffieHellmanPublic */
12081 dissect_ssl3_hnd_cli_keyex_ecdh_psk(hf, tvb, tree, offset, length);
12082 break;
12083 case KEX_KRB50x1c: /* RFC 2712; krb5: KerberosWrapper */
12084 /* XXX: implement support for KRB5 */
12085 proto_tree_add_expert_format(tree, NULL((void*)0), &hf->ei.hs_ciphersuite_undecoded,
12086 tvb, offset, length,
12087 "Kerberos ciphersuites (RFC 2712) are not implemented, contact Wireshark"
12088 " developers if you want them to be supported");
12089 break;
12090 case KEX_PSK0x1d: /* RFC 4279; psk: psk_identity */
12091 dissect_ssl3_hnd_cli_keyex_psk(hf, tvb, tree, offset);
12092 break;
12093 case KEX_RSA0x1e: /* RFC 5246; rsa: EncryptedPreMasterSecret */
12094 dissect_ssl3_hnd_cli_keyex_rsa(hf, tvb, tree, offset, length, session);
12095 break;
12096 case KEX_RSA_PSK0x1f: /* RFC 4279; rsa_psk: psk_identity, EncryptedPreMasterSecret */
12097 dissect_ssl3_hnd_cli_keyex_rsa_psk(hf, tvb, tree, offset, length);
12098 break;
12099 case KEX_SRP_SHA0x20: /* RFC 5054; srp: ClientSRPPublic */
12100 case KEX_SRP_SHA_DSS0x21:
12101 case KEX_SRP_SHA_RSA0x22:
12102 /* XXX: implement support for SRP_SHA* */
12103 proto_tree_add_expert_format(tree, NULL((void*)0), &hf->ei.hs_ciphersuite_undecoded,
12104 tvb, offset, length,
12105 "SRP_SHA ciphersuites (RFC 5054) are not implemented, contact Wireshark"
12106 " developers if you want them to be supported");
12107 break;
12108 case KEX_ECJPAKE0x24: /* https://tools.ietf.org/html/draft-cragie-tls-ecjpake-01 used in Thread Commissioning */
12109 dissect_ssl3_hnd_cli_keyex_ecjpake(hf, tvb, tree, offset, length);
12110 break;
12111 case KEX_ECC_SM20x26: /* GB/T 38636 */
12112 dissect_ssl3_hnd_cli_keyex_ecc_sm2(hf, tvb, tree, offset, length);
12113 break;
12114 default:
12115 if (session->cipher == 0) {
12116 proto_tree_add_expert_format(tree, NULL((void*)0), &hf->ei.hs_ciphersuite_undecoded,
12117 tvb, offset, length,
12118 "Cipher Suite not found");
12119 } else {
12120 proto_tree_add_expert_format(tree, NULL((void*)0), &hf->ei.hs_ciphersuite_undecoded,
12121 tvb, offset, length,
12122 "Cipher Suite 0x%04x is not implemented, "
12123 "contact Wireshark developers if you want this to be supported",
12124 session->cipher);
12125 }
12126 break;
12127 }
12128}
12129
12130void
12131ssl_dissect_hnd_srv_keyex(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12132 proto_tree *tree, uint32_t offset, uint32_t offset_end,
12133 const SslSession *session)
12134{
12135 switch (ssl_get_keyex_alg(session->cipher)) {
12136 case KEX_DH_ANON0x13: /* RFC 5246; ServerDHParams */
12137 dissect_ssl3_hnd_srv_keyex_dhe(hf, tvb, pinfo, tree, offset, offset_end, session->version, true1);
12138 break;
12139 case KEX_DH_DSS0x14: /* RFC 5246; not allowed */
12140 case KEX_DH_RSA0x15:
12141 proto_tree_add_expert(tree, NULL((void*)0), &hf->ei.hs_srv_keyex_illegal,
12142 tvb, offset, offset_end - offset);
12143 break;
12144 case KEX_DHE_DSS0x10: /* RFC 5246; dhe_dss, dhe_rsa: ServerDHParams, Signature */
12145 case KEX_DHE_RSA0x12:
12146 dissect_ssl3_hnd_srv_keyex_dhe(hf, tvb, pinfo, tree, offset, offset_end, session->version, false0);
12147 break;
12148 case KEX_DHE_PSK0x11: /* RFC 4279; diffie_hellman_psk: psk_identity_hint, ServerDHParams */
12149 dissect_ssl3_hnd_srv_keyex_dhe_psk(hf, tvb, pinfo, tree, offset, offset_end);
12150 break;
12151 case KEX_ECDH_ANON0x19: /* RFC 4492; ec_diffie_hellman: ServerECDHParams (without signature for anon) */
12152 dissect_ssl3_hnd_srv_keyex_ecdh(hf, tvb, pinfo, tree, offset, offset_end, session->version, true1);
12153 break;
12154 case KEX_ECDHE_PSK0x17: /* RFC 5489; psk_identity_hint, ServerECDHParams */
12155 dissect_ssl3_hnd_srv_keyex_ecdh_psk(hf, tvb, pinfo, tree, offset, offset_end);
12156 break;
12157 case KEX_ECDH_ECDSA0x1a: /* RFC 4492; ec_diffie_hellman: ServerECDHParams, Signature */
12158 case KEX_ECDH_RSA0x1b:
12159 case KEX_ECDHE_ECDSA0x16:
12160 case KEX_ECDHE_RSA0x18:
12161 dissect_ssl3_hnd_srv_keyex_ecdh(hf, tvb, pinfo, tree, offset, offset_end, session->version, false0);
12162 break;
12163 case KEX_KRB50x1c: /* RFC 2712; not allowed */
12164 proto_tree_add_expert(tree, NULL((void*)0), &hf->ei.hs_srv_keyex_illegal,
12165 tvb, offset, offset_end - offset);
12166 break;
12167 case KEX_PSK0x1d: /* RFC 4279; psk, rsa: psk_identity */
12168 case KEX_RSA_PSK0x1f:
12169 dissect_ssl3_hnd_srv_keyex_psk(hf, tvb, tree, offset);
12170 break;
12171 case KEX_RSA0x1e: /* only allowed if the public key in the server certificate is longer than 512 bits */
12172 dissect_ssl3_hnd_srv_keyex_rsa(hf, tvb, pinfo, tree, offset, offset_end, session->version);
12173 break;
12174 case KEX_ECC_SM20x26: /* GB/T 38636 */
12175 dissect_ssl3_hnd_srv_keyex_ecc_sm2(hf, tvb, pinfo, tree, offset, offset_end, session->version);
12176 break;
12177 case KEX_SRP_SHA0x20: /* RFC 5054; srp: ServerSRPParams, Signature */
12178 case KEX_SRP_SHA_DSS0x21:
12179 case KEX_SRP_SHA_RSA0x22:
12180 /* XXX: implement support for SRP_SHA* */
12181 proto_tree_add_expert_format(tree, NULL((void*)0), &hf->ei.hs_ciphersuite_undecoded,
12182 tvb, offset, offset_end - offset,
12183 "SRP_SHA ciphersuites (RFC 5054) are not implemented, contact Wireshark"
12184 " developers if you want them to be supported");
12185 break;
12186 case KEX_ECJPAKE0x24: /* https://tools.ietf.org/html/draft-cragie-tls-ecjpake-01 used in Thread Commissioning */
12187 dissect_ssl3_hnd_srv_keyex_ecjpake(hf, tvb, tree, offset, offset_end);
12188 break;
12189 default:
12190 if (session->cipher == 0) {
12191 proto_tree_add_expert_format(tree, NULL((void*)0), &hf->ei.hs_ciphersuite_undecoded,
12192 tvb, offset, offset_end - offset,
12193 "Cipher Suite not found");
12194 } else {
12195 proto_tree_add_expert_format(tree, NULL((void*)0), &hf->ei.hs_ciphersuite_undecoded,
12196 tvb, offset, offset_end - offset,
12197 "Cipher Suite 0x%04x is not implemented, "
12198 "contact Wireshark developers if you want this to be supported",
12199 session->cipher);
12200 }
12201 break;
12202 }
12203}
12204/* Client Key Exchange and Server Key Exchange handshake dissections. }}} */
12205
12206void
12207tls13_dissect_hnd_key_update(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12208 proto_tree *tree, uint32_t offset)
12209{
12210 /* RFC 8446 Section 4.6.3
12211 * enum {
12212 * update_not_requested(0), update_requested(1), (255)
12213 * } KeyUpdateRequest;
12214 *
12215 * struct {
12216 * KeyUpdateRequest request_update;
12217 * } KeyUpdate;
12218 */
12219 proto_tree_add_item(tree, hf->hf.hs_key_update_request_update, tvb, offset, 1, ENC_NA0x00000000);
12220}
12221
12222void
12223ssl_common_register_ssl_alpn_dissector_table(const char *name,
12224 const char *ui_name, const int proto)
12225{
12226 ssl_alpn_dissector_table = register_dissector_table(name, ui_name,
12227 proto, FT_STRING, STRING_CASE_SENSITIVE0);
12228 register_dissector_table_alias(ssl_alpn_dissector_table, "ssl.handshake.extensions_alpn_str");
12229}
12230
12231void
12232ssl_common_register_dtls_alpn_dissector_table(const char *name,
12233 const char *ui_name, const int proto)
12234{
12235 dtls_alpn_dissector_table = register_dissector_table(name, ui_name,
12236 proto, FT_STRING, STRING_CASE_SENSITIVE0);
12237 register_dissector_table_alias(ssl_alpn_dissector_table, "dtls.handshake.extensions_alpn_str");
12238}
12239
12240void
12241ssl_common_register_options(module_t *module, ssl_common_options_t *options, bool_Bool is_dtls)
12242{
12243 prefs_register_string_preference(module, "psk", "Pre-Shared Key",
12244 "Pre-Shared Key as HEX string. Should be 0 to 16 bytes.",
12245 &(options->psk));
12246
12247 if (is_dtls) {
12248 prefs_register_obsolete_preference(module, "keylog_file");
12249 prefs_register_static_text_preference(module, "keylog_file_removed",
12250 "The (Pre)-Master-Secret log filename preference can be configured in the TLS protocol preferences.",
12251 "Use the TLS protocol preference to configure the keylog file for both DTLS and TLS.");
12252 return;
12253 }
12254
12255 prefs_register_filename_preference(module, "keylog_file", "(Pre)-Master-Secret log filename",
12256 "The name of a file which contains a list of \n"
12257 "(pre-)master secrets in one of the following formats:\n"
12258 "\n"
12259 "RSA <EPMS> <PMS>\n"
12260 "RSA Session-ID:<SSLID> Master-Key:<MS>\n"
12261 "CLIENT_RANDOM <CRAND> <MS>\n"
12262 "PMS_CLIENT_RANDOM <CRAND> <PMS>\n"
12263 "\n"
12264 "Where:\n"
12265 "<EPMS> = First 8 bytes of the Encrypted PMS\n"
12266 "<PMS> = The Pre-Master-Secret (PMS) used to derive the MS\n"
12267 "<SSLID> = The SSL Session ID\n"
12268 "<MS> = The Master-Secret (MS)\n"
12269 "<CRAND> = The Client's random number from the ClientHello message\n"
12270 "\n"
12271 "(All fields are in hex notation)",
12272 &(options->keylog_filename), false0);
12273}
12274
12275void
12276ssl_calculate_handshake_hash(SslDecryptSession *ssl_session, tvbuff_t *tvb, uint32_t offset, uint32_t length, uint8_t msg_type, bool_Bool is_from_server)
12277{
12278 /* The handshake transcript can be used in [D]TLS 1.2 for the extended
12279 * master secret of RFC 7627, and in [D]TLS 1.3 for computing the secrets,
12280 * though the latter is only useful when pke_ke (PSK-only key exchange) is
12281 * negotiated. */
12282 if (!ssl_session)
12283 return;
12284
12285 switch (ssl_session->session.version) {
12286 /* The handshake message types used in the handshake hash are different
12287 * in different versions. [D]TLS 1.3 tracks the messages up to the
12288 * Finished, whereas 1.2 stops at the ClientKeyExchange. However, all start
12289 * at the ClientHello and include the messages up to the ServerHello, at
12290 * which point we know the version.
12291 *
12292 * XXX - However, DTLS 1.2 includes the DTLS-specific fragment info fields
12293 * in its handshake transcript, whereas DTLS 1.3 does not (using the same
12294 * format as TLS 1.3). We don't know at the point of the ClientHello which
12295 * version will be used, so PSK only likely doesn't work for DTLS 1.3 yet.
12296 *
12297 * XXX - When the server responds with a HelloRetryRequest, for subsequent
12298 * hashes (other than the first PSK Binder, see 4.2.11.2) ClientHello1 is
12299 * replaced with a synthentic handhsake message of type "message_hash",
12300 * per RFC 8446 4.4.1. We aren't concerned with that now, as a HRR generally
12301 * rules out PSK-only key exchange, which is what we calculate the hash for
12302 * here. (The possible exception is when a server sends a HRR to reject
12303 * early data but the server and client otherwise agree on psk_ke, if
12304 * any client/server pairs support that.) We do support that in the context
12305 * of computing the hash for Encrypted Client Hello; see elsewhere.
12306 */
12307 case TLSV1DOT3_VERSION0x304:
12308 case DTLSV1DOT3_VERSION0xfefc:
12309 /* In [D]TLS 1.3 only the following handshake messages are used in the
12310 * handshake transcript. EndOfEarlyData and the Client Certificate,
12311 * Certificate Verify, and Finished are used in deriving the
12312 * resumption_master_secret but not the other secrets derived from
12313 * the master secret (client or server app traffic secret, exporter
12314 * secret). We don't yet support calculating a PSK to resume via
12315 * the resumption_master_secret, so we simply stop the transcript
12316 * with the server Finished. See RFC 8446 4.4.1 & 7.1 */
12317 switch (msg_type) {
12318 case SSL_HND_CLIENT_HELLO:
12319 case SSL_HND_SERVER_HELLO:
12320 case SSL_HND_HELLO_RETRY_REQUEST:
12321 case SSL_HND_ENCRYPTED_EXTENSIONS:
12322 case SSL_HND_CERT_REQUEST:
12323 break;
12324 case SSL_HND_CERTIFICATE:
12325 case SSL_HND_CERT_VERIFY:
12326 case SSL_HND_FINISHED:
12327 if (!is_from_server)
12328 return;
12329 break;
12330 case SSL_HND_END_OF_EARLY_DATA:
12331 default:
12332 return;
12333 }
12334 break;
12335 default:
12336 /* In [D]TLS 1.2, the handshake hash for the Extended Master Secret
12337 * (RFC 7627) is calculated up to and including ClientKeyExchange,
12338 * but the keys are not retrieved until ChangeCipherSpec later. If
12339 * mutual authentication is requested by the server, an intervening
12340 * CertificateVerify message can be sent but is not to be included
12341 * in the hash. */
12342 if (msg_type == SSL_HND_CERT_VERIFY)
12343 return;
12344 if (ssl_session->state & SSL_MASTER_SECRET(1<<5))
12345 return;
12346 break;
12347 }
12348
12349 uint32_t old_length = ssl_session->handshake_data.data_len;
12350 ssl_debug_printf("Calculating hash with offset %d %d\n", offset, length);
12351 if (tvb) {
12352 if (tvb_bytes_exist(tvb, offset, length)) {
12353 ssl_session->handshake_data.data = (unsigned char *)wmem_realloc(wmem_file_scope(), ssl_session->handshake_data.data, old_length + length);
12354 tvb_memcpy(tvb, ssl_session->handshake_data.data + old_length, offset, length);
12355 ssl_session->handshake_data.data_len += length;
12356 }
12357 } else {
12358 /* DTLS calculates the hash as if each handshake message had been
12359 * sent as a single fragment (RFC 6347, section 4.2.6) and passes
12360 * in a null tvbuff to add 3 bytes for a zero fragment offset.
12361 */
12362 DISSECTOR_ASSERT_CMPINT(length, <, 4)((void) ((length < 4) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion " "length" " " "<" " " "4" " (" "%"
"l" "d" " " "<" " " "%" "l" "d" ")", "epan/dissectors/packet-tls-utils.c"
, 12362, (int64_t)length, (int64_t)4))))
;
12363 ssl_session->handshake_data.data = (unsigned char *)wmem_realloc(wmem_file_scope(), ssl_session->handshake_data.data, old_length + length);
12364 memset(ssl_session->handshake_data.data + old_length, 0, length);
12365 ssl_session->handshake_data.data_len += length;
12366 }
12367}
12368
12369
12370/*
12371 * Editor modelines - https://www.wireshark.org/tools/modelines.html
12372 *
12373 * Local variables:
12374 * c-basic-offset: 4
12375 * tab-width: 8
12376 * indent-tabs-mode: nil
12377 * End:
12378 *
12379 * vi: set shiftwidth=4 tabstop=8 expandtab:
12380 * :indentSize=4:tabSize=8:noTabs=true:
12381 */