Bug Summary

File:builds/wireshark/wireshark/epan/dissectors/packet-tls-utils.c
Warning:line 4749, column 17
Potential leak of memory pointed to by 'handshake_hashed_data.data'

Annotated Source Code

Press '?' to see keyboard shortcuts

clang -cc1 -cc1 -triple x86_64-pc-linux-gnu -analyze -disable-free -clear-ast-before-backend -disable-llvm-verifier -discard-value-names -main-file-name packet-tls-utils.c -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -mrelocation-model pic -pic-level 2 -fhalf-no-semantic-interposition -fno-delete-null-pointer-checks -mframe-pointer=all -relaxed-aliasing -fmath-errno -ffp-contract=on -fno-rounding-math -ffloat16-excess-precision=fast -fbfloat16-excess-precision=fast -mconstructor-aliases -funwind-tables=2 -target-cpu x86-64 -tune-cpu generic -debugger-tuning=gdb -fdebug-compilation-dir=/builds/wireshark/wireshark/build -fcoverage-compilation-dir=/builds/wireshark/wireshark/build -resource-dir /usr/lib/llvm-18/lib/clang/18 -isystem /usr/include/glib-2.0 -isystem /usr/lib/x86_64-linux-gnu/glib-2.0/include -isystem /usr/include/mit-krb5 -isystem /usr/include/libxml2 -isystem /builds/wireshark/wireshark/build/epan/dissectors -isystem /builds/wireshark/wireshark/epan/dissectors -isystem /builds/wireshark/wireshark/epan -D G_DISABLE_DEPRECATED -D G_DISABLE_SINGLE_INCLUDES -D WS_BUILD_DLL -D WS_DEBUG -D WS_DEBUG_UTF_8 -I /builds/wireshark/wireshark/build -I /builds/wireshark/wireshark -I /builds/wireshark/wireshark/include -D _GLIBCXX_ASSERTIONS -internal-isystem /usr/lib/llvm-18/lib/clang/18/include -internal-isystem /usr/local/include -internal-isystem /usr/lib/gcc/x86_64-linux-gnu/14/../../../../x86_64-linux-gnu/include -internal-externc-isystem /usr/include/x86_64-linux-gnu -internal-externc-isystem /include -internal-externc-isystem /usr/include -fmacro-prefix-map=/builds/wireshark/wireshark/= -fmacro-prefix-map=/builds/wireshark/wireshark/build/= -fmacro-prefix-map=../= -Wno-format-truncation -Wno-format-nonliteral -Wno-pointer-sign -std=gnu11 -ferror-limit 19 -fvisibility=hidden -fwrapv -fstrict-flex-arrays=3 -stack-protector 2 -fstack-clash-protection -fcf-protection=full -fgnuc-version=4.2.1 -fskip-odr-check-in-gmf -fexceptions -fcolor-diagnostics -analyzer-output=html -dwarf-debug-flags /usr/lib/llvm-18/bin/clang -### --analyze -x c -D G_DISABLE_DEPRECATED -D G_DISABLE_SINGLE_INCLUDES -D WS_BUILD_DLL -D WS_DEBUG -D WS_DEBUG_UTF_8 -I /builds/wireshark/wireshark/build -I /builds/wireshark/wireshark -I /builds/wireshark/wireshark/include -isystem /usr/include/glib-2.0 -isystem /usr/lib/x86_64-linux-gnu/glib-2.0/include -isystem /usr/include/mit-krb5 -isystem /usr/include/libxml2 -isystem /builds/wireshark/wireshark/build/epan/dissectors -isystem /builds/wireshark/wireshark/epan/dissectors -isystem /builds/wireshark/wireshark/epan -fvisibility=hidden -fexcess-precision=fast -fstrict-flex-arrays=3 -fstack-clash-protection -fcf-protection=full -D _GLIBCXX_ASSERTIONS -fstack-protector-strong -fno-delete-null-pointer-checks -fno-strict-overflow -fno-strict-aliasing -fexceptions -Wno-format-truncation -Wno-format-nonliteral -fdiagnostics-color=always -Wno-pointer-sign -fmacro-prefix-map=/builds/wireshark/wireshark/= -fmacro-prefix-map=/builds/wireshark/wireshark/build/= -fmacro-prefix-map=../= -std=gnu11 -fPIC /builds/wireshark/wireshark/epan/dissectors/packet-tls-utils.c -o /builds/wireshark/wireshark/sbout/2025-01-03-100300-3868-1 -Xclang -analyzer-output=html -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /builds/wireshark/wireshark/sbout/2025-01-03-100300-3868-1 -x c /builds/wireshark/wireshark/epan/dissectors/packet-tls-utils.c
1/* packet-tls-utils.c
2 * ssl manipulation functions
3 * By Paolo Abeni <[email protected]>
4 *
5 * Copyright (c) 2013, Hauke Mehrtens <[email protected]>
6 * Copyright (c) 2014, Peter Wu <[email protected]>
7 *
8 * Wireshark - Network traffic analyzer
9 * By Gerald Combs <[email protected]>
10 * Copyright 1998 Gerald Combs
11 *
12 * SPDX-License-Identifier: GPL-2.0-or-later
13 */
14
15#include "config.h"
16
17#if defined(HAVE_ZLIB1) && !defined(HAVE_ZLIBNG)
18#define ZLIB_CONST
19#define ZLIB_PREFIX(x)x x
20#include <zlib.h>
21typedef z_stream zlib_stream;
22#endif /* HAVE_ZLIB */
23
24#ifdef HAVE_ZLIBNG
25#define ZLIB_PREFIX(x)x zng_ ## x
26#include <zlib-ng.h>
27typedef zng_stream zlib_stream;
28#endif /* HAVE_ZLIBNG */
29
30#include <stdlib.h>
31#include <errno(*__errno_location ()).h>
32
33#include <epan/packet.h>
34#include <epan/strutil.h>
35#include <epan/addr_resolv.h>
36#include <epan/expert.h>
37#include <epan/asn1.h>
38#include <epan/proto_data.h>
39#include <epan/oids.h>
40#include <epan/secrets.h>
41
42#include <wsutil/inet_cidr.h>
43#include <wsutil/filesystem.h>
44#include <wsutil/file_util.h>
45#include <wsutil/str_util.h>
46#include <wsutil/report_message.h>
47#include <wsutil/pint.h>
48#include <wsutil/strtoi.h>
49#include <wsutil/wsgcrypt.h>
50#include <wsutil/rsa.h>
51#include <wsutil/ws_assert.h>
52#include "packet-ber.h"
53#include "packet-x509af.h"
54#include "packet-x509if.h"
55#include "packet-tls-utils.h"
56#include "packet-ocsp.h"
57#include "packet-tls.h"
58#include "packet-dtls.h"
59#include "packet-quic.h"
60#if defined(HAVE_LIBGNUTLS1)
61#include <gnutls/abstract.h>
62#endif
63
64/* JA3/JA3S calculations must ignore GREASE values
65 * as described in RFC 8701.
66 */
67#define IS_GREASE_TLS(x)((((x) & 0x0f0f) == 0x0a0a) && (((x) & 0xff) ==
(((x)>>8) & 0xff))) ((((x) & 0x0f0f) == 0x0a0a) && \
68 (((x) & 0xff) == (((x)>>8) & 0xff)))
69
70/* Section 22.3 of RFC 9000 (QUIC) reserves values of this
71 * form for a similar purpose as GREASE.
72 */
73#define IS_GREASE_QUIC(x)((x) > 27 ? ((((x) - 27) % 31) == 0) : 0) ((x) > 27 ? ((((x) - 27) % 31) == 0) : 0)
74
75#define DTLS13_MAX_EPOCH10 10
76
77/* Lookup tables {{{ */
78const value_string ssl_version_short_names[] = {
79 { SSLV2_VERSION0x0002, "SSLv2" },
80 { SSLV3_VERSION0x300, "SSLv3" },
81 { TLSV1_VERSION0x301, "TLSv1" },
82 { TLCPV1_VERSION0x101, "TLCP" },
83 { TLSV1DOT1_VERSION0x302, "TLSv1.1" },
84 { TLSV1DOT2_VERSION0x303, "TLSv1.2" },
85 { TLSV1DOT3_VERSION0x304, "TLSv1.3" },
86 { DTLSV1DOT0_VERSION0xfeff, "DTLSv1.0" },
87 { DTLSV1DOT2_VERSION0xfefd, "DTLSv1.2" },
88 { DTLSV1DOT3_VERSION0xfefc, "DTLSv1.3" },
89 { DTLSV1DOT0_OPENSSL_VERSION0x100, "DTLS 1.0 (OpenSSL pre 0.9.8f)" },
90 { 0x00, NULL((void*)0) }
91};
92
93const value_string ssl_versions[] = {
94 { SSLV2_VERSION0x0002, "SSL 2.0" },
95 { SSLV3_VERSION0x300, "SSL 3.0" },
96 { TLSV1_VERSION0x301, "TLS 1.0" },
97 { TLCPV1_VERSION0x101, "TLCP" },
98 { TLSV1DOT1_VERSION0x302, "TLS 1.1" },
99 { TLSV1DOT2_VERSION0x303, "TLS 1.2" },
100 { TLSV1DOT3_VERSION0x304, "TLS 1.3" },
101 { 0x7F0E, "TLS 1.3 (draft 14)" },
102 { 0x7F0F, "TLS 1.3 (draft 15)" },
103 { 0x7F10, "TLS 1.3 (draft 16)" },
104 { 0x7F11, "TLS 1.3 (draft 17)" },
105 { 0x7F12, "TLS 1.3 (draft 18)" },
106 { 0x7F13, "TLS 1.3 (draft 19)" },
107 { 0x7F14, "TLS 1.3 (draft 20)" },
108 { 0x7F15, "TLS 1.3 (draft 21)" },
109 { 0x7F16, "TLS 1.3 (draft 22)" },
110 { 0x7F17, "TLS 1.3 (draft 23)" },
111 { 0x7F18, "TLS 1.3 (draft 24)" },
112 { 0x7F19, "TLS 1.3 (draft 25)" },
113 { 0x7F1A, "TLS 1.3 (draft 26)" },
114 { 0x7F1B, "TLS 1.3 (draft 27)" },
115 { 0x7F1C, "TLS 1.3 (draft 28)" },
116 { 0xFB17, "TLS 1.3 (Facebook draft 23)" },
117 { 0xFB1A, "TLS 1.3 (Facebook draft 26)" },
118 { DTLSV1DOT0_OPENSSL_VERSION0x100, "DTLS 1.0 (OpenSSL pre 0.9.8f)" },
119 { DTLSV1DOT0_VERSION0xfeff, "DTLS 1.0" },
120 { DTLSV1DOT2_VERSION0xfefd, "DTLS 1.2" },
121 { DTLSV1DOT3_VERSION0xfefc, "DTLS 1.3" },
122 { 0x0A0A, "Reserved (GREASE)" }, /* RFC 8701 */
123 { 0x1A1A, "Reserved (GREASE)" }, /* RFC 8701 */
124 { 0x2A2A, "Reserved (GREASE)" }, /* RFC 8701 */
125 { 0x3A3A, "Reserved (GREASE)" }, /* RFC 8701 */
126 { 0x4A4A, "Reserved (GREASE)" }, /* RFC 8701 */
127 { 0x5A5A, "Reserved (GREASE)" }, /* RFC 8701 */
128 { 0x6A6A, "Reserved (GREASE)" }, /* RFC 8701 */
129 { 0x7A7A, "Reserved (GREASE)" }, /* RFC 8701 */
130 { 0x8A8A, "Reserved (GREASE)" }, /* RFC 8701 */
131 { 0x9A9A, "Reserved (GREASE)" }, /* RFC 8701 */
132 { 0xAAAA, "Reserved (GREASE)" }, /* RFC 8701 */
133 { 0xBABA, "Reserved (GREASE)" }, /* RFC 8701 */
134 { 0xCACA, "Reserved (GREASE)" }, /* RFC 8701 */
135 { 0xDADA, "Reserved (GREASE)" }, /* RFC 8701 */
136 { 0xEAEA, "Reserved (GREASE)" }, /* RFC 8701 */
137 { 0xFAFA, "Reserved (GREASE)" }, /* RFC 8701 */
138 { 0x00, NULL((void*)0) }
139};
140
141static const value_string ssl_version_ja4_names[] = {
142 { 0x0100, "s1" },
143 { SSLV2_VERSION0x0002, "s2" },
144 { SSLV3_VERSION0x300, "s3" },
145 { TLSV1_VERSION0x301, "10" },
146 { TLSV1DOT1_VERSION0x302, "11" },
147 { TLSV1DOT2_VERSION0x303, "12" },
148 { TLSV1DOT3_VERSION0x304, "13" },
149 { DTLSV1DOT0_VERSION0xfeff, "d1" },
150 { DTLSV1DOT2_VERSION0xfefd, "d2" },
151 { DTLSV1DOT3_VERSION0xfefc, "d3" },
152 { 0x00, NULL((void*)0) }
153};
154
155const value_string ssl_20_msg_types[] = {
156 { SSL2_HND_ERROR0x00, "Error" },
157 { SSL2_HND_CLIENT_HELLO0x01, "Client Hello" },
158 { SSL2_HND_CLIENT_MASTER_KEY0x02, "Client Master Key" },
159 { SSL2_HND_CLIENT_FINISHED0x03, "Client Finished" },
160 { SSL2_HND_SERVER_HELLO0x04, "Server Hello" },
161 { SSL2_HND_SERVER_VERIFY0x05, "Server Verify" },
162 { SSL2_HND_SERVER_FINISHED0x06, "Server Finished" },
163 { SSL2_HND_REQUEST_CERTIFICATE0x07, "Request Certificate" },
164 { SSL2_HND_CLIENT_CERTIFICATE0x08, "Client Certificate" },
165 { 0x00, NULL((void*)0) }
166};
167/* http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml */
168/* Note: sorted by ascending value so value_string-ext can do a binary search */
169static const value_string ssl_20_cipher_suites[] = {
170 { 0x000000, "TLS_NULL_WITH_NULL_NULL" },
171 { 0x000001, "TLS_RSA_WITH_NULL_MD5" },
172 { 0x000002, "TLS_RSA_WITH_NULL_SHA" },
173 { 0x000003, "TLS_RSA_EXPORT_WITH_RC4_40_MD5" },
174 { 0x000004, "TLS_RSA_WITH_RC4_128_MD5" },
175 { 0x000005, "TLS_RSA_WITH_RC4_128_SHA" },
176 { 0x000006, "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5" },
177 { 0x000007, "TLS_RSA_WITH_IDEA_CBC_SHA" },
178 { 0x000008, "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA" },
179 { 0x000009, "TLS_RSA_WITH_DES_CBC_SHA" },
180 { 0x00000a, "TLS_RSA_WITH_3DES_EDE_CBC_SHA" },
181 { 0x00000b, "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA" },
182 { 0x00000c, "TLS_DH_DSS_WITH_DES_CBC_SHA" },
183 { 0x00000d, "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA" },
184 { 0x00000e, "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA" },
185 { 0x00000f, "TLS_DH_RSA_WITH_DES_CBC_SHA" },
186 { 0x000010, "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA" },
187 { 0x000011, "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA" },
188 { 0x000012, "TLS_DHE_DSS_WITH_DES_CBC_SHA" },
189 { 0x000013, "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA" },
190 { 0x000014, "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA" },
191 { 0x000015, "TLS_DHE_RSA_WITH_DES_CBC_SHA" },
192 { 0x000016, "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA" },
193 { 0x000017, "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5" },
194 { 0x000018, "TLS_DH_anon_WITH_RC4_128_MD5" },
195 { 0x000019, "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA" },
196 { 0x00001a, "TLS_DH_anon_WITH_DES_CBC_SHA" },
197 { 0x00001b, "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA" },
198 { 0x00001c, "SSL_FORTEZZA_KEA_WITH_NULL_SHA" },
199 { 0x00001d, "SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA" },
200#if 0
201 { 0x00001e, "SSL_FORTEZZA_KEA_WITH_RC4_128_SHA" },
202#endif
203 /* RFC 2712 */
204 { 0x00001E, "TLS_KRB5_WITH_DES_CBC_SHA" },
205 { 0x00001F, "TLS_KRB5_WITH_3DES_EDE_CBC_SHA" },
206 { 0x000020, "TLS_KRB5_WITH_RC4_128_SHA" },
207 { 0x000021, "TLS_KRB5_WITH_IDEA_CBC_SHA" },
208 { 0x000022, "TLS_KRB5_WITH_DES_CBC_MD5" },
209 { 0x000023, "TLS_KRB5_WITH_3DES_EDE_CBC_MD5" },
210 { 0x000024, "TLS_KRB5_WITH_RC4_128_MD5" },
211 { 0x000025, "TLS_KRB5_WITH_IDEA_CBC_MD5" },
212 { 0x000026, "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA" },
213 { 0x000027, "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA" },
214 { 0x000028, "TLS_KRB5_EXPORT_WITH_RC4_40_SHA" },
215 { 0x000029, "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5" },
216 { 0x00002A, "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5" },
217 { 0x00002B, "TLS_KRB5_EXPORT_WITH_RC4_40_MD5" },
218 /* RFC 4785 */
219 { 0x00002C, "TLS_PSK_WITH_NULL_SHA" },
220 { 0x00002D, "TLS_DHE_PSK_WITH_NULL_SHA" },
221 { 0x00002E, "TLS_RSA_PSK_WITH_NULL_SHA" },
222 /* RFC 5246 */
223 { 0x00002f, "TLS_RSA_WITH_AES_128_CBC_SHA" },
224 { 0x000030, "TLS_DH_DSS_WITH_AES_128_CBC_SHA" },
225 { 0x000031, "TLS_DH_RSA_WITH_AES_128_CBC_SHA" },
226 { 0x000032, "TLS_DHE_DSS_WITH_AES_128_CBC_SHA" },
227 { 0x000033, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA" },
228 { 0x000034, "TLS_DH_anon_WITH_AES_128_CBC_SHA" },
229 { 0x000035, "TLS_RSA_WITH_AES_256_CBC_SHA" },
230 { 0x000036, "TLS_DH_DSS_WITH_AES_256_CBC_SHA" },
231 { 0x000037, "TLS_DH_RSA_WITH_AES_256_CBC_SHA" },
232 { 0x000038, "TLS_DHE_DSS_WITH_AES_256_CBC_SHA" },
233 { 0x000039, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA" },
234 { 0x00003A, "TLS_DH_anon_WITH_AES_256_CBC_SHA" },
235 { 0x00003B, "TLS_RSA_WITH_NULL_SHA256" },
236 { 0x00003C, "TLS_RSA_WITH_AES_128_CBC_SHA256" },
237 { 0x00003D, "TLS_RSA_WITH_AES_256_CBC_SHA256" },
238 { 0x00003E, "TLS_DH_DSS_WITH_AES_128_CBC_SHA256" },
239 { 0x00003F, "TLS_DH_RSA_WITH_AES_128_CBC_SHA256" },
240 { 0x000040, "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256" },
241 { 0x000041, "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA" },
242 { 0x000042, "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA" },
243 { 0x000043, "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA" },
244 { 0x000044, "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA" },
245 { 0x000045, "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA" },
246 { 0x000046, "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA" },
247 { 0x000047, "TLS_ECDH_ECDSA_WITH_NULL_SHA" },
248 { 0x000048, "TLS_ECDH_ECDSA_WITH_RC4_128_SHA" },
249 { 0x000049, "TLS_ECDH_ECDSA_WITH_DES_CBC_SHA" },
250 { 0x00004A, "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA" },
251 { 0x00004B, "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA" },
252 { 0x00004C, "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" },
253 { 0x000060, "TLS_RSA_EXPORT1024_WITH_RC4_56_MD5" },
254 { 0x000061, "TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5" },
255 { 0x000062, "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA" },
256 { 0x000063, "TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA" },
257 { 0x000064, "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA" },
258 { 0x000065, "TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA" },
259 { 0x000066, "TLS_DHE_DSS_WITH_RC4_128_SHA" },
260 { 0x000067, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256" },
261 { 0x000068, "TLS_DH_DSS_WITH_AES_256_CBC_SHA256" },
262 { 0x000069, "TLS_DH_RSA_WITH_AES_256_CBC_SHA256" },
263 { 0x00006A, "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256" },
264 { 0x00006B, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256" },
265 { 0x00006C, "TLS_DH_anon_WITH_AES_128_CBC_SHA256" },
266 { 0x00006D, "TLS_DH_anon_WITH_AES_256_CBC_SHA256" },
267 /* 0x00,0x6E-83 Unassigned */
268 { 0x000084, "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA" },
269 { 0x000085, "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA" },
270 { 0x000086, "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA" },
271 { 0x000087, "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA" },
272 { 0x000088, "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA" },
273 { 0x000089, "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA" },
274 /* RFC 4279 */
275 { 0x00008A, "TLS_PSK_WITH_RC4_128_SHA" },
276 { 0x00008B, "TLS_PSK_WITH_3DES_EDE_CBC_SHA" },
277 { 0x00008C, "TLS_PSK_WITH_AES_128_CBC_SHA" },
278 { 0x00008D, "TLS_PSK_WITH_AES_256_CBC_SHA" },
279 { 0x00008E, "TLS_DHE_PSK_WITH_RC4_128_SHA" },
280 { 0x00008F, "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA" },
281 { 0x000090, "TLS_DHE_PSK_WITH_AES_128_CBC_SHA" },
282 { 0x000091, "TLS_DHE_PSK_WITH_AES_256_CBC_SHA" },
283 { 0x000092, "TLS_RSA_PSK_WITH_RC4_128_SHA" },
284 { 0x000093, "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA" },
285 { 0x000094, "TLS_RSA_PSK_WITH_AES_128_CBC_SHA" },
286 { 0x000095, "TLS_RSA_PSK_WITH_AES_256_CBC_SHA" },
287 /* RFC 4162 */
288 { 0x000096, "TLS_RSA_WITH_SEED_CBC_SHA" },
289 { 0x000097, "TLS_DH_DSS_WITH_SEED_CBC_SHA" },
290 { 0x000098, "TLS_DH_RSA_WITH_SEED_CBC_SHA" },
291 { 0x000099, "TLS_DHE_DSS_WITH_SEED_CBC_SHA" },
292 { 0x00009A, "TLS_DHE_RSA_WITH_SEED_CBC_SHA" },
293 { 0x00009B, "TLS_DH_anon_WITH_SEED_CBC_SHA" },
294 /* RFC 5288 */
295 { 0x00009C, "TLS_RSA_WITH_AES_128_GCM_SHA256" },
296 { 0x00009D, "TLS_RSA_WITH_AES_256_GCM_SHA384" },
297 { 0x00009E, "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256" },
298 { 0x00009F, "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384" },
299 { 0x0000A0, "TLS_DH_RSA_WITH_AES_128_GCM_SHA256" },
300 { 0x0000A1, "TLS_DH_RSA_WITH_AES_256_GCM_SHA384" },
301 { 0x0000A2, "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256" },
302 { 0x0000A3, "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384" },
303 { 0x0000A4, "TLS_DH_DSS_WITH_AES_128_GCM_SHA256" },
304 { 0x0000A5, "TLS_DH_DSS_WITH_AES_256_GCM_SHA384" },
305 { 0x0000A6, "TLS_DH_anon_WITH_AES_128_GCM_SHA256" },
306 { 0x0000A7, "TLS_DH_anon_WITH_AES_256_GCM_SHA384" },
307 /* RFC 5487 */
308 { 0x0000A8, "TLS_PSK_WITH_AES_128_GCM_SHA256" },
309 { 0x0000A9, "TLS_PSK_WITH_AES_256_GCM_SHA384" },
310 { 0x0000AA, "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256" },
311 { 0x0000AB, "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384" },
312 { 0x0000AC, "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256" },
313 { 0x0000AD, "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384" },
314 { 0x0000AE, "TLS_PSK_WITH_AES_128_CBC_SHA256" },
315 { 0x0000AF, "TLS_PSK_WITH_AES_256_CBC_SHA384" },
316 { 0x0000B0, "TLS_PSK_WITH_NULL_SHA256" },
317 { 0x0000B1, "TLS_PSK_WITH_NULL_SHA384" },
318 { 0x0000B2, "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256" },
319 { 0x0000B3, "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384" },
320 { 0x0000B4, "TLS_DHE_PSK_WITH_NULL_SHA256" },
321 { 0x0000B5, "TLS_DHE_PSK_WITH_NULL_SHA384" },
322 { 0x0000B6, "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256" },
323 { 0x0000B7, "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384" },
324 { 0x0000B8, "TLS_RSA_PSK_WITH_NULL_SHA256" },
325 { 0x0000B9, "TLS_RSA_PSK_WITH_NULL_SHA384" },
326 /* From RFC 5932 */
327 { 0x0000BA, "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
328 { 0x0000BB, "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256" },
329 { 0x0000BC, "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
330 { 0x0000BD, "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256" },
331 { 0x0000BE, "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
332 { 0x0000BF, "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256" },
333 { 0x0000C0, "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
334 { 0x0000C1, "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256" },
335 { 0x0000C2, "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
336 { 0x0000C3, "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256" },
337 { 0x0000C4, "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
338 { 0x0000C5, "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256" },
339 /* 0x00,0xC6-FE Unassigned */
340 { 0x0000FF, "TLS_EMPTY_RENEGOTIATION_INFO_SCSV" },
341 /* 0x01-BF,* Unassigned */
342 /* From RFC 4492 */
343 { 0x00c001, "TLS_ECDH_ECDSA_WITH_NULL_SHA" },
344 { 0x00c002, "TLS_ECDH_ECDSA_WITH_RC4_128_SHA" },
345 { 0x00c003, "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA" },
346 { 0x00c004, "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA" },
347 { 0x00c005, "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" },
348 { 0x00c006, "TLS_ECDHE_ECDSA_WITH_NULL_SHA" },
349 { 0x00c007, "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA" },
350 { 0x00c008, "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA" },
351 { 0x00c009, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA" },
352 { 0x00c00a, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" },
353 { 0x00c00b, "TLS_ECDH_RSA_WITH_NULL_SHA" },
354 { 0x00c00c, "TLS_ECDH_RSA_WITH_RC4_128_SHA" },
355 { 0x00c00d, "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA" },
356 { 0x00c00e, "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA" },
357 { 0x00c00f, "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA" },
358 { 0x00c010, "TLS_ECDHE_RSA_WITH_NULL_SHA" },
359 { 0x00c011, "TLS_ECDHE_RSA_WITH_RC4_128_SHA" },
360 { 0x00c012, "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA" },
361 { 0x00c013, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA" },
362 { 0x00c014, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA" },
363 { 0x00c015, "TLS_ECDH_anon_WITH_NULL_SHA" },
364 { 0x00c016, "TLS_ECDH_anon_WITH_RC4_128_SHA" },
365 { 0x00c017, "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA" },
366 { 0x00c018, "TLS_ECDH_anon_WITH_AES_128_CBC_SHA" },
367 { 0x00c019, "TLS_ECDH_anon_WITH_AES_256_CBC_SHA" },
368 /* RFC 5054 */
369 { 0x00C01A, "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA" },
370 { 0x00C01B, "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA" },
371 { 0x00C01C, "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA" },
372 { 0x00C01D, "TLS_SRP_SHA_WITH_AES_128_CBC_SHA" },
373 { 0x00C01E, "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA" },
374 { 0x00C01F, "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA" },
375 { 0x00C020, "TLS_SRP_SHA_WITH_AES_256_CBC_SHA" },
376 { 0x00C021, "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA" },
377 { 0x00C022, "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA" },
378 /* RFC 5589 */
379 { 0x00C023, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256" },
380 { 0x00C024, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384" },
381 { 0x00C025, "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256" },
382 { 0x00C026, "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384" },
383 { 0x00C027, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" },
384 { 0x00C028, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" },
385 { 0x00C029, "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256" },
386 { 0x00C02A, "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384" },
387 { 0x00C02B, "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" },
388 { 0x00C02C, "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" },
389 { 0x00C02D, "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256" },
390 { 0x00C02E, "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384" },
391 { 0x00C02F, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" },
392 { 0x00C030, "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" },
393 { 0x00C031, "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" },
394 { 0x00C032, "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384" },
395 /* RFC 5489 */
396 { 0x00C033, "TLS_ECDHE_PSK_WITH_RC4_128_SHA" },
397 { 0x00C034, "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA" },
398 { 0x00C035, "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA" },
399 { 0x00C036, "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA" },
400 { 0x00C037, "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256" },
401 { 0x00C038, "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384" },
402 { 0x00C039, "TLS_ECDHE_PSK_WITH_NULL_SHA" },
403 { 0x00C03A, "TLS_ECDHE_PSK_WITH_NULL_SHA256" },
404 { 0x00C03B, "TLS_ECDHE_PSK_WITH_NULL_SHA384" },
405 /* 0xC0,0x3C-FF Unassigned
406 0xC1-FD,* Unassigned
407 0xFE,0x00-FD Unassigned
408 0xFE,0xFE-FF Reserved to avoid conflicts with widely deployed implementations [Pasi_Eronen]
409 0xFF,0x00-FF Reserved for Private Use [RFC5246]
410 */
411
412 /* old numbers used in the beginning
413 * https://tools.ietf.org/html/draft-agl-tls-chacha20poly1305 */
414 { 0x00CC13, "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
415 { 0x00CC14, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" },
416 { 0x00CC15, "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
417
418 /* https://tools.ietf.org/html/rfc7905 */
419 { 0x00CCA8, "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
420 { 0x00CCA9, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" },
421 { 0x00CCAA, "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
422 { 0x00CCAB, "TLS_PSK_WITH_CHACHA20_POLY1305_SHA256" },
423 { 0x00CCAC, "TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256" },
424 { 0x00CCAD, "TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256" },
425 { 0x00CCAE, "TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256" },
426
427 /* GM/T 0024-2014 */
428 { 0x00e001, "ECDHE_SM1_SM3"},
429 { 0x00e003, "ECC_SM1_SM3"},
430 { 0x00e005, "IBSDH_SM1_SM3"},
431 { 0x00e007, "IBC_SM1_SM3"},
432 { 0x00e009, "RSA_SM1_SM3"},
433 { 0x00e00a, "RSA_SM1_SHA1"},
434 { 0x00e011, "ECDHE_SM4_CBC_SM3"},
435 { 0x00e013, "ECC_SM4_CBC_SM3"},
436 { 0x00e015, "IBSDH_SM4_CBC_SM3"},
437 { 0x00e017, "IBC_SM4_CBC_SM3"},
438 { 0x00e019, "RSA_SM4_CBC_SM3"},
439 { 0x00e01a, "RSA_SM4_CBC_SHA1"},
440 { 0x00e01c, "RSA_SM4_CBC_SHA256"},
441 { 0x00e051, "ECDHE_SM4_GCM_SM3"},
442 { 0x00e053, "ECC_SM4_GCM_SM3"},
443 { 0x00e055, "IBSDH_SM4_GCM_SM3"},
444 { 0x00e057, "IBC_SM4_GCM_SM3"},
445 { 0x00e059, "RSA_SM4_GCM_SM3"},
446 { 0x00e05a, "RSA_SM4_GCM_SHA256"},
447
448 /* https://tools.ietf.org/html/draft-josefsson-salsa20-tls */
449 { 0x00E410, "TLS_RSA_WITH_ESTREAM_SALSA20_SHA1" },
450 { 0x00E411, "TLS_RSA_WITH_SALSA20_SHA1" },
451 { 0x00E412, "TLS_ECDHE_RSA_WITH_ESTREAM_SALSA20_SHA1" },
452 { 0x00E413, "TLS_ECDHE_RSA_WITH_SALSA20_SHA1" },
453 { 0x00E414, "TLS_ECDHE_ECDSA_WITH_ESTREAM_SALSA20_SHA1" },
454 { 0x00E415, "TLS_ECDHE_ECDSA_WITH_SALSA20_SHA1" },
455 { 0x00E416, "TLS_PSK_WITH_ESTREAM_SALSA20_SHA1" },
456 { 0x00E417, "TLS_PSK_WITH_SALSA20_SHA1" },
457 { 0x00E418, "TLS_ECDHE_PSK_WITH_ESTREAM_SALSA20_SHA1" },
458 { 0x00E419, "TLS_ECDHE_PSK_WITH_SALSA20_SHA1" },
459 { 0x00E41A, "TLS_RSA_PSK_WITH_ESTREAM_SALSA20_SHA1" },
460 { 0x00E41B, "TLS_RSA_PSK_WITH_SALSA20_SHA1" },
461 { 0x00E41C, "TLS_DHE_PSK_WITH_ESTREAM_SALSA20_SHA1" },
462 { 0x00E41D, "TLS_DHE_PSK_WITH_SALSA20_SHA1" },
463 { 0x00E41E, "TLS_DHE_RSA_WITH_ESTREAM_SALSA20_SHA1" },
464 { 0x00E41F, "TLS_DHE_RSA_WITH_SALSA20_SHA1" },
465
466 /* these from http://www.mozilla.org/projects/
467 security/pki/nss/ssl/fips-ssl-ciphersuites.html */
468 { 0x00fefe, "SSL_RSA_FIPS_WITH_DES_CBC_SHA"},
469 { 0x00feff, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA" },
470 { 0x00ffe0, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA" },
471 { 0x00ffe1, "SSL_RSA_FIPS_WITH_DES_CBC_SHA"},
472 /* note that ciphersuites of {0x00????} are TLS cipher suites in
473 * a sslv2 client hello message; the ???? above is the two-byte
474 * tls cipher suite id
475 */
476
477 { 0x010080, "SSL2_RC4_128_WITH_MD5" },
478 { 0x020080, "SSL2_RC4_128_EXPORT40_WITH_MD5" },
479 { 0x030080, "SSL2_RC2_128_CBC_WITH_MD5" },
480 { 0x040080, "SSL2_RC2_128_CBC_EXPORT40_WITH_MD5" },
481 { 0x050080, "SSL2_IDEA_128_CBC_WITH_MD5" },
482 { 0x060040, "SSL2_DES_64_CBC_WITH_MD5" },
483 { 0x0700c0, "SSL2_DES_192_EDE3_CBC_WITH_MD5" },
484 { 0x080080, "SSL2_RC4_64_WITH_MD5" },
485
486 { 0x00, NULL((void*)0) }
487};
488
489value_string_ext ssl_20_cipher_suites_ext = VALUE_STRING_EXT_INIT(ssl_20_cipher_suites){ _try_val_to_str_ext_init, 0, (sizeof (ssl_20_cipher_suites)
/ sizeof ((ssl_20_cipher_suites)[0]))-1, ssl_20_cipher_suites
, "ssl_20_cipher_suites" };
490
491
492/*
493 * Supported Groups (formerly named "EC Named Curve").
494 * https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8
495 */
496const value_string ssl_extension_curves[] = {
497 { 1, "sect163k1" },
498 { 2, "sect163r1" },
499 { 3, "sect163r2" },
500 { 4, "sect193r1" },
501 { 5, "sect193r2" },
502 { 6, "sect233k1" },
503 { 7, "sect233r1" },
504 { 8, "sect239k1" },
505 { 9, "sect283k1" },
506 { 10, "sect283r1" },
507 { 11, "sect409k1" },
508 { 12, "sect409r1" },
509 { 13, "sect571k1" },
510 { 14, "sect571r1" },
511 { 15, "secp160k1" },
512 { 16, "secp160r1" },
513 { 17, "secp160r2" },
514 { 18, "secp192k1" },
515 { 19, "secp192r1" },
516 { 20, "secp224k1" },
517 { 21, "secp224r1" },
518 { 22, "secp256k1" },
519 { 23, "secp256r1" },
520 { 24, "secp384r1" },
521 { 25, "secp521r1" },
522 { 26, "brainpoolP256r1" }, /* RFC 7027 */
523 { 27, "brainpoolP384r1" }, /* RFC 7027 */
524 { 28, "brainpoolP512r1" }, /* RFC 7027 */
525 { 29, "x25519" }, /* RFC 8446 / RFC 8422 */
526 { 30, "x448" }, /* RFC 8446 / RFC 8422 */
527 { 31, "brainpoolP256r1tls13" }, /* RFC8734 */
528 { 32, "brainpoolP384r1tls13" }, /* RFC8734 */
529 { 33, "brainpoolP512r1tls13" }, /* RFC8734 */
530 { 34, "GC256A" }, /* RFC9189 */
531 { 35, "GC256B" }, /* RFC9189 */
532 { 36, "GC256C" }, /* RFC9189 */
533 { 37, "GC256D" }, /* RFC9189 */
534 { 38, "GC512A" }, /* RFC9189 */
535 { 39, "GC512B" }, /* RFC9189 */
536 { 40, "GC512C" }, /* RFC9189 */
537 { 41, "curveSM2" }, /* RFC 8998 */
538 { 256, "ffdhe2048" }, /* RFC 7919 */
539 { 257, "ffdhe3072" }, /* RFC 7919 */
540 { 258, "ffdhe4096" }, /* RFC 7919 */
541 { 259, "ffdhe6144" }, /* RFC 7919 */
542 { 260, "ffdhe8192" }, /* RFC 7919 */
543 { 512, "MLKEM512"}, /* draft-connolly-tls-mlkem-key-agreement-03 */
544 { 513, "MLKEM768"}, /* draft-connolly-tls-mlkem-key-agreement-03 */
545 { 514, "MLKEM1024"}, /* draft-connolly-tls-mlkem-key-agreement-03 */
546 { 2570, "Reserved (GREASE)" }, /* RFC 8701 */
547 { 4587, "SecP256r1MLKEM768" }, /* draft-kwiatkowski-tls-ecdhe-mlkem-02 */
548 { 4588, "X25519MLKEM768" }, /* draft-kwiatkowski-tls-ecdhe-mlkem-03 */
549 { 4589, "SecP384r1MLKEM1024" }, /* draft-kwiatkowski-tls-ecdhe-mlkem-03 */
550 { 6682, "Reserved (GREASE)" }, /* RFC 8701 */
551 { 10794, "Reserved (GREASE)" }, /* RFC 8701 */
552 { 14906, "Reserved (GREASE)" }, /* RFC 8701 */
553 { 19018, "Reserved (GREASE)" }, /* RFC 8701 */
554 { 23130, "Reserved (GREASE)" }, /* RFC 8701 */
555 { 25497, "X25519Kyber768Draft00 (OBSOLETE)" }, /* draft-tls-westerbaan-xyber768d00-02 */
556 { 25498, "SecP256r1Kyber768Draft00 (OBSOLETE)" }, /* draft-kwiatkowski-tls-ecdhe-kyber-01 */
557 { 27242, "Reserved (GREASE)" }, /* RFC 8701 */
558 { 31354, "Reserved (GREASE)" }, /* RFC 8701 */
559 { 35466, "Reserved (GREASE)" }, /* RFC 8701 */
560 { 39578, "Reserved (GREASE)" }, /* RFC 8701 */
561 { 43690, "Reserved (GREASE)" }, /* RFC 8701 */
562 { 47802, "Reserved (GREASE)" }, /* RFC 8701 */
563 { 51914, "Reserved (GREASE)" }, /* RFC 8701 */
564 { 56026, "Reserved (GREASE)" }, /* RFC 8701 */
565 { 60138, "Reserved (GREASE)" }, /* RFC 8701 */
566 { 64250, "Reserved (GREASE)" }, /* RFC 8701 */
567 { 0xFF01, "arbitrary_explicit_prime_curves" },
568 { 0xFF02, "arbitrary_explicit_char2_curves" },
569 /* Below are various unofficial values that have been used for testing. */
570 /* PQC key exchange algorithms from OQS-OpenSSL,
571 see https://github.com/open-quantum-safe/oqs-provider/blob/main/oqs-template/oqs-kem-info.md
572 These use IANA unassigned values and this list may be incomplete.
573 */
574 { 0x2F00, "p256_frodo640aes" },
575 { 0x2F01, "p256_frodo640shake" },
576 { 0x2F02, "p384_frodo976aes" },
577 { 0x0203, "frodo976shake" },
578 { 0x2F03, "p384_frodo976shake" },
579 { 0x0204, "frodo1344aes" },
580 { 0x2F04, "p521_frodo1344aes" },
581 { 0x0205, "frodo1344shake" },
582 { 0x2F05, "p521_frodo1344shake" },
583 { 0x023A, "kyber512" },
584 { 0x2F3A, "p256_kyber512" },
585 { 0x023C, "kyber768" },
586 { 0x2F3C, "p384_kyber768" },
587 { 0x023D, "kyber1024" },
588 { 0x2F3D, "p521_kyber1024" },
589 { 0x0214, "ntru_hps2048509" },
590 { 0x2F14, "p256_ntru_hps2048509" },
591 { 0x0215, "ntru_hps2048677" },
592 { 0x2F15, "p384_ntru_hps2048677" },
593 { 0x0216, "ntru_hps4096821" },
594 { 0x2F16, "p521_ntru_hps4096821" },
595 { 0x0245, "ntru_hps40961229" },
596 { 0x2F45, "p521_ntru_hps40961229" },
597 { 0x0217, "ntru_hrss701" },
598 { 0x2F17, "p384_ntru_hrss701" },
599 { 0x0246, "ntru_hrss1373" },
600 { 0x2F46, "p521_ntru_hrss1373" },
601 { 0x0218, "lightsaber" },
602 { 0x2F18, "p256_lightsaber" },
603 { 0x0219, "saber" },
604 { 0x2F19, "p384_saber" },
605 { 0x021A, "firesaber" },
606 { 0x2F1A, "p521_firesaber" },
607 { 0x021B, "sidhp434" },
608 { 0x2F1B, "p256_sidhp434" },
609 { 0x021C, "sidhp503" },
610 { 0x2F1C, "p256_sidhp503" },
611 { 0x021D, "sidhp610" },
612 { 0x2F1D, "p384_sidhp610" },
613 { 0x021E, "sidhp751" },
614 { 0x2F1E, "p521_sidhp751" },
615 { 0x021F, "sikep434" },
616 { 0x2F1F, "p256_sikep434" },
617 { 0x0220, "sikep503" },
618 { 0x2F20, "p256_sikep503" },
619 { 0x0221, "sikep610" },
620 { 0x2F21, "p384_sikep610" },
621 { 0x0222, "sikep751" },
622 { 0x2F22, "p521_sikep751" },
623 { 0x0238, "bikel1" },
624 { 0x2F38, "p256_bikel1" },
625 { 0x023B, "bikel3" },
626 { 0x2F3B, "p384_bikel3" },
627 { 0x023E, "kyber90s512" },
628 { 0x2F3E, "p256_kyber90s512" },
629 { 0x023F, "kyber90s768" },
630 { 0x2F3F, "p384_kyber90s768" },
631 { 0x0240, "kyber90s1024" },
632 { 0x2F40, "p521_kyber90s1024" },
633 { 0x022C, "hqc128" },
634 { 0x2F2C, "p256_hqc128" },
635 { 0x022D, "hqc192" },
636 { 0x2F2D, "p384_hqc192" },
637 { 0x022E, "hqc256" },
638 { 0x2F2E, "p521_hqc256" },
639 { 0x022F, "ntrulpr653" },
640 { 0x2F2F, "p256_ntrulpr653" },
641 { 0x0230, "ntrulpr761" },
642 { 0x2F43, "p256_ntrulpr761" },
643 { 0x0231, "ntrulpr857" },
644 { 0x2F31, "p384_ntrulpr857" },
645 { 0x0241, "ntrulpr1277" },
646 { 0x2F41, "p521_ntrulpr1277" },
647 { 0x0232, "sntrup653" },
648 { 0x2F32, "p256_sntrup653" },
649 { 0x0233, "sntrup761" },
650 { 0x2F44, "p256_sntrup761" },
651 { 0x0234, "sntrup857" },
652 { 0x2F34, "p384_sntrup857" },
653 { 0x0242, "sntrup1277" },
654 { 0x2F42, "p521_sntrup1277" },
655 /* Other PQ key exchange algorithms, using Reserved for Private Use values
656 https://blog.cloudflare.com/post-quantum-for-all
657 https://www.ietf.org/archive/id/draft-tls-westerbaan-xyber768d00-02.txt */
658 { 0xFE30, "X25519Kyber512Draft00 (OBSOLETE)" },
659 { 0xFE31, "X25519Kyber768Draft00 (OBSOLETE)" },
660 { 0x00, NULL((void*)0) }
661};
662
663const value_string ssl_curve_types[] = {
664 { 1, "explicit_prime" },
665 { 2, "explicit_char2" },
666 { 3, "named_curve" },
667 { 0x00, NULL((void*)0) }
668};
669
670const value_string ssl_extension_ec_point_formats[] = {
671 { 0, "uncompressed" },
672 { 1, "ansiX962_compressed_prime" },
673 { 2, "ansiX962_compressed_char2" },
674 { 0x00, NULL((void*)0) }
675};
676
677const value_string ssl_20_certificate_type[] = {
678 { 0x00, "N/A" },
679 { 0x01, "X.509 Certificate" },
680 { 0x00, NULL((void*)0) }
681};
682
683const value_string ssl_31_content_type[] = {
684 { 20, "Change Cipher Spec" },
685 { 21, "Alert" },
686 { 22, "Handshake" },
687 { 23, "Application Data" },
688 { 24, "Heartbeat" },
689 { 25, "Connection ID" },
690 { 0x00, NULL((void*)0) }
691};
692
693#if 0
694/* XXX - would be used if we dissected the body of a Change Cipher Spec
695 message. */
696const value_string ssl_31_change_cipher_spec[] = {
697 { 1, "Change Cipher Spec" },
698 { 0x00, NULL((void*)0) }
699};
700#endif
701
702const value_string ssl_31_alert_level[] = {
703 { 1, "Warning" },
704 { 2, "Fatal" },
705 { 0x00, NULL((void*)0) }
706};
707
708const value_string ssl_31_alert_description[] = {
709 { 0, "Close Notify" },
710 { 1, "End of Early Data" },
711 { 10, "Unexpected Message" },
712 { 20, "Bad Record MAC" },
713 { 21, "Decryption Failed" },
714 { 22, "Record Overflow" },
715 { 30, "Decompression Failure" },
716 { 40, "Handshake Failure" },
717 { 41, "No Certificate" },
718 { 42, "Bad Certificate" },
719 { 43, "Unsupported Certificate" },
720 { 44, "Certificate Revoked" },
721 { 45, "Certificate Expired" },
722 { 46, "Certificate Unknown" },
723 { 47, "Illegal Parameter" },
724 { 48, "Unknown CA" },
725 { 49, "Access Denied" },
726 { 50, "Decode Error" },
727 { 51, "Decrypt Error" },
728 { 60, "Export Restriction" },
729 { 70, "Protocol Version" },
730 { 71, "Insufficient Security" },
731 { 80, "Internal Error" },
732 { 86, "Inappropriate Fallback" },
733 { 90, "User Canceled" },
734 { 100, "No Renegotiation" },
735 { 109, "Missing Extension" },
736 { 110, "Unsupported Extension" },
737 { 111, "Certificate Unobtainable" },
738 { 112, "Unrecognized Name" },
739 { 113, "Bad Certificate Status Response" },
740 { 114, "Bad Certificate Hash Value" },
741 { 115, "Unknown PSK Identity" },
742 { 116, "Certificate Required" },
743 { 120, "No application Protocol" },
744 { 121, "ECH Required" },
745 { 0x00, NULL((void*)0) }
746};
747
748const value_string ssl_31_handshake_type[] = {
749 { SSL_HND_HELLO_REQUEST, "Hello Request" },
750 { SSL_HND_CLIENT_HELLO, "Client Hello" },
751 { SSL_HND_SERVER_HELLO, "Server Hello" },
752 { SSL_HND_HELLO_VERIFY_REQUEST, "Hello Verify Request"},
753 { SSL_HND_NEWSESSION_TICKET, "New Session Ticket" },
754 { SSL_HND_END_OF_EARLY_DATA, "End of Early Data" },
755 { SSL_HND_HELLO_RETRY_REQUEST, "Hello Retry Request" },
756 { SSL_HND_ENCRYPTED_EXTENSIONS, "Encrypted Extensions" },
757 { SSL_HND_CERTIFICATE, "Certificate" },
758 { SSL_HND_SERVER_KEY_EXCHG, "Server Key Exchange" },
759 { SSL_HND_CERT_REQUEST, "Certificate Request" },
760 { SSL_HND_SVR_HELLO_DONE, "Server Hello Done" },
761 { SSL_HND_CERT_VERIFY, "Certificate Verify" },
762 { SSL_HND_CLIENT_KEY_EXCHG, "Client Key Exchange" },
763 { SSL_HND_FINISHED, "Finished" },
764 { SSL_HND_CERT_URL, "Client Certificate URL" },
765 { SSL_HND_CERT_STATUS, "Certificate Status" },
766 { SSL_HND_SUPPLEMENTAL_DATA, "Supplemental Data" },
767 { SSL_HND_KEY_UPDATE, "Key Update" },
768 { SSL_HND_COMPRESSED_CERTIFICATE, "Compressed Certificate" },
769 { SSL_HND_ENCRYPTED_EXTS, "Encrypted Extensions" },
770 { 0x00, NULL((void*)0) }
771};
772
773const value_string tls_heartbeat_type[] = {
774 { 1, "Request" },
775 { 2, "Response" },
776 { 0x00, NULL((void*)0) }
777};
778
779const value_string tls_heartbeat_mode[] = {
780 { 1, "Peer allowed to send requests" },
781 { 2, "Peer not allowed to send requests" },
782 { 0x00, NULL((void*)0) }
783};
784
785const value_string ssl_31_compression_method[] = {
786 { 0, "null" },
787 { 1, "DEFLATE" },
788 { 64, "LZS" },
789 { 0x00, NULL((void*)0) }
790};
791
792#if 0
793/* XXX - would be used if we dissected a Signature, as would be
794 seen in a server key exchange or certificate verify message. */
795const value_string ssl_31_key_exchange_algorithm[] = {
796 { 0, "RSA" },
797 { 1, "Diffie Hellman" },
798 { 0x00, NULL((void*)0) }
799};
800
801const value_string ssl_31_signature_algorithm[] = {
802 { 0, "Anonymous" },
803 { 1, "RSA" },
804 { 2, "DSA" },
805 { 0x00, NULL((void*)0) }
806};
807#endif
808
809const value_string ssl_31_client_certificate_type[] = {
810 { 1, "RSA Sign" },
811 { 2, "DSS Sign" },
812 { 3, "RSA Fixed DH" },
813 { 4, "DSS Fixed DH" },
814 /* GOST certificate types */
815 /* Section 3.5 of draft-chudov-cryptopro-cptls-04 */
816 { 21, "GOST R 34.10-94" },
817 { 22, "GOST R 34.10-2001" },
818 /* END GOST certificate types */
819 { 64, "ECDSA Sign" },
820 { 65, "RSA Fixed ECDH" },
821 { 66, "ECDSA Fixed ECDH" },
822 { 80, "IBC Params" },
823 { 0x00, NULL((void*)0) }
824};
825
826#if 0
827/* XXX - would be used if we dissected exchange keys, as would be
828 seen in a client key exchange message. */
829const value_string ssl_31_public_value_encoding[] = {
830 { 0, "Implicit" },
831 { 1, "Explicit" },
832 { 0x00, NULL((void*)0) }
833};
834#endif
835
836/* http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml */
837/* Note: sorted by ascending value so value_string_ext fcns can do a binary search */
838static const value_string ssl_31_ciphersuite[] = {
839 /* RFC 2246, RFC 4346, RFC 5246 */
840 { 0x0000, "TLS_NULL_WITH_NULL_NULL" },
841 { 0x0001, "TLS_RSA_WITH_NULL_MD5" },
842 { 0x0002, "TLS_RSA_WITH_NULL_SHA" },
843 { 0x0003, "TLS_RSA_EXPORT_WITH_RC4_40_MD5" },
844 { 0x0004, "TLS_RSA_WITH_RC4_128_MD5" },
845 { 0x0005, "TLS_RSA_WITH_RC4_128_SHA" },
846 { 0x0006, "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5" },
847 { 0x0007, "TLS_RSA_WITH_IDEA_CBC_SHA" },
848 { 0x0008, "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA" },
849 { 0x0009, "TLS_RSA_WITH_DES_CBC_SHA" },
850 { 0x000a, "TLS_RSA_WITH_3DES_EDE_CBC_SHA" },
851 { 0x000b, "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA" },
852 { 0x000c, "TLS_DH_DSS_WITH_DES_CBC_SHA" },
853 { 0x000d, "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA" },
854 { 0x000e, "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA" },
855 { 0x000f, "TLS_DH_RSA_WITH_DES_CBC_SHA" },
856 { 0x0010, "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA" },
857 { 0x0011, "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA" },
858 { 0x0012, "TLS_DHE_DSS_WITH_DES_CBC_SHA" },
859 { 0x0013, "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA" },
860 { 0x0014, "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA" },
861 { 0x0015, "TLS_DHE_RSA_WITH_DES_CBC_SHA" },
862 { 0x0016, "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA" },
863 { 0x0017, "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5" },
864 { 0x0018, "TLS_DH_anon_WITH_RC4_128_MD5" },
865 { 0x0019, "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA" },
866 { 0x001a, "TLS_DH_anon_WITH_DES_CBC_SHA" },
867 { 0x001b, "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA" },
868
869 { 0x001c, "SSL_FORTEZZA_KEA_WITH_NULL_SHA" },
870 { 0x001d, "SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA" },
871#if 0 /* Because it clashes with KRB5, is never used any more, and is safe
872 to remove according to David Hopwood <[email protected]>
873 of the ietf-tls list */
874 { 0x001e, "SSL_FORTEZZA_KEA_WITH_RC4_128_SHA" },
875#endif
876 /* RFC 2712 */
877 { 0x001E, "TLS_KRB5_WITH_DES_CBC_SHA" },
878 { 0x001F, "TLS_KRB5_WITH_3DES_EDE_CBC_SHA" },
879 { 0x0020, "TLS_KRB5_WITH_RC4_128_SHA" },
880 { 0x0021, "TLS_KRB5_WITH_IDEA_CBC_SHA" },
881 { 0x0022, "TLS_KRB5_WITH_DES_CBC_MD5" },
882 { 0x0023, "TLS_KRB5_WITH_3DES_EDE_CBC_MD5" },
883 { 0x0024, "TLS_KRB5_WITH_RC4_128_MD5" },
884 { 0x0025, "TLS_KRB5_WITH_IDEA_CBC_MD5" },
885 { 0x0026, "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA" },
886 { 0x0027, "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA" },
887 { 0x0028, "TLS_KRB5_EXPORT_WITH_RC4_40_SHA" },
888 { 0x0029, "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5" },
889 { 0x002A, "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5" },
890 { 0x002B, "TLS_KRB5_EXPORT_WITH_RC4_40_MD5" },
891 /* RFC 4785 */
892 { 0x002C, "TLS_PSK_WITH_NULL_SHA" },
893 { 0x002D, "TLS_DHE_PSK_WITH_NULL_SHA" },
894 { 0x002E, "TLS_RSA_PSK_WITH_NULL_SHA" },
895 /* RFC 5246 */
896 { 0x002F, "TLS_RSA_WITH_AES_128_CBC_SHA" },
897 { 0x0030, "TLS_DH_DSS_WITH_AES_128_CBC_SHA" },
898 { 0x0031, "TLS_DH_RSA_WITH_AES_128_CBC_SHA" },
899 { 0x0032, "TLS_DHE_DSS_WITH_AES_128_CBC_SHA" },
900 { 0x0033, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA" },
901 { 0x0034, "TLS_DH_anon_WITH_AES_128_CBC_SHA" },
902 { 0x0035, "TLS_RSA_WITH_AES_256_CBC_SHA" },
903 { 0x0036, "TLS_DH_DSS_WITH_AES_256_CBC_SHA" },
904 { 0x0037, "TLS_DH_RSA_WITH_AES_256_CBC_SHA" },
905 { 0x0038, "TLS_DHE_DSS_WITH_AES_256_CBC_SHA" },
906 { 0x0039, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA" },
907 { 0x003A, "TLS_DH_anon_WITH_AES_256_CBC_SHA" },
908 { 0x003B, "TLS_RSA_WITH_NULL_SHA256" },
909 { 0x003C, "TLS_RSA_WITH_AES_128_CBC_SHA256" },
910 { 0x003D, "TLS_RSA_WITH_AES_256_CBC_SHA256" },
911 { 0x003E, "TLS_DH_DSS_WITH_AES_128_CBC_SHA256" },
912 { 0x003F, "TLS_DH_RSA_WITH_AES_128_CBC_SHA256" },
913 { 0x0040, "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256" },
914 /* RFC 4132 */
915 { 0x0041, "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA" },
916 { 0x0042, "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA" },
917 { 0x0043, "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA" },
918 { 0x0044, "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA" },
919 { 0x0045, "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA" },
920 { 0x0046, "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA" },
921 /* 0x00,0x60-66 Reserved to avoid conflicts with widely deployed implementations */
922 /* --- ??? --- */
923 { 0x0060, "TLS_RSA_EXPORT1024_WITH_RC4_56_MD5" },
924 { 0x0061, "TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5" },
925 /* draft-ietf-tls-56-bit-ciphersuites-01.txt */
926 { 0x0062, "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA" },
927 { 0x0063, "TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA" },
928 { 0x0064, "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA" },
929 { 0x0065, "TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA" },
930 { 0x0066, "TLS_DHE_DSS_WITH_RC4_128_SHA" },
931 /* --- ??? ---*/
932 { 0x0067, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256" },
933 { 0x0068, "TLS_DH_DSS_WITH_AES_256_CBC_SHA256" },
934 { 0x0069, "TLS_DH_RSA_WITH_AES_256_CBC_SHA256" },
935 { 0x006A, "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256" },
936 { 0x006B, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256" },
937 { 0x006C, "TLS_DH_anon_WITH_AES_128_CBC_SHA256" },
938 { 0x006D, "TLS_DH_anon_WITH_AES_256_CBC_SHA256" },
939 /* draft-chudov-cryptopro-cptls-04.txt */
940 { 0x0080, "TLS_GOSTR341094_WITH_28147_CNT_IMIT" },
941 { 0x0081, "TLS_GOSTR341001_WITH_28147_CNT_IMIT" },
942 { 0x0082, "TLS_GOSTR341094_WITH_NULL_GOSTR3411" },
943 { 0x0083, "TLS_GOSTR341001_WITH_NULL_GOSTR3411" },
944 /* RFC 4132 */
945 { 0x0084, "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA" },
946 { 0x0085, "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA" },
947 { 0x0086, "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA" },
948 { 0x0087, "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA" },
949 { 0x0088, "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA" },
950 { 0x0089, "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA" },
951 /* RFC 4279 */
952 { 0x008A, "TLS_PSK_WITH_RC4_128_SHA" },
953 { 0x008B, "TLS_PSK_WITH_3DES_EDE_CBC_SHA" },
954 { 0x008C, "TLS_PSK_WITH_AES_128_CBC_SHA" },
955 { 0x008D, "TLS_PSK_WITH_AES_256_CBC_SHA" },
956 { 0x008E, "TLS_DHE_PSK_WITH_RC4_128_SHA" },
957 { 0x008F, "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA" },
958 { 0x0090, "TLS_DHE_PSK_WITH_AES_128_CBC_SHA" },
959 { 0x0091, "TLS_DHE_PSK_WITH_AES_256_CBC_SHA" },
960 { 0x0092, "TLS_RSA_PSK_WITH_RC4_128_SHA" },
961 { 0x0093, "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA" },
962 { 0x0094, "TLS_RSA_PSK_WITH_AES_128_CBC_SHA" },
963 { 0x0095, "TLS_RSA_PSK_WITH_AES_256_CBC_SHA" },
964 /* RFC 4162 */
965 { 0x0096, "TLS_RSA_WITH_SEED_CBC_SHA" },
966 { 0x0097, "TLS_DH_DSS_WITH_SEED_CBC_SHA" },
967 { 0x0098, "TLS_DH_RSA_WITH_SEED_CBC_SHA" },
968 { 0x0099, "TLS_DHE_DSS_WITH_SEED_CBC_SHA" },
969 { 0x009A, "TLS_DHE_RSA_WITH_SEED_CBC_SHA" },
970 { 0x009B, "TLS_DH_anon_WITH_SEED_CBC_SHA" },
971 /* RFC 5288 */
972 { 0x009C, "TLS_RSA_WITH_AES_128_GCM_SHA256" },
973 { 0x009D, "TLS_RSA_WITH_AES_256_GCM_SHA384" },
974 { 0x009E, "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256" },
975 { 0x009F, "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384" },
976 { 0x00A0, "TLS_DH_RSA_WITH_AES_128_GCM_SHA256" },
977 { 0x00A1, "TLS_DH_RSA_WITH_AES_256_GCM_SHA384" },
978 { 0x00A2, "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256" },
979 { 0x00A3, "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384" },
980 { 0x00A4, "TLS_DH_DSS_WITH_AES_128_GCM_SHA256" },
981 { 0x00A5, "TLS_DH_DSS_WITH_AES_256_GCM_SHA384" },
982 { 0x00A6, "TLS_DH_anon_WITH_AES_128_GCM_SHA256" },
983 { 0x00A7, "TLS_DH_anon_WITH_AES_256_GCM_SHA384" },
984 /* RFC 5487 */
985 { 0x00A8, "TLS_PSK_WITH_AES_128_GCM_SHA256" },
986 { 0x00A9, "TLS_PSK_WITH_AES_256_GCM_SHA384" },
987 { 0x00AA, "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256" },
988 { 0x00AB, "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384" },
989 { 0x00AC, "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256" },
990 { 0x00AD, "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384" },
991 { 0x00AE, "TLS_PSK_WITH_AES_128_CBC_SHA256" },
992 { 0x00AF, "TLS_PSK_WITH_AES_256_CBC_SHA384" },
993 { 0x00B0, "TLS_PSK_WITH_NULL_SHA256" },
994 { 0x00B1, "TLS_PSK_WITH_NULL_SHA384" },
995 { 0x00B2, "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256" },
996 { 0x00B3, "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384" },
997 { 0x00B4, "TLS_DHE_PSK_WITH_NULL_SHA256" },
998 { 0x00B5, "TLS_DHE_PSK_WITH_NULL_SHA384" },
999 { 0x00B6, "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256" },
1000 { 0x00B7, "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384" },
1001 { 0x00B8, "TLS_RSA_PSK_WITH_NULL_SHA256" },
1002 { 0x00B9, "TLS_RSA_PSK_WITH_NULL_SHA384" },
1003 /* From RFC 5932 */
1004 { 0x00BA, "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
1005 { 0x00BB, "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256" },
1006 { 0x00BC, "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
1007 { 0x00BD, "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256" },
1008 { 0x00BE, "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
1009 { 0x00BF, "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256" },
1010 { 0x00C0, "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
1011 { 0x00C1, "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256" },
1012 { 0x00C2, "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
1013 { 0x00C3, "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256" },
1014 { 0x00C4, "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256" },
1015 { 0x00C5, "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256" },
1016 /* RFC 8998 */
1017 { 0x00C6, "TLS_SM4_GCM_SM3" },
1018 { 0x00C7, "TLS_SM4_CCM_SM3" },
1019 /* 0x00,0xC8-FE Unassigned */
1020 /* From RFC 5746 */
1021 { 0x00FF, "TLS_EMPTY_RENEGOTIATION_INFO_SCSV" },
1022 /* RFC 8701 */
1023 { 0x0A0A, "Reserved (GREASE)" },
1024 /* RFC 8446 */
1025 { 0x1301, "TLS_AES_128_GCM_SHA256" },
1026 { 0x1302, "TLS_AES_256_GCM_SHA384" },
1027 { 0x1303, "TLS_CHACHA20_POLY1305_SHA256" },
1028 { 0x1304, "TLS_AES_128_CCM_SHA256" },
1029 { 0x1305, "TLS_AES_128_CCM_8_SHA256" },
1030 /* RFC 8701 */
1031 { 0x1A1A, "Reserved (GREASE)" },
1032 { 0x2A2A, "Reserved (GREASE)" },
1033 { 0x3A3A, "Reserved (GREASE)" },
1034 { 0x4A4A, "Reserved (GREASE)" },
1035 /* From RFC 7507 */
1036 { 0x5600, "TLS_FALLBACK_SCSV" },
1037 /* RFC 8701 */
1038 { 0x5A5A, "Reserved (GREASE)" },
1039 { 0x6A6A, "Reserved (GREASE)" },
1040 { 0x7A7A, "Reserved (GREASE)" },
1041 { 0x8A8A, "Reserved (GREASE)" },
1042 { 0x9A9A, "Reserved (GREASE)" },
1043 { 0xAAAA, "Reserved (GREASE)" },
1044 { 0xBABA, "Reserved (GREASE)" },
1045 /* From RFC 4492 */
1046 { 0xc001, "TLS_ECDH_ECDSA_WITH_NULL_SHA" },
1047 { 0xc002, "TLS_ECDH_ECDSA_WITH_RC4_128_SHA" },
1048 { 0xc003, "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA" },
1049 { 0xc004, "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA" },
1050 { 0xc005, "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA" },
1051 { 0xc006, "TLS_ECDHE_ECDSA_WITH_NULL_SHA" },
1052 { 0xc007, "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA" },
1053 { 0xc008, "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA" },
1054 { 0xc009, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA" },
1055 { 0xc00a, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" },
1056 { 0xc00b, "TLS_ECDH_RSA_WITH_NULL_SHA" },
1057 { 0xc00c, "TLS_ECDH_RSA_WITH_RC4_128_SHA" },
1058 { 0xc00d, "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA" },
1059 { 0xc00e, "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA" },
1060 { 0xc00f, "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA" },
1061 { 0xc010, "TLS_ECDHE_RSA_WITH_NULL_SHA" },
1062 { 0xc011, "TLS_ECDHE_RSA_WITH_RC4_128_SHA" },
1063 { 0xc012, "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA" },
1064 { 0xc013, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA" },
1065 { 0xc014, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA" },
1066 { 0xc015, "TLS_ECDH_anon_WITH_NULL_SHA" },
1067 { 0xc016, "TLS_ECDH_anon_WITH_RC4_128_SHA" },
1068 { 0xc017, "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA" },
1069 { 0xc018, "TLS_ECDH_anon_WITH_AES_128_CBC_SHA" },
1070 { 0xc019, "TLS_ECDH_anon_WITH_AES_256_CBC_SHA" },
1071 /* RFC 5054 */
1072 { 0xC01A, "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA" },
1073 { 0xC01B, "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA" },
1074 { 0xC01C, "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA" },
1075 { 0xC01D, "TLS_SRP_SHA_WITH_AES_128_CBC_SHA" },
1076 { 0xC01E, "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA" },
1077 { 0xC01F, "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA" },
1078 { 0xC020, "TLS_SRP_SHA_WITH_AES_256_CBC_SHA" },
1079 { 0xC021, "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA" },
1080 { 0xC022, "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA" },
1081 /* RFC 5589 */
1082 { 0xC023, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256" },
1083 { 0xC024, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384" },
1084 { 0xC025, "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256" },
1085 { 0xC026, "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384" },
1086 { 0xC027, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" },
1087 { 0xC028, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" },
1088 { 0xC029, "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256" },
1089 { 0xC02A, "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384" },
1090 { 0xC02B, "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" },
1091 { 0xC02C, "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" },
1092 { 0xC02D, "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256" },
1093 { 0xC02E, "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384" },
1094 { 0xC02F, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" },
1095 { 0xC030, "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" },
1096 { 0xC031, "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256" },
1097 { 0xC032, "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384" },
1098 /* RFC 5489 */
1099 { 0xC033, "TLS_ECDHE_PSK_WITH_RC4_128_SHA" },
1100 { 0xC034, "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA" },
1101 { 0xC035, "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA" },
1102 { 0xC036, "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA" },
1103 { 0xC037, "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256" },
1104 { 0xC038, "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384" },
1105 { 0xC039, "TLS_ECDHE_PSK_WITH_NULL_SHA" },
1106 { 0xC03A, "TLS_ECDHE_PSK_WITH_NULL_SHA256" },
1107 { 0xC03B, "TLS_ECDHE_PSK_WITH_NULL_SHA384" },
1108 /* RFC 6209 */
1109 { 0xC03C, "TLS_RSA_WITH_ARIA_128_CBC_SHA256" },
1110 { 0xC03D, "TLS_RSA_WITH_ARIA_256_CBC_SHA384" },
1111 { 0xC03E, "TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256" },
1112 { 0xC03F, "TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384" },
1113 { 0xC040, "TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256" },
1114 { 0xC041, "TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384" },
1115 { 0xC042, "TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256" },
1116 { 0xC043, "TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384" },
1117 { 0xC044, "TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256" },
1118 { 0xC045, "TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384" },
1119 { 0xC046, "TLS_DH_anon_WITH_ARIA_128_CBC_SHA256" },
1120 { 0xC047, "TLS_DH_anon_WITH_ARIA_256_CBC_SHA384" },
1121 { 0xC048, "TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256" },
1122 { 0xC049, "TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384" },
1123 { 0xC04A, "TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256" },
1124 { 0xC04B, "TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384" },
1125 { 0xC04C, "TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256" },
1126 { 0xC04D, "TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384" },
1127 { 0xC04E, "TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256" },
1128 { 0xC04F, "TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384" },
1129 { 0xC050, "TLS_RSA_WITH_ARIA_128_GCM_SHA256" },
1130 { 0xC051, "TLS_RSA_WITH_ARIA_256_GCM_SHA384" },
1131 { 0xC052, "TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256" },
1132 { 0xC053, "TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384" },
1133 { 0xC054, "TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256" },
1134 { 0xC055, "TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384" },
1135 { 0xC056, "TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256" },
1136 { 0xC057, "TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384" },
1137 { 0xC058, "TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256" },
1138 { 0xC059, "TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384" },
1139 { 0xC05A, "TLS_DH_anon_WITH_ARIA_128_GCM_SHA256" },
1140 { 0xC05B, "TLS_DH_anon_WITH_ARIA_256_GCM_SHA384" },
1141 { 0xC05C, "TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256" },
1142 { 0xC05D, "TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384" },
1143 { 0xC05E, "TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256" },
1144 { 0xC05F, "TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384" },
1145 { 0xC060, "TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256" },
1146 { 0xC061, "TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384" },
1147 { 0xC062, "TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256" },
1148 { 0xC063, "TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384" },
1149 { 0xC064, "TLS_PSK_WITH_ARIA_128_CBC_SHA256" },
1150 { 0xC065, "TLS_PSK_WITH_ARIA_256_CBC_SHA384" },
1151 { 0xC066, "TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256" },
1152 { 0xC067, "TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384" },
1153 { 0xC068, "TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256" },
1154 { 0xC069, "TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384" },
1155 { 0xC06A, "TLS_PSK_WITH_ARIA_128_GCM_SHA256" },
1156 { 0xC06B, "TLS_PSK_WITH_ARIA_256_GCM_SHA384" },
1157 { 0xC06C, "TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256" },
1158 { 0xC06D, "TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384" },
1159 { 0xC06E, "TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256" },
1160 { 0xC06F, "TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384" },
1161 { 0xC070, "TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256" },
1162 { 0xC071, "TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384" },
1163 /* RFC 6367 */
1164 { 0xC072, "TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256" },
1165 { 0xC073, "TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384" },
1166 { 0xC074, "TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256" },
1167 { 0xC075, "TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384" },
1168 { 0xC076, "TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
1169 { 0xC077, "TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384" },
1170 { 0xC078, "TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256" },
1171 { 0xC079, "TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384" },
1172 { 0xC07A, "TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256" },
1173 { 0xC07B, "TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384" },
1174 { 0xC07C, "TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256" },
1175 { 0xC07D, "TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384" },
1176 { 0xC07E, "TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256" },
1177 { 0xC07F, "TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384" },
1178 { 0xC080, "TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256" },
1179 { 0xC081, "TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384" },
1180 { 0xC082, "TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256" },
1181 { 0xC083, "TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384" },
1182 { 0xC084, "TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256" },
1183 { 0xC085, "TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384" },
1184 { 0xC086, "TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256" },
1185 { 0xC087, "TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384" },
1186 { 0xC088, "TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256" },
1187 { 0xC089, "TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384" },
1188 { 0xC08A, "TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256" },
1189 { 0xC08B, "TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384" },
1190 { 0xC08C, "TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256" },
1191 { 0xC08D, "TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384" },
1192 { 0xC08E, "TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256" },
1193 { 0xC08F, "TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384" },
1194 { 0xC090, "TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256" },
1195 { 0xC091, "TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384" },
1196 { 0xC092, "TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256" },
1197 { 0xC093, "TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384" },
1198 { 0xC094, "TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256" },
1199 { 0xC095, "TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384" },
1200 { 0xC096, "TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256" },
1201 { 0xC097, "TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384" },
1202 { 0xC098, "TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256" },
1203 { 0xC099, "TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384" },
1204 { 0xC09A, "TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256" },
1205 { 0xC09B, "TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384" },
1206 /* RFC 6655 */
1207 { 0xC09C, "TLS_RSA_WITH_AES_128_CCM" },
1208 { 0xC09D, "TLS_RSA_WITH_AES_256_CCM" },
1209 { 0xC09E, "TLS_DHE_RSA_WITH_AES_128_CCM" },
1210 { 0xC09F, "TLS_DHE_RSA_WITH_AES_256_CCM" },
1211 { 0xC0A0, "TLS_RSA_WITH_AES_128_CCM_8" },
1212 { 0xC0A1, "TLS_RSA_WITH_AES_256_CCM_8" },
1213 { 0xC0A2, "TLS_DHE_RSA_WITH_AES_128_CCM_8" },
1214 { 0xC0A3, "TLS_DHE_RSA_WITH_AES_256_CCM_8" },
1215 { 0xC0A4, "TLS_PSK_WITH_AES_128_CCM" },
1216 { 0xC0A5, "TLS_PSK_WITH_AES_256_CCM" },
1217 { 0xC0A6, "TLS_DHE_PSK_WITH_AES_128_CCM" },
1218 { 0xC0A7, "TLS_DHE_PSK_WITH_AES_256_CCM" },
1219 { 0xC0A8, "TLS_PSK_WITH_AES_128_CCM_8" },
1220 { 0xC0A9, "TLS_PSK_WITH_AES_256_CCM_8" },
1221 { 0xC0AA, "TLS_PSK_DHE_WITH_AES_128_CCM_8" },
1222 { 0xC0AB, "TLS_PSK_DHE_WITH_AES_256_CCM_8" },
1223 /* RFC 7251 */
1224 { 0xC0AC, "TLS_ECDHE_ECDSA_WITH_AES_128_CCM" },
1225 { 0xC0AD, "TLS_ECDHE_ECDSA_WITH_AES_256_CCM" },
1226 { 0xC0AE, "TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8" },
1227 { 0xC0AF, "TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8" },
1228 /* RFC 8492 */
1229 { 0xC0B0, "TLS_ECCPWD_WITH_AES_128_GCM_SHA256" },
1230 { 0xC0B1, "TLS_ECCPWD_WITH_AES_256_GCM_SHA384" },
1231 { 0xC0B2, "TLS_ECCPWD_WITH_AES_128_CCM_SHA256" },
1232 { 0xC0B3, "TLS_ECCPWD_WITH_AES_256_CCM_SHA384" },
1233 /* draft-camwinget-tls-ts13-macciphersuites */
1234 { 0xC0B4, "TLS_SHA256_SHA256" },
1235 { 0xC0B5, "TLS_SHA384_SHA384" },
1236 /* https://www.ietf.org/archive/id/draft-cragie-tls-ecjpake-01.txt */
1237 { 0xC0FF, "TLS_ECJPAKE_WITH_AES_128_CCM_8" },
1238 /* draft-smyshlyaev-tls12-gost-suites */
1239 { 0xC100, "TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC" },
1240 { 0xC101, "TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC" },
1241 { 0xC102, "TLS_GOSTR341112_256_WITH_28147_CNT_IMIT" },
1242 /* draft-smyshlyaev-tls13-gost-suites */
1243 { 0xC103, "TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_L" },
1244 { 0xC104, "TLS_GOSTR341112_256_WITH_MAGMA_MGM_L" },
1245 { 0xC105, "TLS_GOSTR341112_256_WITH_KUZNYECHIK_MGM_S" },
1246 { 0xC106, "TLS_GOSTR341112_256_WITH_MAGMA_MGM_S" },
1247 /* RFC 8701 */
1248 { 0xCACA, "Reserved (GREASE)" },
1249/*
12500xC0,0xAB-FF Unassigned
12510xC1,0x03-FD,* Unassigned
12520xFE,0x00-FD Unassigned
12530xFE,0xFE-FF Reserved to avoid conflicts with widely deployed implementations [Pasi_Eronen]
12540xFF,0x00-FF Reserved for Private Use [RFC5246]
1255*/
1256 /* old numbers used in the beginning
1257 * https://tools.ietf.org/html/draft-agl-tls-chacha20poly1305 */
1258 { 0xCC13, "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
1259 { 0xCC14, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" },
1260 { 0xCC15, "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
1261 /* RFC 7905 */
1262 { 0xCCA8, "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
1263 { 0xCCA9, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" },
1264 { 0xCCAA, "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
1265 { 0xCCAB, "TLS_PSK_WITH_CHACHA20_POLY1305_SHA256" },
1266 { 0xCCAC, "TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256" },
1267 { 0xCCAD, "TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256" },
1268 { 0xCCAE, "TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256" },
1269 /* RFC 8442 */
1270 { 0xD001, "TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256" },
1271 { 0xD002, "TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384" },
1272 { 0xD003, "TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256" },
1273 { 0xD005, "TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256" },
1274 /* RFC 8701 */
1275 { 0xDADA, "Reserved (GREASE)" },
1276 /* GM/T 0024-2014 */
1277 { 0xe001, "ECDHE_SM1_SM3"},
1278 { 0xe003, "ECC_SM1_SM3"},
1279 { 0xe005, "IBSDH_SM1_SM3"},
1280 { 0xe007, "IBC_SM1_SM3"},
1281 { 0xe009, "RSA_SM1_SM3"},
1282 { 0xe00a, "RSA_SM1_SHA1"},
1283 { 0xe011, "ECDHE_SM4_CBC_SM3"},
1284 { 0xe013, "ECC_SM4_CBC_SM3"},
1285 { 0xe015, "IBSDH_SM4_CBC_SM3"},
1286 { 0xe017, "IBC_SM4_CBC_SM3"},
1287 { 0xe019, "RSA_SM4_CBC_SM3"},
1288 { 0xe01a, "RSA_SM4_CBC_SHA1"},
1289 { 0xe01c, "RSA_SM4_CBC_SHA256"},
1290 { 0xe051, "ECDHE_SM4_GCM_SM3"},
1291 { 0xe053, "ECC_SM4_GCM_SM3"},
1292 { 0xe055, "IBSDH_SM4_GCM_SM3"},
1293 { 0xe057, "IBC_SM4_GCM_SM3"},
1294 { 0xe059, "RSA_SM4_GCM_SM3"},
1295 { 0xe05a, "RSA_SM4_GCM_SHA256"},
1296 /* https://tools.ietf.org/html/draft-josefsson-salsa20-tls */
1297 { 0xE410, "TLS_RSA_WITH_ESTREAM_SALSA20_SHA1" },
1298 { 0xE411, "TLS_RSA_WITH_SALSA20_SHA1" },
1299 { 0xE412, "TLS_ECDHE_RSA_WITH_ESTREAM_SALSA20_SHA1" },
1300 { 0xE413, "TLS_ECDHE_RSA_WITH_SALSA20_SHA1" },
1301 { 0xE414, "TLS_ECDHE_ECDSA_WITH_ESTREAM_SALSA20_SHA1" },
1302 { 0xE415, "TLS_ECDHE_ECDSA_WITH_SALSA20_SHA1" },
1303 { 0xE416, "TLS_PSK_WITH_ESTREAM_SALSA20_SHA1" },
1304 { 0xE417, "TLS_PSK_WITH_SALSA20_SHA1" },
1305 { 0xE418, "TLS_ECDHE_PSK_WITH_ESTREAM_SALSA20_SHA1" },
1306 { 0xE419, "TLS_ECDHE_PSK_WITH_SALSA20_SHA1" },
1307 { 0xE41A, "TLS_RSA_PSK_WITH_ESTREAM_SALSA20_SHA1" },
1308 { 0xE41B, "TLS_RSA_PSK_WITH_SALSA20_SHA1" },
1309 { 0xE41C, "TLS_DHE_PSK_WITH_ESTREAM_SALSA20_SHA1" },
1310 { 0xE41D, "TLS_DHE_PSK_WITH_SALSA20_SHA1" },
1311 { 0xE41E, "TLS_DHE_RSA_WITH_ESTREAM_SALSA20_SHA1" },
1312 { 0xE41F, "TLS_DHE_RSA_WITH_SALSA20_SHA1" },
1313 /* RFC 8701 */
1314 { 0xEAEA, "Reserved (GREASE)" },
1315 { 0xFAFA, "Reserved (GREASE)" },
1316 /* these from http://www.mozilla.org/projects/
1317 security/pki/nss/ssl/fips-ssl-ciphersuites.html */
1318 { 0xfefe, "SSL_RSA_FIPS_WITH_DES_CBC_SHA"},
1319 { 0xfeff, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA" },
1320 { 0xffe0, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA" },
1321 { 0xffe1, "SSL_RSA_FIPS_WITH_DES_CBC_SHA" },
1322 /* note that ciphersuites 0xff00 - 0xffff are private */
1323 { 0x00, NULL((void*)0) }
1324};
1325
1326value_string_ext ssl_31_ciphersuite_ext = VALUE_STRING_EXT_INIT(ssl_31_ciphersuite){ _try_val_to_str_ext_init, 0, (sizeof (ssl_31_ciphersuite) /
sizeof ((ssl_31_ciphersuite)[0]))-1, ssl_31_ciphersuite, "ssl_31_ciphersuite"
};
1327
1328/* http://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#tls-extensiontype-values-1 */
1329const value_string tls_hello_extension_types[] = {
1330 { SSL_HND_HELLO_EXT_SERVER_NAME0, "server_name" }, /* RFC 6066 */
1331 { SSL_HND_HELLO_EXT_MAX_FRAGMENT_LENGTH1, "max_fragment_length" },/* RFC 6066 */
1332 { SSL_HND_HELLO_EXT_CLIENT_CERTIFICATE_URL2, "client_certificate_url" }, /* RFC 6066 */
1333 { SSL_HND_HELLO_EXT_TRUSTED_CA_KEYS3, "trusted_ca_keys" }, /* RFC 6066 */
1334 { SSL_HND_HELLO_EXT_TRUNCATED_HMAC4, "truncated_hmac" }, /* RFC 6066 */
1335 { SSL_HND_HELLO_EXT_STATUS_REQUEST5, "status_request" }, /* RFC 6066 */
1336 { SSL_HND_HELLO_EXT_USER_MAPPING6, "user_mapping" }, /* RFC 4681 */
1337 { SSL_HND_HELLO_EXT_CLIENT_AUTHZ7, "client_authz" }, /* RFC 5878 */
1338 { SSL_HND_HELLO_EXT_SERVER_AUTHZ8, "server_authz" }, /* RFC 5878 */
1339 { SSL_HND_HELLO_EXT_CERT_TYPE9, "cert_type" }, /* RFC 6091 */
1340 { SSL_HND_HELLO_EXT_SUPPORTED_GROUPS10, "supported_groups" }, /* RFC 4492, RFC 7919 */
1341 { SSL_HND_HELLO_EXT_EC_POINT_FORMATS11, "ec_point_formats" }, /* RFC 4492 */
1342 { SSL_HND_HELLO_EXT_SRP12, "srp" }, /* RFC 5054 */
1343 { SSL_HND_HELLO_EXT_SIGNATURE_ALGORITHMS13, "signature_algorithms" }, /* RFC 5246 */
1344 { SSL_HND_HELLO_EXT_USE_SRTP14, "use_srtp" }, /* RFC 5764 */
1345 { SSL_HND_HELLO_EXT_HEARTBEAT15, "heartbeat" }, /* RFC 6520 */
1346 { SSL_HND_HELLO_EXT_ALPN16, "application_layer_protocol_negotiation" }, /* RFC 7301 */
1347 { SSL_HND_HELLO_EXT_STATUS_REQUEST_V217, "status_request_v2" }, /* RFC 6961 */
1348 { SSL_HND_HELLO_EXT_SIGNED_CERTIFICATE_TIMESTAMP18, "signed_certificate_timestamp" }, /* RFC 6962 */
1349 { SSL_HND_HELLO_EXT_CLIENT_CERT_TYPE19, "client_certificate_type" }, /* RFC 7250 */
1350 { SSL_HND_HELLO_EXT_SERVER_CERT_TYPE20, "server_certificate_type" }, /* RFC 7250 */
1351 { SSL_HND_HELLO_EXT_PADDING21, "padding" }, /* RFC 7685 */
1352 { SSL_HND_HELLO_EXT_ENCRYPT_THEN_MAC22, "encrypt_then_mac" }, /* RFC 7366 */
1353 { SSL_HND_HELLO_EXT_EXTENDED_MASTER_SECRET23, "extended_master_secret" }, /* RFC 7627 */
1354 { SSL_HND_HELLO_EXT_TOKEN_BINDING24, "token_binding" }, /* https://tools.ietf.org/html/draft-ietf-tokbind-negotiation */
1355 { SSL_HND_HELLO_EXT_CACHED_INFO25, "cached_info" }, /* RFC 7924 */
1356 { SSL_HND_HELLO_EXT_COMPRESS_CERTIFICATE27, "compress_certificate" }, /* https://tools.ietf.org/html/draft-ietf-tls-certificate-compression-03 */
1357 { SSL_HND_HELLO_EXT_RECORD_SIZE_LIMIT28, "record_size_limit" }, /* RFC 8449 */
1358 { SSL_HND_HELLO_EXT_DELEGATED_CREDENTIALS34, "delegated_credentials" }, /* draft-ietf-tls-subcerts-10.txt */
1359 { SSL_HND_HELLO_EXT_SESSION_TICKET_TLS35, "session_ticket" }, /* RFC 5077 / RFC 8447 */
1360 { SSL_HND_HELLO_EXT_KEY_SHARE_OLD40, "Reserved (key_share)" }, /* https://tools.ietf.org/html/draft-ietf-tls-tls13-22 (removed in -23) */
1361 { SSL_HND_HELLO_EXT_PRE_SHARED_KEY41, "pre_shared_key" }, /* RFC 8446 */
1362 { SSL_HND_HELLO_EXT_EARLY_DATA42, "early_data" }, /* RFC 8446 */
1363 { SSL_HND_HELLO_EXT_SUPPORTED_VERSIONS43, "supported_versions" }, /* RFC 8446 */
1364 { SSL_HND_HELLO_EXT_COOKIE44, "cookie" }, /* RFC 8446 */
1365 { SSL_HND_HELLO_EXT_PSK_KEY_EXCHANGE_MODES45, "psk_key_exchange_modes" }, /* RFC 8446 */
1366 { SSL_HND_HELLO_EXT_TICKET_EARLY_DATA_INFO46, "Reserved (ticket_early_data_info)" }, /* draft-ietf-tls-tls13-18 (removed in -19) */
1367 { SSL_HND_HELLO_EXT_CERTIFICATE_AUTHORITIES47, "certificate_authorities" }, /* RFC 8446 */
1368 { SSL_HND_HELLO_EXT_OID_FILTERS48, "oid_filters" }, /* RFC 8446 */
1369 { SSL_HND_HELLO_EXT_POST_HANDSHAKE_AUTH49, "post_handshake_auth" }, /* RFC 8446 */
1370 { SSL_HND_HELLO_EXT_SIGNATURE_ALGORITHMS_CERT50, "signature_algorithms_cert" }, /* RFC 8446 */
1371 { SSL_HND_HELLO_EXT_KEY_SHARE51, "key_share" }, /* RFC 8446 */
1372 { SSL_HND_HELLO_EXT_TRANSPARENCY_INFO52, "transparency_info" }, /* draft-ietf-trans-rfc6962-bis-41 */
1373 { SSL_HND_HELLO_EXT_CONNECTION_ID_DEPRECATED53, "connection_id (deprecated)" }, /* draft-ietf-tls-dtls-connection-id-07 */
1374 { SSL_HND_HELLO_EXT_CONNECTION_ID54, "connection_id" }, /* RFC 9146 */
1375 { SSL_HND_HELLO_EXT_EXTERNAL_ID_HASH55, "external_id_hash" }, /* RFC 8844 */
1376 { SSL_HND_HELLO_EXT_EXTERNAL_SESSION_ID56, "external_session_id" }, /* RFC 8844 */
1377 { SSL_HND_HELLO_EXT_QUIC_TRANSPORT_PARAMETERS_V157, "quic_transport_parameters" }, /* draft-ietf-quic-tls-33 */
1378 { SSL_HND_HELLO_EXT_TICKET_REQUEST58, "ticket_request" }, /* draft-ietf-tls-ticketrequests-07 */
1379 { SSL_HND_HELLO_EXT_DNSSEC_CHAIN59, "dnssec_chain" }, /* RFC 9102 */
1380 { SSL_HND_HELLO_EXT_GREASE_0A0A2570, "Reserved (GREASE)" }, /* RFC 8701 */
1381 { SSL_HND_HELLO_EXT_GREASE_1A1A6682, "Reserved (GREASE)" }, /* RFC 8701 */
1382 { SSL_HND_HELLO_EXT_GREASE_2A2A10794, "Reserved (GREASE)" }, /* RFC 8701 */
1383 { SSL_HND_HELLO_EXT_NPN13172, "next_protocol_negotiation"}, /* https://tools.ietf.org/id/draft-agl-tls-nextprotoneg-03.html */
1384 { SSL_HND_HELLO_EXT_GREASE_3A3A14906, "Reserved (GREASE)" }, /* RFC 8701 */
1385 { SSL_HND_HELLO_EXT_ALPS17513, "application_settings" }, /* draft-vvv-tls-alps-01 */
1386 { SSL_HND_HELLO_EXT_GREASE_4A4A19018, "Reserved (GREASE)" }, /* RFC 8701 */
1387 { SSL_HND_HELLO_EXT_GREASE_5A5A23130, "Reserved (GREASE)" }, /* RFC 8701 */
1388 { SSL_HND_HELLO_EXT_GREASE_6A6A27242, "Reserved (GREASE)" }, /* RFC 8701 */
1389 { SSL_HND_HELLO_EXT_CHANNEL_ID_OLD30031, "channel_id_old" }, /* https://tools.ietf.org/html/draft-balfanz-tls-channelid-00
1390 https://twitter.com/ericlaw/status/274237352531083264 */
1391 { SSL_HND_HELLO_EXT_CHANNEL_ID30032, "channel_id" }, /* https://tools.ietf.org/html/draft-balfanz-tls-channelid-01
1392 https://code.google.com/p/chromium/codesearch#chromium/src/net/third_party/nss/ssl/sslt.h&l=209 */
1393 { SSL_HND_HELLO_EXT_RENEGOTIATION_INFO65281, "renegotiation_info" }, /* RFC 5746 */
1394 { SSL_HND_HELLO_EXT_GREASE_7A7A31354, "Reserved (GREASE)" }, /* RFC 8701 */
1395 { SSL_HND_HELLO_EXT_GREASE_8A8A35466, "Reserved (GREASE)" }, /* RFC 8701 */
1396 { SSL_HND_HELLO_EXT_GREASE_9A9A39578, "Reserved (GREASE)" }, /* RFC 8701 */
1397 { SSL_HND_HELLO_EXT_GREASE_AAAA43690, "Reserved (GREASE)" }, /* RFC 8701 */
1398 { SSL_HND_HELLO_EXT_GREASE_BABA47802, "Reserved (GREASE)" }, /* RFC 8701 */
1399 { SSL_HND_HELLO_EXT_GREASE_CACA51914, "Reserved (GREASE)" }, /* RFC 8701 */
1400 { SSL_HND_HELLO_EXT_GREASE_DADA56026, "Reserved (GREASE)" }, /* RFC 8701 */
1401 { SSL_HND_HELLO_EXT_GREASE_EAEA60138, "Reserved (GREASE)" }, /* RFC 8701 */
1402 { SSL_HND_HELLO_EXT_GREASE_FAFA64250, "Reserved (GREASE)" }, /* RFC 8701 */
1403 { SSL_HND_HELLO_EXT_QUIC_TRANSPORT_PARAMETERS65445, "quic_transport_parameters (drafts version)" }, /* https://tools.ietf.org/html/draft-ietf-quic-tls */
1404 { SSL_HND_HELLO_EXT_ENCRYPTED_SERVER_NAME65486, "encrypted_server_name" }, /* https://tools.ietf.org/html/draft-ietf-tls-esni-01 */
1405 { SSL_HND_HELLO_EXT_ENCRYPTED_CLIENT_HELLO65037, "encrypted_client_hello" }, /* https://datatracker.ietf.org/doc/draft-ietf-tls-esni/17/ */
1406 { SSL_HND_HELLO_EXT_ECH_OUTER_EXTENSIONS64768, "ech_outer_extensions" }, /* https://datatracker.ietf.org/doc/draft-ietf-tls-esni/17/ */
1407 { 0, NULL((void*)0) }
1408};
1409
1410const value_string tls_hello_ext_server_name_type_vs[] = {
1411 { 0, "host_name" },
1412 { 0, NULL((void*)0) }
1413};
1414
1415/* RFC 6066 Section 4 */
1416const value_string tls_hello_ext_max_fragment_length[] = {
1417 { 1, "512" }, // 2^9
1418 { 2, "1024" }, // 2^10
1419 { 3, "2048" }, // 2^11
1420 { 4, "4096" }, // 2^12
1421 { 0, NULL((void*)0) }
1422};
1423
1424/* RFC 8446 Section 4.2.9 */
1425const value_string tls_hello_ext_psk_ke_mode[] = {
1426 { 0, "PSK-only key establishment (psk_ke)" },
1427 { 1, "PSK with (EC)DHE key establishment (psk_dhe_ke)" },
1428 { 0, NULL((void*)0) }
1429};
1430
1431/* RFC 6066 Section 6 */
1432const value_string tls_hello_ext_trusted_ca_key_type[] = {
1433 {0, "pre_agreed"},
1434 {1, "key_sha1_hash"},
1435 {2, "x509_name"},
1436 {3, "cert_sha1_hash"},
1437 {0, NULL((void*)0)}
1438};
1439
1440const value_string tls13_key_update_request[] = {
1441 { 0, "update_not_requested" },
1442 { 1, "update_requested" },
1443 { 0, NULL((void*)0) }
1444};
1445
1446/* RFC 5246 7.4.1.4.1 */
1447/* https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml */
1448/* Note that the TLS 1.3 SignatureScheme registry reserves all values
1449 * with first octet 0x00-0x06 and all values with second octet 0x00-0x03
1450 * for backwards compatibility with TLS 1.2 SignatureAndHashAlgorithm.
1451 *
1452 * RFC 8422 and RFC 9189 add official support in TLS 1.2 for some algorithms
1453 * originally defined for TLS 1.3, and extend the TLS SignatureAlgorithm
1454 * and TLS HashAlgorithm registries, but the new values are not compatible
1455 * with all of the TLS 1.3-only SignatureSchemes. Adding those values could
1456 * cause confusion if used to interpret one of those schemes in a
1457 * signature_algorithms extension offered in a TLS 1.3 ClientHello.
1458 */
1459const value_string tls_hash_algorithm[] = {
1460 { 0, "None" },
1461 { 1, "MD5" },
1462 { 2, "SHA1" },
1463 { 3, "SHA224" },
1464 { 4, "SHA256" },
1465 { 5, "SHA384" },
1466 { 6, "SHA512" },
1467#if 0
1468 /* RFC 8422 adds this to the HashAlgorithm registry, but it really
1469 * only applies to 0x0807 and 0x0808, not for other TLS 1.3
1470 * SignatureSchemes with 0x08 in the octet used for Hash in TLS 1.2.
1471 * E.g., we don't want to display this for 0x0806 rsa_pss_rsae_sha512.
1472 */
1473 { 8, "Intrinsic" },
1474#endif
1475 { 0, NULL((void*)0) }
1476};
1477
1478const value_string tls_signature_algorithm[] = {
1479 { 0, "Anonymous" },
1480 { 1, "RSA" },
1481 { 2, "DSA" },
1482 { 3, "ECDSA" },
1483#if 0
1484 /* As above. */
1485 { 7, "ED25519" },
1486 { 8, "ED448" },
1487 { 64, "GOSTR34102012_256" },
1488 { 65, "GOSTR34102012_512" },
1489#endif
1490 { 0, NULL((void*)0) }
1491};
1492
1493/* RFC 8446 Section 4.2.3 */
1494const value_string tls13_signature_algorithm[] = {
1495 { 0x0201, "rsa_pkcs1_sha1" },
1496 { 0x0203, "ecdsa_sha1" },
1497 { 0x0401, "rsa_pkcs1_sha256" },
1498 { 0x0403, "ecdsa_secp256r1_sha256" },
1499 { 0x0420, "rsa_pkcs1_sha256_legacy" }, /* draft-davidben-tls13-pkcs1-01 */
1500 { 0x0501, "rsa_pkcs1_sha384" },
1501 { 0x0503, "ecdsa_secp384r1_sha384" },
1502 { 0x0520, "rsa_pkcs1_sha384_legacy" }, /* draft-davidben-tls13-pkcs1-01 */
1503 { 0x0601, "rsa_pkcs1_sha512" },
1504 { 0x0603, "ecdsa_secp521r1_sha512" },
1505 { 0x0620, "rsa_pkcs1_sha512_legacy" }, /* draft-davidben-tls13-pkcs1-01 */
1506 { 0x0708, "sm2sig_sm3" },
1507 { 0x0709, "gostr34102012_256a" }, /* RFC9367 */
1508 { 0x070a, "gostr34102012_256b" }, /* RFC9367 */
1509 { 0x070b, "gostr34102012_256c" }, /* RFC9367 */
1510 { 0x070c, "gostr34102012_256d" }, /* RFC9367 */
1511 { 0x070d, "gostr34102012_512a" }, /* RFC9367 */
1512 { 0x070e, "gostr34102012_512b" }, /* RFC9367 */
1513 { 0x070f, "gostr34102012_512c" }, /* RFC9367 */
1514 { 0x0804, "rsa_pss_rsae_sha256" },
1515 { 0x0805, "rsa_pss_rsae_sha384" },
1516 { 0x0806, "rsa_pss_rsae_sha512" },
1517 { 0x0807, "ed25519" },
1518 { 0x0808, "ed448" },
1519 { 0x0809, "rsa_pss_pss_sha256" },
1520 { 0x080a, "rsa_pss_pss_sha384" },
1521 { 0x080b, "rsa_pss_pss_sha512" },
1522 { 0x081a, "ecdsa_brainpoolP256r1tls13_sha256" }, /* RFC8734 */
1523 { 0x081b, "ecdsa_brainpoolP384r1tls13_sha384" }, /* RFC8734 */
1524 { 0x081c, "ecdsa_brainpoolP512r1tls13_sha512" }, /* RFC8734 */
1525 /* PQC digital signature algorithms from OQS-OpenSSL,
1526 see https://github.com/open-quantum-safe/openssl/blob/OQS-OpenSSL_1_1_1-stable/oqs-template/oqs-sig-info.md */
1527 { 0xfea0, "dilithium2" },
1528 { 0xfea1, "p256_dilithium2" },
1529 { 0xfea2, "rsa3072_dilithium2" },
1530 { 0xfea3, "dilithium3" },
1531 { 0xfea4, "p384_dilithium3" },
1532 { 0xfea5, "dilithium5" },
1533 { 0xfea6, "p521_dilithium5" },
1534 { 0xfea7, "dilithium2_aes" },
1535 { 0xfea8, "p256_dilithium2_aes" },
1536 { 0xfea9, "rsa3072_dilithium2_aes" },
1537 { 0xfeaa, "dilithium3_aes" },
1538 { 0xfeab, "p384_dilithium3_aes" },
1539 { 0xfeac, "dilithium5_aes" },
1540 { 0xfead, "p521_dilithium5_aes" },
1541 { 0xfe0b, "falcon512" },
1542 { 0xfe0c, "p256_falcon512" },
1543 { 0xfe0d, "rsa3072_falcon512" },
1544 { 0xfe0e, "falcon1024" },
1545 { 0xfe0f, "p521_falcon1024" },
1546 { 0xfe96, "picnicl1full" },
1547 { 0xfe97, "p256_picnicl1full" },
1548 { 0xfe98, "rsa3072_picnicl1full" },
1549 { 0xfe1b, "picnic3l1" },
1550 { 0xfe1c, "p256_picnic3l1" },
1551 { 0xfe1d, "rsa3072_picnic3l1" },
1552 { 0xfe27, "rainbowIclassic" },
1553 { 0xfe28, "p256_rainbowIclassic" },
1554 { 0xfe29, "rsa3072_rainbowIclassic" },
1555 { 0xfe3c, "rainbowVclassic" },
1556 { 0xfe3d, "p521_rainbowVclassic" },
1557 { 0xfe42, "sphincsharaka128frobust" },
1558 { 0xfe43, "p256_sphincsharaka128frobust" },
1559 { 0xfe44, "rsa3072_sphincsharaka128frobust" },
1560 { 0xfe5e, "sphincssha256128frobust" },
1561 { 0xfe5f, "p256_sphincssha256128frobust" },
1562 { 0xfe60, "rsa3072_sphincssha256128frobust" },
1563 { 0xfe7a, "sphincsshake256128frobust" },
1564 { 0xfe7b, "p256_sphincsshake256128frobust" },
1565 { 0xfe7c, "rsa3072_sphincsshake256128frobust" },
1566 { 0, NULL((void*)0) }
1567};
1568
1569/* RFC 6091 3.1 */
1570const value_string tls_certificate_type[] = {
1571 { 0, "X.509" },
1572 { 1, "OpenPGP" },
1573 { SSL_HND_CERT_TYPE_RAW_PUBLIC_KEY2, "Raw Public Key" }, /* RFC 7250 */
1574 { 0, NULL((void*)0) }
1575};
1576
1577const value_string tls_cert_chain_type[] = {
1578 { SSL_HND_CERT_URL_TYPE_INDIVIDUAL_CERT1, "Individual Certificates" },
1579 { SSL_HND_CERT_URL_TYPE_PKIPATH2, "PKI Path" },
1580 { 0, NULL((void*)0) }
1581};
1582
1583const value_string tls_cert_status_type[] = {
1584 { SSL_HND_CERT_STATUS_TYPE_OCSP1, "OCSP" },
1585 { SSL_HND_CERT_STATUS_TYPE_OCSP_MULTI2, "OCSP Multi" },
1586 { 0, NULL((void*)0) }
1587};
1588
1589/* Generated by tools/make-tls-ct-logids.py
1590 * Last-Modified Sat, 05 Oct 2024 13:48:00 GMT, 165 entries. */
1591static const bytes_string ct_logids[] = {
1592 { (const uint8_t[]){
1593 0xb2, 0x1e, 0x05, 0xcc, 0x8b, 0xa2, 0xcd, 0x8a, 0x20, 0x4e, 0x87,
1594 0x66, 0xf9, 0x2b, 0xb9, 0x8a, 0x25, 0x20, 0x67, 0x6b, 0xda, 0xfa,
1595 0x70, 0xe7, 0xb2, 0x49, 0x53, 0x2d, 0xef, 0x8b, 0x90, 0x5e,
1596 },
1597 32, "Google 'Argon2020' log" },
1598 { (const uint8_t[]){
1599 0xf6, 0x5c, 0x94, 0x2f, 0xd1, 0x77, 0x30, 0x22, 0x14, 0x54, 0x18,
1600 0x08, 0x30, 0x94, 0x56, 0x8e, 0xe3, 0x4d, 0x13, 0x19, 0x33, 0xbf,
1601 0xdf, 0x0c, 0x2f, 0x20, 0x0b, 0xcc, 0x4e, 0xf1, 0x64, 0xe3,
1602 },
1603 32, "Google 'Argon2021' log" },
1604 { (const uint8_t[]){
1605 0x29, 0x79, 0xbe, 0xf0, 0x9e, 0x39, 0x39, 0x21, 0xf0, 0x56, 0x73,
1606 0x9f, 0x63, 0xa5, 0x77, 0xe5, 0xbe, 0x57, 0x7d, 0x9c, 0x60, 0x0a,
1607 0xf8, 0xf9, 0x4d, 0x5d, 0x26, 0x5c, 0x25, 0x5d, 0xc7, 0x84,
1608 },
1609 32, "Google 'Argon2022' log" },
1610 { (const uint8_t[]){
1611 0xe8, 0x3e, 0xd0, 0xda, 0x3e, 0xf5, 0x06, 0x35, 0x32, 0xe7, 0x57,
1612 0x28, 0xbc, 0x89, 0x6b, 0xc9, 0x03, 0xd3, 0xcb, 0xd1, 0x11, 0x6b,
1613 0xec, 0xeb, 0x69, 0xe1, 0x77, 0x7d, 0x6d, 0x06, 0xbd, 0x6e,
1614 },
1615 32, "Google 'Argon2023' log" },
1616 { (const uint8_t[]){
1617 0xee, 0xcd, 0xd0, 0x64, 0xd5, 0xdb, 0x1a, 0xce, 0xc5, 0x5c, 0xb7,
1618 0x9d, 0xb4, 0xcd, 0x13, 0xa2, 0x32, 0x87, 0x46, 0x7c, 0xbc, 0xec,
1619 0xde, 0xc3, 0x51, 0x48, 0x59, 0x46, 0x71, 0x1f, 0xb5, 0x9b,
1620 },
1621 32, "Google 'Argon2024' log" },
1622 { (const uint8_t[]){
1623 0x4e, 0x75, 0xa3, 0x27, 0x5c, 0x9a, 0x10, 0xc3, 0x38, 0x5b, 0x6c,
1624 0xd4, 0xdf, 0x3f, 0x52, 0xeb, 0x1d, 0xf0, 0xe0, 0x8e, 0x1b, 0x8d,
1625 0x69, 0xc0, 0xb1, 0xfa, 0x64, 0xb1, 0x62, 0x9a, 0x39, 0xdf,
1626 },
1627 32, "Google 'Argon2025h1' log" },
1628 { (const uint8_t[]){
1629 0x12, 0xf1, 0x4e, 0x34, 0xbd, 0x53, 0x72, 0x4c, 0x84, 0x06, 0x19,
1630 0xc3, 0x8f, 0x3f, 0x7a, 0x13, 0xf8, 0xe7, 0xb5, 0x62, 0x87, 0x88,
1631 0x9c, 0x6d, 0x30, 0x05, 0x84, 0xeb, 0xe5, 0x86, 0x26, 0x3a,
1632 },
1633 32, "Google 'Argon2025h2' log" },
1634 { (const uint8_t[]){
1635 0x0e, 0x57, 0x94, 0xbc, 0xf3, 0xae, 0xa9, 0x3e, 0x33, 0x1b, 0x2c,
1636 0x99, 0x07, 0xb3, 0xf7, 0x90, 0xdf, 0x9b, 0xc2, 0x3d, 0x71, 0x32,
1637 0x25, 0xdd, 0x21, 0xa9, 0x25, 0xac, 0x61, 0xc5, 0x4e, 0x21,
1638 },
1639 32, "Google 'Argon2026h1' log" },
1640 { (const uint8_t[]){
1641 0xd7, 0x6d, 0x7d, 0x10, 0xd1, 0xa7, 0xf5, 0x77, 0xc2, 0xc7, 0xe9,
1642 0x5f, 0xd7, 0x00, 0xbf, 0xf9, 0x82, 0xc9, 0x33, 0x5a, 0x65, 0xe1,
1643 0xd0, 0xb3, 0x01, 0x73, 0x17, 0xc0, 0xc8, 0xc5, 0x69, 0x77,
1644 },
1645 32, "Google 'Argon2026h2' log" },
1646 { (const uint8_t[]){
1647 0x07, 0xb7, 0x5c, 0x1b, 0xe5, 0x7d, 0x68, 0xff, 0xf1, 0xb0, 0xc6,
1648 0x1d, 0x23, 0x15, 0xc7, 0xba, 0xe6, 0x57, 0x7c, 0x57, 0x94, 0xb7,
1649 0x6a, 0xee, 0xbc, 0x61, 0x3a, 0x1a, 0x69, 0xd3, 0xa2, 0x1c,
1650 },
1651 32, "Google 'Xenon2020' log" },
1652 { (const uint8_t[]){
1653 0x7d, 0x3e, 0xf2, 0xf8, 0x8f, 0xff, 0x88, 0x55, 0x68, 0x24, 0xc2,
1654 0xc0, 0xca, 0x9e, 0x52, 0x89, 0x79, 0x2b, 0xc5, 0x0e, 0x78, 0x09,
1655 0x7f, 0x2e, 0x6a, 0x97, 0x68, 0x99, 0x7e, 0x22, 0xf0, 0xd7,
1656 },
1657 32, "Google 'Xenon2021' log" },
1658 { (const uint8_t[]){
1659 0x46, 0xa5, 0x55, 0xeb, 0x75, 0xfa, 0x91, 0x20, 0x30, 0xb5, 0xa2,
1660 0x89, 0x69, 0xf4, 0xf3, 0x7d, 0x11, 0x2c, 0x41, 0x74, 0xbe, 0xfd,
1661 0x49, 0xb8, 0x85, 0xab, 0xf2, 0xfc, 0x70, 0xfe, 0x6d, 0x47,
1662 },
1663 32, "Google 'Xenon2022' log" },
1664 { (const uint8_t[]){
1665 0xad, 0xf7, 0xbe, 0xfa, 0x7c, 0xff, 0x10, 0xc8, 0x8b, 0x9d, 0x3d,
1666 0x9c, 0x1e, 0x3e, 0x18, 0x6a, 0xb4, 0x67, 0x29, 0x5d, 0xcf, 0xb1,
1667 0x0c, 0x24, 0xca, 0x85, 0x86, 0x34, 0xeb, 0xdc, 0x82, 0x8a,
1668 },
1669 32, "Google 'Xenon2023' log" },
1670 { (const uint8_t[]){
1671 0x76, 0xff, 0x88, 0x3f, 0x0a, 0xb6, 0xfb, 0x95, 0x51, 0xc2, 0x61,
1672 0xcc, 0xf5, 0x87, 0xba, 0x34, 0xb4, 0xa4, 0xcd, 0xbb, 0x29, 0xdc,
1673 0x68, 0x42, 0x0a, 0x9f, 0xe6, 0x67, 0x4c, 0x5a, 0x3a, 0x74,
1674 },
1675 32, "Google 'Xenon2024' log" },
1676 { (const uint8_t[]){
1677 0xcf, 0x11, 0x56, 0xee, 0xd5, 0x2e, 0x7c, 0xaf, 0xf3, 0x87, 0x5b,
1678 0xd9, 0x69, 0x2e, 0x9b, 0xe9, 0x1a, 0x71, 0x67, 0x4a, 0xb0, 0x17,
1679 0xec, 0xac, 0x01, 0xd2, 0x5b, 0x77, 0xce, 0xcc, 0x3b, 0x08,
1680 },
1681 32, "Google 'Xenon2025h1' log" },
1682 { (const uint8_t[]){
1683 0xdd, 0xdc, 0xca, 0x34, 0x95, 0xd7, 0xe1, 0x16, 0x05, 0xe7, 0x95,
1684 0x32, 0xfa, 0xc7, 0x9f, 0xf8, 0x3d, 0x1c, 0x50, 0xdf, 0xdb, 0x00,
1685 0x3a, 0x14, 0x12, 0x76, 0x0a, 0x2c, 0xac, 0xbb, 0xc8, 0x2a,
1686 },
1687 32, "Google 'Xenon2025h2' log" },
1688 { (const uint8_t[]){
1689 0x96, 0x97, 0x64, 0xbf, 0x55, 0x58, 0x97, 0xad, 0xf7, 0x43, 0x87,
1690 0x68, 0x37, 0x08, 0x42, 0x77, 0xe9, 0xf0, 0x3a, 0xd5, 0xf6, 0xa4,
1691 0xf3, 0x36, 0x6e, 0x46, 0xa4, 0x3f, 0x0f, 0xca, 0xa9, 0xc6,
1692 },
1693 32, "Google 'Xenon2026h1' log" },
1694 { (const uint8_t[]){
1695 0xd8, 0x09, 0x55, 0x3b, 0x94, 0x4f, 0x7a, 0xff, 0xc8, 0x16, 0x19,
1696 0x6f, 0x94, 0x4f, 0x85, 0xab, 0xb0, 0xf8, 0xfc, 0x5e, 0x87, 0x55,
1697 0x26, 0x0f, 0x15, 0xd1, 0x2e, 0x72, 0xbb, 0x45, 0x4b, 0x14,
1698 },
1699 32, "Google 'Xenon2026h2' log" },
1700 { (const uint8_t[]){
1701 0x68, 0xf6, 0x98, 0xf8, 0x1f, 0x64, 0x82, 0xbe, 0x3a, 0x8c, 0xee,
1702 0xb9, 0x28, 0x1d, 0x4c, 0xfc, 0x71, 0x51, 0x5d, 0x67, 0x93, 0xd4,
1703 0x44, 0xd1, 0x0a, 0x67, 0xac, 0xbb, 0x4f, 0x4f, 0xfb, 0xc4,
1704 },
1705 32, "Google 'Aviator' log" },
1706 { (const uint8_t[]){
1707 0x29, 0x3c, 0x51, 0x96, 0x54, 0xc8, 0x39, 0x65, 0xba, 0xaa, 0x50,
1708 0xfc, 0x58, 0x07, 0xd4, 0xb7, 0x6f, 0xbf, 0x58, 0x7a, 0x29, 0x72,
1709 0xdc, 0xa4, 0xc3, 0x0c, 0xf4, 0xe5, 0x45, 0x47, 0xf4, 0x78,
1710 },
1711 32, "Google 'Icarus' log" },
1712 { (const uint8_t[]){
1713 0xa4, 0xb9, 0x09, 0x90, 0xb4, 0x18, 0x58, 0x14, 0x87, 0xbb, 0x13,
1714 0xa2, 0xcc, 0x67, 0x70, 0x0a, 0x3c, 0x35, 0x98, 0x04, 0xf9, 0x1b,
1715 0xdf, 0xb8, 0xe3, 0x77, 0xcd, 0x0e, 0xc8, 0x0d, 0xdc, 0x10,
1716 },
1717 32, "Google 'Pilot' log" },
1718 { (const uint8_t[]){
1719 0xee, 0x4b, 0xbd, 0xb7, 0x75, 0xce, 0x60, 0xba, 0xe1, 0x42, 0x69,
1720 0x1f, 0xab, 0xe1, 0x9e, 0x66, 0xa3, 0x0f, 0x7e, 0x5f, 0xb0, 0x72,
1721 0xd8, 0x83, 0x00, 0xc4, 0x7b, 0x89, 0x7a, 0xa8, 0xfd, 0xcb,
1722 },
1723 32, "Google 'Rocketeer' log" },
1724 { (const uint8_t[]){
1725 0xbb, 0xd9, 0xdf, 0xbc, 0x1f, 0x8a, 0x71, 0xb5, 0x93, 0x94, 0x23,
1726 0x97, 0xaa, 0x92, 0x7b, 0x47, 0x38, 0x57, 0x95, 0x0a, 0xab, 0x52,
1727 0xe8, 0x1a, 0x90, 0x96, 0x64, 0x36, 0x8e, 0x1e, 0xd1, 0x85,
1728 },
1729 32, "Google 'Skydiver' log" },
1730 { (const uint8_t[]){
1731 0xfa, 0xd4, 0xc9, 0x7c, 0xc4, 0x9e, 0xe2, 0xf8, 0xac, 0x85, 0xc5,
1732 0xea, 0x5c, 0xea, 0x09, 0xd0, 0x22, 0x0d, 0xbb, 0xf4, 0xe4, 0x9c,
1733 0x6b, 0x50, 0x66, 0x2f, 0xf8, 0x68, 0xf8, 0x6b, 0x8c, 0x28,
1734 },
1735 32, "Google 'Argon2017' log" },
1736 { (const uint8_t[]){
1737 0xa4, 0x50, 0x12, 0x69, 0x05, 0x5a, 0x15, 0x54, 0x5e, 0x62, 0x11,
1738 0xab, 0x37, 0xbc, 0x10, 0x3f, 0x62, 0xae, 0x55, 0x76, 0xa4, 0x5e,
1739 0x4b, 0x17, 0x14, 0x45, 0x3e, 0x1b, 0x22, 0x10, 0x6a, 0x25,
1740 },
1741 32, "Google 'Argon2018' log" },
1742 { (const uint8_t[]){
1743 0x63, 0xf2, 0xdb, 0xcd, 0xe8, 0x3b, 0xcc, 0x2c, 0xcf, 0x0b, 0x72,
1744 0x84, 0x27, 0x57, 0x6b, 0x33, 0xa4, 0x8d, 0x61, 0x77, 0x8f, 0xbd,
1745 0x75, 0xa6, 0x38, 0xb1, 0xc7, 0x68, 0x54, 0x4b, 0xd8, 0x8d,
1746 },
1747 32, "Google 'Argon2019' log" },
1748 { (const uint8_t[]){
1749 0xb1, 0x0c, 0xd5, 0x59, 0xa6, 0xd6, 0x78, 0x46, 0x81, 0x1f, 0x7d,
1750 0xf9, 0xa5, 0x15, 0x32, 0x73, 0x9a, 0xc4, 0x8d, 0x70, 0x3b, 0xea,
1751 0x03, 0x23, 0xda, 0x5d, 0x38, 0x75, 0x5b, 0xc0, 0xad, 0x4e,
1752 },
1753 32, "Google 'Xenon2018' log" },
1754 { (const uint8_t[]){
1755 0x08, 0x41, 0x14, 0x98, 0x00, 0x71, 0x53, 0x2c, 0x16, 0x19, 0x04,
1756 0x60, 0xbc, 0xfc, 0x47, 0xfd, 0xc2, 0x65, 0x3a, 0xfa, 0x29, 0x2c,
1757 0x72, 0xb3, 0x7f, 0xf8, 0x63, 0xae, 0x29, 0xcc, 0xc9, 0xf0,
1758 },
1759 32, "Google 'Xenon2019' log" },
1760 { (const uint8_t[]){
1761 0xa8, 0x99, 0xd8, 0x78, 0x0c, 0x92, 0x90, 0xaa, 0xf4, 0x62, 0xf3,
1762 0x18, 0x80, 0xcc, 0xfb, 0xd5, 0x24, 0x51, 0xe9, 0x70, 0xd0, 0xfb,
1763 0xf5, 0x91, 0xef, 0x75, 0xb0, 0xd9, 0x9b, 0x64, 0x56, 0x81,
1764 },
1765 32, "Google 'Submariner' log" },
1766 { (const uint8_t[]){
1767 0x1d, 0x02, 0x4b, 0x8e, 0xb1, 0x49, 0x8b, 0x34, 0x4d, 0xfd, 0x87,
1768 0xea, 0x3e, 0xfc, 0x09, 0x96, 0xf7, 0x50, 0x6f, 0x23, 0x5d, 0x1d,
1769 0x49, 0x70, 0x61, 0xa4, 0x77, 0x3c, 0x43, 0x9c, 0x25, 0xfb,
1770 },
1771 32, "Google 'Daedalus' log" },
1772 { (const uint8_t[]){
1773 0xb0, 0xcc, 0x83, 0xe5, 0xa5, 0xf9, 0x7d, 0x6b, 0xaf, 0x7c, 0x09,
1774 0xcc, 0x28, 0x49, 0x04, 0x87, 0x2a, 0xc7, 0xe8, 0x8b, 0x13, 0x2c,
1775 0x63, 0x50, 0xb7, 0xc6, 0xfd, 0x26, 0xe1, 0x6c, 0x6c, 0x77,
1776 },
1777 32, "Google 'Testtube' log" },
1778 { (const uint8_t[]){
1779 0xc3, 0xbf, 0x03, 0xa7, 0xe1, 0xca, 0x88, 0x41, 0xc6, 0x07, 0xba,
1780 0xe3, 0xff, 0x42, 0x70, 0xfc, 0xa5, 0xec, 0x45, 0xb1, 0x86, 0xeb,
1781 0xbe, 0x4e, 0x2c, 0xf3, 0xfc, 0x77, 0x86, 0x30, 0xf5, 0xf6,
1782 },
1783 32, "Google 'Crucible' log" },
1784 { (const uint8_t[]){
1785 0x52, 0xeb, 0x4b, 0x22, 0x5e, 0xc8, 0x96, 0x97, 0x48, 0x50, 0x67,
1786 0x5f, 0x23, 0xe4, 0x3b, 0xc1, 0xd0, 0x21, 0xe3, 0x21, 0x4c, 0xe5,
1787 0x2e, 0xcd, 0x5f, 0xa8, 0x7c, 0x20, 0x3c, 0xdf, 0xca, 0x03,
1788 },
1789 32, "Google 'Solera2018' log" },
1790 { (const uint8_t[]){
1791 0x0b, 0x76, 0x0e, 0x9a, 0x8b, 0x9a, 0x68, 0x2f, 0x88, 0x98, 0x5b,
1792 0x15, 0xe9, 0x47, 0x50, 0x1a, 0x56, 0x44, 0x6b, 0xba, 0x88, 0x30,
1793 0x78, 0x5c, 0x38, 0x42, 0x99, 0x43, 0x86, 0x45, 0x0c, 0x00,
1794 },
1795 32, "Google 'Solera2019' log" },
1796 { (const uint8_t[]){
1797 0x1f, 0xc7, 0x2c, 0xe5, 0xa1, 0xb7, 0x99, 0xf4, 0x00, 0xc3, 0x59,
1798 0xbf, 0xf9, 0x6c, 0xa3, 0x91, 0x35, 0x48, 0xe8, 0x64, 0x42, 0x20,
1799 0x61, 0x09, 0x52, 0xe9, 0xba, 0x17, 0x74, 0xf7, 0xba, 0xc7,
1800 },
1801 32, "Google 'Solera2020' log" },
1802 { (const uint8_t[]){
1803 0xa3, 0xc9, 0x98, 0x45, 0xe8, 0x0a, 0xb7, 0xce, 0x00, 0x15, 0x7b,
1804 0x37, 0x42, 0xdf, 0x02, 0x07, 0xdd, 0x27, 0x2b, 0x2b, 0x60, 0x2e,
1805 0xcf, 0x98, 0xee, 0x2c, 0x12, 0xdb, 0x9c, 0x5a, 0xe7, 0xe7,
1806 },
1807 32, "Google 'Solera2021' log" },
1808 { (const uint8_t[]){
1809 0x69, 0x7a, 0xaf, 0xca, 0x1a, 0x6b, 0x53, 0x6f, 0xae, 0x21, 0x20,
1810 0x50, 0x46, 0xde, 0xba, 0xd7, 0xe0, 0xea, 0xea, 0x13, 0xd2, 0x43,
1811 0x2e, 0x6e, 0x9d, 0x8f, 0xb3, 0x79, 0xf2, 0xb9, 0xaa, 0xf3,
1812 },
1813 32, "Google 'Solera2022' log" },
1814 { (const uint8_t[]){
1815 0xf9, 0x7e, 0x97, 0xb8, 0xd3, 0x3e, 0xf7, 0xa1, 0x59, 0x02, 0xa5,
1816 0x3a, 0x19, 0xe1, 0x79, 0x90, 0xe5, 0xdc, 0x40, 0x6a, 0x03, 0x18,
1817 0x25, 0xba, 0xad, 0x93, 0xe9, 0x8f, 0x9b, 0x9c, 0x69, 0xcb,
1818 },
1819 32, "Google 'Solera2023' log" },
1820 { (const uint8_t[]){
1821 0x30, 0x24, 0xce, 0x7e, 0xeb, 0x16, 0x88, 0x62, 0x72, 0x4b, 0xea,
1822 0x70, 0x2e, 0xff, 0xf9, 0x92, 0xcf, 0xe4, 0x56, 0x43, 0x41, 0x91,
1823 0xaa, 0x59, 0x5b, 0x25, 0xf8, 0x02, 0x26, 0xc8, 0x00, 0x17,
1824 },
1825 32, "Google 'Solera2024' log" },
1826 { (const uint8_t[]){
1827 0x3f, 0xe1, 0xcb, 0x46, 0xed, 0x47, 0x35, 0x79, 0xaf, 0x01, 0x41,
1828 0xf9, 0x72, 0x4d, 0x9d, 0xc4, 0x43, 0x47, 0x2d, 0x75, 0x6e, 0x85,
1829 0xe7, 0x71, 0x9c, 0x55, 0x82, 0x48, 0x5d, 0xd4, 0xe1, 0xe4,
1830 },
1831 32, "Google 'Solera2025h1' log" },
1832 { (const uint8_t[]){
1833 0x26, 0x02, 0x39, 0x48, 0x87, 0x4c, 0xf7, 0xfc, 0xd0, 0xfb, 0x64,
1834 0x71, 0xa4, 0x3e, 0x84, 0x7e, 0xbb, 0x20, 0x0a, 0xe6, 0xe2, 0xfa,
1835 0x24, 0x23, 0x6d, 0xf6, 0xd1, 0xa6, 0x06, 0x63, 0x0f, 0xb1,
1836 },
1837 32, "Google 'Solera2025h2' log" },
1838 { (const uint8_t[]){
1839 0xc8, 0x4b, 0x90, 0x7a, 0x07, 0xbe, 0xaa, 0x29, 0xa6, 0x14, 0xc2,
1840 0x45, 0x84, 0xb7, 0xa3, 0xf6, 0x62, 0x43, 0x94, 0x68, 0x7b, 0x25,
1841 0xfe, 0x62, 0x83, 0x8b, 0x71, 0xec, 0x42, 0x2a, 0xd2, 0xf9,
1842 },
1843 32, "Google 'Solera2026h1' log" },
1844 { (const uint8_t[]){
1845 0x62, 0xe9, 0x00, 0x60, 0x04, 0xa3, 0x07, 0x95, 0x5a, 0x75, 0x44,
1846 0xb4, 0xd5, 0x84, 0xa9, 0x62, 0x68, 0xca, 0x1d, 0x6e, 0x45, 0x85,
1847 0xad, 0xf0, 0x91, 0x6d, 0xfe, 0x5f, 0xdc, 0x1f, 0x04, 0xdb,
1848 },
1849 32, "Google 'Solera2026h2' log" },
1850 { (const uint8_t[]){
1851 0x5e, 0xa7, 0x73, 0xf9, 0xdf, 0x56, 0xc0, 0xe7, 0xb5, 0x36, 0x48,
1852 0x7d, 0xd0, 0x49, 0xe0, 0x32, 0x7a, 0x91, 0x9a, 0x0c, 0x84, 0xa1,
1853 0x12, 0x12, 0x84, 0x18, 0x75, 0x96, 0x81, 0x71, 0x45, 0x58,
1854 },
1855 32, "Cloudflare 'Nimbus2020' Log" },
1856 { (const uint8_t[]){
1857 0x44, 0x94, 0x65, 0x2e, 0xb0, 0xee, 0xce, 0xaf, 0xc4, 0x40, 0x07,
1858 0xd8, 0xa8, 0xfe, 0x28, 0xc0, 0xda, 0xe6, 0x82, 0xbe, 0xd8, 0xcb,
1859 0x31, 0xb5, 0x3f, 0xd3, 0x33, 0x96, 0xb5, 0xb6, 0x81, 0xa8,
1860 },
1861 32, "Cloudflare 'Nimbus2021' Log" },
1862 { (const uint8_t[]){
1863 0x41, 0xc8, 0xca, 0xb1, 0xdf, 0x22, 0x46, 0x4a, 0x10, 0xc6, 0xa1,
1864 0x3a, 0x09, 0x42, 0x87, 0x5e, 0x4e, 0x31, 0x8b, 0x1b, 0x03, 0xeb,
1865 0xeb, 0x4b, 0xc7, 0x68, 0xf0, 0x90, 0x62, 0x96, 0x06, 0xf6,
1866 },
1867 32, "Cloudflare 'Nimbus2022' Log" },
1868 { (const uint8_t[]){
1869 0x7a, 0x32, 0x8c, 0x54, 0xd8, 0xb7, 0x2d, 0xb6, 0x20, 0xea, 0x38,
1870 0xe0, 0x52, 0x1e, 0xe9, 0x84, 0x16, 0x70, 0x32, 0x13, 0x85, 0x4d,
1871 0x3b, 0xd2, 0x2b, 0xc1, 0x3a, 0x57, 0xa3, 0x52, 0xeb, 0x52,
1872 },
1873 32, "Cloudflare 'Nimbus2023' Log" },
1874 { (const uint8_t[]){
1875 0xda, 0xb6, 0xbf, 0x6b, 0x3f, 0xb5, 0xb6, 0x22, 0x9f, 0x9b, 0xc2,
1876 0xbb, 0x5c, 0x6b, 0xe8, 0x70, 0x91, 0x71, 0x6c, 0xbb, 0x51, 0x84,
1877 0x85, 0x34, 0xbd, 0xa4, 0x3d, 0x30, 0x48, 0xd7, 0xfb, 0xab,
1878 },
1879 32, "Cloudflare 'Nimbus2024' Log" },
1880 { (const uint8_t[]){
1881 0xcc, 0xfb, 0x0f, 0x6a, 0x85, 0x71, 0x09, 0x65, 0xfe, 0x95, 0x9b,
1882 0x53, 0xce, 0xe9, 0xb2, 0x7c, 0x22, 0xe9, 0x85, 0x5c, 0x0d, 0x97,
1883 0x8d, 0xb6, 0xa9, 0x7e, 0x54, 0xc0, 0xfe, 0x4c, 0x0d, 0xb0,
1884 },
1885 32, "Cloudflare 'Nimbus2025'" },
1886 { (const uint8_t[]){
1887 0xcb, 0x38, 0xf7, 0x15, 0x89, 0x7c, 0x84, 0xa1, 0x44, 0x5f, 0x5b,
1888 0xc1, 0xdd, 0xfb, 0xc9, 0x6e, 0xf2, 0x9a, 0x59, 0xcd, 0x47, 0x0a,
1889 0x69, 0x05, 0x85, 0xb0, 0xcb, 0x14, 0xc3, 0x14, 0x58, 0xe7,
1890 },
1891 32, "Cloudflare 'Nimbus2026'" },
1892 { (const uint8_t[]){
1893 0x1f, 0xbc, 0x36, 0xe0, 0x02, 0xed, 0xe9, 0x7f, 0x40, 0x19, 0x9e,
1894 0x86, 0xb3, 0x57, 0x3b, 0x8a, 0x42, 0x17, 0xd8, 0x01, 0x87, 0x74,
1895 0x6a, 0xd0, 0xda, 0x03, 0xa0, 0x60, 0x54, 0xd2, 0x0d, 0xf4,
1896 },
1897 32, "Cloudflare 'Nimbus2017' Log" },
1898 { (const uint8_t[]){
1899 0xdb, 0x74, 0xaf, 0xee, 0xcb, 0x29, 0xec, 0xb1, 0xfe, 0xca, 0x3e,
1900 0x71, 0x6d, 0x2c, 0xe5, 0xb9, 0xaa, 0xbb, 0x36, 0xf7, 0x84, 0x71,
1901 0x83, 0xc7, 0x5d, 0x9d, 0x4f, 0x37, 0xb6, 0x1f, 0xbf, 0x64,
1902 },
1903 32, "Cloudflare 'Nimbus2018' Log" },
1904 { (const uint8_t[]){
1905 0x74, 0x7e, 0xda, 0x83, 0x31, 0xad, 0x33, 0x10, 0x91, 0x21, 0x9c,
1906 0xce, 0x25, 0x4f, 0x42, 0x70, 0xc2, 0xbf, 0xfd, 0x5e, 0x42, 0x20,
1907 0x08, 0xc6, 0x37, 0x35, 0x79, 0xe6, 0x10, 0x7b, 0xcc, 0x56,
1908 },
1909 32, "Cloudflare 'Nimbus2019' Log" },
1910 { (const uint8_t[]){
1911 0x56, 0x14, 0x06, 0x9a, 0x2f, 0xd7, 0xc2, 0xec, 0xd3, 0xf5, 0xe1,
1912 0xbd, 0x44, 0xb2, 0x3e, 0xc7, 0x46, 0x76, 0xb9, 0xbc, 0x99, 0x11,
1913 0x5c, 0xc0, 0xef, 0x94, 0x98, 0x55, 0xd6, 0x89, 0xd0, 0xdd,
1914 },
1915 32, "DigiCert Log Server" },
1916 { (const uint8_t[]){
1917 0x87, 0x75, 0xbf, 0xe7, 0x59, 0x7c, 0xf8, 0x8c, 0x43, 0x99, 0x5f,
1918 0xbd, 0xf3, 0x6e, 0xff, 0x56, 0x8d, 0x47, 0x56, 0x36, 0xff, 0x4a,
1919 0xb5, 0x60, 0xc1, 0xb4, 0xea, 0xff, 0x5e, 0xa0, 0x83, 0x0f,
1920 },
1921 32, "DigiCert Log Server 2" },
1922 { (const uint8_t[]){
1923 0xf0, 0x95, 0xa4, 0x59, 0xf2, 0x00, 0xd1, 0x82, 0x40, 0x10, 0x2d,
1924 0x2f, 0x93, 0x88, 0x8e, 0xad, 0x4b, 0xfe, 0x1d, 0x47, 0xe3, 0x99,
1925 0xe1, 0xd0, 0x34, 0xa6, 0xb0, 0xa8, 0xaa, 0x8e, 0xb2, 0x73,
1926 },
1927 32, "DigiCert Yeti2020 Log" },
1928 { (const uint8_t[]){
1929 0x5c, 0xdc, 0x43, 0x92, 0xfe, 0xe6, 0xab, 0x45, 0x44, 0xb1, 0x5e,
1930 0x9a, 0xd4, 0x56, 0xe6, 0x10, 0x37, 0xfb, 0xd5, 0xfa, 0x47, 0xdc,
1931 0xa1, 0x73, 0x94, 0xb2, 0x5e, 0xe6, 0xf6, 0xc7, 0x0e, 0xca,
1932 },
1933 32, "DigiCert Yeti2021 Log" },
1934 { (const uint8_t[]){
1935 0x22, 0x45, 0x45, 0x07, 0x59, 0x55, 0x24, 0x56, 0x96, 0x3f, 0xa1,
1936 0x2f, 0xf1, 0xf7, 0x6d, 0x86, 0xe0, 0x23, 0x26, 0x63, 0xad, 0xc0,
1937 0x4b, 0x7f, 0x5d, 0xc6, 0x83, 0x5c, 0x6e, 0xe2, 0x0f, 0x02,
1938 },
1939 32, "DigiCert Yeti2022 Log" },
1940 { (const uint8_t[]){
1941 0x35, 0xcf, 0x19, 0x1b, 0xbf, 0xb1, 0x6c, 0x57, 0xbf, 0x0f, 0xad,
1942 0x4c, 0x6d, 0x42, 0xcb, 0xbb, 0xb6, 0x27, 0x20, 0x26, 0x51, 0xea,
1943 0x3f, 0xe1, 0x2a, 0xef, 0xa8, 0x03, 0xc3, 0x3b, 0xd6, 0x4c,
1944 },
1945 32, "DigiCert Yeti2023 Log" },
1946 { (const uint8_t[]){
1947 0x48, 0xb0, 0xe3, 0x6b, 0xda, 0xa6, 0x47, 0x34, 0x0f, 0xe5, 0x6a,
1948 0x02, 0xfa, 0x9d, 0x30, 0xeb, 0x1c, 0x52, 0x01, 0xcb, 0x56, 0xdd,
1949 0x2c, 0x81, 0xd9, 0xbb, 0xbf, 0xab, 0x39, 0xd8, 0x84, 0x73,
1950 },
1951 32, "DigiCert Yeti2024 Log" },
1952 { (const uint8_t[]){
1953 0x7d, 0x59, 0x1e, 0x12, 0xe1, 0x78, 0x2a, 0x7b, 0x1c, 0x61, 0x67,
1954 0x7c, 0x5e, 0xfd, 0xf8, 0xd0, 0x87, 0x5c, 0x14, 0xa0, 0x4e, 0x95,
1955 0x9e, 0xb9, 0x03, 0x2f, 0xd9, 0x0e, 0x8c, 0x2e, 0x79, 0xb8,
1956 },
1957 32, "DigiCert Yeti2025 Log" },
1958 { (const uint8_t[]){
1959 0xc6, 0x52, 0xa0, 0xec, 0x48, 0xce, 0xb3, 0xfc, 0xab, 0x17, 0x09,
1960 0x92, 0xc4, 0x3a, 0x87, 0x41, 0x33, 0x09, 0xe8, 0x00, 0x65, 0xa2,
1961 0x62, 0x52, 0x40, 0x1b, 0xa3, 0x36, 0x2a, 0x17, 0xc5, 0x65,
1962 },
1963 32, "DigiCert Nessie2020 Log" },
1964 { (const uint8_t[]){
1965 0xee, 0xc0, 0x95, 0xee, 0x8d, 0x72, 0x64, 0x0f, 0x92, 0xe3, 0xc3,
1966 0xb9, 0x1b, 0xc7, 0x12, 0xa3, 0x69, 0x6a, 0x09, 0x7b, 0x4b, 0x6a,
1967 0x1a, 0x14, 0x38, 0xe6, 0x47, 0xb2, 0xcb, 0xed, 0xc5, 0xf9,
1968 },
1969 32, "DigiCert Nessie2021 Log" },
1970 { (const uint8_t[]){
1971 0x51, 0xa3, 0xb0, 0xf5, 0xfd, 0x01, 0x79, 0x9c, 0x56, 0x6d, 0xb8,
1972 0x37, 0x78, 0x8f, 0x0c, 0xa4, 0x7a, 0xcc, 0x1b, 0x27, 0xcb, 0xf7,
1973 0x9e, 0x88, 0x42, 0x9a, 0x0d, 0xfe, 0xd4, 0x8b, 0x05, 0xe5,
1974 },
1975 32, "DigiCert Nessie2022 Log" },
1976 { (const uint8_t[]){
1977 0xb3, 0x73, 0x77, 0x07, 0xe1, 0x84, 0x50, 0xf8, 0x63, 0x86, 0xd6,
1978 0x05, 0xa9, 0xdc, 0x11, 0x09, 0x4a, 0x79, 0x2d, 0xb1, 0x67, 0x0c,
1979 0x0b, 0x87, 0xdc, 0xf0, 0x03, 0x0e, 0x79, 0x36, 0xa5, 0x9a,
1980 },
1981 32, "DigiCert Nessie2023 Log" },
1982 { (const uint8_t[]){
1983 0x73, 0xd9, 0x9e, 0x89, 0x1b, 0x4c, 0x96, 0x78, 0xa0, 0x20, 0x7d,
1984 0x47, 0x9d, 0xe6, 0xb2, 0xc6, 0x1c, 0xd0, 0x51, 0x5e, 0x71, 0x19,
1985 0x2a, 0x8c, 0x6b, 0x80, 0x10, 0x7a, 0xc1, 0x77, 0x72, 0xb5,
1986 },
1987 32, "DigiCert Nessie2024 Log" },
1988 { (const uint8_t[]){
1989 0xe6, 0xd2, 0x31, 0x63, 0x40, 0x77, 0x8c, 0xc1, 0x10, 0x41, 0x06,
1990 0xd7, 0x71, 0xb9, 0xce, 0xc1, 0xd2, 0x40, 0xf6, 0x96, 0x84, 0x86,
1991 0xfb, 0xba, 0x87, 0x32, 0x1d, 0xfd, 0x1e, 0x37, 0x8e, 0x50,
1992 },
1993 32, "DigiCert Nessie2025 Log" },
1994 { (const uint8_t[]){
1995 0xb6, 0x9d, 0xdc, 0xbc, 0x3c, 0x1a, 0xbd, 0xef, 0x6f, 0x9f, 0xd6,
1996 0x0c, 0x88, 0xb1, 0x06, 0x7b, 0x77, 0xf0, 0x82, 0x68, 0x8b, 0x2d,
1997 0x78, 0x65, 0xd0, 0x4b, 0x39, 0xab, 0xe9, 0x27, 0xa5, 0x75,
1998 },
1999 32, "DigiCert 'Wyvern2024h1' Log" },
2000 { (const uint8_t[]){
2001 0x0c, 0x2a, 0xef, 0x2c, 0x4a, 0x5b, 0x98, 0x83, 0xd4, 0xdd, 0xa3,
2002 0x82, 0xfe, 0x50, 0xfb, 0x51, 0x88, 0xb3, 0xe9, 0x73, 0x33, 0xa1,
2003 0xec, 0x53, 0xa0, 0x9d, 0xc9, 0xa7, 0x9d, 0x0d, 0x08, 0x20,
2004 },
2005 32, "DigiCert 'Wyvern2024h2' Log" },
2006 { (const uint8_t[]){
2007 0x73, 0x20, 0x22, 0x0f, 0x08, 0x16, 0x8a, 0xf9, 0xf3, 0xc4, 0xa6,
2008 0x8b, 0x0a, 0xb2, 0x6a, 0x9a, 0x4a, 0x00, 0xee, 0xf5, 0x77, 0x85,
2009 0x8a, 0x08, 0x4d, 0x05, 0x00, 0xd4, 0xa5, 0x42, 0x44, 0x59,
2010 },
2011 32, "DigiCert 'Wyvern2025h1' Log" },
2012 { (const uint8_t[]){
2013 0xed, 0x3c, 0x4b, 0xd6, 0xe8, 0x06, 0xc2, 0xa4, 0xa2, 0x00, 0x57,
2014 0xdb, 0xcb, 0x24, 0xe2, 0x38, 0x01, 0xdf, 0x51, 0x2f, 0xed, 0xc4,
2015 0x86, 0xc5, 0x70, 0x0f, 0x20, 0xdd, 0xb7, 0x3e, 0x3f, 0xe0,
2016 },
2017 32, "DigiCert 'Wyvern2025h2' Log" },
2018 { (const uint8_t[]){
2019 0x64, 0x11, 0xc4, 0x6c, 0xa4, 0x12, 0xec, 0xa7, 0x89, 0x1c, 0xa2,
2020 0x02, 0x2e, 0x00, 0xbc, 0xab, 0x4f, 0x28, 0x07, 0xd4, 0x1e, 0x35,
2021 0x27, 0xab, 0xea, 0xfe, 0xd5, 0x03, 0xc9, 0x7d, 0xcd, 0xf0,
2022 },
2023 32, "DigiCert 'Wyvern2026h1'" },
2024 { (const uint8_t[]){
2025 0xc2, 0x31, 0x7e, 0x57, 0x45, 0x19, 0xa3, 0x45, 0xee, 0x7f, 0x38,
2026 0xde, 0xb2, 0x90, 0x41, 0xeb, 0xc7, 0xc2, 0x21, 0x5a, 0x22, 0xbf,
2027 0x7f, 0xd5, 0xb5, 0xad, 0x76, 0x9a, 0xd9, 0x0e, 0x52, 0xcd,
2028 },
2029 32, "DigiCert 'Wyvern2026h2'" },
2030 { (const uint8_t[]){
2031 0xdb, 0x07, 0x6c, 0xde, 0x6a, 0x8b, 0x78, 0xec, 0x58, 0xd6, 0x05,
2032 0x64, 0x96, 0xeb, 0x6a, 0x26, 0xa8, 0xc5, 0x9e, 0x72, 0x12, 0x93,
2033 0xe8, 0xac, 0x03, 0x27, 0xdd, 0xde, 0x89, 0xdb, 0x5a, 0x2a,
2034 },
2035 32, "DigiCert 'Sphinx2024h1' Log" },
2036 { (const uint8_t[]){
2037 0xdc, 0xc9, 0x5e, 0x6f, 0xa2, 0x99, 0xb9, 0xb0, 0xfd, 0xbd, 0x6c,
2038 0xa6, 0xa3, 0x6e, 0x1d, 0x72, 0xc4, 0x21, 0x2f, 0xdd, 0x1e, 0x0f,
2039 0x47, 0x55, 0x3a, 0x36, 0xd6, 0xcf, 0x1a, 0xd1, 0x1d, 0x8d,
2040 },
2041 32, "DigiCert 'Sphinx2024h2' Log" },
2042 { (const uint8_t[]){
2043 0xde, 0x85, 0x81, 0xd7, 0x50, 0x24, 0x7c, 0x6b, 0xcd, 0xcb, 0xaf,
2044 0x56, 0x37, 0xc5, 0xe7, 0x81, 0xc6, 0x4c, 0xe4, 0x6e, 0xd6, 0x17,
2045 0x63, 0x9f, 0x8f, 0x34, 0xa7, 0x26, 0xc9, 0xe2, 0xbd, 0x37,
2046 },
2047 32, "DigiCert 'Sphinx2025h1' Log" },
2048 { (const uint8_t[]){
2049 0xa4, 0x42, 0xc5, 0x06, 0x49, 0x60, 0x61, 0x54, 0x8f, 0x0f, 0xd4,
2050 0xea, 0x9c, 0xfb, 0x7a, 0x2d, 0x26, 0x45, 0x4d, 0x87, 0xa9, 0x7f,
2051 0x2f, 0xdf, 0x45, 0x59, 0xf6, 0x27, 0x4f, 0x3a, 0x84, 0x54,
2052 },
2053 32, "DigiCert 'Sphinx2025h2' Log" },
2054 { (const uint8_t[]){
2055 0x49, 0x9c, 0x9b, 0x69, 0xde, 0x1d, 0x7c, 0xec, 0xfc, 0x36, 0xde,
2056 0xcd, 0x87, 0x64, 0xa6, 0xb8, 0x5b, 0xaf, 0x0a, 0x87, 0x80, 0x19,
2057 0xd1, 0x55, 0x52, 0xfb, 0xe9, 0xeb, 0x29, 0xdd, 0xf8, 0xc3,
2058 },
2059 32, "DigiCert 'Sphinx2026h1'" },
2060 { (const uint8_t[]){
2061 0x94, 0x4e, 0x43, 0x87, 0xfa, 0xec, 0xc1, 0xef, 0x81, 0xf3, 0x19,
2062 0x24, 0x26, 0xa8, 0x18, 0x65, 0x01, 0xc7, 0xd3, 0x5f, 0x38, 0x02,
2063 0x01, 0x3f, 0x72, 0x67, 0x7d, 0x55, 0x37, 0x2e, 0x19, 0xd8,
2064 },
2065 32, "DigiCert 'Sphinx2026h2'" },
2066 { (const uint8_t[]){
2067 0xdd, 0xeb, 0x1d, 0x2b, 0x7a, 0x0d, 0x4f, 0xa6, 0x20, 0x8b, 0x81,
2068 0xad, 0x81, 0x68, 0x70, 0x7e, 0x2e, 0x8e, 0x9d, 0x01, 0xd5, 0x5c,
2069 0x88, 0x8d, 0x3d, 0x11, 0xc4, 0xcd, 0xb6, 0xec, 0xbe, 0xcc,
2070 },
2071 32, "Symantec log" },
2072 { (const uint8_t[]){
2073 0xbc, 0x78, 0xe1, 0xdf, 0xc5, 0xf6, 0x3c, 0x68, 0x46, 0x49, 0x33,
2074 0x4d, 0xa1, 0x0f, 0xa1, 0x5f, 0x09, 0x79, 0x69, 0x20, 0x09, 0xc0,
2075 0x81, 0xb4, 0xf3, 0xf6, 0x91, 0x7f, 0x3e, 0xd9, 0xb8, 0xa5,
2076 },
2077 32, "Symantec 'Vega' log" },
2078 { (const uint8_t[]){
2079 0x15, 0x97, 0x04, 0x88, 0xd7, 0xb9, 0x97, 0xa0, 0x5b, 0xeb, 0x52,
2080 0x51, 0x2a, 0xde, 0xe8, 0xd2, 0xe8, 0xb4, 0xa3, 0x16, 0x52, 0x64,
2081 0x12, 0x1a, 0x9f, 0xab, 0xfb, 0xd5, 0xf8, 0x5a, 0xd9, 0x3f,
2082 },
2083 32, "Symantec 'Sirius' log" },
2084 { (const uint8_t[]){
2085 0x05, 0x9c, 0x01, 0xd3, 0x20, 0xe0, 0x07, 0x84, 0x13, 0x95, 0x80,
2086 0x49, 0x8d, 0x11, 0x7c, 0x90, 0x32, 0x66, 0xaf, 0xaf, 0x72, 0x50,
2087 0xb5, 0xaf, 0x3b, 0x46, 0xa4, 0x3e, 0x11, 0x84, 0x0d, 0x4a,
2088 },
2089 32, "DigiCert Yeti2022-2 Log" },
2090 { (const uint8_t[]){
2091 0xc1, 0x16, 0x4a, 0xe0, 0xa7, 0x72, 0xd2, 0xd4, 0x39, 0x2d, 0xc8,
2092 0x0a, 0xc1, 0x07, 0x70, 0xd4, 0xf0, 0xc4, 0x9b, 0xde, 0x99, 0x1a,
2093 0x48, 0x40, 0xc1, 0xfa, 0x07, 0x51, 0x64, 0xf6, 0x33, 0x60,
2094 },
2095 32, "DigiCert Yeti2018 Log" },
2096 { (const uint8_t[]){
2097 0xe2, 0x69, 0x4b, 0xae, 0x26, 0xe8, 0xe9, 0x40, 0x09, 0xe8, 0x86,
2098 0x1b, 0xb6, 0x3b, 0x83, 0xd4, 0x3e, 0xe7, 0xfe, 0x74, 0x88, 0xfb,
2099 0xa4, 0x8f, 0x28, 0x93, 0x01, 0x9d, 0xdd, 0xf1, 0xdb, 0xfe,
2100 },
2101 32, "DigiCert Yeti2019 Log" },
2102 { (const uint8_t[]){
2103 0x6f, 0xf1, 0x41, 0xb5, 0x64, 0x7e, 0x42, 0x22, 0xf7, 0xef, 0x05,
2104 0x2c, 0xef, 0xae, 0x7c, 0x21, 0xfd, 0x60, 0x8e, 0x27, 0xd2, 0xaf,
2105 0x5a, 0x6e, 0x9f, 0x4b, 0x8a, 0x37, 0xd6, 0x63, 0x3e, 0xe5,
2106 },
2107 32, "DigiCert Nessie2018 Log" },
2108 { (const uint8_t[]){
2109 0xfe, 0x44, 0x61, 0x08, 0xb1, 0xd0, 0x1a, 0xb7, 0x8a, 0x62, 0xcc,
2110 0xfe, 0xab, 0x6a, 0xb2, 0xb2, 0xba, 0xbf, 0xf3, 0xab, 0xda, 0xd8,
2111 0x0a, 0x4d, 0x8b, 0x30, 0xdf, 0x2d, 0x00, 0x08, 0x83, 0x0c,
2112 },
2113 32, "DigiCert Nessie2019 Log" },
2114 { (const uint8_t[]){
2115 0xa7, 0xce, 0x4a, 0x4e, 0x62, 0x07, 0xe0, 0xad, 0xde, 0xe5, 0xfd,
2116 0xaa, 0x4b, 0x1f, 0x86, 0x76, 0x87, 0x67, 0xb5, 0xd0, 0x02, 0xa5,
2117 0x5d, 0x47, 0x31, 0x0e, 0x7e, 0x67, 0x0a, 0x95, 0xea, 0xb2,
2118 },
2119 32, "Symantec Deneb" },
2120 { (const uint8_t[]){
2121 0xcd, 0xb5, 0x17, 0x9b, 0x7f, 0xc1, 0xc0, 0x46, 0xfe, 0xea, 0x31,
2122 0x13, 0x6a, 0x3f, 0x8f, 0x00, 0x2e, 0x61, 0x82, 0xfa, 0xf8, 0x89,
2123 0x6f, 0xec, 0xc8, 0xb2, 0xf5, 0xb5, 0xab, 0x60, 0x49, 0x00,
2124 },
2125 32, "Certly.IO log" },
2126 { (const uint8_t[]){
2127 0x74, 0x61, 0xb4, 0xa0, 0x9c, 0xfb, 0x3d, 0x41, 0xd7, 0x51, 0x59,
2128 0x57, 0x5b, 0x2e, 0x76, 0x49, 0xa4, 0x45, 0xa8, 0xd2, 0x77, 0x09,
2129 0xb0, 0xcc, 0x56, 0x4a, 0x64, 0x82, 0xb7, 0xeb, 0x41, 0xa3,
2130 },
2131 32, "Izenpe log" },
2132 { (const uint8_t[]){
2133 0x89, 0x41, 0x44, 0x9c, 0x70, 0x74, 0x2e, 0x06, 0xb9, 0xfc, 0x9c,
2134 0xe7, 0xb1, 0x16, 0xba, 0x00, 0x24, 0xaa, 0x36, 0xd5, 0x9a, 0xf4,
2135 0x4f, 0x02, 0x04, 0x40, 0x4f, 0x00, 0xf7, 0xea, 0x85, 0x66,
2136 },
2137 32, "Izenpe 'Argi' log" },
2138 { (const uint8_t[]){
2139 0x41, 0xb2, 0xdc, 0x2e, 0x89, 0xe6, 0x3c, 0xe4, 0xaf, 0x1b, 0xa7,
2140 0xbb, 0x29, 0xbf, 0x68, 0xc6, 0xde, 0xe6, 0xf9, 0xf1, 0xcc, 0x04,
2141 0x7e, 0x30, 0xdf, 0xfa, 0xe3, 0xb3, 0xba, 0x25, 0x92, 0x63,
2142 },
2143 32, "WoSign log" },
2144 { (const uint8_t[]){
2145 0x9e, 0x4f, 0xf7, 0x3d, 0xc3, 0xce, 0x22, 0x0b, 0x69, 0x21, 0x7c,
2146 0x89, 0x9e, 0x46, 0x80, 0x76, 0xab, 0xf8, 0xd7, 0x86, 0x36, 0xd5,
2147 0xcc, 0xfc, 0x85, 0xa3, 0x1a, 0x75, 0x62, 0x8b, 0xa8, 0x8b,
2148 },
2149 32, "WoSign CT log #1" },
2150 { (const uint8_t[]){
2151 0x63, 0xd0, 0x00, 0x60, 0x26, 0xdd, 0xe1, 0x0b, 0xb0, 0x60, 0x1f,
2152 0x45, 0x24, 0x46, 0x96, 0x5e, 0xe2, 0xb6, 0xea, 0x2c, 0xd4, 0xfb,
2153 0xc9, 0x5a, 0xc8, 0x66, 0xa5, 0x50, 0xaf, 0x90, 0x75, 0xb7,
2154 },
2155 32, "WoSign log 2" },
2156 { (const uint8_t[]){
2157 0xac, 0x3b, 0x9a, 0xed, 0x7f, 0xa9, 0x67, 0x47, 0x57, 0x15, 0x9e,
2158 0x6d, 0x7d, 0x57, 0x56, 0x72, 0xf9, 0xd9, 0x81, 0x00, 0x94, 0x1e,
2159 0x9b, 0xde, 0xff, 0xec, 0xa1, 0x31, 0x3b, 0x75, 0x78, 0x2d,
2160 },
2161 32, "Venafi log" },
2162 { (const uint8_t[]){
2163 0x03, 0x01, 0x9d, 0xf3, 0xfd, 0x85, 0xa6, 0x9a, 0x8e, 0xbd, 0x1f,
2164 0xac, 0xc6, 0xda, 0x9b, 0xa7, 0x3e, 0x46, 0x97, 0x74, 0xfe, 0x77,
2165 0xf5, 0x79, 0xfc, 0x5a, 0x08, 0xb8, 0x32, 0x8c, 0x1d, 0x6b,
2166 },
2167 32, "Venafi Gen2 CT log" },
2168 { (const uint8_t[]){
2169 0xa5, 0x77, 0xac, 0x9c, 0xed, 0x75, 0x48, 0xdd, 0x8f, 0x02, 0x5b,
2170 0x67, 0xa2, 0x41, 0x08, 0x9d, 0xf8, 0x6e, 0x0f, 0x47, 0x6e, 0xc2,
2171 0x03, 0xc2, 0xec, 0xbe, 0xdb, 0x18, 0x5f, 0x28, 0x26, 0x38,
2172 },
2173 32, "CNNIC CT log" },
2174 { (const uint8_t[]){
2175 0x34, 0xbb, 0x6a, 0xd6, 0xc3, 0xdf, 0x9c, 0x03, 0xee, 0xa8, 0xa4,
2176 0x99, 0xff, 0x78, 0x91, 0x48, 0x6c, 0x9d, 0x5e, 0x5c, 0xac, 0x92,
2177 0xd0, 0x1f, 0x7b, 0xfd, 0x1b, 0xce, 0x19, 0xdb, 0x48, 0xef,
2178 },
2179 32, "StartCom log" },
2180 { (const uint8_t[]){
2181 0x55, 0x81, 0xd4, 0xc2, 0x16, 0x90, 0x36, 0x01, 0x4a, 0xea, 0x0b,
2182 0x9b, 0x57, 0x3c, 0x53, 0xf0, 0xc0, 0xe4, 0x38, 0x78, 0x70, 0x25,
2183 0x08, 0x17, 0x2f, 0xa3, 0xaa, 0x1d, 0x07, 0x13, 0xd3, 0x0c,
2184 },
2185 32, "Sectigo 'Sabre' CT log" },
2186 { (const uint8_t[]){
2187 0xa2, 0xe2, 0xbf, 0xd6, 0x1e, 0xde, 0x2f, 0x2f, 0x07, 0xa0, 0xd6,
2188 0x4e, 0x6d, 0x37, 0xa7, 0xdc, 0x65, 0x43, 0xb0, 0xc6, 0xb5, 0x2e,
2189 0xa2, 0xda, 0xb7, 0x8a, 0xf8, 0x9a, 0x6d, 0xf5, 0x17, 0xd8,
2190 },
2191 32, "Sectigo 'Sabre2024h1'" },
2192 { (const uint8_t[]){
2193 0x19, 0x98, 0x10, 0x71, 0x09, 0xf0, 0xd6, 0x52, 0x2e, 0x30, 0x80,
2194 0xd2, 0x9e, 0x3f, 0x64, 0xbb, 0x83, 0x6e, 0x28, 0xcc, 0xf9, 0x0f,
2195 0x52, 0x8e, 0xee, 0xdf, 0xce, 0x4a, 0x3f, 0x16, 0xb4, 0xca,
2196 },
2197 32, "Sectigo 'Sabre2024h2'" },
2198 { (const uint8_t[]){
2199 0xe0, 0x92, 0xb3, 0xfc, 0x0c, 0x1d, 0xc8, 0xe7, 0x68, 0x36, 0x1f,
2200 0xde, 0x61, 0xb9, 0x96, 0x4d, 0x0a, 0x52, 0x78, 0x19, 0x8a, 0x72,
2201 0xd6, 0x72, 0xc4, 0xb0, 0x4d, 0xa5, 0x6d, 0x6f, 0x54, 0x04,
2202 },
2203 32, "Sectigo 'Sabre2025h1'" },
2204 { (const uint8_t[]){
2205 0x1a, 0x04, 0xff, 0x49, 0xd0, 0x54, 0x1d, 0x40, 0xaf, 0xf6, 0xa0,
2206 0xc3, 0xbf, 0xf1, 0xd8, 0xc4, 0x67, 0x2f, 0x4e, 0xec, 0xee, 0x23,
2207 0x40, 0x68, 0x98, 0x6b, 0x17, 0x40, 0x2e, 0xdc, 0x89, 0x7d,
2208 },
2209 32, "Sectigo 'Sabre2025h2'" },
2210 { (const uint8_t[]){
2211 0x6f, 0x53, 0x76, 0xac, 0x31, 0xf0, 0x31, 0x19, 0xd8, 0x99, 0x00,
2212 0xa4, 0x51, 0x15, 0xff, 0x77, 0x15, 0x1c, 0x11, 0xd9, 0x02, 0xc1,
2213 0x00, 0x29, 0x06, 0x8d, 0xb2, 0x08, 0x9a, 0x37, 0xd9, 0x13,
2214 },
2215 32, "Sectigo 'Mammoth' CT log" },
2216 { (const uint8_t[]){
2217 0x29, 0xd0, 0x3a, 0x1b, 0xb6, 0x74, 0xaa, 0x71, 0x1c, 0xd3, 0x03,
2218 0x5b, 0x65, 0x57, 0xc1, 0x4f, 0x8a, 0xa7, 0x8b, 0x4f, 0xe8, 0x38,
2219 0x94, 0x49, 0xec, 0xa4, 0x53, 0xf9, 0x44, 0xbd, 0x24, 0x68,
2220 },
2221 32, "Sectigo 'Mammoth2024h1'" },
2222 { (const uint8_t[]){
2223 0x50, 0x85, 0x01, 0x58, 0xdc, 0xb6, 0x05, 0x95, 0xc0, 0x0e, 0x92,
2224 0xa8, 0x11, 0x02, 0xec, 0xcd, 0xfe, 0x3f, 0x6b, 0x78, 0x58, 0x42,
2225 0x9f, 0x57, 0x98, 0x35, 0x38, 0xc9, 0xda, 0x52, 0x50, 0x63,
2226 },
2227 32, "Sectigo 'Mammoth2024h1b'" },
2228 { (const uint8_t[]){
2229 0xdf, 0xe1, 0x56, 0xeb, 0xaa, 0x05, 0xaf, 0xb5, 0x9c, 0x0f, 0x86,
2230 0x71, 0x8d, 0xa8, 0xc0, 0x32, 0x4e, 0xae, 0x56, 0xd9, 0x6e, 0xa7,
2231 0xf5, 0xa5, 0x6a, 0x01, 0xd1, 0xc1, 0x3b, 0xbe, 0x52, 0x5c,
2232 },
2233 32, "Sectigo 'Mammoth2024h2'" },
2234 { (const uint8_t[]){
2235 0x13, 0x4a, 0xdf, 0x1a, 0xb5, 0x98, 0x42, 0x09, 0x78, 0x0c, 0x6f,
2236 0xef, 0x4c, 0x7a, 0x91, 0xa4, 0x16, 0xb7, 0x23, 0x49, 0xce, 0x58,
2237 0x57, 0x6a, 0xdf, 0xae, 0xda, 0xa7, 0xc2, 0xab, 0xe0, 0x22,
2238 },
2239 32, "Sectigo 'Mammoth2025h1'" },
2240 { (const uint8_t[]){
2241 0xaf, 0x18, 0x1a, 0x28, 0xd6, 0x8c, 0xa3, 0xe0, 0xa9, 0x8a, 0x4c,
2242 0x9c, 0x67, 0xab, 0x09, 0xf8, 0xbb, 0xbc, 0x22, 0xba, 0xae, 0xbc,
2243 0xb1, 0x38, 0xa3, 0xa1, 0x9d, 0xd3, 0xf9, 0xb6, 0x03, 0x0d,
2244 },
2245 32, "Sectigo 'Mammoth2025h2'" },
2246 { (const uint8_t[]){
2247 0x25, 0x2f, 0x94, 0xc2, 0x2b, 0x29, 0xe9, 0x6e, 0x9f, 0x41, 0x1a,
2248 0x72, 0x07, 0x2b, 0x69, 0x5c, 0x5b, 0x52, 0xff, 0x97, 0xa9, 0x0d,
2249 0x25, 0x40, 0xbb, 0xfc, 0xdc, 0x51, 0xec, 0x4d, 0xee, 0x0b,
2250 },
2251 32, "Sectigo 'Mammoth2026h1'" },
2252 { (const uint8_t[]){
2253 0x94, 0xb1, 0xc1, 0x8a, 0xb0, 0xd0, 0x57, 0xc4, 0x7b, 0xe0, 0xac,
2254 0x04, 0x0e, 0x1f, 0x2c, 0xbc, 0x8d, 0xc3, 0x75, 0x72, 0x7b, 0xc9,
2255 0x51, 0xf2, 0x0a, 0x52, 0x61, 0x26, 0x86, 0x3b, 0xa7, 0x3c,
2256 },
2257 32, "Sectigo 'Mammoth2026h2'" },
2258 { (const uint8_t[]){
2259 0x56, 0x6c, 0xd5, 0xa3, 0x76, 0xbe, 0x83, 0xdf, 0xe3, 0x42, 0xb6,
2260 0x75, 0xc4, 0x9c, 0x23, 0x24, 0x98, 0xa7, 0x69, 0xba, 0xc3, 0x82,
2261 0xcb, 0xab, 0x49, 0xa3, 0x87, 0x7d, 0x9a, 0xb3, 0x2d, 0x01,
2262 },
2263 32, "Sectigo 'Sabre2026h1'" },
2264 { (const uint8_t[]){
2265 0x1f, 0x56, 0xd1, 0xab, 0x94, 0x70, 0x4a, 0x41, 0xdd, 0x3f, 0xea,
2266 0xfd, 0xf4, 0x69, 0x93, 0x55, 0x30, 0x2c, 0x14, 0x31, 0xbf, 0xe6,
2267 0x13, 0x46, 0x08, 0x9f, 0xff, 0xae, 0x79, 0x5d, 0xcc, 0x2f,
2268 },
2269 32, "Sectigo 'Sabre2026h2'" },
2270 { (const uint8_t[]){
2271 0xdb, 0x76, 0xfd, 0xad, 0xac, 0x65, 0xe7, 0xd0, 0x95, 0x08, 0x88,
2272 0x6e, 0x21, 0x59, 0xbd, 0x8b, 0x90, 0x35, 0x2f, 0x5f, 0xea, 0xd3,
2273 0xe3, 0xdc, 0x5e, 0x22, 0xeb, 0x35, 0x0a, 0xcc, 0x7b, 0x98,
2274 },
2275 32, "Sectigo 'Dodo' CT log" },
2276 { (const uint8_t[]){
2277 0xe7, 0x12, 0xf2, 0xb0, 0x37, 0x7e, 0x1a, 0x62, 0xfb, 0x8e, 0xc9,
2278 0x0c, 0x61, 0x84, 0xf1, 0xea, 0x7b, 0x37, 0xcb, 0x56, 0x1d, 0x11,
2279 0x26, 0x5b, 0xf3, 0xe0, 0xf3, 0x4b, 0xf2, 0x41, 0x54, 0x6e,
2280 },
2281 32, "Let's Encrypt 'Oak2020' log" },
2282 { (const uint8_t[]){
2283 0x94, 0x20, 0xbc, 0x1e, 0x8e, 0xd5, 0x8d, 0x6c, 0x88, 0x73, 0x1f,
2284 0x82, 0x8b, 0x22, 0x2c, 0x0d, 0xd1, 0xda, 0x4d, 0x5e, 0x6c, 0x4f,
2285 0x94, 0x3d, 0x61, 0xdb, 0x4e, 0x2f, 0x58, 0x4d, 0xa2, 0xc2,
2286 },
2287 32, "Let's Encrypt 'Oak2021' log" },
2288 { (const uint8_t[]){
2289 0xdf, 0xa5, 0x5e, 0xab, 0x68, 0x82, 0x4f, 0x1f, 0x6c, 0xad, 0xee,
2290 0xb8, 0x5f, 0x4e, 0x3e, 0x5a, 0xea, 0xcd, 0xa2, 0x12, 0xa4, 0x6a,
2291 0x5e, 0x8e, 0x3b, 0x12, 0xc0, 0x20, 0x44, 0x5c, 0x2a, 0x73,
2292 },
2293 32, "Let's Encrypt 'Oak2022' log" },
2294 { (const uint8_t[]){
2295 0xb7, 0x3e, 0xfb, 0x24, 0xdf, 0x9c, 0x4d, 0xba, 0x75, 0xf2, 0x39,
2296 0xc5, 0xba, 0x58, 0xf4, 0x6c, 0x5d, 0xfc, 0x42, 0xcf, 0x7a, 0x9f,
2297 0x35, 0xc4, 0x9e, 0x1d, 0x09, 0x81, 0x25, 0xed, 0xb4, 0x99,
2298 },
2299 32, "Let's Encrypt 'Oak2023' log" },
2300 { (const uint8_t[]){
2301 0x3b, 0x53, 0x77, 0x75, 0x3e, 0x2d, 0xb9, 0x80, 0x4e, 0x8b, 0x30,
2302 0x5b, 0x06, 0xfe, 0x40, 0x3b, 0x67, 0xd8, 0x4f, 0xc3, 0xf4, 0xc7,
2303 0xbd, 0x00, 0x0d, 0x2d, 0x72, 0x6f, 0xe1, 0xfa, 0xd4, 0x17,
2304 },
2305 32, "Let's Encrypt 'Oak2024H1' log" },
2306 { (const uint8_t[]){
2307 0x3f, 0x17, 0x4b, 0x4f, 0xd7, 0x22, 0x47, 0x58, 0x94, 0x1d, 0x65,
2308 0x1c, 0x84, 0xbe, 0x0d, 0x12, 0xed, 0x90, 0x37, 0x7f, 0x1f, 0x85,
2309 0x6a, 0xeb, 0xc1, 0xbf, 0x28, 0x85, 0xec, 0xf8, 0x64, 0x6e,
2310 },
2311 32, "Let's Encrypt 'Oak2024H2' log" },
2312 { (const uint8_t[]){
2313 0xa2, 0xe3, 0x0a, 0xe4, 0x45, 0xef, 0xbd, 0xad, 0x9b, 0x7e, 0x38,
2314 0xed, 0x47, 0x67, 0x77, 0x53, 0xd7, 0x82, 0x5b, 0x84, 0x94, 0xd7,
2315 0x2b, 0x5e, 0x1b, 0x2c, 0xc4, 0xb9, 0x50, 0xa4, 0x47, 0xe7,
2316 },
2317 32, "Let's Encrypt 'Oak2025h1'" },
2318 { (const uint8_t[]){
2319 0x0d, 0xe1, 0xf2, 0x30, 0x2b, 0xd3, 0x0d, 0xc1, 0x40, 0x62, 0x12,
2320 0x09, 0xea, 0x55, 0x2e, 0xfc, 0x47, 0x74, 0x7c, 0xb1, 0xd7, 0xe9,
2321 0x30, 0xef, 0x0e, 0x42, 0x1e, 0xb4, 0x7e, 0x4e, 0xaa, 0x34,
2322 },
2323 32, "Let's Encrypt 'Oak2025h2'" },
2324 { (const uint8_t[]){
2325 0x19, 0x86, 0xd4, 0xc7, 0x28, 0xaa, 0x6f, 0xfe, 0xba, 0x03, 0x6f,
2326 0x78, 0x2a, 0x4d, 0x01, 0x91, 0xaa, 0xce, 0x2d, 0x72, 0x31, 0x0f,
2327 0xae, 0xce, 0x5d, 0x70, 0x41, 0x2d, 0x25, 0x4c, 0xc7, 0xd4,
2328 },
2329 32, "Let's Encrypt 'Oak2026h1'" },
2330 { (const uint8_t[]){
2331 0xac, 0xab, 0x30, 0x70, 0x6c, 0xeb, 0xec, 0x84, 0x31, 0xf4, 0x13,
2332 0xd2, 0xf4, 0x91, 0x5f, 0x11, 0x1e, 0x42, 0x24, 0x43, 0xb1, 0xf2,
2333 0xa6, 0x8c, 0x4f, 0x3c, 0x2b, 0x3b, 0xa7, 0x1e, 0x02, 0xc3,
2334 },
2335 32, "Let's Encrypt 'Oak2026h2'" },
2336 { (const uint8_t[]){
2337 0x65, 0x9b, 0x33, 0x50, 0xf4, 0x3b, 0x12, 0xcc, 0x5e, 0xa5, 0xab,
2338 0x4e, 0xc7, 0x65, 0xd3, 0xfd, 0xe6, 0xc8, 0x82, 0x43, 0x77, 0x77,
2339 0x78, 0xe7, 0x20, 0x03, 0xf9, 0xeb, 0x2b, 0x8c, 0x31, 0x29,
2340 },
2341 32, "Let's Encrypt 'Oak2019' log" },
2342 { (const uint8_t[]){
2343 0x84, 0x9f, 0x5f, 0x7f, 0x58, 0xd2, 0xbf, 0x7b, 0x54, 0xec, 0xbd,
2344 0x74, 0x61, 0x1c, 0xea, 0x45, 0xc4, 0x9c, 0x98, 0xf1, 0xd6, 0x48,
2345 0x1b, 0xc6, 0xf6, 0x9e, 0x8c, 0x17, 0x4f, 0x24, 0xf3, 0xcf,
2346 },
2347 32, "Let's Encrypt 'Testflume2019' log" },
2348 { (const uint8_t[]){
2349 0x23, 0x2d, 0x41, 0xa4, 0xcd, 0xac, 0x87, 0xce, 0xd9, 0xf9, 0x43,
2350 0xf4, 0x68, 0xc2, 0x82, 0x09, 0x5a, 0xe0, 0x9d, 0x30, 0xd6, 0x2e,
2351 0x2f, 0xa6, 0x5d, 0xdc, 0x3b, 0x91, 0x9c, 0x2e, 0x46, 0x8f,
2352 },
2353 32, "Let's Encrypt 'Sapling 2022h2' log" },
2354 { (const uint8_t[]){
2355 0xc1, 0x83, 0x24, 0x0b, 0xf1, 0xa4, 0x50, 0xc7, 0x6f, 0xbb, 0x00,
2356 0x72, 0x69, 0xdc, 0xac, 0x3b, 0xe2, 0x2a, 0x48, 0x05, 0xd4, 0xdb,
2357 0xe0, 0x49, 0x66, 0xc3, 0xc8, 0xab, 0xc4, 0x47, 0xb0, 0x0c,
2358 },
2359 32, "Let's Encrypt 'Sapling 2023h1' log" },
2360 { (const uint8_t[]){
2361 0xc6, 0x3f, 0x22, 0x18, 0xc3, 0x7d, 0x56, 0xa6, 0xaa, 0x06, 0xb5,
2362 0x96, 0xda, 0x8e, 0x53, 0xd4, 0xd7, 0x15, 0x6d, 0x1e, 0x9b, 0xac,
2363 0x8e, 0x44, 0xd2, 0x20, 0x2d, 0xe6, 0x4d, 0x69, 0xd9, 0xdc,
2364 },
2365 32, "Let's Encrypt 'Testflume2020' log" },
2366 { (const uint8_t[]){
2367 0x03, 0xed, 0xf1, 0xda, 0x97, 0x76, 0xb6, 0xf3, 0x8c, 0x34, 0x1e,
2368 0x39, 0xed, 0x9d, 0x70, 0x7a, 0x75, 0x70, 0x36, 0x9c, 0xf9, 0x84,
2369 0x4f, 0x32, 0x7f, 0xe9, 0xe1, 0x41, 0x38, 0x36, 0x1b, 0x60,
2370 },
2371 32, "Let's Encrypt 'Testflume2021' log" },
2372 { (const uint8_t[]){
2373 0x23, 0x27, 0xef, 0xda, 0x35, 0x25, 0x10, 0xdb, 0xc0, 0x19, 0xef,
2374 0x49, 0x1a, 0xe3, 0xff, 0x1c, 0xc5, 0xa4, 0x79, 0xbc, 0xe3, 0x78,
2375 0x78, 0x36, 0x0e, 0xe3, 0x18, 0xcf, 0xfb, 0x64, 0xf8, 0xc8,
2376 },
2377 32, "Let's Encrypt 'Testflume2022' log" },
2378 { (const uint8_t[]){
2379 0x55, 0x34, 0xb7, 0xab, 0x5a, 0x6a, 0xc3, 0xa7, 0xcb, 0xeb, 0xa6,
2380 0x54, 0x87, 0xb2, 0xa2, 0xd7, 0x1b, 0x48, 0xf6, 0x50, 0xfa, 0x17,
2381 0xc5, 0x19, 0x7c, 0x97, 0xa0, 0xcb, 0x20, 0x76, 0xf3, 0xc6,
2382 },
2383 32, "Let's Encrypt 'Testflume2023' log" },
2384 { (const uint8_t[]){
2385 0x29, 0x6a, 0xfa, 0x2d, 0x56, 0x8b, 0xca, 0x0d, 0x2e, 0xa8, 0x44,
2386 0x95, 0x6a, 0xe9, 0x72, 0x1f, 0xc3, 0x5f, 0xa3, 0x55, 0xec, 0xda,
2387 0x99, 0x69, 0x3a, 0xaf, 0xd4, 0x58, 0xa7, 0x1a, 0xef, 0xdd,
2388 },
2389 32, "Let's Encrypt 'Clicky' log" },
2390 { (const uint8_t[]){
2391 0xa5, 0x95, 0x94, 0x3b, 0x53, 0x70, 0xbe, 0xe9, 0x06, 0xe0, 0x05,
2392 0x0d, 0x1f, 0xb5, 0xbb, 0xc6, 0xa4, 0x0e, 0x65, 0xf2, 0x65, 0xae,
2393 0x85, 0x2c, 0x76, 0x36, 0x3f, 0xad, 0xb2, 0x33, 0x36, 0xed,
2394 },
2395 32, "Trust Asia Log2020" },
2396 { (const uint8_t[]){
2397 0xa8, 0xdc, 0x52, 0xf6, 0x3d, 0x6b, 0x24, 0x25, 0xe5, 0x31, 0xe3,
2398 0x7c, 0xf4, 0xe4, 0x4a, 0x71, 0x4f, 0x14, 0x2a, 0x20, 0x80, 0x3b,
2399 0x0d, 0x04, 0xd2, 0xe2, 0xee, 0x06, 0x64, 0x79, 0x4a, 0x23,
2400 },
2401 32, "Trust Asia CT2021" },
2402 { (const uint8_t[]){
2403 0x67, 0x8d, 0xb6, 0x5b, 0x3e, 0x74, 0x43, 0xb6, 0xf3, 0xa3, 0x70,
2404 0xd5, 0xe1, 0x3a, 0xb1, 0xb4, 0x3b, 0xe0, 0xa0, 0xd3, 0x51, 0xf7,
2405 0xca, 0x74, 0x22, 0x50, 0xc7, 0xc6, 0xfa, 0x51, 0xa8, 0x8a,
2406 },
2407 32, "Trust Asia Log2021" },
2408 { (const uint8_t[]){
2409 0xc3, 0x65, 0xf9, 0xb3, 0x65, 0x4f, 0x32, 0x83, 0xc7, 0x9d, 0xa9,
2410 0x8e, 0x93, 0xd7, 0x41, 0x8f, 0x5b, 0xab, 0x7b, 0xe3, 0x25, 0x2c,
2411 0x98, 0xe1, 0xd2, 0xf0, 0x4b, 0xb9, 0xeb, 0x42, 0x7d, 0x23,
2412 },
2413 32, "Trust Asia Log2022" },
2414 { (const uint8_t[]){
2415 0xe8, 0x7e, 0xa7, 0x66, 0x0b, 0xc2, 0x6c, 0xf6, 0x00, 0x2e, 0xf5,
2416 0x72, 0x5d, 0x3f, 0xe0, 0xe3, 0x31, 0xb9, 0x39, 0x3b, 0xb9, 0x2f,
2417 0xbf, 0x58, 0xeb, 0x3b, 0x90, 0x49, 0xda, 0xf5, 0x43, 0x5a,
2418 },
2419 32, "Trust Asia Log2023" },
2420 { (const uint8_t[]){
2421 0x30, 0x6d, 0x29, 0x57, 0x6a, 0xd2, 0x1a, 0x9d, 0x4a, 0xe1, 0x2a,
2422 0xca, 0xd8, 0xaa, 0x8a, 0x78, 0x3a, 0xa6, 0x5a, 0x32, 0x11, 0x60,
2423 0xac, 0xff, 0x5b, 0x0e, 0xee, 0x4c, 0xa3, 0x20, 0x1d, 0x05,
2424 },
2425 32, "Trust Asia Log2024" },
2426 { (const uint8_t[]){
2427 0x87, 0x4f, 0xb5, 0x0d, 0xc0, 0x29, 0xd9, 0x93, 0x1d, 0xe5, 0x73,
2428 0xe9, 0xf2, 0x89, 0x9e, 0x8e, 0x45, 0x33, 0xb3, 0x92, 0xd3, 0x8b,
2429 0x0a, 0x46, 0x25, 0x74, 0xbf, 0x0f, 0xee, 0xb2, 0xfc, 0x1e,
2430 },
2431 32, "Trust Asia Log2024-2" },
2432 { (const uint8_t[]){
2433 0x28, 0xe2, 0x81, 0x38, 0xfd, 0x83, 0x21, 0x45, 0xe9, 0xa9, 0xd6,
2434 0xaa, 0x75, 0x37, 0x6d, 0x83, 0x77, 0xa8, 0x85, 0x12, 0xb3, 0xc0,
2435 0x7f, 0x72, 0x41, 0x48, 0x21, 0xdc, 0xbd, 0xe9, 0x8c, 0x66,
2436 },
2437 32, "TrustAsia Log2025a" },
2438 { (const uint8_t[]){
2439 0x28, 0x2c, 0x8b, 0xdd, 0x81, 0x0f, 0xf9, 0x09, 0x12, 0x0a, 0xce,
2440 0x16, 0xd6, 0xe0, 0xec, 0x20, 0x1b, 0xea, 0x82, 0xa3, 0xa4, 0xaf,
2441 0x19, 0xd9, 0xef, 0xfb, 0x59, 0xe8, 0x3f, 0xdc, 0x42, 0x68,
2442 },
2443 32, "TrustAsia Log2025b" },
2444 { (const uint8_t[]){
2445 0x74, 0xdb, 0x9d, 0x58, 0xf7, 0xd4, 0x7e, 0x9d, 0xfd, 0x78, 0x7a,
2446 0x16, 0x2a, 0x99, 0x1c, 0x18, 0xcf, 0x69, 0x8d, 0xa7, 0xc7, 0x29,
2447 0x91, 0x8c, 0x9a, 0x18, 0xb0, 0x45, 0x0d, 0xba, 0x44, 0xbc,
2448 },
2449 32, "TrustAsia 'log2026a'" },
2450 { (const uint8_t[]){
2451 0x25, 0xb7, 0xef, 0xde, 0xa1, 0x13, 0x01, 0x93, 0xed, 0x93, 0x07,
2452 0x97, 0x70, 0xaa, 0x32, 0x2a, 0x26, 0x62, 0x0d, 0xe3, 0x5a, 0xc8,
2453 0xaa, 0x7c, 0x75, 0x19, 0x7d, 0xe0, 0xb1, 0xa9, 0xe0, 0x65,
2454 },
2455 32, "TrustAsia 'log2026b'" },
2456 { (const uint8_t[]){
2457 0x45, 0x35, 0x94, 0x98, 0xd9, 0x3a, 0x89, 0xe0, 0x28, 0x03, 0x08,
2458 0xd3, 0x7d, 0x62, 0x6d, 0xc4, 0x23, 0x75, 0x47, 0x58, 0xdc, 0xe0,
2459 0x37, 0x00, 0x36, 0xfb, 0xab, 0x0e, 0xdf, 0x8a, 0x6b, 0xcf,
2460 },
2461 32, "Trust Asia Log1" },
2462 { (const uint8_t[]){
2463 0xc9, 0xcf, 0x89, 0x0a, 0x21, 0x10, 0x9c, 0x66, 0x6c, 0xc1, 0x7a,
2464 0x3e, 0xd0, 0x65, 0xc9, 0x30, 0xd0, 0xe0, 0x13, 0x5a, 0x9f, 0xeb,
2465 0xa8, 0x5a, 0xf1, 0x42, 0x10, 0xb8, 0x07, 0x24, 0x21, 0xaa,
2466 },
2467 32, "GDCA CT log #1" },
2468 { (const uint8_t[]){
2469 0x92, 0x4a, 0x30, 0xf9, 0x09, 0x33, 0x6f, 0xf4, 0x35, 0xd6, 0x99,
2470 0x3a, 0x10, 0xac, 0x75, 0xa2, 0xc6, 0x41, 0x72, 0x8e, 0x7f, 0xc2,
2471 0xd6, 0x59, 0xae, 0x61, 0x88, 0xff, 0xad, 0x40, 0xce, 0x01,
2472 },
2473 32, "GDCA CT log #2" },
2474 { (const uint8_t[]){
2475 0x71, 0x7e, 0xa7, 0x42, 0x09, 0x75, 0xbe, 0x84, 0xa2, 0x72, 0x35,
2476 0x53, 0xf1, 0x77, 0x7c, 0x26, 0xdd, 0x51, 0xaf, 0x4e, 0x10, 0x21,
2477 0x44, 0x09, 0x4d, 0x90, 0x19, 0xb4, 0x62, 0xfb, 0x66, 0x68,
2478 },
2479 32, "GDCA Log 1" },
2480 { (const uint8_t[]){
2481 0x14, 0x30, 0x8d, 0x90, 0xcc, 0xd0, 0x30, 0x13, 0x50, 0x05, 0xc0,
2482 0x1c, 0xa5, 0x26, 0xd8, 0x1e, 0x84, 0xe8, 0x76, 0x24, 0xe3, 0x9b,
2483 0x62, 0x48, 0xe0, 0x8f, 0x72, 0x4a, 0xea, 0x3b, 0xb4, 0x2a,
2484 },
2485 32, "GDCA Log 2" },
2486 { (const uint8_t[]){
2487 0xe0, 0x12, 0x76, 0x29, 0xe9, 0x04, 0x96, 0x56, 0x4e, 0x3d, 0x01,
2488 0x47, 0x98, 0x44, 0x98, 0xaa, 0x48, 0xf8, 0xad, 0xb1, 0x66, 0x00,
2489 0xeb, 0x79, 0x02, 0xa1, 0xef, 0x99, 0x09, 0x90, 0x62, 0x73,
2490 },
2491 32, "PuChuangSiDa CT log" },
2492 { (const uint8_t[]){
2493 0x53, 0x7b, 0x69, 0xa3, 0x56, 0x43, 0x35, 0xa9, 0xc0, 0x49, 0x04,
2494 0xe3, 0x95, 0x93, 0xb2, 0xc2, 0x98, 0xeb, 0x8d, 0x7a, 0x6e, 0x83,
2495 0x02, 0x36, 0x35, 0xc6, 0x27, 0x24, 0x8c, 0xd6, 0xb4, 0x40,
2496 },
2497 32, "Nordu 'flimsy' log" },
2498 { (const uint8_t[]){
2499 0xaa, 0xe7, 0x0b, 0x7f, 0x3c, 0xb8, 0xd5, 0x66, 0xc8, 0x6c, 0x2f,
2500 0x16, 0x97, 0x9c, 0x9f, 0x44, 0x5f, 0x69, 0xab, 0x0e, 0xb4, 0x53,
2501 0x55, 0x89, 0xb2, 0xf7, 0x7a, 0x03, 0x01, 0x04, 0xf3, 0xcd,
2502 },
2503 32, "Nordu 'plausible' log" },
2504 { (const uint8_t[]){
2505 0xcf, 0x55, 0xe2, 0x89, 0x23, 0x49, 0x7c, 0x34, 0x0d, 0x52, 0x06,
2506 0xd0, 0x53, 0x53, 0xae, 0xb2, 0x58, 0x34, 0xb5, 0x2f, 0x1f, 0x8d,
2507 0xc9, 0x52, 0x68, 0x09, 0xf2, 0x12, 0xef, 0xdd, 0x7c, 0xa6,
2508 },
2509 32, "SHECA CT log 1" },
2510 { (const uint8_t[]){
2511 0x32, 0xdc, 0x59, 0xc2, 0xd4, 0xc4, 0x19, 0x68, 0xd5, 0x6e, 0x14,
2512 0xbc, 0x61, 0xac, 0x8f, 0x0e, 0x45, 0xdb, 0x39, 0xfa, 0xf3, 0xc1,
2513 0x55, 0xaa, 0x42, 0x52, 0xf5, 0x00, 0x1f, 0xa0, 0xc6, 0x23,
2514 },
2515 32, "SHECA CT log 2" },
2516 { (const uint8_t[]){
2517 0x96, 0x06, 0xc0, 0x2c, 0x69, 0x00, 0x33, 0xaa, 0x1d, 0x14, 0x5f,
2518 0x59, 0xc6, 0xe2, 0x64, 0x8d, 0x05, 0x49, 0xf0, 0xdf, 0x96, 0xaa,
2519 0xb8, 0xdb, 0x91, 0x5a, 0x70, 0xd8, 0xec, 0xf3, 0x90, 0xa5,
2520 },
2521 32, "Akamai CT Log" },
2522 { (const uint8_t[]){
2523 0x39, 0x37, 0x6f, 0x54, 0x5f, 0x7b, 0x46, 0x07, 0xf5, 0x97, 0x42,
2524 0xd7, 0x68, 0xcd, 0x5d, 0x24, 0x37, 0xbf, 0x34, 0x73, 0xb6, 0x53,
2525 0x4a, 0x48, 0x34, 0xbc, 0xf7, 0x2e, 0x68, 0x1c, 0x83, 0xc9,
2526 },
2527 32, "Alpha CT Log" },
2528 { (const uint8_t[]){
2529 0xb0, 0xb7, 0x84, 0xbc, 0x81, 0xc0, 0xdd, 0xc4, 0x75, 0x44, 0xe8,
2530 0x83, 0xf0, 0x59, 0x85, 0xbb, 0x90, 0x77, 0xd1, 0x34, 0xd8, 0xab,
2531 0x88, 0xb2, 0xb2, 0xe5, 0x33, 0x98, 0x0b, 0x8e, 0x50, 0x8b,
2532 },
2533 32, "Up In The Air 'Behind the Sofa' log" },
2534 { (const uint8_t[]){
2535 0x47, 0x44, 0x47, 0x7c, 0x75, 0xde, 0x42, 0x6d, 0x5c, 0x44, 0xef,
2536 0xd4, 0xa9, 0x2c, 0x96, 0x77, 0x59, 0x7f, 0x65, 0x7a, 0x8f, 0xe0,
2537 0xca, 0xdb, 0xc6, 0xd6, 0x16, 0xed, 0xa4, 0x97, 0xc4, 0x25,
2538 },
2539 32, "Qihoo 360 2020" },
2540 { (const uint8_t[]){
2541 0xc6, 0xd7, 0xed, 0x9e, 0xdb, 0x8e, 0x74, 0xf0, 0xa7, 0x1b, 0x4d,
2542 0x4a, 0x98, 0x4b, 0xcb, 0xeb, 0xab, 0xbd, 0x28, 0xcc, 0x1f, 0xd7,
2543 0x63, 0x29, 0xe8, 0x87, 0x26, 0xcd, 0x4c, 0x25, 0x46, 0x63,
2544 },
2545 32, "Qihoo 360 2021" },
2546 { (const uint8_t[]){
2547 0x66, 0x3c, 0xb0, 0x9c, 0x1f, 0xcd, 0x9b, 0xaa, 0x62, 0x76, 0x3c,
2548 0xcb, 0x53, 0x4e, 0xec, 0x80, 0x58, 0x12, 0x28, 0x05, 0x07, 0xac,
2549 0x69, 0xa4, 0x5f, 0xcd, 0x38, 0xcf, 0x4c, 0xc7, 0x4c, 0xf1,
2550 },
2551 32, "Qihoo 360 2022" },
2552 { (const uint8_t[]){
2553 0xe2, 0x64, 0x7f, 0x6e, 0xda, 0x34, 0x05, 0x03, 0xc6, 0x4d, 0x4e,
2554 0x10, 0xa8, 0x69, 0x68, 0x1f, 0xde, 0x9c, 0x5a, 0x2c, 0xf3, 0xb3,
2555 0x2d, 0x5f, 0x20, 0x0b, 0x96, 0x36, 0x05, 0x90, 0x88, 0x23,
2556 },
2557 32, "Qihoo 360 2023" },
2558 { (const uint8_t[]){
2559 0xc5, 0xcf, 0xe5, 0x4b, 0x61, 0x51, 0xb4, 0x9b, 0x14, 0x2e, 0xd2,
2560 0x63, 0xbd, 0xe7, 0x32, 0x93, 0x36, 0x37, 0x99, 0x79, 0x95, 0x50,
2561 0xae, 0x44, 0x35, 0xcd, 0x1a, 0x69, 0x97, 0xc9, 0xc3, 0xc3,
2562 },
2563 32, "Qihoo 360 v1 2020" },
2564 { (const uint8_t[]){
2565 0x48, 0x14, 0x58, 0x7c, 0xf2, 0x8b, 0x08, 0xfe, 0x68, 0x3f, 0xd2,
2566 0xbc, 0xd9, 0x45, 0x99, 0x4c, 0x2e, 0xb7, 0x4c, 0x8a, 0xe8, 0xc8,
2567 0x7f, 0xce, 0x42, 0x9b, 0x7c, 0xd3, 0x1d, 0x51, 0xbd, 0xc4,
2568 },
2569 32, "Qihoo 360 v1 2021" },
2570 { (const uint8_t[]){
2571 0x49, 0x11, 0xb8, 0xd6, 0x14, 0xcf, 0xd3, 0xd9, 0x9f, 0x16, 0xd3,
2572 0x76, 0x54, 0x5e, 0xe1, 0xb8, 0xcc, 0xfc, 0x51, 0x1f, 0x50, 0x9f,
2573 0x08, 0x0b, 0xa0, 0xa0, 0x87, 0xd9, 0x1d, 0xfa, 0xee, 0xa9,
2574 },
2575 32, "Qihoo 360 v1 2022" },
2576 { (const uint8_t[]){
2577 0xb6, 0x74, 0x0b, 0x12, 0x00, 0x2e, 0x03, 0x3f, 0xd0, 0xe7, 0xe9,
2578 0x41, 0xf4, 0xba, 0x3e, 0xe1, 0xbf, 0xc1, 0x49, 0xb5, 0x24, 0xb4,
2579 0xcf, 0x62, 0x8d, 0x53, 0xef, 0xea, 0x1f, 0x40, 0x3a, 0x8d,
2580 },
2581 32, "Qihoo 360 v1 2023" },
2582 { NULL((void*)0), 0, NULL((void*)0) }
2583};
2584
2585/*
2586 * Application-Layer Protocol Negotiation (ALPN) dissector tables.
2587 */
2588static dissector_table_t ssl_alpn_dissector_table;
2589static dissector_table_t dtls_alpn_dissector_table;
2590
2591/*
2592 * Special cases for prefix matching of the ALPN, if the ALPN includes
2593 * a version number for a draft or protocol revision.
2594 */
2595typedef struct ssl_alpn_prefix_match_protocol {
2596 const char *proto_prefix;
2597 const char *dissector_name;
2598} ssl_alpn_prefix_match_protocol_t;
2599
2600static const ssl_alpn_prefix_match_protocol_t ssl_alpn_prefix_match_protocols[] = {
2601 /* SPDY moves so fast, just 1, 2 and 3 are registered with IANA but there
2602 * already exists 3.1 as of this writing... match the prefix. */
2603 { "spdy/", "spdy" },
2604 /* draft-ietf-httpbis-http2-16 */
2605 { "h2-", "http2" }, /* draft versions */
2606};
2607
2608const value_string compress_certificate_algorithm_vals[] = {
2609 { 1, "zlib" },
2610 { 2, "brotli" },
2611 { 3, "zstd" },
2612 { 0, NULL((void*)0) }
2613};
2614
2615
2616const val64_string quic_transport_parameter_id[] = {
2617 { SSL_HND_QUIC_TP_ORIGINAL_DESTINATION_CONNECTION_ID0x00, "original_destination_connection_id" },
2618 { SSL_HND_QUIC_TP_MAX_IDLE_TIMEOUT0x01, "max_idle_timeout" },
2619 { SSL_HND_QUIC_TP_STATELESS_RESET_TOKEN0x02, "stateless_reset_token" },
2620 { SSL_HND_QUIC_TP_MAX_UDP_PAYLOAD_SIZE0x03, "max_udp_payload_size" },
2621 { SSL_HND_QUIC_TP_INITIAL_MAX_DATA0x04, "initial_max_data" },
2622 { SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_BIDI_LOCAL0x05, "initial_max_stream_data_bidi_local" },
2623 { SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_BIDI_REMOTE0x06, "initial_max_stream_data_bidi_remote" },
2624 { SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_UNI0x07, "initial_max_stream_data_uni" },
2625 { SSL_HND_QUIC_TP_INITIAL_MAX_STREAMS_UNI0x09, "initial_max_streams_uni" },
2626 { SSL_HND_QUIC_TP_INITIAL_MAX_STREAMS_BIDI0x08, "initial_max_streams_bidi" },
2627 { SSL_HND_QUIC_TP_ACK_DELAY_EXPONENT0x0a, "ack_delay_exponent" },
2628 { SSL_HND_QUIC_TP_MAX_ACK_DELAY0x0b, "max_ack_delay" },
2629 { SSL_HND_QUIC_TP_DISABLE_ACTIVE_MIGRATION0x0c, "disable_active_migration" },
2630 { SSL_HND_QUIC_TP_PREFERRED_ADDRESS0x0d, "preferred_address" },
2631 { SSL_HND_QUIC_TP_ACTIVE_CONNECTION_ID_LIMIT0x0e, "active_connection_id_limit" },
2632 { SSL_HND_QUIC_TP_INITIAL_SOURCE_CONNECTION_ID0x0f, "initial_source_connection_id" },
2633 { SSL_HND_QUIC_TP_RETRY_SOURCE_CONNECTION_ID0x10, "retry_source_connection_id" },
2634 { SSL_HND_QUIC_TP_MAX_DATAGRAM_FRAME_SIZE0x20, "max_datagram_frame_size" },
2635 { SSL_HND_QUIC_TP_CIBIR_ENCODING0x1000, "cibir_encoding" },
2636 { SSL_HND_QUIC_TP_LOSS_BITS0x1057, "loss_bits" },
2637 { SSL_HND_QUIC_TP_GREASE_QUIC_BIT0x2ab2, "grease_quic_bit" },
2638 { SSL_HND_QUIC_TP_ENABLE_TIME_STAMP0x7157, "enable_time_stamp" },
2639 { SSL_HND_QUIC_TP_ENABLE_TIME_STAMP_V20x7158, "enable_time_stamp_v2" },
2640 { SSL_HND_QUIC_TP_VERSION_INFORMATION0x11, "version_information" },
2641 { SSL_HND_QUIC_TP_MIN_ACK_DELAY_OLD0xde1a, "min_ack_delay" },
2642 { SSL_HND_QUIC_TP_GOOGLE_USER_AGENT0x3129, "google_user_agent" },
2643 { SSL_HND_QUIC_TP_GOOGLE_KEY_UPDATE_NOT_YET_SUPPORTED0x312B, "google_key_update_not_yet_supported" },
2644 { SSL_HND_QUIC_TP_GOOGLE_QUIC_VERSION0x4752, "google_quic_version" },
2645 { SSL_HND_QUIC_TP_GOOGLE_INITIAL_RTT0x3127, "google_initial_rtt" },
2646 { SSL_HND_QUIC_TP_GOOGLE_SUPPORT_HANDSHAKE_DONE0x312A, "google_support_handshake_done" },
2647 { SSL_HND_QUIC_TP_GOOGLE_QUIC_PARAMS0x4751, "google_quic_params" },
2648 { SSL_HND_QUIC_TP_GOOGLE_CONNECTION_OPTIONS0x3128, "google_connection_options" },
2649 { SSL_HND_QUIC_TP_FACEBOOK_PARTIAL_RELIABILITY0xFF00, "facebook_partial_reliability" },
2650 { SSL_HND_QUIC_TP_MIN_ACK_DELAY_DRAFT_V10xFF03DE1A, "min_ack_delay (draft-01)" },
2651 { SSL_HND_QUIC_TP_MIN_ACK_DELAY_DRAFT050xff04de1a, "min_ack_delay (draft-05)" },
2652 { SSL_HND_QUIC_TP_MIN_ACK_DELAY0xff04de1b, "min_ack_delay" },
2653 { SSL_HND_QUIC_TP_ENABLE_MULTIPATH_DRAFT040x0f739bbc1b666d04, "enable_multipath (draft-04)" },
2654 { SSL_HND_QUIC_TP_ENABLE_MULTIPATH_DRAFT050x0f739bbc1b666d05, "enable_multipath (draft-05)" },
2655 { SSL_HND_QUIC_TP_ENABLE_MULTIPATH0x0f739bbc1b666d06, "enable_multipath (draft-06)" },
2656 { SSL_HND_QUIC_TP_INITIAL_MAX_PATHS0x0f739bbc1b666d07, "initial_max_paths (draft-07/08)" },
2657 { SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT090x0f739bbc1b666d09, "initial_max_path_id (draft-09/10)" },
2658 { SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID0x0f739bbc1b666d11, "initial_max_path_id" },
2659 { 0, NULL((void*)0) }
2660};
2661
2662/* https://tools.ietf.org/html/draft-huitema-quic-ts-03 */
2663const val64_string quic_enable_time_stamp_v2_vals[] = {
2664 { 1, "I would like to receive TIME_STAMP frames" },
2665 { 2, "I am able to generate TIME_STAMP frames" },
2666 { 3, "I am able to generate TIME_STAMP frames and I would like to receive them" },
2667 { 0, NULL((void*)0) }
2668};
2669
2670/* https://tools.ietf.org/html/draft-multipath-04 */
2671const val64_string quic_enable_multipath_vals[] = {
2672 { 0, "don't support multipath" },
2673 { 1, "support multipath as defined in this document" },
2674 { 0, NULL((void*)0) }
2675};
2676
2677/* https://www.ietf.org/archive/id/draft-ietf-tls-esni-16.txt */
2678const value_string tls_hello_ext_ech_clienthello_types[] = {
2679 { 0, "Outer Client Hello" },
2680 { 1, "Inner Client Hello" },
2681 { 0, NULL((void*)0) }
2682};
2683
2684/* RFC 9180 */
2685const value_string kem_id_type_vals[] = {
2686 { 0x0000, "Reserved" },
2687 { 0x0010, "DHKEM(P-256, HKDF-SHA256)" },
2688 { 0x0011, "DHKEM(P-384, HKDF-SHA384)" },
2689 { 0x0012, "DHKEM(P-521, HKDF-SHA512)" },
2690 { 0x0020, "DHKEM(X25519, HKDF-SHA256)" },
2691 { 0x0021, "DHKEM(X448, HKDF-SHA512)" },
2692 { 0, NULL((void*)0) }
2693};
2694const value_string kdf_id_type_vals[] = {
2695 { 0x0000, "Reserved" },
2696 { 0x0001, "HKDF-SHA256" },
2697 { 0x0002, "HKDF-SHA384" },
2698 { 0x0003, "HKDF-SHA512" },
2699 { 0, NULL((void*)0) }
2700};
2701const value_string aead_id_type_vals[] = {
2702 { 0x0000, "Reserved" },
2703 { 0x0001, "AES-128-GCM" },
2704 { 0x0002, "AES-256-GCM" },
2705 { 0x0003, "ChaCha20Poly1305" },
2706 { 0xFFFF, "Export-only" },
2707 { 0, NULL((void*)0) }
2708};
2709
2710const value_string token_binding_key_parameter_vals[] = {
2711 { 0, "rsa2048_pkcs1.5" },
2712 { 1, "rsa2048_pss" },
2713 { 2, "ecdsap256" },
2714 { 0, NULL((void*)0) }
2715};
2716
2717/* Lookup tables }}} */
2718
2719void
2720quic_transport_parameter_id_base_custom(char *result, uint64_t parameter_id)
2721{
2722 const char *label;
2723 if (IS_GREASE_QUIC(parameter_id)((parameter_id) > 27 ? ((((parameter_id) - 27) % 31) == 0)
: 0)) {
2724 label = "GREASE";
2725 } else {
2726 label = val64_to_str_const(parameter_id, quic_transport_parameter_id, "Unknown");
2727 }
2728 snprintf(result, ITEM_LABEL_LENGTH240, "%s (0x%02" PRIx64"l" "x" ")", label, parameter_id);
2729}
2730
2731/* we keep this internal to packet-tls-utils, as there should be
2732 no need to access it any other way.
2733
2734 This also allows us to hide the dependency on zlib.
2735*/
2736struct _SslDecompress {
2737 int compression;
2738#if defined (HAVE_ZLIB1) || defined (HAVE_ZLIBNG)
2739 zlib_stream istream;
2740#endif
2741};
2742
2743/* To assist in parsing client/server key exchange messages
2744 0 indicates unknown */
2745int ssl_get_keyex_alg(int cipher)
2746{
2747 /* Map Cipher suite number to Key Exchange algorithm {{{ */
2748 switch(cipher) {
2749 case 0x0017:
2750 case 0x0018:
2751 case 0x0019:
2752 case 0x001a:
2753 case 0x001b:
2754 case 0x0034:
2755 case 0x003a:
2756 case 0x0046:
2757 case 0x006c:
2758 case 0x006d:
2759 case 0x0089:
2760 case 0x009b:
2761 case 0x00a6:
2762 case 0x00a7:
2763 case 0x00bf:
2764 case 0x00c5:
2765 case 0xc084:
2766 case 0xc085:
2767 return KEX_DH_ANON0x13;
2768 case 0x000b:
2769 case 0x000c:
2770 case 0x000d:
2771 case 0x0030:
2772 case 0x0036:
2773 case 0x003e:
2774 case 0x0042:
2775 case 0x0068:
2776 case 0x0085:
2777 case 0x0097:
2778 case 0x00a4:
2779 case 0x00a5:
2780 case 0x00bb:
2781 case 0x00c1:
2782 case 0xc082:
2783 case 0xc083:
2784 return KEX_DH_DSS0x14;
2785 case 0x000e:
2786 case 0x000f:
2787 case 0x0010:
2788 case 0x0031:
2789 case 0x0037:
2790 case 0x003f:
2791 case 0x0043:
2792 case 0x0069:
2793 case 0x0086:
2794 case 0x0098:
2795 case 0x00a0:
2796 case 0x00a1:
2797 case 0x00bc:
2798 case 0x00c2:
2799 case 0xc07e:
2800 case 0xc07f:
2801 return KEX_DH_RSA0x15;
2802 case 0x0011:
2803 case 0x0012:
2804 case 0x0013:
2805 case 0x0032:
2806 case 0x0038:
2807 case 0x0040:
2808 case 0x0044:
2809 case 0x0063:
2810 case 0x0065:
2811 case 0x0066:
2812 case 0x006a:
2813 case 0x0087:
2814 case 0x0099:
2815 case 0x00a2:
2816 case 0x00a3:
2817 case 0x00bd:
2818 case 0x00c3:
2819 case 0xc080:
2820 case 0xc081:
2821 return KEX_DHE_DSS0x10;
2822 case 0x002d:
2823 case 0x008e:
2824 case 0x008f:
2825 case 0x0090:
2826 case 0x0091:
2827 case 0x00aa:
2828 case 0x00ab:
2829 case 0x00b2:
2830 case 0x00b3:
2831 case 0x00b4:
2832 case 0x00b5:
2833 case 0xc090:
2834 case 0xc091:
2835 case 0xc096:
2836 case 0xc097:
2837 case 0xc0a6:
2838 case 0xc0a7:
2839 case 0xc0aa:
2840 case 0xc0ab:
2841 case 0xccad:
2842 case 0xe41c:
2843 case 0xe41d:
2844 return KEX_DHE_PSK0x11;
2845 case 0x0014:
2846 case 0x0015:
2847 case 0x0016:
2848 case 0x0033:
2849 case 0x0039:
2850 case 0x0045:
2851 case 0x0067:
2852 case 0x006b:
2853 case 0x0088:
2854 case 0x009a:
2855 case 0x009e:
2856 case 0x009f:
2857 case 0x00be:
2858 case 0x00c4:
2859 case 0xc07c:
2860 case 0xc07d:
2861 case 0xc09e:
2862 case 0xc09f:
2863 case 0xc0a2:
2864 case 0xc0a3:
2865 case 0xccaa:
2866 case 0xe41e:
2867 case 0xe41f:
2868 return KEX_DHE_RSA0x12;
2869 case 0xc015:
2870 case 0xc016:
2871 case 0xc017:
2872 case 0xc018:
2873 case 0xc019:
2874 return KEX_ECDH_ANON0x19;
2875 case 0xc001:
2876 case 0xc002:
2877 case 0xc003:
2878 case 0xc004:
2879 case 0xc005:
2880 case 0xc025:
2881 case 0xc026:
2882 case 0xc02d:
2883 case 0xc02e:
2884 case 0xc074:
2885 case 0xc075:
2886 case 0xc088:
2887 case 0xc089:
2888 return KEX_ECDH_ECDSA0x1a;
2889 case 0xc00b:
2890 case 0xc00c:
2891 case 0xc00d:
2892 case 0xc00e:
2893 case 0xc00f:
2894 case 0xc029:
2895 case 0xc02a:
2896 case 0xc031:
2897 case 0xc032:
2898 case 0xc078:
2899 case 0xc079:
2900 case 0xc08c:
2901 case 0xc08d:
2902 return KEX_ECDH_RSA0x1b;
2903 case 0xc006:
2904 case 0xc007:
2905 case 0xc008:
2906 case 0xc009:
2907 case 0xc00a:
2908 case 0xc023:
2909 case 0xc024:
2910 case 0xc02b:
2911 case 0xc02c:
2912 case 0xc072:
2913 case 0xc073:
2914 case 0xc086:
2915 case 0xc087:
2916 case 0xc0ac:
2917 case 0xc0ad:
2918 case 0xc0ae:
2919 case 0xc0af:
2920 case 0xcca9:
2921 case 0xe414:
2922 case 0xe415:
2923 return KEX_ECDHE_ECDSA0x16;
2924 case 0xc033:
2925 case 0xc034:
2926 case 0xc035:
2927 case 0xc036:
2928 case 0xc037:
2929 case 0xc038:
2930 case 0xc039:
2931 case 0xc03a:
2932 case 0xc03b:
2933 case 0xc09a:
2934 case 0xc09b:
2935 case 0xccac:
2936 case 0xe418:
2937 case 0xe419:
2938 case 0xd001:
2939 case 0xd002:
2940 case 0xd003:
2941 case 0xd005:
2942 return KEX_ECDHE_PSK0x17;
2943 case 0xc010:
2944 case 0xc011:
2945 case 0xc012:
2946 case 0xc013:
2947 case 0xc014:
2948 case 0xc027:
2949 case 0xc028:
2950 case 0xc02f:
2951 case 0xc030:
2952 case 0xc076:
2953 case 0xc077:
2954 case 0xc08a:
2955 case 0xc08b:
2956 case 0xcca8:
2957 case 0xe412:
2958 case 0xe413:
2959 return KEX_ECDHE_RSA0x18;
2960 case 0x001e:
2961 case 0x001f:
2962 case 0x0020:
2963 case 0x0021:
2964 case 0x0022:
2965 case 0x0023:
2966 case 0x0024:
2967 case 0x0025:
2968 case 0x0026:
2969 case 0x0027:
2970 case 0x0028:
2971 case 0x0029:
2972 case 0x002a:
2973 case 0x002b:
2974 return KEX_KRB50x1c;
2975 case 0x002c:
2976 case 0x008a:
2977 case 0x008b:
2978 case 0x008c:
2979 case 0x008d:
2980 case 0x00a8:
2981 case 0x00a9:
2982 case 0x00ae:
2983 case 0x00af:
2984 case 0x00b0:
2985 case 0x00b1:
2986 case 0xc064:
2987 case 0xc065:
2988 case 0xc08e:
2989 case 0xc08f:
2990 case 0xc094:
2991 case 0xc095:
2992 case 0xc0a4:
2993 case 0xc0a5:
2994 case 0xc0a8:
2995 case 0xc0a9:
2996 case 0xccab:
2997 case 0xe416:
2998 case 0xe417:
2999 return KEX_PSK0x1d;
3000 case 0x0001:
3001 case 0x0002:
3002 case 0x0003:
3003 case 0x0004:
3004 case 0x0005:
3005 case 0x0006:
3006 case 0x0007:
3007 case 0x0008:
3008 case 0x0009:
3009 case 0x000a:
3010 case 0x002f:
3011 case 0x0035:
3012 case 0x003b:
3013 case 0x003c:
3014 case 0x003d:
3015 case 0x0041:
3016 case 0x0060:
3017 case 0x0061:
3018 case 0x0062:
3019 case 0x0064:
3020 case 0x0084:
3021 case 0x0096:
3022 case 0x009c:
3023 case 0x009d:
3024 case 0x00ba:
3025 case 0x00c0:
3026 case 0xc07a:
3027 case 0xc07b:
3028 case 0xc09c:
3029 case 0xc09d:
3030 case 0xc0a0:
3031 case 0xc0a1:
3032 case 0xe410:
3033 case 0xe411:
3034 case 0xfefe:
3035 case 0xfeff:
3036 case 0xffe0:
3037 case 0xffe1:
3038 return KEX_RSA0x1e;
3039 case 0x002e:
3040 case 0x0092:
3041 case 0x0093:
3042 case 0x0094:
3043 case 0x0095:
3044 case 0x00ac:
3045 case 0x00ad:
3046 case 0x00b6:
3047 case 0x00b7:
3048 case 0x00b8:
3049 case 0x00b9:
3050 case 0xc092:
3051 case 0xc093:
3052 case 0xc098:
3053 case 0xc099:
3054 case 0xccae:
3055 case 0xe41a:
3056 case 0xe41b:
3057 return KEX_RSA_PSK0x1f;
3058 case 0xc01a:
3059 case 0xc01d:
3060 case 0xc020:
3061 return KEX_SRP_SHA0x20;
3062 case 0xc01c:
3063 case 0xc01f:
3064 case 0xc022:
3065 return KEX_SRP_SHA_DSS0x21;
3066 case 0xc01b:
3067 case 0xc01e:
3068 case 0xc021:
3069 return KEX_SRP_SHA_RSA0x22;
3070 case 0xc0ff:
3071 return KEX_ECJPAKE0x24;
3072 case 0xe003:
3073 case 0xe013:
3074 case 0xe053:
3075 return KEX_ECC_SM20x26;
3076 default:
3077 break;
3078 }
3079
3080 return 0;
3081 /* }}} */
3082}
3083
3084static wmem_list_t *connection_id_session_list;
3085
3086void
3087ssl_init_cid_list(void) {
3088 connection_id_session_list = wmem_list_new(wmem_file_scope());
3089}
3090
3091void
3092ssl_cleanup_cid_list(void) {
3093 wmem_destroy_list(connection_id_session_list);
3094}
3095
3096void
3097ssl_add_session_by_cid(SslDecryptSession *session)
3098{
3099 wmem_list_append(connection_id_session_list, session);
3100}
3101
3102SslDecryptSession *
3103ssl_get_session_by_cid(tvbuff_t *tvb, uint32_t offset)
3104{
3105 SslDecryptSession * ssl_cid = NULL((void*)0);
3106 wmem_list_frame_t *it = wmem_list_head(connection_id_session_list);
3107
3108 while (it != NULL((void*)0) && ssl_cid == NULL((void*)0)) {
3109 SslDecryptSession * ssl = (SslDecryptSession *)wmem_list_frame_data(it);
3110 DISSECTOR_ASSERT(ssl != NULL)((void) ((ssl != ((void*)0)) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 3110, "ssl != ((void*)0)"))));
3111 SslSession *session = &ssl->session;
3112
3113 if (session->client_cid_len > 0 && tvb_bytes_exist(tvb, offset, session->client_cid_len)) {
3114 if (tvb_memeql(tvb, offset, session->client_cid, session->client_cid_len) == 0) {
3115 ssl_cid = ssl;
3116 }
3117 }
3118
3119 if (session->server_cid_len > 0) {
3120 if (tvb_memeql(tvb, offset, session->server_cid, session->server_cid_len) == 0) {
3121 ssl_cid = ssl;
3122 }
3123 }
3124
3125 it = wmem_list_frame_next(it);
3126 }
3127
3128 return ssl_cid;
3129}
3130
3131/* StringInfo structure (len + data) functions {{{ */
3132
3133int
3134ssl_data_alloc(StringInfo* str, size_t len)
3135{
3136 str->data = (unsigned char *)g_malloc(len);
22
Memory is allocated
3137 /* the allocator can return a null pointer for a size equal to 0,
3138 * and that must be allowed */
3139 if (len
22.1
'len' is > 0
 > 0 && !str->data)
23
Assuming field 'data' is non-null
24
Taking false branch
3140 return -1;
3141 str->data_len = (unsigned) len;
3142 return 0;
3143}
3144
3145void
3146ssl_data_set(StringInfo* str, const unsigned char* data, unsigned len)
3147{
3148 DISSECTOR_ASSERT(data)((void) ((data) ? (void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\""
, "epan/dissectors/packet-tls-utils.c", 3148, "data"))));
3149 memcpy(str->data, data, len);
3150 str->data_len = len;
3151}
3152
3153static int
3154ssl_data_realloc(StringInfo* str, unsigned len)
3155{
3156 str->data = (unsigned char *)g_realloc(str->data, len);
3157 if (!str->data)
3158 return -1;
3159 str->data_len = len;
3160 return 0;
3161}
3162
3163static StringInfo *
3164ssl_data_clone(StringInfo *str)
3165{
3166 StringInfo *cloned_str;
3167 cloned_str = (StringInfo *) wmem_alloc0(wmem_file_scope(),
3168 sizeof(StringInfo) + str->data_len);
3169 cloned_str->data = (unsigned char *) (cloned_str + 1);
3170 ssl_data_set(cloned_str, str->data, str->data_len);
3171 return cloned_str;
3172}
3173
3174static int
3175ssl_data_copy(StringInfo* dst, StringInfo* src)
3176{
3177 if (dst->data_len < src->data_len) {
3178 if (ssl_data_realloc(dst, src->data_len))
3179 return -1;
3180 }
3181 memcpy(dst->data, src->data, src->data_len);
3182 dst->data_len = src->data_len;
3183 return 0;
3184}
3185
3186/* from_hex converts |hex_len| bytes of hex data from |in| and sets |*out| to
3187 * the result. |out->data| will be allocated using wmem_file_scope. Returns true on
3188 * success. */
3189static bool_Bool from_hex(StringInfo* out, const char* in, size_t hex_len) {
3190 size_t i;
3191
3192 if (hex_len & 1)
3193 return false0;
3194
3195 out->data = (unsigned char *)wmem_alloc(wmem_file_scope(), hex_len / 2);
3196 for (i = 0; i < hex_len / 2; i++) {
3197 int a = ws_xton(in[i*2]);
3198 int b = ws_xton(in[i*2 + 1]);
3199 if (a == -1 || b == -1)
3200 return false0;
3201 out->data[i] = a << 4 | b;
3202 }
3203 out->data_len = (unsigned)hex_len / 2;
3204 return true1;
3205}
3206/* StringInfo structure (len + data) functions }}} */
3207
3208
3209/* libgcrypt wrappers for HMAC/message digest operations {{{ */
3210/* hmac abstraction layer */
3211#define SSL_HMACgcry_md_hd_t gcry_md_hd_t
3212
3213static inline int
3214ssl_hmac_init(SSL_HMACgcry_md_hd_t* md, int algo)
3215{
3216 gcry_error_t err;
3217 const char *err_str, *err_src;
3218
3219 err = gcry_md_open(md,algo, GCRY_MD_FLAG_HMAC);
3220 if (err != 0) {
3221 err_str = gcry_strerror(err);
3222 err_src = gcry_strsource(err);
3223 ssl_debug_printf("ssl_hmac_init(): gcry_md_open failed %s/%s", err_str, err_src);
3224 return -1;
3225 }
3226 return 0;
3227}
3228
3229static inline int
3230ssl_hmac_setkey(SSL_HMACgcry_md_hd_t* md, const void * key, int len)
3231{
3232 gcry_error_t err;
3233 const char *err_str, *err_src;
3234
3235 err = gcry_md_setkey (*(md), key, len);
3236 if (err != 0) {
3237 err_str = gcry_strerror(err);
3238 err_src = gcry_strsource(err);
3239 ssl_debug_printf("ssl_hmac_setkey(): gcry_md_setkey failed %s/%s", err_str, err_src);
3240 return -1;
3241 }
3242 return 0;
3243}
3244
3245static inline int
3246ssl_hmac_reset(SSL_HMACgcry_md_hd_t* md)
3247{
3248 gcry_md_reset(*md);
3249 return 0;
3250}
3251
3252static inline void
3253ssl_hmac_update(SSL_HMACgcry_md_hd_t* md, const void* data, int len)
3254{
3255 gcry_md_write(*(md), data, len);
3256}
3257static inline void
3258ssl_hmac_final(SSL_HMACgcry_md_hd_t* md, unsigned char* data, unsigned* datalen)
3259{
3260 int algo;
3261 unsigned len;
3262
3263 algo = gcry_md_get_algo (*(md));
3264 len = gcry_md_get_algo_dlen(algo);
3265 DISSECTOR_ASSERT(len <= *datalen)((void) ((len <= *datalen) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 3265, "len <= *datalen"))));
3266 memcpy(data, gcry_md_read(*(md), algo), len);
3267 *datalen = len;
3268}
3269static inline void
3270ssl_hmac_cleanup(SSL_HMACgcry_md_hd_t* md)
3271{
3272 gcry_md_close(*(md));
3273}
3274
3275/* message digest abstraction layer*/
3276#define SSL_MDgcry_md_hd_t gcry_md_hd_t
3277
3278static inline int
3279ssl_md_init(SSL_MDgcry_md_hd_t* md, int algo)
3280{
3281 gcry_error_t err;
3282 const char *err_str, *err_src;
3283 err = gcry_md_open(md,algo, 0);
3284 if (err != 0) {
3285 err_str = gcry_strerror(err);
3286 err_src = gcry_strsource(err);
3287 ssl_debug_printf("ssl_md_init(): gcry_md_open failed %s/%s", err_str, err_src);
3288 return -1;
3289 }
3290 return 0;
3291}
3292static inline void
3293ssl_md_update(SSL_MDgcry_md_hd_t* md, unsigned char* data, int len)
3294{
3295 gcry_md_write(*(md), data, len);
3296}
3297static inline void
3298ssl_md_final(SSL_MDgcry_md_hd_t* md, unsigned char* data, unsigned* datalen)
3299{
3300 int algo;
3301 int len;
3302 algo = gcry_md_get_algo (*(md));
3303 len = gcry_md_get_algo_dlen (algo);
3304 memcpy(data, gcry_md_read(*(md), algo), len);
3305 *datalen = len;
3306}
3307static inline void
3308ssl_md_cleanup(SSL_MDgcry_md_hd_t* md)
3309{
3310 gcry_md_close(*(md));
3311}
3312
3313static inline void
3314ssl_md_reset(SSL_MDgcry_md_hd_t* md)
3315{
3316 gcry_md_reset(*md);
3317}
3318
3319/* md5 /sha abstraction layer */
3320#define SSL_SHA_CTXgcry_md_hd_t gcry_md_hd_t
3321#define SSL_MD5_CTXgcry_md_hd_t gcry_md_hd_t
3322
3323static inline int
3324ssl_sha_init(SSL_SHA_CTXgcry_md_hd_t* md)
3325{
3326 gcry_error_t err;
3327 const char *err_str, *err_src;
3328 err = gcry_md_open(md, GCRY_MD_SHA1, 0);
3329 if (err != 0) {
3330 err_str = gcry_strerror(err);
3331 err_src = gcry_strsource(err);
3332 ssl_debug_printf("ssl_sha_init(): gcry_md_open failed %s/%s", err_str, err_src);
3333 return -1;
3334 }
3335 return 0;
3336}
3337static inline void
3338ssl_sha_update(SSL_SHA_CTXgcry_md_hd_t* md, unsigned char* data, int len)
3339{
3340 gcry_md_write(*(md), data, len);
3341}
3342static inline void
3343ssl_sha_final(unsigned char* buf, SSL_SHA_CTXgcry_md_hd_t* md)
3344{
3345 memcpy(buf, gcry_md_read(*(md), GCRY_MD_SHA1),
3346 gcry_md_get_algo_dlen(GCRY_MD_SHA1));
3347}
3348
3349static inline void
3350ssl_sha_reset(SSL_SHA_CTXgcry_md_hd_t* md)
3351{
3352 gcry_md_reset(*md);
3353}
3354
3355static inline void
3356ssl_sha_cleanup(SSL_SHA_CTXgcry_md_hd_t* md)
3357{
3358 gcry_md_close(*(md));
3359}
3360
3361static inline int
3362ssl_md5_init(SSL_MD5_CTXgcry_md_hd_t* md)
3363{
3364 gcry_error_t err;
3365 const char *err_str, *err_src;
3366 err = gcry_md_open(md,GCRY_MD_MD5, 0);
3367 if (err != 0) {
3368 err_str = gcry_strerror(err);
3369 err_src = gcry_strsource(err);
3370 ssl_debug_printf("ssl_md5_init(): gcry_md_open failed %s/%s", err_str, err_src);
3371 return -1;
3372 }
3373 return 0;
3374}
3375static inline void
3376ssl_md5_update(SSL_MD5_CTXgcry_md_hd_t* md, unsigned char* data, int len)
3377{
3378 gcry_md_write(*(md), data, len);
3379}
3380static inline void
3381ssl_md5_final(unsigned char* buf, SSL_MD5_CTXgcry_md_hd_t* md)
3382{
3383 memcpy(buf, gcry_md_read(*(md), GCRY_MD_MD5),
3384 gcry_md_get_algo_dlen(GCRY_MD_MD5));
3385}
3386
3387static inline void
3388ssl_md5_reset(SSL_MD5_CTXgcry_md_hd_t* md)
3389{
3390 gcry_md_reset(*md);
3391}
3392
3393static inline void
3394ssl_md5_cleanup(SSL_MD5_CTXgcry_md_hd_t* md)
3395{
3396 gcry_md_close(*(md));
3397}
3398/* libgcrypt wrappers for HMAC/message digest operations }}} */
3399
3400/* libgcrypt wrappers for Cipher state manipulation {{{ */
3401int
3402ssl_cipher_setiv(SSL_CIPHER_CTXgcry_cipher_hd_t *cipher, unsigned char* iv, int iv_len)
3403{
3404 int ret;
3405#if 0
3406 unsigned char *ivp;
3407 int i;
3408 gcry_cipher_hd_t c;
3409 c=(gcry_cipher_hd_t)*cipher;
3410#endif
3411 ssl_debug_printf("--------------------------------------------------------------------");
3412#if 0
3413 for(ivp=c->iv,i=0; i < iv_len; i++ )
3414 {
3415 ssl_debug_printf("%d ",ivp[i]);
3416 i++;
3417 }
3418#endif
3419 ssl_debug_printf("--------------------------------------------------------------------");
3420 ret = gcry_cipher_setiv(*(cipher), iv, iv_len);
3421#if 0
3422 for(ivp=c->iv,i=0; i < iv_len; i++ )
3423 {
3424 ssl_debug_printf("%d ",ivp[i]);
3425 i++;
3426 }
3427#endif
3428 ssl_debug_printf("--------------------------------------------------------------------");
3429 return ret;
3430}
3431/* stream cipher abstraction layer*/
3432static int
3433ssl_cipher_init(gcry_cipher_hd_t *cipher, int algo, unsigned char* sk,
3434 unsigned char* iv, int mode)
3435{
3436 int gcry_modes[] = {
3437 GCRY_CIPHER_MODE_STREAM,
3438 GCRY_CIPHER_MODE_CBC,
3439 GCRY_CIPHER_MODE_GCM,
3440 GCRY_CIPHER_MODE_CCM,
3441 GCRY_CIPHER_MODE_CCM,
3442 GCRY_CIPHER_MODE_POLY1305,
3443 GCRY_CIPHER_MODE_ECB, /* used for DTLSv1.3 seq number encryption */
3444 };
3445 int err;
3446 if (algo == -1) {
3447 /* NULL mode */
3448 *(cipher) = (gcry_cipher_hd_t)-1;
3449 return 0;
3450 }
3451 err = gcry_cipher_open(cipher, algo, gcry_modes[mode], 0);
3452 if (err !=0)
3453 return -1;
3454 err = gcry_cipher_setkey(*(cipher), sk, gcry_cipher_get_algo_keylen (algo));
3455 if (err != 0)
3456 return -1;
3457 /* AEAD cipher suites will set the nonce later. */
3458 if (mode == MODE_CBC) {
3459 err = gcry_cipher_setiv(*(cipher), iv, gcry_cipher_get_algo_blklen(algo));
3460 if (err != 0)
3461 return -1;
3462 }
3463 return 0;
3464}
3465static inline int
3466ssl_cipher_decrypt(gcry_cipher_hd_t *cipher, unsigned char * out, int outl,
3467 const unsigned char * in, int inl)
3468{
3469 if ((*cipher) == (gcry_cipher_hd_t)-1)
3470 {
3471 if (in && inl)
3472 memcpy(out, in, outl < inl ? outl : inl);
3473 return 0;
3474 }
3475 return gcry_cipher_decrypt ( *(cipher), out, outl, in, inl);
3476}
3477static inline int
3478ssl_get_digest_by_name(const char*name)
3479{
3480 return gcry_md_map_name(name);
3481}
3482static inline int
3483ssl_get_cipher_by_name(const char* name)
3484{
3485 return gcry_cipher_map_name(name);
3486}
3487
3488static inline void
3489ssl_cipher_cleanup(gcry_cipher_hd_t *cipher)
3490{
3491 if ((*cipher) != (gcry_cipher_hd_t)-1)
3492 gcry_cipher_close(*cipher);
3493 *cipher = NULL((void*)0);
3494}
3495/* }}} */
3496
3497/* Digests, Ciphers and Cipher Suites registry {{{ */
3498static const SslDigestAlgo digests[]={
3499 {"MD5", 16},
3500 {"SHA1", 20},
3501 {"SHA256", 32},
3502 {"SHA384", 48},
3503 {"SM3", 32},
3504 {"Not Applicable", 0},
3505};
3506
3507#define DIGEST_MAX_SIZE48 48
3508
3509/* get index digest index */
3510static const SslDigestAlgo *
3511ssl_cipher_suite_dig(const SslCipherSuite *cs) {
3512 return &digests[cs->dig - DIG_MD50x40];
3513}
3514
3515static const char *ciphers[]={
3516 "DES",
3517 "3DES",
3518 "ARCFOUR", /* libgcrypt does not support rc4, but this should be 100% compatible*/
3519 "RFC2268_128", /* libgcrypt name for RC2 with a 128-bit key */
3520 "IDEA",
3521 "AES",
3522 "AES256",
3523 "CAMELLIA128",
3524 "CAMELLIA256",
3525 "SEED",
3526 "CHACHA20", /* since Libgcrypt 1.7.0 */
3527 "SM1",
3528 "SM4",
3529 "*UNKNOWN*"
3530};
3531
3532static const SslCipherSuite cipher_suites[]={
3533 {0x0001,KEX_RSA0x1e, ENC_NULL0x3D, DIG_MD50x40, MODE_STREAM}, /* TLS_RSA_WITH_NULL_MD5 */
3534 {0x0002,KEX_RSA0x1e, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_RSA_WITH_NULL_SHA */
3535 {0x0003,KEX_RSA0x1e, ENC_RC40x32, DIG_MD50x40, MODE_STREAM}, /* TLS_RSA_EXPORT_WITH_RC4_40_MD5 */
3536 {0x0004,KEX_RSA0x1e, ENC_RC40x32, DIG_MD50x40, MODE_STREAM}, /* TLS_RSA_WITH_RC4_128_MD5 */
3537 {0x0005,KEX_RSA0x1e, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_RSA_WITH_RC4_128_SHA */
3538 {0x0006,KEX_RSA0x1e, ENC_RC20x33, DIG_MD50x40, MODE_CBC }, /* TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 */
3539 {0x0007,KEX_RSA0x1e, ENC_IDEA0x34, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_IDEA_CBC_SHA */
3540 {0x0008,KEX_RSA0x1e, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_EXPORT_WITH_DES40_CBC_SHA */
3541 {0x0009,KEX_RSA0x1e, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_DES_CBC_SHA */
3542 {0x000A,KEX_RSA0x1e, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_3DES_EDE_CBC_SHA */
3543 {0x000B,KEX_DH_DSS0x14, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA */
3544 {0x000C,KEX_DH_DSS0x14, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_DES_CBC_SHA */
3545 {0x000D,KEX_DH_DSS0x14, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA */
3546 {0x000E,KEX_DH_RSA0x15, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA */
3547 {0x000F,KEX_DH_RSA0x15, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_DES_CBC_SHA */
3548 {0x0010,KEX_DH_RSA0x15, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA */
3549 {0x0011,KEX_DHE_DSS0x10, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA */
3550 {0x0012,KEX_DHE_DSS0x10, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_DES_CBC_SHA */
3551 {0x0013,KEX_DHE_DSS0x10, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA */
3552 {0x0014,KEX_DHE_RSA0x12, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA */
3553 {0x0015,KEX_DHE_RSA0x12, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_DES_CBC_SHA */
3554 {0x0016,KEX_DHE_RSA0x12, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA */
3555 {0x0017,KEX_DH_ANON0x13, ENC_RC40x32, DIG_MD50x40, MODE_STREAM}, /* TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 */
3556 {0x0018,KEX_DH_ANON0x13, ENC_RC40x32, DIG_MD50x40, MODE_STREAM}, /* TLS_DH_anon_WITH_RC4_128_MD5 */
3557 {0x0019,KEX_DH_ANON0x13, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA */
3558 {0x001A,KEX_DH_ANON0x13, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_DES_CBC_SHA */
3559 {0x001B,KEX_DH_ANON0x13, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_3DES_EDE_CBC_SHA */
3560 {0x002C,KEX_PSK0x1d, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_PSK_WITH_NULL_SHA */
3561 {0x002D,KEX_DHE_PSK0x11, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_DHE_PSK_WITH_NULL_SHA */
3562 {0x002E,KEX_RSA_PSK0x1f, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_RSA_PSK_WITH_NULL_SHA */
3563 {0x002F,KEX_RSA0x1e, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_AES_128_CBC_SHA */
3564 {0x0030,KEX_DH_DSS0x14, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_AES_128_CBC_SHA */
3565 {0x0031,KEX_DH_RSA0x15, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_AES_128_CBC_SHA */
3566 {0x0032,KEX_DHE_DSS0x10, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_AES_128_CBC_SHA */
3567 {0x0033,KEX_DHE_RSA0x12, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_AES_128_CBC_SHA */
3568 {0x0034,KEX_DH_ANON0x13, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_AES_128_CBC_SHA */
3569 {0x0035,KEX_RSA0x1e, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_AES_256_CBC_SHA */
3570 {0x0036,KEX_DH_DSS0x14, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_AES_256_CBC_SHA */
3571 {0x0037,KEX_DH_RSA0x15, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_AES_256_CBC_SHA */
3572 {0x0038,KEX_DHE_DSS0x10, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_AES_256_CBC_SHA */
3573 {0x0039,KEX_DHE_RSA0x12, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_AES_256_CBC_SHA */
3574 {0x003A,KEX_DH_ANON0x13, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_AES_256_CBC_SHA */
3575 {0x003B,KEX_RSA0x1e, ENC_NULL0x3D, DIG_SHA2560x42, MODE_STREAM}, /* TLS_RSA_WITH_NULL_SHA256 */
3576 {0x003C,KEX_RSA0x1e, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_RSA_WITH_AES_128_CBC_SHA256 */
3577 {0x003D,KEX_RSA0x1e, ENC_AES2560x36, DIG_SHA2560x42, MODE_CBC }, /* TLS_RSA_WITH_AES_256_CBC_SHA256 */
3578 {0x003E,KEX_DH_DSS0x14, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_DSS_WITH_AES_128_CBC_SHA256 */
3579 {0x003F,KEX_DH_RSA0x15, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_RSA_WITH_AES_128_CBC_SHA256 */
3580 {0x0040,KEX_DHE_DSS0x10, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 */
3581 {0x0041,KEX_RSA0x1e, ENC_CAMELLIA1280x37,DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_CAMELLIA_128_CBC_SHA */
3582 {0x0042,KEX_DH_DSS0x14, ENC_CAMELLIA1280x37,DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA */
3583 {0x0043,KEX_DH_RSA0x15, ENC_CAMELLIA1280x37,DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA */
3584 {0x0044,KEX_DHE_DSS0x10, ENC_CAMELLIA1280x37,DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA */
3585 {0x0045,KEX_DHE_RSA0x12, ENC_CAMELLIA1280x37,DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA */
3586 {0x0046,KEX_DH_ANON0x13, ENC_CAMELLIA1280x37,DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA */
3587 {0x0060,KEX_RSA0x1e, ENC_RC40x32, DIG_MD50x40, MODE_STREAM}, /* TLS_RSA_EXPORT1024_WITH_RC4_56_MD5 */
3588 {0x0061,KEX_RSA0x1e, ENC_RC20x33, DIG_MD50x40, MODE_STREAM}, /* TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 */
3589 {0x0062,KEX_RSA0x1e, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA */
3590 {0x0063,KEX_DHE_DSS0x10, ENC_DES0x30, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA */
3591 {0x0064,KEX_RSA0x1e, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_RSA_EXPORT1024_WITH_RC4_56_SHA */
3592 {0x0065,KEX_DHE_DSS0x10, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA */
3593 {0x0066,KEX_DHE_DSS0x10, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_DHE_DSS_WITH_RC4_128_SHA */
3594 {0x0067,KEX_DHE_RSA0x12, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 */
3595 {0x0068,KEX_DH_DSS0x14, ENC_AES2560x36, DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_DSS_WITH_AES_256_CBC_SHA256 */
3596 {0x0069,KEX_DH_RSA0x15, ENC_AES2560x36, DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_RSA_WITH_AES_256_CBC_SHA256 */
3597 {0x006A,KEX_DHE_DSS0x10, ENC_AES2560x36, DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 */
3598 {0x006B,KEX_DHE_RSA0x12, ENC_AES2560x36, DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 */
3599 {0x006C,KEX_DH_ANON0x13, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_anon_WITH_AES_128_CBC_SHA256 */
3600 {0x006D,KEX_DH_ANON0x13, ENC_AES2560x36, DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_anon_WITH_AES_256_CBC_SHA256 */
3601 {0x0084,KEX_RSA0x1e, ENC_CAMELLIA2560x38,DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_CAMELLIA_256_CBC_SHA */
3602 {0x0085,KEX_DH_DSS0x14, ENC_CAMELLIA2560x38,DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA */
3603 {0x0086,KEX_DH_RSA0x15, ENC_CAMELLIA2560x38,DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA */
3604 {0x0087,KEX_DHE_DSS0x10, ENC_CAMELLIA2560x38,DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA */
3605 {0x0088,KEX_DHE_RSA0x12, ENC_CAMELLIA2560x38,DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA */
3606 {0x0089,KEX_DH_ANON0x13, ENC_CAMELLIA2560x38,DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA */
3607 {0x008A,KEX_PSK0x1d, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_PSK_WITH_RC4_128_SHA */
3608 {0x008B,KEX_PSK0x1d, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_PSK_WITH_3DES_EDE_CBC_SHA */
3609 {0x008C,KEX_PSK0x1d, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_PSK_WITH_AES_128_CBC_SHA */
3610 {0x008D,KEX_PSK0x1d, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_PSK_WITH_AES_256_CBC_SHA */
3611 {0x008E,KEX_DHE_PSK0x11, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_DHE_PSK_WITH_RC4_128_SHA */
3612 {0x008F,KEX_DHE_PSK0x11, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA */
3613 {0x0090,KEX_DHE_PSK0x11, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_PSK_WITH_AES_128_CBC_SHA */
3614 {0x0091,KEX_DHE_PSK0x11, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_PSK_WITH_AES_256_CBC_SHA */
3615 {0x0092,KEX_RSA_PSK0x1f, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_RSA_PSK_WITH_RC4_128_SHA */
3616 {0x0093,KEX_RSA_PSK0x1f, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA */
3617 {0x0094,KEX_RSA_PSK0x1f, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_PSK_WITH_AES_128_CBC_SHA */
3618 {0x0095,KEX_RSA_PSK0x1f, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_PSK_WITH_AES_256_CBC_SHA */
3619 {0x0096,KEX_RSA0x1e, ENC_SEED0x39, DIG_SHA0x41, MODE_CBC }, /* TLS_RSA_WITH_SEED_CBC_SHA */
3620 {0x0097,KEX_DH_DSS0x14, ENC_SEED0x39, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_DSS_WITH_SEED_CBC_SHA */
3621 {0x0098,KEX_DH_RSA0x15, ENC_SEED0x39, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_RSA_WITH_SEED_CBC_SHA */
3622 {0x0099,KEX_DHE_DSS0x10, ENC_SEED0x39, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_DSS_WITH_SEED_CBC_SHA */
3623 {0x009A,KEX_DHE_RSA0x12, ENC_SEED0x39, DIG_SHA0x41, MODE_CBC }, /* TLS_DHE_RSA_WITH_SEED_CBC_SHA */
3624 {0x009B,KEX_DH_ANON0x13, ENC_SEED0x39, DIG_SHA0x41, MODE_CBC }, /* TLS_DH_anon_WITH_SEED_CBC_SHA */
3625 {0x009C,KEX_RSA0x1e, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_RSA_WITH_AES_128_GCM_SHA256 */
3626 {0x009D,KEX_RSA0x1e, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_RSA_WITH_AES_256_GCM_SHA384 */
3627 {0x009E,KEX_DHE_RSA0x12, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 */
3628 {0x009F,KEX_DHE_RSA0x12, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 */
3629 {0x00A0,KEX_DH_RSA0x15, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_DH_RSA_WITH_AES_128_GCM_SHA256 */
3630 {0x00A1,KEX_DH_RSA0x15, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_DH_RSA_WITH_AES_256_GCM_SHA384 */
3631 {0x00A2,KEX_DHE_DSS0x10, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 */
3632 {0x00A3,KEX_DHE_DSS0x10, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 */
3633 {0x00A4,KEX_DH_DSS0x14, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_DH_DSS_WITH_AES_128_GCM_SHA256 */
3634 {0x00A5,KEX_DH_DSS0x14, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_DH_DSS_WITH_AES_256_GCM_SHA384 */
3635 {0x00A6,KEX_DH_ANON0x13, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_DH_anon_WITH_AES_128_GCM_SHA256 */
3636 {0x00A7,KEX_DH_ANON0x13, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_DH_anon_WITH_AES_256_GCM_SHA384 */
3637 {0x00A8,KEX_PSK0x1d, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_PSK_WITH_AES_128_GCM_SHA256 */
3638 {0x00A9,KEX_PSK0x1d, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_PSK_WITH_AES_256_GCM_SHA384 */
3639 {0x00AA,KEX_DHE_PSK0x11, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 */
3640 {0x00AB,KEX_DHE_PSK0x11, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 */
3641 {0x00AC,KEX_RSA_PSK0x1f, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 */
3642 {0x00AD,KEX_RSA_PSK0x1f, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 */
3643 {0x00AE,KEX_PSK0x1d, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_PSK_WITH_AES_128_CBC_SHA256 */
3644 {0x00AF,KEX_PSK0x1d, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_PSK_WITH_AES_256_CBC_SHA384 */
3645 {0x00B0,KEX_PSK0x1d, ENC_NULL0x3D, DIG_SHA2560x42, MODE_STREAM}, /* TLS_PSK_WITH_NULL_SHA256 */
3646 {0x00B1,KEX_PSK0x1d, ENC_NULL0x3D, DIG_SHA3840x43, MODE_STREAM}, /* TLS_PSK_WITH_NULL_SHA384 */
3647 {0x00B2,KEX_DHE_PSK0x11, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 */
3648 {0x00B3,KEX_DHE_PSK0x11, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 */
3649 {0x00B4,KEX_DHE_PSK0x11, ENC_NULL0x3D, DIG_SHA2560x42, MODE_STREAM}, /* TLS_DHE_PSK_WITH_NULL_SHA256 */
3650 {0x00B5,KEX_DHE_PSK0x11, ENC_NULL0x3D, DIG_SHA3840x43, MODE_STREAM}, /* TLS_DHE_PSK_WITH_NULL_SHA384 */
3651 {0x00B6,KEX_RSA_PSK0x1f, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 */
3652 {0x00B7,KEX_RSA_PSK0x1f, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 */
3653 {0x00B8,KEX_RSA_PSK0x1f, ENC_NULL0x3D, DIG_SHA2560x42, MODE_STREAM}, /* TLS_RSA_PSK_WITH_NULL_SHA256 */
3654 {0x00B9,KEX_RSA_PSK0x1f, ENC_NULL0x3D, DIG_SHA3840x43, MODE_STREAM}, /* TLS_RSA_PSK_WITH_NULL_SHA384 */
3655 {0x00BA,KEX_RSA0x1e, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 */
3656 {0x00BB,KEX_DH_DSS0x14, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256 */
3657 {0x00BC,KEX_DH_RSA0x15, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256 */
3658 {0x00BD,KEX_DHE_DSS0x10, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256 */
3659 {0x00BE,KEX_DHE_RSA0x12, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 */
3660 {0x00BF,KEX_DH_ANON0x13, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256 */
3661 {0x00C0,KEX_RSA0x1e, ENC_CAMELLIA2560x38,DIG_SHA2560x42, MODE_CBC }, /* TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 */
3662 {0x00C1,KEX_DH_DSS0x14, ENC_CAMELLIA2560x38,DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256 */
3663 {0x00C2,KEX_DH_RSA0x15, ENC_CAMELLIA2560x38,DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256 */
3664 {0x00C3,KEX_DHE_DSS0x10, ENC_CAMELLIA2560x38,DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256 */
3665 {0x00C4,KEX_DHE_RSA0x12, ENC_CAMELLIA2560x38,DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 */
3666 {0x00C5,KEX_DH_ANON0x13, ENC_CAMELLIA2560x38,DIG_SHA2560x42, MODE_CBC }, /* TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256 */
3667
3668 /* NOTE: TLS 1.3 cipher suites are incompatible with TLS 1.2. */
3669 {0x1301,KEX_TLS130x23, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_AES_128_GCM_SHA256 */
3670 {0x1302,KEX_TLS130x23, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_AES_256_GCM_SHA384 */
3671 {0x1303,KEX_TLS130x23, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_CHACHA20_POLY1305_SHA256 */
3672 {0x1304,KEX_TLS130x23, ENC_AES0x35, DIG_SHA2560x42, MODE_CCM }, /* TLS_AES_128_CCM_SHA256 */
3673 {0x1305,KEX_TLS130x23, ENC_AES0x35, DIG_SHA2560x42, MODE_CCM_8 }, /* TLS_AES_128_CCM_8_SHA256 */
3674 {0x00C6,KEX_TLS130x23, ENC_SM40x3C, DIG_SM30x44, MODE_GCM }, /* TLS_SM4_GCM_SM3 */
3675
3676 {0xC001,KEX_ECDH_ECDSA0x1a, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDH_ECDSA_WITH_NULL_SHA */
3677 {0xC002,KEX_ECDH_ECDSA0x1a, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDH_ECDSA_WITH_RC4_128_SHA */
3678 {0xC003,KEX_ECDH_ECDSA0x1a, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA */
3679 {0xC004,KEX_ECDH_ECDSA0x1a, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA */
3680 {0xC005,KEX_ECDH_ECDSA0x1a, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA */
3681 {0xC006,KEX_ECDHE_ECDSA0x16, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDHE_ECDSA_WITH_NULL_SHA */
3682 {0xC007,KEX_ECDHE_ECDSA0x16, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDHE_ECDSA_WITH_RC4_128_SHA */
3683 {0xC008,KEX_ECDHE_ECDSA0x16, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA */
3684 {0xC009,KEX_ECDHE_ECDSA0x16, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA */
3685 {0xC00A,KEX_ECDHE_ECDSA0x16, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA */
3686 {0xC00B,KEX_ECDH_RSA0x1b, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDH_RSA_WITH_NULL_SHA */
3687 {0xC00C,KEX_ECDH_RSA0x1b, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDH_RSA_WITH_RC4_128_SHA */
3688 {0xC00D,KEX_ECDH_RSA0x1b, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA */
3689 {0xC00E,KEX_ECDH_RSA0x1b, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_RSA_WITH_AES_128_CBC_SHA */
3690 {0xC00F,KEX_ECDH_RSA0x1b, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_RSA_WITH_AES_256_CBC_SHA */
3691 {0xC0FF,KEX_ECJPAKE0x24, ENC_AES0x35, DIG_NA0x45, MODE_CCM_8 }, /* TLS_ECJPAKE_WITH_AES_128_CCM_8 */
3692 {0xC010,KEX_ECDHE_RSA0x18, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDHE_RSA_WITH_NULL_SHA */
3693 {0xC011,KEX_ECDHE_RSA0x18, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDHE_RSA_WITH_RC4_128_SHA */
3694 {0xC012,KEX_ECDHE_RSA0x18, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA */
3695 {0xC013,KEX_ECDHE_RSA0x18, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA */
3696 {0xC014,KEX_ECDHE_RSA0x18, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA */
3697 {0xC015,KEX_ECDH_ANON0x19, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDH_anon_WITH_NULL_SHA */
3698 {0xC016,KEX_ECDH_ANON0x19, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDH_anon_WITH_RC4_128_SHA */
3699 {0xC017,KEX_ECDH_ANON0x19, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA */
3700 {0xC018,KEX_ECDH_ANON0x19, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_anon_WITH_AES_128_CBC_SHA */
3701 {0xC019,KEX_ECDH_ANON0x19, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDH_anon_WITH_AES_256_CBC_SHA */
3702 {0xC01A,KEX_SRP_SHA0x20, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA */
3703 {0xC01B,KEX_SRP_SHA_RSA0x22, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA */
3704 {0xC01C,KEX_SRP_SHA_DSS0x21, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA */
3705 {0xC01D,KEX_SRP_SHA0x20, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_WITH_AES_128_CBC_SHA */
3706 {0xC01E,KEX_SRP_SHA_RSA0x22, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA */
3707 {0xC01F,KEX_SRP_SHA_DSS0x21, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA */
3708 {0xC020,KEX_SRP_SHA0x20, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_WITH_AES_256_CBC_SHA */
3709 {0xC021,KEX_SRP_SHA_RSA0x22, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA */
3710 {0xC022,KEX_SRP_SHA_DSS0x21, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA */
3711 {0xC023,KEX_ECDHE_ECDSA0x16, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 */
3712 {0xC024,KEX_ECDHE_ECDSA0x16, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 */
3713 {0xC025,KEX_ECDH_ECDSA0x1a, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 */
3714 {0xC026,KEX_ECDH_ECDSA0x1a, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 */
3715 {0xC027,KEX_ECDHE_RSA0x18, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 */
3716 {0xC028,KEX_ECDHE_RSA0x18, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 */
3717 {0xC029,KEX_ECDH_RSA0x1b, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 */
3718 {0xC02A,KEX_ECDH_RSA0x1b, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 */
3719 {0xC02B,KEX_ECDHE_ECDSA0x16, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 */
3720 {0xC02C,KEX_ECDHE_ECDSA0x16, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 */
3721 {0xC02D,KEX_ECDH_ECDSA0x1a, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 */
3722 {0xC02E,KEX_ECDH_ECDSA0x1a, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 */
3723 {0xC02F,KEX_ECDHE_RSA0x18, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 */
3724 {0xC030,KEX_ECDHE_RSA0x18, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 */
3725 {0xC031,KEX_ECDH_RSA0x1b, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 */
3726 {0xC032,KEX_ECDH_RSA0x1b, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 */
3727 {0xC033,KEX_ECDHE_PSK0x17, ENC_RC40x32, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDHE_PSK_WITH_RC4_128_SHA */
3728 {0xC034,KEX_ECDHE_PSK0x17, ENC_3DES0x31, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA */
3729 {0xC035,KEX_ECDHE_PSK0x17, ENC_AES0x35, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA */
3730 {0xC036,KEX_ECDHE_PSK0x17, ENC_AES2560x36, DIG_SHA0x41, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA */
3731 {0xC037,KEX_ECDHE_PSK0x17, ENC_AES0x35, DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 */
3732 {0xC038,KEX_ECDHE_PSK0x17, ENC_AES2560x36, DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 */
3733 {0xC039,KEX_ECDHE_PSK0x17, ENC_NULL0x3D, DIG_SHA0x41, MODE_STREAM}, /* TLS_ECDHE_PSK_WITH_NULL_SHA */
3734 {0xC03A,KEX_ECDHE_PSK0x17, ENC_NULL0x3D, DIG_SHA2560x42, MODE_STREAM}, /* TLS_ECDHE_PSK_WITH_NULL_SHA256 */
3735 {0xC03B,KEX_ECDHE_PSK0x17, ENC_NULL0x3D, DIG_SHA3840x43, MODE_STREAM}, /* TLS_ECDHE_PSK_WITH_NULL_SHA384 */
3736 {0xC072,KEX_ECDHE_ECDSA0x16, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 */
3737 {0xC073,KEX_ECDHE_ECDSA0x16, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 */
3738 {0xC074,KEX_ECDH_ECDSA0x1a, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 */
3739 {0xC075,KEX_ECDH_ECDSA0x1a, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 */
3740 {0xC076,KEX_ECDHE_RSA0x18, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 */
3741 {0xC077,KEX_ECDHE_RSA0x18, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 */
3742 {0xC078,KEX_ECDH_RSA0x1b, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256 */
3743 {0xC079,KEX_ECDH_RSA0x1b, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384 */
3744 {0xC07A,KEX_RSA0x1e, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256 */
3745 {0xC07B,KEX_RSA0x1e, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384 */
3746 {0xC07C,KEX_DHE_RSA0x12, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 */
3747 {0xC07D,KEX_DHE_RSA0x12, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 */
3748 {0xC07E,KEX_DH_RSA0x15, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256 */
3749 {0xC07F,KEX_DH_RSA0x15, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384 */
3750 {0xC080,KEX_DHE_DSS0x10, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256 */
3751 {0xC081,KEX_DHE_DSS0x10, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384 */
3752 {0xC082,KEX_DH_DSS0x14, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256 */
3753 {0xC083,KEX_DH_DSS0x14, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384 */
3754 {0xC084,KEX_DH_ANON0x13, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256 */
3755 {0xC085,KEX_DH_ANON0x13, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384 */
3756 {0xC086,KEX_ECDHE_ECDSA0x16, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 */
3757 {0xC087,KEX_ECDHE_ECDSA0x16, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 */
3758 {0xC088,KEX_ECDH_ECDSA0x1a, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 */
3759 {0xC089,KEX_ECDH_ECDSA0x1a, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 */
3760 {0xC08A,KEX_ECDHE_RSA0x18, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 */
3761 {0xC08B,KEX_ECDHE_RSA0x18, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 */
3762 {0xC08C,KEX_ECDH_RSA0x1b, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256 */
3763 {0xC08D,KEX_ECDH_RSA0x1b, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384 */
3764 {0xC08E,KEX_PSK0x1d, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 */
3765 {0xC08F,KEX_PSK0x1d, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384 */
3766 {0xC090,KEX_DHE_PSK0x11, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256 */
3767 {0xC091,KEX_DHE_PSK0x11, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384 */
3768 {0xC092,KEX_RSA_PSK0x1f, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_GCM }, /* TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256 */
3769 {0xC093,KEX_RSA_PSK0x1f, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_GCM }, /* TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384 */
3770 {0xC094,KEX_PSK0x1d, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 */
3771 {0xC095,KEX_PSK0x1d, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384 */
3772 {0xC096,KEX_DHE_PSK0x11, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 */
3773 {0xC097,KEX_DHE_PSK0x11, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 */
3774 {0xC098,KEX_RSA_PSK0x1f, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256 */
3775 {0xC099,KEX_RSA_PSK0x1f, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384 */
3776 {0xC09A,KEX_ECDHE_PSK0x17, ENC_CAMELLIA1280x37,DIG_SHA2560x42, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 */
3777 {0xC09B,KEX_ECDHE_PSK0x17, ENC_CAMELLIA2560x38,DIG_SHA3840x43, MODE_CBC }, /* TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 */
3778 {0xC09C,KEX_RSA0x1e, ENC_AES0x35, DIG_NA0x45, MODE_CCM }, /* TLS_RSA_WITH_AES_128_CCM */
3779 {0xC09D,KEX_RSA0x1e, ENC_AES2560x36, DIG_NA0x45, MODE_CCM }, /* TLS_RSA_WITH_AES_256_CCM */
3780 {0xC09E,KEX_DHE_RSA0x12, ENC_AES0x35, DIG_NA0x45, MODE_CCM }, /* TLS_DHE_RSA_WITH_AES_128_CCM */
3781 {0xC09F,KEX_DHE_RSA0x12, ENC_AES2560x36, DIG_NA0x45, MODE_CCM }, /* TLS_DHE_RSA_WITH_AES_256_CCM */
3782 {0xC0A0,KEX_RSA0x1e, ENC_AES0x35, DIG_NA0x45, MODE_CCM_8 }, /* TLS_RSA_WITH_AES_128_CCM_8 */
3783 {0xC0A1,KEX_RSA0x1e, ENC_AES2560x36, DIG_NA0x45, MODE_CCM_8 }, /* TLS_RSA_WITH_AES_256_CCM_8 */
3784 {0xC0A2,KEX_DHE_RSA0x12, ENC_AES0x35, DIG_NA0x45, MODE_CCM_8 }, /* TLS_DHE_RSA_WITH_AES_128_CCM_8 */
3785 {0xC0A3,KEX_DHE_RSA0x12, ENC_AES2560x36, DIG_NA0x45, MODE_CCM_8 }, /* TLS_DHE_RSA_WITH_AES_256_CCM_8 */
3786 {0xC0A4,KEX_PSK0x1d, ENC_AES0x35, DIG_NA0x45, MODE_CCM }, /* TLS_PSK_WITH_AES_128_CCM */
3787 {0xC0A5,KEX_PSK0x1d, ENC_AES2560x36, DIG_NA0x45, MODE_CCM }, /* TLS_PSK_WITH_AES_256_CCM */
3788 {0xC0A6,KEX_DHE_PSK0x11, ENC_AES0x35, DIG_NA0x45, MODE_CCM }, /* TLS_DHE_PSK_WITH_AES_128_CCM */
3789 {0xC0A7,KEX_DHE_PSK0x11, ENC_AES2560x36, DIG_NA0x45, MODE_CCM }, /* TLS_DHE_PSK_WITH_AES_256_CCM */
3790 {0xC0A8,KEX_PSK0x1d, ENC_AES0x35, DIG_NA0x45, MODE_CCM_8 }, /* TLS_PSK_WITH_AES_128_CCM_8 */
3791 {0xC0A9,KEX_PSK0x1d, ENC_AES2560x36, DIG_NA0x45, MODE_CCM_8 }, /* TLS_PSK_WITH_AES_256_CCM_8 */
3792 {0xC0AA,KEX_DHE_PSK0x11, ENC_AES0x35, DIG_NA0x45, MODE_CCM_8 }, /* TLS_PSK_DHE_WITH_AES_128_CCM_8 */
3793 {0xC0AB,KEX_DHE_PSK0x11, ENC_AES2560x36, DIG_NA0x45, MODE_CCM_8 }, /* TLS_PSK_DHE_WITH_AES_256_CCM_8 */
3794 {0xC0AC,KEX_ECDHE_ECDSA0x16, ENC_AES0x35, DIG_NA0x45, MODE_CCM }, /* TLS_ECDHE_ECDSA_WITH_AES_128_CCM */
3795 {0xC0AD,KEX_ECDHE_ECDSA0x16, ENC_AES2560x36, DIG_NA0x45, MODE_CCM }, /* TLS_ECDHE_ECDSA_WITH_AES_256_CCM */
3796 {0xC0AE,KEX_ECDHE_ECDSA0x16, ENC_AES0x35, DIG_NA0x45, MODE_CCM_8 }, /* TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 */
3797 {0xC0AF,KEX_ECDHE_ECDSA0x16, ENC_AES2560x36, DIG_NA0x45, MODE_CCM_8 }, /* TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 */
3798 {0xCCA8,KEX_ECDHE_RSA0x18, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 */
3799 {0xCCA9,KEX_ECDHE_ECDSA0x16, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 */
3800 {0xCCAA,KEX_DHE_RSA0x12, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 */
3801 {0xCCAB,KEX_PSK0x1d, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_PSK_WITH_CHACHA20_POLY1305_SHA256 */
3802 {0xCCAC,KEX_ECDHE_PSK0x17, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 */
3803 {0xCCAD,KEX_DHE_PSK0x11, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 */
3804 {0xCCAE,KEX_RSA_PSK0x1f, ENC_CHACHA200x3A, DIG_SHA2560x42, MODE_POLY1305 }, /* TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256 */
3805 {0xD001,KEX_ECDHE_PSK0x17, ENC_AES0x35, DIG_SHA2560x42, MODE_GCM}, /* TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 */
3806 {0xD002,KEX_ECDHE_PSK0x17, ENC_AES2560x36, DIG_SHA3840x43, MODE_GCM}, /* TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384 */
3807 {0xD003,KEX_ECDHE_PSK0x17, ENC_AES0x35, DIG_SHA2560x42, MODE_CCM_8}, /* TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256 */
3808 {0xD005,KEX_ECDHE_PSK0x17, ENC_AES0x35, DIG_SHA2560x42, MODE_CCM}, /* TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256 */
3809 /* GM */
3810 {0xe001,KEX_ECDHE_SM20x25, ENC_SM10x3B, DIG_SM30x44, MODE_CBC}, /* ECDHE_SM1_SM3 */
3811 {0xe003,KEX_ECC_SM20x26, ENC_SM10x3B, DIG_SM30x44, MODE_CBC}, /* ECC_SM1_SM3 */
3812 {0xe005,KEX_IBSDH_SM90x27, ENC_SM10x3B, DIG_SM30x44, MODE_CBC}, /* IBSDH_SM1_SM3 */
3813 {0xe007,KEX_IBC_SM90x28, ENC_SM10x3B, DIG_SM30x44, MODE_CBC}, /* IBC_SM1_SM3 */
3814 {0xe009,KEX_RSA0x1e, ENC_SM10x3B, DIG_SM30x44, MODE_CBC}, /* RSA_SM1_SM3 */
3815 {0xe00a,KEX_RSA0x1e, ENC_SM10x3B, DIG_SHA0x41, MODE_CBC}, /* RSA_SM1_SHA1 */
3816 {0xe011,KEX_ECDHE_SM20x25, ENC_SM40x3C, DIG_SM30x44, MODE_CBC}, /* ECDHE_SM4_CBC_SM3 */
3817 {0xe013,KEX_ECC_SM20x26, ENC_SM40x3C, DIG_SM30x44, MODE_CBC}, /* ECC_SM4_CBC_SM3 */
3818 {0xe015,KEX_IBSDH_SM90x27, ENC_SM40x3C, DIG_SM30x44, MODE_CBC}, /* IBSDH_SM4_CBC_SM3 */
3819 {0xe017,KEX_IBC_SM90x28, ENC_SM40x3C, DIG_SM30x44, MODE_CBC}, /* IBC_SM4_CBC_SM3 */
3820 {0xe019,KEX_RSA0x1e, ENC_SM40x3C, DIG_SM30x44, MODE_CBC}, /* RSA_SM4_CBC_SM3 */
3821 {0xe01a,KEX_RSA0x1e, ENC_SM40x3C, DIG_SHA0x41, MODE_CBC}, /* RSA_SM4_CBC_SHA1 */
3822 {0xe01c,KEX_RSA0x1e, ENC_SM40x3C, DIG_SHA2560x42, MODE_CBC}, /* RSA_SM4_CBC_SHA256 */
3823 {0xe051,KEX_ECDHE_SM20x25, ENC_SM40x3C, DIG_SM30x44, MODE_GCM}, /* ECDHE_SM4_GCM_SM3 */
3824 {0xe053,KEX_ECC_SM20x26, ENC_SM40x3C, DIG_SM30x44, MODE_GCM}, /* ECC_SM4_GCM_SM3 */
3825 {0xe055,KEX_IBSDH_SM90x27, ENC_SM40x3C, DIG_SM30x44, MODE_GCM}, /* IBSDH_SM4_GCM_SM3 */
3826 {0xe057,KEX_IBC_SM90x28, ENC_SM40x3C, DIG_SM30x44, MODE_GCM}, /* IBC_SM4_GCM_SM3 */
3827 {0xe059,KEX_RSA0x1e, ENC_SM40x3C, DIG_SM30x44, MODE_GCM}, /* RSA_SM4_GCM_SM3 */
3828 {0xe05a,KEX_RSA0x1e, ENC_SM40x3C, DIG_SHA2560x42, MODE_GCM}, /* RSA_SM4_GCM_SHA256 */
3829 {-1, 0, 0, 0, MODE_STREAM}
3830};
3831
3832#define MAX_BLOCK_SIZE16 16
3833#define MAX_KEY_SIZE32 32
3834
3835const SslCipherSuite *
3836ssl_find_cipher(int num)
3837{
3838 const SslCipherSuite *c;
3839 for(c=cipher_suites;c->number!=-1;c++){
3840 if(c->number==num){
3841 return c;
3842 }
3843 }
3844
3845 return NULL((void*)0);
3846}
3847
3848int
3849ssl_get_cipher_algo(const SslCipherSuite *cipher_suite)
3850{
3851 return gcry_cipher_map_name(ciphers[cipher_suite->enc - ENC_START0x30]);
3852}
3853
3854unsigned
3855ssl_get_cipher_blocksize(const SslCipherSuite *cipher_suite)
3856{
3857 int cipher_algo;
3858 if (cipher_suite->mode != MODE_CBC) return 0;
3859 cipher_algo = ssl_get_cipher_by_name(ciphers[cipher_suite->enc - ENC_START0x30]);
3860 return (unsigned)gcry_cipher_get_algo_blklen(cipher_algo);
3861}
3862
3863static unsigned
3864ssl_get_cipher_export_keymat_size(int cipher_suite_num)
3865{
3866 switch (cipher_suite_num) {
3867 /* See RFC 6101 (SSL 3.0), Table 2, column Key Material. */
3868 case 0x0003: /* TLS_RSA_EXPORT_WITH_RC4_40_MD5 */
3869 case 0x0006: /* TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 */
3870 case 0x0008: /* TLS_RSA_EXPORT_WITH_DES40_CBC_SHA */
3871 case 0x000B: /* TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA */
3872 case 0x000E: /* TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA */
3873 case 0x0011: /* TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA */
3874 case 0x0014: /* TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA */
3875 case 0x0017: /* TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 */
3876 case 0x0019: /* TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA */
3877 return 5;
3878
3879 /* not defined in below draft, but "implemented by several vendors",
3880 * https://www.ietf.org/mail-archive/web/tls/current/msg00036.html */
3881 case 0x0060: /* TLS_RSA_EXPORT1024_WITH_RC4_56_MD5 */
3882 case 0x0061: /* TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 */
3883 return 7;
3884
3885 /* Note: the draft states that DES_CBC needs 8 bytes, but Wireshark always
3886 * used 7. Until a pcap proves 8, let's use the old value. Link:
3887 * https://tools.ietf.org/html/draft-ietf-tls-56-bit-ciphersuites-01 */
3888 case 0x0062: /* TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA */
3889 case 0x0063: /* TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA */
3890 case 0x0064: /* TLS_RSA_EXPORT1024_WITH_RC4_56_SHA */
3891 case 0x0065: /* TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA */
3892 return 7;
3893
3894 default:
3895 return 0;
3896 }
3897}
3898
3899/* Digests, Ciphers and Cipher Suites registry }}} */
3900
3901
3902/* HMAC and the Pseudorandom function {{{ */
3903static int
3904tls_hash(StringInfo *secret, StringInfo *seed, int md,
3905 StringInfo *out, unsigned out_len)
3906{
3907 /* RFC 2246 5. HMAC and the pseudorandom function
3908 * '+' denotes concatenation.
3909 * P_hash(secret, seed) = HMAC_hash(secret, A(1) + seed) +
3910 * HMAC_hash(secret, A(2) + seed) + ...
3911 * A(0) = seed
3912 * A(i) = HMAC_hash(secret, A(i - 1))
3913 */
3914 uint8_t *ptr;
3915 unsigned left, tocpy;
3916 uint8_t *A;
3917 uint8_t _A[DIGEST_MAX_SIZE48], tmp[DIGEST_MAX_SIZE48];
3918 unsigned A_l, tmp_l;
3919 SSL_HMACgcry_md_hd_t hm;
3920
3921 ptr = out->data;
3922 left = out_len;
3923
3924 ssl_print_string("tls_hash: hash secret", secret);
3925 ssl_print_string("tls_hash: hash seed", seed);
3926 /* A(0) = seed */
3927 A = seed->data;
3928 A_l = seed->data_len;
3929
3930 if (ssl_hmac_init(&hm, md) != 0) {
3931 return -1;
3932 }
3933 while (left) {
3934 /* A(i) = HMAC_hash(secret, A(i-1)) */
3935 ssl_hmac_setkey(&hm, secret->data, secret->data_len);
3936 ssl_hmac_update(&hm, A, A_l);
3937 A_l = sizeof(_A); /* upper bound len for hash output */
3938 ssl_hmac_final(&hm, _A, &A_l);
3939 A = _A;
3940
3941 /* HMAC_hash(secret, A(i) + seed) */
3942 ssl_hmac_reset(&hm);
3943 ssl_hmac_setkey(&hm, secret->data, secret->data_len);
3944 ssl_hmac_update(&hm, A, A_l);
3945 ssl_hmac_update(&hm, seed->data, seed->data_len);
3946 tmp_l = sizeof(tmp); /* upper bound len for hash output */
3947 ssl_hmac_final(&hm, tmp, &tmp_l);
3948 ssl_hmac_reset(&hm);
3949
3950 /* ssl_hmac_final puts the actual digest output size in tmp_l */
3951 tocpy = MIN(left, tmp_l)(((left) < (tmp_l)) ? (left) : (tmp_l));
3952 memcpy(ptr, tmp, tocpy);
3953 ptr += tocpy;
3954 left -= tocpy;
3955 }
3956 ssl_hmac_cleanup(&hm);
3957 out->data_len = out_len;
3958
3959 ssl_print_string("hash out", out);
3960 return 0;
3961}
3962
3963static bool_Bool
3964tls_prf(StringInfo* secret, const char *usage,
3965 StringInfo* rnd1, StringInfo* rnd2, StringInfo* out, unsigned out_len)
3966{
3967 StringInfo seed, sha_out, md5_out;
3968 uint8_t *ptr;
3969 StringInfo s1, s2;
3970 unsigned i,s_l;
3971 size_t usage_len, rnd2_len;
3972 bool_Bool success = false0;
3973 usage_len = strlen(usage);
3974 rnd2_len = rnd2 ? rnd2->data_len : 0;
3975
3976 /* initialize buffer for sha, md5 random seed*/
3977 if (ssl_data_alloc(&sha_out, MAX(out_len, 20)(((out_len) > (20)) ? (out_len) : (20))) < 0) {
3978 ssl_debug_printf("tls_prf: can't allocate sha out\n");
3979 return false0;
3980 }
3981 if (ssl_data_alloc(&md5_out, MAX(out_len, 16)(((out_len) > (16)) ? (out_len) : (16))) < 0) {
3982 ssl_debug_printf("tls_prf: can't allocate md5 out\n");
3983 goto free_sha;
3984 }
3985 if (ssl_data_alloc(&seed, usage_len+rnd1->data_len+rnd2_len) < 0) {
3986 ssl_debug_printf("tls_prf: can't allocate rnd %d\n",
3987 (int) (usage_len+rnd1->data_len+rnd2_len));
3988 goto free_md5;
3989 }
3990
3991 ptr=seed.data;
3992 memcpy(ptr,usage,usage_len);
3993 ptr+=usage_len;
3994 memcpy(ptr,rnd1->data,rnd1->data_len);
3995 if (rnd2_len > 0) {
3996 ptr+=rnd1->data_len;
3997 memcpy(ptr,rnd2->data,rnd2->data_len);
3998 /*ptr+=rnd2->data_len;*/
3999 }
4000
4001 /* initialize buffer for client/server seeds*/
4002 s_l=secret->data_len/2 + secret->data_len%2;
4003 if (ssl_data_alloc(&s1, s_l) < 0) {
4004 ssl_debug_printf("tls_prf: can't allocate secret %d\n", s_l);
4005 goto free_seed;
4006 }
4007 if (ssl_data_alloc(&s2, s_l) < 0) {
4008 ssl_debug_printf("tls_prf: can't allocate secret(2) %d\n", s_l);
4009 goto free_s1;
4010 }
4011
4012 memcpy(s1.data,secret->data,s_l);
4013 memcpy(s2.data,secret->data + (secret->data_len - s_l),s_l);
4014
4015 ssl_debug_printf("tls_prf: tls_hash(md5 secret_len %d seed_len %d )\n", s1.data_len, seed.data_len);
4016 if(tls_hash(&s1, &seed, ssl_get_digest_by_name("MD5"), &md5_out, out_len) != 0)
4017 goto free_s2;
4018 ssl_debug_printf("tls_prf: tls_hash(sha)\n");
4019 if(tls_hash(&s2, &seed, ssl_get_digest_by_name("SHA1"), &sha_out, out_len) != 0)
4020 goto free_s2;
4021
4022 for (i = 0; i < out_len; i++)
4023 out->data[i] = md5_out.data[i] ^ sha_out.data[i];
4024 /* success, now store the new meaningful data length */
4025 out->data_len = out_len;
4026 success = true1;
4027
4028 ssl_print_string("PRF out",out);
4029free_s2:
4030 g_free(s2.data);
4031free_s1:
4032 g_free(s1.data);
4033free_seed:
4034 g_free(seed.data);
4035free_md5:
4036 g_free(md5_out.data);
4037free_sha:
4038 g_free(sha_out.data);
4039 return success;
4040}
4041
4042static bool_Bool
4043tls12_prf(int md, StringInfo* secret, const char* usage,
4044 StringInfo* rnd1, StringInfo* rnd2, StringInfo* out, unsigned out_len)
4045{
4046 StringInfo label_seed;
4047 int success;
4048 size_t usage_len, rnd2_len;
4049 rnd2_len = rnd2 ? rnd2->data_len : 0;
4050
4051 usage_len = strlen(usage);
4052 if (ssl_data_alloc(&label_seed, usage_len+rnd1->data_len+rnd2_len) < 0) {
4053 ssl_debug_printf("tls12_prf: can't allocate label_seed\n");
4054 return false0;
4055 }
4056 memcpy(label_seed.data, usage, usage_len);
4057 memcpy(label_seed.data+usage_len, rnd1->data, rnd1->data_len);
4058 if (rnd2_len > 0)
4059 memcpy(label_seed.data+usage_len+rnd1->data_len, rnd2->data, rnd2->data_len);
4060
4061 ssl_debug_printf("tls12_prf: tls_hash(hash_alg %s secret_len %d seed_len %d )\n", gcry_md_algo_name(md), secret->data_len, label_seed.data_len);
4062 success = tls_hash(secret, &label_seed, md, out, out_len);
4063 g_free(label_seed.data);
4064 if(success != -1){
4065 ssl_print_string("PRF out", out);
4066 return true1;
4067 }
4068 return false0;
4069}
4070
4071static bool_Bool
4072ssl3_generate_export_iv(StringInfo *r1, StringInfo *r2,
4073 StringInfo *out, unsigned out_len)
4074{
4075 SSL_MD5_CTXgcry_md_hd_t md5;
4076 uint8_t tmp[16];
4077
4078 if (ssl_md5_init(&md5) != 0) {
4079 return false0;
4080 }
4081 ssl_md5_update(&md5,r1->data,r1->data_len);
4082 ssl_md5_update(&md5,r2->data,r2->data_len);
4083 ssl_md5_final(tmp,&md5);
4084 ssl_md5_cleanup(&md5);
4085
4086 DISSECTOR_ASSERT(out_len <= sizeof(tmp))((void) ((out_len <= sizeof(tmp)) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 4086, "out_len <= sizeof(tmp)"))));
4087 ssl_data_set(out, tmp, out_len);
4088 ssl_print_string("export iv", out);
4089 return true1;
4090}
4091
4092static bool_Bool
4093ssl3_prf(StringInfo* secret, const char* usage,
4094 StringInfo* rnd1, StringInfo* rnd2, StringInfo* out, unsigned out_len)
4095{
4096 SSL_MD5_CTXgcry_md_hd_t md5;
4097 SSL_SHA_CTXgcry_md_hd_t sha;
4098 unsigned off;
4099 int i = 0,j;
4100 uint8_t buf[20];
4101
4102 if (ssl_sha_init(&sha) != 0) {
4103 return false0;
4104 }
4105 if (ssl_md5_init(&md5) != 0) {
4106 ssl_sha_cleanup(&sha);
4107 return false0;
4108 }
4109 for (off = 0; off < out_len; off += 16) {
4110 unsigned char outbuf[16];
4111 i++;
4112
4113 ssl_debug_printf("ssl3_prf: sha1_hash(%d)\n",i);
4114 /* A, BB, CCC, ... */
4115 for(j=0;j<i;j++){
4116 buf[j]=64+i;
4117 }
4118
4119 ssl_sha_update(&sha,buf,i);
4120 ssl_sha_update(&sha,secret->data,secret->data_len);
4121
4122 if(!strcmp(usage,"client write key") || !strcmp(usage,"server write key")){
4123 if (rnd2)
4124 ssl_sha_update(&sha,rnd2->data,rnd2->data_len);
4125 ssl_sha_update(&sha,rnd1->data,rnd1->data_len);
4126 }
4127 else{
4128 ssl_sha_update(&sha,rnd1->data,rnd1->data_len);
4129 if (rnd2)
4130 ssl_sha_update(&sha,rnd2->data,rnd2->data_len);
4131 }
4132
4133 ssl_sha_final(buf,&sha);
4134 ssl_sha_reset(&sha);
4135
4136 ssl_debug_printf("ssl3_prf: md5_hash(%d) datalen %d\n",i,
4137 secret->data_len);
4138 ssl_md5_update(&md5,secret->data,secret->data_len);
4139 ssl_md5_update(&md5,buf,20);
4140 ssl_md5_final(outbuf,&md5);
4141 ssl_md5_reset(&md5);
4142
4143 memcpy(out->data + off, outbuf, MIN(out_len - off, 16)(((out_len - off) < (16)) ? (out_len - off) : (16)));
4144 }
4145 ssl_sha_cleanup(&sha);
4146 ssl_md5_cleanup(&md5);
4147 out->data_len = out_len;
4148
4149 return true1;
4150}
4151
4152/* out_len is the wanted output length for the pseudorandom function.
4153 * Ensure that ssl->cipher_suite is set. */
4154static bool_Bool
4155prf(SslDecryptSession *ssl, StringInfo *secret, const char *usage,
4156 StringInfo *rnd1, StringInfo *rnd2, StringInfo *out, unsigned out_len)
4157{
4158 switch (ssl->session.version) {
4159 case SSLV3_VERSION0x300:
4160 return ssl3_prf(secret, usage, rnd1, rnd2, out, out_len);
4161
4162 case TLSV1_VERSION0x301:
4163 case TLSV1DOT1_VERSION0x302:
4164 case DTLSV1DOT0_VERSION0xfeff:
4165 case DTLSV1DOT0_OPENSSL_VERSION0x100:
4166 return tls_prf(secret, usage, rnd1, rnd2, out, out_len);
4167
4168 default: /* TLSv1.2 */
4169 switch (ssl->cipher_suite->dig) {
4170 case DIG_SM30x44:
4171#if GCRYPT_VERSION_NUMBER0x010a03 >= 0x010900
4172 return tls12_prf(GCRY_MD_SM3, secret, usage, rnd1, rnd2,
4173 out, out_len);
4174#else
4175 return false0;
4176#endif
4177 case DIG_SHA3840x43:
4178 return tls12_prf(GCRY_MD_SHA384, secret, usage, rnd1, rnd2,
4179 out, out_len);
4180 default:
4181 return tls12_prf(GCRY_MD_SHA256, secret, usage, rnd1, rnd2,
4182 out, out_len);
4183 }
4184 }
4185}
4186
4187static int tls_handshake_hash(SslDecryptSession* ssl, StringInfo* out)
4188{
4189 SSL_MD5_CTXgcry_md_hd_t md5;
4190 SSL_SHA_CTXgcry_md_hd_t sha;
4191
4192 if (ssl_data_alloc(out, 36) < 0)
21
Calling 'ssl_data_alloc'
25
Returned allocated memory
26
Taking false branch
4193 return -1;
4194
4195 if (ssl_md5_init(&md5) != 0)
27
Taking true branch
4196 return -1;
4197 ssl_md5_update(&md5,ssl->handshake_data.data,ssl->handshake_data.data_len);
4198 ssl_md5_final(out->data,&md5);
4199 ssl_md5_cleanup(&md5);
4200
4201 if (ssl_sha_init(&sha) != 0)
4202 return -1;
4203 ssl_sha_update(&sha,ssl->handshake_data.data,ssl->handshake_data.data_len);
4204 ssl_sha_final(out->data+16,&sha);
4205 ssl_sha_cleanup(&sha);
4206 return 0;
4207}
4208
4209static int tls12_handshake_hash(SslDecryptSession* ssl, int md, StringInfo* out)
4210{
4211 SSL_MDgcry_md_hd_t mc;
4212 uint8_t tmp[48];
4213 unsigned len;
4214
4215 if (ssl_md_init(&mc, md) != 0)
4216 return -1;
4217 ssl_md_update(&mc,ssl->handshake_data.data,ssl->handshake_data.data_len);
4218 ssl_md_final(&mc, tmp, &len);
4219 ssl_md_cleanup(&mc);
4220
4221 if (ssl_data_alloc(out, len) < 0)
4222 return -1;
4223 memcpy(out->data, tmp, len);
4224 return 0;
4225}
4226
4227/**
4228 * Obtains the label prefix used in HKDF-Expand-Label. This function can be
4229 * inlined and removed once support for draft 19 and before is dropped.
4230 */
4231static inline const char *
4232tls13_hkdf_label_prefix(SslDecryptSession *ssl_session)
4233{
4234 if (ssl_session->session.tls13_draft_version && ssl_session->session.tls13_draft_version < 20) {
4235 return "TLS 1.3, ";
4236 } else if (ssl_session->session.version == DTLSV1DOT3_VERSION0xfefc) {
4237 return "dtls13";
4238 } else {
4239 return "tls13 ";
4240 }
4241}
4242
4243/*
4244 * Computes HKDF-Expand-Label(Secret, Label, Hash(context_value), Length) with a
4245 * custom label prefix. If "context_hash" is NULL, then an empty context is
4246 * used. Otherwise it must have the same length as the hash algorithm output.
4247 */
4248bool_Bool
4249tls13_hkdf_expand_label_context(int md, const StringInfo *secret,
4250 const char *label_prefix, const char *label,
4251 const uint8_t *context_hash, uint8_t context_length,
4252 uint16_t out_len, unsigned char **out)
4253{
4254 /* RFC 8446 Section 7.1:
4255 * HKDF-Expand-Label(Secret, Label, Context, Length) =
4256 * HKDF-Expand(Secret, HkdfLabel, Length)
4257 * struct {
4258 * uint16 length = Length;
4259 * opaque label<7..255> = "tls13 " + Label; // "tls13 " is label prefix.
4260 * opaque context<0..255> = Context;
4261 * } HkdfLabel;
4262 *
4263 * RFC 5869 HMAC-based Extract-and-Expand Key Derivation Function (HKDF):
4264 * HKDF-Expand(PRK, info, L) -> OKM
4265 */
4266 gcry_error_t err;
4267 const unsigned label_prefix_length = (unsigned) strlen(label_prefix);
4268 const unsigned label_length = (unsigned) strlen(label);
4269
4270 /* Some sanity checks */
4271 DISSECTOR_ASSERT(label_length > 0 && label_prefix_length + label_length <= 255)((void) ((label_length > 0 && label_prefix_length +
label_length <= 255) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 4271, "label_length > 0 && label_prefix_length + label_length <= 255"
))));
4272
4273 /* info = HkdfLabel { length, label, context } */
4274 GByteArray *info = g_byte_array_new();
4275 const uint16_t length = g_htons(out_len)(((((guint16) ( (guint16) ((guint16) (out_len) >> 8) | (
guint16) ((guint16) (out_len) << 8))))));
4276 g_byte_array_append(info, (const uint8_t *)&length, sizeof(length));
4277
4278 const uint8_t label_vector_length = label_prefix_length + label_length;
4279 g_byte_array_append(info, &label_vector_length, 1);
4280 g_byte_array_append(info, (const uint8_t *)label_prefix, label_prefix_length);
4281 g_byte_array_append(info, (const uint8_t*)label, label_length);
4282
4283 g_byte_array_append(info, &context_length, 1);
4284 if (context_length) {
4285 g_byte_array_append(info, context_hash, context_length);
4286 }
4287
4288 *out = (unsigned char *)wmem_alloc(NULL((void*)0), out_len);
4289 err = hkdf_expand(md, secret->data, secret->data_len, info->data, info->len, *out, out_len);
4290 g_byte_array_free(info, true1);
4291
4292 if (err) {
4293 ssl_debug_printf("%s failed %d: %s\n", G_STRFUNC((const char*) (__func__)), md, gcry_strerror(err));
4294 wmem_free(NULL((void*)0), *out);
4295 *out = NULL((void*)0);
4296 return false0;
4297 }
4298
4299 return true1;
4300}
4301
4302bool_Bool
4303tls13_hkdf_expand_label(int md, const StringInfo *secret,
4304 const char *label_prefix, const char *label,
4305 uint16_t out_len, unsigned char **out)
4306{
4307 return tls13_hkdf_expand_label_context(md, secret, label_prefix, label, NULL((void*)0), 0, out_len, out);
4308}
4309/* HMAC and the Pseudorandom function }}} */
4310
4311/* Record Decompression (after decryption) {{{ */
4312#if defined (HAVE_ZLIB1) || defined (HAVE_ZLIBNG)
4313/* memory allocation functions for zlib initialization */
4314static void* ssl_zalloc(void* opaque _U___attribute__((unused)), unsigned int no, unsigned int size)
4315{
4316 return g_malloc0(no*size);
4317}
4318static void ssl_zfree(void* opaque _U___attribute__((unused)), void* addr)
4319{
4320 g_free(addr);
4321}
4322#endif
4323
4324static SslDecompress*
4325ssl_create_decompressor(int compression)
4326{
4327 SslDecompress *decomp;
4328#if defined (HAVE_ZLIB1) || defined (HAVE_ZLIBNG)
4329 int err;
4330#endif
4331
4332 if (compression == 0) return NULL((void*)0);
4333 ssl_debug_printf("ssl_create_decompressor: compression method %d\n", compression);
4334 decomp = wmem_new(wmem_file_scope(), SslDecompress)((SslDecompress*)wmem_alloc((wmem_file_scope()), sizeof(SslDecompress
)));
4335 decomp->compression = compression;
4336 switch (decomp->compression) {
4337#if defined (HAVE_ZLIB1) || defined (HAVE_ZLIBNG)
4338 case 1: /* DEFLATE */
4339 decomp->istream.zalloc = ssl_zalloc;
4340 decomp->istream.zfree = ssl_zfree;
4341 decomp->istream.opaque = Z_NULL0;
4342 decomp->istream.next_in = Z_NULL0;
4343 decomp->istream.next_out = Z_NULL0;
4344 decomp->istream.avail_in = 0;
4345 decomp->istream.avail_out = 0;
4346 err = ZLIB_PREFIX(inflateInit)(&decomp->istream)inflateInit_((&decomp->istream), "1.3", (int)sizeof(z_stream
));
4347 if (err != Z_OK0) {
4348 ssl_debug_printf("ssl_create_decompressor: inflateInit_() failed - %d\n", err);
4349 return NULL((void*)0);
4350 }
4351 break;
4352#endif
4353 default:
4354 ssl_debug_printf("ssl_create_decompressor: unsupported compression method %d\n", decomp->compression);
4355 return NULL((void*)0);
4356 }
4357 return decomp;
4358}
4359
4360#if defined (HAVE_ZLIB1) || defined (HAVE_ZLIBNG)
4361static int
4362ssl_decompress_record(SslDecompress* decomp, const unsigned char* in, unsigned inl, StringInfo* out_str, unsigned* outl)
4363{
4364 int err;
4365
4366 switch (decomp->compression) {
4367 case 1: /* DEFLATE */
4368 err = Z_OK0;
4369 if (out_str->data_len < 16384) { /* maximal plain length */
4370 ssl_data_realloc(out_str, 16384);
4371 }
4372#ifdef z_constconst
4373 decomp->istream.next_in = in;
4374#else
4375DIAG_OFF(cast-qual)clang diagnostic push clang diagnostic ignored "-Wcast-qual"
4376 decomp->istream.next_in = (Bytef *)in;
4377DIAG_ON(cast-qual)clang diagnostic pop
4378#endif
4379 decomp->istream.avail_in = inl;
4380 decomp->istream.next_out = out_str->data;
4381 decomp->istream.avail_out = out_str->data_len;
4382 if (inl > 0)
4383 err = ZLIB_PREFIX(inflate)inflate(&decomp->istream, Z_SYNC_FLUSH2);
4384 if (err != Z_OK0) {
4385 ssl_debug_printf("ssl_decompress_record: inflate() failed - %d\n", err);
4386 return -1;
4387 }
4388 *outl = out_str->data_len - decomp->istream.avail_out;
4389 break;
4390 default:
4391 ssl_debug_printf("ssl_decompress_record: unsupported compression method %d\n", decomp->compression);
4392 return -1;
4393 }
4394 return 0;
4395}
4396#else
4397int
4398ssl_decompress_record(SslDecompress* decomp _U___attribute__((unused)), const unsigned char* in _U___attribute__((unused)), unsigned inl _U___attribute__((unused)), StringInfo* out_str _U___attribute__((unused)), unsigned* outl _U___attribute__((unused)))
4399{
4400 ssl_debug_printf("ssl_decompress_record: unsupported compression method %d\n", decomp->compression);
4401 return -1;
4402}
4403#endif
4404/* Record Decompression (after decryption) }}} */
4405
4406/* Create a new structure to store decrypted chunks. {{{ */
4407static SslFlow*
4408ssl_create_flow(void)
4409{
4410 SslFlow *flow;
4411
4412 flow = wmem_new(wmem_file_scope(), SslFlow)((SslFlow*)wmem_alloc((wmem_file_scope()), sizeof(SslFlow)));
4413 flow->byte_seq = 0;
4414 flow->flags = 0;
4415 flow->multisegment_pdus = wmem_tree_new(wmem_file_scope());
4416 return flow;
4417}
4418/* }}} */
4419
4420/* Use the negotiated security parameters for decryption. {{{ */
4421void
4422ssl_change_cipher(SslDecryptSession *ssl_session, bool_Bool server)
4423{
4424 SslDecoder **new_decoder = server ? &ssl_session->server_new : &ssl_session->client_new;
4425 SslDecoder **dest = server ? &ssl_session->server : &ssl_session->client;
4426 ssl_debug_printf("ssl_change_cipher %s%s\n", server ? "SERVER" : "CLIENT",
4427 *new_decoder ? "" : " (No decoder found - retransmission?)");
4428 if (*new_decoder) {
4429 *dest = *new_decoder;
4430 *new_decoder = NULL((void*)0);
4431 }
4432}
4433/* }}} */
4434
4435/* Init cipher state given some security parameters. {{{ */
4436static bool_Bool
4437ssl_decoder_destroy_cb(wmem_allocator_t *, wmem_cb_event_t, void *);
4438
4439static SslDecoder*
4440ssl_create_decoder(const SslCipherSuite *cipher_suite, int cipher_algo,
4441 int compression, uint8_t *mk, uint8_t *sk, uint8_t *sn_key, uint8_t *iv, unsigned iv_length)
4442{
4443 SslDecoder *dec;
4444 ssl_cipher_mode_t mode = cipher_suite->mode;
4445
4446 dec = wmem_new0(wmem_file_scope(), SslDecoder)((SslDecoder*)wmem_alloc0((wmem_file_scope()), sizeof(SslDecoder
)));
4447 /* init mac buffer: mac storage is embedded into decoder struct to save a
4448 memory allocation and waste samo more memory*/
4449 dec->cipher_suite=cipher_suite;
4450 dec->compression = compression;
4451 if ((mode == MODE_STREAM && mk != NULL((void*)0)) || mode == MODE_CBC) {
4452 // AEAD ciphers use no MAC key, but stream and block ciphers do. Note
4453 // the special case for NULL ciphers, even if there is insufficiency
4454 // keying material (including MAC key), we will can still create
4455 // decoders since "decryption" is easy for such ciphers.
4456 dec->mac_key.data = dec->_mac_key_or_write_iv;
4457 ssl_data_set(&dec->mac_key, mk, ssl_cipher_suite_dig(cipher_suite)->len);
4458 } else if (mode == MODE_GCM || mode == MODE_CCM || mode == MODE_CCM_8 || mode == MODE_POLY1305) {
4459 // Input for the nonce, to be used with AEAD ciphers.
4460 DISSECTOR_ASSERT(iv_length <= sizeof(dec->_mac_key_or_write_iv))((void) ((iv_length <= sizeof(dec->_mac_key_or_write_iv
)) ? (void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\""
, "epan/dissectors/packet-tls-utils.c", 4460, "iv_length <= sizeof(dec->_mac_key_or_write_iv)"
))));
4461 dec->write_iv.data = dec->_mac_key_or_write_iv;
4462 ssl_data_set(&dec->write_iv, iv, iv_length);
4463 }
4464 dec->seq = 0;
4465 dec->decomp = ssl_create_decompressor(compression);
4466 wmem_register_callback(wmem_file_scope(), ssl_decoder_destroy_cb, dec);
4467
4468 if (ssl_cipher_init(&dec->evp,cipher_algo,sk,iv,cipher_suite->mode) < 0) {
4469 ssl_debug_printf("%s: can't create cipher id:%d mode:%d\n", G_STRFUNC((const char*) (__func__)),
4470 cipher_algo, cipher_suite->mode);
4471 return NULL((void*)0);
4472 }
4473
4474 if (cipher_suite->enc != ENC_NULL0x3D && sn_key != NULL((void*)0)) {
4475 if (cipher_suite->enc == ENC_AES0x35 || cipher_suite->enc == ENC_AES2560x36) {
4476 mode = MODE_ECB;
4477 } else if (cipher_suite->enc == ENC_CHACHA200x3A) {
4478 mode = MODE_STREAM;
4479 } else {
4480 ssl_debug_printf("not supported encryption algorithm for DTLSv1.3\n");
4481 return NULL((void*)0);
4482 }
4483
4484 if (ssl_cipher_init(&dec->sn_evp, cipher_algo, sn_key, NULL((void*)0), mode) < 0) {
4485 ssl_debug_printf("%s: can't create cipher id:%d mode:%d for seq number decryption\n", G_STRFUNC((const char*) (__func__)),
4486 cipher_algo, MODE_ECB);
4487 ssl_cipher_cleanup(&dec->evp);
4488 dec->evp = NULL((void*)0);
4489 return NULL((void*)0);
4490 }
4491 } else {
4492 dec->sn_evp = NULL((void*)0);
4493 }
4494
4495 dec->dtls13_aad.data = NULL((void*)0);
4496 dec->dtls13_aad.data_len = 0;
4497 ssl_debug_printf("decoder initialized (digest len %d)\n", ssl_cipher_suite_dig(cipher_suite)->len);
4498 return dec;
4499}
4500
4501static bool_Bool
4502ssl_decoder_destroy_cb(wmem_allocator_t *allocator _U___attribute__((unused)), wmem_cb_event_t event _U___attribute__((unused)), void *user_data)
4503{
4504 SslDecoder *dec = (SslDecoder *) user_data;
4505
4506 if (dec->evp)
4507 ssl_cipher_cleanup(&dec->evp);
4508 if (dec->sn_evp)
4509 ssl_cipher_cleanup(&dec->sn_evp);
4510
4511#if defined (HAVE_ZLIB1) || defined (HAVE_ZLIBNG)
4512 if (dec->decomp != NULL((void*)0) && dec->decomp->compression == 1 /* DEFLATE */)
4513 ZLIB_PREFIX(inflateEnd)inflateEnd(&dec->decomp->istream);
4514#endif
4515
4516 return false0;
4517}
4518/* }}} */
4519
4520/* (Pre-)master secrets calculations {{{ */
4521#ifdef HAVE_LIBGNUTLS1
4522static bool_Bool
4523ssl_decrypt_pre_master_secret(SslDecryptSession *ssl_session,
4524 StringInfo *encrypted_pre_master,
4525 GHashTable *key_hash);
4526#endif /* HAVE_LIBGNUTLS */
4527
4528static bool_Bool
4529ssl_restore_master_key(SslDecryptSession *ssl, const char *label,
4530 bool_Bool is_pre_master, GHashTable *ht, StringInfo *key);
4531
4532bool_Bool
4533ssl_generate_pre_master_secret(SslDecryptSession *ssl_session,
4534 uint32_t length, tvbuff_t *tvb, uint32_t offset,
4535 const char *ssl_psk, packet_info *pinfo,
4536#ifdef HAVE_LIBGNUTLS1
4537 GHashTable *key_hash,
4538#endif
4539 const ssl_master_key_map_t *mk_map)
4540{
4541 /* check for required session data */
4542 ssl_debug_printf("%s: found SSL_HND_CLIENT_KEY_EXCHG, state %X\n",
4543 G_STRFUNC((const char*) (__func__)), ssl_session->state);
4544 if ((ssl_session->state & (SSL_CIPHER(1<<2)|SSL_CLIENT_RANDOM(1<<0)|SSL_SERVER_RANDOM(1<<1)|SSL_VERSION(1<<4))) !=
4545 (SSL_CIPHER(1<<2)|SSL_CLIENT_RANDOM(1<<0)|SSL_SERVER_RANDOM(1<<1)|SSL_VERSION(1<<4))) {
4546 ssl_debug_printf("%s: not enough data to generate key (required state %X)\n", G_STRFUNC((const char*) (__func__)),
4547 (SSL_CIPHER(1<<2)|SSL_CLIENT_RANDOM(1<<0)|SSL_SERVER_RANDOM(1<<1)|SSL_VERSION(1<<4)));
4548 return false0;
4549 }
4550
4551 if (ssl_session->session.version == TLSV1DOT3_VERSION0x304) {
4552 ssl_debug_printf("%s: detected TLS 1.3 which has no pre-master secrets\n", G_STRFUNC((const char*) (__func__)));
4553 return false0;
4554 }
4555
4556 /* check to see if the PMS was provided to us*/
4557 if (ssl_restore_master_key(ssl_session, "Unencrypted pre-master secret", true1,
4558 mk_map->pms, &ssl_session->client_random)) {
4559 return true1;
4560 }
4561
4562 if (ssl_session->cipher_suite->kex == KEX_PSK0x1d)
4563 {
4564 /* calculate pre master secret*/
4565 StringInfo pre_master_secret;
4566 unsigned psk_len, pre_master_len;
4567
4568 if (!ssl_psk || (ssl_psk[0] == 0)) {
4569 ssl_debug_printf("%s: can't find pre-shared key\n", G_STRFUNC((const char*) (__func__)));
4570 return false0;
4571 }
4572
4573 /* convert hex string into char*/
4574 if (!from_hex(&ssl_session->psk, ssl_psk, strlen(ssl_psk))) {
4575 ssl_debug_printf("%s: ssl.psk/dtls.psk contains invalid hex\n",
4576 G_STRFUNC((const char*) (__func__)));
4577 return false0;
4578 }
4579
4580 psk_len = ssl_session->psk.data_len;
4581 if (psk_len >= (2 << 15)) {
4582 ssl_debug_printf("%s: ssl.psk/dtls.psk must not be larger than 2^15 - 1\n",
4583 G_STRFUNC((const char*) (__func__)));
4584 return false0;
4585 }
4586
4587
4588 pre_master_len = psk_len * 2 + 4;
4589
4590 pre_master_secret.data = (unsigned char *)wmem_alloc(wmem_file_scope(), pre_master_len);
4591 pre_master_secret.data_len = pre_master_len;
4592 /* 2 bytes psk_len*/
4593 pre_master_secret.data[0] = psk_len >> 8;
4594 pre_master_secret.data[1] = psk_len & 0xFF;
4595 /* psk_len bytes times 0*/
4596 memset(&pre_master_secret.data[2], 0, psk_len);
4597 /* 2 bytes psk_len*/
4598 pre_master_secret.data[psk_len + 2] = psk_len >> 8;
4599 pre_master_secret.data[psk_len + 3] = psk_len & 0xFF;
4600 /* psk*/
4601 memcpy(&pre_master_secret.data[psk_len + 4], ssl_session->psk.data, psk_len);
4602
4603 ssl_session->pre_master_secret.data = pre_master_secret.data;
4604 ssl_session->pre_master_secret.data_len = pre_master_len;
4605 /*ssl_debug_printf("pre master secret",&ssl->pre_master_secret);*/
4606
4607 /* Remove the master secret if it was there.
4608 This forces keying material regeneration in
4609 case we're renegotiating */
4610 ssl_session->state &= ~(SSL_MASTER_SECRET(1<<5)|SSL_HAVE_SESSION_KEY(1<<3));
4611 ssl_session->state |= SSL_PRE_MASTER_SECRET(1<<6);
4612 return true1;
4613 }
4614 else
4615 {
4616 unsigned encrlen, skip;
4617 encrlen = length;
4618 skip = 0;
4619
4620 /* get encrypted data, on tls1 we have to skip two bytes
4621 * (it's the encrypted len and should be equal to record len - 2)
4622 * in case of rsa1024 that would be 128 + 2 = 130; for psk not necessary
4623 */
4624 if (ssl_session->cipher_suite->kex == KEX_RSA0x1e &&
4625 (ssl_session->session.version == TLSV1_VERSION0x301 ||
4626 ssl_session->session.version == TLSV1DOT1_VERSION0x302 ||
4627 ssl_session->session.version == TLSV1DOT2_VERSION0x303 ||
4628 ssl_session->session.version == DTLSV1DOT0_VERSION0xfeff ||
4629 ssl_session->session.version == DTLSV1DOT2_VERSION0xfefd ||
4630 ssl_session->session.version == TLCPV1_VERSION0x101 ))
4631 {
4632 encrlen = tvb_get_ntohs(tvb, offset);
4633 skip = 2;
4634 if (encrlen > length - 2)
4635 {
4636 ssl_debug_printf("%s: wrong encrypted length (%d max %d)\n",
4637 G_STRFUNC((const char*) (__func__)), encrlen, length);
4638 return false0;
4639 }
4640 }
4641 /* the valid lower bound is higher than 8, but it is sufficient for the
4642 * ssl keylog file below */
4643 if (encrlen < 8) {
4644 ssl_debug_printf("%s: invalid encrypted pre-master key length %d\n",
4645 G_STRFUNC((const char*) (__func__)), encrlen);
4646 return false0;
4647 }
4648
4649 StringInfo encrypted_pre_master = {
4650 .data = (unsigned char *)tvb_memdup(pinfo->pool, tvb, offset + skip, encrlen),
4651 .data_len = encrlen,
4652 };
4653
4654#ifdef HAVE_LIBGNUTLS1
4655 /* Try to lookup an appropriate RSA private key to decrypt the Encrypted Pre-Master Secret. */
4656 if (ssl_session->cert_key_id) {
4657 if (ssl_decrypt_pre_master_secret(ssl_session, &encrypted_pre_master, key_hash))
4658 return true1;
4659
4660 ssl_debug_printf("%s: can't decrypt pre-master secret\n",
4661 G_STRFUNC((const char*) (__func__)));
4662 }
4663#endif /* HAVE_LIBGNUTLS */
4664
4665 /* try to find the pre-master secret from the encrypted one. The
4666 * ssl key logfile stores only the first 8 bytes, so truncate it */
4667 encrypted_pre_master.data_len = 8;
4668 if (ssl_restore_master_key(ssl_session, "Encrypted pre-master secret",
4669 true1, mk_map->pre_master, &encrypted_pre_master))
4670 return true1;
4671 }
4672 return false0;
4673}
4674
4675/* Used for (D)TLS 1.2 and earlier versions (not with TLS 1.3). */
4676int
4677ssl_generate_keyring_material(SslDecryptSession*ssl_session)
4678{
4679 StringInfo key_block = { NULL((void*)0), 0 };
4680 uint8_t _iv_c[MAX_BLOCK_SIZE16],_iv_s[MAX_BLOCK_SIZE16];
4681 uint8_t _key_c[MAX_KEY_SIZE32],_key_s[MAX_KEY_SIZE32];
4682 int needed;
4683 int cipher_algo = -1; /* special value (-1) for NULL encryption */
4684 unsigned encr_key_len, write_iv_len = 0;
4685 bool_Bool is_export_cipher;
4686 uint8_t *ptr, *c_iv = NULL((void*)0), *s_iv = NULL((void*)0);
4687 uint8_t *c_wk = NULL((void*)0), *s_wk = NULL((void*)0), *c_mk = NULL((void*)0), *s_mk = NULL((void*)0);
4688 const SslCipherSuite *cipher_suite = ssl_session->cipher_suite;
4689
4690 /* (D)TLS 1.3 is handled directly in tls13_change_key. */
4691 if (ssl_session->session.version
7.1
Field 'version' is not equal to TLSV1DOT3_VERSION
 == TLSV1DOT3_VERSION0x304 || ssl_session->session.version == DTLSV1DOT3_VERSION0xfefc) {
8
Assuming field 'version' is not equal to DTLSV1DOT3_VERSION
9
Taking false branch
4692 ssl_debug_printf("%s: detected TLS 1.3. Should not have been called!\n", G_STRFUNC((const char*) (__func__)));
4693 return -1;
4694 }
4695
4696 /* check for enough info to proceed */
4697 unsigned need_all = SSL_CIPHER(1<<2)|SSL_CLIENT_RANDOM(1<<0)|SSL_SERVER_RANDOM(1<<1)|SSL_VERSION(1<<4);
4698 unsigned need_any = SSL_MASTER_SECRET(1<<5) | SSL_PRE_MASTER_SECRET(1<<6);
4699 if (((ssl_session->state & need_all) != need_all) || ((ssl_session->state & need_any) == 0)) {
10
Assuming the condition is false
11
Assuming the condition is false
12
Taking false branch
4700 ssl_debug_printf("ssl_generate_keyring_material not enough data to generate key "
4701 "(0x%02X required 0x%02X or 0x%02X)\n", ssl_session->state,
4702 need_all|SSL_MASTER_SECRET(1<<5), need_all|SSL_PRE_MASTER_SECRET(1<<6));
4703 /* Special case: for NULL encryption, allow dissection of data even if
4704 * the Client Hello is missing (MAC keys are now skipped though). */
4705 need_all = SSL_CIPHER(1<<2)|SSL_VERSION(1<<4);
4706 if ((ssl_session->state & need_all) == need_all &&
4707 cipher_suite->enc == ENC_NULL0x3D) {
4708 ssl_debug_printf("%s NULL cipher found, will create a decoder but "
4709 "skip MAC validation as keys are missing.\n", G_STRFUNC((const char*) (__func__)));
4710 goto create_decoders;
4711 }
4712
4713 return -1;
4714 }
4715
4716 /* if master key is not available, generate is from the pre-master secret */
4717 if (!(ssl_session->state & SSL_MASTER_SECRET(1<<5))) {
13
Assuming the condition is true
14
Taking true branch
4718 if ((ssl_session->state & SSL_EXTENDED_MASTER_SECRET_MASK((1<<7)|(1<<8))) == SSL_EXTENDED_MASTER_SECRET_MASK((1<<7)|(1<<8))) {
15
Assuming the condition is true
16
Taking true branch
4719 StringInfo handshake_hashed_data;
4720 int ret;
4721
4722 handshake_hashed_data.data = NULL((void*)0);
4723 handshake_hashed_data.data_len = 0;
4724
4725 ssl_debug_printf("%s:PRF(pre_master_secret_extended)\n", G_STRFUNC((const char*) (__func__)));
4726 ssl_print_string("pre master secret",&ssl_session->pre_master_secret);
4727 DISSECTOR_ASSERT(ssl_session->handshake_data.data_len > 0)((void) ((ssl_session->handshake_data.data_len > 0) ? (
void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\""
, "epan/dissectors/packet-tls-utils.c", 4727, "ssl_session->handshake_data.data_len > 0"
))));
17
Assuming field 'data_len' is > 0
18
'?' condition is true
4728
4729 switch(ssl_session->session.version) {
19
Control jumps to 'case 257:' at line 4734
4730 case TLSV1_VERSION0x301:
4731 case TLSV1DOT1_VERSION0x302:
4732 case DTLSV1DOT0_VERSION0xfeff:
4733 case DTLSV1DOT0_OPENSSL_VERSION0x100:
4734 case TLCPV1_VERSION0x101:
4735 ret = tls_handshake_hash(ssl_session, &handshake_hashed_data);
20
Calling 'tls_handshake_hash'
28
Returned allocated memory
4736 break;
4737 default:
4738 switch (cipher_suite->dig) {
4739 case DIG_SHA3840x43:
4740 ret = tls12_handshake_hash(ssl_session, GCRY_MD_SHA384, &handshake_hashed_data);
4741 break;
4742 default:
4743 ret = tls12_handshake_hash(ssl_session, GCRY_MD_SHA256, &handshake_hashed_data);
4744 break;
4745 }
4746 break;
4747 }
4748 if (ret
29.1
'ret' is -1
) {
29
 Execution continues on line 4748
30
Taking true branch
4749 ssl_debug_printf("%s can't generate handshake hash\n", G_STRFUNC((const char*) (__func__)));
31
Potential leak of memory pointed to by 'handshake_hashed_data.data'
4750 return -1;
4751 }
4752
4753 wmem_free(wmem_file_scope(), ssl_session->handshake_data.data);
4754 ssl_session->handshake_data.data = NULL((void*)0);
4755 ssl_session->handshake_data.data_len = 0;
4756
4757 if (!prf(ssl_session, &ssl_session->pre_master_secret, "extended master secret",
4758 &handshake_hashed_data,
4759 NULL((void*)0), &ssl_session->master_secret,
4760 SSL_MASTER_SECRET_LENGTH48)) {
4761 ssl_debug_printf("%s can't generate master_secret\n", G_STRFUNC((const char*) (__func__)));
4762 g_free(handshake_hashed_data.data);
4763 return -1;
4764 }
4765 g_free(handshake_hashed_data.data);
4766 } else {
4767 ssl_debug_printf("%s:PRF(pre_master_secret)\n", G_STRFUNC((const char*) (__func__)));
4768 ssl_print_string("pre master secret",&ssl_session->pre_master_secret);
4769 ssl_print_string("client random",&ssl_session->client_random);
4770 ssl_print_string("server random",&ssl_session->server_random);
4771 if (!prf(ssl_session, &ssl_session->pre_master_secret, "master secret",
4772 &ssl_session->client_random,
4773 &ssl_session->server_random, &ssl_session->master_secret,
4774 SSL_MASTER_SECRET_LENGTH48)) {
4775 ssl_debug_printf("%s can't generate master_secret\n", G_STRFUNC((const char*) (__func__)));
4776 return -1;
4777 }
4778 }
4779 ssl_print_string("master secret",&ssl_session->master_secret);
4780
4781 /* the pre-master secret has been 'consumed' so we must clear it now */
4782 ssl_session->state &= ~SSL_PRE_MASTER_SECRET(1<<6);
4783 ssl_session->state |= SSL_MASTER_SECRET(1<<5);
4784 }
4785
4786 /* Find the Libgcrypt cipher algorithm for the given SSL cipher suite ID */
4787 if (cipher_suite->enc != ENC_NULL0x3D) {
4788 const char *cipher_name = ciphers[cipher_suite->enc-ENC_START0x30];
4789 ssl_debug_printf("%s CIPHER: %s\n", G_STRFUNC((const char*) (__func__)), cipher_name);
4790 cipher_algo = ssl_get_cipher_by_name(cipher_name);
4791 if (cipher_algo == 0) {
4792 ssl_debug_printf("%s can't find cipher %s\n", G_STRFUNC((const char*) (__func__)), cipher_name);
4793 return -1;
4794 }
4795 }
4796
4797 /* Export ciphers consume less material from the key block. */
4798 encr_key_len = ssl_get_cipher_export_keymat_size(cipher_suite->number);
4799 is_export_cipher = encr_key_len > 0;
4800 if (!is_export_cipher && cipher_suite->enc != ENC_NULL0x3D) {
4801 encr_key_len = (unsigned)gcry_cipher_get_algo_keylen(cipher_algo);
4802 }
4803
4804 if (cipher_suite->mode == MODE_CBC) {
4805 write_iv_len = (unsigned)gcry_cipher_get_algo_blklen(cipher_algo);
4806 } else if (cipher_suite->mode == MODE_GCM || cipher_suite->mode == MODE_CCM || cipher_suite->mode == MODE_CCM_8) {
4807 /* account for a four-byte salt for client and server side (from
4808 * client_write_IV and server_write_IV), see GCMNonce (RFC 5288) */
4809 write_iv_len = 4;
4810 } else if (cipher_suite->mode == MODE_POLY1305) {
4811 /* RFC 7905: SecurityParameters.fixed_iv_length is twelve bytes */
4812 write_iv_len = 12;
4813 }
4814
4815 /* Compute the key block. First figure out how much data we need */
4816 needed = ssl_cipher_suite_dig(cipher_suite)->len*2; /* MAC key */
4817 needed += 2 * encr_key_len; /* encryption key */
4818 needed += 2 * write_iv_len; /* write IV */
4819
4820 key_block.data = (unsigned char *)g_malloc(needed);
4821 ssl_debug_printf("%s sess key generation\n", G_STRFUNC((const char*) (__func__)));
4822 if (!prf(ssl_session, &ssl_session->master_secret, "key expansion",
4823 &ssl_session->server_random,&ssl_session->client_random,
4824 &key_block, needed)) {
4825 ssl_debug_printf("%s can't generate key_block\n", G_STRFUNC((const char*) (__func__)));
4826 goto fail;
4827 }
4828 ssl_print_string("key expansion", &key_block);
4829
4830 ptr=key_block.data;
4831 /* client/server write MAC key (for non-AEAD ciphers) */
4832 if (cipher_suite->mode == MODE_STREAM || cipher_suite->mode == MODE_CBC) {
4833 c_mk=ptr; ptr+=ssl_cipher_suite_dig(cipher_suite)->len;
4834 s_mk=ptr; ptr+=ssl_cipher_suite_dig(cipher_suite)->len;
4835 }
4836 /* client/server write encryption key */
4837 c_wk=ptr; ptr += encr_key_len;
4838 s_wk=ptr; ptr += encr_key_len;
4839 /* client/server write IV (used as IV (for CBC) or salt (for AEAD)) */
4840 if (write_iv_len > 0) {
4841 c_iv=ptr; ptr += write_iv_len;
4842 s_iv=ptr; /* ptr += write_iv_len; */
4843 }
4844
4845 /* export ciphers work with a smaller key length */
4846 if (is_export_cipher) {
4847 if (cipher_suite->mode == MODE_CBC) {
4848
4849 /* We only have room for MAX_BLOCK_SIZE bytes IVs, but that's
4850 all we should need. This is a sanity check */
4851 if (write_iv_len > MAX_BLOCK_SIZE16) {
4852 ssl_debug_printf("%s cipher suite block must be at most %d nut is %d\n",
4853 G_STRFUNC((const char*) (__func__)), MAX_BLOCK_SIZE16, write_iv_len);
4854 goto fail;
4855 }
4856
4857 if(ssl_session->session.version==SSLV3_VERSION0x300){
4858 /* The length of these fields are ignored by this caller */
4859 StringInfo iv_c, iv_s;
4860 iv_c.data = _iv_c;
4861 iv_s.data = _iv_s;
4862
4863 ssl_debug_printf("%s ssl3_generate_export_iv\n", G_STRFUNC((const char*) (__func__)));
4864 if (!ssl3_generate_export_iv(&ssl_session->client_random,
4865 &ssl_session->server_random, &iv_c, write_iv_len)) {
4866 goto fail;
4867 }
4868 ssl_debug_printf("%s ssl3_generate_export_iv(2)\n", G_STRFUNC((const char*) (__func__)));
4869 if (!ssl3_generate_export_iv(&ssl_session->server_random,
4870 &ssl_session->client_random, &iv_s, write_iv_len)) {
4871 goto fail;
4872 }
4873 }
4874 else{
4875 uint8_t _iv_block[MAX_BLOCK_SIZE16 * 2];
4876 StringInfo iv_block;
4877 StringInfo key_null;
4878 uint8_t _key_null;
4879
4880 key_null.data = &_key_null;
4881 key_null.data_len = 0;
4882
4883 iv_block.data = _iv_block;
4884
4885 ssl_debug_printf("%s prf(iv_block)\n", G_STRFUNC((const char*) (__func__)));
4886 if (!prf(ssl_session, &key_null, "IV block",
4887 &ssl_session->client_random,
4888 &ssl_session->server_random, &iv_block,
4889 write_iv_len * 2)) {
4890 ssl_debug_printf("%s can't generate tls31 iv block\n", G_STRFUNC((const char*) (__func__)));
4891 goto fail;
4892 }
4893
4894 memcpy(_iv_c, iv_block.data, write_iv_len);
4895 memcpy(_iv_s, iv_block.data + write_iv_len, write_iv_len);
4896 }
4897
4898 c_iv=_iv_c;
4899 s_iv=_iv_s;
4900 }
4901
4902 if (ssl_session->session.version==SSLV3_VERSION0x300){
4903
4904 SSL_MD5_CTXgcry_md_hd_t md5;
4905 ssl_debug_printf("%s MD5(client_random)\n", G_STRFUNC((const char*) (__func__)));
4906
4907 if (ssl_md5_init(&md5) != 0)
4908 goto fail;
4909 ssl_md5_update(&md5,c_wk,encr_key_len);
4910 ssl_md5_update(&md5,ssl_session->client_random.data,
4911 ssl_session->client_random.data_len);
4912 ssl_md5_update(&md5,ssl_session->server_random.data,
4913 ssl_session->server_random.data_len);
4914 ssl_md5_final(_key_c,&md5);
4915 ssl_md5_cleanup(&md5);
4916 c_wk=_key_c;
4917
4918 if (ssl_md5_init(&md5) != 0)
4919 goto fail;
4920 ssl_debug_printf("%s MD5(server_random)\n", G_STRFUNC((const char*) (__func__)));
4921 ssl_md5_update(&md5,s_wk,encr_key_len);
4922 ssl_md5_update(&md5,ssl_session->server_random.data,
4923 ssl_session->server_random.data_len);
4924 ssl_md5_update(&md5,ssl_session->client_random.data,
4925 ssl_session->client_random.data_len);
4926 ssl_md5_final(_key_s,&md5);
4927 ssl_md5_cleanup(&md5);
4928 s_wk=_key_s;
4929 }
4930 else{
4931 StringInfo key_c, key_s, k;
4932 key_c.data = _key_c;
4933 key_s.data = _key_s;
4934
4935 k.data = c_wk;
4936 k.data_len = encr_key_len;
4937 ssl_debug_printf("%s PRF(key_c)\n", G_STRFUNC((const char*) (__func__)));
4938 if (!prf(ssl_session, &k, "client write key",
4939 &ssl_session->client_random,
4940 &ssl_session->server_random, &key_c, sizeof(_key_c))) {
4941 ssl_debug_printf("%s can't generate tll31 server key \n", G_STRFUNC((const char*) (__func__)));
4942 goto fail;
4943 }
4944 c_wk=_key_c;
4945
4946 k.data = s_wk;
4947 k.data_len = encr_key_len;
4948 ssl_debug_printf("%s PRF(key_s)\n", G_STRFUNC((const char*) (__func__)));
4949 if (!prf(ssl_session, &k, "server write key",
4950 &ssl_session->client_random,
4951 &ssl_session->server_random, &key_s, sizeof(_key_s))) {
4952 ssl_debug_printf("%s can't generate tll31 client key \n", G_STRFUNC((const char*) (__func__)));
4953 goto fail;
4954 }
4955 s_wk=_key_s;
4956 }
4957 }
4958
4959 /* show key material info */
4960 if (c_mk != NULL((void*)0)) {
4961 ssl_print_data("Client MAC key",c_mk,ssl_cipher_suite_dig(cipher_suite)->len);
4962 ssl_print_data("Server MAC key",s_mk,ssl_cipher_suite_dig(cipher_suite)->len);
4963 }
4964 ssl_print_data("Client Write key", c_wk, encr_key_len);
4965 ssl_print_data("Server Write key", s_wk, encr_key_len);
4966 /* used as IV for CBC mode and the AEAD implicit nonce (salt) */
4967 if (write_iv_len > 0) {
4968 ssl_print_data("Client Write IV", c_iv, write_iv_len);
4969 ssl_print_data("Server Write IV", s_iv, write_iv_len);
4970 }
4971
4972create_decoders:
4973 /* create both client and server ciphers*/
4974 ssl_debug_printf("%s ssl_create_decoder(client)\n", G_STRFUNC((const char*) (__func__)));
4975 ssl_session->client_new = ssl_create_decoder(cipher_suite, cipher_algo, ssl_session->session.compression, c_mk, c_wk, NULL((void*)0), c_iv, write_iv_len);
4976 if (!ssl_session->client_new) {
4977 ssl_debug_printf("%s can't init client decoder\n", G_STRFUNC((const char*) (__func__)));
4978 goto fail;
4979 }
4980 ssl_debug_printf("%s ssl_create_decoder(server)\n", G_STRFUNC((const char*) (__func__)));
4981 ssl_session->server_new = ssl_create_decoder(cipher_suite, cipher_algo, ssl_session->session.compression, s_mk, s_wk, NULL((void*)0), s_iv, write_iv_len);
4982 if (!ssl_session->server_new) {
4983 ssl_debug_printf("%s can't init server decoder\n", G_STRFUNC((const char*) (__func__)));
4984 goto fail;
4985 }
4986
4987 /* Continue the SSL stream after renegotiation with new keys. */
4988 ssl_session->client_new->flow = ssl_session->client ? ssl_session->client->flow : ssl_create_flow();
4989 ssl_session->server_new->flow = ssl_session->server ? ssl_session->server->flow : ssl_create_flow();
4990
4991 ssl_debug_printf("%s: client seq %" PRIu64"l" "u" ", server seq %" PRIu64"l" "u" "\n",
4992 G_STRFUNC((const char*) (__func__)), ssl_session->client_new->seq, ssl_session->server_new->seq);
4993 g_free(key_block.data);
4994 ssl_session->state |= SSL_HAVE_SESSION_KEY(1<<3);
4995 return 0;
4996
4997fail:
4998 g_free(key_block.data);
4999 return -1;
5000}
5001
5002/* Generated the key material based on the given secret. */
5003bool_Bool
5004tls13_generate_keys(SslDecryptSession *ssl_session, const StringInfo *secret, bool_Bool is_from_server)
5005{
5006 bool_Bool success = false0;
5007 unsigned char *write_key = NULL((void*)0), *write_iv = NULL((void*)0);
5008 unsigned char *sn_key = NULL((void*)0);
5009 SslDecoder *decoder;
5010 unsigned key_length, iv_length;
5011 int hash_algo;
5012 const SslCipherSuite *cipher_suite = ssl_session->cipher_suite;
5013 int cipher_algo;
5014
5015 if ((ssl_session->session.version != TLSV1DOT3_VERSION0x304) && (ssl_session->session.version != DTLSV1DOT3_VERSION0xfefc)) {
5016 ssl_debug_printf("%s only usable for TLS 1.3, not %#x!\n", G_STRFUNC((const char*) (__func__)),
5017 ssl_session->session.version);
5018 return false0;
5019 }
5020
5021 if (cipher_suite == NULL((void*)0)) {
5022 ssl_debug_printf("%s Unknown cipher\n", G_STRFUNC((const char*) (__func__)));
5023 return false0;
5024 }
5025
5026 if (cipher_suite->kex != KEX_TLS130x23) {
5027 ssl_debug_printf("%s Invalid cipher suite 0x%04x spotted!\n", G_STRFUNC((const char*) (__func__)), cipher_suite->number);
5028 return false0;
5029 }
5030
5031 /* Find the Libgcrypt cipher algorithm for the given SSL cipher suite ID */
5032 const char *cipher_name = ciphers[cipher_suite->enc-ENC_START0x30];
5033 ssl_debug_printf("%s CIPHER: %s\n", G_STRFUNC((const char*) (__func__)), cipher_name);
5034 cipher_algo = ssl_get_cipher_by_name(cipher_name);
5035 if (cipher_algo == 0) {
5036 ssl_debug_printf("%s can't find cipher %s\n", G_STRFUNC((const char*) (__func__)), cipher_name);
5037 return false0;
5038 }
5039
5040 const char *hash_name = ssl_cipher_suite_dig(cipher_suite)->name;
5041 hash_algo = ssl_get_digest_by_name(hash_name);
5042 if (!hash_algo) {
5043 ssl_debug_printf("%s can't find hash function %s\n", G_STRFUNC((const char*) (__func__)), hash_name);
5044 return false0;
5045 }
5046
5047 key_length = (unsigned) gcry_cipher_get_algo_keylen(cipher_algo);
5048 /* AES-GCM/AES-CCM/Poly1305-ChaCha20 all have N_MIN=N_MAX = 12. */
5049 iv_length = 12;
5050 ssl_debug_printf("%s key_length %u iv_length %u\n", G_STRFUNC((const char*) (__func__)), key_length, iv_length);
5051
5052 const char *label_prefix = tls13_hkdf_label_prefix(ssl_session);
5053 if (!tls13_hkdf_expand_label(hash_algo, secret, label_prefix, "key", key_length, &write_key)) {
5054 ssl_debug_printf("%s write_key expansion failed\n", G_STRFUNC((const char*) (__func__)));
5055 return false0;
5056 }
5057 if (!tls13_hkdf_expand_label(hash_algo, secret, label_prefix, "iv", iv_length, &write_iv)) {
5058 ssl_debug_printf("%s write_iv expansion failed\n", G_STRFUNC((const char*) (__func__)));
5059 goto end;
5060 }
5061
5062 if (ssl_session->session.version == DTLSV1DOT3_VERSION0xfefc) {
5063 if (!tls13_hkdf_expand_label(hash_algo, secret, label_prefix, "sn", key_length, &sn_key)) {
5064 ssl_debug_printf("%s sn_key expansion failed\n", G_STRFUNC((const char*) (__func__)));
5065 goto end;
5066 }
5067 }
5068
5069 ssl_print_data(is_from_server ? "Server Write Key" : "Client Write Key", write_key, key_length);
5070 ssl_print_data(is_from_server ? "Server Write IV" : "Client Write IV", write_iv, iv_length);
5071 if (ssl_session->session.version == DTLSV1DOT3_VERSION0xfefc) {
5072 ssl_print_data(is_from_server ? "Server Write SN" : "Client Write SN", sn_key, key_length);
5073 }
5074
5075 ssl_debug_printf("%s ssl_create_decoder(%s)\n", G_STRFUNC((const char*) (__func__)), is_from_server ? "server" : "client");
5076 decoder = ssl_create_decoder(cipher_suite, cipher_algo, 0, NULL((void*)0), write_key, sn_key, write_iv, iv_length);
5077 if (!decoder) {
5078 ssl_debug_printf("%s can't init %s decoder\n", G_STRFUNC((const char*) (__func__)), is_from_server ? "server" : "client");
5079 goto end;
5080 }
5081
5082 /* Continue the TLS session with new keys, but reuse old flow to keep things
5083 * like "Follow TLS" working (by linking application data records). */
5084 if (is_from_server) {
5085 decoder->flow = ssl_session->server ? ssl_session->server->flow : ssl_create_flow();
5086 ssl_session->server = decoder;
5087 } else {
5088 decoder->flow = ssl_session->client ? ssl_session->client->flow : ssl_create_flow();
5089 ssl_session->client = decoder;
5090 }
5091 ssl_debug_printf("%s %s ready using cipher suite 0x%04x (cipher %s hash %s)\n", G_STRFUNC((const char*) (__func__)),
5092 is_from_server ? "Server" : "Client", cipher_suite->number, cipher_name, hash_name);
5093 success = true1;
5094
5095end:
5096 wmem_free(NULL((void*)0), write_key);
5097 wmem_free(NULL((void*)0), write_iv);
5098 if (sn_key)
5099 wmem_free(NULL((void*)0), sn_key);
5100 return success;
5101}
5102/* (Pre-)master secrets calculations }}} */
5103
5104#ifdef HAVE_LIBGNUTLS1
5105/* Decrypt RSA pre-master secret using RSA private key. {{{ */
5106static bool_Bool
5107ssl_decrypt_pre_master_secret(SslDecryptSession *ssl_session,
5108 StringInfo *encrypted_pre_master, GHashTable *key_hash)
5109{
5110 int ret;
5111
5112 if (!encrypted_pre_master)
5113 return false0;
5114
5115 if (KEX_IS_DH(ssl_session->cipher_suite->kex)((ssl_session->cipher_suite->kex) >= 0x10 &&
(ssl_session->cipher_suite->kex) <= 0x1b)) {
5116 ssl_debug_printf("%s: session uses Diffie-Hellman key exchange "
5117 "(cipher suite 0x%04X %s) and cannot be decrypted "
5118 "using a RSA private key file.\n",
5119 G_STRFUNC((const char*) (__func__)), ssl_session->session.cipher,
5120 val_to_str_ext_const(ssl_session->session.cipher,
5121 &ssl_31_ciphersuite_ext, "unknown"));
5122 return false0;
5123 } else if (ssl_session->cipher_suite->kex != KEX_RSA0x1e) {
5124 ssl_debug_printf("%s key exchange %d different from KEX_RSA (%d)\n",
5125 G_STRFUNC((const char*) (__func__)), ssl_session->cipher_suite->kex, KEX_RSA0x1e);
5126 return false0;
5127 }
5128
5129 gnutls_privkey_t pk = (gnutls_privkey_t)g_hash_table_lookup(key_hash, ssl_session->cert_key_id);
5130
5131 ssl_print_string("pre master encrypted", encrypted_pre_master);
5132 ssl_debug_printf("%s: RSA_private_decrypt\n", G_STRFUNC((const char*) (__func__)));
5133 const gnutls_datum_t epms = { encrypted_pre_master->data, encrypted_pre_master->data_len };
5134 gnutls_datum_t pms = { 0 };
5135 if (pk) {
5136 // Try to decrypt using the RSA keys table from (D)TLS preferences.
5137 ret = gnutls_privkey_decrypt_data(pk, 0, &epms, &pms);
5138 } else {
5139 // Try to decrypt using a hardware token.
5140 ret = secrets_rsa_decrypt(ssl_session->cert_key_id, epms.data, epms.size, &pms.data, &pms.size);
5141 }
5142 if (ret < 0) {
5143 ssl_debug_printf("%s: decryption failed: %d (%s)\n", G_STRFUNC((const char*) (__func__)), ret, gnutls_strerror(ret));
5144 return false0;
5145 }
5146
5147 if (pms.size != 48) {
5148 ssl_debug_printf("%s wrong pre_master_secret length (%d, expected %d)\n",
5149 G_STRFUNC((const char*) (__func__)), pms.size, 48);
5150 if (pk) {
5151 gnutls_free(pms.data);
5152 } else {
5153 g_free(pms.data);
5154 }
5155 return false0;
5156 }
5157
5158 ssl_session->pre_master_secret.data = (uint8_t *)wmem_memdup(wmem_file_scope(), pms.data, 48);
5159 ssl_session->pre_master_secret.data_len = 48;
5160 if (pk) {
5161 gnutls_free(pms.data);
5162 } else {
5163 g_free(pms.data);
5164 }
5165 ssl_print_string("pre master secret", &ssl_session->pre_master_secret);
5166
5167 /* Remove the master secret if it was there.
5168 This forces keying material regeneration in
5169 case we're renegotiating */
5170 ssl_session->state &= ~(SSL_MASTER_SECRET(1<<5)|SSL_HAVE_SESSION_KEY(1<<3));
5171 ssl_session->state |= SSL_PRE_MASTER_SECRET(1<<6);
5172 return true1;
5173} /* }}} */
5174#endif /* HAVE_LIBGNUTLS */
5175
5176/* Decryption integrity check {{{ */
5177
5178static int
5179tls_check_mac(SslDecoder*decoder, int ct, int ver, uint8_t* data,
5180 uint32_t datalen, uint8_t* mac)
5181{
5182 SSL_HMACgcry_md_hd_t hm;
5183 int md;
5184 uint32_t len;
5185 uint8_t buf[DIGEST_MAX_SIZE48];
5186 int16_t temp;
5187
5188 md=ssl_get_digest_by_name(ssl_cipher_suite_dig(decoder->cipher_suite)->name);
5189 ssl_debug_printf("tls_check_mac mac type:%s md %d\n",
5190 ssl_cipher_suite_dig(decoder->cipher_suite)->name, md);
5191
5192 if (ssl_hmac_init(&hm,md) != 0)
5193 return -1;
5194 if (ssl_hmac_setkey(&hm,decoder->mac_key.data,decoder->mac_key.data_len) != 0)
5195 return -1;
5196
5197 /* hash sequence number */
5198 phton64(buf, decoder->seq);
5199
5200 decoder->seq++;
5201
5202 ssl_hmac_update(&hm,buf,8);
5203
5204 /* hash content type */
5205 buf[0]=ct;
5206 ssl_hmac_update(&hm,buf,1);
5207
5208 /* hash version,data length and data*/
5209 /* *((int16_t*)buf) = g_htons(ver); */
5210 temp = g_htons(ver)(((((guint16) ( (guint16) ((guint16) (ver) >> 8) | (guint16
) ((guint16) (ver) << 8))))));
5211 memcpy(buf, &temp, 2);
5212 ssl_hmac_update(&hm,buf,2);
5213
5214 /* *((int16_t*)buf) = g_htons(datalen); */
5215 temp = g_htons(datalen)(((((guint16) ( (guint16) ((guint16) (datalen) >> 8) | (
guint16) ((guint16) (datalen) << 8))))));
5216 memcpy(buf, &temp, 2);
5217 ssl_hmac_update(&hm,buf,2);
5218 ssl_hmac_update(&hm,data,datalen);
5219
5220 /* get digest and digest len*/
5221 len = sizeof(buf);
5222 ssl_hmac_final(&hm,buf,&len);
5223 ssl_hmac_cleanup(&hm);
5224 ssl_print_data("Mac", buf, len);
5225 if(memcmp(mac,buf,len))
5226 return -1;
5227
5228 return 0;
5229}
5230
5231static int
5232ssl3_check_mac(SslDecoder*decoder,int ct,uint8_t* data,
5233 uint32_t datalen, uint8_t* mac)
5234{
5235 SSL_MDgcry_md_hd_t mc;
5236 int md;
5237 uint32_t len;
5238 uint8_t buf[64],dgst[20];
5239 int pad_ct;
5240 int16_t temp;
5241
5242 pad_ct=(decoder->cipher_suite->dig==DIG_SHA0x41)?40:48;
5243
5244 /* get cipher used for digest computation */
5245 md=ssl_get_digest_by_name(ssl_cipher_suite_dig(decoder->cipher_suite)->name);
5246 if (ssl_md_init(&mc,md) !=0)
5247 return -1;
5248
5249 /* do hash computation on data && padding */
5250 ssl_md_update(&mc,decoder->mac_key.data,decoder->mac_key.data_len);
5251
5252 /* hash padding*/
5253 memset(buf,0x36,pad_ct);
5254 ssl_md_update(&mc,buf,pad_ct);
5255
5256 /* hash sequence number */
5257 phton64(buf, decoder->seq);
5258 decoder->seq++;
5259 ssl_md_update(&mc,buf,8);
5260
5261 /* hash content type */
5262 buf[0]=ct;
5263 ssl_md_update(&mc,buf,1);
5264
5265 /* hash data length in network byte order and data*/
5266 /* *((int16_t* )buf) = g_htons(datalen); */
5267 temp = g_htons(datalen)(((((guint16) ( (guint16) ((guint16) (datalen) >> 8) | (
guint16) ((guint16) (datalen) << 8))))));
5268 memcpy(buf, &temp, 2);
5269 ssl_md_update(&mc,buf,2);
5270 ssl_md_update(&mc,data,datalen);
5271
5272 /* get partial digest */
5273 ssl_md_final(&mc,dgst,&len);
5274 ssl_md_reset(&mc);
5275
5276 /* hash mac key */
5277 ssl_md_update(&mc,decoder->mac_key.data,decoder->mac_key.data_len);
5278
5279 /* hash padding and partial digest*/
5280 memset(buf,0x5c,pad_ct);
5281 ssl_md_update(&mc,buf,pad_ct);
5282 ssl_md_update(&mc,dgst,len);
5283
5284 ssl_md_final(&mc,dgst,&len);
5285 ssl_md_cleanup(&mc);
5286
5287 if(memcmp(mac,dgst,len))
5288 return -1;
5289
5290 return 0;
5291}
5292
5293static int
5294dtls_check_mac(SslDecryptSession *ssl, SslDecoder*decoder, int ct, uint8_t* data,
5295 uint32_t datalen, uint8_t* mac, const unsigned char *cid, uint8_t cidl)
5296{
5297 SSL_HMACgcry_md_hd_t hm;
5298 int md;
5299 uint32_t len;
5300 uint8_t buf[DIGEST_MAX_SIZE48];
5301 int16_t temp;
5302
5303 int ver = ssl->session.version;
5304 bool_Bool is_cid = ((ct == SSL_ID_TLS12_CID) && (ver == DTLSV1DOT2_VERSION0xfefd));
5305
5306 md=ssl_get_digest_by_name(ssl_cipher_suite_dig(decoder->cipher_suite)->name);
5307 ssl_debug_printf("dtls_check_mac mac type:%s md %d\n",
5308 ssl_cipher_suite_dig(decoder->cipher_suite)->name, md);
5309
5310 if (ssl_hmac_init(&hm,md) != 0)
5311 return -1;
5312 if (ssl_hmac_setkey(&hm,decoder->mac_key.data,decoder->mac_key.data_len) != 0)
5313 return -1;
5314
5315 ssl_debug_printf("dtls_check_mac seq: %" PRIu64"l" "u" " epoch: %d\n",decoder->seq,decoder->epoch);
5316
5317 if (is_cid && !ssl->session.deprecated_cid) {
5318 /* hash seq num placeholder */
5319 memset(buf,0xFF,8);
5320 ssl_hmac_update(&hm,buf,8);
5321
5322 /* hash content type + cid length + content type */
5323 buf[0]=ct;
5324 buf[1]=cidl;
5325 buf[2]=ct;
5326 ssl_hmac_update(&hm,buf,3);
5327
5328 /* hash version */
5329 temp = g_htons(ver)(((((guint16) ( (guint16) ((guint16) (ver) >> 8) | (guint16
) ((guint16) (ver) << 8))))));
5330 memcpy(buf, &temp, 2);
5331 ssl_hmac_update(&hm,buf,2);
5332
5333 /* hash sequence number */
5334 phton64(buf, decoder->seq);
5335 buf[0]=decoder->epoch>>8;
5336 buf[1]=(uint8_t)decoder->epoch;
5337 ssl_hmac_update(&hm,buf,8);
5338
5339 /* hash cid */
5340 ssl_hmac_update(&hm,cid,cidl);
5341 } else {
5342 /* hash sequence number */
5343 phton64(buf, decoder->seq);
5344 buf[0]=decoder->epoch>>8;
5345 buf[1]=(uint8_t)decoder->epoch;
5346 ssl_hmac_update(&hm,buf,8);
5347
5348 /* hash content type */
5349 buf[0]=ct;
5350 ssl_hmac_update(&hm,buf,1);
5351
5352 /* hash version */
5353 temp = g_htons(ver)(((((guint16) ( (guint16) ((guint16) (ver) >> 8) | (guint16
) ((guint16) (ver) << 8))))));
5354 memcpy(buf, &temp, 2);
5355 ssl_hmac_update(&hm,buf,2);
5356
5357 if (is_cid && ssl->session.deprecated_cid) {
5358 /* hash cid */
5359 ssl_hmac_update(&hm,cid,cidl);
5360
5361 /* hash cid length */
5362 buf[0] = cidl;
5363 ssl_hmac_update(&hm,buf,1);
5364 }
5365 }
5366
5367 /* data length and data */
5368 temp = g_htons(datalen)(((((guint16) ( (guint16) ((guint16) (datalen) >> 8) | (
guint16) ((guint16) (datalen) << 8))))));
5369 memcpy(buf, &temp, 2);
5370 ssl_hmac_update(&hm,buf,2);
5371 ssl_hmac_update(&hm,data,datalen);
5372
5373 /* get digest and digest len */
5374 len = sizeof(buf);
5375 ssl_hmac_final(&hm,buf,&len);
5376 ssl_hmac_cleanup(&hm);
5377 ssl_print_data("Mac", buf, len);
5378 if(memcmp(mac,buf,len))
5379 return -1;
5380
5381 return 0;
5382}
5383/* Decryption integrity check }}} */
5384
5385
5386static bool_Bool
5387tls_decrypt_aead_record(SslDecryptSession *ssl, SslDecoder *decoder,
5388 uint8_t ct, uint16_t record_version,
5389 bool_Bool ignore_mac_failed,
5390 const unsigned char *in, uint16_t inl,
5391 const unsigned char *cid, uint8_t cidl,
5392 StringInfo *out_str, unsigned *outl)
5393{
5394 /* RFC 5246 (TLS 1.2) 6.2.3.3 defines the TLSCipherText.fragment as:
5395 * GenericAEADCipher: { nonce_explicit, [content] }
5396 * In TLS 1.3 this explicit nonce is gone.
5397 * With AES GCM/CCM, "[content]" is actually the concatenation of the
5398 * ciphertext and authentication tag.
5399 */
5400 const uint16_t version = ssl->session.version;
5401 const bool_Bool is_v12 = version == TLSV1DOT2_VERSION0x303 || version == DTLSV1DOT2_VERSION0xfefd || version == TLCPV1_VERSION0x101;
5402 gcry_error_t err;
5403 const unsigned char *explicit_nonce = NULL((void*)0), *ciphertext;
5404 unsigned ciphertext_len, auth_tag_len;
5405 unsigned char nonce[12];
5406 const ssl_cipher_mode_t cipher_mode = decoder->cipher_suite->mode;
5407 const bool_Bool is_cid = ct == SSL_ID_TLS12_CID && version == DTLSV1DOT2_VERSION0xfefd;
5408 const uint8_t draft_version = ssl->session.tls13_draft_version;
5409 const unsigned char *auth_tag_wire;
5410 unsigned char auth_tag_calc[16];
5411 unsigned char *aad = NULL((void*)0);
5412 unsigned aad_len = 0;
5413
5414 switch (cipher_mode) {
5415 case MODE_GCM:
5416 case MODE_CCM:
5417 case MODE_POLY1305:
5418 auth_tag_len = 16;
5419 break;
5420 case MODE_CCM_8:
5421 auth_tag_len = 8;
5422 break;
5423 default:
5424 ssl_debug_printf("%s unsupported cipher!\n", G_STRFUNC((const char*) (__func__)));
5425 return false0;
5426 }
5427
5428 /* Parse input into explicit nonce (TLS 1.2 only), ciphertext and tag. */
5429 if (is_v12 && cipher_mode != MODE_POLY1305) {
5430 if (inl < EXPLICIT_NONCE_LEN8 + auth_tag_len) {
5431 ssl_debug_printf("%s input %d is too small for explicit nonce %d and auth tag %d\n",
5432 G_STRFUNC((const char*) (__func__)), inl, EXPLICIT_NONCE_LEN8, auth_tag_len);
5433 return false0;
5434 }
5435 explicit_nonce = in;
5436 ciphertext = explicit_nonce + EXPLICIT_NONCE_LEN8;
5437 ciphertext_len = inl - EXPLICIT_NONCE_LEN8 - auth_tag_len;
5438 } else if (version == TLSV1DOT3_VERSION0x304 || version == DTLSV1DOT3_VERSION0xfefc || cipher_mode == MODE_POLY1305) {
5439 if (inl < auth_tag_len) {
5440 ssl_debug_printf("%s input %d has no space for auth tag %d\n", G_STRFUNC((const char*) (__func__)), inl, auth_tag_len);
5441 return false0;
5442 }
5443 ciphertext = in;
5444 ciphertext_len = inl - auth_tag_len;
5445 } else {
5446 ssl_debug_printf("%s Unexpected TLS version %#x\n", G_STRFUNC((const char*) (__func__)), version);
5447 return false0;
5448 }
5449 auth_tag_wire = ciphertext + ciphertext_len;
5450
5451 /*
5452 * Nonce construction is version-specific. Note that AEAD_CHACHA20_POLY1305
5453 * (RFC 7905) uses a nonce construction similar to TLS 1.3.
5454 */
5455 if (is_v12 && cipher_mode != MODE_POLY1305) {
5456 DISSECTOR_ASSERT(decoder->write_iv.data_len == IMPLICIT_NONCE_LEN)((void) ((decoder->write_iv.data_len == 4) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 5456, "decoder->write_iv.data_len == 4"))));
5457 /* Implicit (4) and explicit (8) part of nonce. */
5458 memcpy(nonce, decoder->write_iv.data, IMPLICIT_NONCE_LEN4);
5459 memcpy(nonce + IMPLICIT_NONCE_LEN4, explicit_nonce, EXPLICIT_NONCE_LEN8);
5460
5461 } else if (version == TLSV1DOT3_VERSION0x304 || version == DTLSV1DOT3_VERSION0xfefc || cipher_mode == MODE_POLY1305) {
5462 /*
5463 * Technically the nonce length must be at least 8 bytes, but for
5464 * AES-GCM, AES-CCM and Poly1305-ChaCha20 the nonce length is exact 12.
5465 */
5466 const unsigned nonce_len = 12;
5467 DISSECTOR_ASSERT(decoder->write_iv.data_len == nonce_len)((void) ((decoder->write_iv.data_len == nonce_len) ? (void
)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\""
, "epan/dissectors/packet-tls-utils.c", 5467, "decoder->write_iv.data_len == nonce_len"
))));
5468 memcpy(nonce, decoder->write_iv.data, decoder->write_iv.data_len);
5469 /* Sequence number is left-padded with zeroes and XORed with write_iv */
5470 phton64(nonce + nonce_len - 8, pntoh64(nonce + nonce_len - 8) ^ decoder->seq);
5471 ssl_debug_printf("%s seq %" PRIu64"l" "u" "\n", G_STRFUNC((const char*) (__func__)), decoder->seq);
5472 }
5473
5474 /* Set nonce and additional authentication data */
5475 gcry_cipher_reset(decoder->evp)gcry_cipher_ctl ((decoder->evp), GCRYCTL_RESET, ((void*)0)
, 0);
5476 ssl_print_data("nonce", nonce, 12);
5477 err = gcry_cipher_setiv(decoder->evp, nonce, 12);
5478 if (err) {
5479 ssl_debug_printf("%s failed to set nonce: %s\n", G_STRFUNC((const char*) (__func__)), gcry_strerror(err));
5480 return false0;
5481 }
5482
5483 /* (D)TLS 1.2 needs specific AAD, TLS 1.3 (before -25) uses empty AAD. */
5484 if (is_cid) { /* if connection ID */
5485 if (ssl->session.deprecated_cid) {
5486 aad_len = 14 + cidl;
5487 aad = wmem_alloc(wmem_packet_scope(), aad_len);
5488 phton64(aad, decoder->seq); /* record sequence number */
5489 phton16(aad, decoder->epoch); /* DTLS 1.2 includes epoch. */
5490 aad[8] = ct; /* TLSCompressed.type */
5491 phton16(aad + 9, record_version); /* TLSCompressed.version */
5492 memcpy(aad + 11, cid, cidl); /* cid */
5493 aad[11 + cidl] = cidl; /* cid_length */
5494 phton16(aad + 12 + cidl, ciphertext_len); /* TLSCompressed.length */
5495 } else {
5496 aad_len = 23 + cidl;
5497 aad = wmem_alloc(wmem_packet_scope(), aad_len);
5498 memset(aad, 0xFF, 8); /* seq_num_placeholder */
5499 aad[8] = ct; /* TLSCompressed.type */
5500 aad[9] = cidl; /* cid_length */
5501 aad[10] = ct; /* TLSCompressed.type */
5502 phton16(aad + 11, record_version); /* TLSCompressed.version */
5503 phton64(aad + 13, decoder->seq); /* record sequence number */
5504 phton16(aad + 13, decoder->epoch); /* DTLS 1.2 includes epoch. */
5505 memcpy(aad + 21, cid, cidl); /* cid */
5506 phton16(aad + 21 + cidl, ciphertext_len); /* TLSCompressed.length */
5507 }
5508 } else if (is_v12) {
5509 aad_len = 13;
5510 aad = wmem_alloc(wmem_packet_scope(), aad_len);
5511 phton64(aad, decoder->seq); /* record sequence number */
5512 if (version == DTLSV1DOT2_VERSION0xfefd) {
5513 phton16(aad, decoder->epoch); /* DTLS 1.2 includes epoch. */
5514 }
5515 aad[8] = ct; /* TLSCompressed.type */
5516 phton16(aad + 9, record_version); /* TLSCompressed.version */
5517 phton16(aad + 11, ciphertext_len); /* TLSCompressed.length */
5518 } else if (version == DTLSV1DOT3_VERSION0xfefc) {
5519 aad_len = decoder->dtls13_aad.data_len;
5520 aad = decoder->dtls13_aad.data;
5521 } else if (draft_version >= 25 || draft_version == 0) {
5522 aad_len = 5;
5523 aad = wmem_alloc(wmem_packet_scope(), aad_len);
5524 aad[0] = ct; /* TLSCiphertext.opaque_type (23) */
5525 phton16(aad + 1, record_version); /* TLSCiphertext.legacy_record_version (0x0303) */
5526 phton16(aad + 3, inl); /* TLSCiphertext.length */
5527 }
5528
5529 if (decoder->cipher_suite->mode == MODE_CCM || decoder->cipher_suite->mode == MODE_CCM_8) {
5530 /* size of plaintext, additional authenticated data and auth tag. */
5531 uint64_t lengths[3] = { ciphertext_len, aad_len, auth_tag_len };
5532
5533 gcry_cipher_ctl(decoder->evp, GCRYCTL_SET_CCM_LENGTHS, lengths, sizeof(lengths));
5534 }
5535
5536 if (aad && aad_len > 0) {
5537 ssl_print_data("AAD", aad, aad_len);
5538 err = gcry_cipher_authenticate(decoder->evp, aad, aad_len);
5539 if (err) {
5540 ssl_debug_printf("%s failed to set AAD: %s\n", G_STRFUNC((const char*) (__func__)), gcry_strerror(err));
5541 return false0;
5542 }
5543 }
5544
5545 /* Decrypt now that nonce and AAD are set. */
5546 err = gcry_cipher_decrypt(decoder->evp, out_str->data, out_str->data_len, ciphertext, ciphertext_len);
5547 if (err) {
5548 ssl_debug_printf("%s decrypt failed: %s\n", G_STRFUNC((const char*) (__func__)), gcry_strerror(err));
5549 return false0;
5550 }
5551
5552 /* Check authentication tag for authenticity (replaces MAC) */
5553 err = gcry_cipher_gettag(decoder->evp, auth_tag_calc, auth_tag_len);
5554 if (err == 0 && !memcmp(auth_tag_calc, auth_tag_wire, auth_tag_len)) {
5555 ssl_print_data("auth_tag(OK)", auth_tag_calc, auth_tag_len);
5556 } else {
5557 if (err) {
5558 ssl_debug_printf("%s cannot obtain tag: %s\n", G_STRFUNC((const char*) (__func__)), gcry_strerror(err));
5559 } else {
5560 ssl_debug_printf("%s auth tag mismatch\n", G_STRFUNC((const char*) (__func__)));
5561 ssl_print_data("auth_tag(expect)", auth_tag_calc, auth_tag_len);
5562 ssl_print_data("auth_tag(actual)", auth_tag_wire, auth_tag_len);
5563 }
5564 if (ignore_mac_failed) {
5565 ssl_debug_printf("%s: auth check failed, but ignored for troubleshooting ;-)\n", G_STRFUNC((const char*) (__func__)));
5566 } else {
5567 return false0;
5568 }
5569 }
5570
5571 /*
5572 * Increment the (implicit) sequence number for TLS 1.2/1.3 and TLCP 1.1. This is done
5573 * after successful authentication to ensure that early data is skipped when
5574 * CLIENT_EARLY_TRAFFIC_SECRET keys are unavailable.
5575 */
5576 if (version == TLSV1DOT2_VERSION0x303 || version == TLSV1DOT3_VERSION0x304 || version == TLCPV1_VERSION0x101) {
5577 decoder->seq++;
5578 }
5579
5580 ssl_print_data("Plaintext", out_str->data, ciphertext_len);
5581 *outl = ciphertext_len;
5582 return true1;
5583}
5584
5585/* Record decryption glue based on security parameters {{{ */
5586/* Assume that we are called only for a non-NULL decoder which also means that
5587 * we have a non-NULL decoder->cipher_suite. */
5588int
5589ssl_decrypt_record(SslDecryptSession *ssl, SslDecoder *decoder, uint8_t ct, uint16_t record_version,
5590 bool_Bool ignore_mac_failed,
5591 const unsigned char *in, uint16_t inl, const unsigned char *cid, uint8_t cidl,
5592 StringInfo *comp_str, StringInfo *out_str, unsigned *outl)
5593{
5594 unsigned pad, worklen, uncomplen, maclen, mac_fraglen = 0;
5595 uint8_t *mac = NULL((void*)0), *mac_frag = NULL((void*)0);
5596
5597 ssl_debug_printf("ssl_decrypt_record ciphertext len %d\n", inl);
5598 ssl_print_data("Ciphertext",in, inl);
5599
5600 if (((ssl->session.version == TLSV1DOT3_VERSION0x304 || ssl->session.version == DTLSV1DOT3_VERSION0xfefc))
5601 != (decoder->cipher_suite->kex == KEX_TLS130x23)) {
5602 ssl_debug_printf("%s Invalid cipher suite for the protocol version!\n", G_STRFUNC((const char*) (__func__)));
5603 return -1;
5604 }
5605
5606 /* ensure we have enough storage space for decrypted data */
5607 if (inl > out_str->data_len)
5608 {
5609 ssl_debug_printf("ssl_decrypt_record: allocating %d bytes for decrypt data (old len %d)\n",
5610 inl + 32, out_str->data_len);
5611 ssl_data_realloc(out_str, inl + 32);
5612 }
5613
5614 /* AEAD ciphers (GenericAEADCipher in TLS 1.2; TLS 1.3) have no padding nor
5615 * a separate MAC, so use a different routine for simplicity. */
5616 if (decoder->cipher_suite->mode == MODE_GCM ||
5617 decoder->cipher_suite->mode == MODE_CCM ||
5618 decoder->cipher_suite->mode == MODE_CCM_8 ||
5619 decoder->cipher_suite->mode == MODE_POLY1305 ||
5620 ssl->session.version == TLSV1DOT3_VERSION0x304 ||
5621 ssl->session.version == DTLSV1DOT3_VERSION0xfefc) {
5622
5623 if (!tls_decrypt_aead_record(ssl, decoder, ct, record_version, ignore_mac_failed, in, inl, cid, cidl, out_str, &worklen)) {
5624 /* decryption failed */
5625 return -1;
5626 }
5627
5628 goto skip_mac;
5629 }
5630
5631 /* RFC 6101/2246: SSLCipherText/TLSCipherText has two structures for types:
5632 * (notation: { unencrypted, [ encrypted ] })
5633 * GenericStreamCipher: { [content, mac] }
5634 * GenericBlockCipher: { IV (TLS 1.1+), [content, mac, padding, padding_len] }
5635 * RFC 5426 (TLS 1.2): TLSCipherText has additionally:
5636 * GenericAEADCipher: { nonce_explicit, [content] }
5637 * RFC 4347 (DTLS): based on TLS 1.1, only GenericBlockCipher is supported.
5638 * RFC 6347 (DTLS 1.2): based on TLS 1.2, includes GenericAEADCipher too.
5639 */
5640
5641 maclen = ssl_cipher_suite_dig(decoder->cipher_suite)->len;
5642
5643 /* (TLS 1.1 and later, DTLS) Extract explicit IV for GenericBlockCipher */
5644 if (decoder->cipher_suite->mode == MODE_CBC) {
5645 unsigned blocksize = 0;
5646
5647 switch (ssl->session.version) {
5648 case TLSV1DOT1_VERSION0x302:
5649 case TLSV1DOT2_VERSION0x303:
5650 case DTLSV1DOT0_VERSION0xfeff:
5651 case DTLSV1DOT2_VERSION0xfefd:
5652 case DTLSV1DOT3_VERSION0xfefc:
5653 case DTLSV1DOT0_OPENSSL_VERSION0x100:
5654 case TLCPV1_VERSION0x101:
5655 blocksize = ssl_get_cipher_blocksize(decoder->cipher_suite);
5656 if (inl < blocksize) {
5657 ssl_debug_printf("ssl_decrypt_record failed: input %d has no space for IV %d\n",
5658 inl, blocksize);
5659 return -1;
5660 }
5661 pad = gcry_cipher_setiv(decoder->evp, in, blocksize);
5662 if (pad != 0) {
5663 ssl_debug_printf("ssl_decrypt_record failed: failed to set IV: %s %s\n",
5664 gcry_strsource (pad), gcry_strerror (pad));
5665 }
5666
5667 inl -= blocksize;
5668 in += blocksize;
5669 break;
5670 }
5671
5672 /* Encrypt-then-MAC for (D)TLS (RFC 7366) */
5673 if (ssl->state & SSL_ENCRYPT_THEN_MAC(1<<11)) {
5674 /*
5675 * MAC is calculated over (IV + ) ENCRYPTED contents:
5676 *
5677 * MAC(MAC_write_key, ... +
5678 * IV + // for TLS 1.1 or greater
5679 * TLSCiphertext.enc_content);
5680 */
5681 if (inl < maclen) {
5682 ssl_debug_printf("%s failed: input %d has no space for MAC %d\n",
5683 G_STRFUNC((const char*) (__func__)), inl, maclen);
5684 return -1;
5685 }
5686 inl -= maclen;
5687 mac = (uint8_t *)in + inl;
5688 mac_frag = (uint8_t *)in - blocksize;
5689 mac_fraglen = blocksize + inl;
5690 }
5691 }
5692
5693 /* First decrypt*/
5694 if ((pad = ssl_cipher_decrypt(&decoder->evp, out_str->data, out_str->data_len, in, inl)) != 0) {
5695 ssl_debug_printf("ssl_decrypt_record failed: ssl_cipher_decrypt: %s %s\n", gcry_strsource (pad),
5696 gcry_strerror (pad));
5697 return -1;
5698 }
5699
5700 ssl_print_data("Plaintext", out_str->data, inl);
5701 worklen=inl;
5702
5703
5704 /* strip padding for GenericBlockCipher */
5705 if (decoder->cipher_suite->mode == MODE_CBC) {
5706 if (inl < 1) { /* Should this check happen earlier? */
5707 ssl_debug_printf("ssl_decrypt_record failed: input length %d too small\n", inl);
5708 return -1;
5709 }
5710 pad=out_str->data[inl-1];
5711 if (worklen <= pad) {
5712 ssl_debug_printf("ssl_decrypt_record failed: padding %d too large for work %d\n",
5713 pad, worklen);
5714 return -1;
5715 }
5716 worklen-=(pad+1);
5717 ssl_debug_printf("ssl_decrypt_record found padding %d final len %d\n",
5718 pad, worklen);
5719 }
5720
5721 /* MAC for GenericStreamCipher and GenericBlockCipher.
5722 * (normal case without Encrypt-then-MAC (RFC 7366) extension. */
5723 if (!mac) {
5724 /*
5725 * MAC is calculated over the DECRYPTED contents:
5726 *
5727 * MAC(MAC_write_key, ... + TLSCompressed.fragment);
5728 */
5729 if (worklen < maclen) {
5730 ssl_debug_printf("%s wrong record len/padding outlen %d\n work %d\n", G_STRFUNC((const char*) (__func__)), *outl, worklen);
5731 return -1;
5732 }
5733 worklen -= maclen;
5734 mac = out_str->data + worklen;
5735 mac_frag = out_str->data;
5736 mac_fraglen = worklen;
5737 }
5738
5739 /* If NULL encryption active and no keys are available, do not bother
5740 * checking the MAC. We do not have keys for that. */
5741 if (decoder->cipher_suite->mode == MODE_STREAM &&
5742 decoder->cipher_suite->enc == ENC_NULL0x3D &&
5743 !(ssl->state & SSL_MASTER_SECRET(1<<5))) {
5744 ssl_debug_printf("MAC check skipped due to missing keys\n");
5745 goto skip_mac;
5746 }
5747
5748 /* Now check the MAC */
5749 ssl_debug_printf("checking mac (len %d, version %X, ct %d seq %" PRIu64"l" "u" ")\n",
5750 worklen, ssl->session.version, ct, decoder->seq);
5751 if(ssl->session.version==SSLV3_VERSION0x300){
5752 if(ssl3_check_mac(decoder,ct,mac_frag,mac_fraglen,mac) < 0) {
5753 if(ignore_mac_failed) {
5754 ssl_debug_printf("ssl_decrypt_record: mac failed, but ignored for troubleshooting ;-)\n");
5755 }
5756 else{
5757 ssl_debug_printf("ssl_decrypt_record: mac failed\n");
5758 return -1;
5759 }
5760 }
5761 else{
5762 ssl_debug_printf("ssl_decrypt_record: mac ok\n");
5763 }
5764 }
5765 else if(ssl->session.version==TLSV1_VERSION0x301 || ssl->session.version==TLSV1DOT1_VERSION0x302 || ssl->session.version==TLSV1DOT2_VERSION0x303 || ssl->session.version==TLCPV1_VERSION0x101){
5766 if(tls_check_mac(decoder,ct,ssl->session.version,mac_frag,mac_fraglen,mac)< 0) {
5767 if(ignore_mac_failed) {
5768 ssl_debug_printf("ssl_decrypt_record: mac failed, but ignored for troubleshooting ;-)\n");
5769 }
5770 else{
5771 ssl_debug_printf("ssl_decrypt_record: mac failed\n");
5772 return -1;
5773 }
5774 }
5775 else{
5776 ssl_debug_printf("ssl_decrypt_record: mac ok\n");
5777 }
5778 }
5779 else if(ssl->session.version==DTLSV1DOT0_VERSION0xfeff ||
5780 ssl->session.version==DTLSV1DOT2_VERSION0xfefd ||
5781 ssl->session.version==DTLSV1DOT0_OPENSSL_VERSION0x100){
5782 /* Try rfc-compliant mac first, and if failed, try old openssl's non-rfc-compliant mac */
5783 if(dtls_check_mac(ssl,decoder,ct,mac_frag,mac_fraglen,mac,cid,cidl)>= 0) {
5784 ssl_debug_printf("ssl_decrypt_record: mac ok\n");
5785 }
5786 else if(tls_check_mac(decoder,ct,TLSV1_VERSION0x301,mac_frag,mac_fraglen,mac)>= 0) {
5787 ssl_debug_printf("ssl_decrypt_record: dtls rfc-compliant mac failed, but old openssl's non-rfc-compliant mac ok\n");
5788 }
5789 else if(ignore_mac_failed) {
5790 ssl_debug_printf("ssl_decrypt_record: mac failed, but ignored for troubleshooting ;-)\n");
5791 }
5792 else{
5793 ssl_debug_printf("ssl_decrypt_record: mac failed\n");
5794 return -1;
5795 }
5796 }
5797skip_mac:
5798
5799 *outl = worklen;
5800
5801 if (decoder->compression > 0) {
5802 ssl_debug_printf("ssl_decrypt_record: compression method %d\n", decoder->compression);
5803 ssl_data_copy(comp_str, out_str);
5804 ssl_print_data("Plaintext compressed", comp_str->data, worklen);
5805 if (!decoder->decomp) {
5806 ssl_debug_printf("decrypt_ssl3_record: no decoder available\n");
5807 return -1;
5808 }
5809 if (ssl_decompress_record(decoder->decomp, comp_str->data, worklen, out_str, &uncomplen) < 0) return -1;
5810 ssl_print_data("Plaintext uncompressed", out_str->data, uncomplen);
5811 *outl = uncomplen;
5812 }
5813
5814 return 0;
5815}
5816/* Record decryption glue based on security parameters }}} */
5817
5818
5819
5820#ifdef HAVE_LIBGNUTLS1
5821
5822/* RSA private key file processing {{{ */
5823static void
5824ssl_find_private_key_by_pubkey(SslDecryptSession *ssl,
5825 gnutls_datum_t *subjectPublicKeyInfo)
5826{
5827 gnutls_pubkey_t pubkey = NULL((void*)0);
5828 cert_key_id_t key_id;
5829 size_t key_id_len = sizeof(key_id);
5830 int r;
5831
5832 if (!subjectPublicKeyInfo->size) {
5833 ssl_debug_printf("%s: could not find SubjectPublicKeyInfo\n", G_STRFUNC((const char*) (__func__)));
5834 return;
5835 }
5836
5837 r = gnutls_pubkey_init(&pubkey);
5838 if (r < 0) {
5839 ssl_debug_printf("%s: failed to init pubkey: %s\n",
5840 G_STRFUNC((const char*) (__func__)), gnutls_strerror(r));
5841 return;
5842 }
5843
5844 r = gnutls_pubkey_import(pubkey, subjectPublicKeyInfo, GNUTLS_X509_FMT_DER);
5845 if (r < 0) {
5846 ssl_debug_printf("%s: failed to import pubkey from handshake: %s\n",
5847 G_STRFUNC((const char*) (__func__)), gnutls_strerror(r));
5848 goto end;
5849 }
5850
5851 if (gnutls_pubkey_get_pk_algorithm(pubkey, NULL((void*)0)) != GNUTLS_PK_RSA) {
5852 ssl_debug_printf("%s: Not a RSA public key - ignoring.\n", G_STRFUNC((const char*) (__func__)));
5853 goto end;
5854 }
5855
5856 /* Generate a 20-byte SHA-1 hash. */
5857 r = gnutls_pubkey_get_key_id(pubkey, 0, key_id.key_id, &key_id_len);
5858 if (r < 0) {
5859 ssl_debug_printf("%s: failed to extract key id from pubkey: %s\n",
5860 G_STRFUNC((const char*) (__func__)), gnutls_strerror(r));
5861 goto end;
5862 }
5863
5864 if (key_id_len != sizeof(key_id)) {
5865 ssl_debug_printf("%s: expected Key ID size %zu, got %zu\n",
5866 G_STRFUNC((const char*) (__func__)), sizeof(key_id), key_id_len);
5867 goto end;
5868 }
5869
5870 ssl_print_data("Certificate.KeyID", key_id.key_id, key_id_len);
5871 ssl->cert_key_id = wmem_new(wmem_file_scope(), cert_key_id_t)((cert_key_id_t*)wmem_alloc((wmem_file_scope()), sizeof(cert_key_id_t
)));
5872 *ssl->cert_key_id = key_id;
5873
5874end:
5875 gnutls_pubkey_deinit(pubkey);
5876}
5877
5878/* RSA private key file processing }}} */
5879#endif /* HAVE_LIBGNUTLS */
5880
5881/*--- Start of dissector-related code below ---*/
5882
5883/* get ssl data for this session. if no ssl data is found allocate a new one*/
5884SslDecryptSession *
5885ssl_get_session(conversation_t *conversation, dissector_handle_t tls_handle)
5886{
5887 void *conv_data;
5888 SslDecryptSession *ssl_session;
5889 int proto_ssl;
5890
5891 proto_ssl = dissector_handle_get_protocol_index(tls_handle);
5892 conv_data = conversation_get_proto_data(conversation, proto_ssl);
5893 if (conv_data != NULL((void*)0))
5894 return (SslDecryptSession *)conv_data;
5895
5896 /* no previous SSL conversation info, initialize it. */
5897 ssl_session = wmem_new0(wmem_file_scope(), SslDecryptSession)((SslDecryptSession*)wmem_alloc0((wmem_file_scope()), sizeof(
SslDecryptSession)));
5898
5899 /* data_len is the part that is meaningful, not the allocated length */
5900 ssl_session->master_secret.data_len = 0;
5901 ssl_session->master_secret.data = ssl_session->_master_secret;
5902 ssl_session->session_id.data_len = 0;
5903 ssl_session->session_id.data = ssl_session->_session_id;
5904 ssl_session->client_random.data_len = 0;
5905 ssl_session->client_random.data = ssl_session->_client_random;
5906 ssl_session->server_random.data_len = 0;
5907 ssl_session->server_random.data = ssl_session->_server_random;
5908 ssl_session->session_ticket.data_len = 0;
5909 ssl_session->session_ticket.data = NULL((void*)0); /* will be re-alloced as needed */
5910 ssl_session->server_data_for_iv.data_len = 0;
5911 ssl_session->server_data_for_iv.data = ssl_session->_server_data_for_iv;
5912 ssl_session->client_data_for_iv.data_len = 0;
5913 ssl_session->client_data_for_iv.data = ssl_session->_client_data_for_iv;
5914 ssl_session->app_data_segment.data = NULL((void*)0);
5915 ssl_session->app_data_segment.data_len = 0;
5916 ssl_session->handshake_data.data=NULL((void*)0);
5917 ssl_session->handshake_data.data_len=0;
5918 ssl_session->ech_transcript.data=NULL((void*)0);
5919 ssl_session->ech_transcript.data_len=0;
5920
5921 /* Initialize parameters which are not necessary specific to decryption. */
5922 ssl_session->session.version = SSL_VER_UNKNOWN0;
5923 clear_address(&ssl_session->session.srv_addr);
5924 ssl_session->session.srv_ptype = PT_NONE;
5925 ssl_session->session.srv_port = 0;
5926 ssl_session->session.dtls13_current_epoch[0] = ssl_session->session.dtls13_current_epoch[1] = 0;
5927 ssl_session->session.dtls13_next_seq_num[0] = ssl_session->session.dtls13_next_seq_num[1] = 0;
5928 ssl_session->session.client_random.data_len = 0;
5929 ssl_session->session.client_random.data = ssl_session->session._client_random;
5930 memset(ssl_session->session.ech_confirmation, 0, sizeof(ssl_session->session.ech_confirmation));
5931 memset(ssl_session->session.hrr_ech_confirmation, 0, sizeof(ssl_session->session.hrr_ech_confirmation));
5932 memset(ssl_session->session.first_ech_auth_tag, 0, sizeof(ssl_session->session.first_ech_auth_tag));
5933 ssl_session->session.ech = FALSE(0);
5934 ssl_session->session.hrr_ech_declined = FALSE(0);
5935 ssl_session->session.first_ch_ech_frame = 0;
5936
5937 conversation_add_proto_data(conversation, proto_ssl, ssl_session);
5938 return ssl_session;
5939}
5940
5941void ssl_reset_session(SslSession *session, SslDecryptSession *ssl, bool_Bool is_client)
5942{
5943 if (ssl) {
5944 /* Ensure that secrets are not restored using stale identifiers. Split
5945 * between client and server in case the packets somehow got out of order. */
5946 int clear_flags = SSL_HAVE_SESSION_KEY(1<<3) | SSL_MASTER_SECRET(1<<5) | SSL_PRE_MASTER_SECRET(1<<6);
5947
5948 if (is_client) {
5949 clear_flags |= SSL_CLIENT_EXTENDED_MASTER_SECRET(1<<7);
5950 ssl->session_id.data_len = 0;
5951 ssl->session_ticket.data_len = 0;
5952 ssl->master_secret.data_len = 0;
5953 ssl->client_random.data_len = 0;
5954 ssl->has_early_data = false0;
5955 if (ssl->handshake_data.data_len > 0) {
5956 // The EMS handshake hash starts with at the Client Hello,
5957 // ensure that any messages before it are forgotten.
5958 wmem_free(wmem_file_scope(), ssl->handshake_data.data);
5959 ssl->handshake_data.data = NULL((void*)0);
5960 ssl->handshake_data.data_len = 0;
5961 }
5962 } else {
5963 clear_flags |= SSL_SERVER_EXTENDED_MASTER_SECRET(1<<8) | SSL_NEW_SESSION_TICKET(1<<10);
5964 ssl->server_random.data_len = 0;
5965 ssl->pre_master_secret.data_len = 0;
5966#ifdef HAVE_LIBGNUTLS1
5967 ssl->cert_key_id = NULL((void*)0);
5968#endif
5969 ssl->psk.data_len = 0;
5970 }
5971
5972 if (ssl->state & clear_flags) {
5973 ssl_debug_printf("%s detected renegotiation, clearing 0x%02x (%s side)\n",
5974 G_STRFUNC((const char*) (__func__)), ssl->state & clear_flags, is_client ? "client" : "server");
5975 ssl->state &= ~clear_flags;
5976 }
5977 }
5978
5979 /* These flags might be used for non-decryption purposes and may affect the
5980 * dissection, so reset them as well. */
5981 if (is_client) {
5982 session->client_cert_type = 0;
5983 } else {
5984 session->compression = 0;
5985 session->server_cert_type = 0;
5986 /* session->is_session_resumed is already handled in the ServerHello dissection. */
5987 }
5988 session->dtls13_next_seq_num[0] = session->dtls13_next_seq_num[1] = 0;
5989 session->dtls13_current_epoch[0] = session->dtls13_current_epoch[1] = 0;
5990}
5991
5992void
5993tls_set_appdata_dissector(dissector_handle_t tls_handle, packet_info *pinfo,
5994 dissector_handle_t app_handle)
5995{
5996 conversation_t *conversation;
5997 SslSession *session;
5998
5999 /* Ignore if the TLS or other dissector is disabled. */
6000 if (!tls_handle || !app_handle)
6001 return;
6002
6003 conversation = find_or_create_conversation(pinfo);
6004 session = &ssl_get_session(conversation, tls_handle)->session;
6005 session->app_handle = app_handle;
6006}
6007
6008static uint32_t
6009ssl_starttls(dissector_handle_t tls_handle, packet_info *pinfo,
6010 dissector_handle_t app_handle, uint32_t last_nontls_frame)
6011{
6012 conversation_t *conversation;
6013 SslSession *session;
6014
6015 /* Ignore if the TLS dissector is disabled. */
6016 if (!tls_handle)
6017 return 0;
6018 /* The caller should always pass a valid handle to its own dissector. */
6019 DISSECTOR_ASSERT(app_handle)((void) ((app_handle) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 6019, "app_handle"))));
6020
6021 conversation = find_or_create_conversation(pinfo);
6022 session = &ssl_get_session(conversation, tls_handle)->session;
6023
6024 ssl_debug_printf("%s: old frame %d, app_handle=%p (%s)\n", G_STRFUNC((const char*) (__func__)),
6025 session->last_nontls_frame,
6026 (void *)session->app_handle,
6027 dissector_handle_get_dissector_name(session->app_handle));
6028 ssl_debug_printf("%s: current frame %d, app_handle=%p (%s)\n", G_STRFUNC((const char*) (__func__)),
6029 pinfo->num, (void *)app_handle,
6030 dissector_handle_get_dissector_name(app_handle));
6031
6032 /* Do not switch again if a dissector did it before. */
6033 if (session->last_nontls_frame) {
6034 ssl_debug_printf("%s: not overriding previous app handle!\n", G_STRFUNC((const char*) (__func__)));
6035 return session->last_nontls_frame;
6036 }
6037
6038 session->app_handle = app_handle;
6039 /* The TLS dissector should be called first for this conversation. */
6040 conversation_set_dissector(conversation, tls_handle);
6041 /* TLS starts after this frame. */
6042 session->last_nontls_frame = last_nontls_frame;
6043 return 0;
6044}
6045
6046/* ssl_starttls_ack: mark future frames as encrypted. */
6047uint32_t
6048ssl_starttls_ack(dissector_handle_t tls_handle, packet_info *pinfo,
6049 dissector_handle_t app_handle)
6050{
6051 return ssl_starttls(tls_handle, pinfo, app_handle, pinfo->num);
6052}
6053
6054uint32_t
6055ssl_starttls_post_ack(dissector_handle_t tls_handle, packet_info *pinfo,
6056 dissector_handle_t app_handle)
6057{
6058 return ssl_starttls(tls_handle, pinfo, app_handle, pinfo->num - 1);
6059}
6060
6061dissector_handle_t
6062ssl_find_appdata_dissector(const char *name)
6063{
6064 /* Accept 'http' for backwards compatibility and sanity. */
6065 if (!strcmp(name, "http"))
6066 name = "http-over-tls";
6067 /* XXX - Should this check to see if the dissector is actually added for
6068 * Decode As in the appropriate table?
6069 */
6070 return find_dissector(name);
6071}
6072
6073/* Functions for TLS/DTLS sessions and RSA private keys hashtables. {{{ */
6074static int
6075ssl_equal (const void *v, const void *v2)
6076{
6077 const StringInfo *val1;
6078 const StringInfo *val2;
6079 val1 = (const StringInfo *)v;
6080 val2 = (const StringInfo *)v2;
6081
6082 if (val1->data_len == val2->data_len &&
6083 !memcmp(val1->data, val2->data, val2->data_len)) {
6084 return 1;
6085 }
6086 return 0;
6087}
6088
6089static unsigned
6090ssl_hash (const void *v)
6091{
6092 unsigned l,hash;
6093 const StringInfo* id;
6094 const unsigned* cur;
6095 hash = 0;
6096 id = (const StringInfo*) v;
6097
6098 /* id and id->data are mallocated in ssl_save_master_key(). As such 'data'
6099 * should be aligned for any kind of access (for example as a unsigned as
6100 * is done below). The intermediate void* cast is to prevent "cast
6101 * increases required alignment of target type" warnings on CPUs (such
6102 * as SPARCs) that do not allow misaligned memory accesses.
6103 */
6104 cur = (const unsigned*)(void*) id->data;
6105
6106 for (l=4; (l < id->data_len); l+=4, cur++)
6107 hash = hash ^ (*cur);
6108
6109 return hash;
6110}
6111/* Functions for TLS/DTLS sessions and RSA private keys hashtables. }}} */
6112
6113/* Handling of association between tls/dtls ports and clear text protocol. {{{ */
6114void
6115ssl_association_add(const char* dissector_table_name, dissector_handle_t main_handle, dissector_handle_t subdissector_handle, unsigned port, bool_Bool tcp)
6116{
6117 DISSECTOR_ASSERT(main_handle)((void) ((main_handle) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 6117, "main_handle"))));
6118 DISSECTOR_ASSERT(subdissector_handle)((void) ((subdissector_handle) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 6118, "subdissector_handle"))));
6119 /* Registration is required for Export PDU feature to work properly. */
6120 DISSECTOR_ASSERT_HINT(dissector_handle_get_dissector_name(subdissector_handle),((void) ((dissector_handle_get_dissector_name(subdissector_handle
)) ? (void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\" (%s)"
, "epan/dissectors/packet-tls-utils.c", 6121, "dissector_handle_get_dissector_name(subdissector_handle)"
, "SSL appdata dissectors must register with register_dissector()!"
))))
6121 "SSL appdata dissectors must register with register_dissector()!")((void) ((dissector_handle_get_dissector_name(subdissector_handle
)) ? (void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\" (%s)"
, "epan/dissectors/packet-tls-utils.c", 6121, "dissector_handle_get_dissector_name(subdissector_handle)"
, "SSL appdata dissectors must register with register_dissector()!"
))));
6122 ssl_debug_printf("association_add %s port %d handle %p\n", dissector_table_name, port, (void *)subdissector_handle);
6123
6124 if (port) {
6125 dissector_add_uint(dissector_table_name, port, subdissector_handle);
6126 if (tcp)
6127 dissector_add_uint("tcp.port", port, main_handle);
6128 else
6129 dissector_add_uint("udp.port", port, main_handle);
6130 dissector_add_uint("sctp.port", port, main_handle);
6131 } else {
6132 dissector_add_for_decode_as(dissector_table_name, subdissector_handle);
6133 }
6134}
6135
6136void
6137ssl_association_remove(const char* dissector_table_name, dissector_handle_t main_handle, dissector_handle_t subdissector_handle, unsigned port, bool_Bool tcp)
6138{
6139 ssl_debug_printf("ssl_association_remove removing %s %u - handle %p\n",
6140 tcp?"TCP":"UDP", port, (void *)subdissector_handle);
6141 if (main_handle) {
6142 dissector_delete_uint(tcp?"tcp.port":"udp.port", port, main_handle);
6143 dissector_delete_uint("sctp.port", port, main_handle);
6144 }
6145
6146 if (port) {
6147 dissector_delete_uint(dissector_table_name, port, subdissector_handle);
6148 }
6149}
6150
6151void
6152ssl_set_server(SslSession *session, address *addr, port_type ptype, uint32_t port)
6153{
6154 copy_address_wmem(wmem_file_scope(), &session->srv_addr, addr);
6155 session->srv_ptype = ptype;
6156 session->srv_port = port;
6157}
6158
6159int
6160ssl_packet_from_server(SslSession *session, dissector_table_t table, const packet_info *pinfo)
6161{
6162 int ret;
6163 if (session && session->srv_addr.type != AT_NONE) {
6164 ret = (session->srv_ptype == pinfo->ptype) &&
6165 (session->srv_port == pinfo->srcport) &&
6166 addresses_equal(&session->srv_addr, &pinfo->src);
6167 } else {
6168 ret = (dissector_get_uint_handle(table, pinfo->srcport) != 0);
6169 }
6170
6171 ssl_debug_printf("packet_from_server: is from server - %s\n", (ret)?"TRUE":"FALSE");
6172 return ret;
6173}
6174/* Handling of association between tls/dtls ports and clear text protocol. }}} */
6175
6176
6177/* Links SSL records with the real packet data. {{{ */
6178SslPacketInfo *
6179tls_add_packet_info(int proto, packet_info *pinfo, uint8_t curr_layer_num_ssl)
6180{
6181 SslPacketInfo *pi = (SslPacketInfo *)p_get_proto_data(wmem_file_scope(), pinfo, proto, curr_layer_num_ssl);
6182 if (!pi) {
6183 pi = wmem_new0(wmem_file_scope(), SslPacketInfo)((SslPacketInfo*)wmem_alloc0((wmem_file_scope()), sizeof(SslPacketInfo
)));
6184 pi->srcport = pinfo->srcport;
6185 pi->destport = pinfo->destport;
6186 p_add_proto_data(wmem_file_scope(), pinfo, proto, curr_layer_num_ssl, pi);
6187 }
6188
6189 return pi;
6190}
6191
6192/**
6193 * Remembers the decrypted TLS record fragment (TLSInnerPlaintext in TLS 1.3) to
6194 * avoid the need for a decoder in the second pass. Additionally, it remembers
6195 * sequence numbers (for reassembly and Follow TLS Stream).
6196 *
6197 * @param proto The protocol identifier (proto_ssl or proto_dtls).
6198 * @param pinfo The packet where the record originates from.
6199 * @param data Decrypted data to store in the record.
6200 * @param data_len Length of decrypted record data.
6201 * @param record_id The identifier for this record within the current packet.
6202 * @param flow Information about sequence numbers, etc.
6203 * @param type TLS Content Type (such as handshake or application_data).
6204 * @param curr_layer_num_ssl The layer identifier for this TLS session.
6205 */
6206void
6207ssl_add_record_info(int proto, packet_info *pinfo, const unsigned char *data, int data_len, int record_id, SslFlow *flow, ContentType type, uint8_t curr_layer_num_ssl)
6208{
6209 SslRecordInfo* rec, **prec;
6210 SslPacketInfo *pi = tls_add_packet_info(proto, pinfo, curr_layer_num_ssl);
6211
6212 rec = wmem_new(wmem_file_scope(), SslRecordInfo)((SslRecordInfo*)wmem_alloc((wmem_file_scope()), sizeof(SslRecordInfo
)));
6213 rec->plain_data = (unsigned char *)wmem_memdup(wmem_file_scope(), data, data_len);
6214 rec->data_len = data_len;
6215 rec->id = record_id;
6216 rec->type = type;
6217 rec->next = NULL((void*)0);
6218
6219 if (flow && type == SSL_ID_APP_DATA) {
6220 rec->seq = flow->byte_seq;
6221 rec->flow = flow;
6222 flow->byte_seq += data_len;
6223 ssl_debug_printf("%s stored decrypted record seq=%d nxtseq=%d flow=%p\n",
6224 G_STRFUNC((const char*) (__func__)), rec->seq, rec->seq + data_len, (void*)flow);
6225 }
6226
6227 /* Remember decrypted records. */
6228 prec = &pi->records;
6229 while (*prec) prec = &(*prec)->next;
6230 *prec = rec;
6231}
6232
6233/* search in packet data for the specified id; return a newly created tvb for the associated data */
6234tvbuff_t*
6235ssl_get_record_info(tvbuff_t *parent_tvb, int proto, packet_info *pinfo, int record_id, uint8_t curr_layer_num_ssl, SslRecordInfo **matched_record)
6236{
6237 SslRecordInfo* rec;
6238 SslPacketInfo* pi;
6239 pi = (SslPacketInfo *)p_get_proto_data(wmem_file_scope(), pinfo, proto, curr_layer_num_ssl);
6240
6241 if (!pi)
6242 return NULL((void*)0);
6243
6244 for (rec = pi->records; rec; rec = rec->next)
6245 if (rec->id == record_id) {
6246 *matched_record = rec;
6247 /* link new real_data_tvb with a parent tvb so it is freed when frame dissection is complete */
6248 return tvb_new_child_real_data(parent_tvb, rec->plain_data, rec->data_len, rec->data_len);
6249 }
6250
6251 return NULL((void*)0);
6252}
6253/* Links SSL records with the real packet data. }}} */
6254
6255/* initialize/reset per capture state data (ssl sessions cache). {{{ */
6256void
6257ssl_common_init(ssl_master_key_map_t *mk_map,
6258 StringInfo *decrypted_data, StringInfo *compressed_data)
6259{
6260 mk_map->session = g_hash_table_new(ssl_hash, ssl_equal);
6261 mk_map->tickets = g_hash_table_new(ssl_hash, ssl_equal);
6262 mk_map->crandom = g_hash_table_new(ssl_hash, ssl_equal);
6263 mk_map->pre_master = g_hash_table_new(ssl_hash, ssl_equal);
6264 mk_map->pms = g_hash_table_new(ssl_hash, ssl_equal);
6265 mk_map->tls13_client_early = g_hash_table_new(ssl_hash, ssl_equal);
6266 mk_map->tls13_client_handshake = g_hash_table_new(ssl_hash, ssl_equal);
6267 mk_map->tls13_server_handshake = g_hash_table_new(ssl_hash, ssl_equal);
6268 mk_map->tls13_client_appdata = g_hash_table_new(ssl_hash, ssl_equal);
6269 mk_map->tls13_server_appdata = g_hash_table_new(ssl_hash, ssl_equal);
6270 mk_map->tls13_early_exporter = g_hash_table_new(ssl_hash, ssl_equal);
6271 mk_map->tls13_exporter = g_hash_table_new(ssl_hash, ssl_equal);
6272
6273 mk_map->ech_secret = g_hash_table_new(ssl_hash, ssl_equal);
6274 mk_map->ech_config = g_hash_table_new(ssl_hash, ssl_equal);
6275
6276 mk_map->used_crandom = g_hash_table_new(ssl_hash, ssl_equal);
6277
6278 ssl_data_alloc(decrypted_data, 32);
6279 ssl_data_alloc(compressed_data, 32);
6280}
6281
6282void
6283ssl_common_cleanup(ssl_master_key_map_t *mk_map, FILE **ssl_keylog_file,
6284 StringInfo *decrypted_data, StringInfo *compressed_data)
6285{
6286 g_hash_table_destroy(mk_map->session);
6287 g_hash_table_destroy(mk_map->tickets);
6288 g_hash_table_destroy(mk_map->crandom);
6289 g_hash_table_destroy(mk_map->pre_master);
6290 g_hash_table_destroy(mk_map->pms);
6291 g_hash_table_destroy(mk_map->tls13_client_early);
6292 g_hash_table_destroy(mk_map->tls13_client_handshake);
6293 g_hash_table_destroy(mk_map->tls13_server_handshake);
6294 g_hash_table_destroy(mk_map->tls13_client_appdata);
6295 g_hash_table_destroy(mk_map->tls13_server_appdata);
6296 g_hash_table_destroy(mk_map->tls13_early_exporter);
6297 g_hash_table_destroy(mk_map->tls13_exporter);
6298
6299 g_hash_table_destroy(mk_map->ech_secret);
6300 g_hash_table_destroy(mk_map->ech_config);
6301
6302 g_hash_table_destroy(mk_map->used_crandom);
6303
6304 g_free(decrypted_data->data);
6305 g_free(compressed_data->data);
6306
6307 /* close the previous keylog file now that the cache are cleared, this
6308 * allows the cache to be filled with the full keylog file contents. */
6309 if (*ssl_keylog_file) {
6310 fclose(*ssl_keylog_file);
6311 *ssl_keylog_file = NULL((void*)0);
6312 }
6313}
6314/* }}} */
6315
6316/* parse ssl related preferences (private keys and ports association strings) */
6317#if defined(HAVE_LIBGNUTLS1)
6318/* Load a single RSA key file item from preferences. {{{ */
6319void
6320ssl_parse_key_list(const ssldecrypt_assoc_t *uats, GHashTable *key_hash, const char* dissector_table_name, dissector_handle_t main_handle, bool_Bool tcp)
6321{
6322 gnutls_x509_privkey_t x509_priv_key;
6323 gnutls_privkey_t priv_key = NULL((void*)0);
6324 FILE* fp = NULL((void*)0);
6325 int ret;
6326 size_t key_id_len = 20;
6327 unsigned char *key_id = NULL((void*)0);
6328 char *err = NULL((void*)0);
6329 dissector_handle_t handle;
6330 /* try to load keys file first */
6331 fp = ws_fopenfopen(uats->keyfile, "rb");
6332 if (!fp) {
6333 report_open_failure(uats->keyfile, errno(*__errno_location ()), false0);
6334 return;
6335 }
6336
6337 if ((int)strlen(uats->password) == 0) {
6338 x509_priv_key = rsa_load_pem_key(fp, &err);
6339 } else {
6340 x509_priv_key = rsa_load_pkcs12(fp, uats->password, &err);
6341 }
6342 fclose(fp);
6343
6344 if (!x509_priv_key) {
6345 if (err) {
6346 report_failure("Can't load private key from %s: %s",
6347 uats->keyfile, err);
6348 g_free(err);
6349 } else
6350 report_failure("Can't load private key from %s: unknown error",
6351 uats->keyfile);
6352 return;
6353 }
6354 if (err) {
6355 report_failure("Load of private key from %s \"succeeded\" with error %s",
6356 uats->keyfile, err);
6357 g_free(err);
6358 }
6359
6360 gnutls_privkey_init(&priv_key);
6361 ret = gnutls_privkey_import_x509(priv_key, x509_priv_key,
6362 GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE|GNUTLS_PRIVKEY_IMPORT_COPY);
6363 if (ret < 0) {
6364 report_failure("Can't convert private key %s: %s",
6365 uats->keyfile, gnutls_strerror(ret));
6366 goto end;
6367 }
6368
6369 key_id = (unsigned char *) g_malloc0(key_id_len);
6370 ret = gnutls_x509_privkey_get_key_id(x509_priv_key, 0, key_id, &key_id_len);
6371 if (ret < 0) {
6372 report_failure("Can't calculate public key ID for %s: %s",
6373 uats->keyfile, gnutls_strerror(ret));
6374 goto end;
6375 }
6376 ssl_print_data("KeyID", key_id, key_id_len);
6377 if (key_id_len != 20) {
6378 report_failure("Expected Key ID size %u for %s, got %zu", 20,
6379 uats->keyfile, key_id_len);
6380 goto end;
6381 }
6382
6383 g_hash_table_replace(key_hash, key_id, priv_key);
6384 key_id = NULL((void*)0); /* used in key_hash, do not free. */
6385 priv_key = NULL((void*)0);
6386 ssl_debug_printf("ssl_init private key file %s successfully loaded.\n", uats->keyfile);
6387
6388 handle = ssl_find_appdata_dissector(uats->protocol);
6389 if (handle) {
6390 /* Port to subprotocol mapping */
6391 uint16_t port = 0;
6392 if (ws_strtou16(uats->port, NULL((void*)0), &port)) {
6393 if (port > 0) {
6394 ssl_debug_printf("ssl_init port '%d' filename '%s' password(only for p12 file) '%s'\n",
6395 port, uats->keyfile, uats->password);
6396
6397 ssl_association_add(dissector_table_name, main_handle, handle, port, tcp);
6398 }
6399 } else {
6400 if (strcmp(uats->port, "start_tls"))
6401 ssl_debug_printf("invalid ssl_init_port: %s\n", uats->port);
6402 }
6403 }
6404
6405end:
6406 gnutls_x509_privkey_deinit(x509_priv_key);
6407 gnutls_privkey_deinit(priv_key);
6408 g_free(key_id);
6409}
6410/* }}} */
6411#endif
6412
6413
6414/* Store/load a known (pre-)master secret from/for this SSL session. {{{ */
6415/** store a known (pre-)master secret into cache */
6416static void
6417ssl_save_master_key(const char *label, GHashTable *ht, StringInfo *key,
6418 StringInfo *mk)
6419{
6420 StringInfo *ht_key, *master_secret;
6421
6422 if (key->data_len == 0) {
6423 ssl_debug_printf("%s: not saving empty %s!\n", G_STRFUNC((const char*) (__func__)), label);
6424 return;
6425 }
6426
6427 if (mk->data_len == 0) {
6428 ssl_debug_printf("%s not saving empty (pre-)master secret for %s!\n",
6429 G_STRFUNC((const char*) (__func__)), label);
6430 return;
6431 }
6432
6433 /* ssl_hash() depends on session_ticket->data being aligned for unsigned access
6434 * so be careful in changing how it is allocated. */
6435 ht_key = ssl_data_clone(key);
6436 master_secret = ssl_data_clone(mk);
6437 g_hash_table_insert(ht, ht_key, master_secret);
6438
6439 ssl_debug_printf("%s inserted (pre-)master secret for %s\n", G_STRFUNC((const char*) (__func__)), label);
6440 ssl_print_string("stored key", ht_key);
6441 ssl_print_string("stored (pre-)master secret", master_secret);
6442}
6443
6444/** restore a (pre-)master secret given some key in the cache */
6445static bool_Bool
6446ssl_restore_master_key(SslDecryptSession *ssl, const char *label,
6447 bool_Bool is_pre_master, GHashTable *ht, StringInfo *key)
6448{
6449 StringInfo *ms;
6450
6451 if (key->data_len == 0) {
6452 ssl_debug_printf("%s can't restore %smaster secret using an empty %s\n",
6453 G_STRFUNC((const char*) (__func__)), is_pre_master ? "pre-" : "", label);
6454 return false0;
6455 }
6456
6457 ms = (StringInfo *)g_hash_table_lookup(ht, key);
6458 if (!ms) {
6459 ssl_debug_printf("%s can't find %smaster secret by %s\n", G_STRFUNC((const char*) (__func__)),
6460 is_pre_master ? "pre-" : "", label);
6461 return false0;
6462 }
6463
6464 /* (pre)master secret found, clear knowledge of other keys and set it in the
6465 * current conversation */
6466 ssl->state &= ~(SSL_MASTER_SECRET(1<<5) | SSL_PRE_MASTER_SECRET(1<<6) |
6467 SSL_HAVE_SESSION_KEY(1<<3));
6468 if (is_pre_master) {
6469 /* unlike master secret, pre-master secret has a variable size (48 for
6470 * RSA, varying for PSK) and is therefore not statically allocated */
6471 ssl->pre_master_secret.data = (unsigned char *) wmem_alloc(wmem_file_scope(),
6472 ms->data_len);
6473 ssl_data_set(&ssl->pre_master_secret, ms->data, ms->data_len);
6474 ssl->state |= SSL_PRE_MASTER_SECRET(1<<6);
6475 } else {
6476 ssl_data_set(&ssl->master_secret, ms->data, ms->data_len);
6477 ssl->state |= SSL_MASTER_SECRET(1<<5);
6478 }
6479 ssl_debug_printf("%s %smaster secret retrieved using %s\n", G_STRFUNC((const char*) (__func__)),
6480 is_pre_master ? "pre-" : "", label);
6481 ssl_print_string(label, key);
6482 ssl_print_string("(pre-)master secret", ms);
6483 return true1;
6484}
6485/* Store/load a known (pre-)master secret from/for this SSL session. }}} */
6486
6487/* Should be called when all parameters are ready (after ChangeCipherSpec), and
6488 * the decoder should be attempted to be initialized. {{{*/
6489void
6490ssl_finalize_decryption(SslDecryptSession *ssl, ssl_master_key_map_t *mk_map)
6491{
6492 if (ssl->session.version == TLSV1DOT3_VERSION0x304) {
1
Assuming field 'version' is not equal to TLSV1DOT3_VERSION
2
Taking false branch
6493 /* TLS 1.3 implementations only provide secrets derived from the master
6494 * secret which are loaded in tls13_change_key. No master secrets can be
6495 * loaded here, so just return. */
6496 return;
6497 }
6498 ssl_debug_printf("%s state = 0x%02X\n", G_STRFUNC((const char*) (__func__)), ssl->state);
6499 if (ssl->state & SSL_HAVE_SESSION_KEY(1<<3)) {
3
Assuming the condition is false
4
Taking false branch
6500 ssl_debug_printf(" session key already available, nothing to do.\n");
6501 return;
6502 }
6503 if (!(ssl->state & SSL_CIPHER(1<<2))) {
5
Assuming the condition is false
6504 ssl_debug_printf(" Cipher suite (Server Hello) is missing!\n");
6505 return;
6506 }
6507
6508 /* for decryption, there needs to be a master secret (which can be derived
6509 * from pre-master secret). If missing, try to pick a master key from cache
6510 * (an earlier packet in the capture or key logfile). */
6511 if (!(ssl->state & (SSL_MASTER_SECRET(1<<5) | SSL_PRE_MASTER_SECRET(1<<6))) &&
6
Assuming the condition is false
6512 !ssl_restore_master_key(ssl, "Session ID", false0,
6513 mk_map->session, &ssl->session_id) &&
6514 (!ssl->session.is_session_resumed ||
6515 !ssl_restore_master_key(ssl, "Session Ticket", false0,
6516 mk_map->tickets, &ssl->session_ticket)) &&
6517 !ssl_restore_master_key(ssl, "Client Random", false0,
6518 mk_map->crandom, &ssl->client_random)) {
6519 if (ssl->cipher_suite->enc != ENC_NULL0x3D) {
6520 /* how unfortunate, the master secret could not be found */
6521 ssl_debug_printf(" Cannot find master secret\n");
6522 return;
6523 } else {
6524 ssl_debug_printf(" Cannot find master secret, continuing anyway "
6525 "because of a NULL cipher\n");
6526 }
6527 }
6528
6529 if (ssl_generate_keyring_material(ssl) < 0) {
7
Calling 'ssl_generate_keyring_material'
6530 ssl_debug_printf("%s can't generate keyring material\n", G_STRFUNC((const char*) (__func__)));
6531 return;
6532 }
6533 /* Save Client Random/ Session ID for "SSL Export Session keys" */
6534 ssl_save_master_key("Client Random", mk_map->crandom,
6535 &ssl->client_random, &ssl->master_secret);
6536 ssl_save_master_key("Session ID", mk_map->session,
6537 &ssl->session_id, &ssl->master_secret);
6538 /* Only save the new secrets if the server sent the ticket. The client
6539 * ticket might have become stale. */
6540 if (ssl->state & SSL_NEW_SESSION_TICKET(1<<10)) {
6541 ssl_save_master_key("Session Ticket", mk_map->tickets,
6542 &ssl->session_ticket, &ssl->master_secret);
6543 }
6544} /* }}} */
6545
6546/* Load the traffic key secret from the keylog file. */
6547StringInfo *
6548tls13_load_secret(SslDecryptSession *ssl, ssl_master_key_map_t *mk_map,
6549 bool_Bool is_from_server, TLSRecordType type)
6550{
6551 GHashTable *key_map;
6552 const char *label;
6553
6554 if (ssl->session.version != TLSV1DOT3_VERSION0x304 && ssl->session.version != DTLSV1DOT3_VERSION0xfefc) {
6555 ssl_debug_printf("%s TLS version %#x is not 1.3\n", G_STRFUNC((const char*) (__func__)), ssl->session.version);
6556 return NULL((void*)0);
6557 }
6558
6559 if (ssl->client_random.data_len == 0) {
6560 /* May happen if Hello message is missing and Finished is found. */
6561 ssl_debug_printf("%s missing Client Random\n", G_STRFUNC((const char*) (__func__)));
6562 return NULL((void*)0);
6563 }
6564
6565 switch (type) {
6566 case TLS_SECRET_0RTT_APP:
6567 DISSECTOR_ASSERT(!is_from_server)((void) ((!is_from_server) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-tls-utils.c"
, 6567, "!is_from_server"))));
6568 label = "CLIENT_EARLY_TRAFFIC_SECRET";
6569 key_map = mk_map->tls13_client_early;
6570 break;
6571 case TLS_SECRET_HANDSHAKE:
6572 if (is_from_server) {
6573 label = "SERVER_HANDSHAKE_TRAFFIC_SECRET";
6574 key_map = mk_map->tls13_server_handshake;
6575 } else {
6576 label = "CLIENT_HANDSHAKE_TRAFFIC_SECRET";
6577 key_map = mk_map->tls13_client_handshake;
6578 }
6579 break;
6580 case TLS_SECRET_APP:
6581 if (is_from_server) {
6582 label = "SERVER_TRAFFIC_SECRET_0";
6583 key_map = mk_map->tls13_server_appdata;
6584 } else {
6585 label = "CLIENT_TRAFFIC_SECRET_0";
6586 key_map = mk_map->tls13_client_appdata;
6587 }
6588 break;
6589 default:
6590 ws_assert_not_reached()ws_log_fatal_full("", LOG_LEVEL_ERROR, "epan/dissectors/packet-tls-utils.c"
, 6590, __func__, "assertion \"not reached\" failed");
6591 }
6592
6593 /* Transitioning to new keys, mark old ones as unusable. */
6594 ssl_debug_printf("%s transitioning to new key, old state 0x%02x\n", G_STRFUNC((const char*) (__func__)), ssl->state);
6595 ssl->state &= ~(SSL_MASTER_SECRET(1<<5) | SSL_PRE_MASTER_SECRET(1<<6) | SSL_HAVE_SESSION_KEY(1<<3));
6596
6597 StringInfo *secret = (StringInfo *)g_hash_table_lookup(key_map, &ssl->client_random);
6598 if (!secret) {
6599 ssl_debug_printf("%s Cannot find %s, decryption impossible\n", G_STRFUNC((const char*) (__func__)), label);
6600 /* Disable decryption, the keys are invalid. */
6601 if (is_from_server) {
6602 ssl->server = NULL((void*)0);
6603 } else {
6604 ssl->client = NULL((void*)0);
6605 }
6606 return NULL((void*)0);
6607 }
6608
6609 /* TLS 1.3 secret found, set new keys. */
6610 ssl_debug_printf("%s Retrieved TLS 1.3 traffic secret.\n", G_STRFUNC((const char*) (__func__)));
6611 ssl_print_string("Client Random", &ssl->client_random);
6612 ssl_print_string(label, secret);
6613 return secret;
6614}
6615
6616/* Load the new key. */
6617void
6618tls13_change_key(SslDecryptSession *ssl, ssl_master_key_map_t *mk_map,
6619 bool_Bool is_from_server, TLSRecordType type)
6620{
6621 if (ssl->state & SSL_QUIC_RECORD_LAYER(1<<13)) {
6622 /*
6623 * QUIC does not use the TLS record layer for message protection.
6624 * The required keys will be extracted later by QUIC.
6625 */
6626 return;
6627 }
6628
6629 StringInfo *secret = tls13_load_secret(ssl, mk_map, is_from_server, type);
6630 if (!secret) {
6631 if (type != TLS_SECRET_HANDSHAKE) {
6632 return;
6633 }
6634 /*
6635 * Workaround for when for some reason we don't have the handshake
6636 * secret but do have the application traffic secret. (#20240)
6637 * If we can't find the handshake secret, we'll never decrypt the
6638 * Finished message, so we won't know when to change to the app
6639 * traffic key, so we do so now.
6640 */
6641 type = TLS_SECRET_APP;
6642 secret = tls13_load_secret(ssl, mk_map, is_from_server, type);
6643 if (!secret) {
6644 return;
6645 }
6646 }
6647
6648 if (tls13_generate_keys(ssl, secret, is_from_server)) {
6649 /*
6650 * Remember the application traffic secret to support Key Update. The
6651 * other secrets cannot be used for this purpose, so free them.
6652 */
6653 SslDecoder *decoder = is_from_server ? ssl->server : ssl->client;
6654 StringInfo *app_secret = &decoder->app_traffic_secret;
6655 if (type == TLS_SECRET_APP) {
6656 app_secret->data = (unsigned char *) wmem_realloc(wmem_file_scope(),
6657 app_secret->data,
6658 secret->data_len);
6659 ssl_data_set(app_secret, secret->data, secret->data_len);
6660 } else {
6661 wmem_free(wmem_file_scope(), app_secret->data);
6662 app_secret->data = NULL((void*)0);
6663 app_secret->data_len = 0;
6664 }
6665 }
6666}
6667
6668/**
6669 * Update to next application data traffic secret for TLS 1.3. The previous
6670 * secret should have been set by tls13_change_key.
6671 */
6672void
6673tls13_key_update(SslDecryptSession *ssl, bool_Bool is_from_server)
6674{
6675 /* RFC 8446 Section 7.2:
6676 * application_traffic_secret_N+1 =
6677 * HKDF-Expand-Label(application_traffic_secret_N,
6678 * "traffic upd", "", Hash.length)
6679 *
6680 * Both application_traffic_secret_N are of the same length (Hash.length).
6681 */
6682 const SslCipherSuite *cipher_suite = ssl->cipher_suite;
6683 SslDecoder *decoder = is_from_server ? ssl->server : ssl->client;
6684 StringInfo *app_secret = decoder ? &decoder->app_traffic_secret : NULL((void*)0);
6685 uint8_t tls13_draft_version = ssl->session.tls13_draft_version;
6686
6687 if (!cipher_suite || !app_secret || app_secret->data_len == 0) {
6688 ssl_debug_printf("%s Cannot perform Key Update due to missing info\n", G_STRFUNC((const char*) (__func__)));
6689 return;
6690 }
6691
6692 /*
6693 * Previous traffic secret is available, so find the hash function,
6694 * expand the new traffic secret and generate new keys.
6695 */
6696 const char *hash_name = ssl_cipher_suite_dig(cipher_suite)->name;
6697 int hash_algo = ssl_get_digest_by_name(hash_name);
6698 const unsigned hash_len = app_secret->data_len;
6699 unsigned char *new_secret;
6700 const char *label = "traffic upd";
6701 if (tls13_draft_version && tls13_draft_version < 20) {
6702 label = "application traffic secret";
6703 }
6704 if (!tls13_hkdf_expand_label(hash_algo, app_secret,
6705 tls13_hkdf_label_prefix(ssl),
6706 label, hash_len, &new_secret)) {
6707 ssl_debug_printf("%s traffic_secret_N+1 expansion failed\n", G_STRFUNC((const char*) (__func__)));
6708 return;
6709 }
6710 ssl_data_set(app_secret, new_secret, hash_len);
6711 if (tls13_generate_keys(ssl, app_secret, is_from_server)) {
6712 /*
6713 * Remember the application traffic secret on the new decoder to
6714 * support another Key Update.
6715 */
6716 decoder = is_from_server ? ssl->server : ssl->client;
6717 app_secret = &decoder->app_traffic_secret;
6718 app_secret->data = (unsigned char *) wmem_realloc(wmem_file_scope(),
6719 app_secret->data,
6720 hash_len);
6721 ssl_data_set(app_secret, new_secret, hash_len);
6722 }
6723 wmem_free(NULL((void*)0), new_secret);
6724}
6725
6726void
6727tls_save_crandom(SslDecryptSession *ssl, ssl_master_key_map_t *mk_map)
6728{
6729 if (ssl && (ssl->state & SSL_CLIENT_RANDOM(1<<0))) {
6730 g_hash_table_add(mk_map->used_crandom, &ssl->client_random);
6731 }
6732}
6733
6734/** SSL keylog file handling. {{{ */
6735
6736static GRegex *
6737ssl_compile_keyfile_regex(void)
6738{
6739#define OCTET "(?:[[:xdigit:]]{2})"
6740 const char *pattern =
6741 "(?:"
6742 /* Matches Client Hellos having this Client Random */
6743 "PMS_CLIENT_RANDOM (?<client_random_pms>" OCTET "{32}) "
6744 /* Matches first part of encrypted RSA pre-master secret */
6745 "|RSA (?<encrypted_pmk>" OCTET "{8}) "
6746 /* Pre-Master-Secret is given, it is 48 bytes for RSA,
6747 but it can be of any length for DHE */
6748 ")(?<pms>" OCTET "+)"
6749 "|(?:"
6750 /* Matches Server Hellos having a Session ID */
6751 "RSA Session-ID:(?<session_id>" OCTET "+) Master-Key:"
6752 /* Matches Client Hellos having this Client Random */
6753 "|CLIENT_RANDOM (?<client_random>" OCTET "{32}) "
6754 /* Master-Secret is given, its length is fixed */
6755 ")(?<master_secret>" OCTET "{" G_STRINGIFY(SSL_MASTER_SECRET_LENGTH)"48" "})"
6756 "|(?"
6757 /* TLS 1.3 Client Random to Derived Secrets mapping. */
6758 ":CLIENT_EARLY_TRAFFIC_SECRET (?<client_early>" OCTET "{32})"
6759 "|CLIENT_HANDSHAKE_TRAFFIC_SECRET (?<client_handshake>" OCTET "{32})"
6760 "|SERVER_HANDSHAKE_TRAFFIC_SECRET (?<server_handshake>" OCTET "{32})"
6761 "|CLIENT_TRAFFIC_SECRET_0 (?<client_appdata>" OCTET "{32})"
6762 "|SERVER_TRAFFIC_SECRET_0 (?<server_appdata>" OCTET "{32})"
6763 "|EARLY_EXPORTER_SECRET (?<early_exporter>" OCTET "{32})"
6764 "|EXPORTER_SECRET (?<exporter>" OCTET "{32})"
6765 /* ECH. Secret length is defined by HPKE KEM Nsecret and can vary between 32 and 64 bytes */
6766 /* These labels and their notation are specified in draft-ietf-tls-ech-keylogfile-01 */
6767 "|ECH_SECRET (?<ech_secret>" OCTET "{32,64})"
6768 "|ECH_CONFIG (?<ech_config>" OCTET "{22,})"
6769 ") (?<derived_secret>" OCTET "+)";
6770#undef OCTET
6771 static GRegex *regex = NULL((void*)0);
6772 GError *gerr = NULL((void*)0);
6773
6774 if (!regex) {
6775 regex = g_regex_new(pattern,
6776 (GRegexCompileFlags)(G_REGEX_OPTIMIZE | G_REGEX_ANCHORED | G_REGEX_RAW),
6777 G_REGEX_MATCH_ANCHORED, &gerr);
6778 if (gerr) {
6779 ssl_debug_printf("%s failed to compile regex: %s\n", G_STRFUNC((const char*) (__func__)),
6780 gerr->message);
6781 g_error_free(gerr);
6782 regex = NULL((void*)0);
6783 }
6784 }
6785
6786 return regex;
6787}
6788
6789typedef struct ssl_master_key_match_group {
6790 const char *re_group_name;
6791 GHashTable *master_key_ht;
6792} ssl_master_key_match_group_t;
6793
6794void
6795tls_keylog_process_lines(const ssl_master_key_map_t *mk_map, const uint8_t *data, unsigned datalen)
6796{
6797 ssl_master_key_match_group_t mk_groups[] = {
6798 { "encrypted_pmk", mk_map->pre_master },
6799 { "session_id", mk_map->session },
6800 { "client_random", mk_map->crandom },
6801 { "client_random_pms", mk_map->pms },
6802 /* TLS 1.3 map from Client Random to derived secret. */
6803 { "client_early", mk_map->tls13_client_early },
6804 { "client_handshake", mk_map->tls13_client_handshake },
6805 { "server_handshake", mk_map->tls13_server_handshake },
6806 { "client_appdata", mk_map->tls13_client_appdata },
6807 { "server_appdata", mk_map->tls13_server_appdata },
6808 { "early_exporter", mk_map->tls13_early_exporter },
6809 { "exporter", mk_map->tls13_exporter },
6810 { "ech_secret", mk_map->ech_secret },
6811 { "ech_config", mk_map->ech_config },
6812 };
6813
6814 /* The format of the file is a series of records with one of the following formats:
6815 * - "RSA xxxx yyyy"
6816 * Where xxxx are the first 8 bytes of the encrypted pre-master secret (hex-encoded)
6817 * Where yyyy is the cleartext pre-master secret (hex-encoded)
6818 * (this is the original format introduced with bug 4349)
6819 *
6820 * - "RSA Session-ID:xxxx Master-Key:yyyy"
6821 * Where xxxx is the SSL session ID (hex-encoded)
6822 * Where yyyy is the cleartext master secret (hex-encoded)
6823 * (added to support openssl s_client Master-Key output)
6824 * This is somewhat is a misnomer because there's nothing RSA specific
6825 * about this.
6826 *
6827 * - "PMS_CLIENT_RANDOM xxxx yyyy"
6828 * Where xxxx is the client_random from the ClientHello (hex-encoded)
6829 * Where yyyy is the cleartext pre-master secret (hex-encoded)
6830 * (This format allows SSL connections to be decrypted, if a user can
6831 * capture the PMS but could not recover the MS for a specific session
6832 * with a SSL Server.)
6833 *
6834 * - "CLIENT_RANDOM xxxx yyyy"
6835 * Where xxxx is the client_random from the ClientHello (hex-encoded)
6836 * Where yyyy is the cleartext master secret (hex-encoded)
6837 * (This format allows non-RSA SSL connections to be decrypted, i.e.
6838 * ECDHE-RSA.)
6839 *
6840 * - "CLIENT_EARLY_TRAFFIC_SECRET xxxx yyyy"
6841 * - "CLIENT_HANDSHAKE_TRAFFIC_SECRET xxxx yyyy"
6842 * - "SERVER_HANDSHAKE_TRAFFIC_SECRET xxxx yyyy"
6843 * - "CLIENT_TRAFFIC_SECRET_0 xxxx yyyy"
6844 * - "SERVER_TRAFFIC_SECRET_0 xxxx yyyy"
6845 * - "EARLY_EXPORTER_SECRET xxxx yyyy"
6846 * - "EXPORTER_SECRET xxxx yyyy"
6847 * Where xxxx is the client_random from the ClientHello (hex-encoded)
6848 * Where yyyy is the secret (hex-encoded) derived from the early,
6849 * handshake or master secrets. (This format is introduced with TLS 1.3
6850 * and supported by BoringSSL, OpenSSL, etc. See bug 12779.)
6851 */
6852 GRegex *regex = ssl_compile_keyfile_regex();
6853 if (!regex)
6854 return;
6855
6856 const char *next_line = (const char *)data;
6857 const char *line_end = next_line + datalen;
6858 while (next_line && next_line < line_end) {
6859 const char *line = next_line;
6860 next_line = (const char *)memchr(line, '\n', line_end - line);
6861 ssize_t linelen;
6862
6863 if (next_line) {
6864 linelen = next_line - line;
6865 next_line++; /* drop LF */
6866 } else {
6867 linelen = (ssize_t)(line_end - line);
6868 }
6869 if (linelen > 0 && line[linelen - 1] == '\r') {
6870 linelen--; /* drop CR */
6871 }
6872
6873 ssl_debug_printf(" checking keylog line: %.*s\n", (int)linelen, line);
6874 GMatchInfo *mi;
6875 if (g_regex_match_full(regex, line, linelen, 0, G_REGEX_MATCH_ANCHORED, &mi, NULL((void*)0))) {
6876 char *hex_key, *hex_pre_ms_or_ms;
6877 StringInfo *key = wmem_new(wmem_file_scope(), StringInfo)((StringInfo*)wmem_alloc((wmem_file_scope()), sizeof(StringInfo
)));
6878 StringInfo *pre_ms_or_ms = NULL((void*)0);
6879 GHashTable *ht = NULL((void*)0);
6880
6881 /* Is the PMS being supplied with the PMS_CLIENT_RANDOM
6882 * otherwise we will use the Master Secret
6883 */
6884 hex_pre_ms_or_ms = g_match_info_fetch_named(mi, "master_secret");
6885 if (hex_pre_ms_or_ms == NULL((void*)0) || !*hex_pre_ms_or_ms) {
6886 g_free(hex_pre_ms_or_ms);
6887 hex_pre_ms_or_ms = g_match_info_fetch_named(mi, "pms");
6888 }
6889 if (hex_pre_ms_or_ms == NULL((void*)0) || !*hex_pre_ms_or_ms) {
6890 g_free(hex_pre_ms_or_ms);
6891 hex_pre_ms_or_ms = g_match_info_fetch_named(mi, "derived_secret");
6892 }
6893 /* There is always a match, otherwise the regex is wrong. */
6894 DISSECTOR_ASSERT(hex_pre_ms_or_ms && strlen(hex_pre_ms_or_ms))((void) ((hex_pre_ms_or_ms && strlen(hex_pre_ms_or_ms
)) ? (void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\""
, "epan/dissectors/packet-tls-utils.c", 6894, "hex_pre_ms_or_ms && strlen(hex_pre_ms_or_ms)"
))));
6895
6896 /* convert from hex to bytes and save to hashtable */
6897 pre_ms_or_ms = wmem_new(wmem_file_scope(), StringInfo)((StringInfo*)wmem_alloc((wmem_file_scope()), sizeof(StringInfo
)));
6898 from_hex(pre_ms_or_ms, hex_pre_ms_or_ms, strlen(hex_pre_ms_or_ms));
6899 g_free(hex_pre_ms_or_ms);
6900
6901 /* Find a master key from any format (CLIENT_RANDOM, SID, ...) */
6902 for (unsigned i = 0; i < G_N_ELEMENTS(mk_groups)(sizeof (mk_groups) / sizeof ((mk_groups)[0])); i++) {
6903 ssl_master_key_match_group_t *g = &mk_groups[i];
6904 hex_key = g_match_info_fetch_named(mi, g->re_group_name);
6905 if (hex_key && *hex_key) {
6906 ssl_debug_printf(" matched %s\n", g->re_group_name);
6907 ht = g->master_key_ht;
6908 from_hex(key, hex_key, strlen(hex_key));
6909 g_free(hex_key);
6910 break;
6911 }
6912 g_free(hex_key);
6913 }
6914 DISSECTOR_ASSERT(ht)((void) ((ht) ? (void)0 : (proto_report_dissector_bug("%s:%u: failed assertion \"%s\""
, "epan/dissectors/packet-tls-utils.c", 6914, "ht")))); /* Cannot be reached, or regex is wrong. */
6915
6916 g_hash_table_insert(ht, key, pre_ms_or_ms);
6917
6918 } else if (linelen > 0 && line[0] != '#') {
6919 ssl_debug_printf(" unrecognized line\n");
6920 }
6921 /* always free match info even if there is no match. */
6922 g_match_info_free(mi);
6923 }
6924}
6925
6926void
6927ssl_load_keyfile(const char *tls_keylog_filename, FILE **keylog_file,
6928 const ssl_master_key_map_t *mk_map)
6929{
6930 /* no need to try if no key log file is configured. */
6931 if (!tls_keylog_filename || !*tls_keylog_filename) {
6932 ssl_debug_printf("%s dtls/tls.keylog_file is not configured!\n",
6933 G_STRFUNC((const char*) (__func__)));
6934 return;
6935 }
6936
6937 /* Validate regexes before even trying to use it. */
6938 if (!ssl_compile_keyfile_regex()) {
6939 return;
6940 }
6941
6942 ssl_debug_printf("trying to use TLS keylog in %s\n", tls_keylog_filename);
6943
6944 /* if the keylog file was deleted/overwritten, re-open it */
6945 if (*keylog_file && file_needs_reopen(ws_filenofileno(*keylog_file), tls_keylog_filename)) {
6946 ssl_debug_printf("%s file got deleted, trying to re-open\n", G_STRFUNC((const char*) (__func__)));
6947 fclose(*keylog_file);
6948 *keylog_file = NULL((void*)0);
6949 }
6950
6951 if (*keylog_file == NULL((void*)0)) {
6952 *keylog_file = ws_fopenfopen(tls_keylog_filename, "r");
6953 if (!*keylog_file) {
6954 ssl_debug_printf("%s failed to open SSL keylog\n", G_STRFUNC((const char*) (__func__)));
6955 return;
6956 }
6957 }
6958
6959 for (;;) {
6960 char buf[1110], *line;
6961 line = fgets(buf, sizeof(buf), *keylog_file);
6962 if (!line) {
6963 if (feof(*keylog_file)) {
6964 /* Ensure that newly appended keys can be read in the future. */
6965 clearerr(*keylog_file);
6966 } else if (ferror(*keylog_file)) {
6967 ssl_debug_printf("%s Error while reading key log file, closing it!\n", G_STRFUNC((const char*) (__func__)));
6968 fclose(*keylog_file);
6969 *keylog_file = NULL((void*)0);
6970 }
6971 break;
6972 }
6973 tls_keylog_process_lines(mk_map, (uint8_t *)line, (int)strlen(line));
6974 }
6975}
6976/** SSL keylog file handling. }}} */
6977
6978#ifdef SSL_DECRYPT_DEBUG /* {{{ */
6979
6980static FILE* ssl_debug_file;
6981
6982void
6983ssl_set_debug(const char* name)
6984{
6985 static int debug_file_must_be_closed;
6986 int use_stderr;
6987
6988 use_stderr = name?(strcmp(name, SSL_DEBUG_USE_STDERR"-") == 0):0;
6989
6990 if (debug_file_must_be_closed)
6991 fclose(ssl_debug_file);
6992
6993 if (use_stderr)
6994 ssl_debug_file = stderrstderr;
6995 else if (!name || (strcmp(name, "") ==0))
6996 ssl_debug_file = NULL((void*)0);
6997 else
6998 ssl_debug_file = ws_fopenfopen(name, "w");
6999
7000 if (!use_stderr && ssl_debug_file)
7001 debug_file_must_be_closed = 1;
7002 else
7003 debug_file_must_be_closed = 0;
7004
7005 ssl_debug_printf("Wireshark SSL debug log \n\n");
7006#ifdef HAVE_LIBGNUTLS1
7007 ssl_debug_printf("GnuTLS version: %s\n", gnutls_check_version(NULL((void*)0)));
7008#endif
7009 ssl_debug_printf("Libgcrypt version: %s\n", gcry_check_version(NULL((void*)0)));
7010 ssl_debug_printf("\n");
7011}
7012
7013void
7014ssl_debug_flush(void)
7015{
7016 if (ssl_debug_file)
7017 fflush(ssl_debug_file);
7018}
7019
7020void
7021ssl_debug_printf(const char* fmt, ...)
7022{
7023 va_list ap;
7024
7025 if (!ssl_debug_file)
7026 return;
7027
7028 va_start(ap, fmt)__builtin_va_start(ap, fmt);
7029 vfprintf(ssl_debug_file, fmt, ap);
7030 va_end(ap)__builtin_va_end(ap);
7031}
7032
7033void
7034ssl_print_data(const char* name, const unsigned char* data, size_t len)
7035{
7036 size_t i, j, k;
7037 if (!ssl_debug_file)
7038 return;
7039 fprintf(ssl_debug_file,"%s[%d]:\n",name, (int) len);
7040 for (i=0; i<len; i+=16) {
7041 fprintf(ssl_debug_file,"| ");
7042 for (j=i, k=0; k<16 && j<len; ++j, ++k)
7043 fprintf(ssl_debug_file,"%.2x ",data[j]);
7044 for (; k<16; ++k)
7045 fprintf(ssl_debug_file," ");
7046 fputc('|', ssl_debug_file);
7047 for (j=i, k=0; k<16 && j<len; ++j, ++k) {
7048 unsigned char c = data[j];
7049 if (!g_ascii_isprint(c)((g_ascii_table[(guchar) (c)] & G_ASCII_PRINT) != 0) || (c=='\t')) c = '.';
7050 fputc(c, ssl_debug_file);
7051 }
7052 for (; k<16; ++k)
7053 fputc(' ', ssl_debug_file);
7054 fprintf(ssl_debug_file,"|\n");
7055 }
7056}
7057
7058void
7059ssl_print_string(const char* name, const StringInfo* data)
7060{
7061 ssl_print_data(name, data->data, data->data_len);
7062}
7063#endif /* SSL_DECRYPT_DEBUG }}} */
7064
7065/* UAT preferences callbacks. {{{ */
7066/* checks for SSL and DTLS UAT key list fields */
7067
7068bool_Bool
7069ssldecrypt_uat_fld_ip_chk_cb(void* r _U___attribute__((unused)), const char* p _U___attribute__((unused)), unsigned len _U___attribute__((unused)), const void* u1 _U___attribute__((unused)), const void* u2 _U___attribute__((unused)), char** err)
7070{
7071 // This should be removed in favor of Decode As. Make it optional.
7072 *err = NULL((void*)0);
7073 return true1;
7074}
7075
7076bool_Bool
7077ssldecrypt_uat_fld_port_chk_cb(void* r _U___attribute__((unused)), const char* p, unsigned len _U___attribute__((unused)), const void* u1 _U___attribute__((unused)), const void* u2 _U___attribute__((unused)), char** err)
7078{
7079 if (!p || strlen(p) == 0u) {
7080 // This should be removed in favor of Decode As. Make it optional.
7081 *err = NULL((void*)0);
7082 return true1;
7083 }
7084
7085 if (strcmp(p, "start_tls") != 0){
7086 uint16_t port;
7087 if (!ws_strtou16(p, NULL((void*)0), &port)) {
7088 *err = g_strdup("Invalid port given.")g_strdup_inline ("Invalid port given.");
7089 return false0;
7090 }
7091 }
7092
7093 *err = NULL((void*)0);
7094 return true1;
7095}
7096
7097bool_Bool
7098ssldecrypt_uat_fld_fileopen_chk_cb(void* r _U___attribute__((unused)), const char* p, unsigned len _U___attribute__((unused)), const void* u1 _U___attribute__((unused)), const void* u2 _U___attribute__((unused)), char** err)
7099{
7100 ws_statb64struct stat st;
7101
7102 if (!p || strlen(p) == 0u) {
7103 *err = g_strdup("No filename given.")g_strdup_inline ("No filename given.");
7104 return false0;
7105 } else {
7106 if (ws_stat64stat(p, &st) != 0) {
7107 *err = ws_strdup_printf("File '%s' does not exist or access is denied.", p)wmem_strdup_printf(((void*)0), "File '%s' does not exist or access is denied."
, p);
7108 return false0;
7109 }
7110 }
7111
7112 *err = NULL((void*)0);
7113 return true1;
7114}
7115
7116bool_Bool
7117ssldecrypt_uat_fld_password_chk_cb(void *r _U___attribute__((unused)), const char *p _U___attribute__((unused)), unsigned len _U___attribute__((unused)), const void *u1 _U___attribute__((unused)), const void *u2 _U___attribute__((unused)), char **err)
7118{
7119#if defined(HAVE_LIBGNUTLS1)
7120 ssldecrypt_assoc_t* f = (ssldecrypt_assoc_t *)r;
7121 FILE *fp = NULL((void*)0);
7122
7123 if (p && (strlen(p) > 0u)) {
7124 fp = ws_fopenfopen(f->keyfile, "rb");
7125 if (fp) {
7126 char *msg = NULL((void*)0);
7127 gnutls_x509_privkey_t priv_key = rsa_load_pkcs12(fp, p, &msg);
7128 if (!priv_key) {
7129 fclose(fp);
7130 *err = ws_strdup_printf("Could not load PKCS#12 key file: %s", msg)wmem_strdup_printf(((void*)0), "Could not load PKCS#12 key file: %s"
, msg);
7131 g_free(msg);
7132 return false0;
7133 }
7134 g_free(msg);
7135 gnutls_x509_privkey_deinit(priv_key);
7136 fclose(fp);
7137 } else {
7138 *err = ws_strdup_printf("Leave this field blank if the keyfile is not PKCS#12.")wmem_strdup_printf(((void*)0), "Leave this field blank if the keyfile is not PKCS#12."
);
7139 return false0;
7140 }
7141 }
7142
7143 *err = NULL((void*)0);
7144 return true1;
7145#else
7146 *err = g_strdup("Cannot load key files, support is not compiled in.")g_strdup_inline ("Cannot load key files, support is not compiled in."
);
7147 return false0;
7148#endif
7149}
7150/* UAT preferences callbacks. }}} */
7151
7152/** maximum size of ssl_association_info() string */
7153#define SSL_ASSOC_MAX_LEN8192 8192
7154
7155typedef struct ssl_association_info_callback_data
7156{
7157 char *str;
7158 const char *table_protocol;
7159} ssl_association_info_callback_data_t;
7160
7161/**
7162 * callback function used by ssl_association_info() to traverse the SSL associations.
7163 */
7164static void
7165ssl_association_info_(const char *table _U___attribute__((unused)), void *handle, void *user_data)
7166{
7167 ssl_association_info_callback_data_t* data = (ssl_association_info_callback_data_t*)user_data;
7168 const int l = (const int)strlen(data->str);
7169 snprintf(data->str+l, SSL_ASSOC_MAX_LEN8192-l, "'%s' (%s)\n", dissector_handle_get_dissector_name((dissector_handle_t)handle), dissector_handle_get_description((dissector_handle_t)handle));
7170}
7171
7172/**
7173 * @return an information string on the SSL protocol associations. The string must be freed.
7174 */
7175char*
7176ssl_association_info(const char* dissector_table_name, const char* table_protocol)
7177{
7178 ssl_association_info_callback_data_t data;
7179
7180 data.str = (char *)g_malloc0(SSL_ASSOC_MAX_LEN8192);
7181 data.table_protocol = table_protocol;
7182 dissector_table_foreach_handle(dissector_table_name, ssl_association_info_, &data);
7183 return data.str;
7184}
7185
7186
7187/** Begin of code related to dissection of wire data. */
7188
7189/* Helpers for dissecting Variable-Length Vectors. {{{ */
7190bool_Bool
7191ssl_add_vector(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
7192 unsigned offset, unsigned offset_end, uint32_t *ret_length,
7193 int hf_length, uint32_t min_value, uint32_t max_value)
7194{
7195 unsigned veclen_size;
7196 uint32_t veclen_value;
7197 proto_item *pi;
7198
7199 DISSECTOR_ASSERT_CMPUINT(min_value, <=, max_value)((void) ((min_value <= max_value) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion " "min_value" " " "<=" " " "max_value"
" (" "%" "l" "u" " " "<=" " " "%" "l" "u" ")", "epan/dissectors/packet-tls-utils.c"
, 7199, (uint64_t)min_value, (uint64_t)max_value))));
7200 if (offset > offset_end) {
7201 expert_add_info_format(pinfo, tree, &hf->ei.malformed_buffer_too_small,
7202 "Vector offset is past buffer end offset (%u > %u)",
7203 offset, offset_end);
7204 *ret_length = 0;
7205 return false0; /* Cannot read length. */
7206 }
7207
7208 if (max_value > 0xffffff) {
7209 veclen_size = 4;
7210 } else if (max_value > 0xffff) {
7211 veclen_size = 3;
7212 } else if (max_value > 0xff) {
7213 veclen_size = 2;
7214 } else {
7215 veclen_size = 1;
7216 }
7217
7218 if (offset_end - offset < veclen_size) {
7219 proto_tree_add_expert_format(tree, pinfo, &hf->ei.malformed_buffer_too_small,
7220 tvb, offset, offset_end - offset,
7221 "No more room for vector of length %u",
7222 veclen_size);
7223 *ret_length = 0;
7224 return false0; /* Cannot read length. */
7225 }
7226
7227 pi = proto_tree_add_item_ret_uint(tree, hf_length, tvb, offset, veclen_size, ENC_BIG_ENDIAN0x00000000, &veclen_value);
7228 offset += veclen_size;
7229
7230 if (veclen_value < min_value) {
7231 expert_add_info_format(pinfo, pi, &hf->ei.malformed_vector_length,
7232 "Vector length %u is smaller than minimum %u",
7233 veclen_value, min_value);
7234 } else if (veclen_value > max_value) {
7235 expert_add_info_format(pinfo, pi, &hf->ei.malformed_vector_length,
7236 "Vector length %u is larger than maximum %u",
7237 veclen_value, max_value);
7238 }
7239
7240 if (offset_end - offset < veclen_value) {
7241 expert_add_info_format(pinfo, pi, &hf->ei.malformed_buffer_too_small,
7242 "Vector length %u is too large, truncating it to %u",
7243 veclen_value, offset_end - offset);
7244 *ret_length = offset_end - offset;
7245 return false0; /* Length is truncated to avoid overflow. */
7246 }
7247
7248 *ret_length = veclen_value;
7249 return true1; /* Length is OK. */
7250}
7251
7252bool_Bool
7253ssl_end_vector(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
7254 unsigned offset, unsigned offset_end)
7255{
7256 if (offset < offset_end) {
7257 unsigned trailing = offset_end - offset;
7258 proto_tree_add_expert_format(tree, pinfo, &hf->ei.malformed_trailing_data,
7259 tvb, offset, trailing,
7260 "%u trailing byte%s unprocessed",
7261 trailing, plurality(trailing, " was", "s were")((trailing) == 1 ? (" was") : ("s were")));
7262 return false0; /* unprocessed data warning */
7263 } else if (offset > offset_end) {
7264 /*
7265 * Returned offset runs past the end. This should not happen and is
7266 * possibly a dissector bug.
7267 */
7268 unsigned excess = offset - offset_end;
7269 proto_tree_add_expert_format(tree, pinfo, &hf->ei.malformed_buffer_too_small,
7270 tvb, offset_end, excess,
7271 "Dissector processed too much data (%u byte%s)",
7272 excess, plurality(excess, "", "s")((excess) == 1 ? ("") : ("s")));
7273 return false0; /* overflow error */
7274 }
7275
7276 return true1; /* OK, offset matches. */
7277}
7278/** }}} */
7279
7280
7281static uint32_t
7282ssl_dissect_digitally_signed(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
7283 proto_tree *tree, uint32_t offset, uint32_t offset_end,
7284 uint16_t version, int hf_sig_len, int hf_sig);
7285
7286/* change_cipher_spec(20) dissection */
7287void
7288ssl_dissect_change_cipher_spec(ssl_common_dissect_t *hf, tvbuff_t *tvb,
7289 packet_info *pinfo, proto_tree *tree,
7290 uint32_t offset, SslSession *session,
7291 bool_Bool is_from_server,
7292 const SslDecryptSession *ssl)
7293{
7294 /*
7295 * struct {
7296 * enum { change_cipher_spec(1), (255) } type;
7297 * } ChangeCipherSpec;
7298 */
7299 proto_item *ti;
7300 proto_item_set_text(tree,
7301 "%s Record Layer: %s Protocol: Change Cipher Spec",
7302 val_to_str_const(session->version, ssl_version_short_names, "SSL"),
7303 val_to_str_const(SSL_ID_CHG_CIPHER_SPEC, ssl_31_content_type, "unknown"));
7304 ti = proto_tree_add_item(tree, hf->hf.change_cipher_spec, tvb, offset, 1, ENC_NA0x00000000);
7305
7306 if (session->version == TLSV1DOT3_VERSION0x304) {
7307 /* CCS is a dummy message in TLS 1.3, do not parse it further. */
7308 return;
7309 }
7310
7311 /* Remember frame number of first CCS */
7312 uint32_t *ccs_frame = is_from_server ? &session->server_ccs_frame : &session->client_ccs_frame;
7313 if (*ccs_frame == 0)
7314 *ccs_frame = pinfo->num;
7315
7316 /* Use heuristics to detect an abbreviated handshake, assume that missing
7317 * ServerHelloDone implies reusing previously negotiating keys. Then when
7318 * a Session ID or ticket is present, it must be a resumed session.
7319 * Normally this should be done at the Finished message, but that may be
7320 * encrypted so we do it here, at the last cleartext message. */
7321 if (is_from_server && ssl) {
7322 if (session->is_session_resumed) {
7323 const char *resumed = NULL((void*)0);
7324 if (ssl->session_ticket.data_len) {
7325 resumed = "Session Ticket";
7326 } else if (ssl->session_id.data_len) {
7327 resumed = "Session ID";
7328 }
7329 if (resumed) {
7330 ssl_debug_printf("%s Session resumption using %s\n", G_STRFUNC((const char*) (__func__)), resumed);
7331 } else {
7332 /* Can happen if the capture somehow starts in the middle */
7333 ssl_debug_printf("%s No Session resumption, missing packets?\n", G_STRFUNC((const char*) (__func__)));
7334 }
7335 } else {
7336 ssl_debug_printf("%s Not using Session resumption\n", G_STRFUNC((const char*) (__func__)));
7337 }
7338 }
7339 if (is_from_server && session->is_session_resumed)
7340 expert_add_info(pinfo, ti, &hf->ei.resumed);
7341}
7342
7343/** Begin of handshake(22) record dissections */
7344
7345/* Dissects a SignatureScheme (TLS 1.3) or SignatureAndHashAlgorithm (TLS 1.2).
7346 * {{{ */
7347static void
7348tls_dissect_signature_algorithm(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree, uint32_t offset, ja4_data_t *ja4_data)
7349{
7350 uint32_t sighash, hashalg, sigalg;
7351 proto_item *ti_sigalg;
7352 proto_tree *sigalg_tree;
7353
7354 ti_sigalg = proto_tree_add_item_ret_uint(tree, hf->hf.hs_sig_hash_alg, tvb,
7355 offset, 2, ENC_BIG_ENDIAN0x00000000, &sighash);
7356 if (ja4_data) {
7357 wmem_list_append(ja4_data->sighash_list, GUINT_TO_POINTER(sighash)((gpointer) (gulong) (sighash)));
7358 }
7359
7360 sigalg_tree = proto_item_add_subtree(ti_sigalg, hf->ett.hs_sig_hash_alg);
7361
7362 /* TLS 1.2: SignatureAndHashAlgorithm { hash, signature } */
7363 proto_tree_add_item_ret_uint(sigalg_tree, hf->hf.hs_sig_hash_hash, tvb,
7364 offset, 1, ENC_BIG_ENDIAN0x00000000, &hashalg);
7365 proto_tree_add_item_ret_uint(sigalg_tree, hf->hf.hs_sig_hash_sig, tvb,
7366 offset + 1, 1, ENC_BIG_ENDIAN0x00000000, &sigalg);
7367
7368 /* No TLS 1.3 SignatureScheme? Fallback to TLS 1.2 interpretation. */
7369 if (!try_val_to_str(sighash, tls13_signature_algorithm)) {
7370 proto_item_set_text(ti_sigalg, "Signature Algorithm: %s %s (0x%04x)",
7371 val_to_str_const(hashalg, tls_hash_algorithm, "Unknown"),
7372 val_to_str_const(sigalg, tls_signature_algorithm, "Unknown"),
7373 sighash);
7374 }
7375} /* }}} */
7376
7377/* dissect a list of hash algorithms, return the number of bytes dissected
7378 this is used for the signature algorithms extension and for the
7379 TLS1.2 certificate request. {{{ */
7380static int
7381ssl_dissect_hash_alg_list(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree,
7382 packet_info* pinfo, uint32_t offset, uint32_t offset_end, ja4_data_t *ja4_data)
7383{
7384 /* https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1
7385 * struct {
7386 * HashAlgorithm hash;
7387 * SignatureAlgorithm signature;
7388 * } SignatureAndHashAlgorithm;
7389 * SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2>;
7390 */
7391 proto_tree *subtree;
7392 proto_item *ti;
7393 unsigned sh_alg_length;
7394 uint32_t next_offset;
7395
7396 /* SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2> */
7397 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &sh_alg_length,
7398 hf->hf.hs_sig_hash_alg_len, 2, UINT16_MAX(65535) - 1)) {
7399 return offset_end;
7400 }
7401 offset += 2;
7402 next_offset = offset + sh_alg_length;
7403
7404 ti = proto_tree_add_none_format(tree, hf->hf.hs_sig_hash_algs, tvb, offset, sh_alg_length,
7405 "Signature Hash Algorithms (%u algorithm%s)",
7406 sh_alg_length / 2, plurality(sh_alg_length / 2, "", "s")((sh_alg_length / 2) == 1 ? ("") : ("s")));
7407 subtree = proto_item_add_subtree(ti, hf->ett.hs_sig_hash_algs);
7408
7409 while (offset + 2 <= next_offset) {
7410 tls_dissect_signature_algorithm(hf, tvb, subtree, offset, ja4_data);
7411 offset += 2;
7412 }
7413
7414 if (!ssl_end_vector(hf, tvb, pinfo, subtree, offset, next_offset)) {
7415 offset = next_offset;
7416 }
7417
7418 return offset;
7419} /* }}} */
7420
7421/* Dissection of DistinguishedName (for CertificateRequest and
7422 * certificate_authorities extension). {{{ */
7423static uint32_t
7424tls_dissect_certificate_authorities(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
7425 proto_tree *tree, uint32_t offset, uint32_t offset_end)
7426{
7427 proto_item *ti;
7428 proto_tree *subtree;
7429 uint32_t dnames_length, next_offset;
7430 asn1_ctx_t asn1_ctx;
7431 int dnames_count = 100; /* the maximum number of DNs to add to the tree */
7432
7433 /* Note: minimum length is 0 for TLS 1.1/1.2 and 3 for earlier/later */
7434 /* DistinguishedName certificate_authorities<0..2^16-1> */
7435 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &dnames_length,
7436 hf->hf.hs_dnames_len, 0, UINT16_MAX(65535))) {
7437 return offset_end;
7438 }
7439 offset += 2;
7440 next_offset = offset + dnames_length;
7441
7442 if (dnames_length > 0) {
7443 ti = proto_tree_add_none_format(tree,
7444 hf->hf.hs_dnames,
7445 tvb, offset, dnames_length,
7446 "Distinguished Names (%d byte%s)",
7447 dnames_length,
7448 plurality(dnames_length, "", "s")((dnames_length) == 1 ? ("") : ("s")));
7449 subtree = proto_item_add_subtree(ti, hf->ett.dnames);
7450
7451 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true1, pinfo);
7452
7453 while (offset < next_offset) {
7454 /* get the length of the current certificate */
7455 uint32_t name_length;
7456
7457 if (dnames_count-- == 0) {
7458 /* stop adding to tree when the list is considered too large
7459 * https://gitlab.com/wireshark/wireshark/-/issues/16202
7460 Note: dnames_count must be set low enough not to hit the
7461 limit set by PINFO_LAYER_MAX_RECURSION_DEPTH in packet.c
7462 */
7463 ti = proto_tree_add_item(subtree, hf->hf.hs_dnames_truncated,
7464 tvb, offset, next_offset - offset, ENC_NA0x00000000);
7465 proto_item_set_generated(ti);
7466 return next_offset;
7467 }
7468
7469 /* opaque DistinguishedName<1..2^16-1> */
7470 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, next_offset, &name_length,
7471 hf->hf.hs_dname_len, 1, UINT16_MAX(65535))) {
7472 return next_offset;
7473 }
7474 offset += 2;
7475
7476 dissect_x509if_DistinguishedName(false0, tvb, offset, &asn1_ctx,
7477 subtree, hf->hf.hs_dname);
7478 offset += name_length;
7479 }
7480 }
7481 return offset;
7482} /* }}} */
7483
7484
7485/** TLS Extensions (in Client Hello and Server Hello). {{{ */
7486static int
7487ssl_dissect_hnd_hello_ext_sig_hash_algs(ssl_common_dissect_t *hf, tvbuff_t *tvb,
7488 proto_tree *tree, packet_info* pinfo, uint32_t offset, uint32_t offset_end, ja4_data_t *ja4_data)
7489{
7490 return ssl_dissect_hash_alg_list(hf, tvb, tree, pinfo, offset, offset_end, ja4_data);
7491}
7492
7493static int
7494ssl_dissect_hnd_ext_delegated_credentials(ssl_common_dissect_t *hf, tvbuff_t *tvb,
7495 proto_tree *tree, packet_info* pinfo, uint32_t offset, uint32_t offset_end, uint8_t hnd_type)
7496{
7497 if (hnd_type == SSL_HND_CLIENT_HELLO) {
7498 /*
7499 * struct {
7500 * SignatureScheme supported_signature_algorithm<2..2^16-2>;
7501 * } SignatureSchemeList;
7502 */
7503
7504 return ssl_dissect_hash_alg_list(hf, tvb, tree, pinfo, offset, offset_end, NULL((void*)0));
7505 } else {
7506 asn1_ctx_t asn1_ctx;
7507 unsigned pubkey_length, sign_length;
7508
7509 /*
7510 * struct {
7511 * uint32 valid_time;
7512 * SignatureScheme expected_cert_verify_algorithm;
7513 * opaque ASN1_subjectPublicKeyInfo<1..2^24-1>;
7514 * } Credential;
7515 *
7516 * struct {
7517 * Credential cred;
7518 * SignatureScheme algorithm;
7519 * opaque signature<0..2^16-1>;
7520 * } DelegatedCredential;
7521 */
7522
7523 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true1, pinfo);
7524
7525 proto_tree_add_item(tree, hf->hf.hs_cred_valid_time, tvb, offset, 4, ENC_BIG_ENDIAN0x00000000);
7526 offset += 4;
7527
7528 tls_dissect_signature_algorithm(hf, tvb, tree, offset, NULL((void*)0));
7529 offset += 2;
7530
7531 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &pubkey_length,
7532 hf->hf.hs_cred_pubkey_len, 1, G_MAXUINT24((1U << 24) - 1))) {
7533 return offset_end;
7534 }
7535 offset += 3;
7536 dissect_x509af_SubjectPublicKeyInfo(false0, tvb, offset, &asn1_ctx, tree, hf->hf.hs_cred_pubkey);
7537 offset += pubkey_length;
7538
7539 tls_dissect_signature_algorithm(hf, tvb, tree, offset, NULL((void*)0));
7540 offset += 2;
7541
7542 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &sign_length,
7543 hf->hf.hs_cred_signature_len, 1, UINT16_MAX(65535))) {
7544 return offset_end;
7545 }
7546 offset += 2;
7547 proto_tree_add_item(tree, hf->hf.hs_cred_signature,
7548 tvb, offset, sign_length, ENC_ASCII0x00000000|ENC_NA0x00000000);
7549 offset += sign_length;
7550
7551 return offset;
7552 }
7553}
7554
7555static int
7556ssl_dissect_hnd_hello_ext_alps(ssl_common_dissect_t *hf, tvbuff_t *tvb,
7557 packet_info *pinfo, proto_tree *tree,
7558 uint32_t offset, uint32_t offset_end,
7559 uint8_t hnd_type)
7560{
7561
7562 /* https://datatracker.ietf.org/doc/html/draft-vvv-tls-alps-01#section-4 */
7563
7564 switch (hnd_type) {
7565 case SSL_HND_CLIENT_HELLO: {
7566 proto_tree *alps_tree;
7567 proto_item *ti;
7568 uint32_t next_offset, alps_length, name_length;
7569
7570 /*
7571 * opaque ProtocolName<1..2^8-1>;
7572 * struct {
7573 * ProtocolName supported_protocols<2..2^16-1>
7574 * } ApplicationSettingsSupport;
7575 */
7576
7577 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &alps_length,
7578 hf->hf.hs_ext_alps_len, 2, UINT16_MAX(65535))) {
7579 return offset_end;
7580 }
7581 offset += 2;
7582 next_offset = offset + alps_length;
7583
7584 ti = proto_tree_add_item(tree, hf->hf.hs_ext_alps_alpn_list,
7585 tvb, offset, alps_length, ENC_NA0x00000000);
7586 alps_tree = proto_item_add_subtree(ti, hf->ett.hs_ext_alps);
7587
7588 /* Parse list (note missing check for end of vector, ssl_add_vector below
7589 * ensures that data is always available.) */
7590 while (offset < next_offset) {
7591 if (!ssl_add_vector(hf, tvb, pinfo, alps_tree, offset, next_offset, &name_length,
7592 hf->hf.hs_ext_alps_alpn_str_len, 1, UINT8_MAX(255))) {
7593 return next_offset;
7594 }
7595 offset++;
7596
7597 proto_tree_add_item(alps_tree, hf->hf.hs_ext_alps_alpn_str,
7598 tvb, offset, name_length, ENC_ASCII0x00000000|ENC_NA0x00000000);
7599 offset += name_length;
7600 }
7601
7602 return offset;
7603 }
7604 case SSL_HND_ENCRYPTED_EXTS:
7605 /* Opaque blob */
7606 proto_tree_add_item(tree, hf->hf.hs_ext_alps_settings,
7607 tvb, offset, offset_end - offset, ENC_ASCII0x00000000|ENC_NA0x00000000);
7608 break;
7609 }
7610
7611 return offset_end;
7612}
7613
7614static int
7615ssl_dissect_hnd_hello_ext_alpn(ssl_common_dissect_t *hf, tvbuff_t *tvb,
7616 packet_info *pinfo, proto_tree *tree,
7617 uint32_t offset, uint32_t offset_end,
7618 uint8_t hnd_type, SslSession *session,
7619 bool_Bool is_dtls, ja4_data_t *ja4_data)
7620{
7621
7622 /* https://tools.ietf.org/html/rfc7301#section-3.1
7623 * opaque ProtocolName<1..2^8-1>;
7624 * struct {
7625 * ProtocolName protocol_name_list<2..2^16-1>
7626 * } ProtocolNameList;
7627 */
7628 proto_tree *alpn_tree;
7629 proto_item *ti;
7630 uint32_t next_offset, alpn_length, name_length;
7631 uint8_t *proto_name = NULL((void*)0), *client_proto_name = NULL((void*)0);
7632
7633 /* ProtocolName protocol_name_list<2..2^16-1> */
7634 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &alpn_length,
7635 hf->hf.hs_ext_alpn_len, 2, UINT16_MAX(65535))) {
7636 return offset_end;
7637 }
7638 offset += 2;
7639 next_offset = offset + alpn_length;
7640
7641 ti = proto_tree_add_item(tree, hf->hf.hs_ext_alpn_list,
7642 tvb, offset, alpn_length, ENC_NA0x00000000);
7643 alpn_tree = proto_item_add_subtree(ti, hf->ett.hs_ext_alpn);
7644
7645 /* Parse list (note missing check for end of vector, ssl_add_vector below
7646 * ensures that data is always available.) */
7647 while (offset < next_offset) {
7648 /* opaque ProtocolName<1..2^8-1> */
7649 if (!ssl_add_vector(hf, tvb, pinfo, alpn_tree, offset, next_offset, &name_length,
7650 hf->hf.hs_ext_alpn_str_len, 1, UINT8_MAX(255))) {
7651 return next_offset;
7652 }
7653 offset++;
7654
7655 proto_tree_add_item(alpn_tree, hf->hf.hs_ext_alpn_str,
7656 tvb, offset, name_length, ENC_ASCII0x00000000|ENC_NA0x00000000);
7657 if (ja4_data && wmem_strbuf_get_len(ja4_data->alpn) == 0) {
7658 const char alpn_first_char = (char)tvb_get_uint8(tvb,offset);
7659 const char alpn_last_char = (char)tvb_get_uint8(tvb,offset + name_length - 1);
7660 if ((g_ascii_isprint(alpn_first_char)((g_ascii_table[(guchar) (alpn_first_char)] & G_ASCII_PRINT
) != 0)) && g_ascii_isprint(alpn_last_char)((g_ascii_table[(guchar) (alpn_last_char)] & G_ASCII_PRINT
) != 0)) {
7661 wmem_strbuf_append_printf(ja4_data->alpn, "%c%c", alpn_first_char, alpn_last_char);
7662 }
7663 else {
7664 wmem_strbuf_append_printf(ja4_data->alpn, "%x%x",(alpn_first_char >> 4) & 0x0F,
7665 alpn_last_char & 0x0F);
7666 }
7667 }
7668 /* Remember first ALPN ProtocolName entry for server. */
7669 if (hnd_type == SSL_HND_SERVER_HELLO || hnd_type == SSL_HND_ENCRYPTED_EXTENSIONS) {
7670 /* '\0'-terminated string for dissector table match and prefix
7671 * comparison purposes. */
7672 proto_name = tvb_get_string_enc(pinfo->pool, tvb, offset,
7673 name_length, ENC_ASCII0x00000000);
7674 } else if (hnd_type == SSL_HND_CLIENT_HELLO) {
7675 client_proto_name = tvb_get_string_enc(pinfo->pool, tvb, offset,
7676 name_length, ENC_ASCII0x00000000);
7677 }
7678 offset += name_length;
7679 }
7680
7681 /* If ALPN is given in ServerHello, then ProtocolNameList MUST contain
7682 * exactly one "ProtocolName". */
7683 if (proto_name) {
7684 dissector_handle_t handle;
7685
7686 session->alpn_name = wmem_strdup(wmem_file_scope(), proto_name);
7687
7688 if (is_dtls) {
7689 handle = dissector_get_string_handle(dtls_alpn_dissector_table,
7690 proto_name);
7691 } else {
7692 handle = dissector_get_string_handle(ssl_alpn_dissector_table,
7693 proto_name);
7694 if (handle == NULL((void*)0)) {
7695 /* Try prefix matching */
7696 for (size_t i = 0; i < G_N_ELEMENTS(ssl_alpn_prefix_match_protocols)(sizeof (ssl_alpn_prefix_match_protocols) / sizeof ((ssl_alpn_prefix_match_protocols
)[0])); i++) {
7697 const ssl_alpn_prefix_match_protocol_t *alpn_proto = &ssl_alpn_prefix_match_protocols[i];
7698
7699 /* string_string is inappropriate as it compares strings
7700 * while "byte strings MUST NOT be truncated" (RFC 7301) */
7701 if (g_str_has_prefix(proto_name, alpn_proto->proto_prefix)(__builtin_constant_p (alpn_proto->proto_prefix)? __extension__
({ const char * const __str = (proto_name); const char * const
__prefix = (alpn_proto->proto_prefix); gboolean __result =
(0); if (__str == ((void*)0) || __prefix == ((void*)0)) __result
= (g_str_has_prefix) (__str, __prefix); else { const size_t __str_len
= strlen (((__str) + !(__str))); const size_t __prefix_len =
strlen (((__prefix) + !(__prefix))); if (__str_len >= __prefix_len
) __result = memcmp (((__str) + !(__str)), ((__prefix) + !(__prefix
)), __prefix_len) == 0; } __result; }) : (g_str_has_prefix) (
proto_name, alpn_proto->proto_prefix) )) {
7702 handle = find_dissector(alpn_proto->dissector_name);
7703 break;
7704 }
7705 }
7706 }
7707 }
7708 if (handle != NULL((void*)0)) {
7709 /* ProtocolName match, so set the App data dissector handle.
7710 * This may override protocols given via the UAT dialog, but
7711 * since the ALPN hint is precise, do it anyway. */
7712 ssl_debug_printf("%s: changing handle %p to %p (%s)", G_STRFUNC((const char*) (__func__)),
7713 (void *)session->app_handle,
7714 (void *)handle,
7715 dissector_handle_get_dissector_name(handle));
7716 session->app_handle = handle;
7717 }
7718 } else if (client_proto_name) {
7719 // No current use for looking up the handle as the only consumer of this API is currently the QUIC dissector
7720 // and it just needs the string since there are/were various HTTP/3 ALPNs to check for.
7721 session->client_alpn_name = wmem_strdup(wmem_file_scope(), client_proto_name);
7722 }
7723
7724 return offset;
7725}
7726
7727static int
7728ssl_dissect_hnd_hello_ext_npn(ssl_common_dissect_t *hf, tvbuff_t *tvb,
7729 packet_info *pinfo, proto_tree *tree,
7730 uint32_t offset, uint32_t offset_end)
7731{
7732 /* https://tools.ietf.org/html/draft-agl-tls-nextprotoneg-04#page-3
7733 * The "extension_data" field of a "next_protocol_negotiation" extension
7734 * in a "ServerHello" contains an optional list of protocols advertised
7735 * by the server. Protocols are named by opaque, non-empty byte strings
7736 * and the list of protocols is serialized as a concatenation of 8-bit,
7737 * length prefixed byte strings. Implementations MUST ensure that the
7738 * empty string is not included and that no byte strings are truncated.
7739 */
7740 uint32_t npn_length;
7741 proto_tree *npn_tree;
7742
7743 /* List is optional, do not add tree if there are no entries. */
7744 if (offset == offset_end) {
7745 return offset;
7746 }
7747
7748 npn_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset, hf->ett.hs_ext_npn, NULL((void*)0), "Next Protocol Negotiation");
7749
7750 while (offset < offset_end) {
7751 /* non-empty, 8-bit length prefixed strings means range 1..255 */
7752 if (!ssl_add_vector(hf, tvb, pinfo, npn_tree, offset, offset_end, &npn_length,
7753 hf->hf.hs_ext_npn_str_len, 1, UINT8_MAX(255))) {
7754 return offset_end;
7755 }
7756 offset++;
7757
7758 proto_tree_add_item(npn_tree, hf->hf.hs_ext_npn_str,
7759 tvb, offset, npn_length, ENC_ASCII0x00000000|ENC_NA0x00000000);
7760 offset += npn_length;
7761 }
7762
7763 return offset;
7764}
7765
7766static int
7767ssl_dissect_hnd_hello_ext_reneg_info(ssl_common_dissect_t *hf, tvbuff_t *tvb,
7768 packet_info *pinfo, proto_tree *tree,
7769 uint32_t offset, uint32_t offset_end)
7770{
7771 /* https://tools.ietf.org/html/rfc5746#section-3.2
7772 * struct {
7773 * opaque renegotiated_connection<0..255>;
7774 * } RenegotiationInfo;
7775 *
7776 */
7777 proto_tree *reneg_info_tree;
7778 uint32_t reneg_info_length;
7779
7780 reneg_info_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset, hf->ett.hs_ext_reneg_info, NULL((void*)0), "Renegotiation Info extension");
7781
7782 /* opaque renegotiated_connection<0..255> */
7783 if (!ssl_add_vector(hf, tvb, pinfo, reneg_info_tree, offset, offset_end, &reneg_info_length,
7784 hf->hf.hs_ext_reneg_info_len, 0, 255)) {
7785 return offset_end;
7786 }
7787 offset++;
7788
7789 if (reneg_info_length > 0) {
7790 proto_tree_add_item(reneg_info_tree, hf->hf.hs_ext_reneg_info, tvb, offset, reneg_info_length, ENC_NA0x00000000);
7791 offset += reneg_info_length;
7792 }
7793
7794 return offset;
7795}
7796
7797static int
7798ssl_dissect_hnd_hello_ext_key_share_entry(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
7799 proto_tree *tree, uint32_t offset, uint32_t offset_end,
7800 const char **group_name_out)
7801{
7802 /* RFC 8446 Section 4.2.8
7803 * struct {
7804 * NamedGroup group;
7805 * opaque key_exchange<1..2^16-1>;
7806 * } KeyShareEntry;
7807 */
7808 uint32_t key_exchange_length, group;
7809 proto_tree *ks_tree;
7810
7811 ks_tree = proto_tree_add_subtree(tree, tvb, offset, 4, hf->ett.hs_ext_key_share_ks, NULL((void*)0), "Key Share Entry");
7812
7813 proto_tree_add_item_ret_uint(ks_tree, hf->hf.hs_ext_key_share_group, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &group);
7814 offset += 2;
7815 const char *group_name = val_to_str(group, ssl_extension_curves, "Unknown (%u)");
7816 proto_item_append_text(ks_tree, ": Group: %s", group_name);
7817 if (group_name_out) {
7818 *group_name_out = !IS_GREASE_TLS(group)((((group) & 0x0f0f) == 0x0a0a) && (((group) &
0xff) == (((group)>>8) & 0xff))) ? group_name : NULL((void*)0);
7819 }
7820
7821 /* opaque key_exchange<1..2^16-1> */
7822 if (!ssl_add_vector(hf, tvb, pinfo, ks_tree, offset, offset_end, &key_exchange_length,
7823 hf->hf.hs_ext_key_share_key_exchange_length, 1, UINT16_MAX(65535))) {
7824 return offset_end; /* Bad (possible truncated) length, skip to end of KeyShare extension. */
7825 }
7826 offset += 2;
7827 proto_item_set_len(ks_tree, 2 + 2 + key_exchange_length);
7828 proto_item_append_text(ks_tree, ", Key Exchange length: %u", key_exchange_length);
7829
7830 proto_tree_add_item(ks_tree, hf->hf.hs_ext_key_share_key_exchange, tvb, offset, key_exchange_length, ENC_NA0x00000000);
7831 offset += key_exchange_length;
7832
7833 return offset;
7834}
7835
7836static int
7837ssl_dissect_hnd_hello_ext_key_share(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
7838 proto_tree *tree, uint32_t offset, uint32_t offset_end,
7839 uint8_t hnd_type)
7840{
7841 proto_tree *key_share_tree;
7842 uint32_t next_offset;
7843 uint32_t client_shares_length;
7844 uint32_t group;
7845 const char *group_name = NULL((void*)0);
7846
7847 if (offset_end <= offset) { /* Check if ext_len == 0 and "overflow" (offset + ext_len) > uint32_t) */
7848 return offset;
7849 }
7850
7851 key_share_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset, hf->ett.hs_ext_key_share, NULL((void*)0), "Key Share extension");
7852
7853 switch(hnd_type){
7854 case SSL_HND_CLIENT_HELLO:
7855 /* KeyShareEntry client_shares<0..2^16-1> */
7856 if (!ssl_add_vector(hf, tvb, pinfo, key_share_tree, offset, offset_end, &client_shares_length,
7857 hf->hf.hs_ext_key_share_client_length, 0, UINT16_MAX(65535))) {
7858 return offset_end;
7859 }
7860 offset += 2;
7861 next_offset = offset + client_shares_length;
7862 const char *sep = " ";
7863 while (offset + 4 <= next_offset) { /* (NamedGroup (2 bytes), key_exchange (1 byte for length, 1 byte minimum data) */
7864 offset = ssl_dissect_hnd_hello_ext_key_share_entry(hf, tvb, pinfo, key_share_tree, offset, next_offset, &group_name);
7865 if (group_name) {
7866 proto_item_append_text(tree, "%s%s", sep, group_name);
7867 sep = ", ";
7868 }
7869 }
7870 if (!ssl_end_vector(hf, tvb, pinfo, key_share_tree, offset, next_offset)) {
7871 return next_offset;
7872 }
7873 break;
7874 case SSL_HND_SERVER_HELLO:
7875 offset = ssl_dissect_hnd_hello_ext_key_share_entry(hf, tvb, pinfo, key_share_tree, offset, offset_end, &group_name);
7876 if (group_name) {
7877 proto_item_append_text(tree, " %s", group_name);
7878 }
7879 break;
7880 case SSL_HND_HELLO_RETRY_REQUEST:
7881 proto_tree_add_item_ret_uint(key_share_tree, hf->hf.hs_ext_key_share_selected_group, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &group);
7882 offset += 2;
7883 group_name = val_to_str(group, ssl_extension_curves, "Unknown (%u)");
7884 proto_item_append_text(tree, " %s", group_name);
7885 break;
7886 default: /* no default */
7887 break;
7888 }
7889
7890 return offset;
7891}
7892
7893static int
7894ssl_dissect_hnd_hello_ext_pre_shared_key(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
7895 proto_tree *tree, uint32_t offset, uint32_t offset_end,
7896 uint8_t hnd_type)
7897{
7898 /* RFC 8446 Section 4.2.11
7899 * struct {
7900 * opaque identity<1..2^16-1>;
7901 * uint32 obfuscated_ticket_age;
7902 * } PskIdentity;
7903 * opaque PskBinderEntry<32..255>;
7904 * struct {
7905 * select (Handshake.msg_type) {
7906 * case client_hello:
7907 * PskIdentity identities<7..2^16-1>;
7908 * PskBinderEntry binders<33..2^16-1>;
7909 * case server_hello:
7910 * uint16 selected_identity;
7911 * };
7912 * } PreSharedKeyExtension;
7913 */
7914
7915 proto_tree *psk_tree;
7916
7917 psk_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset, hf->ett.hs_ext_pre_shared_key, NULL((void*)0), "Pre-Shared Key extension");
7918
7919 switch (hnd_type){
7920 case SSL_HND_CLIENT_HELLO: {
7921 uint32_t identities_length, identities_end, binders_length;
7922
7923 /* PskIdentity identities<7..2^16-1> */
7924 if (!ssl_add_vector(hf, tvb, pinfo, psk_tree, offset, offset_end, &identities_length,
7925 hf->hf.hs_ext_psk_identities_length, 7, UINT16_MAX(65535))) {
7926 return offset_end;
7927 }
7928 offset += 2;
7929 identities_end = offset + identities_length;
7930
7931 while (offset < identities_end) {
7932 uint32_t identity_length;
7933 proto_tree *identity_tree;
7934
7935 identity_tree = proto_tree_add_subtree(psk_tree, tvb, offset, 4, hf->ett.hs_ext_psk_identity, NULL((void*)0), "PSK Identity (");
7936
7937 /* opaque identity<1..2^16-1> */
7938 if (!ssl_add_vector(hf, tvb, pinfo, identity_tree, offset, identities_end, &identity_length,
7939 hf->hf.hs_ext_psk_identity_identity_length, 1, UINT16_MAX(65535))) {
7940 return identities_end;
7941 }
7942 offset += 2;
7943 proto_item_append_text(identity_tree, "length: %u)", identity_length);
7944
7945 proto_tree_add_item(identity_tree, hf->hf.hs_ext_psk_identity_identity, tvb, offset, identity_length, ENC_BIG_ENDIAN0x00000000);
7946 offset += identity_length;
7947
7948 proto_tree_add_item(identity_tree, hf->hf.hs_ext_psk_identity_obfuscated_ticket_age, tvb, offset, 4, ENC_BIG_ENDIAN0x00000000);
7949 offset += 4;
7950
7951 proto_item_set_len(identity_tree, 2 + identity_length + 4);
7952 }
7953 if (!ssl_end_vector(hf, tvb, pinfo, psk_tree, offset, identities_end)) {
7954 offset = identities_end;
7955 }
7956
7957 /* PskBinderEntry binders<33..2^16-1> */
7958 if (!ssl_add_vector(hf, tvb, pinfo, psk_tree, offset, offset_end, &binders_length,
7959 hf->hf.hs_ext_psk_binders_length, 33, UINT16_MAX(65535))) {
7960 return offset_end;
7961 }
7962 offset += 2;
7963
7964 proto_tree_add_item(psk_tree, hf->hf.hs_ext_psk_binders, tvb, offset, binders_length, ENC_NA0x00000000);
7965 offset += binders_length;
7966 }
7967 break;
7968 case SSL_HND_SERVER_HELLO: {
7969 proto_tree_add_item(psk_tree, hf->hf.hs_ext_psk_identity_selected, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
7970 offset += 2;
7971 }
7972 break;
7973 default:
7974 break;
7975 }
7976
7977 return offset;
7978}
7979
7980static uint32_t
7981ssl_dissect_hnd_hello_ext_early_data(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo _U___attribute__((unused)),
7982 proto_tree *tree, uint32_t offset, uint32_t offset_end _U___attribute__((unused)),
7983 uint8_t hnd_type, SslDecryptSession *ssl)
7984{
7985 /* RFC 8446 Section 4.2.10
7986 * struct {} Empty;
7987 * struct {
7988 * select (Handshake.msg_type) {
7989 * case new_session_ticket: uint32 max_early_data_size;
7990 * case client_hello: Empty;
7991 * case encrypted_extensions: Empty;
7992 * };
7993 * } EarlyDataIndication;
7994 */
7995 switch (hnd_type) {
7996 case SSL_HND_CLIENT_HELLO:
7997 /* Remember that early_data will follow the handshake. */
7998 if (ssl) {
7999 ssl_debug_printf("%s found early_data extension\n", G_STRFUNC((const char*) (__func__)));
8000 ssl->has_early_data = true1;
8001 }
8002 break;
8003 case SSL_HND_NEWSESSION_TICKET:
8004 proto_tree_add_item(tree, hf->hf.hs_ext_max_early_data_size, tvb, offset, 4, ENC_BIG_ENDIAN0x00000000);
8005 offset += 4;
8006 break;
8007 default:
8008 break;
8009 }
8010 return offset;
8011}
8012
8013static uint16_t
8014tls_try_get_version(bool_Bool is_dtls, uint16_t version, uint8_t *draft_version)
8015{
8016 if (draft_version) {
8017 *draft_version = 0;
8018 }
8019 if (!is_dtls) {
8020 uint8_t tls13_draft = extract_tls13_draft_version(version);
8021 if (tls13_draft != 0) {
8022 /* This is TLS 1.3 (a draft version). */
8023 if (draft_version) {
8024 *draft_version = tls13_draft;
8025 }
8026 version = TLSV1DOT3_VERSION0x304;
8027 }
8028 if (version == 0xfb17 || version == 0xfb1a) {
8029 /* Unofficial TLS 1.3 draft version for Facebook fizz. */
8030 tls13_draft = (uint8_t)version;
8031 if (draft_version) {
8032 *draft_version = tls13_draft;
8033 }
8034 version = TLSV1DOT3_VERSION0x304;
8035 }
8036 }
8037
8038 switch (version) {
8039 case SSLV3_VERSION0x300:
8040 case TLSV1_VERSION0x301:
8041 case TLSV1DOT1_VERSION0x302:
8042 case TLSV1DOT2_VERSION0x303:
8043 case TLSV1DOT3_VERSION0x304:
8044 case TLCPV1_VERSION0x101:
8045 if (is_dtls)
8046 return SSL_VER_UNKNOWN0;
8047 break;
8048
8049 case DTLSV1DOT0_VERSION0xfeff:
8050 case DTLSV1DOT0_OPENSSL_VERSION0x100:
8051 case DTLSV1DOT2_VERSION0xfefd:
8052 case DTLSV1DOT3_VERSION0xfefc:
8053 if (!is_dtls)
8054 return SSL_VER_UNKNOWN0;
8055 break;
8056
8057 default: /* invalid version number */
8058 return SSL_VER_UNKNOWN0;
8059 }
8060
8061 return version;
8062}
8063
8064static int
8065ssl_dissect_hnd_hello_ext_supported_versions(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8066 proto_tree *tree, uint32_t offset, uint32_t offset_end,
8067 SslSession *session, bool_Bool is_dtls, ja4_data_t *ja4_data)
8068{
8069
8070 /* RFC 8446 Section 4.2.1
8071 * struct {
8072 * ProtocolVersion versions<2..254>; // ClientHello
8073 * } SupportedVersions;
8074 * Note that ServerHello and HelloRetryRequest are handled by the caller.
8075 */
8076 uint32_t versions_length, next_offset;
8077 /* ProtocolVersion versions<2..254> */
8078 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &versions_length,
8079 hf->hf.hs_ext_supported_versions_len, 2, 254)) {
8080 return offset_end;
8081 }
8082 offset++;
8083 next_offset = offset + versions_length;
8084
8085 unsigned version;
8086 unsigned current_version, lowest_version = SSL_VER_UNKNOWN0;
8087 uint8_t draft_version, max_draft_version = 0;
8088 const char *sep = " ";
8089 while (offset + 2 <= next_offset) {
8090 proto_tree_add_item_ret_uint(tree, hf->hf.hs_ext_supported_version, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &version);
8091 offset += 2;
8092
8093 if (!IS_GREASE_TLS(version)((((version) & 0x0f0f) == 0x0a0a) && (((version) &
0xff) == (((version)>>8) & 0xff)))) {
8094 proto_item_append_text(tree, "%s%s", sep, val_to_str(version, ssl_versions, "Unknown (0x%04x)"));
8095 sep = ", ";
8096 }
8097
8098 current_version = tls_try_get_version(is_dtls, version, &draft_version);
8099 if (session->version == SSL_VER_UNKNOWN0) {
8100 if (lowest_version == SSL_VER_UNKNOWN0) {
8101 lowest_version = current_version;
8102 } else if (current_version != SSL_VER_UNKNOWN0) {
8103 if (!is_dtls) {
8104 lowest_version = MIN(lowest_version, current_version)(((lowest_version) < (current_version)) ? (lowest_version)
: (current_version));
8105 } else {
8106 lowest_version = MAX(lowest_version, current_version)(((lowest_version) > (current_version)) ? (lowest_version)
: (current_version));
8107 }
8108 }
8109 }
8110 max_draft_version = MAX(draft_version, max_draft_version)(((draft_version) > (max_draft_version)) ? (draft_version)
: (max_draft_version));
8111 if (ja4_data && !IS_GREASE_TLS(version)((((version) & 0x0f0f) == 0x0a0a) && (((version) &
0xff) == (((version)>>8) & 0xff)))) {
8112 /* The DTLS version numbers get mapped to "00" for unknown per
8113 * JA4 spec, but if JA4 ever does support DTLS we'll probably
8114 * need to take the MIN instead of MAX here for DTLS.
8115 */
8116 ja4_data->max_version = MAX(version, ja4_data->max_version)(((version) > (ja4_data->max_version)) ? (version) : (ja4_data
->max_version));
8117 }
8118 }
8119 if (session->version == SSL_VER_UNKNOWN0 && lowest_version != SSL_VER_UNKNOWN0) {
8120 col_set_str(pinfo->cinfo, COL_PROTOCOL,
8121 val_to_str_const(version, ssl_version_short_names, is_dtls ? "DTLS" : "TLS"));
8122 }
8123 if (!ssl_end_vector(hf, tvb, pinfo, tree, offset, next_offset)) {
8124 offset = next_offset;
8125 }
8126
8127 /* XXX remove this when draft 19 support is dropped,
8128 * this is only required for early data decryption. */
8129 if (max_draft_version) {
8130 session->tls13_draft_version = max_draft_version;
8131 }
8132
8133 return offset;
8134}
8135
8136static int
8137ssl_dissect_hnd_hello_ext_cookie(ssl_common_dissect_t *hf, tvbuff_t *tvb,
8138 packet_info *pinfo, proto_tree *tree,
8139 uint32_t offset, uint32_t offset_end)
8140{
8141 /* RFC 8446 Section 4.2.2
8142 * struct {
8143 * opaque cookie<1..2^16-1>;
8144 * } Cookie;
8145 */
8146 uint32_t cookie_length;
8147 /* opaque cookie<1..2^16-1> */
8148 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &cookie_length,
8149 hf->hf.hs_ext_cookie_len, 1, UINT16_MAX(65535))) {
8150 return offset_end;
8151 }
8152 offset += 2;
8153
8154 proto_tree_add_item(tree, hf->hf.hs_ext_cookie, tvb, offset, cookie_length, ENC_NA0x00000000);
8155 offset += cookie_length;
8156
8157 return offset;
8158}
8159
8160static int
8161ssl_dissect_hnd_hello_ext_psk_key_exchange_modes(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8162 proto_tree *tree, uint32_t offset, uint32_t offset_end)
8163{
8164 /* RFC 8446 Section 4.2.9
8165 * enum { psk_ke(0), psk_dhe_ke(1), (255) } PskKeyExchangeMode;
8166 *
8167 * struct {
8168 * PskKeyExchangeMode ke_modes<1..255>;
8169 * } PskKeyExchangeModes;
8170 */
8171 uint32_t ke_modes_length, next_offset;
8172
8173 /* PskKeyExchangeMode ke_modes<1..255> */
8174 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &ke_modes_length,
8175 hf->hf.hs_ext_psk_ke_modes_length, 1, 255)) {
8176 return offset_end;
8177 }
8178 offset++;
8179 next_offset = offset + ke_modes_length;
8180
8181 while (offset < next_offset) {
8182 proto_tree_add_item(tree, hf->hf.hs_ext_psk_ke_mode, tvb, offset, 1, ENC_NA0x00000000);
8183 offset++;
8184 }
8185
8186 return offset;
8187}
8188
8189static uint32_t
8190ssl_dissect_hnd_hello_ext_certificate_authorities(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8191 proto_tree *tree, uint32_t offset, uint32_t offset_end)
8192{
8193 /* RFC 8446 Section 4.2.4
8194 * opaque DistinguishedName<1..2^16-1>;
8195 * struct {
8196 * DistinguishedName authorities<3..2^16-1>;
8197 * } CertificateAuthoritiesExtension;
8198 */
8199 return tls_dissect_certificate_authorities(hf, tvb, pinfo, tree, offset, offset_end);
8200}
8201
8202static int
8203ssl_dissect_hnd_hello_ext_oid_filters(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8204 proto_tree *tree, uint32_t offset, uint32_t offset_end)
8205{
8206 /* RFC 8446 Section 4.2.5
8207 * struct {
8208 * opaque certificate_extension_oid<1..2^8-1>;
8209 * opaque certificate_extension_values<0..2^16-1>;
8210 * } OIDFilter;
8211 * struct {
8212 * OIDFilter filters<0..2^16-1>;
8213 * } OIDFilterExtension;
8214 */
8215 proto_tree *subtree;
8216 uint32_t filters_length, oid_length, values_length, value_offset;
8217 asn1_ctx_t asn1_ctx;
8218 const char *oid, *name;
8219
8220 /* OIDFilter filters<0..2^16-1> */
8221 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &filters_length,
8222 hf->hf.hs_ext_psk_ke_modes_length, 0, UINT16_MAX(65535))) {
8223 return offset_end;
8224 }
8225 offset += 2;
8226 offset_end = offset + filters_length;
8227
8228 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true1, pinfo);
8229
8230 while (offset < offset_end) {
8231 subtree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
8232 hf->ett.hs_ext_oid_filter, NULL((void*)0), "OID Filter");
8233
8234 /* opaque certificate_extension_oid<1..2^8-1> */
8235 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, offset_end, &oid_length,
8236 hf->hf.hs_ext_oid_filters_oid_length, 1, UINT8_MAX(255))) {
8237 return offset_end;
8238 }
8239 offset++;
8240 dissect_ber_object_identifier_str(false0, &asn1_ctx, subtree, tvb, offset,
8241 hf->hf.hs_ext_oid_filters_oid, &oid);
8242 offset += oid_length;
8243
8244 /* Append OID to tree label */
8245 name = oid_resolved_from_string(pinfo->pool, oid);
8246 proto_item_append_text(subtree, " (%s)", name ? name : oid);
8247
8248 /* opaque certificate_extension_values<0..2^16-1> */
8249 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, offset_end, &values_length,
8250 hf->hf.hs_ext_oid_filters_values_length, 0, UINT16_MAX(65535))) {
8251 return offset_end;
8252 }
8253 offset += 2;
8254 proto_item_set_len(subtree, 1 + oid_length + 2 + values_length);
8255 if (values_length > 0) {
8256 value_offset = offset;
8257 value_offset = dissect_ber_identifier(pinfo, subtree, tvb, value_offset, NULL((void*)0), NULL((void*)0), NULL((void*)0));
8258 value_offset = dissect_ber_length(pinfo, subtree, tvb, value_offset, NULL((void*)0), NULL((void*)0));
8259 call_ber_oid_callback(oid, tvb, value_offset, pinfo, subtree, NULL((void*)0));
8260 }
8261 offset += values_length;
8262 }
8263
8264 return offset;
8265}
8266
8267static int
8268ssl_dissect_hnd_hello_ext_server_name(ssl_common_dissect_t *hf, tvbuff_t *tvb,
8269 packet_info *pinfo, proto_tree *tree,
8270 uint32_t offset, uint32_t offset_end)
8271{
8272 /* https://tools.ietf.org/html/rfc6066#section-3
8273 *
8274 * struct {
8275 * NameType name_type;
8276 * select (name_type) {
8277 * case host_name: HostName;
8278 * } name;
8279 * } ServerName;
8280 *
8281 * enum {
8282 * host_name(0), (255)
8283 * } NameType;
8284 *
8285 * opaque HostName<1..2^16-1>;
8286 *
8287 * struct {
8288 * ServerName server_name_list<1..2^16-1>
8289 * } ServerNameList;
8290 */
8291 proto_tree *server_name_tree;
8292 uint32_t list_length, server_name_length, next_offset;
8293
8294 /* The server SHALL include "server_name" extension with empty data. */
8295 if (offset == offset_end) {
8296 return offset;
8297 }
8298
8299 server_name_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset, hf->ett.hs_ext_server_name, NULL((void*)0), "Server Name Indication extension");
8300
8301 /* ServerName server_name_list<1..2^16-1> */
8302 if (!ssl_add_vector(hf, tvb, pinfo, server_name_tree, offset, offset_end, &list_length,
8303 hf->hf.hs_ext_server_name_list_len, 1, UINT16_MAX(65535))) {
8304 return offset_end;
8305 }
8306 offset += 2;
8307 next_offset = offset + list_length;
8308
8309 while (offset < next_offset) {
8310 uint32_t name_type;
8311 const uint8_t *server_name = NULL((void*)0);
8312 proto_tree_add_item_ret_uint(server_name_tree, hf->hf.hs_ext_server_name_type,
8313 tvb, offset, 1, ENC_NA0x00000000, &name_type);
8314 offset++;
8315
8316 /* opaque HostName<1..2^16-1> */
8317 if (!ssl_add_vector(hf, tvb, pinfo, server_name_tree, offset, next_offset, &server_name_length,
8318 hf->hf.hs_ext_server_name_len, 1, UINT16_MAX(65535))) {
8319 return next_offset;
8320 }
8321 offset += 2;
8322
8323 proto_tree_add_item_ret_string(server_name_tree, hf->hf.hs_ext_server_name,
8324 tvb, offset, server_name_length, ENC_ASCII0x00000000|ENC_NA0x00000000,
8325 pinfo->pool, &server_name);
8326 offset += server_name_length;
8327 // Each type must only occur once, so we don't check for duplicates.
8328 if (name_type == 0) {
8329 proto_item_append_text(tree, " name=%s", server_name);
8330 col_append_fstr(pinfo->cinfo, COL_INFO, " (SNI=%s)", server_name);
8331
8332 if (gbl_resolv_flags.handshake_sni_addr_resolution) {
8333 // Client Hello: Client (Src) -> Server (Dst)
8334 switch (pinfo->dst.type) {
8335 case AT_IPv4:
8336 if (pinfo->dst.len == sizeof(uint32_t)) {
8337 add_ipv4_name(*(uint32_t *)pinfo->dst.data, server_name, false0);
8338 }
8339 break;
8340 case AT_IPv6:
8341 if (pinfo->dst.len == sizeof(ws_in6_addr)) {
8342 add_ipv6_name(pinfo->dst.data, server_name, false0);
8343 }
8344 break;
8345 }
8346 }
8347 }
8348 }
8349 return offset;
8350}
8351
8352static int
8353ssl_dissect_hnd_hello_ext_session_ticket(ssl_common_dissect_t *hf, tvbuff_t *tvb,
8354 proto_tree *tree, uint32_t offset, uint32_t offset_end, uint8_t hnd_type, SslDecryptSession *ssl)
8355{
8356 unsigned ext_len = offset_end - offset;
8357 if (hnd_type == SSL_HND_CLIENT_HELLO && ssl && ext_len != 0) {
8358 tvb_ensure_bytes_exist(tvb, offset, ext_len);
8359 /* Save the Session Ticket such that it can be used as identifier for
8360 * restoring a previous Master Secret (in ChangeCipherSpec) */
8361 ssl->session_ticket.data = (unsigned char*)wmem_realloc(wmem_file_scope(),
8362 ssl->session_ticket.data, ext_len);
8363 ssl->session_ticket.data_len = ext_len;
8364 tvb_memcpy(tvb,ssl->session_ticket.data, offset, ext_len);
8365 }
8366 proto_tree_add_item(tree, hf->hf.hs_ext_session_ticket,
8367 tvb, offset, ext_len, ENC_NA0x00000000);
8368 return offset + ext_len;
8369}
8370
8371static int
8372ssl_dissect_hnd_hello_ext_cert_type(ssl_common_dissect_t *hf, tvbuff_t *tvb,
8373 proto_tree *tree, uint32_t offset, uint32_t offset_end,
8374 uint8_t hnd_type, uint16_t ext_type, SslSession *session)
8375{
8376 uint8_t cert_list_length;
8377 uint8_t cert_type;
8378 proto_tree *cert_list_tree;
8379 proto_item *ti;
8380
8381 switch(hnd_type){
8382 case SSL_HND_CLIENT_HELLO:
8383 cert_list_length = tvb_get_uint8(tvb, offset);
8384 proto_tree_add_item(tree, hf->hf.hs_ext_cert_types_len,
8385 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
8386 offset += 1;
8387 if (offset_end - offset != (uint32_t)cert_list_length)
8388 return offset;
8389
8390 ti = proto_tree_add_item(tree, hf->hf.hs_ext_cert_types, tvb, offset,
8391 cert_list_length, cert_list_length);
8392 proto_item_append_text(ti, " (%d)", cert_list_length);
8393
8394 /* make this a subtree */
8395 cert_list_tree = proto_item_add_subtree(ti, hf->ett.hs_ext_cert_types);
8396
8397 /* loop over all point formats */
8398 while (cert_list_length > 0)
8399 {
8400 proto_tree_add_item(cert_list_tree, hf->hf.hs_ext_cert_type, tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
8401 offset++;
8402 cert_list_length--;
8403 }
8404 break;
8405 case SSL_HND_SERVER_HELLO:
8406 case SSL_HND_ENCRYPTED_EXTENSIONS:
8407 case SSL_HND_CERTIFICATE:
8408 cert_type = tvb_get_uint8(tvb, offset);
8409 proto_tree_add_item(tree, hf->hf.hs_ext_cert_type, tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
8410 offset += 1;
8411 if (ext_type == SSL_HND_HELLO_EXT_CERT_TYPE9 || ext_type == SSL_HND_HELLO_EXT_CLIENT_CERT_TYPE19) {
8412 session->client_cert_type = cert_type;
8413 }
8414 if (ext_type == SSL_HND_HELLO_EXT_CERT_TYPE9 || ext_type == SSL_HND_HELLO_EXT_SERVER_CERT_TYPE20) {
8415 session->server_cert_type = cert_type;
8416 }
8417 break;
8418 default: /* no default */
8419 break;
8420 }
8421
8422 return offset;
8423}
8424
8425static uint32_t
8426ssl_dissect_hnd_hello_ext_compress_certificate(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8427 proto_tree *tree, uint32_t offset, uint32_t offset_end,
8428 uint8_t hnd_type, SslDecryptSession *ssl _U___attribute__((unused)))
8429{
8430 uint32_t compress_certificate_algorithms_length, next_offset;
8431
8432 /* https://tools.ietf.org/html/draft-ietf-tls-certificate-compression-03#section-3.0
8433 * enum {
8434 * zlib(1),
8435 * brotli(2),
8436 * (65535)
8437 * } CertificateCompressionAlgorithm;
8438 *
8439 * struct {
8440 * CertificateCompressionAlgorithm algorithms<1..2^8-1>;
8441 * } CertificateCompressionAlgorithms;
8442 */
8443 switch (hnd_type) {
8444 case SSL_HND_CLIENT_HELLO:
8445 case SSL_HND_CERT_REQUEST:
8446 /* CertificateCompressionAlgorithm algorithms<1..2^8-1>;*/
8447 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &compress_certificate_algorithms_length,
8448 hf->hf.hs_ext_compress_certificate_algorithms_length, 1, UINT8_MAX(255)-1)) {
8449 return offset_end;
8450 }
8451 offset += 1;
8452 next_offset = offset + compress_certificate_algorithms_length;
8453
8454 while (offset < next_offset) {
8455 proto_tree_add_item(tree, hf->hf.hs_ext_compress_certificate_algorithm,
8456 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
8457 offset += 2;
8458 }
8459 break;
8460 default:
8461 break;
8462 }
8463
8464 return offset;
8465}
8466
8467static uint32_t
8468ssl_dissect_hnd_hello_ext_token_binding(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8469 proto_tree *tree, uint32_t offset, uint32_t offset_end,
8470 uint8_t hnd_type, SslDecryptSession *ssl _U___attribute__((unused)))
8471{
8472 uint32_t key_parameters_length, next_offset;
8473 proto_item *p_ti;
8474 proto_tree *p_tree;
8475
8476 /* RFC 8472
8477 *
8478 * struct {
8479 * uint8 major;
8480 * uint8 minor;
8481 * } TB_ProtocolVersion;
8482 *
8483 * enum {
8484 * rsa2048_pkcs1.5(0), rsa2048_pss(1), ecdsap256(2), (255)
8485 * } TokenBindingKeyParameters;
8486 *
8487 * struct {
8488 * TB_ProtocolVersion token_binding_version;
8489 * TokenBindingKeyParameters key_parameters_list<1..2^8-1>
8490 * } TokenBindingParameters;
8491 */
8492
8493 switch (hnd_type) {
8494 case SSL_HND_CLIENT_HELLO:
8495 case SSL_HND_SERVER_HELLO:
8496 proto_tree_add_item(tree, hf->hf.hs_ext_token_binding_version_major, tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
8497 offset += 1;
8498 proto_tree_add_item(tree, hf->hf.hs_ext_token_binding_version_minor, tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
8499 offset += 1;
8500
8501 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &key_parameters_length,
8502 hf->hf.hs_ext_token_binding_key_parameters_length, 1, UINT8_MAX(255))) {
8503 return offset_end;
8504 }
8505 offset += 1;
8506 next_offset = offset + key_parameters_length;
8507
8508 p_ti = proto_tree_add_none_format(tree,
8509 hf->hf.hs_ext_token_binding_key_parameters,
8510 tvb, offset, key_parameters_length,
8511 "Key parameters identifiers (%d identifier%s)",
8512 key_parameters_length,
8513 plurality(key_parameters_length, "", "s")((key_parameters_length) == 1 ? ("") : ("s")));
8514 p_tree = proto_item_add_subtree(p_ti, hf->ett.hs_ext_token_binding_key_parameters);
8515
8516 while (offset < next_offset) {
8517 proto_tree_add_item(p_tree, hf->hf.hs_ext_token_binding_key_parameter,
8518 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
8519 offset += 1;
8520 }
8521
8522 if (!ssl_end_vector(hf, tvb, pinfo, p_tree, offset, next_offset)) {
8523 offset = next_offset;
8524 }
8525
8526 break;
8527 default:
8528 break;
8529 }
8530
8531 return offset;
8532}
8533
8534static uint32_t
8535ssl_dissect_hnd_hello_ext_quic_transport_parameters(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8536 proto_tree *tree, uint32_t offset, uint32_t offset_end,
8537 uint8_t hnd_type, SslDecryptSession *ssl _U___attribute__((unused)))
8538{
8539 bool_Bool use_varint_encoding = true1; // Whether this is draft -27 or newer.
8540 uint32_t next_offset;
8541
8542 /* https://tools.ietf.org/html/draft-ietf-quic-transport-25#section-18
8543 *
8544 * Note: the following structures are not literally defined in the spec,
8545 * they instead use an ASCII diagram.
8546 *
8547 * struct {
8548 * uint16 id;
8549 * opaque value<0..2^16-1>;
8550 * } TransportParameter; // before draft -27
8551 * TransportParameter TransportParameters<0..2^16-1>; // before draft -27
8552 *
8553 * struct {
8554 * opaque ipv4Address[4];
8555 * uint16 ipv4Port;
8556 * opaque ipv6Address[16];
8557 * uint16 ipv6Port;
8558 * opaque connectionId<0..18>;
8559 * opaque statelessResetToken[16];
8560 * } PreferredAddress;
8561 */
8562
8563 if (offset_end - offset >= 6 &&
8564 2 + (unsigned)tvb_get_ntohs(tvb, offset) == offset_end - offset &&
8565 6 + (unsigned)tvb_get_ntohs(tvb, offset + 4) <= offset_end - offset) {
8566 // Assume encoding of Transport Parameters draft -26 or older with at
8567 // least one transport parameter that has a valid length.
8568 use_varint_encoding = false0;
8569 }
8570
8571 if (use_varint_encoding) {
8572 next_offset = offset_end;
8573 } else {
8574 uint32_t quic_length;
8575 // Assume draft -26 or earlier.
8576 /* TransportParameter TransportParameters<0..2^16-1>; */
8577 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &quic_length,
8578 hf->hf.hs_ext_quictp_len, 0, UINT16_MAX(65535))) {
8579 return offset_end;
8580 }
8581 offset += 2;
8582 next_offset = offset + quic_length;
8583 }
8584
8585 while (offset < next_offset) {
8586 uint64_t parameter_type; /* 62-bit space */
8587 uint32_t parameter_length;
8588 proto_tree *parameter_tree;
8589 uint32_t parameter_end_offset;
8590 uint64_t value;
8591 uint32_t len = 0, i;
8592
8593 parameter_tree = proto_tree_add_subtree(tree, tvb, offset, 2, hf->ett.hs_ext_quictp_parameter,
8594 NULL((void*)0), "Parameter");
8595 /* TransportParameter ID and Length. */
8596 if (use_varint_encoding) {
8597 uint64_t parameter_length64;
8598 uint32_t type_len = 0;
8599
8600 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_type,
8601 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &parameter_type, &type_len);
8602 offset += type_len;
8603
8604 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_len,
8605 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &parameter_length64, &len);
8606 parameter_length = (uint32_t)parameter_length64;
8607 offset += len;
8608
8609 proto_item_set_len(parameter_tree, type_len + len + parameter_length);
8610 } else {
8611 parameter_type = tvb_get_ntohs(tvb, offset);
8612 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_type,
8613 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
8614 offset += 2;
8615
8616 /* opaque value<0..2^16-1> */
8617 if (!ssl_add_vector(hf, tvb, pinfo, parameter_tree, offset, next_offset, &parameter_length,
8618 hf->hf.hs_ext_quictp_parameter_len_old, 0, UINT16_MAX(65535))) {
8619 return next_offset;
8620 }
8621 offset += 2;
8622
8623 proto_item_set_len(parameter_tree, 4 + parameter_length);
8624 }
8625
8626 if (IS_GREASE_QUIC(parameter_type)((parameter_type) > 27 ? ((((parameter_type) - 27) % 31) ==
0) : 0)) {
8627 proto_item_append_text(parameter_tree, ": GREASE");
8628 } else {
8629 proto_item_append_text(parameter_tree, ": %s", val64_to_str(parameter_type, quic_transport_parameter_id, "Unknown 0x%04x"));
8630 }
8631
8632 proto_item_append_text(parameter_tree, " (len=%u)", parameter_length);
8633 parameter_end_offset = offset + parameter_length;
8634
8635 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_value,
8636 tvb, offset, parameter_length, ENC_NA0x00000000);
8637
8638 switch (parameter_type) {
8639 case SSL_HND_QUIC_TP_ORIGINAL_DESTINATION_CONNECTION_ID0x00:
8640 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_original_destination_connection_id,
8641 tvb, offset, parameter_length, ENC_NA0x00000000);
8642 offset += parameter_length;
8643 break;
8644 case SSL_HND_QUIC_TP_MAX_IDLE_TIMEOUT0x01:
8645 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_max_idle_timeout,
8646 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8647 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u" " ms", value);
8648 offset += len;
8649 break;
8650 case SSL_HND_QUIC_TP_STATELESS_RESET_TOKEN0x02:
8651 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_stateless_reset_token,
8652 tvb, offset, 16, ENC_BIG_ENDIAN0x00000000);
8653 quic_add_stateless_reset_token(pinfo, tvb, offset, NULL((void*)0));
8654 offset += 16;
8655 break;
8656 case SSL_HND_QUIC_TP_MAX_UDP_PAYLOAD_SIZE0x03:
8657 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_max_udp_payload_size,
8658 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8659 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8660 /*TODO display expert info about invalid value (< 1252 or >65527) ? */
8661 offset += len;
8662 break;
8663 case SSL_HND_QUIC_TP_INITIAL_MAX_DATA0x04:
8664 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_data,
8665 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8666 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8667 offset += len;
8668 break;
8669 case SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_BIDI_LOCAL0x05:
8670 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_stream_data_bidi_local,
8671 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8672 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8673 offset += len;
8674 break;
8675 case SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_BIDI_REMOTE0x06:
8676 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_stream_data_bidi_remote,
8677 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8678 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8679 offset += len;
8680 break;
8681 case SSL_HND_QUIC_TP_INITIAL_MAX_STREAM_DATA_UNI0x07:
8682 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_stream_data_uni,
8683 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8684 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8685 offset += len;
8686 break;
8687 case SSL_HND_QUIC_TP_INITIAL_MAX_STREAMS_UNI0x09:
8688 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_streams_uni,
8689 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8690 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8691 offset += len;
8692 break;
8693 case SSL_HND_QUIC_TP_INITIAL_MAX_STREAMS_BIDI0x08:
8694 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_streams_bidi,
8695 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8696 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8697 offset += len;
8698 break;
8699 case SSL_HND_QUIC_TP_ACK_DELAY_EXPONENT0x0a:
8700 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_ack_delay_exponent,
8701 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, NULL((void*)0), &len);
8702 /*TODO display multiplier (x8) and expert info about invalid value (> 20) ? */
8703 offset += len;
8704 break;
8705 case SSL_HND_QUIC_TP_MAX_ACK_DELAY0x0b:
8706 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_max_ack_delay,
8707 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8708 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8709 offset += len;
8710 break;
8711 case SSL_HND_QUIC_TP_DISABLE_ACTIVE_MIGRATION0x0c:
8712 /* No Payload */
8713 break;
8714 case SSL_HND_QUIC_TP_PREFERRED_ADDRESS0x0d: {
8715 uint32_t connectionid_length;
8716 quic_cid_t cid;
8717
8718 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_ipv4address,
8719 tvb, offset, 4, ENC_BIG_ENDIAN0x00000000);
8720 offset += 4;
8721 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_ipv4port,
8722 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
8723 offset += 2;
8724 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_ipv6address,
8725 tvb, offset, 16, ENC_NA0x00000000);
8726 offset += 16;
8727 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_ipv6port,
8728 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
8729 offset += 2;
8730 /* XXX - Should we add these addresses and ports as addresses that the client
8731 * is allowed / expected to migrate the server address to? Right now we don't
8732 * enforce that (see RFC 9000 Section 9, which implies that while the client
8733 * can migrate to whatever address it wants, it can only migrate the server
8734 * address to the Server's Preferred Address as in 9.6. Also Issue #20165.)
8735 */
8736
8737 if (!ssl_add_vector(hf, tvb, pinfo, parameter_tree, offset, offset_end, &connectionid_length,
8738 hf->hf.hs_ext_quictp_parameter_pa_connectionid_length, 0, 20)) {
8739 break;
8740 }
8741 offset += 1;
8742
8743 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_connectionid,
8744 tvb, offset, connectionid_length, ENC_NA0x00000000);
8745 if (connectionid_length >= 1 && connectionid_length <= QUIC_MAX_CID_LENGTH20) {
8746 cid.len = connectionid_length;
8747 // RFC 9000 5.1.1 "If the preferred_address transport
8748 // parameter is sent, the sequence number of the supplied
8749 // connection ID is 1."
8750 cid.seq_num = 1;
8751 // Multipath draft-07 "Also, the Path Identifier for the
8752 // connection ID specified in the "preferred address"
8753 // transport parameter is 0."
8754 cid.path_id = 0;
8755 tvb_memcpy(tvb, cid.cid, offset, connectionid_length);
8756 quic_add_connection(pinfo, &cid);
8757 }
8758 offset += connectionid_length;
8759
8760 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_pa_statelessresettoken,
8761 tvb, offset, 16, ENC_NA0x00000000);
8762 if (connectionid_length >= 1 && connectionid_length <= QUIC_MAX_CID_LENGTH20) {
8763 quic_add_stateless_reset_token(pinfo, tvb, offset, &cid);
8764 }
8765 offset += 16;
8766 }
8767 break;
8768 case SSL_HND_QUIC_TP_ACTIVE_CONNECTION_ID_LIMIT0x0e:
8769 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_active_connection_id_limit,
8770 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8771 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8772 offset += len;
8773 break;
8774 case SSL_HND_QUIC_TP_INITIAL_SOURCE_CONNECTION_ID0x0f:
8775 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_source_connection_id,
8776 tvb, offset, parameter_length, ENC_NA0x00000000);
8777 offset += parameter_length;
8778 break;
8779 case SSL_HND_QUIC_TP_RETRY_SOURCE_CONNECTION_ID0x10:
8780 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_retry_source_connection_id,
8781 tvb, offset, parameter_length, ENC_NA0x00000000);
8782 offset += parameter_length;
8783 break;
8784 case SSL_HND_QUIC_TP_MAX_DATAGRAM_FRAME_SIZE0x20:
8785 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_max_datagram_frame_size,
8786 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8787 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8788 offset += len;
8789 break;
8790 case SSL_HND_QUIC_TP_CIBIR_ENCODING0x1000:
8791 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_cibir_encoding_length,
8792 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8793 proto_item_append_text(parameter_tree, " Length: %" PRIu64"l" "u", value);
8794 offset += len;
8795 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_cibir_encoding_offset,
8796 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8797 proto_item_append_text(parameter_tree, ", Offset: %" PRIu64"l" "u", value);
8798 offset += len;
8799 break;
8800 case SSL_HND_QUIC_TP_LOSS_BITS0x1057:
8801 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_loss_bits,
8802 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8803 if (len > 0) {
8804 quic_add_loss_bits(pinfo, value);
8805 }
8806 offset += 1;
8807 break;
8808 case SSL_HND_QUIC_TP_MIN_ACK_DELAY_OLD0xde1a:
8809 case SSL_HND_QUIC_TP_MIN_ACK_DELAY_DRAFT_V10xFF03DE1A:
8810 case SSL_HND_QUIC_TP_MIN_ACK_DELAY_DRAFT050xff04de1a:
8811 case SSL_HND_QUIC_TP_MIN_ACK_DELAY0xff04de1b:
8812 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_min_ack_delay,
8813 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8814 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u", value);
8815 offset += len;
8816 break;
8817 case SSL_HND_QUIC_TP_GOOGLE_USER_AGENT0x3129:
8818 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_user_agent_id,
8819 tvb, offset, parameter_length, ENC_ASCII0x00000000|ENC_NA0x00000000);
8820 offset += parameter_length;
8821 break;
8822 case SSL_HND_QUIC_TP_GOOGLE_KEY_UPDATE_NOT_YET_SUPPORTED0x312B:
8823 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_key_update_not_yet_supported,
8824 tvb, offset, parameter_length, ENC_NA0x00000000);
8825 offset += parameter_length;
8826 break;
8827 case SSL_HND_QUIC_TP_GOOGLE_QUIC_VERSION0x4752:
8828 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_quic_version,
8829 tvb, offset, 4, ENC_BIG_ENDIAN0x00000000);
8830 offset += 4;
8831 if (hnd_type == SSL_HND_ENCRYPTED_EXTENSIONS) { /* From server */
8832 uint32_t versions_length;
8833
8834 proto_tree_add_item_ret_uint(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_supported_versions_length,
8835 tvb, offset, 1, ENC_NA0x00000000, &versions_length);
8836 offset += 1;
8837 for (i = 0; i < versions_length / 4; i++) {
8838 quic_proto_tree_add_version(tvb, parameter_tree,
8839 hf->hf.hs_ext_quictp_parameter_google_supported_version, offset);
8840 offset += 4;
8841 }
8842 }
8843 break;
8844 case SSL_HND_QUIC_TP_GOOGLE_INITIAL_RTT0x3127:
8845 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_initial_rtt,
8846 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8847 proto_item_append_text(parameter_tree, " %" PRIu64"l" "u" " us", value);
8848 offset += len;
8849 break;
8850 case SSL_HND_QUIC_TP_GOOGLE_SUPPORT_HANDSHAKE_DONE0x312A:
8851 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_support_handshake_done,
8852 tvb, offset, parameter_length, ENC_NA0x00000000);
8853 offset += parameter_length;
8854 break;
8855 case SSL_HND_QUIC_TP_GOOGLE_QUIC_PARAMS0x4751:
8856 /* This field was used for non-standard Google-specific parameters encoded as a
8857 * Google QUIC_CRYPTO CHLO and it has been replaced (version >= T051) by individual
8858 * parameters. Report it as a bytes blob... */
8859 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_quic_params,
8860 tvb, offset, parameter_length, ENC_NA0x00000000);
8861 /* ... and try decoding it: not sure what the first 4 bytes are (but they seems to be always 0) */
8862 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_quic_params_unknown_field,
8863 tvb, offset, 4, ENC_NA0x00000000);
8864 dissect_gquic_tags(tvb, pinfo, parameter_tree, offset + 4);
8865 offset += parameter_length;
8866 break;
8867 case SSL_HND_QUIC_TP_GOOGLE_CONNECTION_OPTIONS0x3128:
8868 proto_tree_add_item(parameter_tree, hf->hf.hs_ext_quictp_parameter_google_connection_options,
8869 tvb, offset, parameter_length, ENC_NA0x00000000);
8870 offset += parameter_length;
8871 break;
8872 case SSL_HND_QUIC_TP_ENABLE_TIME_STAMP0x7157:
8873 /* No Payload */
8874 break;
8875 case SSL_HND_QUIC_TP_ENABLE_TIME_STAMP_V20x7158:
8876 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_enable_time_stamp_v2,
8877 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8878 offset += parameter_length;
8879 break;
8880 case SSL_HND_QUIC_TP_VERSION_INFORMATION0x11:
8881 quic_proto_tree_add_version(tvb, parameter_tree,
8882 hf->hf.hs_ext_quictp_parameter_chosen_version, offset);
8883 offset += 4;
8884 for (i = 4; i < parameter_length; i += 4) {
8885 quic_proto_tree_add_version(tvb, parameter_tree,
8886 hf->hf.hs_ext_quictp_parameter_other_version, offset);
8887 offset += 4;
8888 }
8889 break;
8890 case SSL_HND_QUIC_TP_GREASE_QUIC_BIT0x2ab2:
8891 /* No Payload */
8892 quic_add_grease_quic_bit(pinfo);
8893 break;
8894 case SSL_HND_QUIC_TP_FACEBOOK_PARTIAL_RELIABILITY0xFF00:
8895 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_facebook_partial_reliability,
8896 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8897 offset += parameter_length;
8898 break;
8899 case SSL_HND_QUIC_TP_ENABLE_MULTIPATH_DRAFT040x0f739bbc1b666d04:
8900 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_enable_multipath,
8901 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8902 if (value == 1) {
8903 quic_add_multipath(pinfo, QUIC_MP_NO_PATH_ID1);
8904 }
8905 offset += parameter_length;
8906 break;
8907 case SSL_HND_QUIC_TP_ENABLE_MULTIPATH_DRAFT050x0f739bbc1b666d05:
8908 case SSL_HND_QUIC_TP_ENABLE_MULTIPATH0x0f739bbc1b666d06:
8909 /* No Payload */
8910 quic_add_multipath(pinfo, QUIC_MP_NO_PATH_ID1);
8911 break;
8912 case SSL_HND_QUIC_TP_INITIAL_MAX_PATHS0x0f739bbc1b666d07:
8913 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_paths,
8914 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8915 if (value > 1) {
8916 quic_add_multipath(pinfo, QUIC_MP_PATH_ID2);
8917 }
8918 /* multipath draft-07: "The value of the initial_max_paths
8919 * parameter MUST be at least 2." TODO: Expert Info? */
8920 offset += parameter_length;
8921 break;
8922 case SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID_DRAFT090x0f739bbc1b666d09:
8923 case SSL_HND_QUIC_TP_INITIAL_MAX_PATH_ID0x0f739bbc1b666d11:
8924 proto_tree_add_item_ret_varint(parameter_tree, hf->hf.hs_ext_quictp_parameter_initial_max_path_id,
8925 tvb, offset, -1, ENC_VARINT_QUIC0x00000004, &value, &len);
8926 /* multipath draft-09 and later: "If an endpoint receives an
8927 * initial_max_path_id transport parameter with value 0, the
8928 * peer aims to enable the multipath extension without allowing
8929 * extra paths immediately."
8930 */
8931 quic_add_multipath(pinfo, QUIC_MP_PATH_ID2);
8932 offset += parameter_length;
8933 break;
8934 default:
8935 offset += parameter_length;
8936 /*TODO display expert info about unknown ? */
8937 break;
8938 }
8939
8940 if (!ssl_end_vector(hf, tvb, pinfo, parameter_tree, offset, parameter_end_offset)) {
8941 /* Dissection did not end at expected location, fix it. */
8942 offset = parameter_end_offset;
8943 }
8944 }
8945
8946 return offset;
8947}
8948
8949static int
8950ssl_dissect_hnd_hello_common(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
8951 proto_tree *tree, uint32_t offset,
8952 SslSession *session, SslDecryptSession *ssl,
8953 bool_Bool from_server, bool_Bool is_hrr)
8954{
8955 uint8_t sessid_length;
8956 proto_item *ti;
8957 proto_tree *rnd_tree;
8958 proto_tree *ti_rnd;
8959 proto_tree *ech_confirm_tree;
8960 uint8_t draft_version = session->tls13_draft_version;
8961
8962 if (ssl) {
8963 StringInfo *rnd;
8964 if (from_server)
8965 rnd = &ssl->server_random;
8966 else
8967 rnd = &ssl->client_random;
8968
8969 /* save provided random for later keyring generation */
8970 tvb_memcpy(tvb, rnd->data, offset, 32);
8971 rnd->data_len = 32;
8972 if (from_server)
8973 ssl->state |= SSL_SERVER_RANDOM(1<<1);
8974 else
8975 ssl->state |= SSL_CLIENT_RANDOM(1<<0);
8976 ssl_debug_printf("%s found %s RANDOM -> state 0x%02X\n", G_STRFUNC((const char*) (__func__)),
8977 from_server ? "SERVER" : "CLIENT", ssl->state);
8978 }
8979
8980 if (!from_server && session->client_random.data_len == 0) {
8981 session->client_random.data_len = 32;
8982 tvb_memcpy(tvb, session->client_random.data, offset, 32);
8983 }
8984
8985 ti_rnd = proto_tree_add_item(tree, hf->hf.hs_random, tvb, offset, 32, ENC_NA0x00000000);
8986
8987 if ((session->version != TLSV1DOT3_VERSION0x304) && (session->version != DTLSV1DOT3_VERSION0xfefc)) { /* No time on first bytes random with TLS 1.3 */
8988
8989 rnd_tree = proto_item_add_subtree(ti_rnd, hf->ett.hs_random);
8990 /* show the time */
8991 proto_tree_add_item(rnd_tree, hf->hf.hs_random_time,
8992 tvb, offset, 4, ENC_TIME_SECS0x00000012|ENC_BIG_ENDIAN0x00000000);
8993 offset += 4;
8994
8995 /* show the random bytes */
8996 proto_tree_add_item(rnd_tree, hf->hf.hs_random_bytes,
8997 tvb, offset, 28, ENC_NA0x00000000);
8998 offset += 28;
8999 } else {
9000 if (is_hrr) {
9001 proto_item_append_text(ti_rnd, " (HelloRetryRequest magic)");
9002 } else if (from_server && session->ech) {
9003 ech_confirm_tree = proto_item_add_subtree(ti_rnd, hf->ett.hs_random);
9004 proto_tree_add_item(ech_confirm_tree, hf->hf.hs_ech_confirm, tvb, offset + 24, 8, ENC_NA0x00000000);
9005 ti = proto_tree_add_bytes_with_length(ech_confirm_tree, hf->hf.hs_ech_confirm_compute, tvb, offset + 24, 0,
9006 session->ech_confirmation, 8);
9007 proto_item_set_generated(ti);
9008 if (memcmp(session->ech_confirmation, tvb_get_ptr(tvb, offset+24, 8), 8)) {
9009 expert_add_info(pinfo, ti, &hf->ei.ech_rejected);
9010 } else {
9011 expert_add_info(pinfo, ti, &hf->ei.ech_accepted);
9012 }
9013 }
9014
9015 offset += 32;
9016 }
9017
9018 /* No Session ID with TLS 1.3 on Server Hello before draft -22 */
9019 if (from_server == 0 || !(session->version == TLSV1DOT3_VERSION0x304 && draft_version > 0 && draft_version < 22)) {
9020 /* show the session id (length followed by actual Session ID) */
9021 sessid_length = tvb_get_uint8(tvb, offset);
9022 proto_tree_add_item(tree, hf->hf.hs_session_id_len,
9023 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
9024 offset++;
9025
9026 if (ssl) {
9027 /* save the authoritative SID for later use in ChangeCipherSpec.
9028 * (D)TLS restricts the SID to 32 chars, it does not make sense to
9029 * save more, so ignore larger ones. */
9030 if (from_server && sessid_length <= 32) {
9031 tvb_memcpy(tvb, ssl->session_id.data, offset, sessid_length);
9032 ssl->session_id.data_len = sessid_length;
9033 }
9034 }
9035 if (sessid_length > 0) {
9036 proto_tree_add_item(tree, hf->hf.hs_session_id,
9037 tvb, offset, sessid_length, ENC_NA0x00000000);
9038 offset += sessid_length;
9039 }
9040 }
9041
9042 return offset;
9043}
9044
9045static int
9046ssl_dissect_hnd_hello_ext_status_request(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9047 proto_tree *tree, uint32_t offset, uint32_t offset_end,
9048 bool_Bool has_length)
9049{
9050 /* TLS 1.2/1.3 status_request Client Hello Extension.
9051 * TLS 1.2 status_request_v2 CertificateStatusRequestItemV2 type.
9052 * https://tools.ietf.org/html/rfc6066#section-8 (status_request)
9053 * https://tools.ietf.org/html/rfc6961#section-2.2 (status_request_v2)
9054 * struct {
9055 * CertificateStatusType status_type;
9056 * uint16 request_length; // for status_request_v2
9057 * select (status_type) {
9058 * case ocsp: OCSPStatusRequest;
9059 * case ocsp_multi: OCSPStatusRequest;
9060 * } request;
9061 * } CertificateStatusRequest; // CertificateStatusRequestItemV2
9062 *
9063 * enum { ocsp(1), ocsp_multi(2), (255) } CertificateStatusType;
9064 * struct {
9065 * ResponderID responder_id_list<0..2^16-1>;
9066 * Extensions request_extensions;
9067 * } OCSPStatusRequest;
9068 * opaque ResponderID<1..2^16-1>;
9069 * opaque Extensions<0..2^16-1>;
9070 */
9071 unsigned cert_status_type;
9072
9073 cert_status_type = tvb_get_uint8(tvb, offset);
9074 proto_tree_add_item(tree, hf->hf.hs_ext_cert_status_type,
9075 tvb, offset, 1, ENC_NA0x00000000);
9076 offset++;
9077
9078 if (has_length) {
9079 proto_tree_add_item(tree, hf->hf.hs_ext_cert_status_request_len,
9080 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
9081 offset += 2;
9082 }
9083
9084 switch (cert_status_type) {
9085 case SSL_HND_CERT_STATUS_TYPE_OCSP1:
9086 case SSL_HND_CERT_STATUS_TYPE_OCSP_MULTI2:
9087 {
9088 uint32_t responder_id_list_len;
9089 uint32_t request_extensions_len;
9090
9091 /* ResponderID responder_id_list<0..2^16-1> */
9092 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &responder_id_list_len,
9093 hf->hf.hs_ext_cert_status_responder_id_list_len, 0, UINT16_MAX(65535))) {
9094 return offset_end;
9095 }
9096 offset += 2;
9097 if (responder_id_list_len != 0) {
9098 proto_tree_add_expert_format(tree, pinfo, &hf->ei.hs_ext_cert_status_undecoded,
9099 tvb, offset, responder_id_list_len,
9100 "Responder ID list is not implemented, contact Wireshark"
9101 " developers if you want this to be supported");
9102 }
9103 offset += responder_id_list_len;
9104
9105 /* opaque Extensions<0..2^16-1> */
9106 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &request_extensions_len,
9107 hf->hf.hs_ext_cert_status_request_extensions_len, 0, UINT16_MAX(65535))) {
9108 return offset_end;
9109 }
9110 offset += 2;
9111 if (request_extensions_len != 0) {
9112 proto_tree_add_expert_format(tree, pinfo, &hf->ei.hs_ext_cert_status_undecoded,
9113 tvb, offset, request_extensions_len,
9114 "Request Extensions are not implemented, contact"
9115 " Wireshark developers if you want this to be supported");
9116 }
9117 offset += request_extensions_len;
9118 break;
9119 }
9120 }
9121
9122 return offset;
9123}
9124
9125static unsigned
9126ssl_dissect_hnd_hello_ext_status_request_v2(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9127 proto_tree *tree, uint32_t offset, uint32_t offset_end)
9128{
9129 /* https://tools.ietf.org/html/rfc6961#section-2.2
9130 * struct {
9131 * CertificateStatusRequestItemV2 certificate_status_req_list<1..2^16-1>;
9132 * } CertificateStatusRequestListV2;
9133 */
9134 uint32_t req_list_length, next_offset;
9135
9136 /* CertificateStatusRequestItemV2 certificate_status_req_list<1..2^16-1> */
9137 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &req_list_length,
9138 hf->hf.hs_ext_cert_status_request_list_len, 1, UINT16_MAX(65535))) {
9139 return offset_end;
9140 }
9141 offset += 2;
9142 next_offset = offset + req_list_length;
9143
9144 while (offset < next_offset) {
9145 offset = ssl_dissect_hnd_hello_ext_status_request(hf, tvb, pinfo, tree, offset, next_offset, true1);
9146 }
9147
9148 return offset;
9149}
9150
9151static uint32_t
9152tls_dissect_ocsp_response(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
9153 uint32_t offset, uint32_t offset_end)
9154{
9155 uint32_t response_length;
9156 proto_item *ocsp_resp;
9157 proto_tree *ocsp_resp_tree;
9158 asn1_ctx_t asn1_ctx;
9159
9160 /* opaque OCSPResponse<1..2^24-1>; */
9161 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &response_length,
9162 hf->hf.hs_ocsp_response_len, 1, G_MAXUINT24((1U << 24) - 1))) {
9163 return offset_end;
9164 }
9165 offset += 3;
9166
9167 ocsp_resp = proto_tree_add_item(tree, proto_ocsp, tvb, offset,
9168 response_length, ENC_BIG_ENDIAN0x00000000);
9169 proto_item_set_text(ocsp_resp, "OCSP Response");
9170 ocsp_resp_tree = proto_item_add_subtree(ocsp_resp, hf->ett.ocsp_response);
9171 if (proto_is_protocol_enabled(find_protocol_by_id(proto_ocsp))) {
9172 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true1, pinfo);
9173 dissect_ocsp_OCSPResponse(false0, tvb, offset, &asn1_ctx, ocsp_resp_tree, -1);
9174 }
9175 offset += response_length;
9176
9177 return offset;
9178}
9179
9180uint32_t
9181tls_dissect_hnd_certificate_status(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9182 proto_tree *tree, uint32_t offset, uint32_t offset_end)
9183{
9184 /* TLS 1.2 "CertificateStatus" handshake message.
9185 * TLS 1.3 "status_request" Certificate extension.
9186 * struct {
9187 * CertificateStatusType status_type;
9188 * select (status_type) {
9189 * case ocsp: OCSPResponse;
9190 * case ocsp_multi: OCSPResponseList; // status_request_v2
9191 * } response;
9192 * } CertificateStatus;
9193 * opaque OCSPResponse<1..2^24-1>;
9194 * struct {
9195 * OCSPResponse ocsp_response_list<1..2^24-1>;
9196 * } OCSPResponseList; // status_request_v2
9197 */
9198 uint32_t status_type, resp_list_length, next_offset;
9199
9200 proto_tree_add_item_ret_uint(tree, hf->hf.hs_ext_cert_status_type,
9201 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000, &status_type);
9202 offset += 1;
9203
9204 switch (status_type) {
9205 case SSL_HND_CERT_STATUS_TYPE_OCSP1:
9206 offset = tls_dissect_ocsp_response(hf, tvb, pinfo, tree, offset, offset_end);
9207 break;
9208
9209 case SSL_HND_CERT_STATUS_TYPE_OCSP_MULTI2:
9210 /* OCSPResponse ocsp_response_list<1..2^24-1> */
9211 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &resp_list_length,
9212 hf->hf.hs_ocsp_response_list_len, 1, G_MAXUINT24((1U << 24) - 1))) {
9213 return offset_end;
9214 }
9215 offset += 3;
9216 next_offset = offset + resp_list_length;
9217
9218 while (offset < next_offset) {
9219 offset = tls_dissect_ocsp_response(hf, tvb, pinfo, tree, offset, next_offset);
9220 }
9221 break;
9222 }
9223
9224 return offset;
9225}
9226
9227static unsigned
9228ssl_dissect_hnd_hello_ext_supported_groups(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9229 proto_tree *tree, uint32_t offset, uint32_t offset_end,
9230 wmem_strbuf_t *ja3)
9231{
9232 /* RFC 8446 Section 4.2.7
9233 * enum { ..., (0xFFFF) } NamedGroup;
9234 * struct {
9235 * NamedGroup named_group_list<2..2^16-1>
9236 * } NamedGroupList;
9237 *
9238 * NOTE: "NamedCurve" (RFC 4492) is renamed to "NamedGroup" (RFC 7919) and
9239 * the extension itself from "elliptic_curves" to "supported_groups".
9240 */
9241 uint32_t groups_length, next_offset;
9242 proto_tree *groups_tree;
9243 proto_item *ti;
9244 char *ja3_dash = "";
9245
9246 /* NamedGroup named_group_list<2..2^16-1> */
9247 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &groups_length,
9248 hf->hf.hs_ext_supported_groups_len, 2, UINT16_MAX(65535))) {
9249 return offset_end;
9250 }
9251 offset += 2;
9252 next_offset = offset + groups_length;
9253
9254 ti = proto_tree_add_none_format(tree,
9255 hf->hf.hs_ext_supported_groups,
9256 tvb, offset, groups_length,
9257 "Supported Groups (%d group%s)",
9258 groups_length / 2,
9259 plurality(groups_length/2, "", "s")((groups_length/2) == 1 ? ("") : ("s")));
9260
9261 /* make this a subtree */
9262 groups_tree = proto_item_add_subtree(ti, hf->ett.hs_ext_groups);
9263
9264 if (ja3) {
9265 wmem_strbuf_append_c(ja3, ',');
9266 }
9267 /* loop over all groups */
9268 while (offset + 2 <= offset_end) {
9269 uint32_t ext_supported_group;
9270
9271 proto_tree_add_item_ret_uint(groups_tree, hf->hf.hs_ext_supported_group, tvb, offset, 2,
9272 ENC_BIG_ENDIAN0x00000000, &ext_supported_group);
9273 offset += 2;
9274 if (ja3 && !IS_GREASE_TLS(ext_supported_group)((((ext_supported_group) & 0x0f0f) == 0x0a0a) && (
((ext_supported_group) & 0xff) == (((ext_supported_group)
>>8) & 0xff)))) {
9275 wmem_strbuf_append_printf(ja3, "%s%i",ja3_dash, ext_supported_group);
9276 ja3_dash = "-";
9277 }
9278 }
9279 if (!ssl_end_vector(hf, tvb, pinfo, groups_tree, offset, next_offset)) {
9280 offset = next_offset;
9281 }
9282
9283 return offset;
9284}
9285
9286static int
9287ssl_dissect_hnd_hello_ext_ec_point_formats(ssl_common_dissect_t *hf, tvbuff_t *tvb,
9288 proto_tree *tree, uint32_t offset, wmem_strbuf_t *ja3)
9289{
9290 uint8_t ecpf_length;
9291 proto_tree *ecpf_tree;
9292 proto_item *ti;
9293
9294 ecpf_length = tvb_get_uint8(tvb, offset);
9295 proto_tree_add_item(tree, hf->hf.hs_ext_ec_point_formats_len,
9296 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
9297
9298 offset += 1;
9299 ti = proto_tree_add_none_format(tree,
9300 hf->hf.hs_ext_ec_point_formats,
9301 tvb, offset, ecpf_length,
9302 "Elliptic curves point formats (%d)",
9303 ecpf_length);
9304
9305 /* make this a subtree */
9306 ecpf_tree = proto_item_add_subtree(ti, hf->ett.hs_ext_curves_point_formats);
9307
9308 if (ja3) {
9309 wmem_strbuf_append_c(ja3, ',');
9310 }
9311
9312 /* loop over all point formats */
9313 while (ecpf_length > 0)
9314 {
9315 uint32_t ext_ec_point_format;
9316
9317 proto_tree_add_item_ret_uint(ecpf_tree, hf->hf.hs_ext_ec_point_format, tvb, offset, 1,
9318 ENC_BIG_ENDIAN0x00000000, &ext_ec_point_format);
9319 offset++;
9320 ecpf_length--;
9321 if (ja3) {
9322 wmem_strbuf_append_printf(ja3, "%i", ext_ec_point_format);
9323 if (ecpf_length > 0) {
9324 wmem_strbuf_append_c(ja3, '-');
9325 }
9326 }
9327 }
9328
9329 return offset;
9330}
9331
9332static int
9333ssl_dissect_hnd_hello_ext_srp(ssl_common_dissect_t *hf, tvbuff_t *tvb,
9334 packet_info *pinfo, proto_tree *tree,
9335 uint32_t offset, uint32_t next_offset)
9336{
9337 /* https://tools.ietf.org/html/rfc5054#section-2.8.1
9338 * opaque srp_I<1..2^8-1>;
9339 */
9340 uint32_t username_len;
9341
9342 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, next_offset, &username_len,
9343 hf->hf.hs_ext_srp_len, 1, UINT8_MAX(255))) {
9344 return next_offset;
9345 }
9346 offset++;
9347
9348 proto_tree_add_item(tree, hf->hf.hs_ext_srp_username,
9349 tvb, offset, username_len, ENC_UTF_80x00000002|ENC_NA0x00000000);
9350 offset += username_len;
9351
9352 return offset;
9353}
9354
9355static uint32_t
9356tls_dissect_sct(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
9357 uint32_t offset, uint32_t offset_end, uint16_t version)
9358{
9359 /* https://tools.ietf.org/html/rfc6962#section-3.2
9360 * enum { v1(0), (255) } Version;
9361 * struct {
9362 * opaque key_id[32];
9363 * } LogID;
9364 * opaque CtExtensions<0..2^16-1>;
9365 * struct {
9366 * Version sct_version;
9367 * LogID id;
9368 * uint64 timestamp;
9369 * CtExtensions extensions;
9370 * digitally-signed struct { ... };
9371 * } SignedCertificateTimestamp;
9372 */
9373 uint32_t sct_version;
9374 uint64_t sct_timestamp_ms;
9375 nstime_t sct_timestamp;
9376 uint32_t exts_len;
9377 const char *log_name;
9378
9379 proto_tree_add_item_ret_uint(tree, hf->hf.sct_sct_version, tvb, offset, 1, ENC_NA0x00000000, &sct_version);
9380 offset++;
9381 if (sct_version != 0) {
9382 // TODO expert info about unknown SCT version?
9383 return offset;
9384 }
9385 proto_tree_add_item(tree, hf->hf.sct_sct_logid, tvb, offset, 32, ENC_BIG_ENDIAN0x00000000);
9386 log_name = bytesval_to_str(tvb_get_ptr(tvb, offset, 32), 32, ct_logids, "Unknown Log");
9387 proto_item_append_text(tree, " (%s)", log_name);
9388 offset += 32;
9389 sct_timestamp_ms = tvb_get_ntoh64(tvb, offset);
9390 sct_timestamp.secs = (time_t)(sct_timestamp_ms / 1000);
9391 sct_timestamp.nsecs = (int)((sct_timestamp_ms % 1000) * 1000000);
9392 proto_tree_add_time(tree, hf->hf.sct_sct_timestamp, tvb, offset, 8, &sct_timestamp);
9393 offset += 8;
9394 /* opaque CtExtensions<0..2^16-1> */
9395 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &exts_len,
9396 hf->hf.sct_sct_extensions_length, 0, UINT16_MAX(65535))) {
9397 return offset_end;
9398 }
9399 offset += 2;
9400 if (exts_len > 0) {
9401 proto_tree_add_item(tree, hf->hf.sct_sct_extensions, tvb, offset, exts_len, ENC_BIG_ENDIAN0x00000000);
9402 offset += exts_len;
9403 }
9404 offset = ssl_dissect_digitally_signed(hf, tvb, pinfo, tree, offset, offset_end, version,
9405 hf->hf.sct_sct_signature_length,
9406 hf->hf.sct_sct_signature);
9407 return offset;
9408}
9409
9410uint32_t
9411tls_dissect_sct_list(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
9412 uint32_t offset, uint32_t offset_end, uint16_t version)
9413{
9414 /* https://tools.ietf.org/html/rfc6962#section-3.3
9415 * opaque SerializedSCT<1..2^16-1>;
9416 * struct {
9417 * SerializedSCT sct_list <1..2^16-1>;
9418 * } SignedCertificateTimestampList;
9419 */
9420 uint32_t list_length, sct_length, next_offset;
9421 proto_tree *subtree;
9422
9423 /* SerializedSCT sct_list <1..2^16-1> */
9424 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &list_length,
9425 hf->hf.sct_scts_length, 1, UINT16_MAX(65535))) {
9426 return offset_end;
9427 }
9428 offset += 2;
9429
9430 while (offset < offset_end) {
9431 subtree = proto_tree_add_subtree(tree, tvb, offset, 2, hf->ett.sct, NULL((void*)0), "Signed Certificate Timestamp");
9432
9433 /* opaque SerializedSCT<1..2^16-1> */
9434 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, offset_end, &sct_length,
9435 hf->hf.sct_sct_length, 1, UINT16_MAX(65535))) {
9436 return offset_end;
9437 }
9438 offset += 2;
9439 next_offset = offset + sct_length;
9440 proto_item_set_len(subtree, 2 + sct_length);
9441 offset = tls_dissect_sct(hf, tvb, pinfo, subtree, offset, next_offset, version);
9442 if (!ssl_end_vector(hf, tvb, pinfo, subtree, offset, next_offset)) {
9443 offset = next_offset;
9444 }
9445 }
9446
9447 return offset;
9448}
9449
9450static int
9451dissect_ech_hpke_cipher_suite(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo _U___attribute__((unused)),
9452 proto_tree *tree, uint32_t offset)
9453{
9454 uint32_t kdf_id, aead_id;
9455 proto_item *cs_ti;
9456 proto_tree *cs_tree;
9457
9458 cs_ti = proto_tree_add_item(tree, hf->hf.ech_hpke_keyconfig_cipher_suite,
9459 tvb, offset, 4, ENC_NA0x00000000);
9460 cs_tree = proto_item_add_subtree(cs_ti, hf->ett.ech_hpke_cipher_suite);
9461
9462 proto_tree_add_item_ret_uint(cs_tree, hf->hf.ech_hpke_keyconfig_cipher_suite_kdf_id,
9463 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &kdf_id);
9464 offset += 2;
9465 proto_tree_add_item_ret_uint(cs_tree, hf->hf.ech_hpke_keyconfig_cipher_suite_aead_id,
9466 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &aead_id);
9467 offset += 2;
9468
9469 proto_item_append_text(cs_ti, ": %s/%s",
9470 val_to_str_const(kdf_id, kdf_id_type_vals, "Unknown"),
9471 val_to_str_const(aead_id, aead_id_type_vals, "Unknown"));
9472 return offset;
9473}
9474
9475static int
9476dissect_ech_hpke_key_config(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9477 proto_tree *tree, uint32_t offset, uint32_t offset_end,
9478 uint32_t *config_id)
9479{
9480 uint32_t length, cipher_suite_length;
9481 proto_item *kc_ti, *css_ti;
9482 proto_tree *kc_tree, *css_tree;
9483 uint32_t original_offset = offset, next_offset;
9484
9485 kc_ti = proto_tree_add_item(tree, hf->hf.ech_hpke_keyconfig,
9486 tvb, offset, -1, ENC_NA0x00000000);
9487 kc_tree = proto_item_add_subtree(kc_ti, hf->ett.ech_hpke_keyconfig);
9488
9489 proto_tree_add_item_ret_uint(kc_tree, hf->hf.ech_hpke_keyconfig_config_id,
9490 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000, config_id);
9491 offset += 1;
9492 proto_tree_add_item(kc_tree, hf->hf.ech_hpke_keyconfig_kem_id,
9493 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
9494 offset += 2;
9495 proto_tree_add_item_ret_uint(kc_tree, hf->hf.ech_hpke_keyconfig_public_key_length,
9496 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &length);
9497 offset += 2;
9498 proto_tree_add_item(kc_tree, hf->hf.ech_hpke_keyconfig_public_key,
9499 tvb, offset, length, ENC_NA0x00000000);
9500 offset += length;
9501
9502 /* HpkeSymmetricCipherSuite cipher_suites<4..2^16-4> */
9503 if (!ssl_add_vector(hf, tvb, pinfo, kc_tree, offset, offset_end, &cipher_suite_length,
9504 hf->hf.ech_hpke_keyconfig_cipher_suites_length, 4, UINT16_MAX(65535) - 3)) {
9505 return offset_end;
9506 }
9507 offset += 2;
9508 next_offset = offset + cipher_suite_length;
9509
9510 css_ti = proto_tree_add_none_format(kc_tree,
9511 hf->hf.ech_hpke_keyconfig_cipher_suites,
9512 tvb, offset, cipher_suite_length,
9513 "Cipher Suites (%d suite%s)",
9514 cipher_suite_length / 4,
9515 plurality(cipher_suite_length / 4, "", "s")((cipher_suite_length / 4) == 1 ? ("") : ("s")));
9516 css_tree = proto_item_add_subtree(css_ti, hf->ett.ech_hpke_cipher_suites);
9517
9518
9519 while (offset + 4 <= next_offset) {
9520 offset = dissect_ech_hpke_cipher_suite(hf, tvb, pinfo, css_tree, offset);
9521 }
9522
9523 if (!ssl_end_vector(hf, tvb, pinfo, css_tree, offset, next_offset)) {
9524 offset = next_offset;
9525 }
9526
9527 proto_item_set_len(kc_ti, offset - original_offset);
9528
9529 return offset;
9530}
9531
9532static int
9533dissect_ech_echconfig_contents(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9534 proto_tree *tree, uint32_t offset, uint32_t offset_end,
9535 const uint8_t **public_name, uint32_t *config_id)
9536{
9537 uint32_t public_name_length, extensions_length, next_offset;
9538
9539 offset = dissect_ech_hpke_key_config(hf, tvb, pinfo, tree, offset, offset_end, config_id);
9540 proto_tree_add_item(tree, hf->hf.ech_echconfigcontents_maximum_name_length,
9541 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
9542 offset += 1;
9543 proto_tree_add_item_ret_uint(tree, hf->hf.ech_echconfigcontents_public_name_length,
9544 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000, &public_name_length);
9545 offset += 1;
9546 proto_tree_add_item_ret_string(tree, hf->hf.ech_echconfigcontents_public_name,
9547 tvb, offset, public_name_length, ENC_ASCII0x00000000, pinfo->pool, public_name);
9548 offset += public_name_length;
9549
9550 /* Extension extensions<0..2^16-1>; */
9551 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &extensions_length,
9552 hf->hf.ech_echconfigcontents_extensions_length, 0, UINT16_MAX(65535))) {
9553 return offset_end;
9554 }
9555 offset += 2;
9556 next_offset = offset + extensions_length;
9557
9558 if (extensions_length > 0) {
9559 proto_tree_add_item(tree, hf->hf.ech_echconfigcontents_extensions,
9560 tvb, offset, extensions_length, ENC_NA0x00000000);
9561 }
9562 offset += extensions_length;
9563
9564 if (!ssl_end_vector(hf, tvb, pinfo, tree, offset, next_offset)) {
9565 offset = next_offset;
9566 }
9567
9568 return offset;
9569}
9570
9571static int
9572dissect_ech_echconfig(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9573 proto_tree *tree, uint32_t offset, uint32_t offset_end)
9574{
9575 uint32_t version, length;
9576 proto_item *ech_ti;
9577 proto_tree *ech_tree;
9578 const uint8_t *public_name = NULL((void*)0);
9579 uint32_t config_id = 0;
9580
9581 ech_ti = proto_tree_add_item(tree, hf->hf.ech_echconfig, tvb, offset, -1, ENC_NA0x00000000);
9582 ech_tree = proto_item_add_subtree(ech_ti, hf->ett.ech_echconfig);
9583
9584 proto_tree_add_item_ret_uint(ech_tree, hf->hf.ech_echconfig_version,
9585 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &version);
9586 offset += 2;
9587 proto_tree_add_item_ret_uint(ech_tree, hf->hf.ech_echconfig_length,
9588 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &length);
9589 offset += 2;
9590
9591 proto_item_set_len(ech_ti, 4 + length);
9592
9593 switch(version) {
9594 case 0xfe0d:
9595 dissect_ech_echconfig_contents(hf, tvb, pinfo, ech_tree, offset, offset_end, &public_name, &config_id);
9596 proto_item_append_text(ech_ti, ": id=%d %s", config_id, public_name);
9597 break;
9598
9599 default:
9600 expert_add_info_format(pinfo, ech_ti, &hf->ei.ech_echconfig_invalid_version, "Unsupported/unknown ECHConfig version 0x%x", version);
9601 }
9602
9603 return 4 + length;
9604}
9605
9606uint32_t
9607ssl_dissect_ext_ech_echconfiglist(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9608 proto_tree *tree, uint32_t offset, uint32_t offset_end)
9609{
9610 uint32_t echconfiglist_length, next_offset;
9611
9612 /* ECHConfig ECHConfigList<1..2^16-1>; */
9613 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &echconfiglist_length,
9614 hf->hf.ech_echconfiglist_length, 1, UINT16_MAX(65535))) {
9615 return offset_end;
9616 }
9617 offset += 2;
9618 next_offset = offset + echconfiglist_length;
9619
9620 while (offset < next_offset) {
9621 offset += dissect_ech_echconfig(hf, tvb, pinfo, tree, offset, offset_end);
9622 }
9623
9624 if (!ssl_end_vector(hf, tvb, pinfo, tree, offset, next_offset)) {
9625 offset = next_offset;
9626 }
9627
9628 return offset;
9629}
9630
9631static uint32_t
9632ssl_dissect_hnd_ech_outer_ext(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
9633 uint32_t offset, uint32_t offset_end)
9634{
9635 uint32_t ext_length, next_offset;
9636 proto_tree *ext_tree;
9637 proto_item *ti;
9638
9639 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &ext_length,
9640 hf->hf.hs_ext_ech_outer_ext_len, 2, G_MAXUINT8((guint8) 0xff))) {
9641 return offset_end;
9642 }
9643 offset += 1;
9644 next_offset = offset + ext_length;
9645
9646 ti = proto_tree_add_none_format(tree,
9647 hf->hf.hs_ext_ech_outer_ext,
9648 tvb, offset, ext_length,
9649 "Outer Extensions (%d extension%s)",
9650 ext_length / 2,
9651 plurality(ext_length/2, "", "s")((ext_length/2) == 1 ? ("") : ("s")));
9652
9653 ext_tree = proto_item_add_subtree(ti, hf->ett.hs_ext);
9654
9655 while (offset + 2 <= offset_end) {
9656 proto_tree_add_item(ext_tree, hf->hf.hs_ext_type, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
9657 offset += 2;
9658 }
9659
9660 if (!ssl_end_vector(hf, tvb, pinfo, ext_tree, offset, next_offset)) {
9661 offset = next_offset;
9662 }
9663
9664 return offset;
9665}
9666
9667static uint32_t
9668// NOLINTNEXTLINE(misc-no-recursion)
9669ssl_dissect_hnd_hello_ext_ech(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9670 proto_tree *tree, uint32_t offset, uint32_t offset_end,
9671 uint8_t hnd_type, SslSession *session, SslDecryptSession *ssl, ssl_master_key_map_t *mk_map,
9672 uint32_t initial_offset, uint32_t hello_length)
9673{
9674 uint32_t ch_type, length;
9675 proto_item *ti, *payload_ti;
9676 proto_tree *retry_tree, *payload_tree;
9677
9678 switch (hnd_type) {
9679 case SSL_HND_CLIENT_HELLO:
9680 /*
9681 * enum { outer(0), inner(1) } ECHClientHelloType;
9682 *
9683 * struct {
9684 * ECHClientHelloType type;
9685 * select (ECHClientHello.type) {
9686 * case outer:
9687 * HpkeSymmetricCipherSuite cipher_suite;
9688 * uint8 config_id;
9689 * opaque enc<0..2^16-1>;
9690 * opaque payload<1..2^16-1>;
9691 * case inner:
9692 * Empty;
9693 * };
9694 * } ECHClientHello;
9695 */
9696
9697 proto_tree_add_item_ret_uint(tree, hf->hf.ech_clienthello_type, tvb, offset, 1, ENC_BIG_ENDIAN0x00000000, &ch_type);
9698 offset += 1;
9699 switch (ch_type) {
9700 case 0: /* outer */
9701 if (ssl && session->first_ch_ech_frame == 0) {
9702 session->first_ch_ech_frame = pinfo->num;
9703 }
9704 offset = dissect_ech_hpke_cipher_suite(hf, tvb, pinfo, tree, offset);
9705 uint16_t kdf_id = tvb_get_ntohs(tvb, offset - 4);
9706 uint16_t aead_id = tvb_get_ntohs(tvb, offset - 2);
9707
9708 proto_tree_add_item(tree, hf->hf.ech_config_id, tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
9709 uint8_t config_id = tvb_get_uint8(tvb, offset);
9710 offset += 1;
9711 proto_tree_add_item_ret_uint(tree, hf->hf.ech_enc_length, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &length);
9712 offset += 2;
9713 proto_tree_add_item(tree, hf->hf.ech_enc, tvb, offset, length, ENC_NA0x00000000);
9714 offset += length;
9715 proto_tree_add_item_ret_uint(tree, hf->hf.ech_payload_length, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &length);
9716 offset += 2;
9717 payload_ti = proto_tree_add_item(tree, hf->hf.ech_payload, tvb, offset, length, ENC_NA0x00000000);
9718 offset += length;
9719
9720 if (!mk_map) {
9721 break;
9722 }
9723 if (session->client_random.data_len == 0) {
9724 ssl_debug_printf("%s missing Client Random\n", G_STRFUNC((const char*) (__func__)));
9725 break;
9726 }
9727 StringInfo *ech_secret = (StringInfo *)g_hash_table_lookup(mk_map->ech_secret, &session->client_random);
9728 StringInfo *ech_config = (StringInfo *)g_hash_table_lookup(mk_map->ech_config, &session->client_random);
9729 if (!ech_secret || !ech_config) {
9730 ssl_debug_printf("%s Cannot find ECH_SECRET or ECH_CONFIG, Encrypted Client Hello decryption impossible\n",
9731 G_STRFUNC((const char*) (__func__)));
9732 break;
9733 }
9734
9735 if (hpke_hkdf_len(kdf_id) == 0) {
9736 ssl_debug_printf("Unsupported KDF\n");
9737 break;
9738 }
9739
9740 if (hpke_aead_key_len(aead_id) == 0) {
9741 ssl_debug_printf("Unsupported AEAD\n");
9742 break;
9743 }
9744
9745 size_t aead_nonce_len = hpke_aead_nonce_len(aead_id);
9746
9747 uint16_t version = GUINT16_FROM_BE(*(uint16_t *)ech_config->data)(((((guint16) ( (guint16) ((guint16) (*(uint16_t *)ech_config
->data) >> 8) | (guint16) ((guint16) (*(uint16_t *)ech_config
->data) << 8))))));
9748 if (version != SSL_HND_HELLO_EXT_ENCRYPTED_CLIENT_HELLO65037) {
9749 ssl_debug_printf("Unexpected version in ECH Config\n");
9750 break;
9751 }
9752 uint32_t ech_config_offset = 2;
9753 if (GUINT16_FROM_BE(*(uint16_t *)(ech_config->data + ech_config_offset))(((((guint16) ( (guint16) ((guint16) (*(uint16_t *)(ech_config
->data + ech_config_offset)) >> 8) | (guint16) ((guint16
) (*(uint16_t *)(ech_config->data + ech_config_offset)) <<
8)))))) != ech_config->data_len - 4) {
9754 ssl_debug_printf("Malformed ECH Config, invalid length\n");
9755 break;
9756 }
9757 ech_config_offset += 2;
9758 if (*(ech_config->data + ech_config_offset) != config_id) {
9759 ssl_debug_printf("ECH Config version mismatch\n");
9760 break;
9761 }
9762 ech_config_offset += 1;
9763 uint16_t kem_id_be = *(uint16_t *)(ech_config->data + ech_config_offset);
9764 uint16_t kem_id = GUINT16_FROM_BE(kem_id_be)(((((guint16) ( (guint16) ((guint16) (kem_id_be) >> 8) |
(guint16) ((guint16) (kem_id_be) << 8))))));
9765 uint8_t suite_id[HPKE_SUIT_ID_LEN10];
9766 hpke_suite_id(kem_id, kdf_id, aead_id, suite_id);
9767 GByteArray *info = g_byte_array_new();
9768 g_byte_array_append(info, "tls ech", 8);
9769 g_byte_array_append(info, ech_config->data, ech_config->data_len);
9770 uint8_t key[AEAD_MAX_KEY_LENGTH32];
9771 uint8_t base_nonce[HPKE_AEAD_NONCE_LENGTH12];
9772 if (hpke_key_schedule(kdf_id, aead_id, ech_secret->data, ech_secret->data_len, suite_id, info->data, info->len, HPKE_MODE_BASE0,
9773 key, base_nonce)) {
9774 g_byte_array_free(info, TRUE(!(0)));
9775 break;
9776 }
9777 g_byte_array_free(info, TRUE(!(0)));
9778 gcry_cipher_hd_t cipher;
9779 if (hpke_setup_aead(&cipher, aead_id, key) ||
9780 hpke_set_nonce(cipher, !session->hrr_ech_declined && pinfo->num > session->first_ch_ech_frame, base_nonce, aead_nonce_len)) {
9781 gcry_cipher_close(cipher);
9782 break;
9783 }
9784 const uint8_t *payload = tvb_get_ptr(tvb, offset - length, length);
9785 uint8_t *ech_aad = (uint8_t *)wmem_alloc(NULL((void*)0), hello_length);
9786 tvb_memcpy(tvb, ech_aad, initial_offset, hello_length);
9787 memset(ech_aad + offset - length - initial_offset, 0, length);
9788 if (gcry_cipher_authenticate(cipher, ech_aad, hello_length)) {
9789 gcry_cipher_close(cipher);
9790 wmem_free(NULL((void*)0), ech_aad);
9791 break;
9792 }
9793 wmem_free(NULL((void*)0), ech_aad);
9794 uint8_t *ech_decrypted_data = (uint8_t *)wmem_alloc(pinfo->pool, length - 16);
9795 if (gcry_cipher_decrypt(cipher, ech_decrypted_data, length - 16, payload, length - 16)) {
9796 gcry_cipher_close(cipher);
9797 break;
9798 }
9799 guchar ech_auth_tag_calc[16];
9800 if (gcry_cipher_gettag(cipher, ech_auth_tag_calc, 16)) {
9801 gcry_cipher_close(cipher);
9802 break;
9803 }
9804 if (ssl && !session->hrr_ech_declined && session->first_ch_ech_frame == pinfo->num)
9805 memcpy(session->first_ech_auth_tag, ech_auth_tag_calc, 16);
9806 gcry_cipher_close(cipher);
9807 if (memcmp(pinfo->num > session->first_ch_ech_frame ? ech_auth_tag_calc : session->first_ech_auth_tag,
9808 payload + length - 16, 16)) {
9809 ssl_debug_printf("%s ECH auth tag mismatch\n", G_STRFUNC((const char*) (__func__)));
9810 } else {
9811 payload_tree = proto_item_add_subtree(payload_ti, hf->ett.ech_decrypt);
9812 tvbuff_t *ech_tvb = tvb_new_child_real_data(tvb, ech_decrypted_data, length - 16, length - 16);
9813 add_new_data_source(pinfo, ech_tvb, "Client Hello Inner");
9814 if (ssl) {
9815 tvb_memcpy(ech_tvb, ssl->client_random.data, 2, 32);
9816 uint32_t len_offset = ssl->ech_transcript.data_len;
9817 if (ssl->ech_transcript.data_len > 0)
9818 ssl->ech_transcript.data = (guchar*)wmem_realloc(wmem_file_scope(), ssl->ech_transcript.data,
9819 ssl->ech_transcript.data_len + hello_length + 4);
9820 else
9821 ssl->ech_transcript.data = (guchar*)wmem_alloc(wmem_file_scope(), hello_length + 4);
9822 ssl->ech_transcript.data[ssl->ech_transcript.data_len] = SSL_HND_CLIENT_HELLO;
9823 ssl->ech_transcript.data[ssl->ech_transcript.data_len + 1] = 0;
9824 tvb_memcpy(ech_tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len + 4, 0, 34);
9825 ssl->ech_transcript.data_len += 38;
9826 tvb_memcpy(tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len, initial_offset + 34,
9827 tvb_get_uint8(tvb, initial_offset + 34) + 1);
9828 ssl->ech_transcript.data_len += tvb_get_uint8(tvb, initial_offset + 34) + 1;
9829 uint32_t ech_offset = 35 + tvb_get_uint8(ech_tvb, 34);
9830 tvb_memcpy(ech_tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len, ech_offset,
9831 2 + tvb_get_ntohs(ech_tvb, ech_offset));
9832 ssl->ech_transcript.data_len += 2 + tvb_get_ntohs(ech_tvb, ech_offset);
9833 ech_offset += 2 + tvb_get_ntohs(ech_tvb, ech_offset);
9834 tvb_memcpy(ech_tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len, ech_offset,
9835 1 + tvb_get_uint8(ech_tvb, ech_offset));
9836 ssl->ech_transcript.data_len += 1 + tvb_get_uint8(ech_tvb, ech_offset);
9837 ech_offset += 1 + tvb_get_uint8(ech_tvb, ech_offset);
9838 uint32_t ech_extensions_len_offset = ssl->ech_transcript.data_len;
9839 ssl->ech_transcript.data_len += 2;
9840 uint16_t extensions_end = ech_offset + tvb_get_ntohs(ech_tvb, ech_offset) + 2;
9841 ech_offset += 2;
9842 while (extensions_end - ech_offset >= 4) {
9843 if (tvb_get_ntohs(ech_tvb, ech_offset) != SSL_HND_HELLO_EXT_ECH_OUTER_EXTENSIONS64768) {
9844 tvb_memcpy(ech_tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len, ech_offset,
9845 4 + tvb_get_ntohs(ech_tvb, ech_offset + 2));
9846 ssl->ech_transcript.data_len += 4 + tvb_get_ntohs(ech_tvb, ech_offset + 2);
9847 ech_offset += 4 + tvb_get_ntohs(ech_tvb, ech_offset + 2);
9848 } else if (tvb_get_ntohs(ech_tvb, ech_offset + 2) > 0) {
9849 uint8_t outer_extensions_end = tvb_get_uint8(ech_tvb, ech_offset + 4) + ech_offset + 5;
9850 ech_offset += 5;
9851 uint16_t outer_offset = initial_offset + 35 + tvb_get_uint8(tvb, initial_offset + 34);
9852 outer_offset += tvb_get_ntohs(tvb, outer_offset) + 2;
9853 outer_offset += tvb_get_uint8(tvb, outer_offset) + 3;
9854 while (outer_extensions_end - ech_offset >= 2) {
9855 while (hello_length - outer_offset >= 4) {
9856 if (tvb_get_ntohs(tvb, outer_offset) == tvb_get_ntohs(ech_tvb, ech_offset)) {
9857 tvb_memcpy(tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len, outer_offset,
9858 4 + tvb_get_ntohs(tvb, outer_offset + 2));
9859 ssl->ech_transcript.data_len += 4 + tvb_get_ntohs(tvb, outer_offset + 2);
9860 outer_offset += 4 + tvb_get_ntohs(tvb, outer_offset + 2);
9861 break;
9862 } else {
9863 outer_offset += 4 + tvb_get_ntohs(tvb, outer_offset + 2);
9864 }
9865 }
9866 ech_offset += 2;
9867 }
9868 }
9869 }
9870 uint16_t ech_extensions_len_be = GUINT16_TO_BE(ssl->ech_transcript.data_len - ech_extensions_len_offset - 2)((((guint16) ( (guint16) ((guint16) (ssl->ech_transcript.data_len
- ech_extensions_len_offset - 2) >> 8) | (guint16) ((guint16
) (ssl->ech_transcript.data_len - ech_extensions_len_offset
- 2) << 8)))));
9871 *(ssl->ech_transcript.data + ech_extensions_len_offset) = ech_extensions_len_be & 0xff;
9872 *(ssl->ech_transcript.data + ech_extensions_len_offset + 1) = (ech_extensions_len_be >> 8);
9873 *(ssl->ech_transcript.data + len_offset + 2) = ((ssl->ech_transcript.data_len - len_offset - 4) >> 8);
9874 *(ssl->ech_transcript.data + len_offset + 3) = (ssl->ech_transcript.data_len - len_offset - 4) & 0xff;
9875 }
9876 uint32_t ech_padding_begin = (uint32_t)ssl_dissect_hnd_cli_hello(hf, ech_tvb, pinfo, payload_tree, 0, length - 16, session,
9877 ssl, NULL((void*)0), mk_map);
9878 if (ech_padding_begin < length - 16) {
9879 proto_tree_add_item(payload_tree, hf->hf.ech_padding_data, ech_tvb, ech_padding_begin, length - 16 - ech_padding_begin,
9880 ENC_NA0x00000000);
9881 }
9882 }
9883
9884 break;
9885 case 1: /* inner */
9886 break;
9887 }
9888 break;
9889
9890 case SSL_HND_ENCRYPTED_EXTENSIONS:
9891 /*
9892 * struct {
9893 * ECHConfigList retry_configs;
9894 * } ECHEncryptedExtensions;
9895 */
9896
9897 ti = proto_tree_add_item(tree, hf->hf.ech_retry_configs, tvb, offset, offset_end - offset, ENC_NA0x00000000);
9898 retry_tree = proto_item_add_subtree(ti, hf->ett.ech_retry_configs);
9899 offset = ssl_dissect_ext_ech_echconfiglist(hf, tvb, pinfo, retry_tree, offset, offset_end);
9900 break;
9901
9902 case SSL_HND_HELLO_RETRY_REQUEST:
9903 /*
9904 * struct {
9905 * opaque confirmation[8];
9906 * } ECHHelloRetryRequest;
9907 */
9908
9909 proto_tree_add_item(tree, hf->hf.ech_confirmation, tvb, offset, 8, ENC_NA0x00000000);
9910 if (session->ech) {
9911 ti = proto_tree_add_bytes_with_length(tree, hf->hf.hs_ech_confirm_compute, tvb, offset, 0, session->hrr_ech_confirmation, 8);
9912 proto_item_set_generated(ti);
9913 if (memcmp(session->hrr_ech_confirmation, tvb_get_ptr(tvb, offset, 8), 8)) {
9914 expert_add_info(pinfo, ti, &hf->ei.ech_rejected);
9915 } else {
9916 expert_add_info(pinfo, ti, &hf->ei.ech_accepted);
9917 }
9918 }
9919 offset += 8;
9920 break;
9921 }
9922
9923 return offset;
9924}
9925
9926static uint32_t
9927ssl_dissect_hnd_hello_ext_esni(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9928 proto_tree *tree, uint32_t offset, uint32_t offset_end,
9929 uint8_t hnd_type, SslDecryptSession *ssl _U___attribute__((unused)))
9930{
9931 uint32_t record_digest_length, encrypted_sni_length;
9932
9933 switch (hnd_type) {
9934 case SSL_HND_CLIENT_HELLO:
9935 /*
9936 * struct {
9937 * CipherSuite suite;
9938 * KeyShareEntry key_share;
9939 * opaque record_digest<0..2^16-1>;
9940 * opaque encrypted_sni<0..2^16-1>;
9941 * } ClientEncryptedSNI;
9942 */
9943 proto_tree_add_item(tree, hf->hf.esni_suite, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
9944 offset += 2;
9945 offset = ssl_dissect_hnd_hello_ext_key_share_entry(hf, tvb, pinfo, tree, offset, offset_end, NULL((void*)0));
9946
9947 /* opaque record_digest<0..2^16-1> */
9948 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &record_digest_length,
9949 hf->hf.esni_record_digest_length, 0, UINT16_MAX(65535))) {
9950 return offset_end;
9951 }
9952 offset += 2;
9953 if (record_digest_length > 0) {
9954 proto_tree_add_item(tree, hf->hf.esni_record_digest, tvb, offset, record_digest_length, ENC_NA0x00000000);
9955 offset += record_digest_length;
9956 }
9957
9958 /* opaque encrypted_sni<0..2^16-1> */
9959 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &encrypted_sni_length,
9960 hf->hf.esni_encrypted_sni_length, 0, UINT16_MAX(65535))) {
9961 return offset_end;
9962 }
9963 offset += 2;
9964 if (encrypted_sni_length > 0) {
9965 proto_tree_add_item(tree, hf->hf.esni_encrypted_sni, tvb, offset, encrypted_sni_length, ENC_NA0x00000000);
9966 offset += encrypted_sni_length;
9967 }
9968 break;
9969
9970 case SSL_HND_ENCRYPTED_EXTENSIONS:
9971 proto_tree_add_item(tree, hf->hf.esni_nonce, tvb, offset, 16, ENC_NA0x00000000);
9972 offset += 16;
9973 break;
9974 }
9975
9976 return offset;
9977}
9978/** TLS Extensions (in Client Hello and Server Hello). }}} */
9979
9980/* Connection ID dissection. {{{ */
9981static uint32_t
9982ssl_dissect_ext_connection_id(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
9983 proto_tree *tree, uint32_t offset, SslDecryptSession *ssl,
9984 uint8_t cidl, uint8_t **session_cid, uint8_t *session_cidl)
9985{
9986 /* keep track of the decrypt session only for the first pass */
9987 if (cidl > 0 && !PINFO_FD_VISITED(pinfo)((pinfo)->fd->visited)) {
9988 tvb_ensure_bytes_exist(tvb, offset + 1, cidl);
9989 *session_cidl = cidl;
9990 *session_cid = (uint8_t*)wmem_alloc0(wmem_file_scope(), cidl);
9991 tvb_memcpy(tvb, *session_cid, offset + 1, cidl);
9992 if (ssl) {
9993 ssl_add_session_by_cid(ssl);
9994 }
9995 }
9996
9997 proto_tree_add_item(tree, hf->hf.hs_ext_connection_id_length,
9998 tvb, offset, 1, ENC_NA0x00000000);
9999 offset++;
10000
10001 if (cidl > 0) {
10002 proto_tree_add_item(tree, hf->hf.hs_ext_connection_id,
10003 tvb, offset, cidl, ENC_NA0x00000000);
10004 offset += cidl;
10005 }
10006
10007 return offset;
10008}
10009
10010static uint32_t
10011ssl_dissect_hnd_hello_ext_connection_id(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
10012 proto_tree *tree, uint32_t offset, uint8_t hnd_type,
10013 SslSession *session, SslDecryptSession *ssl)
10014{
10015 uint8_t cidl = tvb_get_uint8(tvb, offset);
10016
10017 switch (hnd_type) {
10018 case SSL_HND_CLIENT_HELLO:
10019 session->client_cid_len_present = true1;
10020 return ssl_dissect_ext_connection_id(hf, tvb, pinfo, tree, offset, ssl,
10021 cidl, &session->client_cid, &session->client_cid_len);
10022 case SSL_HND_SERVER_HELLO:
10023 session->server_cid_len_present = true1;
10024 return ssl_dissect_ext_connection_id(hf, tvb, pinfo, tree, offset, ssl,
10025 cidl, &session->server_cid, &session->server_cid_len);
10026 default:
10027 return offset;
10028 }
10029} /* }}} */
10030
10031/* Trusted CA dissection. {{{ */
10032static uint32_t
10033ssl_dissect_hnd_hello_ext_trusted_ca_keys(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
10034 uint32_t offset, uint32_t offset_end)
10035{
10036 proto_item *ti;
10037 proto_tree *subtree;
10038 uint32_t keys_length, next_offset;
10039
10040 /*
10041 * struct {
10042 * TrustedAuthority trusted_authorities_list<0..2^16-1>;
10043 * } TrustedAuthorities;
10044 *
10045 * struct {
10046 * IdentifierType identifier_type;
10047 * select (identifier_type) {
10048 * case pre_agreed: struct {};
10049 * case key_sha1_hash: SHA1Hash;
10050 * case x509_name: DistinguishedName;
10051 * case cert_sha1_hash: SHA1Hash;
10052 * } identifier;
10053 * } TrustedAuthority;
10054 *
10055 * enum {
10056 * pre_agreed(0), key_sha1_hash(1), x509_name(2),
10057 * cert_sha1_hash(3), (255)
10058 * } IdentifierType;
10059 *
10060 * opaque DistinguishedName<1..2^16-1>;
10061 *
10062 */
10063
10064
10065 /* TrustedAuthority trusted_authorities_list<0..2^16-1> */
10066 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &keys_length, hf->hf.hs_ext_trusted_ca_keys_len,
10067 0, UINT16_MAX(65535)))
10068 {
10069 return offset_end;
10070 }
10071 offset += 2;
10072 next_offset = offset + keys_length;
10073
10074 if (keys_length > 0)
10075 {
10076 ti = proto_tree_add_none_format(tree, hf->hf.hs_ext_trusted_ca_keys_list, tvb, offset, keys_length,
10077 "Trusted CA keys (%d byte%s)", keys_length, plurality(keys_length, "", "s")((keys_length) == 1 ? ("") : ("s")));
10078 subtree = proto_item_add_subtree(ti, hf->ett.hs_ext_trusted_ca_keys);
10079
10080 while (offset < next_offset)
10081 {
10082 uint32_t identifier_type;
10083 proto_tree *trusted_key_tree;
10084 proto_item *trusted_key_item;
10085 asn1_ctx_t asn1_ctx;
10086 uint32_t key_len = 0;
10087
10088 identifier_type = tvb_get_uint8(tvb, offset);
10089
10090 // Use 0 as length for now as we'll only know the size when we decode the identifier
10091 trusted_key_item = proto_tree_add_none_format(subtree, hf->hf.hs_ext_trusted_ca_key, tvb,
10092 offset, 0, "Trusted CA Key");
10093 trusted_key_tree = proto_item_add_subtree(trusted_key_item, hf->ett.hs_ext_trusted_ca_key);
10094
10095 proto_tree_add_uint(trusted_key_tree, hf->hf.hs_ext_trusted_ca_key_type, tvb,
10096 offset, 1, identifier_type);
10097 offset++;
10098
10099 /*
10100 * enum {
10101 * pre_agreed(0), key_sha1_hash(1), x509_name(2),
10102 * cert_sha1_hash(3), (255)
10103 * } IdentifierType;
10104 */
10105 switch (identifier_type)
10106 {
10107 case 0:
10108 key_len = 0;
10109 break;
10110 case 2:
10111 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true1, pinfo);
10112
10113 uint32_t name_length;
10114 /* opaque DistinguishedName<1..2^16-1> */
10115 if (!ssl_add_vector(hf, tvb, pinfo, trusted_key_tree, offset, next_offset, &name_length,
10116 hf->hf.hs_ext_trusted_ca_key_dname_len, 1, UINT16_MAX(65535))) {
10117 return next_offset;
10118 }
10119 offset += 2;
10120
10121 dissect_x509if_DistinguishedName(false0, tvb, offset, &asn1_ctx,
10122 trusted_key_tree, hf->hf.hs_ext_trusted_ca_key_dname);
10123 offset += name_length;
10124 break;
10125 case 1:
10126 case 3:
10127 key_len = 20;
10128 /* opaque SHA1Hash[20]; */
10129 proto_tree_add_item(trusted_key_tree, hf->hf.hs_ext_trusted_ca_key_hash, tvb,
10130 offset, 20, ENC_NA0x00000000);
10131 break;
10132
10133 default:
10134 key_len = 0;
10135 /*TODO display expert info about unknown ? */
10136 break;
10137 }
10138 proto_item_set_len(trusted_key_item, 1 + key_len);
10139 offset += key_len;
10140 }
10141 }
10142
10143 if (!ssl_end_vector(hf, tvb, pinfo, tree, offset, next_offset))
10144 {
10145 offset = next_offset;
10146 }
10147
10148 return offset;
10149} /* }}} */
10150
10151
10152/* Whether the Content and Handshake Types are valid; handle Protocol Version. {{{ */
10153bool_Bool
10154ssl_is_valid_content_type(uint8_t type)
10155{
10156 switch ((ContentType) type) {
10157 case SSL_ID_CHG_CIPHER_SPEC:
10158 case SSL_ID_ALERT:
10159 case SSL_ID_HANDSHAKE:
10160 case SSL_ID_APP_DATA:
10161 case SSL_ID_HEARTBEAT:
10162 case SSL_ID_TLS12_CID:
10163 case SSL_ID_DTLS13_ACK:
10164 return true1;
10165 }
10166 return false0;
10167}
10168
10169bool_Bool
10170ssl_is_valid_handshake_type(uint8_t hs_type, bool_Bool is_dtls)
10171{
10172 switch ((HandshakeType) hs_type) {
10173 case SSL_HND_HELLO_VERIFY_REQUEST:
10174 /* hello_verify_request is DTLS-only */
10175 return is_dtls;
10176
10177 case SSL_HND_HELLO_REQUEST:
10178 case SSL_HND_CLIENT_HELLO:
10179 case SSL_HND_SERVER_HELLO:
10180 case SSL_HND_NEWSESSION_TICKET:
10181 case SSL_HND_END_OF_EARLY_DATA:
10182 case SSL_HND_HELLO_RETRY_REQUEST:
10183 case SSL_HND_ENCRYPTED_EXTENSIONS:
10184 case SSL_HND_CERTIFICATE:
10185 case SSL_HND_SERVER_KEY_EXCHG:
10186 case SSL_HND_CERT_REQUEST:
10187 case SSL_HND_SVR_HELLO_DONE:
10188 case SSL_HND_CERT_VERIFY:
10189 case SSL_HND_CLIENT_KEY_EXCHG:
10190 case SSL_HND_FINISHED:
10191 case SSL_HND_CERT_URL:
10192 case SSL_HND_CERT_STATUS:
10193 case SSL_HND_SUPPLEMENTAL_DATA:
10194 case SSL_HND_KEY_UPDATE:
10195 case SSL_HND_COMPRESSED_CERTIFICATE:
10196 case SSL_HND_ENCRYPTED_EXTS:
10197 return true1;
10198 case SSL_HND_MESSAGE_HASH:
10199 return false0;
10200 }
10201 return false0;
10202}
10203
10204static bool_Bool
10205ssl_is_authoritative_version_message(uint8_t content_type, uint8_t handshake_type,
10206 bool_Bool is_dtls)
10207{
10208 /* Consider all valid Handshake messages (except for Client Hello) and
10209 * all other valid record types (other than Handshake) */
10210 return (content_type == SSL_ID_HANDSHAKE &&
10211 ssl_is_valid_handshake_type(handshake_type, is_dtls) &&
10212 handshake_type != SSL_HND_CLIENT_HELLO) ||
10213 (content_type != SSL_ID_HANDSHAKE &&
10214 ssl_is_valid_content_type(content_type));
10215}
10216
10217/**
10218 * Scan a Server Hello handshake message for the negotiated version. For TLS 1.3
10219 * draft 22 and newer, it also checks whether it is a HelloRetryRequest.
10220 * Returns true if the supported_versions extension was found, false if not.
10221 */
10222bool_Bool
10223tls_scan_server_hello(tvbuff_t *tvb, uint32_t offset, uint32_t offset_end,
10224 uint16_t *server_version, bool_Bool *is_hrr)
10225{
10226 /* SHA256("HelloRetryRequest") */
10227 static const uint8_t tls13_hrr_random_magic[] = {
10228 0xcf, 0x21, 0xad, 0x74, 0xe5, 0x9a, 0x61, 0x11, 0xbe, 0x1d, 0x8c, 0x02, 0x1e, 0x65, 0xb8, 0x91,
10229 0xc2, 0xa2, 0x11, 0x16, 0x7a, 0xbb, 0x8c, 0x5e, 0x07, 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c
10230 };
10231 uint8_t session_id_length;
10232
10233 *server_version = tvb_get_ntohs(tvb, offset);
10234
10235 /*
10236 * Try to look for supported_versions extension. Minimum length:
10237 * 2 + 32 + 1 = 35 (version, random, session id length)
10238 * 2 + 1 + 2 = 5 (cipher suite, compression method, extensions length)
10239 * 2 + 2 + 2 = 6 (ext type, ext len, version)
10240 *
10241 * We only check for the [legacy_]version field to be [D]TLS 1.2; if it's 1.3,
10242 * there's a separate expert info warning for that.
10243 */
10244 if ((*server_version == TLSV1DOT2_VERSION0x303 || *server_version == DTLSV1DOT2_VERSION0xfefd) && offset_end - offset >= 46) {
10245 offset += 2;
10246 if (is_hrr) {
10247 *is_hrr = tvb_memeql(tvb, offset, tls13_hrr_random_magic, sizeof(tls13_hrr_random_magic)) == 0;
10248 }
10249 offset += 32;
10250 session_id_length = tvb_get_uint8(tvb, offset);
10251 offset++;
10252 if (offset_end - offset < session_id_length + 5u) {
10253 return false0;
10254 }
10255 offset += session_id_length + 5;
10256
10257 while (offset_end - offset >= 6) {
10258 uint16_t ext_type = tvb_get_ntohs(tvb, offset);
10259 uint16_t ext_len = tvb_get_ntohs(tvb, offset + 2);
10260 if (offset_end - offset < 4u + ext_len) {
10261 break; /* not enough data for type, length and data */
10262 }
10263 if (ext_type == SSL_HND_HELLO_EXT_SUPPORTED_VERSIONS43) {
10264 if (ext_len == 2) {
10265 *server_version = tvb_get_ntohs(tvb, offset + 4);
10266 }
10267 return true1;
10268 }
10269 offset += 4 + ext_len;
10270 }
10271 } else {
10272 if (is_hrr) {
10273 *is_hrr = false0;
10274 }
10275 }
10276 return false0;
10277}
10278
10279/**
10280 * Scan a Client Hello handshake message to see if the supported_versions
10281 * extension is found, in which case the version field is legacy_version.
10282 */
10283static bool_Bool
10284tls_scan_client_hello(tvbuff_t *tvb, uint32_t offset, uint32_t offset_end)
10285{
10286 uint8_t session_id_length;
10287
10288 uint16_t client_version = tvb_get_ntohs(tvb, offset);
10289
10290 /*
10291 * Try to look for supported_versions extension. Minimum length:
10292 * 2 + 32 + 1 = 35 (version, random, session id length)
10293 * 2 + 2 + 1 + 2 = 5 (cipher suite, compression method, extensions length)
10294 * 2 + 2 + 2 = 6 (ext type, ext len, version)
10295 *
10296 * We only check for the [legacy_]version field to be [D]TLS 1.2; if it's 1.3,
10297 * there's a separate expert info warning for that.
10298 */
10299 if ((client_version == TLSV1DOT2_VERSION0x303 || client_version == DTLSV1DOT2_VERSION0xfefd) && offset_end - offset >= 46) {
10300 offset += 2;
10301 offset += 32;
10302 session_id_length = tvb_get_uint8(tvb, offset);
10303 offset++;
10304 if (offset_end - offset < session_id_length + 2u) {
10305 return false0;
10306 }
10307 offset += session_id_length;
10308 if (client_version == DTLSV1DOT2_VERSION0xfefd) {
10309 uint8_t cookie_length = tvb_get_uint8(tvb, offset);
10310 offset++;
10311 if (offset_end - offset < cookie_length + 2u) {
10312 return false0;
10313 }
10314 }
10315 uint16_t cipher_suites_length = tvb_get_ntohs(tvb, offset);
10316 offset += 2;
10317 if (offset_end - offset < cipher_suites_length + 1u) {
10318 return false0;
10319 }
10320 offset += cipher_suites_length;
10321 uint8_t compression_methods_length = tvb_get_uint8(tvb, offset);
10322 offset++;
10323 if (offset_end - offset < compression_methods_length + 2u) {
10324 return false0;
10325 }
10326 offset += compression_methods_length + 2;
10327
10328 while (offset_end - offset >= 6) {
10329 uint16_t ext_type = tvb_get_ntohs(tvb, offset);
10330 uint16_t ext_len = tvb_get_ntohs(tvb, offset + 2);
10331 if (offset_end - offset < 4u + ext_len) {
10332 break; /* not enough data for type, length and data */
10333 }
10334 if (ext_type == SSL_HND_HELLO_EXT_SUPPORTED_VERSIONS43) {
10335 return true1;
10336 }
10337 offset += 4 + ext_len;
10338 }
10339 }
10340 return false0;
10341}
10342void
10343ssl_try_set_version(SslSession *session, SslDecryptSession *ssl,
10344 uint8_t content_type, uint8_t handshake_type,
10345 bool_Bool is_dtls, uint16_t version)
10346{
10347 uint8_t tls13_draft = 0;
10348
10349 if (!ssl_is_authoritative_version_message(content_type, handshake_type,
10350 is_dtls))
10351 return;
10352
10353 version = tls_try_get_version(is_dtls, version, &tls13_draft);
10354 if (version == SSL_VER_UNKNOWN0) {
10355 return;
10356 }
10357
10358 session->tls13_draft_version = tls13_draft;
10359 session->version = version;
10360 if (ssl) {
10361 ssl->state |= SSL_VERSION(1<<4);
10362 ssl_debug_printf("%s found version 0x%04X -> state 0x%02X\n", G_STRFUNC((const char*) (__func__)), version, ssl->state);
10363 }
10364}
10365
10366void
10367ssl_check_record_length(ssl_common_dissect_t *hf, packet_info *pinfo,
10368 ContentType content_type,
10369 unsigned record_length, proto_item *length_pi,
10370 uint16_t version, tvbuff_t *decrypted_tvb)
10371{
10372 unsigned max_expansion;
10373 if (version == TLSV1DOT3_VERSION0x304) {
10374 /* TLS 1.3: Max length is 2^14 + 256 */
10375 max_expansion = 256;
10376 } else {
10377 /* RFC 5246, Section 6.2.3: TLSCiphertext.fragment length MUST NOT exceed 2^14 + 2048 */
10378 max_expansion = 2048;
10379 }
10380 /*
10381 * RFC 5246 (TLS 1.2), Section 6.2.1 forbids zero-length Handshake, Alert
10382 * and ChangeCipherSpec.
10383 * RFC 6520 (Heartbeats) does not mention zero-length Heartbeat fragments,
10384 * so assume it is permitted.
10385 * RFC 6347 (DTLS 1.2) does not mention zero-length fragments either, so
10386 * assume TLS 1.2 requirements.
10387 */
10388 if (record_length == 0 &&
10389 (content_type == SSL_ID_CHG_CIPHER_SPEC ||
10390 content_type == SSL_ID_ALERT ||
10391 content_type == SSL_ID_HANDSHAKE)) {
10392 expert_add_info_format(pinfo, length_pi, &hf->ei.record_length_invalid,
10393 "Zero-length %s fragments are not allowed",
10394 val_to_str_const(content_type, ssl_31_content_type, "unknown"));
10395 }
10396 if (record_length > TLS_MAX_RECORD_LENGTH0x4000 + max_expansion) {
10397 expert_add_info_format(pinfo, length_pi, &hf->ei.record_length_invalid,
10398 "TLSCiphertext length MUST NOT exceed 2^14 + %u", max_expansion);
10399 }
10400 if (decrypted_tvb && tvb_captured_length(decrypted_tvb) > TLS_MAX_RECORD_LENGTH0x4000) {
10401 expert_add_info_format(pinfo, length_pi, &hf->ei.record_length_invalid,
10402 "TLSPlaintext length MUST NOT exceed 2^14");
10403 }
10404}
10405
10406static void
10407ssl_set_cipher(SslDecryptSession *ssl, uint16_t cipher)
10408{
10409 /* store selected cipher suite for decryption */
10410 ssl->session.cipher = cipher;
10411
10412 const SslCipherSuite *cs = ssl_find_cipher(cipher);
10413 if (!cs) {
10414 ssl->cipher_suite = NULL((void*)0);
10415 ssl->state &= ~SSL_CIPHER(1<<2);
10416 ssl_debug_printf("%s can't find cipher suite 0x%04X\n", G_STRFUNC((const char*) (__func__)), cipher);
10417 } else if (ssl->session.version == SSLV3_VERSION0x300 && !(cs->dig == DIG_MD50x40 || cs->dig == DIG_SHA0x41)) {
10418 /* A malicious packet capture contains a SSL 3.0 session using a TLS 1.2
10419 * cipher suite that uses for example MACAlgorithm SHA256. Reject that
10420 * to avoid a potential buffer overflow in ssl3_check_mac. */
10421 ssl->cipher_suite = NULL((void*)0);
10422 ssl->state &= ~SSL_CIPHER(1<<2);
10423 ssl_debug_printf("%s invalid SSL 3.0 cipher suite 0x%04X\n", G_STRFUNC((const char*) (__func__)), cipher);
10424 } else {
10425 /* Cipher found, save this for the delayed decoder init */
10426 ssl->cipher_suite = cs;
10427 ssl->state |= SSL_CIPHER(1<<2);
10428 ssl_debug_printf("%s found CIPHER 0x%04X %s -> state 0x%02X\n", G_STRFUNC((const char*) (__func__)), cipher,
10429 val_to_str_ext_const(cipher, &ssl_31_ciphersuite_ext, "unknown"),
10430 ssl->state);
10431 }
10432}
10433/* }}} */
10434
10435
10436/* Client Hello and Server Hello dissections. {{{ */
10437static int
10438ssl_dissect_hnd_extension(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree,
10439 packet_info* pinfo, uint32_t offset, uint32_t offset_end, uint8_t hnd_type,
10440 SslSession *session, SslDecryptSession *ssl,
10441 bool_Bool is_dtls, wmem_strbuf_t *ja3, ja4_data_t *ja4_data,
10442 ssl_master_key_map_t *mk_map, uint32_t initial_offset, uint32_t hello_length);
10443int
10444// NOLINTNEXTLINE(misc-no-recursion)
10445ssl_dissect_hnd_cli_hello(ssl_common_dissect_t *hf, tvbuff_t *tvb,
10446 packet_info *pinfo, proto_tree *tree, uint32_t offset,
10447 uint32_t offset_end, SslSession *session,
10448 SslDecryptSession *ssl, dtls_hfs_t *dtls_hfs, ssl_master_key_map_t *mk_map)
10449{
10450 /* struct {
10451 * ProtocolVersion client_version;
10452 * Random random;
10453 * SessionID session_id;
10454 * opaque cookie<0..32>; //new field for DTLS
10455 * CipherSuite cipher_suites<2..2^16-1>;
10456 * CompressionMethod compression_methods<1..2^8-1>;
10457 * Extension client_hello_extension_list<0..2^16-1>;
10458 * } ClientHello;
10459 */
10460 proto_item *ti;
10461 proto_tree *cs_tree;
10462 uint32_t client_version;
10463 uint32_t cipher_suite_length;
10464 uint32_t compression_methods_length;
10465 uint8_t compression_method;
10466 uint32_t next_offset;
10467 uint32_t initial_offset = offset;
10468 uint32_t hello_length = offset_end - initial_offset;
10469 wmem_strbuf_t *ja3 = wmem_strbuf_new(pinfo->pool, "");
10470 char *ja3_hash;
10471 char *ja3_dash = "";
10472 char *ja4, *ja4_r, *ja4_hash, *ja4_b, *ja4_c;
10473 ja4_data_t ja4_data;
10474 wmem_strbuf_t *ja4_a = wmem_strbuf_new(pinfo->pool, "");
10475 wmem_strbuf_t *ja4_br = wmem_strbuf_new(pinfo->pool, "");
10476 wmem_strbuf_t *ja4_cr = wmem_strbuf_new(pinfo->pool, "");
10477 wmem_list_frame_t *curr_entry;
10478
10479 ja4_data.max_version = 0;
10480 ja4_data.server_name_present = false0;
10481 ja4_data.num_cipher_suites = 0;
10482 ja4_data.num_extensions = 0;
10483 ja4_data.alpn = wmem_strbuf_new(pinfo->pool, "");
10484 ja4_data.cipher_list = wmem_list_new(pinfo->pool);
10485 ja4_data.extension_list = wmem_list_new(pinfo->pool);
10486 ja4_data.sighash_list = wmem_list_new(pinfo->pool);
10487
10488 /* show the client version */
10489 ti = proto_tree_add_item_ret_uint(tree, hf->hf.hs_client_version, tvb,
10490 offset, 2, ENC_BIG_ENDIAN0x00000000,
10491 &client_version);
10492 if (tls_scan_client_hello(tvb, offset, offset_end)) {
10493 expert_add_info(pinfo, ti, &hf->ei.legacy_version);
10494 }
10495 offset += 2;
10496 wmem_strbuf_append_printf(ja3, "%i,", client_version);
10497
10498 /*
10499 * Is it version 1.3?
10500 * If so, that's an error; TLS and DTLS 1.3 Client Hellos claim
10501 * to be TLS 1.2, and mention 1.3 in an extension. See RFC 8446
10502 * section 4.1.2 "Client Hello" and RFC 9147 Section 5.3 "Client
10503 * Hello".
10504 */
10505 if (dtls_hfs != NULL((void*)0)) {
10506 if (client_version == DTLSV1DOT3_VERSION0xfefc) {
10507 /* Don't do that. */
10508 expert_add_info(pinfo, ti, &hf->ei.client_version_error);
10509 }
10510 } else {
10511 if (client_version == TLSV1DOT3_VERSION0x304) {
10512 /* Don't do that. */
10513 expert_add_info(pinfo, ti, &hf->ei.client_version_error);
10514 }
10515 }
10516
10517 /* dissect fields that are present in both ClientHello and ServerHello */
10518 offset = ssl_dissect_hnd_hello_common(hf, tvb, pinfo, tree, offset, session, ssl, false0, false0);
10519
10520 /* fields specific for DTLS (cookie_len, cookie) */
10521 if (dtls_hfs != NULL((void*)0)) {
10522 uint32_t cookie_length;
10523 /* opaque cookie<0..32> (for DTLS only) */
10524 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &cookie_length,
10525 dtls_hfs->hf_dtls_handshake_cookie_len, 0, 32)) {
10526 return offset;
10527 }
10528 offset++;
10529 if (cookie_length > 0) {
10530 proto_tree_add_item(tree, dtls_hfs->hf_dtls_handshake_cookie,
10531 tvb, offset, cookie_length, ENC_NA0x00000000);
10532 offset += cookie_length;
10533 }
10534 }
10535
10536 /* CipherSuite cipher_suites<2..2^16-1> */
10537 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &cipher_suite_length,
10538 hf->hf.hs_cipher_suites_len, 2, UINT16_MAX(65535))) {
10539 return offset;
10540 }
10541 offset += 2;
10542 next_offset = offset + cipher_suite_length;
10543 ti = proto_tree_add_none_format(tree,
10544 hf->hf.hs_cipher_suites,
10545 tvb, offset, cipher_suite_length,
10546 "Cipher Suites (%d suite%s)",
10547 cipher_suite_length / 2,
10548 plurality(cipher_suite_length/2, "", "s")((cipher_suite_length/2) == 1 ? ("") : ("s")));
10549 cs_tree = proto_item_add_subtree(ti, hf->ett.cipher_suites);
10550 while (offset + 2 <= next_offset) {
10551 uint32_t cipher_suite;
10552
10553 proto_tree_add_item_ret_uint(cs_tree, hf->hf.hs_cipher_suite, tvb, offset, 2,
10554 ENC_BIG_ENDIAN0x00000000, &cipher_suite);
10555 offset += 2;
10556 if (!IS_GREASE_TLS(cipher_suite)((((cipher_suite) & 0x0f0f) == 0x0a0a) && (((cipher_suite
) & 0xff) == (((cipher_suite)>>8) & 0xff)))) {
10557 wmem_strbuf_append_printf(ja3, "%s%i",ja3_dash, cipher_suite);
10558 ja3_dash = "-";
10559 ja4_data.num_cipher_suites += 1;
10560 wmem_list_insert_sorted(ja4_data.cipher_list, GUINT_TO_POINTER(cipher_suite)((gpointer) (gulong) (cipher_suite)), wmem_compare_uint);
10561 }
10562 }
10563 wmem_strbuf_append_c(ja3, ',');
10564 if (!ssl_end_vector(hf, tvb, pinfo, cs_tree, offset, next_offset)) {
10565 offset = next_offset;
10566 }
10567
10568 /* CompressionMethod compression_methods<1..2^8-1> */
10569 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &compression_methods_length,
10570 hf->hf.hs_comp_methods_len, 1, UINT8_MAX(255))) {
10571 return offset;
10572 }
10573 offset++;
10574 next_offset = offset + compression_methods_length;
10575 ti = proto_tree_add_none_format(tree,
10576 hf->hf.hs_comp_methods,
10577 tvb, offset, compression_methods_length,
10578 "Compression Methods (%u method%s)",
10579 compression_methods_length,
10580 plurality(compression_methods_length,((compression_methods_length) == 1 ? ("") : ("s"))
10581 "", "s")((compression_methods_length) == 1 ? ("") : ("s")));
10582 cs_tree = proto_item_add_subtree(ti, hf->ett.comp_methods);
10583 while (offset < next_offset) {
10584 compression_method = tvb_get_uint8(tvb, offset);
10585 /* TODO: make reserved/private comp meth. fields selectable */
10586 if (compression_method < 64)
10587 proto_tree_add_uint(cs_tree, hf->hf.hs_comp_method,
10588 tvb, offset, 1, compression_method);
10589 else if (compression_method > 63 && compression_method < 193)
10590 proto_tree_add_uint_format_value(cs_tree, hf->hf.hs_comp_method, tvb, offset, 1,
10591 compression_method, "Reserved - to be assigned by IANA (%u)",
10592 compression_method);
10593 else
10594 proto_tree_add_uint_format_value(cs_tree, hf->hf.hs_comp_method, tvb, offset, 1,
10595 compression_method, "Private use range (%u)",
10596 compression_method);
10597 offset++;
10598 }
10599
10600 /* SSL v3.0 has no extensions, so length field can indeed be missing. */
10601 if (offset < offset_end) {
10602 offset = ssl_dissect_hnd_extension(hf, tvb, tree, pinfo, offset,
10603 offset_end, SSL_HND_CLIENT_HELLO,
10604 session, ssl, dtls_hfs != NULL((void*)0), ja3, &ja4_data, mk_map, initial_offset, hello_length);
10605 if (ja4_data.max_version > 0) {
10606 client_version = ja4_data.max_version;
10607 }
10608 } else {
10609 wmem_strbuf_append_printf(ja3, ",,");
10610 }
10611
10612 if (proto_is_frame_protocol(pinfo->layers,"tcp")) {
10613 wmem_strbuf_append(ja4_a, "t");
10614 } else if (proto_is_frame_protocol(pinfo->layers,"quic")) {
10615 wmem_strbuf_append(ja4_a, "q");
10616 } else if (proto_is_frame_protocol(pinfo->layers,"dtls")) {
10617 wmem_strbuf_append(ja4_a, "d");
10618 }
10619 wmem_strbuf_append_printf(ja4_a, "%s", val_to_str_const(client_version, ssl_version_ja4_names, "00"));
10620 wmem_strbuf_append_printf(ja4_a, "%s", ja4_data.server_name_present ? "d" : "i");
10621 if (ja4_data.num_cipher_suites > 99) {
10622 wmem_strbuf_append(ja4_a, "99");
10623 } else {
10624 wmem_strbuf_append_printf(ja4_a, "%02d", ja4_data.num_cipher_suites);
10625 }
10626 if (ja4_data.num_extensions > 99) {
10627 wmem_strbuf_append(ja4_a, "99");
10628 } else {
10629 wmem_strbuf_append_printf(ja4_a, "%02d", ja4_data.num_extensions);
10630 }
10631 if (wmem_strbuf_get_len(ja4_data.alpn) > 0 ) {
10632 wmem_strbuf_append_printf(ja4_a, "%s", wmem_strbuf_get_str(ja4_data.alpn));
10633 } else {
10634 wmem_strbuf_append(ja4_a, "00");
10635 }
10636
10637 curr_entry = wmem_list_head(ja4_data.cipher_list);
10638 for (unsigned i = 0; i < wmem_list_count(ja4_data.cipher_list); i++) {
10639 wmem_strbuf_append_printf(ja4_br, "%04x", GPOINTER_TO_UINT(wmem_list_frame_data(curr_entry))((guint) (gulong) (wmem_list_frame_data(curr_entry))));
10640 if (i < wmem_list_count(ja4_data.cipher_list) - 1) {
10641 wmem_strbuf_append(ja4_br, ",");
10642 }
10643 curr_entry = wmem_list_frame_next(curr_entry);
10644 }
10645
10646 curr_entry = wmem_list_head(ja4_data.extension_list);
10647 for (unsigned i = 0; i < wmem_list_count(ja4_data.extension_list); i++) {
10648 wmem_strbuf_append_printf(ja4_cr, "%04x", GPOINTER_TO_UINT(wmem_list_frame_data(curr_entry))((guint) (gulong) (wmem_list_frame_data(curr_entry))));
10649 if (i < wmem_list_count(ja4_data.extension_list) - 1) {
10650 wmem_strbuf_append(ja4_cr, ",");
10651 }
10652 curr_entry = wmem_list_frame_next(curr_entry);
10653 }
10654
10655 if (wmem_list_count(ja4_data.sighash_list) > 0) {
10656 wmem_strbuf_append(ja4_cr, "_");
10657 curr_entry = wmem_list_head(ja4_data.sighash_list);
10658 for (unsigned i = 0; i < wmem_list_count(ja4_data.sighash_list); i++) {
10659 wmem_strbuf_append_printf(ja4_cr, "%04x", GPOINTER_TO_UINT(wmem_list_frame_data(curr_entry))((guint) (gulong) (wmem_list_frame_data(curr_entry))));
10660 if (i < wmem_list_count(ja4_data.sighash_list) - 1) {
10661 wmem_strbuf_append(ja4_cr, ",");
10662 }
10663 curr_entry = wmem_list_frame_next(curr_entry);
10664 }
10665 }
10666 ja4_hash = g_compute_checksum_for_string(G_CHECKSUM_SHA256, wmem_strbuf_get_str(ja4_br),-1);
10667 ja4_b = wmem_strndup(pinfo->pool, ja4_hash, 12);
10668 g_free(ja4_hash);
10669 if ( wmem_strbuf_get_len(ja4_cr) == 0 ) {
10670 ja4_hash = g_strdup("000000000000")g_strdup_inline ("000000000000");
10671 } else {
10672 ja4_hash = g_compute_checksum_for_string(G_CHECKSUM_SHA256, wmem_strbuf_get_str(ja4_cr),-1);
10673 }
10674 ja4_c = wmem_strndup(pinfo->pool, ja4_hash, 12);
10675 g_free(ja4_hash);
10676
10677 ja4 = wmem_strdup_printf(pinfo->pool, "%s_%s_%s", wmem_strbuf_get_str(ja4_a), ja4_b, ja4_c);
10678 ja4_r = wmem_strdup_printf(pinfo->pool, "%s_%s_%s", wmem_strbuf_get_str(ja4_a), wmem_strbuf_get_str(ja4_br), wmem_strbuf_get_str(ja4_cr));
10679
10680 ti = proto_tree_add_string(tree, hf->hf.hs_ja4, tvb, offset, 0, ja4);
10681 proto_item_set_generated(ti);
10682 ti = proto_tree_add_string(tree, hf->hf.hs_ja4_r, tvb, offset, 0, ja4_r);
10683 proto_item_set_generated(ti);
10684
10685 ja3_hash = g_compute_checksum_for_string(G_CHECKSUM_MD5, wmem_strbuf_get_str(ja3),
10686 wmem_strbuf_get_len(ja3));
10687 ti = proto_tree_add_string(tree, hf->hf.hs_ja3_full, tvb, offset, 0, wmem_strbuf_get_str(ja3));
10688 proto_item_set_generated(ti);
10689 ti = proto_tree_add_string(tree, hf->hf.hs_ja3_hash, tvb, offset, 0, ja3_hash);
10690 proto_item_set_generated(ti);
10691 g_free(ja3_hash);
10692 return offset;
10693}
10694
10695void
10696ssl_dissect_hnd_srv_hello(ssl_common_dissect_t *hf, tvbuff_t *tvb,
10697 packet_info* pinfo, proto_tree *tree, uint32_t offset, uint32_t offset_end,
10698 SslSession *session, SslDecryptSession *ssl,
10699 bool_Bool is_dtls, bool_Bool is_hrr)
10700{
10701 /* struct {
10702 * ProtocolVersion server_version;
10703 * Random random;
10704 * SessionID session_id; // TLS 1.2 and before
10705 * CipherSuite cipher_suite;
10706 * CompressionMethod compression_method; // TLS 1.2 and before
10707 * Extension server_hello_extension_list<0..2^16-1>;
10708 * } ServerHello;
10709 */
10710 uint8_t draft_version = session->tls13_draft_version;
10711 proto_item *ti;
10712 uint32_t server_version;
10713 uint32_t cipher_suite;
10714 uint32_t initial_offset = offset;
10715 wmem_strbuf_t *ja3 = wmem_strbuf_new(pinfo->pool, "");
10716 char *ja3_hash;
10717
10718 col_set_str(pinfo->cinfo, COL_PROTOCOL,
10719 val_to_str_const(session->version, ssl_version_short_names, "SSL"));
10720
10721 /* Initially assume that the session is resumed. If this is not the case, a
10722 * ServerHelloDone will be observed before the ChangeCipherSpec message
10723 * which will reset this flag. */
10724 session->is_session_resumed = true1;
10725
10726 /* show the server version */
10727 ti = proto_tree_add_item_ret_uint(tree, hf->hf.hs_server_version, tvb,
10728 offset, 2, ENC_BIG_ENDIAN0x00000000, &server_version);
10729
10730 uint16_t supported_server_version;
10731 if (tls_scan_server_hello(tvb, offset, offset_end, &supported_server_version, NULL((void*)0))) {
10732 expert_add_info(pinfo, ti, &hf->ei.legacy_version);
10733 }
10734 /*
10735 * Is it version 1.3?
10736 * If so, that's an error; TLS and DTLS 1.3 Server Hellos claim
10737 * to be TLS 1.2, and mention 1.3 in an extension. See RFC 8446
10738 * section 4.1.3 "Server Hello" and RFC 9147 Section 5.4 "Server
10739 * Hello".
10740 */
10741 if (is_dtls) {
10742 if (server_version == DTLSV1DOT3_VERSION0xfefc) {
10743 /* Don't do that. */
10744 expert_add_info(pinfo, ti, &hf->ei.server_version_error);
10745 }
10746 } else {
10747 if (server_version == TLSV1DOT3_VERSION0x304) {
10748 /* Don't do that. */
10749 expert_add_info(pinfo, ti, &hf->ei.server_version_error);
10750 }
10751 }
10752
10753 offset += 2;
10754 wmem_strbuf_append_printf(ja3, "%i", server_version);
10755
10756 /* dissect fields that are present in both ClientHello and ServerHello */
10757 offset = ssl_dissect_hnd_hello_common(hf, tvb, pinfo, tree, offset, session, ssl, true1, is_hrr);
10758
10759 if (ssl) {
10760 /* store selected cipher suite for decryption */
10761 ssl_set_cipher(ssl, tvb_get_ntohs(tvb, offset));
10762 }
10763
10764 /* now the server-selected cipher suite */
10765 proto_tree_add_item_ret_uint(tree, hf->hf.hs_cipher_suite,
10766 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &cipher_suite);
10767 offset += 2;
10768 wmem_strbuf_append_printf(ja3, ",%i,", cipher_suite);
10769
10770 /* No compression with TLS 1.3 before draft -22 */
10771 if (!(session->version == TLSV1DOT3_VERSION0x304 && draft_version > 0 && draft_version < 22)) {
10772 if (ssl) {
10773 /* store selected compression method for decryption */
10774 ssl->session.compression = tvb_get_uint8(tvb, offset);
10775 }
10776 /* and the server-selected compression method */
10777 proto_tree_add_item(tree, hf->hf.hs_comp_method,
10778 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
10779 offset++;
10780 }
10781
10782 /* SSL v3.0 has no extensions, so length field can indeed be missing. */
10783 if (offset < offset_end) {
10784 offset = ssl_dissect_hnd_extension(hf, tvb, tree, pinfo, offset,
10785 offset_end,
10786 is_hrr ? SSL_HND_HELLO_RETRY_REQUEST : SSL_HND_SERVER_HELLO,
10787 session, ssl, is_dtls, ja3, NULL((void*)0), NULL((void*)0), 0, 0);
10788 }
10789
10790 if (ssl && ssl->ech_transcript.data_len > 0 && (ssl->state & SSL_CIPHER(1<<2)) && ssl->client_random.data_len > 0) {
10791 int hash_algo = ssl_get_digest_by_name(ssl_cipher_suite_dig(ssl->cipher_suite)->name);
10792 if (hash_algo) {
10793 SSL_MDgcry_md_hd_t mc;
10794 guchar transcript_hash[DIGEST_MAX_SIZE48];
10795 guchar prk[DIGEST_MAX_SIZE48];
10796 guchar *ech_verify_out = NULL((void*)0);
10797 unsigned int len;
10798 ssl_md_init(&mc, hash_algo);
10799 ssl_md_update(&mc, ssl->ech_transcript.data, ssl->ech_transcript.data_len);
10800 if (is_hrr) {
10801 ssl_md_final(&mc, transcript_hash, &len);
10802 ssl_md_cleanup(&mc);
10803 wmem_free(wmem_file_scope(), ssl->ech_transcript.data);
10804 ssl->ech_transcript.data_len = 4 + len;
10805 ssl->ech_transcript.data = (guchar*)wmem_alloc(wmem_file_scope(), 4 + len + 4 + offset_end - initial_offset);
10806 ssl->ech_transcript.data[0] = SSL_HND_MESSAGE_HASH;
10807 ssl->ech_transcript.data[1] = 0;
10808 ssl->ech_transcript.data[2] = 0;
10809 ssl->ech_transcript.data[3] = len;
10810 memcpy(ssl->ech_transcript.data + 4, transcript_hash, len);
10811 ssl_md_init(&mc, hash_algo);
10812 ssl_md_update(&mc, ssl->ech_transcript.data, 4 + len);
10813 } else {
10814 ssl->ech_transcript.data = wmem_realloc(wmem_file_scope(), ssl->ech_transcript.data,
10815 ssl->ech_transcript.data_len + 4 + offset_end - initial_offset);
10816 }
10817 if (initial_offset > 4) {
10818 tvb_memcpy(tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len, initial_offset - 4,
10819 4 + offset_end - initial_offset);
10820 if (is_hrr)
10821 ssl_md_update(&mc, (guchar *)tvb_get_ptr(tvb, initial_offset-4, 38), 38);
10822 else
10823 ssl_md_update(&mc, (guchar *)tvb_get_ptr(tvb, initial_offset-4, 30), 30);
10824 } else {
10825 uint8_t prefix[4] = {SSL_HND_SERVER_HELLO, 0x00, 0x00, 0x00};
10826 prefix[2] = ((offset - initial_offset) >> 8);
10827 prefix[3] = (offset - initial_offset) & 0xff;
10828 memcpy(ssl->ech_transcript.data + ssl->ech_transcript.data_len, prefix, 4);
10829 tvb_memcpy(tvb, ssl->ech_transcript.data + ssl->ech_transcript.data_len + 4, initial_offset,
10830 offset_end - initial_offset);
10831 ssl_md_update(&mc, prefix, 4);
10832 if (is_hrr)
10833 ssl_md_update(&mc, (guchar *)tvb_get_ptr(tvb, initial_offset, 34), 34);
10834 else
10835 ssl_md_update(&mc, (guchar *)tvb_get_ptr(tvb, initial_offset, 26), 26);
10836 }
10837 ssl->ech_transcript.data_len += 4 + offset_end - initial_offset;
10838 uint8_t zeros[8] = { 0 };
10839 uint32_t confirmation_offset = initial_offset + 26;
10840 if (is_hrr) {
10841 uint32_t hrr_offset = initial_offset + 34;
10842 ssl_md_update(&mc, (guchar *)tvb_get_ptr(tvb, hrr_offset,
10843 tvb_get_uint8(tvb, hrr_offset) + 1), tvb_get_uint8(tvb, hrr_offset) + 1);
10844 hrr_offset += tvb_get_uint8(tvb, hrr_offset) + 1;
10845 ssl_md_update(&mc, (guchar *)tvb_get_ptr(tvb, hrr_offset, 3), 3);
10846 hrr_offset += 3;
10847 uint16_t extensions_end = hrr_offset + tvb_get_ntohs(tvb, hrr_offset) + 2;
10848 ssl_md_update(&mc, (guchar *)tvb_get_ptr(tvb, hrr_offset, 2), 2);
10849 hrr_offset += 2;
10850 while (extensions_end - hrr_offset >= 4) {
10851 if (tvb_get_ntohs(tvb, hrr_offset) == SSL_HND_HELLO_EXT_ENCRYPTED_CLIENT_HELLO65037 &&
10852 tvb_get_ntohs(tvb, hrr_offset + 2) == 8) {
10853 confirmation_offset = hrr_offset + 4;
10854 ssl_md_update(&mc, (guchar *)tvb_get_ptr(tvb, hrr_offset, 4), 4);
10855 ssl_md_update(&mc, zeros, 8);
10856 hrr_offset += 12;
10857 } else {
10858 ssl_md_update(&mc, (guchar *)tvb_get_ptr(tvb, hrr_offset, tvb_get_ntohs(tvb, hrr_offset + 2) + 4),
10859 tvb_get_ntohs(tvb, hrr_offset + 2) + 4);
10860 hrr_offset += tvb_get_ntohs(tvb, hrr_offset + 2) + 4;
10861 }
10862 }
10863 } else {
10864 ssl_md_update(&mc, zeros, 8);
10865 ssl_md_update(&mc, (guchar *)tvb_get_ptr(tvb, initial_offset + 34, offset - initial_offset - 34),
10866 offset - initial_offset - 34);
10867 }
10868 ssl_md_final(&mc, transcript_hash, &len);
10869 ssl_md_cleanup(&mc);
10870 hkdf_extract(hash_algo, NULL((void*)0), 0, ssl->client_random.data, 32, prk);
10871 StringInfo prk_string = {prk, len};
10872 tls13_hkdf_expand_label_context(hash_algo, &prk_string, tls13_hkdf_label_prefix(ssl),
10873 is_hrr ? "hrr ech accept confirmation" : "ech accept confirmation",
10874 transcript_hash, len, 8, &ech_verify_out);
10875 memcpy(is_hrr ? ssl->session.hrr_ech_confirmation : ssl->session.ech_confirmation, ech_verify_out, 8);
10876 if (tvb_memeql(tvb, confirmation_offset, ech_verify_out, 8) == -1) {
10877 if (is_hrr) {
10878 ssl->session.hrr_ech_declined = TRUE(!(0));
10879 ssl->session.first_ch_ech_frame = 0;
10880 }
10881 memcpy(ssl->client_random.data, ssl->session.client_random.data, ssl->session.client_random.data_len);
10882 ssl_print_data("Updated Client Random", ssl->client_random.data, 32);
10883 }
10884 wmem_free(NULL((void*)0), ech_verify_out);
10885 ssl->session.ech = TRUE(!(0));
10886 }
10887 }
10888
10889 ja3_hash = g_compute_checksum_for_string(G_CHECKSUM_MD5, wmem_strbuf_get_str(ja3),
10890 wmem_strbuf_get_len(ja3));
10891 ti = proto_tree_add_string(tree, hf->hf.hs_ja3s_full, tvb, offset, 0, wmem_strbuf_get_str(ja3));
10892 proto_item_set_generated(ti);
10893 ti = proto_tree_add_string(tree, hf->hf.hs_ja3s_hash, tvb, offset, 0, ja3_hash);
10894 proto_item_set_generated(ti);
10895 g_free(ja3_hash);
10896}
10897/* Client Hello and Server Hello dissections. }}} */
10898
10899/* New Session Ticket dissection. {{{ */
10900void
10901ssl_dissect_hnd_new_ses_ticket(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
10902 proto_tree *tree, uint32_t offset, uint32_t offset_end,
10903 SslSession *session, SslDecryptSession *ssl,
10904 bool_Bool is_dtls, GHashTable *session_hash)
10905{
10906 /* https://tools.ietf.org/html/rfc5077#section-3.3 (TLS >= 1.0):
10907 * struct {
10908 * uint32 ticket_lifetime_hint;
10909 * opaque ticket<0..2^16-1>;
10910 * } NewSessionTicket;
10911 *
10912 * RFC 8446 Section 4.6.1 (TLS 1.3):
10913 * struct {
10914 * uint32 ticket_lifetime;
10915 * uint32 ticket_age_add;
10916 * opaque ticket_nonce<0..255>; // new in draft -21, updated in -22
10917 * opaque ticket<1..2^16-1>;
10918 * Extension extensions<0..2^16-2>;
10919 * } NewSessionTicket;
10920 */
10921 proto_tree *subtree;
10922 proto_item *subitem;
10923 uint32_t ticket_len;
10924 bool_Bool is_tls13 = session->version == TLSV1DOT3_VERSION0x304 || session->version == DTLSV1DOT3_VERSION0xfefc;
10925 unsigned char draft_version = session->tls13_draft_version;
10926 uint32_t lifetime_hint;
10927
10928 subtree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
10929 hf->ett.session_ticket, NULL((void*)0),
10930 "TLS Session Ticket");
10931
10932 /* ticket lifetime hint */
10933 subitem = proto_tree_add_item_ret_uint(subtree, hf->hf.hs_session_ticket_lifetime_hint,
10934 tvb, offset, 4, ENC_BIG_ENDIAN0x00000000, &lifetime_hint);
10935 offset += 4;
10936
10937 if (lifetime_hint >= 60) {
10938 char *time_str = unsigned_time_secs_to_str(pinfo->pool, lifetime_hint);
10939 proto_item_append_text(subitem, " (%s)", time_str);
10940 }
10941
10942 if (is_tls13) {
10943
10944 /* for TLS 1.3: ticket_age_add */
10945 proto_tree_add_item(subtree, hf->hf.hs_session_ticket_age_add,
10946 tvb, offset, 4, ENC_BIG_ENDIAN0x00000000);
10947 offset += 4;
10948
10949 /* for TLS 1.3: ticket_nonce (coming with Draft 21)*/
10950 if (draft_version == 0 || draft_version >= 21) {
10951 uint32_t ticket_nonce_len;
10952
10953 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, offset_end, &ticket_nonce_len,
10954 hf->hf.hs_session_ticket_nonce_len, 0, 255)) {
10955 return;
10956 }
10957 offset++;
10958
10959 proto_tree_add_item(subtree, hf->hf.hs_session_ticket_nonce, tvb, offset, ticket_nonce_len, ENC_NA0x00000000);
10960 offset += ticket_nonce_len;
10961 }
10962
10963 }
10964
10965 /* opaque ticket<0..2^16-1> (with TLS 1.3 the minimum is 1) */
10966 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, offset_end, &ticket_len,
10967 hf->hf.hs_session_ticket_len, is_tls13 ? 1 : 0, UINT16_MAX(65535))) {
10968 return;
10969 }
10970 offset += 2;
10971
10972 /* Content depends on implementation, so just show data! */
10973 proto_tree_add_item(subtree, hf->hf.hs_session_ticket,
10974 tvb, offset, ticket_len, ENC_NA0x00000000);
10975 /* save the session ticket to cache for ssl_finalize_decryption */
10976 if (ssl && !is_tls13) {
10977 tvb_ensure_bytes_exist(tvb, offset, ticket_len);
10978 ssl->session_ticket.data = (unsigned char*)wmem_realloc(wmem_file_scope(),
10979 ssl->session_ticket.data, ticket_len);
10980 ssl->session_ticket.data_len = ticket_len;
10981 tvb_memcpy(tvb, ssl->session_ticket.data, offset, ticket_len);
10982 /* NewSessionTicket is received after the first (client)
10983 * ChangeCipherSpec, and before the second (server) ChangeCipherSpec.
10984 * Since the second CCS has already the session key available it will
10985 * just return. To ensure that the session ticket is mapped to a
10986 * master key (from the first CCS), save the ticket here too. */
10987 ssl_save_master_key("Session Ticket", session_hash,
10988 &ssl->session_ticket, &ssl->master_secret);
10989 ssl->state |= SSL_NEW_SESSION_TICKET(1<<10);
10990 }
10991 offset += ticket_len;
10992
10993 if (is_tls13) {
10994 ssl_dissect_hnd_extension(hf, tvb, subtree, pinfo, offset,
10995 offset_end, SSL_HND_NEWSESSION_TICKET,
10996 session, ssl, is_dtls, NULL((void*)0), NULL((void*)0), NULL((void*)0), 0, 0);
10997 }
10998} /* }}} */
10999
11000void
11001ssl_dissect_hnd_hello_retry_request(ssl_common_dissect_t *hf, tvbuff_t *tvb,
11002 packet_info* pinfo, proto_tree *tree, uint32_t offset, uint32_t offset_end,
11003 SslSession *session, SslDecryptSession *ssl,
11004 bool_Bool is_dtls)
11005{
11006 /* https://tools.ietf.org/html/draft-ietf-tls-tls13-19#section-4.1.4
11007 * struct {
11008 * ProtocolVersion server_version;
11009 * CipherSuite cipher_suite; // not before draft -19
11010 * Extension extensions<2..2^16-1>;
11011 * } HelloRetryRequest;
11012 * Note: no longer used since draft -22
11013 */
11014 uint32_t version;
11015 uint8_t draft_version;
11016
11017 proto_tree_add_item_ret_uint(tree, hf->hf.hs_server_version, tvb,
11018 offset, 2, ENC_BIG_ENDIAN0x00000000, &version);
11019 draft_version = extract_tls13_draft_version(version);
11020 offset += 2;
11021
11022 if (draft_version == 0 || draft_version >= 19) {
11023 proto_tree_add_item(tree, hf->hf.hs_cipher_suite,
11024 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
11025 offset += 2;
11026 }
11027
11028 ssl_dissect_hnd_extension(hf, tvb, tree, pinfo, offset,
11029 offset_end, SSL_HND_HELLO_RETRY_REQUEST,
11030 session, ssl, is_dtls, NULL((void*)0), NULL((void*)0), NULL((void*)0), 0, 0);
11031}
11032
11033void
11034ssl_dissect_hnd_encrypted_extensions(ssl_common_dissect_t *hf, tvbuff_t *tvb,
11035 packet_info* pinfo, proto_tree *tree, uint32_t offset, uint32_t offset_end,
11036 SslSession *session, SslDecryptSession *ssl,
11037 bool_Bool is_dtls)
11038{
11039 /* RFC 8446 Section 4.3.1
11040 * struct {
11041 * Extension extensions<0..2^16-1>;
11042 * } EncryptedExtensions;
11043 */
11044 ssl_dissect_hnd_extension(hf, tvb, tree, pinfo, offset,
11045 offset_end, SSL_HND_ENCRYPTED_EXTENSIONS,
11046 session, ssl, is_dtls, NULL((void*)0), NULL((void*)0), NULL((void*)0), 0, 0);
11047}
11048
11049/* Certificate and Certificate Request dissections. {{{ */
11050void
11051ssl_dissect_hnd_cert(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree,
11052 uint32_t offset, uint32_t offset_end, packet_info *pinfo,
11053 SslSession *session, SslDecryptSession *ssl _U___attribute__((unused)),
11054 bool_Bool is_from_server, bool_Bool is_dtls)
11055{
11056 /* opaque ASN.1Cert<1..2^24-1>;
11057 *
11058 * Before RFC 8446 (TLS <= 1.2):
11059 * struct {
11060 * select(certificate_type) {
11061 *
11062 * // certificate type defined in RFC 7250
11063 * case RawPublicKey:
11064 * opaque ASN.1_subjectPublicKeyInfo<1..2^24-1>;
11065 *
11066 * // X.509 certificate defined in RFC 5246
11067 * case X.509:
11068 * ASN.1Cert certificate_list<0..2^24-1>;
11069 * };
11070 * } Certificate;
11071 *
11072 * RFC 8446 (since draft -20):
11073 * struct {
11074 * select(certificate_type){
11075 * case RawPublicKey:
11076 * // From RFC 7250 ASN.1_subjectPublicKeyInfo
11077 * opaque ASN1_subjectPublicKeyInfo<1..2^24-1>;
11078 *
11079 * case X.509:
11080 * opaque cert_data<1..2^24-1>;
11081 * }
11082 * Extension extensions<0..2^16-1>;
11083 * } CertificateEntry;
11084 * struct {
11085 * opaque certificate_request_context<0..2^8-1>;
11086 * CertificateEntry certificate_list<0..2^24-1>;
11087 * } Certificate;
11088 */
11089 enum { CERT_X509, CERT_RPK } cert_type;
11090 asn1_ctx_t asn1_ctx;
11091#if defined(HAVE_LIBGNUTLS1)
11092 gnutls_datum_t subjectPublicKeyInfo = { NULL((void*)0), 0 };
11093 unsigned certificate_index = 0;
11094#endif
11095 uint32_t next_offset, certificate_list_length, cert_length;
11096 proto_tree *subtree = tree;
11097
11098 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true1, pinfo);
11099
11100 if ((is_from_server && session->server_cert_type == SSL_HND_CERT_TYPE_RAW_PUBLIC_KEY2) ||
11101 (!is_from_server && session->client_cert_type == SSL_HND_CERT_TYPE_RAW_PUBLIC_KEY2)) {
11102 cert_type = CERT_RPK;
11103 } else {
11104 cert_type = CERT_X509;
11105 }
11106
11107#if defined(HAVE_LIBGNUTLS1)
11108 /* Ask the pkcs1 dissector to return the public key details */
11109 if (ssl)
11110 asn1_ctx.private_data = &subjectPublicKeyInfo;
11111#endif
11112
11113 /* TLS 1.3: opaque certificate_request_context<0..2^8-1> */
11114 if (session->version == TLSV1DOT3_VERSION0x304 || session->version == DTLSV1DOT3_VERSION0xfefc) {
11115 uint32_t context_length;
11116 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &context_length,
11117 hf->hf.hs_certificate_request_context_length, 0, UINT8_MAX(255))) {
11118 return;
11119 }
11120 offset++;
11121 if (context_length > 0) {
11122 proto_tree_add_item(tree, hf->hf.hs_certificate_request_context,
11123 tvb, offset, context_length, ENC_NA0x00000000);
11124 offset += context_length;
11125 }
11126 }
11127
11128 if ((session->version != TLSV1DOT3_VERSION0x304 && session->version != DTLSV1DOT3_VERSION0xfefc) && cert_type == CERT_RPK) {
11129 /* For RPK before TLS 1.3, the single RPK is stored directly without
11130 * another "certificate_list" field. */
11131 certificate_list_length = offset_end - offset;
11132 next_offset = offset_end;
11133 } else {
11134 /* CertificateEntry certificate_list<0..2^24-1> */
11135 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &certificate_list_length,
11136 hf->hf.hs_certificates_len, 0, G_MAXUINT24((1U << 24) - 1))) {
11137 return;
11138 }
11139 offset += 3; /* 24-bit length value */
11140 next_offset = offset + certificate_list_length;
11141 }
11142
11143 /* RawPublicKey must have one cert, but X.509 can have multiple. */
11144 if (certificate_list_length > 0 && cert_type == CERT_X509) {
11145 proto_item *ti;
11146
11147 ti = proto_tree_add_none_format(tree,
11148 hf->hf.hs_certificates,
11149 tvb, offset, certificate_list_length,
11150 "Certificates (%u bytes)",
11151 certificate_list_length);
11152
11153 /* make it a subtree */
11154 subtree = proto_item_add_subtree(ti, hf->ett.certificates);
11155 }
11156
11157 while (offset < next_offset) {
11158 switch (cert_type) {
11159 case CERT_RPK:
11160 /* TODO add expert info if there is more than one RPK entry (certificate_index > 0) */
11161 /* opaque ASN.1_subjectPublicKeyInfo<1..2^24-1> */
11162 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, next_offset, &cert_length,
11163 hf->hf.hs_certificate_len, 1, G_MAXUINT24((1U << 24) - 1))) {
11164 return;
11165 }
11166 offset += 3;
11167
11168 dissect_x509af_SubjectPublicKeyInfo(false0, tvb, offset, &asn1_ctx, subtree, hf->hf.hs_certificate);
11169 offset += cert_length;
11170 break;
11171 case CERT_X509:
11172 /* opaque ASN1Cert<1..2^24-1> */
11173 if (!ssl_add_vector(hf, tvb, pinfo, subtree, offset, next_offset, &cert_length,
11174 hf->hf.hs_certificate_len, 1, G_MAXUINT24((1U << 24) - 1))) {
11175 return;
11176 }
11177 offset += 3;
11178
11179 dissect_x509af_Certificate(false0, tvb, offset, &asn1_ctx, subtree, hf->hf.hs_certificate);
11180#if defined(HAVE_LIBGNUTLS1)
11181 if (is_from_server && ssl && certificate_index == 0) {
11182 ssl_find_private_key_by_pubkey(ssl, &subjectPublicKeyInfo);
11183 /* Only attempt to get the RSA modulus for the first cert. */
11184 asn1_ctx.private_data = NULL((void*)0);
11185 }
11186#endif
11187 offset += cert_length;
11188 break;
11189 }
11190
11191 /* TLS 1.3: Extension extensions<0..2^16-1> */
11192 if ((session->version == TLSV1DOT3_VERSION0x304 || session->version == DTLSV1DOT3_VERSION0xfefc)) {
11193 offset = ssl_dissect_hnd_extension(hf, tvb, subtree, pinfo, offset,
11194 next_offset, SSL_HND_CERTIFICATE,
11195 session, ssl, is_dtls, NULL((void*)0), NULL((void*)0), NULL((void*)0), 0, 0);
11196 }
11197
11198#if defined(HAVE_LIBGNUTLS1)
11199 certificate_index++;
11200#endif
11201 }
11202}
11203
11204void
11205ssl_dissect_hnd_cert_req(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
11206 proto_tree *tree, uint32_t offset, uint32_t offset_end,
11207 SslSession *session, bool_Bool is_dtls)
11208{
11209 /* From SSL 3.0 and up (note that since TLS 1.1 certificate_authorities can be empty):
11210 * enum {
11211 * rsa_sign(1), dss_sign(2), rsa_fixed_dh(3), dss_fixed_dh(4),
11212 * (255)
11213 * } ClientCertificateType;
11214 *
11215 * opaque DistinguishedName<1..2^16-1>;
11216 *
11217 * struct {
11218 * ClientCertificateType certificate_types<1..2^8-1>;
11219 * DistinguishedName certificate_authorities<3..2^16-1>;
11220 * } CertificateRequest;
11221 *
11222 *
11223 * As per TLSv1.2 (RFC 5246) the format has changed to:
11224 *
11225 * enum {
11226 * rsa_sign(1), dss_sign(2), rsa_fixed_dh(3), dss_fixed_dh(4),
11227 * rsa_ephemeral_dh_RESERVED(5), dss_ephemeral_dh_RESERVED(6),
11228 * fortezza_dms_RESERVED(20), (255)
11229 * } ClientCertificateType;
11230 *
11231 * enum {
11232 * none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5),
11233 * sha512(6), (255)
11234 * } HashAlgorithm;
11235 *
11236 * enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) }
11237 * SignatureAlgorithm;
11238 *
11239 * struct {
11240 * HashAlgorithm hash;
11241 * SignatureAlgorithm signature;
11242 * } SignatureAndHashAlgorithm;
11243 *
11244 * SignatureAndHashAlgorithm
11245 * supported_signature_algorithms<2..2^16-2>;
11246 *
11247 * opaque DistinguishedName<1..2^16-1>;
11248 *
11249 * struct {
11250 * ClientCertificateType certificate_types<1..2^8-1>;
11251 * SignatureAndHashAlgorithm supported_signature_algorithms<2^16-1>;
11252 * DistinguishedName certificate_authorities<0..2^16-1>;
11253 * } CertificateRequest;
11254 *
11255 * draft-ietf-tls-tls13-18:
11256 * struct {
11257 * opaque certificate_request_context<0..2^8-1>;
11258 * SignatureScheme
11259 * supported_signature_algorithms<2..2^16-2>;
11260 * DistinguishedName certificate_authorities<0..2^16-1>;
11261 * CertificateExtension certificate_extensions<0..2^16-1>;
11262 * } CertificateRequest;
11263 *
11264 * RFC 8446 (since draft-ietf-tls-tls13-19):
11265 *
11266 * struct {
11267 * opaque certificate_request_context<0..2^8-1>;
11268 * Extension extensions<2..2^16-1>;
11269 * } CertificateRequest;
11270 */
11271 proto_item *ti;
11272 proto_tree *subtree;
11273 uint32_t next_offset;
11274 asn1_ctx_t asn1_ctx;
11275 bool_Bool is_tls13 = (session->version == TLSV1DOT3_VERSION0x304 || session->version == DTLSV1DOT3_VERSION0xfefc);
11276 unsigned char draft_version = session->tls13_draft_version;
11277
11278 if (!tree)
11279 return;
11280
11281 asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, true1, pinfo);
11282
11283 if (is_tls13) {
11284 uint32_t context_length;
11285 /* opaque certificate_request_context<0..2^8-1> */
11286 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &context_length,
11287 hf->hf.hs_certificate_request_context_length, 0, UINT8_MAX(255))) {
11288 return;
11289 }
11290 offset++;
11291 if (context_length > 0) {
11292 proto_tree_add_item(tree, hf->hf.hs_certificate_request_context,
11293 tvb, offset, context_length, ENC_NA0x00000000);
11294 offset += context_length;
11295 }
11296 } else {
11297 uint32_t cert_types_count;
11298 /* ClientCertificateType certificate_types<1..2^8-1> */
11299 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &cert_types_count,
11300 hf->hf.hs_cert_types_count, 1, UINT8_MAX(255))) {
11301 return;
11302 }
11303 offset++;
11304 next_offset = offset + cert_types_count;
11305
11306 ti = proto_tree_add_none_format(tree,
11307 hf->hf.hs_cert_types,
11308 tvb, offset, cert_types_count,
11309 "Certificate types (%u type%s)",
11310 cert_types_count,
11311 plurality(cert_types_count, "", "s")((cert_types_count) == 1 ? ("") : ("s")));
11312 subtree = proto_item_add_subtree(ti, hf->ett.cert_types);
11313
11314 while (offset < next_offset) {
11315 proto_tree_add_item(subtree, hf->hf.hs_cert_type, tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
11316 offset++;
11317 }
11318 }
11319
11320 if (session->version == TLSV1DOT2_VERSION0x303 || session->version == DTLSV1DOT2_VERSION0xfefd ||
11321 (is_tls13 && (draft_version > 0 && draft_version < 19))) {
11322 offset = ssl_dissect_hash_alg_list(hf, tvb, tree, pinfo, offset, offset_end, NULL((void*)0));
11323 }
11324
11325 if (is_tls13 && (draft_version == 0 || draft_version >= 19)) {
11326 /*
11327 * TLS 1.3 draft 19 and newer: Extensions.
11328 * SslDecryptSession pointer is NULL because Certificate Extensions
11329 * should not influence decryption state.
11330 */
11331 ssl_dissect_hnd_extension(hf, tvb, tree, pinfo, offset,
11332 offset_end, SSL_HND_CERT_REQUEST,
11333 session, NULL((void*)0), is_dtls, NULL((void*)0), NULL((void*)0), NULL((void*)0), 0, 0);
11334 } else if (is_tls13 && draft_version <= 18) {
11335 /*
11336 * TLS 1.3 draft 18 and older: certificate_authorities and
11337 * certificate_extensions (a vector of OID mappings).
11338 */
11339 offset = tls_dissect_certificate_authorities(hf, tvb, pinfo, tree, offset, offset_end);
11340 ssl_dissect_hnd_hello_ext_oid_filters(hf, tvb, pinfo, tree, offset, offset_end);
11341 } else {
11342 /* for TLS 1.2 and older, the certificate_authorities field. */
11343 tls_dissect_certificate_authorities(hf, tvb, pinfo, tree, offset, offset_end);
11344 }
11345}
11346/* Certificate and Certificate Request dissections. }}} */
11347
11348void
11349ssl_dissect_hnd_cli_cert_verify(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
11350 proto_tree *tree, uint32_t offset, uint32_t offset_end, uint16_t version)
11351{
11352 ssl_dissect_digitally_signed(hf, tvb, pinfo, tree, offset, offset_end, version,
11353 hf->hf.hs_client_cert_vrfy_sig_len,
11354 hf->hf.hs_client_cert_vrfy_sig);
11355}
11356
11357/* Finished dissection. {{{ */
11358void
11359ssl_dissect_hnd_finished(ssl_common_dissect_t *hf, tvbuff_t *tvb,
11360 proto_tree *tree, uint32_t offset, uint32_t offset_end,
11361 const SslSession *session, ssl_hfs_t *ssl_hfs)
11362{
11363 /* For SSLv3:
11364 * struct {
11365 * opaque md5_hash[16];
11366 * opaque sha_hash[20];
11367 * } Finished;
11368 *
11369 * For (D)TLS:
11370 * struct {
11371 * opaque verify_data[12];
11372 * } Finished;
11373 *
11374 * For TLS 1.3:
11375 * struct {
11376 * opaque verify_data[Hash.length];
11377 * }
11378 */
11379 if (!tree)
11380 return;
11381
11382 if (session->version == SSLV3_VERSION0x300) {
11383 if (ssl_hfs != NULL((void*)0)) {
11384 proto_tree_add_item(tree, ssl_hfs->hs_md5_hash,
11385 tvb, offset, 16, ENC_NA0x00000000);
11386 proto_tree_add_item(tree, ssl_hfs->hs_sha_hash,
11387 tvb, offset + 16, 20, ENC_NA0x00000000);
11388 }
11389 } else {
11390 /* Length should be 12 for TLS before 1.3, assume this is the case. */
11391 proto_tree_add_item(tree, hf->hf.hs_finished,
11392 tvb, offset, offset_end - offset, ENC_NA0x00000000);
11393 }
11394} /* }}} */
11395
11396/* RFC 6066 Certificate URL handshake message dissection. {{{ */
11397void
11398ssl_dissect_hnd_cert_url(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree, uint32_t offset)
11399{
11400 uint16_t url_hash_len;
11401
11402 /* enum {
11403 * individual_certs(0), pkipath(1), (255)
11404 * } CertChainType;
11405 *
11406 * struct {
11407 * CertChainType type;
11408 * URLAndHash url_and_hash_list<1..2^16-1>;
11409 * } CertificateURL;
11410 *
11411 * struct {
11412 * opaque url<1..2^16-1>;
11413 * unint8 padding;
11414 * opaque SHA1Hash[20];
11415 * } URLAndHash;
11416 */
11417
11418 proto_tree_add_item(tree, hf->hf.hs_ext_cert_url_type,
11419 tvb, offset, 1, ENC_NA0x00000000);
11420 offset++;
11421
11422 url_hash_len = tvb_get_ntohs(tvb, offset);
11423 proto_tree_add_item(tree, hf->hf.hs_ext_cert_url_url_hash_list_len,
11424 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
11425 offset += 2;
11426 while (url_hash_len-- > 0) {
11427 proto_item *urlhash_item;
11428 proto_tree *urlhash_tree;
11429 uint16_t url_len;
11430
11431 urlhash_item = proto_tree_add_item(tree, hf->hf.hs_ext_cert_url_item,
11432 tvb, offset, -1, ENC_NA0x00000000);
11433 urlhash_tree = proto_item_add_subtree(urlhash_item, hf->ett.urlhash);
11434
11435 url_len = tvb_get_ntohs(tvb, offset);
11436 proto_tree_add_item(urlhash_tree, hf->hf.hs_ext_cert_url_url_len,
11437 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
11438 offset += 2;
11439
11440 proto_tree_add_item(urlhash_tree, hf->hf.hs_ext_cert_url_url,
11441 tvb, offset, url_len, ENC_ASCII0x00000000|ENC_NA0x00000000);
11442 offset += url_len;
11443
11444 proto_tree_add_item(urlhash_tree, hf->hf.hs_ext_cert_url_padding,
11445 tvb, offset, 1, ENC_NA0x00000000);
11446 offset++;
11447 /* Note: RFC 6066 says that padding must be 0x01 */
11448
11449 proto_tree_add_item(urlhash_tree, hf->hf.hs_ext_cert_url_sha1,
11450 tvb, offset, 20, ENC_NA0x00000000);
11451 offset += 20;
11452 }
11453} /* }}} */
11454
11455void
11456ssl_dissect_hnd_compress_certificate(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree,
11457 uint32_t offset, uint32_t offset_end, packet_info *pinfo,
11458 SslSession *session, SslDecryptSession *ssl,
11459 bool_Bool is_from_server, bool_Bool is_dtls)
11460{
11461 uint32_t algorithm, uncompressed_length;
11462 uint32_t compressed_certificate_message_length;
11463 tvbuff_t *uncompressed_tvb = NULL((void*)0);
11464 proto_item *ti;
11465 /*
11466 * enum {
11467 * zlib(1),
11468 * brotli(2),
11469 * zstd(3),
11470 * (65535)
11471 * } CertificateCompressionAlgorithm;
11472 *
11473 * struct {
11474 * CertificateCompressionAlgorithm algorithm;
11475 * uint24 uncompressed_length;
11476 * opaque compressed_certificate_message<1..2^24-1>;
11477 * } CompressedCertificate;
11478 */
11479
11480 proto_tree_add_item_ret_uint(tree, hf->hf.hs_ext_compress_certificate_algorithm,
11481 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &algorithm);
11482 offset += 2;
11483
11484 proto_tree_add_item_ret_uint(tree, hf->hf.hs_ext_compress_certificate_uncompressed_length,
11485 tvb, offset, 3, ENC_BIG_ENDIAN0x00000000, &uncompressed_length);
11486 offset += 3;
11487
11488 /* opaque compressed_certificate_message<1..2^24-1>; */
11489 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &compressed_certificate_message_length,
11490 hf->hf.hs_ext_compress_certificate_compressed_certificate_message_length, 1, G_MAXUINT24((1U << 24) - 1))) {
11491 return;
11492 }
11493 offset += 3;
11494
11495 ti = proto_tree_add_item(tree, hf->hf.hs_ext_compress_certificate_compressed_certificate_message,
11496 tvb, offset, compressed_certificate_message_length, ENC_NA0x00000000);
11497
11498 /* Certificate decompression following algorithm */
11499 switch (algorithm) {
11500 case 1: /* zlib */
11501 uncompressed_tvb = tvb_child_uncompress_zlib(tvb, tvb, offset, compressed_certificate_message_length);
11502 break;
11503 case 2: /* brotli */
11504 uncompressed_tvb = tvb_child_uncompress_brotli(tvb, tvb, offset, compressed_certificate_message_length);
11505 break;
11506 case 3: /* zstd */
11507 uncompressed_tvb = tvb_child_uncompress_zstd(tvb, tvb, offset, compressed_certificate_message_length);
11508 break;
11509 }
11510
11511 if (uncompressed_tvb) {
11512 proto_tree *uncompressed_tree;
11513
11514 if (uncompressed_length != tvb_captured_length(uncompressed_tvb)) {
11515 proto_tree_add_expert_format(tree, pinfo, &hf->ei.decompression_error,
11516 tvb, offset, offset_end - offset,
11517 "Invalid uncompressed length %u (expected %u)",
11518 tvb_captured_length(uncompressed_tvb),
11519 uncompressed_length);
11520 } else {
11521 uncompressed_tree = proto_item_add_subtree(ti, hf->ett.uncompressed_certificates);
11522 ssl_dissect_hnd_cert(hf, uncompressed_tvb, uncompressed_tree,
11523 0, uncompressed_length, pinfo, session, ssl, is_from_server, is_dtls);
11524 add_new_data_source(pinfo, uncompressed_tvb, "Uncompressed certificate(s)");
11525 }
11526 }
11527}
11528
11529/* Dissection of TLS Extensions in Client Hello, Server Hello, etc. {{{ */
11530static int
11531// NOLINTNEXTLINE(misc-no-recursion)
11532ssl_dissect_hnd_extension(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree,
11533 packet_info* pinfo, uint32_t offset, uint32_t offset_end, uint8_t hnd_type,
11534 SslSession *session, SslDecryptSession *ssl,
11535 bool_Bool is_dtls, wmem_strbuf_t *ja3, ja4_data_t *ja4_data,
11536 ssl_master_key_map_t *mk_map, uint32_t initial_offset, uint32_t hello_length)
11537{
11538 uint32_t exts_len;
11539 uint16_t ext_type;
11540 uint32_t ext_len;
11541 uint32_t next_offset;
11542 proto_tree *ext_tree;
11543 bool_Bool is_tls13 = session->version == TLSV1DOT3_VERSION0x304;
11544 wmem_strbuf_t *ja3_sg = wmem_strbuf_new(pinfo->pool, "");
11545 wmem_strbuf_t *ja3_ecpf = wmem_strbuf_new(pinfo->pool, "");
11546 char *ja3_dash = "";
11547 unsigned supported_version;
11548
11549 /* Extension extensions<0..2^16-2> (for TLS 1.3 HRR/CR min-length is 2) */
11550 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &exts_len,
11551 hf->hf.hs_exts_len, 0, UINT16_MAX(65535))) {
11552 return offset_end;
11553 }
11554 offset += 2;
11555 offset_end = offset + exts_len;
11556
11557 if (ja4_data) {
11558 ja4_data->num_extensions = 0;
11559 }
11560 while (offset_end - offset >= 4)
11561 {
11562 ext_type = tvb_get_ntohs(tvb, offset);
11563 ext_len = tvb_get_ntohs(tvb, offset + 2);
11564
11565 if (ja4_data && !IS_GREASE_TLS(ext_type)((((ext_type) & 0x0f0f) == 0x0a0a) && (((ext_type
) & 0xff) == (((ext_type)>>8) & 0xff)))) {
11566 ja4_data->num_extensions += 1;
11567 if (ext_type != SSL_HND_HELLO_EXT_SERVER_NAME0 &&
11568 ext_type != SSL_HND_HELLO_EXT_ALPN16) {
11569 wmem_list_insert_sorted(ja4_data->extension_list, GUINT_TO_POINTER(ext_type)((gpointer) (gulong) (ext_type)), wmem_compare_uint);
11570 }
11571 }
11572
11573 ext_tree = proto_tree_add_subtree_format(tree, tvb, offset, 4 + ext_len, hf->ett.hs_ext, NULL((void*)0),
11574 "Extension: %s (len=%u)", val_to_str(ext_type,
11575 tls_hello_extension_types,
11576 "Unknown type %u"), ext_len);
11577
11578 proto_tree_add_uint(ext_tree, hf->hf.hs_ext_type,
11579 tvb, offset, 2, ext_type);
11580 offset += 2;
11581 if (ja3 && !IS_GREASE_TLS(ext_type)((((ext_type) & 0x0f0f) == 0x0a0a) && (((ext_type
) & 0xff) == (((ext_type)>>8) & 0xff)))) {
11582 wmem_strbuf_append_printf(ja3, "%s%i",ja3_dash, ext_type);
11583 ja3_dash = "-";
11584 }
11585
11586 /* opaque extension_data<0..2^16-1> */
11587 if (!ssl_add_vector(hf, tvb, pinfo, ext_tree, offset, offset_end, &ext_len,
11588 hf->hf.hs_ext_len, 0, UINT16_MAX(65535))) {
11589 return offset_end;
11590 }
11591 offset += 2;
11592 next_offset = offset + ext_len;
11593
11594 switch (ext_type) {
11595 case SSL_HND_HELLO_EXT_SERVER_NAME0:
11596 if (hnd_type == SSL_HND_CLIENT_HELLO) {
11597 offset = ssl_dissect_hnd_hello_ext_server_name(hf, tvb, pinfo, ext_tree, offset, next_offset);
11598 if (ja4_data) {
11599 ja4_data->server_name_present = true1;
11600 }
11601 }
11602 break;
11603 case SSL_HND_HELLO_EXT_MAX_FRAGMENT_LENGTH1:
11604 proto_tree_add_item(ext_tree, hf->hf.hs_ext_max_fragment_length, tvb, offset, 1, ENC_NA0x00000000);
11605 offset += 1;
11606 break;
11607 case SSL_HND_HELLO_EXT_STATUS_REQUEST5:
11608 if (hnd_type == SSL_HND_CLIENT_HELLO) {
11609 offset = ssl_dissect_hnd_hello_ext_status_request(hf, tvb, pinfo, ext_tree, offset, next_offset, false0);
11610 } else if (is_tls13 && hnd_type == SSL_HND_CERTIFICATE) {
11611 offset = tls_dissect_hnd_certificate_status(hf, tvb, pinfo, ext_tree, offset, next_offset);
11612 }
11613 break;
11614 case SSL_HND_HELLO_EXT_CERT_TYPE9:
11615 offset = ssl_dissect_hnd_hello_ext_cert_type(hf, tvb, ext_tree,
11616 offset, next_offset,
11617 hnd_type, ext_type,
11618 session);
11619 break;
11620 case SSL_HND_HELLO_EXT_SUPPORTED_GROUPS10:
11621 if (hnd_type == SSL_HND_CLIENT_HELLO) {
11622 offset = ssl_dissect_hnd_hello_ext_supported_groups(hf, tvb, pinfo, ext_tree, offset,
11623 next_offset, ja3_sg);
11624 } else {
11625 offset = ssl_dissect_hnd_hello_ext_supported_groups(hf, tvb, pinfo, ext_tree, offset,
11626 next_offset, NULL((void*)0));
11627 }
11628 break;
11629 case SSL_HND_HELLO_EXT_EC_POINT_FORMATS11:
11630 if (hnd_type == SSL_HND_CLIENT_HELLO) {
11631 offset = ssl_dissect_hnd_hello_ext_ec_point_formats(hf, tvb, ext_tree, offset, ja3_ecpf);
11632 } else {
11633 offset = ssl_dissect_hnd_hello_ext_ec_point_formats(hf, tvb, ext_tree, offset, NULL((void*)0));
11634 }
11635 break;
11636 break;
11637 case SSL_HND_HELLO_EXT_SRP12:
11638 offset = ssl_dissect_hnd_hello_ext_srp(hf, tvb, pinfo, ext_tree, offset, next_offset);
11639 break;
11640 case SSL_HND_HELLO_EXT_SIGNATURE_ALGORITHMS13:
11641 offset = ssl_dissect_hnd_hello_ext_sig_hash_algs(hf, tvb, ext_tree, pinfo, offset, next_offset, ja4_data);
11642 break;
11643 case SSL_HND_HELLO_EXT_SIGNATURE_ALGORITHMS_CERT50: /* since TLS 1.3 draft -23 */
11644 offset = ssl_dissect_hnd_hello_ext_sig_hash_algs(hf, tvb, ext_tree, pinfo, offset, next_offset, NULL((void*)0));
11645 break;
11646 case SSL_HND_HELLO_EXT_DELEGATED_CREDENTIALS34:
11647 offset = ssl_dissect_hnd_ext_delegated_credentials(hf, tvb, ext_tree, pinfo, offset, next_offset, hnd_type);
11648 break;
11649 case SSL_HND_HELLO_EXT_USE_SRTP14:
11650 if (is_dtls) {
11651 if (hnd_type == SSL_HND_CLIENT_HELLO) {
11652 offset = dtls_dissect_hnd_hello_ext_use_srtp(pinfo, tvb, ext_tree, offset, next_offset, false0);
11653 } else if (hnd_type == SSL_HND_SERVER_HELLO) {
11654 offset = dtls_dissect_hnd_hello_ext_use_srtp(pinfo, tvb, ext_tree, offset, next_offset, true1);
11655 }
11656 } else {
11657 // XXX expert info: This extension MUST only be used with DTLS, and not with TLS.
11658 }
11659 break;
11660 case SSL_HND_HELLO_EXT_ECH_OUTER_EXTENSIONS64768:
11661 offset = ssl_dissect_hnd_ech_outer_ext(hf, tvb, pinfo, ext_tree, offset, next_offset);
11662 break;
11663 case SSL_HND_HELLO_EXT_ENCRYPTED_CLIENT_HELLO65037:
11664 offset = ssl_dissect_hnd_hello_ext_ech(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, session, ssl, mk_map, initial_offset, hello_length);
11665 break;
11666 case SSL_HND_HELLO_EXT_HEARTBEAT15:
11667 proto_tree_add_item(ext_tree, hf->hf.hs_ext_heartbeat_mode,
11668 tvb, offset, 1, ENC_BIG_ENDIAN0x00000000);
11669 offset++;
11670 break;
11671 case SSL_HND_HELLO_EXT_ALPN16:
11672 offset = ssl_dissect_hnd_hello_ext_alpn(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, session, is_dtls, ja4_data);
11673 break;
11674 case SSL_HND_HELLO_EXT_STATUS_REQUEST_V217:
11675 if (hnd_type == SSL_HND_CLIENT_HELLO)
11676 offset = ssl_dissect_hnd_hello_ext_status_request_v2(hf, tvb, pinfo, ext_tree, offset, next_offset);
11677 break;
11678 case SSL_HND_HELLO_EXT_SIGNED_CERTIFICATE_TIMESTAMP18:
11679 // TLS 1.3 note: SCT only appears in EE in draft -16 and before.
11680 if (hnd_type == SSL_HND_SERVER_HELLO || hnd_type == SSL_HND_ENCRYPTED_EXTENSIONS || hnd_type == SSL_HND_CERTIFICATE)
11681 offset = tls_dissect_sct_list(hf, tvb, pinfo, ext_tree, offset, next_offset, session->version);
11682 break;
11683 case SSL_HND_HELLO_EXT_CLIENT_CERT_TYPE19:
11684 case SSL_HND_HELLO_EXT_SERVER_CERT_TYPE20:
11685 offset = ssl_dissect_hnd_hello_ext_cert_type(hf, tvb, ext_tree,
11686 offset, next_offset,
11687 hnd_type, ext_type,
11688 session);
11689 break;
11690 case SSL_HND_HELLO_EXT_PADDING21:
11691 proto_tree_add_item(ext_tree, hf->hf.hs_ext_padding_data, tvb, offset, ext_len, ENC_NA0x00000000);
11692 offset += ext_len;
11693 break;
11694 case SSL_HND_HELLO_EXT_ENCRYPT_THEN_MAC22:
11695 if (ssl && hnd_type == SSL_HND_SERVER_HELLO) {
11696 ssl_debug_printf("%s enabling Encrypt-then-MAC\n", G_STRFUNC((const char*) (__func__)));
11697 ssl->state |= SSL_ENCRYPT_THEN_MAC(1<<11);
11698 }
11699 break;
11700 case SSL_HND_HELLO_EXT_EXTENDED_MASTER_SECRET23:
11701 if (ssl) {
11702 switch (hnd_type) {
11703 case SSL_HND_CLIENT_HELLO:
11704 ssl->state |= SSL_CLIENT_EXTENDED_MASTER_SECRET(1<<7);
11705 break;
11706 case SSL_HND_SERVER_HELLO:
11707 ssl->state |= SSL_SERVER_EXTENDED_MASTER_SECRET(1<<8);
11708 break;
11709 default: /* no default */
11710 break;
11711 }
11712 }
11713 break;
11714 case SSL_HND_HELLO_EXT_COMPRESS_CERTIFICATE27:
11715 offset = ssl_dissect_hnd_hello_ext_compress_certificate(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, ssl);
11716 break;
11717 case SSL_HND_HELLO_EXT_TOKEN_BINDING24:
11718 offset = ssl_dissect_hnd_hello_ext_token_binding(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, ssl);
11719 break;
11720 case SSL_HND_HELLO_EXT_RECORD_SIZE_LIMIT28:
11721 proto_tree_add_item(ext_tree, hf->hf.hs_ext_record_size_limit,
11722 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
11723 offset += 2;
11724 break;
11725 case SSL_HND_HELLO_EXT_QUIC_TRANSPORT_PARAMETERS65445:
11726 case SSL_HND_HELLO_EXT_QUIC_TRANSPORT_PARAMETERS_V157:
11727 offset = ssl_dissect_hnd_hello_ext_quic_transport_parameters(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, ssl);
11728 break;
11729 case SSL_HND_HELLO_EXT_SESSION_TICKET_TLS35:
11730 offset = ssl_dissect_hnd_hello_ext_session_ticket(hf, tvb, ext_tree, offset, next_offset, hnd_type, ssl);
11731 break;
11732 case SSL_HND_HELLO_EXT_KEY_SHARE_OLD40: /* used before TLS 1.3 draft -23 */
11733 case SSL_HND_HELLO_EXT_KEY_SHARE51:
11734 offset = ssl_dissect_hnd_hello_ext_key_share(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type);
11735 break;
11736 case SSL_HND_HELLO_EXT_PRE_SHARED_KEY41:
11737 offset = ssl_dissect_hnd_hello_ext_pre_shared_key(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type);
11738 break;
11739 case SSL_HND_HELLO_EXT_EARLY_DATA42:
11740 case SSL_HND_HELLO_EXT_TICKET_EARLY_DATA_INFO46:
11741 offset = ssl_dissect_hnd_hello_ext_early_data(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, ssl);
11742 break;
11743 case SSL_HND_HELLO_EXT_SUPPORTED_VERSIONS43:
11744 switch (hnd_type) {
11745 case SSL_HND_CLIENT_HELLO:
11746 offset = ssl_dissect_hnd_hello_ext_supported_versions(hf, tvb, pinfo, ext_tree, offset, next_offset, session, is_dtls, ja4_data);
11747 break;
11748 case SSL_HND_SERVER_HELLO:
11749 case SSL_HND_HELLO_RETRY_REQUEST:
11750 proto_tree_add_item_ret_uint(ext_tree, hf->hf.hs_ext_supported_version, tvb, offset, 2, ENC_BIG_ENDIAN0x00000000, &supported_version);
11751 offset += 2;
11752 proto_item_append_text(ext_tree, " %s", val_to_str(supported_version, ssl_versions, "Unknown (0x%04x)"));
11753 break;
11754 }
11755 break;
11756 case SSL_HND_HELLO_EXT_COOKIE44:
11757 offset = ssl_dissect_hnd_hello_ext_cookie(hf, tvb, pinfo, ext_tree, offset, next_offset);
11758 break;
11759 case SSL_HND_HELLO_EXT_PSK_KEY_EXCHANGE_MODES45:
11760 offset = ssl_dissect_hnd_hello_ext_psk_key_exchange_modes(hf, tvb, pinfo, ext_tree, offset, next_offset);
11761 break;
11762 case SSL_HND_HELLO_EXT_CERTIFICATE_AUTHORITIES47:
11763 offset = ssl_dissect_hnd_hello_ext_certificate_authorities(hf, tvb, pinfo, ext_tree, offset, next_offset);
11764 break;
11765 case SSL_HND_HELLO_EXT_OID_FILTERS48:
11766 offset = ssl_dissect_hnd_hello_ext_oid_filters(hf, tvb, pinfo, ext_tree, offset, next_offset);
11767 break;
11768 case SSL_HND_HELLO_EXT_POST_HANDSHAKE_AUTH49:
11769 break;
11770 case SSL_HND_HELLO_EXT_NPN13172:
11771 offset = ssl_dissect_hnd_hello_ext_npn(hf, tvb, pinfo, ext_tree, offset, next_offset);
11772 break;
11773 case SSL_HND_HELLO_EXT_ALPS17513:
11774 offset = ssl_dissect_hnd_hello_ext_alps(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type);
11775 break;
11776 case SSL_HND_HELLO_EXT_RENEGOTIATION_INFO65281:
11777 offset = ssl_dissect_hnd_hello_ext_reneg_info(hf, tvb, pinfo, ext_tree, offset, next_offset);
11778 break;
11779 case SSL_HND_HELLO_EXT_ENCRYPTED_SERVER_NAME65486:
11780 offset = ssl_dissect_hnd_hello_ext_esni(hf, tvb, pinfo, ext_tree, offset, next_offset, hnd_type, ssl);
11781 break;
11782 case SSL_HND_HELLO_EXT_CONNECTION_ID_DEPRECATED53:
11783 session->deprecated_cid = true1;
11784 /* FALLTHRU */
11785 case SSL_HND_HELLO_EXT_CONNECTION_ID54:
11786 offset = ssl_dissect_hnd_hello_ext_connection_id(hf, tvb, pinfo, ext_tree, offset, hnd_type, session, ssl);
11787 break;
11788 case SSL_HND_HELLO_EXT_TRUSTED_CA_KEYS3:
11789 offset = ssl_dissect_hnd_hello_ext_trusted_ca_keys(hf, tvb, pinfo, ext_tree, offset, next_offset);
11790 break;
11791 default:
11792 proto_tree_add_item(ext_tree, hf->hf.hs_ext_data,
11793 tvb, offset, ext_len, ENC_NA0x00000000);
11794 offset += ext_len;
11795 break;
11796 }
11797
11798 if (!ssl_end_vector(hf, tvb, pinfo, ext_tree, offset, next_offset)) {
11799 /* Dissection did not end at expected location, fix it. */
11800 offset = next_offset;
11801 }
11802 }
11803
11804 if (ja3) {
11805 if (hnd_type == SSL_HND_CLIENT_HELLO) {
11806 if(wmem_strbuf_get_len(ja3_sg) > 0) {
11807 wmem_strbuf_append_printf(ja3, "%s", wmem_strbuf_get_str(ja3_sg));
11808 } else {
11809 wmem_strbuf_append_c(ja3, ',');
11810 }
11811 if(wmem_strbuf_get_len(ja3_ecpf) > 0) {
11812 wmem_strbuf_append_printf(ja3, "%s", wmem_strbuf_get_str(ja3_ecpf));
11813 } else {
11814 wmem_strbuf_append_c(ja3, ',');
11815 }
11816 }
11817 }
11818
11819 /* Check if Extensions vector is correctly terminated. */
11820 if (!ssl_end_vector(hf, tvb, pinfo, tree, offset, offset_end)) {
11821 offset = offset_end;
11822 }
11823
11824 return offset;
11825} /* }}} */
11826
11827
11828/* ClientKeyExchange algo-specific dissectors. {{{ */
11829
11830static void
11831dissect_ssl3_hnd_cli_keyex_ecdh(ssl_common_dissect_t *hf, tvbuff_t *tvb,
11832 proto_tree *tree, uint32_t offset,
11833 uint32_t length)
11834{
11835 int point_len;
11836 proto_tree *ssl_ecdh_tree;
11837
11838 ssl_ecdh_tree = proto_tree_add_subtree(tree, tvb, offset, length,
11839 hf->ett.keyex_params, NULL((void*)0), "EC Diffie-Hellman Client Params");
11840
11841 /* point */
11842 point_len = tvb_get_uint8(tvb, offset);
11843 proto_tree_add_item(ssl_ecdh_tree, hf->hf.hs_client_keyex_point_len, tvb,
11844 offset, 1, ENC_BIG_ENDIAN0x00000000);
11845 proto_tree_add_item(ssl_ecdh_tree, hf->hf.hs_client_keyex_point, tvb,
11846 offset + 1, point_len, ENC_NA0x00000000);
11847}
11848
11849static void
11850dissect_ssl3_hnd_cli_keyex_dhe(ssl_common_dissect_t *hf, tvbuff_t *tvb,
11851 proto_tree *tree, uint32_t offset, uint32_t length)
11852{
11853 int yc_len;
11854 proto_tree *ssl_dh_tree;
11855
11856 ssl_dh_tree = proto_tree_add_subtree(tree, tvb, offset, length,
11857 hf->ett.keyex_params, NULL((void*)0), "Diffie-Hellman Client Params");
11858
11859 /* ClientDiffieHellmanPublic.dh_public (explicit) */
11860 yc_len = tvb_get_ntohs(tvb, offset);
11861 proto_tree_add_item(ssl_dh_tree, hf->hf.hs_client_keyex_yc_len, tvb,
11862 offset, 2, ENC_BIG_ENDIAN0x00000000);
11863 proto_tree_add_item(ssl_dh_tree, hf->hf.hs_client_keyex_yc, tvb,
11864 offset + 2, yc_len, ENC_NA0x00000000);
11865}
11866
11867static void
11868dissect_ssl3_hnd_cli_keyex_rsa(ssl_common_dissect_t *hf, tvbuff_t *tvb,
11869 proto_tree *tree, uint32_t offset,
11870 uint32_t length, const SslSession *session)
11871{
11872 int epms_len;
11873 proto_tree *ssl_rsa_tree;
11874
11875 ssl_rsa_tree = proto_tree_add_subtree(tree, tvb, offset, length,
11876 hf->ett.keyex_params, NULL((void*)0), "RSA Encrypted PreMaster Secret");
11877
11878 /* EncryptedPreMasterSecret.pre_master_secret */
11879 switch (session->version) {
11880 case SSLV2_VERSION0x0002:
11881 case SSLV3_VERSION0x300:
11882 case DTLSV1DOT0_OPENSSL_VERSION0x100:
11883 /* OpenSSL pre-0.9.8f DTLS and pre-TLS quirk: 2-octet length vector is
11884 * not present. The handshake contents represents the EPMS, see:
11885 * https://gitlab.com/wireshark/wireshark/-/issues/10222 */
11886 epms_len = length;
11887 break;
11888
11889 default:
11890 /* TLS and DTLS include vector length before EPMS */
11891 epms_len = tvb_get_ntohs(tvb, offset);
11892 proto_tree_add_item(ssl_rsa_tree, hf->hf.hs_client_keyex_epms_len, tvb,
11893 offset, 2, ENC_BIG_ENDIAN0x00000000);
11894 offset += 2;
11895 break;
11896 }
11897 proto_tree_add_item(ssl_rsa_tree, hf->hf.hs_client_keyex_epms, tvb,
11898 offset, epms_len, ENC_NA0x00000000);
11899}
11900
11901/* Used in PSK cipher suites */
11902static uint32_t
11903dissect_ssl3_hnd_cli_keyex_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb,
11904 proto_tree *tree, uint32_t offset)
11905{
11906 unsigned identity_len;
11907 proto_tree *ssl_psk_tree;
11908
11909 ssl_psk_tree = proto_tree_add_subtree(tree, tvb, offset, -1,
11910 hf->ett.keyex_params, NULL((void*)0), "PSK Client Params");
11911 /* identity */
11912 identity_len = tvb_get_ntohs(tvb, offset);
11913 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_client_keyex_identity_len, tvb,
11914 offset, 2, ENC_BIG_ENDIAN0x00000000);
11915 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_client_keyex_identity, tvb,
11916 offset + 2, identity_len, ENC_NA0x00000000);
11917
11918 proto_item_set_len(ssl_psk_tree, 2 + identity_len);
11919 return 2 + identity_len;
11920}
11921
11922/* Used in RSA PSK cipher suites */
11923static void
11924dissect_ssl3_hnd_cli_keyex_rsa_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb,
11925 proto_tree *tree, uint32_t offset,
11926 uint32_t length)
11927{
11928 int identity_len, epms_len;
11929 proto_tree *ssl_psk_tree;
11930
11931 ssl_psk_tree = proto_tree_add_subtree(tree, tvb, offset, length,
11932 hf->ett.keyex_params, NULL((void*)0), "RSA PSK Client Params");
11933
11934 /* identity */
11935 identity_len = tvb_get_ntohs(tvb, offset);
11936 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_client_keyex_identity_len,
11937 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
11938 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_client_keyex_identity,
11939 tvb, offset + 2, identity_len, ENC_NA0x00000000);
11940 offset += 2 + identity_len;
11941
11942 /* Yc */
11943 epms_len = tvb_get_ntohs(tvb, offset);
11944 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_client_keyex_epms_len, tvb,
11945 offset, 2, ENC_BIG_ENDIAN0x00000000);
11946 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_client_keyex_epms, tvb,
11947 offset + 2, epms_len, ENC_NA0x00000000);
11948}
11949
11950/* Used in Diffie-Hellman PSK cipher suites */
11951static void
11952dissect_ssl3_hnd_cli_keyex_dhe_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb,
11953 proto_tree *tree, uint32_t offset, uint32_t length)
11954{
11955 /*
11956 * struct {
11957 * select (KeyExchangeAlgorithm) {
11958 * case diffie_hellman_psk:
11959 * opaque psk_identity<0..2^16-1>;
11960 * ClientDiffieHellmanPublic public;
11961 * } exchange_keys;
11962 * } ClientKeyExchange;
11963 */
11964
11965 uint32_t psk_len = dissect_ssl3_hnd_cli_keyex_psk(hf, tvb, tree, offset);
11966 dissect_ssl3_hnd_cli_keyex_dhe(hf, tvb, tree, offset + psk_len, length - psk_len);
11967}
11968
11969/* Used in EC Diffie-Hellman PSK cipher suites */
11970static void
11971dissect_ssl3_hnd_cli_keyex_ecdh_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb,
11972 proto_tree *tree, uint32_t offset, uint32_t length)
11973{
11974 /*
11975 * struct {
11976 * select (KeyExchangeAlgorithm) {
11977 * case ec_diffie_hellman_psk:
11978 * opaque psk_identity<0..2^16-1>;
11979 * ClientECDiffieHellmanPublic public;
11980 * } exchange_keys;
11981 * } ClientKeyExchange;
11982 */
11983
11984 uint32_t psk_len = dissect_ssl3_hnd_cli_keyex_psk(hf, tvb, tree, offset);
11985 dissect_ssl3_hnd_cli_keyex_ecdh(hf, tvb, tree, offset + psk_len, length - psk_len);
11986}
11987
11988/* Used in EC J-PAKE cipher suites */
11989static void
11990dissect_ssl3_hnd_cli_keyex_ecjpake(ssl_common_dissect_t *hf, tvbuff_t *tvb,
11991 proto_tree *tree, uint32_t offset,
11992 uint32_t length)
11993{
11994 /*
11995 * struct {
11996 * ECPoint V;
11997 * opaque r<1..2^8-1>;
11998 * } ECSchnorrZKP;
11999 *
12000 * struct {
12001 * ECPoint X;
12002 * ECSchnorrZKP zkp;
12003 * } ECJPAKEKeyKP;
12004 *
12005 * struct {
12006 * ECJPAKEKeyKP ecjpake_key_kp;
12007 * } ClientECJPAKEParams;
12008 *
12009 * select (KeyExchangeAlgorithm) {
12010 * case ecjpake:
12011 * ClientECJPAKEParams params;
12012 * } ClientKeyExchange;
12013 */
12014
12015 int point_len;
12016 proto_tree *ssl_ecjpake_tree;
12017
12018 ssl_ecjpake_tree = proto_tree_add_subtree(tree, tvb, offset, length,
12019 hf->ett.keyex_params, NULL((void*)0),
12020 "EC J-PAKE Client Params");
12021
12022 /* ECJPAKEKeyKP.X */
12023 point_len = tvb_get_uint8(tvb, offset);
12024 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_client_keyex_xc_len, tvb,
12025 offset, 1, ENC_BIG_ENDIAN0x00000000);
12026 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_client_keyex_xc, tvb,
12027 offset + 1, point_len, ENC_NA0x00000000);
12028 offset += 1 + point_len;
12029
12030 /* ECJPAKEKeyKP.zkp.V */
12031 point_len = tvb_get_uint8(tvb, offset);
12032 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_client_keyex_vc_len, tvb,
12033 offset, 1, ENC_BIG_ENDIAN0x00000000);
12034 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_client_keyex_vc, tvb,
12035 offset + 1, point_len, ENC_NA0x00000000);
12036 offset += 1 + point_len;
12037
12038 /* ECJPAKEKeyKP.zkp.r */
12039 point_len = tvb_get_uint8(tvb, offset);
12040 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_client_keyex_rc_len, tvb,
12041 offset, 1, ENC_BIG_ENDIAN0x00000000);
12042 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_client_keyex_rc, tvb,
12043 offset + 1, point_len, ENC_NA0x00000000);
12044}
12045
12046static void
12047dissect_ssl3_hnd_cli_keyex_ecc_sm2(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12048 proto_tree *tree, uint32_t offset,
12049 uint32_t length)
12050{
12051 int epms_len;
12052 proto_tree *ssl_ecc_sm2_tree;
12053
12054 ssl_ecc_sm2_tree = proto_tree_add_subtree(tree, tvb, offset, length,
12055 hf->ett.keyex_params, NULL((void*)0),
12056 "ECC-SM2 Encrypted PreMaster Secret");
12057
12058 epms_len = tvb_get_ntohs(tvb, offset);
12059 proto_tree_add_item(ssl_ecc_sm2_tree, hf->hf.hs_client_keyex_epms_len, tvb,
12060 offset, 2, ENC_BIG_ENDIAN0x00000000);
12061 offset += 2;
12062 proto_tree_add_item(ssl_ecc_sm2_tree, hf->hf.hs_client_keyex_epms, tvb,
12063 offset, epms_len, ENC_NA0x00000000);
12064}
12065/* ClientKeyExchange algo-specific dissectors. }}} */
12066
12067
12068/* Dissects DigitallySigned (see RFC 5246 4.7 Cryptographic Attributes). {{{ */
12069static uint32_t
12070ssl_dissect_digitally_signed(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12071 proto_tree *tree, uint32_t offset, uint32_t offset_end,
12072 uint16_t version, int hf_sig_len, int hf_sig)
12073{
12074 uint32_t sig_len;
12075
12076 switch (version) {
12077 case TLSV1DOT2_VERSION0x303:
12078 case DTLSV1DOT2_VERSION0xfefd:
12079 case TLSV1DOT3_VERSION0x304:
12080 case DTLSV1DOT3_VERSION0xfefc:
12081 tls_dissect_signature_algorithm(hf, tvb, tree, offset, NULL((void*)0));
12082 offset += 2;
12083 break;
12084
12085 default:
12086 break;
12087 }
12088
12089 /* Sig */
12090 if (!ssl_add_vector(hf, tvb, pinfo, tree, offset, offset_end, &sig_len,
12091 hf_sig_len, 0, UINT16_MAX(65535))) {
12092 return offset_end;
12093 }
12094 offset += 2;
12095 proto_tree_add_item(tree, hf_sig, tvb, offset, sig_len, ENC_NA0x00000000);
12096 offset += sig_len;
12097 return offset;
12098} /* }}} */
12099
12100/* ServerKeyExchange algo-specific dissectors. {{{ */
12101
12102/* dissects signed_params inside a ServerKeyExchange for some keyex algos */
12103static void
12104dissect_ssl3_hnd_srv_keyex_sig(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12105 proto_tree *tree, uint32_t offset, uint32_t offset_end,
12106 uint16_t version)
12107{
12108 /*
12109 * TLSv1.2 (RFC 5246 sec 7.4.8)
12110 * struct {
12111 * digitally-signed struct {
12112 * opaque handshake_messages[handshake_messages_length];
12113 * }
12114 * } CertificateVerify;
12115 *
12116 * TLSv1.0/TLSv1.1 (RFC 5436 sec 7.4.8 and 7.4.3) works essentially the same
12117 * as TLSv1.2, but the hash algorithms are not explicit in digitally-signed.
12118 *
12119 * SSLv3 (RFC 6101 sec 5.6.8) essentially works the same as TLSv1.0 but it
12120 * does more hashing including the master secret and padding.
12121 */
12122 ssl_dissect_digitally_signed(hf, tvb, pinfo, tree, offset, offset_end, version,
12123 hf->hf.hs_server_keyex_sig_len,
12124 hf->hf.hs_server_keyex_sig);
12125}
12126
12127static uint32_t
12128dissect_tls_ecparameters(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree, uint32_t offset, uint32_t offset_end)
12129{
12130 /*
12131 * RFC 4492 ECC cipher suites for TLS
12132 *
12133 * struct {
12134 * ECCurveType curve_type;
12135 * select (curve_type) {
12136 * case explicit_prime:
12137 * ...
12138 * case explicit_char2:
12139 * ...
12140 * case named_curve:
12141 * NamedCurve namedcurve;
12142 * };
12143 * } ECParameters;
12144 */
12145
12146 int curve_type;
12147
12148 /* ECParameters.curve_type */
12149 curve_type = tvb_get_uint8(tvb, offset);
12150 proto_tree_add_item(tree, hf->hf.hs_server_keyex_curve_type, tvb,
12151 offset, 1, ENC_BIG_ENDIAN0x00000000);
12152 offset++;
12153
12154 if (curve_type != 3)
12155 return offset_end; /* only named_curves are supported */
12156
12157 /* case curve_type == named_curve; ECParameters.namedcurve */
12158 proto_tree_add_item(tree, hf->hf.hs_server_keyex_named_curve, tvb,
12159 offset, 2, ENC_BIG_ENDIAN0x00000000);
12160 offset += 2;
12161
12162 return offset;
12163}
12164
12165static void
12166dissect_ssl3_hnd_srv_keyex_ecdh(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12167 proto_tree *tree, uint32_t offset, uint32_t offset_end,
12168 uint16_t version, bool_Bool anon)
12169{
12170 /*
12171 * RFC 4492 ECC cipher suites for TLS
12172 *
12173 * struct {
12174 * opaque point <1..2^8-1>;
12175 * } ECPoint;
12176 *
12177 * struct {
12178 * ECParameters curve_params;
12179 * ECPoint public;
12180 * } ServerECDHParams;
12181 *
12182 * select (KeyExchangeAlgorithm) {
12183 * case ec_diffie_hellman:
12184 * ServerECDHParams params;
12185 * Signature signed_params;
12186 * } ServerKeyExchange;
12187 */
12188
12189 int point_len;
12190 proto_tree *ssl_ecdh_tree;
12191
12192 ssl_ecdh_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
12193 hf->ett.keyex_params, NULL((void*)0), "EC Diffie-Hellman Server Params");
12194
12195 offset = dissect_tls_ecparameters(hf, tvb, ssl_ecdh_tree, offset, offset_end);
12196 if (offset >= offset_end)
12197 return; /* only named_curves are supported */
12198
12199 /* ECPoint.point */
12200 point_len = tvb_get_uint8(tvb, offset);
12201 proto_tree_add_item(ssl_ecdh_tree, hf->hf.hs_server_keyex_point_len, tvb,
12202 offset, 1, ENC_BIG_ENDIAN0x00000000);
12203 proto_tree_add_item(ssl_ecdh_tree, hf->hf.hs_server_keyex_point, tvb,
12204 offset + 1, point_len, ENC_NA0x00000000);
12205 offset += 1 + point_len;
12206
12207 /* Signature (if non-anonymous KEX) */
12208 if (!anon) {
12209 dissect_ssl3_hnd_srv_keyex_sig(hf, tvb, pinfo, ssl_ecdh_tree, offset, offset_end, version);
12210 }
12211}
12212
12213static void
12214dissect_ssl3_hnd_srv_keyex_dhe(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12215 proto_tree *tree, uint32_t offset, uint32_t offset_end,
12216 uint16_t version, bool_Bool anon)
12217{
12218 int p_len, g_len, ys_len;
12219 proto_tree *ssl_dh_tree;
12220
12221 ssl_dh_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
12222 hf->ett.keyex_params, NULL((void*)0), "Diffie-Hellman Server Params");
12223
12224 /* p */
12225 p_len = tvb_get_ntohs(tvb, offset);
12226 proto_tree_add_item(ssl_dh_tree, hf->hf.hs_server_keyex_p_len, tvb,
12227 offset, 2, ENC_BIG_ENDIAN0x00000000);
12228 proto_tree_add_item(ssl_dh_tree, hf->hf.hs_server_keyex_p, tvb,
12229 offset + 2, p_len, ENC_NA0x00000000);
12230 offset += 2 + p_len;
12231
12232 /* g */
12233 g_len = tvb_get_ntohs(tvb, offset);
12234 proto_tree_add_item(ssl_dh_tree, hf->hf.hs_server_keyex_g_len, tvb,
12235 offset, 2, ENC_BIG_ENDIAN0x00000000);
12236 proto_tree_add_item(ssl_dh_tree, hf->hf.hs_server_keyex_g, tvb,
12237 offset + 2, g_len, ENC_NA0x00000000);
12238 offset += 2 + g_len;
12239
12240 /* Ys */
12241 ys_len = tvb_get_ntohs(tvb, offset);
12242 proto_tree_add_uint(ssl_dh_tree, hf->hf.hs_server_keyex_ys_len, tvb,
12243 offset, 2, ys_len);
12244 proto_tree_add_item(ssl_dh_tree, hf->hf.hs_server_keyex_ys, tvb,
12245 offset + 2, ys_len, ENC_NA0x00000000);
12246 offset += 2 + ys_len;
12247
12248 /* Signature (if non-anonymous KEX) */
12249 if (!anon) {
12250 dissect_ssl3_hnd_srv_keyex_sig(hf, tvb, pinfo, ssl_dh_tree, offset, offset_end, version);
12251 }
12252}
12253
12254/* Only used in RSA-EXPORT cipher suites */
12255static void
12256dissect_ssl3_hnd_srv_keyex_rsa(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12257 proto_tree *tree, uint32_t offset, uint32_t offset_end,
12258 uint16_t version)
12259{
12260 int modulus_len, exponent_len;
12261 proto_tree *ssl_rsa_tree;
12262
12263 ssl_rsa_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
12264 hf->ett.keyex_params, NULL((void*)0), "RSA-EXPORT Server Params");
12265
12266 /* modulus */
12267 modulus_len = tvb_get_ntohs(tvb, offset);
12268 proto_tree_add_item(ssl_rsa_tree, hf->hf.hs_server_keyex_modulus_len, tvb,
12269 offset, 2, ENC_BIG_ENDIAN0x00000000);
12270 proto_tree_add_item(ssl_rsa_tree, hf->hf.hs_server_keyex_modulus, tvb,
12271 offset + 2, modulus_len, ENC_NA0x00000000);
12272 offset += 2 + modulus_len;
12273
12274 /* exponent */
12275 exponent_len = tvb_get_ntohs(tvb, offset);
12276 proto_tree_add_item(ssl_rsa_tree, hf->hf.hs_server_keyex_exponent_len,
12277 tvb, offset, 2, ENC_BIG_ENDIAN0x00000000);
12278 proto_tree_add_item(ssl_rsa_tree, hf->hf.hs_server_keyex_exponent,
12279 tvb, offset + 2, exponent_len, ENC_NA0x00000000);
12280 offset += 2 + exponent_len;
12281
12282 /* Signature */
12283 dissect_ssl3_hnd_srv_keyex_sig(hf, tvb, pinfo, ssl_rsa_tree, offset, offset_end, version);
12284}
12285
12286/* Used in RSA PSK and PSK cipher suites */
12287static uint32_t
12288dissect_ssl3_hnd_srv_keyex_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12289 proto_tree *tree, uint32_t offset)
12290{
12291 unsigned hint_len;
12292 proto_tree *ssl_psk_tree;
12293
12294 ssl_psk_tree = proto_tree_add_subtree(tree, tvb, offset, -1,
12295 hf->ett.keyex_params, NULL((void*)0), "PSK Server Params");
12296
12297 /* hint */
12298 hint_len = tvb_get_ntohs(tvb, offset);
12299 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_server_keyex_hint_len, tvb,
12300 offset, 2, ENC_BIG_ENDIAN0x00000000);
12301 proto_tree_add_item(ssl_psk_tree, hf->hf.hs_server_keyex_hint, tvb,
12302 offset + 2, hint_len, ENC_NA0x00000000);
12303
12304 proto_item_set_len(ssl_psk_tree, 2 + hint_len);
12305 return 2 + hint_len;
12306}
12307
12308/* Used in Diffie-Hellman PSK cipher suites */
12309static void
12310dissect_ssl3_hnd_srv_keyex_dhe_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12311 proto_tree *tree, uint32_t offset, uint32_t offset_end)
12312{
12313 /*
12314 * struct {
12315 * select (KeyExchangeAlgorithm) {
12316 * case diffie_hellman_psk:
12317 * opaque psk_identity_hint<0..2^16-1>;
12318 * ServerDHParams params;
12319 * };
12320 * } ServerKeyExchange;
12321 */
12322
12323 uint32_t psk_len = dissect_ssl3_hnd_srv_keyex_psk(hf, tvb, tree, offset);
12324 dissect_ssl3_hnd_srv_keyex_dhe(hf, tvb, pinfo, tree, offset + psk_len, offset_end, 0, true1);
12325}
12326
12327/* Used in EC Diffie-Hellman PSK cipher suites */
12328static void
12329dissect_ssl3_hnd_srv_keyex_ecdh_psk(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12330 proto_tree *tree, uint32_t offset, uint32_t offset_end)
12331{
12332 /*
12333 * struct {
12334 * select (KeyExchangeAlgorithm) {
12335 * case ec_diffie_hellman_psk:
12336 * opaque psk_identity_hint<0..2^16-1>;
12337 * ServerECDHParams params;
12338 * };
12339 * } ServerKeyExchange;
12340 */
12341
12342 uint32_t psk_len = dissect_ssl3_hnd_srv_keyex_psk(hf, tvb, tree, offset);
12343 dissect_ssl3_hnd_srv_keyex_ecdh(hf, tvb, pinfo, tree, offset + psk_len, offset_end, 0, true1);
12344}
12345
12346/* Used in EC J-PAKE cipher suites */
12347static void
12348dissect_ssl3_hnd_srv_keyex_ecjpake(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12349 proto_tree *tree, uint32_t offset, uint32_t offset_end)
12350{
12351 /*
12352 * struct {
12353 * ECPoint V;
12354 * opaque r<1..2^8-1>;
12355 * } ECSchnorrZKP;
12356 *
12357 * struct {
12358 * ECPoint X;
12359 * ECSchnorrZKP zkp;
12360 * } ECJPAKEKeyKP;
12361 *
12362 * struct {
12363 * ECParameters curve_params;
12364 * ECJPAKEKeyKP ecjpake_key_kp;
12365 * } ServerECJPAKEParams;
12366 *
12367 * select (KeyExchangeAlgorithm) {
12368 * case ecjpake:
12369 * ServerECJPAKEParams params;
12370 * } ServerKeyExchange;
12371 */
12372
12373 int point_len;
12374 proto_tree *ssl_ecjpake_tree;
12375
12376 ssl_ecjpake_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
12377 hf->ett.keyex_params, NULL((void*)0),
12378 "EC J-PAKE Server Params");
12379
12380 offset = dissect_tls_ecparameters(hf, tvb, ssl_ecjpake_tree, offset, offset_end);
12381 if (offset >= offset_end)
12382 return; /* only named_curves are supported */
12383
12384 /* ECJPAKEKeyKP.X */
12385 point_len = tvb_get_uint8(tvb, offset);
12386 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_server_keyex_xs_len, tvb,
12387 offset, 1, ENC_BIG_ENDIAN0x00000000);
12388 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_server_keyex_xs, tvb,
12389 offset + 1, point_len, ENC_NA0x00000000);
12390 offset += 1 + point_len;
12391
12392 /* ECJPAKEKeyKP.zkp.V */
12393 point_len = tvb_get_uint8(tvb, offset);
12394 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_server_keyex_vs_len, tvb,
12395 offset, 1, ENC_BIG_ENDIAN0x00000000);
12396 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_server_keyex_vs, tvb,
12397 offset + 1, point_len, ENC_NA0x00000000);
12398 offset += 1 + point_len;
12399
12400 /* ECJPAKEKeyKP.zkp.r */
12401 point_len = tvb_get_uint8(tvb, offset);
12402 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_server_keyex_rs_len, tvb,
12403 offset, 1, ENC_BIG_ENDIAN0x00000000);
12404 proto_tree_add_item(ssl_ecjpake_tree, hf->hf.hs_server_keyex_rs, tvb,
12405 offset + 1, point_len, ENC_NA0x00000000);
12406}
12407
12408/* Only used in ECC-SM2-EXPORT cipher suites */
12409static void
12410dissect_ssl3_hnd_srv_keyex_ecc_sm2(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12411 proto_tree *tree, uint32_t offset, uint32_t offset_end,
12412 uint16_t version)
12413{
12414 proto_tree *ssl_ecc_sm2_tree;
12415
12416 ssl_ecc_sm2_tree = proto_tree_add_subtree(tree, tvb, offset, offset_end - offset,
12417 hf->ett.keyex_params, NULL((void*)0), "ECC-SM2-EXPORT Server Params");
12418
12419 /* Signature */
12420 dissect_ssl3_hnd_srv_keyex_sig(hf, tvb, pinfo, ssl_ecc_sm2_tree, offset, offset_end, version);
12421}
12422/* ServerKeyExchange algo-specific dissectors. }}} */
12423
12424/* Client Key Exchange and Server Key Exchange handshake dissections. {{{ */
12425void
12426ssl_dissect_hnd_cli_keyex(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12427 proto_tree *tree, uint32_t offset, uint32_t length,
12428 const SslSession *session)
12429{
12430 switch (ssl_get_keyex_alg(session->cipher)) {
12431 case KEX_DH_ANON0x13: /* RFC 5246; DHE_DSS, DHE_RSA, DH_DSS, DH_RSA, DH_ANON: ClientDiffieHellmanPublic */
12432 case KEX_DH_DSS0x14:
12433 case KEX_DH_RSA0x15:
12434 case KEX_DHE_DSS0x10:
12435 case KEX_DHE_RSA0x12:
12436 dissect_ssl3_hnd_cli_keyex_dhe(hf, tvb, tree, offset, length);
12437 break;
12438 case KEX_DHE_PSK0x11: /* RFC 4279; diffie_hellman_psk: psk_identity, ClientDiffieHellmanPublic */
12439 dissect_ssl3_hnd_cli_keyex_dhe_psk(hf, tvb, tree, offset, length);
12440 break;
12441 case KEX_ECDH_ANON0x19: /* RFC 4492; ec_diffie_hellman: ClientECDiffieHellmanPublic */
12442 case KEX_ECDH_ECDSA0x1a:
12443 case KEX_ECDH_RSA0x1b:
12444 case KEX_ECDHE_ECDSA0x16:
12445 case KEX_ECDHE_RSA0x18:
12446 dissect_ssl3_hnd_cli_keyex_ecdh(hf, tvb, tree, offset, length);
12447 break;
12448 case KEX_ECDHE_PSK0x17: /* RFC 5489; ec_diffie_hellman_psk: psk_identity, ClientECDiffieHellmanPublic */
12449 dissect_ssl3_hnd_cli_keyex_ecdh_psk(hf, tvb, tree, offset, length);
12450 break;
12451 case KEX_KRB50x1c: /* RFC 2712; krb5: KerberosWrapper */
12452 /* XXX: implement support for KRB5 */
12453 proto_tree_add_expert_format(tree, NULL((void*)0), &hf->ei.hs_ciphersuite_undecoded,
12454 tvb, offset, length,
12455 "Kerberos ciphersuites (RFC 2712) are not implemented, contact Wireshark"
12456 " developers if you want them to be supported");
12457 break;
12458 case KEX_PSK0x1d: /* RFC 4279; psk: psk_identity */
12459 dissect_ssl3_hnd_cli_keyex_psk(hf, tvb, tree, offset);
12460 break;
12461 case KEX_RSA0x1e: /* RFC 5246; rsa: EncryptedPreMasterSecret */
12462 dissect_ssl3_hnd_cli_keyex_rsa(hf, tvb, tree, offset, length, session);
12463 break;
12464 case KEX_RSA_PSK0x1f: /* RFC 4279; rsa_psk: psk_identity, EncryptedPreMasterSecret */
12465 dissect_ssl3_hnd_cli_keyex_rsa_psk(hf, tvb, tree, offset, length);
12466 break;
12467 case KEX_SRP_SHA0x20: /* RFC 5054; srp: ClientSRPPublic */
12468 case KEX_SRP_SHA_DSS0x21:
12469 case KEX_SRP_SHA_RSA0x22:
12470 /* XXX: implement support for SRP_SHA* */
12471 proto_tree_add_expert_format(tree, NULL((void*)0), &hf->ei.hs_ciphersuite_undecoded,
12472 tvb, offset, length,
12473 "SRP_SHA ciphersuites (RFC 5054) are not implemented, contact Wireshark"
12474 " developers if you want them to be supported");
12475 break;
12476 case KEX_ECJPAKE0x24: /* https://tools.ietf.org/html/draft-cragie-tls-ecjpake-01 used in Thread Commissioning */
12477 dissect_ssl3_hnd_cli_keyex_ecjpake(hf, tvb, tree, offset, length);
12478 break;
12479 case KEX_ECC_SM20x26: /* GB/T 38636 */
12480 dissect_ssl3_hnd_cli_keyex_ecc_sm2(hf, tvb, tree, offset, length);
12481 break;
12482 default:
12483 proto_tree_add_expert(tree, NULL((void*)0), &hf->ei.hs_ciphersuite_undecoded,
12484 tvb, offset, length);
12485 break;
12486 }
12487}
12488
12489void
12490ssl_dissect_hnd_srv_keyex(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
12491 proto_tree *tree, uint32_t offset, uint32_t offset_end,
12492 const SslSession *session)
12493{
12494 switch (ssl_get_keyex_alg(session->cipher)) {
12495 case KEX_DH_ANON0x13: /* RFC 5246; ServerDHParams */
12496 dissect_ssl3_hnd_srv_keyex_dhe(hf, tvb, pinfo, tree, offset, offset_end, session->version, true1);
12497 break;
12498 case KEX_DH_DSS0x14: /* RFC 5246; not allowed */
12499 case KEX_DH_RSA0x15:
12500 proto_tree_add_expert(tree, NULL((void*)0), &hf->ei.hs_srv_keyex_illegal,
12501 tvb, offset, offset_end - offset);
12502 break;
12503 case KEX_DHE_DSS0x10: /* RFC 5246; dhe_dss, dhe_rsa: ServerDHParams, Signature */
12504 case KEX_DHE_RSA0x12:
12505 dissect_ssl3_hnd_srv_keyex_dhe(hf, tvb, pinfo, tree, offset, offset_end, session->version, false0);
12506 break;
12507 case KEX_DHE_PSK0x11: /* RFC 4279; diffie_hellman_psk: psk_identity_hint, ServerDHParams */
12508 dissect_ssl3_hnd_srv_keyex_dhe_psk(hf, tvb, pinfo, tree, offset, offset_end);
12509 break;
12510 case KEX_ECDH_ANON0x19: /* RFC 4492; ec_diffie_hellman: ServerECDHParams (without signature for anon) */
12511 dissect_ssl3_hnd_srv_keyex_ecdh(hf, tvb, pinfo, tree, offset, offset_end, session->version, true1);
12512 break;
12513 case KEX_ECDHE_PSK0x17: /* RFC 5489; psk_identity_hint, ServerECDHParams */
12514 dissect_ssl3_hnd_srv_keyex_ecdh_psk(hf, tvb, pinfo, tree, offset, offset_end);
12515 break;
12516 case KEX_ECDH_ECDSA0x1a: /* RFC 4492; ec_diffie_hellman: ServerECDHParams, Signature */
12517 case KEX_ECDH_RSA0x1b:
12518 case KEX_ECDHE_ECDSA0x16:
12519 case KEX_ECDHE_RSA0x18:
12520 dissect_ssl3_hnd_srv_keyex_ecdh(hf, tvb, pinfo, tree, offset, offset_end, session->version, false0);
12521 break;
12522 case KEX_KRB50x1c: /* RFC 2712; not allowed */
12523 proto_tree_add_expert(tree, NULL((void*)0), &hf->ei.hs_srv_keyex_illegal,
12524 tvb, offset, offset_end - offset);
12525 break;
12526 case KEX_PSK0x1d: /* RFC 4279; psk, rsa: psk_identity */
12527 case KEX_RSA_PSK0x1f:
12528 dissect_ssl3_hnd_srv_keyex_psk(hf, tvb, tree, offset);
12529 break;
12530 case KEX_RSA0x1e: /* only allowed if the public key in the server certificate is longer than 512 bits */
12531 dissect_ssl3_hnd_srv_keyex_rsa(hf, tvb, pinfo, tree, offset, offset_end, session->version);
12532 break;
12533 case KEX_ECC_SM20x26: /* GB/T 38636 */
12534 dissect_ssl3_hnd_srv_keyex_ecc_sm2(hf, tvb, pinfo, tree, offset, offset_end, session->version);
12535 break;
12536 case KEX_SRP_SHA0x20: /* RFC 5054; srp: ServerSRPParams, Signature */
12537 case KEX_SRP_SHA_DSS0x21:
12538 case KEX_SRP_SHA_RSA0x22:
12539 /* XXX: implement support for SRP_SHA* */
12540 proto_tree_add_expert_format(tree, NULL((void*)0), &hf->ei.hs_ciphersuite_undecoded,
12541 tvb, offset, offset_end - offset,
12542 "SRP_SHA ciphersuites (RFC 5054) are not implemented, contact Wireshark"
12543 " developers if you want them to be supported");
12544 break;
12545 case KEX_ECJPAKE0x24: /* https://tools.ietf.org/html/draft-cragie-tls-ecjpake-01 used in Thread Commissioning */
12546 dissect_ssl3_hnd_srv_keyex_ecjpake(hf, tvb, tree, offset, offset_end);
12547 break;
12548 default:
12549 proto_tree_add_expert(tree, NULL((void*)0), &hf->ei.hs_ciphersuite_undecoded,
12550 tvb, offset, offset_end - offset);
12551 break;
12552 }
12553}
12554/* Client Key Exchange and Server Key Exchange handshake dissections. }}} */
12555
12556void
12557tls13_dissect_hnd_key_update(ssl_common_dissect_t *hf, tvbuff_t *tvb,
12558 proto_tree *tree, uint32_t offset)
12559{
12560 /* RFC 8446 Section 4.6.3
12561 * enum {
12562 * update_not_requested(0), update_requested(1), (255)
12563 * } KeyUpdateRequest;
12564 *
12565 * struct {
12566 * KeyUpdateRequest request_update;
12567 * } KeyUpdate;
12568 */
12569 proto_tree_add_item(tree, hf->hf.hs_key_update_request_update, tvb, offset, 1, ENC_NA0x00000000);
12570}
12571
12572void
12573ssl_common_register_ssl_alpn_dissector_table(const char *name,
12574 const char *ui_name, const int proto)
12575{
12576 ssl_alpn_dissector_table = register_dissector_table(name, ui_name,
12577 proto, FT_STRING, STRING_CASE_SENSITIVE0);
12578 register_dissector_table_alias(ssl_alpn_dissector_table, "ssl.handshake.extensions_alpn_str");
12579}
12580
12581void
12582ssl_common_register_dtls_alpn_dissector_table(const char *name,
12583 const char *ui_name, const int proto)
12584{
12585 dtls_alpn_dissector_table = register_dissector_table(name, ui_name,
12586 proto, FT_STRING, STRING_CASE_SENSITIVE0);
12587 register_dissector_table_alias(ssl_alpn_dissector_table, "dtls.handshake.extensions_alpn_str");
12588}
12589
12590void
12591ssl_common_register_options(module_t *module, ssl_common_options_t *options, bool_Bool is_dtls)
12592{
12593 prefs_register_string_preference(module, "psk", "Pre-Shared Key",
12594 "Pre-Shared Key as HEX string. Should be 0 to 16 bytes.",
12595 &(options->psk));
12596
12597 if (is_dtls) {
12598 prefs_register_obsolete_preference(module, "keylog_file");
12599 prefs_register_static_text_preference(module, "keylog_file_removed",
12600 "The (Pre)-Master-Secret log filename preference can be configured in the TLS protocol preferences.",
12601 "Use the TLS protocol preference to configure the keylog file for both DTLS and TLS.");
12602 return;
12603 }
12604
12605 prefs_register_filename_preference(module, "keylog_file", "(Pre)-Master-Secret log filename",
12606 "The name of a file which contains a list of \n"
12607 "(pre-)master secrets in one of the following formats:\n"
12608 "\n"
12609 "RSA <EPMS> <PMS>\n"
12610 "RSA Session-ID:<SSLID> Master-Key:<MS>\n"
12611 "CLIENT_RANDOM <CRAND> <MS>\n"
12612 "PMS_CLIENT_RANDOM <CRAND> <PMS>\n"
12613 "\n"
12614 "Where:\n"
12615 "<EPMS> = First 8 bytes of the Encrypted PMS\n"
12616 "<PMS> = The Pre-Master-Secret (PMS) used to derive the MS\n"
12617 "<SSLID> = The SSL Session ID\n"
12618 "<MS> = The Master-Secret (MS)\n"
12619 "<CRAND> = The Client's random number from the ClientHello message\n"
12620 "\n"
12621 "(All fields are in hex notation)",
12622 &(options->keylog_filename), false0);
12623}
12624
12625void
12626ssl_calculate_handshake_hash(SslDecryptSession *ssl_session, tvbuff_t *tvb, uint32_t offset, uint32_t length)
12627{
12628 if (ssl_session && ssl_session->session.version != TLSV1DOT3_VERSION0x304 && !(ssl_session->state & SSL_MASTER_SECRET(1<<5))) {
12629 uint32_t old_length = ssl_session->handshake_data.data_len;
12630 ssl_debug_printf("Calculating hash with offset %d %d\n", offset, length);
12631 if (tvb) {
12632 if (tvb_bytes_exist(tvb, offset, length)) {
12633 ssl_session->handshake_data.data = (unsigned char *)wmem_realloc(wmem_file_scope(), ssl_session->handshake_data.data, old_length + length);
12634 tvb_memcpy(tvb, ssl_session->handshake_data.data + old_length, offset, length);
12635 ssl_session->handshake_data.data_len += length;
12636 }
12637 } else {
12638 /* DTLS calculates the hash as if each handshake message had been
12639 * sent as a single fragment (RFC 6347, section 4.2.6) and passes
12640 * in a null tvbuff to add 3 bytes for a zero fragment offset.
12641 */
12642 DISSECTOR_ASSERT_CMPINT(length, <, 4)((void) ((length < 4) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion " "length" " " "<" " " "4" " (" "%"
"l" "d" " " "<" " " "%" "l" "d" ")", "epan/dissectors/packet-tls-utils.c"
, 12642, (int64_t)length, (int64_t)4))));
12643 ssl_session->handshake_data.data = (unsigned char *)wmem_realloc(wmem_file_scope(), ssl_session->handshake_data.data, old_length + length);
12644 memset(ssl_session->handshake_data.data + old_length, 0, length);
12645 ssl_session->handshake_data.data_len += length;
12646 }
12647 }
12648}
12649
12650
12651/*
12652 * Editor modelines - https://www.wireshark.org/tools/modelines.html
12653 *
12654 * Local variables:
12655 * c-basic-offset: 4
12656 * tab-width: 8
12657 * indent-tabs-mode: nil
12658 * End:
12659 *
12660 * vi: set shiftwidth=4 tabstop=8 expandtab:
12661 * :indentSize=4:tabSize=8:noTabs=true:
12662 */