Bug Summary

File:builds/wireshark/wireshark/epan/dissectors/packet-tls-utils.c
Warning:line 10860, column 13
Null pointer passed to 2nd parameter expecting 'nonnull'

Annotated Source Code

Press '?' to see keyboard shortcuts

clang -cc1 -cc1 -triple x86_64-pc-linux-gnu -analyze -disable-free -clear-ast-before-backend -disable-llvm-verifier -discard-value-names -main-file-name packet-tls-utils.c -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -mrelocation-model pic -pic-level 2 -fhalf-no-semantic-interposition -fno-delete-null-pointer-checks -mframe-pointer=all -relaxed-aliasing -fmath-errno -ffp-contract=on -fno-rounding-math -ffloat16-excess-precision=fast -fbfloat16-excess-precision=fast -mconstructor-aliases -funwind-tables=2 -target-cpu x86-64 -tune-cpu generic -debugger-tuning=gdb -fdebug-compilation-dir=/builds/wireshark/wireshark/build -fcoverage-compilation-dir=/builds/wireshark/wireshark/build -resource-dir /usr/lib/llvm-18/lib/clang/18 -isystem /usr/include/glib-2.0 -isystem /usr/lib/x86_64-linux-gnu/glib-2.0/include -isystem /usr/include/mit-krb5 -isystem /usr/include/libxml2 -isystem /builds/wireshark/wireshark/build/epan/dissectors -isystem /builds/wireshark/wireshark/epan/dissectors -isystem /builds/wireshark/wireshark/epan -D G_DISABLE_DEPRECATED -D G_DISABLE_SINGLE_INCLUDES -D WS_BUILD_DLL -D WS_DEBUG -D WS_DEBUG_UTF_8 -I /builds/wireshark/wireshark/build -I /builds/wireshark/wireshark -I /builds/wireshark/wireshark/include -D _GLIBCXX_ASSERTIONS -internal-isystem /usr/lib/llvm-18/lib/clang/18/include -internal-isystem /usr/local/include -internal-isystem /usr/lib/gcc/x86_64-linux-gnu/14/../../../../x86_64-linux-gnu/include -internal-externc-isystem /usr/include/x86_64-linux-gnu -internal-externc-isystem /include -internal-externc-isystem /usr/include -fmacro-prefix-map=/builds/wireshark/wireshark/= -fmacro-prefix-map=/builds/wireshark/wireshark/build/= -fmacro-prefix-map=../= -Wno-format-truncation -Wno-format-nonliteral -Wno-pointer-sign -std=gnu11 -ferror-limit 19 -fvisibility=hidden -fwrapv -fstrict-flex-arrays=3 -stack-protector 2 -fstack-clash-protection -fcf-protection=full -fgnuc-version=4.2.1 -fskip-odr-check-in-gmf -fexceptions -fcolor-diagnostics -analyzer-output=html -dwarf-debug-flags /usr/lib/llvm-18/bin/clang -### --analyze -x c -D G_DISABLE_DEPRECATED -D G_DISABLE_SINGLE_INCLUDES -D WS_BUILD_DLL -D WS_DEBUG -D WS_DEBUG_UTF_8 -I /builds/wireshark/wireshark/build -I /builds/wireshark/wireshark -I /builds/wireshark/wireshark/include -isystem /usr/include/glib-2.0 -isystem /usr/lib/x86_64-linux-gnu/glib-2.0/include -isystem /usr/include/mit-krb5 -isystem /usr/include/libxml2 -isystem /builds/wireshark/wireshark/build/epan/dissectors -isystem /builds/wireshark/wireshark/epan/dissectors -isystem /builds/wireshark/wireshark/epan -fvisibility=hidden -fexcess-precision=fast -fstrict-flex-arrays=3 -fstack-clash-protection -fcf-protection=full -D _GLIBCXX_ASSERTIONS -fstack-protector-strong -fno-delete-null-pointer-checks -fno-strict-overflow -fno-strict-aliasing -fexceptions -Wno-format-truncation -Wno-format-nonliteral -fdiagnostics-color=always -Wno-pointer-sign -fmacro-prefix-map=/builds/wireshark/wireshark/= -fmacro-prefix-map=/builds/wireshark/wireshark/build/= -fmacro-prefix-map=../= -std=gnu11 -fPIC /builds/wireshark/wireshark/epan/dissectors/packet-tls-utils.c -o /builds/wireshark/wireshark/sbout/2024-11-20-100252-3912-1 -Xclang -analyzer-output=html -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /builds/wireshark/wireshark/sbout/2024-11-20-100252-3912-1 -x c /builds/wireshark/wireshark/epan/dissectors/packet-tls-utils.c
1/* packet-tls-utils.c
2 * ssl manipulation functions
3 * By Paolo Abeni <[email protected]>
4 *
5 * Copyright (c) 2013, Hauke Mehrtens <[email protected]>
6 * Copyright (c) 2014, Peter Wu <[email protected]>
7 *
8 * Wireshark - Network traffic analyzer
9 * By Gerald Combs <[email protected]>
10 * Copyright 1998 Gerald Combs
11 *
12 * SPDX-License-Identifier: GPL-2.0-or-later
13 */
14
15#include "config.h"
16
17#if defined(HAVE_ZLIB1) && !defined(HAVE_ZLIBNG)
18#define ZLIB_CONST
19#define ZLIB_PREFIX(x)x x
20#include <zlib.h>
21typedef z_stream zlib_stream;
22#endif /* HAVE_ZLIB */
23
24#ifdef HAVE_ZLIBNG
25#define ZLIB_PREFIX(x)x zng_ ## x
26#include <zlib-ng.h>
27typedef zng_stream zlib_stream;
28#endif /* HAVE_ZLIBNG */
29
30#include <stdlib.h>
31#include <errno(*__errno_location ()).h>
32
33#include <epan/packet.h>
34#include <epan/strutil.h>
35#include <epan/addr_resolv.h>
36#include <epan/expert.h>
37#include <epan/asn1.h>
38#include <epan/proto_data.h>
39#include <epan/oids.h>
40#include <epan/secrets.h>
41
42#include <wsutil/inet_cidr.h>
43#include <wsutil/filesystem.h>
44#include <wsutil/file_util.h>
45#include <wsutil/str_util.h>
46#include <wsutil/report_message.h>
47#include <wsutil/pint.h>
48#include <wsutil/strtoi.h>
49#include <wsutil/wsgcrypt.h>
50#include <wsutil/rsa.h>
51#include <wsutil/ws_assert.h>
52#include "packet-ber.h"
53#include "packet-x509af.h"
54#include "packet-x509if.h"
55#include "packet-tls-utils.h"
56#include "packet-ocsp.h"
57#include "packet-tls.h"
58#include "packet-dtls.h"
59#include "packet-quic.h"
60#if defined(HAVE_LIBGNUTLS1)
61#include <gnutls/abstract.h>
62#endif
63
64/* JA3/JA3S calculations must ignore GREASE values
65 * as described in RFC 8701.
66 */
67#define IS_GREASE_TLS(x)((((x) & 0x0f0f) == 0x0a0a) && (((x) & 0xff) ==
(((x)>>8) & 0xff))) ((((x) & 0x0f0f) == 0x0a0a) && \
68 (((x) & 0xff) == (((x)>>8) & 0xff)))
69
70/* Section 22.3 of RFC 9000 (QUIC) reserves values of this
71 * form for a similar purpose as GREASE.
72 */
73#define IS_GREASE_QUIC(x)((x) > 27 ? ((((x) - 27) % 31) == 0) : 0) ((x) > 27 ? ((((x) - 27) % 31) == 0) : 0)
74
75#define DTLS13_MAX_EPOCH10 10
76
77/* Lookup tables {{{ */
78const value_string ssl_version_short_names[] = {
79 { SSLV2_VERSION0x0002, "SSLv2" },
80 { SSLV3_VERSION0x300, "SSLv3" },
81 { TLSV1_VERSION0x301, "TLSv1" },
82 { TLCPV1_VERSION0x101, "TLCP" },
83 { TLSV1DOT1_VERSION0x302, "TLSv1.1" },
84 { TLSV1DOT2_VERSION0x303, "TLSv1.2" },
85 { TLSV1DOT3_VERSION0x304, "TLSv1.3" },
86 { DTLSV1DOT0_VERSION0xfeff, "DTLSv1.0" },
87 { DTLSV1DOT2_VERSION0xfefd, "DTLSv1.2" },
88 { DTLSV1DOT3_VERSION0xfefc, "DTLSv1.3" },
89 { DTLSV1DOT0_OPENSSL_VERSION0x100, "DTLS 1.0 (OpenSSL pre 0.9.8f)" },
90 { 0x00, NULL((void*)0) }
91};
92
93const value_string ssl_versions[] = {
94 { SSLV2_VERSION0x0002, "SSL 2.0" },
95 { SSLV3_VERSION0x300, "SSL 3.0" },
96 { TLSV1_VERSION0x301, "TLS 1.0" },
97 { TLCPV1_VERSION0x101, "TLCP" },
98 { TLSV1DOT1_VERSION0x302, "TLS 1.1" },
99 { TLSV1DOT2_VERSION0x303, "TLS 1.2" },
100 { TLSV1DOT3_VERSION0x304, "TLS 1.3" },
101 { 0x7F0E, "TLS 1.3 (draft 14)" },
102 { 0x7F0F, "TLS 1.3 (draft 15)" },
103 { 0x7F10, "TLS 1.3 (draft 16)" },
104 { 0x7F11, "TLS 1.3 (draft 17)" },
105 { 0x7F12, "TLS 1.3 (draft 18)" },
106 { 0x7F13, "TLS 1.3 (draft 19)" },
107 { 0x7F14, "TLS 1.3 (draft 20)" },
108 { 0x7F15, "TLS 1.3 (draft 21)" },
109 { 0x7F16, "TLS 1.3 (draft 22)" },
110 { 0x7F17, "TLS 1.3 (draft 23)" },
111 { 0x7F18, "TLS 1.3 (draft 24)" },
112 { 0x7F19, "TLS 1.3 (draft 25)" },
113 { 0x7F1A, "TLS 1.3 (draft 26)" },
114 { 0x7F1B, "TLS 1.3 (draft 27)" },
115 { 0x7F1C, "TLS 1.3 (draft 28)" },
116 { 0xFB17, "TLS 1.3 (Facebook draft 23)" },
117 { 0xFB1A, "TLS 1.3 (Facebook draft 26)" },
118 { DTLSV1DOT0_OPENSSL_VERSION0x100, "DTLS 1.0 (OpenSSL pre 0.9.8f)" },
119 { DTLSV1DOT0_VERSION0xfeff, "DTLS 1.0" },
120 { DTLSV1DOT2_VERSION0xfefd, "DTLS 1.2" },
121 { DTLSV1DOT3_VERSION0xfefc, "DTLS 1.3" },
122 { 0x0A0A, "Reserved (GREASE)" }, /* RFC 8701 */
123 { 0x1A1A, "Reserved (GREASE)" }, /* RFC 8701 */
124 { 0x2A2A, "Reserved (GREASE)" }, /* RFC 8701 */
125 { 0x3A3A, "Reserved (GREASE)" }, /* RFC 8701 */
126 { 0x4A4A, "Reserved (GREASE)" }, /* RFC 8701 */
127 { 0x5A5A, "Reserved (GREASE)" }, /* RFC 8701 */
128 { 0x6A6A, "Reserved (GREASE)" }, /* RFC 8701 */
129 { 0x7A7A, "Reserved (GREASE)" }, /* RFC 8701 */
130 { 0x8A8A, "Reserved (GREASE)" }, /* RFC 8701 */
131 { 0x9A9A, "Reserved (GREASE)" }, /* RFC 8701 */
132 { 0xAAAA, "Reserved (GREASE)" }, /* RFC 8701 */
133 { 0xBABA, "Reserved (GREASE)" }, /* RFC 8701 */
134 { 0xCACA, "Reserved (GREASE)" }, /* RFC 8701 */
135 { 0xDADA, "Reserved (GREASE)" }, /* RFC 8701 */
136 { 0xEAEA, "Reserved (GREASE)" }, /* RFC 8701 */
137 { 0xFAFA, "Reserved (GREASE)" }, /* RFC 8701 */
138 { 0x00, NULL((void*)0) }
139};
140
141static const value_string ssl_version_ja4_names[] = {
142 { 0x0100, "s1" },
143 { SSLV2_VERSION0x0002, "s2" },
144 { SSLV3_VERSION0x300, "s3" },
145 { TLSV1_VERSION0x301, "10" },
146 { TLSV1DOT1_VERSION0x302, "11" },
147 { TLSV1DOT2_VERSION0x303, "12" },
148 { TLSV1DOT3_VERSION0x304, "13" },
149 { DTLSV1DOT0_VERSION0xfeff, "d1" },
150 { DTLSV1DOT2_VERSION0xfefd, "d2" },
151 { DTLSV1DOT3_VERSION0xfefc, "d3" },
152 { 0x00, NULL((void*)0) }
153};
154
155const value_string ssl_20_msg_types[] = {
156 { SSL2_HND_ERROR0x00, "Error" },
157 { SSL2_HND_CLIENT_HELLO0x01, "Client Hello" },
158 { SSL2_HND_CLIENT_MASTER_KEY0x02, "Client Master Key" },
159 { SSL2_HND_CLIENT_FINISHED0x03, "Client Finished" },
160 { SSL2_HND_SERVER_HELLO0x04, "Server Hello" },
161 { SSL2_HND_SERVER_VERIFY0x05, "Server Verify" },
162 { SSL2_HND_SERVER_FINISHED0x06, "Server Finished" },
163 { SSL2_HND_REQUEST_CERTIFICATE0x07, "Request Certificate" },
164 { SSL2_HND_CLIENT_CERTIFICATE0x08, "Client Certificate" },
165 { 0x00, NULL((void*)0) }
166};
167/* http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml */
168/* Note: sorted by ascending value so value_string-ext can do a binary search */
169static const value_string ssl_20_cipher_suites[] = {
170 { 0x000000, "TLS_NULL_WITH_NULL_NULL" },
171 { 0x000001, "TLS_RSA_WITH_NULL_MD5" },
172 { 0x000002, "TLS_RSA_WITH_NULL_SHA" },
173 { 0x000003, "TLS_RSA_EXPORT_WITH_RC4_40_MD5" },
174 { 0x000004, "TLS_RSA_WITH_RC4_128_MD5" },
175 { 0x000005, "TLS_RSA_WITH_RC4_128_SHA" },
176 { 0x000006, "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5" },
177 { 0x000007, "TLS_RSA_WITH_IDEA_CBC_SHA" },
178 { 0x000008, "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA" },
179 { 0x000009, "TLS_RSA_WITH_DES_CBC_SHA" },
180 { 0x00000a, "TLS_RSA_WITH_3DES_EDE_CBC_SHA" },
181 { 0x00000b, "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA" },
182 { 0x00000c, "TLS_DH_DSS_WITH_DES_CBC_SHA" },
183 { 0x00000d, "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA" },
184 { 0x00000e, "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA" },
185 { 0x00000f, "TLS_DH_RSA_WITH_DES_CBC_SHA" },
186 { 0x000010, "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA" },
187 { 0x000011, "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA" },
188 { 0x000012, "TLS_DHE_DSS_WITH_DES_CBC_SHA" },
189 { 0x000013, "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA" },
190 { 0x000014, "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA" },
191 { 0x000015, "TLS_DHE_RSA_WITH_DES_CBC_SHA" },
192 { 0x000016, "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA" },
193 { 0x000017, "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5" },
194 { 0x000018, "TLS_DH_anon_WITH_RC4_128_MD5" },
195 { 0x000019, "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA" },
196 { 0x00001a, "TLS_DH_anon_WITH_DES_CBC_SHA" },
197 { 0x00001b, "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA" },
198 { 0x00001c, "SSL_FORTEZZA_KEA_WITH_NULL_SHA" },
199 { 0x00001d, "SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA" },
200#if 0
201 { 0x00001e, "SSL_FORTEZZA_KEA_WITH_RC4_128_SHA" },
202#endif
203 /* RFC 2712 */
204 { 0x00001E, "TLS_KRB5_WITH_DES_CBC_SHA" },
205 { 0x00001F, "TLS_KRB5_WITH_3DES_EDE_CBC_SHA" },
206 { 0x000020, "TLS_KRB5_WITH_RC4_128_SHA" },
207 { 0x000021, "TLS_KRB5_WITH_IDEA_CBC_SHA" },
208 { 0x000022, "TLS_KRB5_WITH_DES_CBC_MD5" },
209 { 0x000023, "TLS_KRB5_WITH_3DES_EDE_CBC_MD5" },
210 { 0x000024, "TLS_KRB5_WITH_RC4_128_MD5" },
211 { 0x000025, "TLS_KRB5_WITH_IDEA_CBC_MD5" },
212 { 0x000026, "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA" },
213 { 0x000027, "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA" },
214 { 0x000028, "TLS_KRB5_EXPORT_WITH_RC4_40_SHA" },
215 { 0x000029, "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5" },
216 { 0x00002A, "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5" },
217 { 0x00002B, "TLS_KRB5_EXPORT_WITH_RC4_40_MD5" },
218 /* RFC 4785 */
219 { 0x00002C, "TLS_PSK_WITH_NULL_SHA" },
220 { 0x00002D, "TLS_DHE_PSK_WITH_NULL_SHA" },
221 { 0x00002E, "TLS_RSA_PSK_WITH_NULL_SHA" },
222 /* RFC 5246 */
223 { 0x00002f, "TLS_RSA_WITH_AES_128_CBC_SHA" },
224 { 0x000030, "TLS_DH_DSS_WITH_AES_128_CBC_SHA" },
225 { 0x000031, "TLS_DH_RSA_WITH_AES_128_CBC_SHA" },
226 { 0x000032, "TLS_DHE_DSS_WITH_AES_128_CBC_SHA" },
227 { 0x000033, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA" },
228 { 0x000034, "TLS_DH_anon_WITH_AES_128_CBC_SHA" },
229 { 0x000035, "TLS_RSA_WITH_AES_256_CBC_SHA" },
230 { 0x000036, "TLS_DH_DSS_WITH_AES_256_CBC_SHA" },
231 { 0x000037, "TLS_DH_RSA_WITH_AES_256_CBC_SHA" },
232 { 0x000038, "TLS_DHE_DSS_WITH_AES_256_CBC_SHA" },
233 { 0x000039, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA" },
234 { 0x00003A, "TLS_DH_anon_WITH_AES_256_CBC_SHA" },
235 { 0x00003B, "TLS_RSA_WITH_NULL_SHA256" },
236 { 0x00003C, "TLS_RSA_WITH_AES_128_CBC_SHA256" },
237 { 0x00003D, "TLS_RSA_WITH_AES_256_CBC_SHA256" },
238 { 0x00003E, "TLS_DH_DSS_WITH_AES_128_CBC_SHA256" },
239 { 0x00003F, "TLS_DH_RSA_WITH_AES_128_CBC_SHA256" },
240 { 0x000040, "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256" },
241 { 0x000041, "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA" },
242 { 0x000042, "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA" },
243 { 0x000043, "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA" },
244 { 0x000044, "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA" },
245 { 0x000045, "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA" },
246 { 0x000046, "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA" },
247 { 0x000047, "TLS_ECDH_ECDSA_WITH_NULL_SHA" },
248 { 0x000048, "TLS_ECDH_ECDSA_WITH_RC4_128_SHA" },
249 { 0x000049, "TLS_ECDH_ECDSA_WITH_DES_CBC_SHA" },
250 { 0x00004A, "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA" },
251 { 0x00004B, "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA" },
252 { 0x00004C, "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" },
253 { 0x000060, "TLS_RSA_EXPORT1024_WITH_RC4_56_MD5" },
254 { 0x000061, "TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5" },
255 { 0x000062, "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA" },
256 { 0x000063, "TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA" },
257 { 0x000064, "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA" },
258 { 0x000065, "TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA" },
259 { 0x000066, "TLS_DHE_DSS_WITH_RC4_128_SHA" },
260 { 0x000067, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256" },
261 { 0x000068, "TLS_DH_DSS_WITH_AES_256_CBC_SHA256" },
262 { 0x000069, "TLS_DH_RSA_WITH_AES_256_CBC_SHA256" },
263 { 0x00006A, "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256" },
264 { 0x00006B, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256" },
265 { 0x00006C, "TLS_DH_anon_WITH_AES_128_CBC_SHA256" },
266 { 0x00006D, "TLS_DH_anon_WITH_AES_256_CBC_SHA256" },
267 /* 0x00,0x6E-83 Unassigned */
268 { 0x000084, "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA" },
269 { 0x000085, "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA" },
270 { 0x000086, "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA" },
271 { 0x000087, "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA" },
272 { 0x000088, "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA" },
273 { 0x000089, "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA" },
274 /* RFC 4279 */
275 { 0x00008A, "TLS_PSK_WITH_RC4_128_SHA" },
276 { 0x00008B, "TLS_PSK_WITH_3DES_EDE_CBC_SHA" },
277 { 0x00008C, "TLS_PSK_WITH_AES_128_CBC_SHA" },
278 { 0x00008D, "TLS_PSK_WITH_AES_256_CBC_SHA" },
279 { 0x00008E, "TLS_DHE_PSK_WITH_RC4_128_SHA" },
280 { 0x00008F, "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA" },
281 { 0x000090, "TLS_DHE_PSK_WITH_AES_128_CBC_SHA" },
282 { 0x000091, "TLS_DHE_PSK_WITH_AES_256_CBC_SHA" },
283 { 0x000092, "TLS_RSA_PSK_WITH_RC4_128_SHA" },
284 { 0x000093, "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA" },
285 { 0x000094, "TLS_RSA_PSK_WITH_AES_128_CBC_SHA" },
286 { 0x000095, "TLS_RSA_PSK_WITH_AES_256_CBC_SHA" },
287 /* RFC 4162 */
288 { 0x000096, "TLS_RSA_WITH_SEED_CBC_SHA" },
289 { 0x000097, "TLS_DH_DSS_WITH_SEED_CBC_SHA" },
290 { 0x000098, "TLS_DH_RSA_WITH_SEED_CBC_SHA" },
291 { 0x000099, "TLS_DHE_DSS_WITH_SEED_CBC_SHA" },
292 { 0x00009A, "TLS_DHE_RSA_WITH_SEED_CBC_SHA" },
293 { 0x00009B, "TLS_DH_anon_WITH_SEED_CBC_SHA" },
294 /* RFC 5288 */
295 { 0x00009C, "TLS_RSA_WITH_AES_128_GCM_SHA256" },
296 { 0x00009D, "TLS_RSA_WITH_AES_256_GCM_SHA384" },
297 { 0x00009E, "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256" },
298 { 0x00009F, "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384" },
299 { 0x0000A0, "TLS_DH_RSA_WITH_AES_128_GCM_SHA256" },
300 { 0x0000A1, "TLS_DH_RSA_WITH_AES_256_GCM_SHA384" },
301 { 0x0000A2, "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256" },
302 { 0x0000A3, "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384" },
303 { 0x0000A4, "TLS_DH_DSS_WITH_AES_128_GCM_SHA256" },
304 { 0x0000A5, "TLS_DH_DSS_WITH_AES_256_GCM_SHA384" },
305 { 0x0000A6, "TLS_DH_anon_WITH_AES_128_GCM_SHA256" },
306 { 0x0000A7, "TLS_DH_anon_WITH_AES_256_GCM_SHA384" },
307 /* RFC 5487 */
308 { 0x0000A8, "TLS_PSK_WITH_AES_128_GCM_SHA256" },
309 { 0x0000A9, "TLS_PSK_WITH_AES_256_GCM_SHA384" },
310 { 0x0000AA, "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256" },
311 { 0x0000AB, "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384" },
312 { 0x0000AC, "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256" },
313 { 0x0000AD, "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384" },
314 { 0x0000AE, "TLS_PSK_WITH_AES_128_CBC_SHA256" },
315 { 0x0000AF, "TLS_PSK_WITH_AES_256_CBC_SHA384" },
316 { 0x0000B0, "TLS_PSK_WITH_NULL_SHA256" },
317 { 0x0000B1, "TLS_PSK_WITH_NULL_SHA384" },
318 { 0x0000B2, "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256" },
319 { 0x0000B3, "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384" },
320 { 0x0000B4, "TLS_DHE_PSK_WITH_NULL_SHA256" },
321 { 0x0000B5, "TLS_DHE_PSK_WITH_NULL_SHA384" },
322 { 0x0000B6, "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256" },
323 { 0x0000B7, "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384" },
324 { 0x0000B8, "TLS_RSA_PSK_WITH_NULL_SHA256" },
325 { 0x0000B9, "TLS_RSA_PSK_WITH_NULL_SHA384" },
326 /* From RFC 5932 */
327 { 0x0000BA, "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
328 { 0x0000BB, "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256" },
329 { 0x0000BC, "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
330 { 0x0000BD, "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256" },
331 { 0x0000BE, "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
332 { 0x0000BF, "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256" },
333 { 0x0000C0, "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
334 { 0x0000C1, "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256" },
335 { 0x0000C2, "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
336 { 0x0000C3, "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256" },
337 { 0x0000C4, "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
338 { 0x0000C5, "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256" },
339 /* 0x00,0xC6-FE Unassigned */
340 { 0x0000FF, "TLS_EMPTY_RENEGOTIATION_INFO_SCSV" },
341 /* 0x01-BF,* Unassigned */
342 /* From RFC 4492 */
343 { 0x00c001, "TLS_ECDH_ECDSA_WITH_NULL_SHA" },
344 { 0x00c002, "TLS_ECDH_ECDSA_WITH_RC4_128_SHA" },
345 { 0x00c003, "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA" },
346 { 0x00c004, "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA" },
347 { 0x00c005, "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" },
348 { 0x00c006, "TLS_ECDHE_ECDSA_WITH_NULL_SHA" },
349 { 0x00c007, "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA" },
350 { 0x00c008, "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA" },
351 { 0x00c009, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA" },
352 { 0x00c00a, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" },
353 { 0x00c00b, "TLS_ECDH_RSA_WITH_NULL_SHA" },
354 { 0x00c00c, "TLS_ECDH_RSA_WITH_RC4_128_SHA" },
355 { 0x00c00d, "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA" },
356 { 0x00c00e, "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA" },
357 { 0x00c00f, "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA" },
358 { 0x00c010, "TLS_ECDHE_RSA_WITH_NULL_SHA" },
359 { 0x00c011, "TLS_ECDHE_RSA_WITH_RC4_128_SHA" },
360 { 0x00c012, "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA" },
361 { 0x00c013, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA" },
362 { 0x00c014, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA" },
363 { 0x00c015, "TLS_ECDH_anon_WITH_NULL_SHA" },
364 { 0x00c016, "TLS_ECDH_anon_WITH_RC4_128_SHA" },
365 { 0x00c017, "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA" },
366 { 0x00c018, "TLS_ECDH_anon_WITH_AES_128_CBC_SHA" },
367 { 0x00c019, "TLS_ECDH_anon_WITH_AES_256_CBC_SHA" },
368 /* RFC 5054 */
369 { 0x00C01A, "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA" },
370 { 0x00C01B, "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA" },
371 { 0x00C01C, "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA" },
372 { 0x00C01D, "TLS_SRP_SHA_WITH_AES_128_CBC_SHA" },
373 { 0x00C01E, "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA" },
374 { 0x00C01F, "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA" },
375 { 0x00C020, "TLS_SRP_SHA_WITH_AES_256_CBC_SHA" },
376 { 0x00C021, "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA" },
377 { 0x00C022, "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA" },
378 /* RFC 5589 */
379 { 0x00C023, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256" },
380 { 0x00C024, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384" },
381 { 0x00C025, "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256" },
382 { 0x00C026, "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384" },
383 { 0x00C027, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" },
384 { 0x00C028, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" },
385 { 0x00C029, "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256" },
386 { 0x00C02A, "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384" },
387 { 0x00C02B, "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" },
388 { 0x00C02C, "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" },
389 { 0x00C02D, "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256" },
390 { 0x00C02E, "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384" },
391 { 0x00C02F, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" },
392 { 0x00C030, "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" },
393 { 0x00C031, "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" },
394 { 0x00C032, "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384" },
395 /* RFC 5489 */
396 { 0x00C033, "TLS_ECDHE_PSK_WITH_RC4_128_SHA" },
397 { 0x00C034, "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA" },
398 { 0x00C035, "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA" },
399 { 0x00C036, "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA" },
400 { 0x00C037, "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256" },
401 { 0x00C038, "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384" },
402 { 0x00C039, "TLS_ECDHE_PSK_WITH_NULL_SHA" },
403 { 0x00C03A, "TLS_ECDHE_PSK_WITH_NULL_SHA256" },
404 { 0x00C03B, "TLS_ECDHE_PSK_WITH_NULL_SHA384" },
405 /* 0xC0,0x3C-FF Unassigned
406 0xC1-FD,* Unassigned
407 0xFE,0x00-FD Unassigned
408 0xFE,0xFE-FF Reserved to avoid conflicts with widely deployed implementations [Pasi_Eronen]
409 0xFF,0x00-FF Reserved for Private Use [RFC5246]
410 */
411
412 /* old numbers used in the beginning
413 * https://tools.ietf.org/html/draft-agl-tls-chacha20poly1305 */
414 { 0x00CC13, "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
415 { 0x00CC14, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" },
416 { 0x00CC15, "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
417
418 /* https://tools.ietf.org/html/rfc7905 */
419 { 0x00CCA8, "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
420 { 0x00CCA9, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" },
421 { 0x00CCAA, "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
422 { 0x00CCAB, "TLS_PSK_WITH_CHACHA20_POLY1305_SHA256" },
423 { 0x00CCAC, "TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256" },
424 { 0x00CCAD, "TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256" },
425 { 0x00CCAE, "TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256" },
426
427 /* GM/T 0024-2014 */
428 { 0x00e001, "ECDHE_SM1_SM3"},
429 { 0x00e003, "ECC_SM1_SM3"},
430 { 0x00e005, "IBSDH_SM1_SM3"},
431 { 0x00e007, "IBC_SM1_SM3"},
432 { 0x00e009, "RSA_SM1_SM3"},
433 { 0x00e00a, "RSA_SM1_SHA1"},
434 { 0x00e011, "ECDHE_SM4_CBC_SM3"},
435 { 0x00e013, "ECC_SM4_CBC_SM3"},
436 { 0x00e015, "IBSDH_SM4_CBC_SM3"},
437 { 0x00e017, "IBC_SM4_CBC_SM3"},
438 { 0x00e019, "RSA_SM4_CBC_SM3"},
439 { 0x00e01a, "RSA_SM4_CBC_SHA1"},
440 { 0x00e01c, "RSA_SM4_CBC_SHA256"},
441 { 0x00e051, "ECDHE_SM4_GCM_SM3"},
442 { 0x00e053, "ECC_SM4_GCM_SM3"},
443 { 0x00e055, "IBSDH_SM4_GCM_SM3"},
444 { 0x00e057, "IBC_SM4_GCM_SM3"},
445 { 0x00e059, "RSA_SM4_GCM_SM3"},
446 { 0x00e05a, "RSA_SM4_GCM_SHA256"},
447
448 /* https://tools.ietf.org/html/draft-josefsson-salsa20-tls */
449 { 0x00E410, "TLS_RSA_WITH_ESTREAM_SALSA20_SHA1" },
450 { 0x00E411, "TLS_RSA_WITH_SALSA20_SHA1" },
451 { 0x00E412, "TLS_ECDHE_RSA_WITH_ESTREAM_SALSA20_SHA1" },
452 { 0x00E413, "TLS_ECDHE_RSA_WITH_SALSA20_SHA1" },
453 { 0x00E414, "TLS_ECDHE_ECDSA_WITH_ESTREAM_SALSA20_SHA1" },
454 { 0x00E415, "TLS_ECDHE_ECDSA_WITH_SALSA20_SHA1" },
455 { 0x00E416, "TLS_PSK_WITH_ESTREAM_SALSA20_SHA1" },
456 { 0x00E417, "TLS_PSK_WITH_SALSA20_SHA1" },
457 { 0x00E418, "TLS_ECDHE_PSK_WITH_ESTREAM_SALSA20_SHA1" },
458 { 0x00E419, "TLS_ECDHE_PSK_WITH_SALSA20_SHA1" },
459 { 0x00E41A, "TLS_RSA_PSK_WITH_ESTREAM_SALSA20_SHA1" },
460 { 0x00E41B, "TLS_RSA_PSK_WITH_SALSA20_SHA1" },
461 { 0x00E41C, "TLS_DHE_PSK_WITH_ESTREAM_SALSA20_SHA1" },
462 { 0x00E41D, "TLS_DHE_PSK_WITH_SALSA20_SHA1" },
463 { 0x00E41E, "TLS_DHE_RSA_WITH_ESTREAM_SALSA20_SHA1" },
464 { 0x00E41F, "TLS_DHE_RSA_WITH_SALSA20_SHA1" },
465
466 /* these from http://www.mozilla.org/projects/
467 security/pki/nss/ssl/fips-ssl-ciphersuites.html */
468 { 0x00fefe, "SSL_RSA_FIPS_WITH_DES_CBC_SHA"},
469 { 0x00feff, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA" },
470 { 0x00ffe0, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA" },
471 { 0x00ffe1, "SSL_RSA_FIPS_WITH_DES_CBC_SHA"},
472 /* note that ciphersuites of {0x00????} are TLS cipher suites in
473 * a sslv2 client hello message; the ???? above is the two-byte
474 * tls cipher suite id
475 */
476
477 { 0x010080, "SSL2_RC4_128_WITH_MD5" },
478 { 0x020080, "SSL2_RC4_128_EXPORT40_WITH_MD5" },
479 { 0x030080, "SSL2_RC2_128_CBC_WITH_MD5" },
480 { 0x040080, "SSL2_RC2_128_CBC_EXPORT40_WITH_MD5" },
481 { 0x050080, "SSL2_IDEA_128_CBC_WITH_MD5" },
482 { 0x060040, "SSL2_DES_64_CBC_WITH_MD5" },
483 { 0x0700c0, "SSL2_DES_192_EDE3_CBC_WITH_MD5" },
484 { 0x080080, "SSL2_RC4_64_WITH_MD5" },
485
486 { 0x00, NULL((void*)0) }
487};
488
489value_string_ext ssl_20_cipher_suites_ext = VALUE_STRING_EXT_INIT(ssl_20_cipher_suites){ _try_val_to_str_ext_init, 0, (sizeof (ssl_20_cipher_suites)
/ sizeof ((ssl_20_cipher_suites)[0]))-1, ssl_20_cipher_suites
, "ssl_20_cipher_suites" };
490
491
492/*
493 * Supported Groups (formerly named "EC Named Curve").
494 * https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8
495 */
496const value_string ssl_extension_curves[] = {
497 { 1, "sect163k1" },
498 { 2, "sect163r1" },
499 { 3, "sect163r2" },
500 { 4, "sect193r1" },
501 { 5, "sect193r2" },
502 { 6, "sect233k1" },
503 { 7, "sect233r1" },
504 { 8, "sect239k1" },
505 { 9, "sect283k1" },
506 { 10, "sect283r1" },
507 { 11, "sect409k1" },
508 { 12, "sect409r1" },
509 { 13, "sect571k1" },
510 { 14, "sect571r1" },
511 { 15, "secp160k1" },
512 { 16, "secp160r1" },
513 { 17, "secp160r2" },
514 { 18, "secp192k1" },
515 { 19, "secp192r1" },
516 { 20, "secp224k1" },
517 { 21, "secp224r1" },
518 { 22, "secp256k1" },
519 { 23, "secp256r1" },
520 { 24, "secp384r1" },
521 { 25, "secp521r1" },
522 { 26, "brainpoolP256r1" }, /* RFC 7027 */
523 { 27, "brainpoolP384r1" }, /* RFC 7027 */
524 { 28, "brainpoolP512r1" }, /* RFC 7027 */
525 { 29, "x25519" }, /* RFC 8446 / RFC 8422 */
526 { 30, "x448" }, /* RFC 8446 / RFC 8422 */
527 { 31, "brainpoolP256r1tls13" }, /* RFC8734 */
528 { 32, "brainpoolP384r1tls13" }, /* RFC8734 */
529 { 33, "brainpoolP512r1tls13" }, /* RFC8734 */
530 { 34, "GC256A" }, /* RFC9189 */
531 { 35, "GC256B" }, /* RFC9189 */
532 { 36, "GC256C" }, /* RFC9189 */
533 { 37, "GC256D" }, /* RFC9189 */
534 { 38, "GC512A" }, /* RFC9189 */
535 { 39, "GC512B" }, /* RFC9189 */
536 { 40, "GC512C" }, /* RFC9189 */
537 { 41, "curveSM2" }, /* RFC 8998 */
538 { 256, "ffdhe2048" }, /* RFC 7919 */
539 { 257, "ffdhe3072" }, /* RFC 7919 */
540 { 258, "ffdhe4096" }, /* RFC 7919 */
541 { 259, "ffdhe6144" }, /* RFC 7919 */
542 { 260, "ffdhe8192" }, /* RFC 7919 */
543 { 2570, "Reserved (GREASE)" }, /* RFC 8701 */
544 { 4587, "SecP256r1MLKEM768" }, /* draft-kwiatkowski-tls-ecdhe-mlkem-02 */
545 { 4588, "X25519MLKEM768" }, /* draft-kwiatkowski-tls-ecdhe-mlkem-02 */
546 { 6682, "Reserved (GREASE)" }, /* RFC 8701 */
547 { 10794, "Reserved (GREASE)" }, /* RFC 8701 */
548 { 14906, "Reserved (GREASE)" }, /* RFC 8701 */
549 { 19018, "Reserved (GREASE)" }, /* RFC 8701 */
550 { 23130, "Reserved (GREASE)" }, /* RFC 8701 */
551 { 25497, "X25519Kyber768Draft00 (OBSOLETE)" }, /* draft-tls-westerbaan-xyber768d00-02 */
552 { 25498, "SecP256r1Kyber768Draft00 (OBSOLETE)" }, /* draft-kwiatkowski-tls-ecdhe-kyber-01 */
553 { 27242, "Reserved (GREASE)" }, /* RFC 8701 */
554 { 31354, "Reserved (GREASE)" }, /* RFC 8701 */
555 { 35466, "Reserved (GREASE)" }, /* RFC 8701 */
556 { 39578, "Reserved (GREASE)" }, /* RFC 8701 */
557 { 43690, "Reserved (GREASE)" }, /* RFC 8701 */
558 { 47802, "Reserved (GREASE)" }, /* RFC 8701 */
559 { 51914, "Reserved (GREASE)" }, /* RFC 8701 */
560 { 56026, "Reserved (GREASE)" }, /* RFC 8701 */
561 { 60138, "Reserved (GREASE)" }, /* RFC 8701 */
562 { 64250, "Reserved (GREASE)" }, /* RFC 8701 */
563 { 0xFF01, "arbitrary_explicit_prime_curves" },
564 { 0xFF02, "arbitrary_explicit_char2_curves" },
565 /* Below are various unofficial values that have been used for testing. */
566 /* PQC key exchange algorithms from OQS-OpenSSL,
567 see https://github.com/open-quantum-safe/oqs-provider/blob/main/oqs-template/oqs-kem-info.md
568 These use IANA unassigned values and this list may be incomplete.
569 */
570 { 0x0200, "frodo640aes" },
571 { 0x2F00, "p256_frodo640aes" },
572 { 0x0201, "frodo640shake" },
573 { 0x2F01, "p256_frodo640shake" },
574 { 0x0202, "frodo976aes" },
575 { 0x2F02, "p384_frodo976aes" },
576 { 0x0203, "frodo976shake" },
577 { 0x2F03, "p384_frodo976shake" },
578 { 0x0204, "frodo1344aes" },
579 { 0x2F04, "p521_frodo1344aes" },
580 { 0x0205, "frodo1344shake" },
581 { 0x2F05, "p521_frodo1344shake" },
582 { 0x023A, "kyber512" },
583 { 0x2F3A, "p256_kyber512" },
584 { 0x023C, "kyber768" },
585 { 0x2F3C, "p384_kyber768" },
586 { 0x023D, "kyber1024" },
587 { 0x2F3D, "p521_kyber1024" },
588 { 0x0214, "ntru_hps2048509" },
589 { 0x2F14, "p256_ntru_hps2048509" },
590 { 0x0215, "ntru_hps2048677" },
591 { 0x2F15, "p384_ntru_hps2048677" },
592 { 0x0216, "ntru_hps4096821" },
593 { 0x2F16, "p521_ntru_hps4096821" },
594 { 0x0245, "ntru_hps40961229" },
595 { 0x2F45, "p521_ntru_hps40961229" },
596 { 0x0217, "ntru_hrss701" },
597 { 0x2F17, "p384_ntru_hrss701" },
598 { 0x0246, "ntru_hrss1373" },
599 { 0x2F46, "p521_ntru_hrss1373" },
600 { 0x0218, "lightsaber" },
601 { 0x2F18, "p256_lightsaber" },
602 { 0x0219, "saber" },
603 { 0x2F19, "p384_saber" },
604 { 0x021A, "firesaber" },
605 { 0x2F1A, "p521_firesaber" },
606 { 0x021B, "sidhp434" },
607 { 0x2F1B, "p256_sidhp434" },
608 { 0x021C, "sidhp503" },
609 { 0x2F1C, "p256_sidhp503" },
610 { 0x021D, "sidhp610" },
611 { 0x2F1D, "p384_sidhp610" },
612 { 0x021E, "sidhp751" },
613 { 0x2F1E, "p521_sidhp751" },
614 { 0x021F, "sikep434" },
615 { 0x2F1F, "p256_sikep434" },
616 { 0x0220, "sikep503" },
617 { 0x2F20, "p256_sikep503" },
618 { 0x0221, "sikep610" },
619 { 0x2F21, "p384_sikep610" },
620 { 0x0222, "sikep751" },
621 { 0x2F22, "p521_sikep751" },
622 { 0x0238, "bikel1" },
623 { 0x2F38, "p256_bikel1" },
624 { 0x023B, "bikel3" },
625 { 0x2F3B, "p384_bikel3" },
626 { 0x023E, "kyber90s512" },
627 { 0x2F3E, "p256_kyber90s512" },
628 { 0x023F, "kyber90s768" },
629 { 0x2F3F, "p384_kyber90s768" },
630 { 0x0240, "kyber90s1024" },
631 { 0x2F40, "p521_kyber90s1024" },
632 { 0x022C, "hqc128" },
633 { 0x2F2C, "p256_hqc128" },
634 { 0x022D, "hqc192" },
635 { 0x2F2D, "p384_hqc192" },
636 { 0x022E, "hqc256" },
637 { 0x2F2E, "p521_hqc256" },
638 { 0x022F, "ntrulpr653" },
639 { 0x2F2F, "p256_ntrulpr653" },
640 { 0x0230, "ntrulpr761" },
641 { 0x2F43, "p256_ntrulpr761" },
642 { 0x0231, "ntrulpr857" },
643 { 0x2F31, "p384_ntrulpr857" },
644 { 0x0241, "ntrulpr1277" },
645 { 0x2F41, "p521_ntrulpr1277" },
646 { 0x0232, "sntrup653" },
647 { 0x2F32, "p256_sntrup653" },
648 { 0x0233, "sntrup761" },
649 { 0x2F44, "p256_sntrup761" },
650 { 0x0234, "sntrup857" },
651 { 0x2F34, "p384_sntrup857" },
652 { 0x0242, "sntrup1277" },
653 { 0x2F42, "p521_sntrup1277" },
654 /* Other PQ key exchange algorithms, using Reserved for Private Use values
655 https://blog.cloudflare.com/post-quantum-for-all
656 https://www.ietf.org/archive/id/draft-tls-westerbaan-xyber768d00-02.txt */
657 { 0xFE30, "X25519Kyber512Draft00 (OBSOLETE)" },
658 { 0xFE31, "X25519Kyber768Draft00 (OBSOLETE)" },
659 { 0x00, NULL((void*)0) }
660};
661
662const value_string ssl_curve_types[] = {
663 { 1, "explicit_prime" },
664 { 2, "explicit_char2" },
665 { 3, "named_curve" },
666 { 0x00, NULL((void*)0) }
667};
668
669const value_string ssl_extension_ec_point_formats[] = {
670 { 0, "uncompressed" },
671 { 1, "ansiX962_compressed_prime" },
672 { 2, "ansiX962_compressed_char2" },
673 { 0x00, NULL((void*)0) }
674};
675
676const value_string ssl_20_certificate_type[] = {
677 { 0x00, "N/A" },
678 { 0x01, "X.509 Certificate" },
679 { 0x00, NULL((void*)0) }
680};
681
682const value_string ssl_31_content_type[] = {
683 { 20, "Change Cipher Spec" },
684 { 21, "Alert" },
685 { 22, "Handshake" },
686 { 23, "Application Data" },
687 { 24, "Heartbeat" },
688 { 25, "Connection ID" },
689 { 0x00, NULL((void*)0) }
690};
691
692#if 0
693/* XXX - would be used if we dissected the body of a Change Cipher Spec
694 message. */
695const value_string ssl_31_change_cipher_spec[] = {
696 { 1, "Change Cipher Spec" },
697 { 0x00, NULL((void*)0) }
698};
699#endif
700
701const value_string ssl_31_alert_level[] = {
702 { 1, "Warning" },
703 { 2, "Fatal" },
704 { 0x00, NULL((void*)0) }
705};
706
707const value_string ssl_31_alert_description[] = {
708 { 0, "Close Notify" },
709 { 1, "End of Early Data" },
710 { 10, "Unexpected Message" },
711 { 20, "Bad Record MAC" },
712 { 21, "Decryption Failed" },
713 { 22, "Record Overflow" },
714 { 30, "Decompression Failure" },
715 { 40, "Handshake Failure" },
716 { 41, "No Certificate" },
717 { 42, "Bad Certificate" },
718 { 43, "Unsupported Certificate" },
719 { 44, "Certificate Revoked" },
720 { 45, "Certificate Expired" },
721 { 46, "Certificate Unknown" },
722 { 47, "Illegal Parameter" },
723 { 48, "Unknown CA" },
724 { 49, "Access Denied" },
725 { 50, "Decode Error" },
726 { 51, "Decrypt Error" },
727 { 60, "Export Restriction" },
728 { 70, "Protocol Version" },
729 { 71, "Insufficient Security" },
730 { 80, "Internal Error" },
731 { 86, "Inappropriate Fallback" },
732 { 90, "User Canceled" },
733 { 100, "No Renegotiation" },
734 { 109, "Missing Extension" },
735 { 110, "Unsupported Extension" },
736 { 111, "Certificate Unobtainable" },
737 { 112, "Unrecognized Name" },
738 { 113, "Bad Certificate Status Response" },
739 { 114, "Bad Certificate Hash Value" },
740 { 115, "Unknown PSK Identity" },
741 { 116, "Certificate Required" },
742 { 120, "No application Protocol" },
743 { 121, "ECH Required" },
744 { 0x00, NULL((void*)0) }
745};
746
747const value_string ssl_31_handshake_type[] = {
748 { SSL_HND_HELLO_REQUEST, "Hello Request" },
749 { SSL_HND_CLIENT_HELLO, "Client Hello" },
750 { SSL_HND_SERVER_HELLO, "Server Hello" },
751 { SSL_HND_HELLO_VERIFY_REQUEST, "Hello Verify Request"},
752 { SSL_HND_NEWSESSION_TICKET, "New Session Ticket" },
753 { SSL_HND_END_OF_EARLY_DATA, "End of Early Data" },
754 { SSL_HND_HELLO_RETRY_REQUEST, "Hello Retry Request" },
755 { SSL_HND_ENCRYPTED_EXTENSIONS, "Encrypted Extensions" },
756 { SSL_HND_CERTIFICATE, "Certificate" },
757 { SSL_HND_SERVER_KEY_EXCHG, "Server Key Exchange" },
758 { SSL_HND_CERT_REQUEST, "Certificate Request" },
759 { SSL_HND_SVR_HELLO_DONE, "Server Hello Done" },
760 { SSL_HND_CERT_VERIFY, "Certificate Verify" },
761 { SSL_HND_CLIENT_KEY_EXCHG, "Client Key Exchange" },
762 { SSL_HND_FINISHED, "Finished" },
763 { SSL_HND_CERT_URL, "Client Certificate URL" },
764 { SSL_HND_CERT_STATUS, "Certificate Status" },
765 { SSL_HND_SUPPLEMENTAL_DATA, "Supplemental Data" },
766 { SSL_HND_KEY_UPDATE, "Key Update" },
767 { SSL_HND_COMPRESSED_CERTIFICATE, "Compressed Certificate" },
768 { SSL_HND_ENCRYPTED_EXTS, "Encrypted Extensions" },
769 { 0x00, NULL((void*)0) }
770};
771
772const value_string tls_heartbeat_type[] = {
773 { 1, "Request" },
774 { 2, "Response" },
775 { 0x00, NULL((void*)0) }
776};
777
778const value_string tls_heartbeat_mode[] = {
779 { 1, "Peer allowed to send requests" },
780 { 2, "Peer not allowed to send requests" },
781 { 0x00, NULL((void*)0) }
782};
783
784const value_string ssl_31_compression_method[] = {
785 { 0, "null" },
786 { 1, "DEFLATE" },
787 { 64, "LZS" },
788 { 0x00, NULL((void*)0) }
789};
790
791#if 0
792/* XXX - would be used if we dissected a Signature, as would be
793 seen in a server key exchange or certificate verify message. */
794const value_string ssl_31_key_exchange_algorithm[] = {
795 { 0, "RSA" },
796 { 1, "Diffie Hellman" },
797 { 0x00, NULL((void*)0) }
798};
799
800const value_string ssl_31_signature_algorithm[] = {
801 { 0, "Anonymous" },
802 { 1, "RSA" },
803 { 2, "DSA" },
804 { 0x00, NULL((void*)0) }
805};
806#endif
807
808const value_string ssl_31_client_certificate_type[] = {
809 { 1, "RSA Sign" },
810 { 2, "DSS Sign" },
811 { 3, "RSA Fixed DH" },
812 { 4, "DSS Fixed DH" },
813 /* GOST certificate types */
814 /* Section 3.5 of draft-chudov-cryptopro-cptls-04 */
815 { 21, "GOST R 34.10-94" },
816 { 22, "GOST R 34.10-2001" },
817 /* END GOST certificate types */
818 { 64, "ECDSA Sign" },
819 { 65, "RSA Fixed ECDH" },
820 { 66, "ECDSA Fixed ECDH" },
821 { 80, "IBC Params" },
822 { 0x00, NULL((void*)0) }
823};
824
825#if 0
826/* XXX - would be used if we dissected exchange keys, as would be
827 seen in a client key exchange message. */
828const value_string ssl_31_public_value_encoding[] = {
829 { 0, "Implicit" },
830 { 1, "Explicit" },
831 { 0x00, NULL((void*)0) }
832};
833#endif
834
835/* http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml */
836/* Note: sorted by ascending value so value_string_ext fcns can do a binary search */
837static const value_string ssl_31_ciphersuite[] = {
838 /* RFC 2246, RFC 4346, RFC 5246 */
839 { 0x0000, "TLS_NULL_WITH_NULL_NULL" },
840 { 0x0001, "TLS_RSA_WITH_NULL_MD5" },
841 { 0x0002, "TLS_RSA_WITH_NULL_SHA" },
842 { 0x0003, "TLS_RSA_EXPORT_WITH_RC4_40_MD5" },
843 { 0x0004, "TLS_RSA_WITH_RC4_128_MD5" },
844 { 0x0005, "TLS_RSA_WITH_RC4_128_SHA" },
845 { 0x0006, "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5" },
846 { 0x0007, "TLS_RSA_WITH_IDEA_CBC_SHA" },
847 { 0x0008, "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA" },
848 { 0x0009, "TLS_RSA_WITH_DES_CBC_SHA" },
849 { 0x000a, "TLS_RSA_WITH_3DES_EDE_CBC_SHA" },
850 { 0x000b, "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA" },
851 { 0x000c, "TLS_DH_DSS_WITH_DES_CBC_SHA" },
852 { 0x000d, "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA" },
853 { 0x000e, "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA" },
854 { 0x000f, "TLS_DH_RSA_WITH_DES_CBC_SHA" },
855 { 0x0010, "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA" },
856 { 0x0011, "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA" },
857 { 0x0012, "TLS_DHE_DSS_WITH_DES_CBC_SHA" },
858 { 0x0013, "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA" },
859 { 0x0014, "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA" },
860 { 0x0015, "TLS_DHE_RSA_WITH_DES_CBC_SHA" },
861 { 0x0016, "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA" },
862 { 0x0017, "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5" },
863 { 0x0018, "TLS_DH_anon_WITH_RC4_128_MD5" },
864 { 0x0019, "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA" },
865 { 0x001a, "TLS_DH_anon_WITH_DES_CBC_SHA" },
866 { 0x001b, "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA" },
867
868 { 0x001c, "SSL_FORTEZZA_KEA_WITH_NULL_SHA" },
869 { 0x001d, "SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA" },
870#if 0 /* Because it clashes with KRB5, is never used any more, and is safe
871 to remove according to David Hopwood <[email protected]>
872 of the ietf-tls list */
873 { 0x001e, "SSL_FORTEZZA_KEA_WITH_RC4_128_SHA" },
874#endif
875 /* RFC 2712 */
876 { 0x001E, "TLS_KRB5_WITH_DES_CBC_SHA" },
877 { 0x001F, "TLS_KRB5_WITH_3DES_EDE_CBC_SHA" },
878 { 0x0020, "TLS_KRB5_WITH_RC4_128_SHA" },
879 { 0x0021, "TLS_KRB5_WITH_IDEA_CBC_SHA" },
880 { 0x0022, "TLS_KRB5_WITH_DES_CBC_MD5" },
881 { 0x0023, "TLS_KRB5_WITH_3DES_EDE_CBC_MD5" },
882 { 0x0024, "TLS_KRB5_WITH_RC4_128_MD5" },
883 { 0x0025, "TLS_KRB5_WITH_IDEA_CBC_MD5" },
884 { 0x0026, "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA" },
885 { 0x0027, "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA" },
886 { 0x0028, "TLS_KRB5_EXPORT_WITH_RC4_40_SHA" },
887 { 0x0029, "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5" },
888 { 0x002A, "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5" },
889 { 0x002B, "TLS_KRB5_EXPORT_WITH_RC4_40_MD5" },
890 /* RFC 4785 */
891 { 0x002C, "TLS_PSK_WITH_NULL_SHA" },
892 { 0x002D, "TLS_DHE_PSK_WITH_NULL_SHA" },
893 { 0x002E, "TLS_RSA_PSK_WITH_NULL_SHA" },
894 /* RFC 5246 */
895 { 0x002F, "TLS_RSA_WITH_AES_128_CBC_SHA" },
896 { 0x0030, "TLS_DH_DSS_WITH_AES_128_CBC_SHA" },
897 { 0x0031, "TLS_DH_RSA_WITH_AES_128_CBC_SHA" },
898 { 0x0032, "TLS_DHE_DSS_WITH_AES_128_CBC_SHA" },
899 { 0x0033, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA" },
900 { 0x0034, "TLS_DH_anon_WITH_AES_128_CBC_SHA" },
901 { 0x0035, "TLS_RSA_WITH_AES_256_CBC_SHA" },
902 { 0x0036, "TLS_DH_DSS_WITH_AES_256_CBC_SHA" },
903 { 0x0037, "TLS_DH_RSA_WITH_AES_256_CBC_SHA" },
904 { 0x0038, "TLS_DHE_DSS_WITH_AES_256_CBC_SHA" },
905 { 0x0039, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA" },
906 { 0x003A, "TLS_DH_anon_WITH_AES_256_CBC_SHA" },
907 { 0x003B, "TLS_RSA_WITH_NULL_SHA256" },
908 { 0x003C, "TLS_RSA_WITH_AES_128_CBC_SHA256" },
909 { 0x003D, "TLS_RSA_WITH_AES_256_CBC_SHA256" },
910 { 0x003E, "TLS_DH_DSS_WITH_AES_128_CBC_SHA256" },
911 { 0x003F, "TLS_DH_RSA_WITH_AES_128_CBC_SHA256" },
912 { 0x0040, "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256" },
913 /* RFC 4132 */
914 { 0x0041, "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA" },
915 { 0x0042, "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA" },
916 { 0x0043, "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA" },
917 { 0x0044, "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA" },
918 { 0x0045, "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA" },
919 { 0x0046, "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA" },
920 /* 0x00,0x60-66 Reserved to avoid conflicts with widely deployed implementations */
921 /* --- ??? --- */
922 { 0x0060, "TLS_RSA_EXPORT1024_WITH_RC4_56_MD5" },
923 { 0x0061, "TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5" },
924 /* draft-ietf-tls-56-bit-ciphersuites-01.txt */
925 { 0x0062, "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA" },
926 { 0x0063, "TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA" },
927 { 0x0064, "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA" },
928 { 0x0065, "TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA" },
929 { 0x0066, "TLS_DHE_DSS_WITH_RC4_128_SHA" },
930 /* --- ??? ---*/
931 { 0x0067, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256" },
932 { 0x0068, "TLS_DH_DSS_WITH_AES_256_CBC_SHA256" },
933 { 0x0069, "TLS_DH_RSA_WITH_AES_256_CBC_SHA256" },
934 { 0x006A, "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256" },
935 { 0x006B, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256" },
936 { 0x006C, "TLS_DH_anon_WITH_AES_128_CBC_SHA256" },
937 { 0x006D, "TLS_DH_anon_WITH_AES_256_CBC_SHA256" },
938 /* draft-chudov-cryptopro-cptls-04.txt */
939 { 0x0080, "TLS_GOSTR341094_WITH_28147_CNT_IMIT" },
940 { 0x0081, "TLS_GOSTR341001_WITH_28147_CNT_IMIT" },
941 { 0x0082, "TLS_GOSTR341094_WITH_NULL_GOSTR3411" },
942 { 0x0083, "TLS_GOSTR341001_WITH_NULL_GOSTR3411" },
943 /* RFC 4132 */
944 { 0x0084, "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA" },
945 { 0x0085, "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA" },
946 { 0x0086, "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA" },
947 { 0x0087, "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA" },
948 { 0x0088, "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA" },
949 { 0x0089, "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA" },
950 /* RFC 4279 */
951 { 0x008A, "TLS_PSK_WITH_RC4_128_SHA" },
952 { 0x008B, "TLS_PSK_WITH_3DES_EDE_CBC_SHA" },
953 { 0x008C, "TLS_PSK_WITH_AES_128_CBC_SHA" },
954 { 0x008D, "TLS_PSK_WITH_AES_256_CBC_SHA" },
955 { 0x008E, "TLS_DHE_PSK_WITH_RC4_128_SHA" },
956 { 0x008F, "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA" },
957 { 0x0090, "TLS_DHE_PSK_WITH_AES_128_CBC_SHA" },
958 { 0x0091, "TLS_DHE_PSK_WITH_AES_256_CBC_SHA" },
959 { 0x0092, "TLS_RSA_PSK_WITH_RC4_128_SHA" },
960 { 0x0093, "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA" },
961 { 0x0094, "TLS_RSA_PSK_WITH_AES_128_CBC_SHA" },
962 { 0x0095, "TLS_RSA_PSK_WITH_AES_256_CBC_SHA" },
963 /* RFC 4162 */
964 { 0x0096, "TLS_RSA_WITH_SEED_CBC_SHA" },
965 { 0x0097, "TLS_DH_DSS_WITH_SEED_CBC_SHA" },
966 { 0x0098, "TLS_DH_RSA_WITH_SEED_CBC_SHA" },
967 { 0x0099, "TLS_DHE_DSS_WITH_SEED_CBC_SHA" },
968 { 0x009A, "TLS_DHE_RSA_WITH_SEED_CBC_SHA" },
969 { 0x009B, "TLS_DH_anon_WITH_SEED_CBC_SHA" },
970 /* RFC 5288 */
971 { 0x009C, "TLS_RSA_WITH_AES_128_GCM_SHA256" },
972 { 0x009D, "TLS_RSA_WITH_AES_256_GCM_SHA384" },
973 { 0x009E, "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256" },
974 { 0x009F, "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384" },
975 { 0x00A0, "TLS_DH_RSA_WITH_AES_128_GCM_SHA256" },
976 { 0x00A1, "TLS_DH_RSA_WITH_AES_256_GCM_SHA384" },
977 { 0x00A2, "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256" },
978 { 0x00A3, "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384" },
979 { 0x00A4, "TLS_DH_DSS_WITH_AES_128_GCM_SHA256" },
980 { 0x00A5, "TLS_DH_DSS_WITH_AES_256_GCM_SHA384" },
981 { 0x00A6, "TLS_DH_anon_WITH_AES_128_GCM_SHA256" },
982 { 0x00A7, "TLS_DH_anon_WITH_AES_256_GCM_SHA384" },
983 /* RFC 5487 */
984 { 0x00A8, "TLS_PSK_WITH_AES_128_GCM_SHA256" },
985 { 0x00A9, "TLS_PSK_WITH_AES_256_GCM_SHA384" },
986 { 0x00AA, "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256" },
987 { 0x00AB, "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384" },
988 { 0x00AC, "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256" },
989 { 0x00AD, "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384" },
990 { 0x00AE, "TLS_PSK_WITH_AES_128_CBC_SHA256" },
991 { 0x00AF, "TLS_PSK_WITH_AES_256_CBC_SHA384" },
992 { 0x00B0, "TLS_PSK_WITH_NULL_SHA256" },
993 { 0x00B1, "TLS_PSK_WITH_NULL_SHA384" },
994 { 0x00B2, "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256" },
995 { 0x00B3, "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384" },
996 { 0x00B4, "TLS_DHE_PSK_WITH_NULL_SHA256" },
997 { 0x00B5, "TLS_DHE_PSK_WITH_NULL_SHA384" },
998 { 0x00B6, "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256" },
999 { 0x00B7, "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384" },
1000 { 0x00B8, "TLS_RSA_PSK_WITH_NULL_SHA256" },
1001 { 0x00B9, "TLS_RSA_PSK_WITH_NULL_SHA384" },
1002 /* From RFC 5932 */
1003 { 0x00BA, "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
1004 { 0x00BB, "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256" },
1005 { 0x00BC, "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
1006 { 0x00BD, "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256" },
1007 { 0x00BE, "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
1008 { 0x00BF, "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256" },
1009 { 0x00C0, "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
1010 { 0x00C1, "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256" },
1011 { 0x00C2, "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
1012 { 0x00C3, "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256" },
1013 { 0x00C4, "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
1014 { 0x00C5, "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256" },
1015 /* RFC 8998 */
1016 { 0x00C6, "TLS_SM4_GCM_SM3" },
1017 { 0x00C7, "TLS_SM4_CCM_SM3" },
1018 /* 0x00,0xC8-FE Unassigned */
1019 /* From RFC 5746 */
1020 { 0x00FF, "TLS_EMPTY_RENEGOTIATION_INFO_SCSV" },
1021 /* RFC 8701 */
1022 { 0x0A0A, "Reserved (GREASE)" },
1023 /* RFC 8446 */
1024 { 0x1301, "TLS_AES_128_GCM_SHA256" },
1025 { 0x1302, "TLS_AES_256_GCM_SHA384" },
1026 { 0x1303, "TLS_CHACHA20_POLY1305_SHA256" },
1027 { 0x1304, "TLS_AES_128_CCM_SHA256" },
1028 { 0x1305, "TLS_AES_128_CCM_8_SHA256" },
1029 /* RFC 8701 */
1030 { 0x1A1A, "Reserved (GREASE)" },
1031 { 0x2A2A, "Reserved (GREASE)" },
1032 { 0x3A3A, "Reserved (GREASE)" },
1033 { 0x4A4A, "Reserved (GREASE)" },
1034 /* From RFC 7507 */
1035 { 0x5600, "TLS_FALLBACK_SCSV" },
1036 /* RFC 8701 */
1037 { 0x5A5A, "Reserved (GREASE)" },
1038 { 0x6A6A, "Reserved (GREASE)" },
1039 { 0x7A7A, "Reserved (GREASE)" },
1040 { 0x8A8A, "Reserved (GREASE)" },
1041 { 0x9A9A, "Reserved (GREASE)" },
1042 { 0xAAAA, "Reserved (GREASE)" },
1043 { 0xBABA, "Reserved (GREASE)" },
1044 /* From RFC 4492 */
1045 { 0xc001, "TLS_ECDH_ECDSA_WITH_NULL_SHA" },
1046 { 0xc002, "TLS_ECDH_ECDSA_WITH_RC4_128_SHA" },
1047 { 0xc003, "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA" },
1048 { 0xc004, "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA" },
1049 { 0xc005, "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" },
1050 { 0xc006, "TLS_ECDHE_ECDSA_WITH_NULL_SHA" },
1051 { 0xc007, "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA" },
1052 { 0xc008, "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA" },
1053 { 0xc009, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA" },
1054 { 0xc00a, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" },
1055 { 0xc00b, "TLS_ECDH_RSA_WITH_NULL_SHA" },
1056 { 0xc00c, "TLS_ECDH_RSA_WITH_RC4_128_SHA" },
1057 { 0xc00d, "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA" },
1058 { 0xc00e, "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA" },
1059 { 0xc00f, "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA" },
1060 { 0xc010, "TLS_ECDHE_RSA_WITH_NULL_SHA" },
1061 { 0xc011, "TLS_ECDHE_RSA_WITH_RC4_128_SHA" },
1062 { 0xc012, "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA" },
1063 { 0xc013, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA" },
1064 { 0xc014, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA" },
1065 { 0xc015, "TLS_ECDH_anon_WITH_NULL_SHA" },
1066 { 0xc016, "TLS_ECDH_anon_WITH_RC4_128_SHA" },
1067 { 0xc017, "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA" },
1068 { 0xc018, "TLS_ECDH_anon_WITH_AES_128_CBC_SHA" },
1069 { 0xc019, "TLS_ECDH_anon_WITH_AES_256_CBC_SHA" },
1070 /* RFC 5054 */
1071 { 0xC01A, "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA" },
1072 { 0xC01B, "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA" },
1073 { 0xC01C, "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA" },
1074 { 0xC01D, "TLS_SRP_SHA_WITH_AES_128_CBC_SHA" },
1075 { 0xC01E, "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA" },
1076 { 0xC01F, "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA" },
1077 { 0xC020, "TLS_SRP_SHA_WITH_AES_256_CBC_SHA" },
1078 { 0xC021, "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA" },
1079 { 0xC022, "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA" },
1080 /* RFC 5589 */
1081 { 0xC023, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256" },
1082 { 0xC024, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384" },
1083 { 0xC025, "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256" },
1084 { 0xC026, "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384" },
1085 { 0xC027, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" },
1086 { 0xC028, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" },
1087 { 0xC029, "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256" },
1088 { 0xC02A, "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384" },
1089 { 0xC02B, "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" },
1090 { 0xC02C, "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" },
1091 { 0xC02D, "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256" },
1092 { 0xC02E, "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384" },
1093 { 0xC02F, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" },
1094 { 0xC030, "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" },
1095 { 0xC031, "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" },
1096 { 0xC032, "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384" },
1097 /* RFC 5489 */
1098 { 0xC033, "TLS_ECDHE_PSK_WITH_RC4_128_SHA" },
1099 { 0xC034, "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA" },
1100 { 0xC035, "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA" },
1101 { 0xC036, "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA" },
1102 { 0xC037, "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256" },
1103 { 0xC038, "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384" },
1104 { 0xC039, "TLS_ECDHE_PSK_WITH_NULL_SHA" },
1105 { 0xC03A, "TLS_ECDHE_PSK_WITH_NULL_SHA256" },
1106 { 0xC03B, "TLS_ECDHE_PSK_WITH_NULL_SHA384" },
1107 /* RFC 6209 */
1108 { 0xC03C, "TLS_RSA_WITH_ARIA_128_CBC_SHA256" },
1109 { 0xC03D, "TLS_RSA_WITH_ARIA_256_CBC_SHA384" },
1110 { 0xC03E, "TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256" },
1111 { 0xC03F, "TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384" },
1112 { 0xC040, "TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256" },
1113 { 0xC041, "TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384" },
1114 { 0xC042, "TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256" },
1115 { 0xC043, "TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384" },
1116 { 0xC044, "TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256" },
1117 { 0xC045, "TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384" },
1118 { 0xC046, "TLS_DH_anon_WITH_ARIA_128_CBC_SHA256" },
1119 { 0xC047, "TLS_DH_anon_WITH_ARIA_256_CBC_SHA384" },
1120 { 0xC048, "TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256" },
1121 { 0xC049, "TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384" },
1122 { 0xC04A, "TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256" },
1123 { 0xC04B, "TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384" },
1124 { 0xC04C, "TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256" },
1125 { 0xC04D, "TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384" },
1126 { 0xC04E, "TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256" },
1127 { 0xC04F, "TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384" },
1128 { 0xC050, "TLS_RSA_WITH_ARIA_128_GCM_SHA256" },
1129 { 0xC051, "TLS_RSA_WITH_ARIA_256_GCM_SHA384" },
1130 { 0xC052, "TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256" },
1131 { 0xC053, "TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384" },
1132 { 0xC054, "TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256" },
1133 { 0xC055, "TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384" },
1134 { 0xC056, "TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256" },
1135 { 0xC057, "TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384" },
1136 { 0xC058, "TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256" },
1137 { 0xC059, "TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384" },
1138 { 0xC05A, "TLS_DH_anon_WITH_ARIA_128_GCM_SHA256" },
1139 { 0xC05B, "TLS_DH_anon_WITH_ARIA_256_GCM_SHA384" },
1140 { 0xC05C, "TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256" },
1141 { 0xC05D, "TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384" },
1142 { 0xC05E, "TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256" },
1143 { 0xC05F, "TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384" },
1144 { 0xC060, "TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256" },
1145 { 0xC061, "TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384" },
1146 { 0xC062, "TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256" },
1147 { 0xC063, "TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384" },
1148 { 0xC064, "TLS_PSK_WITH_ARIA_128_CBC_SHA256" },
1149 { 0xC065, "TLS_PSK_WITH_ARIA_256_CBC_SHA384" },
1150 { 0xC066, "TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256" },
1151 { 0xC067, "TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384" },
1152 { 0xC068, "TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256" },
1153 { 0xC069, "TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384" },
1154 { 0xC06A, "TLS_PSK_WITH_ARIA_128_GCM_SHA256" },
1155 { 0xC06B, "TLS_PSK_WITH_ARIA_256_GCM_SHA384" },
1156 { 0xC06C, "TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256" },
1157 { 0xC06D, "TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384" },
1158 { 0xC06E, "TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256" },
1159 { 0xC06F, "TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384" },
1160 { 0xC070, "TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256" },
1161 { 0xC071, "TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384" },
1162 /* RFC 6367 */
1163 { 0xC072, "TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256" },
1164 { 0xC073, "TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384" },
1165 { 0xC074, "TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256" },
1166 { 0xC075, "TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384" },
1167 { 0xC076, "TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
1168 { 0xC077, "TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384" },
1169 { 0xC078, "TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
1170 { 0xC079, "TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384" },
1171 { 0xC07A, "TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256" },
1172 { 0xC07B, "TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384" },
1173 { 0xC07C, "TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256" },
1174 { 0xC07D, "TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384" },
1175 { 0xC07E, "TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256" },
1176 { 0xC07F, "TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384" },
1177 { 0xC080, "TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256" },
1178 { 0xC081, "TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384" },
1179 { 0xC082, "TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256" },
1180 { 0xC083, "TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384" },
1181 { 0xC084, "TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256" },
1182 { 0xC085, "TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384" },
1183 { 0xC086, "TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256" },
1184 { 0xC087, "TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384" },
1185 { 0xC088, "TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256" },
1186 { 0xC089, "TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384" },
1187 { 0xC08A, "TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256" },
1188 { 0xC08B, "TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384" },
1189 { 0xC08C, "TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256" },
1190 { 0xC08D, "TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384" },
1191 { 0xC08E, "TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256" },
1192 { 0xC08F, "TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384" },
1193 { 0xC090, "TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256" },
1194 { 0xC091, "TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384" },
1195 { 0xC092, "TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256" },
1196 { 0xC093, "TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384" },
1197 { 0xC094, "TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256" },
1198 { 0xC095, "TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384" },
1199 { 0xC096, "TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256" },
1200 { 0xC097, "TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384" },
1201 { 0xC098, "TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256" },
1202 { 0xC099, "TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384" },
1203 { 0xC09A, "TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256" },
1204 { 0xC09B, "TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384" },
1205 /* RFC 6655 */
1206 { 0xC09C, "TLS_RSA_WITH_AES_128_CCM" },
1207 { 0xC09D, "TLS_RSA_WITH_AES_256_CCM" },
1208 { 0xC09E, "TLS_DHE_RSA_WITH_AES_128_CCM" },
1209 { 0xC09F, "TLS_DHE_RSA_WITH_AES_256_CCM" },
1210 { 0xC0A0, "TLS_RSA_WITH_AES_128_CCM_8" },
1211 { 0xC0A1, "TLS_RSA_WITH_AES_256_CCM_8" },
1212 { 0xC0A2, "TLS_DHE_RSA_WITH_AES_128_CCM_8" },
1213 { 0xC0A3, "TLS_DHE_RSA_WITH_AES_256_CCM_8" },
1214 { 0xC0A4, "TLS_PSK_WITH_AES_128_CCM" },
1215 { 0xC0A5, "TLS_PSK_WITH_AES_256_CCM" },
1216 { 0xC0A6, "TLS_DHE_PSK_WITH_AES_128_CCM" },
1217 { 0xC0A7, "TLS_DHE_PSK_WITH_AES_256_CCM" },
1218 { 0xC0A8, "TLS_PSK_WITH_AES_128_CCM_8" },
1219 { 0xC0A9, "TLS_PSK_WITH_AES_256_CCM_8" },
1220 { 0xC0AA, "TLS_PSK_DHE_WITH_AES_128_CCM_8" },
1221 { 0xC0AB, "TLS_PSK_DHE_WITH_AES_256_CCM_8" },
1222 /* RFC 7251 */
1223 { 0xC0AC, "TLS_ECDHE_ECDSA_WITH_AES_128_CCM" },
1224 { 0xC0AD, "TLS_ECDHE_ECDSA_WITH_AES_256_CCM" },
1225 { 0xC0AE, "TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8" },
1226 { 0xC0AF, "TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8" },
1227 /* RFC 8492 */
1228 { 0xC0B0, "TLS_ECCPWD_WITH_AES_128_GCM_SHA256" },
1229 { 0xC0B1, "TLS_ECCPWD_WITH_AES_256_GCM_SHA384" },
1230 { 0xC0B2, "TLS_ECCPWD_WITH_AES_128_CCM_SHA256" },
1231 { 0xC0B3, "TLS_ECCPWD_WITH_AES_256_CCM_SHA384" },
1232 /* draft-camwinget-tls-ts13-macciphersuites */
1233 { 0xC0B4, "TLS_SHA256_SHA256" },
1234 { 0xC0B5, "TLS_SHA384_SHA384" },
1235 /* https://www.ietf.org/archive/id/draft-cragie-tls-ecjpake-01.txt */
1236 { 0xC0FF, "TLS_ECJPAKE_WITH_AES_128_CCM_8" },
1237 /* draft-smyshlyaev-tls12-gost-suites */
1238 { 0xC100, "TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC" },
1239 { 0xC101, "TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC" },
1240 { 0xC102, "TLS_GOSTR341112_256_WITH_28147_CNT_IMIT" },
1241 /* draft-smyshlyaev-tls13-gost-suites */
1242 { 0xC103, "TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_L" },
1243 { 0xC104, "TLS_GOSTR341112_256_WITH_MAGMA_MGM_L" },
1244 { 0xC105, "TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_S" },
1245 { 0xC106, "TLS_GOSTR341112_256_WITH_MAGMA_MGM_S" },
1246 /* RFC 8701 */
1247 { 0xCACA, "Reserved (GREASE)" },
1248/*
12490xC0,0xAB-FF Unassigned
12500xC1,0x03-FD,* Unassigned
12510xFE,0x00-FD Unassigned
12520xFE,0xFE-FF Reserved to avoid conflicts with widely deployed implementations [Pasi_Eronen]
12530xFF,0x00-FF Reserved for Private Use [RFC5246]
1254*/
1255 /* old numbers used in the beginning
1256 * https://tools.ietf.org/html/draft-agl-tls-chacha20poly1305 */
1257 { 0xCC13, "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
1258 { 0xCC14, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" },
1259 { 0xCC15, "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
1260 /* RFC 7905 */
1261 { 0xCCA8, "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
1262 { 0xCCA9, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" },
1263 { 0xCCAA, "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
1264 { 0xCCAB, "TLS_PSK_WITH_CHACHA20_POLY1305_SHA256" },
1265 { 0xCCAC, "TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256" },
1266 { 0xCCAD, "TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256" },
1267 { 0xCCAE, "TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256" },
1268 /* RFC 8442 */
1269 { 0xD001, "TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256" },
1270 { 0xD002, "TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384" },
1271 { 0xD003, "TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256" },
1272 { 0xD005, "TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256" },
1273 /* RFC 8701 */
1274 { 0xDADA, "Reserved (GREASE)" },
1275 /* GM/T 0024-2014 */
1276 { 0xe001, "ECDHE_SM1_SM3"},
1277 { 0xe003, "ECC_SM1_SM3"},
1278 { 0xe005, "IBSDH_SM1_SM3"},
1279 { 0xe007, "IBC_SM1_SM3"},
1280 { 0xe009, "RSA_SM1_SM3"},
1281 { 0xe00a, "RSA_SM1_SHA1"},
1282 { 0xe011, "ECDHE_SM4_CBC_SM3"},
1283 { 0xe013, "ECC_SM4_CBC_SM3"},
1284 { 0xe015, "IBSDH_SM4_CBC_SM3"},
1285 { 0xe017, "IBC_SM4_CBC_SM3"},
1286 { 0xe019, "RSA_SM4_CBC_SM3"},
1287 { 0xe01a, "RSA_SM4_CBC_SHA1"},
1288 { 0xe01c, "RSA_SM4_CBC_SHA256"},
1289 { 0xe051, "ECDHE_SM4_GCM_SM3"},
1290 { 0xe053, "ECC_SM4_GCM_SM3"},
1291 { 0xe055, "IBSDH_SM4_GCM_SM3"},
1292 { 0xe057, "IBC_SM4_GCM_SM3"},
1293 { 0xe059, "RSA_SM4_GCM_SM3"},
1294 { 0xe05a, "RSA_SM4_GCM_SHA256"},
1295 /* https://tools.ietf.org/html/draft-josefsson-salsa20-tls */
1296 { 0xE410, "TLS_RSA_WITH_ESTREAM_SALSA20_SHA1" },
1297 { 0xE411, "TLS_RSA_WITH_SALSA20_SHA1" },
1298 { 0xE412, "TLS_ECDHE_RSA_WITH_ESTREAM_SALSA20_SHA1" },
1299 { 0xE413, "TLS_ECDHE_RSA_WITH_SALSA20_SHA1" },
1300 { 0xE414, "TLS_ECDHE_ECDSA_WITH_ESTREAM_SALSA20_SHA1" },
1301 { 0xE415, "TLS_ECDHE_ECDSA_WITH_SALSA20_SHA1" },
1302 { 0xE416, "TLS_PSK_WITH_ESTREAM_SALSA20_SHA1" },
1303 { 0xE417, "TLS_PSK_WITH_SALSA20_SHA1" },
1304 { 0xE418, "TLS_ECDHE_PSK_WITH_ESTREAM_SALSA20_SHA1" },
1305 { 0xE419, "TLS_ECDHE_PSK_WITH_SALSA20_SHA1" },
1306 { 0xE41A, "TLS_RSA_PSK_WITH_ESTREAM_SALSA20_SHA1" },
1307 { 0xE41B, "TLS_RSA_PSK_WITH_SALSA20_SHA1" },
1308 { 0xE41C, "TLS_DHE_PSK_WITH_ESTREAM_SALSA20_SHA1" },
1309 { 0xE41D, "TLS_DHE_PSK_WITH_SALSA20_SHA1" },
1310 { 0xE41E, "TLS_DHE_RSA_WITH_ESTREAM_SALSA20_SHA1" },
1311 { 0xE41F, "TLS_DHE_RSA_WITH_SALSA20_SHA1" },
1312 /* RFC 8701 */
1313 { 0xEAEA, "Reserved (GREASE)" },
1314 { 0xFAFA, "Reserved (GREASE)" },
1315 /* these from http://www.mozilla.org/projects/
1316 security/pki/nss/ssl/fips-ssl-ciphersuites.html */
1317 { 0xfefe, "SSL_RSA_FIPS_WITH_DES_CBC_SHA"},
1318 { 0xfeff, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA" },
1319 { 0xffe0, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA" },
1320 { 0xffe1, "SSL_RSA_FIPS_WITH_DES_CBC_SHA" },
1321 /* note that ciphersuites 0xff00 - 0xffff are private */
1322 { 0x00, NULL((void*)0) }
1323};
1324
1325value_string_ext ssl_31_ciphersuite_ext = VALUE_STRING_EXT_INIT(ssl_31_ciphersuite){ _try_val_to_str_ext_init, 0, (sizeof (ssl_31_ciphersuite) /
sizeof ((ssl_31_ciphersuite)[0]))-1, ssl_31_ciphersuite, "ssl_31_ciphersuite"
};
1326
1327/* http://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#tls-extensiontype-values-1 */
1328const value_string tls_hello_extension_types[] = {
1329 { SSL_HND_HELLO_EXT_SERVER_NAME0, "server_name" }, /* RFC 6066 */
1330 { SSL_HND_HELLO_EXT_MAX_FRAGMENT_LENGTH1, "max_fragment_length" },/* RFC 6066 */
1331 { SSL_HND_HELLO_EXT_CLIENT_CERTIFICATE_URL2, "client_certificate_url" }, /* RFC 6066 */
1332 { SSL_HND_HELLO_EXT_TRUSTED_CA_KEYS3, "trusted_ca_keys" }, /* RFC 6066 */
1333 { SSL_HND_HELLO_EXT_TRUNCATED_HMAC4, "truncated_hmac" }, /* RFC 6066 */
1334 { SSL_HND_HELLO_EXT_STATUS_REQUEST5, "status_request" }, /* RFC 6066 */
1335 { SSL_HND_HELLO_EXT_USER_MAPPING6, "user_mapping" }, /* RFC 4681 */
1336 { SSL_HND_HELLO_EXT_CLIENT_AUTHZ7, "client_authz" }, /* RFC 5878 */
1337 { SSL_HND_HELLO_EXT_SERVER_AUTHZ8, "server_authz" }, /* RFC 5878 */
1338 { SSL_HND_HELLO_EXT_CERT_TYPE9, "cert_type" }, /* RFC 6091 */
1339 { SSL_HND_HELLO_EXT_SUPPORTED_GROUPS10, "supported_groups" }, /* RFC 4492, RFC 7919 */
1340 { SSL_HND_HELLO_EXT_EC_POINT_FORMATS11, "ec_point_formats" }, /* RFC 4492 */
1341 { SSL_HND_HELLO_EXT_SRP12, "srp" }, /* RFC 5054 */
1342 { SSL_HND_HELLO_EXT_SIGNATURE_ALGORITHMS13, "signature_algorithms" }, /* RFC 5246 */
1343 { SSL_HND_HELLO_EXT_USE_SRTP14, "use_srtp" }, /* RFC 5764 */
1344 { SSL_HND_HELLO_EXT_HEARTBEAT15, "heartbeat" }, /* RFC 6520 */
1345 { SSL_HND_HELLO_EXT_ALPN16, "application_layer_protocol_negotiation" }, /* RFC 7301 */
1346 { SSL_HND_HELLO_EXT_STATUS_REQUEST_V217, "status_request_v2" }, /* RFC 6961 */
1347 { SSL_HND_HELLO_EXT_SIGNED_CERTIFICATE_TIMESTAMP18, "signed_certificate_timestamp" }, /* RFC 6962 */
1348 { SSL_HND_HELLO_EXT_CLIENT_CERT_TYPE19, "client_certificate_type" }, /* RFC 7250 */
1349 { SSL_HND_HELLO_EXT_SERVER_CERT_TYPE20, "server_certificate_type" }, /* RFC 7250 */
1350 { SSL_HND_HELLO_EXT_PADDING21, "padding" }, /* RFC 7685 */
1351 { SSL_HND_HELLO_EXT_ENCRYPT_THEN_MAC22, "encrypt_then_mac" }, /* RFC 7366 */
1352 { SSL_HND_HELLO_EXT_EXTENDED_MASTER_SECRET23, "extended_master_secret" }, /* RFC 7627 */
1353 { SSL_HND_HELLO_EXT_TOKEN_BINDING24, "token_binding" }, /* https://tools.ietf.org/html/draft-ietf-tokbind-negotiation */
1354 { SSL_HND_HELLO_EXT_CACHED_INFO25, "cached_info" }, /* RFC 7924 */
1355 { SSL_HND_HELLO_EXT_COMPRESS_CERTIFICATE27, "compress_certificate" }, /* https://tools.ietf.org/html/draft-ietf-tls-certificate-compression-03 */
1356 { SSL_HND_HELLO_EXT_RECORD_SIZE_LIMIT28, "record_size_limit" }, /* RFC 8449 */
1357 { SSL_HND_HELLO_EXT_DELEGATED_CREDENTIALS34, "delegated_credentials" }, /* draft-ietf-tls-subcerts-10.txt */
1358 { SSL_HND_HELLO_EXT_SESSION_TICKET_TLS35, "session_ticket" }, /* RFC 5077 / RFC 8447 */
1359 { SSL_HND_HELLO_EXT_KEY_SHARE_OLD40, "Reserved (key_share)" }, /* https://tools.ietf.org/html/draft-ietf-tls-tls13-22 (removed in -23) */
1360 { SSL_HND_HELLO_EXT_PRE_SHARED_KEY41, "pre_shared_key" }, /* RFC 8446 */
1361 { SSL_HND_HELLO_EXT_EARLY_DATA42, "early_data" }, /* RFC 8446 */
1362 { SSL_HND_HELLO_EXT_SUPPORTED_VERSIONS43, "supported_versions" }, /* RFC 8446 */
1363 { SSL_HND_HELLO_EXT_COOKIE44, "cookie" }, /* RFC 8446 */
1364 { SSL_HND_HELLO_EXT_PSK_KEY_EXCHANGE_MODES45, "psk_key_exchange_modes" }, /* RFC 8446 */
1365 { SSL_HND_HELLO_EXT_TICKET_EARLY_DATA_INFO46, "Reserved (ticket_early_data_info)" }, /* draft-ietf-tls-tls13-18 (removed in -19) */
1366 { SSL_HND_HELLO_EXT_CERTIFICATE_AUTHORITIES47, "certificate_authorities" }, /* RFC 8446 */
1367 { SSL_HND_HELLO_EXT_OID_FILTERS48, "oid_filters" }, /* RFC 8446 */
1368 { SSL_HND_HELLO_EXT_POST_HANDSHAKE_AUTH49, "post_handshake_auth" }, /* RFC 8446 */
1369 { SSL_HND_HELLO_EXT_SIGNATURE_ALGORITHMS_CERT50, "signature_algorithms_cert" }, /* RFC 8446 */
1370 { SSL_HND_HELLO_EXT_KEY_SHARE51, "key_share" }, /* RFC 8446 */
1371 { SSL_HND_HELLO_EXT_TRANSPARENCY_INFO52, "transparency_info" }, /* draft-ietf-trans-rfc6962-bis-41 */
1372 { SSL_HND_HELLO_EXT_CONNECTION_ID_DEPRECATED53, "connection_id (deprecated)" }, /* draft-ietf-tls-dtls-connection-id-07 */
1373 { SSL_HND_HELLO_EXT_CONNECTION_ID54, "connection_id" }, /* RFC 9146 */
1374 { SSL_HND_HELLO_EXT_EXTERNAL_ID_HASH55, "external_id_hash" }, /* RFC 8844 */
1375 { SSL_HND_HELLO_EXT_EXTERNAL_SESSION_ID56, "external_session_id" }, /* RFC 8844 */
1376 { SSL_HND_HELLO_EXT_QUIC_TRANSPORT_PARAMETERS_V157, "quic_transport_parameters" }, /* draft-ietf-quic-tls-33 */
1377 { SSL_HND_HELLO_EXT_TICKET_REQUEST58, "ticket_request" }, /* draft-ietf-tls-ticketrequests-07 */
1378 { SSL_HND_HELLO_EXT_DNSSEC_CHAIN59, "dnssec_chain" }, /* RFC 9102 */
1379 { SSL_HND_HELLO_EXT_GREASE_0A0A2570, "Reserved (GREASE)" }, /* RFC 8701 */
1380 { SSL_HND_HELLO_EXT_GREASE_1A1A6682, "Reserved (GREASE)" }, /* RFC 8701 */
1381 { SSL_HND_HELLO_EXT_GREASE_2A2A10794, "Reserved (GREASE)" }, /* RFC 8701 */
1382 { SSL_HND_HELLO_EXT_NPN13172, "next_protocol_negotiation"}, /* https://tools.ietf.org/id/draft-agl-tls-nextprotoneg-03.html */
1383 { SSL_HND_HELLO_EXT_GREASE_3A3A14906, "Reserved (GREASE)" }, /* RFC 8701 */
1384 { SSL_HND_HELLO_EXT_ALPS17513, "application_settings" }, /* draft-vvv-tls-alps-01 */
1385 { SSL_HND_HELLO_EXT_GREASE_4A4A19018, "Reserved (GREASE)" }, /* RFC 8701 */
1386 { SSL_HND_HELLO_EXT_GREASE_5A5A23130, "Reserved (GREASE)" }, /* RFC 8701 */
1387 { SSL_HND_HELLO_EXT_GREASE_6A6A27242, "Reserved (GREASE)" }, /* RFC 8701 */
1388 { SSL_HND_HELLO_EXT_CHANNEL_ID_OLD30031, "channel_id_old" }, /* https://tools.ietf.org/html/draft-balfanz-tls-channelid-00
1389 https://twitter.com/ericlaw/status/274237352531083264 */
1390 { SSL_HND_HELLO_EXT_CHANNEL_ID30032, "channel_id" }, /* https://tools.ietf.org/html/draft-balfanz-tls-channelid-01
1391 https://code.google.com/p/chromium/codesearch#chromium/src/net/third_party/nss/ssl/sslt.h&l=209 */
1392 { SSL_HND_HELLO_EXT_RENEGOTIATION_INFO65281, "renegotiation_info" }, /* RFC 5746 */
1393 { SSL_HND_HELLO_EXT_GREASE_7A7A31354, "Reserved (GREASE)" }, /* RFC 8701 */
1394 { SSL_HND_HELLO_EXT_GREASE_8A8A35466, "Reserved (GREASE)" }, /* RFC 8701 */
1395 { SSL_HND_HELLO_EXT_GREASE_9A9A39578, "Reserved (GREASE)" }, /* RFC 8701 */
1396 { SSL_HND_HELLO_EXT_GREASE_AAAA43690, "Reserved (GREASE)" }, /* RFC 8701 */
1397 { SSL_HND_HELLO_EXT_GREASE_BABA47802, "Reserved (GREASE)" }, /* RFC 8701 */
1398 { SSL_HND_HELLO_EXT_GREASE_CACA51914, "Reserved (GREASE)" }, /* RFC 8701 */
1399 { SSL_HND_HELLO_EXT_GREASE_DADA56026, "Reserved (GREASE)" }, /* RFC 8701 */
1400 { SSL_HND_HELLO_EXT_GREASE_EAEA60138, "Reserved (GREASE)" }, /* RFC 8701 */
1401 { SSL_HND_HELLO_EXT_GREASE_FAFA64250, "Reserved (GREASE)" }, /* RFC 8701 */
1402 { SSL_HND_HELLO_EXT_QUIC_TRANSPORT_PARAMETERS65445, "quic_transport_parameters (drafts version)" }, /* https://tools.ietf.org/html/draft-ietf-quic-tls */
1403 { SSL_HND_HELLO_EXT_ENCRYPTED_SERVER_NAME65486, "encrypted_server_name" }, /* https://tools.ietf.org/html/draft-ietf-tls-esni-01 */
1404 { SSL_HND_HELLO_EXT_ENCRYPTED_CLIENT_HELLO65037, "encrypted_client_hello" }, /* https://datatracker.ietf.org/doc/draft-ietf-tls-esni/17/ */
1405 { SSL_HND_HELLO_EXT_ECH_OUTER_EXTENSIONS64768, "ech_outer_extensions" }, /* https://datatracker.ietf.org/doc/draft-ietf-tls-esni/17/ */
1406 { 0, NULL((void*)0) }
1407};
1408
1409const value_string tls_hello_ext_server_name_type_vs[] = {
1410 { 0, "host_name" },
1411 { 0, NULL((void*)0) }
1412};
1413
1414/* RFC 6066 Section 4 */
1415const value_string tls_hello_ext_max_fragment_length[] = {
1416 { 1, "512" }, // 2^9
1417 { 2, "1024" }, // 2^10
1418 { 3, "2048" }, // 2^11
1419 { 4, "4096" }, // 2^12
1420 { 0, NULL((void*)0) }
1421};
1422
1423/* RFC 8446 Section 4.2.9 */
1424const value_string tls_hello_ext_psk_ke_mode[] = {
1425 { 0, "PSK-only key establishment (psk_ke)" },
1426 { 1, "PSK with (EC)DHE key establishment (psk_dhe_ke)" },
1427 { 0, NULL((void*)0) }
1428};
1429
1430/* RFC 6066 Section 6 */
1431const value_string tls_hello_ext_trusted_ca_key_type[] = {
1432 {0, "pre_agreed"},
1433 {1, "key_sha1_hash"},
1434 {2, "x509_name"},
1435 {3, "cert_sha1_hash"},
1436 {0, NULL((void*)0)}
1437};
1438
1439const value_string tls13_key_update_request[] = {
1440 { 0, "update_not_requested" },
1441 { 1, "update_requested" },
1442 { 0, NULL((void*)0) }
1443};
1444
1445/* RFC 5246 7.4.1.4.1 */
1446/* https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml */
1447/* Note that the TLS 1.3 SignatureScheme registry reserves all values
1448 * with first octet 0x00-0x06 and all values with second octet 0x00-0x03
1449 * for backwards compatibility with TLS 1.2 SignatureAndHashAlgorithm.
1450 *
1451 * RFC 8422 and RFC 9189 add official support in TLS 1.2 for some algorithms
1452 * originally defined for TLS 1.3, and extend the TLS SignatureAlgorithm
1453 * and TLS HashAlgorithm registries, but the new values are not compatible
1454 * with all of the TLS 1.3-only SignatureSchemes. Adding those values could
1455 * cause confusion if used to interpret one of those schemes in a
1456 * signature_algorithms extension offered in a TLS 1.3 ClientHello.
1457 */
1458const value_string tls_hash_algorithm[] = {
1459 { 0, "None" },
1460 { 1, "MD5" },
1461 { 2, "SHA1" },
1462 { 3, "SHA224" },
1463 { 4, "SHA256" },
1464 { 5, "SHA384" },
1465 { 6, "SHA512" },
1466#if 0
1467 /* RFC 8422 adds this to the HashAlgorithm registry, but it really
1468 * only applies to 0x0807 and 0x0808, not for other TLS 1.3
1469 * SignatureSchemes with 0x08 in the octet used for Hash in TLS 1.2.
1470 * E.g., we don't want to display this for 0x0806 rsa_pss_rsae_sha512.
1471 */
1472 { 8, "Intrinsic" },
1473#endif
1474 { 0, NULL((void*)0) }
1475};
1476
1477const value_string tls_signature_algorithm[] = {
1478 { 0, "Anonymous" },
1479 { 1, "RSA" },
1480 { 2, "DSA" },
1481 { 3, "ECDSA" },
1482#if 0
1483 /* As above. */
1484 { 7, "ED25519" },
1485 { 8, "ED448" },
1486 { 64, "GOSTR34102012_256" },
1487 { 65, "GOSTR34102012_512" },
1488#endif
1489 { 0, NULL((void*)0) }
1490};
1491
1492/* RFC 8446 Section 4.2.3 */
1493const value_string tls13_signature_algorithm[] = {
1494 { 0x0201, "rsa_pkcs1_sha1" },
1495 { 0x0203, "ecdsa_sha1" },
1496 { 0x0401, "rsa_pkcs1_sha256" },
1497 { 0x0403, "ecdsa_secp256r1_sha256" },
1498 { 0x0420, "rsa_pkcs1_sha256_legacy" }, /* draft-davidben-tls13-pkcs1-01 */
1499 { 0x0501, "rsa_pkcs1_sha384" },
1500 { 0x0503, "ecdsa_secp384r1_sha384" },
1501 { 0x0520, "rsa_pkcs1_sha384_legacy" }, /* draft-davidben-tls13-pkcs1-01 */
1502 { 0x0601, "rsa_pkcs1_sha512" },
1503 { 0x0603, "ecdsa_secp521r1_sha512" },
1504 { 0x0620, "rsa_pkcs1_sha512_legacy" }, /* draft-davidben-tls13-pkcs1-01 */
1505 { 0x0708, "sm2sig_sm3" },
1506 { 0x0709, "gostr34102012_256a" }, /* RFC9367 */
1507 { 0x070a, "gostr34102012_256b" }, /* RFC9367 */
1508 { 0x070b, "gostr34102012_256c" }, /* RFC9367 */
1509 { 0x070c, "gostr34102012_256d" }, /* RFC9367 */
1510 { 0x070d, "gostr34102012_512a" }, /* RFC9367 */
1511 { 0x070e, "gostr34102012_512b" }, /* RFC9367 */
1512 { 0x070f, "gostr34102012_512c" }, /* RFC9367 */
1513 { 0x0804, "rsa_pss_rsae_sha256" },
1514 { 0x0805, "rsa_pss_rsae_sha384" },
1515 { 0x0806, "rsa_pss_rsae_sha512" },
1516 { 0x0807, "ed25519" },
1517 { 0x0808, "ed448" },
1518 { 0x0809, "rsa_pss_pss_sha256" },
1519 { 0x080a, "rsa_pss_pss_sha384" },
1520 { 0x080b, "rsa_pss_pss_sha512" },
1521 { 0x081a, "ecdsa_brainpoolP256r1tls13_sha256" }, /* RFC8734 */
1522 { 0x081b, "ecdsa_brainpoolP384r1tls13_sha384" }, /* RFC8734 */
1523 { 0x081c, "ecdsa_brainpoolP512r1tls13_sha512" }, /* RFC8734 */
1524 /* PQC digital signature algorithms from OQS-OpenSSL,
1525 see https://github.com/open-quantum-safe/openssl/blob/OQS-OpenSSL_1_1_1-stable/oqs-template/oqs-sig-info.md */
1526 { 0xfea0, "dilithium2" },
1527 { 0xfea1, "p256_dilithium2" },
1528 { 0xfea2, "rsa3072_dilithium2" },
1529 { 0xfea3, "dilithium3" },
1530 { 0xfea4, "p384_dilithium3" },
1531 { 0xfea5, "dilithium5" },
1532 { 0xfea6, "p521_dilithium5" },
1533 { 0xfea7, "dilithium2_aes" },
1534 { 0xfea8, "p256_dilithium2_aes" },
1535 { 0xfea9, "rsa3072_dilithium2_aes" },
1536 { 0xfeaa, "dilithium3_aes" },
1537 { 0xfeab, "p384_dilithium3_aes" },
1538 { 0xfeac, "dilithium5_aes" },
1539 { 0xfead, "p521_dilithium5_aes" },
1540 { 0xfe0b, "falcon512" },
1541 { 0xfe0c, "p256_falcon512" },
1542 { 0xfe0d, "rsa3072_falcon512" },
1543 { 0xfe0e, "falcon1024" },
1544 { 0xfe0f, "p521_falcon1024" },
1545 { 0xfe96, "picnicl1full" },
1546 { 0xfe97, "p256_picnicl1full" },
1547 { 0xfe98, "rsa3072_picnicl1full" },
1548 { 0xfe1b, "picnic3l1" },
1549 { 0xfe1c, "p256_picnic3l1" },
1550 { 0xfe1d, "rsa3072_picnic3l1" },
1551 { 0xfe27, "rainbowIclassic" },
1552 { 0xfe28, "p256_rainbowIclassic" },
1553 { 0xfe29, "rsa3072_rainbowIclassic" },
1554 { 0xfe3c, "rainbowVclassic" },
1555 { 0xfe3d, "p521_rainbowVclassic" },
1556 { 0xfe42, "sphincsharaka128frobust" },
1557 { 0xfe43, "p256_sphincsharaka128frobust" },
1558 { 0xfe44, "rsa3072_sphincsharaka128frobust" },
1559 { 0xfe5e, "sphincssha256128frobust" },
1560 { 0xfe5f, "p256_sphincssha256128frobust" },
1561 { 0xfe60, "rsa3072_sphincssha256128frobust" },
1562 { 0xfe7a, "sphincsshake256128frobust" },
1563 { 0xfe7b, "p256_sphincsshake256128frobust" },
1564 { 0xfe7c, "rsa3072_sphincsshake256128frobust" },
1565 { 0, NULL((void*)0) }
1566};
1567
1568/* RFC 6091 3.1 */
1569const value_string tls_certificate_type[] = {
1570 { 0, "X.509" },
1571 { 1, "OpenPGP" },
1572 { SSL_HND_CERT_TYPE_RAW_PUBLIC_KEY2, "Raw Public Key" }, /* RFC 7250 */
1573 { 0, NULL((void*)0) }
1574};
1575
1576const value_string tls_cert_chain_type[] = {
1577 { SSL_HND_CERT_URL_TYPE_INDIVIDUAL_CERT1, "Individual Certificates" },
1578 { SSL_HND_CERT_URL_TYPE_PKIPATH2, "PKI Path" },
1579 { 0, NULL((void*)0) }
1580};
1581
1582const value_string tls_cert_status_type[] = {
1583 { SSL_HND_CERT_STATUS_TYPE_OCSP1, "OCSP" },
1584 { SSL_HND_CERT_STATUS_TYPE_OCSP_MULTI2, "OCSP Multi" },
1585 { 0, NULL((void*)0) }
1586};
1587
1588/* Generated by tools/make-tls-ct-logids.py
1589 * Last-Modified Sat, 05 Oct 2024 13:48:00 GMT, 165 entries. */
1590static const bytes_string ct_logids[] = {
1591 { (const uint8_t[]){
1592 0xb2, 0x1e, 0x05, 0xcc, 0x8b, 0xa2, 0xcd, 0x8a, 0x20, 0x4e, 0x87,
1593 0x66, 0xf9, 0x2b, 0xb9, 0x8a, 0x25, 0x20, 0x67, 0x6b, 0xda, 0xfa,
1594 0x70, 0xe7, 0xb2, 0x49, 0x53, 0x2d, 0xef, 0x8b, 0x90, 0x5e,
1595 },
1596 32, "Google 'Argon2020' log" },
1597 { (const uint8_t[]){
1598 0xf6, 0x5c, 0x94, 0x2f, 0xd1, 0x77, 0x30, 0x22, 0x14, 0x54, 0x18,
1599 0x08, 0x30, 0x94, 0x56, 0x8e, 0xe3, 0x4d, 0x13, 0x19, 0x33, 0xbf,
1600 0xdf, 0x0c, 0x2f, 0x20, 0x0b, 0xcc, 0x4e, 0xf1, 0x64, 0xe3,
1601 },
1602 32, "Google 'Argon2021' log" },
1603 { (const uint8_t[]){
1604 0x29, 0x79, 0xbe, 0xf0, 0x9e, 0x39, 0x39, 0x21, 0xf0, 0x56, 0x73,
1605 0x9f, 0x63, 0xa5, 0x77, 0xe5, 0xbe, 0x57, 0x7d, 0x9c, 0x60, 0x0a,
1606 0xf8, 0xf9, 0x4d, 0x5d, 0x26, 0x5c, 0x25, 0x5d, 0xc7, 0x84,
1607 },
1608 32, "Google 'Argon2022' log" },
1609 { (const uint8_t[]){
1610 0xe8, 0x3e, 0xd0, 0xda, 0x3e, 0xf5, 0x06, 0x35, 0x32, 0xe7, 0x57,
1611 0x28, 0xbc, 0x89, 0x6b, 0xc9, 0x03, 0xd3, 0xcb, 0xd1, 0x11, 0x6b,
1612 0xec, 0xeb, 0x69, 0xe1, 0x77, 0x7d, 0x6d, 0x06, 0xbd, 0x6e,
1613 },
1614 32, "Google 'Argon2023' log" },
1615 { (const uint8_t[]){
1616 0xee, 0xcd, 0xd0, 0x64, 0xd5, 0xdb, 0x1a, 0xce, 0xc5, 0x5c, 0xb7,
1617 0x9d, 0xb4, 0xcd, 0x13, 0xa2, 0x32, 0x87, 0x46, 0x7c, 0xbc, 0xec,
1618 0xde, 0xc3, 0x51, 0x48, 0x59, 0x46, 0x71, 0x1f, 0xb5, 0x9b,
1619 },
1620 32, "Google 'Argon2024' log" },
1621 { (const uint8_t[]){
1622 0x4e, 0x75, 0xa3, 0x27, 0x5c, 0x9a, 0x10, 0xc3, 0x38, 0x5b, 0x6c,
1623 0xd4, 0xdf, 0x3f, 0x52, 0xeb, 0x1d, 0xf0, 0xe0, 0x8e, 0x1b, 0x8d,
1624 0x69, 0xc0, 0xb1, 0xfa, 0x64, 0xb1, 0x62, 0x9a, 0x39, 0xdf,
1625 },
1626 32, "Google 'Argon2025h1' log" },
1627 { (const uint8_t[]){
1628 0x12, 0xf1, 0x4e, 0x34, 0xbd, 0x53, 0x72, 0x4c, 0x84, 0x06, 0x19,
1629 0xc3, 0x8f, 0x3f, 0x7a, 0x13, 0xf8, 0xe7, 0xb5, 0x62, 0x87, 0x88,
1630 0x9c, 0x6d, 0x30, 0x05, 0x84, 0xeb, 0xe5, 0x86, 0x26, 0x3a,
1631 },
1632 32, "Google 'Argon2025h2' log" },
1633 { (const uint8_t[]){
1634 0x0e, 0x57, 0x94, 0xbc, 0xf3, 0xae, 0xa9, 0x3e, 0x33, 0x1b, 0x2c,
1635 0x99, 0x07, 0xb3, 0xf7, 0x90, 0xdf, 0x9b, 0xc2, 0x3d, 0x71, 0x32,
1636 0x25, 0xdd, 0x21, 0xa9, 0x25, 0xac, 0x61, 0xc5, 0x4e, 0x21,
1637 },
1638 32, "Google 'Argon2026h1' log" },
1639 { (const uint8_t[]){
1640 0xd7, 0x6d, 0x7d, 0x10, 0xd1, 0xa7, 0xf5, 0x77, 0xc2, 0xc7, 0xe9,
1641 0x5f, 0xd7, 0x00, 0xbf, 0xf9, 0x82, 0xc9, 0x33, 0x5a, 0x65, 0xe1,
1642 0xd0, 0xb3, 0x01, 0x73, 0x17, 0xc0, 0xc8, 0xc5, 0x69, 0x77,
1643 },
1644 32, "Google 'Argon2026h2' log" },
1645 { (const uint8_t[]){
1646 0x07, 0xb7, 0x5c, 0x1b, 0xe5, 0x7d, 0x68, 0xff, 0xf1, 0xb0, 0xc6,
1647 0x1d, 0x23, 0x15, 0xc7, 0xba, 0xe6, 0x57, 0x7c, 0x57, 0x94, 0xb7,
1648 0x6a, 0xee, 0xbc, 0x61, 0x3a, 0x1a, 0x69, 0xd3, 0xa2, 0x1c,
1649 },
1650 32, "Google 'Xenon2020' log" },
1651 { (const uint8_t[]){
1652 0x7d, 0x3e, 0xf2, 0xf8, 0x8f, 0xff, 0x88, 0x55, 0x68, 0x24, 0xc2,
1653 0xc0, 0xca, 0x9e, 0x52, 0x89, 0x79, 0x2b, 0xc5, 0x0e, 0x78, 0x09,
1654 0x7f, 0x2e, 0x6a, 0x97, 0x68, 0x99, 0x7e, 0x22, 0xf0, 0xd7,
1655 },
1656 32, "Google 'Xenon2021' log" },
1657 { (const uint8_t[]){
1658 0x46, 0xa5, 0x55, 0xeb, 0x75, 0xfa, 0x91, 0x20, 0x30, 0xb5, 0xa2,
1659 0x89, 0x69, 0xf4, 0xf3, 0x7d, 0x11, 0x2c, 0x41, 0x74, 0xbe, 0xfd,
1660 0x49, 0xb8, 0x85, 0xab, 0xf2, 0xfc, 0x70, 0xfe, 0x6d, 0x47,
1661 },
1662 32, "Google 'Xenon2022' log" },
1663 { (const uint8_t[]){
1664 0xad, 0xf7, 0xbe, 0xfa, 0x7c, 0xff, 0x10, 0xc8, 0x8b, 0x9d, 0x3d,
1665 0x9c, 0x1e, 0x3e, 0x18, 0x6a, 0xb4, 0x67, 0x29, 0x5d, 0xcf, 0xb1,
1666 0x0c, 0x24, 0xca, 0x85, 0x86, 0x34, 0xeb, 0xdc, 0x82, 0x8a,
1667 },
1668 32, "Google 'Xenon2023' log" },
1669 { (const uint8_t[]){
1670 0x76, 0xff, 0x88, 0x3f, 0x0a, 0xb6, 0xfb, 0x95, 0x51, 0xc2, 0x61,
1671 0xcc, 0xf5, 0x87, 0xba, 0x34, 0xb4, 0xa4, 0xcd, 0xbb, 0x29, 0xdc,
1672 0x68, 0x42, 0x0a, 0x9f, 0xe6, 0x67, 0x4c, 0x5a, 0x3a, 0x74,
1673 },
1674 32, "Google 'Xenon2024' log" },
1675 { (const uint8_t[]){
1676 0xcf, 0x11, 0x56, 0xee, 0xd5, 0x2e, 0x7c, 0xaf, 0xf3, 0x87, 0x5b,
1677 0xd9, 0x69, 0x2e, 0x9b, 0xe9, 0x1a, 0x71, 0x67, 0x4a, 0xb0, 0x17,
1678 0xec, 0xac, 0x01, 0xd2, 0x5b, 0x77, 0xce, 0xcc, 0x3b, 0x08,
1679 },
1680 32, "Google 'Xenon2025h1' log" },
1681 { (const uint8_t[]){
1682 0xdd, 0xdc, 0xca, 0x34, 0x95, 0xd7, 0xe1, 0x16, 0x05, 0xe7, 0x95,
1683 0x32, 0xfa, 0xc7, 0x9f, 0xf8, 0x3d, 0x1c, 0x50, 0xdf, 0xdb, 0x00,
1684 0x3a, 0x14, 0x12, 0x76, 0x0a, 0x2c, 0xac, 0xbb, 0xc8, 0x2a,
1685 },
1686 32, "Google 'Xenon2025h2' log" },
1687 { (const uint8_t[]){
1688 0x96, 0x97, 0x64, 0xbf, 0x55, 0x58, 0x97, 0xad, 0xf7, 0x43, 0x87,
1689 0x68, 0x37, 0x08, 0x42, 0x77, 0xe9, 0xf0, 0x3a, 0xd5, 0xf6, 0xa4,
1690 0xf3, 0x36, 0x6e, 0x46, 0xa4, 0x3f, 0x0f, 0xca, 0xa9, 0xc6,
1691 },
1692 32, "Google 'Xenon2026h1' log" },
1693 { (const uint8_t[]){
1694 0xd8, 0x09, 0x55, 0x3b, 0x94, 0x4f, 0x7a, 0xff, 0xc8, 0x16, 0x19,
1695 0x6f, 0x94, 0x4f, 0x85, 0xab, 0xb0, 0xf8, 0xfc, 0x5e, 0x87, 0x55,
1696 0x26, 0x0f, 0x15, 0xd1, 0x2e, 0x72, 0xbb, 0x45, 0x4b, 0x14,
1697 },
1698 32, "Google 'Xenon2026h2' log" },
1699 { (const uint8_t[]){
1700 0x68, 0xf6, 0x98, 0xf8, 0x1f, 0x64, 0x82, 0xbe, 0x3a, 0x8c, 0xee,
1701 0xb9, 0x28, 0x1d, 0x4c, 0xfc, 0x71, 0x51, 0x5d, 0x67, 0x93, 0xd4,
1702 0x44, 0xd1, 0x0a, 0x67, 0xac, 0xbb, 0x4f, 0x4f, 0xfb, 0xc4,
1703 },
1704 32, "Google 'Aviator' log" },
1705 { (const uint8_t[]){
1706 0x29, 0x3c, 0x51, 0x96, 0x54, 0xc8, 0x39, 0x65, 0xba, 0xaa, 0x50,
1707 0xfc, 0x58, 0x07, 0xd4, 0xb7, 0x6f, 0xbf, 0x58, 0x7a, 0x29, 0x72,
1708 0xdc, 0xa4, 0xc3, 0x0c, 0xf4, 0xe5, 0x45, 0x47, 0xf4, 0x78,
1709 },
1710 32, "Google 'Icarus' log" },
1711 { (const uint8_t[]){
1712 0xa4, 0xb9, 0x09, 0x90, 0xb4, 0x18, 0x58, 0x14, 0x87, 0xbb, 0x13,
1713 0xa2, 0xcc, 0x67, 0x70, 0x0a, 0x3c, 0x35, 0x98, 0x04, 0xf9, 0x1b,
1714 0xdf, 0xb8, 0xe3, 0x77, 0xcd, 0x0e, 0xc8, 0x0d, 0xdc, 0x10,
1715 },
1716 32, "Google 'Pilot' log" },
1717 { (const uint8_t[]){
1718 0xee, 0x4b, 0xbd, 0xb7, 0x75, 0xce, 0x60, 0xba, 0xe1, 0x42, 0x69,
1719 0x1f, 0xab, 0xe1, 0x9e, 0x66, 0xa3, 0x0f, 0x7e, 0x5f, 0xb0, 0x72,
1720 0xd8, 0x83, 0x00, 0xc4, 0x7b, 0x89, 0x7a, 0xa8, 0xfd, 0xcb,
1721 },
1722 32, "Google 'Rocketeer' log" },
1723 { (const uint8_t[]){
1724 0xbb, 0xd9, 0xdf, 0xbc, 0x1f, 0x8a, 0x71, 0xb5, 0x93, 0x94, 0x23,
1725 0x97, 0xaa, 0x92, 0x7b, 0x47, 0x38, 0x57, 0x95, 0x0a, 0xab, 0x52,
1726 0xe8, 0x1a, 0x90, 0x96, 0x64, 0x36, 0x8e, 0x1e, 0xd1, 0x85,
1727 },
1728 32, "Google 'Skydiver' log" },
1729 { (const uint8_t[]){
1730 0xfa, 0xd4, 0xc9, 0x7c, 0xc4, 0x9e, 0xe2, 0xf8, 0xac, 0x85, 0xc5,
1731 0xea, 0x5c, 0xea, 0x09, 0xd0, 0x22, 0x0d, 0xbb, 0xf4, 0xe4, 0x9c,
1732 0x6b, 0x50, 0x66, 0x2f, 0xf8, 0x68, 0xf8, 0x6b, 0x8c, 0x28,
1733 },
1734 32, "Google 'Argon2017' log" },
1735 { (const uint8_t[]){
1736 0xa4, 0x50, 0x12, 0x69, 0x05, 0x5a, 0x15, 0x54, 0x5e, 0x62, 0x11,
1737 0xab, 0x37, 0xbc, 0x10, 0x3f, 0x62, 0xae, 0x55, 0x76, 0xa4, 0x5e,
1738 0x4b, 0x17, 0x14, 0x45, 0x3e, 0x1b, 0x22, 0x10, 0x6a, 0x25,
1739 },
1740 32, "Google 'Argon2018' log" },
1741 { (const uint8_t[]){
1742 0x63, 0xf2, 0xdb, 0xcd, 0xe8, 0x3b, 0xcc, 0x2c, 0xcf, 0x0b, 0x72,
1743 0x84, 0x27, 0x57, 0x6b, 0x33, 0xa4, 0x8d, 0x61, 0x77, 0x8f, 0xbd,
1744 0x75, 0xa6, 0x38, 0xb1, 0xc7, 0x68, 0x54, 0x4b, 0xd8, 0x8d,
1745 },
1746 32, "Google 'Argon2019' log" },
1747 { (const uint8_t[]){
1748 0xb1, 0x0c, 0xd5, 0x59, 0xa6, 0xd6, 0x78, 0x46, 0x81, 0x1f, 0x7d,
1749 0xf9, 0xa5, 0x15, 0x32, 0x73, 0x9a, 0xc4, 0x8d, 0x70, 0x3b, 0xea,
1750 0x03, 0x23, 0xda, 0x5d, 0x38, 0x75, 0x5b, 0xc0, 0xad, 0x4e,
1751 },
1752 32, "Google 'Xenon2018' log" },
1753 { (const uint8_t[]){
1754 0x08, 0x41, 0x14, 0x98, 0x00, 0x71, 0x53, 0x2c, 0x16, 0x19, 0x04,
1755 0x60, 0xbc, 0xfc, 0x47, 0xfd, 0xc2, 0x65, 0x3a, 0xfa, 0x29, 0x2c,
1756 0x72, 0xb3, 0x7f, 0xf8, 0x63, 0xae, 0x29, 0xcc, 0xc9, 0xf0,
1757 },
1758 32, "Google 'Xenon2019' log" },
1759 { (const uint8_t[]){
1760 0xa8, 0x99, 0xd8, 0x78, 0x0c, 0x92, 0x90, 0xaa, 0xf4, 0x62, 0xf3,
1761 0x18, 0x80, 0xcc, 0xfb, 0xd5, 0x24, 0x51, 0xe9, 0x70, 0xd0, 0xfb,
1762 0xf5, 0x91, 0xef, 0x75, 0xb0, 0xd9, 0x9b, 0x64, 0x56, 0x81,
1763 },
1764 32, "Google 'Submariner' log" },
1765 { (const uint8_t[]){
1766 0x1d, 0x02, 0x4b, 0x8e, 0xb1, 0x49, 0x8b, 0x34, 0x4d, 0xfd, 0x87,
1767 0xea, 0x3e, 0xfc, 0x09, 0x96, 0xf7, 0x50, 0x6f, 0x23, 0x5d, 0x1d,
1768 0x49, 0x70, 0x61, 0xa4, 0x77, 0x3c, 0x43, 0x9c, 0x25, 0xfb,
1769 },
1770 32, "Google 'Daedalus' log" },
1771 { (const uint8_t[]){
1772 0xb0, 0xcc, 0x83, 0xe5, 0xa5, 0xf9, 0x7d, 0x6b, 0xaf, 0x7c, 0x09,
1773 0xcc, 0x28, 0x49, 0x04, 0x87, 0x2a, 0xc7, 0xe8, 0x8b, 0x13, 0x2c,
1774 0x63, 0x50, 0xb7, 0xc6, 0xfd, 0x26, 0xe1, 0x6c, 0x6c, 0x77,
1775 },
1776 32, "Google 'Testtube' log" },
1777 { (const uint8_t[]){
1778 0xc3, 0xbf, 0x03, 0xa7, 0xe1, 0xca, 0x88, 0x41, 0xc6, 0x07, 0xba,
1779 0xe3, 0xff, 0x42, 0x70, 0xfc, 0xa5, 0xec, 0x45, 0xb1, 0x86, 0xeb,
1780 0xbe, 0x4e, 0x2c, 0xf3, 0xfc, 0x77, 0x86, 0x30, 0xf5, 0xf6,
1781 },
1782 32, "Google 'Crucible' log" },
1783 { (const uint8_t[]){
1784 0x52, 0xeb, 0x4b, 0x22, 0x5e, 0xc8, 0x96, 0x97, 0x48, 0x50, 0x67,
1785 0x5f, 0x23, 0xe4, 0x3b, 0xc1, 0xd0, 0x21, 0xe3, 0x21, 0x4c, 0xe5,
1786 0x2e, 0xcd, 0x5f, 0xa8, 0x7c, 0x20, 0x3c, 0xdf, 0xca, 0x03,
1787 },
1788 32, "Google 'Solera2018' log" },
1789 { (const uint8_t[]){
1790 0x0b, 0x76, 0x0e, 0x9a, 0x8b, 0x9a, 0x68, 0x2f, 0x88, 0x98, 0x5b,
1791 0x15, 0xe9, 0x47, 0x50, 0x1a, 0x56, 0x44, 0x6b, 0xba, 0x88, 0x30,
1792 0x78, 0x5c, 0x38, 0x42, 0x99, 0x43, 0x86, 0x45, 0x0c, 0x00,
1793 },
1794 32, "Google 'Solera2019' log" },
1795 { (const uint8_t[]){
1796 0x1f, 0xc7, 0x2c, 0xe5, 0xa1, 0xb7, 0x99, 0xf4, 0x00, 0xc3, 0x59,
1797 0xbf, 0xf9, 0x6c, 0xa3, 0x91, 0x35, 0x48, 0xe8, 0x64, 0x42, 0x20,
1798 0x61, 0x09, 0x52, 0xe9, 0xba, 0x17, 0x74, 0xf7, 0xba, 0xc7,
1799 },
1800 32, "Google 'Solera2020' log" },
1801 { (const uint8_t[]){
1802 0xa3, 0xc9, 0x98, 0x45, 0xe8, 0x0a, 0xb7, 0xce, 0x00, 0x15, 0x7b,
1803 0x37, 0x42, 0xdf, 0x02, 0x07, 0xdd, 0x27, 0x2b, 0x2b, 0x60, 0x2e,
1804 0xcf, 0x98, 0xee, 0x2c, 0x12, 0xdb, 0x9c, 0x5a, 0xe7, 0xe7,
1805 },
1806 32, "Google 'Solera2021' log" },
1807 { (const uint8_t[]){
1808 0x69, 0x7a, 0xaf, 0xca, 0x1a, 0x6b, 0x53, 0x6f, 0xae, 0x21, 0x20,
1809 0x50, 0x46, 0xde, 0xba, 0xd7, 0xe0, 0xea, 0xea, 0x13, 0xd2, 0x43,
1810 0x2e, 0x6e, 0x9d, 0x8f, 0xb3, 0x79, 0xf2, 0xb9, 0xaa, 0xf3,
1811 },
1812 32, "Google 'Solera2022' log" },
1813 { (const uint8_t[]){
1814 0xf9, 0x7e, 0x97, 0xb8, 0xd3, 0x3e, 0xf7, 0xa1, 0x59, 0x02, 0xa5,
1815 0x3a, 0x19, 0xe1, 0x79, 0x90, 0xe5, 0xdc, 0x40, 0x6a, 0x03, 0x18,
1816 0x25, 0xba, 0xad, 0x93, 0xe9, 0x8f, 0x9b, 0x9c, 0x69, 0xcb,
1817 },
1818 32, "Google 'Solera2023' log" },
1819 { (const uint8_t[]){
1820 0x30, 0x24, 0xce, 0x7e, 0xeb, 0x16, 0x88, 0x62, 0x72, 0x4b, 0xea,
1821 0x70, 0x2e, 0xff, 0xf9, 0x92, 0xcf, 0xe4, 0x56, 0x43, 0x41, 0x91,
1822 0xaa, 0x59, 0x5b, 0x25, 0xf8, 0x02, 0x26, 0xc8, 0x00, 0x17,
1823 },
1824 32, "Google 'Solera2024' log" },
1825 { (const uint8_t[]){
1826 0x3f, 0xe1, 0xcb, 0x46, 0xed, 0x47, 0x35, 0x79, 0xaf, 0x01, 0x41,
1827 0xf9, 0x72, 0x4d, 0x9d, 0xc4, 0x43, 0x47, 0x2d, 0x75, 0x6e, 0x85,
1828 0xe7, 0x71, 0x9c, 0x55, 0x82, 0x48, 0x5d, 0xd4, 0xe1, 0xe4,
1829 },
1830 32, "Google 'Solera2025h1' log" },
1831 { (const uint8_t[]){
1832 0x26, 0x02, 0x39, 0x48, 0x87, 0x4c, 0xf7, 0xfc, 0xd0, 0xfb, 0x64,
1833 0x71, 0xa4, 0x3e, 0x84, 0x7e, 0xbb, 0x20, 0x0a, 0xe6, 0xe2, 0xfa,
1834 0x24, 0x23, 0x6d, 0xf6, 0xd1, 0xa6, 0x06, 0x63, 0x0f, 0xb1,
1835 },
1836 32, "Google 'Solera2025h2' log" },
1837 { (const uint8_t[]){
1838 0xc8, 0x4b, 0x90, 0x7a, 0x07, 0xbe, 0xaa, 0x29, 0xa6, 0x14, 0xc2,
1839 0x45, 0x84, 0xb7, 0xa3, 0xf6, 0x62, 0x43, 0x94, 0x68, 0x7b, 0x25,
1840 0xfe, 0x62, 0x83, 0x8b, 0x71, 0xec, 0x42, 0x2a, 0xd2, 0xf9,
1841 },
1842 32, "Google 'Solera2026h1' log" },
1843 { (const uint8_t[]){
1844 0x62, 0xe9, 0x00, 0x60, 0x04, 0xa3, 0x07, 0x95, 0x5a, 0x75, 0x44,
1845 0xb4, 0xd5, 0x84, 0xa9, 0x62, 0x68, 0xca, 0x1d, 0x6e, 0x45, 0x85,
1846 0xad, 0xf0, 0x91, 0x6d, 0xfe, 0x5f, 0xdc, 0x1f, 0x04, 0xdb,
1847 },
1848 32, "Google 'Solera2026h2' log" },
1849 { (const uint8_t[]){
1850 0x5e, 0xa7, 0x73, 0xf9, 0xdf, 0x56, 0xc0, 0xe7, 0xb5, 0x36, 0x48,
1851 0x7d, 0xd0, 0x49, 0xe0, 0x32, 0x7a, 0x91, 0x9a, 0x0c, 0x84, 0xa1,
1852 0x12, 0x12, 0x84, 0x18, 0x75, 0x96, 0x81, 0x71, 0x45, 0x58,
1853 },
1854 32, "Cloudflare 'Nimbus2020' Log" },
1855 { (const uint8_t[]){
1856 0x44, 0x94, 0x65, 0x2e, 0xb0, 0xee, 0xce, 0xaf, 0xc4, 0x40, 0x07,
1857 0xd8, 0xa8, 0xfe, 0x28, 0xc0, 0xda, 0xe6, 0x82, 0xbe, 0xd8, 0xcb,
1858 0x31, 0xb5, 0x3f, 0xd3, 0x33, 0x96, 0xb5, 0xb6, 0x81, 0xa8,
1859 },
1860 32, "Cloudflare 'Nimbus2021' Log" },
1861 { (const uint8_t[]){
1862 0x41, 0xc8, 0xca, 0xb1, 0xdf, 0x22, 0x46, 0x4a, 0x10, 0xc6, 0xa1,
1863 0x3a, 0x09, 0x42, 0x87, 0x5e, 0x4e, 0x31, 0x8b, 0x1b, 0x03, 0xeb,
1864 0xeb, 0x4b, 0xc7, 0x68, 0xf0, 0x90, 0x62, 0x96, 0x06, 0xf6,
1865 },
1866 32, "Cloudflare 'Nimbus2022' Log" },
1867 { (const uint8_t[]){
1868 0x7a, 0x32, 0x8c, 0x54, 0xd8, 0xb7, 0x2d, 0xb6, 0x20, 0xea, 0x38,
1869 0xe0, 0x52, 0x1e, 0xe9, 0x84, 0x16, 0x70, 0x32, 0x13, 0x85, 0x4d,
1870 0x3b, 0xd2, 0x2b, 0xc1, 0x3a, 0x57, 0xa3, 0x52, 0xeb, 0x52,
1871 },
1872 32, "Cloudflare 'Nimbus2023' Log" },
1873 { (const uint8_t[]){
1874 0xda, 0xb6, 0xbf, 0x6b, 0x3f, 0xb5, 0xb6, 0x22, 0x9f, 0x9b, 0xc2,
1875 0xbb, 0x5c, 0x6b, 0xe8, 0x70, 0x91, 0x71, 0x6c, 0xbb, 0x51, 0x84,
1876 0x85, 0x34, 0xbd, 0xa4, 0x3d, 0x30, 0x48, 0xd7, 0xfb, 0xab,
1877 },
1878 32, "Cloudflare 'Nimbus2024' Log" },
1879 { (const uint8_t[]){
1880 0xcc, 0xfb, 0x0f, 0x6a, 0x85, 0x71, 0x09, 0x65, 0xfe, 0x95, 0x9b,
1881 0x53, 0xce, 0xe9, 0xb2, 0x7c, 0x22, 0xe9, 0x85, 0x5c, 0x0d, 0x97,
1882 0x8d, 0xb6, 0xa9, 0x7e, 0x54, 0xc0, 0xfe, 0x4c, 0x0d, 0xb0,
1883 },
1884 32, "Cloudflare 'Nimbus2025'" },
1885 { (const uint8_t[]){
1886 0xcb, 0x38, 0xf7, 0x15, 0x89, 0x7c, 0x84, 0xa1, 0x44, 0x5f, 0x5b,
1887 0xc1, 0xdd, 0xfb, 0xc9, 0x6e, 0xf2, 0x9a, 0x59, 0xcd, 0x47, 0x0a,
1888 0x69, 0x05, 0x85, 0xb0, 0xcb, 0x14, 0xc3, 0x14, 0x58, 0xe7,
1889 },
1890 32, "Cloudflare 'Nimbus2026'" },
1891 { (const uint8_t[]){
1892 0x1f, 0xbc, 0x36, 0xe0, 0x02, 0xed, 0xe9, 0x7f, 0x40, 0x19, 0x9e,
1893 0x86, 0xb3, 0x57, 0x3b, 0x8a, 0x42, 0x17, 0xd8, 0x01, 0x87, 0x74,
1894 0x6a, 0xd0, 0xda, 0x03, 0xa0, 0x60, 0x54, 0xd2, 0x0d, 0xf4,
1895 },
1896 32, "Cloudflare 'Nimbus2017' Log" },
1897 { (const uint8_t[]){
1898 0xdb, 0x74, 0xaf, 0xee, 0xcb, 0x29, 0xec, 0xb1, 0xfe, 0xca, 0x3e,
1899 0x71, 0x6d, 0x2c, 0xe5, 0xb9, 0xaa, 0xbb, 0x36, 0xf7, 0x84, 0x71,
1900 0x83, 0xc7, 0x5d, 0x9d, 0x4f, 0x37, 0xb6, 0x1f, 0xbf, 0x64,
1901 },
1902 32, "Cloudflare 'Nimbus2018' Log" },
1903 { (const uint8_t[]){
1904 0x74, 0x7e, 0xda, 0x83, 0x31, 0xad, 0x33, 0x10, 0x91, 0x21, 0x9c,
1905 0xce, 0x25, 0x4f, 0x42, 0x70, 0xc2, 0xbf, 0xfd, 0x5e, 0x42, 0x20,
1906 0x08, 0xc6, 0x37, 0x35, 0x79, 0xe6, 0x10, 0x7b, 0xcc, 0x56,
1907 },
1908 32, "Cloudflare 'Nimbus2019' Log" },
1909 { (const uint8_t[]){
1910 0x56, 0x14, 0x06, 0x9a, 0x2f, 0xd7, 0xc2, 0xec, 0xd3, 0xf5, 0xe1,
1911 0xbd, 0x44, 0xb2, 0x3e, 0xc7, 0x46, 0x76, 0xb9, 0xbc, 0x99, 0x11,
1912 0x5c, 0xc0, 0xef, 0x94, 0x98, 0x55, 0xd6, 0x89, 0xd0, 0xdd,
1913 },
1914 32, "DigiCert Log Server" },
1915 { (const uint8_t[]){
1916 0x87, 0x75, 0xbf, 0xe7, 0x59, 0x7c, 0xf8, 0x8c, 0x43, 0x99, 0x5f,
1917 0xbd, 0xf3, 0x6e, 0xff, 0x56, 0x8d, 0x47, 0x56, 0x36, 0xff, 0x4a,
1918 0xb5, 0x60, 0xc1, 0xb4, 0xea, 0xff, 0x5e, 0xa0, 0x83, 0x0f,
1919 },
1920 32, "DigiCert Log Server 2" },
1921 { (const uint8_t[]){
1922 0xf0, 0x95, 0xa4, 0x59, 0xf2, 0x00, 0xd1, 0x82, 0x40, 0x10, 0x2d,
1923 0x2f, 0x93, 0x88, 0x8e, 0xad, 0x4b, 0xfe, 0x1d, 0x47, 0xe3, 0x99,
1924 0xe1, 0xd0, 0x34, 0xa6, 0xb0, 0xa8, 0xaa, 0x8e, 0xb2, 0x73,
1925 },
1926 32, "DigiCert Yeti2020 Log" },
1927 { (const uint8_t[]){
1928 0x5c, 0xdc, 0x43, 0x92, 0xfe, 0xe6, 0xab, 0x45, 0x44, 0xb1, 0x5e,
1929 0x9a, 0xd4, 0x56, 0xe6, 0x10, 0x37, 0xfb, 0xd5, 0xfa, 0x47, 0xdc,
1930 0xa1, 0x73, 0x94, 0xb2, 0x5e, 0xe6, 0xf6, 0xc7, 0x0e, 0xca,
1931 },
1932 32, "DigiCert Yeti2021 Log" },
1933 { (const uint8_t[]){
1934 0x22, 0x45, 0x45, 0x07, 0x59, 0x55, 0x24, 0x56, 0x96, 0x3f, 0xa1,
1935 0x2f, 0xf1, 0xf7, 0x6d, 0x86, 0xe0, 0x23, 0x26, 0x63, 0xad, 0xc0,
1936 0x4b, 0x7f, 0x5d, 0xc6, 0x83, 0x5c, 0x6e, 0xe2, 0x0f, 0x02,
1937 },
1938 32, "DigiCert Yeti2022 Log" },
1939 { (const uint8_t[]){
1940 0x35, 0xcf, 0x19, 0x1b, 0xbf, 0xb1, 0x6c, 0x57, 0xbf, 0x0f, 0xad,
1941 0x4c, 0x6d, 0x42, 0xcb, 0xbb, 0xb6, 0x27, 0x20, 0x26, 0x51, 0xea,
1942 0x3f, 0xe1, 0x2a, 0xef, 0xa8, 0x03, 0xc3, 0x3b, 0xd6, 0x4c,
1943 },
1944 32, "DigiCert Yeti2023 Log" },
1945 { (const uint8_t[]){
1946 0x48, 0xb0, 0xe3, 0x6b, 0xda, 0xa6, 0x47, 0x34, 0x0f, 0xe5, 0x6a,
1947 0x02, 0xfa, 0x9d, 0x30, 0xeb, 0x1c, 0x52, 0x01, 0xcb, 0x56, 0xdd,
1948 0x2c, 0x81, 0xd9, 0xbb, 0xbf, 0xab, 0x39, 0xd8, 0x84, 0x73,
1949 },
1950 32, "DigiCert Yeti2024 Log" },
1951 { (const uint8_t[]){
1952 0x7d, 0x59, 0x1e, 0x12, 0xe1, 0x78, 0x2a, 0x7b, 0x1c, 0x61, 0x67,
1953 0x7c, 0x5e, 0xfd, 0xf8, 0xd0, 0x87, 0x5c, 0x14, 0xa0, 0x4e, 0x95,
1954 0x9e, 0xb9, 0x03, 0x2f, 0xd9, 0x0e, 0x8c, 0x2e, 0x79, 0xb8,
1955 },
1956 32, "DigiCert Yeti2025 Log" },
1957 { (const uint8_t[]){
1958 0xc6, 0x52, 0xa0, 0xec, 0x48, 0xce, 0xb3, 0xfc, 0xab, 0x17, 0x09,
1959 0x92, 0xc4, 0x3a, 0x87, 0x41, 0x33, 0x09, 0xe8, 0x00, 0x65, 0xa2,
1960 0x62, 0x52, 0x40, 0x1b, 0xa3, 0x36, 0x2a, 0x17, 0xc5, 0x65,
1961 },
1962 32, "DigiCert Nessie2020 Log" },
1963 { (const uint8_t[]){
1964 0xee, 0xc0, 0x95, 0xee, 0x8d, 0x72, 0x64, 0x0f, 0x92, 0xe3, 0xc3,
1965 0xb9, 0x1b, 0xc7, 0x12, 0xa3, 0x69, 0x6a, 0x09, 0x7b, 0x4b, 0x6a,
1966 0x1a, 0x14, 0x38, 0xe6, 0x47, 0xb2, 0xcb, 0xed, 0xc5, 0xf9,
1967 },
1968 32, "DigiCert Nessie2021 Log" },
1969 { (const uint8_t[]){
1970 0x51, 0xa3, 0xb0, 0xf5, 0xfd, 0x01, 0x79, 0x9c, 0x56, 0x6d, 0xb8,
1971 0x37, 0x78, 0x8f, 0x0c, 0xa4, 0x7a, 0xcc, 0x1b, 0x27, 0xcb, 0xf7,
1972 0x9e, 0x88, 0x42, 0x9a, 0x0d, 0xfe, 0xd4, 0x8b, 0x05, 0xe5,
1973 },
1974 32, "DigiCert Nessie2022 Log" },
1975 { (const uint8_t[]){
1976 0xb3, 0x73, 0x77, 0x07, 0xe1, 0x84, 0x50, 0xf8, 0x63, 0x86, 0xd6,
1977 0x05, 0xa9, 0xdc, 0x11, 0x09, 0x4a, 0x79, 0x2d, 0xb1, 0x67, 0x0c,
1978 0x0b, 0x87, 0xdc, 0xf0, 0x03, 0x0e, 0x79, 0x36, 0xa5, 0x9a,
1979 },
1980 32, "DigiCert Nessie2023 Log" },
1981 { (const uint8_t[]){
1982 0x73, 0xd9, 0x9e, 0x89, 0x1b, 0x4c, 0x96, 0x78, 0xa0, 0x20, 0x7d,
1983 0x47, 0x9d, 0xe6, 0xb2, 0xc6, 0x1c, 0xd0, 0x51, 0x5e, 0x71, 0x19,
1984 0x2a, 0x8c, 0x6b, 0x80, 0x10, 0x7a, 0xc1, 0x77, 0x72, 0xb5,
1985 },
1986 32, "DigiCert Nessie2024 Log" },
1987 { (const uint8_t[]){
1988 0xe6, 0xd2, 0x31, 0x63, 0x40, 0x77, 0x8c, 0xc1, 0x10, 0x41, 0x06,
1989 0xd7, 0x71, 0xb9, 0xce, 0xc1, 0xd2, 0x40, 0xf6, 0x96, 0x84, 0x86,
1990 0xfb, 0xba, 0x87, 0x32, 0x1d, 0xfd, 0x1e, 0x37, 0x8e, 0x50,
1991 },
1992 32, "DigiCert Nessie2025 Log" },
1993 { (const uint8_t[]){
1994 0xb6, 0x9d, 0xdc, 0xbc, 0x3c, 0x1a, 0xbd, 0xef, 0x6f, 0x9f, 0xd6,
1995 0x0c, 0x88, 0xb1, 0x06, 0x7b, 0x77, 0xf0, 0x82, 0x68, 0x8b, 0x2d,
1996 0x78, 0x65, 0xd0, 0x4b, 0x39, 0xab, 0xe9, 0x27, 0xa5, 0x75,
1997 },
1998 32, "DigiCert 'Wyvern2024h1' Log" },
1999 { (const uint8_t[]){
2000 0x0c, 0x2a, 0xef, 0x2c, 0x4a, 0x5b, 0x98, 0x83, 0xd4, 0xdd, 0xa3,
2001 0x82, 0xfe, 0x50, 0xfb, 0x51, 0x88, 0xb3, 0xe9, 0x73, 0x33, 0xa1,
2002 0xec, 0x53, 0xa0, 0x9d, 0xc9, 0xa7, 0x9d, 0x0d, 0x08, 0x20,
2003 },
2004 32, "DigiCert 'Wyvern2024h2' Log" },
2005 { (const uint8_t[]){
2006 0x73, 0x20, 0x22, 0x0f, 0x08, 0x16, 0x8a, 0xf9, 0xf3, 0xc4, 0xa6,
2007 0x8b, 0x0a, 0xb2, 0x6a, 0x9a, 0x4a, 0x00, 0xee, 0xf5, 0x77, 0x85,
2008 0x8a, 0x08, 0x4d, 0x05, 0x00, 0xd4, 0xa5, 0x42, 0x44, 0x59,
2009 },
2010 32, "DigiCert 'Wyvern2025h1' Log" },
2011 { (const uint8_t[]){
2012 0xed, 0x3c, 0x4b, 0xd6, 0xe8, 0x06, 0xc2, 0xa4, 0xa2, 0x00, 0x57,
2013 0xdb, 0xcb, 0x24, 0xe2, 0x38, 0x01, 0xdf, 0x51, 0x2f, 0xed, 0xc4,
2014 0x86, 0xc5, 0x70, 0x0f, 0x20, 0xdd, 0xb7, 0x3e, 0x3f, 0xe0,
2015 },
2016 32, "DigiCert 'Wyvern2025h2' Log" },
2017 { (const uint8_t[]){
2018 0x64, 0x11, 0xc4, 0x6c, 0xa4, 0x12, 0xec, 0xa7, 0x89, 0x1c, 0xa2,
2019 0x02, 0x2e, 0x00, 0xbc, 0xab, 0x4f, 0x28, 0x07, 0xd4, 0x1e, 0x35,
2020 0x27, 0xab, 0xea, 0xfe, 0xd5, 0x03, 0xc9, 0x7d, 0xcd, 0xf0,
2021 },
2022 32, "DigiCert 'Wyvern2026h1'" },
2023 { (const uint8_t[]){
2024 0xc2, 0x31, 0x7e, 0x57, 0x45, 0x19, 0xa3, 0x45, 0xee, 0x7f, 0x38,
2025 0xde, 0xb2, 0x90, 0x41, 0xeb, 0xc7, 0xc2, 0x21, 0x5a, 0x22, 0xbf,
2026 0x7f, 0xd5, 0xb5, 0xad, 0x76, 0x9a, 0xd9, 0x0e, 0x52, 0xcd,
2027 },
2028 32, "DigiCert 'Wyvern2026h2'" },
2029 { (const uint8_t[]){
2030 0xdb, 0x07, 0x6c, 0xde, 0x6a, 0x8b, 0x78, 0xec, 0x58, 0xd6, 0x05,
2031 0x64, 0x96, 0xeb, 0x6a, 0x26, 0xa8, 0xc5, 0x9e, 0x72, 0x12, 0x93,
2032 0xe8, 0xac, 0x03, 0x27, 0xdd, 0xde, 0x89, 0xdb, 0x5a, 0x2a,
2033 },
2034 32, "DigiCert 'Sphinx2024h1' Log" },
2035 { (const uint8_t[]){
2036 0xdc, 0xc9, 0x5e, 0x6f, 0xa2, 0x99, 0xb9, 0xb0, 0xfd, 0xbd, 0x6c,
2037 0xa6, 0xa3, 0x6e, 0x1d, 0x72, 0xc4, 0x21, 0x2f, 0xdd, 0x1e, 0x0f,
2038 0x47, 0x55, 0x3a, 0x36, 0xd6, 0xcf, 0x1a, 0xd1, 0x1d, 0x8d,
2039 },
2040 32, "DigiCert 'Sphinx2024h2' Log" },
2041 { (const uint8_t[]){
2042 0xde, 0x85, 0x81, 0xd7, 0x50, 0x24, 0x7c, 0x6b, 0xcd, 0xcb, 0xaf,
2043 0x56, 0x37, 0xc5, 0xe7, 0x81, 0xc6, 0x4c, 0xe4, 0x6e, 0xd6, 0x17,
2044 0x63, 0x9f, 0x8f, 0x34, 0xa7, 0x26, 0xc9, 0xe2, 0xbd, 0x37,
2045 },
2046 32, "DigiCert 'Sphinx2025h1' Log" },
2047 { (const uint8_t[]){
2048 0xa4, 0x42, 0xc5, 0x06, 0x49, 0x60, 0x61, 0x54, 0x8f, 0x0f, 0xd4,
2049 0xea, 0x9c, 0xfb, 0x7a, 0x2d, 0x26, 0x45, 0x4d, 0x87, 0xa9, 0x7f,
2050 0x2f, 0xdf, 0x45, 0x59, 0xf6, 0x27, 0x4f, 0x3a, 0x84, 0x54,
2051 },
2052 32, "DigiCert 'Sphinx2025h2' Log" },
2053 { (const uint8_t[]){
2054 0x49, 0x9c, 0x9b, 0x69, 0xde, 0x1d, 0x7c, 0xec, 0xfc, 0x36, 0xde,
2055 0xcd, 0x87, 0x64, 0xa6, 0xb8, 0x5b, 0xaf, 0x0a, 0x87, 0x80, 0x19,
2056 0xd1, 0x55, 0x52, 0xfb, 0xe9, 0xeb, 0x29, 0xdd, 0xf8, 0xc3,
2057 },
2058 32, "DigiCert 'Sphinx2026h1'" },
2059 { (const uint8_t[]){
2060 0x94, 0x4e, 0x43, 0x87, 0xfa, 0xec, 0xc1, 0xef, 0x81, 0xf3, 0x19,
2061 0x24, 0x26, 0xa8, 0x18, 0x65, 0x01, 0xc7, 0xd3, 0x5f, 0x38, 0x02,
2062 0x01, 0x3f, 0x72, 0x67, 0x7d, 0x55, 0x37, 0x2e, 0x19, 0xd8,
2063 },
2064 32, "DigiCert 'Sphinx2026h2'" },
2065 { (const uint8_t[]){
2066 0xdd, 0xeb, 0x1d, 0x2b, 0x7a, 0x0d, 0x4f, 0xa6, 0x20, 0x8b, 0x81,
2067 0xad, 0x81, 0x68, 0x70, 0x7e, 0x2e, 0x8e, 0x9d, 0x01, 0xd5, 0x5c,
2068 0x88, 0x8d, 0x3d, 0x11, 0xc4, 0xcd, 0xb6, 0xec, 0xbe, 0xcc,
2069 },
2070 32, "Symantec log" },
2071 { (const uint8_t[]){
2072 0xbc, 0x78, 0xe1, 0xdf, 0xc5, 0xf6, 0x3c, 0x68, 0x46, 0x49, 0x33,
2073 0x4d, 0xa1, 0x0f, 0xa1, 0x5f, 0x09, 0x79, 0x69, 0x20, 0x09, 0xc0,
2074 0x81, 0xb4, 0xf3, 0xf6, 0x91, 0x7f, 0x3e, 0xd9, 0xb8, 0xa5,
2075 },
2076 32, "Symantec 'Vega' log" },
2077 { (const uint8_t[]){
2078 0x15, 0x97, 0x04, 0x88, 0xd7, 0xb9, 0x97, 0xa0, 0x5b, 0xeb, 0x52,
2079 0x51, 0x2a, 0xde, 0xe8, 0xd2, 0xe8, 0xb4, 0xa3, 0x16, 0x52, 0x64,
2080 0x12, 0x1a, 0x9f, 0xab, 0xfb, 0xd5, 0xf8, 0x5a, 0xd9, 0x3f,
2081 },
2082 32, "Symantec 'Sirius' log" },
2083 { (const uint8_t[]){
2084 0x05, 0x9c, 0x01, 0xd3, 0x20, 0xe0, 0x07, 0x84, 0x13, 0x95, 0x80,
2085 0x49, 0x8d, 0x11, 0x7c, 0x90, 0x32, 0x66, 0xaf, 0xaf, 0x72, 0x50,
2086 0xb5, 0xaf, 0x3b, 0x46, 0xa4, 0x3e, 0x11, 0x84, 0x0d, 0x4a,
2087 },
2088 32, "DigiCert Yeti2022-2 Log" },
2089 { (const uint8_t[]){
2090 0xc1, 0x16, 0x4a, 0xe0, 0xa7, 0x72, 0xd2, 0xd4, 0x39, 0x2d, 0xc8,
2091 0x0a, 0xc1, 0x07, 0x70, 0xd4, 0xf0, 0xc4, 0x9b, 0xde, 0x99, 0x1a,
2092 0x48, 0x40, 0xc1, 0xfa, 0x07, 0x51, 0x64, 0xf6, 0x33, 0x60,
2093 },
2094 32, "DigiCert Yeti2018 Log" },
2095 { (const uint8_t[]){
2096 0xe2, 0x69, 0x4b, 0xae, 0x26, 0xe8, 0xe9, 0x40, 0x09, 0xe8, 0x86,
2097 0x1b, 0xb6, 0x3b, 0x83, 0xd4, 0x3e, 0xe7, 0xfe, 0x74, 0x88, 0xfb,
2098 0xa4, 0x8f, 0x28, 0x93, 0x01, 0x9d, 0xdd, 0xf1, 0xdb, 0xfe,
2099 },
2100 32, "DigiCert Yeti2019 Log" },
2101 { (const uint8_t[]){
2102 0x6f, 0xf1, 0x41, 0xb5, 0x64, 0x7e, 0x42, 0x22, 0xf7, 0xef, 0x05,
2103 0x2c, 0xef, 0xae, 0x7c, 0x21, 0xfd, 0x60, 0x8e, 0x27, 0xd2, 0xaf,
2104 0x5a, 0x6e, 0x9f, 0x4b, 0x8a, 0x37, 0xd6, 0x63, 0x3e, 0xe5,
2105 },
2106 32, "DigiCert Nessie2018 Log" },
2107 { (const uint8_t[]){
2108 0xfe, 0x44, 0x61, 0x08, 0xb1, 0xd0, 0x1a, 0xb7, 0x8a, 0x62, 0xcc,
2109 0xfe, 0xab, 0x6a, 0xb2, 0xb2, 0xba, 0xbf, 0xf3, 0xab, 0xda, 0xd8,
2110 0x0a, 0x4d, 0x8b, 0x30, 0xdf, 0x2d, 0x00, 0x08, 0x83, 0x0c,
2111 },
2112 32, "DigiCert Nessie2019 Log" },
2113 { (const uint8_t[]){
2114 0xa7, 0xce, 0x4a, 0x4e, 0x62, 0x07, 0xe0, 0xad, 0xde, 0xe5, 0xfd,
2115 0xaa, 0x4b, 0x1f, 0x86, 0x76, 0x87, 0x67, 0xb5, 0xd0, 0x02, 0xa5,
2116 0x5d, 0x47, 0x31, 0x0e, 0x7e, 0x67, 0x0a, 0x95, 0xea, 0xb2,
2117 },
2118 32, "Symantec Deneb" },
2119 { (const uint8_t[]){
2120 0xcd, 0xb5, 0x17, 0x9b, 0x7f, 0xc1, 0xc0, 0x46, 0xfe, 0xea, 0x31,
2121 0x13, 0x6a, 0x3f, 0x8f, 0x00, 0x2e, 0x61, 0x82, 0xfa, 0xf8, 0x89,
2122 0x6f, 0xec, 0xc8, 0xb2, 0xf5, 0xb5, 0xab, 0x60, 0x49, 0x00,
2123 },
2124 32, "Certly.IO log" },
2125 { (const uint8_t[]){
2126 0x74, 0x61, 0xb4, 0xa0, 0x9c, 0xfb, 0x3d, 0x41, 0xd7, 0x51, 0x59,
2127 0x57, 0x5b, 0x2e, 0x76, 0x49, 0xa4, 0x45, 0xa8, 0xd2, 0x77, 0x09,
2128 0xb0, 0xcc, 0x56, 0x4a, 0x64, 0x82, 0xb7, 0xeb, 0x41, 0xa3,
2129 },
2130 32, "Izenpe log" },
2131 { (const uint8_t[]){
2132 0x89, 0x41, 0x44, 0x9c, 0x70, 0x74, 0x2e, 0x06, 0xb9, 0xfc, 0x9c,
2133 0xe7, 0xb1, 0x16, 0xba, 0x00, 0x24, 0xaa, 0x36, 0xd5, 0x9a, 0xf4,
2134 0x4f, 0x02, 0x04, 0x40, 0x4f, 0x00, 0xf7, 0xea, 0x85, 0x66,
2135 },
2136 32, "Izenpe 'Argi' log" },
2137 { (const uint8_t[]){
2138 0x41, 0xb2, 0xdc, 0x2e, 0x89, 0xe6, 0x3c, 0xe4, 0xaf, 0x1b, 0xa7,
2139 0xbb, 0x29, 0xbf, 0x68, 0xc6, 0xde, 0xe6, 0xf9, 0xf1, 0xcc, 0x04,
2140 0x7e, 0x30, 0xdf, 0xfa, 0xe3, 0xb3, 0xba, 0x25, 0x92, 0x63,
2141 },
2142 32, "WoSign log" },
2143 { (const uint8_t[]){
2144 0x9e, 0x4f, 0xf7, 0x3d, 0xc3, 0xce, 0x22, 0x0b, 0x69, 0x21, 0x7c,
2145 0x89, 0x9e, 0x46, 0x80, 0x76, 0xab, 0xf8, 0xd7, 0x86, 0x36, 0xd5,
2146 0xcc, 0xfc, 0x85, 0xa3, 0x1a, 0x75, 0x62, 0x8b, 0xa8, 0x8b,
2147 },
2148 32, "WoSign CT log #1" },
2149 { (const uint8_t[]){
2150 0x63, 0xd0, 0x00, 0x60, 0x26, 0xdd, 0xe1, 0x0b, 0xb0, 0x60, 0x1f,
2151 0x45, 0x24, 0x46, 0x96, 0x5e, 0xe2, 0xb6, 0xea, 0x2c, 0xd4, 0xfb,
2152 0xc9, 0x5a, 0xc8, 0x66, 0xa5, 0x50, 0xaf, 0x90, 0x75, 0xb7,
2153 },
2154 32, "WoSign log 2" },
2155 { (const uint8_t[]){
2156 0xac, 0x3b, 0x9a, 0xed, 0x7f, 0xa9, 0x67, 0x47, 0x57, 0x15, 0x9e,
2157 0x6d, 0x7d, 0x57, 0x56, 0x72, 0xf9, 0xd9, 0x81, 0x00, 0x94, 0x1e,
2158 0x9b, 0xde, 0xff, 0xec, 0xa1, 0x31, 0x3b, 0x75, 0x78, 0x2d,
2159 },
2160 32, "Venafi log" },
2161 { (const uint8_t[]){
2162 0x03, 0x01, 0x9d, 0xf3, 0xfd, 0x85, 0xa6, 0x9a, 0x8e, 0xbd, 0x1f,
2163 0xac, 0xc6, 0xda, 0x9b, 0xa7, 0x3e, 0x46, 0x97, 0x74, 0xfe, 0x77,
2164 0xf5, 0x79, 0xfc, 0x5a, 0x08, 0xb8, 0x32, 0x8c, 0x1d, 0x6b,
2165 },
2166 32, "Venafi Gen2 CT log" },
2167 { (const uint8_t[]){
2168 0xa5, 0x77, 0xac, 0x9c, 0xed, 0x75, 0x48, 0xdd, 0x8f, 0x02, 0x5b,
2169 0x67, 0xa2, 0x41, 0x08, 0x9d, 0xf8, 0x6e, 0x0f, 0x47, 0x6e, 0xc2,
2170 0x03, 0xc2, 0xec, 0xbe, 0xdb, 0x18, 0x5f, 0x28, 0x26, 0x38,
2171 },
2172 32, "CNNIC CT log" },
2173 { (const uint8_t[]){
2174 0x34, 0xbb, 0x6a, 0xd6, 0xc3, 0xdf, 0x9c, 0x03, 0xee, 0xa8, 0xa4,
2175 0x99, 0xff, 0x78, 0x91, 0x48, 0x6c, 0x9d, 0x5e, 0x5c, 0xac, 0x92,
2176 0xd0, 0x1f, 0x7b, 0xfd, 0x1b, 0xce, 0x19, 0xdb, 0x48, 0xef,
2177 },
2178 32, "StartCom log" },
2179 { (const uint8_t[]){
2180 0x55, 0x81, 0xd4, 0xc2, 0x16, 0x90, 0x36, 0x01, 0x4a, 0xea, 0x0b,
2181 0x9b, 0x57, 0x3c, 0x53, 0xf0, 0xc0, 0xe4, 0x38, 0x78, 0x70, 0x25,
2182 0x08, 0x17, 0x2f, 0xa3, 0xaa, 0x1d, 0x07, 0x13, 0xd3, 0x0c,
2183 },
2184 32, "Sectigo 'Sabre' CT log" },
2185 { (const uint8_t[]){
2186 0xa2, 0xe2, 0xbf, 0xd6, 0x1e, 0xde, 0x2f, 0x2f, 0x07, 0xa0, 0xd6,
2187 0x4e, 0x6d, 0x37, 0xa7, 0xdc, 0x65, 0x43, 0xb0, 0xc6, 0xb5, 0x2e,
2188 0xa2, 0xda, 0xb7, 0x8a, 0xf8, 0x9a, 0x6d, 0xf5, 0x17, 0xd8,
2189 },
2190 32, "Sectigo 'Sabre2024h1'" },
2191 { (const uint8_t[]){
2192 0x19, 0x98, 0x10, 0x71, 0x09, 0xf0, 0xd6, 0x52, 0x2e, 0x30, 0x80,
2193 0xd2, 0x9e, 0x3f, 0x64, 0xbb, 0x83, 0x6e, 0x28, 0xcc, 0xf9, 0x0f,
2194 0x52, 0x8e, 0xee, 0xdf, 0xce, 0x4a, 0x3f, 0x16, 0xb4, 0xca,
2195 },
2196 32, "Sectigo 'Sabre2024h2'" },
2197 { (const uint8_t[]){
2198 0xe0, 0x92, 0xb3, 0xfc, 0x0c, 0x1d, 0xc8, 0xe7, 0x68, 0x36, 0x1f,
2199 0xde, 0x61, 0xb9, 0x96, 0x4d, 0x0a, 0x52, 0x78, 0x19, 0x8a, 0x72,
2200 0xd6, 0x72, 0xc4, 0xb0, 0x4d, 0xa5, 0x6d, 0x6f, 0x54, 0x04,
2201 },
2202 32, "Sectigo 'Sabre2025h1'" },
2203 { (const uint8_t[]){
2204 0x1a, 0x04, 0xff, 0x49, 0xd0, 0x54, 0x1d, 0x40, 0xaf, 0xf6, 0xa0,
2205 0xc3, 0xbf, 0xf1, 0xd8, 0xc4, 0x67, 0x2f, 0x4e, 0xec, 0xee, 0x23,
2206 0x40, 0x68, 0x98, 0x6b, 0x17, 0x40, 0x2e, 0xdc, 0x89, 0x7d,
2207 },
2208 32, "Sectigo 'Sabre2025h2'" },
2209 { (const uint8_t[]){
2210 0x6f, 0x53, 0x76, 0xac, 0x31, 0xf0, 0x31, 0x19, 0xd8, 0x99, 0x00,
2211 0xa4, 0x51, 0x15, 0xff, 0x77, 0x15, 0x1c, 0x11, 0xd9, 0x02, 0xc1,
2212 0x00, 0x29, 0x06, 0x8d, 0xb2, 0x08, 0x9a, 0x37, 0xd9, 0x13,
2213 },
2214 32, "Sectigo 'Mammoth' CT log" },
2215 { (const uint8_t[]){
2216 0x29, 0xd0, 0x3a, 0x1b, 0xb6, 0x74, 0xaa, 0x71, 0x1c, 0xd3, 0x03,
2217 0x5b, 0x65, 0x57, 0xc1, 0x4f, 0x8a, 0xa7, 0x8b, 0x4f, 0xe8, 0x38,
2218 0x94, 0x49, 0xec, 0xa4, 0x53, 0xf9, 0x44, 0xbd, 0x24, 0x68,
2219 },
2220 32, "Sectigo 'Mammoth2024h1'" },
2221 { (const uint8_t[]){
2222 0x50, 0x85, 0x01, 0x58, 0xdc, 0xb6, 0x05, 0x95, 0xc0, 0x0e, 0x92,
2223 0xa8, 0x11, 0x02, 0xec, 0xcd, 0xfe, 0x3f, 0x6b, 0x78, 0x58, 0x42,
2224 0x9f, 0x57, 0x98, 0x35, 0x38, 0xc9, 0xda, 0x52, 0x50, 0x63,
2225 },
2226 32, "Sectigo 'Mammoth2024h1b'" },
2227 { (const uint8_t[]){
2228 0xdf, 0xe1, 0x56, 0xeb, 0xaa, 0x05, 0xaf, 0xb5, 0x9c, 0x0f, 0x86,
2229 0x71, 0x8d, 0xa8, 0xc0, 0x32, 0x4e, 0xae, 0x56, 0xd9, 0x6e, 0xa7,
2230 0xf5, 0xa5, 0x6a, 0x01, 0xd1, 0xc1, 0x3b, 0xbe, 0x52, 0x5c,
2231 },
2232 32, "Sectigo 'Mammoth2024h2'" },
2233 { (const uint8_t[]){
2234 0x13, 0x4a, 0xdf, 0x1a, 0xb5, 0x98, 0x42, 0x09, 0x78, 0x0c, 0x6f,
2235 0xef, 0x4c, 0x7a, 0x91, 0xa4, 0x16, 0xb7, 0x23, 0x49, 0xce, 0x58,
2236 0x57, 0x6a, 0xdf, 0xae, 0xda, 0xa7, 0xc2, 0xab, 0xe0, 0x22,
2237 },
2238 32, "Sectigo 'Mammoth2025h1'" },
2239 { (const uint8_t[]){
2240 0xaf, 0x18, 0x1a, 0x28, 0xd6, 0x8c, 0xa3, 0xe0, 0xa9, 0x8a, 0x4c,
2241 0x9c, 0x67, 0xab, 0x09, 0xf8, 0xbb, 0xbc, 0x22, 0xba, 0xae, 0xbc,
2242 0xb1, 0x38, 0xa3, 0xa1, 0x9d, 0xd3, 0xf9, 0xb6, 0x03, 0x0d,
2243 },
2244 32, "Sectigo 'Mammoth2025h2'" },
2245 { (const uint8_t[]){
2246 0x25, 0x2f, 0x94, 0xc2, 0x2b, 0x29, 0xe9, 0x6e, 0x9f, 0x41, 0x1a,
2247 0x72, 0x07, 0x2b, 0x69, 0x5c, 0x5b, 0x52, 0xff, 0x97, 0xa9, 0x0d,
2248 0x25, 0x40, 0xbb, 0xfc, 0xdc, 0x51, 0xec, 0x4d, 0xee, 0x0b,
2249 },
2250 32, "Sectigo 'Mammoth2026h1'" },
2251 { (const uint8_t[]){
2252 0x94, 0xb1, 0xc1, 0x8a, 0xb0, 0xd0, 0x57, 0xc4, 0x7b, 0xe0, 0xac,
2253 0x04, 0x0e, 0x1f, 0x2c, 0xbc, 0x8d, 0xc3, 0x75, 0x72, 0x7b, 0xc9,
2254 0x51, 0xf2, 0x0a, 0x52, 0x61, 0x26, 0x86, 0x3b, 0xa7, 0x3c,
2255 },
2256 32, "Sectigo 'Mammoth2026h2'" },
2257 { (const uint8_t[]){
2258 0x56, 0x6c, 0xd5, 0xa3, 0x76, 0xbe, 0x83, 0xdf, 0xe3, 0x42, 0xb6,
2259 0x75, 0xc4, 0x9c, 0x23, 0x24, 0x98, 0xa7, 0x69, 0xba, 0xc3, 0x82,
2260 0xcb, 0xab, 0x49, 0xa3, 0x87, 0x7d, 0x9a, 0xb3, 0x2d, 0x01,
2261 },
2262 32, "Sectigo 'Sabre2026h1'" },
2263 { (const uint8_t[]){
2264 0x1f, 0x56, 0xd1, 0xab, 0x94, 0x70, 0x4a, 0x41, 0xdd, 0x3f, 0xea,
2265 0xfd, 0xf4, 0x69, 0x93, 0x55, 0x30, 0x2c, 0x14, 0x31, 0xbf, 0xe6,
2266 0x13, 0x46, 0x08, 0x9f, 0xff, 0xae, 0x79, 0x5d, 0xcc, 0x2f,
2267 },
2268 32, "Sectigo 'Sabre2026h2'" },
2269 { (const uint8_t[]){
2270 0xdb, 0x76, 0xfd, 0xad, 0xac, 0x65, 0xe7, 0xd0, 0x95, 0x08, 0x88,
2271 0x6e, 0x21, 0x59, 0xbd, 0x8b, 0x90, 0x35, 0x2f, 0x5f, 0xea, 0xd3,
2272 0xe3, 0xdc, 0x5e, 0x22, 0xeb, 0x35, 0x0a, 0xcc, 0x7b, 0x98,
2273 },
2274 32, "Sectigo 'Dodo' CT log" },
2275 { (const uint8_t[]){
2276 0xe7, 0x12, 0xf2, 0xb0, 0x37, 0x7e, 0x1a, 0x62, 0xfb, 0x8e, 0xc9,
2277 0x0c, 0x61, 0x84, 0xf1, 0xea, 0x7b, 0x37, 0xcb, 0x56, 0x1d, 0x11,
2278 0x26, 0x5b, 0xf3, 0xe0, 0xf3, 0x4b, 0xf2, 0x41, 0x54, 0x6e,
2279 },
2280 32, "Let's Encrypt 'Oak2020' log" },
2281 { (const uint8_t[]){
2282 0x94, 0x20, 0xbc, 0x1e, 0x8e, 0xd5, 0x8d, 0x6c, 0x88, 0x73, 0x1f,
2283 0x82, 0x8b, 0x22, 0x2c, 0x0d, 0xd1, 0xda, 0x4d, 0x5e, 0x6c, 0x4f,
2284 0x94, 0x3d, 0x61, 0xdb, 0x4e, 0x2f, 0x58, 0x4d, 0xa2, 0xc2,
2285 },
2286 32, "Let's Encrypt 'Oak2021' log" },
2287 { (const uint8_t[]){
2288 0xdf, 0xa5, 0x5e, 0xab, 0x68, 0x82, 0x4f, 0x1f, 0x6c, 0xad, 0xee,
2289 0xb8, 0x5f, 0x4e, 0x3e, 0x5a, 0xea, 0xcd, 0xa2, 0x12, 0xa4, 0x6a,
2290 0x5e, 0x8e, 0x3b, 0x12, 0xc0, 0x20, 0x44, 0x5c, 0x2a, 0x73,
2291 },
2292 32, "Let's Encrypt 'Oak2022' log" },
2293 { (const uint8_t[]){
2294 0xb7, 0x3e, 0xfb, 0x24, 0xdf, 0x9c, 0x4d, 0xba, 0x75, 0xf2, 0x39,
2295 0xc5, 0xba, 0x58, 0xf4, 0x6c, 0x5d, 0xfc, 0x42, 0xcf, 0x7a, 0x9f,
2296 0x35, 0xc4, 0x9e, 0x1d, 0x09, 0x81, 0x25, 0xed, 0xb4, 0x99,
2297 },
2298 32, "Let's Encrypt 'Oak2023' log" },
2299 { (const uint8_t[]){
2300 0x3b, 0x53, 0x77, 0x75, 0x3e, 0x2d, 0xb9, 0x80, 0x4e, 0x8b, 0x30,
2301 0x5b, 0x06, 0xfe, 0x40, 0x3b, 0x67, 0xd8, 0x4f, 0xc3, 0xf4, 0xc7,
2302 0xbd, 0x00, 0x0d, 0x2d, 0x72, 0x6f, 0xe1, 0xfa, 0xd4, 0x17,
2303 },
2304 32, "Let's Encrypt 'Oak2024H1' log" },
2305 { (const uint8_t[]){
2306 0x3f, 0x17, 0x4b, 0x4f, 0xd7, 0x22, 0x47, 0x58, 0x94, 0x1d, 0x65,
2307 0x1c, 0x84, 0xbe, 0x0d, 0x12, 0xed, 0x90, 0x37, 0x7f, 0x1f, 0x85,
2308 0x6a, 0xeb, 0xc1, 0xbf, 0x28, 0x85, 0xec, 0xf8, 0x64, 0x6e,
2309 },
2310 32, "Let's Encrypt 'Oak2024H2' log" },
2311 { (const uint8_t[]){
2312 0xa2, 0xe3, 0x0a, 0xe4, 0x45, 0xef, 0xbd, 0xad, 0x9b, 0x7e, 0x38,
2313 0xed, 0x47, 0x67, 0x77, 0x53, 0xd7, 0x82, 0x5b, 0x84, 0x94, 0xd7,
2314 0x2b, 0x5e, 0x1b, 0x2c, 0xc4, 0xb9, 0x50, 0xa4, 0x47, 0xe7,
2315 },
2316 32, "Let's Encrypt 'Oak2025h1'" },
2317 { (const uint8_t[]){
2318 0x0d, 0xe1, 0xf2, 0x30, 0x2b, 0xd3, 0x0d, 0xc1, 0x40, 0x62, 0x12,
2319 0x09, 0xea, 0x55, 0x2e, 0xfc, 0x47, 0x74, 0x7c, 0xb1, 0xd7, 0xe9,
2320 0x30, 0xef, 0x0e, 0x42, 0x1e, 0xb4, 0x7e, 0x4e, 0xaa, 0x34,
2321 },
2322 32, "Let's Encrypt 'Oak2025h2'" },
2323 { (const uint8_t[]){
2324 0x19, 0x86, 0xd4, 0xc7, 0x28, 0xaa, 0x6f, 0xfe, 0xba, 0x03, 0x6f,
2325 0x78, 0x2a, 0x4d, 0x01, 0x91, 0xaa, 0xce, 0x2d, 0x72, 0x31, 0x0f,
2326 0xae, 0xce, 0x5d, 0x70, 0x41, 0x2d, 0x25, 0x4c, 0xc7, 0xd4,
2327 },
2328 32, "Let's Encrypt 'Oak2026h1'" },
2329 { (const uint8_t[]){
2330 0xac, 0xab, 0x30, 0x70, 0x6c, 0xeb, 0xec, 0x84, 0x31, 0xf4, 0x13,
2331 0xd2, 0xf4, 0x91, 0x5f, 0x11, 0x1e, 0x42, 0x24, 0x43, 0xb1, 0xf2,
2332 0xa6, 0x8c, 0x4f, 0x3c, 0x2b, 0x3b, 0xa7, 0x1e, 0x02, 0xc3,
2333 },
2334 32, "Let's Encrypt 'Oak2026h2'" },
2335 { (const uint8_t[]){
2336 0x65, 0x9b, 0x33, 0x50, 0xf4, 0x3b, 0x12, 0xcc, 0x5e, 0xa5, 0xab,
2337 0x4e, 0xc7, 0x65, 0xd3, 0xfd, 0xe6, 0xc8, 0x82, 0x43, 0x77, 0x77,
2338 0x78, 0xe7, 0x20, 0x03, 0xf9, 0xeb, 0x2b, 0x8c, 0x31, 0x29,
2339 },
2340 32, "Let's Encrypt 'Oak2019' log" },
2341 { (const uint8_t[]){
2342 0x84, 0x9f, 0x5f, 0x7f, 0x58, 0xd2, 0xbf, 0x7b, 0x54, 0xec, 0xbd,
2343 0x74, 0x61, 0x1c, 0xea, 0x45, 0xc4, 0x9c, 0x98, 0xf1, 0xd6, 0x48,
2344 0x1b, 0xc6, 0xf6, 0x9e, 0x8c, 0x17, 0x4f, 0x24, 0xf3, 0xcf,
2345 },
2346 32, "Let's Encrypt 'Testflume2019' log" },
2347 { (const uint8_t[]){
2348 0x23, 0x2d, 0x41, 0xa4, 0xcd, 0xac, 0x87, 0xce, 0xd9, 0xf9, 0x43,
2349 0xf4, 0x68, 0xc2, 0x82, 0x09, 0x5a, 0xe0, 0x9d, 0x30, 0xd6, 0x2e,
2350 0x2f, 0xa6, 0x5d, 0xdc, 0x3b, 0x91, 0x9c, 0x2e, 0x46, 0x8f,
2351 },
2352 32, "Let's Encrypt 'Sapling 2022h2' log" },
2353 { (const uint8_t[]){
2354 0xc1, 0x83, 0x24, 0x0b, 0xf1, 0xa4, 0x50, 0xc7, 0x6f, 0xbb, 0x00,
2355 0x72, 0x69, 0xdc, 0xac, 0x3b, 0xe2, 0x2a, 0x48, 0x05, 0xd4, 0xdb,
2356 0xe0, 0x49, 0x66, 0xc3, 0xc8, 0xab, 0xc4, 0x47, 0xb0, 0x0c,
2357 },
2358 32, "Let's Encrypt 'Sapling 2023h1' log" },
2359 { (const uint8_t[]){
2360 0xc6, 0x3f, 0x22, 0x18, 0xc3, 0x7d, 0x56, 0xa6, 0xaa, 0x06, 0xb5,
2361 0x96, 0xda, 0x8e, 0x53, 0xd4, 0xd7, 0x15, 0x6d, 0x1e, 0x9b, 0xac,
2362 0x8e, 0x44, 0xd2, 0x20, 0x2d, 0xe6, 0x4d, 0x69, 0xd9, 0xdc,
2363 },
2364 32, "Let's Encrypt 'Testflume2020' log" },
2365 { (const uint8_t[]){
2366 0x03, 0xed, 0xf1, 0xda, 0x97, 0x76, 0xb6, 0xf3, 0x8c, 0x34, 0x1e,
2367 0x39, 0xed, 0x9d, 0x70, 0x7a, 0x75, 0x70, 0x36, 0x9c, 0xf9, 0x84,
2368 0x4f, 0x32, 0x7f, 0xe9, 0xe1, 0x41, 0x38, 0x36, 0x1b, 0x60,
2369 },
2370 32, "Let's Encrypt 'Testflume2021' log" },
2371 { (const uint8_t[]){
2372 0x23, 0x27, 0xef, 0xda, 0x35, 0x25, 0x10, 0xdb, 0xc0, 0x19, 0xef,
2373 0x49, 0x1a, 0xe3, 0xff, 0x1c, 0xc5, 0xa4, 0x79, 0xbc, 0xe3, 0x78,
2374 0x78, 0x36, 0x0e, 0xe3, 0x18, 0xcf, 0xfb, 0x64, 0xf8, 0xc8,
2375 },
2376 32, "Let's Encrypt 'Testflume2022' log" },
2377 { (const uint8_t[]){
2378 0x55, 0x34, 0xb7, 0xab, 0x5a, 0x6a, 0xc3, 0xa7, 0xcb, 0xeb, 0xa6,
2379 0x54, 0x87, 0xb2, 0xa2, 0xd7, 0x1b, 0x48, 0xf6, 0x50, 0xfa, 0x17,
2380 0xc5, 0x19, 0x7c, 0x97, 0xa0, 0xcb, 0x20, 0x76, 0xf3, 0xc6,
2381 },
2382 32, "Let's Encrypt 'Testflume2023' log" },
2383 { (const uint8_t[]){
2384 0x29, 0x6a, 0xfa, 0x2d, 0x56, 0x8b, 0xca, 0x0d, 0x2e, 0xa8, 0x44,
2385 0x95, 0x6a, 0xe9, 0x72, 0x1f, 0xc3, 0x5f, 0xa3, 0x55, 0xec, 0xda,
2386 0x99, 0x69, 0x3a, 0xaf, 0xd4, 0x58, 0xa7, 0x1a, 0xef, 0xdd,
2387 },
2388 32, "Let's Encrypt 'Clicky' log" },
2389 { (const uint8_t[]){
2390 0xa5, 0x95, 0x94, 0x3b, 0x53, 0x70, 0xbe, 0xe9, 0x06, 0xe0, 0x05,
2391 0x0d, 0x1f, 0xb5, 0xbb, 0xc6, 0xa4, 0x0e, 0x65, 0xf2, 0x65, 0xae,
2392 0x85, 0x2c, 0x76, 0x36, 0x3f, 0xad, 0xb2, 0x33, 0x36, 0xed,
2393 },
2394 32, "Trust Asia Log2020" },
2395 { (const uint8_t[]){
2396 0xa8, 0xdc, 0x52, 0xf6, 0x3d, 0x6b, 0x24, 0x25, 0xe5, 0x31, 0xe3,
2397 0x7c, 0xf4, 0xe4, 0x4a, 0x71, 0x4f, 0x14, 0x2a, 0x20, 0x80, 0x3b,
2398 0x0d, 0x04, 0xd2, 0xe2, 0xee, 0x06, 0x64, 0x79, 0x4a, 0x23,
2399 },
2400 32, "Trust Asia CT2021" },
2401 { (const uint8_t[]){
2402 0x67, 0x8d, 0xb6, 0x5b, 0x3e, 0x74, 0x43, 0xb6, 0xf3, 0xa3, 0x70,
2403 0xd5, 0xe1, 0x3a, 0xb1, 0xb4, 0x3b, 0xe0, 0xa0, 0xd3, 0x51, 0xf7,
2404 0xca, 0x74, 0x22, 0x50, 0xc7, 0xc6, 0xfa, 0x51, 0xa8, 0x8a,
2405 },
2406 32, "Trust Asia Log2021" },
2407 { (const uint8_t[]){
2408 0xc3, 0x65, 0xf9, 0xb3, 0x65, 0x4f, 0x32, 0x83, 0xc7, 0x9d, 0xa9,
2409 0x8e, 0x93, 0xd7, 0x41, 0x8f, 0x5b, 0xab, 0x7b, 0xe3, 0x25, 0x2c,
2410 0x98, 0xe1, 0xd2, 0xf0, 0x4b, 0xb9, 0xeb, 0x42, 0x7d, 0x23,
2411 },
2412 32, "Trust Asia Log2022" },
2413 { (const uint8_t[]){
2414 0xe8, 0x7e, 0xa7, 0x66, 0x0b, 0xc2, 0x6c, 0xf6, 0x00, 0x2e, 0xf5,
2415 0x72, 0x5d, 0x3f, 0xe0, 0xe3, 0x31, 0xb9, 0x39, 0x3b, 0xb9, 0x2f,
2416 0xbf, 0x58, 0xeb, 0x3b, 0x90, 0x49, 0xda, 0xf5, 0x43, 0x5a,
2417 },
2418 32, "Trust Asia Log2023" },
2419 { (const uint8_t[]){
2420 0x30, 0x6d, 0x29, 0x57, 0x6a, 0xd2, 0x1a, 0x9d, 0x4a, 0xe1, 0x2a,
2421 0xca, 0xd8, 0xaa, 0x8a, 0x78, 0x3a, 0xa6, 0x5a, 0x32, 0x11, 0x60,
2422 0xac, 0xff, 0x5b, 0x0e, 0xee, 0x4c, 0xa3, 0x20, 0x1d, 0x05,
2423 },
2424 32, "Trust Asia Log2024" },
2425 { (const uint8_t[]){
2426 0x87, 0x4f, 0xb5, 0x0d, 0xc0, 0x29, 0xd9, 0x93, 0x1d, 0xe5, 0x73,
2427 0xe9, 0xf2, 0x89, 0x9e, 0x8e, 0x45, 0x33, 0xb3, 0x92, 0xd3, 0x8b,
2428 0x0a, 0x46, 0x25, 0x74, 0xbf, 0x0f, 0xee, 0xb2, 0xfc, 0x1e,
2429 },
2430 32, "Trust Asia Log2024-2" },
2431 { (const uint8_t[]){
2432 0x28, 0xe2, 0x81, 0x38, 0xfd, 0x83, 0x21, 0x45, 0xe9, 0xa9, 0xd6,
2433 0xaa, 0x75, 0x37, 0x6d, 0x83, 0x77, 0xa8, 0x85, 0x12, 0xb3, 0xc0,
2434 0x7f, 0x72, 0x41, 0x48, 0x21, 0xdc, 0xbd, 0xe9, 0x8c, 0x66,
2435 },
2436 32, "TrustAsia Log2025a" },
2437 { (const uint8_t[]){
2438 0x28, 0x2c, 0x8b, 0xdd, 0x81, 0x0f, 0xf9, 0x09, 0x12, 0x0a, 0xce,
2439 0x16, 0xd6, 0xe0, 0xec, 0x20, 0x1b, 0xea, 0x82, 0xa3, 0xa4, 0xaf,
2440 0x19, 0xd9, 0xef, 0xfb, 0x59, 0xe8, 0x3f, 0xdc, 0x42, 0x68,
2441 },
2442 32, "TrustAsia Log2025b" },
2443 { (const uint8_t[]){
2444 0x74, 0xdb, 0x9d, 0x58, 0xf7, 0xd4, 0x7e, 0x9d, 0xfd, 0x78, 0x7a,
2445 0x16, 0x2a, 0x99, 0x1c, 0x18, 0xcf, 0x69, 0x8d, 0xa7, 0xc7, 0x29,
2446 0x91, 0x8c, 0x9a, 0x18, 0xb0, 0x45, 0x0d, 0xba, 0x44, 0xbc,
2447 },
2448 32, "TrustAsia 'log2026a'" },
2449 { (const uint8_t[]){
2450 0x25, 0xb7, 0xef, 0xde, 0xa1, 0x13, 0x01, 0x93, 0xed, 0x93, 0x07,
2451 0x97, 0x70, 0xaa, 0x32, 0x2a, 0x26, 0x62, 0x0d, 0xe3, 0x5a, 0xc8,
2452 0xaa, 0x7c, 0x75, 0x19, 0x7d, 0xe0, 0xb1, 0xa9, 0xe0, 0x65,
2453 },
2454 32, "TrustAsia 'log2026b'" },
2455 { (const uint8_t[]){
2456 0x45, 0x35, 0x94, 0x98, 0xd9, 0x3a, 0x89, 0xe0, 0x28, 0x03, 0x08,
2457 0xd3, 0x7d, 0x62, 0x6d, 0xc4, 0x23, 0x75, 0x47, 0x58, 0xdc, 0xe0,
2458 0x37, 0x00, 0x36, 0xfb, 0xab, 0x0e, 0xdf, 0x8a, 0x6b, 0xcf,
2459 },
2460 32, "Trust Asia Log1" },
2461 { (const uint8_t[]){
2462 0xc9, 0xcf, 0x89, 0x0a, 0x21, 0x10, 0x9c, 0x66, 0x6c, 0xc1, 0x7a,
2463 0x3e, 0xd0, 0x65, 0xc9, 0x30, 0xd0, 0xe0, 0x13, 0x5a, 0x9f, 0xeb,
2464 0xa8, 0x5a, 0xf1, 0x42, 0x10, 0xb8, 0x07, 0x24, 0x21, 0xaa,
2465 },
2466 32, "GDCA CT log #1" },
2467 { (const uint8_t[]){
2468 0x92, 0x4a, 0x30, 0xf9, 0x09, 0x33, 0x6f, 0xf4, 0x35, 0xd6, 0x99,
2469 0x3a, 0x10, 0xac, 0x75, 0xa2, 0xc6, 0x41, 0x72, 0x8e, 0x7f, 0xc2,
2470 0xd6, 0x59, 0xae, 0x61, 0x88, 0xff, 0xad, 0x40, 0xce, 0x01,
2471 },
2472 32, "GDCA CT log #2" },
2473 { (const uint8_t[]){
2474 0x71, 0x7e, 0xa7, 0x42, 0x09, 0x75, 0xbe, 0x84, 0xa2, 0x72, 0x35,
2475 0x53, 0xf1, 0x77, 0x7c, 0x26, 0xdd, 0x51, 0xaf, 0x4e, 0x10, 0x21,
2476 0x44, 0x09, 0x4d, 0x90, 0x19, 0xb4, 0x62, 0xfb, 0x66, 0x68,
2477 },
2478 32, "GDCA Log 1" },
2479 { (const uint8_t[]){
2480 0x14, 0x30, 0x8d, 0x90, 0xcc, 0xd0, 0x30, 0x13, 0x50, 0x05, 0xc0,
2481 0x1c, 0xa5, 0x26, 0xd8, 0x1e, 0x84, 0xe8, 0x76, 0x24, 0xe3, 0x9b,
2482 0x62, 0x48, 0xe0, 0x8f, 0x72, 0x4a, 0xea, 0x3b, 0xb4, 0x2a,
2483 },
2484 32, "GDCA Log 2" },
2485 { (const uint8_t[]){
2486 0xe0, 0x12, 0x76, 0x29, 0xe9, 0x04, 0x96, 0x56, 0x4e, 0x3d, 0x01,
2487 0x47, 0x98, 0x44, 0x98, 0xaa, 0x48, 0xf8, 0xad, 0xb1, 0x66, 0x00,
2488 0xeb, 0x79, 0x02, 0xa1, 0xef, 0x99, 0x09, 0x90, 0x62, 0x73,
2489 },
2490 32, "PuChuangSiDa CT log" },
2491 { (const uint8_t[]){
2492 0x53, 0x7b, 0x69, 0xa3, 0x56, 0x43, 0x35, 0xa9, 0xc0, 0x49, 0x04,
2493 0xe3, 0x95, 0x93, 0xb2, 0xc2, 0x98, 0xeb, 0x8d, 0x7a, 0x6e, 0x83,
2494 0x02, 0x36, 0x35, 0xc6, 0x27, 0x24, 0x8c, 0xd6, 0xb4, 0x40,
2495 },
2496 32, "Nordu 'flimsy' log" },
2497 { (const uint8_t[]){
2498 0xaa, 0xe7, 0x0b, 0x7f, 0x3c, 0xb8, 0xd5, 0x66, 0xc8, 0x6c, 0x2f,
2499 0x16, 0x97, 0x9c, 0x9f, 0x44, 0x5f, 0x69, 0xab, 0x0e, 0xb4, 0x53,
2500 0x55, 0x89, 0xb2, 0xf7, 0x7a, 0x03, 0x01, 0x04, 0xf3, 0xcd,
2501 },
2502 32, "Nordu 'plausible' log" },
2503 { (const uint8_t[]){
2504 0xcf, 0x55, 0xe2, 0x89, 0x23, 0x49, 0x7c, 0x34, 0x0d, 0x52, 0x06,
2505 0xd0, 0x53, 0x53, 0xae, 0xb2, 0x58, 0x34, 0xb5, 0x2f, 0x1f, 0x8d,
2506 0xc9, 0x52, 0x68, 0x09, 0xf2, 0x12, 0xef, 0xdd, 0x7c, 0xa6,
2507 },
2508 32, "SHECA CT log 1" },
2509 { (const uint8_t[]){
2510 0x32, 0xdc, 0x59, 0xc2, 0xd4, 0xc4, 0x19, 0x68, 0xd5, 0x6e, 0x14,
2511 0xbc, 0x61, 0xac, 0x8f, 0x0e, 0x45, 0xdb, 0x39, 0xfa, 0xf3, 0xc1,
2512 0x55, 0xaa, 0x42, 0x52, 0xf5, 0x00, 0x1f, 0xa0, 0xc6, 0x23,
2513 },
2514 32, "SHECA CT log 2" },
2515 { (const uint8_t[]){
2516 0x96, 0x06, 0xc0, 0x2c, 0x69, 0x00, 0x33, 0xaa, 0x1d, 0x14, 0x5f,
2517 0x59, 0xc6, 0xe2, 0x64, 0x8d, 0x05, 0x49, 0xf0, 0xdf, 0x96, 0xaa,
2518 0xb8, 0xdb, 0x91, 0x5a, 0x70, 0xd8, 0xec, 0xf3, 0x90, 0xa5,
2519 },
2520 32, "Akamai CT Log" },
2521 { (const uint8_t[]){
2522 0x39, 0x37, 0x6f, 0x54, 0x5f, 0x7b, 0x46, 0x07, 0xf5, 0x97, 0x42,
2523 0xd7, 0x68, 0xcd, 0x5d, 0x24, 0x37, 0xbf, 0x34, 0x73, 0xb6, 0x53,
2524 0x4a, 0x48, 0x34, 0xbc, 0xf7, 0x2e, 0x68, 0x1c, 0x83, 0xc9,
2525 },
2526 32, "Alpha CT Log" },
2527 { (const uint8_t[]){
2528 0xb0, 0xb7, 0x84, 0xbc, 0x81, 0xc0, 0xdd, 0xc4, 0x75, 0x44, 0xe8,
2529 0x83, 0xf0, 0x59, 0x85, 0xbb, 0x90, 0x77, 0xd1, 0x34, 0xd8, 0xab,
2530 0x88, 0xb2, 0xb2, 0xe5, 0x33, 0x98, 0x0b, 0x8e, 0x50, 0x8b,
2531 },
2532 32, "Up In The Air 'Behind the Sofa' log" },
2533 { (const uint8_t[]){
2534 0x47, 0x44, 0x47, 0x7c, 0x75, 0xde, 0x42, 0x6d, 0x5c, 0x44, 0xef,
2535 0xd4, 0xa9, 0x2c, 0x96, 0x77, 0x59, 0x7f, 0x65, 0x7a, 0x8f, 0xe0,
2536 0xca, 0xdb, 0xc6, 0xd6, 0x16, 0xed, 0xa4, 0x97, 0xc4, 0x25,
2537 },
2538 32, "Qihoo 360 2020" },
2539 { (const uint8_t[]){
2540 0xc6, 0xd7, 0xed, 0x9e, 0xdb, 0x8e, 0x74, 0xf0, 0xa7, 0x1b, 0x4d,
2541 0x4a, 0x98, 0x4b, 0xcb, 0xeb, 0xab, 0xbd, 0x28, 0xcc, 0x1f, 0xd7,
2542 0x63, 0x29, 0xe8, 0x87, 0x26, 0xcd, 0x4c, 0x25, 0x46, 0x63,
2543 },
2544 32, "Qihoo 360 2021" },
2545 { (const uint8_t[]){
2546 0x66, 0x3c, 0xb0, 0x9c, 0x1f, 0xcd, 0x9b, 0xaa, 0x62, 0x76, 0x3c,
2547 0xcb, 0x53, 0x4e, 0xec, 0x80, 0x58, 0x12, 0x28, 0x05, 0x07, 0xac,
2548 0x69, 0xa4, 0x5f, 0xcd, 0x38, 0xcf, 0x4c, 0xc7, 0x4c, 0xf1,
2549 },
2550 32, "Qihoo 360 2022" },
2551 { (const uint8_t[]){
2552 0xe2, 0x64, 0x7f, 0x6e, 0xda, 0x34, 0x05, 0x03, 0xc6, 0x4d, 0x4e,
2553 0x10, 0xa8, 0x69, 0x68, 0x1f, 0xde, 0x9c, 0x5a, 0x2c, 0xf3, 0xb3,
2554 0x2d, 0x5f, 0x20, 0x0b, 0x96, 0x36, 0x05, 0x90, 0x88, 0x23,
2555 },
2556 32, "Qihoo 360 2023" },
2557 { (const uint8_t[]){
2558 0xc5, 0xcf, 0xe5, 0x4b, 0x61, 0x51, 0xb4, 0x9b, 0x14, 0x2e, 0xd2,
2559 0x63, 0xbd, 0xe7, 0x32, 0x93, 0x36, 0x37, 0x99, 0x79, 0x95, 0x50,
2560 0xae, 0x44, 0x35, 0xcd, 0x1a, 0x69, 0x97, 0xc9, 0xc3, 0xc3,
2561 },
2562 32, "Qihoo 360 v1 2020" },
2563 { (const uint8_t[]){
2564 0x48, 0x14, 0x58, 0x7c, 0xf2, 0x8b, 0x08, 0xfe, 0x68, 0x3f, 0xd2,
2565 0xbc, 0xd9, 0x45, 0x99, 0x4c, 0x2e, 0xb7, 0x4c, 0x8a, 0xe8, 0xc8,
2566 0x7f, 0xce, 0x42, 0x9b, 0x7c, 0xd3, 0x1d, 0x51, 0xbd, 0xc4,
2567 },
2568 32, "Qihoo 360 v1 2021" },
2569 { (const uint8_t[]){
2570 0x49, 0x11, 0xb8, 0xd6, 0x14, 0xcf, 0xd3, 0xd9, 0x9f, 0x16, 0xd3,
2571 0x76, 0x54, 0x5e, 0xe1, 0xb8, 0xcc, 0xfc, 0x51, 0x1f, 0x50, 0x9f,
2572 0x08, 0x0b, 0xa0, 0xa0, 0x87, 0xd9, 0x1d, 0xfa, 0xee, 0xa9,
2573 },
2574 32, "Qihoo 360 v1 2022" },
2575 { (const uint8_t[]){
2576 0xb6, 0x74, 0x0b, 0x12, 0x00, 0x2e, 0x03, 0x3f, 0xd0, 0xe7, 0xe9,
2577 0x41, 0xf4, 0xba, 0x3e, 0xe1, 0xbf, 0xc1, 0x49, 0xb5, 0x24, 0xb4,
2578 0xcf, 0x62, 0x8d, 0x53, 0xef, 0xea, 0x1f, 0x40, 0x3a, 0x8d,
2579 },
2580 32, "Qihoo 360 v1 2023" },
2581 { NULL((void*)0), 0, NULL((void*)0) }
2582};
2583
2584/*
2585 * Application-Layer Protocol Negotiation (ALPN) dissector tables.
2586 */
2587static dissector_table_t ssl_alpn_dissector_table;
2588static dissector_table_t dtls_alpn_dissector_table;
2589
2590/*
2591 * Special cases for prefix matching of the ALPN, if the ALPN includes
2592 * a version number for a draft or protocol revision.
2593 */
2594typedef struct ssl_alpn_prefix_match_protocol {
2595 const char *proto_prefix;
2596 const char *dissector_name;
2597} ssl_alpn_prefix_match_protocol_t;
2598
2599static const ssl_alpn_prefix_match_protocol_t ssl_alpn_prefix_match_protocols[] = {
2600 /* SPDY moves so fast, just 1, 2 and 3 are registered with IANA but there
2601 * already exists 3.1 as of this writing... match the prefix. */
2602 { "spdy/", "spdy" },
2603 /* draft-ietf-httpbis-http2-16 */
2604 { "h2-", "http2" }, /* draft versions */
2605};
2606
2607const value_string compress_certificate_algorithm_vals[] = {
2608 { 1, "zlib" },
2609 { 2, "brotli" },
2610 { 3, "zstd" },
2611 { 0, NULL((void*)0) }
2612};
2613
2614
2615const val64_string quic_transport_parameter_id[] = {
2616 { SSL_HND_QUIC_TP_ORIGINAL_DESTINATION_CONNECTION_ID0x00, "original_destination_connection_id" },
2617 { SSL_HND_QUIC_TP_MAX_IDLE_TIMEOUT0x01, "max_idle_timeout" },
2618 { SSL_HND_QUIC_TP_STATELESS_RESET_TOKEN0x02, "stateless_reset_token" },
2619 { SSL_HND_QUIC_TP_MAX_UDP_PAYLOAD_SIZE0x03, "max_udp_payload_size" },
2620 { SSL_HND_QUIC_TP_INITIAL_MAX_DATA0x04, "initial_max_data" },
2621 { SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_BIDI_LOCAL0x05, "initial_max_stream_data_bidi_local" },
2622 { SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_BIDI_REMOTE0x06, "initial_max_stream_data_bidi_remote" },
2623 { SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_UNI0x07, "initial_max_stream_data_uni" },
2624 { SSL_HND_QUIC_TP_INITIAL_MAX_STREAMS_UNI0x09, "initial_max_streams_uni" },
2625 { SSL_HND_QUIC_TP_INITIAL_MAX_STREAMS_BIDI0x08, "initial_max_streams_bidi" },
2626 { SSL_HND_QUIC_TP_ACK_DELAY_EXPONENT0x0a, "ack_delay_exponent" },
2627 { SSL_HND_QUIC_TP_MAX_ACK_DELAY0x0b, "max_ack_delay" },
2628 { SSL_HND_QUIC_TP_DISABLE_ACTIVE_MIGRATION0x0c, "disable_active_migration" },
2629 { SSL_HND_QUIC_TP_PREFERRED_ADDRESS0x0d, "preferred_address" },
2630 { SSL_HND_QUIC_TP_ACTIVE_CONNECTION_ID_LIMIT0x0e, "active_connection_id_limit" },
2631 { SSL_HND_QUIC_TP_INITIAL_SOURCE_CONNECTION_ID0x0f, "initial_source_connection_id" },
2632 { SSL_HND_QUIC_TP_RETRY_SOURCE_CONNECTION_ID0x10, "retry_source_connection_id" },
2633 { SSL_HND_QUIC_TP_MAX_DATAGRAM_FRAME_SIZE0x20, "max_datagram_frame_size" },
2634 { SSL_HND_QUIC_TP_CIBIR_ENCODING0x1000, "cibir_encoding" },
2635 { SSL_HND_QUIC_TP_LOSS_BITS0x1057, "loss_bits" },
2636 { SSL_HND_QUIC_TP_GREASE_QUIC_BIT0x2ab2, "grease_quic_bit" },
2637 { SSL_HND_QUIC_TP_ENABLE_TIME_STAMP0x7157, "enable_time_stamp" },
2638 { SSL_HND_QUIC_TP_ENABLE_TIME_STAMP_V20x7158, "enable_time_stamp_v2" },
2639 { SSL_HND_QUIC_TP_VERSION_INFORMATION0x11, "version_information" },
2640 { SSL_HND_QUIC_TP_MIN_ACK_DELAY_OLD0xde1a, "min_ack_delay" },
2641 { SSL_HND_QUIC_TP_GOOGLE_USER_AGENT0x3129, "google_user_agent" },
2642 { SSL_HND_QUIC_TP_GOOGLE_KEY_UPDATE_NOT_YET_SUPPORTED0x312B, "google_key_update_not_yet_supported" },
2643 { SSL_HND_QUIC_TP_GOOGLE_QUIC_VERSION0x4752, "google_quic_version" },
2644 { SSL_HND_QUIC_TP_GOOGLE_INITIAL_RTT0x3127, "google_initial_rtt" },
2645 { SSL_HND_QUIC_TP_GOOGLE_SUPPORT_HANDSHAKE_DONE0x312A, "google_support_handshake_done" },
2646 { SSL_HND_QUIC_TP_GOOGLE_QUIC_PARAMS0x4751, "google_quic_params" },
2647 { SSL_HND_QUIC_TP_GOOGLE_CONNECTION_OPTIONS0x3128, "google_connection_options" },
2648 { SSL_HND_QUIC_TP_FACEBOOK_PARTIAL_RELIABILITY0xFF00, "facebook_partial_reliability" },
2649 { SSL_HND_QUIC_TP_MIN_ACK_DELAY_DRAFT_V10xFF03DE1A, "min_ack_delay (draft-01)" },
2650 { SSL_HND_QUIC_TP_MIN_ACK_DELAY_DRAFT050xff04de1a, "min_ack_delay (draft-05)" },
2651 { SSL_HND_QUIC_TP_MIN_ACK_DELAY0xff04de1b, "min_ack_delay" },
2652 { SSL_HND_QUIC_TP_ENABLE_MULTIPATH_DRAFT040x0f739bbc1b666d04, "enable_multipath (draft-04)" },
2653 { SSL_HND_QUIC_TP_ENABLE_MULTIPATH_DRAFT050x0f739bbc1b666d05, "enable_multipath (draft-05)" },
2654 { SSL_HND_QUIC_TP_ENABLE_MULTIPATH0x0f739bbc1b666d06, "enable_multipath (draft-06)" },
2655 { SSL_HND_QUIC_TP_INITIAL_MAX_PATHS0x0f739bbc1b666d07, "initial_max_paths (draft-07/08)" },
2656 { SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT090x0f739bbc1b666d09, "initial_max_path_id (draft-09/10)" },
2657 { SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID0x0f739bbc1b666d11, "initial_max_path_id" },
2658 { 0, NULL((void*)0) }
2659};
2660
2661/* https://tools.ietf.org/html/draft-huitema-quic-ts-03 */
2662const val64_string quic_enable_time_stamp_v2_vals[] = {
2663 { 1, "I would like to receive TIME_STAMP frames" },
2664 { 2, "I am able to generate TIME_STAMP frames" },
2665 { 3, "I am able to generate TIME_STAMP frames and I would like to receive them" },
2666 { 0, NULL((void*)0) }
2667};
2668
2669/* https://tools.ietf.org/html/draft-multipath-04 */
2670const val64_string quic_enable_multipath_vals[] = {
2671 { 0, "don't support multipath" },
2672 { 1, "support multipath as defined in this document" },
2673 { 0, NULL((void*)0) }
2674};
2675
2676/* https://www.ietf.org/archive/id/draft-ietf-tls-esni-16.txt */
2677const value_string tls_hello_ext_ech_clienthello_types[] = {
2678 { 0, "Outer Client Hello" },
2679 { 1, "Inner Client Hello" },
2680 { 0, NULL((void*)0) }
2681};
2682
2683/* RFC 9180 */
2684const value_string kem_id_type_vals[] = {
2685 { 0x0000, "Reserved" },
2686 { 0x0010, "DHKEM(P-256, HKDF-SHA256)" },
2687 { 0x0011, "DHKEM(P-384, HKDF-SHA384)" },
2688 { 0x0012, "DHKEM(P-521, HKDF-SHA512)" },
2689 { 0x0020, "DHKEM(X25519, HKDF-SHA256)" },
2690 { 0x0021, "DHKEM(X448, HKDF-SHA512)" },
2691 { 0, NULL((void*)0) }
2692};
2693const value_string kdf_id_type_vals[] = {
2694 { 0x0000, "Reserved" },
2695 { 0x0001, "HKDF-SHA256" },
2696 { 0x0002, "HKDF-SHA384" },
2697 { 0x0003, "HKDF-SHA512" },
2698 { 0, NULL((void*)0) }
2699};
2700const value_string aead_id_type_vals[] = {
2701 { 0x0000, "Reserved" },
2702 { 0x0001, "AES-128-GCM" },
2703 { 0x0002, "AES-256-GCM" },
2704 { 0x0003, "ChaCha20Poly1305" },
2705 { 0xFFFF, "Export-only" },
2706 { 0, NULL((void*)0) }
2707};
2708
2709const value_string token_binding_key_parameter_vals[] = {
2710 { 0, "rsa2048_pkcs1.5" },
2711 { 1, "rsa2048_pss" },
2712 { 2, "ecdsap256" },
2713 { 0, NULL((void*)0) }
2714};
2715
2716/* Lookup tables }}} */
2717
2718void
2719quic_transport_parameter_id_base_custom(char *result, uint64_t parameter_id)
2720{
2721 const char *label;
2722 if (IS_GREASE_QUIC(parameter_id)((parameter_id) > 27 ? ((((parameter_id) - 27) % 31) == 0)
: 0)) {
2723 label = "GREASE";
2724 } else {
2725 label = val64_to_str_const(parameter_id, quic_transport_parameter_id, "Unknown");
2726 }
2727 snprintf(result, ITEM_LABEL_LENGTH240, "%s (0x%02" PRIx64"l" "x" ")", label, parameter_id);
2728}
2729
2730/* we keep this internal to packet-tls-utils, as there should be
2731 no need to access it any other way.
2732
2733 This also allows us to hide the dependency on zlib.
2734*/
2735struct _SslDecompress {
2736 int compression;
2737#if defined (HAVE_ZLIB1) || defined (HAVE_ZLIBNG)
2738 zlib_stream istream;
2739#endif
2740};
2741
2742/* To assist in parsing client/server key exchange messages
2743 0 indicates unknown */
2744int ssl_get_keyex_alg(int cipher)
2745{
2746 /* Map Cipher suite number to Key Exchange algorithm {{{ */
2747 switch(cipher) {
2748 case 0x0017:
2749 case 0x0018:
2750 case 0x0019:
2751 case 0x001a:
2752 case 0x001b:
2753 case 0x0034:
2754 case 0x003a:
2755 case 0x0046:
2756 case 0x006c:
2757 case 0x006d:
2758 case 0x0089:
2759 case 0x009b:
2760 case 0x00a6:
2761 case 0x00a7:
2762 case 0x00bf:
2763 case 0x00c5:
2764 case 0xc084:
2765 case 0xc085:
2766 return KEX_DH_ANON0x13;
2767 case 0x000b:
2768 case 0x000c:
2769 case 0x000d:
2770 case 0x0030:
2771 case 0x0036:
2772 case 0x003e:
2773 case 0x0042:
2774 case 0x0068:
2775 case 0x0085:
2776 case 0x0097:
2777 case 0x00a4:
2778 case 0x00a5:
2779 case 0x00bb:
2780 case 0x00c1:
2781 case 0xc082:
2782 case 0xc083:
2783 return KEX_DH_DSS0x14;
2784 case 0x000e:
2785 case 0x000f:
2786 case 0x0010:
2787 case 0x0031:
2788 case 0x0037:
2789 case 0x003f:
2790 case 0x0043:
2791 case 0x0069:
2792 case 0x0086:
2793 case 0x0098:
2794 case 0x00a0:
2795 case 0x00a1:
2796 case 0x00bc:
2797 case 0x00c2:
2798 case 0xc07e:
2799 case 0xc07f:
2800 return KEX_DH_RSA0x15;
2801 case 0x0011:
2802 case 0x0012:
2803 case 0x0013:
2804 case 0x0032:
2805 case 0x0038:
2806 case 0x0040:
2807 case 0x0044:
2808 case 0x0063:
2809 case 0x0065:
2810 case 0x0066:
2811 case 0x006a:
2812 case 0x0087:
2813 case 0x0099:
2814 case 0x00a2:
2815 case 0x00a3:
2816 case 0x00bd:
2817 case 0x00c3:
2818 case 0xc080:
2819 case 0xc081:
2820 return KEX_DHE_DSS0x10;
2821 case 0x002d:
2822 case 0x008e:
2823 case 0x008f:
2824 case 0x0090:
2825 case 0x0091:
2826 case 0x00aa:
2827 case 0x00ab:
2828 case 0x00b2:
2829 case 0x00b3:
2830 case 0x00b4:
2831 case 0x00b5:
2832 case 0xc090:
2833 case 0xc091:
2834 case 0xc096:
2835 case 0xc097:
2836 case 0xc0a6:
2837 case 0xc0a7:
2838 case 0xc0aa:
2839 case 0xc0ab:
2840 case 0xccad:
2841 case 0xe41c:
2842 case 0xe41d:
2843 return KEX_DHE_PSK0x11;
2844 case 0x0014:
2845 case 0x0015:
2846 case 0x0016:
2847 case 0x0033:
2848 case 0x0039:
2849 case 0x0045:
2850 case 0x0067:
2851 case 0x006b:
2852 case 0x0088:
2853 case 0x009a:
2854 case 0x009e:
2855 case 0x009f:
2856 case 0x00be:
2857 case 0x00c4:
2858 case 0xc07c:
2859 case 0xc07d:
2860 case 0xc09e:
2861 case 0xc09f:
2862 case 0xc0a2:
2863 case 0xc0a3:
2864 case 0xccaa:
2865 case 0xe41e:
2866 case 0xe41f:
2867 return KEX_DHE_RSA0x12;
2868 case 0xc015:
2869 case 0xc016:
2870 case 0xc017:
2871 case 0xc018:
2872 case 0xc019:
2873 return KEX_ECDH_ANON0x19;
2874 case 0xc001:
2875 case 0xc002:
2876 case 0xc003:
2877 case 0xc004:
2878 case 0xc005:
2879 case 0xc025:
2880 case 0xc026:
2881 case 0xc02d:
2882 case 0xc02e:
2883 case 0xc074:
2884 case 0xc075:
2885 case 0xc088:
2886 case 0xc089:
2887 return KEX_ECDH_ECDSA0x1a;
2888 case 0xc00b:
2889 case 0xc00c:
2890 case 0xc00d:
2891 case 0xc00e:
2892 case 0xc00f:
2893 case 0xc029:
2894 case 0xc02a:
2895 case 0xc031:
2896 case 0xc032:
2897 case 0xc078:
2898 case 0xc079:
2899 case 0xc08c:
2900 case 0xc08d:
2901 return KEX_ECDH_RSA0x1b;
2902 case 0xc006:
2903 case 0xc007:
2904 case 0xc008:
2905 case 0xc009:
2906 case 0xc00a:
2907 case 0xc023:
2908 case 0xc024:
2909 case 0xc02b:
2910 case 0xc02c:
2911 case 0xc072:
2912 case 0xc073:
2913 case 0xc086:
2914 case 0xc087:
2915 case 0xc0ac:
2916 case 0xc0ad:
2917 case 0xc0ae:
2918 case 0xc0af:
2919 case 0xcca9:
2920 case 0xe414:
2921 case 0xe415:
2922 return KEX_ECDHE_ECDSA0x16;
2923 case 0xc033:
2924 case 0xc034:
2925 case 0xc035:
2926 case 0xc036:
2927 case 0xc037:
2928 case 0xc038:
2929 case 0xc039:
2930 case 0xc03a:
2931 case 0xc03b:
2932 case 0xc09a:
2933 case 0xc09b:
2934 case 0xccac:
2935 case 0xe418:
2936 case 0xe419:
2937 case 0xd001:
2938 case 0xd002:
2939 case 0xd003:
2940 case 0xd005:
2941 return KEX_ECDHE_PSK0x17;
2942 case 0xc010:
2943 case 0xc011:
2944 case 0xc012:
2945 case 0xc013:
2946 case 0xc014:
2947 case 0xc027:
2948 case 0xc028:
2949 case 0xc02f:
2950 case 0xc030:
2951 case 0xc076:
2952 case 0xc077:
2953 case 0xc08a:
2954 case 0xc08b:
2955 case 0xcca8:
2956 case 0xe412:
2957 case 0xe413:
2958 return KEX_ECDHE_RSA0x18;
2959 case 0x001e:
2960 case 0x001f:
2961 case 0x0020:
2962 case 0x0021:
2963 case 0x0022:
2964 case 0x0023:
2965 case 0x0024:
2966 case 0x0025:
2967 case 0x0026:
2968 case 0x0027:
2969 case 0x0028:
2970 case 0x0029:
2971 case 0x002a:
2972 case 0x002b:
2973 return KEX_KRB50x1c;
2974 case 0x002c:
2975 case 0x008a:
2976 case 0x008b:
2977 case 0x008c:
2978 case 0x008d:
2979 case 0x00a8:
2980 case 0x00a9:
2981 case 0x00ae:
2982 case 0x00af:
2983 case 0x00b0:
2984 case 0x00b1:
2985 case 0xc064:
2986 case 0xc065:
2987 case 0xc08e:
2988 case 0xc08f:
2989 case 0xc094:
2990 case 0xc095:
2991 case 0xc0a4:
2992 case 0xc0a5:
2993 case 0xc0a8:
2994 case 0xc0a9:
2995 case 0xccab:
2996 case 0xe416:
2997 case 0xe417:
2998 return KEX_PSK0x1d;
2999 case 0x0001:
3000 case 0x0002:
3001 case 0x0003:
3002 case 0x0004:
3003 case 0x0005:
3004 case 0x0006:
3005 case 0x0007:
3006 case 0x0008:
3007 case 0x0009:
3008 case 0x000a:
3009 case 0x002f:
3010 case 0x0035:
3011 case 0x003b:
3012 case 0x003c:
3013 case 0x003d:
3014 case 0x0041:
3015 case 0x0060:
3016 case 0x0061:
3017 case 0x0062:
3018 case 0x0064:
3019 case 0x0084:
3020 case 0x0096:
3021 case 0x009c:
3022 case 0x009d:
3023 case 0x00ba:
3024 case 0x00c0:
3025 case 0xc07a:
3026 case 0xc07b:
3027 case 0xc09c:
3028 case 0xc09d:
3029 case 0xc0a0:
3030 case 0xc0a1:
3031 case 0xe410:
3032 case 0xe411:
3033 case 0xfefe:
3034 case 0xfeff:
3035 case 0xffe0:
3036 case 0xffe1:
3037 return KEX_RSA0x1e;
3038 case 0x002e:
3039 case 0x0092:
3040 case 0x0093:
3041 case 0x0094:
3042 case 0x0095:
3043 case 0x00ac:
3044 case 0x00ad:
3045 case 0x00b6:
3046 case 0x00b7:
3047 case 0x00b8:
3048 case 0x00b9:
3049 case 0xc092:
3050 case 0xc093:
3051 case 0xc098:
3052 case 0xc099:
3053 case 0xccae:
3054 case 0xe41a:
3055 case 0xe41b:
3056 return KEX_RSA_PSK0x1f;
3057 case 0xc01a:
3058 case 0xc01d:
3059 case 0xc020:
3060 return KEX_SRP_SHA0x20;
3061 case 0xc01c:
3062 case 0xc01f:
3063 case 0xc022:
3064 return KEX_SRP_SHA_DSS0x21;
3065 case 0xc01b:
3066 case 0xc01e:
3067 case 0xc021:
3068 return KEX_SRP_SHA_RSA0x22;
3069 case 0xc0ff:
3070 return KEX_ECJPAKE0x24;
3071 case 0xe003:
3072 case 0xe013:
3073 case 0xe053:
3074 return KEX_ECC_SM20x26;
3075 default:
3076 break;
3077 }
3078
3079 return 0;
3080 /* }}} */
3081}
3082
3083static wmem_list_t *connection_id_session_list;
3084
3085void
3086ssl_init_cid_list(void) {
3087 connection_id_session_list = wmem_list_new(wmem_file_scope());
3088}
3089
3090void
3091ssl_cleanup_cid_list(void) {
3092 wmem_destroy_list(connection_id_session_list);
3093}
3094
3095void
3096ssl_add_session_by_cid(SslDecryptSession *session)
3097{
3098 wmem_list_append(connection_id_session_list, session);
3099}
3100
3101SslDecryptSession *
3102ssl_get_session_by_cid(tvbuff_t *tvb, uint32_t offset)
3103{
3104 SslDecryptSession * ssl_cid = NULL((void*)0);
3105 wmem_list_frame_t *it = wmem_list_head(connection_id_session_list);
3106
3107 while (it != NULL((void*)0) && ssl_cid == NULL((void*)0)) {
3108 SslDecryptSession * ssl = (SslDecryptSession *)wmem_list_frame_data(it);
3109 DISSECTOR_ASSERT(ssl != NULL)((void) ((ssl != ((void*)0)) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 3109, "ssl != ((void*)0)"))));
3110 SslSession *session = &ssl->session;
3111
3112 if (session->client_cid_len > 0 && tvb_bytes_exist(tvb, offset, session->client_cid_len)) {
3113 if (tvb_memeql(tvb, offset, session->client_cid, session->client_cid_len) == 0) {
3114 ssl_cid = ssl;
3115 }
3116 }
3117
3118 if (session->server_cid_len > 0) {
3119 if (tvb_memeql(tvb, offset, session->server_cid, session->server_cid_len) == 0) {
3120 ssl_cid = ssl;
3121 }
3122 }
3123
3124 it = wmem_list_frame_next(it);
3125 }
3126
3127 return ssl_cid;
3128}
3129
3130/* StringInfo structure (len + data) functions {{{ */
3131
3132int
3133ssl_data_alloc(StringInfo* str, size_t len)
3134{
3135 str->data = (unsigned char *)g_malloc(len);
3136 /* the allocator can return a null pointer for a size equal to 0,
3137 * and that must be allowed */
3138 if (len > 0 && !str->data)
3139 return -1;
3140 str->data_len = (unsigned) len;
3141 return 0;
3142}
3143
3144void
3145ssl_data_set(StringInfo* str, const unsigned char* data, unsigned len)
3146{
3147 DISSECTOR_ASSERT(data)((void) ((data) ? (void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\""
, "epan/dissectors/packet-tls-utils.c", 3147, "data"))));
3148 memcpy(str->data, data, len);
3149 str->data_len = len;
3150}
3151
3152static int
3153ssl_data_realloc(StringInfo* str, unsigned len)
3154{
3155 str->data = (unsigned char *)g_realloc(str->data, len);
3156 if (!str->data)
3157 return -1;
3158 str->data_len = len;
3159 return 0;
3160}
3161
3162static StringInfo *
3163ssl_data_clone(StringInfo *str)
3164{
3165 StringInfo *cloned_str;
3166 cloned_str = (StringInfo *) wmem_alloc0(wmem_file_scope(),
3167 sizeof(StringInfo) + str->data_len);
3168 cloned_str->data = (unsigned char *) (cloned_str + 1);
3169 ssl_data_set(cloned_str, str->data, str->data_len);
3170 return cloned_str;
3171}
3172
3173static int
3174ssl_data_copy(StringInfo* dst, StringInfo* src)
3175{
3176 if (dst->data_len < src->data_len) {
3177 if (ssl_data_realloc(dst, src->data_len))
3178 return -1;
3179 }
3180 memcpy(dst->data, src->data, src->data_len);
3181 dst->data_len = src->data_len;
3182 return 0;
3183}
3184
3185/* from_hex converts |hex_len| bytes of hex data from |in| and sets |*out| to
3186 * the result. |out->data| will be allocated using wmem_file_scope. Returns true on
3187 * success. */
3188static bool_Bool from_hex(StringInfo* out, const char* in, size_t hex_len) {
3189 size_t i;
3190
3191 if (hex_len & 1)
3192 return false0;
3193
3194 out->data = (unsigned char *)wmem_alloc(wmem_file_scope(), hex_len / 2);
3195 for (i = 0; i < hex_len / 2; i++) {
3196 int a = ws_xton(in[i*2]);
3197 int b = ws_xton(in[i*2 + 1]);
3198 if (a == -1 || b == -1)
3199 return false0;
3200 out->data[i] = a << 4 | b;
3201 }
3202 out->data_len = (unsigned)hex_len / 2;
3203 return true1;
3204}
3205/* StringInfo structure (len + data) functions }}} */
3206
3207
3208/* libgcrypt wrappers for HMAC/message digest operations {{{ */
3209/* hmac abstraction layer */
3210#define SSL_HMACgcry_md_hd_t gcry_md_hd_t
3211
3212static inline int
3213ssl_hmac_init(SSL_HMACgcry_md_hd_t* md, int algo)
3214{
3215 gcry_error_t err;
3216 const char *err_str, *err_src;
3217
3218 err = gcry_md_open(md,algo, GCRY_MD_FLAG_HMAC);
3219 if (err != 0) {
3220 err_str = gcry_strerror(err);
3221 err_src = gcry_strsource(err);
3222 ssl_debug_printf("ssl_hmac_init(): gcry_md_open failed %s/%s", err_str, err_src);
3223 return -1;
3224 }
3225 return 0;
3226}
3227
3228static inline int
3229ssl_hmac_setkey(SSL_HMACgcry_md_hd_t* md, const void * key, int len)
3230{
3231 gcry_error_t err;
3232 const char *err_str, *err_src;
3233
3234 err = gcry_md_setkey (*(md), key, len);
3235 if (err != 0) {
3236 err_str = gcry_strerror(err);
3237 err_src = gcry_strsource(err);
3238 ssl_debug_printf("ssl_hmac_setkey(): gcry_md_setkey failed %s/%s", err_str, err_src);
3239 return -1;
3240 }
3241 return 0;
3242}
3243
3244static inline int
3245ssl_hmac_reset(SSL_HMACgcry_md_hd_t* md)
3246{
3247 gcry_md_reset(*md);
3248 return 0;
3249}
3250
3251static inline void
3252ssl_hmac_update(SSL_HMACgcry_md_hd_t* md, const void* data, int len)
3253{
3254 gcry_md_write(*(md), data, len);
3255}
3256static inline void
3257ssl_hmac_final(SSL_HMACgcry_md_hd_t* md, unsigned char* data, unsigned* datalen)
3258{
3259 int algo;
3260 unsigned len;
3261
3262 algo = gcry_md_get_algo (*(md));
3263 len = gcry_md_get_algo_dlen(algo);
3264 DISSECTOR_ASSERT(len <= *datalen)((void) ((len <= *datalen) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 3264, "len <= *datalen"))));
3265 memcpy(data, gcry_md_read(*(md), algo), len);
3266 *datalen = len;
3267}
3268static inline void
3269ssl_hmac_cleanup(SSL_HMACgcry_md_hd_t* md)
3270{
3271 gcry_md_close(*(md));
3272}
3273
3274/* message digest abstraction layer*/
3275#define SSL_MDgcry_md_hd_t gcry_md_hd_t
3276
3277static inline int
3278ssl_md_init(SSL_MDgcry_md_hd_t* md, int algo)
3279{
3280 gcry_error_t err;
3281 const char *err_str, *err_src;
3282 err = gcry_md_open(md,algo, 0);
3283 if (err != 0) {
3284 err_str = gcry_strerror(err);
3285 err_src = gcry_strsource(err);
3286 ssl_debug_printf("ssl_md_init(): gcry_md_open failed %s/%s", err_str, err_src);
3287 return -1;
3288 }
3289 return 0;
3290}
3291static inline void
3292ssl_md_update(SSL_MDgcry_md_hd_t* md, unsigned char* data, int len)
3293{
3294 gcry_md_write(*(md), data, len);
3295}
3296static inline void
3297ssl_md_final(SSL_MDgcry_md_hd_t* md, unsigned char* data, unsigned* datalen)
3298{
3299 int algo;
3300 int len;
3301 algo = gcry_md_get_algo (*(md));
3302 len = gcry_md_get_algo_dlen (algo);
3303 memcpy(data, gcry_md_read(*(md), algo), len);
3304 *datalen = len;
3305}
3306static inline void
3307ssl_md_cleanup(SSL_MDgcry_md_hd_t* md)
3308{
3309 gcry_md_close(*(md));
3310}
3311
3312static inline void
3313ssl_md_reset(SSL_MDgcry_md_hd_t* md)
3314{
3315 gcry_md_reset(*md);
3316}
3317
3318/* md5 /sha abstraction layer */
3319#define SSL_SHA_CTXgcry_md_hd_t gcry_md_hd_t
3320#define SSL_MD5_CTXgcry_md_hd_t gcry_md_hd_t
3321
3322static inline int
3323ssl_sha_init(SSL_SHA_CTXgcry_md_hd_t* md)
3324{
3325 gcry_error_t err;
3326 const char *err_str, *err_src;
3327 err = gcry_md_open(md, GCRY_MD_SHA1, 0);
3328 if (err != 0) {
3329 err_str = gcry_strerror(err);
3330 err_src = gcry_strsource(err);
3331 ssl_debug_printf("ssl_sha_init(): gcry_md_open failed %s/%s", err_str, err_src);
3332 return -1;
3333 }
3334 return 0;
3335}
3336static inline void
3337ssl_sha_update(SSL_SHA_CTXgcry_md_hd_t* md, unsigned char* data, int len)
3338{
3339 gcry_md_write(*(md), data, len);
3340}
3341static inline void
3342ssl_sha_final(unsigned char* buf, SSL_SHA_CTXgcry_md_hd_t* md)
3343{
3344 memcpy(buf, gcry_md_read(*(md), GCRY_MD_SHA1),
3345 gcry_md_get_algo_dlen(GCRY_MD_SHA1));
3346}
3347
3348static inline void
3349ssl_sha_reset(SSL_SHA_CTXgcry_md_hd_t* md)
3350{
3351 gcry_md_reset(*md);
3352}
3353
3354static inline void
3355ssl_sha_cleanup(SSL_SHA_CTXgcry_md_hd_t* md)
3356{
3357 gcry_md_close(*(md));
3358}
3359
3360static inline int
3361ssl_md5_init(SSL_MD5_CTXgcry_md_hd_t* md)
3362{
3363 gcry_error_t err;
3364 const char *err_str, *err_src;
3365 err = gcry_md_open(md,GCRY_MD_MD5, 0);
3366 if (err != 0) {
3367 err_str = gcry_strerror(err);
3368 err_src = gcry_strsource(err);
3369 ssl_debug_printf("ssl_md5_init(): gcry_md_open failed %s/%s", err_str, err_src);
3370 return -1;
3371 }
3372 return 0;
3373}
3374static inline void
3375ssl_md5_update(SSL_MD5_CTXgcry_md_hd_t* md, unsigned char* data, int len)
3376{
3377 gcry_md_write(*(md), data, len);
3378}
3379static inline void
3380ssl_md5_final(unsigned char* buf, SSL_MD5_CTXgcry_md_hd_t* md)
3381{
3382 memcpy(buf, gcry_md_read(*(md), GCRY_MD_MD5),
3383 gcry_md_get_algo_dlen(GCRY_MD_MD5));
3384}
3385
3386static inline void
3387ssl_md5_reset(SSL_MD5_CTXgcry_md_hd_t* md)
3388{
3389 gcry_md_reset(*md);
3390}
3391
3392static inline void
3393ssl_md5_cleanup(SSL_MD5_CTXgcry_md_hd_t* md)
3394{
3395 gcry_md_close(*(md));
3396}
3397/* libgcrypt wrappers for HMAC/message digest operations }}} */
3398
3399/* libgcrypt wrappers for Cipher state manipulation {{{ */
3400int
3401ssl_cipher_setiv(SSL_CIPHER_CTXgcry_cipher_hd_t *cipher, unsigned char* iv, int iv_len)
3402{
3403 int ret;
3404#if 0
3405 unsigned char *ivp;
3406 int i;
3407 gcry_cipher_hd_t c;
3408 c=(gcry_cipher_hd_t)*cipher;
3409#endif
3410 ssl_debug_printf("--------------------------------------------------------------------");
3411#if 0
3412 for(ivp=c->iv,i=0; i < iv_len; i++ )
3413 {
3414 ssl_debug_printf("%d ",ivp[i]);
3415 i++;
3416 }
3417#endif
3418 ssl_debug_printf("--------------------------------------------------------------------");
3419 ret = gcry_cipher_setiv(*(cipher), iv, iv_len);
3420#if 0
3421 for(ivp=c->iv,i=0; i < iv_len; i++ )
3422 {
3423 ssl_debug_printf("%d ",ivp[i]);
3424 i++;
3425 }
3426#endif
3427 ssl_debug_printf("--------------------------------------------------------------------");
3428 return ret;
3429}
3430/* stream cipher abstraction layer*/
3431static int
3432ssl_cipher_init(gcry_cipher_hd_t *cipher, int algo, unsigned char* sk,
3433 unsigned char* iv, int mode)
3434{
3435 int gcry_modes[] = {
3436 GCRY_CIPHER_MODE_STREAM,
3437 GCRY_CIPHER_MODE_CBC,
3438 GCRY_CIPHER_MODE_GCM,
3439 GCRY_CIPHER_MODE_CCM,
3440 GCRY_CIPHER_MODE_CCM,
3441 GCRY_CIPHER_MODE_POLY1305,
3442 GCRY_CIPHER_MODE_ECB, /* used for DTLSv1.3 seq number encryption */
3443 };
3444 int err;
3445 if (algo == -1) {
3446 /* NULL mode */
3447 *(cipher) = (gcry_cipher_hd_t)-1;
3448 return 0;
3449 }
3450 err = gcry_cipher_open(cipher, algo, gcry_modes[mode], 0);
3451 if (err !=0)
3452 return -1;
3453 err = gcry_cipher_setkey(*(cipher), sk, gcry_cipher_get_algo_keylen (algo));
3454 if (err != 0)
3455 return -1;
3456 /* AEAD cipher suites will set the nonce later. */
3457 if (mode == MODE_CBC) {
3458 err = gcry_cipher_setiv(*(cipher), iv, gcry_cipher_get_algo_blklen(algo));
3459 if (err != 0)
3460 return -1;
3461 }
3462 return 0;
3463}
3464static inline int
3465ssl_cipher_decrypt(gcry_cipher_hd_t *cipher, unsigned char * out, int outl,
3466 const unsigned char * in, int inl)
3467{
3468 if ((*cipher) == (gcry_cipher_hd_t)-1)
3469 {
3470 if (in && inl)
3471 memcpy(out, in, outl < inl ? outl : inl);
3472 return 0;
3473 }
3474 return gcry_cipher_decrypt ( *(cipher), out, outl, in, inl);
3475}
3476static inline int
3477ssl_get_digest_by_name(const char*name)
3478{
3479 return gcry_md_map_name(name);
3480}
3481static inline int
3482ssl_get_cipher_by_name(const char* name)
3483{
3484 return gcry_cipher_map_name(name);
3485}
3486
3487static inline void
3488ssl_cipher_cleanup(gcry_cipher_hd_t *cipher)
3489{
3490 if ((*cipher) != (gcry_cipher_hd_t)-1)
3491 gcry_cipher_close(*cipher);
3492 *cipher = NULL((void*)0);
3493}
3494/* }}} */
3495
3496/* Digests, Ciphers and Cipher Suites registry {{{ */
3497static const SslDigestAlgo digests[]={
3498 {"MD5", 16},
3499 {"SHA1", 20},
3500 {"SHA256", 32},
3501 {"SHA384", 48},
3502 {"SM3", 32},
3503 {"Not Applicable", 0},
3504};
3505
3506#define DIGEST_MAX_SIZE48 48
3507
3508/* get index digest index */
3509static const SslDigestAlgo *
3510ssl_cipher_suite_dig(const SslCipherSuite *cs) {
3511 return &digests[cs->dig - DIG_MD50x40];
3512}
3513
3514static const char *ciphers[]={
3515 "DES",
3516 "3DES",
3517 "ARCFOUR", /* libgcrypt does not support rc4, but this should be 100% compatible*/
3518 "RFC2268_128", /* libgcrypt name for RC2 with a 128-bit key */
3519 "IDEA",
3520 "AES",
3521 "AES256",
3522 "CAMELLIA128",
3523 "CAMELLIA256",
3524 "SEED",
3525 "CHACHA20", /* since Libgcrypt 1.7.0 */
3526 "SM1",
3527 "SM4",
3528 "*UNKNOWN*"
3529};
3530
3531static const SslCipherSuite cipher_suites[]={
3532 {0x0001,KEX_RSA0x1e, ENC_NULL0x3D, DIG_MD50x40, MODE_STREAM}, /* TLS_RSA_WITH_NULL_MD5 */
3533 {0x0002,KEX_RSA0x1e, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_RSA_WITH_NULL_SHA */
3534 {0x0003,KEX_RSA0x1e, ENC_RC40x32, DIG_MD50x40, MODE_STREAM}, /* TLS_RSA_EXPORT_WITH_RC4_40_MD5 */
3535 {0x0004,KEX_RSA0x1e, ENC_RC40x32, DIG_MD50x40, MODE_STREAM}, /* TLS_RSA_WITH_RC4_128_MD5 */
3536 {0x0005,KEX_RSA0x1e, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_RSA_WITH_RC4_128_SHA */
3537 {0x0006,KEX_RSA0x1e, ENC_RC20x33, DIG_MD50x40, MODE_CBC }, /* TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 */
3538 {0x0007,KEX_RSA0x1e, ENC_IDEA0x34, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_IDEA_CBC_SHA */
3539 {0x0008,KEX_RSA0x1e, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_EXPORT_WITH_DES40_CBC_SHA */
3540 {0x0009,KEX_RSA0x1e, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_DES_CBC_SHA */
3541 {0x000A,KEX_RSA0x1e, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_3DES_EDE_CBC_SHA */
3542 {0x000B,KEX_DH_DSS0x14, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA */
3543 {0x000C,KEX_DH_DSS0x14, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_DES_CBC_SHA */
3544 {0x000D,KEX_DH_DSS0x14, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA */
3545 {0x000E,KEX_DH_RSA0x15, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA */
3546 {0x000F,KEX_DH_RSA0x15, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_DES_CBC_SHA */
3547 {0x0010,KEX_DH_RSA0x15, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA */
3548 {0x0011,KEX_DHE_DSS0x10, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA */
3549 {0x0012,KEX_DHE_DSS0x10, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_DES_CBC_SHA */
3550 {0x0013,KEX_DHE_DSS0x10, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA */
3551 {0x0014,KEX_DHE_RSA0x12, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA */
3552 {0x0015,KEX_DHE_RSA0x12, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_DES_CBC_SHA */
3553 {0x0016,KEX_DHE_RSA0x12, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA */
3554 {0x0017,KEX_DH_ANON0x13, ENC_RC40x32, DIG_MD50x40, MODE_STREAM}, /* TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 */
3555 {0x0018,KEX_DH_ANON0x13, ENC_RC40x32, DIG_MD50x40, MODE_STREAM}, /* TLS_DH_anon_WITH_RC4_128_MD5 */
3556 {0x0019,KEX_DH_ANON0x13, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA */
3557 {0x001A,KEX_DH_ANON0x13, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_DES_CBC_SHA */
3558 {0x001B,KEX_DH_ANON0x13, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_3DES_EDE_CBC_SHA */
3559 {0x002C,KEX_PSK0x1d, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_PSK_WITH_NULL_SHA */
3560 {0x002D,KEX_DHE_PSK0x11, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_DHE_PSK_WITH_NULL_SHA */
3561 {0x002E,KEX_RSA_PSK0x1f, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_RSA_PSK_WITH_NULL_SHA */
3562 {0x002F,KEX_RSA0x1e, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_AES_128_CBC_SHA */
3563 {0x0030,KEX_DH_DSS0x14, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_AES_128_CBC_SHA */
3564 {0x0031,KEX_DH_RSA0x15, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_AES_128_CBC_SHA */
3565 {0x0032,KEX_DHE_DSS0x10, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_AES_128_CBC_SHA */
3566 {0x0033,KEX_DHE_RSA0x12, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_AES_128_CBC_SHA */
3567 {0x0034,KEX_DH_ANON0x13, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_AES_128_CBC_SHA */
3568 {0x0035,KEX_RSA0x1e, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_AES_256_CBC_SHA */
3569 {0x0036,KEX_DH_DSS0x14, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_AES_256_CBC_SHA */
3570 {0x0037,KEX_DH_RSA0x15, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_AES_256_CBC_SHA */
3571 {0x0038,KEX_DHE_DSS0x10, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_AES_256_CBC_SHA */
3572 {0x0039,KEX_DHE_RSA0x12, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_AES_256_CBC_SHA */
3573 {0x003A,KEX_DH_ANON0x13, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_AES_256_CBC_SHA */
3574 {0x003B,KEX_RSA0x1e, ENC_NULL0x3D, DIG_SHA2560x42, MODE_STREAM}, /* TLS_RSA_WITH_NULL_SHA256 */
3575 {0x003C,KEX_RSA0x1e, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_RSA_WITH_AES_128_CBC_SHA256 */
3576 {0x003D,KEX_RSA0x1e, ENC_AES2560x36, DIG_SHA2560x42, MODE_CBC }, /* TLS_RSA_WITH_AES_256_CBC_SHA256 */
3577 {0x003E,KEX_DH_DSS0x14, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_DSS_WITH_AES_128_CBC_SHA256 */
3578 {0x003F,KEX_DH_RSA0x15, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_RSA_WITH_AES_128_CBC_SHA256 */
3579 {0x0040,KEX_DHE_DSS0x10, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 */
3580 {0x0041,KEX_RSA0x1e, ENC_CAMELLIA1280x37,DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_CAMELLIA_128_CBC_SHA */
3581 {0x0042,KEX_DH_DSS0x14, ENC_CAMELLIA1280x37,DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA */
3582 {0x0043,KEX_DH_RSA0x15, ENC_CAMELLIA1280x37,DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA */
3583 {0x0044,KEX_DHE_DSS0x10, ENC_CAMELLIA1280x37,DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA */
3584 {0x0045,KEX_DHE_RSA0x12, ENC_CAMELLIA1280x37,DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA */
3585 {0x0046,KEX_DH_ANON0x13, ENC_CAMELLIA1280x37,DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA */
3586 {0x0060,KEX_RSA0x1e, ENC_RC40x32, DIG_MD50x40, MODE_STREAM}, /* TLS_RSA_EXPORT1024_WITH_RC4_56_MD5 */
3587 {0x0061,KEX_RSA0x1e, ENC_RC20x33, DIG_MD50x40, MODE_STREAM}, /* TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 */
3588 {0x0062,KEX_RSA0x1e, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA */
3589 {0x0063,KEX_DHE_DSS0x10, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA */
3590 {0x0064,KEX_RSA0x1e, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_RSA_EXPORT1024_WITH_RC4_56_SHA */
3591 {0x0065,KEX_DHE_DSS0x10, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA */
3592 {0x0066,KEX_DHE_DSS0x10, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_DHE_DSS_WITH_RC4_128_SHA */
3593 {0x0067,KEX_DHE_RSA0x12, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 */
3594 {0x0068,KEX_DH_DSS0x14, ENC_AES2560x36, DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_DSS_WITH_AES_256_CBC_SHA256 */
3595 {0x0069,KEX_DH_RSA0x15, ENC_AES2560x36, DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_RSA_WITH_AES_256_CBC_SHA256 */
3596 {0x006A,KEX_DHE_DSS0x10, ENC_AES2560x36, DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 */
3597 {0x006B,KEX_DHE_RSA0x12, ENC_AES2560x36, DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 */
3598 {0x006C,KEX_DH_ANON0x13, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_anon_WITH_AES_128_CBC_SHA256 */
3599 {0x006D,KEX_DH_ANON0x13, ENC_AES2560x36, DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_anon_WITH_AES_256_CBC_SHA256 */
3600 {0x0084,KEX_RSA0x1e, ENC_CAMELLIA2560x38,DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_CAMELLIA_256_CBC_SHA */
3601 {0x0085,KEX_DH_DSS0x14, ENC_CAMELLIA2560x38,DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA */
3602 {0x0086,KEX_DH_RSA0x15, ENC_CAMELLIA2560x38,DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA */
3603 {0x0087,KEX_DHE_DSS0x10, ENC_CAMELLIA2560x38,DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA */
3604 {0x0088,KEX_DHE_RSA0x12, ENC_CAMELLIA2560x38,DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA */
3605 {0x0089,KEX_DH_ANON0x13, ENC_CAMELLIA2560x38,DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA */
3606 {0x008A,KEX_PSK0x1d, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_PSK_WITH_RC4_128_SHA */
3607 {0x008B,KEX_PSK0x1d, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_PSK_WITH_3DES_EDE_CBC_SHA */
3608 {0x008C,KEX_PSK0x1d, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_PSK_WITH_AES_128_CBC_SHA */
3609 {0x008D,KEX_PSK0x1d, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_PSK_WITH_AES_256_CBC_SHA */
3610 {0x008E,KEX_DHE_PSK0x11, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_DHE_PSK_WITH_RC4_128_SHA */
3611 {0x008F,KEX_DHE_PSK0x11, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA */
3612 {0x0090,KEX_DHE_PSK0x11, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_PSK_WITH_AES_128_CBC_SHA */
3613 {0x0091,KEX_DHE_PSK0x11, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_PSK_WITH_AES_256_CBC_SHA */
3614 {0x0092,KEX_RSA_PSK0x1f, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_RSA_PSK_WITH_RC4_128_SHA */
3615 {0x0093,KEX_RSA_PSK0x1f, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA */
3616 {0x0094,KEX_RSA_PSK0x1f, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_PSK_WITH_AES_128_CBC_SHA */
3617 {0x0095,KEX_RSA_PSK0x1f, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_PSK_WITH_AES_256_CBC_SHA */
3618 {0x0096,KEX_RSA0x1e, ENC_SEED0x39, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_SEED_CBC_SHA */
3619 {0x0097,KEX_DH_DSS0x14, ENC_SEED0x39, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_SEED_CBC_SHA */
3620 {0x0098,KEX_DH_RSA0x15, ENC_SEED0x39, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_SEED_CBC_SHA */
3621 {0x0099,KEX_DHE_DSS0x10, ENC_SEED0x39, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_SEED_CBC_SHA */
3622 {0x009A,KEX_DHE_RSA0x12, ENC_SEED0x39, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_SEED_CBC_SHA */
3623 {0x009B,KEX_DH_ANON0x13, ENC_SEED0x39, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_SEED_CBC_SHA */
3624 {0x009C,KEX_RSA0x1e, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_RSA_WITH_AES_128_GCM_SHA256 */
3625 {0x009D,KEX_RSA0x1e, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_RSA_WITH_AES_256_GCM_SHA384 */
3626 {0x009E,KEX_DHE_RSA0x12, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 */
3627 {0x009F,KEX_DHE_RSA0x12, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 */
3628 {0x00A0,KEX_DH_RSA0x15, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_DH_RSA_WITH_AES_128_GCM_SHA256 */
3629 {0x00A1,KEX_DH_RSA0x15, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_DH_RSA_WITH_AES_256_GCM_SHA384 */
3630 {0x00A2,KEX_DHE_DSS0x10, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 */
3631 {0x00A3,KEX_DHE_DSS0x10, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 */
3632 {0x00A4,KEX_DH_DSS0x14, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_DH_DSS_WITH_AES_128_GCM_SHA256 */
3633 {0x00A5,KEX_DH_DSS0x14, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_DH_DSS_WITH_AES_256_GCM_SHA384 */
3634 {0x00A6,KEX_DH_ANON0x13, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_DH_anon_WITH_AES_128_GCM_SHA256 */
3635 {0x00A7,KEX_DH_ANON0x13, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_DH_anon_WITH_AES_256_GCM_SHA384 */
3636 {0x00A8,KEX_PSK0x1d, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_PSK_WITH_AES_128_GCM_SHA256 */
3637 {0x00A9,KEX_PSK0x1d, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_PSK_WITH_AES_256_GCM_SHA384 */
3638 {0x00AA,KEX_DHE_PSK0x11, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 */
3639 {0x00AB,KEX_DHE_PSK0x11, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 */
3640 {0x00AC,KEX_RSA_PSK0x1f, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 */
3641 {0x00AD,KEX_RSA_PSK0x1f, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 */
3642 {0x00AE,KEX_PSK0x1d, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_PSK_WITH_AES_128_CBC_SHA256 */
3643 {0x00AF,KEX_PSK0x1d, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_PSK_WITH_AES_256_CBC_SHA384 */
3644 {0x00B0,KEX_PSK0x1d, ENC_NULL0x3D, DIG_SHA2560x42, MODE_STREAM}, /* TLS_PSK_WITH_NULL_SHA256 */
3645 {0x00B1,KEX_PSK0x1d, ENC_NULL0x3D, DIG_SHA3840x43, MODE_STREAM}, /* TLS_PSK_WITH_NULL_SHA384 */
3646 {0x00B2,KEX_DHE_PSK0x11, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 */
3647 {0x00B3,KEX_DHE_PSK0x11, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 */
3648 {0x00B4,KEX_DHE_PSK0x11, ENC_NULL0x3D, DIG_SHA2560x42, MODE_STREAM}, /* TLS_DHE_PSK_WITH_NULL_SHA256 */
3649 {0x00B5,KEX_DHE_PSK0x11, ENC_NULL0x3D, DIG_SHA3840x43, MODE_STREAM}, /* TLS_DHE_PSK_WITH_NULL_SHA384 */
3650 {0x00B6,KEX_RSA_PSK0x1f, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 */
3651 {0x00B7,KEX_RSA_PSK0x1f, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 */
3652 {0x00B8,KEX_RSA_PSK0x1f, ENC_NULL0x3D, DIG_SHA2560x42, MODE_STREAM}, /* TLS_RSA_PSK_WITH_NULL_SHA256 */
3653 {0x00B9,KEX_RSA_PSK0x1f, ENC_NULL0x3D, DIG_SHA3840x43, MODE_STREAM}, /* TLS_RSA_PSK_WITH_NULL_SHA384 */
3654 {0x00BA,KEX_RSA0x1e, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 */
3655 {0x00BB,KEX_DH_DSS0x14, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256 */
3656 {0x00BC,KEX_DH_RSA0x15, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256 */
3657 {0x00BD,KEX_DHE_DSS0x10, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256 */
3658 {0x00BE,KEX_DHE_RSA0x12, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 */
3659 {0x00BF,KEX_DH_ANON0x13, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256 */
3660 {0x00C0,KEX_RSA0x1e, ENC_CAMELLIA2560x38,DIG_SHA2560x42, MODE_CBC }, /* TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 */
3661 {0x00C1,KEX_DH_DSS0x14, ENC_CAMELLIA2560x38,DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256 */
3662 {0x00C2,KEX_DH_RSA0x15, ENC_CAMELLIA2560x38,DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256 */
3663 {0x00C3,KEX_DHE_DSS0x10, ENC_CAMELLIA2560x38,DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256 */
3664 {0x00C4,KEX_DHE_RSA0x12, ENC_CAMELLIA2560x38,DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 */
3665 {0x00C5,KEX_DH_ANON0x13, ENC_CAMELLIA2560x38,DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256 */
3666
3667 /* NOTE: TLS 1.3 cipher suites are incompatible with TLS 1.2. */
3668 {0x1301,KEX_TLS130x23, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_AES_128_GCM_SHA256 */
3669 {0x1302,KEX_TLS130x23, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_AES_256_GCM_SHA384 */
3670 {0x1303,KEX_TLS130x23, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_CHACHA20_POLY1305_SHA256 */
3671 {0x1304,KEX_TLS130x23, ENC_AES0x35, DIG_SHA2560x42, MODE_CCM }, /* TLS_AES_128_CCM_SHA256 */
3672 {0x1305,KEX_TLS130x23, ENC_AES0x35, DIG_SHA2560x42, MODE_CCM_8 }, /* TLS_AES_128_CCM_8_SHA256 */
3673 {0x00C6,KEX_TLS130x23, ENC_SM40x3C, DIG_SM30x44, MODE_GCM }, /* TLS_SM4_GCM_SM3 */
3674
3675 {0xC001,KEX_ECDH_ECDSA0x1a, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDH_ECDSA_WITH_NULL_SHA */
3676 {0xC002,KEX_ECDH_ECDSA0x1a, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDH_ECDSA_WITH_RC4_128_SHA */
3677 {0xC003,KEX_ECDH_ECDSA0x1a, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA */
3678 {0xC004,KEX_ECDH_ECDSA0x1a, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA */
3679 {0xC005,KEX_ECDH_ECDSA0x1a, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA */
3680 {0xC006,KEX_ECDHE_ECDSA0x16, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDHE_ECDSA_WITH_NULL_SHA */
3681 {0xC007,KEX_ECDHE_ECDSA0x16, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDHE_ECDSA_WITH_RC4_128_SHA */
3682 {0xC008,KEX_ECDHE_ECDSA0x16, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA */
3683 {0xC009,KEX_ECDHE_ECDSA0x16, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA */
3684 {0xC00A,KEX_ECDHE_ECDSA0x16, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA */
3685 {0xC00B,KEX_ECDH_RSA0x1b, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDH_RSA_WITH_NULL_SHA */
3686 {0xC00C,KEX_ECDH_RSA0x1b, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDH_RSA_WITH_RC4_128_SHA */
3687 {0xC00D,KEX_ECDH_RSA0x1b, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA */
3688 {0xC00E,KEX_ECDH_RSA0x1b, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_RSA_WITH_AES_128_CBC_SHA */
3689 {0xC00F,KEX_ECDH_RSA0x1b, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_RSA_WITH_AES_256_CBC_SHA */
3690 {0xC0FF,KEX_ECJPAKE0x24, ENC_AES0x35, DIG_NA0x45, MODE_CCM_8 }, /* TLS_ECJPAKE_WITH_AES_128_CCM_8 */
3691 {0xC010,KEX_ECDHE_RSA0x18, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDHE_RSA_WITH_NULL_SHA */
3692 {0xC011,KEX_ECDHE_RSA0x18, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDHE_RSA_WITH_RC4_128_SHA */
3693 {0xC012,KEX_ECDHE_RSA0x18, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA */
3694 {0xC013,KEX_ECDHE_RSA0x18, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA */
3695 {0xC014,KEX_ECDHE_RSA0x18, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA */
3696 {0xC015,KEX_ECDH_ANON0x19, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDH_anon_WITH_NULL_SHA */
3697 {0xC016,KEX_ECDH_ANON0x19, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDH_anon_WITH_RC4_128_SHA */
3698 {0xC017,KEX_ECDH_ANON0x19, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA */
3699 {0xC018,KEX_ECDH_ANON0x19, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_anon_WITH_AES_128_CBC_SHA */
3700 {0xC019,KEX_ECDH_ANON0x19, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_anon_WITH_AES_256_CBC_SHA */
3701 {0xC01A,KEX_SRP_SHA0x20, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA */
3702 {0xC01B,KEX_SRP_SHA_RSA0x22, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA */
3703 {0xC01C,KEX_SRP_SHA_DSS0x21, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA */
3704 {0xC01D,KEX_SRP_SHA0x20, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_WITH_AES_128_CBC_SHA */
3705 {0xC01E,KEX_SRP_SHA_RSA0x22, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA */
3706 {0xC01F,KEX_SRP_SHA_DSS0x21, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA */
3707 {0xC020,KEX_SRP_SHA0x20, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_WITH_AES_256_CBC_SHA */
3708 {0xC021,KEX_SRP_SHA_RSA0x22, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA */
3709 {0xC022,KEX_SRP_SHA_DSS0x21, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA */
3710 {0xC023,KEX_ECDHE_ECDSA0x16, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 */
3711 {0xC024,KEX_ECDHE_ECDSA0x16, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 */
3712 {0xC025,KEX_ECDH_ECDSA0x1a, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 */
3713 {0xC026,KEX_ECDH_ECDSA0x1a, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 */
3714 {0xC027,KEX_ECDHE_RSA0x18, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 */
3715 {0xC028,KEX_ECDHE_RSA0x18, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 */
3716 {0xC029,KEX_ECDH_RSA0x1b, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 */
3717 {0xC02A,KEX_ECDH_RSA0x1b, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 */
3718 {0xC02B,KEX_ECDHE_ECDSA0x16, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 */
3719 {0xC02C,KEX_ECDHE_ECDSA0x16, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 */
3720 {0xC02D,KEX_ECDH_ECDSA0x1a, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 */
3721 {0xC02E,KEX_ECDH_ECDSA0x1a, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 */
3722 {0xC02F,KEX_ECDHE_RSA0x18, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 */
3723 {0xC030,KEX_ECDHE_RSA0x18, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 */
3724 {0xC031,KEX_ECDH_RSA0x1b, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 */
3725 {0xC032,KEX_ECDH_RSA0x1b, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 */
3726 {0xC033,KEX_ECDHE_PSK0x17, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDHE_PSK_WITH_RC4_128_SHA */
3727 {0xC034,KEX_ECDHE_PSK0x17, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA */
3728 {0xC035,KEX_ECDHE_PSK0x17, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA */
3729 {0xC036,KEX_ECDHE_PSK0x17, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA */
3730 {0xC037,KEX_ECDHE_PSK0x17, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 */
3731 {0xC038,KEX_ECDHE_PSK0x17, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 */
3732 {0xC039,KEX_ECDHE_PSK0x17, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDHE_PSK_WITH_NULL_SHA */
3733 {0xC03A,KEX_ECDHE_PSK0x17, ENC_NULL0x3D, DIG_SHA2560x42, MODE_STREAM}, /* TLS_ECDHE_PSK_WITH_NULL_SHA256 */
3734 {0xC03B,KEX_ECDHE_PSK0x17, ENC_NULL0x3D, DIG_SHA3840x43, MODE_STREAM}, /* TLS_ECDHE_PSK_WITH_NULL_SHA384 */
3735 {0xC072,KEX_ECDHE_ECDSA0x16, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 */
3736 {0xC073,KEX_ECDHE_ECDSA0x16, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 */
3737 {0xC074,KEX_ECDH_ECDSA0x1a, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 */
3738 {0xC075,KEX_ECDH_ECDSA0x1a, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 */
3739 {0xC076,KEX_ECDHE_RSA0x18, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 */
3740 {0xC077,KEX_ECDHE_RSA0x18, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 */
3741 {0xC078,KEX_ECDH_RSA0x1b, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256 */
3742 {0xC079,KEX_ECDH_RSA0x1b, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384 */
3743 {0xC07A,KEX_RSA0x1e, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256 */
3744 {0xC07B,KEX_RSA0x1e, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384 */
3745 {0xC07C,KEX_DHE_RSA0x12, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 */
3746 {0xC07D,KEX_DHE_RSA0x12, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 */
3747 {0xC07E,KEX_DH_RSA0x15, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256 */
3748 {0xC07F,KEX_DH_RSA0x15, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384 */
3749 {0xC080,KEX_DHE_DSS0x10, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256 */
3750 {0xC081,KEX_DHE_DSS0x10, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384 */
3751 {0xC082,KEX_DH_DSS0x14, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256 */
3752 {0xC083,KEX_DH_DSS0x14, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384 */
3753 {0xC084,KEX_DH_ANON0x13, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256 */
3754 {0xC085,KEX_DH_ANON0x13, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384 */
3755 {0xC086,KEX_ECDHE_ECDSA0x16, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 */
3756 {0xC087,KEX_ECDHE_ECDSA0x16, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 */
3757 {0xC088,KEX_ECDH_ECDSA0x1a, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 */
3758 {0xC089,KEX_ECDH_ECDSA0x1a, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 */
3759 {0xC08A,KEX_ECDHE_RSA0x18, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 */
3760 {0xC08B,KEX_ECDHE_RSA0x18, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 */
3761 {0xC08C,KEX_ECDH_RSA0x1b, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256 */
3762 {0xC08D,KEX_ECDH_RSA0x1b, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384 */
3763 {0xC08E,KEX_PSK0x1d, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 */
3764 {0xC08F,KEX_PSK0x1d, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384 */
3765 {0xC090,KEX_DHE_PSK0x11, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256 */
3766 {0xC091,KEX_DHE_PSK0x11, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384 */
3767 {0xC092,KEX_RSA_PSK0x1f, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256 */
3768 {0xC093,KEX_RSA_PSK0x1f, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384 */
3769 {0xC094,KEX_PSK0x1d, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 */
3770 {0xC095,KEX_PSK0x1d, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384 */
3771 {0xC096,KEX_DHE_PSK0x11, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 */
3772 {0xC097,KEX_DHE_PSK0x11, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 */
3773 {0xC098,KEX_RSA_PSK0x1f, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256 */
3774 {0xC099,KEX_RSA_PSK0x1f, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384 */
3775 {0xC09A,KEX_ECDHE_PSK0x17, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 */
3776 {0xC09B,KEX_ECDHE_PSK0x17, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 */
3777 {0xC09C,KEX_RSA0x1e, ENC_AES0x35, DIG_NA0x45, MODE_CCM }, /* TLS_RSA_WITH_AES_128_CCM */
3778 {0xC09D,KEX_RSA0x1e, ENC_AES2560x36, DIG_NA0x45, MODE_CCM }, /* TLS_RSA_WITH_AES_256_CCM */
3779 {0xC09E,KEX_DHE_RSA0x12, ENC_AES0x35, DIG_NA0x45, MODE_CCM }, /* TLS_DHE_RSA_WITH_AES_128_CCM */
3780 {0xC09F,KEX_DHE_RSA0x12, ENC_AES2560x36, DIG_NA0x45, MODE_CCM }, /* TLS_DHE_RSA_WITH_AES_256_CCM */
3781 {0xC0A0,KEX_RSA0x1e, ENC_AES0x35, DIG_NA0x45, MODE_CCM_8 }, /* TLS_RSA_WITH_AES_128_CCM_8 */
3782 {0xC0A1,KEX_RSA0x1e, ENC_AES2560x36, DIG_NA0x45, MODE_CCM_8 }, /* TLS_RSA_WITH_AES_256_CCM_8 */
3783 {0xC0A2,KEX_DHE_RSA0x12, ENC_AES0x35, DIG_NA0x45, MODE_CCM_8 }, /* TLS_DHE_RSA_WITH_AES_128_CCM_8 */
3784 {0xC0A3,KEX_DHE_RSA0x12, ENC_AES2560x36, DIG_NA0x45, MODE_CCM_8 }, /* TLS_DHE_RSA_WITH_AES_256_CCM_8 */
3785 {0xC0A4,KEX_PSK0x1d, ENC_AES0x35, DIG_NA0x45, MODE_CCM }, /* TLS_PSK_WITH_AES_128_CCM */
3786 {0xC0A5,KEX_PSK0x1d, ENC_AES2560x36, DIG_NA0x45, MODE_CCM }, /* TLS_PSK_WITH_AES_256_CCM */
3787 {0xC0A6,KEX_DHE_PSK0x11, ENC_AES0x35, DIG_NA0x45, MODE_CCM }, /* TLS_DHE_PSK_WITH_AES_128_CCM */
3788 {0xC0A7,KEX_DHE_PSK0x11, ENC_AES2560x36, DIG_NA0x45, MODE_CCM }, /* TLS_DHE_PSK_WITH_AES_256_CCM */
3789 {0xC0A8,KEX_PSK0x1d, ENC_AES0x35, DIG_NA0x45, MODE_CCM_8 }, /* TLS_PSK_WITH_AES_128_CCM_8 */
3790 {0xC0A9,KEX_PSK0x1d, ENC_AES2560x36, DIG_NA0x45, MODE_CCM_8 }, /* TLS_PSK_WITH_AES_256_CCM_8 */
3791 {0xC0AA,KEX_DHE_PSK0x11, ENC_AES0x35, DIG_NA0x45, MODE_CCM_8 }, /* TLS_PSK_DHE_WITH_AES_128_CCM_8 */
3792 {0xC0AB,KEX_DHE_PSK0x11, ENC_AES2560x36, DIG_NA0x45, MODE_CCM_8 }, /* TLS_PSK_DHE_WITH_AES_256_CCM_8 */
3793 {0xC0AC,KEX_ECDHE_ECDSA0x16, ENC_AES0x35, DIG_NA0x45, MODE_CCM }, /* TLS_ECDHE_ECDSA_WITH_AES_128_CCM */
3794 {0xC0AD,KEX_ECDHE_ECDSA0x16, ENC_AES2560x36, DIG_NA0x45, MODE_CCM }, /* TLS_ECDHE_ECDSA_WITH_AES_256_CCM */
3795 {0xC0AE,KEX_ECDHE_ECDSA0x16, ENC_AES0x35, DIG_NA0x45, MODE_CCM_8 }, /* TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 */
3796 {0xC0AF,KEX_ECDHE_ECDSA0x16, ENC_AES2560x36, DIG_NA0x45, MODE_CCM_8 }, /* TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 */
3797 {0xCCA8,KEX_ECDHE_RSA0x18, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 */
3798 {0xCCA9,KEX_ECDHE_ECDSA0x16, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 */
3799 {0xCCAA,KEX_DHE_RSA0x12, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 */
3800 {0xCCAB,KEX_PSK0x1d, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_PSK_WITH_CHACHA20_POLY1305_SHA256 */
3801 {0xCCAC,KEX_ECDHE_PSK0x17, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 */
3802 {0xCCAD,KEX_DHE_PSK0x11, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 */
3803 {0xCCAE,KEX_RSA_PSK0x1f, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256 */
3804 {0xD001,KEX_ECDHE_PSK0x17, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM}, /* TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 */
3805 {0xD002,KEX_ECDHE_PSK0x17, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM}, /* TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384 */
3806 {0xD003,KEX_ECDHE_PSK0x17, ENC_AES0x35, DIG_SHA2560x42, MODE_CCM_8}, /* TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256 */
3807 {0xD005,KEX_ECDHE_PSK0x17, ENC_AES0x35, DIG_SHA2560x42, MODE_CCM}, /* TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256 */
3808 /* GM */
3809 {0xe001,KEX_ECDHE_SM20x25, ENC_SM10x3B, DIG_SM30x44, MODE_CBC}, /* ECDHE_SM1_SM3 */
3810 {0xe003,KEX_ECC_SM20x26, ENC_SM10x3B, DIG_SM30x44, MODE_CBC}, /* ECC_SM1_SM3 */
3811 {0xe005,KEX_IBSDH_SM90x27, ENC_SM10x3B, DIG_SM30x44, MODE_CBC}, /* IBSDH_SM1_SM3 */
3812 {0xe007,KEX_IBC_SM90x28, ENC_SM10x3B, DIG_SM30x44, MODE_CBC}, /* IBC_SM1_SM3 */
3813 {0xe009,KEX_RSA0x1e, ENC_SM10x3B, DIG_SM30x44, MODE_CBC}, /* RSA_SM1_SM3 */
3814 {0xe00a,KEX_RSA0x1e, ENC_SM10x3B, DIG_SHA0x41, MODE_CBC}, /* RSA_SM1_SHA1 */
3815 {0xe011,KEX_ECDHE_SM20x25, ENC_SM40x3C, DIG_SM30x44, MODE_CBC}, /* ECDHE_SM4_CBC_SM3 */
3816 {0xe013,KEX_ECC_SM20x26, ENC_SM40x3C, DIG_SM30x44, MODE_CBC}, /* ECC_SM4_CBC_SM3 */
3817 {0xe015,KEX_IBSDH_SM90x27, ENC_SM40x3C, DIG_SM30x44, MODE_CBC}, /* IBSDH_SM4_CBC_SM3 */
3818 {0xe017,KEX_IBC_SM90x28, ENC_SM40x3C, DIG_SM30x44, MODE_CBC}, /* IBC_SM4_CBC_SM3 */
3819 {0xe019,KEX_RSA0x1e, ENC_SM40x3C, DIG_SM30x44, MODE_CBC}, /* RSA_SM4_CBC_SM3 */
3820 {0xe01a,KEX_RSA0x1e, ENC_SM40x3C, DIG_SHA0x41, MODE_CBC}, /* RSA_SM4_CBC_SHA1 */
3821 {0xe01c,KEX_RSA0x1e, ENC_SM40x3C, DIG_SHA2560x42, MODE_CBC}, /* RSA_SM4_CBC_SHA256 */
3822 {0xe051,KEX_ECDHE_SM20x25, ENC_SM40x3C, DIG_SM30x44, MODE_GCM}, /* ECDHE_SM4_GCM_SM3 */
3823 {0xe053,KEX_ECC_SM20x26, ENC_SM40x3C, DIG_SM30x44, MODE_GCM}, /* ECC_SM4_GCM_SM3 */
3824 {0xe055,KEX_IBSDH_SM90x27, ENC_SM40x3C, DIG_SM30x44, MODE_GCM}, /* IBSDH_SM4_GCM_SM3 */
3825 {0xe057,KEX_IBC_SM90x28, ENC_SM40x3C, DIG_SM30x44, MODE_GCM}, /* IBC_SM4_GCM_SM3 */
3826 {0xe059,KEX_RSA0x1e, ENC_SM40x3C, DIG_SM30x44, MODE_GCM}, /* RSA_SM4_GCM_SM3 */
3827 {0xe05a,KEX_RSA0x1e, ENC_SM40x3C, DIG_SHA2560x42, MODE_GCM}, /* RSA_SM4_GCM_SHA256 */
3828 {-1, 0, 0, 0, MODE_STREAM}
3829};
3830
3831#define MAX_BLOCK_SIZE16 16
3832#define MAX_KEY_SIZE32 32
3833
3834const SslCipherSuite *
3835ssl_find_cipher(int num)
3836{
3837 const SslCipherSuite *c;
3838 for(c=cipher_suites;c->number!=-1;c++){
3839 if(c->number==num){
3840 return c;
3841 }
3842 }
3843
3844 return NULL((void*)0);
3845}
3846
3847int
3848ssl_get_cipher_algo(const SslCipherSuite *cipher_suite)
3849{
3850 return gcry_cipher_map_name(ciphers[cipher_suite->enc - ENC_START0x30]);
3851}
3852
3853unsigned
3854ssl_get_cipher_blocksize(const SslCipherSuite *cipher_suite)
3855{
3856 int cipher_algo;
3857 if (cipher_suite->mode != MODE_CBC) return 0;
3858 cipher_algo = ssl_get_cipher_by_name(ciphers[cipher_suite->enc - ENC_START0x30]);
3859 return (unsigned)gcry_cipher_get_algo_blklen(cipher_algo);
3860}
3861
3862static unsigned
3863ssl_get_cipher_export_keymat_size(int cipher_suite_num)
3864{
3865 switch (cipher_suite_num) {
3866 /* See RFC 6101 (SSL 3.0), Table 2, column Key Material. */
3867 case 0x0003: /* TLS_RSA_EXPORT_WITH_RC4_40_MD5 */
3868 case 0x0006: /* TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 */
3869 case 0x0008: /* TLS_RSA_EXPORT_WITH_DES40_CBC_SHA */
3870 case 0x000B: /* TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA */
3871 case 0x000E: /* TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA */
3872 case 0x0011: /* TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA */
3873 case 0x0014: /* TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA */
3874 case 0x0017: /* TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 */
3875 case 0x0019: /* TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA */
3876 return 5;
3877
3878 /* not defined in below draft, but "implemented by several vendors",
3879 * https://www.ietf.org/mail-archive/web/tls/current/msg00036.html */
3880 case 0x0060: /* TLS_RSA_EXPORT1024_WITH_RC4_56_MD5 */
3881 case 0x0061: /* TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 */
3882 return 7;
3883
3884 /* Note: the draft states that DES_CBC needs 8 bytes, but Wireshark always
3885 * used 7. Until a pcap proves 8, let's use the old value. Link:
3886 * https://tools.ietf.org/html/draft-ietf-tls-56-bit-ciphersuites-01 */
3887 case 0x0062: /* TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA */
3888 case 0x0063: /* TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA */
3889 case 0x0064: /* TLS_RSA_EXPORT1024_WITH_RC4_56_SHA */
3890 case 0x0065: /* TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA */
3891 return 7;
3892
3893 default:
3894 return 0;
3895 }
3896}
3897
3898/* Digests, Ciphers and Cipher Suites registry }}} */
3899
3900
3901/* HMAC and the Pseudorandom function {{{ */
3902static int
3903tls_hash(StringInfo *secret, StringInfo *seed, int md,
3904 StringInfo *out, unsigned out_len)
3905{
3906 /* RFC 2246 5. HMAC and the pseudorandom function
3907 * '+' denotes concatenation.
3908 * P_hash(secret, seed) = HMAC_hash(secret, A(1) + seed) +
3909 * HMAC_hash(secret, A(2) + seed) + ...
3910 * A(0) = seed
3911 * A(i) = HMAC_hash(secret, A(i - 1))
3912 */
3913 uint8_t *ptr;
3914 unsigned left, tocpy;
3915 uint8_t *A;
3916 uint8_t _A[DIGEST_MAX_SIZE48], tmp[DIGEST_MAX_SIZE48];
3917 unsigned A_l, tmp_l;
3918 SSL_HMACgcry_md_hd_t hm;
3919
3920 ptr = out->data;
3921 left = out_len;
3922
3923 ssl_print_string("tls_hash: hash secret", secret);
3924 ssl_print_string("tls_hash: hash seed", seed);
3925 /* A(0) = seed */
3926 A = seed->data;
3927 A_l = seed->data_len;
3928
3929 if (ssl_hmac_init(&hm, md) != 0) {
3930 return -1;
3931 }
3932 while (left) {
3933 /* A(i) = HMAC_hash(secret, A(i-1)) */
3934 ssl_hmac_setkey(&hm, secret->data, secret->data_len);
3935 ssl_hmac_update(&hm, A, A_l);
3936 A_l = sizeof(_A); /* upper bound len for hash output */
3937 ssl_hmac_final(&hm, _A, &A_l);
3938 A = _A;
3939
3940 /* HMAC_hash(secret, A(i) + seed) */
3941 ssl_hmac_reset(&hm);
3942 ssl_hmac_setkey(&hm, secret->data, secret->data_len);
3943 ssl_hmac_update(&hm, A, A_l);
3944 ssl_hmac_update(&hm, seed->data, seed->data_len);
3945 tmp_l = sizeof(tmp); /* upper bound len for hash output */
3946 ssl_hmac_final(&hm, tmp, &tmp_l);
3947 ssl_hmac_reset(&hm);
3948
3949 /* ssl_hmac_final puts the actual digest output size in tmp_l */
3950 tocpy = MIN(left, tmp_l)(((left) < (tmp_l)) ? (left) : (tmp_l));
3951 memcpy(ptr, tmp, tocpy);
3952 ptr += tocpy;
3953 left -= tocpy;
3954 }
3955 ssl_hmac_cleanup(&hm);
3956 out->data_len = out_len;
3957
3958 ssl_print_string("hash out", out);
3959 return 0;
3960}
3961
3962static bool_Bool
3963tls_prf(StringInfo* secret, const char *usage,
3964 StringInfo* rnd1, StringInfo* rnd2, StringInfo* out, unsigned out_len)
3965{
3966 StringInfo seed, sha_out, md5_out;
3967 uint8_t *ptr;
3968 StringInfo s1, s2;
3969 unsigned i,s_l;
3970 size_t usage_len, rnd2_len;
3971 bool_Bool success = false0;
3972 usage_len = strlen(usage);
3973 rnd2_len = rnd2 ? rnd2->data_len : 0;
3974
3975 /* initialize buffer for sha, md5 random seed*/
3976 if (ssl_data_alloc(&sha_out, MAX(out_len, 20)(((out_len) > (20)) ? (out_len) : (20))) < 0) {
3977 ssl_debug_printf("tls_prf: can't allocate sha out\n");
3978 return false0;
3979 }
3980 if (ssl_data_alloc(&md5_out, MAX(out_len, 16)(((out_len) > (16)) ? (out_len) : (16))) < 0) {
3981 ssl_debug_printf("tls_prf: can't allocate md5 out\n");
3982 goto free_sha;
3983 }
3984 if (ssl_data_alloc(&seed, usage_len+rnd1->data_len+rnd2_len) < 0) {
3985 ssl_debug_printf("tls_prf: can't allocate rnd %d\n",
3986 (int) (usage_len+rnd1->data_len+rnd2_len));
3987 goto free_md5;
3988 }
3989
3990 ptr=seed.data;
3991 memcpy(ptr,usage,usage_len);
3992 ptr+=usage_len;
3993 memcpy(ptr,rnd1->data,rnd1->data_len);
3994 if (rnd2_len > 0) {
3995 ptr+=rnd1->data_len;
3996 memcpy(ptr,rnd2->data,rnd2->data_len);
3997 /*ptr+=rnd2->data_len;*/
3998 }
3999
4000 /* initialize buffer for client/server seeds*/
4001 s_l=secret->data_len/2 + secret->data_len%2;
4002 if (ssl_data_alloc(&s1, s_l) < 0) {
4003 ssl_debug_printf("tls_prf: can't allocate secret %d\n", s_l);
4004 goto free_seed;
4005 }
4006 if (ssl_data_alloc(&s2, s_l) < 0) {
4007 ssl_debug_printf("tls_prf: can't allocate secret(2) %d\n", s_l);
4008 goto free_s1;
4009 }
4010
4011 memcpy(s1.data,secret->data,s_l);
4012 memcpy(s2.data,secret->data + (secret->data_len - s_l),s_l);
4013
4014 ssl_debug_printf("tls_prf: tls_hash(md5 secret_len %d seed_len %d )\n", s1.data_len, seed.data_len);
4015 if(tls_hash(&s1, &seed, ssl_get_digest_by_name("MD5"), &md5_out, out_len) != 0)
4016 goto free_s2;
4017 ssl_debug_printf("tls_prf: tls_hash(sha)\n");
4018 if(tls_hash(&s2, &seed, ssl_get_digest_by_name("SHA1"), &sha_out, out_len) != 0)
4019 goto free_s2;
4020
4021 for (i = 0; i < out_len; i++)
4022 out->data[i] = md5_out.data[i] ^ sha_out.data[i];
4023 /* success, now store the new meaningful data length */
4024 out->data_len = out_len;
4025 success = true1;
4026
4027 ssl_print_string("PRF out",out);
4028free_s2:
4029 g_free(s2.data);
4030free_s1:
4031 g_free(s1.data);
4032free_seed:
4033 g_free(seed.data);
4034free_md5:
4035 g_free(md5_out.data);
4036free_sha:
4037 g_free(sha_out.data);
4038 return success;
4039}
4040
4041static bool_Bool
4042tls12_prf(int md, StringInfo* secret, const char* usage,
4043 StringInfo* rnd1, StringInfo* rnd2, StringInfo* out, unsigned out_len)
4044{
4045 StringInfo label_seed;
4046 int success;
4047 size_t usage_len, rnd2_len;
4048 rnd2_len = rnd2 ? rnd2->data_len : 0;
4049
4050 usage_len = strlen(usage);
4051 if (ssl_data_alloc(&label_seed, usage_len+rnd1->data_len+rnd2_len) < 0) {
4052 ssl_debug_printf("tls12_prf: can't allocate label_seed\n");
4053 return false0;
4054 }
4055 memcpy(label_seed.data, usage, usage_len);
4056 memcpy(label_seed.data+usage_len, rnd1->data, rnd1->data_len);
4057 if (rnd2_len > 0)
4058 memcpy(label_seed.data+usage_len+rnd1->data_len, rnd2->data, rnd2->data_len);
4059
4060 ssl_debug_printf("tls12_prf: tls_hash(hash_alg %s secret_len %d seed_len %d )\n", gcry_md_algo_name(md), secret->data_len, label_seed.data_len);
4061 success = tls_hash(secret, &label_seed, md, out, out_len);
4062 g_free(label_seed.data);
4063 if(success != -1){
4064 ssl_print_string("PRF out", out);
4065 return true1;
4066 }
4067 return false0;
4068}
4069
4070static bool_Bool
4071ssl3_generate_export_iv(StringInfo *r1, StringInfo *r2,
4072 StringInfo *out, unsigned out_len)
4073{
4074 SSL_MD5_CTXgcry_md_hd_t md5;
4075 uint8_t tmp[16];
4076
4077 if (ssl_md5_init(&md5) != 0) {
4078 return false0;
4079 }
4080 ssl_md5_update(&md5,r1->data,r1->data_len);
4081 ssl_md5_update(&md5,r2->data,r2->data_len);
4082 ssl_md5_final(tmp,&md5);
4083 ssl_md5_cleanup(&md5);
4084
4085 DISSECTOR_ASSERT(out_len <= sizeof(tmp))((void) ((out_len <= sizeof(tmp)) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 4085, "out_len <= sizeof(tmp)"))));
4086 ssl_data_set(out, tmp, out_len);
4087 ssl_print_string("export iv", out);
4088 return true1;
4089}
4090
4091static bool_Bool
4092ssl3_prf(StringInfo* secret, const char* usage,
4093 StringInfo* rnd1, StringInfo* rnd2, StringInfo* out, unsigned out_len)
4094{
4095 SSL_MD5_CTXgcry_md_hd_t md5;
4096 SSL_SHA_CTXgcry_md_hd_t sha;
4097 unsigned off;
4098 int i = 0,j;
4099 uint8_t buf[20];
4100
4101 if (ssl_sha_init(&sha) != 0) {
4102 return false0;
4103 }
4104 if (ssl_md5_init(&md5) != 0) {
4105 ssl_sha_cleanup(&sha);
4106 return false0;
4107 }
4108 for (off = 0; off < out_len; off += 16) {
4109 unsigned char outbuf[16];
4110 i++;
4111
4112 ssl_debug_printf("ssl3_prf: sha1_hash(%d)\n",i);
4113 /* A, BB, CCC, ... */
4114 for(j=0;j<i;j++){
4115 buf[j]=64+i;
4116 }
4117
4118 ssl_sha_update(&sha,buf,i);
4119 ssl_sha_update(&sha,secret->data,secret->data_len);
4120
4121 if(!strcmp(usage,"client write key") || !strcmp(usage,"server write key")){
4122 if (rnd2)
4123 ssl_sha_update(&sha,rnd2->data,rnd2->data_len);
4124 ssl_sha_update(&sha,rnd1->data,rnd1->data_len);
4125 }
4126 else{
4127 ssl_sha_update(&sha,rnd1->data,rnd1->data_len);
4128 if (rnd2)
4129 ssl_sha_update(&sha,rnd2->data,rnd2->data_len);
4130 }
4131
4132 ssl_sha_final(buf,&sha);
4133 ssl_sha_reset(&sha);
4134
4135 ssl_debug_printf("ssl3_prf: md5_hash(%d) datalen %d\n",i,
4136 secret->data_len);
4137 ssl_md5_update(&md5,secret->data,secret->data_len);
4138 ssl_md5_update(&md5,buf,20);
4139 ssl_md5_final(outbuf,&md5);
4140 ssl_md5_reset(&md5);
4141
4142 memcpy(out->data + off, outbuf, MIN(out_len - off, 16)(((out_len - off) < (16)) ? (out_len - off) : (16)));
4143 }
4144 ssl_sha_cleanup(&sha);
4145 ssl_md5_cleanup(&md5);
4146 out->data_len = out_len;
4147
4148 return true1;
4149}
4150
4151/* out_len is the wanted output length for the pseudorandom function.
4152 * Ensure that ssl->cipher_suite is set. */
4153static bool_Bool
4154prf(SslDecryptSession *ssl, StringInfo *secret, const char *usage,
4155 StringInfo *rnd1, StringInfo *rnd2, StringInfo *out, unsigned out_len)
4156{
4157 switch (ssl->session.version) {
4158 case SSLV3_VERSION0x300:
4159 return ssl3_prf(secret, usage, rnd1, rnd2, out, out_len);
4160
4161 case TLSV1_VERSION0x301:
4162 case TLSV1DOT1_VERSION0x302:
4163 case DTLSV1DOT0_VERSION0xfeff:
4164 case DTLSV1DOT0_OPENSSL_VERSION0x100:
4165 return tls_prf(secret, usage, rnd1, rnd2, out, out_len);
4166
4167 default: /* TLSv1.2 */
4168 switch (ssl->cipher_suite->dig) {
4169 case DIG_SM30x44:
4170#if GCRYPT_VERSION_NUMBER0x010a03 >= 0x010900
4171 return tls12_prf(GCRY_MD_SM3, secret, usage, rnd1, rnd2,
4172 out, out_len);
4173#else
4174 return false0;
4175#endif
4176 case DIG_SHA3840x43:
4177 return tls12_prf(GCRY_MD_SHA384, secret, usage, rnd1, rnd2,
4178 out, out_len);
4179 default:
4180 return tls12_prf(GCRY_MD_SHA256, secret, usage, rnd1, rnd2,
4181 out, out_len);
4182 }
4183 }
4184}
4185
4186static int tls_handshake_hash(SslDecryptSession* ssl, StringInfo* out)
4187{
4188 SSL_MD5_CTXgcry_md_hd_t md5;
4189 SSL_SHA_CTXgcry_md_hd_t sha;
4190
4191 if (ssl_data_alloc(out, 36) < 0)
4192 return -1;
4193
4194 if (ssl_md5_init(&md5) != 0)
4195 return -1;
4196 ssl_md5_update(&md5,ssl->handshake_data.data,ssl->handshake_data.data_len);
4197 ssl_md5_final(out->data,&md5);
4198 ssl_md5_cleanup(&md5);
4199
4200 if (ssl_sha_init(&sha) != 0)
4201 return -1;
4202 ssl_sha_update(&sha,ssl->handshake_data.data,ssl->handshake_data.data_len);
4203 ssl_sha_final(out->data+16,&sha);
4204 ssl_sha_cleanup(&sha);
4205 return 0;
4206}
4207
4208static int tls12_handshake_hash(SslDecryptSession* ssl, int md, StringInfo* out)
4209{
4210 SSL_MDgcry_md_hd_t mc;
4211 uint8_t tmp[48];
4212 unsigned len;
4213
4214 if (ssl_md_init(&mc, md) != 0)
4215 return -1;
4216 ssl_md_update(&mc,ssl->handshake_data.data,ssl->handshake_data.data_len);
4217 ssl_md_final(&mc, tmp, &len);
4218 ssl_md_cleanup(&mc);
4219
4220 if (ssl_data_alloc(out, len) < 0)
4221 return -1;
4222 memcpy(out->data, tmp, len);
4223 return 0;
4224}
4225
4226/**
4227 * Obtains the label prefix used in HKDF-Expand-Label. This function can be
4228 * inlined and removed once support for draft 19 and before is dropped.
4229 */
4230static inline const char *
4231tls13_hkdf_label_prefix(SslDecryptSession *ssl_session)
4232{
4233 if (ssl_session->session.tls13_draft_version && ssl_session->session.tls13_draft_version < 20) {
4234 return "TLS 1.3, ";
4235 } else if (ssl_session->session.version == DTLSV1DOT3_VERSION0xfefc) {
4236 return "dtls13";
4237 } else {
4238 return "tls13 ";
4239 }
4240}
4241
4242/*
4243 * Computes HKDF-Expand-Label(Secret, Label, Hash(context_value), Length) with a
4244 * custom label prefix. If "context_hash" is NULL, then an empty context is
4245 * used. Otherwise it must have the same length as the hash algorithm output.
4246 */
4247bool_Bool
4248tls13_hkdf_expand_label_context(int md, const StringInfo *secret,
4249 const char *label_prefix, const char *label,
4250 const uint8_t *context_hash, uint8_t context_length,
4251 uint16_t out_len, unsigned char **out)
4252{
4253 /* RFC 8446 Section 7.1:
4254 * HKDF-Expand-Label(Secret, Label, Context, Length) =
4255 * HKDF-Expand(Secret, HkdfLabel, Length)
4256 * struct {
4257 * uint16 length = Length;
4258 * opaque label<7..255> = "tls13 " + Label; // "tls13 " is label prefix.
4259 * opaque context<0..255> = Context;
4260 * } HkdfLabel;
4261 *
4262 * RFC 5869 HMAC-based Extract-and-Expand Key Derivation Function (HKDF):
4263 * HKDF-Expand(PRK, info, L) -> OKM
4264 */
4265 gcry_error_t err;
4266 const unsigned label_prefix_length = (unsigned) strlen(label_prefix);
4267 const unsigned label_length = (unsigned) strlen(label);
4268
4269 /* Some sanity checks */
4270 DISSECTOR_ASSERT(label_length > 0 && label_prefix_length + label_length <= 255)((void) ((label_length > 0 && label_prefix_length +
label_length <= 255) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 4270, "label_length > 0 && label_prefix_length + label_length <= 255"
))));
38
'?' condition is true
4271
4272 /* info = HkdfLabel { length, label, context } */
4273 GByteArray *info = g_byte_array_new();
4274 const uint16_t length = g_htons(out_len)(((((guint16) ( (guint16) ((guint16) (out_len) >> 8) | (
guint16) ((guint16) (out_len) << 8))))));
4275 g_byte_array_append(info, (const uint8_t *)&length, sizeof(length));
4276
4277 const uint8_t label_vector_length = label_prefix_length + label_length;
4278 g_byte_array_append(info, &label_vector_length, 1);
4279 g_byte_array_append(info, (const uint8_t *)label_prefix, label_prefix_length);
4280 g_byte_array_append(info, (const uint8_t*)label, label_length);
4281
4282 g_byte_array_append(info, &context_length, 1);
4283 if (context_length
38.1
'context_length' is not equal to 0
) {
39
Taking true branch
4284 g_byte_array_append(info, context_hash, context_length);
4285 }
4286
4287 *out = (unsigned char *)wmem_alloc(NULL((void*)0), out_len);
4288 err = hkdf_expand(md, secret->data, secret->data_len, info->data, info->len, *out, out_len);
4289 g_byte_array_free(info, true1);
4290
4291 if (err) {
40
Assuming 'err' is not equal to 0
41
Taking true branch
4292 ssl_debug_printf("%s failed %d: %s\n", G_STRFUNC((const char*) (__func__)), md, gcry_strerror(err));
4293 wmem_free(NULL((void*)0), *out);
4294 *out = NULL((void*)0);
42
Null pointer value stored to 'ech_verify_out'
4295 return false0;
4296 }
4297
4298 return true1;
4299}
4300
4301bool_Bool
4302tls13_hkdf_expand_label(int md, const StringInfo *secret,
4303 const char *label_prefix, const char *label,
4304 uint16_t out_len, unsigned char **out)
4305{
4306 return tls13_hkdf_expand_label_context(md, secret, label_prefix, label, NULL((void*)0), 0, out_len, out);
4307}
4308/* HMAC and the Pseudorandom function }}} */
4309
4310/* Record Decompression (after decryption) {{{ */
4311#if defined (HAVE_ZLIB1) || defined (HAVE_ZLIBNG)
4312/* memory allocation functions for zlib initialization */
4313static void* ssl_zalloc(void* opaque _U___attribute__((unused)), unsigned int no, unsigned int size)
4314{
4315 return g_malloc0(no*size);
4316}
4317static void ssl_zfree(void* opaque _U___attribute__((unused)), void* addr)
4318{
4319 g_free(addr);
4320}
4321#endif
4322
4323static SslDecompress*
4324ssl_create_decompressor(int compression)
4325{
4326 SslDecompress *decomp;
4327#if defined (HAVE_ZLIB1) || defined (HAVE_ZLIBNG)
4328 int err;
4329#endif
4330
4331 if (compression == 0) return NULL((void*)0);
4332 ssl_debug_printf("ssl_create_decompressor: compression method %d\n", compression);
4333 decomp = wmem_new(wmem_file_scope(), SslDecompress)((SslDecompress*)wmem_alloc((wmem_file_scope()), sizeof(SslDecompress
)));
4334 decomp->compression = compression;
4335 switch (decomp->compression) {
4336#if defined (HAVE_ZLIB1) || defined (HAVE_ZLIBNG)
4337 case 1: /* DEFLATE */
4338 decomp->istream.zalloc = ssl_zalloc;
4339 decomp->istream.zfree = ssl_zfree;
4340 decomp->istream.opaque = Z_NULL0;
4341 decomp->istream.next_in = Z_NULL0;
4342 decomp->istream.next_out = Z_NULL0;
4343 decomp->istream.avail_in = 0;
4344 decomp->istream.avail_out = 0;
4345 err = ZLIB_PREFIX(inflateInit)(&decomp->istream)inflateInit_((&decomp->istream), "1.3", (int)sizeof(z_stream
));
4346 if (err != Z_OK0) {
4347 ssl_debug_printf("ssl_create_decompressor: inflateInit_() failed - %d\n", err);
4348 return NULL((void*)0);
4349 }
4350 break;
4351#endif
4352 default:
4353 ssl_debug_printf("ssl_create_decompressor: unsupported compression method %d\n", decomp->compression);
4354 return NULL((void*)0);
4355 }
4356 return decomp;
4357}
4358
4359#if defined (HAVE_ZLIB1) || defined (HAVE_ZLIBNG)
4360static int
4361ssl_decompress_record(SslDecompress* decomp, const unsigned char* in, unsigned inl, StringInfo* out_str, unsigned* outl)
4362{
4363 int err;
4364
4365 switch (decomp->compression) {
4366 case 1: /* DEFLATE */
4367 err = Z_OK0;
4368 if (out_str->data_len < 16384) { /* maximal plain length */
4369 ssl_data_realloc(out_str, 16384);
4370 }
4371#ifdef z_constconst
4372 decomp->istream.next_in = in;
4373#else
4374DIAG_OFF(cast-qual)clang diagnostic push clang diagnostic ignored "-Wcast-qual"
4375 decomp->istream.next_in = (Bytef *)in;
4376DIAG_ON(cast-qual)clang diagnostic pop
4377#endif
4378 decomp->istream.avail_in = inl;
4379 decomp->istream.next_out = out_str->data;
4380 decomp->istream.avail_out = out_str->data_len;
4381 if (inl > 0)
4382 err = ZLIB_PREFIX(inflate)inflate(&decomp->istream, Z_SYNC_FLUSH2);
4383 if (err != Z_OK0) {
4384 ssl_debug_printf("ssl_decompress_record: inflate() failed - %d\n", err);
4385 return -1;
4386 }
4387 *outl = out_str->data_len - decomp->istream.avail_out;
4388 break;
4389 default:
4390 ssl_debug_printf("ssl_decompress_record: unsupported compression method %d\n", decomp->compression);
4391 return -1;
4392 }
4393 return 0;
4394}
4395#else
4396int
4397ssl_decompress_record(SslDecompress* decomp _U___attribute__((unused)), const unsigned char* in _U___attribute__((unused)), unsigned inl _U___attribute__((unused)), StringInfo* out_str _U___attribute__((unused)), unsigned* outl _U___attribute__((unused)))
4398{
4399 ssl_debug_printf("ssl_decompress_record: unsupported compression method %d\n", decomp->compression);
4400 return -1;
4401}
4402#endif
4403/* Record Decompression (after decryption) }}} */
4404
4405/* Create a new structure to store decrypted chunks. {{{ */
4406static SslFlow*
4407ssl_create_flow(void)
4408{
4409 SslFlow *flow;
4410
4411 flow = wmem_new(wmem_file_scope(), SslFlow)((SslFlow*)wmem_alloc((wmem_file_scope()), sizeof(SslFlow)));
4412 flow->byte_seq = 0;
4413 flow->flags = 0;
4414 flow->multisegment_pdus = wmem_tree_new(wmem_file_scope());
4415 return flow;
4416}
4417/* }}} */
4418
4419/* Use the negotiated security parameters for decryption. {{{ */
4420void
4421ssl_change_cipher(SslDecryptSession *ssl_session, bool_Bool server)
4422{
4423 SslDecoder **new_decoder = server ? &ssl_session->server_new : &ssl_session->client_new;
4424 SslDecoder **dest = server ? &ssl_session->server : &ssl_session->client;
4425 ssl_debug_printf("ssl_change_cipher %s%s\n", server ? "SERVER" : "CLIENT",
4426 *new_decoder ? "" : " (No decoder found - retransmission?)");
4427 if (*new_decoder) {
4428 *dest = *new_decoder;
4429 *new_decoder = NULL((void*)0);
4430 }
4431}
4432/* }}} */
4433
4434/* Init cipher state given some security parameters. {{{ */
4435static bool_Bool
4436ssl_decoder_destroy_cb(wmem_allocator_t *, wmem_cb_event_t, void *);
4437
4438static SslDecoder*
4439ssl_create_decoder(const SslCipherSuite *cipher_suite, int cipher_algo,
4440 int compression, uint8_t *mk, uint8_t *sk, uint8_t *sn_key, uint8_t *iv, unsigned iv_length)
4441{
4442 SslDecoder *dec;
4443 ssl_cipher_mode_t mode = cipher_suite->mode;
4444
4445 dec = wmem_new0(wmem_file_scope(), SslDecoder)((SslDecoder*)wmem_alloc0((wmem_file_scope()), sizeof(SslDecoder
)));
4446 /* init mac buffer: mac storage is embedded into decoder struct to save a
4447 memory allocation and waste samo more memory*/
4448 dec->cipher_suite=cipher_suite;
4449 dec->compression = compression;
4450 if ((mode == MODE_STREAM && mk != NULL((void*)0)) || mode == MODE_CBC) {
4451 // AEAD ciphers use no MAC key, but stream and block ciphers do. Note
4452 // the special case for NULL ciphers, even if there is insufficiency
4453 // keying material (including MAC key), we will can still create
4454 // decoders since "decryption" is easy for such ciphers.
4455 dec->mac_key.data = dec->_mac_key_or_write_iv;
4456 ssl_data_set(&dec->mac_key, mk, ssl_cipher_suite_dig(cipher_suite)->len);
4457 } else if (mode == MODE_GCM || mode == MODE_CCM || mode == MODE_CCM_8 || mode == MODE_POLY1305) {
4458 // Input for the nonce, to be used with AEAD ciphers.
4459 DISSECTOR_ASSERT(iv_length <= sizeof(dec->_mac_key_or_write_iv))((void) ((iv_length <= sizeof(dec->_mac_key_or_write_iv
)) ? (void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\""
, "epan/dissectors/packet-tls-utils.c", 4459, "iv_length <= sizeof(dec->_mac_key_or_write_iv)"
))));
4460 dec->write_iv.data = dec->_mac_key_or_write_iv;
4461 ssl_data_set(&dec->write_iv, iv, iv_length);
4462 }
4463 dec->seq = 0;
4464 dec->decomp = ssl_create_decompressor(compression);
4465 wmem_register_callback(wmem_file_scope(), ssl_decoder_destroy_cb, dec);
4466
4467 if (ssl_cipher_init(&dec->evp,cipher_algo,sk,iv,cipher_suite->mode) < 0) {
4468 ssl_debug_printf("%s: can't create cipher id:%d mode:%d\n", G_STRFUNC((const char*) (__func__)),
4469 cipher_algo, cipher_suite->mode);
4470 return NULL((void*)0);
4471 }
4472
4473 if (cipher_suite->enc != ENC_NULL0x3D && sn_key != NULL((void*)0)) {
4474 if (cipher_suite->enc == ENC_AES0x35 || cipher_suite->enc == ENC_AES2560x36) {
4475 mode = MODE_ECB;
4476 } else if (cipher_suite->enc == ENC_CHACHA200x3A) {
4477 mode = MODE_STREAM;
4478 } else {
4479 ssl_debug_printf("not supported encryption algorithm for DTLSv1.3\n");
4480 return NULL((void*)0);
4481 }
4482
4483 if (ssl_cipher_init(&dec->sn_evp, cipher_algo, sn_key, NULL((void*)0), mode) < 0) {
4484 ssl_debug_printf("%s: can't create cipher id:%d mode:%d for seq number decryption\n", G_STRFUNC((const char*) (__func__)),
4485 cipher_algo, MODE_ECB);
4486 ssl_cipher_cleanup(&dec->evp);
4487 dec->evp = NULL((void*)0);
4488 return NULL((void*)0);
4489 }
4490 } else {
4491 dec->sn_evp = NULL((void*)0);
4492 }
4493
4494 dec->dtls13_aad.data = NULL((void*)0);
4495 dec->dtls13_aad.data_len = 0;
4496 ssl_debug_printf("decoder initialized (digest len %d)\n", ssl_cipher_suite_dig(cipher_suite)->len);
4497 return dec;
4498}
4499
4500static bool_Bool
4501ssl_decoder_destroy_cb(wmem_allocator_t *allocator _U___attribute__((unused)), wmem_cb_event_t event _U___attribute__((unused)), void *user_data)
4502{
4503 SslDecoder *dec = (SslDecoder *) user_data;
4504
4505 if (dec->evp)
4506 ssl_cipher_cleanup(&dec->evp);
4507 if (dec->sn_evp)
4508 ssl_cipher_cleanup(&dec->sn_evp);
4509
4510#if defined (HAVE_ZLIB1) || defined (HAVE_ZLIBNG)
4511 if (dec->decomp != NULL((void*)0) && dec->decomp->compression == 1 /* DEFLATE */)
4512 ZLIB_PREFIX(inflateEnd)inflateEnd(&dec->decomp->istream);
4513#endif
4514
4515 return false0;
4516}
4517/* }}} */
4518
4519/* (Pre-)master secrets calculations {{{ */
4520#ifdef HAVE_LIBGNUTLS1
4521static bool_Bool
4522ssl_decrypt_pre_master_secret(SslDecryptSession *ssl_session,
4523 StringInfo *encrypted_pre_master,
4524 GHashTable *key_hash);
4525#endif /* HAVE_LIBGNUTLS */
4526
4527static bool_Bool
4528ssl_restore_master_key(SslDecryptSession *ssl, const char *label,
4529 bool_Bool is_pre_master, GHashTable *ht, StringInfo *key);
4530
4531bool_Bool
4532ssl_generate_pre_master_secret(SslDecryptSession *ssl_session,
4533 uint32_t length, tvbuff_t *tvb, uint32_t offset,
4534 const char *ssl_psk, packet_info *pinfo,
4535#ifdef HAVE_LIBGNUTLS1
4536 GHashTable *key_hash,
4537#endif
4538 const ssl_master_key_map_t *mk_map)
4539{
4540 /* check for required session data */
4541 ssl_debug_printf("%s: found SSL_HND_CLIENT_KEY_EXCHG, state %X\n",
4542 G_STRFUNC((const char*) (__func__)), ssl_session->state);
4543 if ((ssl_session->state & (SSL_CIPHER(1<<2)|SSL_CLIENT_RANDOM(1<<0)|SSL_SERVER_RANDOM(1<<1)|SSL_VERSION(1<<4))) !=
4544 (SSL_CIPHER(1<<2)|SSL_CLIENT_RANDOM(1<<0)|SSL_SERVER_RANDOM(1<<1)|SSL_VERSION(1<<4))) {
4545 ssl_debug_printf("%s: not enough data to generate key (required state %X)\n", G_STRFUNC((const char*) (__func__)),
4546 (SSL_CIPHER(1<<2)|SSL_CLIENT_RANDOM(1<<0)|SSL_SERVER_RANDOM(1<<1)|SSL_VERSION(1<<4)));
4547 return false0;
4548 }
4549
4550 if (ssl_session->session.version == TLSV1DOT3_VERSION0x304) {
4551 ssl_debug_printf("%s: detected TLS 1.3 which has no pre-master secrets\n", G_STRFUNC((const char*) (__func__)));
4552 return false0;
4553 }
4554
4555 /* check to see if the PMS was provided to us*/
4556 if (ssl_restore_master_key(ssl_session, "Unencrypted pre-master secret", true1,
4557 mk_map->pms, &ssl_session->client_random)) {
4558 return true1;
4559 }
4560
4561 if (ssl_session->cipher_suite->kex == KEX_PSK0x1d)
4562 {
4563 /* calculate pre master secret*/
4564 StringInfo pre_master_secret;
4565 unsigned psk_len, pre_master_len;
4566
4567 if (!ssl_psk || (ssl_psk[0] == 0)) {
4568 ssl_debug_printf("%s: can't find pre-shared key\n", G_STRFUNC((const char*) (__func__)));
4569 return false0;
4570 }
4571
4572 /* convert hex string into char*/
4573 if (!from_hex(&ssl_session->psk, ssl_psk, strlen(ssl_psk))) {
4574 ssl_debug_printf("%s: ssl.psk/dtls.psk contains invalid hex\n",
4575 G_STRFUNC((const char*) (__func__)));
4576 return false0;
4577 }
4578
4579 psk_len = ssl_session->psk.data_len;
4580 if (psk_len >= (2 << 15)) {
4581 ssl_debug_printf("%s: ssl.psk/dtls.psk must not be larger than 2^15 - 1\n",
4582 G_STRFUNC((const char*) (__func__)));
4583 return false0;
4584 }
4585
4586
4587 pre_master_len = psk_len * 2 + 4;
4588
4589 pre_master_secret.data = (unsigned char *)wmem_alloc(wmem_file_scope(), pre_master_len);
4590 pre_master_secret.data_len = pre_master_len;
4591 /* 2 bytes psk_len*/
4592 pre_master_secret.data[0] = psk_len >> 8;
4593 pre_master_secret.data[1] = psk_len & 0xFF;
4594 /* psk_len bytes times 0*/
4595 memset(&pre_master_secret.data[2], 0, psk_len);
4596 /* 2 bytes psk_len*/
4597 pre_master_secret.data[psk_len + 2] = psk_len >> 8;
4598 pre_master_secret.data[psk_len + 3] = psk_len & 0xFF;
4599 /* psk*/
4600 memcpy(&pre_master_secret.data[psk_len + 4], ssl_session->psk.data, psk_len);
4601
4602 ssl_session->pre_master_secret.data = pre_master_secret.data;
4603 ssl_session->pre_master_secret.data_len = pre_master_len;
4604 /*ssl_debug_printf("pre master secret",&ssl->pre_master_secret);*/
4605
4606 /* Remove the master secret if it was there.
4607 This forces keying material regeneration in
4608 case we're renegotiating */
4609 ssl_session->state &= ~(SSL_MASTER_SECRET(1<<5)|SSL_HAVE_SESSION_KEY(1<<3));
4610 ssl_session->state |= SSL_PRE_MASTER_SECRET(1<<6);
4611 return true1;
4612 }
4613 else
4614 {
4615 unsigned encrlen, skip;
4616 encrlen = length;
4617 skip = 0;
4618
4619 /* get encrypted data, on tls1 we have to skip two bytes
4620 * (it's the encrypted len and should be equal to record len - 2)
4621 * in case of rsa1024 that would be 128 + 2 = 130; for psk not necessary
4622 */
4623 if (ssl_session->cipher_suite->kex == KEX_RSA0x1e &&
4624 (ssl_session->session.version == TLSV1_VERSION0x301 ||
4625 ssl_session->session.version == TLSV1DOT1_VERSION0x302 ||
4626 ssl_session->session.version == TLSV1DOT2_VERSION0x303 ||
4627 ssl_session->session.version == DTLSV1DOT0_VERSION0xfeff ||
4628 ssl_session->session.version == DTLSV1DOT2_VERSION0xfefd ||
4629 ssl_session->session.version == TLCPV1_VERSION0x101 ))
4630 {
4631 encrlen = tvb_get_ntohs(tvb, offset);
4632 skip = 2;
4633 if (encrlen > length - 2)
4634 {
4635 ssl_debug_printf("%s: wrong encrypted length (%d max %d)\n",
4636 G_STRFUNC((const char*) (__func__)), encrlen, length);
4637 return false0;
4638 }
4639 }
4640 /* the valid lower bound is higher than 8, but it is sufficient for the
4641 * ssl keylog file below */
4642 if (encrlen < 8) {
4643 ssl_debug_printf("%s: invalid encrypted pre-master key length %d\n",
4644 G_STRFUNC((const char*) (__func__)), encrlen);
4645 return false0;
4646 }
4647
4648 StringInfo encrypted_pre_master = {
4649 .data = (unsigned char *)tvb_memdup(pinfo->pool, tvb, offset + skip, encrlen),
4650 .data_len = encrlen,
4651 };
4652
4653#ifdef HAVE_LIBGNUTLS1
4654 /* Try to lookup an appropriate RSA private key to decrypt the Encrypted Pre-Master Secret. */
4655 if (ssl_session->cert_key_id) {
4656 if (ssl_decrypt_pre_master_secret(ssl_session, &encrypted_pre_master, key_hash))
4657 return true1;
4658
4659 ssl_debug_printf("%s: can't decrypt pre-master secret\n",
4660 G_STRFUNC((const char*) (__func__)));
4661 }
4662#endif /* HAVE_LIBGNUTLS */
4663
4664 /* try to find the pre-master secret from the encrypted one. The
4665 * ssl key logfile stores only the first 8 bytes, so truncate it */
4666 encrypted_pre_master.data_len = 8;
4667 if (ssl_restore_master_key(ssl_session, "Encrypted pre-master secret",
4668 true1, mk_map->pre_master, &encrypted_pre_master))
4669 return true1;
4670 }
4671 return false0;
4672}
4673
4674/* Used for (D)TLS 1.2 and earlier versions (not with TLS 1.3). */
4675int
4676ssl_generate_keyring_material(SslDecryptSession*ssl_session)
4677{
4678 StringInfo key_block = { NULL((void*)0), 0 };
4679 uint8_t _iv_c[MAX_BLOCK_SIZE16],_iv_s[MAX_BLOCK_SIZE16];
4680 uint8_t _key_c[MAX_KEY_SIZE32],_key_s[MAX_KEY_SIZE32];
4681 int needed;
4682 int cipher_algo = -1; /* special value (-1) for NULL encryption */
4683 unsigned encr_key_len, write_iv_len = 0;
4684 bool_Bool is_export_cipher;
4685 uint8_t *ptr, *c_iv = NULL((void*)0), *s_iv = NULL((void*)0);
4686 uint8_t *c_wk = NULL((void*)0), *s_wk = NULL((void*)0), *c_mk = NULL((void*)0), *s_mk = NULL((void*)0);
4687 const SslCipherSuite *cipher_suite = ssl_session->cipher_suite;
4688
4689 /* (D)TLS 1.3 is handled directly in tls13_change_key. */
4690 if (ssl_session->session.version == TLSV1DOT3_VERSION0x304 || ssl_session->session.version == DTLSV1DOT3_VERSION0xfefc) {
4691 ssl_debug_printf("%s: detected TLS 1.3. Should not have been called!\n", G_STRFUNC((const char*) (__func__)));
4692 return -1;
4693 }
4694
4695 /* check for enough info to proceed */
4696 unsigned need_all = SSL_CIPHER(1<<2)|SSL_CLIENT_RANDOM(1<<0)|SSL_SERVER_RANDOM(1<<1)|SSL_VERSION(1<<4);
4697 unsigned need_any = SSL_MASTER_SECRET(1<<5) | SSL_PRE_MASTER_SECRET(1<<6);
4698 if (((ssl_session->state & need_all) != need_all) || ((ssl_session->state & need_any) == 0)) {
4699 ssl_debug_printf("ssl_generate_keyring_material not enough data to generate key "
4700 "(0x%02X required 0x%02X or 0x%02X)\n", ssl_session->state,
4701 need_all|SSL_MASTER_SECRET(1<<5), need_all|SSL_PRE_MASTER_SECRET(1<<6));
4702 /* Special case: for NULL encryption, allow dissection of data even if
4703 * the Client Hello is missing (MAC keys are now skipped though). */
4704 need_all = SSL_CIPHER(1<<2)|SSL_VERSION(1<<4);
4705 if ((ssl_session->state & need_all) == need_all &&
4706 cipher_suite->enc == ENC_NULL0x3D) {
4707 ssl_debug_printf("%s NULL cipher found, will create a decoder but "
4708 "skip MAC validation as keys are missing.\n", G_STRFUNC((const char*) (__func__)));
4709 goto create_decoders;
4710 }
4711
4712 return -1;
4713 }
4714
4715 /* if master key is not available, generate is from the pre-master secret */
4716 if (!(ssl_session->state & SSL_MASTER_SECRET(1<<5))) {
4717 if ((ssl_session->state & SSL_EXTENDED_MASTER_SECRET_MASK((1<<7)|(1<<8))) == SSL_EXTENDED_MASTER_SECRET_MASK((1<<7)|(1<<8))) {
4718 StringInfo handshake_hashed_data;
4719 int ret;
4720
4721 handshake_hashed_data.data = NULL((void*)0);
4722 handshake_hashed_data.data_len = 0;
4723
4724 ssl_debug_printf("%s:PRF(pre_master_secret_extended)\n", G_STRFUNC((const char*) (__func__)));
4725 ssl_print_string("pre master secret",&ssl_session->pre_master_secret);
4726 DISSECTOR_ASSERT(ssl_session->handshake_data.data_len > 0)((void) ((ssl_session->handshake_data.data_len > 0) ? (
void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\""
, "epan/dissectors/packet-tls-utils.c", 4726, "ssl_session->handshake_data.data_len > 0"
))));
4727
4728 switch(ssl_session->session.version) {
4729 case TLSV1_VERSION0x301:
4730 case TLSV1DOT1_VERSION0x302:
4731 case DTLSV1DOT0_VERSION0xfeff:
4732 case DTLSV1DOT0_OPENSSL_VERSION0x100:
4733 case TLCPV1_VERSION0x101:
4734 ret = tls_handshake_hash(ssl_session, &handshake_hashed_data);
4735 break;
4736 default:
4737 switch (cipher_suite->dig) {
4738 case DIG_SHA3840x43:
4739 ret = tls12_handshake_hash(ssl_session, GCRY_MD_SHA384, &handshake_hashed_data);
4740 break;
4741 default:
4742 ret = tls12_handshake_hash(ssl_session, GCRY_MD_SHA256, &handshake_hashed_data);
4743 break;
4744 }
4745 break;
4746 }
4747 if (ret) {
4748 ssl_debug_printf("%s can't generate handshake hash\n", G_STRFUNC((const char*) (__func__)));
4749 return -1;
4750 }
4751
4752 wmem_free(wmem_file_scope(), ssl_session->handshake_data.data);
4753 ssl_session->handshake_data.data = NULL((void*)0);
4754 ssl_session->handshake_data.data_len = 0;
4755
4756 if (!prf(ssl_session, &ssl_session->pre_master_secret, "extended master secret",
4757 &handshake_hashed_data,
4758 NULL((void*)0), &ssl_session->master_secret,
4759 SSL_MASTER_SECRET_LENGTH48)) {
4760 ssl_debug_printf("%s can't generate master_secret\n", G_STRFUNC((const char*) (__func__)));
4761 g_free(handshake_hashed_data.data);
4762 return -1;
4763 }
4764 g_free(handshake_hashed_data.data);
4765 } else {
4766 ssl_debug_printf("%s:PRF(pre_master_secret)\n", G_STRFUNC((const char*) (__func__)));
4767 ssl_print_string("pre master secret",&ssl_session->pre_master_secret);
4768 ssl_print_string("client random",&ssl_session->client_random);
4769 ssl_print_string("server random",&ssl_session->server_random);
4770 if (!prf(ssl_session, &ssl_session->pre_master_secret, "master secret",
4771 &ssl_session->client_random,
4772 &ssl_session->server_random, &ssl_session->master_secret,
4773 SSL_MASTER_SECRET_LENGTH48)) {
4774 ssl_debug_printf("%s can't generate master_secret\n", G_STRFUNC((const char*) (__func__)));
4775 return -1;
4776 }
4777 }
4778 ssl_print_string("master secret",&ssl_session->master_secret);
4779
4780 /* the pre-master secret has been 'consumed' so we must clear it now */
4781 ssl_session->state &= ~SSL_PRE_MASTER_SECRET(1<<6);
4782 ssl_session->state |= SSL_MASTER_SECRET(1<<5);
4783 }
4784
4785 /* Find the Libgcrypt cipher algorithm for the given SSL cipher suite ID */
4786 if (cipher_suite->enc != ENC_NULL0x3D) {
4787 const char *cipher_name = ciphers[cipher_suite->enc-ENC_START0x30];
4788 ssl_debug_printf("%s CIPHER: %s\n", G_STRFUNC((const char*) (__func__)), cipher_name);
4789 cipher_algo = ssl_get_cipher_by_name(cipher_name);
4790 if (cipher_algo == 0) {
4791 ssl_debug_printf("%s can't find cipher %s\n", G_STRFUNC((const char*) (__func__)), cipher_name);
4792 return -1;
4793 }
4794 }
4795
4796 /* Export ciphers consume less material from the key block. */
4797 encr_key_len = ssl_get_cipher_export_keymat_size(cipher_suite->number);
4798 is_export_cipher = encr_key_len > 0;
4799 if (!is_export_cipher && cipher_suite->enc != ENC_NULL0x3D) {
4800 encr_key_len = (unsigned)gcry_cipher_get_algo_keylen(cipher_algo);
4801 }
4802
4803 if (cipher_suite->mode == MODE_CBC) {
4804 write_iv_len = (unsigned)gcry_cipher_get_algo_blklen(cipher_algo);
4805 } else if (cipher_suite->mode == MODE_GCM || cipher_suite->mode == MODE_CCM || cipher_suite->mode == MODE_CCM_8) {
4806 /* account for a four-byte salt for client and server side (from
4807 * client_write_IV and server_write_IV), see GCMNonce (RFC 5288) */
4808 write_iv_len = 4;
4809 } else if (cipher_suite->mode == MODE_POLY1305) {
4810 /* RFC 7905: SecurityParameters.fixed_iv_length is twelve bytes */
4811 write_iv_len = 12;
4812 }
4813
4814 /* Compute the key block. First figure out how much data we need */
4815 needed = ssl_cipher_suite_dig(cipher_suite)->len*2; /* MAC key */
4816 needed += 2 * encr_key_len; /* encryption key */
4817 needed += 2 * write_iv_len; /* write IV */
4818
4819 key_block.data = (unsigned char *)g_malloc(needed);
4820 ssl_debug_printf("%s sess key generation\n", G_STRFUNC((const char*) (__func__)));
4821 if (!prf(ssl_session, &ssl_session->master_secret, "key expansion",
4822 &ssl_session->server_random,&ssl_session->client_random,
4823 &key_block, needed)) {
4824 ssl_debug_printf("%s can't generate key_block\n", G_STRFUNC((const char*) (__func__)));
4825 goto fail;
4826 }
4827 ssl_print_string("key expansion", &key_block);
4828
4829 ptr=key_block.data;
4830 /* client/server write MAC key (for non-AEAD ciphers) */
4831 if (cipher_suite->mode == MODE_STREAM || cipher_suite->mode == MODE_CBC) {
4832 c_mk=ptr; ptr+=ssl_cipher_suite_dig(cipher_suite)->len;
4833 s_mk=ptr; ptr+=ssl_cipher_suite_dig(cipher_suite)->len;
4834 }
4835 /* client/server write encryption key */
4836 c_wk=ptr; ptr += encr_key_len;
4837 s_wk=ptr; ptr += encr_key_len;
4838 /* client/server write IV (used as IV (for CBC) or salt (for AEAD)) */
4839 if (write_iv_len > 0) {
4840 c_iv=ptr; ptr += write_iv_len;
4841 s_iv=ptr; /* ptr += write_iv_len; */
4842 }
4843
4844 /* export ciphers work with a smaller key length */
4845 if (is_export_cipher) {
4846 if (cipher_suite->mode == MODE_CBC) {
4847
4848 /* We only have room for MAX_BLOCK_SIZE bytes IVs, but that's
4849 all we should need. This is a sanity check */
4850 if (write_iv_len > MAX_BLOCK_SIZE16) {
4851 ssl_debug_printf("%s cipher suite block must be at most %d nut is %d\n",
4852 G_STRFUNC((const char*) (__func__)), MAX_BLOCK_SIZE16, write_iv_len);
4853 goto fail;
4854 }
4855
4856 if(ssl_session->session.version==SSLV3_VERSION0x300){
4857 /* The length of these fields are ignored by this caller */
4858 StringInfo iv_c, iv_s;
4859 iv_c.data = _iv_c;
4860 iv_s.data = _iv_s;
4861
4862 ssl_debug_printf("%s ssl3_generate_export_iv\n", G_STRFUNC((const char*) (__func__)));
4863 if (!ssl3_generate_export_iv(&ssl_session->client_random,
4864 &ssl_session->server_random, &iv_c, write_iv_len)) {
4865 goto fail;
4866 }
4867 ssl_debug_printf("%s ssl3_generate_export_iv(2)\n", G_STRFUNC((const char*) (__func__)));
4868 if (!ssl3_generate_export_iv(&ssl_session->server_random,
4869 &ssl_session->client_random, &iv_s, write_iv_len)) {
4870 goto fail;
4871 }
4872 }
4873 else{
4874 uint8_t _iv_block[MAX_BLOCK_SIZE16 * 2];
4875 StringInfo iv_block;
4876 StringInfo key_null;
4877 uint8_t _key_null;
4878
4879 key_null.data = &_key_null;
4880 key_null.data_len = 0;
4881
4882 iv_block.data = _iv_block;
4883
4884 ssl_debug_printf("%s prf(iv_block)\n", G_STRFUNC((const char*) (__func__)));
4885 if (!prf(ssl_session, &key_null, "IV block",
4886 &ssl_session->client_random,
4887 &ssl_session->server_random, &iv_block,
4888 write_iv_len * 2)) {
4889 ssl_debug_printf("%s can't generate tls31 iv block\n", G_STRFUNC((const char*) (__func__)));
4890 goto fail;
4891 }
4892
4893 memcpy(_iv_c, iv_block.data, write_iv_len);
4894 memcpy(_iv_s, iv_block.data + write_iv_len, write_iv_len);
4895 }
4896
4897 c_iv=_iv_c;
4898 s_iv=_iv_s;
4899 }
4900
4901 if (ssl_session->session.version==SSLV3_VERSION0x300){
4902
4903 SSL_MD5_CTXgcry_md_hd_t md5;
4904 ssl_debug_printf("%s MD5(client_random)\n", G_STRFUNC((const char*) (__func__)));
4905
4906 if (ssl_md5_init(&md5) != 0)
4907 goto fail;
4908 ssl_md5_update(&md5,c_wk,encr_key_len);
4909 ssl_md5_update(&md5,ssl_session->client_random.data,
4910 ssl_session->client_random.data_len);
4911 ssl_md5_update(&md5,ssl_session->server_random.data,
4912 ssl_session->server_random.data_len);
4913 ssl_md5_final(_key_c,&md5);
4914 ssl_md5_cleanup(&md5);
4915 c_wk=_key_c;
4916
4917 if (ssl_md5_init(&md5) != 0)
4918 goto fail;
4919 ssl_debug_printf("%s MD5(server_random)\n", G_STRFUNC((const char*) (__func__)));
4920 ssl_md5_update(&md5,s_wk,encr_key_len);
4921 ssl_md5_update(&md5,ssl_session->server_random.data,
4922 ssl_session->server_random.data_len);
4923 ssl_md5_update(&md5,ssl_session->client_random.data,
4924 ssl_session->client_random.data_len);
4925 ssl_md5_final(_key_s,&md5);
4926 ssl_md5_cleanup(&md5);
4927 s_wk=_key_s;
4928 }
4929 else{
4930 StringInfo key_c, key_s, k;
4931 key_c.data = _key_c;
4932 key_s.data = _key_s;
4933
4934 k.data = c_wk;
4935 k.data_len = encr_key_len;
4936 ssl_debug_printf("%s PRF(key_c)\n", G_STRFUNC((const char*) (__func__)));
4937 if (!prf(ssl_session, &k, "client write key",
4938 &ssl_session->client_random,
4939 &ssl_session->server_random, &key_c, sizeof(_key_c))) {
4940 ssl_debug_printf("%s can't generate tll31 server key \n", G_STRFUNC((const char*) (__func__)));
4941 goto fail;
4942 }
4943 c_wk=_key_c;
4944
4945 k.data = s_wk;
4946 k.data_len = encr_key_len;
4947 ssl_debug_printf("%s PRF(key_s)\n", G_STRFUNC((const char*) (__func__)));
4948 if (!prf(ssl_session, &k, "server write key",
4949 &ssl_session->client_random,
4950 &ssl_session->server_random, &key_s, sizeof(_key_s))) {
4951 ssl_debug_printf("%s can't generate tll31 client key \n", G_STRFUNC((const char*) (__func__)));
4952 goto fail;
4953 }
4954 s_wk=_key_s;
4955 }
4956 }
4957
4958 /* show key material info */
4959 if (c_mk != NULL((void*)0)) {
4960 ssl_print_data("Client MAC key",c_mk,ssl_cipher_suite_dig(cipher_suite)->len);
4961 ssl_print_data("Server MAC key",s_mk,ssl_cipher_suite_dig(cipher_suite)->len);
4962 }
4963 ssl_print_data("Client Write key", c_wk, encr_key_len);
4964 ssl_print_data("Server Write key", s_wk, encr_key_len);
4965 /* used as IV for CBC mode and the AEAD implicit nonce (salt) */
4966 if (write_iv_len > 0) {
4967 ssl_print_data("Client Write IV", c_iv, write_iv_len);
4968 ssl_print_data("Server Write IV", s_iv, write_iv_len);
4969 }
4970
4971create_decoders:
4972 /* create both client and server ciphers*/
4973 ssl_debug_printf("%s ssl_create_decoder(client)\n", G_STRFUNC((const char*) (__func__)));
4974 ssl_session->client_new = ssl_create_decoder(cipher_suite, cipher_algo, ssl_session->session.compression, c_mk, c_wk, NULL((void*)0), c_iv, write_iv_len);
4975 if (!ssl_session->client_new) {
4976 ssl_debug_printf("%s can't init client decoder\n", G_STRFUNC((const char*) (__func__)));
4977 goto fail;
4978 }
4979 ssl_debug_printf("%s ssl_create_decoder(server)\n", G_STRFUNC((const char*) (__func__)));
4980 ssl_session->server_new = ssl_create_decoder(cipher_suite, cipher_algo, ssl_session->session.compression, s_mk, s_wk, NULL((void*)0), s_iv, write_iv_len);
4981 if (!ssl_session->server_new) {
4982 ssl_debug_printf("%s can't init server decoder\n", G_STRFUNC((const char*) (__func__)));
4983 goto fail;
4984 }
4985
4986 /* Continue the SSL stream after renegotiation with new keys. */
4987 ssl_session->client_new->flow = ssl_session->client ? ssl_session->client->flow : ssl_create_flow();
4988 ssl_session->server_new->flow = ssl_session->server ? ssl_session->server->flow : ssl_create_flow();
4989
4990 ssl_debug_printf("%s: client seq %" PRIu64"l" "u" ", server seq %" PRIu64"l" "u" "\n",
4991 G_STRFUNC((const char*) (__func__)), ssl_session->client_new->seq, ssl_session->server_new->seq);
4992 g_free(key_block.data);
4993 ssl_session->state |= SSL_HAVE_SESSION_KEY(1<<3);
4994 return 0;
4995
4996fail:
4997 g_free(key_block.data);
4998 return -1;
4999}
5000
5001/* Generated the key material based on the given secret. */
5002bool_Bool
5003tls13_generate_keys(SslDecryptSession *ssl_session, const StringInfo *secret, bool_Bool is_from_server)
5004{
5005 bool_Bool success = false0;
5006 unsigned char *write_key = NULL((void*)0), *write_iv = NULL((void*)0);
5007 unsigned char *sn_key = NULL((void*)0);
5008 SslDecoder *decoder;
5009 unsigned key_length, iv_length;
5010 int hash_algo;
5011 const SslCipherSuite *cipher_suite = ssl_session->cipher_suite;
5012 int cipher_algo;
5013
5014 if ((ssl_session->session.version != TLSV1DOT3_VERSION0x304) && (ssl_session->session.version != DTLSV1DOT3_VERSION0xfefc)) {
5015 ssl_debug_printf("%s only usable for TLS 1.3, not %#x!\n", G_STRFUNC((const char*) (__func__)),
5016 ssl_session->session.version);
5017 return false0;
5018 }
5019
5020 if (cipher_suite == NULL((void*)0)) {
5021 ssl_debug_printf("%s Unknown cipher\n", G_STRFUNC((const char*) (__func__)));
5022 return false0;
5023 }
5024
5025 if (cipher_suite->kex != KEX_TLS130x23) {
5026 ssl_debug_printf("%s Invalid cipher suite 0x%04x spotted!\n", G_STRFUNC((const char*) (__func__)), cipher_suite->number);
5027 return false0;
5028 }
5029
5030 /* Find the Libgcrypt cipher algorithm for the given SSL cipher suite ID */
5031 const char *cipher_name = ciphers[cipher_suite->enc-ENC_START0x30];
5032 ssl_debug_printf("%s CIPHER: %s\n", G_STRFUNC((const char*) (__func__)), cipher_name);
5033 cipher_algo = ssl_get_cipher_by_name(cipher_name);
5034 if (cipher_algo == 0) {
5035 ssl_debug_printf("%s can't find cipher %s\n", G_STRFUNC((const char*) (__func__)), cipher_name);
5036 return false0;
5037 }
5038
5039 const char *hash_name = ssl_cipher_suite_dig(cipher_suite)->name;
5040 hash_algo = ssl_get_digest_by_name(hash_name);
5041 if (!hash_algo) {
5042 ssl_debug_printf("%s can't find hash function %s\n", G_STRFUNC((const char*) (__func__)), hash_name);
5043 return false0;
5044 }
5045
5046 key_length = (unsigned) gcry_cipher_get_algo_keylen(cipher_algo);
5047 /* AES-GCM/AES-CCM/Poly1305-ChaCha20 all have N_MIN=N_MAX = 12. */
5048 iv_length = 12;
5049 ssl_debug_printf("%s key_length %u iv_length %u\n", G_STRFUNC((const char*) (__func__)), key_length, iv_length);
5050
5051 const char *label_prefix = tls13_hkdf_label_prefix(ssl_session);
5052 if (!tls13_hkdf_expand_label(hash_algo, secret, label_prefix, "key", key_length, &write_key)) {
5053 ssl_debug_printf("%s write_key expansion failed\n", G_STRFUNC((const char*) (__func__)));
5054 return false0;
5055 }
5056 if (!tls13_hkdf_expand_label(hash_algo, secret, label_prefix, "iv", iv_length, &write_iv)) {
5057 ssl_debug_printf("%s write_iv expansion failed\n", G_STRFUNC((const char*) (__func__)));
5058 goto end;
5059 }
5060
5061 if (ssl_session->session.version == DTLSV1DOT3_VERSION0xfefc) {
5062 if (!tls13_hkdf_expand_label(hash_algo, secret, label_prefix, "sn", key_length, &sn_key)) {
5063 ssl_debug_printf("%s sn_key expansion failed\n", G_STRFUNC((const char*) (__func__)));
5064 goto end;
5065 }
5066 }
5067
5068 ssl_print_data(is_from_server ? "Server Write Key" : "Client Write Key", write_key, key_length);
5069 ssl_print_data(is_from_server ? "Server Write IV" : "Client Write IV", write_iv, iv_length);
5070 if (ssl_session->session.version == DTLSV1DOT3_VERSION0xfefc) {
5071 ssl_print_data(is_from_server ? "Server Write SN" : "Client Write SN", sn_key, key_length);
5072 }
5073
5074 ssl_debug_printf("%s ssl_create_decoder(%s)\n", G_STRFUNC((const char*) (__func__)), is_from_server ? "server" : "client");
5075 decoder = ssl_create_decoder(cipher_suite, cipher_algo, 0, NULL((void*)0), write_key, sn_key, write_iv, iv_length);
5076 if (!decoder) {
5077 ssl_debug_printf("%s can't init %s decoder\n", G_STRFUNC((const char*) (__func__)), is_from_server ? "server" : "client");
5078 goto end;
5079 }
5080
5081 /* Continue the TLS session with new keys, but reuse old flow to keep things
5082 * like "Follow TLS" working (by linking application data records). */
5083 if (is_from_server) {
5084 decoder->flow = ssl_session->server ? ssl_session->server->flow : ssl_create_flow();
5085 ssl_session->server = decoder;
5086 } else {
5087 decoder->flow = ssl_session->client ? ssl_session->client->flow : ssl_create_flow();
5088 ssl_session->client = decoder;
5089 }
5090 ssl_debug_printf("%s %s ready using cipher suite 0x%04x (cipher %s hash %s)\n", G_STRFUNC((const char*) (__func__)),
5091 is_from_server ? "Server" : "Client", cipher_suite->number, cipher_name, hash_name);
5092 success = true1;
5093
5094end:
5095 wmem_free(NULL((void*)0), write_key);
5096 wmem_free(NULL((void*)0), write_iv);
5097 if (sn_key)
5098 wmem_free(NULL((void*)0), sn_key);
5099 return success;
5100}
5101/* (Pre-)master secrets calculations }}} */
5102
5103#ifdef HAVE_LIBGNUTLS1
5104/* Decrypt RSA pre-master secret using RSA private key. {{{ */
5105static bool_Bool
5106ssl_decrypt_pre_master_secret(SslDecryptSession *ssl_session,
5107 StringInfo *encrypted_pre_master, GHashTable *key_hash)
5108{
5109 int ret;
5110
5111 if (!encrypted_pre_master)
5112 return false0;
5113
5114 if (KEX_IS_DH(ssl_session->cipher_suite->kex)((ssl_session->cipher_suite->kex) >= 0x10 &&
(ssl_session->cipher_suite->kex) <= 0x1b)) {
5115 ssl_debug_printf("%s: session uses Diffie-Hellman key exchange "
5116 "(cipher suite 0x%04X %s) and cannot be decrypted "
5117 "using a RSA private key file.\n",
5118 G_STRFUNC((const char*) (__func__)), ssl_session->session.cipher,
5119 val_to_str_ext_const(ssl_session->session.cipher,
5120 &ssl_31_ciphersuite_ext, "unknown"));
5121 return false0;
5122 } else if (ssl_session->cipher_suite->kex != KEX_RSA0x1e) {
5123 ssl_debug_printf("%s key exchange %d different from KEX_RSA (%d)\n",
5124 G_STRFUNC((const char*) (__func__)), ssl_session->cipher_suite->kex, KEX_RSA0x1e);
5125 return false0;
5126 }
5127
5128 gnutls_privkey_t pk = (gnutls_privkey_t)g_hash_table_lookup(key_hash, ssl_session->cert_key_id);
5129
5130 ssl_print_string("pre master encrypted", encrypted_pre_master);
5131 ssl_debug_printf("%s: RSA_private_decrypt\n", G_STRFUNC((const char*) (__func__)));
5132 const gnutls_datum_t epms = { encrypted_pre_master->data, encrypted_pre_master->data_len };
5133 gnutls_datum_t pms = { 0 };
5134 if (pk) {
5135 // Try to decrypt using the RSA keys table from (D)TLS preferences.
5136 ret = gnutls_privkey_decrypt_data(pk, 0, &epms, &pms);
5137 } else {
5138 // Try to decrypt using a hardware token.
5139 ret = secrets_rsa_decrypt(ssl_session->cert_key_id, epms.data, epms.size, &pms.data, &pms.size);
5140 }
5141 if (ret < 0) {
5142 ssl_debug_printf("%s: decryption failed: %d (%s)\n", G_STRFUNC((const char*) (__func__)), ret, gnutls_strerror(ret));
5143 return false0;
5144 }
5145
5146 if (pms.size != 48) {
5147 ssl_debug_printf("%s wrong pre_master_secret length (%d, expected %d)\n",
5148 G_STRFUNC((const char*) (__func__)), pms.size, 48);
5149 if (pk) {
5150 gnutls_free(pms.data);
5151 } else {
5152 g_free(pms.data);
5153 }
5154 return false0;
5155 }
5156
5157 ssl_session->pre_master_secret.data = (uint8_t *)wmem_memdup(wmem_file_scope(), pms.data, 48);
5158 ssl_session->pre_master_secret.data_len = 48;
5159 if (pk) {
5160 gnutls_free(pms.data);
5161 } else {
5162 g_free(pms.data);
5163 }
5164 ssl_print_string("pre master secret", &ssl_session->pre_master_secret);
5165
5166 /* Remove the master secret if it was there.
5167 This forces keying material regeneration in
5168 case we're renegotiating */
5169 ssl_session->state &= ~(SSL_MASTER_SECRET(1<<5)|SSL_HAVE_SESSION_KEY(1<<3));
5170 ssl_session->state |= SSL_PRE_MASTER_SECRET(1<<6);
5171 return true1;
5172} /* }}} */
5173#endif /* HAVE_LIBGNUTLS */
5174
5175/* Decryption integrity check {{{ */
5176
5177static int
5178tls_check_mac(SslDecoder*decoder, int ct, int ver, uint8_t* data,
5179 uint32_t datalen, uint8_t* mac)
5180{
5181 SSL_HMACgcry_md_hd_t hm;
5182 int md;
5183 uint32_t len;
5184 uint8_t buf[DIGEST_MAX_SIZE48];
5185 int16_t temp;
5186
5187 md=ssl_get_digest_by_name(ssl_cipher_suite_dig(decoder->cipher_suite)->name);
5188 ssl_debug_printf("tls_check_mac mac type:%s md %d\n",
5189 ssl_cipher_suite_dig(decoder->cipher_suite)->name, md);
5190
5191 if (ssl_hmac_init(&hm,md) != 0)
5192 return -1;
5193 if (ssl_hmac_setkey(&hm,decoder->mac_key.data,decoder->mac_key.data_len) != 0)
5194 return -1;
5195
5196 /* hash sequence number */
5197 phton64(buf, decoder->seq);
5198
5199 decoder->seq++;
5200
5201 ssl_hmac_update(&hm,buf,8);
5202
5203 /* hash content type */
5204 buf[0]=ct;
5205 ssl_hmac_update(&hm,buf,1);
5206
5207 /* hash version,data length and data*/
5208 /* *((int16_t*)buf) = g_htons(ver); */
5209 temp = g_htons(ver)(((((guint16) ( (guint16) ((guint16) (ver) >> 8) | (guint16
) ((guint16) (ver) << 8))))));
5210 memcpy(buf, &temp, 2);
5211 ssl_hmac_update(&hm,buf,2);
5212
5213 /* *((int16_t*)buf) = g_htons(datalen); */
5214 temp = g_htons(datalen)(((((guint16) ( (guint16) ((guint16) (datalen) >> 8) | (
guint16) ((guint16) (datalen) << 8))))));
5215 memcpy(buf, &temp, 2);
5216 ssl_hmac_update(&hm,buf,2);
5217 ssl_hmac_update(&hm,data,datalen);
5218
5219 /* get digest and digest len*/
5220 len = sizeof(buf);
5221 ssl_hmac_final(&hm,buf,&len);
5222 ssl_hmac_cleanup(&hm);
5223 ssl_print_data("Mac", buf, len);
5224 if(memcmp(mac,buf,len))
5225 return -1;
5226
5227 return 0;
5228}
5229
5230static int
5231ssl3_check_mac(SslDecoder*decoder,int ct,uint8_t* data,
5232 uint32_t datalen, uint8_t* mac)
5233{
5234 SSL_MDgcry_md_hd_t mc;
5235 int md;
5236 uint32_t len;
5237 uint8_t buf[64],dgst[20];
5238 int pad_ct;
5239 int16_t temp;
5240
5241 pad_ct=(decoder->cipher_suite->dig==DIG_SHA0x41)?40:48;
5242
5243 /* get cipher used for digest computation */
5244 md=ssl_get_digest_by_name(ssl_cipher_suite_dig(decoder->cipher_suite)->name);
5245 if (ssl_md_init(&mc,md) !=0)
5246 return -1;
5247
5248 /* do hash computation on data && padding */
5249 ssl_md_update(&mc,decoder->mac_key.data,decoder->mac_key.data_len);
5250
5251 /* hash padding*/
5252 memset(buf,0x36,pad_ct);
5253 ssl_md_update(&mc,buf,pad_ct);
5254
5255 /* hash sequence number */
5256 phton64(buf, decoder->seq);
5257 decoder->seq++;
5258 ssl_md_update(&mc,buf,8);
5259
5260 /* hash content type */
5261 buf[0]=ct;
5262 ssl_md_update(&mc,buf,1);
5263
5264 /* hash data length in network byte order and data*/
5265 /* *((int16_t* )buf) = g_htons(datalen); */
5266 temp = g_htons(datalen)(((((guint16) ( (guint16) ((guint16) (datalen) >> 8) | (
guint16) ((guint16) (datalen) << 8))))));
5267 memcpy(buf, &temp, 2);
5268 ssl_md_update(&mc,buf,2);
5269 ssl_md_update(&mc,data,datalen);
5270
5271 /* get partial digest */
5272 ssl_md_final(&mc,dgst,&len);
5273 ssl_md_reset(&mc);
5274
5275 /* hash mac key */
5276 ssl_md_update(&mc,decoder->mac_key.data,decoder->mac_key.data_len);
5277
5278 /* hash padding and partial digest*/
5279 memset(buf,0x5c,pad_ct);
5280 ssl_md_update(&mc,buf,pad_ct);
5281 ssl_md_update(&mc,dgst,len);
5282
5283 ssl_md_final(&mc,dgst,&len);
5284 ssl_md_cleanup(&mc);
5285
5286 if(memcmp(mac,dgst,len))
5287 return -1;
5288
5289 return 0;
5290}
5291
5292static int
5293dtls_check_mac(SslDecryptSession *ssl, SslDecoder*decoder, int ct, uint8_t* data,
5294 uint32_t datalen, uint8_t* mac, const unsigned char *cid, uint8_t cidl)
5295{
5296 SSL_HMACgcry_md_hd_t hm;
5297 int md;
5298 uint32_t len;
5299 uint8_t buf[DIGEST_MAX_SIZE48];
5300 int16_t temp;
5301
5302 int ver = ssl->session.version;
5303 bool_Bool is_cid = ((ct == SSL_ID_TLS12_CID) && (ver == DTLSV1DOT2_VERSION0xfefd));
5304
5305 md=ssl_get_digest_by_name(ssl_cipher_suite_dig(decoder->cipher_suite)->name);
5306 ssl_debug_printf("dtls_check_mac mac type:%s md %d\n",
5307 ssl_cipher_suite_dig(decoder->cipher_suite)->name, md);
5308
5309 if (ssl_hmac_init(&hm,md) != 0)
5310 return -1;
5311 if (ssl_hmac_setkey(&hm,decoder->mac_key.data,decoder->mac_key.data_len) != 0)
5312 return -1;
5313
5314 ssl_debug_printf("dtls_check_mac seq: %" PRIu64"l" "u" " epoch: %d\n",decoder->seq,decoder->epoch);
5315
5316 if (is_cid && !ssl->session.deprecated_cid) {
5317 /* hash seq num placeholder */
5318 memset(buf,0xFF,8);
5319 ssl_hmac_update(&hm,buf,8);
5320
5321 /* hash content type + cid length + content type */
5322 buf[0]=ct;
5323 buf[1]=cidl;
5324 buf[2]=ct;
5325 ssl_hmac_update(&hm,buf,3);
5326
5327 /* hash version */
5328 temp = g_htons(ver)(((((guint16) ( (guint16) ((guint16) (ver) >> 8) | (guint16
) ((guint16) (ver) << 8))))));
5329 memcpy(buf, &temp, 2);
5330 ssl_hmac_update(&hm,buf,2);
5331
5332 /* hash sequence number */
5333 phton64(buf, decoder->seq);
5334 buf[0]=decoder->epoch>>8;
5335 buf[1]=(uint8_t)decoder->epoch;
5336 ssl_hmac_update(&hm,buf,8);
5337
5338 /* hash cid */
5339 ssl_hmac_update(&hm,cid,cidl);
5340 } else {
5341 /* hash sequence number */
5342 phton64(buf, decoder->seq);
5343 buf[0]=decoder->epoch>>8;
5344 buf[1]=(uint8_t)decoder->epoch;
5345 ssl_hmac_update(&hm,buf,8);
5346
5347 /* hash content type */
5348 buf[0]=ct;
5349 ssl_hmac_update(&hm,buf,1);
5350
5351 /* hash version */
5352 temp = g_htons(ver)(((((guint16) ( (guint16) ((guint16) (ver) >> 8) | (guint16
) ((guint16) (ver) << 8))))));
5353 memcpy(buf, &temp, 2);
5354 ssl_hmac_update(&hm,buf,2);
5355
5356 if (is_cid && ssl->session.deprecated_cid) {
5357 /* hash cid */
5358 ssl_hmac_update(&hm,cid,cidl);
5359
5360 /* hash cid length */
5361 buf[0] = cidl;
5362 ssl_hmac_update(&hm,buf,1);
5363 }
5364 }
5365
5366 /* data length and data */
5367 temp = g_htons(datalen)(((((guint16) ( (guint16) ((guint16) (datalen) >> 8) | (
guint16) ((guint16) (datalen) << 8))))));
5368 memcpy(buf, &temp, 2);
5369 ssl_hmac_update(&hm,buf,2);
5370 ssl_hmac_update(&hm,data,datalen);
5371
5372 /* get digest and digest len */
5373 len = sizeof(buf);
5374 ssl_hmac_final(&hm,buf,&len);
5375 ssl_hmac_cleanup(&hm);
5376 ssl_print_data("Mac", buf, len);
5377 if(memcmp(mac,buf,len))
5378 return -1;
5379
5380 return 0;
5381}
5382/* Decryption integrity check }}} */
5383
5384
5385static bool_Bool
5386tls_decrypt_aead_record(SslDecryptSession *ssl, SslDecoder *decoder,
5387 uint8_t ct, uint16_t record_version,
5388 bool_Bool ignore_mac_failed,
5389 const unsigned char *in, uint16_t inl,
5390 const unsigned char *cid, uint8_t cidl,
5391 StringInfo *out_str, unsigned *outl)
5392{
5393 /* RFC 5246 (TLS 1.2) 6.2.3.3 defines the TLSCipherText.fragment as:
5394 * GenericAEADCipher: { nonce_explicit, [content] }
5395 * In TLS 1.3 this explicit nonce is gone.
5396 * With AES GCM/CCM, "[content]" is actually the concatenation of the
5397 * ciphertext and authentication tag.
5398 */
5399 const uint16_t version = ssl->session.version;
5400 const bool_Bool is_v12 = version == TLSV1DOT2_VERSION0x303 || version == DTLSV1DOT2_VERSION0xfefd || version == TLCPV1_VERSION0x101;
5401 gcry_error_t err;
5402 const unsigned char *explicit_nonce = NULL((void*)0), *ciphertext;
5403 unsigned ciphertext_len, auth_tag_len;
5404 unsigned char nonce[12];
5405 const ssl_cipher_mode_t cipher_mode = decoder->cipher_suite->mode;
5406 const bool_Bool is_cid = ct == SSL_ID_TLS12_CID && version == DTLSV1DOT2_VERSION0xfefd;
5407 const uint8_t draft_version = ssl->session.tls13_draft_version;
5408 const unsigned char *auth_tag_wire;
5409 unsigned char auth_tag_calc[16];
5410 unsigned char *aad = NULL((void*)0);
5411 unsigned aad_len = 0;
5412
5413 switch (cipher_mode) {
5414 case MODE_GCM:
5415 case MODE_CCM:
5416 case MODE_POLY1305:
5417 auth_tag_len = 16;
5418 break;
5419 case MODE_CCM_8:
5420 auth_tag_len = 8;
5421 break;
5422 default:
5423 ssl_debug_printf("%s unsupported cipher!\n", G_STRFUNC((const char*) (__func__)));
5424 return false0;
5425 }
5426
5427 /* Parse input into explicit nonce (TLS 1.2 only), ciphertext and tag. */
5428 if (is_v12 && cipher_mode != MODE_POLY1305) {
5429 if (inl < EXPLICIT_NONCE_LEN8 + auth_tag_len) {
5430 ssl_debug_printf("%s input %d is too small for explicit nonce %d and auth tag %d\n",
5431 G_STRFUNC((const char*) (__func__)), inl, EXPLICIT_NONCE_LEN8, auth_tag_len);
5432 return false0;
5433 }
5434 explicit_nonce = in;
5435 ciphertext = explicit_nonce + EXPLICIT_NONCE_LEN8;
5436 ciphertext_len = inl - EXPLICIT_NONCE_LEN8 - auth_tag_len;
5437 } else if (version == TLSV1DOT3_VERSION0x304 || version == DTLSV1DOT3_VERSION0xfefc || cipher_mode == MODE_POLY1305) {
5438 if (inl < auth_tag_len) {
5439 ssl_debug_printf("%s input %d has no space for auth tag %d\n", G_STRFUNC((const char*) (__func__)), inl, auth_tag_len);
5440 return false0;
5441 }
5442 ciphertext = in;
5443 ciphertext_len = inl - auth_tag_len;
5444 } else {
5445 ssl_debug_printf("%s Unexpected TLS version %#x\n", G_STRFUNC((const char*) (__func__)), version);
5446 return false0;
5447 }
5448 auth_tag_wire = ciphertext + ciphertext_len;
5449
5450 /*
5451 * Nonce construction is version-specific. Note that AEAD_CHACHA20_POLY1305
5452 * (RFC 7905) uses a nonce construction similar to TLS 1.3.
5453 */
5454 if (is_v12 && cipher_mode != MODE_POLY1305) {
5455 DISSECTOR_ASSERT(decoder->write_iv.data_len == IMPLICIT_NONCE_LEN)((void) ((decoder->write_iv.data_len == 4) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 5455, "decoder->write_iv.data_len == 4"))));
5456 /* Implicit (4) and explicit (8) part of nonce. */
5457 memcpy(nonce, decoder->write_iv.data, IMPLICIT_NONCE_LEN4);
5458 memcpy(nonce + IMPLICIT_NONCE_LEN4, explicit_nonce, EXPLICIT_NONCE_LEN8);
5459
5460 } else if (version == TLSV1DOT3_VERSION0x304 || version == DTLSV1DOT3_VERSION0xfefc || cipher_mode == MODE_POLY1305) {
5461 /*
5462 * Technically the nonce length must be at least 8 bytes, but for
5463 * AES-GCM, AES-CCM and Poly1305-ChaCha20 the nonce length is exact 12.
5464 */
5465 const unsigned nonce_len = 12;
5466 DISSECTOR_ASSERT(decoder->write_iv.data_len == nonce_len)((void) ((decoder->write_iv.data_len == nonce_len) ? (void
)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\""
, "epan/dissectors/packet-tls-utils.c", 5466, "decoder->write_iv.data_len == nonce_len"
))));
5467 memcpy(nonce, decoder->write_iv.data, decoder->write_iv.data_len);
5468 /* Sequence number is left-padded with zeroes and XORed with write_iv */
5469 phton64(nonce + nonce_len - 8, pntoh64(nonce + nonce_len - 8) ^ decoder->seq);
5470 ssl_debug_printf("%s seq %" PRIu64"l" "u" "\n", G_STRFUNC((const char*) (__func__)), decoder->seq);
5471 }
5472
5473 /* Set nonce and additional authentication data */
5474 gcry_cipher_reset(decoder->evp)gcry_cipher_ctl ((decoder->evp), GCRYCTL_RESET, ((void*)0)
, 0);
5475 ssl_print_data("nonce", nonce, 12);
5476 err = gcry_cipher_setiv(decoder->evp, nonce, 12);
5477 if (err) {
5478 ssl_debug_printf("%s failed to set nonce: %s\n", G_STRFUNC((const char*) (__func__)), gcry_strerror(err));
5479 return false0;
5480 }
5481
5482 /* (D)TLS 1.2 needs specific AAD, TLS 1.3 (before -25) uses empty AAD. */
5483 if (is_cid) { /* if connection ID */
5484 if (ssl->session.deprecated_cid) {
5485 aad_len = 14 + cidl;
5486 aad = wmem_alloc(wmem_packet_scope(), aad_len);
5487 phton64(aad, decoder->seq); /* record sequence number */
5488 phton16(aad, decoder->epoch); /* DTLS 1.2 includes epoch. */
5489 aad[8] = ct; /* TLSCompressed.type */
5490 phton16(aad + 9, record_version); /* TLSCompressed.version */
5491 memcpy(aad + 11, cid, cidl); /* cid */
5492 aad[11 + cidl] = cidl; /* cid_length */
5493 phton16(aad + 12 + cidl, ciphertext_len); /* TLSCompressed.length */
5494 } else {
5495 aad_len = 23 + cidl;
5496 aad = wmem_alloc(wmem_packet_scope(), aad_len);
5497 memset(aad, 0xFF, 8); /* seq_num_placeholder */
5498 aad[8] = ct; /* TLSCompressed.type */
5499 aad[9] = cidl; /* cid_length */
5500 aad[10] = ct; /* TLSCompressed.type */
5501 phton16(aad + 11, record_version); /* TLSCompressed.version */
5502 phton64(aad + 13, decoder->seq); /* record sequence number */
5503 phton16(aad + 13, decoder->epoch); /* DTLS 1.2 includes epoch. */
5504 memcpy(aad + 21, cid, cidl); /* cid */
5505 phton16(aad + 21 + cidl, ciphertext_len); /* TLSCompressed.length */
5506 }
5507 } else if (is_v12) {
5508 aad_len = 13;
5509 aad = wmem_alloc(wmem_packet_scope(), aad_len);
5510 phton64(aad, decoder->seq); /* record sequence number */
5511 if (version == DTLSV1DOT2_VERSION0xfefd) {
5512 phton16(aad, decoder->epoch); /* DTLS 1.2 includes epoch. */
5513 }
5514 aad[8] = ct; /* TLSCompressed.type */
5515 phton16(aad + 9, record_version); /* TLSCompressed.version */
5516 phton16(aad + 11, ciphertext_len); /* TLSCompressed.length */
5517 } else if (version == DTLSV1DOT3_VERSION0xfefc) {
5518 aad_len = decoder->dtls13_aad.data_len;
5519 aad = decoder->dtls13_aad.data;
5520 } else if (draft_version >= 25 || draft_version == 0) {
5521 aad_len = 5;
5522 aad = wmem_alloc(wmem_packet_scope(), aad_len);
5523 aad[0] = ct; /* TLSCiphertext.opaque_type (23) */
5524 phton16(aad + 1, record_version); /* TLSCiphertext.legacy_record_version (0x0303) */
5525 phton16(aad + 3, inl); /* TLSCiphertext.length */
5526 }
5527
5528 if (decoder->cipher_suite->mode == MODE_CCM || decoder->cipher_suite->mode == MODE_CCM_8) {
5529 /* size of plaintext, additional authenticated data and auth tag. */
5530 uint64_t lengths[3] = { ciphertext_len, aad_len, auth_tag_len };
5531
5532 gcry_cipher_ctl(decoder->evp, GCRYCTL_SET_CCM_LENGTHS, lengths, sizeof(lengths));
5533 }
5534
5535 if (aad && aad_len > 0) {
5536 ssl_print_data("AAD", aad, aad_len);
5537 err = gcry_cipher_authenticate(decoder->evp, aad, aad_len);
5538 if (err) {
5539 ssl_debug_printf("%s failed to set AAD: %s\n", G_STRFUNC((const char*) (__func__)), gcry_strerror(err));
5540 return false0;
5541 }
5542 }
5543
5544 /* Decrypt now that nonce and AAD are set. */
5545 err = gcry_cipher_decrypt(decoder->evp, out_str->data, out_str->data_len, ciphertext, ciphertext_len);
5546 if (err) {
5547 ssl_debug_printf("%s decrypt failed: %s\n", G_STRFUNC((const char*) (__func__)), gcry_strerror(err));
5548 return false0;
5549 }
5550
5551 /* Check authentication tag for authenticity (replaces MAC) */
5552 err = gcry_cipher_gettag(decoder->evp, auth_tag_calc, auth_tag_len);
5553 if (err == 0 && !memcmp(auth_tag_calc, auth_tag_wire, auth_tag_len)) {
5554 ssl_print_data("auth_tag(OK)", auth_tag_calc, auth_tag_len);
5555 } else {
5556 if (err) {
5557 ssl_debug_printf("%s cannot obtain tag: %s\n", G_STRFUNC((const char*) (__func__)), gcry_strerror(err));
5558 } else {
5559 ssl_debug_printf("%s auth tag mismatch\n", G_STRFUNC((const char*) (__func__)));
5560 ssl_print_data("auth_tag(expect)", auth_tag_calc, auth_tag_len);
5561 ssl_print_data("auth_tag(actual)", auth_tag_wire, auth_tag_len);
5562 }
5563 if (ignore_mac_failed) {
5564 ssl_debug_printf("%s: auth check failed, but ignored for troubleshooting ;-)\n", G_STRFUNC((const char*) (__func__)));
5565 } else {
5566 return false0;
5567 }
5568 }
5569
5570 /*
5571 * Increment the (implicit) sequence number for TLS 1.2/1.3 and TLCP 1.1. This is done
5572 * after successful authentication to ensure that early data is skipped when
5573 * CLIENT_EARLY_TRAFFIC_SECRET keys are unavailable.
5574 */
5575 if (version == TLSV1DOT2_VERSION0x303 || version == TLSV1DOT3_VERSION0x304 || version == TLCPV1_VERSION0x101) {
5576 decoder->seq++;
5577 }
5578
5579 ssl_print_data("Plaintext", out_str->data, ciphertext_len);
5580 *outl = ciphertext_len;
5581 return true1;
5582}
5583
5584/* Record decryption glue based on security parameters {{{ */
5585/* Assume that we are called only for a non-NULL decoder which also means that
5586 * we have a non-NULL decoder->cipher_suite. */
5587int
5588ssl_decrypt_record(SslDecryptSession *ssl, SslDecoder *decoder, uint8_t ct, uint16_t record_version,
5589 bool_Bool ignore_mac_failed,
5590 const unsigned char *in, uint16_t inl, const unsigned char *cid, uint8_t cidl,
5591 StringInfo *comp_str, StringInfo *out_str, unsigned *outl)
5592{
5593 unsigned pad, worklen, uncomplen, maclen, mac_fraglen = 0;
5594 uint8_t *mac = NULL((void*)0), *mac_frag = NULL((void*)0);
5595
5596 ssl_debug_printf("ssl_decrypt_record ciphertext len %d\n", inl);
5597 ssl_print_data("Ciphertext",in, inl);
5598
5599 if (((ssl->session.version == TLSV1DOT3_VERSION0x304 || ssl->session.version == DTLSV1DOT3_VERSION0xfefc))
5600 != (decoder->cipher_suite->kex == KEX_TLS130x23)) {
5601 ssl_debug_printf("%s Invalid cipher suite for the protocol version!\n", G_STRFUNC((const char*) (__func__)));
5602 return -1;
5603 }
5604
5605 /* ensure we have enough storage space for decrypted data */
5606 if (inl > out_str->data_len)
5607 {
5608 ssl_debug_printf("ssl_decrypt_record: allocating %d bytes for decrypt data (old len %d)\n",
5609 inl + 32, out_str->data_len);
5610 ssl_data_realloc(out_str, inl + 32);
5611 }
5612
5613 /* AEAD ciphers (GenericAEADCipher in TLS 1.2; TLS 1.3) have no padding nor
5614 * a separate MAC, so use a different routine for simplicity. */
5615 if (decoder->cipher_suite->mode == MODE_GCM ||
5616 decoder->cipher_suite->mode == MODE_CCM ||
5617 decoder->cipher_suite->mode == MODE_CCM_8 ||
5618 decoder->cipher_suite->mode == MODE_POLY1305 ||
5619 ssl->session.version == TLSV1DOT3_VERSION0x304 ||
5620 ssl->session.version == DTLSV1DOT3_VERSION0xfefc) {
5621
5622 if (!tls_decrypt_aead_record(ssl, decoder, ct, record_version, ignore_mac_failed, in, inl, cid, cidl, out_str, &worklen)) {
5623 /* decryption failed */
5624 return -1;
5625 }
5626
5627 goto skip_mac;
5628 }
5629
5630 /* RFC 6101/2246: SSLCipherText/TLSCipherText has two structures for types:
5631 * (notation: { unencrypted, [ encrypted ] })
5632 * GenericStreamCipher: { [content, mac] }
5633 * GenericBlockCipher: { IV (TLS 1.1+), [content, mac, padding, padding_len] }
5634 * RFC 5426 (TLS 1.2): TLSCipherText has additionally:
5635 * GenericAEADCipher: { nonce_explicit, [content] }
5636 * RFC 4347 (DTLS): based on TLS 1.1, only GenericBlockCipher is supported.
5637 * RFC 6347 (DTLS 1.2): based on TLS 1.2, includes GenericAEADCipher too.
5638 */
5639
5640 maclen = ssl_cipher_suite_dig(decoder->cipher_suite)->len;
5641
5642 /* (TLS 1.1 and later, DTLS) Extract explicit IV for GenericBlockCipher */
5643 if (decoder->cipher_suite->mode == MODE_CBC) {
5644 unsigned blocksize = 0;
5645
5646 switch (ssl->session.version) {
5647 case TLSV1DOT1_VERSION0x302:
5648 case TLSV1DOT2_VERSION0x303:
5649 case DTLSV1DOT0_VERSION0xfeff:
5650 case DTLSV1DOT2_VERSION0xfefd:
5651 case DTLSV1DOT3_VERSION0xfefc:
5652 case DTLSV1DOT0_OPENSSL_VERSION0x100:
5653 case TLCPV1_VERSION0x101:
5654 blocksize = ssl_get_cipher_blocksize(decoder->cipher_suite);
5655 if (inl < blocksize) {
5656 ssl_debug_printf("ssl_decrypt_record failed: input %d has no space for IV %d\n",
5657 inl, blocksize);
5658 return -1;
5659 }
5660 pad = gcry_cipher_setiv(decoder->evp, in, blocksize);
5661 if (pad != 0) {
5662 ssl_debug_printf("ssl_decrypt_record failed: failed to set IV: %s %s\n",
5663 gcry_strsource (pad), gcry_strerror (pad));
5664 }
5665
5666 inl -= blocksize;
5667 in += blocksize;
5668 break;
5669 }
5670
5671 /* Encrypt-then-MAC for (D)TLS (RFC 7366) */
5672 if (ssl->state & SSL_ENCRYPT_THEN_MAC(1<<11)) {
5673 /*
5674 * MAC is calculated over (IV + ) ENCRYPTED contents:
5675 *
5676 * MAC(MAC_write_key, ... +
5677 * IV + // for TLS 1.1 or greater
5678 * TLSCiphertext.enc_content);
5679 */
5680 if (inl < maclen) {
5681 ssl_debug_printf("%s failed: input %d has no space for MAC %d\n",
5682 G_STRFUNC((const char*) (__func__)), inl, maclen);
5683 return -1;
5684 }
5685 inl -= maclen;
5686 mac = (uint8_t *)in + inl;
5687 mac_frag = (uint8_t *)in - blocksize;
5688 mac_fraglen = blocksize + inl;
5689 }
5690 }
5691
5692 /* First decrypt*/
5693 if ((pad = ssl_cipher_decrypt(&decoder->evp, out_str->data, out_str->data_len, in, inl)) != 0) {
5694 ssl_debug_printf("ssl_decrypt_record failed: ssl_cipher_decrypt: %s %s\n", gcry_strsource (pad),
5695 gcry_strerror (pad));
5696 return -1;
5697 }
5698
5699 ssl_print_data("Plaintext", out_str->data, inl);
5700 worklen=inl;
5701
5702
5703 /* strip padding for GenericBlockCipher */
5704 if (decoder->cipher_suite->mode == MODE_CBC) {
5705 if (inl < 1) { /* Should this check happen earlier? */
5706 ssl_debug_printf("ssl_decrypt_record failed: input length %d too small\n", inl);
5707 return -1;
5708 }
5709 pad=out_str->data[inl-1];
5710 if (worklen <= pad) {
5711 ssl_debug_printf("ssl_decrypt_record failed: padding %d too large for work %d\n",
5712 pad, worklen);
5713 return -1;
5714 }
5715 worklen-=(pad+1);
5716 ssl_debug_printf("ssl_decrypt_record found padding %d final len %d\n",
5717 pad, worklen);
5718 }
5719
5720 /* MAC for GenericStreamCipher and GenericBlockCipher.
5721 * (normal case without Encrypt-then-MAC (RFC 7366) extension. */
5722 if (!mac) {
5723 /*
5724 * MAC is calculated over the DECRYPTED contents:
5725 *
5726 * MAC(MAC_write_key, ... + TLSCompressed.fragment);
5727 */
5728 if (worklen < maclen) {
5729 ssl_debug_printf("%s wrong record len/padding outlen %d\n work %d\n", G_STRFUNC((const char*) (__func__)), *outl, worklen);
5730 return -1;
5731 }
5732 worklen -= maclen;
5733 mac = out_str->data + worklen;
5734 mac_frag = out_str->data;
5735 mac_fraglen = worklen;
5736 }
5737
5738 /* If NULL encryption active and no keys are available, do not bother
5739 * checking the MAC. We do not have keys for that. */
5740 if (decoder->cipher_suite->mode == MODE_STREAM &&
5741 decoder->cipher_suite->enc == ENC_NULL0x3D &&
5742 !(ssl->state & SSL_MASTER_SECRET(1<<5))) {
5743 ssl_debug_printf("MAC check skipped due to missing keys\n");
5744 goto skip_mac;
5745 }
5746
5747 /* Now check the MAC */
5748 ssl_debug_printf("checking mac (len %d, version %X, ct %d seq %" PRIu64"l" "u" ")\n",
5749 worklen, ssl->session.version, ct, decoder->seq);
5750 if(ssl->session.version==SSLV3_VERSION0x300){
5751 if(ssl3_check_mac(decoder,ct,mac_frag,mac_fraglen,mac) < 0) {
5752 if(ignore_mac_failed) {
5753 ssl_debug_printf("ssl_decrypt_record: mac failed, but ignored for troubleshooting ;-)\n");
5754 }
5755 else{
5756 ssl_debug_printf("ssl_decrypt_record: mac failed\n");
5757 return -1;
5758 }
5759 }
5760 else{
5761 ssl_debug_printf("ssl_decrypt_record: mac ok\n");
5762 }
5763 }
5764 else if(ssl->session.version==TLSV1_VERSION0x301 || ssl->session.version==TLSV1DOT1_VERSION0x302 || ssl->session.version==TLSV1DOT2_VERSION0x303 || ssl->session.version==TLCPV1_VERSION0x101){
5765 if(tls_check_mac(decoder,ct,ssl->session.version,mac_frag,mac_fraglen,mac)< 0) {
5766 if(ignore_mac_failed) {
5767 ssl_debug_printf("ssl_decrypt_record: mac failed, but ignored for troubleshooting ;-)\n");
5768 }
5769 else{
5770 ssl_debug_printf("ssl_decrypt_record: mac failed\n");
5771 return -1;
5772 }
5773 }
5774 else{
5775 ssl_debug_printf("ssl_decrypt_record: mac ok\n");
5776 }
5777 }
5778 else if(ssl->session.version==DTLSV1DOT0_VERSION0xfeff ||
5779 ssl->session.version==DTLSV1DOT2_VERSION0xfefd ||
5780 ssl->session.version==DTLSV1DOT0_OPENSSL_VERSION0x100){
5781 /* Try rfc-compliant mac first, and if failed, try old openssl's non-rfc-compliant mac */
5782 if(dtls_check_mac(ssl,decoder,ct,mac_frag,mac_fraglen,mac,cid,cidl)>= 0) {
5783 ssl_debug_printf("ssl_decrypt_record: mac ok\n");
5784 }
5785 else if(tls_check_mac(decoder,ct,TLSV1_VERSION0x301,mac_frag,mac_fraglen,mac)>= 0) {
5786 ssl_debug_printf("ssl_decrypt_record: dtls rfc-compliant mac failed, but old openssl's non-rfc-compliant mac ok\n");
5787 }
5788 else if(ignore_mac_failed) {
5789 ssl_debug_printf("ssl_decrypt_record: mac failed, but ignored for troubleshooting ;-)\n");
5790 }
5791 else{
5792 ssl_debug_printf("ssl_decrypt_record: mac failed\n");
5793 return -1;
5794 }
5795 }
5796skip_mac:
5797
5798 *outl = worklen;
5799
5800 if (decoder->compression > 0) {
5801 ssl_debug_printf("ssl_decrypt_record: compression method %d\n", decoder->compression);
5802 ssl_data_copy(comp_str, out_str);
5803 ssl_print_data("Plaintext compressed", comp_str->data, worklen);
5804 if (!decoder->decomp) {
5805 ssl_debug_printf("decrypt_ssl3_record: no decoder available\n");
5806 return -1;
5807 }
5808 if (ssl_decompress_record(decoder->decomp, comp_str->data, worklen, out_str, &uncomplen) < 0) return -1;
5809 ssl_print_data("Plaintext uncompressed", out_str->data, uncomplen);
5810 *outl = uncomplen;
5811 }
5812
5813 return 0;
5814}
5815/* Record decryption glue based on security parameters }}} */
5816
5817
5818
5819#ifdef HAVE_LIBGNUTLS1
5820
5821/* RSA private key file processing {{{ */
5822static void
5823ssl_find_private_key_by_pubkey(SslDecryptSession *ssl,
5824 gnutls_datum_t *subjectPublicKeyInfo)
5825{
5826 gnutls_pubkey_t pubkey = NULL((void*)0);
5827 cert_key_id_t key_id;
5828 size_t key_id_len = sizeof(key_id);
5829 int r;
5830
5831 if (!subjectPublicKeyInfo->size) {
5832 ssl_debug_printf("%s: could not find SubjectPublicKeyInfo\n", G_STRFUNC((const char*) (__func__)));
5833 return;
5834 }
5835
5836 r = gnutls_pubkey_init(&pubkey);
5837 if (r < 0) {
5838 ssl_debug_printf("%s: failed to init pubkey: %s\n",
5839 G_STRFUNC((const char*) (__func__)), gnutls_strerror(r));
5840 return;
5841 }
5842
5843 r = gnutls_pubkey_import(pubkey, subjectPublicKeyInfo, GNUTLS_X509_FMT_DER);
5844 if (r < 0) {
5845 ssl_debug_printf("%s: failed to import pubkey from handshake: %s\n",
5846 G_STRFUNC((const char*) (__func__)), gnutls_strerror(r));
5847 goto end;
5848 }
5849
5850 if (gnutls_pubkey_get_pk_algorithm(pubkey, NULL((void*)0)) != GNUTLS_PK_RSA) {
5851 ssl_debug_printf("%s: Not a RSA public key - ignoring.\n", G_STRFUNC((const char*) (__func__)));
5852 goto end;
5853 }
5854
5855 /* Generate a 20-byte SHA-1 hash. */
5856 r = gnutls_pubkey_get_key_id(pubkey, 0, key_id.key_id, &key_id_len);
5857 if (r < 0) {
5858 ssl_debug_printf("%s: failed to extract key id from pubkey: %s\n",
5859 G_STRFUNC((const char*) (__func__)), gnutls_strerror(r));
5860 goto end;
5861 }
5862
5863 if (key_id_len != sizeof(key_id)) {
5864 ssl_debug_printf("%s: expected Key ID size %zu, got %zu\n",
5865 G_STRFUNC((const char*) (__func__)), sizeof(key_id), key_id_len);
5866 goto end;
5867 }
5868
5869 ssl_print_data("Certificate.KeyID", key_id.key_id, key_id_len);
5870 ssl->cert_key_id = wmem_new(wmem_file_scope(), cert_key_id_t)((cert_key_id_t*)wmem_alloc((wmem_file_scope()), sizeof(cert_key_id_t
)));
5871 *ssl->cert_key_id = key_id;
5872
5873end:
5874 gnutls_pubkey_deinit(pubkey);
5875}
5876
5877/* RSA private key file processing }}} */
5878#endif /* HAVE_LIBGNUTLS */
5879
5880/*--- Start of dissector-related code below ---*/
5881
5882/* get ssl data for this session. if no ssl data is found allocate a new one*/
5883SslDecryptSession *
5884ssl_get_session(conversation_t *conversation, dissector_handle_t tls_handle)
5885{
5886 void *conv_data;
5887 SslDecryptSession *ssl_session;
5888 int proto_ssl;
5889
5890 proto_ssl = dissector_handle_get_protocol_index(tls_handle);
5891 conv_data = conversation_get_proto_data(conversation, proto_ssl);
5892 if (conv_data != NULL((void*)0))
5893 return (SslDecryptSession *)conv_data;
5894
5895 /* no previous SSL conversation info, initialize it. */
5896 ssl_session = wmem_new0(wmem_file_scope(), SslDecryptSession)((SslDecryptSession*)wmem_alloc0((wmem_file_scope()), sizeof(
SslDecryptSession)));
5897
5898 /* data_len is the part that is meaningful, not the allocated length */
5899 ssl_session->master_secret.data_len = 0;
5900 ssl_session->master_secret.data = ssl_session->_master_secret;
5901 ssl_session->session_id.data_len = 0;
5902 ssl_session->session_id.data = ssl_session->_session_id;
5903 ssl_session->client_random.data_len = 0;
5904 ssl_session->client_random.data = ssl_session->_client_random;
5905 ssl_session->server_random.data_len = 0;
5906 ssl_session->server_random.data = ssl_session->_server_random;
5907 ssl_session->session_ticket.data_len = 0;
5908 ssl_session->session_ticket.data = NULL((void*)0); /* will be re-alloced as needed */
5909 ssl_session->server_data_for_iv.data_len = 0;
5910 ssl_session->server_data_for_iv.data = ssl_session->_server_data_for_iv;
5911 ssl_session->client_data_for_iv.data_len = 0;
5912 ssl_session->client_data_for_iv.data = ssl_session->_client_data_for_iv;
5913 ssl_session->app_data_segment.data = NULL((void*)0);
5914 ssl_session->app_data_segment.data_len = 0;
5915 ssl_session->handshake_data.data=NULL((void*)0);
5916 ssl_session->handshake_data.data_len=0;
5917 ssl_session->ech_transcript.data=NULL((void*)0);
5918 ssl_session->ech_transcript.data_len=0;
5919
5920 /* Initialize parameters which are not necessary specific to decryption. */
5921 ssl_session->session.version = SSL_VER_UNKNOWN0;
5922 clear_address(&ssl_session->session.srv_addr);
5923 ssl_session->session.srv_ptype = PT_NONE;
5924 ssl_session->session.srv_port = 0;
5925 ssl_session->session.dtls13_current_epoch[0] = ssl_session->session.dtls13_current_epoch[1] = 0;
5926 ssl_session->session.dtls13_next_seq_num[0] = ssl_session->session.dtls13_next_seq_num[1] = 0;
5927 ssl_session->session.client_random.data_len = 0;
5928 ssl_session->session.client_random.data = ssl_session->session._client_random;
5929 memset(ssl_session->session.ech_confirmation, 0, sizeof(ssl_session->session.ech_confirmation));
5930 memset(ssl_session->session.hrr_ech_confirmation, 0, sizeof(ssl_session->session.hrr_ech_confirmation));
5931 memset(ssl_session->session.first_ech_auth_tag, 0, sizeof(ssl_session->session.first_ech_auth_tag));
5932 ssl_session->session.ech = FALSE(0);
5933 ssl_session->session.hrr_ech_declined = FALSE(0);
5934 ssl_session->session.first_ch_ech_frame = 0;
5935
5936 conversation_add_proto_data(conversation, proto_ssl, ssl_session);
5937 return ssl_session;
5938}
5939
5940void ssl_reset_session(SslSession *session, SslDecryptSession *ssl, bool_Bool is_client)
5941{
5942 if (ssl) {
5943 /* Ensure that secrets are not restored using stale identifiers. Split
5944 * between client and server in case the packets somehow got out of order. */
5945 int clear_flags = SSL_HAVE_SESSION_KEY(1<<3) | SSL_MASTER_SECRET(1<<5) | SSL_PRE_MASTER_SECRET(1<<6);
5946
5947 if (is_client) {
5948 clear_flags |= SSL_CLIENT_EXTENDED_MASTER_SECRET(1<<7);
5949 ssl->session_id.data_len = 0;
5950 ssl->session_ticket.data_len = 0;
5951 ssl->master_secret.data_len = 0;
5952 ssl->client_random.data_len = 0;
5953 ssl->has_early_data = false0;
5954 if (ssl->handshake_data.data_len > 0) {
5955 // The EMS handshake hash starts with at the Client Hello,
5956 // ensure that any messages before it are forgotten.
5957 wmem_free(wmem_file_scope(), ssl->handshake_data.data);
5958 ssl->handshake_data.data = NULL((void*)0);
5959 ssl->handshake_data.data_len = 0;
5960 }
5961 } else {
5962 clear_flags |= SSL_SERVER_EXTENDED_MASTER_SECRET(1<<8) | SSL_NEW_SESSION_TICKET(1<<10);
5963 ssl->server_random.data_len = 0;
5964 ssl->pre_master_secret.data_len = 0;
5965#ifdef HAVE_LIBGNUTLS1
5966 ssl->cert_key_id = NULL((void*)0);
5967#endif
5968 ssl->psk.data_len = 0;
5969 }
5970
5971 if (ssl->state & clear_flags) {
5972 ssl_debug_printf("%s detected renegotiation, clearing 0x%02x (%s side)\n",
5973 G_STRFUNC((const char*) (__func__)), ssl->state & clear_flags, is_client ? "client" : "server");
5974 ssl->state &= ~clear_flags;
5975 }
5976 }
5977
5978 /* These flags might be used for non-decryption purposes and may affect the
5979 * dissection, so reset them as well. */
5980 if (is_client) {
5981 session->client_cert_type = 0;
5982 } else {
5983 session->compression = 0;
5984 session->server_cert_type = 0;
5985 /* session->is_session_resumed is already handled in the ServerHello dissection. */
5986 }
5987 session->dtls13_next_seq_num[0] = session->dtls13_next_seq_num[1] = 0;
5988 session->dtls13_current_epoch[0] = session->dtls13_current_epoch[1] = 0;
5989}
5990
5991void
5992tls_set_appdata_dissector(dissector_handle_t tls_handle, packet_info *pinfo,
5993 dissector_handle_t app_handle)
5994{
5995 conversation_t *conversation;
5996 SslSession *session;
5997
5998 /* Ignore if the TLS or other dissector is disabled. */
5999 if (!tls_handle || !app_handle)
6000 return;
6001
6002 conversation = find_or_create_conversation(pinfo);
6003 session = &ssl_get_session(conversation, tls_handle)->session;
6004 session->app_handle = app_handle;
6005}
6006
6007static uint32_t
6008ssl_starttls(dissector_handle_t tls_handle, packet_info *pinfo,
6009 dissector_handle_t app_handle, uint32_t last_nontls_frame)
6010{
6011 conversation_t *conversation;
6012 SslSession *session;
6013
6014 /* Ignore if the TLS dissector is disabled. */
6015 if (!tls_handle)
6016 return 0;
6017 /* The caller should always pass a valid handle to its own dissector. */
6018 DISSECTOR_ASSERT(app_handle)((void) ((app_handle) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 6018, "app_handle"))));
6019
6020 conversation = find_or_create_conversation(pinfo);
6021 session = &ssl_get_session(conversation, tls_handle)->session;
6022
6023 ssl_debug_printf("%s: old frame %d, app_handle=%p (%s)\n", G_STRFUNC((const char*) (__func__)),
6024 session->last_nontls_frame,
6025 (void *)session->app_handle,
6026 dissector_handle_get_dissector_name(session->app_handle));
6027 ssl_debug_printf("%s: current frame %d, app_handle=%p (%s)\n", G_STRFUNC((const char*) (__func__)),
6028 pinfo->num, (void *)app_handle,
6029 dissector_handle_get_dissector_name(app_handle));
6030
6031 /* Do not switch again if a dissector did it before. */
6032 if (session->last_nontls_frame) {
6033 ssl_debug_printf("%s: not overriding previous app handle!\n", G_STRFUNC((const char*) (__func__)));
6034 return session->last_nontls_frame;
6035 }
6036
6037 session->app_handle = app_handle;
6038 /* The TLS dissector should be called first for this conversation. */
6039 conversation_set_dissector(conversation, tls_handle);
6040 /* TLS starts after this frame. */
6041 session->last_nontls_frame = last_nontls_frame;
6042 return 0;
6043}
6044
6045/* ssl_starttls_ack: mark future frames as encrypted. */
6046uint32_t
6047ssl_starttls_ack(dissector_handle_t tls_handle, packet_info *pinfo,
6048 dissector_handle_t app_handle)
6049{
6050 return ssl_starttls(tls_handle, pinfo, app_handle, pinfo->num);
6051}
6052
6053uint32_t
6054ssl_starttls_post_ack(dissector_handle_t tls_handle, packet_info *pinfo,
6055 dissector_handle_t app_handle)
6056{
6057 return ssl_starttls(tls_handle, pinfo, app_handle, pinfo->num - 1);
6058}
6059
6060dissector_handle_t
6061ssl_find_appdata_dissector(const char *name)
6062{
6063 /* Accept 'http' for backwards compatibility and sanity. */
6064 if (!strcmp(name, "http"))
6065 name = "http-over-tls";
6066 /* XXX - Should this check to see if the dissector is actually added for
6067 * Decode As in the appropriate table?
6068 */
6069 return find_dissector(name);
6070}
6071
6072/* Functions for TLS/DTLS sessions and RSA private keys hashtables. {{{ */
6073static int
6074ssl_equal (const void *v, const void *v2)
6075{
6076 const StringInfo *val1;
6077 const StringInfo *val2;
6078 val1 = (const StringInfo *)v;
6079 val2 = (const StringInfo *)v2;
6080
6081 if (val1->data_len == val2->data_len &&
6082 !memcmp(val1->data, val2->data, val2->data_len)) {
6083 return 1;
6084 }
6085 return 0;
6086}
6087
6088static unsigned
6089ssl_hash (const void *v)
6090{
6091 unsigned l,hash;
6092 const StringInfo* id;
6093 const unsigned* cur;
6094 hash = 0;
6095 id = (const StringInfo*) v;
6096
6097 /* id and id->data are mallocated in ssl_save_master_key(). As such 'data'
6098 * should be aligned for any kind of access (for example as a unsigned as
6099 * is done below). The intermediate void* cast is to prevent "cast
6100 * increases required alignment of target type" warnings on CPUs (such
6101 * as SPARCs) that do not allow misaligned memory accesses.
6102 */
6103 cur = (const unsigned*)(void*) id->data;
6104
6105 for (l=4; (l < id->data_len); l+=4, cur++)
6106 hash = hash ^ (*cur);
6107
6108 return hash;
6109}
6110/* Functions for TLS/DTLS sessions and RSA private keys hashtables. }}} */
6111
6112/* Handling of association between tls/dtls ports and clear text protocol. {{{ */
6113void
6114ssl_association_add(const char* dissector_table_name, dissector_handle_t main_handle, dissector_handle_t subdissector_handle, unsigned port, bool_Bool tcp)
6115{
6116 DISSECTOR_ASSERT(main_handle)((void) ((main_handle) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 6116, "main_handle"))));
6117 DISSECTOR_ASSERT(subdissector_handle)((void) ((subdissector_handle) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 6117, "subdissector_handle"))));
6118 /* Registration is required for Export PDU feature to work properly. */
6119 DISSECTOR_ASSERT_HINT(dissector_handle_get_dissector_name(subdissector_handle),((void) ((dissector_handle_get_dissector_name(subdissector_handle
)) ? (void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\" (%s)"
, "epan/dissectors/packet-tls-utils.c", 6120, "dissector_handle_get_dissector_name(subdissector_handle)"
, "SSL appdata dissectors must register with register_dissector()!"
))))
6120 "SSL appdata dissectors must register with register_dissector()!")((void) ((dissector_handle_get_dissector_name(subdissector_handle
)) ? (void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\" (%s)"
, "epan/dissectors/packet-tls-utils.c", 6120, "dissector_handle_get_dissector_name(subdissector_handle)"
, "SSL appdata dissectors must register with register_dissector()!"
))));
6121 ssl_debug_printf("association_add %s port %d handle %p\n", dissector_table_name, port, (void *)subdissector_handle);
6122
6123 if (port) {
6124 dissector_add_uint(dissector_table_name, port, subdissector_handle);
6125 if (tcp)
6126 dissector_add_uint("tcp.port", port, main_handle);
6127 else
6128 dissector_add_uint("udp.port", port, main_handle);
6129 dissector_add_uint("sctp.port", port, main_handle);
6130 } else {
6131 dissector_add_for_decode_as(dissector_table_name, subdissector_handle);
6132 }
6133}
6134
6135void
6136ssl_association_remove(const char* dissector_table_name, dissector_handle_t main_handle, dissector_handle_t subdissector_handle, unsigned port, bool_Bool tcp)
6137{
6138 ssl_debug_printf("ssl_association_remove removing %s %u - handle %p\n",
6139 tcp?"TCP":"UDP", port, (void *)subdissector_handle);
6140 if (main_handle) {
6141 dissector_delete_uint(tcp?"tcp.port":"udp.port", port, main_handle);
6142 dissector_delete_uint("sctp.port", port, main_handle);
6143 }
6144
6145 if (port) {
6146 dissector_delete_uint(dissector_table_name, port, subdissector_handle);
6147 }
6148}
6149
6150void
6151ssl_set_server(SslSession *session, address *addr, port_type ptype, uint32_t port)
6152{
6153 copy_address_wmem(wmem_file_scope(), &session->srv_addr, addr);
6154 session->srv_ptype = ptype;
6155 session->srv_port = port;
6156}
6157
6158int
6159ssl_packet_from_server(SslSession *session, dissector_table_t table, const packet_info *pinfo)
6160{
6161 int ret;
6162 if (session && session->srv_addr.type != AT_NONE) {
6163 ret = (session->srv_ptype == pinfo->ptype) &&
6164 (session->srv_port == pinfo->srcport) &&
6165 addresses_equal(&session->srv_addr, &pinfo->src);
6166 } else {
6167 ret = (dissector_get_uint_handle(table, pinfo->srcport) != 0);
6168 }
6169
6170 ssl_debug_printf("packet_from_server: is from server - %s\n", (ret)?"TRUE":"FALSE");
6171 return ret;
6172}
6173/* Handling of association between tls/dtls ports and clear text protocol. }}} */
6174
6175
6176/* Links SSL records with the real packet data. {{{ */
6177SslPacketInfo *
6178tls_add_packet_info(int proto, packet_info *pinfo, uint8_t curr_layer_num_ssl)
6179{
6180 SslPacketInfo *pi = (SslPacketInfo *)p_get_proto_data(wmem_file_scope(), pinfo, proto, curr_layer_num_ssl);
6181 if (!pi) {
6182 pi = wmem_new0(wmem_file_scope(), SslPacketInfo)((SslPacketInfo*)wmem_alloc0((wmem_file_scope()), sizeof(SslPacketInfo
)));
6183 pi->srcport = pinfo->srcport;
6184 pi->destport = pinfo->destport;
6185 p_add_proto_data(wmem_file_scope(), pinfo, proto, curr_layer_num_ssl, pi);
6186 }
6187
6188 return pi;
6189}
6190
6191/**
6192 * Remembers the decrypted TLS record fragment (TLSInnerPlaintext in TLS 1.3) to
6193 * avoid the need for a decoder in the second pass. Additionally, it remembers
6194 * sequence numbers (for reassembly and Follow TLS Stream).
6195 *
6196 * @param proto The protocol identifier (proto_ssl or proto_dtls).
6197 * @param pinfo The packet where the record originates from.
6198 * @param data Decrypted data to store in the record.
6199 * @param data_len Length of decrypted record data.
6200 * @param record_id The identifier for this record within the current packet.
6201 * @param flow Information about sequence numbers, etc.
6202 * @param type TLS Content Type (such as handshake or application_data).
6203 * @param curr_layer_num_ssl The layer identifier for this TLS session.
6204 */
6205void
6206ssl_add_record_info(int proto, packet_info *pinfo, const unsigned char *data, int data_len, int record_id, SslFlow *flow, ContentType type, uint8_t curr_layer_num_ssl)
6207{
6208 SslRecordInfo* rec, **prec;
6209 SslPacketInfo *pi = tls_add_packet_info(proto, pinfo, curr_layer_num_ssl);
6210
6211 rec = wmem_new(wmem_file_scope(), SslRecordInfo)((SslRecordInfo*)wmem_alloc((wmem_file_scope()), sizeof(SslRecordInfo
)));
6212 rec->plain_data = (unsigned char *)wmem_memdup(wmem_file_scope(), data, data_len);
6213 rec->data_len = data_len;
6214 rec->id = record_id;
6215 rec->type = type;
6216 rec->next = NULL((void*)0);
6217
6218 if (flow && type == SSL_ID_APP_DATA) {
6219 rec->seq = flow->byte_seq;
6220 rec->flow = flow;
6221 flow->byte_seq += data_len;
6222 ssl_debug_printf("%s stored decrypted record seq=%d nxtseq=%d flow=%p\n",
6223 G_STRFUNC((const char*) (__func__)), rec->seq, rec->seq + data_len, (void*)flow);
6224 }
6225
6226 /* Remember decrypted records. */
6227 prec = &pi->records;
6228 while (*prec) prec = &(*prec)->next;
6229 *prec = rec;
6230}
6231
6232/* search in packet data for the specified id; return a newly created tvb for the associated data */
6233tvbuff_t*
6234ssl_get_record_info(tvbuff_t *parent_tvb, int proto, packet_info *pinfo, int record_id, uint8_t curr_layer_num_ssl, SslRecordInfo **matched_record)
6235{
6236 SslRecordInfo* rec;
6237 SslPacketInfo* pi;
6238 pi = (SslPacketInfo *)p_get_proto_data(wmem_file_scope(), pinfo, proto, curr_layer_num_ssl);
6239
6240 if (!pi)
6241 return NULL((void*)0);
6242
6243 for (rec = pi->records; rec; rec = rec->next)
6244 if (rec->id == record_id) {
6245 *matched_record = rec;
6246 /* link new real_data_tvb with a parent tvb so it is freed when frame dissection is complete */
6247 return tvb_new_child_real_data(parent_tvb, rec->plain_data, rec->data_len, rec->data_len);
6248 }
6249
6250 return NULL((void*)0);
6251}
6252/* Links SSL records with the real packet data. }}} */
6253
6254/* initialize/reset per capture state data (ssl sessions cache). {{{ */
6255void
6256ssl_common_init(ssl_master_key_map_t *mk_map,
6257 StringInfo *decrypted_data, StringInfo *compressed_data)
6258{
6259 mk_map->session = g_hash_table_new(ssl_hash, ssl_equal);
6260 mk_map->tickets = g_hash_table_new(ssl_hash, ssl_equal);
6261 mk_map->crandom = g_hash_table_new(ssl_hash, ssl_equal);
6262 mk_map->pre_master = g_hash_table_new(ssl_hash, ssl_equal);
6263 mk_map->pms = g_hash_table_new(ssl_hash, ssl_equal);
6264 mk_map->tls13_client_early = g_hash_table_new(ssl_hash, ssl_equal);
6265 mk_map->tls13_client_handshake = g_hash_table_new(ssl_hash, ssl_equal);
6266 mk_map->tls13_server_handshake = g_hash_table_new(ssl_hash, ssl_equal);
6267 mk_map->tls13_client_appdata = g_hash_table_new(ssl_hash, ssl_equal);
6268 mk_map->tls13_server_appdata = g_hash_table_new(ssl_hash, ssl_equal);
6269 mk_map->tls13_early_exporter = g_hash_table_new(ssl_hash, ssl_equal);
6270 mk_map->tls13_exporter = g_hash_table_new(ssl_hash, ssl_equal);
6271
6272 mk_map->ech_secret = g_hash_table_new(ssl_hash, ssl_equal);
6273 mk_map->ech_config = g_hash_table_new(ssl_hash, ssl_equal);
6274
6275 mk_map->used_crandom = g_hash_table_new(ssl_hash, ssl_equal);
6276
6277 ssl_data_alloc(decrypted_data, 32);
6278 ssl_data_alloc(compressed_data, 32);
6279}
6280
6281void
6282ssl_common_cleanup(ssl_master_key_map_t *mk_map, FILE **ssl_keylog_file,
6283 StringInfo *decrypted_data, StringInfo *compressed_data)
6284{
6285 g_hash_table_destroy(mk_map->session);
6286 g_hash_table_destroy(mk_map->tickets);
6287 g_hash_table_destroy(mk_map->crandom);
6288 g_hash_table_destroy(mk_map->pre_master);
6289 g_hash_table_destroy(mk_map->pms);
6290 g_hash_table_destroy(mk_map->tls13_client_early);
6291 g_hash_table_destroy(mk_map->tls13_client_handshake);
6292 g_hash_table_destroy(mk_map->tls13_server_handshake);
6293 g_hash_table_destroy(mk_map->tls13_client_appdata);
6294 g_hash_table_destroy(mk_map->tls13_server_appdata);
6295 g_hash_table_destroy(mk_map->tls13_early_exporter);
6296 g_hash_table_destroy(mk_map->tls13_exporter);
6297
6298 g_hash_table_destroy(mk_map->ech_secret);
6299 g_hash_table_destroy(mk_map->ech_config);
6300
6301 g_hash_table_destroy(mk_map->used_crandom);
6302
6303 g_free(decrypted_data->data);
6304 g_free(compressed_data->data);
6305
6306 /* close the previous keylog file now that the cache are cleared, this
6307 * allows the cache to be filled with the full keylog file contents. */
6308 if (*ssl_keylog_file) {
6309 fclose(*ssl_keylog_file);
6310 *ssl_keylog_file = NULL((void*)0);
6311 }
6312}
6313/* }}} */
6314
6315/* parse ssl related preferences (private keys and ports association strings) */
6316#if defined(HAVE_LIBGNUTLS1)
6317/* Load a single RSA key file item from preferences. {{{ */
6318void
6319ssl_parse_key_list(const ssldecrypt_assoc_t *uats, GHashTable *key_hash, const char* dissector_table_name, dissector_handle_t main_handle, bool_Bool tcp)
6320{
6321 gnutls_x509_privkey_t x509_priv_key;
6322 gnutls_privkey_t priv_key = NULL((void*)0);
6323 FILE* fp = NULL((void*)0);
6324 int ret;
6325 size_t key_id_len = 20;
6326 unsigned char *key_id = NULL((void*)0);
6327 char *err = NULL((void*)0);
6328 dissector_handle_t handle;
6329 /* try to load keys file first */
6330 fp = ws_fopenfopen(uats->keyfile, "rb");
6331 if (!fp) {
6332 report_open_failure(uats->keyfile, errno(*__errno_location ()), false0);
6333 return;
6334 }
6335
6336 if ((int)strlen(uats->password) == 0) {
6337 x509_priv_key = rsa_load_pem_key(fp, &err);
6338 } else {
6339 x509_priv_key = rsa_load_pkcs12(fp, uats->password, &err);
6340 }
6341 fclose(fp);
6342
6343 if (!x509_priv_key) {
6344 if (err) {
6345 report_failure("Can't load private key from %s: %s",
6346 uats->keyfile, err);
6347 g_free(err);
6348 } else
6349 report_failure("Can't load private key from %s: unknown error",
6350 uats->keyfile);
6351 return;
6352 }
6353 if (err) {
6354 report_failure("Load of private key from %s \"succeeded\" with error %s",
6355 uats->keyfile, err);
6356 g_free(err);
6357 }
6358
6359 gnutls_privkey_init(&priv_key);
6360 ret = gnutls_privkey_import_x509(priv_key, x509_priv_key,
6361 GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE|GNUTLS_PRIVKEY_IMPORT_COPY);
6362 if (ret < 0) {
6363 report_failure("Can't convert private key %s: %s",
6364 uats->keyfile, gnutls_strerror(ret));
6365 goto end;
6366 }
6367
6368 key_id = (unsigned char *) g_malloc0(key_id_len);
6369 ret = gnutls_x509_privkey_get_key_id(x509_priv_key, 0, key_id, &key_id_len);
6370 if (ret < 0) {
6371 report_failure("Can't calculate public key ID for %s: %s",
6372 uats->keyfile, gnutls_strerror(ret));
6373 goto end;
6374 }
6375 ssl_print_data("KeyID", key_id, key_id_len);
6376 if (key_id_len != 20) {
6377 report_failure("Expected Key ID size %u for %s, got %zu", 20,
6378 uats->keyfile, key_id_len);
6379 goto end;
6380 }
6381
6382 g_hash_table_replace(key_hash, key_id, priv_key);
6383 key_id = NULL((void*)0); /* used in key_hash, do not free. */
6384 priv_key = NULL((void*)0);
6385 ssl_debug_printf("ssl_init private key file %s successfully loaded.\n", uats->keyfile);
6386
6387 handle = ssl_find_appdata_dissector(uats->protocol);
6388 if (handle) {
6389 /* Port to subprotocol mapping */
6390 uint16_t port = 0;
6391 if (ws_strtou16(uats->port, NULL((void*)0), &port)) {
6392 if (port > 0) {
6393 ssl_debug_printf("ssl_init port '%d' filename '%s' password(only for p12 file) '%s'\n",
6394 port, uats->keyfile, uats->password);
6395
6396 ssl_association_add(dissector_table_name, main_handle, handle, port, tcp);
6397 }
6398 } else {
6399 if (strcmp(uats->port, "start_tls"))
6400 ssl_debug_printf("invalid ssl_init_port: %s\n", uats->port);
6401 }
6402 }
6403
6404end:
6405 gnutls_x509_privkey_deinit(x509_priv_key);
6406 gnutls_privkey_deinit(priv_key);
6407 g_free(key_id);
6408}
6409/* }}} */
6410#endif
6411
6412
6413/* Store/load a known (pre-)master secret from/for this SSL session. {{{ */
6414/** store a known (pre-)master secret into cache */
6415static void
6416ssl_save_master_key(const char *label, GHashTable *ht, StringInfo *key,
6417 StringInfo *mk)
6418{
6419 StringInfo *ht_key, *master_secret;
6420
6421 if (key->data_len == 0) {
6422 ssl_debug_printf("%s: not saving empty %s!\n", G_STRFUNC((const char*) (__func__)), label);
6423 return;
6424 }
6425
6426 if (mk->data_len == 0) {
6427 ssl_debug_printf("%s not saving empty (pre-)master secret for %s!\n",
6428 G_STRFUNC((const char*) (__func__)), label);
6429 return;
6430 }
6431
6432 /* ssl_hash() depends on session_ticket->data being aligned for unsigned access
6433 * so be careful in changing how it is allocated. */
6434 ht_key = ssl_data_clone(key);
6435 master_secret = ssl_data_clone(mk);
6436 g_hash_table_insert(ht, ht_key, master_secret);
6437
6438 ssl_debug_printf("%s inserted (pre-)master secret for %s\n", G_STRFUNC((const char*) (__func__)), label);
6439 ssl_print_string("stored key", ht_key);
6440 ssl_print_string("stored (pre-)master secret", master_secret);
6441}
6442
6443/** restore a (pre-)master secret given some key in the cache */
6444static bool_Bool
6445ssl_restore_master_key(SslDecryptSession *ssl, const char *label,
6446 bool_Bool is_pre_master, GHashTable *ht, StringInfo *key)
6447{
6448 StringInfo *ms;
6449
6450 if (key->data_len == 0) {
6451 ssl_debug_printf("%s can't restore %smaster secret using an empty %s\n",
6452 G_STRFUNC((const char*) (__func__)), is_pre_master ? "pre-" : "", label);
6453 return false0;
6454 }
6455
6456 ms = (StringInfo *)g_hash_table_lookup(ht, key);
6457 if (!ms) {
6458 ssl_debug_printf("%s can't find %smaster secret by %s\n", G_STRFUNC((const char*) (__func__)),
6459 is_pre_master ? "pre-" : "", label);
6460 return false0;
6461 }
6462
6463 /* (pre)master secret found, clear knowledge of other keys and set it in the
6464 * current conversation */
6465 ssl->state &= ~(SSL_MASTER_SECRET(1<<5) | SSL_PRE_MASTER_SECRET(1<<6) |
6466 SSL_HAVE_SESSION_KEY(1<<3));
6467 if (is_pre_master) {
6468 /* unlike master secret, pre-master secret has a variable size (48 for
6469 * RSA, varying for PSK) and is therefore not statically allocated */
6470 ssl->pre_master_secret.data = (unsigned char *) wmem_alloc(wmem_file_scope(),
6471 ms->data_len);
6472 ssl_data_set(&ssl->pre_master_secret, ms->data, ms->data_len);
6473 ssl->state |= SSL_PRE_MASTER_SECRET(1<<6);
6474 } else {
6475 ssl_data_set(&ssl->master_secret, ms->data, ms->data_len);
6476 ssl->state |= SSL_MASTER_SECRET(1<<5);
6477 }
6478 ssl_debug_printf("%s %smaster secret retrieved using %s\n", G_STRFUNC((const char*) (__func__)),
6479 is_pre_master ? "pre-" : "", label);
6480 ssl_print_string(label, key);
6481 ssl_print_string("(pre-)master secret", ms);
6482 return true1;
6483}
6484/* Store/load a known (pre-)master secret from/for this SSL session. }}} */
6485
6486/* Should be called when all parameters are ready (after ChangeCipherSpec), and
6487 * the decoder should be attempted to be initialized. {{{*/
6488void
6489ssl_finalize_decryption(SslDecryptSession *ssl, ssl_master_key_map_t *mk_map)
6490{
6491 if (ssl->session.version == TLSV1DOT3_VERSION0x304) {
6492 /* TLS 1.3 implementations only provide secrets derived from the master
6493 * secret which are loaded in tls13_change_key. No master secrets can be
6494 * loaded here, so just return. */
6495 return;
6496 }
6497 ssl_debug_printf("%s state = 0x%02X\n", G_STRFUNC((const char*) (__func__)), ssl->state);
6498 if (ssl->state & SSL_HAVE_SESSION_KEY(1<<3)) {
6499 ssl_debug_printf(" session key already available, nothing to do.\n");
6500 return;
6501 }
6502 if (!(ssl->state & SSL_CIPHER(1<<2))) {
6503 ssl_debug_printf(" Cipher suite (Server Hello) is missing!\n");
6504 return;
6505 }
6506
6507 /* for decryption, there needs to be a master secret (which can be derived
6508 * from pre-master secret). If missing, try to pick a master key from cache
6509 * (an earlier packet in the capture or key logfile). */
6510 if (!(ssl->state & (SSL_MASTER_SECRET(1<<5) | SSL_PRE_MASTER_SECRET(1<<6))) &&
6511 !ssl_restore_master_key(ssl, "Session ID", false0,
6512 mk_map->session, &ssl->session_id) &&
6513 (!ssl->session.is_session_resumed ||
6514 !ssl_restore_master_key(ssl, "Session Ticket", false0,
6515 mk_map->tickets, &ssl->session_ticket)) &&
6516 !ssl_restore_master_key(ssl, "Client Random", false0,
6517 mk_map->crandom, &ssl->client_random)) {
6518 if (ssl->cipher_suite->enc != ENC_NULL0x3D) {
6519 /* how unfortunate, the master secret could not be found */
6520 ssl_debug_printf(" Cannot find master secret\n");
6521 return;
6522 } else {
6523 ssl_debug_printf(" Cannot find master secret, continuing anyway "
6524 "because of a NULL cipher\n");
6525 }
6526 }
6527
6528 if (ssl_generate_keyring_material(ssl) < 0) {
6529 ssl_debug_printf("%s can't generate keyring material\n", G_STRFUNC((const char*) (__func__)));
6530 return;
6531 }
6532 /* Save Client Random/ Session ID for "SSL Export Session keys" */
6533 ssl_save_master_key("Client Random", mk_map->crandom,
6534 &ssl->client_random, &ssl->master_secret);
6535 ssl_save_master_key("Session ID", mk_map->session,
6536 &ssl->session_id, &ssl->master_secret);
6537 /* Only save the new secrets if the server sent the ticket. The client
6538 * ticket might have become stale. */
6539 if (ssl->state & SSL_NEW_SESSION_TICKET(1<<10)) {
6540 ssl_save_master_key("Session Ticket", mk_map->tickets,
6541 &ssl->session_ticket, &ssl->master_secret);
6542 }
6543} /* }}} */
6544
6545/* Load the traffic key secret from the keylog file. */
6546StringInfo *
6547tls13_load_secret(SslDecryptSession *ssl, ssl_master_key_map_t *mk_map,
6548 bool_Bool is_from_server, TLSRecordType type)
6549{
6550 GHashTable *key_map;
6551 const char *label;
6552
6553 if (ssl->session.version != TLSV1DOT3_VERSION0x304 && ssl->session.version != DTLSV1DOT3_VERSION0xfefc) {
6554 ssl_debug_printf("%s TLS version %#x is not 1.3\n", G_STRFUNC((const char*) (__func__)), ssl->session.version);
6555 return NULL((void*)0);
6556 }
6557
6558 if (ssl->client_random.data_len == 0) {
6559 /* May happen if Hello message is missing and Finished is found. */
6560 ssl_debug_printf("%s missing Client Random\n", G_STRFUNC((const char*) (__func__)));
6561 return NULL((void*)0);
6562 }
6563
6564 switch (type) {
6565 case TLS_SECRET_0RTT_APP:
6566 DISSECTOR_ASSERT(!is_from_server)((void) ((!is_from_server) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 6566, "!is_from_server"))));
6567 label = "CLIENT_EARLY_TRAFFIC_SECRET";
6568 key_map = mk_map->tls13_client_early;
6569 break;
6570 case TLS_SECRET_HANDSHAKE:
6571 if (is_from_server) {
6572 label = "SERVER_HANDSHAKE_TRAFFIC_SECRET";
6573 key_map = mk_map->tls13_server_handshake;
6574 } else {
6575 label = "CLIENT_HANDSHAKE_TRAFFIC_SECRET";
6576 key_map = mk_map->tls13_client_handshake;
6577 }
6578 break;
6579 case TLS_SECRET_APP:
6580 if (is_from_server) {
6581 label = "SERVER_TRAFFIC_SECRET_0";
6582 key_map = mk_map->tls13_server_appdata;
6583 } else {
6584 label = "CLIENT_TRAFFIC_SECRET_0";
6585 key_map = mk_map->tls13_client_appdata;
6586 }
6587 break;
6588 default:
6589 ws_assert_not_reached()ws_log_fatal_full("", LOG_LEVEL_ERROR, "epan/dissectors/packet-tls-utils.c"
, 6589, __func__, "assertion \"not reached\" failed");
6590 }
6591
6592 /* Transitioning to new keys, mark old ones as unusable. */
6593 ssl_debug_printf("%s transitioning to new key, old state 0x%02x\n", G_STRFUNC((const char*) (__func__)), ssl->state);
6594 ssl->state &= ~(SSL_MASTER_SECRET(1<<5) | SSL_PRE_MASTER_SECRET(1<<6) | SSL_HAVE_SESSION_KEY(1<<3));
6595
6596 StringInfo *secret = (StringInfo *)g_hash_table_lookup(key_map, &ssl->client_random);
6597 if (!secret) {
6598 ssl_debug_printf("%s Cannot find %s, decryption impossible\n", G_STRFUNC((const char*) (__func__)), label);
6599 /* Disable decryption, the keys are invalid. */
6600 if (is_from_server) {
6601 ssl->server = NULL((void*)0);
6602 } else {
6603 ssl->client = NULL((void*)0);
6604 }
6605 return NULL((void*)0);
6606 }
6607
6608 /* TLS 1.3 secret found, set new keys. */
6609 ssl_debug_printf("%s Retrieved TLS 1.3 traffic secret.\n", G_STRFUNC((const char*) (__func__)));
6610 ssl_print_string("Client Random", &ssl->client_random);
6611 ssl_print_string(label, secret);
6612 return secret;
6613}
6614
6615/* Load the new key. */
6616void
6617tls13_change_key(SslDecryptSession *ssl, ssl_master_key_map_t *mk_map,
6618 bool_Bool is_from_server, TLSRecordType type)
6619{
6620 if (ssl->state & SSL_QUIC_RECORD_LAYER(1<<13)) {
6621 /*
6622 * QUIC does not use the TLS record layer for message protection.
6623 * The required keys will be extracted later by QUIC.
6624 */
6625 return;
6626 }
6627
6628 StringInfo *secret = tls13_load_secret(ssl, mk_map, is_from_server, type);
6629 if (!secret) {
6630 return;
6631 }
6632
6633 if (tls13_generate_keys(ssl, secret, is_from_server)) {
6634 /*
6635 * Remember the application traffic secret to support Key Update. The
6636 * other secrets cannot be used for this purpose, so free them.
6637 */
6638 SslDecoder *decoder = is_from_server ? ssl->server : ssl->client;
6639 StringInfo *app_secret = &decoder->app_traffic_secret;
6640 if (type == TLS_SECRET_APP) {
6641 app_secret->data = (unsigned char *) wmem_realloc(wmem_file_scope(),
6642 app_secret->data,
6643 secret->data_len);
6644 ssl_data_set(app_secret, secret->data, secret->data_len);
6645 } else {
6646 wmem_free(wmem_file_scope(), app_secret->data);
6647 app_secret->data = NULL((void*)0);
6648 app_secret->data_len = 0;
6649 }
6650 }
6651}
6652
6653/**
6654 * Update to next application data traffic secret for TLS 1.3. The previous
6655 * secret should have been set by tls13_change_key.
6656 */
6657void
6658tls13_key_update(SslDecryptSession *ssl, bool_Bool is_from_server)
6659{
6660 /* RFC 8446 Section 7.2:
6661 * application_traffic_secret_N+1 =
6662 * HKDF-Expand-Label(application_traffic_secret_N,
6663 * "traffic upd", "", Hash.length)
6664 *
6665 * Both application_traffic_secret_N are of the same length (Hash.length).
6666 */
6667 const SslCipherSuite *cipher_suite = ssl->cipher_suite;
6668 SslDecoder *decoder = is_from_server ? ssl->server : ssl->client;
6669 StringInfo *app_secret = decoder ? &decoder->app_traffic_secret : NULL((void*)0);
6670 uint8_t tls13_draft_version = ssl->session.tls13_draft_version;
6671
6672 if (!cipher_suite || !app_secret || app_secret->data_len == 0) {
6673 ssl_debug_printf("%s Cannot perform Key Update due to missing info\n", G_STRFUNC((const char*) (__func__)));
6674 return;
6675 }
6676
6677 /*
6678 * Previous traffic secret is available, so find the hash function,
6679 * expand the new traffic secret and generate new keys.
6680 */
6681 const char *hash_name = ssl_cipher_suite_dig(cipher_suite)->name;
6682 int hash_algo = ssl_get_digest_by_name(hash_name);
6683 const unsigned hash_len = app_secret->data_len;
6684 unsigned char *new_secret;
6685 const char *label = "traffic upd";
6686 if (tls13_draft_version && tls13_draft_version < 20) {
6687 label = "application traffic secret";
6688 }
6689 if (!tls13_hkdf_expand_label(hash_algo, app_secret,
6690 tls13_hkdf_label_prefix(ssl),
6691 label, hash_len, &new_secret)) {
6692 ssl_debug_printf("%s traffic_secret_N+1 expansion failed\n", G_STRFUNC((const char*) (__func__)));
6693 return;
6694 }
6695 ssl_data_set(app_secret, new_secret, hash_len);
6696 if (tls13_generate_keys(ssl, app_secret, is_from_server)) {
6697 /*
6698 * Remember the application traffic secret on the new decoder to
6699 * support another Key Update.
6700 */
6701 decoder = is_from_server ? ssl->server : ssl->client;
6702 app_secret = &decoder->app_traffic_secret;
6703 app_secret->data = (unsigned char *) wmem_realloc(wmem_file_scope(),
6704 app_secret->data,
6705 hash_len);
6706 ssl_data_set(app_secret, new_secret, hash_len);
6707 }
6708 wmem_free(NULL((void*)0), new_secret);
6709}
6710
6711void
6712tls_save_crandom(SslDecryptSession *ssl, ssl_master_key_map_t *mk_map)
6713{
6714 if (ssl && (ssl->state & SSL_CLIENT_RANDOM(1<<0))) {
6715 g_hash_table_add(mk_map->used_crandom, &ssl->client_random);
6716 }
6717}
6718
6719/** SSL keylog file handling. {{{ */
6720
6721static GRegex *
6722ssl_compile_keyfile_regex(void)
6723{
6724#define OCTET "(?:[[:xdigit:]]{2})"
6725 const char *pattern =
6726 "(?:"
6727 /* Matches Client Hellos having this Client Random */
6728 "PMS_CLIENT_RANDOM (?<client_random_pms>" OCTET "{32}) "
6729 /* Matches first part of encrypted RSA pre-master secret */
6730 "|RSA (?<encrypted_pmk>" OCTET "{8}) "
6731 /* Pre-Master-Secret is given, it is 48 bytes for RSA,
6732 but it can be of any length for DHE */
6733 ")(?<pms>" OCTET "+)"
6734 "|(?:"
6735 /* Matches Server Hellos having a Session ID */
6736 "RSA Session-ID:(?<session_id>" OCTET "+) Master-Key:"
6737 /* Matches Client Hellos having this Client Random */
6738 "|CLIENT_RANDOM (?<client_random>" OCTET "{32}) "
6739 /* Master-Secret is given, its length is fixed */
6740 ")(?<master_secret>" OCTET "{" G_STRINGIFY(SSL_MASTER_SECRET_LENGTH)"48" "})"
6741 "|(?"
6742 /* TLS 1.3 Client Random to Derived Secrets mapping. */
6743 ":CLIENT_EARLY_TRAFFIC_SECRET (?<client_early>" OCTET "{32})"
6744 "|CLIENT_HANDSHAKE_TRAFFIC_SECRET (?<client_handshake>" OCTET "{32})"
6745 "|SERVER_HANDSHAKE_TRAFFIC_SECRET (?<server_handshake>" OCTET "{32})"
6746 "|CLIENT_TRAFFIC_SECRET_0 (?<client_appdata>" OCTET "{32})"
6747 "|SERVER_TRAFFIC_SECRET_0 (?<server_appdata>" OCTET "{32})"
6748 "|EARLY_EXPORTER_SECRET (?<early_exporter>" OCTET "{32})"
6749 "|EXPORTER_SECRET (?<exporter>" OCTET "{32})"
6750 /* ECH. Secret length is defined by HPKE KEM Nsecret and can vary between 32 and 64 bytes */
6751 /* These labels and their notation are specified in draft-ietf-tls-ech-keylogfile-01 */
6752 "|ECH_SECRET (?<ech_secret>" OCTET "{32,64})"
6753 "|ECH_CONFIG (?<ech_config>" OCTET "{22,})"
6754 ") (?<derived_secret>" OCTET "+)";
6755#undef OCTET
6756 static GRegex *regex = NULL((void*)0);
6757 GError *gerr = NULL((void*)0);
6758
6759 if (!regex) {
6760 regex = g_regex_new(pattern,
6761 (GRegexCompileFlags)(G_REGEX_OPTIMIZE | G_REGEX_ANCHORED | G_REGEX_RAW),
6762 G_REGEX_MATCH_ANCHORED, &gerr);
6763 if (gerr) {
6764 ssl_debug_printf("%s failed to compile regex: %s\n", G_STRFUNC((const char*) (__func__)),
6765 gerr->message);
6766 g_error_free(gerr);
6767 regex = NULL((void*)0);
6768 }
6769 }
6770
6771 return regex;
6772}
6773
6774typedef struct ssl_master_key_match_group {
6775 const char *re_group_name;
6776 GHashTable *master_key_ht;
6777} ssl_master_key_match_group_t;
6778
6779void
6780tls_keylog_process_lines(const ssl_master_key_map_t *mk_map, const uint8_t *data, unsigned datalen)
6781{
6782 ssl_master_key_match_group_t mk_groups[] = {
6783 { "encrypted_pmk", mk_map->pre_master },
6784 { "session_id", mk_map->session },
6785 { "client_random", mk_map->crandom },
6786 { "client_random_pms", mk_map->pms },
6787 /* TLS 1.3 map from Client Random to derived secret. */
6788 { "client_early", mk_map->tls13_client_early },
6789 { "client_handshake", mk_map->tls13_client_handshake },
6790 { "server_handshake", mk_map->tls13_server_handshake },
6791 { "client_appdata", mk_map->tls13_client_appdata },
6792 { "server_appdata", mk_map->tls13_server_appdata },
6793 { "early_exporter", mk_map->tls13_early_exporter },
6794 { "exporter", mk_map->tls13_exporter },
6795 { "ech_secret", mk_map->ech_secret },
6796 { "ech_config", mk_map->ech_config },
6797 };
6798
6799 /* The format of the file is a series of records with one of the following formats:
6800 * - "RSA xxxx yyyy"
6801 * Where xxxx are the first 8 bytes of the encrypted pre-master secret (hex-encoded)
6802 * Where yyyy is the cleartext pre-master secret (hex-encoded)
6803 * (this is the original format introduced with bug 4349)
6804 *
6805 * - "RSA Session-ID:xxxx Master-Key:yyyy"
6806 * Where xxxx is the SSL session ID (hex-encoded)
6807 * Where yyyy is the cleartext master secret (hex-encoded)
6808 * (added to support openssl s_client Master-Key output)
6809 * This is somewhat is a misnomer because there's nothing RSA specific
6810 * about this.
6811 *
6812 * - "PMS_CLIENT_RANDOM xxxx yyyy"
6813 * Where xxxx is the client_random from the ClientHello (hex-encoded)
6814 * Where yyyy is the cleartext pre-master secret (hex-encoded)
6815 * (This format allows SSL connections to be decrypted, if a user can
6816 * capture the PMS but could not recover the MS for a specific session
6817 * with a SSL Server.)
6818 *
6819 * - "CLIENT_RANDOM xxxx yyyy"
6820 * Where xxxx is the client_random from the ClientHello (hex-encoded)
6821 * Where yyyy is the cleartext master secret (hex-encoded)
6822 * (This format allows non-RSA SSL connections to be decrypted, i.e.
6823 * ECDHE-RSA.)
6824 *
6825 * - "CLIENT_EARLY_TRAFFIC_SECRET xxxx yyyy"
6826 * - "CLIENT_HANDSHAKE_TRAFFIC_SECRET xxxx yyyy"
6827 * - "SERVER_HANDSHAKE_TRAFFIC_SECRET xxxx yyyy"
6828 * - "CLIENT_TRAFFIC_SECRET_0 xxxx yyyy"
6829 * - "SERVER_TRAFFIC_SECRET_0 xxxx yyyy"
6830 * - "EARLY_EXPORTER_SECRET xxxx yyyy"
6831 * - "EXPORTER_SECRET xxxx yyyy"
6832 * Where xxxx is the client_random from the ClientHello (hex-encoded)
6833 * Where yyyy is the secret (hex-encoded) derived from the early,
6834 * handshake or master secrets. (This format is introduced with TLS 1.3
6835 * and supported by BoringSSL, OpenSSL, etc. See bug 12779.)
6836 */
6837 GRegex *regex = ssl_compile_keyfile_regex();
6838 if (!regex)
6839 return;
6840
6841 const char *next_line = (const char *)data;
6842 const char *line_end = next_line + datalen;
6843 while (next_line && next_line < line_end) {
6844 const char *line = next_line;
6845 next_line = (const char *)memchr(line, '\n', line_end - line);
6846 ssize_t linelen;
6847
6848 if (next_line) {
6849 linelen = next_line - line;
6850 next_line++; /* drop LF */
6851 } else {
6852 linelen = (ssize_t)(line_end - line);
6853 }
6854 if (linelen > 0 && line[linelen - 1] == '\r') {
6855 linelen--; /* drop CR */
6856 }
6857
6858 ssl_debug_printf(" checking keylog line: %.*s\n", (int)linelen, line);
6859 GMatchInfo *mi;
6860 if (g_regex_match_full(regex, line, linelen, 0, G_REGEX_MATCH_ANCHORED, &mi, NULL((void*)0))) {
6861 char *hex_key, *hex_pre_ms_or_ms;
6862 StringInfo *key = wmem_new(wmem_file_scope(), StringInfo)((StringInfo*)wmem_alloc((wmem_file_scope()), sizeof(StringInfo
)));
6863 StringInfo *pre_ms_or_ms = NULL((void*)0);
6864 GHashTable *ht = NULL((void*)0);
6865
6866 /* Is the PMS being supplied with the PMS_CLIENT_RANDOM
6867 * otherwise we will use the Master Secret
6868 */
6869 hex_pre_ms_or_ms = g_match_info_fetch_named(mi, "master_secret");
6870 if (hex_pre_ms_or_ms == NULL((void*)0) || !*hex_pre_ms_or_ms) {
6871 g_free(hex_pre_ms_or_ms);
6872 hex_pre_ms_or_ms = g_match_info_fetch_named(mi, "pms");
6873 }
6874 if (hex_pre_ms_or_ms == NULL((void*)0) || !*hex_pre_ms_or_ms) {
6875 g_free(hex_pre_ms_or_ms);
6876 hex_pre_ms_or_ms = g_match_info_fetch_named(mi, "derived_secret");
6877 }
6878 /* There is always a match, otherwise the regex is wrong. */
6879 DISSECTOR_ASSERT(hex_pre_ms_or_ms && strlen(hex_pre_ms_or_ms))((void) ((hex_pre_ms_or_ms && strlen(hex_pre_ms_or_ms
)) ? (void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\""
, "epan/dissectors/packet-tls-utils.c", 6879, "hex_pre_ms_or_ms && strlen(hex_pre_ms_or_ms)"
))));
6880
6881 /* convert from hex to bytes and save to hashtable */
6882 pre_ms_or_ms = wmem_new(wmem_file_scope(), StringInfo)((StringInfo*)wmem_alloc((wmem_file_scope()), sizeof(StringInfo
)));
6883 from_hex(pre_ms_or_ms, hex_pre_ms_or_ms, strlen(hex_pre_ms_or_ms));
6884 g_free(hex_pre_ms_or_ms);
6885
6886 /* Find a master key from any format (CLIENT_RANDOM, SID, ...) */
6887 for (unsigned i = 0; i < G_N_ELEMENTS(mk_groups)(sizeof (mk_groups) / sizeof ((mk_groups)[0])); i++) {
6888 ssl_master_key_match_group_t *g = &mk_groups[i];
6889 hex_key = g_match_info_fetch_named(mi, g->re_group_name);
6890 if (hex_key && *hex_key) {
6891 ssl_debug_printf(" matched %s\n", g->re_group_name);
6892 ht = g->master_key_ht;
6893 from_hex(key, hex_key, strlen(hex_key));
6894 g_free(hex_key);
6895 break;
6896 }
6897 g_free(hex_key);
6898 }
6899 DISSECTOR_ASSERT(ht)((void) ((ht) ? (void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\""
, "epan/dissectors/packet-tls-utils.c", 6899, "ht")))); /* Cannot be reached, or regex is wrong. */
6900
6901 g_hash_table_insert(ht, key, pre_ms_or_ms);
6902
6903 } else if (linelen > 0 && line[0] != '#') {
6904 ssl_debug_printf(" unrecognized line\n");
6905 }
6906 /* always free match info even if there is no match. */
6907 g_match_info_free(mi);
6908 }
6909}
6910
6911void
6912ssl_load_keyfile(const char *tls_keylog_filename, FILE **keylog_file,
6913 const ssl_master_key_map_t *mk_map)
6914{
6915 /* no need to try if no key log file is configured. */
6916 if (!tls_keylog_filename || !*tls_keylog_filename) {
6917 ssl_debug_printf("%s dtls/tls.keylog_file is not configured!\n",
6918 G_STRFUNC((const char*) (__func__)));
6919 return;
6920 }
6921
6922 /* Validate regexes before even trying to use it. */
6923 if (!ssl_compile_keyfile_regex()) {
6924 return;
6925 }
6926
6927 ssl_debug_printf("trying to use TLS keylog in %s\n", tls_keylog_filename);
6928
6929 /* if the keylog file was deleted/overwritten, re-open it */
6930 if (*keylog_file && file_needs_reopen(ws_filenofileno(*keylog_file), tls_keylog_filename)) {
6931 ssl_debug_printf("%s file got deleted, trying to re-open\n", G_STRFUNC((const char*) (__func__)));
6932 fclose(*keylog_file);
6933 *keylog_file = NULL((void*)0);
6934 }
6935
6936 if (*keylog_file == NULL((void*)0)) {
6937 *keylog_file = ws_fopenfopen(tls_keylog_filename, "r");
6938 if (!*keylog_file) {
6939 ssl_debug_printf("%s failed to open SSL keylog\n", G_STRFUNC((const char*) (__func__)));
6940 return;
6941 }
6942 }
6943
6944 for (;;) {
6945 char buf[1110], *line;
6946 line = fgets(buf, sizeof(buf), *keylog_file);
6947 if (!line) {
6948 if (feof(*keylog_file)) {
6949 /* Ensure that newly appended keys can be read in the future. */
6950 clearerr(*keylog_file);
6951 } else if (ferror(*keylog_file)) {
6952 ssl_debug_printf("%s Error while reading key log file, closing it!\n", G_STRFUNC((const char*) (__func__)));
6953 fclose(*keylog_file);
6954 *keylog_file = NULL((void*)0);
6955 }
6956 break;
6957 }
6958 tls_keylog_process_lines(mk_map, (uint8_t *)line, (int)strlen(line));
6959 }
6960}
6961/** SSL keylog file handling. }}} */
6962
6963#ifdef SSL_DECRYPT_DEBUG /* {{{ */
6964
6965static FILE* ssl_debug_file;
6966
6967void
6968ssl_set_debug(const char* name)
6969{
6970 static int debug_file_must_be_closed;
6971 int use_stderr;
6972
6973 use_stderr = name?(strcmp(name, SSL_DEBUG_USE_STDERR"-") == 0):0;
6974
6975 if (debug_file_must_be_closed)
6976 fclose(ssl_debug_file);
6977
6978 if (use_stderr)
6979 ssl_debug_file = stderrstderr;
6980 else if (!name || (strcmp(name, "") ==0))
6981 ssl_debug_file = NULL((void*)0);
6982 else
6983 ssl_debug_file = ws_fopenfopen(name, "w");
6984
6985 if (!use_stderr && ssl_debug_file)
6986 debug_file_must_be_closed = 1;
6987 else
6988 debug_file_must_be_closed = 0;
6989
6990 ssl_debug_printf("Wireshark SSL debug log \n\n");
6991#ifdef HAVE_LIBGNUTLS1
6992 ssl_debug_printf("GnuTLS version: %s\n", gnutls_check_version(NULL((void*)0)));
6993#endif
6994 ssl_debug_printf("Libgcrypt version: %s\n", gcry_check_version(NULL((void*)0)));
6995 ssl_debug_printf("\n");
6996}
6997
6998void
6999ssl_debug_flush(void)
7000{
7001 if (ssl_debug_file)
7002 fflush(ssl_debug_file);
7003}
7004
7005void
7006ssl_debug_printf(const char* fmt, ...)
7007{
7008 va_list ap;
7009
7010 if (!ssl_debug_file)
7011 return;
7012
7013 va_start(ap, fmt)__builtin_va_start(ap, fmt);
7014 vfprintf(ssl_debug_file, fmt, ap);
7015 va_end(ap)__builtin_va_end(ap);
7016}
7017
7018void
7019ssl_print_data(const char* name, const unsigned char* data, size_t len)
7020{
7021 size_t i, j, k;
7022 if (!ssl_debug_file)
7023 return;
7024 fprintf(ssl_debug_file,"%s[%d]:\n",name, (int) len);
7025 for (i=0; i<len; i+=16) {
7026 fprintf(ssl_debug_file,"| ");
7027 for (j=i, k=0; k<16 && j<len; ++j, ++k)
7028 fprintf(ssl_debug_file,"%.2x ",data[j]);
7029 for (; k<16; ++k)
7030 fprintf(ssl_debug_file," ");
7031 fputc('|', ssl_debug_file);
7032 for (j=i, k=0; k<16 && j<len; ++j, ++k) {
7033 unsigned char c = data[j];
7034 if (!g_ascii_isprint(c)((g_ascii_table[(guchar) (c)] & G_ASCII_PRINT) != 0) || (c=='\t')) c = '.';
7035 fputc(c, ssl_debug_file);
7036 }
7037 for (; k<16; ++k)
7038 fputc(' ', ssl_debug_file);
7039 fprintf(ssl_debug_file,"|\n");
7040 }
7041}
7042
7043void
7044ssl_print_string(const char* name, const StringInfo* data)
7045{
7046 ssl_print_data(name, data->data, data->data_len);
7047}
7048#endif /* SSL_DECRYPT_DEBUG }}} */
7049
7050/* UAT preferences callbacks. {{{ */
7051/* checks for SSL and DTLS UAT key list fields */
7052
7053bool_Bool
7054ssldecrypt_uat_fld_ip_chk_cb(void* r _U___attribute__((unused)), const char* p _U___attribute__((unused)), unsigned len _U___attribute__((unused)), const void* u1 _U___attribute__((unused)), const void* u2 _U___attribute__((unused)), char** err)
7055{
7056 // This should be removed in favor of Decode As. Make it optional.
7057 *err = NULL((void*)0);
7058 return true1;
7059}
7060
7061bool_Bool
7062ssldecrypt_uat_fld_port_chk_cb(void* r _U___attribute__((unused)), const char* p, unsigned len _U___attribute__((unused)), const void* u1 _U___attribute__((unused)), const void* u2 _U___attribute__((unused)), char** err)
7063{
7064 if (!p || strlen(p) == 0u) {
7065 // This should be removed in favor of Decode As. Make it optional.
7066 *err = NULL((void*)0);
7067 return true1;
7068 }
7069
7070 if (strcmp(p, "start_tls") != 0){
7071 uint16_t port;
7072 if (!ws_strtou16(p, NULL((void*)0), &port)) {
7073 *err = g_strdup("Invalid port given.")g_strdup_inline ("Invalid port given.");
7074 return false0;
7075 }
7076 }
7077
7078 *err = NULL((void*)0);
7079 return true1;
7080}
7081
7082bool_Bool
7083ssldecrypt_uat_fld_fileopen_chk_cb(void* r _U___attribute__((unused)), const char* p, unsigned len _U___attribute__((unused)), const void* u1 _U___attribute__((unused)), const void* u2 _U___attribute__((unused)), char** err)
7084{
7085 ws_statb64struct stat st;
7086
7087 if (!p || strlen(p) == 0u) {
7088 *err = g_strdup("No filename given.")g_strdup_inline ("No filename given.");
7089 return false0;
7090 } else {
7091 if (ws_stat64stat(p, &st) != 0) {
7092 *err = ws_strdup_printf("File '%s' does not exist or access is denied.", p)wmem_strdup_printf(((void*)0), "File '%s' does not exist or access is denied."
, p);
7093 return false0;
7094 }
7095 }
7096
7097 *err = NULL((void*)0);
7098 return true1;
7099}
7100
7101bool_Bool
7102ssldecrypt_uat_fld_password_chk_cb(void *r _U___attribute__((unused)), const char *p _U___attribute__((unused)), unsigned len _U___attribute__((unused)), const void *u1 _U___attribute__((unused)), const void *u2 _U___attribute__((unused)), char **err)
7103{
7104#if defined(HAVE_LIBGNUTLS1)
7105 ssldecrypt_assoc_t* f = (ssldecrypt_assoc_t *)r;
7106 FILE *fp = NULL((void*)0);
7107
7108 if (p && (strlen(p) > 0u)) {
7109 fp = ws_fopenfopen(f->keyfile, "rb");
7110 if (fp) {
7111 char *msg = NULL((void*)0);
7112 gnutls_x509_privkey_t priv_key = rsa_load_pkcs12(fp, p, &msg);
7113 if (!priv_key) {
7114 fclose(fp);
7115 *err = ws_strdup_printf("Could not load PKCS#12 key file: %s", msg)wmem_strdup_printf(((void*)0), "Could not load PKCS#12 key file: %s"
, msg);
7116 g_free(msg);
7117 return false0;
7118 }
7119 g_free(msg);
7120 gnutls_x509_privkey_deinit(priv_key);
7121 fclose(fp);
7122 } else {
7123 *err = ws_strdup_printf("Leave this field blank if the keyfile is not PKCS#12.")wmem_strdup_printf(((void*)0), "Leave this field blank if the keyfile is not PKCS#12."
);
7124 return false0;
7125 }
7126 }
7127
7128 *err = NULL((void*)0);
7129 return true1;
7130#else
7131 *err = g_strdup("Cannot load key files, support is not compiled in.")g_strdup_inline ("Cannot load key files, support is not compiled in."
);
7132 return false0;
7133#endif
7134}
7135/* UAT preferences callbacks. }}} */
7136
7137/** maximum size of ssl_association_info() string */
7138#define SSL_ASSOC_MAX_LEN8192 8192
7139
7140typedef struct ssl_association_info_callback_data
7141{
7142 char *str;
7143 const char *table_protocol;
7144} ssl_association_info_callback_data_t;
7145
7146/**
7147 * callback function used by ssl_association_info() to traverse the SSL associations.
7148 */
7149static void
7150ssl_association_info_(const char *table _U___attribute__((unused)), void *handle, void *user_data)
7151{
7152 ssl_association_info_callback_data_t* data = (ssl_association_info_callback_data_t*)user_data;
7153 const int l = (const int)strlen(data->str);
7154 snprintf(data->str+l, SSL_ASSOC_MAX_LEN8192-l, "'%s' (%s)\n", dissector_handle_get_dissector_name((dissector_handle_t)handle), dissector_handle_get_description((dissector_handle_t)handle));
7155}
7156
7157/**
7158 * @return an information string on the SSL protocol associations. The string must be freed.
7159 */
7160char*
7161ssl_association_info(const char* dissector_table_name, const char* table_protocol)
7162{
7163 ssl_association_info_callback_data_t data;
7164
7165 data.str = (char *)g_malloc0(SSL_ASSOC_MAX_LEN8192);
7166 data.table_protocol = table_protocol;
7167 dissector_table_foreach_handle(dissector_table_name, ssl_association_info_, &data);
7168 return data.str;
7169}
7170
7171
7172/** Begin of code related to dissection of wire data. */
7173
7174/* Helpers for dissecting Variable-Length Vectors. {{{ */
7175bool_Bool
7176ssl_add_vector(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
7177 unsigned offset, unsigned offset_end, uint32_t *ret_length,
7178 int hf_length, uint32_t min_value, uint32_t max_value)
7179{
7180 unsigned veclen_size;
7181 uint32_t veclen_value;
7182 proto_item *pi;
7183
7184 DISSECTOR_ASSERT_CMPUINT(min_value, <=, max_value)((void) ((min_value <= max_value) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion " "min_value" " " "<=" " " "max_value"
" (" "%" "l" "u" " " "<=" " " "%" "l" "u" ")", "epan/dissectors/packet-tls-utils.c"
, 7184, (uint64_t)min_value, (uint64_t)max_value))));
7185 if (offset > offset_end) {
7186 expert_add_info_format(pinfo, tree, &hf->ei.malformed_buffer_too_small,
7187 "Vector offset is past buffer end offset (%u > %u)",
7188 offset, offset_end);
7189 *ret_length = 0;
7190 return false0; /* Cannot read length. */
7191 }
7192
7193 if (max_value > 0xffffff) {
7194 veclen_size = 4;
7195 } else if (max_value > 0xffff) {
7196 veclen_size = 3;
7197 } else if (max_value > 0xff) {
7198 veclen_size = 2;
7199 } else {
7200 veclen_size = 1;
7201 }
7202
7203 if (offset_end - offset < veclen_size) {
7204 proto_tree_add_expert_format(tree, pinfo, &hf->ei.malformed_buffer_too_small,
7205 tvb, offset, offset_end - offset,
7206 "No more room for vector of length %u",
7207 veclen_size);
7208 *ret_length = 0;
7209 return false0; /* Cannot read length. */
7210 }
7211
7212 pi = proto_tree_add_item_ret_uint(tree, hf_length, tvb, offset, veclen_size, ENC_BIG_ENDIAN0x00000000, &veclen_value);
7213 offset += veclen_size;
7214
7215 if (veclen_value < min_value) {
7216 expert_add_info_format(pinfo, pi, &hf->ei.malformed_vector_length,
7217 "Vector length %u is smaller than minimum %u",
7218 veclen_value, min_value);
7219 } else if (veclen_value > max_value) {
7220 expert_add_info_format(pinfo, pi, &hf->ei.malformed_vector_length,
7221 "Vector length %u is larger than maximum %u",
7222 veclen_value, max_value);
7223 }
7224
7225 if (offset_end - offset < veclen_value) {
7226 expert_add_info_format(pinfo, pi, &hf->ei.malformed_buffer_too_small,
7227 "Vector length %u is too large, truncating it to %u",
7228 veclen_value, offset_end - offset);
7229 *ret_length = offset_end - offset;
7230 return false0; /* Length is truncated to avoid overflow. */
7231 }
7232
7233 *ret_length = veclen_value;
7234 return true1; /* Length is OK. */
7235}
7236
7237bool_Bool
7238ssl_end_vector(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
7239 unsigned offset, unsigned offset_end)
7240{
7241 if (offset < offset_end) {
7242 unsigned trailing = offset_end - offset;
7243 proto_tree_add_expert_format(tree, pinfo, &hf->ei.malformed_trailing_data,
7244 tvb, offset, trailing,
7245 "%u trailing byte%s unprocessed",
7246 trailing, plurality(trailing, " was", "s were")((trailing) == 1 ? (" was") : ("s were")));
7247 return false0; /* unprocessed data warning */
7248 } else if (offset > offset_end) {
7249 /*
7250 * Returned offset runs past the end. This should not happen and is
7251 * possibly a dissector bug.
7252 */
7253 unsigned excess = offset - offset_end;
7254 proto_tree_add_expert_format(tree, pinfo, &hf->ei.malformed_buffer_too_small,
7255 tvb, offset_end, excess,
7256 "Dissector processed too much data (%u byte%s)",
7257 excess, plurality(excess, "", "s")((excess) == 1 ? ("") : ("s")));
7258 return false0; /* overflow error */
7259 }
7260
7261 return true1; /* OK, offset matches. */
7262}
7263/** }}} */
7264
7265
7266static uint32_t
7267ssl_dissect_digitally_signed(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
7268 proto_tree *tree, uint32_t offset, uint32_t offset_end,
7269 uint16_t version, int hf_sig_len, int hf_sig);
7270
7271/* change_cipher_spec(20) dissection */
7272void
7273ssl_dissect_change_cipher_spec(ssl_common_dissect_t *hf, tvbuff_t *tvb,
7274 packet_info *pinfo, proto_tree *tree,
7275 uint32_t offset, SslSession *session,
7276 bool_Bool is_from_server,
7277 const SslDecryptSession *ssl)
7278{
7279 /*
7280 * struct {
7281 * enum { change_cipher_spec(1), (255) } type;
7282 * } ChangeCipherSpec;
7283 */
7284 proto_item *ti;
7285 proto_item_set_text(tree,
7286 "%s Record Layer: %s Protocol: Change Cipher Spec",
7287 val_to_str_const(session->version, ssl_version_short_names, "SSL"),
7288 val_to_str_const(SSL_ID_CHG_CIPHER_SPEC, ssl_31_content_type, "unknown"));
7289 ti = proto_tree_add_item(tree, hf->hf.change_cipher_spec, tvb, offset, 1, ENC_NA0x00000000);
7290
7291 if (session->version == TLSV1DOT3_VERSION0x304) {
7292 /* CCS is a dummy message in TLS 1.3, do not parse it further. */
7293 return;
7294 }
7295
7296 /* Remember frame number of first CCS */
7297 uint32_t *ccs_frame = is_from_server ? &session->server_ccs_frame : &session->client_ccs_frame;
7298 if (*ccs_frame == 0)
7299 *ccs_frame = pinfo->num;
7300
7301 /* Use heuristics to detect an abbreviated handshake, assume that missing
7302 * ServerHelloDone implies reusing previously negotiating keys. Then when
7303 * a Session ID or ticket is present, it must be a resumed session.
7304 * Normally this should be done at the Finished message, but that may be
7305 * encrypted so we do it here, at the last cleartext message. */
7306 if (is_from_server && ssl) {
7307 if (session->is_session_resumed) {
7308 const char *resumed = NULL((void*)0);
7309 if (ssl->session_ticket.data_len) {
7310 resumed = "Session Ticket";
7311 } else if (ssl->session_id.data_len) {
7312 resumed = "Session ID";
7313 }
7314 if (resumed) {
7315 ssl_debug_printf("%s Session resumption using %s\n", G_STRFUNC((const char*) (__func__)), resumed);
7316 } else {
7317 /* Can happen if the capture somehow starts in the middle */
7318 ssl_debug_printf("%s No Session resumption, missing packets?\n", G_STRFUNC((const char*) (__func__)));
7319 }
7320 } else {
7321 ssl_debug_printf("%s Not using Session resumption\n", G_STRFUNC((const char*) (__func__)));
7322 }
7323 }
7324 if (is_from_server && session->is_session_resumed)
7325 expert_add_info(pinfo, ti, &hf->ei.resumed);
7326}
7327
7328/** Begin of handshake(22) record dissections */
7329
7330/* Dissects a SignatureScheme (TLS 1.3) or SignatureAndHashAlgorithm (TLS 1.2).
7331 * {{{ */
7332static void
7333tls_dissect_signature_algorithm(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree, uint32_t offset, ja4_data_t *ja4_data)
7334{
7335 uint32_t sighash, hashalg, sigalg;
7336 proto_item *ti_sigalg;
7337 proto_tree *sigalg_tree;
7338
7339 ti_sigalg = proto_tree_add_item_ret_uint(tree, hf->hf.hs_sig_hash_alg, tvb,
7340 offset, 2, ENC_BIG_ENDIAN0x00000000, &sighash);
7341 if (ja4_data) {
7342 wmem_list_append(ja4_data->sighash_list, GUINT_TO_POINTER(sighash)((gpointer) (gulong) (sighash)));
7343 }
7344
7345 sigalg_tree = proto_item_add_subtree(ti_sigalg, hf->ett.hs_sig_hash_alg);
7346
7347 /* TLS 1.2: SignatureAndHashAlgorithm { hash, signature } */
7348 proto_tree_add_item_ret_uint(sigalg_tree, hf->hf.hs_sig_hash_hash, tvb,
7349 offset, 1, ENC_BIG_ENDIAN0x00000000, &hashalg);
7350 proto_tree_add_item_ret_uint(sigalg_tree, hf->hf.hs_sig_hash_sig, tvb,
7351 offset + 1, 1, ENC_BIG_ENDIAN0x00000000, &sigalg);
7352
7353 /* No TLS 1.3 SignatureScheme? Fallback to TLS 1.2 interpretation. */
7354 if (!try_val_to_str(sighash, tls13_signature_algorithm)) {
7355 proto_item_set_text(ti_sigalg, "Signature Algorithm: %s %s (0x%04x)",
7356 val_to_str_const(hashalg, tls_hash_algorithm, "Unknown"),
7357 val_to_str_const(sigalg, tls_signature_algorithm, "Unknown"),
7358 sighash);
7359 }
7360} /* }}} */
7361
7362/* dissect a list of hash algorithms, return the number of bytes dissected
7363 this is used for the signature algorithms extension and for the
7364 TLS1.2 certificate request. {{{ */
7365static int
7366ssl_dissect_hash_alg_list(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree,
7367 packet_info* pinfo, uint32_t offset, uint32_t offset_end, ja4_data_t *ja4_data)
7368{
7369 /* https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1
7370 * struct {
7371 * HashAlgorithm hash;
7372 * SignatureAlgorithm signature;
7373 * } SignatureAndHashAlgorithm;
7374 * SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2>;
7375 */
7376 proto_tree *subtree;
7377 proto_item *ti;
7378 unsigned sh_alg_length;
7379 uint32_t next_offset;
7380
7381 /* SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2> */
7382 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &sh_alg_length,
7383 hf->hf.hs_sig_hash_alg_len, 2, UINT16_MAX(65535) - 1)) {
7384 return offset_end;
7385 }
7386 offset += 2;
7387 next_offset = offset + sh_alg_length;
7388
7389 ti = proto_tree_add_none_format(tree, hf->hf.hs_sig_hash_algs, tvb, offset, sh_alg_length,
7390 "Signature Hash Algorithms (%u algorithm%s)",
7391 sh_alg_length / 2, plurality(sh_alg_length / 2, "", "s")((sh_alg_length / 2) == 1 ? ("") : ("s")));
7392 subtree = proto_item_add_subtree(ti, hf->ett.hs_sig_hash_algs);
7393
7394 while (offset + 2 <= next_offset) {
7395 tls_dissect_signature_algorithm(hf, tvb, subtree, offset, ja4_data);
7396 offset += 2;
7397 }
7398
7399 if (!ssl_end_vector(hf, tvb, pinfo, subtree, offset, next_offset)) {
7400 offset = next_offset;
7401 }
7402
7403 return offset;
7404} /* }}} */
7405
7406/* Dissection of DistinguishedName (for CertificateRequest and
7407 * certificate_authorities extension). {{{ */
7408static uint32_t
7409tls_dissect_certificate_authorities(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
7410 proto_tree *tree, uint32_t offset, uint32_t offset_end)
7411{
7412 proto_item *ti;
7413 proto_tree *subtree;
7414 uint32_t dnames_length, next_offset;
7415 asn1_ctx_t asn1_ctx;
7416 int dnames_count = 100; /* the maximum number of DNs to add to the tree */
7417
7418 /* Note: minimum length is 0 for TLS 1.1/1.2 and 3 for earlier/later */
7419 /* DistinguishedName certificate_authorities<0..2^16-1> */
7420 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &dnames_length,
7421 hf->hf.hs_dnames_len, 0, UINT16_MAX(65535))) {
7422 return offset_end;
7423 }
7424 offset += 2;
7425 next_offset = offset + dnames_length;
7426
7427 if (dnames_length > 0) {
7428 ti = proto_tree_add_none_format(tree,
7429 hf->hf.hs_dnames,
7430 tvb, offset, dnames_length,
7431 "Distinguished Names (%d byte%s)",
7432 dnames_length,
7433 plurality(dnames_length, "", "s")((dnames_length) == 1 ? ("") : ("s")));
7434 subtree = proto_item_add_subtree(ti, hf->ett.dnames);
7435
7436 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true1, pinfo);
7437
7438 while (offset < next_offset) {
7439 /* get the length of the current certificate */
7440 uint32_t name_length;
7441
7442 if (dnames_count-- == 0) {
7443 /* stop adding to tree when the list is considered too large
7444 * https://gitlab.com/wireshark/wireshark/-/issues/16202
7445 Note: dnames_count must be set low enough not to hit the
7446 limit set by PINFO_LAYER_MAX_RECURSION_DEPTH in packet.c
7447 */
7448 ti = proto_tree_add_item(subtree, hf->hf.hs_dnames_truncated,
7449 tvb, offset, next_offset - offset, ENC_NA0x00000000);
7450 proto_item_set_generated(ti);
7451 return next_offset;
7452 }
7453
7454 /* opaque DistinguishedName<1..2^16-1> */
7455 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, next_offset, &name_length,
7456 hf->hf.hs_dname_len, 1, UINT16_MAX(65535))) {
7457 return next_offset;
7458 }
7459 offset += 2;
7460
7461 dissect_x509if_DistinguishedName(false0, tvb, offset, &asn1_ctx,
7462 subtree, hf->hf.hs_dname);
7463 offset += name_length;
7464 }
7465 }
7466 return offset;
7467} /* }}} */
7468
7469
7470/** TLS Extensions (in Client Hello and Server Hello). {{{ */
7471static int
7472ssl_dissect_hnd_hello_ext_sig_hash_algs(ssl_common_dissect_t *hf, tvbuff_t *tvb,
7473 proto_tree *tree, packet_info* pinfo, uint32_t offset, uint32_t offset_end, ja4_data_t *ja4_data)
7474{
7475 return ssl_dissect_hash_alg_list(hf, tvb, tree, pinfo, offset, offset_end, ja4_data);
7476}
7477
7478static int
7479ssl_dissect_hnd_ext_delegated_credentials(ssl_common_dissect_t *hf, tvbuff_t *tvb,
7480 proto_tree *tree, packet_info* pinfo, uint32_t offset, uint32_t offset_end, uint8_t hnd_type)
7481{
7482 if (hnd_type == SSL_HND_CLIENT_HELLO) {
7483 /*
7484 * struct {
7485 * SignatureScheme supported_signature_algorithm<2..2^16-2>;
7486 * } SignatureSchemeList;
7487 */
7488
7489 return ssl_dissect_hash_alg_list(hf, tvb, tree, pinfo, offset, offset_end, NULL((void*)0));
7490 } else {
7491 asn1_ctx_t asn1_ctx;
7492 unsigned pubkey_length, sign_length;
7493
7494 /*
7495 * struct {
7496 * uint32 valid_time;
7497 * SignatureScheme expected_cert_verify_algorithm;
7498 * opaque ASN1_subjectPublicKeyInfo<1..2^24-1>;
7499 * } Credential;
7500 *
7501 * struct {
7502 * Credential cred;
7503 * SignatureScheme algorithm;
7504 * opaque signature<0..2^16-1>;
7505 * } DelegatedCredential;
7506 */
7507
7508 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true1, pinfo);
7509
7510 proto_tree_add_item(tree, hf->hf.hs_cred_valid_time, tvb, offset, 4, ENC_BIG_ENDIAN0x00000000);
7511 offset += 4;
7512
7513 tls_dissect_signature_algorithm(hf, tvb, tree, offset, NULL((void*)0));
7514 offset += 2;
7515
7516 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &pubkey_length,
7517 hf->hf.hs_cred_pubkey_len, 1, G_MAXUINT24((1U << 24) - 1))) {
7518 return offset_end;
7519 }
7520 offset += 3;
7521 dissect_x509af_SubjectPublicKeyInfo(false0, tvb, offset, &asn1_ctx, tree, hf->hf.hs_cred_pubkey);
7522 offset += pubkey_length;
7523
7524 tls_dissect_signature_algorithm(hf, tvb, tree, offset, NULL((void*)0));
7525 offset += 2;
7526
7527 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &sign_length,
7528 hf->hf.hs_cred_signature_len, 1, UINT16_MAX(65535))) {
7529 return offset_end;
7530 }
7531 offset += 2;
7532 proto_tree_add_item(tree, hf->hf.hs_cred_signature,
7533 tvb, offset, sign_length, ENC_ASCII0x00000000|ENC_NA0x00000000);
7534 offset += sign_length;
7535
7536 return offset;
7537 }
7538}
7539
7540static int
7541ssl_dissect_hnd_hello_ext_alps(ssl_common_dissect_t *hf, tvbuff_t *tvb,
7542 packet_info *pinfo, proto_tree *tree,
7543 uint32_t offset, uint32_t offset_end,
7544 uint8_t hnd_type)
7545{
7546
7547 /* https://datatracker.ietf.org/doc/html/draft-vvv-tls-alps-01#section-4 */
7548
7549 switch (hnd_type) {
7550 case SSL_HND_CLIENT_HELLO: {
7551 proto_tree *alps_tree;
7552 proto_item *ti;
7553 uint32_t next_offset, alps_length, name_length;
7554
7555 /*
7556 * opaque ProtocolName<1..2^8-1>;
7557 * struct {
7558 * ProtocolName supported_protocols<2..2^16-1>
7559 * } ApplicationSettingsSupport;
7560 */
7561
7562 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &alps_length,
7563 hf->hf.hs_ext_alps_len, 2, UINT16_MAX(65535))) {
7564 return offset_end;
7565 }
7566 offset += 2;
7567 next_offset = offset + alps_length;
7568
7569 ti = proto_tree_add_item(tree, hf->hf.hs_ext_alps_alpn_list,
7570 tvb, offset, alps_length, ENC_NA0x00000000);
7571 alps_tree = proto_item_add_subtree(ti, hf->ett.hs_ext_alps);
7572
7573 /* Parse list (note missing check for end of vector, ssl_add_vector below
7574 * ensures that data is always available.) */
7575 while (offset < next_offset) {
7576 if (!ssl_add_vector(hf, tvb, pinfo, alps_tree, offset, next_offset, &name_length,
7577 hf->hf.hs_ext_alps_alpn_str_len, 1, UINT8_MAX(255))) {
7578 return next_offset;
7579 }
7580 offset++;
7581
7582 proto_tree_add_item(alps_tree, hf->hf.hs_ext_alps_alpn_str,
7583 tvb, offset, name_length, ENC_ASCII0x00000000|ENC_NA0x00000000);
7584 offset += name_length;
7585 }
7586
7587 return offset;
7588 }
7589 case SSL_HND_ENCRYPTED_EXTS:
7590 /* Opaque blob */
7591 proto_tree_add_item(tree, hf->hf.hs_ext_alps_settings,
7592 tvb, offset, offset_end - offset, ENC_ASCII0x00000000|ENC_NA0x00000000);
7593 break;
7594 }
7595
7596 return offset_end;
7597}
7598
7599static int
7600ssl_dissect_hnd_hello_ext_alpn(ssl_common_dissect_t *hf, tvbuff_t *tvb,
7601 packet_info *pinfo, proto_tree *tree,
7602 uint32_t offset, uint32_t offset_end,
7603 uint8_t hnd_type, SslSession *session,
7604 bool_Bool is_dtls, ja4_data_t *ja4_data)
7605{
7606
7607 /* https://tools.ietf.org/html/rfc7301#section-3.1
7608 * opaque ProtocolName<1..2^8-1>;
7609 * struct {
7610 * ProtocolName protocol_name_list<2..2^16-1>
7611 * } ProtocolNameList;
7612 */
7613 proto_tree *alpn_tree;
7614 proto_item *ti;
7615 uint32_t next_offset, alpn_length, name_length;
7616 uint8_t *proto_name = NULL((void*)0), *client_proto_name = NULL((void*)0);
7617
7618 /* ProtocolName protocol_name_list<2..2^16-1> */
7619 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &alpn_length,
7620 hf->hf.hs_ext_alpn_len, 2, UINT16_MAX(65535))) {
7621 return offset_end;
7622 }
7623 offset += 2;
7624 next_offset = offset + alpn_length;
7625
7626 ti = proto_tree_add_item(tree, hf->hf.hs_ext_alpn_list,
7627 tvb, offset, alpn_length, ENC_NA0x00000000);
7628 alpn_tree = proto_item_add_subtree(ti, hf->ett.hs_ext_alpn);
7629
7630 /* Parse list (note missing check for end of vector, ssl_add_vector below
7631 * ensures that data is always available.) */
7632 while (offset < next_offset) {
7633 /* opaque ProtocolName<1..2^8-1> */
7634 if (!ssl_add_vector(hf, tvb, pinfo, alpn_tree, offset, next_offset, &name_length,
7635 hf->hf.hs_ext_alpn_str_len, 1, UINT8_MAX(255))) {
7636 return next_offset;
7637 }
7638 offset++;
7639
7640 proto_tree_add_item(alpn_tree, hf->hf.hs_ext_alpn_str,
7641 tvb, offset, name_length, ENC_ASCII0x00000000|ENC_NA0x00000000);
7642 if (ja4_data && wmem_strbuf_get_len(ja4_data->alpn) == 0) {
7643 const char alpn_first_char = (char)tvb_get_uint8(tvb,offset);
7644 const char alpn_last_char = (char)tvb_get_uint8(tvb,offset + name_length - 1);
7645 if ((g_ascii_isprint(alpn_first_char)((g_ascii_table[(guchar) (alpn_first_char)] & G_ASCII_PRINT
) != 0)) && g_ascii_isprint(alpn_last_char)((g_ascii_table[(guchar) (alpn_last_char)] & G_ASCII_PRINT
) != 0)) {
7646 wmem_strbuf_append_printf(ja4_data->alpn, "%c%c", alpn_first_char, alpn_last_char);
7647 }
7648 else {
7649 wmem_strbuf_append_printf(ja4_data->alpn, "%x%x",(alpn_first_char >> 4) & 0x0F,
7650 alpn_last_char & 0x0F);
7651 }
7652 }
7653 /* Remember first ALPN ProtocolName entry for server. */
7654 if (hnd_type == SSL_HND_SERVER_HELLO || hnd_type == SSL_HND_ENCRYPTED_EXTENSIONS) {
7655 /* '\0'-terminated string for dissector table match and prefix
7656 * comparison purposes. */
7657 proto_name = tvb_get_string_enc(pinfo->pool, tvb, offset,
7658 name_length, ENC_ASCII0x00000000);
7659 } else if (hnd_type == SSL_HND_CLIENT_HELLO) {
7660 client_proto_name = tvb_get_string_enc(pinfo->pool, tvb, offset,
7661 name_length, ENC_ASCII0x00000000);
7662 }
7663 offset += name_length;
7664 }
7665
7666 /* If ALPN is given in ServerHello, then ProtocolNameList MUST contain
7667 * exactly one "ProtocolName". */
7668 if (proto_name) {
7669 dissector_handle_t handle;
7670
7671 session->alpn_name = wmem_strdup(wmem_file_scope(), proto_name);
7672
7673 if (is_dtls) {
7674 handle = dissector_get_string_handle(dtls_alpn_dissector_table,
7675 proto_name);
7676 } else {
7677 handle = dissector_get_string_handle(ssl_alpn_dissector_table,
7678 proto_name);
7679 if (handle == NULL((void*)0)) {
7680 /* Try prefix matching */
7681 for (size_t i = 0; i < G_N_ELEMENTS(ssl_alpn_prefix_match_protocols)(sizeof (ssl_alpn_prefix_match_protocols) / sizeof ((ssl_alpn_prefix_match_protocols
)[0])); i++) {
7682 const ssl_alpn_prefix_match_protocol_t *alpn_proto = &ssl_alpn_prefix_match_protocols[i];
7683
7684 /* string_string is inappropriate as it compares strings
7685 * while "byte strings MUST NOT be truncated" (RFC 7301) */
7686 if (g_str_has_prefix(proto_name, alpn_proto->proto_prefix)(__builtin_constant_p (alpn_proto->proto_prefix)? __extension__
({ const char * const __str = (proto_name); const char * const
__prefix = (alpn_proto->proto_prefix); gboolean __result =
(0); if (__str == ((void*)0) || __prefix == ((void*)0)) __result
= (g_str_has_prefix) (__str, __prefix); else { const size_t __str_len
= strlen (((__str) + !(__str))); const size_t __prefix_len =
strlen (((__prefix) + !(__prefix))); if (__str_len >= __prefix_len
) __result = memcmp (((__str) + !(__str)), ((__prefix) + !(__prefix
)), __prefix_len) == 0; } __result; }) : (g_str_has_prefix) (
proto_name, alpn_proto->proto_prefix) )) {
7687 handle = find_dissector(alpn_proto->dissector_name);
7688 break;
7689 }
7690 }
7691 }
7692 }
7693 if (handle != NULL((void*)0)) {
7694 /* ProtocolName match, so set the App data dissector handle.
7695 * This may override protocols given via the UAT dialog, but
7696 * since the ALPN hint is precise, do it anyway. */
7697 ssl_debug_printf("%s: changing handle %p to %p (%s)", G_STRFUNC((const char*) (__func__)),
7698 (void *)session->app_handle,
7699 (void *)handle,
7700 dissector_handle_get_dissector_name(handle));
7701 session->app_handle = handle;
7702 }
7703 } else if (client_proto_name) {
7704 // No current use for looking up the handle as the only consumer of this API is currently the QUIC dissector
7705 // and it just needs the string since there are/were various HTTP/3 ALPNs to check for.
7706 session->client_alpn_name = wmem_strdup(wmem_file_scope(), client_proto_name);
7707 }
7708
7709 return offset;
7710}
7711
7712static int
7713ssl_dissect_hnd_hello_ext_npn(ssl_common_dissect_t *hf, tvbuff_t *tvb,
7714 packet_info *pinfo, proto_tree *tree,
7715 uint32_t offset, uint32_t offset_end)
7716{
7717 /* https://tools.ietf.org/html/draft-agl-tls-nextprotoneg-04#page-3
7718 * The "extension_data" field of a "next_protocol_negotiation" extension
7719 * in a "ServerHello" contains an optional list of protocols advertised
7720 * by the server. Protocols are named by opaque, non-empty byte strings
7721 * and the list of protocols is serialized as a concatenation of 8-bit,
7722 * length prefixed byte strings. Implementations MUST ensure that the
7723 * empty string is not included and that no byte strings are truncated.
7724 */
7725 uint32_t npn_length;
7726 proto_tree *npn_tree;
7727
7728 /* List is optional, do not add tree if there are no entries. */
7729 if (offset == offset_end) {
7730 return offset;
7731 }
7732
7733 npn_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset, hf->ett.hs_ext_npn, NULL((void*)0), "Next Protocol Negotiation");
7734
7735 while (offset < offset_end) {
7736 /* non-empty, 8-bit length prefixed strings means range 1..255 */
7737 if (!ssl_add_vector(hf, tvb, pinfo, npn_tree, offset, offset_end, &npn_length,
7738 hf->hf.hs_ext_npn_str_len, 1, UINT8_MAX(255))) {
7739 return offset_end;
7740 }
7741 offset++;
7742
7743 proto_tree_add_item(npn_tree, hf->hf.hs_ext_npn_str,
7744 tvb, offset, npn_length, ENC_ASCII0x00000000|ENC_NA0x00000000);
7745 offset += npn_length;
7746 }
7747
7748 return offset;
7749}
7750
7751static int
7752ssl_dissect_hnd_hello_ext_reneg_info(ssl_common_dissect_t *hf, tvbuff_t *tvb,
7753 packet_info *pinfo, proto_tree *tree,
7754 uint32_t offset, uint32_t offset_end)
7755{
7756 /* https://tools.ietf.org/html/rfc5746#section-3.2
7757 * struct {
7758 * opaque renegotiated_connection<0..255>;
7759 * } RenegotiationInfo;
7760 *
7761 */
7762 proto_tree *reneg_info_tree;
7763 uint32_t reneg_info_length;
7764
7765 reneg_info_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset, hf->ett.hs_ext_reneg_info, NULL((void*)0), "Renegotiation Info extension");
7766
7767 /* opaque renegotiated_connection<0..255> */
7768 if (!ssl_add_vector(hf, tvb, pinfo, reneg_info_tree, offset, offset_end, &reneg_info_length,
7769 hf->hf.hs_ext_reneg_info_len, 0, 255)) {
7770 return offset_end;
7771 }
7772 offset++;
7773
7774 if (reneg_info_length > 0) {
7775 proto_tree_add_item(reneg_info_tree, hf->hf.hs_ext_reneg_info, tvb, offset, reneg_info_length, ENC_NA0x00000000);
7776 offset += reneg_info_length;
7777 }
7778
7779 return offset;
7780}
7781
7782static int
7783ssl_dissect_hnd_hello_ext_key_share_entry(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
7784 proto_tree *tree, uint32_t offset, uint32_t offset_end,
7785 const char **group_name_out)
7786{
7787 /* RFC 8446 Section 4.2.8
7788 * struct {
7789 * NamedGroup group;
7790 * opaque key_exchange<1..2^16-1>;
7791 * } KeyShareEntry;
7792 */
7793 uint32_t key_exchange_length, group;
7794 proto_tree *ks_tree;
7795
7796 ks_tree = proto_tree_add_subtree(tree, tvb, offset, 4, hf->ett.hs_ext_key_share_ks, NULL((void*)0), "Key Share Entry");
7797
7798 proto_tree_add_item_ret_uint(ks_tree, hf->hf.hs_ext_key_share_group, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &group);
7799 offset += 2;
7800 const char *group_name = val_to_str(group, ssl_extension_curves, "Unknown (%u)");
7801 proto_item_append_text(ks_tree, ": Group: %s", group_name);
7802 if (group_name_out) {
7803 *group_name_out = !IS_GREASE_TLS(group)((((group) & 0x0f0f) == 0x0a0a) && (((group) &
0xff) == (((group)>>8) & 0xff))) ? group_name : NULL((void*)0);
7804 }
7805
7806 /* opaque key_exchange<1..2^16-1> */
7807 if (!ssl_add_vector(hf, tvb, pinfo, ks_tree, offset, offset_end, &key_exchange_length,
7808 hf->hf.hs_ext_key_share_key_exchange_length, 1, UINT16_MAX(65535))) {
7809 return offset_end; /* Bad (possible truncated) length, skip to end of KeyShare extension. */
7810 }
7811 offset += 2;
7812 proto_item_set_len(ks_tree, 2 + 2 + key_exchange_length);
7813 proto_item_append_text(ks_tree, ", Key Exchange length: %u", key_exchange_length);
7814
7815 proto_tree_add_item(ks_tree, hf->hf.hs_ext_key_share_key_exchange, tvb, offset, key_exchange_length, ENC_NA0x00000000);
7816 offset += key_exchange_length;
7817
7818 return offset;
7819}
7820
7821static int
7822ssl_dissect_hnd_hello_ext_key_share(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
7823 proto_tree *tree, uint32_t offset, uint32_t offset_end,
7824 uint8_t hnd_type)
7825{
7826 proto_tree *key_share_tree;
7827 uint32_t next_offset;
7828 uint32_t client_shares_length;
7829 uint32_t group;
7830 const char *group_name = NULL((void*)0);
7831
7832 if (offset_end <= offset) { /* Check if ext_len == 0 and "overflow" (offset + ext_len) > uint32_t) */
7833 return offset;
7834 }
7835
7836 key_share_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset, hf->ett.hs_ext_key_share, NULL((void*)0), "Key Share extension");
7837
7838 switch(hnd_type){
7839 case SSL_HND_CLIENT_HELLO:
7840 /* KeyShareEntry client_shares<0..2^16-1> */
7841 if (!ssl_add_vector(hf, tvb, pinfo, key_share_tree, offset, offset_end, &client_shares_length,
7842 hf->hf.hs_ext_key_share_client_length, 0, UINT16_MAX(65535))) {
7843 return offset_end;
7844 }
7845 offset += 2;
7846 next_offset = offset + client_shares_length;
7847 const char *sep = " ";
7848 while (offset + 4 <= next_offset) { /* (NamedGroup (2 bytes), key_exchange (1 byte for length, 1 byte minimum data) */
7849 offset = ssl_dissect_hnd_hello_ext_key_share_entry(hf, tvb, pinfo, key_share_tree, offset, next_offset, &group_name);
7850 if (group_name) {
7851 proto_item_append_text(tree, "%s%s", sep, group_name);
7852 sep = ", ";
7853 }
7854 }
7855 if (!ssl_end_vector(hf, tvb, pinfo, key_share_tree, offset, next_offset)) {
7856 return next_offset;
7857 }
7858 break;
7859 case SSL_HND_SERVER_HELLO:
7860 offset = ssl_dissect_hnd_hello_ext_key_share_entry(hf, tvb, pinfo, key_share_tree, offset, offset_end, &group_name);
7861 if (group_name) {
7862 proto_item_append_text(tree, " %s", group_name);
7863 }
7864 break;
7865 case SSL_HND_HELLO_RETRY_REQUEST:
7866 proto_tree_add_item_ret_uint(key_share_tree, hf->hf.hs_ext_key_share_selected_group, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &group);
7867 offset += 2;
7868 group_name = val_to_str(group, ssl_extension_curves, "Unknown (%u)");
7869 proto_item_append_text(tree, " %s", group_name);
7870 break;
7871 default: /* no default */
7872 break;
7873 }
7874
7875 return offset;
7876}
7877
7878static int
7879ssl_dissect_hnd_hello_ext_pre_shared_key(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
7880 proto_tree *tree, uint32_t offset, uint32_t offset_end,
7881 uint8_t hnd_type)
7882{
7883 /* RFC 8446 Section 4.2.11
7884 * struct {
7885 * opaque identity<1..2^16-1>;
7886 * uint32 obfuscated_ticket_age;
7887 * } PskIdentity;
7888 * opaque PskBinderEntry<32..255>;
7889 * struct {
7890 * select (Handshake.msg_type) {
7891 * case client_hello:
7892 * PskIdentity identities<7..2^16-1>;
7893 * PskBinderEntry binders<33..2^16-1>;
7894 * case server_hello:
7895 * uint16 selected_identity;
7896 * };
7897 * } PreSharedKeyExtension;
7898 */
7899
7900 proto_tree *psk_tree;
7901
7902 psk_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset, hf->ett.hs_ext_pre_shared_key, NULL((void*)0), "Pre-Shared Key extension");
7903
7904 switch (hnd_type){
7905 case SSL_HND_CLIENT_HELLO: {
7906 uint32_t identities_length, identities_end, binders_length;
7907
7908 /* PskIdentity identities<7..2^16-1> */
7909 if (!ssl_add_vector(hf, tvb, pinfo, psk_tree, offset, offset_end, &identities_length,
7910 hf->hf.hs_ext_psk_identities_length, 7, UINT16_MAX(65535))) {
7911 return offset_end;
7912 }
7913 offset += 2;
7914 identities_end = offset + identities_length;
7915
7916 while (offset < identities_end) {
7917 uint32_t identity_length;
7918 proto_tree *identity_tree;
7919
7920 identity_tree = proto_tree_add_subtree(psk_tree, tvb, offset, 4, hf->ett.hs_ext_psk_identity, NULL((void*)0), "PSK Identity (");
7921
7922 /* opaque identity<1..2^16-1> */
7923 if (!ssl_add_vector(hf, tvb, pinfo, identity_tree, offset, identities_end, &identity_length,
7924 hf->hf.hs_ext_psk_identity_identity_length, 1, UINT16_MAX(65535))) {
7925 return identities_end;
7926 }
7927 offset += 2;
7928 proto_item_append_text(identity_tree, "length: %u)", identity_length);
7929
7930 proto_tree_add_item(identity_tree, hf->hf.hs_ext_psk_identity_identity, tvb, offset, identity_length, ENC_BIG_ENDIAN0x00000000);
7931 offset += identity_length;
7932
7933 proto_tree_add_item(identity_tree, hf->hf.hs_ext_psk_identity_obfuscated_ticket_age, tvb, offset, 4, ENC_BIG_ENDIAN0x00000000);
7934 offset += 4;
7935
7936 proto_item_set_len(identity_tree, 2 + identity_length + 4);
7937 }
7938 if (!ssl_end_vector(hf, tvb, pinfo, psk_tree, offset, identities_end)) {
7939 offset = identities_end;
7940 }
7941
7942 /* PskBinderEntry binders<33..2^16-1> */
7943 if (!ssl_add_vector(hf, tvb, pinfo, psk_tree, offset, offset_end, &binders_length,
7944 hf->hf.hs_ext_psk_binders_length, 33, UINT16_MAX(65535))) {
7945 return offset_end;
7946 }
7947 offset += 2;
7948
7949 proto_tree_add_item(psk_tree, hf->hf.hs_ext_psk_binders, tvb, offset, binders_length, ENC_NA0x00000000);
7950 offset += binders_length;
7951 }
7952 break;
7953 case SSL_HND_SERVER_HELLO: {
7954 proto_tree_add_item(psk_tree, hf->hf.hs_ext_psk_identity_selected, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
7955 offset += 2;
7956 }
7957 break;
7958 default:
7959 break;
7960 }
7961
7962 return offset;
7963}
7964
7965static uint32_t
7966ssl_dissect_hnd_hello_ext_early_data(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo _U___attribute__((unused)),
7967 proto_tree *tree, uint32_t offset, uint32_t offset_end _U___attribute__((unused)),
7968 uint8_t hnd_type, SslDecryptSession *ssl)
7969{
7970 /* RFC 8446 Section 4.2.10
7971 * struct {} Empty;
7972 * struct {
7973 * select (Handshake.msg_type) {
7974 * case new_session_ticket: uint32 max_early_data_size;
7975 * case client_hello: Empty;
7976 * case encrypted_extensions: Empty;
7977 * };
7978 * } EarlyDataIndication;
7979 */
7980 switch (hnd_type) {
7981 case SSL_HND_CLIENT_HELLO:
7982 /* Remember that early_data will follow the handshake. */
7983 if (ssl) {
7984 ssl_debug_printf("%s found early_data extension\n", G_STRFUNC((const char*) (__func__)));
7985 ssl->has_early_data = true1;
7986 }
7987 break;
7988 case SSL_HND_NEWSESSION_TICKET:
7989 proto_tree_add_item(tree, hf->hf.hs_ext_max_early_data_size, tvb, offset, 4, ENC_BIG_ENDIAN0x00000000);
7990 offset += 4;
7991 break;
7992 default:
7993 break;
7994 }
7995 return offset;
7996}
7997
7998static uint16_t
7999tls_try_get_version(bool_Bool is_dtls, uint16_t version, uint8_t *draft_version)
8000{
8001 if (draft_version) {
8002 *draft_version = 0;
8003 }
8004 if (!is_dtls) {
8005 uint8_t tls13_draft = extract_tls13_draft_version(version);
8006 if (tls13_draft != 0) {
8007 /* This is TLS 1.3 (a draft version). */
8008 if (draft_version) {
8009 *draft_version = tls13_draft;
8010 }
8011 version = TLSV1DOT3_VERSION0x304;
8012 }
8013 if (version == 0xfb17 || version == 0xfb1a) {
8014 /* Unofficial TLS 1.3 draft version for Facebook fizz. */
8015 tls13_draft = (uint8_t)version;
8016 if (draft_version) {
8017 *draft_version = tls13_draft;
8018 }
8019 version = TLSV1DOT3_VERSION0x304;
8020 }
8021 }
8022
8023 switch (version) {
8024 case SSLV3_VERSION0x300:
8025 case TLSV1_VERSION0x301:
8026 case TLSV1DOT1_VERSION0x302:
8027 case TLSV1DOT2_VERSION0x303:
8028 case TLSV1DOT3_VERSION0x304:
8029 case TLCPV1_VERSION0x101:
8030 if (is_dtls)
8031 return SSL_VER_UNKNOWN0;
8032 break;
8033
8034 case DTLSV1DOT0_VERSION0xfeff:
8035 case DTLSV1DOT0_OPENSSL_VERSION0x100:
8036 case DTLSV1DOT2_VERSION0xfefd:
8037 case DTLSV1DOT3_VERSION0xfefc:
8038 if (!is_dtls)
8039 return SSL_VER_UNKNOWN0;
8040 break;
8041
8042 default: /* invalid version number */
8043 return SSL_VER_UNKNOWN0;
8044 }
8045
8046 return version;
8047}
8048
8049static int
8050ssl_dissect_hnd_hello_ext_supported_versions(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8051 proto_tree *tree, uint32_t offset, uint32_t offset_end,
8052 SslSession *session, bool_Bool is_dtls, ja4_data_t *ja4_data)
8053{
8054
8055 /* RFC 8446 Section 4.2.1
8056 * struct {
8057 * ProtocolVersion versions<2..254>; // ClientHello
8058 * } SupportedVersions;
8059 * Note that ServerHello and HelloRetryRequest are handled by the caller.
8060 */
8061 uint32_t versions_length, next_offset;
8062 /* ProtocolVersion versions<2..254> */
8063 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &versions_length,
8064 hf->hf.hs_ext_supported_versions_len, 2, 254)) {
8065 return offset_end;
8066 }
8067 offset++;
8068 next_offset = offset + versions_length;
8069
8070 unsigned version;
8071 unsigned current_version, lowest_version = SSL_VER_UNKNOWN0;
8072 uint8_t draft_version, max_draft_version = 0;
8073 const char *sep = " ";
8074 while (offset + 2 <= next_offset) {
8075 proto_tree_add_item_ret_uint(tree, hf->hf.hs_ext_supported_version, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &version);
8076 offset += 2;
8077
8078 if (!IS_GREASE_TLS(version)((((version) & 0x0f0f) == 0x0a0a) && (((version) &
0xff) == (((version)>>8) & 0xff)))) {
8079 proto_item_append_text(tree, "%s%s", sep, val_to_str(version, ssl_versions, "Unknown (0x%04x)"));
8080 sep = ", ";
8081 }
8082
8083 current_version = tls_try_get_version(is_dtls, version, &draft_version);
8084 if (session->version == SSL_VER_UNKNOWN0) {
8085 if (lowest_version == SSL_VER_UNKNOWN0) {
8086 lowest_version = current_version;
8087 } else if (current_version != SSL_VER_UNKNOWN0) {
8088 if (!is_dtls) {
8089 lowest_version = MIN(lowest_version, current_version)(((lowest_version) < (current_version)) ? (lowest_version)
: (current_version));
8090 } else {
8091 lowest_version = MAX(lowest_version, current_version)(((lowest_version) > (current_version)) ? (lowest_version)
: (current_version));
8092 }
8093 }
8094 }
8095 max_draft_version = MAX(draft_version, max_draft_version)(((draft_version) > (max_draft_version)) ? (draft_version)
: (max_draft_version));
8096 if (ja4_data && !IS_GREASE_TLS(version)((((version) & 0x0f0f) == 0x0a0a) && (((version) &
0xff) == (((version)>>8) & 0xff)))) {
8097 /* The DTLS version numbers get mapped to "00" for unknown per
8098 * JA4 spec, but if JA4 ever does support DTLS we'll probably
8099 * need to take the MIN instead of MAX here for DTLS.
8100 */
8101 ja4_data->max_version = MAX(version, ja4_data->max_version)(((version) > (ja4_data->max_version)) ? (version) : (ja4_data
->max_version));
8102 }
8103 }
8104 if (session->version == SSL_VER_UNKNOWN0 && lowest_version != SSL_VER_UNKNOWN0) {
8105 col_set_str(pinfo->cinfo, COL_PROTOCOL,
8106 val_to_str_const(version, ssl_version_short_names, is_dtls ? "DTLS" : "TLS"));
8107 }
8108 if (!ssl_end_vector(hf, tvb, pinfo, tree, offset, next_offset)) {
8109 offset = next_offset;
8110 }
8111
8112 /* XXX remove this when draft 19 support is dropped,
8113 * this is only required for early data decryption. */
8114 if (max_draft_version) {
8115 session->tls13_draft_version = max_draft_version;
8116 }
8117
8118 return offset;
8119}
8120
8121static int
8122ssl_dissect_hnd_hello_ext_cookie(ssl_common_dissect_t *hf, tvbuff_t *tvb,
8123 packet_info *pinfo, proto_tree *tree,
8124 uint32_t offset, uint32_t offset_end)
8125{
8126 /* RFC 8446 Section 4.2.2
8127 * struct {
8128 * opaque cookie<1..2^16-1>;
8129 * } Cookie;
8130 */
8131 uint32_t cookie_length;
8132 /* opaque cookie<1..2^16-1> */
8133 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &cookie_length,
8134 hf->hf.hs_ext_cookie_len, 1, UINT16_MAX(65535))) {
8135 return offset_end;
8136 }
8137 offset += 2;
8138
8139 proto_tree_add_item(tree, hf->hf.hs_ext_cookie, tvb, offset, cookie_length, ENC_NA0x00000000);
8140 offset += cookie_length;
8141
8142 return offset;
8143}
8144
8145static int
8146ssl_dissect_hnd_hello_ext_psk_key_exchange_modes(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8147 proto_tree *tree, uint32_t offset, uint32_t offset_end)
8148{
8149 /* RFC 8446 Section 4.2.9
8150 * enum { psk_ke(0), psk_dhe_ke(1), (255) } PskKeyExchangeMode;
8151 *
8152 * struct {
8153 * PskKeyExchangeMode ke_modes<1..255>;
8154 * } PskKeyExchangeModes;
8155 */
8156 uint32_t ke_modes_length, next_offset;
8157
8158 /* PskKeyExchangeMode ke_modes<1..255> */
8159 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &ke_modes_length,
8160 hf->hf.hs_ext_psk_ke_modes_length, 1, 255)) {
8161 return offset_end;
8162 }
8163 offset++;
8164 next_offset = offset + ke_modes_length;
8165
8166 while (offset < next_offset) {
8167 proto_tree_add_item(tree, hf->hf.hs_ext_psk_ke_mode, tvb, offset, 1, ENC_NA0x00000000);
8168 offset++;
8169 }
8170
8171 return offset;
8172}
8173
8174static uint32_t
8175ssl_dissect_hnd_hello_ext_certificate_authorities(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8176 proto_tree *tree, uint32_t offset, uint32_t offset_end)
8177{
8178 /* RFC 8446 Section 4.2.4
8179 * opaque DistinguishedName<1..2^16-1>;
8180 * struct {
8181 * DistinguishedName authorities<3..2^16-1>;
8182 * } CertificateAuthoritiesExtension;
8183 */
8184 return tls_dissect_certificate_authorities(hf, tvb, pinfo, tree, offset, offset_end);
8185}
8186
8187static int
8188ssl_dissect_hnd_hello_ext_oid_filters(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8189 proto_tree *tree, uint32_t offset, uint32_t offset_end)
8190{
8191 /* RFC 8446 Section 4.2.5
8192 * struct {
8193 * opaque certificate_extension_oid<1..2^8-1>;
8194 * opaque certificate_extension_values<0..2^16-1>;
8195 * } OIDFilter;
8196 * struct {
8197 * OIDFilter filters<0..2^16-1>;
8198 * } OIDFilterExtension;
8199 */
8200 proto_tree *subtree;
8201 uint32_t filters_length, oid_length, values_length, value_offset;
8202 asn1_ctx_t asn1_ctx;
8203 const char *oid, *name;
8204
8205 /* OIDFilter filters<0..2^16-1> */
8206 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &filters_length,
8207 hf->hf.hs_ext_psk_ke_modes_length, 0, UINT16_MAX(65535))) {
8208 return offset_end;
8209 }
8210 offset += 2;
8211 offset_end = offset + filters_length;
8212
8213 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true1, pinfo);
8214
8215 while (offset < offset_end) {
8216 subtree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
8217 hf->ett.hs_ext_oid_filter, NULL((void*)0), "OID Filter");
8218
8219 /* opaque certificate_extension_oid<1..2^8-1> */
8220 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, offset_end, &oid_length,
8221 hf->hf.hs_ext_oid_filters_oid_length, 1, UINT8_MAX(255))) {
8222 return offset_end;
8223 }
8224 offset++;
8225 dissect_ber_object_identifier_str(false0, &asn1_ctx, subtree, tvb, offset,
8226 hf->hf.hs_ext_oid_filters_oid, &oid);
8227 offset += oid_length;
8228
8229 /* Append OID to tree label */
8230 name = oid_resolved_from_string(pinfo->pool, oid);
8231 proto_item_append_text(subtree, " (%s)", name ? name : oid);
8232
8233 /* opaque certificate_extension_values<0..2^16-1> */
8234 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, offset_end, &values_length,
8235 hf->hf.hs_ext_oid_filters_values_length, 0, UINT16_MAX(65535))) {
8236 return offset_end;
8237 }
8238 offset += 2;
8239 proto_item_set_len(subtree, 1 + oid_length + 2 + values_length);
8240 if (values_length > 0) {
8241 value_offset = offset;
8242 value_offset = dissect_ber_identifier(pinfo, subtree, tvb, value_offset, NULL((void*)0), NULL((void*)0), NULL((void*)0));
8243 value_offset = dissect_ber_length(pinfo, subtree, tvb, value_offset, NULL((void*)0), NULL((void*)0));
8244 call_ber_oid_callback(oid, tvb, value_offset, pinfo, subtree, NULL((void*)0));
8245 }
8246 offset += values_length;
8247 }
8248
8249 return offset;
8250}
8251
8252static int
8253ssl_dissect_hnd_hello_ext_server_name(ssl_common_dissect_t *hf, tvbuff_t *tvb,
8254 packet_info *pinfo, proto_tree *tree,
8255 uint32_t offset, uint32_t offset_end)
8256{
8257 /* https://tools.ietf.org/html/rfc6066#section-3
8258 *
8259 * struct {
8260 * NameType name_type;
8261 * select (name_type) {
8262 * case host_name: HostName;
8263 * } name;
8264 * } ServerName;
8265 *
8266 * enum {
8267 * host_name(0), (255)
8268 * } NameType;
8269 *
8270 * opaque HostName<1..2^16-1>;
8271 *
8272 * struct {
8273 * ServerName server_name_list<1..2^16-1>
8274 * } ServerNameList;
8275 */
8276 proto_tree *server_name_tree;
8277 uint32_t list_length, server_name_length, next_offset;
8278
8279 /* The server SHALL include "server_name" extension with empty data. */
8280 if (offset == offset_end) {
8281 return offset;
8282 }
8283
8284 server_name_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset, hf->ett.hs_ext_server_name, NULL((void*)0), "Server Name Indication extension");
8285
8286 /* ServerName server_name_list<1..2^16-1> */
8287 if (!ssl_add_vector(hf, tvb, pinfo, server_name_tree, offset, offset_end, &list_length,
8288 hf->hf.hs_ext_server_name_list_len, 1, UINT16_MAX(65535))) {
8289 return offset_end;
8290 }
8291 offset += 2;
8292 next_offset = offset + list_length;
8293
8294 while (offset < next_offset) {
8295 uint32_t name_type;
8296 const uint8_t *server_name = NULL((void*)0);
8297 proto_tree_add_item_ret_uint(server_name_tree, hf->hf.hs_ext_server_name_type,
8298 tvb, offset, 1, ENC_NA0x00000000, &name_type);
8299 offset++;
8300
8301 /* opaque HostName<1..2^16-1> */
8302 if (!ssl_add_vector(hf, tvb, pinfo, server_name_tree, offset, next_offset, &server_name_length,
8303 hf->hf.hs_ext_server_name_len, 1, UINT16_MAX(65535))) {
8304 return next_offset;
8305 }
8306 offset += 2;
8307
8308 proto_tree_add_item_ret_string(server_name_tree, hf->hf.hs_ext_server_name,
8309 tvb, offset, server_name_length, ENC_ASCII0x00000000|ENC_NA0x00000000,
8310 pinfo->pool, &server_name);
8311 offset += server_name_length;
8312 // Each type must only occur once, so we don't check for duplicates.
8313 if (name_type == 0) {
8314 proto_item_append_text(tree, " name=%s", server_name);
8315 col_append_fstr(pinfo->cinfo, COL_INFO, " (SNI=%s)", server_name);
8316
8317 if (gbl_resolv_flags.handshake_sni_addr_resolution) {
8318 // Client Hello: Client (Src) -> Server (Dst)
8319 switch (pinfo->dst.type) {
8320 case AT_IPv4:
8321 if (pinfo->dst.len == sizeof(uint32_t)) {
8322 add_ipv4_name(*(uint32_t *)pinfo->dst.data, server_name, false0);
8323 }
8324 break;
8325 case AT_IPv6:
8326 if (pinfo->dst.len == sizeof(ws_in6_addr)) {
8327 add_ipv6_name(pinfo->dst.data, server_name, false0);
8328 }
8329 break;
8330 }
8331 }
8332 }
8333 }
8334 return offset;
8335}
8336
8337static int
8338ssl_dissect_hnd_hello_ext_session_ticket(ssl_common_dissect_t *hf, tvbuff_t *tvb,
8339 proto_tree *tree, uint32_t offset, uint32_t offset_end, uint8_t hnd_type, SslDecryptSession *ssl)
8340{
8341 unsigned ext_len = offset_end - offset;
8342 if (hnd_type == SSL_HND_CLIENT_HELLO && ssl && ext_len != 0) {
8343 tvb_ensure_bytes_exist(tvb, offset, ext_len);
8344 /* Save the Session Ticket such that it can be used as identifier for
8345 * restoring a previous Master Secret (in ChangeCipherSpec) */
8346 ssl->session_ticket.data = (unsigned char*)wmem_realloc(wmem_file_scope(),
8347 ssl->session_ticket.data, ext_len);
8348 ssl->session_ticket.data_len = ext_len;
8349 tvb_memcpy(tvb,ssl->session_ticket.data, offset, ext_len);
8350 }
8351 proto_tree_add_item(tree, hf->hf.hs_ext_session_ticket,
8352 tvb, offset, ext_len, ENC_NA0x00000000);
8353 return offset + ext_len;
8354}
8355
8356static int
8357ssl_dissect_hnd_hello_ext_cert_type(ssl_common_dissect_t *hf, tvbuff_t *tvb,
8358 proto_tree *tree, uint32_t offset, uint32_t offset_end,
8359 uint8_t hnd_type, uint16_t ext_type, SslSession *session)
8360{
8361 uint8_t cert_list_length;
8362 uint8_t cert_type;
8363 proto_tree *cert_list_tree;
8364 proto_item *ti;
8365
8366 switch(hnd_type){
8367 case SSL_HND_CLIENT_HELLO:
8368 cert_list_length = tvb_get_uint8(tvb, offset);
8369 proto_tree_add_item(tree, hf->hf.hs_ext_cert_types_len,
8370 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
8371 offset += 1;
8372 if (offset_end - offset != (uint32_t)cert_list_length)
8373 return offset;
8374
8375 ti = proto_tree_add_item(tree, hf->hf.hs_ext_cert_types, tvb, offset,
8376 cert_list_length, cert_list_length);
8377 proto_item_append_text(ti, " (%d)", cert_list_length);
8378
8379 /* make this a subtree */
8380 cert_list_tree = proto_item_add_subtree(ti, hf->ett.hs_ext_cert_types);
8381
8382 /* loop over all point formats */
8383 while (cert_list_length > 0)
8384 {
8385 proto_tree_add_item(cert_list_tree, hf->hf.hs_ext_cert_type, tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
8386 offset++;
8387 cert_list_length--;
8388 }
8389 break;
8390 case SSL_HND_SERVER_HELLO:
8391 case SSL_HND_ENCRYPTED_EXTENSIONS:
8392 case SSL_HND_CERTIFICATE:
8393 cert_type = tvb_get_uint8(tvb, offset);
8394 proto_tree_add_item(tree, hf->hf.hs_ext_cert_type, tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
8395 offset += 1;
8396 if (ext_type == SSL_HND_HELLO_EXT_CERT_TYPE9 || ext_type == SSL_HND_HELLO_EXT_CLIENT_CERT_TYPE19) {
8397 session->client_cert_type = cert_type;
8398 }
8399 if (ext_type == SSL_HND_HELLO_EXT_CERT_TYPE9 || ext_type == SSL_HND_HELLO_EXT_SERVER_CERT_TYPE20) {
8400 session->server_cert_type = cert_type;
8401 }
8402 break;
8403 default: /* no default */
8404 break;
8405 }
8406
8407 return offset;
8408}
8409
8410static uint32_t
8411ssl_dissect_hnd_hello_ext_compress_certificate(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8412 proto_tree *tree, uint32_t offset, uint32_t offset_end,
8413 uint8_t hnd_type, SslDecryptSession *ssl _U___attribute__((unused)))
8414{
8415 uint32_t compress_certificate_algorithms_length, next_offset;
8416
8417 /* https://tools.ietf.org/html/draft-ietf-tls-certificate-compression-03#section-3.0
8418 * enum {
8419 * zlib(1),
8420 * brotli(2),
8421 * (65535)
8422 * } CertificateCompressionAlgorithm;
8423 *
8424 * struct {
8425 * CertificateCompressionAlgorithm algorithms<1..2^8-1>;
8426 * } CertificateCompressionAlgorithms;
8427 */
8428 switch (hnd_type) {
8429 case SSL_HND_CLIENT_HELLO:
8430 case SSL_HND_CERT_REQUEST:
8431 /* CertificateCompressionAlgorithm algorithms<1..2^8-1>;*/
8432 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &compress_certificate_algorithms_length,
8433 hf->hf.hs_ext_compress_certificate_algorithms_length, 1, UINT8_MAX(255)-1)) {
8434 return offset_end;
8435 }
8436 offset += 1;
8437 next_offset = offset + compress_certificate_algorithms_length;
8438
8439 while (offset < next_offset) {
8440 proto_tree_add_item(tree, hf->hf.hs_ext_compress_certificate_algorithm,
8441 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
8442 offset += 2;
8443 }
8444 break;
8445 default:
8446 break;
8447 }
8448
8449 return offset;
8450}
8451
8452static uint32_t
8453ssl_dissect_hnd_hello_ext_token_binding(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8454 proto_tree *tree, uint32_t offset, uint32_t offset_end,
8455 uint8_t hnd_type, SslDecryptSession *ssl _U___attribute__((unused)))
8456{
8457 uint32_t key_parameters_length, next_offset;
8458 proto_item *p_ti;
8459 proto_tree *p_tree;
8460
8461 /* RFC 8472
8462 *
8463 * struct {
8464 * uint8 major;
8465 * uint8 minor;
8466 * } TB_ProtocolVersion;
8467 *
8468 * enum {
8469 * rsa2048_pkcs1.5(0), rsa2048_pss(1), ecdsap256(2), (255)
8470 * } TokenBindingKeyParameters;
8471 *
8472 * struct {
8473 * TB_ProtocolVersion token_binding_version;
8474 * TokenBindingKeyParameters key_parameters_list<1..2^8-1>
8475 * } TokenBindingParameters;
8476 */
8477
8478 switch (hnd_type) {
8479 case SSL_HND_CLIENT_HELLO:
8480 case SSL_HND_SERVER_HELLO:
8481 proto_tree_add_item(tree, hf->hf.hs_ext_token_binding_version_major, tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
8482 offset += 1;
8483 proto_tree_add_item(tree, hf->hf.hs_ext_token_binding_version_minor, tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
8484 offset += 1;
8485
8486 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &key_parameters_length,
8487 hf->hf.hs_ext_token_binding_key_parameters_length, 1, UINT8_MAX(255))) {
8488 return offset_end;
8489 }
8490 offset += 1;
8491 next_offset = offset + key_parameters_length;
8492
8493 p_ti = proto_tree_add_none_format(tree,
8494 hf->hf.hs_ext_token_binding_key_parameters,
8495 tvb, offset, key_parameters_length,
8496 "Key parameters identifiers (%d identifier%s)",
8497 key_parameters_length,
8498 plurality(key_parameters_length, "", "s")((key_parameters_length) == 1 ? ("") : ("s")));
8499 p_tree = proto_item_add_subtree(p_ti, hf->ett.hs_ext_token_binding_key_parameters);
8500
8501 while (offset < next_offset) {
8502 proto_tree_add_item(p_tree, hf->hf.hs_ext_token_binding_key_parameter,
8503 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
8504 offset += 1;
8505 }
8506
8507 if (!ssl_end_vector(hf, tvb, pinfo, p_tree, offset, next_offset)) {
8508 offset = next_offset;
8509 }
8510
8511 break;
8512 default:
8513 break;
8514 }
8515
8516 return offset;
8517}
8518
8519static uint32_t
8520ssl_dissect_hnd_hello_ext_quic_transport_parameters(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8521 proto_tree *tree, uint32_t offset, uint32_t offset_end,
8522 uint8_t hnd_type, SslDecryptSession *ssl _U___attribute__((unused)))
8523{
8524 bool_Bool use_varint_encoding = true1; // Whether this is draft -27 or newer.
8525 uint32_t next_offset;
8526
8527 /* https://tools.ietf.org/html/draft-ietf-quic-transport-25#section-18
8528 *
8529 * Note: the following structures are not literally defined in the spec,
8530 * they instead use an ASCII diagram.
8531 *
8532 * struct {
8533 * uint16 id;
8534 * opaque value<0..2^16-1>;
8535 * } TransportParameter; // before draft -27
8536 * TransportParameter TransportParameters<0..2^16-1>; // before draft -27
8537 *
8538 * struct {
8539 * opaque ipv4Address[4];
8540 * uint16 ipv4Port;
8541 * opaque ipv6Address[16];
8542 * uint16 ipv6Port;
8543 * opaque connectionId<0..18>;
8544 * opaque statelessResetToken[16];
8545 * } PreferredAddress;
8546 */
8547
8548 if (offset_end - offset >= 6 &&
8549 2 + (unsigned)tvb_get_ntohs(tvb, offset) == offset_end - offset &&
8550 6 + (unsigned)tvb_get_ntohs(tvb, offset + 4) <= offset_end - offset) {
8551 // Assume encoding of Transport Parameters draft -26 or older with at
8552 // least one transport parameter that has a valid length.
8553 use_varint_encoding = false0;
8554 }
8555
8556 if (use_varint_encoding) {
8557 next_offset = offset_end;
8558 } else {
8559 uint32_t quic_length;
8560 // Assume draft -26 or earlier.
8561 /* TransportParameter TransportParameters<0..2^16-1>; */
8562 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &quic_length,
8563 hf->hf.hs_ext_quictp_len, 0, UINT16_MAX(65535))) {
8564 return offset_end;
8565 }
8566 offset += 2;
8567 next_offset = offset + quic_length;
8568 }
8569
8570 while (offset < next_offset) {
8571 uint64_t parameter_type; /* 62-bit space */
8572 uint32_t parameter_length;
8573 proto_tree *parameter_tree;
8574 uint32_t parameter_end_offset;
8575 uint64_t value;
8576 uint32_t len = 0, i;
8577
8578 parameter_tree = proto_tree_add_subtree(tree, tvb, offset, 2, hf->ett.hs_ext_quictp_parameter,
8579 NULL((void*)0), "Parameter");
8580 /* TransportParameter ID and Length. */
8581 if (use_varint_encoding) {
8582 uint64_t parameter_length64;
8583 uint32_t type_len = 0;
8584
8585 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_type,
8586 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &parameter_type, &type_len);
8587 offset += type_len;
8588
8589 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_len,
8590 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &parameter_length64, &len);
8591 parameter_length = (uint32_t)parameter_length64;
8592 offset += len;
8593
8594 proto_item_set_len(parameter_tree, type_len + len + parameter_length);
8595 } else {
8596 parameter_type = tvb_get_ntohs(tvb, offset);
8597 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_type,
8598 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
8599 offset += 2;
8600
8601 /* opaque value<0..2^16-1> */
8602 if (!ssl_add_vector(hf, tvb, pinfo, parameter_tree, offset, next_offset, &parameter_length,
8603 hf->hf.hs_ext_quictp_parameter_len_old, 0, UINT16_MAX(65535))) {
8604 return next_offset;
8605 }
8606 offset += 2;
8607
8608 proto_item_set_len(parameter_tree, 4 + parameter_length);
8609 }
8610
8611 if (IS_GREASE_QUIC(parameter_type)((parameter_type) > 27 ? ((((parameter_type) - 27) % 31) ==
0) : 0)) {
8612 proto_item_append_text(parameter_tree, ": GREASE");
8613 } else {
8614 proto_item_append_text(parameter_tree, ": %s", val64_to_str(parameter_type, quic_transport_parameter_id, "Unknown 0x%04x"));
8615 }
8616
8617 proto_item_append_text(parameter_tree, " (len=%u)", parameter_length);
8618 parameter_end_offset = offset + parameter_length;
8619
8620 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_value,
8621 tvb, offset, parameter_length, ENC_NA0x00000000);
8622
8623 switch (parameter_type) {
8624 case SSL_HND_QUIC_TP_ORIGINAL_DESTINATION_CONNECTION_ID0x00:
8625 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_original_destination_connection_id,
8626 tvb, offset, parameter_length, ENC_NA0x00000000);
8627 offset += parameter_length;
8628 break;
8629 case SSL_HND_QUIC_TP_MAX_IDLE_TIMEOUT0x01:
8630 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_max_idle_timeout,
8631 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8632 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u" " ms", value);
8633 offset += len;
8634 break;
8635 case SSL_HND_QUIC_TP_STATELESS_RESET_TOKEN0x02:
8636 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_stateless_reset_token,
8637 tvb, offset, 16, ENC_BIG_ENDIAN0x00000000);
8638 quic_add_stateless_reset_token(pinfo, tvb, offset, NULL((void*)0));
8639 offset += 16;
8640 break;
8641 case SSL_HND_QUIC_TP_MAX_UDP_PAYLOAD_SIZE0x03:
8642 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_max_udp_payload_size,
8643 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8644 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8645 /*TODO display expert info about invalid value (< 1252 or >65527) ? */
8646 offset += len;
8647 break;
8648 case SSL_HND_QUIC_TP_INITIAL_MAX_DATA0x04:
8649 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_data,
8650 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8651 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8652 offset += len;
8653 break;
8654 case SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_BIDI_LOCAL0x05:
8655 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_stream_data_bidi_local,
8656 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8657 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8658 offset += len;
8659 break;
8660 case SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_BIDI_REMOTE0x06:
8661 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_stream_data_bidi_remote,
8662 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8663 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8664 offset += len;
8665 break;
8666 case SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_UNI0x07:
8667 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_stream_data_uni,
8668 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8669 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8670 offset += len;
8671 break;
8672 case SSL_HND_QUIC_TP_INITIAL_MAX_STREAMS_UNI0x09:
8673 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_streams_uni,
8674 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8675 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8676 offset += len;
8677 break;
8678 case SSL_HND_QUIC_TP_INITIAL_MAX_STREAMS_BIDI0x08:
8679 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_streams_bidi,
8680 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8681 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8682 offset += len;
8683 break;
8684 case SSL_HND_QUIC_TP_ACK_DELAY_EXPONENT0x0a:
8685 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_ack_delay_exponent,
8686 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, NULL((void*)0), &len);
8687 /*TODO display multiplier (x8) and expert info about invalid value (> 20) ? */
8688 offset += len;
8689 break;
8690 case SSL_HND_QUIC_TP_MAX_ACK_DELAY0x0b:
8691 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_max_ack_delay,
8692 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8693 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8694 offset += len;
8695 break;
8696 case SSL_HND_QUIC_TP_DISABLE_ACTIVE_MIGRATION0x0c:
8697 /* No Payload */
8698 break;
8699 case SSL_HND_QUIC_TP_PREFERRED_ADDRESS0x0d: {
8700 uint32_t connectionid_length;
8701 quic_cid_t cid;
8702
8703 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_ipv4address,
8704 tvb, offset, 4, ENC_BIG_ENDIAN0x00000000);
8705 offset += 4;
8706 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_ipv4port,
8707 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
8708 offset += 2;
8709 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_ipv6address,
8710 tvb, offset, 16, ENC_NA0x00000000);
8711 offset += 16;
8712 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_ipv6port,
8713 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
8714 offset += 2;
8715 /* XXX - Should we add these addresses and ports as addresses that the client
8716 * is allowed / expected to migrate the server address to? Right now we don't
8717 * enforce that (see RFC 9000 Section 9, which implies that while the client
8718 * can migrate to whatever address it wants, it can only migrate the server
8719 * address to the Server's Preferred Address as in 9.6. Also Issue #20165.)
8720 */
8721
8722 if (!ssl_add_vector(hf, tvb, pinfo, parameter_tree, offset, offset_end, &connectionid_length,
8723 hf->hf.hs_ext_quictp_parameter_pa_connectionid_length, 0, 20)) {
8724 break;
8725 }
8726 offset += 1;
8727
8728 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_connectionid,
8729 tvb, offset, connectionid_length, ENC_NA0x00000000);
8730 if (connectionid_length >= 1 && connectionid_length <= QUIC_MAX_CID_LENGTH20) {
8731 cid.len = connectionid_length;
8732 // RFC 9000 5.1.1 "If the preferred_address transport
8733 // parameter is sent, the sequence number of the supplied
8734 // connection ID is 1."
8735 cid.seq_num = 1;
8736 // Multipath draft-07 "Also, the Path Identifier for the
8737 // connection ID specified in the "preferred address"
8738 // transport parameter is 0."
8739 cid.path_id = 0;
8740 tvb_memcpy(tvb, cid.cid, offset, connectionid_length);
8741 quic_add_connection(pinfo, &cid);
8742 }
8743 offset += connectionid_length;
8744
8745 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_statelessresettoken,
8746 tvb, offset, 16, ENC_NA0x00000000);
8747 if (connectionid_length >= 1 && connectionid_length <= QUIC_MAX_CID_LENGTH20) {
8748 quic_add_stateless_reset_token(pinfo, tvb, offset, &cid);
8749 }
8750 offset += 16;
8751 }
8752 break;
8753 case SSL_HND_QUIC_TP_ACTIVE_CONNECTION_ID_LIMIT0x0e:
8754 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_active_connection_id_limit,
8755 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8756 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8757 offset += len;
8758 break;
8759 case SSL_HND_QUIC_TP_INITIAL_SOURCE_CONNECTION_ID0x0f:
8760 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_source_connection_id,
8761 tvb, offset, parameter_length, ENC_NA0x00000000);
8762 offset += parameter_length;
8763 break;
8764 case SSL_HND_QUIC_TP_RETRY_SOURCE_CONNECTION_ID0x10:
8765 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_retry_source_connection_id,
8766 tvb, offset, parameter_length, ENC_NA0x00000000);
8767 offset += parameter_length;
8768 break;
8769 case SSL_HND_QUIC_TP_MAX_DATAGRAM_FRAME_SIZE0x20:
8770 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_max_datagram_frame_size,
8771 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8772 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8773 offset += len;
8774 break;
8775 case SSL_HND_QUIC_TP_CIBIR_ENCODING0x1000:
8776 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_cibir_encoding_length,
8777 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8778 proto_item_append_text(parameter_tree, " Length: %" PRIu64"l" "u", value);
8779 offset += len;
8780 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_cibir_encoding_offset,
8781 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8782 proto_item_append_text(parameter_tree, ", Offset: %" PRIu64"l" "u", value);
8783 offset += len;
8784 break;
8785 case SSL_HND_QUIC_TP_LOSS_BITS0x1057:
8786 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_loss_bits,
8787 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8788 if (len > 0) {
8789 quic_add_loss_bits(pinfo, value);
8790 }
8791 offset += 1;
8792 break;
8793 case SSL_HND_QUIC_TP_MIN_ACK_DELAY_OLD0xde1a:
8794 case SSL_HND_QUIC_TP_MIN_ACK_DELAY_DRAFT_V10xFF03DE1A:
8795 case SSL_HND_QUIC_TP_MIN_ACK_DELAY_DRAFT050xff04de1a:
8796 case SSL_HND_QUIC_TP_MIN_ACK_DELAY0xff04de1b:
8797 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_min_ack_delay,
8798 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8799 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8800 offset += len;
8801 break;
8802 case SSL_HND_QUIC_TP_GOOGLE_USER_AGENT0x3129:
8803 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_user_agent_id,
8804 tvb, offset, parameter_length, ENC_ASCII0x00000000|ENC_NA0x00000000);
8805 offset += parameter_length;
8806 break;
8807 case SSL_HND_QUIC_TP_GOOGLE_KEY_UPDATE_NOT_YET_SUPPORTED0x312B:
8808 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_key_update_not_yet_supported,
8809 tvb, offset, parameter_length, ENC_NA0x00000000);
8810 offset += parameter_length;
8811 break;
8812 case SSL_HND_QUIC_TP_GOOGLE_QUIC_VERSION0x4752:
8813 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_quic_version,
8814 tvb, offset, 4, ENC_BIG_ENDIAN0x00000000);
8815 offset += 4;
8816 if (hnd_type == SSL_HND_ENCRYPTED_EXTENSIONS) { /* From server */
8817 uint32_t versions_length;
8818
8819 proto_tree_add_item_ret_uint(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_supported_versions_length,
8820 tvb, offset, 1, ENC_NA0x00000000, &versions_length);
8821 offset += 1;
8822 for (i = 0; i < versions_length / 4; i++) {
8823 quic_proto_tree_add_version(tvb, parameter_tree,
8824 hf->hf.hs_ext_quictp_parameter_google_supported_version, offset);
8825 offset += 4;
8826 }
8827 }
8828 break;
8829 case SSL_HND_QUIC_TP_GOOGLE_INITIAL_RTT0x3127:
8830 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_initial_rtt,
8831 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8832 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u" " us", value);
8833 offset += len;
8834 break;
8835 case SSL_HND_QUIC_TP_GOOGLE_SUPPORT_HANDSHAKE_DONE0x312A:
8836 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_support_handshake_done,
8837 tvb, offset, parameter_length, ENC_NA0x00000000);
8838 offset += parameter_length;
8839 break;
8840 case SSL_HND_QUIC_TP_GOOGLE_QUIC_PARAMS0x4751:
8841 /* This field was used for non-standard Google-specific parameters encoded as a
8842 * Google QUIC_CRYPTO CHLO and it has been replaced (version >= T051) by individual
8843 * parameters. Report it as a bytes blob... */
8844 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_quic_params,
8845 tvb, offset, parameter_length, ENC_NA0x00000000);
8846 /* ... and try decoding it: not sure what the first 4 bytes are (but they seems to be always 0) */
8847 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_quic_params_unknown_field,
8848 tvb, offset, 4, ENC_NA0x00000000);
8849 dissect_gquic_tags(tvb, pinfo, parameter_tree, offset + 4);
8850 offset += parameter_length;
8851 break;
8852 case SSL_HND_QUIC_TP_GOOGLE_CONNECTION_OPTIONS0x3128:
8853 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_connection_options,
8854 tvb, offset, parameter_length, ENC_NA0x00000000);
8855 offset += parameter_length;
8856 break;
8857 case SSL_HND_QUIC_TP_ENABLE_TIME_STAMP0x7157:
8858 /* No Payload */
8859 break;
8860 case SSL_HND_QUIC_TP_ENABLE_TIME_STAMP_V20x7158:
8861 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_enable_time_stamp_v2,
8862 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8863 offset += parameter_length;
8864 break;
8865 case SSL_HND_QUIC_TP_VERSION_INFORMATION0x11:
8866 quic_proto_tree_add_version(tvb, parameter_tree,
8867 hf->hf.hs_ext_quictp_parameter_chosen_version, offset);
8868 offset += 4;
8869 for (i = 4; i < parameter_length; i += 4) {
8870 quic_proto_tree_add_version(tvb, parameter_tree,
8871 hf->hf.hs_ext_quictp_parameter_other_version, offset);
8872 offset += 4;
8873 }
8874 break;
8875 case SSL_HND_QUIC_TP_GREASE_QUIC_BIT0x2ab2:
8876 /* No Payload */
8877 quic_add_grease_quic_bit(pinfo);
8878 break;
8879 case SSL_HND_QUIC_TP_FACEBOOK_PARTIAL_RELIABILITY0xFF00:
8880 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_facebook_partial_reliability,
8881 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8882 offset += parameter_length;
8883 break;
8884 case SSL_HND_QUIC_TP_ENABLE_MULTIPATH_DRAFT040x0f739bbc1b666d04:
8885 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_enable_multipath,
8886 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8887 if (value == 1) {
8888 quic_add_multipath(pinfo, QUIC_MP_NO_PATH_ID1);
8889 }
8890 offset += parameter_length;
8891 break;
8892 case SSL_HND_QUIC_TP_ENABLE_MULTIPATH_DRAFT050x0f739bbc1b666d05:
8893 case SSL_HND_QUIC_TP_ENABLE_MULTIPATH0x0f739bbc1b666d06:
8894 /* No Payload */
8895 quic_add_multipath(pinfo, QUIC_MP_NO_PATH_ID1);
8896 break;
8897 case SSL_HND_QUIC_TP_INITIAL_MAX_PATHS0x0f739bbc1b666d07:
8898 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_paths,
8899 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8900 if (value > 1) {
8901 quic_add_multipath(pinfo, QUIC_MP_PATH_ID2);
8902 }
8903 /* multipath draft-07: "The value of the initial_max_paths
8904 * parameter MUST be at least 2." TODO: Expert Info? */
8905 offset += parameter_length;
8906 break;
8907 case SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT090x0f739bbc1b666d09:
8908 case SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID0x0f739bbc1b666d11:
8909 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_path_id,
8910 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8911 /* multipath draft-09 and later: "If an endpoint receives an
8912 * initial_max_path_id transport parameter with value 0, the
8913 * peer aims to enable the multipath extension without allowing
8914 * extra paths immediately."
8915 */
8916 quic_add_multipath(pinfo, QUIC_MP_PATH_ID2);
8917 offset += parameter_length;
8918 break;
8919 default:
8920 offset += parameter_length;
8921 /*TODO display expert info about unknown ? */
8922 break;
8923 }
8924
8925 if (!ssl_end_vector(hf, tvb, pinfo, parameter_tree, offset, parameter_end_offset)) {
8926 /* Dissection did not end at expected location, fix it. */
8927 offset = parameter_end_offset;
8928 }
8929 }
8930
8931 return offset;
8932}
8933
8934static int
8935ssl_dissect_hnd_hello_common(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8936 proto_tree *tree, uint32_t offset,
8937 SslSession *session, SslDecryptSession *ssl,
8938 bool_Bool from_server, bool_Bool is_hrr)
8939{
8940 uint8_t sessid_length;
8941 proto_item *ti;
8942 proto_tree *rnd_tree;
8943 proto_tree *ti_rnd;
8944 proto_tree *ech_confirm_tree;
8945 uint8_t draft_version = session->tls13_draft_version;
8946
8947 if (ssl) {
7
Assuming 'ssl' is non-null, which participates in a condition later
8
Taking true branch
8948 StringInfo *rnd;
8949 if (from_server
8.1
'from_server' is true
)
9
Taking true branch
8950 rnd = &ssl->server_random;
8951 else
8952 rnd = &ssl->client_random;
8953
8954 /* save provided random for later keyring generation */
8955 tvb_memcpy(tvb, rnd->data, offset, 32);
8956 rnd->data_len = 32;
8957 if (from_server
9.1
'from_server' is true
)
10
Taking true branch
8958 ssl->state |= SSL_SERVER_RANDOM(1<<1);
8959 else
8960 ssl->state |= SSL_CLIENT_RANDOM(1<<0);
8961 ssl_debug_printf("%s found %s RANDOM -> state 0x%02X\n", G_STRFUNC((const char*) (__func__)),
8962 from_server
10.1
'from_server' is true
 ? "SERVER" : "CLIENT", ssl->state);
11
'?' condition is true
8963 }
8964
8965 if (!from_server
11.1
'from_server' is true
 && session->client_random.data_len == 0) {
8966 session->client_random.data_len = 32;
8967 tvb_memcpy(tvb, session->client_random.data, offset, 32);
8968 }
8969
8970 ti_rnd = proto_tree_add_item(tree, hf->hf.hs_random, tvb, offset, 32, ENC_NA0x00000000);
8971
8972 if ((session->version != TLSV1DOT3_VERSION0x304) && (session->version != DTLSV1DOT3_VERSION0xfefc)) { /* No time on first bytes random with TLS 1.3 */
12
Assuming field 'version' is not equal to TLSV1DOT3_VERSION
13
Assuming field 'version' is not equal to DTLSV1DOT3_VERSION
14
Taking true branch
8973
8974 rnd_tree = proto_item_add_subtree(ti_rnd, hf->ett.hs_random);
8975 /* show the time */
8976 proto_tree_add_item(rnd_tree, hf->hf.hs_random_time,
8977 tvb, offset, 4, ENC_TIME_SECS0x00000012|ENC_BIG_ENDIAN0x00000000);
8978 offset += 4;
8979
8980 /* show the random bytes */
8981 proto_tree_add_item(rnd_tree, hf->hf.hs_random_bytes,
8982 tvb, offset, 28, ENC_NA0x00000000);
8983 offset += 28;
8984 } else {
8985 if (is_hrr) {
8986 proto_item_append_text(ti_rnd, " (HelloRetryRequest magic)");
8987 } else if (from_server && session->ech) {
8988 ech_confirm_tree = proto_item_add_subtree(ti_rnd, hf->ett.hs_random);
8989 proto_tree_add_item(ech_confirm_tree, hf->hf.hs_ech_confirm, tvb, offset + 24, 8, ENC_NA0x00000000);
8990 ti = proto_tree_add_bytes_with_length(ech_confirm_tree, hf->hf.hs_ech_confirm_compute, tvb, offset + 24, 0,
8991 session->ech_confirmation, 8);
8992 proto_item_set_generated(ti);
8993 if (memcmp(session->ech_confirmation, tvb_get_ptr(tvb, offset+24, 8), 8)) {
8994 expert_add_info(pinfo, ti, &hf->ei.ech_rejected);
8995 } else {
8996 expert_add_info(pinfo, ti, &hf->ei.ech_accepted);
8997 }
8998 }
8999
9000 offset += 32;
9001 }
9002
9003 /* No Session ID with TLS 1.3 on Server Hello before draft -22 */
9004 if (from_server
14.1
'from_server' is not equal to 0
 == 0 || !(session->version
14.2
Field 'version' is not equal to TLSV1DOT3_VERSION
 == TLSV1DOT3_VERSION0x304 && draft_version > 0 && draft_version < 22)) {
15
Taking true branch
9005 /* show the session id (length followed by actual Session ID) */
9006 sessid_length = tvb_get_uint8(tvb, offset);
9007 proto_tree_add_item(tree, hf->hf.hs_session_id_len,
9008 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
9009 offset++;
9010
9011 if (ssl
15.1
'ssl' is non-null, which participates in a condition later
) {
9012 /* save the authoritative SID for later use in ChangeCipherSpec.
9013 * (D)TLS restricts the SID to 32 chars, it does not make sense to
9014 * save more, so ignore larger ones. */
9015 if (from_server
15.2
'from_server' is true
 && sessid_length <= 32) {
16
Assuming 'sessid_length' is > 32
17
Taking false branch
9016 tvb_memcpy(tvb, ssl->session_id.data, offset, sessid_length);
9017 ssl->session_id.data_len = sessid_length;
9018 }
9019 }
9020 if (sessid_length
17.1
'sessid_length' is > 0
 > 0) {
18
Taking true branch
9021 proto_tree_add_item(tree, hf->hf.hs_session_id,
9022 tvb, offset, sessid_length, ENC_NA0x00000000);
9023 offset += sessid_length;
9024 }
9025 }
9026
9027 return offset;
9028}
9029
9030static int
9031ssl_dissect_hnd_hello_ext_status_request(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9032 proto_tree *tree, uint32_t offset, uint32_t offset_end,
9033 bool_Bool has_length)
9034{
9035 /* TLS 1.2/1.3 status_request Client Hello Extension.
9036 * TLS 1.2 status_request_v2 CertificateStatusRequestItemV2 type.
9037 * https://tools.ietf.org/html/rfc6066#section-8 (status_request)
9038 * https://tools.ietf.org/html/rfc6961#section-2.2 (status_request_v2)
9039 * struct {
9040 * CertificateStatusType status_type;
9041 * uint16 request_length; // for status_request_v2
9042 * select (status_type) {
9043 * case ocsp: OCSPStatusRequest;
9044 * case ocsp_multi: OCSPStatusRequest;
9045 * } request;
9046 * } CertificateStatusRequest; // CertificateStatusRequestItemV2
9047 *
9048 * enum { ocsp(1), ocsp_multi(2), (255) } CertificateStatusType;
9049 * struct {
9050 * ResponderID responder_id_list<0..2^16-1>;
9051 * Extensions request_extensions;
9052 * } OCSPStatusRequest;
9053 * opaque ResponderID<1..2^16-1>;
9054 * opaque Extensions<0..2^16-1>;
9055 */
9056 unsigned cert_status_type;
9057
9058 cert_status_type = tvb_get_uint8(tvb, offset);
9059 proto_tree_add_item(tree, hf->hf.hs_ext_cert_status_type,
9060 tvb, offset, 1, ENC_NA0x00000000);
9061 offset++;
9062
9063 if (has_length) {
9064 proto_tree_add_item(tree, hf->hf.hs_ext_cert_status_request_len,
9065 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
9066 offset += 2;
9067 }
9068
9069 switch (cert_status_type) {
9070 case SSL_HND_CERT_STATUS_TYPE_OCSP1:
9071 case SSL_HND_CERT_STATUS_TYPE_OCSP_MULTI2:
9072 {
9073 uint32_t responder_id_list_len;
9074 uint32_t request_extensions_len;
9075
9076 /* ResponderID responder_id_list<0..2^16-1> */
9077 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &responder_id_list_len,
9078 hf->hf.hs_ext_cert_status_responder_id_list_len, 0, UINT16_MAX(65535))) {
9079 return offset_end;
9080 }
9081 offset += 2;
9082 if (responder_id_list_len != 0) {
9083 proto_tree_add_expert_format(tree, pinfo, &hf->ei.hs_ext_cert_status_undecoded,
9084 tvb, offset, responder_id_list_len,
9085 "Responder ID list is not implemented, contact Wireshark"
9086 " developers if you want this to be supported");
9087 }
9088 offset += responder_id_list_len;
9089
9090 /* opaque Extensions<0..2^16-1> */
9091 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &request_extensions_len,
9092 hf->hf.hs_ext_cert_status_request_extensions_len, 0, UINT16_MAX(65535))) {
9093 return offset_end;
9094 }
9095 offset += 2;
9096 if (request_extensions_len != 0) {
9097 proto_tree_add_expert_format(tree, pinfo, &hf->ei.hs_ext_cert_status_undecoded,
9098 tvb, offset, request_extensions_len,
9099 "Request Extensions are not implemented, contact"
9100 " Wireshark developers if you want this to be supported");
9101 }
9102 offset += request_extensions_len;
9103 break;
9104 }
9105 }
9106
9107 return offset;
9108}
9109
9110static unsigned
9111ssl_dissect_hnd_hello_ext_status_request_v2(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9112 proto_tree *tree, uint32_t offset, uint32_t offset_end)
9113{
9114 /* https://tools.ietf.org/html/rfc6961#section-2.2
9115 * struct {
9116 * CertificateStatusRequestItemV2 certificate_status_req_list<1..2^16-1>;
9117 * } CertificateStatusRequestListV2;
9118 */
9119 uint32_t req_list_length, next_offset;
9120
9121 /* CertificateStatusRequestItemV2 certificate_status_req_list<1..2^16-1> */
9122 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &req_list_length,
9123 hf->hf.hs_ext_cert_status_request_list_len, 1, UINT16_MAX(65535))) {
9124 return offset_end;
9125 }
9126 offset += 2;
9127 next_offset = offset + req_list_length;
9128
9129 while (offset < next_offset) {
9130 offset = ssl_dissect_hnd_hello_ext_status_request(hf, tvb, pinfo, tree, offset, next_offset, true1);
9131 }
9132
9133 return offset;
9134}
9135
9136static uint32_t
9137tls_dissect_ocsp_response(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
9138 uint32_t offset, uint32_t offset_end)
9139{
9140 uint32_t response_length;
9141 proto_item *ocsp_resp;
9142 proto_tree *ocsp_resp_tree;
9143 asn1_ctx_t asn1_ctx;
9144
9145 /* opaque OCSPResponse<1..2^24-1>; */
9146 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &response_length,
9147 hf->hf.hs_ocsp_response_len, 1, G_MAXUINT24((1U << 24) - 1))) {
9148 return offset_end;
9149 }
9150 offset += 3;
9151
9152 ocsp_resp = proto_tree_add_item(tree, proto_ocsp, tvb, offset,
9153 response_length, ENC_BIG_ENDIAN0x00000000);
9154 proto_item_set_text(ocsp_resp, "OCSP Response");
9155 ocsp_resp_tree = proto_item_add_subtree(ocsp_resp, hf->ett.ocsp_response);
9156 if (proto_is_protocol_enabled(find_protocol_by_id(proto_ocsp))) {
9157 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true1, pinfo);
9158 dissect_ocsp_OCSPResponse(false0, tvb, offset, &asn1_ctx, ocsp_resp_tree, -1);
9159 }
9160 offset += response_length;
9161
9162 return offset;
9163}
9164
9165uint32_t
9166tls_dissect_hnd_certificate_status(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9167 proto_tree *tree, uint32_t offset, uint32_t offset_end)
9168{
9169 /* TLS 1.2 "CertificateStatus" handshake message.
9170 * TLS 1.3 "status_request" Certificate extension.
9171 * struct {
9172 * CertificateStatusType status_type;
9173 * select (status_type) {
9174 * case ocsp: OCSPResponse;
9175 * case ocsp_multi: OCSPResponseList; // status_request_v2
9176 * } response;
9177 * } CertificateStatus;
9178 * opaque OCSPResponse<1..2^24-1>;
9179 * struct {
9180 * OCSPResponse ocsp_response_list<1..2^24-1>;
9181 * } OCSPResponseList; // status_request_v2
9182 */
9183 uint32_t status_type, resp_list_length, next_offset;
9184
9185 proto_tree_add_item_ret_uint(tree, hf->hf.hs_ext_cert_status_type,
9186 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000, &status_type);
9187 offset += 1;
9188
9189 switch (status_type) {
9190 case SSL_HND_CERT_STATUS_TYPE_OCSP1:
9191 offset = tls_dissect_ocsp_response(hf, tvb, pinfo, tree, offset, offset_end);
9192 break;
9193
9194 case SSL_HND_CERT_STATUS_TYPE_OCSP_MULTI2:
9195 /* OCSPResponse ocsp_response_list<1..2^24-1> */
9196 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &resp_list_length,
9197 hf->hf.hs_ocsp_response_list_len, 1, G_MAXUINT24((1U << 24) - 1))) {
9198 return offset_end;
9199 }
9200 offset += 3;
9201 next_offset = offset + resp_list_length;
9202
9203 while (offset < next_offset) {
9204 offset = tls_dissect_ocsp_response(hf, tvb, pinfo, tree, offset, next_offset);
9205 }
9206 break;
9207 }
9208
9209 return offset;
9210}
9211
9212static unsigned
9213ssl_dissect_hnd_hello_ext_supported_groups(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9214 proto_tree *tree, uint32_t offset, uint32_t offset_end,
9215 wmem_strbuf_t *ja3)
9216{
9217 /* RFC 8446 Section 4.2.7
9218 * enum { ..., (0xFFFF) } NamedGroup;
9219 * struct {
9220 * NamedGroup named_group_list<2..2^16-1>
9221 * } NamedGroupList;
9222 *
9223 * NOTE: "NamedCurve" (RFC 4492) is renamed to "NamedGroup" (RFC 7919) and
9224 * the extension itself from "elliptic_curves" to "supported_groups".
9225 */
9226 uint32_t groups_length, next_offset;
9227 proto_tree *groups_tree;
9228 proto_item *ti;
9229 char *ja3_dash = "";
9230
9231 /* NamedGroup named_group_list<2..2^16-1> */
9232 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &groups_length,
9233 hf->hf.hs_ext_supported_groups_len, 2, UINT16_MAX(65535))) {
9234 return offset_end;
9235 }
9236 offset += 2;
9237 next_offset = offset + groups_length;
9238
9239 ti = proto_tree_add_none_format(tree,
9240 hf->hf.hs_ext_supported_groups,
9241 tvb, offset, groups_length,
9242 "Supported Groups (%d group%s)",
9243 groups_length / 2,
9244 plurality(groups_length/2, "", "s")((groups_length/2) == 1 ? ("") : ("s")));
9245
9246 /* make this a subtree */
9247 groups_tree = proto_item_add_subtree(ti, hf->ett.hs_ext_groups);
9248
9249 if (ja3) {
9250 wmem_strbuf_append_c(ja3, ',');
9251 }
9252 /* loop over all groups */
9253 while (offset + 2 <= offset_end) {
9254 uint32_t ext_supported_group;
9255
9256 proto_tree_add_item_ret_uint(groups_tree, hf->hf.hs_ext_supported_group, tvb, offset, 2,
9257 ENC_BIG_ENDIAN0x00000000, &ext_supported_group);
9258 offset += 2;
9259 if (ja3 && !IS_GREASE_TLS(ext_supported_group)((((ext_supported_group) & 0x0f0f) == 0x0a0a) && (
((ext_supported_group) & 0xff) == (((ext_supported_group)
>>8) & 0xff)))) {
9260 wmem_strbuf_append_printf(ja3, "%s%i",ja3_dash, ext_supported_group);
9261 ja3_dash = "-";
9262 }
9263 }
9264 if (!ssl_end_vector(hf, tvb, pinfo, groups_tree, offset, next_offset)) {
9265 offset = next_offset;
9266 }
9267
9268 return offset;
9269}
9270
9271static int
9272ssl_dissect_hnd_hello_ext_ec_point_formats(ssl_common_dissect_t *hf, tvbuff_t *tvb,
9273 proto_tree *tree, uint32_t offset, wmem_strbuf_t *ja3)
9274{
9275 uint8_t ecpf_length;
9276 proto_tree *ecpf_tree;
9277 proto_item *ti;
9278
9279 ecpf_length = tvb_get_uint8(tvb, offset);
9280 proto_tree_add_item(tree, hf->hf.hs_ext_ec_point_formats_len,
9281 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
9282
9283 offset += 1;
9284 ti = proto_tree_add_none_format(tree,
9285 hf->hf.hs_ext_ec_point_formats,
9286 tvb, offset, ecpf_length,
9287 "Elliptic curves point formats (%d)",
9288 ecpf_length);
9289
9290 /* make this a subtree */
9291 ecpf_tree = proto_item_add_subtree(ti, hf->ett.hs_ext_curves_point_formats);
9292
9293 if (ja3) {
9294 wmem_strbuf_append_c(ja3, ',');
9295 }
9296
9297 /* loop over all point formats */
9298 while (ecpf_length > 0)
9299 {
9300 uint32_t ext_ec_point_format;
9301
9302 proto_tree_add_item_ret_uint(ecpf_tree, hf->hf.hs_ext_ec_point_format, tvb, offset, 1,
9303 ENC_BIG_ENDIAN0x00000000, &ext_ec_point_format);
9304 offset++;
9305 ecpf_length--;
9306 if (ja3) {
9307 wmem_strbuf_append_printf(ja3, "%i", ext_ec_point_format);
9308 if (ecpf_length > 0) {
9309 wmem_strbuf_append_c(ja3, '-');
9310 }
9311 }
9312 }
9313
9314 return offset;
9315}
9316
9317static int
9318ssl_dissect_hnd_hello_ext_srp(ssl_common_dissect_t *hf, tvbuff_t *tvb,
9319 packet_info *pinfo, proto_tree *tree,
9320 uint32_t offset, uint32_t next_offset)
9321{
9322 /* https://tools.ietf.org/html/rfc5054#section-2.8.1
9323 * opaque srp_I<1..2^8-1>;
9324 */
9325 uint32_t username_len;
9326
9327 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, next_offset, &username_len,
9328 hf->hf.hs_ext_srp_len, 1, UINT8_MAX(255))) {
9329 return next_offset;
9330 }
9331 offset++;
9332
9333 proto_tree_add_item(tree, hf->hf.hs_ext_srp_username,
9334 tvb, offset, username_len, ENC_UTF_80x00000002|ENC_NA0x00000000);
9335 offset += username_len;
9336
9337 return offset;
9338}
9339
9340static uint32_t
9341tls_dissect_sct(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
9342 uint32_t offset, uint32_t offset_end, uint16_t version)
9343{
9344 /* https://tools.ietf.org/html/rfc6962#section-3.2
9345 * enum { v1(0), (255) } Version;
9346 * struct {
9347 * opaque key_id[32];
9348 * } LogID;
9349 * opaque CtExtensions<0..2^16-1>;
9350 * struct {
9351 * Version sct_version;
9352 * LogID id;
9353 * uint64 timestamp;
9354 * CtExtensions extensions;
9355 * digitally-signed struct { ... };
9356 * } SignedCertificateTimestamp;
9357 */
9358 uint32_t sct_version;
9359 uint64_t sct_timestamp_ms;
9360 nstime_t sct_timestamp;
9361 uint32_t exts_len;
9362 const char *log_name;
9363
9364 proto_tree_add_item_ret_uint(tree, hf->hf.sct_sct_version, tvb, offset, 1, ENC_NA0x00000000, &sct_version);
9365 offset++;
9366 if (sct_version != 0) {
9367 // TODO expert info about unknown SCT version?
9368 return offset;
9369 }
9370 proto_tree_add_item(tree, hf->hf.sct_sct_logid, tvb, offset, 32, ENC_BIG_ENDIAN0x00000000);
9371 log_name = bytesval_to_str(tvb_get_ptr(tvb, offset, 32), 32, ct_logids, "Unknown Log");
9372 proto_item_append_text(tree, " (%s)", log_name);
9373 offset += 32;
9374 sct_timestamp_ms = tvb_get_ntoh64(tvb, offset);
9375 sct_timestamp.secs = (time_t)(sct_timestamp_ms / 1000);
9376 sct_timestamp.nsecs = (int)((sct_timestamp_ms % 1000) * 1000000);
9377 proto_tree_add_time(tree, hf->hf.sct_sct_timestamp, tvb, offset, 8, &sct_timestamp);
9378 offset += 8;
9379 /* opaque CtExtensions<0..2^16-1> */
9380 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &exts_len,
9381 hf->hf.sct_sct_extensions_length, 0, UINT16_MAX(65535))) {
9382 return offset_end;
9383 }
9384 offset += 2;
9385 if (exts_len > 0) {
9386 proto_tree_add_item(tree, hf->hf.sct_sct_extensions, tvb, offset, exts_len, ENC_BIG_ENDIAN0x00000000);
9387 offset += exts_len;
9388 }
9389 offset = ssl_dissect_digitally_signed(hf, tvb, pinfo, tree, offset, offset_end, version,
9390 hf->hf.sct_sct_signature_length,
9391 hf->hf.sct_sct_signature);
9392 return offset;
9393}
9394
9395uint32_t
9396tls_dissect_sct_list(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
9397 uint32_t offset, uint32_t offset_end, uint16_t version)
9398{
9399 /* https://tools.ietf.org/html/rfc6962#section-3.3
9400 * opaque SerializedSCT<1..2^16-1>;
9401 * struct {
9402 * SerializedSCT sct_list <1..2^16-1>;
9403 * } SignedCertificateTimestampList;
9404 */
9405 uint32_t list_length, sct_length, next_offset;
9406 proto_tree *subtree;
9407
9408 /* SerializedSCT sct_list <1..2^16-1> */
9409 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &list_length,
9410 hf->hf.sct_scts_length, 1, UINT16_MAX(65535))) {
9411 return offset_end;
9412 }
9413 offset += 2;
9414
9415 while (offset < offset_end) {
9416 subtree = proto_tree_add_subtree(tree, tvb, offset, 2, hf->ett.sct, NULL((void*)0), "Signed Certificate Timestamp");
9417
9418 /* opaque SerializedSCT<1..2^16-1> */
9419 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, offset_end, &sct_length,
9420 hf->hf.sct_sct_length, 1, UINT16_MAX(65535))) {
9421 return offset_end;
9422 }
9423 offset += 2;
9424 next_offset = offset + sct_length;
9425 proto_item_set_len(subtree, 2 + sct_length);
9426 offset = tls_dissect_sct(hf, tvb, pinfo, subtree, offset, next_offset, version);
9427 if (!ssl_end_vector(hf, tvb, pinfo, subtree, offset, next_offset)) {
9428 offset = next_offset;
9429 }
9430 }
9431
9432 return offset;
9433}
9434
9435static int
9436dissect_ech_hpke_cipher_suite(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo _U___attribute__((unused)),
9437 proto_tree *tree, uint32_t offset)
9438{
9439 uint32_t kdf_id, aead_id;
9440 proto_item *cs_ti;
9441 proto_tree *cs_tree;
9442
9443 cs_ti = proto_tree_add_item(tree, hf->hf.ech_hpke_keyconfig_cipher_suite,
9444 tvb, offset, 4, ENC_NA0x00000000);
9445 cs_tree = proto_item_add_subtree(cs_ti, hf->ett.ech_hpke_cipher_suite);
9446
9447 proto_tree_add_item_ret_uint(cs_tree, hf->hf.ech_hpke_keyconfig_cipher_suite_kdf_id,
9448 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &kdf_id);
9449 offset += 2;
9450 proto_tree_add_item_ret_uint(cs_tree, hf->hf.ech_hpke_keyconfig_cipher_suite_aead_id,
9451 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &aead_id);
9452 offset += 2;
9453
9454 proto_item_append_text(cs_ti, ": %s/%s",
9455 val_to_str_const(kdf_id, kdf_id_type_vals, "Unknown"),
9456 val_to_str_const(aead_id, aead_id_type_vals, "Unknown"));
9457 return offset;
9458}
9459
9460static int
9461dissect_ech_hpke_key_config(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9462 proto_tree *tree, uint32_t offset, uint32_t offset_end,
9463 uint32_t *config_id)
9464{
9465 uint32_t length, cipher_suite_length;
9466 proto_item *kc_ti, *css_ti;
9467 proto_tree *kc_tree, *css_tree;
9468 uint32_t original_offset = offset, next_offset;
9469
9470 kc_ti = proto_tree_add_item(tree, hf->hf.ech_hpke_keyconfig,
9471 tvb, offset, -1, ENC_NA0x00000000);
9472 kc_tree = proto_item_add_subtree(kc_ti, hf->ett.ech_hpke_keyconfig);
9473
9474 proto_tree_add_item_ret_uint(kc_tree, hf->hf.ech_hpke_keyconfig_config_id,
9475 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000, config_id);
9476 offset += 1;
9477 proto_tree_add_item(kc_tree, hf->hf.ech_hpke_keyconfig_kem_id,
9478 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
9479 offset += 2;
9480 proto_tree_add_item_ret_uint(kc_tree, hf->hf.ech_hpke_keyconfig_public_key_length,
9481 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &length);
9482 offset += 2;
9483 proto_tree_add_item(kc_tree, hf->hf.ech_hpke_keyconfig_public_key,
9484 tvb, offset, length, ENC_NA0x00000000);
9485 offset += length;
9486
9487 /* HpkeSymmetricCipherSuite cipher_suites<4..2^16-4> */
9488 if (!ssl_add_vector(hf, tvb, pinfo, kc_tree, offset, offset_end, &cipher_suite_length,
9489 hf->hf.ech_hpke_keyconfig_cipher_suites_length, 4, UINT16_MAX(65535) - 3)) {
9490 return offset_end;
9491 }
9492 offset += 2;
9493 next_offset = offset + cipher_suite_length;
9494
9495 css_ti = proto_tree_add_none_format(kc_tree,
9496 hf->hf.ech_hpke_keyconfig_cipher_suites,
9497 tvb, offset, cipher_suite_length,
9498 "Cipher Suites (%d suite%s)",
9499 cipher_suite_length / 4,
9500 plurality(cipher_suite_length / 4, "", "s")((cipher_suite_length / 4) == 1 ? ("") : ("s")));
9501 css_tree = proto_item_add_subtree(css_ti, hf->ett.ech_hpke_cipher_suites);
9502
9503
9504 while (offset + 4 <= next_offset) {
9505 offset = dissect_ech_hpke_cipher_suite(hf, tvb, pinfo, css_tree, offset);
9506 }
9507
9508 if (!ssl_end_vector(hf, tvb, pinfo, css_tree, offset, next_offset)) {
9509 offset = next_offset;
9510 }
9511
9512 proto_item_set_len(kc_ti, offset - original_offset);
9513
9514 return offset;
9515}
9516
9517static int
9518dissect_ech_echconfig_contents(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9519 proto_tree *tree, uint32_t offset, uint32_t offset_end,
9520 const uint8_t **public_name, uint32_t *config_id)
9521{
9522 uint32_t public_name_length, extensions_length, next_offset;
9523
9524 offset = dissect_ech_hpke_key_config(hf, tvb, pinfo, tree, offset, offset_end, config_id);
9525 proto_tree_add_item(tree, hf->hf.ech_echconfigcontents_maximum_name_length,
9526 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
9527 offset += 1;
9528 proto_tree_add_item_ret_uint(tree, hf->hf.ech_echconfigcontents_public_name_length,
9529 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000, &public_name_length);
9530 offset += 1;
9531 proto_tree_add_item_ret_string(tree, hf->hf.ech_echconfigcontents_public_name,
9532 tvb, offset, public_name_length, ENC_ASCII0x00000000, pinfo->pool, public_name);
9533 offset += public_name_length;
9534
9535 /* Extension extensions<0..2^16-1>; */
9536 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &extensions_length,
9537 hf->hf.ech_echconfigcontents_extensions_length, 0, UINT16_MAX(65535))) {
9538 return offset_end;
9539 }
9540 offset += 2;
9541 next_offset = offset + extensions_length;
9542
9543 if (extensions_length > 0) {
9544 proto_tree_add_item(tree, hf->hf.ech_echconfigcontents_extensions,
9545 tvb, offset, extensions_length, ENC_NA0x00000000);
9546 }
9547 offset += extensions_length;
9548
9549 if (!ssl_end_vector(hf, tvb, pinfo, tree, offset, next_offset)) {
9550 offset = next_offset;
9551 }
9552
9553 return offset;
9554}
9555
9556static int
9557dissect_ech_echconfig(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9558 proto_tree *tree, uint32_t offset, uint32_t offset_end)
9559{
9560 uint32_t version, length;
9561 proto_item *ech_ti;
9562 proto_tree *ech_tree;
9563 const uint8_t *public_name = NULL((void*)0);
9564 uint32_t config_id = 0;
9565
9566 ech_ti = proto_tree_add_item(tree, hf->hf.ech_echconfig, tvb, offset, -1, ENC_NA0x00000000);
9567 ech_tree = proto_item_add_subtree(ech_ti, hf->ett.ech_echconfig);
9568
9569 proto_tree_add_item_ret_uint(ech_tree, hf->hf.ech_echconfig_version,
9570 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &version);
9571 offset += 2;
9572 proto_tree_add_item_ret_uint(ech_tree, hf->hf.ech_echconfig_length,
9573 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &length);
9574 offset += 2;
9575
9576 proto_item_set_len(ech_ti, 4 + length);
9577
9578 switch(version) {
9579 case 0xfe0d:
9580 dissect_ech_echconfig_contents(hf, tvb, pinfo, ech_tree, offset, offset_end, &public_name, &config_id);
9581 proto_item_append_text(ech_ti, ": id=%d %s", config_id, public_name);
9582 break;
9583
9584 default:
9585 expert_add_info_format(pinfo, ech_ti, &hf->ei.ech_echconfig_invalid_version, "Unsupported/unknown ECHConfig version 0x%x", version);
9586 }
9587
9588 return 4 + length;
9589}
9590
9591uint32_t
9592ssl_dissect_ext_ech_echconfiglist(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9593 proto_tree *tree, uint32_t offset, uint32_t offset_end)
9594{
9595 uint32_t echconfiglist_length, next_offset;
9596
9597 /* ECHConfig ECHConfigList<1..2^16-1>; */
9598 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &echconfiglist_length,
9599 hf->hf.ech_echconfiglist_length, 1, UINT16_MAX(65535))) {
9600 return offset_end;
9601 }
9602 offset += 2;
9603 next_offset = offset + echconfiglist_length;
9604
9605 while (offset < next_offset) {
9606 offset += dissect_ech_echconfig(hf, tvb, pinfo, tree, offset, offset_end);
9607 }
9608
9609 if (!ssl_end_vector(hf, tvb, pinfo, tree, offset, next_offset)) {
9610 offset = next_offset;
9611 }
9612
9613 return offset;
9614}
9615
9616static uint32_t
9617ssl_dissect_hnd_ech_outer_ext(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
9618 uint32_t offset, uint32_t offset_end)
9619{
9620 uint32_t ext_length, next_offset;
9621 proto_tree *ext_tree;
9622 proto_item *ti;
9623
9624 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &ext_length,
9625 hf->hf.hs_ext_ech_outer_ext_len, 2, G_MAXUINT8((guint8) 0xff))) {
9626 return offset_end;
9627 }
9628 offset += 1;
9629 next_offset = offset + ext_length;
9630
9631 ti = proto_tree_add_none_format(tree,
9632 hf->hf.hs_ext_ech_outer_ext,
9633 tvb, offset, ext_length,
9634 "Outer Extensions (%d extension%s)",
9635 ext_length / 2,
9636 plurality(ext_length/2, "", "s")((ext_length/2) == 1 ? ("") : ("s")));
9637
9638 ext_tree = proto_item_add_subtree(ti, hf->ett.hs_ext);
9639
9640 while (offset + 2 <= offset_end) {
9641 proto_tree_add_item(ext_tree, hf->hf.hs_ext_type, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
9642 offset += 2;
9643 }
9644
9645 if (!ssl_end_vector(hf, tvb, pinfo, ext_tree, offset, next_offset)) {
9646 offset = next_offset;
9647 }
9648
9649 return offset;
9650}
9651
9652static uint32_t
9653// NOLINTNEXTLINE(misc-no-recursion)
9654ssl_dissect_hnd_hello_ext_ech(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9655 proto_tree *tree, uint32_t offset, uint32_t offset_end,
9656 uint8_t hnd_type, SslSession *session, SslDecryptSession *ssl, ssl_master_key_map_t *mk_map,
9657 uint32_t initial_offset, uint32_t hello_length)
9658{
9659 uint32_t ch_type, length;
9660 proto_item *ti, *payload_ti;
9661 proto_tree *retry_tree, *payload_tree;
9662
9663 switch (hnd_type) {
9664 case SSL_HND_CLIENT_HELLO:
9665 /*
9666 * enum { outer(0), inner(1) } ECHClientHelloType;
9667 *
9668 * struct {
9669 * ECHClientHelloType type;
9670 * select (ECHClientHello.type) {
9671 * case outer:
9672 * HpkeSymmetricCipherSuite cipher_suite;
9673 * uint8 config_id;
9674 * opaque enc<0..2^16-1>;
9675 * opaque payload<1..2^16-1>;
9676 * case inner:
9677 * Empty;
9678 * };
9679 * } ECHClientHello;
9680 */
9681
9682 proto_tree_add_item_ret_uint(tree, hf->hf.ech_clienthello_type, tvb, offset, 1, ENC_BIG_ENDIAN0x00000000, &ch_type);
9683 offset += 1;
9684 switch (ch_type) {
9685 case 0: /* outer */
9686 if (ssl && session->first_ch_ech_frame == 0) {
9687 session->first_ch_ech_frame = pinfo->num;
9688 }
9689 offset = dissect_ech_hpke_cipher_suite(hf, tvb, pinfo, tree, offset);
9690 uint16_t kdf_id = tvb_get_ntohs(tvb, offset - 4);
9691 uint16_t aead_id = tvb_get_ntohs(tvb, offset - 2);
9692
9693 proto_tree_add_item(tree, hf->hf.ech_config_id, tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
9694 uint8_t config_id = tvb_get_uint8(tvb, offset);
9695 offset += 1;
9696 proto_tree_add_item_ret_uint(tree, hf->hf.ech_enc_length, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &length);
9697 offset += 2;
9698 proto_tree_add_item(tree, hf->hf.ech_enc, tvb, offset, length, ENC_NA0x00000000);
9699 offset += length;
9700 proto_tree_add_item_ret_uint(tree, hf->hf.ech_payload_length, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &length);
9701 offset += 2;
9702 payload_ti = proto_tree_add_item(tree, hf->hf.ech_payload, tvb, offset, length, ENC_NA0x00000000);
9703 offset += length;
9704
9705 if (!mk_map) {
9706 break;
9707 }
9708 if (session->client_random.data_len == 0) {
9709 ssl_debug_printf("%s missing Client Random\n", G_STRFUNC((const char*) (__func__)));
9710 break;
9711 }
9712 StringInfo *ech_secret = (StringInfo *)g_hash_table_lookup(mk_map->ech_secret, &session->client_random);
9713 StringInfo *ech_config = (StringInfo *)g_hash_table_lookup(mk_map->ech_config, &session->client_random);
9714 if (!ech_secret || !ech_config) {
9715 ssl_debug_printf("%s Cannot find ECH_SECRET or ECH_CONFIG, Encrypted Client Hello decryption impossible\n",
9716 G_STRFUNC((const char*) (__func__)));
9717 break;
9718 }
9719
9720 if (hpke_hkdf_len(kdf_id) == 0) {
9721 ssl_debug_printf("Unsupported KDF\n");
9722 break;
9723 }
9724
9725 if (hpke_aead_key_len(aead_id) == 0) {
9726 ssl_debug_printf("Unsupported AEAD\n");
9727 break;
9728 }
9729
9730 size_t aead_nonce_len = hpke_aead_nonce_len(aead_id);
9731
9732 uint16_t version = GUINT16_FROM_BE(*(uint16_t *)ech_config->data)(((((guint16) ( (guint16) ((guint16) (*(uint16_t *)ech_config
->data) >> 8) | (guint16) ((guint16) (*(uint16_t *)ech_config
->data) << 8))))));
9733 if (version != SSL_HND_HELLO_EXT_ENCRYPTED_CLIENT_HELLO65037) {
9734 ssl_debug_printf("Unexpected version in ECH Config\n");
9735 break;
9736 }
9737 uint32_t ech_config_offset = 2;
9738 if (GUINT16_FROM_BE(*(uint16_t *)(ech_config->data + ech_config_offset))(((((guint16) ( (guint16) ((guint16) (*(uint16_t *)(ech_config
->data + ech_config_offset)) >> 8) | (guint16) ((guint16
) (*(uint16_t *)(ech_config->data + ech_config_offset)) <<
8)))))) != ech_config->data_len - 4) {
9739 ssl_debug_printf("Malformed ECH Config, invalid length\n");
9740 break;
9741 }
9742 ech_config_offset += 2;
9743 if (*(ech_config->data + ech_config_offset) != config_id) {
9744 ssl_debug_printf("ECH Config version mismatch\n");
9745 break;
9746 }
9747 ech_config_offset += 1;
9748 uint16_t kem_id_be = *(uint16_t *)(ech_config->data + ech_config_offset);
9749 uint16_t kem_id = GUINT16_FROM_BE(kem_id_be)(((((guint16) ( (guint16) ((guint16) (kem_id_be) >> 8) |
(guint16) ((guint16) (kem_id_be) << 8))))));
9750 uint8_t suite_id[HPKE_SUIT_ID_LEN10];
9751 hpke_suite_id(kem_id, kdf_id, aead_id, suite_id);
9752 GByteArray *info = g_byte_array_new();
9753 g_byte_array_append(info, "tls ech", 8);
9754 g_byte_array_append(info, ech_config->data, ech_config->data_len);
9755 uint8_t key[AEAD_MAX_KEY_LENGTH32];
9756 uint8_t base_nonce[HPKE_AEAD_NONCE_LENGTH12];
9757 if (hpke_key_schedule(kdf_id, aead_id, ech_secret->data, ech_secret->data_len, suite_id, info->data, info->len, HPKE_MODE_BASE0,
9758 key, base_nonce)) {
9759 g_byte_array_free(info, TRUE(!(0)));
9760 break;
9761 }
9762 g_byte_array_free(info, TRUE(!(0)));
9763 gcry_cipher_hd_t cipher;
9764 if (hpke_setup_aead(&cipher, aead_id, key) ||
9765 hpke_set_nonce(cipher, !session->hrr_ech_declined && pinfo->num > session->first_ch_ech_frame, base_nonce, aead_nonce_len)) {
9766 gcry_cipher_close(cipher);
9767 break;
9768 }
9769 const uint8_t *payload = tvb_get_ptr(tvb, offset - length, length);
9770 uint8_t *ech_aad = (uint8_t *)wmem_alloc(NULL((void*)0), hello_length);
9771 tvb_memcpy(tvb, ech_aad, initial_offset, hello_length);
9772 memset(ech_aad + offset - length - initial_offset, 0, length);
9773 if (gcry_cipher_authenticate(cipher, ech_aad, hello_length)) {
9774 gcry_cipher_close(cipher);
9775 wmem_free(NULL((void*)0), ech_aad);
9776 break;
9777 }
9778 wmem_free(NULL((void*)0), ech_aad);
9779 uint8_t *ech_decrypted_data = (uint8_t *)wmem_alloc(pinfo->pool, length - 16);
9780 if (gcry_cipher_decrypt(cipher, ech_decrypted_data, length - 16, payload, length - 16)) {
9781 gcry_cipher_close(cipher);
9782 break;
9783 }
9784 guchar ech_auth_tag_calc[16];
9785 if (gcry_cipher_gettag(cipher, ech_auth_tag_calc, 16)) {
9786 gcry_cipher_close(cipher);
9787 break;
9788 }
9789 if (ssl && !session->hrr_ech_declined && session->first_ch_ech_frame == pinfo->num)
9790 memcpy(session->first_ech_auth_tag, ech_auth_tag_calc, 16);
9791 gcry_cipher_close(cipher);
9792 if (memcmp(pinfo->num > session->first_ch_ech_frame ? ech_auth_tag_calc : session->first_ech_auth_tag,
9793 payload + length - 16, 16)) {
9794 ssl_debug_printf("%s ECH auth tag mismatch\n", G_STRFUNC((const char*) (__func__)));
9795 } else {
9796 payload_tree = proto_item_add_subtree(payload_ti, hf->ett.ech_decrypt);
9797 tvbuff_t *ech_tvb = tvb_new_child_real_data(tvb, ech_decrypted_data, length - 16, length - 16);
9798 add_new_data_source(pinfo, ech_tvb, "Client Hello Inner");
9799 if (ssl) {
9800 tvb_memcpy(ech_tvb, ssl->client_random.data, 2, 32);
9801 uint32_t len_offset = ssl->ech_transcript.data_len;
9802 if (ssl->ech_transcript.data_len > 0)
9803 ssl->ech_transcript.data = (guchar*)wmem_realloc(wmem_file_scope(), ssl->ech_transcript.data,
9804 ssl->ech_transcript.data_len + hello_length + 4);
9805 else
9806 ssl->ech_transcript.data = (guchar*)wmem_alloc(wmem_file_scope(), hello_length + 4);
9807 ssl->ech_transcript.data[ssl->ech_transcript.data_len] = SSL_HND_CLIENT_HELLO;
9808 ssl->ech_transcript.data[ssl->ech_transcript.data_len + 1] = 0;
9809 tvb_memcpy(ech_tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len + 4, 0, 34);
9810 ssl->ech_transcript.data_len += 38;
9811 tvb_memcpy(tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len, initial_offset + 34,
9812 tvb_get_uint8(tvb, initial_offset + 34) + 1);
9813 ssl->ech_transcript.data_len += tvb_get_uint8(tvb, initial_offset + 34) + 1;
9814 uint32_t ech_offset = 35 + tvb_get_uint8(ech_tvb, 34);
9815 tvb_memcpy(ech_tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len, ech_offset,
9816 2 + tvb_get_ntohs(ech_tvb, ech_offset));
9817 ssl->ech_transcript.data_len += 2 + tvb_get_ntohs(ech_tvb, ech_offset);
9818 ech_offset += 2 + tvb_get_ntohs(ech_tvb, ech_offset);
9819 tvb_memcpy(ech_tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len, ech_offset,
9820 1 + tvb_get_uint8(ech_tvb, ech_offset));
9821 ssl->ech_transcript.data_len += 1 + tvb_get_uint8(ech_tvb, ech_offset);
9822 ech_offset += 1 + tvb_get_uint8(ech_tvb, ech_offset);
9823 uint32_t ech_extensions_len_offset = ssl->ech_transcript.data_len;
9824 ssl->ech_transcript.data_len += 2;
9825 uint16_t extensions_end = ech_offset + tvb_get_ntohs(ech_tvb, ech_offset) + 2;
9826 ech_offset += 2;
9827 while (extensions_end - ech_offset >= 4) {
9828 if (tvb_get_ntohs(ech_tvb, ech_offset) != SSL_HND_HELLO_EXT_ECH_OUTER_EXTENSIONS64768) {
9829 tvb_memcpy(ech_tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len, ech_offset,
9830 4 + tvb_get_ntohs(ech_tvb, ech_offset + 2));
9831 ssl->ech_transcript.data_len += 4 + tvb_get_ntohs(ech_tvb, ech_offset + 2);
9832 ech_offset += 4 + tvb_get_ntohs(ech_tvb, ech_offset + 2);
9833 } else if (tvb_get_ntohs(ech_tvb, ech_offset + 2) > 0) {
9834 uint8_t outer_extensions_end = tvb_get_uint8(ech_tvb, ech_offset + 4) + ech_offset + 5;
9835 ech_offset += 5;
9836 uint16_t outer_offset = initial_offset + 35 + tvb_get_uint8(tvb, initial_offset + 34);
9837 outer_offset += tvb_get_ntohs(tvb, outer_offset) + 2;
9838 outer_offset += tvb_get_uint8(tvb, outer_offset) + 3;
9839 while (outer_extensions_end - ech_offset >= 2) {
9840 while (hello_length - outer_offset >= 4) {
9841 if (tvb_get_ntohs(tvb, outer_offset) == tvb_get_ntohs(ech_tvb, ech_offset)) {
9842 tvb_memcpy(tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len, outer_offset,
9843 4 + tvb_get_ntohs(tvb, outer_offset + 2));
9844 ssl->ech_transcript.data_len += 4 + tvb_get_ntohs(tvb, outer_offset + 2);
9845 outer_offset += 4 + tvb_get_ntohs(tvb, outer_offset + 2);
9846 break;
9847 } else {
9848 outer_offset += 4 + tvb_get_ntohs(tvb, outer_offset + 2);
9849 }
9850 }
9851 ech_offset += 2;
9852 }
9853 }
9854 }
9855 uint16_t ech_extensions_len_be = GUINT16_TO_BE(ssl->ech_transcript.data_len - ech_extensions_len_offset - 2)((((guint16) ( (guint16) ((guint16) (ssl->ech_transcript.data_len
- ech_extensions_len_offset - 2) >> 8) | (guint16) ((guint16
) (ssl->ech_transcript.data_len - ech_extensions_len_offset
- 2) << 8)))));
9856 *(ssl->ech_transcript.data + ech_extensions_len_offset) = ech_extensions_len_be & 0xff;
9857 *(ssl->ech_transcript.data + ech_extensions_len_offset + 1) = (ech_extensions_len_be >> 8);
9858 *(ssl->ech_transcript.data + len_offset + 2) = ((ssl->ech_transcript.data_len - len_offset - 4) >> 8);
9859 *(ssl->ech_transcript.data + len_offset + 3) = (ssl->ech_transcript.data_len - len_offset - 4) & 0xff;
9860 }
9861 uint32_t ech_padding_begin = (uint32_t)ssl_dissect_hnd_cli_hello(hf, ech_tvb, pinfo, payload_tree, 0, length - 16, session,
9862 ssl, NULL((void*)0), mk_map);
9863 if (ech_padding_begin < length - 16) {
9864 proto_tree_add_item(payload_tree, hf->hf.ech_padding_data, ech_tvb, ech_padding_begin, length - 16 - ech_padding_begin,
9865 ENC_NA0x00000000);
9866 }
9867 }
9868
9869 break;
9870 case 1: /* inner */
9871 break;
9872 }
9873 break;
9874
9875 case SSL_HND_ENCRYPTED_EXTENSIONS:
9876 /*
9877 * struct {
9878 * ECHConfigList retry_configs;
9879 * } ECHEncryptedExtensions;
9880 */
9881
9882 ti = proto_tree_add_item(tree, hf->hf.ech_retry_configs, tvb, offset, offset_end - offset, ENC_NA0x00000000);
9883 retry_tree = proto_item_add_subtree(ti, hf->ett.ech_retry_configs);
9884 offset = ssl_dissect_ext_ech_echconfiglist(hf, tvb, pinfo, retry_tree, offset, offset_end);
9885 break;
9886
9887 case SSL_HND_HELLO_RETRY_REQUEST:
9888 /*
9889 * struct {
9890 * opaque confirmation[8];
9891 * } ECHHelloRetryRequest;
9892 */
9893
9894 proto_tree_add_item(tree, hf->hf.ech_confirmation, tvb, offset, 8, ENC_NA0x00000000);
9895 if (session->ech) {
9896 ti = proto_tree_add_bytes_with_length(tree, hf->hf.hs_ech_confirm_compute, tvb, offset, 0, session->hrr_ech_confirmation, 8);
9897 proto_item_set_generated(ti);
9898 if (memcmp(session->hrr_ech_confirmation, tvb_get_ptr(tvb, offset, 8), 8)) {
9899 expert_add_info(pinfo, ti, &hf->ei.ech_rejected);
9900 } else {
9901 expert_add_info(pinfo, ti, &hf->ei.ech_accepted);
9902 }
9903 }
9904 offset += 8;
9905 break;
9906 }
9907
9908 return offset;
9909}
9910
9911static uint32_t
9912ssl_dissect_hnd_hello_ext_esni(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9913 proto_tree *tree, uint32_t offset, uint32_t offset_end,
9914 uint8_t hnd_type, SslDecryptSession *ssl _U___attribute__((unused)))
9915{
9916 uint32_t record_digest_length, encrypted_sni_length;
9917
9918 switch (hnd_type) {
9919 case SSL_HND_CLIENT_HELLO:
9920 /*
9921 * struct {
9922 * CipherSuite suite;
9923 * KeyShareEntry key_share;
9924 * opaque record_digest<0..2^16-1>;
9925 * opaque encrypted_sni<0..2^16-1>;
9926 * } ClientEncryptedSNI;
9927 */
9928 proto_tree_add_item(tree, hf->hf.esni_suite, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
9929 offset += 2;
9930 offset = ssl_dissect_hnd_hello_ext_key_share_entry(hf, tvb, pinfo, tree, offset, offset_end, NULL((void*)0));
9931
9932 /* opaque record_digest<0..2^16-1> */
9933 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &record_digest_length,
9934 hf->hf.esni_record_digest_length, 0, UINT16_MAX(65535))) {
9935 return offset_end;
9936 }
9937 offset += 2;
9938 if (record_digest_length > 0) {
9939 proto_tree_add_item(tree, hf->hf.esni_record_digest, tvb, offset, record_digest_length, ENC_NA0x00000000);
9940 offset += record_digest_length;
9941 }
9942
9943 /* opaque encrypted_sni<0..2^16-1> */
9944 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &encrypted_sni_length,
9945 hf->hf.esni_encrypted_sni_length, 0, UINT16_MAX(65535))) {
9946 return offset_end;
9947 }
9948 offset += 2;
9949 if (encrypted_sni_length > 0) {
9950 proto_tree_add_item(tree, hf->hf.esni_encrypted_sni, tvb, offset, encrypted_sni_length, ENC_NA0x00000000);
9951 offset += encrypted_sni_length;
9952 }
9953 break;
9954
9955 case SSL_HND_ENCRYPTED_EXTENSIONS:
9956 proto_tree_add_item(tree, hf->hf.esni_nonce, tvb, offset, 16, ENC_NA0x00000000);
9957 offset += 16;
9958 break;
9959 }
9960
9961 return offset;
9962}
9963/** TLS Extensions (in Client Hello and Server Hello). }}} */
9964
9965/* Connection ID dissection. {{{ */
9966static uint32_t
9967ssl_dissect_ext_connection_id(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9968 proto_tree *tree, uint32_t offset, SslDecryptSession *ssl,
9969 uint8_t cidl, uint8_t **session_cid, uint8_t *session_cidl)
9970{
9971 /* keep track of the decrypt session only for the first pass */
9972 if (cidl > 0 && !PINFO_FD_VISITED(pinfo)((pinfo)->fd->visited)) {
9973 tvb_ensure_bytes_exist(tvb, offset + 1, cidl);
9974 *session_cidl = cidl;
9975 *session_cid = (uint8_t*)wmem_alloc0(wmem_file_scope(), cidl);
9976 tvb_memcpy(tvb, *session_cid, offset + 1, cidl);
9977 if (ssl) {
9978 ssl_add_session_by_cid(ssl);
9979 }
9980 }
9981
9982 proto_tree_add_item(tree, hf->hf.hs_ext_connection_id_length,
9983 tvb, offset, 1, ENC_NA0x00000000);
9984 offset++;
9985
9986 if (cidl > 0) {
9987 proto_tree_add_item(tree, hf->hf.hs_ext_connection_id,
9988 tvb, offset, cidl, ENC_NA0x00000000);
9989 offset += cidl;
9990 }
9991
9992 return offset;
9993}
9994
9995static uint32_t
9996ssl_dissect_hnd_hello_ext_connection_id(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9997 proto_tree *tree, uint32_t offset, uint8_t hnd_type,
9998 SslSession *session, SslDecryptSession *ssl)
9999{
10000 uint8_t cidl = tvb_get_uint8(tvb, offset);
10001
10002 switch (hnd_type) {
10003 case SSL_HND_CLIENT_HELLO:
10004 session->client_cid_len_present = true1;
10005 return ssl_dissect_ext_connection_id(hf, tvb, pinfo, tree, offset, ssl,
10006 cidl, &session->client_cid, &session->client_cid_len);
10007 case SSL_HND_SERVER_HELLO:
10008 session->server_cid_len_present = true1;
10009 return ssl_dissect_ext_connection_id(hf, tvb, pinfo, tree, offset, ssl,
10010 cidl, &session->server_cid, &session->server_cid_len);
10011 default:
10012 return offset;
10013 }
10014} /* }}} */
10015
10016/* Trusted CA dissection. {{{ */
10017static uint32_t
10018ssl_dissect_hnd_hello_ext_trusted_ca_keys(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
10019 uint32_t offset, uint32_t offset_end)
10020{
10021 proto_item *ti;
10022 proto_tree *subtree;
10023 uint32_t keys_length, next_offset;
10024
10025 /*
10026 * struct {
10027 * TrustedAuthority trusted_authorities_list<0..2^16-1>;
10028 * } TrustedAuthorities;
10029 *
10030 * struct {
10031 * IdentifierType identifier_type;
10032 * select (identifier_type) {
10033 * case pre_agreed: struct {};
10034 * case key_sha1_hash: SHA1Hash;
10035 * case x509_name: DistinguishedName;
10036 * case cert_sha1_hash: SHA1Hash;
10037 * } identifier;
10038 * } TrustedAuthority;
10039 *
10040 * enum {
10041 * pre_agreed(0), key_sha1_hash(1), x509_name(2),
10042 * cert_sha1_hash(3), (255)
10043 * } IdentifierType;
10044 *
10045 * opaque DistinguishedName<1..2^16-1>;
10046 *
10047 */
10048
10049
10050 /* TrustedAuthority trusted_authorities_list<0..2^16-1> */
10051 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &keys_length, hf->hf.hs_ext_trusted_ca_keys_len,
10052 0, UINT16_MAX(65535)))
10053 {
10054 return offset_end;
10055 }
10056 offset += 2;
10057 next_offset = offset + keys_length;
10058
10059 if (keys_length > 0)
10060 {
10061 ti = proto_tree_add_none_format(tree, hf->hf.hs_ext_trusted_ca_keys_list, tvb, offset, keys_length,
10062 "Trusted CA keys (%d byte%s)", keys_length, plurality(keys_length, "", "s")((keys_length) == 1 ? ("") : ("s")));
10063 subtree = proto_item_add_subtree(ti, hf->ett.hs_ext_trusted_ca_keys);
10064
10065 while (offset < next_offset)
10066 {
10067 uint32_t identifier_type;
10068 proto_tree *trusted_key_tree;
10069 proto_item *trusted_key_item;
10070 asn1_ctx_t asn1_ctx;
10071 uint32_t key_len = 0;
10072
10073 identifier_type = tvb_get_uint8(tvb, offset);
10074
10075 // Use 0 as length for now as we'll only know the size when we decode the identifier
10076 trusted_key_item = proto_tree_add_none_format(subtree, hf->hf.hs_ext_trusted_ca_key, tvb,
10077 offset, 0, "Trusted CA Key");
10078 trusted_key_tree = proto_item_add_subtree(trusted_key_item, hf->ett.hs_ext_trusted_ca_key);
10079
10080 proto_tree_add_uint(trusted_key_tree, hf->hf.hs_ext_trusted_ca_key_type, tvb,
10081 offset, 1, identifier_type);
10082 offset++;
10083
10084 /*
10085 * enum {
10086 * pre_agreed(0), key_sha1_hash(1), x509_name(2),
10087 * cert_sha1_hash(3), (255)
10088 * } IdentifierType;
10089 */
10090 switch (identifier_type)
10091 {
10092 case 0:
10093 key_len = 0;
10094 break;
10095 case 2:
10096 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true1, pinfo);
10097
10098 uint32_t name_length;
10099 /* opaque DistinguishedName<1..2^16-1> */
10100 if (!ssl_add_vector(hf, tvb, pinfo, trusted_key_tree, offset, next_offset, &name_length,
10101 hf->hf.hs_ext_trusted_ca_key_dname_len, 1, UINT16_MAX(65535))) {
10102 return next_offset;
10103 }
10104 offset += 2;
10105
10106 dissect_x509if_DistinguishedName(false0, tvb, offset, &asn1_ctx,
10107 trusted_key_tree, hf->hf.hs_ext_trusted_ca_key_dname);
10108 offset += name_length;
10109 break;
10110 case 1:
10111 case 3:
10112 key_len = 20;
10113 /* opaque SHA1Hash[20]; */
10114 proto_tree_add_item(trusted_key_tree, hf->hf.hs_ext_trusted_ca_key_hash, tvb,
10115 offset, 20, ENC_NA0x00000000);
10116 break;
10117
10118 default:
10119 key_len = 0;
10120 /*TODO display expert info about unknown ? */
10121 break;
10122 }
10123 proto_item_set_len(trusted_key_item, 1 + key_len);
10124 offset += key_len;
10125 }
10126 }
10127
10128 if (!ssl_end_vector(hf, tvb, pinfo, tree, offset, next_offset))
10129 {
10130 offset = next_offset;
10131 }
10132
10133 return offset;
10134} /* }}} */
10135
10136
10137/* Whether the Content and Handshake Types are valid; handle Protocol Version. {{{ */
10138bool_Bool
10139ssl_is_valid_content_type(uint8_t type)
10140{
10141 switch ((ContentType) type) {
10142 case SSL_ID_CHG_CIPHER_SPEC:
10143 case SSL_ID_ALERT:
10144 case SSL_ID_HANDSHAKE:
10145 case SSL_ID_APP_DATA:
10146 case SSL_ID_HEARTBEAT:
10147 case SSL_ID_TLS12_CID:
10148 case SSL_ID_DTLS13_ACK:
10149 return true1;
10150 }
10151 return false0;
10152}
10153
10154bool_Bool
10155ssl_is_valid_handshake_type(uint8_t hs_type, bool_Bool is_dtls)
10156{
10157 switch ((HandshakeType) hs_type) {
10158 case SSL_HND_HELLO_VERIFY_REQUEST:
10159 /* hello_verify_request is DTLS-only */
10160 return is_dtls;
10161
10162 case SSL_HND_HELLO_REQUEST:
10163 case SSL_HND_CLIENT_HELLO:
10164 case SSL_HND_SERVER_HELLO:
10165 case SSL_HND_NEWSESSION_TICKET:
10166 case SSL_HND_END_OF_EARLY_DATA:
10167 case SSL_HND_HELLO_RETRY_REQUEST:
10168 case SSL_HND_ENCRYPTED_EXTENSIONS:
10169 case SSL_HND_CERTIFICATE:
10170 case SSL_HND_SERVER_KEY_EXCHG:
10171 case SSL_HND_CERT_REQUEST:
10172 case SSL_HND_SVR_HELLO_DONE:
10173 case SSL_HND_CERT_VERIFY:
10174 case SSL_HND_CLIENT_KEY_EXCHG:
10175 case SSL_HND_FINISHED:
10176 case SSL_HND_CERT_URL:
10177 case SSL_HND_CERT_STATUS:
10178 case SSL_HND_SUPPLEMENTAL_DATA:
10179 case SSL_HND_KEY_UPDATE:
10180 case SSL_HND_COMPRESSED_CERTIFICATE:
10181 case SSL_HND_ENCRYPTED_EXTS:
10182 return true1;
10183 case SSL_HND_MESSAGE_HASH:
10184 return false0;
10185 }
10186 return false0;
10187}
10188
10189static bool_Bool
10190ssl_is_authoritative_version_message(uint8_t content_type, uint8_t handshake_type,
10191 bool_Bool is_dtls)
10192{
10193 /* Consider all valid Handshake messages (except for Client Hello) and
10194 * all other valid record types (other than Handshake) */
10195 return (content_type == SSL_ID_HANDSHAKE &&
10196 ssl_is_valid_handshake_type(handshake_type, is_dtls) &&
10197 handshake_type != SSL_HND_CLIENT_HELLO) ||
10198 (content_type != SSL_ID_HANDSHAKE &&
10199 ssl_is_valid_content_type(content_type));
10200}
10201
10202/**
10203 * Scan a Server Hello handshake message for the negotiated version. For TLS 1.3
10204 * draft 22 and newer, it also checks whether it is a HelloRetryRequest.
10205 * Returns true if the supported_versions extension was found, false if not.
10206 */
10207bool_Bool
10208tls_scan_server_hello(tvbuff_t *tvb, uint32_t offset, uint32_t offset_end,
10209 uint16_t *server_version, bool_Bool *is_hrr)
10210{
10211 /* SHA256("HelloRetryRequest") */
10212 static const uint8_t tls13_hrr_random_magic[] = {
10213 0xcf, 0x21, 0xad, 0x74, 0xe5, 0x9a, 0x61, 0x11, 0xbe, 0x1d, 0x8c, 0x02, 0x1e, 0x65, 0xb8, 0x91,
10214 0xc2, 0xa2, 0x11, 0x16, 0x7a, 0xbb, 0x8c, 0x5e, 0x07, 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c
10215 };
10216 uint8_t session_id_length;
10217
10218 *server_version = tvb_get_ntohs(tvb, offset);
10219
10220 /*
10221 * Try to look for supported_versions extension. Minimum length:
10222 * 2 + 32 + 1 = 35 (version, random, session id length)
10223 * 2 + 1 + 2 = 5 (cipher suite, compression method, extensions length)
10224 * 2 + 2 + 2 = 6 (ext type, ext len, version)
10225 *
10226 * We only check for the [legacy_]version field to be [D]TLS 1.2; if it's 1.3,
10227 * there's a separate expert info warning for that.
10228 */
10229 if ((*server_version == TLSV1DOT2_VERSION0x303 || *server_version == DTLSV1DOT2_VERSION0xfefd) && offset_end - offset >= 46) {
10230 offset += 2;
10231 if (is_hrr) {
10232 *is_hrr = tvb_memeql(tvb, offset, tls13_hrr_random_magic, sizeof(tls13_hrr_random_magic)) == 0;
10233 }
10234 offset += 32;
10235 session_id_length = tvb_get_uint8(tvb, offset);
10236 offset++;
10237 if (offset_end - offset < session_id_length + 5u) {
10238 return false0;
10239 }
10240 offset += session_id_length + 5;
10241
10242 while (offset_end - offset >= 6) {
10243 uint16_t ext_type = tvb_get_ntohs(tvb, offset);
10244 uint16_t ext_len = tvb_get_ntohs(tvb, offset + 2);
10245 if (offset_end - offset < 4u + ext_len) {
10246 break; /* not enough data for type, length and data */
10247 }
10248 if (ext_type == SSL_HND_HELLO_EXT_SUPPORTED_VERSIONS43) {
10249 if (ext_len == 2) {
10250 *server_version = tvb_get_ntohs(tvb, offset + 4);
10251 }
10252 return true1;
10253 }
10254 offset += 4 + ext_len;
10255 }
10256 } else {
10257 if (is_hrr) {
10258 *is_hrr = false0;
10259 }
10260 }
10261 return false0;
10262}
10263
10264/**
10265 * Scan a Client Hello handshake message to see if the supported_versions
10266 * extension is found, in which case the version field is legacy_version.
10267 */
10268static bool_Bool
10269tls_scan_client_hello(tvbuff_t *tvb, uint32_t offset, uint32_t offset_end)
10270{
10271 uint8_t session_id_length;
10272
10273 uint16_t client_version = tvb_get_ntohs(tvb, offset);
10274
10275 /*
10276 * Try to look for supported_versions extension. Minimum length:
10277 * 2 + 32 + 1 = 35 (version, random, session id length)
10278 * 2 + 2 + 1 + 2 = 5 (cipher suite, compression method, extensions length)
10279 * 2 + 2 + 2 = 6 (ext type, ext len, version)
10280 *
10281 * We only check for the [legacy_]version field to be [D]TLS 1.2; if it's 1.3,
10282 * there's a separate expert info warning for that.
10283 */
10284 if ((client_version == TLSV1DOT2_VERSION0x303 || client_version == DTLSV1DOT2_VERSION0xfefd) && offset_end - offset >= 46) {
10285 offset += 2;
10286 offset += 32;
10287 session_id_length = tvb_get_uint8(tvb, offset);
10288 offset++;
10289 if (offset_end - offset < session_id_length + 2u) {
10290 return false0;
10291 }
10292 offset += session_id_length;
10293 if (client_version == DTLSV1DOT2_VERSION0xfefd) {
10294 uint8_t cookie_length = tvb_get_uint8(tvb, offset);
10295 offset++;
10296 if (offset_end - offset < cookie_length + 2u) {
10297 return false0;
10298 }
10299 }
10300 uint16_t cipher_suites_length = tvb_get_ntohs(tvb, offset);
10301 offset += 2;
10302 if (offset_end - offset < cipher_suites_length + 1u) {
10303 return false0;
10304 }
10305 offset += cipher_suites_length;
10306 uint8_t compression_methods_length = tvb_get_uint8(tvb, offset);
10307 offset++;
10308 if (offset_end - offset < compression_methods_length + 2u) {
10309 return false0;
10310 }
10311 offset += compression_methods_length + 2;
10312
10313 while (offset_end - offset >= 6) {
10314 uint16_t ext_type = tvb_get_ntohs(tvb, offset);
10315 uint16_t ext_len = tvb_get_ntohs(tvb, offset + 2);
10316 if (offset_end - offset < 4u + ext_len) {
10317 break; /* not enough data for type, length and data */
10318 }
10319 if (ext_type == SSL_HND_HELLO_EXT_SUPPORTED_VERSIONS43) {
10320 return true1;
10321 }
10322 offset += 4 + ext_len;
10323 }
10324 }
10325 return false0;
10326}
10327void
10328ssl_try_set_version(SslSession *session, SslDecryptSession *ssl,
10329 uint8_t content_type, uint8_t handshake_type,
10330 bool_Bool is_dtls, uint16_t version)
10331{
10332 uint8_t tls13_draft = 0;
10333
10334 if (!ssl_is_authoritative_version_message(content_type, handshake_type,
10335 is_dtls))
10336 return;
10337
10338 version = tls_try_get_version(is_dtls, version, &tls13_draft);
10339 if (version == SSL_VER_UNKNOWN0) {
10340 return;
10341 }
10342
10343 session->tls13_draft_version = tls13_draft;
10344 session->version = version;
10345 if (ssl) {
10346 ssl->state |= SSL_VERSION(1<<4);
10347 ssl_debug_printf("%s found version 0x%04X -> state 0x%02X\n", G_STRFUNC((const char*) (__func__)), version, ssl->state);
10348 }
10349}
10350
10351void
10352ssl_check_record_length(ssl_common_dissect_t *hf, packet_info *pinfo,
10353 ContentType content_type,
10354 unsigned record_length, proto_item *length_pi,
10355 uint16_t version, tvbuff_t *decrypted_tvb)
10356{
10357 unsigned max_expansion;
10358 if (version == TLSV1DOT3_VERSION0x304) {
10359 /* TLS 1.3: Max length is 2^14 + 256 */
10360 max_expansion = 256;
10361 } else {
10362 /* RFC 5246, Section 6.2.3: TLSCiphertext.fragment length MUST NOT exceed 2^14 + 2048 */
10363 max_expansion = 2048;
10364 }
10365 /*
10366 * RFC 5246 (TLS 1.2), Section 6.2.1 forbids zero-length Handshake, Alert
10367 * and ChangeCipherSpec.
10368 * RFC 6520 (Heartbeats) does not mention zero-length Heartbeat fragments,
10369 * so assume it is permitted.
10370 * RFC 6347 (DTLS 1.2) does not mention zero-length fragments either, so
10371 * assume TLS 1.2 requirements.
10372 */
10373 if (record_length == 0 &&
10374 (content_type == SSL_ID_CHG_CIPHER_SPEC ||
10375 content_type == SSL_ID_ALERT ||
10376 content_type == SSL_ID_HANDSHAKE)) {
10377 expert_add_info_format(pinfo, length_pi, &hf->ei.record_length_invalid,
10378 "Zero-length %s fragments are not allowed",
10379 val_to_str_const(content_type, ssl_31_content_type, "unknown"));
10380 }
10381 if (record_length > TLS_MAX_RECORD_LENGTH0x4000 + max_expansion) {
10382 expert_add_info_format(pinfo, length_pi, &hf->ei.record_length_invalid,
10383 "TLSCiphertext length MUST NOT exceed 2^14 + %u", max_expansion);
10384 }
10385 if (decrypted_tvb && tvb_captured_length(decrypted_tvb) > TLS_MAX_RECORD_LENGTH0x4000) {
10386 expert_add_info_format(pinfo, length_pi, &hf->ei.record_length_invalid,
10387 "TLSPlaintext length MUST NOT exceed 2^14");
10388 }
10389}
10390
10391static void
10392ssl_set_cipher(SslDecryptSession *ssl, uint16_t cipher)
10393{
10394 /* store selected cipher suite for decryption */
10395 ssl->session.cipher = cipher;
10396
10397 const SslCipherSuite *cs = ssl_find_cipher(cipher);
10398 if (!cs) {
10399 ssl->cipher_suite = NULL((void*)0);
10400 ssl->state &= ~SSL_CIPHER(1<<2);
10401 ssl_debug_printf("%s can't find cipher suite 0x%04X\n", G_STRFUNC((const char*) (__func__)), cipher);
10402 } else if (ssl->session.version == SSLV3_VERSION0x300 && !(cs->dig == DIG_MD50x40 || cs->dig == DIG_SHA0x41)) {
10403 /* A malicious packet capture contains a SSL 3.0 session using a TLS 1.2
10404 * cipher suite that uses for example MACAlgorithm SHA256. Reject that
10405 * to avoid a potential buffer overflow in ssl3_check_mac. */
10406 ssl->cipher_suite = NULL((void*)0);
10407 ssl->state &= ~SSL_CIPHER(1<<2);
10408 ssl_debug_printf("%s invalid SSL 3.0 cipher suite 0x%04X\n", G_STRFUNC((const char*) (__func__)), cipher);
10409 } else {
10410 /* Cipher found, save this for the delayed decoder init */
10411 ssl->cipher_suite = cs;
10412 ssl->state |= SSL_CIPHER(1<<2);
10413 ssl_debug_printf("%s found CIPHER 0x%04X %s -> state 0x%02X\n", G_STRFUNC((const char*) (__func__)), cipher,
10414 val_to_str_ext_const(cipher, &ssl_31_ciphersuite_ext, "unknown"),
10415 ssl->state);
10416 }
10417}
10418/* }}} */
10419
10420
10421/* Client Hello and Server Hello dissections. {{{ */
10422static int
10423ssl_dissect_hnd_extension(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree,
10424 packet_info* pinfo, uint32_t offset, uint32_t offset_end, uint8_t hnd_type,
10425 SslSession *session, SslDecryptSession *ssl,
10426 bool_Bool is_dtls, wmem_strbuf_t *ja3, ja4_data_t *ja4_data,
10427 ssl_master_key_map_t *mk_map, uint32_t initial_offset, uint32_t hello_length);
10428int
10429// NOLINTNEXTLINE(misc-no-recursion)
10430ssl_dissect_hnd_cli_hello(ssl_common_dissect_t *hf, tvbuff_t *tvb,
10431 packet_info *pinfo, proto_tree *tree, uint32_t offset,
10432 uint32_t offset_end, SslSession *session,
10433 SslDecryptSession *ssl, dtls_hfs_t *dtls_hfs, ssl_master_key_map_t *mk_map)
10434{
10435 /* struct {
10436 * ProtocolVersion client_version;
10437 * Random random;
10438 * SessionID session_id;
10439 * opaque cookie<0..32>; //new field for DTLS
10440 * CipherSuite cipher_suites<2..2^16-1>;
10441 * CompressionMethod compression_methods<1..2^8-1>;
10442 * Extension client_hello_extension_list<0..2^16-1>;
10443 * } ClientHello;
10444 */
10445 proto_item *ti;
10446 proto_tree *cs_tree;
10447 uint32_t client_version;
10448 uint32_t cipher_suite_length;
10449 uint32_t compression_methods_length;
10450 uint8_t compression_method;
10451 uint32_t next_offset;
10452 uint32_t initial_offset = offset;
10453 uint32_t hello_length = offset_end - initial_offset;
10454 wmem_strbuf_t *ja3 = wmem_strbuf_new(pinfo->pool, "");
10455 char *ja3_hash;
10456 char *ja3_dash = "";
10457 char *ja4, *ja4_r, *ja4_hash, *ja4_b, *ja4_c;
10458 ja4_data_t ja4_data;
10459 wmem_strbuf_t *ja4_a = wmem_strbuf_new(pinfo->pool, "");
10460 wmem_strbuf_t *ja4_br = wmem_strbuf_new(pinfo->pool, "");
10461 wmem_strbuf_t *ja4_cr = wmem_strbuf_new(pinfo->pool, "");
10462 wmem_list_frame_t *curr_entry;
10463
10464 ja4_data.max_version = 0;
10465 ja4_data.server_name_present = false0;
10466 ja4_data.num_cipher_suites = 0;
10467 ja4_data.num_extensions = 0;
10468 ja4_data.alpn = wmem_strbuf_new(pinfo->pool, "");
10469 ja4_data.cipher_list = wmem_list_new(pinfo->pool);
10470 ja4_data.extension_list = wmem_list_new(pinfo->pool);
10471 ja4_data.sighash_list = wmem_list_new(pinfo->pool);
10472
10473 /* show the client version */
10474 ti = proto_tree_add_item_ret_uint(tree, hf->hf.hs_client_version, tvb,
10475 offset, 2, ENC_BIG_ENDIAN0x00000000,
10476 &client_version);
10477 if (tls_scan_client_hello(tvb, offset, offset_end)) {
10478 expert_add_info(pinfo, ti, &hf->ei.legacy_version);
10479 }
10480 offset += 2;
10481 wmem_strbuf_append_printf(ja3, "%i,", client_version);
10482
10483 /*
10484 * Is it version 1.3?
10485 * If so, that's an error; TLS and DTLS 1.3 Client Hellos claim
10486 * to be TLS 1.2, and mention 1.3 in an extension. See RFC 8446
10487 * section 4.1.2 "Client Hello" and RFC 9147 Section 5.3 "Client
10488 * Hello".
10489 */
10490 if (dtls_hfs != NULL((void*)0)) {
10491 if (client_version == DTLSV1DOT3_VERSION0xfefc) {
10492 /* Don't do that. */
10493 expert_add_info(pinfo, ti, &hf->ei.client_version_error);
10494 }
10495 } else {
10496 if (client_version == TLSV1DOT3_VERSION0x304) {
10497 /* Don't do that. */
10498 expert_add_info(pinfo, ti, &hf->ei.client_version_error);
10499 }
10500 }
10501
10502 /* dissect fields that are present in both ClientHello and ServerHello */
10503 offset = ssl_dissect_hnd_hello_common(hf, tvb, pinfo, tree, offset, session, ssl, false0, false0);
10504
10505 /* fields specific for DTLS (cookie_len, cookie) */
10506 if (dtls_hfs != NULL((void*)0)) {
10507 uint32_t cookie_length;
10508 /* opaque cookie<0..32> (for DTLS only) */
10509 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &cookie_length,
10510 dtls_hfs->hf_dtls_handshake_cookie_len, 0, 32)) {
10511 return offset;
10512 }
10513 offset++;
10514 if (cookie_length > 0) {
10515 proto_tree_add_item(tree, dtls_hfs->hf_dtls_handshake_cookie,
10516 tvb, offset, cookie_length, ENC_NA0x00000000);
10517 offset += cookie_length;
10518 }
10519 }
10520
10521 /* CipherSuite cipher_suites<2..2^16-1> */
10522 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &cipher_suite_length,
10523 hf->hf.hs_cipher_suites_len, 2, UINT16_MAX(65535))) {
10524 return offset;
10525 }
10526 offset += 2;
10527 next_offset = offset + cipher_suite_length;
10528 ti = proto_tree_add_none_format(tree,
10529 hf->hf.hs_cipher_suites,
10530 tvb, offset, cipher_suite_length,
10531 "Cipher Suites (%d suite%s)",
10532 cipher_suite_length / 2,
10533 plurality(cipher_suite_length/2, "", "s")((cipher_suite_length/2) == 1 ? ("") : ("s")));
10534 cs_tree = proto_item_add_subtree(ti, hf->ett.cipher_suites);
10535 while (offset + 2 <= next_offset) {
10536 uint32_t cipher_suite;
10537
10538 proto_tree_add_item_ret_uint(cs_tree, hf->hf.hs_cipher_suite, tvb, offset, 2,
10539 ENC_BIG_ENDIAN0x00000000, &cipher_suite);
10540 offset += 2;
10541 if (!IS_GREASE_TLS(cipher_suite)((((cipher_suite) & 0x0f0f) == 0x0a0a) && (((cipher_suite
) & 0xff) == (((cipher_suite)>>8) & 0xff)))) {
10542 wmem_strbuf_append_printf(ja3, "%s%i",ja3_dash, cipher_suite);
10543 ja3_dash = "-";
10544 ja4_data.num_cipher_suites += 1;
10545 wmem_list_insert_sorted(ja4_data.cipher_list, GUINT_TO_POINTER(cipher_suite)((gpointer) (gulong) (cipher_suite)), wmem_compare_uint);
10546 }
10547 }
10548 wmem_strbuf_append_c(ja3, ',');
10549 if (!ssl_end_vector(hf, tvb, pinfo, cs_tree, offset, next_offset)) {
10550 offset = next_offset;
10551 }
10552
10553 /* CompressionMethod compression_methods<1..2^8-1> */
10554 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &compression_methods_length,
10555 hf->hf.hs_comp_methods_len, 1, UINT8_MAX(255))) {
10556 return offset;
10557 }
10558 offset++;
10559 next_offset = offset + compression_methods_length;
10560 ti = proto_tree_add_none_format(tree,
10561 hf->hf.hs_comp_methods,
10562 tvb, offset, compression_methods_length,
10563 "Compression Methods (%u method%s)",
10564 compression_methods_length,
10565 plurality(compression_methods_length,((compression_methods_length) == 1 ? ("") : ("s"))
10566 "", "s")((compression_methods_length) == 1 ? ("") : ("s")));
10567 cs_tree = proto_item_add_subtree(ti, hf->ett.comp_methods);
10568 while (offset < next_offset) {
10569 compression_method = tvb_get_uint8(tvb, offset);
10570 /* TODO: make reserved/private comp meth. fields selectable */
10571 if (compression_method < 64)
10572 proto_tree_add_uint(cs_tree, hf->hf.hs_comp_method,
10573 tvb, offset, 1, compression_method);
10574 else if (compression_method > 63 && compression_method < 193)
10575 proto_tree_add_uint_format_value(cs_tree, hf->hf.hs_comp_method, tvb, offset, 1,
10576 compression_method, "Reserved - to be assigned by IANA (%u)",
10577 compression_method);
10578 else
10579 proto_tree_add_uint_format_value(cs_tree, hf->hf.hs_comp_method, tvb, offset, 1,
10580 compression_method, "Private use range (%u)",
10581 compression_method);
10582 offset++;
10583 }
10584
10585 /* SSL v3.0 has no extensions, so length field can indeed be missing. */
10586 if (offset < offset_end) {
10587 offset = ssl_dissect_hnd_extension(hf, tvb, tree, pinfo, offset,
10588 offset_end, SSL_HND_CLIENT_HELLO,
10589 session, ssl, dtls_hfs != NULL((void*)0), ja3, &ja4_data, mk_map, initial_offset, hello_length);
10590 if (ja4_data.max_version > 0) {
10591 client_version = ja4_data.max_version;
10592 }
10593 } else {
10594 wmem_strbuf_append_printf(ja3, ",,");
10595 }
10596
10597 if (proto_is_frame_protocol(pinfo->layers,"tcp")) {
10598 wmem_strbuf_append(ja4_a, "t");
10599 } else if (proto_is_frame_protocol(pinfo->layers,"quic")) {
10600 wmem_strbuf_append(ja4_a, "q");
10601 } else if (proto_is_frame_protocol(pinfo->layers,"dtls")) {
10602 wmem_strbuf_append(ja4_a, "d");
10603 }
10604 wmem_strbuf_append_printf(ja4_a, "%s", val_to_str_const(client_version, ssl_version_ja4_names, "00"));
10605 wmem_strbuf_append_printf(ja4_a, "%s", ja4_data.server_name_present ? "d" : "i");
10606 if (ja4_data.num_cipher_suites > 99) {
10607 wmem_strbuf_append(ja4_a, "99");
10608 } else {
10609 wmem_strbuf_append_printf(ja4_a, "%02d", ja4_data.num_cipher_suites);
10610 }
10611 if (ja4_data.num_extensions > 99) {
10612 wmem_strbuf_append(ja4_a, "99");
10613 } else {
10614 wmem_strbuf_append_printf(ja4_a, "%02d", ja4_data.num_extensions);
10615 }
10616 if (wmem_strbuf_get_len(ja4_data.alpn) > 0 ) {
10617 wmem_strbuf_append_printf(ja4_a, "%s", wmem_strbuf_get_str(ja4_data.alpn));
10618 } else {
10619 wmem_strbuf_append(ja4_a, "00");
10620 }
10621
10622 curr_entry = wmem_list_head(ja4_data.cipher_list);
10623 for (unsigned i = 0; i < wmem_list_count(ja4_data.cipher_list); i++) {
10624 wmem_strbuf_append_printf(ja4_br, "%04x", GPOINTER_TO_UINT(wmem_list_frame_data(curr_entry))((guint) (gulong) (wmem_list_frame_data(curr_entry))));
10625 if (i < wmem_list_count(ja4_data.cipher_list) - 1) {
10626 wmem_strbuf_append(ja4_br, ",");
10627 }
10628 curr_entry = wmem_list_frame_next(curr_entry);
10629 }
10630
10631 curr_entry = wmem_list_head(ja4_data.extension_list);
10632 for (unsigned i = 0; i < wmem_list_count(ja4_data.extension_list); i++) {
10633 wmem_strbuf_append_printf(ja4_cr, "%04x", GPOINTER_TO_UINT(wmem_list_frame_data(curr_entry))((guint) (gulong) (wmem_list_frame_data(curr_entry))));
10634 if (i < wmem_list_count(ja4_data.extension_list) - 1) {
10635 wmem_strbuf_append(ja4_cr, ",");
10636 }
10637 curr_entry = wmem_list_frame_next(curr_entry);
10638 }
10639
10640 if (wmem_list_count(ja4_data.sighash_list) > 0) {
10641 wmem_strbuf_append(ja4_cr, "_");
10642 curr_entry = wmem_list_head(ja4_data.sighash_list);
10643 for (unsigned i = 0; i < wmem_list_count(ja4_data.sighash_list); i++) {
10644 wmem_strbuf_append_printf(ja4_cr, "%04x", GPOINTER_TO_UINT(wmem_list_frame_data(curr_entry))((guint) (gulong) (wmem_list_frame_data(curr_entry))));
10645 if (i < wmem_list_count(ja4_data.sighash_list) - 1) {
10646 wmem_strbuf_append(ja4_cr, ",");
10647 }
10648 curr_entry = wmem_list_frame_next(curr_entry);
10649 }
10650 }
10651 ja4_hash = g_compute_checksum_for_string(G_CHECKSUM_SHA256, wmem_strbuf_get_str(ja4_br),-1);
10652 ja4_b = wmem_strndup(pinfo->pool, ja4_hash, 12);
10653 g_free(ja4_hash);
10654 if ( wmem_strbuf_get_len(ja4_cr) == 0 ) {
10655 ja4_hash = g_strdup("000000000000")g_strdup_inline ("000000000000");
10656 } else {
10657 ja4_hash = g_compute_checksum_for_string(G_CHECKSUM_SHA256, wmem_strbuf_get_str(ja4_cr),-1);
10658 }
10659 ja4_c = wmem_strndup(pinfo->pool, ja4_hash, 12);
10660 g_free(ja4_hash);
10661
10662 ja4 = wmem_strdup_printf(pinfo->pool, "%s_%s_%s", wmem_strbuf_get_str(ja4_a), ja4_b, ja4_c);
10663 ja4_r = wmem_strdup_printf(pinfo->pool, "%s_%s_%s", wmem_strbuf_get_str(ja4_a), wmem_strbuf_get_str(ja4_br), wmem_strbuf_get_str(ja4_cr));
10664
10665 ti = proto_tree_add_string(tree, hf->hf.hs_ja4, tvb, offset, 0, ja4);
10666 proto_item_set_generated(ti);
10667 ti = proto_tree_add_string(tree, hf->hf.hs_ja4_r, tvb, offset, 0, ja4_r);
10668 proto_item_set_generated(ti);
10669
10670 ja3_hash = g_compute_checksum_for_string(G_CHECKSUM_MD5, wmem_strbuf_get_str(ja3),
10671 wmem_strbuf_get_len(ja3));
10672 ti = proto_tree_add_string(tree, hf->hf.hs_ja3_full, tvb, offset, 0, wmem_strbuf_get_str(ja3));
10673 proto_item_set_generated(ti);
10674 ti = proto_tree_add_string(tree, hf->hf.hs_ja3_hash, tvb, offset, 0, ja3_hash);
10675 proto_item_set_generated(ti);
10676 g_free(ja3_hash);
10677 return offset;
10678}
10679
10680void
10681ssl_dissect_hnd_srv_hello(ssl_common_dissect_t *hf, tvbuff_t *tvb,
10682 packet_info* pinfo, proto_tree *tree, uint32_t offset, uint32_t offset_end,
10683 SslSession *session, SslDecryptSession *ssl,
10684 bool_Bool is_dtls, bool_Bool is_hrr)
10685{
10686 /* struct {
10687 * ProtocolVersion server_version;
10688 * Random random;
10689 * SessionID session_id; // TLS 1.2 and before
10690 * CipherSuite cipher_suite;
10691 * CompressionMethod compression_method; // TLS 1.2 and before
10692 * Extension server_hello_extension_list<0..2^16-1>;
10693 * } ServerHello;
10694 */
10695 uint8_t draft_version = session->tls13_draft_version;
10696 proto_item *ti;
10697 uint32_t server_version;
10698 uint32_t cipher_suite;
10699 uint32_t initial_offset = offset;
10700 wmem_strbuf_t *ja3 = wmem_strbuf_new(pinfo->pool, "");
10701 char *ja3_hash;
10702
10703 col_set_str(pinfo->cinfo, COL_PROTOCOL,
10704 val_to_str_const(session->version, ssl_version_short_names, "SSL"));
10705
10706 /* Initially assume that the session is resumed. If this is not the case, a
10707 * ServerHelloDone will be observed before the ChangeCipherSpec message
10708 * which will reset this flag. */
10709 session->is_session_resumed = true1;
10710
10711 /* show the server version */
10712 ti = proto_tree_add_item_ret_uint(tree, hf->hf.hs_server_version, tvb,
10713 offset, 2, ENC_BIG_ENDIAN0x00000000, &server_version);
10714
10715 uint16_t supported_server_version;
10716 if (tls_scan_server_hello(tvb, offset, offset_end, &supported_server_version, NULL((void*)0))) {
1
Taking false branch
10717 expert_add_info(pinfo, ti, &hf->ei.legacy_version);
10718 }
10719 /*
10720 * Is it version 1.3?
10721 * If so, that's an error; TLS and DTLS 1.3 Server Hellos claim
10722 * to be TLS 1.2, and mention 1.3 in an extension. See RFC 8446
10723 * section 4.1.3 "Server Hello" and RFC 9147 Section 5.4 "Server
10724 * Hello".
10725 */
10726 if (is_dtls) {
2
Assuming 'is_dtls' is false
3
Taking false branch
10727 if (server_version == DTLSV1DOT3_VERSION0xfefc) {
10728 /* Don't do that. */
10729 expert_add_info(pinfo, ti, &hf->ei.server_version_error);
10730 }
10731 } else {
10732 if (server_version == TLSV1DOT3_VERSION0x304) {
4
Assuming 'server_version' is not equal to TLSV1DOT3_VERSION
5
Taking false branch
10733 /* Don't do that. */
10734 expert_add_info(pinfo, ti, &hf->ei.server_version_error);
10735 }
10736 }
10737
10738 offset += 2;
10739 wmem_strbuf_append_printf(ja3, "%i", server_version);
10740
10741 /* dissect fields that are present in both ClientHello and ServerHello */
10742 offset = ssl_dissect_hnd_hello_common(hf, tvb, pinfo, tree, offset, session, ssl, true1, is_hrr);
6
Calling 'ssl_dissect_hnd_hello_common'
19
Returning from 'ssl_dissect_hnd_hello_common'
10743
10744 if (ssl
19.1
'ssl' is non-null
) {
20
Taking true branch
10745 /* store selected cipher suite for decryption */
10746 ssl_set_cipher(ssl, tvb_get_ntohs(tvb, offset));
10747 }
10748
10749 /* now the server-selected cipher suite */
10750 proto_tree_add_item_ret_uint(tree, hf->hf.hs_cipher_suite,
10751 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &cipher_suite);
10752 offset += 2;
10753 wmem_strbuf_append_printf(ja3, ",%i,", cipher_suite);
10754
10755 /* No compression with TLS 1.3 before draft -22 */
10756 if (!(session->version
20.1
Field 'version' is not equal to TLSV1DOT3_VERSION
 == TLSV1DOT3_VERSION0x304 && draft_version > 0 && draft_version < 22)) {
21
Taking true branch
10757 if (ssl
21.1
'ssl' is non-null
) {
22
Taking true branch
10758 /* store selected compression method for decryption */
10759 ssl->session.compression = tvb_get_uint8(tvb, offset);
10760 }
10761 /* and the server-selected compression method */
10762 proto_tree_add_item(tree, hf->hf.hs_comp_method,
10763 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
10764 offset++;
10765 }
10766
10767 /* SSL v3.0 has no extensions, so length field can indeed be missing. */
10768 if (offset < offset_end) {
23
Assuming 'offset' is >= 'offset_end'
10769 offset = ssl_dissect_hnd_extension(hf, tvb, tree, pinfo, offset,
10770 offset_end,
10771 is_hrr ? SSL_HND_HELLO_RETRY_REQUEST : SSL_HND_SERVER_HELLO,
10772 session, ssl, is_dtls, ja3, NULL((void*)0), NULL((void*)0), 0, 0);
10773 }
10774
10775 if (ssl
23.1
'ssl' is non-null
 && ssl->ech_transcript.data_len > 0 && (ssl->state & SSL_CIPHER(1<<2)) && ssl->client_random.data_len > 0) {
24
Assuming field 'data_len' is > 0
25
Assuming the condition is true
26
Assuming field 'data_len' is > 0
27
Taking true branch
10776 int hash_algo = ssl_get_digest_by_name(ssl_cipher_suite_dig(ssl->cipher_suite)->name);
10777 if (hash_algo) {
28
Assuming 'hash_algo' is not equal to 0
29
Taking true branch
10778 SSL_MDgcry_md_hd_t mc;
10779 guchar transcript_hash[DIGEST_MAX_SIZE48];
10780 guchar prk[DIGEST_MAX_SIZE48];
10781 guchar *ech_verify_out = NULL((void*)0);
10782 unsigned int len;
10783 ssl_md_init(&mc, hash_algo);
10784 ssl_md_update(&mc, ssl->ech_transcript.data, ssl->ech_transcript.data_len);
10785 if (is_hrr) {
30
Assuming 'is_hrr' is false
31
Taking false branch
10786 ssl_md_final(&mc, transcript_hash, &len);
10787 ssl_md_cleanup(&mc);
10788 wmem_free(wmem_file_scope(), ssl->ech_transcript.data);
10789 ssl->ech_transcript.data_len = 4 + len;
10790 ssl->ech_transcript.data = (guchar*)wmem_alloc(wmem_file_scope(), 4 + len + 4 + offset_end - initial_offset);
10791 ssl->ech_transcript.data[0] = SSL_HND_MESSAGE_HASH;
10792 ssl->ech_transcript.data[1] = 0;
10793 ssl->ech_transcript.data[2] = 0;
10794 ssl->ech_transcript.data[3] = len;
10795 memcpy(ssl->ech_transcript.data + 4, transcript_hash, len);
10796 ssl_md_init(&mc, hash_algo);
10797 ssl_md_update(&mc, ssl->ech_transcript.data, 4 + len);
10798 } else {
10799 ssl->ech_transcript.data = wmem_realloc(wmem_file_scope(), ssl->ech_transcript.data,
10800 ssl->ech_transcript.data_len + 4 + offset_end - initial_offset);
10801 }
10802 if (initial_offset > 4) {
32
Assuming 'initial_offset' is > 4
33
Taking true branch
10803 tvb_memcpy(tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len, initial_offset - 4,
10804 4 + offset_end - initial_offset);
10805 if (is_hrr
33.1
'is_hrr' is false
)
34
Taking false branch
10806 ssl_md_update(&mc, (guchar *)tvb_get_ptr(tvb, initial_offset-4, 38), 38);
10807 else
10808 ssl_md_update(&mc, (guchar *)tvb_get_ptr(tvb, initial_offset-4, 30), 30);
10809 } else {
10810 uint8_t prefix[4] = {SSL_HND_SERVER_HELLO, 0x00, 0x00, 0x00};
10811 prefix[2] = ((offset - initial_offset) >> 8);
10812 prefix[3] = (offset - initial_offset) & 0xff;
10813 memcpy(ssl->ech_transcript.data + ssl->ech_transcript.data_len, prefix, 4);
10814 tvb_memcpy(tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len + 4, initial_offset,
10815 offset_end - initial_offset);
10816 ssl_md_update(&mc, prefix, 4);
10817 if (is_hrr)
10818 ssl_md_update(&mc, (guchar *)tvb_get_ptr(tvb, initial_offset, 34), 34);
10819 else
10820 ssl_md_update(&mc, (guchar *)tvb_get_ptr(tvb, initial_offset, 26), 26);
10821 }
10822 ssl->ech_transcript.data_len += 4 + offset_end - initial_offset;
10823 uint8_t zeros[8] = { 0 };
10824 uint32_t confirmation_offset = initial_offset + 26;
10825 if (is_hrr
34.1
'is_hrr' is false
) {
35
Taking false branch
10826 uint32_t hrr_offset = initial_offset + 34;
10827 ssl_md_update(&mc, (guchar *)tvb_get_ptr(tvb, hrr_offset,
10828 tvb_get_uint8(tvb, hrr_offset) + 1), tvb_get_uint8(tvb, hrr_offset) + 1);
10829 hrr_offset += tvb_get_uint8(tvb, hrr_offset) + 1;
10830 ssl_md_update(&mc, (guchar *)tvb_get_ptr(tvb, hrr_offset, 3), 3);
10831 hrr_offset += 3;
10832 uint16_t extensions_end = hrr_offset + tvb_get_ntohs(tvb, hrr_offset) + 2;
10833 ssl_md_update(&mc, (guchar *)tvb_get_ptr(tvb, hrr_offset, 2), 2);
10834 hrr_offset += 2;
10835 while (extensions_end - hrr_offset >= 4) {
10836 if (tvb_get_ntohs(tvb, hrr_offset) == SSL_HND_HELLO_EXT_ENCRYPTED_CLIENT_HELLO65037 &&
10837 tvb_get_ntohs(tvb, hrr_offset + 2) == 8) {
10838 confirmation_offset = hrr_offset + 4;
10839 ssl_md_update(&mc, (guchar *)tvb_get_ptr(tvb, hrr_offset, 4), 4);
10840 ssl_md_update(&mc, zeros, 8);
10841 hrr_offset += 12;
10842 } else {
10843 ssl_md_update(&mc, (guchar *)tvb_get_ptr(tvb, hrr_offset, tvb_get_ntohs(tvb, hrr_offset + 2) + 4),
10844 tvb_get_ntohs(tvb, hrr_offset + 2) + 4);
10845 hrr_offset += tvb_get_ntohs(tvb, hrr_offset + 2) + 4;
10846 }
10847 }
10848 } else {
10849 ssl_md_update(&mc, zeros, 8);
10850 ssl_md_update(&mc, (guchar *)tvb_get_ptr(tvb, initial_offset + 34, offset - initial_offset - 34),
10851 offset - initial_offset - 34);
10852 }
10853 ssl_md_final(&mc, transcript_hash, &len);
10854 ssl_md_cleanup(&mc);
10855 hkdf_extract(hash_algo, NULL((void*)0), 0, ssl->client_random.data, 32, prk);
10856 StringInfo prk_string = {prk, len};
10857 tls13_hkdf_expand_label_context(hash_algo, &prk_string, tls13_hkdf_label_prefix(ssl),
37
Calling 'tls13_hkdf_expand_label_context'
43
Returning from 'tls13_hkdf_expand_label_context'
10858 is_hrr
35.1
'is_hrr' is false
 ? "hrr ech accept confirmation" : "ech accept confirmation",
36
'?' condition is false
10859 transcript_hash, len, 8, &ech_verify_out);
10860 memcpy(is_hrr
43.1
'is_hrr' is false
 ? ssl->session.hrr_ech_confirmation : ssl->session.ech_confirmation, ech_verify_out, 8);
44
'?' condition is false
45
Null pointer passed to 2nd parameter expecting 'nonnull'
10861 if (tvb_memeql(tvb, confirmation_offset, ech_verify_out, 8) == -1) {
10862 if (is_hrr) {
10863 ssl->session.hrr_ech_declined = TRUE(!(0));
10864 ssl->session.first_ch_ech_frame = 0;
10865 }
10866 memcpy(ssl->client_random.data, ssl->session.client_random.data, ssl->session.client_random.data_len);
10867 ssl_print_data("Updated Client Random", ssl->client_random.data, 32);
10868 }
10869 wmem_free(NULL((void*)0), ech_verify_out);
10870 ssl->session.ech = TRUE(!(0));
10871 }
10872 }
10873
10874 ja3_hash = g_compute_checksum_for_string(G_CHECKSUM_MD5, wmem_strbuf_get_str(ja3),
10875 wmem_strbuf_get_len(ja3));
10876 ti = proto_tree_add_string(tree, hf->hf.hs_ja3s_full, tvb, offset, 0, wmem_strbuf_get_str(ja3));
10877 proto_item_set_generated(ti);
10878 ti = proto_tree_add_string(tree, hf->hf.hs_ja3s_hash, tvb, offset, 0, ja3_hash);
10879 proto_item_set_generated(ti);
10880 g_free(ja3_hash);
10881}
10882/* Client Hello and Server Hello dissections. }}} */
10883
10884/* New Session Ticket dissection. {{{ */
10885void
10886ssl_dissect_hnd_new_ses_ticket(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
10887 proto_tree *tree, uint32_t offset, uint32_t offset_end,
10888 SslSession *session, SslDecryptSession *ssl,
10889 bool_Bool is_dtls, GHashTable *session_hash)
10890{
10891 /* https://tools.ietf.org/html/rfc5077#section-3.3 (TLS >= 1.0):
10892 * struct {
10893 * uint32 ticket_lifetime_hint;
10894 * opaque ticket<0..2^16-1>;
10895 * } NewSessionTicket;
10896 *
10897 * RFC 8446 Section 4.6.1 (TLS 1.3):
10898 * struct {
10899 * uint32 ticket_lifetime;
10900 * uint32 ticket_age_add;
10901 * opaque ticket_nonce<0..255>; // new in draft -21, updated in -22
10902 * opaque ticket<1..2^16-1>;
10903 * Extension extensions<0..2^16-2>;
10904 * } NewSessionTicket;
10905 */
10906 proto_tree *subtree;
10907 proto_item *subitem;
10908 uint32_t ticket_len;
10909 bool_Bool is_tls13 = session->version == TLSV1DOT3_VERSION0x304 || session->version == DTLSV1DOT3_VERSION0xfefc;
10910 unsigned char draft_version = session->tls13_draft_version;
10911 uint32_t lifetime_hint;
10912
10913 subtree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
10914 hf->ett.session_ticket, NULL((void*)0),
10915 "TLS Session Ticket");
10916
10917 /* ticket lifetime hint */
10918 subitem = proto_tree_add_item_ret_uint(subtree, hf->hf.hs_session_ticket_lifetime_hint,
10919 tvb, offset, 4, ENC_BIG_ENDIAN0x00000000, &lifetime_hint);
10920 offset += 4;
10921
10922 if (lifetime_hint >= 60) {
10923 char *time_str = unsigned_time_secs_to_str(pinfo->pool, lifetime_hint);
10924 proto_item_append_text(subitem, " (%s)", time_str);
10925 }
10926
10927 if (is_tls13) {
10928
10929 /* for TLS 1.3: ticket_age_add */
10930 proto_tree_add_item(subtree, hf->hf.hs_session_ticket_age_add,
10931 tvb, offset, 4, ENC_BIG_ENDIAN0x00000000);
10932 offset += 4;
10933
10934 /* for TLS 1.3: ticket_nonce (coming with Draft 21)*/
10935 if (draft_version == 0 || draft_version >= 21) {
10936 uint32_t ticket_nonce_len;
10937
10938 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, offset_end, &ticket_nonce_len,
10939 hf->hf.hs_session_ticket_nonce_len, 0, 255)) {
10940 return;
10941 }
10942 offset++;
10943
10944 proto_tree_add_item(subtree, hf->hf.hs_session_ticket_nonce, tvb, offset, ticket_nonce_len, ENC_NA0x00000000);
10945 offset += ticket_nonce_len;
10946 }
10947
10948 }
10949
10950 /* opaque ticket<0..2^16-1> (with TLS 1.3 the minimum is 1) */
10951 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, offset_end, &ticket_len,
10952 hf->hf.hs_session_ticket_len, is_tls13 ? 1 : 0, UINT16_MAX(65535))) {
10953 return;
10954 }
10955 offset += 2;
10956
10957 /* Content depends on implementation, so just show data! */
10958 proto_tree_add_item(subtree, hf->hf.hs_session_ticket,
10959 tvb, offset, ticket_len, ENC_NA0x00000000);
10960 /* save the session ticket to cache for ssl_finalize_decryption */
10961 if (ssl && !is_tls13) {
10962 tvb_ensure_bytes_exist(tvb, offset, ticket_len);
10963 ssl->session_ticket.data = (unsigned char*)wmem_realloc(wmem_file_scope(),
10964 ssl->session_ticket.data, ticket_len);
10965 ssl->session_ticket.data_len = ticket_len;
10966 tvb_memcpy(tvb, ssl->session_ticket.data, offset, ticket_len);
10967 /* NewSessionTicket is received after the first (client)
10968 * ChangeCipherSpec, and before the second (server) ChangeCipherSpec.
10969 * Since the second CCS has already the session key available it will
10970 * just return. To ensure that the session ticket is mapped to a
10971 * master key (from the first CCS), save the ticket here too. */
10972 ssl_save_master_key("Session Ticket", session_hash,
10973 &ssl->session_ticket, &ssl->master_secret);
10974 ssl->state |= SSL_NEW_SESSION_TICKET(1<<10);
10975 }
10976 offset += ticket_len;
10977
10978 if (is_tls13) {
10979 ssl_dissect_hnd_extension(hf, tvb, subtree, pinfo, offset,
10980 offset_end, SSL_HND_NEWSESSION_TICKET,
10981 session, ssl, is_dtls, NULL((void*)0), NULL((void*)0), NULL((void*)0), 0, 0);
10982 }
10983} /* }}} */
10984
10985void
10986ssl_dissect_hnd_hello_retry_request(ssl_common_dissect_t *hf, tvbuff_t *tvb,
10987 packet_info* pinfo, proto_tree *tree, uint32_t offset, uint32_t offset_end,
10988 SslSession *session, SslDecryptSession *ssl,
10989 bool_Bool is_dtls)
10990{
10991 /* https://tools.ietf.org/html/draft-ietf-tls-tls13-19#section-4.1.4
10992 * struct {
10993 * ProtocolVersion server_version;
10994 * CipherSuite cipher_suite; // not before draft -19
10995 * Extension extensions<2..2^16-1>;
10996 * } HelloRetryRequest;
10997 * Note: no longer used since draft -22
10998 */
10999 uint32_t version;
11000 uint8_t draft_version;
11001
11002 proto_tree_add_item_ret_uint(tree, hf->hf.hs_server_version, tvb,
11003 offset, 2, ENC_BIG_ENDIAN0x00000000, &version);
11004 draft_version = extract_tls13_draft_version(version);
11005 offset += 2;
11006
11007 if (draft_version == 0 || draft_version >= 19) {
11008 proto_tree_add_item(tree, hf->hf.hs_cipher_suite,
11009 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
11010 offset += 2;
11011 }
11012
11013 ssl_dissect_hnd_extension(hf, tvb, tree, pinfo, offset,
11014 offset_end, SSL_HND_HELLO_RETRY_REQUEST,
11015 session, ssl, is_dtls, NULL((void*)0), NULL((void*)0), NULL((void*)0), 0, 0);
11016}
11017
11018void
11019ssl_dissect_hnd_encrypted_extensions(ssl_common_dissect_t *hf, tvbuff_t *tvb,
11020 packet_info* pinfo, proto_tree *tree, uint32_t offset, uint32_t offset_end,
11021 SslSession *session, SslDecryptSession *ssl,
11022 bool_Bool is_dtls)
11023{
11024 /* RFC 8446 Section 4.3.1
11025 * struct {
11026 * Extension extensions<0..2^16-1>;
11027 * } EncryptedExtensions;
11028 */
11029 ssl_dissect_hnd_extension(hf, tvb, tree, pinfo, offset,
11030 offset_end, SSL_HND_ENCRYPTED_EXTENSIONS,
11031 session, ssl, is_dtls, NULL((void*)0), NULL((void*)0), NULL((void*)0), 0, 0);
11032}
11033
11034/* Certificate and Certificate Request dissections. {{{ */
11035void
11036ssl_dissect_hnd_cert(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree,
11037 uint32_t offset, uint32_t offset_end, packet_info *pinfo,
11038 SslSession *session, SslDecryptSession *ssl _U___attribute__((unused)),
11039 bool_Bool is_from_server, bool_Bool is_dtls)
11040{
11041 /* opaque ASN.1Cert<1..2^24-1>;
11042 *
11043 * Before RFC 8446 (TLS <= 1.2):
11044 * struct {
11045 * select(certificate_type) {
11046 *
11047 * // certificate type defined in RFC 7250
11048 * case RawPublicKey:
11049 * opaque ASN.1_subjectPublicKeyInfo<1..2^24-1>;
11050 *
11051 * // X.509 certificate defined in RFC 5246
11052 * case X.509:
11053 * ASN.1Cert certificate_list<0..2^24-1>;
11054 * };
11055 * } Certificate;
11056 *
11057 * RFC 8446 (since draft -20):
11058 * struct {
11059 * select(certificate_type){
11060 * case RawPublicKey:
11061 * // From RFC 7250 ASN.1_subjectPublicKeyInfo
11062 * opaque ASN1_subjectPublicKeyInfo<1..2^24-1>;
11063 *
11064 * case X.509:
11065 * opaque cert_data<1..2^24-1>;
11066 * }
11067 * Extension extensions<0..2^16-1>;
11068 * } CertificateEntry;
11069 * struct {
11070 * opaque certificate_request_context<0..2^8-1>;
11071 * CertificateEntry certificate_list<0..2^24-1>;
11072 * } Certificate;
11073 */
11074 enum { CERT_X509, CERT_RPK } cert_type;
11075 asn1_ctx_t asn1_ctx;
11076#if defined(HAVE_LIBGNUTLS1)
11077 gnutls_datum_t subjectPublicKeyInfo = { NULL((void*)0), 0 };
11078 unsigned certificate_index = 0;
11079#endif
11080 uint32_t next_offset, certificate_list_length, cert_length;
11081 proto_tree *subtree = tree;
11082
11083 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true1, pinfo);
11084
11085 if ((is_from_server && session->server_cert_type == SSL_HND_CERT_TYPE_RAW_PUBLIC_KEY2) ||
11086 (!is_from_server && session->client_cert_type == SSL_HND_CERT_TYPE_RAW_PUBLIC_KEY2)) {
11087 cert_type = CERT_RPK;
11088 } else {
11089 cert_type = CERT_X509;
11090 }
11091
11092#if defined(HAVE_LIBGNUTLS1)
11093 /* Ask the pkcs1 dissector to return the public key details */
11094 if (ssl)
11095 asn1_ctx.private_data = &subjectPublicKeyInfo;
11096#endif
11097
11098 /* TLS 1.3: opaque certificate_request_context<0..2^8-1> */
11099 if (session->version == TLSV1DOT3_VERSION0x304 || session->version == DTLSV1DOT3_VERSION0xfefc) {
11100 uint32_t context_length;
11101 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &context_length,
11102 hf->hf.hs_certificate_request_context_length, 0, UINT8_MAX(255))) {
11103 return;
11104 }
11105 offset++;
11106 if (context_length > 0) {
11107 proto_tree_add_item(tree, hf->hf.hs_certificate_request_context,
11108 tvb, offset, context_length, ENC_NA0x00000000);
11109 offset += context_length;
11110 }
11111 }
11112
11113 if ((session->version != TLSV1DOT3_VERSION0x304 && session->version != DTLSV1DOT3_VERSION0xfefc) && cert_type == CERT_RPK) {
11114 /* For RPK before TLS 1.3, the single RPK is stored directly without
11115 * another "certificate_list" field. */
11116 certificate_list_length = offset_end - offset;
11117 next_offset = offset_end;
11118 } else {
11119 /* CertificateEntry certificate_list<0..2^24-1> */
11120 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &certificate_list_length,
11121 hf->hf.hs_certificates_len, 0, G_MAXUINT24((1U << 24) - 1))) {
11122 return;
11123 }
11124 offset += 3; /* 24-bit length value */
11125 next_offset = offset + certificate_list_length;
11126 }
11127
11128 /* RawPublicKey must have one cert, but X.509 can have multiple. */
11129 if (certificate_list_length > 0 && cert_type == CERT_X509) {
11130 proto_item *ti;
11131
11132 ti = proto_tree_add_none_format(tree,
11133 hf->hf.hs_certificates,
11134 tvb, offset, certificate_list_length,
11135 "Certificates (%u bytes)",
11136 certificate_list_length);
11137
11138 /* make it a subtree */
11139 subtree = proto_item_add_subtree(ti, hf->ett.certificates);
11140 }
11141
11142 while (offset < next_offset) {
11143 switch (cert_type) {
11144 case CERT_RPK:
11145 /* TODO add expert info if there is more than one RPK entry (certificate_index > 0) */
11146 /* opaque ASN.1_subjectPublicKeyInfo<1..2^24-1> */
11147 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, next_offset, &cert_length,
11148 hf->hf.hs_certificate_len, 1, G_MAXUINT24((1U << 24) - 1))) {
11149 return;
11150 }
11151 offset += 3;
11152
11153 dissect_x509af_SubjectPublicKeyInfo(false0, tvb, offset, &asn1_ctx, subtree, hf->hf.hs_certificate);
11154 offset += cert_length;
11155 break;
11156 case CERT_X509:
11157 /* opaque ASN1Cert<1..2^24-1> */
11158 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, next_offset, &cert_length,
11159 hf->hf.hs_certificate_len, 1, G_MAXUINT24((1U << 24) - 1))) {
11160 return;
11161 }
11162 offset += 3;
11163
11164 dissect_x509af_Certificate(false0, tvb, offset, &asn1_ctx, subtree, hf->hf.hs_certificate);
11165#if defined(HAVE_LIBGNUTLS1)
11166 if (is_from_server && ssl && certificate_index == 0) {
11167 ssl_find_private_key_by_pubkey(ssl, &subjectPublicKeyInfo);
11168 /* Only attempt to get the RSA modulus for the first cert. */
11169 asn1_ctx.private_data = NULL((void*)0);
11170 }
11171#endif
11172 offset += cert_length;
11173 break;
11174 }
11175
11176 /* TLS 1.3: Extension extensions<0..2^16-1> */
11177 if ((session->version == TLSV1DOT3_VERSION0x304 || session->version == DTLSV1DOT3_VERSION0xfefc)) {
11178 offset = ssl_dissect_hnd_extension(hf, tvb, subtree, pinfo, offset,
11179 next_offset, SSL_HND_CERTIFICATE,
11180 session, ssl, is_dtls, NULL((void*)0), NULL((void*)0), NULL((void*)0), 0, 0);
11181 }
11182
11183#if defined(HAVE_LIBGNUTLS1)
11184 certificate_index++;
11185#endif
11186 }
11187}
11188
11189void
11190ssl_dissect_hnd_cert_req(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
11191 proto_tree *tree, uint32_t offset, uint32_t offset_end,
11192 SslSession *session, bool_Bool is_dtls)
11193{
11194 /* From SSL 3.0 and up (note that since TLS 1.1 certificate_authorities can be empty):
11195 * enum {
11196 * rsa_sign(1), dss_sign(2), rsa_fixed_dh(3), dss_fixed_dh(4),
11197 * (255)
11198 * } ClientCertificateType;
11199 *
11200 * opaque DistinguishedName<1..2^16-1>;
11201 *
11202 * struct {
11203 * ClientCertificateType certificate_types<1..2^8-1>;
11204 * DistinguishedName certificate_authorities<3..2^16-1>;
11205 * } CertificateRequest;
11206 *
11207 *
11208 * As per TLSv1.2 (RFC 5246) the format has changed to:
11209 *
11210 * enum {
11211 * rsa_sign(1), dss_sign(2), rsa_fixed_dh(3), dss_fixed_dh(4),
11212 * rsa_ephemeral_dh_RESERVED(5), dss_ephemeral_dh_RESERVED(6),
11213 * fortezza_dms_RESERVED(20), (255)
11214 * } ClientCertificateType;
11215 *
11216 * enum {
11217 * none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5),
11218 * sha512(6), (255)
11219 * } HashAlgorithm;
11220 *
11221 * enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) }
11222 * SignatureAlgorithm;
11223 *
11224 * struct {
11225 * HashAlgorithm hash;
11226 * SignatureAlgorithm signature;
11227 * } SignatureAndHashAlgorithm;
11228 *
11229 * SignatureAndHashAlgorithm
11230 * supported_signature_algorithms<2..2^16-2>;
11231 *
11232 * opaque DistinguishedName<1..2^16-1>;
11233 *
11234 * struct {
11235 * ClientCertificateType certificate_types<1..2^8-1>;
11236 * SignatureAndHashAlgorithm supported_signature_algorithms<2^16-1>;
11237 * DistinguishedName certificate_authorities<0..2^16-1>;
11238 * } CertificateRequest;
11239 *
11240 * draft-ietf-tls-tls13-18:
11241 * struct {
11242 * opaque certificate_request_context<0..2^8-1>;
11243 * SignatureScheme
11244 * supported_signature_algorithms<2..2^16-2>;
11245 * DistinguishedName certificate_authorities<0..2^16-1>;
11246 * CertificateExtension certificate_extensions<0..2^16-1>;
11247 * } CertificateRequest;
11248 *
11249 * RFC 8446 (since draft-ietf-tls-tls13-19):
11250 *
11251 * struct {
11252 * opaque certificate_request_context<0..2^8-1>;
11253 * Extension extensions<2..2^16-1>;
11254 * } CertificateRequest;
11255 */
11256 proto_item *ti;
11257 proto_tree *subtree;
11258 uint32_t next_offset;
11259 asn1_ctx_t asn1_ctx;
11260 bool_Bool is_tls13 = (session->version == TLSV1DOT3_VERSION0x304 || session->version == DTLSV1DOT3_VERSION0xfefc);
11261 unsigned char draft_version = session->tls13_draft_version;
11262
11263 if (!tree)
11264 return;
11265
11266 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true1, pinfo);
11267
11268 if (is_tls13) {
11269 uint32_t context_length;
11270 /* opaque certificate_request_context<0..2^8-1> */
11271 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &context_length,
11272 hf->hf.hs_certificate_request_context_length, 0, UINT8_MAX(255))) {
11273 return;
11274 }
11275 offset++;
11276 if (context_length > 0) {
11277 proto_tree_add_item(tree, hf->hf.hs_certificate_request_context,
11278 tvb, offset, context_length, ENC_NA0x00000000);
11279 offset += context_length;
11280 }
11281 } else {
11282 uint32_t cert_types_count;
11283 /* ClientCertificateType certificate_types<1..2^8-1> */
11284 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &cert_types_count,
11285 hf->hf.hs_cert_types_count, 1, UINT8_MAX(255))) {
11286 return;
11287 }
11288 offset++;
11289 next_offset = offset + cert_types_count;
11290
11291 ti = proto_tree_add_none_format(tree,
11292 hf->hf.hs_cert_types,
11293 tvb, offset, cert_types_count,
11294 "Certificate types (%u type%s)",
11295 cert_types_count,
11296 plurality(cert_types_count, "", "s")((cert_types_count) == 1 ? ("") : ("s")));
11297 subtree = proto_item_add_subtree(ti, hf->ett.cert_types);
11298
11299 while (offset < next_offset) {
11300 proto_tree_add_item(subtree, hf->hf.hs_cert_type, tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
11301 offset++;
11302 }
11303 }
11304
11305 if (session->version == TLSV1DOT2_VERSION0x303 || session->version == DTLSV1DOT2_VERSION0xfefd ||
11306 (is_tls13 && (draft_version > 0 && draft_version < 19))) {
11307 offset = ssl_dissect_hash_alg_list(hf, tvb, tree, pinfo, offset, offset_end, NULL((void*)0));
11308 }
11309
11310 if (is_tls13 && (draft_version == 0 || draft_version >= 19)) {
11311 /*
11312 * TLS 1.3 draft 19 and newer: Extensions.
11313 * SslDecryptSession pointer is NULL because Certificate Extensions
11314 * should not influence decryption state.
11315 */
11316 ssl_dissect_hnd_extension(hf, tvb, tree, pinfo, offset,
11317 offset_end, SSL_HND_CERT_REQUEST,
11318 session, NULL((void*)0), is_dtls, NULL((void*)0), NULL((void*)0), NULL((void*)0), 0, 0);
11319 } else if (is_tls13 && draft_version <= 18) {
11320 /*
11321 * TLS 1.3 draft 18 and older: certificate_authorities and
11322 * certificate_extensions (a vector of OID mappings).
11323 */
11324 offset = tls_dissect_certificate_authorities(hf, tvb, pinfo, tree, offset, offset_end);
11325 ssl_dissect_hnd_hello_ext_oid_filters(hf, tvb, pinfo, tree, offset, offset_end);
11326 } else {
11327 /* for TLS 1.2 and older, the certificate_authorities field. */
11328 tls_dissect_certificate_authorities(hf, tvb, pinfo, tree, offset, offset_end);
11329 }
11330}
11331/* Certificate and Certificate Request dissections. }}} */
11332
11333void
11334ssl_dissect_hnd_cli_cert_verify(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
11335 proto_tree *tree, uint32_t offset, uint32_t offset_end, uint16_t version)
11336{
11337 ssl_dissect_digitally_signed(hf, tvb, pinfo, tree, offset, offset_end, version,
11338 hf->hf.hs_client_cert_vrfy_sig_len,
11339 hf->hf.hs_client_cert_vrfy_sig);
11340}
11341
11342/* Finished dissection. {{{ */
11343void
11344ssl_dissect_hnd_finished(ssl_common_dissect_t *hf, tvbuff_t *tvb,
11345 proto_tree *tree, uint32_t offset, uint32_t offset_end,
11346 const SslSession *session, ssl_hfs_t *ssl_hfs)
11347{
11348 /* For SSLv3:
11349 * struct {
11350 * opaque md5_hash[16];
11351 * opaque sha_hash[20];
11352 * } Finished;
11353 *
11354 * For (D)TLS:
11355 * struct {
11356 * opaque verify_data[12];
11357 * } Finished;
11358 *
11359 * For TLS 1.3:
11360 * struct {
11361 * opaque verify_data[Hash.length];
11362 * }
11363 */
11364 if (!tree)
11365 return;
11366
11367 if (session->version == SSLV3_VERSION0x300) {
11368 if (ssl_hfs != NULL((void*)0)) {
11369 proto_tree_add_item(tree, ssl_hfs->hs_md5_hash,
11370 tvb, offset, 16, ENC_NA0x00000000);
11371 proto_tree_add_item(tree, ssl_hfs->hs_sha_hash,
11372 tvb, offset + 16, 20, ENC_NA0x00000000);
11373 }
11374 } else {
11375 /* Length should be 12 for TLS before 1.3, assume this is the case. */
11376 proto_tree_add_item(tree, hf->hf.hs_finished,
11377 tvb, offset, offset_end - offset, ENC_NA0x00000000);
11378 }
11379} /* }}} */
11380
11381/* RFC 6066 Certificate URL handshake message dissection. {{{ */
11382void
11383ssl_dissect_hnd_cert_url(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree, uint32_t offset)
11384{
11385 uint16_t url_hash_len;
11386
11387 /* enum {
11388 * individual_certs(0), pkipath(1), (255)
11389 * } CertChainType;
11390 *
11391 * struct {
11392 * CertChainType type;
11393 * URLAndHash url_and_hash_list<1..2^16-1>;
11394 * } CertificateURL;
11395 *
11396 * struct {
11397 * opaque url<1..2^16-1>;
11398 * unint8 padding;
11399 * opaque SHA1Hash[20];
11400 * } URLAndHash;
11401 */
11402
11403 proto_tree_add_item(tree, hf->hf.hs_ext_cert_url_type,
11404 tvb, offset, 1, ENC_NA0x00000000);
11405 offset++;
11406
11407 url_hash_len = tvb_get_ntohs(tvb, offset);
11408 proto_tree_add_item(tree, hf->hf.hs_ext_cert_url_url_hash_list_len,
11409 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
11410 offset += 2;
11411 while (url_hash_len-- > 0) {
11412 proto_item *urlhash_item;
11413 proto_tree *urlhash_tree;
11414 uint16_t url_len;
11415
11416 urlhash_item = proto_tree_add_item(tree, hf->hf.hs_ext_cert_url_item,
11417 tvb, offset, -1, ENC_NA0x00000000);
11418 urlhash_tree = proto_item_add_subtree(urlhash_item, hf->ett.urlhash);
11419
11420 url_len = tvb_get_ntohs(tvb, offset);
11421 proto_tree_add_item(urlhash_tree, hf->hf.hs_ext_cert_url_url_len,
11422 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
11423 offset += 2;
11424
11425 proto_tree_add_item(urlhash_tree, hf->hf.hs_ext_cert_url_url,
11426 tvb, offset, url_len, ENC_ASCII0x00000000|ENC_NA0x00000000);
11427 offset += url_len;
11428
11429 proto_tree_add_item(urlhash_tree, hf->hf.hs_ext_cert_url_padding,
11430 tvb, offset, 1, ENC_NA0x00000000);
11431 offset++;
11432 /* Note: RFC 6066 says that padding must be 0x01 */
11433
11434 proto_tree_add_item(urlhash_tree, hf->hf.hs_ext_cert_url_sha1,
11435 tvb, offset, 20, ENC_NA0x00000000);
11436 offset += 20;
11437 }
11438} /* }}} */
11439
11440void
11441ssl_dissect_hnd_compress_certificate(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree,
11442 uint32_t offset, uint32_t offset_end, packet_info *pinfo,
11443 SslSession *session, SslDecryptSession *ssl,
11444 bool_Bool is_from_server, bool_Bool is_dtls)
11445{
11446 uint32_t algorithm, uncompressed_length;
11447 uint32_t compressed_certificate_message_length;
11448 tvbuff_t *uncompressed_tvb = NULL((void*)0);
11449 proto_item *ti;
11450 /*
11451 * enum {
11452 * zlib(1),
11453 * brotli(2),
11454 * zstd(3),
11455 * (65535)
11456 * } CertificateCompressionAlgorithm;
11457 *
11458 * struct {
11459 * CertificateCompressionAlgorithm algorithm;
11460 * uint24 uncompressed_length;
11461 * opaque compressed_certificate_message<1..2^24-1>;
11462 * } CompressedCertificate;
11463 */
11464
11465 proto_tree_add_item_ret_uint(tree, hf->hf.hs_ext_compress_certificate_algorithm,
11466 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &algorithm);
11467 offset += 2;
11468
11469 proto_tree_add_item_ret_uint(tree, hf->hf.hs_ext_compress_certificate_uncompressed_length,
11470 tvb, offset, 3, ENC_BIG_ENDIAN0x00000000, &uncompressed_length);
11471 offset += 3;
11472
11473 /* opaque compressed_certificate_message<1..2^24-1>; */
11474 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &compressed_certificate_message_length,
11475 hf->hf.hs_ext_compress_certificate_compressed_certificate_message_length, 1, G_MAXUINT24((1U << 24) - 1))) {
11476 return;
11477 }
11478 offset += 3;
11479
11480 ti = proto_tree_add_item(tree, hf->hf.hs_ext_compress_certificate_compressed_certificate_message,
11481 tvb, offset, compressed_certificate_message_length, ENC_NA0x00000000);
11482
11483 /* Certificate decompression following algorithm */
11484 switch (algorithm) {
11485 case 2: /* brotli */
11486 uncompressed_tvb = tvb_child_uncompress_brotli(tvb, tvb, offset, compressed_certificate_message_length);
11487 break;
11488 /* TODO: add other algorithms */
11489 }
11490
11491 if (uncompressed_tvb) {
11492 proto_tree *uncompressed_tree;
11493
11494 if (uncompressed_length != tvb_captured_length(uncompressed_tvb)) {
11495 proto_tree_add_expert_format(tree, pinfo, &hf->ei.decompression_error,
11496 tvb, offset, offset_end - offset,
11497 "Invalid uncompressed length %u (expected %u)",
11498 tvb_captured_length(uncompressed_tvb),
11499 uncompressed_length);
11500 } else {
11501 uncompressed_tree = proto_item_add_subtree(ti, hf->ett.uncompressed_certificates);
11502 ssl_dissect_hnd_cert(hf, uncompressed_tvb, uncompressed_tree,
11503 0, uncompressed_length, pinfo, session, ssl, is_from_server, is_dtls);
11504 add_new_data_source(pinfo, uncompressed_tvb, "Uncompressed certificate(s)");
11505 }
11506 }
11507}
11508
11509/* Dissection of TLS Extensions in Client Hello, Server Hello, etc. {{{ */
11510static int
11511// NOLINTNEXTLINE(misc-no-recursion)
11512ssl_dissect_hnd_extension(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree,
11513 packet_info* pinfo, uint32_t offset, uint32_t offset_end, uint8_t hnd_type,
11514 SslSession *session, SslDecryptSession *ssl,
11515 bool_Bool is_dtls, wmem_strbuf_t *ja3, ja4_data_t *ja4_data,
11516 ssl_master_key_map_t *mk_map, uint32_t initial_offset, uint32_t hello_length)
11517{
11518 uint32_t exts_len;
11519 uint16_t ext_type;
11520 uint32_t ext_len;
11521 uint32_t next_offset;
11522 proto_tree *ext_tree;
11523 bool_Bool is_tls13 = session->version == TLSV1DOT3_VERSION0x304;
11524 wmem_strbuf_t *ja3_sg = wmem_strbuf_new(pinfo->pool, "");
11525 wmem_strbuf_t *ja3_ecpf = wmem_strbuf_new(pinfo->pool, "");
11526 char *ja3_dash = "";
11527 unsigned supported_version;
11528
11529 /* Extension extensions<0..2^16-2> (for TLS 1.3 HRR/CR min-length is 2) */
11530 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &exts_len,
11531 hf->hf.hs_exts_len, 0, UINT16_MAX(65535))) {
11532 return offset_end;
11533 }
11534 offset += 2;
11535 offset_end = offset + exts_len;
11536
11537 if (ja4_data) {
11538 ja4_data->num_extensions = 0;
11539 }
11540 while (offset_end - offset >= 4)
11541 {
11542 ext_type = tvb_get_ntohs(tvb, offset);
11543 ext_len = tvb_get_ntohs(tvb, offset + 2);
11544
11545 if (ja4_data && !IS_GREASE_TLS(ext_type)((((ext_type) & 0x0f0f) == 0x0a0a) && (((ext_type
) & 0xff) == (((ext_type)>>8) & 0xff)))) {
11546 ja4_data->num_extensions += 1;
11547 if (ext_type != SSL_HND_HELLO_EXT_SERVER_NAME0 &&
11548 ext_type != SSL_HND_HELLO_EXT_ALPN16) {
11549 wmem_list_insert_sorted(ja4_data->extension_list, GUINT_TO_POINTER(ext_type)((gpointer) (gulong) (ext_type)), wmem_compare_uint);
11550 }
11551 }
11552
11553 ext_tree = proto_tree_add_subtree_format(tree, tvb, offset, 4 + ext_len, hf->ett.hs_ext, NULL((void*)0),
11554 "Extension: %s (len=%u)", val_to_str(ext_type,
11555 tls_hello_extension_types,
11556 "Unknown type %u"), ext_len);
11557
11558 proto_tree_add_uint(ext_tree, hf->hf.hs_ext_type,
11559 tvb, offset, 2, ext_type);
11560 offset += 2;
11561 if (ja3 && !IS_GREASE_TLS(ext_type)((((ext_type) & 0x0f0f) == 0x0a0a) && (((ext_type
) & 0xff) == (((ext_type)>>8) & 0xff)))) {
11562 wmem_strbuf_append_printf(ja3, "%s%i",ja3_dash, ext_type);
11563 ja3_dash = "-";
11564 }
11565
11566 /* opaque extension_data<0..2^16-1> */
11567 if (!ssl_add_vector(hf, tvb, pinfo, ext_tree, offset, offset_end, &ext_len,
11568 hf->hf.hs_ext_len, 0, UINT16_MAX(65535))) {
11569 return offset_end;
11570 }
11571 offset += 2;
11572 next_offset = offset + ext_len;
11573
11574 switch (ext_type) {
11575 case SSL_HND_HELLO_EXT_SERVER_NAME0:
11576 if (hnd_type == SSL_HND_CLIENT_HELLO) {
11577 offset = ssl_dissect_hnd_hello_ext_server_name(hf, tvb, pinfo, ext_tree, offset, next_offset);
11578 if (ja4_data) {
11579 ja4_data->server_name_present = true1;
11580 }
11581 }
11582 break;
11583 case SSL_HND_HELLO_EXT_MAX_FRAGMENT_LENGTH1:
11584 proto_tree_add_item(ext_tree, hf->hf.hs_ext_max_fragment_length, tvb, offset, 1, ENC_NA0x00000000);
11585 offset += 1;
11586 break;
11587 case SSL_HND_HELLO_EXT_STATUS_REQUEST5:
11588 if (hnd_type == SSL_HND_CLIENT_HELLO) {
11589 offset = ssl_dissect_hnd_hello_ext_status_request(hf, tvb, pinfo, ext_tree, offset, next_offset, false0);
11590 } else if (is_tls13 && hnd_type == SSL_HND_CERTIFICATE) {
11591 offset = tls_dissect_hnd_certificate_status(hf, tvb, pinfo, ext_tree, offset, next_offset);
11592 }
11593 break;
11594 case SSL_HND_HELLO_EXT_CERT_TYPE9:
11595 offset = ssl_dissect_hnd_hello_ext_cert_type(hf, tvb, ext_tree,
11596 offset, next_offset,
11597 hnd_type, ext_type,
11598 session);
11599 break;
11600 case SSL_HND_HELLO_EXT_SUPPORTED_GROUPS10:
11601 if (hnd_type == SSL_HND_CLIENT_HELLO) {
11602 offset = ssl_dissect_hnd_hello_ext_supported_groups(hf, tvb, pinfo, ext_tree, offset,
11603 next_offset, ja3_sg);
11604 } else {
11605 offset = ssl_dissect_hnd_hello_ext_supported_groups(hf, tvb, pinfo, ext_tree, offset,
11606 next_offset, NULL((void*)0));
11607 }
11608 break;
11609 case SSL_HND_HELLO_EXT_EC_POINT_FORMATS11:
11610 if (hnd_type == SSL_HND_CLIENT_HELLO) {
11611 offset = ssl_dissect_hnd_hello_ext_ec_point_formats(hf, tvb, ext_tree, offset, ja3_ecpf);
11612 } else {
11613 offset = ssl_dissect_hnd_hello_ext_ec_point_formats(hf, tvb, ext_tree, offset, NULL((void*)0));
11614 }
11615 break;
11616 break;
11617 case SSL_HND_HELLO_EXT_SRP12:
11618 offset = ssl_dissect_hnd_hello_ext_srp(hf, tvb, pinfo, ext_tree, offset, next_offset);
11619 break;
11620 case SSL_HND_HELLO_EXT_SIGNATURE_ALGORITHMS13:
11621 offset = ssl_dissect_hnd_hello_ext_sig_hash_algs(hf, tvb, ext_tree, pinfo, offset, next_offset, ja4_data);
11622 break;
11623 case SSL_HND_HELLO_EXT_SIGNATURE_ALGORITHMS_CERT50: /* since TLS 1.3 draft -23 */
11624 offset = ssl_dissect_hnd_hello_ext_sig_hash_algs(hf, tvb, ext_tree, pinfo, offset, next_offset, NULL((void*)0));
11625 break;
11626 case SSL_HND_HELLO_EXT_DELEGATED_CREDENTIALS34:
11627 offset = ssl_dissect_hnd_ext_delegated_credentials(hf, tvb, ext_tree, pinfo, offset, next_offset, hnd_type);
11628 break;
11629 case SSL_HND_HELLO_EXT_USE_SRTP14:
11630 if (is_dtls) {
11631 if (hnd_type == SSL_HND_CLIENT_HELLO) {
11632 offset = dtls_dissect_hnd_hello_ext_use_srtp(pinfo, tvb, ext_tree, offset, next_offset, false0);
11633 } else if (hnd_type == SSL_HND_SERVER_HELLO) {
11634 offset = dtls_dissect_hnd_hello_ext_use_srtp(pinfo, tvb, ext_tree, offset, next_offset, true1);
11635 }
11636 } else {
11637 // XXX expert info: This extension MUST only be used with DTLS, and not with TLS.
11638 }
11639 break;
11640 case SSL_HND_HELLO_EXT_ECH_OUTER_EXTENSIONS64768:
11641 offset = ssl_dissect_hnd_ech_outer_ext(hf, tvb, pinfo, ext_tree, offset, next_offset);
11642 break;
11643 case SSL_HND_HELLO_EXT_ENCRYPTED_CLIENT_HELLO65037:
11644 offset = ssl_dissect_hnd_hello_ext_ech(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, session, ssl, mk_map, initial_offset, hello_length);
11645 break;
11646 case SSL_HND_HELLO_EXT_HEARTBEAT15:
11647 proto_tree_add_item(ext_tree, hf->hf.hs_ext_heartbeat_mode,
11648 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
11649 offset++;
11650 break;
11651 case SSL_HND_HELLO_EXT_ALPN16:
11652 offset = ssl_dissect_hnd_hello_ext_alpn(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, session, is_dtls, ja4_data);
11653 break;
11654 case SSL_HND_HELLO_EXT_STATUS_REQUEST_V217:
11655 if (hnd_type == SSL_HND_CLIENT_HELLO)
11656 offset = ssl_dissect_hnd_hello_ext_status_request_v2(hf, tvb, pinfo, ext_tree, offset, next_offset);
11657 break;
11658 case SSL_HND_HELLO_EXT_SIGNED_CERTIFICATE_TIMESTAMP18:
11659 // TLS 1.3 note: SCT only appears in EE in draft -16 and before.
11660 if (hnd_type == SSL_HND_SERVER_HELLO || hnd_type == SSL_HND_ENCRYPTED_EXTENSIONS || hnd_type == SSL_HND_CERTIFICATE)
11661 offset = tls_dissect_sct_list(hf, tvb, pinfo, ext_tree, offset, next_offset, session->version);
11662 break;
11663 case SSL_HND_HELLO_EXT_CLIENT_CERT_TYPE19:
11664 case SSL_HND_HELLO_EXT_SERVER_CERT_TYPE20:
11665 offset = ssl_dissect_hnd_hello_ext_cert_type(hf, tvb, ext_tree,
11666 offset, next_offset,
11667 hnd_type, ext_type,
11668 session);
11669 break;
11670 case SSL_HND_HELLO_EXT_PADDING21:
11671 proto_tree_add_item(ext_tree, hf->hf.hs_ext_padding_data, tvb, offset, ext_len, ENC_NA0x00000000);
11672 offset += ext_len;
11673 break;
11674 case SSL_HND_HELLO_EXT_ENCRYPT_THEN_MAC22:
11675 if (ssl && hnd_type == SSL_HND_SERVER_HELLO) {
11676 ssl_debug_printf("%s enabling Encrypt-then-MAC\n", G_STRFUNC((const char*) (__func__)));
11677 ssl->state |= SSL_ENCRYPT_THEN_MAC(1<<11);
11678 }
11679 break;
11680 case SSL_HND_HELLO_EXT_EXTENDED_MASTER_SECRET23:
11681 if (ssl) {
11682 switch (hnd_type) {
11683 case SSL_HND_CLIENT_HELLO:
11684 ssl->state |= SSL_CLIENT_EXTENDED_MASTER_SECRET(1<<7);
11685 break;
11686 case SSL_HND_SERVER_HELLO:
11687 ssl->state |= SSL_SERVER_EXTENDED_MASTER_SECRET(1<<8);
11688 break;
11689 default: /* no default */
11690 break;
11691 }
11692 }
11693 break;
11694 case SSL_HND_HELLO_EXT_COMPRESS_CERTIFICATE27:
11695 offset = ssl_dissect_hnd_hello_ext_compress_certificate(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, ssl);
11696 break;
11697 case SSL_HND_HELLO_EXT_TOKEN_BINDING24:
11698 offset = ssl_dissect_hnd_hello_ext_token_binding(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, ssl);
11699 break;
11700 case SSL_HND_HELLO_EXT_RECORD_SIZE_LIMIT28:
11701 proto_tree_add_item(ext_tree, hf->hf.hs_ext_record_size_limit,
11702 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
11703 offset += 2;
11704 break;
11705 case SSL_HND_HELLO_EXT_QUIC_TRANSPORT_PARAMETERS65445:
11706 case SSL_HND_HELLO_EXT_QUIC_TRANSPORT_PARAMETERS_V157:
11707 offset = ssl_dissect_hnd_hello_ext_quic_transport_parameters(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, ssl);
11708 break;
11709 case SSL_HND_HELLO_EXT_SESSION_TICKET_TLS35:
11710 offset = ssl_dissect_hnd_hello_ext_session_ticket(hf, tvb, ext_tree, offset, next_offset, hnd_type, ssl);
11711 break;
11712 case SSL_HND_HELLO_EXT_KEY_SHARE_OLD40: /* used before TLS 1.3 draft -23 */
11713 case SSL_HND_HELLO_EXT_KEY_SHARE51:
11714 offset = ssl_dissect_hnd_hello_ext_key_share(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type);
11715 break;
11716 case SSL_HND_HELLO_EXT_PRE_SHARED_KEY41:
11717 offset = ssl_dissect_hnd_hello_ext_pre_shared_key(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type);
11718 break;
11719 case SSL_HND_HELLO_EXT_EARLY_DATA42:
11720 case SSL_HND_HELLO_EXT_TICKET_EARLY_DATA_INFO46:
11721 offset = ssl_dissect_hnd_hello_ext_early_data(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, ssl);
11722 break;
11723 case SSL_HND_HELLO_EXT_SUPPORTED_VERSIONS43:
11724 switch (hnd_type) {
11725 case SSL_HND_CLIENT_HELLO:
11726 offset = ssl_dissect_hnd_hello_ext_supported_versions(hf, tvb, pinfo, ext_tree, offset, next_offset, session, is_dtls, ja4_data);
11727 break;
11728 case SSL_HND_SERVER_HELLO:
11729 case SSL_HND_HELLO_RETRY_REQUEST:
11730 proto_tree_add_item_ret_uint(ext_tree, hf->hf.hs_ext_supported_version, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &supported_version);
11731 offset += 2;
11732 proto_item_append_text(ext_tree, " %s", val_to_str(supported_version, ssl_versions, "Unknown (0x%04x)"));
11733 break;
11734 }
11735 break;
11736 case SSL_HND_HELLO_EXT_COOKIE44:
11737 offset = ssl_dissect_hnd_hello_ext_cookie(hf, tvb, pinfo, ext_tree, offset, next_offset);
11738 break;
11739 case SSL_HND_HELLO_EXT_PSK_KEY_EXCHANGE_MODES45:
11740 offset = ssl_dissect_hnd_hello_ext_psk_key_exchange_modes(hf, tvb, pinfo, ext_tree, offset, next_offset);
11741 break;
11742 case SSL_HND_HELLO_EXT_CERTIFICATE_AUTHORITIES47:
11743 offset = ssl_dissect_hnd_hello_ext_certificate_authorities(hf, tvb, pinfo, ext_tree, offset, next_offset);
11744 break;
11745 case SSL_HND_HELLO_EXT_OID_FILTERS48:
11746 offset = ssl_dissect_hnd_hello_ext_oid_filters(hf, tvb, pinfo, ext_tree, offset, next_offset);
11747 break;
11748 case SSL_HND_HELLO_EXT_POST_HANDSHAKE_AUTH49:
11749 break;
11750 case SSL_HND_HELLO_EXT_NPN13172:
11751 offset = ssl_dissect_hnd_hello_ext_npn(hf, tvb, pinfo, ext_tree, offset, next_offset);
11752 break;
11753 case SSL_HND_HELLO_EXT_ALPS17513:
11754 offset = ssl_dissect_hnd_hello_ext_alps(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type);
11755 break;
11756 case SSL_HND_HELLO_EXT_RENEGOTIATION_INFO65281:
11757 offset = ssl_dissect_hnd_hello_ext_reneg_info(hf, tvb, pinfo, ext_tree, offset, next_offset);
11758 break;
11759 case SSL_HND_HELLO_EXT_ENCRYPTED_SERVER_NAME65486:
11760 offset = ssl_dissect_hnd_hello_ext_esni(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, ssl);
11761 break;
11762 case SSL_HND_HELLO_EXT_CONNECTION_ID_DEPRECATED53:
11763 session->deprecated_cid = true1;
11764 /* FALLTHRU */
11765 case SSL_HND_HELLO_EXT_CONNECTION_ID54:
11766 offset = ssl_dissect_hnd_hello_ext_connection_id(hf, tvb, pinfo, ext_tree, offset, hnd_type, session, ssl);
11767 break;
11768 case SSL_HND_HELLO_EXT_TRUSTED_CA_KEYS3:
11769 offset = ssl_dissect_hnd_hello_ext_trusted_ca_keys(hf, tvb, pinfo, ext_tree, offset, next_offset);
11770 break;
11771 default:
11772 proto_tree_add_item(ext_tree, hf->hf.hs_ext_data,
11773 tvb, offset, ext_len, ENC_NA0x00000000);
11774 offset += ext_len;
11775 break;
11776 }
11777
11778 if (!ssl_end_vector(hf, tvb, pinfo, ext_tree, offset, next_offset)) {
11779 /* Dissection did not end at expected location, fix it. */
11780 offset = next_offset;
11781 }
11782 }
11783
11784 if (ja3) {
11785 if (hnd_type == SSL_HND_CLIENT_HELLO) {
11786 if(wmem_strbuf_get_len(ja3_sg) > 0) {
11787 wmem_strbuf_append_printf(ja3, "%s", wmem_strbuf_get_str(ja3_sg));
11788 } else {
11789 wmem_strbuf_append_c(ja3, ',');
11790 }
11791 if(wmem_strbuf_get_len(ja3_ecpf) > 0) {
11792 wmem_strbuf_append_printf(ja3, "%s", wmem_strbuf_get_str(ja3_ecpf));
11793 } else {
11794 wmem_strbuf_append_c(ja3, ',');
11795 }
11796 }
11797 }
11798
11799 /* Check if Extensions vector is correctly terminated. */
11800 if (!ssl_end_vector(hf, tvb, pinfo, tree, offset, offset_end)) {
11801 offset = offset_end;
11802 }
11803
11804 return offset;
11805} /* }}} */
11806
11807
11808/* ClientKeyExchange algo-specific dissectors. {{{ */
11809
11810static void
11811dissect_ssl3_hnd_cli_keyex_ecdh(ssl_common_dissect_t *hf, tvbuff_t *tvb,
11812 proto_tree *tree, uint32_t offset,
11813 uint32_t length)
11814{
11815 int point_len;
11816 proto_tree *ssl_ecdh_tree;
11817
11818 ssl_ecdh_tree = proto_tree_add_subtree(tree, tvb, offset, length,
11819 hf->ett.keyex_params, NULL((void*)0), "EC Diffie-Hellman Client Params");
11820
11821 /* point */
11822 point_len = tvb_get_uint8(tvb, offset);
11823 proto_tree_add_item(ssl_ecdh_tree, hf->hf.hs_client_keyex_point_len, tvb,
11824 offset, 1, ENC_BIG_ENDIAN0x00000000);
11825 proto_tree_add_item(ssl_ecdh_tree, hf->hf.hs_client_keyex_point, tvb,
11826 offset + 1, point_len, ENC_NA0x00000000);
11827}
11828
11829static void
11830dissect_ssl3_hnd_cli_keyex_dhe(ssl_common_dissect_t *hf, tvbuff_t *tvb,
11831 proto_tree *tree, uint32_t offset, uint32_t length)
11832{
11833 int yc_len;
11834 proto_tree *ssl_dh_tree;
11835
11836 ssl_dh_tree = proto_tree_add_subtree(tree, tvb, offset, length,
11837 hf->ett.keyex_params, NULL((void*)0), "Diffie-Hellman Client Params");
11838
11839 /* ClientDiffieHellmanPublic.dh_public (explicit) */
11840 yc_len = tvb_get_ntohs(tvb, offset);
11841 proto_tree_add_item(ssl_dh_tree, hf->hf.hs_client_keyex_yc_len, tvb,
11842 offset, 2, ENC_BIG_ENDIAN0x00000000);
11843 proto_tree_add_item(ssl_dh_tree, hf->hf.hs_client_keyex_yc, tvb,
11844 offset + 2, yc_len, ENC_NA0x00000000);
11845}
11846
11847static void
11848dissect_ssl3_hnd_cli_keyex_rsa(ssl_common_dissect_t *hf, tvbuff_t *tvb,
11849 proto_tree *tree, uint32_t offset,
11850 uint32_t length, const SslSession *session)
11851{
11852 int epms_len;
11853 proto_tree *ssl_rsa_tree;
11854
11855 ssl_rsa_tree = proto_tree_add_subtree(tree, tvb, offset, length,
11856 hf->ett.keyex_params, NULL((void*)0), "RSA Encrypted PreMaster Secret");
11857
11858 /* EncryptedPreMasterSecret.pre_master_secret */
11859 switch (session->version) {
11860 case SSLV2_VERSION0x0002:
11861 case SSLV3_VERSION0x300:
11862 case DTLSV1DOT0_OPENSSL_VERSION0x100:
11863 /* OpenSSL pre-0.9.8f DTLS and pre-TLS quirk: 2-octet length vector is
11864 * not present. The handshake contents represents the EPMS, see:
11865 * https://gitlab.com/wireshark/wireshark/-/issues/10222 */
11866 epms_len = length;
11867 break;
11868
11869 default:
11870 /* TLS and DTLS include vector length before EPMS */
11871 epms_len = tvb_get_ntohs(tvb, offset);
11872 proto_tree_add_item(ssl_rsa_tree, hf->hf.hs_client_keyex_epms_len, tvb,
11873 offset, 2, ENC_BIG_ENDIAN0x00000000);
11874 offset += 2;
11875 break;
11876 }
11877 proto_tree_add_item(ssl_rsa_tree, hf->hf.hs_client_keyex_epms, tvb,
11878 offset, epms_len, ENC_NA0x00000000);
11879}
11880
11881/* Used in PSK cipher suites */
11882static uint32_t
11883dissect_ssl3_hnd_cli_keyex_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb,
11884 proto_tree *tree, uint32_t offset)
11885{
11886 unsigned identity_len;
11887 proto_tree *ssl_psk_tree;
11888
11889 ssl_psk_tree = proto_tree_add_subtree(tree, tvb, offset, -1,
11890 hf->ett.keyex_params, NULL((void*)0), "PSK Client Params");
11891 /* identity */
11892 identity_len = tvb_get_ntohs(tvb, offset);
11893 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_client_keyex_identity_len, tvb,
11894 offset, 2, ENC_BIG_ENDIAN0x00000000);
11895 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_client_keyex_identity, tvb,
11896 offset + 2, identity_len, ENC_NA0x00000000);
11897
11898 proto_item_set_len(ssl_psk_tree, 2 + identity_len);
11899 return 2 + identity_len;
11900}
11901
11902/* Used in RSA PSK cipher suites */
11903static void
11904dissect_ssl3_hnd_cli_keyex_rsa_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb,
11905 proto_tree *tree, uint32_t offset,
11906 uint32_t length)
11907{
11908 int identity_len, epms_len;
11909 proto_tree *ssl_psk_tree;
11910
11911 ssl_psk_tree = proto_tree_add_subtree(tree, tvb, offset, length,
11912 hf->ett.keyex_params, NULL((void*)0), "RSA PSK Client Params");
11913
11914 /* identity */
11915 identity_len = tvb_get_ntohs(tvb, offset);
11916 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_client_keyex_identity_len,
11917 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
11918 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_client_keyex_identity,
11919 tvb, offset + 2, identity_len, ENC_NA0x00000000);
11920 offset += 2 + identity_len;
11921
11922 /* Yc */
11923 epms_len = tvb_get_ntohs(tvb, offset);
11924 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_client_keyex_epms_len, tvb,
11925 offset, 2, ENC_BIG_ENDIAN0x00000000);
11926 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_client_keyex_epms, tvb,
11927 offset + 2, epms_len, ENC_NA0x00000000);
11928}
11929
11930/* Used in Diffie-Hellman PSK cipher suites */
11931static void
11932dissect_ssl3_hnd_cli_keyex_dhe_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb,
11933 proto_tree *tree, uint32_t offset, uint32_t length)
11934{
11935 /*
11936 * struct {
11937 * select (KeyExchangeAlgorithm) {
11938 * case diffie_hellman_psk:
11939 * opaque psk_identity<0..2^16-1>;
11940 * ClientDiffieHellmanPublic public;
11941 * } exchange_keys;
11942 * } ClientKeyExchange;
11943 */
11944
11945 uint32_t psk_len = dissect_ssl3_hnd_cli_keyex_psk(hf, tvb, tree, offset);
11946 dissect_ssl3_hnd_cli_keyex_dhe(hf, tvb, tree, offset + psk_len, length - psk_len);
11947}
11948
11949/* Used in EC Diffie-Hellman PSK cipher suites */
11950static void
11951dissect_ssl3_hnd_cli_keyex_ecdh_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb,
11952 proto_tree *tree, uint32_t offset, uint32_t length)
11953{
11954 /*
11955 * struct {
11956 * select (KeyExchangeAlgorithm) {
11957 * case ec_diffie_hellman_psk:
11958 * opaque psk_identity<0..2^16-1>;
11959 * ClientECDiffieHellmanPublic public;
11960 * } exchange_keys;
11961 * } ClientKeyExchange;
11962 */
11963
11964 uint32_t psk_len = dissect_ssl3_hnd_cli_keyex_psk(hf, tvb, tree, offset);
11965 dissect_ssl3_hnd_cli_keyex_ecdh(hf, tvb, tree, offset + psk_len, length - psk_len);
11966}
11967
11968/* Used in EC J-PAKE cipher suites */
11969static void
11970dissect_ssl3_hnd_cli_keyex_ecjpake(ssl_common_dissect_t *hf, tvbuff_t *tvb,
11971 proto_tree *tree, uint32_t offset,
11972 uint32_t length)
11973{
11974 /*
11975 * struct {
11976 * ECPoint V;
11977 * opaque r<1..2^8-1>;
11978 * } ECSchnorrZKP;
11979 *
11980 * struct {
11981 * ECPoint X;
11982 * ECSchnorrZKP zkp;
11983 * } ECJPAKEKeyKP;
11984 *
11985 * struct {
11986 * ECJPAKEKeyKP ecjpake_key_kp;
11987 * } ClientECJPAKEParams;
11988 *
11989 * select (KeyExchangeAlgorithm) {
11990 * case ecjpake:
11991 * ClientECJPAKEParams params;
11992 * } ClientKeyExchange;
11993 */
11994
11995 int point_len;
11996 proto_tree *ssl_ecjpake_tree;
11997
11998 ssl_ecjpake_tree = proto_tree_add_subtree(tree, tvb, offset, length,
11999 hf->ett.keyex_params, NULL((void*)0),
12000 "EC J-PAKE Client Params");
12001
12002 /* ECJPAKEKeyKP.X */
12003 point_len = tvb_get_uint8(tvb, offset);
12004 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_client_keyex_xc_len, tvb,
12005 offset, 1, ENC_BIG_ENDIAN0x00000000);
12006 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_client_keyex_xc, tvb,
12007 offset + 1, point_len, ENC_NA0x00000000);
12008 offset += 1 + point_len;
12009
12010 /* ECJPAKEKeyKP.zkp.V */
12011 point_len = tvb_get_uint8(tvb, offset);
12012 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_client_keyex_vc_len, tvb,
12013 offset, 1, ENC_BIG_ENDIAN0x00000000);
12014 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_client_keyex_vc, tvb,
12015 offset + 1, point_len, ENC_NA0x00000000);
12016 offset += 1 + point_len;
12017
12018 /* ECJPAKEKeyKP.zkp.r */
12019 point_len = tvb_get_uint8(tvb, offset);
12020 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_client_keyex_rc_len, tvb,
12021 offset, 1, ENC_BIG_ENDIAN0x00000000);
12022 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_client_keyex_rc, tvb,
12023 offset + 1, point_len, ENC_NA0x00000000);
12024}
12025
12026static void
12027dissect_ssl3_hnd_cli_keyex_ecc_sm2(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12028 proto_tree *tree, uint32_t offset,
12029 uint32_t length)
12030{
12031 int epms_len;
12032 proto_tree *ssl_ecc_sm2_tree;
12033
12034 ssl_ecc_sm2_tree = proto_tree_add_subtree(tree, tvb, offset, length,
12035 hf->ett.keyex_params, NULL((void*)0),
12036 "ECC-SM2 Encrypted PreMaster Secret");
12037
12038 epms_len = tvb_get_ntohs(tvb, offset);
12039 proto_tree_add_item(ssl_ecc_sm2_tree, hf->hf.hs_client_keyex_epms_len, tvb,
12040 offset, 2, ENC_BIG_ENDIAN0x00000000);
12041 offset += 2;
12042 proto_tree_add_item(ssl_ecc_sm2_tree, hf->hf.hs_client_keyex_epms, tvb,
12043 offset, epms_len, ENC_NA0x00000000);
12044}
12045/* ClientKeyExchange algo-specific dissectors. }}} */
12046
12047
12048/* Dissects DigitallySigned (see RFC 5246 4.7 Cryptographic Attributes). {{{ */
12049static uint32_t
12050ssl_dissect_digitally_signed(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12051 proto_tree *tree, uint32_t offset, uint32_t offset_end,
12052 uint16_t version, int hf_sig_len, int hf_sig)
12053{
12054 uint32_t sig_len;
12055
12056 switch (version) {
12057 case TLSV1DOT2_VERSION0x303:
12058 case DTLSV1DOT2_VERSION0xfefd:
12059 case TLSV1DOT3_VERSION0x304:
12060 case DTLSV1DOT3_VERSION0xfefc:
12061 tls_dissect_signature_algorithm(hf, tvb, tree, offset, NULL((void*)0));
12062 offset += 2;
12063 break;
12064
12065 default:
12066 break;
12067 }
12068
12069 /* Sig */
12070 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &sig_len,
12071 hf_sig_len, 0, UINT16_MAX(65535))) {
12072 return offset_end;
12073 }
12074 offset += 2;
12075 proto_tree_add_item(tree, hf_sig, tvb, offset, sig_len, ENC_NA0x00000000);
12076 offset += sig_len;
12077 return offset;
12078} /* }}} */
12079
12080/* ServerKeyExchange algo-specific dissectors. {{{ */
12081
12082/* dissects signed_params inside a ServerKeyExchange for some keyex algos */
12083static void
12084dissect_ssl3_hnd_srv_keyex_sig(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12085 proto_tree *tree, uint32_t offset, uint32_t offset_end,
12086 uint16_t version)
12087{
12088 /*
12089 * TLSv1.2 (RFC 5246 sec 7.4.8)
12090 * struct {
12091 * digitally-signed struct {
12092 * opaque handshake_messages[handshake_messages_length];
12093 * }
12094 * } CertificateVerify;
12095 *
12096 * TLSv1.0/TLSv1.1 (RFC 5436 sec 7.4.8 and 7.4.3) works essentially the same
12097 * as TLSv1.2, but the hash algorithms are not explicit in digitally-signed.
12098 *
12099 * SSLv3 (RFC 6101 sec 5.6.8) essentially works the same as TLSv1.0 but it
12100 * does more hashing including the master secret and padding.
12101 */
12102 ssl_dissect_digitally_signed(hf, tvb, pinfo, tree, offset, offset_end, version,
12103 hf->hf.hs_server_keyex_sig_len,
12104 hf->hf.hs_server_keyex_sig);
12105}
12106
12107static uint32_t
12108dissect_tls_ecparameters(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree, uint32_t offset, uint32_t offset_end)
12109{
12110 /*
12111 * RFC 4492 ECC cipher suites for TLS
12112 *
12113 * struct {
12114 * ECCurveType curve_type;
12115 * select (curve_type) {
12116 * case explicit_prime:
12117 * ...
12118 * case explicit_char2:
12119 * ...
12120 * case named_curve:
12121 * NamedCurve namedcurve;
12122 * };
12123 * } ECParameters;
12124 */
12125
12126 int curve_type;
12127
12128 /* ECParameters.curve_type */
12129 curve_type = tvb_get_uint8(tvb, offset);
12130 proto_tree_add_item(tree, hf->hf.hs_server_keyex_curve_type, tvb,
12131 offset, 1, ENC_BIG_ENDIAN0x00000000);
12132 offset++;
12133
12134 if (curve_type != 3)
12135 return offset_end; /* only named_curves are supported */
12136
12137 /* case curve_type == named_curve; ECParameters.namedcurve */
12138 proto_tree_add_item(tree, hf->hf.hs_server_keyex_named_curve, tvb,
12139 offset, 2, ENC_BIG_ENDIAN0x00000000);
12140 offset += 2;
12141
12142 return offset;
12143}
12144
12145static void
12146dissect_ssl3_hnd_srv_keyex_ecdh(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12147 proto_tree *tree, uint32_t offset, uint32_t offset_end,
12148 uint16_t version, bool_Bool anon)
12149{
12150 /*
12151 * RFC 4492 ECC cipher suites for TLS
12152 *
12153 * struct {
12154 * opaque point <1..2^8-1>;
12155 * } ECPoint;
12156 *
12157 * struct {
12158 * ECParameters curve_params;
12159 * ECPoint public;
12160 * } ServerECDHParams;
12161 *
12162 * select (KeyExchangeAlgorithm) {
12163 * case ec_diffie_hellman:
12164 * ServerECDHParams params;
12165 * Signature signed_params;
12166 * } ServerKeyExchange;
12167 */
12168
12169 int point_len;
12170 proto_tree *ssl_ecdh_tree;
12171
12172 ssl_ecdh_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
12173 hf->ett.keyex_params, NULL((void*)0), "EC Diffie-Hellman Server Params");
12174
12175 offset = dissect_tls_ecparameters(hf, tvb, ssl_ecdh_tree, offset, offset_end);
12176 if (offset >= offset_end)
12177 return; /* only named_curves are supported */
12178
12179 /* ECPoint.point */
12180 point_len = tvb_get_uint8(tvb, offset);
12181 proto_tree_add_item(ssl_ecdh_tree, hf->hf.hs_server_keyex_point_len, tvb,
12182 offset, 1, ENC_BIG_ENDIAN0x00000000);
12183 proto_tree_add_item(ssl_ecdh_tree, hf->hf.hs_server_keyex_point, tvb,
12184 offset + 1, point_len, ENC_NA0x00000000);
12185 offset += 1 + point_len;
12186
12187 /* Signature (if non-anonymous KEX) */
12188 if (!anon) {
12189 dissect_ssl3_hnd_srv_keyex_sig(hf, tvb, pinfo, ssl_ecdh_tree, offset, offset_end, version);
12190 }
12191}
12192
12193static void
12194dissect_ssl3_hnd_srv_keyex_dhe(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12195 proto_tree *tree, uint32_t offset, uint32_t offset_end,
12196 uint16_t version, bool_Bool anon)
12197{
12198 int p_len, g_len, ys_len;
12199 proto_tree *ssl_dh_tree;
12200
12201 ssl_dh_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
12202 hf->ett.keyex_params, NULL((void*)0), "Diffie-Hellman Server Params");
12203
12204 /* p */
12205 p_len = tvb_get_ntohs(tvb, offset);
12206 proto_tree_add_item(ssl_dh_tree, hf->hf.hs_server_keyex_p_len, tvb,
12207 offset, 2, ENC_BIG_ENDIAN0x00000000);
12208 proto_tree_add_item(ssl_dh_tree, hf->hf.hs_server_keyex_p, tvb,
12209 offset + 2, p_len, ENC_NA0x00000000);
12210 offset += 2 + p_len;
12211
12212 /* g */
12213 g_len = tvb_get_ntohs(tvb, offset);
12214 proto_tree_add_item(ssl_dh_tree, hf->hf.hs_server_keyex_g_len, tvb,
12215 offset, 2, ENC_BIG_ENDIAN0x00000000);
12216 proto_tree_add_item(ssl_dh_tree, hf->hf.hs_server_keyex_g, tvb,
12217 offset + 2, g_len, ENC_NA0x00000000);
12218 offset += 2 + g_len;
12219
12220 /* Ys */
12221 ys_len = tvb_get_ntohs(tvb, offset);
12222 proto_tree_add_uint(ssl_dh_tree, hf->hf.hs_server_keyex_ys_len, tvb,
12223 offset, 2, ys_len);
12224 proto_tree_add_item(ssl_dh_tree, hf->hf.hs_server_keyex_ys, tvb,
12225 offset + 2, ys_len, ENC_NA0x00000000);
12226 offset += 2 + ys_len;
12227
12228 /* Signature (if non-anonymous KEX) */
12229 if (!anon) {
12230 dissect_ssl3_hnd_srv_keyex_sig(hf, tvb, pinfo, ssl_dh_tree, offset, offset_end, version);
12231 }
12232}
12233
12234/* Only used in RSA-EXPORT cipher suites */
12235static void
12236dissect_ssl3_hnd_srv_keyex_rsa(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12237 proto_tree *tree, uint32_t offset, uint32_t offset_end,
12238 uint16_t version)
12239{
12240 int modulus_len, exponent_len;
12241 proto_tree *ssl_rsa_tree;
12242
12243 ssl_rsa_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
12244 hf->ett.keyex_params, NULL((void*)0), "RSA-EXPORT Server Params");
12245
12246 /* modulus */
12247 modulus_len = tvb_get_ntohs(tvb, offset);
12248 proto_tree_add_item(ssl_rsa_tree, hf->hf.hs_server_keyex_modulus_len, tvb,
12249 offset, 2, ENC_BIG_ENDIAN0x00000000);
12250 proto_tree_add_item(ssl_rsa_tree, hf->hf.hs_server_keyex_modulus, tvb,
12251 offset + 2, modulus_len, ENC_NA0x00000000);
12252 offset += 2 + modulus_len;
12253
12254 /* exponent */
12255 exponent_len = tvb_get_ntohs(tvb, offset);
12256 proto_tree_add_item(ssl_rsa_tree, hf->hf.hs_server_keyex_exponent_len,
12257 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
12258 proto_tree_add_item(ssl_rsa_tree, hf->hf.hs_server_keyex_exponent,
12259 tvb, offset + 2, exponent_len, ENC_NA0x00000000);
12260 offset += 2 + exponent_len;
12261
12262 /* Signature */
12263 dissect_ssl3_hnd_srv_keyex_sig(hf, tvb, pinfo, ssl_rsa_tree, offset, offset_end, version);
12264}
12265
12266/* Used in RSA PSK and PSK cipher suites */
12267static uint32_t
12268dissect_ssl3_hnd_srv_keyex_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12269 proto_tree *tree, uint32_t offset)
12270{
12271 unsigned hint_len;
12272 proto_tree *ssl_psk_tree;
12273
12274 ssl_psk_tree = proto_tree_add_subtree(tree, tvb, offset, -1,
12275 hf->ett.keyex_params, NULL((void*)0), "PSK Server Params");
12276
12277 /* hint */
12278 hint_len = tvb_get_ntohs(tvb, offset);
12279 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_server_keyex_hint_len, tvb,
12280 offset, 2, ENC_BIG_ENDIAN0x00000000);
12281 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_server_keyex_hint, tvb,
12282 offset + 2, hint_len, ENC_NA0x00000000);
12283
12284 proto_item_set_len(ssl_psk_tree, 2 + hint_len);
12285 return 2 + hint_len;
12286}
12287
12288/* Used in Diffie-Hellman PSK cipher suites */
12289static void
12290dissect_ssl3_hnd_srv_keyex_dhe_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12291 proto_tree *tree, uint32_t offset, uint32_t offset_end)
12292{
12293 /*
12294 * struct {
12295 * select (KeyExchangeAlgorithm) {
12296 * case diffie_hellman_psk:
12297 * opaque psk_identity_hint<0..2^16-1>;
12298 * ServerDHParams params;
12299 * };
12300 * } ServerKeyExchange;
12301 */
12302
12303 uint32_t psk_len = dissect_ssl3_hnd_srv_keyex_psk(hf, tvb, tree, offset);
12304 dissect_ssl3_hnd_srv_keyex_dhe(hf, tvb, pinfo, tree, offset + psk_len, offset_end, 0, true1);
12305}
12306
12307/* Used in EC Diffie-Hellman PSK cipher suites */
12308static void
12309dissect_ssl3_hnd_srv_keyex_ecdh_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12310 proto_tree *tree, uint32_t offset, uint32_t offset_end)
12311{
12312 /*
12313 * struct {
12314 * select (KeyExchangeAlgorithm) {
12315 * case ec_diffie_hellman_psk:
12316 * opaque psk_identity_hint<0..2^16-1>;
12317 * ServerECDHParams params;
12318 * };
12319 * } ServerKeyExchange;
12320 */
12321
12322 uint32_t psk_len = dissect_ssl3_hnd_srv_keyex_psk(hf, tvb, tree, offset);
12323 dissect_ssl3_hnd_srv_keyex_ecdh(hf, tvb, pinfo, tree, offset + psk_len, offset_end, 0, true1);
12324}
12325
12326/* Used in EC J-PAKE cipher suites */
12327static void
12328dissect_ssl3_hnd_srv_keyex_ecjpake(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12329 proto_tree *tree, uint32_t offset, uint32_t offset_end)
12330{
12331 /*
12332 * struct {
12333 * ECPoint V;
12334 * opaque r<1..2^8-1>;
12335 * } ECSchnorrZKP;
12336 *
12337 * struct {
12338 * ECPoint X;
12339 * ECSchnorrZKP zkp;
12340 * } ECJPAKEKeyKP;
12341 *
12342 * struct {
12343 * ECParameters curve_params;
12344 * ECJPAKEKeyKP ecjpake_key_kp;
12345 * } ServerECJPAKEParams;
12346 *
12347 * select (KeyExchangeAlgorithm) {
12348 * case ecjpake:
12349 * ServerECJPAKEParams params;
12350 * } ServerKeyExchange;
12351 */
12352
12353 int point_len;
12354 proto_tree *ssl_ecjpake_tree;
12355
12356 ssl_ecjpake_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
12357 hf->ett.keyex_params, NULL((void*)0),
12358 "EC J-PAKE Server Params");
12359
12360 offset = dissect_tls_ecparameters(hf, tvb, ssl_ecjpake_tree, offset, offset_end);
12361 if (offset >= offset_end)
12362 return; /* only named_curves are supported */
12363
12364 /* ECJPAKEKeyKP.X */
12365 point_len = tvb_get_uint8(tvb, offset);
12366 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_server_keyex_xs_len, tvb,
12367 offset, 1, ENC_BIG_ENDIAN0x00000000);
12368 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_server_keyex_xs, tvb,
12369 offset + 1, point_len, ENC_NA0x00000000);
12370 offset += 1 + point_len;
12371
12372 /* ECJPAKEKeyKP.zkp.V */
12373 point_len = tvb_get_uint8(tvb, offset);
12374 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_server_keyex_vs_len, tvb,
12375 offset, 1, ENC_BIG_ENDIAN0x00000000);
12376 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_server_keyex_vs, tvb,
12377 offset + 1, point_len, ENC_NA0x00000000);
12378 offset += 1 + point_len;
12379
12380 /* ECJPAKEKeyKP.zkp.r */
12381 point_len = tvb_get_uint8(tvb, offset);
12382 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_server_keyex_rs_len, tvb,
12383 offset, 1, ENC_BIG_ENDIAN0x00000000);
12384 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_server_keyex_rs, tvb,
12385 offset + 1, point_len, ENC_NA0x00000000);
12386}
12387
12388/* Only used in ECC-SM2-EXPORT cipher suites */
12389static void
12390dissect_ssl3_hnd_srv_keyex_ecc_sm2(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12391 proto_tree *tree, uint32_t offset, uint32_t offset_end,
12392 uint16_t version)
12393{
12394 proto_tree *ssl_ecc_sm2_tree;
12395
12396 ssl_ecc_sm2_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
12397 hf->ett.keyex_params, NULL((void*)0), "ECC-SM2-EXPORT Server Params");
12398
12399 /* Signature */
12400 dissect_ssl3_hnd_srv_keyex_sig(hf, tvb, pinfo, ssl_ecc_sm2_tree, offset, offset_end, version);
12401}
12402/* ServerKeyExchange algo-specific dissectors. }}} */
12403
12404/* Client Key Exchange and Server Key Exchange handshake dissections. {{{ */
12405void
12406ssl_dissect_hnd_cli_keyex(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12407 proto_tree *tree, uint32_t offset, uint32_t length,
12408 const SslSession *session)
12409{
12410 switch (ssl_get_keyex_alg(session->cipher)) {
12411 case KEX_DH_ANON0x13: /* RFC 5246; DHE_DSS, DHE_RSA, DH_DSS, DH_RSA, DH_ANON: ClientDiffieHellmanPublic */
12412 case KEX_DH_DSS0x14:
12413 case KEX_DH_RSA0x15:
12414 case KEX_DHE_DSS0x10:
12415 case KEX_DHE_RSA0x12:
12416 dissect_ssl3_hnd_cli_keyex_dhe(hf, tvb, tree, offset, length);
12417 break;
12418 case KEX_DHE_PSK0x11: /* RFC 4279; diffie_hellman_psk: psk_identity, ClientDiffieHellmanPublic */
12419 dissect_ssl3_hnd_cli_keyex_dhe_psk(hf, tvb, tree, offset, length);
12420 break;
12421 case KEX_ECDH_ANON0x19: /* RFC 4492; ec_diffie_hellman: ClientECDiffieHellmanPublic */
12422 case KEX_ECDH_ECDSA0x1a:
12423 case KEX_ECDH_RSA0x1b:
12424 case KEX_ECDHE_ECDSA0x16:
12425 case KEX_ECDHE_RSA0x18:
12426 dissect_ssl3_hnd_cli_keyex_ecdh(hf, tvb, tree, offset, length);
12427 break;
12428 case KEX_ECDHE_PSK0x17: /* RFC 5489; ec_diffie_hellman_psk: psk_identity, ClientECDiffieHellmanPublic */
12429 dissect_ssl3_hnd_cli_keyex_ecdh_psk(hf, tvb, tree, offset, length);
12430 break;
12431 case KEX_KRB50x1c: /* RFC 2712; krb5: KerberosWrapper */
12432 /* XXX: implement support for KRB5 */
12433 proto_tree_add_expert_format(tree, NULL((void*)0), &hf->ei.hs_ciphersuite_undecoded,
12434 tvb, offset, length,
12435 "Kerberos ciphersuites (RFC 2712) are not implemented, contact Wireshark"
12436 " developers if you want them to be supported");
12437 break;
12438 case KEX_PSK0x1d: /* RFC 4279; psk: psk_identity */
12439 dissect_ssl3_hnd_cli_keyex_psk(hf, tvb, tree, offset);
12440 break;
12441 case KEX_RSA0x1e: /* RFC 5246; rsa: EncryptedPreMasterSecret */
12442 dissect_ssl3_hnd_cli_keyex_rsa(hf, tvb, tree, offset, length, session);
12443 break;
12444 case KEX_RSA_PSK0x1f: /* RFC 4279; rsa_psk: psk_identity, EncryptedPreMasterSecret */
12445 dissect_ssl3_hnd_cli_keyex_rsa_psk(hf, tvb, tree, offset, length);
12446 break;
12447 case KEX_SRP_SHA0x20: /* RFC 5054; srp: ClientSRPPublic */
12448 case KEX_SRP_SHA_DSS0x21:
12449 case KEX_SRP_SHA_RSA0x22:
12450 /* XXX: implement support for SRP_SHA* */
12451 proto_tree_add_expert_format(tree, NULL((void*)0), &hf->ei.hs_ciphersuite_undecoded,
12452 tvb, offset, length,
12453 "SRP_SHA ciphersuites (RFC 5054) are not implemented, contact Wireshark"
12454 " developers if you want them to be supported");
12455 break;
12456 case KEX_ECJPAKE0x24: /* https://tools.ietf.org/html/draft-cragie-tls-ecjpake-01 used in Thread Commissioning */
12457 dissect_ssl3_hnd_cli_keyex_ecjpake(hf, tvb, tree, offset, length);
12458 break;
12459 case KEX_ECC_SM20x26: /* GB/T 38636 */
12460 dissect_ssl3_hnd_cli_keyex_ecc_sm2(hf, tvb, tree, offset, length);
12461 break;
12462 default:
12463 proto_tree_add_expert(tree, NULL((void*)0), &hf->ei.hs_ciphersuite_undecoded,
12464 tvb, offset, length);
12465 break;
12466 }
12467}
12468
12469void
12470ssl_dissect_hnd_srv_keyex(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12471 proto_tree *tree, uint32_t offset, uint32_t offset_end,
12472 const SslSession *session)
12473{
12474 switch (ssl_get_keyex_alg(session->cipher)) {
12475 case KEX_DH_ANON0x13: /* RFC 5246; ServerDHParams */
12476 dissect_ssl3_hnd_srv_keyex_dhe(hf, tvb, pinfo, tree, offset, offset_end, session->version, true1);
12477 break;
12478 case KEX_DH_DSS0x14: /* RFC 5246; not allowed */
12479 case KEX_DH_RSA0x15:
12480 proto_tree_add_expert(tree, NULL((void*)0), &hf->ei.hs_srv_keyex_illegal,
12481 tvb, offset, offset_end - offset);
12482 break;
12483 case KEX_DHE_DSS0x10: /* RFC 5246; dhe_dss, dhe_rsa: ServerDHParams, Signature */
12484 case KEX_DHE_RSA0x12:
12485 dissect_ssl3_hnd_srv_keyex_dhe(hf, tvb, pinfo, tree, offset, offset_end, session->version, false0);
12486 break;
12487 case KEX_DHE_PSK0x11: /* RFC 4279; diffie_hellman_psk: psk_identity_hint, ServerDHParams */
12488 dissect_ssl3_hnd_srv_keyex_dhe_psk(hf, tvb, pinfo, tree, offset, offset_end);
12489 break;
12490 case KEX_ECDH_ANON0x19: /* RFC 4492; ec_diffie_hellman: ServerECDHParams (without signature for anon) */
12491 dissect_ssl3_hnd_srv_keyex_ecdh(hf, tvb, pinfo, tree, offset, offset_end, session->version, true1);
12492 break;
12493 case KEX_ECDHE_PSK0x17: /* RFC 5489; psk_identity_hint, ServerECDHParams */
12494 dissect_ssl3_hnd_srv_keyex_ecdh_psk(hf, tvb, pinfo, tree, offset, offset_end);
12495 break;
12496 case KEX_ECDH_ECDSA0x1a: /* RFC 4492; ec_diffie_hellman: ServerECDHParams, Signature */
12497 case KEX_ECDH_RSA0x1b:
12498 case KEX_ECDHE_ECDSA0x16:
12499 case KEX_ECDHE_RSA0x18:
12500 dissect_ssl3_hnd_srv_keyex_ecdh(hf, tvb, pinfo, tree, offset, offset_end, session->version, false0);
12501 break;
12502 case KEX_KRB50x1c: /* RFC 2712; not allowed */
12503 proto_tree_add_expert(tree, NULL((void*)0), &hf->ei.hs_srv_keyex_illegal,
12504 tvb, offset, offset_end - offset);
12505 break;
12506 case KEX_PSK0x1d: /* RFC 4279; psk, rsa: psk_identity */
12507 case KEX_RSA_PSK0x1f:
12508 dissect_ssl3_hnd_srv_keyex_psk(hf, tvb, tree, offset);
12509 break;
12510 case KEX_RSA0x1e: /* only allowed if the public key in the server certificate is longer than 512 bits */
12511 dissect_ssl3_hnd_srv_keyex_rsa(hf, tvb, pinfo, tree, offset, offset_end, session->version);
12512 break;
12513 case KEX_ECC_SM20x26: /* GB/T 38636 */
12514 dissect_ssl3_hnd_srv_keyex_ecc_sm2(hf, tvb, pinfo, tree, offset, offset_end, session->version);
12515 break;
12516 case KEX_SRP_SHA0x20: /* RFC 5054; srp: ServerSRPParams, Signature */
12517 case KEX_SRP_SHA_DSS0x21:
12518 case KEX_SRP_SHA_RSA0x22:
12519 /* XXX: implement support for SRP_SHA* */
12520 proto_tree_add_expert_format(tree, NULL((void*)0), &hf->ei.hs_ciphersuite_undecoded,
12521 tvb, offset, offset_end - offset,
12522 "SRP_SHA ciphersuites (RFC 5054) are not implemented, contact Wireshark"
12523 " developers if you want them to be supported");
12524 break;
12525 case KEX_ECJPAKE0x24: /* https://tools.ietf.org/html/draft-cragie-tls-ecjpake-01 used in Thread Commissioning */
12526 dissect_ssl3_hnd_srv_keyex_ecjpake(hf, tvb, tree, offset, offset_end);
12527 break;
12528 default:
12529 proto_tree_add_expert(tree, NULL((void*)0), &hf->ei.hs_ciphersuite_undecoded,
12530 tvb, offset, offset_end - offset);
12531 break;
12532 }
12533}
12534/* Client Key Exchange and Server Key Exchange handshake dissections. }}} */
12535
12536void
12537tls13_dissect_hnd_key_update(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12538 proto_tree *tree, uint32_t offset)
12539{
12540 /* RFC 8446 Section 4.6.3
12541 * enum {
12542 * update_not_requested(0), update_requested(1), (255)
12543 * } KeyUpdateRequest;
12544 *
12545 * struct {
12546 * KeyUpdateRequest request_update;
12547 * } KeyUpdate;
12548 */
12549 proto_tree_add_item(tree, hf->hf.hs_key_update_request_update, tvb, offset, 1, ENC_NA0x00000000);
12550}
12551
12552void
12553ssl_common_register_ssl_alpn_dissector_table(const char *name,
12554 const char *ui_name, const int proto)
12555{
12556 ssl_alpn_dissector_table = register_dissector_table(name, ui_name,
12557 proto, FT_STRING, STRING_CASE_SENSITIVE0);
12558 register_dissector_table_alias(ssl_alpn_dissector_table, "ssl.handshake.extensions_alpn_str");
12559}
12560
12561void
12562ssl_common_register_dtls_alpn_dissector_table(const char *name,
12563 const char *ui_name, const int proto)
12564{
12565 dtls_alpn_dissector_table = register_dissector_table(name, ui_name,
12566 proto, FT_STRING, STRING_CASE_SENSITIVE0);
12567 register_dissector_table_alias(ssl_alpn_dissector_table, "dtls.handshake.extensions_alpn_str");
12568}
12569
12570void
12571ssl_common_register_options(module_t *module, ssl_common_options_t *options, bool_Bool is_dtls)
12572{
12573 prefs_register_string_preference(module, "psk", "Pre-Shared Key",
12574 "Pre-Shared Key as HEX string. Should be 0 to 16 bytes.",
12575 &(options->psk));
12576
12577 if (is_dtls) {
12578 prefs_register_obsolete_preference(module, "keylog_file");
12579 prefs_register_static_text_preference(module, "keylog_file_removed",
12580 "The (Pre)-Master-Secret log filename preference can be configured in the TLS protocol preferences.",
12581 "Use the TLS protocol preference to configure the keylog file for both DTLS and TLS.");
12582 return;
12583 }
12584
12585 prefs_register_filename_preference(module, "keylog_file", "(Pre)-Master-Secret log filename",
12586 "The name of a file which contains a list of \n"
12587 "(pre-)master secrets in one of the following formats:\n"
12588 "\n"
12589 "RSA <EPMS> <PMS>\n"
12590 "RSA Session-ID:<SSLID> Master-Key:<MS>\n"
12591 "CLIENT_RANDOM <CRAND> <MS>\n"
12592 "PMS_CLIENT_RANDOM <CRAND> <PMS>\n"
12593 "\n"
12594 "Where:\n"
12595 "<EPMS> = First 8 bytes of the Encrypted PMS\n"
12596 "<PMS> = The Pre-Master-Secret (PMS) used to derive the MS\n"
12597 "<SSLID> = The SSL Session ID\n"
12598 "<MS> = The Master-Secret (MS)\n"
12599 "<CRAND> = The Client's random number from the ClientHello message\n"
12600 "\n"
12601 "(All fields are in hex notation)",
12602 &(options->keylog_filename), false0);
12603}
12604
12605void
12606ssl_calculate_handshake_hash(SslDecryptSession *ssl_session, tvbuff_t *tvb, uint32_t offset, uint32_t length)
12607{
12608 if (ssl_session && ssl_session->session.version != TLSV1DOT3_VERSION0x304 && !(ssl_session->state & SSL_MASTER_SECRET(1<<5))) {
12609 uint32_t old_length = ssl_session->handshake_data.data_len;
12610 ssl_debug_printf("Calculating hash with offset %d %d\n", offset, length);
12611 if (tvb) {
12612 if (tvb_bytes_exist(tvb, offset, length)) {
12613 ssl_session->handshake_data.data = (unsigned char *)wmem_realloc(wmem_file_scope(), ssl_session->handshake_data.data, old_length + length);
12614 tvb_memcpy(tvb, ssl_session->handshake_data.data + old_length, offset, length);
12615 ssl_session->handshake_data.data_len += length;
12616 }
12617 } else {
12618 /* DTLS calculates the hash as if each handshake message had been
12619 * sent as a single fragment (RFC 6347, section 4.2.6) and passes
12620 * in a null tvbuff to add 3 bytes for a zero fragment offset.
12621 */
12622 DISSECTOR_ASSERT_CMPINT(length, <, 4)((void) ((length < 4) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion " "length" " " "<" " " "4" " (" "%"
"l" "d" " " "<" " " "%" "l" "d" ")", "epan/dissectors/packet-tls-utils.c"
, 12622, (int64_t)length, (int64_t)4))));
12623 ssl_session->handshake_data.data = (unsigned char *)wmem_realloc(wmem_file_scope(), ssl_session->handshake_data.data, old_length + length);
12624 memset(ssl_session->handshake_data.data + old_length, 0, length);
12625 ssl_session->handshake_data.data_len += length;
12626 }
12627 }
12628}
12629
12630
12631/*
12632 * Editor modelines - https://www.wireshark.org/tools/modelines.html
12633 *
12634 * Local variables:
12635 * c-basic-offset: 4
12636 * tab-width: 8
12637 * indent-tabs-mode: nil
12638 * End:
12639 *
12640 * vi: set shiftwidth=4 tabstop=8 expandtab:
12641 * :indentSize=4:tabSize=8:noTabs=true:
12642 */